the penny dropped.


DLL ENTRY REASON

Value (numeric code) and meaning:

DLL_PROCESS_ATTACH (1)
The DLL is being loaded into the virtual address space of the current process as a result of the process starting up or as a result of a call to LoadLibrary. DLLs can use this opportunity to initialize any instance data or to use the TlsAlloc function to allocate a thread local storage (TLS) index.
The lpReserved parameter indicates whether the DLL is being loaded statically or dynamically.

DLL_PROCESS_DETACH (0)
The DLL is being unloaded from the virtual address space of the calling process because it was loaded unsuccessfully or the reference count has reached zero (the process has either terminated or called FreeLibrary one time for each time it called LoadLibrary).
The lpReserved parameter indicates whether the DLL is being unloaded as a result of a FreeLibrary call, a failure to load, or process termination.
The DLL can use this opportunity to call the TlsFree function to free any TLS indices allocated by using TlsAlloc and to free any thread local data.
Note that the thread that receives the DLL_PROCESS_DETACH notification is not necessarily the same thread that received the DLL_PROCESS_ATTACH notification.

DLL_THREAD_ATTACH (2)
The current process is creating a new thread. When this occurs, the system calls the entry-point function of all DLLs currently attached to the process. The call is made in the context of the new thread. DLLs can use this opportunity to initialize a TLS slot for the thread. A thread calling the DLL entry-point function with DLL_PROCESS_ATTACH does not call the DLL entry-point function with DLL_THREAD_ATTACH.
Note that a DLL’s entry-point function is called with this value only by threads created after the DLL is loaded by the process. When a DLL is loaded using LoadLibrary, existing threads do not call the entry-point function of the newly loaded DLL.

DLL_THREAD_DETACH (3)
A thread is exiting cleanly. If the DLL has stored a pointer to allocated memory in a TLS slot, it should use this opportunity to free the memory. The system calls the entry-point function of all currently loaded DLLs with this value. The call is made in the context of the exiting thread.


zeroaccess packer

The first type:

1. The encrypted data is located by computing the CRC32 of each 8-byte block in turn, starting at the beginning of the entry-point section, and comparing the result with the DWORD stored at +8 (immediately after the block). A match marks the spot.

2. The following 0x10 bytes form one struct, encrypted as follows:

def BSUB(v1, v2):
    # byte-wise subtraction modulo 0x100
    if v1 < v2:
        return v1 + 0x100 - v2
    return v1 - v2

def decode(arra):
    # index pairs that are exchanged after the per-byte step
    map_base = {0: 7, 1: 14, 2: 5, 3: 11, 4: 15, 6: 10, 8: 13, 9: 12}
    data = arra
    for i in range(len(data)):
        data[i] = BSUB(data[i], i * 2) ^ 1
    for i, j in map_base.items():
        data[i], data[j] = data[j], data[i]
    # Debug(data)  # the author's debugging helper; it is not defined on this page
    return data

struct Block {
    DWORD dwMemPosBegin;
    DWORD dwEncryptDataSize;
    DWORD dwMemsize;
    DWORD xx;
};
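The two steps above (CRC32 scan for the marker, then decoding the 0x10-byte struct) carried through on a constructed buffer, as an added example that is not the post's own code. The swap table and per-byte transform are taken from the post; the encoder, the marker bytes, the field values and the assumption that the encrypted struct starts right after the CRC DWORD are all constructed here for the sample and are not ZeroAccess artifacts.

```python
import struct
import zlib

# Swap table from the post (index pairs exchanged after the per-byte step).
# The pairs are disjoint, so each swap is its own inverse and order does not matter.
SWAP_MAP = {0: 7, 1: 14, 2: 5, 3: 11, 4: 15, 6: 10, 8: 13, 9: 12}

BLOCK_FMT = '<IIII'                       # dwMemPosBegin, dwEncryptDataSize, dwMemsize, xx
BLOCK_LEN = struct.calcsize(BLOCK_FMT)    # 0x10


def decode_block(raw):
    """Decode the 0x10-byte block exactly as the post's decode() does."""
    data = bytearray(raw)
    for i in range(len(data)):
        data[i] = ((data[i] - i * 2) & 0xFF) ^ 1      # BSUB(data[i], i*2) ^ 1
    for i, j in SWAP_MAP.items():
        data[i], data[j] = data[j], data[i]
    return bytes(data)


def encode_block(plain):
    """Inverse of decode_block. Used only to build the sample; the packer's own
    encoder is not on the page (assumption: it is the exact inverse)."""
    data = bytearray(plain)
    for i, j in SWAP_MAP.items():
        data[i], data[j] = data[j], data[i]
    for i in range(len(data)):
        data[i] = ((data[i] ^ 1) + i * 2) & 0xFF
    return bytes(data)


def find_marker(section, step=8):
    """Walk the section 8 bytes at a time; the 8-byte chunk whose CRC32 equals the
    DWORD stored immediately after it is the marker. Returns its offset or None."""
    for off in range(0, len(section) - step - 4 + 1, step):
        chunk = section[off:off + step]
        tag, = struct.unpack_from('<I', section, off + step)
        if zlib.crc32(chunk) & 0xFFFFFFFF == tag:
            return off
    return None


def parse_first_type(section):
    """Locate the marker and decode the Block that follows it.
    Assumption: the encrypted 0x10 bytes start right after the CRC DWORD (marker + 12)."""
    off = find_marker(section)
    if off is None:
        return None
    start = off + 8 + 4
    fields = struct.unpack(BLOCK_FMT, decode_block(section[start:start + BLOCK_LEN]))
    names = ('dwMemPosBegin', 'dwEncryptDataSize', 'dwMemsize', 'xx')
    result = dict(zip(names, fields))
    result['marker_offset'] = off
    return result


def build_sample_section():
    """Constructed sample: 16 bytes of filler, an 8-byte marker, its CRC32, the encoded block."""
    marker = b'ZAPACKER'                     # constructed, not a real marker value
    plain = struct.pack(BLOCK_FMT, 0x1000, 0x200, 0x3000, 0)
    return (b'\x90' * 16 + marker +
            struct.pack('<I', zlib.crc32(marker) & 0xFFFFFFFF) +
            encode_block(plain) + b'\x00' * 8)


if __name__ == '__main__':
    print(parse_first_type(build_sample_section()))
```

The scan steps in units of 8 as the post describes; if the marker in a real sample is not 8-aligned relative to the section start, pass step=1 to find_marker.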

The second type:

The data is decrypted with RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1, pUnCompressMem, dwUnCompressSize, pOriginalMem, dwOriginalSize); note that the real prototype also takes a final PULONG FinalUncompressedSize out-parameter.


MBR virus will change the main page at the end of the world

The home page is locked to dh.97780.com by this malware.
A detailed report on this MBR-infecting virus will follow.


osloader.EXE

Some viruses patch osloader.exe once it is mapped into memory, at 00422A6F.


BOCHS: Transfer file to the inside windows system

Recently I wanted to use Bochs to debug something at a lower level, but after installing Windows in Bochs I found that the guest could not reach the outside. In the end I built an ISO image and mounted it as a CD-ROM in Bochs, which works. So if you can't transfer files into the Bochs guest, try an ISO image.


SYSENTER

No JMP, no Call, no API calls: these are basically all done through SYSENTER. With the large amount of junk code throughout, this still looks like it is going to be difficult.


Running Code Before Main

_initterm


Good, very good

ConvertStringSecurityDescriptorToSecurityDescriptorA


ZwCreateSection Pe File Check

ReactOS:

NtCreateSection
MmCreateSection
MmCreateImageSection
ExeFmtpCreateImageSection
PeFmtCreateSection


Win:

NtCreateSection
MmCreateSection
MiCreateImageFileMap
MiVerifyImageHeader
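The kind of header validation that sits at the bottom of both call chains (PeFmtCreateSection on ReactOS, MiVerifyImageHeader on Windows), as an added user-mode illustration that is not the kernel's code: it applies the documented PE/COFF format rules (DOS and NT signatures, e_lfanew bounds, machine/optional-header magic agreement, section count and section table bounds) to a buffer. The exact list of checks the kernel performs is not on this page; the sample image, the tamper helper and the choice of checks are constructed here.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D            # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550         # 'PE\0\0'
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SIZEOF_SECTION_HEADER = 40
MAX_SECTIONS = 96                       # limit stated in the PE/COFF specification

# Signature + IMAGE_FILE_HEADER: Signature, Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
NT_HDR_FMT = '<IHHIIIHH'
NT_HDR_LEN = struct.calcsize(NT_HDR_FMT)    # 24

MAGIC_FOR_MACHINE = {IMAGE_FILE_MACHINE_I386: IMAGE_NT_OPTIONAL_HDR32_MAGIC,
                     IMAGE_FILE_MACHINE_AMD64: IMAGE_NT_OPTIONAL_HDR64_MAGIC}


def verify_image_header(image):
    """Return (True, 'ok') or (False, reason) for a candidate image's headers."""
    if len(image) < 0x40:
        return False, 'too small for IMAGE_DOS_HEADER'
    if struct.unpack_from('<H', image, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False, 'bad DOS signature'
    e_lfanew, = struct.unpack_from('<I', image, 0x3C)
    if e_lfanew + NT_HDR_LEN > len(image):
        return False, 'e_lfanew points outside the image'
    sig, machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(NT_HDR_FMT, image, e_lfanew)
    if sig != IMAGE_NT_SIGNATURE:
        return False, 'bad NT signature'
    if machine not in MAGIC_FOR_MACHINE:
        return False, 'unsupported machine 0x%x' % machine
    if nsec == 0 or nsec > MAX_SECTIONS:
        return False, 'bad NumberOfSections %d' % nsec
    opt_off = e_lfanew + NT_HDR_LEN
    if opt_size < 2 or opt_off + opt_size > len(image):
        return False, 'optional header does not fit'
    magic, = struct.unpack_from('<H', image, opt_off)
    if magic != MAGIC_FOR_MACHINE[machine]:
        return False, 'optional header magic 0x%x does not match machine' % magic
    if opt_off + opt_size + nsec * IMAGE_SIZEOF_SECTION_HEADER > len(image):
        return False, 'section table runs past end of image'
    return True, 'ok'


def build_sample_pe(machine=IMAGE_FILE_MACHINE_I386, nsec=1):
    """Constructed minimal header set (not a real binary): DOS header, NT headers, zeroed sections."""
    magic = MAGIC_FOR_MACHINE[machine]
    opt_size = 0xE0 if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC else 0xF0
    dos = bytearray(0x40)
    struct.pack_into('<H', dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', dos, 0x3C, 0x40)              # NT headers directly after the DOS header
    nt = struct.pack(NT_HDR_FMT, IMAGE_NT_SIGNATURE, machine, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, magic)
    return bytes(dos) + nt + bytes(opt) + bytes(IMAGE_SIZEOF_SECTION_HEADER * nsec)


def tamper(image, offset, fmt, value):
    """Return a copy of image with one header field overwritten (builds the negative cases)."""
    buf = bytearray(image)
    struct.pack_into(fmt, buf, offset, value)
    return bytes(buf)


if __name__ == '__main__':
    print(verify_image_header(build_sample_pe()))
    print(verify_image_header(tamper(build_sample_pe(), 0x3C, '<I', 0x7FFFFFF0)))
```

Every bounds check runs before the field it guards is read, which is the property that matters when the buffer comes from an untrusted file; the order of the checks mirrors the order in which the headers are laid out.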
