NtQueryInformationProcess (this API goes straight to sysenter)
This is the rough structure from my analysis:
00A6DE20 Main call eax -------------LocalAlloc
0072E1FD Main mov eax,dword ptr ds:[<&kernel32.GetModuleHandleA>]
0072E202 Main call eax
00B52B39 Main push 0xA14BCF75
00B52B3E Main call 1_vmp.00A32F40
0072E1FD Main mov eax,dword ptr ds:[<&kernel32.GetModuleHandleA>]
0072E202 Main call eax
00B6E530 Main push 0x7E9BDB41
00B6E535 Main call 1_vmp.00A5AF83
00AB234B Main push 0x19F14676
00AB2350 Main call 1_vmp.00A32F40
00B77A4C Main push 0x7EA727E3
00B77A51 Main call 1_vmp.00A5AF83
00ACA012 Main call eax -------------IsWow64Process
009E0500 Main push 0x30467B8
009E0505 Main call 1_vmp.00A6CDA6
0071E4F8 Main call eax -----------IsDebuggerPresent
006FE79C Main push 0x7EB67453
006FE7A1 Main call 1_vmp.00A5AF83
007078FE Main call eax ------------CheckRemoteDebuggerPresent
006E5BE4 Main push 0x3BC7E807
006E5BE9 Main call 00B092E3
00A1F2BD Main push 0x84069C3
00A1F2C2 Main call 00A2070F
00B0293A Main push 0x12C9EB07
00B0293F Main call 1_vmp.00B092E3 -----------------------string construction starts here (the strings are built ahead of time, so tracing the code here is useless)
00A8FF8D Main call eax --------------------GetModuleFileNameW-------------returns the module path of the executable at 400000
00A32D96 Main call eax --------------------GetProcessWindowStation--------if the return value is 0 the next API is not executed, nothing is detected, and a new execution path is taken.
00A24D60 Main call eax ---------------------GetUserObjectInformationW not executed
00A0E7CF Main mov eax,dword ptr ds:[<&kernel32.LoadLibraryA>]
007015B1 Main call eax -----------------the return value in eax is the DOS header
00AD956C Main push 0xA9722777
00AD9571 Main call 1_vmp.00A32F40--------eax plus an offset computes the MessageBox address
00B6879B Main push 0xA4A1B860
00B687A0 Main call 1_vmp.009EB2A3 ------calls MessageBox via eax plus an offset. No jump; the address is obtained directly.
006DDF54 Main mov eax,dword ptr ss:[ebp]
006DDF58 Main jmp 1_vmp.00A95AF1
00A95AF1 Main call eax
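As an added example (not from the post above and not part of the VMProtect sample being analysed), here is a small Python parser for traces in the shape shown in the post. It pulls out the three things the analysis above pairs up by hand: IAT loads (`mov eax,[<&module.Api>]`), the `push <imm32>; call <resolver>` pairs that are the hash-based import lookups, and the `call eax` lines with their annotations, and for each annotated `call eax` lists which hashes were resolved since the previous one. The sample trace is a constructed excerpt in the same format; the `-----Name` annotations are treated as the analyst's labels rather than debugger output, and the hash-to-API pairing is only a candidate list, since the post's trace shows several resolutions before a single call through eax.

```python
"""Parse an x64dbg-style trace of hash-resolved imports (push <hash>; call <resolver>; ... call eax)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample excerpt in the same shape as the trace in the post:
# <address> <thread> <instruction> [----<analyst annotation>]
SAMPLE_TRACE = """\
0072E1FD Main mov eax,dword ptr ds:[<&kernel32.GetModuleHandleA>]
0072E202 Main call eax
00B52B39 Main push 0xA14BCF75
00B52B3E Main call 1_vmp.00A32F40
00B6E530 Main push 0x7E9BDB41
00B6E535 Main call 1_vmp.00A5AF83
00ACA012 Main call eax -------------IsWow64Process
009E0500 Main push 0x30467B8
009E0505 Main call 1_vmp.00A6CDA6
0071E4F8 Main call eax -----------IsDebuggerPresent
"""

# address, thread label, instruction, optional run of dashes followed by the analyst's note
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f]{8})\s+\S+\s+(?P<insn>.*?)\s*(?:-{3,}\s*(?P<note>\S.*))?$"
)
PUSH_IMM_RE = re.compile(r"^push\s+0x([0-9A-Fa-f]+)$")
CALL_RE = re.compile(r"^call\s+(\S+)$")
IAT_REF_RE = re.compile(r"<&([^.>]+)\.([^>]+)>")

Event = Dict[str, Optional[str]]


def parse_trace(text: str) -> List[Event]:
    """Turn the trace into an ordered event list.

    Event kinds:
      iat_load  - mov eax,[<&module.Api>]: a normal import fetched through the IAT
      resolve   - call <resolver> immediately preceded by push <imm32>: hash-based lookup
      call_eax  - call eax: a resolved pointer is invoked; 'api' is the annotation if present
      call      - any other direct call
    """
    events: List[Event] = []
    pending_hash: Optional[str] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        addr = m.group("addr")
        insn = m.group("insn").strip()
        note = m.group("note").strip() if m.group("note") else None

        iat = IAT_REF_RE.search(insn)
        if iat:
            events.append({"kind": "iat_load", "addr": addr,
                           "api": f"{iat.group(1)}.{iat.group(2)}", "hash": None, "resolver": None})
            pending_hash = None
            continue

        push = PUSH_IMM_RE.match(insn)
        if push:
            pending_hash = "0x" + push.group(1).upper()  # normalise hex case for matching
            continue

        call = CALL_RE.match(insn)
        if not call:
            pending_hash = None  # anything else breaks the push/call pair
            continue
        target = call.group(1)
        if target == "eax":
            events.append({"kind": "call_eax", "addr": addr, "api": note, "hash": None, "resolver": None})
        elif pending_hash is not None:
            events.append({"kind": "resolve", "addr": addr, "api": None, "hash": pending_hash, "resolver": target})
        else:
            events.append({"kind": "call", "addr": addr, "api": None, "hash": None, "resolver": target})
        pending_hash = None
    return events


def api_call_sequence(events: List[Event]) -> List[str]:
    """Named API references in trace order (IAT loads plus annotated call eax lines)."""
    return [e["api"] for e in events if e["kind"] in ("iat_load", "call_eax") and e["api"]]


def hashes_per_resolver(events: List[Event]) -> Dict[str, List[str]]:
    """Group the hash constants by the resolver routine they were passed to."""
    out: Dict[str, List[str]] = {}
    for e in events:
        if e["kind"] == "resolve":
            out.setdefault(e["resolver"], []).append(e["hash"])
    return out


def candidate_hashes(events: List[Event]) -> List[Tuple[str, List[str]]]:
    """For each annotated 'call eax', the hashes resolved since the previous 'call eax'.

    A candidate list, not a proof: several lookups can precede one call through eax,
    so the analyst still has to check which resolved pointer actually ended up in eax.
    """
    out: List[Tuple[str, List[str]]] = []
    since_last: List[str] = []
    for e in events:
        if e["kind"] == "resolve":
            since_last.append(e["hash"])
        elif e["kind"] == "call_eax":
            if e["api"]:
                out.append((e["api"], since_last))
            since_last = []
    return out


if __name__ == "__main__":
    ev = parse_trace(SAMPLE_TRACE)
    for api, hashes in candidate_hashes(ev):
        print(f"{api}: hashes resolved before it -> {hashes}")
    print(hashes_per_resolver(ev))
```

Run it on a full trace exported from the debugger to get, per resolver routine, the list of hash constants it was fed; that list is what you compare against the hash values you compute over export names once you have worked out the resolver's hash function.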