
浅谈白利用三

前面所说的导入表 DLL 劫持,其实还是可以被检测出来:杀软通过扫描可执行 EXE 文件的导入表,就可以知道该程序会用到哪些 DLL。下面要说的是更为隐蔽的方法:白程序内部通过 LoadLibrary 动态加载 DLL,而木马通过劫持这个 DLL 来达到白利用的目的。举个例子:

MD5为E07CF32207C7BD95AA04A982755CDFA8,貌似是联想的程序。

; Start of WinMain (IDA listing, MSVC x86; the tail of the function is cut off below).
; Only the initialisation that leads up to the enlpu32.dll load is shown.
; Security (defender note): two different load styles appear here — a bare-name
; LoadLibraryA("wtsapi32.dll"), which the loader resolves through its DLL search order,
; and sub_403EC0("enlpu32.dll"), which builds an absolute path inside the EXE's own
; directory. Both are loads the EXE's import table does not reveal.
.text:00404190                 push    ebp
.text:00404191                 mov     ebp, esp
.text:00404193                 sub     esp, 43Ch               ; 0x43C bytes of locals
.text:00404199                 mov     eax, dword_42546C       ; presumably the MSVC /GS stack cookie
.text:0040419E                 xor     eax, ebp
.text:004041A0                 mov     [ebp+var_48], eax       ; cookie stored for the epilogue check
.text:004041A3                 push    esi
.text:004041A4                 mov     [ebp+var_198], 0        ; zero var_198 and the 0x10F bytes after it
.text:004041AB                 push    10Fh            ; size_t
.text:004041B0                 push    0               ; int
.text:004041B2                 lea     eax, [ebp+var_197]
.text:004041B8                 push    eax             ; void *
.text:004041B9                 call    _memset
.text:004041BE                 add     esp, 0Ch
.text:004041C1                 mov     [ebp+Param], 0          ; zero Param and a 0x24C-byte block (IDA name: TimerQueue)
.text:004041CB                 push    24Ch            ; size_t
.text:004041D0                 push    0               ; int
.text:004041D2                 lea     ecx, [ebp+TimerQueue]
.text:004041D8                 push    ecx             ; void *
.text:004041D9                 call    _memset
.text:004041DE                 add     esp, 0Ch
.text:004041E1                 mov     [ebp+lf.lfHeight], 0    ; zero lf: lfHeight, then 0x38 bytes from lfWidth (IDA typed it as a LOGFONT)
.text:004041EB                 push    38h             ; size_t
.text:004041ED                 push    0               ; int
.text:004041EF                 lea     edx, [ebp+lf.lfWidth]
.text:004041F2                 push    edx             ; void *
.text:004041F3                 call    _memset
.text:004041F8                 add     esp, 0Ch
.text:004041FB                 push    offset LibFileName ; "wtsapi32.dll"
.text:00404200                 call    ds:LoadLibraryA         ; bare name: resolved by the loader's search order, not by an explicit path
.text:00404206                 mov     [ebp+hLibModule], eax   ; handle (or NULL) kept in hLibModule
.text:00404209                 mov     [ebp+var_410], 0        ; remaining locals cleared before use
.text:00404213                 mov     [ebp+var_40], 0
.text:0040421A                 mov     [ebp+var_414], 0
.text:00404224                 mov     [ebp+hThread], 0
.text:0040422E                 mov     [ebp+var_34.cbSize], 0  ; var_34: cbSize = 0, then 0x2C bytes from .style zeroed
.text:00404235                 push    2Ch             ; size_t
.text:00404237                 push    0               ; int
.text:00404239                 lea     eax, [ebp+var_34.style]
.text:0040423C                 push    eax             ; void *
.text:0040423D                 call    _memset
.text:00404242                 add     esp, 0Ch
.text:00404245                 mov     [ebp+Msg.hwnd], 0       ; Msg (MSG) zeroed field by field
.text:0040424F                 xor     ecx, ecx
.text:00404251                 mov     [ebp+Msg.message], ecx
.text:00404257                 mov     [ebp+Msg.wParam], ecx
.text:0040425D                 mov     [ebp+Msg.lParam], ecx
.text:00404263                 mov     [ebp+Msg.time], ecx
.text:00404269                 mov     [ebp+Msg.pt.x], ecx
.text:0040426F                 mov     [ebp+Msg.pt.y], ecx
.text:00404275                 mov     [ebp+hObject], 0
.text:0040427C                 mov     [ebp+var_408], 0
.text:00404286                 push    0FFFFFFFFh      ; DWORD
.text:00404288                 call    ImmDisableIME           ; ImmDisableIME(-1)
.text:0040428D                 push    offset aEnlpu32_dll ; "enlpu32.dll"
.text:00404292                 call    sub_403EC0              ; sub_403EC0("enlpu32.dll"): loads <exe dir>\enlpu32.dll and calls its EnableLPU (see listing below)
.text:00404297                 add     esp, 4                  ; cdecl: caller pops the one argument
.text:0040429A                 mov     [ebp+var_408], eax      ; var_408 = module handle, 0 on failure
.text:004042A0                 push    offset aLocalMutexThin ; "Local\\mutex ThinkPad OSD"
.text:004042A5                 push    1               ; bInitialOwner
.text:004042A7                 push    0               ; lpMutexAttributes
.text:004042A9                 call    ds:CreateMutexA         ; CreateMutexA(NULL, TRUE, "Local\\mutex ThinkPad OSD")
.text:004042AF                 mov     [ebp+hObject], eax
.text:004042B2                 call    ds:GetLastError         ; result is used past the cut; presumably an ERROR_ALREADY_EXISTS single-instance check
……

;-----------------------------------------------------------------------
; HMODULE sub_403EC0(const char *dllName)      (reconstructed from the IDA listing)
; ABI:   MSVC x86 cdecl (the caller pops 4 bytes after the call)
; In:    arg_0 = DLL file name; WinMain passes "enlpu32.dll"
; Out:   eax   = module handle on success, 0 if any step failed
; Steps: GetModuleFileNameA(NULL) -> find the last '\' with StrRChrA -> overwrite the
;        EXE's own file name with arg_0 via sub_404A30 -> LoadLibraryA(absolute path)
;        -> GetProcAddress("EnableLPU") -> call it; if anything fails, FreeLibrary and
;        return 0.
; Locals: var_118 = running "ok so far" flag; var_120 = bytes left in Start after the
;        directory part; var_4 = pointer just past the last '\'; var_114 = address of
;        EnableLPU; var_8 = stack cookie; var_124/128/12C/130/134 = per-step temporaries.
; Security (defender note): the DLL is loaded by absolute path from the EXE's own
;        directory, and no signature or origin check of that file is visible in this
;        function before LoadLibraryA — whoever can write into that directory controls
;        the code that runs in DllMain and EnableLPU. Mitigation: verify the DLL
;        (e.g. Authenticode) before loading it and keep the install directory
;        non-writable for standard users; detection: alert when this EXE maps an
;        unsigned or unexpected enlpu32.dll.
;-----------------------------------------------------------------------
.text:00403EC0 sub_403EC0      proc near               ; CODE XREF: WinMain(x,x,x,x)+102 p
.text:00403EC0
.text:00403EC0 var_134         = dword ptr -134h
.text:00403EC0 var_130         = dword ptr -130h
.text:00403EC0 var_12C         = dword ptr -12Ch
.text:00403EC0 var_128         = dword ptr -128h
.text:00403EC0 var_124         = dword ptr -124h
.text:00403EC0 var_120         = dword ptr -120h
.text:00403EC0 hLibModule      = dword ptr -11Ch
.text:00403EC0 var_118         = dword ptr -118h
.text:00403EC0 var_114         = dword ptr -114h
.text:00403EC0 Start           = byte ptr -110h
.text:00403EC0 var_10F         = byte ptr -10Fh
.text:00403EC0 var_8           = dword ptr -8
.text:00403EC0 var_4           = dword ptr -4
.text:00403EC0 arg_0           = dword ptr  8
.text:00403EC0
.text:00403EC0                 push    ebp
.text:00403EC1                 mov     ebp, esp
.text:00403EC3                 sub     esp, 134h               ; 0x134 bytes of locals (path buffer + flags)
.text:00403EC9                 mov     eax, dword_42546C       ; presumably the MSVC /GS stack cookie
.text:00403ECE                 xor     eax, ebp
.text:00403ED0                 mov     [ebp+var_8], eax        ; cookie saved; checked via sub_4053CA before ret
.text:00403ED3                 mov     [ebp+var_118], 0        ; ok-flag = false
.text:00403EDD                 mov     [ebp+Start], 0          ; Start[0] = 0, then Start[1..0x103] = 0: a 0x104 (MAX_PATH) byte path buffer
.text:00403EE4                 push    103h            ; size_t
.text:00403EE9                 push    0               ; int
.text:00403EEB                 lea     eax, [ebp+var_10F]
.text:00403EF1                 push    eax             ; void *
.text:00403EF2                 call    _memset
.text:00403EF7                 add     esp, 0Ch
.text:00403EFA                 mov     [ebp+var_120], 104h     ; var_120 = bytes available in Start
.text:00403F04                 mov     [ebp+var_4], 0          ; pointer to the file-name part, not found yet
.text:00403F0B                 mov     [ebp+hLibModule], 0     ; no module loaded yet
.text:00403F15                 mov     [ebp+var_114], 0        ; EnableLPU address unknown yet
.text:00403F1F                 push    104h            ; nSize
.text:00403F24                 lea     ecx, [ebp+Start]
.text:00403F2A                 push    ecx             ; lpFilename
.text:00403F2B                 push    0               ; hModule
.text:00403F2D                 call    ds:GetModuleFileNameA   ; GetModuleFileNameA(NULL, Start, 0x104): full path of the running EXE
.text:00403F33                 neg     eax                     ; eax = (eax != 0) ? 1 : 0; ZF reflects the final value
.text:00403F35                 sbb     eax, eax
.text:00403F37                 neg     eax
.text:00403F39                 mov     [ebp+var_118], eax      ; ok-flag = (chars written != 0)
.text:00403F3F                 jz      short loc_403F67        ; nothing written -> fail
.text:00403F41                 push    5Ch             ; wMatch
.text:00403F43                 push    0               ; lpEnd
.text:00403F45                 lea     edx, [ebp+Start]
.text:00403F4B                 push    edx             ; lpStart
.text:00403F4C                 call    ds:StrRChrA             ; StrRChrA(Start, NULL, '\\'): last backslash in the EXE path
.text:00403F52                 mov     [ebp+var_4], eax
.text:00403F55                 cmp     [ebp+var_4], 0
.text:00403F59                 jz      short loc_403F67        ; no backslash -> fail
.text:00403F5B                 mov     [ebp+var_124], 1        ; step result = true
.text:00403F65                 jmp     short loc_403F71
.text:00403F67 ; ---------------------------------------------------------------------------
.text:00403F67
.text:00403F67 loc_403F67:                             ; CODE XREF: sub_403EC0+7F j
.text:00403F67                                         ; sub_403EC0+99 j
.text:00403F67                 mov     [ebp+var_124], 0        ; step result = false
.text:00403F71
.text:00403F71 loc_403F71:                             ; CODE XREF: sub_403EC0+A5 j
.text:00403F71                 mov     eax, [ebp+var_124]
.text:00403F77                 mov     [ebp+var_118], eax      ; ok-flag = step result
.text:00403F7D                 cmp     [ebp+var_118], 0
.text:00403F84                 jz      short loc_403FA8        ; skip the length bookkeeping on failure
.text:00403F86                 mov     ecx, [ebp+var_4]
.text:00403F89                 add     ecx, 1                  ; var_4++: now points at the first char after '\' (the EXE's file name)
.text:00403F8C                 mov     [ebp+var_4], ecx
.text:00403F8F                 mov     edx, [ebp+var_4]
.text:00403F92                 lea     eax, [ebp+Start]
.text:00403F98                 sub     edx, eax                ; edx = length of the directory part incl. '\'
.text:00403F9A                 mov     ecx, [ebp+var_120]
.text:00403FA0                 sub     ecx, edx                ; var_120 = 0x104 - dir length: room left for the DLL name
.text:00403FA2                 mov     [ebp+var_120], ecx
.text:00403FA8
.text:00403FA8 loc_403FA8:                             ; CODE XREF: sub_403EC0+C4 j
.text:00403FA8                 cmp     [ebp+var_118], 0
.text:00403FAF                 jz      short loc_403FD5        ; earlier failure -> skip
.text:00403FB1                 mov     edx, [ebp+arg_0]
.text:00403FB4                 push    edx                     ; 3rd arg: dllName (arg_0)
.text:00403FB5                 mov     eax, [ebp+var_120]
.text:00403FBB                 push    eax                     ; 2nd arg: room left in the buffer
.text:00403FBC                 mov     ecx, [ebp+var_4]
.text:00403FBF                 push    ecx                     ; 1st arg: destination (just past the last '\')
.text:00403FC0                 call    sub_404A30              ; sub_404A30(var_4, var_120, arg_0); no esp adjust follows, so it looks stdcall — presumably a bounded string copy, verify
.text:00403FC5                 test    eax, eax
.text:00403FC7                 jl      short loc_403FD5        ; negative return -> fail (HRESULT/errno-style, presumably)
.text:00403FC9                 mov     [ebp+var_128], 1        ; step result = true
.text:00403FD3                 jmp     short loc_403FDF
.text:00403FD5 ; ---------------------------------------------------------------------------
.text:00403FD5
.text:00403FD5 loc_403FD5:                             ; CODE XREF: sub_403EC0+EF j
.text:00403FD5                                         ; sub_403EC0+107 j
.text:00403FD5                 mov     [ebp+var_128], 0        ; step result = false
.text:00403FDF
.text:00403FDF loc_403FDF:                             ; CODE XREF: sub_403EC0+113 j
.text:00403FDF                 mov     edx, [ebp+var_128]
.text:00403FE5                 mov     [ebp+var_118], edx      ; ok-flag = step result
.text:00403FEB                 cmp     [ebp+var_118], 0
.text:00403FF2                 jz      short loc_40401C        ; earlier failure -> skip
.text:00403FF4                 lea     eax, [ebp+Start]
.text:00403FFA                 push    eax             ; lpLibFileName
.text:00403FFB                 call    ds:LoadLibraryA         ; LoadLibraryA(Start): Start now holds "<exe dir>\<dllName>" — an absolute path, no check of the file beforehand
.text:00404001                 mov     [ebp+hLibModule], eax
.text:00404007                 cmp     [ebp+hLibModule], 0
.text:0040400E                 jz      short loc_40401C        ; NULL handle -> fail
.text:00404010                 mov     [ebp+var_12C], 1        ; step result = true
.text:0040401A                 jmp     short loc_404026
.text:0040401C ; ---------------------------------------------------------------------------
.text:0040401C
.text:0040401C loc_40401C:                             ; CODE XREF: sub_403EC0+132 j
.text:0040401C                                         ; sub_403EC0+14E j
.text:0040401C                 mov     [ebp+var_12C], 0        ; step result = false
.text:00404026
.text:00404026 loc_404026:                             ; CODE XREF: sub_403EC0+15A j
.text:00404026                 mov     ecx, [ebp+var_12C]
.text:0040402C                 mov     [ebp+var_118], ecx      ; ok-flag = step result
.text:00404032                 cmp     [ebp+var_118], 0
.text:00404039                 jz      short loc_404068        ; earlier failure -> skip
.text:0040403B                 push    offset ProcName ; "EnableLPU"
.text:00404040                 mov     edx, [ebp+hLibModule]
.text:00404046                 push    edx             ; hModule
.text:00404047                 call    ds:GetProcAddress       ; GetProcAddress(hLibModule, "EnableLPU")
.text:0040404D                 mov     [ebp+var_114], eax
.text:00404053                 cmp     [ebp+var_114], 0
.text:0040405A                 jz      short loc_404068        ; export missing -> fail
.text:0040405C                 mov     [ebp+var_130], 1        ; step result = true
.text:00404066                 jmp     short loc_404072
.text:00404068 ; ---------------------------------------------------------------------------
.text:00404068
.text:00404068 loc_404068:                             ; CODE XREF: sub_403EC0+179 j
.text:00404068                                         ; sub_403EC0+19A j
.text:00404068                 mov     [ebp+var_130], 0        ; step result = false
.text:00404072
.text:00404072 loc_404072:                             ; CODE XREF: sub_403EC0+1A6 j
.text:00404072                 mov     eax, [ebp+var_130]
.text:00404078                 mov     [ebp+var_118], eax      ; ok-flag = step result
.text:0040407E                 cmp     [ebp+var_118], 0
.text:00404085                 jz      short loc_40409D        ; earlier failure -> skip
.text:00404087                 call    [ebp+var_114]           ; EnableLPU() — called with no arguments pushed; code from the loaded DLL runs here
.text:0040408D                 test    eax, eax
.text:0040408F                 jz      short loc_40409D        ; zero return -> fail
.text:00404091                 mov     [ebp+var_134], 1        ; step result = true
.text:0040409B                 jmp     short loc_4040A7
.text:0040409D ; ---------------------------------------------------------------------------
.text:0040409D
.text:0040409D loc_40409D:                             ; CODE XREF: sub_403EC0+1C5 j
.text:0040409D                                         ; sub_403EC0+1CF j
.text:0040409D                 mov     [ebp+var_134], 0        ; step result = false
.text:004040A7
.text:004040A7 loc_4040A7:                             ; CODE XREF: sub_403EC0+1DB j
.text:004040A7                 mov     ecx, [ebp+var_134]
.text:004040AD                 mov     [ebp+var_118], ecx      ; ok-flag = final step result
.text:004040B3                 cmp     [ebp+var_118], 0
.text:004040BA                 jnz     short loc_4040DC        ; success: keep the module loaded
.text:004040BC                 cmp     [ebp+hLibModule], 0
.text:004040C3                 jz      short loc_4040DC        ; nothing loaded: nothing to free
.text:004040C5                 mov     edx, [ebp+hLibModule]
.text:004040CB                 push    edx             ; hLibModule
.text:004040CC                 call    ds:FreeLibrary          ; failure after LoadLibraryA: unload and report 0
.text:004040D2                 mov     [ebp+hLibModule], 0
.text:004040DC
.text:004040DC loc_4040DC:                             ; CODE XREF: sub_403EC0+1FA j
.text:004040DC                                         ; sub_403EC0+203 j
.text:004040DC                 mov     eax, [ebp+hLibModule]   ; return value: module handle or 0
.text:004040E2                 mov     ecx, [ebp+var_8]
.text:004040E5                 xor     ecx, ebp                ; ecx = saved cookie ^ ebp, for the check below
.text:004040E7                 call    sub_4053CA              ; presumably the /GS cookie check (__security_check_cookie)
.text:004040EC                 mov     esp, ebp
.text:004040EE                 pop     ebp
.text:004040EF                 retn
.text:004040EF sub_403EC0      endp

该程序会通过 LoadLibrary 加载 EXE 所在目录下的 enlpu32.dll(路径由 GetModuleFileNameA 取得的自身路径去掉文件名后拼接而成),并调用其导出函数 EnableLPU。木马既可以在该 DLL 的 DllMain 里做坏事,也可以在导出的 EnableLPU 函数里做坏事。而这种白利用基本只有发现一个杀一个了。
