Asking the experts: what is this thing in the virus?
What is db 04Dh,05Ah,090h,000h,003h,000h,000h,000h,004h,000h,000h,000h,0FFh,0FFh,000h,000h in the virus?
How is it obtained? And if I wanted to define this myself, how would I go about it?
written_bytes dd 0
hvdfile dd 0 ;virus dropper file handle
IMAGE_DATA_DIRECTORY STRUC
DD_VirtualAddress DD ? ;RVA of the table (the post has "DD BYTE PTR ?", which is not valid MASM; DD ? is meant)
DD_Size DD ? ;size of the table in bytes
IMAGE_DATA_DIRECTORY ENDS
VirusHeaders:
;mz header & dos stub program
;IMAGE_DOS_HEADER (file offsets 00h-3Fh) followed by the 16-bit DOS stub (40h-7Fh).
;These are the bytes MS LINK puts in front of every PE file. The Win32 loader only
;reads e_lfanew at offset 3Ch, which is the file offset of the "PE\0\0" signature.
db 04Dh,05Ah,090h,000h,003h,000h,000h,000h,004h,000h,000h,000h,0FFh,0FFh,000h,000h ;e_magic "MZ", e_cblp 90h, e_cp 3, e_crlc 0, e_cparhdr 4, e_minalloc 0, e_maxalloc 0FFFFh, e_ss 0
db 0B8h,000h,000h,000h,000h,000h,000h,000h,040h,000h,000h,000h,000h,000h,000h,000h ;e_sp 0B8h, e_csum 0, e_ip 0, e_cs 0, e_lfarlc 40h, e_ovno 0, e_res[0..1]
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h ;e_res[2..3], e_oemid, e_oeminfo, e_res2[0..4]
db 000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,000h,080h,000h,000h,000h ;e_res2[5..9], e_lfanew = 80h
db 00Eh,01Fh,0BAh,00Eh,000h,0B4h,009h,0CDh,021h,0B8h,001h,04Ch,0CDh,021h,054h,068h ;stub: push cs / pop ds / mov dx,0Eh / mov ah,9 / int 21h / mov ax,4C01h / int 21h, then "Th"
db 069h,073h,020h,070h,072h,06Fh,067h,072h,061h,06Dh,020h,063h,061h,06Eh,06Eh,06Fh ;"is program canno"
db 074h,020h,062h,065h,020h,072h,075h,06Eh,020h,069h,06Eh,020h,044h,04Fh,053h,020h ;"t be run in DOS "
db 06Dh,06Fh,064h,065h,02Eh,00Dh,00Dh,00Ah,024h,000h,000h,000h,000h,000h,000h,000h ;"mode.\r\r\n$" ('$' terminates the int 21h/AH=9 string), zero padded up to 80h
;pe header (IMAGE_NT_HEADERS: signature followed by IMAGE_FILE_HEADER):
PE_Magic DD 00004550h ;"PE\0\0"
Machine DW 014ch ;IMAGE_FILE_MACHINE_I386
NumberOfSections DW 2h ;two sections: the code and the import section referred to below
TimeDateStamp DD 3878561Ah
PointerToSymbolTable DD 0
NumberOfSymbols DD 0
SizeOfOptionalHeader DW SizeOfPeOptionalHeader
Characteristics DW 30Eh ;EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE | DEBUG_STRIPPED
Pe_OptionalHeader:
;pe optional header (IMAGE_OPTIONAL_HEADER32):
OH_Magic DW 010Bh ;PE32
OH_MajorLinkerVersion DB 05h
OH_MinorLinkerVersion DB 0
OH_SizeOfCode DD 0
OH_SizeOfInitializedData DD (SizeOfImportSection+(200h-(SizeOfImportSection mod 200h))) ;rounded up to the 200h file alignment (note: adds a full 200h when the size is already aligned)
OH_SizeOfUninitializedData DD 0
OH_AddressOfEntryPoint DD (1000h+Wvltg_EntryPoint-_main) ;entry point! RVA = BaseOfCode + offset of the entry label inside the code
OH_BaseOfCode DD 1000h ;code placed at RVA 1000h
OH_BaseOfData DD (1000h+VirusSize+(1000h-(VirusSize mod 1000h))) ;placed after the code in memory, rounded up to the 1000h section alignment (same overshoot when already aligned)
OH_ImageBase DD
...
...
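To answer "what is this" concretely, here is an added example (Python; not code from the post or from the virus) that parses the posted bytes field by field: the IMAGE_DOS_HEADER, the message the DOS stub would print, and the COFF file header that e_lfanew points at. The 128 header bytes are re-typed from the post's db lines and the COFF header is packed from the posted field values; SizeOfOptionalHeader is a symbol (SizeOfPeOptionalHeader) in the post, so 0E0h, the size of a PE32 optional header with all 16 data directories, is assumed here.

```python
import struct

# Constructed input: the poster's db lines re-typed as bytes. IMAGE_DOS_HEADER
# occupies offsets 00h-3Fh, the DOS stub program 40h-7Fh.
DOS_HEADER_AND_STUB = bytes([
    0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xFF,0xFF,0x00,0x00,
    0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x00,0x00,0x00,
    0x0E,0x1F,0xBA,0x0E,0x00,0xB4,0x09,0xCD,0x21,0xB8,0x01,0x4C,0xCD,0x21,0x54,0x68,
    0x69,0x73,0x20,0x70,0x72,0x6F,0x67,0x72,0x61,0x6D,0x20,0x63,0x61,0x6E,0x6E,0x6F,
    0x74,0x20,0x62,0x65,0x20,0x72,0x75,0x6E,0x20,0x69,0x6E,0x20,0x44,0x4F,0x53,0x20,
    0x6D,0x6F,0x64,0x65,0x2E,0x0D,0x0D,0x0A,0x24,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
])

# "PE\0\0" + IMAGE_FILE_HEADER packed from the values in the post.
# SizeOfOptionalHeader is a symbol there; 0xE0 (PE32, 16 data directories) is assumed.
COFF_HEADER = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 2, 0x3878561A, 0, 0, 0xE0, 0x30E)
SAMPLE_IMAGE = DOS_HEADER_AND_STUB + COFF_HEADER

DOS_HEADER_FMT = "<2s13H4H2H10HI"   # IMAGE_DOS_HEADER: e_magic ... e_lfanew, 64 bytes
COFF_HEADER_FMT = "<IHHIIIHH"        # Signature + IMAGE_FILE_HEADER, 24 bytes

CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}


def parse_dos_header(buf):
    """Return the IMAGE_DOS_HEADER fields that matter for locating the PE header."""
    if len(buf) < 64:
        raise ValueError("too short for an IMAGE_DOS_HEADER")
    f = struct.unpack_from(DOS_HEADER_FMT, buf, 0)
    if f[0] != b"MZ":
        raise ValueError("missing MZ signature")
    return {
        "e_magic": f[0], "e_cblp": f[1], "e_cp": f[2], "e_cparhdr": f[4],
        "e_maxalloc": f[6], "e_sp": f[8], "e_lfarlc": f[12], "e_lfanew": f[-1],
    }


def dos_stub_message(buf, hdr):
    """Recover the string the stub prints. The stub does push cs / pop ds and then
    'mov dx, imm16', where imm16 is the message offset relative to the stub start."""
    start = hdr["e_cparhdr"] * 16            # the stub follows the header paragraphs
    stub = buf[start:hdr["e_lfanew"]]
    if len(stub) < 5 or stub[2] != 0xBA:     # 0BAh = mov dx, imm16
        raise ValueError("unrecognised DOS stub")
    dx = struct.unpack_from("<H", stub, 3)[0]
    end = stub.index(b"$", dx)               # int 21h / AH=09h strings end in '$'
    return stub[dx:end].decode("ascii")


def parse_coff_header(buf, hdr):
    """Parse the PE signature and IMAGE_FILE_HEADER at e_lfanew; decode Characteristics."""
    off = hdr["e_lfanew"]
    if off + struct.calcsize(COFF_HEADER_FMT) > len(buf):
        raise ValueError("e_lfanew points outside the buffer")
    sig, machine, nsec, ts, symptr, nsyms, optsize, chars = struct.unpack_from(COFF_HEADER_FMT, buf, off)
    if sig != 0x00004550:
        raise ValueError("missing PE signature at e_lfanew")
    flags = [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit]
    return {"Machine": machine, "NumberOfSections": nsec, "TimeDateStamp": ts,
            "SizeOfOptionalHeader": optsize, "Characteristics": chars, "flags": flags}


def describe(buf=SAMPLE_IMAGE):
    """Walk DOS header -> stub -> COFF header and return everything recovered."""
    hdr = parse_dos_header(buf)
    return {"dos": hdr, "stub_message": dos_stub_message(buf, hdr),
            "coff": parse_coff_header(buf, hdr)}


if __name__ == "__main__":
    for key, value in describe().items():
        print(key, value)
```

Run it on a real executable by passing `open(path, "rb").read()` to `describe()`; any file whose e_lfanew does not land on "PE\0\0" is rejected rather than mis-parsed.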
[Solution]
Embedded instruction bytes, strings, hash values and the like.
What you are looking at is the header format of a PE file; the virus probably generates a PE file on the fly.
Whatever the case, you first have to understand what it is trying to do; reproducing this form by itself is meaningless.
[Solution]
Export it with a binary tool such as WinHex, or with one of the disassemblers that can export binary code,
or extract it programmatically; dynamic languages such as Ruby or Perl make that especially easy.
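For the "extract it programmatically" route, and for the second half of the question (defining the header yourself rather than copying bytes), here is an added example in Python. It is not the post's or the virus's code: it packs an IMAGE_DOS_HEADER with the field values MS LINK writes (the same ones the post shows), appends the standard DOS stub, and renders the result as db lines in the post's 0XXh notation. `dump_dos_part_of_exe` does the same for an existing executable on disk; the file path it takes is the caller's.

```python
import struct

DOS_HEADER_FMT = "<2s13H4H2H10HI"   # IMAGE_DOS_HEADER, 64 bytes

# The 14-byte real-mode stub as MS LINK emits it and as it appears in the post:
# push cs / pop ds / mov dx,0Eh / mov ah,9 / int 21h / mov ax,4C01h / int 21h.
# 0Eh is the offset of the message relative to the start of the stub.
DOS_STUB_CODE = bytes([0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, 0x21,
                       0xB8, 0x01, 0x4C, 0xCD, 0x21])
DOS_STUB_MSG = b"This program cannot be run in DOS mode.\r\r\n$"   # '$'-terminated for AH=09h


def build_dos_header_and_stub(e_lfanew=0x80):
    """Build the MZ header and stub that sit in front of the PE signature.
    e_cblp/e_cp/e_maxalloc/e_sp/e_lfarlc are the values MS LINK writes; DOS only
    looks at them if the file is actually run under DOS. Linkers pad so that
    e_lfanew lands on an 8-byte boundary, which the default 80h satisfies."""
    stub = DOS_STUB_CODE + DOS_STUB_MSG
    if e_lfanew < 64 + len(stub):
        raise ValueError("e_lfanew leaves no room for the stub")
    header = struct.pack(
        DOS_HEADER_FMT,
        b"MZ",              # e_magic
        0x90, 3,            # e_cblp (bytes on last page), e_cp (pages in file)
        0,                  # e_crlc: no relocations
        4,                  # e_cparhdr: header size in paragraphs (4 * 16 = 64 bytes)
        0, 0xFFFF,          # e_minalloc, e_maxalloc
        0, 0xB8,            # e_ss, e_sp
        0, 0, 0,            # e_csum, e_ip, e_cs
        0x40,               # e_lfarlc: offset of the (empty) relocation table
        0,                  # e_ovno
        0, 0, 0, 0,         # e_res
        0, 0,               # e_oemid, e_oeminfo
        *([0] * 10),        # e_res2
        e_lfanew,           # file offset of "PE\0\0"
    )
    return header + stub + bytes(e_lfanew - 64 - len(stub))   # zero pad up to e_lfanew


def to_db_lines(data, width=16):
    """Render raw bytes as MASM `db` lines in the 0XXh form used in the post."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        lines.append("db " + ",".join(f"0{b:02X}h" for b in chunk))
    return lines


def dump_dos_part_of_exe(path):
    """Read a PE file and return its MZ header plus stub (everything before the
    PE signature) as db lines. Both signatures are checked before trusting e_lfanew."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    return to_db_lines(data[:e_lfanew])


if __name__ == "__main__":
    print("\n".join(to_db_lines(build_dos_header_and_stub())))
```

The first four lines this prints are byte for byte the four db lines at the top of the post, which is how you can tell those bytes were copied from a linker-produced executable rather than hand-written.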
[Solution]
The part in red is just a PE header; judging from the code comments it should be the virus's PE header.
If you want to see where this content comes from, open an exe file in UE and take a look.
You can also use the tools mydo mentioned.