In OllyDbg (OD), ignore all exceptions (Options > Debugging options > Exceptions) and set a breakpoint with bp VirtualAlloc:
7C809A51 > 8BFF MOV EDI,EDI ; breaks here
7C809A53 55 PUSH EBP
7C809A54 8BEC MOV EBP,ESP
7C809A56 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C809A59 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C809A5C FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C809A5F FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C809A62 6A FF PUSH -1
7C809A64 E8 09000000 CALL kernel32.VirtualAllocEx
7C809A69 5D POP EBP
7C809A6A C2 1000 RETN 10
Look at the stack (the return address and the four arguments; the values below them are what the caller pops after VirtualAlloc's RETN 10):
0012FF80 0040DDDE /CALL to VirtualAlloc from Main.0040DDDC
0012FF84 00000000 |Address = NULL
0012FF88 00020000 |Size = 20000 (131072.)
0012FF8C 00001000 |AllocationType = MEM_COMMIT
0012FF90 00000040 \Protect = PAGE_EXECUTE_READWRITE
0012FF94 7C882FC4 kernel32.LoadLibraryA
0012FF98 7C80ADA0 kernel32.GetProcAddress
0012FF9C 7C809AE4 kernel32.VirtualFree
0012FFA0 7C930738 ntdll.7C930738
Now delete the breakpoint and press ALT+F9 (execute till user code) to return to the caller:
0040DDDE 5F POP EDI ; returns here: EDI = kernel32.LoadLibraryA (next value on the stack)
0040DDDF 5E POP ESI ; ESI = kernel32.GetProcAddress
0040DDE0 50 PUSH EAX ; EAX = base of the RWX buffer VirtualAlloc just returned
0040DDE1 6A 00 PUSH 0
0040DDE3 57 PUSH EDI ; LoadLibraryA and GetProcAddress are exactly what a
0040DDE4 56 PUSH ESI ; manual PE loader needs to resolve the DLL's imports
0040DDE5 50 PUSH EAX
0040DDE6 E8 00000000 CALL Main.0040DDEB ; CALL $+5 followed by POP EAX: the usual way
0040DDEB 58 POP EAX ; for position-independent code to learn its own address
Look at the register contents:
EAX 00390000
ECX 7C809AB9 kernel32.7C809AB9
EDX 7C92EB94 ntdll.KiFastSystemCallRet
EBX 7C809A51 kernel32.VirtualAlloc
ESP 0012FF94
EBP 0012FFF0
ESI 7C80ADA0 kernel32.GetProcAddress
EDI 7C882FC4 kernel32.LoadLibraryA
EIP 0040DDDE Main.0040DDDE
Right-click the EAX register, choose "Follow in Dump" to go to 00390000 (the buffer VirtualAlloc just returned; it was requested as PAGE_EXECUTE_READWRITE, so whatever lands there is meant to be executed), set a memory breakpoint on write over it and press F9. It breaks here:
0040DE4F F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; breaks here: copies ECX dwords from ESI (the embedded file) to EDI (the new buffer)
0040DE51 8BC8 MOV ECX,EAX
0040DE53 83E1 03 AND ECX,3 ; the remaining length mod 4 ...
0040DE56 85D2 TEST EDX,EDX
0040DE58 F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; ... is copied byte-wise: a plain inlined memcpy
0040DE5A 76 30 JBE SHORT Main.0040DE8C
0040DE5C 8B4424 1C MOV EAX,DWORD PTR SS:[ESP+1C]
Look at the information window:
ECX=00000100 (十进制 256.)
DS:[ESI]=[0040E222]=00905A4D
ES:[EDI]=[00390000]=00000000
In the information window, right-click the line DS:[ESI]=[0040E222]=00905A4D and choose "Follow address in Dump"; the dump window then shows this:
0040E222 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0040E232 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0040E242 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040E252 00 00 00 00 00 00 00 00 00 00 00 00 B8 00 00 00 ................
0040E262 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0040E272 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0040E282 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS 
0040E292 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0040E2A2 25 A5 72 C7 61 C4 1C 94 61 C4 1C 94 61 C4 1C 94 %.r.a...a...a...
0040E2B2 61 C4 1D 94 77 C4 1C 94 E2 CC 41 94 64 C4 1C 94 a...w.....A.d...
0040E2C2 89 DB 17 94 63 C4 1C 94 52 69 63 68 61 C4 1C 94 ....c...Richa...
0040E2D2 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 03 00 ........PE..L...
0040E2E2 FA 28 1E 46 00 00 00 00 00 00 00 00 E0 00 0E 21 .(.F...........!
0040E2F2 0B 01 06 00 00 20 00 00 00 10 00 00 00 50 00 00 ..... .......P..
0040E302 90 7C 00 00 00 60 00 00 00 80 00 00 00 00 00 10 .|...`..........
0040E312 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 ................
0040E322 04 00 00 00 00 00 00 00 00 90 00 00 00 10 00 00 ................
0040E332 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 ................
0040E342 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ................
0040E352 00 00 00 00 00 00 00 00 00 80 00 00 94 00 00 00 ................
0040E362 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040E372 00 00 00 00 00 00 00 00 94 80 00 00 0C 00 00 00 ................
0040E382 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040E392 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040E3A2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040E3B2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040E3C2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0040E3D2 55 50 58 30 00 00 00 00 00 50 00 00 00 10 00 00 UPX0.....P......
0040E3E2 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 ................
0040E3F2 00 00 00 00 80 00 00 E0 55 50 58 31 00 00 00 00 ........UPX1....
0040E402 00 20 00 00 00 60 00 00 00 20 00 00 00 04 00 00 . ...`... ......
0040E412 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 E0 ............@...
0040E422 55 50 58 32 00 00 00 00 00 10 00 00 00 80 00 00 UPX2............
0040E432 00 02 00 00 00 24 00 00 00 00 00 00 00 00 00 00 .....$..........
This is a PE file. Now use the region dump feature of LordPE or PETools: start address 0040E222, the address seen above; the size can be chosen generously, e.g. 10000, then dump. The headers already tell you the true size: the last section-table entry, UPX2, has PointerToRawData 2400 and SizeOfRawData 200, so the on-disk image is 2600 bytes long and everything past that in the dump is overlay. The Characteristics word 210E has the DLL bit (2000) set and ImageBase is 10000000, so what is being dropped is a DLL.
Rename the dumped file to .DLL, open it in 010Editor and delete the surplus bytes (the Overlay data shown when 010Editor's PE template is applied). Scanning the trimmed file with PEiD shows it is packed with UPX; the UPX0/UPX1/UPX2 section names say the same. It can then be unpacked directly with upx -d. That only works because the UPX headers are untouched; a sample whose UPX section names or stub header have been patched makes upx -d refuse, and you have to unpack it by hand.
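As an added example (not part of the original post and not the sample's own code), here is a Python script that does the dump-and-trim step programmatically instead of by hand in 010Editor: it scans a region dump for a PE header, parses the file header, optional header and section table, computes the on-disk size from the section with the highest raw end, and carves the file at that boundary. The header bytes are copied from the dump listing above; the 0xCC filler before the MZ and the zero-filled section bodies after the header are constructed (the real bodies are not on the page), and the function names, the dictionary layout and the carve_pe.py file name are mine.

```python
import struct
import sys

# Header bytes copied from the OllyDbg dump listing in the post (0040E222..0040E441):
# MZ header, DOS stub, Rich block, PE and optional headers and the section table of
# the UPX-packed DLL, 0x220 bytes. The last 8 bytes of the UPX2 section header are
# not shown on the page; the zero fill below stands in for them.
PE_HEADER = bytes.fromhex("""
4D5A90000300000004000000FFFF0000 B8000000000000004000000000000000
00000000000000000000000000000000 000000000000000000000000B8000000
0E1FBA0E00B409CD21B8014CCD215468 69732070726F6772616D2063616E6E6F
742062652072756E20696E20444F5320 6D6F64652E0D0D0A2400000000000000
25A572C761C41C9461C41C9461C41C94 61C41D9477C41C94E2CC419464C41C94
89DB179463C41C945269636861C41C94 0000000000000000504500004C010300
FA281E460000000000000000E0000E21 0B010600002000000010000000500000
907C0000006000000080000000000010 00100000000200000400000000000000
04000000000000000090000000100000 00000000020000000000100000100000
00001000001000000000000010000000 00000000000000000080000094000000
00000000000000000000000000000000 0000000000000000948000000C000000
00000000000000000000000000000000 00000000000000000000000000000000
00000000000000000000000000000000 00000000000000000000000000000000
00000000000000000000000000000000 55505830000000000050000000100000
00000000000400000000000000000000 00000000800000E05550583100000000
00200000006000000020000000040000 000000000000000000000000400000E0
55505832000000000010000000800000 00020000002400000000000000000000
""")

# Constructed stand-in for a region dump taken larger than needed: filler before the
# MZ (as if the dump started early), the header, then zero fill in place of the
# section bodies and the overlay (the real bodies are not on the page).
DUMP = b"\xCC" * 0x22 + PE_HEADER
DUMP += b"\x00" * (0x3000 - len(DUMP))

IMAGE_FILE_DLL = 0x2000
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def find_pe_images(buf):
    """Offsets of every plausible PE header in a region dump that may not start at the MZ."""
    hits, start = [], 0
    while (i := buf.find(b"MZ", start)) >= 0:
        start = i + 1
        if i + 0x40 > len(buf):
            continue
        pe = i + struct.unpack_from("<I", buf, i + 0x3C)[0]      # e_lfanew
        if pe < i + 0x40 or pe + 0x18 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
            continue
        machine, nsec = struct.unpack_from("<HH", buf, pe + 4)
        if machine in (0x014C, 0x8664) and 0 < nsec <= 96:
            hits.append(i)
    return hits


def parse_pe(buf, off=0):
    """Parse the DOS/PE/optional headers and section table of the PE32 image at buf[off]."""
    if buf[off:off + 2] != b"MZ":
        raise ValueError("no MZ signature at offset %#x" % off)
    pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 0x18
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry = struct.unpack_from("<I", buf, opt + 0x10)[0]
    image_base = struct.unpack_from("<I", buf, opt + 0x1C)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 0x38)
    sections = []
    for n in range(nsec):
        f = SECTION_HEADER.unpack_from(buf, opt + opt_size + n * SECTION_HEADER.size)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_ptr": f[4]})
    # The file ends where the section with the highest raw end ends; dump bytes past
    # that point are overlay (the same thing 010Editor's PE template labels Overlay).
    file_size = max([size_of_headers] + [s["raw_ptr"] + s["raw_size"] for s in sections])
    return {"machine": machine, "num_sections": nsec, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "entry_point": entry, "image_base": image_base, "size_of_image": size_of_image,
            "sections": sections, "file_size": file_size}


def looks_upx(info):
    """Cheap packer hint: stock UPX names its sections UPX0/UPX1/UPX2 (PEiD also checks the stub)."""
    return any(s["name"].startswith("UPX") for s in info["sections"])


def suggested_extension(info):
    return ".dll" if info["is_dll"] else ".exe"


def carve(buf, off):
    """Cut the on-disk image out of the dump, dropping the overlay past the last raw section end."""
    return bytes(buf[off:off + parse_pe(buf, off)["file_size"]])


if __name__ == "__main__":
    # Usage: python carve_pe.py [region.dmp]   (defaults to the constructed DUMP above)
    region = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DUMP
    for off in find_pe_images(region):
        try:
            info = parse_pe(region, off)
        except ValueError as err:
            print("PE at %#x skipped: %s" % (off, err))
            continue
        out = "carved_%x%s" % (off, suggested_extension(info))
        print("PE at %#x: sections %s, ImageBase %#x, EP %#x, size %#x%s -> %s" % (
            off, [s["name"] for s in info["sections"]], info["image_base"],
            info["entry_point"], info["file_size"], " (UPX)" if looks_upx(info) else "", out))
        open(out, "wb").write(carve(region, off))
```

Run against the constructed dump it reports one image at offset 0x22 with sections UPX0/UPX1/UPX2, ImageBase 10000000, entry point 7C90 and a file size of 2600, and writes carved_22.dll. Pointing it at a real LordPE region dump does the same without the 010Editor round trip; the size check is worth keeping even when you trim by hand, since a dump that is shorter than the computed size means the region was cut too small.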
The analysis itself I leave to you. This thing simply drops the embedded DLL into a VirtualAlloc'd buffer and then runs it from memory. Don't bother unpacking the outer packer of the original; by the time you have traced all the way through it, the virus has long since run.
Attached is an unpacked copy; the password is muma