至顶网 Network Channel

A Brief Analysis of the Detection Principle of the Super Gray Pigeon VIP2005 Detector


The detector is written in Borland Delphi, and reading its disassembly one keeps running into layer upon layer of nested calls. Behind the main CALLs annotated below there are many further, more detailed internal calls; for reasons of space they are not listed one by one.

Author: 安全中国 (Security China), 7 November 2007

Keywords: 灰鸽子 (Gray Pigeon), Gray Pigeon virus, Gray Pigeon removal, Gray Pigeon 2007, Gray Pigeon removal tool


  LWVVKL_
  00459FD8  E8 17A4FAFF     call 超强灰鸽.004043F4
  00459FDD  FF75 D0         push dword ptr ss:[ebp-30]
                            ; ASCII "LWVV"
  00459FE0  68 FCA24500     push 超强灰鸽.0045A2FC
                            ; ASCII "_Hook.DLL"
  00459FE5  8D45 FC         lea eax,dword ptr ss:[ebp-4]
  00459FE8  BA 03000000     mov edx,3
                            ; 3 = number of strings to concatenate
  00459FED  E8 62A2FAFF     call 超强灰鸽.00404254
                            ; joins the three strings: ASCII "D:\WINDOWS\LWVV_Hook.DLL"
  00459FF2  8B45 FC         mov eax,dword ptr ss:[ebp-4]
                            ; EAX=00459FF2 SS:[0012F648]=00EE5510, ASCII "D:\WINDOWS\LWVV_Hook.DLL"
  00459FF5  E8 9AA1FAFF     call 超强灰鸽.00404194
                            ; EAX=0x18=24 => length of ASCII "D:\WINDOWS\LWVV_Hook.DLL"
  00459FFA  8BD0            mov edx,eax
  00459FFC  85D2            test edx,edx
  00459FFE  7E 18           jle short 超强灰鸽.0045A018
  0045A000  BE 01000000     mov esi,1
  0045A005  B8 CCDC4500     mov eax,超强灰鸽.0045DCCC
                            ; ASCII "D:\WINDOWS\LWVV_Hook.DLL"
  0045A00A  8B4D FC         mov ecx,dword ptr ss:[ebp-4]
  0045A00D  8A4C31 FF       mov cl,byte ptr ds:[ecx+esi-1]
  0045A011  8808            mov byte ptr ds:[eax],cl
  0045A013  46              inc esi
  0045A014  40              inc eax
  0045A015  4A              dec edx
  0045A016  ^ 75 F2         jnz short 超强灰鸽.0045A00A
                            ; loop: copies the path byte by byte into the static buffer at 0045DCCC
  0045A018  E8 47C1FAFF     call
  0045A01D  A9 00000080     test eax,80000000
  0045A022  74 13           je short 超强灰鸽.0045A037 ; JUMP
  0045A024  68 581B0000     push 1B58
  0045A029  68 CCDC4500     push 超强灰鸽.0045DCCC
                            ; ASCII "D:\WINDOWS\LWVV_Hook.DLL"
  0045A02E  6A FD           push -3
  0045A030  E8 97E6FFFF     call 超强灰鸽.004586CC
  0045A035  EB 2B           jmp short 超强灰鸽.0045A062
  0045A037  8B45 FC         mov eax,dword ptr ss:[ebp-4]
  0045A03A  E8 55A1FAFF     call 超强灰鸽.00404194
  0045A03F  8BC8            mov ecx,eax
  0045A041  03C9            add ecx,ecx
  0045A043  41              inc ecx
  0045A044  BA D4DD4500     mov edx,超强灰鸽.0045DDD4
                            ; UNICODE "D:\WINDOWS\LWVV_Hook.DLL"
  0045A049  8B45 FC         mov eax,dword ptr ss:[ebp-4]
  0045A04C  E8 1FACFAFF     call 超强灰鸽.00404C70
                            ; MultiByteToWideChar()
  0045A051  68 581B0000     push 1B58
  0045A056  68 D4DD4500     push 超强灰鸽.0045DDD4
                            ; UNICODE "D:\WINDOWS\LWVV_Hook.DLL"
  0045A05B  6A FD           push -3
  0045A05D  E8 96E6FFFF     call 超强灰鸽.004586F8
  0045A062  8B83 FC020000   mov eax,dword ptr ds:[ebx+2FC]
  0045A068  8B80 20020000   mov eax,dword ptr ds:[eax+220]
  0045A06E  BA 10A34500     mov edx,超强灰鸽.0045A310
  0045A073  8B08            mov ecx,dword ptr ds:[eax]
  0045A075  FF51 38         call dword ptr ds:[ecx+38]
  0045A078  6A 00           push 0
  0045A07A  68 30A34500     push 超强灰鸽.0045A330
                            ; ASCII "TGVIP_MainForm"
  0045A07F  E8 78C5FAFF     call
                            ; look up the hidden process's window
  0045A084  8BF0            mov esi,eax
  0045A086  85F6            test esi,esi
  0045A088  74 61           je short 超强灰鸽.0045A0EB
  0045A08A  8B83 FC020000   mov eax,dword ptr ds:[ebx+2FC]
  0045A090  8B80 20020000   mov eax,dword ptr ds:[eax+220]
  0045A096  BA 48A34500     mov edx,超强灰鸽.0045A348
  0045A09B  8B08            mov ecx,dword ptr ds:[eax]
  0045A09D  FF51 38         call dword ptr ds:[ecx+38]
  0045A0A0  6A 64           push 64
  0045A0A2  E8 8128FBFF     call
  0045A0A7  6A 00           push 0
  0045A0A9  6A 00           push 0
  0045A0AB  68 00340000     push 3400
  0045A0B0  56              push esi
  0045A0B1  E8 86C7FAFF     call
  0045A0B6  6A 64           push 64
  0045A0B8  E8 6B28FBFF     call
  0045A0BD  6A 00           push 0
  0045A0BF  6A 00           push 0
  0045A0C1  68 00340000     push 3400
  0045A0C6  56              push esi
  0045A0C7  E8 70C7FAFF     call
  0045A0CC  6A 64           push 64
  0045A0CE  E8 5528FBFF     call
  0045A0D3  6A 00           push 0
  0045A0D5  6A 00           push 0
  0045A0D7  68 00340000     push 3400
  0045A0DC  56              push esi
  0045A0DD  E8 5AC7FAFF     call
  0045A0E2  6A 64           push 64
  0045A0E4  E8 3F28FBFF     call
  0045A0E9  EB 16           jmp short 超强灰鸽.0045A101
  0045A0EB  8B83 FC020000   mov eax,dword ptr ds:[ebx+2FC]
  0045A0F1  8B80 20020000   mov eax,dword ptr ds:[eax+220]
  0045A0F7  BA 7CA34500     mov edx,超强灰鸽.0045A37C
  0045A0FC  8B08            mov ecx,dword ptr ds:[eax]
  0045A0FE  FF51 38         call dword ptr ds:[ecx+38]
  0045A101  8D45 CC         lea eax,dword ptr ss:[ebp-34]
  0045A104  E8 43FCFFFF     call 超强灰鸽.00459D4C
  0045A109  8D45 CC         lea eax,dword ptr ss:[ebp-34]
  0045A10C  8B15 B8DC4500   mov edx,dword ptr ds:[45DCB8]
  0045A112  E8 85A0FAFF     call 超强灰鸽.0040419C
  0045A117  8B45 CC         mov eax,dword ptr ss:[ebp-34]
  0045A11A  33D2            xor edx,edx
  0045A11C  E8 9BE3FAFF     call 超强灰鸽.004084BC
  0045A121  8D45 C4         lea eax,dword ptr ss:[ebp-3C]
  0045A124  E8 23FCFFFF     call 超强灰鸽.00459D4C
                            ; clear the attributes of the file to be handled
  0045A129  8D45 C4         lea eax,dword ptr ss:[ebp-3C]
  0045A12C  8B15 B8DC4500   mov edx,dword ptr ds:[45DCB8]
  0045A132  E8 65A0FAFF     call 超强灰鸽.0040419C
  0045A137  8B45 C4         mov eax,dword ptr ss:[ebp-3C]
  0045A13A  E8 55A2FAFF     call 超强灰鸽.00404394
  0045A13F  8BD0            mov edx,eax
  0045A141  8D45 C8         lea eax,dword ptr ss:[ebp-38]
  0045A144  E8 839FFAFF     call 超强灰鸽.004040CC
  0045A149  8B45 C8         mov eax,dword ptr ss:[ebp-38]
  0045A14C  E8 93E3FAFF     call 超强灰鸽.004084E4
                            ; delete the virus file
  0045A151  8D45 C0         lea eax,dword ptr ss:[ebp-40]
  0045A154  E8 F3FBFFFF     call 超强灰鸽.00459D4C
                            ; get the Windows directory
  0045A159  8D45 C0         lea eax,dword ptr ss:[ebp-40]
  0045A15C  8B15 BCDC4500   mov edx,dword ptr ds:[45DCBC]
  0045A162  E8 35A0FAFF     call 超强灰鸽.0040419C
  0045A167  8B45 C0         mov eax,dword ptr ss:[ebp-40]
  0045A16A  33D2            xor edx,edx
  0045A16C  E8 4BE3FAFF     call 超强灰鸽.004084BC
                            ; clear the file's attributes
  0045A171  8D45 B8         lea eax,dword ptr ss:[ebp-48]
  0045A174  E8 D3FBFFFF     call 超强灰鸽.00459D4C
  0045A179  8D45 B8         lea eax,dword ptr ss:[ebp-48]
  0045A17C  8B15 BCDC4500   mov edx,dword ptr ds:[45DCBC]
  0045A182  E8 15A0FAFF     call 超强灰鸽.0040419C
  0045A187  8B45 B8         mov eax,dword ptr ss:[ebp-48]
  0045A18A  E8 05A2FAFF     call 超强灰鸽.00404394
  0045A18F  8BD0            mov edx,eax
  0045A191  8D45 BC         lea eax,dword ptr ss:[ebp-44]
  0045A194  E8 339FFAFF     call 超强灰鸽.004040CC
  0045A199  8B45 BC         mov eax,dword ptr ss:[ebp-44]
  0045A19C  E8 43E3FAFF     call 超强灰鸽.004084E4
                            ; delete the virus body
  0045A1A1  EB 42           jmp short 超强灰鸽.0045A1E5
  0045A1A3  8B83 FC020000   mov eax,dword ptr ds:[ebx+2FC]
  0045A1A9  8B80 20020000   mov eax,dword ptr ds:[eax+220]
  0045A1AF  BA A4A34500     mov edx,超强灰鸽.0045A3A4
  0045A1B4  8B08            mov ecx,dword ptr ds:[eax]
  0045A1B6  FF51 38         call dword ptr ds:[ecx+38]
  0045A1B9  EB 2A           jmp short 超强灰鸽.0045A1E5
                            ; processing finished...
  0045A1E5  33C0            xor eax,eax
  0045A1E7  5A              pop edx
  0045A1E8  59              pop ecx
  0045A1E9  59              pop ecx
  0045A1EA  64:8910         mov dword ptr fs:[eax],edx
  0045A1ED  68 07A24500     push 超强灰鸽.0045A207
  0045A1F2  8D45 B8         lea eax,dword ptr ss:[ebp-48]
  0045A1F5  BA 12000000     mov edx,12
  0045A1FA  E8 F99CFAFF     call 超强灰鸽.00403EF8
  0045A1FF  C3              retn

  Summary:

  The detector first calls OpenFileMappingA() to check whether a specific named file-mapping object exists. If it does, it reads the VIP user name, goes on to detect the hidden process module, obtains its process ID and maps that to the concrete file name (from which it assembles the full file path), raises its own privileges (opens the process token and enables the system debug privilege), sends a message with PostMessageA() to close the hidden process's main window, deals with the service process, clears all attributes of the virus file (system, hidden, read-only) and finally deletes the virus body.
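As an added illustration (not the detector's code and not from the original article), the following Python sketch reproduces the cleanup sequence the listing shows: assembling the DLL path from its pieces, choosing the ANSI or Unicode branch on bit 31 of the tested value, and clearing the read-only/hidden/system attributes before deleting. The FILE_ATTRIBUTE_* constants are the real Win32 values; treating the tested call result as GetVersion() is an assumption, and the demo runs against a constructed placeholder file rather than a real sample.

```python
# Added illustration, not the detector's source: rebuild the path the listing
# concatenates, pick the ANSI/Unicode branch, then clear the protective
# attributes and delete, as the "clear attributes" / "delete" steps do.
import os
import sys
import tempfile

# Real Win32 FILE_ATTRIBUTE_* values. SetFileAttributes(path, NORMAL) drops the
# first three, which would otherwise hide the file or make DeleteFile fail.
FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_NORMAL = 0x80
PROTECTIVE = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
HOOK_DLL_PARTS = ("LWVV", "_Hook.DLL")  # the pieces pushed at 00459FDD/00459FE0

def hook_dll_path(windir: str) -> str:
    """Mirror the three-string concat at 00459FED: windir + "\\" + "LWVV" + "_Hook.DLL"."""
    return windir.rstrip("\\/") + "\\" + "".join(HOOK_DLL_PARTS)

def uses_ansi_api(version: int) -> bool:
    """Bit 31 of the result of the call at 0045A018 selects the ANSI routine
    (004586CC) over the Unicode one (004586F8). Assumption: that result is
    GetVersion(), whose high bit is set on Windows 9x."""
    return bool(version & 0x80000000)

def blocking_attributes(attrs: int) -> int:
    """Attribute bits that hide the file or make DeleteFile fail."""
    return attrs & PROTECTIVE

def remove_unprotected(path: str) -> bool:
    """Clear the protective attributes, then delete; True if the file is gone."""
    if not os.path.exists(path):
        return False
    if sys.platform == "win32":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(path, FILE_ATTRIBUTE_NORMAL)
    else:
        os.chmod(path, 0o600)  # POSIX stand-in for dropping the read-only bit
    os.remove(path)
    return not os.path.exists(path)

def demo() -> bool:
    """Run the cleanup on a constructed read-only file in a temp dir."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "LWVV_Hook.DLL")  # placeholder, not the real DLL
        with open(target, "wb") as f:
            f.write(b"constructed placeholder")
        os.chmod(target, 0o400)  # read-only, like a file the detector must unprotect
        return remove_unprotected(target)
```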


  Also, as my own ability is limited, errors and omissions are unavoidable! The detector's principle may well not be as simple as this; I would ask the detector's author or other experts to point out any mistakes. Many thanks! Author: 东毒君
