一个 映象劫持+dll注入+驱动保护 小毒的清理方法

最新推荐文章于 2024-05-09 10:08:40 发布
最新推荐文章于 2024-05-09 10:08:40 发布
阅读量3.8k 收藏 1
点赞数
分类专栏: 病毒汇编和调试逆向技术加脱壳 文章标签: dll file windows c 360 工具
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/iiprogram/article/details/1753990
版权
 首先感谢 ygq1968 提供的样本。
原贴: 可以“秒杀”卡巴和360安全卫士的恶意软件!



本人不会反编译,所以写的难免肤浅,高手见谅!




QUOTE:

病毒尊容











QUOTE:

简单的扫描下,似乎是UPX1.2的壳







QUOTE:

卡巴斯基扫描下,确实没有反应,但是请相信,它确实是个危险文件,接下来你会发现的。











病毒行为分析

■■■■
释放文件:

C:/Program Files/Common Files/Microsoft Shared/MSInfo/45633AA1.dat
C:/Program Files/Common Files/Microsoft Shared/MSInfo/45633AA1.dll
C:/WINDOWS/system32/wbem/Repository/FS/INDEX.MAP
C:/WINDOWS/system32/wbem/Repository/FS/MAPPING.VER
C:/WINDOWS/system32/wbem/Repository/FS/MAPPING1.MAP
C:/WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP
C:/WINDOWS/system32/SevenSowrdSvr.exe
c:/windows/system32/sevenlog.sys
C:/WINDOWS.0/45633AA1.hlp

■■■■
将自己设为开机自动启动

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
SevenSowrd=C:/WINDOWS/system32/SysSevenSowrd.exe

■■■■
注册为服务并设置为自动启动:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/SevenSword
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Sevenlink
■■■■
向运行的应用程序注入45633aa1.dll
c:/program files/common files/microsoft shared/msinfo/45633aa1.dll
■■■■
劫持IFEO,有点名气的差不多都挂了。。。
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360rpt.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360Safe.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/360tray.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/adam.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AgentSvr.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AppSvc32.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/autoruns.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avgrssvc.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/AvMonitor.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avp.com
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/avp.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/CCenter.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/ccSvcHst.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/FileDsty.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/FTCleanerShell.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/HijackThis.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/IceSword.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/iparmo.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Iparmor.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/isPwdSvc.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kabaload.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KaScrScn.SCR
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KASMain.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KASTask.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAV32.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVDX.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVPFW.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVSetup.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KAVStart.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KISLnchr.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KMailMon.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KMFilter.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFW32.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFW32X.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KPFWSvc.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KRegEx.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KRepair.COM
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KsLoader.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVCenter.kxp
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvDetect.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvfwMcl.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVMonXP.kxp
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVMonXP_1.kxp
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvol.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvolself.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvReport.kxp
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVScan.kxp
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVSrvXP.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KVStub.kxp
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvupload.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/kvwsc.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvXP.kxp
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KvXP_1.kxp
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatch.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatch9x.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/KWatchX.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/loaddll.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/MagicSet.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mcconsol.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mmqczj.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/mmsk.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/NAVSetup.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/nod32krn.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/nod32kui.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/PFW.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/PFWLiveUpdate.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/QHSET.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Ras.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Rav.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavMon.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavMonD.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavStub.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RavTask.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RegClean.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwcfg.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RfwMain.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwProxy.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/rfwsrv.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/RsAgent.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Rsaupd.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/runiep.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/safelive.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/scan32.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/shcfg32.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SmartUp.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SREng.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/symlcsvc.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/SysSafe.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/TrojanDetector.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/Trojanwall.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/TrojDie.kxp
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UIHost.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxAgent.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxAttachment.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxCfg.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxFwHlp.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UmxPol.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/UpLive.EXE.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/WoptiClean.exe
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/zxsweep.exe
所有的 Debugger全部指向:
"C:/PROGRA~1/COMMON~1/MICROS~1/MSINFO/45633AA1.dat"
■■■■
修改该死的ShellExecuteHooks实现特殊自启动
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks/{33AA4563-4563-3AA1-633A-563AA5633AA1}: ""
■■■■
使系统显示隐藏文件失效
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Advanced/Folder/Hidden/SHOWALL/CheckedValue: 0x00000001
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Advanced/Folder/Hidden/SHOWALL/CheckedValue: 0x00000000
■■■■
破坏卡巴斯基服务
HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Services/AVP/Start: 0x00000003
HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Services/AVP/Start: 0x00000004
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/AVP/Start: 0x00000003
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/AVP/Start: 0x00000004
■■■■
破坏安全模式
如果开机按下F8进入安全模式---蓝屏!

 

解决办法





1.你需要准备以下工具:


XPSP2无法进入安全模式注册表修复

完美解决开机后看不到桌面的问题_FOR WINDOWS XP.rar

 

请注意,这个包适用于windows XP,如果你的系统是windows 2000,请点这里下载适用于windows 2000的修复包。

修复_显示所有文件.rar

360文件粉碎工具

syscheck2(1.0.0.68).rar



2.打开360文件粉碎工具

将下面的文件列表选择复制。
点“ ”--》“ ”--》勾上“ ”--》“


[Copy to clipboard] [ - ]
CODE:
C:/Program Files/Common Files/Microsoft Shared/MSInfo/45633AA1.dat
C:/Program Files/Common Files/Microsoft Shared/MSInfo/45633AA1.dll
C:/WINDOWS/system32/wbem/Repository/FS/INDEX.MAP
C:/WINDOWS/system32/wbem/Repository/FS/MAPPING.VER
C:/WINDOWS/system32/wbem/Repository/FS/MAPPING1.MAP
C:/WINDOWS/system32/wbem/Repository/FS/OBJECTS.MAP
C:/WINDOWS/system32/SevenSowrdSvr.exe
c:/windows/system32/sevenlog.sys
C:/WINDOWS.0/45633AA1.hlp




3.使用XPSP2无法进入安全模式注册表修复

4.使用修复_显示所有文件.rar

5.解压缩syscheck2(1.0.0.68).rar,打开syscheck2,嘿嘿,你禁用那么多,没想到我还有这个利剑吧。。

①点“服务管理"



点击下面的”仅显示非微软“

点击这两个S开头的服务:



选择右键菜单中的”删除服务及文件“,两个都要删除。








②换个地方,”检测修复“--》”活动文件“





勾上下面图片中的两个。



看到屏幕下面,有没有,点一下,修复这两项。



5.打完收工,这个病毒被彻底制服!

iiprogram
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
Windows提权笔记-动态库劫持dll劫持、包含多种绕过UAC方法
墨痕诉清风的博客
03-12 642
dll 劫持是也是绕过 UAC 常用的方法,在 UACME 项目中很多绕过方法都是使用 dll 劫持dll 劫持也是一个比较大的主题。一般操作如下,假设受信任的程序 c:\windows\system32\test\test.exe 会加载 c:\windows\system32\test.dll (不在 KnowsDLLS里面),
保护.net中的dll文件方法(防止破解、反编译dll)
01-20
.net是一种建立在虚拟机上执行的语言,它直接生成 MSIL 的中间语言,再由.net编译器 JIT 解释映象为本机代码并交付CPU执行。中间语言很容易被反编译,所以研究下如何有效的保护dll文件。 我大致的方法为 :强签名+...
驱动劫持清理修复工具
05-21
从后台清除驱动劫持1.32位电脑系统请运行PCHunter32.exe 64位电脑系统请运行PCHunter64.exe 2.点击-驱动模块 如图1 3.点击-文件厂商 如图2 4.拉到最底下显示的驱动 文件厂商栏为空的 一般显示为蓝色 5.右键点击 删除驱动文件 然后再次右键点击 卸载驱动 6.会提示蓝屏 点确定重启电脑即可
DLL的远程注入与远程卸载卸载
qq_40535097的博客
05-19 2044
DLL的远程注入与远程卸载卸载 涉及Windows API FindWindow GetWindowThreadProcessId OpenProcess VirtualAlloc WriteProcessMemory CreateRemoteThread WaitForSingleObject 有时候修改目标程序,如制作插件,补丁,外挂等,需要使用到DLL注入的操作,注入的方式主要有远程注入劫持注入、HOOK方式、内存注入等,这里主要说一下远程注入以及远程卸载 远程注入 什么是远程注入: 远程注入
驱动病毒,锁首,劫持
Doraemon_meow_meow的博客
06-09 1285
驱动病毒,锁首,劫持 一,先用火绒剑查看System进程中可以驱动,在内核中搜索可查到相关驱动的注册表真实名称 二,使用pchunter进行对 内核中的系统回调进行删除,查看是否恢复正常,查看过滤驱动,文件系统下的微端口过滤器,系统调试,对象劫持 三,一般在驱动中找到相关注册表进入wepe模式删除便可 wepe下载方式 :http://www.wepe.com.cn/ ...
阻止恶意弹出的广告
04-22 304
所谓浏览器劫持是指网页浏览器(IE等)被恶意程序修改。常见现象为主页及互联网搜索页变为不知名的网站、经常莫名弹出广告网页输入正常网站地址却连接到其他网站。收藏夹内被自动添加陌生网站地址等等。 下面我们就来了解一些对付浏览器劫持方法: 1.编辑hosts文件 HOSTS文件存在于Windows目录下的System32\Drivers\Etc目录中。如果恶意网页将正常的域名映射到恶意网页的IP地址,...
完备度量空间中四个映象一个新的不动点定理* (2008年)
04-27
### 完备度量空间中四个映象一个新的不动点定理 #### 概述 本文探讨了在完备度量空间中的四个映象一个新的公共不动点定理。该研究旨在减少公共不动点定理中对映象对相容性的要求,从而扩展不动点定理的应用...
涉及到四个自映象一个新的公共不动点定理 (2010年)
06-01
2. 自映象对的概念:自映象是指一个映射的定义域和值域相同。自映象对即是指两个映射,它们的定义域和值域均为同一个集合X。 3. 映射的相容性和次相容性:自映象对的相容性是指两个映射相互作用的结果趋向于一致,...
关于Banach空间中可微映象一个注记 (2002年)
04-26
### 关于Banach空间中可微映象一个注记 #### 摘要与背景 本文探讨了Banach空间中的可微映象及其在二阶微分方程不变流问题中的应用。具体而言,考虑赋范空间\(E\)以及Banach空间\(Y\),\(g: \Omega \subseteq E \...
解决流氓软件里的.dll文件无法删除问题,简单易懂
Lina_Xia的博客
05-03 2952
解决流氓软件里的.dll文件无法删除问题
浏览器劫持源码
08-06
浏览器劫持源码 浏览器劫持.e
驱动DLL注入
07-13
工具精选中的极品,很好用的驱动,能注入许多驱动层的软件,如果你遇到有保护的了,可以尝试一下用本工具注入
驱动无模块注入dll
鬼手的博客
12-10 9651
Windows驱动无模块注入姿势全解 包含三环和零环的多种注入方式
驱动开发:内核RIP劫持实现DLL注入
CSDN
06-16 7629
本章将探索内核级DLL模块注入实现原理,DLL模块注入在应用层中通常会使用`CreateRemoteThread`直接开启远程线程执行即可,驱动级别的注入有多种实现原理,而其中最简单的一种实现方式则是通过劫持EIP的方式实现,其实现原理可总结为,挂起目标进程,停止目标进程EIP的变换,在目标进程开启空间,并把相关的指令机器码和数据拷贝到里面去,然后直接修改目标进程EIP使其强行跳转到我们拷贝进去的相关机器码位置,执行相关代码后,然后再次跳转回来执行原始指令集。
Xenos:一款强大的Windows DLL注入工具
最新发布
gitblog_00094的博客
05-09 1733
Xenos:一款强大的Windows DLL注入工具 XenosWindows dll injector项目地址:https://gitcode.com/gh_mirrors/xe/Xenos Xenos 是一个基于 Blackbone 库 的高级DLL注入器,专为开发者和安全研究人员设计,它在Windows平台上展示了出色的灵活性和多功能性。该开源项目以其丰富的功能集和跨平台兼容性脱颖而出,...
驱动开发:内核LoadLibrary实现DLL注入
热门推荐
CSDN
06-13 2万+
远程线程注入是最常用的一种注入技术,在应用层注入是通过`CreateRemoteThread`这个函数实现的,该函数通过创建线程并调用 `LoadLibrary` 动态载入指定的DLL来实现注入,而在内核层同样存在一个类似的内核函数`RtlCreateUserThread`,但需要注意的是此函数未被公开,`RtlCreateUserThread`其实是对`NtCreateThreadEx`的包装,但最终会调用`ZwCreateThread`来实现注入,`RtlCreateUserThread`是`Creat
DLL加载器-远程线程注入(常规dll注入
bring_coco的博客
08-30 1441
注入思路 先获取到LoadLibrary的函数地址,之后使用CreateRemoteThread加载这段地址即可 简单例子: D:\VS项目\Dll3\x64\Debug\Dll3.dll kernel.dll加载的地址在所有进程都是一样的 https://zhuanlan.zhihu.com/p/599915628?utm_id=0 DLL进程注入 dll注入器 生成dll-2-1.exe 这里注入的exe是notepad++,找到其进程,注入dll是我cs生成的beacon.dll 主要思路是:
BlackBone工具集合:注入、hook、驱动程序
zz_strive_2012的专栏
12-09 5072
FF_BlackBone介绍 作为Windows开发人员,经常遇到枚举进程、枚举模块、读写进程内存的操作;Windows安全开发人员更是会涉及注入、hook、操作PE文件、编写驱动。每次都要翻各种资料制造轮子,那么有没有好的开源库解决这个问题呢,目前知道的就Blackbone了,而且它的代码写的很好,完全可以作为教科书来用。 PS:作者DarthTon在github上的头像很有意思,就粘了下来。 ...
Dll注入技术之驱动注入
Hades的博客
01-04 1万+
Dll注入技术之驱动注入 0x0 技术简介 实现环境 系统:Windows 7 64bit 工具:VS+WDK 驱动注入 我这里驱动注入的技术是:采用驱动向目标进程插入APC执行LdrLoadDll函数加载Dll模块。 可以注入64位Dll到64位进程或注入32位Dll到32位进程。暂时没有实现跨位数。 APC(异步过程调用)是一种内核机制,它提供了一种在特定线程上下文中执行定制例...
使用python写一个用于级联失效的耦合映象格子模型代码
05-24
以下是一个简单的用于级联失效的耦合映象格子模型的 Python 代码示例: ```python import numpy as np # 设置模型参数 N = 50 # 格点个数 T = 100 # 模拟时间步长 p = 0.5 # 失效概率 q = 0.1 # 耦合强度 alpha = 0.1 # 失效扩散系数 # 初始化格点状态 x = np.zeros((N, T)) x[0, 0] = 1 # 初始状态为失效 # 模型更新 for t in range(1, T): for i in range(N): # 计算失效概率 p_i = p + alpha * (x[(i-1)%N, t-1] + x[(i+1)%N, t-1] - 2*x[i, t-1]) # 判断是否失效 if np.random.rand() < p_i: x[i, t] = 1 else: x[i, t] = 0 # 耦合更新 x[i, t] = x[i, t] or (np.random.rand() < q*(x[(i-1)%N, t-1] + x[(i+1)%N, t-1])/2) # 可视化结果 import matplotlib.pyplot as plt plt.imshow(x, cmap='gray', aspect='auto') plt.xlabel('Time') plt.ylabel('Node') plt.show() ``` 该模型使用了一个二维数组来表示格点的状态,其中行表示格点,列表示时间步长。模型的更新实现了失效和耦合的联合更新,最终输出的是一个灰度图,用于可视化格点的状态。
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值