Views: 1935  Replies: 19
Keeping a Panda for a few days: some observations
Knowing that Panda (熊猫烧香) has been all the rage lately, I quickly downloaded a copy from the net. The only flaw is that the exe files Panda infects can no longer run normally. It did, however, stuff my hard drive with a huge pile of desktop_.ini files, which annoyed me no end.

Honestly, the technique Panda uses is quite ordinary, but very effective. Otherwise, why would the special removal tools from Kingsoft, Rising and Jiangmin have to be renamed to a different extension before they can run? As for those tools with the supposedly miraculous reputations: as long as Panda is running first, Panda kills the newcomer on the spot. Apparently these tools have no trick for catching a blade bare-handed; their fame is undeserved.

Panda's process-killing method is rather clumsy: it is actually PostMessage WM_QUIT. As a result, my own program was killed before it even finished starting, because my window title contains the two characters "进程" (process), which Panda treats as taboo. Panda does not seem to call TerminateProcess, though, because my hooked OpenProcess was never triggered.

Still, it is quite fun to use it for testing programs. As long as you keep it under control, not letting it touch files, access the network or operate on the registry, you can use it to test many things, for example every kind of hook from the kernel up to the application layer.

Good stuff; I dare not keep it to myself, so I am offering it for everyone to test with. Can anyone help strip the packer?
Reply #1 (沙发)
Posted on: 2007-01-27 09:23
Show us a bit of code; how did you handle it? In my hook of the Win32K.sys code I always KeWaitFor* on an event. If I simply return a refusal status code there is no problem, but this hook function really does need the upper-layer user or upper-layer application to confirm. Yet when waiting for KeWait* to return the upper-layer application's or the user's reply, that wait could be a week long, and the system dies before that time ever comes. When it dies, SoftICE cannot trace the breakpoint; I guess it is a process stack switching problem, but using that function for switching process stacks had no effect. Hooks on the functions exported by nt*.exe, on the other hand, have no problem at all.
Reply #2 (板凳)
Posted on: 2007-01-26 21:43
Heh, that is a problem for you people to handle~~
Reply #3 (地板)
Posted on: 2007-01-26 20:22
For the Win32K.sys NtUserSetWindowsHook family of functions, simply refusing is fairly easy, but if you want to stop and interact with the user it is not that simple. Because of the context switch, the call often goes out and never comes back; before the upper-layer application's reply arrives, the system has crashed.
Reply #4 (地下室)
Posted on: 2007-01-26 15:16
Heh, we filter messages~
驱动小牛
Reply #5
Posted on: 2007-01-26 14:47
Nothing is absolute. Infection has its advantages: for example, the existing ANTI-ROOTKIT tools, however many there are, can only target ROOTKITs. Unfortunately Panda's infection is far too obvious: files grow, icons change, and large numbers of EXEs become unusable.
Anti-virus software could learn from AVP, which HOOKed the WIN32 API and filtered out its own window handles.
Reply #6
Posted on: 2007-01-26 13:29
It very rarely manages to find the windows of our stuff~
Reply #7
Posted on: 2007-01-26 10:51
Terminating processes with FindWindow(Ex)/PostMessage(WM_QUIT): viruses have been using this method for years and it still works every single time. Why have the anti-virus vendors made no progress at all?
Reply #8
Posted on: 2007-01-26 09:09
That method still does not work~~ I hook the stuff at the NtUserXXX level~
Reply #9
Posted on: 2007-01-26 09:00
I thought executable infection had no future; I did not expect it to rise from the ashes. Who knows what those damned file-filter controls went off to do. The key problem is still that they are not intelligent enough.
Reply #10
Posted on: 2007-01-26 08:38
Thanks WQXNETQIQI, so that is how it does it. No wonder my attempt to block it by intercepting EnumWindows had no effect, while using PostMessage was very effective. Any cross-process window message operation is suspicious.
It actually walks the windows this way:

FindWindowEx
The FindWindowEx function retrieves a handle to a window whose class name and window name match the specified strings. The function searches child windows, beginning with the one following the specified child window. This function does not perform a case-sensitive search.

Syntax
HWND FindWindowEx(
    HWND hwndParent,
    HWND hwndChildAfter,
    LPCTSTR lpszClass,
    LPCTSTR lpszWindow
);

Parameters
hwndParent [in] Handle to the parent window whose child windows are to be searched. If hwndParent is NULL, the function uses the desktop window as the parent window. The function searches among windows that are child windows of the desktop. Microsoft® Windows® 2000 and Windows XP: If hwndParent is HWND_MESSAGE, the function searches all message-only windows.
hwndChildAfter [in] Handle to a child window. The search begins with the next child window in the Z order. The child window must be a direct child window of hwndParent, not just a descendant window. If hwndChildAfter is NULL, the search begins with the first child window of hwndParent. Note that if both hwndParent and hwndChildAfter are NULL, the function searches all top-level and message-only windows.
lpszClass [in] Pointer to a null-terminated string that specifies the class name or a class atom created by a previous call to the RegisterClass or RegisterClassEx function. The atom must be placed in the low-order word of lpszClass; the high-order word must be zero. If lpszClass is a string, it specifies the window class name. The class name can be any name registered with RegisterClass or RegisterClassEx, or any of the predefined control-class names, or it can be MAKEINTATOM(0x8000). In this latter case, 0x8000 is the atom for a menu class. For more information, see the Remarks section of this topic.
lpszWindow [in] Pointer to a null-terminated string that specifies the window name (the window's title). If this parameter is NULL, all window names match.

Return Value
If the function succeeds, the return value is a handle to the window that has the specified class and window names. If the function fails, the return value is NULL. To get extended error information, call GetLastError.

Remarks
If the lpszWindow parameter is not NULL, FindWindowEx calls the GetWindowText function to retrieve the window name for comparison. For a description of a potential problem that can arise, see the Remarks section of GetWindowText.
An application can call this function in the following way:
FindWindowEx( NULL, NULL, MAKEINTATOM(0x8000), NULL );
0x8000 is the atom for a menu class. When an application calls this function, the function checks whether a context menu is being displayed that the application created.
Windows 95 or later: FindWindowExW is supported by the Microsoft Layer for Unicode (MSLU). To use this, you must add certain files to your application, as outlined in Microsoft Layer for Unicode on Windows 95/98/Me Systems.
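Detection logic for the observation in that reply (a window message posted to another process's window is suspicious), written as an added example that is not code from the thread. It assumes a hypothetical, constructed hook-log format: one event per line, "pid=<sender> api=<name> hwnd=<hex>" plus "msg=<name>" for message APIs or "title=<text>" for CreateWindow; the sample lines are constructed.

```python
import re

# Messages that end the receiving thread's message loop (WM_QUIT) or start a
# close (WM_CLOSE). Processes that legitimately post these to other
# processes' windows are rare, so a cross-process post is worth an alert.
KILL_MESSAGES = {"WM_QUIT", "WM_CLOSE"}

# Assumed log format (constructed for this example, not a real tool's output).
LINE_RE = re.compile(
    r"pid=(?P<pid>\d+)\s+api=(?P<api>\w+)\s+hwnd=(?P<hwnd>0x[0-9a-fA-F]+)"
    r"(?:\s+(?P<key>msg|title)=(?P<val>.+))?\s*$"
)

def parse_event(line):
    """Return a dict for one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"pid": int(m["pid"]), "api": m["api"], "hwnd": m["hwnd"].lower()}
    if m["key"]:
        ev[m["key"]] = m["val"].strip()
    return ev

def find_cross_process_kills(lines):
    """Return (sender pid, owner pid, window title, message) for every
    WM_QUIT/WM_CLOSE posted to a window owned by a different process."""
    owner = {}    # hwnd -> (owner pid, title), learned from CreateWindow events
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["api"] == "CreateWindow":
            owner[ev["hwnd"]] = (ev["pid"], ev.get("title", ""))
        elif ev["api"] in ("PostMessage", "SendMessage") and ev.get("msg") in KILL_MESSAGES:
            target = owner.get(ev["hwnd"])
            if target is not None and target[0] != ev["pid"]:
                alerts.append((ev["pid"], target[0], target[1], ev["msg"]))
    return alerts

# Constructed sample: pid 2000 sweeps windows by title and posts WM_QUIT to
# two foreign windows; pid 1300 closing its own window is not an alert.
SAMPLE_LOG = """
pid=1200 api=CreateWindow hwnd=0x0005009a title=进程查看器
pid=1300 api=CreateWindow hwnd=0x000600b2 title=IceSword
pid=1200 api=PostMessage hwnd=0x0005009a msg=WM_PAINT
pid=2000 api=FindWindowExA hwnd=0x0005009a
pid=2000 api=GetWindowTextA hwnd=0x0005009a
pid=2000 api=PostMessage hwnd=0x0005009a msg=WM_QUIT
pid=1300 api=PostMessage hwnd=0x000600b2 msg=WM_CLOSE
pid=2000 api=PostMessage hwnd=0x000600b2 msg=WM_QUIT
""".strip().splitlines()

if __name__ == "__main__":
    for sender, victim, title, msg in find_cross_process_kills(SAMPLE_LOG):
        print(f"pid {sender} posted {msg} to window '{title}' of pid {victim}")
```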
Reply #11
Posted on: 2007-01-25 22:41
Here is the code that finds the window and kills it:

CODE:004085F5 push offset j_@System@@HandleFinally$qqrv_16
CODE:004085FA push dword ptr fs:[eax]
CODE:004085FD mov fs:[eax], esp
CODE:00408600 call sub_40852C
CODE:00408605 xor ebx, ebx
CODE:00408607 call GetDesktopWindow
CODE:0040860C mov edi, eax
CODE:0040860E
CODE:0040860E loc_40860E: ; CODE XREF: sub_4085DC+666j ; this is the big loop; it covers every window to be killed
CODE:0040860E push 0 ; LPCSTR
CODE:00408610 push 0 ; LPCSTR
CODE:00408612 push ebx ; HWND
CODE:00408613 push edi ; HWND
CODE:00408614 call FindWindowExA
CODE:00408619 mov ebx, eax
CODE:0040861B push 65h ; nMaxCount
CODE:0040861D push esi ; lpString
CODE:0040861E push ebx ; hWnd
CODE:0040861F call GetWindowTextA
CODE:00408624 lea eax, [ebp+var_6C]
CODE:00408627 mov edx, esi
CODE:00408629 mov ecx, 65h
CODE:0040862E call @@LStrFromArray$qqrr10AnsiStringpci
CODE:00408633 mov edx, [ebp+var_6C]
CODE:00408636 mov eax, offset dword_408EEC ; "天网"
CODE:0040863B call @System@@LStrPos$qqrv
CODE:00408640 test eax, eax
CODE:00408642 jz short loc_408650
CODE:00408644 push 0 ; lParam
CODE:00408646 push 0 ; wParam
CODE:00408648 push WM_QUIT ; Msg
CODE:0040864A push ebx ; hWnd
CODE:0040864B call PostMessageA
Reply #12
Posted on: 2007-01-25 22:31
I have the idb here... heh heh...
You can't say that about Old V; he is pretty nice and often releases fun stuff. Panda does not use EnumWindows, haha.
Reply #13
Posted on: 2007-01-25 22:25
There is already an analysis. 51VC and Panda are basically similar; one just infects EXEs (only so-called infection... Old V would laugh if he saw this method) and the other just pops up IE.
http://www.cnbeta.com/modules.php?name=News&file=article&mode=flat&sid=21465
I have already read this article; it says the same thing as the vendors. I want to know more detail, preferably with unpacked code. For example, how does Panda obtain window titles? Through EnumWindows? No, because that function was not called when I intercepted it. So what method does it use?
Reply #14
Posted on: 2007-01-25 22:22
***
Reply #15
Posted on: 2007-01-25 21:09
Nice, nice, release it so we can play with it.
Reply #16
Posted on: 2007-01-25 21:02
It infects both drivers and r3 PE files, heh~
Reply #17
Posted on: 2007-01-25 20:58
Boring~
I have a thing that learned from Benny: it hooks IoCreateFile and NtClose, removes the infection on open and writes the infection back on close~ heh~ As a result many domestic anti-virus products cannot clean it completely~~
Reply #18
Posted on: 2007-01-25 20:49
Every 2 seconds it rewrites the home page to: www.51.vc

Every 6 seconds it stops the following services:
Schedule, sharedaccess, RsCCenter, RsRavMon, KVWSC, KVSrvXP, kavsvc, AVP, McAfeeFramework, McShield, McTaskManager

It deletes the following registry entries:
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/RavTask
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/KvMonXP
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/kav
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/KAVPersonal50
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/McAfeeUpdaterUI
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/Network Associates Error Reporting Service
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/ShStatEXE
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/YLive.exe( :D)
SOFTWARE/Microsoft/Windows/CurrentVersion/Run/yassistse

It stops and deletes the following services:
RsCCenter, RsRavMon, KVWSC, KVSrvXP, AVP, kavsvc, McAfeeFramework, McShield, McTaskManager, navapsvc, wscsvc, KPfwSvc, SNDSrvc, ccProxy, ccEvtMgr, ccSetMgr, SPBBCSvc, Symantec Core LC, NPFMntor, MskService, FireSvc

Every 20 minutes it pops up IE at: www.51.vc

It creates a thread that closes windows with the following titles:
VirusScan, NOD32, 系统配置实用程序, Symantec AntiVirus, Windows 任务管理器, esteem procs, System Safety Monitor, System Repair Engineer, Wrapped gift Killer, Winsock Expert, 游戏木马检测大师, 超级巡警, pjf(ustc), msctls_statusbar32, IceSword, 天网防火墙, 进程, 网镖, 杀毒, 毒霸, 瑞星, 木马清道夫, 注册表编辑器, Duba, 卡巴斯基反病毒, 绿鹰PC, 木马辅助查找器, 噬菌体, 密码防盗, 超级兔子, 黄山IE, 木馬清道夫

It closes the following programs:
Mcshieid.exe, VsTskMgr.exe, naPrdMgr.exe, UpdaterUI.exe, TBMon.exe, scan32.exe, Ravmond.exe, CCenter.exe, RavTask.exe, Rav.exe, Ravmon.exe, RavmonD.exe, RavStub.exe, KVXP.kxp, KvMonXP.kxp, KVCenter.kxp, KVSrvXP.exe, KRegEx.exe, UIHost.exe, TrojDie.kxp, FrogAgent.exe, Logo1_.exe, Logo_1.exe, Rundl132.exe

It probes shares with the following weak passwords and tries to copy itself over as GameSetup.exe:
password 1234 6969 harley 123456 golf pussy mustang 1111 shadow 1313 fish 5150 7777 qwerty baseball 2112 letmein 12345678 12345 ccc admin 5201314 qq520 1 12 123 1234567 123456789 654321 54321 111 000000 abc pw 11111111 88888888 pass passwd database abcd abc123 sybase 123qwe server computer 520 super 123asd 0 ihavenopass godblessyou enable xp 2002 2003 2600 alpha 110 111111 121212 123123 1234qwer 123abc 007 a aaa patrick pat administrator root sex god foobar secret test test123 temp temp win pc asdf qwer yxcv zxcv home xxx owner login Login pw123 love mypc mypc123 admin123 mypass mypass123 901100 Administrator Guest admin Root

It copies itself to:
/Documents and Settings/All Users/「开始」菜单/程序/启动/
/Documents and Settings/All Users/Start Menu/Programs/Startup/
/WINDOWS/Start Menu/Programs/Startup/
/WINNT/Profiles/All Users/Start Menu/Programs/Startup/

It connects to:
http://www.ac86.cn/88/down/up.txt (which includes 熊猫烧香)
http://update.whboy.net/ie.txt (no longer reachable)
and downloads the virus programs listed in those files.

Every 8 seconds, in an endless loop, it accesses the following sites:
tom.com, 163.com, souhu.com, google.com, yahoo.com

Every 6 seconds it drops the following files into the root directory of every drive:
autorun.inf, with the contents:
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell/Auto/command=setup.exe
setup.exe (its own installer exe)
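A check for the drive-root autorun.inf described in that reply, added here as an example and not code from the thread or from any analysis tool. It assumes the real file uses backslashes in the shell\Auto\command key (the post shows slashes, so both are accepted); the two sample files are constructed.

```python
import re

# Keys in the [AutoRun] section that make the Windows shell launch a program:
# OPEN and shellexecute directly, shell\<verb>\command via the context menu.
LAUNCH_KEYS = ("open", "shellexecute")
VERB_COMMAND_RE = re.compile(r"^shell[\\/][^\\/]+[\\/]command$")
EXECUTABLE_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

def parse_autorun(text):
    """Minimal INI parser: {section (lower-case): {key (lower-case): value}}.
    A repeated key keeps its last value; blank lines and comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def suspicious_launches(text):
    """Return (key, target) for every launch key whose target is an executable."""
    hits = []
    for key, value in parse_autorun(text).get("autorun", {}).items():
        if key in LAUNCH_KEYS or VERB_COMMAND_RE.match(key):
            parts = value.split()
            target = parts[0].strip('"') if parts else ""
            if target.lower().endswith(EXECUTABLE_EXT):
                hits.append((key, target))
    return hits

def looks_like_worm_dropper(text):
    """True when two or more launch keys all point at one bare executable in
    the drive root: the shape described in the post, where OPEN, shellexecute
    and shell\\Auto\\command are all set to setup.exe."""
    hits = suspicious_launches(text)
    targets = {t.lower() for _, t in hits}
    return len(hits) >= 2 and len(targets) == 1 and not re.search(r"[\\/]", hits[0][1])

# Constructed samples: the first mirrors the file from the post, the second is
# a harmless label/icon file such as a backup drive might carry.
SAMPLE_WORM = r"""[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\Auto\command=setup.exe
"""
SAMPLE_BENIGN = "[autorun]\nicon=backup.ico\nlabel=Backup Drive\n"
```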
Reply #19
Posted on: 2007-01-25 20:49
There is already an analysis. 51VC and Panda are basically similar; one just infects EXEs (only so-called infection... Old V would laugh if he saw this method) and the other just pops up IE.
http://www.cnbeta.com/modules.php?name=News&file=article&mode=flat&sid=21465