前言
小菜最近开始做样本分析,第一次遇到dll劫持样本,所以这里写一个分析,一是方便监督自己学习,二是
0x01.dll劫持原理
由于输入表中只包含DLL名而没有它的路径名,因此加载程序必须在磁盘上搜索DLL文件。首先会尝试从当前程序所在的目录加载DLL,如果没找到,则在Windows系统目录中查找,最后是在环境变量中列出的各个目录下查找。利用这个特点,先伪造一个系统同名的DLL,提供同样的输出表,每个输出函数转向真正的系统DLL。程序调用系统DLL时会先调用当前目录下伪造的DLL,完成相关功能后,再跳到系统DLL同名函数里执行。这个过程用个形象的词来描述就是系统DLL被劫持(hijack)了,而本文中的lpk.dll是大部分程序都会调用到的一个dll
0x02样本信息
MD5:
基本行为:
0x03行为分析
3.1加载资源,写入tmp文件
该木马通过调用GetModuleFileNameW()后就加载资源文件,从资源文件中读取到"Distribuijq"这个字符串
创建名为"Distribuijq"的互斥量
1: 100012BD /$ 57 push edi
2: 100012BE |. 68 20320010 push lpk_1.10003220 ; /MutexName = "Distribuijq"
3: 100012C3 |. 6A 00 push 0x0 ; |InitialOwner = FALSE
4: 100012C5 |. 6A 00 push 0x0 ; |pSecurity = NULL
5: 100012C7 |. FF15 50200010 call dword ptr ds:[<&KERNEL32.CreateMute>; \CreateMutexA
6:
创建互斥量后,继续读取资源,从下图中可以看出是个明显的PE结构文件
读取到资源后会在系统临时目录下创建一个前缀名为"hrl"+*的文件名,因为GetTempFileameW()函数中的Unique参数(追加到前缀字串后面的数字)设置的是0x0所以这个函数会用一个随机数字生成文件。随后,它会检查是否存在同名的文件。如果存在,函数会增加这个数字,并继续尝试,直到生成一个独一无二的名字为止。
1: 10001204 |. 50 push eax ; /Buffer = 0012F610
2: 10001205 |. 68 04010000 push 0x104 ; |BufSize = 104 (260.)
3: 1000120A |. FF15 48200010 call dword ptr ds:[<&KERNEL32.GetTempPat>; \GetTempPathW
4: 10001210 |. 8D85 94FDFFFF lea eax,[local.155]
5: 10001216 |. 50 push eax ; /TempName = 0012F610
6: 10001217 |. 56 push esi ; |Unique = 0x0
7: 10001218 |. 68 C4210010 push lpk_1.100021C4 ; |Prefix = "hrl"
8: 1000121D |. 50 push eax ; |Path = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hrl26.tmp"
9: 1000121E |. FF15 44200010 call dword ptr ds:[<&KERNEL32.GetTempFil>; \GetTempFileNameW
10: 10001224 |. 56 push esi ; /hTemplateFile = NULL
11: 10001225 |. 56 push esi ; |Attributes = 0
12: 10001226 |. 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
13: 10001228 |. 56 push esi ; |pSecurity = NULL
14: 10001229 |. 33DB xor ebx,ebx ; |
15: 1000122B |. 43 inc ebx ; |
16: 1000122C |. 53 push ebx ; |ShareMode = FILE_SHARE_READ
17: 1000122D |. 68 00000040 push 0x40000000 ; |Access = GENERIC_WRITE
18: 10001232 |. 8D85 94FDFFFF lea eax,[local.155] ; |
19: 10001238 |. 50 push eax ; |FileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hrl26.tmp"
20: 10001239 |. FF15 40200010 call dword ptr ds:[<&KERNEL32.CreateFile>; \CreateFileW
创建完成后就会将数据写入到该tmp文件中去
1: 10001246 |. 56 push esi ; /pOverlapped = NULL
2: 10001247 |. 8D45 F0 lea eax,[local.4] ; |
3: 1000124A |. 50 push eax ; |pBytesWritten = 0012F86C
4: 1000124B |. FF75 F8 push [local.2] ; |nBytesToWrite = 9A00 (39424.)
5: 1000124E |. 8975 F0 mov [local.4],esi ; |
6: 10001251 |. FF75 F4 push [local.3] ; |Buffer = lpk_1.10004094
7: 10001254 |. 57 push edi ; |hFile = 00000084 (window)
8: 10001255 |. FF15 3C200010 call dword ptr ds:[<&KERNEL32.WriteFile>>; \WriteFile
9:
3.2创建新进程"hrl*.tmp"
1: 10001281 |. 50 push eax ; /pProcessInfo = 0012F610
2: 10001282 |. 8D45 9C lea eax,[local.25] ; |
3: 10001285 |. 50 push eax ; |pStartupInfo = 0012F610
4: 10001286 |. 56 push esi ; |CurrentDir = NULL
5: 10001287 |. 56 push esi ; |pEnvironment = NULL
6: 10001288 |. 56 push esi ; |CreationFlags = 0
7: 10001289 |. 56 push esi ; |InheritHandles = FALSE
8: 1000128A |. 56 push esi ; |pThreadSecurity = NULL
9: 1000128B |. 56 push esi ; |pProcessSecurity = NULL
10: 1000128C |. 8D85 94FDFFFF lea eax,[local.155] ; |
11: 10001292 |. 50 push eax ; |CommandLine = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hrl26.tmp"
12: 10001293 |. 56 push esi ; |ModuleFileName = NULL
13: 10001294 |. C745 9C 44000>mov [local.25],0x44 ; |
14: 1000129B |. 895D C8 mov [local.14],ebx ; |
15: 1000129E |. FF15 30200010 call dword ptr ds:[<&KERNEL32.CreateProc>; \CreateProcessW
获取到当前进程的名字写入到进程的内存中
1: 100012F6 /$ 55 push ebp
2: 100012F7 |. 8BEC mov ebp,esp
3: 100012F9 |. 81EC 08020000 sub esp,0x208
4: 100012FF |. 68 04010000 push 0x104 ; /BufSize = 104 (260.)
5: 10001304 |. 8D85 F8FDFFFF lea eax,[local.130] ; |
6: 1000130A |. 50 push eax ; |PathBuffer = 0012F6DE
7: 1000130B |. FF35 90320010 push dword ptr ds:[0x10003290] ; |hModule = 10000000 (lpk_1)
8: 10001311 |. FF15 58200010 call dword ptr ds:[<&KERNEL32.GetModuleF>; \GetModuleFileNameW
9: 10001317 |. 8D85 F8FDFFFF lea eax,[local.130]
10: 1000131D |. 50 push eax ; /Path = "lpk.dll"
11: 1000131E |. FF15 C8200010 call dword ptr ds:[<&SHLWAPI.PathFindFil>; \PathFindFileNameW
12: 10001324 |. 68 CC210010 push lpk_1.100021CC ; /String2 = "lpk.dll"
13: 10001329 |. 50 push eax ; |String1 = "lpk.dll"
14: 1000132A |. FF15 54200010 call dword ptr ds:[<&KERNEL32.lstrcmpiW>>; \lstrcmpiW
hrl*.tmp分析
1: if ( Openkey() )
2: {
3: ServiceStartTable.lpServiceName = ServiceName;
4: ServiceStartTable.lpServiceProc = (LPSERVICE_MAIN_FUNCTIONA)sub_4028D0;
5: v5 = 0;
6: v6 = 0;
7: StartServiceCtrlDispatcherA(&ServiceStartTable);
8: }
9: else
10: {
11: ServerAndKeyAndCreate(ServiceName, DisplayName, aDistribumgqTra);
12: if ( dword_409344 )
13: {
14: GetTempAndMove();
15: ExitProcess(0);
16: }
17: }
OpenKey()
0x01尝试打开名"SYSTEM\CurrentControlSet\Services\Distribuijq"的注册表
使用用字符串拼接的方式得到注册表名
1: 00402C67 |. 68 A4844000 push hrl1A.004084A4 ; /String2 = "SYSTEM\CurrentControlSet\Services\"
2: 00402C6C |. F3:AB rep stos dword ptr es:[edi] ; |
3: 00402C6E |. 66:AB stos word ptr es:[edi] ; |
4: 00402C70 |. AA stos byte ptr es:[edi] ; |
5: 00402C71 |. 8D4424 0C lea eax,dword ptr ss:[esp+0xC] ; |
6: 00402C75 |. 50 push eax ; |String1 = 0012F780
7: 00402C76 |. FF15 7C604000 call dword ptr ds:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
8: 00402C7C |. 8D4C24 08 lea ecx,dword ptr ss:[esp+0x8]
9: 00402C80 |. 68 24804000 push hrl1A.00408024 ; /StringToAdd = "Distribuijq"
10: 00402C85 |. 51 push ecx ; |ConcatString = "SYSTEM\CurrentControlSet\Services\"
11: 00402C86 |. FF15 4C604000 call dword ptr ds:[<&KERNEL32.lstrcatA>] ; \lstrcatA
调用RegOpenKeyExA函数,这里不是直接调用的RegOpenKeyExA函数的,而是通过使用LoadLibraryA函数和GetProcessAdderss函数组合来调用的该函数。后面的大部分函数都是通过这样的方法来的就不在重复了
1: 00403B43 |> \FF75 E8 push [local.6] ; /FileName = "ADVAPI32.dll"
2: 00403B46 |. FF15 58604000 call dword ptr ds:[<&KERNEL32.LoadLibrar>; \LoadLibraryA
1: 00403C25 |> \FF75 F0 push [local.4] ; /ProcNameOrOrdinal = "RegOpenKeyExA"
2: 00403C28 |. 57 push edi ; |hModule
3: 00403C29 |. FF15 64604000 call dword ptr ds:[<&KERNEL32.GetProcAdd>; \GetProcAddress
如果打开成功
如果打开失败
当前路径和系统路径进行对比,如果就开始复制自身到系统文件中
1: 00402DB5 |. 51 push ecx ; /maxlen
2: 00402DB6 |. 8D85 D8FCFFFF lea eax,[local.202] ; |
3: 00402DBC |. 50 push eax ; |s2 = "C:\Documents and Settings\Administrator\桌面\hrl1A.tmp"
4: 00402DBD |. 8D8D E0FDFFFF lea ecx,[local.136] ; |
5: 00402DC3 |. 51 push ecx ; |s1 = "C:\WINDOWS\system32"
6: 00402DC4 |. FF15 60624000 call dword ptr ds:[<&MSVCRT.strncmp>] ; \strncmp
7:
生成的文件名只有6位,是通过重复调用下面的函数获得的,进去看了一下,使用GetTickCount函数和rand函数一起使用获得一个assic然后使用wsprintfA函数的到的
1: v6 = sub_403CC0(0x1Au) + 97;
2: v7 = sub_403CC0(0x1Au) + 97;
3: v8 = sub_403CC0(0x1Au) + 97;
4: v9 = sub_403CC0(0x1Au) + 97;
5: v10 = sub_403CC0(0x1Au) + 97;
6: v11 = sub_403CC0(0x1Au);
1: v1 = GetTickCount();
2: return v1 * (rand() + 3) % a1;
复制自身到C:windwos\system32
1: 00402E3E |. 68 D4844000 push hrl1A.004084D4 ; /StringToAdd = "\"
2: 00402E43 |. 8D85 E0FDFFFF lea eax,[local.136] ; |
3: 00402E49 |. 50 push eax ; |ConcatString = "C:\WINDOWS\system32\icdgae.exe"
4: 00402E4A |. 8B1D 4C604000 mov ebx,dword ptr ds:[<&KERNEL32.lstrcat>; |kernel32.lstrcatA
5: 00402E50 |. FFD3 call ebx ; \lstrcatA
6: 00402E52 |. 8D8D 68FCFFFF lea ecx,[local.230]
7: 00402E58 |. 51 push ecx ; /StringToAdd = "C:\Documents and Settings\Administrator\桌面\hrl1A.tmp"
8: 00402E59 |. 8D95 E0FDFFFF lea edx,[local.136] ; |
9: 00402E5F |. 52 push edx ; |ConcatString = 0000000B ???
10: 00402E60 |. FFD3 call ebx ; \lstrcatA
11: 00402E62 |. 56 push esi ; /FailIfExists = FALSE
12: 00402E63 |. 8D85 E0FDFFFF lea eax,[local.136] ; |
13: 00402E69 |. 50 push eax ; |NewFileName = "C:\WINDOWS\system32\icdgae.exe"
14: 00402E6A |. 8D8D D8FCFFFF lea ecx,[local.202] ; |
15: 00402E70 |. 51 push ecx ; |ExistingFileName = "C:\Documents and Settings\Administrator\桌面\hrl1A.tmp"
16: 00402E71 |. FF15 88604000 call dword ptr ds:[<&KERNEL32.CopyFileA>>; \CopyFileA
服务控制管理器的连接
1: 00402EC3 |. 68 3F000F00 push 0xF003F
2: 00402EC8 |. 57 push edi
3: 00402EC9 |. 57 push edi
4: 00402ECA |. FF15 748D4000 call dword ptr ds:[0x408D74] ; advapi32.OpenSCManagerA
如果建立连接成功
创建服务,如果创建服务返回1073(服务已经存在)就打开服务,执行服务
创建服务
1: 0012F4A0 00402F03 /CALL 到 CreateServiceA 来自 hrl1A.00402EFD
2: 0012F4A4 0015A560 |hManager = 0015A560
3: 0012F4A8 00408024 |ServiceName = "Distribuijq"
4: 0012F4AC 00408044 |DisplayName = "Distribuluf Transaction Coordinator Service"
5: 0012F4B0 000F01FF |DesiredAccess = SERVICE_ALL_ACCESS
6: 0012F4B4 00000010 |ServiceType = SERVICE_WIN32_OWN_PROCESS
7: 0012F4B8 00000002 |StartType = SERVICE_AUTO_START
8: 0012F4BC 00000000 |ErrorControl = SERVICE_ERROR_IGNORE
9: 0012F4C0 0012F554 |BinaryPathName = "C:\WINDOWS\system32\xwxnws.exe"
10: 0012F4C4 00000000 |LoadOrderGroup = NULL
11: 0012F4C8 00000000 |pTagId = NULL
12: 0012F4CC 00000000 |pDependencies = NULL
13: 0012F4D0 00000000 |ServiceStartName = NULL
14: 0012F4D4 00000000 \Password = NULL
15:
1: 00402EF4 |. 8B55 0C mov edx,[arg.2] ; hrl1A.00408044
2: 00402EF7 |. 52 push edx ; Distribuluf Transaction Coordinator Service
3: 00402EF8 |. 8B7D 08 mov edi,[arg.1] ; Distribuijq
4: 00402EFB |. 57 push edi ; hrl1A.00408024
5: 00402EFC |. 50 push eax
6: 00402EFD |. FF15 448D4000 call dword ptr ds:[0x408D44] ; hrl1A.00403956
1:
2: v5 = CreateServiceA(v13, lpServiceName, lpDisplayName, 0xF01FFu, 0x10u, 2u, 0, &Str2, 0, 0, 0, 0, 0);
3: v37 = v5;
4: if ( !v5 && GetLastError() == 1073 )
5: {
6: v14 = OpenServiceA(hSCManager, lpServiceName, 0xF01FFu);
7: v5 = v14;
8: v37 = v14;
9: if ( !v14 )
10: goto LABEL_11;
11: StartServiceA(v14, 0, 0);
12: }
13: if ( StartServiceA(v5, 0, 0) )
14: {
15: lstrcpyA(&String1, aSystemCurrentc);
16: v12(&String1, lpServiceName);
17: RegOpenKeyA(HKEY_LOCAL_MACHINE, &String1, &phkResult);
18: v15 = lstrlenA(lpString);
19: RegSetValueExA(phkResult, aDescription, 0, 1u, (const BYTE *)lpString, v15);
20: }
创建的服务指向刚刚复制到系统文件夹的程序然后打开服务执行服务
1: 00402F55 |. 68 A4844000 push hrl1A.004084A4 ; /String2 = "SYSTEM\CurrentControlSet\Services\"
2: 00402F5A |. 8D8D E4FEFFFF lea ecx,[local.71] ; |
3: 00402F60 |. 51 push ecx ; |String1 = 0012F760
4: 00402F61 |. FF15 7C604000 call dword ptr ds:[<&KERNEL32.lstrcpyA>] ; \lstrcpyA
如果启动
1: 00402588 |. 52 push edx ; /Buffer = 0000000D
2: 00402589 |. 68 04010000 push 0x104 ; |BufSize = 104 (260.)
3: 0040258E |. FF15 28604000 call dword ptr ds:[<&KERNEL32.GetTempPat>; \GetTempPathA
4: 00402594 |. 8D8424 200100>lea eax,dword ptr ss:[esp+0x120]
5: 0040259B |. 68 88844000 push hrl1A.00408488 ; /StringToAdd = "SOFTWARE.LOG"
6: 004025A0 |. 50 push eax ; |ConcatString = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SOFTWARE.LOG"
7: 004025A1 |. FF15 4C604000 call dword ptr ds:[<&KERNEL32.lstrcatA>] ; \lstrcatA
8: 004025A7 |. 8B35 2C604000 mov esi,dword ptr ds:[<&KERNEL32.MoveFil>; kernel32.MoveFileExA
9: 004025AD |. 8D8C24 200100>lea ecx,dword ptr ss:[esp+0x120]
10: 004025B4 |. 6A 03 push 0x3 ; /Flags = REPLACE_EXISTING|COPY_ALLOWED
11: 004025B6 |. 8D5424 20 lea edx,dword ptr ss:[esp+0x20] ; |
12: 004025BA |. 51 push ecx ; |NewName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SOFTWARE.LOG"
13: 004025BB |. 52 push edx ; |ExistingName = "C:\Documents and Settings\Administrator\桌面\hrl1A.exe"
14: 004025BC |. FFD6 call esi ; \MoveFileExA
15: 004025BE |. 85C0 test eax,eax
16: 004025C0 |. 74 0E je short hrl1A.004025D0
17: 004025C2 |. 6A 05 push 0x5 ; /Flags = REPLACE_EXISTING|DELAY_UNTIL_REBOOT
18: 004025C4 |. 8D8424 240100>lea eax,dword ptr ss:[esp+0x124] ; |
19: 004025CB |. 6A 00 push 0x0 ; |NewName = NULL
20: 004025CD |. 50 push eax ; |ExistingName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SOFTWARE.LOG"
21: 004025CE |. FFD6 call esi ; \MoveFileExA
22:
402EFD
写注册表和服务 重要
402f4b 运行服务
4025ce movefile居然修改了注册表
函数学习:
SetHandleCount():获取变量内存地址
PathFindFileName():由文件路径获得文件名
73d3cf71
402b80
0012f4e444444
时间: 2024-08-07 09:46:07