(阿波羅新聞網沈波報道)
現在中國和世界各地的網友中,QQ的註冊用戶已經超過1億6000萬。有網友透露,使用卡巴2009掃描機子,報了一個威脅...說類似木馬程序...打開後發現是QQ在訪問硬盤的底層。網友不免覺得疑問,QQ作為一個即時通訊軟件根本沒必要去訪問硬盤底層,經過測試QQ根本沒對硬盤MBR內容做任何改動,只是訪問獲取了一些什麼,因此網友把相關的程序代碼貼到了網上(見本文後面附的代碼)。有懂得匯編的網友看過這段代碼之後,留貼回答,說明這段代碼的大致的作用就是在獲取用戶電腦硬盤的信息。
據知道內情網友留貼透露,現在警察通過qq破案已經是常事。當今中國,對於中共方面對騰訊施加壓力,要求其通過qq軟件來竊取用戶的資料或私隱,查找定位一些人員及組織,對民眾實施管制等,是很容易理解的事情。據說,迅雷等軟件,也都有類似的木馬後門,因此用戶在使用這類軟件時,需要格外注意。
下面是代碼:
[/size][size=1][b]CODE:[/b][/size]
004CDD4C |> /FF75 EC /push dword ptr [ebp-14] ; /<%d>
004CDD4F |. |8D85 98FEFFFF |lea eax, [ebp-168] ; |
004CDD55 |. |68 403C5400 |push 00543C40 ; |format = ".PhysicalDrive%d"
004CDD5A |. |50 |push eax ; |s
004CDD5B |. |FF15 E4294F00 |call [<&MSVCRT.sprintf>] ; sprintf
004CDD61 |. |83C4 0C |add esp, 0C
004CDD64 |. |8D85 98FEFFFF |lea eax, [ebp-168]
004CDD6A |. |53 |push ebx ; /hTemplateFile
004CDD6B |. |53 |push ebx ; |Attributes
004CDD6C |. |6A 03 |push 3 ; |Mode = OPEN_EXISTING
004CDD6E |. |53 |push ebx ; |pSecurity
004CDD6F |. |6A 03 |push 3 ; |ShareMode = FILE_SHARE_READ|FILE_SHARE_WRITE
004CDD71 |. |68 000000C0 |push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004CDD76 |. |50 |push eax ; |FileName
004CDD77 |. |FF15 C4214F00 |call [<&KERNEL32.CreateFileA>] ; CreateFileA
004CDD7D |. |8BF8 |mov edi, eax
004CDD7F |. |83FF FF |cmp edi, -1
004CDD82 |. |897D D4 |mov [ebp-2C], edi
004CDD85 |0F84 22010000 je 004CDEAD ;打開失敗,或者權限不夠
004CDD8B |. |6A 18 |push 18 ; /n = 18 (24.)
004CDD8D |. |8D45 BC |lea eax, [ebp-44] ; |
004CDD90 |. |53 |push ebx ; |c
004CDD91 |. |50 |push eax ; |s
004CDD92 |. |895D E4 |mov [ebp-1C], ebx ; |
004CDD95 |. |E8 883BFAFF |call ; memset
004CDD9A |. |83C4 0C |add esp, 0C
004CDD9D |. |8D45 E4 |lea eax, [ebp-1C] ; |
004CDDA0 |. |53 |push ebx ; |/pOverlapped
004CDDA1 |. |50 |push eax ; ||pBytesReturned
004CDDA2 |. |8D45 BC |lea eax, [ebp-44] ; ||
004CDDA5 |. |6A 18 |push 18 ; ||OutBufferSize = 18 (24.)
004CDDA7 |. |50 |push eax ; ||OutBuffer
004CDDA8 |. |53 |push ebx ; ||InBufferSize
004CDDA9 |. |53 |push ebx ; ||InBuffer
004CDDAA |. |68 80400700 |push 74080 ; ||IoControlCode = SMART_GET_VERSION ;取得硬盤參數
004CDDAF |. |57 |push edi ; ||hDevice
004CDDB0 |. |FF15 A0224F00 |call [<&KERNEL32.DeviceIoControl>] ; |DeviceIoControl
004CDDB6 |. |85C0 |test eax, eax ; |
004CDDB8 |. |0F84 F4000000 |je 004CDEB2 ; |
004CDDBE |. |8A45 BF |mov al, [ebp-41] ; |
004CDDC1 |. |3AC3 |cmp al, bl ; |
004CDDC3 |. |0F86 DB000000 |jbe 004CDEA4 ; |
004CDDC9 |. |8A4D EC |mov cl, [ebp-14] ; |
004CDDCC |. |6A 21 |push 21 ; |/n = 21 (33.)
004CDDCE |. |D2E8 |shr al, cl ; ||
004CDDD0 |. |53 |push ebx ; ||c
004CDDD1 |. |24 10 |and al, 10 ; ||
004CDDD3 |. |F6D8 |neg al ; ||
004CDDD5 |. |1AC0 |nbb al, al ; ||
004CDDD7 |. |24 B5 |and al, 0B5 ; ||
004CDDD9 |. |04 EC |add al, 0EC ; ||
004CDDDB |. |8845 DC |mov [ebp-24], al ; ||
004CDDDE |. |8D45 98 |lea eax, [ebp-68] ; ||
004CDDE1 |. |50 |push eax ; ||s
004CDDE2 |. |E8 3B3BFAFF |call ; |memset
004CDDE7 |. |68 10020000 |push 210 ; |/n = 210 (528.)
004CDDEC |. |8D85 88FCFFFF |lea eax, [ebp-378] ; ||
004CDDF2 |. |53 |push ebx ; ||c
004CDDF3 |. |50 |push eax ; ||s
004CDDF4 |. |E8 293BFAFF |call ; |memset
004CDDF9 |. |8D45 E4 |lea eax, [ebp-1C] ; |
004CDDFC |. |50 |push eax ; |Arg6
004CDDFD |. |8D85 88FCFFFF |lea eax, [ebp-378] ; |
004CDE03 |. |FF75 EC |push dword ptr [ebp-14] ; |Arg5
004CDE06 |. |FF75 DC |push dword ptr [ebp-24] ; |Arg4
004CDE09 |. |50 |push eax ; |Arg3
004CDE0A |. |8D45 98 |lea eax, [ebp-68] ; |
004CDE0D |. |50 |push eax ; |Arg2
004CDE0E |. |57 |push edi ; |Arg1
004CDE0F |. |E8 C1FEFFFF |call 004CDCD5 ; QQ.004CDCD5
004CDE14 |. |83C4 30 |add esp, 30
004CDE17 |. |85C0 |test eax, eax
004CDE19 |. |0F84 85000000 |je 004CDEA4
004CDE1F |. |8D8D 88F8FFFF |lea ecx, [ebp-778]
004CDE25 |. |8D85 98FCFFFF |lea eax, [ebp-368]
004CDE2B |. |BA 00010000 |mov edx, 100
004CDE30 |> |0FB738 |/movzx edi, word ptr [eax]
004CDE33 |. |40 ||inc eax
004CDE34 |. |8939 ||mov [ecx], edi
004CDE36 |. |40 ||inc eax
004CDE37 |. |83C1 04 ||add ecx, 4
004CDE3A |. |4A ||dec edx
004CDE3B |.^|75 F3 |jnz short 004CDE30
004CDE3D |. |6A 13 |push 13
004CDE3F |. |8D85 88F8FFFF |lea eax, [ebp-778]
004CDE45 |. |6A 0A |push 0A
004CDE47 |. |50 |push eax
004CDE48 |. |8D45 D8 |lea eax, [ebp-28]
004CDE4B |. |8BCE |mov ecx, esi
004CDE4D |. |50 |push eax
004CDE4E |. |E8 3C020000 |call 004CE08F
004CDE53 |. |50 |push eax
004CDE54 |. |8BCE |mov ecx, esi
004CDE56 |. |895D FC |mov [ebp-4], ebx
004CDE59 |. |E8 9A34FAFF |call
004CDE5E |. |834D FC FF |or dword ptr [ebp-4], FFFFFFFF
004CDE62 |. |8D4D D8 |lea ecx, [ebp-28]
004CDE65 |. |E8 8834FAFF |call
004CDE6A |. |6A 14 |push 14
004CDE6C |. |6A 20 |push 20
004CDE6E |. |8D4D E0 |lea ecx, [ebp-20]
004CDE71 |. |E8 D034FAFF |call
004CDE76 |. |8B00 |mov eax, [eax]
004CDE78 |. |8B0E |mov ecx, [esi]
004CDE7A |. |6A 01 |push 1
004CDE7C |. |5F |pop edi
004CDE7D |. |50 |push eax ; /s2
004CDE7E |. |51 |push ecx ; |s1
004CDE7F |. |897D FC |mov [ebp-4], edi ; |
004CDE82 |. |FF15 742A4F00 |call [<&MSVCRT._mbscmp>] ; _mbscmp
004CDE88 |. |59 |pop ecx
004CDE89 |. |59 |pop ecx
004CDE8A |. |85C0 |test eax, eax
004CDE8C |. |0F9545 F3 |setne [ebp-D]
004CDE90 |. |834D FC FF |or dword ptr [ebp-4], FFFFFFFF
004CDE94 |. |8D4D E0 |lea ecx, [ebp-20]
004CDE97 |. |E8 5634FAFF |call
004CDE9C |. |385D F3 |cmp [ebp-D], bl
004CDE9F |. |74 03 |je short 004CDEA4
004CDEA1 |. |897D E8 |mov [ebp-18], edi
004CDEA4 |> |FF75 D4 |push dword ptr [ebp-2C] ; /hObject
004CDEA7 |. |FF15 F0214F00 |call [<&KERNEL32.CloseHandle>] ; CloseHandle
004CDEAD |> |395D E8 |cmp [ebp-18], ebx
004CDEB0 |. |75 0D |jnz short 004CDEBF
004CDEB2 |> |FF45 EC |inc dword ptr [ebp-14]
004CDEB5 |. |837D EC 04 |cmp dword ptr [ebp-14], 4
004CDEB9 |.^F8C 8DFEFFFF jl 004CDD4C
004CDEBF |> 8B4D F4 mov ecx, [ebp-C]
004CDEC2 |. 8B45 E8 mov eax, [ebp-18]
004CDEC5 |. 5F pop edi
004CDEC6 |. 5E pop esi
004CDEC7 |. 5B pop ebx
004CDEC8 |. 64:890D 00000>mov fs:[0], ecx
004CDECF |. C9 leave
004CDED0 . C3 retn
[size=1][color=#0000ff][Copy to clipboard][/color][/size]
 |
