Note: the x86 file has already been [...], the x64 file [...]; when making changes, first replace the [...] in the x86 [...] with the x64 file [...] that was modified.

Do not delete the signature data or the [...] marker in the file header;
do not delete the CRC checksum [...] marker in the file header.

x64 patch: find one line and change [...]; the [...] can correspond to different versions:
418D48C0
replace with 418D48C1
41B848000000B908000000
replace with 41B848000000B909000000
GetStockObject(DEFAULT_GUI_FONT)
x86 patch: find one line and change [...]; the [...] can correspond to different versions:
6A08FFD3F7D8
replace with 6A09FFD3F7D8
900100006A08
replace with 900100006A09
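The find/replace pairs above are applied by searching for one exact byte pattern and overwriting it in place. The following Python script is an added example (not part of the original note) that applies such patches while refusing any pattern that matches zero or several times, or whose replacement would change the file length; it runs on a constructed sample buffer, and the patch set is the x64 font patch from this page.

```python
# Added example, not from the original note: apply find/replace byte patches
# of the kind listed on this page. A patch is applied only when its pattern
# occurs exactly once and the replacement keeps the length, so a build where
# the pattern is missing or ambiguous is reported instead of silently patched.

# Patch set taken from the page: DEFAULT_GUI_FONT size 8 -> 9, x64 build.
FONT_PATCH_X64 = [
    ("418D48C0", "418D48C1"),
    ("41B848000000B908000000", "41B848000000B909000000"),
]


def find_all(data: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs in data (overlaps included)."""
    offsets, start = [], 0
    while (pos := data.find(pattern, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def apply_patches(data: bytes, patches) -> tuple:
    """Return (patched bytes, [(offset, find_hex, repl_hex), ...]); raise
    ValueError on 0 or >1 matches, or if the replacement would change the size."""
    buf = bytearray(data)
    applied = []
    for find_hex, repl_hex in patches:
        find, repl = bytes.fromhex(find_hex), bytes.fromhex(repl_hex)
        if len(find) != len(repl):
            raise ValueError(f"{find_hex}: replacement length differs")
        hits = find_all(bytes(buf), find)
        if len(hits) != 1:
            raise ValueError(f"{find_hex}: expected 1 match, found {len(hits)}")
        buf[hits[0]:hits[0] + len(find)] = repl
        applied.append((hits[0], find_hex, repl_hex))
    return bytes(buf), applied


# Constructed sample buffer standing in for a procexp64.exe image.
SAMPLE = (b"\x00" * 16 + bytes.fromhex("418D48C0") + b"\x90" * 8
          + bytes.fromhex("41B848000000B908000000") + b"\xCC" * 8)

if __name__ == "__main__":
    patched, log = apply_patches(SAMPLE, FONT_PATCH_X64)
    for off, f, r in log:
        print(f"0x{off:08X}: {f} -> {r}")  # 0x00000010, 0x0000001C
```

Patching a signed binary this way invalidates its Authenticode signature, which is why the note above says to leave the signature data and checksum marker in place rather than strip them.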

Disable the "[...] address" option on the TCP/IP [...] tab by default: find one line and change [...]; the [...] can correspond to different versions:
01000000010000000100000001000000FFFFFFFF
replace with 00000000010000000100000001000000FFFFFFFF
FFFFFFFF000001000100000001000000
replace with FFFFFFFF000001000100000000000000

[...]
Riched32.dll is [...] used; the [workaround] is to modify parameter 2 (value 0).
x64: find one line and change [...]; the [...] can correspond to different versions:
8BD5E857010000
replace with B201E857010000
418BD6E871000000
replace with B20190E871000000
x86: find one line and change [...]; the [...] can correspond to different versions:
53FF7508E82E010000
replace with 50FF7508E82E010000
57FF7508E854000000
replace with 50FF7508E854000000

-------------Modifying the [...] data requires [...]--------------------
-CPU-Memory-Memory usage-PID-[...]-Company-[...]-Threads
-[...]-Company-Path-Address-Size
-[...]-[...]-[...]
1F042800 24045000 27045000 04002800 26009600 09048C00
1F042800 24045000 27045000 04002800 26009600 09048C00 12003C00 29043C00
The default process [...] fields come first, [then] the handle fields, and the four after them are the DLL fields.
[Because] the [...] fields take up the handle fields.
15006400 1600C201
15006400 1600C201 14008C00 27006400
Then change the original DLL fields into [...] fields, [because] the [...] fields take up the DLL fields. Update the pointer.
1A006E00 2A00B400 09048C00 57042C01
1A006E00 2A00B400 09048C00 57040401 17006400 18004000
[...] a blank [area] [...] the DLL fields; update the pointer.

00000000 00001840
00000000 00002040
This value is the process [column count] 6, changed to 8 (each eight-byte value is a little-endian IEEE-754 double: 0x4018000000000000 = 6.0, 0x4020000000000000 = 8.0).
00000000 00000040
00000000 00001040
This value is the handle [column count] 2, changed to 4.
00000000 00001040
00000000 00001840
The DLL [column count] 4, changed to 6.
The direct file address is at a 4-byte-aligned offset position, [...] one [...] position [...]; the value automatically [...].
Pointers: WinHEX finds the file offset, LordPE [gives] the memory offset, procexp shows the [...] memory address [...] memory address, x64dbg [...] memory breakpoint. [...] also [...] near the code of [...]
[...] processes, modules, calling code, [...]
-------------Modifying the [...] data requires [...]--------------------

The [...] dialog: the address [...] of the caption [...] is [...]:
00000250180040001E000800
replace with 02000250180040001E000800

SetWindowPlacement_x86
6884030000
replace with 6800040000
SetWindowPlacement_x64
B984030000
replace with B900040000
Changes the default window size [...] processes, threads [...] (not [listed] above).

Versions after 16.30 [do not] support Win7 without SP1:
winsta!WinStationConnectW
winsta!WinStationShadow
winsta!WinStationGetProcessSid
The replacement [...] is to change LoadLibraryExW(DLL,LOAD_LIBRARY_SEARCH_SYSTEM32) to LoadLibraryExW(DLL,0)
x86
BE01000000C1E60B
replace with BE00000000C1E60B
x64
BB01000000C1E30B
replace with BB00000000C1E30B

Version 16.32, 32-bit: patch to support XP.
[After] the ReBarWindow32 string, the [...] function calls:
SendMessageW(ReBarWindow32, RB_INSERTBANDW, -1, &REBARBANDINFO);
SendMessageW(ReBarWindow32, 0x40A, -1, &REBARBANDINFO);
SendMessageW(ReBarWindow32, RB_GETBANDINFOW, N, &REBARBANDINFO);
SendMessageW(ReBarWindow32, 0x41C, N, &REBARBANDINFO);
Change REBARBANDINFO.cbSize from 64 to 50 (hex); XP [does not] support 64:
C78550FEFFFF64000000
replace with C78550FEFFFF50000000
C78598FCFFFF64000000
replace with C78598FCFFFF50000000

Versions 17.09 and later [do not] support Win7 x64.
GetProcessInformation(ProcessMachineTypeInfo) [...]; Win7 does not have [it]. [Because] NtQueryInformationProcess is not [given] enough space [...], modifying [...] is too troublesome; modify [...] to directly [skip] this function call [...]; [...] because [...] checks [...] this method [...]. GetProcessInformation has only one [call site], so removing it also has little effect [...].
2502000041B908000000
replace with 25020000EB1E90909090
