winhex 18.9
; Reviewer note. This is an OllyDbg dump of WinHex 18.9, reformatted one instruction per line;
; addresses, opcode bytes, operands and the debugger's own comments are unchanged.
; - The two lines below are a stack-window excerpt: stack slot -> pointer -> UNICODE string.
;   005FB74C is the same address that [0x5CDFB0] resolves to at 0044CEE3.
; - Trailing comments such as "; sechost.OpenServiceA", "; dtrampo.743A5767" and "; shell32.75FF0C75",
;   and the decoded argument names on the CreateFileW wrappers ("READONLY|SYSTEM",
;   "GENERIC_WRITE|GENERIC_EXECUTE|GENERIC_ALL|5657245", "FILE_SHARE_READ|4", 'FileName = ""'),
;   are OllyDbg annotations of whatever the registers happened to hold at analysis time. They are
;   not calls and not the runtime arguments; the real values come from each caller.
; - Argument passing visible throughout: eax/edx/ecx carry the first three arguments
;   (see 0044CF46: mov eax,ebx / call 0044CD38), extra arguments on the stack (retn 0x4 at 004145E9).
0028FD3C 031B219A UNICODE "Available only with a superior license type."
0028FD50 005FB74C UNICODE "For evaluation purposes only. [unregistered]"
; ---- string data referenced by 0044CD38 ----
0044CEAB \. C3 RETN                                          ; end of the preceding routine (not in this dump)
0044CEAC . 77 69 6E 68 6>ASCII "winhex.user",0               ; base name loaded into the stack buffer at 0044CD50
0044CEB8 2E DB 2E ; CHAR '.'                                 ; "." passed to the helper at 0044CD74 before the user name is fetched
0044CEB9 00 DB 00
0044CEBA 00 DB 00
0044CEBB 00 DB 00
0044CEBC . 77 69 6E 68 6>ASCII "winhex.nouser",0             ; fallback name loaded at 0044CDB8
; ---- 0044CD38: per-user settings lookup. In: eax (saved in ebx; meaning not visible here).
;      Frame: 0x204 bytes; [esp+4] is used as a string buffer. The listing stops at 0044CDD2 --
;      the rest of this routine is not part of the dump.
0044CD38 /$ 53 push ebx
0044CD39 |. 56 push esi
0044CD3A |. 81C4 FCFDFFFF add esp,-0x204
0044CD40 |. 8BD8 mov ebx,eax
0044CD42 |. A1 10D95C00 mov eax,dword ptr ds:[0x5CD910]     ; global byte flag (written to 3 at 0044CDB1)
0044CD47 |. 8038 00 cmp byte ptr ds:[eax],0x0
0044CD4A |. 75 68 jnz short WinHex.0044CDB4                  ; flag already set -> straight to the "winhex.nouser" path
0044CD4C |. 8D5424 04 lea edx,dword ptr ss:[esp+0x4]
0044CD50 |. B8 ACCE4400 mov eax,WinHex.0044CEAC ; ASCII "winhex.user"
0044CD55 |. 33C9 xor ecx,ecx
0044CD57 |. E8 54D8FBFF call WinHex.0040A5B0                  ; helper(eax=literal, edx=buffer, ecx=0); presumably fills the buffer from the literal -- body not shown
0044CD5C |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4]
0044CD60 |. 33D2 xor edx,edx ; sechost.OpenServiceA          ; stale annotation -- this is just edx = 0
0044CD62 |. E8 5D75FCFF call WinHex.004142C4                  ; helper(eax=buffer, edx=0) -> al; lives next to the CreateFileW wrappers at 004145C4, looks like a file probe -- confirm
0044CD67 |. 84C0 test al,al
0044CD69 |. 75 3D jnz short WinHex.0044CDA8                  ; "winhex.user" probe succeeded -> set flag
0044CD6B |. BA B8CE4400 mov edx,WinHex.0044CEB8              ; "."
0044CD70 |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4]
0044CD74 |. E8 93B6FBFF call WinHex.0040840C                  ; helper(eax=buffer, edx="."); presumably appends -- not shown
0044CD79 |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4]
0044CD7D |. E8 5AAEFBFF call WinHex.00407BDC                  ; helper(eax=buffer) -> eax, treated below as the current length
0044CD82 |. BA FF000000 mov edx,0xFF
0044CD87 |. 2BD0 sub edx,eax
0044CD89 |. 4A dec edx ; sechost.OpenServiceA                ; edx = 0xFF - len - 1 = remaining room (the 0x200-byte buffer holds 0x100 WCHARs, so this reads as a character count -- assumption)
0044CD8A |. 891424 mov dword ptr ss:[esp],edx ; sechost.OpenServiceA   ; [esp] becomes GetUserNameW's pcchBuffer
0044CD8D |. 54 push esp                                      ; pcchBuffer
0044CD8E |. 8D4424 08 lea eax,dword ptr ss:[esp+0x8]         ; the same buffer ([esp+4] before the push)
0044CD92 |. E8 75AEFBFF call WinHex.00407C0C                  ; helper(eax=buffer) -> eax, used as the write pointer for the user name
0044CD97 |. 50 push eax ; |Buffer = 0028F388
0044CD98 |. E8 B78DFBFF call <jmp.&advapi32.GetUserNameW> ; \GetUserNameW
; NOTE (review): GetUserNameW's BOOL result is never tested (the next instruction reloads eax).
; If it fails, e.g. ERROR_INSUFFICIENT_BUFFER when the name does not fit in 0xFF-len-1 characters,
; the buffer contents are unspecified and the probe below still runs on them.
0044CD9D |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4]
0044CDA1 |. 33D2 xor edx,edx ; sechost.OpenServiceA
0044CDA3 |. E8 1C75FCFF call WinHex.004142C4                  ; same probe, now on "winhex.user" + "." + user name
0044CDA8 |> 84C0 test al,al
0044CDAA |. 74 08 je short WinHex.0044CDB4
0044CDAC |. A1 10D95C00 mov eax,dword ptr ds:[0x5CD910]
0044CDB1 |. C600 03 mov byte ptr ds:[eax],0x3                ; flag = 3 when either per-user name probed OK
0044CDB4 |> 8D5424 04 lea edx,dword ptr ss:[esp+0x4]
0044CDB8 |. B8 BCCE4400 mov eax,WinHex.0044CEBC ; ASCII "winhex.nouser"
0044CDBD |. 33C9 xor ecx,ecx
0044CDBF |. E8 ECD7FBFF call WinHex.0040A5B0                  ; rebuild the buffer from "winhex.nouser"
0044CDC4 |. A1 10D95C00 mov eax,dword ptr ds:[0x5CD910]
0044CDC9 |. 8038 00 cmp byte ptr ds:[eax],0x0
0044CDCC |. 75 3F jnz short WinHex.0044CE0D                  ; flag set -> 0044CE0D (not in dump)
0044CDCE |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4]
0044CDD2 |. 33D2 xor edx,edx ; sechost.OpenServiceA
; ---- dump jumps here; 0044CDD2..0044CECB are not shown ----
; ---- 0044CECC: settings loader. In: eax (saved in ebx and forwarded to 0044CD38).
;      Visible order: (1) probe via 004142C4 and record the result in a global flag; (2) if set, open
;      an HKCU key and copy a registry value raw into the object at esi; (3) on any failure call
;      0044CD38 (the winhex.user / winhex.nouser path); (4) consume fields of the object immediately.
;      The routine continues past 0044CF6F (not shown).
0044CECC /$ 53 push ebx ; 00-1
0044CECD |. 56 push esi
0044CECE |. 57 push edi ; sechost.OpenServiceA
0044CECF |. 81C4 F4FDFFFF add esp,-0x20C
0044CED5 |. 8BD8 mov ebx,eax
0044CED7 |. 8B35 DCD65C00 mov esi,dword ptr ds:[0x5CD6DC] ; WinHex.005F5CF0   ; esi = global object: RegQueryValueExA's output buffer below, and read at +0x29C/+0x273/+0x4B8
0044CEDD |. 8B3D A4DD5C00 mov edi,dword ptr ds:[0x5CDDA4] ; WinHex.005C8A70
0044CEE3 |. 8B15 B0DF5C00 mov edx,dword ptr ds:[0x5CDFB0] ; WinHex.005FB74C   ; 005FB74C = the "For evaluation purposes only. [unregistered]" string per the stack excerpt at the top
0044CEE9 |. 8B47 1C mov eax,dword ptr ds:[edi+0x1C] ; shell32.75FF0C75        ; stale annotation; eax = a field of the object at edi
0044CEEC |. 33C9 xor ecx,ecx
0044CEEE |. E8 BDD6FBFF call WinHex.0040A5B0                  ; same helper as 0044CD50 (eax=[edi+0x1C], edx=string, ecx=0); what it does with them is not visible
0044CEF3 |. 33D2 xor edx,edx ; sechost.OpenServiceA
0044CEF5 |. E8 CA73FCFF call WinHex.004142C4                  ; probe(eax = 0040A5B0's result, edx=0) -> al
0044CEFA |. 8B15 24D05C00 mov edx,dword ptr ds:[0x5CD024] ; WinHex.005FA316
0044CF00 |. 8802 mov byte ptr ds:[edx],al                    ; global flag = probe result
0044CF02 |. A1 24D05C00 mov eax,dword ptr ds:[0x5CD024]
0044CF07 |. 8038 00 cmp byte ptr ds:[eax],0x0
0044CF0A |. 74 43 je short WinHex.0044CF4F                   ; probe failed -> skip the registry, go to 0044CD38
0044CF0C |. 8D4424 04 lea eax,dword ptr ss:[esp+0x4]
0044CF10 |. 50 push eax ; /pHandle = 0028F388                ; hKey out-param lives at [esp+4]
0044CF11 |. A1 ACD85C00 mov eax,dword ptr ds:[0x5CD8AC] ; |
0044CF16 |. 50 push eax ; |Subkey = ""                        ; subkey name is a global pointer; "" is only the snapshot value
0044CF17 |. 68 01000080 push 0x80000001 ; |hKey = HKEY_CURRENT_USER
0044CF1C |. E8 8B8CFBFF call <jmp.&advapi32.RegOpenKeyA> ; \RegOpenKeyA
0044CF21 |. 85C0 test eax,eax
0044CF23 |. 75 2A jnz short WinHex.0044CF4F                  ; open failed -> fall back to 0044CD38
0044CF25 |. C70424 354400>mov dword ptr ss:[esp],0x4435      ; cbData = 0x4435 (17461) bytes
0044CF2C |. 54 push esp ; /pBufSize = 0028F374
0044CF2D |. 56 push esi ; |Buffer = 006F0004                  ; lpData = the object itself: registry bytes land directly in the in-memory structure
0044CF2E |. 6A 00 push 0x0 ; |pValueType = NULL               ; value type is not checked
0044CF30 |. 6A 00 push 0x0 ; |Reserved = NULL
0044CF32 |. A1 FCDB5C00 mov eax,dword ptr ds:[0x5CDBFC] ; |
0044CF37 |. 50 push eax ; |ValueName = ""                     ; value name is a global pointer; "" is only the snapshot value
0044CF38 |. 8B4424 18 mov eax,dword ptr ss:[esp+0x18] ; |dtrampo.743A162A     ; = hKey written at [esp+4] before the five pushes (4 + 5*4 = 0x18)
0044CF3C |. 50 push eax ; |hKey = 0x28F388
0044CF3D |. E8 828CFBFF call <jmp.&advapi32.RegQueryValueExA> ; \RegQueryValueExA
; NOTE (review): lpType is NULL, so a value of any registry type, up to 0x4435 bytes, is accepted and
; overlaid on the object at esi; the fields read at 0044CF56/0044CF64/0044CF6F therefore come straight
; from an HKCU value, which the current user can write. No RegCloseKey appears in this span -- check
; the code after 0044CF6F for it.
0044CF42 |. 85C0 test eax,eax
0044CF44 |. 74 10 je short WinHex.0044CF56                   ; ERROR_SUCCESS -> the registry copy is the loaded state
0044CF46 |. 8BC3 mov eax,ebx
0044CF48 |. E8 EBFDFFFF call WinHex.0044CD38                  ; value missing/unreadable -> per-user file path
0044CF4D |. EB 07 jmp short WinHex.0044CF56
0044CF4F |> 8BC3 mov eax,ebx
0044CF51 |. E8 E2FDFFFF call WinHex.0044CD38                  ; probe failed or key not openable -> same fallback
0044CF56 |> 8A86 9C020000 mov al,byte ptr ds:[esi+0x29C]
0044CF5C |. 8B15 58E55C00 mov edx,dword ptr ds:[0x5CE558] ; WinHex.005FA318
0044CF62 |. 8802 mov byte ptr ds:[edx],al                    ; global byte = object+0x29C
0044CF64 |. 8A86 73020000 mov al,byte ptr ds:[esi+0x273]
0044CF6A |. E8 55301300 call WinHex.0057FFC4                  ; helper(al = object+0x273); body not shown
0044CF6F |. 80BE B8040000>cmp byte ptr ds:[esi+0x4B8],0x0
; ---- dump cuts away here ----
; ---- 004145C4: CreateFileW wrapper, OPEN_EXISTING.
;      In: eax = file name, edx = dwDesiredAccess, ecx = attributes (FILE_ATTRIBUTE_NORMAL 0x80 OR'ed in),
;      [arg.1] = dwShareMode (on the stack, released by retn 0x4). Out: eax = handle, INVALID_HANDLE_VALUE
;      on failure -- the wrapper itself does not check it, so every caller must.
004145C4 /$ 55 push ebp ; sechost.OpenServiceA
004145C5 |. 8BEC mov ebp,esp
004145C7 |. 51 push ecx                                      ; reserves one dword local (local.1 = [ebp-4])
004145C8 |. 53 push ebx
004145C9 |. 33DB xor ebx,ebx
004145CB |. 895D FC mov [local.1],ebx                        ; local.1 = 0; never read in this span
004145CE |. 6A 00 push 0x0 ; /hTemplateFile = NULL
004145D0 |. 81C9 80000000 or ecx,0x80 ; |                     ; FILE_ATTRIBUTE_NORMAL added to the caller's attribute flags
004145D6 |. 51 push ecx ; |Attributes = READONLY|SYSTEM       ; decoded from a stale ecx -- see header note
004145D7 |. 6A 03 push 0x3 ; |Mode = OPEN_EXISTING
004145D9 |. 6A 00 push 0x0 ; |pSecurity = NULL                 ; handle not inheritable
004145DB |. 8B4D 08 mov ecx,[arg.1] ; |
004145DE |. 51 push ecx ; |ShareMode = FILE_SHARE_READ|4       ; decoded from a stale value -- actual share mode is the caller's [arg.1]
004145DF |. 52 push edx ; |Access = GENERIC_WRITE|GENERIC_EXECUTE|GENERIC_ALL|5657245   ; decoded from a stale edx -- actual access comes from the caller
004145E0 |. 50 push eax ; |FileName = ""
004145E1 |. E8 5E16FFFF call <jmp.&kernel32.CreateFileW> ; \CreateFileW
004145E6 |. 5B pop ebx ; dtrampo.743A5767
004145E7 |. 59 pop ecx ; dtrampo.743A5767                     ; discards local.1
004145E8 |. 5D pop ebp ; dtrampo.743A5767
004145E9 \. C2 0400 retn 0x4
; ---- 004145EC: CreateFileW wrapper, OPEN_ALWAYS (creates the file when it does not exist).
;      In: eax = file name, edx = dwShareMode. Fixed: GENERIC_READ|GENERIC_WRITE,
;      FILE_ATTRIBUTE_NORMAL|FILE_FLAG_SEQUENTIAL_SCAN (0x08000080), lpSecurityAttributes = NULL
;      (a newly created file gets the default security descriptor). Out: eax = handle; callers must
;      check for INVALID_HANDLE_VALUE. "FILE_SHARE_READ|75657244" is again a snapshot value of edx.
004145EC /$ 6A 00 push 0x0 ; /hTemplateFile = NULL
004145EE |. 68 80000008 push 0x8000080 ; |Attributes = NORMAL|SEQUENTIAL_SCAN
004145F3 |. 6A 04 push 0x4 ; |Mode = OPEN_ALWAYS
004145F5 |. 6A 00 push 0x0 ; |pSecurity = NULL
004145F7 |. 52 push edx ; |ShareMode = FILE_SHARE_READ|75657244
004145F8 |. 68 000000C0 push 0xC0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004145FD |. 50 push eax ; |FileName = ""
004145FE |. E8 4116FFFF call <jmp.&kernel32.CreateFileW> ; \CreateFileW
00414603 \. C3 retn
; ---- isolated call site quoted by the poster ----
0044989D |. E8 CAEEFCFF call WinHex.0041876C 从这里好像第一次发现授权字样! 0001
; (poster's note, translated: "this seems to be the first place the licensing wording shows up".
;  0041876C is not in the dump, so which of the two strings at the top it touches cannot be
;  confirmed from this page.)