Ultra String Reference
Address | Disassembly | Text String
004032E4 push 00403364 software\borland\delphi\rtlfpumaskvalue
00403318 push 00403380 fpumaskvalue
00403BBD push 00403BF8 \n\n
00404F4F push 0040509C kernel32.dll
00404F64 push 004050AC createtoolhelp32snapshot
00404F76 push 004050C8 heap32listfirstheap32listnext
00404F88 push 004050D8 heap32listnext
00404F9A push 004050E8 heap32firstheap32next
00404FAC push 004050F4 heap32next
00404FBE push 00405100 toolhelp32readprocessmemoryprocess32first
00404FD0 push 0040511C process32first
00404FE2 push 0040512C process32next
00404FF4 push 0040513C process32firstwprocess32nextw
00405006 push 0040514C process32nextw
00405018 push 0040515C thread32first
0040502A push 0040516C thread32next
0040503C push 0040517C module32first
0040504E push 0040518C module32next
00405060 push 0040519C module32firstw
00405072 push 004051AC module32nextw
00405375 mov edx, 00405458 +
004053BF push 00405470 %
0040555B mov eax, 004055FC /
00405645 push 00405820 myapp
00405698 mov eax, 00405828 accept: */*http/1.0
004056AD push 00405834 http/1.0
004056BB push 00405840 post
00405C20 mov edx, 00405C60 .
00406273 push 00406478 \
0040637C mov edx, 00406484 setup.exe
00406678 mov edx, 00406794 2
00406691 mov edx, 004067A0 1
004066A0 mov edx, 00406794 2
004066B3 mov edx, 004067A0 1
00406761 mov edx, 004067AC \\
004067CD push 0040683C netschedulejobadd
004067E6 push 00406850 netshareenum
004067F6 push 00406860 netapibufferfree
00406808 push 00406850 netshareenum
004077D0 push 00407974 gougou
00407890 mov ecx, 00407984 .dat
004078E0 push 00407994 da
00407A29 push 00407A90 ntdll.dll
00407A4A push 00407A9C zwunmapviewofsection
00407EF1 push 00407F0C virtualallocex
00407EF6 push 00407F1C kernel32.dll
004081FE mov edx, 004082A0 0
00408267 mov edx, 004082AC -
00408919 mov eax, 00408990 service pack 2
00409984 mov eax, 00409ACC \
00409A36 push 00409ACC \
00409B57 mov edx, 00409E54 software\
00409C14 mov eax, 00409E68 sebackupprivilege
00409C20 mov eax, 00409E84 serestoreprivilege
00409FA1 mov ecx, 0040A030 \
00409FAE mov eax, 0040A03C :
00409FD4 mov eax, 0040A03C :
00409FEC mov ecx, 0040A048 \program files\internet explorer\iexplore.exe
0040A0C1 mov ecx, 0040A178 :\
0040A21D mov ecx, 0040A258 \
0040A2C3 push 0040A3B0 http://ineturl:/1.0
0040A2DD push 0040A3B8 ineturl:/1.0
0040A58C push 0040A5EC sedebugprivilege
0040A96A push 0040A9D0 afxmdiframe42s
0040A97D push 0040A9D0 afxmdiframe42s
0040A990 push 0040A9E0 static
0040A9A3 push 0040A9E8 button
0040ADC0 mov eax, 0040AE64 /
0040AEBE push 0040B060 httpget
0040AF0E mov ebx, 0040B06C getaccept: */*http/1.0
0040AF18 mov eax, 0040B070 accept: */*http/1.0
0040AF2C push 0040B07C http/1.0
0040B101 push 0040B32C ~
0040B11C push 0040B338 .bat
0040B1A8 mov edx, 0040B348 :siniu
0040B1C2 push 0040B358 del "
0040B1CA push 0040B368 " /a
0040B1FA push 0040B378 if exist "
0040B202 push 0040B38C "
0040B237 mov edx, 0040B3AC del %0 /a
0040B60C mov edx, 0040B6E0 =
0040B738 mov ecx, 0040B7F8 :\
0040B941 mov edx, 0040B9EC :\
0040B988 push 0040B9F0 ntfs
0040BB59 mov eax, 0040BDF0 vxq5:v5gq5:f5:d57
0040BB69 push 0040BE0C "
0040BC13 push 0040BE18 [autorun]\n\nopen=
0040BC1B push 0040BE34 \n\n
0040BC25 push 0040BE34 \n\n
0040BC32 push 0040BE34 \n\n
0040BC37 push 0040BE78 shell\open\default=1
0040BC3C push 0040BE34 \n\n
0040BC41 push 0040BE98 shell\explore=资源管理器(&x)
0040BC46 push 0040BE34 \n\n
0040BC4B push 0040BEC0 shell\explore\command=
0040BC53 push 0040BE34 \n\n
0040C133 mov edx, 0040C17C software\360safe\safemon\
0040C2E7 mov edx, 0040C418 1
0040C303 push 0040C424 "
0040C31F push 0040C430 "
0040C364 push 0040C424 "
0040C380 push 0040C430 "
0040C51F mov edx, 0040C8F8 software\microsoft\windows\currentversion\run
0040C53E mov edx, 0040C8F8 software\microsoft\windows\currentversion\run
0040C593 mov edx, 0040C930 :\
0040C5C7 push 0040C930 :\
0040C613 push 0040C930 :\
0040C618 push 0040C93C autorun.infdisabletaskmgr
0040C692 mov edx, 0040C930 :\
0040C6C6 push 0040C930 :\
0040C712 push 0040C930 :\
0040C717 push 0040C93C autorun.infdisabletaskmgr
0040C759 mov edx, 0040C948 disabletaskmgr
0040C76A mov edx, 0040C958 software\microsoft\windows\currentversion\policies\system
0040C790 mov edx, 0040C994 disablewindowsupdateaccess
0040C7A1 mov edx, 0040C958 software\microsoft\windows\currentversion\policies\system
0040C7C7 mov edx, 0040C9B0 checkedvalue
0040C7D8 mov edx, 0040C9C0 software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall
0040C806 mov edx, 0040CA14 diskdrive
0040C81E mov ecx, 0040CA2C {4d36e967-e325-11ce-bfc1-08002be10318}
0040C865 mov edx, 0040CA5C software\microsoft\windows nt\currentversion\image file execution options\
0040C8A1 mov edx, 0040CAA8 software\microsoft\windows nt\currentversion\image file execution options\
0040CBA5 mov ebx, 0040CD10 software\microsoft\windows\currentversion\run
0040CBC5 push 0040CD10 software\microsoft\windows\currentversion\run
0040CC40 mov eax, 0040CD48 {za}|{r9~`t|rp|bzm|tzf}|4
0040CC5E mov eax, 0040CD6C c|e$;%9~`t|rp|bzm|tzf}|4
0040CE1C mov edx, 0040D02C http://start page
0040CE42 push 0040D034 start page
0040CE47 push 0040D040 software\microsoft\internet explorer\main
0040CEEB mov edx, 0040D06C checkedvalue
0040CEFC mov edx, 0040D07C software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall
0040CF6A mov edx, 0040D0D8 :\
0040CF9A mov edx, 0040D0D8 :\
0040D225 push 0040D430 rpcrt4.dll
0040D274 push 0040D43C uuidcreate
0040D28A push 0040D448 uuidcreatesequential
0040D2A1 push 0040D43C uuidcreate
0040D2B3 push 0040D448 uuidcreatesequential
0040D347 push 0040D468 -
0040D364 push 0040D468 -
0040D381 push 0040D468 -
0040D39E push 0040D468 -
0040D3BB push 0040D468 -
0040D510 mov eax, 0040D524 8vyptg
0040D722 mov edx, 0040D7A0 $
0040DAC1 push 0040DBCC shell_traywnd
0040DB4F mov edx, 0040DBF4
0040DCC1 mov edx, 0040DD2C -service
0040E1E0 push 0040E228 ?*-?
0040E432 mov edx, 00410A58 settings
0040E437 mov eax, 00410A64 config
0040E524 mov eax, 00410AA0 s|mpqa|xp
0040E561 mov eax, 00410AB4 qpytla|xp
0040E59B mov eax, 00410AC8 fyppea|xp
0040E5D8 mov eax, 00410ADC wqpy
0040E66E mov eax, 00410B0C wftsawzza
0040E6AA mov eax, 00410B20 w^plbzgq
0040E6E6 mov eax, 00410B34 w\spz
0040E722 mov eax, 00410B44 wt`azg`{
0040E79A mov eax, 00410B68 watf~xrg
0040E7D6 mov eax, 00410B7C w]|qpegzvpff
0040E80D mov eax, 00410B94 w\ev\{spva
0040E849 mov eax, 00410BA8 wvyzfp@eqtap
0040E885 mov eax, 00410BC0 wyzv~etrp
0040E8C1 mov eax, 00410BD4 fatgaetrp@gy
0040E90E mov eax, 00410BEC fatavz`{a@gy
0040E95B mov eax, 00410C04 eze@gy
0040E9A8 mov eax, 00410C14 eze@gyalep
0040E9F5 mov eax, 00410C28 eze@gya|xp
0040EA8F mov eax, 00410C50 fpgcpgcpg
0040EAE5 mov edx, 00410C64 4
0040EC01 push 00410C70 ~
0040EC1C push 00410C7C .tmp
0040EC8E push 00410CA0 dllcache\
0040ED30 mov ecx, 00410CB4 -siniu
0040EDAC mov eax, 00410CC4 ;ama
0040EE84 mov edx, 00410CE8 drivers\etc\hosts
0040EEC2 mov eax, 00410D04 qg|cpgfiwppe;flf
0040EEF5 mov eax, 00410D20 0flfapxgzza0iflfapx&'ig`{qyy&';pmp
0040EFCE mov eax, 00410D6C c|e$;%9~`t|rp|bzm|tzf}|4
0040F036 push 00410D90
0040F1B1 mov eax, 00410DB0 vtw|{pabvytff
0040F21E mov edx, 00410DEC 32
0040F24E mov eax, 00410DF8 vzxwzwzmpm
0040F25E mov edx, 00410DEC 32
0040F28E mov eax, 00410E0C azzywtgb|{qzb
0040F29E mov edx, 00410DEC 32
0040F2DE mov eax, 00410E24 vzxwzwzm
0040F30E mov eax, 00410E38 pq|a
0040F3A5 push 00410E40 open
0040F4FC push 00410E48 mz
0040F53E push 00410E54 (
0040F556 push 00410E60 )
0040F55B push 00410E6C .exe
0040F718 push 00410E54 (
0040F730 push 00410E60 )
0040F844 push 00410E74 hosts:
0040FA2F mov eax, 00410E84 {za}|{r9~`t|rp|bzm|tzf}|4
0040FA4D mov eax, 00410D6C c|e$;%9~`t|rp|bzm|tzf}|4
0040FC41 mov ecx, 00410EB4 {4d36e967-e325-11ce-bfc1-08002be10318}
0040FC66 mov ecx, 00410EB4 {4d36e967-e325-11ce-bfc1-08002be10318}
0040FCF6 mov edx, 00410EDC ntsd -ddebugger
0040FD07 push 00410EE4 debugger
0040FD28 mov edx, 00410EF8 software\microsoft\windows nt\currentversion\image file execution options\
0040FD78 mov edx, 00410EF8 software\microsoft\windows nt\currentversion\image file execution options\
0040FDC0 mov edx, 00410F44 software\microsoft\windows nt\currentversion\image file execution options\
0040FE38 mov edx, 00410F98 :\
0040FE81 mov edx, 00410F98 :\
004100F4 push 00410F9C -ssdt
0041011E mov eax, 00410F9C -ssdt
00410146 push 00410FAC "
00410151 push 00410FB8 ",mydllentry
0041017D push 00410E40 open
00410205 push 00410D90
0041020A push 00410FD0 -ssdt
0041035F mov eax, 00410FE8 dogkiller
00410380 push 00410FF4 \\.\pciftdisk
0041043C mov edx, 00411004 disabletaskmgr
00410453 mov edx, 00411014 software\microsoft\windows\currentversion\policies\system
0041047F mov edx, 00411050 disablewindowsupdateaccess
00410496 mov edx, 00411014 software\microsoft\windows\currentversion\policies\system
004104C2 mov edx, 0041106C checkedvalue
004104D9 mov edx, 0041107C software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall
004105D1 mov edx, 004110D8 vip-
004105EC push 004110F8 mac=
00410613 push 00411108 &os=
0041063A push 00411118 &ver=
00410645 push 00411128 &key=
00410684 mov ecx, 00411138 send ok!
004106D4 push 00410D90
00410761 push 00411144 start page
00410766 push 00411150 software\microsoft\internet explorer\main
004107C3 push 0041117C -service
0041082B mov ecx, 00411190
00410874 push 00411194 system\currentcontrolset\services\spooler
004108AB push 004111C0 imagepath
00410956 mov edx, 004111CC software\microsoft\windows\currentversion\run
00410974 push 004111CC software\microsoft\windows\currentversion\run
004109EC mov edx, 004111CC software\microsoft\windows\currentversion\run