Analysis environment: 1. VMware Workstation 10.0.0 build-1295980; 2. Windows Server 2003 SP2; 3. no anti-virus software installed.
Step 1: identify the packer and unpack. Dealing with the packer first makes the rest of the analysis much easier.
Now look at the sections:
It is easy to see that this is either a double pack or a disguised pack: ASPack 2.12 and UPX, both compression packers. Start by removing ASPack 2.12 with the ESP trick. Load the trojan in OllyDbg; it stops at the packer's entry point:
00421001 > 60 pushad ; program entry point
00421002 E8 03000000 call 7a3e0f74.0042100A
00421007 - E9 EB045D45 jmp 459F14F7
0042100C 55 push ebp
0042100D C3 retn
After one F8 step (pushad has just saved all registers on the stack), follow ESP from the register window into the dump window and set a hardware access breakpoint on that word in the hex dump (or simply type hr 0012FFA4 on the command line). The breakpoint fires when the packer's popad reads the saved registers back. Press F9; execution breaks here:
00421416 /75 08 jnz short 7a3e0f74.00421420 ; breaks here after F9 with the hardware breakpoint on [ESP]
00421418 |B8 01000000 mov eax,1
0042141D |C2 0C00 retn 0C
00421420 \68 00104000 push 7a3e0f74.00401000
00421425 C3 retn
Three more single steps (F8) lead to the OEP:
00401000 55 push ebp ; OEP
00401001 8BEC mov ebp,esp
00401003 83EC 28 sub esp,28
00401006 8365 FC 00 and dword ptr ss:[ebp-4],0
0040100A 837D 0C 02 cmp dword ptr ss:[ebp+C],2
0040100E 74 30 je short 7a3e0f74.00401040
00401010 837D 0C 03 cmp dword ptr ss:[ebp+C],3
00401014 74 2A je short 7a3e0f74.00401040
00401016 A1 68E14000 mov eax,dword ptr ds:[40E168]
……
At 00401000 dump the process with OllyDbg's built-in dump plugin (or any other dumper) to get 1.exe; then check the import pointers with ImpREC and, if any are invalid, fix them to obtain 1_.exe. Post-unpacking optimisation is not covered here; try it yourself if you are interested.
Step 2: load the unpacked 1_.exe in OllyDbg and go to the OEP (note: only the important parts of the asm listing below are annotated):
00401000 >/$ 55 push ebp ; OEP
00401001 |. 8BEC mov ebp,esp
00401003 |. 83EC 28 sub esp,28
00401006 |. 8365 FC 00 and dword ptr ss:[ebp-4],0
0040100A |. 837D 0C 02 cmp dword ptr ss:[ebp+C],2 ; arg2 == 2 (DLL_THREAD_ATTACH)?
0040100E |. 74 30 je short 1_.00401040
00401010 |. 837D 0C 03 cmp dword ptr ss:[ebp+C],3 ; arg2 == 3 (DLL_THREAD_DETACH)?
00401014 |. 74 2A je short 1_.00401040 ; three stack args and retn 0C: the entry point has the shape of DllMain(hinst, reason, reserved) and doubles as the EXE entry
00401016 |. A1 68E14000 mov eax,dword ptr ds:[<&kernel32.GetTempPathA>] ; address of GetTempPathA
0040101B |. 8945 D8 mov dword ptr ss:[ebp-28],eax
0040101E |. A1 38E14000 mov eax,dword ptr ds:[<&kernel32.GetSystemDirector>; address of GetSystemDirectoryA
00401023 |. 8945 DC mov dword ptr ss:[ebp-24],eax
00401026 |. 68 A0354100 push 1_.004135A0 ; buffer that receives the temp directory: C:\Documents and Settings\Administrator\Local Settings\Temp
0040102B |. 68 04010000 push 104
00401030 |. FF55 D8 call dword ptr ss:[ebp-28] ; GetTempPathA -> temp directory path
00401033 |. 68 04010000 push 104
00401038 |. 68 B0364100 push 1_.004136B0 ; buffer that receives the system directory: C:\WINDOWS\system32
0040103D |. FF55 DC call dword ptr ss:[ebp-24] ; GetSystemDirectoryA -> system32 path
00401040 |> E8 00000000 call 1_.00401045 ; step in with F7: the target is the very next instruction, so the call only pushes 00401045 (its own address) as the return address
00401045 |$ 8B0424 mov eax,dword ptr ss:[esp] ; eax = 00401045
00401048 |. 83C4 04 add esp,4
0040104B |. 8945 FC mov dword ptr ss:[ebp-4],eax ; 00401045
0040104E |. 6A 1C push 1C ; /BufSize = sizeof(MEMORY_BASIC_INFORMATION)
00401050 |. 8D45 E0 lea eax,dword ptr ss:[ebp-20] ; |
00401053 |. 50 push eax ; |Buffer = 0012FFA0, a MEMORY_BASIC_INFORMATION that receives the region info
00401054 |. FF75 FC push dword ptr ss:[ebp-4] ; |Address = 00401045
00401057 |. FF15 0CE14000 call dword ptr ds:[<&kernel32.VirtualQuery>] ; \query the memory region that contains 00401045 (the running code)
0040105D |. 8B45 E4 mov eax,dword ptr ss:[ebp-1C] ; MEMORY_BASIC_INFORMATION.AllocationBase (offset 4) = 00400000
00401060 |. A3 38434100 mov dword ptr ds:[414338],eax ; save the base of the image this code lives in
00401065 |. 6A 00 push 0 ; /pModule = NULL
00401067 |. FF15 20E14000 call dword ptr ds:[<&kernel32.GetModuleHandleW>] ; \GetModuleHandleW(NULL): base of the process's main executable
0040106D |. 3B05 38434100 cmp eax,dword ptr ds:[414338] ; is this code running inside the main EXE image, or inside a DLL loaded into some process?
00401073 |. 74 12 je short 1_.00401087 ; taken: we are the EXE
00401075 |. FF75 10 push dword ptr ss:[ebp+10] ; /Arg3 (lpReserved)
00401078 |. FF75 0C push dword ptr ss:[ebp+C] ; |Arg2 (fdwReason)
0040107B |. FF75 08 push dword ptr ss:[ebp+8] ; |Arg1 (hinstDLL)
0040107E |. E8 1A4A0000 call 1_.00405A9D ; \DLL path (not followed in this analysis)
00401083 |. C9 leave
00401084 |. C2 0C00 retn 0C
00401087 |> 6A 01 push 1
00401089 |. 6A 00 push 0
0040108B |. E8 58230000 call 1_.004033E8 ; F7 in: creates the trojan's files, registry entries and services
00401090 |. 6A 00 push 0 ; /ExitCode = 0
00401092 \. FF15 F8E04000 call dword ptr ds:[<&kernel32.ExitProcess>] ; \kernel32.ExitProcess: exit once the installation is done
00401098 . C9 leave
00401099 . C2 1000 retn 10
In the listing above, step into call 1_.004033E8 at 0040108B with F7 and keep stepping with F7. There is some loop/computation inside that I did not work out; just keep pressing F7 until you reach:
0040109C /. 55 push ebp ; F7 until here
0040109D |. 8BEC mov ebp,esp
0040109F |. E8 201C0000 call 1_.00402CC4 ; F7 in, see the listing below
004010A4 |. E8 51160000 call 1_.004026FA ; creates a file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\<random name>.log
004010A9 |. 85C0 test eax,eax ; eax=1
004010AB |. 75 02 jnz short 1_.004010AF ; taken when eax != 0
004010AD |. EB 21 jmp short 1_.004010D0
004010AF |> 833D 58384100 >cmp dword ptr ds:[413858],1 ; falls through to the screenshot only if [413858]=1
004010B6 |. 75 0A jnz short 1_.004010C2
004010B8 |. 68 84394100 push 1_.00413984 ; /Arg1 = 00413984 ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\699340D1.log"
004010BD |. E8 28960000 call 1_.0040A6EA ; screenshot routine; the capture is written to 699340D1.log
004010C2 |> E8 1A090000 call 1_.004019E1 ; unknown routine; many F7 presses did not get to the end of it
004010C7 |. 85C0 test eax,eax ; eax=0
004010C9 |. 75 05 jnz short 1_.004010D0 ; not taken
004010CB |. E8 91040000 call 1_.00401561 ; creates the trojan's files, registry entries and services
004010D0 |> 5D pop ebp ; by this point 13 trojan DLLs of 148 KB each have been written
004010D1 \. C3 retn
// After the call above has run there are 14 .tmp/.dll trojan files of the same size (148 KB).
Now step into call 1_.00402CC4 at 0040109F with F7:
00402CC4 $ 55 push ebp
00402CC5 . 8BEC mov ebp,esp
00402CC7 . 6A FF push -1
00402CC9 . 68 48F04000 push 1_.0040F048
00402CCE . 68 1AD24000 push <jmp.&msvcrt._except_handler3> ; installs an SEH frame (_except_handler3, scope table at 0040F048)
00402CD3 . 64:A1 00000000 mov eax,dword ptr fs:[0] ; fs:[0] in the TEB points to the head of the SEH chain
00402CD9 . 50 push eax
00402CDA . 64:8925 000000>mov dword ptr fs:[0],esp
00402CE1 . 51 push ecx
00402CE2 . 51 push ecx
00402CE3 . 83EC 10 sub esp,10
00402CE6 . 53 push ebx
00402CE7 . 56 push esi
00402CE8 . 57 push edi
00402CE9 . 8965 E8 mov dword ptr ss:[ebp-18],esp
00402CEC . C745 E0 000000>mov dword ptr ss:[ebp-20],4000000 ; region size 0x4000000 = 64 MB
00402CF3 . 8365 E4 00 and dword ptr ss:[ebp-1C],0
00402CF7 . 8365 DC 00 and dword ptr ss:[ebp-24],0
00402CFB . A1 4CE14000 mov eax,dword ptr ds:[<&kernel32.VirtualAlloc>] ; kernel32.VirtualAlloc
00402D00 . 8945 D8 mov dword ptr ss:[ebp-28],eax
00402D03 . 8365 FC 00 and dword ptr ss:[ebp-4],0 ; enter the __try scope (try level 0)
00402D07 . 6A 40 push 40 ; Protect = PAGE_EXECUTE_READWRITE
00402D09 . 68 00300000 push 3000 ; AllocationType = MEM_COMMIT|MEM_RESERVE
00402D0E . FF75 E0 push dword ptr ss:[ebp-20] ; Size = 4000000
00402D11 . 6A 00 push 0 ; Address = NULL (let the system choose)
00402D13 . FF55 D8 call dword ptr ss:[ebp-28] ; VirtualAlloc: 64 MB of RWX memory; returns the region base on success
00402D16 . 8945 DC mov dword ptr ss:[ebp-24],eax ; 01110000
00402D19 . 837D DC 00 cmp dword ptr ss:[ebp-24],0
00402D1D . 75 06 jnz short 1_.00402D25 ; taken: the allocation succeeded
00402D1F . 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF ; allocation failed: leave the __try scope and return
00402D23 . EB 68 jmp short 1_.00402D8D
00402D25 > FF75 E0 push dword ptr ss:[ebp-20] ; /n = 4000000
00402D28 . 68 90000000 push 90 ; |c = 90 (NOP)
00402D2D . FF75 DC push dword ptr ss:[ebp-24] ; |s = 01110000
00402D30 . E8 79A40000 call <jmp.&msvcrt.memset> ; \memset(01110000, 0x90, 0x4000000): fill the whole region with NOPs
//01110000 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
//01110010 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
//01110020 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
……………………
//0510FFD0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
//0510FFE0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
//0510FFF0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................
//05110000 end of the region: 0x4000000 bytes starting at 01110000 have been set to 0x90
00402D35 . 83C4 0C add esp,0C
00402D38 . B8 662D4000 mov eax,1_.00402D66 ; the eventual jump target; the code now computes the displacement for a jmp placed at 0510FFFB
00402D3D . 8945 E4 mov dword ptr ss:[ebp-1C],eax
00402D40 . 8B45 DC mov eax,dword ptr ss:[ebp-24] ; 01110000
00402D43 . 0345 E0 add eax,dword ptr ss:[ebp-20] ; eax = region end = 05110000
00402D46 . C740 FB E90000>mov dword ptr ds:[eax-5],0E9 ; opcode E9 (jmp rel32) at 0510FFFB, the last 5 bytes of the region (was 90909090)
00402D4D . 8B45 DC mov eax,dword ptr ss:[ebp-24]
00402D50 . 0345 E0 add eax,dword ptr ss:[ebp-20]
00402D53 . 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
00402D56 . 2BC8 sub ecx,eax ; ecx = target - region end = 00402D66 - 05110000 = FB2F2D66 (a rel32 is relative to the instruction after the 5-byte jmp, which here is exactly the region end)
00402D58 . 8B45 DC mov eax,dword ptr ss:[ebp-24]
00402D5B . 0345 E0 add eax,dword ptr ss:[ebp-20]
00402D5E . 8948 FC mov dword ptr ds:[eax-4],ecx ; displacement at 0510FFFC: [05110000-4] = FB2F2D66
//0510FFFB E9 66 2D 2F FB jmp 00402D66 (the dword is stored little-endian)
00402D61 . 8B45 DC mov eax,dword ptr ss:[ebp-24]
00402D64 . FFE0 jmp eax ; jump to 01110000 -> 90 90 90 ...
{
01110000 90 nop ; from here on there are 0x4000000 NOPs. They do nothing for the program itself; under a tracing or single-stepping debugger, though, 64 million steps are effectively endless. It looks like a decoy for the analyst, so do not F8 through it.
01110001 90 nop
01110002 90 nop
………………
0510FFF9 90 nop
0510FFFA 90 nop
0510FFFB - E9 662D2FFB jmp 1_.00402D66 ; so set a breakpoint here with F2, press F9 to run to it, then F8 once
}
00402D66 . 68 00800000 push 8000 ; /FreeType = MEM_RELEASE
// so the code from 00402CFB down to here has no lasting effect: allocate, fill with NOPs, run through them, release
00402D6B . 6A 00 push 0 ; |Size = 0
00402D6D . FF75 DC push dword ptr ss:[ebp-24] ; |Address
00402D70 . FF15 24E14000 call dword ptr ds:[<&kernel32.VirtualFree>] ; \VirtualFree
00402D76 . 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
00402D7A . EB 11 jmp short 1_.00402D8D
00402D7C . 33C0 xor eax,eax ; looks like the _except_handler3 filter: returns 1 (EXCEPTION_EXECUTE_HANDLER)
00402D7E . 40 inc eax
00402D7F . C3 retn
00402D80 . 8B65 E8 mov esp,dword ptr ss:[ebp-18] ; looks like the matching handler: restore esp and fall through to the cleanup, so a fault raised while inside the region would be swallowed silently
00402D83 . 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
00402D87 . EB 04 jmp short 1_.00402D8D
00402D89 . 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF
00402D8D > 8B4D F0 mov ecx,dword ptr ss:[ebp-10]
00402D90 . 64:890D 000000>mov dword ptr fs:[0],ecx ; TEB
00402D97 . 5F pop edi
00402D98 . 5E pop esi
00402D99 . 5B pop ebx
00402D9A . C9 leave
00402D9B . C3 retn
After working through this listing, call 00402CC4 does not seem to have any real effect; if you are interested, try NOPing the call out and see what happens.
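The displacement arithmetic in the routine above is worth having in a reusable form. The following C program is an added example written for this write-up, not code from the sample or from the original post. It rebuilds the NOP-sled trampoline the way 00402D46..00402D5E do (opcode E9 in the last five bytes of the region, rel32 = target - region_end stored little-endian) and, more usefully for an analyst, resolves where such a sled ends up without stepping through it. The addresses are the ones from the listing; the function names are mine, the buffer is a small stand-in for the 64 MB region (an assumption so the demo fits anywhere), and nothing is executed.

```c
/* Added example (not from the sample or the post): the NOP-sled trampoline
 * built by 00402CC4, reproduced as plain arithmetic on a heap buffer.
 * Assumption: the region layout is the same as in the listing, only smaller. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OP_NOP 0x90
#define OP_JMP 0xE9 /* jmp rel32: 5 bytes, displacement relative to the next instruction */

/* rel32 for a 5-byte "jmp target" located at jmp_addr (32-bit wraparound). */
uint32_t rel32_for_jmp(uint32_t jmp_addr, uint32_t target)
{
    return target - (jmp_addr + 5u);
}

/* buf models a region of `size` bytes mapped at `base`. Fill it with NOPs and
 * place "jmp target" in the last five bytes, exactly as the sample does:
 * [base+size-5] = E9, [base+size-4] = target - (base+size), little-endian. */
int build_nop_trampoline(uint8_t *buf, uint32_t base, uint32_t size, uint32_t target)
{
    if (buf == NULL || size < 5)
        return -1;
    memset(buf, OP_NOP, size);
    uint32_t end = base + size;                     /* address after the jmp */
    uint32_t rel = rel32_for_jmp(end - 5u, target); /* == target - end */
    buf[size - 5] = OP_JMP;
    buf[size - 4] = (uint8_t)(rel);
    buf[size - 3] = (uint8_t)(rel >> 8);
    buf[size - 2] = (uint8_t)(rel >> 16);
    buf[size - 1] = (uint8_t)(rel >> 24);
    return 0;
}

/* The analyst's shortcut: skip the sled and decode the jmp at its end.
 * Returns 0 and stores the absolute target, or -1 if the region is not
 * "NOPs followed by exactly one jmp rel32". */
int resolve_nop_trampoline(const uint8_t *buf, uint32_t base, uint32_t size, uint32_t *target_out)
{
    uint32_t i = 0;
    while (i < size && buf[i] == OP_NOP)
        i++;
    if (i + 5 != size || buf[i] != OP_JMP)
        return -1;
    uint32_t rel = (uint32_t)buf[i + 1] | ((uint32_t)buf[i + 2] << 8) |
                   ((uint32_t)buf[i + 3] << 16) | ((uint32_t)buf[i + 4] << 24);
    *target_out = base + i + 5u + rel; /* next-instruction address + rel32 */
    return 0;
}

/* Build a sled for (base, size, target), resolve it again and return the
 * resolved target; 0 on any failure. */
uint32_t trampoline_roundtrip(uint32_t base, uint32_t size, uint32_t target)
{
    uint8_t *buf = malloc(size);
    uint32_t got = 0;
    if (buf == NULL)
        return 0;
    if (build_nop_trampoline(buf, base, size, target) != 0 ||
        resolve_nop_trampoline(buf, base, size, &got) != 0)
        got = 0;
    free(buf);
    return got;
}

int main(void)
{
    /* The real values from the listing: jmp at 0510FFFB, target 00402D66. */
    printf("rel32 = %08X\n", (unsigned)rel32_for_jmp(0x0510FFFBu, 0x00402D66u));
    /* Stand-in region: 4 KB instead of 64 MB, same base and target. */
    printf("sled ends with jmp %08X\n",
           (unsigned)trampoline_roundtrip(0x01110000u, 0x1000u, 0x00402D66u));
    return 0;
}
```

Running it prints rel32 = FB2F2D66, matching the bytes E9 66 2D 2F FB seen at 0510FFFB. resolve_nop_trampoline is the check to apply to any freshly allocated RWX region the sample jumps into: if it is NOPs followed by a single jmp, breakpoint at the decoded target instead of single-stepping.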
Next, 004010A4 call 1_.004026FA, which creates a randomly named .log file under C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\:
004026FA $ 55 push ebp
004026FB . 8BEC mov ebp,esp
004026FD . 81EC 80020000 sub esp,280
00402703 . C745 E8 010000>mov dword ptr ss:[ebp-18],1
0040270A . 834D EC FF or dword ptr ss:[ebp-14],FFFFFFFF
0040270E . 8365 F0 00 and dword ptr ss:[ebp-10],0
00402712 . 8365 F4 00 and dword ptr ss:[ebp-C],0
00402716 . C745 FC 020000>mov dword ptr ss:[ebp-4],2
0040271D . C745 E4 010000>mov dword ptr ss:[ebp-1C],1
00402724 . 8365 F8 00 and dword ptr ss:[ebp-8],0
00402728 . C745 E0 102700>mov dword ptr ss:[ebp-20],2710
0040272F . 83A5 CCFDFFFF >and dword ptr ss:[ebp-234],0
00402736 . 68 04010000 push 104 ; /BufSize = 104 (260.)
0040273B . 8D85 D0FDFFFF lea eax,dword ptr ss:[ebp-230] ; |
00402741 . 50 push eax ; |0012FD20
00402742 . 6A 00 push 0 ; |hModule = NULL
00402744 . FF15 58E14000 call dword ptr ds:[<&kernel32.GetModuleFileNam>; \GetModuleFileNameA: full path of this executable
//0012FD20 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 C:\Documents and
//0012FD30 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69  Settings\Admini
//0012FD40 73 74 72 61 74 6F 72 5C D7 C0 C3 E6 5C 31 5F 2E strator\桌面\1_.
//0012FD50 65 78 65 00 01 00 00 00 50 FA 77 F6 0D ED 82 80 exe.....P.w.....
0040274A . 68 04010000 push 104 ; /n = 104 (260.)
0040274F . 8D85 D0FDFFFF lea eax,dword ptr ss:[ebp-230] ; |C:\Documents and Settings\Administrator\桌面\1_.exe
00402755 . 50 push eax ; |src
00402756 . 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128] ; |
0040275C . 50 push eax ; |dest
0040275D . E8 46AA0000 call <jmp.&msvcrt.memcpy> ; \memcpy
//0012FE28 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64 C:\Documents and
//0012FE38 20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69  Settings\Admini
//0012FE48 73 74 72 61 74 6F 72 5C D7 C0 C3 E6 5C 31 5F 2E strator\桌面\1_.
//0012FE58 65 78 65 00 01 00 00 00 50 FA 77 F6 0D ED 82 80 exe.....P.w.....
00402762 . 83C4 0C add esp,0C
00402765 . 83A5 DBFEFFFF >and dword ptr ss:[ebp-125],0
0040276C . 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128] ; C:\....ments and Settings\Administrator\桌面\1_.exe
00402772 . 50 push eax ; /RootPathName
00402773 . FF15 ECE04000 call dword ptr ds:[<&kernel32.GetD>; \kernel32.GetDriveTypeA: type of the drive this executable runs from
00402779 . 83F8 02 cmp eax,2 ; 2 = DRIVE_REMOVABLE, 3 = DRIVE_FIXED (the case here)
0040277C . 75 33 jnz short 1_.004027B1 ; taken unless the sample was started from removable media
0040277E . 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128]
00402784 . 50 push eax ; /<%s>
00402785 . 68 68E54000 push 1_.0040E568 ; |Format = "explorer.exe /n,%s"
0040278A . 8D85 88FDFFFF lea eax,dword ptr ss:[ebp-278] ; |
00402790 . 50 push eax ; |s
00402791 . FF15 94E24000 call dword ptr ds:[<&user32.wsprin>; \wsprintfA
00402797 . 83C4 0C add esp,0C
0040279A . 6A 00 push 0 ; /Arg3 = 00000000
0040279C . 6A 00 push 0 ; |Arg2 = 00000000
0040279E . 8D85 88FDFFFF lea eax,dword ptr ss:[ebp-278] ; |
004027A4 . 50 push eax ; |Arg1 = "explorer.exe /n,<own path>"
004027A5 . E8 B90A0000 call 1_.00403263 ; \removable-media branch only, not executed here
004027AA . C745 E4 030000>mov dword ptr ss:[ebp-1C],3 ; mode flag, later passed to 004023F0 (stays 1 on the normal path)
004027B1 > 0FBE05 E81C410>movsx eax,byte ptr ds:[411CE8] ; first byte of the still-encoded pipe name: B1, sign-extended to FFFFFFB1 = -79
004027B8 . 83F8 B1 cmp eax,-4F ; -4F is the byte B1 sign-extended; equal means the string has not been decoded yet, so fall through
004027BB . 75 11 jnz short 1_.004027CE
004027BD . 68 8F000000 push 8F ; /Arg3 = 8F (presumably the decoding key; the routine itself is not analysed here)
004027C2 . 6A 30 push 30 ; |Arg2 = 30 = 48, the length of the decoded string including its terminating NUL
004027C4 . 68 E81C4100 push 1_.00411CE8 ; |Arg1 = 00411CE8, the buffer, decoded in place
004027C9 . E8 E3FAFFFF call 1_.004022B1 ; \decodes the pipe name
After the call, 00411CE8 holds "\\.\pipe\{D952F2D0-0BCE-4b2b-8FFF-2317F120FCC3}":
//00411CE8 5C 5C 2E 5C 70 69 70 65 5C 7B 44 39 35 32 46 32 \\.\pipe\{D952F2
//00411CF8 44 30 2D 30 42 43 45 2D 34 62 32 62 2D 38 46 46 D0-0BCE-4b2b-8FF
//00411D08 46 2D 32 33 31 37 46 31 32 30 46 43 43 33 7D 00 F-2317F120FCC3}.
004027CE > \FF35 E01C4100 push dword ptr ds:[411CE0] ; /EventName: ds:[00411CE0]=0040E7AC (1_.0040E7AC), ASCII "Global\{6581F932-EEC4-422e-A5FD-0F78BB508683}"
004027D4 . 6A 00 push 0 ; |InitiallySignaled = FALSE
004027D6 . 6A 00 push 0 ; |ManualReset = FALSE
004027D8 . 6A 00 push 0 ; |pSecurity = NULL
004027DA . FF15 30E14000 call dword ptr ds:[<&kernel32.CreateEventA>] ; \CreateEventA: creates or opens the named event; it serves as an "already running" marker (Global\ namespace, so across sessions)
004027E0 . 8945 F0 mov dword ptr ss:[ebp-10],eax ; event handle, eax=0xCC
004027E3 . FF15 A0E14000 call dword ptr ds:[<&kernel32.GetLastError>] ; [GetLastError: 0 here; B7 (ERROR_ALREADY_EXISTS) if another instance had created the event first
004027E9 . 8985 CCFDFFFF mov dword ptr ss:[ebp-234],eax ; 0
004027EF > 6A 00 push 0 ; /hTemplateFile = NULL
004027F1 . 6A 00 push 0 ; |Attributes = 0
004027F3 . 6A 03 push 3 ; |Mode = OPEN_EXISTING
004027F5 . 6A 00 push 0 ; |pSecurity = NULL
004027F7 . 6A 00 push 0 ; |ShareMode = 0
004027F9 . 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004027FE . 68 E81C4100 push 1_.00411CE8 ; |FileName = "\\.\pipe\{D952F2D0-0BCE-4b2b-8FFF-2317F120FCC3}"
00402803 . FF15 FCE04000 call dword ptr ds:[<&kernel32.CreateFileA>] ; \CreateFileA on a \\.\pipe\ name opens the client end of a named pipe; it succeeds only if a server end already exists (a pipe server would call CreateNamedPipe)
00402809 . 8945 EC mov dword ptr ss:[ebp-14],eax ; eax=FFFFFFFF (INVALID_HANDLE_VALUE): the open failed
0040280C . 837D EC FF cmp dword ptr ss:[ebp-14],-1
00402810 . 0F85 85000000 jnz 1_.0040289B ; not taken
00402816 . FF15 A0E14000 call dword ptr ds:[<&kernel32.GetLastError>] ; [GetLastError
0040281C . 3D E7000000 cmp eax,0E7 ; E7 = ERROR_PIPE_BUSY (a server exists but all instances are busy); here eax=2 = ERROR_FILE_NOT_FOUND: no such pipe
00402821 . 75 2E jnz short 1_.00402851 ; taken
……………………
00402851 > FF15 84E14000 call dword ptr ds:[<&kernel32.GetTickCount>] ; [GetTickCount: milliseconds since boot
00402857 . 3D 60EA0000 cmp eax,0EA60 ; EA60 = 60000 ms = one minute
0040285C . 73 0D jnb short 1_.0040286B ; taken: the system has been up for at least a minute
……………………
0040286B > \81BD CCFDFFFF >cmp dword ptr ss:[ebp-234],0B7 ; did CreateEventA report ERROR_ALREADY_EXISTS (B7)?
00402875 . 75 1A jnz short 1_.00402891 ; taken: this is the first instance
……………………
00402891 > E9 D2000000 jmp 1_.00402968
……………………
00402968 > \6A 00 push 0
0040296A . FF75 E4 push dword ptr ss:[ebp-1C] ; mode flag, stack ss:[0012FF34]=00000001
0040296D . 8D85 D0FDFFFF lea eax,dword ptr ss:[ebp-230]
00402973 . 50 push eax ; path of this executable
00402974 . E8 77FAFFFF call 1_.004023F0 ; creates the randomly named .log file
00402979 . 8B45 E8 mov eax,dword ptr ss:[ebp-18] ; eax=1
0040297C . C9 leave
0040297D . C3 retn
The next call to look at would be 00402974 call 1_.004023F0, which creates the randomly named .log file.
Summary:
1. It decodes the pipe name "\\.\pipe\{D952F2D0-0BCE-4b2b-8FFF-2317F120FCC3}" and tries to open that named pipe, and walks the process list looking for RavMonD.exe, 360tray.exe and MPSVC.exe. None of these three security products is installed in the analysis environment, so the pipe open fails and execution continues with the operations below. It determines the Windows version and creates an Infotmp.txt file under C:\Documents and Settings\ or C:\Users\.
2. It takes a screenshot of the current window and saves it under C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ with a random name and a .log extension.
3. It opens the service control manager and walks through a number of system services, trying to replace (infect) their service DLLs so that the service starts the trojan code. If the SCM cannot be opened, it creates the service registry entries itself, drops the trojan DLLs into %System32% and uses the services to start them. After call 00401561 completes there are 14 trojan files of the same size (148 KB) with .tmp and .dll extensions: 7A540000.tmp, appmgmts.dll, HidServ.dll, Ias.dll, Iprip.dll, Irmon.dll, mspmsnsv.dll, Ntmssvc.dll, NWCWorkstation.dll, Nwsapagent.dll, pchsvc.dll, qmgr.dll, WmdmPmSp.dll and xmlprov.dll.
4. It checks the drive type with GetDriveTypeA. The analysis VM has a single fixed disk (DRIVE_FIXED) and only a C: drive, so the EXE-infection branch was not executed.
5. It tries to replace or create the following system services so that the trojan starts with the system:
appmgmts, HidServ, Ias, Iprip, Irmon, mspmsnsv, Ntmssvc, NWCWorkstation, Nwsapagent, pchsvc, qmgr, WmdmPmSp, xmlprov
The corresponding service DLLs, in the same order:
appmgmts.dll, HidServ.dll, Ias.dll, Iprip.dll, Irmon.dll, mspmsnsv.dll, Ntmssvc.dll, NWCWorkstation.dll, Nwsapagent.dll, pchsvc.dll, qmgr.dll, WmdmPmSp.dll, xmlprov.dll
All of these are svchost-hosted services on XP/2003, so on a suspected host the things to check are the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters and the file it points to (an unsigned or unexpectedly sized DLL under %System32% with one of the names above).