1. Locating

Kaspersky:
pchide.sys:
[Signature] 00000986_00000001
pcmain.dll
[Signature] 0000BB02_00000001
pcinit.exe
[Signature] 00000825_00000001
[Signature] 00001369_00000001

Rising:
pchide.sys:
[Signature] 00000D56_00000001
pcmain.dll:
[Signature] 0000BB49_00000001
pcinit.exe
[Signature] 00000673_00000001
[Signature] 00000827_00000001
[Signature] 00000D5B_00000001

Kingsoft:
pchide.sys:
[Signature] 00000D3E_00000001
pcmain.dll:
Reverse:
[Signature] 0000BAB4_00000001
[Signature] 0000BABB_00000001
[Signature] 0000DE28_00000001
[Signature] 0000DE79_00000001
pcinit.exe:
[Signature] 00001238_00000001
[Signature] 00001265_00000001

Jiangmin:
pchide.sys:
[Signature] 00000DAF_00000001
pcmain.dll:
[Signature] 0000BB0A_00000001
pcinit.exe:
[Signature] 000008BC_00000001
[Signature] 00000EE4_00000001
[Signature] 000012BA_00000001

########################################################################################################################

2. Modifying the signature bytes:

//***********************************************************************************************************************
Kaspersky:
pchide.sys:
[Signature] 00000986_00000001
00010975: FF15 20030100   CALL [10320]
0001097B: 33C0            XOR EAX,EAX
0001097D: EB 11           JMP SHORT 00010990
0001097F: 50              PUSH EAX
00010980: 33C0            XOR EAX,EAX        //NOP this out
00010982: 33C0            XOR EAX,EAX
00010984: 0F84 03000000   JE 0001098D
0001098A: 55              PUSH EBP
0001098B: 8211 58         ADC BYTE PTR [ECX],58
//---------------------------------------------------------------------------------------------------------------------
pcmain.dll
[Signature] 0000BB02_00000001
1000BAF9: EB 4E           JMP SHORT 1000BB49
1000BAFB: 57              PUSH EDI
1000BAFC: 56              PUSH ESI
1000BAFD: 53              PUSH EBX
1000BAFE: E8 FDF8FFFF     CALL 1000B400      //2. Change 1000B400 to 1000B3F8
1000BB03: 83FE 01         CMP ESI,1

1000B3F8                                     //1. Move the code at 1000B400 here
1000B3FE: 90              NOP
1000B3FF: 90              NOP
1000B400: 8B4424 08       MOV EAX,[ESP+8]
1000B404: 81EC 24050000   SUB ESP,524
1000B40A: 83F8 01         CMP EAX,1
1000B40D: 56              PUSH ESI
1000B40E: 57              PUSH EDI
//---------------------------------------------------------------------------------------------------------------------
pcinit.exe
[Signature] 00000825_00000001 00401425
0040081D: FFD6            CALL NEAR ESI
0040081F: 6A 06           PUSH 1             //
00400821: 58              POP EAX
00400822: 5F              POP EDI
00400823: 5E              POP ESI
00400824: 5B              POP EBX
00400825: C9              LEAVE

[Signature] 00001369_00000001 00401F69
The call at this location: stepping into the call shows the code below. Move the top four instructions there to an empty area, then change the call's target address, and it is no longer detected!
00401429 /$ 55            push ebp
0040142A |