Micropoint (微点) Active Defense software _ reverse engineering _ IDB
Micropoint Active Defense is a fairly powerful proactive-defense (HIPS) program that uses a lot of very low-level, leading-edge techniques. It had already been developed in 2005, but few people paid attention to it; its ability to defend against unknown viruses and trojans really is very strong. In November 2008 I took a rough look at the 13 drivers it contains, reversed part of them and learned a few things from them, but only the tip of the iceberg. Later, for various reasons, I never touched it again. Here are some of my earlier reverse-engineering results, for reference. From this material you may pick up some of the following techniques:
1. Encryption and decryption functions
2. IAT hook / EAT hook / deep call hook / inline hook / (Shadow) SSDT hook and their intricate management
3. Some undocumented structures in win32k.sys, and how Micropoint references and manages the undocumented functions in the Shadow SSDT (for example, checking whether a window is legitimate and scoring its suspiciousness)
4. Stack backtracing pushed to its extreme / stack hijacking used to roll back a trojan's harmful actions
5. The scoring mechanism inside its custom structures
6. Momentary hooks and the technique for removing them again
7. The principle behind defending against remote thread injection
8. The interception points for driver loading and their principle
9. A clever use of junk instructions to confuse IDA
10. Data exchange between drivers / the kernel DLL technique
11. How to judge the suspiciousness of the current program's behaviour
12. etc.
Note: the archive password is 123456
..... too many files, omitted .....