Virus and Trojan Analysis: Reverse Analysis of Panda Burning Incense (Middle)
I. Preface
The previous article walked through the analysis of the disassembly at the entry point of the "Panda Burning Incense" virus sample. Although the core of the virus has not yet been examined, the analysis that follows continues the same line of thought. In the core we are likely to meet more and more API functions, and analyzing each call by the parameters passed to it makes the virus behaviour much easier to understand. Every CALL we analyze should be renamed to something we can understand; this also helps with the analysis of the code that follows.
II. Virus Function Analysis
At the end of the previous article, three CALLs were left unanalyzed. Now I will enter the first of them, sub_408024:
Figure 1 Starting position of sub_408024
The program first assigns 0x84 to ecx, which is the loop counter. Two push 0 instructions follow; each push opens up 8 bytes (32 bits) of space, so each pass of the loop obtains 16 bytes, and the loop repeats ecx times. The purpose of this code is therefore to reserve a region of memory. Next:
Figure 2 analysis function sub_40277C
The sub_40277C function appears at the end of this code. Following it, we see the following code:
Figure 3 sub_40277C
It can be seen that sub_40277C mainly calls the GetModuleFileNameA API, which obtains the full path of the module file loaded by the current process. We can therefore rename sub_40277C to GetFilePathAndName. After this call returns, OD shows the following:
Figure 4 obtain the complete path of the current process
Next:
Figure 5 sub_405684 Function Analysis
Note that [ebp+var_3B8] in the first instruction holds the address of the path obtained in Figure 4, and it is moved into eax. Enter sub_405684 for analysis. This function contains a loop, which is what we focus on. Using OD for dynamic analysis:
Figure 6 loop structure in sub_405684
It is hard to understand the role of this loop from static analysis alone. Single-stepping it in OD and watching the register values, however, makes the purpose of the code clear: it takes the full file path obtained earlier and scans it one byte at a time from the end towards the beginning until it meets a byte with ASCII value 0x5C, 0x2F or 0x3A, at which point it leaves the loop. 0x5C is the character "\", so this code obtains either the file name or the path without the file name. Entering the CALL in the last instruction, we quickly find:
Figure 7 string copy
It can be seen that the program copies the path without the file name into the previously reserved space, so sub_405684 can be renamed GetFilePath. Next:
Figure 8 sub_403ED4 Function Analysis
The first instruction moves the address of the path (without the file name) into eax, and the next moves the address of the string "Desktop_.ini" into edx. Enter sub_403ED4 for analysis:
Figure 9 string connection code
When analyzing sub_405684 (GetFilePath), we saw that the last CALL in that code copies a string to a specified location. Here it copies the string "Desktop_.ini" to the end of the path string obtained earlier. sub_403ED4 therefore performs string concatenation, and we rename it StringCat. Continuing the analysis:
Figure 10 sub_4057A4 Function Analysis
The first instruction moves the address of the path string just built into eax, and then sub_4057A4 is called. Entering this function, we find:
Figure 11 file search function
FindFirstFileA is called here, which shows that the code is searching for the "Desktop_.ini" file; in other words, sub_4057A4 checks whether the file exists. We can rename it CheckFileExist. Next:
Figure 12 setting file attributes
With the analysis and renaming done so far, the role of this piece of code is obvious. It first branches on the result of the search in the previous block: if Desktop_.ini exists in the current directory, the file's attributes are changed to NORMAL. Next:
Figure 13 File Deletion
After sleeping for 1 ms, Desktop_.ini is deleted. In Figure 12 there is an unknown function sub_4040CC; entering it, we see:
Figure 14 analyze the sub_4040CC Function
This function checks whether the path of the file to be deleted is null, so sub_4040CC can be renamed CheckPath. Of course, the above analysis assumes that Desktop_.ini exists. If the file does not exist, the program jumps straight to loc_408110 and continues there:
Figure 15 analyze the sub_4078E0 Function
Here the last instruction calls sub_4078E0. This function turns out to be long and to call many other functions, and at first glance it is not clear what it actually does. In such a case we can ignore the implementation details and look only at what has changed in the registers and elsewhere once the function has executed, that is, compare the registers and memory the program uses before and after the call. With OD these changes are easy to spot:
Figure 16 changes after the sub_4078E0 function is executed (partial)
It can be seen that, after obtaining the path of the current file, the function writes a large number of seemingly meaningless characters over a wide area of memory. Combined with the ASCII decoding shown on the right, this can be understood as a dictionary for brute-force cracking: the virus author attempts to brute-force some verification mechanisms on the computer. Only a small part of the changes is shown here; the virus writes a good deal of other information as well, and interested readers can examine the changes themselves. We will not go into the details here; what matters is the behavioural information this gives us about the virus. We can therefore rename sub_4078E0 to WriteVirusInfoToMem. Next:
Figure 17 analyze the sub_403C44 Function
After the first instruction executes, eax holds the address ebp+var_8. In OD you can see that this address holds 0, which can be taken to mean there is no data. A CALL follows; let us enter it and take a look:
Figure 18 enter the sub_403C44 Function
Here the value at the address held in eax, namely 0, is loaded into edx. Since the value in edx is 0, the test instruction sets ZF to 1, the jump condition is met, and the function completes. If the value in edx were not 0, the following instruction would set the value at the address held in eax to 0. So this function does not appear to implement any clearly defined functionality; we may regard it as setting a flag and rename sub_403C44 to SetZeroFlags. Continuing the analysis:
Figure 19 sub_403ECC Function Analysis
Combined with OD, you can see that the first instruction obtains the starting address of the file in memory. Then enter sub_403ECC to look:
Figure 20 go to sub_403ECC to view
It should be particularly emphasized that, because this virus is written in Delphi, the four bytes at the string's starting address minus 4 hold the length of the string. That is, [eax-4] in this code is the length of the file that eax points to. We can therefore rename sub_403ECC to GetFileLen. After obtaining the file length, the program jumps to loc_408163 and executes:
Figure 21 loc_408163
After obtaining the file length, this code first checks whether the length is 0. Because the file really exists, the following jump is not taken. Next, eax holds the starting address of the file and ebx the file length, so the comparison in the last two instructions checks whether the last byte of the file is 0; if it is 0, the following jump is not taken. Dynamic analysis in OD shows that the final byte of the file here is 0, so the jump is not taken and execution continues downwards.
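The [eax-4] length read in Figure 20 and the two tests at loc_408163 are easier to reason about with the Delphi string layout laid out explicitly. The following added C model (example code for this article, not the sample's own code) builds a buffer in the 32-bit Delphi AnsiString layout that GetFileLen relies on, reads the length from the four bytes before the data pointer, and applies the two checks in the order the article describes. The function names and the sample bytes are constructed assumptions; the layout itself (reference count at offset -8, length at -4, data, then a terminating NUL) is the documented Delphi AnsiString format.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 32-bit Delphi AnsiString header: 4-byte reference count, then 4-byte length;
 * the pointer passed around (what eax holds in the sample) points at the data. */
#define DELPHI_HDR 8

/* Lay out `data` in `storage` as a Delphi string and return the data pointer,
 * i.e. the value a compiled Delphi routine would receive in eax. */
char *make_delphi_string(char *storage, size_t storage_len,
                         const unsigned char *data, uint32_t len)
{
    if (storage_len < DELPHI_HDR + (size_t)len + 1)
        return NULL;                      /* not enough room for header + NUL */
    int32_t refcount = 1;
    memcpy(storage, &refcount, 4);        /* [ptr-8]: reference count */
    memcpy(storage + 4, &len, 4);         /* [ptr-4]: length, what GetFileLen reads */
    memcpy(storage + DELPHI_HDR, data, len);
    storage[DELPHI_HDR + len] = '\0';     /* Delphi keeps a trailing NUL */
    return storage + DELPHI_HDR;
}

/* Model of sub_403ECC ("GetFileLen"): the length lives at [eax-4].
 * Delphi represents an empty string as a nil pointer, which reads as length 0. */
uint32_t get_file_len(const char *s)
{
    uint32_t len;
    if (s == NULL)
        return 0;
    memcpy(&len, s - 4, 4);
    return len;
}

/* Model of the checks at loc_408163: execution only continues downwards when
 * the length is non-zero AND the last byte of the file is 0; otherwise one of
 * the two conditional jumps is taken. Returns 1 when execution continues. */
int loc_408163_continues(const char *s)
{
    uint32_t len = get_file_len(s);
    if (len == 0)
        return 0;                         /* first test: empty file -> jump away */
    return (unsigned char)s[len - 1] == 0; /* second test: last byte must be 0 */
}

int main(void)
{
    char storage[64];
    /* constructed file bytes for illustration, ending in a zero byte */
    const unsigned char bytes[] = { 0x4D, 0x5A, 0x90, 0x00 };
    char *s = make_delphi_string(storage, sizeof storage, bytes, sizeof bytes);
    printf("len=%u continues=%d\n", get_file_len(s), loc_408163_continues(s));
    return 0;
}
```

Reading the length from the header rather than scanning for a NUL is what lets the sample handle binary file contents that contain embedded zero bytes, which is also why, when you reconstruct such routines during analysis, you should treat a Delphi string pointer as (length, bytes) and not as a C string.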
The analysis of the remaining code is left to the next article.
III. Summary
After a whole article, I still have not completely analyzed even one complete functional block of the virus. The main reason is that I wanted to explain things in detail so that everyone understands the function of each CALL. The next and final article in this series will not be able to cover the entire virus either, but I believe that as long as you are diligent and understand the basic principles of reverse analysis, "Panda Burning Incense" is nothing more than that.