Deobfuscating SpyEye Wrapup
At my friend's request, I've released the SpyEye 1.3.45 deobfuscation script.
The script performs two deobfuscation passes.
The first pass resolves names from 4-byte hash values (the hashing scheme is described in Part 1). It resolves the following:
- library function names (kernel32/ntdll/advapi32/wininet/ws2_32),
- function names exported by SpyEye plugins,
- process names targeted for malicious code injection, and
- file names included in config.bin.
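The first pass is a classic hash-to-name resolution: every candidate name (API exports, plugin exports, process names, config.bin file names) is hashed with the malware's algorithm, and the resulting 4-byte values are used as a reverse lookup table for the dwords found in the binary. The following is an added example of that technique, not the released script. The hash function is a stand-in (ROR-13 accumulate, a scheme common in shellcode loaders), not SpyEye's own algorithm from Part 1; the candidate lists and the "obfuscated" dwords are constructed inline instead of being read from a "names_to_resolve" folder.

```python
"""Hash-to-name resolver in the style of the first deobfuscation pass.

Added example. hash_name() is an ASSUMED stand-in hash, not SpyEye's
algorithm (see Part 1 for the real one); swap it out to use this on a
real sample. Candidate name lists are constructed here rather than read
from the "names_to_resolve" folder.
"""
from typing import Callable, Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= MASK32
    return ((value >> count) | (value << (32 - count))) & MASK32


def hash_name(name: str) -> int:
    """Stand-in hash (assumption): h = ror13(h) + byte for each byte of the name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def build_lookup(candidates: Dict[str, Iterable[str]],
                 hasher: Callable[[str], int] = hash_name) -> Dict[int, str]:
    """Map each 4-byte hash to 'category!name'.

    Collisions between candidates are kept visible ("a | b") instead of
    silently overwritten, so the analyst can see the ambiguity.
    """
    table: Dict[int, str] = {}
    for category, names in candidates.items():
        for name in names:
            h = hasher(name)
            label = f"{category}!{name}"
            if h in table and table[h] != label:
                table[h] = table[h] + " | " + label
            else:
                table[h] = label
    return table


def resolve(dwords: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Resolve each dword via the table; unknown hashes come back as None."""
    return [table.get(d & MASK32) for d in dwords]


# Constructed candidate lists, one category per file in the real
# "names_to_resolve" folder.
CANDIDATES: Dict[str, List[str]] = {
    "kernel32": ["LoadLibraryA", "GetProcAddress", "CreateFileA", "VirtualAlloc"],
    "ntdll": ["NtQueryInformationProcess", "RtlInitUnicodeString"],
    "ws2_32": ["WSAStartup", "connect", "send"],
    "process": ["explorer.exe", "iexplore.exe", "firefox.exe"],
    "config.bin": ["config.dat", "webinjects.txt"],
}


def demo() -> List[Optional[str]]:
    """Resolve a constructed set of dwords: three known hashes plus one unknown value."""
    table = build_lookup(CANDIDATES)
    dwords = [
        hash_name("GetProcAddress"),
        hash_name("explorer.exe"),
        hash_name("connect"),
        0xDEADBEEF,  # constructed: not the hash of any candidate
    ]
    return resolve(dwords, table)


if __name__ == "__main__":
    for value, name in zip(demo(), demo()):
        print(f"{value} -> {name}")
```

Unresolved dwords (None) are the useful output in practice: they point at names missing from the candidate lists, so the lists can be extended and the script rerun.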
The second pass recovers important strings. It calculates each string's start address and length from the specified dword values, then runs SpyEye's custom XOR routine over that range (see Part 2 for details).
As a bonus, I added a small routine that enumerates the installation folder name and the mutex name. Note that these names are encoded only after SC2, the initialization routine of C1, has executed.
To run the script, configure the "names_to_resolve" folder path and the name of the function used by the second pass.
Enjoy your analysis ;-)