-
-
[原创]第三阶段
-
2008-10-31 15:42
-
下面释放出来的文件我试过用IceSword、360、瑞星都不能删掉,我实在太菜了,我没有办法了
只贴分析过程,不知道有没有分呢~?
===================================================================
[a.exe]
ProcMon分析:
释放文件:
C:\WINDOWS\system32\drivers\HBKernel32.sys SUCCESS Offset: 0, Length: 18,080
C:\WINDOWS\system32\HBQQXX.dll SUCCESS Offset: 0, Length: 14,336
C:\WINDOWS\system32\System.exe SUCCESS Offset: 0, Length: 7,680
C:\Documents and Settings\Administrator\Local Settings\Temp\SelfDel.bat SUCCESS Offset: 0, Length: 164
修改注册表:
HKLM\SOFTWARE\360Safe\safemon\ARPAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\ExecAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\IEProtAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\LeakShowed SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\MonAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\NoNotiLeak SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\NoNotiNews SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\SiteAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\UDiskAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\weeken SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: 69 C9 BE 8A F2 20 EA 97 39 DF BF 7C 61 70 62 CE
手工分析:
IDA载入a.exe,发现有壳,PeID查不出,不过手脱也很容易。DUMP完之后记得要修复导入表。
IDA重新载入脱了壳之后的a.exe,看看它干了些啥,除了上面ProcMon看到的之外,它还做了:
1、启动HBkernel32服务
2、启动System.exe进程,并在注册表Software\Microsoft\Windows\CurrentVersion\Run将其设成自启动
[System.exe]
ProcMon分析:
发现它不断地在system32里找一些以HB开关的DLL文件
手工分析:
没什么特别的,因为它是被设置成自启动的文件,所以只是确认一下a.exe的工作,例如启动HBkernel32服务之类的。
[HBQQXX.dll] 好像每次释放出来的文件不一定都是这个名字里面有键盘钩子,针对tty3d.exe(Xunxian.dat)和QQlogin.exe分别有一些动作。
[HBkernel32.sys]
创建了一个系统线程。至于这个线程里干了些啥我就看不出来了
只贴分析过程,不知道有没有分呢~?
===================================================================
[a.exe]
ProcMon分析:
释放文件:
C:\WINDOWS\system32\drivers\HBKernel32.sys SUCCESS Offset: 0, Length: 18,080
C:\WINDOWS\system32\HBQQXX.dll SUCCESS Offset: 0, Length: 14,336
C:\WINDOWS\system32\System.exe SUCCESS Offset: 0, Length: 7,680
C:\Documents and Settings\Administrator\Local Settings\Temp\SelfDel.bat SUCCESS Offset: 0, Length: 164
修改注册表:
HKLM\SOFTWARE\360Safe\safemon\ARPAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\ExecAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\IEProtAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\LeakShowed SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\MonAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\NoNotiLeak SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\NoNotiNews SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\SiteAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\UDiskAccess SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\360Safe\safemon\weeken SUCCESS Type: REG_DWORD, Length: 4, Data: 0
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS Type: REG_BINARY, Length: 80, Data: 69 C9 BE 8A F2 20 EA 97 39 DF BF 7C 61 70 62 CE
手工分析:
IDA载入a.exe,发现有壳,PeID查不出,不过手脱也很容易。DUMP完之后记得要修复导入表。
IDA重新载入脱了壳之后的a.exe,看看它干了些啥,除了上面ProcMon看到的之外,它还做了:
1、启动HBkernel32服务
2、启动System.exe进程,并在注册表Software\Microsoft\Windows\CurrentVersion\Run将其设成自启动
[System.exe]
ProcMon分析:
发现它不断地在system32里找一些以HB开关的DLL文件
手工分析:
没什么特别的,因为它是被设置成自启动的文件,所以只是确认一下a.exe的工作,例如启动HBkernel32服务之类的。
[HBQQXX.dll] 好像每次释放出来的文件不一定都是这个名字里面有键盘钩子,针对tty3d.exe(Xunxian.dat)和QQlogin.exe分别有一些动作。
[HBkernel32.sys]
创建了一个系统线程。至于这个线程里干了些啥我就看不出来了
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
