第一章恶意软件静态分析基础
2021/11/25 23:13:26
本文主要是介绍第一章恶意软件静态分析基础,对大家解决编程问题具有一定的参考价值,需要的程序猿们随着小编来一起学习吧!
第一章恶意软件静态分析基础
- 《基于数据科学的恶意软件分析》
- 代码清单1-1 加载pefile模块并解析PE文件(ircbot.exe)
- 代码清单1-2 遍历PE文件的各个节并打印有关它们的信息
- 代码清单1-4 从ircbot.exe中提取导入信息
- 代码清单1-6 从恶意软件样本中提取图像的Shell命令
- 代码清单1-7 显示恶意软件可以将攻击者指定的文件下载到目标计算机的字符串输出
- 代码清单1-8 显示恶意软件有一个攻击者可以连接的HTTP服务器的字符串输出
《基于数据科学的恶意软件分析》
Malware Data Science Attack Detection and Attribution
Joshua Saxe Hillary Sanders著 何能强 严寒冰 译
代码清单1-1 加载pefile模块并解析PE文件(ircbot.exe)
#终端输入 pip3 install pefile
#jupyter notebook import os print(os.getcwd()) #result:/home/ubuntu20/桌面
import pefile pe = pefile.PE("/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe")
代码清单1-2 遍历PE文件的各个节并打印有关它们的信息
for section in pe.sections: print(section.Name, hex(section.VirtualAddress), section.SizeOfRawData) #result: b'.text\x00\x00\x00' 0x1000 207360 b'.rdata\x00\x00' 0x34000 17408 b'.data\x00\x00\x00' 0x39000 10752 b'.idata\x00\x00' 0x96000 3072 b'.reloc\x00\x00' 0x97000 8704
for section in pe.sections: print(hex(section.Name, section.Misc_VirtualSize)) #TypeError: hex() takes exactly one argument (2 given)
代码清单1-4 从ircbot.exe中提取导入信息
pe = pefile.PE("/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe") for entry in pe.DIRECTORY_ENTRY_IMPORT: print(entry.dll) for function in entry.imports: print('\t', function.name) #result: b'KERNEL32.DLL' b'GetLocalTime' b'ExitThread' b'CloseHandle' b'WriteFile' b'CreateFileA' b'ExitProcess' b'CreateProcessA' b'GetTickCount' b'GetModuleFileNameA' b'GetSystemDirectoryA' b'Sleep' b'GetTimeFormatA' b'GetDateFormatA' b'GetLastError' b'CreateThread' b'GetFileSize' b'GetFileAttributesA' b'FindClose' b'FileTimeToSystemTime' b'FileTimeToLocalFileTime' b'FindNextFileA' b'FindFirstFileA' b'ReadFile' b'SetFilePointer' b'WriteConsoleA' b'GetStdHandle' b'LoadLibraryA' b'GetProcAddress' b'GetModuleHandleA' b'FormatMessageA' b'GlobalUnlock' b'GlobalLock' b'UnmapViewOfFile' b'MapViewOfFile' b'CreateFileMappingA' b'SetFileTime' b'GetFileTime' b'ExpandEnvironmentStringsA' b'SetFileAttributesA' b'GetTempPathA' b'GetCurrentProcess' b'TerminateProcess' b'OpenProcess' b'GetComputerNameA' b'GetLocaleInfoA' b'GetVersionExA' b'TerminateThread' b'FlushFileBuffers' b'SetStdHandle' b'IsBadWritePtr' b'IsBadReadPtr' b'HeapValidate' b'GetStartupInfoA' b'GetCommandLineA' b'GetVersion' b'DebugBreak' b'InterlockedDecrement' b'OutputDebugStringA' b'InterlockedIncrement' b'HeapAlloc' b'HeapReAlloc' b'HeapFree' b'HeapDestroy' b'HeapCreate' b'VirtualFree' b'VirtualAlloc' b'WideCharToMultiByte' b'MultiByteToWideChar' b'LCMapStringA' b'LCMapStringW' b'GetCPInfo' b'GetACP' b'GetOEMCP' b'UnhandledExceptionFilter' b'FreeEnvironmentStringsA' b'FreeEnvironmentStringsW' b'GetEnvironmentStrings' b'GetEnvironmentStringsW' b'SetHandleCount' b'GetFileType' b'RtlUnwind' b'SetConsoleCtrlHandler' b'GetStringTypeA' b'GetStringTypeW' b'SetEndOfFile' b'USER32.dll' b'MessageBoxA'
#推荐学习:python之pefile模块(解析PE) #https://blog.csdn.net/b_h_l/article/details/9371611
代码清单1-6 从恶意软件样本中提取图像的Shell命令
#创建目录 #/home/ubuntu20/桌面/malware_data_science/ch1/终端输入: mkdir images
#使用wrestool从fakepdfmalware.exe中提取图像资源到/images目录 #先下载icoutils sudo apt install icoutils wrestool -x '/home/ubuntu20/桌面/malware_data_science/ch1/fakepdfmalware.exe' -output=images
#使用icotool提取并将Adobe中的.ico图标格式中的所有资源转换为.png图形 icotool -x -o image images/*.ico #报错icotool: images/*.ico: cannot open file
使用其它方法将.ico图标转换为.png图形
wrestool -x --output=. -t14 '/home/ubuntu20/桌面/malware_data_science/ch1/fakepdfmalware.exe'
sudo apt install imagemagick-6.q16 for i in *.ico; do convert "$i" "$i.png"; done
images是创建的目录,utput=images是提取的图像资源.icon格式,fakepdfmalware.exe_14_101_2052.ico是提取的.icon,fakepdfmalware.exe_14_101_2052.ico.png是转换的.png
代码清单1-7 显示恶意软件可以将攻击者指定的文件下载到目标计算机的字符串输出
代码清单1-8 显示恶意软件有一个攻击者可以连接的HTTP服务器的字符串输出
#查看文件中所有字符串 strings '/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe' | less
#只提取最小长度为10字节的字符串 strings -n 10 '/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe' | less
#将ircbot.exe中的字符串镜像到ircbotstring.txt文件中 strings '/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe' > ircbotstring.txt #ircbotstring.txt内容如下: !This program cannot be run in DOS mode. Rich .text `.rdata @.data .idata .reloc DSVW h,@C TSVW Ph@@C (_^[ Y_^[ PSVW hh@C DSVW ht@C ht@C Y_^[ DSVW HSVW X_^[ Pj,h Pj,h Pj`hA Pj`h@ PSVW PSVW Ph\GC Ph(GC $hxFC PhpFC PhTFC DSVW @SVW DSVW XSVW YYPh YYPh YYPh YPhTHC Y_^[ LSVW Y_^[ Ph~f Ph~f hPKC h0KC Ph\KC htPC hpOC h|NC PhXNC Ph<NC Ph\MC Ph@MC hlLC DSVW hxQC h`QC YPh`QC xSVW hx[C h\[C hL[C h<[C h [C htZC h`ZC hPZC h<ZC h,ZC hlYC hPYC h4YC h YC h|XC hpXC hdXC hPXC h8XC h(XC hlWC h\WC hTWC hDWC h8WC h,WC h WC h|VC hlVC h\VC hLVC h<VC hlUC hTUC h4UC h(UC htTC hdTC hTTC hDTC h0TC hlSC hTSC h8SC hpRC h`RC hDRC h$RC X_^[ hl]C hP]C h4]C h`\C hD\C h$\C Y_^[ hDcH j?h0dH hDcH hDcH HSVW HSVW DSVW hlCI HSVW LSVW @SVW X_^[ PhLdC Ph0dC lSVW HSVW DSVW h<eC h<eC TSVW PhpeC DSVW PSVW XSVW jIY3 HSVW h,dH hLfC h,fC @SVW X_^[ h,dH hLfC h,fC htkC h`kC h\kC h8kC h0kC h,kC h|jC h\jC h|jC h8jC htiC hpiC hhiC h8iC hhhC YYh`hC h0hC h<gC PhlfC h`fC hXfC E,_^[ DSVW HSVW PSVW PSVW Ph(lC h,lC hSVW hTlC LSVW DSVW hhlC h`lC DSVW HSVW HSVW HSVW HSVW h|lC Y_^[ @SVW %0bI %4bI %8bI %<bI %@bI %DbI %HbI %LbI %PbI %TbI %XbI %\bI %`bI %dbI %hbI %lbI %pbI %tbI %xbI %|bI tzVS GIt% t/Ku t&:a PRSVWh _^[ZX 0SVW ,SVW 0SVW &hhnC QhDnC _^[ RhLpC &h(pC t!hPoC QSVW t!hlqC Rh@qC t!hlqC QSVW t!hlqC QSVW &hlrC Rh@qC Qh8rC u+hLsC Rh(sC H0_^[ u.htsC A,+B, J0+H0 hltC PhXtC RhLtC RhDtC \SVW 4SVW QSVW Q,Rh Q0Rh h uC hluC j5hduC hPuC j6hduC h@uC j7hduC h,uC j8hduC _^[] WVS3 ^[_3 h uC j8h|uC j9h|uC GIt# t hPvC h|wC hxwC hxwC h\vC h uC hxxC = FI =pFI =tFI _^[] h uC $SVW h@uC h uC >jUh h yC ^_[3 h uC jAh(yC uZj^h(yC QSVW t!h4yC h(yC hPyC hLyC U`]I E`]I E`]I =l]I =l]I jmhhyC =PFI =tGjyhhyC htyC SVWUj ]_^[ t.;t$$t( VC20XC00U SVWU tEVU t3x< ]_^[ h|wC hxwC hD|C lht|C h`|C QSVW h uC =,HI =,HI hLyC |jyh =(HI =,FI QSVW QSVW =,FI % cI %$cI %(cI %,cI %0cI %4cI %8cI %<cI %@cI %DcI %HcI %LcI %PcI %TcI %XcI %\cI %`cI %dcI %hcI %lcI %pcI %tcI %xcI %|cI %d. %s = %s -[Alias List]- [%.2d-%.2d-%4d %.2d:%.2d:%.2d] %s -[Logs]- [LOGS]: Cleared. [LOG]: List complete. [LOG]: Begin DISPLAY Window n;^ Qkkbal i]Wb 9a&g MGiI wn>Jj #.zf +o*7 [DOWNLOAD]: Bad URL, or DNS Error: %s. [DOWNLOAD]: Update failed: Error executing file: %s. [DOWNLOAD]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating. [DOWNLOAD]: Opened: %s. open [DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec. [DOWNLOAD]: CRC Failed (%d != %d). [DOWNLOAD]: Filesize is incorrect: (%d != %d). [DOWNLOAD]: Update: %s (%dKB transferred). [DOWNLOAD]: File download: %s (%dKB transferred). [DOWNLOAD]: Couldn't open file: %s. Cdrom Network Disk Invalid Unknown %sKB failed [MAIN]: %s Drive (%s): %s total, %s free, %s available. [MAIN]: %s Drive (%s): Failed to stat, device not ready. [HTTPD]: Error: server failed, returned: <%d>. GET HTTP/1.0 200 OK Server: myBot Cache-Control: no-cache,no-store,max-age=0 pragma: no-cache Content-Type: %s Content-Length: %i Accept-Ranges: bytes Date: %s %s GMT Last-Modified: %s %s GMT Expires: %s %s GMT Connection: close HTTP/1.0 200 OK Server: myBot Cache-Control: no-cache,no-store,max-age=0 pragma: no-cache Content-Type: %s Accept-Ranges: bytes Date: %s %s GMT Last-Modified: %s %s GMT Expires: %s %s GMT Connection: close HH:mm:ss ddd, dd MMM yyyy application/octet-stream text/html [HTTPD]: Failed to start worker thread, error: <%d>. [HTTPD]: Worker thread of server thread: %d. %s%s Found: %i Files and %i Directories <TR> <TD COLSPAN="3"><HR></TD> </TR> </TABLE> </BODY> </HTML> PRIVMSG %s :Found %s Files and %s Directories %-31s %-21s (%i bytes) </TD> <TD WIDTH="%d"><CODE>%s</CODE></TD> <TD WIDTH="%d" ALIGN="right"><CODE>%dk</CODE></TD> </TR> "><CODE>%s</CODE></A> "><CODE>%.30s></CODE></A> PRIVMSG %s :%-31s %-21s (%s bytes) %-31s %-21s </TD> <TD WIDTH="%d"><CODE>%s</CODE></TD> <TD WIDTH="%d" ALIGN="right"><CODE>-</CODE></TD> </TR> "><CODE>%s/</CODE></A> "><CODE>%.29s>/</CODE></A> %s%s/ <TR> <TD WIDTH="%d"><A HREF=" PRIVMSG %s :%-31s %-21s <%s> %2.2d/%2.2d/%4d %2.2d:%2.2d %s <TR> <TD COLSPAN="3"><A HREF="%s"><CODE>Parent Directory</CODE></A></TD> </TR> Searching for: %s <TR> <TD COLSPAN="3"><HR></TD> </TR> <TR> <TD WIDTH="%d"><CODE>Name</CODE></TD> <TD WIDTH="%d"><CODE>Last Modified</CODE></TD> <TD WIDTH="%d" ALIGN="right"><CODE>Size</CODE></TD> </TR> <H1>Index of %s</H1> <TABLE BORDER="0"> <HTML> <HEAD> <TITLE>Index of %s</TITLE> </HEAD> <BODY> PRIVMSG %s :Searching for: %s %s %s HTTP/1.1 Referer: %s Host: %s Connection: close Sending PRIVMSG!!! %s %s :%s PRIVMSG NOTICE [KEYLOG]: %s [%d-%d-%d %d:%d:%d] %s %s (Return) (%s) %s (Buffer full) (%s) %s (Changed Windows: %s) capGetDriverDescriptionA capCreateCaptureWindowA avicap32.dll SQLDisconnect SQLFreeHandle SQLAllocHandle SQLExecDirect SQLSetEnvAttr SQLDriverConnect odbc32.dll SHChangeNotify ShellExecuteA shell32.dll WNetCancelConnection2W WNetCancelConnection2A WNetAddConnection2W WNetAddConnection2A mpr.dll DeleteIpNetEntry GetIpNetTable iphlpapi.dll DnsFlushResolverCacheEntry_A DnsFlushResolverCache dnsapi.dll NetMessageBufferSend NetUserGetInfo NetUserEnum NetUserDel NetUserAdd NetRemoteTOD NetApiBufferFree NetScheduleJobAdd NetShareEnum NetShareDel NetShareAdd netapi32.dll IcmpSendEcho IcmpCloseHandle IcmpCreateFile icmp.dll Mozilla/4.0 (compatible) InternetCloseHandle InternetReadFile InternetCrackUrlA InternetOpenUrlA InternetOpenA InternetConnectA HttpSendRequestA HttpOpenRequestA InternetGetConnectedStateEx InternetGetConnectedState wininet.dll closesocket getpeername gethostbyaddr gethostbyname gethostname getsockname setsockopt accept listen select bind recvfrom recv sendto send ntohl ntohs htonl htons inet_addr inet_ntoa connect ioctlsocket socket WSACleanup WSAGetLastError WSAIoctl __WSAFDIsSet WSAAsyncSelect WSASocketA WSAStartup ws2_32.dll DeleteObject DeleteDC BitBlt SelectObject GetDIBColorTable GetDeviceCaps CreateCompatibleDC CreateDIBSection CreateDCA gdi32.dll GetUserNameA IsValidSecurityDescriptor EnumServicesStatusA CloseServiceHandle DeleteService ControlService StartServiceA OpenServiceA OpenSCManagerA AdjustTokenPrivileges LookupPrivilegeValueA OpenProcessToken RegCloseKey RegDeleteValueA RegQueryValueExA RegSetValueExA RegCreateKeyExA RegOpenKeyExA advapi32.dll GetForegroundWindow GetWindowTextA GetKeyState GetAsyncKeyState ExitWindowsEx CloseClipboard GetClipboardData OpenClipboard DestroyWindow IsWindow FindWindowA SendMessageA user32.dll RegisterServiceProcess QueryPerformanceFrequency QueryPerformanceCounter SearchPathA GetDriveTypeA GetLogicalDriveStringsA GetDiskFreeSpaceExA Module32First Process32Next Process32First CreateToolhelp32Snapshot SetErrorMode kernel32.dll [MAIN]: DLL test complete. Avicap32.dll failed. <%d> Odbc32.dll failed. <%d> Shell32.dll failed. <%d> Mpr32.dll failed. <%d> Iphlpapi.dll failed. <%d> Dnsapi.dll failed. <%d> Netapi32.dll failed. <%d> Icmp.dll failed. <%d> Wininet.dll failed. <%d> Ws2_32.dll failed. <%d> Gdi32.dll failed. <%d> Advapi32.dll failed. <%d> User32.dll failed. <%d> Kernel32.dll failed. <%d> intranet main winpass blank office control nokia siemens compaq dell cisco orainstall sqlpassoainstall db1234 databasepassword data databasepass dbpassword dbpass access domainpassword domainpass domain hello hell slut bitch fuck exchange backup technical loginpass login mary katie kate george eric chris neil brian susan luke peter john mike bill fred win2000 winnt winxp win2k win98 windows oeminstall oemuser user homeuser home accounting accounts internet outlook mail qwerty null server system changeme linux unix demo none test 2004 2003 2002 2001 2000 1234567890 123456789 12345678 1234567 123456 12345 1234 pass pass1234 passwd password password1 oracle database default guest wwwadmin teacher student owner computer root staff admin admins administrat administrateur administrador administrator mIRC v6.03 K.Mardam-Bey mIRC v6.01 K.Mardam-Bey mIRC v5.82 K.Mardam-Bey mIRC v5.71 K.Mardam-Bey mIRC32 v6.12 K.Mardam-Bey mIRC32 v6.03 K.Mardam-Bey mIRC32 v6.01 K.Mardam-Bey mIRC32 v5.82 K.Mardam-Bey mIRC v6.03 Khaled Mardam-Bey mIRC v6.12 Khaled Mardam-Bey Yes. Success %s Error: %s <%d>. mIRC explorer.exe %s %s SeShutdownPrivilege %%comspec%% /c %s %s @echo off :repeat del "%%1" if exist "%%1" goto repeat del "%s" %sdel.bat [FLUSHDNS]: Not supported by this system. [FLUSHDNS]: ARP cache is empty. [FLUSHDNS]: Unable to allocation ARP cache. [FLUSHDNS]: Error getting ARP cache: <%d>. %d.%d.%d.%d %s (%d) SeDebugPrivilege [PROC]: Process list failed. [PROC]: Process list completed. [PROC]: Listing processes: [MAIN]: Connected to %s. NICK %s USER %s 0 0 :%s PASS %s hcon httpcon [DOWNLOAD]: Failed to start transfer thread, error: <%d>. [DOWNLOAD]: Downloading URL: %s to: %s. dlz0r d0wnl04d [CAPTURE]: Invalid parameters for amateur video capture. [CAPTURE]: Error while capturing amateur video from webcam. [CAPTURE]: Amateur video saved to: %s. video [CAPTURE]: Invalid parameters for webcam capture. [CAPTURE]: Error while capturing from webcam. [CAPTURE]: Webcam capture saved to: %s. frame [CAPTURE]: Driver list complete. [CAPTURE]: Driver #%d - %s - %s. drivers [CAPTURE]: No filename specified for screen capture. [CAPTURE]: Error while capturing screen. [CAPTURE]: Screen capture saved to: %s. screen capture [KEYLOG]: No key logger thread found. [KEYLOG]: Key logger stopped. (%d thread(s) stopped.) [KEYLOG]: Failed to start logging thread, error: <%d>. [KEYLOG]: Key logger active. [KEYLOG]: Already running. file keylog [HTTPD]: Failed to start server thread, error: <%d>. [HTTPD]: Server listening on IP: %s:%d, Directory: %s\. http httpserver TOPIC [MAIN]: Joined channel: %s. NOTICE %s :%s [MAIN]: User %s logged out. KICK NICK %s MODE %s +i USERHOST %s JOIN %s %s PONG %s PING KBOT5 YEAH %s%i [%s]| [%d]%s %d. %s -[Thread List]- %s: No %s thread found. %s: %s stopped. (%d thread(s) stopped.) i386\chkesp.c The value of ESP was not properly saved across a function call. This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention. format != NULL sprintf.c string != NULL vsprintf.c Client Ignore Normal Free Error: memory allocation: bad memory block type. Invalid allocation size: %u bytes. Client hook allocation failure. Client hook allocation failure at file %hs line %d. dbgheap.c _CrtCheckMemory() _pFirstBlock == pOldBlock _pLastBlock == pOldBlock fRealloc || (!fRealloc && pNewBlock == pOldBlock) _BLOCK_TYPE(pOldBlock->nBlockUse)==_BLOCK_TYPE(nBlockUse) pOldBlock->nLine == IGNORE_LINE && pOldBlock->lRequest == IGNORE_REQ _CrtIsValidHeapPointer(pUserData) Allocation too large or negative: %u bytes. Client hook re-allocation failure. Client hook re-allocation failure at file %hs line %d. _pFirstBlock == pHead _pLastBlock == pHead pHead->nBlockUse == nBlockUse pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ DAMAGE: after %hs block (#%d) at 0x%08X. DAMAGE: before %hs block (#%d) at 0x%08X. _BLOCK_TYPE_IS_VALID(pHead->nBlockUse) Client hook free failure. memory check error at 0x%08X = 0x%02X, should be 0x%02X. %hs located at 0x%08X is %u bytes long. %hs allocated at file %hs(%d). DAMAGE: on top of Free block at 0x%08X. DAMAGED _heapchk fails with unknown return value! _heapchk fails with _HEAPBADPTR. _heapchk fails with _HEAPBADEND. _heapchk fails with _HEAPBADNODE. _heapchk fails with _HEAPBADBEGIN. Bad memory block found at 0x%08X. _CrtMemCheckPoint: NULL state pointer. _CrtMemDifference: NULL state pointer. Object dump complete. crt block at 0x%08X, subtype %x, %u bytes long. normal block at 0x%08X, %u bytes long. client block at 0x%08X, subtype %x, %u bytes long. {%ld} %hs(%d) : #File Error#(%d) : Dumping objects -> Data: <%s> %s %.2X Detected memory leaks! Total allocations: %ld bytes. Largest number used: %ld bytes. %ld bytes in %ld %hs Blocks. fclose.c str != NULL *mode != _T('\0') mode != NULL *file != _T('\0') fopen.c file != NULL fprintf.c Assertion Failed Error Warning %s(%d) : %s Assertion failed! Assertion failed: _CrtDbgReport: String too long or IO Error Second Chance Assertion Failed: File %s, Line %d wsprintfA Microsoft Visual C++ Debug Library Debug %s! Program: %s%s%s%s%s%s%s%s%s%s%s (Press Retry to debug the application) Module: File: Line: Expression: For information on how your program can cause an assertion failure, see the Visual C++ documentation on asserts. <program name unknown> dbgrpt.c szUserMessage != NULL ("inconsistent IOB fields", stream->_ptr - stream->_base >= 0) _flsbuf.c (8PX 700WP `h```` ppxxxx (null) output.c ch != _T('\0') _freebuf.c stream != NULL _filbuf.c _open.c filename != NULL stream.c ?IsProcessorFeaturePresent KERNEL32 e+000 _sftbuf.c flag == 0 || flag == 1 stdenvp.c stdargv.c a_env.c ioinit.c runtime error TLOSS error SING error DOMAIN error R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data abnormal program termination R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point not loaded Microsoft Visual C++ Runtime Library Runtime Error! Program: GetLastActivePopup GetActiveWindow MessageBoxA _getbuf.c _file.c osfinfo.c chsize.c size >= 0 1#QNAN 1#INF 1#IND 1#SNAN [ESC] [ESC] [F1] [F1] [F2] [F2] [F3] [F3] [F4] [F4] [F5] [F5] [F6] [F6] [F7] [F7] [F8] [F8] [F9] [F9] [F10] [F10] [F11] [F11] [F12] [F12] [TAB] [TAB] [CTRL] [CTRL] [WIN] [WIN] [WIN] [WIN] [PRSC] [PRSC] [SCLK] [SCLK] [INS] [INS] [HOME] [HOME] [PGUP] [PGUP] [DEL] [DEL] [END] [END] [PGDN] [PGDN] [LEFT] [LEFT] [UP] [UP] [RGHT] [RGHT] [DOWN] [DOWN] [NMLK] [NMLK] bbot bBot-Version 0.6 index botirc.net #test irc.server2.net #channel2 channelpass2 wuamgrd32.exe key.txt winnt DNS ident bBot| sysconfig.dat #channel #channel #channel Software\Microsoft\Windows\CurrentVersion\Run Software\Microsoft\Windows\CurrentVersion\RunServices Software\Microsoft\OLE SYSTEM\CurrentControlSet\Control\Lsa const letter comp country kU'9 HMXB ?Zd; ?/L[ S;uD z?aUY D?$? U>c{ zc%C1 .:3q -64OS NKeb KERNEL32.DLL USER32.dll GetLocalTime ExitThread CloseHandle WriteFile CreateFileA ExitProcess CreateProcessA GetTickCount GetModuleFileNameA GetSystemDirectoryA Sleep GetTimeFormatA GetDateFormatA GetLastError CreateThread GetFileSize GetFileAttributesA FindClose FileTimeToSystemTime FileTimeToLocalFileTime FindNextFileA FindFirstFileA ReadFile SetFilePointer WriteConsoleA GetStdHandle LoadLibraryA GetProcAddress GetModuleHandleA FormatMessageA GlobalUnlock GlobalLock UnmapViewOfFile MapViewOfFile CreateFileMappingA SetFileTime GetFileTime ExpandEnvironmentStringsA SetFileAttributesA GetTempPathA GetCurrentProcess TerminateProcess OpenProcess GetComputerNameA GetLocaleInfoA GetVersionExA TerminateThread FlushFileBuffers SetStdHandle IsBadWritePtr IsBadReadPtr HeapValidate GetStartupInfoA GetCommandLineA GetVersion DebugBreak InterlockedDecrement OutputDebugStringA InterlockedIncrement HeapAlloc HeapReAlloc HeapFree HeapDestroy HeapCreate VirtualFree VirtualAlloc WideCharToMultiByte MultiByteToWideChar LCMapStringA LCMapStringW GetCPInfo GetACP GetOEMCP UnhandledExceptionFilter FreeEnvironmentStringsA FreeEnvironmentStringsW GetEnvironmentStrings GetEnvironmentStringsW SetHandleCount GetFileType RtlUnwind SetConsoleCtrlHandler GetStringTypeA GetStringTypeW SetEndOfFile MessageBoxA
#提取代码清单1-7内容: [DOWNLOAD]: Bad URL, or DNS Error: %s. [DOWNLOAD]: Update failed: Error executing file: %s. [DOWNLOAD]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating. [DOWNLOAD]: Opened: %s. open [DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec. [DOWNLOAD]: CRC Failed (%d != %d). [DOWNLOAD]: Filesize is incorrect: (%d != %d). [DOWNLOAD]: Update: %s (%dKB transferred). [DOWNLOAD]: File download: %s (%dKB transferred). [DOWNLOAD]: Couldn't open file: %s.
#提取代码清单1-8内容: GET HTTP/1.0 200 OK Server: myBot Cache-Control: no-cache,no-store,max-age=0 pragma: no-cache Content-Type: %s Content-Length: %i Accept-Ranges: bytes Date: %s %s GMT Last-Modified: %s %s GMT Expires: %s %s GMT Connection: close HTTP/1.0 200 OK Server: myBot Cache-Control: no-cache,no-store,max-age=0 pragma: no-cache Content-Type: %s Accept-Ranges: bytes Date: %s %s GMT Last-Modified: %s %s GMT Expires: %s %s GMT Connection: close HH:mm:ss ddd, dd MMM yyyy application/octet-stream text/html
认真是一种态度更是一种责任
这篇关于第一章恶意软件静态分析基础的文章就介绍到这儿,希望我们推荐的文章对大家有所帮助,也希望大家多多支持为之网!
- 2024-11-23Springboot应用的多环境打包入门
- 2024-11-23Springboot应用的生产发布入门教程
- 2024-11-23Python编程入门指南
- 2024-11-23Java创业入门:从零开始的编程之旅
- 2024-11-23Java创业入门:新手必读的Java编程与创业指南
- 2024-11-23Java对接阿里云智能语音服务入门详解
- 2024-11-23Java对接阿里云智能语音服务入门教程
- 2024-11-23JAVA对接阿里云智能语音服务入门教程
- 2024-11-23Java副业入门:初学者的简单教程
- 2024-11-23JAVA副业入门:初学者的实战指南