;-----------------------------------------------------------------------
; Process-enumeration integrity check, reconstructed from a debugger dump
; (x86-32, MSVC-style ebp frame, Win32 stdcall imports). Addresses are
; absolute; branch targets refer to the address column.
;
; Walks a Toolhelp process snapshot, looks for processes whose basename
; (the part of szExeFile before the first '.') ends in one of two 12-byte
; patterns, then reads the first page at 0x400000 of every process it can
; open and compares six dwords against two hard-coded fingerprints.
;
; Out: eax = status code
;        0x1F4 + n   fewer than 2 processes were visited (n = visited count;
;                    also the path taken when the buffer call fails, n == 0)
;        0x65        no name-matched process had our own PID
;        0x66        7 or more name-matched processes were seen
;        otherwise   [ebp-8]: 0 = no fingerprint hit, 1 / 2 = fingerprint 1 / 2
;                    (overwritten per hit, so the last matching process wins)
;
; Locals (all below ebp):
;   [ebp-4]    buffer pointer filled in by the call through [ebp-38]
;   [ebp-8]    fingerprint result (0, 1 or 2)
;   [ebp-C]    byte flag: a name-matched process is the current process
;   [ebp-30]   number of processes whose name matched a pattern
;   [ebp-34]   fn ptr 0x443780, called with the buffer at exit (presumably release)
;   [ebp-38]   fn ptr 0x443760, called with (&buffer, 0x10000) (presumably allocate)
;   [ebp-3C]   number of processes visited by Process32First/Next
;   [ebp-40]   Toolhelp snapshot handle
;   [ebp-44]   last Process32First/Next return value
;   [ebp-16C]  PROCESSENTRY32 (dwSize = 0x128); th32ProcessID at [ebp-164],
;              szExeFile at [ebp-148]
;   [ebp-170]  current process ID
;   [ebp-174]  scan cursor into szExeFile; [ebp-180] its start
;   [ebp-178]  OpenProcess handle; [ebp-17C] target PID; [ebp-184] name tail ptr
;   [ebp-188]  bytes read by ReadProcessMemory
; Clobbers: eax, ecx, edx, flags. ebx/esi/edi are never touched.
;-----------------------------------------------------------------------
0AFFB1F0 push ebp                                ; standard frame: save caller's ebp
0AFFB1F1 mov ebp, esp
0AFFB1F3 sub esp, 188                            ; 0x188 bytes of locals (see map above)
0AFFB1F9 mov dword ptr [ebp-8], 0                ; result = 0 (no fingerprint hit yet)
0AFFB200 mov dword ptr [ebp-3C], 0               ; visited = 0
0AFFB207 mov dword ptr [ebp-38], 443760          ; fn ptr: fills [ebp-4] (presumably an allocator)
0AFFB20E mov dword ptr [ebp-34], 443780          ; fn ptr: receives [ebp-4] at exit (presumably the release)
0AFFB215 mov dword ptr [ebp-4], 0                ; buffer = NULL
0AFFB21C mov dword ptr [ebp-30], 0               ; name matches = 0
0AFFB223 mov byte ptr [ebp-C], 0                 ; self-match flag = 0
0AFFB227 push 10000 ; 0x10000, presumably the buffer size; the debugger's UNICODE "=::=::\" label is a misread of this immediate as a pointer
0AFFB22C lea eax, dword ptr [ebp-4]
0AFFB22F push eax                                ; &buffer
0AFFB230 call dword ptr [ebp-38]                 ; [ebp-38](&buffer, 0x10000)
0AFFB233 cmp dword ptr [ebp-4], 0
0AFFB237 je 0AFFB4B9                             ; no buffer -> straight to result selection with visited == 0
0AFFB23D push 0                                  ; th32ProcessID = 0
0AFFB23F push 2                                  ; TH32CS_SNAPPROCESS
0AFFB241 call kernel32.CreateToolhelp32Snapshot
0AFFB246 mov dword ptr [ebp-40], eax             ; snapshot handle
0AFFB249 cmp dword ptr [ebp-40], -1              ; INVALID_HANDLE_VALUE
0AFFB24D je 0AFFB4B2                             ; snapshot failed -> release buffer, then result selection
0AFFB253 call dword ptr [B50C2D8] ; kernel32.GetCurrentProcessId
0AFFB259 mov dword ptr [ebp-170], eax            ; save our own PID for the self-match test below
0AFFB25F mov dword ptr [ebp-16C], 128            ; pe32.dwSize = 0x128 (ANSI PROCESSENTRY32)
0AFFB269 lea ecx, dword ptr [ebp-16C]
0AFFB26F push ecx                                ; &pe32
0AFFB270 mov edx, dword ptr [ebp-40]
0AFFB273 push edx                                ; snapshot
0AFFB274 call kernel32.Process32First
0AFFB279 mov dword ptr [ebp-44], eax
0AFFB27C cmp dword ptr [ebp-44], 0               ; loop head: last Process32First/Next result
0AFFB280 je 0AFFB4A8                             ; enumeration exhausted (or failed) -> close snapshot
; --- per process: scan pe32.szExeFile up to NUL or the first '.' ---
0AFFB286 lea eax, dword ptr [ebp-148]            ; szExeFile (pe32 + 0x24)
0AFFB28C mov dword ptr [ebp-180], eax            ; start = szExeFile
0AFFB292 mov ecx, dword ptr [ebp-180]
0AFFB298 mov dword ptr [ebp-174], ecx            ; cursor = start
0AFFB29E mov edx, dword ptr [ebp-174]
0AFFB2A4 movsx eax, byte ptr [edx]
0AFFB2A7 test eax, eax
0AFFB2A9 je short 0AFFB2CA                       ; NUL terminator reached
0AFFB2AB mov ecx, dword ptr [ebp-174]
0AFFB2B1 movsx edx, byte ptr [ecx]
0AFFB2B4 cmp edx, 2E                             ; '.'
0AFFB2B7 je short 0AFFB2CA                       ; stop at the first '.' (start of the extension)
0AFFB2B9 mov eax, dword ptr [ebp-174]
0AFFB2BF add eax, 1
0AFFB2C2 mov dword ptr [ebp-174], eax            ; cursor++
0AFFB2C8 jmp short 0AFFB29E
0AFFB2CA mov ecx, dword ptr [ebp-174]
0AFFB2D0 sub ecx, dword ptr [ebp-180]            ; basename length = cursor - start
0AFFB2D6 cmp ecx, 0C
0AFFB2D9 jle short 0AFFB33F                      ; length <= 12 cannot match: only count the process
0AFFB2DB mov edx, dword ptr [ebp-174]
0AFFB2E1 sub edx, 0C
0AFFB2E4 mov dword ptr [ebp-184], edx            ; p = last 12 bytes of the basename
0AFFB2EA mov eax, dword ptr [ebp-184]
0AFFB2F0 cmp dword ptr [eax], AAAAAAAA           ; name pattern 1, bytes 0-3 (real constants were redacted by the poster)
0AFFB2F6 jnz short 0AFFB307
0AFFB2F8 mov ecx, dword ptr [ebp-184]
0AFFB2FE cmp dword ptr [ecx+8], BBBBBBBB         ; pattern 1, bytes 8-11 (bytes 4-7 are never compared)
0AFFB305 je short 0AFFB324
0AFFB307 mov edx, dword ptr [ebp-184]
0AFFB30D cmp dword ptr [edx], CCCCCCCC           ; name pattern 2, bytes 0-3
0AFFB313 jnz short 0AFFB33F
0AFFB315 mov eax, dword ptr [ebp-184]
0AFFB31B cmp dword ptr [eax+8], DDDDDDDD         ; pattern 2, bytes 8-11
0AFFB322 jnz short 0AFFB33F
0AFFB324 mov ecx, dword ptr [ebp-30]             ; name matched one of the two patterns
0AFFB327 add ecx, 1
0AFFB32A mov dword ptr [ebp-30], ecx             ; matches++
0AFFB32D mov edx, dword ptr [ebp-170]
0AFFB333 cmp edx, dword ptr [ebp-164]            ; pe32.th32ProcessID == our PID?
0AFFB339 jnz short 0AFFB33F
0AFFB33B mov byte ptr [ebp-C], 1                 ; the matched process is ourselves
0AFFB33F mov eax, dword ptr [ebp-3C]             ; every process reaches here, matched or not
0AFFB342 add eax, 1
0AFFB345 mov dword ptr [ebp-3C], eax             ; visited++
0AFFB348 mov ecx, dword ptr [ebp-164]
0AFFB34E mov dword ptr [ebp-17C], ecx            ; pid = pe32.th32ProcessID
0AFFB354 mov edx, dword ptr [ebp-17C]
0AFFB35A push edx                                ; dwProcessId
0AFFB35B push 0                                  ; bInheritHandle = FALSE
0AFFB35D push 410                                ; PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
0AFFB362 call dword ptr [57A6800] ; kernel32.OpenProcess
0AFFB368 mov dword ptr [ebp-178], eax
0AFFB36E cmp dword ptr [ebp-178], 0
0AFFB375 je 0AFFB490                             ; cannot open (e.g. protected or other-session process): silently skipped, still counted as visited
0AFFB37B mov dword ptr [ebp-188], 0              ; bytesRead = 0
0AFFB385 lea eax, dword ptr [ebp-188]
0AFFB38B push eax                                ; &bytesRead
0AFFB38C push 1000                               ; nSize = 0x1000 (one page)
0AFFB391 mov ecx, dword ptr [ebp-4]
0AFFB394 push ecx                                ; lpBuffer = our buffer
0AFFB395 push 400000                             ; lpBaseAddress = 0x400000: assumes the target image sits at the default base (no relocation)
0AFFB39A mov edx, dword ptr [ebp-178]
0AFFB3A0 push edx                                ; hProcess
0AFFB3A1 call dword ptr [5876180] ; kernel32.ReadProcessMemory
0AFFB3A7 test eax, eax
0AFFB3A9 je 0AFFB483                             ; read failed -> close the process handle
0AFFB3AF cmp dword ptr [ebp-188], 1000
0AFFB3B9 jnz 0AFFB483                            ; short read -> treated as no match
; --- fingerprint 1: six dwords of the page must all match ---
; NOTE(review): low word 0x014C is IMAGE_FILE_MACHINE_I386, and the offsets are consistent
; with a PE header at e_lfanew 0xB0 (0xB4 Machine/NumberOfSections, 0x100 SizeOfImage,
; 0x130/0x13C data-directory entries, 0x1B0 section 0 VirtualSize, 0x1D0 section 1 Name).
; That layout is inferred, not visible here — confirm against the target binary.
0AFFB3BF mov eax, dword ptr [ebp-4]
0AFFB3C2 cmp dword ptr [eax+B4], 3014C           ; low word 0x014C, high word 3
0AFFB3CC jnz short 0AFFB422                      ; not fingerprint 1 -> try fingerprint 2
0AFFB3CE mov ecx, dword ptr [ebp-4]
0AFFB3D1 cmp dword ptr [ecx+100], 19A000
0AFFB3DB jnz short 0AFFB422
0AFFB3DD mov edx, dword ptr [ebp-4]
0AFFB3E0 cmp dword ptr [edx+130], 0D6E34
0AFFB3EA jnz short 0AFFB422
0AFFB3EC mov eax, dword ptr [ebp-4]
0AFFB3EF cmp dword ptr [eax+13C], 0D5C
0AFFB3F9 jnz short 0AFFB422
0AFFB3FB mov ecx, dword ptr [ebp-4]
0AFFB3FE cmp dword ptr [ecx+1B0], 0D5000
0AFFB408 jnz short 0AFFB422
0AFFB40A mov edx, dword ptr [ebp-4]
0AFFB40D cmp dword ptr [edx+1D0], 70736E2E       ; little-endian bytes spell ".nsp"
0AFFB417 jnz short 0AFFB422
0AFFB419 mov dword ptr [ebp-8], 1                ; fingerprint 1 hit
0AFFB420 jmp short 0AFFB483
; --- fingerprint 2: same offsets, different expected values ---
0AFFB422 mov eax, dword ptr [ebp-4]
0AFFB425 cmp dword ptr [eax+B4], 2014C           ; low word 0x014C, high word 2
0AFFB42F jnz short 0AFFB483
0AFFB431 mov ecx, dword ptr [ebp-4]
0AFFB434 cmp dword ptr [ecx+100], 162458
0AFFB43E jnz short 0AFFB483
0AFFB440 mov edx, dword ptr [ebp-4]
0AFFB443 cmp dword ptr [edx+130], 1618FB
0AFFB44D jnz short 0AFFB483
0AFFB44F mov eax, dword ptr [ebp-4]
0AFFB452 cmp dword ptr [eax+13C], 1F5E
0AFFB45C jnz short 0AFFB483
0AFFB45E mov ecx, dword ptr [ebp-4]
0AFFB461 cmp dword ptr [ecx+1B0], 111000
0AFFB46B jnz short 0AFFB483
0AFFB46D mov edx, dword ptr [ebp-4]
0AFFB470 cmp dword ptr [edx+1D0], 504C522E       ; little-endian bytes spell ".RLP"
0AFFB47A jnz short 0AFFB483
0AFFB47C mov dword ptr [ebp-8], 2                ; fingerprint 2 hit
0AFFB483 mov eax, dword ptr [ebp-178]
0AFFB489 push eax
0AFFB48A call dword ptr [57A58A8] ; kernel32.CloseHandle (process handle)
0AFFB490 lea ecx, dword ptr [ebp-16C]
0AFFB496 push ecx                                ; &pe32
0AFFB497 mov edx, dword ptr [ebp-40]
0AFFB49A push edx                                ; snapshot
0AFFB49B call kernel32.Process32Next
0AFFB4A0 mov dword ptr [ebp-44], eax
0AFFB4A3 jmp 0AFFB27C                            ; back to the loop head
0AFFB4A8 mov eax, dword ptr [ebp-40]
0AFFB4AB push eax
0AFFB4AC call dword ptr [57A58A8] ; kernel32.CloseHandle (snapshot handle)
0AFFB4B2 mov ecx, dword ptr [ebp-4]
0AFFB4B5 push ecx
0AFFB4B6 call dword ptr [ebp-34]                 ; [ebp-34](buffer) — presumably releases it
; --- result selection (see header) ---
0AFFB4B9 cmp dword ptr [ebp-3C], 2
0AFFB4BD jge short 0AFFB4C9
0AFFB4BF mov eax, dword ptr [ebp-3C]             ; fewer than 2 processes visited (includes the no-buffer path)
0AFFB4C2 add eax, 1F4                            ; return 0x1F4 + visited
0AFFB4C7 jmp short 0AFFB4ED
0AFFB4C9 mov edx, dword ptr [ebp-C]
0AFFB4CC and edx, 0FF                            ; isolate the byte flag
0AFFB4D2 test edx, edx
0AFFB4D4 jnz short 0AFFB4DD
0AFFB4D6 mov eax, 65                             ; return 0x65: no name-matched process was ourselves
0AFFB4DB jmp short 0AFFB4ED
0AFFB4DD cmp dword ptr [ebp-30], 7
0AFFB4E1 jl short 0AFFB4EA
0AFFB4E3 mov eax, 66                             ; return 0x66: 7 or more name-matched processes
0AFFB4E8 jmp short 0AFFB4ED
0AFFB4EA mov eax, dword ptr [ebp-8]              ; return 0 / 1 / 2 from the fingerprint comparison
0AFFB4ED mov esp, ebp
0AFFB4EF pop ebp
0AFFB4F0 retn                                    ; no stack cleanup by callee
1.比较进程的名字,想HookAPI Process32First跟Process32Next,好象网上没有看到
2.比较是否是当前进程来进行附值
是否有其他的方法来跳过这个检测呢???