Partial analysis of a newly discovered "super" packer (with driver)
Author: 大老
Preliminary analysis shows the packer includes:
Dynamic encryption of the code while the program runs!
Two processes are used
Every anti-tracing trick in the book is used!
A driver monitors the program's execution to prevent dumping
Partial analysis
=================================================================
HtdpDumy.dll is created in the temp directory
004C0840 56 push esi
004C0841 8B7424 08 mov esi, [esp+8]
004C0845 57 push edi
004C0846 8B56 40 mov edx, [esi+40]
004C0849 42 inc edx
004C084A 8BC2 mov eax, edx
004C084C 8956 40 mov [esi+40], edx
004C084F 83F8 02 cmp eax, 2
004C0852 72 08 jb short test.004C085C
004C0854 5F pop edi
004C0855 B8 01000000 mov eax, 1
004C085A 5E pop esi
004C085B C3 retn
004C085C 6A 01 push 1
004C085E 56 push esi
004C085F E8 7C000000 call test.004C08E0
004C0864 8A56 20 mov dl, [esi+20]
004C0867 83C4 08 add esp, 8
004C086A F6C2 04 test dl, 4
004C086D B9 80000000 mov ecx, 80
004C0872 74 05 je short test.004C0879
004C0874 B9 06000000 mov ecx, 6
004C0879 6A 00 push 0
004C087B 51 push ecx
004C087C 6A 02 push 2
004C087E 6A 00 push 0
004C0880 6A 00 push 0
004C0882 68 00000040 push 40000000
004C0887 50 push eax
004C0888 FF15 28164C00 call near [4C1628] ; KeRnEl32.CreateFileA =====> checks whether this file exists
004C088E 8BF8 mov edi, eax
004C0890 83FF FF cmp edi, -1
004C0893 75 05 jnz short test.004C089A
004C0895 5F pop edi
004C0896 33C0 xor eax, eax
004C0898 5E pop esi
004C0899 C3 retn
004C089A 8B46 24 mov eax, [esi+24]
004C089D 8B0D F0194C00 mov ecx, [4C19F0] ; test.00400000
004C08A3 8B76 2C mov esi, [esi+2C]
004C08A6 03C1 add eax, ecx
004C08A8 53 push ebx
004C08A9 8D4C24 10 lea ecx, [esp+10]
004C08AD 6A 00 push 0
004C08AF 51 push ecx
004C08B0 56 push esi
004C08B1 50 push eax
004C08B2 57 push edi
004C08B3 FF15 24164C00 call near [4C1624] ; KeRnEl32.WriteFile ====> the file is not written
004C08B9 8BD8 mov ebx, eax
004C08BB 85DB test ebx, ebx
004C08BD 74 0B je short test.004C08CA
004C08BF 8B4424 10 mov eax, [esp+10]
004C08C3 33DB xor ebx, ebx
004C08C5 3BC6 cmp eax, esi
004C08C7 0F94C3 sete bl
004C08CA 57 push edi
004C08CB FF15 0C164C00 call near [4C160C] ; KeRnEl32.CloseHandle
004C08D1 8BC3 mov eax, ebx
004C08D3 5B pop ebx
004C08D4 5F pop edi
004C08D5 5E pop esi
004C08D6 C3 retn
===================================================================
The packer loads the HtdpDumy.dll file
6FFF1000 >/$ B8 01000000 mov eax, 1
6FFF1005 \. C2 0C00 retn 0C
====================================================================
004C00C0 8B4424 08 mov eax, [esp+8]
004C00C4 56 push esi
004C00C5 85C0 test eax, eax
004C00C7 74 1E je short test.004C00E7
004C00C9 50 push eax
004C00CA 8B4424 0C mov eax, [esp+C]
004C00CE 50 push eax
004C00CF E8 0C030000 call test.004C03E0 ===> after this call, it changes to the code below
004C00D4 83C4 08 add esp, 8
004C00D7 8BF0 mov esi, eax
004C00D9 6A 00 push 0
004C00DB FF15 04164C00 call near [4C1604] ; KeRnEl32.SetLastError
004C00E1 8BC6 mov eax, esi
004C00E3 5E pop esi
=====================================================================
After the change; my initial assessment is that this is related to new-thread injection
6FFF1000 >/$ E8 2BFB4C90 call test.004C0B30
6FFF1005 \. C2 0C00 retn 0C
Loading the driver the packer needs
=================================================================
004C7701 68 80000000 push 80
004C7706 6A 03 push 3
004C7708 6A 00 push 0
004C770A 6A 00 push 0
004C770C 68 000000C0 push C0000000
004C7711 68 687E4C00 push test.004C7E68 ; ASCII "\\.\Htsysm"
004C7716 FF15 107E4C00 call near [4C7E10] ; KeRnEl32.CreateFileA
004C771C 33C9 xor ecx, ecx
004C771E 83F8 FF cmp eax, -1
004C7721 0F95C1 setne cl
004C7724 A3 2C7E4C00 mov [4C7E2C], eax
004C7729 8BC1 mov eax, ecx
004C772B C3 retn
On success cl = 1; [4C7E2C] holds the handle
==================================================================
This program uses a lot of single-step interrupts, so in the debugger's exception options tick every exception except memory access
Below is part of the flow code
004B5497 8985 3B1F4300 mov [ebp+431F3B], eax
004B549D F785 011F4300 0>test dword ptr [ebp+431F01], 1
004B54A7 0F84 8C000000 je test.004B5539
004B54AD C785 311F4300 0>mov dword ptr [ebp+431F31], 4
004B54B7 8D85 311F4300 lea eax, [ebp+431F31]
004B54BD 50 push eax
004B54BE 8D85 58FC4200 lea eax, [ebp+42FC58]
004B54C4 50 push eax
004B54C5 8D85 7BFB4200 lea eax, [ebp+42FB7B]
004B54CB 50 push eax
004B54CC 8BFD mov edi, ebp
004B54CE E8 562A0000 call test.004B7F29
004B54D3 60 pushad
004B54D4 CD 01 int 1 ====================> it breaks here
004B54D6 61 popad
004B54D7 8BFD mov edi, ebp
004B54D9 E8 932A0000 call test.004B7F71
004B54DE 83C4 0C add esp, 0C
004B54E1 F785 311F4300 0>test dword ptr [ebp+431F31], 2
004B54EB ^ 0F84 62FFFFFF je test.004B5453
004B54F1 83BD 91EF4200 0>cmp dword ptr [ebp+42EF91], 0
004B54F8 74 02 je short test.004B54FC
004B54FA EB 3D jmp short test.004B5539
004B54FC C785 311F4300 0>mov dword ptr [ebp+431F31], 4
004B5506 8D85 B2FB4200 lea eax, [ebp+42FBB2]
004B550C 50 push eax
004B550D FF95 3F1F4300 call near [ebp+431F3F]
004B5513 60 pushad
004B5514 FFB5 311F4300 push dword ptr [ebp+431F31]
004B551A CC int3
004B551B 8F85 311F4300 pop dword ptr [ebp+431F31]
004B5521 61 popad
004B5522 50 push eax
004B5523 FF95 3F1F4300 call near [ebp+431F3F]
004B5529 F785 311F4300 0>test dword ptr [ebp+431F31], 1
004B5533 ^ 0F84 1AFFFFFF je test.004B5453
004B5539 F785 FB054300 8>test dword ptr [ebp+4305FB], 80
004B5543 0F84 8B010000 je test.004B56D4
004B5549 6A 00 push 0
004B554B 68 00540000 push 5400
004B5550 FF95 71254300 call near [ebp+432571]
004B5556 C785 311F4300 0>mov dword ptr [ebp+431F31], 4
004B5560 8D85 311F4300 lea eax, [ebp+431F31]
004B5566 50 push eax
004B5567 8D85 3DFD4200 lea eax, [ebp+42FD3D]
004B556D 50 push eax
004B556E 8D85 7BFB4200 lea eax, [ebp+42FB7B]
004B5574 50 push eax
004B5575 8BFD mov edi, ebp
004B5577 E8 AD290000 call test.004B7F29
004B557C 60 pushad
004B557D 0F018D 351F4300 sidt [ebp+431F35]
004B5584 FFB5 371F4300 push dword ptr [ebp+431F37]
004B558A 68 01540000 push 5401
004B558F FF95 71254300 call near [ebp+432571]
004B5595 8B85 371F4300 mov eax, [ebp+431F37]
004B559B 3D 00000090 cmp eax, 90000000
004B55A0 7C 19 jl short test.004B55BB
004B55A2 61 popad
004B55A3 C785 311F4300 0>mov dword ptr [ebp+431F31], 0
004B55AD 60 pushad
004B55AE 6A 00 push 0
004B55B0 68 A0540000 push 54A0
004B55B5 FF95 71254300 call near [ebp+432571]
004B55BB 61 popad
004B55BC 8BFD mov edi, ebp
004B55BE E8 AE290000 call test.004B7F71
004B55C3 83C4 0C add esp, 0C
004B55C6 F785 311F4300 0>test dword ptr [ebp+431F31], 4
004B55D0 ^ 0F84 7DFEFFFF je test.004B5453
004B55D6 6A 00 push 0
004B55D8 68 10540000 push 5410
004B55DD FF95 71254300 call near [ebp+432571]
004B55E3 C785 311F4300 0>mov dword ptr [ebp+431F31], 4
004B55ED 8D85 311F4300 lea eax, [ebp+431F31]
004B55F3 50 push eax
004B55F4 8D85 C1FD4200 lea eax, [ebp+42FDC1]
004B55FA 50 push eax
004B55FB 8D85 7BFB4200 lea eax, [ebp+42FB7B]
004B5601 50 push eax
004B5602 8BFD mov edi, ebp
004B5604 E8 20290000 call test.004B7F29
004B5609 60 pushad
004B560A B8 68584D56 mov eax, 564D5868
004B560F BB 65D48586 mov ebx, 8685D465
004B5614 B9 0A000000 mov ecx, 0A
004B5619 66:BA 5856 mov dx, 5658
004B561D ED in eax, dx
004B561E 81FB 68584D56 cmp ebx, 564D5868
004B5624 75 19 jnz short test.004B563F
004B5626 61 popad
004B5627 C785 311F4300 0>mov dword ptr [ebp+431F31], 0
004B5631 60 pushad
004B5632 6A 00 push 0
004B5634 68 B0540000 push 54B0
004B5639 FF95 71254300 call near [ebp+432571]
004B563F 61 popad
004B5640 8BFD mov edi, ebp
004B5642 E8 2A290000 call test.004B7F71
004B5647 83C4 0C add esp, 0C
004B564A F785 311F4300 0>test dword ptr [ebp+431F31], 5
004B5654 ^ 0F84 F9FDFFFF je test.004B5453
004B565A 6A 00 push 0
004B565C 68 20540000 push 5420
004B5661 FF95 71254300 call near [ebp+432571]
004B5667 C785 311F4300 0>mov dword ptr [ebp+431F31], 4
004B5671 8D85 311F4300 lea eax, [ebp+431F31]
004B5677 50 push eax
004B5678 8D85 3BFE4200 lea eax, [ebp+42FE3B]
004B567E 50 push eax
004B567F 8D85 7BFB4200 lea eax, [ebp+42FB7B]
004B5685 50 push eax
004B5686 8BFD mov edi, ebp
004B5688 E8 9C280000 call test.004B7F29
004B568D 60 pushad
004B568E 8BEC mov ebp, esp
004B5690 B8 01000000 mov eax, 1
004B5695 0F3F ??? ; Unknown command
004B5697 07 pop es
004B5698 0BC7 or eax, edi
004B569A 45 inc ebp
004B569B FC cld
004B569C FFFF ??? ; Unknown command
004B569E FFFF ??? ; Unknown command
004B56A0 61 popad
004B56A1 C785 311F4300 0>mov dword ptr [ebp+431F31], 0
004B56AB 60 pushad
004B56AC 6A 00 push 0
004B56AE 68 C0540000 push 54C0
004B56B3 FF95 71254300 call near [ebp+432571]
004B56B9 61 popad
004B56BA 8BFD mov edi, ebp
004B56BC E8 B0280000 call test.004B7F71
004B56C1 83C4 0C add esp, 0C
004B56C4 F785 311F4300 0>test dword ptr [ebp+431F31], 1
004B56CE ^ 0F84 7FFDFFFF je test.004B5453
004B56D4 8B85 FB054300 mov eax, [ebp+4305FB]
004B56DA 83E0 01 and eax, 1
004B56DD 74 61 je short test.004B5740
004B56DF 6A 00 push 0
004B56E1 68 00550000 push 5500
004B56E6 FF95 71254300 call near [ebp+432571]
004B56EC 83BD 011F4300 0>cmp dword ptr [ebp+431F01], 0
004B56F3 75 02 jnz short test.004B56F7
004B56F5 EB 12 jmp short test.004B5709
004B56F7 8B85 3B1F4300 mov eax, [ebp+431F3B]
004B56FD 8038 CC cmp byte ptr [eax], 0CC
004B5700 74 02 je short test.004B5704
004B5702 EB 3C jmp short test.004B5740
004B5704 ^ E9 6DEEFFFF jmp test.004B4576
004B5709 0F018D 351F4300 sidt [ebp+431F35]
004B5710 8B85 371F4300 mov eax, [ebp+431F37]
004B5716 83C0 08 add eax, 8
004B5719 8B18 mov ebx, [eax]
004B571B 83C0 10 add eax, 10
004B571E 8B00 mov eax, [eax]
004B5720 25 FFFF0000 and eax, 0FFFF
004B5725 81E3 FFFF0000 and ebx, 0FFFF
004B572B 2BC3 sub eax, ebx
004B572D 83F8 1E cmp eax, 1E
004B5730 74 09 je short test.004B573B
004B5732 3D FC020000 cmp eax, 2FC
004B5737 74 02 je short test.004B573B
004B5739 EB 05 jmp short test.004B5740
004B573B ^ E9 36EEFFFF jmp test.004B4576
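As an added example (not part of the original post), the following Python scanner walks an OllyDbg-style listing and flags the idioms seen above: the int 1/int3 traps, the sidt IDT reads, the VMware backdoor read (VMXh magic in eax before `in eax, dx`), the 0xCC breakpoint-byte compare, and the CreateFileA open of the `\\.\Htsysm` device. The sample lines are copied from this analysis; the parsing rules (uppercase hex bytes, lowercase mnemonics, `0>` truncation markers) are assumptions about OllyDbg's text dump format.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the OllyDbg listing in the analysis above.
SAMPLE = r"""
004B54D3 60 pushad
004B54D4 CD 01 int 1
004B54D6 61 popad
004B551A CC int3
004B557D 0F018D 351F4300 sidt [ebp+431F35]
004B560A B8 68584D56 mov eax, 564D5868
004B560F BB 65D48586 mov ebx, 8685D465
004B5614 B9 0A000000 mov ecx, 0A
004B5619 66:BA 5856 mov dx, 5658
004B561D ED in eax, dx
004B56FD 8038 CC cmp byte ptr [eax], 0CC
004C7711 68 687E4C00 push test.004C7E68 ; ASCII "\\.\Htsysm"
004C7716 FF15 107E4C00 call near [4C7E10] ; KeRnEl32.CreateFileA
004C0840 56 push esi
"""

MNEMONIC = re.compile(r"[a-z][a-z0-9]*")
VMWARE_MAGIC = "564D5868"  # 'VMXh', loaded into eax before the `in eax, dx` backdoor read

def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one OllyDbg line into (address, mnemonic, operands, comment); None if not code."""
    code, _, comment = line.partition(";")
    tokens = code.split()
    if len(tokens) < 2 or not re.fullmatch(r"[0-9A-F]{8}", tokens[0]):
        return None
    for i, tok in enumerate(tokens[1:], start=1):
        tok = tok.split(">")[-1]  # drop OllyDbg's truncation marker, e.g. "0>mov"
        if MNEMONIC.fullmatch(tok):  # opcode bytes are uppercase hex, mnemonics lowercase
            return tokens[0], tok, " ".join(tokens[i + 1:]), comment.strip()
    return None

def scan_listing(text: str, window: int = 6) -> List[Tuple[str, str]]:
    """Return (address, finding) for every anti-debug / anti-VM idiom seen in the listing."""
    insns = [p for p in map(parse_line, text.splitlines()) if p]
    hits = []
    for idx, (addr, mnem, ops, comment) in enumerate(insns):
        recent = insns[max(0, idx - window):idx]  # a few preceding instructions for context
        if mnem == "int3" or (mnem == "int" and ops in ("1", "3")):
            hits.append((addr, "int 1/int3 trap: single-step or breakpoint interrupt as anti-debug"))
        elif mnem == "sidt":
            hits.append((addr, "sidt: reads the IDT base, classic VM/debugger check"))
        elif mnem == "in" and ops.startswith("eax") and any(VMWARE_MAGIC in r[2] for r in recent):
            hits.append((addr, "VMware backdoor: in eax,dx after loading the VMXh magic"))
        elif mnem == "cmp" and ops.startswith("byte ptr") and ops.endswith("0CC"):
            hits.append((addr, "compares a code byte with 0xCC: software breakpoint scan"))
        elif mnem == "call" and "CreateFileA" in comment and any("\\\\.\\" in r[3] for r in recent):
            hits.append((addr, "CreateFileA on a \\\\.\\ device path: opens the packer's driver"))
    return hits

if __name__ == "__main__":
    for addr, finding in scan_listing(SAMPLE):
        print(addr, finding)
```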
===========================================================================
Fetches the addresses of some kernel32.dll functions in preparation for what follows
004B5740 8BB5 CDF34200 mov esi, [ebp+42F3CD]
004B5746 8D85 F41D4300 lea eax, [ebp+431DF4]
004B574C E8 26020000 call test.004B5977
004B5751 8985 151F4300 mov [ebp+431F15], eax
004B5757 8D85 071E4300 lea eax, [ebp+431E07]
004B575D E8 15020000 call test.004B5977
004B5762 8985 191F4300 mov [ebp+431F19], eax
004B5768 8D85 131E4300 lea eax, [ebp+431E13]
004B576E E8 04020000 call test.004B5977
004B5773 8985 1D1F4300 mov [ebp+431F1D], eax
004B5779 8D85 1F1E4300 lea eax, [ebp+431E1F]
004B577F E8 F3010000 call test.004B5977
004B5784 8985 211F4300 mov [ebp+431F21], eax
004B578A 8D85 2A1E4300 lea eax, [ebp+431E2A]
004B5790 E8 E2010000 call test.004B5977
004B5795 8985 251F4300 mov [ebp+431F25], eax
004B579B 8D85 331E4300 lea eax, [ebp+431E33]
004B57A1 E8 D1010000 call test.004B5977
004B57A6 8985 291F4300 mov [ebp+431F29], eax
004B57AC 8D85 3F1E4300 lea eax, [ebp+431E3F]
004B57B2 E8 C0010000 call test.004B5977
004B57B7 8985 2D1F4300 mov [ebp+431F2D], eax
004B57BD 6A 00 push 0
004B57BF 68 00560000 push 5600
004B57C4 FF95 71254300 call near [ebp+432571]
004B57CA 8B85 C9F34200 mov eax, [ebp+42F3C9]
004B57D0 BB 01000000 mov ebx, 1
004B57D5 8DB5 C11E4300 lea esi, [ebp+431EC1]
004B57DB E8 AB030000 call test.004B5B8B
004B57E0 85C0 test eax, eax
004B57E2 ^ 0F84 8EEDFFFF je test.004B4576
004B57E8 8B9D C9F34200 mov ebx, [ebp+42F3C9]
004B57EE 8BC3 mov eax, ebx
004B57F0 0385 FF054300 add eax, [ebp+4305FF]
004B57F6 8985 D9F34200 mov [ebp+42F3D9], eax
004B57FC 8BC3 mov eax, ebx
004B57FE 0385 03064300 add eax, [ebp+430603]
004B5804 8985 051F4300 mov [ebp+431F05], eax
004B580A 8BC3 mov eax, ebx
004B580C 0385 07064300 add eax, [ebp+430607]
004B5812 8985 091F4300 mov [ebp+431F09], eax
004B5818 8BC3 mov eax, ebx
004B581A 0385 0B064300 add eax, [ebp+43060B]
004B5820 8985 0D1F4300 mov [ebp+431F0D], eax
004B5826 83BD D9F34200 0>cmp dword ptr [ebp+42F3D9], 0
004B582D 74 28 je short test.004B5857
004B582F 8D85 65254300 lea eax, [ebp+432565]
004B5835 50 push eax
004B5836 83BD 91EF4200 0>cmp dword ptr [ebp+42EF91], 0
004B583D 75 04 jnz short test.004B5843
004B583F 6A 00 push 0
004B5841 EB 06 jmp short test.004B5849
004B5843 FFB5 C9F34200 push dword ptr [ebp+42F3C9]
004B5849 FF95 D9F34200 call near [ebp+42F3D9]
004B584F 85C0 test eax, eax
004B5851 ^ 0F84 1FEDFFFF je test.004B4576
004B5857 83BD 0D1F4300 0>cmp dword ptr [ebp+431F0D], 0
004B585E 74 21 je short test.004B5881
004B5860 6A 00 push 0
004B5862 6A 00 push 0
004B5864 83BD 91EF4200 0>cmp dword ptr [ebp+42EF91], 0
004B586B 75 04 jnz short test.004B5871
004B586D 6A 00 push 0
004B586F EB 02 jmp short test.004B5873
004B5871 6A 10 push 10
004B5873 FF95 0D1F4300 call near [ebp+431F0D]
004B5879 85C0 test eax, eax
004B587B ^ 0F84 F5ECFFFF je test.004B4576
004B5881 F785 FB054300 4>test dword ptr [ebp+4305FB], 40
004B588B 75 05 jnz short test.004B5892
004B588D E9 E3000000 jmp test.004B5975
004B5892 6A 00 push 0
004B5894 68 00570000 push 5700
004B5899 FF95 71254300 call near [ebp+432571]
004B589F 83BD 051F4300 0>cmp dword ptr [ebp+431F05], 0
004B58A6 74 0F je short test.004B58B7
004B58A8 8D85 65254300 lea eax, [ebp+432565]
004B58AE 50 push eax
004B58AF 6A 01 push 1
004B58B1 FF95 051F4300 call near [ebp+431F05]
004B58B7 83BD 011F4300 0>cmp dword ptr [ebp+431F01], 0
004B58BE 75 02 jnz short test.004B58C2
004B58C0 EB 68 jmp short test.004B592A
004B58C2 8B85 C9F34200 mov eax, [ebp+42F3C9]
004B58C8 BB 01000000 mov ebx, 1
004B58CD 8DB5 D11E4300 lea esi, [ebp+431ED1]
004B58D3 E8 B3020000 call test.004B5B8B
004B58D8 85C0 test eax, eax
004B58DA ^ 0F84 96ECFFFF je test.004B4576
004B58E0 8D85 4B1E4300 lea eax, [ebp+431E4B]
004B58E6 50 push eax
004B58E7 FF95 69254300 call near [ebp+432569] =====> loads the driver
004B58ED 85C0 test eax, eax
004B58EF ^ 0F84 81ECFFFF je test.004B4576
004B58F5 8BF0 mov esi, eax
004B58F7 8D85 571E4300 lea eax, [ebp+431E57]
004B58FD E8 75000000 call test.004B5977
004B5902 85C0 test eax, eax
004B5904 ^ 0F84 6CECFFFF je test.004B4576
004B590A 8985 111F4300 mov [ebp+431F11], eax
004B5910 6A 00 push 0
004B5912 FFB5 C9F34200 push dword ptr [ebp+42F3C9]
004B5918 6A 00 push 0
004B591A FF95 111F4300 call near [ebp+431F11] ============> accesses the driver; if you are running under a debugger, the program terminates here!
004B5920 85C0 test eax, eax
004B5922 ^ 0F84 4EECFFFF je test.004B4576
After the call above, OD's code window shows data like the following
From start to finish this is most likely the result of some functions being hooked, which stops tracing from continuing!
004012CC 0865 64 or [ebp+64], ah
004012CF 0078 01 add [eax+1], bh
004012D2 58 pop eax
004012D3 004400 62 add [eax+eax+62], al
004012D7 0079 00 add [ecx], bh
004012DA 44 inc esp
004012DB 0059 00 add [ecx], bl
004012DE 4B dec ebx
004012DF 0020 add [eax], ah
004012E1 0076 00 add [esi], dh
004012E4 3100 xor [eax], eax
004012E6 5B pop ebx
004012E7 0031 add [ecx], dh
004012E9 005D 00 add [ebp], bl
004012EC 2E:0031 add cs:[ecx], dh
004012EF 0030 add [eax], dh
004012F1 005C00 4F add [eax+eax+4F], bl
004012F5 004400 62 add [eax+eax+62], al
===================================================================================
Anti-dump
004B59C6 0BD2 or edx, edx
004B59C8 75 09 jnz short test.004B59D3
004B59CA C740 20 0020000>mov dword ptr [eax+20], 2000 ===========> my initial judgment is that this is anti-dump: the resource size is changed to 2000
004B59D1 EB 07 jmp short test.004B59DA
004B59D3 8168 20 0010000>sub dword ptr [eax+20], 1000
004B59DA EB 1C jmp short test.004B59F8
004B59DC 6A 00 push 0
004B59DE FF95 65254300 call near [ebp+432565]
004B59E4 85D2 test edx, edx
004B59E6 79 10 jns short test.004B59F8
004B59E8 837A 08 FF cmp dword ptr [edx+8], -1
004B59EC 75 0A jnz short test.004B59F8
004B59EE 8B52 04 mov edx, [edx+4]
004B59F1 C742 50 0020000>mov dword ptr [edx+50], 2000
004B59F8 E9 87000000 jmp test.004B5A84
004B59FD 83BD 75254300 0>cmp dword ptr [ebp+432575], 0
004B5A04 75 06 jnz short test.004B5A0C
Due to my limited ability I have only analyzed this much; I will keep analyzing this packer! I hope this helps anyone interested in it!
Anyone interested is welcome to study this new packer together
Packer download
http://free5.ys168.com/?dalaoqd
test.exe is the encrypted file
Register the driver before testing; see the notes in the sys directory!
200605