OD analysis of the EXE-infecting trojan 7a3e0f74.exe

Analysis environment:
1. Virtual machine: VMware Workstation 10.0.0 build-1295980
2. Operating system: Windows Server 2003 SP2
3. No anti-virus software installed

Step 1: identify and remove the packer. Dealing with the packer first makes the rest of the analysis much easier.
Then look at the sections:
The scan reports both ASPack 2.12 and UPX, so the file is either double-packed or carries a faked packer signature; both are compression packers. Start by stripping ASPack 2.12 with the ESP trick. Load the trojan in OD; it stops at the packer's entry point:
00421001    60               pushad                        ; program entry point: saves all registers on the stack
00421002    E8 03000000      call 7a3e0f74.0042100A        ; calls 3 bytes ahead, into the middle of the next "instruction"
00421007    E9 EB045D45      jmp 459F14F7                  ; junk decode: the bytes 5D 45 at 0042100A are really pop ebp / inc ebp
0042100C    55               push ebp
0042100D    C3               retn
Press F8 once to execute the pushad, then right-click ESP in the register window and choose "Follow in Dump". In the dump window set a hardware breakpoint on access (word) on the first bytes (or simply type hr 0012FFA4 on the command line) and press F9. The packer's popad touches that address when it restores the registers just before jumping to the original code, so execution stops here:
00421416    75 08            jnz short 7a3e0f74.00421420   ; the hardware breakpoint on ESP fires and F9 stops here
00421418    B8 01000000      mov eax,1
0042141D    C2 0C00          retn 0C
00421420    68 00104000      push 7a3e0f74.00401000        ; pushes the OEP ...
00421425    C3               retn                          ; ... and "returns" into it
Three more single-steps (F8) land on the OEP:
00401000    55               push ebp                      ; OEP
00401001    8BEC             mov ebp,esp
00401003    83EC 28          sub esp,28
00401006    8365 FC 00       and dword ptr [ebp-4],0
0040100A    837D 0C 02       cmp dword ptr [ebp+C],2
0040100E    74 30            je short 7a3e0f74.00401040
00401010    837D 0C 03       cmp dword ptr [ebp+C],3
00401014    74 2A            je short 7a3e0f74.00401040
00401016    A1 68E14000      mov eax,dword ptr [40E168]
……
With EIP at 00401000, dump the process with OD's dump plugin (OllyDump) or another dumper to get 1.exe. Then load it in ImpREC, find the IAT and check whether every import pointer is valid; fix any invalid ones and write the result out as 1_.exe. A quick sanity check on the dump is that its entry point now points at 00401000 in the first code section rather than into the packer's section. Post-unpacking optimisation (removing the now-dead packer sections) is not covered here; interested readers can do it themselves.
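The two checks the unpacking step relies on, as an added example that is not code from the original post: which section the entry point lives in, and how compressed each section's data looks (Shannon entropy). ASPack/UPX-style packers usually put the entry point in an extra section appended after the real code and leave the original sections full of high-entropy compressed data; after a correct dump and OEP fix the entry point should sit in the first code section again. The PE images built by build_pe() are constructed in-memory fixtures with made-up section contents, not the real 7a3e0f74.exe; the section names and the entry RVA 0x21001 (image base 0x400000, matching the 00421001 seen above) are the only things taken from the post.

```python
import math
import random
import struct
from collections import Counter

PACKER_SECTION_NAMES = {".aspack", ".adata", "UPX0", "UPX1", "UPX2", ".upx"}
PE32_MAGIC = 0x10B


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant data, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image, headers parsed by hand."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                     # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_off = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[raw_off:raw_off + raw_size]
        sections.append({"name": name, "va": va, "vsize": vsize,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    """Locate the section holding the entry point and collect packer indicators."""
    entry_rva, sections = parse_sections(pe)
    ep_section = None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            ep_section = s["name"]
    last = sections[-1]["name"] if sections else None
    reasons = []
    if ep_section in PACKER_SECTION_NAMES:
        reasons.append(f"entry point in packer section {ep_section}")
    elif ep_section is not None and ep_section == last and len(sections) > 1:
        reasons.append(f"entry point in last section {ep_section}")
    for s in sections:
        if s["raw_size"] >= 512 and s["entropy"] > 7.0:
            reasons.append(f"high entropy ({s['entropy']:.2f}) in {s['name']}")
    return {"entry_rva": entry_rva, "ep_section": ep_section,
            "sections": {s["name"]: round(s["entropy"], 2) for s in sections},
            "packed": bool(reasons), "reasons": reasons}


def build_pe(sections, entry_rva: int, image_base: int = 0x400000) -> bytes:
    """Construct a minimal PE32 image (DOS stub, headers, raw section data) for testing.
    sections: list of (name, rva, raw_bytes). Only the fields parse_sections() reads are meaningful."""
    n = len(sections)
    raw_off = (0x40 + 4 + 20 + 224 + 40 * n + 511) // 512 * 512
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIII", PE32_MAGIC, 0, 0, 0, 0, 0,
                      entry_rva, 0, 0, image_base).ljust(224, b"\0")
    hdrs, body = b"", b""
    for name, rva, raw in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), rva, len(raw),
                            raw_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw.ljust((len(raw) + 511) // 512 * 512, b"\0")
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(raw_off, b"\0") + body


# Constructed fixtures. Seeded random bytes stand in for compressed code.
_rng = random.Random(7)
PACKED = build_pe([(".text", 0x1000, bytes(_rng.getrandbits(8) for _ in range(4096))),
                   (".data", 0x3000, b"\0" * 1024),
                   (".aspack", 0x21000, b"\x60\xe8\x03\x00\x00\x00" + b"\x90" * 1018),
                   (".adata", 0x2A000, b"\0" * 512)],
                  entry_rva=0x21001)
UNPACKED = build_pe([(".text", 0x1000, b"\x55\x8b\xec\x83\xec\x28" + b"\xc3" * 4090),
                     (".data", 0x3000, b"\0" * 1024)],
                    entry_rva=0x1000)

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("dumped", UNPACKED)):
        print(label, triage(img))
```

On a real file, replace PACKED with open(path, "rb").read(). The entropy threshold is a heuristic: a section of genuine code sits around 6 bits per byte, compressed or encrypted data near 8, so a "code" section above 7 is suspicious even when the section names look normal. What this does not replicate is ImpREC's import check; that still needs the live process.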
Step 2: load the unpacked file in OD and go to the OEP (note: only the important parts of the assembly below are annotated):
00401000    55               push ebp                      ; OEP
00401001    8BEC             mov ebp,esp
00401003    83EC 28          sub esp,28
00401006    8365 FC 00       and dword ptr [ebp-4],0
0040100A    837D 0C 02       cmp dword ptr [ebp+C],2       ; second stack argument; 2 = DLL_THREAD_ATTACH
0040100E    74 30            je short 1_.00401040
00401010    837D 0C 03       cmp dword ptr [ebp+C],3       ; 3 = DLL_THREAD_DETACH
00401014    74 2A            je short 1_.00401040
00401016    A1 68E14000      mov eax,dword ptr [<&kernel32.GetTempPathA>]        ; fetch the address of GetTempPathA
0040101B    8945 D8          mov dword ptr [ebp-28],eax
0040101E    A1 38E14000      mov eax,dword ptr [<&kernel32.GetSystemDirectoryA>] ; fetch the address of GetSystemDirectoryA
00401023    8945 DC          mov dword ptr [ebp-24],eax
00401026    68 A0354100      push 1_.004135A0              ; buffer that receives the temp path: C:\Documents and Settings\Administrator\Local Settings\Temp
0040102B    68 04010000      push 104
00401030    FF55 D8          call dword ptr [ebp-28]       ; GetTempPathA(104, 004135A0)
00401033    68 04010000      push 104
00401038    68 B0364100      push 1_.004136B0              ; buffer that receives the system32 path: C:\WINDOWS\system32
0040103D    FF55 DC          call dword ptr [ebp-24]       ; GetSystemDirectoryA(004136B0, 104)
00401040    E8 00000000      call 1_.00401045              ; call to the very next instruction: use F7 here, the "function" starts on the next line
00401045    8B0424           mov eax,dword ptr [esp]       ; eax = the return address the call pushed = 00401045, i.e. the current EIP
00401048    83C4 04          add esp,4
0040104B    8945 FC          mov dword ptr [ebp-4],eax     ; 00401045
0040104E    6A 1C            push 1C                       ; /BufSize = sizeof(MEMORY_BASIC_INFORMATION)
00401050    8D45 E0          lea eax,dword ptr [ebp-20]    ; |
00401053    50               push eax                      ; |Buffer = 0012FFA0, receives the MEMORY_BASIC_INFORMATION
00401054    FF75 FC          push dword ptr [ebp-4]        ; |Address = 00401045
00401057    FF15 0CE14000    call dword ptr [<&kernel32.VirtualQuery>] ; \query the region that contains 00401045
0040105D    8B45 E4          mov eax,dword ptr [ebp-1C]    ; mbi.AllocationBase
00401060    A3 38434100      mov dword ptr [414338],eax    ; = 00400000, the base of the module this code lives in
00401065    6A 00            push 0                        ; /pModule = NULL
00401067    FF15 20E14000    call dword ptr [<&kernel32.GetModuleHandleW>] ; \GetModuleHandleW(NULL) = base of the process's main executable
0040106D    3B05 38434100    cmp eax,dword ptr [414338]    ; are we running as the main executable?
00401073    74 12            je short 1_.00401087          ; taken here
00401075    FF75 10          push dword ptr [ebp+10]       ; /Arg3
00401078    FF75 0C          push dword ptr [ebp+C]        ; |Arg2
0040107B    FF75 08          push dword ptr [ebp+8]        ; |Arg1
0040107E    E8 1A4A0000      call 1_.00405A9D              ; \not reached here: the path taken when the code runs as a DLL
00401083    C9               leave
00401084    C2 0C00          retn 0C
00401087    6A 01            push 1
00401089    6A 00            push 0
0040108B    E8 58230000      call 1_.004033E8              ; F7 into this: drops the trojan's files, registry entries and services
00401090    6A 00            push 0                        ; /ExitCode = 0
00401092    FF15 F8E04000    call dword ptr [<&kernel32.ExitProcess>] ; \ExitProcess: terminate once the job is done
00401098    C9               leave
00401099    C2 1000          retn 10
Two things are worth noting in this entry code. It has the shape of DllMain(hinstDLL, fdwReason, lpReserved): three stack arguments, retn 0C, and an early exit when [ebp+C] is 2 (DLL_THREAD_ATTACH) or 3 (DLL_THREAD_DETACH). The call-to-next-instruction at 00401040 is the classic way to read the current EIP; VirtualQuery on that address yields the AllocationBase of the module the code lives in, and comparing it with GetModuleHandleW(NULL), the base of the process's main executable, tells the code whether it is running as the EXE (take the 00401087 branch: drop the payload, then ExitProcess) or as a DLL loaded into some other process (call 00405A9D with the DllMain arguments). The same body can therefore serve both as the dropper and as the service DLLs it drops. That is an inference from this code; the DLL-side path is not followed in this post.
In the code above, F7 into call 1_.004033E8 at 0040108B and keep pressing F7. There is a stretch of looping and computation inside it that I did not work out; just keep going with F7 until you reach:
0040109C    55               push ebp                      ; keep F7 until here
0040109D    8BEC             mov ebp,esp
0040109F    E8 201C0000      call 1_.00402CC4              ; F7 into this; see the listing below
004010A4    E8 51160000      call 1_.004026FA              ; creates C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\<random name>.log
004010A9    85C0             test eax,eax                  ; eax = 1
004010AB    75 02            jnz short 1_.004010AF         ; taken when eax != 0
004010AD    EB 21            jmp short 1_.004010D0
004010AF    833D 58384100 01 cmp dword ptr [413858],1      ; equals 1 here, so the jump below is not taken
004010B6    75 0A            jnz short 1_.004010C2
004010B8    68 84394100      push 1_.00413984              ; /Arg1 = 00413984 ASCII "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\699340D1.log"
004010BD    E8 28960000      call 1_.0040A6EA              ; \screenshot routine; the capture is written to 699340D1.log
004010C2    E8 1A090000      call 1_.004019E1              ; unknown routine; I pressed F7 many times and it never finished
004010C7    85C0             test eax,eax                  ; eax = 0
004010C9    75 05            jnz short 1_.004010D0         ; not taken
004010CB    E8 91040000      call 1_.00401561              ; drops the trojan's files, registry entries and services
004010D0    5D               pop ebp                       ; by this point 13 trojan DLLs of 148 KB each have been written
004010D1    C3               retn
// After the call above completes there are 14 trojan files of the same size (148 KB): 13 .dll files plus one .tmp.
0040109F    E8 201C0000      call 1_.00402CC4              ; F7 into this; the function is listed below
00402CC4    55               push ebp
00402CC5    8BEC             mov ebp,esp
00402CC7    6A FF            push -1                       ; trylevel
00402CC9    68 48F04000      push 1_.0040F048              ; scope table
00402CCE    68 1AD24000      push <jmp.&msvcrt._except_handler3> ; install an SEH frame (MSVC __try/__except)
00402CD3    64:A1 00000000   mov eax,dword ptr fs:[0]      ; head of the SEH chain in the TEB
00402CD9    50               push eax
00402CDA    64:8925 00000000 mov dword ptr fs:[0],esp      ; link our frame in
00402CE1    51               push ecx
00402CE2    51               push ecx
00402CE3    83EC 10          sub esp,10
00402CE6    53               push ebx
00402CE7    56               push esi
00402CE8    57               push edi
00402CE9    8965 E8          mov dword ptr [ebp-18],esp    ; esp saved for the exception handler
00402CEC    C745 E0 00000004 mov dword ptr [ebp-20],4000000 ; region size = 0x4000000 (64 MB)
00402CF3    8365 E4 00       and dword ptr [ebp-1C],0
00402CF7    8365 DC 00       and dword ptr [ebp-24],0
00402CFB    A1 4CE14000      mov eax,dword ptr [<&kernel32.VirtualAlloc>]
00402D00    8945 D8          mov dword ptr [ebp-28],eax
00402D03    8365 FC 00       and dword ptr [ebp-4],0       ; enter __try block 0
00402D07    6A 40            push 40                       ; /Protect = PAGE_EXECUTE_READWRITE
00402D09    68 00300000      push 3000                     ; |AllocType = MEM_COMMIT|MEM_RESERVE
00402D0E    FF75 E0          push dword ptr [ebp-20]       ; |Size = 4000000
00402D11    6A 00            push 0                        ; |Address = NULL
00402D13    FF55 D8          call dword ptr [ebp-28]       ; \VirtualAlloc: returns the base of the new region on success
00402D16    8945 DC          mov dword ptr [ebp-24],eax    ; 01110000
00402D19    837D DC 00       cmp dword ptr [ebp-24],0
00402D1D    75 06            jnz short 1_.00402D25         ; taken (allocation succeeded)
00402D1F    834D FC FF       or dword ptr [ebp-4],FFFFFFFF
00402D23    EB 68            jmp short 1_.00402D8D
00402D25    FF75 E0          push dword ptr [ebp-20]       ; /n = 4000000
00402D28    68 90000000      push 90                       ; |c = 0x90 (NOP)
00402D2D    FF75 DC          push dword ptr [ebp-24]       ; |s = 01110000
00402D30    E8 79A40000      call <jmp.&msvcrt.memset>     ; \fill the whole region with 0x90
// 01110000  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
// 01110010  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
// 01110020  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
// ……
// 0510FFD0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
// 0510FFE0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
// 0510FFF0  90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
// 05110000  end of the region: 0x4000000 bytes starting at 01110000, all set to 0x90
00402D35    83C4 0C          add esp,0C
00402D38    B8 662D4000      mov eax,1_.00402D66           ; start computing the jump that will be stored at 0510FFFB
00402D3D    8945 E4          mov dword ptr [ebp-1C],eax    ; jump target = 00402D66
00402D40    8B45 DC          mov eax,dword ptr [ebp-24]    ; 01110000
00402D43    0345 E0          add eax,dword ptr [ebp-20]    ; eax = end of the region = 05110000
00402D46    C740 FB E9000000 mov dword ptr [eax-5],0E9     ; write the opcode E9 (jmp rel32) at 0510FFFB; the dword there was 90909090
00402D4D    8B45 DC          mov eax,dword ptr [ebp-24]
00402D50    0345 E0          add eax,dword ptr [ebp-20]    ; 05110000 = address of the instruction after the 5-byte jmp
00402D53    8B4D E4          mov ecx,dword ptr [ebp-1C]    ; 00402D66
00402D56    2BC8             sub ecx,eax                   ; rel32 = target - (jmp address + 5) = 00402D66 - 05110000 = FB2F2D66
00402D58    8B45 DC          mov eax,dword ptr [ebp-24]
00402D5B    0345 E0          add eax,dword ptr [ebp-20]
00402D5E    8948 FC          mov dword ptr [eax-4],ecx     ; [0510FFFC] = FB2F2D66
// 0510FFFB  E9 66 2D 2F FB                                 jmp 00402D66
00402D61    8B45 DC          mov eax,dword ptr [ebp-24]
00402D64    FFE0             jmp eax                       ; jump to 01110000 -> 90 90 90 ...
{
01110000    90               nop                           ; from here on there are 0x4000000 NOPs: they do nothing for the program, single-stepping them is pointless, and they look like a decoy aimed at the analyst
01110001    90               nop
01110002    90               nop
………………
0510FFF9    90               nop
0510FFFA    90               nop
0510FFFB    E9 662D2FFB      jmp 1_.00402D66               ; so put a breakpoint (F2) here, F9 to run to it, then F8 once
}
00402D66    68 00800000      push 8000                     ; /FreeType = MEM_RELEASE
00402D6B    6A 00            push 0                        ; |Size = 0
00402D6D    FF75 DC          push dword ptr [ebp-24]       ; |Address = 01110000
00402D70    FF15 24E14000    call dword ptr [<&kernel32.VirtualFree>] ; \VirtualFree: release the region again
00402D76    834D FC FF       or dword ptr [ebp-4],FFFFFFFF ; leave the __try block
00402D7A    EB 11            jmp short 1_.00402D8D
00402D7C    33C0             xor eax,eax                   ; exception filter: returns 1 = EXCEPTION_EXECUTE_HANDLER
00402D7E    40               inc eax
00402D7F    C3               retn
00402D80    8B65 E8          mov esp,dword ptr [ebp-18]    ; __except handler: restore esp and fall through to the epilogue
00402D83    834D FC FF       or dword ptr [ebp-4],FFFFFFFF
00402D87    EB 04            jmp short 1_.00402D8D
00402D89    834D FC FF       or dword ptr [ebp-4],FFFFFFFF
00402D8D    8B4D F0          mov ecx,dword ptr [ebp-10]    ; previous SEH record
00402D90    64:890D 00000000 mov dword ptr fs:[0],ecx      ; unlink our frame
00402D97    5F               pop edi
00402D98    5E               pop esi
00402D99    5B               pop ebx
00402D9A    C9               leave
00402D9B    C3               retn
Nothing between 00402CFB and 00402D66 changes the program's state: a 64 MB region is allocated, filled with NOPs, executed from end to end and freed again, all inside a __try block whose filter swallows any exception. The most likely purpose is anti-analysis: tracing or single-stepping through 67 million NOPs is impractical, and an emulator or sandbox with an instruction budget may give up before the real code runs. Judging from the disassembly, call 00402CC4 has no real function of its own; interested readers can try NOPing out the call and see what happens. In the debugger the breakpoint at 0510FFFB is the quickest way through; setting EIP to 00402D66 straight after the memset works as well, since the region is released there anyway.
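The address arithmetic of the 00402CC4 routine, and the reverse check an analyst would run on a dumped region, as an added example that is not code from the original post. build_trampoline() reproduces what 00402D38..00402D5E computes: the 5-byte jmp rel32 written into the last five bytes of the NOP region. scan_nop_sled() goes the other way over a memory dump: is this region a NOP sled ending in a jmp, and where does it lead? The addresses are the ones seen in the debugger session above; the scanned buffer is constructed here, not dumped from the sample, and only the single-byte 0x90 NOP used by this sample is recognised.

```python
import struct

NOP = 0x90
JMP_REL32 = 0xE9


def rel32(from_addr: int, to_addr: int) -> int:
    """Displacement for a 5-byte E9 jmp located at from_addr:
    target - (address of the next instruction), as an unsigned 32-bit value."""
    return (to_addr - (from_addr + 5)) & 0xFFFFFFFF


def build_trampoline(region_base: int, region_size: int, target: int):
    """Return (address of the jmp, its 5 bytes) exactly as the malware lays them out:
    the jmp occupies the last 5 bytes of the region, so the "next instruction"
    address used for the displacement is region_base + region_size."""
    jmp_addr = region_base + region_size - 5
    return jmp_addr, bytes([JMP_REL32]) + struct.pack("<I", rel32(jmp_addr, target))


def scan_nop_sled(region: bytes, region_base: int, min_len: int = 64):
    """Detect a run of 0x90 that ends in a jmp rel32.
    Returns (sled_length, jump_target) or None when the region does not match.
    region_base is the virtual address the dump was taken from; it is needed
    because the jmp displacement is relative to the address after the jmp."""
    if len(region) < min_len + 5 or region[-5] != JMP_REL32:
        return None
    i = len(region) - 5                       # start of the jmp
    while i > 0 and region[i - 1] == NOP:     # walk back over the sled
        i -= 1
    sled_len = len(region) - 5 - i
    if sled_len < min_len:
        return None
    disp = struct.unpack_from("<i", region, len(region) - 4)[0]
    target = (region_base + len(region) + disp) & 0xFFFFFFFF
    return sled_len, target


if __name__ == "__main__":
    # The numbers from the debugger session: region 01110000, size 0x4000000, return to 00402D66.
    addr, patch = build_trampoline(0x01110000, 0x4000000, 0x00402D66)
    print(f"{addr:08X}: {patch.hex(' ')}")            # 0510FFFB: e9 66 2d 2f fb
    # A small constructed region with the same layout (4 KB of NOPs instead of 64 MB).
    small = bytes([NOP]) * 0x1000 + build_trampoline(0x01110000, 0x1005, 0x00402D66)[1]
    print(scan_nop_sled(small, 0x01110000))            # (4096, 4205926) -> target 00402D66
```

The displacement comes out as FB2F2D66, the value OD showed in ECX at 00402D56, which confirms the reading of the disassembly. On a real process dump, a multi-megabyte run of 0x90 in PAGE_EXECUTE_READWRITE memory whose final jmp lands back inside the image is a strong indicator of this kind of anti-analysis padding, and the recovered target (here 00402D66) is exactly where to put the breakpoint.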
Next we analyse 004010A4  E8 51160000  call 1_.004026FA, which creates a randomly named .log file under C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\:
004026FA    55               push ebp
004026FB    8BEC             mov ebp,esp
004026FD    81EC 80020000    sub esp,280
00402703    C745 E8 01000000 mov dword ptr [ebp-18],1
0040270A    834D EC FF       or dword ptr [ebp-14],FFFFFFFF
0040270E    8365 F0 00       and dword ptr [ebp-10],0
00402712    8365 F4 00       and dword ptr [ebp-C],0
00402716    C745 FC 02000000 mov dword ptr [ebp-4],2
0040271D    C745 E4 01000000 mov dword ptr [ebp-1C],1
00402724    8365 F8 00       and dword ptr [ebp-8],0
00402728    C745 E0 10270000 mov dword ptr [ebp-20],2710   ; 10000
0040272F    83A5 CCFDFFFF 00 and dword ptr [ebp-234],0
00402736    68 04010000      push 104                      ; /BufSize = 104 (260.)
0040273B    8D85 D0FDFFFF    lea eax,dword ptr [ebp-230]   ; |
00402741    50               push eax                      ; |PathBuffer = 0012FD20
00402742    6A 00            push 0                        ; |hModule = NULL
00402744    FF15 58E14000    call dword ptr [<&kernel32.GetModuleFileNameA>] ; \path of our own executable
// 0012FD20  43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64  C:\Documents and
// 0012FD30  20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69   Settings\Admini
// 0012FD40  73 74 72 61 74 6F 72 5C D7 C0 C3 E6 5C 31 5F 2E  strator\桌面\1_.
// 0012FD50  65 78 65 00 01 00 00 00 50 FA 77 F6 0D ED 82 80  exe. (stack data follows the terminator)
0040274A    68 04010000      push 104                      ; /n = 104 (260.)
0040274F    8D85 D0FDFFFF    lea eax,dword ptr [ebp-230]   ; |C:\Documents and Settings\Administrator\桌面\1_.exe
00402755    50               push eax                      ; |src
00402756    8D85 D8FEFFFF    lea eax,dword ptr [ebp-128]   ; |
0040275C    50               push eax                      ; |dest
0040275D    E8 46AA0000      call <jmp.&msvcrt.memcpy>     ; \memcpy: second copy of the path
// 0012FE28  43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 6E 64  C:\Documents and
// 0012FE38  20 53 65 74 74 69 6E 67 73 5C 41 64 6D 69 6E 69   Settings\Admini
// 0012FE48  73 74 72 61 74 6F 72 5C D7 C0 C3 E6 5C 31 5F 2E  strator\桌面\1_.
// 0012FE58  65 78 65 00 01 00 00 00 50 FA 77 F6 0D ED 82 80  exe. (stack data follows the terminator)
00402762    83C4 0C          add esp,0C
00402765    83A5 DBFEFFFF 00 and dword ptr [ebp-125],0     ; [ebp-125] is byte 3 of the copy: zeroing it truncates the path to "C:\", the root of the volume we run from
0040276C    8D85 D8FEFFFF    lea eax,dword ptr [ebp-128]   ; now "C:\" (OD still shows the old tail after the NULs: C:\....ments and Settings\Administrator\桌面\1_.exe)
00402772    50               push eax                      ; /RootPathName = "C:\"
00402773    FF15 ECE04000    call dword ptr [<&kernel32.GetDriveTypeA>] ; \GetDriveTypeA: what kind of drive are we running from?
00402779    83F8 02          cmp eax,2                     ; 2 = DRIVE_REMOVABLE; here eax = 3 = DRIVE_FIXED
0040277C    75 33            jnz short 1_.004027B1         ; taken unless we were started from removable media
0040277E    8D85 D8FEFFFF    lea eax,dword ptr [ebp-128]
00402784    50               push eax                      ; /<%s> = "C:\"
00402785    68 68E54000      push 1_.0040E568              ; |Format = "explorer.exe /n,%s"
0040278A    8D85 88FDFFFF    lea eax,dword ptr [ebp-278]   ; |
00402790    50               push eax                      ; |s
00402791    FF15 94E24000    call dword ptr [<&user32.wsprintfA>] ; \wsprintfA
00402797    83C4 0C          add esp,0C
0040279A    6A 00            push 0                        ; /Arg3 = 0
0040279C    6A 00            push 0                        ; |Arg2 = 0
0040279E    8D85 88FDFFFF    lea eax,dword ptr [ebp-278]   ; |
004027A4    50               push eax                      ; |Arg1 = "explorer.exe /n,<drive root>"
004027A5    E8 B90A0000      call 1_.00403263              ; \removable-media branch: opens an Explorer window on the drive root, the usual trick of autorun-spread infectors so that the user sees the window they expected (inferred from the command line; this call is not followed here)
004027AA    C745 E4 03000000 mov dword ptr [ebp-1C],3
004027B1    0FBE05 E81C4100  movsx eax,byte ptr [411CE8]   ; first byte of the still-encoded pipe-name buffer: 0xB1 = -79 = -0x4F
004027B8    83F8 B1          cmp eax,-4F                   ; still encoded? (a guard so the buffer is decoded only once)
004027BB    75 11            jnz short 1_.004027CE         ; not taken
004027BD    68 8F000000      push 8F                       ; /Arg3 = 0x8F, presumably the key
004027C2    6A 30            push 30                       ; |Arg2 = 0x30 = 48 = length of the pipe name including its terminator
004027C4    68 E81C4100      push 1_.00411CE8              ; |Arg1 = 00411CE8, the buffer
004027C9    E8 E3FAFFFF      call 1_.004022B1              ; \decodes the string in place
After the call, 00411CE8 holds ASCII "\\.\pipe\{D952F2D0-0BCE-4b2b-8FFF-2317F120FCC3}":
// 00411CE8  5C 5C 2E 5C 70 69 70 65 5C 7B 44 39 35 32 46 32  \\.\pipe\{D952F2
// 00411CF8  44 30 2D 30 42 43 45 2D 34 62 32 62 2D 38 46 46  D0-0BCE-4b2b-8FF
// 00411D08  46 2D 32 33 31 37 46 31 32 30 46 43 43 33 7D 00  F-2317F120FCC3}.
004027CE    FF35 E01C4100    push dword ptr [411CE0]       ; /EventName = 0040E7AC ASCII "Global\{6581F932-EEC4-422e-A5FD-0F78BB508683}"
004027D4    6A 00            push 0                        ; |InitiallySignaled = FALSE
004027D6    6A 00            push 0                        ; |ManualReset = FALSE
004027D8    6A 00            push 0                        ; |pSecurity = NULL
004027DA    FF15 30E14000    call dword ptr [<&kernel32.CreateEventA>] ; \CreateEventA: creates the named event, or opens it if it already exists
004027E0    8945 F0          mov dword ptr [ebp-10],eax    ; event handle; eax = 0xCC here
004027E3    FF15 A0E14000    call dword ptr [<&kernel32.GetLastError>]
004027E9    8985 CCFDFFFF    mov dword ptr [ebp-234],eax   ; 0 here; 0xB7 = ERROR_ALREADY_EXISTS would mean another instance is already running
004027EF    6A 00            push 0                        ; /hTemplateFile = NULL
004027F1    6A 00            push 0                        ; |Attributes = 0
004027F3    6A 03            push 3                        ; |Mode = OPEN_EXISTING
004027F5    6A 00            push 0                        ; |pSecurity = NULL
004027F7    6A 00            push 0                        ; |ShareMode = 0
004027F9    68 000000C0      push C0000000                 ; |Access = GENERIC_READ|GENERIC_WRITE
004027FE    68 E81C4100      push 1_.00411CE8              ; |FileName = "\\.\pipe\{D952F2D0-0BCE-4b2b-8FFF-2317F120FCC3}"
00402803    FF15 FCE04000    call dword ptr [<&kernel32.CreateFileA>] ; \opens the client end of the named pipe. With OPEN_EXISTING this connects to a pipe some server has already created; it does not create one
00402809    8945 EC          mov dword ptr [ebp-14],eax    ; eax = FFFFFFFF = INVALID_HANDLE_VALUE: no such pipe on this machine
0040280C    837D EC FF       cmp dword ptr [ebp-14],-1
00402810    0F85 85000000    jnz 1_.0040289B               ; not taken
00402816    FF15 A0E14000    call dword ptr [<&kernel32.GetLastError>]
0040281C    3D E7000000      cmp eax,0E7                   ; 0xE7 = 231 = ERROR_PIPE_BUSY (the pipe exists but every instance is in use); here eax = 2 = ERROR_FILE_NOT_FOUND
00402821    75 2E            jnz short 1_.00402851         ; taken
……………………
00402851    FF15 84E14000    call dword ptr [<&kernel32.GetTickCount>]
00402857    3D 60EA0000      cmp eax,0EA60                 ; 0xEA60 = 60000 ms: has the system been up for at least a minute?
0040285C    73 0D            jnb short 1_.0040286B         ; taken
……………………
0040286B    81BD CCFDFFFF B7000000 cmp dword ptr [ebp-234],0B7 ; did CreateEventA report ERROR_ALREADY_EXISTS?
00402875    75 1A            jnz short 1_.00402891         ; taken: the error was 0, so this is the first instance
……………………
00402891    E9 D2000000      jmp 1_.00402968
……………………
00402968    6A 00            push 0
0040296A    FF75 E4          push dword ptr [ebp-1C]       ; = 1 here (3 on the removable-media branch)
0040296D    8D85 D0FDFFFF    lea eax,dword ptr [ebp-230]
00402973    50               push eax                      ; path of our own executable
00402974    E8 77FAFFFF      call 1_.004023F0              ; creates the randomly named .log file
00402979    8B45 E8          mov eax,dword ptr [ebp-18]    ; eax = 1
0040297C    C9               leave
0040297D    C3               retn
The named event and the named pipe are the sample's coordination mechanism: the event doubles as a single-instance guard (ERROR_ALREADY_EXISTS at 004027E9 is checked at 0040286B), and the pipe is how a second copy would talk to an instance that is already running as a server. Both names are fixed GUID strings, so they are useful host indicators.
Next we analyse 00402974  E8 77FAFFFF  call 1_.004023F0, which creates the randomly named .log file.
Summary:
1. It tries to open the named pipe "\\.\pipe\{D952F2D0-0BCE-4b2b-8FFF-2317F120FCC3}" and enumerates processes looking for RavMonD.exe, 360tray.exe and MPSVC.exe. None of those three security products is installed in the analysis environment, so opening the pipe fails and execution continues with the later operations. It determines the operating system version (the profile root differs: C:\Documents and Settings\ on XP/2003, C:\Users\ on Vista and later) and writes an Infotmp.txt file there.
2. Under C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ it saves a screenshot of the current window under a random name with a .log extension.
3. It opens the Service Control Manager and walks several system services, trying to replace each service's DLL with an infected file so that the service starts the virus code. If the Service Control Manager cannot be opened it creates the service in the registry instead, drops the virus DLL into %System32% and starts the virus through that service. After call 00401561 completes there are 14 trojan files of the same size (148 KB) with .tmp and .dll extensions: 7A540000.tmp, appmgmts.dll, HidServ.dll, Ias.dll, Iprip.dll, Irmon.dll, mspmsnsv.dll, Ntmssvc.dll, NWCWorkstation.dll, Nwsapagent.dll, pchsvc.dll, qmgr.dll, WmdmPmSp.dll and xmlprov.dll.
4. It checks the drive type (GetDriveTypeA against DRIVE_REMOVABLE). The analysis environment has a fixed disk (DRIVE_FIXED) and only a C: drive, so the EXE-infection routine was not executed.
5. It tries to replace or create the following system services so that the virus starts at boot:
appmgmts, HidServ, Ias, Iprip, Irmon, mspmsnsv, Ntmssvc, NWCWorkstation, Nwsapagent, pchsvc, qmgr, WmdmPmSp, xmlprov
The corresponding service files, in the same order:
appmgmts.dll, HidServ.dll, Ias.dll, Iprip.dll, Irmon.dll, mspmsnsv.dll, Ntmssvc.dll, NWCWorkstation.dll, Nwsapagent.dll, pchsvc.dll, qmgr.dll, WmdmPmSp.dll, xmlprov.dll
These are the DLL names of svchost-hosted services on XP/2003 (for example qmgr.dll for BITS and appmgmts.dll for Application Management), each loaded from the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<service>\Parameters. On a suspect host, checking those ServiceDll values and the hashes of the files they point to is the quickest way to confirm or rule out this infection: the dropped files are identical copies of one 148 KB body, whereas the genuine DLLs all differ.
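A host check for the dropper behaviour summarised above, as an added example that is not code from the original post. The sample writes one 148 KB body under 13 different service-DLL names; legitimate service DLLs never share a hash, so find_cloned_service_dlls() walks a directory tree, hashes the files whose names are in the list and reports every hash shared by two or more of them, then looks for any other file on disk with the same body (which is how the 7A540000.tmp copy turns up even though its name is not on the list). The directory tree used below is constructed in a temporary directory with made-up contents (a constant byte pattern stands in for the trojan body); it is not a real System32.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Service DLL names the post lists as dropped into %System32%.
SERVICE_DLLS = ["appmgmts.dll", "HidServ.dll", "Ias.dll", "Iprip.dll", "Irmon.dll",
                "mspmsnsv.dll", "Ntmssvc.dll", "NWCWorkstation.dll", "Nwsapagent.dll",
                "pchsvc.dll", "qmgr.dll", "WmdmPmSp.dll", "xmlprov.dll"]


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_cloned_service_dlls(root: str, names=SERVICE_DLLS) -> dict:
    """Hash every file under root once. Group the files whose names are in `names`
    (case-insensitively, as on NTFS) by content; for each hash shared by at least
    two of them, also list every other file on disk with that same hash.
    Returns {sha256: {"service_dlls": [...], "other_copies": [...]}}; {} on a clean host."""
    wanted = {n.lower() for n in names}
    digests = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            digests[p] = sha256_file(p)
    by_hash = defaultdict(list)
    for p, h in digests.items():
        if os.path.basename(p).lower() in wanted:
            by_hash[h].append(p)
    result = {}
    for h, paths in by_hash.items():
        if len(paths) >= 2:
            others = [p for p, d in digests.items() if d == h and p not in paths]
            result[h] = {"service_dlls": sorted(paths), "other_copies": sorted(others)}
    return result


def build_fixture(root: str, infected: bool) -> str:
    """Constructed test tree: every listed DLL gets unique fake content; when
    `infected`, five of them plus a 7A540000.tmp are replaced by one identical
    148 KB body, mirroring what the post observed after call 00401561."""
    sysdir = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sysdir, exist_ok=True)
    for i, name in enumerate(SERVICE_DLLS):
        with open(os.path.join(sysdir, name), "wb") as f:
            f.write(b"MZ" + bytes([i]) * 2048)          # distinct per file, like real DLLs
    if infected:
        body = b"MZ" + b"\xAB" * (148 * 1024 - 2)        # stand-in for the trojan body
        for name in SERVICE_DLLS[:5] + ["7A540000.tmp"]:
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(body)
    return sysdir


def scan_fixture(infected: bool) -> dict:
    """Build a fixture in a temp dir, scan it, and return the hits with bare file names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp, infected)
        hits = find_cloned_service_dlls(tmp)
        return {h: {k: [os.path.basename(p) for p in v] for k, v in info.items()}
                for h, info in hits.items()}


if __name__ == "__main__":
    print("clean host:", scan_fixture(False))
    print("infected host:", scan_fixture(True))
```

On a real machine, point find_cloned_service_dlls() at %SystemRoot%\system32 (it hashes every file there once, which takes a while but is a one-off). A hit gives the hash of the dropped body, which can then be searched for across the whole disk and other hosts; absence of a hit does not prove the host is clean, because a variant that drops only a single DLL produces no duplicates.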
Next we focus on: 004010CB  E8 91040000  call 1_.00401561 ; drops the trojan's files, registry entries and services