给Windows10治疗文件改后缀名啰嗦病症
给Windows10【版本1909(OS内部版本18363.592)】 治疗文件改后缀名啰嗦病症:
1.使用x64dbg打开C:\Windows\notepad.exe
2. 在记事本中,我们点文件=》打开,F2修改某个 1.txt为1.txt.dll
然后知情的情况下可以下断bp ShellMessageBoxW
【不知道的情况下,Alt+M内存中,搜索UniCode=》如果改变文件=》就会发现2处
我们来到DUMP窗口中按下Ctrl+Shift+1 ,设置1字节硬件访问断点
断下后】慢慢一级一级往上找。。。。】
00007FFDD8AE941 | 40:55 | push rbp ====》查看堆栈窗口,从这返回上一级A1。。前往B1
00007FFDD8AE941 | 53 | push rbx |
00007FFDD8AE941 | 56 | push rsi |
00007FFDD8AE941 | 57 | push rdi |
00007FFDD8AE941 | 41:54 | push r12 |
00007FFDD8AE941 | 41:56 | push r14 |
00007FFDD8AE941 | 41:57 | push r15 |
00007FFDD8AE941 | 48:8DAC24 70FFFFFF | lea rbp,qword ptr ss: |
00007FFDD8AE942 | 48:81EC 90010000 | sub rsp,190 |
00007FFDD8AE942 | 48:8B05 174F0300 | mov rax,qword ptr ds: |
00007FFDD8AE943 | 48:33C4 | xor rax,rsp |
00007FFDD8AE943 | 48:8985 80000000 | mov qword ptr ss:,rax |
00007FFDD8AE943 | 8365 D0 00 | and dword ptr ss:,0 |
00007FFDD8AE943 | 45:32FF | xor r15b,r15b |
00007FFDD8AE944 | 49:8BF9 | mov rdi,r9 |
00007FFDD8AE944 | 4D:8BE0 | mov r12,r8 |
00007FFDD8AE944 | 48:8BF2 | mov rsi,rdx |
00007FFDD8AE944 | 4C:8BF1 | mov r14,rcx |
00007FFDD8AE944 | 49:81F9 00000100 | cmp r9,10000 |
00007FFDD8AE945 | 0F83 BE000000 | jae shlwapi.7FFDD8AE9519 |
00007FFDD8AE945 | 48:85C9 | test rcx,rcx |
00007FFDD8AE945 | 0F84 B5000000 | je shlwapi.7FFDD8AE9519 |
00007FFDD8AE946 | 41:0FB7D1 | movzx edx,r9w |
00007FFDD8AE946 | 4C:8D45 E0 | lea r8,qword ptr ss: |
00007FFDD8AE946 | BB 50000000 | mov ebx,50 | 50:'P'
00007FFDD8AE947 | 44:8BCB | mov r9d,ebx |
00007FFDD8AE947 | 48:FF15 256B0100 | call qword ptr ds:[<LoadStringW>] |
00007FFDD8AE947 | 0F1F4400 00 | nop dword ptr ds:,eax |
00007FFDD8AE948 | 85C0 | test eax,eax |
00007FFDD8AE948 | 0F85 84000000 | jne shlwapi.7FFDD8AE950C |
00007FFDD8AE948 | 48:85F6 | test rsi,rsi |
00007FFDD8AE948 | 0F84 81000000 | je shlwapi.7FFDD8AE9512 |
00007FFDD8AE949 | 44:8BC3 | mov r8d,ebx |
00007FFDD8AE949 | 48:8D55 E0 | lea rdx,qword ptr ss: |
00007FFDD8AE949 | 48:8BCE | mov rcx,rsi |
00007FFDD8AE949 | 48:FF15 16910300 | call qword ptr ds:[<&GetWindowTextW>] |
00007FFDD8AE94A | 0F1F4400 00 | nop dword ptr ds:,eax |
00007FFDD8AE94A | 85C0 | test eax,eax |
00007FFDD8AE94A | 74 67 | je shlwapi.7FFDD8AE9512 |
00007FFDD8AE94A | 48:8D15 16AE0100 | lea rdx,qword ptr ds: | 00007FFDD8B042C8:L"Program Manager"
00007FFDD8AE94B | 48:8D4D E0 | lea rcx,qword ptr ss: |
00007FFDD8AE94B | 48:FF15 A3700100 | call qword ptr ds:[<StrCmpW>] |
00007FFDD8AE94B | 0F1F4400 00 | nop dword ptr ds:,eax |
00007FFDD8AE94C | 85C0 | test eax,eax |
00007FFDD8AE94C | 75 46 | jne shlwapi.7FFDD8AE950C |
00007FFDD8AE94C | 33D2 | xor edx,edx |
00007FFDD8AE94C | 48:8BCE | mov rcx,rsi |
00007FFDD8AE94C | 48:FF15 AE8F0300 | call qword ptr ds:[<&GetWindowThreadPro |
00007FFDD8AE94D | 0F1F4400 00 | nop dword ptr ds:,eax |
00007FFDD8AE94D | 8BD8 | mov ebx,eax |
00007FFDD8AE94D | 48:FF15 B06B0100 | call qword ptr ds:[<GetCurrentThreadId> |
00007FFDD8AE94E | 0F1F4400 00 | nop dword ptr ds:,eax |
00007FFDD8AE94E | 3BD8 | cmp ebx,eax |
00007FFDD8AE94E | 75 30 | jne shlwapi.7FFDD8AE9519 |
00007FFDD8AE94E | 48:8D15 F8AD0100 | lea rdx,qword ptr ds: | 00007FFDD8B042E8:L"pszDesktopTitleW"
00007FFDD8AE94F | 48:8BCE | mov rcx,rsi |
00007FFDD8AE94F | 48:FF15 8E8F0300 | call qword ptr ds:[<&GetPropW>] |
00007FFDD8AE94F | 0F1F4400 00 | nop dword ptr ds:,eax |
00007FFDD8AE94F | 48:85C0 | test rax,rax |
00007FFDD8AE950 | 48:8D7D E0 | lea rdi,qword ptr ss: |
00007FFDD8AE950 | 48:0F45F8 | cmovne rdi,rax |
00007FFDD8AE950 | EB 0D | jmp shlwapi.7FFDD8AE9519 |
00007FFDD8AE950 | 48:8D7D E0 | lea rdi,qword ptr ss: |
00007FFDD8AE951 | EB 07 | jmp shlwapi.7FFDD8AE9519 |
00007FFDD8AE951 | 48:8D3D 578A0100 | lea rdi,qword ptr ds: |
00007FFDD8AE951 | 48:8D85 F8000000 | lea rax,qword ptr ss: |
00007FFDD8AE952 | 49:8BD4 | mov rdx,r12 |
00007FFDD8AE952 | 4C:8D4424 20 | lea r8,qword ptr ss: |
00007FFDD8AE952 | 48:894424 20 | mov qword ptr ss:,rax |
00007FFDD8AE952 | 49:8BCE | mov rcx,r14 |
00007FFDD8AE953 | E8 5FFDFFFF | call <shlwapi.sub_7FFDD8AE9294> |
00007FFDD8AE953 | 48:836424 20 00 | and qword ptr ss:,0 |
00007FFDD8AE953 | 4C:8BF0 | mov r14,rax |
00007FFDD8AE953 | 48:85C0 | test rax,rax |
00007FFDD8AE954 | 0F84 C4000000 | je shlwapi.7FFDD8AE960B |
00007FFDD8AE954 | BB A0000000 | mov ebx,A0 |
00007FFDD8AE954 | 48:8D4C24 30 | lea rcx,qword ptr ss: |
00007FFDD8AE955 | 44:8BC3 | mov r8d,ebx |
00007FFDD8AE955 | 33D2 | xor edx,edx |
00007FFDD8AE955 | E8 423AFFFF | call <JMP.&memset> |
00007FFDD8AE955 | 8B8D F0000000 | mov ecx,dword ptr ss: |
00007FFDD8AE956 | 48:8D5424 30 | lea rdx,qword ptr ss: |
00007FFDD8AE956 | 895C24 30 | mov dword ptr ss:,ebx |
00007FFDD8AE956 | 48:897424 34 | mov qword ptr ss:,rsi |
00007FFDD8AE956 | 4C:897424 64 | mov qword ptr ss:,r14 |
00007FFDD8AE957 | 48:897C24 4C | mov qword ptr ss:,rdi |
00007FFDD8AE957 | E8 EE250100 | call <shlwapi.sub_7FFDD8AFBB6C> |
00007FFDD8AE957 | 8BD8 | mov ebx,eax |
00007FFDD8AE958 | 85C0 | test eax,eax |
00007FFDD8AE958 | 78 76 | js shlwapi.7FFDD8AE95FA |
00007FFDD8AE958 | 48:8D4D D8 | lea rcx,qword ptr ss: |
00007FFDD8AE958 | E8 13BAFEFF | call <shlwapi.sub_7FFDD8AD4FA0> |
00007FFDD8AE958 | 45:33C9 | xor r9d,r9d |
00007FFDD8AE959 | 48:8D55 D0 | lea rdx,qword ptr ss: |
00007FFDD8AE959 | 48:8D4C24 30 | lea rcx,qword ptr ss: |
00007FFDD8AE959 | E8 4A390100 | call <shlwapi.sub_7FFDD8AFCEE8> |
00007FFDD8AE959 | 8BD8 | mov ebx,eax |
00007FFDD8AE95A | 85C0 | test eax,eax |
00007FFDD8AE95A | 78 18 | js shlwapi.7FFDD8AE95BC |
00007FFDD8AE95A | F685 F0000000 0F | test byte ptr ss:,F |
00007FFDD8AE95A | 75 36 | jne shlwapi.7FFDD8AE95E3 |
00007FFDD8AE95A | 837D D0 02 | cmp dword ptr ss:,2 |
00007FFDD8AE95B | 75 30 | jne shlwapi.7FFDD8AE95E3 |
00007FFDD8AE95B | C745 D0 01000000 | mov dword ptr ss:,1 |
00007FFDD8AE95B | EB 27 | jmp shlwapi.7FFDD8AE95E3 |
00007FFDD8AE95B | 44:8B8D F0000000 | mov r9d,dword ptr ss: |
00007FFDD8AE95C | 4C:8BC7 | mov r8,rdi |
00007FFDD8AE95C | 41:0FBAE9 10 | bts r9d,10 |
00007FFDD8AE95C | 49:8BD6 | mov rdx,r14 |
00007FFDD8AE95C | 48:8BCE | mov rcx,rsi |
00007FFDD8AE95D | 41:B7 01 | mov r15b,1 |
00007FFDD8AE95D | 48:FF15 C58E0300 | call qword ptr ds:[<&MessageBoxW>]
===================================================
c:\windows\system32\windows.storage.dll
00007FFDD66F581 | 74 2F | je windows.storage.7FFDD66F5844 | ================>You are here!742F=>EB2F
00007FFDD66F581 | 48:8D4D 9F | lea rcx,qword ptr ss: |
00007FFDD66F581 | E8 5AE4B5FF | call windows.storage.7FFDD6253C78 |
00007FFDD66F581 | 48:8BC8 | mov rcx,rax |
00007FFDD66F582 | C74424 20 34000000 | mov dword ptr ss:,34 | 34:'4'
00007FFDD66F582 | 44:8BCE | mov r9d,esi |
00007FFDD66F582 | 44:8D46 DC | lea r8d,qword ptr ds: |
00007FFDD66F583 | 49:8BD6 | mov rdx,r14 |
00007FFDD66F583 | 48:FF15 06992900 | call qword ptr ds:[<&ShellMessageBoxW>] |
00007FFDD66F583 | 0F1F4400 00 | nop dword ptr ds:,eax | 我们回来到这里B1
00007FFDD66F583 | 44:8BE0 | mov r12d,eax |
00007FFDD66F584 | EB 04 | jmp windows.storage.7FFDD66F5848 |
00007FFDD66F584 | 44:8B65 C7 | mov r12d,dword ptr ss: |
00007FFDD66F584 | 48:8B4D D7 | mov rcx,qword ptr ss: |
改后之后的补丁需要来到WINPE下,复制回c:\windows\system32覆盖即可。 除了这个外,还有数字签名的DLL,都可以修改下,或许之后就能一劳永逸了。 谢谢,学习了! 感谢分享!对系统dll下手的确是一劳永逸,就是还要在PE里去操作麻烦些。
页:
[1]