Simple analysis of a file-infecting virus
ID: 疯狂的小鬼 (Kafan)
Tool: OD (OllyDbg); the virus is not packed, so no unpacking is needed
Sample address: http://bbs.kafan.cn/forum.php?mod=redirect&goto=findpost&ptid=996515&pid=19521529&fromuid=553277 (post #46)
Code:
00429E5E > 55 push ebp ; entry point
00429EC0 /75 08 jnz short VideoPlu.00429ECA ; for the analysis, don't let it take this jump
00429EC4 E8 B0000000 call VideoPlu.00429F79 ; F7, step in and have a look
00429F79 833D 10234300 0>cmp dword ptr ds:[0x432310],0x1
00429F80 75 05 jnz short VideoPlu.00429F87
00429F82 E8 890B0000 call VideoPlu.0042AB10
00429F87 FF7424 04 push dword ptr ss:[esp+0x4]
00429F8B E8 B90B0000 call VideoPlu.0042AB49
00429F90 59 pop ecx
00429F91 68 FF000000 push 0xFF ; the process exits below
00429F96 FF15 34D04200 call dword ptr ds:[<&KERNEL32.ExitProces>; kernel32.ExitProcess
00429F9C C3 retn
Code:
00429F80 /75 05 jnz short VideoPlu.00429F87 ; don't let it jump
00429F82 E8 890B0000 call VideoPlu.0042AB10 ; F7
0042AB15 83F8 01 cmp eax,0x1
0042AB18 74 0D je short VideoPlu.0042AB27
0042AB1A 85C0 test eax,eax
0042AB1C 75 2A jnz short VideoPlu.0042AB48
0042AB1E 833D B41C4300 0>cmp dword ptr ds:[0x431CB4],0x1
0042AB25 75 21 jnz short VideoPlu.0042AB48
0042AB27 68 FC000000 push 0xFC
0042AB2C E8 18000000 call VideoPlu.0042AB49
0042AB31 A1 6C244300 mov eax,dword ptr ds:[0x43246C]
0042AB36 59 pop ecx
0042AB37 85C0 test eax,eax
0042AB39 74 02 je short VideoPlu.0042AB3D
0042AB3B FFD0 call eax
0042AB3D 68 FF000000 push 0xFF
0042AB42 E8 02000000 call VideoPlu.0042AB49
0042AB47 59 pop ecx
0042AB48 C3 retn
0042AB25 /75 21 jnz short VideoPlu.0042AB48 ; don't let it jump
0042AB2C E8 18000000 call VideoPlu.0042AB49 ; F7, step in
0042ABA2 /0F84 F1000000 je VideoPlu.0042AC99 ; don't let it jump
0042ABB6 FF15 ECD04200 call dword ptr ds:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA ; gets the system directory file path
0042ABBE /75 13 jnz short VideoPlu.0042ABD3 ; not taken
0042ABCC E8 5F0D0000 call VideoPlu.0042B930 ; F7
Stack [0012FD88]=0012FD94 (0012FD94), ASCII "<program name unknown>"
ecx=0042D4D4 (VideoPlu.0042D4D4), ASCII "GetLastActivePopup" ; gets the most recently active popup window
0042ABCC E8 5F0D0000 call VideoPlu.0042B930 ; F7, same contents as above
0042AC1C 68 9CD44200 push VideoPlu.0042D49C ; ASCII "Runtime Error!
Program: " ; an error... = =!! I'm not really sure about this either
0042AC2F E8 0C0D0000 call VideoPlu.0042B940 ; F7, nothing important in there
0042AC45 FFB6 641D4300 push dword ptr ds:[esi+0x431D64] ; VideoPlu.0042D228
ds:[00431DC4]=0042D228 (VideoPlu.0042D228), ASCII "R6028 - unable to initialize heap "
0042AC62 68 70D44200 push VideoPlu.0042D470 ; ASCII "Microsoft Visual C++ Runtime Library" ; error message
0042AC68 E8 B30D0000 call VideoPlu.0042BA20 ; F7, contents:
0042BA20 53 push ebx
0042BA21 33DB xor ebx,ebx
0042BA23 391D 7C244300 cmp dword ptr ds:[0x43247C],ebx
0042BA29 56 push esi
0042BA2A 57 push edi
0042BA2B 75 42 jnz short VideoPlu.0042BA6F
0042BA2D 68 04D54200 push VideoPlu.0042D504 ; ASCII "user32.dll"
0042BA32 FF15 84D04200 call dword ptr ds:[<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA (loads the specified module into the address space of the calling process)
0042BA38 8BF8 mov edi,eax
0042BA3A 3BFB cmp edi,ebx
0042BA3C 74 67 je short VideoPlu.0042BAA5
0042BA3E 8B35 1CD14200 mov esi,dword ptr ds:[<&KERNEL32.GetProc>; kernel32.GetProcAddress (gets the address of a DLL exported function)
0042BA44 68 F8D44200 push VideoPlu.0042D4F8 ; ASCII "MessageBoxA" (uses the MessageBox function)
0042BA49 57 push edi
0042BA4A FFD6 call esi
0042BA4C 85C0 test eax,eax
0042BA4E A3 7C244300 mov dword ptr ds:[0x43247C],eax
0042BA53 74 50 je short VideoPlu.0042BAA5 ; gets the handle of the active window
0042BA55 68 E8D44200 push VideoPlu.0042D4E8 ; ASCII "GetActiveWindow"
0042BA5A 57 push edi
0042BA5B FFD6 call esi
0042BA5D 68 D4D44200 push VideoPlu.0042D4D4 ; ASCII "GetLastActivePopup" (gets the most recently active popup window)
0042BA62 57 push edi
0042BA63 A3 80244300 mov dword ptr ds:[0x432480],eax
0042BA68 FFD6 call esi
0042BA6A A3 84244300 mov dword ptr ds:[0x432484],eax
0042BA6F A1 80244300 mov eax,dword ptr ds:[0x432480]
0042BA74 85C0 test eax,eax
0042BA76 74 16 je short VideoPlu.0042BA8E
0042BA78 FFD0 call eax
0042BA7A 8BD8 mov ebx,eax
0042BA7C 85DB test ebx,ebx
0042BA7E 74 0E je short VideoPlu.0042BA8E
0042BA80 A1 84244300 mov eax,dword ptr ds:[0x432484]
0042BA85 85C0 test eax,eax
0042BA87 74 05 je short VideoPlu.0042BA8E
0042BA89 53 push ebx
0042BA8A FFD0 call eax
0042BA8C 8BD8 mov ebx,eax
0042BA8E FF7424 18 push dword ptr ss:[esp+0x18]
0042BA92 FF7424 18 push dword ptr ss:[esp+0x18]
0042BA96 FF7424 18 push dword ptr ss:[esp+0x18]
0042BA9A 53 push ebx
0042BA9B FF15 7C244300 call dword ptr ds:[0x43247C]
0042BAA1 5F pop edi
0042BAA2 5E pop esi
0042BAA3 5B pop ebx
0042BAA4 C3 retn
0042BA9B FF15 7C244300 call dword ptr ds:[0x43247C] ; USER32.MessageBoxA ; this is where the C++ runtime error is reported
00429ECD E8 84080000 call VideoPlu.0042A756 ; F7
00429ED2 FF15 08D14200 call dword ptr ds:[<&KERNEL32.GetCommand>; kernel32.GetCommandLineA ; gets a pointer to the current command-line buffer
0042A762 E8 36F8FFFF call VideoPlu.00429F9D ; F7
0042B3CA FF15 24D14200 call dword ptr ds:[<&KERNEL32.VirtualAll>; kernel32.VirtualAlloc (reserves or commits a region of pages in the virtual address space of the calling process)
0012FE8C 00000000 |Address = NULL
0012FE90 00100000 |Size = 100000 (1048576.)
0012FE94 00002000 |AllocationType = MEM_RESERVE
0012FE98 00000004 \Protect = PAGE_READWRITE ; the attributes changed
0042B126 E8 DA020000 call VideoPlu.0042B405 ; F7
0042B456 FF15 24D14200 call dword ptr ds:[<&KERNEL32.VirtualAll>; kernel32.VirtualAlloc (reserves or commits a region of pages in the virtual address space of the calling process)
0012FE7C 00A60000 |Address = 00A60000
0012FE80 00008000 |Size = 8000 (32768.)
0012FE84 00001000 |AllocationType = MEM_COMMIT
0012FE88 00000004 \Protect = PAGE_READWRITE ; the size, address and so on changed above
0042A7AF FF15 0CD14200 call dword ptr ds:[<&KERNEL32.GetStartup>; kernel32.GetStartupInfoA (gets the information the process was created with)
0042A8AE FF15 CCD04200 call dword ptr ds:[<&KERNEL32.GetStdHand>; kernel32.GetStdHandle
0042A8BC FF15 C8D04200 call dword ptr ds:[<&KERNEL32.GetFileTyp>; kernel32.GetFileType (gets the system file type)
0042A8F3 FF15 D0D04200 call dword ptr ds:[<&KERNEL32.SetHandleC>; kernel32.SetHandleCount (can get the memory address of a variable) ; gets information about the system files
00429EDD E8 42070000 call VideoPlu.0042A624 ; F7
0042A62D 8B2D D4D04200 mov ebp,dword ptr ds:[<&KERNEL32.GetEnvi>; kernel32.GetEnvironmentStringsW (gets the environment variables of the current process)
0042A6A2 8B3D DCD04200 mov edi,dword ptr ds:[<&KERNEL32.WideCha>; kernel32.WideCharToMultiByte (produces the new string)
0042A6B3 894424 34 mov dword ptr ss:[esp+0x34],eax ; uses the new string
eax=000003F0
Stack ss:[0012FF44]=7C92F641 (ntdll.7C92F641)
0042A6DD /75 0E jnz short VideoPlu.0042A6ED ; not taken
0042A6E3 E8 29F9FFFF call VideoPlu.0042A011 ; F7, nothing useful, return
0042A01B E8 D50C0000 call VideoPlu.0042ACF5 ; F7, nothing useful, return (to 0042A6E3)
0042A6F2 FF15 E0D04200 call dword ptr ds:[<&KERNEL32.FreeEnviro>; kernel32.FreeEnvironmentStringsW ; frees the strings back to the module; return to 00429EDD and continue with F8
00429EE7 E8 EB040000 call VideoPlu.0042A3D7 ; F7
0042A3FA FF15 ECD04200 call dword ptr ds:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA (gets the module file information, which is loaded later)
00429F20 FF15 58D04200 call dword ptr ds:[<&KERNEL32.GetModuleH>; kernel32.GetModuleHandleA ; gets the module handle
0040288D FF15 A8D14200 call dword ptr ds:[<&USER32.LoadStringA>>; USER32.LoadStringA ; loads a string resource from the executable file associated with the specified module, copies it into a buffer and appends a terminating null character
004028C2 FF15 9CD04200 call dword ptr ds:[<&KERNEL32.GetSystemD>; kernel32.GetSystemDirectoryA ; gets the path of the system directory
004028EB FF15 44D14200 call dword ptr ds:[<&SHELL32.StrStrIA>] ; SHELL32.StrStrIA
0012FDF8 0012FE00 |String = "C:\WINDOWS\system32"
0012FDFC 00431BCC \Pattern = "win"
00402878 E8 F30F0000 call VideoPlu.00403870 ; F7
00403887 FF15 4CD14200 call dword ptr ds:[<&USER32.GetDesktopWi>; USER32.GetDesktopWindow (gets the desktop window)
004038B0 FF15 BCD14200 call dword ptr ds:[<&USER32.GetDC>] ; USER32.GetDC
004038BF FF15 24D04200 call dword ptr ds:[<&GDI32.GetDeviceCaps>; GDI32.GetDeviceCaps
004038D7 FF15 20D04200 call dword ptr ds:[<&GDI32.CreateCompati>; GDI32.CreateCompatibleBitmap
004028F3 /74 16 je short VideoPlu.0040290B ; jump taken
0040290F E8 C1000000 call VideoPlu.004029D5 ; F7
00402A0A FF15 9CD14200 call dword ptr ds:[<&USER32.LoadIconA>] ; USER32.LoadIconA ; loads the specified icon resource from the executable file associated with the application instance
00402A1A FF15 A0D14200 call dword ptr ds:[<&USER32.LoadCursorA>>; USER32.LoadCursorA ; loads the specified cursor resource from the executable file associated with the application instance
00402A4B FF15 A4D14200 call dword ptr ds:[<&USER32.RegisterClas>; USER32.RegisterClassExA ; this function registers a window class for later use in calls to CreateWindow and CreateWindowEx (registration); the calls above collect user information...
0040291F E8 31010000 call VideoPlu.00402A55 ; F7
00402A8A FF15 90D14200 call dword ptr ds:[<&USER32.CreateWindow>; USER32.CreateWindowExA
00429F30 E8 38010000 call VideoPlu.0042A06D ; F7
0042A075 E8 15000000 call VideoPlu.0042A08F
0042A099 /75 11 jnz short VideoPlu.0042A0AC
0042A09F FF15 F4D04200 call dword ptr ds:[<&KERNEL32.GetCurrent>; kernel32.GetCurrentProcess ; gets a pseudo-handle for the current process
0042A0A6 FF15 F8D04200 call dword ptr ds:[<&KERNEL32.TerminateP>; kernel32.TerminateProcess ; terminates a process
0042A120 FF15 34D04200 call dword ptr ds:[<&KERNEL32.ExitProces>; kernel32.ExitProcess ; exit
Summary:
The virus gets the version number of the current system. It directly gets C:\Documents and Settings\Administrator, then gets the user's information, including the desktop icon resources, and infects those icons.
The RegisterClassExA function registers a window class for use in CreateWindowEx, and within the process it gets process information, kills the system process and creates an identical process of its own.
(PS: I don't really know some of these functions, so I can't explain them very clearly.)
This seems to be a file-infecting virus. I only did a simple analysis, so experts please go easy on me; pointers are welcome.
By 疯狂的小鬼
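As an added example (not from the post above), a small Python parser for OllyDbg trace lines in the format pasted in the post: it pulls the resolved API name out of each `call` line, attaches the argument-pane lines (`|Name = value`, `\Name = value`) that follow it, and groups the calls into behaviour tags for triage. The sample lines are copied from the post's own listing; the tag names are my own labels.

```python
import re

# Constructed sample in the OllyDbg trace format pasted in the post above (addresses and
# values are the post's own); a call line is followed by its argument-pane lines.
TRACE = r"""
0042B3CA FF15 24D14200 call dword ptr ds:[<&KERNEL32.VirtualAll>; kernel32.VirtualAlloc
0012FE90 00100000 |Size = 100000 (1048576.)
0012FE94 00002000 |AllocationType = MEM_RESERVE
0012FE98 00000004 \Protect = PAGE_READWRITE
004028C2 FF15 9CD04200 call dword ptr ds:[<&KERNEL32.GetSystemD>; kernel32.GetSystemDirectoryA
004028EB FF15 44D14200 call dword ptr ds:[<&SHELL32.StrStrIA>] ; SHELL32.StrStrIA
0012FDF8 0012FE00 |String = "C:\WINDOWS\system32"
0012FDFC 00431BCC \Pattern = "win"
00402A4B FF15 A4D14200 call dword ptr ds:[<&USER32.RegisterClas>; USER32.RegisterClassExA
0042A0A6 FF15 F8D04200 call dword ptr ds:[<&KERNEL32.TerminateP>; kernel32.TerminateProcess
"""

# Call line: address, opcode bytes, "call ...", then OD's "; dll.Api" resolution comment.
CALL_RE = re.compile(r"^(?P<addr>[0-9A-F]{8})\s.*\bcall\b.*;\s*(?P<dll>\w+)\.(?P<api>\w+)", re.I)
# Argument-pane line: stack address, raw value, then "|Name = value" or "\Name = value".
ARG_RE = re.compile(r"^[0-9A-F]{8}\s+[0-9A-F]{8}\s+[|\\](?P<name>\w+)\s*=\s*(?P<val>.*)$")

# Behaviour tags are my own triage labels (hypothetical), not something from the post.
TAGS = {"virtualalloc": "memory-alloc", "getsystemdirectorya": "path-discovery",
        "strstria": "string-match", "registerclassexa": "gui-window",
        "createwindowexa": "gui-window", "terminateprocess": "process-kill"}

def parse_trace(text):
    """Return the API calls in trace order; argument-pane lines are attached to the
    call that precedes them as a name -> value dict."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            api = m.group("api")
            calls.append({"addr": m.group("addr"), "dll": m.group("dll").lower(), "api": api,
                          "args": {}, "tag": TAGS.get(api.lower(), "untagged")})
            continue
        a = ARG_RE.match(line)
        if a and calls:  # the pane describes the most recent call's arguments
            calls[-1]["args"][a.group("name")] = a.group("val").strip()
    return calls

def behaviour_profile(calls):
    """Group API names by behaviour tag so the trace reads as a capability list."""
    profile = {}
    for c in calls:
        profile.setdefault(c["tag"], []).append(c["api"])
    return profile
```

Running `behaviour_profile(parse_trace(TRACE))` on the full listing from the post gives the same capability list the summary describes (system-directory check, window registration, process termination), with the arguments of each VirtualAlloc and StrStrIA kept alongside the call.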