A brief analysis of the Alman virus
This afternoon I posted a program I had written myself and was looking forward to some praise, but instead I got hit by this damn virus. Annoyed, I went to download a removal tool. A search online said antivirus software can't repair it
(don't know whether that's true). Fine then, I'll take the knife to you myself!!!!!!
After loading several different samples in OD, I found that the virus's EntryPoint is always at 401000, where it overwrites the original code; once the virus body has finished running it restores the original code.
00401000 >/$ /EB 00 jmp short 00401002
00401002 |> \56 push esi
00401003 |. 5E pop esi
00401004 |. 57 push edi
00401005 |. 5F pop edi
00401006 |. 8BDB mov ebx, ebx
00401008 |. 90 nop
00401009 |. 90 nop
0040100A |. 90 nop ; everything above is junk code
0040100B |. 33C0 xor eax, eax ; ---------------|
0040100D |. 85C0 test eax, eax
0040100F |. 74 0F je short 00401020
00401011 |. CC int3
00401012 |$ 5B pop ebx
00401013 |. B9 AD020000 mov ecx, 2AD ; these instructions can serve as a signature
00401018 |> 800419 A1 /add byte ptr [ecx+ebx], 0A1 ; this 0A1 differs between samples
0040101C |.^ E2 FA \loopd short 00401018
0040101E |. EB 06 jmp short 00401026 ; <--- press <F4> right here; after the jmp you will see the code change
00401020 |> E8 EDFFFFFF call 00401012 ;
00401025 |. C3 retn ; ----------------|
00401026 > \EB 04 jmp short 0040102C
......
0040102C > \E8 09000000 call 0040103A ; Step Over
00401031 . E8 64010000 call 0040119A ; Step Into
00401036 . C3 retn
......
0040119A $ 55 push ebp
0040119B . 8BEC mov ebp, esp
0040119D . 81C4 E8FEFFFF add esp, -118
004011A3 . E8 00000000 call 004011A8
004011A8 $ 5B pop ebx
004011A9 . 81EB 82114000 sub ebx, 00401182
004011AF . E8 B9FFFFFF call 0040116D
004011B4 . 8945 F4 mov dword ptr [ebp-C], eax
004011B7 . 05 00500500 add eax, 55000
004011BC . 8945 FC mov dword ptr [ebp-4], eax
004011BF . 8BD0 mov edx, eax
004011C1 . B8 D3020000 mov eax, 2D3
004011C6 . 8945 EC mov dword ptr [ebp-14], eax
004011C9 . 03D0 add edx, eax
004011CB . B9 00920000 mov ecx, 9200
004011D0 . 894D F0 mov dword ptr [ebp-10], ecx
004011D3 . 4A dec edx
004011D4 > 80340A 18 xor byte ptr [edx+ecx], 18
004011D8 .^ E2 FA loopd short 004011D4 ; the short stretch above was not analysed; these two instructions are the decryption
004011DA . E8 00000000 call 004011DF
004011DF $ 5B pop ebx
004011E0 . 81EB B9114000 sub ebx, 004011B9
004011E6 . 8D95 ECFEFFFF lea edx, dword ptr [ebp-114]
004011EC . 6A 64 push 64
004011EE . 52 push edx
004011EF . FF93 1F114000 call dword ptr [ebx+40111F]
004011F5 . E8 0F000000 call 00401209 ; PUSH ASCII "\\linkinfo.dll"
004011FA . 5C 5C 6C 69 6>ascii "\\linkinfo.dll",0
00401209 > 8D95 ECFEFFFF lea edx, dword ptr [ebp-114]
0040120F . 52 push edx
00401210 . FF93 1B114000 call dword ptr [ebx+40111B]
00401216 . 6A 00 push 0
00401218 . 6A 00 push 0
0040121A . 6A 02 push 2
0040121C . 6A 00 push 0
0040121E . 6A 00 push 0
00401220 . 68 00000040 push 40000000
00401225 . 8D95 ECFEFFFF lea edx, dword ptr [ebp-114]
0040122B . 52 push edx
0040122C . FF93 0B114000 call dword ptr [ebx+40110B] ; tries to open %WINDIR%\linkinfo.dll
00401232 . 83F8 FF cmp eax, -1 ; I created a directory of the same name in the WINNT directory, so this operation of the virus fails and it simply jumps.
00401235 . 74 4E je short 00401285
00401237 . 8985 E8FEFFFF mov dword ptr [ebp-118], eax
0040123D . 6A 00 push 0
0040123F . 8D45 F0 lea eax, dword ptr [ebp-10]
00401242 . 50 push eax
00401243 . FF75 F0 push dword ptr [ebp-10]
00401246 . 8B55 FC mov edx, dword ptr [ebp-4]
00401249 . 0355 EC add edx, dword ptr [ebp-14]
0040124C . 52 push edx
0040124D . FFB5 E8FEFFFF push dword ptr [ebp-118]
00401253 . FF93 0F114000 call dword ptr [ebx+40110F]
00401259 . FFB5 E8FEFFFF push dword ptr [ebp-118]
0040125F . FF93 13114000 call dword ptr [ebx+401113]
00401265 . 8D95 ECFEFFFF lea edx, dword ptr [ebp-114]
0040126B . 52 push edx
0040126C . FF93 07114000 call dword ptr [ebx+401107]
00401272 . 85C0 test eax, eax
00401274 . 74 0F je short 00401285
00401276 . 6A 65 push 65
00401278 . 50 push eax
00401279 . FF93 43114000 call dword ptr [ebx+401143]
0040127F . 85C0 test eax, eax
00401281 . 74 02 je short 00401285
00401283 . FFD0 call eax
00401285 > 6A 40 push 40
00401287 . 68 00100000 push 1000
0040128C . 68 00100000 push 1000
00401291 . 6A 00 push 0
00401293 . FF93 17114000 call dword ptr [ebx+401117] ; VirtualAlloc: allocates memory used for the jump
00401299 . 8945 F8 mov dword ptr [ebp-8], eax
0040129C . FC cld
0040129D . BE 11104000 mov esi, 00401011
004012A2 . 03F3 add esi, ebx
004012A4 . B9 03000000 mov ecx, 3
004012A9 . 8BF8 mov edi, eax
004012AB . F3:A4 rep movs byte ptr es:[edi], byte pt>
004012AD . 8B45 F4 mov eax, dword ptr [ebp-C]
004012B0 . 05 FC100000 add eax, 10FC ; note: this is add eax,<OriginalEntryPoint>
004012B5 . 50 push eax ; this stretch of code does not change
004012B6 . 8B4D EC mov ecx, dword ptr [ebp-14]
004012B9 . 8B75 FC mov esi, dword ptr [ebp-4]
004012BC . BF 00104000 mov edi, <ModuleEntryPoint>
004012C1 . 03FB add edi, ebx
004012C3 . 8B83 02104000 mov eax, dword ptr [ebx+401002]
004012C9 . 2BF8 sub edi, eax
004012CB . FC cld
004012CC . 8B45 F8 mov eax, dword ptr [ebp-8]
004012CF . FFE0 jmp eax ; jumps into the allocated memory here, <F4>
......
00950000 F3:A4 rep movs byte ptr es:[edi], byte pt>; restore the code the Loader occupied
00950002 C3 retn ; goto OEP
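As an added example (my own illustration, not the original poster's code or any real removal tool), here is a static model of the loader listed above: it checks the signature bytes at the entry point, replays the first `add byte ptr [ecx+ebx], key` loop to read the operands of `add eax, 55000` and `add eax, <OriginalEntryPoint>`, and copies the saved 2D3h host bytes back over the stub, which is exactly what the three-byte `rep movs / retn` stub does at run time. The flat image indexed by RVA is a constructed stand-in for the mapped module (not a PE parser), and the fixed offsets of those two `add eax` instructions are assumed from this single listing.

```python
STUB_SIZE = 0x2D3      # mov ecx, 2D3: host bytes the loader overwrites at the EP
STAGE1_OFF = 0x26      # "pop ebx" leaves ebx = 0x401025; the loop covers [ebx+1 .. ebx+2AD]
STAGE1_LEN = 0x2AD     # mov ecx, 2AD
SIG_OFF = 0x12         # pop ebx / mov ecx, 2AD / add byte ptr [ecx+ebx], ?? / loopd
SIGNATURE = [0x5B, 0xB9, 0xAD, 0x02, 0, 0, 0x80, 0x04, 0x19, None, 0xE2, 0xFA]
KEY_OFF = SIG_OFF + 9  # the imm8 that changes between samples (0A1 in this one)
SAVED_INSN_OFF = 0x1B7  # add eax, 55000: RVA of the saved host bytes (offset assumed fixed)
OEP_INSN_OFF = 0x2B0    # add eax, <OriginalEntryPoint> (offset assumed fixed)

def matches_signature(image, ep):
    window = image[ep + SIG_OFF: ep + SIG_OFF + len(SIGNATURE)]
    return len(window) == len(SIGNATURE) and all(
        s is None or s == b for s, b in zip(SIGNATURE, window))
def decode_stage1(image, ep):
    """Replay the 'add byte ptr [ecx+ebx], key' loop on a copy of the image."""
    key, out = image[ep + KEY_OFF], bytearray(image)
    for i in range(ep + STAGE1_OFF, ep + STAGE1_OFF + STAGE1_LEN):
        out[i] = (out[i] + key) & 0xFF
    return out
def imm32_of_add_eax(buf, off):
    """imm32 of an 'add eax, imm32' (05 xx xx xx xx) at off, or None if not that opcode."""
    return int.from_bytes(buf[off + 1: off + 5], "little") if buf[off] == 0x05 else None

def disinfect(image, ep):
    """Return (cleaned image, original EP RVA), or None if the loader stub is not recognised."""
    if not matches_signature(image, ep):
        return None
    stub = decode_stage1(image, ep)
    saved = imm32_of_add_eax(stub, ep + SAVED_INSN_OFF)
    oep = imm32_of_add_eax(stub, ep + OEP_INSN_OFF)
    if saved is None or oep is None or saved + STUB_SIZE > len(image):
        return None
    cleaned = bytearray(image)   # the same copy the 3-byte 'rep movs / retn' stub performs at run time
    cleaned[ep: ep + STUB_SIZE] = image[saved: saved + STUB_SIZE]
    return cleaned, oep

def build_sample(key=0xA1, oep=0x10FC, saved=0x55000, ep=0x1000):
    """Constructed infected image: encoded stub over the EP, original host bytes saved at `saved`."""
    host = bytes((i * 7 + 3) & 0xFF for i in range(STUB_SIZE))   # stand-in for the host's code
    plain = bytearray(STUB_SIZE)                                   # decoded loader stub
    plain[SIG_OFF: SIG_OFF + 9] = bytes(SIGNATURE[:9]); plain[KEY_OFF] = key
    plain[KEY_OFF + 1: KEY_OFF + 3] = bytes(SIGNATURE[10:])
    for off, val in ((SAVED_INSN_OFF, saved), (OEP_INSN_OFF, oep)):
        plain[off], plain[off + 1: off + 5] = 0x05, val.to_bytes(4, "little")
    stub = bytearray(plain)
    for i in range(STAGE1_OFF, STAGE1_OFF + STAGE1_LEN):   # stored as byte - key; the loop adds it back
        stub[i] = (plain[i] - key) & 0xFF
    image = bytearray(saved + STUB_SIZE)
    image[ep: ep + STUB_SIZE], image[saved: saved + STUB_SIZE] = stub, host
    return image, ep, host
```

The model only puts the host's entry-point bytes back and reports the OEP; the appended virus section (the 9200h-byte XOR 18h body) is left in place, since the post does not describe how it is attached.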
School starts for me tomorrow, so I have no time to write a removal tool.
This is easy to handle with something like an unpacker (a loader that uses the Debug API).
Gurus on the forum, please lend a hand! Waiting expectantly……
Also, my apologies to the comrades who already downloaded my infected software.
My antivirus at home was very well-behaved; it said nothing at all !_!
Finally, the virus sample is attached (moderators, delete it if you feel it's inappropriate).