Virus Trojan scan: Reverse Analysis of pandatv (I)

Source: Internet
Author: User

I. Preface

We perform reverse analysis on viruses so that we can thoroughly identify their behavior and take more effective countermeasures. To save space, I am not going to analyze "pandatv" (the "Panda Burning Incense" virus) exhaustively here; I will only explain some of the important parts. Once these ideas are mastered, we can deal with a great many malicious programs. In general, we use IDA Pro for static analysis of a virus and OllyDbg for dynamic analysis. Because the latter actually runs the virus, it is best to work inside a virtual machine for safety. In addition, the actual analysis process may require auxiliary tools, such as packer detectors or unpackers. For simplicity, the "pandatv" sample studied here is not packed; how to deal with samples that are packed or protected by other means will be discussed later.

II. Packer Check

The first step of the reverse analysis is to run a packer-detection tool against the target program. Here I use PEiD v0.95, and the detection result is as follows:

Figure 1 Packer check for pandatv

It can be seen that the program is not packed, so no unpacking is involved, and that it was written in Borland Delphi 6.0-7.0. Code compiled by Delphi differs from code written in VC++; the two most obvious differences are:

1. When a function is called, parameters are not passed entirely on the stack but mainly in registers; that is, the Delphi compiler passes function parameters in registers by default, which is completely different from a program compiled by VC. Delphi generally puts the first parameter in eax, the second in edx and the third in ecx; any remaining parameters are pushed onto the stack in a manner similar to a VC program.

2. When the stack allocates space for local variables, the stack itself grows downward, while arrays, strings and structs placed on the stack grow upward. Understanding this helps in identifying the variables on the stack.

After this simple inspection of the virus sample, the direction of the analysis is settled, and we turn to the disassembler.


III. Preliminary Analysis of pandatv

Here I load the virus sample into IDA Pro. The first thing we see is the following code:



Figure 2 "pandatv" entry code
The disassembly code at the beginning of the virus program is generated by Delphi. It is not the functional code of the virus that we are concerned with, so it is not explained here. The code that follows it is shown below:

Figure 3 "pandatv" entry code, part 2

Here the first two CALLs both invoke the function named sub_403C98. IDA Pro has already resolved the characters above the second CALL as a string, which is a comment left by the author, so I believe the operand above the first CALL should also be a string. We can check this with OD:

Figure 4 View strings
It can be seen that the string above the first CALL is a Chinese phrase padded with asterisks, reading roughly "***Wuhan male student infected downloader***", which can be understood as the virus author's marker. It is therefore worth analyzing what the virus program does with these two strings, that is, stepping into the CALL, sub_403C98, and studying it:

CODE:00403C98 sub_403C98 proc near          ; CODE XREF: sub_403ED4+8j
CODE:00403C98                               ; sub_403F18+4...
CODE:00403C98     test    edx, edx          ; check edx. test works like and, except that it only sets the flags
                                            ; and does not store the result. edx holds the string written by
                                            ; the virus author, so the result here is necessarily non-zero.
CODE:00403C9A     jz      short loc_403CC0  ; the previous result was not zero, so this jump is not taken.
CODE:00403C9C     mov     ecx, [edx-8]      ; dynamic analysis in OD shows that this loads the dword at address
                                            ; edx-8 into ecx; afterwards ecx holds 0xFFFFFFFF.
CODE:00403C9F     inc     ecx               ; ecx is incremented by 1 and becomes 0. Note that this sets ZF to 1.
CODE:00403CA0     jg      short loc_403CBC  ; jg means "jump if greater", or more precisely, jump when
                                            ; SF = OF and ZF = 0. Since ZF = 1, this jump is not taken.
CODE:00403CA2     push    eax
CODE:00403CA3     push    edx
CODE:00403CA4     mov     eax, [edx-4]      ; after this assignment eax holds 0x20.
CODE:00403CA7     call    sub_403D08        ; following this CALL one level deeper in OD (inside the VM) shows
                                            ; that it calls LocalAlloc to obtain 0xFF8 bytes from the heap with
                                            ; uFlags = 0, i.e. LMEM_FIXED, fixed memory. On success LocalAlloc
                                            ; returns a handle to the new memory object, which for fixed memory
                                            ; is a pointer to it.
CODE:00403CAC     mov     edx, eax
CODE:00403CAE     pop     eax
CODE:00403CAF     push    edx
CODE:00403CB0     mov     ecx, [eax-4]
CODE:00403CB3     call    sub_402650        ; dynamic analysis in OD shows that the main job of this CALL is to
                                            ; copy the string previously held in edx (the virus information and
                                            ; the author's comment) into the heap space allocated above.
CODE:00403CB8     pop     edx
CODE:00403CB9     pop     eax
CODE:00403CBA     jmp     short loc_403CC0

Figure 5 Copying the string into the newly allocated space

With that, sub_403C98 is analyzed. The function has two parameters; because the Delphi compiler was used, the first parameter appears in eax and the second in edx in the disassembly. The function first allocates heap space, then copies the string held in edx into that new space. On entry eax is 0; on return eax holds the start address of the copied string in the newly allocated heap. (The two dwords read at edx-8 and edx-4 match the layout of a Delphi AnsiString, which keeps its reference count at offset -8 and its length at offset -4 from the first character: a count of -1 marks a string constant, and 0x20 is the string's length in bytes.) For ease of reading, I renamed sub_403C98 in IDA Pro to AllocStackAndCopyString, as shown below:

Figure 6 Function rename

Next comes the following:

Figure 7 Analysis of function sub_405360

Two strings are passed here: the first is "xboy", and OD shows that the second is a run of garbled characters:

Figure 8 Garbled string

After that, you can step into sub_405360 in OD to observe it dynamically. We do not need to pay attention to every detail here; only one loop deserves attention:


CODE:004053D1 loc_4053D1:                   ; CODE XREF: sub_405360+B5j
CODE:004053D1     mov     eax, [ebp+var_14]
CODE:004053D4     call    sub_403ECC
CODE:004053D9     push    eax
CODE:004053DA     mov     eax, ebx
CODE:004053DC     pop     edx
CODE:004053DD     mov     ecx, edx
CODE:004053DF     cdq
CODE:004053E0     idiv    ecx
CODE:004053E2     mov     edi, edx
CODE:004053E4     inc     edi
CODE:004053E5     mov     eax, [ebp+var_14]
CODE:004053E8     movzx   eax, byte ptr [eax+edi-1]
CODE:004053ED     mov     ecx, 0Ah          ; set ecx to 0x0A as the divisor of the following division.
CODE:004053F2     xor     edx, edx          ; clear edx.
CODE:004053F4     div     ecx               ; divide: the quotient goes to eax and the remainder to edx.
CODE:004053F6     mov     eax, [ebp+var_4]  ; eax is immediately overwritten, so the program really wants the
                                            ; remainder left in edx.
CODE:004053F9     movzx   eax, byte ptr [eax+ebx-1]  ; each iteration fetches one byte of the garbled string into
                                            ; eax for the computation that follows.
CODE:004053FE     xor     edx, eax          ; exclusive or; the result in edx is the final decoded character.
CODE:00405400     lea     eax, [ebp+var_18]
CODE:00405403     call    sub_403E2C
CODE:00405408     mov     edx, [ebp+var_18]
CODE:0040540B     lea     eax, [ebp+var_10]
CODE:0040540E     call    sub_403ED4
CODE:00405413     inc     ebx
CODE:00405414     dec     esi
CODE:00405415     jnz     short loc_4053D1


Obviously, this is a piece of decryption code: the keyword "xboy" is used to restore the garbled characters, and observing the result in OD shows that the restored string is again the asterisk-padded Chinese phrase "***Wuhan male student infected downloader***". The function sub_405360 can therefore be renamed DecodeString. We continue the analysis:
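To make the loop above concrete, here is an added Python re-implementation of it (this is not code from the article or from the sample). It assumes that sub_403ECC returns the length of the Delphi string in eax, and that sub_403E2C and sub_403ED4 merely turn the byte in edx into a one-character string and append it to the result; the "plaintext" used for the demonstration is constructed, not the sample's real string.

```python
# Added example: the decryption loop of sub_405360 written out in Python.
# Assumption: sub_403ECC = string length, sub_403E2C/sub_403ED4 = build result string.

KEY = b"xboy"  # the keyword named on the page


def keystream(key: bytes, n: int) -> list:
    """Key byte actually used for each position, as the loop computes it.

    ebx is a 1-based index. After `idiv ecx` edx = ebx mod len(key); `inc edi`
    makes it 1-based, and `[eax+edi-1]` reads key[ebx mod len(key)] (0-based).
    `div ecx` with ecx = 0Ah then keeps only the remainder, i.e. key byte mod 10.
    """
    return [key[ebx % len(key)] % 10 for ebx in range(1, n + 1)]


def decode_string(data: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte of `data` with the matching keystream byte (xor edx, eax).

    Because XOR is its own inverse, the same routine also encodes.
    """
    out = bytearray()
    for ebx, k in enumerate(keystream(key, len(data)), start=1):
        c = data[ebx - 1]              # movzx eax, byte ptr [eax+ebx-1]
        out.append(k ^ c)              # xor edx, eax -> decoded character
    return bytes(out)


def roundtrip_ok(plaintext: bytes, key: bytes = KEY) -> bool:
    """Encode a constructed marker and check that decoding restores it."""
    return decode_string(decode_string(plaintext, key), key) == plaintext


if __name__ == "__main__":
    # Constructed plaintext, standing in for the author's real marker string.
    marker = b"***constructed*marker*string***"
    garbled = decode_string(marker)
    print("keystream for xboy:", keystream(KEY, 8))
    print("garbled  :", garbled)
    print("restored :", decode_string(garbled))
```

Note that with "xboy" the keystream is just 8, 1, 1, 0 repeated, so every fourth byte of the "garbled" text is left untouched and the rest differ from the plaintext in at most four low bits; this is why the obfuscated string is still easy to match with a signature.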

Figure 9 Analysis of function sub_404018

In the first instruction here, [ebp-14h] holds the address of the string decrypted above, while ds:dword_40E7D4 holds the address of the string stored in the heap space allocated earlier. Dynamic analysis in OD makes it easy to determine that sub_404018 compares strings, so it can be renamed StringCmp. Normally the two strings compare equal after the comparison, so the following "jump if equal" is taken and execution continues at loc_40CBBC:

Figure 10 Code at loc_40CBBC

Since the functions have already been analyzed and renamed, what this code does is clear at a glance: first decrypt, then compare strings. The next conditional jump will also be taken, going directly to loc_40CBE6:

Figure 11 Code at loc_40CBE6

Three consecutive CALLs appear here. Due to space limitations, I will analyze them in the next article.


IV. Summary

This article makes a preliminary analysis of the initial part of the disassembled "pandatv" virus sample. Since disassembled code is always full of calls and jumps, the analysis may look messy and may dampen enthusiasm; it shows that reverse analysis demands both patience and attention to detail from the reader. Patience: you need to stay calm and follow every suspicious CALL. Attention to detail: you need to keep watching the contents of the registers to find the information you need. Experience, of course, matters too. The joy of successfully working out a virus's functionality speaks for itself, and it is what draws analysts to keep exploring and finish the job in one sitting. I hope you can use this as a starting point and experience that enjoyment yourself.
