Discussion on Anti-Virus methods of the latest QQ doctor version 1.4

Source: Internet
Author: User

Haha, this article comes out fast.

As soon as the QQ2007 official version was released I started using it. QQ Doctor's functionality was improved as well: it now runs monitoring in the background. When I went online today, QQ Doctor suddenly popped up and reported a Trojan.
Sweat! The QQ Doctor in the QQ2007 official version really is powerful. Since I was bored, having to spend the 11th (National Day holiday) at school, I studied the anti-virus mechanism of this little thing. I have Black Hole 2005 on my disk, a remote control software I used to help friends check their computers, mainly because its screen transmission works well; it is now listed as a Trojan. Run it locally and see whether QQ Doctor kills it: after installing it locally and running it, sure enough, it was killed, haha. No need to go looking for a virus sample to test with.

How did QQ Doctor detect it? Active defense? But it did not react at all when I installed it. I removed the UPX shell from the Black Hole server with ShellEx and zero-filled all the strings in it related to registry startup and service startup, like this:

The red part is where the registry writes originally were; the other parts that could be found were filled as well. After regenerating it, running it was still detected, so this little thing cannot be doing active defense. I suspect it is memory scanning.
A program running in memory is equivalent to being unpacked. PEiD shows it is packed with UPX, which is very easy to unpack with a tool. Loading the packed file in OD, it is not detected; Rising's memory scan would detect the unpacked file loaded in OD. I am still a bit confused. Since it is detected once unpacked, a signature locating tool should be used to locate the signature. If a signature is located successfully, that shows QQ Doctor really is doing memory scanning.
TK.Loader (a memory-assisted locating tool) and MYCLL. Note when configuring it that it is best to divide the file into a larger number of pieces; I set it to 50, which is easier to inspect, because a large part of this has to be done by hand, otherwise the data cannot be loaded into memory. There are many tutorials on using these tools online, and they are handy tools for this kind of signature locating. Briefly: MYCLL divides the file into N parts and fills each part in turn with 00, generating N files, which is really an elimination method; TK.LOADER is responsible for loading the files with the given suffix into memory so that they can be detected there. The MYCLL interface is as follows:

MYCLL generates 50 files in the OUTPUT directory under its own directory.
Then load them into memory with TK.LOADER, as shown in the figure.

Scan with QQ Doctor; 5 are flagged.

Then delete all the flagged items from the OUTPUT folder, do a second round of splitting on the rest, continue locating, and repeat the above until a single signature is pinned down.
The result finally found is:
Physical address / physical length of the signature:
[Signature] 00061BAE_00000002

Pattern distribution:
[--------------------------------------------------]
[--------------------------------------------------]
[--------------------------------------------------]
[------------------- M ------------------------------]
[--------------------------------------------------]
Then use OC to convert the file offset to a memory address, as shown in the figure below.
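The offset-to-address conversion done with OC above, as an added example that is not part of the original post: a small Python PE header parser that maps a raw file offset to its virtual address through the section table. The PE headers it parses are constructed here for illustration, with the usual .text layout (VA 0x1000, raw pointer 0x400) under which the post's file offset 00061BAE lands at 004627AE.

```python
import struct

def parse_pe(data: bytes):
    """Return (image_base, [(name, va, vsize, rawptr, rawsize), ...]) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt = pe_off + 24                                      # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                     # PE32: ImageBase is a DWORD at +28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                   # PE32+: ImageBase is a QWORD at +24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):                                  # 40-byte section headers after the optional header
        s = opt + opt_size + 40 * i
        name = data[s:s + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((name, va, vsize, rawptr, rawsize))
    return image_base, sections

def file_offset_to_va(data: bytes, offset: int):
    """Raw file offset -> virtual address; None if the offset is in no section's
    raw data (PE headers, alignment padding, appended overlay)."""
    image_base, sections = parse_pe(data)
    for _name, va, _vsize, rawptr, rawsize in sections:
        if rawptr <= offset < rawptr + rawsize:
            return image_base + va + (offset - rawptr)
    return None

def build_sample_pe() -> bytes:
    """Constructed PE32 headers (not a real program): image base 0x400000 and
    .text at VA 0x1000 / raw 0x400, so file offset 0x61BAE maps to 0x4627AE."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    def sec(name, va, size, rawptr):                       # one IMAGE_SECTION_HEADER
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, va, size, rawptr, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
            + sec(b".text", 0x1000, 0x70000, 0x400) + sec(b".data", 0x71000, 0x10000, 0x70400))
```

Run `file_offset_to_va(open(path, "rb").read(), 0x61BAE)` against a real PE32 file to get the address to jump to in a debugger; an offset inside the headers or an overlay returns None because no section maps it.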

Load the file in OD, jump to 004627AE, replace it with NOP, save, load it again, and QQ Doctor can no longer find it. So the conclusion is that QQ Doctor uses memory scanning with signatures; that is also how it does anti-virus.

Finally, I analyzed why QQ Doctor could not detect the packed file when OD loaded it: unlike Rising, which has an unpacking engine, QQ Doctor does not, so it could only detect the unpacked file when OD loaded that.
