Thursday, July 1, 2010

SpyEye Notes To Share

Hash constants from a SpyEye sample, each annotated with the API export or string it was observed to resolve to. Intended for adding labels and comments to the disassembly: the sample resolves these APIs by hash rather than through a normal import table, so the constants are the only static clue to what it calls. The hashing routine itself is not reproduced on this page.


; --- advapi32 -------------------------------------------------------
; Each line: 32-bit hash constant (MASM hex literal, trailing 'h', leading
; 0 when the first digit is a letter) and the export it resolves to.
; The hash routine is not given on this page, so these values only match
; samples that use the same routine -- recompute before reusing them as
; signatures.
; RegOpenKeyExA/RegSetValueExA together with the
; SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN string in the table at the
; end are consistent with Run-key persistence; presumably that is what
; they are used for (not shown here -- confirm in the disassembly).
0DB355534h ; advapi32.RegCloseKey
0AAD67FF8h ; advapi32.RegOpenKeyExA
3E400FD6h ; advapi32.RegSetValueExA


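; --- kernel32 -------------------------------------------------------
; Hash constant -> export it resolves to.  MASM hex literals: trailing
; 'h', leading 0 when the first digit is a letter (one entry below was
; missing its 'h'; fixed, and an exact duplicate VirtualQuery row dropped).
; The hash routine is not reproduced on this page; values are specific
; to it.  Note the near-identical values for Get/Set pairs
; (GetFileAttributesA vs SetFileAttributesA, GetFileTime vs SetFileTime):
; a one-character change in the name moves only a few bits, so the
; routine is weak and collisions between unrelated names are possible --
; do not treat a single hash match as proof of the API without checking
; the call site.
723EB0D5h ; kernel32.CloseHandle
0A073577h ; kernel32.CreateDirectoryA
8F8F114h ; kernel32.CreateFileA
46318AC7h ; kernel32.CreateProcessA
6FB89AF0h ; kernel32.CreateThread
5BC1D14Fh ; kernel32.CreateToolhelp32Snapshot   ; process enumeration; Process32First is below, Process32Next is hashed as a bare string in the last table
475587B7h ; kernel32.GetFileAttributesA
0AEF7CBF1h ; kernel32.GetFileSize
0AE17C071h ; kernel32.GetFileTime
774393E8h ; kernel32.GetModuleFileNameA
9C480E24h ; kernel32.GetOSVersionExA   ; NOTE(review): kernel32 exports GetVersionExA, not GetOSVersionExA -- check which name this hash was computed from
0FA4F502h ; kernel32.GetTempFileNameA
58FE7ABEh ; kernel32.GetTempPathA
69260152h ; kernel32.GetTickCount
52AC19Ch ; kernel32.IsWow64Process   ; 32-bit-process-on-64-bit-Windows check
0C8AC8026h ; kernel32.LoadLibrary   ; NOTE(review): no A/W suffix recorded; the real export is LoadLibraryA or LoadLibraryW
2CA2B7E6h ; kernel32.lstrcmp   ; NOTE(review): likewise lstrcmpA / lstrcmpW
99A4299Dh ; kernel32.OpenProcess
19F78C90h ; kernel32.Process32First
487FE16Bh ; kernel32.ReadFile
4D5587B7h ; kernel32.SetFileAttributesA   ; one nibble away from GetFileAttributesA above
0EF48E03Ah ; kernel32.SetFilePointer
0AE17C571h ; kernel32.SetFileTime   ; one nibble away from GetFileTime above; Get+Set pair suggests timestamp copying (unconfirmed here)
0BC262395h ; kernel32.SetThreadPriority
3D9972F5h ; kernel32.Sleep   ; the same value is listed for ws2_32.closesocket below -- one of the two is likely a copy error
5C17EC75h ; kernel32.VirtualFreeEx
6A582465h ; kernel32.VirtualQuery
0F3FD1C3h ; kernel32.WriteFile   ; 'h' suffix added (was missing)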


; --- msvcrt ---------------------------------------------------------
; Hash constant -> export.  Three of these four values reappear in the
; ntdll table below under different names (_mbscat/strcat, _mbscpy/strcpy,
; sprintf/sprintf).  sprintf==sprintf is expected; _mbscat==strcat is not
; unless the routine hashes only part of the name, or the annotation was
; copied -- unresolved on this page.
4E58F36Bh ; msvcrt._mbscat   ; same value as ntdll.strcat below
4E58FBE6h ; msvcrt._mbscpy   ; same value as ntdll.strcpy below
2D3A75E1h ; msvcrt.sprintf   ; same value as ntdll.sprintf below (same name, expected)
4E5B3171h ; msvcrt.strlen


; --- ntdll ----------------------------------------------------------
; Hash constant -> export.  Several hashes carry two names on this page:
; NtQuerySystemInformation / ZwQuerySystemInformation (0B044A119h) and
; NtWriteVirtualMemory / ZwWriteVirtualMemory (2EE7ADA3h).  In user-mode
; ntdll the Nt* and Zw* exports normally point at the same routine, but
; the page does not say which spelling the hash was computed over --
; verify against the resolver before relying on either.
; NtProtectVirtualMemory / NtReadVirtualMemory / NtWriteVirtualMemory and
; ZwCreateSection / ZwMapViewOfSection / ZwUnmapViewOfSection are the set
; typically used for cross-process memory writes and section-based
; injection; how they are used here is not shown on this page.
0FD3D37E4h ; ntdll._itoa
72DC01E1h ; ntdll._snprintf
5DB8F59Eh ; ntdll.memcmp
5DB8FB17h ; ntdll.memcpy
3896F63Eh ; ntdll.NtProtectVirtualMemory
0B044A119h ; ntdll.NtQuerySystemInformation   ; same value listed below as ZwQuerySystemInformation
0B747BC39h ; ntdll.NtReadVirtualMemory
2EE7ADA3h ; ntdll.NtWriteVirtualMemory   ; same value listed below as ZwWriteVirtualMemory
0C2A6B1AEh ; ntdll.RtlAdjustPrivilege   ; enables a token privilege without advapi32 (commonly SeDebugPrivilege -- not stated here)
1297812Ch ; ntdll.RtlGetLastWin32Error
3287EC73h ; ntdll.RtlInitUnicodeString
1295012Ch ; ntdll.RtlSetLastWin32Error   ; one nibble away from RtlGetLastWin32Error above
2D3A75E1h ; ntdll.sprintf   ; same value as msvcrt.sprintf above
4E58F36Bh ; ntdll.strcat   ; same value as msvcrt._mbscat above
4E58FBE6h ; ntdll.strcpy   ; same value as msvcrt._mbscpy above
3D9AC241h ; ntdll.ZwClose
6E6F608Bh ; ntdll.ZwCreateSection
534E9A3Ch ; ntdll.ZwMapViewOfSection
9C45B56Ch ; ntdll.ZwOpenFile
0FDB94B7h ; ntdll.ZwQueryInformationFile
0B044A119h ; ntdll.ZwQuerySystemInformation   ; duplicate of the NtQuerySystemInformation value above
5ED4D3E1h ; ntdll.ZwUnmapViewOfSection
2EE7ADA3h ; ntdll.ZwWriteVirtualMemory   ; duplicate of the NtWriteVirtualMemory value above


; --- ole32 ----------------------------------------------------------
; Hash constant -> export.  CoMarshalInterThreadInterfaceInStream /
; CoGetInterfaceAndReleaseStream are the pair for handing a COM interface
; pointer to another thread; together with the "Microsoft Internet
; Explorer" string in the last table this looks like browser COM
; automation, but the page does not show the interface being used.
368435BEh ; ole32.CoCreateInstance
0F341D5CFh ; ole32.CoInitialize
0D120A506h ; ole32.CoGetInterfaceAndReleaseStream
4402F8B2h ; ole32.CoMarshalInterThreadInterfaceInStream
0EDB3159Dh ; ole32.CoUninitialize
951314A0h ; ole32.OleUninitialize   ; note: CoInitialize is listed but OleInitialize is not


; --- oleaut32 -------------------------------------------------------
; BSTR helpers, consistent with the COM use in the ole32 table above.
39AEDD1Bh ; oleaut32.SysFreeString
3F1087D9h ; oleaut32.SysStringLen


; --- wininet --------------------------------------------------------
; Hash constant -> export.  InternetOpenA / InternetOpenUrlA /
; InternetReadFile / HttpQueryInfoA is a plain HTTP download path (what is
; fetched -- config, updates -- is not shown on this page).
; InternetQueryOptionA may be reading proxy settings; unconfirmed.
2F5CE027h ; wininet.HttpQueryInfoA
7314FB0Ch ; wininet.InternetCloseHandle
8593DD7h ; wininet.InternetOpenA
0B87DBD66h ; wininet.InternetOpenUrlA
7EDEC584h ; wininet.InternetQueryDataAvailable
2AE71934h ; wininet.InternetQueryOptionA
1A212962h ; wininet.InternetReadFile

; --- ws2_32 ---------------------------------------------------------
; Raw socket path alongside the WinInet calls above.  Only socket /
; gethostbyname / send are listed -- no connect or recv -- so this table
; is probably incomplete rather than a full picture of the network code.
3D9972F5h ; ws2_32.closesocket   ; NOTE(review): identical to kernel32.Sleep (3D9972F5h) above -- a genuine collision in a weak hash or a copy error; verify before labelling
0F44318C6h ; ws2_32.gethostbyname
0E797764h ; ws2_32.send
0FC7AF16Ah ; ws2_32.socket
0CDDE757Dh ; ws2_32.WSAStartup


; --- user32 ---------------------------------------------------------
7506E960h ; user32.ShowWindow   ; the only user32 import recorded; presumably used to hide a window (SW_HIDE) -- not shown here


; --- String hashes --------------------------------------------------
; The same hash scheme applied to strings: process names, file names, a
; registry path, named-object names, and further API names that are
; hashed without a module prefix.  Two strings (config.bin,
; cleansweep.exe) appear twice with different values, which this page
; does not explain -- possibly a different routine or a longer input
; (e.g. a full path); do not assume one value per string.
0BE037055h ; explorer.exe
46DC9AE6h ; Microsoft Internet Explorer
64A4AF94h ; SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN   ; autorun key (persistence, see advapi32 RegSetValueExA); written upper-case here
66E5FC1Bh ; config.bin   ; a second, different value for config.bin appears below (53DDB9DCh)
0B930573h ; __SPYNET_RELOADCFG__   ; repeated verbatim further down
0B6CA7D4Fh ; __SPYNET_UNINSTALL__
0DBF381B5h ; NtOpenProcess   ; bare export name, no module prefix -- presumably resolved from ntdll by name
6AE69F02h ; kernel32.dll
0E62E824Dh ; VirtualAllocEx
0F7C7AE42h ; ReadProcessMemory
4F58972Eh ; WriteProcessMemory
1BFB8645h ; VirtualQueryEx
28ED5C0h ; Process32Next   ; pairs with CreateToolhelp32Snapshot / Process32First in the kernel32 table
5D180413h ; VirtualProtectEx
0FF808C10h ; CreateRemoteThread   ; VirtualAllocEx + WriteProcessMemory + VirtualProtectEx + CreateRemoteThread is the classic remote-thread injection set
3DC4AC21h ; csrss.exe
98DA1BA1h ; cleansweep.exe   ; a different value for the same name appears below (0DDF19554h)
4A9736A0h ; smss.exe
0CEE114BDh ; System   ; csrss.exe / smss.exe / System together look like a process skip-list for injection -- confirm in the disassembly
57D3F3DBh ; config.dat
0B591FE9h ; webinjects.txt
8E3E362Eh ; screenshots.txt
3A417CE1h ; ftp://%s:%s@s   ; NOTE(review): compare the POP3 format below -- the trailing '@s' reads like a dropped '%' (ftp://%s:%s@%s); copied here as written
0B7DF383Ah ; POP3 : %s:%s@%s   ; credential format user:pass@host
53DDB9DCh ; config.bin   ; second value for config.bin (see 66E5FC1Bh above)
8BB5F34Ah ; \BaseNamedObjects\__SPYNET_REPALREADYSEND__   ; named-object path (a mutex or event, presumably)
0B930573h ; __SPYNET_RELOADCFG__   ; exact duplicate of the entry above
33C8BA0Ch ; __SPYNET__
0E725FAB5h ; cleansweepupd.exe
0DDF19554h ; cleansweep.exe   ; second value for cleansweep.exe (see 98DA1BA1h above)


Enjoy!!!