病毒反调试跟踪

跟踪一个带有大量反调试手段的病毒样本。下面按遇到的先后顺序记录每一处检测点、对应的反汇编/调用栈片段，以及绕过方式。

1. 调用 QueryPerformanceCounter 反调试。这个 API 内部调用 ntdll!NtQueryPerformanceCounter，后者封装了 ZwQueryPerformanceCounter 系统调用。从下面的片段看，计数值写入 [local.5] 后只是被异或进 [local.1]（00406103 压入 local.5 的地址，0040610D 做异或），这里并没有与第二次计数值相减比较；它是否真的用于时间差检测，需要结合后面使用 [local.1] 的代码再确认。

004060FA  |.  3345 FC         xor eax,[local.1]
004060FD  |.  8945 FC         mov [local.1],eax
00406100  |.  8D55 EC         lea edx,[local.5]
00406103  |.  52              push edx                                                  
00406104  |.  FF15 C0204300   call dword ptr ds:[<&KERNEL32.QueryPerformanceCounter>]
0040610A  |.  8B45 FC         mov eax,[local.1]
0040610D  |.  3345 EC         xor eax,[local.5]
00406110  |.  8945 FC         mov [local.1],eax

2. 注册 SEH 异常处理函数。片段中 004053CF 先读出 fs:[0] 保存旧的 SEH 链头并压栈，004053EA 再把新的异常帧地址（ebp-0x10）写回 fs:[0] 完成注册；处理函数地址由 004053C5 压入的 123.00446510 给出。

004053C0   $  55              push ebp
004053C1   .  8BEC            mov ebp,esp
004053C3   .  6A FE           push -0x2
004053C5   .  68 10654400     push 123.00446510
004053CA   .  68 F0874000     push 123.004087F0
004053CF   .  64:A1 00000000  mov eax,dword ptr fs:[0]                                  ;  SEH地址
004053D5   .  50              push eax
004053D6   .  83C4 D0         add esp,-0x30
004053D9   .  53              push ebx
004053DA   .  56              push esi
004053DB   .  57              push edi
004053DC   .  A1 0C804400     mov eax,dword ptr ds:[0x44800C]
004053E1   .  3145 F8         xor dword ptr ss:[ebp-0x8],eax
004053E4   .  33C5            xor eax,ebp
004053E6   .  50              push eax
004053E7   .  8D45 F0         lea eax,dword ptr ss:[ebp-0x10]
004053EA   .  64:A3 00000000  mov dword ptr fs:[0],eax                                  ;  注册SEH
004053F0   .  8965 E8         mov dword ptr ss:[ebp-0x18],esp
004053F3   .  6A 01           push 0x1

3. 调用 IsProcessorFeaturePresent(0xA) 反调试，手动把返回值 eax 改为 0 即可。注意 00405DB2 处的 jnz：eax≠0 时跳到 00405DBB 继续往下执行，eax=0 时则落到 xor eax,eax 并 jmp 到 123.00406043，修改前先确认想走的是哪一条分支。

00405DA1   .  83C8 01         or eax,0x1
00405DA4   .  A3 10804400     mov dword ptr ds:[0x448010],eax
00405DA9   .  6A 0A           push 0xA
00405DAB   .  E8 82A00200     call <jmp.&KERNEL32.IsProcessorFeaturePresent>            ;  反调试
00405DB0   .  85C0            test eax,eax
00405DB2   .  75 07           jnz short 123.00405DBB
00405DB4   .  33C0            xor eax,eax
00405DB6   .  E9 88020000     jmp 123.00406043
00405DBB   >  C745 F0 0000000>mov dword ptr ss:[ebp-0x10],0x0
00405DC2   .  C745 F4 0000000>mov dword ptr ss:[ebp-0xC],0x0

4. 调用 LoadLibraryExW 加载一个不常见的 DLL：api-ms-win-core-synch-l1-2-0（hFile = NULL，Flags = 0x800），调用栈如下。

0012FE88    004084C5  /CALL 到 LoadLibraryExW 来自 123.004084BF
0012FE8C    00432494  |FileName = "api-ms-win-core-synch-l1-2-0"
0012FE90    00000000  |hFile = NULL
0012FE94    00000800  \Flags = 800

5. 通过 GetProcAddress 从 kernel32.dll（hModule = 7C800000）取得 InitializeCriticalSectionEx 的地址。

EBP-10   0> 0040849F  /CALL 到 GetProcAddress 来自 123.00408499
EBP-C    0> 7C800000  |hModule = 7C800000 (kernel32)
EBP-8    0> 004326C0  \ProcNameOrOrdinal = "InitializeCriticalSectionEx"

6. 再次调用 IsProcessorFeaturePresent(0xA) 反调试。这次返回值在 0042CEBC 处被保存到 ds:[0x4606C4]，因此只改 eax 还不够，还要修改 0x4606C4 处的值（或在 mov 之前改 eax）。

0042CEB3    8BEC           mov ebp,esp
0042CEB5    6A 0A          push 0xA
0042CEB7    E8 762F0000    call <jmp.&KERNEL32.IsProcessorFeaturePresent>
0042CEBC    A3 C4064600    mov dword ptr ds:[0x4606C4],eax
0042CEC1    33C0           xor eax,eax

7. 调用 SetUnhandledExceptionFilter 安装顶层异常过滤器（pTopLevelFilter = 123.00405A50）作为反调试手段，随后流程进入 SEH。

EBP-8    0> 00405A4E  /CALL 到 SetUnhandledExceptionFilter 来自 123.00405A48
EBP-4    0> 00405A50  \pTopLevelFilter = 123.00405A50


转载自blog.csdn.net/joliph/article/details/79644756