This post was last edited by 疯狂的小鬼 on 2011-6-10 19:14.
Simple analysis of a file-infecting virus
ID: 疯狂的小鬼
Tool: OD (OllyDbg)
The sample is already unpacked, so no unpacking step is needed.
Sample URL: http://bbs.kafan.cn/forum.php?mod=redirect&goto=findpost&ptid=996515&pid=19521529&fromuid=553277 (post #46)
00429E5E > 55 push ebp ; entry point
00429EC0 /75 08 jnz short VideoPlu.00429ECA Analysis. Not taken.
00429EC4 E8 B0000000 call VideoPlu.00429F79 F7, step in
00429F79 833D 10234300 0>cmp dword ptr ds:[0x432310],0x1
00429F80 75 05 jnz short VideoPlu.00429F87
00429F82 E8 890B0000 call VideoPlu.0042AB10
00429F87 FF7424 04 push dword ptr ss:[esp+0x4]
00429F8B E8 B90B0000 call VideoPlu.0042AB49
00429F90 59 pop ecx
00429F91 68 FF000000 push 0xFF ; exits the process below
00429F96 FF15 34D04200 call dword ptr ds:[<&KERNEL32.ExitProces>; kernel32.ExitProcess
00429F9C C3 retn
00429F80 /75 05 jnz short VideoPlu.00429F87 not taken
00429F82 E8 890B0000 call VideoPlu.0042AB10 F7
0042AB15 83F8 01 cmp eax,0x1
0042AB18 74 0D je short VideoPlu.0042AB27
0042AB1A 85C0 test eax,eax
0042AB1C 75 2A jnz short VideoPlu.0042AB48
0042AB1E 833D B41C4300 0>cmp dword ptr ds:[0x431CB4],0x1
0042AB25 75 21 jnz short VideoPlu.0042AB48
0042AB27 68 FC000000 push 0xFC
0042AB2C E8 18000000 call VideoPlu.0042AB49
0042AB31 A1 6C244300 mov eax,dword ptr ds:[0x43246C]
0042AB36 59 pop ecx
0042AB37 85C0 test eax,eax
0042AB39 74 02 je short VideoPlu.0042AB3D
0042AB3B FFD0 call eax
0042AB3D 68 FF000000 push 0xFF
0042AB42 E8 02000000 call VideoPlu.0042AB49
0042AB47 59 pop ecx
0042AB48 C3 retn
0042AB25 /75 21 jnz short VideoPlu.0042AB48 forced not taken (flag patched by hand)
0042AB2C E8 18000000 call VideoPlu.0042AB49 F7, step in
0042ABA2 /0F84 F1000000 je VideoPlu.0042AC99 forced not taken
0042ABB6 FF15 ECD04200 call dword ptr ds:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA
Gets the full path of the module the process was loaded from, i.e. the executable's own path (not the system directory).
0042ABBE /75 13 jnz short VideoPlu.0042ABD3 not taken
0042ABCC E8 5F0D0000 call VideoPlu.0042B930 F7
Stack [0012FD88]=0012FD94 (0012FD94), ASCII "<program name unknown>"
ecx=0042D4D4 (VideoPlu.0042D4D4), ASCII "GetLastActivePopup"
GetLastActivePopup returns the most recently active popup window owned by the given window.
0042ABCC E8 5F0D0000 call VideoPlu.0042B930 F7
Same as above.
0042AC1C 68 9CD44200 push VideoPlu.0042D49C ; ASCII "Runtime Error!
Program: "
Error... = =!! I'm not really clear on this either.
0042AC2F E8 0C0D0000 call VideoPlu.0042B940 F7
Nothing important here.
0042AC45 FFB6 641D4300 push dword ptr ds:[esi+0x431D64] ; VideoPlu.0042D228
ds:[00431DC4]=0042D228 (VideoPlu.0042D228), ASCII "R6028
- unable to initialize heap
"
0042AC62 68 70D44200 push VideoPlu.0042D470 ; ASCII "Microsoft Visual C++ Runtime Library"
Error report. This is the Visual C++ runtime's own error reporter: the R6028 text, "Runtime Error!" and the "Microsoft Visual C++ Runtime Library" caption are all CRT strings, and this path is only reached here because the jumps above were forced not taken.
0042AC68 E8 B30D0000 call VideoPlu.0042BA20 F7
Contents:
0042BA20 53 push ebx
0042BA21 33DB xor ebx,ebx
0042BA23 391D 7C244300 cmp dword ptr ds:[0x43247C],ebx
0042BA29 56 push esi
0042BA2A 57 push edi
0042BA2B 75 42 jnz short VideoPlu.0042BA6F
0042BA2D 68 04D54200 push VideoPlu.0042D504 ; ASCII "user32.dll"
0042BA32 FF15 84D04200 call dword ptr ds:[<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA (loads the named module into the calling process's address space)
0042BA38 8BF8 mov edi,eax
0042BA3A 3BFB cmp edi,ebx
0042BA3C 74 67 je short VideoPlu.0042BAA5
0042BA3E 8B35 1CD14200 mov esi,dword ptr ds:[<&KERNEL32.GetProc>; kernel32.GetProcAddress (gets the address of an exported function in the DLL)
0042BA44 68 F8D44200 push VideoPlu.0042D4F8 ; ASCII "MessageBoxA" (resolves MessageBoxA dynamically instead of importing it)
0042BA49 57 push edi
0042BA4A FFD6 call esi
0042BA4C 85C0 test eax,eax
0042BA4E A3 7C244300 mov dword ptr ds:[0x43247C],eax
0042BA53 74 50 je short VideoPlu.0042BAA5
0042BA55 68 E8D44200 push VideoPlu.0042D4E8 ; ASCII "GetActiveWindow" (gets the handle of the active window)
0042BA5A 57 push edi
0042BA5B FFD6 call esi
0042BA5D 68 D4D44200 push VideoPlu.0042D4D4 ; ASCII "GetLastActivePopup" (gets the most recently active popup window)
0042BA62 57 push edi
0042BA63 A3 80244300 mov dword ptr ds:[0x432480],eax
0042BA68 FFD6 call esi
0042BA6A A3 84244300 mov dword ptr ds:[0x432484],eax
0042BA6F A1 80244300 mov eax,dword ptr ds:[0x432480]
0042BA74 85C0 test eax,eax
0042BA76 74 16 je short VideoPlu.0042BA8E
0042BA78 FFD0 call eax
0042BA7A 8BD8 mov ebx,eax
0042BA7C 85DB test ebx,ebx
0042BA7E 74 0E je short VideoPlu.0042BA8E
0042BA80 A1 84244300 mov eax,dword ptr ds:[0x432484]
0042BA85 85C0 test eax,eax
0042BA87 74 05 je short VideoPlu.0042BA8E
0042BA89 53 push ebx
0042BA8A FFD0 call eax
0042BA8C 8BD8 mov ebx,eax
0042BA8E FF7424 18 push dword ptr ss:[esp+0x18]
0042BA92 FF7424 18 push dword ptr ss:[esp+0x18]
0042BA96 FF7424 18 push dword ptr ss:[esp+0x18]
0042BA9A 53 push ebx
0042BA9B FF15 7C244300 call dword ptr ds:[0x43247C]
0042BAA1 5F pop edi
0042BAA2 5E pop esi
0042BAA3 5B pop ebx
0042BAA4 C3 retn
0042BA9B FF15 7C244300 call dword ptr ds:[0x43247C] ; USER32.MessageBoxA
This is where the C++ runtime pops up its error box.
00429ECD E8 84080000 call VideoPlu.0042A756 ; F7
00429ED2 FF15 08D14200 call dword ptr ds:[<&KERNEL32.GetCommand>; kernel32.GetCommandLineA
Gets a pointer to the command-line string of the current process.
0042A762 E8 36F8FFFF call VideoPlu.00429F9D F7
0042B3CA FF15 24D14200 call dword ptr ds:[<&KERNEL32.VirtualAll>; kernel32.VirtualAlloc (reserves or commits a region of pages in the calling process's virtual address space)
0012FE8C 00000000 |Address = NULL
0012FE90 00100000 |Size = 100000 (1048576.)
0012FE94 00002000 |AllocationType = MEM_RESERVE
0012FE98 00000004 \Protect = PAGE_READWRITE
This first call only reserves (MEM_RESERVE) a 1 MB address range with PAGE_READWRITE protection; no memory is committed yet. This reserve-then-commit pair is the C runtime setting up its heap.
0042B126 E8 DA020000 call VideoPlu.0042B405 F7
0042B456 FF15 24D14200 call dword ptr ds:[<&KERNEL32.VirtualAll>; kernel32.VirtualAlloc (reserves or commits a region of pages in the calling process's virtual address space)
0012FE7C 00A60000 |Address = 00A60000
0012FE80 00008000 |Size = 8000 (32768.)
0012FE84 00001000 |AllocationType = MEM_COMMIT
0012FE88 00000004 \Protect = PAGE_READWRITE
The second call commits (MEM_COMMIT) 32 KB at 00A60000: the address and size differ from the first call because that one reserved the range and this one backs only the pages actually needed with memory.
0042A7AF FF15 0CD14200 call dword ptr ds:[<&KERNEL32.GetStartup>; kernel32.GetStartupInfoA (retrieves the STARTUPINFO structure the process was created with)
0042A8AE FF15 CCD04200 call dword ptr ds:[<&KERNEL32.GetStdHand>; kernel32.GetStdHandle
0042A8BC FF15 C8D04200 call dword ptr ds:[<&KERNEL32.GetFileTyp>; kernel32.GetFileType (returns the type of a handle: disk file, character device such as a console, or pipe)
0042A8F3 FF15 D0D04200 call dword ptr ds:[<&KERNEL32.SetHandleC>; kernel32.SetHandleCount (Win16 compatibility call; on Win32 it has no effect and just returns the count passed in)
This is the C runtime initialising its standard I/O handles (stdin/stdout/stderr), not reading system file information.
00429EDD E8 42070000 call VideoPlu.0042A624 F7
0042A62D 8B2D D4D04200 mov ebp,dword ptr ds:[<&KERNEL32.GetEnvi>; kernel32.GetEnvironmentStringsW (gets the current process's environment block as wide characters)
0042A6A2 8B3D DCD04200 mov edi,dword ptr ds:[<&KERNEL32.WideCha>; kernel32.WideCharToMultiByte (converts the wide-character environment block to ANSI)
0042A6B3 894424 34 mov dword ptr ss:[esp+0x34],eax ; saves the size returned by WideCharToMultiByte
eax=000003F0
Stack ss:[0012FF44]=7C92F641 (ntdll.7C92F641)
0042A6DD /75 0E jnz short VideoPlu.0042A6ED not taken
0042A6E3 E8 29F9FFFF call VideoPlu.0042A011 F7
Nothing of interest, return.
0042A01B E8 D50C0000 call VideoPlu.0042ACF5 F7
Nothing of interest, return (to 0042A6E3).
0042A6F2 FF15 E0D04200 call dword ptr ds:[<&KERNEL32.FreeEnviro>; kernel32.FreeEnvironmentStringsW
Frees the environment block obtained above.
Return to 00429EDD and continue stepping over with F8.
00429EE7 E8 EB040000 call VideoPlu.0042A3D7 F7
0042A3FA FF15 ECD04200 call dword ptr ds:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA (gets the executable's own full path)
00429F20 FF15 58D04200 call dword ptr ds:[<&KERNEL32.GetModuleH>; kernel32.GetModuleHandleA
Gets the module handle (the HINSTANCE of the executable).
0040288D FF15 A8D14200 call dword ptr ds:[<&USER32.LoadStringA>>; USER32.LoadStringA
Loads a string resource from the module into a buffer and appends a terminating null.
004028C2 FF15 9CD04200 call dword ptr ds:[<&KERNEL32.GetSystemD>; kernel32.GetSystemDirectoryA
Gets the path of the system directory.
004028EB FF15 44D14200 call dword ptr ds:[<&SHELL32.StrStrIA>] ; SHELL32.StrStrIA
0012FDF8 0012FE00 |String = "C:\WINDOWS\system32"
0012FDFC 00431BCC \Pattern = "win"
StrStrIA is a case-insensitive substring search: it looks for "win" inside "C:\WINDOWS\system32". Nothing is copied; the result feeds the je at 004028F3 below.
00402878 E8 F30F0000 call VideoPlu.00403870 F7
00403887 FF15 4CD14200 call dword ptr ds:[<&USER32.GetDesktopWi>; USER32.GetDesktopWindow (gets the desktop window)
004038B0 FF15 BCD14200 call dword ptr ds:[<&USER32.GetDC>] ; USER32.GetDC
004038BF FF15 24D04200 call dword ptr ds:[<&GDI32.GetDeviceCaps>; GDI32.GetDeviceCaps
004038D7 FF15 20D04200 call dword ptr ds:[<&GDI32.CreateCompati>; GDI32.CreateCompatibleBitmap
Gets the desktop window and its device context, queries the display with GetDeviceCaps and creates a bitmap compatible with it.
004028F3 /74 16 je short VideoPlu.0040290B jump taken
0040290F E8 C1000000 call VideoPlu.004029D5 F7
00402A0A FF15 9CD14200 call dword ptr ds:[<&USER32.LoadIconA>] ; USER32.LoadIconA
Loads the specified icon resource from the executable associated with the application instance.
00402A1A FF15 A0D14200 call dword ptr ds:[<&USER32.LoadCursorA>>; USER32.LoadCursorA
Loads the specified cursor resource from the executable associated with the application instance.
00402A4B FF15 A4D14200 call dword ptr ds:[<&USER32.RegisterClas>; USER32.RegisterClassExA
Registers a window class for use by the following CreateWindow / CreateWindowEx call.
(registration)
The calls above only prepare a window class (icon, cursor, class registration); no user information is read here.
0040291F E8 31010000 call VideoPlu.00402A55 F7
00402A8A FF15 90D14200 call dword ptr ds:[<&USER32.CreateWindow>; USER32.CreateWindowExA
00429F30 E8 38010000 call VideoPlu.0042A06D F7
0042A075 E8 15000000 call VideoPlu.0042A08F
0042A099 /75 11 jnz short VideoPlu.0042A0AC
0042A09F FF15 F4D04200 call dword ptr ds:[<&KERNEL32.GetCurrent>; kernel32.GetCurrentProcess
Gets a pseudo-handle for the current process.
0042A0A6 FF15 F8D04200 call dword ptr ds:[<&KERNEL32.TerminateP>; kernel32.TerminateProcess
Terminates a process; the handle passed is the process's own, so it terminates itself.
0042A120 FF15 34D04200 call dword ptr ds:[<&KERNEL32.ExitProces>; kernel32.ExitProcess
Exit.
Summary:
Everything from the entry point up to 00429F20 is the normal C runtime startup: heap setup through the two VirtualAlloc calls, command line, standard handles, environment strings and module path. The "R6028 - unable to initialize heap" / "Runtime Error!" code is the runtime's own failure path and was only reached because the jumps were forced.
The program's own code then takes its module handle with GetModuleHandleA, loads a string resource, fetches the system directory with GetSystemDirectoryA and searches it for "win" with StrStrIA, gets the desktop window and its DC and creates a compatible bitmap, loads an icon and cursor, registers a window class with RegisterClassExA (the class used by the following CreateWindowExA) and creates a window.
At the end it gets a pseudo-handle to itself with GetCurrentProcess, calls TerminateProcess on that handle and exits with ExitProcess. Nothing in the lines above reads the OS version or touches the user's profile directory; to see the actual infection routine, the trace would have to continue past the window creation.
(PS: there are some functions I don't really know, so I can't explain them very clearly.)
This does look like a file-infecting virus... I only did a simple analysis... experts please go easy on me... pointers welcome.
By 疯狂的小鬼
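As an added example (not the author's tool and not part of the original post): a small Python script that turns an OllyDbg listing like the one above into an ordered API-call timeline and decodes the stack arguments of each VirtualAlloc, so that the reserve/commit pattern and the page protection can be read at a glance. The sample input is a handful of lines copied from the trace above plus one constructed VirtualAlloc at the made-up address 00400000 with PAGE_EXECUTE_READWRITE, so the RWX check has something to flag.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: trace lines copied from the post, plus one extra
# VirtualAlloc (at the made-up address 00400000) requesting RWX memory so the
# rwx_allocations() check below has something to fire on.
SAMPLE_TRACE = """\
00429ED2 FF15 08D14200 call dword ptr ds:[<&KERNEL32.GetCommand>; kernel32.GetCommandLineA
0042B3CA FF15 24D14200 call dword ptr ds:[<&KERNEL32.VirtualAll>; kernel32.VirtualAlloc
0012FE8C 00000000 |Address = NULL
0012FE90 00100000 |Size = 100000 (1048576.)
0012FE94 00002000 |AllocationType = MEM_RESERVE
0012FE98 00000004 \\Protect = PAGE_READWRITE
0042B456 FF15 24D14200 call dword ptr ds:[<&KERNEL32.VirtualAll>; kernel32.VirtualAlloc
0012FE7C 00A60000 |Address = 00A60000
0012FE80 00008000 |Size = 8000 (32768.)
0012FE84 00001000 |AllocationType = MEM_COMMIT
0012FE88 00000004 \\Protect = PAGE_READWRITE
0042BA4A FFD6 call esi
0042BA9B FF15 7C244300 call dword ptr ds:[0x43247C] ; USER32.MessageBoxA
004028EB FF15 44D14200 call dword ptr ds:[<&SHELL32.StrStrIA>] ; SHELL32.StrStrIA
00400000 FF15 24D14200 call dword ptr ds:[<&KERNEL32.VirtualAll>; kernel32.VirtualAlloc
0012FE7C 00000000 |Address = NULL
0012FE80 00001000 |Size = 1000 (4096.)
0012FE84 00003000 |AllocationType = MEM_COMMIT|MEM_RESERVE
0012FE88 00000040 \\Protect = PAGE_EXECUTE_READWRITE
0042A0A6 FF15 F8D04200 call dword ptr ds:[<&KERNEL32.TerminateP>; kernel32.TerminateProcess
"""

# A call line ends with OllyDbg's "; module.Function" comment; the import
# thunk name in brackets is truncated, so the comment is the reliable source.
CALL_RE = re.compile(r"^(?P<addr>[0-9A-F]{8})\s+.*\bcall\b.*;\s*(?P<mod>\w+)\.(?P<func>\w+)")
# Stack-argument lines: "<esp> <raw dword> |Name = ..." ("\" marks the last one).
ARG_RE = re.compile(r"^[0-9A-F]{8}\s+(?P<raw>[0-9A-F]{8})\s+[|\\](?P<name>\w+)\s*=")

# AllocationType is a real bit mask; page protections are exclusive values.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class ApiCall:
    addr: int
    module: str
    func: str
    args: dict = field(default_factory=dict)  # argument name -> raw dword


def parse_trace(text):
    """One pass over the listing: a commented call opens a record, and the
    '|Name = ...' lines that follow are attached to it as arguments.
    Uncommented indirect calls such as 'call esi' are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            calls.append(ApiCall(int(m["addr"], 16), m["mod"].lower(), m["func"]))
            continue
        m = ARG_RE.match(line)
        if m and calls:
            calls[-1].args[m["name"]] = int(m["raw"], 16)
    return calls


def call_sequence(calls):
    return [f"{c.module}.{c.func}" for c in calls]


def decode_alloc_type(value):
    names = [name for bit, name in MEM_FLAGS.items() if value & bit]
    return "|".join(names) if names else hex(value)


def virtual_allocs(calls):
    """Decode every VirtualAlloc into base, size, allocation type, protection."""
    return [{
        "addr": c.addr,
        "base": c.args.get("Address", 0),
        "size": c.args.get("Size", 0),
        "type": decode_alloc_type(c.args.get("AllocationType", 0)),
        "protect": PAGE_PROTECT.get(c.args.get("Protect", 0), hex(c.args.get("Protect", 0))),
    } for c in calls if c.func == "VirtualAlloc"]


def rwx_allocations(calls):
    """Writable+executable memory is what unpackers and injectors need; a plain
    CRT heap (like the two PAGE_READWRITE calls in the post) never asks for it."""
    return [a for a in virtual_allocs(calls) if a["protect"] == "PAGE_EXECUTE_READWRITE"]


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    print(" -> ".join(call_sequence(trace)))
    for a in virtual_allocs(trace):
        print(f"{a['addr']:08X}: VirtualAlloc(base={a['base']:08X}, size={a['size']:#x}, "
              f"{a['type']}, {a['protect']})")
    for a in rwx_allocations(trace):
        print(f"!! RWX allocation at {a['addr']:08X}")
```

Feed it the full listing from OllyDbg (copy the trace window to a text file) and the output is the same kind of timeline the post builds by hand, with the reserve-then-commit pair and any RWX request called out.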