windbg动态调试恶意软件脚本
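$$ WinDbg script for tracing a malware sample under a live debugger:
$$ each breakpoint logs its arguments and immediately continues (`g`),
$$ so the log becomes a behavioural trace (network, memory, process,
$$ service, file, registry activity).
$$
$$ Caveats (review):
$$  - x86 only. Every breakpoint reads arguments off the stack (esp+N).
$$    On a native x64 target the first four arguments are in rcx/rdx/r8/r9
$$    and these offsets print garbage; check `.effmach` before trusting
$$    the log.
$$  - The sample keeps running after every hit. Use only in an isolated,
$$    snapshotted VM with no route to a production network.
$$  - `bu` breakpoints are deferred: a module!function that does not exist
$$    on this Windows build is silently never hit (e.g. kernelbase!CreateFile*
$$    and the kernel32!Reg* exports only exist on Win7+; older builds have
$$    them in kernel32 / advapi32). Verify with `bl` once the modules load.
$$  - Pointer arguments are dereferenced by .printf; a NULL/invalid pointer
$$    prints a memory-access error instead of crashing the session.
$$  - IsDebuggerPresent is only one anti-debug check; PEB.BeingDebugged,
$$    NtQueryInformationProcess, timing checks etc. are not neutralised.
$$ Open the log
.logopen windbg_execute.log
$$ Clear all breakpoints
bc *
$$ --- Network ---
$$ connect(s, name, namelen): print sockaddr_in as dotted IPv4 plus port.
$$ sin_port and sin_addr are stored big-endian, so read them byte-wise
$$ instead of as a little-endian DWORD (which prints the octets reversed).
$$ Only AF_INET (2) is decoded; other families are reported raw.
bu ws2_32!connect ".if (wo(poi(esp+0x8)) == 0n2) { .printf \"connect=> %d.%d.%d.%d:%d\", by(poi(esp+0x8)+4), by(poi(esp+0x8)+5), by(poi(esp+0x8)+6), by(poi(esp+0x8)+7), (by(poi(esp+0x8)+2)*0x100)+by(poi(esp+0x8)+3) } .else { .printf \"connect=> sockaddr family %x (not decoded)\", wo(poi(esp+0x8)) }; .echo; g"
$$ bu ws2_32!sendto
$$ InternetConnect(hInternet, lpszServerName, nServerPort, ...): host and port
bu WININET!InternetConnectA ".printf \"InternetConnectA=> %ma:%d\", poi(esp+0x8), poi(esp+0xC); .echo; g"
bu WININET!InternetConnectW ".printf \"InternetConnectW=> %mu:%d\", poi(esp+0x8), poi(esp+0xC); .echo; g"
$$ bu Winhttp!WinHttpConnect
$$ --- Memory ---
$$ flProtect 0x40 (PAGE_EXECUTE_READWRITE) is flagged: RWX allocations are
$$ the usual sign of unpacking / shellcode staging / injection.
bu kernel32!VirtualAlloc ".printf \"VirtualAlloc=> lpAddress:%x dwSize:%x flAllocationType:%x flProtect:%x\", poi(esp+0x4), poi(esp+0x8), poi(esp+0xc), poi(esp+0x10); .if (poi(esp+0x10) == 0x40) { .printf \" [RWX]\" }; .echo; g"
bu kernel32!VirtualAllocEx ".printf \"VirtualAllocEx=> hProcess:%x lpAddress:%x dwSize:%x flAllocationType:%x flProtect:%x\", poi(esp+0x4), poi(esp+0x8), poi(esp+0xc), poi(esp+0x10), poi(esp+0x14); .if (poi(esp+0x14) == 0x40) { .printf \" [RWX]\" }; .echo; g"
$$ WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, ...): the
$$ companion of VirtualAllocEx in remote-injection sequences.
bu kernel32!WriteProcessMemory ".printf \"WriteProcessMemory=> hProcess:%x lpBaseAddress:%x lpBuffer:%x nSize:%x\", poi(esp+0x4), poi(esp+0x8), poi(esp+0xC), poi(esp+0x10); .echo; g"
$$ malloc: log the requested size, step out (`gu`) and log the returned pointer (eax)
bu msvcrt!malloc ".printf \"Size: %x\n\",poi(esp+4);gu;.printf \"Returned Pointer: %x\n\",eax;g"
$$ --- Processes ---
$$ CreateProcess(lpApplicationName, lpCommandLine, ...): either pointer may
$$ be NULL, so each is guarded and both are printed when present.
bu kernel32!CreateProcessW ".printf \"Creating Process:\"; .if (poi(esp+0x4) != 0) { .printf \" app=%mu\", poi(esp+0x4) }; .if (poi(esp+0x8) != 0) { .printf \" cmd=%mu\", poi(esp+0x8) }; .echo; g"
bu kernel32!CreateProcessA ".printf \"Creating Process:\"; .if (poi(esp+0x4) != 0) { .printf \" app=%ma\", poi(esp+0x4) }; .if (poi(esp+0x8) != 0) { .printf \" cmd=%ma\", poi(esp+0x8) }; .echo; g"
$$ --- Services ---
$$ CreateService(hSCManager, lpServiceName, lpDisplayName, dwDesiredAccess,
$$ dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, ...):
$$ esp+0x4 is the SCM handle, so the name is at esp+0x8, the display name
$$ at esp+0xC and the binary path (8th argument) at esp+0x20.
bu advapi32!CreateServiceA ".printf \"Creating Service: \";.echo;.printf \"\tService Name: %ma\",poi(esp+0x8);.echo;.printf \"\tDisplay Name: %ma\",poi(esp+0xC);.echo;.printf \"\tBinary Path: %ma\",poi(esp+0x20);.echo;g"
bu advapi32!CreateServiceW ".printf \"Creating Service: \";.echo;.printf \"\tService Name: %mu\",poi(esp+0x8);.echo;.printf \"\tDisplay Name: %mu\",poi(esp+0xC);.echo;.printf \"\tBinary Path: %mu\",poi(esp+0x20);.echo;g"
$$ --- Command execution ---
$$ ShellExecute(hwnd, lpOperation, lpFile, lpParameters, lpDirectory, nShowCmd):
$$ lpOperation and lpParameters are commonly NULL, hence the guards.
bu shell32!ShellExecuteW ".printf \"Running Command:\"; .echo; .if (poi(esp+0x8) != 0) { .printf \"\tOperation: %mu\", poi(esp+0x8); .echo }; .printf \"\tTarget: %mu\", poi(esp+0xC); .echo; .if (poi(esp+0x10) != 0) { .printf \"\tParams: %mu\", poi(esp+0x10); .echo }; g"
bu shell32!ShellExecuteA ".printf \"Running Command:\"; .echo; .if (poi(esp+0x8) != 0) { .printf \"\tOperation: %ma\", poi(esp+0x8); .echo }; .printf \"\tTarget: %ma\", poi(esp+0xC); .echo; .if (poi(esp+0x10) != 0) { .printf \"\tParams: %ma\", poi(esp+0x10); .echo }; g"
$$ ShellExecuteEx(SHELLEXECUTEINFO*): x86 layout cbSize 0x0, fMask 0x4,
$$ hwnd 0x8, lpVerb 0xC, lpFile 0x10, lpParameters 0x14.
bu shell32!ShellExecuteExW ".printf \"Running Command:\"; .echo; .if (poi(poi(esp+0x4)+0xC) != 0) { .printf \"\tOperation: %mu\", poi(poi(esp+0x4)+0xC); .echo }; .printf \"\tTarget: %mu\", poi(poi(esp+0x4)+0x10); .echo; .if (poi(poi(esp+0x4)+0x14) != 0) { .printf \"\tParams: %mu\", poi(poi(esp+0x4)+0x14); .echo }; g"
bu shell32!ShellExecuteExA ".printf \"Running Command:\"; .echo; .if (poi(poi(esp+0x4)+0xC) != 0) { .printf \"\tOperation: %ma\", poi(poi(esp+0x4)+0xC); .echo }; .printf \"\tTarget: %ma\", poi(poi(esp+0x4)+0x10); .echo; .if (poi(poi(esp+0x4)+0x14) != 0) { .printf \"\tParams: %ma\", poi(poi(esp+0x4)+0x14); .echo }; g"
$$ --- Library loading ---
bu kernel32!LoadLibraryA ".printf \"Loading LibraryA: %ma\",poi(esp+0x4);.echo;g"
bu kernel32!LoadLibraryW ".printf \"Loading LibraryW: %mu\",poi(esp+0x4);.echo;g"
bu kernel32!LoadLibraryExA ".printf \"Loading LibraryExA: %ma\",poi(esp+0x4);.echo;g"
bu kernel32!LoadLibraryExW ".printf \"Loading LibraryExW: %mu\",poi(esp+0x4);.echo;g"
$$ --- Import resolution ---
$$ GetProcAddress(hModule, lpProcName): lpProcName is an ordinal when its
$$ high word is zero; printing that with %ma reads from a bogus address.
bu kernel32!GetProcAddress ".if ((poi(esp+0x8) & 0xffff0000) != 0) { .printf \"\t Looking up function: %ma\", poi(esp+0x8) } .else { .printf \"\t Looking up ordinal: #%d\", poi(esp+0x8) & 0xffff }; .echo; g"
$$ --- File operations ---
$$ CreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
$$ dwCreationDisposition, ...): opens of existing files (OPEN_EXISTING = 3)
$$ are filtered out; everything else is a create/overwrite and is logged
$$ with its disposition.
bu kernelbase!CreateFileW ".if (poi(esp+0x14) != 0n3) { .printf \"Creating File: %mu (disposition %d)\", poi(esp+0x4), poi(esp+0x14); .echo }; g"
bu kernelbase!CreateFileA ".if (poi(esp+0x14) != 0n3) { .printf \"Creating File: %ma (disposition %d)\", poi(esp+0x4), poi(esp+0x14); .echo }; g"
$$ Move
bu kernel32!MoveFileExW ".printf \"File moved.\";.echo;.printf \"From: %mu\",poi(esp+0x4);.echo;.printf \"To: %mu\",poi(esp+0x8);.echo;g"
bu kernel32!MoveFileExA ".printf \"File moved.\";.echo;.printf \"From: %ma\",poi(esp+0x4);.echo;.printf \"To: %ma\",poi(esp+0x8);.echo;g"
$$ Copy
bu kernel32!CopyFileW ".printf \" Copying file: \";.echo;.printf \"\tFrom: %mu\",poi(esp+0x4);.echo;.printf \"\tTo: %mu\",poi(esp+0x8);.echo;g"
bu kernel32!CopyFileA ".printf \" Copying file: \";.echo;.printf \"\tFrom: %ma\",poi(esp+0x4);.echo;.printf \"\tTo: %ma\",poi(esp+0x8);.echo;g"
$$ WriteFile(hFile, lpBuffer, nNumberOfBytesToWrite, ...): log the handle and
$$ size so writes can be matched to the CreateFile that produced the handle.
bu kernel32!WriteFile ".printf \"Writing file: hFile:%x lpBuffer:%x nBytes:%x\", poi(esp+0x4), poi(esp+0x8), poi(esp+0xC); .echo; g"
$$ --- Registry ---
$$ NOTE(review): these Reg* exports live in kernel32 only on Win7+ (where
$$ advapi32 forwards to them); on older builds use advapi32! instead.
$$ Create key (lpSubKey at esp+0x8)
bu kernel32!RegCreateKeyExA ".printf \"Creating RegKey: %ma\",poi(esp+0x8);.echo;g"
bu kernel32!RegCreateKeyExW ".printf \"Creating RegKey: %mu\",poi(esp+0x8);.echo;g"
$$ Open key
bu kernel32!RegOpenKeyExA ".printf \"Accessed RegKey: %ma\",poi(esp+0x8);.echo;g"
bu kernel32!RegOpenKeyExW ".printf \"Accessed RegKey: %mu\",poi(esp+0x8);.echo;g"
$$ Query value (lpValueName at esp+0x8)
bu kernel32!RegQueryValueExA ".printf \"\tAccessed RegValue: %ma\",poi(esp+0x8);.echo;g"
bu kernel32!RegQueryValueExW ".printf \"\tAccessed RegValue: %mu\",poi(esp+0x8);.echo;g"
$$ RegSetValueEx(hKey, lpValueName, Reserved, dwType, lpData, cbData):
$$ lpData (esp+0x14) is only a string for REG_SZ (1) / REG_EXPAND_SZ (2);
$$ for other types (REG_BINARY, REG_DWORD, ...) print the type and size
$$ instead of treating arbitrary bytes as text.
bu kernel32!RegSetValueExA ".if (poi(esp+0x10) == 0n1 | poi(esp+0x10) == 0n2) { .printf \"Setting RegValue %ma to: %ma\", poi(esp+0x8), poi(esp+0x14) } .else { .printf \"Setting RegValue %ma (type %d, %d bytes at %x)\", poi(esp+0x8), poi(esp+0x10), poi(esp+0x18), poi(esp+0x14) }; .echo; g"
bu kernel32!RegSetValueExW ".if (poi(esp+0x10) == 0n1 | poi(esp+0x10) == 0n2) { .printf \"Setting RegValue %mu to: %mu\", poi(esp+0x8), poi(esp+0x14) } .else { .printf \"Setting RegValue %mu (type %d, %d bytes at %x)\", poi(esp+0x8), poi(esp+0x10), poi(esp+0x18), poi(esp+0x14) }; .echo; g"
$$ --- Anti-debugging ---
$$ Step out of IsDebuggerPresent and force its return value to FALSE.
$$ This hides only the API call; a sample reading PEB.BeingDebugged directly
$$ still sees the debugger.
bu kernel32!IsDebuggerPresent "gu;r eax=0;g"
$$ Close the log when done (run manually; .logclose takes no filename)
$$ .logclose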