分析彩虹外挂
彩虹QQ删除原版MSIMG32.dll
012581F3 83C4 0C add esp, 0C
012581F6 68 2C4D2C01 push 012C4D2C ; ASCII "MSIMG32.dll"
012581FB 8D8D D8FEFFFF lea ecx, dword ptr [ebp-128]
01258201 51 push ecx
01258202 E8 B99B0300 call 01291DC0
01258207 83C4 08 add esp, 8
0125820A 68 80000000 push 80
0125820F 8D95 D8FEFFFF lea edx, dword ptr [ebp-128]
01258215 52 push edx
01258216 FF15 98312C01 call dword ptr [<&KERNEL32.SetFileAtt>; kernel32.SetFileAttributesA
0125821C 8D85 D8FEFFFF lea eax, dword ptr [ebp-128]
01258222 50 push eax
01258223 FF15 9C312C01 call dword ptr [<&KERNEL32.DeleteFile>; kernel32.DeleteFileA
01258229 C785 B0FBFFFF 0>mov dword ptr [ebp-450], 0
01258233 6A 10 push 10
01258235 6A 00 push 0
01258237 8D8D C4FCFFFF lea ecx, dword ptr [ebp-33C]
0125823D 51 push ecx
0125823E E8 0D8B0300 call 01290D50
01258243 83C4 0C add esp, 0C
01258246 C745 FC 0000000>mov dword ptr [ebp-4], 0
0125824D 8D95 B8FBFFFF lea edx, dword ptr [ebp-448]
01258253 52 push edx
复制自己的 msimg32.dll去给QQ BB
012583EB 8D8D A8FAFFFF lea ecx, dword ptr [ebp-558]
012583F1 51 push ecx
012583F2 E8 B9990300 call 01291DB0
012583F7 83C4 08 add esp, 8
012583FA 68 604D2C01 push 012C4D60 ; ASCII "msimg32.dll"
012583FF 8D95 A8FAFFFF lea edx, dword ptr [ebp-558]
01258405 52 push edx
01258406 E8 B5990300 call 01291DC0
0125840B 83C4 08 add esp, 8
0125840E 6A 00 push 0
01258410 8D85 A8FAFFFF lea eax, dword ptr [ebp-558]
01258416 50 push eax
01258417 68 6C4D2C01 push 012C4D6C ; ASCII "msimg32.dll"
0125841C FF15 D4312C01 call dword ptr [<&KERNEL32.CopyFileA>] ; kernel32.CopyFileA
01258422 8B4D 10 mov ecx, dword ptr [ebp+10]
01258425 890D 04F12F01 mov dword ptr [12FF104], ecx
0125842B C785 48F9FFFF 0>mov dword ptr [ebp-6B8], 0
01258435 B9 10000000 mov ecx, 10
0125843A 33C0 xor eax, eax
0125843C 8DBD 4CF9FFFF lea edi, dword ptr [ebp-6B4]
01258442 F3:AB rep stos dword ptr es:[edi]
开始启动QQ了
0125845C 6A 00 push 0
0125845E 6A 00 push 0
01258460 6A 20 push 20
01258462 6A 00 push 0
01258464 6A 00 push 0
01258466 6A 00 push 0
01258468 8D8D D8FCFFFF lea ecx, dword ptr [ebp-328]
0125846E 51 push ecx
0125846F 8D95 D8FEFFFF lea edx, dword ptr [ebp-128]
01258475 52 push edx
01258476 FF15 A8312C01 call dword ptr [<&KERNEL32.CreateProcessA>] ; kernel32.CreateProcessA
0125847C 85C0 test eax, eax
0125847E 75 0A jnz short 0125848A
01258480 C785 B0FBFFFF 0>mov dword ptr [ebp-450], 1
0125848A C745 FC FFFFFFF>mov dword ptr [ebp-4], -1
01258491 E8 02000000 call 01258498
01258496 EB 43 jmp short 012584DB
01258498 83BD C4FCFFFF 0>cmp dword ptr [ebp-33C], 0
0125849F 74 18 je short 012584B9
012584A1 8B85 C4FCFFFF mov eax, dword ptr [ebp-33C]
012584A7 50 push eax
012584A8 FF15 AC312C01 call dword ptr [<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
012584AE 8B4D 08 mov ecx, dword ptr [ebp+8]
堆栈信息
0012F4B0 0012F874 |CommandLine = """D:\soft\Tencent\QQ\caihong hok\CaiHong.exe"""
0012F4B4 00000000 |pProcessSecurity = NULL
0012F4B8 00000000 |pThreadSecurity = NULL
0012F4BC 00000000 |InheritHandles = FALSE
0012F4C0 00000020 |CreationFlags = NORMAL_PRIORITY_CLASS
0012F4C4 00000000 |pEnvironment = NULL
0012F4C8 00000000 |CurrentDir = NULL
0012F4CC 0012F4E4 |pStartupInfo = 0012F4E4
0012F4D0 0012F860 \pProcessInfo = 0012F860
0012F4D4 7C80B6A1 kernel32.GetModuleHandleA
0012F4D8 00000000
0040158F . 52 push edx
00401590 . 68 F8994000 push 004099F8
00401595 . 68 F4994000 push 004099F4
0040159A . FF95 8CFEFFFF call dword ptr [ebp-174] ; 原来在这里 回去caihong.exe了 打算功成身退了
004015A0 . 83C4 0C add esp, 0C
004015A3 . 8945 BC mov dword ptr [ebp-44], eax
004015A6 . 8B45 BC mov eax, dword ptr [ebp-44]
004015A9 . 50 push eax
004015AA . FF55 E4 call dword ptr [ebp-1C]
004015AD . 83C4 04 add esp, 4
004015B0 > 837D BC 00 cmp dword ptr [ebp-44], 0
004015B4 . 74 08 je short 004015BE
浙公网安备 33010602011771号