I killed it with a dozen or so lines of code, and without any clever tricks either, heh:
#include <windows.h>
#include <tlhelp32.h>
#include <string.h>

/* PID of this process's parent and PID of explorer.exe, filled in by VMM() */
DWORD fpid = 0, epid = 0;

void VMM()
{
    PROCESSENTRY32 pe;
    HANDLE hkz = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hkz == INVALID_HANDLE_VALUE)
        return;                         /* snapshot failed; fpid/epid stay 0 */
    pe.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hkz, &pe))
    {
        do
        {
            /* our own entry: remember which process started us */
            if (pe.th32ProcessID == GetCurrentProcessId())
            {
                fpid = pe.th32ParentProcessID;
            }
            /* the shell's entry: remember its PID (ANSI build, szExeFile is char[]) */
            if (_stricmp(pe.szExeFile, "explorer.exe") == 0)
            {
                epid = pe.th32ProcessID;
            }
        }
        while (Process32Next(hkz, &pe));
    }
    CloseHandle(hkz);                   /* release the snapshot handle */
}
In main():
    VMM();
    if (fpid != epid)                   /* parent is not explorer.exe: bail out */
        return 0;
Don't get it? Then don't bother reading; this is common sense, common sense...
2007/11/09 13:46 | by 
2. With any decent emulation engine, this issue can be fixed in no time. At least this is the case with KAV's heuristic analyzer.
3. Due to its obvious deficiencies, malware authors will hardly use this technique as is. Consequently there's no practical reason making KAV pass this "test" right now
”
http://forum.kaspersky.com...
Supporting your original work..
Kaspersky 7 is among the top of the many antivirus products.
Are certain other antivirus products even worth my mentioning?
Just read the PEB directly, a few lines and it's done; Toolhelp operates on the PEB anyway, have a look at the OS source code.
Besides, solving a complex, hard problem with a simple method is called a higher level of skill, haha