一、样本信息
样本名字: Moment.exe样本大小: 8,400,896 bytes
病毒类型: Trojan.MSIL/Injector
sha1: 17b98df6f5e086a5c1e7b2cda2d000b86c0eeced
二、代码分析
1.可以看到这个一个.net2.0的程序,加obfuscate壳,用ILSpy加载程序,可以发现如下代码:// Moment.bca
public static byte[] Xdfhkkkkkkmmmmmmmooooooooqqqqq(byte[] fosga, string ximu)
{
Array.Reverse(fosga);
checked
{
byte b = fosga[fosga.Length - 1];
byte[] bytes = Encoding.Default.GetBytes(ximu);
byte[] array = new byte[fosga.Length + 1];
int num = 0;
int num2 = fosga.Length - 1;
for (int i = 0; i <= num2; i++)
{
array[i] = (fosga[i] ^ b ^ bytes[num]);
Array.Reverse(bytes);
bool flag = num == bytes.Length - 1;
if (flag)
{
num = 0;
}
else
{
num++;
}
}
return array;
}
}
2.这看起来像一段解密代码,用windbg加载程序,加载sos.dll(加载方法:http://blog.csdn.net/a530791614/article/details/50555410)
3.下函数断点(我的程序名为17b98df6.exe,.net4.0可以通过!bpmd -list查看断点,2.0还不太清楚...)
0:000> !bpmd 17b98df6.exe Moment.bca.Xdfhkkkkkkmmmmmmmooooooooqqqqq
*********************************************************************
* Symbols can not b