I believe many of my friends have tried making Trojans undetectable by anti-virus software (免杀, literally "kill-free"). In the early days this was done by packing and by modifying signatures. Evasion has since moved on to junk instructions ("flower instructions", 花指令) and shell modification, which requires some assembly knowledge, and assembly is not an easy nut to crack. So I wrote this beginner's assembly tutorial for evasion to help newcomers get started quickly: the essential assembly knowledge, modifying junk instructions, signature modification skills, and writing your own junk instructions.
I. Essential assembly knowledge
push pushes onto the stack. The stack is a data structure; remember four words: first in, last out. Pushing puts data onto the stack at the top, and popping takes data off the top as well, which is where the first-in, last-out property comes from. Think of a tube of table-tennis balls: if we drop the balls in in the order 1, 2, 3, 4 and then take them all out again, they come out in the order 4, 3, 2, 1.
pop pops from the stack; it is the counterpart of push.
mov a, b sends the value of b to a. Treat it like an assignment statement in programming: b is assigned to a, so afterwards the value of a is b.
nop is "no operation", that is, nothing is done.
retn retrieves the return address from the stack and jumps to that address to continue execution.
Here are some arithmetic instructions:
add: addition
sub: subtraction
inc: plus 1
dec: minus 1
Finally, the jump instructions:
jmp: unconditional jump
je or jz: jump if equal
jne or jnz: jump if not equal
jb: jump if below (unsigned comparison)
jl: jump if less (signed comparison)
ja: jump if above (unsigned comparison)
jg: jump if greater (signed comparison)
jle: jump if less than or equal
jge: jump if greater than or equal
That is all we need to know; there are not many instructions. Some may still seem unclear, but they will become clear as you read on. I nearly forgot to mention registers: registers are components of the CPU, high-speed storage with limited capacity, used to hold instructions, data and addresses. We need to know the eight general-purpose registers: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP.
II. Modifying signatures and junk instructions
I won't say much about signatures. As everyone knows, anti-virus software scans for viruses using signatures; change the Trojan's signature and the anti-virus software can no longer find our Trojan, which achieves evasion. Junk instructions are useless code in a program: they do not affect it, and it runs normally even without them. Once junk instructions are added, the static disassembly that anti-virus software performs on the Trojan no longer shows the Trojan's code normally, increasing the difficulty of detection and removal. The principle behind junk instructions is stack balance, which, as mentioned above, can be understood like this: the purpose of writing a junk instruction sequence is that after it has been added, the stack is in the same state as before.
Because junk instruction sequences published on the Internet do not stay undetected for long (they are generally picked up by anti-virus software shortly after publication), we only need to modify one or two lines to make them undetected again. Let's look at five ways of modifying them. (These also apply to signature modification.)
Let's first look at the junk instruction sequence used by the Trojan color clothing tool (the Golden Fish brocade):
1. push ebp
2. mov ebp, esp
3. add esp,-0C
4. add esp, 0C
5. mov eax, original entry
6. push eax
7. retn
Lines 1 and 2 can be seen at the start of most programs: push ebp pushes register ebp onto the stack, and mov ebp, esp sends the value of register esp to register ebp. Lines 3 and 4 use the add instruction: add esp,-0C adds -0C to register esp, and add esp, 0C adds 0C to register esp, so lines 3 and 4 add up to nothing and keep the stack balanced. Lines 5, 6 and 7 complete the jump back to the entry point: mov eax, original entry puts the entry point into register eax, push eax pushes register eax onto the stack, and retn, as we know, takes the return address from the stack and jumps to it, which brings us back to the entry point.
Let's look at an example, using Trojan color clothing. First we detect the packer: loading the Trojan in PEiD shows Microsoft Visual Basic 5.0/6.0 (1). Good, that saves us the trouble of unpacking. Copy the Trojan and paste it to get copy.exe. We use Trojan color clothing to add junk instructions to the copy (3), then scan it with Kaspersky, and Kaspersky recognizes it (4). This is because the Golden Fish brocade has been published for a long time and has been used by many people, so it is ineffective against anti-virus software.
1. Replacement method
We use the replacement method to modify the Golden Fish brocade. The result is as follows:
1. push ebp
2. mov ebp, esp
3. add esp, 1
4. add esp,-1
5. mov eax, original entry
6. push eax
7. retn
Lines 3 and 4, add esp,-0C and add esp, 0C, are changed to add esp, 1 and add esp,-1, which still keeps the stack balanced (5). Right-click add esp,-0C, click Assemble, change add esp,-0C to add esp, 1, and change add esp, 0C to add esp,-1. Select the modified part, then right-click → Copy to executable → Selection. In the window that appears, right-click and save the file; here I saved it as "replacement method.exe" and scanned it with Kaspersky (6).
2. Shift method
1. push ebp
2. mov ebp, esp
3. nop
4. nop
5. add esp,-0C
6. add esp, 0C
7. mov eax, original entry
8. push eax
9. retn
Move the original lines 3 to 7 down by two lines, insert two nops in their place, and save the modified file as "shift method.exe".
3. Addition method
1. push ebp
2. mov ebp, esp
3. push edx
4. pop edx
5. add esp,-0C
6. add esp, 0C
7. mov eax, original entry
8. push eax
9. retn
Add push edx and pop edx to the Golden Fish brocade. These two instructions push register edx onto the stack and pop it back off again, which achieves the same stack balance. After modifying, save the file in the same way as before.
4. Removal method
1. push ebp
2. mov ebp, esp
3. mov eax, original entry
4. push eax
5. retn
Delete add esp,-0C and add esp, 0C, and save the modified file in the same way as before.
5. Jump method
push ebp
mov ebp, esp
jmp → jumps forward to the address of add esp,-0C
mov eax, original entry (shown in the copy as 00401_c)
push eax
retn
add esp,-0C
add esp, 0C
jmp → jumps back to the address of mov eax, original entry (00401_c in the copy)
Compare this with the figure, then save the file in the same way as before.
We can use Kaspersky to try out the modified files (8). Only the original Trojan color clothing file, the Golden Fish brocade, and the removal method are detected. The removal method fails because the Golden Fish brocade's code is relatively short; with a longer junk instruction sequence the effect would be better. Combining several modification methods works better still. Of course, the signature itself can be modified with the same methods; compared with the jump method, signature modification is used more often.
III. Writing your own junk instructions
From the above we can see the general structure of a junk instruction sequence: it usually starts with push ebp and mov ebp, esp, followed by some instructions that keep the stack balanced, and ends with a jump back to the entry point.
Here are some code sequences that keep the stack balanced:
push ebp: push the base pointer register onto the stack
pop ebp: pop the base pointer register back off the stack
push eax: push the data register onto the stack
pop eax: pop the data register back off the stack
nop: no operation, that is, nothing is done.
mov eax, eax: sends eax to eax, which means nothing is done.
sub eax, 1
add eax, 1: register eax minus 1 and then plus 1, which again amounts to nothing.
add eax, 2
dec eax
dec eax: simple addition and subtraction. First register eax is increased by 2, then register eax is decremented twice with dec, that is, minus 1 and minus 1, which restores the balance. (The original listing read sub eax, 2, which together with two dec instructions would leave eax 4 lower; add eax, 2 is what the explanation describes.)
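Seen from the scanner's side, every balancing trick above (and the replacement, shift and addition variants in section II) is padding that nets to zero, so a detector can strip it before matching rather than chase each variant with a new signature. The following normaliser is an added example, not code from the original article or from the Trojan color clothing tool; the listings are constructed in the article's OllyDbg-style notation, and the jump method, which reorders control flow, is not handled by this linear pass.

```python
import re

# Constructed listings in the article's OllyDbg-style notation (not real samples).
ORIGINAL = ("1. push ebp\n2. mov ebp, esp\n3. add esp,-0C\n4. add esp, 0C\n"
            "5. mov eax, original_entry\n6. push eax\n7. retn")
COMBINED = ("push ebp\nmov ebp, esp\nnop\npush edx\nmov ecx, ecx\npop edx\nadd esp, 1\n"
            "add esp,-1\nadd eax, 2\ndec eax\ndec eax\nmov eax, original_entry\npush eax\nretn")
CORE = ["push ebp", "mov ebp,esp", "mov eax,original_entry", "push eax", "retn"]
_LINE = re.compile(r"^\s*(?:\d+\.\s*)?([a-z]+)\s*(.*?)\s*$")

def parse(listing):
    """[(mnemonic, [operands])] per line; leading '3.'-style line numbers are dropped."""
    ms = filter(None, map(_LINE.match, listing.lower().splitlines()))
    return [(m.group(1), [o.strip() for o in m.group(2).split(",")] if m.group(2) else []) for m in ms]

def delta(mn, ops):
    """(register, net change) for add/sub/inc/dec with an immediate operand, else None."""
    if mn in ("inc", "dec") and len(ops) == 1:
        return ops[0], 1 if mn == "inc" else -1
    if mn in ("add", "sub") and len(ops) == 2 and re.fullmatch(r"-?[0-9a-f]+", ops[1]):
        v = int(ops[1], 16)  # OllyDbg prints hex without 0x, so -0C is -12
        return ops[0], v if mn == "add" else -v
    return None

def strip_padding(insns):
    """One pass: drop nop, mov r,r, push r/pop r pairs and zero-sum arithmetic runs."""
    out, i = [], 0
    while i < len(insns):
        mn, ops = insns[i]
        if mn == "nop" or (mn == "mov" and len(ops) == 2 and ops[0] == ops[1]):
            i += 1; continue
        if mn == "push" and i + 1 < len(insns) and insns[i + 1] == ("pop", ops):
            i += 2; continue
        d = delta(mn, ops)
        if d:  # extend over following arithmetic on the same register until it nets to zero
            reg, total, j = d[0], d[1], i + 1
            while total != 0 and j < len(insns):
                nd = delta(*insns[j])
                if not nd or nd[0] != reg: break
                total, j = total + nd[1], j + 1
            if total == 0:
                i = j; continue
        out.append((mn, ops)); i += 1
    return out

def normalize(listing):
    """Strip padding to a fixpoint; what survives is what a signature should match on."""
    insns = parse(listing)
    while (reduced := strip_padding(insns)) != insns:
        insns = reduced
    return [" ".join(filter(None, [mn, ",".join(ops)])) for mn, ops in insns]
```

Both constructed listings reduce to the same five-instruction core, which is the point: a signature taken over the normalised form survives any mix of the replacement, shift, addition and removal methods.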
It's easy. With these as a reference you can write as many more as you like. Once that is done, you can write the jump statements.
jmp entry point: the simplest jump, an unconditional jump straight back to the entry point. It is the simplest and, of course, the worst.
mov eax, entry point
push eax
retn: you are already familiar with this one, the Golden Fish brocade's jump, explained above; nothing more to say.
mov eax, entry point
jmp eax: the principle is similar to the Golden Fish brocade. The entry point is put into register eax, and then we jump to register eax, that is, to the entry point.
je entry point
jne entry point: je jumps if equal and jne jumps if not equal; combined, the pair is an absolute jump. There are many conditional jump statements like this; refer to the jump instructions above and write your own.
I believe that by combining the instructions above you can write your own junk instruction sequences, and that achieves the goal of this article. For how to add junk instructions to a file, refer to the Theme Park column in last year's 9th issue.