<p style="text-align: left;">前段时间，我在网上下载了一个 3D 游戏，想玩的时候却被提示必须把 IE 主页设置为某个特定网址才能玩这个游戏。对于我这种有"系统洁癖"的人来说，最反感的就是这类要求。用 PEiD 查了一下，发现没有加壳；一路跟下来，发现这个程序也提供了一种病毒感染的思路，那就是资源感染：即把宿主程序作为病毒程序的一个资源保存起来，再用附加了宿主程序资源的病毒程序覆盖原宿主程序；打开病毒程序时，病毒发作，同时把宿主程序释放出来并运行之。下面是这个 3D 游戏的反汇编片段：</p>
<p><textarea class="cpp:nogutter" name="code">/****************************************************************
.text:004012F8 loc_4012F8: ; CODE XREF: sub_4010C0+231j
.text:004012F8 lea ecx, [esp+12B4h+var_12A0]
.text:004012FC call ??1CString@@QAE@XZ ; CString::~CString(void)
.text:00401301 mov eax, [esp+12B4h+var_1294]
.text:00401305 add esi, 4
.text:00401308 cmp esi, eax
.text:0040130A jnz short loc_4012CF
.text:0040130C cmp edi, 1
.text:0040130F jnz loc_401470
.text:00401315 mov ecx, 3FFh
.text:0040131A xor eax, eax
.text:0040131C lea edi, [esp+12B4h+var_100B]
.text:00401323 mov [esp+12B4h+Filename], bl
.text:0040132A rep stosd
.text:0040132C stosw
.text:0040132E lea ecx, [esp+12B4h+Filename]
.text:00401335 push 1000h ; nSize
.text:0040133A push ecx ; lpFilename
.text:0040133B push ebx ; hModule
.text:0040133C stosb
.text:0040133D call ds:GetModuleFileNameA
.text:00401343 loc_401343: ; CODE XREF: sub_4010C0+28Ej
.text:00401343 mov dl, [esp+eax+12B4h+Filename]
.text:0040134A dec eax
.text:0040134B cmp dl, 5Ch
.text:0040134E jnz short loc_401343
.text:00401350 mov [esp+eax+12B4h+var_100B], bl
.text:00401357 lea eax, [esp+12B4h+Filename]
.text:0040135E push eax
.text:0040135F lea ecx, [esp+12B8h+var_12A0]
.text:00401363 call ??0CString@@QAE@PBD@Z ; CString::CString(char const *)
.text:00401368 push offset aRplay_cn_exe ; "//RpLay_cn.exe"
.text:0040136D lea ecx, [esp+12B8h+var_12A0]
.text:00401371 mov byte ptr [esp+12B8h+var_4], 2
.text:00401379 call ??YCString@@QAEABV0@PBD@Z ; CString::operator+=(char const *)
.text:0040137E push ecx ; lpType
.text:0040137F mov ecx, esp
.text:00401381 mov [esp+12B8h+var_126C], esp
.text:00401385 push offset unk_4062E4
.text:0040138A call ??0CString@@QAE@PBD@Z ; CString::CString(char const *)
.text:0040138F push 9Dh ; int
.text:00401394 push ebx
.text:00401395 lea ecx, [esp+12C0h+var_12A0]
.text:00401399 mov byte ptr [esp+12C0h+var_4], 3
.text:004013A1 call ?GetBuffer@CString@@QAEPADH@Z ; CString::GetBuffer(int)
.text:004013A6 push ecx ; lpFileName
.text:004013A7 mov ecx, esp
.text:004013A9 mov [esp+12C0h+var_1268], esp
.text:004013AD push eax
.text:004013AE call ??0CString@@QAE@PBD@Z ; CString::CString(char const *)
.text:004013B3 mov ecx, ebp
.text:004013B5 mov byte ptr [esp+12C0h+var_4], 2
.text:004013BD call sub_401510
.text:00401510 ; int __stdcall sub_401510(LPCSTR lpFileName, int, LPCSTR lpType)
.text:00401510 sub_401510 proc near ; CODE XREF: sub_4010C0+2FDp
.text:00401510
.text:00401510 NumberOfBytesWritten= dword ptr -10h
.text:00401510 var_C = dword ptr -0Ch
.text:00401510 var_4 = dword ptr -4
.text:00401510 lpFileName = dword ptr 4
.text:00401510 arg_4 = dword ptr 8
.text:00401510 lpType = dword ptr 0Ch
.text:00401510
.text:00401510 push 0FFFFFFFFh
.text:00401512 push offset SEH_401510
.text:00401517 mov eax, large fs:0
.text:0040151D push eax
.text:0040151E mov large fs:0, esp
.text:00401525 push ecx
.text:00401526 push ebx
.text:00401527 push esi
.text:00401528 xor ebx, ebx
.text:0040152A mov [esp+18h+var_4], ebx
.text:0040152E mov eax, [esp+18h+lpFileName]
.text:00401532 push ebx ; hTemplateFile
.text:00 |
|