Thread starter: snjj1118

[Discussion] Please help test these

星之梦
Posted 2009-1-8 11:27:26

victim.exe

2009.01.08 11:15:43 victim.exe ISOLATE on start from explorer.exe
2009.01.08 11:17:08 victim.exe ISOLATE on start from explorer.exe
2009.01.08 11:17:18 victim.exe READONLY access to HKLM\SOFTWARE\Microsoft\DownloadManager (Registry)
2009.01.08 11:18:39 victim.exe DENY C0AC message to mmc.exe (Process)
2009.01.08 11:18:43 victim.exe DENY C0AE message to explorer.exe (Process)
2009.01.08 11:18:43 victim.exe DENY C0AE message to ctfmon.exe (Process)
Log Scope: Last 7 Days
Date/Time | Application | Action | Protocol | Source IP | Source Port | Destination IP | Destination Port
2009-1-8 11:18:08 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Blocked | UDP | [MyComputerIP] | 1051 | [OPENDNS] | 53
2009-1-8 11:18:09 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Blocked | UDP | [MyComputerIP] | 1051 | [OPENDNS] | 53
2009-1-8 11:18:13 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Blocked | UDP | [MyComputerIP] | 1051 | [OPENDNS] | 53
End of The Report

Log Scope: All The Times
Date/Time | Application | Action | Target
2009-1-8 11:17:14 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify File | C:\Documents and Settings\Owner\桌面\test\victim.exe
2009-1-8 11:17:18 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify File | C:\Documents and Settings\Owner\桌面\test\victim.exe
2009-1-8 11:17:22 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
2009-1-8 11:17:24 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
2009-1-8 11:17:25 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify File | C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
2009-1-8 11:17:27 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify File | C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
2009-1-8 11:17:29 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
2009-1-8 11:17:31 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit
2009-1-8 11:17:33 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify File | C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
2009-1-8 11:17:35 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Access COM Interface | \RPC Control\ntsvcs
2009-1-8 11:17:37 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify File | \Device\NamedPipe\lsarpc
2009-1-8 11:17:40 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
2009-1-8 11:17:42 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
2009-1-8 11:17:45 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
2009-1-8 11:17:47 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
2009-1-8 11:17:51 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
2009-1-8 11:17:52 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
2009-1-8 11:17:54 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
2009-1-8 11:17:56 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
2009-1-8 11:17:59 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
2009-1-8 11:18:02 | C:\Documents and Settings\Owner\桌面\test\victim.exe | DNS/RPC Client Access | \RPC Control\DNSResolver
2009-1-8 11:18:05 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify File | \Device\WMIDataDevice
2009-1-8 11:18:20 | C:\Documents and Settings\Owner\桌面\test\victim.exe | Modify File | \Device\NetBT_Tcpip_{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
End of The Report



Waited a while; no further behaviour, so I terminated it manually.

[Last edited by 星之梦 on 2009-1-8 11:30]
星之梦
Posted 2009-1-8 11:36:34

样本.exe

It errors out as soon as it runs; not sure whether DEP blocked it or something else. No DNS, no SCM.

----------------------------
After turning DEP off and rebooting, there is activity:
2009.01.08 11:51:24 7,.exe ISOLATE on start from explorer.exe
2009.01.08 11:51:24 7,.exe READONLY access to HKLM\SOFTWARE\Microsoft\DownloadManager (Registry)
2009.01.08 11:52:32 7,.exe DENY C0AE message to explorer.exe (Process)
2009.01.08 11:52:32 7,.exe DENY C0AE message to ctfmon.exe (Process)
Log Scope: Last 7 Days
Date/Time | Application | Action | Protocol | Source IP | Source Port | Destination IP | Destination Port
2009-1-8 11:52:14 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Blocked | UDP | [MyComputerIP] | 1028 | [OpenDNS] | 53
2009-1-8 11:52:16 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Blocked | UDP | [MyComputerIP] | 1028 | [OpenDNS] | 53
2009-1-8 11:52:20 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Blocked | UDP | [MyComputerIP] | 1028 | [OpenDNS] | 53
End of The Report

Log Scope: All The Times
Date/Time | Application | Action | Target
2009-1-8 11:51:25 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
2009-1-8 11:51:27 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
2009-1-8 11:51:29 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit
2009-1-8 11:51:31 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify File | C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
2009-1-8 11:51:33 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit
2009-1-8 11:51:35 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
2009-1-8 11:51:37 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify File | C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
2009-1-8 11:51:38 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify File | C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
2009-1-8 11:51:41 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Access COM Interface | \RPC Control\ntsvcs
2009-1-8 11:51:43 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
2009-1-8 11:51:45 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify File | C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
2009-1-8 11:51:48 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify File | \Device\NamedPipe\lsarpc
2009-1-8 11:51:49 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
2009-1-8 11:51:51 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
2009-1-8 11:51:53 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
2009-1-8 11:51:55 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
2009-1-8 11:51:57 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
2009-1-8 11:51:59 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
2009-1-8 11:52:03 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify File | C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat
2009-1-8 11:52:05 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
2009-1-8 11:52:07 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify Key | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit
2009-1-8 11:52:08 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify File | C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat
2009-1-8 11:52:10 | C:\Documents and Settings\Owner\桌面\test\样本.exe | DNS/RPC Client Access | \RPC Control\DNSResolver
2009-1-8 11:52:12 | C:\Documents and Settings\Owner\桌面\test\样本.exe | Modify File | \Device\WMIDataDevice
End of The Report


[Last edited by 星之梦 on 2009-1-8 12:03]

抓抓
Posted 2009-1-8 12:00:23
1.exe gets past Avira (Avira was updated just today):

but Dr.Web (the "spider") caught and removed it:

[Last edited by 抓抓 on 2009-1-8 13:33]

星之梦
Posted 2009-1-8 12:13:43
I can confirm that 样本.exe can be blocked by Microsoft's DEP.
Looks like keeping DEP on does no harm.
Magis
Posted 2009-1-8 12:19:12

Reply to post #14 by 星之梦

Hardware DEP? Software DEP isn't even as good as using CMF or CSS.
星之梦
Posted 2009-1-8 12:23:15

Reply to post #15 by magiscoldeye

I use both together, double protection.
ubuntu
Posted 2009-1-8 12:28:12
001.exe
http://camas.comodo.com/cgi-bin/ ... c42a7bbb9c9573e87b3

Flagged as suspicious on both startup and network access


Log:
Acquires the SeDebug privilege
Access COM Interface  LocalSecurityAuthority.Debug


File: D:\ntdetect_.com

Registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\DefaultValue
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\DefaultValue


1.exe
http://camas.comodo.com/cgi-bin/ ... d6abde89ed71f9ec58e

Heuristics flag it as suspicious, mainly for connecting to 0.0.0.1 and invoking cmd.exe


Mouse.exe
http://camas.comodo.com/cgi-bin/ ... fe2c3507cdaf650068b

A great deal of behaviour

LocalSecurityAuthority.Debug

Image hijacking (Image File Execution Options)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wsyscheck.exe

Writes to the system directory
C:\WINDOWS\system32\keepSafe.exe

Autostart entries
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\TXMouie
HKUS\S-1-5-21-842925246-1343024091-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Run\dsfghjgj
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ilortgdg
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cvhnykzx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\deryheruxc

Explorer Advanced
HKUS\S-1-5-21-842925246-1343024091-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Debugger
HKUS\S-1-5-21-842925246-1343024091-854245398-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden

Terminates security software
Terminate Process  C:\Program Files\COMODO\COMODO Internet Security\cfp.exe



The last two don't do much; after being allowed network access they exited on their own.

http://camas.comodo.com/cgi-bin/ ... e4f69c9c82d25a74a15



http://camas.comodo.com/cgi-bin/ ... 6072d1dd2a76c3851d1



[Last edited by ubuntu on 2009-1-8 14:39]
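As an added example (not code from this thread, from Comodo or from CAMAS), here is a small Python triage script for Defense+ "All The Times" rows in the separator-less form they take when pasted into a post, as in 星之梦's two logs above. It splits each row back into Date/Time, Application, Action and Target and then flags the indicators that come up in this thread: proxy-setting changes (ProxyServer, AutoConfigURL, ProxyEnable), autostart entries (Run/RunOnce/RunOnceEx/policies\Explorer\run), Image File Execution Options hijacks, writes under system32, termination of a security product, the LocalSecurityAuthority.Debug COM access and DNS resolver use, while letting the IE cache and Shell Folders noise through unflagged. The action vocabulary, the rule set and the high-severity grouping are my assumptions; the sample rows are constructed (the victim.exe rows copied from the log above with the desktop path shortened, the Mouse.exe rows modelled on ubuntu's CAMAS summary with an invented C:\test\ path and invented timestamps).

```python
import re
from collections import defaultdict

# Actions seen in the Defense+ logs in this thread (assumption: enough for triage).
ACTIONS = [
    "Modify File", "Modify Key", "Access COM Interface",
    "DNS/RPC Client Access", "Terminate Process",
]
_ACTION_ALT = "|".join(re.escape(a) for a in sorted(ACTIONS, key=len, reverse=True))

# A pasted row is "<date time><application path><action><target>" with no separators.
# The application column always ends in .exe, so the first ".exe" followed by a known
# action is where the path ends.
ROW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{2}:\d{2})"  # 2009-1-8 11:17:47
    r"(?P<app>.+?\.exe)"                                   # sandboxed executable
    rf"(?P<action>{_ACTION_ALT})"
    r"(?P<target>.*)$"
)

# Indicator rules: (indicator, required action, regex on the target).
# The registry paths are the ones that appear in the logs in this thread.
RULES = [
    ("proxy_hijack", "Modify Key", re.compile(
        r"\\Internet Settings\\(ProxyServer|ProxyEnable|AutoConfigURL|"
        r"Connections\\SavedLegacySettings|ZoneMap\\ProxyBypass)$", re.I)),
    ("autostart", "Modify Key", re.compile(
        r"\\CurrentVersion\\(Run|RunOnce|RunOnceEx|policies\\Explorer\\run)\\[^\\]+$", re.I)),
    ("ifeo_hijack", "Modify Key", re.compile(
        r"\\Image File Execution Options\\[^\\]+\.exe$", re.I)),
    ("hide_hidden_files", "Modify Key", re.compile(
        r"\\Explorer\\Advanced\\Folder\\Hidden\\(SHOWALL|NOHIDDEN)\\(CheckedValue|DefaultValue)$", re.I)),
    ("system_dir_write", "Modify File", re.compile(r"^[A-Z]:\\WINDOWS\\system32\\", re.I)),
    ("dns_lookup", "DNS/RPC Client Access", re.compile(r"\\RPC Control\\DNSResolver$", re.I)),
    ("lsa_debug", "Access COM Interface", re.compile(r"LocalSecurityAuthority\.Debug$", re.I)),
]
# Indicators that on their own justify treating the sample as hostile (assumption).
HIGH = {"proxy_hijack", "autostart", "ifeo_hijack", "kill_process", "system_dir_write"}


def parse_rows(report):
    """Split pasted report text into dict rows; header/footer lines are skipped."""
    rows = []
    for line in report.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(row):
    """Return the set of indicator names a single row triggers."""
    hits = set()
    if row["action"] == "Terminate Process":
        hits.add("kill_process")
    # The sample rewriting its own image on disk (seen in the victim.exe log above).
    if row["action"] == "Modify File" and row["target"].lower() == row["app"].lower():
        hits.add("self_modify")
    for name, action, rx in RULES:
        if row["action"] == action and rx.search(row["target"]):
            hits.add(name)
    return hits


def triage(report):
    """Map each indicator to the sorted list of distinct targets that triggered it."""
    found = defaultdict(set)
    for row in parse_rows(report):
        for name in classify(row):
            found[name].add(row["target"])
    return {name: sorted(targets) for name, targets in found.items()}


def verdict(report):
    """Sorted high-severity indicators present; an empty list means only IE-cache-style noise."""
    return sorted(HIGH & set(triage(report)))


# Constructed sample: victim.exe rows copied from the log above (desktop path shortened),
# Mouse.exe rows modelled on the CAMAS summary; C:\test\ and the 13:00 timestamps are invented.
SAMPLE_REPORT = r"""
2009-1-8 11:17:14C:\Documents and Settings\Owner\test\victim.exeModify FileC:\Documents and Settings\Owner\test\victim.exe
2009-1-8 11:17:22C:\Documents and Settings\Owner\test\victim.exeModify KeyHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory
2009-1-8 11:17:47C:\Documents and Settings\Owner\test\victim.exeModify KeyHKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
2009-1-8 11:17:51C:\Documents and Settings\Owner\test\victim.exeModify KeyHKUS\S-1-5-21-839522115-706699826-2147053123-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
2009-1-8 11:17:52C:\Documents and Settings\Owner\test\victim.exeModify KeyHKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
2009-1-8 11:18:02C:\Documents and Settings\Owner\test\victim.exeDNS/RPC Client Access\RPC Control\DNSResolver
2009-1-8 13:00:01C:\test\Mouse.exeModify KeyHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe
2009-1-8 13:00:02C:\test\Mouse.exeModify FileC:\WINDOWS\system32\keepSafe.exe
2009-1-8 13:00:03C:\test\Mouse.exeModify KeyHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cvhnykzx
2009-1-8 13:00:04C:\test\Mouse.exeTerminate ProcessC:\Program Files\COMODO\COMODO Internet Security\cfp.exe
2009-1-8 13:00:05C:\test\Mouse.exeAccess COM InterfaceLocalSecurityAuthority.Debug
"""

if __name__ == "__main__":
    for name, targets in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{name}:")
        for t in targets:
            print(f"    {t}")
    print("verdict:", verdict(SAMPLE_REPORT))
```

The point of the rule set is the one 抓抓 makes later in the thread: what a sandbox log shows depends on what the HIPS rules allowed to run, so the triage keys on the registry and file targets that survive in the log rather than on row counts, and the Cache\Paths and Shell Folders rows that dominate both logs above are deliberately left unflagged.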
抓抓
Posted 2009-1-8 12:31:22
Originally posted by 星之梦 on 2009-1-8 12:13:
I can confirm that 样本.exe can be blocked by Microsoft's DEP.
Looks like keeping DEP on does no harm.


I've always had DEP enabled too; why was mine intercepted by Comodo first?





Also, different rules may make the logs differ somewhat.

For example, some pipe settings terminate certain behaviours outright, so the behaviours that would have followed never run and never show up in the log...

[Last edited by 抓抓 on 2009-1-8 13:00]

Mr.Z
Posted 2009-1-8 12:39:23

Reply to post #18 by 抓抓

Is it a software vs. hardware difference?
星之梦
Posted 2009-1-8 13:38:16
Reply to post #18 by 抓抓
Hmm, check whether your CPU supports it?

With DEP on, the program errors out right away;
with it off, there is activity; turn it back on and it errors out on launch again.
Copyright © KaFan  KaFan.cn All Rights Reserved.
