c0d3inj3cT · October 18, 2017 05:29
diff --git a/wmtimer.asm b/wmtimer.asm
 ; Below are the first few lines of code of the Window Procedure:

 00402680   55               PUSH EBP
 00402681   8BEC             MOV EBP,ESP
 00402683   83E4 F8          AND ESP,FFFFFFF8
 00402686   83EC 4C          SUB ESP,4C
 00402689   A1 04A04000      MOV EAX,DWORD PTR DS:[40A004]
 0040268E   33C4             XOR EAX,ESP
 00402690   894424 48        MOV DWORD PTR SS:[ESP+48],EAX
 00402694   8B45 0C          MOV EAX,DWORD PTR SS:[EBP+C]		; window message code
 00402697   56               PUSH ESI
 00402698   8B75 08          MOV ESI,DWORD PTR SS:[EBP+8]
 0040269B   83F8 0F          CMP EAX,0F
 0040269E   77 75            JA SHORT 249be839.00402715			; if wind_code > 0xF
 004026A0   74 47            JE SHORT 249be839.004026E9			; WM_PAINT
 004026A2   8BC8             MOV ECX,EAX
 004026A4   49               DEC ECX
 004026A5   74 1E            JE SHORT 249be839.004026C5			; if wind_code == 0x1 (WM_CREATE)

 ; The below code will setup the timer when the WM_CREATE window message is received by the Window Procedure:

 004026C5   6A 00            PUSH 0
 004026C7   68 E8030000      PUSH 3E8
 004026CC   6A 01            PUSH 1
 004026CE   56               PUSH ESI
 004026CF   FF15 5C714000    CALL DWORD PTR DS:[40715C]                      ; USER32.SetTimer

 ; The below code will check if the window message code is 0x113 (WM_TIMER) and call the corresponding code to handle this window message:

 00402715   8BC8             MOV ECX,EAX
 00402717   81E9 11010000    SUB ECX,111
 0040271D   74 57            JE SHORT 249be839.00402776
 0040271F   83E9 02          SUB ECX,2
 00402722   74 22            JE SHORT 249be839.00402746			; if wind_code == 0x113 (WM_TIMER)

 00402746   A1 C4C64400      MOV EAX,DWORD PTR DS:[44C6C4]
 0040274B   40               INC EAX					; increment the counter
 0040274C   A3 C4C64400      MOV DWORD PTR DS:[44C6C4],EAX
 00402751   83F8 05          CMP EAX,5					; check if counter == 0x5
 00402754   75 67            JNZ SHORT 249be839.004027BD
 00402756   E8 75FBFFFF      CALL 249be839.004022D0			; call malicious subroutine.
	; Below are the first few lines of code of the Window Procedure:

	00402680 55 PUSH EBP
	00402681 8BEC MOV EBP,ESP
	00402683 83E4 F8 AND ESP,FFFFFFF8
	00402686 83EC 4C SUB ESP,4C
	00402689 A1 04A04000 MOV EAX,DWORD PTR DS:[40A004]
	0040268E 33C4 XOR EAX,ESP
	00402690 894424 48 MOV DWORD PTR SS:[ESP+48],EAX
	00402694 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; window message code
	00402697 56 PUSH ESI
	00402698 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
	0040269B 83F8 0F CMP EAX,0F
	0040269E 77 75 JA SHORT 249be839.00402715 ; if wind_code > 0xF
	004026A0 74 47 JE SHORT 249be839.004026E9 ; WM_PAINT
	004026A2 8BC8 MOV ECX,EAX
	004026A4 49 DEC ECX
	004026A5 74 1E JE SHORT 249be839.004026C5 ; if wind_code == 0x1 (WM_CREATE)

	; The below code will setup the timer when the WM_CREATE window message is received by the Window Procedure:

	004026C5 6A 00 PUSH 0
	004026C7 68 E8030000 PUSH 3E8
	004026CC 6A 01 PUSH 1
	004026CE 56 PUSH ESI
	004026CF FF15 5C714000 CALL DWORD PTR DS:[40715C] ; USER32.SetTimer

	; The below code will check if the window message code is 0x113 (WM_TIMER) and call the corresponding code to handle this window message:

	00402715 8BC8 MOV ECX,EAX
	00402717 81E9 11010000 SUB ECX,111
	0040271D 74 57 JE SHORT 249be839.00402776
	0040271F 83E9 02 SUB ECX,2
	00402722 74 22 JE SHORT 249be839.00402746 ; if wind_code == 0x113 (WM_TIMER)

	00402746 A1 C4C64400 MOV EAX,DWORD PTR DS:[44C6C4]
	0040274B 40 INC EAX ; increment the counter
	0040274C A3 C4C64400 MOV DWORD PTR DS:[44C6C4],EAX
	00402751 83F8 05 CMP EAX,5 ; check if counter == 0x5
	00402754 75 67 JNZ SHORT 249be839.004027BD
	00402756 E8 75FBFFFF CALL 249be839.004022D0 ; call malicious subroutine.