【文章标题】分析盗窃某游戏的帐号和密码的小木马
【文章作者】ZzAge[LCG]
【文章目标】某游戏木马
【相关工具】ollydbg
【作者 Q Q】85400516
【作者邮箱】[email protected]
【作者主页】http://hi.baidu.com/zzage
此木马被执行后拷贝自身到系统目录system32下并执行此木马，通过批处理执行自删除，该木马通过创建服务项，使得计算机每次重启后,都运行此木马.把释放的到系统目录下的DLL插入到IE进程.然后修改系统时间,导致某些杀软软件失效~枚举当前进程是否存在杀毒软件等安全软件,如果存在就强制结束进程,然后镜像劫持一大串杀毒软件等安全软件,注册表,任务管理器等....
01）.004015AB > 55 PUSH EBP //入口处

02）..004015AC 8BEC MOV EBP,ESP

03）..004015AE 81EC 48020000 SUB ESP,248

04）..004015B4 E8 E8FEFFFF CALL 21.004014A1

05）..004015B9 85C0 TEST EAX,EAX

06）..004015BB 74 68 JE SHORT 21.00401625 //这里跳向00401625！请下图！

07）..004015BD 68 04010000 PUSH 104

08）..004015C2 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]

09）..004015C8 50 PUSH EAX

10）..004015C9 FF15 68204000 CALL DWORD PTR DS:[<&KERNEL32.GetSystemD>; kernel32.GetSystemDirectoryA

11）..004015CF FF15 4C204000 CALL DWORD PTR DS:[<&KERNEL32.GetTickCou>; kernel32.GetTickCount

12）..004015D5 50 PUSH EAX

13）..004015D6 8D85 BCFEFFFF LEA EAX,DWORD PTR SS:[EBP-144]

14）..004015DC 68 A8214000 PUSH 21.004021A8 ; ASCII "\%d.dll"

15）..004015E1 50 PUSH EAX

16）..004015E2 FF15 A0204000 CALL DWORD PTR DS:[<&USER32.wsprintfA>] ; USER32.wsprintfA

17）..004015E8 83C4 0C ADD ESP,0C

18）..004015EB 8D85 BCFEFFFF LEA EAX,DWORD PTR SS:[EBP-144]

19）..004015F1 50 PUSH EAX
一：
开始把木马复制到系统目录，并重命名为DnfServer.exe

二：
创建一项新的服务，并启动服务！

三：
在临时文件夹创建一个批处理文件，写入自删除命令，并运行！


四：
以资源释放的方法把木马的DLL释放到系统目录下!

五：
查找注册表，获取IE的路径！为插入IE做好准备！


到这里,整个木马的EXE程序的工作流程就基本完成了！

接下来看看木马释放出来的DLL文件！


一 ：
01）.

02）.100011C0 >/$ 837C24 08 01 cmp dword ptr [esp+8], 1

03）.100011C5 |. 75 31 jnz short 100011F8

04）.100011C7 |. 8B4424 04 mov eax, dword ptr [esp+4]

05）.100011CB |. A3 FC530010 mov dword ptr [100053FC], eax

06）.100011D0 |. A1 10600010 mov eax, dword ptr [10006010]

07）.100011D5 |. 85C0 test eax, eax

08）.100011D7 |. 75 1F jnz short 100011F8

09）.100011D9 |. 6A 00 push 0 ; /pThreadId = NULL

10）.100011DB |. 6A 00 push 0 ; |CreationFlags = 0

11）.100011DD |. 6A 00 push 0 ; |pThreadParm = NULL

12）.100011DF |. 68 20110010 push 10001120 ; |ThreadFunction = eq.10001120

13）.100011E4 |. 6A 00 push 0 ; |StackSize = 0

14）.100011E6 |. 6A 00 push 0 ; |pSecurity = NULL

15）.100011E8 |. C705 10600010>mov dword ptr [10006010], 1 ; |

16）.100011F2 |. FF15 C0300010 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread

17）.100011F8 |> B8 01000000 mov eax, 1

18）.100011FD \. C2 0C00 retn 0C
创建一个新的线程！直接去到10001120去看一下是什么东西！
01.

02）.10001120 . E8 DBFEFFFF call 10001000

03）.10001125 . 85C0 test eax, eax

04）.10001127 . 74 0D je short 10001136

05）.10001129 . E8 D2FEFFFF call 10001000

06）.1000112E . 6A 00 push 0 ; /ExitCode = 0

07）.10001130 . FF15 E4300010 call dword ptr [<&KERNEL32.ExitProces>; \ExitProcess

08）.10001136 > A1 0C600010 mov eax, dword ptr [1000600C]

09）.1000113B . 85C0 test eax, eax

10）.1000113D . 74 05 je short 10001144

11）.1000113F . E8 5C0B0000 call 10001CA0

12）.10001144 > E8 B7FEFFFF call 10001000

13）.10001149 . 6A 04 push 4 ; /Style = MB_YESNO|MB_APPLMODAL

14）.1000114B . 68 88310010 push 10003188 ; |Title = "新起点?,A4,"",D7,"",F7,"室"

15）.10001150 . 68 98310010 push 10003198 ; |Text = "本软件用于?,B0,"",BB,"赜蜗",B7,"账号?,AC,"具有?,BB,"",B6,"",A8,"的危险性?,AC,"您?,B7,"信要继续运行吗？"

16）.10001155 . 6A 00 push 0 ; |hOwner = NULL

17）.10001157 . FF15 0C310010 call dword ptr [<&USER32.MessageBoxA>>; \MessageBoxA

18）.1000115D . 83F8 06 cmp eax, 6

19）.10001160 . 74 08 je short 1000116A

20）.10001162 . 6A 00 push 0 ; /ExitCode = 0

21）.10001164 . FF15 E4300010 call dword ptr [<&KERNEL32.ExitProces>; \ExitProcess

22）.1000116A > A1 00600010 mov eax, dword ptr [10006000]

23）.1000116F . 56 push esi

24）.10001170 . 8B35 C0300010 mov esi, dword ptr [<&KERNEL32.Creat>; KERNEL32.CreateThread

25）.10001176 . 6A 00 push 0 ; /pThreadId = NULL

26）.10001178 . 6A 00 push 0 ; |CreationFlags = 0

27）.1000117A . 50 push eax ; |pThreadParm => 00000001

28）.1000117B . 68 00200010 push 10002000 ; |ThreadFunction = eq.10002000

29）.10001180 . 6A 00 push 0 ; |StackSize = 0

30）.10001182 . 6A 00 push 0 ; |pSecurity = NULL

31）.10001184 . FFD6 call esi ; \CreateThread

32）.10001186 . A1 08600010 mov eax, dword ptr [10006008]

33）.1000118B . 85C0 test eax, eax

34）.1000118D . 74 11 je short 100011A0

35）.1000118F . 6A 00 push 0 ; /pThreadId = NULL

36）.10001191 . 6A 00 push 0 ; |CreationFlags = 0

37）.10001193 . 6A 00 push 0 ; |pThreadParm = NULL

38）.10001195 . 68 F01D0010 push 10001DF0 ; |ThreadFunction = eq.10001DF0

39）.1000119A . 6A 00 push 0 ; |StackSize = 0

40）.1000119C . 6A 00 push 0 ; |pSecurity = NULL

41）.1000119E . FFD6 call esi ; \CreateThread

42）.100011A0 > 6A 00 push 0

43）.100011A2 . 6A 00 push 0

44）.100011A4 . 6A 00 push 0

45）.100011A6 . 68 00170010 push 10001700

46）.100011AB . 6A 00 push 0

47）.100011AD . 6A 00 push 0

48）.100011AF . FFD6 call esi

49）.100011B1 . 33C0 xor eax, eax

50）.100011B3 . 5E pop esi

51）.100011B4 . C2 0400 retn 4

以资源释放的方法把驱动文件释放到系统目录下！再往下看！
10002061 . E8 5A030000 call 100023C0 //这个CALL进去看看！

使用CreateFile来打开设备驱动程序

首先,把木马的EXE程序再入ollydbg里面. \\.\Khelper_prochook 为设备路径

通过SCM加载驱动！

调用SeSystemtimePrivilege特权更改系统时间（过主动？）

很邪恶的驱动与杀毒之间的屠杀...不晓得谁先杀谁！哈哈

谢谢分享