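// Break on every DLL load and stop only for a library whose name matches *pass.dll.
// x86 only: the argument offsets are read from esp. esp+c is LdrLoadDll's third argument,
// a PUNICODE_STRING; its Buffer field sits at +4, which is what $t0 points at. The string is
// captured as the alias $dllname (as /mu reads it as Unicode). On a match the stack is shown
// (kbn) and the debugger stays broken; otherwise the alias is dropped (ad) and the target
// resumes (g). Note that $spat() matches the whole path, so the leading * is required.
bu ntdll!LdrLoadDll "r $t0=poi(poi(esp+c)+4);as /mu ${/v:dllname} @$t0;.block{.if($spat(\"${dllname}\",\"*pass.dll\")){kbn}; .else{ad ${/v:dllname};g}}"
// Break on registry value queries and stop only when the queried value name is Start*.
// x86 only: esp+8 is lpValueName (the second argument); esp+4 would be hKey. A NULL
// lpValueName is skipped via the poi(esp+8)>0 guard. The name is captured as the alias
// $valuename and echoed with du before the comparison.
// NOTE(review): the module holding RegQueryValueExW differs by Windows version (advapi32,
// or kernel32/kernelbase on newer releases) — confirm that kernel32! resolves on the target.
// NOTE(review): in the outer .else branch the `dd poi(esp+8)` after `g` most likely never
// runs, since g resumes the target before the rest of the command string — confirm, and
// move it before g (or drop it) if the dump is wanted.
bu kernel32!RegQueryValueExW ".if(poi(esp+8)>0) {r $t0=poi(esp+8);as /mu ${/v:valuename} @$t0;du @$t0;.block{.if($spat(\"${valuename}\",\"Start*\")){kbn};.else{ad ${/v:valuename};g}}};.else{g; dd poi(esp+8)}"
// Scan virtual memory for PE (MZ/PE) image headers, e.g. to find mapped images that are
// not in the loaded-module list.
.imgscan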