Question about process injection

reverse-engineering assembly malware injection
2021-07-07 01:03:12

During analysis I found the following piece of malware:

   ...
   lea eax, [ebp+ThreadId]
   push eax                   ;lpThreadId
   push ebx                   ;dwCreationFlags
   push [ebp+lpParameter]     ;lpParameter
   push [ebp+lpStartAddress]  ;lpStartAddress
   push ebx                   ;dwStackSize
   push ebx                   ;lpThreadAttributes
   push [ebp+hProcess]        ;hProcess
   call CreateRemoteThread
   ...

What I know for sure

From some earlier parts I know

xor ebx, ebx -> ebx = NULL or zero

At the address pointed to by lpParameter the malware stores the address of LoadLibrary, and hProcess is a handle to explorer.exe.

What I want to know

Related to lpStartAddress, I found the following lines:

  ...
  push ebx
  push [ebp+nSize]
  push offset loc_402B58
  push [ebp+lpStartAddress]
  push [ebp+hProcess] 
  call WriteProcessMemory
  ...

So the function writes the contents at offset loc_402B58 into the page region starting at lpStartAddress (allocated some lines earlier). Now, when I go to offset loc_402B58, I see the following (note: I am using IDA Pro):

loc_402B58:
 push esi
 mov esi, [esp+8]
 lea eax, [esi+14h]
 push eax
 call dword ptr [esi]
 test eax, eax
 mov [esi+10h], eax
 jz short loc_402B80
 lea ecx, [esi+46h]
 push ecx
 push eax
 call dword ptr [esi+4]
 test eax, eax
 jz short loc_402B80
 call eax
 push 0
 call eax                  <----- edited because I had forgotten it
 push 0                    <-----                    ''
 call dword ptr [esi+8]    <-----                    ''

loc_402B80:
 xor eax, eax
 pop esi
 retn 4

So my question is:

What does the assembly from loc_402B58 through loc_402B80 do?

1 Answer

It should also store the address of GetProcAddress() at <lpparm+4>

It should store a string, the name of the module, at <lpparam+14>

It should store a string, the name of the proc for GetProcAddress, at <lpparm+46>

[esp+8] accesses the lpparam that was written to the remote process; you may need to find that WriteProcessMemory as well and look at the local buffer to know the data (the dll name and the proc name).

Or you may need to attach to the remote process and break on the Thread Create event, single-step through BaseThreadStartThunk(); in this routine you will notice ebp is zeroed there, eax and ebx hold LpStart and lpParam, and this is how lpStart gets executed:

push [ebp+c] lpparam
call [ebp+8] lpStart

esi gets lpparm via mov esi, [esp+8]; in your case it holds the LoadLibrary address, as you correctly observed, but what you did not observe is:

assuming [esp+8] holds 403000 <lpparam>
[[esp+8] + 0]  [403000] holds Address of LoadLibrary as you observed
[[esp+8] + 4]  [403004] will hold Address of GetProcAddress
[[esp+8] + 14] [403014] will hold a string, the dll name
[[esp+8] + 46] [403046] will hold the name of the Proc in the Loaded Dll
[[esp+8] + 10] [403010] gets the Result of the LoadLibrary Return in your above snippet

Edit

Added the annotated snippet for reference

 push esi
 mov esi, [esp+8]    <lpparameter> assuming 403000
 lea eax, [esi+14h]  <lpparameter+14> should be a string, the name of the dll 403014
 push eax            push 403014
 call dword ptr [esi] DWORD [lpparameter+0] = [403000] = Address Of LoadLib so calling loadlib
 test eax, eax
 mov [esi+10h], eax  [lpparam+10] [403010] store LoadLibResult here
 jz short loc_402B80  failure
 lea ecx, [esi+46h] [403046] = <lpparm+46> again a string, name of Proc for GetProcAddress()
 push ecx           processname
 push eax           HandletoLoadedmod
 call dword ptr [esi+4]  Must be Address of GetProcAddress from the looks, check your code
capture the local buffer when Writing to ProcessMemory, or Break on Create new Thread in the RemoteProcess
by attaching a debugger, Executing the RemoteDebuggee, and when a new Thread Create Event is triggered
single step to find the contents of lpparam
 test eax, eax
 jz short loc_402B80
 call eax  <calls the function that was just getproc'ed>
 push 0
 call
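The answer's advice is to capture the local buffer handed to WriteProcessMemory (or dump the remote block at lpParameter) and read the layout the stub expects. The following is an added example, not code from the question or the answer, that decodes such a captured block under the layout the answer describes: function pointers at +0, +4 and +8, the LoadLibrary result slot at +0x10, the DLL name at +0x14 and the export name at +0x46. The base address 0x403000 is the answer's own assumption; the sample block, its pointer values and the symbol map are constructed for the example and are not values from the malware.

```python
"""Decode a captured lpParameter block for the stub at loc_402B58.

Added example; offsets follow the answer above (relative to the block start):
  +0x00  DWORD  address of LoadLibrary      (stub calls it with the string at +0x14)
  +0x04  DWORD  address of GetProcAddress   (stub calls it with the module handle and +0x46)
  +0x08  DWORD  third function pointer      (stub calls it with argument 0; not named on the page)
  +0x10  DWORD  slot the stub fills with the LoadLibrary return value
  +0x14  char[] NUL-terminated DLL name
  +0x46  char[] NUL-terminated export name
"""
import struct

OFF_LOADLIBRARY = 0x00
OFF_GETPROCADDRESS = 0x04
OFF_THIRD_FUNC = 0x08
OFF_RESULT = 0x10
OFF_DLL_NAME = 0x14
OFF_PROC_NAME = 0x46
MIN_BLOCK_SIZE = OFF_PROC_NAME + 2  # at least a one-character proc name plus its NUL


def _read_cstring(buf, offset, limit):
    """Read a NUL-terminated printable-ASCII string from buf[offset:limit]."""
    end = buf.find(b"\x00", offset, limit)
    if end < 0:
        raise ValueError(f"string at +{offset:#x} is not NUL-terminated before +{limit:#x}")
    raw = buf[offset:end]
    if not raw or any(c < 0x20 or c > 0x7E for c in raw):
        raise ValueError(f"string at +{offset:#x} is empty or not printable ASCII: {raw!r}")
    return raw.decode("ascii")


def parse_param_block(buf, base=0x403000, symbols=None):
    """Decode a block captured from the WriteProcessMemory source buffer or dumped
    from the remote process. `symbols` is an optional {address: name} map taken
    from the analyst's debugger session; `base` is only echoed into the report."""
    buf = bytes(buf)
    if len(buf) < MIN_BLOCK_SIZE:
        raise ValueError(f"block is {len(buf)} bytes, need at least {MIN_BLOCK_SIZE}")
    symbols = symbols or {}
    ll, gpa, third = struct.unpack_from("<III", buf, OFF_LOADLIBRARY)
    (result,) = struct.unpack_from("<I", buf, OFF_RESULT)

    def ptr(addr):
        return {"address": addr, "symbol": symbols.get(addr)}

    return {
        "base": base,
        "loadlibrary": ptr(ll),
        "getprocaddress": ptr(gpa),
        "third_func": ptr(third),
        "result_slot": result,
        # The DLL name must end before the proc-name field begins at +0x46.
        "dll_name": _read_cstring(buf, OFF_DLL_NAME, OFF_PROC_NAME),
        "proc_name": _read_cstring(buf, OFF_PROC_NAME, len(buf)),
    }


def looks_like_loader_block(parsed):
    """True when +0/+4 resolve to LoadLibrary*/GetProcAddress and the result slot
    is still zero, i.e. the block was captured before the remote thread ran."""
    ll = parsed["loadlibrary"]["symbol"] or ""
    gpa = parsed["getprocaddress"]["symbol"] or ""
    return "LoadLibrary" in ll and "GetProcAddress" in gpa and parsed["result_slot"] == 0


def report(parsed):
    """Render the decoded block as lines an analyst would paste into notes."""
    def fmt(label, p):
        return f"  {label:<22} {p['address']:#010x}  {p['symbol'] or '<unresolved>'}"
    return "\n".join([
        f"lpParameter block at {parsed['base']:#x}",
        fmt("+0x00 LoadLibrary", parsed["loadlibrary"]),
        fmt("+0x04 GetProcAddress", parsed["getprocaddress"]),
        fmt("+0x08 third function", parsed["third_func"]),
        f"  +0x10 result slot       {parsed['result_slot']:#010x}",
        f"  +0x14 dll name          {parsed['dll_name']!r}",
        f"  +0x46 proc name         {parsed['proc_name']!r}",
    ])


# Constructed sample: placeholder addresses and names, not values from the malware.
SAMPLE_SYMBOLS = {0x7C8A1111: "kernel32!LoadLibraryA", 0x7C8A2222: "kernel32!GetProcAddress"}


def build_sample_block():
    block = bytearray(0x60)
    struct.pack_into("<III", block, OFF_LOADLIBRARY, 0x7C8A1111, 0x7C8A2222, 0x7C8A3333)
    block[OFF_DLL_NAME:OFF_DLL_NAME + 12] = b"example.dll\x00"
    block[OFF_PROC_NAME:OFF_PROC_NAME + 14] = b"ExampleExport\x00"
    return bytes(block)


if __name__ == "__main__":
    decoded = parse_param_block(build_sample_block(), symbols=SAMPLE_SYMBOLS)
    print(report(decoded))
    print("matches the stub's expected layout:", looks_like_loader_block(decoded))
```

The two string readers are deliberately bounded: the DLL name has to terminate before +0x46, because a name that overruns that field would be read by the stub as part of the export name, so a block that fails that check is not one this stub could use as intended.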