逗逗谜 posted on 2019-8-15 15:44:00

[Reversing] Reversing Delphi Programs: Analysis of the Panda Burning Incense (熊猫烧香) Virus

<h1>1. Preface</h1>
<p>This post records some methods and tricks for reversing Delphi programs, together with the analysis process of the Panda Burning Incense (熊猫烧香) virus.</p>
<h1>2. Analysis tips</h1>
<p>2.1 Load the Delphi program in IDR or DEDE, export a Map file, and import that Map file into OllyDbg (OD).</p>
<p>2.2 After loading the Delphi program in IDA, adjust the compiler options (including the ASCII string style) to match the actual build; this improves code readability.</p>
<p>2.3 Apply the Delphi signature files in IDA so that common system function calls are identified.</p>
<p>2.4 IDR recognizes Delphi library functions at a higher rate than IDA, so use it alongside OD/IDA during dynamic debugging.</p>
<p>2.5 For commonly used Delphi system library functions, consult the Delphi System unit source, or see the reference links at the end of this post.</p>
<p>2.6 Delphi programs use the fastcall calling convention: the first two parameters are passed in eax and edx, the remaining parameters are pushed on the stack from left to right, and the callee restores the stack. (The registers used and the push order may differ between compilers; check the specific case.)</p>
<div class="cnblogs_code">
<pre>004529A9    push    dword ptr ds:        // parameter 3: "Hello"
004529AF    push    452A18 ; ' '         // parameter 4: " "
004529B4    push    dword ptr ds:        // parameter 5: "World"
004529BA    lea     eax,                 // parameter 1
004529BD    mov     edx,3                // parameter 2
004529C2    call    @LStrCatN            // LStrCatN(lpBuff, 3, "Hello", " ", "World")</pre>
</div>
<h1>3. Analysis workflow</h1>
<h2>3.1 Flowchart</h2>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908201159968-501748467.png" alt=""></p>
<h2>3.2 Static analysis</h2>
<h3>3.2.1 Import table analysis</h3>
<div class="cnblogs_code">
<pre>File:
  0x0000       "CreateFileA"
  0x0000       "WriteFile"
  0x0000       "ReadFile"
  0x0000       "FindNextFileA"
Network:
  0x0000       "socket"
  0x0000       "connect"
  0x0000       "InternetReadFile"
  0x0000       "InternetOpenUrlA"
Service:
  0x0000       "OpenServiceA"
  0x0000       "OpenSCManagerA"
  0x0000       "DeleteService"
  0x0000       "ControlService"
  0x0000       "CloseServiceHandle"
Process/thread:
  0x0000       "CreateThread"
  0x0000       "TerminateProcess"
  0x0000       "WinExec"
Registry:
  0x0000       "RegSetValueExA"
  0x0000       "RegDeleteValueA"
  0x0000       "RegCreateKeyExA"
Other:
  0x0000       "SetTimer"
  0x0000       "NetRemoteTOD"
  0x0000       "NetScheduleJobAdd"
  0x0000       "URLDownloadToFileA"
  0x0000       "OpenProcessToken"
  0x0000       "LookupPrivilegeValueA"
  0x0000       "AdjustTokenPrivileges"
  0x0000       "WNetAddConnection2A"
  0x0000       "WNetCancelConnectionA"</pre>
</div>
<h2>3.3 Dynamic analysis</h2>
<h3>3.3.1 Initialization self-check</h3>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908000223508-157384317.png" alt=""></p>
<h3>3.3.2 Main function module 1: self-copy, self-deletion via .bat</h3>
<p>Check whether the ini configuration file exists in the current path; delete it if it does.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908002451387-756608059.png" alt=""></p>
<p>If the current file has not been infected and is not "drivers\spcolsv.exe", copy itself there and run the copy.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908003404817-281726107.png" alt=""></p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908003412204-400232514.png" alt=""></p>
<p>If this is an infected file, release the original file from itself, create a .bat that deletes the infected file, run the original file, then self-delete.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908004616410-2102292294.png" alt=""></p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908004623352-617522205.png" alt=""></p>
<p>If "drivers\spcolsv.exe" is already running, the program exits; otherwise it deletes "drivers\spcolsv.exe", recreates it, and runs it.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908011336441-101626603.png" alt=""></p>
<h3>3.3.3 Main function module 2</h3>
<p>Recursively traverse directories and infect .exe and similar files.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908014244103-2000960040.png" alt=""></p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908021824941-116394937.png" alt=""></p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908021622136-542404561.png" alt=""></p>
<p>Recursively traverse directories and infect .html and similar files.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908014251087-103520945.png" alt=""></p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908022048088-1131101607.png" alt=""></p>
<p>Delete .GHO system backup files.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908014209952-1215750610.png" alt=""></p>
<p>Generate the ini configuration file in every folder and update it with the current date.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908022729153-988447286.png" alt=""></p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908022736800-523448655.png" alt=""></p>
<p>Set a timer that fires every 6 seconds and generates setup.exe and autorun.inf in the root directory of each disk.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908023958112-1626244202.png" alt=""></p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908182556457-198376204.png" alt=""></p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908024007628-1063567956.png" alt=""></p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908024016444-541046360.png" alt=""></p>
<p>Create a thread that infects hosts on the LAN through ports 139 and 445.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908185033761-984519971.png" alt=""></p>
<p>Copy itself to the shared directories of network hosts and create a scheduled job that runs "GameSetup.exe".</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908190457223-1627355453.png" alt=""></p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908190631316-967336190.png" alt=""></p>
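<p>As an added example (not from the original article), the following Python script walks a directory tree, such as a mounted drive or a share, and reports the filesystem artifacts described in 3.3.2 and 3.3.3: the copy under drivers\, the setup.exe + autorun.inf pair in the root, the per-folder ini marker holding a date, and GameSetup.exe on shares. The marker's exact date layout and the sample tree are constructed assumptions, and the registry-side artifacts (Run key, hidden-file setting) are not covered.</p>

```python
import os, re, tempfile
from pathlib import Path

# Artifact names from the article: spcolsv.exe dropped under drivers\, setup.exe +
# autorun.inf in the drive root, the per-folder ini marker, GameSetup.exe on shares.
DROPPED_COPY = "spcolsv.exe"
ROOT_DROPPER = "setup.exe"
ROOT_AUTORUN = "autorun.inf"
SHARE_DROPPER = "gamesetup.exe"
# Assumption: the marker stores the date as YYYY-M-D (the article only says it
# holds the current date), so this regex and the sample below are constructed.
DATE_RE = re.compile(rb"\b\d{4}-\d{1,2}-\d{1,2}\b")

def scan_tree(root):
    """Walk a tree (drive root or share) and return sorted (kind, relative path) findings."""
    root = Path(root)
    findings = []
    top = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    # The root drop only counts as a pair: an autorun.inf that launches setup.exe.
    if ROOT_AUTORUN in top and ROOT_DROPPER in top:
        if ROOT_DROPPER.encode() in top[ROOT_AUTORUN].read_bytes().lower():
            findings.append(("root_autorun", top[ROOT_AUTORUN].name))
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        for name in files:
            low, p = name.lower(), d / name
            rel = p.relative_to(root).as_posix()
            if low == DROPPED_COPY and d.name.lower() == "drivers":
                findings.append(("dropped_copy", rel))
            elif low == SHARE_DROPPER:
                findings.append(("share_dropper", rel))
            elif low.endswith(".ini") and DATE_RE.search(p.read_bytes()):
                findings.append(("folder_marker", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: an infected-looking tree plus benign files (no real malware)."""
    root = Path(tempfile.mkdtemp())
    (root / "autorun.inf").write_bytes(b"[AutoRun]\r\nopen=setup.exe\r\n")
    (root / "setup.exe").write_bytes(b"MZ placeholder")
    (root / "Windows" / "drivers").mkdir(parents=True)
    (root / "Windows" / "drivers" / "spcolsv.exe").write_bytes(b"MZ placeholder")
    (root / "share").mkdir()
    (root / "share" / "GameSetup.exe").write_bytes(b"MZ placeholder")
    (root / "share" / "marker.ini").write_bytes(b"2019-8-15\r\n")
    (root / "share" / "settings.ini").write_bytes(b"[App]\r\nlang=en\r\n")  # benign ini
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```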
<h3>3.3.4 Main function module 3</h3>
<p>Create timers that carry out different tasks.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908191900702-1258228921.png" alt=""></p>
<p>Terminate antivirus, Task Manager and similar processes.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908192728285-2126556301.png" alt=""></p>
<p>Set a Run registry key entry for autostart.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908193045673-315198281.png" alt=""></p>
<p>Set hidden files to not be shown.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908193429722-1574867867.png" alt=""></p>
<p>Decrypt the URL, then download and execute.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908194019842-813666708.png" alt=""></p>
<p>Remove network shares.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908194252535-371958217.png" alt=""></p>
<p>Stop and delete antivirus services.</p>
<p><img src="https://img2018.cnblogs.com/blog/1743055/201909/1743055-20190908194526059-442022731.png" alt=""></p>
<p>Reference for commonly used Delphi library functions:</p>
<p>https://www.cnblogs.com/Little-Star/p/7541389.html</p>
<p>https://www.pediy.com/kssd/pediy06/pediy6843.htm</p>
<p>Sample and debugging files download:</p>
<p>https://files.cnblogs.com/files/SunsetR/熊猫烧香样本.zip (password: "SunsetBlogs")</p><br><br>
Source: https://www.cnblogs.com/SunsetR/p/11358388.html