OfficeMalScanner/DisView
Description
DisView is a disassembler. When you run OfficeMalScanner with "scan debug", the debug output may show an interesting portion of code, but the listing is truncated. DisView displays much more of the code from a given offset to help with the analysis.
Usage
Usage: DisView <file> <offset to start>
Example
The command below only shows part of the disassembled code starting at offset 0x90c53:
C:\tools\OfficeMalScanner>OfficeMalScanner.exe \malware\TestYourMind.ppt scan brute debug
[SNIP]
--------------------------------------------------------------------------
CALL next/POP signature found at offset: 0x90c53
E800000000     call $+00000005h
5A             pop edx
55             push ebp
8BEC           mov ebp, esp
81EC64040000   sub esp, 00000464h
8BF4           mov esi, esp
E861030000     call $+00000366h
8BF8           mov edi, eax
E8C4020000     call $+000002C9h
8906           mov [esi], eax
895E04         mov [esi+04h], ebx
FF36           push [esi]
68AD9B7DDF     push DF7D9BADh
E8E6020000     call $+000002EBh
89460C         mov [esi+0Ch], eax
FF36           push [esi]
--------------------------------------------------------------------------
[SNIP]
Brute-forcing for encrypted PE- and embedded OLE-files now...
Bruting XOR Key: 0xff
Bruting ADD Key: 0xff
Bruting ROL Key: 0x08
Analysis finished!
-------------------------------------------------------------
TestYourMind.ppt seems to be malicious! Malicious Index = 108
-------------------------------------------------------------
We can use DisView to display more of the disassembled code, starting at the offset reported above:
C:\tools\OfficeMalScanner>DisView.exe \malware\TestYourMind.ppt 0x90c53
Filesize is 631296 (0x9a200) Bytes
00090C53: E800000000     call $+00000005h
00090C58: 5A             pop edx
00090C59: 55             push ebp
00090C5A: 8BEC           mov ebp, esp
00090C5C: 81EC64040000   sub esp, 00000464h
00090C62: 8BF4           mov esi, esp
00090C64: E861030000     call $+00000366h
00090C69: 8BF8           mov edi, eax
00090C6B: E8C4020000     call $+000002C9h
00090C70: 8906           mov [esi], eax
00090C72: 895E04         mov [esi+04h], ebx
00090C75: FF36           push [esi]
00090C77: 68AD9B7DDF     push DF7D9BADh
00090C7C: E8E6020000     call $+000002EBh
00090C81: 89460C         mov [esi+0Ch], eax
00090C84: FF36           push [esi]
00090C86: 68A517007C     push 7C0017A5h
00090C8B: E8D7020000     call $+000002DCh
00090C90: 89462C         mov [esi+2Ch], eax
00090C93: FF36           push [esi]
00090C95: 68FB97FD0F     push 0FFD97FBh
00090C9A: E8C8020000     call $+000002CDh
00090C9F: 894618         mov [esi+18h], eax
00090CA2: FF36           push [esi]
00090CA4: 68E6178F7B     push 7B8F17E6h
00090CA9: E8B9020000     call $+000002BEh
00090CAE: 894630         mov [esi+30h], eax
00090CB1: FF36           push [esi]
00090CB3: 682912C656     push 56C61229h
00090CB8: E8AA020000     call $+000002AFh
00090CBD: 894610         mov [esi+10h], eax
00090CC0: FF36           push [esi]
00090CC2: 68593C077B     push 7B073C59h
00090CC7: E89B020000     call $+000002A0h
00090CCC: 894614         mov [esi+14h], eax
00090CCF: FF36           push [esi]
00090CD1: 683B4743DD     push DD43473Bh
00090CD6: E88C020000     call $+00000291h
00090CDB: 894628         mov [esi+28h], eax
00090CDE: FF36           push [esi]
00090CE0: 683B4673CB     push CB73463Bh
00090CE5: E87D020000     call $+00000282h
00090CEA: 894624         mov [esi+24h], eax
00090CED: FF36           push [esi]
00090CEF: 6803F2A640     push 40A6F203h
00090CF4: E86E020000     call $+00000273h
00090CF9: 894620         mov [esi+20h], eax
00090CFC: FF36           push [esi]
--------------------------------------------------------------------------
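As an added example (not OfficeMalScanner's or DisView's own code), the Python below reproduces the two things the listings above rely on: the "CALL next/POP" signature scan that produced the "found at offset" line, and the arithmetic behind the "$+NNNNNNNNh" call operands DisView prints, so each near call can be mapped to the file offset it lands on. It assumes the signature is E8 00 00 00 00 immediately followed by a one-byte POP r32 (opcodes 0x58..0x5F); the sample buffer is constructed from the first instructions of the stub shown at 0x90c53.

```python
# Added example (not OfficeMalScanner's code): find the CALL next/POP signature and
# decode E8 near-call operands the way DisView displays them ("$+NNNNNNNNh").
# Assumption: the signature is E8 00 00 00 00 immediately followed by POP r32 (0x58..0x5F).
import struct

POP_R32 = range(0x58, 0x60)          # one-byte pop eax .. pop edi
CALL_NEXT = b"\xE8\x00\x00\x00\x00"  # call $+5: pushes the address of the next byte

def find_call_pop(buf: bytes) -> list:
    """Return every offset of a CALL $+5 that is directly followed by a POP r32."""
    hits = []
    pos = buf.find(CALL_NEXT)
    while pos != -1:
        nxt = pos + len(CALL_NEXT)
        if nxt < len(buf) and buf[nxt] in POP_R32:
            hits.append(pos)
        pos = buf.find(CALL_NEXT, pos + 1)
    return hits

def call_target(buf: bytes, off: int) -> tuple:
    """Decode the E8 rel32 call at `off`: return (DisView-style "$+NNNNNNNNh" operand,
    absolute file offset of the call target = next instruction + rel32)."""
    if buf[off] != 0xE8:
        raise ValueError(f"no E8 opcode at 0x{off:x}")
    rel32 = struct.unpack_from("<i", buf, off + 1)[0]
    disp = (rel32 + 5) & 0xFFFFFFFF  # relative to the instruction start; wraps for backward calls
    return f"$+{disp:08X}h", off + 5 + rel32

# Constructed sample: NOP padding, the first instructions of the stub the page
# shows at 0x90c53, then a CALL $+5 that is NOT followed by a POP (must not match).
STUB = bytes.fromhex(
    "E800000000"    # call $+00000005h
    "5A"            # pop edx
    "55"            # push ebp
    "8BEC"          # mov ebp, esp
    "81EC64040000"  # sub esp, 00000464h
    "8BF4"          # mov esi, esp
    "E861030000"    # call $+00000366h
    "8BF8"          # mov edi, eax
)
SAMPLE = b"\x90" * 0x20 + STUB + bytes.fromhex("E80000000090")

if __name__ == "__main__":
    for off in find_call_pop(SAMPLE):
        print(f"CALL next/POP signature found at offset: 0x{off:x}")
    disp, tgt = call_target(SAMPLE, 0x20 + 17)  # the "call $+00000366h" in the stub
    print(f"{disp} -> file offset 0x{tgt:x}")
```

Because the operand is relative to the start of the call instruction, the second call in the DisView listing (at 0x90C64) lands at file offset 0x90C64 + 0x366 = 0x90FCA, which is a sensible next offset to hand to DisView.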