跟踪一个反调试巨多的病毒样本
1. 调用 QueryPerformanceCounter 反调试。该 API 内部调用 ntdll!NtQueryPerformanceCounter，后者封装了 ZwQueryPerformanceCounter 系统调用。
; NOTE(review): a running local (local.1) is XORed with the low dword of the counter
; returned by QueryPerformanceCounter. This is the same shape as the MSVC
; __security_init_cookie (/GS cookie seeding) sequence, not necessarily a timing
; check; confirm the surrounding code before treating it as an anti-debug probe.
004060FA |. 3345 FC xor eax,[local.1]          ; eax ^= local.1 (running value)
004060FD |. 8945 FC mov [local.1],eax          ; local.1 = eax
00406100 |. 8D55 EC lea edx,[local.5]          ; edx = &local.5, receives the 64-bit counter
00406103 |. 52 push edx                        ; arg: lpPerformanceCount
00406104 |. FF15 C0204300 call dword ptr ds:[<&KERNEL32.QueryPerformanceCounter>] ; fills local.5
0040610A |. 8B45 FC mov eax,[local.1]          ; reload running value
0040610D |. 3345 EC xor eax,[local.5]          ; fold the low dword of the counter in
00406110 |. 8945 FC mov [local.1],eax          ; local.1 = result
2. 注册 SEH 异常处理函数
; Function entry: builds an SEH frame on the stack and links it at fs:[0].
; Layout after the pushes: [ebp-4] = -2, [ebp-8] = 00446510, [ebp-C] = 004087F0,
; [ebp-10] = previous fs:[0]. [ebp-10]/[ebp-C] form the {prev, handler} registration
; record that is installed below. NOTE(review): the -2 / scope-table / handler triple
; with the table XORed against ds:[0x44800C] matches the compiler-generated MSVC
; SEH4 prologue, with 0x44800C presumably being __security_cookie — confirm.
004053C0 $ 55 push ebp
004053C1 . 8BEC mov ebp,esp
004053C3 . 6A FE push -0x2                      ; [ebp-4]
004053C5 . 68 10654400 push 123.00446510        ; [ebp-8]  (scope table pointer)
004053CA . 68 F0874000 push 123.004087F0        ; [ebp-C]  (handler routine)
004053CF . 64:A1 00000000 mov eax,dword ptr fs:[0] ; eax = current head of the SEH chain
004053D5 . 50 push eax                          ; [ebp-10] = prev; registration record starts here
004053D6 . 83C4 D0 add esp,-0x30                ; reserve 0x30 bytes of locals
004053D9 . 53 push ebx                          ; save callee-saved registers
004053DA . 56 push esi
004053DB . 57 push edi
004053DC . A1 0C804400 mov eax,dword ptr ds:[0x44800C] ; global at 0x44800C (cookie?)
004053E1 . 3145 F8 xor dword ptr ss:[ebp-0x8],eax ; scope table pointer ^= that value
004053E4 . 33C5 xor eax,ebp                     ; frame-dependent variant of the same value
004053E6 . 50 push eax
004053E7 . 8D45 F0 lea eax,dword ptr ss:[ebp-0x10] ; eax = &registration record
004053EA . 64:A3 00000000 mov dword ptr fs:[0],eax ; install the SEH frame (register handler)
004053F0 . 8965 E8 mov dword ptr ss:[ebp-0x18],esp ; [ebp-18] = saved esp
004053F3 . 6A 01 push 0x1
3. 调用 IsProcessorFeaturePresent 反调试，手动将 eax 修改为 0 即可。
; NOTE(review): argument 0xA is PF_XMMI64_INSTRUCTIONS_AVAILABLE (SSE2 support).
; A call with this argument at this point looks like the MSVC CRT startup SSE2
; guard rather than a debugger check — confirm. Either way, a zero result (or a
; forced eax=0 after the call) does NOT jump to 00405DBB; it falls through to
; xor eax,eax / jmp 00406043.
00405DA1 . 83C8 01 or eax,0x1
00405DA4 . A3 10804400 mov dword ptr ds:[0x448010],eax   ; store (eax | 1) to global 0x448010
00405DA9 . 6A 0A push 0xA                        ; ProcessorFeature = 0xA (SSE2)
00405DAB . E8 82A00200 call <jmp.&KERNEL32.IsProcessorFeaturePresent> ; anti-debug (per the note above)
00405DB0 . 85C0 test eax,eax
00405DB2 . 75 07 jnz short 123.00405DBB          ; feature present -> continue at 00405DBB
00405DB4 . 33C0 xor eax,eax                      ; not present: eax = 0 ...
00405DB6 . E9 88020000 jmp 123.00406043          ; ... and leave via 00406043 (presumably an early exit — confirm)
00405DBB > C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0 ; clear two locals
00405DC2 . C745 F4 0000000>mov dword ptr ss:[ebp-0xC],0x0
4. 通过 LoadLibraryExW 加载一个奇怪的 DLL……（api-ms-win-core-* 是 Windows 的 API Set 转发 DLL，这类加载通常来自 CRT 启动代码，未必是病毒自身的行为）
0012FE88 004084C5 /CALL 到 LoadLibraryExW 来自 123.004084BF
0012FE8C 00432494 |FileName = "api-ms-win-core-synch-l1-2-0"
0012FE90 00000000 |hFile = NULL
0012FE94 00000800 \Flags = 800
5. 再以 kernel32.dll 为模块调用 GetProcAddress，得到 InitializeCriticalSectionEx 的地址
EBP-10 0> 0040849F /CALL 到 GetProcAddress 来自 123.00408499
EBP-C 0> 7C800000 |hModule = 7C800000 (kernel32)
EBP-8 0> 004326C0 \ProcNameOrOrdinal = "InitializeCriticalSectionEx"
6. 再次调用 IsProcessorFeaturePresent 反调试，其返回值写入 0x4606C4，可修改该地址处的值。
; Second IsProcessorFeaturePresent(0xA) probe; this time the result is cached
; in a global instead of branched on. The function's push ebp is presumably just
; above this excerpt.
0042CEB3 8BEC mov ebp,esp                        ; frame setup
0042CEB5 6A 0A push 0xA                          ; PF_XMMI64_INSTRUCTIONS_AVAILABLE (SSE2), same as before
0042CEB7 E8 762F0000 call <jmp.&KERNEL32.IsProcessorFeaturePresent>
0042CEBC A3 C4064600 mov dword ptr ds:[0x4606C4],eax   ; global 0x4606C4 = result (the value the note says to patch)
0042CEC1 33C0 xor eax,eax                        ; eax = 0
7. 调用 SetUnhandledExceptionFilter 反调试（注册顶层异常过滤器），随后进入 SEH
EBP-8 0> 00405A4E /CALL 到 SetUnhandledExceptionFilter 来自 123.00405A48
EBP-4 0> 00405A50 \pTopLevelFilter = 123.00405A50