This post was last edited by lifan88 on 2019-10-4 21:42
Requesting sticky. Modified test conditions: after loading the driver, you have to manually place the driver into the drivers directory, and check whether the registry entry points to the file you now have!
Test environment: VM, WIN8.1-X64 Professional
Test result: no obvious activity inside the VM; after a reboot it no longer loads; it needs support from the parent dropper, or it is anti-VM ----- once placed manually under drivers, under these test conditions it almost perfectly fools PCH, except that it can't get past the kernel hijack entries..

Keyword explanations:
SYS_regsrv: register service
REG_openkey: open registry key
REG_getval: read registry value
FILE_open: open file
FILE_touch: create file
FILE_truncate: truncate file
FILE_write: write file
SYS_load_kmod: load kernel module
NET_connect: network connection
NET_send: send packet
NET_http: HTTP request
REG_mkkey: create registry key
REG_setval: set registry value
Actions after the driver is loaded:
14:10:44:950, 加驱用.exe, 1072:4004, 1072, SYS_regsrv, C:\Users\j8qq_000\Desktop\wycmzbrk(2019-10-4).sys, access:0x000F01FF type:0x00000001 start_type:0x00000003 srvname:'wycmzbrk(2019-10-4)_Service' , 0x00000000 [操作成功完成。 ],
14:10:57:372, services.exe, 560:2280, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:372, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:372, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:372, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\ImagePath, type:0x00000002 datalen:108 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:372, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Type, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:372, System, 4:160, 0, FILE_open, C:\Users\j8qq_000\Desktop\wycmzbrk(2019-10-4).sys, access:0x00000020 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
14:10:57:482, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\wycmzbrk(2019-10-4).sys, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:482, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Compatibility\Driver\wycmzbrk(2019-10-4).sys, access:0x00020019 , 0xC0000034 [系统找不到指定的文件。 ],
14:10:57:482, System, 4:160, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
14:10:57:482, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\ImagePath, type:0x00000002 datalen:108 data:'5C 00 3F 00 3F 00 5C 00 43 00 3A 00 5C 00 55 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:482, System, 4:160, 0, FILE_open, C:\Windows\apppatch\drvmain.sdb, access:0x00120089 alloc_size:0 attrib:0x00000000 share_access:0x00000005 disposition:0x00000001 options:0x00000000 , 0x00000000 [操作成功完成。 ],
14:10:57:966, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:966, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Start, type:0x00000004 datalen:4 data:'03 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:966, System, 4:160, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service, access:0x00020006 , 0x00000000 [操作成功完成。 ],
14:10:57:966, System, 4:160, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:966, System, 4:160, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service, access:0x00020006 , 0x00000000 [操作成功完成。 ],
14:10:57:966, System, 4:160, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Group, type:0x00000001 datalen:40 data:'53 79 73 74 65 6D 20 42 75 73 20 45 78 74 65 6E ' , 0x00000000 [操作成功完成。 ],
14:10:57:966, System, 4:160, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service, access:0x00020006 , 0x00000000 [操作成功完成。 ],
14:10:57:966, System, 4:160, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\ImagePath, type:0x00000002 datalen:98 data:'53 79 73 74 65 6D 33 32 5C 44 72 69 76 65 72 73 ' , 0x00000000 [操作成功完成。 ],
14:10:57:966, System, 4:160, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service, access:0x00020006 , 0x00000000 [操作成功完成。 ],
14:10:57:966, System, 4:160, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\DisplayName, type:0x00000001 datalen:58 data:'50 6F 77 65 72 20 45 6E 67 69 6E 65 20 50 6C 75 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Disk, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Disk, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\disk\CRTULTI, type:0x00000004 datalen:4 data:'BB 04 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Disk, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Disk, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Disk, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Disk, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\disk\CRTNVDT, type:0x00000003 datalen:4096 data:'B6 9B 2C A6 EA 16 BB A3 58 71 75 87 92 F1 15 6E ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances, access:0x000F003F , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\DefaultInstance, type:0x00000001 datalen:18 data:'4D 46 53 79 73 47 72 70 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp, access:0x000F003F , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\Altitude, type:0x00000001 datalen:12 data:'34 30 30 30 31 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\Flags, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\DEFAULTINSTANCE, type:0x00000001 datalen:18 data:'4D 00 46 00 53 00 79 00 73 00 47 00 72 00 70 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\ALTITUDE, type:0x00000001 datalen:12 data:'34 00 30 00 30 00 30 00 31 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\FLAGS, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\ALTITUDE, type:0x00000001 datalen:12 data:'34 00 30 00 30 00 30 00 31 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\FLAGS, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\ALTITUDE, type:0x00000001 datalen:12 data:'34 00 30 00 30 00 30 00 31 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\FLAGS, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\ALTITUDE, type:0x00000001 datalen:12 data:'34 00 30 00 30 00 30 00 31 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:2872, 0, FILE_open, C:\Windows\System32\drivers\Classpnp.sys, access:0x00120089 alloc_size:0 attrib:0x00000080 share_access:0x00000001 disposition:0x00000001 options:0x00000060 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\FLAGS, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\ALTITUDE, type:0x00000001 datalen:12 data:'34 00 30 00 30 00 30 00 31 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\FLAGS, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\ALTITUDE, type:0x00000001 datalen:12 data:'34 00 30 00 30 00 30 00 31 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\INSTANCES, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\FLAGS, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, System, 4:160, 0, REG_getval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service\Instances\MFSysGrp\ALTITUDE, type:0x00000001 datalen:12 data:'34 00 30 00 30 00 30 00 31 00 00 00 ' , 0x00000000 [操作成功完成。 ],
14:10:57:982, services.exe, 560:2280, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wycmzbrk(2019-10-4)_Service, access:0x00020019 , 0x00000000 [操作成功完成。 ],
14:10:57:982, 加驱用.exe, 1072:4004, 1072, SYS_load_kmod, C:\Users\j8qq_000\Desktop\wycmzbrk(2019-10-4).sys, , 0x00000000 [操作成功完成。 ],
Unusual System operations that appeared:
14:11:57:982, System, 4:2872, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Disk, access:0x00020006 , 0x00000104 [因为文件名产生符号链接,所以需由对象管理器重新运行分析操作。 ],
14:11:57:982, System, 4:2872, 0, REG_mkkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\Disk, access:0x00020006 , 0x00000000 [操作成功完成。 ],
14:11:57:982, System, 4:2872, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\disk\CRTNVDT, type:0x00000003 datalen:4096 data:'66 AD 78 49 E9 87 58 7E D1 AC F4 FB A3 26 34 13 ' , 0x00000000 [操作成功完成。 ],
PCH check results:
Under these test conditions: no protection, kernel threads x2, callbacks x4, miniport filters x3, kernel hooks x8, no sign of network activity
It may be some kind of hook, it may have other uses as well; only the experts can tell by reversing it...
PS: after loading, it opened the driver you mentioned, Classpnp.sys. That driver should be a stock one, but I don't know why it opens it, nor what the dumped thing is, 8.9M in size, and the dump gets flagged by AV! Below is the explanation of why it opens classpnp.sys!
Infection symptoms (it almost perfectly BYPASSES PCH; this thing looks like a memory ROOTKIT):
1) Registry deception: what R3 and PCH see are completely different; in R3 the registry contents copy classpnp.sys entirely, while in PCH you can see that only the description copies classpnp.sys
2) Startup deception: the driver is actually loaded, yet PCH shows it as not loaded... and this setting seems to be redirected to the real classpnp.sys..
3) Self-forgery
However, manually inspecting in gmer can still reveal the problem...
4) A fake miniport, kernel callbacks and kernel hooks mixed together
If PCH doesn't get an update soon, it's going to hurt
A first attempt at manually killing it with PCH (keeping the file) failed; TDSSKILLER can kill it
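As an added example (not from the original post), a small Python checker that parses lines in the layout of the monitor log quoted above and flags the three behaviours the post points out: the kernel (PID 4) rewriting the driver's own service key (Start/ImagePath/Group/DisplayName) while it loads, a minifilter instance Altitude being registered at load time, and a REG_BINARY blob being written under the Disk class driver's service key. The log lines inside it are constructed in the same layout with a placeholder service name.

```python
import re

# Line layout assumed from the monitor output quoted in the post:
# time, image, pid:tid, parent, OP, target, details , status [message ],
LINE_RE = re.compile(
    r"^(?P<time>[\d:]+), (?P<image>[^,]+), (?P<pid>\d+):(?P<tid>\d+), \d+, "
    r"(?P<op>\w+), (?P<target>[^,]*), (?P<details>.*?) ?, (?P<status>0x[0-9A-Fa-f]{8}) \[.*\],?$"
)

# Constructed sample lines (placeholder service name, not the post's own log).
SAMPLE = [
    r"14:10:57:966, System, 4:160, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EXAMPLE_Service\Start, type:0x00000004 datalen:4 data:'01 00 00 00 ' , 0x00000000 [ok ],",
    r"14:10:57:966, System, 4:160, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EXAMPLE_Service\ImagePath, type:0x00000002 datalen:98 data:'53 79 73 74 65 6D 33 32 5C 44 72 69 76 65 72 73 ' , 0x00000000 [ok ],",
    r"14:10:57:982, System, 4:160, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EXAMPLE_Service\Instances\MFSysGrp\Altitude, type:0x00000001 datalen:12 data:'34 30 30 30 31 00 ' , 0x00000000 [ok ],",
    r"14:10:57:982, System, 4:160, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EXAMPLE_Service\Instances\MFSysGrp\Flags, type:0x00000004 datalen:4 data:'00 00 00 00 ' , 0x00000000 [ok ],",
    r"14:11:57:982, System, 4:2872, 0, REG_setval, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\disk\CRTNVDT, type:0x00000003 datalen:4096 data:'66 AD 78 49 ' , 0x00000000 [ok ],",
    r"14:10:57:982, services.exe, 560:2280, 0, REG_openkey, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EXAMPLE_Service, access:0x00020019 , 0x00000000 [ok ],",
]

def parse(line):
    """Split one monitor line into its fields; None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

# Values a driver normally receives from its installer, not rewrites itself at load time.
SELF_KEYS = {"start", "imagepath", "group", "displayname"}

def findings(lines):
    """Registry writes by the kernel (PID 4) that a freshly loaded driver should not need to make."""
    out = []
    for line in lines:
        ev = parse(line)
        if not ev or ev["pid"] != "4" or ev["op"] != "REG_setval":
            continue
        target = ev["target"]
        path, _, leaf = target.lower().rpartition("\\")
        if path.endswith("\\services\\disk") and "type:0x00000003" in ev["details"]:
            out.append(("foreign-service-binary-blob", target))  # blob planted under the Disk driver's key
        elif leaf in SELF_KEYS and "\\instances\\" not in path:
            out.append(("self-rewrite-service-key", target))  # driver rewriting its own service entry
        elif leaf == "altitude" and "\\instances\\" in path:
            out.append(("runtime-minifilter-altitude", target))  # minifilter instance registered at load
    return out

if __name__ == "__main__":
    for rule, target in findings(SAMPLE):
        print(rule, target)
```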