c0d3inj3cT/wmtimer.asm

## wmtimer.asm
; Below are the first few lines of code of the Window Procedure:

00402680   55               PUSH EBP
00402681   8BEC             MOV EBP,ESP
00402683   83E4 F8          AND ESP,FFFFFFF8
00402686   83EC 4C          SUB ESP,4C
00402689   A1 04A04000      MOV EAX,DWORD PTR DS:[40A004]
0040268E   33C4             XOR EAX,ESP
00402690   894424 48        MOV DWORD PTR SS:[ESP+48],EAX
00402694   8B45 0C          MOV EAX,DWORD PTR SS:[EBP+C]		; window message code
00402697   56               PUSH ESI
00402698   8B75 08          MOV ESI,DWORD PTR SS:[EBP+8]
0040269B   83F8 0F          CMP EAX,0F
0040269E   77 75            JA SHORT 249be839.00402715			; if wind_code > 0xF
004026A0   74 47            JE SHORT 249be839.004026E9			; WM_PAINT
004026A2   8BC8             MOV ECX,EAX
004026A4   49               DEC ECX
004026A5   74 1E            JE SHORT 249be839.004026C5			; if wind_code == 0x1 (WM_CREATE)

; The below code will setup the timer when the WM_CREATE window message is received by the Window Procedure:

004026C5   6A 00            PUSH 0
004026C7   68 E8030000      PUSH 3E8
004026CC   6A 01            PUSH 1
004026CE   56               PUSH ESI
004026CF   FF15 5C714000    CALL DWORD PTR DS:[40715C]                      ; USER32.SetTimer

; The below code will check if the window message code is 0x113 (WM_TIMER) and call the corresponding code to handle this window message:

00402715   8BC8             MOV ECX,EAX
00402717   81E9 11010000    SUB ECX,111
0040271D   74 57            JE SHORT 249be839.00402776
0040271F   83E9 02          SUB ECX,2
00402722   74 22            JE SHORT 249be839.00402746			; if wind_code == 0x113 (WM_TIMER)

00402746   A1 C4C64400      MOV EAX,DWORD PTR DS:[44C6C4]
0040274B   40               INC EAX					; increment the counter
0040274C   A3 C4C64400      MOV DWORD PTR DS:[44C6C4],EAX
00402751   83F8 05          CMP EAX,5					; check if counter == 0x5
00402754   75 67            JNZ SHORT 249be839.004027BD
00402756   E8 75FBFFFF      CALL 249be839.004022D0			; call malicious subroutine.
	; Below are the first few lines of code of the Window Procedure:

	00402680 55 PUSH EBP
	00402681 8BEC MOV EBP,ESP
	00402683 83E4 F8 AND ESP,FFFFFFF8
	00402686 83EC 4C SUB ESP,4C
	00402689 A1 04A04000 MOV EAX,DWORD PTR DS:[40A004]
	0040268E 33C4 XOR EAX,ESP
	00402690 894424 48 MOV DWORD PTR SS:[ESP+48],EAX
	00402694 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C] ; window message code
	00402697 56 PUSH ESI
	00402698 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8]
	0040269B 83F8 0F CMP EAX,0F
	0040269E 77 75 JA SHORT 249be839.00402715 ; if wind_code > 0xF
	004026A0 74 47 JE SHORT 249be839.004026E9 ; WM_PAINT
	004026A2 8BC8 MOV ECX,EAX
	004026A4 49 DEC ECX
	004026A5 74 1E JE SHORT 249be839.004026C5 ; if wind_code == 0x1 (WM_CREATE)

	; The below code will setup the timer when the WM_CREATE window message is received by the Window Procedure:

	004026C5 6A 00 PUSH 0
	004026C7 68 E8030000 PUSH 3E8
	004026CC 6A 01 PUSH 1
	004026CE 56 PUSH ESI
	004026CF FF15 5C714000 CALL DWORD PTR DS:[40715C] ; USER32.SetTimer

	; The below code will check if the window message code is 0x113 (WM_TIMER) and call the corresponding code to handle this window message:

	00402715 8BC8 MOV ECX,EAX
	00402717 81E9 11010000 SUB ECX,111
	0040271D 74 57 JE SHORT 249be839.00402776
	0040271F 83E9 02 SUB ECX,2
	00402722 74 22 JE SHORT 249be839.00402746 ; if wind_code == 0x113 (WM_TIMER)

	00402746 A1 C4C64400 MOV EAX,DWORD PTR DS:[44C6C4]
	0040274B 40 INC EAX ; increment the counter
	0040274C A3 C4C64400 MOV DWORD PTR DS:[44C6C4],EAX
	00402751 83F8 05 CMP EAX,5 ; check if counter == 0x5
	00402754 75 67 JNZ SHORT 249be839.004027BD
	00402756 E8 75FBFFFF CALL 249be839.004022D0 ; call malicious subroutine.