Excalidraw Data
Text Elements
MasqueradePEBToCopyFile
ImagePathName
ChangePEB
CommandLine
“C:\windows\explorer.exe”
COM Option
CopyItem
IFileOperation
Issue an RPC call, passing the masqueraded path
RPCSS
rpcss!_Connect
CProcess
Pass the masqueraded path
{e60c73e6-88f9-11cf-9af1-0020af6e72f4}:0
Call to rpcss!SCMActivatorCreateInstance
wait
Issue an RPC call
ole32!RAiGetTokenForCOM
AppInfo
AppInfo!RAiGetTokenForCOM
AppInfo!AipGetTokenForService
AppInfo!AiCheckSecureApplicationDirectory
PEB path passed in at validation time