Create personalized free kill version firewall, anti-virus software-bug warning-the black bar safety net

2006-06-28T00:00:00
ID MYHACK58:62200610054
Type myhack58
Reporter 佚名
Modified 2006-06-28T00:00:00

Description

Preface:

As is well known, now more and more virus lovers in order to demonstrate individual ability or some of the hidden secrets and the production of a series of virus programs; however, since most of the domestic users on the network security have more understanding, will be in their own installed in the system using a firewall or anti-virus software to protect your system network security! Therefore, this type of security software existence became the virus of the“mix the foot stone.“ How to remove these“mix the foot stone”also became their pursuit of another realm:“let the virus program in the system, such as into the no man's territory”now!

Common virus protection technology:

Packers compressed or encrypted(mainly the use of network flow line of the packers procedures);

Modify the virus-program the feature code(to evade antivirus of signature scanning); and

In the virus programs inspire its functional module when the first detection system security software, such as present, the clear;

Using the kernel formula, service level programming, so that most antivirus can be found and cannot be cleaned, such the virus more technical, with the Rootkit source code is disclosed in this way also spread rapidly...

... ... ...

Here to discuss virus protection 3 protection methods“to create musicfree to killversion of the security software”

1, to avoid the“process scan”to kill; and

To avoid this way of the hunted only need to modify the main program file name you can avoid viruses the use of the“process scan”to kill; and

2, to avoid the FindWindow()\FindWindowExA()function of the hunt; the

hwnd = FindWindow("TApplication", vbNullString) ;to find the features of the window class name

hwnd = FindWindow(vbNullString, "Pfw") ;the Find feature in the window title

The main way to prevent such a function of the scan window name or class name in order to terminate security software running; using OllyDbg or SoftICE 载入 需要 打造 的 防火墙 程序 PFW.ExE ,set a breakpoint USER32. CreateWindowExA()

Part of the code:

004EA2B8 /$ 5 5 push ebp

004EA2B9 |. 8BEC mov ebp,esp

004EA2BB |. 5 3 push ebx

004EA2BC |. 8B5D 0 8 mov ebx,dword ptr ss:[ebp+8]

004EA2BF |. 5 3 push ebx ; /lParam

004EA2C0 |. 8B5D 0C mov ebx,dword ptr ss:[ebp+C] ; |

004EA2C3 |. 5 3 push ebx ; |hInst

004EA2C4 |. 8B5D 1 0 mov ebx,dword ptr ss:[ebp+1 0] ; |

004EA2C7 |. 5 3 push ebx ; |hMenu

004EA2C8 |. 8B5D 1 4 mov ebx,dword ptr ss:[ebp+1 4] ; |

004EA2CB |. 5 3 push ebx ; |hParent

004EA2CC |. 8B5D 1 8 mov ebx,dword ptr ss:[ebp+1 8] ; |

004EA2CF |. 5 3 push ebx ; |Height

004EA2D0 |. 8B5D 1C mov ebx,dword ptr ss:[ebp+1C] ; |

004EA2D3 |. 5 3 push ebx ; |Width

004EA2D4 |. 8B5D 2 0 mov ebx,dword ptr ss:[ebp+2 0] ; |

004EA2D7 |. 5 3 push ebx ; |Y

004EA2D8 |. 8B5D 2 4 mov ebx,dword ptr ss:[ebp+2 4] ; |

004EA2DB |. 5 3 push ebx ; |X

004EA2DC |. 5 1 push ecx ; |Style

004EA2DD |. 5 2 push edx ; |WindowName; window title

004EA2DE |. 5 0 push eax ; |Class; program the class name

004EA2DF |. 6A 0 0 push 0 ; |ExtStyle = 0

004EA2E1 |. E8 7C010>call ; \CreateWindowExA

004EA2E6 |. 5B pop ebx

004EA2E7 |. 5D pop ebp

004EA2E8 \. C2 2 0 0 0 retn 2 0

Stack data:

0012FD6C 0 0 0 0 0 0 0 0 |ExtStyle = 0

0012FD70 004ACEAC |Class = "TApplication" ; just modify here and there class named: skyxnet

0012FD74 00F61B28 |WindowName = "Pfw" ; here you can not modify, because the modification has no effect... hehe...

0012FD78 84CA0000

|Style = WS_POPUP|WS_MINIMIZEBOX|WS_CLIPSIBLINGS|WS_SYSMENU|WS_CAPT>

0012FD7C 0 0 0 0 0 2 0 0 |X = 2 0 0 (5 1 2.)

0012FD80 0 0 0 0 0 1 8 0 |Y = 1 8 0 (3 8 4.)

0012FD84 0 0 0 0 0 0 0 0 |Width = 0

0012FD88 0 0 0 0 0 0 0 0 |Height = 0

0012FD8C 0 0 0 0 0 0 0 0 |hParent = NULL

0012FD90 0 0 0 0 0 0 0 0 |hMenu = NULL

0012FD94 0 0 4 0 0 0 0 0 |hInst = 0 0 4 0 0 0 0 0

0012FD98 0 0 0 0 0 0 0 0 \lParam = NULL

Modify operation:

Right key function: the"data window",then in the Hex dump window, select the right function: "binary\\edit or shortcut Ctrl+E" to modify the class name string is!

Next, we use VC++or other resource editor and open a String Table to modify the ID is 1 0 0 0 1 Value: Skynet firewall Personal Edition (will modify for other characters, here to free. Kill. Version..East Poison Jun), save.

Finally, use Spy++ to view the Results: Window Caption: free. Kill. Version..East virus Jun Class Name: skyXnet

Summary:

This example just deal with the mainstream Personal Edition Skynet Firewall, the same reason we can continue to build modify other antivirus software... in fact this is not what a new technology, however, as long as it is regular on the network move around, or use the network communication tools such as QQ, MSN and the like, it will inevitably be infected with the virus, since the virus programs using diversity protection way to achieve its invasion of the object, we can also learn from reverse-engineering the thinking process of our Security Program, it has immune function.