一个比较变态的MessageBox
2009-03-03 17:29
;-----------------------------------------------------------------------
; MyMessageBox  (IDA listing, x86, Intel syntax, MSVC-style frame)
; Reads as:  int __cdecl MyMessageBox(arg_0, arg_4, arg_8)
;   retn carries no immediate, so the caller cleans the three dword args.
;   All three are forwarded unchanged to MessageBoxA, so the natural reading
;   is arg_0 = lpText, arg_4 = lpCaption, arg_8 = uType -- confirm against callers.
; Out:   eax = MessageBoxA result, or 0 if USER32.DLL / any required export
;        could not be resolved (loc_40A62D).
; Flow:  1) lazily resolve MessageBoxA, GetActiveWindow, GetLastActivePopup,
;           GetUserObjectInformationA, GetProcessWindowStation from USER32.DLL
;           and cache them as EncodePointer()-encoded globals; each one is
;           decoded only at the call site (the usual reason for encoding cached
;           function pointers is that a stray or attacker-controlled write to
;           the global no longer yields a directly callable address);
;        2) if the process window station is not WSF_VISIBLE, OR 200000h
;           (MB_SERVICE_NOTIFICATION) into uType so the box is still shown on
;           the interactive desktop, and use a NULL owner;
;        3) otherwise use GetLastActivePopup(GetActiveWindow()) as owner hwnd;
;        4) decode and call MessageBoxA.
; Regs:  ebx = value returned by CallEncodePointer, used as the "unresolved"
;              sentinel for the cached encoded pointers (presumably
;              EncodePointer(NULL) -- confirm);
;        during resolution: esi = GetProcAddress, edi = hUser32;
;        during the visibility check: esi = decoded GetProcessWindowStation,
;              edi = decoded GetUserObjectInformationA.
; Stack: sub esp,14h = var_14 (USEROBJECTFLAGS, 12 bytes; var_C is its
;        dwFlags field at +8), var_8 (lpnLengthNeeded), Hwnd (owner, NULL by
;        default). var_24 is IDA's name for [esp] once ebx/esi/edi and one
;        argument have been pushed. ebx/esi/edi are callee-saved and restored.
;-----------------------------------------------------------------------
.text:0040A4CB MyMessageBox proc near
.text:0040A4CB
.text:0040A4CB var_24 = dword ptr -24h
.text:0040A4CB var_14 = byte ptr -14h
.text:0040A4CB var_C = byte ptr -0Ch
.text:0040A4CB var_8 = byte ptr -8
.text:0040A4CB Hwnd = dword ptr -4
.text:0040A4CB arg_0 = dword ptr 8
.text:0040A4CB arg_4 = dword ptr 0Ch
.text:0040A4CB arg_8 = dword ptr 10h
.text:0040A4CB
.text:0040A4CB         mov     edi, edi                        ; 2-byte no-op: MSVC hot-patchable prologue
.text:0040A4CD         push    ebp
.text:0040A4CE         mov     ebp, esp
.text:0040A4D0         sub     esp, 14h                        ; locals: var_14 (12) + var_8 (4) + Hwnd (4)
.text:0040A4D3         push    ebx                             ; save callee-saved regs
.text:0040A4D4         push    esi
.text:0040A4D5         push    edi
.text:0040A4D6         call    CallEncodePointer               ; eax = encoded sentinel (see header)
.text:0040A4DB         and     [ebp+Hwnd], 0                   ; Hwnd = NULL (owner unless found below)
.text:0040A4DF         cmp     PMessageBoxA_ENCODED, 0         ; first-call check against raw 0 (the global's
.text:0040A4DF                                                 ; initial value), not against ebx; a failed lookup
.text:0040A4DF                                                 ; below stores nothing, so it is retried next call
.text:0040A4E6         mov     ebx, eax                        ; ebx = encoded sentinel
.text:0040A4E8         jnz     loc_40A57C                      ; already resolved -> skip the lookups
.text:0040A4EE         push    offset LibFileName              ; "USER32.DLL" (bare name, resolved by loader search order)
.text:0040A4F3         call    ds:LoadLibraryA
.text:0040A4F9         mov     edi, eax                        ; edi = hUser32
.text:0040A4FB         test    edi, edi
.text:0040A4FD         jz      loc_40A62D                      ; no USER32 -> return 0
.text:0040A503         mov     esi, ds:GetProcAddress          ; esi = GetProcAddress
.text:0040A509         push    offset aMessageboxa             ; "MessageBoxA"
.text:0040A50E         push    edi                             ; hModule
.text:0040A50F         call    esi                             ; GetProcAddress
.text:0040A511         test    eax, eax
.text:0040A513         jz      loc_40A62D                      ; MessageBoxA missing -> return 0 (cache stays 0)
.text:0040A519         push    eax                             ; proc address to encode (IDA's "lpProcName" tag is stale)
.text:0040A51A         call    LoadModuleAndCallEncodePointer  ; returns the EncodePointer()-encoded value
.text:0040A51F         mov     [esp+24h+var_24], offset aGetactivewindo ; "GetActiveWindow": reuse the arg slot the
.text:0040A51F                                                 ; cdecl call above left on the stack as the next lpProcName
.text:0040A526         push    edi                             ; hModule
.text:0040A527         mov     PMessageBoxA_ENCODED, eax       ; cache encoded MessageBoxA
.text:0040A52C         call    esi                             ; GetProcAddress
.text:0040A52E         push    eax                             ; proc address to encode
.text:0040A52F         call    LoadModuleAndCallEncodePointer  ; returns the EncodePointer()-encoded value
.text:0040A534         mov     [esp+24h+var_24], offset aGetlastactivep ; "GetLastActivePopup" (same slot-reuse trick)
.text:0040A53B         push    edi                             ; hModule
.text:0040A53C         mov     PGetActiveWindow_ENCODED, eax   ; cache encoded GetActiveWindow
.text:0040A541         call    esi                             ; GetProcAddress
.text:0040A543         push    eax                             ; proc address to encode
.text:0040A544         call    LoadModuleAndCallEncodePointer  ; returns the EncodePointer()-encoded value
.text:0040A549         mov     [esp+24h+var_24], offset aGetuserobjecti ; "GetUserObjectInformationA" (same slot-reuse trick)
.text:0040A550         push    edi                             ; hModule
.text:0040A551         mov     pGetLastActivePopup_ENCODED, eax ; cache encoded GetLastActivePopup
.text:0040A556         call    esi                             ; GetProcAddress
.text:0040A558         push    eax                             ; proc address to encode
.text:0040A559         call    LoadModuleAndCallEncodePointer  ; returns the EncodePointer()-encoded value
.text:0040A55E         pop     ecx                             ; discard the cdecl argument
.text:0040A55F         mov     pGetUserObjectInformationA_ENCODED, eax ; cache encoded GetUserObjectInformationA
.text:0040A564         test    eax, eax                        ; note: raw-zero test here, not the ebx sentinel
.text:0040A566         jz      short loc_40A57C                ; without it the window-station check is pointless
.text:0040A568         push    offset aGetprocesswind          ; "GetProcessWindowStation"
.text:0040A56D         push    edi                             ; hModule
.text:0040A56E         call    esi                             ; GetProcAddress
.text:0040A570         push    eax                             ; proc address to encode
.text:0040A571         call    LoadModuleAndCallEncodePointer  ; returns the EncodePointer()-encoded value
.text:0040A576         pop     ecx                             ; discard the cdecl argument
.text:0040A577         mov     PGetProcessWindowStation_ENCODED, eax ; cache encoded GetProcessWindowStation
.text:0040A57C
.text:0040A57C loc_40A57C:                                     ; CODE XREF: MyMessageBox+1D j
.text:0040A57C                                                 ; MyMessageBox+9B j
.text:0040A57C ; --- visibility check: is the window station interactive? ---
.text:0040A57C         mov     eax, PGetProcessWindowStation_ENCODED
.text:0040A581         cmp     eax, ebx                        ; unresolved (encoded sentinel)?
.text:0040A583         jz      short loc_40A5D4                ; -> skip check, assume visible
.text:0040A585         cmp     pGetUserObjectInformationA_ENCODED, ebx
.text:0040A58B         jz      short loc_40A5D4
.text:0040A58D         push    eax
.text:0040A58E         call    LoadModuleAndCallDecodePointer  ; decode GetProcessWindowStation
.text:0040A593         push    pGetUserObjectInformationA_ENCODED
.text:0040A599         mov     esi, eax                        ; esi = decoded GetProcessWindowStation address
.text:0040A59B         call    LoadModuleAndCallDecodePointer  ; decode GetUserObjectInformationA
.text:0040A5A0         pop     ecx                             ; discard both cdecl arguments
.text:0040A5A1         pop     ecx
.text:0040A5A2         mov     edi, eax                        ; edi = decoded GetUserObjectInformationA address
.text:0040A5A4         test    esi, esi                        ; either decode yielded NULL -> skip check
.text:0040A5A6         jz      short loc_40A5D4
.text:0040A5A8         test    edi, edi
.text:0040A5AA         jz      short loc_40A5D4
.text:0040A5AC         call    esi                             ; call GetProcessWindowStation
.text:0040A5AE         test    eax, eax
.text:0040A5B0         jz      short loc_40A5CB                ; no window station -> treat as non-interactive
.text:0040A5B2         lea     ecx, [ebp+var_8]
.text:0040A5B5         push    ecx                             ; lpnLengthNeeded (5th arg, pushed first: stdcall)
.text:0040A5B6         push    0Ch                             ; nLength = sizeof(USEROBJECTFLAGS)
.text:0040A5B6                                                 ;
.text:0040A5B8         lea     ecx, [ebp+var_14]               ; typedef struct tagUSEROBJECTFLAGS {
.text:0040A5B8                                                 ; BOOL fInherit;
.text:0040A5B8                                                 ; BOOL fReserved;
.text:0040A5B8                                                 ; DWORD dwFlags;
.text:0040A5B8                                                 ; } USEROBJECTFLAGS, *PUSEROBJECTFLAGS;
.text:0040A5BB         push    ecx                             ; pvInfo = &var_14
.text:0040A5BC         push    1                               ; UOI_FLAGS
.text:0040A5BC                                                 ;
.text:0040A5BE         push    eax                             ; handle = window station
.text:0040A5BF         call    edi                             ; call GetUserObjectInformation
.text:0040A5C1         test    eax, eax
.text:0040A5C3         jz      short loc_40A5CB                ; query failed -> treat as non-interactive
.text:0040A5C5         test    [ebp+var_C], 1                  ; var_C = dwFlags (var_14+8); WSF_VISIBLE set?
.text:0040A5C9         jnz     short loc_40A5D4                ; visible -> look for an owner window
.text:0040A5CB
.text:0040A5CB loc_40A5CB:                                     ; CODE XREF: MyMessageBox+E5 j
.text:0040A5CB                                                 ; MyMessageBox+F8 j
.text:0040A5CB ; --- non-interactive station (or could not tell): request a service notification box ---
.text:0040A5CB         or      [ebp+arg_8], 200000h            ; uType |= MB_SERVICE_NOTIFICATION
.text:0040A5D2         jmp     short loc_40A60D                ; owner stays NULL; skip the popup lookup
.text:0040A5D4 ; ---------------------------------------------------------------------------
.text:0040A5D4
.text:0040A5D4 loc_40A5D4:                                     ; CODE XREF: MyMessageBox+B8 j
.text:0040A5D4                                                 ; MyMessageBox+C0 j ...
.text:0040A5D4 ; --- owner lookup: Hwnd = GetLastActivePopup(GetActiveWindow()) ---
.text:0040A5D4         mov     eax, PGetActiveWindow_ENCODED
.text:0040A5D9         cmp     eax, ebx                        ; unresolved?
.text:0040A5DB         jz      short loc_40A60D
.text:0040A5DD         push    eax
.text:0040A5DE         call    LoadModuleAndCallDecodePointer  ; decode GetActiveWindow
.text:0040A5E3         pop     ecx
.text:0040A5E4         test    eax, eax
.text:0040A5E6         jz      short loc_40A60D
.text:0040A5E8         call    eax                             ; PGetActiveWindow_ENCODED ; call GetActiveWindow
.text:0040A5EA         mov     [ebp+Hwnd], eax                 ; Hwnd = active window (may be NULL)
.text:0040A5ED         test    eax, eax
.text:0040A5EF         jz      short loc_40A60D                ; no active window -> owner NULL
.text:0040A5F1         mov     eax, pGetLastActivePopup_ENCODED
.text:0040A5F6         cmp     eax, ebx                        ; unresolved?
.text:0040A5F8         jz      short loc_40A60D
.text:0040A5FA         push    eax
.text:0040A5FB         call    LoadModuleAndCallDecodePointer  ; decode GetLastActivePopup
.text:0040A600         pop     ecx
.text:0040A601         test    eax, eax
.text:0040A603         jz      short loc_40A60D
.text:0040A605         push    [ebp+Hwnd]
.text:0040A608         call    eax                             ; pGetLastActivePopup_ENCODED ; call GetLastActivePopup
.text:0040A60A         mov     [ebp+Hwnd], eax                 ; keep the last active popup as the owner
.text:0040A60D
.text:0040A60D loc_40A60D:                                     ; CODE XREF: MyMessageBox+107 j
.text:0040A60D                                                 ; MyMessageBox+110 j ...
.text:0040A60D ; --- decode and call MessageBoxA(Hwnd, arg_0, arg_4, arg_8) ---
.text:0040A60D         push    PMessageBoxA_ENCODED
.text:0040A613         call    LoadModuleAndCallDecodePointer  ; decode MessageBoxA
.text:0040A618         pop     ecx
.text:0040A619         test    eax, eax
.text:0040A61B         jz      short loc_40A62D                ; decoded to NULL -> return 0
.text:0040A61D         push    [ebp+arg_8]                     ; uType (possibly with MB_SERVICE_NOTIFICATION)
.text:0040A620         push    [ebp+arg_4]
.text:0040A623         push    [ebp+arg_0]
.text:0040A626         push    [ebp+Hwnd]                      ; owner
.text:0040A629         call    eax                             ; call MessageBoxA (stdcall, callee pops the 4 args;
.text:0040A629                                                 ; IDA's "PGetProcessWindowStation_ENCODED" tag here is stale)
.text:0040A62B         jmp     short loc_40A62F                ; eax = MessageBoxA result
.text:0040A62D ; ---------------------------------------------------------------------------
.text:0040A62D
.text:0040A62D loc_40A62D:                                     ; CODE XREF: MyMessageBox+32 j
.text:0040A62D                                                 ; MyMessageBox+48 j ...
.text:0040A62D         xor     eax, eax                        ; failure path: return 0
.text:0040A62F
.text:0040A62F loc_40A62F:                                     ; CODE XREF: MyMessageBox+160 j
.text:0040A62F         pop     edi                             ; restore callee-saved regs
.text:0040A630         pop     esi
.text:0040A631         pop     ebx
.text:0040A632         leave
.text:0040A633         retn                                    ; cdecl: caller removes the 3 args
.text:0040A633 MyMessageBox endp
这个函数写的很麻烦,主要思路是。 1)从user32.dll中获取函数地址,然后加密这些函数地址。 2)解密函数地址,并调用函数,获得当前进程桌面,判断桌面属性是否可见。 如果可见,则获取当前活动的窗口,然后得到活动窗口最后弹出的一个popup窗口句柄 最后使用这个句柄,弹出MessageBox 3)加密函数和解密函数来源于一个dll模块。 |