Rombertik木马分析

   1: start /d "C:\Documents and Settings\Administrator\Application Data\rsr" yfoye.exe

木马行为分析：

1.先跑跑行为-发现会创建几个文件

2.新生成文件分析

yfoye.bat –启动yfoye程序

   1: start /d "C:\Documents and Settings\Administrator\Application Data\rsr" yfoye.exe

fgf.vbs -- 实现运行yfoye.bat(因为被写在C:\Documents and Settings\Administrator\Application Data\rsr文件夹下面，所以开机会自己启动)

   1: Set WshShell = CreateObject("WScript.Shell")

   2: WshShell.Run chr(34) & "C:\Documents and Settings\Administrator\Application Data\rsr\yfoye.bat" & Chr(34), 0

   3: Set WshShell = Nothing

注册表修改：--开机启动记事本

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders; *Startup    值: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动

2.调用ZwSetInfrmatioThread()函数将线程隐藏,从而调试器接受不到信息

使用ZwMapViewOfSection进行注入，代码

   1: 00E441CD  ^\E9 87C8FFFF     jmp 00E40A59

   2: 00E441D2    55              push ebp

   3: 00E441D3    68 00100000     push 0x1000

   4: 00E441D8    57              push edi

   5: 00E441D9    FF53 64         call dword ptr ds:[ebx+0x64]         ; kernel32.VirtualAlloc

   1: 00E417EA    8945 D8         mov dword ptr ss:[ebp-0x28],eax

   2: 00E417ED    FF93 A4000000   call dword ptr ds:[ebx+0xA4]             ; kernel32.GetThreadContext

   1: 00E440A8    FF53 6C         call dword ptr ds:[ebx+0x6C]             ; ntdll.ZwQueryInformationProcess

   2: 00E440AB    85C0            test eax,eax

   1: 00E403A6    FF93 90000000   call dword ptr ds:[ebx+0x90]             ; ntdll.ZwUnmapViewOfSection

   2: 00E403AC    8365 F4 00      and dword ptr ss:[ebp-0xC],0x0

   3: 00E403B0    8D45 F4         lea eax,dword ptr ss:[ebp-0xC]

   4:  

   1: 00E408C5    FF50 70         call dword ptr ds:[eax+0x70]             ; ntdll.ZwCreateSection

   2: 00E408C8    E9 CE320000     jmp 00E43B9B

   3:  

   1: 00E4055B    FF50 4C         call dword ptr ds:[eax+0x4C]             ; ntdll.ZwMapViewOfSection

   2: 00E4055E    33C9            xor ecx,ecx

   3: 00E40560    E9 921B0000     jmp 00E420F7

   1: 00E408EA    50              push eax

   2: 00E408EB    8988 B0000000   mov dword ptr ds:[eax+0xB0],ecx

   3: 00E408F1    FF75 E4         push dword ptr ss:[ebp-0x1C]

   4: 00E408F4    FF93 8C000000   call dword ptr ds:[ebx+0x8C]             ; kernel32.SetThreadContext

   5:  

   1: 00E42F15    FF53 74         call dword ptr ds:[ebx+0x74]             ; ntdll.ZwResumeThread

   2: 00E42F18  ^ E9 82F5FFFF     jmp 00E4249F

   3:  

当前线程ID :13A4

函数学习：

int GetKeyboardType(int nTypeFlag)  获取系统当前键盘的信息

int WINAPI GetSystemMetrics( __in intnIndex);用于得到被定义的系统数据或者系统配置信息.

LONG InterlockedDecrement(LPLONG volatile lpAddend ) 该函数减小指定的变量，并检查值，可以保证同一时刻只有一个线程访问该变量，即保证增加操作的原子性。

VOID InitializeCriticalSection(LPCRITICAL_SECTION lpCriticalSection )：函数功能初始化一个临界资源对象