免责声明
本文仅用于技术讨论与学习,利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,文章作者不为此承担任何责任。
只供对已授权的目标使用测试,对未授权目标的测试作者不承担责任,均由使用本人自行承担。
文章正文
这篇博文是有关 Insomni'hack 2022 上的演讲。源代码和幻灯片公众号获取。
介绍
当防病毒软件检测到我们在渗透测试期间使用的工具时,我们该怎么办?
很长一段时间,答案是:加壳。过了一段时间,一切都是关于制作自己的“加壳”或依赖。然而最近,我们遇到了越来越多的执行内存扫描的安全软件,我们并不是特别喜欢维护几种工具,一种用于防病毒 X,一种用于防病毒 Y,等等。
因此,像往常一样,我们寻找尽可能通用的解决方案,并提出了作为本博文主题的工具。与此同时,社区提出了类似的解决方案,但我们相信我们的解决方案有足够的不同,对社区仍然具有一定的价值。
工具
事不宜迟,我们的工具在 GitHub 上是开源的,可以按如下方式使用:
$ python3 antivirus_debugger.py -h
usage: antivirus_debugger.py [-h] [-s] [-z] [-f FILE] [-e] [-l LENGTH] [-c SECTION] [-g]
optional arguments:
-h, --help show this help message and exit
-s, --skip-strings Skip strings analysis
-z, --skip-sections Skip sections analysis
-f FILE, --file FILE path to file
-e, --extensive search strings in all sections
-l LENGTH, --length LENGTH
minimum length of strings
-c SECTION, --section SECTION
Analyze provided section
-g, --globals Analyze global variables in .data section开始
这一部分描述了设计过程中实现的选择,并列出了理论需要理解为什么我们这样做。
通常的AV原理
McAfee 在 1988 年表示,“计算机病毒问题是暂时的,将在未来 2 年内解决”。显然这个预测偏离了几个世纪,但我认为开发防病毒软件有点讽刺,所以软件分析其他软件,却不知道赖斯定理。无论如何,安全软件总是会努力实现一种算法来区分好程序或恶意程序而不会出错,而该断言的理论证明可以追溯到图灵机,所以就是这样。
鉴于此,我们为规避防病毒软件所做的所有工作都利用了这一点。尽管如此,其中一些仍然很难规避,这是因为它们在堆叠检测机制。
这是情况图:
如您所见,可怜的有效载荷必须通过所有这些测试才能生存并能够发挥其全部功能。对我们来说幸运的是,每一个都有缺陷,我们将单独利用这些缺陷来实现完全远程代码执行而不被发现。
静态检测绕过
签名
删除所有可识别的特征仅绕过静态签名。
仿真/沙箱执行
检测检测器并将其用于一个/多个(处理器)检测,例如,无限循环。这样就能学到东西了,因为也许他们不知道赖斯定理,但他们肯定听说过停止的问题。
动态检测
这里变得有点复杂,但是到 2022 年,所有概念现在都得到了很好的记录:
-
内存扫描:删除静态特征,例如字符串、常量和 API 导入。
-
Userland 检测:通过删除防病毒软件的数据源来屏蔽防病毒软件。
-
Kernel-land 检测:混入其中或加载自己的驱动程序以武器化某些内核对象。
一个重要的引用
在我开始研究 Windows Defender 的时候,当时的传言是这样的:
-
“确实有一段时间很糟糕,但最近他们增加了人工智能。”
-
“你不能有 RWX 部分,因为任何防病毒软件都会捕捉到它”。
但是实际上:当时没有,今天也没有。我认为 Windows Defender 仍然很糟糕,无论是与竞争对手相同还是更糟,我认为如果它能够检测到用自定义编码器包裹的新生成的 Meterpreter 有效负载,那一定是因为恶意特征很明显。
方法
当防病毒软件检测到有效载荷时,可以执行一些快速测试来查明所使用的检测机制(与上述模式相关)。
-
文件哈希签名:改变一个字节。
-
动态检测:保留整个代码库,但在某个地方插入一个无限循环,这样程序就真的是良性的。如果文件仍然被检测到,那么检测就会发生,因为防病毒软件由于一些静态可用的特征而简化了它的分析。如果不是,则在有效负载执行时进行检测。
如果是这样的话,没有理由认为它比内存扫描或用户态钩子更复杂,所以保持冷静并尝试一一排除每一种可能性。
在 Windows Defender 上应用这种方法很快让我了解到检测大部分时间是由于静态元素引起的,尽管扫描发生在负载执行的多个级别。
之前的博文解决了动态检测的问题,这篇解决了静态签名的问题,有两个方面:
-
有时重建有效载荷比仅仅更改签名所在的部分更麻烦,特别是对于具有大量依赖关系的复杂有效载荷。
-
仅对于 Windows Defender,我们在相对较短的时间内观察到我们使用的有效负载的新签名。他们很可能已经将流程自动化,因此作为回应,我们也应该这样做。
证明杀毒软件“还早”
让我们站在那些可能认为防病毒软件是高级软件的人的一边,看看 AV 供应商应该如何实施他们的算法来满足这些期望。
人工智能很神奇
让我们假设杀毒软件是完全有意识的,并且能够通过 IA 预测一个文件是恶意的,而不需要执行它。为了实现这一点,分析师需要向算法输入数千个恶意软件,并让它查看可执行文件中可能对程序行为起作用的人为因素,这些因素包括:
-
可执行结构:寻找异常。
-
导入函数:寻找常用的作恶API(例如SetWindowsHookEx )
-
嵌入式资源(例如隐藏的可执行文件或高熵二进制 blob,它们可能是等待入侵系统的加密恶意软件)。
-
字符串
为了检查这一点,我们只是做一些快速测试:
-
可执行文件的结构看起来像防病毒软件:让它看起来像一个正常的可执行文件并重新扫描。您不需要损坏的 PE 来逃避防病毒。
-
导入函数:这些位于.idataPE 文件的部分。删除该部分并查看防病毒软件是否仍然检测到二进制文件。
-
嵌入式资源:删除部分.rsrc和自定义部分。
-
字符串:删除*.data和.rdata*部分。
对于这些测试中的每一个,如果防病毒软件仍然检测到二进制文件,并得出相同的结论,那么它正在寻找其他地方,这会使测试标准的重要性无效。
如果字符串对 AV 有帮助,则可以删除它们。字符串是给人类使用的,恶意软件不需要字符串。
如果导入的函数给出了程序的行为,那么 AV 假定程序必须声明它用来完成其工作的 API,并且问题会随着GetProcAddress和函数指针而消失。
我们可以对每个检测到的伪影继续这样,关键是如果 AV 寻找静态伪影,那么它并不是“真正”预测程序的行为,它是推断并且很容易被破坏。
防病毒软件只是“看到”您的算法看起来有害
为此,防病毒软件对恶意软件进行了完美的反编译,将自定义函数与库代码隔离开来,然后将它们分类为良性和恶意。尽管 IDA Pro 已经 30 岁了,仍然需要人工干预来识别复杂软件中的功能,但我们假设 AV 比目前最先进的逆向工程框架更先进。
要测试这一点,只需将二进制文件的.text部分切开,并在分析的恶意软件中替换它,然后重新扫描它。如果防病毒软件仍然检测到它,那么这不是问题所在。如果没有,那么您应该确定哪个函数触发防病毒,这里简单的二进制搜索也可以。即使如此,我也会怀疑该函数实际上是导致检测的根本原因,我更希望一些堆栈字符串和外壳代码嵌入到.text部分,并被不执行任何反编译的扫描仪看到。毕竟,即使使用IDA Pro的FLIRT签名,您也必须拥有与编译器版本和ABI完全相同的库版本。类似的产品或工具面临类似的问题。
防病毒软件模拟该文件并查看它在做什么
Windows defender实际上在mpclient.dll中嵌入了一个模拟器。然而,有更高级的模拟器可以公开使用,它们不适用于复杂的软件,因此我也不希望防病毒软件在这个领域表现更好。但让我们假设它们确实存在,并简单地在程序的入口点插入一个过度设计的无限循环。模拟器应该会卡住它,并报告文件为良性,然后您可以利用它来实现反模拟器检查。如果没有,他们已经解决了停下来的问题。
自动化静态签名识别
到现在为止,我希望我已经让你相信杀毒软件是“grep”的增强版,你可能想知道这是怎么回事。最初的方法相当天真:对反病毒引擎可以检测到的字节序列执行二进制搜索。虽然它确实提供了结果,但它不是最理想的:
-
此方法不考虑可执行文件的结构。如果 PE 损坏,防病毒引擎可能会停止分析它并认为它是良性的,这会在我们的分析中产生误报。据我们所知,截至 2022 年,每个提供自动签名识别的工具都是如此简单。
-
该方法不够精确:为了优化,我们可能决定为字节序列实现最小长度,例如,我们将文件分成多个部分,每次更小,但绝不会小于 256 字节。如果杀毒软件触发了一个 5 字节长的序列,我们可能仍然对真正的签名内容感到困惑。
-
该方法未经过优化:市面上有 50 多种防病毒软件,每一种都以自己的方式不是最佳的。因此,自动分析应该可以快速识别它是哪种检测。
输入防病毒调试器
为了解释上面解释的所有元素,我们的算法工作如下:
拿一个恶意软件并断言它被目标 AV 检测到。在不破坏 PE 的情况下,迭代地将其每个部分归零并查找扫描时间或签名名称的显着变化。
此测试允许查明一个部分,如果将其清零,则可以防止防病毒软件了解它正在查看恶意软件,但如果 AV 实施评分系统并且有多个签名分布在多个部分,您将错过它们。为了解决这个问题,人们可能想要执行相同的方法但相反:将每个部分归零,然后逐个迭代地恢复部分。
然后,根据检测到的部分,有一种专门的方法来定位签名。
代码段
如果检测到代码段,您可以退回到对字节序列进行二进制搜索但仅限于代码段的边界,或者识别函数边界并定位由 AV 检测到的边界,然后查找静态数据在里面。
我们从未遇到过这种情况,所以我们将专注于其他情况。
.data 部分
按照惯例,此部分包含程序的全局变量。我们的分析实施了一种启发式算法来枚举全局变量及其大小,然后我们通过将其中一些清零来对结果进行二进制搜索。
.rodata 部分
本节主要是程序使用的字符串。在这里,利用字符串边界的二进制搜索效果很好。
.rsrc文件
你是否嵌入了一个大的、高熵的数据块?然后删除它以确保它确实引起了检测,然后更加小心地隐藏它。
其他的
退回到对原始二进制数据的二进制搜索。
自动扫描
上述测试需要一种多次扫描二进制文件的方法。很多时候,用手做是不可取的。我们在VMWare的vmrun命令行工具的基础上,在实验室中实现了一个自定义的VirusTotal,但对于Windows Defender来说,由于taviso及其出色的loadlibrary对象,有一个更好的方法。
执行
该工具是用 Python 编写的,依赖radare2于rizin二进制r2pipe分析部分。修补也可以完成radare2,但由于一些bug,我们也开发了一种没有依赖关系的替代方法。
全局变量识别
请注意,以下方法纯粹是启发式的,绝不是在软件中恢复全局变量的准确方法。不需要精确的算法来逃避我们面临的防病毒,所以我们在这里走了捷径。
当目标防病毒程序检测到.data部分中的内容时,此分析非常有用。编译器需要将全局变量放在那里。为了检测其中的大多数,可以认为处理.data部分中给定地址的交叉引用就足够了。当然,这并不总是正确的,因为它比这更复杂。幸运的是,这个假设对我们的用例来说很好。
使用r2pipe,可以使用以下代码将 XREFS 提取为 JSON:
pipe = r2pipe.open(pe.filename)
pipe.cmd("aaa")
xrefs = pipe.cmdj("axj") # get cross-refs as JSON
xrefs = [x for x in xrefs if x["type"] == "DATA"] # keep only xrefs to data
xrefs = sorted(xrefs, key=lambda x: x["addr"]) # sort by address接下来,为了猜测每个变量的大小,我们将做另一个简化,假设编译器没有浪费任何空间,radare2没有遗漏任何交叉引用(剧透:它经常遗漏一些),因此变量的大小等于下一个变量的地址减去当前分析变量的地址:
# guess var' size
for index, xref in enumerate(xrefs):
if index >= len(xrefs) - 1:
size = 256 # too lazy to handle this edge case
else:
size = xrefs[index + 1]["addr"] - xref["addr"]
vars += [Variable(xref["addr"], size)]WhereVariable是一个数据类,定义如下:
@dataclass(unsafe_hash=True, eq=True, order=True)
class Variable:
addr: int
size: int
paddr:int = 0
def display(self, pe):
with open(pe.filename, 'rb') as f:
f.seek(self.paddr)
bf = f.read(min(self.size,128))
logging.info("n"+hexdump.hexdump(bf, result="return"))使用上面显示的代码,可以识别大小为零的变量,因此应该通过给它下一个变量的大小来为此做好准备。
# fix vars with size 0
for i, var in enumerate(vars):
for j, var2 in enumerate(vars):
if i == j:
continue
if var.addr == var2.addr:
if var.size == 0:
var.size = var2.size
elif var2.size == 0:
var2.size = var.size这会产生重复项,可以按如下方式进行 python 过滤:
# uniq sort
vars_filtered = sorted(list(set(vars)), key=lambda x: x.addr)然后,最后一个过滤处理地址在.data节边界之外的变量,一旦完成,每个结果都可以用虚拟地址的正确文件地址进行更新:
# only vars in .data section
section = next((sec for sec in pe.sections if sec.name == ".data"), None)
vars_filtered = [x for x in vars_filtered if section.vaddr <= x.addr < section.vaddr + section.vsize]
# guess file address with virtual address
for var in vars_filtered:
var.paddr = var.addr - section.vaddr + section.addr字符串识别
在这里,r2pipe也与 一起使用izzj,但您应该知道它可能不会提供与其他二进制分析软件相同的结果。
pipe = r2pipe.open(filename)
pipe.cmd("aaa") # trigger the whole program analysis
strings = pipe.cmdj("izzj") # find all the strings in every section
string_refs = []
for string in strings:
if string.get("size") < min_length:
continue
# collect
str_ref = StringRef()
str_ref.index = string["ordinal"]
str_ref.paddr = string.get("paddr")
str_ref.vaddr = string.get("vaddr")
str_ref.length = string.get("length")
str_ref.size = string.get("size")
str_ref.section = string.get("section")
str_ref.encoding = string.get("type")
new_encoding = convert_encoding(str_ref.encoding)
# skip first whitespace
content = string.get("string").replace("\\", "\")
str_ref.content = content # .encode(convert_encoding(str_ref.encoding))
string_refs += [str_ref]解析 PE 部分
radare2提供命令iS来恢复有关 PE 部分的信息:
section_size = 0
section_addr = 0
pipe = r2pipe.open(pe.filename)
# get the sections
sections = pipe.cmdj("iSj")
for section in sections:
if section.get("size") != 0 and section.get("addr") != 0:
pe.sections += [
Section(
section.get("name"),
section.get("size"),
section.get("vsize"),
section.get("paddr"),
section.get("vaddr")
)]
logging.debug(f"Found section: {pe.sections[-1]}")【腾讯云】轻量新用户上云福利,2核2G4M 低至 50 元/年 起, 抓住上云好时机!
https://curl.qcloud.com/2w9ip1GP
二进制补丁
在本文的上下文中,二进制修补意味着将字节序列归零,这非常简单:
def hide_bytes(pe, start, length, use_r2=False):
logging.debug(f"Hiding {length} bytes @ {start}")
if use_r2:
pipe = r2pipe.open(pe.filename, flags=["-w"])
replacement = ''.join(random.choice(string.ascii_letters) for i in range(length))
replacement = base64.b64encode(bytes(replacement, "ascii")).decode()
pipe.cmd(f"w6d {replacement} @ {start}")
else:
# for some reasons the code above is buggy with my radare2 version, so here is a workaround
with open(pe.filename, 'r+b') as f:
f.seek(start)
f.write(bytes(''.join(random.choice(string.ascii_letters) for i in range(length)), encoding='ascii'))在正确的地址寻找并写入一些零就足够了。然而,对于不同编码的字符串,这会变得更加复杂,因此这就是r2pipe最初使用的原因:收集字符串编码,并且二进制文件中对字符串的每个操作都必须考虑字符串的编码。例如,字符串有 2 个字节的 par 字符。UTF-8
这会在字符串分析后将字符串写回原位时产生问题,但解决此问题r2pipe的方法是使用提供的编码编写 base64 编码的内容,这可以挽救局面:
def patch_string(filename, str_ref, pipe=None, unmask_only=False, use_r2=True):
if pipe is None:
pipe = r2pipe.open(filename, flags=["-w"])
if not str_ref.should_mask:
replacement = str_ref.content
elif not unmask_only:
replacement = ''.join(random.choice(['x00']) for _ in range(str_ref.length))
replacement = replacement + ''
else:
return
logging.debug(f"Patching {str_ref.content} @ {str_ref.paddr} ({filename})")
if use_r2:
eplacement = base64.b64encode(bytes(replacement, convert_encoding(str_ref.encoding))).decode()
pipe.cmd(f"w6d {replacement} @ {str_ref.paddr}")
else:
# weird bug with r2 on macOS. Code below is not correct in all cases but is a workaround
with open(filename, 'r+b') as f:
f.seek(str_ref.paddr)
f.write(bytes(replacement, encoding=convert_encoding(str_ref.encoding)))其余代码在这篇博文中没有进一步评论,因为它包含对这些人工制品的二进制搜索算法,以及用于过滤重叠结果的区间树,没有一个太复杂以至于不值得冗长的解释。
例如metsrv.x64.dll
免责声明:我们的metsrv.x64.dll修补了一些好东西,以避免其他防病毒,并使用了自定义反射加载器,但稍后识别的签名也会导致原始签名中的检测,除非有更高分数的特征需要首先处理。
python3 antivirus_debugger.py -f /tmp/metsrv.x64.dll -g
[DEBUG ][2021-08-28 17:11:47,317][pe_utils.py:134] get_sections() :: Found section: Section(name='.text', size=132096, vsize=135168, addr=1024, vaddr=1820594176, detected=False)
[DEBUG ][2021-08-28 17:11:47,318][pe_utils.py:134] get_sections() :: Found section: Section(name='.data', size=9728, vsize=12288, addr=133120, vaddr=1820729344, detected=False)
[DEBUG ][2021-08-28 17:11:47,318][pe_utils.py:134] get_sections() :: Found section: Section(name='.rdata', size=6656, vsize=8192, addr=142848, vaddr=1820741632, detected=False)
[DEBUG ][2021-08-28 17:11:47,318][pe_utils.py:134] get_sections() :: Found section: Section(name='.pdata', size=5120, vsize=8192, addr=149504, vaddr=1820749824, detected=False)
[DEBUG ][2021-08-28 17:11:47,318][pe_utils.py:134] get_sections() :: Found section: Section(name='.xdata', size=5632, vsize=8192, addr=154624, vaddr=1820758016, detected=False)
[DEBUG ][2021-08-28 17:11:47,318][pe_utils.py:134] get_sections() :: Found section: Section(name='.edata', size=512, vsize=4096, addr=160256, vaddr=1820782592, detected=False)
[DEBUG ][2021-08-28 17:11:47,318][pe_utils.py:134] get_sections() :: Found section: Section(name='.idata', size=8192, vsize=8192, addr=160768, vaddr=1820786688, detected=False)
[DEBUG ][2021-08-28 17:11:47,318][pe_utils.py:134] get_sections() :: Found section: Section(name='.CRT', size=512, vsize=4096, addr=168960, vaddr=1820794880, detected=False)
[DEBUG ][2021-08-28 17:11:47,318][pe_utils.py:134] get_sections() :: Found section: Section(name='.tls', size=512, vsize=4096, addr=169472, vaddr=1820798976, detected=False)
[DEBUG ][2021-08-28 17:11:47,318][pe_utils.py:134] get_sections() :: Found section: Section(name='.reloc', size=512, vsize=4096, addr=169984, vaddr=1820803072, detected=False)
[DEBUG ][2021-08-28 17:11:53,705][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmp59yh6tr3...
[DEBUG ][2021-08-28 17:11:53,706][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:11:53,706][scanner.py: 99] scan() :: EngineScanCallback(): Threat SLFPER:Win32/Meterpreter!ApiRetrieval identified.
[DEBUG ][2021-08-28 17:11:53,706][scanner.py: 99] scan() :: Threat found
[INFO ][2021-08-28 17:11:53,921][antivirus_debugger.py:161] global_vars_analysis() :: Applying patches
[INFO ][2021-08-28 17:11:53,977][antivirus_debugger.py:167] global_vars_analysis() :: Simple check: maybe a single global variable is detected
[DEBUG ][2021-08-28 17:11:55,183][pe_utils.py:324] detect_data() :: [Variable(addr=1820729376, size=4608, paddr=133152), Variable(addr=1820733984, size=32, paddr=137760), Variable(addr=1820734016, size=32, paddr=137792), Variable(addr=1820734048, size=32, paddr=137824), Variable(addr=1820734080, size=32, paddr=137856), Variable(addr=1820734112, size=608, paddr=137888), Variable(addr=1820734720, size=289, paddr=138496), Variable(addr=1820735009, size=111, paddr=138785), Variable(addr=1820735120, size=16, paddr=138896), Variable(addr=1820735136, size=32, paddr=138912), Variable(addr=1820735168, size=992, paddr=138944), Variable(addr=1820736160, size=2016, paddr=139936), Variable(addr=1820738176, size=32, paddr=141952), Variable(addr=1820738208, size=32, paddr=141984), Variable(addr=1820738240, size=160, paddr=142016), Variable(addr=1820738400, size=32, paddr=142176), Variable(addr=1820738432, size=32, paddr=142208), Variable(addr=1820738464, size=128, paddr=142240), Variable(addr=1820738592, size=96, paddr=142368), Variable(addr=1820738688, size=4, paddr=142464), Variable(addr=1820738692, size=4, paddr=142468), Variable(addr=1820738696, size=4, paddr=142472), Variable(addr=1820738700, size=4, paddr=142476), Variable(addr=1820738704, size=4, paddr=142480), Variable(addr=1820738708, size=12, paddr=142484), Variable(addr=1820738720, size=192, paddr=142496), Variable(addr=1820738912, size=96, paddr=142688), Variable(addr=1820739008, size=16, paddr=142784), Variable(addr=1820739024, size=16, paddr=142800), Variable(addr=1820739040, size=16, paddr=142816), Variable(addr=1820739056, size=2576, paddr=142832)]
[DEBUG ][2021-08-28 17:11:55,183][pe_utils.py:331] print_global_variables() :: Found 4608 bytes variable @ 0x6c862020:
[DEBUG ][2021-08-28 17:11:55,184][pe_utils.py:335] print_global_variables() ::
00000000: 09 00 00 00 00 00 00 00 D0 13 84 6C 00 00 00 00 ...........l....
00000010: 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 01 00 00 10 00 00 00 00 ................
00000060: E0 13 84 6C 00 00 00 00 00 00 00 00 00 00 00 00 ...l............
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:11:55,184][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c863220:
[DEBUG ][2021-08-28 17:11:55,184][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 65 61 74 65 61 68 72 61 61 64 61 78 aaareateahraadax
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:11:55,184][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c863240:
[DEBUG ][2021-08-28 17:11:55,184][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 61 74 65 61 69 61 74 61 61 6C 61 65 aaarateaiataalae
00000010: 6D 61 72 61 00 00 00 00 00 00 00 00 00 00 00 00 mara............
[DEBUG ][2021-08-28 17:11:55,184][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c863260:
[DEBUG ][2021-08-28 17:11:55,184][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 65 61 74 65 61 68 72 61 61 64 61 78 aaareateahraadax
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:11:55,184][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c863280:
[DEBUG ][2021-08-28 17:11:55,184][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 61 74 65 61 69 61 74 61 61 6C 61 65 aaarateaiataalae
00000010: 6D 61 72 61 00 00 00 00 00 00 00 00 00 00 00 00 mara............
[DEBUG ][2021-08-28 17:11:55,184][pe_utils.py:331] print_global_variables() :: Found 608 bytes variable @ 0x6c8632a0:
[DEBUG ][2021-08-28 17:11:55,185][pe_utils.py:335] print_global_variables() ::
00000000: FC 80 79 10 00 0F 85 13 01 00 00 C6 41 10 01 48 ..y.........A..H
00000010: 83 EC 78 E8 C8 00 00 00 41 51 41 50 52 51 56 48 ..x.....AQAPRQVH
00000020: 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 1.eH.R`H.R.H.R H
00000030: 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C .rPH..JJM1.H1..<
00000040: 61 7C 02 2C 20 41 C1 C9 0D 41 01 C1 E2 ED 52 41 a|., A...A....RA
00000050: 51 48 8B 52 20 8B 42 3C 48 01 D0 66 81 78 18 0B QH.R .B<H..f.x..
00000060: 02 75 72 8B 80 88 00 00 00 48 85 C0 74 67 48 01 .ur......H..tgH.
00000070: D0 50 8B 48 18 44 8B 40 20 49 01 D0 E3 56 48 FF .P.H.D.@ I...VH.
[DEBUG ][2021-08-28 17:11:55,185][pe_utils.py:331] print_global_variables() :: Found 289 bytes variable @ 0x6c863500:
[DEBUG ][2021-08-28 17:11:55,185][pe_utils.py:335] print_global_variables() ::
00000000: FC 48 89 CE 48 89 E7 48 83 E4 F0 E8 C8 00 00 00 .H..H..H........
00000010: 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 60 48 AQAPRQVH1.eH.R`H
00000020: 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A .R.H.R H.rPH..JJ
00000030: 4D 31 C9 48 31 C0 AC 3C 61 7C 02 2C 20 41 C1 C9 M1.H1..<a|., A..
00000040: 0D 41 01 C1 E2 ED 52 41 51 48 8B 52 20 8B 42 3C .A....RAQH.R .B<
00000050: 48 01 D0 66 81 78 18 0B 02 75 72 8B 80 88 00 00 H..f.x...ur.....
00000060: 00 48 85 C0 74 67 48 01 D0 50 8B 48 18 44 8B 40 .H..tgH..P.H.D.@
00000070: 20 49 01 D0 E3 56 48 FF C9 41 8B 34 88 48 01 D6 I...VH..A.4.H..
[DEBUG ][2021-08-28 17:11:55,185][pe_utils.py:331] print_global_variables() :: Found 111 bytes variable @ 0x6c863621:
[DEBUG ][2021-08-28 17:11:55,186][pe_utils.py:335] print_global_variables() ::
00000000: 83 C4 50 48 89 FC C3 00 00 00 00 00 00 00 00 00 ..PH............
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 ...............U
00000020: 89 E5 56 57 8B 75 08 8B 4D 0C E8 00 00 00 00 58 ..VW.u..M......X
00000030: 83 C0 2B 83 EC 08 89 E2 C7 42 04 33 00 00 00 89 ..+......B.3....
00000040: 02 E8 0F 00 00 00 66 8C D8 66 8E D0 83 C4 14 5F ......f..f....._
00000050: 5E 5D C2 08 00 8B 3C E4 FF 2A 48 31 C0 57 FF D6 ^]....<..*H1.W..
00000060: 5F 50 C7 44 24 04 23 00 00 00 89 3C 24 FF 2C _P.D$.#....<$.,
[DEBUG ][2021-08-28 17:11:55,186][pe_utils.py:331] print_global_variables() :: Found 16 bytes variable @ 0x6c863690:
[DEBUG ][2021-08-28 17:11:55,186][pe_utils.py:335] print_global_variables() ::
00000000: 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $...............
[DEBUG ][2021-08-28 17:11:55,186][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c8636a0:
[DEBUG ][2021-08-28 17:11:55,186][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 65 61 74 65 61 68 72 61 61 64 61 78 aaareateahraadax
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:11:55,186][pe_utils.py:331] print_global_variables() :: Found 992 bytes variable @ 0x6c8636c0:
[DEBUG ][2021-08-28 17:11:55,186][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 61 74 65 61 69 61 74 61 61 6C 61 65 aaarateaiataalae
00000010: 6D 61 72 61 00 00 00 00 00 00 00 00 00 00 00 00 mara............
00000020: 00 37 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 .7.l............
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 10 73 84 6C 00 00 00 00 40 72 84 6C 00 00 00 00 [email protected]....
00000050: 30 76 84 6C 00 00 00 00 20 6D 84 6C 00 00 00 00 0v.l.... m.l....
00000060: D0 65 84 6C 00 00 00 00 00 79 84 6C 00 00 00 00 .e.l.....y.l....
00000070: D0 62 84 6C 00 00 00 00 80 69 84 6C 00 00 00 00 .b.l.....i.l....
[DEBUG ][2021-08-28 17:11:55,186][pe_utils.py:331] print_global_variables() :: Found 2016 bytes variable @ 0x6c863aa0:
[DEBUG ][2021-08-28 17:11:55,187][pe_utils.py:335] print_global_variables() ::
00000000: 0C 00 00 00 00 00 00 00 F0 D2 84 6C 00 00 00 00 ...........l....
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:11:55,187][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c864280:
[DEBUG ][2021-08-28 17:11:55,187][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 65 61 74 65 61 68 72 61 61 64 61 78 aaareateahraadax
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:11:55,187][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c8642a0:
[DEBUG ][2021-08-28 17:11:55,187][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 61 74 65 61 69 61 74 61 61 6C 61 65 aaarateaiataalae
00000010: 6D 61 72 61 00 00 00 00 00 00 00 00 00 00 00 00 mara............
[DEBUG ][2021-08-28 17:11:55,187][pe_utils.py:331] print_global_variables() :: Found 160 bytes variable @ 0x6c8642c0:
[DEBUG ][2021-08-28 17:11:55,187][pe_utils.py:335] print_global_variables() ::
00000000: 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 ................
00000010: 0F 00 00 00 1F 00 00 00 3F 00 00 00 7F 00 00 00 ........?.......
00000020: FF 00 00 00 FF 01 00 00 FF 03 00 00 FF 07 00 00 ................
00000030: FF 0F 00 00 FF 1F 00 00 FF 3F 00 00 FF 7F 00 00 .........?......
00000040: FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 20 69 6E 66 6C 61 74 65 20 31 2E 30 2E 34 20 43 inflate 1.0.4 C
00000070: 6F 70 79 72 69 67 68 74 20 31 39 39 35 2D 31 39 opyright 1995-19
[DEBUG ][2021-08-28 17:11:55,187][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c864360:
[DEBUG ][2021-08-28 17:11:55,187][pe_utils.py:335] print_global_variables() ::
00000000: 00 00 00 00 00 00 00 00 C0 43 86 6C 00 00 00 00 .........C.l....
00000010: 00 00 00 00 13 00 00 00 07 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:11:55,187][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c864380:
[DEBUG ][2021-08-28 17:11:55,188][pe_utils.py:335] print_global_variables() ::
00000000: 60 D6 86 6C 00 00 00 00 20 44 86 6C 00 00 00 00 `..l.... D.l....
00000010: 00 00 00 00 1E 00 00 00 0F 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:11:55,188][pe_utils.py:331] print_global_variables() :: Found 128 bytes variable @ 0x6c8643a0:
[DEBUG ][2021-08-28 17:11:55,188][pe_utils.py:335] print_global_variables() ::
00000000: E0 D6 86 6C 00 00 00 00 A0 44 86 6C 00 00 00 00 ...l.....D.l....
00000010: 01 01 00 00 1E 01 00 00 0F 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 02 00 00 00 03 00 00 00 07 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:11:55,188][pe_utils.py:331] print_global_variables() :: Found 96 bytes variable @ 0x6c864420:
[DEBUG ][2021-08-28 17:11:55,188][pe_utils.py:335] print_global_variables() ::
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 01 00 00 00 01 00 00 00 02 00 00 00 02 00 00 00 ................
00000020: 03 00 00 00 03 00 00 00 04 00 00 00 04 00 00 00 ................
00000030: 05 00 00 00 05 00 00 00 06 00 00 00 06 00 00 00 ................
00000040: 07 00 00 00 07 00 00 00 08 00 00 00 08 00 00 00 ................
00000050: 09 00 00 00 09 00 00 00 0A 00 00 00 0A 00 00 00 ................
[DEBUG ][2021-08-28 17:11:55,188][pe_utils.py:331] print_global_variables() :: Found 4 bytes variable @ 0x6c864480:
[DEBUG ][2021-08-28 17:11:55,188][pe_utils.py:335] print_global_variables() ::
00000000: 0B 00 00 00 ....
[DEBUG ][2021-08-28 17:11:55,188][pe_utils.py:331] print_global_variables() :: Found 4 bytes variable @ 0x6c864484:
[DEBUG ][2021-08-28 17:11:55,188][pe_utils.py:335] print_global_variables() ::
00000000: 0B 00 00 00 ....
[DEBUG ][2021-08-28 17:11:55,188][pe_utils.py:331] print_global_variables() :: Found 4 bytes variable @ 0x6c864488:
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:335] print_global_variables() ::
00000000: 0C 00 00 00 ....
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:331] print_global_variables() :: Found 4 bytes variable @ 0x6c86448c:
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:335] print_global_variables() ::
00000000: 0C 00 00 00 ....
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:331] print_global_variables() :: Found 4 bytes variable @ 0x6c864490:
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:335] print_global_variables() ::
00000000: 0D 00 00 00 ....
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:331] print_global_variables() :: Found 12 bytes variable @ 0x6c864494:
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:335] print_global_variables() ::
00000000: 0D 00 00 00 00 00 00 00 00 00 00 00 ............
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:331] print_global_variables() :: Found 192 bytes variable @ 0x6c8644a0:
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:335] print_global_variables() ::
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
00000030: 02 00 00 00 02 00 00 00 02 00 00 00 02 00 00 00 ................
00000040: 03 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 ................
00000050: 04 00 00 00 04 00 00 00 04 00 00 00 04 00 00 00 ................
00000060: 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:331] print_global_variables() :: Found 96 bytes variable @ 0x6c864560:
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:335] print_global_variables() ::
00000000: 40 12 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 @..l............
00000010: FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ................
00000020: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 70 0E 86 6C 00 00 00 00 90 0D 86 6C 00 00 00 00 p..l.......l....
00000040: 60 0D 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 `..l............
00000050: F0 0E 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 ...l............
[DEBUG ][2021-08-28 17:11:55,189][pe_utils.py:331] print_global_variables() :: Found 16 bytes variable @ 0x6c8645c0:
[DEBUG ][2021-08-28 17:11:55,190][pe_utils.py:335] print_global_variables() ::
00000000: 10 0F 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 ...l............
[DEBUG ][2021-08-28 17:11:55,190][pe_utils.py:331] print_global_variables() :: Found 16 bytes variable @ 0x6c8645d0:
[DEBUG ][2021-08-28 17:11:55,190][pe_utils.py:335] print_global_variables() ::
00000000: 40 10 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 @..l............
[DEBUG ][2021-08-28 17:11:55,190][pe_utils.py:331] print_global_variables() :: Found 16 bytes variable @ 0x6c8645e0:
[DEBUG ][2021-08-28 17:11:55,190][pe_utils.py:335] print_global_variables() ::
00000000: 32 A2 DF 2D 99 2B 00 00 00 00 00 00 00 00 00 00 2..-.+..........
[DEBUG ][2021-08-28 17:11:55,190][pe_utils.py:331] print_global_variables() :: Found 2576 bytes variable @ 0x6c8645f0:
[DEBUG ][2021-08-28 17:11:55,190][pe_utils.py:335] print_global_variables() ::
00000000: CD 5D 20 D2 66 D4 FF FF 00 00 00 00 00 00 00 00 .] .f...........
00000010: 68 69 64 5F 74 5F 63 5F 70 5F 5F 6F 52 78 50 46 hid_t_c_p__oRxPF
00000020: 78 74 49 39 78 45 62 00 68 69 64 5F 70 5F 69 5F xtI9xEb.hid_p_i_
00000030: 70 5F 5F 76 4E 53 37 5A 7A 32 33 57 35 75 49 00 p__vNS7Zz23W5uI.
00000040: 68 69 64 5F 68 5F 74 5F 74 5F 5F 75 46 55 34 43 hid_h_t_t__uFU4C
00000050: 69 62 42 65 58 70 49 00 5A 77 57 72 69 74 65 56 ibBeXpI.ZwWriteV
00000060: 69 72 74 75 61 6C 4D 65 6D 6F 72 79 00 63 3A 5C irtualMemory.c:
00000070: 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 windowssystem32
[DEBUG ][2021-08-28 17:12:00,454][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmped3im1ly...
[DEBUG ][2021-08-28 17:12:00,455][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:12:00,455][scanner.py: 99] scan() :: EngineScanCallback(): Threat SLFPER:Win32/Meterpreter!ApiRetrieval identified.
[DEBUG ][2021-08-28 17:12:00,455][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:12:00,701][pe_utils.py:157] hide_bytes() :: Hiding 4608 bytes @ 133152
[DEBUG ][2021-08-28 17:12:06,035][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmpzx74mt29...
[DEBUG ][2021-08-28 17:12:06,036][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:12:06,036][scanner.py: 99] scan() :: EngineScanCallback(): Threat SLFPER:Win32/Meterpreter!ApiRetrieval identified.
[DEBUG ][2021-08-28 17:12:06,036][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:12:06,215][antivirus_debugger.py:182] global_vars_analysis() :: True - SLFPER:Win32/Meterpreter!ApiRetrieval
[DEBUG ][2021-08-28 17:12:06,281][pe_utils.py:157] hide_bytes() :: Hiding 32 bytes @ 137760
[DEBUG ][2021-08-28 17:12:11,666][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmpa_4l0sk8...
[DEBUG ][2021-08-28 17:12:11,667][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:12:11,667][scanner.py: 99] scan() :: EngineScanCallback(): Threat SLFPER:Win32/Meterpreter!ApiRetrieval identified.
[DEBUG ][2021-08-28 17:12:11,667][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:12:11,862][antivirus_debugger.py:182] global_vars_analysis() :: True - SLFPER:Win32/Meterpreter!ApiRetrieval
[DEBUG ][2021-08-28 17:12:11,943][pe_utils.py:157] hide_bytes() :: Hiding 32 bytes @ 137792
[DEBUG ][2021-08-28 17:12:17,213][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmpi7gp9d48...
[DEBUG ][2021-08-28 17:12:17,213][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:12:17,213][scanner.py: 99] scan() :: EngineScanCallback(): Threat SLFPER:Win32/Meterpreter!ApiRetrieval identified.
[DEBUG ][2021-08-28 17:12:17,214][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:12:17,419][antivirus_debugger.py:182] global_vars_analysis() :: True - SLFPER:Win32/Meterpreter!ApiRetrieval
[DEBUG ][2021-08-28 17:12:17,493][pe_utils.py:157] hide_bytes() :: Hiding 32 bytes @ 137824
[DEBUG ][2021-08-28 17:12:22,833][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmpr71y603k...
[DEBUG ][2021-08-28 17:12:22,833][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:12:22,833][scanner.py: 99] scan() :: EngineScanCallback(): Threat SLFPER:Win32/Meterpreter!ApiRetrieval identified.
[DEBUG ][2021-08-28 17:12:22,834][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:12:23,007][antivirus_debugger.py:182] global_vars_analysis() :: True - SLFPER:Win32/Meterpreter!ApiRetrieval
[DEBUG ][2021-08-28 17:12:23,055][pe_utils.py:157] hide_bytes() :: Hiding 32 bytes @ 137856
[DEBUG ][2021-08-28 17:12:28,942][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmpvbalewhc...
[DEBUG ][2021-08-28 17:12:28,942][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:12:28,943][scanner.py: 99] scan() :: EngineScanCallback(): Threat SLFPER:Win32/Meterpreter!ApiRetrieval identified.
[DEBUG ][2021-08-28 17:12:28,943][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:12:29,161][antivirus_debugger.py:182] global_vars_analysis() :: True - SLFPER:Win32/Meterpreter!ApiRetrieval
[DEBUG ][2021-08-28 17:12:29,225][pe_utils.py:157] hide_bytes() :: Hiding 608 bytes @ 137888
[DEBUG ][2021-08-28 17:12:34,480][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmp1jktj6b4...
[DEBUG ][2021-08-28 17:12:34,480][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:12:34,480][scanner.py: 99] scan() :: EngineScanCallback(): Threat ALF:HSTR:MeterpreterAPIHashingX64 identified.
[DEBUG ][2021-08-28 17:12:34,481][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:12:34,672][antivirus_debugger.py:182] global_vars_analysis() :: True - ALF:HSTR:MeterpreterAPIHashingX64
[INFO ][2021-08-28 17:12:34,672][antivirus_debugger.py:184] global_vars_analysis() :: Windows Defender detects this global variable:
[INFO ][2021-08-28 17:12:34,672][pe_utils.py: 70] display() ::
00000000: FC 80 79 10 00 0F 85 13 01 00 00 C6 41 10 01 48 ..y.........A..H
00000010: 83 EC 78 E8 C8 00 00 00 41 51 41 50 52 51 56 48 ..x.....AQAPRQVH
00000020: 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 1.eH.R`H.R.H.R H
00000030: 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C .rPH..JJM1.H1..<
00000040: 61 7C 02 2C 20 41 C1 C9 0D 41 01 C1 E2 ED 52 41 a|., A...A....RA
00000050: 51 48 8B 52 20 8B 42 3C 48 01 D0 66 81 78 18 0B QH.R .B<H..f.x..
00000060: 02 75 72 8B 80 88 00 00 00 48 85 C0 74 67 48 01 .ur......H..tgH.
00000070: D0 50 8B 48 18 44 8B 40 20 49 01 D0 E3 56 48 FF .P.H.D.@ I...VH.
[ERROR ][2021-08-28 17:12:34,672][antivirus_debugger.py:195] global_vars_analysis() :: Patching and starting over, since we've found something that may decrease the detection score.
[INFO ][2021-08-28 17:12:34,672][antivirus_debugger.py:161] global_vars_analysis() :: Applying patches
[DEBUG ][2021-08-28 17:12:34,723][pe_utils.py:157] hide_bytes() :: Hiding 608 bytes @ 137888
[INFO ][2021-08-28 17:12:34,724][antivirus_debugger.py:167] global_vars_analysis() :: Simple check: maybe a single global variable is detected
[DEBUG ][2021-08-28 17:12:35,919][pe_utils.py:324] detect_data() :: [Variable(addr=1820729376, size=4608, paddr=133152), Variable(addr=1820733984, size=32, paddr=137760), Variable(addr=1820734016, size=32, paddr=137792), Variable(addr=1820734048, size=32, paddr=137824), Variable(addr=1820734080, size=32, paddr=137856), Variable(addr=1820734112, size=608, paddr=137888), Variable(addr=1820734720, size=289, paddr=138496), Variable(addr=1820735009, size=111, paddr=138785), Variable(addr=1820735120, size=16, paddr=138896), Variable(addr=1820735136, size=32, paddr=138912), Variable(addr=1820735168, size=992, paddr=138944), Variable(addr=1820736160, size=2016, paddr=139936), Variable(addr=1820738176, size=32, paddr=141952), Variable(addr=1820738208, size=32, paddr=141984), Variable(addr=1820738240, size=160, paddr=142016), Variable(addr=1820738400, size=32, paddr=142176), Variable(addr=1820738432, size=32, paddr=142208), Variable(addr=1820738464, size=128, paddr=142240), Variable(addr=1820738592, size=96, paddr=142368), Variable(addr=1820738688, size=4, paddr=142464), Variable(addr=1820738692, size=4, paddr=142468), Variable(addr=1820738696, size=4, paddr=142472), Variable(addr=1820738700, size=4, paddr=142476), Variable(addr=1820738704, size=4, paddr=142480), Variable(addr=1820738708, size=12, paddr=142484), Variable(addr=1820738720, size=192, paddr=142496), Variable(addr=1820738912, size=96, paddr=142688), Variable(addr=1820739008, size=16, paddr=142784), Variable(addr=1820739024, size=16, paddr=142800), Variable(addr=1820739040, size=16, paddr=142816), Variable(addr=1820739056, size=2576, paddr=142832)]
[DEBUG ][2021-08-28 17:12:35,919][pe_utils.py:331] print_global_variables() :: Found 4608 bytes variable @ 0x6c862020:
[DEBUG ][2021-08-28 17:12:35,920][pe_utils.py:335] print_global_variables() ::
00000000: 09 00 00 00 00 00 00 00 D0 13 84 6C 00 00 00 00 ...........l....
00000010: 00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 01 00 00 10 00 00 00 00 ................
00000060: E0 13 84 6C 00 00 00 00 00 00 00 00 00 00 00 00 ...l............
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:12:35,920][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c863220:
[DEBUG ][2021-08-28 17:12:35,920][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 65 61 74 65 61 68 72 61 61 64 61 78 aaareateahraadax
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:12:35,920][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c863240:
[DEBUG ][2021-08-28 17:12:35,920][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 61 74 65 61 69 61 74 61 61 6C 61 65 aaarateaiataalae
00000010: 6D 61 72 61 00 00 00 00 00 00 00 00 00 00 00 00 mara............
[DEBUG ][2021-08-28 17:12:35,920][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c863260:
[DEBUG ][2021-08-28 17:12:35,920][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 65 61 74 65 61 68 72 61 61 64 61 78 aaareateahraadax
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:12:35,921][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c863280:
[DEBUG ][2021-08-28 17:12:35,921][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 61 74 65 61 69 61 74 61 61 6C 61 65 aaarateaiataalae
00000010: 6D 61 72 61 00 00 00 00 00 00 00 00 00 00 00 00 mara............
[DEBUG ][2021-08-28 17:12:35,921][pe_utils.py:331] print_global_variables() :: Found 608 bytes variable @ 0x6c8632a0:
[DEBUG ][2021-08-28 17:12:35,921][pe_utils.py:335] print_global_variables() ::
00000000: 4F 4E 73 64 4E 52 76 53 4D 71 64 73 63 68 63 6D ONsdNRvSMqdschcm
00000010: 64 67 4C 5A 4A 4A 71 63 51 68 7A 73 6C 42 69 7A dgLZJJqcQhzslBiz
00000020: 4B 49 7A 71 43 6F 6D 76 52 6A 77 73 64 69 68 65 KIzqComvRjwsdihe
00000030: 70 74 51 66 64 4A 68 6C 6B 6F 64 4D 4A 67 4C 4B ptQfdJhlkodMJgLK
00000040: 62 53 65 61 47 74 43 59 6D 73 6D 78 74 77 71 6C bSeaGtCYmsmxtwql
00000050: 69 77 52 63 4C 69 6D 4E 68 63 64 77 73 65 46 55 iwRcLimNhcdwseFU
00000060: 6C 69 65 75 4D 67 56 4E 62 6F 4B 6B 4A 57 73 70 lieuMgVNboKkJWsp
00000070: 4B 59 4F 50 76 65 56 49 5A 75 66 65 62 51 6E 52 KYOPveVIZufebQnR
[DEBUG ][2021-08-28 17:12:35,921][pe_utils.py:331] print_global_variables() :: Found 289 bytes variable @ 0x6c863500:
[DEBUG ][2021-08-28 17:12:35,921][pe_utils.py:335] print_global_variables() ::
00000000: FC 48 89 CE 48 89 E7 48 83 E4 F0 E8 C8 00 00 00 .H..H..H........
00000010: 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 60 48 AQAPRQVH1.eH.R`H
00000020: 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A .R.H.R H.rPH..JJ
00000030: 4D 31 C9 48 31 C0 AC 3C 61 7C 02 2C 20 41 C1 C9 M1.H1..<a|., A..
00000040: 0D 41 01 C1 E2 ED 52 41 51 48 8B 52 20 8B 42 3C .A....RAQH.R .B<
00000050: 48 01 D0 66 81 78 18 0B 02 75 72 8B 80 88 00 00 H..f.x...ur.....
00000060: 00 48 85 C0 74 67 48 01 D0 50 8B 48 18 44 8B 40 .H..tgH..P.H.D.@
00000070: 20 49 01 D0 E3 56 48 FF C9 41 8B 34 88 48 01 D6 I...VH..A.4.H..
[DEBUG ][2021-08-28 17:12:35,921][pe_utils.py:331] print_global_variables() :: Found 111 bytes variable @ 0x6c863621:
[DEBUG ][2021-08-28 17:12:35,921][pe_utils.py:335] print_global_variables() ::
00000000: 83 C4 50 48 89 FC C3 00 00 00 00 00 00 00 00 00 ..PH............
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 ...............U
00000020: 89 E5 56 57 8B 75 08 8B 4D 0C E8 00 00 00 00 58 ..VW.u..M......X
00000030: 83 C0 2B 83 EC 08 89 E2 C7 42 04 33 00 00 00 89 ..+......B.3....
00000040: 02 E8 0F 00 00 00 66 8C D8 66 8E D0 83 C4 14 5F ......f..f....._
00000050: 5E 5D C2 08 00 8B 3C E4 FF 2A 48 31 C0 57 FF D6 ^]....<..*H1.W..
00000060: 5F 50 C7 44 24 04 23 00 00 00 89 3C 24 FF 2C _P.D$.#....<$.,
[DEBUG ][2021-08-28 17:12:35,922][pe_utils.py:331] print_global_variables() :: Found 16 bytes variable @ 0x6c863690:
[DEBUG ][2021-08-28 17:12:35,922][pe_utils.py:335] print_global_variables() ::
00000000: 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $...............
[DEBUG ][2021-08-28 17:12:35,922][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c8636a0:
[DEBUG ][2021-08-28 17:12:35,922][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 65 61 74 65 61 68 72 61 61 64 61 78 aaareateahraadax
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:12:35,922][pe_utils.py:331] print_global_variables() :: Found 992 bytes variable @ 0x6c8636c0:
[DEBUG ][2021-08-28 17:12:35,922][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 61 74 65 61 69 61 74 61 61 6C 61 65 aaarateaiataalae
00000010: 6D 61 72 61 00 00 00 00 00 00 00 00 00 00 00 00 mara............
00000020: 00 37 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 .7.l............
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 10 73 84 6C 00 00 00 00 40 72 84 6C 00 00 00 00 [email protected]....
00000050: 30 76 84 6C 00 00 00 00 20 6D 84 6C 00 00 00 00 0v.l.... m.l....
00000060: D0 65 84 6C 00 00 00 00 00 79 84 6C 00 00 00 00 .e.l.....y.l....
00000070: D0 62 84 6C 00 00 00 00 80 69 84 6C 00 00 00 00 .b.l.....i.l....
[DEBUG ][2021-08-28 17:12:35,922][pe_utils.py:331] print_global_variables() :: Found 2016 bytes variable @ 0x6c863aa0:
[DEBUG ][2021-08-28 17:12:35,922][pe_utils.py:335] print_global_variables() ::
00000000: 0C 00 00 00 00 00 00 00 F0 D2 84 6C 00 00 00 00 ...........l....
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:12:35,923][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c864280:
[DEBUG ][2021-08-28 17:12:35,923][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 65 61 74 65 61 68 72 61 61 64 61 78 aaareateahraadax
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:12:35,923][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c8642a0:
[DEBUG ][2021-08-28 17:12:35,923][pe_utils.py:335] print_global_variables() ::
00000000: 61 61 61 72 61 74 65 61 69 61 74 61 61 6C 61 65 aaarateaiataalae
00000010: 6D 61 72 61 00 00 00 00 00 00 00 00 00 00 00 00 mara............
[DEBUG ][2021-08-28 17:12:35,923][pe_utils.py:331] print_global_variables() :: Found 160 bytes variable @ 0x6c8642c0:
[DEBUG ][2021-08-28 17:12:35,923][pe_utils.py:335] print_global_variables() ::
00000000: 00 00 00 00 01 00 00 00 03 00 00 00 07 00 00 00 ................
00000010: 0F 00 00 00 1F 00 00 00 3F 00 00 00 7F 00 00 00 ........?.......
00000020: FF 00 00 00 FF 01 00 00 FF 03 00 00 FF 07 00 00 ................
00000030: FF 0F 00 00 FF 1F 00 00 FF 3F 00 00 FF 7F 00 00 .........?......
00000040: FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 20 69 6E 66 6C 61 74 65 20 31 2E 30 2E 34 20 43 inflate 1.0.4 C
00000070: 6F 70 79 72 69 67 68 74 20 31 39 39 35 2D 31 39 opyright 1995-19
[DEBUG ][2021-08-28 17:12:35,923][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c864360:
[DEBUG ][2021-08-28 17:12:35,923][pe_utils.py:335] print_global_variables() ::
00000000: 00 00 00 00 00 00 00 00 C0 43 86 6C 00 00 00 00 .........C.l....
00000010: 00 00 00 00 13 00 00 00 07 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:12:35,923][pe_utils.py:331] print_global_variables() :: Found 32 bytes variable @ 0x6c864380:
[DEBUG ][2021-08-28 17:12:35,924][pe_utils.py:335] print_global_variables() ::
00000000: 60 D6 86 6C 00 00 00 00 20 44 86 6C 00 00 00 00 `..l.... D.l....
00000010: 00 00 00 00 1E 00 00 00 0F 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:12:35,924][pe_utils.py:331] print_global_variables() :: Found 128 bytes variable @ 0x6c8643a0:
[DEBUG ][2021-08-28 17:12:35,924][pe_utils.py:335] print_global_variables() ::
00000000: E0 D6 86 6C 00 00 00 00 A0 44 86 6C 00 00 00 00 ...l.....D.l....
00000010: 01 01 00 00 1E 01 00 00 0F 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 02 00 00 00 03 00 00 00 07 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:12:35,924][pe_utils.py:331] print_global_variables() :: Found 96 bytes variable @ 0x6c864420:
[DEBUG ][2021-08-28 17:12:35,924][pe_utils.py:335] print_global_variables() ::
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 01 00 00 00 01 00 00 00 02 00 00 00 02 00 00 00 ................
00000020: 03 00 00 00 03 00 00 00 04 00 00 00 04 00 00 00 ................
00000030: 05 00 00 00 05 00 00 00 06 00 00 00 06 00 00 00 ................
00000040: 07 00 00 00 07 00 00 00 08 00 00 00 08 00 00 00 ................
00000050: 09 00 00 00 09 00 00 00 0A 00 00 00 0A 00 00 00 ................
[DEBUG ][2021-08-28 17:12:35,924][pe_utils.py:331] print_global_variables() :: Found 4 bytes variable @ 0x6c864480:
[DEBUG ][2021-08-28 17:12:35,925][pe_utils.py:335] print_global_variables() ::
00000000: 0B 00 00 00 ....
[DEBUG ][2021-08-28 17:12:35,925][pe_utils.py:331] print_global_variables() :: Found 4 bytes variable @ 0x6c864484:
[DEBUG ][2021-08-28 17:12:35,925][pe_utils.py:335] print_global_variables() ::
00000000: 0B 00 00 00 ....
[DEBUG ][2021-08-28 17:12:35,925][pe_utils.py:331] print_global_variables() :: Found 4 bytes variable @ 0x6c864488:
[DEBUG ][2021-08-28 17:12:35,925][pe_utils.py:335] print_global_variables() ::
00000000: 0C 00 00 00 ....
[DEBUG ][2021-08-28 17:12:35,925][pe_utils.py:331] print_global_variables() :: Found 4 bytes variable @ 0x6c86448c:
[DEBUG ][2021-08-28 17:12:35,925][pe_utils.py:335] print_global_variables() ::
00000000: 0C 00 00 00 ....
[DEBUG ][2021-08-28 17:12:35,925][pe_utils.py:331] print_global_variables() :: Found 4 bytes variable @ 0x6c864490:
[DEBUG ][2021-08-28 17:12:35,925][pe_utils.py:335] print_global_variables() ::
00000000: 0D 00 00 00 ....
[DEBUG ][2021-08-28 17:12:35,925][pe_utils.py:331] print_global_variables() :: Found 12 bytes variable @ 0x6c864494:
[DEBUG ][2021-08-28 17:12:35,926][pe_utils.py:335] print_global_variables() ::
00000000: 0D 00 00 00 00 00 00 00 00 00 00 00 ............
[DEBUG ][2021-08-28 17:12:35,926][pe_utils.py:331] print_global_variables() :: Found 192 bytes variable @ 0x6c8644a0:
[DEBUG ][2021-08-28 17:12:35,926][pe_utils.py:335] print_global_variables() ::
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
00000030: 02 00 00 00 02 00 00 00 02 00 00 00 02 00 00 00 ................
00000040: 03 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 ................
00000050: 04 00 00 00 04 00 00 00 04 00 00 00 04 00 00 00 ................
00000060: 05 00 00 00 05 00 00 00 05 00 00 00 05 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[DEBUG ][2021-08-28 17:12:35,926][pe_utils.py:331] print_global_variables() :: Found 96 bytes variable @ 0x6c864560:
[DEBUG ][2021-08-28 17:12:35,926][pe_utils.py:335] print_global_variables() ::
00000000: 40 12 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 @..l............
00000010: FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 ................
00000020: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 70 0E 86 6C 00 00 00 00 90 0D 86 6C 00 00 00 00 p..l.......l....
00000040: 60 0D 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 `..l............
00000050: F0 0E 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 ...l............
[DEBUG ][2021-08-28 17:12:35,926][pe_utils.py:331] print_global_variables() :: Found 16 bytes variable @ 0x6c8645c0:
[DEBUG ][2021-08-28 17:12:35,926][pe_utils.py:335] print_global_variables() ::
00000000: 10 0F 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 ...l............
[DEBUG ][2021-08-28 17:12:35,926][pe_utils.py:331] print_global_variables() :: Found 16 bytes variable @ 0x6c8645d0:
[DEBUG ][2021-08-28 17:12:35,926][pe_utils.py:335] print_global_variables() ::
00000000: 40 10 86 6C 00 00 00 00 00 00 00 00 00 00 00 00 @..l............
[DEBUG ][2021-08-28 17:12:35,927][pe_utils.py:331] print_global_variables() :: Found 16 bytes variable @ 0x6c8645e0:
[DEBUG ][2021-08-28 17:12:35,927][pe_utils.py:335] print_global_variables() ::
00000000: 32 A2 DF 2D 99 2B 00 00 00 00 00 00 00 00 00 00 2..-.+..........
[DEBUG ][2021-08-28 17:12:35,927][pe_utils.py:331] print_global_variables() :: Found 2576 bytes variable @ 0x6c8645f0:
[DEBUG ][2021-08-28 17:12:35,927][pe_utils.py:335] print_global_variables() ::
00000000: CD 5D 20 D2 66 D4 FF FF 00 00 00 00 00 00 00 00 .] .f...........
00000010: 68 69 64 5F 74 5F 63 5F 70 5F 5F 6F 52 78 50 46 hid_t_c_p__oRxPF
00000020: 78 74 49 39 78 45 62 00 68 69 64 5F 70 5F 69 5F xtI9xEb.hid_p_i_
00000030: 70 5F 5F 76 4E 53 37 5A 7A 32 33 57 35 75 49 00 p__vNS7Zz23W5uI.
00000040: 68 69 64 5F 68 5F 74 5F 74 5F 5F 75 46 55 34 43 hid_h_t_t__uFU4C
00000050: 69 62 42 65 58 70 49 00 5A 77 57 72 69 74 65 56 ibBeXpI.ZwWriteV
00000060: 69 72 74 75 61 6C 4D 65 6D 6F 72 79 00 63 3A 5C irtualMemory.c:
00000070: 77 69 6E 64 6F 77 73 5C 73 79 73 74 65 6D 33 32 windowssystem32
[DEBUG ][2021-08-28 17:12:41,182][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmpuqgr4pyb...
[DEBUG ][2021-08-28 17:12:41,183][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:12:41,183][scanner.py: 99] scan() :: EngineScanCallback(): Threat ALF:HSTR:MeterpreterAPIHashingX64 identified.
[DEBUG ][2021-08-28 17:12:41,183][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:12:41,417][pe_utils.py:157] hide_bytes() :: Hiding 4608 bytes @ 133152
[DEBUG ][2021-08-28 17:12:46,799][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmpz4xqjxpi...
[DEBUG ][2021-08-28 17:12:46,799][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:12:46,799][scanner.py: 99] scan() :: EngineScanCallback(): Threat ALF:HSTR:MeterpreterAPIHashingX64 identified.
[DEBUG ][2021-08-28 17:12:46,799][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:12:46,983][antivirus_debugger.py:182] global_vars_analysis() :: True - ALF:HSTR:MeterpreterAPIHashingX64
[DEBUG ][2021-08-28 17:12:47,044][pe_utils.py:157] hide_bytes() :: Hiding 32 bytes @ 137760
[DEBUG ][2021-08-28 17:12:52,377][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmpe3g3inki...
[DEBUG ][2021-08-28 17:12:52,377][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:12:52,378][scanner.py: 99] scan() :: EngineScanCallback(): Threat ALF:HSTR:MeterpreterAPIHashingX64 identified.
[DEBUG ][2021-08-28 17:12:52,378][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:12:52,571][antivirus_debugger.py:182] global_vars_analysis() :: True - ALF:HSTR:MeterpreterAPIHashingX64
[DEBUG ][2021-08-28 17:12:52,637][pe_utils.py:157] hide_bytes() :: Hiding 32 bytes @ 137792
[DEBUG ][2021-08-28 17:12:57,946][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmp3uzv03yw...
[DEBUG ][2021-08-28 17:12:57,947][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:12:57,947][scanner.py: 99] scan() :: EngineScanCallback(): Threat ALF:HSTR:MeterpreterAPIHashingX64 identified.
[DEBUG ][2021-08-28 17:12:57,947][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:12:58,148][antivirus_debugger.py:182] global_vars_analysis() :: True - ALF:HSTR:MeterpreterAPIHashingX64
[DEBUG ][2021-08-28 17:12:58,205][pe_utils.py:157] hide_bytes() :: Hiding 32 bytes @ 137824
[DEBUG ][2021-08-28 17:13:03,503][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmpynvakvrg...
[DEBUG ][2021-08-28 17:13:03,503][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:13:03,503][scanner.py: 99] scan() :: EngineScanCallback(): Threat ALF:HSTR:MeterpreterAPIHashingX64 identified.
[DEBUG ][2021-08-28 17:13:03,503][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:13:03,711][antivirus_debugger.py:182] global_vars_analysis() :: True - ALF:HSTR:MeterpreterAPIHashingX64
[DEBUG ][2021-08-28 17:13:03,773][pe_utils.py:157] hide_bytes() :: Hiding 32 bytes @ 137856
[DEBUG ][2021-08-28 17:13:09,083][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmpqg26sa32...
[DEBUG ][2021-08-28 17:13:09,083][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:13:09,083][scanner.py: 99] scan() :: EngineScanCallback(): Threat ALF:HSTR:MeterpreterAPIHashingX64 identified.
[DEBUG ][2021-08-28 17:13:09,083][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:13:09,280][antivirus_debugger.py:182] global_vars_analysis() :: True - ALF:HSTR:MeterpreterAPIHashingX64
[DEBUG ][2021-08-28 17:13:09,334][pe_utils.py:157] hide_bytes() :: Hiding 608 bytes @ 137888
[DEBUG ][2021-08-28 17:13:14,691][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmphtzs4acy...
[DEBUG ][2021-08-28 17:13:14,692][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:13:14,692][scanner.py: 99] scan() :: EngineScanCallback(): Threat ALF:HSTR:MeterpreterAPIHashingX64 identified.
[DEBUG ][2021-08-28 17:13:14,692][scanner.py: 99] scan() :: Threat found
[DEBUG ][2021-08-28 17:13:14,864][antivirus_debugger.py:182] global_vars_analysis() :: True - ALF:HSTR:MeterpreterAPIHashingX64
[DEBUG ][2021-08-28 17:13:14,934][pe_utils.py:157] hide_bytes() :: Hiding 289 bytes @ 138496
[DEBUG ][2021-08-28 17:13:20,336][scanner.py: 99] scan() :: main(): Scanning /var/folders/l9/x995_3m52yd6mm3qv98k6d180000gn/T/tmpv1pa0e29...
[DEBUG ][2021-08-28 17:13:20,336][scanner.py: 99] scan() :: EngineScanCallback(): Scanning input
[DEBUG ][2021-08-28 17:13:20,482][antivirus_debugger.py:182] global_vars_analysis() :: False - Nothing
[INFO ][2021-08-28 17:13:20,483][antivirus_debugger.py:184] global_vars_analysis() :: Windows Defender detects this global variable:
[INFO ][2021-08-28 17:13:20,483][pe_utils.py: 70] display() ::
00000000: FC 48 89 CE 48 89 E7 48 83 E4 F0 E8 C8 00 00 00 .H..H..H........
00000010: 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 60 48 AQAPRQVH1.eH.R`H
00000020: 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A .R.H.R H.rPH..JJ
00000030: 4D 31 C9 48 31 C0 AC 3C 61 7C 02 2C 20 41 C1 C9 M1.H1..<a|., A..
00000040: 0D 41 01 C1 E2 ED 52 41 51 48 8B 52 20 8B 42 3C .A....RAQH.R .B<
00000050: 48 01 D0 66 81 78 18 0B 02 75 72 8B 80 88 00 00 H..f.x...ur.....
00000060: 00 48 85 C0 74 67 48 01 D0 50 8B 48 18 44 8B 40 .H..tgH..P.H.D.@
00000070: 20 49 01 D0 E3 56 48 FF C9 41 8B 34 88 48 01 D6 I...VH..A.4.H..
[INFO ][2021-08-28 17:13:20,483][antivirus_debugger.py:190] global_vars_analysis() :: Done ! You should patch these bytes:
[INFO ][2021-08-28 17:13:20,483][pe_utils.py: 81] display() :: 608 bytes @ 137888:
[INFO ][2021-08-28 17:13:20,483][pe_utils.py: 86] display() ::
00000000: FC 80 79 10 00 0F 85 13 01 00 00 C6 41 10 01 48 ..y.........A..H
00000010: 83 EC 78 E8 C8 00 00 00 41 51 41 50 52 51 56 48 ..x.....AQAPRQVH
00000020: 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 1.eH.R`H.R.H.R H
00000030: 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C .rPH..JJM1.H1..<
00000040: 61 7C 02 2C 20 41 C1 C9 0D 41 01 C1 E2 ED 52 41 a|., A...A....RA
00000050: 51 48 8B 52 20 8B 42 3C 48 01 D0 66 81 78 18 0B QH.R .B<H..f.x..
00000060: 02 75 72 8B 80 88 00 00 00 48 85 C0 74 67 48 01 .ur......H..tgH.
00000070: D0 50 8B 48 18 44 8B 40 20 49 01 D0 E3 56 48 FF .P.H.D.@ I...VH.
[INFO ][2021-08-28 17:13:20,483][pe_utils.py: 81] display() :: 289 bytes @ 138496:
[INFO ][2021-08-28 17:13:20,484][pe_utils.py: 86] display() ::
00000000: FC 48 89 CE 48 89 E7 48 83 E4 F0 E8 C8 00 00 00 .H..H..H........
00000010: 41 51 41 50 52 51 56 48 31 D2 65 48 8B 52 60 48 AQAPRQVH1.eH.R`H
00000020: 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A .R.H.R H.rPH..JJ
00000030: 4D 31 C9 48 31 C0 AC 3C 61 7C 02 2C 20 41 C1 C9 M1.H1..<a|., A..
00000040: 0D 41 01 C1 E2 ED 52 41 51 48 8B 52 20 8B 42 3C .A....RAQH.R .B<
00000050: 48 01 D0 66 81 78 18 0B 02 75 72 8B 80 88 00 00 H..f.x...ur.....
00000060: 00 48 85 C0 74 67 48 01 D0 50 8B 48 18 44 8B 40 .H..tgH..P.H.D.@
00000070: 20 49 01 D0 E3 56 48 FF C9 41 8B 34 88 48 01 D6 I...VH..A.4.H..因此,我们的工具显示了两个不同的变量,它们共同触发了 Windows Defender 的检测。然而,它们并没有明显地表现出恶意。为了解释这个结果,我们可以反汇编这些字节,或者反映出由于它们位于段中,因此它们被段中的函数用作初始化数据。一个简单的Meterpreter 代码库内部显示我们正在查看两个 shellcode:.data .text grep
grep -arA 5 'FC\x80' metasploit-payloads/c/meterpreter/source/
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c:BYTE apc_stub_x64[] = "xFCx80x79x10x00x0Fx85x13x01x00x00xC6x41x10x01x48"
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c- "x83xECx78xE8xC8x00x00x00x41x51x41x50x52x51x56x48"
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c- "x31xD2x65x48x8Bx52x60x48x8Bx52x18x48x8Bx52x20x48"
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c- "x8Bx72x50x48x0FxB7x4Ax4Ax4Dx31xC9x48x31xC0xACx3C"
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c- "x61x7Cx02x2Cx20x41xC1xC9x0Dx41x01xC1xE2xEDx52x41"
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c- "x51x48x8Bx52x20x8Bx42x3Cx48x01xD0x66x81x78x18x0B"grep -arA 5 'FC\x48' metasploit-payloads/c/meterpreter/source/
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c:BYTE migrate_wownativex[] = "xFCx48x89xCEx48x89xE7x48x83xE4xF0xE8xC8x00x00x00"
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c- "x41x51x41x50x52x51x56x48x31xD2x65x48x8Bx52x60x48"
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c- "x8Bx52x18x48x8Bx52x20x48x8Bx72x50x48x0FxB7x4Ax4A"
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c- "x4Dx31xC9x48x31xC0xACx3Cx61x7Cx02x2Cx20x41xC1xC9"
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c- "x0Dx41x01xC1xE2xEDx52x41x51x48x8Bx52x20x8Bx42x3C"
metasploit-payloads/c/meterpreter/source//metsrv/base_inject.c- "x48x01xD0x66x81x78x18x0Bx02x75x72x8Bx80x88x00x00"对这些 shellcode 进行简单的xor加密就足以使检测消失,同时保持其功能。
结语
这就是我们工具的工作方式。然而,它是用希望和胶带固定在一起的,所以不要指望它能为您的特定用例开箱即用。相反,如果检测是静态进行的,则将其视为一个库,以快速查明您的防病毒检测策略,然后运行不同的分析以尝试转储签名,或者如果它的工作方式略有不同,则为您的 AV 构建一个新的。我们希望我们有机会继续改进它!
源代码和幻灯片公众号后台回复 “20230223” 获取。
技术交流
知识星球
致力于红蓝对抗,实战攻防,星球不定时更新内外网攻防渗透技巧,以及最新学习研究成果等。常态化更新最新安全动态。专题更新奇技淫巧小Tips及实战案例。
涉及方向包括Web渗透、免杀绕过、内网攻防、代码审计、应急响应、云安全。星球中已发布 200+ 安全资源,针对网络安全成员的普遍水平,并为星友提供了教程、工具、POC&EXP以及各种学习笔记等等。
交流群
关注公众号回复“加群”,添加Z2OBot 小K自动拉你加入Z2O安全攻防交流群分享更多好东西。
关注我们
关注福利:
回复“app" 获取 app渗透和app抓包教程
回复“渗透字典" 获取 针对一些字典重新划分处理,收集了几个密码管理字典生成器用来扩展更多字典的仓库。
回复“书籍" 获取 网络安全相关经典书籍电子版pdf
回复“资料" 获取 网络安全、渗透测试相关资料文档
往期文章
Powershell 免杀过 defender 火绒,附自动化工具
通过DCERPC和ntlmssp获取Windows远程主机信息
原文始发于微信公众号(Z2O安全攻防):自动提取静态防病毒签名
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论