特征1-上线特征
48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 48
89 78 20 45 33 DB 45 33 D2 33 FF 33 F6 48 8B E9
BB 03 00 00 00 85 D2 0F 84 81 00 00 00 0F B6 45
检测(base64_decode 函数)
48 8B C4 48 89 58 08 48 89 68 10 48 89 70 18 48
89 78 20 45 33 DB 45 33 D2 33 FF 33 F6 48 8B E9
BB 03 00 00 00 85 D2 0F 84 81 00 00 00
bypass
33 FF
29 FF
; Disassembly of the signature-1 bytes (Intel syntax, opcode bytes on the left).
; Looks like an MSVC-style x64 prologue: non-volatile registers are parked in the
; caller's home space instead of being pushed — confirm against the full function,
; which continues past the jz and is not on this page.
; Detection note: the pattern above is a byte-exact match on this prologue, so a
; rebuilt or patched prologue (see the "bypass" rows) falls outside it; pair such
; byte patterns with behavioural indicators rather than relying on them alone.
48 8B C4 mov rax, rsp                   ; rax = rsp at entry; [rax+8..rax+20h] is the 32-byte home space above the return address
48 89 58 08 mov [rax+8], rbx            ; spill rbx into home slot 0
48 89 68 10 mov [rax+10h], rbp          ; spill rbp into home slot 1
48 89 70 18 mov [rax+18h], rsi          ; spill rsi into home slot 2
48 89 78 20 mov [rax+20h], rdi          ; spill rdi into home slot 3
45 33 DB xor r11d, r11d                 ; r11 = 0 (32-bit write zero-extends to the full register)
45 33 D2 xor r10d, r10d                 ; r10 = 0
33 FF xor edi, edi                      ; rdi = 0
33 F6 xor esi, esi                      ; rsi = 0
48 8B E9 mov rbp, rcx                   ; rbp = first argument (rcx under the Microsoft x64 convention)
BB 03 00 00 00 mov ebx, 3               ; rbx = 3
85 D2 test edx, edx                     ; ZF set when the second argument (edx) is zero
0F 84 81 00 00 00 jz loc_1800010AE      ; if edx == 0 jump forward 0x81 bytes (rel32 = 00000081); target is outside this excerpt
特征2
0D B8 7B 03 00 8A 0C 08 80 F9 FF 74 61 80 F9 FE
75 0D 32 C9 FF CB 79 0C B8 07 00 00 00 EB 61 83
FB 03 75 F4 41 C1 E3 06
80 F9 FF 90 84 C9
特征3
48 89 5C 24 08 48 89 6C 24 18 48 89 74 24 20 57
41 54 41 55 41 56 41 57 48 83 EC 20 45 33 E4 45
33 F6 33 DB
; Disassembly of the signature-3 bytes: entry of a second routine (IDA-style
; listing; arg_0/arg_10/arg_18 are the home-space slots at rsp+8, rsp+18h, rsp+20h
; per the displacement bytes, rsp-relative because no frame pointer is set up).
; The function body continues past this excerpt.
48 89 5C 24 08 mov [rsp+arg_0], rbx     ; spill rbx into home space
48 89 6C 24 18 mov [rsp+arg_10], rbp    ; spill rbp into home space
48 89 74 24 20 mov [rsp+arg_18], rsi    ; spill rsi into home space
57 push rdi                             ; save the remaining non-volatile registers (rdi, r12-r15 are callee-saved under Microsoft x64)
41 54 push r12
41 55 push r13
41 56 push r14
41 57 push r15
48 83 EC 20 sub rsp, 20h                ; reserve 0x20 bytes; 5 pushes + 0x20 leaves rsp 16-aligned (entry rsp ≡ 8 mod 16) — consistent with shadow space for callees
45 33 E4 xor r12d, r12d                 ; r12 = 0
45 33 F6 xor r14d, r14d                 ; r14 = 0
33 DB xor ebx, ebx                      ; rbx = 0
bypass
33 DB
29 DB