t:0043475F push ebx
.text:00434760 call loc_41FAE8 //相同的话跳到MDTM命令处理函数
.text:00434765 add esp, 8
.text:00434768 jmp loc_434AC7
[2] 对时间区域进行处理检测
.text:0041FBB6 loc_41FBB6: ; CODE XREF: sub_41FAE8+9Bj
// Time-field check of the MDTM handler: locate the filename after the command,
// then require a time field of at least 14 bytes whose first 14 characters all
// pass sub_5A1304 (the author treats it as an isdigit-style test).
// Register roles: esi = cursor into the command buffer, edi = char index (0..13),
// [ebp+var_88] = "all 14 chars passed" flag, [ebp+var_78] = filename pointer.
.text:0041FBB6 push 20h // 20h = ' ' (space), the separator to search for
.text:0041FBB8 lea edx, [ebp+var_9FC] // [ebp-9FCh] holds the full command line
.text:0041FBBE push edx
.text:0041FBBF call sub_59BEB1 // find the space in the command; the address just after it
// (i.e. the filename) is what gets stored in [ebp-78h] below
.text:0041FBC4 add esp, 8
.text:0041FBC7 mov [ebp+var_78], eax
.text:0041FBCA test eax, eax
.text:0041FBCC jz loc_41FE6D // no filename found: jump to the path that handles plain
// "mdtm autoexec.bat"-style requests (just reading a file's time)
.text:0041FBD2 lea edx, [ebp+var_9FC]
.text:0041FBD8 push edx
.text:0041FBD9 call sub_59BDA4 // get the command length
.text:0041FBDE pop ecx
.text:0041FBDF cmp eax, 10h // command length < 16 -> jump (jb: unsigned compare)
.text:0041FBE2 jb loc_41FE6D
.text:0041FBE8 lea ecx, [ebp+var_9FC]
.text:0041FBEE mov eax, [ebp+var_78]
.text:0041FBF1 sub eax, ecx // time-field length = filename ptr - command start; relax, there is no hole here
.text:0041FBF3 cmp eax, 0Eh
.text:0041FBF6 jl loc_41FE6D // must be >= 14 bytes (jl: signed compare)
.text:0041FBFC mov [ebp+var_88], 1 // flag = 1: assume every char passes until one fails
.text:0041FC06 xor edi, edi // edi = character index
.text:0041FC08 lea esi, [ebp+var_9FC] // esi = start of the time field
.text:0041FC0E
.text:0041FC0E loc_41FC0E: ; CODE XREF: sub_41FAE8+141j
.text:0041FC0E movsx eax, byte ptr [esi] // sign-extended: bytes >= 80h reach sub_5A1304 as negative values
.text:0041FC11 push eax
.text:0041FC12 call sub_5A1304 // character classifier; only zero/non-zero of its result is used
.text:0041FC17 pop ecx
.text:0041FC18 test eax, eax
.text:0041FC1A jnz short loc_41FC24
.text:0041FC1C xor edx, edx
.text:0041FC1E mov [ebp+var_88], edx // char rejected: clear the flag (loop still runs to 14)
.text:0041FC24
.text:0041FC24 loc_41FC24: ; CODE XREF: sub_41FAE8+132j
.text:0041FC24 inc edi
.text:0041FC25 inc esi
.text:0041FC26 cmp edi, 0Eh
.text:0041FC29 jl short loc_41FC0E // loop over the first 14 characters
.text:0041FC2B cmp [ebp+var_88], 0
.text:0041FC32 jz loc_41FD99 // the first 14 characters of the time field have been checked;
// if any of them was not a digit, jump to 41FD99
// (the code that follows validates the time value itself)
.text:0041FD4F cmp [ebp+var_5C], 7BCh
.text:0041FD56 jl short loc_41FD91 //年小于1980跳
.text:0041FD58 cmp dword ptr [ebp-5Ch], 81Bh
.text:0041FD5F jg short loc_41FD91 //年大于2075跳
.text:0041FD61 cmp dword ptr [ebp-60h], 1
.text:0041FD65 jl short loc_41FD91
.text:0041FD67 cmp dword ptr [ebp-60h], 0Ch
.text:0041FD6B jg &
从漏洞及攻击分析到NIDS规则设计