
What is this thing in the virus?

Views: 4040   Posted: 2013-02-26 00:00:00.0
Asking the experts: what is this thing in the virus?
In the virus, what is `db 04Dh,05Ah,090h,000h,003h,000h,000h,000h,004h,000h,000h,000h,0FFh,0FFh,000h,000h`?
How is it obtained? And if I wanted to define this myself, how would I go about it?

written_bytes dd 0
hvdfile dd 0 ;virus dropper file handle 

IMAGE_DATA_DIRECTORY  STRUC
  DD_VirtualAddress  DD  BYTE PTR ?
  DD_Size       DD  ?
IMAGE_DATA_DIRECTORY  ENDS


VirusHeaders:

;mz header & dos stub program

db  04Dh,05Ah,090h,000h,003h,000h,000h,000h,004h,000h,000h,000h,0FFh,0FFh,000h,000h
db  0B8h,000h,000h,000h,000h,000h,000h,000h,040h,000h,000h,000h,000h,000h,000h,000h
db  000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h
db  000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,080h,000h,000h,000h
db  00Eh,01Fh,0BAh,00Eh,000h,0B4h,009h,0CDh,021h,0B8h,001h,04Ch,0CDh,021h,054h,068h
db  069h,073h,020h,070h,072h,06Fh,067h,072h,061h,06Dh,020h,063h,061h,06Eh,06Eh,06Fh
db  074h,020h,062h,065h,020h,072h,075h,06Eh,020h,069h,06Eh,020h,044h,04Fh,053h,020h
db  06Dh,06Fh,064h,065h,02Eh,00Dh,00Dh,00Ah,024h,000h,000h,000h,000h,000h,000h,000h

;pe header:

PE_Magic DD 00004550h
Machine DW 014ch
NumberOfSections DW 2h
TimeDateStamp DD 3878561Ah
PointerToSymbolTable DD 0
NumberOfSymbols DD 0
SizeOfOptionalHeader DW SizeOfPeOptionalHeader
Characteristics DW 30Eh

Pe_OptionalHeader:
;pe optional header:

OH_Magic            DW 010Bh
OH_MajorLinkerVersion      DB 05h
OH_MinorLinkerVersion      DB 0
OH_SizeOfCode          DD 0
OH_SizeOfInitializedData    DD (SizeOfImportSection+(200h-(SizeOfImportSection mod 200h)))
OH_SizeOfUninitializedData   DD 0
OH_AddressOfEntryPoint     DD (1000h+Wvltg_EntryPoint-_main) ;entry point!
OH_BaseOfCode          DD 1000h ;code placed at 1000h
OH_BaseOfData          DD (1000h+VirusSize+(1000h-(VirusSize mod 1000h))) ;placed after code in the memory
OH_ImageBase          DD 
...


------ Solution --------------------------------------------------------
Embedded opcodes, strings, hash values and the like.

What you are looking at is the header format of a PE file; the virus probably generates a PE file on the fly.

In any case, you first have to understand what it is trying to do; copying this form by itself is meaningless.
------ Solution --------------------------------------------------------
Export it with a hex tool such as WinHex, or with a disassembler that can dump the raw binary,
or write a program to extract it; dynamic languages such as ruby or perl are especially convenient for this.
------ Solution --------------------------------------------------------
The part in red is just a PE header; judging from the code comments it should be the virus's PE header.

If you want to get this content, you can open an exe file in UE and take a look.

You can also use the tools mydo mentioned.