Views: 1712 | Replies: 17

[Suspicious file] Suspected RootKit SYS (?)

wwwab
Posted 2022-5-7 11:06:24

(attachment: sample, login required to download)
anthonyqian
Posted 2022-5-7 11:25:42
ESSP missed
多变的风向
Posted 2022-5-7 11:26:26
FS MISS
11111111111445
Posted 2022-5-7 11:30:53
Last edited by 11111111111445 on 2022-5-7 11:32

360 kills, Antiy misses

(attachment: screenshot, login required to download)
wjy19800315
Posted 2022-5-7 11:58:28
Kaspersky misses

(attachment: screenshot, login required to download)
tdsskiller
Posted 2022-5-7 12:42:51
Last edited by tdsskiller on 2022-5-7 12:48

No need for "suspected" any more... but I don't know why it is gone after a reboot.
[ANSI] 0x0002078a: E:\VS_Project\QW\QC\CryptConfig.c
[ANSI] 0x000207e6: E:\VS_Project\QW\QC\CryptDes.c
[ANSI] 0x00020810: E:\VS_Project\QW\QC\CryptMd5.c
[ANSI] 0x00020830: E:\VS_Project\QW\QC\DoFunc.c
[ANSI] 0x00020856: test kfthread spy
[ANSI] 0x00020872: kfprocess
[ANSI] 0x000209fa: E:\VS_Project\QW\QC\ForceDelFile.c
[ANSI] 0x00020a3a: E:\VS_Project\QW\QC\GuardModule.c
[ANSI] 0x00020ac2: E:\VS_Project\QW\QC\GuardProcess.c
[ANSI] 0x00020bb8: TransportAddress
[ANSI] 0x00020bd2: ConnectionContext
[ANSI] 0x00020c08: E:\VS_Project\QW\QC\Matcher.c


[UNICODE] 0x00020890: Exit Driver In %d MillSeconds
[UNICODE] 0x000208d0: PsSetCreateProcessNotifyRoutine
[UNICODE] 0x00020910: PsSetLoadImageNotifyRoutine
[UNICODE] 0x00020950: PsSetLoadImageNotifyRoutineEx
[UNICODE] 0x00020990: PsSetCreateThreadNotifyRoutine
[UNICODE] 0x000209d0: CmUnRegisterCallback
[UNICODE] 0x00020a30: \??\
[UNICODE] 0x00020a70: ModuleInfo PE File %ws may be Broken!
[UNICODE] 0x00020b00: system
[UNICODE] 0x00020b10: wininit.exe
[UNICODE] 0x00020b30: winlogon.exe
[UNICODE] 0x00020b50: %d/%d/%ws/%ws/%d/%x/%ws
[UNICODE] 0x00020b80: \Device\Tcp
[UNICODE] 0x00020ba0: \Device\Udp
[UNICODE] 0x00020c30: CMD Add Rule Input Error!
[UNICODE] 0x00020c70: AddRule %d bytes Use Tick %d
[UNICODE] 0x00020cb0: ForceDelFIle %S
[UNICODE] 0x00020cd0: SimpleInjectDll Too Small CommInjParam
[UNICODE] 0x00020d20: SimpleInjectDll Pid:%d Path:%ws
[UNICODE] 0x00020d60: KillThread Tid:%d Status:%x
[UNICODE] 0x00020df0: tag,
[UNICODE] 0x00020e10: %wZ/%d/0/%d
[UNICODE] 0x00020e30: *\$RECYCLE.BIN\*
[UNICODE] 0x00020e80: 320077
[UNICODE] 0x00020e90: FackWdm Failed ! Return!
[UNICODE] 0x00020ed0: File Protect Loaded!
[UNICODE] 0x00020f20: unlock
[UNICODE] 0x00020f30: ac_owner_exit Driver Unload!!!
[UNICODE] 0x00020f70: Run Process %S
[UNICODE] 0x00020f90: Hide Process Pid %d
[UNICODE] 0x00020fc0: unlockfile/%wZ
[UNICODE] 0x00020fe0: delete
[UNICODE] 0x00020ff0: unlockfile/delete %wZ
[UNICODE] 0x00021020: rename,
[UNICODE] 0x00021030: unlockfile/rename %ws to %ws
[UNICODE] 0x000210b0: pci.sys
[UNICODE] 0x000210d0: Mod_Job Start!
[UNICODE] 0x000210f0: Mod_Job Exit!
[UNICODE] 0x00021130: \SystemRoot\%ws%d.txt
[UNICODE] 0x00021160: %ws%d.txt
[UNICODE] 0x000211b0: %ws|%ws|%ws|%d|%ws|%ws
[UNICODE] 0x000211f0: \??\%wZ
[UNICODE] 0x00021210: .exe
[UNICODE] 0x00021220: %ws/%d/%x/%ws
[UNICODE] 0x00021270: %ws/%d/%x
[UNICODE] 0x000212b0: 320031
[UNICODE] 0x000212c0: Mod_Ob Loaded %x!
[UNICODE] 0x00021320: 320022
[UNICODE] 0x00021330: Reg Protect Start!
[UNICODE] 0x00021360: Reg Protect Register Callback Error %016x
[UNICODE] 0x00021420: %ws/%d.%d.%d.%d/%d/%d.%d.%d.%d/%d
[UNICODE] 0x000214c0: deny,kill
[UNICODE] 0x000214e0: delay,
[UNICODE] 0x000214f0: Inject/%ws/%d/%x/%ws
[UNICODE] 0x00021550: path
[UNICODE] 0x00021560: cmdline
[UNICODE] 0x00021570: calc
[UNICODE] 0x00021580: fsize
[UNICODE] 0x00021590: timestamp
[UNICODE] 0x000215b0: global
[UNICODE] 0x00021680: Parse Parent [%wZ][%d]
[UNICODE] 0x000216b0: Parse Parent Error [%wZ][%d]
[UNICODE] 0x00021760: file_unlock
[UNICODE] 0x00021780: cb_check
[UNICODE] 0x000217a0: thread
[UNICODE] 0x000217d0: file_new
[UNICODE] 0x000217f0: file_open
[UNICODE] 0x00021810: file_read
[UNICODE] 0x00021830: file_write
[UNICODE] 0x00021850: file_del
[UNICODE] 0x00021870: file_query
[UNICODE] 0x00021890: file_cname
[UNICODE] 0x000218b0: reg_new
[UNICODE] 0x000218c0: reg_open
[UNICODE] 0x000218e0: reg_read
[UNICODE] 0x00021900: reg_write
[UNICODE] 0x00021930: msghook
[UNICODE] 0x00021940: rthread
[UNICODE] 0x00021950: net_con
[UNICODE] 0x00021960: net_data
[UNICODE] 0x00021980: net_http
[UNICODE] 0x000219a0: net_dns
[UNICODE] 0x000219b0: deny
[UNICODE] 0x000219c0: allow
[UNICODE] 0x000219d0: report
[UNICODE] 0x000219e0: report,
[UNICODE] 0x000219f0: file_hide
[UNICODE] 0x00021a10: file_readonly
[UNICODE] 0x00021a30: file_delete
[UNICODE] 0x00021a50: &&deny
[UNICODE] 0x00021a60: action
[UNICODE] 0x00021a70: interval
[UNICODE] 0x00021a90: times
[UNICODE] 0x00021aa0: Inject_Exist/%ws/%d/%x/%d/%u/%ws
[UNICODE] 0x00021af0: 初始化父进程链表 phrase2 完成 (= "parent-process list init phase2 done")
[UNICODE] 0x00021b20: Done ParseRule_CallBack %d
[UNICODE] 0x00021b60: Add Rule %s
[UNICODE] 0x00021b80: Done ParseRule
[UNICODE] 0x00021ba0: offset
[UNICODE] 0x00021bb0: modpath
[UNICODE] 0x00021bd0: ishide
[UNICODE] 0x00021be0: cmdlines
[UNICODE] 0x00021c00: dllpath
[UNICODE] 0x00021c10: number
[UNICODE] 0x00021c20: mapname
[UNICODE] 0x00021c30: keyname
[UNICODE] 0x00021c40: type
[UNICODE] 0x00021c50: process
[UNICODE] 0x00021c60: image
[UNICODE] 0x00021c80: protocol
[UNICODE] 0x00021ca0: srcaddress
[UNICODE] 0x00021cc0: srcport
[UNICODE] 0x00021cd0: dstaddress
[UNICODE] 0x00021cf0: dstport
[UNICODE] 0x00021d20: time
[UNICODE] 0x00021d30: 0:00-23:59
[UNICODE] 0x00021d50: percent
[UNICODE] 0x00021dd0: search
[UNICODE] 0x00021e00: ntdll.dll
[UNICODE] 0x00021e30: Pid:%d Get LdrLoadDll Function Address Failed!
[UNICODE] 0x00021e90: InjDll Pid:%d AllocMemory Failed With %x
[UNICODE] 0x00021ef0: InjDll Pid:%d CreateUserThread Failed With %x
[UNICODE] 0x00021f50: InjDll Pid:%d %ws Success!
[UNICODE] 0x00021f90: InjProcess Failed At Pid:%d
[UNICODE] 0x00021fd0: Pid:%d Get LdrLoadDllMem Function Address Failed!
[UNICODE] 0x00022040: InjDllMem Pid:%d AllocMemory Failed With %x
[UNICODE] 0x000220a0: InjDllMem Pid:%d CreateUserThread Failed With %x
[UNICODE] 0x00022110: InjDllMem Pid:%d %ws Success!
[UNICODE] 0x00022150: %ws,
[UNICODE] 0x000221a0: \SystemRoot
[UNICODE] 0x000221c0: \??\A:\Windows
[UNICODE] 0x000221e0: %02d.%02d.%02d.%03d
[UNICODE] 0x00022220: NtOpenFile
[UNICODE] 0x00022240: PsTerminateSystemThread
[UNICODE] 0x00022270: Instances
[UNICODE] 0x00022290: DefaultInstance
[UNICODE] 0x000222b0: Altitude
[UNICODE] 0x000222d0: 270030
[UNICODE] 0x000222e0: Flags
[UNICODE] 0x00022320: ZwQueryDirectoryObject
[UNICODE] 0x00022350: SymbolicLink
[UNICODE] 0x00022370: \SystemRoot\
[UNICODE] 0x00022390: \??\C:\Windows\
[UNICODE] 0x000223b0: \DosDevices\
[UNICODE] 0x00022400: \SystemRoot\system32\ntdll.dll
[UNICODE] 0x000224f0: Driver Unload!!!
[UNICODE] 0x00022520: \Device\%ws
[UNICODE] 0x00022540: \DosDevices\%ws
[UNICODE] 0x00022560: ImagePath
[UNICODE] 0x00022580: param
[UNICODE] 0x000225a0: file
[UNICODE] 0x000225b0: dbgview
[UNICODE] 0x000225f0: protect
[UNICODE] 0x00022600: logSwitch
[UNICODE] 0x00022620: keep
[UNICODE] 0x00022630: dbgs
[UNICODE] 0x00022640: InitEnvThread Start!
[UNICODE] 0x0002268c: 停止初始化! (= "stop initialization!")
[UNICODE] 0x000226a0: Win32k Inition ntdll.dll Completed!
[UNICODE] 0x000226f0: kernel32.dll
[UNICODE] 0x00022720: Win32k Inition kernel32.dll Completed!
[UNICODE] 0x00022770: Get Ssdt Base Info Failed!
[UNICODE] 0x00022860: 获取CreateProcessA||ZwTerminateThread||ZwSuspendThread||ZwSuspendProcess||PspExitThread||PspTerminateThreadBP失败! (= "Get CreateProcessA||ZwTerminateThread||ZwSuspendThread||ZwSuspendProcess||PspExitThread||PspTerminateThreadBP failed!")
[UNICODE] 0x00022940: ProcessNotifyEntry:%llx ImageNotifyEntry:%llx ThreadNotifyEntry:%llx RegNotifyEntry:%llx
[UNICODE] 0x00022a00: Invalid NotifyNumber %d
[UNICODE] 0x00022a30: 初始化函数成功! (= "init function succeeded!")
[UNICODE] 0x00022a50: \BaseNamedObjects\A917D4B9A44610752AE34195
[UNICODE] 0x00022ab0: FILEVERSION 1.0.0.79
[UNICODE] 0x00022ae0: 2021.06.11 17:27 (75.20.0)
[UNICODE] 0x00022b20: Ver:%d Param:%ws Time:%ws, %ws  Start To Loading!
[UNICODE] 0x00022b90: Support 10586 14393 16299 17134 17763 18362 18363 19041 19042 19043
[UNICODE] 0x00022c20: Kernel Version %d Not Support!
[UNICODE] 0x00022c60: 初始化父进程链表 phrase1 完成 (= "parent-process list init phase1 done")
[UNICODE] 0x00022c90: Driver Load Use %d ms!
[UNICODE] 0x00022ce0: rerun
[UNICODE] 0x00022cf0: run,%wZ
[UNICODE] 0x00022d90: \Device\tdifw
[UNICODE] 0x00022db0: \??\tdifw
[UNICODE] 0x00022dd0: \Device\tdifw_nfo
[UNICODE] 0x00022e00: \??\tdifw_nfo
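String dumps of MSVC-built drivers commonly show the [ANSI] entries prefixed with 烫烫烫: the compiler pads between functions and data with 0xCC (int3), and a strings tool that decodes the bytes as GBK renders each 0xCC 0xCC pair as U+70EB 烫. Restricting the ANSI pass to printable ASCII makes the padding disappear, a separate UTF-16LE pass recovers the driver's English and Chinese log strings, and the recovered names map directly onto capabilities (notify-routine registration, minifilter Altitude, TDI \Device\Tcp and \Device\Udp, LdrLoadDll injection, process and file hiding). The script below is an added example and is not the poster's tool or anything taken from the driver; SAMPLE is a constructed byte blob that imitates the dump above, the needle lists are copied from the dump, and the category names are this example's own.

```python
"""Extract ANSI and UTF-16LE strings from a driver image and tag capabilities.

Added example for the dump above; it is not the poster's tool.  SAMPLE is a
constructed byte blob that mimics that dump, not bytes from the real file.
"""
import array
import re
import sys

MIN_LEN = 4

# MSVC fills gaps between functions/data with 0xCC (int3).  A strings tool
# that decodes the section as GBK shows each 0xCC 0xCC pair as U+70EB (烫).
# Limiting the ANSI pass to printable ASCII drops that padding automatically.
SOURCE_PATH = re.compile(r"^[A-Za-z]:\\.+\.(?:c|cpp|h)$")

# Needles copied from the dump; the category names are this example's own.
INDICATORS = {
    "kernel notify/registry callbacks": [
        "PsSetCreateProcessNotifyRoutine", "PsSetLoadImageNotifyRoutine",
        "PsSetLoadImageNotifyRoutineEx", "PsSetCreateThreadNotifyRoutine",
        "CmUnRegisterCallback",
    ],
    "minifilter registration": ["Altitude", "DefaultInstance", "Instances"],
    "TDI network filter": ["\\Device\\Tcp", "\\Device\\Udp", "\\Device\\tdifw",
                           "TransportAddress", "ConnectionContext"],
    "user-mode DLL injection": ["LdrLoadDll", "InjDll", "CreateUserThread"],
    "process/file hiding and deletion": ["Hide Process Pid", "file_hide",
                                        "ForceDelFIle", "unlockfile/delete"],
}


def ansi_strings(blob: bytes, min_len: int = MIN_LEN) -> list[tuple[int, str]]:
    """(offset, text) for every run of >= min_len printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(blob)]


def _code_units(blob: bytes) -> array.array:
    """Little-endian 16-bit code units; assumes strings start at even offsets
    (every [UNICODE] offset in the dump above is even)."""
    units = array.array("H")
    units.frombytes(blob[: len(blob) & ~1])
    if sys.byteorder == "big":
        units.byteswap()
    return units


def _printable_unit(u: int) -> bool:
    # Printable ASCII or CJK Unified Ideographs, so the driver's Chinese
    # log strings (初始化..., 停止初始化!) are recovered as well.
    return 0x20 <= u <= 0x7E or 0x4E00 <= u <= 0x9FFF


def utf16_strings(blob: bytes, min_len: int = MIN_LEN) -> list[tuple[int, str]]:
    """(offset, text) for UTF-16LE runs.  ANSI runs are blanked first: two
    adjacent ASCII bytes form a code unit in the CJK range, so an unmasked
    pass would report bogus "Chinese" text for every ANSI string."""
    masked = bytearray(blob)
    for off, s in ansi_strings(blob, min_len):
        masked[off:off + len(s)] = bytes(len(s))
    units = _code_units(bytes(masked))
    out, start = [], None
    for i, u in enumerate(units):
        if _printable_unit(u):
            start = i if start is None else start
            continue
        if start is not None and i - start >= min_len:
            out.append((start * 2, "".join(map(chr, units[start:i]))))
        start = None
    if start is not None and len(units) - start >= min_len:
        out.append((start * 2, "".join(map(chr, units[start:]))))
    return out


def triage(blob: bytes) -> dict[str, list[str]]:
    """Map each capability category to the indicator strings actually present."""
    texts = [s for _, s in ansi_strings(blob)] + [s for _, s in utf16_strings(blob)]
    hits = {"source paths": sorted(s for s in texts if SOURCE_PATH.match(s))}
    for cat, needles in INDICATORS.items():
        hits[cat] = sorted(n for n in needles if any(n in t for t in texts))
    return {cat: found for cat, found in hits.items() if found}


# Constructed blob imitating the dump: 0xCC padding, two ANSI strings, then
# UTF-16LE strings (one Chinese).  Not bytes from the real sample.
SAMPLE = (
    b"\xcc" * 6 + b"E:\\VS_Project\\QW\\QC\\CryptConfig.c\x00"
    + b"\xcc" * 10 + b"test kfthread spy\x00" + b"\xcc" * 4
    + "".join(s + "\x00" for s in (
        "PsSetCreateProcessNotifyRoutine", "\\Device\\Tcp",
        "Hide Process Pid %d", "初始化父进程链表 phrase2 完成", "Altitude",
    )).encode("utf-16-le")
)

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, s in ansi_strings(blob):
        print(f"[ANSI]    0x{off:08x}: {s}")
    for off, s in utf16_strings(blob):
        print(f"[UNICODE] 0x{off:08x}: {s}")
    for cat, found in triage(blob).items():
        print(f"{cat}: {', '.join(found)}")
```

Run it with the path of the .sys as the only argument to get the same kind of listing as above, minus the 烫 prefixes, followed by the capability summary. The masking step is the only non-obvious part: without it, "E:\VS_Project..." would also come back as a run of bogus ideographs from the UTF-16 pass, which is the mirror image of the 烫 problem.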
aboringman
Posted 2022-5-7 12:52:15
Norton: WS.Reputation.1 (Download Insight)
比卡诺微
Posted 2022-5-7 13:07:50
EIS: no reaction.
lvzhiwei
Posted 2022-5-7 14:55:50
SecureAPlus kills it automatically on extraction

(attachment: screenshot, login required to download)
zpy0206
Posted 2022-5-7 15:03:36
Huorong MISS
Copyright © KaFan  KaFan.cn All Rights Reserved.
Powered by Discuz! X3.4 (沪ICP备2020031077号-2), GMT+8, 2025-5-6 15:17