Topic: The ever-evolving Silver Fox: more and more vulnerable drivers used to kill antivirus software via BYOVD
Reply:

ount = 8
assign Var5, Var8
pop ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(11)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(77)
assign Var9[1], S32(115)
assign Var9[2], S32(77)
assign Var9[3], S32(112)
assign Var9[4], S32(69)
assign Var9[5], S32(110)
assign Var9[6], S32(103)
assign Var9[7], S32(46)
assign Var9[8], S32(101)
assign Var9[9], S32(120)
assign Var9[10], S32(101)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var6 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype WideString ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(40)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(83)
assign Var11[1], S32(69)
assign Var11[2], S32(76)
assign Var11[3], S32(69)
assign Var11[4], S32(67)
assign Var11[5], S32(84)
assign Var11[6], S32(32)
assign Var11[7], S32(42)
assign Var11[8], S32(32)
assign Var11[9], S32(70)
assign Var11[10], S32(82)
assign Var11[11], S32(79)
assign Var11[12], S32(77)
assign Var11[13], S32(32)
assign Var11[14], S32(87)
assign Var11[15], S32(105)
assign Var11[16], S32(110)
assign Var11[17], S32(51)
assign Var11[18], S32(50)
assign Var11[19], S32(95)
assign Var11[20], S32(80)
assign Var11[21], S32(114)
assign Var11[22], S32(111)
assign Var11[23], S32(99)
assign Var11[24], S32(101)
assign Var11[25], S32(115)
assign Var11[26], S32(115)
assign Var11[27], S32(32)
assign Var11[28], S32(87)
assign Var11[29], S32(72)
assign Var11[30], S32(69)
assign Var11[31], S32(82)
assign Var11[32], S32(69)
assign Var11[33], S32(32)
assign Var11[34], S32(78)
assign Var11[35], S32(97)
assign Var11[36], S32(109)
assign Var11[37], S32(101)
assign Var11[38], S32(61)
assign Var11[39], S32(34)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
assign Var8, Var9
pop ; StackCount = 8
add Var8, Var6
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(1)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(34)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
add Var8, Var9
pop ; StackCount = 8
assign Var7, Var8
pop ; StackCount = 7
pushtype IDISPATCH ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
assign Var9, Var4
pushvar Var8 ; StackCount = 10
call CREATEOLEOBJECT
pop ; StackCount = 9
pop ; StackCount = 8
assign Var1, Var8
pop ; StackCount = 7
pushtype !OPENARRAYOFVARIANT ; StackCount = 8
pushtype !OPENARRAYOFVARIANT ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(2)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], String_3("")
assign Var9[1], Var5
assign Var8, Var9
pop ; StackCount = 8
pushtype String_3 ; StackCount = 9
assign Var9, String_3("ConnectServer")
pushtype BOOLEAN ; StackCount = 10
assign Var10, BOOLEAN(0)
pushtype IDISPATCH ; StackCount = 11
assign Var11, Var1
pushvar Var2 ; StackCount = 12
call IDISPATCHINVOKE
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
pushtype !OPENARRAYOFVARIANT ; StackCount = 8
pushtype !OPENARRAYOFVARIANT ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(1)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], Var7
assign Var8, Var9
pop ; StackCount = 8
pushtype String_3 ; StackCount = 9
assign Var9, String_3("ExecQuery")
pushtype BOOLEAN ; StackCount = 10
assign Var10, BOOLEAN(0)
pushtype IDISPATCH ; StackCount = 11
assign Var11, Var2
pushvar Var3 ; StackCount = 12
call IDISPATCHINVOKE
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
pushtype Variant ; StackCount = 8
pushtype !OPENARRAYOFVARIANT ; StackCount = 9
pushtype !OPENARRAYOFVARIANT ; StackCount = 10
pushtype S32 ; StackCount = 11
assign Var11, S32(0)
pushvar Var10 ; StackCount = 12
call SETARRAYLENGTH
pop ; StackCount = 11
pop ; StackCount = 10
assign Var9, Var10
pop ; StackCount = 9
pushtype String_3 ; StackCount = 10
assign Var10, String_3("Count")
pushtype BOOLEAN ; StackCount = 11
assign Var11, BOOLEAN(0)
pushtype IDISPATCH ; StackCount = 12
assign Var12, Var3
pushvar Var8 ; StackCount = 13
call IDISPATCHINVOKE
pop ; StackCount = 12
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
gt RetVal, Var8, S32(0)
pop ; StackCount = 7
endtry
loc_b35:
assign RetVal, BOOLEAN(0)
endcatch
loc_b43:
ret

The restored contents of all the ASCII-code arrays:

Array 1 (26 bytes)
  ASCII codes: 87, 66, 69, 77, 83, 99, 114, 105, 112, 116, 105, 110, 103, 46, 83, 87, 66, 69, 77, 76, 111, 99, 97, 116, 111, 114
  String: "WBEMScripting.SWBEMLocator"

Array 2 (4 bytes)
  ASCII codes: 114, 111, 111, 116
  String: "root"

Array 3 (1 byte)
  ASCII codes: 92
  String: "\"

Array 4 (5 bytes)
  ASCII codes: 99, 105, 109, 118, 50
  String: "cimv2"

Array 5 (11 bytes)
  ASCII codes: 77, 115, 77, 112, 69, 110, 103, 46, 101, 120, 101
  String: "MsMpEng.exe"

Array 6 (40 bytes)
  ASCII codes: 83, 69, 76, 69, 67, 84, 32, 42, 32, 70, 82, 79, 77, 32, 87, 105, 110, 51, 50, 95, 80, 114, 111, 99, 101, 115, 115, 32, 87, 72, 69, 82, 69, 32, 78, 97, 109, 101, 61, 34
  String: "SELECT * FROM Win32_Process WHERE Name=""

Array 7 (1 byte)
  ASCII codes: 34
  String: """

This function uses a WMI query to check whether the Windows Defender process (MsMpEng.exe) is running. It builds the WQL query SELECT * FROM Win32_Process WHERE Name="MsMpEng.exe"; if the query's result count is greater than 0, it returns True, meaning the Windows Defender process is running.
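As an added example (not code from the post or from the analysed sample), a small Python decoder for the disassembly form shown above: it collects each S32 code array that SETARRAYLENGTH sizes, converts it to text the way STRFROMCODE does, and flags arrays whose element count disagrees with the declared length. The embedded excerpt is constructed to mirror the post's MsMpEng.exe and closing-quote arrays, one instruction per line.

```python
import re

# Constructed excerpt in the post's disassembly form, one instruction per line:
# the "MsMpEng.exe" array in Var9, then the one-byte '"' array in a reused slot.
SAMPLE = """\
assign Var10, S32(11)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
assign Var9[0], S32(77)
assign Var9[1], S32(115)
assign Var9[2], S32(77)
assign Var9[3], S32(112)
assign Var9[4], S32(69)
assign Var9[5], S32(110)
assign Var9[6], S32(103)
assign Var9[7], S32(46)
assign Var9[8], S32(101)
assign Var9[9], S32(120)
assign Var9[10], S32(101)
assign Var12, S32(1)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
assign Var11[0], S32(34)
"""

LENGTH = re.compile(r"assign (Var\d+), S32\((\d+)\)$")      # length pushed for SETARRAYLENGTH
PUSHVAR = re.compile(r"pushvar (Var\d+)")                    # variable the next call receives
ELEMENT = re.compile(r"assign (Var\d+)\[(\d+)\], S32\((\d+)\)")  # one character code

def finish(arr):
    # (variable, declared length, decoded text, length check passed)
    var, declared, codes = arr
    return var, declared, "".join(map(chr, codes)), len(codes) == declared

def decode_arrays(disasm):
    # Arrays are built one after another, so a single "current" array suffices.
    found, current, declared, last_var = [], None, None, None
    for raw in disasm.splitlines():
        line = raw.split(";")[0].strip()          # drop the "; StackCount = N" note
        if m := LENGTH.match(line):
            declared = int(m.group(2))
        elif m := PUSHVAR.match(line):
            last_var = m.group(1)
        elif line == "call SETARRAYLENGTH" and last_var:
            if current: found.append(finish(current))   # a new array closes the old one
            current = [last_var, declared, []]
        elif (m := ELEMENT.match(line)) and current and m.group(1) == current[0]:
            current[2].append(int(m.group(3)))
    if current: found.append(finish(current))
    return found
```

Running `decode_arrays(SAMPLE)` yields the two strings in order of appearance, which is the same walk-through the post did by hand for all seven arrays.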