对一个木马的算法简单分析
This post was last edited by Smoke on 2012-2-9 17:58
[Article title]: A simple analysis of a trojan's algorithm
[Author]: Smoke
[Trojan name]: fuckme.exe
[Download]: see attachment
[Analysis environment]: Windows XP SP3
[Tools used]: OD, PEiD
[Detailed process]: Today I happened to find this file named fuckme.exe in the C:\WINDOWS\system32 folder. I was baffled and had no idea what it was, so I loaded it into OD to take a look. The result gave me a fright: I have no idea when I picked up this trojan. PEiD packer check: Microsoft Visual C++ 6.0
0040458F >55 push ebp
00404590 8BEC mov ebp, esp
00404592 6A FF push -0x1
00404594 68 B0A14000 push 0040A1B0
00404599 68 10444000 push 00404410
0040459E 64:A1 00000000 mov eax, dword ptr fs:[0]
004045A4 50 push eax
004045A5 64:8925 00000000 mov dword ptr fs:[0], esp
004045AC 83EC 58 sub esp, 0x58
004045AF 53 push ebx
004045B0 56 push esi
004045B1 57 push edi
004045B2 8965 E8 mov dword ptr ss:[ebp-0x18], esp
004045B5 FF15 F4A04000 call dword ptr ds:[<&KERNEL32.GetVersion>] ; kernel32.GetVersion
004045BB 33D2 xor edx, edx
004045BD 8AD4 mov dl, ah
004045BF 8915 E4DF4000 mov dword ptr ds:[0x40DFE4], edx
004045C5 8BC8 mov ecx, eax
004045C7 81E1 FF000000 and ecx, 0xFF
004045CD 890D E0DF4000 mov dword ptr ds:[0x40DFE0], ecx
004045D3 C1E1 08 shl ecx, 0x8
004045D6 03CA add ecx, edx
004045D8 890D DCDF4000 mov dword ptr ds:[0x40DFDC], ecx
004045DE C1E8 10 shr eax, 0x10
004045E1 A3 D8DF4000 mov dword ptr ds:[0x40DFD8], eax
004045E6 33F6 xor esi, esi
004045E8 56 push esi
004045E9 E8 52180000 call 00405E40
004045EE 59 pop ecx
004045EF 85C0 test eax, eax
004045F1 75 08 jnz short 004045FB
004045F3 6A 1C push 0x1C
004045F5 E8 B0000000 call 004046AA
004045FA 59 pop ecx
004045FB 8975 FC mov dword ptr ss:[ebp-0x4], esi
004045FE E8 1D150000 call 00405B20
00404603 FF15 F0A04000 call dword ptr ds:[<&KERNEL32.GetCommandLineA>] ; kernel32.GetCommandLineA
00404609 A3 04F54000 mov dword ptr ds:[0x40F504], eax
0040460E E8 DB130000 call 004059EE
00404613 A3 18E04000 mov dword ptr ds:[0x40E018], eax
00404618 E8 84110000 call 004057A1
0040461D E8 C6100000 call 004056E8
00404622 E8 49FBFFFF call 00404170
00404627 8975 D0 mov dword ptr ss:[ebp-0x30], esi
0040462A 8D45 A4 lea eax, dword ptr ss:[ebp-0x5C]
0040462D 50 push eax
0040462E FF15 ECA04000 call dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; kernel32.GetStartupInfoA
00404634 E8 57100000 call 00405690
00404639 8945 9C mov dword ptr ss:[ebp-0x64], eax
0040463C F645 D0 01 test byte ptr ss:[ebp-0x30], 0x1
00404640 74 06 je short 00404648
00404642 0FB745 D4 movzx eax, word ptr ss:[ebp-0x2C]
00404646 EB 03 jmp short 0040464B
00404648 6A 0A push 0xA
0040464A 58 pop eax
0040464B 50 push eax
0040464C FF75 9C push dword ptr ss:[ebp-0x64]
0040464F 56 push esi
00404650 56 push esi
00404651 FF15 D4A04000 call dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
00404657 50 push eax
00404658 E8 F3D5FFFF call 00401C50 // Single-stepping down with F8, the moment we step past this line the nasty thing starts running. So it's obvious: the problem must be inside this call; this is where it does its dirty work. So set a breakpoint here with F2, reload, run with F9 and it breaks here; then F7 to step in.
0040465D 8945 A0 mov dword ptr ss:[ebp-0x60], eax
00404660 50 push eax
00404661 E8 37FBFFFF call 0040419D
00404666 8B45 EC mov eax, dword ptr ss:[ebp-0x14]
00404669 8B08 mov ecx, dword ptr ds:[eax]
0040466B 8B09 mov ecx, dword ptr ds:[ecx]
0040466D 894D 98 mov dword ptr ss:[ebp-0x68], ecx
00404670 50 push eax
00404671 51 push ecx
00404672 E8 950E0000 call 0040550C
00404677 59 pop ecx
00404678 59 pop ecx
00404679 C3 retn
After F7 steps in we land here; continue single-stepping with F8.
00401C50 83EC 10 sub esp, 0x10
00401C53 57 push edi
00401C54 68 F0B24000 push 0040B2F0 ; ASCII "Q@VQ"
00401C59 E8 52070000 call 004023B0
00401C5E BF D0B14000 mov edi, 0040B1D0 ; ASCII "qu{{sisirr.;;::.ozg"
00401C63 83C9 FF or ecx, -0x1
00401C66 33C0 xor eax, eax
00401C68 6A 05 push 0x5
00401C6A F2:AE repne scas byte ptr es:[edi]
00401C6C F7D1 not ecx
00401C6E 49 dec ecx
00401C6F 51 push ecx
00401C70 68 D0B14000 push 0040B1D0 ; ASCII "qu{{sisirr.;;::.ozg" // here 0040B1D0 gets pushed onto the stack. Follow 0040B1D0 in the data window and you can see it is ciphertext.
00401C75 E8 A6FFFFFF call 00401C20 // so this call must be doing the mighty decryption. F7 in and take a look.
00401C7A 83C4 10 add esp, 0x10
00401C7D E8 7E000000 call 00401D00
00401C82 85C0 test eax, eax
00401C84 5F pop edi
00401C85 74 43 je short 00401CCA
00401C87 E8 D4230000 call 00404060
00401C8C 85C0 test eax, eax
00401C8E 75 2B jnz short 00401CBB
00401C90 894424 08 mov dword ptr ss:[esp+0x8], eax
00401C94 894424 0C mov dword ptr ss:[esp+0xC], eax
00401C98 8D4424 00 lea eax, dword ptr ss:[esp]
00401C9C C74424 00 30B04000 mov dword ptr ss:[esp], 0040B030 ; ASCII "Windows Time Acquisition"
00401CA4 50 push eax
00401CA5 C74424 08 A0184000 mov dword ptr ss:[esp+0x8], 004018A0
00401CAD FF15 1CA04000 call dword ptr ds:[<&ADVAPI32.StartServiceCtrlDispatcherA>] ; advapi32.StartServiceCtrlDispatcherA
00401CB3 33C0 xor eax, eax
00401CB5 83C4 10 add esp, 0x10
00401CB8 C2 1000 retn 0x10
Stepping in brings us to 00401C20:
00401C20 /$ 8B4424 0C mov eax, dword ptr ss:[esp+0xC]
00401C24 |. B9 FE000000 mov ecx, 0xFE
00401C29 |. 25 FF000000 and eax, 0xFF
00401C2E |. 56 push esi
00401C2F |. 99 cdq
00401C30 |. F7F9 idiv ecx
00401C32 |. 8B7424 0C mov esi, dword ptr ss:[esp+0xC]
00401C36 |. FEC2 inc dl
00401C38 |. 85F6 test esi, esi
00401C3A |. 76 10 jbe short 00401C4C // Clearly there's a loop here, and that is the algorithm. Since I'm clueless about algorithms I can only roughly understand it; if anything is wrong please point it out o(∩_∩)o
00401C3C |. 8B4424 08 mov eax, dword ptr ss:[esp+0x8]
00401C40 |> 8A08 /mov cl, byte ptr ds:[eax] // take the first byte at eax into cl
00401C42 |. 2ACA |sub cl, dl // cl = cl - dl
00401C44 |. 32CA |xor cl, dl // cl = cl xor dl
00401C46 |. 8808 |mov byte ptr ds:[eax], cl
00401C48 |. 40 |inc eax
00401C49 |. 4E |dec esi
00401C4A |.^ 75 F4 \jnz short 00401C40
00401C4C |> 5E pop esi
00401C4D \. C3 retn
From the decrypted information we can tell this is a trojan whose check-in (C2) address is: misskekejj.3322.org
Port: 8088
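The loop at 00401C40 is easier to read once it is written out as code. The block below is an added example, not code from the original post or the sample: a Python reimplementation of the routine at 00401C20 (key derivation by `idiv 0xFE` / `inc dl`, then `sub cl, dl` / `xor cl, dl` on every byte), its inverse for confirming the reading, and a small string extractor a defender might run over a data-section dump. The function names, the extractor and the surrounding sample blob are my own; the ciphertext and the `push 0x5` key argument come from the listing.

```python
"""Reimplementation of the string decoder at 00401C20 (added example, not the
trojan's own code).  The x86 routine takes (buf, len, key) on the stack and,
in place, computes  byte = (byte - k) ^ k  for every byte, where
k = ((key & 0xFF) % 0xFE) + 1  (the idiv by 0xFE followed by inc dl).
"""

MASK = 0xFF  # all arithmetic happens in 8-bit registers (cl, dl)


def derive_key(key_arg: int) -> int:
    """mov eax,[esp+0xC]; and eax,0xFF; cdq; idiv ecx (ecx=0xFE); inc dl.

    Only the low byte of the argument is used; the remainder mod 0xFE lies in
    0..0xFD, so after 'inc dl' the effective key is always in 1..0xFE.
    """
    return (((key_arg & MASK) % 0xFE) + 1) & MASK


def decrypt(buf: bytes, key_arg: int) -> bytes:
    """The loop at 00401C40: sub cl,dl then xor cl,dl, applied to each byte.

    An empty buffer comes back unchanged, mirroring 'jbe short 00401C4C',
    which skips the loop when esi (the length) is zero.
    """
    k = derive_key(key_arg)
    return bytes(((b - k) & MASK) ^ k for b in buf)


def encrypt(buf: bytes, key_arg: int) -> bytes:
    """Inverse of decrypt (not present in the binary): (p ^ k) + k.

    Re-encrypting the recovered plaintext and comparing it with the bytes at
    0040B1D0 confirms the algorithm was read correctly.
    """
    k = derive_key(key_arg)
    return bytes((((b ^ k) + k) & MASK) for b in buf)


def extract_strings(blob: bytes, key_arg: int, min_len: int = 4) -> list:
    """Decode every NUL-separated run in a blob and keep printable results.

    Hypothetical helper: run it over a dump of the sample's data section to
    recover all strings hidden with this scheme under one key.
    """
    found = []
    for run in blob.split(b"\x00"):
        if len(run) < min_len:
            continue
        plain = decrypt(run, key_arg)
        if all(0x20 <= c < 0x7F for c in plain):
            found.append(plain)
    return found


# Ciphertext as shown at 0040B1D0 in the listing; key argument from 'push 0x5'.
CIPHERTEXT = b"qu{{sisirr.;;::.ozg"
KEY_ARG = 5

# Constructed sample blob: the real ciphertext surrounded by NUL padding and a
# few non-text bytes, to show that the extractor discards non-string data.
SAMPLE_BLOB = b"\x00\x00" + CIPHERTEXT + b"\x00\x01\x02\x03\x90\x90\x00"


if __name__ == "__main__":
    print("effective key:", hex(derive_key(KEY_ARG)))
    print("decrypted    :", decrypt(CIPHERTEXT, KEY_ARG).decode())
    print("extracted    :", extract_strings(SAMPLE_BLOB, KEY_ARG))
```

With the key argument 5 the effective key is 6, so every byte is simply decremented by 6 and then XORed with 6; bytes such as '.' and 'o' map to themselves under this pair of operations, which is why the ciphertext still shows the dots of the domain name. Because only 254 effective keys exist, a string hidden this way can also be recovered without knowing the `push` argument at all: try each key and keep the candidates that decode to printable text.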
Since I've never analyzed malware before, this is my first post. (*^__^*) It's written at a very basic level; experts, please don't beat me up...
Saving it to study later. Thanks, OP.
Here to learn. Thanks, OP.
OP wrote this in great detail, just right for a newbie like me to learn from.
First time I've seen a post like this, very educational.
892644330 posted on 2012-2-9 18:09:
Why didn't you say at which address the analysis has to reach before the so-called check-in address gets decrypted?
00401C70 68 D0B14000 push 0040B1D0 ; ASCII "qu{{sisirr.;;::.ozg" // here 0040B1D0 gets pushed onto the stack. Follow 0040B1D0 in the data window and you can see it is ciphertext.
00401C75 E8 A6FFFFFF call 00401C20 // so this call must be doing the mighty decryption. F7 in and take a look.
Downloading it to study,,
Bookmarked; I'll study and dig into it properly later. Support for OP.