三象 (Sanxiang) 2004 and several later versions use a virtual SHELL technique and load themselves directly into the system kernel; forcibly terminating the 三象 process only crashes the system.
Earlier cracking approaches:
1. Disable the broadcast protocol. 三象's countermeasure: TCP/IP is used by default and recommended, to prevent malicious sabotage.
2. Clear the startup entries, log off and log on again. 三象's countermeasure: the mouse stays forcibly locked to a single point.
3. Log on as a new user. 三象's countermeasure: same as 2.
4. Kill the 三象 processes together with winlogon.exe and smss.exe. 三象's countermeasure: the versions after 2004 have been updated so that terminating these processes crashes the system.
5. The 三象 2004 no-password logon tool. 三象's countermeasure: it is not compatible with the latest version, 三象 2008.
etc.
After the system starts, the system process winlogon.exe loads the 三象 logon module loguser.dll
through the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ginadll
The main function of this module: as long as the user is not logged on (the state after logging off), it forcibly locks the mouse at one point, and the lock is only released once 三象's Clsmn.exe is running.
I tried using a process tool to freeze the loguser thread under winlogon and then delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ginadll
(while loguser is running it constantly watches the registry, so an ordinary modification is reverted the moment it is made).
After logging off, the mouse was still locked, because the loguser module under winlogon had been activated again, and if that module is unloaded winlogon crashes.
Actually, forcibly removing 三象 is quite simple: freeze the loguser thread, delete the registry value, rename Clsmn.exe, then restart the computer and you will find 三象 is gone.
(But that does not work in the internet café; this method is out, keep reading.)
After several failures, I summarised 3 methods for removing 三象:
1. CSetup.exe, the 三象 configuration tool (decompile the 三象 2008 configuration tool, read out the password or patch it for password-less logon, like the 三象 2004 no-password logon tool)
2. Clsmn.exe, the 三象 screen lock (decompile it and find a way to release the mouse lock, or a way to get past the wrong-password check)
3. Loguser.dll, the 三象 user logon module (decompile it and find the code that locks the mouse)
CSetup.exe: the packer check shows ASProtect 2.0x Registered -> Alexey Solodovnikov
After unpacking, I do not know whether the unpacking was incomplete or something else went wrong; in any case the settings window could not be started.
Method 2 follows:
Clsmn.exe: ASPack 2.12 -> Alexey Solodovnikov
Find the OEP:
00548810 55 push ebp
00548811 8BEC mov ebp,esp
00548813 B9 29000000 mov ecx,29
00548818 6A 00 push 0
0054881A 6A 00 push 0
This packer is fairly simple; after dumping it the import table does not need to be repaired.
Checking again: Borland Delphi 6.0 - 7.0, no packer.
Load it into OD again and arrive at:
00548810 > 55 push ebp
00548811 8BEC mov ebp,esp
00548813 B9 29000000 mov ecx,29
00548818 6A 00 push 0
0054881A 6A 00 push 0
0054881C 49 dec ecx
Right-click -- Ultra String Reference -- Find ASCII
then press Ctrl+F and enter 密码不正确 (the "password incorrect" string, without quotes)
Double-click the string 密码不正确 to arrive here.
The 密码不正确 string corresponds to the line just above it, 00536D1A | 74 1C: a JE conditional jump which, when the condition is met, jumps to 00536D38.
So we change this JE into a JMP so that it always jumps: the password is no longer checked and the wrong-password branch is skipped.
------------------------------------
00536D11 |. 8B55 8C mov edx,dword ptr ss:[ebp-74]
00536D14 |. 58 pop eax
00536D15 |. E8 A6E0ECFF call test.00404DC0
00536D1A |. 74 1C je short test.00536D38
00536D1C |. 8D4D 84 lea ecx,dword ptr ss:[ebp-7C]
00536D1F |. BA F06F5300 mov edx,test.00536FF0 ; 密码不正确
00536D24 |. B8 04705300 mov eax,test.00537004 ; ids_clt52
00536D29 |. E8 F283FAFF call test.004DF120
00536D2E |. 8B45 84 mov eax,dword ptr ss:[ebp-7C]
00536D31 |. E8 E6EDFFFF call test.00535B1C
00536D36 |. EB 6B jmp short test.00536DA3
00536D38 |> 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00536D3B |. BA 18705300 mov edx,test.00537018 ; ok
00536D40 |. E8 7BE0ECFF call test.00404DC0
00536D45 |. 74 3A je short test.00536D81
----------------------------------
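From the defender's side, the JE -> JMP change described above leaves a fingerprint that an integrity check can catch. The following is an added example (not the post's or the vendor's code) of such a check for exactly this region: the bytes are transcribed from the listing, while the file offset and the sample images are constructed placeholders.

```python
import hashlib

# Code bytes transcribed from the OllyDbg listing above, 00536D11 .. 00536D1B:
#   8B55 8C       mov edx,dword ptr ss:[ebp-74]
#   58            pop eax
#   E8 A6E0ECFF   call test.00404DC0        ; string compare
#   74 1C         je short test.00536D38    ; the jump the post turns into JMP
KNOWN_GOOD_REGION = bytes.fromhex("8B558C58E8A6E0ECFF741C")
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_REGION).hexdigest()
JE_INDEX = 9                  # position of the 0x74 (JE short) opcode in the region
JE_DISPLACEMENT = 0x1C        # displacement to 00536D38, from the listing
REGION_FILE_OFFSET = 0x0D11   # constructed placeholder, not the real file offset

def classify_jump(region: bytes) -> str:
    """Report the state of the password-check jump inside a code region."""
    if len(region) < JE_INDEX + 2:
        return "truncated"
    opcode, disp = region[JE_INDEX], region[JE_INDEX + 1]
    if opcode == 0x74 and disp == JE_DISPLACEMENT:
        return "intact"            # JE still guards the wrong-password branch
    if opcode == 0xEB and disp == JE_DISPLACEMENT:
        return "bypass-jmp"        # the JE -> JMP patch described in the post
    return "modified"              # any other change: treat as tampered

def check_image(image: bytes, offset: int = REGION_FILE_OFFSET) -> dict:
    """Verify the region at `offset` of a file image against the known-good bytes."""
    region = image[offset:offset + len(KNOWN_GOOD_REGION)]
    return {
        "hash_ok": hashlib.sha256(region).hexdigest() == KNOWN_GOOD_SHA256,
        "jump": classify_jump(region),
    }

def constructed_image(region: bytes) -> bytes:
    """Constructed sample: a fake file image carrying `region` at REGION_FILE_OFFSET."""
    return b"\x00" * REGION_FILE_OFFSET + region + b"\x00" * 16

def patched_region() -> bytes:
    """Constructed sample of the post's edit: opcode 0x74 (JE) replaced by 0xEB (JMP)."""
    patched = bytearray(KNOWN_GOOD_REGION)
    patched[JE_INDEX] = 0xEB
    return bytes(patched)

if __name__ == "__main__":
    print(check_image(constructed_image(KNOWN_GOOD_REGION)))  # hash_ok True, jump intact
    print(check_image(constructed_image(patched_region())))   # hash_ok False, jump bypass-jmp
```

A real deployment would compare against a hash recorded at install time rather than one computed from the same bytes, and would cover the whole code section, not just this region.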
Now for the patched file:
Right-click -- Copy to executable -- Copy all
Save the file, and the crack of 三象 2008 Clsmn.exe is complete.
------------ Administrator logon method for newbies:
On the machine running 三象 2008, go to the system directory and rename c:\windows\system32\Clsmn.exe; any new name will do.
Then copy our patched Clsmn.exe (the file from post #1) into that directory and log off.
When the user logon screen appears, choose administrator logon, enter any password, and log on.
Congratulations, the crack of the latest 三象 2008 is complete.