This function is the core of the (c) PVASE (Process Virtual Address Space Erasing) technique that RkU claims to hold the copyright on.
-> Creating instruction list
No type information for function at 000145B0!
No type information for function at 00010E7B!
WARNING: unhandled call instruction
No type information for function at 00014355!
WARNING: unhandled call instruction
No type information for function at 00010E8D!
No type information for function at 000145D0!
WARNING: unhandled call instruction
No type information for function at 00014628!
WARNING: unhandled call instruction
-> Creating node list
-> Update uses and definitions
-> Live register analysis
-> Finding DU chains
-> Data flow analysis
00012846 I guess this function call takes 3 parameters.
00012852 I guess this function call takes 0 parameters.
00012857 I guess this function call takes 0 parameters.
0001289F Error! Can't POP from empty stack!
000128A2 Error! Can't POP from empty stack!
Basic block list:
Quote:
00012805 sub_12805:
00012810 si = 0x10000; // Initialize si to a fixed value; the memory wipe starts from this address.
00012815 KeAttachProcess(arg_0); // Possess the victim: arg_0 is the EPROCESS.
0001281b loc_1281B:
0001281c ax = MmGetPhysicalAddress(si); // Now get the physical address corresponding to virtual address 0x10000 in that process.
// What follows is a for loop.
00012828 if (dx > dword_14D84) goto loc_1285C;
0001282a if (dx < dword_14D84) goto loc_12834;
00012832 if (ax >= dword_14D80) goto loc_1285C;
00012834 loc_12834:
00012838 /* Low-level instruction of type 85 */
00012844 if (si != MmGetVirtualForPhysical(ax)) goto loc_1285C; // Being careful.
00012846 sub_10E7B(dx, si, cx); // Disable write protection.
0001284b dx = 0x1000;
00012852 sub_14355(); // Wipe the memory.
00012857 sub_10E8D(); // Re-enable write protection.
0001285c loc_1285C:
00012861 si = si + 0x1000;
00012869 if (si < *MmSystemRangeStart) goto loc_1281B; // This is the end of the for loop.
0001286b KeDetachProcess(); // Memory wiped; detach from the victim.
00012871 si = 0; // Below, kill it once more for good measure.
00012880 ax = ObOpenObjectByPointer(arg_0, si, si, si, si, si, &Handle);
00012888 if (ax != 0) goto loc_1289F; // If opening the process fails, just return; the process is dead anyway.
0001288f ZwTerminateProcess(Handle, si);
00012899 ax = ZwClose(Handle);
0001289f loc_1289F:
0001289f /* pop */
000128a2 /* pop */
000128a3 return ax; // Done. Not so evil, right?
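The three branches at 00012828, 0001282a and 00012832 are the decompiler's rendering of a single unsigned 64-bit comparison: dx holds the high 32 bits and ax the low 32 bits of the physical address, and the page is only processed when dx:ax is below dword_14D84:dword_14D80. The following Python is an added example (not code from the original post or from RkU) that writes the branch structure out literally beside the one-line comparison and checks that they agree around the boundary; the assumption that dword_14D84:dword_14D80 is an upper bound on physical addresses is mine, the post does not name it.

```python
# Added example, not from the original post: the branches at
# 00012828 / 0001282a / 00012832 read as one unsigned 64-bit comparison.
# dx = high 32 bits, ax = low 32 bits of the MmGetPhysicalAddress result.
# dword_14D84:dword_14D80 is ASSUMED to be an upper bound on physical
# addresses; the post does not identify it.


def decompiled_branches(dx, ax, limit_hi, limit_lo):
    """Mirror the decompiler's control flow literally.

    Returns True when execution reaches loc_12834 (the page is processed)
    and False when it jumps to loc_1285C (the page is skipped).
    """
    if dx > limit_hi:          # 00012828: high word above limit -> skip
        return False
    if dx < limit_hi:          # 0001282a: high word below limit -> process
        return True
    if ax >= limit_lo:         # 00012832: high words equal, compare low word
        return False
    return True


def single_compare(dx, ax, limit_hi, limit_lo):
    """The same predicate written as one 64-bit unsigned comparison."""
    phys = (dx << 32) | ax
    limit = (limit_hi << 32) | limit_lo
    return phys < limit


def branches_match_single_compare(limit_hi=0x1, limit_lo=0x4000_0000):
    """Check that both formulations agree on constructed sample addresses.

    The samples straddle the limit in both the high and the low word,
    including the cases where the high words are equal.
    """
    samples = [                     # constructed (dx, ax) pairs
        (0x0, 0x0000_0000),         # well below the limit
        (0x0, 0xFFFF_F000),         # high word below, low word large
        (0x1, 0x3FFF_F000),         # equal high word, just below the limit
        (0x1, 0x4000_0000),         # exactly the limit -> skipped
        (0x1, 0x4000_1000),         # equal high word, above the limit
        (0x2, 0x0000_0000),         # high word above the limit
    ]
    return all(
        decompiled_branches(dx, ax, limit_hi, limit_lo)
        == single_compare(dx, ax, limit_hi, limit_lo)
        for dx, ax in samples
    )
```

Reading the branch pair as a composed compare is what tells you that the loop body only touches pages whose physical address lies below that bound; the later `MmGetVirtualForPhysical(ax) != si` check is a separate round-trip test and is not part of the bound.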