编程查杀ttdianying流氓软件
注:本文于07/1月于黑客防线发表版权归黑客防线所有,转载请注明出处
编程查杀ttdianying流氓软件
文/图 冷风[后方网络][东南网安]
最近机房重了一种弹出网页式的流氓软件,毛病倒是不大,只是很讨人厌,每隔几分种就会弹出一次
游戏也玩不安心。如图1示。
用杀毒软件,360安全卫士,超级免子都也查不出个所以然来,上GOOGLE搜索也是哀声一片,并无清除
方法,所以只能自己动手解决了
找出真凶
这类软件一般都是自启动的,就从注册表开始,打开注册表定位到
HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
里面有一个名为svchost的项指向路径C:/WINNT/System32/drivers/svchost.exe
有点古怪,首先系统不需要在这里启动svchost服务,再者svchost.exe也不应该出现在
C:/WINNT/System32/drivers目录里,而雅虎助手也频频提示svchost.exe试图更改IE启动页面
把svchost.exe复制出来好好研究研究
分析程序
为了大体了解此恶意软件的动作,就用SSS跟一下。发现此程序只是更改注册表就运行了程序,
并无线程注入,加载驱动
等其它动作,因此清除起来也方便的多,可按以如下思路清除,首先结束进程,然后删除文件
最后清理注册表,就可以清除此软件了。
因为机房近百台机器,如果一台一台恢复,等我恢复完了怕我也得跟着一块挂掉了,所以写个专杀工 具更轻松。
编写程序
通常我们需要通过枚举系统进程来查找流氓软件。流氓软件的进程名为svchost.exe而系统中有好多 svchost.exe进程,那么跟据进程名判断是行不通了,不过可以在枚举进程时列出程序路径,
跟据路径定位流氓软件,程序运行效果如图2示。
以下代码在VC6.0+WIN2000 WINXP下通过。
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedBlockStart.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ContractedBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedSubBlockStart.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ContractedSubBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedSubBlockStart.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ContractedSubBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedSubBlockEnd.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedSubBlockEnd.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedSubBlockStart.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ContractedSubBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedSubBlockEnd.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedBlockEnd.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedBlockStart.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ContractedBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedSubBlockStart.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ContractedSubBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedSubBlockEnd.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedBlockEnd.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/None.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedBlockStart.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ContractedBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedSubBlockStart.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ContractedSubBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/InBlock.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedSubBlockEnd.gif)
![](http://images.csdn.net/syntaxhighlighting/OutliningIndicators/ExpandedBlockEnd.gif)
好了,如果以后碰到类似的问题,只要把上面的代码稍加修改,你也可以做出自己的专杀工具啦
代码参考了 如何在NT下获取进程的路径一文谢谢原作者
编程查杀ttdianying流氓软件相关推荐
- 苹果电脑删除软件_5款Mac查杀恶意流氓软件,防护你的MacOS电脑,随时清理优化更加安全!...
苹果电脑需要杀毒吗?MacOS被认为是最安全的操作系统之一.但是随着受欢迎程度的提高,他们越来越受到黑客和恶意软件的攻击.macz为您推荐5款Mac查杀恶意流氓软件,防护你的MacOS电脑,随时清理优 ...
- 病毒木马查杀实战第019篇:病毒特征码查杀之编程实现
前言 上次我们已经简介过了病毒特征码提取的基本方法,那么这次我们就通过编程来实现对于病毒的特征码查杀. 定义特征码存储结构 为了简单起见.这次我们使用的是setup.exe以及unpacked.exe ...
- 最近流行的病毒(杀毒软件无法查杀)
c:/WINDOWS/system32/drivers 下:(最近的病毒都喜欢冒充硬件驱动,很难查杀) dm.sys nmprt.sys SCatch.sys 148953.sys 128640.sy ...
- 奇虎360安全卫士推出木马程序查杀功能
奇虎360安全卫士推出木马程序查杀功能[@more@]6月15日,奇虎公司对外宣布,旗下所属的国内最大安全辅助类软件360安全卫士推出木马程序查杀功能.据悉,这是国内首款免费.专业的木马查杀功能,是3 ...
- 360安全卫士的云查杀原理介绍[转]
我有两个感觉:第一个是关于杀毒软件,一个已经做20年的行业,它的核心技术可以说是一直基于收集病毒样本,采集病毒特征,组成病毒库,在每个用户的机器上按图索骥,像通缉令查坏人一样去查杀病毒.现在木马起来之 ...
- linux服务器查杀,Linux服务器PHP后门查杀
shell脚本一句话查找PHP一句话木马 # find ./ -name "*.php" |xargs egrep "phpspy|c99sh|milw0rm|eval( ...
- 卡巴斯基回应查杀瑞星卡卡:一切为用户
2007年5月19日上午,卡巴斯基公司接到瑞星公司来电,称卡巴斯基反病毒软件将瑞星卡卡当作病毒"查杀",要求卡巴斯基解决这一问题.卡巴斯基公司当即表示,卡巴斯基将在保障用户安全的前 ...
- 手工查杀病毒常见文件型分析总结
很久没写点自己的东西了,今天更新点这么久来积累的一点关于病毒查杀方面的东西,希望对大家日后遇到常见病毒,各种顽固病毒都能有应对的策略. 希望我的这些经验能对大家以后查杀病毒有所帮助,不足之处请高手指点 ...
- 病毒木马查杀实战第020篇:Ring3层主动防御之基本原理
前言 如果说我们的计算机中安装有杀毒软件,那么当我们有意或无意地下载了一个恶意程序后,杀软一般都会弹出一个对话框提示我们,下载的程序很可能是恶意程序,建议删除之类的,或者杀软就不提示,直接删除了:或者 ...
最新文章
- Java 二分法查找
- LocationDemo has leaked ServiceConnection 异常并且无法定位的时候
- 打一场AI竞赛,让你知道我的厉害
- PC2日记——坑爹的第一天2014/08/28
- android面试题总结加强
- Greenplum添加mirror步骤
- 21个营销机构网站设计案例
- EntityFramework Core 3.x添加查询提示(NOLOCK)
- android studio : clang++.exe: error: invalid linker name in argument '-fuse-ld=bfd
- 声乐学习----关于发声的个人解读
- Hello工作室制作《无人深空》更新档
- 数字滤波算法——中值滤波
- Domain Adaptation 论文笔记
- 【React】unmountComponentAtNode卸载组件
- java 数据库 事务 只读_Spring 事务 readOnly 到底是怎么回事?
- GNU GRUB 2.02系统启动项管理设置
- mysql修改游戏,第十二讲 战神引擎游戏列表和公告修改
- 2012年中国各省市区GDP排行榜 附各主要城市GDP排行榜
- 转 Java知识——精华总结
- php表格合并_phpword 合并单元格的坑