So, to get all resources, you have to seek to the end of the file (EOF) and work backwards, resource-wise. The resources contained in each DLL are the GUI background bitmap (.bmp), some odd font data, a small test executable, drivers (if needed) and finally the VM itself. To decrypt/uncompress the resource data, see the attached init sources.
Once the VM is decrypted that way, it goes via DeviceIoControl and sfdrv01.sys to kernel mode, where the kernel init (with a ring 3 copy of the VM) is executed. See the kernel doc for details.