00004000h: 00 00 00 00 3B 01 0B 01
The blue text above is the pattern, and the red text is the numeric sum of the pattern. In the RULE structure, Pattern is declared as WCHAR Pattern, which means Pattern is a wide-character type: each character occupies two bytes (16 bits). So the pattern shown above is the wide-character string E:\TEST* (the leading 01000000 is the Policy, discussed later). During the later CRC check, however, the pattern is processed as ULONGs, and since sizeof(ULONG)=4, it has to be taken 4 bytes at a time. And because the x86 architecture is little-endian (the low-order byte comes first and the high-order byte last), the data above:
00000000h: 01 00 00 00 45 00 3A 00 5C 00 54 00 45 00 53 00
00000100h: 54 00 2A 00 00 00 00 00 00 00 00 00 00 00 00 00
is read in groups of 4 bytes, each group reversed. For example, the initial 01 00 00 00 is read as 00000001, i.e. 0x1 in hexadecimal. This is the value of the encryption policy (RULE.Policy), which we will see later. Looking up the data above in an ASCII table, we can tell that the pattern starts at the fifth byte, i.e. at the first 45 above. The pattern is E:\TEST*; since these are all WCHARs, each character is followed by an extra 00. Adding up the blue values:
0x00000001 + 0x003A0045 + 0x0054005C + 0x00530045 + 0x002A0054 =
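As an added example (not code from the original article), the following C program rebuilds the RULE bytes from the dump above, reads them as little-endian ULONGs in groups of 4 and sums them, then compares the result with the stored value 3B 01 0B 01 from the last dump line. The byte buffer is constructed by hand from the dump; the field names Policy and Pattern follow the text, while the exact layout of the RULE structure is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed from the dump in the text: ULONG Policy = 1, then the WCHAR
   pattern E:\TEST* and its 16-bit NUL. The layout (Policy first, Pattern
   immediately after) is an assumption based on the dump. */
static const uint8_t rule_bytes[] = {
    0x01, 0x00, 0x00, 0x00,                         /* Policy = 0x00000001 */
    0x45, 0x00, 0x3A, 0x00, 0x5C, 0x00, 0x54, 0x00, /* E : \ T             */
    0x45, 0x00, 0x53, 0x00, 0x54, 0x00, 0x2A, 0x00, /* E S T *             */
    0x00, 0x00                                      /* terminating NUL     */
};
/* The stored sum from the last dump line, as it sits in memory. */
static const uint8_t stored_sum[4] = { 0x3B, 0x01, 0x0B, 0x01 };

/* Read a little-endian 32-bit value regardless of host byte order. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Length in WCHARs of the pattern that starts at byte offset 4 (after Policy). */
size_t pattern_wchars(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t off = 4; off + 1 < len; off += 2, n++)
        if (buf[off] == 0 && buf[off + 1] == 0) break;
    return n;
}

/* Sum Policy plus the pattern text as little-endian ULONGs, 4 bytes per group,
   wrapping mod 2^32 exactly as ULONG arithmetic would. A final partial group
   is zero-padded, so a pattern of odd WCHAR length is still handled. */
uint32_t rule_sum(const uint8_t *buf, size_t len) {
    size_t bytes = 4 + 2 * pattern_wchars(buf, len);
    uint32_t sum = 0;
    for (size_t off = 0; off < bytes; off += 4) {
        uint8_t group[4] = { 0, 0, 0, 0 };
        for (size_t k = 0; k < 4 && off + k < bytes; k++) group[k] = buf[off + k];
        sum += read_le32(group);
    }
    return sum;
}

/* 1 if the computed sum equals the value stored in the dump, else 0. */
int rule_sum_matches(const uint8_t *buf, size_t len, const uint8_t *stored) {
    return rule_sum(buf, len) == read_le32(stored);
}

int main(void) {
    printf("sum = 0x%08X, match = %d\n", (unsigned)rule_sum(rule_bytes, sizeof rule_bytes),
           rule_sum_matches(rule_bytes, sizeof rule_bytes, stored_sum));
    return 0;
}
```

The five groups summed are exactly the terms of the equation above, and the result 0x010B013B matches the bytes 3B 01 0B 01 in the dump.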