作者:lordor
来自:NukeGroup
网页:www.digitalnuke.com
论坛:http://www.digitalnuke.com/forum/index.php
前言:这里列出一种cracker跟踪的方法,用来手动清除恶意网页代码带来的恶果。
使用Mozilla1浏览总是会有一些问题,如有时不能解析主页地址什么。但用IE的话会经常遭到恶意网页的伏击。
很不幸,我今天中招了:病毒(还好有KV杀了),禁用注册表,不能修改默认主页。
真是可恶,现在我们来看看恶意网页的是怎么攻击的
用ollydbg载入regedit.exe程序
0100734A PUSH ESI
0100734B PUSH EDI
0100734C CALL DWORD PTR DS:[<&KERNEL32.GetThreadL>; [GetThreadLocale
01007352 XOR EBP,EBP
01007354 PUSH EBP ; /pModule => NULL
01007355 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; \GetModuleHandleW
0100735B PUSH EBP ; /Title => NULL
0100735C PUSH regedit.01001500 ; |Class = "RegEdit_RegEdit"
01007361 MOV DWORD PTR DS:[104C3E0],EAX ; |
01007366 CALL DWORD PTR DS:[<&USER32.FindWindowW>>; \FindWindowW
0100736C MOV ESI,EAX
0100736E CALL regedit.010074A8
01007373 DEC EAX ; Switch (cases 1..2)
01007374 JE regedit.01007481
0100737A DEC EAX
0100737B JE regedit.01007497
01007381 CMP ESI,EBP ; Default case of switch 01007373
01007383 JE SHORT regedit.010073C3
01007385 PUSH ESI ; /hWnd
01007386 CALL DWORD PTR DS:[<&USER32.IsIconic>] ; \IsIconic
0100738C TEST EAX,EAX
0100738E JE SHORT regedit.0100739E
01007390 PUSH 9 ; /ShowState = SW_RESTORE
01007392 PUSH ESI ; |hWnd
01007393 CALL DWORD PTR DS:[<&USER32.ShowWindow>] ; \ShowWindow
01007399 JMP regedit.01007497
0100739E MOV EDI,DWORD PTR DS:[<&USER32.BringWind>; USER32.BringWindowToTop
010073A4 PUSH ESI ; /hWnd
010073A5 CALL EDI ; \BringWindowToTop
010073A7 PUSH ESI ; /hOwner
010073A8 CALL DWORD PTR DS:[<&USER32.GetLastActiv>; \GetLastActivePopup
010073AE MOV EBX,EAX
010073B0 CMP EBX,ESI
010073B2 JE SHORT regedit.010073B7
010073B4 PUSH EBX ; /hWnd
010073B5 CALL EDI ; \BringWindowToTop
010073B7 PUSH EBX ; /hWnd
010073B8 CALL DWORD PTR DS:[<&USER32.SetForegroun>; \SetForegroundWindow
010073BE JMP regedit.01007497
010073C3 CALL regedit.010075ED ==>关键call,请看下面
010073C8 TEST EAX,EAX ==>测试是否禁用
010073CA JE SHORT regedit.010073E6
010073CC PUSH 10
010073CE PUSH 10
010073D0 PUSH 28
010073D2 PUSH EBP
010073D3 PUSH DWORD PTR DS:[104C3E0] ; regedit.01000000
010073D9 CALL regedit.010078B1 ==>显示信息
010073DE ADD ESP,14
010073E1 JMP regedit.01007497
010073E6 PUSH 1C
-----------------------
010073C3 CALL regedit.010075ED
010075ED PUSH EBP
010075EE MOV EBP,ESP
010075F0 SUB ESP,10
010075F3 LEA EAX,DWORD PTR SS:[EBP-8]
010075F6 PUSH EDI
010075F7 PUSH EAX ; /pHandle
010075F8 PUSH regedit.01001788 ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Policies\System"
010075FD PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
01007602 XOR EDI,EDI ; |
01007604 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; \RegOpenKeyW
0100760A TEST EAX,EAX
0100760C JNZ SHORT regedit.01007651 ==>改这里跳过即可
0100760E LEA EAX,DWORD PTR SS:[EBP-4]
01007611 MOV DWORD PTR SS:[EBP-4],4
01007618 PUSH EAX ; /pBufSize
01007619 LEA EAX,DWORD PTR SS:[EBP-10] ; |
0100761C PUSH EAX ; |Buffer
0100761D LEA EAX,DWORD PTR SS:[EBP-C] ; |
01007620 PUSH EAX ; |pValueType
01007621 PUSH EDI ; |Reserved => NULL
01007622 PUSH regedit.0100175C ; |ValueName = "DisableRegistryTools"
01007627 PUSH DWORD PTR SS:[EBP-8] ; |hKey
0100762A CALL DWORD PTR DS:[<&ADVAPI32.RegQueryVa>; \RegQueryValueExW
01007630 TEST EAX,EAX
01007632 JNZ SHORT regedit.01007648
01007634 CMP DWORD PTR SS:[EBP-C],4
01007638 JNZ SHORT regedit.01007648
0100763A CMP DWORD PTR SS:[EBP-4],4
可以看到这段代码是读注册表中的"DisableRegistryTools"项值,如为1则禁用注册表.
恢复方法:
按上面信息:把0100760C JNZ SHORT regedit.01007651 改为jmp即可永久解除禁用注册表,也可以在进入注册表后,在"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
把DisableRegistryTools的值改为0即可。
或写注册表文件
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
解除注册表限制后,还有一个它禁止设置默认网页,用WindowEnable下断来到这里
023CFDE7 33F6 XOR ESI,ESI
023CFDE9 56 PUSH ESI
023CFDEA 6A 03 PUSH 3
023CFDEC 68 C5000000 PUSH 0C5
023CFDF1 68 D4050000 PUSH 5D4
023CFDF6 53 PUSH EBX
023CFDF7 FFD7 CALL EDI
023CFDF9 50 PUSH EAX
023CFDFA FF15 B0113C02 CALL DWORD PTR DS:[<&SHLWAPI.#136>] ; SHLWAPI.#136
023CFE00 66:3935 48E13D02 CMP WORD PTR DS:[23DE148],SI
023CFE07 74 2A JE SHORT inetcpl.023CFE33
023CFE09 68 80000000 PUSH 80
023CFE0E 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
023CFE12 50 PUSH EAX
023CFE13 68 1B120000 PUSH 121B
023CFE18 E8 B6070000 CALL inetcpl.023D05D3
023CFE1D 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
023CFE21 50 PUSH EAX
023CFE22 56 PUSH ESI
023CFE23 6A 0C PUSH 0C
023CFE25 53 PUSH EBX
023CFE26 FF15 CC133C02 CALL DWORD PTR DS:[<&USER32.GetParent>] ; USER32.GetParent
023CFE2C 50 PUSH EAX
023CFE2D FF15 B0113C02 CALL DWORD PTR DS:[<&SHLWAPI.#136>] ; SHLWAPI.#136
023CFE33 3935 ECE03D02 CMP DWORD PTR DS:[23DE0EC],ESI
023CFE39 74 30 JE SHORT inetcpl.023CFE6B
023CFE3B 56 PUSH ESI
023CFE3C 68 CF050000 PUSH 5CF
023CFE41 53 PUSH EBX
023CFE42 FFD7 CALL EDI
023CFE44 50 PUSH EAX
023CFE45 FFD5 CALL EBP =>enablewindow
023 PUSH ESI
023CFE48 68 CD050000 PUSH 5CD
023CFE4D 53 PUSH EBX
023CFE4E FFD7 CALL EDI
023CFE50 50 PUSH EAX
023CFE51 FFD5 CALL EBP
023CFE53 56 PUSH ESI
023CFE54 68 94010000 PUSH 194
023CFE59 53 PUSH EBX
023CFE5A FFD7 CALL EDI
023CFE5C 50 PUSH EAX
023CFE5D FFD5 CALL EBP
023CFE5F 56 PUSH ESI
023CFE60 68 CE050000 PUSH 5CE
023CFE65 53 PUSH EBX
023CFE66 FFD7 CALL EDI
023CFE68 50 PUSH EAX
023CFE69 FFD5 CALL EBP
023CFE6B 3935 38E13D02 CMP DWORD PTR DS:[23DE138],ESI
023CFE71 74 24 JE SHORT inetcpl.023CFE97
023CFE73 56 PUSH ESI
023CFE74 68 73020000 PUSH 273
023CFE79 53 PUSH EBX
023CFE7A FFD7 CALL EDI
023CFE7C 50 PUSH EAX
023CFE7D FFD5 CALL EBP
023CFE7F 56 PUSH ESI
023CFE80 68 70020000 PUSH 270
023CFE85 53 PUSH EBX
023CFE86 FFD7 CALL EDI
023CFE88 50 PUSH EAX
023CFE89 FFD5 CALL EBP
023CFE8B 56 PUSH ESI
023CFE8C 68 D2050000 PUSH 5D2
023CFE91 53 PUSH EBX
023CFE92 FFD7 CALL EDI
023CFE94 50 PUSH EAX
023CFE95 FFD5 CALL EBP
023CFE97 3935 F0E03D02 CMP DWORD PTR DS:[23DE0F0],ESI
023CFE9D 74 24 JE SHORT inetcpl.023CFEC3
023CFE9F 56 PUSH ESI
023CFEA0 68 D4050000 PUSH 5D4
023CFEA5 53 PUSH EBX
023CFEA6 FFD7 CALL EDI
023CFEA8 50 PUSH EAX
023CFEA9 FFD5 CALL EBP
023CFEAB 56 PUSH ESI
023CFEAC 68 D5050000 PUSH 5D5
023CFEB1 53 PUSH EBX
023CFEB2 FFD7 CALL EDI
023CFEB4 50 PUSH EAX
023CFEB5 FFD5 CALL EBP
023CFEB7 56 PUSH ESI
023CFEB8 68 D1050000 PUSH 5D1
023CFEBD 53 PUSH EBX
023CFEBE FFD7 CALL EDI
023CFEC0 50 PUSH EAX
023CFEC1 FFD5 CALL EBP
023CFEC3 5F POP EDI
023CFEC4 33C0 XOR EAX,EAX
023CFEC6 5D POP EBP
023CFEC7 40 INC EAX
在比较的地方如:
023CFE33 3935 ECE03D02 CMP DWORD PTR DS:[23DE0EC],ESI
023CFE6B 3935 38E13D02 CMP DWORD PTR DS:[23DE138],ESI
下硬件断点,如[23DE0EC]
来到这里
023D2A3D PUSH DWORD PTR SS:[EBP-4]
023D2A40 MOV DWORD PTR DS:[ESI+30],EAX
023D2A43 CALL inetcpl.023D2905
023D2A48 PUSH inetcpl.023C4204 ; UNICODE "History"
023D2A4D PUSH DWORD PTR SS:[EBP-4]
023D2A50 MOV DWORD PTR DS:[ESI+34],EAX
023D2A53 CALL inetcpl.023D2905
023D2A58 PUSH inetcpl.023C4214 ; UNICODE "Messaging"
023D2A5D PUSH DWORD PTR SS:[EBP-4]
023D2A60 MOV DWORD PTR DS:[ESI+38],EAX
023D2A63 CALL inetcpl.023D2905
023D2A68 PUSH inetcpl.023C4270 ; UNICODE "Ratings"
向上看
023D2950 PUSH inetcpl.023C4058 ; UNICODE "Software\Policies\Microsoft\Internet Explorer\Control Panel"
023D2955 PUSH 80000001
023D295A CALL DWORD PTR DS:[<&SHLWAPI.#125>] ; SHLWAPI.#125
023D2960 TEST EAX,EAX
023D2962 JNZ inetcpl.023D2BC1
023D2968 PUSH ESI
进注册表看一下
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001
只要把"HomePage"=dword:00000001值改为0即可解除设置主页的限制。另外还有标题显示其它信息,进入注册表
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]把main项删掉吧。
到此又把Ie恢复正常了。
欢迎访问NukeGroup论坛,共同探讨加解密技术。
by lordor 2004.3.12
本文地址:http://com.8s8s.com/it/it37228.htm