Cracking techniques put to everyday use: manually removing the effects of malicious web page code



Author: lordor
From: NukeGroup
Website: www.digitalnuke.com
Forum: http://www.digitalnuke.com/forum/index.php

Preface: this article describes a cracker-style tracing method for manually undoing the damage done by malicious web page code.

Browsing with Mozilla 1 always comes with a few problems, such as occasionally failing to resolve a home page address. Using IE, on the other hand, means constantly being ambushed by malicious web pages.

Unfortunately, I got hit today: a virus (luckily KV killed it), the registry editor disabled, and the default home page locked so it could not be changed.
Truly infuriating. Now let's look at how the malicious page carries out its attack.

 

Load regedit.exe into OllyDbg:

0100734A  PUSH ESI
0100734B  PUSH EDI
0100734C  CALL DWORD PTR DS:[<&KERNEL32.GetThreadL>; [GetThreadLocale
01007352  XOR EBP,EBP
01007354  PUSH EBP                                 ; /pModule => NULL
01007355  CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; \GetModuleHandleW
0100735B  PUSH EBP                                 ; /Title => NULL
0100735C  PUSH regedit.01001500                    ; |Class = "RegEdit_RegEdit"
01007361  MOV DWORD PTR DS:[104C3E0],EAX           ; |
01007366  CALL DWORD PTR DS:[<&USER32.FindWindowW>>; \FindWindowW
0100736C  MOV ESI,EAX
0100736E  CALL regedit.010074A8
01007373  DEC EAX                                  ;  Switch (cases 1..2)
01007374  JE regedit.01007481
0100737A  DEC EAX
0100737B  JE regedit.01007497
01007381  CMP ESI,EBP                              ;  Default case of switch 01007373
01007383  JE SHORT regedit.010073C3
01007385  PUSH ESI                                 ; /hWnd
01007386  CALL DWORD PTR DS:[<&USER32.IsIconic>]   ; \IsIconic
0100738C  TEST EAX,EAX
0100738E  JE SHORT regedit.0100739E
01007390  PUSH 9                                   ; /ShowState = SW_RESTORE
01007392  PUSH ESI                                 ; |hWnd
01007393  CALL DWORD PTR DS:[<&USER32.ShowWindow>] ; \ShowWindow
01007399  JMP regedit.01007497
0100739E  MOV EDI,DWORD PTR DS:[<&USER32.BringWind>;  USER32.BringWindowToTop
010073A4  PUSH ESI                                 ; /hWnd
010073A5  CALL EDI                                 ; \BringWindowToTop
010073A7  PUSH ESI                                 ; /hOwner
010073A8  CALL DWORD PTR DS:[<&USER32.GetLastActiv>; \GetLastActivePopup
010073AE  MOV EBX,EAX
010073B0  CMP EBX,ESI
010073B2  JE SHORT regedit.010073B7
010073B4  PUSH EBX                                 ; /hWnd
010073B5  CALL EDI                                 ; \BringWindowToTop
010073B7  PUSH EBX                                 ; /hWnd
010073B8  CALL DWORD PTR DS:[<&USER32.SetForegroun>; \SetForegroundWindow
010073BE  JMP regedit.01007497
010073C3  CALL regedit.010075ED  ==> the key call, see below
010073C8  TEST EAX,EAX   ==> tests whether the registry editor is disabled
010073CA  JE SHORT regedit.010073E6
010073CC  PUSH 10
010073CE  PUSH 10
010073D0  PUSH 28
010073D2  PUSH EBP
010073D3  PUSH DWORD PTR DS:[104C3E0]              ;  regedit.01000000
010073D9  CALL regedit.010078B1  ==> displays the "disabled by administrator" message
010073DE  ADD ESP,14
010073E1  JMP regedit.01007497
010073E6  PUSH 1C

-----------------------
010073C3  CALL regedit.010075ED 

010075ED    PUSH EBP
010075EE    MOV EBP,ESP
010075F0    SUB ESP,10
010075F3    LEA EAX,DWORD PTR SS:[EBP-8]
010075F6    PUSH EDI
010075F7    PUSH EAX                                 ; /pHandle
010075F8    PUSH regedit.01001788                    ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Policies\System"
010075FD    PUSH 80000001                            ; |hKey = HKEY_CURRENT_USER
01007602    XOR EDI,EDI                              ; |
01007604    CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyW
0100760A    TEST EAX,EAX
0100760C    JNZ SHORT regedit.01007651   ==> patch this jump so the check is skipped
0100760E    LEA EAX,DWORD PTR SS:[EBP-4]
01007611    MOV DWORD PTR SS:[EBP-4],4
01007618    PUSH EAX                                 ; /pBufSize
01007619    LEA EAX,DWORD PTR SS:[EBP-10]            ; |
0100761C    PUSH EAX                                 ; |Buffer
0100761D    LEA EAX,DWORD PTR SS:[EBP-C]             ; |
01007620    PUSH EAX                                 ; |pValueType
01007621    PUSH EDI                                 ; |Reserved => NULL
01007622    PUSH regedit.0100175C                    ; |ValueName = "DisableRegistryTools"
01007627    PUSH DWORD PTR SS:[EBP-8]                ; |hKey
0100762A    CALL DWORD PTR DS:[<&ADVAPI32.RegQueryVa>; \RegQueryValueExW
01007630    TEST EAX,EAX
01007632    JNZ SHORT regedit.01007648
01007634    CMP DWORD PTR SS:[EBP-C],4
01007638    JNZ SHORT regedit.01007648
0100763A    CMP DWORD PTR SS:[EBP-4],4

As you can see, this function opens HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and reads the "DisableRegistryTools" value, accepting it only if its type is REG_DWORD (the CMP against 4 on the value type) and its size is 4 bytes; if the value is 1, the registry editor is disabled.
Recovery:
Following the listing above, change 0100760C    JNZ SHORT regedit.01007651 to a JMP and the registry lockout is permanently lifted. Alternatively, once inside the registry editor, go to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
and set DisableRegistryTools to 0.
Or write a registry file:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000


After lifting the registry restriction there is still another one that prevents setting the default home page. Set a breakpoint on EnableWindow and you land here:

023CFDE7      33F6             XOR ESI,ESI
023CFDE9      56               PUSH ESI
023CFDEA      6A 03            PUSH 3
023CFDEC      68 C5000000      PUSH 0C5
023CFDF1      68 D4050000      PUSH 5D4
023CFDF6      53               PUSH EBX
023CFDF7      FFD7             CALL EDI
023CFDF9      50               PUSH EAX
023CFDFA      FF15 B0113C02    CALL DWORD PTR DS:[<&SHLWAPI.#136>]      ; SHLWAPI.#136
023CFE00      66:3935 48E13D02 CMP WORD PTR DS:[23DE148],SI
023CFE07      74 2A            JE SHORT inetcpl.023CFE33
023CFE09      68 80000000      PUSH 80
023CFE0E      8D4424 14        LEA EAX,DWORD PTR SS:[ESP+14]
023CFE12      50               PUSH EAX
023CFE13      68 1B120000      PUSH 121B
023CFE18      E8 B6070000      CALL inetcpl.023D05D3
023CFE1D      8D4424 10        LEA EAX,DWORD PTR SS:[ESP+10]
023CFE21      50               PUSH EAX
023CFE22      56               PUSH ESI
023CFE23      6A 0C            PUSH 0C
023CFE25      53               PUSH EBX
023CFE26      FF15 CC133C02    CALL DWORD PTR DS:[<&USER32.GetParent>]  ; USER32.GetParent
023CFE2C      50               PUSH EAX
023CFE2D      FF15 B0113C02    CALL DWORD PTR DS:[<&SHLWAPI.#136>]      ; SHLWAPI.#136
023CFE33      3935 ECE03D02    CMP DWORD PTR DS:[23DE0EC],ESI
023CFE39      74 30            JE SHORT inetcpl.023CFE6B
023CFE3B      56               PUSH ESI
023CFE3C      68 CF050000      PUSH 5CF
023CFE41      53               PUSH EBX
023CFE42      FFD7             CALL EDI
023CFE44      50               PUSH EAX
023CFE45      FFD5             CALL EBP  => EnableWindow
023CFE47      56               PUSH ESI
023CFE48      68 CD050000      PUSH 5CD
023CFE4D      53               PUSH EBX
023CFE4E      FFD7             CALL EDI
023CFE50      50               PUSH EAX
023CFE51      FFD5             CALL EBP
023CFE53      56               PUSH ESI
023CFE54      68 94010000      PUSH 194
023CFE59      53               PUSH EBX
023CFE5A      FFD7             CALL EDI
023CFE5C      50               PUSH EAX
023CFE5D      FFD5             CALL EBP
023CFE5F      56               PUSH ESI
023CFE60      68 CE050000      PUSH 5CE
023CFE65      53               PUSH EBX
023CFE66      FFD7             CALL EDI
023CFE68      50               PUSH EAX
023CFE69      FFD5             CALL EBP
023CFE6B      3935 38E13D02    CMP DWORD PTR DS:[23DE138],ESI
023CFE71      74 24            JE SHORT inetcpl.023CFE97
023CFE73      56               PUSH ESI
023CFE74      68 73020000      PUSH 273
023CFE79      53               PUSH EBX
023CFE7A      FFD7             CALL EDI
023CFE7C      50               PUSH EAX
023CFE7D      FFD5             CALL EBP
023CFE7F      56               PUSH ESI
023CFE80      68 70020000      PUSH 270
023CFE85      53               PUSH EBX
023CFE86      FFD7             CALL EDI
023CFE88      50               PUSH EAX
023CFE89      FFD5             CALL EBP
023CFE8B      56               PUSH ESI
023CFE8C      68 D2050000      PUSH 5D2
023CFE91      53               PUSH EBX
023CFE92      FFD7             CALL EDI
023CFE94      50               PUSH EAX
023CFE95      FFD5             CALL EBP
023CFE97      3935 F0E03D02    CMP DWORD PTR DS:[23DE0F0],ESI
023CFE9D      74 24            JE SHORT inetcpl.023CFEC3
023CFE9F      56               PUSH ESI
023CFEA0      68 D4050000      PUSH 5D4
023CFEA5      53               PUSH EBX
023CFEA6      FFD7             CALL EDI
023CFEA8      50               PUSH EAX
023CFEA9      FFD5             CALL EBP
023CFEAB      56               PUSH ESI
023CFEAC      68 D5050000      PUSH 5D5
023CFEB1      53               PUSH EBX
023CFEB2      FFD7             CALL EDI
023CFEB4      50               PUSH EAX
023CFEB5      FFD5             CALL EBP
023CFEB7      56               PUSH ESI
023CFEB8      68 D1050000      PUSH 5D1
023CFEBD      53               PUSH EBX
023CFEBE      FFD7             CALL EDI
023CFEC0      50               PUSH EAX
023CFEC1      FFD5             CALL EBP
023CFEC3      5F               POP EDI
023CFEC4      33C0             XOR EAX,EAX
023CFEC6      5D               POP EBP
023CFEC7      40               INC EAX

 

At the comparison points, such as:
023CFE33      3935 ECE03D02    CMP DWORD PTR DS:[23DE0EC],ESI
023CFE6B      3935 38E13D02    CMP DWORD PTR DS:[23DE138],ESI
set a hardware breakpoint, for example on [23DE0EC].


You arrive here:
023D2A3D    PUSH DWORD PTR SS:[EBP-4]
023D2A40    MOV DWORD PTR DS:[ESI+30],EAX
023D2A43    CALL inetcpl.023D2905
023D2A48    PUSH inetcpl.023C4204                    ; UNICODE "History"
023D2A4D    PUSH DWORD PTR SS:[EBP-4]
023D2A50    MOV DWORD PTR DS:[ESI+34],EAX
023D2A53    CALL inetcpl.023D2905
023D2A58    PUSH inetcpl.023C4214                    ; UNICODE "Messaging"
023D2A5D    PUSH DWORD PTR SS:[EBP-4]
023D2A60    MOV DWORD PTR DS:[ESI+38],EAX
023D2A63    CALL inetcpl.023D2905
023D2A68    PUSH inetcpl.023C4270                    ; UNICODE "Ratings"

Looking further up:
023D2950    PUSH inetcpl.023C4058                    ; UNICODE "Software\Policies\Microsoft\Internet Explorer\Control Panel"
023D2955    PUSH 80000001
023D295A    CALL DWORD PTR DS:[<&SHLWAPI.#125>]      ; SHLWAPI.#125
023D2960    TEST EAX,EAX
023D2962    JNZ inetcpl.023D2BC1
023D2968    PUSH ESI
Now check the registry:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001


Simply change "HomePage"=dword:00000001 to 0 and the restriction on setting the home page is lifted. The title bar also shows extra text; open the registry at
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] and delete the Main key.
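The two registry lockouts traced above (DisableRegistryTools under Policies\System, and HomePage under Policies\Microsoft\Internet Explorer\Control Panel) plus the title-bar text under Internet Explorer\Main can be audited from a `reg export` dump without touching the debugger at all. The following script is an added example written for this page, not the author's or NukeGroup's code: it parses the subset of the `Windows Registry Editor Version 5.00` format used in the article, reports any policy value that is set non-zero, and emits an undo .reg file that zeroes them. The sample export embedded in it is constructed. One deliberate difference from the text: instead of deleting the whole Main key, the generated fix removes only the "Window Title" value (the `=-` syntax), so the user's other IE settings survive.

```python
"""Audit a .reg export for the browser-hijack policy values described in the
article and emit the undo .reg file.  Added example for this page; the key and
value names come from the article, the sample export below is constructed."""
import re
from typing import Dict, List, Tuple

# The two policy values the article traces in regedit.exe and inetcpl.cpl.
# A non-zero REG_DWORD here disables the registry editor / the home-page UI.
LOCKOUT_POLICIES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        "DisableRegistryTools",
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel":
        "HomePage",
}
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# Constructed sample export; not data from the article or from a real machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://example.invalid/"
"Window Title"="EXAMPLE HIJACKED TITLE"
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')
_STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax used here: keys, REG_DWORD and REG_SZ values."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        if current is None:
            continue  # value line before any key header: ignore
        m = _DWORD_RE.match(line)
        if m:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
            continue
        m = _STR_RE.match(line)
        if m:
            keys[current][m.group("name")] = m.group("val")
    return keys


def find_lockouts(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str, int]]:
    """Return (key, value name, value) for every lockout policy set to non-zero."""
    hits = []
    for key, name in LOCKOUT_POLICIES.items():
        val = keys.get(key, {}).get(name)
        if isinstance(val, int) and val != 0:
            hits.append((key, name, val))
    return hits


def find_title_hijack(keys: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return the injected "Window Title" value under IE's Main key, if present."""
    main = keys.get(IE_MAIN_KEY, {})
    return [(n, v) for n, v in main.items() if n == "Window Title" and isinstance(v, str)]


def build_fix(keys: Dict[str, Dict[str, object]]) -> str:
    """Emit a .reg file that zeroes the lockout policies and deletes the title value."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, _ in find_lockouts(keys):
        lines += [f"[{key}]", f'"{name}"=dword:00000000', ""]
    if find_title_hijack(keys):
        lines += [f"[{IE_MAIN_KEY}]", '"Window Title"=-', ""]  # "=-" deletes a value
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    for key, name, val in find_lockouts(parsed):
        print(f"LOCKOUT {key}\\{name} = {val}")
    for name, val in find_title_hijack(parsed):
        print(f"TITLE   {name} = {val!r}")
    print(build_fix(parsed))
```

Run it against a real dump by replacing SAMPLE_EXPORT with the text of `reg export HKCU hkcu.reg` (decoded from UTF-16), review the reported hits, and only then import the generated fix file; the parser intentionally understands only REG_DWORD and REG_SZ lines, which is all these checks need.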

With that, IE is back to normal again.

You are welcome to visit the NukeGroup forum to discuss encryption and cracking techniques together.

by lordor, 2004.3.12

Original article address: http://com.8s8s.com/it/it37228.htm