
详解:通过程序行为追踪揪出木马病毒

http://www.weaseek.com  2008-06-27 10:19:35  来源:techweb

附1 - dumbug 的源代码可以从这里获得:

http://www.phenoelit.de/dumbug/dumbugVegasRelease.zip

附2 - 简单的 ApiTracing-plugin for OllyDbg 源代码:

// ApiTracing.c

#define STRICT// Avoids some type mismatches

#include

#include

#include

#include "plugin.h"

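#define VERSIONHI 1     // High plugin version
#define VERSIONLO 0     // Low plugin version

// Log file name. This is a relative path, so the file lands in OllyDbg's
// current working directory: DllEntryPoint truncates it, LogToFile and
// LogBinToFile append to it.
// NOTE: the reproduced listing had the macro name and the string literal
// fused ("LOG_FILENAME\"TraceApi.log\""); C99 6.10.3 requires white-space
// between an object-like macro name and its replacement list, so that form
// does not compile. The three `#include` directives above this block also
// lost their header names in the reproduction; restore them from the
// original source before building.
#define LOG_FILENAME "TraceApi.log"

static HINSTANCE hinst;              // DLL instance, recorded in DllEntryPoint
static BOOL bFastTracing = TRUE;     // TRUE: resume with Run (F9); FALSE: single-step (F7 / Go)
static BOOL bStartTrace = FALSE;     // tracing armed from the menu; cleared by ODBG_Pluginreset

// Declared here but neither defined nor called in the visible listing.
int Execute(char *text, char *answer);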

// DLL entry point. On process attach it records the module handle and starts
// a fresh log file stamped with the plugin version; every other reason is a
// no-op. Always reports success to the loader.
BOOL WINAPI DllEntryPoint(HINSTANCE hi, DWORD reason, LPVOID reserved)
{
    FILE *fLog = NULL;

    (void)reserved;
    if (reason != DLL_PROCESS_ATTACH)
        return 1;

    hinst = hi;   // remember our own module handle

    // "w" truncates whatever a previous run left in TraceApi.log (in
    // OllyDbg's working directory). A failed fopen is deliberately ignored:
    // logging is best-effort and must never prevent the plugin from loading.
    fLog = fopen(LOG_FILENAME, "w");
    if (fLog != NULL) {
        fprintf(fLog, "API tracing plugin v%i.%02i, written by glacier_at_xfocus.org ",
                VERSIONHI, VERSIONLO);
        fclose(fLog);
    }
    return 1;   // report success
}

// Report plugin name and return version of plugin interface.

// Reports the plugin's display name to OllyDbg and returns the plugin
// interface version this code was built against.
extc int _export cdecl ODBG_Plugindata(char shortname[32])
{
    // 11 characters plus the terminator; fits the 32-byte buffer OllyDbg
    // hands in, so the unbounded copy of the original is not a risk here.
    static const char name[] = "API tracing";
    memcpy(shortname, name, sizeof name);
    return PLUGIN_VERSION;
}

// Called once after ODBG_Plugindata. Returns 0 to accept loading, -1 to
// refuse when the running OllyDbg is older than the interface version the
// plugin was compiled against. The window handle and feature bits are unused.
extc int _export cdecl ODBG_Plugininit(int ollydbgversion, HWND hw, ulong *features)
{
    (void)hw;
    (void)features;
    return (ollydbgversion < PLUGIN_VERSION) ? -1 : 0;
}

// Debug-event hook. Intentionally empty: this plugin does all of its work in
// ODBG_Paused and never inspects the raw DEBUG_EVENT stream.
extc void _export cdecl ODBG_Pluginmainloop(DEBUG_EVENT *debugevent)
{
    (void)debugevent;
}

// Function adds items to main OllyDbg menu (origin=PM_MAIN).

// Supplies the plugin's menu. Only the main OllyDbg menu (origin == PM_MAIN)
// gets entries; the ids 0, 1 and 2 in the menu string are the `action`
// values later dispatched by ODBG_Pluginaction. Returns 1 when a menu was
// written, 0 otherwise.
extc int _export cdecl ODBG_Pluginmenu(int origin, char data[4096], void *item)
{
    static const char menu[] = "0 &Fast trace,1 &Slow trace|2 &About";

    (void)item;
    if (origin != PM_MAIN)
        return 0;   // no pop-up menus in OllyDbg's windows

    memcpy(data, menu, sizeof menu);   // well under the 4096-byte buffer
    return 1;
}

// Receives commands from main menu.

// Handles a main-menu command. Ids 0 and 1 arm the trace (fast: resume with
// Run/F9; slow: step with F7) and kick the debuggee off; id 2 shows the
// About box. Anything else is ignored.
extc void _export cdecl ODBG_Pluginaction(int origin, int action, void *item)
{
    char szLine[MAX_PATH] = {0};

    (void)item;
    if (origin != PM_MAIN)
        return;

    if (action == 0 || action == 1) {
        // Both modes arm ODBG_Paused; the mode only decides how execution is
        // resumed there (F9 = run to next pause, F7 = single step).
        bFastTracing = (action == 0) ? TRUE : FALSE;
        bStartTrace = TRUE;
        Sendshortcut(PM_MAIN, 0, WM_KEYDOWN, 0, 0, (action == 0) ? VK_F9 : VK_F7);
    } else if (action == 2) {
        // "About": the formatted text is a few dozen bytes, far below MAX_PATH.
        sprintf(szLine, "API tracing plugin v%i.%02i", VERSIONHI, VERSIONLO);
        MessageBox(0, szLine, "API tracing", MB_OK|MB_ICONINFORMATION);
    }
}

// User opens new or restarts current application.

// Called when the user opens a new debuggee or restarts the current one. The
// armed trace must not carry over; the user re-arms it from the menu.
extc void _export cdecl ODBG_Pluginreset(void) {
    bStartTrace = FALSE;
}

// Asked before OllyDbg shuts down. There is nothing to save, so always
// permit the close (0).
extc int _export cdecl ODBG_Pluginclose(void) {
    return 0;
}

// Final teardown hook. Nothing was allocated, so there is nothing to free.
extc void _export cdecl ODBG_Plugindestroy(void) {
}

// 记录二进制内容

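// Bytes per row of the hex dump. NOTE(review): the row width is not
// recoverable from the reproduced listing (the three loop headers lost
// everything after their '<'); 16 is the conventional choice and is a guess.
enum { HEXDUMP_WIDTH = 16 };

// Append a hex + ASCII dump of pBuf to szFileName.
//
//   szFileName  log file, opened in append mode; silently skipped if it
//               cannot be opened (logging is best-effort, as in LogToFile)
//   pBuf        bytes to dump; NULL logs nothing
//   nSize       byte count. 0 means "pBuf is a NUL-terminated string" and
//               strlen is used, so a zero nSize with an unterminated buffer
//               over-reads — callers must pass the real length for raw data
//
// Each row is: separator, hex column, separator, ASCII column (letters per
// IsCharAlpha or 7-bit printable 0x20..0x7E, else '.'), separator.
// NOTE(review): the separator literals are " " in the reproduction; the
// original may well have used "\n", which the page could have stripped.
// They are kept as reproduced.
void LogBinToFile(char *szFileName, const char *pBuf, int nSize)
{
    FILE *fLog;
    int i, j;
    const unsigned char *ptr = (const unsigned char *)pBuf;

    if (pBuf == NULL)
        return;
    fLog = fopen(szFileName, "a+");
    if (!fLog)
        return;
    if (nSize == 0)
        nSize = (int)strlen(pBuf);

    for (i = 0; i < nSize; i += HEXDUMP_WIDTH) {
        // last row may be short
        int end = (i + HEXDUMP_WIDTH < nSize) ? i + HEXDUMP_WIDTH : nSize;

        fprintf(fLog, " ");
        for (j = i; j < end; j++)
            fprintf(fLog, "%02X ", ptr[j]);
        fprintf(fLog, " ");
        for (j = i; j < end; j++) {
            if (IsCharAlpha(ptr[j]) || (ptr[j] >= 0x20 && ptr[j] < 0x7F))
                fprintf(fLog, "%c", ptr[j]);
            else
                fprintf(fLog, "%c", '.');   // was a smart-quoted '.' in the reproduction
        }
        fprintf(fLog, " ");
    }
    fclose(fLog);
}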

// 格式化记录日志

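// Append printf-style formatted text to szFileName. Best-effort: a file that
// cannot be opened is silently skipped.
//
//   szFileName  log file, opened in append mode
//   szFmt       printf format string. Every caller in this file passes a
//               literal, and it must stay that way: text read out of the
//               debuggee (e.g. the strings ODBG_Paused decodes from stack
//               slots) is attacker-controlled and is passed as a "%s"
//               argument, never as szFmt.
//
// Output longer than sizeof(buff) - 1 characters is truncated.
void LogToFile(char *szFileName, char *szFmt, ...)
{
    FILE *fLog;
    char buff[1024];
    va_list arglist;

    va_start(arglist, szFmt);
    _vsnprintf(buff, sizeof(buff), szFmt, arglist);
    va_end(arglist);
    // _vsnprintf (MSVC/Borland) leaves buff without a terminator when the
    // output is truncated at exactly sizeof(buff); force one so the "%s"
    // below cannot read past the end of buff.
    buff[sizeof(buff) - 1] = '\0';

    fLog = fopen(szFileName, "a+");
    if (!fLog)
        return;
    fprintf(fLog, "%s", buff);
    fclose(fLog);
}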

// 检查是否为ASCII字符串

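// Return TRUE if every byte of the NUL-terminated szLine is printable: a
// letter according to IsCharAlpha, or 7-bit ASCII 0x20..0x7E. A NULL pointer
// yields FALSE. ODBG_Paused uses this to decide whether a stack slot points
// at text that can be logged verbatim instead of hex-dumped.
//
// NOTE(review): in the reproduced listing the "[i]" subscripts had been
// stripped, leaving `while (szLine)` (an endless loop on any non-NULL
// pointer) and a pointer-vs-int comparison that does not compile. The
// subscripts are restored here.
BOOL CheckCharAlpha(char *szLine)
{
    int i;

    if (szLine == NULL)
        return FALSE;
    for (i = 0; szLine[i] != '\0'; i++) {
        // compare as unsigned so bytes >= 0x80 do not turn negative
        unsigned char c = (unsigned char)szLine[i];
        if (!IsCharAlpha(szLine[i]) && (c < 0x20 || c >= 0x7F))
            return FALSE;
    }
    return TRUE;
}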

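enum {
    TRACE_STACK_SLOTS = 8,    // dword slots above ESP that are logged per CALL
    TRACE_DEREF_BYTES = 128   // bytes hex-dumped when a slot is not a text pointer
};

// Log TRACE_STACK_SLOTS dword stack slots starting at uEsp. For each slot the
// value is logged, then — if it looks like a pointer to printable text — the
// text, otherwise a hex dump of the first TRACE_DEREF_BYTES bytes it points
// to (or a bare separator when nothing is readable there).
static void LogStackArgs(unsigned long uEsp)
{
    char szLine[1024];
    unsigned long uSlot = uEsp;
    unsigned long uAddr;
    int nSize, i;

    for (i = 0; i < TRACE_STACK_SLOTS; i++, uSlot += 4) {
        // A failed or partial read must not leave the previous slot's value
        // in uAddr (the original re-used the stale value); treat it as 0.
        if (Readmemory(&uAddr, uSlot, sizeof(uAddr), MM_SILENT) < sizeof(uAddr))
            uAddr = 0;
        LogToFile(LOG_FILENAME, " ESP+%02X (%08X): %08X", i * 4, uSlot, uAddr);

        // Try to decode the slot as an ASCII string. The buffer is cleared
        // first so CheckCharAlpha always sees a terminated string even if
        // Decodeascii does not terminate on its own (not verifiable here).
        memset(szLine, 0, sizeof(szLine));
        nSize = (uAddr == 0) ? 0
                             : Decodeascii(uAddr, szLine, sizeof(szLine) - 1, DASC_ASCII);
        if (nSize > 0 && CheckCharAlpha(szLine)) {
            // Debuggee-controlled text goes in as a "%s" argument, never as
            // the format string.
            LogToFile(LOG_FILENAME, " %s ", szLine);
            continue;
        }

        // Not text: dump whatever is readable at the address (a 0 address
        // simply fails the silent read and logs a bare separator).
        memset(szLine, 0, sizeof(szLine));
        nSize = Readmemory(szLine, uAddr, TRACE_DEREF_BYTES, MM_SILENT);
        if (nSize > 0) {
            LogToFile(LOG_FILENAME, " ");
            LogBinToFile(LOG_FILENAME, szLine, nSize);
        } else {
            LogToFile(LOG_FILENAME, " ");
        }
    }
}

// Called by OllyDbg whenever the debuggee pauses. When tracing is armed:
// disassemble the instruction at the pause address, log it together with
// the top stack slots if it is a CALL, then resume the debuggee — with
// Run (F9) in fast mode, or a single step in slow mode (stepping into the
// call only when its disassembly contains ".0", presumably a plain address
// inside a module rather than a named import; TODO confirm). With no
// register context (reg == NULL; presumably the debuggee has ended) the
// finished log is opened in Notepad instead. Always returns 0.
extc int _export cdecl ODBG_Paused(int reason, t_reg *reg)
{
    char szSrcDec[1024] = {0};
    char szLine[1024] = {0};
    int nSize;
    t_disasm disasm;

    (void)reason;
    if (!bStartTrace)
        return 0;   // not armed from the menu
    if (!reg) {
        ShellExecute(0, "open", "notepad.exe", LOG_FILENAME, NULL, SW_SHOW);
        return 0;
    }

    // Read the command bytes at the pause address; nothing decodable means
    // we leave the debugger paused exactly as the original did.
    nSize = Readcommand(reg->ip, szLine);
    if (nSize <= 0)
        return 0;
    Disasm(szLine, nSize, reg->ip, szSrcDec, &disasm, DISASM_ALL, 0);

    if (strstr(disasm.result, "CALL ")) {
        LogToFile(LOG_FILENAME, " %s ",
                  "------------------------------------------------------");
        LogToFile(LOG_FILENAME, "%08X: %s (%s)", reg->ip, disasm.result, disasm.comment);
        LogToFile(LOG_FILENAME, " %s ",
                  "------------------------------------------------------");
        LogStackArgs(reg->r[4]);   // r[4] is ESP: the would-be arguments
    }

    // Resume execution.
    if (bFastTracing) {
        Sendshortcut(PM_MAIN, 0, WM_KEYDOWN, 0, 0, VK_F9);
    } else {
        int step = strstr(disasm.result, ".0") ? STEP_IN : STEP_OVER;
        Go(0, reg->ip, step, 1, 0);
    }
    return 0;
}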
