Off-topic - Preliminary analysis of a Trojan

Posted on: 2004-5-25 16:16
Preliminary analysis of a Trojan
kongfoo / 2004.5.25
This morning I left QQ logged in. After a while someone added me as a friend, and a little later sent over a file,
"照片62.EXE" ("Photo 62.EXE"), with a JPG icon. A look with PEiD shows it is packed with ASPack. I was looking for
something to play with anyway (I spent all of last week on an unpacker for a certain packer and still haven't got it
working, depressing).
The ASPack shell is easy to unpack: go straight to entry + 3AE and that is the exit.
0040A3AF 61 POPAD
0040A3B0 75 08 JNZ SHORT 照片62.0040A3BA
0040A3B2 B8 01000000 MOV EAX,1
0040A3B7 C2 0C00 RETN 0C
0040A3BA 68 E2154000 PUSH 照片62.004015E2 ==to the OEP
0040A3BF C3 RETN
00403D8D FF15 A0D04000 CALL DWORD PTR DS:[<&kernel32.CreateFile>; kernel32.CreateFileA ==opens itself.
00401C23 FF15 3CD04000 CALL DWORD PTR DS:[<&kernel32.SetFilePoi>; kernel32.SetFilePointer ==seeks to the end of the file.
00403926 FF15 6CD04000 CALL DWORD PTR DS:[<&kernel32.ReadFile>] ; kernel32.ReadFile ==reads 1000 bytes.
00401C23 FF15 3CD04000 CALL DWORD PTR DS:[<&kernel32.SetFilePoi>; kernel32.SetFilePointer ==seeks to the end of the file (the same code as above).
0040102E E8 EE030000 CALL dumped_.00401421 ==you can see 401421/4013ca/4013bf are each called 3 times
00401033 53 PUSH EBX ==401421 sets the file pointer, 4013ca reads the file
00401034 8D5424 30 LEA EDX,DWORD PTR SS:[ESP+30]
00401038 6A 06 PUSH 6
0040103A 52 PUSH EDX
0040103B E8 8A030000 CALL dumped_.004013CA
00401040 8D4424 38 LEA EAX,DWORD PTR SS:[ESP+38]
00401044 50 PUSH EAX
00401045 E8 75030000 CALL dumped_.004013BF
0040104A 6A 02 PUSH 2
0040104C 6A F4 PUSH -0C
0040104E 53 PUSH EBX
0040104F 8BE8 MOV EBP,EAX
00401051 E8 CB030000 CALL dumped_.00401421
00401056 53 PUSH EBX
00401057 8D4C24 44 LEA ECX,DWORD PTR SS:[ESP+44]
0040105B 6A 06 PUSH 6
0040105D 51 PUSH ECX
0040105E E8 67030000 CALL dumped_.004013CA
00401063 8D5424 4C LEA EDX,DWORD PTR SS:[ESP+4C]
00401067 52 PUSH EDX
00401068 E8 52030000 CALL dumped_.004013BF
0040106D 6A 02 PUSH 2
0040106F 6A FA PUSH -6
00401071 53 PUSH EBX
00401072 894424 54 MOV DWORD PTR SS:[ESP+54],EAX
00401076 E8 A6030000 CALL dumped_.00401421
0040107B 83C4 44 ADD ESP,44
0040107E 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+28]
00401082 53 PUSH EBX
00401083 6A 07 PUSH 7
00401085 50 PUSH EAX
00401086 E8 3F030000 CALL dumped_.004013CA
0040108B 8D4C24 34 LEA ECX,DWORD PTR SS:[ESP+34]
0040108F 51 PUSH ECX
00401090 E8 2A030000 CALL dumped_.004013BF
00401095 83C4 10 ADD ESP,10
00401098 8D5424 30 LEA EDX,DWORD PTR SS:[ESP+30]
0040109C 894424 14 MOV DWORD PTR SS:[ESP+14],EAX
004010A0 68 80000000 PUSH 80
004010A5 52 PUSH EDX
004010A6 FF15 08D04000 CALL DWORD PTR DS:[<&kernel32.GetSystemD>; kernel32.GetSystemDirectoryA ==pretty obvious now
004010AC BF 5C704000 MOV EDI,dumped_.0040705C ; ASCII "\help3721.dll" ==seeing 3721 gives me a certain &^$#$@# feeling $%^%#$
00403D8D FF15 A0D04000 CALL DWORD PTR DS:[<&kernel32.CreateFile>; kernel32.CreateFileA ==creates %systemdir%\help3721.dll
00401C23 FF15 3CD04000 CALL DWORD PTR DS:[<&kernel32.SetFilePoi>; kernel32.SetFilePointer ==seeks to the start of the file
004011BE FF15 04D04000 CALL DWORD PTR DS:[<&kernel32.GetTempPat>; kernel32.GetTempPathA ==the picture is to be extracted into the temp directory
004011C4 BF 30704000 MOV EDI,dumped_.00407030 ; ASCII "80C834BC.jpg"
00403D8D FF15 A0D04000 CALL DWORD PTR DS:[<&kernel32.CreateFile>; kernel32.CreateFileA ==creates the picture
00401266 FF15 C0D04000 CALL DWORD PTR DS:[<&shell32.ShellExecut>; shell32.ShellExecuteA ==opens the picture
00401276 FF15 60D04000 CALL DWORD PTR DS:[<&kernel32.WinExec>] ; kernel32.WinExec ==uses rundll32 to open help3721.dll
==rundll32 %system%\help3721.dll,Rundll32
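The two steps of the post, as an added example rather than anything from the post or the sample itself: a static search for the ASPack exit stub quoted above (POPAD / JNZ / MOV EAX,1 / RETN 0C / PUSH OEP / RETN, with the pushed dword being the OEP), and a model of the way the dropper reads size fields off its own tail. The trailer layout is an assumption for illustration: the listing only shows seeks to FILE_END-0Ch and FILE_END-6 followed by 6-byte reads handed to sub_4013BF, which the post does not identify, so this code treats the fields as ASCII decimal lengths (an atoi-like sub_4013BF) laid out [stub][dll][jpg][len dll][len jpg]. The first read (whose seek target is not shown) and the final 7-byte read are not modelled, and the sample "dropper" below is constructed, not the real file.

```python
"""Added example, not code from the post: helpers for the two steps it walks
through. Everything stated about the trailer layout is an assumption."""
import re
import struct

# ---- 1. ASPack exit stub -> OEP ------------------------------------------
# Byte pattern of the exit stub quoted in the post:
#   61 / 75 08 / B8 01000000 / C2 0C00 / 68 <OEP> / C3
# The four bytes after 68 are the address pushed before the final RETN.
ASPACK_EXIT_STUB = re.compile(
    rb"\x61\x75\x08\xB8\x01\x00\x00\x00\xC2\x0C\x00\x68(.{4})\xC3", re.DOTALL)


def find_aspack_oep(image: bytes):
    """Return the OEP pushed by the ASPack exit stub, or None if not found."""
    m = ASPACK_EXIT_STUB.search(image)
    return None if m is None else struct.unpack("<I", m.group(1))[0]


# ---- 2. Size fields on the dropper's own tail ----------------------------
# ASSUMPTION (not from the post): two 6-byte ASCII decimal length fields sit
# at the very end of the file, the dll length at FILE_END-0Ch and the jpg
# length at FILE_END-6, with the payloads laid out [stub][dll][jpg][fields].
# sub_4013BF is treated as atoi-like; the post does not identify it.
FIELD = 6  # the listing reads 6 bytes per field


def build_sample_dropper(stub: bytes, dll: bytes, jpg: bytes) -> bytes:
    """Constructed sample file in the assumed layout (not a real trojan)."""
    return stub + dll + jpg + b"%06d%06d" % (len(dll), len(jpg))


def read_tail(data: bytes, back: int, size: int = FIELD) -> bytes:
    """Mimic SetFilePointer(h, -back, FILE_END) followed by ReadFile(h, buf, size)."""
    if back > len(data):
        raise ValueError("file shorter than the trailer it claims to carry")
    start = len(data) - back
    return data[start:start + size]


def parse_trailer(data: bytes):
    """Decode the two 6-byte fields at the offsets the listing seeks to."""
    dll_len = int(read_tail(data, 0xC))   # SetFilePointer(h, -0C, FILE_END)
    jpg_len = int(read_tail(data, 0x6))   # SetFilePointer(h, -6,  FILE_END)
    return dll_len, jpg_len


def carve_payloads(data: bytes):
    """Split the sample into (dll, jpg). The listing shows no bounds check on
    the decoded lengths; a carving tool must refuse lengths that overrun."""
    dll_len, jpg_len = parse_trailer(data)
    end = len(data) - 2 * FIELD
    if dll_len < 0 or jpg_len < 0 or dll_len + jpg_len > end:
        raise ValueError("trailer lengths exceed file size")
    jpg = data[end - jpg_len:end]
    dll = data[end - jpg_len - dll_len:end - jpg_len]
    return dll, jpg


if __name__ == "__main__":
    # Constructed stub carrying the exact exit-stub bytes from the post,
    # pushing 004015E2 as the OEP.
    stub = b"MZ\x61\x75\x08\xB8\x01\x00\x00\x00\xC2\x0C\x00\x68\xE2\x15\x40\x00\xC3"
    sample = build_sample_dropper(stub, b"MZ-fake-dll", b"\xff\xd8fake-jpg")
    print("OEP: %#x" % find_aspack_oep(sample))
    dll, jpg = carve_payloads(sample)
    print("dll %d bytes, jpg %d bytes" % (len(dll), len(jpg)))
```

Run against a real sample only inside an isolated VM, and write whatever `carve_payloads` returns into a scratch directory, never into the system directory the trojan targets; the point of the bounds check in `carve_payloads` is that a tampered trailer must fail loudly instead of slicing garbage.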