Super dove gray vip2005 detector detection principle of a simple analysis-vulnerability warning-the black bar safety net

2005-10-2900:00:00

佚名

www.myhack58.com

JSON

The Preface of the new gray pigeons always give people everywhere the feeling, own it worked in the friend of the host met several times,each time can only be manually determined and clear. Looking at this detector for a little test. The effect is very good, it creates a want to know how she works!^_^

First look at the system is not infected with the Dove gray of the implementation of the=>>>

OpenFileMappingA()function after the execution of the stack case:

0012F5E4 0 0 0 0 0 0 0 4 |Access = FILE_MAP_READ
0012F5E8 0 0 0 0 0 0 0 0 |InheritHandle = FALSE
0012F5EC 0045A210 \MappingName = “GPigeon5_Shared”

0045A1BB 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC] ;jump to here
0045A1C1 8B80 2 0 0 2 0 0 0 0 mov eax,dword ptr ds:[eax+2 2 0]
0045A1C7 BA C8A34500 mov edx,Super gray Pigeon. 0045A3C8
; No detection to the gray pigeons Vip 2 0 0 5 service end
0045A1CC 8B08 mov ecx,dword ptr ds:[eax]
; ecx=0x427c4c ASCII “4AA”
0045A1CE FF51 3 8 call dword ptr ds:[ecx+3 8] ; Retn eax=0
0045A1D1 833D ACDC4500 0>cmp dword ptr ds:[45DCAC],0
0045A1D8 7 4 0B je short Super gray Pigeon. 0045A1E5 ; Jump
0045A1DA A1 ACDC4500 mov eax,dword ptr ds:[45DCAC]
0045A1DF 5 0 push eax
0045A1E0 E8 F7BDFAFF call <jmp.& amp;kernel32. CloseHandle>
0045A1E5 33C0 xor eax,eax
0045A1E7 5A pop edx
0045A1E8 5 9 pop ecx
0045A1E9 5 9 pop ecx
0045A1EA 6 4:8 9 1 0 mov dword ptr fs:[eax],edx
0045A1ED 6 8 07A24500 push super strong gray Pigeon. 0045A207
0045A1F2 8D45 B8 lea eax,dword ptr ss:[ebp-4 8]
0045A1F5 BA 1 2 0 0 0 0 0 0 mov edx,1 2
0045A1FA E8 F99CFAFF call Super gray Pigeon. 00403EF8
0045A1FF C3 retn ;retn to 0x45a207

The rest is some return after treatment…

Here you can see,the detection system is the existence of “gray pigeons Vip 2 0 0 5 service end” is by OpenFileMappingA()to open an existing file mapping object,if exists returns successfully open the handle,otherwise exit to the lower detection removal program segment,C is simple and can be described as:

hMap = OpenFileMapping(FILE_MAP_READ,FALSE,“GPigeon5_Shared”);

if (hMap == NULL)
{
“There is no detection to the gray pigeons Vip 2 0 0 5 service the end!”
}

In this case, the program edited out message:“there is no detection to the gray pigeons Vip 2 0 0 5 service the end!”

Then into the gray pigeons infected system after the detection and removal of code analysis…

Similarly, the program as usual interrupt here=>>

00459E2B 6 8 10A24500 push super strong gray Pigeon. 0045A210
; ASCII “GPigeon5_Shared”
00459E30 6A 0 0 push 0
00459E32 6A 0 4 push 4
00459E34 E8 E3C3FAFF call <jmp.& amp;kernel32. OpenFileMappingA>
00459E39 A3 ACDC4500 mov dword ptr ds:[45DCAC],eax
; If detected: eax=0xcc 0xb4 0xd8 handle value, such as none: eax=0
00459E3E 833D ACDC4500 0 0 cmp dword ptr ds:[45DCAC],0
00459E45 0F84 7 0 0 3 0 0 0 0 je Super gray Pigeon. 0045A1BB ; not jump
00459E4B 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC] ; eax=01023f24
00459E51 8B80 2 0 0 2 0 0 0 0 mov eax,dword ptr ds:[eax+2 2 0] ; eax=0 1 0 2 4 2 0 8
00459E57 BA 28A24500 mov edx,Super gray Pigeon. 0045A228
; edx=0x45a228 => detects a gray Pigeon Vip 2 0 0 5 0 1 0 5 service end there
00459E5C 8B08 mov ecx,dword ptr ds:[eax]
; ecx=0x427c4c ; ASCII “4AA”
00459E5E FF51 3 8 call dword ptr ds:[ecx+3 8]
; Edit box displays the detected characters
00459E61 6A 0 0 push 0
00459E63 6A 0 0 push 0
00459E65 6A 0 0 push 0
00459E67 6A 0 4 push 4
00459E69 A1 ACDC4500 mov eax,dword ptr ds:[45DCAC]
; eax=0xcc \\0xb4 \\0xd8,handle value
00459E6E 5 0 push eax
; This handle value pushed onto the stack,for the next function
00459E6F E8 98C3FAFF call <jmp.& amp;kernel32. MapViewOfFile> ;map the file name
; Retn EAX=0 1 3 3 0 0 0 0=OF ASCII “a big string of numbers”
00459E74 8BF0 mov esi,eax

The stack value:

| eax=0 1 3 1 0 0 0 0, (ASCII "5F7E8111692AAA7694C721CB5300D7072A14D8CE7138EA0903AEAA23D8907C6072109D983725466507924E2237B9AF5BFBA7FC98060E8E620FE692E8DA4EE8D963D6241181D3988E9A13550DC7AF1E816F8FB154967BA939DDF9F6AC6F9B225CBDBDADFF3410875CA95DC8BA5C46BBC9A79DDA0F)
esi=0 0 4 2 9 0 2 8 (Super gray Pigeon. 0 0 4 2 9 0 2 8)

??? Don’t know what is the data ??? The test code?

00459E76 85F6 test esi,esi
00459E78 7 4 6 2 je short Super gray Pigeon. 00459EDC ; NoT jUMP
00459E7A 8D45 F4 lea eax,dword ptr ss:[ebp-C]
; EAX=0X12F640
00459E7D 8BD6 mov edx,esi
; The string string incoming EDX.
00459E7F E8 48A2FAFF call Super gray Pigeon. 004040CC ; ECX=0 0,EDX=0 0
00459E84 B2 0 1 mov dl,1 ; edx=0x1
00459E86 A1 7 0 9 5 4 5 0 0 mov eax,dword ptr ds:[4 5 9 5 7 0]
00459E8B E8 48F7FFFF call Super gray Pigeon. 004595D8
00459E90 8BF0 mov esi,eax
00459E92 8B45 F4 mov eax,dword ptr ss:[ebp-C] ;
Will that string re-incoming
00459E95 E8 FAA4FAFF call Super gray Pigeon. 0 0 4 0 4 3 9 4
00459E9A 8BD0 mov edx,eax
00459E9C 8D45 EC lea eax,dword ptr ss:[ebp-1 4]
00459E9F E8 28A2FAFF call Super gray Pigeon. 004040CC
00459EA4 8B45 EC mov eax,dword ptr ss:[ebp-1 4]
; EAX=0 1 0 2 4 3 9 8,ASCII"feature string"
00459EA7 8D4D F0 lea ecx,dword ptr ss:[ebp-1 0]
00459EAA BA 5CA24500 mov edx,Super gray Pigeon. 0045A25C
; edx=0x45a25c ASCII “2 0 0 5 0 1 0 1”
00459EAF E8 A0F5FFFF call Super gray Pigeon. 0 0 4 5 9 4 5 4
00459EB4 8B55 F0 mov edx,dword ptr ss:[ebp-1 0]
00459EB7 8BC6 mov eax,esi
00459EB9 E8 FEF7FFFF call Super gray Pigeon. 004596BC
00459EBE 8D4D F8 lea ecx,dword ptr ss:[ebp-8]
00459EC1 33D2 xor edx,edx
00459EC3 8BC6 mov eax,esi
00459EC5 E8 9AF8FFFF call Super gray Pigeon. 0 0 4 5 9 7 6 4
00459ECA 8BC6 mov eax,esi
00459ECC E8 0792FAFF call Super gray Pigeon. 004030D8
00459ED1 A1 ACDC4500 mov eax,dword ptr ds:[45DCAC]
00459ED6 5 0 push eax
; EAX=0XCC,handle
00459ED7 E8 00C1FAFF call <jmp.& amp;kernel32. CloseHandle>
; The closing operation of the handle
00459EDC 8D45 E8 lea eax,dword ptr ss:[ebp-1 8]
00459EDF 8B4D F8 mov ecx,dword ptr ss:[ebp-8]
; ECX=010252F0=ASCII “8 3 0 3 4” ,The VIP username
00459EE2 BA 70A24500 mov edx,Super gray Pigeon. 0045A270
00459EE7 E8 F4A2FAFF call Super gray Pigeon. 004041E0
00459EEC 8B55 E8 mov edx,dword ptr ss:[ebp-1 8]
; Incoming edit box=on Vip username: 8 3 0 3 4
00459EEF 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
00459EF5 8B80 2 0 0 2 0 0 0 0 mov eax,dword ptr ds:[eax+2 2 0]
00459EFB 8B08 mov ecx,dword ptr ds:[eax]
00459EFD FF51 3 8 call dword ptr ds:[ecx+3 8]
00459F00 E8 37FCFFFF call Super gray Pigeon. 00459B3C
; This function detects whether there is a hidden module,returns eax=0x1 indicating the detection to the hidden module
00459F05 84C0 test al,al
00459F07 0F84 9 6 0 2 0 0 0 0 je Super gray Pigeon. 0045A1A3 ; not jump
00459F0D E8 E6FAFFFF call Super gray Pigeon. 004599F8
; Open the Token Ring, set the system debug permissions
00459F12 E8 61FCFFFF call Super gray Pigeon. 00459B78
; Detect hidden modules,mapping a specific file name
00459F17 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
00459F1D 8B80 2 0 0 2 0 0 0 0 mov eax,dword ptr ds:[eax+2 2 0]
00459F23 BA 84A24500 mov edx,Super gray Pigeon. 0045A284
00459F28 8B08 mov ecx,dword ptr ds:[eax]
00459F2A FF51 3 8 call dword ptr ds:[ecx+3 8]
; The function to handle some messages
00459F2D A1 C8DC4500 mov eax,dword ptr ds:[45DCC8]
00459F32 33D2 xor edx,edx
00459F34 5 2 push edx
00459F35 5 0 push eax
00459F36 8D45 E0 lea eax,dword ptr ss:[ebp-2 0]
00459F39 E8 EAE1FAFF call Super gray Pigeon. 0 0 4 0 8 1 2 8
; Get the hidden process ID ?
00459F3E 8B4D E0 mov ecx,dword ptr ss:[ebp-2 0]
; ecx=00ee546c ascii “9 1 6”\\1 8 0 4
00459F41 8D45 E4 lea eax,dword ptr ss:[ebp-1C]
00459F44 BA B4A24500 mov edx,Super gray Pigeon. 0045A2B4
00459F49 E8 92A2FAFF call Super gray Pigeon. 004041E0
00459F4E 8B55 E4 mov edx,dword ptr ss:[ebp-1C]
00459F51 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
00459F57 8B80 2 0 0 2 0 0 0 0 mov eax,dword ptr ds:[eax+2 2 0]
00459F5D 8B08 mov ecx,dword ptr ds:[eax]
00459F5F FF51 3 8 call dword ptr ds:[ecx+3 8]
; Hide the process ID: 1 8 0 4
00459F62 8D45 DC lea eax,dword ptr ss:[ebp-2 4]
00459F65 8B0D B8DC4500 mov ecx,dword ptr ds:[45DCB8]
00459F6B BA CCA24500 mov edx,Super gray Pigeon. 0045A2CC
00459F70 E8 6BA2FAFF call Super gray Pigeon. 004041E0
00459F75 8B55 DC mov edx,dword ptr ss:[ebp-2 4]
00459F78 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
00459F7E 8B80 2 0 0 2 0 0 0 0 mov eax,dword ptr ds:[eax+2 2 0]
00459F84 8B08 mov ecx,dword ptr ds:[eax]
00459F86 FF51 3 8 call dword ptr ds:[ecx+3 8]
; Setup file name: LWVVKL_
00459F89 8D45 D8 lea eax,dword ptr ss:[ebp-2 8]
00459F8C 8B0D BCDC4500 mov ecx,dword ptr ds:[45DCBC]
00459F92 BA E4A24500 mov edx,Super gray Pigeon. 0045A2E4
00459F97 E8 44A2FAFF call Super gray Pigeon. 004041E0
00459F9C 8B55 D8 mov edx,dword ptr ss:[ebp-2 8]
00459F9F 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
00459FA5 8B80 2 0 0 2 0 0 0 0 mov eax,dword ptr ds:[eax+2 2 0]
00459FAB 8B08 mov ecx,dword ptr ds:[eax]
00459FAD FF51 3 8 call dword ptr ds:[ecx+3 8]
; The main DLL file name: 3WVVK+3
00459FB0 8D45 D4 lea eax,dword ptr ss:[ebp-2C]
00459FB3 E8 94FDFFFF call Super gray Pigeon. 00459D4C
; GetWindowsDirectoryA()
00459FB8 FF75 D4 push dword ptr ss:[ebp-2C]
; SS:[0012F620]=00EE54E4 ASCII "D:\WINDOWS"
00459FBB 8D45 D0 lea eax,dword ptr ss:[ebp-3 0]
00459FBE 5 0 push eax
00459FBF A1 B8DC4500 mov eax,dword ptr ds:[45DCB8]
00459FC4 E8 CBA1FAFF call Super gray Pigeon. 0 0 4 0 4 1 9 4
00459FC9 8BC8 mov ecx,eax
00459FCB 83E9 0 4 sub ecx,4
00459FCE BA 0 1 0 0 0 0 0 0 mov edx,1
00459FD3 A1 B8DC4500 mov eax,dword ptr ds:[45DCB8]

; LWVVKL_
00459FD8 E8 17A4FAFF call Super gray Pigeon. 004043F4
00459FDD FF75 D0 push dword ptr ss:[ebp-3 0]
; ASCII “LWVV”
00459FE0 6 8 FCA24500 push super strong gray Pigeon. 0045A2FC
; ASCII “_Hook.DLL”
00459FE5 8D45 FC lea eax,dword ptr ss:[ebp-4]
00459FE8 BA 0 3 0 0 0 0 0 0 mov edx,3
; 3 a string The number of connections
00459FED E8 62A2FAFF call Super gray Pigeon. 0 0 4 0 4 2 5 4
; The three strings are connected ASCII “D:\WINDOWS\LWVV_Hook.DLL”
00459FF2 8B45 FC mov eax,dword ptr ss:[ebp-4]
; EAX=00459FF2 SS:[0012F648]=00EE5510,ASCII “D:\WINDOWS\LWVV_Hook.DLL”
00459FF5 E8 9AA1FAFF call Super gray Pigeon. 0 0 4 0 4 1 9 4
; EAX=0X18=2 4 => ASCII “D:\WINDOWS\LWVV_Hook.DLL” the character length of the number
00459FFA 8BD0 mov edx,eax
00459FFC 85D2 test edx,edx
00459FFE 7E 1 8 jle short Super gray Pigeon. 0045A018
0045A000 BE 0 1 0 0 0 0 0 0 mov esi,1
0045A005 B8 CCDC4500 mov eax,ultra-strong gray Pigeon. 0045DCCC
; ASCII “D:\WINDOWS\LWVV_Hook.DLL”
0045A00A 8B4D FC mov ecx,dword ptr ss:[ebp-4]
0045A00D 8A4C31 FF mov cl,byte ptr ds:[ecx+esi-1]
0045A011 8 8 0 8 mov byte ptr ds:[eax],cl
0045A013 4 6 inc esi
0045A014 4 0 inc eax
0045A015 4A dec edx
0045A016 ^ 7 5 F2 jnz short Super gray Pigeon. 0045A00A
0045A018 E8 47C1FAFF call <jmp.& amp;kernel32. GetVersion>
0045A01D A9 0 0 0 0 0 0 8 0 test eax,8 0 0 0 0 0 0 0
0045A022 7 4 1 3 je short Super gray Pigeon. 0045A037 ; JUMP
0045A024 6 8 581B0000 push 1B58
0045A029 6 8 CCDC4500 push super strong gray Pigeon. 0045DCCC
; ASCII “D:\WINDOWS\LWVV_Hook.DLL”
0045A02E 6A FD push -3
0045A030 E8 97E6FFFF call Super gray Pigeon. 004586CC
0045A035 EB 2B jmp short Super gray Pigeon. 0045A062
0045A037 8B45 FC mov eax,dword ptr ss:[ebp-4]
0045A03A E8 55A1FAFF call Super gray Pigeon. 0 0 4 0 4 1 9 4
0045A03F 8BC8 mov ecx,eax
0045A041 03C9 add ecx,ecx
0045A043 4 1 inc ecx
0045A044 BA D4DD4500 mov edx,Super gray Pigeon. 0045DDD4
; UNICODE “D:\WINDOWS\LWVV_Hook.DLL”
0045A049 8B45 FC mov eax,dword ptr ss:[ebp-4]
0045A04C E8 1FACFAFF call Super gray Pigeon. 00404C70
; MultiByteToWideChar()
0045A051 6 8 581B0000 push 1B58
0045A056 6 8 D4DD4500 push super strong gray Pigeon. 0045DDD4
; UNICODE “D:\WINDOWS\LWVV_Hook.DLL”
0045A05B 6A FD push -3
0045A05D E8 96E6FFFF call Super gray Pigeon. 004586F8
0045A062 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
0045A068 8B80 2 0 0 2 0 0 0 0 mov eax,dword ptr ds:[eax+2 2 0]
0045A06E BA 10A34500 mov edx,Super gray Pigeon. 0045A310
0045A073 8B08 mov ecx,dword ptr ds:[eax]
0045A075 FF51 3 8 call dword ptr ds:[ecx+3 8]
0045A078 6A 0 0 push 0
0045A07A 6 8 30A34500 push super strong gray Pigeon. 0045A330
; ASCII “TGVIP_MainForm”
0045A07F E8 78C5FAFF call <jmp.& amp;user32. FindWindowA>
;Find the hidden process window
0045A084 8BF0 mov esi,eax
0045A086 85F6 test esi,esi
0045A088 7 4 6 1 je short Super gray Pigeon. 0045A0EB
0045A08A 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
0045A090 8B80 2 0 0 2 0 0 0 0 mov eax,dword ptr ds:[eax+2 2 0]
0045A096 BA 48A34500 mov edx,Super gray Pigeon. 0045A348
0045A09B 8B08 mov ecx,dword ptr ds:[eax]
0045A09D FF51 3 8 call dword ptr ds:[ecx+3 8]
0045A0A0 6A 6 4 push 6 4
0045A0A2 E8 8128FBFF call <jmp.& amp;kernel32. Sleep>
0045A0A7 6A 0 0 push 0
0045A0A9 6A 0 0 push 0
0045A0AB 6 8 0 0 3 4 0 0 0 0 push 3 4 0 0
0045A0B0 5 6 push esi
0045A0B1 E8 86C7FAFF call <jmp.& amp;user32. PostMessageA>
0045A0B6 6A 6 4 push 6 4
0045A0B8 E8 6B28FBFF call <jmp.& amp;kernel32. Sleep>
0045A0BD 6A 0 0 push 0
0045A0BF 6A 0 0 push 0
0045A0C1 6 8 0 0 3 4 0 0 0 0 push 3 4 0 0
0045A0C6 5 6 push esi
0045A0C7 E8 70C7FAFF call <jmp.& amp;user32. PostMessageA>
0045A0CC 6A 6 4 push 6 4
0045A0CE E8 5528FBFF call <jmp.& amp;kernel32. Sleep>
0045A0D3 6A 0 0 push 0
0045A0D5 6A 0 0 push 0
0045A0D7 6 8 0 0 3 4 0 0 0 0 push 3 4 0 0
0045A0DC 5 6 push esi
0045A0DD E8 5AC7FAFF call <jmp.& amp;user32. PostMessageA>
0045A0E2 6A 6 4 push 6 4
0045A0E4 E8 3F28FBFF call <jmp.& amp;kernel32. Sleep>
0045A0E9 EB 1 6 jmp short Super gray Pigeon. 0045A101
0045A0EB 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
0045A0F1 8B80 2 0 0 2 0 0 0 0 mov eax,dword ptr ds:[eax+2 2 0]
0045A0F7 BA 7CA34500 mov edx,Super gray Pigeon. 0045A37C
0045A0FC 8B08 mov ecx,dword ptr ds:[eax]
0045A0FE FF51 3 8 call dword ptr ds:[ecx+3 8]
0045A101 8D45 CC lea eax,dword ptr ss:[ebp-3 4]
0045A104 E8 43FCFFFF call Super gray Pigeon. 00459D4C
0045A109 8D45 CC lea eax,dword ptr ss:[ebp-3 4]
0045A10C 8B15 B8DC4500 mov edx,dword ptr ds:[45DCB8]
0045A112 E8 85A0FAFF call Super gray Pigeon. 0040419C
0045A117 8B45 CC mov eax,dword ptr ss:[ebp-3 4]
0045A11A 33D2 xor edx,edx
0045A11C E8 9BE3FAFF call Super gray Pigeon. 004084BC
0045A121 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
0045A124 E8 23FCFFFF call Super gray Pigeon. 00459D4C
; To cancel the processing of file attributes
0045A129 8D45 C4 lea eax,dword ptr ss:[ebp-3C]
0045A12C 8B15 B8DC4500 mov edx,dword ptr ds:[45DCB8]
0045A132 E8 65A0FAFF call Super gray Pigeon. 0040419C
0045A137 8B45 C4 mov eax,dword ptr ss:[ebp-3C]
0045A13A E8 55A2FAFF call Super gray Pigeon. 0 0 4 0 4 3 9 4
0045A13F 8BD0 mov edx,eax
0045A141 8D45 C8 lea eax,dword ptr ss:[ebp-3 8]
0045A144 E8 839FFAFF call Super gray Pigeon. 004040CC
0045A149 8B45 C8 mov eax,dword ptr ss:[ebp-3 8]
0045A14C E8 93E3FAFF call Super gray Pigeon. 004084E4
; Deletevirusfile
0045A151 8D45 C0 lea eax,dword ptr ss:[ebp-4 0]
0045A154 E8 F3FBFFFF call Super gray Pigeon. 00459D4C
; Get WINDOWS directory
0045A159 8D45 C0 lea eax,dword ptr ss:[ebp-4 0]
0045A15C 8B15 BCDC4500 mov edx,dword ptr ds:[45DCBC]
0045A162 E8 35A0FAFF call Super gray Pigeon. 0040419C
0045A167 8B45 C0 mov eax,dword ptr ss:[ebp-4 0]
0045A16A 33D2 xor edx,edx
0045A16C E8 4BE3FAFF call Super gray Pigeon. 004084BC
; To cancel the file properties
0045A171 8D45 B8 lea eax,dword ptr ss:[ebp-4 8]
0045A174 E8 D3FBFFFF call Super gray Pigeon. 00459D4C
0045A179 8D45 B8 lea eax,dword ptr ss:[ebp-4 8]
0045A17C 8B15 BCDC4500 mov edx,dword ptr ds:[45DCBC]
0045A182 E8 15A0FAFF call Super gray Pigeon. 0040419C
0045A187 8B45 B8 mov eax,dword ptr ss:[ebp-4 8]
0045A18A E8 05A2FAFF call Super gray Pigeon. 0 0 4 0 4 3 9 4
0045A18F 8BD0 mov edx,eax
0045A191 8D45 BC lea eax,dword ptr ss:[ebp-4 4]
0045A194 E8 339FFAFF call Super gray Pigeon. 004040CC
0045A199 8B45 BC mov eax,dword ptr ss:[ebp-4 4]
0045A19C E8 43E3FAFF call Super gray Pigeon. 004084E4
; Deletevirusbody
0045A1A1 EB 4 2 jmp short Super gray Pigeon. 0045A1E5
0045A1A3 8B83 FC020000 mov eax,dword ptr ds:[ebx+2FC]
0045A1A9 8B80 2 0 0 2 0 0 0 0 mov eax,dword ptr ds:[eax+2 2 0]
0045A1AF BA A4A34500 mov edx,Super gray Pigeon. 0045A3A4
0045A1B4 8B08 mov ecx,dword ptr ds:[eax]
0045A1B6 FF51 3 8 call dword ptr ds:[ecx+3 8]
0045A1B9 EB 2A jmp short Super gray Pigeon. 0045A1E5

The process is completed.。。。。

0045A1E5 33C0 xor eax,eax
0045A1E7 5A pop edx
0045A1E8 5 9 pop ecx
0045A1E9 5 9 pop ecx
0045A1EA 6 4:8 9 1 0 mov dword ptr fs:[eax],edx
0045A1ED 6 8 07A24500 push super strong gray Pigeon. 0045A207
0045A1F2 8D45 B8 lea eax,dword ptr ss:[ebp-4 8]
0045A1F5 BA 1 2 0 0 0 0 0 0 mov edx,1 2
0045A1FA E8 F99CFAFF call Super gray Pigeon. 00403EF8
0045A1FF C3 retn

Summary:
The detector by OpenFileMappingA()function detects the specified mapping object whether the presence of the judge,such as the presence,obtain a VIP user name,continue to detect hidden process module,get its process ID,the image a specific file name(and then make the appropriate file full path of the combination),elevation(open a Token Ring,setting the system debug privilege),PostMessageA()to send a message to close hidden process in the main window,processing the service process,cancel thevirusfile of all the attributes(system,hidden,read-only),and finally deletevirusbody!!!

Detector code using Borland Delphi to write,to see these Anti-compiled code will always run into layers call this phenomenon,in which the main CALL of the comment,in fact its portion of the call there are a lot more detailed code calls,limited space,not enumerated.

In addition, due to the person ability is limited,errors and omissions can hardly be avoided! Perhaps the detector principle is not so simple,please also detector program the writing of the author or other expert to make pointing. Thanks a million! Author: East Poison Jun

JSON