-
-
[原创]初入逆向之木马分析牛刀小试
-
发表于: 2009-12-25 16:42 8198
-
关于GenPack:Backdoor.Generic木马的分析报告
Finn
一、病毒标签:
病毒名称: GenPack:Backdoor.Generic
病毒类型: 后门类
文件 MD5:326bf248d364ed48d742856109cbf97a
公开范围: 完全公开
危害等级: 4
文件长度: 1,403,638 字节
感染系统: windows 98以上版本
加壳类型: 未知壳
二、病毒描述:
病毒运行后,复制自身到系统目录下,衍生病毒文件。创建注册表方式达到随机启动的目的。进程进行键盘记录,主动访问网络连接病毒服务端,连接成功后中毒电脑会受到远程控制。
三、行为分析:
1、 病毒运行后,复制自身到系统目录下,衍生病毒文件,并删除自身。病毒运行后其副本系统目录下为隐藏属性,且病毒及副本的图标显示为文件夹,来欺骗中毒用户点击:
2、 感染U盘上的文件,修改原文件夹为隐藏,并创建相同名字的exe文件,欺骗用户点击。
C:\WINDOWS\system32\B80A3E\127A0E.EXE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4
(%USERPROFILE%\Local Settings\Temp)
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21787
病毒在temp目录下释放八个文件(后经分析,发现为dll文件):
2、修改注册表,以更改Internet的默认设置:
KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\WINDOWS\system32\B80A3E\127A0E.EXE
在可执行文件的属性对话框、兼容性标签页里勾选“以管理员身份启动该程序”复选框。这等效于在HKCU \Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers注册表分支下添加键值,也相当于修改C:\Windows \AppPatch下的sysmain.sdb兼容性数据库。
windows映像劫持技术(IFEO)
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\127A0E.EXE
Date & Time: 2009-11-23 11:24:49
Event Class: File System
Operation: WriteFile
Result: SUCCESS
Path: C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\127A0E.lnk
TID: 1504
Duration: 0.0000449
Offset: 0
Length: 677
[.ShellClassInfo]
InfoTip=@Shell32.dll,-12690
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=-238
LocalizedResourceName=@shell32.dll,-28996
3、进程进行键盘记录,访问网络,等待病毒服务端连接,连接成功后中毒电脑会受到远程控制。
127A0E.EXE:2232 TCP 20090818-0938:3036 mailitciberia.com:http CLOSE_WAIT
电信在他的DNS里搞了鬼,所有不能用的域名统统转到60.191.124.236,也就是在IE里面输入一些不能解析的域名时,也会转到那里去,几时经常看到的114页面,还有难看的
广告
(除cnvpe.fne,其他七个dll全部加载。。)
注释:
%Windir% WINDODWS所在目录
%DriveLetter% 逻辑驱动器根目录
%ProgramFiles% 系统程序默认安装目录
%HomeDrive% 当前启动系统所在分区
%Documents and Settings% 当前用户文档根目录
%Temp% 当前用户TEMP缓存变量;路径为:
%Documents and Settings%\当前用户\Local Settings\Temp
%System32% 是一个可变路径;
病毒通过查询操作系统来决定当前System32文件夹的位置;
Windows2000/NT中默认的安装路径是 C:\Winnt\System32;
Windows95/98/Me中默认的安装路径是 C:\Windows\System;
WindowsXP中默认的安装路径是 C:\Windows\System32。
名称位于 eAPI, 条目 108
地址=1003128C
区段=.rdata
类型=输入 (已知)
名称=KERNEL32.GetDriveTypeA
名称位于 eAPI, 条目 316
地址=100312A4
区段=.rdata
类型=输入 (已知)
名称=KERNEL32.SetFileAttributesA
名称位于 internet, 条目 247
地址=1001B37C
区段=.rdata
类型=输入 (已知)
名称=USER32.SetWindowsHookExA
四、清除方案:
按照行为分析手工清除对应文件,恢复相关系统设置。
(1) 使用windows任务管理器或者IceSword结束127A0E.EXE进程
(2) 删除病毒文件
%WINDIR%\Winmgnts.exe
%WINDIR%\Winmgnts.DLL
%WINDIR%\WinmgntsKey.DLL
%WINDIR%\Winmgnts_Hook.DLL
另附:逆向分析过程
#######################################################################
00401344 > $ 52 push edx ; 程序由此开始
00401345 . 56 push esi
00401346 . F9 stc ; 标志(进位)设置。设置CF=1
00401347 . 51 push ecx
00401348 . 50 push eax
00401349 . 53 push ebx
0040134A . 57 push edi
0040134B >^ 0F82 6DFEFFFF jb <guanjiancal> ; if CF==1; jump
#######################################################################
004011BE > > /E8 D9FFFFFF call 0040119C ; jump到此处,若按F8,木马发作,按F7跟入
#######################################################################
0040119C $ 5E pop esi ; Recycled.004011C3
#######################################################################
0040119D . /0F82 89000000 jb 0040122C ; if CF==1,jump
#######################################################################
0040122C > \81EE 9F000000 sub esi, 9F ; esi=esi-0x9F
00401232 .^ E9 BAFFFFFF jmp 004011F1
#######################################################################
004011F1 > /833E 00 cmp dword ptr [esi], 0 ; 比较.(两操作数作减法,仅修改标志位,不回送结果).
004011F4 . |F8 clc ; 对CF位(进位标志位)清零
004011F5 . |0F83 8E000000 jnb 00401289 ; if CF==0;jump(不小于)
#######################################################################
00401289 > \0F84 93000000 je 00401322 ; if ZF==1;jump (等于)
0040128F . F9 stc ; set CF==1
00401290 .^ 0F82 D4FFFFFF jb 0040126A ; if CF==1;jump(小于)
#######################################################################
0040126A > /8BCE mov ecx, esi
0040126C . |0F82 72010000 jb 004013E4 ; if CF==1;jump(小于)
#######################################################################
004013E4 > \F9 stc ; set CF==1
004013E5 . 83D6 03 adc esi, 3 ;
esi=esi+ox3h+CF;(进位加法)
004013E8 .^ E9 E2FEFFFF jmp 004012CF
#######################################################################
004012CF > /FF36 push dword ptr [esi]
004012D1 . |58 pop eax
004012D2 . |E9 3B010000 jmp 00401412
#######################################################################
00401412 > \03C6 add eax, esi
00401414 . F8 clc ; set CF==0;( 进位清零 )
00401415 .^ 0F83 E8FFFFFF jnb 00401403 ; if CF==0,jump(不小于)
#######################################################################
00401403 > /FF76 04 push dword ptr [esi+4]
00401406 . |5A pop edx ; edx==0x49h
00401407 .^|0F83 53FDFFFF jnb 00401160
#######################################################################
00401160 ? 8100 345AB05A add dword ptr [eax], 5AB05A34 ; eax==00401000
00401166 . E9 23020000 jmp 0040138E
; 执行前 00401000 /. 2131 and dword ptr [ecx], esi
;执行后 00401000 /. 55 push ebp
#######################################################################
0040138E ? 83E8 FC sub eax, -4 ; eax==00401004
00401391 .^ E9 CDFFFFFF jmp 00401363
#######################################################################
00401363 > /83EA 01 sub edx, 1 ; 执行后edx==0x48h,与 00401406处edx相呼应,看样子像个计数器:)
00401366 . |F9 stc
00401367 . |0F82 47000000 jb 004013B4 ; if CF==1,jump(小于)
;00401366和00401367等价于jmp 004013B4 :)
#######################################################################
004013B4 >^\0F85 A6FDFFFF jnz 00401160 ; if ZF==0;jump(不相等)
#######################################################################
在004013B4上按shift+F2 设置条件断点 edx==0 :)
在循环了0x49h 次之后;
此时ZF==1,004013B4 不跳转,继续执行 004013BA
***********************************************************************
004013BA .^\0F82 E5FFFFFF jb 004013A5
#######################################################################
判断需要解密的位置
***********************************************************************
004013A5 > /83C6 08 add esi, 8
004013A8 . |E9 29000000 jmp 004013D6
#######################################################################
004013D6 > \8329 01 sub dword ptr [ecx], 1
004013D9 . F9 stc
004013DA .^\0F82 E5FFFFFF jb 004013C5
#######################################################################
004013C0 . 29BD 9634D00F sub dword ptr [ebp+FD03496], edi
部分数据不详,ollydug出错了吧
004013E8 .^\E9 E2FEFFFF jmp 004012CF
004012CF > /FF36 push dword ptr [esi]
004012D1 . |58 pop eax
004012D2 . |E9 3B010000 jmp 00401412
#######################################################################
00401412 > \03C6 add eax, esi
00401414 . F8 clc ; set CF==0;( 进位清零 )
00401415 .^ 0F83 E8FFFFFF jnb 00401403 ; if CF==0,jump(不小于)
#######################################################################
00401403 > /FF76 04 push dword ptr [esi+4] ;产生计数器,即edx
00401406 . |5A pop edx
00401407 .^|0F83 53FDFFFF jnb 00401160
#######################################################################
看样子,又要去做自解密 :)
在004013B4上按shift+F2 设置条件断点 edx==0 :)
在循环了0x132Eh 次之后;
此时ZF==1,004013B4 不跳转,继续执行 004013BA
edx==
#######################################################################
又要去做自解密 :)
在004013B4上按shift+F2 设置条件断点 edx==0 :)
在循环了0x84ADh 次之后;
此时ZF==1,004013B4 不跳转,继续执行 004013BA
#######################################################################
又要去做自解密 :) 0040141F--0040141F+0x3Fh
在004013B4上按shift+F2 设置条件断点 edx==0 :)
在循环了0x3Fh 次之后;
此时ZF==1,004013B4 不跳转,继续执行 004013BA
#######################################################################
004012B7 . /0F82 36010000 jb 004013F3
004013F3 > \E8 27000000 call 0040141F ;未跟进,作用不祥
004013F8 .^\E9 25FFFFFF jmp 00401322
004012F7 > /E9 85290000 jmp 00403C81
#######################################################################
若干次跳转之后,来到刚刚解密过的代码处,看上去想个vc 6.0 的OEP :)
***********************************************************************
00403C81 > \55 push ebp ; maybe OEP
00403C82 . 8BEC mov ebp, esp
00403C84 ? 6A FF push -1
00403C86 ? 68 F0724000 push 004072F0
00403C8B . 68 F4504000 push 004050F4
00403C90 . 64:A1 0000000>mov eax, dword ptr fs:[0]
00403C96 . 50 push eax
00403C97 > 64:8925 00000>mov dword ptr fs:[0], esp
00403C9E . 83EC 58 sub esp, 58
00403CA1 ? 53 push ebx
00403CA2 ? 56 push esi
00403CA3 ? 57 push edi
00403CA4 . 8965 E8 mov dword ptr [ebp-18], esp
00403CA7 . FF15 48704000 call dword ptr [<&KERNEL32.GetVersion>; kernel32.GetVersion
00403CAD |. 33D2 xor edx, edx
00403CAF |. 8AD4 mov dl, ah
00403CB1 |. 8915 6C9A4000 mov dword ptr [409A6C], edx
00403CB7 |. 8BC8 mov ecx, eax
00403CB9 |. 81E1 FF000000 and ecx, 0FF
00403CBF |. 890D 689A4000 mov dword ptr [409A68], ecx
00403CC5 |. C1E1 08 shl ecx, 8
00403CC8 |. 03CA add ecx, edx
00403CCA |. 890D 649A4000 mov dword ptr [409A64], ecx
00403CD0 |. C1E8 10 shr eax, 10
00403CD3 |. A3 609A4000 mov dword ptr [409A60], eax
00403CD8 |. 33F6 xor esi, esi
00403CDA |. 56 push esi
00403CDB |. E8 D3010000 call 00403EB3
00403CE0 |. 59 pop ecx
00403CE1 |. 85C0 test eax, eax
00403CE3 |. 75 08 jnz short 00403CED
00403CE5 |. 6A 1C push 1C
00403CE7 |. E8 B0000000 call 00403D9C
00403CEC |. 59 pop ecx
00403CED |> 8975 FC mov dword ptr [ebp-4], esi
00403CF0 |. E8 59110000 call 00404E4E
00403CF5 |. FF15 44704000 call dword ptr [<&KERNEL32.GetCommand>; [GetCommandLineA
00403CFB |. A3 549F4000 mov dword ptr [409F54], eax
00403D00 |. E8 17100000 call 00404D1C
00403D05 |. A3 409A4000 mov dword ptr [409A40], eax
00403D0A |. E8 C00D0000 call 00404ACF
00403D0F |. E8 020D0000 call 00404A16
00403D14 |. E8 1F0A0000 call 00404738
00403D19 |. 8975 D0 mov dword ptr [ebp-30], esi
00403D1C |. 8D45 A4 lea eax, dword ptr [ebp-5C]
00403D1F |. 50 push eax ; /pStartupinfo
00403D20 |. FF15 40704000 call dword ptr [<&KERNEL32.GetStartup>; \GetStartupInfoA
00403D26 |. E8 930C0000 call 004049BE
00403D2B |. 8945 9C mov dword ptr [ebp-64], eax
00403D2E |. F645 D0 01 test byte ptr [ebp-30], 1
00403D32 |. 74 06 je short 00403D3A
00403D34 |. 0FB745 D4 movzx eax, word ptr [ebp-2C]
00403D38 |. EB 03 jmp short 00403D3D
00403D3D |> 50 push eax
00403D3E |. FF75 9C push dword ptr [ebp-64]
00403D41 |. 56 push esi
00403D42 |. 56 push esi ; /pModule
00403D43 |. FF15 3C704000 call dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA
***********************************************************************
00403D00 |. E8 17100000 call 00404D1C ;返回指针,003C4988 ALLUSERSPROFILE=C:\Documents andSettings\All Users.
***********************************************************************
#######################################################################
00403D49 |. 50 push eax ; eax==00400000Recycled.00400000
00403D4A |. E8 0DD8FFFF call 0040155C ; 木马模块,按F7跟入,(要复制病毒到指定位置 :) )
#######################################################################
0040155C /$ 55 push ebp
0040155D |. 8BEC mov ebp, esp
0040155F |. 81EC 98020000 sub esp, 298
00401565 |. 53 push ebx
00401566 |. 56 push esi
00401567 |. 57 push edi
00401568 |. 8D85 6CFEFFFF lea eax, dword ptr [ebp-194]
0040156E |. 68 04010000 push 104 ; /BufSize = 104 (260.)
00401573 |. 50 push eax ; |PathBuffer
00401574 |. FF75 08 push dword ptr [ebp+8] ; |hModule
00401577 |. 33DB xor ebx, ebx ; |
00401579 |. 895D FC mov dword ptr [ebp-4], ebx ; |
0040157C |. 895D F8 mov dword ptr [ebp-8], ebx ; |
0040157F |. 895D F0 mov dword ptr [ebp-10], ebx ; |
00401582 |. FF15 24704000 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00401588 |. 53 push ebx ; /hTemplateFile => NULL
00401589 |. 68 80000000 push 80 ; |Attributes = NORMAL
0040158E |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00401590 |. 53 push ebx ; |pSecurity => NULL
00401591 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401593 |. 8D85 6CFEFFFF lea eax, dword ptr [ebp-194] ; |
00401599 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
0040159E |. 50 push eax ; |FileName eax==0012FDA0 C:\Documents and Settings\Administrator\桌面\Recycled.exe.
0040159F |. FF15 20704000 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
004015A5 |. 8BF8 mov edi, eax
004015A7 |. 83FF FF cmp edi, -1
004015AA |. /75 0C jnz short 004015B8
***********************************************************************
调用不成功,才执行这个;
004015AC |. |C745 FC C0814>mov dword ptr [ebp-4], 004081C0 ; ASCII "Can't open file!"
004015B3 |. |E9 64030000 jmp 0040191C
***********************************************************************
004015B8 |> \8B35 1C704000 mov esi, dword ptr [<&KERNEL32.SetFi>; kernel32.SetFilePointer
004015BE |. 6A 02 push 2 ; /Origin = FILE_END
004015C0 |. 53 push ebx ; |pOffsetHi
004015C1 |. 6A F8 push -8 ; |OffsetLo = FFFFFFF8 (-8.)
004015C3 |. 57 push edi ; |hFile
004015C4 |. FFD6 call esi ; \SetFilePointer
004015C6 |. 3D E8030000 cmp eax, 3E8
004015CB |. 8945 F4 mov dword ptr [ebp-C], eax
004015CE |. 0F82 2A030000 jb 004018FE
004015D4 |. 8D45 E4 lea eax, dword ptr [ebp-1C]
004015D7 |. 53 push ebx ; /pOverlapped
004015D8 |. 50 push eax ; |pBytesRead
004015D9 |. 8D45 DC lea eax, dword ptr [ebp-24] ; |
004015DC |. 6A 08 push 8 ; |BytesToRead = 8
004015DE |. 50 push eax ; |Buffer
004015DF |. 57 push edi ; |hFile
004015E0 |. 895D E4 mov dword ptr [ebp-1C], ebx ; |
004015E3 |. FF15 18704000 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
004015E9 |. 85C0 test eax, eax
004015EB |. 0F84 16030000 je 00401907
004015F1 |. 837D E4 08 cmp dword ptr [ebp-1C], 8
004015F5 |. 0F85 0C030000 jnz 00401907
004015FB |. 8B45 DC mov eax, dword ptr [ebp-24]
004015FE |. 817D E0 A5B79>cmp dword ptr [ebp-20], 829AB7A5
00401605 |. 8945 08 mov dword ptr [ebp+8], eax
00401608 |. 0F85 F0020000 jnz 004018FE
0040160E |. 83F8 04 cmp eax, 4
00401611 |. 0F8C E7020000 jl 004018FE
00401617 |. 3B45 F4 cmp eax, dword ptr [ebp-C]
0040161A |. 0F8D DE020000 jge 004018FE
00401620 |. 50 push eax
00401621 |. E8 65220000 call 0040388B
00401626 |. 3BC3 cmp eax, ebx
00401628 |. 59 pop ecx
00401629 |. 8945 F8 mov dword ptr [ebp-8], eax
0040162C |. 0F84 32010000 je 00401764
00401632 |. 6A 02 push 2
00401634 |. 53 push ebx
00401635 |. 6A F8 push -8
00401637 |. 895D E8 mov dword ptr [ebp-18], ebx
0040163A |. 58 pop eax
0040163B |. 2B45 08 sub eax, dword ptr [ebp+8]
0040163E |. 50 push eax
0040163F |. 57 push edi
00401640 |. FFD6 call esi
00401642 |. 83F8 FF cmp eax, -1
00401645 |. 0F84 AA020000 je 004018F5
0040164B |. 8B75 F8 mov esi, dword ptr [ebp-8]
0040164E |. 8D45 E8 lea eax, dword ptr [ebp-18]
00401651 |. 53 push ebx ; /pOverlapped
00401652 |. 50 push eax ; |pBytesRead
00401653 |. FF75 08 push dword ptr [ebp+8] ; |BytesToRead
00401656 |. 56 push esi ; |Buffer
00401657 |. 57 push edi ; |hFile
00401658 |. FF15 18704000 call dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
***********************************************************************
要获得临时目录
***********************************************************************
0040165E |. 85C0 test eax, eax
00401660 |. 0F84 8F020000 je 004018F5
00401666 |. 8B45 08 mov eax, dword ptr [ebp+8]
00401669 |. 3945 E8 cmp dword ptr [ebp-18], eax
0040166C |. 0F85 83020000 jnz 004018F5
00401672 |. 813E A5B79A82 cmp dword ptr [esi], 829AB7A5
00401678 |. 0F85 77020000 jnz 004018F5
0040167E |. 8D85 6CFEFFFF lea eax, dword ptr [ebp-194]
00401684 |. 83C6 04 add esi, 4
00401687 |. 50 push eax ; /Buffer
00401688 |. 68 04010000 push 104 ; |BufSize = 104 (260.)
0040168D |. FF15 14704000 call dword ptr [<&KERNEL32.GetTempPat>; \GetTempPathA
***********************************************************************
装模作样一番,如果不能获得临时目录,真的会告诉用户吗?
***********************************************************************
00401693 |. 85C0 test eax, eax
00401695 |. 75 0C jnz short 004016A3
00401697 |. C745 FC 98814>mov dword ptr [ebp-4], 00408198 ; ASCII "Can't retrieve the temporary directory!"
0040169E |. E9 6B020000 jmp 0040190E
004016A3 |> 8B06 mov eax, dword ptr [esi]
004016A5 |. FF76 04 push dword ptr [esi+4]
004016A8 |. 836D 08 0C sub dword ptr [ebp+8], 0C
004016AC |. 83C6 04 add esi, 4
004016AF |. FF75 08 push dword ptr [ebp+8]
004016B2 |. 8945 F4 mov dword ptr [ebp-C], eax
004016B5 |. 8D7E 04 lea edi, dword ptr [esi+4]
004016B8 |. 57 push edi
004016B9 |. E8 7DFEFFFF call 0040153B
***********************************************************************
在temp目录上新建文件夹的名字。。
***********************************************************************
004016BE |. 8BF7 mov esi, edi
004016C0 |. 83C4 0C add esp, 0C
004016C3 |. 381E cmp byte ptr [esi], bl
004016C5 |. 75 2E jnz short 004016F5
004016C7 |. FF75 F4 push dword ptr [ebp-C] ; /<%X>
004016CA |. 8D85 70FFFFFF lea eax, dword ptr [ebp-90] ; |
004016D0 |. 68 90814000 push 00408190 ; |Format = "E_N%X"
004016D5 |. 50 push eax ; |s
004016D6 |. FF15 B0704000 call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
***********************************************************************
0012FC7C 0012FDA0 ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\"
0012FC80 0012FEA4 ASCII "E_N4"
0012FC84 0012FEA4 ASCII "E_N4"
0012FC88 00408190 ASCII "E_N%X"
根据压栈的参数猜想,call 00403720 也许要新建文件夹了吧,hoho。maybe。。
***********************************************************************
004016DC |. 8D85 70FFFFFF lea eax, dword ptr [ebp-90]
004016E2 |. 50 push eax
004016E3 |. 8D85 6CFEFFFF lea eax, dword ptr [ebp-194]
004016E9 |. 50 push eax
004016EA |. E8 31200000 call 00403720
***********************************************************************
还要自己平衡堆栈,真够辛苦的0012FC7C --0012FC88
***********************************************************************
004016EF |. 83C4 14 add esp, 14
004016F2 |. 46 inc esi
004016F3 |. EB 1A jmp short 0040170F
***********************************************************************
刚刚错怪call 00403720 了,现在调用CreateDirectoryA创建文件夹
马上去temp下去看了看,还真给新建了个“E_N4”文件夹。。
***********************************************************************
0040170F |> \8D85 6CFEFFFF lea eax, dword ptr [ebp-194]
00401715 |. 53 push ebx ; /pSecurity
00401716 |. 50 push eax ; |Path
00401717 |. FF15 10704000 call dword ptr [<&KERNEL32.CreateDire>; \CreateDirectoryA
0040171D |. 8D85 6CFEFFFF lea eax, dword ptr [ebp-194]
00401723 |. 68 8C814000 push 0040818C
00401728 |. 50 push eax
00401729 |. E8 F21F0000 call 00403720
0040172E |. 836D 08 08 sub dword ptr [ebp+8], 8
00401732 |. 8B46 04 mov eax, dword ptr [esi+4]
00401735 |. 395D 08 cmp dword ptr [ebp+8], ebx
00401738 |. 59 pop ecx
00401739 |. 59 pop ecx
0040173A |. 8945 EC mov dword ptr [ebp-14], eax
0040173D |. 0F8E A9010000 jle 004018EC
0040171D |. 8D85 6CFEFFFF lea eax, dword ptr [ebp-194]
00401723 |. 68 8C814000 push 0040818C
00401728 |. 50 push eax
00401729 |. E8 F21F0000 call 00403720
0040172E |. 836D 08 08 sub dword ptr [ebp+8], 8
00401732 |. 8B46 04 mov eax, dword ptr [esi+4]
00401735 |. 395D 08 cmp dword ptr [ebp+8], ebx
00401738 |. 59 pop ecx
00401739 |. 59 pop ecx
0040173A |. 8945 EC mov dword ptr [ebp-14], eax
0040173D |. 0F8E A9010000 jle 004018EC
00401743 |. 813E 0D0F3E03 cmp dword ptr [esi], 33E0F0D
00401749 |. 0F85 9D010000 jnz 004018EC
0040174F |. 3BC3 cmp eax, ebx
00401751 |. 0F8E 95010000 jle 004018EC
00401757 |. 50 push eax
00401758 |. E8 2E210000 call 0040388B
0040175D |. 8BF8 mov edi, eax
0040175F |. 59 pop ecx
00401760 |. 3BFB cmp edi, ebx
00401762 |. 75 0C jnz short 00401770
00401770 |> \FF75 08 push dword ptr [ebp+8]
00401773 |. 83C6 08 add esi, 8
00401776 |. 8D45 EC lea eax, dword ptr [ebp-14]
00401779 |. 56 push esi
0040177A |. 50 push eax
0040177B |. 57 push edi
0040177C |. E8 EE1E0000 call 0040366F
00401781 |. 83C4 10 add esp, 10
00401784 |. 85C0 test eax, eax
00401786 |. 74 13 je short 0040179B
0040179B |> \FF75 F8 push dword ptr [ebp-8]
0040179E |. E8 5D200000 call 00403800
004017A3 |. 8B45 EC mov eax, dword ptr [ebp-14]
004017A6 |. 59 pop ecx
004017A7 |. 03C7 add eax, edi
004017A9 |. 897D F8 mov dword ptr [ebp-8], edi
004017AC |. 3BF8 cmp edi, eax
004017AE |. 8BF7 mov esi, edi
004017B0 |. 8945 F4 mov dword ptr [ebp-C], eax
004017B3 |. 885D A4 mov byte ptr [ebp-5C], bl
004017B6 |. 0F83 B4000000 jnb 00401870
004017BC |> 8BFE /mov edi, esi
004017BE |. 56 |push esi
004017BF |. 897D 08 |mov dword ptr [ebp+8], edi
004017C2 |. E8 49200000 |call 00403810
004017C7 |. C70424 4C8140>|mov dword ptr [esp], 0040814C ; ASCII "krnln.fnr"
004017CE |. 57 |push edi
004017CF |. 8D7406 01 |lea esi, dword ptr [esi+eax+1]
004017D3 |. E8 48480000 |call 00406020
004017D8 |. 59 |pop ecx
004017D9 |. 85C0 |test eax, eax
004017DB |. 59 |pop ecx
004017DC |. 74 11 |je short 004017EF
004017EF |> \8D45 A4 |lea eax, dword ptr [ebp-5C]
004017F2 |. 57 |push edi
004017F3 |. 50 |push eax
004017F4 |. E8 171F0000 |call 00403710
004017F9 |. 59 |pop ecx
004017FA |. 59 |pop ecx
004017FB |> 8B3E |mov edi, dword ptr [esi]
004017FD |. 8D85 6CFEFFFF |lea eax, dword ptr [ebp-194]
00401803 |. 50 |push eax
00401804 |. 8D85 68FDFFFF |lea eax, dword ptr [ebp-298]
0040180A |. 50 |push eax
0040180B |. 83C6 04 |add esi, 4
0040180E |. E8 FD1E0000 |call 00403710
00401813 |. FF75 08 |push dword ptr [ebp+8]
00401816 |. 8D85 68FDFFFF |lea eax, dword ptr [ebp-298]
0040181C |. 50 |push eax
0040181D |. E8 FE1E0000 |call 00403720
00401822 |. 83C4 10 |add esp, 10
00401825 |. 8D85 68FDFFFF |lea eax, dword ptr [ebp-298] ;eax==0012FC9C C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr.
***********************************************************************
在temp下新建了个文件(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr)
***********************************************************************
0040182B |. 53 |push ebx ; /hTemplateFile
0040182C |. 68 80000000 |push 80 ; |Attributes = NORMAL
00401831 |. 6A 02 |push 2 ; |Mode = CREATE_ALWAYS
00401833 |. 53 |push ebx ; |pSecurity
00401834 |. 53 |push ebx ; |ShareMode
00401835 |. 68 00000040 |push 40000000 ; |Access = GENERIC_WRITE
0040183A |. 50 |push eax ; |FileName
0040183B |. FF15 20704000 |call dword ptr [<&KERNEL32.CreateFil>; \CreateFileA
***********************************************************************
向文件里面写数据(C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr)
***********************************************************************
00401841 |. 83F8 FF |cmp eax, -1
00401844 |. 8945 08 |mov dword ptr [ebp+8], eax
00401847 |. 74 17 |je short 00401860
00401849 |. 8D4D D8 |lea ecx, dword ptr [ebp-28]
0040184C |. 53 |push ebx ; /pOverlapped
0040184D |. 51 |push ecx ; |pBytesWritten
0040184E |. 57 |push edi ; |nBytesToWrite
0040184F |. 56 |push esi ; |Buffer
00401850 |. 50 |push eax ; |hFile
00401851 |. FF15 0C704000 |call dword ptr [<&KERNEL32.WriteFile>; \WriteFile
00401857 |. FF75 08 |push dword ptr [ebp+8] ; /hObject
0040185A |. FF15 08704000 |call dword ptr [<&KERNEL32.CloseHand>; \CloseHandle
00401860 |> 03F7 |add esi, edi
00401862 |. 3B75 F4 |cmp esi, dword ptr [ebp-C]
00401865 |.^ 0F82 51FFFFFF \jb 004017BC
***********************************************************************
循环,估计要再建个0012FC8C 00C4D02E ASCII "HtmlView.fne"的文件
***********************************************************************
004017BC |> /8BFE /mov edi, esi
004017BE |. |56 |push esi
004017BF |. |897D 08 |mov dword ptr [ebp+8], edi
004017C2 |. |E8 49200000 |call 00403810
004017C7 |. |C70424 4C8140>|mov dword ptr [esp], 0040814C ; ASCII "krnln.fnr"
004017CE |. |57 |push edi
004017CF |. |8D7406 01 |lea esi, dword ptr [esi+eax+1]
004017D3 |. |E8 48480000 |call 00406020
***********************************************************************
循环,估计要再建个00C8203F internet.fne.
00CAF050 eAPI.fne..
00CFE05D shell.fne.
00D0806B dp1.fne.
00D24077 cnvpe.fne
00D33085 spec.fne.
的文件
循环建好8个文件之后
***********************************************************************
0040186B |. 385D A4 cmp byte ptr [ebp-5C], bl
0040186E |. 75 0C jnz short 0040187C
***********************************************************************
看样子刚刚释放出来的那个krnln.fnr也许是个dll文件吧,下面要载入了。。hoho
***********************************************************************
0040187C |> \8D85 6CFEFFFF lea eax, dword ptr [ebp-194]
00401882 |. 50 push eax
00401883 |. 8D85 68FDFFFF lea eax, dword ptr [ebp-298]
00401889 |. 50 push eax
0040188A |. E8 811E0000 call 00403710
0040188F |. 8D45 A4 lea eax, dword ptr [ebp-5C]
00401892 |. 50 push eax
00401893 |. 8D85 68FDFFFF lea eax, dword ptr [ebp-298]
00401899 |. 50 push eax
0040189A |. E8 811E0000 call 00403720
0040189F |. 83C4 10 add esp, 10
004018A2 |. 8D85 68FDFFFF lea eax, dword ptr [ebp-298]
004018A8 |. 50 push eax ; /FileName eax==0012FC9C C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr.
004018A9 |. FF15 04704000 call dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryA
004018AF |. 3BC3 cmp eax, ebx
004018B1 |. 75 09 jnz short 004018BC
004018BC |> \68 F4804000 push 004080F4 ; /ProcNameOrOrdinal = "GetNewSock"
004018C1 |. 50 push eax ; |hModule
004018C2 |. FF15 00704000 call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
004018C8 |. 3BC3 cmp eax, ebx
004018CA |. 75 09 jnz short 004018D5
***********************************************************************
调用了krnln中的100298FA
***********************************************************************
004018D5 |> \68 E8030000 push 3E8 ;100298FA krnln.100298FA
004018DA |. FFD0 call eax
004018DC |. 3BC3 cmp eax, ebx
004018DE |. 8945 F0 mov dword ptr [ebp-10], eax
004018E1 |. 75 2B jnz short 0040190E
0040190E |> \395D F8 cmp dword ptr [ebp-8], ebx
00401911 |. 74 09 je short 0040191C
00401913 |. FF75 F8 push dword ptr [ebp-8]
00401916 |. E8 E51E0000 call 00403800
0040191B |. 59 pop ecx
0040191C |> 395D FC cmp dword ptr [ebp-4], ebx
0040191F |. 75 13 jnz short 00401934
00401921 |. 8B45 F0 mov eax, dword ptr [ebp-10]
00401924 |. E8 00000000 call 00401929
00401929 |$ 810424 D78600>add dword ptr [esp], 86D7
00401930 |. FFD0 call eax ; krnln.100298FA 关键模块,必须跟入
100298FA 55 push ebp
100298FB 8BEC mov ebp, esp
100298FD 8B45 08 mov eax, dword ptr [ebp+8]
10029900 50 push eax
10029901 B9 68CF0E10 mov ecx, 100ECF68
10029906 E8 04F5FFFF call 10028E0F ;关键模块,必须跟入
10028E0F 55 push ebp
10028E10 8BEC mov ebp, esp
10028E12 83EC 08 sub esp, 8
10028E15 53 push ebx
10028E16 56 push esi
10028E17 57 push edi
10028E18 894D F8 mov dword ptr [ebp-8], ecx
10028E1B FF15 E4330C10 call dword ptr [<&KERNEL32.GetProcessHeap>] ; kernel32.GetProcessHeap
10028E21 8B4D F8 mov ecx, dword ptr [ebp-8]
10028E24 8981 8C040000 mov dword ptr [ecx+48C], eax
10028E2A 8B55 08 mov edx, dword ptr [ebp+8]
10028E2D 8B42 30 mov eax, dword ptr [edx+30]
10028E30 83E0 01 and eax, 1
10028E33 85C0 test eax, eax
10028E35 75 10 jnz short 10028E47
10028E37 8B4D 08 mov ecx, dword ptr [ebp+8]
10028E3A 51 push ecx
10028E3B 8B4D F8 mov ecx, dword ptr [ebp-8]
10028E3E E8 CD050300 call 10059410
100594A5 C786 84040000 0>mov dword ptr [esi+484], 1
100594AF 8D95 ECFDFFFF lea edx, dword ptr [ebp-214]
100594B5 68 04010000 push 104
100594BA 52 push edx
100594BB 6A 00 push 0
100594BD FF15 04340C10 call dword ptr [<&KERNEL32.GetModuleFileNameA>>; kernel32.GetModuleFileNameA
100594C3 8D85 ECFDFFFF lea eax, dword ptr [ebp-214]
100594C9 6A 5C push 5C
100594CB 50 push eax
100594CC E8 1C420400 call 1009D6ED ; 返回eax==0012FA70 \Recycled.exe.
100594D1 8BF8 mov edi, eax
100594D3 83C4 08 add esp, 8
100594D6 85FF test edi, edi
100594D8 74 19 je short 100594F3
100594DA 8D95 ECFDFFFF lea edx, dword ptr [ebp-214]
100594E0 8D8E EC000000 lea ecx, dword ptr [esi+EC]
100594E6 52 push edx
100594E7 C607 00 mov byte ptr [edi], 0
100594EA E8 BD840500 call 100B19AC
100594EF 47 inc edi
100594F0 57 push edi
100594F1 EB 12 jmp short 10059505
10059505 8D8E F0000000 lea ecx, dword ptr [esi+F0]
1005950B E8 9C840500 call 100B19AC ; 返回EAX==100ED058 krnln.100ED058
10059510 837B 2C 02 cmp dword ptr [ebx+2C], 2
10059514 74 0F je short 10059525
10059516 8B86 EC000000 mov eax, dword ptr [esi+EC]
1005951C 50 push eax
1005951D FF15 8C330C10 call dword ptr [<&KERNEL32.SetCurrentDirectoryA>] ; kernel32.SetCurrentDirectoryA
10059523 EB 4C jmp short 10059571
10059571 8B46 68 mov eax, dword ptr [esi+68]
10059574 68 CC450E10 push 100E45CC ; ASCII "mp3"
10059579 50 push eax
1005957A 8D8E FC030000 lea ecx, dword ptr [esi+3FC]
10059580 E8 6B9FFBFF call 100134F0
10059585 8B4E 68 mov ecx, dword ptr [esi+68]
10059588 68 44410E10 push 100E4144 ; ASCII "odbcdb"
1005958D 51 push ecx
1005958E 8D8E 0C040000 lea ecx, dword ptr [esi+40C]
10059594 E8 579FFBFF call 100134F0
10059599 8B56 68 mov edx, dword ptr [esi+68]
1005959C 68 C4450E10 push 100E45C4 ; ASCII "ComInf"
100595A1 52 push edx
100595A2 8D8E 3C040000 lea ecx, dword ptr [esi+43C]
100595A8 E8 439FFBFF call 100134F0
100595AD 33FF xor edi, edi
100595AF 68 007F0000 push 7F00
100595B4 57 push edi
100595B5 FF15 D0360C10 call dword ptr [<&USER32.LoadCursorA>] ; USER32.LoadCursorA
100595BB 57 push edi
100595BC 57 push edi
100595BD 57 push edi
100595BE 57 push edi
100595BF 57 push edi
100595C0 57 push edi
100595C1 57 push edi
100595C2 57 push edi
100595C3 68 90C90E10 push 100EC990
100595C8 57 push edi
100595C9 6A 05 push 5
100595CB 8945 D0 mov dword ptr [ebp-30], eax
100595CE FF15 48310C10 call dword ptr [<&GDI32.GetStockObject>] ; GDI32.GetStockObject
100595D4 50 push eax
100595D5 8B45 D0 mov eax, dword ptr [ebp-30]
100595D8 50 push eax
100595D9 57 push edi
100595DA E8 D55C0500 call 100AF2B4
100595DF 50 push eax
100595E0 68 80000000 push 80
100595E5 8D8E 48040000 lea ecx, dword ptr [esi+448]
100595EB E8 E0550500 call 100AEBD0
100595F0 FF15 98330C10 call dword ptr [<&KERNEL32.GetCurrentThreadId>] ; kernel32.GetCurrentThreadId
100595F6 8986 B4020000 mov dword ptr [esi+2B4], eax
100595FC EB 1B jmp short 10059619
10059619 8B43 48 mov eax, dword ptr [ebx+48]
1005961C 897D 98 mov dword ptr [ebp-68], edi
1005961F 83F8 FF cmp eax, -1
10059622 897D 9C mov dword ptr [ebp-64], edi
10059625 897D A0 mov dword ptr [ebp-60], edi
10059628 897D A4 mov dword ptr [ebp-5C], edi
1005962B 74 2F je short 1005965C
1005962D 8B7C18 2C mov edi, dword ptr [eax+ebx+2C]
10059631 03FB add edi, ebx
10059633 897D 98 mov dword ptr [ebp-68], edi
10059636 8B4418 24 mov eax, dword ptr [eax+ebx+24]
1005963A 83F8 34 cmp eax, 34
1005963D 72 05 jb short 10059644
1005963F B8 34000000 mov eax, 34
10059644 8BC8 mov ecx, eax
10059646 BE E8370E10 mov esi, 100E37E8
1005964B 8BD1 mov edx, ecx
1005964D C1E9 02 shr ecx, 2
10059650 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi]
10059652 8BCA mov ecx, edx
10059654 83E1 03 and ecx, 3
10059657 F3:A4 rep movs byte ptr es:[edi], byte ptr [esi]
10059659 8B75 EC mov esi, dword ptr [ebp-14]
1005965C 8B86 DC000000 mov eax, dword ptr [esi+DC]
10059662 8D8E 18020000 lea ecx, dword ptr [esi+218]
10059668 50 push eax
10059669 E8 C205FDFF call 10029C30
1005966E 8B43 40 mov eax, dword ptr [ebx+40]
10059671 83F8 FF cmp eax, -1
10059674 8945 E4 mov dword ptr [ebp-1C], eax
10059677 74 2C je short 100596A5
10059679 8B7C18 2C mov edi, dword ptr [eax+ebx+2C]
1005967D 8D8E 04020000 lea ecx, dword ptr [esi+204]
10059683 03FB add edi, ebx
10059685 57 push edi
10059686 E8 A505FDFF call 10029C30
1005968B 8B4D E4 mov ecx, dword ptr [ebp-1C]
1005968E 8B4419 24 mov eax, dword ptr [ecx+ebx+24]
10059692 8D8E 04020000 lea ecx, dword ptr [esi+204]
10059698 03C7 add eax, edi
1005969A 50 push eax
1005969B E8 9005FDFF call 10029C30
100596A0 897D 9C mov dword ptr [ebp-64], edi
100596A3 EB 18 jmp short 100596BD
100596BD 8B43 4C mov eax, dword ptr [ebx+4C]
100596C0 C745 C4 0000000>mov dword ptr [ebp-3C], 0
100596C7 83F8 FF cmp eax, -1
100596CA 74 0C je short 100596D8
100596CC 8B4418 2C mov eax, dword ptr [eax+ebx+2C]
100596D0 03C3 add eax, ebx
100596D2 8945 C4 mov dword ptr [ebp-3C], eax
100596D5 8945 A4 mov dword ptr [ebp-5C], eax
100596D8 8B43 50 mov eax, dword ptr [ebx+50]
100596DB 83F8 FF cmp eax, -1
100596DE 8945 D8 mov dword ptr [ebp-28], eax
100596E1 74 60 je short 10059743
100596E3 8B4418 24 mov eax, dword ptr [eax+ebx+24]
100596E7 85C0 test eax, eax
100596E9 7E 58 jle short 10059743
100596EB 50 push eax
100596EC E8 3C4A0500 call 100AE12D
100596F1 8B55 D8 mov edx, dword ptr [ebp-28]
100596F4 8BF8 mov edi, eax
100596F6 33C0 xor eax, eax
100596F8 897D E4 mov dword ptr [ebp-1C], edi
100596FB 8B4C1A 24 mov ecx, dword ptr [edx+ebx+24]
100596FF 83C4 04 add esp, 4
10059702 8BD1 mov edx, ecx
10059704 81C6 F8000000 add esi, 0F8
1005970A C1E9 02 shr ecx, 2
1005970D F3:AB rep stos dword ptr es:[edi]
1005970F 8BCA mov ecx, edx
10059711 83E1 03 and ecx, 3
10059714 F3:AA rep stos byte ptr es:[edi]
10059716 8B45 E4 mov eax, dword ptr [ebp-1C]
10059719 8BCE mov ecx, esi
1005971B 50 push eax
1005971C E8 0F05FDFF call 10029C30
10059721 8B45 E4 mov eax, dword ptr [ebp-1C]
10059724 8B4D D8 mov ecx, dword ptr [ebp-28]
10059727 8945 A0 mov dword ptr [ebp-60], eax
1005972A 8B7419 08 mov esi, dword ptr [ecx+ebx+8]
1005972E 8B5419 24 mov edx, dword ptr [ecx+ebx+24]
10059732 83E6 EF and esi, FFFFFFEF
10059735 2BC3 sub eax, ebx
10059737 895419 28 mov dword ptr [ecx+ebx+28], edx
1005973B 897419 08 mov dword ptr [ecx+ebx+8], esi
1005973F 894419 2C mov dword ptr [ecx+ebx+2C], eax
10059743 8B5B 54 mov ebx, dword ptr [ebx+54]
10059746 C745 C8 0000000>mov dword ptr [ebp-38], 0
1005974D 83FB FF cmp ebx, -1
10059750 895D E8 mov dword ptr [ebp-18], ebx
10059753 0F84 BF000000 je 10059818
100597F1 8B07 mov eax, dword ptr [edi]
100597F3 83C7 04 add edi, 4
100597F6 8BC8 mov ecx, eax
100597F8 83E0 07 and eax, 7
100597FB C1E9 03 shr ecx, 3
100597FE 8B4485 98 mov eax, dword ptr [ebp+eax*4-68]
10059802 03CE add ecx, esi
10059804 0101 add dword ptr [ecx], eax
10059806 8B43 30 mov eax, dword ptr [ebx+30]
10059809 42 inc edx
1005980A 3BD0 cmp edx, eax
1005980C ^ 7C E3 jl short 100597F1
10054096 6A 00 push 0
10054098 6A 00 push 0
1005409A 6A 00 push 0
1005409C 51 push ecx
1005409D FF15 30360C10 call dword ptr [<&USER32.SetWindowPos>] ; USER32.SetWindowPos
***********************************************************************
0012FB38 00190530 0 . |hWnd = 00190530 (class='Afx:10000000:8:10011:1900015:0',parent=0021044A)
0012FB3C 00000000 .... |InsertAfter = HWND_TOP
0012FB40 00000000 .... |X = 0
0012FB44 00000000 .... |Y = 0
0012FB48 00000000 .... |Width = 0
0012FB4C 00000000 .... |Height = 0
0012FB50 00000013 ... \Flags = SWP_NOSIZE|SWP_NOMOVE|SWP_NOACTIVATE
***********************************************************************
00423C31 E8 B6740000 call 0042B0EC ;00190F80 127A0E.
00423CAB E8 34140000 call 004250E4 ;00190FA0 127A0E.EXE.
00423CD1 E8 16740000 call 0042B0EC ;001907F8 b80a3e.
00423CE9 83C4 04 add esp, 4
00423CEC 68 B4A24000 push 0040A2B4
00423CF1 FF75 E4 push dword ptr [ebp-1C]
00423CF4 FF75 FC push dword ptr [ebp-4]
00423CF7 B9 03000000 mov ecx, 3
00423CFC E8 D7FAFFFF call 004237D8 ;00190FC8 C:\WINDOWS\system32\B80A3E\.
00423D01 83C4 0C add esp, 0C
00423D7F 68 B4A24000 push 0040A2B4
00423D84 FF75 E4 push dword ptr [ebp-1C]
00423D87 FF75 FC push dword ptr [ebp-4]
00423D8A B9 03000000 mov ecx, 3
00423D8F E8 44FAFFFF call 004237D8 ;001907F8 C:\WINDOWS\system32\442BD5\.
00423DE7 B8 A8A24000 mov eax, 0040A2A8
00423DEC 50 push eax
00423DED 68 01000000 push 1
00423DF2 BB 50010000 mov ebx, 150
00423DF7 E8 F0720000 call 0042B0EC ;001907D8 2A7D59.
00423E12 68 B4A24000 push 0040A2B4
00423E17 FF75 E4 push dword ptr [ebp-1C]
00423E1A FF75 FC push dword ptr [ebp-4]
00423E1D B9 03000000 mov ecx, 3
00423E22 E8 B1F9FFFF call 004237D8 ;00190830 C:\WINDOWS\system32\2A7D59\.
00190868 C:\WINDOWS\system32\EC7AEB\.
00190950 C:\WINDOWS\system32\2A7D59\8f7b9c.txt.
00190868 C:\WINDOWS\system32\EC7AEB\.
00424333 FF35 8805E500 push dword ptr [E50588]
00424339 FF35 8C05E500 push dword ptr [E5058C]
0042433F B9 02000000 mov ecx, 2
00424344 E8 8FF4FFFF call 004237D8 ;00190A20 C:\WINDOWS\system32\B80A3E\127A0E.EXE.
004244AC 8945 E0 mov dword ptr [ebp-20], eax
004244AF 8B5D E4 mov ebx, dword ptr [ebp-1C]
004244B2 85DB test ebx, ebx
004244B4 74 09 je short 004244BF
004244B6 53 push ebx
004244B7 E8 2A6C0000 call 0042B0E6 :00190A20 explorer .
1005A826 50 push eax
1005A827 51 push ecx
1005A828 6A 00 push 0
1005A82A 6A 00 push 0
1005A82C 6A 00 push 0
1005A82E 6A 00 push 0
1005A830 6A 00 push 0
1005A832 6A 00 push 0
1005A834 52 push edx
1005A835 6A 00 push 0
1005A837 FF15 88330C10 call dword ptr [<&KERNEL32.CreateProcessA>] ; kernel32.CreateProcessA
***********************************************************************
创建木马进程 hoho :)
***********************************************************************
0012F9B4 00000000 .... |ModuleFileName = NULL
0012F9B8 00190A90 ? . |CommandLine = "explorer C:\Documents and Settings\Administrator\",D7,"烂鎈"
0012F9BC 00000000 .... |pProcessSecurity = NULL
0012F9C0 00000000 .... |pThreadSecurity = NULL
0012F9C4 00000000 .... |InheritHandles = FALSE
0012F9C8 00000000 .... |CreationFlags = 0
0012F9CC 00000000 .... |pEnvironment = NULL
0012F9D0 00000000 .... |CurrentDir = NULL
0012F9D4 0012F9F4 豉 . |pStartupInfo = 0012F9F4
0012F9D8 0012F9E4 澌 . \pProcessInfo = 0012F9E4
***********************************************************************
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
- [原创]仅作部分分析 4899
- [转帖]非原创,有点超时 4228
- [原创]有点小紧张 4738
- [原创]初入逆向之木马分析牛刀小试 8199