2021-03-29

样本MD5:

 

1:找入口函数

1. 通过工具检测是mfc写的程序. Main函数是afxmain(),如下特征:

A: main函数之前, 会有GetStartupInfo()和GetCommadLine()或者GetModuleHandle()(带界面一般是后者,命令行前者).

B:四个参数, 一般会有连续几个push. 

C:main函数一般之后的几个函数会紧跟Exit()函数

      2.如图找到afxmain():

1.3入口函数应该是在afxmain函数内部,在afxmain中出现第一个用户函数:

步入后回到用户空间:发现前边几个是mfc的库函数,步过:直到401B3A这个位置为用户代码, 步入,发现是入口代码.

遇到的问题: 进入afxmain系统领空后,alt+F9并不能跳出来,要找到调用用户的代码跟进去才可以跳出来

 

2:分析用户代码:

         2.1主要行为之前准备工作:load dll,比较字符串wolf

 

 

 

2.2

 

         2.2.1         获取 explorer.exe pid,当eax 与ecx 都是explorer.exe时,将pid放入eax返回.

100027DF    E8 ACFDFFFF     call    10002590   (get explorer.exe pid)

2.2.2  获取该进程的父进程,在此返回的是od的pid

 

2.2.3复制自身

2.2.4创建服务

 

 

 

2.2.5移动自身到系统目录:

        

         2.2.6联网:

主要api:

2.2.6.1 wsastartup

2.2.6.2createEventA() eax返回事件句柄0x7C 

 

 

 

2.2.6.3 初始化socket   并且将event状态设置为true   传入的事件句柄刚好是刚才创建的0x7C

2.2.6.4  resetevent, 将event状态设置为false

 

2.2.6.5创建套接字;将ip222.211.72.21转化为相应的结构体,然后使用

 

 

 

2.2.6.6 设置端口2013  0x7DD  通过ws2_32.ntohs

2.2.6.7 联网  connect

 

2.2.7.1获取事件句柄,然后sleep(10*0x1F4)即 5000ms 继续connect  循环

 

 

待解决问题:

1.WaitForSingleobject()  应该用到了,但是没发现在哪调用的, api下断点还没尝试.

2.创建服务启动时会有异常,跳到了系统空间.不清楚原因,将创建服务的函数nop掉才分析后续. --1000247C    E8 5FFBFFFF     call    10001FE0             #########会出现异常,nop掉  接着分析下边

3.计算的延时时间是(10*0x1F4)即 5000ms,但是winsys检测的事每30s左右连一次网.

 

 

 

 

 

 

 

 

执行流程总结:

401A40--

              --401A66 -> 4019F0

              --401A70 -> 401180

              --401AA4 -> 10002670 call eax

 

100027DF->10002590

 

 

                            100027DF    E8 ACFDFFFF     call    10002590   (get explorer.exe pid)

                            100027E9    E8 F2FCFFFF     call    100024E0           (push 1.exe pid and get father process pid; return OD pid )

 

                            10002804    E8 F7FAFFFF     call    10002300

                                          --10002434    E8 A7F7FFFF     call    10001BE0 (push  ASCII "C:\Program Files\Arrange\NULL.jpg")

                                          --1000245E    FF15 44A10010   call    dword ptr [1000A144]             ; kernel32.CopyFileA()

                                                                      (ECX 0012F694 ASCII "C:\Program Files\Arrange\NULL.jpg"

                                                                       EDX 0012F798 ASCII "C:\Documents and Settings\Administrator\Desktop\Temp\1.exe")

                                          --1000247C    E8 5FFBFFFF     call    10001FE0                                                   #########会出现异常,nop掉  接着分析下边

                                                                      ("C:\Program Files\Arrange\NULL.jpg","Internet Connetion Sharing(ICS)","SharedAccess")

 

                                                        --1000207D    FF15 1CA00010   call    dword ptr [1000A01C]             ; ADVAPI32.CreateServiceA

                                                                      (|StartType = SERVICE_AUTO_START                     #系统启动时由服务控制管理器自动启动该服务程序)

                                          --10002484    E8 D7F6FFFF     call    10001B60                                    #MoveFileExA

                                          --10002325    E8 B6F7FFFF     call    10001AE0                                    connect ip 222.211.72.24

                                          --10001937    8D4424 18       lea     eax, dword ptr [esp+18]          ; wsastartup  createvent

 

                                                        --10002C3D    FF15 6CA20010   call    dword ptr [1000A26C]             ; WS2_32.WSAStartup

                                                        --10002C4B    FF15 0CA10010   call    dword ptr [1000A10C]             ; kernel32.CreateEventA

 

                                          --100019EE    E8 AD130000     call    10002DA0                         ; #reset event and wsa starup  main loop conneting

                                                        --10002DA7    E8 A4040000     call    10003250                         ; # init  setsocket  and setevent

                                                        --10002DB3    FF15 70A00010   call    dword ptr [1000A070]             ; kernel32.ResetEvent

                                                        --10002DC6    FF15 80A20010   call    dword ptr [1000A280]             ; WS2_32.socket

                                                        --10002DE6    FF15 7CA20010   call    dword ptr [1000A27C]             ; WS2_32.gethostbyname #222.211.72.24

                                                        --10002E08    FF15 78A20010   call    dword ptr [1000A278]             ; WS2_32.ntohs               #0x7DD 2013

                                          --10001989    FFD5            call    ebp                                               ;openevent

                                          --10001993    FFD3            call    ebx                              ; kernel32.Sleep 0x0A

                                          --10001996    81FF F4010000   cmp     edi, 1F4                                               

                                          --1000199C  ^ 7C DC           jl      short 1000197A                                          ;未增加到1F4,继续循环

                                          --1000199E   /EB 10           jmp     short 100019B0                                        ;edi 增加到0x1F4才跳转,结束sleep 跳转继续执行

                                                                                                                                                                        100019EE    E8 AD130000     call    10002DA0