Finding DebugObject with a native API
Extracted from a malicious game cheat bundled with a trojan and a toolbar:
劲舞小贝 (VIP edition)
00401000 83EC 20 SUB ESP, 20
00401003 B0 93 MOV AL, 93
00401005 53 PUSH EBX
00401006 55 PUSH EBP
00401007 884424 0F MOV [ESP+F], AL
0040100B 884424 10 MOV [ESP+10], AL
0040100F 884424 13 MOV [ESP+13], AL
00401013 884424 14 MOV [ESP+14], AL
00401017 56 PUSH ESI
00401018 8D4424 10 LEA EAX, [ESP+10]
0040101C 57 PUSH EDI
0040101D B3 8B MOV BL, 8B
0040101F B1 9B MOV CL, 9B
00401021 50 PUSH EAX
00401022 C64424 18 91 MOV BYTE PTR [ESP+18], 91
00401027 885C24 19 MOV [ESP+19], BL
0040102B 884C24 1A MOV [ESP+1A], CL
0040102F C64424 1D D1 MOV BYTE PTR [ESP+1D], 0D1
00401034 884C24 1E MOV [ESP+1E], CL
00401038 C64424 21 00 MOV BYTE PTR [ESP+21], 0
0040103D E8 DEAA0000 CALL 0040BB20
00401042 83C4 04 ADD ESP, 4
00401045 8D4C24 14 LEA ECX, [ESP+14]
00401049 51 PUSH ECX
0040104A FF15 88E04000 CALL [<&kernel32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
00401050 8BF0 MOV ESI, EAX
00401052 85F6 TEST ESI, ESI
00401054 0F84 38010000 JE 00401192
0040105A 8D5424 20 LEA EDX, [ESP+20]
0040105E B0 9A MOV AL, 9A
00401060 52 PUSH EDX
00401061 C64424 24 A5 MOV BYTE PTR [ESP+24], 0A5
00401066 C64424 25 88 MOV BYTE PTR [ESP+25], 88
0040106B C64424 26 AE MOV BYTE PTR [ESP+26], 0AE
00401070 C64424 27 8A MOV BYTE PTR [ESP+27], 8A
00401075 884424 28 MOV [ESP+28], AL
00401079 C64424 29 8D MOV BYTE PTR [ESP+29], 8D
0040107E C64424 2A 86 MOV BYTE PTR [ESP+2A], 86
00401083 C64424 2B B0 MOV BYTE PTR [ESP+2B], 0B0
00401088 C64424 2C 9D MOV BYTE PTR [ESP+2C], 9D
0040108D C64424 2D 95 MOV BYTE PTR [ESP+2D], 95
00401092 884424 2E MOV [ESP+2E], AL
00401096 C64424 2F 9C MOV BYTE PTR [ESP+2F], 9C
0040109B 885C24 30 MOV [ESP+30], BL
0040109F C64424 31 00 MOV BYTE PTR [ESP+31], 0
004010A4 E8 77AA0000 CALL 0040BB20
004010A9 83C4 04 ADD ESP, 4
004010AC 8D4424 20 LEA EAX, [ESP+20]
004010B0 50 PUSH EAX
004010B1 56 PUSH ESI
004010B2 FF15 00E14000 CALL [<&kernel32.GetProcAddress>] ; kernel32.GetProcAddress
004010B8 85C0 TEST EAX, EAX
004010BA A3 58294100 MOV [412958], EAX
004010BF 0F84 CD000000 JE 00401192
004010C5 8D4C24 10 LEA ECX, [ESP+10]
004010C9 51 PUSH ECX
004010CA 6A 00 PUSH 0
004010CC 6A 00 PUSH 0
004010CE 6A 03 PUSH 3
004010D0 6A 00 PUSH 0
004010D2 FFD0 CALL EAX ; ZwQueryObject
004010D4 3D 040000C0 CMP EAX, C0000004
004010D9 0F85 A1000000 JNZ 00401180
004010DF 8B5424 10 MOV EDX, [ESP+10]
004010E3 6A 04 PUSH 4
004010E5 68 00100000 PUSH 1000
004010EA 52 PUSH EDX
004010EB 6A 00 PUSH 0
004010ED FF15 90E04000 CALL [<&kernel32.VirtualAlloc>] ; kernel32.VirtualAlloc
004010F3 8BF8 MOV EDI, EAX
004010F5 85FF TEST EDI, EDI
004010F7 0F84 95000000 JE 00401192
004010FD 8B4C24 10 MOV ECX, [ESP+10]
00401101 8D4424 10 LEA EAX, [ESP+10]
00401105 50 PUSH EAX
00401106 51 PUSH ECX
00401107 57 PUSH EDI
00401108 6A 03 PUSH 3
0040110A 6A 00 PUSH 0
0040110C FF15 58294100 CALL [412958]
00401112 85C0 TEST EAX, EAX
00401114 75 7C JNZ SHORT 00401192
00401116 8B07 MOV EAX, [EDI]
00401118 33ED XOR EBP, EBP
0040111A 85C0 TEST EAX, EAX
0040111C 8D77 04 LEA ESI, [EDI+4]
0040111F 76 63 JBE SHORT 00401184
00401121 8B1D 28E54000 MOV EBX, [<&msvcrt._wcsicmp>] ; msvcrt._wcsicmp
00401127 8B56 04 MOV EDX, [ESI+4]
0040112A 68 30204100 PUSH 00412030 ; UNICODE "DebugObject"
0040112F 52 PUSH EDX
00401130 FFD3 CALL EBX
00401132 83C4 08 ADD ESP, 8
00401135 85C0 TEST EAX, EAX
00401137 74 1E JE SHORT 00401157
00401139 33C0 XOR EAX, EAX
0040113B 8B56 04 MOV EDX, [ESI+4]
0040113E 66:8B46 02 MOV AX, [ESI+2]
00401142 8BC8 MOV ECX, EAX
00401144 8B07 MOV EAX, [EDI]
00401146 83C1 03 ADD ECX, 3
00401149 83E1 FC AND ECX, FFFFFFFC
0040114C 03CA ADD ECX, EDX
0040114E 45 INC EBP
0040114F 3BE8 CMP EBP, EAX
00401151 8BF1 MOV ESI, ECX
00401153 ^ 72 D2 JB SHORT 00401127
00401155 EB 2D JMP SHORT 00401184
00401157 8B46 08 MOV EAX, [ESI+8]
0040115A 85C0 TEST EAX, EAX
0040115C 77 07 JA SHORT 00401165
0040115E 8B46 0C MOV EAX, [ESI+C]
00401161 85C0 TEST EAX, EAX
00401163 76 1F JBE SHORT 00401184
00401165 68 00800000 PUSH 8000
0040116A 6A 00 PUSH 0
0040116C 57 PUSH EDI
0040116D FF15 94E04000 CALL [<&kernel32.VirtualFree>] ; kernel32.VirtualFree
00401173 5F POP EDI ; jwt.00403BA5
00401174 5E POP ESI ; jwt.00403BA5
00401175 5D POP EBP ; jwt.00403BA5
00401176 B8 01000000 MOV EAX, 1
0040117B 5B POP EBX ; jwt.00403BA5
0040117C 83C4 20 ADD ESP, 20
0040117F C3 RETN
00401180 8B7C24 10 MOV EDI, [ESP+10]
00401184 68 00800000 PUSH 8000
00401189 6A 00 PUSH 0
0040118B 57 PUSH EDI
0040118C FF15 94E04000 CALL [<&kernel32.VirtualFree>] ; kernel32.VirtualFree
00401192 5F POP EDI ; jwt.00403BA5
00401193 5E POP ESI ; jwt.00403BA5
00401194 5D POP EBP ; jwt.00403BA5
00401195 33C0 XOR EAX, EAX
00401197 5B POP EBX ; jwt.00403BA5
00401198 83C4 20 ADD ESP, 20
0040119B C3 RETN
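What the listing does with the ObjectAllTypesInformation buffer, rewritten in C as an added example (not code from the sample or from this post) so an analyst can see the check at a glance. It assumes only the entry prefix the listing reads (type name, then object and handle counts) and feeds the walker a constructed buffer instead of calling ZwQueryObject, so it runs anywhere.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
/* Prefix of OBJECT_TYPE_INFORMATION the listing reads; the real structure has more fields. */
typedef struct {
    uint16_t Length, MaximumLength;  /* UNICODE_STRING TypeName: [ESI], [ESI+2] */
    uint16_t *Buffer;                /* [ESI+4] on 32-bit: UTF-16, NUL-terminated */
    uint32_t TotalNumberOfObjects;   /* [ESI+8] */
    uint32_t TotalNumberOfHandles;   /* [ESI+C] */
} type_info_t;
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((size_t)(a) - 1))
/* _wcsicmp-style compare of a UTF-16 type name against an ASCII literal. */
static int name_is(const uint16_t *w, const char *a) {
    for (; *w && *a; w++, a++)
        if (*w > 127 || tolower(*w) != tolower((unsigned char)*a)) return 0;
    return *w == 0 && *a == 0;
}
/* The walk at 00401116..00401163 over the ZwQueryObject(NULL, 3, ...) buffer: a DWORD type count,
 * then entries, each starting right after the previous name buffer rounded up to pointer size
 * (4 in the 32-bit listing). Returns 1 when DebugObject has live objects or handles, else 0. */
int debug_object_present(const void *all_types) {
    uint32_t count; memcpy(&count, all_types, sizeof count);
    const uint8_t *p = (const uint8_t *)all_types + ALIGN_UP(sizeof count, sizeof(void *));
    for (uint32_t i = 0; i < count; i++) {
        type_info_t e; memcpy(&e, p, sizeof e);
        if (name_is(e.Buffer, "DebugObject"))
            return (e.TotalNumberOfObjects > 0 || e.TotalNumberOfHandles > 0) ? 1 : 0;
        p = (const uint8_t *)e.Buffer + ALIGN_UP(e.MaximumLength, sizeof(void *));
    }
    return 0;
}
/* Constructed stand-in for the kernel's buffer (sample data, not a real snapshot): four
 * type entries, with the DebugObject counts chosen by the caller. */
int check_sample(uint32_t debug_objects, uint32_t debug_handles) {
    static const char *names[] = { "Type", "Event", "DebugObject", "Mutant" };
    union { void *align; uint8_t b[256]; } buf;
    uint32_t n = 4;
    memcpy(buf.b, &n, sizeof n);
    size_t off = ALIGN_UP(sizeof n, sizeof(void *));
    for (uint32_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]);
        uint16_t *name = (uint16_t *)(buf.b + off + sizeof(type_info_t));
        type_info_t e = { (uint16_t)(2 * len), (uint16_t)(2 * len + 2), name,
                          i == 2 ? debug_objects : 5, i == 2 ? debug_handles : 7 };
        for (size_t k = 0; k <= len; k++) name[k] = (uint16_t)names[i][k];
        memcpy(buf.b + off, &e, sizeof e);
        off += sizeof e + ALIGN_UP(e.MaximumLength, sizeof(void *));
    }
    return debug_object_present(buf.b);
}
```

The counts in that buffer are system-wide, so this check returns 1 whenever any debugger on the machine holds a debug object, not only one attached to the cheat's own process.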