The old PUSHAD assembly instruction is old culture among malware programmers: it is easy to spot a PUSHAD right at the beginning of the .TEXT / .CODE section, as in the Sality malware.
PUSHAD (opcode 60h, Push All Registers) pushes all the general-purpose register values (EAX, EBX, ECX, and so on) onto the stack.
Getting the values back is easy and very intuitive: the POPAD instruction can be used!
Then the code below can run, and every register clobbered in between is restored by the POPAD:
PUSHAD          ; save EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI
MOV EAX, 5
MOV ECX, EAX
MOV EBX, 2
MOV EDX, EBX
POPAD           ; restore them all (the saved ESP value is discarded)
Why use PUSHAD? Because the malware needs to be as small as possible, and every trick is used to achieve that: one byte saves eight registers instead of eight separate PUSH instructions.
The Sality malware code:
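To make the save/restore behaviour concrete, here is an added example (not code from the post or from the Sality sample) that models a 32-bit register file and stack in Python and runs the PUSHAD ... POPAD block above through it. The push order and the discarded ESP follow the Intel SDM description of PUSHAD/POPAD; the starting register values and stack address are constructed.

```python
"""Tiny model of x86 PUSHAD / POPAD on a simulated 32-bit register file and stack."""

# PUSHAD pushes the registers in exactly this order (Intel SDM, PUSHAD).
PUSH_ORDER = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


class Cpu:
    def __init__(self, esp=0x0019FF80):           # constructed initial stack pointer
        self.regs = {r: 0 for r in PUSH_ORDER}
        self.regs["ESP"] = esp
        self.mem = {}                              # stack memory: dword address -> value

    def push(self, value):
        self.regs["ESP"] -= 4
        self.mem[self.regs["ESP"]] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem.pop(self.regs["ESP"])
        self.regs["ESP"] += 4
        return value

    def pushad(self):
        # The ESP value pushed is the one *before* PUSHAD started pushing.
        original_esp = self.regs["ESP"]
        for r in PUSH_ORDER:
            self.push(original_esp if r == "ESP" else self.regs[r])

    def popad(self):
        # POPAD pops in reverse order; the saved ESP slot is popped but not
        # written back, so ESP ends up where the pops themselves leave it.
        for r in reversed(PUSH_ORDER):
            value = self.pop()
            if r != "ESP":
                self.regs[r] = value


def run_sample():
    """Run the PUSHAD / MOV ... / POPAD block from the post.

    Returns (before, inside, after, stack_left) register snapshots so the
    caller can check that the block leaves every register untouched.
    """
    cpu = Cpu()
    # Constructed register contents the "caller" expects to survive.
    cpu.regs.update(EAX=0x11111111, EBX=0x22222222, ECX=0x33333333, EDX=0x44444444)
    before = dict(cpu.regs)

    cpu.pushad()
    cpu.regs["EAX"] = 5                 # MOV EAX, 5
    cpu.regs["ECX"] = cpu.regs["EAX"]   # MOV ECX, EAX
    cpu.regs["EBX"] = 2                 # MOV EBX, 2
    cpu.regs["EDX"] = cpu.regs["EBX"]   # MOV EDX, EBX
    inside = dict(cpu.regs)
    cpu.popad()

    after = dict(cpu.regs)
    return before, inside, after, len(cpu.mem)


if __name__ == "__main__":
    b, i, a, left = run_sample()
    for r in PUSH_ORDER:
        print(f"{r}: {b[r]:08X} -> inside {i[r]:08X} -> after {a[r]:08X}")
    print("stack slots left:", left)
```

The 32-byte drop in ESP inside the block is the eight saved dwords; after POPAD the stack is back at its original height and all eight registers equal their pre-PUSHAD values, which is exactly why the idiom costs the malware author only one byte at each end.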
00401010  60              PUSHAD                    ; 60h: save all registers
00401011  E8 00000000     CALL min2.00401016        ; call the very next instruction
00401016  5B              POP EBX                   ; EBX = 00401016 (its own address)
00401017  0FAFC8          IMUL ECX,EAX
0040101A  46              INC ESI
0040101B  69CF E7FF0351   IMUL ECX,EDI,5103FFE7
00401021  FFC6            INC ESI
00401023  0FAFFE          IMUL EDI,ESI
00401026  68 7C060000     PUSH 67C
0040102B  0FBEF8          MOVSX EDI,AL
.
.
.
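Since the post's point is that the PUSHAD (and, in the Sality listing, the CALL-to-next-instruction / POP pair) sits right at the start of the code section, a triage script can look for exactly that. The following is an added example, not part of the post, of a byte-pattern heuristic over an entry-point region: the first sample is the opcode bytes from the listing above, the second is a constructed benign function prologue. Treat hits as a reason to look closer, not as a verdict; packers and position-independent code use the same idioms.

```python
"""Heuristic scan of entry-point bytes for the PUSHAD / CALL $+5 / POP idiom."""

PUSHAD = 0x60
CALL_NEXT = b"\xE8\x00\x00\x00\x00"       # CALL rel32 with displacement 0
POP_R32 = {0x58: "EAX", 0x59: "ECX", 0x5A: "EDX", 0x5B: "EBX",
           0x5C: "ESP", 0x5D: "EBP", 0x5E: "ESI", 0x5F: "EDI"}


def scan_entry(code: bytes) -> list[str]:
    """Return human-readable findings for the given entry-point bytes."""
    findings = []
    if code and code[0] == PUSHAD:
        findings.append("PUSHAD (60h) as the first instruction")

    # CALL to the next instruction immediately followed by POP r32: the
    # classic way to load the current address into a register.
    idx = code.find(CALL_NEXT)
    while idx != -1:
        nxt = idx + len(CALL_NEXT)
        if nxt < len(code) and code[nxt] in POP_R32:
            findings.append(f"CALL $+5 / POP {POP_R32[code[nxt]]} at offset {idx:#x}")
        idx = code.find(CALL_NEXT, idx + 1)
    return findings


# Opcode bytes transcribed from the Sality listing in the post.
SALITY_ENTRY = bytes.fromhex(
    "60"                    # PUSHAD
    "E8 00000000"           # CALL next instruction
    "5B"                    # POP EBX
    "0FAFC8"                # IMUL ECX,EAX
    "46"                    # INC ESI
    "69CF E7FF0351"         # IMUL ECX,EDI,5103FFE7
    "FFC6"                  # INC ESI
    "0FAFFE"                # IMUL EDI,ESI
    "68 7C060000"           # PUSH 67C
    "0FBEF8"                # MOVSX EDI,AL
)

# Constructed benign prologue: PUSH EBP / MOV EBP,ESP / SUB ESP,10h / ... / RET.
BENIGN_ENTRY = bytes.fromhex("55 8BEC 83EC10 33C0 8BE5 5D C3")


if __name__ == "__main__":
    for name, blob in (("sality", SALITY_ENTRY), ("benign", BENIGN_ENTRY)):
        print(name, scan_entry(blob) or "no findings")
```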