|
Viking病毒免疫器 v0.1
最初由 shoooo 发布 最好直接吃永久安眠药 Sleep(-1); |
|
Viking病毒免疫器 v0.1
原理很简单
; OllyDbg listing of the "Anti-Viking v0.1" immunizer, one instruction per line.
; Overall flow as the listing shows it: single-instance mutex check -> remove the
; "Load" autostart value -> register itself under HKLM\...\Run -> recreate the two
; placeholder files in the Windows directory and keep them open -> sleep forever.
;
; --- single-instance guard: if a mutex with our own name already exists, exit ---
00401000 >/$>mov esi,00401246 ; ASCII "Anti-Viking v0.1"
00401005 |.>push esi ; /MutexName => "Anti-Viking v0.1"
00401006 |.>push 0 ; |Inheritable = FALSE
00401008 |.>push 1F0001 ; |Access = 1F0001
0040100D |.>call <jmp.&kernel32.OpenMutexA> ; \OpenMutexA
00401012 |.>or eax,eax
00401014 |.>je short 00401021 ; mutex absent -> first instance, continue at 00401021
00401016 |.>push eax ; /hObject
00401017 |.>call <jmp.&kernel32.CloseHandle> ; \CloseHandle
0040101C |.>jmp 0040123E ; another instance is running -> ExitProcess
00401021 |>>push esi ; /MutexName
00401022 |.>push 0 ; |InitialOwner = FALSE
00401024 |.>push 0 ; |pSecurity = NULL
00401026 |.>call <jmp.&kernel32.CreateMutexA> ; \CreateMutexA ; return value not checked
;
; --- remove the HKCU "Load" value (a user-level autostart location); result ignored ---
0040102B |.>push 00402085 ; /Value = "Load"
00401030 |.>push 00402050 ; |SubKey = "SoftWare\\microsoft\\Windows NT\\CurrentVersion\\Windows"
00401035 |.>push 80000001 ; |hKey = HKEY_CURRENT_USER
0040103A |.>call <jmp.&shlwapi.SHDeleteValueA> ; \SHDeleteValueA
;
; --- register our own path under HKLM\...\Run (persistence for the immunizer itself) ---
; NOTE: writing HKLM needs administrative rights; SHSetValueA's return is never checked,
; so under a limited account this silently does nothing.
0040103F |.>mov esi,00403008 ; 0x100-byte path buffer
00401044 |.>push 0 ; /pModule = NULL
00401046 |.>call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA
0040104B |.>push 100 ; /BufSize = 100 (256.)
00401050 |.>push esi ; |PathBuffer => AntiViki.00403008
00401051 |.>push eax ; |hModule
00401052 |.>call <jmp.&kernel32.GetModuleFileNameA> ; \GetModuleFileNameA
00401057 |.>inc eax ; DataLength = path length + 1 (include the terminating NUL for REG_SZ)
; NOTE(review): if the path is truncated GetModuleFileNameA returns BufSize, so
; DataLength becomes 0x101 and reads one byte past the 0x100-byte buffer; a failure
; (eax = 0) still writes a 1-byte value. Neither case is handled here.
00401058 |.>push eax ; /DataLength
00401059 |.>push esi ; |Data => ""
0040105A |.>push 1 ; |ValueType = REG_SZ
0040105C |.>push 004020B8 ; |Value = "AntiViking"
00401061 |.>push 0040208A ; |Subkey = "software\\microsoft\\Windows\\currentversion\\run"
00401066 |.>push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
0040106B |.>call <jmp.&shlwapi.SHSetValueA> ; \SHSetValueA
;
; --- placeholder 1: %WINDIR%\Rundl132.exe (presumably a file name the worm drops) ---
00401070 |.>mov esi,00403108 ; 0x200-byte path buffer
00401075 |.>push 200 ; /BufSize = 200 (512.)
0040107A |.>push esi ; |Buffer => AntiViki.00403108
0040107B |.>call <jmp.&kernel32.GetWindowsDirectoryA> ; \GetWindowsDirectoryA
00401080 |.>mov ebx,eax ; ebx = length of the Windows directory string, reused at 004010B6
00401082 |.>push 004020C3 ; /String2 = "\\Rundl132.exe"
00401087 |.>push esi ; |String1 => ""
00401088 |.>call <jmp.&kernel32.lstrcat> ; \lstrcat
0040108D |.>push 80 ; /FileAttributes = NORMAL
00401092 |.>push esi ; |FileName => ""
00401093 |.>call <jmp.&kernel32.SetFileAttributesA> ; \SetFileAttributesA ; strip attributes so DeleteFileA can succeed
00401098 |.>push esi ; /FileName => ""
00401099 |.>call <jmp.&kernel32.DeleteFileA> ; \DeleteFileA
0040109E |.>push 0 ; /hTemplateFile = NULL
004010A0 |.>push 80 ; |Attributes = NORMAL
004010A5 |.>push 2 ; |Mode = CREATE_ALWAYS
004010A7 |.>push 0 ; |pSecurity = NULL
004010A9 |.>push 0 ; |ShareMode = 0 ; exclusive: nobody else can open the file while this handle lives
004010AB |.>push 80000000 ; |Access = GENERIC_READ
004010B0 |.>push esi ; |FileName => ""
004010B1 |.>call <jmp.&kernel32.CreateFileA> ; \CreateFileA
; NOTE: the handle returned here is neither checked nor stored; it is presumably left
; open on purpose to keep the placeholder locked, but a failure goes unnoticed.
004010B6 |.>mov byte ptr [ebx+esi],0 ; truncate the buffer back to the Windows directory
; NOTE(review): if GetWindowsDirectoryA failed (ebx = 0) this empties the buffer and the
; next lstrcat builds a relative path "\\Logo1_.exe".
;
; --- placeholder 2: %WINDIR%\Logo1_.exe, created READONLY|HIDDEN|SYSTEM ---
004010BA |.>push 004020D1 ; /String2 = "\\Logo1_.exe"
004010BF |.>push esi ; |String1 => ""
004010C0 |.>call <jmp.&kernel32.lstrcat> ; \lstrcat
004010C5 |.>push 80 ; /FileAttributes = NORMAL
004010CA |.>push esi ; |FileName => ""
004010CB |.>call <jmp.&kernel32.SetFileAttributesA> ; \SetFileAttributesA
004010D0 |.>push esi ; /FileName => ""
004010D1 |.>call <jmp.&kernel32.DeleteFileA> ; \DeleteFileA
004010D6 |.>push 0 ; /hTemplateFile = NULL
004010D8 |.>push 7 ; |Attributes = READONLY|HIDDEN|SYSTEM
004010DA |.>push 2 ; |Mode = CREATE_ALWAYS
004010DC |.>push 0 ; |pSecurity = NULL
004010DE |.>push 0 ; |ShareMode = 0
004010E0 |.>push C0000000 ; |Access = GENERIC_READ|GENERIC_WRITE
004010E5 |.>push esi ; |FileName => ""
004010E6 |.>call <jmp.&kernel32.CreateFileA> ; \CreateFileA
004010EB |.>cmp eax,-1 ; INVALID_HANDLE_VALUE? (only this CreateFileA call is checked)
004010EE |.>jnz short 00401112
; --- failure path: tell the user, schedule the file for deletion at reboot, exit ---
004010F0 |.>push 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
004010F2 |.>push 00402103 ; |Title = "提示"
004010F7 |.>push 004020DD ; |Text = "病毒可能正在运行,请重新启动你的机器!"
004010FC |.>push 0 ; |hOwner = NULL
004010FE |.>call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401103 |.>push 4 ; /Flags = DELAY_UNTIL_REBOOT
00401105 |.>push 0 ; |NewName = NULL ; NULL target + DELAY_UNTIL_REBOOT = delete on next boot
00401107 |.>push esi ; |ExistingName => ""
00401108 |.>call <jmp.&kernel32.MoveFileExA> ; \MoveFileExA
0040110D |.>jmp 0040123E ; -> ExitProcess; the placeholder files are not re-created on this path
; --- success path: write a marker string, close, then reopen exclusively ---
00401112 |>>mov edi,00403000 ; global slot for the file handle
00401117 |.>mov [edi],eax
00401119 |.>mov ebx,00401257 ; ASCII "Anti viking file."
0040111E |.>mov ecx,00403004 ; global slot for bytes written
00401123 |.>push 0 ; /pOverlapped = NULL
00401125 |.>push ecx ; |pBytesWritten => AntiViki.00403004
00401126 |.>push 12 ; |nBytesToWrite = 12 (18.) ; "Anti viking file." plus its NUL, see data at 00401257
00401128 |.>push ebx ; |Buffer => AntiViki.00401257
00401129 |.>push eax ; |hFile
0040112A |.>call <jmp.&kernel32.WriteFile> ; \WriteFile ; return not checked
0040112F |.>push dword ptr [edi] ; /hObject
00401131 |.>call <jmp.&kernel32.CloseHandle> ; \CloseHandle
00401136 |.>push 0 ; /hTemplateFile = NULL
00401138 |.>push 7 ; |Attributes = READONLY|HIDDEN|SYSTEM
0040113A |.>push 3 ; |Mode = OPEN_EXISTING
0040113C |.>push 0 ; |pSecurity = NULL
0040113E |.>push 0 ; |ShareMode = 0 ; exclusive reopen; this handle is also never checked or closed
00401140 |.>push 80000000 ; |Access = GENERIC_READ
00401145 |.>push esi ; |FileName
00401146 |.>call <jmp.&kernel32.CreateFileA> ; \CreateFileA
; --- idle forever so the exclusive handles stay open; the mov edi,edi run is padding ---
0040114B |>>/push 1000 ; /Timeout = 4096. ms
00401150 |.>|call <jmp.&kernel32.Sleep> ; \Sleep
00401155 |.>|mov edi,edi
00401157 |.>|mov edi,edi
00401159 |.>|mov edi,edi
........ |.>|............... ; so boring......
00401233 |.>|mov edi,edi
00401235 |.>|mov edi,edi
00401237 |.>|mov edi,edi
00401239 |.>\jmp 0040114B ; unconditional: the process never leaves this loop on its own
; --- common exit ---
0040123E |>>push 0 ; /ExitCode = 0
00401240 \.>call <jmp.&kernel32.ExitProcess> ; \ExitProcess
00401245 .>retn
; --- string data referenced above ---
00401246 .>ascii "Anti-Viking v0.1"
00401256 .>ascii 0
00401257 .>ascii "Anti viking file"
00401267 .>ascii ".",0 |
|
|
|
|
|
有关URLDownloadToFile的疑问
又做了一些动态网页下载测试,发现有的可以下载,有的就返回错误.想知道原因. |
|
|
|
[转帖]Universal Extractor 1.3
好东西啊...支持! |
|
脱壳后显示Microsoft Visual C++ 6.0 [Overlay] EP区段 nsp0却没有资源
NsPack的loader代码可能要重定位资源基址,脱壳后可能要修正一下. |
|
[ZT]Visual Assist X v10.3.1534 build 2006.09.02 cracked dll's by Av0id
最初由 codearts 发布 |
|
[ZT]Visual Assist X v10.3.1534 build 2006.09.02 cracked dll's by Av0id
开发人员太狡猾,更新频繁,暗桩无数. |
|
[!]Upack 2.3
最初由 fly 发布 我的印象中FSG和MEW10非常相似,但总是比MEW10差一点,所以就不做对比了. 本来也不想测试UPX和ASPack的,不过这两个壳用的太广泛,就用来做对比. KByS刚刚才发现(相关信息相当少,已下载0.28beta版).初步感觉与NsPack差不多,但选项太少. 如果总体水平超过NsPack,我会加入测试行列. |
|
|
|
[原创]hmimys-Packer v1.0
最初由 q3 watcher 发布 没关系,坚持坚持再坚持.Upack不也度过危险期了吗? |
|
文件监视器
最初由 kinglon 发布 KAV 5.0 pro 不过后来又大胆试了第二次(能杀掉的进程都终止了),成功了.不过感觉不如filemon好用. |
|
请问:怎样用汇编编程将jpg转换为bmp
COM里有个IPicture接口可以解码JPG,但用汇编写调用COM的程序太麻烦了. |
|
[求助]高手进来讲讲驱动透明加密技术
"对文件操作的兼容性"与"防止木马或主动泄密"是矛盾的. 如果实现好"对文件操作的兼容性",就不会有临时文件的生成,对系统透明,很难出现不可预料的错误,当然木马也会利用其"兼容性". 如果实现好"防止木马或主动泄密",那么文件的打开就会受很大影响,要么生成临时文件,要么用hook,二者都是很不稳定的,稳定的极限就是对系统透明,那么就难防木马了. |
|
文件监视器
下载,运行,然后立即蓝屏(XPsp2+KAV) |
|
[求助]高手进来讲讲驱动透明加密技术
TrueCrypt 4.2a 使用驱动虚拟加密磁盘,免费开源. 幸亏宣传不够广泛,使得XX款国产加密软件得以存活. 很好用的软件,好好研究吧. http://www.truecrypt.org/ |
|
|