Sunday, November 19, 2006

Reversing AutoIt

A friend at REAOnline just showed me how to decompile every kind of virus written in AutoIt. I tried it and it worked on every AutoIt virus sample I have. The procedure is as follows:

1. Use file, objdump and strings on Linux (or PEiD if you are on Windows) to determine which packer the virus was packed with. Every AutoIt virus I have run into uses UPX.

2. Unpack the virus; remember to keep a backup of the original.

3. Load the unpacked virus into OllyDbg.

4. Right click --> Search for --> All referenced text strings.

5. Right click --> Search for text --> type >autoit script<, uncheck Case sensitive, check Entire scope, press Enter, and double click the line containing the ASCII string ">AUTOIT SCRIPT<".

6. In OllyDbg's CPU window you will see the following lines:
PUSH game-enc.0045222C ; |Arg1 = 0045222C ASCII ">AUTOIT SCRIPT<"
LEA EAX,DWORD PTR SS:[EBP-18] ; |
CALL game-enc.0043F025 ; \game-enc.0043F025
TEST EAX,EAX

7. Select the line CALL game-enc.0043F025 just before TEST EAX,EAX and press F2 or double click to set a breakpoint there.

8. Press F9 to run the virus inside OllyDbg. OllyDbg will run from the start until it stops at the breakpoint set above.

9. Press F8 to step to the next instruction, TEST EAX,EAX.

10. Look at the Registers (FPU) window and find the ECX register. The memory region this register points to is the virus's AutoIt source code.
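As an added example (not from the original post, and not an OllyDbg feature), here is a small Python triage script that does steps 1 and 5 statically before you open a debugger: it parses the PE section table and looks for UPX's default section names (UPX0/UPX1), and it scans the file for the ">AUTOIT SCRIPT<" marker in both ASCII and UTF-16LE. The two inputs are constructed, minimal fake PE images built inline, not real samples; a genuinely UPX-packed binary normally keeps the marker inside the compressed section, which is exactly why the post unpacks first and only then searches for the string.

```python
import struct

# The marker the post searches for in OllyDbg, plus UPX's default section names.
AUTOIT_MARKER = b">AUTOIT SCRIPT<"
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def _section_header(name: bytes) -> bytes:
    """Build a 40-byte IMAGE_SECTION_HEADER with only the 8-byte name filled in."""
    return name.ljust(8, b"\0") + b"\0" * 32


def build_sample(section_names, include_marker: bool) -> bytes:
    """Constructed fake PE image (demo only): DOS stub, PE signature, COFF header,
    section table, then a body that may carry the marker in ASCII and UTF-16LE."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(_section_header(n) for n in section_names)
    body = b"\0" * 16
    if include_marker:
        body += AUTOIT_MARKER + b"\0" * 8 + AUTOIT_MARKER.decode().encode("utf-16-le")
    return dos + b"PE\0\0" + coff + sections + body


def pe_section_names(data: bytes) -> list:
    """Return the section names from the PE section table, or [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    if coff + 20 > len(data):
        return []
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            break                          # truncated table: stop rather than misparse
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def find_marker_offsets(data: bytes, marker: bytes = AUTOIT_MARKER) -> dict:
    """All offsets of the marker, both as ASCII and as UTF-16LE (Unicode builds)."""
    hits = {"ascii": [], "utf16le": []}
    needles = (("ascii", marker), ("utf16le", marker.decode().encode("utf-16-le")))
    for enc, needle in needles:
        pos = data.find(needle)
        while pos != -1:
            hits[enc].append(pos)
            pos = data.find(needle, pos + 1)
    return hits


def triage(data: bytes) -> dict:
    """Static first look: is it a PE, is it UPX-packed, is the AutoIt marker visible?"""
    names = pe_section_names(data)
    hits = find_marker_offsets(data)
    return {
        "is_pe": bool(names),
        "sections": names,
        "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
        "autoit_marker": hits,
        "looks_like_autoit": bool(hits["ascii"] or hits["utf16le"]),
    }


if __name__ == "__main__":
    # Packed-like: UPX sections, marker not visible. Unpacked-like: marker visible.
    for label, sample in (("packed-like", build_sample([b"UPX0", b"UPX1"], False)),
                          ("unpacked-like", build_sample([b".text", b".rsrc"], True))):
        print(label, triage(sample))
```

On a real file you would call `triage(open(path, "rb").read())`; if `upx_packed` is true and the marker is absent, unpack (step 2) and run it again, and only then move on to OllyDbg. A hit only tells you the marker string is present, not where the script is stored, so it is a triage signal rather than a substitute for the debugger steps above.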

Good luck.

10 comments:

Anonymous said...

Sorry for posting something off-topic, but since conmale is here, let me ask: when will HVA be back? I miss HVA so much.

conmale said...

HVA will be back one day soon. As soon as the connection and all the formalities are done, the forum will open.

Anonymous said...

Thanks Thai for sharing,

btw, there are at least 2 solutions for that AutoIt-reverse-engineering:
- encode the source codes before compiling.
- hack the Aut2Exe.exe to change the signature (">AUTOIT SCRIPT<")

Both are a bit difficult to implement; they were devised at least 2 months ago. Fortunately, the current malicious scripts are from kiddies and not creative at all.

Anonymous said...

@ conmale: it will be effective and practical, won't it?
Hope HVA and everyone come back soon!

Anonymous said...

AutoIt shares its VC++ source code, so based on that source I wrote myself an unreleased tool that can pull out the source code, i.e. decompile any AutoIt exe back into AutoIt source.
Why does AutoIt get so much ink? There is nothing special about it; it is just a script interpreter.
ThangCuAnh

Anonymous said...

Hello, I tried this method on the worm SSCVIIHOST.exe from nhatquanglan11.exe but did not succeed. Could you decompile its source code and post it here?
Download link from http://www.freewebs.com/chuafile

Although ntd could not read the source code, ntd used Filemon, Regmon, RegAlyzer and RunAlyzer to trace the changes this worm makes on the system, but it is not clear whether that is completely correct. If you have time, could you comment on the following script that ntd wrote to remove that worm? ntd wrote this script to remove 5 worms and trojans that ntd's computer was infected with.

'*************************************************************************
' DESCRIPTION
'
' This script is designed to help you remove:
' 1/ W32/Hakaglan.worm.gen (http://vil.nai.com/vil/content/v_142233.htm)
' 2/ BackDoor-AVW (http://vil.nai.com/vil/content/v_103064.htm)
' 3/ Keylog-Perfect (http://vil.nai.com/vil/content/v_100257.htm)
' 4/ NTRootKit-W (http://vil.nai.com/vil/content/v_139108.htm)
' 5/ W32/Bagle.ea (http://vil.nai.com/vil/content/v_139038.htm)
'*************************************************************************

Option Explicit

' SCRIPT CONFIGURATION
Dim WshShell, DocDir, TmpDir, WinDir, SysDir
Dim strComp, strLogs, arrProcs(10), arrFiles(51)

Set WshShell = WScript.CreateObject("WScript.Shell")
DocDir = WshShell.ExpandEnvironmentStrings("%UserProfile%") & chr(92)
TmpDir = WshShell.ExpandEnvironmentStrings("%Temp%") & chr(92)
WinDir = WshShell.ExpandEnvironmentStrings("%WinDir%") & chr(92)
SysDir = WinDir & "system32"

strComp = "." ' Can be changed to name of remote computer
strLogs = ""

' Process Names (in lowercase)
arrProcs(0) = "rvhost.exe"
arrProcs(1) = "ssvichosst.exe"
arrProcs(2) = "sscviihost.exe"
arrProcs(3) = "new folder.exe"
arrProcs(4) = "hinhem.scr"
arrProcs(5) = "blastclnnn.exe"
arrProcs(6) = "skcvhost.exe"
arrProcs(7) = "systems.exe"
arrProcs(8) = "hidr.exe"
arrProcs(9) = "m_hook.sys"

' W32/Hakaglan.worm.gen (nhattruongquang, nhatquanglan[*], hinhem, etc.)
arrFiles(0) = WinDir & "RVHOST.exe"
arrFiles(1) = WinDir & "SSVICHOSST.exe"
arrFiles(2) = WinDir & "SSCVIIHOST.exe"
arrFiles(3) = WinDir & "Tasks\At1.job"
arrFiles(4) = SysDir & "nhatquanglan9.exe"
arrFiles(5) = SysDir & "nhatquanglan11.exe"
arrFiles(6) = SysDir & "SSVICHOSST.exe"
arrFiles(7) = SysDir & "SSCVIIHOST.exe"
arrFiles(8) = SysDir & "New Folder.exe"
arrFiles(9) = SysDir & "hinhem.scr"
arrFiles(10) = SysDir & "blastclnnn.exe"
arrFiles(11) = SysDir & "autorun.ini"
arrFiles(12) = SysDir & "setting.ini"
arrFiles(13) = SysDir & "setting.xls"
arrFiles(14) = SysDir & "setting.doc"

' BackDoor-AVW
arrFiles(15) = WinDir & "services.exe"
arrFiles(16) = WinDir & "ktd32.atm"
arrFiles(17) = WinDir & "system\sservice.exe"
arrFiles(18) = SysDir & "fservice.exe"
arrFiles(19) = SysDir & "server.exe"
arrFiles(20) = SysDir & "reginv.dll"
arrFiles(21) = SysDir & "winkey.dll"

' Keylog-Perfect
arrFiles(22) = SysDir & "SKCVHOST.exe"
arrFiles(23) = SysDir & "SKCVHOSTr.exe"
arrFiles(24) = SysDir & "SKCVHOSThk.dll"
arrFiles(25) = SysDir & "SYSTEMS.exe"
arrFiles(26) = SysDir & "SYSTEMShk.dll"
arrFiles(27) = SysDir & "SYSTEMShk.dll"
arrFiles(28) = SysDir & "apps.dat"
arrFiles(29) = SysDir & "bpk.bin"
arrFiles(30) = SysDir & "bpk.dat"
arrFiles(31) = SysDir & "bpk.exe"
arrFiles(32) = SysDir & "bpkch.dat"
arrFiles(33) = SysDir & "bsdhooks.dll"
arrFiles(34) = SysDir & "inst.dat"
arrFiles(35) = SysDir & "inst.tmp"
arrFiles(36) = SysDir & "kw.dat"
arrFiles(37) = SysDir & "mc.dat"
arrFiles(38) = SysDir & "pk.bin"
arrFiles(39) = SysDir & "rinst.dat"
arrFiles(40) = SysDir & "rinst.exe"
arrFiles(41) = SysDir & "titles.dat"
arrFiles(42) = SysDir & "web.dat"
arrFiles(43) = SysDir & "web.dll"
arrFiles(44) = SysDir & "keystrokes.html"
arrFiles(45) = SysDir & "websites.html"
arrFiles(46) = SysDir & "chats.html"
arrFiles(47) = SysDir & "report.txt"

' W32/Bagle.ea
arrFiles(48) = DocDir & "Application Data\hidires\hidr.exe"
arrFiles(49) = DocDir & "Application Data\hidires\m_hook.sys"
arrFiles(50) = SysDir & "wintems.exe"

' RESTORE REGISTRY
' W32/Hakaglan.worm.gen
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shares"
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger"
setRegVal "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe", "REG_SZ"
delRegVal "HKLM\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours"

' BackDoor-AVW
delRegVal "HKCR\CLSID\{1D1B2879-99FF-11E3-8D96-D7ACAC95952A}"
delRegVal "HKCR\TypeLib\{1D1B286C-99FF-11E3-8D96-D7ACAC95952A}"
delRegVal "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}"

' Keylog-Perfect
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bpk"
delRegVal "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SYSTEMS"

' NTRootKit-W
delRegVal "HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_M_HOOK"
delRegVal "HKLM\SYSTEM\ControlSet001\Services\m_hook"
delRegVal "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_M_HOOK"

' W32/Bagle.ea
delRegVal "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvsyskit"

If strLogs <> "" Then
WScript.Echo "Scanning in process: " & VBCrLf & VBCrLf & strLogs
strLogs = ""
End If

' VBScript parameters take no type annotation; "As String" is VB6/VBA syntax and is a syntax error here
Sub setRegVal(ByVal Target, ByVal Value, ByVal Reg)
On Error Resume Next
WshShell.RegWrite Target, Value, Reg
If Err = 0 Then
strLogs = strLogs & ".. Set value of " & Target & " to " & Value & VBCrLf
End If
Err.Clear
On Error Goto 0
End Sub

Sub delRegVal(ByVal Target)
On Error Resume Next
WshShell.RegDelete Target
If Err = 0 Then
strLogs = strLogs & ".. Deleted value: " & Target & VBCrLf
End If
Err.Clear
On Error Goto 0
End Sub

' KILL 'EM
' Without On Error Resume Next a failed WMI/FSO connection aborts the script before the Err check below
On Error Resume Next
Dim objWMI : Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComp & "\root\cimv2")
Dim objFSO : Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")
Dim connErr : connErr = Err.Number
Err.Clear
On Error Goto 0

If connErr = 0 Then
KillProcs
Set objWMI = Nothing
Set objFSO = Nothing
End If

Sub KillProcs
' Variables
Dim objProc, objFile
Dim strFile, i

' Kill process if running
Dim colProc : Set colProc = objWMI.ExecQuery("Select Name from Win32_Process")
For Each objProc in colProc
For i=0 to UBound(arrProcs)
If arrProcs(i) = LCase(CStr(objProc.Name)) Then
objProc.Terminate()
strLogs = strLogs & ".. Terminated process: " & arrProcs(i) & VBCrLf
Exit For
End If
Next
Next

Set colProc = Nothing
Set objProc = Nothing

' Delete file
For i=0 to UBound(arrFiles)
RemoveFile arrFiles(i)
Next

' Delete folder
If objFSO.FolderExists(DocDir & "Application Data\hidires") Then
Dim objFolder : Set objFolder = objFSO.GetFolder(DocDir & "Application Data\hidires")
objFolder.Attributes = 0
objFolder.Delete
Set objFolder = Nothing
End If

' Empty TEMP folder
RemoveTmpFolder TmpDir

If strLogs <> "" Then
WScript.Echo "Scanning in process: " & VBCrLf & VBCrLf & strLogs
End If
End Sub

Sub RemoveTmpFolder(ByVal Target)
On Error Resume Next
Dim tmpDir : Set tmpDir = objFSO.GetFolder(Target)
Dim tmpFolder, tmpFile

For Each tmpFile In tmpDir.Files
tmpFile.Attributes = 0
tmpFile.Delete
Next

For Each tmpFolder In tmpDir.SubFolders
RemoveTmpFolder tmpFolder.Path
tmpFolder.Attributes = 0
tmpFolder.Delete
Next

Set tmpDir = Nothing
Set tmpFolder = Nothing
Set tmpFile = Nothing
On Error Goto 0
End Sub

Sub RemoveFile(ByVal Target As String)
On Error Resume Next
If objFSO.FileExists(Target) Then
Dim objFile : Set objFile = objFSO.GetFile(Target)
objFile.attributes = 0
objFile.Delete
Set objFile = Nothing
strLogs = strLogs & ".. Deleted file: " & Target & VBCrLf
End If
On Error Goto 0
End Sub

' BYE
WScript.Echo "Done!"
WScript.Quit

Anonymous said...

I really want to do exactly what you did. However, with the following file I am stuck. If you can, please help me.
http://rapidshare.com/files/45844082/Pinnacle.exe.html

Anonymous said...

I almost succeeded, but failed at the very last step.
This one:

10. Look at the Registers (FPU) window and find the ECX register. The memory region this register points to is the virus's AutoIt source code.

I found ECX; the memory it points to looks like this, for example:

ECX 00D90048 ASCII "; AUT2EXE VERSION: 3.2.0.1

; ----------------------------------------------------------------------------
; AUT2EXE INCLUDE-START: D:\Program Files\AutoIt3\ken\vnn.au3
; -------------------------------------------------------

I cannot find the AutoIt source code anywhere. Please show me. Thanks

BM Đốm said...

Could you decompile this for me?
https://dombm.googlecode.com/files/Auto%20Farm%20Sky%20v23a.rar

Thanh Ngi said...

http://lix.444play.com/download/WJXSmartFocus460.zip
please decompile this for me: ken07.epu@gmail.com