在分析的过程中可以发现,这个组件和前面分析的一个组件在大的框架下表现是一样的:它们都有一个贯穿整个过程的解密函数,同时都使用资源来装载“材料”——数据和程序。
寻找资源的代码
FindResourceA(hModule,lpName,lpType);
// lpName: per the author's analysis it takes the values 1, 2 or 4 — 1 or 2 locate a data blob,
// 4 locates a DLL that is then dropped to disk.
// lpType = "BINRES" ("binary resource"): a custom string resource type, not one of the
// predefined integer RT_* types.
// NOTE(review): FindResourceA only yields an HRSRC; the LoadResource/LockResource step that
// exposes the bytes is not shown in this excerpt.
接下来是解密函数。这个函数有一处值得注意的地方:每异或完一个字节,它都会重新对缓冲区做一次 strlen,并用新的长度作为循环上界。因此它实际上是对以 0 结尾的缓冲区做原地的单字节异或;密文中恰好等于密钥的那个字节会被解成 0,解码会在此处提前结束。
; Decryption — in-place single-byte XOR decode of a NUL-terminated buffer.
; Disassembly listing (IDA naming, 32-bit x86, Intel syntax). Two stack
; arguments; caller cleans the stack (plain retn). Preserves esi/edi/ebp;
; clobbers eax, ecx, edx and flags. eax holds the last strlen result on
; exit (not a meaningful return value).
;
; Behaviour established by the code below:
;   - len = strlen(buf) via the scan at loc_40420a; an empty buffer is left
;     untouched.
;   - for ecx = 0, 1, ...: buf[ecx] ^= key, then strlen(buf) is recomputed
;     on the partially decoded buffer and the loop continues while
;     ecx < strlen(buf). A ciphertext byte equal to the key therefore decodes
;     to 0x00 and terminates the decode early; the rescan also makes the
;     routine O(n^2) in the buffer length.
;   - A fixed single-byte XOR key (0x3c or 0x7f per the author's note) is
;     obfuscation, not encryption: the strings can be recovered offline by
;     trying all 256 keys (e.g. a YARA `xor` modifier) without running the
;     sample.
Decryption proc near
arg_0 =dword ptr 8 ;[ebp+8]: pointer to the NUL-terminated buffer to decode (modified in place)
arg_4 =byte ptr 0xh ;XOR key; listing shows "0xh", presumably [ebp+0Ch] (second dword argument) — verify against the original disassembly. Observed values: 0x3c (most callers) and 0x7f
push ebp
mov ebp,esp
push ecx ;reserves one dword of local space (never popped; discarded by leave)
push esi
push edi
mov edi,[ebp+arg_0] ;edi = buf
mov eax,edi
xor ecx,ecx ;ecx = index of the byte being decoded, starts at 0
lea esi,[eax+1] ;esi = buf + 1, used to turn the end pointer into a length
loc_40420a: ;inline strlen: advance eax to one past the NUL terminator
mov dl,[eax]
inc eax
test dl,dl
jnz short loc_40420a ;not NUL yet, keep scanning
sub eax,esi ;eax = strlen(buf)
jz short loc_40422e ;empty buffer: nothing to decode
loc_404215:
mov al,[ebp+arg_4] ;al = key
xor [ecx+edi],al ;buf[ecx] ^= key
mov eax,edi
inc ecx
lea esi,[eax+1] ;prepare for the next strlen scan
loc_404221: ;strlen(buf) again, on the partially decoded buffer
mov dl,[eax]
inc eax
test dl,dl
jnz short loc_404221 ;scan to the (possibly new, shorter) NUL terminator
sub eax,esi ;eax = current strlen(buf)
cmp ecx,eax ;done once the index reaches the current length
jb short loc_404215 ;ecx < len (unsigned): decode the next byte
loc_40422e:
pop edi
pop esi
leave ;mov esp,ebp / pop ebp — also drops the pushed ecx slot
retn
Decryption endp
解密后的一些数据(以下字符串按分析时看到的原样抄录,其中有些与正式名称不一致,例如 HttpSendequestA、Pameters、Securityuroviders;在作为检测特征或 IOC 使用之前,应在样本中重新核对)
(1){77032DAA-B7F2-101B-A1F0-01C29183BCA1}
(2)008.002.001.004
(3)ee.dll
(4)HKLM\Software\Agnitum\Outpost Firewall\;
(5)HKLM\Software\PWI, Inc.\;
(6)HKLM\Software\Network Ice\BlackInce\;
(7)HKLM\Software\Data Fellows\F-Secure\;
(8)HKLM\Software\S.NSafe&Software\;
(9)HKLM\Software\PCTools\ThreadFire\;
(10)HKLM\Software\ProSecurity\;
(11)HKLM\Software\Diamond Computer System\;
(12)HKLM\Software\GentleSecurity\GeSWall\;
(13)HKLM\Software\Avira\;
(14)HKLM\Software\360Safe\;(360Safe的认可度还是蛮高的:)
(15)HKLM\Software\BitDefender\BitDefender Total Security 2010\;
(16)HKLM\Software\BitDefender\BitDefender Total Security 2009\;
BFE_Notify_Event_{1C44EB9C-6C6E-4f31-9216-6C61424AF2C3}
ee.dll
actxprxy.dll
Software\Microsoft\Windows\CurrentVersion\Internet Settings
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
ProxyServer
MiscStatus
{%08X-%04X-%04X-%08X%04X}
SOFTWARE
{77032DAA-B7F2-101B-A1F01C29183BCA1}
ee.dll
CLSID\{B8DA6310-E19B-11D0-933C-00A0C90DCAA9}\InProcServer32
actxprxy32.dll
actxprxyserv.dll
CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
avp.exe
svchost.exe
C:\WINDOWS\SYSTEM\Shell32.dll
%SystemRoot%\\system32\\shell32.dll
System\CurrentControlSet\Control\SessionManager\KnownDLLs
LINKINFODLL
SOFTWARE\Classes\CLSID\{FAEDCF53-31FE-11D1-AAD2-00805FC1270E}\InProcServer32
netshell.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
midimapper
midimap.dll
SYSTEM\CurrentControlSet\Set\Services\Tcpip\Pameters\Winsock
HelperDllNName
wshtcpip.dll
SYSTEM\CurrentControlSet\Control\SecurityProviders
Securityuroviders
credssp.dll
%SystemRoot%\system32\
{28987EBA-B226-49bd-9862-3645348E0027}
SOFTWAREMicrosoftWindows1
SYSTEM\CurrentControlSet\Set\Services\VxD\VREGSTR
SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Common
(on reboot)
msscd16
.sys
System
m5;'
NUL=
\wininit.ini
[rename]
wininet.dll
InternetConnectA
InternetOpenA
HttpOpenRequestA
HttpSendequestA
HttpQueryInfoA
InternetReadFile
InternetCloseHandle
InternetGetConnectedState
InternetSetOptionA
InternetQueryOptionA
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; S1)
Mozilla/4.0 (compatible; MSIE
SOFTWARE\Microsoft\Internet Explorer\Version Vector
IE
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Usesr Agent\Post Platform
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post
Platform
Win32
Windows 98
Windows NT 5.0
Windows NT 5.1
Windows NT 5.2
Windows NT 6.0
Windows NT 6.1
EIag: 0d1975bf%x9c:eac
POST
GET
Default.aspx?
index.jsp?
index.asp?
Default.jsp?
index.aspx?
TypeLib
Version
{%8c-%4c-%4c-%4c-%12c}
%16I64x%16I64x
{%08X-%04X-%04X-%04X-%08X%04X}
%d.%d.%d.%d
dll_u
Direct connect
Unable to determine connection type
000:%s 0001:
iphlpapi.dll
GetAdaptersInfo
0.0.0.0
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
SOFTWARE\Microsoft\Windows\CurrentVersion\
RegisteredOwner
RegisteredOrganization
CSDVersion CurrentBuildNumber
VersionNumber
CurrentVersion
uroductID
32-bit OS Archtecture
64-bit OS Archtecture
SYSTEM\\CurrentControlSet\\Control\\ProductOptions
ProductType
WINNT
LANMANNT
SERVRNT
DigitalProductId
msregstr
EnumProcessModules
GetModuleBaseNameA
unknown
kernel32
CreateToolhelp32Snapshot
Process32First
Process32Next
psapi
EnumProcesses
Software\Microsoft\Windows\CurrentVersion\RunOnce