瑞星卡卡安全论坛

Typical interrupts used by computer viruses
文物2 - 2008-9-27 11:21:00
INT ID | Function | Category | Offset in IVT | Intercepted/Used by Virus Code
INT 00 | Divide Error | CPU Generated | 0:[0] | Anti-Debugging, Anti-Emulation
INT 01 | Single Step | CPU Generated | 0:[4] | Anti-Debugging, Tunneling, EPO
INT 03 | Breakpoint | CPU Generated | 0:[0Ch] | Anti-Debugging, Tracing
INT 04 | Overflow | CPU Generated | 0:[10h] | Anti-Debugging, Anti-Emulation (caused by an INTO instruction)
INT 05 | Print Screen | BIOS | 0:[14h] | Activation routine, Anti-Debugging
INT 06 | Invalid Opcode | CPU Generated | 0:[18h] | Anti-Debugging, Anti-Emulation
INT 08 | System Timer | CPU Generated | 0:[20h] | Activation routine, Anti-Debugging
INT 09 | Keyboard | BIOS | 0:[24h] | Anti-Debugging, Password stealing, Ctrl+Alt+Del handling
INT 0Dh | IRQ 5 HD Disk (XT) | Hardware | 0:[34h] | Hardware level Stealth on XT
INT 10h | Video | BIOS | 0:[40h] | Activation routine
INT 12h | Get Memory Size | BIOS | 0:[48h] | RAM size check
INT 13h | Disk | BIOS | 0:[4Ch] | Infection, Activation routine, Stealth
INT 19h | Bootstrap Loader | BIOS | 0:[64h] | Fake rebooting
INT 1Ah | Time | BIOS | 0:[68h] | Activation routine
INT 1Ch | System Timer Tick | BIOS | 0:[70h] | Activation routine
INT 20h | Terminate Program | DOS Kernel | 0:[80h] | Infect on Exit, Terminate Parent
INT 21h | DOS Service | DOS Kernel | 0:[84h] | Infection, Stealth, Activation routine
INT 23h | Control-Break Handler | DOS Kernel | 0:[8Ch] | Anti-Debug, Non-Interrupted Infection
INT 24h | Critical Error Handler | DOS Kernel | 0:[90h] | Avoid DOS errors during Infections (usually hooked temporarily)
INT 25h | DOS Absolute Disk Read | DOS Kernel | 0:[94h] | Disk Infection, Stealth (Gets to INT 13 however)
INT 26h | DOS Absolute Disk Write | DOS Kernel | 0:[98h] | Disk Infection, Stealth (Gets to INT 13 however)
INT 27h | Terminate-and-Stay Resident | DOS Kernel | 0:[9Ch] | Remain in memory
INT 28h | DOS Idle Interrupt | DOS Kernel | 0:[A0h] | To perform TSR action while DOS program waits for user input
INT 2Ah | Network Redirector | DOS Kernel | 0:[A8h] | To infect files without hooking INT 21
INT 2Fh | Multiplex Interrupt | Multiple use | 0:[BCh] | Infect HMA memory, Access Disk Structures
INT 40h | Diskette Handler | BIOS | 0:[100h] | Anti-Behavior Blocker
INT 76h | IRQ 14 HD Operation | Hardware | 0:[1D8h] | Hardware Level Stealth on AT and above


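An added example, not from the original post or from any tool the forum discusses, showing how a defender uses the "Offset in IVT" column: it decodes vector n from 0:[4*n] in a saved interrupt vector table snapshot and in the current one, reports which of the watched interrupts from the table now point somewhere else, and flags handlers that sit between the memory size INT 12h currently reports and the 640 KB line, which is where a resident virus that lowered the INT 12h value keeps itself. Both IVT images and every vector value below are constructed sample data.

```python
import struct

WATCHED = {  # subset of the table's rows: INT number -> what virus code uses it for
    0x01: "Single Step (anti-debugging, tunneling)",
    0x03: "Breakpoint (anti-debugging, tracing)",
    0x13: "Disk BIOS (infection, stealth)",
    0x21: "DOS Service (infection, stealth)",
    0x24: "Critical Error Handler (hide DOS errors)",
}
IVT_SIZE = 256 * 4          # 256 vectors of 4 bytes each, starting at 0000:0000
CONVENTIONAL_TOP = 0xA000   # segment just past the 640 KB line

def read_vector(ivt, intno):
    """Vector n sits at 0:[4*n] (the table's 'Offset in IVT'): little-endian offset, then segment."""
    off, seg = struct.unpack_from("<HH", ivt, 4 * intno)
    return seg, off

def set_vector(ivt, intno, seg, off):
    struct.pack_into("<HH", ivt, 4 * intno, off, seg)

def find_hooked_vectors(baseline, current, reported_kb):
    """Report watched vectors that differ from the saved snapshot. reported_kb is what INT 12h
    returns now; a handler between that top-of-memory and 640 KB sits in RAM hidden from DOS."""
    hidden_from = reported_kb * 64          # 1 KB = 64 paragraphs (segment units)
    findings = []
    for intno, role in WATCHED.items():
        old, new = read_vector(baseline, intno), read_vector(current, intno)
        if old == new:
            continue
        findings.append({
            "int": intno, "role": role,
            "old": "%04X:%04X" % old, "new": "%04X:%04X" % new,
            "in_hidden_ram": hidden_from <= new[0] < CONVENTIONAL_TOP,
        })
    return findings

def build_sample():
    """Constructed IVT images: a clean snapshot and one where a resident virus hooked INT 13h/21h."""
    clean = bytearray(IVT_SIZE)
    set_vector(clean, 0x13, 0xF000, 0xEC59)     # constructed BIOS disk handler address
    set_vector(clean, 0x21, 0x0116, 0x109E)     # constructed DOS kernel entry
    set_vector(clean, 0x24, 0x0116, 0x0E3C)     # left unhooked in the infected image
    infected = bytearray(clean)
    set_vector(infected, 0x13, 0x9FC0, 0x0040)  # virus body in the top 1 KB it stole (INT 12h now says 639)
    set_vector(infected, 0x21, 0x9FC0, 0x00A2)
    return bytes(clean), bytes(infected)

if __name__ == "__main__":
    for f in find_hooked_vectors(*build_sample(), reported_kb=639):
        print(f)
```

On a real machine the two images would be 1 KB reads of physical address 0 taken before and after the suspect program ran, and reported_kb the AX value INT 12h returns.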
天月来了 - 2008-9-27 11:41:00
Take your time going through it on your own.
happysunday2003 - 2008-9-27 13:51:00
I can't understand it.

But

I'll understand it after a while.
轩辕小聪 - 2008-9-27 15:21:00
Not very complete, for example the part on the INT interrupts used for anti-debugging.
A bare list is meaningless. What matters is how they are used, and how to get past the related traps when dynamically debugging a virus program, so examples are what matter most.
文物2 - 2008-9-27 17:29:00
The anti-debugging interrupt section lists int 0, int , int 3. Are there other interrupts?

snippet:

Quote:

The Obfuscated Trick of Whale
      pop    ax           ; POP 0xE9CF into AX register
      xor    ax,020C      ; decrypt 0xEBC3 in AX (0xC3 = RET)
      cs:
      mov    [trap],al    ; try to overwrite INT 3 with RET
      add    ax,020C      ; fill the prefetch queue
trap:
      INT    3            ; Will change to RET
                          ; only if the prefetch queue is
                          ; already full (on 8088 only) or
                          ; flushed (Pentium+)

INT3:                     ; Points to rubbish
      invd                ; Random rubbish (2 bytes)
      ret



The virus writer expected that the INT 3 would be successfully replaced with a RET instruction to take the control flow to the proper place. His computer was an XT (8088), which has a 4-byte processor prefetch queue size (later replaced with 6 bytes on 8086). This is why the preceding code worked on his computer.

Other viruses use prefetch queue attacks to mislead debuggers and emulators. In single-stepping (or emulation not supporting the prefetch queue), such self-modification always takes place. Therefore the attacker can detect tracing easily by checking that the modified code is running instead of the instructions in the prefetch queue.


秦人J - 2008-9-29 16:25:00
OP, what is this? Could you explain it?
文物2 - 2008-10-6 23:03:00
The INT 3 gets replaced by a RET instruction.