恶意代码分析实战第十二章隐蔽的恶意代码启动

2024年1月24日发(作者：)

{ // Char keys for ASCI // No VM Def in header

case 0x41: key = caps ? (shift ? "a" : "A") : (shift ? "A" : "a"); break; case 0x42: key = caps ? (shift ? "b" : "B") : (shift ? "B" : "b"); break; case 0x43: key = caps ? (shift ? "c" : "C") : (shift ? "C" : "c"); break; case 0x44: key = caps ? (shift ? "d" : "D") : (shift ? "D" : "d"); break; case 0x45: key = caps ? (shift ? "e" : "E") : (shift ? "E" : "e"); break; case 0x46: key = caps ? (shift ? "f" : "F") : (shift ? "F" : "f"); break; case 0x47: key = caps ? (shift ? "g" : "G") : (shift ? "G" : "g"); break; case 0x48: key = caps ? (shift ? "h" : "H") : (shift ? "H" : "h"); break; case 0x49: key = caps ? (shift ? "i" : "I") : (shift ? "I" : "i"); break; case 0x4A: key = caps ? (shift ? "j" : "J") : (shift ? "J" : "j"); break; case 0x4B: key = caps ? (shift ? "k" : "K") : (shift ? "K" : "k"); break; case 0x4C: key = caps ? (shift ? "l" : "L") : (shift ? "L" : "l"); break; case 0x4D: key = caps ? (shift ? "m" : "M") : (shift ? "M" : "m"); break; case 0x4E: key = caps ? (shift ? "n" : "N") : (shift ? "N" : "n"); break; case 0x4F: key = caps ? (shift ? "o" : "O") : (shift ? "O" : "o"); break; case 0x50: key = caps ? (shift ? "p" : "P") : (shift ? "P" : "p"); break; case 0x51: key = caps ? (shift ? "q" : "Q") : (shift ? "Q" : "q"); break; case 0x52: key = caps ? (shift ? "r" : "R") : (shift ? "R" : "r"); break; case 0x53: key = caps ? (shift ? "s" : "S") : (shift ? "S" : "s"); break; case 0x54: key = caps ? (shift ? "t" : "T") : (shift ? "T" : "t"); break; case 0x55: key = caps ? (shift ? "u" : "U") : (shift ? "U" : "u"); break; case 0x56: key = caps ? (shift ? "v" : "V") : (shift ? "V" : "v"); break; case 0x57: key = caps ? (shift ? "w" : "W") : (shift ? "W" : "w"); break; case 0x58: key = caps ? (shift ? "x" : "X") : (shift ? "X" : "x"); break; case 0x59: key = caps ? (shift ? "y" : "Y") : (shift ? "Y" : "y"); break; case 0x5A: key = caps ? (shift ? "z" : "Z") : (shift ? "Z" : "z"); break; // Sleep Key case VK_SLEEP: key = "[SLEEP]"; break; // Num Keyboard

case VK_NUMPAD0: key = "0"; break; case VK_NUMPAD1: key = "1"; break; case VK_NUMPAD2: key = "2"; break; case VK_NUMPAD3: key = "3"; break; case VK_NUMPAD4: key = "4"; break; case VK_NUMPAD5: key = "5"; break; case VK_NUMPAD6: key = "6"; break; case VK_NUMPAD7: key = "7"; break; case VK_NUMPAD8: key = "8"; break; case VK_NUMPAD9: key = "9"; break; case VK_MULTIPLY: key = "*"; break; case VK_ADD: key = "+"; break; case VK_SEPARATOR: key = "-"; break; case VK_SUBTRACT: key = "-"; break; case VK_DECIMAL: key = "."; break; case VK_DIVIDE: key = "/"; break; // Function Keys case VK_F1: key = "[F1]"; break; case VK_F2: key = "[F2]"; break; case VK_F3: key = "[F3]"; break; case VK_F4: key = "[F4]"; break; case VK_F5: key = "[F5]"; break; case VK_F6: key = "[F6]"; break; case VK_F7: key = "[F7]"; break; case VK_F8: key = "[F8]"; break; case VK_F9: key = "[F9]"; break; case VK_F10: key = "[F10]"; break; case VK_F11: key = "[F11]"; break; case VK_F12: key = "[F12]"; break; case VK_F13: key = "[F13]"; break; case VK_F14: key = "[F14]"; break; case VK_F15: key = "[F15]"; break; case VK_F16: key = "[F16]"; break; case VK_F17: key = "[F17]"; break; case VK_F18: key = "[F18]"; break; case VK_F19: key = "[F19]"; break; case VK_F20: key = "[F20]"; break; case VK_F21: key = "[F22]"; break; case VK_F22: key = "[F23]"; break; case VK_F23: key = "[F24]"; break; case VK_F24: key = "[F25]"; break;

ntdll!_PEB +0x000 InheritedAddressSpace : UChar +0x001 ReadImageFileExecOptions : UChar +0x002 BeingDebugged : UChar +0x003 BitField : UChar +0x003 ImageUsesLargePages : Pos 0, 1 Bit +0x003 IsProtectedProcess : Pos 1, 1 Bit +0x003 IsLegacyProcess : Pos 2, 1 Bit +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit +0x003 SpareBits : Pos 5, 3 Bits +0x004 Mutant : Ptr32 Void +0x008 ImageBaseAddress : Ptr32 Void +0x00c Ldr : Ptr32 _PEB_LDR_DATA +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS +0x014 SubSystemData : Ptr32 Void +0x018 ProcessHeap : Ptr32 Void +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION +0x020 AtlThunkSListPtr : Ptr32 Void +0x024 IFEOKey : Ptr32 Void +0x028 CrossProcessFlags : Uint4B +0x028 ProcessInJob : Pos 0, 1 Bit +0x028 ProcessInitializing : Pos 1, 1 Bit +0x028 ProcessUsingVEH : Pos 2, 1 Bit +0x028 ProcessUsingVCH : Pos 3, 1 Bit +0x028 ProcessUsingFTH : Pos 4, 1 Bit +0x028 ReservedBits0 : Pos 5, 27 Bits +0x02c KernelCallbackTable : Ptr32 Void +0x02c UserSharedInfoPtr : Ptr32 Void +0x030 SystemReserved : [1] Uint4B +0x034 AtlThunkSListPtr32 : Uint4B +0x038 ApiSetMap : Ptr32 Void +0x03c TlsExpansionCounter : Uint4B +0x040 TlsBitmap : Ptr32 Void +0x044 TlsBitmapBits : [2] Uint4B +0x04c ReadOnlySharedMemoryBase : Ptr32 Void +0x050 HotpatchInformation : Ptr32 Void +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void +0x058 AnsiCodePageData : Ptr32 Void +0x05c OemCodePageData : Ptr32 Void +0x060 UnicodeCaseTableData : Ptr32 Void +0x064 NumberOfProcessors : Uint4B +0x068 NtGlobalFlag : Uint4B +0x070 CriticalSectionTimeout : _LARGE_INTEGER +0x078 HeapSegmentReserve : Uint4B +0x07c HeapSegmentCommit : Uint4B +0x080 HeapDeCommitTotalFreeThreshold : Uint4B +0x084 HeapDeCommitFreeBlockThreshold : Uint4B +0x088 NumberOfHeaps : Uint4B +0x08c MaximumNumberOfHeaps : Uint4B +0x090 ProcessHeaps : Ptr32 Ptr32 Void +0x094 GdiSharedHandleTable : Ptr32 Void +0x098 ProcessStarterHelper : Ptr32 Void +0x09c GdiDCAttributeList : Uint4B +0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION +0x0a4 OSMajorVersion : Uint4B +0x0a8 OSMinorVersion : Uint4B +0x0ac OSBuildNumber : Uint2B +0x0ae OSCSDVersion : Uint2B +0x0b0 OSPlatformId : Uint4B +0x0b4 ImageSubsystem : Uint4B +0x0b8 ImageSubsystemMajorVersion : Uint4B +0x0bc ImageSubsystemMinorVersion : Uint4B +0x0c0 ActiveProcessAffinityMask : Uint4B +0x0c4 GdiHandleBuffer : [34] Uint4B +0x14c PostProcessInitRoutine : Ptr32 void

+0x150 TlsExpansionBitmap : Ptr32 Void +0x154 TlsExpansionBitmapBits : [32] Uint4B +0x1d4 SessionId : Uint4B +0x1d8 AppCompatFlags : _ULARGE_INTEGER +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER +0x1e8 pShimData : Ptr32 Void