
PC Share signature codes published, and how to change them

Antivirus tutorials, 2024-02-27

1. Locating the signatures

Kaspersky:

pchide.sys:

[Signature] 00000986_00000001

pcmain.dll:

[Signature] 0000BB02_00000001

pcinit.exe:

[Signature] 00000825_00000001

[Signature] 00001369_00000001

Rising:

pchide.sys:

[Signature] 00000D56_00000001

pcmain.dll:

[Signature] 0000BB49_00000001

pcinit.exe:

[Signature] 00000673_00000001

[Signature] 00000827_00000001

[Signature] 00000D5B_00000001

Kingsoft:

pchide.sys:

[Signature] 00000D3E_00000001

pcmain.dll:

Reverse:

[Signature] 0000BAB4_00000001

[Signature] 0000BABB_00000001

[Signature] 0000DE28_00000001

[Signature] 0000DE79_00000001

pcinit.exe:

[Signature] 00001238_00000001

[Signature] 00001265_00000001

Jiangmin:

pchide.sys:

[Signature] 00000DAF_00000001

pcmain.dll:

[Signature] 0000BB0A_00000001

pcinit.exe:

[Signature] 000008BC_00000001

[Signature] 00000EE4_00000001

[Signature] 000012BA_00000001

########################################################################################################################

2. Modifying the signatures:

//***********************************************************************************************************************

Kaspersky:

pchide.sys:

[Signature] 00000986_00000001

00010975:  FF15 20030100              CALL [10320]

0001097B:  33C0                       XOR EAX,EAX

0001097D:  EB 11                      JMP SHORT 00010990

0001097F:  50                         PUSH EAX

00010980:  33C0                       XOR EAX,EAX       // NOP this instruction out

00010982:  33C0                       XOR EAX,EAX

00010984:  0F84 03000000              JE 0001098D

0001098A:  55                         PUSH EBP

0001098B:  8211 58                    ADC BYTE PTR [ECX],58

//---------------------------------------------------------------------------------------------------------------------

pcmain.dll:

[Signature] 0000BB02_00000001

1000BAF9:  EB 4E                      JMP SHORT 1000BB49

1000BAFB:  57                         PUSH EDI

1000BAFC:  56                         PUSH ESI

1000BAFD:  53                         PUSH EBX

1000BAFE:  E8 FDF8FFFF                CALL 1000B400     // 2. change the target 1000B400 to 1000B3F8

1000BB03:  83FE 01                    CMP ESI,1

1000B3F8                                                // 1. move the code at 1000B400 to here

1000B3FE:  90                         NOP

1000B3FF:  90                         NOP

1000B400:  8B4424 08                  MOV EAX,[ESP+8]

1000B404:  81EC 24050000              SUB ESP,524

1000B40A:  83F8 01                    CMP EAX,1

1000B40D:  56                         PUSH ESI

1000B40E:  57                         PUSH EDI

//---------------------------------------------------------------------------------------------------------------------

pcinit.exe:

[Signature] 00000825_00000001  00401425

0040081D:  FFD6                       CALL NEAR ESI

0040081F:  6A 06                      PUSH 1            //

00400821:  58                         POP EAX

00400822:  5F                         POP EDI

00400823:  5E                         POP ESI

00400824:  5B                         POP EBX

00400825:  C9                         LEAVE

[Signature] 00001369_00000001  00401F69

The call at this location: stepping into the call shows the following. Move the top four instructions into an empty area, then change the call's target address, and the detection is gone.

00401429  /$  55                    push    ebp

0040142A