Virus sample: http://www.52pojie.cn/thread-64398-1-1.html
Only the exe was analysed; the infected dll will be analysed next time.
exe
Removing the little hourglass (the "app starting" busy cursor) at startup. The shell keeps showing that cursor until the new process starts servicing a message queue, so the stub below posts a WM_NULL to its own thread and immediately pulls it back with GetMessageA, which satisfies the shell without ever creating a window:
004017C9 |. 53 push ebx
004017CA |. 55 push ebp
004017CB |. 56 push esi
004017CC |. 57 push edi
004017CD |. FF15 AC104000 call dword ptr [<&USER32.GetInputStat>; [GetInputState
004017D3 |. 33DB xor ebx, ebx
004017D5 |. 53 push ebx ; /lParam => 0
004017D6 |. 53 push ebx ; |wParam => 0
004017D7 |. 53 push ebx ; |Message => WM_NULL
004017D8 |. FF15 64104000 call dword ptr [<&KERNEL32.GetCurrent>; |[GetCurrentThreadId
004017DE |. 50 push eax ; |ThreadId
004017DF |. FF15 B0104000 call dword ptr [<&USER32.PostThreadMe>; \PostThreadMessageA
004017E5 |. 53 push ebx ; /MsgFilterMax => 0
004017E6 |. 53 push ebx ; |MsgFilterMin => 0
004017E7 |. 8D4424 1C lea eax, dword ptr [esp+1C] ; |
004017EB |. 53 push ebx ; |hWnd => NULL
004017EC |. 50 push eax ; |pMsg
004017ED |. FF15 B4104000 call dword ptr [<&USER32.GetMessageA>>; \GetMessageA
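As an added example (not code from the original post), the Python below turns the OllyDbg listing above into a byte signature for this hourglass-hiding stub. The IAT slots referenced by the four FF15 calls change between builds and image bases, so every 32-bit operand is masked with ??; the shorter operands (push 1C, the jump displacement style operands) are kept. The listing text is the post's own listing pasted verbatim; the "rebased" blob it is matched against, with its different IAT addresses and padding, is constructed for the demonstration.

```python
import re
from typing import List, Optional

# Input: the OllyDbg listing from the post, pasted verbatim (raw string so the
# backslashes in OllyDbg's call comments survive). Only the address column and
# the byte column are used.
LISTING = r"""
004017C9 |. 53 push ebx
004017CA |. 55 push ebp
004017CB |. 56 push esi
004017CC |. 57 push edi
004017CD |. FF15 AC104000 call dword ptr [<&USER32.GetInputStat>; [GetInputState
004017D3 |. 33DB xor ebx, ebx
004017D5 |. 53 push ebx ; /lParam => 0
004017D6 |. 53 push ebx ; |wParam => 0
004017D7 |. 53 push ebx ; |Message => WM_NULL
004017D8 |. FF15 64104000 call dword ptr [<&KERNEL32.GetCurrent>; |[GetCurrentThreadId
004017DE |. 50 push eax ; |ThreadId
004017DF |. FF15 B0104000 call dword ptr [<&USER32.PostThreadMe>; \PostThreadMessageA
004017E5 |. 53 push ebx ; /MsgFilterMax => 0
004017E6 |. 53 push ebx ; |MsgFilterMin => 0
004017E7 |. 8D4424 1C lea eax, dword ptr [esp+1C] ; |
004017EB |. 53 push ebx ; |hWnd => NULL
004017EC |. 50 push eax ; |pMsg
004017ED |. FF15 B4104000 call dword ptr [<&USER32.GetMessageA>>; \GetMessageA
"""

# address | "|." or "|>" | one or more hex byte groups | mnemonic and the rest
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+\|[.>]\s+((?:[0-9A-F]{2,8}\s+)+)(\S.*)$")


def parse_listing(text: str) -> List[dict]:
    """Parse each OllyDbg line into {'addr', 'tokens', 'asm'}.

    A token is one opcode/operand group as OllyDbg prints it ('FF15',
    'AC104000'). Consecutive addresses must differ by the byte count of the
    previous instruction; a mismatch means a line was mangled when pasted.
    """
    insns: List[dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        tokens = m.group(2).split()
        if insns:
            prev = insns[-1]
            expected = prev["addr"] + sum(len(t) // 2 for t in prev["tokens"])
            if expected != addr:
                raise ValueError(f"gap in listing before {addr:08X}")
        insns.append({"addr": addr, "tokens": tokens, "asm": m.group(3)})
    return insns


def build_signature(insns: List[dict]) -> List[Optional[int]]:
    """Emit the instruction bytes with every dword operand wildcarded (None).

    Heuristic for this listing: every 4-byte operand is an absolute VA (the
    IAT slot of an FF15 call), which moves between builds, so it becomes '??'.
    Byte-sized operands such as 'push 1C' or 'lea eax,[esp+1C]' stay literal.
    """
    sig: List[Optional[int]] = []
    for insn in insns:
        for tok in insn["tokens"]:
            if len(tok) == 8:
                sig.extend([None] * 4)
            else:
                sig.extend(bytes.fromhex(tok))
    return sig


def signature_text(sig: List[Optional[int]]) -> str:
    """Render as the usual 'AA BB ?? ?? CC' pattern notation."""
    return " ".join("??" if b is None else f"{b:02X}" for b in sig)


def find_signature(sig: List[Optional[int]], data: bytes) -> List[int]:
    """Naive scan: every offset in data where the masked pattern matches."""
    hits = []
    for off in range(len(data) - len(sig) + 1):
        if all(b is None or data[off + i] == b for i, b in enumerate(sig)):
            hits.append(off)
    return hits


def rebased_sample() -> bytes:
    """Constructed blob: the same stub as another build would carry it, with
    different IAT addresses, surrounded by junk bytes. Not from the sample."""
    code = bytes.fromhex(
        "53555657"                  # push ebx / ebp / esi / edi
        "FF15" "10205000"           # call [GetInputState]       (other IAT slot)
        "33DB" "535353"             # xor ebx,ebx ; push 0 x3
        "FF15" "20205000"           # call [GetCurrentThreadId]
        "50"                        # push eax
        "FF15" "30205000"           # call [PostThreadMessageA]
        "5353" "8D44241C" "53" "50" # push 0 x2 ; lea eax,[esp+1C] ; push 0 ; push eax
        "FF15" "40205000"           # call [GetMessageA]
    )
    return b"\x90" * 17 + code + b"\xcc" * 9


if __name__ == "__main__":
    sig = build_signature(parse_listing(LISTING))
    print(signature_text(sig))
    print(find_signature(sig, rebased_sample()))
```

The continuity check in parse_listing is the part worth keeping when pasting listings from a blog: OllyDbg output loses its column alignment on the way, and a dropped or duplicated line silently shifts every byte after it.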
Tags: analysis, trojan, 龙之谷 (Dragon Nest)
Continuing last time's analysis of the infected dll
00871B9A |. 6A 1C push 1C ; /BufSize = 1C (28.)
00871B9C |. 8D45 E4 lea eax, dword ptr [ebp-1C] ; |
00871B9F |. 50 push eax ; |Buffer
00871BA0 |. FF75 E0 push dword ptr [ebp-20] ; |Address
00871BA3 |. FF15 2C918700 call dword ptr [<&KERNEL32.VirtualQue>; \VirtualQuery
00871BA9 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; VirtualQuery filled the 0x1C-byte MEMORY_BASIC_INFORMATION at [ebp-1C]; [ebp-18] is its AllocationBase field
00871BAC |. A3 38DC8700 mov dword ptr [87DC38], eax
00871BB1 |. 6A 00 push 0 ; /pModule = NULL
00871BB3 |. FF15 04918700 call dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA
00871BB9 |. 3B05 38DC8700 cmp eax, dword ptr [87DC38] ; GetModuleHandleA(NULL) returns the base address of the process's main exe image
00871BBF |. 75 16 jnz short 00871BD7 ; compare the two: if equal, run the loader part; if not equal, start...
008758E2 |. 6A 00 push 0 ; /pThreadId = NULL
008758E4 |. 6A 00 push 0 ; |CreationFlags = 0
008758E6 |. 6A 00 push 0 ; |pThreadParm = NULL
008758E8 |. 68 9D538700 push 0087539D ; |ThreadFunction = appmgmts.0087539D
008758ED |. 6A 00 push 0 ; |StackSize = 0
008758EF |. 6A 00 push 0 ; |pSecurity = NULL
008758F1 |. FF15 80918700 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread
008758F7 |> 33C0 xor eax, eax ; start thread A
Tags: analysis, 极虎 (Jihu), sample, virus
Sample download: http://vip.begin09.com/thread-5745-1-1.html
Only the exe's behaviour when run was analysed: it disables Windows File Protection, changes its own attributes to a DLL, writes itself to C:\WINDOWS\system32\appmgmts.dll and starts it as a service. The dll will be analysed next time, no time today~
00401B9A |. 6A 1C push 1C ; /BufSize = 1C (28.)
00401B9C |. 8D45 E4 lea eax, dword ptr [ebp-1C] ; |
00401B9F |. 50 push eax ; |Buffer
00401BA0 |. FF75 E0 push dword ptr [ebp-20] ; |Address
00401BA3 |. FF15 2C914000 call dword ptr [<&KERNEL32.VirtualQue>; \VirtualQuery
00401BA9 |. 8B45 E8 mov eax, dword ptr [ebp-18] ; VirtualQuery filled the 0x1C-byte MEMORY_BASIC_INFORMATION at [ebp-1C]; [ebp-18] is its AllocationBase field
00401BAC |. A3 38DC4000 mov dword ptr [40DC38], eax
00401BB1 |. 6A 00 push 0 ; /pModule = NULL
00401BB3 |. FF15 04914000 call dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA
00401BB9 |. 3B05 38DC4000 cmp eax, dword ptr [40DC38] ; GetModuleHandleA(NULL) returns the base address of the process's main exe image
00401BBF |. 75 16 jnz short 00401BD7 ; compare the two: if they are not equal, exit the thread
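The post says the exe turns itself into a DLL before dropping appmgmts.dll, and the VirtualQuery/GetModuleHandleA comparison above is how one image tells whether it is currently running as the exe or as the dll. The header field that decides what the loader will accept as a DLL is the IMAGE_FILE_DLL bit in the COFF Characteristics. The Python below is an added example, not the sample's own code: it walks MZ -> e_lfanew -> PE to locate that field, sets or clears the bit without touching anything else, and reports whether a file claims to be a DLL. The 88-byte header it operates on is constructed for the demonstration (not a loadable image); the Machine/Characteristics values were chosen to look like a typical 32-bit exe.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550    # 'PE\0\0'
IMAGE_FILE_DLL = 0x2000            # IMAGE_FILE_HEADER.Characteristics bit

# Offset of Characteristics from the PE signature: the 4-byte signature, then
# Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
# NumberOfSymbols(4) SizeOfOptionalHeader(2) -> Characteristics at +22.
COFF_CHARACTERISTICS_OFF = 4 + 18


def characteristics_offset(pe: bytes) -> int:
    """Locate IMAGE_FILE_HEADER.Characteristics, validating both signatures."""
    if len(pe) < 0x40 or struct.unpack_from("<H", pe, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or struct.unpack_from("<I", pe, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad e_lfanew or PE signature")
    return e_lfanew + COFF_CHARACTERISTICS_OFF


def get_characteristics(pe: bytes) -> int:
    return struct.unpack_from("<H", pe, characteristics_offset(pe))[0]


def is_dll(pe: bytes) -> bool:
    """True when the image is flagged as a DLL (what LoadLibrary/CreateService will load)."""
    return bool(get_characteristics(pe) & IMAGE_FILE_DLL)


def looks_like_pe(pe: bytes) -> bool:
    try:
        characteristics_offset(pe)
        return True
    except ValueError:
        return False


def set_dll_flag(pe: bytes, dll: bool = True) -> bytes:
    """Return a copy with IMAGE_FILE_DLL set (or cleared); no other byte changes.
    This single bit is all that separates the exe from the dll the sample drops."""
    off = characteristics_offset(pe)
    chars = get_characteristics(pe)
    chars = (chars | IMAGE_FILE_DLL) if dll else (chars & ~IMAGE_FILE_DLL & 0xFFFF)
    buf = bytearray(pe)
    struct.pack_into("<H", buf, off, chars)
    return bytes(buf)


def minimal_exe_header() -> bytes:
    """Constructed 88-byte stub: DOS header, PE signature and COFF header of an
    i386 exe. Machine 0x014C, 3 sections, Characteristics 0x010F
    (RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED |
    LOCAL_SYMS_STRIPPED | 32BIT_MACHINE). Not a loadable image."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x014C, 3,
                       0x4B3F0000, 0, 0, 0xE0, 0x010F)
    return bytes(dos) + coff


if __name__ == "__main__":
    exe = minimal_exe_header()
    dll = set_dll_flag(exe)
    print(f"exe: {get_characteristics(exe):04X} is_dll={is_dll(exe)}")
    print(f"dll: {get_characteristics(dll):04X} is_dll={is_dll(dll)}")
```

When triaging a dropped file like appmgmts.dll, comparing get_characteristics() of the dropper and the dropped file is a quick way to confirm they are the same image with only this bit flipped, which is what the shared loader code above depends on.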
Tags: analysis, 极虎 (Jihu), sample, virus