
mttwfh.dll等游戏木马解决方案

mttwfh.dll等游戏木马解决方案

文件: C:\Documents and Settings\user\桌面\zip1.exe

大小: 23283 字节

修改时间: 2008年8月19日, 22:05:52

MD5: 1A508FD863A74CCDA5307E1BFC759319

SHA1: 6D8DD257C6D09A6BE9E41F433C0E0F8CD14F23DB

CRC32: 86C47338 加壳方式:Upack V0.37 -> Dwing

1.释放文件:C:\WINDOWS\system32\mttwfh.dll 275,968 bytes

C:\WINDOWS\system32\mttwfh.dll.LoG 43 bytes

2.使用LoadLibraryA函数将mttwfh.dll注入explorer.exe进程，安装钩子监控键盘操作，以盗取游戏账号

3.注册表添加:[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{021F087F-4378-545F-74FA-37D345AD7A8C}\InProcServer32]

(Default) = "%System%\mttwfh.dll"

ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

{021F087F-4378-545F-74FA-37D345AD7A8C} = ""

[HKEY_CURRENT_USER\avs\Advanced\Folder\Hidden\SHOWALL]

RegPath = "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

Text = "@shell32.dll,-30500"

Type = "radio"

CheckedValue = 0x00000001

ValueName = "Hidden"

DefaultValue = 0x00000002

HKeyRoot = 0x80000001

HelpID = "shell.hlp#51105"

4.删除verclsid.exe

5.搜索avp.exe，如找到则释放winsYs.reg文件

(以上分析为靠字符串+反汇编代码连蒙带猜得出)

IDA分析

; Fragment (the start of the enclosing routine is not shown): argument pushes for
; ShellExecuteA(hwnd, "open", "0.tXt", lpParameters, lpDirectory, nShowCmd).
; esi is reused for hwnd, lpParameters, lpDirectory and nShowCmd; it is loaded
; before this fragment — presumably 0/NULL (which would make nShowCmd SW_HIDE),
; but its value is not visible here.
push esi ; nShowCmd

push esi ; lpDirectory

push esi ; lpParameters

push offset File ; lpFile = "0.tXt" — bare file name, no directory; mixed-case spelling, so match it case-insensitively when hunting for it

push offset Operation ; lpOperation = "open" — open 0.tXt with whatever handler is registered for .txt

push esi ; hwnd

call ShellExecuteA ; what is done with the result is outside this fragment

保存为0.txt，不知道发送至何处

;-----------------------------------------------------------------------
; Process-enumeration routine (IDA listing, truncated: the branch after
; Process32Next, the actual CompareStringA call and the epilogue are not
; shown). Takes a process snapshot and compares each entry's szExeFile with
; a second string; the data xref below suggests that string is "AvP.ExE".
; Locals: String1 = PROCESSENTRY32 (0x128 bytes), hObject = snapshot handle.
; lpString2 = pointer to the name being searched for (local or argument —
; cannot tell from this listing).
; Registers: esi = address of the CompareStringA import, ebx = Locale (0x400).
;-----------------------------------------------------------------------
push ebp

mov ebp, esp

sub esp, 12Ch ; 0x12C bytes of locals; holds the 0x128-byte PROCESSENTRY32

push ebx ; callee-saved registers used below

push esi

push 0 ; th32ProcessID (ignored for a process snapshot)

push 2 ; dwFlags = TH32CS_SNAPPROCESS

call CreateToolhelp32Snapshot

lea ecx, [ebp+String1]

mov [ebp+hObject], eax ; hObject = snapshot handle; no INVALID_HANDLE_VALUE check before it is used

push ecx ; lppe

push eax ; hSnapshot

mov [ebp+String1.dwSize], 128h ; dwSize = sizeof(PROCESSENTRY32) = 0x128, required before Process32First

call Process32First ; no test of eax is visible before eax is overwritten below, so the first entry's success is not checked here

mov eax, eax ; the next four instructions are register-to-self moves (no-ops);

mov edx, edx ; presumably packer/obfuscation padding rather than meaningful code —

mov ecx, ecx ; TODO confirm against the unpacked image

mov ebx, ebx

; Arguments for CompareStringA are pushed now but consumed only after
; Process32Next returns (the call through esi is outside this listing), so the
; entry compared is the one filled in by Process32Next, i.e. the first entry
; returned by Process32First is presumably skipped.
push 0FFFFFFFFh ; cchCount2 = -1: lpString2 is null-terminated

mov esi, CompareStringA ; keep the import address in esi for the (not shown) call

push [ebp+lpString2] ; lpString2 — presumably points to String2 ("AvP.ExE"), per the data xref

lea eax, [ebp+String1.szExeFile]

mov ebx, 400h ; LOCALE_USER_DEFAULT

push 0FFFFFFFFh ; cchCount1 = -1: lpString1 is null-terminated

push eax ; lpString1 = current entry's szExeFile

push 1 ; dwCmpFlags = NORM_IGNORECASE — case-insensitive, which is why the mixed-case "AvP.ExE" still matches avp.exe

push ebx ; Locale

lea eax, [ebp+String1]

push eax ; lppe

push [ebp+hObject] ; hSnapshot

call Process32Next

cmp eax, 1 ; compares the BOOL result against exactly 1 (not "nonzero"); the branch that follows is not shown

; Process name searched for by sub_401A3F (step 5 above). The mixed-case
; spelling only matches avp.exe because the compare uses NORM_IGNORECASE,
; so any string-based detection for this sample should be case-insensitive too.
00403178 ; char String2[]

PS______:00403178 String2 db 'AvP.ExE',0 ; DATA XREF: sub_401A3F+E0 o

(作者:我孤独行走)
