OfficeMalScanner/DisView

From aldeid

Description

DisView is the disassembler shipped with OfficeMalScanner. When you run OfficeMalScanner with "scan debug", you may notice an interesting portion of code, but the disassembly shown in the report is truncated. DisView displays much more code from the offset you give it, which helps in the analysis.

Usage

Usage: DisView <file> <offset to start>

Example

The command below only shows part of the disassembled code starting at offset 0x90c53:

C:\tools\OfficeMalScanner>OfficeMalScanner.exe \malware\TestYourMind.ppt scan brute debug

[SNIP]

--------------------------------------------------------------------------

CALL next/POP signature found at offset: 0x90c53

E800000000                         call $+00000005h
5A                                 pop edx
55                                 push ebp
8BEC                               mov ebp, esp
81EC64040000                       sub esp, 00000464h
8BF4                               mov esi, esp
E861030000                         call $+00000366h
8BF8                               mov edi, eax
E8C4020000                         call $+000002C9h
8906                               mov [esi], eax
895E04                             mov [esi+04h], ebx
FF36                               push [esi]
68AD9B7DDF                         push DF7D9BADh
E8E6020000                         call $+000002EBh
89460C                             mov [esi+0Ch], eax
FF36                               push [esi]
--------------------------------------------------------------------------

[SNIP]

Brute-forcing for encrypted PE- and embedded OLE-files now...
Bruting XOR Key: 0xff
Bruting ADD Key: 0xff
Bruting ROL Key: 0x08


Analysis finished!

-------------------------------------------------------------
TestYourMind.ppt seems to be malicious! Malicious Index = 108
-------------------------------------------------------------

We can use DisView to display more disassembled code, starting at the mentioned offset:

C:\tools\OfficeMalScanner>DisView.exe \malware\TestYourMind.ppt 0x90c53
Filesize is 631296 (0x9a200) Bytes

00090C53: E800000000               call $+00000005h
00090C58: 5A                       pop edx
00090C59: 55                       push ebp
00090C5A: 8BEC                     mov ebp, esp
00090C5C: 81EC64040000             sub esp, 00000464h
00090C62: 8BF4                     mov esi, esp
00090C64: E861030000               call $+00000366h
00090C69: 8BF8                     mov edi, eax
00090C6B: E8C4020000               call $+000002C9h
00090C70: 8906                     mov [esi], eax
00090C72: 895E04                   mov [esi+04h], ebx
00090C75: FF36                     push [esi]
00090C77: 68AD9B7DDF               push DF7D9BADh
00090C7C: E8E6020000               call $+000002EBh
00090C81: 89460C                   mov [esi+0Ch], eax
00090C84: FF36                     push [esi]
00090C86: 68A517007C               push 7C0017A5h
00090C8B: E8D7020000               call $+000002DCh
00090C90: 89462C                   mov [esi+2Ch], eax
00090C93: FF36                     push [esi]
00090C95: 68FB97FD0F               push 0FFD97FBh
00090C9A: E8C8020000               call $+000002CDh
00090C9F: 894618                   mov [esi+18h], eax
00090CA2: FF36                     push [esi]
00090CA4: 68E6178F7B               push 7B8F17E6h
00090CA9: E8B9020000               call $+000002BEh
00090CAE: 894630                   mov [esi+30h], eax
00090CB1: FF36                     push [esi]
00090CB3: 682912C656               push 56C61229h
00090CB8: E8AA020000               call $+000002AFh
00090CBD: 894610                   mov [esi+10h], eax
00090CC0: FF36                     push [esi]
00090CC2: 68593C077B               push 7B073C59h
00090CC7: E89B020000               call $+000002A0h
00090CCC: 894614                   mov [esi+14h], eax
00090CCF: FF36                     push [esi]
00090CD1: 683B4743DD               push DD43473Bh
00090CD6: E88C020000               call $+00000291h
00090CDB: 894628                   mov [esi+28h], eax
00090CDE: FF36                     push [esi]
00090CE0: 683B4673CB               push CB73463Bh
00090CE5: E87D020000               call $+00000282h
00090CEA: 894624                   mov [esi+24h], eax
00090CED: FF36                     push [esi]
00090CEF: 6803F2A640               push 40A6F203h
00090CF4: E86E020000               call $+00000273h
00090CF9: 894620                   mov [esi+20h], eax
00090CFC: FF36                     push [esi]
--------------------------------------------------------------------------
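The two listings show what OfficeMalScanner matches on (a "call $+5 / pop reg" GetPC stub, the E8 00 00 00 00 / 5A bytes at the start) and what DisView then reveals: a repeated "push [esi] / push imm32 / call rel32 / mov [esi+disp], eax" sequence in which each pushed constant is an API hash handed to one resolver routine. The following Python script is an added example, not part of the aldeid page or of the OfficeMalScanner tool: it locates the CALL next/POP signature in a byte buffer, converts a call's rel32 displacement into a file offset (and into DisView's "$+...h" notation, which is relative to the start of the call instruction), and pulls out the hash/resolver/slot triples. The sample buffer is constructed from the bytes printed in the DisView listing above, padded with filler so that offsets differ from the page's.

```python
"""Locate the CALL next/POP (GetPC) signature and decode the hash-based
API-resolver calls that follow it, the way OfficeMalScanner and DisView do.
Added example; not part of OfficeMalScanner."""
import re
import struct

# Constructed sample: the first instructions from the DisView listing at
# 0x90c53 (bytes copied from the page), surrounded by zero filler so the
# shellcode starts at offset 0x20 instead of 0x90c53.
SHELLCODE = bytes.fromhex(
    "E800000000" "5A" "55" "8BEC" "81EC64040000" "8BF4" "E861030000"
    "8BF8" "E8C4020000" "8906" "895E04"
    "FF36" "68AD9B7DDF" "E8E6020000" "89460C"
    "FF36" "68A517007C" "E8D7020000" "89462C"
    "FF36"
)
SAMPLE = b"\x00" * 0x20 + SHELLCODE + b"\x00" * 0x10

# E8 00 00 00 00 = call $+5 (pushes the address of the next instruction),
# followed by pop r32 (opcodes 0x58..0x5F): the classic GetPC trick.
CALL_POP = re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")

# Resolver sequence seen in the listing: push [esi] ; push imm32 (API hash) ;
# call rel32 (resolver) ; mov [esi+disp8], eax (store the resolved address).
RESOLVER = re.compile(rb"\xff\x36\x68(.{4})\xe8(.{4})\x89\x46(.)", re.DOTALL)


def find_call_pop(data: bytes) -> list:
    """Return the file offsets of every CALL next/POP signature in data."""
    return [m.start() for m in CALL_POP.finditer(data)]


def call_target(data: bytes, off: int) -> int:
    """File offset that a 5-byte 'call rel32' located at off transfers to.

    The displacement is relative to the end of the call instruction, so the
    target is off + 5 + rel32 (rel32 is signed, little-endian)."""
    if data[off] != 0xE8:
        raise ValueError(f"no E8 opcode at {off:#x}")
    rel = struct.unpack_from("<i", data, off + 1)[0]
    return off + 5 + rel


def disview_operand(data: bytes, off: int) -> str:
    """Render a 'call rel32' operand the way DisView prints it ($+...h),
    i.e. relative to the start of the call instruction, not its end."""
    delta = call_target(data, off) - off
    return f"${'+' if delta >= 0 else '-'}{abs(delta):08X}h"


def extract_resolver_calls(data: bytes, start: int) -> list:
    """From start onward, return (api_hash, resolver_offset, slot) triples,
    one per push-hash / call-resolver / store sequence."""
    found = []
    for m in RESOLVER.finditer(data, start):
        api_hash = struct.unpack("<I", m.group(1))[0]
        call_off = m.start() + 7          # FF36 (2 bytes) + 68 imm32 (5 bytes)
        slot = m.group(3)[0]              # displacement in mov [esi+disp8], eax
        found.append((api_hash, call_target(data, call_off), slot))
    return found


if __name__ == "__main__":
    for off in find_call_pop(SAMPLE):
        print(f"CALL next/POP signature found at offset: {off:#x}")
        for api_hash, resolver, slot in extract_resolver_calls(SAMPLE, off):
            print(f"  hash {api_hash:08X} -> resolver at {resolver:#x}, "
                  f"stored to [esi+{slot:02X}h]")
```

Both resolver calls in the sample land on the same offset, which is what the page's listing implies as well: 0x90c7c + 5 + 0x2E6 and 0x90c8b + 5 + 0x2D7 both give 0x90f67. Pointing DisView at that offset is the natural next step when you want to see the hashing routine itself, and the list of hash constants is what you would match against a table of known API-name hashes.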
