[Original] Analysis of the Vadchdhv.exe Trojan Sample (Part 1)

2021-7-21 17:35

Goal: analyse how this trojan runs and how it is implemented internally, and work out what damage it can do.
Debugging environment and tools: VMware + Windows 7 (recommended), DIE, IDA, OD (OllyDbg).
1. Unpacking to get the shellcode, in preparation for extracting the trojan body

Open the original sample in IDA and locate sub_402FBA. (When debugging in OD the image base may differ from run to run; the offsets relative to it do not.) The core job of this routine is to release the shellcode, which carries the Vadchdhv body, into memory. At 0040304C it calls VirtualAlloc to allocate the buffer, and the shellcode is then written into it for the first time.

```asm
.text:0040301F add     edi, dword_405D2C
.text:00403025 push    flProtect              ; flProtect
.text:0040302B push    flAllocationType       ; flAllocationType
.text:00403031 lea     eax, [ebp+var_1C]
.text:00403034 push    edi
.text:00403035 pop     dword ptr [eax]
.text:00403037 mov     esi, [ebp+var_1C]
.text:0040303A mov     off_405B1C, esi
.text:00403040 push    off_405B1C             ; dwSize
.text:00403046 push    dword ptr asc_405598+4 ; lpAddress
.text:0040304C call    ds:VirtualAlloc
```
When that completes, return to sub_4043A9: its call to sub_401000 releases the shellcode into memory a second time.

```asm
.text:00404436 call    sub_401000
```
After that, return to the start code. What really matters while tracing is where the packer jumps into the shellcode body in memory; that transition is the key to capturing the shellcode, and without it the trojan body cannot be caught. The shellcode-release steps above can be tedious, but it pays to trace them several times, watching how the registers and the stack contents change and picking out the key values; for a trojan that exposes little information this is a useful habit. The shellcode is written out in a loop, so set a breakpoint just after the loop exits and single-step with F7 in OD:

```asm
.text:00402F9A mov     esi, [ebp+var_20]
.text:00402F9D mov     off_40521C, esi
.text:00402FA3 push    off_40521C
.text:00402FA9 mov     dword_405090, edx
.text:00402FAF call    dword_405090
```

Note the `call dword_405090` at 00402FAF: this indirect call through a data pointer is where the packer enters the shellcode in memory; step into it with F7. From here we are close to the Vadchdhv body, but not there yet, because Vadchdhv is not dropped and run in one shot: the shellcode first allocates a fresh region with execute permission (PAGE_EXECUTE_READWRITE), assembles and fixes up a PE image there, and only then does the trojan's core code run.
2. Stripping the shellcode to get the Vadchdhv in-memory process body

After stepping in with OD, note the loop at 00260261 (the address will vary): it calls 002601EE to fetch the next API name string, returns to 0026026C, calls 0026020A at 00260270 to compare a hash of that name (described in the original as an SHA comparison) against the wanted value, then calls 00260318 to fetch the next name and returns to 00260261 for the next iteration. This loop locates the ntdll exports the trojan uses, obtains their addresses, and patches them into the trojan body.

Next, Vadchdhv calls ntdll.NtProtectVirtualMemory, ntdll.NtAllocateVirtualMemory and similar functions. NtProtectVirtualMemory changes the page protection of an existing region (this is page protection, not privilege escalation); NtAllocateVirtualMemory then reserves and commits a fresh region (MEM_COMMIT|MEM_RESERVE = 3000, PAGE_EXECUTE_READWRITE = 40) into which the process image is dropped and reassembled.
```asm
002605DE  FF55 D0          CALL DWORD PTR SS:[EBP-30]   ; ntdll.NtProtectVirtualMemory
002605E1  85C0             TEST EAX,EAX
002605E3  0F85 87010000    JNE 00260770
002605E9  6A 40            PUSH 40                      ; Protect = PAGE_EXECUTE_READWRITE
002605EB  68 00300000      PUSH 3000                    ; AllocationType = MEM_COMMIT|MEM_RESERVE
002605F0  FF75 0C          PUSH DWORD PTR SS:[EBP+0C]   ; &RegionSize
002605F3  6A 00            PUSH 0                       ; ZeroBits
002605F5  C745 DC 00000000 MOV DWORD PTR SS:[EBP-24],0
002605FC  8D45 DC          LEA EAX,[EBP-24]
002605FF  50               PUSH EAX                     ; &BaseAddress (NULL on input: kernel chooses)
00260600  6A FF            PUSH -1                      ; ProcessHandle = current process
00260602  FF55 D4          CALL DWORD PTR SS:[EBP-2C]   ; ntdll.NtAllocateVirtualMemory
```

Stack at the call to ntdll.NtAllocateVirtualMemory (argument names follow the NtAllocateVirtualMemory prototype):

```text
Address   Value     ASCII  Comment
0017FE88  FFFFFFFF  ÿÿÿÿ   ; Arg1 = -1       ProcessHandle (current process)
0017FE8C  0017FED8  Øþ     ; Arg2 = 17FED8   *BaseAddress (output)
0017FE90  00000000         ; Arg3 = 0        ZeroBits
0017FE94  00025C20  \      ; Arg4 = c14bc530f959cb8dedb0f51527173a4.25C20   *RegionSize
0017FE98  00003000  0      ; Arg5 = 3000     AllocationType = MEM_COMMIT|MEM_RESERVE
0017FE9C  00000040  @      ; Arg6 = 40       Protect = PAGE_EXECUTE_READWRITE
```
Next, the PE header is written into the newly allocated region first:

```asm
00260602  FF55 D4          CALL DWORD PTR SS:[EBP-2C]   ; ntdll.NtAllocateVirtualMemory
00260605  85C0             TEST EAX,EAX
00260607  0F85 63010000    JNE 00260770
0026060D  8B75 DC          MOV ESI,DWORD PTR SS:[EBP-24] ; new base address
00260610  33C0             XOR EAX,EAX
00260612  8B4D E0          MOV ECX,DWORD PTR SS:[EBP-20]
00260615  8B7D FC          MOV EDI,DWORD PTR SS:[EBP-4]
00260618  F2:AA            REPNE STOS BYTE PTR ES:[EDI] ; OD flags the F2 prefix as an undocumented encoding; stores AL=0 from EDI=0002004A for ECX=0001AFB6 bytes (author's note: the buffer shows the DOS stub text "this program cannot be run in DOS mode.")
```
Next, Vadchdhv decodes the sections out of the shellcode and copies them into place. EDX points at an IMAGE_SECTION_HEADER, so the fields read below are VirtualSize ([EDX+8]), VirtualAddress ([EDX+0C]), SizeOfRawData ([EDX+10]) and PointerToRawData ([EDX+14]): a standard raw-to-virtual section copy, truncated to VirtualSize.

```asm
002606A7  8BF3             MOV ESI,EBX
002606A9  8B7D FC          MOV EDI,DWORD PTR SS:[EBP-4]
002606AC  0372 14          ADD ESI,DWORD PTR DS:[EDX+14]   ; + PointerToRawData
002606AF  037A 0C          ADD EDI,DWORD PTR DS:[EDX+0C]   ; + VirtualAddress
002606B2  51               PUSH ECX
002606B3  8B4A 10          MOV ECX,DWORD PTR DS:[EDX+10]   ; SizeOfRawData
002606B6  85C9             TEST ECX,ECX
002606B8  75 07            JNE SHORT 002606C1
002606BA  C742 14 00000000 MOV DWORD PTR DS:[EDX+14],0     ; no raw data: clear PointerToRawData
002606C1  3B4A 08          CMP ECX,DWORD PTR DS:[EDX+8]    ; VirtualSize
002606C4  76 03            JBE SHORT 002606C9
002606C6  8B4A 08          MOV ECX,DWORD PTR DS:[EDX+8]    ; copy at most VirtualSize bytes
002606C9  F2:A4            REPNE MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; undocumented encoding; decodes and writes the section at 00021000
```

The loop above first writes the region from 00021000 to 00023000; the next pass writes the region from 00023000 to 00024000:

```asm
002606A9  8B7D FC          MOV EDI,DWORD PTR SS:[EBP-4]
002606AC  0372 14          ADD ESI,DWORD PTR DS:[EDX+14]
002606AF  037A 0C          ADD EDI,DWORD PTR DS:[EDX+0C]
002606B2  51               PUSH ECX
002606B3  8B4A 10          MOV ECX,DWORD PTR DS:[EDX+10]
002606B6  85C9             TEST ECX,ECX
002606B8  75 07            JNE SHORT 002606C1
002606BA  C742 14 00000000 MOV DWORD PTR DS:[EDX+14],0
002606C1  3B4A 08          CMP ECX,DWORD PTR DS:[EDX+8]
002606C4  76 03            JBE SHORT 002606C9
002606C6  8B4A 08          MOV ECX,DWORD PTR DS:[EDX+8]
002606C9  F2:A4            REPNE MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; undocumented encoding; writes the section at 00023000
002606CB  59               POP ECX
```

Finally memory is allocated once more and code is written at 00032000. The complete code is in the attachment "Vadchdhv process code after shellcode removal".
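The section-copy loop above, reimplemented as an added example (this is not code from the post or from the sample): it parses the section table and rebuilds the in-memory layout the same way the shellcode does, copying min(SizeOfRawData, VirtualSize) bytes of each section to its VirtualAddress inside a zero-filled SizeOfImage buffer. The PE image it runs on is constructed inline and is not the sample; the bounds check before the copy is something the shellcode does not do.

```python
"""Raw-to-virtual section mapping, mirroring the loop at 002606A7.

Added example, not code from the original post or the sample. It parses a
PE section table and copies each section exactly as the shellcode does:
min(SizeOfRawData, VirtualSize) bytes from PointerToRawData to
VirtualAddress inside a zero-filled buffer of SizeOfImage bytes. The PE
image it runs on is constructed inline and is not the sample.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"
SECTION_HEADER_SIZE = 40


def parse_headers(image: bytes) -> dict:
    """Pull SizeOfImage, SizeOfHeaders and the section table out of a PE32/PE32+ image."""
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER
    size_of_image = struct.unpack_from("<I", image, opt + 56)[0]
    size_of_headers = struct.unpack_from("<I", image, opt + 60)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE    # IMAGE_SECTION_HEADER
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        sections.append({"name": name.rstrip(b"\0").decode(),
                         "virtual_size": vsize,            # [EDX+8]
                         "virtual_address": va,            # [EDX+0C]
                         "raw_size": rsize,                # [EDX+10]
                         "raw_ptr": rptr})                 # [EDX+14]
    return {"size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "sections": sections}


def map_sections(image: bytes) -> bytearray:
    """Lay the file image out as it would be in memory (the REP STOS / REP MOVS loop)."""
    hdr = parse_headers(image)
    mapped = bytearray(hdr["size_of_image"])              # fresh region, zero-filled
    mapped[:hdr["size_of_headers"]] = image[:hdr["size_of_headers"]]
    for sec in hdr["sections"]:
        count = sec["raw_size"]                           # ECX = SizeOfRawData
        if count == 0:
            sec["raw_ptr"] = 0                            # MOV [EDX+14],0 at 002606BA
        if count > sec["virtual_size"]:
            count = sec["virtual_size"]                   # CMP/JBE at 002606C1: never past VirtualSize
        src, dst = sec["raw_ptr"], sec["virtual_address"]
        # the shellcode has no bounds check; a loader that trusts headers must add one
        if src + count > len(image) or dst + count > len(mapped):
            raise ValueError(f"section {sec['name']} lies outside the image")
        mapped[dst:dst + count] = image[src:src + count]  # REP MOVS
    return mapped


def build_test_image() -> bytes:
    """A tiny PE32 with three sections (constructed test data, not the sample)."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b".text", 0x100, 0x1000, 0x10, 0x200),
        (b".data", 0x20, 0x2000, 0x30, 0x400),  # raw data longer than VirtualSize
        (b".bss", 0x40, 0x3000, 0x00, 0x000),   # uninitialised: nothing to copy
    ]
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                 # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 56, 0x4000)               # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                # SizeOfHeaders
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    image = bytearray(0x430)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table
    image[:len(headers)] = headers
    image[0x200:0x210] = b"\x55\x8b\xec" + b"\xc3" * 13   # .text raw bytes
    image[0x400:0x430] = b"A" * 0x30                      # .data raw bytes
    return bytes(image)
```

Running `map_sections(build_test_image())` gives a 0x4000-byte buffer in which .text lands at 0x1000, only 0x20 of .data's 0x30 raw bytes land at 0x2000, and .bss stays zero; dumping such a buffer from the debugger after the loop finishes is how the "process code after shellcode removal" attachment is obtained.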
3. Start-up of the Vadchdhv core process and behaviour tracing

Once the shellcode has released the trojan body it jumps into it. Tracing from there, the key calls are:

```asm
00021BDA  56               PUSH ESI
00021BDB  57               PUSH EDI
00021BDC  68 BC330200      PUSH 000233BC
00021BE1  57               PUSH EDI                      ; UNICODE "C:\Users\*\AppData\Roaming"
00021BE2  BA 04010000      MOV EDX,104
00021BE7  E8 64F7FFFF      CALL 00021350
```

Step into CALL 00021350 at 00021BE7. It is a path-combine helper (it calls into SHLWAPI) that joins the user's C:\Users\*\AppData\Roaming folder with the string at 000233BC; the result is the drop path C:\Users\*\AppData\Roaming\Microsoft\gxwmgr32.exe, and gxwmgr32.exe is created there.
```asm
00021350  8B4C24 08        MOV ECX,DWORD PTR SS:[ESP+8]
00021354  8D4424 0C        LEA EAX,[ESP+0C]
00021358  50               PUSH EAX
00021359  8B4424 08        MOV EAX,DWORD PTR SS:[ESP+8]  ; UNICODE "C:\Users\*\AppData\Roaming"
0002135D  51               PUSH ECX
0002135E  52               PUSH EDX
0002135F  50               PUSH EAX                      ; UNICODE "C:\Users\h\AppData\Roaming"
00021360  FF15 98300200    CALL DWORD PTR DS:[23098]     ; SHLWAPI.7536EFD9
00021366  C3               RETN
```

Inside SHLWAPI the combined path is visible as the call returns:

```asm
7536F0B6  5F               POP EDI                       ; UNICODE "C:\Users\h\AppData\Roaming\Microsoft\gxwmgr32.exe"
```

Stack and return fragment captured by OD at that point:

```asm
7535C527  3B0D 04233975    CMP ECX,DWORD PTR DS:[75392304]
7535C52D  0F85 9E240300    JNE 7538E9D1
7535C533  C3               RETN
7535C534  5300 7900 7300   UNICODE "System",0
```
Continuing:

```asm
00021ED2  6A 00            PUSH 0
00021ED4  FF15 44300200    CALL DWORD PTR DS:[23044]     ; kernel32.GetModuleFileNameW(hModule = the sample on the desktop, Buffer, Count)
00021EDA  85C0             TEST EAX,EAX
00021EDC  76 47            JBE SHORT 00021F25
00021EDE  8D0424           LEA EAX,[ESP]
00021EE1  8D9424 08020000  LEA EDX,[ESP+208]
00021EE8  E8 43000000      CALL 00021F30
00021EED  85C0             TEST EAX,EAX
00021EEF  74 34            JE SHORT 00021F25
00021EF1  8D8C24 08020000  LEA ECX,[ESP+208]
00021EF8  51               PUSH ECX                      ; UNICODE "C:\Users\*\Desktop\c14bc530f959cb8dedb0f51527173a44cec8b670"
00021EF9  8D4424 04        LEA EAX,[ESP+4]
00021EFD  E8 BEF4FFFF      CALL 000213C0
00021F02  83C4 04          ADD ESP,4
00021F05  85C0             TEST EAX,EAX
00021F07  74 10            JE SHORT 00021F19
00021F09  8D0424           LEA EAX,[ESP]
00021F0C  E8 EFFCFFFF      CALL 00021C00
```

Note the PUSH ECX at 00021EF8 with UNICODE "C:\Users\*\Desktop\c14bc530f959cb8dedb0f51527173a44cec8b670": this is the original sample's own path, obtained from GetModuleFileNameW. Step into the call to 000213C0 at 00021EFD:
```asm
000213C0  83EC 0C          SUB ESP,0C
000213C3  53               PUSH EBX
000213C4  56               PUSH ESI
000213C5  57               PUSH EDI
000213C6  8BF0             MOV ESI,EAX
000213C8  68 80000000      PUSH 80                       ; FILE_ATTRIBUTE_NORMAL
000213CD  56               PUSH ESI                      ; UNICODE "C:\Users\h\AppData\Roaming\Microsoft\gxwmgr32.exe"
000213CE  33FF             XOR EDI,EDI
000213D0  FF15 2C300200    CALL DWORD PTR DS:[2302C]     ; kernel32.SetFileAttributesW(Name,Attributes)
000213D6  57               PUSH EDI                      ; hTemplate = 0
000213D7  6A 05            PUSH 5                        ; Attributes = FILE_ATTRIBUTE_READONLY|FILE_ATTRIBUTE_SYSTEM
000213D9  6A 02            PUSH 2                        ; CREATE_ALWAYS
000213DB  57               PUSH EDI                      ; pSecurity = 0
000213DC  57               PUSH EDI                      ; ShareMode = 0
000213DD  68 00000040      PUSH 40000000                 ; GENERIC_WRITE
000213E2  56               PUSH ESI                      ; FileName = ...\Microsoft\gxwmgr32.exe
000213E3  8B35 60300200    MOV ESI,DWORD PTR DS:[23060]
000213E9  FFD6             CALL ESI                      ; kernel32.CreateFileW
000213EB  8BD8             MOV EBX,EAX
000213ED  83FB FF          CMP EBX,-1
000213F0  0F84 C5000000    JE 000214BB
000213F6  8B4424 1C        MOV EAX,DWORD PTR SS:[ESP+1C] ; UNICODE "C:\Users\h\Desktop\c14bc530f959cb8dedb0f51527173a44cec8b670"
000213FA  57               PUSH EDI
000213FB  57               PUSH EDI
000213FC  6A 03            PUSH 3                        ; OPEN_EXISTING
000213FE  57               PUSH EDI
```

The routine creates gxwmgr32.exe with the READONLY and SYSTEM attributes, then opens the original sample (OPEN_EXISTING) and reads from it, so the data written to gxwmgr32.exe comes from the original sample. Continue to the call to 00021C00 at 00021F0C and step in:
```asm
00021C00
00021C05  0053 56          ADD BYTE PTR DS:[EBX+56],DL   ; OD lost sync here: bytes 53 56 are PUSH EBX / PUSH ESI (matching the POP ESI / POP EBX epilogue)
00021C08  8B35 60300200    MOV ESI,DWORD PTR DS:[23060]  ; kernel32.CreateFileW
00021C0E  57               PUSH EDI
00021C0F  6A 00            PUSH 0                        ; hTemplate
00021C11  68 80000000      PUSH 80                       ; FILE_ATTRIBUTE_NORMAL
00021C16  6A 03            PUSH 3                        ; OPEN_EXISTING
00021C18  6A 00            PUSH 0
00021C1A  6A 00            PUSH 0
00021C1C  68 00010000      PUSH 100                      ; FILE_WRITE_ATTRIBUTES
00021C21  50               PUSH EAX                      ; path of the dropped file
00021C22  FFD6             CALL ESI                      ; kernel32.CreateFileW
00021C24  8B1D 58300200    MOV EBX,DWORD PTR DS:[23058]  ; kernel32.CloseHandle
00021C2A  8BF8             MOV EDI,EAX
00021C2C  83FF FF          CMP EDI,-1
00021C2F  74 7A            JE SHORT 00021CAB
00021C31  8D4C24 1C        LEA ECX,[ESP+1C]
00021C35  51               PUSH ECX
00021C36  6A 00            PUSH 0
00021C38  6A 00            PUSH 0
00021C3A  68 25800000      PUSH 8025                     ; CSIDL_SYSTEM | CSIDL_FLAG_CREATE
00021C3F  6A 00            PUSH 0
00021C41  FF15 8C300200    CALL DWORD PTR DS:[2308C]     ; SHELL32.SHGetFolderPathW -> UNICODE "C:\Windows\system32"
00021C47  8D5424 1C        LEA EDX,[ESP+1C]
00021C4B  52               PUSH EDX
00021C4C  8BC2             MOV EAX,EDX                   ; UNICODE "C:\Windows\system32"
00021C4E  68 04350200      PUSH 00023504
00021C53  50               PUSH EAX
00021C54  BA 04010000      MOV EDX,104
00021C59  E8 F2F6FFFF      CALL 00021350                 ; path combine -> "C:\Windows\system32\svchost.exe"
00021C5E  83C4 0C          ADD ESP,0C
00021C61  6A 00            PUSH 0                        ; hTemplate
00021C63  6A 10            PUSH 10
00021C65  6A 03            PUSH 3                        ; OPEN_EXISTING
00021C67  6A 00            PUSH 0
00021C69  6A 01            PUSH 1                        ; FILE_SHARE_READ
00021C6B  68 80000000      PUSH 80                       ; FILE_READ_ATTRIBUTES
00021C70  8D4C24 34        LEA ECX,[ESP+34]
00021C74  51               PUSH ECX                      ; UNICODE "C:\Windows\system32\svchost.exe"
00021C75  FF D6            CALL ESI                      ; kernel32.CreateFileW
00021C77  8BF0             MOV ESI,EAX
00021C79  83FE FF          CMP ESI,-1
00021C7C  74 2A            JE SHORT 00021CA8
00021C7E  8D5424 14        LEA EDX,[ESP+14]
00021C82  52               PUSH EDX                      ; pLastWriteTime
00021C83  6A 00            PUSH 0                        ; pLastAccessTime = NULL
00021C85  8D4424 14        LEA EAX,[ESP+14]
00021C89  50               PUSH EAX                      ; pCreationTime
00021C8A  56               PUSH ESI                      ; hFile = svchost.exe
00021C8B  FF15 48300200    CALL DWORD PTR DS:[23048]     ; kernel32.GetFileTime(hFile,pCreationTime,pLastAccessTime,pLastWriteTime)
00021C91  85C0             TEST EAX,EAX
00021C93  74 13            JE SHORT 00021CA8
00021C95  8D4C24 14        LEA ECX,[ESP+14]
00021C99  51               PUSH ECX                      ; WriteTime (taken from svchost.exe)
00021C9A  6A 00            PUSH 0                        ; AccessTime = NULL
00021C9C  8D5424 14        LEA EDX,[ESP+14]
00021CA0  52               PUSH EDX                      ; CreationTime (taken from svchost.exe)
00021CA1  57               PUSH EDI                      ; hFile = dropped file
00021CA2  FF15 40300200    CALL DWORD PTR DS:[23040]     ; kernel32.SetFileTime(hFile,CreationTime,AccessTime,WriteTime)
00021CA8  56               PUSH ESI
00021CA9  FFD3             CALL EBX                      ; kernel32.CloseHandle
00021CAB  57               PUSH EDI
00021CAC  FFD3             CALL EBX                      ; kernel32.CloseHandle
00021CAE  5F               POP EDI
00021CAF  5E               POP ESI
00021CB0  5B               POP EBX
00021CB1  81C4 18020000    ADD ESP,218
00021CB7  C3               RETN
```

This routine does not create svchost.exe. It opens the dropped file with FILE_WRITE_ATTRIBUTES (100), opens the genuine C:\Windows\system32\svchost.exe read-only (FILE_READ_ATTRIBUTES, OPEN_EXISTING), reads that file's creation and last-write times with GetFileTime, and stamps them onto the dropped file with SetFileTime. The effect is timestomping: the dropped copy carries the timestamps of a legitimate system binary, so sorting a directory by date does not make it stand out. Continuing:
```asm
00021F11  8D0424           LEA EAX,[ESP]
00021F14  E8 57F4FFFF      CALL 00021370
00021F19  8D8C24 08020000  LEA ECX,[ESP+208]
00021F20  E8 9BFDFFFF      CALL 00021CC0
```

Step into CALL 00021370. It builds the name of the Zone.Identifier alternate data stream of the dropped file, resets the attributes and deletes the stream, which strips the mark-of-the-web that would otherwise flag the copy as downloaded:

```asm
00021370
00021373  0200             ADD AL,BYTE PTR DS:[EAX]      ; OD lost sync from 00021373 to 0002137E: the bytes belong to the SUB ESP,208 prologue (matching the ADD ESP,208 epilogue) and the argument setup for the path-combine call below
00021375  0068 50          ADD BYTE PTR DS:[EAX+50],CH
00021378  35 0200508D      XOR EAX,8D500002
0002137D  4C               DEC ESP
0002137E  24 08            AND AL,08
00021380  68 18390200      PUSH 00023918
00021385  51               PUSH ECX
00021386  BA 04010000      MOV EDX,104
0002138B  E8 C0FFFFFF      CALL 00021350                 ; path combine
00021390  83C4 10          ADD ESP,10
00021393  68 80000000      PUSH 80                       ; FILE_ATTRIBUTE_NORMAL
00021398  8D5424 04        LEA EDX,[ESP+4]
0002139C  52               PUSH EDX                      ; UNICODE "C:\Users\h\AppData\Roaming\Microsoft\gxwmgr32.exe:Zone.Identifier"
0002139D  FF15 2C300200    CALL DWORD PTR DS:[2302C]     ; kernel32.SetFileAttributesW(Name,Attributes)
000213A3  8D0424           LEA EAX,[ESP]
000213A6  50               PUSH EAX                      ; UNICODE "C:\Users\h\AppData\Roaming\Microsoft\gxwmgr32.exe:Zone.Identifier"
000213A7  FF15 38300200    CALL DWORD PTR DS:[23038]     ; kernel32.DeleteFileW(Name)
000213AD  81C4 08020000    ADD ESP,208
000213B3  C3               RETN
```
Step into CALL 00021CC0. This is the key routine in which Vadchdhv starts a cmd process to run C:\Users\h\AppData\Roaming\4336348.bat. The file name 4336348 is generated by ntdll.RtlRandom, seeded from the current time, and reduced modulo 10,000,000 by the multiply-and-shift sequence at 00021D3D (the constant 6B5FCA6B is ceil(2^54 / 10^7) and 989680 is 10,000,000), so the name is always at most seven decimal digits.
```asm
00021CC0  81EC 68040000    SUB ESP,468
00021CC6  68 04010000      PUSH 104                      ; Count
00021CCB  8D8424 64020000  LEA EAX,[ESP+264]
00021CD2  50               PUSH EAX                      ; ShortPath buffer (stale contents: "...\gxwmgr32.exe:Zone.Identifier")
00021CD3  51               PUSH ECX                      ; Path = original sample
00021CD4  FF15 4C300200    CALL DWORD PTR DS:[2304C]     ; kernel32.GetShortPathNameW(Path,ShortPath,Count) -> UNICODE "C:\Users\*\Desktop\C14BC5~1"
00021CDA  85C0             TEST EAX,EAX
00021CDC  0F84 C4010000    JE 00021EA6
00021CE2  56               PUSH ESI
00021CE3  8D5424 5C        LEA EDX,[ESP+5C]
00021CE7  52               PUSH EDX
00021CE8  6A 00            PUSH 0
00021CEA  6A 00            PUSH 0
00021CEC  68 1A800000      PUSH 801A                     ; CSIDL_APPDATA | CSIDL_FLAG_CREATE
00021CF1  6A 00            PUSH 0
00021CF3  FF15 8C300200    CALL DWORD PTR DS:[2308C]     ; SHELL32.SHGetFolderPathW -> UNICODE "C:\Users\*\AppData\Roaming"
00021CF9  68 60310200      PUSH 00023160                 ; "RtlRandom"
00021CFE  68 6C310200      PUSH 0002316C                 ; module name
00021D03  FF15 70300200    CALL DWORD PTR DS:[23070]     ; kernel32.GetModuleHandleW(ModuleName) -> 776F0000 ('ntdll')
00021D09  50               PUSH EAX
00021D0A  FF15 6C300200    CALL DWORD PTR DS:[2306C]     ; kernel32.GetProcAddress(hModule, "RtlRandom")
00021D10  8BF0             MOV ESI,EAX
00021D12  85F6             TEST ESI,ESI
00021D14  75 04            JNE SHORT 00021D1A
00021D16  33C9             XOR ECX,ECX
00021D18  EB 23            JMP SHORT 00021D3D
00021D1A  F605 B4130300 01 TEST BYTE PTR DS:[313B4],01   ; seed already initialised?
00021D21  75 11            JNE SHORT 00021D34
00021D23  830D B4130300 01 OR DWORD PTR DS:[313B4],1
00021D2A  E8 61030000      CALL 00022090                 ; current time as seconds since 1970
00021D2F  A3 B0130300      MOV DWORD PTR DS:[313B0],EAX  ; seed
00021D34  68 B0130300      PUSH OFFSET 000313B0          ; &seed
00021D39  FFD6             CALL ESI                      ; ntdll.RtlRandom
00021D3B  8BC8             MOV ECX,EAX
00021D3D  B8 6BCA5F6B      MOV EAX,6B5FCA6B
00021D42  F7E1             MUL ECX
00021D44  C1EA 16          SHR EDX,16                    ; EDX = ECX / 10000000
00021D47  69D2 80969800    IMUL EDX,EDX,989680           ; * 10000000
00021D4D  55               PUSH EBP
00021D4E  2BCA             SUB ECX,EDX                   ; ECX = random % 10000000
00021D50  51               PUSH ECX
00021D51  8D4424 64        LEA EAX,[ESP+64]
00021D55  50               PUSH EAX                      ; UNICODE "C:\Users\h\AppData\Roaming"
00021D56  8BC8             MOV ECX,EAX
00021D58  68 9C340200      PUSH 0002349C
00021D5D  51               PUSH ECX                      ; UNICODE "C:\Users\h\AppData\Roaming"
00021D5E  BA 04010000      MOV EDX,104
00021D63  E8 E8F5FFFF      CALL 00021350                 ; -> UNICODE "C:\Users\h\AppData\Roaming\4336348.bat"
00021D68  8B2D 1C300200    MOV EBP,DWORD PTR DS:[2301C]  ; KERNELBASE.GetProcessHeap
00021D6E  83C4 10          ADD ESP,10
00021D71  68 00040000      PUSH 400                      ; Size = 1024
00021D76  6A 08            PUSH 8                        ; HEAP_ZERO_MEMORY
00021D78  FFD5             CALL EBP                      ; KERNELBASE.GetProcessHeap -> 00640000
00021D7A  50               PUSH EAX
00021D7B  FF15 14300200    CALL DWORD PTR DS:[23014]     ; ntdll.RtlAllocateHeap(Heap,Flags,Size)
00021D81  8BF0             MOV ESI,EAX
00021D83  85F6             TEST ESI,ESI
00021D85  0F84 19010000    JE 00021EA4
00021D8B  53               PUSH EBX
00021D8C  57               PUSH EDI
00021D8D  6A 00            PUSH 0                        ; hTemplate
00021D8F  68 80000000      PUSH 80                       ; FILE_ATTRIBUTE_NORMAL
00021D94  6A 02            PUSH 2                        ; CREATE_ALWAYS
00021D96  6A 00            PUSH 0
00021D98  6A 00            PUSH 0
00021D9A  68 00000040      PUSH 40000000                 ; GENERIC_WRITE
00021D9F  8D9424 80000000  LEA EDX,[ESP+80]
00021DA6  52               PUSH EDX                      ; UNICODE "C:\Users\h\AppData\Roaming\4336348.bat"
00021DA7  FF15 60300200    CALL DWORD PTR DS:[23060]     ; kernel32.CreateFileW(FileName,DesiredAccess,ShareMode,pSecurity,CreationDistribution,Attributes,hTemplate)
00021DAD  8B1D 58300200    MOV EBX,DWORD PTR DS:[23058]  ; kernel32.CloseHandle
00021DB3  8BF8             MOV EDI,EAX
00021DB5  83FF FF          CMP EDI,-1
00021DB8  74 51            JE SHORT 00021E0B
00021DBA  68 04010000      PUSH 104
00021DBF  8D4424 6C        LEA EAX,[ESP+6C]
00021DC3  50               PUSH EAX
00021DC4  8BC8             MOV ECX,EAX
00021DC6  51               PUSH ECX                      ; UNICODE "C:\Users\h\AppData\Roaming\4336348.bat"
00021DC7  FF15 4C300200    CALL DWORD PTR DS:[2304C]     ; kernel32.GetShortPathNameW(Path,ShortPath,Count)
00021DCD  85C0             TEST EAX,EAX
00021DCF  74 3A            JE SHORT 00021E0B
00021DD1  8D5424 68        LEA EDX,[ESP+68]
00021DD5  52               PUSH EDX                      ; UNICODE "C:\Users\h\AppData\Roaming\4336348.bat"
00021DD6  8D8424 74020000  LEA EAX,[ESP+274]
00021DDD  50               PUSH EAX                      ; UNICODE "C:\Users\h\Desktop\C14BC5~1"
00021DDE  8BC8             MOV ECX,EAX
00021DE0  51               PUSH ECX
00021DE1  68 B8340200      PUSH 000234B8                 ; batch script template
00021DE6  56               PUSH ESI                      ; 1024-byte heap buffer
00021DE7  BA 00040000      MOV EDX,400
00021DEC  E8 EFFCFFFF      CALL 00021AE0                 ; builds the batch script text
00021DF1  83C4 14          ADD ESP,14
00021DF4  6A 00            PUSH 0                        ; pOverlapped
00021DF6  8D5424 14        LEA EDX,[ESP+14]
00021DFA  52               PUSH EDX                      ; pBytesWritten
00021DFB  50               PUSH EAX                      ; Size
00021DFC  56               PUSH ESI                      ; Buffer: ASCII batch script (reproduced below)
00021DFD  57               PUSH EDI                      ; hFile
00021DFE  894424 24        MOV DWORD PTR SS:[ESP+24],EAX
00021E02  FF15 68300200    CALL DWORD PTR DS:[23068]     ; kernel32.WriteFile(hFile,Buffer,Size,pBytesWritten,pOverlapped)
00021E08  57               PUSH EDI
00021E09  FFD3             CALL EBX                      ; kernel32.CloseHandle
00021E0B  68 04010000      PUSH 104                      ; Count = 260
00021E10  8D8424 74020000  LEA EAX,[ESP+274]
00021E17  50               PUSH EAX                      ; Buffer (stale contents: "C:\Users\h\Desktop\C14BC5~1")
00021E18  68 24350200      PUSH 00023524                 ; Name = "ComSpec"
00021E1D  FF15 34300200    CALL DWORD PTR DS:[23034]     ; kernel32.GetEnvironmentVariableW(Name,Buffer,Count)
00021E23  85C0             TEST EAX,EAX
00021E25  74 6F            JE SHORT 00021E96
00021E27  8D4C24 68        LEA ECX,[ESP+68]
00021E2B  51               PUSH ECX                      ; UNICODE "C:\Users\h\AppData\Roaming\4336348.bat"
00021E2C  8D9424 74020000  LEA EDX,[ESP+274]
00021E33  52               PUSH EDX                      ; UNICODE "C:\Windows\system32\cmd.exe"
00021E34  68 34350200      PUSH 00023534
00021E39  56               PUSH ESI
00021E3A  BA 00020000      MOV EDX,200
00021E3F  E8 0CF5FFFF      CALL 00021350                 ; -> UNICODE ""C:\Windows\system32\cmd.exe" /c "C:\Users\h\AppData\Roaming\4336348.bat""
00021E44  6A 00            PUSH 0
00021E46  8D4424 38        LEA EAX,[ESP+38]
00021E4A  6A 44            PUSH 44                       ; sizeof(STARTUPINFOW)
00021E4C  50               PUSH EAX
00021E4D  E8 0EF7FFFF      CALL 00021560                 ; (&si, 0x44, 0): likely zeroes the STARTUPINFOW
00021E52  834C24 6C 01     OR DWORD PTR SS:[ESP+6C],1    ; si.dwFlags |= STARTF_USESHOWWINDOW (wShowWindow stays 0 = SW_HIDE)
00021E57  83C4 1C          ADD ESP,1C
00021E5A  8D4C24 14        LEA ECX,[ESP+14]
00021E5E  51               PUSH ECX                      ; pProcessInformation
00021E5F  8D5424 28        LEA EDX,[ESP+28]
00021E63  52               PUSH EDX                      ; pStartupInfo
00021E64  6A 00            PUSH 0                        ; CurrentDirectory
00021E66  6A 00            PUSH 0                        ; pEnvironment
00021E68  68 00000008      PUSH 8000000                  ; CreationFlags = CREATE_NO_WINDOW
00021E6D  6A 00            PUSH 0                        ; InheritHandles
00021E6F  6A 00            PUSH 0                        ; pThreadSecurity
00021E71  6A 00            PUSH 0                        ; pProcessSecurity
00021E73  56               PUSH ESI                      ; CommandLine = "C:\Windows\system32\cmd.exe" /c "C:\Users\h\AppData\Roaming\4336348.bat"
00021E74  6A 00            PUSH 0                        ; ApplicationName
00021E76  C74424 4C 44000000 MOV DWORD PTR SS:[ESP+4C],44 ; si.cb = 0x44
00021E7E  FF15 3C300200    CALL DWORD PTR DS:[2303C]     ; kernel32.CreateProcessW(...)  starts the cmd process
00021E84  85C0             TEST EAX,EAX
00021E86  74 0E            JE SHORT 00021E96
00021E88  8B4424 18        MOV EAX,DWORD PTR SS:[ESP+18]
00021E8C  50               PUSH EAX
00021E8D  FFD3             CALL EBX                      ; kernel32.CloseHandle
00021E8F  8B4C24 14        MOV ECX,DWORD PTR SS:[ESP+14]
00021E93  51               PUSH ECX
00021E94  FFD3             CALL EBX                      ; kernel32.CloseHandle
00021E96  56               PUSH ESI                      ; command-line buffer
00021E97  6A 00            PUSH 0
00021E99  FFD5             CALL EBP                      ; KERNELBASE.GetProcessHeap
00021E9B  50               PUSH EAX
00021E9C  FF15 18300200    CALL DWORD PTR DS:[23018]     ; kernel32.HeapFree(Heap,Flags,pMem)
00021EA2  5F               POP EDI
00021EA3  5B               POP EBX
00021EA4  5D               POP EBP
00021EA5  5E               POP ESI
00021EA6  81C4 68040000    ADD ESP,468
00021EAC  C3               RETN
```
The call to 00022090 at 00021D2A does not touch file attributes: it derives the seed for RtlRandom from the current time (using kernel32.GetSystemTimeAsFileTime and ntdll.RtlTimeToSecondsSince1970), stores it at 000313B0, and that address is then passed to RtlRandom. The call to 00021AE0 at 00021DEC builds the batch script that is written to the file (the ASCII buffer pushed at 00021DFC, shown here with its line breaks restored):

```bat
:l
if not exist "C:\Users\h\Desktop\C14BC5~1" goto e
del /Q /F "C:\Users\h\Desktop\C14BC5~1"
goto l
:e
del /Q /F "C:\Users\h\AppData\Roaming\4336348.bat"
```

C14BC5~1 is the 8.3 short name of the original sample (obtained with GetShortPathNameW), so the script keeps deleting the original sample until it is gone, then deletes itself; what remains on disk is the copy dropped into AppData\Roaming\Microsoft. Then at 00021E7E the call through DS:[2303C], kernel32.CreateProcessW, starts the cmd process with these arguments:

```text
ApplicationName     = NULL
CommandLine         = "C:\Windows\system32\cmd.exe" /c "C:\Users\h\AppData\Roaming\4336348.bat"
pProcessSecurity    = NULL
pThreadSecurity     = NULL
InheritHandles      = FALSE
CreationFlags       = CREATE_NO_WINDOW
pEnvironment        = NULL
CurrentDirectory    = NULL
pStartupInfo        = 0017F6E4 -> STARTUPINFOW {cb = 68, Reserved1 = NULL, Desktop = NULL, Title = NULL, X = 0, Y = 0, Width = 0, Height = 0, XCountChars = 0, YCountChars = 0, FillAttribute = 0, Flags = STARTF_USESHOWWINDOW, ShowWindow = SW_HIDE, Reserved2 = 0, Reserved3 = NULL, ...}
pProcessInformation = 0017F6D4 -> PROCESS_INFORMATION {hProcess = 00650064, hThread = 0074006E, ProcessID = 660069, ThreadID = 7F}
```

The PROCESS_INFORMATION values are the buffer's stale contents captured before the call returned (00650064 and 0074006E are the UTF-16 characters "de" and "nt"), not real handles.
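Detection logic for this launch sequence, as an added example (not code from the post or from the sample): it flags a process-creation record whose command line is cmd.exe /c on a batch file with an all-digit name of at most seven digits under AppData\Roaming (the bound follows from the modulo-10,000,000 arithmetic, which the example reproduces), checks the CREATE_NO_WINDOW flag, and recognises the delete-until-gone loop in the batch text. The event records and their field names are constructed for the example and are not any product's schema.

```python
"""Detection of the hidden cmd.exe /c <random>.bat self-delete launch.

Added example, not code from the original post or the sample. The process
records below are constructed; their field names (image, command_line,
creation_flags, parent_image) are an assumption, not a real product schema.
"""
import re
from typing import List, Optional

CREATE_NO_WINDOW = 0x08000000
MAGIC = 0x6B5FCA6B     # ceil(2**54 / 10**7): MUL + SHR EDX,16 at 00021D3D divides by 10,000,000

# "<dir>\cmd.exe" /c "<dir>\AppData\Roaming\<digits>.bat", quotes optional
CMD_BAT_LAUNCH = re.compile(
    r'^\s*"?(?P<cmd>[^"\s]*\\cmd\.exe)"?\s+/c\s+'
    r'"?(?P<bat>[^"]*\\AppData\\Roaming\\(?P<name>\d+)\.bat)"?\s*$',
    re.IGNORECASE,
)


def bat_name_from_random(r: int) -> str:
    """Reproduce 00021D3D-00021D4E: RtlRandom() % 10_000_000 via magic-number division."""
    r &= 0xFFFFFFFF
    quotient = (r * MAGIC) >> 54            # MUL yields 64 bits; SHR EDX,0x16 keeps bits 54 and up
    return str(r - quotient * 10_000_000)   # IMUL EDX,EDX,989680 then SUB ECX,EDX


def is_self_delete_batch(text: str, bat_path: str) -> bool:
    """True if the script loops deleting a target until it is gone, then deletes itself."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    has_label = any(ln.startswith(":") for ln in lines)
    has_retry = any(re.match(r'^if\s+not\s+exist\s+"?.+?"?\s+goto\s+\w+$', ln, re.I) for ln in lines)
    has_loop_back = any(re.match(r'^goto\s+\w+$', ln, re.I) for ln in lines)
    self_del = re.compile(r'^del\s+(?:/[qf]\s+)*"?' + re.escape(bat_path) + r'"?$', re.I)
    deletes_self = any(self_del.match(ln) for ln in lines)
    return has_label and has_retry and has_loop_back and deletes_self


def score_launch(event: dict, batch_text: Optional[str] = None) -> List[str]:
    """Return the reasons an event looks like this launch; an empty list means no match."""
    reasons: List[str] = []
    m = CMD_BAT_LAUNCH.match(event.get("command_line", ""))
    if not m:
        return reasons
    reasons.append("cmd.exe /c on a batch file under AppData\\Roaming")
    if len(m.group("name")) <= 7:
        reasons.append("batch name is at most 7 decimal digits (RtlRandom % 10,000,000)")
    if event.get("creation_flags", 0) & CREATE_NO_WINDOW:
        reasons.append("launched with CREATE_NO_WINDOW")
    if "\\windows\\" not in event.get("parent_image", "").lower():
        reasons.append("parent is not a Windows binary: " + event.get("parent_image", ""))
    if batch_text is not None and is_self_delete_batch(batch_text, m.group("bat")):
        reasons.append("batch script is a delete-until-gone loop that removes itself")
    return reasons


# Constructed records: the first mirrors the CreateProcessW arguments seen in the debugger.
SAMPLE_EVENT = {
    "image": r"C:\Windows\system32\cmd.exe",
    "command_line": r'"C:\Windows\system32\cmd.exe" /c "C:\Users\h\AppData\Roaming\4336348.bat"',
    "parent_image": r"C:\Users\h\Desktop\c14bc530f959cb8dedb0f51527173a44cec8b670",
    "creation_flags": CREATE_NO_WINDOW,
}
BENIGN_EVENT = {
    "image": r"C:\Windows\system32\cmd.exe",
    "command_line": r'"C:\Windows\system32\cmd.exe" /c "C:\Program Files\Tool\build.bat"',
    "parent_image": r"C:\Windows\explorer.exe",
    "creation_flags": 0,
}
SAMPLE_BATCH = (   # the script the stub writes, with line breaks restored
    ":l\r\n"
    'if not exist "C:\\Users\\h\\Desktop\\C14BC5~1" goto e\r\n'
    'del /Q /F "C:\\Users\\h\\Desktop\\C14BC5~1"\r\n'
    "goto l\r\n"
    ":e\r\n"
    'del /Q /F "C:\\Users\\h\\AppData\\Roaming\\4336348.bat"\r\n'
)

if __name__ == "__main__":
    for reason in score_launch(SAMPLE_EVENT, SAMPLE_BATCH):
        print("-", reason)
```

Each check on its own is weak (plenty of installers run batch files from AppData), so the function returns the list of reasons rather than a verdict and leaves the threshold to the rule author; the combination of a hidden window, a numeric batch name, a non-Windows parent and a self-deleting script is what makes this launch distinctive.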
At this point Vadchdhv has completed its first stage. Next it enters a loop that enumerates the system's processes looking for explorer.exe. Each process name is hashed with ntdll.RtlComputeCrc32 (resolved dynamically via GetModuleHandleW/GetProcAddress) and the result is compared with the constant 095E2844; the names visible in EDI on successive passes (csrss.exe, wininit.exe, services.exe, lsass.exe) are candidates that did not match:

```asm
0002190F  8BF7             MOV ESI,EDI
00021911  74 09            JE SHORT 0002191C
00021913  83C6 02          ADD ESI,2                     ; OD lost sync from here to 0002191B: the bytes 66 83 3E 00 / 75 F7
00021915  0266 83          ADD AH,BYTE PTR DS:[ESI-7D]   ; decode as CMP WORD PTR DS:[ESI],0 / JNE SHORT 00021913,
00021918  3E:0075 F7       ADD BYTE PTR DS:[EBP-9],DH    ; i.e. a scan to the UTF-16 terminator
0002191C  68 24390200      PUSH 00023924                 ; export name (resolves ntdll.RtlComputeCrc32)
00021921  68 34390200      PUSH 00023934                 ; module name
00021926  FF15 70300200    CALL DWORD PTR DS:[23070]     ; kernel32.GetModuleHandleW  (EDI -> UNICODE "csrss.exe" on this pass)
0002192C  50               PUSH EAX
0002192D  FF15 6C300200    CALL DWORD PTR DS:[2306C]     ; KERNELBASE.GetProcAddress
00021933  85C0             TEST EAX,EAX
00021935  75 0E            JNE SHORT 00021945
00021937  33C9             XOR ECX,ECX                   ; resolution failed: compare 0 and return FALSE
00021939  3D 44285E09      CMP EAX,95E2844
0002193E  0F94C1           SETE CL
00021941  5E               POP ESI
00021942  8BC1             MOV EAX,ECX
00021944  C3               RETN
00021945  2BF7             SUB ESI,EDI                   ; byte length of the name
00021947  D1FE             SAR ESI,1
00021949  03F6             ADD ESI,ESI                   ; rounded down to whole WCHARs
0002194B  56               PUSH ESI                      ; Length
0002194C  57               PUSH EDI                      ; Buffer: UNICODE "wininit.exe", "services.exe", "lsass.exe", ... on successive passes
0002194D  6A 00            PUSH 0                        ; InitialCrc = 0
0002194F  FFD0             CALL EAX                      ; ntdll.RtlComputeCrc32
00021951  33C9             XOR ECX,ECX
00021953  3D 44285E09      CMP EAX,95E2844               ; CRC-32 of the wanted process name
00021958  0F94C1           SETE CL
0002195B  5E               POP ESI
0002195C  8BC1             MOV EAX,ECX                   ; TRUE only for the matching process
0002195E  C3               RETN
```
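The hash comparison above, reproduced as an added example (not code from the post or the sample): it computes RtlComputeCrc32(0, name, length) the way the stub does, over the UTF-16LE name without its terminator, and shows how an analyst turns an opaque hash constant back into a process name with a candidate list. It assumes that RtlComputeCrc32 with InitialCrc = 0 is the standard CRC-32 that zlib.crc32 computes; the candidate list is constructed here and is not taken from the sample.

```python
"""Process-name matching by CRC-32, as in the loop at 0002190F.

Added example, not code from the original post or the sample. It
reproduces the test RtlComputeCrc32(0, name, wcslen(name) * 2) == 095E2844
and shows how an opaque hash constant is turned back into a name with a
candidate list. Assumptions: RtlComputeCrc32 with InitialCrc = 0 is the
standard CRC-32 that zlib.crc32 computes, and the candidate list below is
constructed, not taken from the sample.
"""
import zlib
from typing import Iterable, Optional

TARGET_HASH = 0x095E2844      # constant compared at 00021953

CANDIDATE_PROCESSES = [       # constructed list of common Windows process names
    "csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "svchost.exe",
    "explorer.exe", "winlogon.exe", "smss.exe", "dwm.exe", "taskhost.exe",
]


def hashed_bytes(name: str) -> bytes:
    """The buffer/length pair the stub hands to RtlComputeCrc32.

    The stub scans to the UTF-16 terminator and takes ((ESI - EDI) >> 1) << 1
    as the length, so the bytes are the UTF-16LE name without its terminator.
    """
    raw = name.encode("utf-16-le")
    length = (len(raw) >> 1) << 1
    return raw[:length]


def name_hash(name: str) -> int:
    """RtlComputeCrc32(0, name, length) for a process name."""
    return zlib.crc32(hashed_bytes(name)) & 0xFFFFFFFF


def matches_target(name: str, target: int = TARGET_HASH) -> bool:
    """The per-process check the enumeration loop performs."""
    return name_hash(name) == target


def resolve_hash(target: int, candidates: Iterable[str] = CANDIDATE_PROCESSES) -> Optional[str]:
    """Recover a name from a hash constant.

    CRC-32 is case-sensitive and the case of an enumerated process name
    depends on the API that produced it, so each candidate is tried as
    given, lower-cased and upper-cased.
    """
    for name in candidates:
        for variant in (name, name.lower(), name.upper()):
            if name_hash(variant) == target:
                return variant
    return None


def find_target_name() -> Optional[str]:
    """Try the post's constant against the candidate list (None if nothing matches)."""
    return resolve_hash(TARGET_HASH)


if __name__ == "__main__":
    print("095E2844 ->", find_target_name())
```

If `find_target_name()` returns None, the constant was computed over a spelling not in the list (a different case, a path prefix, or the terminator included); extending the candidate variants is the usual next step, and the same routine serves for any other hash constant found in the sample once its hash function is known.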
Once explorer.exe is found it performs process injection; the injection and everything that follows will be covered in a later part.