Unresolved [Discussion] What does 火绒剑 (HRSword) rely on to detect process-group behaviour? Is there any way to evade HRSword's detection~
Posted: 2020-1-25 19:08 4300
I've recently been learning malware analysis, using 火绒剑 (HRSword) to look at a program's behaviour and using that behaviour to get a rough picture of the program's execution flow and some of its functions. So is there a way to keep behaviour-monitoring software like HRSword from seeing certain sensitive or abnormal behaviours? For example network connections, registry modification, writing malicious files, malicious files setting themselves to auto-start, and so on?

Latest replies (5)
2
《Ring0:从入门到蓝屏》 ("Ring0: From Beginner to Blue Screen")
2020-1-25 20:22
1
3
minifilter, wfp, callback
2020-1-25 21:33
0
4
minifilter, wfp, callback 
2020-1-27 14:36
0
5
An xpaj driver seems (seems; whether it really does still needs the OP to test) to have managed it. It's an XP-era thing, and its file creation and the driver's self-deletion are invisible to HRSword:

Everything else I've seen doesn't work: after the driver loads, System creating files is seen plain as day. But the 双枪 (Double-Gun) rootkit and the rootkit that hijacks TCPIP by renaming it can both make HRSword record fake "System" self-check actions.


However, with the 双枪 rootkit and the TCPIP-renaming hijack, the initial file creation, registry operations and reading of ntoskrnl were still seen, and the auto-update was seen as well...


Last edited by killleer on 2020-1-27 15:56, reason:
2020-1-27 15:46
0
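As an added illustration (not code from the thread, from HRSword, or from the sample discussed), here is a small Python parser for the layout of an HRSword monitor-log line (time, process, pid:tid, parent pid, operation, target, details, status [message]) with a defensive check for the chain this reply describes: a new key under CurrentControlSet\Services, Start=0, a SYS_load_kmod of the matching .sys, and a REG_rmkey of a service key afterwards. The log lines embedded below are constructed in that layout with placeholder names (exampledrv, loader_Service, loader.exe), not the values from the post.

```python
import re

# Layout of one 火绒剑 (HRSword) monitor-log line, as quoted in the thread:
#   time, process, pid:tid, parent-pid, operation, target, details, status [message],
LINE_RE = re.compile(
    r"^(?P<time>\d+:\d+:\d+:\d+), (?P<proc>[^,]+), (?P<pid>\d+):(?P<tid>\d+), "
    r"(?P<ppid>\d+), (?P<op>\w+), (?P<target>[^,]*), (?P<details>[^,]*), "
    r"(?P<status>0x[0-9A-Fa-f]{8}) \[(?P<msg>[^\]]*)\],?\s*$"
)
# Splits a registry path under CurrentControlSet\Services into (service name, sub-path or None).
SERVICE_RE = re.compile(r"\\CurrentControlSet\\Services\\([^\\]+)(?:\\(.*))?$", re.I)

def parse_line(line: str):
    """Return the line's fields as a dict (pid/status as ints), or None if it is blank/malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"], ev["status"] = int(ev["pid"]), int(ev["status"], 16)  # status is an NTSTATUS
    ev["details"] = ev["details"].strip()
    return ev

def find_driver_installs(lines):
    """Flag the chain: new Services key -> Start=0 -> SYS_load_kmod of that .sys -> REG_rmkey of a service."""
    created, findings = {}, []
    for ev in filter(None, map(parse_line, lines)):
        if ev["status"] != 0:
            continue  # a failed operation (e.g. 0xC0000001) changed nothing on the box
        m = SERVICE_RE.search(ev["target"])
        if ev["op"] == "REG_mkkey" and m and m.group(2) is None:
            created[m.group(1).lower()] = {"boot_start": False}
        elif ev["op"] == "REG_setval" and m and (m.group(2) or "").lower() == "start":
            svc = created.get(m.group(1).lower())
            if svc and "data:'00 00 00 00" in ev["details"]:
                svc["boot_start"] = True  # Start=0 is SERVICE_BOOT_START
        elif ev["op"] == "SYS_load_kmod":
            stem = ev["target"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            if stem in created:  # driver image name matches a service created in this trace
                findings.append(("new_service_driver_loaded", stem, created[stem]["boot_start"], ev["proc"]))
        elif ev["op"] == "REG_rmkey" and m and m.group(2) is None:
            findings.append(("service_key_removed", m.group(1).lower(), ev["proc"]))
    return findings

# Constructed sample in the layout above; the names are placeholders, not values from the thread.
SAMPLE_LOG = r"""
18:17:55:552, System, 4:52, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\exampledrv, access:0x000F003F , 0x00000000 [操作成功完成。  ],
18:17:55:552, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\exampledrv\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。  ],
18:17:55:552, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\exampledrv\Start, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。  ],
18:17:55:833, System, 4:52, 0, SYS_load_kmod, C:\WINDOWS\System32\Drivers\exampledrv.sys, , 0x00000000 [操作成功完成。  ],
18:17:55:849, System, 4:52, 0, REG_rmkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\loader_Service, , 0x00000000 [操作成功完成。  ],
18:17:55:849, loader.exe, 3028:3036, 3028, SYS_load_kmod, C:\loader.sys, , 0xC0000001 [连到系统上的设备没有发挥作用。  ],
""".strip().splitlines()
```

Running `find_driver_installs(SAMPLE_LOG)` yields one finding for the boot-start driver loaded under a freshly created service key and one for the service key removed right after, while the failed load (status 0xC0000001) is ignored.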
6
Lixinist 《Ring0:从入门到蓝屏》
What is this? I looked it up on Baidu and can confirm it's not a book.
2020-1-27 18:52
0