Since I have recently needed to look for a job, I went to interview at Kaspersky. The position was virus analyst at Kaspersky, so the person interviewing me was a Russian, the head of Kaspersky's APAC virus lab; as I don't know Russian, we could only talk in English. The interview covered questions about virus-analysis techniques, mainly reverse engineering and Windows system internals. After the interview he gave me two samples and asked me to analyze them in detail. The two samples were just two DLL files; the real aim was to check reverse-engineering ability. I'm posting them here as a starting point, in the hope that they help with your future interviews. Because this had to be sent to a foreigner, the comments in the IDB files are written in English.
biont.rar contains the IDB file for the first sample. I have written a summary of this sample below.
Analysis report about biont.dll
This DLL file is packed with NsPack V3.7.
So the first step is to unpack this DLL in OllyDbg (OD).
---------------------------------------------------------------------------------------------------------------
6001F21F > 9C pushfd ; load biont.dll in OllyDbg; it stops here, at the packer's entry point
6001F220 60 pushad
6001F221 E8 00000000 call 6001F226
6001F226 5D pop ebp
6001F227 83ED 07 sub ebp, 7
6001F22A 8D8D 5DFEFFFF lea ecx, dword ptr [ebp-1A3]
6001F230 8039 01 cmp byte ptr [ecx], 1
6001F233 0F84 42020000 je 6001F47B ; [ecx] is a once-only flag (set to 1 just below); 6001F47B is close to the OEP, so Ctrl+G to this address
6001F239 C601 01 mov byte ptr [ecx], 1
6001F23C 8BC5 mov eax, ebp
6001F23E 2B85 F1FDFFFF sub eax, dword ptr [ebp-20F]
6001F244 8985 F1FDFFFF mov dword ptr [ebp-20F], eax
6001F24A 0185 21FEFFFF add dword ptr [ebp-1DF], eax
6001F250 8DB5 65FEFFFF lea esi, dword ptr [ebp-19B]
6001F256 0106 add dword ptr [esi], eax
----------------------------------------------------------------------------------------------
6001F47B B8 00000000 mov eax, 0 ; trace until execution reaches 6001F47B
6001F480 83F8 00 cmp eax, 0
6001F483 74 0A je short 6001F48F
6001F485 61 popad
6001F486 9D popfd
6001F487 B8 01000000 mov eax, 1
6001F48C C2 0C00 retn 0C
6001F48F 61 popad
6001F490 9D popfd
6001F491 - E9 FA9DFEFF jmp 60009290 ; this jump goes to the OEP
6001F496 8BB5 E9FDFFFF mov esi, dword ptr [ebp-217]
6001F49C 0BF6 or esi, esi
60009290 . 53 push ebx ; landed at 60009290 (OEP); OllyDbg labels it LoadDl_1.<ModuleEntryPoint>
60009291 . 55 push ebp
60009292 . 56 push esi
60009293 . 8B7424 14 mov esi, dword ptr [esp+14]
60009297 . 85F6 test esi, esi
60009299 . 57 push edi
6000929A . B8 01000000 mov eax, 1
Now we can dump the DLL with LordPE, then use ImportREC to repair the import table of the dumped file.
After that the code can be read in IDA Pro.
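Before stepping through the stub in OllyDbg it helps to confirm from the PE header alone where the entry point sits. The script below is an added example, not code from the original post or from the samples: it parses the PE section table with only the standard library, reports which section the entry point falls in, whether that section name belongs to a known packer (NsPack names its sections .nsp0/.nsp1/.nsp2, which is why the IDA listing later shows .nsp0 addresses), and whether that section is writable and executable, as a self-modifying unpack stub usually is. The demo image it builds is a constructed header that mimics the layout seen above (entry point 6001F21F in the stub section, OEP 60009290 in the first section); the section sizes and raw offsets are assumptions, not values from biont.dll.

```python
import struct

# Section names that well-known packers write into the section table.
# NsPack (the packer identified above) uses .nsp0/.nsp1/.nsp2.
PACKER_SECTION_NAMES = {
    b".nsp0": "NsPack", b".nsp1": "NsPack", b".nsp2": "NsPack",
    b"UPX0": "UPX", b"UPX1": "UPX",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE


def parse_pe(data: bytes):
    """DOS header -> PE signature -> COFF header -> optional header -> section table.
    Returns (image_base, entry_rva, sections); a section is the tuple
    (name, virtual_address, virtual_size, raw_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:        # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(num_sections):
        off = opt + size_of_opt + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        vsize, va, raw_size = struct.unpack_from("<III", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize, raw_size, flags))
    return image_base, entry_rva, sections


def section_for_rva(sections, rva):
    """Section whose virtual range covers rva, or None."""
    for sec in sections:
        _, va, vsize, raw_size, _ = sec
        if va <= rva < va + max(vsize, raw_size):
            return sec
    return None


def triage(data: bytes) -> dict:
    """The pre-unpacking questions: where is the entry point, which section
    holds it, is that a packer section name, and is the section RWX."""
    image_base, entry_rva, sections = parse_pe(data)
    ep = section_for_rva(sections, entry_rva)
    name, flags = (ep[0], ep[4]) if ep else (b"", 0)
    return {
        "entry_point": image_base + entry_rva,
        "entry_section": name.decode("ascii", "replace") or None,
        "packer": PACKER_SECTION_NAMES.get(name),
        "entry_section_rwx": (flags & RWX) == RWX,
    }


def section_name_for_va(data: bytes, va: int):
    """Map an address seen in the debugger (e.g. the OEP after the final jmp)
    back to its section name."""
    image_base, _, sections = parse_pe(data)
    sec = section_for_rva(sections, va - image_base)
    return sec[0].decode("ascii", "replace") if sec else None


def build_demo_image() -> bytes:
    """CONSTRUCTED minimal PE32 DLL header (no code) laid out like an
    NsPack-packed module: three .nsp* sections, entry point in the stub section
    at image_base + 0x1F21F. Sizes and raw offsets are assumptions chosen to
    match the addresses in the OllyDbg session above, not bytes from biont.dll."""
    image_base, entry_rva = 0x60000000, 0x1F21F
    sections = [  # name, vsize, va, raw_size, raw_ptr, characteristics
        (b".nsp0", 0x1E000, 0x01000, 0x10000, 0x00400, 0xE0000060),  # original code, RWX
        (b".nsp1", 0x01000, 0x1F000, 0x01000, 0x10400, 0xE0000060),  # unpack stub, RWX
        (b".nsp2", 0x01000, 0x20000, 0x00200, 0x11400, 0xC0000040),  # data, RW
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                 # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, rp, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
```

On a real file, `triage(open(path, "rb").read())` gives the entry point to break on and the packer name; `section_name_for_va` applied to the address the final `jmp` lands on confirms that the OEP lies back in the first section, which is what you expect before dumping with LordPE.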
I think this DLL has the following functions:
1. This DLL file appears to be part of a Paragon Software product.
2. It contains hard-disk handling, partition handling, and master/slave drive handling.
3. It uses native NT API that is not part of the documented Win32 interface, such as NtOpenDirectoryObject.
4. It creates the BioNTDrv service and controls it.
When you read the .idb file, please pay particular attention to functions such as service_control, set_priority, sub_600010A0, GetNtProductType, Get_system_information, Try_to_update_Ft_info, begin_harddisk_handle, PhysicalDrive_handle, filesystem_handle, ChangeServiceConfig, start_service, and create_service.
The following code segment is one that I analyzed in depth. service_control connects to the Service Control Manager with SC_MANAGER_ALL_ACCESS (0F003Fh), opens the named service with SERVICE_ALL_ACCESS (0F01FFh) and sends it SERVICE_CONTROL_STOP (dwControl = 1), then reopens it and calls DeleteService. After each step it reads GetLastError, closes the handle, and restores the error with SetLastError, so the caller sees the error of the last SCM call rather than that of CloseServiceHandle.
.nsp0:60007B40
.nsp0:60007B40 sub esp, 20h
.nsp0:60007B43 push edi
.nsp0:60007B44 push 0F003Fh ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
.nsp0:60007B49 push 0 ; lpDatabaseName
.nsp0:60007B4B push 0 ; lpMachineName = NULL, i.e. the local machine
.nsp0:60007B4D call OpenSCManagerW ; establishes a connection to the service control manager
.nsp0:60007B53 mov edi, eax ; save the SCM handle in edi
.nsp0:60007B55 test edi, edi
.nsp0:60007B57 jnz short connect_success
.nsp0:60007B59 pop edi ; connecting to the SCM failed: return with eax = NULL
.nsp0:60007B5A add esp, 20h
.nsp0:60007B5D retn
.nsp0:60007B5E ; ---------------------------------------------------------------------------
.nsp0:60007B5E
.nsp0:60007B5E connect_success: ; CODE XREF: service_control+17 j
.nsp0:60007B5E mov eax, [esp+24h+lpServiceName] ; save the specified service name address to eax
.nsp0:60007B62 push ebx
.nsp0:60007B63 push ebp
.nsp0:60007B64 push esi
.nsp0:60007B65 push 0F01FFh ; dwDesiredAccess = SERVICE_ALL_ACCESS
.nsp0:60007B6A push eax ; lpServiceName push the service name address to stack
.nsp0:60007B6B push edi ; hSCManager
.nsp0:60007B6C call OpenServiceW ; open an existing service
.nsp0:60007B72 mov ebx, GetLastError ; cache the import pointers in registers
.nsp0:60007B78 mov ebp, CloseServiceHandle ; (called through ebx/ebp below)
.nsp0:60007B7E mov esi, eax
.nsp0:60007B80 test esi, esi
.nsp0:60007B82 jz short fault_open_service
.nsp0:60007B84 lea ecx, [esp+30h+ServiceStatus]
.nsp0:60007B88 push ecx ; lpServiceStatus
.nsp0:60007B89 push 1 ; dwControl = 1 (SERVICE_CONTROL_STOP)
.nsp0:60007B8B push esi ; hService
.nsp0:60007B8C call ControlService ; send a control code to a service
.nsp0:60007B92 call ebx ; GetLastError
.nsp0:60007B94 push esi ; hSCObject
.nsp0:60007B95 mov [esp+34h+dwErrCode], eax
.nsp0:60007B99 call ebp ; CloseServiceHandle
.nsp0:60007B9B mov edx, [esp+30h+dwErrCode]
.nsp0:60007B9F push edx ; dwErrCode
.nsp0:60007BA0 call __imp_SetLastError
.nsp0:60007BA6
.nsp0:60007BA6 fault_open_service: ; CODE XREF: service_control+42 j
.nsp0:60007BA6 mov eax, [esp+30h+lpServiceName]
.nsp0:60007BAA push 0F01FFh ; dwDesiredAccess = SERVICE_ALL_ACCESS
.nsp0:60007BAF push eax ; lpServiceName
.nsp0:60007BB0 push edi ; hSCManager
.nsp0:60007BB1 call OpenServiceW ; open an existing service
.nsp0:60007BB7 mov esi, eax
.nsp0:60007BB9 test esi, esi
.nsp0:60007BBB jz short close_the_control_manager ; open failed: jump to close_the_control_manager
.nsp0:60007BBD push esi ; hService
.nsp0:60007BBE call DeleteService
.nsp0:60007BC4 call ebx ; GetLastError
.nsp0:60007BC6 push esi ; hSCObject
.nsp0:60007BC7 mov [esp+34h+lpServiceName], eax
.nsp0:60007BCB call ebp ; CloseServiceHandle
.nsp0:60007BCD mov ecx, [esp+30h+lpServiceName]
.nsp0:60007BD1 push ecx ; dwErrCode
.nsp0:60007BD2 call __imp_SetLastError
.nsp0:60007BD8
.nsp0:60007BD8 close_the_control_manager: ; CODE XREF: service_control+7B j
.nsp0:60007BD8 call ebx ; GetLastError
.nsp0:60007BDA push edi ; hSCObject
.nsp0:60007BDB mov esi, eax
.nsp0:60007BDD call ebp ; CloseServiceHandle
.nsp0:60007BDF push esi ; dwErrCode
.nsp0:60007BE0 call __imp_SetLastError
.nsp0:60007BE6 pop esi
.nsp0:60007BE7 pop ebp
.nsp0:60007BE8 pop ebx
.nsp0:60007BE9 mov eax, 1
.nsp0:60007BEE pop edi
.nsp0:60007BEF add esp, 20h
.nsp0:60007BF2 retn
.nsp0:60007BF2 service_control endp
.nsp0:60007BF2
.nsp0:60007BF2 ; ---------------------------------------------------------------------------
.nsp0:60007BF3 align 10h
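To make the listing's immediates and control flow concrete, here is an added example (not code from the sample or from the original post) that decodes the access masks pushed before OpenSCManagerW and OpenServiceW and re-implements service_control's call sequence with ctypes. The constants are the documented winsvc.h/winnt.h values. The decoding helper runs anywhere; stop_and_delete_service needs Windows and administrative rights and, like the routine in the listing, stops and then deletes whatever service name it is given, so use it only against a throwaway service on a test machine. The function name and its (result, error) return convention are mine.

```python
import ctypes
import sys

# Access-mask bits from winnt.h / winsvc.h (documented values).
STANDARD_RIGHTS = {
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
SC_MANAGER_RIGHTS = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
}
SERVICE_RIGHTS = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP", 0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE", 0x0100: "SERVICE_USER_DEFINED_CONTROL",
}
SC_MANAGER_ALL_ACCESS = 0x000F003F   # the 0F003Fh pushed before OpenSCManagerW
SERVICE_ALL_ACCESS = 0x000F01FF      # the 0F01FFh pushed before OpenServiceW
SERVICE_CONTROL_STOP = 1             # the dwControl = 1 passed to ControlService


def decode_access_mask(mask: int, specific: dict) -> list:
    """Expand an ACCESS_MASK immediate into right names, lowest bit first.
    Bits that are neither object-specific nor standard rights come back as
    UNKNOWN_0x... so an odd mask in a listing is never silently swallowed."""
    return [specific.get(1 << b) or STANDARD_RIGHTS.get(1 << b) or "UNKNOWN_%#x" % (1 << b)
            for b in range(32) if mask & (1 << b)]


class SERVICE_STATUS(ctypes.Structure):
    """The 7-DWORD buffer ControlService fills (lpServiceStatus in the listing)."""
    _fields_ = [(f, ctypes.c_uint32) for f in (
        "dwServiceType", "dwCurrentState", "dwControlsAccepted", "dwWin32ExitCode",
        "dwServiceSpecificExitCode", "dwCheckPoint", "dwWaitHint")]


def stop_and_delete_service(name: str):
    """Same call order as service_control. Returns (result, err): result 0 if the
    SCM could not be opened (the early `retn` with eax = NULL), otherwise 1, with
    err the Win32 error the routine carries across CloseServiceHandle via its
    GetLastError/SetLastError pairs. Windows only (advapi32)."""
    if sys.platform != "win32":
        raise OSError("advapi32 service control is only available on Windows")
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    HANDLE, DWORD, BOOL, LPCWSTR = ctypes.c_void_p, ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p
    adv.OpenSCManagerW.argtypes, adv.OpenSCManagerW.restype = [LPCWSTR, LPCWSTR, DWORD], HANDLE
    adv.OpenServiceW.argtypes, adv.OpenServiceW.restype = [HANDLE, LPCWSTR, DWORD], HANDLE
    adv.ControlService.argtypes = [HANDLE, DWORD, ctypes.POINTER(SERVICE_STATUS)]
    adv.ControlService.restype = BOOL
    adv.DeleteService.argtypes, adv.DeleteService.restype = [HANDLE], BOOL
    adv.CloseServiceHandle.argtypes, adv.CloseServiceHandle.restype = [HANDLE], BOOL

    scm = adv.OpenSCManagerW(None, None, SC_MANAGER_ALL_ACCESS)
    if not scm:
        return 0, ctypes.get_last_error()
    svc = adv.OpenServiceW(scm, name, SERVICE_ALL_ACCESS)   # first open: stop it
    if svc:
        status = SERVICE_STATUS()
        adv.ControlService(svc, SERVICE_CONTROL_STOP, ctypes.byref(status))
        err = ctypes.get_last_error()        # GetLastError before CloseServiceHandle
        adv.CloseServiceHandle(svc)
        ctypes.set_last_error(err)           # SetLastError restores it
    svc = adv.OpenServiceW(scm, name, SERVICE_ALL_ACCESS)   # second open: delete it
    if svc:
        adv.DeleteService(svc)
        err = ctypes.get_last_error()
        adv.CloseServiceHandle(svc)
        ctypes.set_last_error(err)
    err = ctypes.get_last_error()            # close_the_control_manager: keep last error
    adv.CloseServiceHandle(scm)
    ctypes.set_last_error(err)
    return 1, err
```

`decode_access_mask(0xF003F, SC_MANAGER_RIGHTS)` shows that the first push is every SCM right plus DELETE/READ_CONTROL/WRITE_DAC/WRITE_OWNER, and `decode_access_mask(0xF01FF, SERVICE_RIGHTS)` likewise for the service handle; that over-broad request is itself a useful detection hint, since a well-behaved installer asks for only the rights it needs.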
Analysis report about sratmain.dll
This DLL has backdoor and spyware functions.
1. It captures windows and sends the captures to the attacker. It opens a compressor to compress the video stream, using Video for Windows APIs from MSVFW32.DLL such as ICCompressorFree, ICSeqCompressFrame, ICSeqCompressFrameEnd, ICSeqCompressFrameStart, ICSendMessage, ICClose and ICOpen.
2. sratmain.dll uses the functions compress_vedio_stream and end_compress_vedio_stream (both names were assigned by me) to handle the video stream.
3. sratmain.dll can capture camera input, to obtain the victim's private information.
4. sratmain.dll can transmit voice over the network. The audio conversion is done with the ACM APIs from msacm32.dll, such as acmStreamConvert and acmStreamOpen.
5. sratmain.dll records audio from a waveform-audio input device, using the waveIn APIs from winmm.dll such as waveInOpen, waveInStart and waveInAddBuffer.
6. It installs hooks with the SetWindowsHookExA API.
7. It contains handling for 360 Safe's safeboxtray.exe process.