[Original] Analysis of the Vadchdhv.exe Trojan Sample (Part 1)
Posted: 2021-7-21 17:35


Purpose: analyze how this trojan runs and how it is implemented internally, and dissect what harm it can cause.
Debugging environment and tools: VMware + Windows 7 (recommended), DIE, IDA, OD

1. Unpacking to obtain the shellcode, in preparation for extracting the trojan's main body

After opening the original sample in IDA, locate the sub_402FBA routine. Note that the base address changes on every OD dynamic-debugging run, but the relative addresses stay the same. The core function of this routine is to release the shellcode carrying the Vadchdhv trojan body into memory: at 0040304C it calls VirtualAlloc to allocate memory, and then stores the shellcode there for the first time.

Once that is done, return to the sub_4043A9 routine, where the call to sub_401000 releases the shellcode into memory a second time.

Once that is done, return to the start code. Having traced this far, what we really care about is where the packer jumps into the shellcode body in memory: that is the key to capturing the shellcode, and without it the trojan cannot be caught. The shellcode-release process above may be somewhat tedious and dry, but it pays to trace it several times, watching how the registers and stack data change and capturing the key information; this is a useful little trick, especially for trojans that expose very little. The shellcode is released in a loop, so set a breakpoint after the loop exits and single-step with F7 in OD.

Note the call dword_405090 at 00402FAF in the code above: this is where the packer enters the shellcode body in memory, so step into it with F7. Only now are we getting close to the Vadchdhv main body, but not all the way, because Vadchdhv is not released into memory and run in one go: it first has to be released from the shellcode into memory with higher permissions, where the PE file is assembled and fixed up, and only then does the trojan's core body code run.

2. Unpacking the shellcode to obtain the Vadchdhv in-memory process body

After stepping in with OD, note that at 00260261 (the address varies) the code calls 002601EE to fetch a kernel-function name string, returns to 0026026C, calls CALL 0026020A at 00260270 to compare the kernel function's SHA value, then calls 00260318 to fetch the next function name and returns to 00260261 for the next iteration. This loop locates the ntdll kernel functions, obtains the addresses of the kernel functions the trojan uses, and fixes up the addresses in the trojan body.

Next, the Vadchdhv trojan calls kernel functions such as ntdll.NtProtectVirtualMemory and ntdll.NtAllocateVirtualMemory to raise the memory permissions and allocate memory again, in preparation for releasing and assembling the process body.

Stack contents at the call to ntdll.NtAllocateVirtualMemory:

Next, into the newly allocated memory it first writes a PE-format file header:

Next, the Vadchdhv trojan decodes and releases the data from the shellcode and assembles it:

The code above first releases the part from address 00021000 to 00023000, then the part from 00023000 to 00024000,

and finally allocates memory once more and releases code at 00032000. For the complete code see the attachment "Vadchdhv trojan process code after shellcode unpacking".
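The section-copy loop the shellcode runs at 002606A7..002606C9 (copy each section from PointerToRawData to VirtualAddress, length min(SizeOfRawData, VirtualSize)), reimplemented in Python as an added example that is not code from the post or from the sample, together with the analyst-side inverse needed before loading such a memory dump in IDA. It runs on a constructed minimal PE32 built inline, not on the sample's real headers.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def _pe_layout(pe: bytes):
    """Return (section table offset, NumberOfSections, SizeOfImage, SizeOfHeaders) of a PE32."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    num_secs = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER32 follows the file header
    size_of_image, size_of_headers = struct.unpack_from("<II", pe, opt + 56)
    return opt + opt_size, num_secs, size_of_image, size_of_headers


def map_sections(pe: bytes) -> bytes:
    """Mirror the loop at 002606A7..002606C9: with the headers already written into the
    zeroed allocation, copy each section from PointerToRawData ([EDX+14]) to
    VirtualAddress ([EDX+0C]), length min(SizeOfRawData [EDX+10], VirtualSize [EDX+8])."""
    sec_off, num_secs, size_of_image, size_of_headers = _pe_layout(pe)
    image = bytearray(size_of_image)         # the REP STOS zero-fill of the new region
    image[:size_of_headers] = pe[:size_of_headers]
    for i in range(num_secs):
        _, vsize, vaddr, raw_size, raw_ptr = SECTION_HDR.unpack_from(pe, sec_off + 40 * i)[:5]
        n = raw_size if raw_size <= vsize else vsize   # CMP ECX,[EDX+8] / JBE
        chunk = pe[raw_ptr:raw_ptr + n]      # REPNE MOVSB; REPNE on MOVS behaves like REP
        image[vaddr:vaddr + len(chunk)] = chunk
    return bytes(image)


def unmap_for_disk(image: bytes) -> bytes:
    """Analyst-side inverse for a dumped image (the 00021000..00032000 region in OD):
    make raw offsets equal virtual offsets so the dump loads in IDA as a plain PE."""
    out = bytearray(image)
    sec_off, num_secs, _, _ = _pe_layout(image)
    for i in range(num_secs):
        off = sec_off + 40 * i
        f = list(SECTION_HDR.unpack_from(out, off))
        f[3], f[4] = f[1], f[2]             # SizeOfRawData = VirtualSize, PointerToRawData = VirtualAddress
        SECTION_HDR.pack_into(out, off, *f)
    return bytes(out)


def build_test_pe() -> bytes:
    """Constructed minimal PE32 with two sections (test input, not the sample's real headers)."""
    secs = [  # (name, VirtualSize, VirtualAddress, raw bytes)
        (b".text", 0x10, 0x1000, b"\x90" * 0x20),  # VirtualSize < SizeOfRawData: only 0x10 bytes copied
        (b".data", 0x1000, 0x2000, b"DATA"),       # VirtualSize > SizeOfRawData: the rest stays zero
    ]
    e_lfanew, opt_size, file_align, sec_align = 0x40, 0xE0, 0x200, 0x1000
    hdr_len = e_lfanew + 4 + 20 + opt_size + 40 * len(secs)
    size_of_headers = -(-hdr_len // file_align) * file_align
    size_of_image = max(va + -(-vs // sec_align) * sec_align for _, vs, va, _ in secs)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 32, sec_align, file_align)
    struct.pack_into("<II", opt, 56, size_of_image, size_of_headers)
    hdrs, body, raw_ptr = bytearray(), bytearray(), size_of_headers
    for name, vsize, vaddr, raw in secs:
        raw_size = -(-len(raw) // file_align) * file_align
        hdrs += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + bytes(hdrs)
    return headers.ljust(size_of_headers, b"\0") + bytes(body)
```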

3. Launch of the Vadchdhv core process and behavior tracing

Once the shellcode has released the trojan body, execution jumps into the process body. Tracing captures the following key functions:

CALL 00021350 at 00021BE7; stepping in: it creates the hidden folder C:\Users\*\AppData\Roaming in the user directory and creates the file gxwmgr32.exe.

Continuing the trace:

Note the PUSH ECX at 00021EF8; UNICODE "C:\Users\*\Desktop\c14bc530f959cb8dedb0f51527173a44cec8b670" obtains the path of the original trojan sample. Step into the function call CALL 000213C0 at 00021EFD:

It reads data from the original sample. Continue tracing to CALL 00021C00 at 00021F0C and step in:

It creates svchost.exe under "C:\Windows\system32\" and modifies the file attributes to hide it. Continuing the trace:

Step into CALL 00021370:

Step into CALL 00021CC0. This function is the key code where the Vadchdhv trojan launches a cmd process, which runs the file "C:\Users\h\AppData\Roaming\4336348.bat" through cmd; the file name 4336348 is generated randomly by a call to a low-level function.

In this key function, CALL 00022090 at 00021D2A modifies the file attributes via RtlTimeToSecondsSince1970 and kernel32.GetSystemTimeAsFileTime(pFiletime) to hide the file; CALL 00021AE0 at 00021DEC fetches the batch commands used by the batch process (ASCII):
:l
if not exist "C:\Users\h\Desktop\C14BC5~1" goto e
del /Q /F "C:\Users\h\Desktop\C14BC5~1"
goto l
:e
del /Q /F "C:\Users\h\AppData\Roaming\4336348.bat"
After that, at 00021E7E it calls CALL DWORD PTR DS:[2303C], i.e. BOOL kernel32.CreateProcessW, to start the cmd process, with the parameters:

At this point the Vadchdhv trojan has completed its first step. Next it starts a loop that enumerates the system's processes looking for the "explorer.exe" process, traced as follows:

Once explorer.exe is found it performs process injection; the process injection and what follows will be added another day.
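As an added example that is not from the post, detection logic a defender could run over process and file telemetry for the behaviour traced in this section: the executable dropped under AppData\Roaming, the hidden svchost.exe written into System32, the timestamp change on it, and cmd running a numerically named .bat from Roaming. The events are constructed Sysmon-style records, and the cmd command line is an assumed form, since the post shows the CreateProcessW parameters only in a screenshot.

```python
import re

# Constructed Sysmon-style events (not real telemetry) modelling section 3.
# EventID 11 = FileCreate, 2 = file creation time changed, 1 = ProcessCreate.
# The cmd command line is an assumed form (the post shows CreateProcessW's
# parameters only in a screenshot).
SAMPLE = r"C:\Users\h\Desktop\c14bc530f959cb8dedb0f51527173a44cec8b670"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\h\AppData\Roaming\Microsoft\gxwmgr32.exe"},
    {"EventID": 11, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\system32\svchost.exe"},
    {"EventID": 2, "Image": SAMPLE, "TargetFilename": r"C:\Windows\system32\svchost.exe",
     "PreviousCreationUtcTime": "2021-07-21 09:35:00", "CreationUtcTime": "2009-07-14 01:14:00"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": r'cmd /c "C:\Users\h\AppData\Roaming\4336348.bat"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",        # benign control event
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_PATHS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\desktop\\")
RANDOM_BAT = re.compile(r"\\appdata\\roaming\\\d+\.bat\b", re.IGNORECASE)


def classify(ev: dict) -> list:
    """Return the names of the rules an event matches (empty list if it looks clean)."""
    hits = []
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    target = ev.get("TargetFilename", "").lower()
    from_user_path = any(p in image for p in USER_PATHS)
    if eid == 11 and from_user_path and target.startswith(SYSTEM_DIRS):
        hits.append("system-binary-write-from-user-path")   # hidden svchost.exe in System32
    if eid == 11 and from_user_path and target.endswith(".exe") and "\\appdata\\roaming\\" in target:
        hits.append("exe-dropped-in-roaming")               # gxwmgr32.exe under Roaming
    # ISO-style timestamps compare correctly as strings; a creation time moved into
    # the past on a System32 file is the SetFileTime backdating seen in the trace.
    if (eid == 2 and target.startswith(SYSTEM_DIRS)
            and ev.get("CreationUtcTime", "") < ev.get("PreviousCreationUtcTime", "")):
        hits.append("timestomp-system-file")
    if eid == 1 and image.endswith("\\cmd.exe") and RANDOM_BAT.search(ev.get("CommandLine", "")):
        hits.append("cmd-runs-numeric-bat-in-roaming")      # the 4336348.bat self-delete script
    return hits


def scan(events: list) -> list:
    """Return (EventID, matched rules) for every event that trips at least one rule."""
    out = []
    for ev in events:
        hits = classify(ev)
        if hits:
            out.append((ev["EventID"], hits))
    return out
```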

 
 
.text:0040301F                 add     edi, dword_405D2C
.text:00403025                 push    flProtect ;flProtect
.text:0040302B                 push    flAllocationType ; flAllocationType
.text:00403031                 lea     eax, [ebp+var_1C]
.text:00403034                 push    edi
.text:00403035                 pop     dword ptr [eax]
.text:00403037                 mov     esi, [ebp+var_1C]
.text:0040303A                 mov     off_405B1C, esi
.text:00403040                 push    off_405B1C      ; dwSize
.text:00403046                 push    dword ptr asc_405598+4 ; lpAddress
.text:0040304C                 call    ds:VirtualAlloc
.text:00404436                 call    sub_401000
.text:00402F9A                 mov     esi, [ebp+var_20]
.text:00402F9D                 mov     off_40521C, esi
.text:00402FA3                 push    off_40521C
.text:00402FA9                 mov     dword_405090, edx
.text:00402FAF                 call    dword_405090
 
 
 
002605DE    FF55 D0         CALL DWORD PTR SS:[EBP-30]             ; ntdll.NtProtectVirtualMemory
002605E1    85C0            TEST EAX,EAX
002605E3    0F85 87010000   JNE 00260770
002605E9    6A 40           PUSH 40
002605EB    68 00300000     PUSH 3000
002605F0    FF75 0C         PUSH DWORD PTR SS:[EBP+0C]
002605F3    6A 00           PUSH 0
002605F5    C745 DC 0000000 MOV DWORD PTR SS:[EBP-24],0
002605FC    8D45 DC         LEA EAX,[EBP-24]
002605FF    50              PUSH EAX
00260600    6A FF           PUSH -1
00260602    FF55 D4         CALL DWORD PTR SS:[EBP-2C]             ; ntdll.NtAllocateVirtualMemory
CPU Stack
Address   Value      ASCII Comment
0017FE88  /FFFFFFFF  ÿÿÿÿ  ; |Arg1 = -1
0017FE8C  |0017FED8  Øþ   ; |Arg2 = 17FED8
0017FE90  |00000000        ; |Arg3 = 0
0017FE94  |00025C20   \   ; |Arg4 = c14bc530f959cb8dedb0f51527173a4.25C20
0017FE98  |00003000   0    ; |Arg5 = 3000
0017FE9C  |00000040  @     ; \Arg6 = 40
CPU Disasm
Address     Hex dump        Command                                Comment
00260602    FF55 D4         CALL DWORD PTR SS:[EBP-2C]             ; ntdll.NtAllocateVirtualMemory
00260605    85C0            TEST EAX,EAX
00260607    0F85 63010000   JNE 00260770
0026060D    8B75 DC         MOV ESI,DWORD PTR SS:[EBP-24]
00260610    33C0            XOR EAX,EAX
00260612    8B4D E0         MOV ECX,DWORD PTR SS:[EBP-20]
00260615    8B7D FC         MOV EDI,DWORD PTR SS:[EBP-4]
00260618    F2:AA           REPNE STOS BYTE PTR ES:[EDI]           ; Undocumented instruction or encoding : copy to EDI: 0002004A ; ECX: 0001AFB6; contains the string "this program cannot be run in DOS mode.&&"
CPU Disasm
Address     Hex dump                Command                                  Comment
002606A7    8BF3            MOV ESI,EBX
002606A9    8B7D FC         MOV EDI,DWORD PTR SS:[EBP-4]
002606AC    0372 14         ADD ESI,DWORD PTR DS:[EDX+14]
002606AF    037A 0C         ADD EDI,DWORD PTR DS:[EDX+0C]
002606B2    51              PUSH ECX
002606B3    8B4A 10         MOV ECX,DWORD PTR DS:[EDX+10]
002606B6    85C9            TEST ECX,ECX
002606B8    75 07           JNE SHORT 002606C1
002606BA    C742 14 0000000 MOV DWORD PTR DS:[EDX+14],0
002606C1    3B4A 08         CMP ECX,DWORD PTR DS:[EDX+8]
002606C4    76 03           JBE SHORT 002606C9
002606C6    8B4A 08         MOV ECX,DWORD PTR DS:[EDX+8]
002606C9    F2:A4           REPNE MOVS BYTE PTR ES:[EDI],BYTE PTR  ; Undocumented instruction or encoding : decoded and written to 00021000
CPU Disasm
Address     Hex dump                Command                                  Comment
002606A9    8B7D FC         MOV EDI,DWORD PTR SS:[EBP-4]
002606AC    0372 14         ADD ESI,DWORD PTR DS:[EDX+14]
002606AF    037A 0C         ADD EDI,DWORD PTR DS:[EDX+0C]
002606B2    51              PUSH ECX
002606B3    8B4A 10         MOV ECX,DWORD PTR DS:[EDX+10]
002606B6    85C9            TEST ECX,ECX
002606B8    75 07           JNE SHORT 002606C1
002606BA    C742 14 0000000 MOV DWORD PTR DS:[EDX+14],0
002606C1    3B4A 08         CMP ECX,DWORD PTR DS:[EDX+8]
002606C4    76 03           JBE SHORT 002606C9
002606C6    8B4A 08         MOV ECX,DWORD PTR DS:[EDX+8]
002606C9    F2:A4           REPNE MOVS BYTE PTR ES:[EDI],BYTE PTR  ; Undocumented instruction or encoding : written to 00023000
002606CB    59              POP ECX
 
CPU Disasm
Address     Hex dump         Command          Comment
00021BDA  |?  56            PUSH ESI 
00021BDB  |?  57            PUSH EDI   
00021BDC  |?  68 BC330200   PUSH 000233BC  
00021BE1  |?  57            PUSH EDI    ; |UNICODE "C:\Users\*\AppData\Roaming"
00021BE2  |?  BA 04010000   MOV EDX,104    
00021BE7  |?  E8 64F7FFFF   CALL 00021350
CPU Disasm
Address     Hex dump                Command                              Comment
 
00021350  |?  8B4C24 08     MOV ECX,DWORD PTR SS:[ESP+8]
00021354  |.  8D4424 0C     LEA EAX,[ESP+0C]
00021358  |?  50            PUSH EAX
00021359  |?  8B4424 08     MOV EAX,DWORD PTR SS:[ESP+8]   ; UNICODE "C:\Users\*\AppData\Roaming"
0002135D  |.  51            PUSH ECX
0002135E  |?  52            PUSH EDX
0002135F  |?  50            PUSH EAX    UNICODE "C:\Users\h\AppData\Roaming"
00021360  |.  FF15 98300200 CALL DWORD PTR DS:[23098]   ; \SHLWAPI.7536EFD9
7536F0B6  |.  5F            POP EDI                     ; UNICODE "C:\Users\h\AppData\Roaming\Microsoft\gxwmgr32.exe"
Stack info:
7535C527  /3B0D 04233975 CMP ECX,DWORD PTR DS:[75392304]
7535C52D  |.  0F85 9E240300 JNE 7538E9D1
7535C533  \.  C3            RETN
7535C534   5300 7900 730 UNICODE "System",0                 ; UNICODE "System"
00021366  |.  C3            RETN
00021ED2  |.  6A 00         PUSH 0
00021ED4  |?  FF15 44300200 CALL DWORD PTR DS:[23044]   ; INT kernel32.GetModuleFileNameW(hModule (the trojan sample on the desktop),Buffer,Count)
00021EDA  |?  85C0          TEST EAX,EAX
00021EDC  |?  76 47         JBE SHORT 00021F25
00021EDE  |?  8D0424        LEA EAX,[ESP]
00021EE1  |.  8D9424 080200 LEA EDX,[ESP+208]
00021EE8  |?  E8 43000000   CALL 00021F30
00021EED  |?  85C0          TEST EAX,EAX
00021EEF  |?  74 34         JE SHORT 00021F25
00021EF1  |?  8D8C24 080200 LEA ECX,[ESP+208]
00021EF8  |?  51            PUSH ECX; UNICODE "C:\Users\*\Desktop\c14bc530f959cb8dedb0f51527173a44cec8b670"
00021EF9  |?  8D4424 04     LEA EAX,[ESP+4]
00021EFD  |?  E8 BEF4FFFF   CALL 000213C0          
00021F02  |?  83C4 04       ADD ESP,4
00021F05  |.  85C0          TEST EAX,EAX
00021F07  |?  74 10         JE SHORT 00021F19
00021F09  |?  8D0424        LEA EAX,[ESP]
00021F0C  |.  E8 EFFCFFFF   CALL 00021C00
CPU Disasm
Address     Hex dump                Command        Comment
000213C0  |.  83EC 0C       SUB ESP,0C ; \CSCDLL.CSCUnpinFileW
000213C3  |?  53            PUSH EBX
000213C4  |?  56            PUSH ESI
000213C5  |?  57            PUSH EDI
000213C6  |.  8BF0          MOV ESI,EAX
000213C8  |?  68 80000000   PUSH 80
000213CD  |?  56            PUSH ESI  ; UNICODE "C:\Users\h\AppData\Roaming\Microsoft\gxwmgr32.exe"
000213CE  |?  33FF          XOR EDI,EDI
000213D0  |?  FF15 2C300200 CALL DWORD PTR DS:[2302C]  :  ; BOOL kernel32.SetFileAttributesW(Name,Attributes)
000213D6  |?  57            PUSH EDI
000213D7  |?  6A 05         PUSH 5
000213D9  |?  6A 02         PUSH 2
000213DB  |?  57            PUSH EDI
000213DC  |?  57            PUSH EDI
000213DD  |?  68 00000040   PUSH 40000000
000213E2  |?  56            PUSH ESI
000213E3  |?  8B35 60300200 MOV ESI,DWORD PTR DS:[23060]
000213E9  |?  FFD6          CALL ESI  ; kernel32.CreateFileW
000213EB  |?  8BD8          MOV EBX,EAX
000213ED  |?  83FB FF       CMP EBX,-1
000213F0  |?  0F84 C5000000 JE 000214BB
000213F6  |?  8B4424 1C     MOV EAX,DWORD PTR SS:[ESP+1C]; UNICODE "C:\Users\h\Desktop\c14bc530f959cb8dedb0f51527173a44cec8b670"
000213FA  |?  57            PUSH EDI
000213FB  |?  57            PUSH EDI
000213FC  |?  6A 03         PUSH 3
000213FE  |.  57            PUSH EDI
CPU Disasm
Address     Hex dump                Command             Comment
00021C00
00021C05  |.  0053 56       ADD BYTE PTR DS:[EBX+56],DL
00021C08  |?  8B35 60300200 MOV ESI,DWORD PTR DS:[23060]
00021C0E  |?  57            PUSH EDI
00021C0F  |?  6A 00         PUSH 0
00021C11  |?  68 80000000   PUSH 80
00021C16  |.  6A 03         PUSH 3
00021C18  |?  6A 00         PUSH 0
00021C1A  |?  6A 00         PUSH 0
00021C1C  |.  68 00010000   PUSH 100
00021C21  |.  50            PUSH EAX
00021C22  |?  FFD6          CALL ESI  ;kernel32.CreateFileW
00021C24  |?  8B1D 58300200 MOV EBX,DWORD PTR DS:[23058]
00021C2A  |?  8BF8          MOV EDI,EAX
00021C2C  |?  83FF FF       CMP EDI,-1
00021C2F  |?  74 7A         JE SHORT 00021CAB
00021C31  |.  8D4C24 1C     LEA ECX,[ESP+1C]
00021C35  |?  51            PUSH ECX
00021C36  |.  6A 00         PUSH 0
00021C38  |?  6A 00         PUSH 0
00021C3A  |?  68 25800000   PUSH 8025
00021C3F  |?  6A 00         PUSH 0
00021C41  |?  FF15 8C300200 CALL DWORD PTR DS:[2308C] ; SHELL32.SHGetFolderPathW(guessed Arg1,Arg2,Arg3,Arg4,Arg5)  : UNICODE "C:\Windows\system32"
00021C47  |?  8D5424 1C     LEA EDX,[ESP+1C]
00021C4B  |?  52            PUSH EDX
00021C4C  |?  8BC2          MOV EAX,EDX;UNICODE "C:\Windows\system32"
00021C4E  |?  68 04350200   PUSH 00023504
00021C53  |?  50            PUSH EAX
00021C54  |?  BA 04010000   MOV EDX,104
00021C59  |?  E8 F2F6FFFF   CALL 00021350
00021C5E  |.  83C4 0C       ADD ESP,0C
00021C61  |?  6A 00         PUSH 0
00021C63  |?  6A 10         PUSH 10
00021C65  |?  6A 03         PUSH 3
00021C67  |?  6A 00         PUSH 0
00021C69  |.  6A 01         PUSH 1  ; /BufSize = 1
00021C6B  |?  68 80000000   PUSH 80 
00021C70  |?  8D4C24 34     LEA ECX,[ESP+34]
00021C74  |.  51            PUSH ECX; |UNICODE "C:\Windows\system32\svchost.exe"
00021C75  |?  FFD6          CALL ESI ;kernel32.CreateFileW
00021C77  |?  8BF0          MOV ESI,EAX 
00021C79  |?  83FE FF       CMP ESI,-1  
00021C7C  |.  74 2A         JE SHORT 00021CA8 ; |Buf = "V"
00021C7E  |?  8D5424 14     LEA EDX,[ESP+14]
00021C82  |.  52            PUSH EDX  ; |Size => 155872.
00021C83  |?  6A 00         PUSH 0
00021C85  |?  8D4424 14     LEA EAX,[ESP+14]    
00021C89  |?  50            PUSH EAX
00021C8A  |?  56            PUSH ESI
00021C8B  |?  FF15 48300200 CALL DWORD PTR DS:[23048] ; BOOL kernel32.GetFileTime(hFile,pCreationTime,pLastAccessTime,pLastWriteTime)
00021C91  |?  85C0          TEST EAX,EAX
00021C93  |?  74 13         JE SHORT 00021CA8
00021C95  |.  8D4C24 14     LEA ECX,[ESP+14]; /Arg6 => [LOCAL.3]
00021C99  |?  51            PUSH ECX  
00021C9A  |?  6A 00         PUSH 0     
00021C9C  |?  8D5424 14     LEA EDX,[ESP+14]  
00021CA0  |?  52            PUSH EDX    
00021CA1  |.  57            PUSH EDI   
00021CA2  |?  FF15 40300200 CALL DWORD PTR DS:[23040]  ; BOOL kernel32.SetFileTime(hFile,CreationTime,AccessTime,WriteTime)
00021CA8  |?  56            PUSH ESI     
00021CA9  |?  FFD3          CALL EBX  ;kernel32.CloseHandle
00021CAB  |?  57            PUSH EDI
00021CAC  |?  FFD3          CALL EBX ;kernel32.CloseHandle
00021CAE  |?  5F            POP EDI
00021CAF  |?  5E            POP ESI 
00021CB0  |?  5B            POP EBX  
00021CB1  |?  81C4 18020000 ADD ESP,218 
00021CB7  |?  C3            RETN

Latest replies (3)
mb_plkoupkf, could we get in touch? q***********2

How do I add you?

Last edited by kanxue on 2022-2-20 16:49, reason:
2021-10-10 12:17
mark
2021-10-11 08:28