入口点错误？

webweb

如上，先说点题外的
玩完魔兽争霸
一看自家的小红伞被莫名其妙关了 吓得赶紧检查原因
虽然初步判定可能是key被封了
但是还不放心 于是打开sreng
谁知刚一打开就有提示 大体意思是 sreng发现下面函数内容与预期值不符
然后2行分别是 入口点错误：CreateserviceA        入口点错误：CreateserviceW
扫描后日志里也有这么个记录 后边还加行 危险等级: 高,  被下面模块所HOOK: C:\Windows\system32\guard32.dll

请大家帮我看看吧（我还装着comodo 有个反复出现的记录 小红伞阻止钩子 c:\windows\system32\swmapi.dll）

封毒刃

入口点错误有时也是安全软件所致

Beloved

点击查看：guard32.dll是什么？

天月来了

C:\Windows\system32\guard32.dll这个文件必须实际文件拿过来看看了

没别的好办法

webweb

OK中午回家就上传上来

天月来了

算了

好象就是毛豆带的吧？？

backway

那个文件确实是毛豆的，api hook 一大堆。

webweb

File size: 168208 bytes

MD5...: 35d8021d30485677e1aba5af4856ee7c

SHA1..: 3e60198893682b62792afe0f3b2486901e478b11

SHA256: 4c0d30c42209cddeedea23647a570e4ba5b64eea6c199fdd606a955c7992d9e9

SHA512: 0f79e39e33fd3305a3c2cbda05092496c6e22068050d90082cb81f2c805b0368 f985119693e75e6575632345c3cde6db98f0cb47d2617755356749f582c8f1c3

ssdeep: 1536:9+VWE+C8ukUUGrET5Hg6ns6+WXT3y9wnZYTBTZiXmoR4Ae6KttEJStj3B7G 0FPvY:QE88LGrC5FsqwBTPKxe9ttEstj3Y

PEiD..: -

TrID..: File type identification Win32 Executable MS Visual C++ (generic) (65.2%) Win32 Executable Generic (14.7%) Win32 Dynamic Link Library (generic) (13.1%) Generic Win/DOS Executable (3.4%) DOS Executable Generic (3.4%)

PEInfo: PE Structure information ( base data ) entrypointaddress.: 0xdc31 timedatestamp.....: 0x4a0386ee (Fri May 08 01:12:14 2009) machinetype.......: 0x14c (I386) ( 5 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x18f19 0x19000 6.52 acdd94af49dff2ab3203ae8fa05014e1 .rdata 0x1a000 0x7a14 0x8000 4.65 3c657951e49b6e5a6e2954001b43a4c0 .data 0x22000 0x3d40 0x2000 2.46 f000568b174762027adfcd13501ab176 .rsrc 0x26000 0x2d8 0x1000 0.79 502db4518d829f0dddfc336a1b969bf7 .reloc 0x27000 0x2ee6 0x3000 5.40 41063998aa7377c38d287703c88204bb ( 6 imports ) > KERNEL32.dll: GetModuleFileNameW, CreateThread, CloseHandle, VirtualAlloc, VirtualFree, GetCurrentThreadId, GetCurrentThread, MultiByteToWideChar, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetModuleHandleA, WideCharToMultiByte, GetModuleHandleExA, GetTickCount, GetCurrentProcess, LocalAlloc, GetLastError, GetModuleHandleW, LocalFree, LoadLibraryW, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, RaiseException, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, Sleep, HeapSize, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, ExitThread, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapDestroy, HeapCreate, QueryPerformanceCounter, GetSystemTimeAsFileTime, HeapReAlloc, WriteFile, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, FreeLibrary, LoadLibraryA, RtlUnwind, SetFilePointer, GetConsoleCP, GetConsoleMode, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, FlushFileBuffers, SetThreadContext, GetThreadContext, FlushInstructionCache, ResumeThread, InterlockedCompareExchange, VirtualProtect, VirtualQuery, ExitProcess, SetLastError, DeleteCriticalSection, GetCurrentProcessId, SuspendThread > USER32.dll: WindowFromDC, wsprintfA, GetWindowThreadProcessId > ole32.dll: CoTaskMemFree, StringFromCLSID, ProgIDFromCLSID > ADVAPI32.dll: EqualSid, OpenProcessToken, GetTokenInformation > ntdll.dll: RtlEqualUnicodeString, NtQueryObject, NtQueryInformationThread, NtQueryInformationProcess, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, RtlAppendUnicodeToString, NtQuerySystemInformation > VERSION.dll: VerQueryValueA ( 0 exports )

PDFiD.: -

RDS...: NSRL Reference Data Set

aquaos

都带数字签名了 可以排除

backway

已经说了guard32.dll是毛豆的文件，打开sreng时会提示一堆api hook
忽视就行了
sreng平时没必要使用。