分析工具: softice , OD
我的操作系统: win 2000 sp4 , win 98
分析对象: QQ2005贺岁版 珊瑚虫外挂
为了方便分析,我先把CoralQQ.dll和coralqq.exe先脱壳,这两个文件加的都是超弱壳,脱壳过程不在这里多说.
由于win nt 平台和win9x 的差异,珊瑚虫外挂因系统的不同而分开两种工作原理.
我们都知道,珊瑚外挂是给QQ的主程序QQ.exe外挂了一个Coralqq.dll,而完成这个工作的就是coralqq.exe .要加载一个dll文件必须是qq.exe自己的某个线程执行LoadLibraryA,并且以coralqq.dll为参数,但qq.exe本来根本没有这样的一段代码,怎么办?答案很简单,既然它没有,那就让我们帮它加上去,coralqq.exe就是利用WriteProcessMemory帮QQ.exe加上了这样一段代码,并且改变程序流程,让qq.exe先加载coralqq.dll再跳到原来的oep执行.
想了一下,比较合理的方法有:
1.在nt内核的系统上,利用远程线程的方法,首先用CreateProcess创建QQ.exe的进程,同时创建了主线程,再用VirtualAllocEx在qq.exe中申请一块内存,然后把我们的代码写进去,最后用CreateRemoteThread在qq的进程中创建另外一个线程,其开始执行的地方正是我们自己加入的代码首地址.
2.先用CreateProcess创建QQ进程和主线程,在QQ的内存空间中找个合理的地方写入我们的代码,然后修改某个地方(例如OEP)使QQ先跳去执行我们写入的代码,加载coralqq.dll,修复原来改过的oep,然后跳回oep让程序正常执行.
下面就让我们分析一下珊瑚虫的外挂是怎样做到的,首先分析nt平台上的运行过程.
用OD载入脱壳后的coralqq.exe,停在下面:
00418E2C >/$ 55 push ebp
00418E2D . 8BEC mov ebp,esp
00418E2F . 83C4 F0 add esp,-10
00418E32 . B8 648D4100 mov eax,CoralQQ.00418D64
00418E37 . E8 A4BAFEFF call CoralQQ.004048E0
00418E3C . A1 F49D4100 mov eax,dword ptr ds:[419DF4]
00418E41 . 33D2 xor edx,edx
00418E43 . E8 30F4FFFF call CoralQQ.00418278
00418E48 . A1 F49D4100 mov eax,dword ptr ds:[419DF4]
00418E4D . 8B00 mov eax,dword ptr ds:[eax]
00418E4F . 83C0 18 add eax,18
00418E52 . E8 F9C6FEFF call CoralQQ.00405550
00418E57 . E8 08A9FEFF call CoralQQ.00403764
然后下断点: bp CreateRemoteThread ,然后运行,结果发现,OD根本没有断下,证明珊瑚虫的外挂没有使用远程线程的方法,难道它是用了第二种方法?我们再验证一下:首先在OD中bp CreateProcess,断下,反回后,用winhex打开QQ.exe的内存,把QQ.exe的OEP处改为CC,接着在softice中 bpint 3 ,在OD中按F9运行,接着就是中断在softice中,把oep(464b58)处还原,在再softice下 bpm 464b58 ,然后结束程序,再运行coralqq.exe发现自始至终那个bpm断点还是没有断下,证明珊瑚虫外挂在2000下也没有修改QQ.exe的oep来改变程序流程,晕.没办法,只好在OD中下WriteProcessMemory断点,看看它究竟修改了哪里.
00231012 57 push edi
00231013 8B4424 24 mov eax,dword ptr ss:[esp+24]
00231017 A3 70302300 mov dword ptr ds:[233070],eax
0023101C 8305 70302300 04 add dword ptr ds:[233070],4
00231023 E8 5C000000 call
上面创建后的QQ主线程是暂停的,不会马上执行,在win9x下也是这样.
第一次中断时堆栈显示:
0012EBDC 0040C75C /CALL 到 WriteProcessMemory 来自 CoralQQ.0040C756
0012EBE0 00000018 hProcess = 00000018
0012EBE4 5F000000 Address = 5F000000
0012EBE8 00CC0F44 Buffer = 00CC0F44
0012EBEC 000000D2 BytesToWrite = D2 (210.)
0012EBF0 0012EC68 /pBytesWritten = 0012EC68
第二次:
0012EC70 00416231 /CALL 到 WriteProcessMemory 来自 CoralQQ.0041622C
0012EC74 00000018 hProcess = 00000018
0012EC78 5F010000 Address = 5F010000
0012EC7C 0012EE9F Buffer = 0012EE9F
0012EC80 00000025 BytesToWrite = 25 (37.)
0012EC84 0012EFD0 /pBytesWritten = 0012EFD0
第三次:
0012EC70 004162CB /CALL 到 WriteProcessMemory 来自 CoralQQ.004162C6
0012EC74 00000018 hProcess = 00000018
0012EC78 77F84BC0 Address = 77F84BC0
0012EC7C 0012EFC3 Buffer = 0012EFC3
0012EC80 00000005 BytesToWrite = 5
0012EC84 0012EFD0 /pBytesWritten = 0012EFD0
第四次:
0012EC70 0041632B /CALL 到 WriteProcessMemory 来自 CoralQQ.00416326
0012EC74 00000018 hProcess = 00000018
0012EC78 5F010025 Address = 5F010025
0012EC7C 0012EC96 Buffer = 0012EC96
0012EC80 00000208 BytesToWrite = 208 (520.)
0012EC84 0012EFD0 /pBytesWritten = 0012EFD0
第五次:
0012EC70 0041634B /CALL 到 WriteProcessMemory 来自 CoralQQ.00416346
0012EC74 00000018 hProcess = 00000018
0012EC78 5F010000 Address = 5F010000
0012EC7C 0012EE9F Buffer = 0012EE9F
0012EC80 00000025 BytesToWrite = 25 (37.)
0012EC84 0012EFD0 /pBytesWritten = 0012EFD0
留意第三次中断: 77F84BC0 对应着: NtTestAlert 所在库:ntdll.dll
程序每次执行前都要经过 ntdll.dll 的 NtTestAlert函数,它使函数首句跳到某个
地方,从而改变程序流程.
00417E7E 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00417E81 50 push eax
00417E82 E8 DDCDFEFF call
把 0012efc3 处的E9改为CC,再在softice中bpint 3 ,让其中断后跟踪:
001B:77F84BC0 E93BB408E7 JMP 5F010000
单步执行跟踪
001B:5F010000 B80000015F MOV EAX,5F010000
001B:5F010005 B90000005F MOV ECX,5F000000
001B:5F01000A FFD1 CALL ECX
此时ecx的值为5F000000
001B:5F000000 55 PUSH EBP
001B:5F000001 8BEC MOV EBP,ESP
001B:5F000003 83C4EC ADD ESP,-14
001B:5F000006 53 PUSH EBX
001B:5F000007 56 PUSH ESI
001B:5F000008 8BD8 MOV EBX,EAX
001B:5F00000A 896DFC MOV [EBP-04],EBP
001B:5F00000D 8B431C MOV EAX,[EBX+1C]
001B:5F000010 8B55FC MOV EDX,[EBP-04]
001B:5F000013 83C204 ADD EDX,04
001B:5F000016 8902 MOV [EDX],EAX
001B:5F000018 8B431C MOV EAX,[EBX+1C]
001B:5F00001B 8945EC MOV [EBP-14],EAX
001B:5F00001E C745FC05000000 MOV DWORD PTR [EBP-04],00000005
001B:5F000025 8D45F8 LEA EAX,[EBP-08]
001B:5F000028 50 PUSH EAX
001B:5F000029 6A40 PUSH 40
001B:5F00002B 8D45FC LEA EAX,[EBP-04]
001B:5F00002E 50 PUSH EAX
001B:5F00002F 8D45EC LEA EAX,[EBP-14]
001B:5F000032 50 PUSH EAX
001B:5F000033 6AFF PUSH FF
001B:5F000035 FF15C600005F CALL [5F0000C6]
001B:5F00003B 8B431C MOV EAX,[EBX+1C]
001B:5F00003E 8B5320 MOV EDX,[EBX+20]
001B:5F000041 8910 MOV [EAX],EDX ;恢复Ntdll.NtTestAlert入口处
001B:5F000043 8A5324 MOV DL,[EBX+24]
001B:5F000046 885004 MOV [EAX+04],DL
001B:5F000049 C745FC05000000 MOV DWORD PTR [EBP-04],00000005
001B:5F000050 8D45F8 LEA EAX,[EBP-08]
001B:5F000053 50 PUSH EAX
001B:5F000054 8B45F8 MOV EAX,[EBP-08]
001B:5F000057 50 PUSH EAX
001B:5F000058 8D45FC LEA EAX,[EBP-04]
001B:5F00005B 50 PUSH EAX
001B:5F00005C 8D45EC LEA EAX,[EBP-14]
001B:5F00005F 50 PUSH EAX
001B:5F000060 6AFF PUSH FF
001B:5F000062 FF15CA00005F CALL [5F0000CA]
001B:5F000068 8B7318 MOV ESI,[EBX+18]
001B:5F00006B 4E DEC ESI
001B:5F00006C 85F6 TEST ESI,ESI
001B:5F00006E 7C4C JL 5F0000BC
001B:5F000070 46 INC ESI
001B:5F000071 8D4325 LEA EAX,[EBX+25]
001B:5F000074 8BD8 MOV EBX,EAX
001B:5F000076 33D2 XOR EDX,EDX
001B:5F000078 8BC3 MOV EAX,EBX
001B:5F00007A 66833800 CMP WORD PTR [EAX],00
001B:5F00007E 740C JZ 5F00008C
001B:5F000080 42 INC EDX
001B:5F000081 83C002 ADD EAX,02
001B:5F000084 81FA03010000 CMP EDX,00000103
001B:5F00008A 75EE JNZ 5F00007A
001B:5F00008C 8BC2 MOV EAX,EDX
001B:5F00008E 03C0 ADD EAX,EAX
001B:5F000090 668945F0 MOV [EBP-10],AX
001B:5F000094 6683C002 ADD AX,02
001B:5F000098 668945F2 MOV [EBP-0E],AX
001B:5F00009C 8BC3 MOV EAX,EBX
001B:5F00009E 8945F4 MOV [EBP-0C],EAX
001B:5F0000A1 8D45FC LEA EAX,[EBP-04]
001B:5F0000A4 50 PUSH EAX
001B:5F0000A5 8D45F0 LEA EAX,[EBP-10]
001B:5F0000A8 50 PUSH EAX
001B:5F0000A9 6A00 PUSH 00
001B:5F0000AB 6A00 PUSH 00
001B:5F0000AD FF15CE00005F CALL [5F0000CE] ;call LoadLibraryA
001B:5F0000B3 81C308020000 ADD EBX,00000208
001B:5F0000B9 4E DEC ESI
001B:5F0000BA 75BA JNZ 5F000076
001B:5F0000BC 5E POP ESI
001B:5F0000BD 5B POP EBX
001B:5F0000BE 8BE5 MOV ESP,EBP
001B:5F0000C0 5D POP EBP
001B:5F0000C1 C3 RET
001B:5F0000C2 0000 ADD [EAX],AL
001B:5F0000C4 0000 ADD [EAX],AL
001B:5F0000C6 C4BFF877C4BF LES EDI,[EDI+BFC477F8]
001B:5F0000CC F8 CLC
001B:5F0000CD 7761 JA 5F000130
001B:5F0000CF 32F8 XOR BH,AL
001B:5F0000D1 7700 JA 5F0000D3