Ran into a surprising virus (trojan?) 29.10.04 15:47 Views: 2886
Author: ZaDNiCa <indeed ZaDNiCa> Status: Elderman
As far as I can tell, it creates a debug file c:\!apihook.txt. Reading it gave me a bad feeling:
has anyone cleaned up crap like this?
--------------------------------------------------------------------------------
Process32Next - kernel32.dll , hndl: 7C4E0000
physmem: 144
SCANNING pmem (0-7F8D000), mapped on virt, for pagetables
FOUND PAGETABLE! 77F2400 patching...
pagetable patched!
7C4E0000 size: 1000 IsBadWritePtr: 0
7C4E1000 size: 5F000 IsBadWritePtr: 0
7C540000 size: 4000 IsBadWritePtr: 0
7C544000 size: 55000 IsBadWritePtr: 1
fnc addr: 7C51CB70 IsBadWritePtr: 0
Searching block of zeroes in vmem (7C4E0000-7C599000)
found zeroes! 7C4E0283
disasm func & copy instructions to ipz:
instructions lengths: 1 2 6
IsBadReadPtr: 7C4EF0F7
GetCurrentProcessId: 7C4EB8F4
FindWindowA: 77E3449E
SendMessageA: 77E15366
stealthcode: 199 bytes
restoring pagetable...
restored!
NO MORE PAGETABLES!
--------------------------------------------------------------------------------
NtQuerySystemInformation - ntdll.dll , hndl: 77F80000
physmem: 144
SCANNING pmem (0-7F8D000), mapped on virt, for pagetables
FOUND PAGETABLE! 7670400 patching...
pagetable patched!
77F80000 size: 1000 IsBadWritePtr: 0
77F81000 size: 4E000 IsBadWritePtr: 0
77FCF000 size: 2000 IsBadWritePtr: 0
77FD1000 size: 1000 IsBadWritePtr: 0
77FD2000 size: 29000 IsBadWritePtr: 1
fnc addr: 77F87D11 IsBadWritePtr: 0
Searching block of zeroes in vmem (77F80000-77FFB000)
found zeroes! 77F802C2
disasm func & copy instructions to ipz:
instructions lengths: 5
FindWindowA: 77E3449E
SendMessageA: 77E15366
stealthcode: 207 bytes
restoring pagetable...
restored!
NO MORE PAGETABLES!
--------------------------------------------------------------------------------
GetTcpTable - iphlpapi.dll , hndl: 77340000
physmem: 144
SCANNING pmem (0-7F8D000), mapped on virt, for pagetables
FOUND PAGETABLE! 48A0C00 patching...
pagetable patched!
77340000 size: 1000 IsBadWritePtr: 0
77341000 size: E000 IsBadWritePtr: 0
7734F000 size: 1000 IsBadWritePtr: 0
77350000 size: 3000 IsBadWritePtr: 1
fnc addr: 77346399 IsBadWritePtr: 0
Searching block of zeroes in vmem (77340000-77353000)
found zeroes! 7734035E
disasm func & copy instructions to ipz:
instructions lengths: 1 2 3
htons: 75031512
GlobalFindAtomA: 7C4E9F88
htons: 75031512
GlobalFindAtomA: 7C4E9F88
stealthcode: 273 bytes
restoring pagetable...
restored!
NO MORE PAGETABLES!
--------------------------------------------------------------------------------
GetTcpTableFromStack - iphlpapi.dll , hndl: 77340000
physmem: 144
SCANNING pmem (0-7F8D000), mapped on virt, for pagetables
FOUND PAGETABLE! 48A0C00 patching...
pagetable patched!
77340000 size: 1000 IsBadWritePtr: 0
77341000 size: E000 IsBadWritePtr: 0
7734F000 size: 1000 IsBadWritePtr: 0
77350000 size: 3000 IsBadWritePtr: 1
fnc addr: 773490BA IsBadWritePtr: 0
Searching block of zeroes in vmem (77340000-77353000)
found zeroes! 77340483
disasm func & copy instructions to ipz:
instructions lengths: 1 2 3
htons: 75031512
GlobalFindAtomA: 7C4E9F88
htons: 75031512
GlobalFindAtomA: 7C4E9F88
stealthcode: 273 bytes
restoring pagetable...
restored!
NO MORE PAGETABLES!
--------------------------------------------------------------------------------
SnmpExtensionQuery - inetmib1.dll , hndl: 6E2D0000
physmem: 144
SCANNING pmem (0-7F8D000), mapped on virt, for pagetables
FOUND PAGETABLE! E62800 patching...
pagetable patched!
6E2D0000 size: 1000 IsBadWritePtr: 0
6E2D1000 size: 5000 IsBadWritePtr: 0
6E2D6000 size: 1000 IsBadWritePtr: 0
6E2D7000 size: 2000 IsBadWritePtr: 0
6E2D9000 size: 2000 IsBadWritePtr: 1
fnc addr: 6E2D19D4 IsBadWritePtr: 0
Searching block of zeroes in vmem (6E2D0000-6E2DB000)
found zeroes! 6E2D0320
disasm func & copy instructions to ipz:
instructions lengths: 4 4
htons: 75031512
GlobalFindAtomA: 7C4E9F88
htons: 75031512
GlobalFindAtomA: 7C4E9F88
stealthcode: 159 bytes
restoring pagetable...
restored!
NO MORE PAGETABLES!
--------------------------------------------------------------------------------
FindNextFileW - kernel32.dll , hndl: 7C4E0000
physmem: 144
SCANNING pmem (0-7F8D000), mapped on virt, for pagetables
FOUND PAGETABLE! 77F2400 patching...
pagetable patched!
7C4E0000 size: 1000 IsBadWritePtr: 0
7C4E1000 size: 5F000 IsBadWritePtr: 0
7C540000 size: 4000 IsBadWritePtr: 0
7C544000 size: 55000 IsBadWritePtr: 1
fnc addr: 7C4ECCB3 IsBadWritePtr: 0
Searching block of zeroes in vmem (7C4E0000-7C599000)
found zeroes! 7C4E0361
disasm func & copy instructions to ipz:
instructions lengths: 1 2 2
GlobalFindAtomW: 7C4ECC0B
stealthcode: 74 bytes
restoring pagetable...
restored!
NO MORE PAGETABLES!
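Added example, not from the post or the malware: a parser that turns this c:\!apihook.txt log into a per-hook triage summary (which API of which module was hooked, where the copied prologue was placed, how many prologue bytes were taken, size of the injected stealth code) plus two checks a responder would want: that the copied instruction lengths cover a 5-byte jump, and that the "found zeroes!" cave lies in the module's first (PE header) page. The capability mapping, the function names and the log excerpt's selection are my assumptions.

```python
import re
from dataclasses import dataclass

# Excerpt of the c:\!apihook.txt log quoted in the post (two of its six blocks,
# trimmed to the lines the parser uses).
SAMPLE_LOG = """--------------------------------------------------------------------------------
Process32Next - kernel32.dll , hndl: 7C4E0000
fnc addr: 7C51CB70 IsBadWritePtr: 0
found zeroes! 7C4E0283
instructions lengths: 1 2 6
stealthcode: 199 bytes
--------------------------------------------------------------------------------
GetTcpTable - iphlpapi.dll , hndl: 77340000
fnc addr: 77346399 IsBadWritePtr: 0
found zeroes! 7734035E
instructions lengths: 1 2 3
stealthcode: 273 bytes
"""

# Assumed mapping from hooked API to the hiding capability it most plausibly serves
# (based on what each API enumerates); used only for triage labelling.
CAPABILITY = {
    "Process32Next": "process hiding (Toolhelp snapshot)",
    "NtQuerySystemInformation": "process hiding (native enumeration)",
    "GetTcpTable": "TCP connection hiding (iphlpapi)",
    "GetTcpTableFromStack": "TCP connection hiding (iphlpapi)",
    "SnmpExtensionQuery": "TCP connection hiding (SNMP MIB path)",
    "FindNextFileW": "file hiding (directory enumeration)",
}

@dataclass
class Hook:
    api: str
    module: str
    module_base: int
    func_addr: int = 0      # "fnc addr": the hooked function's entry point
    cave: int = 0           # "found zeroes!": where the copied prologue was placed
    stolen_bytes: int = 0   # sum of "instructions lengths" copied out of the prologue
    stealth_size: int = 0   # "stealthcode: N bytes"
    capability: str = "unknown"

HEADER = re.compile(r"^(\w+) - ([\w.]+) , hndl: ([0-9A-Fa-f]+)$")

def parse_apihook_log(text):
    """Return one Hook per '<api> - <module> , hndl: <base>' block in the log."""
    hooks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = Hook(m[1], m[2], int(m[3], 16), capability=CAPABILITY.get(m[1], "unknown"))
            hooks.append(cur)
        elif cur is None:
            continue
        elif line.startswith("fnc addr:"):
            cur.func_addr = int(line.split()[2], 16)
        elif line.startswith("found zeroes!"):
            cur.cave = int(line.split()[2], 16)
        elif line.startswith("instructions lengths:"):
            cur.stolen_bytes = sum(int(n) for n in line.split(":", 1)[1].split())
        elif line.startswith("stealthcode:"):
            cur.stealth_size = int(line.split()[1])
    return hooks

def covers_jmp(hook):
    """Whole instructions copied out must span at least a 5-byte x86 relative JMP."""
    return hook.stolen_bytes >= 5

def cave_in_header(hook):
    """True if the cave sits in the module's first page, i.e. in PE header slack."""
    return 0 <= hook.cave - hook.module_base < 0x1000
```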