突破口：通过 VirusTotal 和微云沙盒分析得知，可能的操作有分配内存、写内存。在给 WriteProcessMemory 下断点调试并观察参数时，发现当前区域为动态分配的内存，
strcpy(str_kernel32, "kernel32.dll");
strcpy(str_ntdll, "ntdll.dll");
strcpy(str_shell32, "shell32.dll");
strcpy(str_advapi32, "advapi32.dll");
strcpy(str_psapi, "psapi.dll");
strcpy(str_GetProcAddress, "GetProcAddress");
strcpy(str_GetModuleHandleA, "GetModuleHandleA");
strcpy(str_GetModuleFileNameA, "GetModuleFileNameA");
strcpy(str_GetModuleFileNameW, "GetModuleFileNameW");
strcpy(str_CreateProcessA, "CreateProcessA");
strcpy(str_CreateProcessW, "CreateProcessW");
strcpy(str_CreateToolhelp32Snapshot, "CreateToolhelp32Snapshot");
strcpy(str_Process32First, "Process32First");
strcpy(str_Process32Next, "Process32Next");
strcpy(str_Module32First, "Module32First");
strcpy(str_Module32Next, "Module32Next");
strcpy(str_CloseHandle, "CloseHandle");
strcpy(str_GetCurrentProcess, "GetCurrentProcess");
strcpy(str_GlobalAlloc, "GlobalAlloc");
strcpy(str_OpenProcessToken, "OpenProcessToken");
strcpy(str_GetTokenInformation, "GetTokenInformation");
strcpy(str_AllocateAndInitializeSid, "AllocateAndInitializeSid");
strcpy(str_EqualSid, "EqualSid");
strcpy(str_LookupAccountSidA, "LookupAccountSidA");
strcpy(str_OpenMutexA, "OpenMutexA");
strcpy(str_CreateMutexA, "CreateMutexA");
strcpy(str_CreateFileA, "CreateFileA");
strcpy(str_CreateFileW, "CreateFileW");
strcpy(str_GetFileSize, "GetFileSize");
strcpy(str_ReadFile, "ReadFile");
strcpy(str_GetSystemDirectoryA, "GetSystemDirectoryA");
strcpy(str_GetSystemDirectoryW, "GetSystemDirectoryW");
strcpy(str_SetFileAttributesW, "SetFileAttributesW");
strcpy(str_MoveFileExW, "MoveFileExW");
strcpy(str_SHGetSpecialFolderPathA, "SHGetSpecialFolderPathA");
strcpy(str_SHGetSpecialFolderPathW, "SHGetSpecialFolderPathW");
strcpy(str_RegOpenKeyExA, "RegOpenKeyExA");
strcpy(str_RegOpenKeyExW, "RegOpenKeyExW");
strcpy(str_RegSetValueExA, "RegSetValueExA");
strcpy(str_RegSetValueExW, "RegSetValueExW");
strcpy(str_RegQueryValueExA, "RegQueryValueExA");
strcpy(str_RegQueryValueExW, "RegQueryValueExW");
strcpy(str_RegCloseKey, "RegCloseKey");
strcpy(str_CreateDirectoryW, "CreateDirectoryW");
strcpy(str_ExitProcess, "ExitProcess");
strcpy(str_Sleep, "Sleep");
strcpy(str_GetFileTime, "GetFileTime");
strcpy(str_SetFileTime, "SetFileTime");
strcpy(str_CopyFileW, "CopyFileW");
strcpy(str_DeleteFileW, "DeleteFileW");
strcpy(str_VirtualAlloc, "VirtualAlloc");
strcpy(str_GetTickCount, "GetTickCount");
strcpy(str_IsWow64Process, "IsWow64Process");
strcpy(str_OpenProcess, "OpenProcess");
strcpy(str_DuplicateHandle, "DuplicateHandle");
strcpy(str_NtUnmapViewOfSection, "NtUnmapViewOfSection");
strcpy(str_VirtualAllocEx, "VirtualAllocEx");
strcpy(str_WriteProcessMemory, "WriteProcessMemory");
strcpy(str_GetThreadContext, "GetThreadContext");
strcpy(str_SetThreadContext, "SetThreadContext");
strcpy(str_ResumeThread, "ResumeThread");
strcpy(str_SuspendThread, "SuspendThread");
strcpy(str_TerminateProcess, "TerminateProcess");
strcpy(str_NtReadVirtualMemory, "NtReadVirtualMemory");
strcpy(str_GetCommandLineW, "GetCommandLineW");
strcpy(str_GetProcessMemoryInfo, "GetProcessMemoryInfo");
strcpy(str_WriteFile, "WriteFile");