分类: 网络与安全

2008-06-28 02:06:27

最近在分析一只盗号木马,程序运行完之后当然要实现自删除了。和很多木马一样用的是BAT文件方法。
记下来, 备忘吧。
------------------------------------------------
rem Reconstructed self-delete script dropped by the trojan; the disassembly below writes it line by line.
rem "C:\trojan.exe" is presumably a placeholder for the trojan's own launch command line (GetCommandLineA), quotes included.
:try
rem Busy-loop until the running executable can be deleted, i.e. until the trojan process has exited.
del "C:\trojan.exe"
rem No space before "goto": the binary concatenates the command line and "goto try" directly,
rem so this line only parses because the command line's closing quote ends the filename token.
if exist "C:\trojan.exe"goto try
rem %0 is this batch file's own path; deleting it as the last command removes the dropper artefact.
del %0
------------------------------------------------

还有,贴上生成这个BAT文件并运行它的反汇编(32位 Win32 代码,Intel 语法)。


; -----------------------------------------------------------------------------
; sub_0040216C -- drop and launch the self-delete batch file
; Win32 x86, Intel syntax (debugger listing). Reads no arguments from the caller's stack.
; Effect: creates "$dhu8jnvhx.bat" (path prefix supplied by helper 00401B2C) containing
;   :try / del <own cmdline> / if exist <own cmdline>goto try / del %0
; and runs it through CreateProcessA with a hidden window, then returns without waiting.
; The batch's del loop can only finish once this process has exited.
; Frame (offsets from esp after the 0x264 adjustment; every access below agrees):
;   [0]    scratch dword, used as lpNumberOfBytesWritten
;   [4]    PROCESS_INFORMATION (hProcess, hThread)
;   [14]   STARTUPINFOA, 0x44 bytes
;   [58]   path buffer (.bat path)
;   [15D]  line buffer, 0x107 bytes up to the saved registers / return address
; Review notes: CreateFileA/WriteFile results are never checked; GetCommandLineA is
;   strcat'ed into the fixed line buffer twice with no bound; the .bat is left on disk
;   if CreateProcessA fails.
; -----------------------------------------------------------------------------
0040216C >/$ 53 push ebx ; callee-saved; ebx will hold the .bat file handle
0040216D |. 56 push esi ; callee-saved; esi will point at the line buffer
0040216E |. 81C4 9CFDFFFF add esp, -264 ; reserve 0x264 bytes of locals (layout in header)
00402174 |. 8DB424 5D0100>lea esi, dword ptr [esp+15D] ; esi -> line buffer (0x107 bytes before the saved regs)
0040217B |. 8D4424 58 lea eax, dword ptr [esp+58] ; eax -> path buffer
0040217F |. E8 A8F9FFFF call 00401B2C ; unidentified helper: fills the path buffer, returns a length in eax (presumably a directory path - confirm)
00402184 |. C64404 58 00 mov byte ptr [esp+eax+58], 0 ; NUL-terminate at the returned length; the dropper logic starts here
00402189 |. BA 08234000 mov edx, 00402308 ; ASCII "$dhu8jnvhx.bat" -- hard-coded dropped file name, a usable IOC
0040218E |. 8D4424 58 lea eax, dword ptr [esp+58] ; eax -> path buffer
00402192 |. E8 2DF3FFFF call <strcat(eax, edx)> ; path += "$dhu8jnvhx.bat"; no separator is added, so the helper must already end the path with '\' (confirm)
00402197 |. E8 E0F4FFFF call <这个叼毛函数到底 有什么用?> ; unidentified helper (analyst's label kept); called again at 004022B1, purpose not established
0040219C |. 6A 00 push 0 ; /hTemplateFile = NULL
0040219E |. 68 80000000 push 80 ; |Attributes = NORMAL
004021A3 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS -- overwrites/truncates any existing file of that name
004021A5 |. 6A 00 push 0 ; |pSecurity = NULL
004021A7 |. 6A 00 push 0 ; |ShareMode = 0 (exclusive while the handle is open)
004021A9 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004021AE |. 8D4424 70 lea eax, dword ptr [esp+70] ; |&path buffer (frame [esp+58] after 6 pushes)
004021B2 |. 50 push eax ; |FileName
004021B3 |. E8 68EFFFFF call <jmp.&kernel32.CreateFileA> ; \CreateFileA
004021B8 |. 8BD8 mov ebx, eax ; ebx = hFile; never compared with INVALID_HANDLE_VALUE, so a failed open still reaches WriteFile/CreateProcessA below
004021BA |. 6A 02 push 2 ; /Origin = FILE_END -- redundant: CREATE_ALWAYS just emptied the file
004021BC |. 6A 00 push 0 ; |pOffsetHi = NULL
004021BE |. 6A 00 push 0 ; |OffsetLo = 0
004021C0 |. 53 push ebx ; |hFile
004021C1 |. E8 52F0FFFF call <jmp.&kernel32.SetFilePointer> ; \SetFilePointer
004021C6 |. 890424 mov dword ptr [esp], eax ; park the result in the scratch dword; that slot is reused as lpNumberOfBytesWritten below
004021C9 |. C606 3A mov byte ptr [esi], 3A ; ':'  -- build ":try\r\n" byte by byte (avoids a visible string constant)
004021CC |. C646 01 74 mov byte ptr [esi+1], 74 ; 't'
004021D0 |. C646 02 72 mov byte ptr [esi+2], 72 ; 'r'
004021D4 |. C646 03 79 mov byte ptr [esi+3], 79 ; 'y'
004021D8 |. C646 04 0D mov byte ptr [esi+4], 0D ; CR
004021DC |. C646 05 0A mov byte ptr [esi+5], 0A ; LF
004021E0 |. C646 06 00 mov byte ptr [esi+6], 0 ; NUL
004021E4 |. 6A 00 push 0 ; /pOverlapped = NULL
004021E6 |. 8D4424 04 lea eax, dword ptr [esp+4] ; |&scratch dword (frame [esp] shifted by the push)
004021EA |. 50 push eax ; |pBytesWritten
004021EB |. 8BC6 mov eax, esi ; |
004021ED |. E8 4AF2FFFF call <返回字符串长度> ; |strlen(esi)
004021F2 |. 50 push eax ; |nBytesToWrite
004021F3 |. 56 push esi ; |Buffer
004021F4 |. 53 push ebx ; |hFile
004021F5 |. E8 56F0FFFF call <jmp.&kernel32.WriteFile> ; \WriteFile -- line 1 ":try"; result unchecked
004021FA |. C606 64 mov byte ptr [esi], 64 ; 'd'  -- build "del " byte by byte
004021FD |. C646 01 65 mov byte ptr [esi+1], 65 ; 'e'
00402201 |. C646 02 6C mov byte ptr [esi+2], 6C ; 'l'
00402205 |. C646 03 20 mov byte ptr [esi+3], 20 ; ' '
00402209 |. C646 04 00 mov byte ptr [esi+4], 0 ; NUL
0040220D |. E8 56EFFFFF call <jmp.&kernel32.GetCommandLineA> ; [GetCommandLineA -- own launch command line, quotes and any arguments included
00402212 |. 8BD0 mov edx, eax
00402214 |. 8BC6 mov eax, esi
00402216 |. E8 A9F2FFFF call <strcat(eax, edx)> ; line += cmdline; no bound against the 0x107-byte buffer, a long command line overflows the frame
0040221B |. BA 18234000 mov edx, 00402318 ; ASCII CR,LF
00402220 |. 8BC6 mov eax, esi
00402222 |. E8 9DF2FFFF call <strcat(eax, edx)> ; line += "\r\n"
00402227 |. 6A 00 push 0 ; /pOverlapped = NULL
00402229 |. 8D4424 04 lea eax, dword ptr [esp+4] ; |&scratch dword
0040222D |. 50 push eax ; |pBytesWritten
0040222E |. 8BC6 mov eax, esi ; |
00402230 |. E8 07F2FFFF call <返回字符串长度> ; |strlen(esi)
00402235 |. 50 push eax ; |nBytesToWrite
00402236 |. 56 push esi ; |Buffer
00402237 |. 53 push ebx ; |hFile
00402238 |. E8 13F0FFFF call <jmp.&kernel32.WriteFile> ; \WriteFile -- line 2 "del <cmdline>"; result unchecked
0040223D |. BA 1C234000 mov edx, 0040231C ; ASCII "if exist "
00402242 |. 8BC6 mov eax, esi
00402244 |. E8 1FF2FFFF call <strcpy(eax, edx)> ; line = "if exist "
00402249 |. E8 1AEFFFFF call <jmp.&kernel32.GetCommandLineA> ; [GetCommandLineA
0040224E |. 8BD0 mov edx, eax
00402250 |. 8BC6 mov eax, esi
00402252 |. E8 6DF2FFFF call <strcat(eax, edx)> ; line += cmdline (same unbounded copy as above)
00402257 |. BA 28234000 mov edx, 00402328 ; ASCII "goto try",CR,LF
0040225C |. 8BC6 mov eax, esi
0040225E |. E8 61F2FFFF call <strcat(eax, edx)> ; appended with NO space: 'if exist "x.exe"goto try' parses only because the cmdline's closing quote ends the token; an unquoted launch path would presumably break the loop
00402263 |. 6A 00 push 0 ; /pOverlapped = NULL
00402265 |. 8D4424 04 lea eax, dword ptr [esp+4] ; |&scratch dword
00402269 |. 50 push eax ; |pBytesWritten
0040226A |. 8BC6 mov eax, esi ; |
0040226C |. E8 CBF1FFFF call <返回字符串长度> ; |strlen(esi)
00402271 |. 50 push eax ; |nBytesToWrite
00402272 |. 56 push esi ; |Buffer
00402273 |. 53 push ebx ; |hFile
00402274 |. E8 D7EFFFFF call <jmp.&kernel32.WriteFile> ; \WriteFile -- line 3 "if exist <cmdline>goto try"; result unchecked
00402279 |. BA 34234000 mov edx, 00402334 ; ASCII "del %0" -- no CR,LF: final line, the batch deletes itself
0040227E |. 8BC6 mov eax, esi
00402280 |. E8 E3F1FFFF call <strcpy(eax, edx)> ; line = "del %0"
00402285 |. 6A 00 push 0 ; /pOverlapped = NULL
00402287 |. 8D4424 04 lea eax, dword ptr [esp+4] ; |&scratch dword
0040228B |. 50 push eax ; |pBytesWritten
0040228C |. 8BC6 mov eax, esi ; |
0040228E |. E8 A9F1FFFF call <返回字符串长度> ; |strlen(esi)
00402293 |. 50 push eax ; |nBytesToWrite
00402294 |. 56 push esi ; |Buffer
00402295 |. 53 push ebx ; |hFile
00402296 |. E8 B5EFFFFF call <jmp.&kernel32.WriteFile> ; \WriteFile -- line 4 "del %0"; result unchecked
0040229B |. 53 push ebx ; /hObject = hFile
0040229C |. E8 77EEFFFF call <jmp.&kernel32.CloseHandle> ; \CloseHandle -- .bat is now complete on disk
004022A1 |. 8D4424 14 lea eax, dword ptr [esp+14] ; eax -> STARTUPINFOA
004022A5 |. 33C9 xor ecx, ecx ; fill byte 0
004022A7 |. BA 44000000 mov edx, 44 ; 0x44 == sizeof(STARTUPINFOA)
004022AC |. E8 A3FEFFFF call 00402154 ; looks like memset(&si, 0, 0x44) -- confirm 00402154 is a fill routine; note si.cb is never set
004022B1 |. E8 C6F3FFFF call <这个叼毛函数到底 有什么用?> ; second call of the unidentified helper
004022B6 |. C74424 40 010>mov dword ptr [esp+40], 1 ; si.dwFlags (si+0x2C) = STARTF_USESHOWWINDOW
004022BE |. 66:C74424 44 >mov word ptr [esp+44], 0 ; si.wShowWindow (si+0x30) = SW_HIDE -- the cmd.exe window never appears
004022C5 |. 8D4424 04 lea eax, dword ptr [esp+4] ; run the .bat written above; eax -> PROCESS_INFORMATION
004022C9 |. 50 push eax ; /pProcessInfo
004022CA |. 8D4424 18 lea eax, dword ptr [esp+18] ; |&si (frame [esp+14] after one push)
004022CE |. 50 push eax ; |pStartupInfo
004022CF |. 6A 00 push 0 ; |CurrentDir = NULL
004022D1 |. 6A 00 push 0 ; |pEnvironment = NULL
004022D3 |. 6A 40 push 40 ; |CreationFlags = IDLE_PRIORITY_CLASS
004022D5 |. 6A 00 push 0 ; |InheritHandles = FALSE
004022D7 |. 6A 00 push 0 ; |pThreadSecurity = NULL
004022D9 |. 6A 00 push 0 ; |pProcessSecurity = NULL
004022DB |. 8D4424 78 lea eax, dword ptr [esp+78] ; |&path buffer (frame [esp+58] after 8 pushes) = the .bat path
004022DF |. 50 push eax ; |CommandLine -- .bat path unquoted; with ModuleFileName = NULL, CreateProcess launches cmd.exe for .bat files and a path containing spaces is subject to its ambiguous splitting
004022E0 |. 6A 00 push 0 ; |ModuleFileName = NULL
004022E2 |. E8 49EEFFFF call <jmp.&kernel32.CreateProcessA> ; \CreateProcessA
004022E7 |. 85C0 test eax, eax ; CreateProcessA failed?
004022E9 |. 74 14 je short 004022FF ; on failure: no retry, no cleanup -- the .bat stays on disk (forensic artefact)
004022EB |. 8B4424 08 mov eax, dword ptr [esp+8] ; pi.hThread
004022EF |. 50 push eax ; /hObject
004022F0 |. E8 23EEFFFF call <jmp.&kernel32.CloseHandle> ; \CloseHandle
004022F5 |. 8B4424 04 mov eax, dword ptr [esp+4] ; pi.hProcess -- closed without waiting; the batch loop relies on this process exiting soon
004022F9 |. 50 push eax ; /hObject
004022FA |. E8 19EEFFFF call <jmp.&kernel32.CloseHandle>           ; \CloseHandle
004022FF |> 81C4 64020000 add esp, 264 ; release the 0x264-byte frame
00402305 |. 5E pop esi
00402306 |. 5B pop ebx
00402307 \. C3 retn ; eax is not a meaningful status: 0 from CreateProcessA on the failure path, else the last CloseHandle result
