大小: 23283 字节
修改时间: 2008年8月19日, 22:05:52
MD5: 1A508FD863A74CCDA5307E1BFC759319
SHA1: 6D8DD257C6D09A6BE9E41F433C0E0F8CD14F23DB
CRC32: 86C47338
加壳方式: Upack V0.37 -> Dwing
1.释放文件: C:\WINDOWS\system32\mttwfh.dll 275,968 bytes
C:\WINDOWS\system32\mttwfh.dll.LoG 43 bytes
2.使用 LoadLibraryA 函数将 mttwfh.dll 注入进程 explorer.exe，安装钩子监控键盘操作以盗取游戏账号
3.注册表添加:[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{021F087F-4378-545F-74FA-37D345AD7A8C}\InProcServer32]
(Default) = "%System%\mttwfh.dll"
ThreadingModel = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
{021F087F-4378-545F-74FA-37D345AD7A8C} = ""
[HKEY_CURRENT_USERavsAdvancedFolderHiddenSHOWALL]
RegPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
Text = "@shell32.dll,-30500"
Type = "radio"
CheckedValue = 0x00000001
ValueName = "Hidden"
DefaultValue = 0x00000002
HKeyRoot = 0x80000001
HelpID = "shell.hlp#51105"
4.删除verclsid.exe
5.搜索 avp.exe，如找到则释放 winsYs.reg 文件
(以上分析为靠字符串+反汇编代码连蒙带猜得出)
IDA 分析
; ShellExecuteA(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd)
; stdcall: arguments are pushed right-to-left. esi is reused for hwnd,
; lpParameters, lpDirectory and nShowCmd; it is set before this excerpt
; (presumably 0 = NULL / SW_HIDE — TODO confirm from the preceding code).
; The enclosing function starts and ends outside this listing.
push esi ; nShowCmd
push esi ; lpDirectory
push esi ; lpParameters
push offset File ; lpFile = "0.tXt" (mixed-case name; useful as a string artifact when hunting)
push offset Operation ; lpOperation = "open" -> open 0.tXt with its associated handler
push esi ; hwnd
call ShellExecuteA ; return value (eax) is not checked in this excerpt
保存为 0.txt，不知道发送至何处
;-----------------------------------------------------------------------
; Process-enumeration routine (IDA excerpt). The listing stops at the cmp
; below: the jump that acts on it, the loop back-edge and the epilogue are
; not shown. Frame-pointer prologue with 0x12C bytes of locals holding a
; PROCESSENTRY32 (String1) and the snapshot handle (hObject).
; Pattern: CreateToolhelp32Snapshot -> Process32First -> Process32Next,
; with CompareStringA arguments staged for a case-insensitive comparison of
; each szExeFile against lpString2. The DATA XREF on String2 ("AvP.ExE")
; further down suggests that is the name being searched for (item 5 of the
; summary) — confirm from the caller.
;-----------------------------------------------------------------------
push ebp
mov ebp, esp
sub esp, 12Ch ; locals: PROCESSENTRY32 String1 (0x128 bytes) + hObject
push ebx ; ebx/esi are callee-saved under the Win32 convention
push esi
push 0 ; th32ProcessID = 0 (ignored for a process-list snapshot)
push 2 ; dwFlags = 2 = TH32CS_SNAPPROCESS
call CreateToolhelp32Snapshot ; eax = snapshot handle; INVALID_HANDLE_VALUE is not checked here
lea ecx, [ebp+String1]
mov [ebp+hObject], eax
push ecx ; lppe = &String1
push eax ; hSnapshot
mov [ebp+String1.dwSize], 128h ; 0x128 = sizeof(PROCESSENTRY32) (ANSI); required before Process32First
call Process32First ; its BOOL result is not tested in this excerpt
mov eax, eax ; these four self-moves are no-ops (no register or flag change);
mov edx, edx ; likely padding/obfuscation left by the packer named in the
mov ecx, ecx ; summary (Upack) — hedged, not confirmed
mov ebx, ebx
push 0FFFFFFFFh ; cchCount2 = -1 (lpString2 is NUL-terminated)
mov esi, CompareStringA ; esi = &CompareStringA, kept across iterations (esi was saved above)
push [ebp+lpString2] ; lpString2 = name searched for (see String2 XREF below)
lea eax, [ebp+String1.szExeFile]
mov ebx, 400h ; 0x400 = LOCALE_USER_DEFAULT
push 0FFFFFFFFh ; cchCount1 = -1 (szExeFile is NUL-terminated)
push eax ; lpString1 = current entry's szExeFile
push 1 ; dwCmpFlags = 1 = NORM_IGNORECASE (hence the mixed-case "AvP.ExE" still matches avp.exe)
push ebx ; Locale
lea eax, [ebp+String1]
push eax ; lppe
push [ebp+hObject] ; hSnapshot
; Process32Next (stdcall, 2 args) pops only its own two arguments; the six
; CompareStringA arguments pushed above stay on the stack, so the actual
; comparison (presumably `call esi`) happens after this excerpt.
call Process32Next
cmp eax, 1 ; Process32Next returned TRUE? — the branch on this result is not shown
00403178 ; char String2[]
; Mixed-case process name. The DATA XREF shows sub_401A3F takes its address;
; given the NORM_IGNORECASE CompareStringA staged in the enumeration loop above,
; this is presumably the lpString2 it compares against each szExeFile — confirm.
; Detection note: the literal "AvP.ExE" is a usable string indicator for this sample.
PS______:00403178 String2 db 'AvP.ExE',0 ; DATA XREF: sub_401A3F+E0 o