Why Is It Always Me Who Gets Hurt -- Manually Removing Malicious Web Page Code

Kanxue (看雪) archive, published 2015-11-15

Author: lordor
From: NukeGroup
Website: www.digitalnuke.com
Forum: http://www.digitalnuke.com/forum/index.php



Browsing with Mozilla 1 always has a few problems, such as occasionally failing to resolve the home page address. With IE, on the other hand, you regularly get ambushed by malicious web pages.

Unfortunately, I got hit today: a virus (luckily KV killed it), Registry Editor disabled, and the default home page could not be changed.
Really annoying. Now let's look at how the malicious page carries out its attack.



Load regedit.exe in OllyDbg:

0100734A  PUSH ESI
0100734B  PUSH EDI
0100734C  CALL DWORD PTR DS:[<&KERNEL32.GetThreadL>; [GetThreadLocale
01007352  XOR EBP,EBP
01007354  PUSH EBP                                 ; /pModule => NULL
01007355  CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; GetModuleHandleW
0100735B  PUSH EBP                                 ; /Title => NULL
0100735C  PUSH regedit.01001500                    ; |Class = "RegEdit_RegEdit"
01007361  MOV DWORD PTR DS:[104C3E0],EAX           ; |
01007366  CALL DWORD PTR DS:[<&USER32.FindWindowW>>; FindWindowW
0100736C  MOV ESI,EAX
0100736E  CALL regedit.010074A8
01007373  DEC EAX                                  ;  Switch (cases 1..2)
01007374  JE regedit.01007481
0100737A  DEC EAX
0100737B  JE regedit.01007497
01007381  CMP ESI,EBP                              ;  Default case of switch 01007373
01007383  JE SHORT regedit.010073C3
01007385  PUSH ESI                                 ; /hWnd
01007386  CALL DWORD PTR DS:[<&USER32.IsIconic>]   ; IsIconic
0100738C  TEST EAX,EAX
0100738E  JE SHORT regedit.0100739E
01007390  PUSH 9                                   ; /ShowState = SW_RESTORE
01007392  PUSH ESI                                 ; |hWnd
01007393  CALL DWORD PTR DS:[<&USER32.ShowWindow>] ; ShowWindow
01007399  JMP regedit.01007497
0100739E  MOV EDI,DWORD PTR DS:[<&USER32.BringWind>;  USER32.BringWindowToTop
010073A4  PUSH ESI                                 ; /hWnd
010073A5  CALL EDI                                 ; BringWindowToTop
010073A7  PUSH ESI                                 ; /hOwner
010073A8  CALL DWORD PTR DS:[<&USER32.GetLastActiv>; GetLastActivePopup
010073AE  MOV EBX,EAX
010073B0  CMP EBX,ESI
010073B2  JE SHORT regedit.010073B7
010073B4  PUSH EBX                                 ; /hWnd
010073B5  CALL EDI                                 ; BringWindowToTop
010073B7  PUSH EBX                                 ; /hWnd
010073B8  CALL DWORD PTR DS:[<&USER32.SetForegroun>; SetForegroundWindow
010073BE  JMP regedit.01007497
010073C3  CALL regedit.010075ED    ==> key call, see below
010073C8  TEST EAX,EAX      ==> test whether Registry Editor is disabled
010073CA  JE SHORT regedit.010073E6
010073CC  PUSH 10
010073CE  PUSH 10
010073D0  PUSH 28
010073D2  PUSH EBP
010073D3  PUSH DWORD PTR DS:[104C3E0]              ;  regedit.01000000
010073D9  CALL regedit.010078B1    ==> show the "disabled" message
010073DE  ADD ESP,14
010073E1  JMP regedit.01007497
010073E6  PUSH 1C

-----------------------
010073C3  CALL regedit.010075ED  

010075ED    PUSH EBP
010075EE    MOV EBP,ESP
010075F0    SUB ESP,10
010075F3    LEA EAX,DWORD PTR SS:[EBP-8]
010075F6    PUSH EDI
010075F7    PUSH EAX                                 ; /pHandle
010075F8    PUSH regedit.01001788                    ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Policies\System"
010075FD    PUSH 80000001                            ; |hKey = HKEY_CURRENT_USER
01007602    XOR EDI,EDI                              ; |
01007604    CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKey>; RegOpenKeyW
0100760A    TEST EAX,EAX
0100760C    JNZ SHORT regedit.01007651      ==> patch here so the check is skipped
0100760E    LEA EAX,DWORD PTR SS:[EBP-4]
01007611    MOV DWORD PTR SS:[EBP-4],4
01007618    PUSH EAX                                 ; /pBufSize
01007619    LEA EAX,DWORD PTR SS:[EBP-10]            ; |
0100761C    PUSH EAX                                 ; |Buffer
0100761D    LEA EAX,DWORD PTR SS:[EBP-C]             ; |
01007620    PUSH EAX                                 ; |pValueType
01007621    PUSH EDI                                 ; |Reserved => NULL
01007622    PUSH regedit.0100175C                    ; |ValueName = "DisableRegistryTools"
01007627    PUSH DWORD PTR SS:[EBP-8]                ; |hKey
0100762A    CALL DWORD PTR DS:[<&ADVAPI32.RegQueryVa>; RegQueryValueExW
01007630    TEST EAX,EAX
01007632    JNZ SHORT regedit.01007648
01007634    CMP DWORD PTR SS:[EBP-C],4
01007638    JNZ SHORT regedit.01007648
0100763A    CMP DWORD PTR SS:[EBP-4],4

You can see that this code reads the "DisableRegistryTools" value from the registry (it also checks that the value is a 4-byte REG_DWORD); if it is 1, Registry Editor is disabled.
Recovery method:
Following the information above: change 0100760C    JNZ SHORT regedit.01007651 to a JMP and the Registry Editor ban is permanently lifted. Alternatively, once inside Registry Editor, go to

"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
and set the value of DisableRegistryTools to 0.
Or write a registry file:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000


After lifting the registry restriction there is another one: it forbids setting the default home page. Set a breakpoint on EnableWindow and you land here:

023CFDE7      33F6             XOR ESI,ESI
023CFDE9      56               PUSH ESI
023CFDEA      6A 03            PUSH 3
023CFDEC      68 C5000000      PUSH 0C5
023CFDF1      68 D4050000      PUSH 5D4
023CFDF6      53               PUSH EBX
023CFDF7      FFD7             CALL EDI
023CFDF9      50               PUSH EAX
023CFDFA      FF15 B0113C02    CALL DWORD PTR DS:[<&SHLWAPI.#136>]      ; SHLWAPI.#136
023CFE00      66:3935 48E13D02 CMP WORD PTR DS:[23DE148],SI
023CFE07      74 2A            JE SHORT inetcpl.023CFE33
023CFE09      68 80000000      PUSH 80
023CFE0E      8D4424 14        LEA EAX,DWORD PTR SS:[ESP+14]
023CFE12      50               PUSH EAX
023CFE13      68 1B120000      PUSH 121B
023CFE18      E8 B6070000      CALL inetcpl.023D05D3
023CFE1D      8D4424 10        LEA EAX,DWORD PTR SS:[ESP+10]
023CFE21      50               PUSH EAX
023CFE22      56               PUSH ESI
023CFE23      6A 0C            PUSH 0C
023CFE25      53               PUSH EBX
023CFE26      FF15 CC133C02    CALL DWORD PTR DS:[<&USER32.GetParent>]  ; USER32.GetParent
023CFE2C      50               PUSH EAX
023CFE2D      FF15 B0113C02    CALL DWORD PTR DS:[<&SHLWAPI.#136>]      ; SHLWAPI.#136
023CFE33      3935 ECE03D02    CMP DWORD PTR DS:[23DE0EC],ESI
023CFE39      74 30            JE SHORT inetcpl.023CFE6B
023CFE3B      56               PUSH ESI
023CFE3C      68 CF050000      PUSH 5CF
023CFE41      53               PUSH EBX
023CFE42      FFD7             CALL EDI
023CFE44      50               PUSH EAX
023CFE45      FFD5             CALL EBP    => EnableWindow
023CFE47      56               PUSH ESI
023CFE48      68 CD050000      PUSH 5CD
023CFE4D      53               PUSH EBX
023CFE4E      FFD7             CALL EDI
023CFE50      50               PUSH EAX
023CFE51      FFD5             CALL EBP
023CFE53      56               PUSH ESI
023CFE54      68 94010000      PUSH 194
023CFE59      53               PUSH EBX
023CFE5A      FFD7             CALL EDI
023CFE5C      50               PUSH EAX
023CFE5D      FFD5             CALL EBP
023CFE5F      56               PUSH ESI
023CFE60      68 CE050000      PUSH 5CE
023CFE65      53               PUSH EBX
023CFE66      FFD7             CALL EDI
023CFE68      50               PUSH EAX
023CFE69      FFD5             CALL EBP
023CFE6B      3935 38E13D02    CMP DWORD PTR DS:[23DE138],ESI
023CFE71      74 24            JE SHORT inetcpl.023CFE97
023CFE73      56               PUSH ESI
023CFE74      68 73020000      PUSH 273
023CFE79      53               PUSH EBX
023CFE7A      FFD7             CALL EDI
023CFE7C      50               PUSH EAX
023CFE7D      FFD5             CALL EBP
023CFE7F      56               PUSH ESI
023CFE80      68 70020000      PUSH 270
023CFE85      53               PUSH EBX
023CFE86      FFD7             CALL EDI
023CFE88      50               PUSH EAX
023CFE89      FFD5             CALL EBP
023CFE8B      56               PUSH ESI
023CFE8C      68 D2050000      PUSH 5D2
023CFE91      53               PUSH EBX
023CFE92      FFD7             CALL EDI
023CFE94      50               PUSH EAX
023CFE95      FFD5             CALL EBP
023CFE97      3935 F0E03D02    CMP DWORD PTR DS:[23DE0F0],ESI
023CFE9D      74 24            JE SHORT inetcpl.023CFEC3
023CFE9F      56               PUSH ESI
023CFEA0      68 D4050000      PUSH 5D4
023CFEA5      53               PUSH EBX
023CFEA6      FFD7             CALL EDI
023CFEA8      50               PUSH EAX
023CFEA9      FFD5             CALL EBP
023CFEAB      56               PUSH ESI
023CFEAC      68 D5050000      PUSH 5D5
023CFEB1      53               PUSH EBX
023CFEB2      FFD7             CALL EDI
023CFEB4      50               PUSH EAX
023CFEB5      FFD5             CALL EBP
023CFEB7      56               PUSH ESI
023CFEB8      68 D1050000      PUSH 5D1
023CFEBD      53               PUSH EBX
023CFEBE      FFD7             CALL EDI
023CFEC0      50               PUSH EAX
023CFEC1      FFD5             CALL EBP
023CFEC3      5F               POP EDI
023CFEC4      33C0             XOR EAX,EAX
023CFEC6      5D               POP EBP
023CFEC7      40               INC EAX



At the comparison sites, such as:
023CFE33      3935 ECE03D02    CMP DWORD PTR DS:[23DE0EC],ESI
023CFE6B      3935 38E13D02    CMP DWORD PTR DS:[23DE138],ESI
set a hardware breakpoint, e.g. on [23DE0EC].


You arrive here:
023D2A3D    PUSH DWORD PTR SS:[EBP-4]
023D2A40    MOV DWORD PTR DS:[ESI+30],EAX
023D2A43    CALL inetcpl.023D2905
023D2A48    PUSH inetcpl.023C4204                    ; UNICODE "History"
023D2A4D    PUSH DWORD PTR SS:[EBP-4]
023D2A50    MOV DWORD PTR DS:[ESI+34],EAX
023D2A53    CALL inetcpl.023D2905
023D2A58    PUSH inetcpl.023C4214                    ; UNICODE "Messaging"
023D2A5D    PUSH DWORD PTR SS:[EBP-4]
023D2A60    MOV DWORD PTR DS:[ESI+38],EAX
023D2A63    CALL inetcpl.023D2905
023D2A68    PUSH inetcpl.023C4270                    ; UNICODE "Ratings"

Looking upward:
023D2950    PUSH inetcpl.023C4058                    ; UNICODE "Software\Policies\Microsoft\Internet Explorer\Control Panel"
023D2955    PUSH 80000001
023D295A    CALL DWORD PTR DS:[<&SHLWAPI.#125>]      ; SHLWAPI.#125
023D2960    TEST EAX,EAX
023D2962    JNZ inetcpl.023D2BC1
023D2968    PUSH ESI
Take a look in the registry:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001


Simply change the "HomePage"=dword:00000001 value to 0 and the restriction on setting the home page is lifted. In addition, the title bar shows other injected text; go into the registry at
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] and delete the Main key.
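Added example, not code from lordor's article: a PowerShell script that audits the two HKCU policy values traced above (DisableRegistryTools under the System policies key, HomePage under the Internet Explorer\Control Panel policies key) and, with -Fix, resets them to 0 exactly as the article does by hand. Because the DisableRegistryTools check lives inside regedit.exe itself, other tools such as PowerShell can still read and write the key; the Window Title / Start Page / Default_Page_URL value names under the Main key are well-known IE settings that the article does not name.

```powershell
# Added example, not code from the article: audit the two HKCU policy values
# traced in regedit.exe and inetcpl.cpl above, and reset them with -Fix.
# Running without -Fix only reports. Both keys live under HKEY_CURRENT_USER,
# so a normal (non-elevated) session of the affected user can write them.
param([switch]$Fix)

# One entry per check seen in the disassembly. Both are REG_DWORD values, and a
# value of 1 means the restriction is active.
$checks = @(
    [pscustomobject]@{
        Label = 'Registry Editor disabled (read by regedit.exe at startup)'
        Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
        Name  = 'DisableRegistryTools'
    },
    [pscustomobject]@{
        Label = 'IE home page settings locked (read by inetcpl.cpl)'
        Path  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
        Name  = 'HomePage'
    }
)

foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "[ok]     $($c.Label): value not present"
        continue
    }
    $current = $item.($c.Name)
    if ($current -eq 1) {
        Write-Output "[LOCKED] $($c.Label): $($c.Name)=$current"
        if ($Fix) {
            # Same effect as the article's .reg file: set the DWORD to 0.
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value 0 -Type DWord
            Write-Output "         -> $($c.Name) reset to 0"
        }
    } else {
        Write-Output "[ok]     $($c.Label): $($c.Name)=$current"
    }
}

# The article also points at the Main key for the hijacked window title. Rather
# than deleting the whole key, list the values a hijacker usually touches (these
# value names are well-known IE settings, not taken from the article) so you can
# see what was changed before removing it.
$main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
Get-ItemProperty -Path $main -ErrorAction SilentlyContinue |
    Select-Object 'Window Title', 'Start Page', 'Default_Page_URL' |
    Format-List
```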

With that, IE is back to normal again.

You are welcome to visit the NukeGroup forum to discuss encryption and decryption techniques together.

by lordor  2004.3.12
