Creating a personalized build of firewall and anti-virus software

Source: Internet
Author: User
Tags: version, firewall

Objective:

More and more virus writers are turning out series of virus programs, either to show off their skill or for less avowable motives. Most domestic users, however, now know enough about network security to install a firewall or antivirus product to protect their systems. That security software has therefore become the "stumbling block" for these viruses, and clearing it out of the way has become another goal the virus writers pursue: letting the virus roam the system as if nobody were home.

Common self-protection techniques used by viruses:

Packing with a compression or encryption shell (mostly the packers that circulate on the net);

Modifying the signature bytes in the virus program (to evade the antivirus product's signature scan);

When the virus's functional module fires, first detecting any security software in the system and, if it is present, removing it;

Programming at the kernel or service level so that most antivirus software cannot clean it up. Such viruses demand real skill, but since rootkit source code became public the technique has spread quickly ...

.........

The following discusses a defence against the third technique above: "creating a personalized, kill-resistant build of the security software".

1. Avoiding the "process scan" kill;

A kill based on scanning process names matches the security software by its original file name, so renaming the main program file is enough to defeat it. Note that this helps only against a name-based scan; a virus that identifies the process by other properties is not affected by the rename;

2. Avoiding detection through FindWindow() / FindWindowExA();

hWnd = FindWindow("TApplication", vbNullString)   ' find by the characteristic window class name

hWnd = FindWindow(vbNullString, "PFW")            ' find by the characteristic window title

The aim here is to stop such calls from locating the security software's window by class name or title and then terminating it. Load the firewall program PFW.exe that is to be customized into OllyDbg or SoftICE and set a breakpoint on User32.CreateWindowExA(). The breakpoint stops in the wrapper shown below, where eax carries the class name and edx the window title, i.e. exactly the two strings a virus's FindWindow() call would look for.

Part of the code:

004EA2B8 /$ 55          push ebp
004EA2B9 |. 8BEC        mov ebp,esp
004EA2BB |. 53          push ebx
004EA2BC |. 8B5D 08     mov ebx,dword ptr ss:[ebp+8]
004EA2BF |. 53          push ebx                        ; /lParam
004EA2C0 |. 8B5D 0C     mov ebx,dword ptr ss:[ebp+C]    ; |
004EA2C3 |. 53          push ebx                        ; |hInst
004EA2C4 |. 8B5D 10     mov ebx,dword ptr ss:[ebp+10]   ; |
004EA2C7 |. 53          push ebx                        ; |hMenu
004EA2C8 |. 8B5D 14     mov ebx,dword ptr ss:[ebp+14]   ; |
004EA2CB |. 53          push ebx                        ; |hParent
004EA2CC |. 8B5D 18     mov ebx,dword ptr ss:[ebp+18]   ; |
004EA2CF |. 53          push ebx                        ; |Height
004EA2D0 |. 8B5D 1C     mov ebx,dword ptr ss:[ebp+1C]   ; |
004EA2D3 |. 53          push ebx                        ; |Width
004EA2D4 |. 8B5D 20     mov ebx,dword ptr ss:[ebp+20]   ; |
004EA2D7 |. 53          push ebx                        ; |Y
004EA2D8 |. 8B5D 24     mov ebx,dword ptr ss:[ebp+24]   ; |
004EA2DB |. 53          push ebx                        ; |X
004EA2DC |. 51          push ecx                        ; |Style
004EA2DD |. 52          push edx                        ; |WindowName  (window title)
004EA2DE |. 50          push eax                        ; |Class       (program class name)
004EA2DF |. 6A 00       push 0                          ; |ExtStyle = 0
004EA2E1 |. E8 7C010>   call                            ; \CreateWindowExA
004EA2E6 |. 5B          pop ebx
004EA2E7 |. 5D          pop ebp
004EA2E8 \. C2 2000     retn 20
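Once the class-name and title strings have been located at that breakpoint, the personalized build amounts to rewriting those strings in the executable. The C program below is an added example, not code from the original article: it replaces every whole occurrence of a name in the file with a same-length substitute, treating a hit as a whole name when it is NUL-terminated (the PChar handed to CreateWindowExA) or preceded by its own length byte (a Delphi ShortString, which is how the VCL stores a class's ClassName and therefore the window class of a TApplication-based binary). It assumes PFW.exe is an unpacked Delphi binary whose strings are stored as plain ASCII; the substitute names TAppl1cat1on and FWX and the demo_image bytes are constructed for the example. The same-length rule is essential: changing a string's length shifts everything behind it and breaks the image, and because window class names are atoms and compared case-insensitively, the substitute must differ in more than case.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A hit is a whole name rather than a fragment of a longer identifier when it
 * is NUL-terminated (the PChar passed to CreateWindowExA) or preceded by its
 * own length byte (a Delphi ShortString, e.g. ClassName in the VMT). */
static int whole_match(const unsigned char *img, size_t len, size_t pos, size_t n)
{
    if (pos + n < len && img[pos + n] == 0)
        return 1;
    if (pos > 0 && img[pos - 1] == (unsigned char)n)
        return 1;
    return 0;
}

/* Rewrite every whole occurrence of `old` with `rep`, which must have the same
 * length so that no offset, length byte or relocation in the image moves.
 * With rep == NULL nothing is written and the call only counts occurrences.
 * Returns the number of sites found/rewritten, or -1 on a bad length. */
long patch_name(unsigned char *img, size_t len, const char *old, const char *rep)
{
    size_t n = strlen(old);
    long count = 0;
    if (n == 0 || n > len || (rep && strlen(rep) != n))
        return -1;
    for (size_t i = 0; i + n <= len; i++) {
        if (memcmp(img + i, old, n) == 0 && whole_match(img, len, i, n)) {
            if (rep)
                memcpy(img + i, rep, n);
            count++;
            i += n - 1;         /* skip past the hit; matches never overlap */
        }
    }
    return count;
}

/* Patch a file in place. Returns the site count, or -1 on I/O or length error. */
long patch_file(const char *path, const char *old, const char *rep)
{
    FILE *f = fopen(path, "r+b");
    long size, count = -1;
    unsigned char *img;

    if (!f)
        return -1;
    if (fseek(f, 0, SEEK_END) != 0 || (size = ftell(f)) <= 0 ||
        !(img = malloc((size_t)size))) {
        fclose(f);
        return -1;
    }
    rewind(f);
    if (fread(img, 1, (size_t)size, f) == (size_t)size) {
        count = patch_name(img, (size_t)size, old, rep);
        rewind(f);
        if (count > 0 && fwrite(img, 1, (size_t)size, f) != (size_t)size)
            count = -1;
    }
    free(img);
    fclose(f);
    return count;
}

/* Constructed stand-in for the relevant bytes of a Delphi firewall image (not
 * taken from any real PFW.exe): the C string passed to CreateWindowExA, the
 * ShortString form from the VMT, the window title, and a longer identifier
 * that shares the prefix and must be left alone. */
static const unsigned char demo_image[] =
    "\x00" "TApplication" "\x00"
    "\x0c" "TApplication" "\x00"
    "PFW" "\x00"
    "TApplicationHelper" "\x00";

/* Patches a copy of the constructed image; returns the number of sites
 * rewritten (two class-name forms plus the title: 3). */
long demo_patch(void)
{
    unsigned char img[sizeof demo_image];
    memcpy(img, demo_image, sizeof img);
    long c = patch_name(img, sizeof img, "TApplication", "TAppl1cat1on");
    long t = patch_name(img, sizeof img, "PFW", "FWX");
    return (c < 0 || t < 0) ? -1 : c + t;
}

/* 1 if, after patching, the old names are gone, the new ones are present and
 * the decoy identifier TApplicationHelper is untouched; 0 otherwise. */
int demo_verify(void)
{
    unsigned char img[sizeof demo_image];
    memcpy(img, demo_image, sizeof img);
    patch_name(img, sizeof img, "TApplication", "TAppl1cat1on");
    patch_name(img, sizeof img, "PFW", "FWX");
    return patch_name(img, sizeof img, "TApplication", NULL) == 0
        && patch_name(img, sizeof img, "PFW", NULL) == 0
        && patch_name(img, sizeof img, "TAppl1cat1on", NULL) == 2
        && patch_name(img, sizeof img, "FWX", NULL) == 1
        && patch_name(img, sizeof img, "TApplicationHelper", NULL) == 1;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <exe> <old-name> <new-name-same-length>\n", argv[0]);
        return 2;
    }
    long n = patch_file(argv[1], argv[2], argv[3]);
    if (n < 0) {
        fprintf(stderr, "patch failed (I/O error or length mismatch)\n");
        return 1;
    }
    printf("%ld site(s) rewritten\n", n);
    return 0;
}
```

Run it on a copy of the executable, once for the class name and once for the title, e.g. `patch PFW.exe TApplication TAppl1cat1on`, and run a dry count first (rep == NULL in code) to confirm the expected number of sites. Two caveats: a packed binary has to be unpacked before its strings can be found this way, and a product that verifies its own image (checksum or signature) will reject the patched copy. Like the file rename, this only defeats a virus that matches on the documented class name or title, not one that identifies the software by other properties.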


