好友
阅读权限20
听众
最后登录1970-1-1
|
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
最近很无聊,发篇文章来娱乐一下 ,大概半年前分析的,今天整理了一下
这里主要分析一下被xpaj.b感染后的文件里面的虚拟机,我还没见过其他的病毒体内有虚拟机(加壳的除外),其虚拟机很小巧,很好玩 ,和vmp tmd aspr等里面的虚拟机大有不同
xpaj.b的感染方式为偷取程序代码节call里面的代码,扩大data节,将病毒要用到的数据或者代码放到data节去,比如:
感染之前的代码:
.text:7C36100E sub_7C36100E proc near ; CODE XREF: DllEntryPoint+8E�p
.text:7C36100E ; sub_7C381029+A9�p
.text:7C36100E
.text:7C36100E lpMem = dword ptr -8
.text:7C36100E cchWideChar = dword ptr -4
.text:7C36100E
.text:7C36100E ; FUNCTION CHUNK AT .text:7C369394 SIZE 00000099 BYTES
.text:7C36100E
.text:7C36100E 51 push ecx
.text:7C36100F 51 push ecx
.text:7C361010 A1 24 B4 3A 7C mov eax, dword_7C3AB424
.text:7C361015 53 push ebx
.text:7C361016 55 push ebp
.text:7C361017 56 push esi
.text:7C361018 57 push edi
.text:7C361019 8B 3D D4 A0 39 7C mov edi, ds:GetEnvironmentStringsW
.text:7C36101F 33 DB xor ebx, ebx
.text:7C361021 33 F6 xor esi, esi
.text:7C361023 3B C3 cmp eax, ebx
.text:7C361025 6A 02 push 2
.text:7C361027 5D pop ebp
.text:7C361028 0F 85 97 00 00 00 jnz loc_7C3610C5
.text:7C36102E FF D7 call edi ; GetEnvironmentStringsW
.text:7C361030 8B F0 mov esi, eax
.text:7C361032 3B F3 cmp esi, ebx
.text:7C361034 0F 84 5A 83 00 00 jz loc_7C369394
.text:7C36103A C7 05 24 B4 3A 7C+ mov dword_7C3AB424, 1
.text:7C361044
.text:7C361044 loc_7C361044: ; CODE XREF: sub_7C36100E+C0�j
.text:7C361044 3B F3 cmp esi, ebx
.text:7C361046 0F 84 69 83 00 00 jz loc_7C3693B5
.text:7C36104C
感染之后的代码:
.text:7C36100E sub_7C36100E proc near ; CODE XREF: DllEntryPoint+8E�p
.text:7C36100E ; sub_7C381029+A9�p
.text:7C36100E
.text:7C36100E value_is_4 = dword ptr -4Ch
.text:7C36100E value_is_640 = dword ptr -48h
.text:7C36100E var_44_key = dword ptr -44h
.text:7C36100E var_1C_decrypt_vmhandle= dword ptr -1Ch
.text:7C36100E var_10_7c362602 = dword ptr -10h
.text:7C36100E
.text:7C36100E 55 push ebp
.text:7C36100F 89 E5 mov ebp, esp
.text:7C361011 51 push ecx
.text:7C361012 E8 DD 15 00 00 call sub_7C3625F4
.text:7C361017
.text:7C361017 loc_7C361017: ; CODE XREF: sub_7C3630A4+36�j
.text:7C361017 01 7D BC add [ebp+var_44_key], edi ; key = 47802ADDh + dword(7c36bd140 -4)
.text:7C36101A 03 4D B4 add ecx, [ebp+value_is_4]
.text:7C36101D 8B 11 mov edx, [ecx] ; edx = dword(7c36bd140)
.text:7C36101F 33 55 BC xor edx, [ebp+var_44_key] ; edx = (47802ADDh + dword(7c36bd140 -4)) ^ dword(7c36bd140)
.text:7C361022 03 55 F0 add edx, [ebp+var_10_7c362602]
.text:7C361025 89 55 E4 mov [ebp+var_1C_decrypt_vmhandle], edx ; handle
.text:7C361028 21 CF and edi, ecx
.text:7C36102A 23 55 B8 and edx, [ebp+value_is_640]
.text:7C36102D BF B5 FC 49 D5 mov edi, 0D549FCB5h
.text:7C361032 01 7D BC add [ebp+var_44_key], edi ; key change
.text:7C361035 E9 2E C7 00 00 jmp loc_7C36D768
.text:7C361035 sub_7C36100E endp
.text:7C361035
.text:7C36103A ; ---------------------------------------------------------------------------
.text:7C36103A C7 05 24 B4 3A 7C+ mov dword_7C3AB424, 1
.text:7C361044
.text:7C361044 loc_7C361044: ; CODE XREF: .text:7C3610CE�j
.text:7C361044 3B F3 cmp esi, ebx
.text:7C361046 0F 84 69 83 00 00 jz loc_7C3693B5
.text:7C36104C
这种方式相对于修改call或者jmp或者函数调用的目的地址(比如virut),然后跳到代码节末尾或者最后一个节去执行病毒代码的隐蔽性要好
被patched掉的call的代码主要负责:
1、获取ZwProtectVirtualMemory的函数地址,修改data节部分数据的内存属性
2、解密存放在data节的下一层代码
3、执行解密后的代码
上面的功能主要通过一个小型的虚拟机来实现。
从被病毒patched掉的call开始:
.text:7C36100E 55 push ebp
.text:7C36100F 89 E5 mov ebp, esp
.text:7C361011 51 push ecx
.text:7C361012 E8 DD 15 00 00 call sub_7C3625F4 ;进
.text:7C3625F4 55 push ebp
.text:7C3625F5 89 E5 mov ebp, esp
.text:7C3625F7 83 EC 50 sub esp, 50h
.text:7C3625FA 51 push ecx
.text:7C3625FB 52 push edx
.text:7C3625FC 57 push edi
.text:7C3625FD E8 05 F7 FF FF call loc_7C361D07 ;获取返回地址7c362602
.text:7C362602 81 4D FC 45 F2 34+ or [ebp+var_4], 34F245h
.text:7C362609 8B 4D F0 mov ecx, [ebp+var_10_7c362602]
.text:7C36260C 81 C1 3E AB 05 00 add ecx, 5AB3Eh
.text:7C362612 89 4D D8 mov [ebp+var_28_7c3bd140], ecx ;返回地址加上5ab3e,得到pvmdata 用来解密vm_handle, 注意该偏移在data节
.text:7C362615 B9 87 9E 22 02 mov ecx, 2229E87h
.text:7C36261A 89 65 F8 mov [ebp+var_8_esp_init], esp ;初始虚拟机的esp
.text:7C36261D FF 75 F8 push [ebp+var_8_esp_init]
.text:7C362620 FF 75 F0 push [ebp+var_10_7c362602]
.text:7C362623 E9 85 0A 00 00 jmp loc_7C3630AD
.text:7C3630AD 8B 7D F0 mov edi, [ebp+var_10_7c362602]
.text:7C3630B0 81 C7 B7 0A 00 00 add edi, 0AB7h
.text:7C3630B6 89 7D D4 mov [ebp+var_2C_7c3630b9], edi
.text:7C3630B9
.text:7C3630B9 start_vm: ; CODE XREF: _control87:loc_7C3623C8�j
.text:7C3630B9 BF 04 00 00 00 mov edi, 4
.text:7C3630BE 89 7D B4 mov [ebp+var_4C_4], edi
.text:7C3630C1 11 65 C0 adc [ebp+var_40_allocaddress_addesp_addesp], esp
.text:7C3630C4 01 65 C0 add [ebp+var_40_allocaddress_addesp_addesp], esp
.text:7C3630C7 B9 DD 2A 80 47 mov ecx, 47802ADDh
.text:7C3630CC 89 4D BC mov [ebp+var_44_key], ecx ;解密vm_handle信息用到的key
.text:7C3630CF 8B 4D D8 mov ecx, [ebp+var_28_7c3bd140] ; 14c
.text:7C3630D2 2B 4D B4 sub ecx, [ebp+var_4C_4] ; 7c3bd140 -4
.text:7C3630D5 23 55 DC and edx, [ebp+var_24]
.text:7C3630D8 8B 39 mov edi, [ecx] ;edi = dword(pvmdata -4 )
.text:7C3630DA E9 38 DF FF FF jmp loc_7C361017
.text:7C361017 01 7D BC add [ebp+var_44_key], edi ;key = 47802ADDh + dword(pvmdata-4)
.text:7C36101A 03 4D B4 add ecx, [ebp+value_is_4]
.text:7C36101D 8B 11 mov edx, [ecx] ;edx = dword(pvmdata)
.text:7C36101F 33 55 BC xor edx, [ebp+var_44_key] ;edx = (47802ADDh + dword(pvmdata -4)) ^ dword(pvmdata),注意该handle为相对于7c362602的偏移
.text:7C361022 03 55 F0 add edx, [ebp+var_10_7c362602]
.text:7C361025 89 55 E4 mov [ebp+var_1C_decrypt_vmhandle], edx ; 算出来vm_handle的地址
.text:7C361028 21 CF and edi, ecx
.text:7C36102A 23 55 B8 and edx, [ebp+value_is_640]
.text:7C36102D BF B5 FC 49 D5 mov edi, 0D549FCB5h
.text:7C361032 01 7D BC add [ebp+var_44_key], edi ;解密出来一个handle之后更新 key
.text:7C361035 E9 2E C7 00 00 jmp loc_7C36D768
.text:7C36D768 03 4D B4 add ecx, [ebp+value_is_4] ;edi = dword(pvmdata+4)
.text:7C36D76B 8B 39 mov edi, [ecx] ; ds:[7C3BD144]=2E26089F
.text:7C36D76B ; edi=D549FCB5
.text:7C36D76B ;
.text:7C36D76D 33 7D BC xor edi, [ebp+var_44_key] ; key
.text:7C36D770 89 7D CC mov [ebp+var_34_decrypt_in_7c36d76d], edi
.text:7C36D773 89 5D F4 mov [ebp+var_C], ebx
.text:7C36D776 BF 4A 18 09 79 mov edi, 7909184Ah
.text:7C36D77B 01 7D BC add [ebp+var_44_key], edi ; key change
.text:7C36D77E 81 55 FC 82 EC 9D+ adc [ebp+var_4], 19DEC82h
.text:7C36D785 03 4D B4 add ecx, [ebp+value_is_4]
.text:7C36D788 8B 11 mov edx, [ecx]
.text:7C36D78A 33 55 BC xor edx, [ebp+var_44_key]
.text:7C36D78D 81 55 E8 21 AD B1+ adc [ebp+var_18], 1B1AD21h
.text:7C36D794 89 55 D0 mov [ebp+var_30_decrypt_7c36d794], edx
.text:7C36D797 81 45 C8 1F 5E 4B+ add [ebp+var_38], 4B5E1Fh
.text:7C36D79E 03 4D B4 add ecx, [ebp+value_is_4]
.text:7C36D7A1 89 4D D8 mov [ebp+var_28_pvmdata], ecx ;跟新pvmdata pvmdata = pvmdata + c
.text:7C36D7A4 E9 57 45 FF FF jmp vm_dispatch
.text:7C361D00 vm_dispatch: ; CODE XREF: sub_7C36D75F+45�j
.text:7C361D00 FF 65 E4 jmp [ebp+var_1C_decrypt_vmhandle] ;执行vm_handle
从上面的代码我们对该虚拟机有个大致的了解,从7c3bd13f(7c3bd140 -4)开始,每c个字节用来代表一个handle
调试发现该vm一共有7个handle:
7c361e78:
功能
push dword(dword(esp +/- xx) +/- yy)
其中xx和yy 为var_34_decrypt_in_7c36d76d var_30_decrypt_7c36d794
7c361e6a:
功能
push dword
其中dowrd的值为var_34_decrypt_in_7c36d76d
7c362009:
功能
pop edx,pop edi,add edi,edx,push edi
实际功能为 add
7c3621f8:
功能
pop,pop,jmp_eq
其中跳转的偏移为var_34_decrypt_in_7c36d76d
7c361d2d:
功能
pop edi,push fs:[30]
7c361f6a:
功能
pop dword(dword(esp +/- xx) +/- yy)
其中xx和yy 为var_34_decrypt_in_7c36d76d var_30_decrypt_7c36d794
7c361d14:
功能
call push result
通过上面的handle c个字节的大体含义为:
以pvmdata(7c3bd140)为起始开始算
struct
{
-4 dword 解密offset用到的key
+0 dword 解密offset用到的数据
+4 dword 用来解密var_34_decrypt_in_7c36d76d handle可能会用到的参数
+8 dword 用来解密var_30_decrypt_7c36d794 handle可能会用到的参数
}
写个IDApython脚本来记录下handle的顺序执行过程:
#-*- coding:UTF:8-*-
def TO_BYTE(a):
return a&ff
def TO_WORD(a):
return a&ffff
def TO_DWORD(a):
return a&ffffffff
def HANDLE_FF_DWORD(a):
if a > 0f0000000:
a = 100000000 - a
a = hex(a)
a = '-' + a
else:
a = hex(a)
a = '+' + a
return a
def main(pvmdata = 7c3bd140):
retn_address = 7c362602
esp_init = 12f770
vm_esp = 12f768
handle_list = []
execute_ins = []
while True:
key = 47802add
#print "pvmdata is %08x" % pvmdata
key = TO_DWORD(key + Dword(pvmdata - 4))
offset = TO_DWORD(Dword(pvmdata) ^ key)
vmhandle = TO_DWORD(retn_address + offset)
if vmhandle > 7c800000 or vmhandle < 7c360000:
break
if vmhandle not in handle_list:
handle_list.append(vmhandle)
#print "%08x" % vmhandle
#print "pvmdata :%08x vmhandle:%08x" % (pvmdata,vmhandle)
key = TO_DWORD(key + D549FCB5)
var34_7c36d770 = TO_DWORD(key ^ Dword(pvmdata + 4))
#print "var34 is %08x" % var34_7c36d770
key = TO_DWORD(key + 7909184a)
var_30_decrypt_7c36d794 = TO_DWORD(key ^ Dword(pvmdata+8))
#print "var30 is %08x" % var_30_decrypt_7c36d794
pvmdata = pvmdata + 0c
if vmhandle == 7c361e78:
str = "push dword(dword(esp %s) %s) vmhandle is %08x" % (HANDLE_FF_DWORD(var34_7c36d770),HANDLE_FF_DWORD(var_30_decrypt_7c36d794),vmhandle)
#print str
execute_ins.append(str)
#PatchDword(vm_esp,value)
elif vmhandle == 7c361e6a:
str = "push %08x vmhandle is %08x" % (var34_7c36d770,vmhandle)
#print str
execute_ins.append(str)
elif vmhandle == 7c362009:
#str = "pop edx"
#print str
#str = "pop edi"
str = "pop edx,pop edi,add edi,edx,push edi vmhandle is %08x" % vmhandle
#print str
execute_ins.append(str)
#str = "push %08x" % value
#print str
elif vmhandle == 7c3621f8:
#str = "pop ecx"
#print str
#str = "pop edi"
#print str
if var34_7c36d770 > 0f0000000:
offset = 100000000 - var34_7c36d770
offset = offset / 0c
offset = offset + 1
str = "pop,pop,jmp_eq $-%08x vmhandle is %08x" % (offset,vmhandle)
else:
offset = var34_7c36d770 / 0c
offset = offset + 1
str = "pop,pop,jmp_eq $+%08x vmhandle is %08x" % (offset,vmhandle)
#print str
execute_ins.append(str)
#if value2 == value1:
#print "add var32 is %08x" % var34_7c36d770
#pvmdata = TO_DWORD(pvmdata + var34_7c36d770)
elif vmhandle == 7c361d2d:
str = "pop edi,push fs:[30] vmhandle is %08x" % vmhandle
#print str
execute_ins.append(str)
elif vmhandle == 7c361f6a:
str = "pop dword(dword(esp %s) %s) vmhandle is %08x" % (HANDLE_FF_DWORD(var34_7c36d770),HANDLE_FF_DWORD(var_30_decrypt_7c36d794),vmhandle)
#print str
execute_ins.append(str)
elif vmhandle == 7c361d14:
#str = "pop edx"
#print str
str = "call push result vmhandle is %08x" % vmhandle
execute_ins.append(str)
#print str
for i in range(len(execute_ins)):
print "%08x,%s" % (i,execute_ins)
if _name_ == '_main_':
print "start to analysis"
main()
log如下:
start to analysis
00000000,push dword(dword(esp -4L) -8L) vmhandle is 7c361e78
00000001,push 0005b66c vmhandle is 7c361e6a
00000002,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000003,push dword(dword(esp -4L) -cL) vmhandle is 7c361e78
00000004,push 00000678 vmhandle is 7c361e6a
00000005,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000006,push 8e7f35ed vmhandle is 7c361e6a
00000007,push ad6bd309 vmhandle is 7c361e6a
00000008,push 0000e860 vmhandle is 7c361e6a
00000009,push 90909090 vmhandle is 7c361e6a
0000000a,push 0000019f vmhandle is 7c361e6a
0000000b,push fffffeeb vmhandle is 7c361e6a
0000000c,push dword(dword(esp -4L) -cL) vmhandle is 7c361e78
0000000d,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
0000000e,push 00000000 vmhandle is 7c361e6a
0000000f,push 00000000 vmhandle is 7c361e6a
00000010,push 00000000 vmhandle is 7c361e6a
00000011,push 00000000 vmhandle is 7c361e6a
00000012,push 00000000 vmhandle is 7c361e6a
00000013,push 00000000 vmhandle is 7c361e6a
00000014,push 00000000 vmhandle is 7c361e6a
00000015,push 00000000 vmhandle is 7c361e6a
00000016,push 00000000 vmhandle is 7c361e6a
00000017,push ffff4392 vmhandle is 7c361e6a
00000018,push dword(dword(esp -4L) -cL) vmhandle is 7c361e78
00000019,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
0000001a,push 0000c000 vmhandle is 7c361e6a
0000001b,push dword(dword(esp -cL) +0L) vmhandle is 7c361e78
0000001c,push dword(dword(esp -4L) -1cL) vmhandle is 7c361e78
0000001d,pop,pop,jmp_eq $+00000004 vmhandle is 7c3621f8
0000001e,push 00000000 vmhandle is 7c361e6a
0000001f,push 00000000 vmhandle is 7c361e6a
00000020,pop,pop,jmp_eq $+00000007 vmhandle is 7c3621f8
00000021,push dword(dword(esp -10L) +0L) vmhandle is 7c361e78
00000022,push dword(dword(esp -4L) -20L) vmhandle is 7c361e78
00000023,pop,pop,jmp_eq $+000000af vmhandle is 7c3621f8
00000024,push 00000000 vmhandle is 7c361e6a
00000025,push 00000000 vmhandle is 7c361e6a
00000026,pop,pop,jmp_eq $-00000007 vmhandle is 7c3621f8
00000027,push 00000001 vmhandle is 7c361e6a
00000028,push 00000000 vmhandle is 7c361e6a
00000029,pop,pop,jmp_eq $+0000006b vmhandle is 7c3621f8
0000002a,push 00000030 vmhandle is 7c361e6a
0000002b,pop edi,push fs:[30] vmhandle is 7c361d2d
0000002c,pop dword(dword(esp -4L) -30L) vmhandle is 7c361f6a
0000002d,push dword(dword(esp -30L) +cL) vmhandle is 7c361e78
0000002e,pop dword(dword(esp -4L) -30L) vmhandle is 7c361f6a
0000002f,push dword(dword(esp -30L) +cL) vmhandle is 7c361e78
00000030,pop dword(dword(esp -4L) -30L) vmhandle is 7c361f6a
00000031,push dword(dword(esp -30L) +0L) vmhandle is 7c361e78
00000032,pop dword(dword(esp -4L) -30L) vmhandle is 7c361f6a
00000033,push dword(dword(esp -30L) +18L) vmhandle is 7c361e78
00000034,pop dword(dword(esp -4L) -34L) vmhandle is 7c361f6a
00000035,push dword(dword(esp -30L) +18L) vmhandle is 7c361e78
00000036,push 00000000 vmhandle is 7c361e6a
00000037,pop,pop,jmp_eq $+00000016 vmhandle is 7c3621f8
00000038,push dword(dword(esp -4L) -34L) vmhandle is 7c361e78
00000039,push dword(dword(esp -34L) +3cL) vmhandle is 7c361e78
0000003a,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
0000003b,pop dword(dword(esp -4L) -38L) vmhandle is 7c361f6a
0000003c,push dword(dword(esp -38L) +78L) vmhandle is 7c361e78
0000003d,push dword(dword(esp -4L) -34L) vmhandle is 7c361e78
0000003e,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
0000003f,pop dword(dword(esp -4L) -3cL) vmhandle is 7c361f6a
00000040,push dword(dword(esp -4L) -3cL) vmhandle is 7c361e78
00000041,push dword(dword(esp -4L) -34L) vmhandle is 7c361e78
00000042,pop,pop,jmp_eq $+0000000b vmhandle is 7c3621f8
00000043,push dword(dword(esp -3cL) +cL) vmhandle is 7c361e78
00000044,push dword(dword(esp -30L) +18L) vmhandle is 7c361e78
00000045,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000046,pop dword(dword(esp -4L) -40L) vmhandle is 7c361f6a
00000047,push dword(dword(esp -40L) +0L) vmhandle is 7c361e78
00000048,push 6c64746e vmhandle is 7c361e6a
00000049,pop,pop,jmp_eq $+00000007 vmhandle is 7c3621f8
0000004a,push dword(dword(esp -40L) +0L) vmhandle is 7c361e78
0000004b,push 4c44544e vmhandle is 7c361e6a
0000004c,pop,pop,jmp_eq $+00000004 vmhandle is 7c3621f8
0000004d,push 00000000 vmhandle is 7c361e6a
0000004e,push 00000000 vmhandle is 7c361e6a
0000004f,pop,pop,jmp_eq $-00000020 vmhandle is 7c3621f8
00000050,push dword(dword(esp -3cL) +24L) vmhandle is 7c361e78
00000051,push dword(dword(esp -4L) -34L) vmhandle is 7c361e78
00000052,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000053,pop dword(dword(esp -4L) -40L) vmhandle is 7c361f6a
00000054,push dword(dword(esp -3cL) +20L) vmhandle is 7c361e78
00000055,push dword(dword(esp -4L) -34L) vmhandle is 7c361e78
00000056,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000057,pop dword(dword(esp -4L) -44L) vmhandle is 7c361f6a
00000058,push dword(dword(esp -44L) +0L) vmhandle is 7c361e78
00000059,push dword(dword(esp -4L) -34L) vmhandle is 7c361e78
0000005a,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
0000005b,pop dword(dword(esp -4L) -2cL) vmhandle is 7c361f6a
0000005c,push dword(dword(esp -2cL) +7L) vmhandle is 7c361e78
0000005d,push 69567463 vmhandle is 7c361e6a
0000005e,pop,pop,jmp_eq $+0000000c vmhandle is 7c3621f8
0000005f,push dword(dword(esp -4L) -44L) vmhandle is 7c361e78
00000060,push 00000004 vmhandle is 7c361e6a
00000061,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000062,pop dword(dword(esp -4L) -44L) vmhandle is 7c361f6a
00000063,push dword(dword(esp -4L) -40L) vmhandle is 7c361e78
00000064,push 00000002 vmhandle is 7c361e6a
00000065,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000066,pop dword(dword(esp -4L) -40L) vmhandle is 7c361f6a
00000067,push 00000000 vmhandle is 7c361e6a
00000068,push 00000000 vmhandle is 7c361e6a
00000069,pop,pop,jmp_eq $-00000013 vmhandle is 7c3621f8
0000006a,push dword(dword(esp -2cL) +13L) vmhandle is 7c361e78
0000006b,push 0079726f vmhandle is 7c361e6a
0000006c,pop,pop,jmp_eq $+00000004 vmhandle is 7c3621f8
0000006d,push 00000000 vmhandle is 7c361e6a
0000006e,push 00000000 vmhandle is 7c361e6a
0000006f,pop,pop,jmp_eq $-00000012 vmhandle is 7c3621f8
00000070,push dword(dword(esp -40L) +0L) vmhandle is 7c361e78
00000071,pop dword(dword(esp -4L) -48L) vmhandle is 7c361f6a
00000072,push 00000000 vmhandle is 7c361e6a
00000073,pop dword(dword(esp -4L) -46L) vmhandle is 7c361f6a
00000074,push dword(dword(esp -4L) -48L) vmhandle is 7c361e78
00000075,push dword(dword(esp -4L) -48L) vmhandle is 7c361e78
00000076,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000077,pop dword(dword(esp -4L) -48L) vmhandle is 7c361f6a
00000078,push dword(dword(esp -4L) -48L) vmhandle is 7c361e78
00000079,push dword(dword(esp -4L) -48L) vmhandle is 7c361e78
0000007a,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
0000007b,pop dword(dword(esp -4L) -48L) vmhandle is 7c361f6a
0000007c,push dword(dword(esp -3cL) +1cL) vmhandle is 7c361e78
0000007d,push dword(dword(esp -4L) -48L) vmhandle is 7c361e78
0000007e,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
0000007f,push dword(dword(esp -4L) -34L) vmhandle is 7c361e78
00000080,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000081,pop dword(dword(esp -4L) -48L) vmhandle is 7c361f6a
00000082,push dword(dword(esp -48L) +0L) vmhandle is 7c361e78
00000083,push dword(dword(esp -4L) -34L) vmhandle is 7c361e78
00000084,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000085,pop dword(dword(esp -4L) -48L) vmhandle is 7c361f6a
00000086,push dword(dword(esp -4L) -4L) vmhandle is 7c361e78
00000087,push ffffffd4 vmhandle is 7c361e6a
00000088,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000089,push 00000040 vmhandle is 7c361e6a
0000008a,push dword(dword(esp -4L) -4L) vmhandle is 7c361e78
0000008b,push ffffffac vmhandle is 7c361e6a
0000008c,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
0000008d,push dword(dword(esp -4L) -4L) vmhandle is 7c361e78
0000008e,push ffffffb0 vmhandle is 7c361e6a
0000008f,pop edx,pop edi,add edi,edx,push edi vmhandle is 7c362009
00000090,push ffffffff vmhandle is 7c361e6a
00000091,push dword(dword(esp -4L) -48L) vmhandle is 7c361e78
00000092,call push result vmhandle is 7c361d14
00000093,pop dword(dword(esp -4L) -2cL) vmhandle is 7c361f6a
00000094,push 0424448b vmhandle is 7c361e6a
00000095,pop dword(dword(esp -28L) +0L) vmhandle is 7c361f6a
00000096,push 1424548b vmhandle is 7c361e6a
00000097,pop dword(dword(esp -28L) +4L) vmhandle is 7c361f6a
00000098,push 10391087 vmhandle is 7c361e6a
00000099,pop dword(dword(esp -28L) +8L) vmhandle is 7c361f6a
0000009a,push 0025840f vmhandle is 7c361e6a
0000009b,pop dword(dword(esp -28L) +cL) vmhandle is 7c361f6a
0000009c,push 548b0000 vmhandle is 7c361e6a
0000009d,pop dword(dword(esp -28L) +10L) vmhandle is 7c361f6a
0000009e,push 4c8b0c24 vmhandle is 7c361e6a
0000009f,pop dword(dword(esp -28L) +14L) vmhandle is 7c361f6a
000000a0,push 02e90824 vmhandle is 7c361e6a
000000a1,pop dword(dword(esp -28L) +18L) vmhandle is 7c361f6a
000000a2,push 31000000 vmhandle is 7c361e6a
000000a3,pop dword(dword(esp -28L) +1cL) vmhandle is 7c361f6a
000000a4,push 24540310 vmhandle is 7c361e6a
000000a5,pop dword(dword(esp -28L) +20L) vmhandle is 7c361f6a
000000a6,push 81d2d310 vmhandle is 7c361e6a
000000a7,pop dword(dword(esp -28L) +24L) vmhandle is 7c361f6a
000000a8,push a57966f2 vmhandle is 7c361e6a
000000a9,pop dword(dword(esp -28L) +28L) vmhandle is 7c361f6a
000000aa,push 04c08314 vmhandle is 7c361e6a
000000ab,pop dword(dword(esp -28L) +2cL) vmhandle is 7c361f6a
000000ac,push e8850f49 vmhandle is 7c361e6a
000000ad,pop dword(dword(esp -28L) +30L) vmhandle is 7c361f6a
000000ae,push c2ffffff vmhandle is 7c361e6a
000000af,pop dword(dword(esp -28L) +34L) vmhandle is 7c361f6a
000000b0,push 90900014 vmhandle is 7c361e6a
000000b1,pop dword(dword(esp -28L) +38L) vmhandle is 7c361f6a
000000b2,push dword(dword(esp -4L) -1cL) vmhandle is 7c361e78
000000b3,push dword(dword(esp -4L) -18L) vmhandle is 7c361e78
000000b4,push dword(dword(esp -4L) -14L) vmhandle is 7c361e78
000000b5,push dword(dword(esp -4L) -24L) vmhandle is 7c361e78
000000b6,push dword(dword(esp -4L) -cL) vmhandle is 7c361e78
000000b7,push dword(dword(esp -4L) -28L) vmhandle is 7c361e78
000000b8,call push result vmhandle is 7c361d14
000000b9,pop dword(dword(esp -4L) -2cL) vmhandle is 7c361f6a
000000ba,push dword(dword(esp -10L) +0L) vmhandle is 7c361e78
000000bb,push dword(dword(esp -4L) -20L) vmhandle is 7c361e78
000000bc,pop,pop,jmp_eq $+00000004 vmhandle is 7c3621f8
000000bd,push 00000000 vmhandle is 7c361e6a
000000be,push 00000000 vmhandle is 7c361e6a
000000bf,pop,pop,jmp_eq $-000000a0 vmhandle is 7c3621f8
000000c0,push 5c04c483 vmhandle is 7c361e6a
000000c1,pop dword(dword(esp -28L) +0L) vmhandle is 7c361f6a
000000c2,push c9595a5f vmhandle is 7c361e6a
000000c3,pop dword(dword(esp -28L) +4L) vmhandle is 7c361f6a
000000c4,push 000108e9 vmhandle is 7c361e6a
000000c5,pop dword(dword(esp -28L) +8L) vmhandle is 7c361f6a
000000c6,push 00258400 vmhandle is 7c361e6a
000000c7,pop dword(dword(esp -28L) +cL) vmhandle is 7c361f6a
000000c8,push 90909090 vmhandle is 7c361e6a
000000c9,pop dword(dword(esp -28L) +10L) vmhandle is 7c361f6a
000000ca,push 90909090 vmhandle is 7c361e6a
000000cb,pop dword(dword(esp -28L) +14L) vmhandle is 7c361f6a
000000cc,push 90909090 vmhandle is 7c361e6a
000000cd,pop dword(dword(esp -28L) +18L) vmhandle is 7c361f6a
000000ce,push 90909090 vmhandle is 7c361e6a
000000cf,pop dword(dword(esp -28L) +1cL) vmhandle is 7c361f6a
000000d0,push 90909090 vmhandle is 7c361e6a
000000d1,pop dword(dword(esp -28L) +20L) vmhandle is 7c361f6a
000000d2,push dword(dword(esp -4L) -4L) vmhandle is 7c361e78
000000d3,push dword(dword(esp -4L) -28L) vmhandle is 7c361e78
000000d4,call push result vmhandle is 7c361d14
清理标记一下 代码如下:
1 push_dword_dword -4h, -8h
2 push 5B66C
3 add 7c362602,5b66c
4 push_dword_dword -4h, -Ch
5 push 678
6 add 7C3BDC6E,678
7 push 8E7F35ED
8 push AD6BD309
9 push E860
A push 90909090
B push 19F
C push FFFFFEEB
D push_dword_dword -4h, -Ch
E add 7C3BDC6E,FFFFFEEB
F push 0
10 push 0
11 push 0
12 push 0
13 push 0
14 push 0
15 push 0
16 push 0
17 push 0
18 push FFFF4392
19 push_dword_dword -4h, -Ch
1A add 7C3BDC6E,FFFF4392
1B push C000
1C push_dword_dword -Ch, 0h
1D push_dword_dword -4h, -1Ch
1E jmp_eq is_decrypted_done
1F push 0
20 push 0
21 jmp_eq is_memory_protected
is_decrypted_done:
22 push_dword_dword -10h, 0h
23 push_dword_dword -4h, -20h
24 jmp_eq run_decrypted_code
25 push 0
26 push 0
27 jmp_eq is_decrypted_done
is_memory_protected:
28 push 1
29 push 0
2A jmp_eq decrypt
2B push 30
2C push_dword_dword_fs
2D pop_dword_dword -4h, -30h
2E push_dword_dword -30h, Ch 获取peb_ldr_data结构指针
2F pop_dword_dword -4h, -30h
30 push_dword_dword -30h, Ch 获取链表的指针
31 pop_dword_dword -4h, -30h
getntdllimagebase_loop:
32 push_dword_dword -30h, 0h
33 pop_dword_dword -4h, -30h
34 push_dword_dword -30h, 18h 获取dll基址
35 pop_dword_dword -4h, -34h
36 push_dword_dword -30h, 18h
37 push 0
38 jmp_eq next
39 push_dword_dword -4h, -34h
3A push_dword_dword -34h, 3Ch
3B add 7C900000,e0 定位到pe头
3C pop_dword_dword -4h, -38h
3D push_dword_dword -38h, 78h
3E push_dword_dword -4h, -34h
3F add 定位到导出表
40 pop_dword_dword -4h, -3Ch
41 push_dword_dword -4h, -3Ch
42 push_dword_dword -4h, -34h
43 jmp_eq next
44 push_dword_dword -3Ch, Ch
45 push_dword_dword -30h, 18h
46 add 定位到dll的名字
47 pop_dword_dword -4h, -40h
48 push_dword_dword -40h, 0h
49 push 6C64746E 比较是否是ntdll
4A jmp_eq got_imagebase
4B push_dword_dword -40h, 0h
4C push 4C44544E
4D jmp_eq got_imagebase
next:
4E push 0
4F push 0
50 jmp_eq getntdllimagebase_loop
got_imagebase:
51 push_dword_dword -3Ch, 24h
52 push_dword_dword -4h, -34h
53 add
54 pop_dword_dword -4h, -40h AddressOfNameOrdinals
55 push_dword_dword -3Ch, 20h
56 push_dword_dword -4h, -34h
57 add
58 pop_dword_dword -4h, -44h AddressOfNames
next_name_loop:
59 push_dword_dword -44h, 0h
5A push_dword_dword -4h, -34h
5B add
5C pop_dword_dword -4h, -2Ch
5D push_dword_dword -2Ch, 7h
5E push 69567463 比较名字是否含有ctvi
5F jmp_eq found
60 push_dword_dword -4h, -44h
61 push 4
62 add
63 pop_dword_dword -4h, -44h
64 push_dword_dword -4h, -40h
65 push 2
66 add
67 pop_dword_dword -4h, -40h
68 push 0
69 push 0
6A jmp_eq next_name_loop
found:
6B push_dword_dword -2Ch, 13h
6C push 79726F
6D jmp_eq changememoryattr 检测最后三个字母是否是ory
6E push 0
6F push 0
70 jmp_eq next_name_loop
changememoryattr:
71 push_dword_dword -40h, 0h
72 pop_dword_dword -4h, -48h
73 push 0
74 pop_dword_dword -4h, -46h
75 push_dword_dword -4h, -48h
76 push_dword_dword -4h, -48h
77 add
78 pop_dword_dword -4h, -48h
79 push_dword_dword -4h, -48h
7A push_dword_dword -4h, -48h
7B add 序号*4
7C pop_dword_dword -4h, -48h
7D push_dword_dword -3Ch, 1Ch
7E push_dword_dword -4h, -48h
7F add
80 push_dword_dword -4h, -34h
81 add
82 pop_dword_dword -4h, -48h
83 push_dword_dword -48h, 0h
84 push_dword_dword -4h, -34h
85 add ZwProtectVirtualMemory
86 pop_dword_dword -4h, -48h
87 push_dword_dword -4h, -4h
88 push FFFFFFD4
89 add
8A push 40
8B push_dword_dword -4h, -4h
8C push FFFFFFAC
8D add
8E push_dword_dword -4h, -4h
8F push FFFFFFB0
90 add
91 push FFFFFFFF
92 push_dword_dword -4h, -48h
93 call ZwProtectVirtualMemory
{
new protect = 40
protectsize = c000
baseaddress = 7c3b2000
call ZwProtectVirtualMemory
}
94 pop_dword_dword -4h, -2Ch
decrypt:
95 push 424448B
96 pop_dword_dword -28h, 0h
97 push 1424548B
98 pop_dword_dword -28h, 4h
99 push 10391087
9A pop_dword_dword -28h, 8h
9B push 25840F
9C pop_dword_dword -28h, Ch
9D push 548B0000
9E pop_dword_dword -28h, 10h
9F push 4C8B0C24
A0 pop_dword_dword -28h, 14h
A1 push 2E90824
A2 pop_dword_dword -28h, 18h
A3 push 31000000
A4 pop_dword_dword -28h, 1Ch
A5 push 24540310
A6 pop_dword_dword -28h, 20h
A7 push 81D2D310
A8 pop_dword_dword -28h, 24h
A9 push A57966F2
AA pop_dword_dword -28h, 28h
AB push 4C08314
AC pop_dword_dword -28h, 2Ch
AD push E8850F49
AE pop_dword_dword -28h, 30h
AF push C2FFFFFF
B0 pop_dword_dword -28h, 34h
B1 push 90900014
B2 pop_dword_dword -28h, 38h
B3 push_dword_dword -4h, -1Ch
B4 push_dword_dword -4h, -18h
B5 push_dword_dword -4h, -14h
B6 push_dword_dword -4h, -24h
B7 push_dword_dword -4h, -Ch
B8 push_dword_dword -4h, -28h
B9 call decrypt
{
7C3BDB59 8B4424 04 mov eax, dword ptr [esp+4] ; 2.7C3BDC6E
7C3BDB5D 8B5424 14 mov edx, dword ptr [esp+14] ;0000E860
7C3BDB61 8710 xchg dword ptr [eax], edx
7C3BDB63 3910 cmp dword ptr [eax], edx
7C3BDB65 0F84 25000000 je 7C3BDB90
7C3BDB6B 8B5424 0C mov edx, dword ptr [esp+C] 8E7F35ED
7C3BDB6F 8B4C24 08 mov ecx, dword ptr [esp+8] 19f
7C3BDB73 E9 02000000 jmp 7C3BDB7A
7C3BDB78 3110 xor dword ptr [eax], edx
7C3BDB7A 035424 10 add edx, dword ptr [esp+10] AD6BD309
7C3BDB7E D3D2 rcl edx, cl ecx = 19f cl = 9f
7C3BDB80 81F2 6679A514 xor edx, 14A57966
7C3BDB86 83C0 04 add eax, 4
7C3BDB89 49 dec ecx
7C3BDB8A ^ 0F85 E8FFFFFF jnz 7C3BDB78
7C3BDB90 C2 1400 retn 14 平衡堆栈 因为前面传进来5个参数
}
BA pop_dword_dword -4h, -2Ch
BB push_dword_dword -10h, 0h
BC push_dword_dword -4h, -20h
BD jmp_eq next_lay
BE push 0
BF push 0
C0 jmp_eq is_ready
next_lay:
C1 push 5C04C483
C2 pop_dword_dword -28h, 0h
C3 push C9595A5F
C4 pop_dword_dword -28h, 4h
C5 push 108E9
C6 pop_dword_dword -28h, 8h
C7 push 258400
C8 pop_dword_dword -28h, Ch
C9 push 90909090
CA pop_dword_dword -28h, 10h
CB push 90909090
CC pop_dword_dword -28h, 14h
CD push 90909090
CE pop_dword_dword -28h, 18h
CF push 90909090
D0 pop_dword_dword -28h, 1Ch
D1 push 90909090
D2 pop_dword_dword -28h, 20h
run_decrypted_code:
D3 push_dword_dword -4h, -4h
D4 push_dword_dword -4h, -28h
D5 call decrypted_code
{
7C3BDB59 83C4 04 add esp, 4
7C3BDB5C 5C pop esp
7C3BDB5D 5F pop edi
7C3BDB5E 5A pop edx
7C3BDB5F 59 pop ecx
7C3BDB60 C9 leave
7C3BDB61 E9 08010000 jmp 7C3BDC6E
7C3BDB66 8425 00909090 test byte ptr [90909000], ah
7C3BDB6C 90 nop
7C3BDB6D 90 nop
7C3BDB6E 90 nop
7C3BDB6F 90 nop
7C3BDB70 90 nop
7C3BDB71 90 nop
7C3BDB72 90 nop
7C3BDB73 90 nop
7C3BDB74 90 nop
7C3BDB75 90 nop
7C3BDB76 90 nop
7C3BDB77 90 nop
7C3BDB78 90 nop
7C3BDB79 90 nop
7C3BDB7A 90 nop
7C3BDB7B 90 nop
7C3BDB7C 90 nop
}
sample md5:3ad9469f54b64d4d883dd8d02850e89d
就到这里了 have fun
|
|
[复制链接]
