Author: RunJin
Runjin000@yahoo.com.cn
Analysis Tools: Softice, OD
My operating system: Win 2000 SP4, WIN 98
Analysis object: QQ2005 New Year's Edition coral insect plug
In order to facilitate analysis, I first take Coralqq.dll and Coralqq.exe first shell, these two files are added
They are all ultra-weak shells, and the shelling process is not more.
Due to the Win NT platform and Win9X, the coral insects are separated from the system.
working principle.
We all know that coral plugging is a coralqq.dll hanging from QQ.exe QQ.exe,
The completion of this is CORALQQ.EXE. To load a DLL file must be qq.exe
A thread performs LoadLibrarya, and is parameter with coralqq.dll, but QQ.exe is originally fundamentally
There is no such code, what should I do? The answer is simple, since it doesn't, let us help it,
CORALQQ.exe is using WriteProcessMemory to help QQ.exe add such a code, and
Changing the program process, let QQ.exe first load CORALQQ.dll and skip to the original OEP execution.
Think of it, more reasonable methods are:
1. On the system of the NT core, use the remote thread method to create QQ.exe with CreateProcess
The process, also created the main thread, and use VirtualaLalkEx to apply for a memory in QQ.exe, then put
Our code is written, and finally uses CreateremoteThread to create another one in QQ process.
Thread, where it starts to execute is the first address of the code we join.
2. Create a QQ process and main thread with CreateProcess, find a reasonable in QQ memory space.
Write our code, then modify a place (for example, OEP) make QQ first jump to implement us
Write code, load CORALQQ.dll, fix the original OEP, then jump back to OEP to make the program to perform normally.
Let us analyze how the plug is doing, first analyzing the NT platform.
working process.
Use OD to load the shelled Coralqq.exe, stopped below:
00418E2C> / $ 55 PUSH EBP
00418E2D |. 8bec MOV EBP, ESP
00418E2F |. 83C4 F0 Add ESP, -10
00418E32 |. B8 648D4100 MOV EAX, CORALQQ.00418D64
00418E37 |. E8 a4bafeff call coralqq.004048e0
00418E3C |. A1 F49D4100 MOV EAX, DWORD PTR DS: [419DF4]
00418E41 |. 33D2 XOR EDX, EDX
00418E43 |. E8 30f4ffffffff Call coralqq.00418278
00418E48 |. A1 F49D4100 MOV EAX, DWORD PTR DS: [419DF4]
00418E4D |. 8B00 MOV Eax, DWORD PTR DS: [EAX]
00418E4F |. 83c0 18 Add Eax, 18
00418E52 |. E8 f9c6feff call coralqq.00405550
00418E57 |. E8 08A9Feff Call Coralqq.00403764
Then go breakpoint: BP CreateRemoteThread, then run, the result is found that OD is not broken at all.
Certification of plug-in hangs without using the remote thread, is it a second way? We can verify: First in OD, BP CreateProcess, broken, reverse, use WinHex to open QQ.EXE memory, QQ.exe
The OEP is changed to CC, followed by BPint 3 in Softice, press F9 in OD to run, then it is interrupted in Softice
In the middle, restore the OEP (464B58), in the SOFTICE BPM 464B58, then end the program, then run CORALQQ.EXE
It was found that the BPM breakpoint from beginning to end is still not broken, prove that the coral insects hang in 2000 and did not modify QQ.exe.
OEP to change the program process, halo. No way, I have to write in the OD in the WriteProcessMemory breakpoint, look at it
Where is the revised.
00231012 57 PUSH EDI
00231013 8B4424 24 MOV Eax, DWORD PTR SS: [ESP 24]
00231017 A3 70302300 MOV DWORD PTR DS: [233070], EAX
0023101C 8305 70302300 04 Add DWORD PTR DS: [233070], 4
00231023 E8 5C000000 Call
Creating a QQ process
The QQ main thread to be created above is paused, and it will not be executed immediately, and it is the case under Win9X.
The stack is displayed in the first interrupt:
0012EBDC 0040C75C / CALL to WRITEPROCESSMEMORY from CORALQQ.0040C756
0012ebe0 00000018 | HProcess = 00000018
0012EBE4 5F000000 | Address = 5f000000
0012EBE8 00cc0f44 | buffer = 00cc0f44
0012ebec 000000d2 | Bytestowrite = D2 (210.)
0012EBF0 0012EC68 / PBYTESWRITTEN = 0012EC68
the second time:
0012EC70 00416231 / CALL to WRITEPROCESSMORY from CORALQQ.0041622C
0012EC74 00000018 | HProcess = 00000018
0012EC78 5F010000 | Address = 5F010000
0012EC7C 0012EE9F | BUFFER = 0012EE9F
0012EC80 00000025 | BYTESTOWRITE = 25 (37.)
0012EC84 0012EFD0 / PBYTESWRITTEN = 0012EFD0
the third time:
0012EC70 004162CB / CALL to WRITEPROCESSMEMORY from CORALQQ.004162C6
0012EC74 00000018 | HProcess = 00000018
0012EC78 77F84BC0 | Address = 77f84bc0
0012EC7C 0012EFC3 | BUFFER = 0012EFC3
0012EC80 00000005 | BYTESTOWRITE = 5
0012EC84 0012EFD0 / PBYTESWRITTEN = 0012EFD0
the fourth time:
0012EC70 0041632B / CALL to WRITEPROCESSMORY from CORALQQ.00416326
0012EC74 00000018 | HProcess = 00000018
0012EC78 5F010025 | Address = 5f010025
0012EC7C 0012EC96 | BUFFER = 0012EC960012EC80 00000208 | BYTESTOWRITE = 208 (520.)
0012EC84 0012EFD0 / PBYTESWRITTEN = 0012EFD0
the fifth time:
0012EC70 0041634B / CALL to WRITEPROCESSMEMORY from CORALQQ.00416346
0012EC74 00000018 | HProcess = 00000018
0012EC78 5F010000 | Address = 5f010000
0012EC7C 0012EE9F | BUFFER = 0012EE9F
0012EC80 00000025 | BYTESTOWRITE = 25 (37.)
0012EC84 0012EFD0 / PBYTESWRITTEN = 0012EFD0
Pay attention to the third interruption: 77f84bc0 corresponds to: NTTESTALERT LEARK: NTDLL.DLL
The program must pass the NTDLL.DLL of NTDLL.DLL before executing, which makes the first sentence jumps to a certain
Place, thereby changing the program process.
00417E7E 8B45 F4 MOV EAX, DWORD PTR SS: [EBP-C]
00417E81 50 Push EAX
00417E82 E8 DDCDFEFF CALL
Make the main thread of QQ continues
Change the E9 at 0012EFC3 to CC, then in Softice, BPINT 3, let the broken track:
001b: 77f84bc0 E93BB408E7 JMP 5F010000
Single-step tracking
001b: 5F010000 B80000015F MOV Eax, 5F010000
001b: 5F010005 B90000005F MOV ECX, 5F000000
001b: 5f01000a ffd1 Call ECX
At this time, the value of ECX is 5F000000
001b: 5f000000 55 Push EBP
001b: 5f000001 8bec MOV EBP, ESP
001b: 5f000003 83C4EC Add ESP, -14
001b: 5f000006 53 Push EBX
001b: 5f000007 56 Push ESI
001b: 5f000008 8BD8 MOV EBX, EAX
001b: 5F00000A 896DFC MOV [EBP-04], EBP
001b: 5F00000D 8B431C MOV EAX, [EBX 1C]
001b: 5f000010 8B55FC MOV EDX, [EBP-04]
001b: 5f000013 83C204 Add EDX, 04
001b: 5f000016 8902 MOV [EDX], EAX
001b: 5F000018 8B431C MOV EAX, [EBX 1C]
001b: 5F00001B 8945EC MOV [EBP-14], EAX001B: 5F0000001E C745FC05000000 MOV DWORD PTR [EBP-04], 00000005
001b: 5f000025 8D45F8 Lea Eax, [EBP-08]
001b: 5f000028 50 Push EAX
001b: 5f000029 6A40 PUSH 40
001b: 5F00002B 8D45FC Lea Eax, [EBP-04]
001b: 5f00002e 50 Push EAX
001b: 5f00002F 8D45EC Lea Eax, [EBP-14]
001b: 5f000032 50 Push EAX
001b: 5f000033 6AFF PUSH FF
001b: 5f000035 FF15C600005F CALL [5F0000C6]
001b: 5F00003B 8B431C MOV EAX, [EBX 1C]
001b: 5f00003e 8b5320 MOV EDX, [EBX 20]
001b: 5f000041 8910 MOV [EAX], EDX; Restore NTDLL.NTTESTALERT entrance
001b: 5f000043 8A5324 MOV DL, [EBX 24]
001b: 5f000046 885004 MOV [EAX 04], DL
001b: 5f000049 C745FC05000000 MOV DWORD PTR [EBP-04] 00000005
001b: 5f000050 8D45F8 Lea Eax, [EBP-08]
001b: 5f000053 50 Push EAX
001b: 5f000054 8B45F8 MOV EAX, [EBP-08]
001b: 5f000057 50 Push EAX
001b: 5F000058 8D45FC Lea Eax, [EBP-04]
001b: 5F00005B 50 Push EAX
001b: 5F00005C 8D45EC Lea Eax, [EBP-14]
001b: 5F00005F 50 Push EAX
001b: 5f000060 6AFF PUSH FF
001b: 5f000062 FF15CA00005F Call [5F0000CA]
001b: 5F000068 8B7318 MOV ESI, [EBX 18]
001b: 5F00006B 4e Dec ESI
001b: 5F00006C 85F6 Test ESI, ESI
001b: 5f00006e 7C4C JL 5F0000BC001B: 5F000070 46 Inc ESI
001b: 5f000071 8D4325 Lea Eax, [EBX 25]
001b: 5f000074 8bd8 MOV EBX, EAX
001b: 5f000076 33D2 XOR EDX, EDX
001b: 5F000078 8BC3 MOV EAX, EBX
001b: 5f00007a 66833800 CMP Word PTR [EAX], 00
001b: 5F00007E 740C JZ 5F00008C
001b: 5f000080 42 Inc EDX
001b: 5f000081 83C002 Add Eax, 02
001b: 5f000084 81fa03010000 CMP EDX, 00000103
001b: 5f00008a 75ee JNZ 5F00007A
001b: 5F00008C 8BC2 MOV Eax, EDX
001b: 5f00008e 03c0 Add Eax, EAX
001b: 5f000090 668945F0 MOV [EBP-10], AX
001b: 5f000094 6683C002 Add Ax, 02
001b: 5f000098 668945F2 MOV [EBP-0E], AX
001b: 5f00009c 8bc3 MOV EAX, EBX
001b: 5f00009E 8945F4 MOV [EBP-0C], EAX
001b: 5F0000A1 8D45FC Lea Eax, [EBP-04]
001b: 5F0000A4 50 Push EAX
001b: 5f0000A5 8D45F0 Lea Eax, [EBP-10]
001b: 5F0000A8 50 Push EAX
001b: 5F0000A9 6A00 Push 00
001b: 5F0000AB 6A00 Push 00
001b: 5F0000AD FF15CE00005F Call [5F0000CE]; Call LoadLibrarya
001b: 5F0000B3 81C308020000 Add EBX, 00000208
001b: 5f0000b9 4e Dec ESI
001b: 5F0000BA 75BA JNZ 5F000076
001b: 5F0000BC 5E POP ESI
001b: 5F0000BD 5B POP EBX
001b: 5F0000BE 8BE5 MOV ESP, EBP001B: 5F0000C0 5D POP EBP
001b: 5F0000C1 C3 RET
001b: 5F0000C2 0000 Add [EAX], Al
001b: 5F0000C4 0000 Add [EAX], Al
001b: 5F0000C6 C4BFF877C4BF LES EDI, [EDI BFC477F8]
001b: 5f0000cc F8 CLC
001b: 5F0000CD 7761 JA 5F000130
001b: 5f0000cf 32F8 XOR BH, Al
001b: 5F0000D1 7700 JA 5F0000D3
We analyze how to run in Win9X corals.
Load CORALQQ.EXE again with OD
00415C9D MOV DWORD PTR SS: [EBP-C], ECX
00415CA0 MOV DWORD PTR SS: [EBP-4], EDX
00415CA3 MOV DWORD PTR SS: [EBP-8], EAX
00415CA6 XOR EBX, EBX
00415 CA8 CALL
Judging the operating system
00415CAD TEST EAX, 80000000
00415cb2 Je Short Coralqq.00415CFE
00415CB4 XOR EDI, EDI
00415CB6 XOR ESI, ESI
00415CB8 JMP short coralqq.00415CE7
00415CBA / CMP ESI, DWORD PTR SS: [EBP-24]
00415CBD | JE Short CORALQQ.00415CE2
00415CBF | MOV Eax, DWORD PTR SS: [EBP-4]
00415cc2 | MOV EDX, DWORD PTR SS: [EBP-24]
00415cc5 | MOV DWORD PTR DS: [EAX], EDX
00415CC7 | CMP DWORD PTR SS: [EBP-18], 1000
00415CCE | JNZ Short Coralqqq.00415CDF
00415CD0 | Push EBP; / Arg1
00415cd1 | Call CORALQQ.00415BD4; /CORALQQ.00415BD4
00415cd6 | POP ECX
00415cd7 | Test Al, Al
00415cd9 | Je Short Coralqqq.00415CDF
00415cdb | MOV BL, 1
00415CDD | JMP Short Coralqqq.00415D29
00415CDF | MOV ESI, DWORD PTR SS: [EBP-24]
00415CE2 | MOV EAX, DWORD PTR SS: [EBP-1C]
00415 CE5 | Add Edi, EAX
00415ce7 push 1c; / bufsize = 1c (28.)
00415 CE9 | Lea Eax, DWORD PTR SS: [EBP-28];
00415CEC | PUSH EAX; | Buffer
00415Ced | Push EDI; | Address00415cee | MOV EAX, DWORD PTR SS: [EBP-8];
00415CF1 | Push Eax; | HProcess
00415cf2 | Call
; / VirtualQueryex gets internal memory information
00415CF7 | CMP EAX, 1C
00415cfa / Je Short Coralqq.00415CBA
00415CFC JMP Short Coralqq.00415D29
The above code is to determine the version of the operating system. If it is Win9x, just jump to 415CE7,
00415A4B |> / 8> Lea Eax, DWORD PTR SS: [EBP-8]
00415A4E |. 5> Push Eax; / PBYTESWRITTEN
00415A4F |. 5> Push EDI; | BYTESTOWRITE
00415A50 |. 8> MOV EAX, DWORD PTR SS: [EBP-4];
00415A53 |. 5> Push Eax; | buffer
00415A54 |. 5> Push ESI; | Address
00415A55 |. 5> Push EBX; | HPROCESS
00415A56 |. E> Call
; / WriteProcessMemory
Look at the stack at this time:
0067EA5C 0000000C | HProcess = 0000000c
0067EA60 83138AAC | Address = 83138AAC
0067EA64 0067EABC | Buffer = 0067EABC
0067EA68 00000292 | BYTESTOWRITE = 292 (658.)
0067EA6C 0067EA7C / PBYTESWRITEN = 0067EA7C
It writes buffer 0067EABC's 658 byte into QQ.EXE memory 83138aac, under Win98, sharing in the process memory (M
The MF) partition is 0x80000000 ~ 0xBFFFFFF, all memory map files and system sharing DLL will be loaded at this address, and
Those mapping files and system sharing DLLs are often relatively high, so, from a large segment address space from 80000000 address.
It is often a comparative "idle", of course, not to say that these addresses can be written, so that the address value of this 83138AAC is calculated,
I haven't analyzed it yet, but I think another feasible method, and after my own programming confirmed, that is, the size of 1000h, from 80000000
I started writing data with WriteProcessMemory until the write is successful, proves that the address of the 1000h is available, and 1000h
The size of the memory space is enough for us to put the code, the reason why the unit is in units of 1000h is because of the block alignment.
continue following:
00415A39 |. 8D45 F8 LEA EAX, DWORD PTR SS: [EBP-8]
00415A3C |. 50 Push Eax; / PoldProtect
00415A3D |. 6A 40 Push 40; | NewProtect = Page_execute_readwrite00415a3f |. 57 push edi; | SIZE
00415a40 |. 56 push esi; | address
00415a41 |. 53 push ebx; | hprocess
00415A42 |. E8 85f2feff Call
The code above / virtualProtectex is the property that changes QQ.exe's OEP, allowing it to read and writable, ready for the code at the OEP, and then interrupt in WriteProcessMemory to see the stack: 0067EA5C 0000000C | HProcess = 0000000C 0067EA60 00464B58 | Address = 464B58 0067EA64 0067EE46 | Buffer = 0067EE46 0067EA68 00000005 | BytesToWrite = 5 0067EA6C 0067EA7C / pBytesWritten = 0067EA7C 464b58 is QQ.exe of OEP, it is clear that it wants to change the program flow change oep !! well, we Also use the method, change 0067EEA6's first byte to CC, BPINT 3 in Softice, then interrupt, then track. After Softice is interrupted: 0167: 0046005587370 0167: 83147370 C70584B4600558BEC6AMOV DWORD PTR [00464B58 ], 6AEC8B55; immediately restore code oep at 0167: 8314737A C6055C4B4600FF MOV BYTE PTR [00464B5C], FF 0167: 83147381 68FA731483 PUSH 831473FA 0167: 83147386 6838000000 PUSH 00000038 0167: 8314738B 6A40 PUSH 40 0167: 8314738D FF15F6731483 CALL [KERNEL32 GlobalAlloc]! ; another application memory 0167: 83147393 C700B85077F7 MOV DWORD PTR [EAX], F77750B8; from here has been filled in the new data 0167: 83147399 C74004BFFFD068 MOV DWORD PTR [EAX 04], 68D0FFBF 0167: 831473A0 C7400870731483 MOV DWORD PTR [EAX 08 ], 83147370 0167: 831473A7 C7400CB89348E9 MOV DWORD PTR [EAX 0C], E94893B 8 0167: 831473AE C74010BFFFD0B8 MOV DWORD PTR [EAX 10], B8D0FFBF 0167: 831473B5 C74014584B4600 MOV DWORD PTR [EAX 14], 00464B58 0167: 831473BC C74018FFE0C705 MOV DWORD PTR [EAX 18], 05C7E0FF 0167: 831473C3 C7401C584B4600 MOV DWORD PTR [EAX 1C], 00464B58 0167: 831473CA C74020558BEC6A MOV DWORD PTR [EAX 20], 6AEC8B55 0167: 831473D1 C74024C6055C4B MOV DWORD PTR [EAX 24], 4B5C05C6 0167: 831473D8 C740284600FF68 MOV DWORD PTR [EAX 28], 68FF0046 0167 : 831473DF C7402CFA731483 MOV DWORD PTR [EAX 2C], 831473FA 0167: 831473E6 C7403068380000 MOV DWORD PTR [EAX 30], 00003868 0167: 831473ED C74034006A40FF MOV DWORD PTR [EAX 34], FF406A00 0167: 831473F4 FFE0 JMP EAX;
At this point eax as 0063059C 0167: 0063059C B85077F7BF MOV EAX, KERNEL32 LoadLibraryA; loading Coralqq.dll 0167:! 006305A1 FFD0 CALL EAX 0167: 006305A3 6870731483 PUSH 83147370 0167: 006305A8 B89348E9BF MOV EAX, COMCTL32 ORD_0049 0167: 006305AD FFD0 CALL EAX 0167:! 006305AF B8584B4600 MOV EAX, 00464B58 0167: 006305B58 0167: 006305B4 FFE0 JMP EAX; jumping back to QQ.EXE entry analysis is completed. To here, we can summarize it, in win2000 / xp Coralqq.exe first created QQ process, Created the Paused main thread of QQ, then the memory write code of the QQ process, modify the NTDLL.NTTELERT code jump program jump to its own code, and restore NTDLL.nttelert to the execution process. Code, simultaneously load CORALQQ.dll. Under Win9x, Coralqq.exe first creates QQ process, and also creates QQ's suspended main thread, then write data to QQ.exe, to write qq.exe's OEP To change the purpose of changing the process, let it execute the joined code, load coralqq.dll, and then skip to the original QQ.EXE OEP continues. In fact, the following can be used under Win2000 / XP. To achieve the loaded DLL file, I later programmed this step. Maybe there is a reader after reading this article, I will ask: "What is the use of CORALQQ.dll? How is it significantly IP?" In fact, Of course, IP must modify the code in the memory of QQ, and the step of modifying the memory is completed by coralqq.dll when loading coralqq.dll. That is, the system will execute corall.dll during the execution of LoadLibrary. Libmain, the process of modification is completed in libmain! And the principle of display IP, sorry, not within our discussion of our article, we just discuss the step "hanging" this step. Below is the code I wrote. It can make a program for replacement Coralqq.exe, but there is a little different from Coralqq.exe. 586 .Model flat, stdcall Opt ION CASEMAP: NON CASEMAP: NONE; CASE SENSITIVE INCLUDE Windows.inc Include Kernel32.inc Includelib Kernel32.lib .data QQ DB "./qq.exe" ,0 IkeyName DB" QQ ", 0 ISecName DB" Main ", 0 Szbuffer DW 50 DUP (0) Dllname DB "./coralqq.dll", 0 Szkernel32 DB" kernel32.dll ", 0 Dllin DD 0 SzloadLibrary DB" LoadLibrarya ", 0 Oaddr DD 0 Wriaddr DD 0 ininame DB" ./coralqq.ini" ,0 .DATA? Align DWord Context <> align dword contempted <> ststartup startupinfostprocinfo process_information
. Code Start: Main Proc Local WRISIZE: DWORD; DWORD DWORD DWORD DWORD LOCAL NUL: DWORD LOCAL LOCAL OLDPRO: DWORD LOCAL LASTWRI: DWORD LOCAL WRIBASE: DWORD; INVOKE GETPRIVATEPROFILESTRING used to store the write code, offset isecname, offset ikeyname, / offset szloadlibrary, offset szBuffer, / sizeof szBuffer, offset ininame; QQ program acquired from Coralqq.ini path invoke GetModuleHandle, offset szkernel32 invoke GetProcAddress, eax, offset szloadlibrary mov dllin, eax invoke GetStartupInfo, addr stStartUp invoke CreateProcess, NULL, offset szBuffer, NULL, NULL, FALSE, / CREATE_SUSPENDED, NULL, NULL, addr stStartUp, addr stProcInfo; create QQ process cmp eax, 0 jz exit invoke GetVersion test eax, 080000000h; determine the type of operating system jnz win9x invoke VirtualAllocEx, stProcInfo.hProcess, NULL, 01000h, MEM_COMMIT, / PAGE_EXECUTE_READWRITE; QQ in the allocated memory space mov oaddr, eax invoke WriteProcessMemory, stProcInfo.hProcess, oaddr, offset dllname, / sizeof dllname, addr num; write data invoke CreateRemoteThread , StProcinfo.hprocess, NULL, 0, DLLIN, OADDR, 0, / ADDR NUM; Create Remote Thread Invoke CloseHandle, Eax Invoke ResumeThread, StProcinfo .hThread; let QQ continue invoke ExitProcess, 0 ret win9x: mov wribase, oepwrite mov wrisize, codeend-oepwrite invoke VirtualProtect, wribase, wrisize, / PAGE_EXECUTE_READWRITE, addr oldpro; change the program to be written to local property code, in fact, the switch may be added at compile time mov wrisize, codeend-codewrite mov wriaddr, 080000000h sub wriaddr, 1000h again: add wriaddr, 1000h mov wribase, codewrite invoke WriteProcessMemory, stProcInfo.hProcess, wriaddr, / wribase, wrisize, addr num; write in code mov eax, wrisize cmp eax, num jnz again mov eax, wriaddr mov ebx, chan0-4 mov [ebx], eax invoke VirtualProtectEx, stProcInfo.hProcess, 0464b58h, 7, / PAGE_EXECUTE_READWRITE, addr oldpro; change of QQ.exe OEP Attributes MOV WRIBASE, OEPWRITE INVOKE WRITEPROCESSMEMORY, STPROCINFO.HPROCESS, 0464B58H, WRIBASE, 7, / ADDR NUM
