簡單小木馬脫殼

一個小木馬脫殼請虛擬機下調試相關文件見附件未知殼相當簡單但是典型有stolen code和overlay 只是練習脫殼所以沒有分析木馬
初次實戰一路F8
載入：
00410336 > $ 57 PUSH EDI
00410337 . 8BFC MOV EDI,ESP
00410339 . 83EC 26 SUB ESP,26
0041033C . C74424 0E 000>MOV DWORD PTR SS:[ESP+E],0
00410344 > C74424 06 FB6>MOV DWORD PTR SS:[ESP+6],DC8A65FB ;解密key
0041034C . C74424 02 000>MOV DWORD PTR SS:[ESP+2],0
00410354 . BE D5034100 MOV ESI,1.004103D5 ;解密起始地址
00410359 . 897424 12 MOV DWORD PTR SS:[ESP+12],ESI
0041035D > EB 00 JMP SHORT 1.0041035F
0041035F > BE 7A210000 MOV ESI,217A
00410364 . 03F7 ADD ESI,EDI
00410366 . 2BF4 SUB ESI,ESP ;esi + esp + (esp-26h) = esi + 26h
00410368 . 397424 0E CMP DWORD PTR SS:[ESP+E],ESI ;[esp+e]計數器
0041036C . 74 02 JE SHORT 1.00410370
0041036E . EB 0C JMP SHORT 1.0041037C
00410370 > 8B7424 12 MOV ESI,DWORD PTR SS:[ESP+12] ;[esp+e] == esi時纔開始解密
00410374 . 8A6424 06 MOV AH,BYTE PTR SS:[ESP+6]
00410378 . 2826 SUB BYTE PTR DS:[ESI],AH
0041037A . EB 00 JMP SHORT 1.0041037C
0041037C > 834424 12 01 ADD DWORD PTR SS:[ESP+12],1
00410381 . C16C24 06 02 SHR DWORD PTR SS:[ESP+6],2
00410386 . C16C24 06 02 SHR DWORD PTR SS:[ESP+6],2
0041038B . C16C24 06 02 SHR DWORD PTR SS:[ESP+6],2
00410390 . C16C24 06 02 SHR DWORD PTR SS:[ESP+6],2 ;右移8位即右移一個字節
00410395 . 834424 02 01 ADD DWORD PTR SS:[ESP+2],1
0041039A . 837C24 02 04 CMP DWORD PTR SS:[ESP+2],4
0041039F . 75 10 JNZ SHORT 1.004103B1
004103A1 . C74424 06 FB6>MOV DWORD PTR SS:[ESP+6],DC8A65FB
004103A9 . C74424 02 000>MOV DWORD PTR SS:[ESP+2],0
004103B1 > BE 98064100 MOV ESI,1.00410698 ;解密終止地址
004103B6 . 397424 12 CMP DWORD PTR SS:[ESP+12],ESI
004103BA .^ 72 A1 JB SHORT 1.0041035D
004103BC . FF4424 0E INC DWORD PTR SS:[ESP+E]
004103C0 . 817C24 0E 332>CMP DWORD PTR SS:[ESP+E],2333
004103C8 .^ 0F86 76FFFFFF JBE 1.00410344
//整個解密過程簡單但是干擾性極大 [esp+e]爲21A0時解密纔開始解密過程的key爲DC8A65FB 變換過程循環右移一個字節
00410407 |. 33C0 XOR EAX,EAX
00410409 |. 8B0424 MOV EAX,DWORD PTR SS:[ESP] ;kernel裏的一個地址送eax
0041040C |. 66:33C0 XOR AX,AX
0041040F |. 68 FFFF0000 PUSH 0FFFF ;函數名HASH值入棧
00410414 |. 68 B674755D PUSH 5D7574B6 ;GetProcAddress
00410419 |. 68 2207E471 PUSH 71E40722 ;LoadLibraryA
0041041E |. 68 80EFF815 PUSH 15F8EF80 ;VirtualProtect
00410423 |. 68 EC5863D6 PUSH D66358EC ;ExitProcess
00410428 |. 8BFC MOV EDI,ESP ;EDI 用來定位堆棧
0041042A |> 66:8138 4D5A /CMP WORD PTR DS:[EAX],5A4D ;PE
0041042F |. 75 13 |JNZ SHORT 1.00410444
00410431 |. 8B50 3C |MOV EDX,DWORD PTR DS:[EAX+3C]
00410434 |. 81FA 00100000 |CMP EDX,1000
0041043A |. 77 08 |JA SHORT 1.00410444
0041043C |. 66:813C10 504>|CMP WORD PTR DS:[EAX+EDX],4550 ;MZ
00410442 |. 74 07 |JE SHORT 1.0041044B
00410444 |> 2D 00000100 |SUB EAX,10000 ; UNICODE "ALLUSERSPROFILE=C:/Documents and Settings/All Users"
00410449 |.^ EB DF /JMP SHORT 1.0041042A
//尋找kernel 基址
0041044B |> /50 PUSH EAX ; kernel32.7C800000
0041044C |. 8B7410 78 MOV ESI,DWORD PTR DS:[EAX+EDX+78] ; 定位到DataDirectory[0].VirtualAddress
00410450 |. 03F0 ADD ESI,EAX ; 定位到導出表
00410452 |. 83C6 18 ADD ESI,18 ;IMAGE_EXPORT_DIRECTORY.NumberOfNames
00410455 |. 93 XCHG EAX,EBX
00410456 |. AD LODS DWORD PTR DS:[ESI]
00410457 |. 50 PUSH EAX ;IMAGE_EXPORT_DIRECTORY.NumberOfNames入棧
00410458 |. AD LODS DWORD PTR DS:[ESI]
00410459 |. 50 PUSH EAX ;IMAGE_EXPORT_DIRECTORY.AddressOfFunctions入棧
0041045A |. AD LODS DWORD PTR DS:[ESI]
0041045B |. 50 PUSH EAX ;IMAGE_EXPORT_DIRECTORY.AddressOfNames入棧
0041045C |. 03C3 ADD EAX,EBX
0041045E |. 50 PUSH EAX ;IMAGE_EXPORT_DIRECTORY.AddressOfNames+ImageBase入棧
0041045F |. AD LODS DWORD PTR DS:[ESI]
00410460 |. 50 PUSH EAX ;IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals入棧
00410461 |. 8BEC MOV EBP,ESP ;EBP指向IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals
00410463 |> 8B4D 10 /MOV ECX,DWORD PTR SS:[EBP+10] ;IMAGE_EXPORT_DIRECTORY.NumberOfNames
00410466 |. 33D2 |XOR EDX,EDX
00410468 |> 8B75 04 |/MOV ESI,DWORD PTR SS:[EBP+4] ;IMAGE_EXPORT_DIRECTORY.AddressOfNames+ImageBase
0041046B |. 8B36 ||MOV ESI,DWORD PTR DS:[ESI] ;ESI 爲函數名的起始地址RVA
0041046D |. 03F3 ||ADD ESI,EBX ;得到函數名地址VA
0041046F |. 33C0 ||XOR EAX,EAX
00410471 |. 50 ||PUSH EAX
00410472 |> C1C8 07 ||/ROR EAX,7
00410475 |. 310424 |||XOR DWORD PTR SS:[ESP],EAX
00410478 |. AC |||LODS BYTE PTR DS:[ESI]
00410479 |. 84C0 |||TEST AL,AL
0041047B |.^ 75 F5 ||/JNZ SHORT 1.00410472 ;函數名HASH
0041047D |. 58 ||POP EAX
0041047E |. 57 ||PUSH EDI
0041047F |> 813F FFFF0000 ||/CMP DWORD PTR DS:[EDI],0FFFF ;函數是否地址都找到找到就跳
00410485 |. 74 09 |||JE SHORT 1.00410490
00410487 |. 3B07 |||CMP EAX,DWORD PTR DS:[EDI] ;比較函數名HASH值
00410489 |. 74 0F |||JE SHORT 1.0041049A
0041048B |. 83C7 04 |||ADD EDI,4
0041048E |.^ EB EF ||/JMP SHORT 1.0041047F
00410490 |> 5F ||POP EDI
00410491 |. 8345 04 04 ||ADD DWORD PTR SS:[EBP+4],4 ;移到下一個函數名起始地址
00410495 |. 42 ||INC EDX
00410496 |.^ E2 D0 |/LOOPD SHORT 1.00410468
00410498 |. EB 2C |JMP SHORT 1.004104C6
0041049A |> D1E2 |SHL EDX,1
0041049C |. 8B4D 00 |MOV ECX,DWORD PTR SS:[EBP] ;IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals
0041049F |. 03CB |ADD ECX,EBX ;IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals+IMAGEBASE
004104A1 |. 03CA |ADD ECX,EDX ;得到特定函數序號地址
004104A3 |. 8B09 |MOV ECX,DWORD PTR DS:[ECX] ;得到函數序號
004104A5 |. 81E1 FFFF0000 |AND ECX,0FFFF
004104AB |. 8B55 0C |MOV EDX,DWORD PTR SS:[EBP+C] ;IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
004104AE |. 03D3 |ADD EDX,EBX ;IMAGE_EXPORT_DIRECTORY.AddressOfFunctions+IAMGEBASE
004104B0 |. C1E1 02 |SHL ECX,2
004104B3 |. 03D1 |ADD EDX,ECX
004104B5 |. 8B12 |MOV EDX,DWORD PTR DS:[EDX]
004104B7 |. 03D3 |ADD EDX,EBX ;得到函數VA
004104B9 |. 8917 |MOV DWORD PTR DS:[EDI],EDX ;存放函數地址
004104BB |. 8B4D 08 |MOV ECX,DWORD PTR SS:[EBP+8]
004104BE |. 03CB |ADD ECX,EBX
004104C0 |. 894D 04 |MOV DWORD PTR SS:[EBP+4],ECX
004104C3 |. 5F |POP EDI
004104C4 |.^ EB 9D /JMP SHORT 1.00410463
//想起failwest的shellcode。。。。。
004104C6 |> /83EF 04 SUB EDI,4
004104C9 |. 8BE7 MOV ESP,EDI
004104CB |. 8B5C24 08 MOV EBX,DWORD PTR SS:[ESP+8]
004104CF |. 8BFC MOV EDI,ESP
004104D1 |. 83EF 04 SUB EDI,4
004104D4 |. 57 PUSH EDI
004104D5 |. 6A 40 PUSH 40 ;PAGE_EXECUTE_READWRITE
004104D7 |. 68 00100000 PUSH 1000
004104DC |. 68 00004000 PUSH 1.00400000
004104E1 |. FFD3 CALL EBX ; VirtualProtect修改PE頭屬性爲可讀可寫可執行
004104E3 |. BF 00004000 MOV EDI,1.00400000 ;IMAGEBASE
004104E8 |. 037F 3C ADD EDI,DWORD PTR DS:[EDI+3C] ;IMAGE_NT_HEADER
004104EB |. C787 A0000000>MOV DWORD PTR DS:[EDI+A0],12000 ;重定位表IMAGE_DIRECTORY_ENTRY_BASERELOC.VirtualAddress
004104F5 |. C787 A4000000>MOV DWORD PTR DS:[EDI+A4],11E4 ;IMAGE_DIRECTORY_ENTRY_BASERELOC.Size
004104FF |. C787 80000000>MOV DWORD PTR DS:[EDI+80],0 ;IMAGE_DIRECTORY_ENTRY_IMPORT.VirtualAddress清空了導入表偏移
00410509 |. C787 84000000>MOV DWORD PTR DS:[EDI+84],0 ;IMAGE_DIRECTORY_ENTRY_IMPORT.Size
00410513 |. 8BD7 MOV EDX,EDI ;IMAGE_NT_HEADER
00410515 |. 83C2 18 ADD EDX,18 ;IMAGE_OPTIONAL_HEADER32
00410518 |. 33C9 XOR ECX,ECX
0041051A |. 66:8B4F 14 MOV CX,WORD PTR DS:[EDI+14] ;SizeOfOptionalHeader
0041051E |. 03D1 ADD EDX,ECX ;定位到節表IMAGE_SECTION_HEADER
00410520 |. 33C9 XOR ECX,ECX
00410522 |> 8B72 0C /MOV ESI,DWORD PTR DS:[EDX+C] ;IMAGE_SECTION_HEADER.VirtualAddress
00410525 |. 81C6 00004000 |ADD ESI,1.00400000 ;IMAGE_SECTION_HEADER.VirtualAddress+IMAGEBASE
0041052B |. 60 |PUSHAD
0041052C |. 8BFC |MOV EDI,ESP
0041052E |. 83EF 04 |SUB EDI,4
00410531 |. 57 |PUSH EDI
00410532 |. 6A 40 |PUSH 40
00410534 |. FF72 08 |PUSH DWORD PTR DS:[EDX+8] ;IMAGE_SECTION_HEADER.VirtualSize
00410537 |. 56 |PUSH ESI
00410538 |. FFD3 |CALL EBX ;VirtualProtect
0041053A |. 61 |POPAD
0041053B |. 83C2 28 |ADD EDX,28
0041053E |. 41 |INC ECX
0041053F |. 81F9 03000000 |CMP ECX,3
00410545 |.^ 72 DB /JB SHORT 1.00410522 ;將PE文件前3個節屬性變爲可讀可寫可執行
00410547 |. 83EA 28 SUB EDX,28 ;定位到第3個節的節表
0041054A |. 8B42 0C MOV EAX,DWORD PTR DS:[EDX+C] ;IMAGE_SECTION_HEADER.VirtualAddress
0041054D |. 0342 10 ADD EAX,DWORD PTR DS:[EDX+10] ;+ IMAGE_SECTION_HEADER.SizeOfRawData
00410550 |. 05 00004000 ADD EAX,1.00400000 ;定位到節空隙
00410555 |. 83C0 64 ADD EAX,64
00410558 |. 60 PUSHAD
00410559 |. 8BF8 MOV EDI,EAX
0041055B |. BE D5034100 MOV ESI,1.004103D5 ;首次解密的起始地址
00410560 |. B9 98064100 MOV ECX,1.00410698 ;首次解密的終止地址
00410565 |. 2BCE SUB ECX,ESI
00410567 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
;將殼代碼複製到節表間隙中去想寫插入型病毒的可以參考這裏怎樣定位的
00410569 |. 61 POPAD
0041056A |. 68 FB658ADC PUSH DC8A65FB
0041056F |. FFE0 JMP EAX ;跳
00413667 . B9 FB658ADC MOV ECX,DC8A65FB ;注意上面入棧的再看看這裏該殼有多種變形殼但是都是通過比較一個DWORD 來確定運行流程
0041366C . 3B0C24 CMP ECX,DWORD PTR SS:[ESP]
0041366F . 0F84 8B010000 JE 1.00413800 ;跳到殼的第二部分
00413675 . B8 00000000 MOV EAX,0
00413800 > /5E POP ESI
00413801 . 05 98064100 ADD EAX,1.00410698
00413806 . 2D D5034100 SUB EAX,1.004103D5 ;重定位殼代碼的結束地址
0041380B . 8BD8 MOV EBX,EAX
0041380D . 33C0 XOR EAX,EAX
0041380F . B8 03000000 MOV EAX,3
00413814 . 48 DEC EAX
00413815 . 6BC0 28 IMUL EAX,EAX,28
00413818 . 2BD0 SUB EDX,EAX ;定位到第1個節的IMAGE_SECTION_HEADER
0041381A . 33C9 XOR ECX,ECX
0041381C > 8B72 0C MOV ESI,DWORD PTR DS:[EDX+C] ;IMAGE_SECTION_HEADER[0].VirtualAddress
0041381F . 81C6 00004000 ADD ESI,1.00400000 ;+IMAGEBASE
00413825 . 33C0 XOR EAX,EAX
00413827 . 8A06 MOV AL,BYTE PTR DS:[ESI] ;每個節的開始都有一個結構
00413829 . 03F0 ADD ESI,EAX
0041382B . 60 PUSHAD
0041382C . 8BFB MOV EDI,EBX
0041382E . E8 1F000000 CALL 1.00413852 ;解壓CALL跟進去看看
{
00413852 /$ 60 PUSHAD
00413853 |. BB D218CF1F MOV EBX,1FCF18D2
00413858 |. B9 00000000 MOV ECX,0
0041385D |. BA 00000000 MOV EDX,0
00413862 |> 281E /SUB BYTE PTR DS:[ESI],BL
00413864 |. C1EB 08 |SHR EBX,8
00413867 |. 41 |INC ECX
00413868 |. 83F9 04 |CMP ECX,4
0041386B |. 75 0A |JNZ SHORT 1.00413877
0041386D |. BB D218CF1F |MOV EBX,1FCF18D2
00413872 |. B9 00000000 |MOV ECX,0
00413877 |> 46 |INC ESI
00413878 |. 42 |INC EDX
00413879 |. 83FA 08 |CMP EDX,8
0041387C |.^ 7C E4 |JL SHORT 1.00413862
0041387E |. 7F 05 |JG SHORT 1.00413885 ;EDX爲8時才解密
00413880 |. 8B46 FC |MOV EAX,DWORD PTR DS:[ESI-4] ;解密後的[ESI-4]代表需解壓的代碼終止地址
00413883 |. 03C6 |ADD EAX,ESI
00413885 |> 3BF0 |CMP ESI,EAX
00413887 |.^ 7C D9 /JL SHORT 1.00413862
00413889 |. 61 POPAD
//下面是解壓過程代碼不貼了
}
每個節的第1個字節代表需解密的代碼在節中偏移，解密後的代碼的第2個DWORD值代表需解壓的代碼的大小
導入表在第3個節中第3次解壓將導入表破壞
00413833 . 8B0E MOV ECX,DWORD PTR DS:[ESI]
00413835 . 8BFE MOV EDI,ESI
00413837 . 2BF8 SUB EDI,EAX
00413839 . 8BF3 MOV ESI,EBX
0041383B . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI];將解壓後的代碼複製回原地
0041383D . 61 POPAD
0041383E . 83C2 28 ADD EDX,28
00413841 . 41 INC ECX
00413842 . 81F9 03000000 CMP ECX,3
00413848 .^ 72 D2 JB SHORT 1.0041381C ;循環解壓3個節
0041384A . B8 2D704000 MOV EAX,1.0040702D
0041384F . FFD0 CALL EAX ;進入OEP
00413851 . C3 RETN
簡便方法：該殼在最後解壓3個節並破壞原IAT 所以在原IAT 下硬件寫入斷點就可停在0041383B 往下再走幾步就到
OEP了
修復IAT:整個殼雖然清0了導入表偏移並破壞了導入表結構但是該導入表是僞導入表無論是殼還是木馬本身都跟該導入表中函數無關 dump後 importfix 檢測到導入表但是無導入函數直接運行後錯誤所以仔細跟了下是堆棧引起的寫了個腳本修復了下運行後 dump 可以直接運行
腳本:
var iataddress
var mem
var xxx
var org_esp
var oep
var yyy
gmi eip, IDATATABLE
mov iataddress, $RESULT
bphws iataddress, "w"
run
bphwcall
findop eip, #ffd0#
bp $RESULT
run
bc eip
sti
msg "到達oep,開始修補堆棧,修補後會改變OEP"
mov oep, eip
alloc 1000
mov mem, $RESULT
mov xxx, mem
mov org_esp, esp
@continue:
add esp, 4
cmp [esp], 0000ffff
jnz @continue
@next:
mov [xxx], #68#,1
inc xxx
mov [xxx], [esp]
sub esp,4
add xxx,4
cmp esp, org_esp
jae @next
mov [xxx], #ff25#, 2
add xxx, 2
mov [xxx], iataddress
add xxx, 4
sub xxx, mem
mov [iataddress], oep
add iataddress, 4
mov eip, iataddress
mov yyy, mem
@orz:
cmp xxx, 0
je @exit
mov [iataddress], [yyy], 1
inc iataddress
inc yyy
dec xxx
jmp @orz
@exit:
msg "修補完成,可以dump"
free mem
ret
overlay處理:直接把原文件的overlay貼到脫殼後的文件末尾就可以了
注意下:
1：我的虛擬機裏XP版本過老木馬運行後系統崩潰
可能是XP版本問題，換了個新版本的XP 運行正常但是因爲新版本的XP 沒有弄測試
環境所以不能肯定
2：在某個系統下調試就不要換其它系統，修復堆棧裏存放的函數地址是直接從堆棧中讀取的而不是自己寫動態獲取過程得到的所以肯定不能跨系統版本運行腳本運行過程中會有個斷點下在數據段的警告確定就可以了
3：木馬有危險，切記虛擬機下調試稍微看了下沒有新技術以後有時間再仔細分析字符串都是加密的不停的拷貝自身。。
附件下載：http://bbs.pediy.com/showthread.php?t=79532

簡單小木馬脫殼

autoit 修復

bones腳本篇 - 實現一個簡單的列表

代碼注入 API HOOK(非DLL)

靜態分析KiSystemService

老殼petite不完全分析

Mac下配置sublime實現LaTeX

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結