Analysis of How the Tencent QQ CoralQQ (珊瑚虫) Plug-in Works (3)
China.com Tech http://tech.china.com
2005-06-23 10:38:15
Now let us look at how the CoralQQ plug-in runs under Win9x. Load Coralqq.exe in OllyDbg (OD) again:
00415C9D  mov dword ptr ss:[ebp-C],ecx
00415CA0  mov dword ptr ss:[ebp-4],edx
00415CA3  mov dword ptr ss:[ebp-8],eax
00415CA6  xor ebx,ebx
00415CA8  call                              ; determine the operating system version
00415CAD  test eax,80000000                 ; bit 31 set = Win9x
00415CB2  je short CORALQQ.00415CFE         ; bit 31 clear (NT): skip the Win9x path
00415CB4  xor edi,edi                       ; edi = address to query, starts at 0
00415CB6  xor esi,esi                       ; esi = last AllocationBase seen
00415CB8  jmp short CORALQQ.00415CE7
00415CBA  cmp esi,dword ptr ss:[ebp-24]     ; [ebp-24] = AllocationBase of the region
00415CBD  je short CORALQQ.00415CE2         ; same allocation as last time: skip it
00415CBF  mov eax,dword ptr ss:[ebp-4]
00415CC2  mov edx,dword ptr ss:[ebp-24]
00415CC5  mov dword ptr ds:[eax],edx        ; store AllocationBase through the out pointer
00415CC7  cmp dword ptr ss:[ebp-18],1000    ; [ebp-18] = State, 1000 = MEM_COMMIT
00415CCE  jnz short CORALQQ.00415CDF
00415CD0  push ebp                          ; /Arg1
00415CD1  call CORALQQ.00415BD4             ; CoralQQ.00415BD4
00415CD6  pop ecx
00415CD7  test al,al
00415CD9  je short CORALQQ.00415CDF
00415CDB  mov bl,1                          ; found: bl = 1
00415CDD  jmp short CORALQQ.00415D29
00415CDF  mov esi,dword ptr ss:[ebp-24]
00415CE2  mov eax,dword ptr ss:[ebp-1C]     ; [ebp-1C] = RegionSize
00415CE5  add edi,eax                       ; advance to the next region
00415CE7  push 1C                           ; /BufSize = 1C (28.)
00415CE9  lea eax,dword ptr ss:[ebp-28]     ; MEMORY_BASIC_INFORMATION buffer
00415CEC  push eax                          ; Buffer
00415CED  push edi                          ; Address
00415CEE  mov eax,dword ptr ss:[ebp-8]      ;
00415CF1  push eax                          ; hProcess
00415CF2  call                              ; VirtualQueryEx: get memory region information
00415CF7  cmp eax,1C
00415CFA  je short CORALQQ.00415CBA         ; got a full 1C-byte structure: keep walking
00415CFC  jmp short CORALQQ.00415D29
The code above checks the Windows version (the test against 80000000 follows GetVersion's convention: bit 31 is set on Win9x and clear on NT). On Win9x the je is not taken, edi and esi are zeroed and execution jumps to 415CE7, where VirtualQueryEx is called on the target process region by region, starting at address 0, with a 1C-byte MEMORY_BASIC_INFORMATION buffer at [ebp-28]. Whenever a region belongs to a new allocation (its AllocationBase at [ebp-24] differs from esi), that allocation base is stored through the pointer held in [ebp-4]; if the region is also committed (State at [ebp-18] equals 1000, MEM_COMMIT) the helper at 415BD4 is called to decide whether this is the allocation of interest, and a hit sets bl to 1 and leaves the loop. Otherwise edi is advanced by RegionSize ([ebp-1C]) and the walk continues until VirtualQueryEx no longer returns 1C.
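As an added example (not code from the article and not CoralQQ's own code), here is the loop from 00415CB4 to 00415CFC rebuilt in C. Compiled on Windows it calls the real VirtualQueryEx on the current process; elsewhere a mock backed by a constructed memory map stands in for it so the loop logic can be exercised offline. The predicate base_equals, the map's addresses and the TARGET_PROCESS macro are assumptions of this example and stand in for the helper at 00415BD4, whose body is not on this page.

```c
/* Added example, not the article's or CoralQQ's code: the Win9x
 * address-space walk at 00415CB4..00415CFC, reconstructed in C. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#define TARGET_PROCESS GetCurrentProcess()   /* real API: walk our own map */
#else
/* Mock build only: minimal stand-ins for the Win32 names used below. */
typedef void *HANDLE;
typedef void *PVOID;
typedef uint32_t DWORD;
typedef size_t SIZE_T;
#define MEM_COMMIT  0x1000
#define MEM_RESERVE 0x2000
#define MEM_FREE    0x10000
#define TARGET_PROCESS ((HANDLE)0)           /* ignored by the mock */
typedef struct {                /* 32-bit layout is 0x1C bytes, as the disassembly expects */
    PVOID  BaseAddress;         /* [ebp-28] */
    PVOID  AllocationBase;      /* [ebp-24] */
    DWORD  AllocationProtect;
    SIZE_T RegionSize;          /* [ebp-1C] */
    DWORD  State;               /* [ebp-18] */
    DWORD  Protect;
    DWORD  Type;
} MEMORY_BASIC_INFORMATION;

/* Constructed memory map (illustrative addresses, not from the article): a free
 * gap, then three allocations; the second one begins with a reserved region. */
static const MEMORY_BASIC_INFORMATION fake_map[] = {
    { (PVOID)0x0,      NULL,            0x00, 0x400000, MEM_FREE,    0x00, 0x0 },
    { (PVOID)0x400000, (PVOID)0x400000, 0x80, 0x001000, MEM_COMMIT,  0x02, 0x1000000 },
    { (PVOID)0x401000, (PVOID)0x400000, 0x80, 0x020000, MEM_COMMIT,  0x20, 0x1000000 },
    { (PVOID)0x421000, (PVOID)0x421000, 0x04, 0x010000, MEM_RESERVE, 0x00, 0x20000 },
    { (PVOID)0x431000, (PVOID)0x421000, 0x04, 0x001000, MEM_COMMIT,  0x04, 0x20000 },
    { (PVOID)0x432000, (PVOID)0x432000, 0x04, 0x003000, MEM_COMMIT,  0x04, 0x20000 },
};

/* Mock VirtualQueryEx: the region containing addr, or 0 once past the last
 * region (the real API also returns 0 at the end of the address space). */
static SIZE_T VirtualQueryEx(HANDLE h, const void *addr,
                             MEMORY_BASIC_INFORMATION *mbi, SIZE_T len)
{
    (void)h;
    if (len < sizeof *mbi) return 0;
    for (size_t i = 0; i < sizeof fake_map / sizeof fake_map[0]; i++) {
        uintptr_t base = (uintptr_t)fake_map[i].BaseAddress;
        if ((uintptr_t)addr >= base && (uintptr_t)addr < base + fake_map[i].RegionSize) {
            *mbi = fake_map[i];
            return sizeof *mbi;
        }
    }
    return 0;
}
#endif

/* Role of the call at 00415CD1: decide whether the committed first region of
 * an allocation is the one being searched for. */
typedef int (*region_pred_t)(HANDLE h, const MEMORY_BASIC_INFORMATION *mbi, void *ctx);

/* The loop at 00415CBA..00415CFA: addr is edi, cur_alloc is esi, and
 * *last_alloc_base is the slot written through [ebp-4].  Returns 1 as soon as
 * pred accepts a region (bl = 1), 0 if the walk runs off the end. */
static int walk_allocations(HANDLE hProcess, region_pred_t pred, void *ctx,
                            PVOID *last_alloc_base)
{
    MEMORY_BASIC_INFORMATION mbi;
    uintptr_t addr = 0;
    PVOID cur_alloc = NULL;
    while (VirtualQueryEx(hProcess, (const void *)addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.AllocationBase != cur_alloc) {
            /* first region of a new allocation: record it; only a committed one
             * (State == 0x1000) is handed to the predicate */
            *last_alloc_base = mbi.AllocationBase;
            if (mbi.State == MEM_COMMIT && pred(hProcess, &mbi, ctx))
                return 1;
            cur_alloc = mbi.AllocationBase;
        }
        addr += mbi.RegionSize;             /* edi += RegionSize */
    }
    return 0;
}

/* Example predicate (an assumption, not what 00415BD4 does): match on base. */
static int base_equals(HANDLE h, const MEMORY_BASIC_INFORMATION *mbi, void *ctx)
{
    (void)h;
    return mbi->BaseAddress == *(PVOID *)ctx;
}

/* 1 if the walk finds an allocation whose committed first region starts at wanted. */
static int find_allocation(uintptr_t wanted)
{
    PVOID want = (PVOID)wanted, last = NULL;
    return walk_allocations(TARGET_PROCESS, base_equals, &want, &last);
}

/* The last AllocationBase the walk stored through its output pointer. */
static uintptr_t last_allocation_seen(uintptr_t wanted)
{
    PVOID want = (PVOID)wanted, last = NULL;
    walk_allocations(TARGET_PROCESS, base_equals, &want, &last);
    return (uintptr_t)last;
}

int main(void)
{
    printf("0x432000: hit=%d, last base=%#lx\n", find_allocation(0x432000),
           (unsigned long)last_allocation_seen(0x432000));
    printf("0x431000: hit=%d (committed, but not first in its allocation)\n",
           find_allocation(0x431000));
    return 0;
}
```

The constructed map is chosen to expose a property of the original loop: the helper is only ever consulted for the first region of each allocation, and only when that region is committed. An allocation whose first region is merely reserved (0x421000 in the map) is skipped entirely, even though a committed region (0x431000) sits inside it, and a hit is only reported for bases such as 0x400000 or 0x432000.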
Further on, at 00415A4B, the plug-in writes into the target process:
00415A4B > lea eax,dword ptr ss:[ebp-8]
00415A4E   push eax                        ; /pBytesWritten
00415A4F   push edi                        ; BytesToWrite
00415A50   mov eax,dword ptr ss:[ebp-4]    ;
00415A53   push eax                        ; Buffer
00415A54   push esi                        ; Address
00415A55   push ebx                        ; hProcess
00415A56   call                            ; WriteProcessMemory
The stack at this call:
0067EA5C  0000000C  hProcess = 0000000C
0067EA60  83138AAC  Address = 83138AAC
0067EA64  0067EABC  Buffer = 0067EABC
0067EA68  00000292  BytesToWrite = 292 (658.)
0067EA6C  0067EA7C  pBytesWritten = 0067EA7C
Note that the target address, 83138AAC, lies above 80000000: on Win9x that range is the shared system arena, which is mapped identically into every process.