某DDOS木马的一次分析 By HackWm[D.S.T]
【破文标题】某DDOS木马的一次分析.
【破文作者】HackWm[D.S.T]
【作者邮箱】 [email protected]
【作者主页】 [url]http://hackwm.blog.51cto.com[/url]
【破解工具】PEiD.OD
【破解平台】Windows XP SP2
【软件名称】某DDOS木马
【软件大小】29.5 KB
【原版下载】无
【保护方式】UPX
【软件简介】没啥好介绍的.
【破解声明】只为学习,毫无他意. 不对的地方还望高手指点.
------------------------------------------------------------------------
【破解过程】首先PEiD上场查出为UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]壳.ESP快速解决
【破文作者】HackWm[D.S.T]
【作者邮箱】 [email protected]
【作者主页】 [url]http://hackwm.blog.51cto.com[/url]
【破解工具】PEiD.OD
【破解平台】Windows XP SP2
【软件名称】某DDOS木马
【软件大小】29.5 KB
【原版下载】无
【保护方式】UPX
【软件简介】没啥好介绍的.
【破解声明】只为学习,毫无他意. 不对的地方还望高手指点.
------------------------------------------------------------------------
【破解过程】首先PEiD上场查出为UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]壳.ESP快速解决
继续OD上场,查找下字符串看看吧,一查还真发现了.里面有注册表的路径.那就进下下段吧.省得慢慢跟.
>>>>>>>>>>>>>>>>>进来后如下这里应该是判断自身路径.继续慢慢跟.<<<<<<<<<<<<<<<<<<<<
00401070 /$ 81EC 0C020000 sub esp, 20C
00401076 |. 8D4424 04 lea eax, dword ptr [esp+4]
0040107A |. 53 push ebx
0040107B |. 56 push esi
0040107C |. 57 push edi
0040107D |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401082 |. 50 push eax ; |Buffer
00401083 |. FF15 40604000 call dword ptr [<&kernel32.GetSystemD>; \GetSystemDirectoryA
00401089 |. BF B4704000 mov edi, 004070B4 ; ASCII "\mstscs.exe"
0040108E |. 83C9 FF or ecx, FFFFFFFF
00401091 |. 33C0 xor eax, eax
00401093 |. 8D5424 10 lea edx, dword ptr [esp+10]
00401097 |. F2:AE repne scas byte ptr es:[edi]
00401099 |. F7D1 not ecx
0040109B |. 2BF9 sub edi, ecx
00401070 /$ 81EC 0C020000 sub esp, 20C
00401076 |. 8D4424 04 lea eax, dword ptr [esp+4]
0040107A |. 53 push ebx
0040107B |. 56 push esi
0040107C |. 57 push edi
0040107D |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401082 |. 50 push eax ; |Buffer
00401083 |. FF15 40604000 call dword ptr [<&kernel32.GetSystemD>; \GetSystemDirectoryA
00401089 |. BF B4704000 mov edi, 004070B4 ; ASCII "\mstscs.exe"
0040108E |. 83C9 FF or ecx, FFFFFFFF
00401091 |. 33C0 xor eax, eax
00401093 |. 8D5424 10 lea edx, dword ptr [esp+10]
00401097 |. F2:AE repne scas byte ptr es:[edi]
00401099 |. F7D1 not ecx
0040109B |. 2BF9 sub edi, ecx
>>>>>>>>>>>如下应该是对注册表的检测是否有了.没有写写入<<<<<<<<<<<<
004010D2 |. 8D9424 180100>lea edx, dword ptr [esp+118] ; |
004010D9 |. 51 push ecx ; |NewFileName
004010DA |. 52 push edx ; |ExistingFileName
004010DB |. FF15 68604000 call dword ptr [<&kernel32.CopyFileA>>; \CopyFileA
004010E1 |. 8D4424 0C lea eax, dword ptr [esp+C]
004010E5 |. 50 push eax ; /pHandle
004010E6 |. 68 74704000 push 00407074 ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
004010EB |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004010F0 |. FF15 08604000 call dword ptr [<&advapi32.RegCreateK>; \RegCreateKeyA
004010F6 |. 8B35 0C604000 mov esi, dword ptr [<&advapi32.RegSe>; advapi32.RegSetValueExA
004010FC |. 8B3D 6C604000 mov edi, dword ptr [<&kernel32.lstrl>; kernel32.lstrlenA
00401102 |. 8B1D 10604000 mov ebx, dword ptr [<&advapi32.RegCl>; advapi32.RegCloseKey
00401108 |. 85C0 test eax, eax
0040110A |. 75 24 jnz short 00401130
0040110C |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00401110 |. 51 push ecx ; /String
00401111 |. FFD7 call edi ; \lstrlenA
00401113 |. 8D5424 10 lea edx, dword ptr [esp+10]
004010D2 |. 8D9424 180100>lea edx, dword ptr [esp+118] ; |
004010D9 |. 51 push ecx ; |NewFileName
004010DA |. 52 push edx ; |ExistingFileName
004010DB |. FF15 68604000 call dword ptr [<&kernel32.CopyFileA>>; \CopyFileA
004010E1 |. 8D4424 0C lea eax, dword ptr [esp+C]
004010E5 |. 50 push eax ; /pHandle
004010E6 |. 68 74704000 push 00407074 ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
004010EB |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004010F0 |. FF15 08604000 call dword ptr [<&advapi32.RegCreateK>; \RegCreateKeyA
004010F6 |. 8B35 0C604000 mov esi, dword ptr [<&advapi32.RegSe>; advapi32.RegSetValueExA
004010FC |. 8B3D 6C604000 mov edi, dword ptr [<&kernel32.lstrl>; kernel32.lstrlenA
00401102 |. 8B1D 10604000 mov ebx, dword ptr [<&advapi32.RegCl>; advapi32.RegCloseKey
00401108 |. 85C0 test eax, eax
0040110A |. 75 24 jnz short 00401130
0040110C |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00401110 |. 51 push ecx ; /String
00401111 |. FFD7 call edi ; \lstrlenA
00401113 |. 8D5424 10 lea edx, dword ptr [esp+10]
>>>>>>>>>>>>>>>>>>>>>>开始写了发现项名字<<<<<<<<<<<<<<<<<<<<<<<
00401117 |. 50 push eax ; /BufSize
00401118 |. 8B4424 10 mov eax, dword ptr [esp+10] ; |
0040111C |. 52 push edx ; |Buffer
0040111D |. 6A 01 push 1 ; |ValueType = REG_SZ
0040111F |. 6A 00 push 0 ; |Reserved = 0
00401121 |. 68 68704000 push 00407068 ; |ValueName = "IAMAPP32"
00401126 |. 50 push eax ; |hKey
00401127 |. FFD6 call esi ; \RegSetValueExA
00401129 |. 8B4C24 0C mov ecx, dword ptr [esp+C]
0040112D |. 51 push ecx ; /hKey
0040112E |. FFD3 call ebx ; \RegCloseKey
00401130 |> 8D5424 0C lea edx, dword ptr [esp+C]
00401117 |. 50 push eax ; /BufSize
00401118 |. 8B4424 10 mov eax, dword ptr [esp+10] ; |
0040111C |. 52 push edx ; |Buffer
0040111D |. 6A 01 push 1 ; |ValueType = REG_SZ
0040111F |. 6A 00 push 0 ; |Reserved = 0
00401121 |. 68 68704000 push 00407068 ; |ValueName = "IAMAPP32"
00401126 |. 50 push eax ; |hKey
00401127 |. FFD6 call esi ; \RegSetValueExA
00401129 |. 8B4C24 0C mov ecx, dword ptr [esp+C]
0040112D |. 51 push ecx ; /hKey
0040112E |. FFD3 call ebx ; \RegCloseKey
00401130 |> 8D5424 0C lea edx, dword ptr [esp+C]
>>>>>>>>>>>>>>>>>>>写也写了屁股也擦了居然又写了一处,和上处一样手段<<<<<<<<<<<<<<<<<<<<
00401130 |> \8D5424 0C lea edx, dword ptr [esp+C]
00401134 |. 52 push edx ; /pHandle
00401135 |. 68 38704000 push 00407038 ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Run"
0040113A |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0040113F |. FF15 14604000 call dword ptr [<&advapi32.RegOpenKey>; \RegOpenKeyA
00401145 |. 85C0 test eax, eax
00401147 |. 75 24 jnz short 0040116D
00401149 |. 8D4424 10 lea eax, dword ptr [esp+10]
0040114D |. 50 push eax
0040114E |. FFD7 call edi
00401150 |. 8B5424 0C mov edx, dword ptr [esp+C]
00401154 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00401158 |. 50 push eax
00401130 |> \8D5424 0C lea edx, dword ptr [esp+C]
00401134 |. 52 push edx ; /pHandle
00401135 |. 68 38704000 push 00407038 ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Run"
0040113A |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0040113F |. FF15 14604000 call dword ptr [<&advapi32.RegOpenKey>; \RegOpenKeyA
00401145 |. 85C0 test eax, eax
00401147 |. 75 24 jnz short 0040116D
00401149 |. 8D4424 10 lea eax, dword ptr [esp+10]
0040114D |. 50 push eax
0040114E |. FFD7 call edi
00401150 |. 8B5424 0C mov edx, dword ptr [esp+C]
00401154 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00401158 |. 50 push eax
之后就一个retn返回了.继续跟了几步发现一个DLL文件出现.
看来木马功夫都下在DLL上了.EXE是个托.之后就把DLL文件插入进程.随之结束.
DLL文件的事就是攻击的时候发挥作用..还有就是插了进程对系统会导致不稳定..
------------------------------------------------------------------------
【破解总结】写注册表达到自启动,在系统目录生成一个mstscex.dll文件和mstscs.exe文件.
自定义插进程.
------------------------------------------------------------------------
【破解总结】写注册表达到自启动,在系统目录生成一个mstscex.dll文件和mstscs.exe文件.
自定义插进程.
清除方法将注册表和系统目录里的文件删除即可..
第一次对木马做分析不知道分析的对不.希望大牛指点.
------------------------------------------------------------------------
【版权声明】转载注目出处.
------------------------------------------------------------------------
【版权声明】转载注目出处.