[旧帖] [求助]关于wincmos是不是进入了ring0环 0.00雪花
发表于: 2009-9-6 18:07 2369
前几天在网上看到一个叫wincmos的程序,在xp下可以直接读写bios。在虚拟机上试了一下,好像真的可以用,就拿来分析一下。感觉它好像还是进入了ring0环,不过我功力太差,分析不出它是怎么进入的。
我用syser脱出了一个文件(但没修复iat),然后在ida中分析,找到了备份cmos窗口的处理代码,如下:
; sub_401E60 -- "backup CMOS" handler: dumps CMOS registers 0Ah..7Fh to c:\cmos.bak.
; Flow as shown in this listing:
;   1. install an SEH frame through fs:0 and construct a file object on "c:\\cmos.bak"
;   2. zero a 76h-byte stack buffer that starts at var_A8
;   3. for index = 0Ah..7Fh: write the index to port 70h, read one byte from port 71h,
;      store it at buffer[index - 0Ah]
;   4. write the 76h bytes to the file, close it, and show a message box
; Ports 70h/71h are the standard PC CMOS/RTC index and data ports.
; The names in the trailing comments (CFile::..., Afx...) are the poster's IDA labels;
; the post says the IAT of this dump was not repaired, so treat them as unverified.
; Artifact visible here for triage: a 76h-byte file at the fixed path c:\cmos.bak.
.text:00401E60 sub_401E60 proc near
.text:00401E60
.text:00401E60 var_B2 = byte ptr -0B2h ; buffer base minus 0Ah: [ebp+esi+var_B2] with esi=0Ah is var_A8
.text:00401E60 var_A8 = byte ptr -0A8h ; first byte of the 76h-byte dump buffer
.text:00401E60 var_A7 = byte ptr -0A7h ; second byte of the buffer (where the rep stosd fill starts)
.text:00401E60 var_2C = byte ptr -2Ch ; object passed in ecx to sub_4022F8 (type not shown)
.text:00401E60 var_24 = byte ptr -24h ; object passed in ecx to the CFile-labelled calls
.text:00401E60 var_14 = dword ptr -14h ; scratch slot; only its low byte (current index) is written
.text:00401E60 var_10 = dword ptr -10h ; copy of esp taken after the register pushes
.text:00401E60 var_C = dword ptr -0Ch ; previous fs:0 value, restored in the epilogue
.text:00401E60 var_4 = dword ptr -4 ; state value: pushed as -1, set to 0/1/2 around the calls (presumably the C++ EH state -- confirm)
.text:00401E60
.text:00401E60 push ebp
.text:00401E61 mov ebp, esp
.text:00401E63 push 0FFFFFFFFh ; var_4 = -1
.text:00401E65 push offset SEH_401E60 ; exception handler for this frame
.text:00401E6A mov eax, large fs:0
.text:00401E70 push eax ; var_C = previous SEH registration
.text:00401E71 mov large fs:0, esp ; link the new registration record
.text:00401E78 sub esp, 9Ch ; locals
.text:00401E7E push ebx
.text:00401E7F push esi
.text:00401E80 push edi
.text:00401E81 lea ecx, [ebp+var_2C]
.text:00401E84 mov [ebp+var_10], esp
.text:00401E87 call sub_4022F8 ; unnamed; ecx = &var_2C
.text:00401E8C push 1001h ; second constructor argument; 1001h matches MFC modeCreate|modeWrite if the CFile label is right
.text:00401E91 mov [ebp+var_4], 0
.text:00401E98 push offset aCCmos_bak ; "c:\\cmos.bak"
.text:00401E9D lea ecx, [ebp+var_24]
.text:00401EA0 mov byte ptr [ebp+var_4], 1
.text:00401EA4 call sub_4021F0 ; CFile::CFile(char const *, unsigned int)
.text:00401EA9 mov ecx, 1Dh ; 1Dh dwords = 74h bytes
.text:00401EAE xor eax, eax ; fill value 0
.text:00401EB0 lea edi, [ebp+var_A7]
.text:00401EB6 mov [ebp+var_A8], 0 ; buffer[0] = 0
.text:00401EBD rep stosd ; zero buffer[1..74h]
.text:00401EBF mov byte ptr [ebp+var_4], 2
.text:00401EC3 mov bl, 0Ah ; bl = first CMOS index to read
.text:00401EC5 stosb ; zero buffer[75h]; 1 + 74h + 1 = 76h bytes cleared in total
.text:00401EC6
.text:00401EC6 loc_401EC6: ; CODE XREF: sub_401E60+95j
.text:00401EC6 cmp bl, 80h
.text:00401EC9 mov byte ptr [ebp+var_14], bl ; store the index byte (mov leaves the flags from cmp intact)
.text:00401ECC jnb short loc_401EF7 ; unsigned: leave the loop once the index reaches 80h
.text:00401ECE mov esi, [ebp+var_14] ; loads the whole dword; only the low byte was written above
.text:00401ED1 push esi ; value argument (callee reads one byte of it)
.text:00401ED2 push 70h ; port argument: CMOS index port
.text:00401ED4 call sub_4017F0 ; out 70h, index
.text:00401ED9 add esp, 8 ; caller removes both arguments
.text:00401EDC push 71h ; port argument: CMOS data port
.text:00401EDE call sub_4017D0 ; al = byte read from port 71h
.text:00401EE3 and esi, 0FFh ; keep only the index byte
.text:00401EE9 add esp, 4
.text:00401EEC inc bl ; next index; esi still holds the current one
.text:00401EEE mov [ebp+esi+var_B2], al ; buffer[index - 0Ah] = al
.text:00401EF5 jmp short loc_401EC6
.text:00401EF7 ; ---------------------------------------------------------------------------
.text:00401EF7
.text:00401EF7 loc_401EF7: ; CODE XREF: sub_401E60+6Cj
.text:00401EF7 lea eax, [ebp+var_A8]
.text:00401EFD push 76h ; byte count = 80h - 0Ah
.text:00401EFF push eax ; buffer address
.text:00401F00 lea ecx, [ebp+var_24]
.text:00401F03 call sub_4022F2 ; CFile__Write(LPCVOID lpBuffer,DWORD NumberOfBytesWritten)
.text:00401F08 lea ecx, [ebp+var_24]
.text:00401F0B call sub_4021EA ; unnamed; ecx = &var_24, purpose not shown
.text:00401F10 lea ecx, [ebp+var_24]
.text:00401F13 call sub_4022EC ; CFile::Close(void)
.text:00401F18 push 0
.text:00401F1A push 0
.text:00401F1C push offset aCCmos_bakJ ; "备份 c:\\cmos.bak成功!" (in English: "Backup to c:\\cmos.bak succeeded!")
.text:00401F21 call sub_4021DE ; AfxMessageBox(const char *,unsigned int,unsigned int)
.text:00401F26 lea ecx, [ebp+var_24]
.text:00401F29 mov byte ptr [ebp+var_4], 1
.text:00401F2D call sub_4021E4 ; unnamed; ecx = &var_24 -- presumably the destructor, confirm
.text:00401F32
.text:00401F32 loc_401F32: ; DATA XREF: std::locale::classic(void)+5o
.text:00401F32 mov [ebp+var_4], 0FFFFFFFFh ; state back to -1
.text:00401F39 call sub_4022E6 ; AfxTryCleanup()
.text:00401F3E mov ecx, [ebp+var_C]
.text:00401F41 pop edi
.text:00401F42 pop esi
.text:00401F43 mov large fs:0, ecx ; unlink this function's SEH registration
.text:00401F4A pop ebx
.text:00401F4B mov esp, ebp
.text:00401F4D pop ebp
.text:00401F4E retn
.text:00401F4E sub_401E60 endp
//
; sub_4017F0(port, value) -- writes one byte to an I/O port.
;   arg_0 = 16-bit port number, arg_4 = byte to write; no return value is set.
;   Ends with a plain retn, so the arguments are left for the caller to remove.
;   ebx/esi/edi are saved and restored but not otherwise used here.
; `out` is I/O-sensitive rather than ring-0-only: the CPU checks EFLAGS.IOPL and
; the TSS I/O permission bitmap, and allows it at ring 3 if either permits the port.
; This listing does not show how the process obtained port access, so the
; instruction alone does not establish ring-0 execution -- TODO check the rest of
; the binary for a driver load or an IOPL change.
sub_4017F0 proc near
arg_0= word ptr 8
arg_4= byte ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov dx, [ebp+arg_0] ; dx = port number
mov al, [ebp+arg_4] ; al = byte to send
out dx, al ; write al to the port in dx
pop edi
pop esi
pop ebx
pop ebp
retn
sub_4017F0 endp
//
; sub_4017D0(port) -- reads one byte from an I/O port and returns it in al.
;   arg_0 = 16-bit port number; var_4 = one-byte local holding the value read.
;   Only al is set; the upper bytes of eax are whatever they were on entry.
;   Ends with a plain retn, so the argument is left for the caller to remove.
; `in` is I/O-sensitive rather than ring-0-only: the CPU checks EFLAGS.IOPL and
; the TSS I/O permission bitmap, and allows it at ring 3 if either permits the port.
; This listing does not show how the process obtained port access, so the
; instruction alone does not establish ring-0 execution -- TODO check the rest of
; the binary for a driver load or an IOPL change.
sub_4017D0 proc near
var_4= byte ptr -4
arg_0= word ptr 8
push ebp
mov ebp, esp
push ecx ; reserves the 4-byte slot used as var_4
push ebx
push esi
push edi
mov dx, [ebp+arg_0] ; dx = port number
in al, dx ; al = byte read from the port in dx
mov [ebp+var_4], al ; store to the local ...
mov al, [ebp+var_4] ; ... and reload it as the return value
pop edi
pop esi
pop ebx
mov esp, ebp ; drops the var_4 slot
pop ebp
retn
sub_4017D0 endp
其中用来读写cmos的子程序中明显有out、in等特权指令,我想应该是进入了ring0环了吧?
同时,在这个程序中好像有许多资源,不知是不是那个木马的资源,有人能指点一下吗?
我用syser脱出了一个文件(但没修复iat),然后在ida中分析,找到了备份cmos窗口的处理代码,如下:
; sub_401E60 -- "backup CMOS" handler: dumps CMOS registers 0Ah..7Fh to c:\cmos.bak.
; Flow as shown in this listing:
;   1. install an SEH frame through fs:0 and construct a file object on "c:\\cmos.bak"
;   2. zero a 76h-byte stack buffer that starts at var_A8
;   3. for index = 0Ah..7Fh: write the index to port 70h, read one byte from port 71h,
;      store it at buffer[index - 0Ah]
;   4. write the 76h bytes to the file, close it, and show a message box
; Ports 70h/71h are the standard PC CMOS/RTC index and data ports.
; The names in the trailing comments (CFile::..., Afx...) are the poster's IDA labels;
; the post says the IAT of this dump was not repaired, so treat them as unverified.
; Artifact visible here for triage: a 76h-byte file at the fixed path c:\cmos.bak.
.text:00401E60 sub_401E60 proc near
.text:00401E60
.text:00401E60 var_B2 = byte ptr -0B2h ; buffer base minus 0Ah: [ebp+esi+var_B2] with esi=0Ah is var_A8
.text:00401E60 var_A8 = byte ptr -0A8h ; first byte of the 76h-byte dump buffer
.text:00401E60 var_A7 = byte ptr -0A7h ; second byte of the buffer (where the rep stosd fill starts)
.text:00401E60 var_2C = byte ptr -2Ch ; object passed in ecx to sub_4022F8 (type not shown)
.text:00401E60 var_24 = byte ptr -24h ; object passed in ecx to the CFile-labelled calls
.text:00401E60 var_14 = dword ptr -14h ; scratch slot; only its low byte (current index) is written
.text:00401E60 var_10 = dword ptr -10h ; copy of esp taken after the register pushes
.text:00401E60 var_C = dword ptr -0Ch ; previous fs:0 value, restored in the epilogue
.text:00401E60 var_4 = dword ptr -4 ; state value: pushed as -1, set to 0/1/2 around the calls (presumably the C++ EH state -- confirm)
.text:00401E60
.text:00401E60 push ebp
.text:00401E61 mov ebp, esp
.text:00401E63 push 0FFFFFFFFh ; var_4 = -1
.text:00401E65 push offset SEH_401E60 ; exception handler for this frame
.text:00401E6A mov eax, large fs:0
.text:00401E70 push eax ; var_C = previous SEH registration
.text:00401E71 mov large fs:0, esp ; link the new registration record
.text:00401E78 sub esp, 9Ch ; locals
.text:00401E7E push ebx
.text:00401E7F push esi
.text:00401E80 push edi
.text:00401E81 lea ecx, [ebp+var_2C]
.text:00401E84 mov [ebp+var_10], esp
.text:00401E87 call sub_4022F8 ; unnamed; ecx = &var_2C
.text:00401E8C push 1001h ; second constructor argument; 1001h matches MFC modeCreate|modeWrite if the CFile label is right
.text:00401E91 mov [ebp+var_4], 0
.text:00401E98 push offset aCCmos_bak ; "c:\\cmos.bak"
.text:00401E9D lea ecx, [ebp+var_24]
.text:00401EA0 mov byte ptr [ebp+var_4], 1
.text:00401EA4 call sub_4021F0 ; CFile::CFile(char const *, unsigned int)
.text:00401EA9 mov ecx, 1Dh ; 1Dh dwords = 74h bytes
.text:00401EAE xor eax, eax ; fill value 0
.text:00401EB0 lea edi, [ebp+var_A7]
.text:00401EB6 mov [ebp+var_A8], 0 ; buffer[0] = 0
.text:00401EBD rep stosd ; zero buffer[1..74h]
.text:00401EBF mov byte ptr [ebp+var_4], 2
.text:00401EC3 mov bl, 0Ah ; bl = first CMOS index to read
.text:00401EC5 stosb ; zero buffer[75h]; 1 + 74h + 1 = 76h bytes cleared in total
.text:00401EC6
.text:00401EC6 loc_401EC6: ; CODE XREF: sub_401E60+95j
.text:00401EC6 cmp bl, 80h
.text:00401EC9 mov byte ptr [ebp+var_14], bl ; store the index byte (mov leaves the flags from cmp intact)
.text:00401ECC jnb short loc_401EF7 ; unsigned: leave the loop once the index reaches 80h
.text:00401ECE mov esi, [ebp+var_14] ; loads the whole dword; only the low byte was written above
.text:00401ED1 push esi ; value argument (callee reads one byte of it)
.text:00401ED2 push 70h ; port argument: CMOS index port
.text:00401ED4 call sub_4017F0 ; out 70h, index
.text:00401ED9 add esp, 8 ; caller removes both arguments
.text:00401EDC push 71h ; port argument: CMOS data port
.text:00401EDE call sub_4017D0 ; al = byte read from port 71h
.text:00401EE3 and esi, 0FFh ; keep only the index byte
.text:00401EE9 add esp, 4
.text:00401EEC inc bl ; next index; esi still holds the current one
.text:00401EEE mov [ebp+esi+var_B2], al ; buffer[index - 0Ah] = al
.text:00401EF5 jmp short loc_401EC6
.text:00401EF7 ; ---------------------------------------------------------------------------
.text:00401EF7
.text:00401EF7 loc_401EF7: ; CODE XREF: sub_401E60+6Cj
.text:00401EF7 lea eax, [ebp+var_A8]
.text:00401EFD push 76h ; byte count = 80h - 0Ah
.text:00401EFF push eax ; buffer address
.text:00401F00 lea ecx, [ebp+var_24]
.text:00401F03 call sub_4022F2 ; CFile__Write(LPCVOID lpBuffer,DWORD NumberOfBytesWritten)
.text:00401F08 lea ecx, [ebp+var_24]
.text:00401F0B call sub_4021EA ; unnamed; ecx = &var_24, purpose not shown
.text:00401F10 lea ecx, [ebp+var_24]
.text:00401F13 call sub_4022EC ; CFile::Close(void)
.text:00401F18 push 0
.text:00401F1A push 0
.text:00401F1C push offset aCCmos_bakJ ; "备份 c:\\cmos.bak成功!" (in English: "Backup to c:\\cmos.bak succeeded!")
.text:00401F21 call sub_4021DE ; AfxMessageBox(const char *,unsigned int,unsigned int)
.text:00401F26 lea ecx, [ebp+var_24]
.text:00401F29 mov byte ptr [ebp+var_4], 1
.text:00401F2D call sub_4021E4 ; unnamed; ecx = &var_24 -- presumably the destructor, confirm
.text:00401F32
.text:00401F32 loc_401F32: ; DATA XREF: std::locale::classic(void)+5o
.text:00401F32 mov [ebp+var_4], 0FFFFFFFFh ; state back to -1
.text:00401F39 call sub_4022E6 ; AfxTryCleanup()
.text:00401F3E mov ecx, [ebp+var_C]
.text:00401F41 pop edi
.text:00401F42 pop esi
.text:00401F43 mov large fs:0, ecx ; unlink this function's SEH registration
.text:00401F4A pop ebx
.text:00401F4B mov esp, ebp
.text:00401F4D pop ebp
.text:00401F4E retn
.text:00401F4E sub_401E60 endp
//
; sub_4017F0(port, value) -- writes one byte to an I/O port.
;   arg_0 = 16-bit port number, arg_4 = byte to write; no return value is set.
;   Ends with a plain retn, so the arguments are left for the caller to remove.
;   ebx/esi/edi are saved and restored but not otherwise used here.
; `out` is I/O-sensitive rather than ring-0-only: the CPU checks EFLAGS.IOPL and
; the TSS I/O permission bitmap, and allows it at ring 3 if either permits the port.
; This listing does not show how the process obtained port access, so the
; instruction alone does not establish ring-0 execution -- TODO check the rest of
; the binary for a driver load or an IOPL change.
sub_4017F0 proc near
arg_0= word ptr 8
arg_4= byte ptr 0Ch
push ebp
mov ebp, esp
push ebx
push esi
push edi
mov dx, [ebp+arg_0] ; dx = port number
mov al, [ebp+arg_4] ; al = byte to send
out dx, al ; write al to the port in dx
pop edi
pop esi
pop ebx
pop ebp
retn
sub_4017F0 endp
//
; sub_4017D0(port) -- reads one byte from an I/O port and returns it in al.
;   arg_0 = 16-bit port number; var_4 = one-byte local holding the value read.
;   Only al is set; the upper bytes of eax are whatever they were on entry.
;   Ends with a plain retn, so the argument is left for the caller to remove.
; `in` is I/O-sensitive rather than ring-0-only: the CPU checks EFLAGS.IOPL and
; the TSS I/O permission bitmap, and allows it at ring 3 if either permits the port.
; This listing does not show how the process obtained port access, so the
; instruction alone does not establish ring-0 execution -- TODO check the rest of
; the binary for a driver load or an IOPL change.
sub_4017D0 proc near
var_4= byte ptr -4
arg_0= word ptr 8
push ebp
mov ebp, esp
push ecx ; reserves the 4-byte slot used as var_4
push ebx
push esi
push edi
mov dx, [ebp+arg_0] ; dx = port number
in al, dx ; al = byte read from the port in dx
mov [ebp+var_4], al ; store to the local ...
mov al, [ebp+var_4] ; ... and reload it as the return value
pop edi
pop esi
pop ebx
mov esp, ebp ; drops the var_4 slot
pop ebp
retn
sub_4017D0 endp
其中用来读写cmos的子程序中明显有out、in等特权指令,我想应该是进入了ring0环了吧?
同时,在这个程序中好像有许多资源,不知是不是那个木马的资源,有人能指点一下吗?