; Found some time to finish the application left over from last time. Load the product unpacked last time into OD and set breakpoints on the following functions:
TerminateProcess
SetWindowsHookExA
UnhookWindowsHookEx
MessageBoxA
lstrlenA
lstrcatA
GetWindowTextA
GetWindowThreadProcessId
CreateEventA
CreateFileA
CreateMutexA
CreateProcessA
CreateServiceA
CreateThread
CreateToolhelp32Snapshot
DeviceIoControl
fopen
; Once that is done, press F9. It breaks on lstrcatA, where you can see it concatenating strings, and right after that it writes the registry startup entry:
004019AB 68 80000000 push 80
004019B0 68 1E344000 push Rtvcan_u.0040341E ; ASCII "C:\WINNT\system32\Rtvcan.exe"
004019B5 E8 04050000 call <jmp.&KERNEL32.GetSystemDirecto>
004019BA 68 1E344000 push Rtvcan_u.0040341E ; ASCII "C:\WINNT\system32\Rtvcan.exe"
004019BF E8 2A050000 call <jmp.&KERNEL32.SetCurrentDirect>
004019C4 68 03344000 push Rtvcan_u.00403403 ; ASCII "\Rtvcan.exe"
004019C9 68 1E344000 push Rtvcan_u.0040341E ; ASCII "C:\WINNT\system32\Rtvcan.exe"
004019CE E8 3F050000 call <jmp.&KERNEL32.lstrcat> ; breaks here
004019D3 68 16344000 push Rtvcan_u.00403416

; One thing here is rather unreasonable: the path is hard-coded, so even if Rtvcan.exe is not in the system32 directory it will still write the entry this way.
; Scrolling further down the code you can see it opens the file \\.\Rtvcan. Here it does check the result, but because that driver has been stopped, it pops up an error dialog.
00401A42 68 3B214000 push Rtvcan_u.0040213B ; ASCII "\\.\Rtvcan"
00401A47 E8 0C040000 call <jmp.&KERNEL32.CreateFileA>
00401A4C A3 00304000 mov dword ptr ds:[403000],eax ; save the file handle
00401A51 83F8 FF cmp eax,-1
00401A54 75 0F jnz short Rtvcan_u.00401A65 ; jump if it did not fail

; To satisfy my curiosity about what it looks like when running, I started its driver (you can use KmdManager from 4F) and ran it, and surprisingly no window appeared at all.
; Ugh..
; Back to work:
00401A4C A3 00304000 mov dword ptr ds:[403000],eax ; save the file handle
00401A51 83F8 FF cmp eax,-1
00401A54 75 0F jnz short Rtvcan_u.00401A65
00401A56 E8 CDF5FFFF call Rtvcan_u.00401028
00401A5B E8 0FF6FFFF call Rtvcan_u.0040106F
00401A60 A3 00304000 mov dword ptr ds:[403000],eax
00401A65 833D 00304000 FF cmp dword ptr ds:[403000],-1 ; did opening the file fail?
00401A6C 0F84 2A010000 je Rtvcan_u.00401B9C
00401A72 6A 00 push 0
00401A74 6A 00 push 0
00401A76 6A 00 push 0
00401A78 6A 00 push 0
00401A7A E8 D3030000 call <jmp.&KERNEL32.CreateEventA>
00401A7F A3 04304000 mov dword ptr ds:[403004],eax ; save the event handle
00401A84 51 push ecx
00401A85 54 push esp
00401A86 6A 00 push 0
00401A88 FF35 04304000 push dword ptr ds:[403004] ; pass the event handle to the thread
00401A8E 68 FA184000 push Rtvcan_u.004018FA ; thread function
00401A93 6A 00 push 0
00401A95 6A 00 push 0
00401A97 E8 CE030000 call <jmp.&KERNEL32.CreateThread>
00401A9C 59 pop ecx
00401A9D 0BC0 or eax,eax
00401A9F 0F84 9B000000 je Rtvcan_u.00401B40
00401AA5 50 push eax
00401AA6 E8 A1030000 call <jmp.&KERNEL32.CloseHandle>
00401AAB 6A 00 push 0
00401AAD 8D45 FC lea eax,dword ptr ss:[ebp-4] ; DWORD dwReted
00401AB0 50 push eax ; push &dwReted
00401AB1 6A 00 push 0
00401AB3 6A 00 push 0
00401AB5 6A 04 push 4 ; buffer size
00401AB7 68 04304000 push Rtvcan_u.00403004 ; input buffer (holds the event handle)
00401ABC 68 00A02200 push 22A000 ; control code
00401AC1 FF35 00304000 push dword ptr ds:[403000]
00401AC7 E8 B0030000 call <jmp.&KERNEL32.DeviceIoControl>
00401ACC 0BC0 or eax,eax
00401ACE 74 5E je short Rtvcan_u.00401B2E
00401AD0 6A 00 push 0
00401AD2 E8 DB030000 call <jmp.&KERNEL32.GetModuleHandleA>
00401AD7 A3 08304000 mov dword ptr ds:[403008],eax ; this module
00401ADC E8 28F7FFFF call Rtvcan_u.00401209
00401AE1 6A 00 push 0
00401AE3 8D45 FC lea eax,dword ptr ss:[ebp-4]
00401AE6 50 push eax
00401AE7 6A 00 push 0
00401AE9 6A 00 push 0
00401AEB 6A 00 push 0
00401AED 6A 00 push 0
00401AEF 68 04202200 push 222004 ; control code
00401AF4 FF35 00304000 push dword ptr ds:[403000]
00401AFA E8 7D030000 call <jmp.&KERNEL32.DeviceIoControl>
; You can see that it creates a thread here, with the thread function at 004018FA. Now let's look at what it does inside that thread function:
004018FA 55 push ebp ; thread function
004018FB 8BEC mov ebp,esp
004018FD 83C4 F4 add esp,-0C
00401900 C745 F8 20030000 mov dword ptr ss:[ebp-8],320 ; allocate 0x320 bytes
00401907 FF75 F8 push dword ptr ss:[ebp-8]
0040190A E8 F1F6FFFF call Rtvcan_u.00401000 ; allocate memory
0040190F 0BC0 or eax,eax
00401911 0F84 83000000 je Rtvcan_u.0040199A ; exit the thread on failure
00401917 8945 FC mov dword ptr ss:[ebp-4],eax ; save the allocated memory
0040191A 6A FF push -1
0040191C FF75 08 push dword ptr ss:[ebp+8] ; wait on this event
0040191F E8 E8050000 call <jmp.&KERNEL32.WaitForSingleObject>; wait
00401924 83F8 FF cmp eax,-1
00401927 74 51 je short Rtvcan_u.0040197A
00401929 833D 14304000 01 cmp dword ptr ds:[403014],1 ; a flag
00401930 74 60 je short Rtvcan_u.00401992 ; exit if it equals 1
00401932 6A 64 push 64
00401934 E8 C7050000 call <jmp.&KERNEL32.Sleep> ; sleep 0x64 = 100 ms
00401939 6A 00 push 0
0040193B 8D45 F4 lea eax,dword ptr ss:[ebp-C] ; DWORD dwReted
0040193E 50 push eax ; push &dwReted
0040193F FF75 F8 push dword ptr ss:[ebp-8] ; buffer size
00401942 FF75 FC push dword ptr ss:[ebp-4] ; output buffer
00401945 6A 00 push 0
00401947 6A 00 push 0
00401949 68 08602200 push 226008 ; control code
0040194E FF35 00304000 push dword ptr ds:[403000] ; device handle
00401954 E8 23050000 call <jmp.&KERNEL32.DeviceIoControl>
00401959 0BC0 or eax,eax
0040195B 74 11 je short Rtvcan_u.0040196E
0040195D 837D F4 00 cmp dword ptr ss:[ebp-C],0 ; if the returned byte count is 0
00401961 74 0B je short Rtvcan_u.0040196E
00401963 FF75 F4 push dword ptr ss:[ebp-C] ; returned byte count
00401966 FF75 FC push dword ptr ss:[ebp-4] ; output buffer
00401969 E8 73FEFFFF call Rtvcan_u.004017E1
0040196E 68 84030000 push 384
00401973 E8 88050000 call <jmp.&KERNEL32.Sleep> ; sleep again (0x384 = 900 ms)
00401978 EB 16 jmp short Rtvcan_u.00401990
0040197A 6A 10 push 10
0040197C 6A 00 push 0
0040197E 68 46214000 push Rtvcan_u.00402146 ; ASCII "Wait failed. Thread now exits. Restart application."
00401983 FF35 0C304000 push dword ptr ds:[40300C]
00401989 E8 94040000 call <jmp.&USER32.MessageBoxA>
0040198E EB 02 jmp short Rtvcan_u.00401992
00401990 ^ EB 88 jmp short Rtvcan_u.0040191A ; loop again
00401992 FF75 FC push dword ptr ss:[ebp-4]
00401995 E8 7AF6FFFF call Rtvcan_u.00401014 ; free the memory
0040199A 6A 00 push 0
0040199C E8 E7040000 call <jmp.&KERNEL32.ExitThread>
004019A1 C9 leave
004019A2 C2 0400 retn 4

; Inside the thread it requests data from the driver through DeviceIoControl and then processes it further through the CALL at 00401969. In the code reached by the CALL 00401209 at 00401ADC, it first uses a mutex to ensure a single running instance, then registers F11 with RegisterHotKey, and then comes the hook: the hook function is at 0040127F, and it monitors the keyboard inside that function. Of course it also does other things, such as enumerating DLLs.
; Because this hook gets in the way, the call at 00401DAC has to be NOPed out. Continuing with F8, you will find that the DeviceIoControl call immediately after it fails, and debugging ends there. Besides what has been described above, it also creates a file and sends it, which was already covered last time.
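; An added example, not code from the original post: the three control codes seen in the listing (22A000, 222004 and 226008) can be decoded with the bit layout of the Windows CTL_CODE macro, which tells an analyst the device type, the vendor function number and the access each request needs. The buffer usage noted beside each code is taken from the listing above; the helper and field names are this example's own.

```python
# Added example (not from the original post): decode DeviceIoControl control
# codes into the fields of CTL_CODE(DeviceType, Function, Method, Access) and
# check that the access bits agree with how the caller uses its buffers.

FILE_DEVICE_UNKNOWN = 0x22
METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


def decode_ioctl(code):
    """Inverse of CTL_CODE: bits 31..16 device type, 15..14 access,
    13..2 function number, 1..0 transfer method."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
    }


def ctl_code(device_type, function, method, access):
    """Rebuild a control code from its fields (the CTL_CODE macro)."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# Control codes from the listing and the buffer direction each call uses:
# "in" = caller passes an input buffer, "out" = caller receives data.
OBSERVED = [
    (0x22A000, "in", "4-byte input buffer holding the event handle"),
    (0x222004, None, "no buffers"),
    (0x226008, "out", "0x320-byte output buffer filled by the driver"),
]


def access_matches_usage(code, direction):
    """True when the access field fits the buffer direction: sending data to
    the driver needs write access, receiving data needs read access, and a
    call with no buffers is consistent with FILE_ANY_ACCESS."""
    access = decode_ioctl(code)["access"]
    expected = {"in": "FILE_WRITE_ACCESS", "out": "FILE_READ_ACCESS",
                None: "FILE_ANY_ACCESS"}[direction]
    return access == expected


def summarize(observed=OBSERVED):
    """Return (code, decoded fields, is_vendor_function, consistent) rows.
    Function numbers 0x800 and above are reserved for third-party drivers."""
    return [(code, decode_ioctl(code), decode_ioctl(code)["function"] >= 0x800,
             access_matches_usage(code, direction)) for code, direction, _ in observed]


if __name__ == "__main__":
    for code, d, vendor, ok in summarize():
        print(f"0x{code:06X}: dev=0x{d['device_type']:02X} fn=0x{d['function']:X} "
              f"{d['method']} {d['access']} vendor={vendor} consistent={ok}")
```

All three codes decode to FILE_DEVICE_UNKNOWN with consecutive vendor functions 0x800, 0x801 and 0x802, and their access bits match the buffer directions in the listing, which supports reading them as "register event", "control" and "fetch captured data" requests.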

; Too tired, going to sleep.
Finally caught up: Rtvcan.exe