Before loading in OD
-----------------------------------------------------------------------------------------------------------
100573B6 > 60 PUSHAD
100573B7 E8 12FEFFFF CALL 蜜蜂自动.100571CE
100573BC C3 RETN
100573BD 90 NOP
100573BE 0900 OR DWORD PTR DS:[EAX],EAX
100573C0 0000 ADD BYTE PTR DS:[EAX],AL
100573C2 2C 00 SUB AL,0
100573C4 0000 ADD BYTE PTR DS:[EAX],AL
100573C6 DABE 0400C403 FIDIVR DWORD PTR DS:[ESI+3C40004]
100573CC 0000 ADD BYTE PTR DS:[EAX],AL
100573CE BC A0000000 MOV ESP,0A0
100573D3 40 INC EAX
100573D4 0100 ADD DWORD PTR DS:[EAX],EAX
100573D6 E4 22 IN AL,22 ; I/O command
100573D8 04 00 ADD AL,0
100573DA 0000 ADD BYTE PTR DS:[EAX],AL
100573DC 0000 ADD BYTE PTR DS:[EAX],AL
100573DE 0000 ADD BYTE PTR DS:[EAX],AL
100573E0 0000 ADD BYTE PTR DS:[EAX],AL
100573E2 0000 ADD BYTE PTR DS:[EAX],AL
100573E4 0000 ADD BYTE PTR DS:[EAX],AL
100573E6 0000 ADD BYTE PTR DS:[EAX],AL
100573E8 0000 ADD BYTE PTR DS:[EAX],AL
100573EA 99 CDQ
100573EB 0000 ADD BYTE PTR DS:[EAX],AL
100573ED 0000 ADD BYTE PTR DS:[EAX],AL
100573EF 8A00 MOV AL,BYTE PTR DS:[EAX]
100573F1 0000 ADD BYTE PTR DS:[EAX],AL
100573F3 1000 ADC BYTE PTR DS:[EAX],AL
100573F5 0028 ADD BYTE PTR DS:[EAX],CH
=====================================================
OD lands here automatically 3 seconds after loading
===========================================================
10004A30 . 53 PUSH EBX ; real entry point of the SFX code
10004A31 . 8BD8 MOV EBX,EAX
10004A33 . 33C0 XOR EAX,EAX
10004A35 . A3 80B70010 MOV DWORD PTR DS:[1000B780],EAX
10004A3A . 6A 00 PUSH 0 ; /pModule = NULL
10004A3C . E8 2BFFFFFF CALL 蜜蜂自动.1000496C ; \GetModuleHandleA
10004A41 . A3 E4E70010 MOV DWORD PTR DS:[1000E7E4],EAX
10004A46 . A1 E4E70010 MOV EAX,DWORD PTR DS:[1000E7E4]
10004A4B . A3 88B70010 MOV DWORD PTR DS:[1000B788],EAX
10004A50 . 33C0 XOR EAX,EAX
10004A52 . A3 8CB70010 MOV DWORD PTR DS:[1000B78C],EAX
10004A57 . 33C0 XOR EAX,EAX
10004A59 . A3 90B70010 MOV DWORD PTR DS:[1000B790],EAX
10004A5E . E8 C1FFFFFF CALL 蜜蜂自动.10004A24
10004A63 . BA 84B70010 MOV EDX,蜜蜂自动.1000B784
10004A68 . 8BC3 MOV EAX,EBX
10004A6A . E8 DDEEFFFF CALL 蜜蜂自动.1000394C
10004A6F . 5B POP EBX
10004A70 . C3 RETN
10004A71 8D40 00 LEA EAX,DWORD PTR DS:[EAX]
10004A74 $- FF25 88020110 JMP DWORD PTR DS:[10010288] ; kernel32.CloseHandle
10004A7A 8BC0 MOV EAX,EAX
10004A7C $- FF25 84020110 JMP DWORD PTR DS:[10010284] ; kernel32.CreateFileA
10004A82 8BC0 MOV EAX,EAX
10004A84 $- FF25 80020110 JMP DWORD PTR DS:[10010280] ; kernel32.CreateProcessA
10004A8A 8BC0 MOV EAX,EAX
10004A8C $- FF25 7C020110 JMP DWORD PTR DS:[1001027C] ; kernel32.DeviceIoControl
10004A92 8BC0 MOV EAX,EAX
10004A94 $- FF25 78020110 JMP DWORD PTR DS:[10010278] ; kernel32.FindResourceA
10004A9A 8BC0 MOV EAX,EAX
I don't know where to start; hoping for some pointers... Thanks.
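As an added example (not code from the post), the following Python script parses OllyDbg listing lines of the kind pasted above and pulls out the facts a reader would check by hand before deciding where the real entry point is: the shape of the stub at the module entry (PUSHAD / CALL / RETN), the real destination of each rel32 CALL decoded from the raw bytes rather than from OllyDbg's text, and the IAT slots behind the `JMP DWORD PTR DS:[...]` thunks that any dump of the unpacked image has to keep valid. The sample lines are copied from the post (module name `蜜蜂自动` kept as shown, one comment translated); the function names are my own.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Sample input: lines copied from the OllyDbg listing in the post above
# (module name "蜜蜂自动" kept as shown; one comment translated to English).
LISTING = r"""
100573B6 > 60 PUSHAD
100573B7 E8 12FEFFFF CALL 蜜蜂自动.100571CE
100573BC C3 RETN
100573BD 90 NOP
10004A30 . 53 PUSH EBX ; real entry point of the SFX code
10004A31 . 8BD8 MOV EBX,EAX
10004A3A . 6A 00 PUSH 0 ; /pModule = NULL
10004A3C . E8 2BFFFFFF CALL 蜜蜂自动.1000496C ; \GetModuleHandleA
10004A74 $- FF25 88020110 JMP DWORD PTR DS:[10010288] ; kernel32.CloseHandle
10004A7A 8BC0 MOV EAX,EAX
10004A7C $- FF25 84020110 JMP DWORD PTR DS:[10010284] ; kernel32.CreateFileA
"""


class Insn(NamedTuple):
    addr: int        # virtual address of the instruction
    raw: bytes       # opcode bytes as dumped (memory order)
    mnemonic: str
    operands: str
    comment: str     # OllyDbg/user comment after ';'


ADDR = re.compile(r"[0-9A-F]{8}")
BYTES = re.compile(r"(?:[0-9A-F]{2}){1,4}")   # 1..4 bytes per hex token
FLAGS = {">", ".", "$-", "$+", "$"}           # OllyDbg margin markers
IAT_SLOT = re.compile(r"DWORD PTR DS:\[([0-9A-F]{8})\]")


def parse_line(line: str) -> Optional[Insn]:
    """Parse one OllyDbg disassembly line; return None for non-instruction lines.
    (Byte tokens are even-length hex, so a mnemonic made only of hex letters,
    e.g. FADD, would need a stricter rule; none occurs in this listing.)"""
    code, _, comment = line.partition(";")
    tokens = code.split()
    if len(tokens) < 2 or not ADDR.fullmatch(tokens[0]):
        return None
    i = 1
    while i < len(tokens) and tokens[i] in FLAGS:
        i += 1
    raw = bytearray()
    while i < len(tokens) and BYTES.fullmatch(tokens[i]):
        raw += bytes.fromhex(tokens[i])
        i += 1
    if not raw or i >= len(tokens):
        return None
    return Insn(int(tokens[0], 16), bytes(raw), tokens[i],
                " ".join(tokens[i + 1:]), comment.strip())


def parse_listing(text: str) -> List[Insn]:
    return [ins for ins in map(parse_line, text.splitlines()) if ins]


def branch_target(ins: Insn) -> Optional[int]:
    """Decode the destination of a rel32 CALL (E8) / JMP (E9) from the raw bytes,
    independently of the operand text OllyDbg printed."""
    if ins.raw[:1] in (b"\xe8", b"\xe9") and len(ins.raw) == 5:
        rel = int.from_bytes(ins.raw[1:5], "little", signed=True)
        return (ins.addr + 5 + rel) & 0xFFFFFFFF
    return None


def import_thunks(insns: List[Insn]) -> Dict[int, Tuple[int, str]]:
    """Collect `JMP DWORD PTR DS:[slot]` (FF 25 disp32) thunks as
    thunk address -> (IAT slot address, name OllyDbg resolved). A dump of the
    unpacked image must leave these slots pointing at real kernel32 exports."""
    out: Dict[int, Tuple[int, str]] = {}
    for ins in insns:
        if ins.mnemonic == "JMP" and ins.raw[:2] == b"\xff\x25" and len(ins.raw) == 6:
            slot = int.from_bytes(ins.raw[2:6], "little")
            m = IAT_SLOT.search(ins.operands)
            # cross-check the decoded displacement against the operand text
            assert m and int(m.group(1), 16) == slot, ins
            out[ins.addr] = (slot, ins.comment)
    return out


def stub_shape(insns: List[Insn], entry: int) -> List[str]:
    """Mnemonics from `entry` up to and including the first RETN. A PUSHAD ... RETN
    at the module entry (registers saved, real work hidden behind a CALL) is the
    shape to inspect before trusting that address as the program's real entry."""
    shape, started = [], False
    for ins in insns:
        started = started or ins.addr == entry
        if started:
            shape.append(ins.mnemonic)
            if ins.mnemonic == "RETN":
                break
    return shape


if __name__ == "__main__":
    insns = parse_listing(LISTING)
    print("entry stub:", stub_shape(insns, 0x100573B6))
    for ins in insns:
        t = branch_target(ins)
        if t is not None:
            print(f"{ins.addr:08X} {ins.mnemonic} -> {t:08X}  ({ins.operands})")
    for thunk, (slot, name) in import_thunks(insns).items():
        print(f"thunk {thunk:08X} reads IAT slot {slot:08X}: {name}")
```

Decoding the CALL targets from the bytes (0x100573B7 + 5 - 0x1EE = 0x100571CE) confirms OllyDbg's operand text, and the thunk table gives the addresses to compare against the import table of any later dump.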