9,506
社区成员
发帖
与我相关
我的任务
分享鲜为人知的冲击波(MSBlast)病毒详细代码分析报告(一)
病毒脱壳
查看MSBlast.exe,字节数为6176字节。利用Winhex查看MSBlast.exe十六进制,发现十六进制中包含UPX字符,从经验可以断定是利用UPX压缩,但还是利用language进行识别,判定的确为UPX加壳之后,利用UPXShell将MSBlast.exe进行脱壳之后字节数为11296字节。
病毒浅析
利用W32dsm打开己脱壳的MSBlast.exe,可以从中分析病毒PE文件具体信息。
************************************反汇编MSBlast.exe***************************************
Disassembly of File: msblast.exe *反汇编文件名称:msblast.exe
Code Offset = 00000400, Code Size = 00001458 *代码偏移量: 00000400,代码大小=00001458
Data Offset = 00001A00, Data Size = 0000088C *数据偏移量: 00001A00,数据大小=0000088C
Number of Objects = 0004 (dec), Imagebase = 00400000h
*对象共计= 0004 (dec), 基地址 = 00400000h
Object01: .text RVA: 00001000 Offset: 00000400 Size: 00001458 Flags: 60000020
Object02: .bss RVA: 00003000 Offset: 00000000 Size: 00000000 Flags: C0000080
Object03: .data RVA: 00004000 Offset: 00001A00 Size: 0000088C Flags: C0000040
Object04: .idata RVA: 00005000 Offset: 00002400 Size: 000006C0 Flags: C0000060
*Object01: .text 相对虚拟地址: 00001000 偏移量: 00000400 大小: 00001458标记位: 60000020
*Object02: .bss 相对虚拟地址: 00003000 偏移量: 00000000 大小: 00000000标记位: C0000080
*Object03: .data 相对虚拟地址: 00004000 偏移量: 00001A00 大小: 0000088C标记位: C0000040
*Object04: .idata 相对虚拟地址: 00005000 偏移量: 00002400 大小: 000006C0标记位: C0000060
*文中含有*为解释部分仅供参考。
********************************************************************************************
可以从以上的数据中获取病毒在内存中执行的数据,该病毒PE文件共分为4个区块,分别为text、bss、data、idata。脱壳后的病毒的入口点则为11CBh。
MSBlast.exe病毒共调用5个DLL模块,53个Win32 API函数。5个DLL模块分别为KERNEL32.DLL、ADVAPI32.DLL、CRTDLL.DLL、WININET.DLL、WS2_32.DLL,53个Win32 API函数请参照以下反汇编数据。
********************************************************************************************
+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 5 (decimal)
Import Module 001: KERNEL32.DLL
Import Module 002: ADVAPI32.DLL
Import Module 003: CRTDLL.DLL
Import Module 004: WININET.DLL
Import Module 005: WS2_32.DLL
+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++
Import Module 001: KERNEL32.DLL
Addr:000053E8 hint(0000) Name: ExitProcess
Addr:000053F8 hint(0000) Name: ExitThread
Addr:00005408 hint(0000) Name: GetCommandLineA
Addr:0000541C hint(0000) Name: GetDateFormatA
Addr:00005430 hint(0000) Name: GetLastError
Addr:00005440 hint(0000) Name: GetModuleFileNameA
Addr:00005458 hint(0000) Name: GetModuleHandleA
Addr:0000546C hint(0000) Name: CloseHandle
Addr:0000547C hint(0000) Name: GetTickCount
Addr:0000548C hint(0000) Name: RtlUnwind
Addr:00005498 hint(0000) Name: CreateMutexA
Addr:000054A8 hint(0000) Name: Sleep
Addr:000054B0 hint(0000) Name: TerminateThread
Addr:000054C4 hint(0000) Name: CreateThread
Import Module 002: ADVAPI32.DLL
Addr:000054D4 hint(0000) Name: RegCloseKey
Addr:000054E4 hint(0000) Name: RegCreateKeyExA
Addr:000054F8 hint(0000) Name: RegSetValueExA
Import Module 003: CRTDLL.DLL
Addr:0000550C hint(0000) Name: __GetMainArgs
Addr:0000551C hint(0000) Name: atoi
Addr:00005524 hint(0000) Name: exit
Addr:0000552C hint(0000) Name: fclose
Addr:00005538 hint(0000) Name: fopen
Addr:00005540 hint(0000) Name: fread
Addr:00005548 hint(0000) Name: memcpy
Addr:00005554 hint(0000) Name: memset
Addr:00005560 hint(0000) Name: raise
Addr:00005568 hint(0000) Name: rand
Addr:00005570 hint(0000) Name: signal
Addr:0000557C hint(0000) Name: sprintf
Addr:00005588 hint(0000) Name: srand
Addr:00005590 hint(0000) Name: strchr
Addr:0000559C hint(0000) Name: strtok
Import Module 004: WININET.DLL
Addr:000053CC hint(0000) Name: InternetGetConnectedState
Import Module 005: WS2_32.DLL
Addr:000052C0 hint(0000) Name: htons
Addr:000052C8 hint(0000) Name: ioctlsocket
Addr:000052D8 hint(0000) Name: inet_addr
Addr:000052E4 hint(0000) Name: inet_ntoa
Addr:000052F0 hint(0000) Name: recvfrom
Addr:000052FC hint(0000) Name: select
Addr:00005308 hint(0000) Name: send
Addr:00005310 hint(0000) Name: sendto
Addr:0000531C hint(0000) Name: setsockopt
Addr:0000532C hint(0000) Name: socket
Addr:00005338 hint(0000) Name: gethostbyname
Addr:00005348 hint(0000) Name: bind
Addr:00005350 hint(0000) Name: gethostname
Addr:00005360 hint(0000) Name: closesocket
Addr:00005370 hint(0000) Name: WSAStartup
Addr:00005380 hint(0000) Name: WSACleanup
Addr:00005390 hint(0000) Name: connect
Addr:0000539C hint(0000) Name: getpeername
Addr:000053AC hint(0000) Name: getsockname
Addr:000053BC hint(0000) Name: WSASocketA
+++++++++++++++++++ EXPORTED FUNCTIONS ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)
********************************************************************************************
看完以上Win32 API函数,你也许就明白了病毒调用那些API函数,如要不太熟API函数可以参阅MSDN获取更详细的资料。了解API函数针对病毒每个动作就会非常熟悉。
查看MSBlast.exe,字节数为6176字节。利用Winhex查看MSBlast.exe十六进制,发现十六进制中包含UPX字符,从经验可以断定是利用UPX压缩,但还是利用language进行识别,判定的确为UPX加壳之后,利用UPXShell将MSBlast.exe进行脱壳之后字节数为11296字节。
病毒浅析
利用W32dsm打开己脱壳的MSBlast.exe,可以从中分析病毒PE文件具体信息。
************************************反汇编MSBlast.exe***************************************
Disassembly of File: msblast.exe *反汇编文件名称:msblast.exe
Code Offset = 00000400, Code Size = 00001458 *代码偏移量: 00000400,代码大小=00001458
Data Offset = 00001A00, Data Size = 0000088C *数据偏移量: 00001A00,数据大小=0000088C
Number of Objects = 0004 (dec), Imagebase = 00400000h
*对象共计= 0004 (dec), 基地址 = 00400000h
Object01: .text RVA: 00001000 Offset: 00000400 Size: 00001458 Flags: 60000020
Object02: .bss RVA: 00003000 Offset: 00000000 Size: 00000000 Flags: C0000080
Object03: .data RVA: 00004000 Offset: 00001A00 Size: 0000088C Flags: C0000040
Object04: .idata RVA: 00005000 Offset: 00002400 Size: 000006C0 Flags: C0000060
*Object01: .text 相对虚拟地址: 00001000 偏移量: 00000400 大小: 00001458标记位: 60000020
*Object02: .bss 相对虚拟地址: 00003000 偏移量: 00000000 大小: 00000000标记位: C0000080
*Object03: .data 相对虚拟地址: 00004000 偏移量: 00001A00 大小: 0000088C标记位: C0000040
*Object04: .idata 相对虚拟地址: 00005000 偏移量: 00002400 大小: 000006C0标记位: C0000060
*文中含有*为解释部分仅供参考。
********************************************************************************************
可以从以上的数据中获取病毒在内存中执行的数据,该病毒PE文件共分为4个区块,分别为text、bss、data、idata。脱壳后的病毒的入口点则为11CBh。
MSBlast.exe病毒共调用5个DLL模块,53个Win32 API函数。5个DLL模块分别为KERNEL32.DLL、ADVAPI32.DLL、CRTDLL.DLL、WININET.DLL、WS2_32.DLL,53个Win32 API函数请参照以下反汇编数据。
********************************************************************************************
+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 5 (decimal)
Import Module 001: KERNEL32.DLL
Import Module 002: ADVAPI32.DLL
Import Module 003: CRTDLL.DLL
Import Module 004: WININET.DLL
Import Module 005: WS2_32.DLL
+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++
Import Module 001: KERNEL32.DLL
Addr:000053E8 hint(0000) Name: ExitProcess
Addr:000053F8 hint(0000) Name: ExitThread
Addr:00005408 hint(0000) Name: GetCommandLineA
Addr:0000541C hint(0000) Name: GetDateFormatA
Addr:00005430 hint(0000) Name: GetLastError
Addr:00005440 hint(0000) Name: GetModuleFileNameA
Addr:00005458 hint(0000) Name: GetModuleHandleA
Addr:0000546C hint(0000) Name: CloseHandle
Addr:0000547C hint(0000) Name: GetTickCount
Addr:0000548C hint(0000) Name: RtlUnwind
Addr:00005498 hint(0000) Name: CreateMutexA
Addr:000054A8 hint(0000) Name: Sleep
Addr:000054B0 hint(0000) Name: TerminateThread
Addr:000054C4 hint(0000) Name: CreateThread
Import Module 002: ADVAPI32.DLL
Addr:000054D4 hint(0000) Name: RegCloseKey
Addr:000054E4 hint(0000) Name: RegCreateKeyExA
Addr:000054F8 hint(0000) Name: RegSetValueExA
Import Module 003: CRTDLL.DLL
Addr:0000550C hint(0000) Name: __GetMainArgs
Addr:0000551C hint(0000) Name: atoi
Addr:00005524 hint(0000) Name: exit
Addr:0000552C hint(0000) Name: fclose
Addr:00005538 hint(0000) Name: fopen
Addr:00005540 hint(0000) Name: fread
Addr:00005548 hint(0000) Name: memcpy
Addr:00005554 hint(0000) Name: memset
Addr:00005560 hint(0000) Name: raise
Addr:00005568 hint(0000) Name: rand
Addr:00005570 hint(0000) Name: signal
Addr:0000557C hint(0000) Name: sprintf
Addr:00005588 hint(0000) Name: srand
Addr:00005590 hint(0000) Name: strchr
Addr:0000559C hint(0000) Name: strtok
Import Module 004: WININET.DLL
Addr:000053CC hint(0000) Name: InternetGetConnectedState
Import Module 005: WS2_32.DLL
Addr:000052C0 hint(0000) Name: htons
Addr:000052C8 hint(0000) Name: ioctlsocket
Addr:000052D8 hint(0000) Name: inet_addr
Addr:000052E4 hint(0000) Name: inet_ntoa
Addr:000052F0 hint(0000) Name: recvfrom
Addr:000052FC hint(0000) Name: select
Addr:00005308 hint(0000) Name: send
Addr:00005310 hint(0000) Name: sendto
Addr:0000531C hint(0000) Name: setsockopt
Addr:0000532C hint(0000) Name: socket
Addr:00005338 hint(0000) Name: gethostbyname
Addr:00005348 hint(0000) Name: bind
Addr:00005350 hint(0000) Name: gethostname
Addr:00005360 hint(0000) Name: closesocket
Addr:00005370 hint(0000) Name: WSAStartup
Addr:00005380 hint(0000) Name: WSACleanup
Addr:00005390 hint(0000) Name: connect
Addr:0000539C hint(0000) Name: getpeername
Addr:000053AC hint(0000) Name: getsockname
Addr:000053BC hint(0000) Name: WSASocketA
+++++++++++++++++++ EXPORTED FUNCTIONS ++++++++++++++++++
Number of Exported Functions = 0000 (decimal)
********************************************************************************************
看完以上Win32 API函数,你也许就明白了病毒调用那些API函数,如要不太熟API函数可以参阅MSDN获取更详细的资料。了解API函数针对病毒每个动作就会非常熟悉。
...全文
请发表友善的回复…
发表回复
