-
-
[原创]解答 defcon_27_windbg_workshop 几个challenges
-
发表于: 2025-7-22 02:25 2730
-
恰如海德格尔有锤子、维特根斯坦有拨火棍,windows 逆向人员要上手windbg。defcon_27_windbg_workshop 几个 challenges 比较适合windbg入门,在此试着解答,抛砖引玉。
如果时间旅行调试加载exe, 即 Record with Time Travel Debugging(TTD),程序直接输出No,终结比赛。
不用TTD如下:
看到IsBeingDebugged!__main,肯定得下个断点。g(Go)3次,程序输出Yes。试试g两次。
这里进入了主函数,反汇编窗口显示如下:
程序将执行call poi[40824Ch]。
程序将跳转至KERNELBASE!IsDebuggerPresent。
在返回之前r rax=0。
继续g,输出No。
注意到,IsDebuggerPresent由KERNEL32!IsDebuggerPresentStub实现,就是跳转到KERNEL32!_imp_IsDebuggerPresent存储的地址,即KERNELBASE!IsDebuggerPresent地址。而KERNELBASE!IsDebuggerPresent的3条指令就是获取PEB BeingDebugged字段后返回。所以也可用hook大法,不管程序每次执行什么指令,都在其之前把PEB BeingDebugged置零。
作者在 WinDBG Workshop.pdf 有提示: MONITOR MESSAGES RECEIVED BY USER32!GETMESSAGEW, AND CHECK WINTYPES!MSG.WPARAM。那么下断点的函数和要监控的参数都有了。
根据IDA反汇编结果,该程序使用了以下函数:VirtualAlloc、memcpy、VirtualProtect、CreateThread、WaitForSingleObject和VirtualFree。此调用序列呈现了典型的基于C语言的shellcode加载流程。其中sub_401569函数主要调用VirtualAlloc为unk_403040分配内存,随后通过sub_4015E5进行异或解密(密钥从0x13开始,自增到256开始循环),因此之前加密的SHELLCODE存放于此。而sub_401543函数则对应 xor-payload.py 中的CheckNtGlobalFlag功能模块。
首先绕过IsDebuggerPresent与CheckNtGlobalFlag检测。单步调试时,ret前r eax = 0。随后在VirtualAlloc或memcpy处设置断点。当memcpy(v5, Src, Size)执行时,其参数Src即为加密SHELLCODE地址。单步执行至地址 0x75338CFB 处的msvcrt!memcpy函数时,esi即加密SHELLCODE地址,ecx即其长度。最终sub_4015E5函数同样可以异或解密加密SHELLCODE。
加载模块查看PE头信息。
从内存 dump 出 exe,文件当然是不完全的。
由于缺乏符号信息,反汇编窗口未显示函数名称,使出动静结合大法,放出IDA。可知,MiniRansomware为Go语言编译的exe文件。通过IDA获取所有函数名称与地址的双射,现列出main包中的所有函数如下:
全部设置断点。
g下去,程序未进入main函数,而是中断于MiniRansomware+0xb1670(0x4b1670)处。查询IDA函数名称地址的双射,是main_DecodeStaticKey。
查看main_DecodeStaticKey反汇编。
函数前半部分是一个循环,rax每次自增,与0-8比较,在栈上赋值或跳转。函数的参数与返回值都在栈上操作,因此每次调用及返回前都可以先行查看。RCX与RDX处理完成的最终数值已存入栈中,可先行查看RCX/RDX。因此bp 004b1795。
main_DecodeStaticKey通过栈返回了值"0defcon00defcon00defcon00defcon0"。继续g,进入main_main函数,随后步入main_AcceptSeriousWarning函数,最终抵达main_EntryFunctionEncrypt函数。
重点分析main_EntryFunctionEncrypt加密逻辑。
对所有的call指令,查询IDA函数名称地址双射。
在最后两次函数调用处设置断点,g下去。会在main_EntryFunctionEncrypt与main_IsRegularFile函数之间会反复横跳,表明存在文件验证机制。删除这两个函数断点,继续g,在main_IsValidExtensions处进入新循环。删除该处断点,继续g。
程序执行在call 00000000004B1960处中断。步进该函数。对函数内部的call指令,查询IDA的函数名称地址双射。
地址46D910对应crypto_aes_NewCipher,其唯一参数为AES加密密钥。在main_EntryFunctionEncrypt整个执行流程里,只在crypto_aes_NewCipher和地址4622E0处理加密逻辑,而4622E0只是决定AES加密方式CFB,与密钥无关。查看call crypto_aes_NewCipher上下文。
因此bp 004b1b09,db查看密钥。
HideMe.sys driver在搭建的win10 lab环境里无法运行,所以换成了Nidhogg-Alpha. pid隐藏原理是一样的。
要解决的问题:rootkit如何隐藏pid,windbg如何找出?
运行driver如下:
在windbg查看此driver如下:
notepad打开了两个文件,pid分别为3432和4776。运行NidhoggClient隐藏3432, 查看确认。
主要相关代码如下:
结论:rootkit隐藏进程PID是通过修改Windows内核的 ActiveProcessLinks,摘除目标进程的链表节点且将节点指针指向自身实现隐藏,使目标进程在系统枚举时不可见。
枚举所有活动进程,进程地址或pid存入 ps.txt。
枚举所有句柄,结果存为 handles.txt,过滤出所有进程地址或pid存入 addresses.txt。
去重。
将 ha.txt 与 ps.txt 对比,多出来的就是隐藏进程。
#include <windows.h>#include <stdio.h>int main(int argc, char** argv){ if(IsDebuggerPresent()){ printf("Yes !\n"); }else{ printf("No !\n"); } getchar(); return 0;}#include <windows.h>#include <stdio.h>int main(int argc, char** argv){ if(IsDebuggerPresent()){ printf("Yes !\n"); }else{ printf("No !\n"); } getchar(); return 0;}0:000> lmstart end module name00000000`00400000 00000000`00461000 IsBeingDebugged (service symbols: DWARF Private Symbols) C:\Users\user\defcon_27_windbg_workshop\challenges\IsBeingDebugged\IsBeingDebugged.exe00007ffc`f5da0000 00007ffc`f6097000 KERNELBASE (deferred) 00007ffc`f77c0000 00007ffc`f785e000 msvcrt (deferred) 00007ffc`f7c50000 00007ffc`f7d12000 KERNEL32 (deferred) 00007ffc`f8390000 00007ffc`f8588000 ntdll (pdb symbols) c:\symbols\ntdll.pdb\DAD4BF763E723284BC97F7DB68FA41781\ntdll.pdb0:000> x IsBeingDebugged!*00000000`00407968 IsBeingDebugged!__mingw_winmain_hInstance = 0x00000000`0000000000000000`00407960 IsBeingDebugged!__mingw_winmain_lpCmdLine = 0x00000000`00000000 ""00000000`00403000 IsBeingDebugged!__mingw_winmain_nShowCmd = 0xa00000000`00407020 IsBeingDebugged!argc = 0n000000000`00407018 IsBeingDebugged!argv = 0x00000000`0000000000000000`00407010 IsBeingDebugged!envp = 0x00000000`0000000000000000`0040700c IsBeingDebugged!mainret = 0n000000000`00407008 IsBeingDebugged!managedapp = 0n000000000`00407004 IsBeingDebugged!has_cctor = 0n000000000`00407000 IsBeingDebugged!startinfo = _startupinfo00000000`00409020 IsBeingDebugged!mingw_pcinit = 0x00000000`0040101000000000`00409008 IsBeingDebugged!mingw_pcppinit = 0x00000000`0040116000000000`00407970 IsBeingDebugged!__onexitbegin = 0x00000000`0000000000000000`00407978 IsBeingDebugged!__onexitend = 0x00000000`0000000000000000`00407030 IsBeingDebugged!initialized = 0n000000000`00403024 IsBeingDebugged!__native_dllmain_reason = 0xffffffff00000000`00403020 IsBeingDebugged!__native_vcclrit_reason = 0xffffffff00000000`00407980 IsBeingDebugged!__native_startup_state = __uninitialized (0n0)00000000`00407988 IsBeingDebugged!__native_startup_lock = 0x00000000`0000000000000000`00407040 IsBeingDebugged!_dowildcard = 0n000000000`00407050 IsBeingDebugged!mingw_initcharmax = 0n000000000`00403030 IsBeingDebugged!_charmax = 0n25500000000`00409028 IsBeingDebugged!__mingw_pinit = 0x00000000`0040175000000000`00407540 IsBeingDebugged!GS_ExceptionRecord = EXCEPTION_RECORD00000000`00407060 IsBeingDebugged!GS_ContextRecord = CONTEXT00000000`00404010 IsBeingDebugged!GS_ExceptionPointers = EXCEPTION_POINTERS00000000`00403070 IsBeingDebugged!__security_cookie = 0x00002b99`2ddfa23200000000`00403080 IsBeingDebugged!__security_cookie_complement = 0xffffd466`d2205dcd00000000`004075e0 IsBeingDebugged!_newmode = 0n000000000`004075fc IsBeingDebugged!_tls_index = 000000000`0040a000 IsBeingDebugged!_tls_start = 0x00000000`00000000 ""00000000`0040a060 IsBeingDebugged!_tls_end = 0x00000000`00000000 ""00000000`00409038 IsBeingDebugged!__xl_a = 0x00000000`0000000000000000`00409050 IsBeingDebugged!__xl_z = 0x00000000`0000000000000000`0040a020 IsBeingDebugged!_tls_used = IMAGE_TLS_DIRECTORY00000000`00409058 IsBeingDebugged!__xd_a = 0x00000000`0000000000000000`00409060 IsBeingDebugged!__xd_z = 0x00000000`0000000000000000`00404020 IsBeingDebugged!__dyn_tls_init_callback = 0x00000000`0040198000000000`00409040 IsBeingDebugged!__xl_c = 0x00000000`0040198000000000`00409048 IsBeingDebugged!__xl_d = 0x00000000`0040195000000000`004075f8 IsBeingDebugged!mingw_initltsdrot_force = 0n000000000`004075f4 IsBeingDebugged!mingw_initltsdyn_force = 0n000000000`004075f0 IsBeingDebugged!mingw_initltssuo_force = 0n000000000`00409018 IsBeingDebugged!__xi_a = _PVFV [1]00000000`00409030 IsBeingDebugged!__xi_z = _PVFV [1]00000000`00409000 IsBeingDebugged!__xc_a = _PVFV [1]00000000`00409010 IsBeingDebugged!__xc_z = _PVFV [1]00000000`00407600 IsBeingDebugged!stUserMathErr = 0x00000000`0000000000000000`00407610 IsBeingDebugged!mingw_app_type = 0n000000000`00407628 IsBeingDebugged!the_secs = 0x00000000`0000000000000000`00407624 IsBeingDebugged!maxSections = 0n000000000`00407630 IsBeingDebugged!_fmode = 0n000000000`00407760 IsBeingDebugged!emu_pdata = RUNTIME_FUNCTION [32]00000000`00407660 IsBeingDebugged!emu_xdata = UNWIND_INFO [32]00000000`00407640 IsBeingDebugged!__mingw_oldexcpt_handler = 0x00000000`0000000000000000`00407900 IsBeingDebugged!__mingwthr_cs = CRITICAL_SECTION00000000`004078e8 IsBeingDebugged!__mingwthr_cs_init = 0n000000000`004078e0 IsBeingDebugged!key_dtor_list = 0x00000000`0000000000000000`00403040 IsBeingDebugged!_CRT_MT = 0n200000000`00407941 IsBeingDebugged!__RUNTIME_PSEUDO_RELOC_LIST_END__ = 0n0 ''00000000`00407940 IsBeingDebugged!__RUNTIME_PSEUDO_RELOC_LIST__ = 0n0 ''00000000`00403050 IsBeingDebugged!_MINGW_INSTALL_DEBUG_MATHERR = 0n-100000000`00407950 IsBeingDebugged!handler = 0x00000000`0000000000000000`00403068 IsBeingDebugged!__imp__set_invalid_parameter_handler = 0x00000000`00402c6000000000`00403060 IsBeingDebugged!__imp__get_invalid_parameter_handler = 0x00000000`00402c5000000000`00000000 IsBeingDebugged!refcount = <Memory access error>00000000`004011b0 IsBeingDebugged!__tmainCRTStartup (void)00000000`00401500 IsBeingDebugged!mainCRTStartup (void)00000000`004014d0 IsBeingDebugged!WinMainCRTStartup (void)00000000`00401160 IsBeingDebugged!pre_cpp_init (void)00000000`00401010 IsBeingDebugged!pre_c_init (void)00000000`00401000 IsBeingDebugged!__mingw_invalidParameterHandler (wchar_t *, wchar_t *, wchar_t *, unsigned int, uintptr_t)00000000`00401660 IsBeingDebugged!atexit (_PVFV)00000000`004015b0 IsBeingDebugged!mingw_onexit (_onexit_t)00000000`00401730 IsBeingDebugged!__main (void)00000000`004016c0 IsBeingDebugged!__do_global_ctors (void)00000000`00401680 IsBeingDebugged!__do_global_dtors (void)00000000`00401750 IsBeingDebugged!my_lconv_init (void)00000000`00401760 IsBeingDebugged!_setargv (void)00000000`00401850 IsBeingDebugged!__report_gsfailure (ULONG_PTR)00000000`00401770 IsBeingDebugged!__security_init_cookie (void)00000000`00401950 IsBeingDebugged!__dyn_tls_dtor (HANDLE, DWORD, LPVOID)00000000`004019f0 IsBeingDebugged!__tlregdtor (_PVFV)00000000`00401980 IsBeingDebugged!__dyn_tls_init (HANDLE, DWORD, LPVOID)00000000`00401a60 IsBeingDebugged!_matherr (_exception *)00000000`00401a50 IsBeingDebugged!__mingw_setusermatherr (<function> *)00000000`00401a00 IsBeingDebugged!__mingw_raise_matherr (int, char *, double, double, double)00000000`00401b50 IsBeingDebugged!_fpreset (void)00000000`00401b70 IsBeingDebugged!_encode_pointer (void *)00000000`00401d60 IsBeingDebugged!_pei386_runtime_relocator (void)00000000`00401b80 IsBeingDebugged!__report_error (char *)00000000`00401bf0 IsBeingDebugged!__write_memory (void *, void *, size_t)00000000`004022c0 IsBeingDebugged!_gnu_exception_handler (EXCEPTION_POINTERS *)00000000`00402030 IsBeingDebugged!__mingw_SEH_error_handler (_EXCEPTION_RECORD *, void *, _CONTEXT *, void *)00000000`004021d0 IsBeingDebugged!__mingw_init_ehandler (void)00000000`00402630 IsBeingDebugged!__mingw_TLScallback (HANDLE, DWORD, LPVOID)00000000`00402590 IsBeingDebugged!___w64_mingwthr_remove_key_dtor (DWORD)00000000`00402510 IsBeingDebugged!___w64_mingwthr_add_key_dtor (DWORD, <function> *)00000000`004024a0 IsBeingDebugged!__mingwthr_run_key_dtors (void)00000000`00402a60 IsBeingDebugged!__mingw_enum_import_library_names (int)00000000`004029c0 IsBeingDebugged!_IsNonwritableInCurrentImage (PBYTE)00000000`00402980 IsBeingDebugged!_GetPEImageBase (void)00000000`00402900 IsBeingDebugged!_FindPESectionExec (size_t)00000000`004028c0 IsBeingDebugged!__mingw_GetSectionCount (void)00000000`00402830 IsBeingDebugged!__mingw_GetSectionForAddress (LPVOID)00000000`004027a0 IsBeingDebugged!_FindPESectionByName (char *)00000000`00402710 IsBeingDebugged!_ValidateImageBase (PBYTE)00000000`00402730 IsBeingDebugged!_ValidateImageBase (PBYTE)00000000`00402750 IsBeingDebugged!_FindPESection (PBYTE, DWORD_PTR)00000000`00402c50 IsBeingDebugged!mingw_get_invalid_parameter_handler (void)00000000`00402c60 IsBeingDebugged!mingw_set_invalid_parameter_handler (_invalid_parameter_handler)0:000> lmstart end module name00000000`00400000 00000000`00461000 IsBeingDebugged (service symbols: DWARF Private Symbols) C:\Users\user\defcon_27_windbg_workshop\challenges\IsBeingDebugged\IsBeingDebugged.exe00007ffc`f5da0000 00007ffc`f6097000 KERNELBASE (deferred) 00007ffc`f77c0000 00007ffc`f785e000 msvcrt (deferred) 00007ffc`f7c50000 00007ffc`f7d12000 KERNEL32 (deferred) 00007ffc`f8390000 00007ffc`f8588000 ntdll (pdb symbols) c:\symbols\ntdll.pdb\DAD4BF763E723284BC97F7DB68FA41781\ntdll.pdb0:000> x IsBeingDebugged!*00000000`00407968 IsBeingDebugged!__mingw_winmain_hInstance = 0x00000000`0000000000000000`00407960 IsBeingDebugged!__mingw_winmain_lpCmdLine = 0x00000000`00000000 ""00000000`00403000 IsBeingDebugged!__mingw_winmain_nShowCmd = 0xa00000000`00407020 IsBeingDebugged!argc = 0n000000000`00407018 IsBeingDebugged!argv = 0x00000000`0000000000000000`00407010 IsBeingDebugged!envp = 0x00000000`0000000000000000`0040700c IsBeingDebugged!mainret = 0n000000000`00407008 IsBeingDebugged!managedapp = 0n000000000`00407004 IsBeingDebugged!has_cctor = 0n000000000`00407000 IsBeingDebugged!startinfo = _startupinfo00000000`00409020 IsBeingDebugged!mingw_pcinit = 0x00000000`0040101000000000`00409008 IsBeingDebugged!mingw_pcppinit = 0x00000000`0040116000000000`00407970 IsBeingDebugged!__onexitbegin = 0x00000000`0000000000000000`00407978 IsBeingDebugged!__onexitend = 0x00000000`0000000000000000`00407030 IsBeingDebugged!initialized = 0n000000000`00403024 IsBeingDebugged!__native_dllmain_reason = 0xffffffff00000000`00403020 IsBeingDebugged!__native_vcclrit_reason = 0xffffffff00000000`00407980 IsBeingDebugged!__native_startup_state = __uninitialized (0n0)00000000`00407988 IsBeingDebugged!__native_startup_lock = 0x00000000`0000000000000000`00407040 IsBeingDebugged!_dowildcard = 0n000000000`00407050 IsBeingDebugged!mingw_initcharmax = 0n000000000`00403030 IsBeingDebugged!_charmax = 0n25500000000`00409028 IsBeingDebugged!__mingw_pinit = 0x00000000`0040175000000000`00407540 IsBeingDebugged!GS_ExceptionRecord = EXCEPTION_RECORD00000000`00407060 IsBeingDebugged!GS_ContextRecord = CONTEXT00000000`00404010 IsBeingDebugged!GS_ExceptionPointers = EXCEPTION_POINTERS00000000`00403070 IsBeingDebugged!__security_cookie = 0x00002b99`2ddfa23200000000`00403080 IsBeingDebugged!__security_cookie_complement = 0xffffd466`d2205dcd00000000`004075e0 IsBeingDebugged!_newmode = 0n000000000`004075fc IsBeingDebugged!_tls_index = 000000000`0040a000 IsBeingDebugged!_tls_start = 0x00000000`00000000 ""00000000`0040a060 IsBeingDebugged!_tls_end = 0x00000000`00000000 ""00000000`00409038 IsBeingDebugged!__xl_a = 0x00000000`0000000000000000`00409050 IsBeingDebugged!__xl_z = 0x00000000`0000000000000000`0040a020 IsBeingDebugged!_tls_used = IMAGE_TLS_DIRECTORY00000000`00409058 IsBeingDebugged!__xd_a = 0x00000000`0000000000000000`00409060 IsBeingDebugged!__xd_z = 0x00000000`0000000000000000`00404020 IsBeingDebugged!__dyn_tls_init_callback = 0x00000000`0040198000000000`00409040 IsBeingDebugged!__xl_c = 0x00000000`0040198000000000`00409048 IsBeingDebugged!__xl_d = 0x00000000`0040195000000000`004075f8 IsBeingDebugged!mingw_initltsdrot_force = 0n000000000`004075f4 IsBeingDebugged!mingw_initltsdyn_force = 0n000000000`004075f0 IsBeingDebugged!mingw_initltssuo_force = 0n000000000`00409018 IsBeingDebugged!__xi_a = _PVFV [1]00000000`00409030 IsBeingDebugged!__xi_z = _PVFV [1]00000000`00409000 IsBeingDebugged!__xc_a = _PVFV [1]00000000`00409010 IsBeingDebugged!__xc_z = _PVFV [1]00000000`00407600 IsBeingDebugged!stUserMathErr = 0x00000000`0000000000000000`00407610 IsBeingDebugged!mingw_app_type = 0n000000000`00407628 IsBeingDebugged!the_secs = 0x00000000`0000000000000000`00407624 IsBeingDebugged!maxSections = 0n000000000`00407630 IsBeingDebugged!_fmode = 0n000000000`00407760 IsBeingDebugged!emu_pdata = RUNTIME_FUNCTION [32]00000000`00407660 IsBeingDebugged!emu_xdata = UNWIND_INFO [32]00000000`00407640 IsBeingDebugged!__mingw_oldexcpt_handler = 0x00000000`0000000000000000`00407900 IsBeingDebugged!__mingwthr_cs = CRITICAL_SECTION00000000`004078e8 IsBeingDebugged!__mingwthr_cs_init = 0n000000000`004078e0 IsBeingDebugged!key_dtor_list = 0x00000000`0000000000000000`00403040 IsBeingDebugged!_CRT_MT = 0n200000000`00407941 IsBeingDebugged!__RUNTIME_PSEUDO_RELOC_LIST_END__ = 0n0 ''00000000`00407940 IsBeingDebugged!__RUNTIME_PSEUDO_RELOC_LIST__ = 0n0 ''00000000`00403050 IsBeingDebugged!_MINGW_INSTALL_DEBUG_MATHERR = 0n-100000000`00407950 IsBeingDebugged!handler = 0x00000000`0000000000000000`00403068 IsBeingDebugged!__imp__set_invalid_parameter_handler = 0x00000000`00402c6000000000`00403060 IsBeingDebugged!__imp__get_invalid_parameter_handler = 0x00000000`00402c5000000000`00000000 IsBeingDebugged!refcount = <Memory access error>00000000`004011b0 IsBeingDebugged!__tmainCRTStartup (void)00000000`00401500 IsBeingDebugged!mainCRTStartup (void)00000000`004014d0 IsBeingDebugged!WinMainCRTStartup (void)00000000`00401160 IsBeingDebugged!pre_cpp_init (void)00000000`00401010 IsBeingDebugged!pre_c_init (void)00000000`00401000 IsBeingDebugged!__mingw_invalidParameterHandler (wchar_t *, wchar_t *, wchar_t *, unsigned int, uintptr_t)00000000`00401660 IsBeingDebugged!atexit (_PVFV)00000000`004015b0 IsBeingDebugged!mingw_onexit (_onexit_t)00000000`00401730 IsBeingDebugged!__main (void)00000000`004016c0 IsBeingDebugged!__do_global_ctors (void)00000000`00401680 IsBeingDebugged!__do_global_dtors (void)00000000`00401750 IsBeingDebugged!my_lconv_init (void)00000000`00401760 IsBeingDebugged!_setargv (void)00000000`00401850 IsBeingDebugged!__report_gsfailure (ULONG_PTR)00000000`00401770 IsBeingDebugged!__security_init_cookie (void)00000000`00401950 IsBeingDebugged!__dyn_tls_dtor (HANDLE, DWORD, LPVOID)00000000`004019f0 IsBeingDebugged!__tlregdtor (_PVFV)00000000`00401980 IsBeingDebugged!__dyn_tls_init (HANDLE, DWORD, LPVOID)00000000`00401a60 IsBeingDebugged!_matherr (_exception *)00000000`00401a50 IsBeingDebugged!__mingw_setusermatherr (<function> *)00000000`00401a00 IsBeingDebugged!__mingw_raise_matherr (int, char *, double, double, double)00000000`00401b50 IsBeingDebugged!_fpreset (void)00000000`00401b70 IsBeingDebugged!_encode_pointer (void *)00000000`00401d60 IsBeingDebugged!_pei386_runtime_relocator (void)00000000`00401b80 IsBeingDebugged!__report_error (char *)00000000`00401bf0 IsBeingDebugged!__write_memory (void *, void *, size_t)00000000`004022c0 IsBeingDebugged!_gnu_exception_handler (EXCEPTION_POINTERS *)00000000`00402030 IsBeingDebugged!__mingw_SEH_error_handler (_EXCEPTION_RECORD *, void *, _CONTEXT *, void *)00000000`004021d0 IsBeingDebugged!__mingw_init_ehandler (void)00000000`00402630 IsBeingDebugged!__mingw_TLScallback (HANDLE, DWORD, LPVOID)00000000`00402590 IsBeingDebugged!___w64_mingwthr_remove_key_dtor (DWORD)00000000`00402510 IsBeingDebugged!___w64_mingwthr_add_key_dtor (DWORD, <function> *)00000000`004024a0 IsBeingDebugged!__mingwthr_run_key_dtors (void)00000000`00402a60 IsBeingDebugged!__mingw_enum_import_library_names (int)00000000`004029c0 IsBeingDebugged!_IsNonwritableInCurrentImage (PBYTE)00000000`00402980 IsBeingDebugged!_GetPEImageBase (void)00000000`00402900 IsBeingDebugged!_FindPESectionExec (size_t)00000000`004028c0 IsBeingDebugged!__mingw_GetSectionCount (void)00000000`00402830 IsBeingDebugged!__mingw_GetSectionForAddress (LPVOID)00000000`004027a0 IsBeingDebugged!_FindPESectionByName (char *)00000000`00402710 IsBeingDebugged!_ValidateImageBase (PBYTE)00000000`00402730 IsBeingDebugged!_ValidateImageBase (PBYTE)00000000`00402750 IsBeingDebugged!_FindPESection (PBYTE, DWORD_PTR)00000000`00402c50 IsBeingDebugged!mingw_get_invalid_parameter_handler (void)00000000`00402c60 IsBeingDebugged!mingw_set_invalid_parameter_handler (_invalid_parameter_handler)0:000> bp 004017300:000> gBreakpoint 0 hitIsBeingDebugged!__main:00000000`00401730 8b05fa580000 mov eax,dword ptr [IsBeingDebugged+0x7030 (00000000`00407030)] ds:00000000`00407030=000000000:000> gBreakpoint 0 hitIsBeingDebugged!__main:00000000`00401730 8b05fa580000 mov eax,dword ptr [IsBeingDebugged+0x7030 (00000000`00407030)] ds:00000000`00407030=000000010:000> pIsBeingDebugged!__main+0x6:00000000`00401736 85c0 test eax,eax0:000> pIsBeingDebugged!__main+0x8:00000000`00401738 7406 je IsBeingDebugged!__main+0x10 (00000000`00401740) [br=0]0:000> pIsBeingDebugged!__main+0xa:00000000`0040173a f3c3 rep ret0:000> pIsBeingDebugged+0x1574:00000000`00401574 488b05d16c0000 mov rax,qword ptr [IsBeingDebugged+0x824c (00000000`0040824c)] ds:00000000`0040824c={KERNEL32!IsDebuggerPresentStub (00007ffc`f7c704f0)}0:000> bp 004017300:000> gBreakpoint 0 hitIsBeingDebugged!__main:00000000`00401730 8b05fa580000 mov eax,dword ptr [IsBeingDebugged+0x7030 (00000000`00407030)] ds:00000000`00407030=000000000:000> gBreakpoint 0 hitIsBeingDebugged!__main:00000000`00401730 8b05fa580000 mov eax,dword ptr [IsBeingDebugged+0x7030 (00000000`00407030)] ds:00000000`00407030=000000010:000> pIsBeingDebugged!__main+0x6:00000000`00401736 85c0 test eax,eax0:000> pIsBeingDebugged!__main+0x8:00000000`00401738 7406 je IsBeingDebugged!__main+0x10 (00000000`00401740) [br=0]0:000> pIsBeingDebugged!__main+0xa:00000000`0040173a f3c3 rep ret0:000> pIsBeingDebugged+0x1574:00000000`00401574 488b05d16c0000 mov rax,qword ptr [IsBeingDebugged+0x824c (00000000`0040824c)] ds:00000000`0040824c={KERNEL32!IsDebuggerPresentStub (00007ffc`f7c704f0)}00401560 55 push rbp00401561 4889e5 mov rbp, rsp00401564 4883ec20 sub rsp, 20h00401568 894d10 mov dword ptr [rbp+10h], ecx0040156b 48895518 mov qword ptr [rbp+18h], rdx0040156f e8bc010000 call IsBeingDebugged!__main (401730)>> 00401574 488b05d16c0000 mov rax, qword ptr [40824Ch]0040157b ffd0 call rax0040157d 85c0 test eax, eax0040157f 740e je 000000000040158F00401581 488d0d782a0000 lea rcx, [404000h]00401588 e803160000 call 0000000000402B900040158d eb0c jmp 000000000040159B0040158f 488d0d702a0000 lea rcx, [404006h]00401596 e8f5150000 call 0000000000402B900040159b e808160000 call 0000000000402BA8004015a0 b800000000 mov eax, 0004015a5 4883c420 add rsp, 20h004015a9 5d pop rbp004015aa c3 ret 00401560 55 push rbp00401561 4889e5 mov rbp, rsp00401564 4883ec20 sub rsp, 20h00401568 894d10 mov dword ptr [rbp+10h], ecx0040156b 48895518 mov qword ptr [rbp+18h], rdx0040156f e8bc010000 call IsBeingDebugged!__main (401730)>> 00401574 488b05d16c0000 mov rax, qword ptr [40824Ch]0040157b ffd0 call rax0040157d 85c0 test eax, eax0040157f 740e je 000000000040158F00401581 488d0d782a0000 lea rcx, [404000h]00401588 e803160000 call 0000000000402B900040158d eb0c jmp 000000000040159B0040158f 488d0d702a0000 lea rcx, [404006h]00401596 e8f5150000 call 0000000000402B900040159b e808160000 call 0000000000402BA8004015a0 b800000000 mov eax, 0004015a5 4883c420 add rsp, 20h004015a9 5d pop rbp004015aa c3 ret 0:000> u poi[40824Ch]KERNEL32!IsDebuggerPresentStub:00007ffc`f7c704f0 48ff25213e0600 jmp qword ptr [KERNEL32!_imp_IsDebuggerPresent (00007ffc`f7cd4318)]00007ffc`f7c704f7 cc int 300007ffc`f7c704f8 cc int 300007ffc`f7c704f9 cc int 300007ffc`f7c704fa cc int 300007ffc`f7c704fb cc int 300007ffc`f7c704fc cc int 300007ffc`f7c704fd cc int 30:000> bp KERNEL32!IsDebuggerPresentStub0:000> gBreakpoint 1 hitKERNEL32!IsDebuggerPresentStub:00007ffc`f7c704f0 48ff25213e0600 jmp qword ptr [KERNEL32!_imp_IsDebuggerPresent (00007ffc`f7cd4318)] ds:00007ffc`f7cd4318={KERNELBASE!IsDebuggerPresent (00007ffc`f5ddb6c0)}0:000> u poi[40824Ch]KERNEL32!IsDebuggerPresentStub:00007ffc`f7c704f0 48ff25213e0600 jmp qword ptr [KERNEL32!_imp_IsDebuggerPresent (00007ffc`f7cd4318)]00007ffc`f7c704f7 cc int 300007ffc`f7c704f8 cc int 300007ffc`f7c704f9 cc int 300007ffc`f7c704fa cc int 300007ffc`f7c704fb cc int 300007ffc`f7c704fc cc int 300007ffc`f7c704fd cc int 30:000> bp KERNEL32!IsDebuggerPresentStub0:000> gBreakpoint 1 hitKERNEL32!IsDebuggerPresentStub:00007ffc`f7c704f0 48ff25213e0600 jmp qword ptr [KERNEL32!_imp_IsDebuggerPresent (00007ffc`f7cd4318)] ds:00007ffc`f7cd4318={KERNELBASE!IsDebuggerPresent (00007ffc`f5ddb6c0)} KERNELBASE!IsDebuggerPresent: CFG00007ffc`f5ddb6c0 65488b042560000000 mov rax, qword ptr gs:[60h]00007ffc`f5ddb6c9 0fb64002 movzx eax, byte ptr [rax+2]00007ffc`f5ddb6cd c3 ret KERNELBASE!IsDebuggerPresent: CFG00007ffc`f5ddb6c0 65488b042560000000 mov rax, qword ptr gs:[60h]00007ffc`f5ddb6c9 0fb64002 movzx eax, byte ptr [rax+2]00007ffc`f5ddb6cd c3 ret 0:000> tKERNELBASE!IsDebuggerPresent:00007ffc`f5ddb6c0 65488b042560000000 mov rax,qword ptr gs:[60h] gs:00000000`00000060=????????????????0:000> tKERNELBASE!IsDebuggerPresent+0x9:00007ffc`f5ddb6c9 0fb64002 movzx eax,byte ptr [rax+2] ds:00000000`003ff002=010:000> tKERNELBASE!IsDebuggerPresent+0xd:00007ffc`f5ddb6cd c3 ret0:000> r rax=00:000> pIsBeingDebugged+0x157d:00000000`0040157d 85c0 test eax,eax0:000> pIsBeingDebugged+0x157f:00000000`0040157f 740e je IsBeingDebugged+0x158f (00000000`0040158f) [br=1]0:000> pIsBeingDebugged+0x158f:00000000`0040158f 488d0d702a0000 lea rcx,[IsBeingDebugged+0x4006 (00000000`00404006)]0:000> pIsBeingDebugged+0x1596:00000000`00401596 e8f5150000 call IsBeingDebugged+0x2b90 (00000000`00402b90)0:000> db [404006h]00000000`00404006 4e 6f 20 21 00 00 00 00-00 00 40 75 40 00 00 00 No !......@u@...00000000`00404016 00 00 60 70 40 00 00 00-00 00 80 19 40 00 00 00 ..`p@.......@...00000000`00404026 00 00 00 00 00 00 00 00-00 00 41 72 67 75 6d 65 ..........Argume00000000`00404036 6e 74 20 64 6f 6d 61 69-6e 20 65 72 72 6f 72 20 nt domain error 00000000`00404046 28 44 4f 4d 41 49 4e 29-00 41 72 67 75 6d 65 6e (DOMAIN).Argumen00000000`00404056 74 20 73 69 6e 67 75 6c-61 72 69 74 79 20 28 53 t singularity (S00000000`00404066 49 47 4e 29 00 00 00 00-00 00 4f 76 65 72 66 6c IGN)......Overfl00000000`00404076 6f 77 20 72 61 6e 67 65-20 65 72 72 6f 72 20 28 ow range error (0:000> tIsBeingDebugged+0x2b90:00000000`00402b90 ff25f6570000 jmp qword ptr [IsBeingDebugged+0x838c (00000000`0040838c)] ds:00000000`0040838c={msvcrt!puts (00007ffc`f780e470)}0:000> tmsvcrt!puts:00007ffc`f780e470 488bc4 mov rax,rsp...0:000> tKERNELBASE!IsDebuggerPresent:00007ffc`f5ddb6c0 65488b042560000000 mov rax,qword ptr gs:[60h] gs:00000000`00000060=????????????????0:000> tKERNELBASE!IsDebuggerPresent+0x9:00007ffc`f5ddb6c9 0fb64002 movzx eax,byte ptr [rax+2] ds:00000000`003ff002=010:000> tKERNELBASE!IsDebuggerPresent+0xd:00007ffc`f5ddb6cd c3 ret0:000> r rax=00:000> pIsBeingDebugged+0x157d:00000000`0040157d 85c0 test eax,eax0:000> pIsBeingDebugged+0x157f:00000000`0040157f 740e je IsBeingDebugged+0x158f (00000000`0040158f) [br=1]0:000> pIsBeingDebugged+0x158f:00000000`0040158f 488d0d702a0000 lea rcx,[IsBeingDebugged+0x4006 (00000000`00404006)]0:000> pIsBeingDebugged+0x1596:00000000`00401596 e8f5150000 call IsBeingDebugged+0x2b90 (00000000`00402b90)0:000> db [404006h]00000000`00404006 4e 6f 20 21 00 00 00 00-00 00 40 75 40 00 00 00 No !......@u@...00000000`00404016 00 00 60 70 40 00 00 00-00 00 80 19 40 00 00 00 ..`p@.......@...00000000`00404026 00 00 00 00 00 00 00 00-00 00 41 72 67 75 6d 65 ..........Argume00000000`00404036 6e 74 20 64 6f 6d 61 69-6e 20 65 72 72 6f 72 20 nt domain error 00000000`00404046 28 44 4f 4d 41 49 4e 29-00 41 72 67 75 6d 65 6e (DOMAIN).Argumen00000000`00404056 74 20 73 69 6e 67 75 6c-61 72 69 74 79 20 28 53 t singularity (S00000000`00404066 49 47 4e 29 00 00 00 00-00 00 4f 76 65 72 66 6c IGN)......Overfl00000000`00404076 6f 77 20 72 61 6e 67 65-20 65 72 72 6f 72 20 28 ow range error (0:000> tIsBeingDebugged+0x2b90:00000000`00402b90 ff25f6570000 jmp qword ptr [IsBeingDebugged+0x838c (00000000`0040838c)] ds:00000000`0040838c={msvcrt!puts (00007ffc`f780e470)}0:000> tmsvcrt!puts:00007ffc`f780e470 488bc4 mov rax,rsp...// d47K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6D9k6h3q4J5L8W2)9J5k6h3#2A6j5%4u0G2M7$3!0X3N6q4)9J5k6h3y4G2L8g2)9J5c8Y4A6Z5i4K6u0V1j5$3&6Q4x3V1k6%4K9h3&6V1L8%4N6K6i4K6u0r3N6$3W2F1x3K6u0Q4x3V1k6S2M7r3W2Q4x3V1k6%4K9h3&6#2M7$3g2J5i4K6u0r3L8X3k6Q4x3X3c8%4K9h3&6#2M7$3g2J5i4K6u0V1k6$3g2@1L8h3g2K6M7$3q4Y4k6i4M7`.BOOL GetMessageW( [out] LPMSG lpMsg, [in, optional] HWND hWnd, [in] UINT wMsgFilterMin, [in] UINT wMsgFilterMax);// 161K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6D9k6h3q4J5L8W2)9J5k6h3#2A6j5%4u0G2M7$3!0X3N6q4)9J5k6h3y4G2L8g2)9J5c8X3g2F1i4K6u0V1N6i4y4Q4x3V1k6%4K9h3&6V1L8%4N6K6i4K6u0r3N6$3W2F1x3K6u0Q4x3V1k6S2M7r3W2Q4x3V1k6%4K9h3&6#2M7$3g2J5i4K6u0r3L8Y4y4Q4x3X3c8%4K9h3&6#2M7$3g2J5i4K6u0V1L8i4y4Y4typedef struct tagMSG { HWND hwnd; UINT message; WPARAM wParam; LPARAM lParam; DWORD time; POINT pt; DWORD lPrivate;} MSG, *PMSG, *NPMSG, *LPMSG;// message// d15K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6D9k6h3q4J5L8W2)9J5k6h3#2A6j5%4u0G2M7$3!0X3N6q4)9J5k6h3y4G2L8g2)9J5c8X3g2F1i4K6u0V1N6i4y4Q4x3V1k6%4K9h3&6V1L8%4N6K6i4K6u0r3N6$3W2F1x3K6u0Q4x3V1k6A6L8Y4m8#2N6r3c8W2N6W2)9J5c8Y4N6E0i4K6u0V1K9$3g2&6k6r3!0%4L8R3`.`.// \Windows Kits\10\Include\10.x.x.x\um\WinUser.h#define WM_KEYDOWN 0x0100// wParam// 47fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6D9k6h3q4J5L8W2)9J5k6h3#2A6j5%4u0G2M7$3!0X3N6q4)9J5k6h3y4G2L8g2)9J5c8X3g2F1i4K6u0V1N6i4y4Q4x3V1k6%4K9h3&6V1L8%4N6K6i4K6u0r3N6$3W2F1x3K6u0Q4x3V1k6A6L8Y4m8#2N6r3c8W2N6W2)9J5c8Y4k6A6M7Y4c8#2j5h3I4Q4x3X3c8C8k6i4W2Q4x3X3c8U0L8$3c8W2M7H3`.`.`A` 0x41 A key`B` 0x42 B key`C` 0x43 C key// f18K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6D9k6h3q4J5L8W2)9J5k6h3#2A6j5%4u0G2M7$3!0X3N6q4)9J5k6h3y4G2L8g2)9J5c8Y4A6Z5i4K6u0V1j5$3&6Q4x3V1k6%4K9h3&6V1L8%4N6K6i4K6u0r3N6$3W2F1x3K6u0Q4x3V1k6S2M7r3W2Q4x3V1k6%4K9h3&6#2M7$3g2J5i4K6u0r3L8X3k6Q4x3X3c8%4K9h3&6#2M7$3g2J5i4K6u0V1k6$3g2@1L8h3g2K6M7$3q4Y4k6i4M7`.BOOL GetMessageW( [out] LPMSG lpMsg, [in, optional] HWND hWnd, [in] UINT wMsgFilterMin, [in] UINT wMsgFilterMax);// e60K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6D9k6h3q4J5L8W2)9J5k6h3#2A6j5%4u0G2M7$3!0X3N6q4)9J5k6h3y4G2L8g2)9J5c8X3g2F1i4K6u0V1N6i4y4Q4x3V1k6%4K9h3&6V1L8%4N6K6i4K6u0r3N6$3W2F1x3K6u0Q4x3V1k6S2M7r3W2Q4x3V1k6%4K9h3&6#2M7$3g2J5i4K6u0r3L8Y4y4Q4x3X3c8%4K9h3&6#2M7$3g2J5i4K6u0V1L8i4y4Y4typedef struct tagMSG { HWND hwnd; UINT message; WPARAM wParam; LPARAM lParam; DWORD time; POINT pt; DWORD lPrivate;} MSG, *PMSG, *NPMSG, *LPMSG;// message// 75dK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6D9k6h3q4J5L8W2)9J5k6h3#2A6j5%4u0G2M7$3!0X3N6q4)9J5k6h3y4G2L8g2)9J5c8X3g2F1i4K6u0V1N6i4y4Q4x3V1k6%4K9h3&6V1L8%4N6K6i4K6u0r3N6$3W2F1x3K6u0Q4x3V1k6A6L8Y4m8#2N6r3c8W2N6W2)9J5c8Y4N6E0i4K6u0V1K9$3g2&6k6r3!0%4L8R3`.`.// \Windows Kits\10\Include\10.x.x.x\um\WinUser.h#define WM_KEYDOWN 0x0100// wParam// eccK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6D9k6h3q4J5L8W2)9J5k6h3#2A6j5%4u0G2M7$3!0X3N6q4)9J5k6h3y4G2L8g2)9J5c8X3g2F1i4K6u0V1N6i4y4Q4x3V1k6%4K9h3&6V1L8%4N6K6i4K6u0r3N6$3W2F1x3K6u0Q4x3V1k6A6L8Y4m8#2N6r3c8W2N6W2)9J5c8Y4k6A6M7Y4c8#2j5h3I4Q4x3X3c8C8k6i4W2Q4x3X3c8U0L8$3c8W2M7H3`.`.`A` 0x41 A key`B` 0x42 B key`C` 0x43 C keybp user32!GetMessageW "j (poi(rcx+8)==0x100) 'r @$t0=poi(rcx+10); .printf\"KEYDOWN:0x%x\", @$t0; .if( @$t0 >= 0x30 & @$t0 <= 0x5A ){ .printf\"(%c)\", @$t0 }; .echo; gc'; 'g'" KEYDOWN:0x57(W)KEYDOWN:0x49(I)KEYDOWN:0x4e(N)KEYDOWN:0x44(D)KEYDOWN:0x42(B)KEYDOWN:0x47(G)KEYDOWN:0x20KEYDOWN:0x49(I)KEYDOWN:0x53(S)KEYDOWN:0x20KEYDOWN:0x41(A)KEYDOWN:0x57(W)KEYDOWN:0x45(E)KEYDOWN:0x53(S)KEYDOWN:0x4f(O)KEYDOWN:0x4d(M)KEYDOWN:0x45(E)KEYDOWN:0x20KEYDOWN:0x10KEYDOWN:0x31(1)bp user32!GetMessageW "j (poi(rcx+8)==0x100) 'r @$t0=poi(rcx+10); .printf\"KEYDOWN:0x%x\", @$t0; .if( @$t0 >= 0x30 & @$t0 <= 0x5A ){ .printf\"(%c)\", @$t0 }; .echo; gc'; 'g'" KEYDOWN:0x57(W)KEYDOWN:0x49(I)KEYDOWN:0x4e(N)KEYDOWN:0x44(D)KEYDOWN:0x42(B)KEYDOWN:0x47(G)KEYDOWN:0x20KEYDOWN:0x49(I)KEYDOWN:0x53(S)KEYDOWN:0x20KEYDOWN:0x41(A)KEYDOWN:0x57(W)KEYDOWN:0x45(E)KEYDOWN:0x53(S)KEYDOWN:0x4f(O)KEYDOWN:0x4d(M)KEYDOWN:0x45(E)KEYDOWN:0x20KEYDOWN:0x10KEYDOWN:0x31(1)int __cdecl main(int argc, const char **argv, const char **envp){ SIZE_T v3; // ebx HANDLE CurrentProcess; // eax DWORD flOldProtect; // [esp+0h] [ebp-28h] BYREF DWORD ThreadId[2]; // [esp+4h] [ebp-24h] BYREF HANDLE hHandle; // [esp+Ch] [ebp-1Ch] LPVOID lpAddress; // [esp+10h] [ebp-18h] HANDLE hObject; // [esp+14h] [ebp-14h] SIZE_T dwSize; // [esp+1Ch] [ebp-Ch] int *p_argc; // [esp+20h] [ebp-8h] p_argc = &argc; sub_4019D0(); dwSize = 342; if ( IsDebuggerPresent() ) exit(1); if ( sub_401543() ) exit(1); hObject = CreateMutexA(0, 1, "Ipc::Critical::DontRemove"); if ( !hObject ) exit(1); CloseHandle(hObject); SetErrorMode(0x400u); if ( SetErrorMode(0) != 1024 ) exit(1); lpAddress = (LPVOID)sub_401569(&unk_403040, dwSize); if ( !lpAddress ) exit(3); sub_4015E5(lpAddress, dwSize); if ( !VirtualProtect(lpAddress, dwSize, 0x40u, &flOldProtect) ) { VirtualFree(lpAddress, dwSize, 0x8000u); exit(4); } v3 = dwSize; CurrentProcess = GetCurrentProcess(); FlushInstructionCache(CurrentProcess, lpAddress, v3); hHandle = CreateThread(0, 0, StartAddress, lpAddress, 0, ThreadId); WaitForSingleObject(hHandle, 0xFFFFFFFF); VirtualFree(lpAddress, dwSize, 0x8000u); return ThreadId[1];}void *__cdecl sub_401569(void *Src, size_t Size){ SIZE_T dwPageSize; // eax _SYSTEM_INFO SystemInfo; // [esp+14h] [ebp-34h] BYREF void *v5; // [esp+38h] [ebp-10h] SIZE_T dwSize; // [esp+3Ch] [ebp-Ch] GetSystemInfo(&SystemInfo); dwPageSize = SystemInfo.dwPageSize; if ( Size >= SystemInfo.dwPageSize ) dwPageSize = Size; dwSize = dwPageSize; v5 = VirtualAlloc(0, dwPageSize, 0x3000u, 4u); if ( v5 ) return memcpy(v5, Src, Size); else return 0;}unsigned int __cdecl sub_4015E5(int a1, unsigned int a2){ char v2; // al unsigned int result; // eax int i; // [esp+8h] [ebp-Ch] int k; // [esp+8h] [ebp-Ch] unsigned int j; // [esp+Ch] [ebp-8h] for ( i = 0x2000000; i; --i ) ; for ( j = 0; ; ++j ) { result = a2; if ( j >= a2 ) break; v2 = byte_403020++; *(_BYTE *)(a1 + j) ^= v2; } for ( k = 0x2000000; k; --k ) ; return result;}int __cdecl main(int argc, const char **argv, const char **envp){ SIZE_T v3; // ebx HANDLE CurrentProcess; // eax DWORD flOldProtect; // [esp+0h] [ebp-28h] BYREF DWORD ThreadId[2]; // [esp+4h] [ebp-24h] BYREF HANDLE hHandle; // [esp+Ch] [ebp-1Ch] LPVOID lpAddress; // [esp+10h] [ebp-18h] HANDLE hObject; // [esp+14h] [ebp-14h] SIZE_T dwSize; // [esp+1Ch] [ebp-Ch] int *p_argc; // [esp+20h] [ebp-8h] p_argc = &argc; sub_4019D0(); dwSize = 342; if ( IsDebuggerPresent() ) exit(1); if ( sub_401543() ) exit(1); hObject = CreateMutexA(0, 1, "Ipc::Critical::DontRemove"); if ( !hObject ) exit(1); CloseHandle(hObject); SetErrorMode(0x400u); if ( SetErrorMode(0) != 1024 ) exit(1); lpAddress = (LPVOID)sub_401569(&unk_403040, dwSize); if ( !lpAddress ) exit(3); sub_4015E5(lpAddress, dwSize); if ( !VirtualProtect(lpAddress, dwSize, 0x40u, &flOldProtect) ) { VirtualFree(lpAddress, dwSize, 0x8000u); exit(4); } v3 = dwSize; CurrentProcess = GetCurrentProcess(); FlushInstructionCache(CurrentProcess, lpAddress, v3); hHandle = CreateThread(0, 0, StartAddress, lpAddress, 0, ThreadId); WaitForSingleObject(hHandle, 0xFFFFFFFF); VirtualFree(lpAddress, dwSize, 0x8000u); return ThreadId[1];}void *__cdecl sub_401569(void *Src, size_t Size){ SIZE_T dwPageSize; // eax _SYSTEM_INFO SystemInfo; // [esp+14h] [ebp-34h] BYREF void *v5; // [esp+38h] [ebp-10h] SIZE_T dwSize; // [esp+3Ch] [ebp-Ch] GetSystemInfo(&SystemInfo); dwPageSize = SystemInfo.dwPageSize; if ( Size >= SystemInfo.dwPageSize ) dwPageSize = Size; dwSize = dwPageSize; v5 = VirtualAlloc(0, dwPageSize, 0x3000u, 4u); if ( v5 ) return memcpy(v5, Src, Size); else return 0;}unsigned int __cdecl sub_4015E5(int a1, unsigned int a2){ char v2; // al unsigned int result; // eax int i; // [esp+8h] [ebp-Ch] int k; // [esp+8h] [ebp-Ch] unsigned int j; // [esp+Ch] [ebp-8h] for ( i = 0x2000000; i; --i ) ; for ( j = 0; ; ++j ) { result = a2; if ( j >= a2 ) break; v2 = byte_403020++; *(_BYTE *)(a1 + j) ^= v2; } for ( k = 0x2000000; k; --k ) ; return result;}0:000> bl 0 e Disable Clear 764d5570 0001 (0001) 0:**** KERNELBASE!VirtualAlloc KERNELBASE!VirtualAlloc+0x3b:764d55ab ff156cf75976 call dword ptr [KERNELBASE!_imp__NtAllocateVirtualMemory (7659f76c)] ds:002b:7659f76c={ntdll!NtAllocateVirtualMemory (77493340)} ntdll!NtAllocateVirtualMemory: CFG77493340 b818000000 mov eax, 18h77493345 ba50914a77 mov edx, 774A9150h7749334a ffd2 call edx7749334c c21800 ret 18h msvcrt!memcpy: CFG75338cf0 55 push ebp75338cf1 8bec mov ebp, esp75338cf3 57 push edi75338cf4 56 push esi75338cf5 8b750c mov esi, dword ptr [ebp+0Ch]75338cf8 8b4d10 mov ecx, dword ptr [ebp+10h]>> 75338cfb 8b7d08 mov edi, dword ptr [ebp+8]75338cfe 8bc1 mov eax, ecx0:000> db @esi L15600403040 ef fc 97 16 17 18 79 93-fe 2d dd 7a 94 70 11 a9 ......y..-.z.p..00403050 71 28 ae 74 33 a3 5b 02-24 9b 67 08 1e cf 9d 0e q(.t3.[.$.g.....00403060 52 48 37 1a 17 f9 f6 37-3a fb df cc 6d 17 ca 10 RH7....7:...m...00403070 53 cf 0f 7a cc 04 58 32-a8 04 4c 9f 1e db 08 72 S..z..X2..L....r00403080 52 87 de 1f 4f bb 63 13-d0 68 d6 5f 89 51 9e ce R...O.c..h._.Q..00403090 a2 ab 68 67 a0 50 89 1f-9d 6f 10 96 54 0d 55 07 ..hg.P...o..T.U.004030a0 97 2c fe 2e 53 79 aa 1c-f0 70 36 f5 27 9c 80 51 .,..Sy...p6.'..Q004030b0 08 80 0e 87 57 01 cd ae-af d7 d6 ef d6 ca c0 6d ....W..........m004030c0 73 cb ca cc 1c 8a 72 17-c6 f4 ae ac 9f a0 c9 d5 s.....r.........004030d0 d0 96 fa f2 cf e4 de 8c-ac 25 45 51 7f 08 21 b3 .........%EQ..!.004030e0 b3 b4 9c 72 e3 e8 d1 93-3b d7 bd 41 6a aa cb aa ...r....;..Aj...004030f0 6f d8 45 c3 af ca c9 db-97 45 2b 9e 9f 80 81 92 o.E......E+.....00403100 83 94 85 be 3d d7 06 3a-24 09 4a b4 cf b6 b6 8a ....=..:$.J.....00403110 7a 41 91 87 18 3d 6c 2a-9f e6 12 a0 e7 85 1d 1a zA...=l*........00403120 94 f4 f5 f6 9d f8 93 fe-ad ab 95 fc 26 c8 5e fd ............&.^.00403130 d6 87 fd 06 79 3e 82 3c-61 4c 65 0e 1f 10 11 44 ....y>.<aLe....D00403140 79 14 7d 4e b3 4b fc e5-ce 8f 4e 74 1f 76 72 75 y.}N.K....Nt.vru00403150 4b 26 fc ee 78 d7 fc a9-d3 2c 50 06 77 58 31 72 K&..x....,P.wX1r00403160 33 34 5f 36 67 50 32 15-34 0c c2 eb 68 28 34 2c 34_6gP2.4...h(4,00403170 0e 25 ba 93 19 16 b6 46-6f 43 c8 3e b0 af ae bb .%.....FoC.>....00403180 c8 ab aa a9 56 9b 70 9c-2e 9d 9e e5 af d5 c3 34 ....V.p........400403190 09 64 36 99 b2 00 .d6...0:000> bl 0 e Disable Clear 764d5570 0001 (0001) 0:**** KERNELBASE!VirtualAlloc KERNELBASE!VirtualAlloc+0x3b:764d55ab ff156cf75976 call dword ptr [KERNELBASE!_imp__NtAllocateVirtualMemory (7659f76c)] ds:002b:7659f76c={ntdll!NtAllocateVirtualMemory (77493340)} ntdll!NtAllocateVirtualMemory: CFG77493340 b818000000 mov eax, 18h77493345 ba50914a77 mov edx, 774A9150h7749334a ffd2 call edx7749334c c21800 ret 18h msvcrt!memcpy: CFG75338cf0 55 push ebp75338cf1 8bec mov ebp, esp75338cf3 57 push edi75338cf4 56 push esi75338cf5 8b750c mov esi, dword ptr [ebp+0Ch]75338cf8 8b4d10 mov ecx, dword ptr [ebp+10h]>> 75338cfb 8b7d08 mov edi, dword ptr [ebp+8]75338cfe 8bc1 mov eax, ecx0:000> db @esi L15600403040 ef fc 97 16 17 18 79 93-fe 2d dd 7a 94 70 11 a9 ......y..-.z.p..00403050 71 28 ae 74 33 a3 5b 02-24 9b 67 08 1e cf 9d 0e q(.t3.[.$.g.....00403060 52 48 37 1a 17 f9 f6 37-3a fb df cc 6d 17 ca 10 RH7....7:...m...00403070 53 cf 0f 7a cc 04 58 32-a8 04 4c 9f 1e db 08 72 S..z..X2..L....r00403080 52 87 de 1f 4f bb 63 13-d0 68 d6 5f 89 51 9e ce R...O.c..h._.Q..00403090 a2 ab 68 67 a0 50 89 1f-9d 6f 10 96 54 0d 55 07 ..hg.P...o..T.U.004030a0 97 2c fe 2e 53 79 aa 1c-f0 70 36 f5 27 9c 80 51 .,..Sy...p6.'..Q004030b0 08 80 0e 87 57 01 cd ae-af d7 d6 ef d6 ca c0 6d ....W..........m004030c0 73 cb ca cc 1c 8a 72 17-c6 f4 ae ac 9f a0 c9 d5 s.....r.........004030d0 d0 96 fa f2 cf e4 de 8c-ac 25 45 51 7f 08 21 b3 .........%EQ..!.004030e0 b3 b4 9c 72 e3 e8 d1 93-3b d7 bd 41 6a aa cb aa ...r....;..Aj...004030f0 6f d8 45 c3 af ca c9 db-97 45 2b 9e 9f 80 81 92 o.E......E+.....00403100 83 94 85 be 3d d7 06 3a-24 09 4a b4 cf b6 b6 8a ....=..:$.J.....00403110 7a 41 91 87 18 3d 6c 2a-9f e6 12 a0 e7 85 1d 1a zA...=l*........00403120 94 f4 f5 f6 9d f8 93 fe-ad ab 95 fc 26 c8 5e fd ............&.^.00403130 d6 87 fd 06 79 3e 82 3c-61 4c 65 0e 1f 10 11 44 ....y>.<aLe....D00403140 79 14 7d 4e b3 4b fc e5-ce 8f 4e 74 1f 76 72 75 y.}N.K....Nt.vru00403150 4b 26 fc ee 78 d7 fc a9-d3 2c 50 06 77 58 31 72 K&..x....,P.wX1r00403160 33 34 5f 36 67 50 32 15-34 0c c2 eb 68 28 34 2c 34_6gP2.4...h(4,00403170 0e 25 ba 93 19 16 b6 46-6f 43 c8 3e b0 af ae bb .%.....FoC.>....00403180 c8 ab aa a9 56 9b 70 9c-2e 9d 9e e5 af d5 c3 34 ....V.p........400403190 09 64 36 99 b2 00 .d6...0:000> lmstart end module name00000000`00400000 00000000`00667000 MiniRansomware T (no symbols) 00007ffa`605d0000 00007ffa`607ac000 TTDRecordCPU (deferred) 00007ffa`83c70000 00007ffa`83c9d000 WINMMBASE (deferred) 00007ffa`83ca0000 00007ffa`83cc4000 winmm (deferred) 00007ffa`851a0000 00007ffa`8522f000 apphelp (deferred) 00007ffa`87010000 00007ffa`8705a000 cfgmgr32 (deferred) 00007ffa`87060000 00007ffa`87303000 KERNELBASE (deferred) 00007ffa`87f80000 00007ffa`8807a000 ucrtbase (deferred) 00007ffa`88260000 00007ffa`88312000 KERNEL32 # (pdb symbols) 00007ffa`88ff0000 00007ffa`8908e000 msvcrt (deferred) 00007ffa`892c0000 00007ffa`893e0000 RPCRT4 (deferred) 00007ffa`895c0000 00007ffa`8962f000 ws2_32 (deferred) 00007ffa`89fc0000 00007ffa`8a1b0000 ntdll # (pdb symbols)0:000> !dh 00000000`00400000File Type: EXECUTABLE IMAGEFILE HEADER VALUES 8664 machine (X64) E number of sections 0 time date stamp 218600 file pointer to symbol table EE9 number of symbols F0 size of optional headerOPTIONAL HEADER VALUES 20B magic # 3.00 linker version B2200 size of code 15A00 size of initialized data 0 size of uninitialized data 53000 address of entry point 1000 base of code ----- new -----0000000000400000 image base 1000 section alignment 200 file alignment 3 subsystem (Windows CUI) 4.00 operating system version 1.00 image version 4.00 subsystem version 267000 size of image 600 size of headers 0 checksum0:000> lmstart end module name00000000`00400000 00000000`00667000 MiniRansomware T (no symbols) 00007ffa`605d0000 00007ffa`607ac000 TTDRecordCPU (deferred) 00007ffa`83c70000 00007ffa`83c9d000 WINMMBASE (deferred) 00007ffa`83ca0000 00007ffa`83cc4000 winmm (deferred) 00007ffa`851a0000 00007ffa`8522f000 apphelp (deferred) 00007ffa`87010000 00007ffa`8705a000 cfgmgr32 (deferred) 00007ffa`87060000 00007ffa`87303000 KERNELBASE (deferred) 00007ffa`87f80000 00007ffa`8807a000 ucrtbase (deferred) 00007ffa`88260000 00007ffa`88312000 KERNEL32 # (pdb symbols) 00007ffa`88ff0000 00007ffa`8908e000 msvcrt (deferred) 00007ffa`892c0000 00007ffa`893e0000 RPCRT4 (deferred) 00007ffa`895c0000 00007ffa`8962f000 ws2_32 (deferred) 00007ffa`89fc0000 00007ffa`8a1b0000 ntdll # (pdb symbols)0:000> !dh 00000000`00400000File Type: EXECUTABLE IMAGEFILE HEADER VALUES 8664 machine (X64) E number of sections 0 time date stamp 218600 file pointer to symbol table EE9 number of symbols F0 size of optional headerOPTIONAL HEADER VALUES 20B magic # 3.00 linker version B2200 size of code 15A00 size of initialized data 0 size of uninitialized data 53000 address of entry point 1000 base of code ----- new -----0000000000400000 image base 1000 section alignment 200 file alignment 3 subsystem (Windows CUI) 4.00 operating system version 1.00 image version 4.00 subsystem version 267000 size of image 600 size of headers 0 checksum0:000> .writemem MiniRansomware.exe 0x00400000 0x00667000-0x10:000> .writemem MiniRansomware.exe 0x00400000 0x00667000-0x1Function name Segment Start Length Locals Arguments main_DecodeStaticKey .text 00000000004B1670 00000148 00000000 00000098main_IsValidExtensions .text 00000000004B17C0 000000FF 00000000 00000098main_IsRegularFile .text 00000000004B18C0 000000DC 00000020 00000098main_EntryFunctionEncrypt .text 00000000004B1E90 000002A1 00000000 00000098main_DecryptFile .text 00000000004B20E0 00000510 00000060 00000048main_EntryFunctionDecrypt .text 00000000004B25F0 0000003F 00000000 000000F0main_AcceptSeriousWarning .text 00000000004B27D0 00000260 00000000 00000151main_main .text 00000000004B2A30 0000037F 00000130 000000B8main_init .text 00000000004B2EC0 000000BD 00000120 00000021Function name Segment Start Length Locals Arguments main_DecodeStaticKey .text 00000000004B1670 00000148 00000000 00000098main_IsValidExtensions .text 00000000004B17C0 000000FF 00000000 00000098main_IsRegularFile .text 00000000004B18C0 000000DC 00000020 00000098main_EntryFunctionEncrypt .text 00000000004B1E90 000002A1 00000000 00000098main_DecryptFile .text 00000000004B20E0 00000510 00000060 00000048main_EntryFunctionDecrypt .text 00000000004B25F0 0000003F 00000000 000000F0main_AcceptSeriousWarning .text 00000000004B27D0 00000260 00000000 00000151main_main .text 00000000004B2A30 0000037F 00000130 000000B8main_init .text 00000000004B2EC0 000000BD 00000120 00000021as main_DecodeStaticKey 4B1670as main_IsValidExtensions 4B17C0as main_IsRegularFile 4B18C0as main_EntryFunctionEncrypt 4B1E90as main_DecryptFile 4B20E0as main_EntryFunctionDecrypt 4B25F0as main_AcceptSeriousWarning 4B27D0as main_main 4B2A30bp main_DecodeStaticKeybp main_IsValidExtensions bp main_IsRegularFile bp main_EntryFunctionEncrypt bp main_DecryptFile bp main_EntryFunctionDecryptbp main_AcceptSeriousWarningbp main_main0:000> bl 0 e Disable Clear 00000000`004b1670 0001 (0001) 0:**** MiniRansomware+0xb1670 1 e Disable Clear 00000000`004b17c0 0001 (0001) 0:**** MiniRansomware+0xb17c0 2 e Disable Clear 00000000`004b18c0 0001 (0001) 0:**** MiniRansomware+0xb18c0 3 e Disable Clear 00000000`004b1e90 0001 (0001) 0:**** MiniRansomware+0xb1e90 4 e Disable Clear 00000000`004b20e0 0001 (0001) 0:**** MiniRansomware+0xb20e0 5 e Disable Clear 00000000`004b25f0 0001 (0001) 0:**** MiniRansomware+0xb25f0 6 e Disable Clear 00000000`004b27d0 0001 (0001) 0:**** MiniRansomware+0xb27d0 7 e Disable Clear 00000000`004b2a30 0001 (0001) 0:**** MiniRansomware+0xb2a30as main_DecodeStaticKey 4B1670as main_IsValidExtensions 4B17C0as main_IsRegularFile 4B18C0as main_EntryFunctionEncrypt 4B1E90as main_DecryptFile 4B20E0as main_EntryFunctionDecrypt 4B25F0as main_AcceptSeriousWarning 4B27D0as main_main 4B2A30bp main_DecodeStaticKeybp main_IsValidExtensions bp main_IsRegularFile bp main_EntryFunctionEncrypt bp main_DecryptFile bp main_EntryFunctionDecryptbp main_AcceptSeriousWarningbp main_main0:000> bl 0 e Disable Clear 00000000`004b1670 0001 (0001) 0:**** MiniRansomware+0xb1670 1 e Disable Clear 00000000`004b17c0 0001 (0001) 0:**** MiniRansomware+0xb17c0 2 e Disable Clear 00000000`004b18c0 0001 (0001) 0:**** MiniRansomware+0xb18c0 3 e Disable Clear 00000000`004b1e90 0001 (0001) 0:**** MiniRansomware+0xb1e90 4 e Disable Clear 00000000`004b20e0 0001 (0001) 0:**** MiniRansomware+0xb20e0 5 e Disable Clear 00000000`004b25f0 0001 (0001) 0:**** MiniRansomware+0xb25f0 6 e Disable Clear 00000000`004b27d0 0001 (0001) 0:**** MiniRansomware+0xb27d0 7 e Disable Clear 00000000`004b2a30 0001 (0001) 0:**** MiniRansomware+0xb2a300:000> gBreakpoint 0 hitTime Travel Position: FF5:2185MiniRansomware+0xb1670:00000000`004b1670 65488b0c2528000000 mov rcx,qword ptr gs:[28h] gs:00000000`00000028=00000000000000000:000> gBreakpoint 0 hitTime Travel Position: FF5:2185MiniRansomware+0xb1670:00000000`004b1670 65488b0c2528000000 mov rcx,qword ptr gs:[28h] gs:00000000`00000028=0000000000000000004b1670 65488b0c2528000000 mov rcx, qword ptr gs:[28h]004b1679 488b8900000000 mov rcx, qword ptr [rcx]004b1680 483b6110 cmp rsp, qword ptr [rcx+10h]004b1684 0f861f010000 jbe 00000000004B17A9004b168a 4883ec60 sub rsp, 60h004b168e 48896c2458 mov qword ptr [rsp+58h], rbp004b1693 488d6c2458 lea rbp, [rsp+58h]004b1698 48c744244800000000 mov qword ptr [rsp+48h], 0004b16a1 31c0 xor eax, eax004b16a3 eb03 jmp 00000000004B16A8004b16a5 48ffc0 inc rax004b16a8 4883f808 cmp rax, 8004b16ac 7d56 jge 00000000004B1704004b16ae 4885c0 test rax, rax004b16b1 7549 jne 00000000004B16FC004b16b3 c644044830 mov byte ptr [rsp+rax+48h], 30h004b16b8 4883f805 cmp rax, 5004b16bc 7505 jne 00000000004B16C3004b16be c64404486f mov byte ptr [rsp+rax+48h], 6Fh004b16c3 4883f801 cmp rax, 1004b16c7 7505 jne 00000000004B16CE004b16c9 c644044864 mov byte ptr [rsp+rax+48h], 64h004b16ce 4883f806 cmp rax, 6004b16d2 7505 jne 00000000004B16D9004b16d4 c64404486e mov byte ptr [rsp+rax+48h], 6Eh004b16d9 4883f802 cmp rax, 2004b16dd 7505 jne 00000000004B16E4004b16df c644044865 mov byte ptr [rsp+rax+48h], 65h004b16e4 4883f803 cmp rax, 3004b16e8 7505 jne 00000000004B16EF004b16ea c644044866 mov byte ptr [rsp+rax+48h], 66h004b16ef 4883f804 cmp rax, 4004b16f3 75b0 jne 00000000004B16A5004b16f5 c644044863 mov byte ptr [rsp+rax+48h], 63h004b16fa eba9 jmp 00000000004B16A5004b16fc 4883f807 cmp rax, 7004b1700 74b1 je 00000000004B16B3004b1702 ebb4 jmp 00000000004B16B8004b1704 31c0 xor eax, eax004b1706 31c9 xor ecx, ecx004b1708 31d2 xor edx, edx004b170a eb7f jmp 00000000004B178B004b170c 4889442438 mov qword ptr [rsp+38h], rax004b1711 48894c2450 mov qword ptr [rsp+50h], rcx004b1716 4889542440 mov qword ptr [rsp+40h], rdx004b171b 48c7042400000000 mov qword ptr [rsp], 0004b1723 488d442448 lea rax, [rsp+48h]004b1728 4889442408 mov qword ptr [rsp+8], rax004b172d 48c744241008000000 mov qword ptr [rsp+10h], 8004b1736 48c744241808000000 mov qword ptr [rsp+18h], 8004b173f e88cdbf8ff call 000000000043F2D0004b1744 488b442420 mov rax, qword ptr [rsp+20h]004b1749 488b4c2428 mov rcx, qword ptr [rsp+28h]004b174e 4889442418 mov qword ptr [rsp+18h], rax004b1753 48894c2420 mov qword ptr [rsp+20h], rcx004b1758 48c7042400000000 mov qword ptr [rsp], 0004b1760 488b442450 mov rax, qword ptr [rsp+50h]004b1765 4889442408 mov qword ptr [rsp+8], rax004b176a 488b442440 mov rax, qword ptr [rsp+40h]004b176f 4889442410 mov qword ptr [rsp+10h], rax004b1774 e857d9f8ff call 000000000043F0D0004b1779 488b442438 mov rax, qword ptr [rsp+38h]004b177e 48ffc0 inc rax004b1781 488b542430 mov rdx, qword ptr [rsp+30h]004b1786 488b4c2428 mov rcx, qword ptr [rsp+28h]004b178b 4883f804 cmp rax, 4004b178f 0f8c77ffffff jl 00000000004B170C>> 004b1795 48894c2468 mov qword ptr [rsp+68h], rcx004b179a 4889542470 mov qword ptr [rsp+70h], rdx004b179f 488b6c2458 mov rbp, qword ptr [rsp+58h]004b17a4 4883c460 add rsp, 60h004b17a8 c3 ret 004b1670 65488b0c2528000000 mov rcx, qword ptr gs:[28h]004b1679 488b8900000000 mov rcx, qword ptr [rcx]004b1680 483b6110 cmp rsp, qword ptr [rcx+10h]004b1684 0f861f010000 jbe 00000000004B17A9004b168a 4883ec60 sub rsp, 60h004b168e 48896c2458 mov qword ptr [rsp+58h], rbp004b1693 488d6c2458 lea rbp, [rsp+58h]004b1698 48c744244800000000 mov qword ptr [rsp+48h], 0004b16a1 31c0 xor eax, eax004b16a3 eb03 jmp 00000000004B16A8004b16a5 48ffc0 inc rax004b16a8 4883f808 cmp rax, 8004b16ac 7d56 jge 00000000004B1704004b16ae 4885c0 test rax, rax004b16b1 7549 jne 00000000004B16FC004b16b3 c644044830 mov byte ptr [rsp+rax+48h], 30h004b16b8 4883f805 cmp rax, 5004b16bc 7505 jne 00000000004B16C3004b16be c64404486f mov byte ptr [rsp+rax+48h], 6Fh004b16c3 4883f801 cmp rax, 1004b16c7 7505 jne 00000000004B16CE004b16c9 c644044864 mov byte ptr [rsp+rax+48h], 64h004b16ce 4883f806 cmp rax, 6004b16d2 7505 jne 00000000004B16D9004b16d4 c64404486e mov byte ptr [rsp+rax+48h], 6Eh004b16d9 4883f802 cmp rax, 2004b16dd 7505 jne 00000000004B16E4004b16df c644044865 mov byte ptr [rsp+rax+48h], 65h004b16e4 4883f803 cmp rax, 3004b16e8 7505 jne 00000000004B16EF004b16ea c644044866 mov byte ptr [rsp+rax+48h], 66h004b16ef 4883f804 cmp rax, 4004b16f3 75b0 jne 00000000004B16A5004b16f5 c644044863 mov byte ptr [rsp+rax+48h], 63h004b16fa eba9 jmp 00000000004B16A5004b16fc 4883f807 cmp rax, 7004b1700 74b1 je 00000000004B16B3004b1702 ebb4 jmp 00000000004B16B8004b1704 31c0 xor eax, eax004b1706 31c9 xor ecx, ecx004b1708 31d2 xor edx, edx004b170a eb7f jmp 00000000004B178B004b170c 4889442438 mov qword ptr [rsp+38h], rax004b1711 48894c2450 mov qword ptr [rsp+50h], rcx004b1716 4889542440 mov qword ptr [rsp+40h], rdx004b171b 48c7042400000000 mov qword ptr [rsp], 0004b1723 488d442448 lea rax, [rsp+48h]004b1728 4889442408 mov qword ptr [rsp+8], rax004b172d 48c744241008000000 mov qword ptr [rsp+10h], 8004b1736 48c744241808000000 mov qword ptr [rsp+18h], 8004b173f e88cdbf8ff call 000000000043F2D0004b1744 488b442420 mov rax, qword ptr [rsp+20h]004b1749 488b4c2428 mov rcx, qword ptr [rsp+28h]004b174e 4889442418 mov qword ptr [rsp+18h], rax004b1753 48894c2420 mov qword ptr [rsp+20h], rcx004b1758 48c7042400000000 mov qword ptr [rsp], 0004b1760 488b442450 mov rax, qword ptr [rsp+50h]004b1765 4889442408 mov qword ptr [rsp+8], rax004b176a 488b442440 mov rax, qword ptr [rsp+40h]004b176f 4889442410 mov qword ptr [rsp+10h], rax004b1774 e857d9f8ff call 000000000043F0D0004b1779 488b442438 mov rax, qword ptr [rsp+38h]004b177e 48ffc0 inc rax004b1781 488b542430 mov rdx, qword ptr [rsp+30h]004b1786 488b4c2428 mov rcx, qword ptr [rsp+28h]004b178b 4883f804 cmp rax, 4004b178f 0f8c77ffffff jl 00000000004B170C>> 004b1795 48894c2468 mov qword ptr [rsp+68h], rcx004b179a 4889542470 mov qword ptr [rsp+70h], rdx004b179f 488b6c2458 mov rbp, qword ptr [rsp+58h]004b17a4 4883c460 add rsp, 60h004b17a8 c3 ret 0:000> bp 4b17950:000> gBreakpoint 8 hitTime Travel Position: FF6:3A4MiniRansomware+0xb1795:00000000`004b1795 48894c2468 mov qword ptr [rsp+68h],rcx ss:000000c0`00065f78=00000000004c50600:000> db rcx L30000000c0`0000c320 30 64 65 66 63 6f 6e 30-30 64 65 66 63 6f 6e 30 0defcon00defcon0000000c0`0000c330 30 64 65 66 63 6f 6e 30-30 64 65 66 63 6f 6e 30 0defcon00defcon0000000c0`0000c340 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................0:000> db rdx L3000000000`00000020 fc 59 3b aa 80 01 00 00-00 00 00 00 00 00 00 00 .Y;.............00000000`00000030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................00000000`00000040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0:000> da rcx000000c0`0000c320 "0defcon00defcon00defcon00defcon0"000000c0`0000c340 ""0:000> bp 4b17950:000> gBreakpoint 8 hitTime Travel Position: FF6:3A4MiniRansomware+0xb1795:00000000`004b1795 48894c2468 mov qword ptr [rsp+68h],rcx ss:000000c0`00065f78=00000000004c50600:000> db rcx L30000000c0`0000c320 30 64 65 66 63 6f 6e 30-30 64 65 66 63 6f 6e 30 0defcon00defcon0000000c0`0000c330 30 64 65 66 63 6f 6e 30-30 64 65 66 63 6f 6e 30 0defcon00defcon0000000c0`0000c340 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................0:000> db rdx L3000000000`00000020 fc 59 3b aa 80 01 00 00-00 00 00 00 00 00 00 00 .Y;.............00000000`00000030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................00000000`00000040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????0:000> da rcx000000c0`0000c320 "0defcon00defcon00defcon00defcon0"000000c0`0000c340 ""0:000> gBreakpoint 7 hitTime Travel Position: FF8:3AMiniRansomware+0xb2a30:00000000`004b2a30 65488b0c2528000000 mov rcx,qword ptr gs:[28h] gs:00000000`00000028=00000000000000000:000> gBreakpoint 6 hitTime Travel Position: 101B:14A1MiniRansomware+0xb27d0:00000000`004b27d0 65488b0c2528000000 mov rcx,qword ptr gs:[28h] gs:00000000`00000028=00000000000000000:000> gBreakpoint 3 hitTime Travel Position: 1333:143DMiniRansomware+0xb1e90:00000000`004b1e90 65488b0c2528000000 mov rcx,qword ptr gs:[28h] gs:00000000`00000028=00000000000000000:000> gBreakpoint 7 hitTime Travel Position: FF8:3AMiniRansomware+0xb2a30:00000000`004b2a30 65488b0c2528000000 mov rcx,qword ptr gs:[28h] gs:00000000`00000028=00000000000000000:000> gBreakpoint 6 hitTime Travel Position: 101B:14A1MiniRansomware+0xb27d0:00000000`004b27d0 65488b0c2528000000 mov rcx,qword ptr gs:[28h] gs:00000000`00000028=00000000000000000:000> gBreakpoint 3 hitTime Travel Position: 1333:143DMiniRansomware+0xb1e90:00000000`004b1e90 65488b0c2528000000 mov rcx,qword ptr gs:[28h] gs:00000000`00000028=0000000000000000004b1e90 65488b0c2528000000 mov rcx, qword ptr gs:[28h]004b1e99 488b8900000000 mov rcx, qword ptr [rcx]004b1ea0 483b6110 cmp rsp, qword ptr [rcx+10h]004b1ea4 0f862c020000 jbe 00000000004B20D6004b1eaa 4883ec78 sub rsp, 78h004b1eae 48896c2470 mov qword ptr [rsp+70h], rbp004b1eb3 488d6c2470 lea rbp, [rsp+70h]004b1eb8 488b842480000000 mov rax, qword ptr [rsp+80h]004b1ec0 48890424 mov qword ptr [rsp], rax004b1ec4 488b8c2488000000 mov rcx, qword ptr [rsp+88h]004b1ecc 48894c2408 mov qword ptr [rsp+8], rcx004b1ed1 e8eaf9ffff call 00000000004B18C0004b1ed6 488d442410 lea rax, [rsp+10h]004b1edb 803800 cmp byte ptr [rax], 0004b1ede 0f84dd010000 je 00000000004B20C1004b1ee4 488b842480000000 mov rax, qword ptr [rsp+80h]004b1eec 48890424 mov qword ptr [rsp], rax004b1ef0 488b8c2488000000 mov rcx, qword ptr [rsp+88h]004b1ef8 48894c2408 mov qword ptr [rsp+8], rcx004b1efd e8aee2ffff call 00000000004B01B0004b1f02 488b442418 mov rax, qword ptr [rsp+18h]004b1f07 488b4c2410 mov rcx, qword ptr [rsp+10h]004b1f0c 4885c0 test rax, rax004b1f0f 7515 jne 00000000004B1F26004b1f11 0f57c0 xorps xmm0, xmm0004b1f14 0f118424b0000000 movups xmmword ptr [rsp+0B0h], xmm0004b1f1c 488b6c2470 mov rbp, qword ptr [rsp+70h]004b1f21 4883c478 add rsp, 78h004b1f25 c3 ret 004b1f26 4883f804 cmp rax, 4004b1f2a 7508 jne 00000000004B1F34004b1f2c 81392e656e63 cmp dword ptr [rcx], 636E652Eh004b1f32 74dd je 00000000004B1F11004b1f34 48890c24 mov qword ptr [rsp], rcx004b1f38 4889442408 mov qword ptr [rsp+8], rax004b1f3d e87ef8ffff call 00000000004B17C0004b1f42 488d442410 lea rax, [rsp+10h]004b1f47 803800 cmp byte ptr [rax], 0004b1f4a 74c5 je 00000000004B1F11004b1f4c 488b842480000000 mov rax, qword ptr [rsp+80h]004b1f54 4889442440 mov qword ptr [rsp+40h], rax004b1f59 488b8c2488000000 mov rcx, qword ptr [rsp+88h]004b1f61 48894c2448 mov qword ptr [rsp+48h], rcx004b1f66 0f57c0 xorps xmm0, xmm0004b1f69 0f11442450 movups xmmword ptr [rsp+50h], xmm0004b1f6e 488d156b410100 lea rdx, [4C60E0h]004b1f75 48891424 mov qword ptr [rsp], rdx004b1f79 488d5c2440 lea rbx, [rsp+40h]004b1f7e 48895c2408 mov qword ptr [rsp+8], rbx004b1f83 e8d86ef5ff call 0000000000408E60004b1f88 488b442410 mov rax, qword ptr [rsp+10h]004b1f8d 488b4c2418 mov rcx, qword ptr [rsp+18h]004b1f92 4889442450 mov qword ptr [rsp+50h], rax004b1f97 48894c2458 mov qword ptr [rsp+58h], rcx004b1f9c 488d0596cb0300 lea rax, [4EEB39h]004b1fa3 48890424 mov qword ptr [rsp], rax004b1fa7 48c744240819000000 mov qword ptr [rsp+8], 19h004b1fb0 488d442450 lea rax, [rsp+50h]004b1fb5 4889442410 mov qword ptr [rsp+10h], rax004b1fba 48c744241801000000 mov qword ptr [rsp+18h], 1004b1fc3 48c744242001000000 mov qword ptr [rsp+20h], 1004b1fcc e8cfe6feff call 00000000004A06A0004b1fd1 488b842480000000 mov rax, qword ptr [rsp+80h]004b1fd9 48890424 mov qword ptr [rsp], rax004b1fdd 488b842488000000 mov rax, qword ptr [rsp+88h]004b1fe5 4889442408 mov qword ptr [rsp+8], rax004b1fea 488b842490000000 mov rax, qword ptr [rsp+90h]004b1ff2 4889442410 mov qword ptr [rsp+10h], rax004b1ff7 488b842498000000 mov rax, qword ptr [rsp+98h]004b1fff 4889442418 mov qword ptr [rsp+18h], rax004b2004 e857f9ffff call 00000000004B1960004b2009 488d442420 lea rax, [rsp+20h]004b200e 803800 cmp byte ptr [rax], 0004b2011 747f je 00000000004B2092004b2013 488d05838b0300 lea rax, [4EAB9Dh]004b201a 48890424 mov qword ptr [rsp], rax004b201e 48c744240807000000 mov qword ptr [rsp+8], 7004b2027 48c744241000000000 mov qword ptr [rsp+10h], 0004b2030 0f57c0 xorps xmm0, xmm0004b2033 0f11442418 movups xmmword ptr [rsp+18h], xmm0004b2038 e863e6feff call 00000000004A06A0004b203d 0f57c0 xorps xmm0, xmm0004b2040 0f11442460 movups xmmword ptr [rsp+60h], xmm0004b2045 488d0594400100 lea rax, [4C60E0h]004b204c 4889442460 mov qword ptr [rsp+60h], rax004b2051 488d05280a0500 lea rax, [502A80h]004b2058 4889442468 mov qword ptr [rsp+68h], rax004b205d 488d442460 lea rax, [rsp+60h]004b2062 48890424 mov qword ptr [rsp], rax004b2066 48c744240801000000 mov qword ptr [rsp+8], 1004b206f 48c744241001000000 mov qword ptr [rsp+10h], 1004b2078 e8b3e9feff call 00000000004A0A30004b207d 0f57c0 xorps xmm0, xmm0004b2080 0f118424b0000000 movups xmmword ptr [rsp+0B0h], xmm0004b2088 488b6c2470 mov rbp, qword ptr [rsp+70h]004b208d 4883c478 add rsp, 78h004b2091 c3 ret 004b2092 488d05c2880300 lea rax, [4EA95Bh]004b2099 48890424 mov qword ptr [rsp], rax004b209d 48c744240806000000 mov qword ptr [rsp+8], 6004b20a6 48c744241000000000 mov qword ptr [rsp+10h], 0004b20af 0f57c0 xorps xmm0, xmm0004b20b2 0f11442418 movups xmmword ptr [rsp+18h], xmm0004b20b7 e8e4e5feff call 00000000004A06A0004b20bc e97cffffff jmp 00000000004B203D004b20c1 0f57c0 xorps xmm0, xmm0004b20c4 0f118424b0000000 movups xmmword ptr [rsp+0B0h], xmm0004b20cc 488b6c2470 mov rbp, qword ptr [rsp+70h]004b20d1 4883c478 add rsp, 78h004b20d5 c3 ret 004b1e90 65488b0c2528000000 mov rcx, qword ptr gs:[28h]004b1e99 488b8900000000 mov rcx, qword ptr [rcx]004b1ea0 483b6110 cmp rsp, qword ptr [rcx+10h]004b1ea4 0f862c020000 jbe 00000000004B20D6004b1eaa 4883ec78 sub rsp, 78h004b1eae 48896c2470 mov qword ptr [rsp+70h], rbp004b1eb3 488d6c2470 lea rbp, [rsp+70h]004b1eb8 488b842480000000 mov rax, qword ptr [rsp+80h]004b1ec0 48890424 mov qword ptr [rsp], rax004b1ec4 488b8c2488000000 mov rcx, qword ptr [rsp+88h]004b1ecc 48894c2408 mov qword ptr [rsp+8], rcx004b1ed1 e8eaf9ffff call 00000000004B18C0004b1ed6 488d442410 lea rax, [rsp+10h]004b1edb 803800 cmp byte ptr [rax], 0004b1ede 0f84dd010000 je 00000000004B20C1004b1ee4 488b842480000000 mov rax, qword ptr [rsp+80h]004b1eec 48890424 mov qword ptr [rsp], rax004b1ef0 488b8c2488000000 mov rcx, qword ptr [rsp+88h]004b1ef8 48894c2408 mov qword ptr [rsp+8], rcx004b1efd e8aee2ffff call 00000000004B01B0004b1f02 488b442418 mov rax, qword ptr [rsp+18h]004b1f07 488b4c2410 mov rcx, qword ptr [rsp+10h]004b1f0c 4885c0 test rax, rax004b1f0f 7515 jne 00000000004B1F26004b1f11 0f57c0 xorps xmm0, xmm0004b1f14 0f118424b0000000 movups xmmword ptr [rsp+0B0h], xmm0004b1f1c 488b6c2470 mov rbp, qword ptr [rsp+70h]004b1f21 4883c478 add rsp, 78h004b1f25 c3 ret
最后于 2025-7-22 08:07
被0xFF_Rick编辑
,原因: 补充
赞赏
|
|
|---|---|
|
|
赞赏
雪币:
留言:
