[Discussion] What does Huorong Sword (HRSword) rely on to detect process-group behavior? Is there a way to evade Huorong Sword's detection~
2020-1-25 19:08 4050
I have recently been learning malware analysis, using Huorong Sword to view a program's behavior and, from that behavior, get a rough picture of the program's execution flow and some of its functions. So is there a way to keep behavior-monitoring software like Huorong Sword from seeing certain sensitive, abnormal behaviors? For example network connections, registry modification, writing malicious files, autostart of malicious files and so on?


Latest replies (5)
Lixinist 1 2020-1-25 20:22
"Ring0: From Beginner to Blue Screen" (《Ring0:从入门到蓝屏》)
hzqst 3 2020-1-25 21:33
minifilter, wfp, callback
yueyetu 2020-1-27 14:36
minifilter, wfp, callback 
killleer 2020-1-27 15:46
One xpaj driver seems to have pulled it off (seems; whether it really does still needs the OP to test). It is an XP-era thing; Huorong Sword could not see the file creation or the driver's self-deletion:

Everything else I have seen fails: once the driver is loaded, System creating files is seen plain as day. But the Shuangqiang (Double Gun) rootkit and the TCPIP-renaming hijack rootkit can both make Huorong Sword record fake "self-check" actions by System.


However, the Double Gun rootkit and the TCPIP-renaming hijack were still seen doing the initial file creation, the registry operations and the read of ntoskrnl, and the auto-update was seen as well...


Last edited by killleer on 2020-1-27 15:56, reason:
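The log killleer describes is the defender's side of this thread: even where a driver hides one step, the surrounding steps (new service key with Start=0, the .sys load, the loader's own service key being removed, then network traffic from a system process) are still in the export. The script below is an added example, not code from the thread or from Huorong; it assumes HRSword's comma-separated export format (time, process, pid:tid, parent pid, operation, target, details, status) and correlates those stages per service name over constructed sample lines.

```python
import re

# Constructed sample lines (not copied from the thread) in HRSword's export
# format: time, process, pid:tid, ppid, op, target, details, status.
# Network addresses are documentation placeholders, not real indicators.
SAMPLE_LOG = r"""
18:17:55:552, System, 4:52, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin, access:0x000F003F , 0x00000000 [success],
18:17:55:552, System, 4:52, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kcaqevyin\Start, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [success],
18:17:55:833, System, 4:52, 0, SYS_load_kmod, C:\WINDOWS\System32\Drivers\kcaqevyin.sys, , 0x00000000 [success],
18:17:55:849, System, 4:52, 0, REG_rmkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\xpaj_Service, , 0x00000000 [success],
18:17:56:318, services.exe, 776:3256, 0, NET_connect, 192.0.2.10:80, protocol:(TCP)0 , 0x00000000 [success],
18:18:02:990, services.exe, 776:1388, 0, NET_http, example.invalid/index.php, protocol:(TCP)0 cmd:'POST' datalen:586 , 0x00000000 [success],
"""

# Matches the service name (group 1) and any sub-path under it (group 2).
SVC_RE = re.compile(r"\\CurrentControlSet\\Services\\([^\\]+)(?:\\(.*))?$", re.I)

def parse_line(line):
    """Split one export line into a dict; the details field may be empty."""
    parts = [p.strip() for p in line.rstrip(",").split(", ", 7)]
    if len(parts) != 8:
        return None
    keys = ("time", "proc", "pid_tid", "ppid", "op", "target", "details", "status")
    return dict(zip(keys, parts))

def analyze(log_text):
    """Correlate the stages of a boot-start driver install that removes its
    loader's service key and then talks to the network from a system process."""
    stages, removed, net = {}, set(), []      # service -> observed stage labels
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        m = SVC_RE.search(ev["target"])
        svc = m.group(1).lower() if m else None
        sub = (m.group(2) or "").lower() if m else ""
        if ev["op"] == "REG_mkkey" and svc and not sub:
            stages.setdefault(svc, set()).add("new_service_key")
        elif ev["op"] == "REG_setval" and svc and sub == "start" \
                and "data:'00 00 00 00" in ev["details"]:   # 0 = SERVICE_BOOT_START
            stages.setdefault(svc, set()).add("boot_start")
        elif ev["op"] == "SYS_load_kmod":
            name = ev["target"].rsplit("\\", 1)[-1].lower()
            name = name[:-4] if name.endswith(".sys") else name
            stages.setdefault(name, set()).add("driver_loaded")
        elif ev["op"] == "REG_rmkey" and svc and not sub:
            removed.add(svc)
        elif ev["op"] in ("NET_connect", "NET_http") \
                and ev["proc"].lower() in ("system", "services.exe"):
            net.append("%s %s %s" % (ev["proc"], ev["op"], ev["target"]))
    findings = []
    for svc, seen in sorted(stages.items()):
        if {"new_service_key", "driver_loaded"} <= seen:
            if removed - {svc}:
                seen.add("old_service_removed")
            if net:
                seen.add("system_process_network")
            findings.append({"service": svc, "stages": sorted(seen),
                             "removed_services": sorted(removed - {svc}),
                             "network": net})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["service"], f["stages"], f["removed_services"])
```

The chain is only flagged when a service key is both created and loaded as a driver, so a plain Tcpip\Parameters write from services.exe on its own produces no finding.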
NoThx 2020-1-27 18:52
Lixinist: "Ring0: From Beginner to Blue Screen" (《Ring0:从入门到蓝屏》)
What is this? I searched Baidu and can confirm it is not a book.