超强灰鸽子vip2005检测器 (Super Gray Pigeon VIP2005 Detector): a simple analysis of the detection principle
http://skyxnet.blogdriver.com/skyxnet/1013647.html
Preface: the new Gray Pigeon (灰鸽子) always seems to be everywhere; I have run into it on friends' machines several times, and each time could only identify and remove it by hand. When I saw this detector I ran a few tests. It worked very well, so I wanted to understand how it works! ^_^
First, let's look at how it executes on a system that is NOT infected with Gray Pigeon =>>>
00459E2B 68 10A24500 push 超强灰鸽.0045A210
; ASCII "GPigeon5_Shared"
00459E30 6A 00 push 0
00459E32 6A 04 push 4
00459E34 E8 E3C3FAFF call
00459E39 A3 ACDC4500 mov dword ptr ds:[45DCAC],eax
; eax=0 means no handle was obtained (nothing to operate on)
00459E3E 833D ACDC4500 0>cmp dword ptr ds:[45DCAC],0
00459E45 0F84 70030000 je 超强灰鸽.0045A1BB ; jump
The stack at the OpenFileMappingA() call:
0012F5E4 00000004 |Access = FILE_MAP_READ
0012F5E8 00000000 |InheritHandle = FALSE
0012F5EC 0045A210 MappingName = "GPigeon5_Shared"
0045A1BB 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC] ; the jump lands here
0045A1C1 8B80 20020000 mov eax,dword ptr ds:[eax+220]
0045A1C7 BA C8A34500 mov edx,超强灰鸽.0045A3C8
; string "没有检测到 灰鸽子 Vip 2005 服务端" (Gray Pigeon VIP 2005 server not detected)
0045A1CC 8B08 mov ecx,dword ptr ds:[eax]
; ecx=0x427c4c ASCII "4AA"
0045A1CE FF51 38 call dword ptr ds:[ecx+38] ; Retn eax=0
0045A1D1 833D ACDC4500 0>cmp dword ptr ds:[45DCAC],0
0045A1D8 74 0B je short 超强灰鸽.0045A1E5 ; Jump
0045A1DA A1 ACDC4500 mov eax,dword ptr ds:[45DCAC]
0045A1DF 50 push eax
0045A1E0 E8 F7BDFAFF call
0045A1E5 33C0 xor eax,eax
0045A1E7 5A pop edx
0045A1E8 59 pop ecx
0045A1E9 59 pop ecx
0045A1EA 64:8910 mov dword ptr fs:[eax],edx
0045A1ED 68 07A24500 push 超强灰鸽.0045A207
0045A1F2 8D45 B8 lea eax,dword ptr ss:[ebp-48]
0045A1F5 BA 12000000 mov edx,12
0045A1FA E8 F99CFAFF call 超强灰鸽.00403EF8
0045A1FF C3 retn ;retn to 0x45a207
What remains is some post-return handling...
Here we can see that the check for a "灰鸽子 Vip 2005 服务端" (Gray Pigeon VIP 2005 server) works by calling OpenFileMappingA() to open an already-existing file-mapping object: if the object exists, the call returns an open handle; if not, the program skips the detection-and-removal code that follows. Note that this is a pure name-based presence check on a named kernel object that the detector assumes only the server creates: it says nothing about which process owns the object, so any process that creates a mapping named "GPigeon5_Shared" will trip it, and a variant that renames its object would pass unnoticed. In C the check can be sketched as:
#include <windows.h>
#include <stdio.h>
int main(void) {
    HANDLE hMap = OpenFileMappingA(FILE_MAP_READ, FALSE, "GPigeon5_Shared");
    if (hMap == NULL)
        puts("没有检测到 灰鸽子 Vip 2005 服务端!");  /* not detected: skip the removal code */
    else
        CloseHandle(hMap);  /* handle obtained: the server is present, detection/removal continues */
    return 0;
}
At this point the program's edit box shows the message: "没有检测到 灰鸽子 Vip 2005 服务端!" (Gray Pigeon VIP 2005 server not detected!)
Next, on to the analysis of the detection-and-removal code on a system that IS infected with Gray Pigeon...
As before, the program breaks at the same place =>>
00459E2B 68 10A24500 push 超强灰鸽.0045A210
; ASCII "GPigeon5_Shared"
00459E30 6A 00 push 0
00459E32 6A 04 push 4
00459E34 E8 E3C3FAFF call
00459E39 A3 ACDC4500 mov dword ptr ds:[45DCAC],eax
; when detected: eax holds the handle value (0xcc, 0xb4 and 0xd8 were observed on different runs); when not: eax=0
00459E3E 833D ACDC4500 00 cmp dword ptr ds:[45DCAC],0
00459E45 0F84 70030000 je 超强灰鸽.0045A1BB ; not taken
00459E4B 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC] ; eax=01023f24
00459E51 8B80 20020000 mov eax,dword ptr ds:[eax+220] ; eax=01024208
00459E57 BA 28A24500 mov edx,超强灰鸽.0045A228
; edx=0x45a228 => string "检测到 灰鸽子 Vip 2005 0105 服务端存在" (Gray Pigeon VIP 2005 0105 server detected)
00459E5C 8B08 mov ecx,dword ptr ds:[eax]
; ecx=0x427c4c ; ASCII "4AA"
00459E5E FF51 38 call dword ptr ds:[ecx+38]
; shows the detection text in the edit box
00459E61 6A 00 push 0
00459E63 6A 00 push 0
00459E65 6A 00 push 0
00459E67 6A 04 push 4
00459E69 A1 ACDC4500 mov eax,dword ptr ds:[45DCAC]
; eax = the handle value (0xcc / 0xb4 / 0xd8)
00459E6E 50 push eax
; push the handle for the next call
00459E6F E8 98C3FAFF call ; maps a view of the shared object (the arguments handle, 4=FILE_MAP_READ, 0, 0, 0 match MapViewOfFile)
; returns eax=01330000 => pointer to ASCII "a long string of digits"
00459E74 8BF0 mov esi,eax
Stack/register values:
eax=01310000, (ASCII "5F7E8111
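To make the two steps concrete, here is an added example in C that is not part of the original post and not the detector's own code. It probes "GPigeon5_Shared" the way the call at 00459E34 does, then maps a view and copies out the text the way the call at 00459E6F does, and finally shows the flip side of a name-based check: any process can create an object with that name, so the detector can be spoofed, and a server that renames its object would slip past it. On Windows the real Win32 calls are used; on other systems a file under /dev/shm (or /tmp) stands in for the kernel object so the logic can still be run. The function names, the 4096-byte object size and the stand-in path are my own assumptions, not anything from the detector.

```c
/* Added example, not code from the detector or the original post. It
 * reproduces the detector's two steps: probe the named shared object with
 * OpenFileMappingA() (call at 00459E34), then map a view of it and copy
 * out its text (call at 00459E6F, arguments match MapViewOfFile). It also
 * shows that any process can create an object with that name. On Windows
 * the real Win32 calls are used; elsewhere a file under /dev/shm (or /tmp)
 * stands in for the kernel object. Names, size and stand-in path are
 * assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define PIGEON_MAP_NAME "GPigeon5_Shared"   /* name taken from the listing */
#define MAP_BYTES 4096                      /* assumed object size */

#ifdef _WIN32
#include <windows.h>

/* 1 if a file-mapping object called name exists (a handle was obtained), else 0. */
int mapping_exists(const char *name) {
    HANDLE h = OpenFileMappingA(FILE_MAP_READ, FALSE, name);
    if (h == NULL) return 0;            /* GetLastError() == ERROR_FILE_NOT_FOUND */
    CloseHandle(h);
    return 1;
}

/* Map a read-only view and copy its leading C string into out. 0 = ok, -1 = absent. */
int read_mapping_text(const char *name, char *out, size_t max) {
    HANDLE h = OpenFileMappingA(FILE_MAP_READ, FALSE, name);
    if (h == NULL) return -1;
    const char *view = (const char *)MapViewOfFile(h, FILE_MAP_READ, 0, 0, MAP_BYTES);
    if (view == NULL) { CloseHandle(h); return -1; }
    size_t n = 0;
    while (n + 1 < max && n < MAP_BYTES && view[n] != '\0') { out[n] = view[n]; n++; }
    out[n] = '\0';
    UnmapViewOfFile(view);
    CloseHandle(h);
    return 0;
}

/* Create the object with text in it, as the server (or a spoofer) would.
 * The object exists only while the returned handle (or a view) stays open. */
void *create_mapping_text(const char *name, const char *text) {
    HANDLE h = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_READWRITE, 0, MAP_BYTES, name);
    if (h == NULL) return NULL;
    char *view = (char *)MapViewOfFile(h, FILE_MAP_WRITE, 0, 0, MAP_BYTES);
    if (view == NULL) { CloseHandle(h); return NULL; }
    strncpy(view, text, MAP_BYTES - 1);
    UnmapViewOfFile(view);
    return (void *)h;
}

void remove_mapping(const char *name, void *token) {
    (void)name;
    if (token != NULL) CloseHandle((HANDLE)token);
}
#else
#include <fcntl.h>
#include <unistd.h>

/* Stand-in: /dev/shm is the tmpfs that shm_open() uses on Linux; /tmp otherwise. */
static void backing_path(const char *name, char *buf, size_t max) {
    const char *dir = (access("/dev/shm", W_OK) == 0) ? "/dev/shm" : "/tmp";
    snprintf(buf, max, "%s/%s", dir, name);
}

int mapping_exists(const char *name) {
    char path[256]; backing_path(name, path, sizeof path);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

int read_mapping_text(const char *name, char *out, size_t max) {
    char path[256]; backing_path(name, path, sizeof path);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, out, max - 1);
    close(fd);
    if (n < 0) return -1;
    out[n] = '\0';
    return 0;
}

void *create_mapping_text(const char *name, const char *text) {
    char path[256]; backing_path(name, path, sizeof path);
    int fd = open(path, O_CREAT | O_WRONLY | O_TRUNC, 0600);
    if (fd < 0) return NULL;
    ssize_t w = write(fd, text, strlen(text) + 1);
    close(fd);
    return (w < 0) ? NULL : (void *)1;  /* dummy token: the file persists until removed */
}

void remove_mapping(const char *name, void *token) {
    char path[256]; backing_path(name, path, sizeof path);
    (void)token;
    unlink(path);
}
#endif

/* The detector's decision, as the listing shows it. */
int main(void) {
    char text[128];
    if (!mapping_exists(PIGEON_MAP_NAME)) {
        puts("没有检测到 灰鸽子 Vip 2005 服务端!");
        return 0;
    }
    puts("检测到 灰鸽子 Vip 2005 服务端存在");
    if (read_mapping_text(PIGEON_MAP_NAME, text, sizeof text) == 0)
        printf("shared data: %s\n", text);
    return 0;
}
```

On Windows the object vanishes as soon as the creating process closes its last handle, so to see the "detected" branch you need a second process that keeps the handle from create_mapping_text() open while the detector runs; that lifetime rule is exactly why the detector can treat the mapping's existence as a proxy for a running server, and also why a harmless program holding an object of that name produces a false positive.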