首页
社区
课程
招聘
[原创]反沙箱钓鱼远控样本分析[2024.6]
发表于: 2024-6-15 10:06 9963

[原创]反沙箱钓鱼远控样本分析[2024.6]

2024-6-15 10:06
9963

老大发我一份样本学习,现与大家一起分享交流
原作者首发:https://xz.aliyun.com/t/14610,感谢原作者分享样本
本文编写时攻击者已经撤了资源,并且互联网上没有找到 样本资料,因此部分流程无法分析。但是已经基本把反沙箱、反虚拟机以及混淆看了。

样本信息
微步:https://s.threatbook.com/report/file/b3e8070d005d4f68f5a2bd3e4bed287b2b1dd9e8ee3d3ceb409c58f0f2d39d28
报告:b3e8070d005d4f68f5a2bd3e4bed287b2b1dd9e8ee3d3ceb409c58f0f2d39d28-report.pdf

hash
SHA256:b3e8070d005d4f68f5a2bd3e4bed287b2b1dd9e8ee3d3ceb409c58f0f2d39d28
MD5:403eda5d13e6fdf8ff839442b9536001
SHA1:c45c4c9e01dfb9ac48f05ff6cc23f0238021a946

样本特殊的点在于,反沙箱做得很好,微步查不出来,行为也就无从分析了
image.png
那就下载看一下

下载样本,观察,发现伪装成企业微信安装程序,加了一些版权信息
image.png
image.png
打开火绒剑,过滤这个进程
image.png
双击样本,没有要管理员权限,注册表操作了很多东西
image.png
在虚拟机中执行,他获取了一些注册表信息,比如current user,机器语言等信息,属于默认操作,然后打开了一系列system32的dll。没有什么敏感的操作
直接看静态分析吧

首先查壳,无壳,C++编写
image.png
脱了符号表
来到winmain,开始分析

获取已知文件夹(这里是用户桌面)路径

这个rfid的值如下

在官网(https://learn.microsoft.com/en-us/windows/win32/shell/knownfolderid)找到了对应的GUID,是**FOLDERID_Desktop,**也就是当前用户的桌面image.png
访问默认用户需要管理员权限。
跟进sub_140006C50,传入了桌面路径
其中,经过对路径的处理(增加通配符"\\*"到路径末尾),调用FindFirstFileW,获取桌面下第一个find的文件的句柄,存放到_WIN32_FIND_DATAW类型的FindFileData中

后续对这个数据的处理,获取属性,如果不是16(FILE_ATTRIBUTE_DIRECTORY 16 (0x00000010) 标识目录的句柄),则计数器加一,并继续寻找下一个文件数据,直到检查完所有桌面的文件,返回非目录文件的数量

如果桌面存放的非目录文件小于六个(五个以内),则v9为真,退出程序

紧接着的是sub_140003B10,其中获取当前进程所在目录

经过对字符的处理后前往19标签

又是寻找当前进程目录文件

不过这里是对比文件信息,看一下这个大循环

整体操作就是跳过"."和"..",将剩余的文件名存放在一个数据结构里,最后返回数据结构

这个a1其实就是一开始传入的block void参数。现在充当索引数组的作用
image.png

回到win main,继续往下

获取FOLDERID_Recent(C:\Users\Wang\AppData\Roaming\Microsoft\Windows\Recent),并追加通配符匹配所有带后缀的文件

image.png
继续获取目录下文件信息,获取非目录文件数量

如果数量小于等于5,或者GetTickCount()计时器值小于0x75300(480000ms,是否少于八小时),就会退出程序。这个GetTickCount的最大值是49.7天(0xFFFFFFFF

这里还有两个函数,分别是与时间间隔和服务扫描有关的,分别分析

OpenSCManagerW打开服务管理器,localalloc分配一个存放sevice枚举状态的变量

enumServicesStatusA函数枚举指定的服务控制管理器数据库中的服务。 提供了每个服务的名称和状态。

这里静态调试摸不明白,动调一手,符号找到EnumServicesStatusA,然后摸到这个解密函数,运行完之后可以观察到,这里获取到的服务是AJRoute(AllJoyn Router Service),解密之后rax寄存器存放VMware Tools
image.png
下面还有Virtual MachineVirtualBox Guestimage.png

一直运行到vmware tools服务,进程就会退出。image.png
这里可以通过nop实现绕过

仍旧在main函数中
首先是加密在代码中的二进制数据,把他按照给定的算法解密成url

逆向算法不是我的专长,这里直接用dbg调出来,从内存里看
获得http的信息装填到临时变量中,后面解析

解出来的结果

下载一个txt到内存,暂时存储
还会有一个url存储在内存中,会再次下载

image.png
中途有messagebox跳出骚扰窗口
image.png
这个口令硬编码
image.pngimage.png

接着下载刚刚新的jpg云文件,跟进sub_140006A60
从aliyun下载加密文件(https://fish-123.oss-cn-shanghai.aliyuncs.com/27f6fe91-b4d3-4dd9-89cd-03b8ed32fe0d.jpg)

接着程序生成feishu.exe(恶意程序)
首先生成恶意程序路径

这一定是某个三方库(不知道有没有人知道),前面也有用到的(vmware服务名,文章里没记录)

恶意文件路径:C:\\Users\\Public\\Downloads\\feishu.exe

再说一句,样本里的几乎所有关键字符串都用了混淆的三方库,比如这里sub_140007D00生成的baidudocument

进入sub_140006A60下载恶意文件。

这里由于已经被标记了(文章编写时距离第一次提交已经过去快一个月了),攻击人员撤销了资源,所以返回error xml

微步上已经有相关样本记录(f495f57d4ad156d7e31a40d20952220d4933e8658f2db4c62c3b7f555beffc2d),再次感谢第一位提交的并且分析样本的师傅,他的首发文章:https://xz.aliyun.com/t/14610
将文件放到C:\Users\Public\Downloads\feishu.exe,

经过一系列寄存器取值操作,最后使用SHELLEXECUTEW调用程序,携带参数baidudocument
image.png

现在我们已经把恶意文件下载下来了,以下是他的基本信息(为什么这位大哥这么喜欢文件说明和图标名称对不上,强迫症犯了)
image.png
首先观察静态代码,可以发现非常平坦化,估计用ollvm混淆过了
观察到其中的关键代码,shellcode创建线程

混淆后的代码很难看,这里找到了一个之前一样的字符串混淆方式(按位循环,中间数据不变,提取尾部数据到头部向前一位偏移,头部)

顺着loader执行进去的x64dbg可以直接查看,但是我执行的时候报错,位数出问题,我这里直接用x64dbg跑feishu.exe了。
有个前提,必须携带baidudocument参数

我这里选择用x64dbg改变命令行
image.png

由于发现时间滞后了,云资源已经撤销,暂时没有在互联网和情报社区找到最后的shellcode的txt,于是到此结束。
这个样本的亮点就是反沙箱,反虚拟机,以及其中奇奇怪怪的加密,当然我感觉这个混淆其实就看脑洞了。

if ( SHGetKnownFolderPath(&rfid, 0, 0i64, &ppszPath) < 0 )
  {
    LODWORD(v9) = 1;
  }
  else
  {
    v8 = sub_140006C50(ppszPath);
    CoTaskMemFree(ppszPath);
    v9 = v8 < 6;
  }
if ( SHGetKnownFolderPath(&rfid, 0, 0i64, &ppszPath) < 0 )
  {
    LODWORD(v9) = 1;
  }
  else
  {
    v8 = sub_140006C50(ppszPath);
    CoTaskMemFree(ppszPath);
    v9 = v8 < 6;
  }
.rdata:0000000140038780                               ; const KNOWNFOLDERID rfid
.rdata:0000000140038780 3A CC BF B4 2C DB 4C 42 B0 29+rfid dd 0B4BFCC3Ah                           ; Data1
.rdata:0000000140038780 7F E9 9A 87 C6 41                                                     ; DATA XREF: WinMain+150↑o
.rdata:0000000140038780                               dw 0DB2Ch                               ; Data2
.rdata:0000000140038780                               dw 424Ch                                ; Data3
.rdata:0000000140038780                               db 0B0h, 29h, 7Fh, 0E9h, 9Ah, 87h, 0C6h, 41h; Data4
.rdata:0000000140038780                               ; const KNOWNFOLDERID rfid
.rdata:0000000140038780 3A CC BF B4 2C DB 4C 42 B0 29+rfid dd 0B4BFCC3Ah                           ; Data1
.rdata:0000000140038780 7F E9 9A 87 C6 41                                                     ; DATA XREF: WinMain+150↑o
.rdata:0000000140038780                               dw 0DB2Ch                               ; Data2
.rdata:0000000140038780                               dw 424Ch                                ; Data3
.rdata:0000000140038780                               db 0B0h, 29h, 7Fh, 0E9h, 9Ah, 87h, 0C6h, 41h; Data4
v4 = (const WCHAR *)lpFileName;
  if ( si128.m128i_i64[1] >= 8ui64 )
    v4 = lpFileName[0];
  FirstFileW = FindFirstFileW(v4, &FindFileData);
v4 = (const WCHAR *)lpFileName;
  if ( si128.m128i_i64[1] >= 8ui64 )
    v4 = lpFileName[0];
  FirstFileW = FindFirstFileW(v4, &FindFileData);
typedef struct _WIN32_FIND_DATAW {
  DWORD    dwFileAttributes;          // 文件属性,如只读、隐藏、系统文件等
  FILETIME ftCreationTime;            // 文件创建时间
  FILETIME ftLastAccessTime;          // 文件最后访问时间
  FILETIME ftLastWriteTime;           // 文件最后写入时间
  DWORD    nFileSizeHigh;             // 文件大小的高32位,用于大文件
  DWORD    nFileSizeLow;              // 文件大小的低32位
  DWORD    dwReserved0;               // 保留字段,不使用
  DWORD    dwReserved1;               // 保留字段,不使用
  WCHAR    cFileName[MAX_PATH];       // 文件名
  WCHAR    cAlternateFileName[14];    // 文件的8.3缩写格式名称,不常用
  DWORD    dwFileType;                // 文件类型,已废弃,不应使用
  DWORD    dwCreatorType;             // 创建者类型,已废弃,不应使用
  WORD     wFinderFlags;              // 查找标志,已废弃,不应使用
} WIN32_FIND_DATAW, *PWIN32_FIND_DATAW, *LPWIN32_FIND_DATAW;
typedef struct _WIN32_FIND_DATAW {
  DWORD    dwFileAttributes;          // 文件属性,如只读、隐藏、系统文件等
  FILETIME ftCreationTime;            // 文件创建时间
  FILETIME ftLastAccessTime;          // 文件最后访问时间
  FILETIME ftLastWriteTime;           // 文件最后写入时间
  DWORD    nFileSizeHigh;             // 文件大小的高32位,用于大文件
  DWORD    nFileSizeLow;              // 文件大小的低32位
  DWORD    dwReserved0;               // 保留字段,不使用
  DWORD    dwReserved1;               // 保留字段,不使用
  WCHAR    cFileName[MAX_PATH];       // 文件名
  WCHAR    cAlternateFileName[14];    // 文件的8.3缩写格式名称,不常用
  DWORD    dwFileType;                // 文件类型,已废弃,不应使用
  DWORD    dwCreatorType;             // 创建者类型,已废弃,不应使用
  WORD     wFinderFlags;              // 查找标志,已废弃,不应使用
} WIN32_FIND_DATAW, *PWIN32_FIND_DATAW, *LPWIN32_FIND_DATAW;
do
  {
    if ( FindFileData.dwFileAttributes != 16 )
      ++v1;
  }
  while ( FindNextFileW(FirstFileW, &FindFileData) );
  FindClose(FirstFileW);
  return v1;
}
do
  {
    if ( FindFileData.dwFileAttributes != 16 )
      ++v1;
  }
  while ( FindNextFileW(FirstFileW, &FindFileData) );
  FindClose(FirstFileW);
  return v1;
}
v8 = sub_140006C50(ppszPath);
CoTaskMemFree(ppszPath);
v9 = v8 < 6;
v8 = sub_140006C50(ppszPath);
CoTaskMemFree(ppszPath);
v9 = v8 < 6;
GetCurrentDirectoryA(0x104u, Buffer);
GetCurrentDirectoryA(0x104u, Buffer);
do
    ++v2;
    while ( Buffer[v2] );
if ( v2 > 0x7FFFFFFFFFFFFFFFi64 )
    sub_1400014C0();
v37 = 15i64;
if ( v2 < 0x10 )
{
    v36 = v2;
    memcpy(lpFileName, Buffer, v2);
    *((_BYTE *)lpFileName + v2) = 0;
    goto LABEL_19;
}
do
    ++v2;
    while ( Buffer[v2] );
if ( v2 > 0x7FFFFFFFFFFFFFFFi64 )
    sub_1400014C0();
v37 = 15i64;
if ( v2 < 0x10 )
{
    v36 = v2;
    memcpy(lpFileName, Buffer, v2);
    *((_BYTE *)lpFileName + v2) = 0;
    goto LABEL_19;
}
FirstFileA = FindFirstFileA(v8, &FindFileData);
FirstFileA = FindFirstFileA(v8, &FindFileData);
do
  {
    v31 = 20;
    v30[0] = 46; // '.'当前目录
    if ( !strcmp(FindFileData.cFileName, (const char *)v30) )
      continue;
    v32[1] = 107;
    v32[2] = 107;
    strcpy((char *)v32, "..");// 父目录
    if ( !strcmp(FindFileData.cFileName, (const char *)v32) || (FindFileData.dwFileAttributes & 0x10) != 0 )
      continue;
    v28 = 0i64;
    v29 = 0ui64;
    v13 = -1i64;
    do
      ++v13;
    while ( FindFileData.cFileName[v13] );
    if ( v13 > 0x7FFFFFFFFFFFFFFFi64 )
      sub_1400014C0();
    *((_QWORD *)&v29 + 1) = 15i64;
    if ( v13 < 0x10 )
    {
      *(_QWORD *)&v29 = v13;
      memcpy(&v28, FindFileData.cFileName, v13);
      *((_BYTE *)&v28 + v13) = 0;
      goto LABEL_51;
    }
    v14 = v13 | 0xF;
    if ( (v13 | 0xF) > 0x7FFFFFFFFFFFFFFFi64 )
    {
      v14 = 0x7FFFFFFFFFFFFFFFi64;
      v15 = 0x8000000000000027ui64;
LABEL_45:
      v17 = operator new(v15);
      if ( !v17 )
        goto LABEL_60;
      v18 = (_QWORD *)(((unsigned __int64)v17 + 39) & 0xFFFFFFFFFFFFFFE0ui64);
      *(v18 - 1) = v17;
      goto LABEL_50;
    }
    if ( v14 < 0x16 )
      v14 = 22i64;
    v16 = v14 + 1;
    if ( v14 + 1 >= 0x1000 )
    {
      v15 = v14 + 40;
      if ( v14 + 40 <= v14 + 1 )
        sub_140001420(v16);
      goto LABEL_45;
    }
    if ( v14 == -1i64 )
      v18 = 0i64;
    else
      v18 = operator new(v16);
LABEL_50:
    *(_QWORD *)&v28 = v18;
    *(_QWORD *)&v29 = v13;
    *((_QWORD *)&v29 + 1) = v14;
    memcpy(v18, FindFileData.cFileName, v13);
    *((_BYTE *)v18 + v13) = 0;
LABEL_51:
    v19 = *((_QWORD *)&v33 + 1);
    if ( *((_QWORD *)&v33 + 1) == v34 )
    {
      sub_140013FE0(&v33, *((_QWORD *)&v33 + 1), &v28);
      v20 = *((_QWORD *)&v29 + 1);
    }
    else
    {
      **((_OWORD **)&v33 + 1) = v28;
      *(_OWORD *)(v19 + 16) = v29;
      v20 = 15i64;
      LOBYTE(v28) = 0;
      *((_QWORD *)&v33 + 1) += 32i64;
    }
    if ( v20 >= 0x10 )
    {
      v21 = (void *)v28;
      if ( v20 + 1 >= 0x1000 )
      {
        v21 = *(void **)(v28 - 8);
        if ( (unsigned __int64)(v28 - (_QWORD)v21 - 8) > 0x1F )
LABEL_60:
          invalid_parameter_noinfo_noreturn();
      }
      j_j_free_0(v21);
    }
  }
  while ( FindNextFileA(FirstFileA, &FindFileData) );
do
  {
    v31 = 20;
    v30[0] = 46; // '.'当前目录
    if ( !strcmp(FindFileData.cFileName, (const char *)v30) )
      continue;
    v32[1] = 107;
    v32[2] = 107;
    strcpy((char *)v32, "..");// 父目录
    if ( !strcmp(FindFileData.cFileName, (const char *)v32) || (FindFileData.dwFileAttributes & 0x10) != 0 )
      continue;
    v28 = 0i64;
    v29 = 0ui64;
    v13 = -1i64;
    do
      ++v13;
    while ( FindFileData.cFileName[v13] );
    if ( v13 > 0x7FFFFFFFFFFFFFFFi64 )
      sub_1400014C0();
    *((_QWORD *)&v29 + 1) = 15i64;
    if ( v13 < 0x10 )
    {
      *(_QWORD *)&v29 = v13;
      memcpy(&v28, FindFileData.cFileName, v13);
      *((_BYTE *)&v28 + v13) = 0;
      goto LABEL_51;
    }
    v14 = v13 | 0xF;
    if ( (v13 | 0xF) > 0x7FFFFFFFFFFFFFFFi64 )
    {
      v14 = 0x7FFFFFFFFFFFFFFFi64;
      v15 = 0x8000000000000027ui64;
LABEL_45:
      v17 = operator new(v15);
      if ( !v17 )
        goto LABEL_60;
      v18 = (_QWORD *)(((unsigned __int64)v17 + 39) & 0xFFFFFFFFFFFFFFE0ui64);
      *(v18 - 1) = v17;
      goto LABEL_50;
    }
    if ( v14 < 0x16 )
      v14 = 22i64;
    v16 = v14 + 1;
    if ( v14 + 1 >= 0x1000 )
    {
      v15 = v14 + 40;
      if ( v14 + 40 <= v14 + 1 )
        sub_140001420(v16);
      goto LABEL_45;
    }
    if ( v14 == -1i64 )
      v18 = 0i64;
    else
      v18 = operator new(v16);
LABEL_50:
    *(_QWORD *)&v28 = v18;
    *(_QWORD *)&v29 = v13;
    *((_QWORD *)&v29 + 1) = v14;
    memcpy(v18, FindFileData.cFileName, v13);
    *((_BYTE *)v18 + v13) = 0;
LABEL_51:
    v19 = *((_QWORD *)&v33 + 1);
    if ( *((_QWORD *)&v33 + 1) == v34 )
    {
      sub_140013FE0(&v33, *((_QWORD *)&v33 + 1), &v28);
      v20 = *((_QWORD *)&v29 + 1);
    }
    else
    {
      **((_OWORD **)&v33 + 1) = v28;
      *(_OWORD *)(v19 + 16) = v29;
      v20 = 15i64;
      LOBYTE(v28) = 0;
      *((_QWORD *)&v33 + 1) += 32i64;
    }
    if ( v20 >= 0x10 )
    {
      v21 = (void *)v28;
      if ( v20 + 1 >= 0x1000 )
      {
        v21 = *(void **)(v28 - 8);
        if ( (unsigned __int64)(v28 - (_QWORD)v21 - 8) > 0x1F )
LABEL_60:
          invalid_parameter_noinfo_noreturn();
      }
      j_j_free_0(v21);
    }
  }
  while ( FindNextFileA(FirstFileA, &FindFileData) );
v22 = v34;
v34 = 0i64;
v23 = *((_QWORD *)&v33 + 1);
v24 = 0i64;
v25 = v33;
v26 = 0i64;
v33 = 0ui64;
*a1 = v25;
a1[1] = v23;
a1[2] = v22;
.....
    return a1;
v22 = v34;
v34 = 0i64;
v23 = *((_QWORD *)&v33 + 1);
v24 = 0i64;
v25 = v33;
v26 = 0i64;
v33 = 0ui64;
*a1 = v25;
a1[1] = v23;
a1[2] = v22;
.....
    return a1;
ppszPath = 0i64;
if ( SHGetKnownFolderPath(&stru_140038790, 0, 0i64, &ppszPath) < 0 )
    goto LABEL_149;
sub_140011810(lpFileName, ppszPath);
append(lpFileName, L"\\*.*");
ppszPath = 0i64;
if ( SHGetKnownFolderPath(&stru_140038790, 0, 0i64, &ppszPath) < 0 )
    goto LABEL_149;
sub_140011810(lpFileName, ppszPath);
append(lpFileName, L"\\*.*");
.rdata:0000000140038790 81 C0 50 AE D2 EB 8A 43 86 55+stru_140038790 dd 0AE50C081h                           ; Data1
.rdata:0000000140038790 8A 09 2E 34 98 7A                                                     ; DATA XREF: WinMain+2AF↑o
.rdata:0000000140038790                               dw 0EBD2h                               ; Data2
.rdata:0000000140038790                               dw 438Ah                                ; Data3
.rdata:0000000140038790                               db 86h, 55h, 8Ah, 9, 2Eh, 34h, 98h, 7Ah ; Data4
.rdata:0000000140038790 81 C0 50 AE D2 EB 8A 43 86 55+stru_140038790 dd 0AE50C081h                           ; Data1
.rdata:0000000140038790 8A 09 2E 34 98 7A                                                     ; DATA XREF: WinMain+2AF↑o
.rdata:0000000140038790                               dw 0EBD2h                               ; Data2
.rdata:0000000140038790                               dw 438Ah                                ; Data3
.rdata:0000000140038790                               db 86h, 55h, 8Ah, 9, 2Eh, 34h, 98h, 7Ah ; Data4
v22 = (const WCHAR *)lpFileName;
if ( v85 >= 8 )
    v22 = lpFileName[0];
FirstFileW = FindFirstFileW(v22, &FindFileData);
if ( FirstFileW != (HANDLE)-1i64 )
{
    do
        {
            v24 = v21 + 1;
            if ( (FindFileData.dwFileAttributes & 0x10) != 0 )
                v24 = v21;
            v21 = v24;
        }
        while ( FindNextFileW(FirstFileW, &FindFileData) );
    FindClose(FirstFileW);
}
CoTaskMemFree(ppszPath);
v22 = (const WCHAR *)lpFileName;
if ( v85 >= 8 )
    v22 = lpFileName[0];
FirstFileW = FindFirstFileW(v22, &FindFileData);
if ( FirstFileW != (HANDLE)-1i64 )
{
    do
        {
            v24 = v21 + 1;
            if ( (FindFileData.dwFileAttributes & 0x10) != 0 )
                v24 = v21;
            v21 = v24;
        }
        while ( FindNextFileW(FirstFileW, &FindFileData) );
    FindClose(FirstFileW);
}
CoTaskMemFree(ppszPath);
if ( v21 <= 5 || GetTickCount() < 0x75300 || (unsigned __int8)sub_1400040C0() || (unsigned int)sub_140004570() )
    goto LABEL_149;
if ( v21 <= 5 || GetTickCount() < 0x75300 || (unsigned __int8)sub_1400040C0() || (unsigned int)sub_140004570() )
    goto LABEL_149;
v0 = Xtime_get_ticks() / 10000;
perf_frequency = Query_perf_frequency();
perf_counter = Query_perf_counter();
if ( perf_frequency == 10000000 )
    v3 = 100 * perf_counter;
else
    v3 = 1000000000 * (perf_counter / perf_frequency) + 1000000000 * (perf_counter % perf_frequency) / perf_frequency;
v4 = v3 + 300000000;
if ( v3 >= 0x7FFFFFFFEE1E5CFFi64 )
    v4 = 0x7FFFFFFFFFFFFFFFi64;
while ( 1 )
    {
        v5 = Query_perf_frequency();
        v6 = Query_perf_counter();
        v7 = v5 == 10000000 ? 100 * v6 : 1000000000 * (v6 / v5) + 1000000000 * (v6 % v5) / v5;
        ticks = Xtime_get_ticks();
        if ( v7 >= v4 )
            break;
        v9 = 100 * ticks;
        v10 = v4 - v7;
        v11 = v9 - 1391067136;
        v12 = (double)((int)v4 - (int)v7);
        if ( v12 <= 8.64e14 )
            v11 = v10 + v9;
        v13 = v9 + v10;
        v14 = v9 + 864000000000000i64;
        if ( v12 <= 8.64e14 )
            v14 = v13;
        v15 = (__int64)((unsigned __int128)(v14 * (__int128)0x112E0BE826D694B3i64) >> 64) >> 26;
        v17.sec = (v15 >> 63) + v15;
        v17.nsec = v11 - 1000000000 * LODWORD(v17.sec);
        Thrd_sleep(&v17);
    }
return (int)(((ticks / 10000 + -300 - v0) ^ ((unsigned __int64)(ticks / 10000 + -300 - (int)v0) >> 32))
    - ((unsigned __int64)(ticks / 10000 + -300 - (int)v0) >> 32)) > 100;
v0 = Xtime_get_ticks() / 10000;
perf_frequency = Query_perf_frequency();
perf_counter = Query_perf_counter();
if ( perf_frequency == 10000000 )
    v3 = 100 * perf_counter;
else
    v3 = 1000000000 * (perf_counter / perf_frequency) + 1000000000 * (perf_counter % perf_frequency) / perf_frequency;
v4 = v3 + 300000000;
if ( v3 >= 0x7FFFFFFFEE1E5CFFi64 )
    v4 = 0x7FFFFFFFFFFFFFFFi64;
while ( 1 )
    {
        v5 = Query_perf_frequency();
        v6 = Query_perf_counter();
        v7 = v5 == 10000000 ? 100 * v6 : 1000000000 * (v6 / v5) + 1000000000 * (v6 % v5) / v5;
        ticks = Xtime_get_ticks();
        if ( v7 >= v4 )
            break;
        v9 = 100 * ticks;
        v10 = v4 - v7;
        v11 = v9 - 1391067136;
        v12 = (double)((int)v4 - (int)v7);
        if ( v12 <= 8.64e14 )
            v11 = v10 + v9;
        v13 = v9 + v10;
        v14 = v9 + 864000000000000i64;
        if ( v12 <= 8.64e14 )
            v14 = v13;
        v15 = (__int64)((unsigned __int128)(v14 * (__int128)0x112E0BE826D694B3i64) >> 64) >> 26;
        v17.sec = (v15 >> 63) + v15;
        v17.nsec = v11 - 1000000000 * LODWORD(v17.sec);
        Thrd_sleep(&v17);
    }
return (int)(((ticks / 10000 + -300 - v0) ^ ((unsigned __int64)(ticks / 10000 + -300 - (int)v0) >> 32))
    - ((unsigned __int64)(ticks / 10000 + -300 - (int)v0) >> 32)) > 100;
v0 = OpenSCManagerW(0i64, 0i64, 4u);
if ( !v0 )
    return 0xFFFFFFFFi64;
v1 = 0i64;
pcbBytesNeeded = 0;
ServicesReturned = 0;
ResumeHandle = 0;
v2 = (struct _ENUM_SERVICE_STATUSA *)LocalAlloc(0x40u, 0x10000ui64);
if ( !EnumServicesStatusA(v0, 0x30u, 3u, v2, 0x10000u, &pcbBytesNeeded, &ServicesReturned, &ResumeHandle) )
    return 0xFFFFFFFFi64;
v0 = OpenSCManagerW(0i64, 0i64, 4u);
if ( !v0 )
    return 0xFFFFFFFFi64;
v1 = 0i64;
pcbBytesNeeded = 0;
ServicesReturned = 0;
ResumeHandle = 0;
v2 = (struct _ENUM_SERVICE_STATUSA *)LocalAlloc(0x40u, 0x10000ui64);
if ( !EnumServicesStatusA(v0, 0x30u, 3u, v2, 0x10000u, &pcbBytesNeeded, &ServicesReturned, &ResumeHandle) )
    return 0xFFFFFFFFi64;
typedef struct _ENUM_SERVICE_STATUSA {
LPSTR          lpServiceName;
LPSTR          lpDisplayName;
SERVICE_STATUS ServiceStatus;
} ENUM_SERVICE_STATUSA, *LPENUM_SERVICE_STATUSA;
typedef struct _ENUM_SERVICE_STATUSA {
LPSTR          lpServiceName;
LPSTR          lpDisplayName;
SERVICE_STATUS ServiceStatus;
} ENUM_SERVICE_STATUSA, *LPENUM_SERVICE_STATUSA;
BOOL EnumServicesStatusA(
    [in]                SC_HANDLE              hSCManager,           // 输入: 服务控制管理器的句柄
    [in]                DWORD                  dwServiceType,        // 输入: 要枚举的服务类型
    [in]                DWORD                  dwServiceState,       // 输入: 要枚举的服务状态
    [out, optional]     LPENUM_SERVICE_STATUSA lpServices,           // 输出: 枚举服务的状态数组
    [in]                DWORD                  cbBufSize,            // 输入: lpServices 缓冲区的大小(字节)
    [out]               LPDWORD                pcbBytesNeeded,       // 输出: 需要的字节数,如果缓冲区太小则返回所需大小
    [out]               LPDWORD                lpServicesReturned,   // 输出: 返回的服务状态结构的数量
    [in, out, optional] LPDWORD                lpResumeHandle        // 输入/输出: 用于继续枚举的恢复句柄
);
BOOL EnumServicesStatusA(
    [in]                SC_HANDLE              hSCManager,           // 输入: 服务控制管理器的句柄
    [in]                DWORD                  dwServiceType,        // 输入: 要枚举的服务类型
    [in]                DWORD                  dwServiceState,       // 输入: 要枚举的服务状态
    [out, optional]     LPENUM_SERVICE_STATUSA lpServices,           // 输出: 枚举服务的状态数组
    [in]                DWORD                  cbBufSize,            // 输入: lpServices 缓冲区的大小(字节)
    [out]               LPDWORD                pcbBytesNeeded,       // 输出: 需要的字节数,如果缓冲区太小则返回所需大小
    [out]               LPDWORD                lpServicesReturned,   // 输出: 返回的服务状态结构的数量
    [in, out, optional] LPDWORD                lpResumeHandle        // 输入/输出: 用于继续枚举的恢复句柄
);
00007FF67361465E | E8 1DBA0000              | call 同济大学文档保护系统.7FF673620080            |
00007FF673614663 | 48:8D3C5B                | lea rdi,qword ptr ds:[rbx+rbx*2]        | rdi:&"vmvss"
00007FF673614667 | 48:8BD0                  | mov rdx,rax                             | rdx:"VMware Tools"
00007FF67361466A | 48:C1E7 04               | shl rdi,4                               | rdi:&"vmvss"
00007FF67361466E | 49:03FE                  | add rdi,r14                             | rdi:&"vmvss", r14:&"AJRouter"
00007FF673614671 | 48:8B4F 08               | mov rcx,qword ptr ds:[rdi+8]            | [rdi+08]:"VMware Snapshot Provider"
00007FF673614675 | FF15 9D3D0300            | call qword ptr ds:[<strstr>]            |
00007FF67361467B | 48:85C0                  | test rax,rax                            |
00007FF67361467E | 90                       | nop                                     |
00007FF67361467F | 90                       | nop                                     |
00007FF673614680 | 90                       | nop                                     |
00007FF673614681 | 90                       | nop                                     |
00007FF673614682 | 90                       | nop                                     |
00007FF673614683 | 90                       | nop                                     |
00007FF673614684 | 66:0F6F0D F4BE0300       | movdqa xmm1,xmmword ptr ds:[7FF67365058 |
00007FF67361468C | 48:8D4D 90               | lea rcx,qword ptr ss:[rbp-70]           |
00007FF673614690 | 0F57C0                   | xorps xmm0,xmm0                         |
00007FF673614693 | 66:0F7F4D C0             | movdqa xmmword ptr ss:[rbp-40],xmm1     |
00007FF67361465E | E8 1DBA0000              | call 同济大学文档保护系统.7FF673620080            |
00007FF673614663 | 48:8D3C5B                | lea rdi,qword ptr ds:[rbx+rbx*2]        | rdi:&"vmvss"
00007FF673614667 | 48:8BD0                  | mov rdx,rax                             | rdx:"VMware Tools"
00007FF67361466A | 48:C1E7 04               | shl rdi,4                               | rdi:&"vmvss"
00007FF67361466E | 49:03FE                  | add rdi,r14                             | rdi:&"vmvss", r14:&"AJRouter"
00007FF673614671 | 48:8B4F 08               | mov rcx,qword ptr ds:[rdi+8]            | [rdi+08]:"VMware Snapshot Provider"
00007FF673614675 | FF15 9D3D0300            | call qword ptr ds:[<strstr>]            |
00007FF67361467B | 48:85C0                  | test rax,rax                            |
00007FF67361467E | 90                       | nop                                     |
00007FF67361467F | 90                       | nop                                     |
00007FF673614680 | 90                       | nop                                     |
00007FF673614681 | 90                       | nop                                     |
00007FF673614682 | 90                       | nop                                     |
00007FF673614683 | 90                       | nop                                     |

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

最后于 2024-7-2 16:37 被天堂猪0ink编辑 ,原因:
收藏
免费 2
支持
分享
最新回复 (2)
雪    币: 3126
活跃值: (3386)
能力值: ( LV8,RANK:120 )
在线值:
发帖
回帖
粉丝
2
1400042B0不会是判断文件名是否有特殊字符串或者MD5/SHA256命名来确定是否退出的吧,我瞎猜的
2024-6-18 16:06
0
雪    币: 3018
活跃值: (958)
能力值: ( LV7,RANK:100 )
在线值:
发帖
回帖
粉丝
3
dayday向上8 1400042B0不会是判断文件名是否有特殊字符串或者MD5/SHA256命名来确定是否退出的吧,我瞎猜的

可能是的

最后于 2024-6-18 22:50 被天堂猪0ink编辑 ,原因:
2024-6-18 20:30
0
游客
登录 | 注册 方可回帖
返回
//