Cracking basics: manually cleaning up malicious web page code

zhaozj, 2021-02-17

Author: lordor

QQ: 88378557

Home page: http://coder.osdiy.com.cn (visitors welcome)

Preface: This article walks through a cracker's tracing method for manually undoing the damage done by malicious web page code.

Browsing with Mozilla 1.x always has some problems; sometimes it cannot even resolve the address of the page you want. But with IE you are regularly ambushed by malicious web pages.

Unfortunately, I got hit today: a virus (easy enough to kill), the registry disabled, and the default home page impossible to change. Awful. Now let's take a look at how to fight back against the malicious web page.

Load regedit.exe into OllyDbg:

0100734A PUSH ESI
0100734B PUSH EDI
0100734C CALL DWORD PTR DS:[<&KERNEL32.GetThreadLocale>]    ; GetThreadLocale
01007352 XOR EBP,EBP
01007354 PUSH EBP                                          ; /pModule => NULL
01007355 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleW>]  ; \GetModuleHandleW
0100735B PUSH EBP                                          ; /Title => NULL
0100735C PUSH regedit.01001500                             ; |Class = "RegEdit_RegEdit"
01007361 MOV DWORD PTR DS:[104C3E0],EAX                    ; |
01007366 CALL DWORD PTR DS:[<&USER32.FindWindowW>]         ; \FindWindowW
0100736C MOV ESI,EAX
0100736E CALL regedit.010074A8
01007373 DEC EAX                                           ; Switch (cases 1..2)
01007374 JE regedit.01007481
0100737A DEC EAX
0100737B JE regedit.01007497
01007381 CMP ESI,EBP                                       ; Default case of switch 01007373
01007383 JE SHORT regedit.010073C3
01007385 PUSH ESI                                          ; /hWnd
01007386 CALL DWORD PTR DS:[<&USER32.IsIconic>]            ; \IsIconic
0100738C TEST EAX,EAX
0100738E JE SHORT regedit.0100739E
01007390 PUSH 9                                            ; /ShowState = SW_RESTORE
01007392 PUSH ESI                                          ; |hWnd
01007393 CALL DWORD PTR DS:[<&USER32.ShowWindow>]          ; \ShowWindow
01007399 JMP regedit.01007497
0100739E MOV EDI,DWORD PTR DS:[<&USER32.BringWindowToTop>] ; USER32.BringWindowToTop
010073A4 PUSH ESI                                          ; /hWnd
010073A5 CALL EDI                                          ; \BringWindowToTop
010073A7 PUSH ESI                                          ; /hOwner
010073A8 CALL DWORD PTR DS:[<&USER32.GetLastActivePopup>]  ; \GetLastActivePopup
010073AE MOV EBX,EAX
010073B0 CMP EBX,ESI
010073B2 JE SHORT regedit.010073B7
010073B4 PUSH EBX                                          ; /hWnd
010073B5 CALL EDI                                          ; \BringWindowToTop
010073B7 PUSH EBX                                          ; /hWnd
010073B8 CALL DWORD PTR DS:[<&USER32.SetForegroundWindow>] ; \SetForegroundWindow
010073BE JMP regedit.01007497
010073C3 CALL regedit.010075ED                             ==> the key call, see below
010073C8 TEST EAX,EAX                                      ==> tests whether the editor is disabled
010073CA JE SHORT regedit.010073E6
010073CC PUSH 10
010073CE PUSH 10
010073D0 PUSH 28
010073D2 PUSH EBP
010073D3 PUSH DWORD PTR DS:[104C3E0]                       ; regedit.01000000
010073D9 CALL regedit.010078B1                             ==> shows the "disabled by administrator" message
010073DE ADD ESP,14
010073E1 JMP regedit.01007497
010073E6 PUSH 1C

----------------------

The routine called at 010073C3 (regedit.010075ED):

010075ED PUSH EBP
010075EE MOV EBP,ESP
010075F0 SUB ESP,10
010075F3 LEA EAX,DWORD PTR SS:[EBP-8]
010075F6 PUSH EDI
010075F7 PUSH EAX                                          ; /pHandle
010075F8 PUSH regedit.01001788                             ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\Policies\System"
010075FD PUSH 80000001                                     ; |hKey = HKEY_CURRENT_USER
01007602 XOR EDI,EDI                                       ; |
01007604 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKeyW>]       ; \RegOpenKeyW
0100760A TEST EAX,EAX
0100760C JNZ SHORT regedit.01007651                        ==> change this to JMP to skip the check
0100760E LEA EAX,DWORD PTR SS:[EBP-4]
01007611 MOV DWORD PTR SS:[EBP-4],4
01007618 PUSH EAX                                          ; /pBufSize
01007619 LEA EAX,DWORD PTR SS:[EBP-10]                     ; |
0100761C PUSH EAX                                          ; |Buffer
0100761D LEA EAX,DWORD PTR SS:[EBP-C]                      ; |
01007620 PUSH EAX                                          ; |pValueType
01007621 PUSH EDI                                          ; |Reserved => NULL
01007622 PUSH regedit.0100175C                             ; |ValueName = "DisableRegistryTools"
01007627 PUSH DWORD PTR SS:[EBP-8]                         ; |hKey
0100762A CALL DWORD PTR DS:[<&ADVAPI32.RegQueryValueExW>]  ; \RegQueryValueExW
01007630 TEST EAX,EAX
01007632 JNZ SHORT regedit.01007648
01007634 CMP DWORD PTR SS:[EBP-C],4                        ; value type must be REG_DWORD
01007638 JNZ SHORT regedit.01007648
0100763A CMP DWORD PTR SS:[EBP-4],4                        ; and exactly 4 bytes long

As you can see, this code reads the "DisableRegistryTools" value from the registry (and insists that it is a 4-byte REG_DWORD); when it is 1, the registry editor is disabled. Recovery, following the listing above: change 0100760C JNZ SHORT regedit.01007651 into a JMP and the registry editor is freed for good, because the policy key is never consulted. Alternatively, once you can get into the registry again, change the value of DisableRegistryTools under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System. Or write a registry file:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000000
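As an added example (not code from lordor's article), here is how to make that JNZ-to-JMP change permanent on disk instead of only in the process being debugged. The Python patcher maps the virtual address through the PE section table, checks that the two bytes there really are 75 43 (JNZ SHORT rel8 with rel8 = 0x01007651 - 0x0100760E = 0x43, straight from the listing) and only then writes EB 43, so the jump target stays 01007651. The PE it builds for its self-check is a constructed stand-in, not regedit.exe; on a regedit build with different addresses the byte check fails and nothing is written.

```python
"""Make the OllyDbg patch permanent: turn the JNZ SHORT at VA 0100760C in
regedit.exe into a JMP SHORT, after verifying the bytes really are 75 43.

Added example, not code from the original article. Assumes an unpacked PE32
image whose addresses match the build the article disassembled; anything else
fails the byte check below and is left untouched.
"""
import struct
import sys

JNZ_SHORT, JMP_SHORT = 0x75, 0xEB

# From the listing: 0100760C JNZ SHORT regedit.01007651. A short jump encodes
# rel8 = target - address_of_next_instruction = 0x01007651 - 0x0100760E = 0x43.
PATCH_VA = 0x0100760C
EXPECTED_REL8 = (0x01007651 - (PATCH_VA + 2)) & 0xFF


def va_to_file_offset(image: bytes, va: int) -> int:
    """Map a virtual address to a raw file offset via the PE32 section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    size_opt = struct.unpack_from("<H", image, pe_off + 20)[0]
    opt = pe_off + 24                          # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    rva = va - image_base
    sections = opt + size_opt
    for i in range(num_sections):
        s = sections + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, s + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"VA {va:#010x} is not inside any section")


def patch_jnz_to_jmp(image: bytes, va: int = PATCH_VA, rel8: int = EXPECTED_REL8) -> bytes:
    """Return a copy of image with JNZ SHORT rel8 at va rewritten to JMP SHORT rel8.

    Fails closed: unless the two bytes at va are exactly 75 <rel8> (a different
    regedit build, or a file that is already patched) nothing is changed."""
    off = va_to_file_offset(image, va)
    found = image[off:off + 2]
    if found != bytes([JNZ_SHORT, rel8]):
        raise ValueError(f"unexpected bytes {found.hex()} at {va:#010x}; wrong build?")
    patched = bytearray(image)
    patched[off] = JMP_SHORT                   # same rel8, so the target 01007651 is unchanged
    return bytes(patched)


def build_sample_pe32() -> bytes:
    """Constructed stand-in for regedit.exe (not the real binary): a minimal PE32
    with one .text section laid out so the article's VA lands on bytes 75 43."""
    image_base, text_va, text_raw, pe_off = 0x01000000, 0x1000, 0x200, 0x40
    hdr = bytearray(text_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, pe_off + 4, 0x14C, 1)        # Machine = i386, one section
    struct.pack_into("<H", hdr, pe_off + 20, 0xE0)             # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", hdr, pe_off + 24, 0x10B)            # PE32 magic
    struct.pack_into("<I", hdr, pe_off + 24 + 28, image_base)  # ImageBase
    sect = pe_off + 24 + 0xE0
    patch_in_text = PATCH_VA - image_base - text_va
    text_size = patch_in_text + 0x10
    hdr[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sect + 8, text_size, text_va, text_size, text_raw)
    text = bytearray(b"\x90" * text_size)                      # NOP filler
    text[patch_in_text:patch_in_text + 2] = bytes([JNZ_SHORT, EXPECTED_REL8])
    return bytes(hdr + text)


if __name__ == "__main__":
    # usage: patch_regedit.py <original regedit.exe> <patched copy>
    src, dst = sys.argv[1:3]
    with open(src, "rb") as f:
        data = f.read()
    with open(dst, "wb") as f:
        f.write(patch_jnz_to_jmp(data))
    print(f"patched {dst}: JNZ -> JMP at {PATCH_VA:#010x}")
```

Write the patched copy under a new name and run that one: on Windows 2000/XP, Windows File Protection tends to put a modified system binary back the way it was, and the in-memory change made in OllyDbg only frees the instance being debugged.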

Once the registry restriction is lifted there is still the policy that prohibits changing the default home page. The Internet Options dialog (inetcpl.cpl) greys out the home page controls with EnableWindow, so breaking on EnableWindow and following the calls leads here:

023CFDE7 33F6             XOR ESI,ESI
023CFDE9 56               PUSH ESI
023CFDEA 6A 03            PUSH 3
023CFDEC 68 C5000000      PUSH 0C5
023CFDF1 68 D4050000      PUSH 5D4
023CFDF6 53               PUSH EBX
023CFDF7 FFD7             CALL EDI
023CFDF9 50               PUSH EAX
023CFDFA FF15 B0113C02    CALL DWORD PTR DS:[<&SHLWAPI.#136>]     ; SHLWAPI.#136
023CFE00 66:3935 48E13D02 CMP WORD PTR DS:[23DE148],SI
023CFE07 74 2A            JE SHORT inetcpl.023CFE33
023CFE09 68 80000000      PUSH 80
023CFE0E 8D4424 14        LEA EAX,DWORD PTR SS:[ESP+14]
023CFE12 50               PUSH EAX
023CFE13 68 1B120000      PUSH 121B
023CFE18 E8 B6070000      CALL inetcpl.023D05D3
023CFE1D 8D4424 10        LEA EAX,DWORD PTR SS:[ESP+10]
023CFE21 50               PUSH EAX
023CFE22 56               PUSH ESI
023CFE23 6A 0C            PUSH 0C
023CFE25 53               PUSH EBX
023CFE26 FF15 CC133C02    CALL DWORD PTR DS:[<&USER32.GetParent>] ; USER32.GetParent
023CFE2C 50               PUSH EAX
023CFE2D FF15 B0113C02    CALL DWORD PTR DS:[<&SHLWAPI.#136>]     ; SHLWAPI.#136
023CFE33 3935 ECE03D02    CMP DWORD PTR DS:[23DE0EC],ESI
023CFE39 74 30            JE SHORT inetcpl.023CFE6B
023CFE3B 56               PUSH ESI
023CFE3C 68 CF050000      PUSH 5CF
023CFE41 53               PUSH EBX
023CFE42 FFD7             CALL EDI
023CFE44 50               PUSH EAX
023CFE45 FFD5             CALL EBP                                ; => EnableWindow
023CFE47 56               PUSH ESI
023CFE48 68 CD050000      PUSH 5CD
023CFE4D 53               PUSH EBX
023CFE4E FFD7             CALL EDI
023CFE50 50               PUSH EAX
023CFE51 FFD5             CALL EBP
023CFE53 56               PUSH ESI
023CFE54 68 94010000      PUSH 194
023CFE59 53               PUSH EBX
023CFE5A FFD7             CALL EDI
023CFE5C 50               PUSH EAX
023CFE5D FFD5             CALL EBP
023CFE5F 56               PUSH ESI
023CFE60 68 CE050000      PUSH 5CE
023CFE65 53               PUSH EBX
023CFE66 FFD7             CALL EDI
023CFE68 50               PUSH EAX
023CFE69 FFD5             CALL EBP
023CFE6B 3935 38E13D02    CMP DWORD PTR DS:[23DE138],ESI
023CFE71 74 24            JE SHORT inetcpl.023CFE97
023CFE73 56               PUSH ESI
023CFE74 68 73020000      PUSH 273
023CFE79 53               PUSH EBX
023CFE7A FFD7             CALL EDI
023CFE7C 50               PUSH EAX
023CFE7D FFD5             CALL EBP
023CFE7F 56               PUSH ESI
023CFE80 68 70020000      PUSH 270
023CFE85 53               PUSH EBX
023CFE86 FFD7             CALL EDI
023CFE88 50               PUSH EAX
023CFE89 FFD5             CALL EBP
023CFE8B 56               PUSH ESI
023CFE8C 68 D2050000      PUSH 5D2
023CFE91 53               PUSH EBX
023CFE92 FFD7             CALL EDI
023CFE94 50               PUSH EAX
023CFE95 FFD5             CALL EBP
023CFE97 3935 F0E03D02    CMP DWORD PTR DS:[23DE0F0],ESI
023CFE9D 74 24            JE SHORT inetcpl.023CFEC3
023CFE9F 56               PUSH ESI
023CFEA0 68 D4050000      PUSH 5D4
023CFEA5 53               PUSH EBX
023CFEA6 FFD7             CALL EDI
023CFEA8 50               PUSH EAX
023CFEA9 FFD5             CALL EBP
023CFEAB 56               PUSH ESI
023CFEAC 68 D5050000      PUSH 5D5
023CFEB1 53               PUSH EBX
023CFEB2 FFD7             CALL EDI
023CFEB4 50               PUSH EAX
023CFEB5 FFD5             CALL EBP
023CFEB7 56               PUSH ESI
023CFEB8 68 D1050000      PUSH 5D1
023CFEBD 53               PUSH EBX
023CFEBE FFD7             CALL EDI
023CFEC0 50               PUSH EAX
023CFEC1 FFD5             CALL EBP
023CFEC3 5F               POP EDI
023CFEC4 33C0             XOR EAX,EAX
023CFEC6 5D               POP EBP
023CFEC7 40               INC EAX

The comparisons in this routine, such as

023CFE33 3935 ECE03D02    CMP DWORD PTR DS:[23DE0EC],ESI
023CFE6B 3935 38E13D02    CMP DWORD PTR DS:[23DE138],ESI

test the flags (against ESI, which is zero) that decide which groups of controls get disabled. Set a memory breakpoint on one of those flags, for example [23DE0EC], and you land here:

023D2A3D PUSH DWORD PTR SS:[EBP-4]
023D2A40 MOV DWORD PTR DS:[ESI+30],EAX
023D2A43 CALL inetcpl.023D2905
023D2A48 PUSH inetcpl.023C4204                 ; UNICODE "History"
023D2A4D PUSH DWORD PTR SS:[EBP-4]
023D2A50 MOV DWORD PTR DS:[ESI+34],EAX
023D2A53 CALL inetcpl.023D2905
023D2A58 PUSH inetcpl.023C4214                 ; UNICODE "Messaging"
023D2A5D PUSH DWORD PTR SS:[EBP-4]
023D2A60 MOV DWORD PTR DS:[ESI+38],EAX
023D2A63 CALL inetcpl.023D2905
023D2A68 PUSH inetcpl.023C4270                 ; UNICODE "Ratings"

Looking further up in the same routine:

023D2950 PUSH inetcpl.023C4058                 ; UNICODE "Software\Policies\Microsoft\Internet Explorer\Control Panel"
023D2955 PUSH 80000001                         ; HKEY_CURRENT_USER
023D295A CALL DWORD PTR DS:[<&SHLWAPI.#125>]   ; SHLWAPI.#125
023D2960 TEST EAX,EAX
023D2962 JNZ inetcpl.023D2BC1
023D2968 PUSH ESI

Go into the registry and you will find:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

As soon as "HomePage"=dword:00000001 is changed to 0 the restriction is lifted. There is also the extra text the page planted in the IE title bar: open [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] and delete the offending entry there (the title-bar text lives in the "Window Title" string value of that key).
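To check a machine for all three artefacts this article tracks down in one go, here is an added example (not code from the article): a Python script that parses a `reg export` dump of HKCU, flags the DisableRegistryTools, HomePage and Window Title values, and writes the .reg file that resets the two policy DWORDs to 0 and deletes the injected title. The dump embedded below is constructed for the self-check; the key paths and value names are the ones the article names plus "Window Title", the value under ...\Internet Explorer\Main that holds the title-bar text.

```python
"""Triage a `reg export` dump for the three lockdown values the article tracks
down (registry tools disabled, home page locked, IE title bar text) and emit
the .reg file that undoes them.

Added example, not code from the original article. The sample export below is
constructed; "Window Title" is the value under ...\\Internet Explorer\\Main that
holds the injected title-bar text.
"""
from __future__ import annotations

import re
import sys

# (key, value name) -> what a non-zero / non-empty value means
INDICATORS = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools"): "regedit.exe disabled by policy",
    (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel",
     "HomePage"): "home page settings locked in Internet Options",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
     "Window Title"): "extra text injected into the IE title bar",
}

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\" -> " and \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict[tuple[str, str], int | str]:
    """Return {(key, name): value} for REG_DWORD and REG_SZ values, with keys and
    names lower-cased for matching. Other data types are skipped."""
    values: dict[tuple[str, str], int | str] = {}
    key = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = _VAL_RE.match(line)
        if not (m and key):
            continue
        name, data = _unescape(m.group("name")).lower(), m.group("data")
        if data.lower().startswith("dword:"):
            values[(key, name)] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            values[(key, name)] = _unescape(data[1:-1])
    return values


def find_lockdowns(text: str) -> list[tuple[str, str, int | str, str]]:
    """(key, value name, current value, meaning) for each indicator that is set."""
    values = parse_reg_export(text)
    hits = []
    for (key, name), meaning in INDICATORS.items():
        value = values.get((key.lower(), name.lower()))
        if value not in (None, 0, ""):
            hits.append((key, name, value, meaning))
    return hits


def remediation_reg(hits: list[tuple[str, str, int | str, str]]) -> str:
    """Build the .reg that resets DWORD policy locks to 0 and deletes injected
    strings ("Name"=- is the .reg syntax for deleting a value)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, name, value, _ in hits:
        out.append(f"[{key}]")
        out.append(f'"{name}"=dword:00000000' if isinstance(value, int) else f'"{name}"=-')
        out.append("")
    return "\n".join(out)


# Constructed sample export (not from a real machine) showing all three indicators.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijack.example/"
"Window Title"="Visit hijack.example"
"""


if __name__ == "__main__":
    # usage: triage.py hkcu.reg   (reg export HKCU hkcu.reg writes UTF-16 LE with a BOM)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXPORT.encode()
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("utf-8", "replace")
    hits = find_lockdowns(text)
    for key, name, value, meaning in hits:
        print(f"{meaning}: [{key}] \"{name}\" = {value!r}")
    print(remediation_reg(hits))
```

Export with `reg export HKCU hkcu.reg`, run the script on the file, and apply its output with `reg import`. The DisableRegistryTools policy is honoured by regedit.exe only, so reg.exe can still write the fix while the editor itself is locked out.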

With that, IE is back to normal.

You are welcome to visit my personal website to discuss cracking and reverse engineering techniques.

By Lordor 2004.3.12

Please cite the original address when reposting: https://www.9cbs.com/read-28409.html
