仅凭这段 DriverEntry 还不能断定它不是病毒。IDA 反汇编显示的也不是“创建一个驱动对象又释放”：它先由注册表路径得到服务名，用该名字创建一个设备对象（IoCreateDevice，设备类型 0x22 = FILE_DEVICE_UNKNOWN，扩展区 0x2458 字节），只在 InitializeIDScontext 返回非零（失败）时才用 IoDeleteDevice 删除它并返回 STATUS_INSUFFICIENT_RESOURCES；正常路径下设备一直存在，并注册了 IRP_MJ_CREATE/CLOSE 和 IRP_MJ_INTERNAL_DEVICE_CONTROL（只有内核态才能发的 IOCTL）的分发例程，没有创建符号链接，也没有处理用户态的 IRP_MJ_DEVICE_CONTROL。是否恶意要看 FirelmDispatchInternalIOCTL 和 InitializeIDScontext 的实现，这里看不到。
; Attributes: bp-based frame
; int __stdcall DriverEntry(int,PUNICODE_STRING DestinationString)
;
; DriverEntry of the "Firelm" driver as recovered by IDA (32-bit x86, stdcall).
; Register roles: esi = DriverObject (arg_0); ebx = device name returned by
; GetServiceNameFromRegistryPath (a pool allocation, it is released with
; ExFreePool below). The [ebp+arg_0] stack slot is reused as the NTSTATUS
; that is returned in eax. IDA's parameter name "DestinationString" is the
; RegistryPath argument; its only use is the call to
; GetServiceNameFromRegistryPath.
;
; Review notes from this listing alone (callees are not shown):
;  - The IoCreateDevice status is stored but never tested; the code goes
;    straight on to dereference _FirelmDeviceObject, which per the API is
;    NULL when IoCreateDevice fails, so a failed create faults the kernel.
;  - When GetServiceNameFromRegistryPath returns NULL the function jumps to
;    loc_10849 with [ebp+arg_0] still holding the DriverObject pointer, so a
;    pointer is returned as the NTSTATUS instead of an error code.
;  - Handlers are installed only for IRP_MJ_CREATE, IRP_MJ_CLOSE and
;    IRP_MJ_INTERNAL_DEVICE_CONTROL. No IRP_MJ_DEVICE_CONTROL slot ([esi+70h])
;    and no symbolic link are set up here, so this function exposes a
;    kernel-internal interface only; whether the driver is benign depends on
;    FirelmDispatchInternalIOCTL and InitializeIDScontext.
public __stdcall DriverEntry(x, x)
__stdcall DriverEntry(x, x) proc near
arg_0= dword ptr 8 ; DriverObject on entry; later overwritten with the status to return
DestinationString= dword ptr 0Ch ; RegistryPath (IDA name taken from the helper's prototype)
push ebp
mov ebp, esp
push ebx
push esi
mov esi, [ebp+arg_0] ; esi = DriverObject
push [ebp+DestinationString] ; DestinationString (= RegistryPath) argument for GetServiceNameFromRegistryPath below
; Dispatch table setup. Offsets match the 32-bit DRIVER_OBJECT layout
; (0x34 = DriverUnload, 0x38 = MajorFunction[0], each slot 4 bytes).
mov dword ptr [esi+38h], offset FirelmDispatchClose(x,x) ; MajorFunction[0]  = IRP_MJ_CREATE (shares the close handler)
mov dword ptr [esi+40h], offset FirelmDispatchClose(x,x) ; MajorFunction[2]  = IRP_MJ_CLOSE
mov dword ptr [esi+74h], offset FirelmDispatchInternalIOCTL(x,x) ; MajorFunction[15] = IRP_MJ_INTERNAL_DEVICE_CONTROL (kernel-mode callers only)
mov dword ptr [esi+34h], offset FirelmDriverUnload(x) ; DriverUnload: driver is unloadable
call GetServiceNameFromRegistryPath(x) ; argument pushed above; returns a pool-allocated name or NULL
mov ebx, eax ; ebx = device name; passed as DeviceName to IoCreateDevice, so presumably a UNICODE_STRING
test ebx, ebx
jz short loc_10849 ; NULL name: skip device creation. NOTE: arg_0 is still the DriverObject pointer and is what gets returned
push offset _FirelmDeviceObject ; DeviceObject (out: receives the new DEVICE_OBJECT*, NULL on failure)
push 0 ; Exclusive = FALSE
push 0 ; DeviceCharacteristics = 0
push 22h ; DeviceType = 0x22 = FILE_DEVICE_UNKNOWN
push ebx ; DeviceName (named device; no symbolic link is created in this function)
push 2458h ; DeviceExtensionSize = 0x2458 bytes, used as the IDS context below
push esi ; DriverObject
call ds:IoCreateDevice(x,x,x,x,x,x,x)
mov [ebp+arg_0], eax ; tentative return status -- never tested
mov eax, _FirelmDeviceObject ; BUG: dereferenced unconditionally; NULL if IoCreateDevice failed
push dword ptr [eax+28h] ; SpinLock -- IDA mislabel: +0x28 is DEVICE_OBJECT.DeviceExtension on x86, i.e. the 0x2458-byte extension
call InitializeIDScontext(x)
test eax, eax
jz short loc_10842 ; zero = success: keep the device, just free the name buffer
; InitializeIDScontext failed: tear the device down and report an error
push _FirelmDeviceObject ; DeviceObject
mov [ebp+arg_0], 0C000009Ah ; STATUS_INSUFFICIENT_RESOURCES
call ds:IoDeleteDevice(x)
and _FirelmDeviceObject, 0 ; clear the global so Unload/dispatch do not see a stale pointer
loc_10842: ; P
push ebx
call ds:ExFreePool(x) ; free the device-name buffer on both the success and the failure path
loc_10849:
or dword ptr [esi+8], 2 ; DRIVER_OBJECT.Flags |= 2 on every path, including the NULL-name failure; value matches DRVO_LEGACY_DRIVER, which the I/O manager normally sets itself -- confirm intent
mov eax, [ebp+arg_0] ; return status (or the DriverObject pointer on the NULL-name path, see note above)
pop esi
pop ebx
pop ebp
retn 8
__stdcall DriverEntry(x, x) endp |