0

我正在学习恶意软件(Blackhole Exploit)的工作原理,我从恶意代码中提取了 shellcode。除了搜索字节字符串之外,我想通了一切。谁可以帮我这个事?为什么这个 shellcode(大多数恶意 shellcode)会搜索这个特定的字符串?搜索代码如下:

mov   eax, 0C330408BH;
inc   esi
cmp   dword ptr [esi], eax
jne   //back to top//
4

2 回答 2

3

作为 Igor 回答的补充,我建议您阅读这篇文章http://skypher.com/index.php/2010/11/17/bypassing-eaf/。该代码在系统 DLL 中查找特定指令,以使用它们从内存中的任意位置读取或写入数据。因此,要使用此代码,只需将 (address-0x30) 放入 eax,然后调用上面的序列。

于 2012-07-27T14:26:56.537 回答
2

If you take the magic bytes, convert them to little-endian format and disassemble, you get the following:

8B 40 30    mov     eax, [eax+30h]
C3          retn

So, the shellcode is searching for this sequence of instructions. I'm not 100% sure but I think it's used to find kernel32 image in memory (since this sequence usually occurs there).

于 2012-05-18T10:18:34.267 回答