Friday, 2 October 2009

Bifrost Debug

This trojan was built with Bifrost, the well-known builder/controller for the Bifrost remote-access trojan. An overview of this server build:

File name: photo15_jpg.exe (it tries to pass itself off as a JPEG; it even carries a JPEG icon)
Installs in the system directory:
{AEDFB120-4369-AEF1-980E-CD34535DC196}
Mutex name: pikachu
Registry key: system123
Process name: msnmsgr.exe
Rootkit: hides the server process

C2 DNS name: vnc-k3v.no-ip.org / 83.192.102.236, port: 8978

IP address: 83.192.102.236
IP country code: FR
IP address country: France
IP address state: Nord-Pas-de-Calais
IP address city: Crochte
IP address latitude: 50.9333
IP address longitude: 2.3833
ISP of this IP: France Telecom
Organization: France Telecom
Host of this IP: ALille-252-1-14-236.w83-192.abo.wanadoo.fr
Local time in France: 2009-10-02 16:14

The C2 name is a no-ip.org dynamic-DNS host, so the address above is only a snapshot; a second lookup of the same name returned a different host:
Host of the IP: vnc-k3v.no-ip.org
Host IP: 69.65.19.125
IP country code: US

The server builder component has the following capabilities:

* Create the server component
* Change the server component's port number and/or IP address
* Change the server component's executable name
* Change the name of the Windows registry startup entry
* Include rootkit to hide server process
* Include extensions to add features (adds 22,759 bytes to server)
* Use persistence (makes the server harder to remove from the infected system)

The client component has the following capabilities:

* Process Manager (Browse or kill running processes)
* File manager (Browse, upload, download, or delete files)
* Window Manager (Browse, close, maximize/minimize, or rename windows)
* Get system information
* Extract passwords from machine
* Keystroke logging
* Screen capture
* Webcam capture
* Desktop logoff, reboot or shutdown
* Registry editor
* Remote shell



Reports: API call trace (Wine relay log; ret= addresses in the 0x0040xxxx range are inside the sample's image, 0x7b8xxxxx addresses are inside Wine's own kernel32 forwarding to ntdll):

Code:

0009:Starting process L"Z:\\tmp\\vir\\1c23ff4a4784fa6ad8fbbe75078d68af\\malware.exe" (entryproc=0x403780)
0009:Call KERNEL32.GetModuleHandleA(00000000) ret=00401b99
0009:Call KERNEL32.GetCurrentThreadId() ret=00401adb
0009:Call KERNEL32.GetModuleHandleA(00000000) ret=004032d0
0009:Call KERNEL32.GetModuleFileNameA(00400000,0032fdc6,00000104) ret=004032d6
0009:Call ntdll.LdrLockLoaderLock(00000000,00000000,0032fcb8) ret=7b864d2a
0009:Call ntdll.LdrFindEntryForAddress(00400000,0032fcb4) ret=7b864d44
0009:Call ntdll.LdrUnlockLoaderLock(00000000,00000009) ret=7b864d9c
0009:Call KERNEL32.GetModuleFileNameA(00000000,0032fc8c,00000105) ret=00401389
0009:Call ntdll.LdrLockLoaderLock(00000000,00000000,0032fb98) ret=7b864d2a
0009:Call ntdll.LdrFindEntryForAddress(00400000,0032fb94) ret=7b864d44
0009:Call ntdll.LdrUnlockLoaderLock(00000000,00000009) ret=7b864d9c
0009:Call KERNEL32.LoadLibraryA(0011de28 "kernel32.dll") ret=0040314e
0009:Call ntdll.LdrLoadDll(00121870 L"Z:\\tmp\\vir\\1c23ff4a4784fa6ad8fbbe75078d68af;.;C:\\windows\\system32;C:\\windows\\system;C:\\windows;",00000000,0032fda8,0032fb68) ret=7b8655a7
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdd8,00000000,0032fdd4) ret=7b865abb
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdd8,00000000,0032fdd4) ret=7b865abb
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdd8,00000000,0032fdd4) ret=7b865abb
0009:Call ntdll.NtQuerySystemTime(0032fde0) ret=7b8531cd
0009:Call KERNEL32.Sleep(00000096) ret=004031d5
0009:Call ntdll.NtDelayExecution(00000000,0032fdc8) ret=7b889913
0009:Call ntdll.NtQuerySystemTime(0032fde0) ret=7b8531cd
0009:Call KERNEL32.Sleep(00000096) ret=004031e3
0009:Call ntdll.NtDelayExecution(00000000,0032fdc8) ret=7b889913
0009:Call ntdll.NtQuerySystemTime(0032fde0) ret=7b8531cd
0009:Call KERNEL32.LoadLibraryA(0011de28 "kernel32.dll") ret=004033e3
0009:Call ntdll.LdrLoadDll(00121870 L"Z:\\tmp\\vir\\1c23ff4a4784fa6ad8fbbe75078d68af;.;C:\\windows\\system32;C:\\windows\\system;C:\\windows;",00000000,0032fdb8,0032fb78) ret=7b8655a7
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fde8,00000000,0032fde4) ret=7b865abb
0009:Call KERNEL32.LoadLibraryA(0011de78 "kernel32.dll") ret=0040342d
0009:Call ntdll.LdrLoadDll(00121870 L"Z:\\tmp\\vir\\1c23ff4a4784fa6ad8fbbe75078d68af;.;C:\\windows\\system32;C:\\windows\\system;C:\\windows;",00000000,0032fdb8,0032fb78) ret=7b8655a7
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fde8,00000000,0032fde4) ret=7b865abb
0009:Call KERNEL32.IsDebuggerPresent() ret=00403451
0009:Call KERNEL32.GetCommandLineA() ret=0040131c
0009:Call KERNEL32.LoadLibraryA(0011de40 "kernel32.dll") ret=00403515
0009:Call ntdll.LdrLoadDll(00121870 L"Z:\\tmp\\vir\\1c23ff4a4784fa6ad8fbbe75078d68af;.;C:\\windows\\system32;C:\\windows\\system;C:\\windows;",00000000,0032fd88,0032fb48) ret=7b8655a7
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdb8,00000000,0032fdb4) ret=7b865abb
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdb8,00000000,0032fdb4) ret=7b865abb
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdb8,00000000,0032fdb4) ret=7b865abb
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdb8,00000000,0032fdb4) ret=7b865abb
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdb8,00000000,0032fdb4) ret=7b865abb
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdb8,00000000,0032fdb4) ret=7b865abb
0009:Call KERNEL32.FindResourceA(00400000,0011ddf8 "KYNC",0000000a) ret=00403608
0009:Call ntdll.LdrFindResource_U(00400000,0032fd50,00000003,0032fc8c) ret=7b88041b
0009:Call KERNEL32.SizeofResource(00400000,00409140) ret=00403618
0009:Call KERNEL32.LoadResource(00400000,00409140) ret=0040362a
0009:Call ntdll.LdrAccessResource(00400000,00409140,0032fdb8,00000000) ret=7b8819a9
0009:Call KERNEL32.LockResource(00409e54) ret=00403634
0009:Call KERNEL32.FreeResource(00409e54) ret=00403644
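Reading the relay log by hand is fine for a hundred lines; for a longer run it helps to parse it. The script below is an added example, not code from the original post or from any tool used there: it embeds a subset of the trace lines above as constructed input, keeps only calls whose return address lies inside the sample's image (ImageBase 0x400000, SizeOfImage 0x11000 from the PE dump further down), and flags the three things worth noting in this log: the IsDebuggerPresent call, the NtQuerySystemTime / Sleep(0x96) / NtQuerySystemTime bracket that reads like a 150 ms "did the sleep really take that long" timing check (an inference from the ordering; the log does not name the exported call behind the NtQuerySystemTime lines), and FindResourceA loading the named RT_RCDATA resource KYNC, which is the 0x677E-byte blob listed in the resource directory. Wine logs the sample's GetProcAddress lookups as kernel32 calling ntdll.LdrGetProcedureAddress, so those are counted as dynamic resolution.

```python
# Added example (not from the original post): parse Wine +relay lines and flag the
# behaviours seen in this sample. TRACE is a subset of the log above, embedded as input.
import re
from dataclasses import dataclass

CALL_RE = re.compile(
    r"^(?P<tid>[0-9a-f]{4}):Call (?P<mod>\w+)\.(?P<fn>\w+)\((?P<args>.*)\) ret=(?P<ret>[0-9a-f]{8})$"
)
RT_NAMES = {3: "RT_ICON", 10: "RT_RCDATA", 14: "RT_GROUP_ICON"}

# Constructed input: lines copied from the relay log above.
TRACE = r"""
0009:Starting process L"Z:\\tmp\\vir\\1c23ff4a4784fa6ad8fbbe75078d68af\\malware.exe" (entryproc=0x403780)
0009:Call KERNEL32.GetModuleHandleA(00000000) ret=00401b99
0009:Call KERNEL32.LoadLibraryA(0011de28 "kernel32.dll") ret=0040314e
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdd8,00000000,0032fdd4) ret=7b865abb
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdd8,00000000,0032fdd4) ret=7b865abb
0009:Call ntdll.LdrGetProcedureAddress(7b820000,0032fdd8,00000000,0032fdd4) ret=7b865abb
0009:Call ntdll.NtQuerySystemTime(0032fde0) ret=7b8531cd
0009:Call KERNEL32.Sleep(00000096) ret=004031d5
0009:Call ntdll.NtDelayExecution(00000000,0032fdc8) ret=7b889913
0009:Call ntdll.NtQuerySystemTime(0032fde0) ret=7b8531cd
0009:Call KERNEL32.IsDebuggerPresent() ret=00403451
0009:Call KERNEL32.FindResourceA(00400000,0011ddf8 "KYNC",0000000a) ret=00403608
0009:Call KERNEL32.SizeofResource(00400000,00409140) ret=00403618
0009:Call KERNEL32.LoadResource(00400000,00409140) ret=0040362a
0009:Call KERNEL32.LockResource(00409e54) ret=00403634
"""

@dataclass
class Call:
    module: str
    fn: str
    args: str
    ret: int      # return address, i.e. where the call came from

def parse_trace(text):
    """Keep only 'Call' lines; 'Starting process' (and any 'Ret') lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            calls.append(Call(m["mod"], m["fn"], m["args"], int(m["ret"], 16)))
    return calls

def triage(text, image_base=0x400000, image_size=0x11000):
    """Summarise a relay log. image_base/image_size come from the PE optional header."""
    calls = parse_trace(text)

    def from_sample(c):          # ret inside the image => the sample itself made the call
        return image_base <= c.ret < image_base + image_size

    own = [c for c in calls if from_sample(c)]
    report = {
        "direct_api_calls": [c.fn for c in own],
        "anti_debug": any(c.fn == "IsDebuggerPresent" for c in own),
        # Wine shows the sample's GetProcAddress as kernel32 calling LdrGetProcedureAddress
        "dynamic_resolution": sum(c.fn in ("GetProcAddress", "LdrGetProcedureAddress") for c in calls),
        "timing_check_ms": None,
        "resource": None,
    }
    for i, c in enumerate(calls):
        # A time read, a Sleep issued by the sample, then another time read:
        # the classic "was the sleep shortened by a debugger/sandbox?" check.
        if (c.fn == "Sleep" and from_sample(c) and i > 0
                and calls[i - 1].fn == "NtQuerySystemTime"
                and any(n.fn == "NtQuerySystemTime" for n in calls[i + 1:i + 3])):
            report["timing_check_ms"] = int(c.args, 16)
        # FindResourceA(hModule, "NAME", type): pull the resource name and type id
        if c.fn == "FindResourceA" and from_sample(c):
            m = re.search(r'"([^"]*)",([0-9a-f]+)$', c.args)
            if m:
                rtype = int(m.group(2), 16)
                report["resource"] = (m.group(1), RT_NAMES.get(rtype, hex(rtype)))
    return report

if __name__ == "__main__":
    for key, value in triage(TRACE).items():
        print(f"{key}: {value}")
```

The return-address filter is the part worth keeping: without it, Wine's own forwarding (every LdrLoadDll, LdrLockLoaderLock, NtDelayExecution) drowns out the dozen calls the sample actually made.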



Memory dump (printable strings extracted from the process memory):

Code:

%|`@
%x`@
%t`@
%p`@
%l`@
%h`@
%d`@
tSVW
t:VW
SVWU
C<"u1S Q<"u8S 7CF; 7CF; ]_^[ ZYYd ^[Y] YYZX SVWU ]_^[ SVWU ]_^[ SVWU -8P@ ]_^[ SVWU ]_^[ ;_^[ SVWRP Z_^[X uXJt uAJt u:Jt It1S t&J| ;_^[ =XP@ ZYYd -$P@ ZYYd ZYYd - Q@ ZYYd -$Q@ ZYYd _^[YY] SVW3 ZYYd ZYYd -(Q@ ZYYd ZYYd ZYYd UO\XOV X^NVV 1O^:\YM+NN\O]] -\OK^O:\YMO]]+ 1O^>R\OKN-YX^Ob^
R\OKN-YX^Ob^
R\OKN
@S\^_KV+VVYM/b
@S\^_KV:\Y^OM^/b
Da?XWKZ@SOa9P=OM^SYX
>O\WSXK^O:\YMO]]
ZYYd
-,Q@
registered
Xj[X
registered
registered
registered
registered
wrong serial
wrong serial
registered
registered
Xj[X
registered
registered
registered
registered
wrong serial
wrong serial
registered
registered
Xj[X
registered
registered
registered
registered
wrong serial
wrong serial
registered
registered
Xj[X
istered
registered
registered
registered
wrong serial
wrong serial
registered
ZYYd
Uh 2@
ZYYd
h'2@
UO\XOV
1O^:\YM+NN\O]]
1O^>SMU-Y_X^
=VOOZ
Uh{3@
ZYYd
C:\InsideTm\
Uho4@
ZYYd
hv4@
UO\XOV
1O^:\YM+NN\O]]
IsDebuggerPresent
Uh_6@
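The dump above is a printable-strings listing, not disassembly. The `%|`@`, `%x`@`, ... `%d`@` lines are the FF 25 `jmp dword ptr [0x4060xx]` import thunks pointing into the IAT at RVA 0x6064 (the FirstThunk of the first import descriptor further down), and lines such as UO\XOV and 1O^:\YM+NN\O]] are API names stored with every byte decreased by 0x16 (22). That constant was worked out by this editor from the dump itself, it is not stated in the original post: adding 0x16 back gives kernel, ntdll, GetProcAddress, CreateProcess, CreateProcessA, GetThreadContext, VirtualAllocEx, VirtualProtectEx, ZwUnmapViewOfSection, TerminateProcess, GetTickCount and Sleep, which is the API set of a RunPE-style process-hollowing loader. The "32" of kernel32 and the string terminators fall below 0x20 once encoded, so the strings tool dropped them, which is why kernel and ntdll appear without their suffixes. The script below is an added example, not code from the post: it decodes the tokens and also brute-forces the shift against a list of known Win32 names, so it can be reused on a sibling sample built with a different constant.

```python
# Added example (not code from the original post). The 0x16 constant was derived by the
# editor from the dump above; the stub stores each byte of an API name minus 0x16.
DEFAULT_SHIFT = 0x16

# Tokens copied verbatim from the memory dump (raw strings: the backslashes are data).
DUMP_TOKENS = [
    r"UO\XOV", r"X^NVV", r"1O^:\YM+NN\O]]", r"-\OK^O:\YMO]]", r"-\OK^O:\YMO]]+",
    r"1O^>R\OKN-YX^Ob^", r"@S\^_KV+VVYM/b", r"@S\^_KV:\Y^OM^/b",
    r"Da?XWKZ@SOa9P=OM^SYX", r">O\WSXK^O:\YMO]]", r"1O^>SMU-Y_X^", r"=VOOZ",
]

# Names a RunPE-style loader resolves at run time; used only to score candidate
# shifts when the constant is unknown.
KNOWN_APIS = {
    "kernel", "ntdll", "GetProcAddress", "CreateProcess", "CreateProcessA",
    "GetThreadContext", "SetThreadContext", "ZwUnmapViewOfSection",
    "NtUnmapViewOfSection", "VirtualAllocEx", "VirtualProtectEx",
    "WriteProcessMemory", "ResumeThread", "TerminateProcess",
    "GetTickCount", "Sleep", "IsDebuggerPresent",
}

def decode(token: str, shift: int = DEFAULT_SHIFT) -> str:
    """Add `shift` to every byte, wrapping at 0xFF (the stub encoded by subtracting it)."""
    return "".join(chr((ord(c) + shift) & 0xFF) for c in token)

def find_shift(tokens, known=KNOWN_APIS):
    """Return the byte shift that turns the most tokens into known API names, or None."""
    def hits(shift):
        return sum(decode(t, shift) in known for t in tokens)
    best = max(range(1, 256), key=hits)
    return best if hits(best) > 0 else None

def decode_all(tokens, shift=None):
    """Map every token to its decoded form, brute-forcing the shift if not given."""
    shift = find_shift(tokens) if shift is None else shift
    if shift is None:
        raise ValueError("no shift turns any token into a known API name")
    return {t: decode(t, shift) for t in tokens}

if __name__ == "__main__":
    s = find_shift(DUMP_TOKENS)
    print(f"shift = 0x{s:02x}")
    for enc, dec in decode_all(DUMP_TOKENS, s).items():
        print(f"{enc:24} -> {dec}")
```

The decoded pairs line up with the relay log: kernel / GetProcAddress followed by GetTickCount and Sleep matches the LoadLibraryA("kernel32.dll"), three LdrGetProcedureAddress and the NtQuerySystemTime / Sleep(0x96) bracket, and the second kernel / GetProcAddress pair sits right before the plaintext IsDebuggerPresent.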


PE header dump:

Code:

----------DOS_HEADER----------

[IMAGE_DOS_HEADER]
e_magic: 0x5A4D
e_cblp: 0x50
e_cp: 0x2
e_crlc: 0x0
e_cparhdr: 0x4
e_minalloc: 0xF
e_maxalloc: 0xFFFF
e_ss: 0x0
e_sp: 0xB8
e_csum: 0x0
e_ip: 0x0
e_cs: 0x0
e_lfarlc: 0x40
e_ovno: 0x1A
e_res:
e_oemid: 0x0
e_oeminfo: 0x0
e_res2:
e_lfanew: 0x100

----------NT_HEADERS----------

[IMAGE_NT_HEADERS]
Signature: 0x4550

----------FILE_HEADER----------

[IMAGE_FILE_HEADER]
Machine: 0x14C
NumberOfSections: 0x7
TimeDateStamp: 0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
PointerToSymbolTable: 0x0
NumberOfSymbols: 0x0
SizeOfOptionalHeader: 0xE0
Characteristics: 0x818F
Flags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_BYTES_REVERSED_LO, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_BYTES_REVERSED_HI, IMAGE_FILE_RELOCS_STRIPPED

----------OPTIONAL_HEADER----------

[IMAGE_OPTIONAL_HEADER]
Magic: 0x10B
MajorLinkerVersion: 0x2
MinorLinkerVersion: 0x19
SizeOfCode: 0x2A00
SizeOfInitializedData: 0x7E00
SizeOfUninitializedData: 0x0
AddressOfEntryPoint: 0x3780
BaseOfCode: 0x1000
BaseOfData: 0x4000
ImageBase: 0x400000
SectionAlignment: 0x1000
FileAlignment: 0x200
MajorOperatingSystemVersion: 0x4
MinorOperatingSystemVersion: 0x0
MajorImageVersion: 0x0
MinorImageVersion: 0x0
MajorSubsystemVersion: 0x4
MinorSubsystemVersion: 0x0
Reserved1: 0x0
SizeOfImage: 0x11000
SizeOfHeaders: 0x400
CheckSum: 0x0
Subsystem: 0x2
DllCharacteristics: 0x0
SizeOfStackReserve: 0x100000
SizeOfStackCommit: 0x4000
SizeOfHeapReserve: 0x100000
SizeOfHeapCommit: 0x1000
LoaderFlags: 0x0
NumberOfRvaAndSizes: 0x10
DllCharacteristics:

----------PE Sections----------

[IMAGE_SECTION_HEADER]
Name: CODE
Misc: 0x3000
Misc_PhysicalAddress: 0x3000
Misc_VirtualSize: 0x3000
VirtualAddress: 0x1000
SizeOfRawData: 0x2A00
PointerToRawData: 0x400
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020
Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy: 6.392527 (Min=0.0, Max=8.0)
MD5 hash: 335fd2b34ad6a69fc874f6f4044e5f3d
SHA-1 hash: 7f3ba1591430d7b438def8ecffb1f3e081f90066
SHA-256 hash: bbc98f05f483cfbe8403396e4806aacf40866f578f5ee4beec52dc1b51f64ead
SHA-512 hash: 173ae22005f2ace488ac3ef57f2dd8100ed0fce562c11411699ded5492c81ec124256cd644b278a7162d28b5c759dbca90b1893ecf7a3952915cb83dc1e9360b

[IMAGE_SECTION_HEADER]
Name: DATA
Misc: 0x1000
Misc_PhysicalAddress: 0x1000
Misc_VirtualSize: 0x1000
VirtualAddress: 0x4000
SizeOfRawData: 0x200
PointerToRawData: 0x2E00
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000040
Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 1.105826 (Min=0.0, Max=8.0)
MD5 hash: b6e17bf8fb5029cb6b5cf0e61876c459
SHA-1 hash: c1fe552007fbfeab9a047524be94d0cff6abd52d
SHA-256 hash: 7900f543fa6b30155fbe4fd609577bcc21fd0025270595eae56e971e8444989a
SHA-512 hash: ccf534bdf419e4438d7c73d58fb8983c772305e06f50a17309f3cea8cefeb2e91c5dc23313f58bf00ef7d54cda5a218ce0f4652f8ad4e1fc9b017642cc38937c

[IMAGE_SECTION_HEADER]
Name: BSS
Misc: 0x1000
Misc_PhysicalAddress: 0x1000
Misc_VirtualSize: 0x1000
VirtualAddress: 0x5000
SizeOfRawData: 0x0
PointerToRawData: 0x3000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000000
Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Entropy: 0.000000 (Min=0.0, Max=8.0)
MD5 hash: d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA-256 hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA-512 hash: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

[IMAGE_SECTION_HEADER]
Name: .idata
Misc: 0x1000
Misc_PhysicalAddress: 0x1000
Misc_VirtualSize: 0x1000
VirtualAddress: 0x6000
SizeOfRawData: 0x400
PointerToRawData: 0x3000
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000040
Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 2.863761 (Min=0.0, Max=8.0)
MD5 hash: dd0227fe333799f12db8c40912ac87f3
SHA-1 hash: 9e6eef93041d9925e98569f8afb86d26e90d6b2d
SHA-256 hash: 09fc6a80318564820d39861f6c35acab2166178e03a68635e831878bd6fb3185
SHA-512 hash: d7ea609ab04d415b76eefd76494ed6f010e9acbaa104a0ae56af90bab7c0c8ad5cf3a102908c6be92dd1ad5aa0ca8cee8fc1b4232add7df3dd77f6e5a8ec4cdb

[IMAGE_SECTION_HEADER]
Name: .tls
Misc: 0x1000
Misc_PhysicalAddress: 0x1000
Misc_VirtualSize: 0x1000
VirtualAddress: 0x7000
SizeOfRawData: 0x0
PointerToRawData: 0x3400
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0xC0000000
Flags: IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Entropy: 0.000000 (Min=0.0, Max=8.0)
MD5 hash: d41d8cd98f00b204e9800998ecf8427e
SHA-1 hash: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA-256 hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA-512 hash: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

[IMAGE_SECTION_HEADER]
Name: .rdata
Misc: 0x1000
Misc_PhysicalAddress: 0x1000
Misc_VirtualSize: 0x1000
VirtualAddress: 0x8000
SizeOfRawData: 0x200
PointerToRawData: 0x3400
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x50000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Entropy: 0.204488 (Min=0.0, Max=8.0)
MD5 hash: 3308d673b7c6e0dbe0de45bd95389f5e
SHA-1 hash: 3891e6d98accb8f59f37e1202871e632285bd61d
SHA-256 hash: d06ad14726818dcd3887a2c517b0c80416004e36b494dc5e8ff7aae2dad5b2d7
SHA-512 hash: 236bfd204d22319728ee2963ccb9dab32eeaa40c1dc262a3994065c4d656008381ee6b41931b6e3d5cf62f7e72283234befb8296281392b62cb6e950fde78ab3

[IMAGE_SECTION_HEADER]
Name: .rsrc
Misc: 0x75F8
Misc_PhysicalAddress: 0x75F8
Misc_VirtualSize: 0x75F8
VirtualAddress: 0x9000
SizeOfRawData: 0x7600
PointerToRawData: 0x3600
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x50000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Entropy: 7.763448 (Min=0.0, Max=8.0)
MD5 hash: a27dd9e454ed3679608c7b136d63b8b8
SHA-1 hash: c75a8c41eaba5a9fbba2a998492868a1e30f3935
SHA-256 hash: d9762d6e2714325a4044a36618d5a9faec092aa67d64a72ce32fbef603e19fde
SHA-512 hash: e771b19b7f67af1a9475d63e905da31796c14015ac304a5a3904677ddcb2abc8e16a1c70fa0cd00ef4a38103d03accc72eae91575e663faaae7407d7a64fcce3

----------Directories----------

[IMAGE_DIRECTORY_ENTRY_EXPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IMPORT]
VirtualAddress: 0x6000
Size: 0x268
[IMAGE_DIRECTORY_ENTRY_RESOURCE]
VirtualAddress: 0x9000
Size: 0x75F8
[IMAGE_DIRECTORY_ENTRY_EXCEPTION]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_SECURITY]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BASERELOC]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_DEBUG]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COPYRIGHT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_TLS]
VirtualAddress: 0x8000
Size: 0x18
[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IAT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_RESERVED]
VirtualAddress: 0x0
Size: 0x0

----------Imported symbols----------

[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x0
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x60CC
FirstThunk: 0x6064

kernel32.dll.GetCurrentThreadId Hint[0]
kernel32.dll.ExitProcess Hint[0]
kernel32.dll.RtlUnwind Hint[0]
kernel32.dll.RaiseException Hint[0]
kernel32.dll.GetCommandLineA Hint[0]
kernel32.dll.TlsSetValue Hint[0]
kernel32.dll.TlsGetValue Hint[0]
kernel32.dll.LocalAlloc Hint[0]
kernel32.dll.GetModuleHandleA Hint[0]
kernel32.dll.GetModuleFileNameA Hint[0]
kernel32.dll.FreeLibrary Hint[0]
kernel32.dll.HeapFree Hint[0]
kernel32.dll.HeapReAlloc Hint[0]
kernel32.dll.HeapAlloc Hint[0]
kernel32.dll.GetProcessHeap Hint[0]

[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x0
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x61C8
FirstThunk: 0x60A4

user32.dll.CharNextA Hint[0]

[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x0
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x61E0
FirstThunk: 0x60AC

kernel32.dll.LoadLibraryA Hint[0]
kernel32.dll.GetProcAddress Hint[0]
kernel32.dll.GetModuleHandleA Hint[0]
kernel32.dll.GetModuleFileNameA Hint[0]
kernel32.dll.ExitProcess Hint[0]

[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x0
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x6248
FirstThunk: 0x60C4

ntdll.dll.RtlDecompressBuffer Hint[0]

----------Resource directory----------

[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x4
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x3
Id: [0x3] (RT_ICON)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x3
OffsetToData: 0x80000028
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x4
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x2
Id: [0x1]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x1
OffsetToData: 0x80000080
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x4
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x2
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x0
OffsetToData: 0x100
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x918C
Size: 0x8A8
CodePage: 0x4E4
Reserved: 0x0
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0xC0C
OffsetToData: 0x110
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x9A34
Size: 0x2E8
CodePage: 0x4E4
Reserved: 0x0
Id: [0x2]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x2
OffsetToData: 0x800000A0
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x4
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0xC0C
OffsetToData: 0x120
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x9D1C
Size: 0x128
CodePage: 0x4E4
Reserved: 0x0

Id: [0xA] (RT_RCDATA)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0xA
OffsetToData: 0x80000048
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x4
MinorVersion: 0x0
NumberOfNamedEntries: 0x2
NumberOfIdEntries: 0x0
Name: [DVCLAL]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x80000160
OffsetToData: 0x800000B8
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x4
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x0
OffsetToData: 0x130
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x9E44
Size: 0x10
CodePage: 0x4E4
Reserved: 0x0
Name: [KYNC]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x8000016E
OffsetToData: 0x800000D0
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x4
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x0
OffsetToData: 0x140
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x9E54
Size: 0x677E
CodePage: 0x4E4
Reserved: 0x0

Id: [0xE] (RT_GROUP_ICON)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0xE
OffsetToData: 0x80000068
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x4
MinorVersion: 0x0
NumberOfNamedEntries: 0x1
NumberOfIdEntries: 0x0
Name: [MAINICON]
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x80000178
OffsetToData: 0x800000E8
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
MajorVersion: 0x4
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0xC0C
OffsetToData: 0x150
[IMAGE_RESOURCE_DATA_ENTRY]
OffsetToData: 0x105D4
Size: 0x22
CodePage: 0x4E4
Reserved: 0x0


----------TLS----------

[IMAGE_TLS_DIRECTORY]
StartAddressOfRawData: 0x407000
EndAddressOfRawData: 0x407004
AddressOfIndex: 0x40510C
AddressOfCallBacks: 0x408010
SizeOfZeroFill: 0x0
Characteristics: 0x0
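A few things to read off the headers before touching the bytes. The CODE/DATA/BSS section names, linker version 2.25, the DVCLAL resource and the TimeDateStamp 0x2A425E19 (19 June 1992) are the marks of a Delphi build; the 1992 date is the constant Delphi writes and says nothing about when this file was made. Apart from the Delphi RTL imports, the only import is ntdll.RtlDecompressBuffer, which together with the KYNC load in the trace suggests the payload is stored compressed (an inference; the post does not say). The resource directory puts KYNC at RVA 0x9E54, size 0x677E, and the relay log's LockResource(00409e54) is that RVA plus ImageBase, so the two listings agree; on disk that is file offset 0x3600 + (0x9E54 - 0x9000) = 0x4454. The .rsrc entropy of 7.76 is for the whole section, icons included, so the blob itself should be measured separately. The script below is an added example, not code from the original post: the section table copied from the dump into a Python list, an RVA-to-file-offset mapper that copes with BSS and .tls having SizeOfRawData 0, a Shannon entropy routine, and a carve of the KYNC resource. Since the binary is not on the page, SAMPLE_IMAGE is a constructed stand-in (zeros with random filler where the blob lives); on the real photo15_jpg.exe you would read the file into it instead.

```python
# Added example (not code from the original post): RVA-to-offset mapping, entropy and
# carving of the KYNC resource, using the section table from the PE dump above.
import math
import random
from collections import Counter

IMAGE_BASE = 0x400000

# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData), copied from the dump.
SECTIONS = [
    ("CODE",   0x1000, 0x3000, 0x0400, 0x2A00),
    ("DATA",   0x4000, 0x1000, 0x2E00, 0x0200),
    ("BSS",    0x5000, 0x1000, 0x3000, 0x0000),
    (".idata", 0x6000, 0x1000, 0x3000, 0x0400),
    (".tls",   0x7000, 0x1000, 0x3400, 0x0000),
    (".rdata", 0x8000, 0x1000, 0x3400, 0x0200),
    (".rsrc",  0x9000, 0x75F8, 0x3600, 0x7600),
]

# From the resource directory: the RT_RCDATA "KYNC" data entry.
KYNC_RVA, KYNC_SIZE = 0x9E54, 0x677E

def rva_to_offset(rva, sections=SECTIONS):
    """Map an RVA to a file offset; None if the RVA is not backed by bytes on disk."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            delta = rva - va
            # BSS/.tls have SizeOfRawData 0: they exist only once mapped
            return raw_ptr + delta if delta < raw_size else None
    return None

def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def carve_resource(image, rva, size):
    """Slice a resource out of the on-disk image by its data-entry RVA and size."""
    off = rva_to_offset(rva)
    if off is None or off + size > len(image):
        raise ValueError("resource not backed by file data")
    return image[off:off + size]

def section_entropy_report(image, sections=SECTIONS):
    """(name, entropy) for every section that has bytes on disk."""
    return [(name, round(shannon_entropy(image[ptr:ptr + size]), 3))
            for name, _va, _vs, ptr, size in sections if size]

# Constructed stand-in for the file: zero-filled, with random bytes where the KYNC
# blob lives. The real photo15_jpg.exe is not on the page.
FILE_SIZE = 0x3600 + 0x7600            # end of .rsrc, the last section on disk
_rng = random.Random(2009)
_buf = bytearray(FILE_SIZE)
_off = rva_to_offset(KYNC_RVA)
_buf[_off:_off + KYNC_SIZE] = bytes(_rng.getrandbits(8) for _ in range(KYNC_SIZE))
SAMPLE_IMAGE = bytes(_buf)

if __name__ == "__main__":
    print(f"KYNC at file offset 0x{_off:x}, {KYNC_SIZE} bytes")
    blob = carve_resource(SAMPLE_IMAGE, KYNC_RVA, KYNC_SIZE)
    print(f"blob entropy {shannon_entropy(blob):.3f}")
    for name, ent in section_entropy_report(SAMPLE_IMAGE):
        print(f"{name:8} {ent:.3f}")
```

On the real file the carved blob is what goes to the next step (trying RtlDecompressBuffer's formats on it, or watching the stub do so under a debugger); the 0x4454 offset and 0x677E length come straight from the headers, so no runtime dump is needed to get at it.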
Detected trick: IsDebuggerPresent (generic debugger detection)