Objective:
As everyone knows, more and more virus writers are producing virus programs, whether to show off their skill or for less avowable reasons. Because most domestic users now know something about network security, they install a firewall or antivirus product on their own system to protect it. That security software has therefore become a "stumbling block" for these viruses, and clearing the stumbling block away has become another goal the virus writers pursue: letting the virus program run in a system that is left unguarded.
Common virus self-protection techniques:
1. Packing, by compression or encryption (mostly with the packers popular on the net);
2. Modifying the signatures in the virus program, so that the signature scan of the antivirus software misses it;
3. When the virus program triggers its functional module, it first checks for security software on the system and, if any is present, removes it;
4. Kernel-level and service-level programming, so that most antivirus software cannot clean the virus up; such viruses are technically demanding, but with rootkit source code now public the technique is spreading quickly ...
...
The discussion below covers a defence against technique 3, the virus removing the security software: building a personalized, "kill-proof" version of the security software that the virus cannot recognise.
1. Avoiding termination by "process scanning";
To defeat this method it is enough to change the file name of the main program; the "process scanning" the virus relies on then no longer finds it.
2. Avoiding being tracked down through FindWindow() / FindWindowExA();
hWnd = FindWindow("TApplication", vbNullString)   ' locate by the characteristic window class name
hWnd = FindWindow(vbNullString, "PFW")            ' locate by the characteristic window title
This technique prevents such functions from locating the security software by its window class name or window title and then terminating it. Load the firewall program to be customized, PFW.exe, in OllyDbg or SoftICE and set a breakpoint on user32.CreateWindowExA().
Part of the code:
004EA2B8  /$ 55          PUSH EBP
004EA2B9  |. 8BEC        MOV EBP,ESP
004EA2BB  |. 53          PUSH EBX
004EA2BC  |. 8B5D 08     MOV EBX,DWORD PTR SS:[EBP+8]
004EA2BF  |. 53          PUSH EBX                         ; /lParam
004EA2C0  |. 8B5D 0C     MOV EBX,DWORD PTR SS:[EBP+C]     ; |
004EA2C3  |. 53          PUSH EBX                         ; |hInst
004EA2C4  |. 8B5D 10     MOV EBX,DWORD PTR SS:[EBP+10]    ; |
004EA2C7  |. 53          PUSH EBX                         ; |hMenu
004EA2C8  |. 8B5D 14     MOV EBX,DWORD PTR SS:[EBP+14]    ; |
004EA2CB  |. 53          PUSH EBX                         ; |hParent
004EA2CC  |. 8B5D 18     MOV EBX,DWORD PTR SS:[EBP+18]    ; |
004EA2CF  |. 53          PUSH EBX                         ; |Height
004EA2D0  |. 8B5D 1C     MOV EBX,DWORD PTR SS:[EBP+1C]    ; |
004EA2D3  |. 53          PUSH EBX                         ; |Width
004EA2D4  |. 8B5D 20     MOV EBX,DWORD PTR SS:[EBP+20]    ; |
004EA2D7  |. 53          PUSH EBX                         ; |Y
004EA2D8  |. 8B5D 24     MOV EBX,DWORD PTR SS:[EBP+24]    ; |
004EA2DB  |. 53          PUSH EBX                         ; |X
004EA2DC  |. 51          PUSH ECX                         ; |Style
004EA2DD  |. 52          PUSH EDX                         ; |WindowName  (window title)
004EA2DE  |. 50          PUSH EAX                         ; |Class       (program's window class name)
004EA2DF  |. 6A 00       PUSH 0                           ; |ExtStyle = 0
004EA2E1  |. E8 7C010>   CALL                             ; \CreateWindowExA
004EA2E6  |. 5B          POP EBX
004EA2E7  |. 5D          POP EBP
004EA2E8  \. C2 2000     RETN 20