--------------------------------------------------------------------------------
我在调试一个木马程序msn.exe(只是同名字不是MS的那个MSN),
我想知道它是怎么释放msn.dll,msnkey.dll的
我就搞不明白为什么我把msn.exe放到c:\windows 下执行的时候
可以看到它释放了msn.dll,(只释放了个msn.dll)
可是在别的地方执行msn.exe的时候就释放了
msn.dll,msnkey.dll而且还把这2个模块挂到了IE上启动了个IE进程
13146312 50 push eax
13146313 8BC3 mov eax, ebx
13146315 E8 8EDDFFFF call 131440A8
1314631A 50 push eax
1314631B E8 14EFFFFF call <jmp.&kernel32.FindFirstFileA>
FindFirstFileA()的参数
0012FDE0 00CA1C54 |FileName = "C:\WINDOWS\MSN.exe"
0012FDE4 0012FDEC \pFindFileData = 0012FDEC
13146320 83F8 FF cmp eax, -1
13146323 74 34 je short 13146359 ;文件存在的话跳走
之后在这里复制文件
1314C940 50 push eax
1314C941 8D55 F0 lea edx, dword ptr [ebp-10]
1314C944 33C0 xor eax, eax
1314C946 E8 655EFFFF call 131427B0
1314C94B 8B45 F0 mov eax, dword ptr [ebp-10]
1314C94E E8 5577FFFF call 131440A8
1314C953 50 push eax
1314C954 E8 4388FFFF call <jmp.&kernel32.CopyFileA>
CopyFileA()的参数
0012FF3C 00CA1CA0 |ExistingFileName = "C:\dumped_\MSN.exe"
0012FF40 00CA1C54 |NewFileName = "C:\WINDOWS\MSN.exe"
0012FF44 00000000 \FailIfExists = FALSE
在这里创建个文件msn.dll
1314B74E 6A 00 push 0
1314B750 6A 20 push 20
1314B752 6A 02 push 2
1314B754 6A 00 push 0
1314B756 6A 03 push 3
1314B758 68 000000C0 push C0000000
1314B75D 8B07 mov eax, dword ptr [edi]
1314B75F E8 4489FFFF call 131440A8
1314B764 50 push eax
1314B765 E8 429AFFFF call <jmp.&kernel32.CreateFileA>
CreateFileA()的参数
0012FF08 00CA1CA4 |FileName = "C:\WINDOWS\MSN.DLL"
0012FF0C C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012FF10 00000003 |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
0012FF14 00000000 |pSecurity = NULL
0012FF18 00000002 |Mode = CREATE_ALWAYS
0012FF1C 00000020 |Attributes = ARCHIVE
0012FF20 00000000 \hTemplateFile = NULL
CreateServiceA() 下面是参数
0012FEC8 00147328 |hManager = 00147328
0012FECC 00CA1B40 |ServiceName = "Net_Scheduler"
0012FED0 00CA1B24 |DisplayName = "Net_Scheduler"
0012FED4 000F01FF |DesiredAccess = SERVICE_ALL_ACCESS
0012FED8 00000110 |ServiceType=
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS
0012FEDC 00000002 |StartType = SERVICE_AUTO_START
0012FEE0 00000000 |ErrorControl = SERVICE_ERROR_IGNORE
0012FEE4 00CA1C54 |BinaryPathName = "C:\WINDOWS\MSN.exe"
0012FEE8 00000000 |LoadOrderGroup = NULL
0012FEEC 00000000 |pTagId = NULL
0012FEF0 00000000 |pDependencies = NULL
0012FEF4 00000000 |ServiceStartName = NULL
0012FEF8 00000000 \Password = NULL
1314B1B8 8D45 F4 lea eax, dword ptr [ebp-C]
;ebp-c == 0012ff3c,eip==1314b1b8 eax==0
1314B1BB 50 push eax
;走到这句的时候
; eax==0012ff3c eip==1314b1bb
;[1314b1bb]里指向的值是: "Pj/0"
1314B1BC 6A 00 push 0
1314B1BE 8B45 EC mov eax, dword ptr [ebp-14]
1314B1C1 50 push eax
1314B1C2 E8 B1EEFFFF call <jmp.&advapi32.StartServiceA>
这个时候堆栈里是
0012FEF0 00146D90 SC_Handle hService==00146d90
0012FEF4 00000000 DWORD dwNumServiceArgs==00000000
0012FEF8 0012FF3C LPCTSTR* lpServiceArgVectors==0012FF3C
//上面的那段是OD里没有的 我是看了MSDN我想应该是参数的问题
//另外也希望哪个大大能详细介绍下LEA的指令
我于是我用OD中加入了参数: Pj 调试c:\windows\msn.exe
可是结果依然如故
希望高人指点.
权限不够传不了文件.
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课