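It looks like the server is being attacked through the resources it offers for download.
Is the problem in AddResourcesList or in SizeOfResourceList? This is the repair I made earlier for SizeOfResourceList.
It is for Windows only;
I will not be doing a Linux version.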
Code:
/*
035A5394 <>|> /8B50 48 /mov edx, dword ptr [eax+48] ; loc_1D35394
035A5397 |. |8B48 40 |mov ecx, dword ptr [eax+40]
035A539A |. |03FA |add edi, edx
035A539C |. |83F9 02 |cmp ecx, 2
035A539F |. |75 0B |jnz short <loc_1D353AC>
035A53A1 |. |8378 44 01 |cmp dword ptr [eax+44], 1
035A53A5 |. |75 05 |jnz short <loc_1D353AC>
035A53A7 |. |0156 18 |add dword ptr [esi+18], edx
035A53AA |. |EB 03 |jmp short <loc_1D353AF>
035A53AC <>|> |01148E |add dword ptr [esi+ecx*4], edx ; loc_1D353AC
035A53AF <>|> |8B80 80000000 |mov eax, dword ptr [eax+80] ; loc_1D353AF
035A53B5 |. |3BC3 |cmp eax, ebx
035A53B7 |.^\75 DB \jnz short <loc_1D35394>
*/
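/*
 * Bounds-checked replacement for the accumulation step of the loop shown in
 * the disassembly listing, reached through the CALL that
 * PatchSizeofResourceList() writes into the target module.
 *
 * Register contract at entry, as read from that listing:
 *   EAX = current list node ([EAX+0x40] was loaded into ECX, [EAX+0x48] into
 *         EDX, [EAX+0x80] is the next node)
 *   ECX = index into the DWORD table at ESI
 *   EDX = value to add
 *   ESI = base of the DWORD table
 * On return EAX holds the next node, exactly as the overwritten
 * `mov eax, [eax+80]` left it. No stack space is used and no register other
 * than EAX is modified; flags are clobbered, but the caller's next
 * instruction is `cmp eax, ebx`.
 *
 * ECX and EDX come straight from the node, so ECX must be range-checked
 * before it is used as an index. Indices 0..7 are accepted (unsigned
 * compare); this assumes the table at ESI has 8 DWORD slots -- TODO confirm
 * against the target build.
 */
__declspec(naked)void Safe_SizeofResourceList()
{
    __asm{
        // The patch site removes the original `jmp short` that skipped the
        // indexed add when ECX == 2 and [EAX+0x44] == 1 (that case has
        // already been added to [ESI+0x18]), so the same test is repeated
        // here to keep it from being counted twice.
        CMP ECX,2
        JNE _CheckIndex
        CMP DWORD PTR [EAX+0x44],1
        JE _SkipAdd
    _CheckIndex:
        CMP ECX,7
        JA _SkipAdd                     // out-of-range index: drop the add
        ADD DWORD PTR [ESI+ECX*4],EDX
    _SkipAdd:
        MOV EAX,[EAX+0x80]              // advance to the next node
        RET
    }
}
//
/*
 * Locate the unchecked `add [esi+ecx*4], edx` inside the module mapped at
 * [BaseAddr, BaseAddr + BaseSize) and redirect it to
 * Safe_SizeofResourceList().
 *
 * Signature bytes (15)            Rewritten as (first 11 bytes)
 *   EB 03              jmp +3       90 90           nop; nop
 *   01 14 8E           add ...      E8 rel32        call Safe_SizeofResourceList
 *   8B 80 80 00 00 00  mov eax,...  90 90 90 90     nop x4
 *   3B C3 / 75 DB      (left untouched)
 *
 * Two points drive this layout:
 *   - A relative CALL is used because it needs no scratch register. Loading
 *     the hook address into EDX would overwrite the value the hook is about
 *     to add to the table.
 *   - The leading `jmp short +3` targeted the old `mov eax, [eax+80]`, which
 *     is now the middle of the CALL operand, so it is replaced by NOPs and
 *     the hook re-tests the condition that jump used to implement.
 *
 * The bytes are written one store at a time, so the patch must be applied
 * while no thread can be executing the patched loop.
 *
 * Returns true when the signature was found and patched, false otherwise.
 * 32-bit x86 only: the hook address and the patch site are handled as DWORDs.
 */
bool PatchSizeofResourceList(void *BaseAddr, DWORD BaseSize)
{
    enum { SIG_LEN = 15, PATCH_LEN = 11 };
    const char *SizeofResourceList = "\xEB\x03\x01\x14\x8E\x8B\x80\x80\x00\x00\x00\x3B\xC3\x75\xDB";
    DWORD OldProtect;
    DWORD Ignored;
    BYTE *Site;

    // A range shorter than the signature cannot match, and BaseSize == 0
    // would make the end pointer below wrap to before BaseAddr.
    if (!BaseAddr || BaseSize < SIG_LEN)
        return false;

    // FindMemory is defined elsewhere; presumably it returns the address of
    // the first match, or NULL when the pattern is absent -- verify.
    Site = (BYTE*)FindMemory((char*)BaseAddr, (char*)BaseAddr+BaseSize-1, SizeofResourceList, SIG_LEN);
    if (!Site)
        return false;

    // Writing to a page that is still read-only would fault, so a failed
    // protection change is reported instead of ignored.
    if (!VirtualProtect((void*)Site, PATCH_LEN, PAGE_EXECUTE_READWRITE, &OldProtect))
        return false;

    Site[0] = 0x90;                     // NOP (was: jmp short +3)
    Site[1] = 0x90;                     // NOP
    Site[2] = 0xE8;                     // CALL rel32
    // rel32 is measured from the end of the 5-byte CALL, i.e. Site + 7.
    *(DWORD*)(Site+3) = (DWORD)&Safe_SizeofResourceList - (DWORD)(Site+7);
    Site[7] = 0x90;                     // NOP padding over the old mov eax
    Site[8] = 0x90;
    Site[9] = 0x90;
    Site[10] = 0x90;

    // Put the original protection back so the code page is not left
    // writable, then discard any stale copy of the old instruction bytes.
    VirtualProtect((void*)Site, PATCH_LEN, OldProtect, &Ignored);
    FlushInstructionCache(GetCurrentProcess(), Site, PATCH_LEN);
    return true;
}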