Before going to bed I was browsing Pediy out of habit, as usual. As soon as I saw this was a beginner practice target, I was wide awake again. Here are my beginner's notes.
Source: http://bbs.pediy.com/showthread.php?t=96997
After loading in OD:
0101988A > E8 00000000 CALL NOTEPAD.0101988F // near jump (jmp); F7 to step in
0101988F 5B POP EBX
01019890 81EB 05000000 SUB EBX,5
01019896 8B93 9F080000 MOV EDX,DWORD PTR DS:[EBX+89F]
0101989C 53 PUSH EBX
0101989D 6A 40 PUSH 40
0101989F 68 00100000 PUSH 1000
010198A4 52 PUSH EDX
010198A5 6A 00 PUSH 0
010198A7 FF93 32080000 CALL DWORD PTR DS:[EBX+832] // F4 to here: kernel32.VirtualAlloc allocates memory, EAX=00A00000 (the returned address); this should be where the decompressed data ends up. F8 to step over.
010198AD 5B POP EBX
010198AE 8BF0 MOV ESI,EAX
010198B0 8BBB 9B080000 MOV EDI,DWORD PTR DS:[EBX+89B]
010198B6 03FB ADD EDI,EBX
010198B8 56 PUSH ESI // esi = 00A00000, the memory just allocated
010198B9 57 PUSH EDI // edi = 0101A1EE; LordPE shows this is in the .rsrc section
010198BA E8 86080000 CALL NOTEPAD.0101A145 // F8 to here; we are almost at the retn, so F7 in
010198BF 83C4 08 ADD ESP,8
010198C2 8D93 BB080000 LEA EDX,DWORD PTR DS:[EBX+8BB]
010198C8 52 PUSH EDX
010198C9 53 PUSH EBX
010198CA 56 PUSH ESI
010198CB C3 RETN
0101A145 60 PUSHAD
0101A146 8B7424 24 MOV ESI,DWORD PTR SS:[ESP+24]
0101A14A 8B7C24 28 MOV EDI,DWORD PTR SS:[ESP+28]
0101A14E FC CLD
0101A14F B2 80 MOV DL,80
0101A151 33DB XOR EBX,EBX
0101A153 A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0101A154 B3 02 MOV BL,2
0101A156 E8 6D000000 CALL NOTEPAD.0101A1C8
0101A15B ^ 73 F6 JNB SHORT NOTEPAD.0101A153
0101A15D 33C9 XOR ECX,ECX
...
0101A1E4 2B7C24 28 SUB EDI,DWORD PTR SS:[ESP+28]
0101A1E8 897C24 1C MOV DWORD PTR SS:[ESP+1C],EDI
0101A1EC 61 POPAD
0101A1ED C3 RETN
// Analysis: this function should be what releases the shell (the packer stub) from the resource section into memory
00A00000 E8 00000000 CALL 00A00005 // near jump (jmp); F7 to step in
00A00005 5B POP EBX
00A00006 81EB 05000000 SUB EBX,5
00A0000C 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
00A00010 E8 B7020000 CALL 00A002CC // gets the base address of kernel32
00A00015 8983 BF040000 MOV DWORD PTR DS:[EBX+4BF],EAX
00A0001B 8B83 BF040000 MOV EAX,DWORD PTR DS:[EBX+4BF]
00A00021 8DB3 12050000 LEA ESI,DWORD PTR DS:[EBX+512]
00A00027 E8 CE020000 CALL 00A002FA ; F7 in: turns out this fetches the address of GetModuleHandleA
00A0002C 8983 22050000 MOV DWORD PTR DS:[EBX+522],EAX
00A00032 8B83 BF040000 MOV EAX,DWORD PTR DS:[EBX+4BF]
00A00038 8DB3 DE040000 LEA ESI,DWORD PTR DS:[EBX+4DE]
00A0003E E8 B7020000 CALL 00A002FA // fetches the address of LoadLibraryA
00A00043 8983 EB040000 MOV DWORD PTR DS:[EBX+4EB],EAX
00A00049 8B83 BF040000 MOV EAX,DWORD PTR DS:[EBX+4BF]
00A0004F 8DB3 EF040000 LEA ESI,DWORD PTR DS:[EBX+4EF]
00A00055 E8 A0020000 CALL 00A002FA // fetches the address of GetProcAddress
00A0005A 8983 FE040000 MOV DWORD PTR DS:[EBX+4FE],EAX
00A00060 8B83 BF040000 MOV EAX,DWORD PTR DS:[EBX+4BF]
00A00066 8DB3 26050000 LEA ESI,DWORD PTR DS:[EBX+526]
00A0006C E8 89020000 CALL 00A002FA // fetches the address of VirtualProtect
...
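Both the stub at 0101988A and the released shell at 00A00000 open with the same self-locating trick: CALL $+5 (E8 00000000), POP EBX, SUB EBX,5, which leaves the stub's own load address in EBX. The scanner below is an added example (my code, not from the original post or the target) that finds that byte pattern in a memory dump or file image and reports which register ends up holding which address; the sample buffer is constructed from the bytes in the listing plus one made-up stub without the SUB fixup.

```python
import re
from typing import Dict, List

# Register encoded in the low 3 bits of a one-byte POP r32 opcode (0x58..0x5F).
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# CALL rel32 with displacement 0 (E8 00000000) followed directly by POP r32.
_GETPC_RE = re.compile(rb"\xE8\x00\x00\x00\x00([\x58-\x5F])")


def find_getpc_stubs(data: bytes, base: int = 0) -> List[Dict]:
    """Locate CALL $+5 / POP r32 sequences; `base` is the address of data[0]."""
    hits = []
    for m in _GETPC_RE.finditer(data):
        reg_idx = m.group(1)[0] - 0x58
        after = m.end()
        # SUB r32, imm32 is 81 /5: ModRM = 11 101 reg, i.e. 0xE8 | reg (81 EB for EBX).
        sub_r32_5 = bytes([0x81, 0xE8 | reg_idx]) + (5).to_bytes(4, "little")
        fixup = data[after:after + 6] == sub_r32_5
        # POP leaves the return address (stub+5) in the register;
        # the SUB ...,5 fixup turns that into the stub's own start address.
        hits.append({
            "offset": base + m.start(),
            "register": POP_REGS[reg_idx],
            "delta_fixup": fixup,
            "register_value": base + m.start() + (0 if fixup else 5),
        })
    return hits


# Constructed sample: the 0101988A stub bytes from the listing, an ordinary
# relative CALL (010198BA: E8 86080000) that must not match, and a made-up
# GetPC stub that pops into EAX without the SUB fixup.
SAMPLE = (
    b"\x90" * 4
    + bytes.fromhex("E8 00 00 00 00 5B 81 EB 05 00 00 00 8B 93 9F 08 00 00")
    + bytes.fromhex("E8 86 08 00 00")
    + bytes.fromhex("E8 00 00 00 00 58 8B C0")
)

if __name__ == "__main__":
    for hit in find_getpc_stubs(SAMPLE, base=0x0101988A - 4):
        print(f"{hit['offset']:08X}: POP {hit['register']}, "
              f"fixup={hit['delta_fixup']}, reg -> {hit['register_value']:08X}")
```

Run against a dumped region such as the 00A00000 allocation, the first hit with a fixup marks where position-independent code starts, which is a useful anchor when deciding where to set a breakpoint or what to carve out for further analysis.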