Preface:
As is well known, more and more virus writers now produce a series of virus programs, either to show off their individual ability or to steal some hidden secret. However, since most domestic users now understand network security better, they install a firewall or anti-virus software on their own systems to protect them. Such security software has therefore become a “stumbling block” for the virus, and removing these “stumbling blocks” has become another goal the virus writers pursue: “let the virus program roam the system as if it were no man’s land”!
Common virus self-protection techniques:
Packing, compression or encryption (mainly using the packers that circulate on the network);
Modifying the virus program’s signature bytes (to evade the antivirus’s signature scan);
Having the virus program, when its functional module starts, first detect whether security software is present on the system and, if so, terminate it;
Using kernel-mode or service-level programming, so that most antivirus products can find the virus but cannot clean it; such viruses are more technical, and since Rootkit source code was disclosed this approach has also spread rapidly…
… … …
Here we discuss how to counter virus self-protection technique 3 by “building a kill-proof version of the security software”:
1. Avoiding being killed via a “process scan”:
To avoid being hunted this way you only need to rename the main program file; that alone defeats a virus that relies on a “process scan” to kill you.
2. Avoiding being hunted via FindWindow() / FindWindowExA():
hwnd = FindWindow("TApplication", vbNullString)   ' find by the characteristic window class name
hwnd = FindWindow(vbNullString, "Pfw")            ' find by the characteristic window title
The main way to stop such a function from scanning the window title or class name in order to terminate the security software: use OllyDbg or SoftICE to load the firewall program PFW.EXE that is to be hardened, and set a breakpoint on USER32.CreateWindowExA().
Part of the code:
004EA2B8 /$ 55            push ebp
004EA2B9 |. 8BEC          mov ebp,esp
004EA2BB |. 53            push ebx
004EA2BC |. 8B5D 08       mov ebx,dword ptr ss:[ebp+8]
004EA2BF |. 53            push ebx                         ; /lParam
004EA2C0 |. 8B5D 0C       mov ebx,dword ptr ss:[ebp+C]     ; |
004EA2C3 |. 53            push ebx                         ; |hInst
004EA2C4 |. 8B5D 10       mov ebx,dword ptr ss:[ebp+10]    ; |
004EA2C7 |. 53            push ebx                         ; |hMenu
004EA2C8 |. 8B5D 14       mov ebx,dword ptr ss:[ebp+14]    ; |
004EA2CB |. 53            push ebx                         ; |hParent
004EA2CC |. 8B5D 18       mov ebx,dword ptr ss:[ebp+18]    ; |
004EA2CF |. 53            push ebx                         ; |Height
004EA2D0 |. 8B5D 1C       mov ebx,dword ptr ss:[ebp+1C]    ; |
004EA2D3 |. 53            push ebx                         ; |Width
004EA2D4 |. 8B5D 20       mov ebx,dword ptr ss:[ebp+20]    ; |
004EA2D7 |. 53            push ebx                         ; |Y
004EA2D8 |. 8B5D 24       mov ebx,dword ptr ss:[ebp+24]    ; |
004EA2DB |. 53            push ebx                         ; |X
004EA2DC |. 51            push ecx                         ; |Style
004EA2DD |. 52            push edx                         ; |WindowName ; window title
004EA2DE |. 50            push eax                         ; |Class ; the program's window class name
004EA2DF |. 6A 00         push 0                           ; |ExtStyle = 0
004EA2E1 |. E8 7C010>     call                             ; \CreateWindowExA
004EA2E6 |. 5B            pop ebx
004EA2E7 |. 5D            pop ebp
004EA2E8 \. C2 2000       retn 20
Stack data:
0012FD6C 00000000 |ExtStyle = 0
0012FD70 004ACEAC |Class = "TApplication" ; modify only here, changing the class name to: skyxnet
0012FD74 00F61B28 |WindowName = "Pfw" ; no point modifying here, the change has no effect… hehe…
0012FD78 84CA0000 |Style = WS_POPUP|WS_MINIMIZEBOX|WS_CLIPSIBLINGS|WS_SYSMENU|WS_CAPT>
0012FD7C 00000200 |X = 200 (512.)
0012FD80 00000180 |Y = 180 (384.)
0012FD84 00000000 |Width = 0
0012FD88 00000000 |Height = 0
0012FD8C 00000000 |hParent = NULL
0012FD90 00000000 |hMenu = NULL
0012FD94 00400000 |hInst = 00400000
0012FD98 00000000 \lParam = NULL
Modify operation:
Right-click the Class entry in the stack and choose “Follow in Dump” (the data window); then in the Hex dump window right-click and choose “Binary \ Edit” (shortcut Ctrl+E) to modify the class name string.
Next, use VC++ or another resource editor to open the String Table and modify the value of ID 10001, “Skynet Firewall Personal Edition” (change it to any other text; here it becomes “Kill-proof Edition…East Poison Jun”), then save.
Finally, use Spy++ to check the result: Window Caption: Kill-proof Edition…East Poison Jun; Class Name: skyXnet
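The binary edit of the class name string from step 2 and the “Modify operation” above, as an added Python example that is not from the original post: it applies the same in-place replacement to a byte image and enforces the one rule OllyDbg’s Ctrl+E edit silently relies on, that the new name must not be longer than the old one. The names patch_class_name, read_c_string, demo and SAMPLE_IMAGE are this example’s own, and the image is a constructed stand-in, not a real PFW.EXE.

```python
# Added example (not the original post's code). Assumes the class name is stored
# as a NUL-terminated ASCII string, which is how CreateWindowExA reads the Class
# argument shown in the stack dump. SAMPLE_IMAGE is constructed for this demo.

def read_c_string(image: bytes, offset: int) -> str:
    """Read the NUL-terminated string that starts at `offset`."""
    end = image.index(b"\0", offset)
    return image[offset:end].decode("ascii")


def patch_class_name(image: bytes, old: str, new: str):
    """Replace every whole NUL-terminated `old` with `new`, in place.

    An in-place edit cannot grow a string without overwriting whatever follows,
    so `new` may not be longer than `old`; shorter names are NUL-padded so the
    file size and every later offset stay exactly as they were.
    Returns (patched_image, number_of_strings_replaced).
    """
    old_b = old.encode("ascii") + b"\0"
    new_b = new.encode("ascii") + b"\0"
    if len(new_b) > len(old_b):
        raise ValueError(f"{new!r} is longer than {old!r}; cannot patch in place")
    new_b = new_b.ljust(len(old_b), b"\0")   # keep the NUL terminator and the length
    patched = bytearray(image)
    count = 0
    pos = patched.find(old_b)
    while pos != -1:
        patched[pos:pos + len(old_b)] = new_b
        count += 1
        pos = patched.find(old_b, pos + len(old_b))
    if count == 0:
        raise ValueError(f"{old!r} not found in image")
    return bytes(patched), count


# Constructed stand-in for the data section: class name, then the title "Pfw".
SAMPLE_IMAGE = b"MZ\x90\x00" + b"TApplication\x00" + b"Pfw\x00" + b"\xc3"


def demo() -> dict:
    """Patch the sample image and report what a Spy++-style check would now see."""
    class_off = SAMPLE_IMAGE.find(b"TApplication")
    patched, n = patch_class_name(SAMPLE_IMAGE, "TApplication", "skyxnet")
    return {
        "replaced": n,
        "size_unchanged": len(patched) == len(SAMPLE_IMAGE),
        "class_name": read_c_string(patched, class_off),     # "skyxnet"
        "title_intact": patched.find(b"Pfw\0") == SAMPLE_IMAGE.find(b"Pfw\0"),
    }
```

The window title is deliberately left alone here, matching the post: it is set from string table ID 10001 and has to be changed in the resource editor instead.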
Summary:
This example only deals with the mainstream Skynet Firewall Personal Edition; by the same reasoning we can go on to modify other antivirus software in this way… In fact this is not a new technique, but as long as you regularly move around the network, or use network communication tools such as QQ, MSN and the like, you will inevitably be infected by a virus. Since virus programs use diverse self-protection methods to reach their targets, we can also learn from them and, by reverse engineering, think through how to give our own security programs the same immunity.