本帖最后由 BitterLotus 于 2021-2-10 20:31 编辑
https://www.virustotal.com/gui/f ... 3bdcb010c/detection
大概分析了一下main函数,这里是伪C代码,有兴趣的可以看看,前半部分有注释。
@ruineng 你可以来看看分析的对不对。
- /*
-  * WinMain of a self-extracting loader (IDA pseudo-C, annotated).
-  * What the code below visibly does:
-  *   1. opens its own executable read-only (GetModuleFileNameA + CreateFileA);
-  *   2. reads an 8-byte trailer at EOF-8: {payload length, magic -2103789659};
-  *   3. reads the payload that sits just before the trailer and re-checks the magic;
-  *   4. builds a sub-directory name under GetTempPathA() and creates it;
-  *   5. if a second magic (54398733) is present, runs sub_403248 on the data
-  *      (the error string aFailedToDecomp suggests this is a decompressor);
-  *   6. walks {NUL-terminated name, DWORD length, bytes} records and writes
-  *      each one as a file into that directory;
-  *   7. LoadLibraryA()s the record named krnln.fnr / krnln.fne, resolves
-  *      ProcName, calls it with 1000 and finally calls the function pointer it
-  *      returned with 4231168.
-  * Every failure path sets lpText and ends in MessageBoxA. Dropped files are
-  * never removed and the read handle on the executable is never closed.
-  * Observable behaviour for monitoring: the process reads its own image,
-  * creates a directory and files under the temp path, then loads a DLL from
-  * that writable location.
-  * Record names from the payload are appended to the path with strcat without
-  * any validation (no length check against the 0x104-byte buffers, no check
-  * for path separators or ".."), and the record loop only bounds-checks after
-  * advancing, so a malformed payload can make it read past the buffer.
-  */
- int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
- {
- HANDLE 创建文件返回的句柄; // eax — handle to this executable, returned by CreateFileA
- void *创建文件返回的句柄2; // edi — copy of the same handle
- _DWORD *v6; // esi — start of the payload (== lpBuffer)
- DWORD *v7; // esi — payload + 4 (just past the magic)
- DWORD v8; // eax — DWORD at payload + 4 (formatted with aENX when no name is present)
- char *v9; // ST18_4 — DWORD at payload + 8, passed to sub_401119 truncated to char
- int v10; // esi — payload + 8 as an integer
- const char *v11; // edi — payload + 12: NUL-terminated sub-directory name (may be empty)
- const char *v12; // esi — first byte after that name: {DWORD magic 54398733, DWORD v13, data}
- signed int v13; // eax — length passed to operator new (output buffer for sub_403248)
- char *v14; // edi — output buffer of sub_403248
- const char *v15; // esi — cursor over the records in the output buffer
- const char *v16; // edi
- const char *v17; // ST14_4
- DWORD *v18; // esi — points at the record's DWORD length, right after its name
- DWORD v19; // edi — record data length
- char *v20; // esi — record data
- HINSTANCE v21; // eax — handle of the file being dropped
- HMODULE v22; // eax — module handle of the loaded kernel library
- FARPROC v23; // eax — address of ProcName inside it
- CHAR FileName; // [esp+10h] [ebp-298h] — 0x104-byte buffer (by stack layout): full path of the file being dropped
- CHAR 文件名; // [esp+114h] [ebp-194h] — 0x104-byte buffer: module path, later the temp sub-directory path
- CHAR v27; // [esp+218h] [ebp-90h] — 0x34-byte buffer: wsprintfA output used as the directory name
- char v28; // [esp+24Ch] [ebp-5Ch] — 0x34-byte buffer: name of the krnln.fnr/.fne record ("" if none)
- DWORD NumberOfBytesWritten; // [esp+280h] [ebp-28h]
- HINSTANCE buffer; // [esp+284h] [ebp-24h] — trailer DWORD 0: payload length (IDA typed it HINSTANCE)
- int v31; // [esp+288h] [ebp-20h] — trailer DWORD 1: magic; filled by the 8-byte ReadFile into &buffer
- DWORD NumberOfBytesRead; // [esp+28Ch] [ebp-1Ch]
- DWORD v33; // [esp+290h] [ebp-18h] — bytes read when loading the payload
- int v34; // [esp+294h] [ebp-14h] — set to v13, passed by address to sub_403248, then used as the output length
- void (__stdcall *v35)(signed int); // [esp+298h] [ebp-10h] — function pointer returned by ProcName(1000)
- DWORD v36; // [esp+29Ch] [ebp-Ch] — file size - 8, later v8, later end pointer of the record area
- LPVOID lpBuffer; // [esp+2A0h] [ebp-8h] — payload buffer (owned here, freed at LABEL_45)
- LPCSTR lpText; // [esp+2A4h] [ebp-4h] — error message to show; NULL means success
- HINSTANCE buffer2; // [esp+2B0h] [ebp+8h] — hInstance's slot reused: payload length
- HINSTANCE hInstanceb; // [esp+2B0h] [ebp+8h] — buffer2 - 3 (HINSTANCE arithmetic; see note below)
- HINSTANCE hInstancec; // [esp+2B0h] [ebp+8h] — hInstanceb - 2: input length for sub_403248
- const char *hInstanced; // [esp+2B0h] [ebp+8h] — current record name
- HINSTANCE hInstancee; // [esp+2B0h] [ebp+8h] — handle of the dropped file
- lpText = 0;
- lpBuffer = 0;
- v35 = 0;
- GetModuleFileNameA(hInstance, &文件名, 0x104u); // full path of the running module (0x104 = MAX_PATH)
- 创建文件返回的句柄 = CreateFileA(&文件名, 0x80000000, 1u, 0, 3u, 0x80u, 0);// open this executable: GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL (no file is created)
- 创建文件返回的句柄2 = 创建文件返回的句柄; // keep a second copy of the handle (edi)
- if ( 创建文件返回的句柄 == (HANDLE)-1 ) // INVALID_HANDLE_VALUE: open failed
- {
- lpText = aCanTOpenFile;
- goto LABEL_47; // report via MessageBoxA
- }
- v36 = SetFilePointer(创建文件返回的句柄, -8, 0, 2u); // seek to 8 bytes before EOF (2 = FILE_END); the returned position equals file size - 8
- if ( v36 < 0x3E8 ) // (size - 8) below 0x3E8 = 1000 bytes is rejected as too small to hold a payload
- goto LABEL_53;
- NumberOfBytesRead = 0; // bytes read so far = 0
- if ( !ReadFile(创建文件返回的句柄2, &buffer, 8u, &NumberOfBytesRead, 0) || NumberOfBytesRead != 8 ) // read the 8-byte trailer into buffer (DWORD 0) and the adjacent v31 (DWORD 1)
- {
- lpText = aFailedToReadDa; // trailer read failed
- goto LABEL_45;
- }
- buffer2 = buffer;
- if ( v31 != -2103789659 || (signed int)buffer < 4 || (signed int)buffer >= (signed int)v36 ) // trailer check: magic must match and the payload length must lie in [4, size - 8)
- {
- LABEL_53:
- lpText = aInvalidDataInT; // invalid trailer / file size
- goto LABEL_47;
- }
- lpBuffer = operator new((unsigned int)buffer);// allocate the payload buffer, sized from the trailer
- if ( !lpBuffer )
- {
- LABEL_23:
- lpText = aInsufficientMe; // allocation failed
- goto LABEL_45;
- }
- v33 = 0;
- // The payload sits immediately before the trailer: seek to EOF - 8 - length,
- // read it whole and re-check the magic in its first DWORD.
- if ( SetFilePointer(创建文件返回的句柄2, -8 - (_DWORD)buffer2, 0, 2u) != -1
- && (v6 = lpBuffer, ReadFile(创建文件返回的句柄2, lpBuffer, (DWORD)buffer2, &v33, 0))
- && (HINSTANCE)v33 == buffer2
- && *v6 == -2103789659 )
- {
- v7 = v6 + 1; // skip the magic
- if ( !GetTempPathA(0x104u, &文件名) ) // 文件名 is reused: from here on it holds the temp directory
- {
- lpText = aCanTRetrieveTh;
- goto LABEL_45;
- }
- v8 = *v7; // DWORD at payload + 4
- v9 = (char *)v7[1]; // DWORD at payload + 8
- hInstanceb = buffer2 - 3; // NOTE(review): buffer2 is typed HINSTANCE, so IDA probably scaled this; it most likely means length - 12 (what remains after the 12-byte header) — confirm in the disassembly
- v10 = (int)(v7 + 1); // payload + 8
- v36 = v8;
- sub_401119(v10 + 4, hInstanceb, (char)v9); // unknown helper applied to the data at payload + 12 with (char)v9 as third argument; presumably transforms it in place before it is parsed — TODO confirm
- v11 = (const char *)(v10 + 4); // NUL-terminated name at payload + 12
- if ( *(_BYTE *)(v10 + 4) ) // non-empty name: use it as the sub-directory name
- {
- strcat(&文件名, v11); // unbounded append into the 0x104-byte buffer
- v12 = &v11[strlen(v11) + 1]; // first byte after the name
- }
- else // empty name: format v36 (== v8) with aENX instead (format string not shown on this page)
- {
- wsprintfA(&v27, aENX, v36);
- strcat(&文件名, &v27);
- v12 = (const char *)(v10 + 5); // just past the empty name's NUL
- }
- CreateDirectoryA(&文件名, 0); // return value ignored
- strcat(&文件名, asc_40718C); // asc_40718C is appended before each file name; its content is not on this page (presumably a path separator)
- hInstancec = hInstanceb - 2; // see the note on hInstanceb; input length for sub_403248
- v13 = *((_DWORD *)v12 + 1); // DWORD after the second magic: size of the output buffer
- v34 = *((_DWORD *)v12 + 1);
- if ( (signed int)hInstancec > 0 && *(_DWORD *)v12 == 54398733 && v13 > 0 ) // second magic plus positive lengths
- {
- v14 = (char *)operator new(v13);
- if ( v14 )
- {
- if ( sub_403248(v14, &v34, v12 + 8, hInstancec) ) // nonzero return = failure; argument order looks like (out, &out_len, in, in_len) — aFailedToDecomp suggests a decompressor
- {
- operator delete(v14);
- lpText = aFailedToDecomp;
- }
- else
- {
- operator delete(lpBuffer); // the raw payload is no longer needed; lpBuffer now owns the output
- lpBuffer = v14;
- v15 = v14; // record cursor
- v36 = (DWORD)&v14[v34]; // end of the record area (v34 as left by sub_403248)
- v28 = 0; // no kernel-library record seen yet
- if ( v14 >= &v14[v34] )
- goto LABEL_54; // nothing to extract
- // Record layout: NUL-terminated name, DWORD length, <length> bytes.
- // Only v15 is compared with v36, and only after advancing; the name,
- // length and data reads themselves are not bounds-checked against v36.
- do
- {
- v16 = v15;
- hInstanced = v15;
- v17 = v15;
- v18 = (DWORD *)&v15[strlen(v15) + 1]; // DWORD length right after the name
- if ( !_strcmpi(v17, aKrnlnFnr) || !_strcmpi(v16, aKrnlnFne) ) // remember the kernel library's file name (case-insensitive)
- strcpy(&v28, v16); // unbounded copy into the 0x34-byte v28
- v19 = *v18;
- v20 = (char *)(v18 + 1); // record data
- strcpy(&FileName, &文件名); // temp dir + record name; both calls are unbounded and the name comes from the payload unvalidated
- strcat(&FileName, hInstanced);
- v21 = (HINSTANCE)CreateFileA(&FileName, 0x40000000u, 0, 0, 2u, 0x80u, 0); // GENERIC_WRITE, no sharing, CREATE_ALWAYS
- hInstancee = v21;
- if ( v21 != (HINSTANCE)-1 ) // a failed create is silently skipped
- {
- WriteFile(v21, v20, v19, &NumberOfBytesWritten, 0); // return value and byte count unchecked
- CloseHandle(hInstancee);
- }
- v15 = &v20[v19]; // next record
- }
- while ( (unsigned int)v15 < v36 );
- if ( v28 ) // a krnln.fnr / krnln.fne record was dropped
- {
- strcpy(&FileName, &文件名);
- strcat(&FileName, &v28);
- v22 = LoadLibraryA(&FileName); // load the DLL from the temp directory it was just written to
- if ( v22 )
- {
- v23 = GetProcAddress(v22, ProcName);
- if ( v23 )
- {
- v35 = (void (__stdcall *)(signed int))((int (__stdcall *)(signed int))v23)(1000); // ProcName(1000) returns the function pointer called at the end
- if ( !v35 )
- lpText = aTheInterfaceOf;
- }
- else
- {
- lpText = aTheKernelLibra;
- }
- }
- else
- {
- lpText = aFailedToLoadKe;
- }
- }
- else
- {
- LABEL_54:
- lpText = aNotFoundTheKer;
- }
- }
- goto LABEL_45;
- }
- goto LABEL_23; // operator new(v13) failed
- }
- lpText = aInvalidDataInT; // second magic / lengths did not check out
- }
- else
- {
- lpText = aFailedToReadFi; // payload read failed or its magic did not match
- }
- LABEL_45:
- if ( lpBuffer )
- operator delete(lpBuffer);
- LABEL_47:
- if ( lpText )
- MessageBoxA(0, lpText, Caption, 0x10u); // 0x10 = MB_ICONHAND: show the error and exit
- else
- v35(4231168); // success: hand control to the loaded library; 4231168 = 0x409000, presumably an address inside this image — TODO confirm
- return 0;
- }