1、 6A FF -10041C08E 68 66666600 6666660041C093 68 88888800 888888 ; SE 处理程序安装0041C098 64:A1 0000000mov eax, dword ptr fs:00041C09E 50 eax0041C09F8925 00000 dword ptr fs:0, esp0041C0A6 58 pop0041C0A7A3 00000000, eax0041C0AD 90 nop0041C0AE 72 0C jb short 0041C0BC0041C0B0 73 0A jnb0041C0B2 0041C0B30041C0
2、B40041C0B50041C0B6 72 10 short 0041C0C80041C0B8 73 0E0041C0BA 0000 add byte ptr eax, al0041C0BC0041C0BD0041C0BE0041C0BF0041C0C0 . 72 F0 short 0041C0B20041C0C2 . 73 EE0041C0C40041C0C60041C0C80041C0C90041C0CA0041C0CB0041C0CC0041C0CD0041C0CE 83C4 01 esp, 10041C0D10041C0D20041C0D30041C0D4 83C4 FF esp, -
3、10041C0D70041C0D8 . 0F82 76D8FEFF jb 004099540041C0DE . 0F83 70D8FEFF jnb 最后 2 句（jb 00409954 / jnb 00409954）玩过免杀的人都知道：两个条件互补，无论 CF 取何值都会跳转，这 2 句合成的效果就是无条件 jmp 00409954。我们到 00409954 看看：00409954 / /5500409955 |. |8BEC00409957 |. |B9 0E000000 ecx, 0E0040995C | |6A 00 /push 00040995E |. |6A 00 |push00409960 |. |49 |dec ecx00409961 |.|75 F9 jnz short 0040995C这个头
4、好点熟悉啊，玩破解的人应该知道这是什么语言的 OEP 了吧？！我们在 00409954 按 F4，dump 出来查壳：Borland Delphi 6.0 - 7.0，成功脱壳去花了。下面就来简单分析这个病毒的工作原理吧。为了安全起见，我推荐在虚拟机或者影子系统上分析；我机子配置比较差，只好直接分析了（一不小心运行就……）。不过为了安全，我们还是对关键的函数下断点：对 CreateFile、CopyFile、DeleteFile 这些文件操作的函数下断，最好还打开文件监控和注册表监控的软件。如果 API 不熟悉的话，可以用这个软件：LiquidX 函数查询宝典 V2.0 Pro 下载地址 。我在这里就直接右键，
5、查找, 所以参考文本字符串可以看到一堆的字符串了然后双击一些关键的字符串进去简单分析分析算了比如分析一下这里:文本字串参考位于 d2:, 条目 557地址=00408A6A反汇编=mov ecx, 00408B40文本字串=ASCII AutoRun.inf双击来到下面函数:004089F0 /$004089F1 |.004089F3 83C4 D0 esp, -30004089F6 53 ebx004089F7 56 esi004089F8 57 edi004089F9 33C0 xor eax, eax 初始化一些局部变量004089FB 8945 D0 dword ptr ebp-30,
6、 eax004089FE 8945 D4 dword ptr ebp-2C, eax00408A01 8945 FC dword ptr ebp-4, eax00408A04 8945 F8 dword ptr ebp-8, eax00408A07 8945 F4 dword ptr ebp-C, eax00408A0A 8945 F0 dword ptr ebp-10, eax00408A0D eax, eax00408A0F00408A10 68 F58A4000 00408AF500408A15FF30eax00408A188920eax, esp00408A1B BE 048B4000
7、 esi, 00408B04 ASCII DEFGHIJKLMNOPQRSTUVWXYZ; 看样子是想遍历所有磁盘了 C盘肯定是系统盘,所以不用遍历00408A20 8D7D D9 lea edi, dword ptr ebp-2700408A23 B9 05000000 ecx, 500408A28 F3:A5 rep movs dword ptr es:edi, dword ptr esi00408A2A 66: movs word ptr es:edi, word ptr esi00408A2C A4 byte ptr es:edi, byte ptr esi00408A2D 8D45
8、D4 eax, dword ptr ebp-2C00408A30 E8 63C1FFFF call 00404B9800408A35 8B55 D4 edx, dword ptr ebp-2C00408A38 8D45 F8 eax, dword ptr ebp-800408A3B B9 248B4000 ecx, 00408B24.exe00408A40 E8 2FACFFFF 0040367400408A45 BE 17000000 esi, 17 循环0x17次,23次,就是上面的字母数了00408A4A 8D5D D9 ebx, dword ptr ebp-2700408A4D 8D4
9、5 D0 /lea eax, dword ptr ebp-3000408A50 8A13 |mov dl, byte ptr ebx00408A52 E8 79ABFFFF |call 004035D000408A57 8B55 D0 edx, dword ptr ebp-3000408A5A 8D45 FC |lea eax, dword ptr ebp-400408A5D B9 348B4000 ecx, 00408B34:00408A62 E8 0DACFFFF00408A67 8D45 F4 eax, dword ptr ebp-C00408A6A B9 408B4000 ecx, 0
10、0408B4000408A6F 8B55 FC edx, dword ptr ebp-400408A72 E8 FDABFFFF00408A77 8D45 F0 eax, dword ptr ebp-1000408A7A 8B4D F8 ecx, dword ptr ebp-800408A7D00408A80 E8 EFABFFFF00408A85 8B45 FC00408A88 E8 9BADFFFF 0040382800408A8D eax /RootPathName00408A8E E8 E1B5FFFF GetDriveTypeA00408A9383F8 03 |cmp ax, 3 判
11、断是否为固定硬盘00408A97 75 30 |jnz short 00408AC9 不是的话就跳00408A99 6A 00 0 SetFileAttributes的参数,normal属性00408A9B 8B45 F400408A9E E8 85ADFFFF 00403828 跟进,发现是使eax指向0040382D00408AA3 8BF8 edi, eax |00408AA5 edi |FileName00408AA6 E8 69B6FFFFkernel32.SetFileAttributesA SetFileAttributesA00408AAB /FileName00408AAC
12、E8 9BB5FFFFkernel32.DeleteFileA DeleteFileA00408AB100408AB3 8B45 F000408AB6 E8 6DADFFFF00408ABB00408ABD00408ABE E8 51B6FFFF00408AC300408AC4 E8 83B5FFFF00408AC9 43 |inc00408ACA 4E00408ACB |. 75 80 short 00408A4D00408ACD00408ACF 5A edx00408AD0 5900408AD100408AD28910eax, edx00408AD5 68 FC8A4000 00408AF
13、C00408ADA00408ADD BA 02000000 edx, 200408AE2 E8 EDA9FFFF 004034D400408AE700408AEA BA 04000000 edx, 400408AEF E8 E0A9FFFF00408AF4 . C3 retn 这个函数简单看来好像是遍历 D～Z 各盘符，对 GetDriveTypeA 返回 3（固定硬盘）的磁盘，先把原来存在的 AutoRun.inf 以及 .exe 的属性置为 normal 再删掉，然后再放进它自己的 AutoRun.inf 和病毒 .exe（这里只看到删除，写入部分还需进一步确认）。还有其他功能可能要动态分析了，我们简单分析一下就够了，去下一个函数吧。就在刚才那个的下面，找到这个吧：条目 563地址=00408B8B eax, 00408E14Explorer.Exe双击来到下面:00408B4C00408B4D00408B4F B9 0A000000 ecx, 0A00408B5400408B5600408B58 49