Chapter 1: Basics of Static Malware Analysis

  • Malware Data Science (the book)
  • Listing 1-1: Loading the pefile module and parsing a PE file (ircbot.exe)
  • Listing 1-2: Iterating over the sections of a PE file and printing information about them
  • Listing 1-4: Extracting import information from ircbot.exe
  • Listing 1-6: Shell commands for extracting images from a malware sample
  • Listing 1-7: Strings output showing that the malware can download attacker-specified files to the target machine
  • Listing 1-8: Strings output showing that the malware has an HTTP server an attacker can connect to

Malware Data Science (Chinese edition: 基于数据科学的恶意软件分析)

Malware Data Science: Attack Detection and Attribution
by Joshua Saxe and Hillary Sanders; translated by 何能强 and 严寒冰

Listing 1-1: Loading the pefile module and parsing a PE file (ircbot.exe)

# In a terminal:
pip3 install pefile
# In a Jupyter notebook:
import os
print(os.getcwd())
# result: /home/ubuntu20/桌面
import pefile
pe = pefile.PE("/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe")

Listing 1-2: Iterating over the sections of a PE file and printing information about them

for section in pe.sections:
    print(section.Name, hex(section.VirtualAddress), section.SizeOfRawData)
    
#result:
b'.text\x00\x00\x00' 0x1000 207360
b'.rdata\x00\x00' 0x34000 17408
b'.data\x00\x00\x00' 0x39000 10752
b'.idata\x00\x00' 0x96000 3072
b'.reloc\x00\x00' 0x97000 8704
for section in pe.sections:
    # hex() takes a single integer, so the name and the hex-formatted virtual size
    # are passed to print() as separate arguments
    print(section.Name, hex(section.Misc_VirtualSize))
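The pefile output above comes from the library's own section table walk. As an added example (not code from the book or from this page), the following Python reads the same section table directly from the PE headers with struct, so it runs without pefile, and adds the checks a triage would do on the fields printed above: per-section Shannon entropy, the gap between Misc_VirtualSize and SizeOfRawData, and sections flagged both writable and executable. Because ircbot.exe is not available here, the block builds a constructed stand-in image (build_sample_pe) with one uniform-byte section and one mostly-virtual section; that image, the function names and the thresholds (7.0 bits of entropy, a 4x size gap) are assumptions for illustration.

```python
import math
import struct
from collections import Counter

# Constructed stand-in for a PE file (not ircbot.exe): DOS header, PE signature,
# COFF header, a zero-filled PE32 optional header and two section headers with
# their raw data. Only the fields the parser below reads are populated.
def build_sample_pe():
    text_data = bytes(range(256)) * 4        # 1024 bytes, every byte value equally often
    data_data = b"\x00" * 512                # 512 bytes of zeros
    size_opt = 224                           # IMAGE_OPTIONAL_HEADER32 size
    header_len = 0x40 + 4 + 20 + size_opt + 40 * 2
    raw_off = (header_len + 0x1FF) // 0x200 * 0x200   # first section on a 512-byte file boundary
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature lives at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    sec_fmt = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER, 40 bytes
    text_hdr = struct.pack(sec_fmt, b".text", len(text_data), 0x1000, len(text_data),
                           raw_off, 0, 0, 0, 0, 0x60000020)           # code | execute | read
    data_hdr = struct.pack(sec_fmt, b".data", 0x3000, 0x2000, len(data_data),
                           raw_off + len(text_data), 0, 0, 0, 0, 0xC0000040)  # data | read | write
    image = bytearray(dos + b"PE\0\0" + coff + opt + text_hdr + data_hdr)
    image += b"\x00" * (raw_off - len(image))
    return bytes(image + text_data + data_data)

def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def parse_sections(data):
    """Walk the section table the way pe.sections does, from raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, _ts, _, _, size_opt, _chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + size_opt
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),  # pefile prints b'.text\x00\x00\x00'
            "virtual_address": va, "virtual_size": vsize,
            "raw_size": rawsize, "characteristics": flags,
            "entropy": shannon_entropy(raw),
        })
    return sections

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def flag_sections(sections):
    """Static-triage heuristics; returns {section name: [reasons]} for sections worth a closer look."""
    findings = {}
    for s in sections:
        reasons = []
        if s["entropy"] > 7.0:                       # assumed threshold: packed or encrypted content
            reasons.append("high entropy (packed or encrypted content)")
        if s["raw_size"] and s["virtual_size"] > 4 * s["raw_size"]:
            reasons.append("virtual size much larger than raw size (room for unpacked code)")
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            reasons.append("section is both writable and executable")
        if reasons:
            findings[s["name"]] = reasons
    return findings

if __name__ == "__main__":
    sections = parse_sections(build_sample_pe())
    for s in sections:
        print(s["name"], hex(s["virtual_address"]), s["raw_size"], round(s["entropy"], 2))
    print(flag_sections(sections))
```

To run it against a real sample, replace build_sample_pe() with open(path, "rb").read(); the same three checks apply to the ircbot.exe sections listed above.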

Listing 1-4: Extracting import information from ircbot.exe

pe = pefile.PE("/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe")
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    print(entry.dll)
    for function in entry.imports:
        print('\t', function.name)

#result:
b'KERNEL32.DLL'
	 b'GetLocalTime'
	 b'ExitThread'
	 b'CloseHandle'
	 b'WriteFile'
	 b'CreateFileA'
	 b'ExitProcess'
	 b'CreateProcessA'
	 b'GetTickCount'
	 b'GetModuleFileNameA'
	 b'GetSystemDirectoryA'
	 b'Sleep'
	 b'GetTimeFormatA'
	 b'GetDateFormatA'
	 b'GetLastError'
	 b'CreateThread'
	 b'GetFileSize'
	 b'GetFileAttributesA'
	 b'FindClose'
	 b'FileTimeToSystemTime'
	 b'FileTimeToLocalFileTime'
	 b'FindNextFileA'
	 b'FindFirstFileA'
	 b'ReadFile'
	 b'SetFilePointer'
	 b'WriteConsoleA'
	 b'GetStdHandle'
	 b'LoadLibraryA'
	 b'GetProcAddress'
	 b'GetModuleHandleA'
	 b'FormatMessageA'
	 b'GlobalUnlock'
	 b'GlobalLock'
	 b'UnmapViewOfFile'
	 b'MapViewOfFile'
	 b'CreateFileMappingA'
	 b'SetFileTime'
	 b'GetFileTime'
	 b'ExpandEnvironmentStringsA'
	 b'SetFileAttributesA'
	 b'GetTempPathA'
	 b'GetCurrentProcess'
	 b'TerminateProcess'
	 b'OpenProcess'
	 b'GetComputerNameA'
	 b'GetLocaleInfoA'
	 b'GetVersionExA'
	 b'TerminateThread'
	 b'FlushFileBuffers'
	 b'SetStdHandle'
	 b'IsBadWritePtr'
	 b'IsBadReadPtr'
	 b'HeapValidate'
	 b'GetStartupInfoA'
	 b'GetCommandLineA'
	 b'GetVersion'
	 b'DebugBreak'
	 b'InterlockedDecrement'
	 b'OutputDebugStringA'
	 b'InterlockedIncrement'
	 b'HeapAlloc'
	 b'HeapReAlloc'
	 b'HeapFree'
	 b'HeapDestroy'
	 b'HeapCreate'
	 b'VirtualFree'
	 b'VirtualAlloc'
	 b'WideCharToMultiByte'
	 b'MultiByteToWideChar'
	 b'LCMapStringA'
	 b'LCMapStringW'
	 b'GetCPInfo'
	 b'GetACP'
	 b'GetOEMCP'
	 b'UnhandledExceptionFilter'
	 b'FreeEnvironmentStringsA'
	 b'FreeEnvironmentStringsW'
	 b'GetEnvironmentStrings'
	 b'GetEnvironmentStringsW'
	 b'SetHandleCount'
	 b'GetFileType'
	 b'RtlUnwind'
	 b'SetConsoleCtrlHandler'
	 b'GetStringTypeA'
	 b'GetStringTypeW'
	 b'SetEndOfFile'
b'USER32.dll'
	 b'MessageBoxA'
# Recommended reading: the Python pefile module (parsing PE files)
# https://blog.csdn.net/b_h_l/article/details/9371611

Listing 1-6: Shell commands for extracting images from a malware sample

# Create the output directory. In a terminal, from /home/ubuntu20/桌面/malware_data_science/ch1/:
mkdir images
# wrestool (part of icoutils) extracts the image resources of fakepdfmalware.exe into images/.
# Install icoutils first.
sudo apt install icoutils
# Note the double dash: a single-dash '-output=images' is parsed by getopt as '-o utput=images',
# so the resource is written to a file literally named 'utput=images' and images/ stays empty.
wrestool -x --output=images '/home/ubuntu20/桌面/malware_data_science/ch1/fakepdfmalware.exe'
# icotool extracts every frame of the Adobe-style .ico icons and converts them to .png
icotool -x -o images images/*.ico
# (the original run, with the single-dash option, failed here with: icotool: images/*.ico: cannot open file,
# because the glob matched nothing)

Another way to convert the .ico icons to .png images

# -t14 restricts extraction to resource type 14 (RT_GROUP_ICON); output goes to the current directory
wrestool -x --output=. -t14 '/home/ubuntu20/桌面/malware_data_science/ch1/fakepdfmalware.exe'
# ImageMagick's convert does the .ico -> .png conversion
sudo apt install imagemagick-6.q16
for i in *.ico; do convert "$i" "$i.png"; done

images is the directory created above; utput=images is the icon resource (.ico format) that the mistyped single-dash option wrote; fakepdfmalware.exe_14_101_2052.ico is the icon extracted by wrestool (the file name encodes resource type 14, resource name 101 and language 2052); fakepdfmalware.exe_14_101_2052.ico.png is the converted .png.

Listing 1-7: Strings output showing that the malware can download attacker-specified files to the target machine

Listing 1-8: Strings output showing that the malware has an HTTP server an attacker can connect to

# List every string in the file
strings '/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe' | less
# Only print strings of at least 10 characters (drops most of the instruction-byte noise)
strings -n 10 '/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe' | less
# Write the strings from ircbot.exe to ircbotstring.txt
strings '/home/ubuntu20/桌面/malware_data_science/ch1/ircbot.exe' > ircbotstring.txt
# ircbotstring.txt contains:
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.idata
.reloc
DSVW
h,@C
TSVW
Ph@@C
(_^[
Y_^[
PSVW
hh@C
DSVW
ht@C
ht@C
Y_^[
DSVW
HSVW
X_^[
Pj,h
Pj,h
Pj`hA
Pj`h@
PSVW
PSVW
Ph\GC
Ph(GC
$hxFC
PhpFC
PhTFC
DSVW
@SVW
DSVW
XSVW
YYPh
YYPh
YYPh
YPhTHC
Y_^[
LSVW
Y_^[
Ph~f
Ph~f
hPKC
h0KC
Ph\KC
htPC
hpOC
h|NC
PhXNC
Ph<NC
Ph\MC
Ph@MC
hlLC
DSVW
hxQC
h`QC
YPh`QC
xSVW
hx[C
h\[C
hL[C
h<[C
h [C
htZC
h`ZC
hPZC
h<ZC
h,ZC
hlYC
hPYC
h4YC
h YC
h|XC
hpXC
hdXC
hPXC
h8XC
h(XC
hlWC
h\WC
hTWC
hDWC
h8WC
h,WC
h WC
h|VC
hlVC
h\VC
hLVC
h<VC
hlUC
hTUC
h4UC
h(UC
htTC
hdTC
hTTC
hDTC
h0TC
hlSC
hTSC
h8SC
hpRC
h`RC
hDRC
h$RC
X_^[
hl]C
hP]C
h4]C
h`\C
hD\C
h$\C
Y_^[
hDcH
j?h0dH
hDcH
hDcH
HSVW
HSVW
DSVW
hlCI
HSVW
LSVW
@SVW
X_^[
PhLdC
Ph0dC
lSVW
HSVW
DSVW
h<eC
h<eC
TSVW
PhpeC
DSVW
PSVW
XSVW
jIY3
HSVW
h,dH
hLfC
h,fC
@SVW
X_^[
h,dH
hLfC
h,fC
htkC
h`kC
h\kC
h8kC
h0kC
h,kC
h|jC
h\jC
h|jC
h8jC
htiC
hpiC
hhiC
h8iC
hhhC
YYh`hC
h0hC
h<gC
PhlfC
h`fC
hXfC
E,_^[
DSVW
HSVW
PSVW
PSVW
Ph(lC
h,lC
hSVW
hTlC
LSVW
DSVW
hhlC
h`lC
DSVW
HSVW
HSVW
HSVW
HSVW
h|lC
Y_^[
@SVW
%0bI
%4bI
%8bI
%<bI
%@bI
%DbI
%HbI
%LbI
%PbI
%TbI
%XbI
%\bI
%`bI
%dbI
%hbI
%lbI
%pbI
%tbI
%xbI
%|bI
tzVS
GIt%
t/Ku
t&:a
PRSVWh
_^[ZX
0SVW
,SVW
0SVW
&hhnC
QhDnC
 _^[
RhLpC
&h(pC
t!hPoC
QSVW
t!hlqC
Rh@qC
t!hlqC
QSVW
t!hlqC
QSVW
&hlrC
Rh@qC
 Qh8rC
u+hLsC
Rh(sC
H0_^[
u.htsC
A,+B,
J0+H0
hltC
PhXtC
RhLtC
RhDtC
\SVW
4SVW
QSVW
Q,Rh
Q0Rh
h uC
hluC
j5hduC
hPuC
j6hduC
h@uC
j7hduC
h,uC
j8hduC
_^[]
WVS3
^[_3
h uC
j8h|uC
j9h|uC
GIt#
t hPvC
h|wC
hxwC
hxwC
h\vC
h uC
hxxC
= FI
=pFI
=tFI
_^[]
h uC
$SVW
h@uC
h uC
																								
													
													
										
					
>jUh
h yC
^_[3
h uC
jAh(yC
uZj^h(yC
QSVW
t!h4yC
h(yC
hPyC
hLyC
U`]I
E`]I
E`]I
=l]I
=l]I
jmhhyC
=PFI
=tGjyhhyC
htyC
SVWUj
]_^[
t.;t$$t(
VC20XC00U
SVWU
tEVU
t3x<
]_^[
h|wC
hxwC
hD|C
lht|C
h`|C
QSVW
h uC
=,HI
=,HI
hLyC
|jyh
=(HI
=,FI
QSVW
QSVW
=,FI
% cI
%$cI
%(cI
%,cI
%0cI
%4cI
%8cI
%<cI
%@cI
%DcI
%HcI
%LcI
%PcI
%TcI
%XcI
%\cI
%`cI
%dcI
%hcI
%lcI
%pcI
%tcI
%xcI
%|cI
%d. %s = %s
-[Alias List]-
[%.2d-%.2d-%4d %.2d:%.2d:%.2d] %s
-[Logs]-
[LOGS]: Cleared.
[LOG]: List complete.
[LOG]: Begin
DISPLAY
Window
 n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
[DOWNLOAD]: Bad URL, or DNS Error: %s.
[DOWNLOAD]: Update failed: Error executing file: %s.
[DOWNLOAD]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
[DOWNLOAD]: Opened: %s.
open
[DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec.
[DOWNLOAD]: CRC Failed (%d != %d).
[DOWNLOAD]: Filesize is incorrect: (%d != %d).
[DOWNLOAD]: Update: %s (%dKB transferred).
[DOWNLOAD]: File download: %s (%dKB transferred).
[DOWNLOAD]: Couldn't open file: %s.
Cdrom
Network
Disk
Invalid
Unknown
%sKB
failed
[MAIN]: %s Drive (%s): %s total, %s free, %s available.
[MAIN]: %s Drive (%s): Failed to stat, device not ready.
[HTTPD]: Error: server failed, returned: <%d>.
GET 
HTTP/1.0 200 OK
Server: myBot
Cache-Control: no-cache,no-store,max-age=0
pragma: no-cache
Content-Type: %s
Content-Length: %i
Accept-Ranges: bytes
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Connection: close
HTTP/1.0 200 OK
Server: myBot
Cache-Control: no-cache,no-store,max-age=0
pragma: no-cache
Content-Type: %s
Accept-Ranges: bytes
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Connection: close
HH:mm:ss
ddd, dd MMM yyyy
application/octet-stream
text/html
[HTTPD]: Failed to start worker thread, error: <%d>.
[HTTPD]: Worker thread of server thread: %d.
%s%s
Found: %i Files and %i Directories
<TR>
<TD COLSPAN="3"><HR></TD>
</TR>
</TABLE>
</BODY>
</HTML>
PRIVMSG %s :Found %s Files and %s Directories
%-31s  %-21s (%i bytes)
</TD>
<TD WIDTH="%d"><CODE>%s</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>%dk</CODE></TD>
</TR>
"><CODE>%s</CODE></A>
"><CODE>%.30s&gt;</CODE></A>
PRIVMSG %s :%-31s  %-21s (%s bytes)
%-31s  %-21s
</TD>
<TD WIDTH="%d"><CODE>%s</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>-</CODE></TD>
</TR>
"><CODE>%s/</CODE></A>
"><CODE>%.29s&gt;/</CODE></A>
%s%s/
<TR>
<TD WIDTH="%d"><A HREF="
PRIVMSG %s :%-31s  %-21s
<%s>
%2.2d/%2.2d/%4d  %2.2d:%2.2d %s
<TR>
<TD COLSPAN="3"><A HREF="%s"><CODE>Parent Directory</CODE></A></TD>
</TR>
Searching for: %s
<TR>
<TD COLSPAN="3"><HR></TD>
</TR>
<TR>
<TD WIDTH="%d"><CODE>Name</CODE></TD>
<TD WIDTH="%d"><CODE>Last Modified</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>Size</CODE></TD>
</TR>
<H1>Index of %s</H1>
<TABLE BORDER="0">
<HTML>
<HEAD>
<TITLE>Index of %s</TITLE>
</HEAD>
<BODY>
PRIVMSG %s :Searching for: %s
%s %s HTTP/1.1
Referer: %s
Host: %s
Connection: close
Sending PRIVMSG!!!
%s %s :%s
PRIVMSG
NOTICE
[KEYLOG]: %s
[%d-%d-%d %d:%d:%d] %s
%s (Return) (%s)
%s (Buffer full) (%s)
%s (Changed Windows: %s)
capGetDriverDescriptionA
capCreateCaptureWindowA
avicap32.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
SHChangeNotify
ShellExecuteA
shell32.dll
WNetCancelConnection2W
WNetCancelConnection2A
WNetAddConnection2W
WNetAddConnection2A
mpr.dll
DeleteIpNetEntry
GetIpNetTable
iphlpapi.dll
DnsFlushResolverCacheEntry_A
DnsFlushResolverCache
dnsapi.dll
NetMessageBufferSend
NetUserGetInfo
NetUserEnum
NetUserDel
NetUserAdd
NetRemoteTOD
NetApiBufferFree
NetScheduleJobAdd
NetShareEnum
NetShareDel
NetShareAdd
netapi32.dll
IcmpSendEcho
IcmpCloseHandle
IcmpCreateFile
icmp.dll
Mozilla/4.0 (compatible)
InternetCloseHandle
InternetReadFile
InternetCrackUrlA
InternetOpenUrlA
InternetOpenA
InternetConnectA
HttpSendRequestA
HttpOpenRequestA
InternetGetConnectedStateEx
InternetGetConnectedState
wininet.dll
closesocket
getpeername
gethostbyaddr
gethostbyname
gethostname
getsockname
setsockopt
accept
listen
select
bind
recvfrom
recv
sendto
send
ntohl
ntohs
htonl
htons
inet_addr
inet_ntoa
connect
ioctlsocket
socket
WSACleanup
WSAGetLastError
WSAIoctl
__WSAFDIsSet
WSAAsyncSelect
WSASocketA
WSAStartup
ws2_32.dll
DeleteObject
DeleteDC
BitBlt
SelectObject
GetDIBColorTable
GetDeviceCaps
CreateCompatibleDC
CreateDIBSection
CreateDCA
gdi32.dll
GetUserNameA
IsValidSecurityDescriptor
EnumServicesStatusA
CloseServiceHandle
DeleteService
ControlService
StartServiceA
OpenServiceA
OpenSCManagerA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegDeleteValueA
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegOpenKeyExA
advapi32.dll
GetForegroundWindow
GetWindowTextA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
CloseClipboard
GetClipboardData
OpenClipboard
DestroyWindow
IsWindow
FindWindowA
SendMessageA
user32.dll
RegisterServiceProcess
QueryPerformanceFrequency
QueryPerformanceCounter
SearchPathA
GetDriveTypeA
GetLogicalDriveStringsA
GetDiskFreeSpaceExA
Module32First
Process32Next
Process32First
CreateToolhelp32Snapshot
SetErrorMode
kernel32.dll
[MAIN]: DLL test complete.
Avicap32.dll failed. <%d>
Odbc32.dll failed. <%d>
Shell32.dll failed. <%d>
Mpr32.dll failed. <%d>
Iphlpapi.dll failed. <%d>
Dnsapi.dll failed. <%d>
Netapi32.dll failed. <%d>
Icmp.dll failed. <%d>
Wininet.dll failed. <%d>
Ws2_32.dll failed. <%d>
Gdi32.dll failed. <%d>
Advapi32.dll failed. <%d>
User32.dll failed. <%d>
Kernel32.dll failed. <%d>
intranet
main
winpass
blank
office
control
nokia
siemens
compaq
dell
cisco
orainstall
sqlpassoainstall
db1234
databasepassword
data
databasepass
dbpassword
dbpass
access
domainpassword
domainpass
domain
hello
hell
slut
bitch
fuck
exchange
backup
technical
loginpass
login
mary
katie
kate
george
eric
chris
neil
brian
susan
luke
peter
john
mike
bill
fred
win2000
winnt
winxp
win2k
win98
windows
oeminstall
oemuser
user
homeuser
home
accounting
accounts
internet
outlook
mail
qwerty
null
server
system
changeme
linux
unix
demo
none
test
2004
2003
2002
2001
2000
1234567890
123456789
12345678
1234567
123456
12345
1234
pass
pass1234
passwd
password
password1
oracle
database
default
guest
wwwadmin
teacher
student
owner
computer
root
staff
admin
admins
administrat
administrateur
administrador
administrator
mIRC v6.03 K.Mardam-Bey
mIRC v6.01 K.Mardam-Bey
mIRC v5.82 K.Mardam-Bey
mIRC v5.71 K.Mardam-Bey
mIRC32 v6.12 K.Mardam-Bey
mIRC32 v6.03 K.Mardam-Bey
mIRC32 v6.01 K.Mardam-Bey
mIRC32 v5.82 K.Mardam-Bey
mIRC v6.03 Khaled Mardam-Bey
mIRC v6.12 Khaled Mardam-Bey
Yes.
Success
%s Error: %s <%d>.
mIRC
explorer.exe
%s %s
SeShutdownPrivilege
%%comspec%% /c %s %s
@echo off
:repeat
del "%%1"
if exist "%%1" goto repeat
del "%s"
%sdel.bat
[FLUSHDNS]: Not supported by this system.
[FLUSHDNS]: ARP cache is empty.
[FLUSHDNS]: Unable to allocation ARP cache.
[FLUSHDNS]: Error getting ARP cache: <%d>.
%d.%d.%d.%d
 %s (%d)
SeDebugPrivilege
[PROC]: Process list failed.
[PROC]: Process list completed.
[PROC]: Listing processes:
[MAIN]: Connected to %s.
NICK %s
USER %s 0 0 :%s
PASS %s
hcon
httpcon
[DOWNLOAD]: Failed to start transfer thread, error: <%d>.
[DOWNLOAD]: Downloading URL: %s to: %s.
dlz0r
d0wnl04d
[CAPTURE]: Invalid parameters for amateur video capture.
[CAPTURE]: Error while capturing amateur video from webcam.
[CAPTURE]: Amateur video saved to: %s.
video
[CAPTURE]: Invalid parameters for webcam capture.
[CAPTURE]: Error while capturing from webcam.
[CAPTURE]: Webcam capture saved to: %s.
frame
[CAPTURE]: Driver list complete.
[CAPTURE]: Driver #%d - %s - %s.
drivers
[CAPTURE]: No filename specified for screen capture.
[CAPTURE]: Error while capturing screen.
[CAPTURE]: Screen capture saved to: %s.
screen
capture
[KEYLOG]: No key logger thread found.
[KEYLOG]: Key logger stopped. (%d thread(s) stopped.)
[KEYLOG]: Failed to start logging thread, error: <%d>.
[KEYLOG]: Key logger active.
[KEYLOG]: Already running.
file
keylog
[HTTPD]: Failed to start server thread, error: <%d>.
[HTTPD]: Server listening on IP: %s:%d, Directory: %s\.
http
httpserver
TOPIC
[MAIN]: Joined channel: %s.
NOTICE %s :%s
[MAIN]: User %s logged out.
KICK
NICK %s
MODE %s +i
USERHOST %s
JOIN %s %s
PONG %s
PING
KBOT5
YEAH
%s%i
[%s]|
[%d]%s
%d. %s
-[Thread List]-
%s: No %s thread found.
%s: %s stopped. (%d thread(s) stopped.)
i386\chkesp.c
The value of ESP was not properly saved across a function call.  This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention. 
format != NULL
sprintf.c
string != NULL
vsprintf.c
Client
Ignore
Normal
Free
Error: memory allocation: bad memory block type.
Invalid allocation size: %u bytes.
Client hook allocation failure.
Client hook allocation failure at file %hs line %d.
dbgheap.c
_CrtCheckMemory()
_pFirstBlock == pOldBlock
_pLastBlock == pOldBlock
fRealloc || (!fRealloc && pNewBlock == pOldBlock)
_BLOCK_TYPE(pOldBlock->nBlockUse)==_BLOCK_TYPE(nBlockUse)
pOldBlock->nLine == IGNORE_LINE && pOldBlock->lRequest == IGNORE_REQ
_CrtIsValidHeapPointer(pUserData)
Allocation too large or negative: %u bytes.
Client hook re-allocation failure.
Client hook re-allocation failure at file %hs line %d.
_pFirstBlock == pHead
_pLastBlock == pHead
pHead->nBlockUse == nBlockUse
pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ
DAMAGE: after %hs block (#%d) at 0x%08X.
DAMAGE: before %hs block (#%d) at 0x%08X.
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)
Client hook free failure.
memory check error at 0x%08X = 0x%02X, should be 0x%02X.
%hs located at 0x%08X is %u bytes long.
%hs allocated at file %hs(%d).
DAMAGE: on top of Free block at 0x%08X.
DAMAGED
_heapchk fails with unknown return value!
_heapchk fails with _HEAPBADPTR.
_heapchk fails with _HEAPBADEND.
_heapchk fails with _HEAPBADNODE.
_heapchk fails with _HEAPBADBEGIN.
Bad memory block found at 0x%08X.
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
Object dump complete.
crt block at 0x%08X, subtype %x, %u bytes long.
normal block at 0x%08X, %u bytes long.
client block at 0x%08X, subtype %x, %u bytes long.
{%ld} 
%hs(%d) : 
#File Error#(%d) : 
Dumping objects ->
 Data: <%s> %s
%.2X 
Detected memory leaks!
Total allocations: %ld bytes.
Largest number used: %ld bytes.
%ld bytes in %ld %hs Blocks.
fclose.c
str != NULL
*mode != _T('\0')
mode != NULL
*file != _T('\0')
fopen.c
file != NULL
fprintf.c
Assertion Failed
Error
Warning
%s(%d) : %s
Assertion failed!
Assertion failed: 
_CrtDbgReport: String too long or IO Error
Second Chance Assertion Failed: File %s, Line %d
wsprintfA
Microsoft Visual C++ Debug Library
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s
(Press Retry to debug the application)
Module: 
File: 
Line: 
Expression: 
For information on how your program can cause an assertion
failure, see the Visual C++ documentation on asserts.
<program name unknown>
dbgrpt.c
szUserMessage != NULL
("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)
_flsbuf.c
 (8PX
700WP
`h````
ppxxxx
(null)
output.c
ch != _T('\0')
_freebuf.c
stream != NULL
_filbuf.c
_open.c
filename != NULL
stream.c
?IsProcessorFeaturePresent
KERNEL32
e+000
_sftbuf.c
flag == 0 || flag == 1
stdenvp.c
stdargv.c
a_env.c
ioinit.c
runtime error 
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
GetLastActivePopup
GetActiveWindow
MessageBoxA
_getbuf.c
_file.c
osfinfo.c
chsize.c
size >= 0
1#QNAN
1#INF
1#IND
1#SNAN
[ESC]
[ESC]
[F1]
[F1]
[F2]
[F2]
[F3]
[F3]
[F4]
[F4]
[F5]
[F5]
[F6]
[F6]
[F7]
[F7]
[F8]
[F8]
[F9]
[F9]
[F10]
[F10]
[F11]
[F11]
[F12]
[F12]
[TAB]
[TAB]
[CTRL]
[CTRL]
[WIN]
[WIN]
[WIN]
[WIN]
[PRSC]
[PRSC]
[SCLK]
[SCLK]
[INS]
[INS]
[HOME]
[HOME]
[PGUP]
[PGUP]
[DEL]
[DEL]
[END]
[END]
[PGDN]
[PGDN]
[LEFT]
[LEFT]
[UP]
[UP]
[RGHT]
[RGHT]
[DOWN]
[DOWN]
[NMLK]
[NMLK]
bbot
bBot-Version 0.6
index
botirc.net
#test
irc.server2.net
#channel2
channelpass2
wuamgrd32.exe
key.txt
winnt DNS ident
bBot|
sysconfig.dat
#channel
#channel
#channel
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
Software\Microsoft\OLE
SYSTEM\CurrentControlSet\Control\Lsa
const
letter
comp
country
kU'9
HMXB
?Zd;
?/L[
S;uD
z?aUY
D?$?
U>c{
zc%C1
.:3q
-64OS
NKeb
KERNEL32.DLL
USER32.dll
GetLocalTime
ExitThread
CloseHandle
WriteFile
CreateFileA
ExitProcess
CreateProcessA
GetTickCount
GetModuleFileNameA
GetSystemDirectoryA
Sleep
GetTimeFormatA
GetDateFormatA
GetLastError
CreateThread
GetFileSize
GetFileAttributesA
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
FindNextFileA
FindFirstFileA
ReadFile
SetFilePointer
WriteConsoleA
GetStdHandle
LoadLibraryA
GetProcAddress
GetModuleHandleA
FormatMessageA
GlobalUnlock
GlobalLock
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
SetFileTime
GetFileTime
ExpandEnvironmentStringsA
SetFileAttributesA
GetTempPathA
GetCurrentProcess
TerminateProcess
OpenProcess
GetComputerNameA
GetLocaleInfoA
GetVersionExA
TerminateThread
FlushFileBuffers
SetStdHandle
IsBadWritePtr
IsBadReadPtr
HeapValidate
GetStartupInfoA
GetCommandLineA
GetVersion
DebugBreak
InterlockedDecrement
OutputDebugStringA
InterlockedIncrement
HeapAlloc
HeapReAlloc
HeapFree
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
WideCharToMultiByte
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetCPInfo
GetACP
GetOEMCP
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetFileType
RtlUnwind
SetConsoleCtrlHandler
GetStringTypeA
GetStringTypeW
SetEndOfFile
MessageBoxA
# Extracted content for Listing 1-7:
[DOWNLOAD]: Bad URL, or DNS Error: %s.
[DOWNLOAD]: Update failed: Error executing file: %s.
[DOWNLOAD]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
[DOWNLOAD]: Opened: %s.
open
[DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec.
[DOWNLOAD]: CRC Failed (%d != %d).
[DOWNLOAD]: Filesize is incorrect: (%d != %d).
[DOWNLOAD]: Update: %s (%dKB transferred).
[DOWNLOAD]: File download: %s (%dKB transferred).
[DOWNLOAD]: Couldn't open file: %s.
# Extracted content for Listing 1-8:
GET 
HTTP/1.0 200 OK
Server: myBot
Cache-Control: no-cache,no-store,max-age=0
pragma: no-cache
Content-Type: %s
Content-Length: %i
Accept-Ranges: bytes
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Connection: close
HTTP/1.0 200 OK
Server: myBot
Cache-Control: no-cache,no-store,max-age=0
pragma: no-cache
Content-Type: %s
Accept-Ranges: bytes
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Connection: close
HH:mm:ss
ddd, dd MMM yyyy
application/octet-stream
text/html
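The dump above shows why the book uses strings -n 10: the four-character lines such as "DSVW" and "h uC" are x86 instruction bytes that happen to be printable, while the real evidence (the [DOWNLOAD], [HTTPD], [KEYLOG] and PRIVMSG messages, the Run key, the capture and networking API names) is longer. Plain strings also misses text stored as UTF-16LE, which Windows binaries use for many Unicode strings; GNU strings reads those with -e l. The following Python, an added example that is neither the book's code nor this page's, does both extractions in pure Python and then maps the extracted strings, together with the import names from Listing 1-4, onto the capabilities that Listings 1-7 and 1-8 argue for. The SAMPLE bytes are constructed for this example (a handful of strings copied from the dump above, padded with non-printable filler and one UTF-16LE string); the CAPABILITIES table and the function names are assumptions for illustration, built only from indicators that appear on this page.

```python
import re

# Constructed sample standing in for a binary (not ircbot.exe): readable fragments
# from the strings dump above, separated by non-printable filler, plus one UTF-16LE
# string that plain ASCII extraction cannot see.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    b"[KEYLOG]: Key logger active.\x00\x00"
    b"GetAsyncKeyState\x00"
    b"[HTTPD]: Server listening on IP: %s:%d, Directory: %s\\.\x00\xff\xfe"
    b"Server: myBot\x00"
    b"PRIVMSG %s :Found %s Files and %s Directories\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x7f"
    b"capCreateCaptureWindowA\x00"
    b"[DOWNLOAD]: Downloading URL: %s to: %s.\x00"
    b"h uC\x00\x00"                      # instruction-byte junk that a -n 10 threshold drops
    b"H\x00e\x00l\x00l\x00o\x00 \x00W\x00o\x00r\x00l\x00d\x00"   # "Hello World" as UTF-16LE
)

PRINTABLE = rb"[\x20-\x7e]"

def extract_strings(data, min_len=10):
    """What `strings -n N` does: runs of at least N printable ASCII bytes."""
    pattern = PRINTABLE + rb"{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def extract_utf16le_strings(data, min_len=10):
    """What `strings -e l -n N` does: printable ASCII code points stored as UTF-16LE."""
    pattern = rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]

# Indicator table built from the listings on this page (assumed, not exhaustive):
# each needle is a case-sensitive substring of a string or an import name.
CAPABILITIES = {
    "keylogging": ["[KEYLOG]", "GetAsyncKeyState", "GetKeyState"],
    "file download": ["[DOWNLOAD]", "InternetOpenUrlA", "InternetReadFile"],
    "embedded HTTP server": ["[HTTPD]", "Server: myBot", "HTTP/1.0 200 OK"],
    "IRC command and control": ["PRIVMSG", "NICK %s", "JOIN %s"],
    "webcam capture": ["capCreateCaptureWindowA", "[CAPTURE]"],
    "registry persistence": ["CurrentVersion\\Run"],
    "process tampering": ["CreateToolhelp32Snapshot", "TerminateProcess", "SeDebugPrivilege"],
}

def classify(strings, imports=()):
    """Map extracted strings plus import names to capabilities: {capability: [evidence]}."""
    candidates = list(strings) + list(imports)
    evidence = {}
    for capability, needles in CAPABILITIES.items():
        hits = sorted({c for c in candidates for n in needles if n in c})
        if hits:
            evidence[capability] = hits
    return evidence

if __name__ == "__main__":
    found = extract_strings(SAMPLE) + extract_utf16le_strings(SAMPLE)
    # import names as pefile would report them for the KERNEL32.DLL entry above
    report = classify(found, imports=["TerminateProcess", "OpenProcess", "CreateProcessA"])
    for capability, hits in report.items():
        print(capability)
        for hit in hits:
            print("\t", hit)
```

Evidence from strings is only a hint about what the code can do, not proof of what it does on a given run; the same capability table is the starting point for the dynamic checks in later chapters, where the [DOWNLOAD] and [HTTPD] messages can be matched against observed network activity.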
