Corals plug Principle Analysis: RunJin runjin000@yahoo.com.cn analysis tools: softice, OD my operating system: win 2000 sp4, win 98 analysis objects: QQ2005 Hesuiban corals plug-in in order to facilitate analysis, and I put CoralQQ.dll Coralqq.exe first shells, these two files are superneath, the shelling process is not here. Due to the Win NT platform and Win9X difference, the coral insects have different working principles due to the different systems. We They all know that coral plug-in is a coralqq.dll, which is hung up to QQ's main program QQ.EXE, and completing this work is CORALQQ.exe. To load a DLL file must be QQ.EXE's own thread to perform LoadLibrarya, and With coralqq.dll as a parameter, QQ.EXE has not yet, what should I do? The answer is simple, since it doesn't, let us help it, CORALQQ.exe is using WriteProcessMemory to help QQ.EXE plus On such a code, change the program process, let QQ.EXE load CORALQQ.dll and then jump to the original OEP execution. Think, relatively reasonable methods are: 1. On the NT core system, use the remote thread Method, first create QQ.exe's process with CreateProcess, and create a primary thread, and use VirtualaLalkEx to apply for a memory in QQ.exe, then write our code, and finally create another one in QQ process in QQ process. Thread, where it starts to execute is the first code first address. 2. First create the QQ process and main thread first, find a reasonable place to write to our code in QQ memory space, then modify a certain Place (for example, OEP) makes QQ first jumps to execute the code we wrote, loads CORALQQ.dll, fix the original OEP, then jump back to the OEP to make it normal. Let us analyze how the coral plug is doing First, analyze the running process on the NT platform. Use OD to load the shelled Coralqq.exe, stopped below: 00418E2C>
. / $ 55 push ebp00418E2D | 8BEC mov ebp, esp00418E2F | 83C4 F0 add esp, -1000418E32 | B8 648D4100 mov eax, CoralQQ.00418D6400418E37 | E8 A4BAFEFF call CoralQQ.004048E000418E3C | A1 F49D4100 mov eax, dword ptr ds....: [419DF4] 00418E41 | 33D2 xor edx, edx00418E43 | E8 30F4FFFF call CoralQQ.0041827800418E48 | A1 F49D4100 mov eax, dword ptr ds:.... [419DF4] 00418E4D | 8B00 mov eax, dword ptr ds: [eax] 00418E4F |. 83C0 18 Add Eax, 1800418E52 |. E8 F9C6Feff Callqq.004055000418E57 |. E8 08A9FEFF CALALQ.004055000418E57 |. E8 08A9FEFF CALALQQ.00403764 Then the breakpoint: BP CreateremoteThread, then run, the result is found that OD is not broken, prove the plug-in plug-in no remote thread How does it use a second method? We can then verify: First in the OD BP CreateProcess, broken, reverse, use WinHex to open QQ.EXE memory, change QQ.exe's OEP CC, then in Softice, BPINT 3, press F9 in OD, then the interrupt is in Softice, restoring OEP (464B58), in the Softice BPM 4 64b58, then end the program, then run CORALQQ.EXE to find that the BPM breakpoint is still not broken, prove that the coral insects have not modified QQ.exe's OEP to change the program process, halo. No way, I have to be in OD under WriteProcessMemory break and see where it actually modifies the .00231012 57 push edi00231013 8B4424 24 mov eax, dword ptr ss: [esp 24] 00231017 A3 70302300 mov dword ptr ds: [233070], eax0023101C 8305 70302300 04 add dword ptr DS: [233070], 400231023 E8 5C000000 Call
D2 (210.) 0012EBF0 0012EC68 / pBytesWritten = 0012EC68 Second: 0012EC70 00416231 / CALL to WriteProcessMemory from CoralQQ.0041622C0012EC74 00000018 | hProcess = 000000180012EC78 5F010000 | Address = 5F0100000012EC7C 0012EE9F | Buffer = 0012EE9F0012EC80 00000025 | BytesToWrite = 25 (37.) 0012EC84 0012EFD0 / pBytesWritten = 0012EFD0 third: 0012EC70 004162CB / CALL to WriteProcessMemory from CoralQQ.004162C60012EC74 00000018 | hProcess = 000000180012EC78 77F84BC0 | Address = 77F84BC00012EC7C 0012EFC3 | Buffer = 0012EFC30012EC80 00000005 | BytesToWrite = 50012EC84 0012EFD0 / pBytesWritten = 0012EFD0 fourth: 0012EC70 0041632B / CALL to WriteProcessMemory from CoralQQ.004163260012EC74 00000018 | hProcess = 000000180012EC78 5F010025 | Address = 5F0100250012EC7C 0012EC96 | Buffer = 0012EC960012EC80 00000208 | BytesToWrite = 208 (520.) 0012EC84 0012EFD0 / pBytesWritten = 0012EFD0 fifth: 0012EC70 0041634B / CALL to WriteProcessMemory from CoralQQ .004163460012EC74 00000018 | HPROCESS = 000000180012EC78 5F010000 | Address = 5F0100000012EC7C 0012EE9F | Buffer = 0012EE9F0012EC80 00000025 | BytesToWrite = 25 (37.) 0012EC84 0012EFD0 / pBytesWritten = 0012EFD0 pay attention to the third interruption: 77F84BC0 corresponds: NtTestAlert where the library: ntdll.dll before each program to be executed After NTDLL.DLL's NTTestalert function, it jumps to a place to change the program process .00417E7E 8B45 F4 MOV EAX, DWORD PTR SS: [EBP-C] 00417E81 50 Push EAX00417E82 E8 DDCDFEFF CALL
Make QQ's main thread to change E9 at 0012EFC3 to CC, then in Softice BPINT 3, let it break trace: 001b: 77F84BC0 E93BB408E7 JMP 5F010000 single-step execution Track 001b: 5F010000 B80000015F MOV EAX, 5F0100005F MOV eCX, 5F000000001B: 5F01000A FFD1 CALL eCX case ecx value 5F000000001B: 5F000000 55 PUSH EBP001B: 5F000001 8BEC MOV EBP, ESP001B: 5F000003 83C4EC ADD ESP, -14001B: 5F000006 53 PUSH EBX001B: 5F000007 56 PUSH ESI001B: 5F000008 8BD8 MOV EBX , EAX001B: 5F00000A 896DFC MOV [EBP-04], EBP001B: 5F00000D 8B431C MOV EAX, [EBX 1C] 001B: 5F000010 8B55FC MOV EDX, [EBP-04] 001B: 5F000013 83C204 Add EDX, 04001B: 5F000016 8902 MOV [EDX ], EAX001B: 5F000018 8B431C MOV EAX, [EBX 1C] 001B: 5F00001B 8945EC MOV [EBP-14], EAX001B: 5F00001E C745FC05000000 MOV DWORD PTR [EBP-04], 00000005001B: 5F000025 8D45F8 LEA EAX, [EBP-08] 001B: 5F000028 50 PUSH EAX001B: 5F000029 6A40 PUSH 40001B: 5F00002B 8D45FC LEA EAX, [EBP-04] 001B: 5F00002E 50 PUSH EAX001B : 5F00002F 8D45EC LEA EAX, [EBP-14] 001B: 5F000032 50 PUSH EAX001B: 5F000033 6AFF PUSH FF001B: 5F000035 FF15C600005F CALL [5F0000C6] 001B: 5F00003B 8B431C MOV EAX, [EBX 1C] 001B: 5F00003E 8B5320 MOV EDX, [EBX 20] 001B: 5F000041 8910 MOV [EAX], EDX;
Recovery Ntdll.NtTestAlert entrance 001B: 5F000043 8A5324 MOV DL, [EBX 24] 001B: 5F000046 885004 MOV [EAX 04], DL001B: 5F000049 C745FC05000000 MOV DWORD PTR [EBP-04], 00000005001B: 5F000050 8D45F8 LEA EAX, [ EBP-08] 001B: 5F000053 50 PUSH EAX001B: 5F000054 8B45F8 MOV EAX, [EBP-08] 001B: 5F000057 50 PUSH EAX001B: 5F000058 8D45FC LEA EAX, [EBP-04] 001B: 5F00005B 50 PUSH EAX001B: 5F00005C 8D45EC LEA EAX, [EBP-14] 001B: 5F00005F 50 PUSH EAX001B: 5F000060 6AFF PUSH FF001B: 5F000062 FF15CA00005F CALL [5F0000CA] 001B: 5F000068 8B7318 MOV ESI, [EBX 18] 001B: 5F00006B 4E DEC ESI001B: 5F00006C 85F6 TEST ESI, ESI001B: 5F00006E 7C4C JL 5F0000BC001B: 5F000070 46 INC ESI001B: 5F000071 8D4325 LEA EAX, [EBX
25] 001B: 5F000074 8BD8 MOV EBX, EAX001B: 5F000076 33D2 XOR EDX, EDX001B: 5F000078 8BC3 MOV EAX, EBX001B: 5F00007A 66833800 CMP WORD PTR [EAX], 00001B: 5F00007E 740C JZ 5F00008C001B: 5F000080 42 INC EDX001B: 5F000081 83C002 ADD EAX , 02001B: 5F000084 81FA03010000 CMP EDX, 00000103001B: 5F00008A 75EE JNZ 5F00007A001B: 5F00008C 8BC2 MOV EAX, EDX001B: 5F00008E 03C0 ADD EAX, EAX001B: 5F000090 668945F0 MOV [EBP-10], AX001B: 5F000094 6683C002 ADD AX, 02001B: 5F000098 668945F2 MOV [EBP-0E], AX001B: 5F00009C 8BC3 MOV EAX, EBX001B: 5F00009E 8945F4 MOV [EBP-0C], EAX001B: 5F0000A1 8D45FC LEA EAX, [EBP-04] 001B: 5F0000A4 50 Push Eax001b: 5F0000A5 8D45F0 LE A EAX, [EBP-10] 001B: 5F0000A8 50 Push EAX001B: 5F0000A9 6A00 PUSH 00001B: 5F0000AB 6A00 PUSH 00001B: 5F0000AD FF15CE00005F CALL [5F0000CE];
call LoadLibraryA001B: 5F0000B3 81C308020000 ADD EBX, 00000208001B: 5F0000B9 4E DEC ESI001B: 5F0000BA 75BA JNZ 5F000076001B: 5F0000BC 5E POP ESI001B: 5F0000BD 5B POP EBX001B: 5F0000BE 8BE5 MOV ESP, EBP001B: 5F0000C0 5D POP EBP001B: 5F0000C1 C3 RET001B: 5F0000C2 0000 ADD [ EAX], AL001B: 5F0000C4 0000 ADD [EAX], AL001B: 5F0000C6 C4BFF877C4BF LES EDI, [EDI BFC477F8] 001B: 5F0000CC F8 CLC001B: 5F0000CD 7761 JA 5F000130001B: 5F0000CF 32F8 XOR BH, AL001B: 5F0000D1 7700 JA 5F0000D3 we re-analyze How does the plug in corals under Win9X run. Use OD to load CORALQQ.EXE00415C9D MOV DWORD PTR SS: [EBP-C], ECX00415CA0 MOV DWORD PTR SS: [EBP-4], EDX00415CA3 MOV DWORD PTR SS: [EBP -8], EBX00415CA6 XOR EBX, EBX00415CA8 Call
/CoralQQ.00415BD400415CD6 | pop ecx00415CD7 | test al, al00415CD9 | je short CORALQQ.00415CDF00415CDB | mov bl, 100415CDD | jmp short CORALQQ.00415D2900415CDF | mov esi, dword ptr ss: [ebp-24] 00415CE2 | mov eax, dword ptr ss : [EBP-1C] 00415CE5 | Add Edi, EAX00415CE7 PUSH 1C; / BUFSIZE = 1C (28.) 00415CE9 | Lea Eax, DWORD PTR SS: [EBP-28]; 00415CEC | PUSH ED; | Buffer00415Ced | Push EDI; | Address00415CEE | mov eax, dword ptr ss: [ebp-8]; | 00415CF1 | push eax; | hProcess00415CF2 | call
0067EA7C It writes a buffer 0067EABC's 658 byte into QQ.EXE memory 83138AAC, under Win98, the shared (MMF) partition in the process memory is 0x80000000 ~ 0xBffFFFFF, all memory maps and system sharing DLL will load In this address, those mapping files and system shares DLL are often relatively high, so, from the 80000000 address, a large number of address spaces are often more "free", of course, not to say these addresses. It can be written, as for how this 83138AAC address value is calculated, I haven't analyzed it yet, but I think another feasible method, and after my own programming confirmed, that is, the size of 1000h, From 80000000, use WriteProcessMemory to write data until the write is successful, prove that the address of the 1000H is available, and the memory space of 1000h is enough for us to put the code, the reason why it is in units of 1000h, because considering block alignment continue to follow: 00415A39 | 8D45 F8 lea eax, dword ptr ss:..... [ebp-8] 00415A3C | 50 push eax; / pOldProtect00415A3D | 6A 40 push 40; | NewProtect = PAGE_EXECUTE_READWRITE00415A3F | 57 push edi; | Size00415A40 | 56 push esi;. | Address00415A41 | 53 push ebx;. |. hProcess00415A42 | E8 85F2FEFF call <. jmp & kernel32.VirtualProtectEx>; / VirtualProtectEx above code is to change the properties of oep QQ.exe at so-readable can Write executables, in preparation for rewriting the code oep at Next, look again interrupt stack WriteProcessMemory: 0067EA5C 0000000C | hProcess = 0000000C0067EA60 00464B58 | Address = 464B580067EA64 0067EE46 | Buffer = 0067EE460067EA68 00000005 | BytesToWrite = 50067EA6C 0067EA7C / pBytesWritten = 0067EA7C464b58 is Qq.exe's OEP, it is obvious that it will change the OEP to change the program process !! Well, we use the way, change 0067EEA6's first byte to CC, in Softice, BPINT 3, then interrupt, Take again. After Softice is interrupted: 0167004658 E91328CE82 JMP 83147370 0167: 83147370 C705584B460058BEC6AMOV DWORD PTR [00464B58], 6AEC8B55;
Immediately recovery code oep at 0167: 8314737A C6055C4B4600FF MOV BYTE PTR [00464B5C], FF0167: 83147381 68FA731483 PUSH 831473FA0167: 83147386 6838000000 PUSH 000000380167: 8314738B 6A40 PUSH 400167: 8314738D FF15F6731483 CALL [! KERNEL32 GlobalAlloc]; another Application Memory 0167: 83147393 C700B85077F7 MOV DWORD PTR [EAX], F77750B8; from here has been filled in the new data 0167: 83147399 C74004BFFFD068 MOV DWORD PTR [EAX 04], 68D0FFBF0167: 831473A0 C7400870731483 MOV DWORD PTR [EAX 08], 831473700167: 831473A7 C7400CB89348E9 MOV DWORD PTR [EAX 0C], E94893B80167: 831473AE C74010BFFFD0B8 MOV DWORD PTR [EAX 10], B8D0FFBF0167: 831473B5 C74014584B4600 MOV DWORD PTR [EAX 14], 00464B580167: 831473BC C74018FFE0C705 MOV DWORD PTR [EAX 18], 05C7E0FF0167: 831473C3 C7401C584B4600 MOV DWORD PTR [EAX 1C], 00464B580167: 831473CA C74020558BEC6A MOV DWORD PTR [EAX 20], 6AEC8B550167: 831473D1 C74024C6055C4B M OV DWORD PTR [EAX 24], 4B5C05C60167: 831473D8 C740284600FF68 MOV DWORD PTR [EAX 28], 68FF00460167: 831473DF C7402CFA731483 MOV DWORD PTR [EAX 2C], 831473FA0167: 831473E6 C7403068380000 MOV DWORD PTR [EAX 30], 000038680167: 831473ED C74034006A40FF MOV DWORD PTR [EAX 34], FF406A000167: 831473F4 FFE0 JMP EAX; this time EAX is 0063059C0167: 0063059C B85077F7BF MOV Eax, kernel32! LoadingLibraryA;
Loading Coralqq.dll0167: 006305A1 FFD0 CALL EAX0167: 006305A3 6870731483 PUSH 831473700167: 006305A8 B89348E9BF MOV EAX, COMCTL32 ORD_00490167: 006305AD FFD0 CALL EAX0167: 006305AF B8584B4600 MOV EAX, 00464B58 0167:! 006305B4 FFE0 JMP EAX; jump back to the entry point QQ.exe The analysis is complete. Here, we can summarize it. CORALQQ.EXE in Win2000 / XP first creates QQ process, and also creates QQ's suspended main thread, then call the code to the QQ process, modify NTDLL .NtTestalert's code jump allows the program to jump to its code, restore the code that NTDLL.nttelert is changed during the execution, and loads CORALQQ.dll. Under Win9X, Coralqq.exe first creates QQ process, At the same time, the main thread of the QQ pause is created. Then, write data to QQ.EXE, to change the qq.exe's OEP to change the purpose of changing the program process, let it execute the join code, load CORALQQ.dll, After loading, skip to the original QQ.EXE OEP continues to execute. In fact, in Win2000 / XP, you can use the remote thread method to implement the DLL file, I later programmed the way, maybe readers read This article will be asked: "What is the use of CORALQQ.dll? How is it significantly IP?" In fact, it is necessary to display the IP of course to modify the code in the QQ memory, and the step of modifying the memory is loading CORALQQ.dll is done by coralqq.dll. That is, in the process of executing LoadLibrary, the system will execute corall.dll's libmain, the modified process is completed in libmain! And say the principle of display IP, sorry It is not within the scope of our article, we just discuss the step of "hanging" in the plug-in. Below is the code I wrote, you can make a procedure for Coralqq.exe, but in principle and coralqq.exe have one Different. 586.m odel flat, stdcalloption casemap: none; case sensitiveinclude windows.incinclude kernel32.incincludelib kernel32.lib.dataqq db "./QQ.exe",0ikeyname db" qq ", 0isecname db" main ", 0szBuffer dw 50 dup (0) dllname db "./CoralQQ.dll",0szkernel32 db" Kernel32.dll ", 0dllin dd 0szloadlibrary db" LoadLibraryA ", 0oaddr dd 0wriaddr dd 0ininame db" ./CoralQQ.ini",0.data?align dwordcon CONTEXT <> align dwordcon2 CONTEXT <> stStartUp STARTUPINFO stProcInfo PROCESS_INFORMATION code start: main proc local wrisize: dword; used to store the size of the code to be written local num: . dword local oldpro: dword local lastwri: dword local wribase: dword ;
Written into the code used to store the base address invoke GetPrivateProfileString, offset isecname, offset ikeyname, / offset szloadlibrary, offset szBuffer, / sizeof szBuffer, offset ininame; QQ program acquired from Coralqq.ini path invoke GetModuleHandle, offset szkernel32 invoke GetProcAddress, eax, offset szloadlibrary mov dllin, eax invoke GetStartupInfo, addr stStartUp invoke CreateProcess, NULL, offset szBuffer, NULL, NULL, FALSE, / CREATE_SUSPENDED, NULL, NULL, addr stStartUp, addr stProcInfo; create QQ process cmp eax, 0 jz exit invoke GetVersion test eax, 080000000h; determining the type of operating system jnz win9x invoke VirtualAllocEx, stProcInfo.hProcess, NULL, 01000h, MEM_COMMIT, / PAGE_EXECUTE_READWRITE; QQ in the allocated memory space mov oaddr, eax invoke WriteProcessMemory, stProcInfo.hProcess, oaddr, offset dllname, / sizeof dllname, addr num; write data invoke CreateRemoteThread, stProcInfo.hProcess, NULL, 0, dllin, oaddr, 0, / addr num; create a remote thread invoke CloseHandle, eax invoke ResumeThread, stProcInfo.hThread; let QQ continue invoke EXITPROCESS, 0 retwin9x: mov wribase, oepwrite mov wrisize, codeend-oepwrite invoke VirtualProtect, wribase, wrisize, / PAGE_EXECUTE_READWRITE, addr oldpro; change the place of the program to be written into the code properties, in fact, may be added at compile time switches mov wrisize, codeend -codewrite mov wriaddr, 080000000h sub wriaddr, 1000hagain: add wriaddr, 1000h mov wribase, codewrite invoke WriteProcessMemory, stProcInfo.hProcess, wriaddr, / wribase, wrisize, addr num; written into the code mov eax, wrisize cmp eax, num jnz again mov eax, wriaddr mov ebx, chan0-4 mov [ebx], eax invoke VirtualProtectEx, stProcInfo.hProcess, 0464b58h, 7, / PAGE_EXECUTE_READWRITE, addr oldpro; attribute change QQ.exe mov oep at wribase, oepwrite invoke WriteProcessMemory, stProcInfo. HProcess, 0464B58H, WRIBASE, 7, / ADDR NUM
