04 复制删除行为IDA反汇编
(很久以前的学习记录,放到博客上来)
(IDA5.0版的不知道为何反汇编进去每一行被截断的景象,惨不忍睹......明明是个正版的。只好回来用拷过来的破解版,依然有一些叽里呱啦的问题,懒得管了,勉强能用。)
之前的一个拷贝自身到C盘下,并删除自身的exe文件(Reverse 01 中的),拖到IDA里反汇编:
.text:00401000 ; int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
之前的一个拷贝自身到C盘下,并删除自身的exe文件(Reverse 01 中的),拖到IDA里反汇编:
.text:00401000 ; int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
.text:00401000 _WinMain@16 proc near ; CODE XREF: ___tmainCRTStartup+14Bp
.text:00401000
.text:00401000 Msg = tagMSG ptr -820h
.text:00401000 Filename = byte ptr -804h
.text:00401000 pszPath = byte ptr -404h
.text:00401000 var_4 = dword ptr -4
.text:00401000 hInstance = dword ptr 8
.text:00401000 hPrevInstance = dword ptr 0Ch
.text:00401000 lpCmdLine = dword ptr 10h
.text:00401000 nShowCmd = dword ptr 14h
.text:00401000
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 sub esp, 820h
.text:00401009 mov eax, ___security_cookie
.text:0040100E xor eax, ebp
.text:00401010 mov [ebp+var_4], eax
.text:00401013 push esi
.text:00401014 mov esi, [ebp+hInstance]
.text:00401017 push 400h ; nSize
.text:0040101C lea eax, [ebp+Filename]
.text:00401022 push eax ; lpFilename
.text:00401023 push 0 ; hModule
.text:00401025 call ds:GetModuleFileNameA
.text:0040102B push 0 ; fCreate
.text:0040102D push 7 ; csidl
.text:0040102F lea ecx, [ebp+pszPath]
.text:00401035 push ecx ; pszPath
.text:00401036 push 0 ; hwnd
.text:00401038 call ds:SHGetSpecialFolderPathA
.text:0040103E push offset String2 ; "\\0.exe"
.text:00401043 lea edx, [ebp+pszPath]
.text:00401049 push edx ; lpString1
.text:0040104A call ds:lstrcatA
.text:00401050 lea eax, [ebp+Filename]
.text:00401056 push eax ; lpString2
.text:00401057 lea ecx, [ebp+pszPath]
.text:0040105D push ecx ; lpString1
.text:0040105E call ds:lstrcmpA
.text:00401064 test eax, eax
.text:00401066 jz short loc_40108C
.text:00401068 lea edx, [ebp+pszPath]
.text:0040106E push edx ; pszPath
.text:0040106F call ds:PathFileExistsA
.text:00401075 test eax, eax
.text:00401077 jz short loc_40108C
.text:00401079 xor eax, eax
.text:0040107B pop esi
.text:0040107C mov ecx, [ebp+var_4]
.text:0040107F xor ecx, ebp
.text:00401081 call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00401086 mov esp, ebp
.text:00401088 pop ebp
.text:00401089 retn 10h
.text:0040108C ; ---------------------------------------------------------------------------
.text:0040108C
.text:0040108C loc_40108C: ; CODE XREF: WinMain(x,x,x,x)+66j
.text:0040108C ; WinMain(x,x,x,x)+77j
.text:0040108C push edi
.text:0040108D mov edi, ds:LoadStringA
.text:00401093 push 64h ; cchBufferMax
.text:00401095 push offset WindowName ; lpBuffer
.text:0040109A push 67h ; uID
.text:0040109C push esi ; hInstance
.text:0040109D call edi ; LoadStringA
.text:0040109F push 64h ; cchBufferMax
.text:004010A1 push offset ClassName ; lpBuffer
.text:004010A6 push 6Dh ; uID
.text:004010A8 push esi ; hInstance
.text:004010A9 call edi ; LoadStringA
.text:004010AB mov eax, esi
.text:004010AD call sub_4011A0
.text:004010B2 push 0 ; lpParam
.text:004010B4 push esi ; hInstance
.text:004010B5 push 0 ; hMenu
.text:004010B7 push 0 ; hWndParent
.text:004010B9 push 64h ; nHeight
.text:004010BB push 0C8h ; nWidth
.text:004010C0 push 64h ; Y
.text:004010C2 push 0C8h ; X
.text:004010C7 push 0CF0000h ; dwStyle
.text:004010CC push offset WindowName ; lpWindowName
.text:004010D1 push offset ClassName ; lpClassName
.text:004010D6 push 0 ; dwExStyle
.text:004010D8 mov hInstance, esi
.text:004010DE call ds:CreateWindowExA
.text:004010E4 mov edi, eax
.text:004010E6 test edi, edi
.text:004010E8 jz loc_40118B
.text:004010EE mov eax, [ebp+nShowCmd]
.text:004010F1 push eax ; nCmdShow
.text:004010F2 push edi ; hWnd
.text:004010F3 call ds:ShowWindow
.text:004010F9 push edi ; hWnd
.text:004010FA call ds:UpdateWindow
.text:00401100 push 6Dh ; lpTableName
.text:00401102 push esi ; hInstance
.text:00401103 call ds:LoadAcceleratorsA
.text:00401109 mov edi, ds:GetMessageA
.text:0040110F push 0 ; wMsgFilterMax
.text:00401111 push 0 ; wMsgFilterMin
.text:00401113 push 0 ; hWnd
.text:00401115 lea ecx, [ebp+Msg]
.text:0040111B push ecx ; lpMsg
.text:0040111C mov esi, eax
.text:0040111E call edi ; GetMessageA
.text:00401120 test eax, eax
.text:00401122 jz short loc_401173
.text:00401124 push ebx
.text:00401125 mov ebx, ds:TranslateAcceleratorA
.text:0040112B jmp short loc_401130
.text:0040112B ; ---------------------------------------------------------------------------
.text:0040112D align 10h
.text:00401130
.text:00401130 loc_401130: ; CODE XREF: WinMain(x,x,x,x)+12Bj
.text:00401130 ; WinMain(x,x,x,x)+170j
.text:00401130 mov eax, [ebp+Msg.hwnd]
.text:00401136 lea edx, [ebp+Msg]
.text:0040113C push edx ; lpMsg
.text:0040113D push esi ; hAccTable
.text:0040113E push eax ; hWnd
.text:0040113F call ebx ; TranslateAcceleratorA
.text:00401141 test eax, eax
.text:00401143 jnz short loc_40115F
.text:00401145 lea ecx, [ebp+Msg]
.text:0040114B push ecx ; lpMsg
.text:0040114C call ds:TranslateMessage
.text:00401152 lea edx, [ebp+Msg]
.text:00401158 push edx ; lpMsg
.text:00401159 call ds:DispatchMessageA
.text:0040115F
.text:0040115F loc_40115F: ; CODE XREF: WinMain(x,x,x,x)+143j
.text:0040115F push 0 ; wMsgFilterMax
.text:00401161 push 0 ; wMsgFilterMin
.text:00401163 push 0 ; hWnd
.text:00401165 lea eax, [ebp+Msg]
.text:0040116B push eax ; lpMsg
.text:0040116C call edi ; GetMessageA
.text:0040116E test eax, eax
.text:00401170 jnz short loc_401130
.text:00401172 pop ebx
.text:00401173
.text:00401173 loc_401173: ; CODE XREF: WinMain(x,x,x,x)+122j
.text:00401173 mov eax, [ebp+Msg.wParam]
.text:00401179 pop edi
.text:0040117A pop esi
.text:0040117B mov ecx, [ebp+var_4]
.text:0040117E xor ecx, ebp
.text:00401180 call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00401185 mov esp, ebp
.text:00401187 pop ebp
.text:00401188 retn 10h
.text:0040118B ; ---------------------------------------------------------------------------
.text:0040118B
.text:0040118B loc_40118B: ; CODE XREF: WinMain(x,x,x,x)+E8j
.text:0040118B mov ecx, [ebp+var_4]
.text:0040118E pop edi
.text:0040118F xor ecx, ebp
.text:00401191 xor eax, eax
.text:00401193 pop esi
.text:00401194 call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00401199 mov esp, ebp
.text:0040119B pop ebp
.text:0040119C retn 10h
.text:0040119C _WinMain@16 endp
.text:0040119C
.text:0040119C ; ---------------------------------------------------------------------------
.text:0040119F align 10h
.text:004011A0
.text:004011A0 ; =============== S U B R O U T I N E =======================================
.text:004011A0
.text:004011A0 ; Attributes: bp-based frame
.text:004011A0
.text:004011A0 sub_4011A0 proc near ; CODE XREF: WinMain(x,x,x,x)+ADp
.text:004011A0
.text:004011A0 var_30 = WNDCLASSEXA ptr -30h
.text:004011A0
.text:004011A0 push ebp
.text:004011A1 mov ebp, esp
.text:004011A3 sub esp, 30h
.text:004011A6 push esi
.text:004011A7 mov esi, ds:LoadIconA
.text:004011AD push 6Bh ; lpIconName
.text:004011AF push eax ; hInstance
.text:004011B0 mov [ebp+var_30.cbSize], 30h
.text:004011B7 mov [ebp+var_30.style], 3
.text:004011BE mov [ebp+var_30.lpfnWndProc], offset sub_401380
.text:004011C5 mov [ebp+var_30.cbClsExtra], 0
.text:004011CC mov [ebp+var_30.cbWndExtra], 0
.text:004011D3 mov [ebp+var_30.hInstance], eax
.text:004011D6 call esi ; LoadIconA
.text:004011D8 push 7F00h ; lpCursorName
.text:004011DD push 0 ; hInstance
.text:004011DF mov [ebp+var_30.hIcon], eax
.text:004011E2 call ds:LoadCursorA
.text:004011E8 mov [ebp+var_30.hCursor], eax
.text:004011EB mov eax, [ebp+var_30.hInstance]
.text:004011EE push 6Ch ; lpIconName
.text:004011F0 push eax ; hInstance
.text:004011F1 mov [ebp+var_30.hbrBackground], 6
.text:004011F8 mov [ebp+var_30.lpszMenuName], 6Dh
.text:004011FF mov [ebp+var_30.lpszClassName], offset ClassName
.text:00401206 call esi ; LoadIconA
.text:00401208 lea ecx, [ebp+var_30]
.text:0040120B push ecx ; WNDCLASSEXA *
.text:0040120C mov [ebp+var_30.hIconSm], eax
.text:0040120F call ds:RegisterClassExA
.text:00401215 pop esi
.text:00401216 mov esp, ebp
.text:00401218 pop ebp
.text:00401219 retn
.text:00401219 sub_4011A0 endp
.text:00401219
.text:00401219 ; ---------------------------------------------------------------------------
.text:0040121A align 10h
.text:00401220
.text:00401220 ; =============== S U B R O U T I N E =======================================
.text:00401220
.text:00401220 ; Attributes: bp-based frame
.text:00401220
.text:00401220 sub_401220 proc near ; CODE XREF: sub_401380+DAp
.text:00401220
.text:00401220 String1 = byte ptr -20Ch
.text:00401220 Filename = byte ptr -108h
.text:00401220 var_4 = dword ptr -4
.text:00401220
.text:00401220 push ebp
.text:00401221 mov ebp, esp
.text:00401223 sub esp, 20Ch
.text:00401229 mov eax, ___security_cookie
.text:0040122E xor eax, ebp
.text:00401230 mov [ebp+var_4], eax
.text:00401233 push 104h ; nSize
.text:00401238 lea eax, [ebp+Filename]
.text:0040123E push eax ; lpFilename
.text:0040123F push 0 ; hModule
.text:00401241 call ds:GetModuleFileNameA
.text:00401247 test eax, eax
.text:00401249 jz loc_4012F3
.text:0040124F push 104h ; cchBuffer
.text:00401254 lea ecx, [ebp+Filename]
.text:0040125A push ecx ; lpszShortPath
.text:0040125B mov edx, ecx
.text:0040125D push edx ; lpszLongPath
.text:0040125E call ds:GetShortPathNameA
.text:00401264 test eax, eax
.text:00401266 jz loc_4012F3
.text:0040126C push esi
.text:0040126D push offset aCDel ; "/c del "
.text:00401272 lea eax, [ebp+String1]
.text:00401278 push eax ; lpString1
.text:00401279 call ds:lstrcpyA
.text:0040127F mov esi, ds:lstrcatA
.text:00401285 lea ecx, [ebp+Filename]
.text:0040128B push ecx ; lpString2
.text:0040128C lea edx, [ebp+String1]
.text:00401292 push edx ; lpString1
.text:00401293 call esi ; lstrcatA
.text:00401295 push offset aNul ; " >> NUL"
.text:0040129A lea eax, [ebp+String1]
.text:004012A0 push eax ; lpString1
.text:004012A1 call esi ; lstrcatA
.text:004012A3 push 104h ; nSize
.text:004012A8 lea ecx, [ebp+Filename]
.text:004012AE push ecx ; lpBuffer
.text:004012AF push offset Name ; "ComSpec"
.text:004012B4 call ds:GetEnvironmentVariableA
.text:004012BA pop esi
.text:004012BB test eax, eax
.text:004012BD jz short loc_4012F3
.text:004012BF push 0 ; nShowCmd
.text:004012C1 push 0 ; lpDirectory
.text:004012C3 lea edx, [ebp+String1]
.text:004012C9 push edx ; lpParameters
.text:004012CA lea eax, [ebp+Filename]
.text:004012D0 push eax ; lpFile
.text:004012D1 push 0 ; lpOperation
.text:004012D3 push 0 ; hwnd
.text:004012D5 call ds:ShellExecuteA
.text:004012DB cmp eax, 20h
.text:004012DE jle short loc_4012F3
.text:004012E0 mov eax, 1
.text:004012E5 mov ecx, [ebp+var_4]
.text:004012E8 xor ecx, ebp
.text:004012EA call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:004012EF mov esp, ebp
.text:004012F1 pop ebp
.text:004012F2 retn
.text:004012F3 ; ---------------------------------------------------------------------------
.text:004012F3
.text:004012F3 loc_4012F3: ; CODE XREF: sub_401220+29j
.text:004012F3 ; sub_401220+46j ...
.text:004012F3 mov ecx, [ebp+var_4]
.text:004012F6 xor ecx, ebp
.text:004012F8 xor eax, eax
.text:004012FA call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:004012FF mov esp, ebp
.text:00401301 pop ebp
.text:00401302 retn
.text:00401302 sub_401220 endp
.text:00401302
.text:00401302 ; ---------------------------------------------------------------------------
.text:00401303 align 10h
.text:00401310
.text:00401310 ; =============== S U B R O U T I N E =======================================
.text:00401310
.text:00401310 ; Attributes: bp-based frame
.text:00401310
.text:00401310 ; int __cdecl sub_401310(BYTE *lpData, DWORD cbData)
.text:00401310 sub_401310 proc near ; CODE XREF: sub_401380+D2p
.text:00401310
.text:00401310 dwDisposition = dword ptr -8
.text:00401310 phkResult = dword ptr -4
.text:00401310 lpData = dword ptr 8
.text:00401310 cbData = dword ptr 0Ch
.text:00401310
.text:00401310 push ebp
.text:00401311 mov ebp, esp
.text:00401313 sub esp, 8
.text:00401316 push esi
.text:00401317 lea eax, [ebp+dwDisposition]
.text:0040131A push eax ; lpdwDisposition
.text:0040131B xor esi, esi
.text:0040131D lea ecx, [ebp+phkResult]
.text:00401320 push ecx ; phkResult
.text:00401321 push esi ; lpSecurityAttributes
.text:00401322 push 0F003Fh ; samDesired
.text:00401327 push esi ; dwOptions
.text:00401328 push offset Class ; lpClass
.text:0040132D push esi ; Reserved
.text:0040132E push offset SubKey ; "Software\\Microsoft\\Windows\\CurrentVe"...
.text:00401333 push 80000002h ; hKey
.text:00401338 mov [ebp+phkResult], esi
.text:0040133B call ds:RegCreateKeyExA
.text:00401341 test eax, eax
.text:00401343 jnz short loc_401370
.text:00401345 mov edx, [ebp+cbData]
.text:00401348 mov eax, [ebp+lpData]
.text:0040134B mov ecx, [ebp+phkResult]
.text:0040134E push edx ; cbData
.text:0040134F push eax ; lpData
.text:00401350 push 1 ; dwType
.text:00401352 push esi ; Reserved
.text:00401353 push offset ValueName ; "sample_mal"
.text:00401358 push ecx ; hKey
.text:00401359 call ds:RegSetValueExA
.text:0040135F test eax, eax
.text:00401361 jnz short loc_401366
.text:00401363 lea esi, [eax+1]
.text:00401366
.text:00401366 loc_401366: ; CODE XREF: sub_401310+51j
.text:00401366 mov edx, [ebp+phkResult]
.text:00401369 push edx ; hKey
.text:0040136A call ds:RegCloseKey
.text:00401370
.text:00401370 loc_401370: ; CODE XREF: sub_401310+33j
.text:00401370 mov eax, esi
.text:00401372 pop esi
.text:00401373 mov esp, ebp
.text:00401375 pop ebp
.text:00401376 retn
.text:00401376 sub_401310 endp
.text:00401376
.text:00401376 ; ---------------------------------------------------------------------------
.text:00401377 align 10h
.text:00401380
.text:00401380 ; =============== S U B R O U T I N E =======================================
.text:00401380
.text:00401380 ; Attributes: bp-based frame
.text:00401380
.text:00401380 ; int __stdcall sub_401380(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
.text:00401380 sub_401380 proc near ; DATA XREF: sub_4011A0+1Eo
.text:00401380
.text:00401380 Paint = tagPAINTSTRUCT ptr -848h
.text:00401380 pszPath = byte ptr -808h
.text:00401380 Filename = byte ptr -408h
.text:00401380 var_4 = dword ptr -4
.text:00401380 hWnd = dword ptr 8
.text:00401380 Msg = dword ptr 0Ch
.text:00401380 wParam = dword ptr 10h
.text:00401380 lParam = dword ptr 14h
.text:00401380
.text:00401380 push ebp
.text:00401381 mov ebp, esp
.text:00401383 and esp, 0FFFFFFF8h
.text:00401386 sub esp, 84Ch
.text:0040138C mov eax, ___security_cookie
.text:00401391 xor eax, esp
.text:00401393 mov [esp+84Ch+var_4], eax
.text:0040139A mov eax, [ebp+Msg]
.text:0040139D push ebx
.text:0040139E push esi
.text:0040139F mov esi, [ebp+hWnd]
.text:004013A2 push edi
.text:004013A3 cmp eax, 0Fh
.text:004013A6 ja loc_40149B
.text:004013AC jz loc_40146C
.text:004013B2 mov ecx, eax
.text:004013B4 dec ecx
.text:004013B5 jz loc_40151F
.text:004013BB dec ecx
.text:004013BC jnz loc_4014A2
.text:004013C2 push 400h ; nSize
.text:004013C7 lea eax, [esp+85Ch+Filename]
.text:004013CE push eax ; lpFilename
.text:004013CF push ecx ; hModule
.text:004013D0 call ds:GetModuleFileNameA
.text:004013D6 mov esi, ds:SHGetSpecialFolderPathA
.text:004013DC push 0 ; fCreate
.text:004013DE push 7 ; csidl
.text:004013E0 lea ecx, [esp+860h+pszPath]
.text:004013E4 push ecx ; pszPath
.text:004013E5 push 0 ; hwnd
.text:004013E7 call esi ; SHGetSpecialFolderPathA
.text:004013E9 mov edi, ds:lstrcatA
.text:004013EF push offset String2 ; "\\0.exe"
.text:004013F4 lea edx, [esp+85Ch+pszPath]
.text:004013F8 push edx ; lpString1
.text:004013F9 call edi ; lstrcatA
.text:004013FB mov ebx, ds:CopyFileA
.text:00401401 push 0 ; bFailIfExists
.text:00401403 lea eax, [esp+85Ch+pszPath]
.text:00401407 push eax ; lpNewFileName
.text:00401408 lea ecx, [esp+860h+Filename]
.text:0040140F push ecx ; lpExistingFileName
.text:00401410 call ebx ; CopyFileA
.text:00401412 push 0 ; fCreate
.text:00401414 push 5 ; csidl
.text:00401416 lea edx, [esp+860h+pszPath]
.text:0040141A push edx ; pszPath
.text:0040141B push 0 ; hwnd
.text:0040141D call esi ; SHGetSpecialFolderPathA
.text:0040141F push offset a1_exe ; "\\1.exe"
.text:00401424 lea eax, [esp+85Ch+pszPath]
.text:00401428 push eax ; lpString1
.text:00401429 call edi ; lstrcatA
.text:0040142B push 0 ; bFailIfExists
.text:0040142D lea ecx, [esp+85Ch+pszPath]
.text:00401431 push ecx ; lpNewFileName
.text:00401432 lea edx, [esp+860h+Filename]
.text:00401439 push edx ; lpExistingFileName
.text:0040143A call ebx ; CopyFileA
.text:0040143C lea eax, [esp+858h+pszPath]
.text:00401440 lea edx, [eax+1]
.text:00401443
.text:00401443 loc_401443: ; CODE XREF: sub_401380+C8j
.text:00401443 mov cl, [eax]
.text:00401445 inc eax
.text:00401446 test cl, cl
.text:00401448 jnz short loc_401443
.text:0040144A sub eax, edx
.text:0040144C push eax ; cbData
.text:0040144D lea eax, [esp+85Ch+pszPath]
.text:00401451 push eax ; lpData
.text:00401452 call sub_401310
.text:00401457 add esp, 8
.text:0040145A call sub_401220
.text:0040145F push 0 ; nExitCode
.text:00401461 call ds:PostQuitMessage
.text:00401467 jmp loc_40151F
.text:0040146C ; ---------------------------------------------------------------------------
我是想要找到exe文件执行后如何把自身给删除的,反汇编出来的代码远不止粘出来的这么长,大海捞针,这里截取一部分。
进去sub_401220:
.text:00401220 sub_401220 proc near ; CODE XREF: sub_401380+DAp
我是想要找到exe文件执行后如何把自身给删除的,反汇编出来的代码远不止粘出来的这么长,大海捞针,这里截取一部分。
进去sub_401220:
.text:00401220 sub_401220 proc near ; CODE XREF: sub_401380+DAp
.text:00401220
.text:00401220 String1 = byte ptr -20Ch
.text:00401220 Filename = byte ptr -108h
.text:00401220 var_4 = dword ptr -4
.text:00401220
.text:00401220 push ebp
.text:00401221 mov ebp, esp
.text:00401223 sub esp, 20Ch
.text:00401229 mov eax, ___security_cookie
.text:0040122E xor eax, ebp
.text:00401230 mov [ebp+var_4], eax
.text:00401233 push 104h ; nSize
.text:00401238 lea eax, [ebp+Filename]
.text:0040123E push eax ; lpFilename
.text:0040123F push 0 ; hModule
.text:00401241 call ds:GetModuleFileNameA
.text:00401247 test eax, eax
.text:00401249 jz loc_4012F3
.text:0040124F push 104h ; cchBuffer
.text:00401254 lea ecx, [ebp+Filename]
.text:0040125A push ecx ; lpszShortPath
.text:0040125B mov edx, ecx
.text:0040125D push edx ; lpszLongPath
.text:0040125E call ds:GetShortPathNameA
.text:00401264 test eax, eax
.text:00401266 jz loc_4012F3
.text:0040126C push esi
.text:0040126D push offset aCDel ; "/c del "
.text:00401272 lea eax, [ebp+String1]
.text:00401278 push eax ; lpString1
.text:00401279 call ds:lstrcpyA
.text:0040127F mov esi, ds:lstrcatA
.text:00401285 lea ecx, [ebp+Filename]
.text:0040128B push ecx ; lpString2
.text:0040128C lea edx, [ebp+String1]
.text:00401292 push edx ; lpString1
.text:00401293 call esi ; lstrcatA
.text:00401295 push offset aNul ; " >> NUL"
.text:0040129A lea eax, [ebp+String1]
.text:004012A0 push eax ; lpString1
.text:004012A1 call esi ; lstrcatA
.text:004012A3 push 104h ; nSize
.text:004012A8 lea ecx, [ebp+Filename]
.text:004012AE push ecx ; lpBuffer
.text:004012AF push offset Name ; "ComSpec"
.text:004012B4 call ds:GetEnvironmentVariableA
.text:004012BA pop esi
.text:004012BB test eax, eax
.text:004012BD jz short loc_4012F3
.text:004012BF push 0 ; nShowCmd
.text:004012C1 push 0 ; lpDirectory
.text:004012C3 lea edx, [ebp+String1]
.text:004012C9 push edx ; lpParameters
.text:004012CA lea eax, [ebp+Filename]
.text:004012D0 push eax ; lpFile
.text:004012D1 push 0 ; lpOperation
.text:004012D3 push 0 ; hwnd
.text:004012D5 call ds:ShellExecuteA
.text:004012DB cmp eax, 20h
.text:004012DE jle short loc_4012F3
.text:004012E0 mov eax, 1
.text:004012E5 mov ecx, [ebp+var_4]
.text:004012E8 xor ecx, ebp
.text:004012EA call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:004012EF mov esp, ebp
.text:004012F1 pop ebp
.text:004012F2 retn
GetModuleFileNameA, GetShortPathNameA之类的函数不是重点,唯一值得推测的是004012D5 call ds:ShellExecuteA
百度查了一下exe文件删除自身的方法,CSDN上确实有谈论过,也有人指出用ShellExecute可以实现(这点更加让我觉得ShellExecuteA很有可能是删除文件本身的关键所在),用了其上的代码,并没有实现删除exe本身,只是闪现了黑窗口(打开后关闭了黑窗口),可能这个类病毒实现删除自己实在复制过自己到C盘下后,由C盘下exe文件删除了自己?
GetModuleFileNameA, GetShortPathNameA之类的函数不是重点,唯一值得推测的是004012D5 call ds:ShellExecuteA
百度查了一下exe文件删除自身的方法,CSDN上确实有谈论过,也有人指出用ShellExecute可以实现(这点更加让我觉得ShellExecuteA很有可能是删除文件本身的关键所在),用了其上的代码,并没有实现删除exe本身,只是闪现了黑窗口(打开后关闭了黑窗口),可能这个类病毒实现删除自己实在复制过自己到C盘下后,由C盘下exe文件删除了自己?
附CSDN上的代码(并未实现删除exe本身) :
#include <windows.h>
#include <fstream>
using namespace std;
int main()
{
ofstream file;
file.open("1.bat");
file<<"del 1.exe"<<endl;
file<<"del 1.bat"<<endl;
file.close();
ShellExecute(NULL,"open","1.bat","",NULL,SW_SHOWNORMAL);
}
告辞。
告辞。
