table of Contents
Rainbow Cats analysis
Rainbow Cats analysis process, we analyze today for a whole day, but it finally omissions or one or two paths, and then continue it tomorrow
Outline
Program is divided into three starts
One is without any startup parameters
The second is with
/mainthe parameter startThe third is with
/watchdogthe parameter start
This part of the code will be executed every startup mode
- By
GetSystemMetrics()acquiring the screen width and height but then it did not seem to use this part? - Then
GetCommandLineW()get command line arguments - Finally, by
CommandLineToArgvW()having parameters as a function of resolution parameters array (array mode can be used in accordance) - Based on two parameters determined with reference execution behavior
No arguments start
First, a user runs
MEMZ.exeafter the file is executed with no parameters, I guess I got the sample should be Gangster modified, will remind twice, and then the virus code will really begin
The figure is executed without tag parameters
- First, apply for a period of memory, after the adoption of
GetModuleFileNameWacquired own executable file name function - Then start the cycle with five
/watchdogcopies of the parameters - Next construct
SHELLEXECUTEINFOWa structure used to create a copy, and with/mainparameters, and the difference is in itself will increase the priority of the CPU, take up more CPU time and system resources to pave the way bit behind - Then exit process
With /mainparameters start
The main role of this start-up mode to the
MBR扇区guide portion overwritten, cats and rainbow after the code is written to restart animation
With /watchdogparameters start
The start-up mode as his name is usually (watchdog), is used to detect whether the user's own initiative to the end of the process, if ended, then began to undermine the user's computer (in fact,
/mainthe parameters have been)
- Create a new thread through into the analysis, that the process will monitor the process list,
The written program is divided into two sections
This is the first length 304 should boot code
The length of the second paragraph is 1952this should be a rainbow cat animation program body
This address start down a long period are content to note that marks the end of the AA55 MBR sector
As I understand it here, MBR sector a total of 512 bytes
