Maldun Security Analysis Report

Analysis type  Start time           End time             Duration    Analysis engine version
FILE           2021-06-18 21:00:18  2021-06-18 21:00:38  20 seconds  1.4-Maldun

VM name                  Label                    Hypervisor  Boot time            Shutdown time
win7-sp1-x64-shaapp03-1  win7-sp1-x64-shaapp03-1  KVM         2021-06-18 21:00:18  2021-06-18 21:00:39
Maldun Score

0.05

Normal

File details

File name: ACE-GAME.sys
File size: 751872 bytes
File type: PE32+ executable (native) x86-64, for MS Windows
CRC32 55C05935
MD5 32c9df5851abb153fdc8e84395503c10
SHA1 b33d1fcfe91286901f5d7d689effcbf7778139d4
SHA256 eead7704abec2b0dacf6c10a191efc9304777a464e3113b5d9a0418cb8bea7d6
SHA512 42dc93128a6ed4a21d5ec05bb729e792c9efae8ecc85d235dff0b963e713cca74f0df49239c50ff06a361b8838c6564a92b642c61edf2e302e9e5719ddf55246
Ssdeep 12288:mqyVaFXVkhT7q+Bjq0uS3Os/sSk6Fb2QnqPu9zOYvin6/v/fNTeDoNynk5Oz4SUM:mqyVawT7q+BjZuS3OcFb2QnqPu9zOYv+
PEiD: No match
Yara
  • with_urls (Detected the presence of an or several urls)
  • IsPE64 (Detected a 64bit PE sample)
  • HasOverlay (Detected Overlay signature)
  • HasDigitalSignature (Detected Digital Signature)
  • HasDebugData (Detected Debug Data)
  • HasRichSignature (Detected Rich Signature)
  • DebuggerTiming__PerformanceCounter ()
VirusTotal: VirusTotal query failed

Signatures

The sample's signing certificate is valid
Maldun Security Yara detection result - normal

Runtime screenshots

No runtime screenshots

Network analysis

No information

Static analysis

PE information

Image base: 0x140000000
Entry point: 0x14016f000
Declared checksum: 0x000c746f
Actual checksum: 0x000c746f
Minimum required OS version: 10.0
PDB path: ACE-GAME.pdb
Compile time: 2021-05-28 11:00:36
Import hash: 9e07573c0893789df0b3065881056dc9

Version information

LegalCopyright: \xc2 AntiCheatExpert.com Limited. All Rights Reserved.
InternalName: ACE-GAME64
FileVersion: 1.0.2105.5120
CompanyName: ANTICHEATEXPERT.COM
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Anti-Cheat Expert
SpecialBuild:
ProductVersion: 1.0.0.0
FileDescription: ACE-GAME64 NT Driver
Translation: 0x0409 0x04b0

PE sections

Name    Virtual address  Virtual size  Raw data size  Entropy  Characteristics
.text   0x00001000       0x000253c5    0x00025400     5.98     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
.rdata  0x00027000       0x00041a14    0x00041c00     4.85     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ
.data   0x00069000       0x001023a0    0x00000c00     3.36     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
.pdata  0x0016c000       0x000019ec    0x00001a00     5.30     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ
.CRT    0x0016e000       0x00000008    0x00000200     0.06     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_READ
INIT    0x0016f000       0x0000115c    0x00001200     5.24     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
.rsrc   0x00171000       0x000003d0    0x00000400     3.24     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ
.reloc  0x00172000       0x00000068    0x00000200     1.36     IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ
.tvm0   0x00173000       0x00046000    0x00046000     5.75     IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_NOT_PAGED|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ

Overlay

Offset: 0x000b1400
Size: 0x00006500

Resources

Name        Offset      Size        Language      Sublanguage                 Entropy  File type
RT_VERSION  0x00171060  0x00000370  LANG_CHINESE  SUBLANG_CHINESE_SIMPLIFIED  3.49     data

Imports

Library FLTMGR.SYS:
0x140027000 - FltGetFileNameInformationUnsafe
0x140027008 - FltReleaseFileNameInformation
0x140027010 - FltStartFiltering
0x140027018 - FltUnregisterFilter
0x140027020 - FltRegisterFilter
0x140027028 - FltGetRequestorProcessId
Library HIDPARSE.SYS:
0x140027050 - HidP_GetCollectionDescription
Library ntoskrnl.exe:
0x140027060 - KeAcquireGuardedMutex
0x140027068 - KeReleaseGuardedMutex
0x140027070 - ObfDereferenceObject
0x140027078 - KeStackAttachProcess
0x140027080 - KeUnstackDetachProcess
0x140027088 - PsLookupProcessByProcessId
0x140027090 - PsSetLoadImageNotifyRoutine
0x140027098 - PsRemoveLoadImageNotifyRoutine
0x1400270a0 - KeSetEvent
0x1400270a8 - KeWaitForSingleObject
0x1400270b0 - strncpy
0x1400270b8 - PsGetCurrentProcessId
0x1400270c0 - PsGetCurrentThreadId
0x1400270c8 - PsSetCreateProcessNotifyRoutineEx
0x1400270d0 - RtlInitUnicodeString
0x1400270d8 - KeInitializeEvent
0x1400270e0 - KeClearEvent
0x1400270e8 - IofCompleteRequest
0x1400270f0 - IoCreateDevice
0x1400270f8 - IoCreateNotificationEvent
0x140027100 - IoCreateSymbolicLink
0x140027108 - IoDeleteDevice
0x140027110 - IoDeleteSymbolicLink
0x140027118 - ZwClose
0x140027120 - MmGetSystemRoutineAddress
0x140027128 - MmIsAddressValid
0x140027130 - wcsncmp
0x140027138 - wcsncpy
0x140027140 - ExAllocatePool
0x140027148 - RtlIntegerToUnicodeString
0x140027150 - RtlCompareUnicodeString
0x140027158 - RtlAppendUnicodeToString
0x140027160 - PsCreateSystemThread
0x140027168 - PsTerminateSystemThread
0x140027170 - ObReferenceObjectByHandle
0x140027178 - SeQuerySessionIdToken
0x140027180 - PsReferencePrimaryToken
0x140027188 - PsDereferencePrimaryToken
0x140027190 - ObQueryNameString
0x140027198 - PsGetProcessPeb
0x1400271a0 - __C_specific_handler
0x1400271a8 - DbgPrint
0x1400271b0 - ZwWaitForSingleObject
0x1400271b8 - RtlGetVersion
0x1400271c0 - KeAcquireSpinLockRaiseToDpc
0x1400271c8 - KeReleaseSpinLock
0x1400271d0 - KeIpiGenericCall
0x1400271d8 - MmGetPhysicalAddress
0x1400271e0 - MmGetVirtualForPhysical
0x1400271e8 - KeNumberProcessors
0x1400271f0 - KeDelayExecutionThread
0x1400271f8 - KeQueryTimeIncrement
0x140027200 - wcsrchr
0x140027208 - RtlCopyUnicodeString
0x140027210 - RtlAppendUnicodeStringToString
0x140027218 - ZwUnloadDriver
0x140027220 - MmBuildMdlForNonPagedPool
0x140027228 - MmMapLockedPagesSpecifyCache
0x140027230 - MmUnmapLockedPages
0x140027238 - IoAllocateMdl
0x140027240 - IoFreeMdl
0x140027248 - ZwCreateFile
0x140027250 - ZwQueryInformationFile
0x140027258 - ZwReadFile
0x140027260 - ZwWriteFile
0x140027268 - ZwCreateSection
0x140027270 - ZwMapViewOfSection
0x140027278 - ZwUnmapViewOfSection
0x140027280 - KeRegisterBugCheckReasonCallback
0x140027288 - ProbeForWrite
0x140027290 - KeInitializeGuardedMutex
0x140027298 - MmProbeAndLockPages
0x1400272a0 - MmUnlockPages
0x1400272a8 - MmProtectMdlSystemAddress
0x1400272b0 - RtlAnsiStringToUnicodeString
0x1400272b8 - RtlUnicodeStringToAnsiString
0x1400272c0 - PsGetVersion
0x1400272c8 - IoGetLowerDeviceObject
0x1400272d0 - IoDriverObjectType
0x1400272d8 - _wcsnicmp
0x1400272e0 - ZwOpenKey
0x1400272e8 - ZwQueryValueKey
0x1400272f0 - ZwOpenSymbolicLinkObject
0x1400272f8 - ZwQuerySymbolicLinkObject
0x140027300 - RtlUpcaseUnicodeString
0x140027308 - wcsstr
0x140027310 - _wcsupr
0x140027318 - ExAcquireRundownProtection
0x140027320 - ExReleaseRundownProtection
0x140027328 - PsInitialSystemProcess
0x140027330 - _strnicmp
0x140027338 - strncmp
0x140027340 - RtlInitAnsiString
0x140027348 - ExAcquireFastMutex
0x140027350 - ExReleaseFastMutex
0x140027358 - RtlInt64ToUnicodeString
0x140027360 - RtlFreeUnicodeString
0x140027368 - RtlFreeAnsiString
0x140027370 - wcsncpy_s
0x140027378 - ZwSetInformationFile
0x140027380 - CcCoherencyFlushAndPurgeCache
0x140027388 - RtlWalkFrameChain
0x140027390 - KeEnterCriticalRegion
0x140027398 - KeLeaveCriticalRegion
0x1400273a0 - ExInitializeResourceLite
0x1400273a8 - ExAcquireResourceSharedLite
0x1400273b0 - ExAcquireResourceExclusiveLite
0x1400273b8 - ExReleaseResourceLite
0x1400273c0 - ExDeleteResourceLite
0x1400273c8 - RtlInitializeGenericTableAvl
0x1400273d0 - RtlInsertElementGenericTableAvl
0x1400273d8 - RtlDeleteElementGenericTableAvl
0x1400273e0 - RtlLookupElementGenericTableAvl
0x1400273e8 - RtlIsGenericTableEmptyAvl
0x1400273f0 - IoGetCurrentProcess
0x1400273f8 - KeBugCheckEx
0x140027400 - ExFreePoolWithTag
0x140027408 - KeDeregisterBugCheckReasonCallback
0x140027410 - ExAllocatePoolWithTag
0x140027418 - ProbeForRead
0x140027420 - ZwCreateKey
0x140027428 - ZwDeleteKey
0x140027430 - ZwEnumerateKey
0x140027438 - ZwSetValueKey
Library HAL.dll:
0x140027038 - KeStallExecutionProcessor
0x140027040 - KeQueryPerformanceCounter

Dropped files

No information

Behavior analysis

Mutexes: No information
Commands executed: No information
Services created: No information
Services started: No information

Processes

No information
Files accessed: No information
Files read: No information
Files modified: No information
Files deleted: No information
Registry keys: No information
Registry keys read: No information
Registry keys modified: No information
Registry keys deleted: No information
API resolution: No information