---
title: ghidra
tags: malware
---
[TOC]
# WannaCry
[ghidra.ninja](https://www.ghidra.ninja/posts/03-wannacry-1/)
## Edit data type (Edit Function Signature)
- there is no `main` -> start reading from `entry`
- `entry` is the default Microsoft CRT startup stub, not the program's own code
- [csdn - OEP](https://blog.csdn.net/kkfd1002/article/details/79832269)
- `GetModuleHandleA(NULL)` is called by the startup stub to get the `hInstance` that it passes on to `WinMain`
- the stub ends with `exit(WinMain(...))`
- so `local_6c` is `WinMain` -> [MSDN](https://docs.microsoft.com/zh-tw/windows/win32/learnwin32/winmain--the-application-entry-point)
- ```int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);```
- drop `WINAPI` (Ghidra's signature parser doesn't know the macro; pick `__stdcall` from the calling-convention dropdown instead) and the `w` prefix -> ```int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow)```
- caveat: the ANSI `WinMain` actually takes `LPSTR lpCmdLine`; `PWSTR` is only correct for `wWinMain`. This binary uses the `*A` APIs throughout, so `LPSTR` is the type to use for the third parameter
## Kill Switch
- inside `WinMain` there is an odd-looking URL -> this is the kill switch
- change the variable name, fix the data type
- here there are only two instructions; reading the assembly directly, they repeatedly copy one variable into a block of memory (a `rep movs`-style copy of the URL constant into a stack buffer) -> an inlined `strcpy`
## InternetOpenA, InternetOpenUrlA
:::success
```c=
HINTERNET InternetOpenA(
LPCSTR lpszAgent,
DWORD dwAccessType,
LPCSTR lpszProxy,
LPCSTR lpszProxyBypass,
DWORD dwFlags
);
```
:::
- when there is no matching function type yet, add it yourself under Data Types
- fix data type
:::success
```c=
HINTERNET InternetOpenUrlA(
HINTERNET hInternet,
LPCSTR lpszUrl,
LPCSTR lpszHeaders,
DWORD dwHeadersLength,
DWORD dwFlags,
DWORD_PTR dwContext
);
```
:::
- fix data type
==**Sometimes the function type shown on MSDN is wrong or doesn't resolve in Ghidra; check the parameter count and types against the arguments actually pushed before the call!!!**==
## GetModuleFileNameA
:::info
GetModuleFileNameA
```cpp=
DWORD GetModuleFileNameA
(
HMODULE hModule,
LPSTR lpFilename,
DWORD nSize
);
```

`lpFilename` -> rename the buffer to `ExecutablePath`; when `hModule` is `NULL` the call fills it with the full path of the current process's executable
:::
## (int *)__p___argc();

| | Release | Debug |
| -------- | -------- | -------- |
| x64 | __p___argc() | j___p___argc |
| x86 | _get_wide_winmain_command_line | j__get_wide_winmain_command_line |

[stackoverflow](https://stackoverflow.com/questions/54655387/assembly-return-value-of-p-argv)

- here the function type can be fixed -> ```int * __p___argc (void)``` (it returns a pointer to the CRT's `__argc`)
## Create_wannacry_service
:::success
- sprintf -> format string
```c=
int sprintf(
char *buffer,
const char *format [,
argument] ...
);
```
e.g. if the file path is C:\Users\Dung\Desktop\Malware\test\wannacry.exe
the buffer will hold
C:\Users\Dung\Desktop\Malware\test\wannacry.exe -m security
(the format string is `"%s -m security"`; this buffer becomes the service's binary path below)
:::
:::info
- OpenSCManagerA
    - 0x0 (lpMachineName)
        - NULL -> the function connects to the service control manager on the local computer.
    - 0x0 (lpDatabaseName)
        - If it is NULL, the SERVICES_ACTIVE_DATABASE database is opened by default.
    - 0xf003f (dwDesiredAccess)
        - SC_MANAGER_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x3F), which includes the SC_MANAGER_CREATE_SERVICE right that CreateServiceA below needs
:::
:::success
- if the SCManager was opened successfully and an SC_HANDLE was returned
- CreateServiceA
```c=
SC_HANDLE CreateServiceA(
SC_HANDLE hSCManager,
LPCSTR lpServiceName,
LPCSTR lpDisplayName,
DWORD dwDesiredAccess,
DWORD dwServiceType,
DWORD dwStartType,
DWORD dwErrorControl,
LPCSTR lpBinaryPathName,
LPCSTR lpLoadOrderGroup,
LPDWORD lpdwTagId,
LPCSTR lpDependencies,
LPCSTR lpServiceStartName,
LPCSTR lpPassword
);
```
- s_mssecsvc2.0_004312fc
    - lpServiceName = "mssecsvc2.0"
- s_Microsoft_Security_Center_(2.0)_S_00431308
    - lpDisplayName = "Microsoft Security Center (2.0) Service"
- 0xf01ff
    - dwDesiredAccess = SERVICE_ALL_ACCESS
- 0x10
    - dwServiceType = SERVICE_WIN32_OWN_PROCESS (the service runs in its own process)
- 0x2
    - dwStartType = SERVICE_AUTO_START
- 0x1
    - dwErrorControl = SERVICE_ERROR_NORMAL
- buffer_exec_with_path
    - lpBinaryPathName = the `<path to wannacry.exe> -m security` string built by sprintf above
- 0x0
    - lpLoadOrderGroup: Specify NULL or an empty string if the service does not belong to a group.
- 0x0
    - lpdwTagId: Specify NULL if you are not changing the existing tag.
- 0x0
    - lpDependencies: Specify NULL or an empty string if the service has no dependencies.
- 0x0
    - lpServiceStartName: If this parameter is NULL, CreateService uses the LocalSystem account. If the service type specifies SERVICE_INTERACTIVE_PROCESS, the service must run in the LocalSystem account.
-> In short: this only succeeds if the dropper already runs with administrator rights (it needs SC_MANAGER_CREATE_SERVICE on the SCM); the trailing parameters are all NULL, so the service runs as LocalSystem, and because it is SERVICE_AUTO_START it starts at every boot. This is the persistence mechanism.
:::
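The numeric arguments above are what Ghidra shows before you annotate them. The following is an added example, not code from the page or from the WannaCry sample: a small decoder that turns the raw `OpenSCManagerA` / `CreateServiceA` constants into their `winsvc.h` names, plus the bounded equivalent of the `sprintf` that builds `lpBinaryPathName`. The constant values are the real Win32 ones, written out inline so it compiles without `windows.h`; the example path is the one from the note above.

```c
/* Added example (not code from the page or from the WannaCry sample): decode the
 * raw constants Ghidra shows as OpenSCManagerA / CreateServiceA arguments into
 * their winsvc.h names, and rebuild the lpBinaryPathName string. Constant values
 * are the real Win32 ones, written out here so this compiles without windows.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct flag { uint32_t value; const char *name; };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Composite masks first, so an exact *_ALL_ACCESS match wins over its bits. */
static const struct flag sc_manager_access[] = {
    { 0xF003F, "SC_MANAGER_ALL_ACCESS" },          /* STANDARD_RIGHTS_REQUIRED | 0x3F */
    { 0x0001, "SC_MANAGER_CONNECT" },
    { 0x0002, "SC_MANAGER_CREATE_SERVICE" },
    { 0x0004, "SC_MANAGER_ENUMERATE_SERVICE" },
    { 0x0008, "SC_MANAGER_LOCK" },
    { 0x0010, "SC_MANAGER_QUERY_LOCK_STATUS" },
    { 0x0020, "SC_MANAGER_MODIFY_BOOT_CONFIG" },
};
static const struct flag service_access[] = {
    { 0xF01FF, "SERVICE_ALL_ACCESS" },             /* STANDARD_RIGHTS_REQUIRED | 0x1FF */
    { 0x0001, "SERVICE_QUERY_CONFIG" },   { 0x0002, "SERVICE_CHANGE_CONFIG" },
    { 0x0004, "SERVICE_QUERY_STATUS" },   { 0x0008, "SERVICE_ENUMERATE_DEPENDENTS" },
    { 0x0010, "SERVICE_START" },          { 0x0020, "SERVICE_STOP" },
    { 0x0040, "SERVICE_PAUSE_CONTINUE" }, { 0x0080, "SERVICE_INTERROGATE" },
    { 0x0100, "SERVICE_USER_DEFINED_CONTROL" },
};
static const struct flag service_type[] = {
    { 0x001, "SERVICE_KERNEL_DRIVER" },     { 0x002, "SERVICE_FILE_SYSTEM_DRIVER" },
    { 0x010, "SERVICE_WIN32_OWN_PROCESS" }, { 0x020, "SERVICE_WIN32_SHARE_PROCESS" },
    { 0x100, "SERVICE_INTERACTIVE_PROCESS" },
};
static const struct flag start_type[] = {
    { 0, "SERVICE_BOOT_START" }, { 1, "SERVICE_SYSTEM_START" }, { 2, "SERVICE_AUTO_START" },
    { 3, "SERVICE_DEMAND_START" }, { 4, "SERVICE_DISABLED" },
};
static const struct flag error_control[] = {
    { 0, "SERVICE_ERROR_IGNORE" }, { 1, "SERVICE_ERROR_NORMAL" },
    { 2, "SERVICE_ERROR_SEVERE" }, { 3, "SERVICE_ERROR_CRITICAL" },
};

/* Bitmask decoder: names every table entry fully contained in v, in table
 * order, and appends any bits that no entry names as a hex leftover. */
static const char *decode_mask(uint32_t v, const struct flag *tbl, size_t n,
                               char *out, size_t outsz)
{
    out[0] = '\0';
    for (size_t i = 0; i < n && v != 0; i++) {
        if (tbl[i].value != 0 && (v & tbl[i].value) == tbl[i].value) {
            if (out[0] != '\0') strncat(out, " | ", outsz - strlen(out) - 1);
            strncat(out, tbl[i].name, outsz - strlen(out) - 1);
            v &= ~tbl[i].value;
        }
    }
    if (v != 0) {
        char rest[32];
        snprintf(rest, sizeof rest, "%s0x%x", out[0] ? " | " : "", (unsigned)v);
        strncat(out, rest, outsz - strlen(out) - 1);
    }
    return out;
}

/* Enumeration decoder: the value must match one entry exactly. */
static const char *decode_enum(uint32_t v, const struct flag *tbl, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tbl[i].value == v) return tbl[i].name;
    return "<unknown>";
}

const char *decode_sc_manager_access(uint32_t v, char *out, size_t outsz)
{ return decode_mask(v, sc_manager_access, COUNT(sc_manager_access), out, outsz); }
const char *decode_service_access(uint32_t v, char *out, size_t outsz)
{ return decode_mask(v, service_access, COUNT(service_access), out, outsz); }
const char *decode_service_type(uint32_t v, char *out, size_t outsz)
{ return decode_mask(v, service_type, COUNT(service_type), out, outsz); }
const char *decode_start_type(uint32_t v)    { return decode_enum(v, start_type, COUNT(start_type)); }
const char *decode_error_control(uint32_t v) { return decode_enum(v, error_control, COUNT(error_control)); }

/* lpBinaryPathName as the dropper builds it, sprintf(buf, "%s -m security", exe),
 * but bounded: returns 0 on success, -1 if the result would not fit in out. */
int build_service_cmdline(const char *exe_path, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s -m security", exe_path);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* The raw argument values read off the CreateServiceA call in the listing. */
    char buf[160], cmd[260];
    printf("OpenSCManagerA  dwDesiredAccess 0xf003f = %s\n", decode_sc_manager_access(0xF003F, buf, sizeof buf));
    printf("CreateServiceA  dwDesiredAccess 0xf01ff = %s\n", decode_service_access(0xF01FF, buf, sizeof buf));
    printf("CreateServiceA  dwServiceType   0x10    = %s\n", decode_service_type(0x10, buf, sizeof buf));
    printf("CreateServiceA  dwStartType     0x2     = %s\n", decode_start_type(2));
    printf("CreateServiceA  dwErrorControl  0x1     = %s\n", decode_error_control(1));
    if (build_service_cmdline("C:\\Users\\Dung\\Desktop\\Malware\\test\\wannacry.exe", cmd, sizeof cmd) == 0)
        printf("lpBinaryPathName = %s\n", cmd);
    return 0;
}
```

Inside Ghidra the same thing is done by right-clicking the constant and choosing Set Equate (the `winsvc.h` names are in the Windows data type archive); the decoder is handy when you are reading a listing outside the tool or want to spot a non-standard mask, which shows up as a hex leftover.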
## Second function

- next, `hModule` can be seen to be `kernel32.dll`
- then the function addresses are resolved from it at runtime
- rename the parameters
## memset -> to be studied
- the two for loops here do the same thing as memset: the compiler inlined it as a dword-store loop followed by a byte-store loop for the remainder (`rep stosd` / `rep stosb`), so the buffer is simply being filled with one constant (usually 0)
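Both this two-loop memset and the two-instruction `strcpy` seen in the Kill Switch section are the same compiler idiom. The following is an added example, not code from the page or from the sample: the inlined forms written back out as C, a helper that gives the loop trip counts to expect for a given object size, and a cross-check against the real `memset`/`memcpy`. The sample string is constructed (it is not the real kill-switch domain), and the 0x44-byte size used in `main` is just the size of a 32-bit `STARTUPINFOA`, chosen as an illustration.

```c
/* Added example (not code from the page or from the sample): the two-loop shapes
 * that an inlined memset() and an inlined strcpy() of a constant take in x86
 * code, written back out as C. MSVC emits "rep stosd" for n/4 dwords plus
 * "rep stosb" for the n%4 leftover bytes (memset), and "rep movsd" plus
 * "rep movsb" (copy of a constant); Ghidra's decompiler renders each pair as two
 * for loops with an unnamed counter, which is what the dropper's listing shows. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct loop_counts { size_t dwords, bytes; };

/* Given the byte count of the object being filled/copied, the trip counts a
 * reverser should expect for the two loops (ecx of rep stosd / rep stosb). */
struct loop_counts expected_loop_counts(size_t n)
{
    struct loop_counts c = { n / 4, n % 4 };
    return c;
}

/* memset(dst, 0, n) in its inlined form. dst must be 4-byte aligned, as the
 * stack structures this pattern is used on are. */
void inlined_memset_zero(void *dst, size_t n)
{
    uint32_t *d4 = dst;
    for (size_t ecx = n / 4; ecx != 0; ecx--)   /* rep stosd: eax = 0 */
        *d4++ = 0;
    uint8_t *d1 = (uint8_t *)d4;
    for (size_t ecx = n % 4; ecx != 0; ecx--)   /* rep stosb: al = 0 */
        *d1++ = 0;
}

/* memcpy(dst, src, n) in its inlined form; this is what strcpy(dst, "literal")
 * compiles to once the literal's length (including the NUL) is known. */
void inlined_copy(void *dst, const void *src, size_t n)
{
    uint32_t *d4 = dst;
    const uint32_t *s4 = src;
    for (size_t ecx = n / 4; ecx != 0; ecx--)   /* rep movsd */
        *d4++ = *s4++;
    uint8_t *d1 = (uint8_t *)d4;
    const uint8_t *s1 = (const uint8_t *)s4;
    for (size_t ecx = n % 4; ecx != 0; ecx--)   /* rep movsb */
        *d1++ = *s1++;
}

/* Constructed sample string (not the real kill-switch domain), kept in
 * 4-byte-aligned storage like a literal the compiler copies with movsd. */
static const union { char s[32]; uint32_t w[8]; } sample = { "http://example.invalid/x" };

/* Copies sample into dst (4-byte aligned, >= 32 bytes) the way the inlined
 * strcpy does, and returns the resulting string length. */
size_t inlined_strcpy_sample(char *dst)
{
    inlined_copy(dst, sample.w, strlen(sample.s) + 1);   /* 25 bytes: 6 dwords + 1 byte */
    return strlen(dst);
}

/* Cross-checks the inlined forms against the library calls for an n-byte
 * object; returns 1 if both agree, 0 if n is out of range for the buffers. */
int inlined_forms_match_library(size_t n)
{
    uint32_t a[16], b[16], c[16];
    if (n > sizeof sample.s) return 0;
    memset(a, 0xAA, sizeof a);
    memset(b, 0xAA, sizeof b);
    inlined_memset_zero(a, n);
    memset(b, 0, n);
    inlined_copy(c, sample.w, n);
    return memcmp(a, b, sizeof a) == 0 && memcmp(c, sample.w, n) == 0;
}

int main(void)
{
    struct loop_counts c = expected_loop_counts(0x44);   /* e.g. a 0x44-byte STARTUPINFOA on 32-bit */
    printf("memset of 0x44 bytes: %zu dword stores, %zu byte stores\n", c.dwords, c.bytes);
    uint32_t buf[8];
    printf("copied %zu chars: %s\n", inlined_strcpy_sample((char *)buf), (char *)buf);
    printf("inlined forms match library: %d\n", inlined_forms_match_library(25));
    return 0;
}
```

When you meet this pattern in the decompiler, the dword loop's trip count times four (plus the byte loop's count) gives the size of the object being zeroed or copied, which is usually enough to pick the right struct type for the destination.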
## sprintf
- the two sprintf calls here actually take more arguments than Ghidra shows (the function is variadic) -> fix it in Ghidra: right-click the call in the decompiler and use Override Signature to add the extra arguments, so the values that fill the format string's `%s` become visible
## MoveFileExA
:::success
```c=
BOOL MoveFileExA(
LPCSTR lpExistingFileName,
LPCSTR lpNewFileName,
DWORD dwFlags
);
```
:::
- look at dwFlags first
- MOVEFILE_REPLACE_EXISTING (0x1): if lpNewFileName already exists it is overwritten
# wannacry -> extra things worth tidying up
## entry
- STARTUPINFOA
- the startup stub calls GetStartupInfoA on a local structure; retype that local as STARTUPINFOA so its fields get names
## SERVICE_TABLE_ENTRYA
- retype Variable
- the table passed to StartServiceCtrlDispatcherA is required to end with an entry whose lpServiceName and lpServiceProc are both NULL, which is why the last entry is always NULL
## ChangeServiceConfig2A
- it sits right here -> looks like what is done when the service cannot be opened
[msdn](https://docs.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-changeserviceconfig2a)