Author: lordor   From: NukeGroup   Site: www.digitalnuke.com   Forum: http://www.digitalnuke.com/forum/index.php
Preface: this post describes one cracker-style tracing method for manually undoing the damage done by malicious web page code.

Browsing with Mozilla 1 always gives some trouble, for instance it sometimes fails to resolve the home page address or the like. But if you use IE you are constantly ambushed by malicious web pages.

Unfortunately I got hit today: a virus (luckily KV killed it), the registry editor disabled, and the default home page unchangeable. Thoroughly annoying. So let's look at how a malicious page does its attack.

Load regedit.exe in OllyDbg:
0100734A PUSH ESI
0100734B PUSH EDI
0100734C CALL DWORD PTR DS:[<&KERNEL32.GetThreadL>; [GetThreadLocale
01007352 XOR EBP,EBP
01007354 PUSH EBP ; /pModule => NULL
01007355 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; \GetModuleHandleW
0100735B PUSH EBP ; /Title => NULL
0100735C PUSH regedit.01001500 ; |Class = "RegEdit_RegEdit"
01007361 MOV DWORD PTR DS:[104C3E0],EAX ; |
01007366 CALL DWORD PTR DS:[<&USER32.FindWindowW>>; \FindWindowW
0100736C MOV ESI,EAX
0100736E CALL regedit.010074A8
01007373 DEC EAX ; Switch (cases 1..2)
01007374 JE regedit.01007481
0100737A DEC EAX
0100737B JE regedit.01007497
01007381 CMP ESI,EBP ; Default case of switch 01007373
01007383 JE SHORT regedit.010073C3
01007385 PUSH ESI ; /hWnd
01007386 CALL DWORD PTR DS:[<&USER32.IsIconic>] ; \IsIconic
0100738C TEST EAX,EAX
0100738E JE SHORT regedit.0100739E
01007390 PUSH 9 ; /ShowState = SW_RESTORE
01007392 PUSH ESI ; |hWnd
01007393 CALL DWORD PTR DS:[<&USER32.ShowWindow>] ; \ShowWindow
01007399 JMP regedit.01007497
0100739E MOV EDI,DWORD PTR DS:[<&USER32.BringWind>; USER32.BringWindowToTop
010073A4 PUSH ESI ; /hWnd
010073A5 CALL EDI ; \BringWindowToTop
010073A7 PUSH ESI ; /hOwner
010073A8 CALL DWORD PTR DS:[<&USER32.GetLastActiv>; \GetLastActivePopup
010073AE MOV EBX,EAX
010073B0 CMP EBX,ESI
010073B2 JE SHORT regedit.010073B7
010073B4 PUSH EBX ; /hWnd
010073B5 CALL EDI ; \BringWindowToTop
010073B7 PUSH EBX ; /hWnd
010073B8 CALL DWORD PTR DS:[<&USER32.SetForegroun>; \SetForegroundWindow
010073BE JMP regedit.01007497
010073C3 CALL regedit.010075ED ==> the key call, see below
010073C8 TEST EAX,EAX ==> tests whether the registry editor is disabled
010073CA JE SHORT regedit.010073E6
010073CC PUSH 10
010073CE PUSH 10
010073D0 PUSH 28
010073D2 PUSH EBP
010073D3 PUSH DWORD PTR DS:[104C3E0] ; regedit.01000000
010073D9 CALL regedit.010078B1 ==> shows the "disabled" message
010073DE ADD ESP,14
010073E1 JMP regedit.01007497
010073E6 PUSH 1C

-----------------------
010073C3 CALL regedit.010075ED

010075ED PUSH EBP
010075EE MOV EBP,ESP
010075F0 SUB ESP,10
010075F3 LEA EAX,DWORD PTR SS:[EBP-8]
010075F6 PUSH EDI
010075F7 PUSH EAX ; /pHandle
010075F8 PUSH regedit.01001788 ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Policies\System"
010075FD PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
01007602 XOR EDI,EDI ; |
01007604 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyW
0100760A TEST EAX,EAX
0100760C JNZ SHORT regedit.01007651 ==> change this jump to make it skip the check
0100760E LEA EAX,DWORD PTR SS:[EBP-4]
01007611 MOV DWORD PTR SS:[EBP-4],4
01007618 PUSH EAX ; /pBufSize
01007619 LEA EAX,DWORD PTR SS:[EBP-10] ; |
0100761C PUSH EAX ; |Buffer
0100761D LEA EAX,DWORD PTR SS:[EBP-C] ; |
01007620 PUSH EAX ; |pValueType
01007621 PUSH EDI ; |Reserved => NULL
01007622 PUSH regedit.0100175C ; |ValueName = "DisableRegistryTools"
01007627 PUSH DWORD PTR SS:[EBP-8] ; |hKey
0100762A CALL DWORD PTR DS:[<&ADVAPI32.RegQueryVa>; \RegQueryValueExW
01007630 TEST EAX,EAX
01007632 JNZ SHORT regedit.01007648
01007634 CMP DWORD PTR SS:[EBP-C],4
01007638 JNZ SHORT regedit.01007648
0100763A CMP DWORD PTR SS:[EBP-4],4
As you can see, this code reads the "DisableRegistryTools" value from the registry; the listing also checks that the value type and the value size are both 4 (a REG_DWORD), and if the value is 1 the registry editor is disabled.

Recovery: following the listing above, change 0100760C JNZ SHORT regedit.01007651 into a JMP and the registry restriction is lifted for good. Or, once inside the registry editor, set DisableRegistryTools to 0 under "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System". Or write a registry file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
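The JNZ-to-JMP patch above, as an added example that is not part of the original post: it shows in Python, rather than inside OllyDbg, what the patch actually changes and the checks to make before writing it. The bytes are constructed from the listing (TEST EAX,EAX / JNZ SHORT / LEA EAX,[EBP-4] encode as 85 C0 / 75 43 / 8D 45 FC), the image base 0x01000000 comes from the listing, and the .text section numbers used for the file-offset conversion are hypothetical. Two caveats for a real file: the section header values must be read from the target's own PE header, and regedit.exe is a system file, so on Windows XP Windows File Protection may put the original back after an on-disk patch; the patch made inside OllyDbg lasts only for that debugging session.

```python
# Added example (not from the original post): turn the JNZ SHORT at
# 0100760C into an unconditional JMP SHORT as a byte-level patch, with
# the checks a reverser wants before writing.  Sample bytes are
# constructed from the listing; section layout numbers are hypothetical.

IMAGE_BASE = 0x01000000          # from the listing ("regedit.01000000")
JNZ_VA = 0x0100760C              # the conditional jump the post patches

# Hypothetical .text section header values (NOT from the post; read the
# real ones from the PE section table of the binary being patched).
TEXT_SECTION = {"VirtualAddress": 0x1000, "PointerToRawData": 0x400}

# Constructed buffer covering 0100760A..01007610:
#   85 C0    = TEST EAX,EAX
#   75 43    = JNZ SHORT +0x43  (0100760E + 0x43 = 01007651)
#   8D 45 FC = LEA EAX,[EBP-4]
SAMPLE_CODE_VA = 0x0100760A
SAMPLE_CODE = bytes.fromhex("85C0 7543 8D45FC")

OPCODE_JNZ_SHORT = 0x75
OPCODE_JMP_SHORT = 0xEB


def va_to_file_offset(va, section, image_base=IMAGE_BASE):
    """Map a virtual address to a file offset using one section header."""
    rva = va - image_base
    return rva - section["VirtualAddress"] + section["PointerToRawData"]


def decode_short_jump(code, off, va):
    """Decode the 2-byte short jump at code[off]; return (mnemonic, target VA)."""
    opcode, rel8 = code[off], code[off + 1]
    names = {OPCODE_JNZ_SHORT: "JNZ SHORT", OPCODE_JMP_SHORT: "JMP SHORT"}
    if opcode not in names:
        raise ValueError("not a short jump at 0x%08X: opcode %02X" % (va, opcode))
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8   # sign-extend rel8
    return names[opcode], va + 2 + disp               # relative to the next instruction


def patch_jnz_to_jmp(code, off, va):
    """Return a copy of code with the JNZ SHORT at off turned into JMP SHORT.

    Only the opcode byte changes; the rel8 displacement is kept, so the
    jump still lands on the same target (the "key could not be opened"
    path, which leaves the registry editor enabled).
    """
    mnemonic, target = decode_short_jump(code, off, va)
    if mnemonic != "JNZ SHORT":
        raise ValueError("expected JNZ SHORT at 0x%08X, found %s" % (va, mnemonic))
    patched = bytearray(code)
    patched[off] = OPCODE_JMP_SHORT
    _, new_target = decode_short_jump(patched, off, va)
    if new_target != target:
        raise AssertionError("displacement must be unchanged")
    return bytes(patched)


if __name__ == "__main__":
    off = JNZ_VA - SAMPLE_CODE_VA
    print("file offset of the JNZ:", hex(va_to_file_offset(JNZ_VA, TEXT_SECTION)))
    print("before:", decode_short_jump(SAMPLE_CODE, off, JNZ_VA))
    patched = patch_jnz_to_jmp(SAMPLE_CODE, off, JNZ_VA)
    print("after: ", decode_short_jump(patched, off, JNZ_VA), patched.hex())
```

Only the opcode byte changes (0x75 to 0xEB); the displacement 0x43 stays, so the unconditional jump lands on 01007651 exactly where the RegOpenKeyW-failed path already went, and regedit then behaves as if the Policies\System key did not exist.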
With the registry restriction lifted, there is still something stopping the default home page from being set. Set a breakpoint on EnableWindow and you land here:
023CFDE7 33F6 XOR ESI,ESI
023CFDE9 56 PUSH ESI
023CFDEA 6A 03 PUSH 3
023CFDEC 68 C5000000 PUSH 0C5
023CFDF1 68 D4050000 PUSH 5D4
023CFDF6 53 PUSH EBX
023CFDF7 FFD7 CALL EDI
023CFDF9 50 PUSH EAX
023CFDFA FF15 B0113C02 CALL DWORD PTR DS:[<&SHLWAPI.#136>] ; SHLWAPI.#136
023CFE00 66:3935 48E13D02 CMP WORD PTR DS:[23DE148],SI
023CFE07 74 2A JE SHORT inetcpl.023CFE33
023CFE09 68 80000000 PUSH 80
023CFE0E 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
023CFE12 50 PUSH EAX
023CFE13 68 1B120000 PUSH 121B
023CFE18 E8 B6070000 CALL inetcpl.023D05D3
023CFE1D 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
023CFE21 50 PUSH EAX
023CFE22 56 PUSH ESI
023CFE23 6A 0C PUSH 0C
023CFE25 53 PUSH EBX
023CFE26 FF15 CC133C02 CALL DWORD PTR DS:[<&USER32.GetParent>] ; USER32.GetParent
023CFE2C 50 PUSH EAX
023CFE2D FF15 B0113C02 CALL DWORD PTR DS:[<&SHLWAPI.#136>] ; SHLWAPI.#136
023CFE33 3935 ECE03D02 CMP DWORD PTR DS:[23DE0EC],ESI
023CFE39 74 30 JE SHORT inetcpl.023CFE6B
023CFE3B 56 PUSH ESI
023CFE3C 68 CF050000 PUSH 5CF
023CFE41 53 PUSH EBX
023CFE42 FFD7 CALL EDI
023CFE44 50 PUSH EAX
023CFE45 FFD5 CALL EBP ==> EnableWindow
023CFE47 56 PUSH ESI
023CFE48 68 CD050000 PUSH 5CD
023CFE4D 53 PUSH EBX
023CFE4E FFD7 CALL EDI
023CFE50 50 PUSH EAX
023CFE51 FFD5 CALL EBP
023CFE53 56 PUSH ESI
023CFE54 68 94010000 PUSH 194
023CFE59 53 PUSH EBX
023CFE5A FFD7 CALL EDI
023CFE5C 50 PUSH EAX
023CFE5D FFD5 CALL EBP
023CFE5F 56 PUSH ESI
023CFE60 68 CE050000 PUSH 5CE
023CFE65 53 PUSH EBX
023CFE66 FFD7 CALL EDI
023CFE68 50 PUSH EAX
023CFE69 FFD5 CALL EBP
023CFE6B 3935 38E13D02 CMP DWORD PTR DS:[23DE138],ESI
023CFE71 74 24 JE SHORT inetcpl.023CFE97
023CFE73 56 PUSH ESI
023CFE74 68 73020000 PUSH 273
023CFE79 53 PUSH EBX
023CFE7A FFD7 CALL EDI
023CFE7C 50 PUSH EAX
023CFE7D FFD5 CALL EBP
023CFE7F 56 PUSH ESI
023CFE80 68 70020000 PUSH 270
023CFE85 53 PUSH EBX
023CFE86 FFD7 CALL EDI
023CFE88 50 PUSH EAX
023CFE89 FFD5 CALL EBP
023CFE8B 56 PUSH ESI
023CFE8C 68 D2050000 PUSH 5D2
023CFE91 53 PUSH EBX
023CFE92 FFD7 CALL EDI
023CFE94 50 PUSH EAX
023CFE95 FFD5 CALL EBP
023CFE97 3935 F0E03D02 CMP DWORD PTR DS:[23DE0F0],ESI
023CFE9D 74 24 JE SHORT inetcpl.023CFEC3
023CFE9F 56 PUSH ESI
023CFEA0 68 D4050000 PUSH 5D4
023CFEA5 53 PUSH EBX
023CFEA6 FFD7 CALL EDI
023CFEA8 50 PUSH EAX
023CFEA9 FFD5 CALL EBP
023CFEAB 56 PUSH ESI
023CFEAC 68 D5050000 PUSH 5D5
023CFEB1 53 PUSH EBX
023CFEB2 FFD7 CALL EDI
023CFEB4 50 PUSH EAX
023CFEB5 FFD5 CALL EBP
023CFEB7 56 PUSH ESI
023CFEB8 68 D1050000 PUSH 5D1
023CFEBD 53 PUSH EBX
023CFEBE FFD7 CALL EDI
023CFEC0 50 PUSH EAX
023CFEC1 FFD5 CALL EBP
023CFEC3 5F POP EDI
023CFEC4 33C0 XOR EAX,EAX
023CFEC6 5D POP EBP
023CFEC7 40 INC EAX
At the comparisons, such as:

023CFE33 3935 ECE03D02 CMP DWORD PTR DS:[23DE0EC],ESI
023CFE6B 3935 38E13D02 CMP DWORD PTR DS:[23DE138],ESI

set a hardware breakpoint on the memory being compared, e.g. on [23DE0EC]. That brings you here:

023D2A3D PUSH DWORD PTR SS:[EBP-4]
023D2A40 MOV DWORD PTR DS:[ESI+30],EAX
023D2A43 CALL inetcpl.023D2905
023D2A48 PUSH inetcpl.023C4204 ; UNICODE "History"
023D2A4D PUSH DWORD PTR SS:[EBP-4]
023D2A50 MOV DWORD PTR DS:[ESI+34],EAX
023D2A53 CALL inetcpl.023D2905
023D2A58 PUSH inetcpl.023C4214 ; UNICODE "Messaging"
023D2A5D PUSH DWORD PTR SS:[EBP-4]
023D2A60 MOV DWORD PTR DS:[ESI+38],EAX
023D2A63 CALL inetcpl.023D2905
023D2A68 PUSH inetcpl.023C4270 ; UNICODE "Ratings"

Looking further up:

023D2950 PUSH inetcpl.023C4058 ; UNICODE "Software\Policies\Microsoft\Internet Explorer\Control Panel"
023D2955 PUSH 80000001
023D295A CALL DWORD PTR DS:[<&SHLWAPI.#125>] ; SHLWAPI.#125
023D2960 TEST EAX,EAX
023D2962 JNZ inetcpl.023D2BC1
023D2968 PUSH ESI

This opens HKEY_CURRENT_USER (0x80000001)\Software\Policies\Microsoft\Internet Explorer\Control Panel. Take a look in the registry:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel] "HomePage"=dword:00000001
Simply change "HomePage"=dword:00000001 to 0 and the restriction on setting the home page is lifted. There is also the title bar showing other text; go to [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] in the registry and delete the Main key. (Deleting the whole key also throws away the rest of your IE settings, such as Start Page; the injected text lives in the "Window Title" string value under Main, so deleting just that value is the narrower fix.)
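An added example, not code from the original post, that does the registry side of the clean-up as a script instead of by hand: it parses a Registry Editor export, reports the lockdowns traced above (DisableRegistryTools under Policies\System, HomePage under the Internet Explorer\Control Panel policy key) plus an overridden IE title bar, and writes the .reg text that reverses them. SAMPLE_EXPORT is a constructed export imitating the infected machine; the URL and the title string in it are made up. One deliberate difference from the post: instead of deleting the whole Internet Explorer\Main key, which also holds settings such as Start Page, the generated .reg deletes only the "Window Title" value, which is the value IE shows in its title bar.

```python
# Added example (not from the original post): audit a .reg export for the
# policy lockdowns traced in the post and emit the .reg that undoes them.
import re

POLICY_SYSTEM = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
IE_CONTROL_PANEL = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# Constructed export imitating the infected machine in the post (the URL and
# the title text are made up).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.invalid/"
"Window Title"="Hijacked title (constructed)"
"""

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (kind, value)}}.

    dword: values become ("dword", int), quoted strings ("sz", str), anything
    else ("raw", text).  "[-key]" drops a key and '"name"=-' drops a value.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group(1) == "-":
                tree.pop(m.group(2), None)
                current = None
            else:
                current = m.group(2)
                tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data == "-":
            tree[current].pop(name, None)
        elif data.startswith("dword:"):
            tree[current][name] = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            tree[current][name] = ("sz", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        else:
            tree[current][name] = ("raw", data)
    return tree


def _dword(tree, key, name):
    """A REG_DWORD value, or 0 when absent or not a DWORD (mirroring the
    type/size check in the regedit listing above)."""
    kind, value = tree.get(key, {}).get(name, ("dword", 0))
    return value if kind == "dword" else 0


def audit(tree):
    """Return (key, value_name, description) for each lockdown present."""
    findings = []
    if _dword(tree, POLICY_SYSTEM, "DisableRegistryTools") != 0:
        findings.append((POLICY_SYSTEM, "DisableRegistryTools", "Registry Editor disabled"))
    if _dword(tree, IE_CONTROL_PANEL, "HomePage") != 0:
        findings.append((IE_CONTROL_PANEL, "HomePage", "IE home page setting locked"))
    if "Window Title" in tree.get(IE_MAIN, {}):
        findings.append((IE_MAIN, "Window Title", "IE title bar text overridden"))
    return findings


def remediation_reg(findings):
    """.reg text that resets the policy DWORDs to 0 and deletes the title value."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _ in findings:
        lines.append("[%s]" % key)
        if name == "Window Title":
            lines.append('"%s"=-' % name)          # "=-" deletes one value
        else:
            lines.append('"%s"=dword:00000000' % name)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_EXPORT))
    for key, name, why in found:
        print("%s: %s\\%s" % (why, key, name))
    print(remediation_reg(found))
```

Running the generated text through parse_reg and audit again is the check that the fix is complete: it should report nothing.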
With that, IE is back to normal again.

You are welcome at the NukeGroup forum to discuss encryption and cracking techniques together.

by lordor 2004.3.12