add malware scan
This commit is contained in:
412
forensics/honeypot/win_malware
Normal file
412
forensics/honeypot/win_malware
Normal file
@@ -0,0 +1,412 @@
|
|||||||
|
Volatility 3 Framework 1.0.1
|
||||||
|
|
||||||
|
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Hexdump Disasm
|
||||||
|
|
||||||
|
1556 explorer.exe 0x3130000 0x3130fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 13 03 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
10 00 13 03 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
20 00 13 03 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
0x3130000: add byte ptr [eax], al
|
||||||
|
0x3130002: add byte ptr [eax], al
|
||||||
|
0x3130004: add byte ptr [eax], al
|
||||||
|
0x3130006: add byte ptr [eax], al
|
||||||
|
0x3130008: add byte ptr [eax], al
|
||||||
|
0x313000a: add byte ptr [eax], al
|
||||||
|
0x313000c: add byte ptr [eax], al
|
||||||
|
0x313000e: add byte ptr [eax], al
|
||||||
|
0x3130010: add byte ptr [eax], al
|
||||||
|
0x3130012: adc eax, dword ptr [ebx]
|
||||||
|
0x3130014: add byte ptr [eax], al
|
||||||
|
0x3130016: add byte ptr [eax], al
|
||||||
|
0x3130018: add byte ptr [eax], al
|
||||||
|
0x313001a: add byte ptr [eax], al
|
||||||
|
0x313001c: add byte ptr [eax], al
|
||||||
|
0x313001e: add byte ptr [eax], al
|
||||||
|
0x3130020: adc byte ptr [eax], al
|
||||||
|
0x3130022: adc eax, dword ptr [ebx]
|
||||||
|
0x3130024: add byte ptr [eax], al
|
||||||
|
0x3130026: add byte ptr [eax], al
|
||||||
|
0x3130028: add byte ptr [eax], al
|
||||||
|
0x313002a: add byte ptr [eax], al
|
||||||
|
0x313002c: add byte ptr [eax], al
|
||||||
|
0x313002e: add byte ptr [eax], al
|
||||||
|
0x3130030: and byte ptr [eax], al
|
||||||
|
0x3130032: adc eax, dword ptr [ebx]
|
||||||
|
0x3130034: add byte ptr [eax], al
|
||||||
|
0x3130036: add byte ptr [eax], al
|
||||||
|
0x3130038: add byte ptr [eax], al
|
||||||
|
0x313003a: add byte ptr [eax], al
|
||||||
|
0x313003c: add byte ptr [eax], al
|
||||||
|
0x313003e: add byte ptr [eax], al
|
||||||
|
2460 SearchFilterHo 0x730000 0x76ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
|
||||||
|
c5 2f 31 e7 87 c4 00 01 ./1.....
|
||||||
|
ee ff ee ff 00 00 00 00 ........
|
||||||
|
a8 00 73 00 a8 00 73 00 ..s...s.
|
||||||
|
00 00 73 00 00 00 73 00 ..s...s.
|
||||||
|
40 00 00 00 88 05 73 00 @.....s.
|
||||||
|
00 00 77 00 3f 00 00 00 ..w.?...
|
||||||
|
01 00 00 00 00 00 00 00 ........
|
||||||
|
f0 0f 73 00 f0 0f 73 00 ..s...s.
|
||||||
|
0x730000: lds ebp, ptr [edi]
|
||||||
|
0x730002: xor edi, esp
|
||||||
|
0x730004: xchg esp, eax
|
||||||
|
0x730006: add byte ptr [ecx], al
|
||||||
|
0x730008: out dx, al
|
||||||
|
2856 explorer.exe 0x16e0000 0x16e0fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 6e 01 00 00 00 00 ..n.....
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
10 00 6e 01 00 00 00 00 ..n.....
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
20 00 6e 01 00 00 00 00 ..n.....
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
0x16e0000: add byte ptr [eax], al
|
||||||
|
0x16e0002: add byte ptr [eax], al
|
||||||
|
0x16e0004: add byte ptr [eax], al
|
||||||
|
0x16e0006: add byte ptr [eax], al
|
||||||
|
0x16e0008: add byte ptr [eax], al
|
||||||
|
0x16e000a: add byte ptr [eax], al
|
||||||
|
0x16e000c: add byte ptr [eax], al
|
||||||
|
0x16e000e: add byte ptr [eax], al
|
||||||
|
0x16e0010: add byte ptr [eax], al
|
||||||
|
0x16e0012: outsb dx, byte ptr [esi]
|
||||||
|
0x16e0013: add dword ptr [eax], eax
|
||||||
|
0x16e0015: add byte ptr [eax], al
|
||||||
|
0x16e0017: add byte ptr [eax], al
|
||||||
|
0x16e0019: add byte ptr [eax], al
|
||||||
|
0x16e001b: add byte ptr [eax], al
|
||||||
|
0x16e001d: add byte ptr [eax], al
|
||||||
|
0x16e001f: add byte ptr [eax], dl
|
||||||
|
0x16e0021: add byte ptr [esi + 1], ch
|
||||||
|
0x16e0024: add byte ptr [eax], al
|
||||||
|
0x16e0026: add byte ptr [eax], al
|
||||||
|
0x16e0028: add byte ptr [eax], al
|
||||||
|
0x16e002a: add byte ptr [eax], al
|
||||||
|
0x16e002c: add byte ptr [eax], al
|
||||||
|
0x16e002e: add byte ptr [eax], al
|
||||||
|
0x16e0030: and byte ptr [eax], al
|
||||||
|
0x16e0032: outsb dx, byte ptr [esi]
|
||||||
|
0x16e0033: add dword ptr [eax], eax
|
||||||
|
0x16e0035: add byte ptr [eax], al
|
||||||
|
0x16e0037: add byte ptr [eax], al
|
||||||
|
0x16e0039: add byte ptr [eax], al
|
||||||
|
0x16e003b: add byte ptr [eax], al
|
||||||
|
0x16e003d: add byte ptr [eax], al
|
||||||
|
2856 explorer.exe 0x38d0000 0x38d1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
|
||||||
|
b0 00 eb 70 b0 01 eb 6c ...p...l
|
||||||
|
b0 02 eb 68 b0 03 eb 64 ...h...d
|
||||||
|
b0 04 eb 60 b0 05 eb 5c ...`...\
|
||||||
|
b0 06 eb 58 b0 07 eb 54 ...X...T
|
||||||
|
b0 08 eb 50 b0 09 eb 4c ...P...L
|
||||||
|
b0 0a eb 48 b0 0b eb 44 ...H...D
|
||||||
|
b0 0c eb 40 b0 0d eb 3c ...@...<
|
||||||
|
b0 0e eb 38 b0 0f eb 34 ...8...4
|
||||||
|
0x38d0000: mov al, 0
|
||||||
|
0x38d0002: jmp 0x38d0074
|
||||||
|
0x38d0004: mov al, 1
|
||||||
|
0x38d0006: jmp 0x38d0074
|
||||||
|
0x38d0008: mov al, 2
|
||||||
|
0x38d000a: jmp 0x38d0074
|
||||||
|
0x38d000c: mov al, 3
|
||||||
|
0x38d000e: jmp 0x38d0074
|
||||||
|
0x38d0010: mov al, 4
|
||||||
|
0x38d0012: jmp 0x38d0074
|
||||||
|
0x38d0014: mov al, 5
|
||||||
|
0x38d0016: jmp 0x38d0074
|
||||||
|
0x38d0018: mov al, 6
|
||||||
|
0x38d001a: jmp 0x38d0074
|
||||||
|
0x38d001c: mov al, 7
|
||||||
|
0x38d001e: jmp 0x38d0074
|
||||||
|
0x38d0020: mov al, 8
|
||||||
|
0x38d0022: jmp 0x38d0074
|
||||||
|
0x38d0024: mov al, 9
|
||||||
|
0x38d0026: jmp 0x38d0074
|
||||||
|
0x38d0028: mov al, 0xa
|
||||||
|
0x38d002a: jmp 0x38d0074
|
||||||
|
0x38d002c: mov al, 0xb
|
||||||
|
0x38d002e: jmp 0x38d0074
|
||||||
|
0x38d0030: mov al, 0xc
|
||||||
|
0x38d0032: jmp 0x38d0074
|
||||||
|
0x38d0034: mov al, 0xd
|
||||||
|
0x38d0036: jmp 0x38d0074
|
||||||
|
0x38d0038: mov al, 0xe
|
||||||
|
0x38d003a: jmp 0x38d0074
|
||||||
|
0x38d003c: mov al, 0xf
|
||||||
|
0x38d003e: jmp 0x38d0074
|
||||||
|
3324 iexplore.exe 0x1fd0000 0x1fd1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
|
||||||
|
b0 00 eb 70 b0 01 eb 6c ...p...l
|
||||||
|
b0 02 eb 68 b0 03 eb 64 ...h...d
|
||||||
|
b0 04 eb 60 b0 05 eb 5c ...`...\
|
||||||
|
b0 06 eb 58 b0 07 eb 54 ...X...T
|
||||||
|
b0 08 eb 50 b0 09 eb 4c ...P...L
|
||||||
|
b0 0a eb 48 b0 0b eb 44 ...H...D
|
||||||
|
b0 0c eb 40 b0 0d eb 3c ...@...<
|
||||||
|
b0 0e eb 38 b0 0f eb 34 ...8...4
|
||||||
|
0x1fd0000: mov al, 0
|
||||||
|
0x1fd0002: jmp 0x1fd0074
|
||||||
|
0x1fd0004: mov al, 1
|
||||||
|
0x1fd0006: jmp 0x1fd0074
|
||||||
|
0x1fd0008: mov al, 2
|
||||||
|
0x1fd000a: jmp 0x1fd0074
|
||||||
|
0x1fd000c: mov al, 3
|
||||||
|
0x1fd000e: jmp 0x1fd0074
|
||||||
|
0x1fd0010: mov al, 4
|
||||||
|
0x1fd0012: jmp 0x1fd0074
|
||||||
|
0x1fd0014: mov al, 5
|
||||||
|
0x1fd0016: jmp 0x1fd0074
|
||||||
|
0x1fd0018: mov al, 6
|
||||||
|
0x1fd001a: jmp 0x1fd0074
|
||||||
|
0x1fd001c: mov al, 7
|
||||||
|
0x1fd001e: jmp 0x1fd0074
|
||||||
|
0x1fd0020: mov al, 8
|
||||||
|
0x1fd0022: jmp 0x1fd0074
|
||||||
|
0x1fd0024: mov al, 9
|
||||||
|
0x1fd0026: jmp 0x1fd0074
|
||||||
|
0x1fd0028: mov al, 0xa
|
||||||
|
0x1fd002a: jmp 0x1fd0074
|
||||||
|
0x1fd002c: mov al, 0xb
|
||||||
|
0x1fd002e: jmp 0x1fd0074
|
||||||
|
0x1fd0030: mov al, 0xc
|
||||||
|
0x1fd0032: jmp 0x1fd0074
|
||||||
|
0x1fd0034: mov al, 0xd
|
||||||
|
0x1fd0036: jmp 0x1fd0074
|
||||||
|
0x1fd0038: mov al, 0xe
|
||||||
|
0x1fd003a: jmp 0x1fd0074
|
||||||
|
0x1fd003c: mov al, 0xf
|
||||||
|
0x1fd003e: jmp 0x1fd0074
|
||||||
|
3324 iexplore.exe 0x3030000 0x3030fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 03 03 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
10 00 03 03 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
20 00 03 03 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
0x3030000: add byte ptr [eax], al
|
||||||
|
0x3030002: add byte ptr [eax], al
|
||||||
|
0x3030004: add byte ptr [eax], al
|
||||||
|
0x3030006: add byte ptr [eax], al
|
||||||
|
0x3030008: add byte ptr [eax], al
|
||||||
|
0x303000a: add byte ptr [eax], al
|
||||||
|
0x303000c: add byte ptr [eax], al
|
||||||
|
0x303000e: add byte ptr [eax], al
|
||||||
|
0x3030010: add byte ptr [eax], al
|
||||||
|
0x3030012: add eax, dword ptr [ebx]
|
||||||
|
0x3030014: add byte ptr [eax], al
|
||||||
|
0x3030016: add byte ptr [eax], al
|
||||||
|
0x3030018: add byte ptr [eax], al
|
||||||
|
0x303001a: add byte ptr [eax], al
|
||||||
|
0x303001c: add byte ptr [eax], al
|
||||||
|
0x303001e: add byte ptr [eax], al
|
||||||
|
0x3030020: adc byte ptr [eax], al
|
||||||
|
0x3030022: add eax, dword ptr [ebx]
|
||||||
|
0x3030024: add byte ptr [eax], al
|
||||||
|
0x3030026: add byte ptr [eax], al
|
||||||
|
0x3030028: add byte ptr [eax], al
|
||||||
|
0x303002a: add byte ptr [eax], al
|
||||||
|
0x303002c: add byte ptr [eax], al
|
||||||
|
0x303002e: add byte ptr [eax], al
|
||||||
|
0x3030030: and byte ptr [eax], al
|
||||||
|
0x3030032: add eax, dword ptr [ebx]
|
||||||
|
0x3030034: add byte ptr [eax], al
|
||||||
|
0x3030036: add byte ptr [eax], al
|
||||||
|
0x3030038: add byte ptr [eax], al
|
||||||
|
0x303003a: add byte ptr [eax], al
|
||||||
|
0x303003c: add byte ptr [eax], al
|
||||||
|
0x303003e: add byte ptr [eax], al
|
||||||
|
3324 iexplore.exe 0x5fff0000 0x5fffffff VadS PAGE_EXECUTE_READWRITE 16 1 Disabled
|
||||||
|
64 74 72 52 00 00 00 00 dtrR....
|
||||||
|
00 02 ff 5f 00 00 00 00 ..._....
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
0x5fff0000: je 0x5fff0075
|
||||||
|
0x5fff0003: push edx
|
||||||
|
0x5fff0004: add byte ptr [eax], al
|
||||||
|
0x5fff0006: add byte ptr [eax], al
|
||||||
|
0x5fff0008: add byte ptr [edx], al
|
||||||
|
0x5fff000a: lcall [edi]
|
||||||
|
0x5fff000d: add byte ptr [eax], al
|
||||||
|
0x5fff000f: add byte ptr [eax], al
|
||||||
|
0x5fff0011: add byte ptr [eax], al
|
||||||
|
0x5fff0013: add byte ptr [eax], al
|
||||||
|
0x5fff0015: add byte ptr [eax], al
|
||||||
|
0x5fff0017: add byte ptr [eax], al
|
||||||
|
0x5fff0019: add byte ptr [eax], al
|
||||||
|
0x5fff001b: add byte ptr [eax], al
|
||||||
|
0x5fff001d: add byte ptr [eax], al
|
||||||
|
0x5fff001f: add byte ptr [eax], al
|
||||||
|
0x5fff0021: add byte ptr [eax], al
|
||||||
|
0x5fff0023: add byte ptr [eax], al
|
||||||
|
0x5fff0025: add byte ptr [eax], al
|
||||||
|
0x5fff0027: add byte ptr [eax], al
|
||||||
|
0x5fff0029: add byte ptr [eax], al
|
||||||
|
0x5fff002b: add byte ptr [eax], al
|
||||||
|
0x5fff002d: add byte ptr [eax], al
|
||||||
|
0x5fff002f: add byte ptr [eax], al
|
||||||
|
0x5fff0031: add byte ptr [eax], al
|
||||||
|
0x5fff0033: add byte ptr [eax], al
|
||||||
|
0x5fff0035: add byte ptr [eax], al
|
||||||
|
0x5fff0037: add byte ptr [eax], al
|
||||||
|
0x5fff0039: add byte ptr [eax], al
|
||||||
|
0x5fff003b: add byte ptr [eax], al
|
||||||
|
0x5fff003d: add byte ptr [eax], al
|
||||||
|
3344 iexplore.exe 0x25c0000 0x25c1fff VadS PAGE_EXECUTE_READWRITE 2 1 Disabled
|
||||||
|
b0 00 eb 70 b0 01 eb 6c ...p...l
|
||||||
|
b0 02 eb 68 b0 03 eb 64 ...h...d
|
||||||
|
b0 04 eb 60 b0 05 eb 5c ...`...\
|
||||||
|
b0 06 eb 58 b0 07 eb 54 ...X...T
|
||||||
|
b0 08 eb 50 b0 09 eb 4c ...P...L
|
||||||
|
b0 0a eb 48 b0 0b eb 44 ...H...D
|
||||||
|
b0 0c eb 40 b0 0d eb 3c ...@...<
|
||||||
|
b0 0e eb 38 b0 0f eb 34 ...8...4
|
||||||
|
0x25c0000: mov al, 0
|
||||||
|
0x25c0002: jmp 0x25c0074
|
||||||
|
0x25c0004: mov al, 1
|
||||||
|
0x25c0006: jmp 0x25c0074
|
||||||
|
0x25c0008: mov al, 2
|
||||||
|
0x25c000a: jmp 0x25c0074
|
||||||
|
0x25c000c: mov al, 3
|
||||||
|
0x25c000e: jmp 0x25c0074
|
||||||
|
0x25c0010: mov al, 4
|
||||||
|
0x25c0012: jmp 0x25c0074
|
||||||
|
0x25c0014: mov al, 5
|
||||||
|
0x25c0016: jmp 0x25c0074
|
||||||
|
0x25c0018: mov al, 6
|
||||||
|
0x25c001a: jmp 0x25c0074
|
||||||
|
0x25c001c: mov al, 7
|
||||||
|
0x25c001e: jmp 0x25c0074
|
||||||
|
0x25c0020: mov al, 8
|
||||||
|
0x25c0022: jmp 0x25c0074
|
||||||
|
0x25c0024: mov al, 9
|
||||||
|
0x25c0026: jmp 0x25c0074
|
||||||
|
0x25c0028: mov al, 0xa
|
||||||
|
0x25c002a: jmp 0x25c0074
|
||||||
|
0x25c002c: mov al, 0xb
|
||||||
|
0x25c002e: jmp 0x25c0074
|
||||||
|
0x25c0030: mov al, 0xc
|
||||||
|
0x25c0032: jmp 0x25c0074
|
||||||
|
0x25c0034: mov al, 0xd
|
||||||
|
0x25c0036: jmp 0x25c0074
|
||||||
|
0x25c0038: mov al, 0xe
|
||||||
|
0x25c003a: jmp 0x25c0074
|
||||||
|
0x25c003c: mov al, 0xf
|
||||||
|
0x25c003e: jmp 0x25c0074
|
||||||
|
3344 iexplore.exe 0x5fff0000 0x5fffffff VadS PAGE_EXECUTE_READWRITE 16 1 Disabled
|
||||||
|
64 74 72 52 00 00 00 00 dtrR....
|
||||||
|
20 03 ff 5f 00 00 00 00 ..._....
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
00 00 00 00 00 00 00 00 ........
|
||||||
|
0x5fff0000: je 0x5fff0075
|
||||||
|
0x5fff0003: push edx
|
||||||
|
0x5fff0004: add byte ptr [eax], al
|
||||||
|
0x5fff0006: add byte ptr [eax], al
|
||||||
|
0x5fff0008: and byte ptr [ebx], al
|
||||||
|
0x5fff000a: lcall [edi]
|
||||||
|
0x5fff000d: add byte ptr [eax], al
|
||||||
|
0x5fff000f: add byte ptr [eax], al
|
||||||
|
0x5fff0011: add byte ptr [eax], al
|
||||||
|
0x5fff0013: add byte ptr [eax], al
|
||||||
|
0x5fff0015: add byte ptr [eax], al
|
||||||
|
0x5fff0017: add byte ptr [eax], al
|
||||||
|
0x5fff0019: add byte ptr [eax], al
|
||||||
|
0x5fff001b: add byte ptr [eax], al
|
||||||
|
0x5fff001d: add byte ptr [eax], al
|
||||||
|
0x5fff001f: add byte ptr [eax], al
|
||||||
|
0x5fff0021: add byte ptr [eax], al
|
||||||
|
0x5fff0023: add byte ptr [eax], al
|
||||||
|
0x5fff0025: add byte ptr [eax], al
|
||||||
|
0x5fff0027: add byte ptr [eax], al
|
||||||
|
0x5fff0029: add byte ptr [eax], al
|
||||||
|
0x5fff002b: add byte ptr [eax], al
|
||||||
|
0x5fff002d: add byte ptr [eax], al
|
||||||
|
0x5fff002f: add byte ptr [eax], al
|
||||||
|
0x5fff0031: add byte ptr [eax], al
|
||||||
|
0x5fff0033: add byte ptr [eax], al
|
||||||
|
0x5fff0035: add byte ptr [eax], al
|
||||||
|
0x5fff0037: add byte ptr [eax], al
|
||||||
|
0x5fff0039: add byte ptr [eax], al
|
||||||
|
0x5fff003b: add byte ptr [eax], al
|
||||||
|
0x5fff003d: add byte ptr [eax], al
|
||||||
|
2700 powershell.exe 0x1100000 0x113ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
|
||||||
|
f2 44 93 9f 1e 46 00 01 .D...F..
|
||||||
|
ee ff ee ff 00 00 00 00 ........
|
||||||
|
a8 00 10 01 a8 00 10 01 ........
|
||||||
|
00 00 10 01 00 00 10 01 ........
|
||||||
|
40 00 00 00 88 05 10 01 @.......
|
||||||
|
00 00 14 01 3f 00 00 00 ....?...
|
||||||
|
01 00 00 00 00 00 00 00 ........
|
||||||
|
f0 0f 10 01 f0 0f 10 01 ........
|
||||||
|
0x1100000: inc esp
|
||||||
|
0x1100002: xchg eax, ebx
|
||||||
|
0x1100003: lahf
|
||||||
|
0x1100004: push ds
|
||||||
|
0x1100005: inc esi
|
||||||
|
0x1100006: add byte ptr [ecx], al
|
||||||
|
0x1100008: out dx, al
|
||||||
|
2700 powershell.exe 0x1b10000 0x1b4ffff VadS PAGE_EXECUTE_READWRITE 4 1 Disabled
|
||||||
|
fb e8 fc 8b e3 61 00 01 .....a..
|
||||||
|
ee ff ee ff 00 00 00 00 ........
|
||||||
|
a8 00 b1 01 a8 00 b1 01 ........
|
||||||
|
00 00 b1 01 00 00 b1 01 ........
|
||||||
|
40 00 00 00 88 05 b1 01 @.......
|
||||||
|
00 00 b5 01 3c 00 00 00 ....<...
|
||||||
|
01 00 00 00 00 00 00 00 ........
|
||||||
|
f0 3f b1 01 f0 3f b1 01 .?...?..
|
||||||
|
0x1b10000: sti
|
||||||
|
0x1b10001: call 0x63948c02
|
||||||
|
0x1b10006: add byte ptr [ecx], al
|
||||||
|
0x1b10008: out dx, al
|
||||||
|
2700 powershell.exe 0x7ff50000 0x7ff5ffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
|
||||||
|
00 00 00 00 97 19 00 00 ........
|
||||||
|
00 00 00 00 0e 00 00 00 ........
|
||||||
|
68 00 00 00 00 e9 b2 38 h......8
|
||||||
|
bc 81 68 01 00 00 00 e9 ..h.....
|
||||||
|
a8 38 bc 81 68 02 00 00 .8..h...
|
||||||
|
00 e9 9e 38 bc 81 68 03 ...8..h.
|
||||||
|
00 00 00 e9 94 38 bc 81 .....8..
|
||||||
|
68 04 00 00 00 e9 8a 38 h......8
|
||||||
|
0x7ff50000: add byte ptr [eax], al
|
||||||
|
0x7ff50002: add byte ptr [eax], al
|
||||||
|
0x7ff50004: xchg eax, edi
|
||||||
|
0x7ff50005: sbb dword ptr [eax], eax
|
||||||
|
0x7ff50007: add byte ptr [eax], al
|
||||||
|
0x7ff50009: add byte ptr [eax], al
|
||||||
|
0x7ff5000b: add byte ptr [esi], cl
|
||||||
|
0x7ff5000d: add byte ptr [eax], al
|
||||||
|
0x7ff5000f: add byte ptr [eax], ch
|
||||||
|
0x7ff50012: add byte ptr [eax], al
|
||||||
|
0x7ff50014: add cl, ch
|
||||||
|
0x7ff50016: mov dl, 0x38
|
||||||
|
0x7ff50018: mov esp, 0x16881
|
||||||
|
0x7ff5001d: add byte ptr [eax], al
|
||||||
|
0x7ff5001f: jmp 0x1b138cc
|
||||||
|
0x7ff50024: push 2
|
||||||
|
0x7ff50029: jmp 0x1b138cc
|
||||||
|
0x7ff5002e: push 3
|
||||||
|
0x7ff50033: jmp 0x1b138cc
|
||||||
|
0x7ff50038: push 4
|
||||||
|
2700 powershell.exe 0x7ff60000 0x7ffaffff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled
|
||||||
|
ec ff ff ff 04 00 00 00 ........
|
||||||
|
01 00 00 00 00 00 08 01 ........
|
||||||
|
1c 00 00 00 15 00 0e 00 ........
|
||||||
|
0e 00 00 00 64 09 ab 6a ....d..j
|
||||||
|
00 10 84 6a 5c 70 86 6a ...j\p.j
|
||||||
|
2c 30 84 6a 00 00 00 00 ,0.j....
|
||||||
|
00 00 00 00 10 00 f5 7f ........
|
||||||
|
1a 00 f5 7f 24 00 f5 7f ....$...
|
||||||
|
0x7ff60000: in al, dx
|
||||||
Reference in New Issue
Block a user