I haven't been in the mood to write blog posts recently; it seems I have stopped. Alas, I'm getting lazy and don't know what's going on. I need to sort out my old notes, though I don't know whether the content is outdated.
Each anti-virus product has its own signatures. The signatures discussed below fall into four kinds: API functions (the import table), strings, code segments, and resource sections. The evasion methods described are: dynamic function calls, delayed DLL loading, section merging, string hiding, deleting the copyright (version) resource, junk instructions, anti-debugging, and a few other details; most of them have been used against anti-virus software at some point. Of course, you can also rewrite the program's code while keeping its original functionality.
1. Dynamic function call
This relies on two functions: GetProcAddress and LoadLibrary.
If the anti-virus signature is on an API function (that is, on an entry in the import table), resolving the function at run time instead of importing it removes that entry.
#include <windows.h>
typedef int (WINAPI *MessageBoxAT)(
    HWND hWnd,
    LPCSTR lpText,
    LPCSTR lpCaption,
    UINT uType
);
// resolved at run time, so MessageBoxA no longer appears in the import table
MessageBoxAT pMessageBoxA = (MessageBoxAT)GetProcAddress(LoadLibrary("user32.dll"), "MessageBoxA");
2. Hide strings
Building the string from a character array is the simplest approach; there are many other ways to hide strings.
char name[] = {'A', 'B', 'C', '\0'}; // "ABC" is assembled on the stack instead of sitting in the string table
Use name wherever the original string literal was.
3. Delayed DLL loading
Add the following to the source file, or put it in a header.
#pragma comment(linker, "/OPT:NOWIN98")
#pragma comment(lib, "DELAYIMP.LIB")
#pragma comment(linker, "/DELAYLOAD:WININET.dll")
#pragma comment(linker, "/DELAYLOAD:WS2_32.dll")
#pragma comment(linker, "/DELAYLOAD:PSAPI.DLL")
#pragma comment(linker, "/DELAYLOAD:GDI32.dll")
#pragma comment(linker, "/DELAYLOAD:ADVAPI32.dll")
#pragma comment(linker, "/DELAYLOAD:SHELL32.dll")
#pragma comment(linker, "/DELAYLOAD:WINMM.dll")
#pragma comment(linker, "/DELAYLOAD:USER32.dll")
#pragma comment(linker, "/DELAYLOAD:WTSAPI32.dll")
#pragma comment(linker, "/DELAYLOAD:AVICAP32.dll")
#pragma comment(linker, "/DELAYLOAD:SHLWAPI.dll")
#pragma comment(linker, "/DELAYLOAD:MSVFW32.dll")
#pragma comment(linker, "/DELAY:nobind")
#pragma comment(linker, "/DELAY:unload")
4. Merge sections
Merge the other sections into a single section. This used to work; you can try it, but it is better not to add it.
#pragma comment(linker, "/MERGE:.rdata=.data") // merge the .rdata section into .data
#pragma comment(linker, "/MERGE:.text=.data")  // merge the .text section into .data
#pragma comment(linker, "/MERGE:.reloc=.data") // merge the .reloc section into .data
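Both linker tricks above leave traces in the PE header that a scanner or triage script can look for: a populated delay-load import directory, and a merged image with a single section that is writable and executable at once. The following is an added defender-side example, not code from the original post; it builds a constructed PE32 header in memory (no real code inside) and flags those indicators, and the field offsets it uses are the standard ones from the PE specification.

```python
import struct

# Section flags from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DELAY_IMPORT_DIR = 13  # data directory index of the delay-load import table

def build_pe(sections, delay_load_rva=0):
    """Constructed PE32 header with no real code; only fields read by triage() are filled."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                 # PE32 magic, rest zeroed
    dirs = [(0, 0)] * 16
    dirs[DELAY_IMPORT_DIR] = (delay_load_rva, 0x20 if delay_load_rva else 0)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 + 0x200 * i, 0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return dos + coff + opt + hdrs

def triage(data):
    """Return the header-level indicators left by delay loading and section merging."""
    findings = []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dir_off = opt_off + (96 if magic == 0x10B else 112)         # PE32 vs PE32+
    delay_rva = struct.unpack_from("<I", data, dir_off + 8 * DELAY_IMPORT_DIR)[0]
    if delay_rva:
        findings.append("delay-load import directory present")
    if num_sections == 1:
        findings.append("single-section image (sections merged)")
    sec_off = opt_off + opt_size
    for i in range(num_sections):
        name = struct.unpack_from("<8s", data, sec_off + 40 * i)[0].rstrip(b"\0")
        flags = struct.unpack_from("<I", data, sec_off + 40 * i + 36)[0]
        if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name.decode()} is writable and executable")
    return findings

# Constructed samples: an ordinary layout, and one built with /MERGE and /DELAYLOAD
NORMAL = build_pe([(b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                   (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])
MERGED = build_pe([(b".data", IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
                    | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)], delay_load_rva=0x3000)
```

triage(NORMAL) returns an empty list, while triage(MERGED) reports all three indicators; on a real file, read the bytes from disk and pass them to triage().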
5. Delete copyright resources
You can delete or change the copyright (version information) resource.
6. Junk instructions
If the signature is in the code segment, you can insert NOPs to shift the position of the code. Generally, do not add too many; sometimes the NOPs themselves get flagged.
__asm nop;
__asm nop;
__asm nop;
7. Anti-debugging
HKEY ck;
// registry path assembled from characters; the letters spell "SOFTWARE\ODBC"
char strreg[] = {'s', 'O', 'F', 't', 'w', 'A', 'R', 'E', '\\', 'O', 'D', 'B', 'C', '\0'};
if (ERROR_SUCCESS != RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCTSTR)strreg, 0, KEY_ALL_ACCESS, &ck))
{
    return 0;
}
RegCloseKey(ck);
8. Code transposition
After locating the signature, check whether the code at that position can be moved elsewhere in the program.
Note:
When locating a signature for the 360BD engine, find the entry point, fill in (overwrite) the code above the entry point, and scan again. If the file is no longer flagged, the signature lies in that region.
Locating code with a map file:
When you look for code in OD (OllyDbg), sometimes there are no references in the surrounding code to go by. A map file helps: enable map-file generation in VC6.0, take the generated map file, load it in OD with the loadmap plugin, and run the program again.