Generic WinUpack unpacking: the 韩天天堂 trojan

ZeTa gave me the server component of a 韩天天堂 trojan, said he had been infected with it, and asked me to take it apart and have a look.
Here goes, such as it is.

Loading it in OD (OllyDbg) stops at the following code:

00428F6D L> BE 88014000 mov esi,L.00400188
00428F72 AD lods dword ptr ds:[esi]
00428F73 8BF8 mov edi,eax
00428F75 95 xchg eax,ebp
00428F76 AD lods dword ptr ds:[esi]
00428F77 91 xchg eax,ecx

The code is not hard to analyze, but there is no need to step through it slowly either.
I have worked out a rule of thumb for locating the OEP in WinUpack:
just press CTRL+S and search for the instruction sequence
push esi
xchg eax,edi

That lands at the following code:

00429117 - 0F84 BBDFFDFF je L.004070D8
0042911D 56 push esi
0042911E 97 xchg eax,edi
0042911F FF53 FC call dword ptr ds:[ebx-4]
00429122 95 xchg eax,ebp
00429123 AC lods byte ptr ds:[esi]

See the je L.004070D8 right above it?
The target after the je is the OEP. Simple, isn't it?
Copy the OEP, press CTRL+G to jump to it,
then F4 to run to the OEP.

004070D8 55 db 55 ; CHAR 'U'
004070D9 8B db 8B
004070DA EC db EC
004070DB 83 db 83
004070DC C4 db C4
004070DD F0 db F0
004070DE B8 db B8
004070DF 68704000 dd L.00407068
004070E3 E8 db E8
004070E4 5C db 5C ; CHAR '\'


It all shows as data; no matter, press CTRL+A to analyze the code.
A typical Borland Delphi 6.0 - 7.0 entry point.
Dump it with LordPE and repair the import table with ImportREC.
Run it to see whether anything is wrong.......... and after launching, nothing happens at all.
Presumably a self-check.
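As an added illustration of the OEP rule above (my own example, not code from the original post): a small Python scanner that looks for the WinUpack stub signature (a je rel32 immediately followed by push esi / xchg eax,edi / call dword ptr [ebx-4]) in a dumped image, computes the je target, and checks that the bytes there match the Delphi 6/7 entry prologue. The byte strings and base addresses are constructed from the listings in the post.

```python
import struct
from typing import Optional

# Constructed from the post's listing at 00429117: je rel32 followed by
# push esi / xchg eax,edi / call dword ptr [ebx-4] / xchg eax,ebp / lods
STUB_VA = 0x00429117
STUB_BYTES = bytes.fromhex("0F84BBDFFDFF" "56" "97" "FF53FC" "95" "AC")

# Constructed from the post's listing at the OEP (004070D8).
OEP_VA = 0x004070D8
OEP_BYTES = bytes.fromhex("558BEC83C4F0B868704000E85C")

JE_REL32 = b"\x0f\x84"                   # je rel32 (6 bytes in total)
STUB_TAIL = bytes.fromhex("5697FF53FC")  # push esi; xchg eax,edi; call [ebx-4]
# push ebp; mov ebp,esp; add esp,-10; mov eax,imm32  (Borland Delphi 6/7 entry)
DELPHI_PROLOGUE = bytes.fromhex("558BEC83C4F0B8")


def find_winupack_oep(image: bytes, base_va: int) -> Optional[int]:
    """Locate the push esi / xchg eax,edi signature and return the target of
    the je that precedes it, which is the OEP for WinUpack stubs; None if absent."""
    pos = 0
    while True:
        pos = image.find(STUB_TAIL, pos)
        if pos < 0:
            return None
        je_off = pos - 6
        if je_off >= 0 and image[je_off:je_off + 2] == JE_REL32:
            rel32 = struct.unpack_from("<i", image, je_off + 2)[0]
            # Branch target = address of the next instruction + signed displacement.
            return base_va + je_off + 6 + rel32
        pos += 1


def looks_like_delphi_entry(code: bytes) -> bool:
    """True if the bytes start with the Delphi 6/7 prologue and the mov eax,imm32
    is followed by a call (E8), as in the post's OEP listing."""
    return code.startswith(DELPHI_PROLOGUE) and len(code) > 11 and code[11] == 0xE8


def delphi_init_table(code: bytes) -> int:
    """The imm32 loaded into eax by the prologue (00407068 in the post's dump)."""
    return struct.unpack_from("<I", code, 7)[0]


if __name__ == "__main__":
    oep = find_winupack_oep(STUB_BYTES, STUB_VA)
    print(f"OEP = {oep:08X}, Delphi entry: {looks_like_delphi_entry(OEP_BYTES)}")
```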

Now let's look at the self-check.
Load the dump in OD:

004070D8 d> $ 55 push ebp
004070D9 . 8BEC mov ebp,esp
004070DB . 83C4 F0 add esp,-10
004070DE . B8 68704000 mov eax,dumped_.00407068
004070E3 . E8 5CCDFFFF call dumped_.00403E44
004070E8 . E8 B3E9FFFF call dumped_.00405AA0
004070ED . E8 EAC3FFFF call dumped_.004034DC

Step into call dumped_.00405AA0:

00405AA0 /$ 55 push ebp
00405AA1 |. 8BEC mov ebp,esp
00405AA3 |. B9 0C000000 mov ecx,0C
00405AA8 |> 6A 00 /push 0
00405AAA |. 6A 00 |push 0
00405AAC |. 49 |dec ecx
00405AAD |.^ 75 F9 \jnz dumped_.00405AA8
00405AAF |. 51 push ecx
00405AB0 |. 53 push ebx

Put the cursor on 00405AB0
and press F4 to run past the loop at 00405AAD |.^ 75 F9 \jnz dumped_.00405AA8.
Below we see:

00405AC6 |> /E8 51120000 /call dumped_.00406D1C
00405ACB |. |A1 04814000 |mov eax,dword ptr ds:[408104]
00405AD0 |. |8B00 |mov eax,dword ptr ds:[eax]
00405AD2 |. |E8 6DDEFFFF |call dumped_.00403944
00405AD7 |. |50 |push eax ; /MapName
00405AD8 |. |68 FB100100 |push 110FB ; |MaximumSizeLow = 110FB
00405ADD |. |6A 00 |push 0 ; |MaximumSizeHigh = 0
00405ADF |. |6A 04 |push 4 ; |Protection = PAGE_READWRITE
00405AE1 |. |6A 00 |push 0 ; |pSecurity = NULL
00405AE3 |. |6A FF |push -1 ; |hFile = FFFFFFFF
00405AE5 |. |E8 46E4FFFF |call <jmp.&kernel32.CreateFileMa>; \CreateFileMappingA
00405AEA |. |A3 CC974000 |mov dword ptr ds:[4097CC],eax
00405AEF |. |6A 00 |push 0 ; /MapSize = 0
00405AF1 |. |6A 00 |push 0 ; |OffLow = 0
00405AF3 |. |6A 00 |push 0 ; |OffHigh = 0
00405AF5 |. |6A 06 |push 6 ; |AccessMode = 6
00405AF7 |. |A1 CC974000 |mov eax,dword ptr ds:[4097CC] ; |
00405AFC |. |50 |push eax ; |hMapObject => NULL
00405AFD |. |E8 36E5FFFF |call <jmp.&kernel32.MapViewOfFil>; \MapViewOfFile

Heh, the trojan opens its own file and gets ready to work on it.
Step into the call 00406D1C at 00405AC6
and look at the code below:
00406D55 . 6A 00 push 0 ; /pFileSizeHigh = NULL
00406D57 . 56 push esi ; |hFile
00406D58 . E8 53D2FFFF call <jmp.&kernel32.GetFileSize> ; \GetFileSize
00406D5D . 8945 FC mov dword ptr ss:[ebp-4],eax
00406D60 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
00406D63 . E8 20B7FFFF call dumped_.00402488
00406D68 . 8BD8 mov ebx,eax
00406D6A . 6A 00 push 0 ; /pOverlapped = NULL
00406D6C . 8D45 FC lea eax,dword ptr ss:[ebp-4] ; |
00406D6F . 50 push eax ; |pBytesRead
00406D70 . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
00406D73 . 50 push eax ; |BytesToRead
00406D74 . 53 push ebx ; |Buffer
00406D75 . 56 push esi ; |hFile
00406D76 . E8 D5D2FFFF call <jmp.&kernel32.ReadFile> ; \ReadFile

00406D9D .^\75 EF jnz dumped_.00406D8E
00406D9F > 8B55 FC mov edx,dword ptr ss:[ebp-4]
00406DA2 . 8BC3 mov eax,ebx
00406DA4 . E8 FFB6FFFF call dumped_.004024A8
00406DA9 . 56 push esi ; /hObject
00406DAA . E8 61D1FFFF call <jmp.&kernel32.CloseHandle> ; \CloseHandle
00406DAF . 817D F8 80000000 cmp dword ptr ss:[ebp-8],80
00406DB6 . 74 11 je dumped_.00406DC9
00406DB8 > 6A 00 push 0 ; /ExitCode = 0
00406DBA . E8 99D1FFFF call <jmp.&kernel32.ExitProcess> ; \ExitProcess
00406DBF .^\E9 73FFFFFF jmp dumped_.00406D37
00406DC4 . E8 13C7FFFF call dumped_.004034DC

Through the code above the trojan verifies its own size; if the size does not match the expected value, it calls ExitProcess.

Removing the self-check is simple too:

change the je 00406DC9 at 00406DB6 into an unconditional jump and that's it:
jmp 00406DC9

After patching, save it as an exe and you're done.

 


