-
-
[原创]忙里偷闲,分析了一个病毒,希望高手指点
-
发表于: 2010-11-30 01:40
-
最近比较忙,在学习研究软件漏洞,在公司里借了本failwest的《Oday安全:软件漏洞分析技术》,感觉写的不错,对于像我种漏洞菜鸟来说,入门的绝好材料~~读那本书很流畅,明白了很多道理,原来是这样找漏洞
,说点题外话:如果你拥有扎实的汇编功底,不管以后学什么,你都会比别人学的快,学的更透彻~~
所以有时间的话,建议去好好学学汇编,绝对不是浪费时间的事情~~
对了差点忘说了,听说第二版快要出来了,很期待~~好像还有内核漏洞方面的哦,正好可以补一下,自己的内核方面的知识,快快出版吧,让我等菜鸟等的花儿也谢了~~
昨天在群里有位朋友说有个病毒样本,于是就DOWN下来做了些研究,有点碰运气吧,样本被我草草研究了一下~~大家就将就的看看吧!
病毒名称:server.exe
分析工具:flyODBG
壳:不知道什么鬼壳
开始吧~~~
先查壳,这是我的习惯,查得如图所示:
查不到~~一般都这样!!!!
再来看看EP区段吧
后面四个区段很明显有问题,同一个偏移地址中间三个大小全为零,最后一个大小为00004400,我想.cdata肯定是外壳(只是猜想)
(呵呵,用Exeinfo PE查得是用如下结果,好像是Asprotect的一个老版本)
样本入口代码如下:
00401000 > B8 D507D0B0 mov eax,B0D007D5
00401005 B8 6FA04000 mov eax,server.0040A06F
0040100A 8BC0 mov eax,eax ; EAX = server.0040A06F
0040100C 8BD2 mov edx,edx ; ntdll.KiFastSystemCallRet
0040100E 55 push ebp ; EBP = 0013FFF0
0040100F 8BE9 mov ebp,ecx ; EBP = ECX = 0013FFB0
00401011 5D pop ebp ; EBP = 0013FFF0
00401012 50 push eax ; EAX = server.0040A06F
00401013 51 push ecx ; ECX = 0013FFB0
00401014 8BC8 mov ecx,eax ; ECX = EAX = server.0040A06F
00401016 59 pop ecx ; ECX = 0013FFB0
00401017 C3 retn ; 返回
真不知道上面是作什么用的~~~返回再说吧~~
0040A06F 60 PUSHAD
0040A070 83EC 38 SUB ESP,38 ; ESP = 0012FFA4
0040A073 33C0 XOR EAX,EAX ; EAx = 00000000
0040A075 C745 D8 47657450 MOV DWORD PTR SS:[EBP-28],50746547
0040A07C C745 DC 726F6341 MOV DWORD PTR SS:[EBP-24],41636F72
0040A083 C745 E0 64647265 MOV DWORD PTR SS:[EBP-20],65726464
0040A08A C745 E4 73730000 MOV DWORD PTR SS:[EBP-1C],7373 ; GetProcAddress
0040A091 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0040A094 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
0040A097 60 PUSHAD
0040A098 64:A1 30000000 MOV EAX,DWORD PTR FS:[30] ; TEB+30h ---->PEB
0040A09E 8B50 0C MOV EDX,DWORD PTR DS:[EAX+C] ; PEB+C---->PEB_LDR_DATA
0040A0A1 8B42 1C MOV EAX,DWORD PTR DS:[EDX+1C] ; 模块头指针InInitializationOrderModuleList
0040A0A4 8B00 MOV EAX,DWORD PTR DS:[EAX] ; 找到kernel32.dll链表结点
0040A0A6 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8] ; kernel32.dll的基址加偏移0x08处是kernel32.dll在内存中加载地址
0040A0A9 8945 FC MOV DWORD PTR SS:[EBP-4],EAX ; kernel32.dll加载地址存入堆栈[EBP-4]处
0040A0AC 8BD0 MOV EDX,EAX ; kernel32.7C800000
0040A0AE 83C0 23 ADD EAX,23
0040A0B1 83C0 19 ADD EAX,19 ; EAX = 7C80003C
0040A0B4 8B00 MOV EAX,DWORD PTR DS:[EAX] ; 000000F0
0040A0B6 8D4410 78 LEA EAX,DWORD PTR DS:[EAX+EDX+78] ; EAX = 7C800168 ASCII ",&"
0040A0BA 8B00 MOV EAX,DWORD PTR DS:[EAX] ; EAX = 262C
0040A0BC 8B4C02 18 MOV ECX,DWORD PTR DS:[EDX+EAX+18] ; ECX = 000003B9
0040A0C0 8B5C02 20 MOV EBX,DWORD PTR DS:[EDX+EAX+20] ; EBX = 00003538
0040A0C4 03DA ADD EBX,EDX ; kernel32.7C800000
0040A0C6 49 DEC ECX ; ECX = 3B9
0040A0C7 90 NOP
0040A0C8 85C9 TEST ECX,ECX
0040A0CA 90 NOP
0040A0CB 74 38 JE SHORT 0040A105
0040A0CD 8D7D D8 LEA EDI,DWORD PTR SS:[EBP-28] ; [EBP-28] = GetProcAddress
0040A0D0 8B348B MOV ESI,DWORD PTR DS:[EBX+ECX*4] ; ESI = [EBX+ECX*4] = [7C804418] = 000008FEC
0040A0D3 03F2 ADD ESI,EDX ; ESI = 000008FEC + EDX = 7C800000 = 7C808FEC
0040A0D5 51 PUSH ECX ; 7C808FEC =>lstrlenW ECX = 000003B8
0040A0D6 50 PUSH EAX ; EAX = 0000262C
0040A0D7 B8 09000000 MOV EAX,9 ; EAX = 00000009
0040A0DC 83C0 06 ADD EAX,6 ; EAX = 0000000F
0040A0DF 8BC8 MOV ECX,EAX ; ECX = EAX = 0000000F
0040A0E1 58 POP EAX ; EAX = 0000262C
0040A0E2 F3:A6 REPE CMPS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; 比较名称
0040A0E4 85C9 TEST ECX,ECX
0040A0E6 59 POP ECX
0040A0E7 ^ 75 DD JNZ SHORT 0040A0C6 ; ESI = 7C806AAF = "GetProcessAffinityMask"
0040A0E9 8B7402 24 MOV ESI,DWORD PTR DS:[EDX+EAX+24] ; ESI = 0000441C
0040A0ED 03F2 ADD ESI,EDX ; ESI = 7C80441C
0040A0EF 8BF9 MOV EDI,ECX ; EDI = ECX = 00000198
0040A0F1 0FB7347E MOVZX ESI,WORD PTR DS:[ESI+EDI*2] ; ESI = 00000198
0040A0F5 8B7C02 1C MOV EDI,DWORD PTR DS:[EDX+EAX+1C] ; EDI = 00002654
0040A0F9 03FA ADD EDI,EDX ; EDI = 7C802654
0040A0FB 8B3CB7 MOV EDI,DWORD PTR DS:[EDI+ESI*4] ; EDI = 0000AE30
0040A0FE 03FA ADD EDI,EDX ; EDI = 7C80AE30 kernel32.GetProcAddress
0040A100 897D F8 MOV DWORD PTR SS:[EBP-8],EDI ; SS:[0012FFE8] = EDI = GetProcAddress
0040A103 EB 07 JMP SHORT 0040A10C
0040A105 C745 F8 00000000 MOV DWORD PTR SS:[EBP-8],0
0040A10C 61 POPAD
0040A10D 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] ; ECX = kernel32.7C800000
0040A110 33FF XOR EDI,EDI ; EDI = 00000000
0040A112 3BCF CMP ECX,EDI
0040A114 0F84 DA000000 JE 0040A1F4
0040A11A 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; EAX = SS:[EBP-8] = GetProcAddress
0040A11D 3BC7 CMP EAX,EDI
0040A11F 0F84 CF000000 JE 0040A1F4
0040A125 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20] ; SS:[EBP-20] = "ddress"
0040A128 52 PUSH EDX ; EDX = 0012FFD0 ASCII "ddress"
0040A129 51 PUSH ECX ; ECX = kernel32.7C800000
0040A12A C645 E0 4C MOV BYTE PTR SS:[EBP-20],4C
0040A12E C645 E1 6F MOV BYTE PTR SS:[EBP-1F],6F
0040A132 C645 E2 61 MOV BYTE PTR SS:[EBP-1E],61
0040A136 66:C745 E3 644C MOV WORD PTR SS:[EBP-1D],4C64
0040A13C 90 NOP
0040A13D 90 NOP
0040A13E 66:C745 E5 6962 MOV WORD PTR SS:[EBP-1B],6269
0040A144 90 NOP
0040A145 90 NOP
0040A146 C645 E7 72 MOV BYTE PTR SS:[EBP-19],72
0040A14A C645 E8 61 MOV BYTE PTR SS:[EBP-18],61
0040A14E C645 E9 72 MOV BYTE PTR SS:[EBP-17],72
0040A152 C645 EA 79 MOV BYTE PTR SS:[EBP-16],79
0040A156 C645 EB 41 MOV BYTE PTR SS:[EBP-15],41 ; LoadLibraryA
0040A15A 897D EC MOV DWORD PTR SS:[EBP-14],EDI ; [EBP-14] = EDI = 00000000
0040A15D FFD0 CALL EAX ; GetProcAddress
0040A15F 3BC6 CMP EAX,ESI ; EAX = 7C801D78 ESI = FFFFFFFF
0040A161 0F84 8D000000 JE 0040A1F4
0040A167 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX ; EAX =LoadLibraryA
0040A16A 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] ; ECX = kernel32.7C800000
0040A16D 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; kernel32.GetProcAddress
0040A170 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28] ; GetProcALoadLibraryA
0040A173 52 PUSH EDX ; EDX = 0012FFC8 = "GetProcALoadLibraryA"
0040A174 51 PUSH ECX ; kernel32.7C800000
0040A175 C645 D8 56 MOV BYTE PTR SS:[EBP-28],56
0040A179 C645 D9 69 MOV BYTE PTR SS:[EBP-27],69
0040A17D C645 DA 72 MOV BYTE PTR SS:[EBP-26],72
0040A181 C645 DB 74 MOV BYTE PTR SS:[EBP-25],74
0040A185 C645 DC 75 MOV BYTE PTR SS:[EBP-24],75
0040A189 C645 DD 61 MOV BYTE PTR SS:[EBP-23],61
0040A18D C645 DE 6C MOV BYTE PTR SS:[EBP-22],6C
0040A191 C645 DF 41 MOV BYTE PTR SS:[EBP-21],41
0040A195 C645 E0 6C MOV BYTE PTR SS:[EBP-20],6C
0040A199 C645 E1 6C MOV BYTE PTR SS:[EBP-1F],6C
0040A19D C645 E2 6F MOV BYTE PTR SS:[EBP-1E],6F
0040A1A1 C645 E3 63 MOV BYTE PTR SS:[EBP-1D],63 ; VirtualAlloc
0040A1A5 897D E4 MOV DWORD PTR SS:[EBP-1C],EDI ; [EBP-1C] = [7262694C] = EDI = 00000000
0040A1A8 FFD0 CALL EAX ; kernel32.GetProcAddress
0040A1AA 3BC6 CMP EAX,ESI ; EAX = 7C809AE1
0040A1AC 74 46 JE SHORT 0040A1F4
0040A1AE 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX ; kernel32.VirtualAlloc
0040A1B1 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] ; kernel32.7C800000
0040A1B4 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; kernel32.GetProcAddress
0040A1B7 8D55 D8 LEA EDX,DWORD PTR SS:[EBP-28] ; EDX = VirtualAlloc
0040A1BA 52 PUSH EDX ; VirtualAlloc
0040A1BB 51 PUSH ECX ; kernel32.7C800000
0040A1BC C645 D8 56 MOV BYTE PTR SS:[EBP-28],56
0040A1C0 C645 D9 69 MOV BYTE PTR SS:[EBP-27],69
0040A1C4 C645 DA 72 MOV BYTE PTR SS:[EBP-26],72
0040A1C8 C645 DB 74 MOV BYTE PTR SS:[EBP-25],74
0040A1CC C645 DC 75 MOV BYTE PTR SS:[EBP-24],75
0040A1D0 C645 DD 61 MOV BYTE PTR SS:[EBP-23],61
0040A1D4 C645 DE 6C MOV BYTE PTR SS:[EBP-22],6C
0040A1D8 C645 DF 46 MOV BYTE PTR SS:[EBP-21],46
0040A1DC C645 E0 72 MOV BYTE PTR SS:[EBP-20],72
0040A1E0 C645 E1 65 MOV BYTE PTR SS:[EBP-1F],65
0040A1E4 C645 E2 65 MOV BYTE PTR SS:[EBP-1E],65 ; VirtualFree
0040A1E8 897D E3 MOV DWORD PTR SS:[EBP-1D],EDI ; [EBP-1D] = [0012FFD3] = EDI = 00000000
0040A1EB FFD0 CALL EAX ; kernel32.GetProcAddress
0040A1ED 3BC6 CMP EAX,ESI ; EAX = 7C809B74 = kernel32.VirtualFree ESI = FFFFFFFF
0040A1EF 74 03 JE SHORT 0040A1F4
0040A1F1 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ; SS:[EBP-14] = [0012FFDC] = EAX = VirtualFree
0040A1F4 90 NOP
0040A1F5 90 NOP
0040A1F6 8BC0 MOV EAX,EAX ; kernel32.VirtualFree
0040A1F8 90 NOP
0040A1F9 90 NOP
0040A1FA E8 10000000 CALL 0040A20F
0040A1FF 90 NOP
0040A200 0000 ADD BYTE PTR DS:[EAX],AL
0040A202 40 INC EAX
0040A203 0090 90E21500 ADD BYTE PTR DS:[EAX+15E290],DL
0040A209 0090 90909090 ADD BYTE PTR DS:[EAX+90909090],DL
0040A20F 5E POP ESI ; ESI = server.0040A1FF
0040A210 8BFE MOV EDI,ESI ; server.0040A1FF
0040A212 81EF 9B010000 SUB EDI,19B ; EDI = 0040A064
0040A218 57 PUSH EDI ; server.0040A064
0040A219 6A 04 PUSH 4
0040A21B BF 00100000 MOV EDI,1000 ; EDI = 1000
0040A220 57 PUSH EDI
0040A221 57 PUSH EDI
0040A222 6A 00 PUSH 0
0040A224 FF55 F0 CALL DWORD PTR SS:[EBP-10] ; kernel32.VirtualAlloc
0040A227 59 POP ECX ; server.0040A064
0040A228 BB 00800000 MOV EBX,8000 ; EBX = 00008000
0040A22D 53 PUSH EBX
0040A22E 6A 00 PUSH 0
0040A230 50 PUSH EAX ; EAX = 00390000
0040A231 51 PUSH ECX ; server.0040A064
0040A232 46 INC ESI ; server.0040A1FF
0040A233 8B16 MOV EDX,DWORD PTR DS:[ESI] ; EDX = server.00400000
0040A235 52 PUSH EDX ; server.00400000
0040A236 50 PUSH EAX ; EAX = 00390000
0040A237 50 PUSH EAX
0040A238 8B46 06 MOV EAX,DWORD PTR DS:[ESI+6] ; DS:[ESI+6] = [0040A206] = 000015E2
0040A23B 03C2 ADD EAX,EDX ; EAX =server. 004015E2
0040A23D 8BF0 MOV ESI,EAX ; ESI = EAX = 004015E2
0040A23F 8B00 MOV EAX,DWORD PTR DS:[EAX] ; EAX = 000048B4
0040A241 03C2 ADD EAX,EDX ; EAX = 004048B8
0040A243 8941 05 MOV DWORD PTR DS:[ECX+5],EAX ; server.004048B4
0040A246 58 POP EAX ; EAX = 00390000
0040A247 8946 04 MOV DWORD PTR DS:[ESI+4],EAX ; DS:[004015E6] = 00390000
0040A24A 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C] ; EAX = DS:[004015EE] = 000010E8
0040A24D 03C2 ADD EAX,EDX
0040A24F 50 PUSH EAX ; EAX = server.004010E8
0040A250 8B46 10 MOV EAX,DWORD PTR DS:[ESI+10] ; EAX = DS:[ESI+10] = 0000101F
0040A253 03C2 ADD EAX,EDX ; EAX = 0000101F
0040A255 FFD0 CALL EAX ; server.0040101F
经过上面的分析,我还是不知道它在做什么~~反正是在取一些函数,然后进行VirtualAlloc与VirtualFree操作,不过里有一个很关键的代码CALL EAX
EAX = server.0040101F,说明要调用0040101F处的代码,但我们可以看到这段代码中并没有0040101F这个地址,说明这里跳到了程序分配的一块内存单元中,我们跟进去看看~~
原来是回到了,我们刚开始载入程序的开始代码的下一段代码中~~~这段代码的上面就是我们载入程序时的代码,呵呵~~~~
我花了很长时间去跟踪这段代码,结果并没有找到我想要的,无语,不知道程序搞来搞去在做什么工作,脑有点大了~~~~
里面有很多循环操作,还有很多赋值操作,研究是在做什么~~我也不知道,如果有高手看到这篇文章,还请分析一下,小菜这里就不一步一步讲解了~~~反正过程很是痛苦~~~~
0040101C . 15 24906050 ADC EAX,50609024
00401021 . 52 PUSH EDX ; EDX = server.00400000
00401022 . 8B4424 2C MOV EAX,DWORD PTR SS:[ESP+2C] ; EAX = server.004010E8
00401026 . 8BF0 MOV ESI,EAX ; ESI = server.004010E8
00401028 . 8B5424 30 MOV EDX,DWORD PTR SS:[ESP+30] ; EDX = SS:[0012FF54] = 00390000
0040102C . 8BFA MOV EDI,EDX ; EDI = EDX = 00390000
0040102E . 5A POP EDX ; EDX = server.00400000
0040102F . 58 POP EAX ; EAX = server.0040101F
00401030 . FC CLD ; DF = 0
00401031 . 60 PUSHAD
00401032 > 8A16 MOV DL,BYTE PTR DS:[ESI] ; DL = DS:[ESI] = 00000040 ASCII '@'
00401034 . 84D2 TEST DL,DL
00401036 . 74 08 JE SHORT 00401040
00401038 . 80F2 15 XOR DL,15 ; DL XOR 15 = 00000055
0040103B . 8816 MOV BYTE PTR DS:[ESI],DL ; DS:[004010E8] = DL = 00000055 ASCII 'U'
0040103D . 46 INC ESI ; ESI = server.004010E9
0040103E .^ EB F2 JMP SHORT 00401032
00401040 > 61 POPAD
00401041 . 33D2 XOR EDX,EDX
00401043 . B3 80 MOV BL,80
00401045 > A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00401046 . B2 02 MOV DL,2
00401048 > E8 71000000 CALL 004010BE
JMP:004010BE
004010BE /$ 02DB ADD BL,BL ; BL = 00
004010C0 |. 75 05 JNZ SHORT 004010C7
004010C2 |. 8A1E MOV BL,BYTE PTR DS:[ESI] ; BL = DS:[ESI] = 1C
004010C4 |. 46 INC ESI ; ESI = server.004010EA
004010C5 |. 10DB ADC BL,BL ; BL = 39
004010C7 \> C3 RET
Return:0040104D
0040104D . 8BC0 MOV EAX,EAX ; EAX = server.0040101F
0040104F .^ 73 F4 JNB SHORT 00401045
JMP:00401045
00401045 > /A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; ES:[EDI] = DS:[ESI] = 8B
00401046 . |B2 02 MOV DL,2 ; DL = 2
00401048 > |E8 71000000 CALL 004010BE
JMP:004010BE
004010BE /$ 02DB ADD BL,BL ; BL = 72
004010C0 |. 75 05 JNZ SHORT 004010C7
004010C2 |. 8A1E MOV BL,BYTE PTR DS:[ESI]
004010C4 |. 46 INC ESI
004010C5 |. 10DB ADC BL,BL
004010C7 \> C3 RET
Return:0040104D EAX = 0040101F
0040104D . 8BC0 MOV EAX,EAX ; EAX = server.0040101F
0040104F .^ 73 F4 JNB SHORT 00401045
JMP:00401045
00401045 > /A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; ES:[EDI] = DS:[ESI] = EC
00401046 . |B2 02 MOV DL,2 ; DL = 2
00401048 > |E8 71000000 CALL 004010BE
JMP:004010BE
004010BE /$ 02DB ADD BL,BL ; BL = E4
004010C0 |. 75 05 JNZ SHORT 004010C7
004010C2 |. 8A1E MOV BL,BYTE PTR DS:[ESI]
004010C4 |. 46 INC ESI
004010C5 |. 10DB ADC BL,BL
004010C7 \> C3 RET
Return:0040104D EAX = 0040101F
0040104D . 8BC0 MOV EAX,EAX ; EAX = server.0040101F
0040104F .^ 73 F4 JNB SHORT 00401045
JMP:00401045
00401045 > /A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; ES:[EDI] = DS:[ESI] = 83
00401046 . |B2 02 MOV DL,2 ; DL = 2
00401048 > |E8 71000000 CALL 004010BE
JMP:004010BE
004010BE /$ 02DB ADD BL,BL ; BL = C8
004010C0 |. 75 05 JNZ SHORT 004010C7
004010C2 |. 8A1E MOV BL,BYTE PTR DS:[ESI]
004010C4 |. 46 INC ESI
004010C5 |. 10DB ADC BL,BL
004010C7 \> C3 RET
Return:0040104D EAX = 0040101F
0040104D . 8BC0 MOV EAX,EAX ; EAX = server.0040101F
0040104F .^ 73 F4 JNB SHORT 00401045
NO JMP
00401051 . 33C9 XOR ECX,ECX ; server.0040A064
00401053 . E8 66000000 CALL 004010BE
JMP:004010BE
004010BE /$ 02DB ADD BL,BL ; BL = 90
004010C0 |. 75 05 JNZ SHORT 004010C7
004010C2 |. 8A1E MOV BL,BYTE PTR DS:[ESI]
004010C4 |. 46 INC ESI
004010C5 |. 10DB ADC BL,BL
004010C7 \> C3 RET
Return:00401058
0040105A . 33C0 XOR EAX,EAX ; EAX = 0
0040105C . E8 5D000000 CALL 004010BE
JMP:004010BE
004010BE /$ 02DB ADD BL,BL ; BL = 20
004010C0 |. 75 05 JNZ SHORT 004010C7
004010C2 |. 8A1E MOV BL,BYTE PTR DS:[ESI]
004010C4 |. 46 INC ESI
004010C5 |. 10DB ADC BL,BL
004010C7 \> C3 RET
Return:
00401061 . 8BC0 MOV EAX,EAX ; EAX = 00000000
00401063 . 73 23 JNB SHORT 00401088
00401065 . B2 02 MOV DL,2 ; DL = 2
00401067 . 41 INC ECX ; ECX = 00000000 + 1 = 00000001
00401068 . B0 10 MOV AL,10 ; AL = 10
0040106A > E8 4F000000 CALL 004010BE
JMP:004010BE
004010BE /$ 02DB ADD BL,BL ; BL = 40
004010C0 |. 75 05 JNZ SHORT 004010C7
004010C2 |. 8A1E MOV BL,BYTE PTR DS:[ESI]
004010C4 |. 46 INC ESI
004010C5 |. 10DB ADC BL,BL
004010C7 \> C3 RET
Return:0040106F
0040106F . 12C0 ADC AL,AL ; AL = 20
00401071 .^ 73 F7 JNB SHORT 0040106A
JMP:0040106A
0040106A > /E8 4F000000 CALL 004010BE
JMP:004010BE
004010BE /$ 02DB ADD BL,BL ; BL = 80
004010C0 |. 75 05 JNZ SHORT 004010C7
004010C2 |. 8A1E MOV BL,BYTE PTR DS:[ESI]
004010C4 |. 46 INC ESI
004010C5 |. 10DB ADC BL,BL
004010C7 \> C3 RET
Return:0040106F
0040106F . 12C0 ADC AL,AL ; AL = 20
00401071 .^ 73 F7 JNB SHORT 0040106A
JMP:0040106A
0040106A > /E8 4F000000 CALL 004010BE
JMP:004010BE
004010BE /$ 02DB ADD BL,BL ; BL = 00
004010C0 |. 75 05 JNZ SHORT 004010C7
004010C2 |. 8A1E MOV BL,BYTE PTR DS:[ESI] ; BL = DS:[004010ED] = 83
004010C4 |. 46 INC ESI ; ESI = server.004010EE
004010C5 |. 10DB ADC BL,BL ; BL = 07
004010C7 \> C3 RET
Return:0040106F
......
00401071 .^\73 F7 JNB SHORT 0040106A
00401073 . 75 3F JNZ SHORT 004010B4
JMP:004010B4
004010B4 > \56 PUSH ESI ; ESI = server.004010EE
004010B5 . 8BF7 MOV ESI,EDI ; ESI = EDI = 00390004
004010B7 . 2BF0 SUB ESI,EAX ; ESI = ESI-EAX = 00390004 - 00000002 = 00390002
004010B9 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; ES:[EDI] = [00390004] = DS:[ESI] = [00390002] = EC
004010BB . 5E POP ESI ; ESI = server.004010EE
004010BC .^ EB 8A JMP SHORT 00401048
JMP:00401048
00401048 > /E8 71000000 CALL 004010BE
JMP:004010BE
004010BE /$ 02DB ADD BL,BL ; BL = 1C
004010C0 |. 75 05 JNZ SHORT 004010C7
004010C2 |. 8A1E MOV BL,BYTE PTR DS:[ESI] ; BL = DS:[004010ED] = 83
004010C4 |. 46 INC ESI ; ESI = server.004010EE
004010C5 |. 10DB ADC BL,BL ; BL = 07
004010C7 \> C3 RET
在这里我反正是跟踪了老半天,还是不知所云~~~这里把一些过程贴出来,供想跟踪的人一个参考~~~
这里我们就简单点,在004010DC处F2,然后F9运行,直接跳过这段代码,然后单步执行~~~
直到RET后,又跳回到了我们进入的那块代码的下面一段代码处:
一直跟到如下代码处:
0040A300 FF55 F4 call dword ptr ss:[ebp-C] ; kernel32.LoadLibraryA
0040A303 8BD8 mov ebx,eax
0040A305 AC lods byte ptr ds:[esi]
0040A306 84C0 test al,al
0040A308 ^ 75 FB jnz short server.0040A305
0040A30A AD lods dword ptr ds:[esi]
0040A30B 85C0 test eax,eax
0040A30D ^ 74 E6 je short server.0040A2F5
0040A30F 83EE 04 sub esi,4
0040A312 AD lods dword ptr ds:[esi]
0040A313 A9 00000080 test eax,80000000 ; 看最高位是否为1
0040A318 75 0B jnz short server.0040A325
0040A31A 83EE 04 sub esi,4
0040A31D 56 push esi
0040A31E 53 push ebx
0040A31F FF55 F8 call dword ptr ss:[ebp-8] ; kernel32.GetProcAddress
0040A322 AB stos dword ptr es:[edi]
0040A323 ^ EB E0 jmp short server.0040A305
0040A325 25 FFFFFF7F and eax,7FFFFFFF ; 取低31位
0040A32A 50 push eax
0040A32B 53 push ebx
0040A32C FF55 F8 call dword ptr ss:[ebp-8]
0040A32F AB stos dword ptr es:[edi]
0040A330 ^ EB D8 jmp short server.0040A30A
0040A332 5D pop ebp
0040A333 5F pop edi
0040A334 C3 retn
这段代码是做重建输入表~~~~有兴趣的可以单步跟踪,看看它是如何重建输入表的
我们直接在0040A332处下断,然后F9,运行到0040A332处,一直F8到Ret,返回到系统代码中
7C809B84 k> 8BFF mov edi,edi ; server.<ModuleEntryPoint>
7C809B86 55 push ebp
7C809B87 8BEC mov ebp,esp
7C809B89 FF75 10 push dword ptr ss:[ebp+10]
7C809B8C FF75 0C push dword ptr ss:[ebp+C]
7C809B8F FF75 08 push dword ptr ss:[ebp+8]
7C809B92 6A FF push -1
7C809B94 E8 09000000 call kernel32.VirtualFreeEx
7C809B99 5D pop ebp
7C809B9A C2 0C00 retn 0C
一直F8,哈哈,来到了如下代码处:
0040A064 83C4 38 add esp,38
0040A067 61 popad
0040A068 B8 B4484000 mov eax,server.004048B4
0040A06D FFE0 jmp eax ;eax ====>server.004048B4
看到jmp eax没,说明我们已经将快到成功一半了,因为外壳代码的分析就快完了,真高兴~~~
EAX = server.004048B4,这个地址又在另外一个内存代码段中,我们直接跟进去~~~~
进入之后,代码好像没有分析完成,不要紧,我们重新分析一下代码,即可得到如下的代码(其实当我们跳到这里时,如果你对一些程序的代码头比较熟悉,就可以知道我们的样
本真实样子就已经暴露了55 8B EC 6A FF 68 XX XX XX XX 68 XX XX XX XX 64:A1 00000000 50 64:8925 00000000)
直接Dump下来,再来分析,这个样本的真实样子吧~~~~我们将Dump下来的程序保存为Cracker.exe,呵呵,好了,我们再用PEDI查得本样本的核心代码是用VC6.0写的,退出
flyODBG,重新分析Cracker.exe即可~~~
PEID查得如下:
区段(还是比较正常的,只是多加了几个区段而已)
Cracker.exe用flyODBG载入得到如下代码:
004048B4 > 55 push ebp
004048B5 8BEC mov ebp,esp
004048B7 6A FF push -1
004048B9 68 E8504000 push Cracker.004050E8
004048BE 68 20484000 push <jmp.&MSVCRT._except_handler3>
004048C3 64:A1 00000000 mov eax,dword ptr fs:[0] ;设置SEH异常
004048C9 50 push eax
004048CA 64:8925 00000000 mov dword ptr fs:[0],esp
.......
.......其中有一小段循环是取文件的路径
.......
一直跟踪到如下代码处:
004049DC FF15 04504000 call dword ptr ds:[<&kernel32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
004049E2 50 push eax ; Cracker.00400000
004049E3 E8 40EEFFFF call Cracker.00403828 ; 这个CALL是关键
004049E8 8945 98 mov dword ptr ss:[ebp-68],eax
004049EB 50 push eax
004049EC FF15 B4504000 call dword ptr ds:[<&MSVCRT.exit>] ; MSVCRT.exit
很容易我们得到004049E3处的CALL Cracker.00403828是关键~~~F7进入来到如下代码处:
00403828 55 push ebp
00403829 8BEC mov ebp,esp
0040382B 56 push esi
0040382C 57 push edi
0040382D 55 push ebp
0040382E 5D pop ebp
0040382F E8 F5F2FFFF call Cracker.00402B29
跟进00402B29得到如下代码:
00402B29 55 push ebp
00402B2A 8BEC mov ebp,esp
00402B2C 83EC 38 sub esp,38
00402B2F 32C0 xor al,al
00402B31 6A 01 push 1
00402B33 8845 FF mov byte ptr ss:[ebp-1],al ; 将[ebp-1]赋为0
00402B36 8845 DA mov byte ptr ss:[ebp-26],al ; 将[ebp-26]赋为0
00402B39 8845 EC mov byte ptr ss:[ebp-14],al ; 将[ebp-14]赋为0
00402B3C 8D45 DC lea eax,dword ptr ss:[ebp-24]
00402B3F 50 push eax ; EAX = 0013FEF0
00402B40 C645 F0 43 mov byte ptr ss:[ebp-10],43
00402B44 C645 F1 53 mov byte ptr ss:[ebp-F],53
00402B48 C645 F2 4F mov byte ptr ss:[ebp-E],4F
00402B4C C645 F3 4C mov byte ptr ss:[ebp-D],4C
00402B50 C645 F4 61 mov byte ptr ss:[ebp-C],61
00402B54 C645 F5 75 mov byte ptr ss:[ebp-B],75
00402B58 C645 F6 6E mov byte ptr ss:[ebp-A],6E
00402B5C C645 F7 63 mov byte ptr ss:[ebp-9],63
00402B60 C645 F8 68 mov byte ptr ss:[ebp-8],68
00402B64 C645 F9 65 mov byte ptr ss:[ebp-7],65
00402B68 C645 FA 72 mov byte ptr ss:[ebp-6],72
00402B6C C645 FB 2E mov byte ptr ss:[ebp-5],2E
00402B70 C645 FC 65 mov byte ptr ss:[ebp-4],65
00402B74 C645 FD 78 mov byte ptr ss:[ebp-3],78
00402B78 C645 FE 65 mov byte ptr ss:[ebp-2],65 ; CSOLauncher.exe
00402B7C C645 C8 63 mov byte ptr ss:[ebp-38],63
00402B80 C645 C9 73 mov byte ptr ss:[ebp-37],73
00402B84 C645 CA 74 mov byte ptr ss:[ebp-36],74
00402B88 C645 CB 72 mov byte ptr ss:[ebp-35],72
00402B8C C645 CC 69 mov byte ptr ss:[ebp-34],69
00402B90 C645 CD 6B mov byte ptr ss:[ebp-33],6B
00402B94 C645 CE 65 mov byte ptr ss:[ebp-32],65
00402B98 C645 CF 2D mov byte ptr ss:[ebp-31],2D
00402B9C C645 D0 6F mov byte ptr ss:[ebp-30],6F
00402BA0 C645 D1 6E mov byte ptr ss:[ebp-2F],6E
00402BA4 C645 D2 6C mov byte ptr ss:[ebp-2E],6C
00402BA8 C645 D3 69 mov byte ptr ss:[ebp-2D],69
00402BAC C645 D4 6E mov byte ptr ss:[ebp-2C],6E
00402BB0 C645 D5 65 mov byte ptr ss:[ebp-2B],65
00402BB4 C645 D6 2E mov byte ptr ss:[ebp-2A],2E
00402BB8 C645 D7 65 mov byte ptr ss:[ebp-29],65
00402BBC C645 D8 78 mov byte ptr ss:[ebp-28],78
00402BC0 C645 D9 65 mov byte ptr ss:[ebp-27],65 ; cstrike-online.exe
00402BC4 C645 DC 53 mov byte ptr ss:[ebp-24],53
00402BC8 C645 DD 65 mov byte ptr ss:[ebp-23],65
00402BCC C645 DE 44 mov byte ptr ss:[ebp-22],44
00402BD0 C645 DF 65 mov byte ptr ss:[ebp-21],65
00402BD4 C645 E0 62 mov byte ptr ss:[ebp-20],62
00402BD8 C645 E1 75 mov byte ptr ss:[ebp-1F],75
00402BDC C645 E2 67 mov byte ptr ss:[ebp-1E],67
00402BE0 C645 E3 50 mov byte ptr ss:[ebp-1D],50
00402BE4 C645 E4 72 mov byte ptr ss:[ebp-1C],72
00402BE8 C645 E5 69 mov byte ptr ss:[ebp-1B],69
00402BEC C645 E6 76 mov byte ptr ss:[ebp-1A],76
00402BF0 C645 E7 69 mov byte ptr ss:[ebp-19],69
00402BF4 C645 E8 6C mov byte ptr ss:[ebp-18],6C
00402BF8 C645 E9 65 mov byte ptr ss:[ebp-17],65
00402BFC C645 EA 67 mov byte ptr ss:[ebp-16],67
00402C00 C645 EB 65 mov byte ptr ss:[ebp-15],65 ; SeDebugPrivilege
00402C04 E8 26E8FFFF call Cracker.0040142F ; 提权
00402C09 8D45 F0 lea eax,dword ptr ss:[ebp-10] ; eax-->ASCII "CSOLauncher.exe"
00402C0C 50 push eax
00402C0D E8 73E6FFFF call Cracker.00401285 ; 遍历进程,查找CSOLauncher.exe进程
00402C12 8D45 C8 lea eax,dword ptr ss:[ebp-38] ; eax-->ASCII "cstrike-online.exe"
00402C15 50 push eax
00402C16 E8 6AE6FFFF call Cracker.00401285 ; 遍历进程,查找cstrike-online.exe进程
00402C1B 83C4 10 add esp,10
00402C1E 6A 64 push 64
00402C20 FF15 0C504000 call dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
00402C26 C9 leave
00402C27 C3 retn
上面有二个CALL语言,有兴趣的朋友可以跟进去~~~看看,由于篇幅的原因,我在这里说明一下这三个CALL都在做什么
00402C04 call Cracker.0040142F
主要是用LoadLibrary加载两个DLL,advapi32.dll与kernel32.dll,并从中得到OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivilege
这三个函用于进程的提权操作,然后在kernel32.dll中得到CloseHandle,GetCurrentProcess两个进程
GetCurrentProcess---->OpenProcessToken----->LookupPrivilegeValueA---->AdjustTokenPrivileges---->CloseHandle
00402C0D call Cracker.00401285
主要是用于进程枚举,并查找是否有进程为CSOLauncher.exe,也是用LoadLibraryA加载kernel32.dll,然后得到CreateToolhelp32Snapshot,Process32First,Process32Next,然
后查找CSOLauncher.exe进程,查找代码如下:
004013F2 8D85 B8FEFFFF lea eax,dword ptr ss:[ebp-148]
004013F8 50 push eax
004013F9 FF75 08 push dword ptr ss:[ebp+8]
004013FC E8 CA020000 call Cracker.004016CB ; 比较这个进程是否为CSOLauncher.exe
00401401 59 pop ecx
00401402 85C0 test eax,eax
00401404 59 pop ecx
00401405 75 0C jnz short Cracker.00401413
00401407 FFB5 9CFEFFFF push dword ptr ss:[ebp-164]
0040140D E8 8DFDFFFF call Cracker.0040119F
00401412 59 pop ecx
00401413 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
00401419 50 push eax
0040141A 53 push ebx
0040141B FF55 C0 call dword ptr ss:[ebp-40]
0040141E 85C0 test eax,eax
00401420 ^ 75 D0 jnz short Cracker.004013F2
查找完成之后调用CloseHandle,关闭进程句柄
这段代码完成之后,返回到:
00403834 BE 04010000 mov esi,104
00403839 56 push esi
0040383A FF15 78504000 call dword ptr ds:[<&MSVCRT.malloc>] ; MSVCRT.malloc
00403840 8BF8 mov edi,eax
00403842 56 push esi
00403843 6A 00 push 0
00403845 57 push edi
00403846 E8 E70F0000 call <jmp.&MSVCRT.memset> ; 将分配的内存清零
0040384B 6A 00 push 0
0040384D 57 push edi
0040384E 6A 06 push 6
00403850 E8 F7F3FFFF call Cracker.00402C4C ; 关键CALL
00403855 57 push edi
00403856 FF15 74504000 call dword ptr ds:[<&MSVCRT.free>] ; MSVCRT.free
0040385C 68 1C624000 push Cracker.0040621C
00403861 E8 FBFBFFFF call Cracker.00403461
00403866 83C4 24 add esp,24
00403869 33C0 xor eax,eax
0040386B 5F pop edi
0040386C 5E pop esi
0040386D 5D pop ebp
0040386E C2 1000 retn 10
这段代码很简单,就是分配一块内存,然后对分配的内存清零操作,再调用一个关键CALL进行一些操作,然后释放分配的内存
这个CALL基本就是这个程序的关键之所在了~~~
大家可以自行跟进去,上面我已经将样本的外壳脱去,下面的分析我想很容易,我根据我的跟踪给出一些提示:
生成如下文件:
C:\DOCUME~1\jack\LOCALS~1\Temp\kb712959.sve (Kb后面的数值名称是随机生成的)
C:\Program Files\Common Files\System\kb712959.dla (由kb712959.sve拷贝得来的)
C:\WINDOWS\system32\dsound.dll
C:\WINDOWS\system32\dsound.dll.HUWM
C:\WINDOWS\system32\DllCache\dsound.dll
C:\WINDOWS\system32\DllCache\dsound.dll.HUWM
并写入了注册表:
Software\Microsoft\Windows\ShellNoRoam\MUICache
同时进行进程检查看是否有360
大概就是进行了这三步,我是在我的电脑主机上测试的,由于电脑太垃圾带不动虚拟机了,只能以身试毒,搞完之后会弹出一个对话框说修改了什么系统文件,证明病毒修改了系
统的文件或将自身的文件替换掉了系统文件~~呵呵,故计咱的电脑已经中了木马~~~大家测的时候到虚拟机上测就行了~~~~
(这里我就简单给大家分析主程序代码中两个CALL,后面的大家自行分析,0040258E处的代码,是将样本中的资源写入到一个新创建的文件中C:\DOCUME~1\jack\LOCALS~1
\Temp\kb712959.sve
具体过程如下:
FindResource--->LoadResource--->SizeOfResource--->CreateFileA--->WriteFile--->FlushFileBuffers--->SetFilePointer--->WriteFile--->WriteFile--->SetFilePointer
--->WriteFile--->WriteFile--->CloseHandle--->FreeResource
00402957处的代码,是打开创建的文件,然后读出一些数据,并将读出的数据,写入分配的内存中,并写入一些信息
GetModuleFileNameA--->CreateFileA--->SetFilePointer--->ReadFile--->malloc--->WriteFile--->free--->CloseHandle)
代码中还有很多分配内存和释放内存的操作,有一点我不是很明白为什么作者把所以的函数都单独一个字符一个字符压入堆栈,这样搞也太麻烦了~~~~
可能还没有分析完全,实在太累了,如果有哪位有时间或愿意分享自己的成果的,在后面跟贴吧
~~欢迎指点,比较乱,大家就将就着看看吧~~~
好了,时间也不早了,晚安~~~
|
|
|---|---|
|
|
|
|
|
 b不错嘛 学习了
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
我不是牛人,只是在向牛人学习中~~ESP定律~~嗯,很久没用了,现在习惯了单步跟踪,好搞清楚它到底在做什么操作,以及壳的原理,现在看来想偷懒还是可以用用的~~
|
|
|
对,楼主不是牛人,是熊人,期待以后对反组译高手的尊称从 "大牛" 改成 "大熊", 到时候新雪友不知原因时,我再出面为各位解说典故的由来
|
|
|
牛人啊~~
菜鸟努力学习中啊~~~
|
|
|
|
|
|
饿,也在尝试中。。。
|
|
|
 熊猫正正
|
|
|
|
|
|
|
|
|
顶个顶个
|
