An Easy Language (易语言) program (and even its runtime library is stored by dropping a few DLL files directly)
Packed with VMProtect (VMP)
Has virtual machine detection
Detects kernel debuggers (checks whether it is itself being debugged), enumerates the names of drivers on the system (possibly to detect a virtual machine or antivirus software), calls a large number of system APIs (suspected to be virtual machine detection), reads the CPU clock (possibly to detect a virtual machine), checks for VMware-related components (to detect a virtual machine)
- Behavior description: Directly calls critical system APIs
  - Details:
    - Index = 0x0000009A, Name: NtQueryInformationProcess, Instruction Address = 0x025ED881
    - Index = 0x000000E5, Name: NtSetInformationThread, Instruction Address = 0x0263CACD
    - Index = 0x00000074, Name: NtOpenFile, Instruction Address = 0x025ED881
    - Index = 0x00000032, Name: NtCreateSection, Instruction Address = 0x0151E0FB
    - Index = 0x0000006C, Name: NtMapViewOfSection, Instruction Address = 0x015284F5
    - Index = 0x0000010B, Name: NtUnmapViewOfSection, Instruction Address = 0x0151E0FB
    - Index = 0x00000019, Name: NtClose, Instruction Address = 0x0151E0FB
    - Index = 0x00000019, Name: NtClose, Instruction Address = 0x015DB4CA
    - Index = 0x00000089, Name: NtProtectVirtualMemory, Instruction Address = 0x015284F5
- Behavior description: Directly obtains the CPU clock
  - Details:
    - EAX = 0xe00e172e, EDX = 0x000000bc
    - EAX = 0xe00e177a, EDX = 0x000000bc
    - EAX = 0xe00e17c6, EDX = 0x000000bc
    - EAX = 0xe00e1812, EDX = 0x000000bc
    - EAX = 0xe00e185e, EDX = 0x000000bc
    - EAX = 0xe00e18aa, EDX = 0x000000bc
    - EAX = 0xe00e18f6, EDX = 0x000000bc
    - EAX = 0xe00e1942, EDX = 0x000000bc
    - EAX = 0xe00e198e, EDX = 0x000000bc
    - EAX = 0xe00e19da, EDX = 0x000000bc
- Behavior description: Detects a virtual machine via VMware special instruction
  - Details:
    - N/A
Calls the Sleep function (suspected to sleep, possibly to evade analysis and cloud sandboxes)