匿名通过本文主要向大家介绍了文件型病毒,文件型病毒最主要感染,文件型病毒传染的对象,文件型病毒有哪些,文件型病毒的特点等相关知识,希望对您有所帮助,也希望大家支持linkedu.com www.linkedu.com
</div>
;本程序在Tasm下编译通过
;CIH文件型病毒检测消除程序
GOFIRST MACRO
XOR CX,CX
XOR DX,DX
MOV AX,4200H
INT 21H ;文件指针指到文件首
ENDM
ALTERLINE MACRO
MOV DL,0DH
MOV AH,02H
INT 21H ;回车
MOV DL,0AH
MOV AH,02H
INT 21H ;换行
ENDM
COPYHANDLE MACRO
PUSH BX
MOV AH,45H
INT 21H ;复制文件把柄
MOV BX,AX
MOV AH,3EH
INT 21H ;关闭复制文件
POP BX
ENDM
DATA SEGMENT PARA PUBLIC 'DATA'
EXEFILE DB '*.EXE',00
DIRFILE DB '*.*',00
FILEBZ DB 00 ;文件标志(COM:00;EXE:FF)
DISKSGN DB 00 ;检测盘号
CURRDISK DB 00 ;当前盘号
DISKCHA DB 00,3AH,24H
DAT DB 256 DUP(24H) ;磁盘传送地址DISK TRANSPORT AREA
OVERMSG DB '所有CIH病毒已被清除!!!',0DH,0AH,24H
FILESUF DB 2000 DUP(0) ;存放被检测文件部份内容
PE_HEAD DB 4 DUP(0) ;存放PE HEAD指针
VIRSUF DB 1024 DUP(0) ;存放CIH病毒头块程序
VIRPOINT DB 4 DUP(0) ;存放CIH 首块及链表区首指针
SECNUM DB 00,00 ;Number of FILE SECTIONS
T_ENTRY DB 4 DUP(0) ; true Entry RVA
FILEMSG DB ' ( CIH virus) ',24H
CLEAMSG DB ' killed !!',0DH,0AH,24H
CL_ZERO DB 1024 DUP(0) ;清零数据
HZSM DB '正在扫描: ',24H
BLANK DB 60 DUP(20H),24H ;送空格
INITDIR DB "",64 DUP(0) ;初始目录
CURRDIR DB " PE",00,63 DUP(24H) ;当前目录
UPDIR DB "..",00 ;上一级目录
DIRSUFF DB 4096 DUP(0) ;目录参数保留区
DIRSUFP DB 00,00 ;目录参数保留区指针
DIRNUM DB 01,00 ;盘中目录文件个数
EXENUM DB 00,00 ;盘中EXE文件个数
VIREXE DB 00,00 ;感染病毒EXE文件个数
DIRMSG DB "subdirectory number:",24H
EXEMSG DB "*.EXE numbers:",24H
ERRMSG DB "; which affected:",24H
DECSUF DB 11 DUP(0) ;二进制->十进制数存放区
TITL DB "CIH CLEAN ASM SOURCECODE TESTING",0dh,0ah
DB "kuibing kuibing@163.com",0DH,0AH,0dh,0ah
DB "The virus is a Parastic Virus which infects Windows 95/98 .EXE files",0DH,
0AH
DB 0DH,0AH,0dh,0ah,24H
BEGIN DB 07H,07H,"按任意键开始检测/清除病毒!!",0dh,0ah,24h
DATA ENDS
CODE SEGMENT PARA PUBLIC 'CODE'
ASSUME CS:CODE,DS:DATA,ES:DATA,SS:STACK
KILLCIH PROC FAR
MOV DI,0082H
MOV DL,[DI]
dec di
mov bl,[di]
PUSH DS
XOR AX,AX
PUSH AX
PUSH DS
MOV AX,DATA
MOV DS,AX
MOV ES,AX
MOV AX,STACK
MOV SS,AX
;确定检测盘号
cmp bl,0dh
jz disk2
AND DL,05FH
CMP DL,41H
JNZ DISK1
MOV BYTE PTR[DISKSGN],01H
MOV BYTE PTR[DISKCHA],41H
JMP DISK2
DISK1: CMP DL,42H
JNZ DISK3
MOV BYTE PTR[DISKSGN],02H
MOV BYTE PTR[DISKCHA],42H
JMP DISK2
DISK3: CMP DL,43H
JNZ DISK2
MOV BYTE PTR[DISKSGN],03H
MOV BYTE PTR[DISKCHA],43H
DISK2: MOV AH,19H
INT 21H ;取当前盘号
MOV BYTE PTR[CURRDISK],AL ;保存当前盘号
;
CMP BYTE PTR[DISKSGN],00H
JNZ DISK4
ADD AL,41H
MOV BYTE PTR[DISKCHA],AL
JMP DISK5
;
DISK4: MOV DL,BYTE PTR[DISKSGN]
DEC DL
MOV AH,0EH
INT 21H ;选择磁盘驱动器
;
DISK5: PUSH ES
MOV AX,0040H
MOV ES,AX
MOV DI,0087H
MOV AL,ES:[DI]
POP ES
CMP AL,00H
JZ CGA
MOV AX,0003H
JMP CLS
CGA: MOV AX,0006H
CLS: INT 10H ;清屏
MOV AH,09H
MOV DX,OFFSET TITL
INT 21H
MOV DX,OFFSET DAT ;磁盘传送首址->DX
MOV AH,1AH
INT 21H ;CREAT DAT
MOV AH,47H
MOV DL,BYTE PTR[DISKSGN]
MOV SI,OFFSET INITDIR+1
INT 21H ;保存初始目录名
MOV AH,3BH
MOV DX,OFFSET CURRDIR
INT 21H ;回到根目录
MOV BYTE PTR[FILEBZ],0FFH ;置EXE文件标志
MOV DX,OFFSET EXEFILE
;
CALL CLEA_VIRUS ;chesk and clear CIH virus
CALL CLE_SDIR ;检测各子目录下文件及消除
;
MOV AH,3BH
MOV DX,OFFSET INITDIR
INT 21H ;恢复初始目录
MOV DL,BYTE PTR[CURRDISK]
MOV AH,0EH
INT 21H ;选择磁盘驱动器
DONE: ALTERLINE
MOV DX,OFFSET OVERMSG
MOV AH,09H
INT 21H
MOV DX,OFFSET DIRMSG
MOV AH,09H
INT 21H
MOV DI,OFFSET DIRNUM
CALL BTOD ;显示目录个数
ALTERLINE
MOV DX,OFFSET EXEMSG
MOV AH,09H
INT 21H
MOV DI,OFFSET EXENUM
CALL BTOD ;显示EXE文件个数
MOV DX,OFFSET ERRMSG
MOV AH,09H
INT 21H
MOV DI,OFFSET VIREXE
CALL BTOD ;显示病毒EXE文件个数
ALTERLINE
MOV CX,0200H
MOV AH,01H
INT 10H ;恢复光标
MOV AH,4CH
INT 21H ;结束程序退回DOS
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;Key programm;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CLEA_VIRUS PROC NEAR ;在同一子目下搜寻EXE文件并检测是否存在病毒以及消除
MOV CX,027H
MOV AH,4EH
INT 21H ;搜寻第一匹配文件
JNC LOOK
JMP EXIT ;没找到,->EXIT
LOOK: INC BYTE PTR[EXENUM]
MOV DX,OFFSET HZSM
MOV AH,09H
INT 21H
MOV DX,OFFSET DISKCHA
MOV AH,09H
INT 21H
MOV DX,OFFSET CURRDIR
MOV AH,09H
INT 21H ;显示当前目录路径
MOV DI,OFFSET CURRDIR+1
CMP BYTE PTR[DI],00H
JZ ZJS1
MOV AH,02H
MOV DL,5CH
INT 21H
ZJS1: MOV DX,OFFSET DAT
ADD DX,1EH ;DX:匹配文件名首址
PUSH DX
PUSH DX
POP DI
BZ5: INC DI
CMP BYTE PTR[DI],00H
JNZ BZ5
INC DI
MOV BYTE PTR[DI],24H
POP DX
MOV AH,09H
INT 21H ;显示文件名
MOV DX,OFFSET DAT
ADD DX,1EH
MOV AX,3D02H
INT 21H ;打开匹配文件
JNB CL0
JMP NEXTFILE
;;;;;;;;;;;;;
CL0: MOV BX,AX
MOV AX,4200H
MOV CX,00H
MOV DX,3CH
INT 21H ;文件指针移到文件头第3CH字节
MOV DX,OFFSET FILESUF ;文件缓冲区首址->DX
MOV CX,04H
MOV AH,3FH
INT 21H ;读入4个字节(File address of new exe header)
JNB CL1
JMP NEXTFILE
CL1: MOV AX,4200H
MOV CX,WORD PTR[FILESUF+2]
MOV DX,WORD PTR[FILESUF]
MOV WORD PTR[PE_HEAD],DX ;保存PE FILE HEAD 指针
MOV WORD PTR[PE_HEAD+2],CX
DEC DX
INT 21H ;文件指针移到new exe header-1
MOV DX,OFFSET FILESUF ;文件缓冲区首址->DX
MOV CX,0200H
MOV AH,3FH
INT 21H ;读入512个字节(PE File Signature)
JNB CL2
JMP NEXTFILE
CL2: CMP WORD PTR[FILESUF+1],04550H ;see if is "PE" format file
JZ CL21
JMP NEXTFILE
CL21: CMP BYTE PTR[FILESUF],00H
JNZ CL3 ;"XPE" May have CIH viurs
JMP NEXTFILE ;NOT BEEN INFECTED CIH VIRUS
CL3: MOV CX,WORD PTR[FILESUF+07H] ;Get Number of Sections
MOV WORD PTR[SECNUM],CX
INC CX
SHL CX,1
SHL CX,1
SHL CX,1
PUSH CX ;(Section 数+1)*8 =病毒块指针区大小
POP DI
;get PE FILE Entry RVA
MOV CX,WORD PTR[FILESUF+2BH] ;
MOV DX,WORD PTR[FILESUF+29H] ;[FILESUF+29,2A,2B,2CH]=Entry RVA
CMP CX,WORD PTR[FILESUF+57H] ;[FILESUF+55,56,57,58H]=File Header Size
JE CL4
JB CL5 ;Maybe has CIH virus
JMP NEXTFILE
CL4: CMP DX,WORD PTR[FILESUF+55H]
JB CL5 ;Maybe has CIH virus
JMP NEXTFILE
CL5: SUB DX,DI
MOV WORD PTR[VIRPOINT],DX
MOV WORD PTR[VIRPOINT+2H],CX ;Save CIH first block point
MOV AX,4200H
INT 21H ;文件指针移到FILE Entry address-病毒块指针区大小(DI)
MOV DX,OFFSET VIRSUF ;病毒缓冲区首址->DX
MOV CX,100H
MOV AH,3FH
INT 21H ;读入100H个字节
JNB CL6
JMP NEXTFILE
CL6: CMP WORD PTR[VIRSUF+DI+36H],056CCH
JZ CL7 ;May CIH virus
JMP NEXTFILE
CL7: CMP WORD PTR[VIRSUF+DI+4BH],0FBCCH
JZ CL8 ;Sure CIH virus
JMP NEXTFILE
CL8: MOV DX,OFFSET FILEMSG
MOV AH,09H
INT 21H ;显示有病毒
MOV AX,4301H
MOV CX,0020H
MOV DX,OFFSET DAT
ADD DX,1EH
INT 21H ;置文件属性为归档
;
;Save true Entry RVA
MOV AX,WORD PTR[VIRSUF+DI+5EH]
MOV WORD PTR[T_ENTRY],AX
MOV AX,WORD PTR[VIRSUF+DI+60H]
MOV WORD PTR[T_ENTRY+2H],AX
;
MOV DX,WORD PTR[VIRPOINT]
MOV CX,WORD PTR[VIRPOINT+2H] ;GET CIH first block point
MOV AX,4200H
INT 21H ;文件指针移到FILE Entry address-病毒块指针区大小
;
;CIH文件型病毒检测消除程序
GOFIRST MACRO
XOR CX,CX
XOR DX,DX
MOV AX,4200H
INT 21H ;文件指针指到文件首
ENDM
ALTERLINE MACRO
MOV DL,0DH
MOV AH,02H
INT 21H ;回车
MOV DL,0AH
MOV AH,02H
INT 21H ;换行
ENDM
COPYHANDLE MACRO
PUSH BX
MOV AH,45H
INT 21H ;复制文件把柄
MOV BX,AX
MOV AH,3EH
INT 21H ;关闭复制文件
POP BX
ENDM
DATA SEGMENT PARA PUBLIC 'DATA'
EXEFILE DB '*.EXE',00
DIRFILE DB '*.*',00
FILEBZ DB 00 ;文件标志(COM:00;EXE:FF)
DISKSGN DB 00 ;检测盘号
CURRDISK DB 00 ;当前盘号
DISKCHA DB 00,3AH,24H
DAT DB 256 DUP(24H) ;磁盘传送地址DISK TRANSPORT AREA
OVERMSG DB '所有CIH病毒已被清除!!!',0DH,0AH,24H
FILESUF DB 2000 DUP(0) ;存放被检测文件部份内容
PE_HEAD DB 4 DUP(0) ;存放PE HEAD指针
VIRSUF DB 1024 DUP(0) ;存放CIH病毒头块程序
VIRPOINT DB 4 DUP(0) ;存放CIH 首块及链表区首指针
SECNUM DB 00,00 ;Number of FILE SECTIONS
T_ENTRY DB 4 DUP(0) ; true Entry RVA
FILEMSG DB ' ( CIH virus) ',24H
CLEAMSG DB ' killed !!',0DH,0AH,24H
CL_ZERO DB 1024 DUP(0) ;清零数据
HZSM DB '正在扫描: ',24H
BLANK DB 60 DUP(20H),24H ;送空格
INITDIR DB "",64 DUP(0) ;初始目录
CURRDIR DB " PE",00,63 DUP(24H) ;当前目录
UPDIR DB "..",00 ;上一级目录
DIRSUFF DB 4096 DUP(0) ;目录参数保留区
DIRSUFP DB 00,00 ;目录参数保留区指针
DIRNUM DB 01,00 ;盘中目录文件个数
EXENUM DB 00,00 ;盘中EXE文件个数
VIREXE DB 00,00 ;感染病毒EXE文件个数
DIRMSG DB "subdirectory number:",24H
EXEMSG DB "*.EXE numbers:",24H
ERRMSG DB "; which affected:",24H
DECSUF DB 11 DUP(0) ;二进制->十进制数存放区
TITL DB "CIH CLEAN ASM SOURCECODE TESTING",0dh,0ah
DB "kuibing kuibing@163.com",0DH,0AH,0dh,0ah
DB "The virus is a Parastic Virus which infects Windows 95/98 .EXE files",0DH,
0AH
DB 0DH,0AH,0dh,0ah,24H
BEGIN DB 07H,07H,"按任意键开始检测/清除病毒!!",0dh,0ah,24h
DATA ENDS
CODE SEGMENT PARA PUBLIC 'CODE'
ASSUME CS:CODE,DS:DATA,ES:DATA,SS:STACK
KILLCIH PROC FAR
MOV DI,0082H
MOV DL,[DI]
dec di
mov bl,[di]
PUSH DS
XOR AX,AX
PUSH AX
PUSH DS
MOV AX,DATA
MOV DS,AX
MOV ES,AX
MOV AX,STACK
MOV SS,AX
;确定检测盘号
cmp bl,0dh
jz disk2
AND DL,05FH
CMP DL,41H
JNZ DISK1
MOV BYTE PTR[DISKSGN],01H
MOV BYTE PTR[DISKCHA],41H
JMP DISK2
DISK1: CMP DL,42H
JNZ DISK3
MOV BYTE PTR[DISKSGN],02H
MOV BYTE PTR[DISKCHA],42H
JMP DISK2
DISK3: CMP DL,43H
JNZ DISK2
MOV BYTE PTR[DISKSGN],03H
MOV BYTE PTR[DISKCHA],43H
DISK2: MOV AH,19H
INT 21H ;取当前盘号
MOV BYTE PTR[CURRDISK],AL ;保存当前盘号
;
CMP BYTE PTR[DISKSGN],00H
JNZ DISK4
ADD AL,41H
MOV BYTE PTR[DISKCHA],AL
JMP DISK5
;
DISK4: MOV DL,BYTE PTR[DISKSGN]
DEC DL
MOV AH,0EH
INT 21H ;选择磁盘驱动器
;
DISK5: PUSH ES
MOV AX,0040H
MOV ES,AX
MOV DI,0087H
MOV AL,ES:[DI]
POP ES
CMP AL,00H
JZ CGA
MOV AX,0003H
JMP CLS
CGA: MOV AX,0006H
CLS: INT 10H ;清屏
MOV AH,09H
MOV DX,OFFSET TITL
INT 21H
MOV DX,OFFSET DAT ;磁盘传送首址->DX
MOV AH,1AH
INT 21H ;CREAT DAT
MOV AH,47H
MOV DL,BYTE PTR[DISKSGN]
MOV SI,OFFSET INITDIR+1
INT 21H ;保存初始目录名
MOV AH,3BH
MOV DX,OFFSET CURRDIR
INT 21H ;回到根目录
MOV BYTE PTR[FILEBZ],0FFH ;置EXE文件标志
MOV DX,OFFSET EXEFILE
;
CALL CLEA_VIRUS ;chesk and clear CIH virus
CALL CLE_SDIR ;检测各子目录下文件及消除
;
MOV AH,3BH
MOV DX,OFFSET INITDIR
INT 21H ;恢复初始目录
MOV DL,BYTE PTR[CURRDISK]
MOV AH,0EH
INT 21H ;选择磁盘驱动器
DONE: ALTERLINE
MOV DX,OFFSET OVERMSG
MOV AH,09H
INT 21H
MOV DX,OFFSET DIRMSG
MOV AH,09H
INT 21H
MOV DI,OFFSET DIRNUM
CALL BTOD ;显示目录个数
ALTERLINE
MOV DX,OFFSET EXEMSG
MOV AH,09H
INT 21H
MOV DI,OFFSET EXENUM
CALL BTOD ;显示EXE文件个数
MOV DX,OFFSET ERRMSG
MOV AH,09H
INT 21H
MOV DI,OFFSET VIREXE
CALL BTOD ;显示病毒EXE文件个数
ALTERLINE
MOV CX,0200H
MOV AH,01H
INT 10H ;恢复光标
MOV AH,4CH
INT 21H ;结束程序退回DOS
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;Key programm;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
CLEA_VIRUS PROC NEAR ;在同一子目下搜寻EXE文件并检测是否存在病毒以及消除
MOV CX,027H
MOV AH,4EH
INT 21H ;搜寻第一匹配文件
JNC LOOK
JMP EXIT ;没找到,->EXIT
LOOK: INC BYTE PTR[EXENUM]
MOV DX,OFFSET HZSM
MOV AH,09H
INT 21H
MOV DX,OFFSET DISKCHA
MOV AH,09H
INT 21H
MOV DX,OFFSET CURRDIR
MOV AH,09H
INT 21H ;显示当前目录路径
MOV DI,OFFSET CURRDIR+1
CMP BYTE PTR[DI],00H
JZ ZJS1
MOV AH,02H
MOV DL,5CH
INT 21H
ZJS1: MOV DX,OFFSET DAT
ADD DX,1EH ;DX:匹配文件名首址
PUSH DX
PUSH DX
POP DI
BZ5: INC DI
CMP BYTE PTR[DI],00H
JNZ BZ5
INC DI
MOV BYTE PTR[DI],24H
POP DX
MOV AH,09H
INT 21H ;显示文件名
MOV DX,OFFSET DAT
ADD DX,1EH
MOV AX,3D02H
INT 21H ;打开匹配文件
JNB CL0
JMP NEXTFILE
;;;;;;;;;;;;;
CL0: MOV BX,AX
MOV AX,4200H
MOV CX,00H
MOV DX,3CH
INT 21H ;文件指针移到文件头第3CH字节
MOV DX,OFFSET FILESUF ;文件缓冲区首址->DX
MOV CX,04H
MOV AH,3FH
INT 21H ;读入4个字节(File address of new exe header)
JNB CL1
JMP NEXTFILE
CL1: MOV AX,4200H
MOV CX,WORD PTR[FILESUF+2]
MOV DX,WORD PTR[FILESUF]
MOV WORD PTR[PE_HEAD],DX ;保存PE FILE HEAD 指针
MOV WORD PTR[PE_HEAD+2],CX
DEC DX
INT 21H ;文件指针移到new exe header-1
MOV DX,OFFSET FILESUF ;文件缓冲区首址->DX
MOV CX,0200H
MOV AH,3FH
INT 21H ;读入512个字节(PE File Signature)
JNB CL2
JMP NEXTFILE
CL2: CMP WORD PTR[FILESUF+1],04550H ;see if is "PE" format file
JZ CL21
JMP NEXTFILE
CL21: CMP BYTE PTR[FILESUF],00H
JNZ CL3 ;"XPE" May have CIH viurs
JMP NEXTFILE ;NOT BEEN INFECTED CIH VIRUS
CL3: MOV CX,WORD PTR[FILESUF+07H] ;Get Number of Sections
MOV WORD PTR[SECNUM],CX
INC CX
SHL CX,1
SHL CX,1
SHL CX,1
PUSH CX ;(Section 数+1)*8 =病毒块指针区大小
POP DI
;get PE FILE Entry RVA
MOV CX,WORD PTR[FILESUF+2BH] ;
MOV DX,WORD PTR[FILESUF+29H] ;[FILESUF+29,2A,2B,2CH]=Entry RVA
CMP CX,WORD PTR[FILESUF+57H] ;[FILESUF+55,56,57,58H]=File Header Size
JE CL4
JB CL5 ;Maybe has CIH virus
JMP NEXTFILE
CL4: CMP DX,WORD PTR[FILESUF+55H]
JB CL5 ;Maybe has CIH virus
JMP NEXTFILE
CL5: SUB DX,DI
MOV WORD PTR[VIRPOINT],DX
MOV WORD PTR[VIRPOINT+2H],CX ;Save CIH first block point
MOV AX,4200H
INT 21H ;文件指针移到FILE Entry address-病毒块指针区大小(DI)
MOV DX,OFFSET VIRSUF ;病毒缓冲区首址->DX
MOV CX,100H
MOV AH,3FH
INT 21H ;读入100H个字节
JNB CL6
JMP NEXTFILE
CL6: CMP WORD PTR[VIRSUF+DI+36H],056CCH
JZ CL7 ;May CIH virus
JMP NEXTFILE
CL7: CMP WORD PTR[VIRSUF+DI+4BH],0FBCCH
JZ CL8 ;Sure CIH virus
JMP NEXTFILE
CL8: MOV DX,OFFSET FILEMSG
MOV AH,09H
INT 21H ;显示有病毒
MOV AX,4301H
MOV CX,0020H
MOV DX,OFFSET DAT
ADD DX,1EH
INT 21H ;置文件属性为归档
;
;Save true Entry RVA
MOV AX,WORD PTR[VIRSUF+DI+5EH]
MOV WORD PTR[T_ENTRY],AX
MOV AX,WORD PTR[VIRSUF+DI+60H]
MOV WORD PTR[T_ENTRY+2H],AX
;
MOV DX,WORD PTR[VIRPOINT]
MOV CX,WORD PTR[VIRPOINT+2H] ;GET CIH first block point
MOV AX,4200H
INT 21H ;文件指针移到FILE Entry address-病毒块指针区大小
;