This post was last edited by prawnliu on 2010-4-10 17:11
I'm fairly confident this is a false positive:
First it fetches the system directory so it can locate the hosts file:
0040106F push 104 ; /BufSize = 104 (260.)
00401074 push edx ; |Buffer
00401075 call dword ptr [<&KERNEL32.GetSystemDirectoryA>]
Then it opens hosts in read-only mode and opens hosts.tmp (a file it creates itself) in write mode:
004010B0 push 00407058 ; /Mode="r" read-only
...
00401128 push eax ; | "C:\WINDOWS\system32\drivers\etc\hosts"
00401129 rep movs byte ptr es:[edi], byte ptr [esi]
0040112B call 00401627 ; _fopen
00401130 mov esi, eax
00401132 add esp, 8
00401135 test esi, esi
00401137 je 0040143A
0040113D lea ecx, dword ptr [esp+114]
00401144 push 0040704C ; /Mode="w" write
00401149 push ecx ; "C:\WINDOWS\system32\drivers\etc\hosts.tmp"
0040114A call 00401627 ; _fopen
Now for the interesting part~~
It reads the hosts file one line at a time and checks whether the line is a comment; if it is, the line is written to hosts.tmp. For a non-comment line it checks whether the line contains the string "baidu.com"; if not, the line is likewise written to hosts.tmp. If "baidu.com" is found, the _fwrite call is skipped and that line is not written to hosts.tmp:
0040117E push esi ; handle of the opened hosts file
0040117F lea edx, dword ptr [esp+2B8]
00401186 push 400 ; MaxCount=0x400
0040118B rep stos dword ptr es:[edi]
0040118D push edx ; Buf=0012FB38
0040118E call 0040155A ; _fgets
...
004011A4 mov al, byte ptr [esp+2B4]
004011AB lea ecx, dword ptr [esp+2B4]
004011B2 test al, al
004011B4 je short 004011C6
004011B6 cmp al, 20
004011B8 je short 004011BE
004011BA cmp al, 9
004011BC jnz short 004011C6
004011BE mov al, byte ptr [ecx+1]
004011C1 inc ecx
004011C2 test al, al
004011C4 jnz short 004011B6
004011C6 mov cl, byte ptr [ecx] ; load the line's first non-blank character into CL
004011C8 cmp cl, 23 ; check whether this is a comment line (0x23 = '#')
004011CB je short 004011E4 ; comment line: skip the "baidu.com" check
004011CD test cl, cl
004011CF je short 004011E4
004011D1 lea eax, dword ptr [esp+2B4]
004011D8 push 00407040 ; /ASCII "baidu.com"
004011DD push eax ; |
004011DE call ebp ; StrStrIA
004011E0 test eax, eax ; return value tells whether the line contains "baidu.com"
004011E2 jnz short 00401209 ; if it does, skip the write and go to the next iteration
004011E4 lea edi, dword ptr [esp+2B4]
004011EB or ecx, FFFFFFFF
004011EE xor eax, eax
004011F0 push ebx
004011F1 repne scas byte ptr es:[edi]
004011F3 not ecx
004011F5 dec ecx
004011F6 push ecx
004011F7 lea ecx, dword ptr [esp+2BC]
004011FE push 1 ; element size 1 (write bytes)
00401200 push ecx ; the buffer filled by _fgets
00401201 call 00401450 ; _fwrite
00401206 add esp, 10
00401209 mov ecx, 41
0040120E xor eax, eax
00401210 lea edi, dword ptr [esp+2B4]
00401217 push esi
00401218 lea edx, dword ptr [esp+2B8]
0040121F push 400
00401224 rep stos dword ptr es:[edi]
00401226 push edx ; _fgets
00401227 call 0040155A
0040122C add esp, 0C
0040122F test eax, eax
00401231 jnz 004011A4
A rough decompile with IDA's bundled plugin gives roughly the following:
while ( fgets(&Str, 1024, hosts_file) )
{
    // skip leading spaces (0x20) and tabs (0x09)
    sample_buffer = Str;
    for ( j = &Str; sample_buffer; sample_buffer = (j++)[1] )
    {
        if ( sample_buffer != 32 && sample_buffer != 9 )
            break;
    }
    hosts_line = *j;
    // keep comment lines ('#' = 35), empty lines, and any line without "baidu.com"
    if ( hosts_line == 35 || !hosts_line || !StrStrIA(&Str, "baidu.com") )
        fwrite(&Str, 1u, strlen(&Str) - 1, hosts_temp);
    memset(&Str, 0, 0x104u);
}
Finally it replaces hosts with hosts.tmp, then deletes hosts.tmp:
00401422 push 0 ; /FailIfExists = FALSE
00401424 push eax ; |"C:\WINDOWS\system32\drivers\etc\hosts"
00401425 push ecx ; |"C:\WINDOWS\system32\drivers\etc\hosts.tmp"
00401426 call dword ptr [<&KERNEL32.CopyFileA>]
0040142C lea edx, dword ptr [esp+114]
00401433 push edx ; / "C:\WINDOWS\system32\drivers\etc\hosts.tmp"
00401434 call dword ptr [<&KERNEL32.DeleteFileA>]
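To verify a suspected false positive like this one, it helps to have a reference model of the recovered logic that you can run against a hosts file and diff against what the sample actually produces. The following Python script is an added example written for this post; it is not the sample's code and not IDA's output. It mirrors the loop above (leading space/tab skipping, the '#' and NUL checks, the case-insensitive StrStrIA match) and the CopyFileA/DeleteFileA tail, but operates on a constructed hosts file in a scratch directory rather than the real C:\WINDOWS\system32\drivers\etc\hosts. The function names, the SAMPLE_HOSTS contents and the ".tmp" suffix are assumptions made for the example.

```python
import os
import shutil
import tempfile

# Substring the sample searches for with StrStrIA (case-insensitive).
NEEDLE = "baidu.com"

# Constructed hosts file body for offline testing (not from any real system).
SAMPLE_HOSTS = (
    "# Hosts file (constructed sample)\n"
    "127.0.0.1 localhost\n"
    "   # 127.0.0.1 www.baidu.com   <- comment, so it is kept\n"
    "\t127.0.0.1 WWW.BAIDU.COM\n"
    "127.0.0.1 baidu.com.example\n"
    "\n"
    "10.0.0.1 intranet\n"
)


def line_is_dropped(line, needle=NEEDLE):
    """True if the sample would skip _fwrite for this line.

    Mirrors 004011A4..004011E2: advance past leading spaces (0x20) and tabs
    (0x09); keep the line if the first remaining byte is '#' (0x23) or NUL
    (empty buffer); otherwise drop it only if StrStrIA finds the needle.
    """
    i = 0
    while i < len(line) and line[i] in (" ", "\t"):
        i += 1
    first = line[i] if i < len(line) else ""
    if first == "#" or first == "":
        return False
    # StrStrIA is case-insensitive and matches anywhere in the line,
    # so "baidu.com.example" is dropped as well.
    return needle.lower() in line.lower()


def filter_hosts(text, needle=NEEDLE):
    """Return (what hosts.tmp would contain, list of dropped lines).

    fgets leaves the trailing newline in the buffer, so splitting with
    keepends=True reproduces what the loop sees and writes.
    """
    kept, dropped = [], []
    for line in text.splitlines(keepends=True):
        (dropped if line_is_dropped(line, needle) else kept).append(line)
    return "".join(kept), dropped


def rewrite_hosts(path, needle=NEEDLE):
    """Reproduce the whole procedure on the file at `path` (assumed path).

    Writes <path>.tmp, copies it over <path> (CopyFileA, FailIfExists=FALSE),
    then deletes the temp file (DeleteFileA). Returns the number of lines removed.
    newline="" keeps the bytes exactly as read/written, like the C stdio calls.
    """
    with open(path, "r", encoding="ascii", errors="replace", newline="") as src:
        new_text, dropped = filter_hosts(src.read(), needle)
    tmp_path = path + ".tmp"
    with open(tmp_path, "w", encoding="ascii", newline="") as tmp:
        tmp.write(new_text)
    shutil.copyfile(tmp_path, path)
    os.remove(tmp_path)
    return len(dropped)


def demo_in_tempdir():
    """Run rewrite_hosts on SAMPLE_HOSTS in a scratch directory.

    Returns (lines removed, resulting file text, whether .tmp was left behind).
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "hosts")
        with open(path, "w", encoding="ascii", newline="") as f:
            f.write(SAMPLE_HOSTS)
        removed = rewrite_hosts(path)
        with open(path, "r", encoding="ascii", newline="") as f:
            result = f.read()
        return removed, result, os.path.exists(path + ".tmp")


if __name__ == "__main__":
    removed, result, tmp_left = demo_in_tempdir()
    print("removed %d line(s); hosts.tmp left behind: %s" % (removed, tmp_left))
    print(result, end="")
```

Running it against the constructed file removes exactly two lines (the tab-indented upper-case entry and the one where "baidu.com" is only part of a longer name) while the commented-out entry survives, which is the behaviour to expect from the sample if the disassembly has been read correctly. Feeding a copy of a real hosts file to filter_hosts and comparing the result with the file the sample leaves behind is a quick way to confirm that nothing beyond this filtering happens.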
Essentially it just removes the lines containing the string "baidu.com"~
No real harm~
I'd guess it only got flagged because it touches a sensitive location~~