Kill-free source code for gh0s

Source: Internet
Author: User
Remote Control Software GHOST source code kill-free (reprinted for reference) I. Environment configuration and compilation environment must be configured properly: DDK + SDK + VC6, DDK used to compile sys files, SDK + VC6 is used to compile the project. II. Pattern positioning description the principle of anti-virus software trojan detection and removal is based on the features. The detected content is called a pattern, so we can

Remote Control Software GHOST source code kill-free (reprinted for reference)

I. Environment Configuration
Make sure to configure the compiling environment: DDK + SDK + VC6, DDK is used to compile the sys file, and SDK + VC6 is used to compile the project

Ii. Brief description of pattern Positioning
Anti-virus software detects and removes Trojans Based on features. The detected Trojans are called signatures. Therefore, we can use the signature locating tool MyCLL to locate the virus's signature location, the positioning tool blocks the scanned Trojan Horse and uses the segmented Filling Method to match the soft feature value to find the location where the soft virus is killed.
How can I find the corresponding position in the source code in reverse direction when locating a signature? See the following analysis,

Iii. Location of binary files and source code using map Files
The map file is a ing file corresponding to the binary and source code.
Assume that the virus pattern is located based on Step 3:

Virus name, pattern, location, memory address
Svchost. dll 11638aa_00000002 100044AA
Svchost. dll 4105f98_00000002

Step 1: Set the VC compiling environment to generate a Map file.
In VC, click the "Project-> Settings" option page (or press Alt + F7), select the C/C ++ tab, and enter: /Zd, click the Link tab, and select "Generate map"File"Check box, and enter:/mapinfo: lines in the bottom Project Options to add row information when the MAP file is generated. The settings are complete.

Step 2: Compile the VC project and set the activity project to compile. This is not required. After this step is completed, A. map File (such as svchost. map) is added to the release (or debug) directory ).

Step 3 open the map file (open it with UE or text editor) in the following format:

(Begin)
Timestamp is 488fcef2 (WEdJul 30 10:16:18 2008)

Preferred loadDdRess is 10000000
--------------------------------------------------------------------------- 1 ---- (add wrw for convenience instructions)
Start Length Name Class
0001:00000000 00010a50H. tExT CODE
0001: 00010a50 00000485 H. text $ x CODE
000:00000000 000004c8H.IdAta $5 DATA
......
0003:00000010 00000004 H. CRT $ XIZ DATA
0003:00000020 100001a50h. data DATA
0003: 20171a70 00000688 H. bss DATA
0004:00000000 000000a8H. rsrc $01 DATA
0004: 000000b0 00000cf0H. rsrc $02 DATA

-------------------------------------------------------------------------- 2 --- (add wrw for convenience instructions)
Address Publics by Value Rva + Base Lib: Object

0001:00000000 ?? 0CAudio @ QAE @ XZ 10001000 f Audio. obj
0001: 000000d0 ?? _ GCAudio @ UAEPAXI @ Z 100010d0 f I Audio. obj
0001: 000000d0 ?? _ ECAudio @ UAEPAXI @ Z 100010d0 f I Audio. obj
0001: 000000f0 ?? 1CAudio @ UAE @ XZ 100010f0 f Audio. obj
0001: 000001e0? GetRecordBuffer @ CAudio @ QAEPAEPAK @ Z 100011e0 f Audio. obj
000:00000240? PlayBuffer @ CAudio @ QAE_NPAEK @ Z 10001240 f Audio. obj
0001: 000002c0? InitializeWaveIn @ CAudio @ AAE_NXZ 100012c0 f Audio. obj
......
000:00003310? SendToken @ CFileManager @ AAEHE @ Z 10004310 f FileManager. obj
000:00003320? UploadToRemote @ CFileManager @ AAE_NPAE @ Z 10004320 f FileManager. obj
0001:00003440? FixedUploadList @ CFileManager @ AAE_NPBD @ Z 10004440 f FileManager. obj
0001: 00003670? StopTransfer @ CFileManager @ AAEXXZ 10004670 f FileManager. obj
0001: 00003730? CreateLocalRecvFile @ CFileManager @ AAEXPAE @ Z 10004730 f FileManager. obj

......
-------------------------------------------------------------------------- 3 --- (add wrw for convenience instructions)

Line numbers for./Release/FileManager. obj (E:/vtmp/gh0st3src/Server/svchost/common/FileManager.CpP) segment. text

17 0001: 00002630 20 0001: 2017267f 21 0001: 00002698 24 0001: 201726d0
25 0001: 201726f8 26 0001: 2017273c 29 0001: 201727d0 33 0001: 201727ee
77 0001: 201727f8 36 0001: 201727fb 37 0001: 00002803 77 0001: 2017280d
......
532 0001: 2017340f 534 0001:00003414 537 0001:00003428 540 0001:00003440
546 0001: 2017345d 547 0001: 00003487 548: 0001 00003490 549: 0001
551 0001: 2017349e 552 0001: 201734b8 553: 201734cb 0001 554: 201734d4
558 0001: 201734de 560 0001: 201734e9 563: 201734ee 0001 00020173506
......

(End)

Let's take a look at the first pattern memory address of svchost. dll: 100044AA. In block 2nd, we can find that RVA + BASE is very close

0001:00003440? FixedUploadList @ CFileManager @ AAE_NPBD @ Z 10004440 f FileManager. obj

In this way, we can locate the FixedUploadList function in FileManager. cpp. Is the range reduced?
Below we will narrow down the code line
Use this formula: Pattern line offset = Pattern Address (Crash Address)-base Address (ImageBase Address)-0x1000
It seems very difficult. In fact, it is very simple. We will remove 100044AA from the memory base address 10000000 and then reduce it by 1000, because many PES can get the code offset address from 1000 to 34AA. Find the corresponding line of code in block 3rd.
The offset address 34AA is in the middle of (551 0001: 0000349e 552 0001: 000034b8), that is, between 551 and 552 rows. We can find 551st rows in the source program:
Wsprintf (lpszFilter, "% s *. *", lpPathName, lpszSlash );
In this way, the source code is located, and you can modify the source code as needed.

4. Hands-on kill-free
A. Kaba kickoff
After the first compilation, Kaba-free killing will be performed first. The Kaspersky file and the dllwill, of course, Kaba will also kill the install.exe of the Community, and finally Kaba will kill the generated sever. Here I say that the server generated by kill is not a place that overlaps with the previous signature, but a configuration information.
Step 1: sys kill-free
After sys re-compiled, the input table functions were added, and the system was different. As a result, many features were different from those of the original ones, and they were successfully released through Kabbah, Jinshan, and red umbrella.
Step 2: svchost. dll kill-free
Locate MultiByteToWideChar and "gh0st upDate"Two locations. This is obtained through step 1 map file.
Kabbah is afraid to add a flag. You can add a few invalid statements before this function to call the MultiByteToWideChar function.
String call "gh0st update", which is used for update. If online update is not required, delete the code block where the statement is located, in fact, the search project can replace this string with other strings ^ _ ^. This method can also use Kingsoft to kill the software.
Step 3: server kill-free
Kabbah is positioned in the final configuration information. It is obviously not feasible to jump to the configuration information. It adopts the method of adding flowers. before writing AAAAAA configuration information, you can simply write something for server-free killing.
Kaba kill-free!

B. Avast no-kill
In the latest avastsearch, kill install.exe and svchost. dll (that is, kill the generated files and the resource files), and then do its source code kill-free.
Locate the feature string % 02d/% 02d/% 02d and "SYSTEM/CurrentCon"TrOlSet/Services/% s.
Solution:
1. The svchost. dll pattern is located in the SaveInfo (char * lpBuffer) function in the KeyboardManager. cpp file on the keyboard record. Feature string % 02d/% 02d/% 02d, that is, we can see the date of the keyboard record. There are many ways to modify it, change it to [% d/% d: % d], and compile it to kill the software through avast.
2. the install signature is located in "SYSTEM/CurrentControlSet/Services/% s", and the corresponding file is the InstallService function in install. cpp. Modify the case sensitivity and compile it to eliminate it.


5. Small Method for adding junk code
The Spam code should move the location of the pattern, and do not run to the stack. Such code is useless. You can add a for loop for counting, simple statistics, and local variables without changing the subsequent logic.
How to add an output table:
If an output table is killed, you can add an empty function to the generated svchost. dll. However, you need to modify the resource once every compilation. In fact, we add the following statement to the source code:
Extern "C" _ decLsPec (dllExport) Bool JustTempFun (); // Declaration
......
Extern "C" _ declspec (dllexport) bool JustTempFun () // implementation
{
Return false;
}
After compilation, the output table will be changed, and some will be able to eliminate code.

6. gh0st automatically generates 6to4ex. dll modifications
The 6to4ex is automatically generated when many websites' questions are asked. dll problems, some enthusiastic Station friends also put forward their own opinions, I feel that some people proposed the solution is not completely correct, it may cause misunderstanding of the people who just started, I will explain 1 according to my own understanding.

The gh0st server is started through svchost-netsvcs. Therefore, the program must use the netsvcs service, and the server is generated based on netsvcs. Therefore, it cannot be said that server generation is random. Compared with most systems, it is basically fixed. Let's look at the analysis below.

View install. the InstallService () method in cpp first traverses the service items in HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Svchost. After finding a service, the program replaces the service, delete the original service and generate the corresponding service item + ex. dll files replace the original service. The 6to4 service is generally ranked first. The 6to4 service is an automatic tunnel construction method, it only requires a unique IPv4 address in the world to connect the entire site to IPv6. This service is basically idle for general users, so our program will replace the 6to4 service and generate 6to4ex in the windows/system32/directory. dll, 6to4ex will be started later. If you skip this service, you will generate services such as Ias and Iprip in sequence. If the netsvcs item does not have a service that can be replaced, the program adds one service by itself. The name is Netsvcs_0x % d generated by the AddsvchostService () method.
 

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.