On writing a virus-specific removal tool in Delphi
A while back I was hit by the 快播 (QVOD) virus. It infected every drive, which was quite depressing, so I wrote my own special-purpose removal tool, and that is how I managed to save my files.

1. First you have to analyze the difference between a file before and after infection and find some patterns. With some viruses the infected files do not all look the same, which makes repair considerably harder. What to look for: the sections that appear after infection, or places where the injected code is the same from file to file. For the QVOD virus, take a look at the code (the listing below is an OllyDbg dump of the infected file; the comments after ";" are added here to explain what each step does):

//----------------------------------------------------------------- code after infection ------------------------------------------------------
00421000 > 55               push ebp                                   ; frame prologue, 0x70 bytes of locals
00421001   8BEC             mov ebp,esp
00421003   83EC 70          sub esp,70
00421006   53               push ebx
00421007   8365 D0 00       and dword ptr ss:[ebp-30],0                ; zero the locals one by one
0042100B   8365 F8 00       and dword ptr ss:[ebp-8],0
0042100F   8365 D8 00       and dword ptr ss:[ebp-28],0
00421013   33C0             xor eax,eax
00421015   66:8945 CC       mov word ptr ss:[ebp-34],ax
00421019   8365 E0 00       and dword ptr ss:[ebp-20],0
0042101D   8365 EC 00       and dword ptr ss:[ebp-14],0
00421021   8365 E4 00       and dword ptr ss:[ebp-1C],0
00421025   8365 F4 00       and dword ptr ss:[ebp-C],0
00421029   834D DC FF       or dword ptr ss:[ebp-24],FFFFFFFF          ; [ebp-24] = -1
0042102D   8365 D4 00       and dword ptr ss:[ebp-2C],0
00421031   8365 C8 00       and dword ptr ss:[ebp-38],0
00421035   8365 E8 00       and dword ptr ss:[ebp-18],0
00421039   8365 F0 00       and dword ptr ss:[ebp-10],0
0042103D   8365 FC 00       and dword ptr ss:[ebp-4],0
00421041   C745 AC 726F6341 mov dword ptr ss:[ebp-54],41636F7>         ; "rocA": the string "GetProcAddress" is assembled on the stack at ebp-58, 4 bytes at a time (see also 00421066, 0042109C, 00421076), so it never appears as a plain string in the file
00421048   90               nop
00421049   90               nop
0042104A   90               nop
0042104B   B8 2F000000      mov eax,2F                                 ; eax = 0x2F + 1 = 0x30
00421050   40               inc eax
00421051   64:FF30          push dword ptr fs:[eax]                    ; fs:[30] = PEB, read without a literal fs:[30] in the byte stream
00421054   5B               pop ebx                                    ; ebx = PEB
00421055   895D E0          mov dword ptr ss:[ebp-20],ebx
00421058   8B45 E0          mov eax,dword ptr ss:[ebp-20]
0042105B   8B40 0C          mov eax,dword ptr ds:[eax+C]               ; PEB->Ldr (PEB_LDR_DATA)
0042105E   8B40 1C          mov eax,dword ptr ds:[eax+1C]              ; Ldr->InInitializationOrderModuleList.Flink (first entry: ntdll.dll)
00421061   8B00             mov eax,dword ptr ds:[eax]                 ; ->Flink: second entry, kernel32.dll on Windows XP (on Windows 7 and later this slot holds kernelbase.dll, so the walk no longer lands on kernel32)
00421063   8945 EC          mov dword ptr ss:[ebp-14],eax
00421066   C745 A8 47657450 mov dword ptr ss:[ebp-58],5074654>         ; "GetP"
0042106D   8B45 EC          mov eax,dword ptr ss:[ebp-14]
00421070   8B40 08          mov eax,dword ptr ds:[eax+8]               ; LDR entry + 8 = DllBase of that module
00421073   8945 F4          mov dword ptr ss:[ebp-C],eax               ; [ebp-C] = module base
00421076   C745 B4 73730000 mov dword ptr ss:[ebp-4C],7373             ; "ss\0\0" terminates the string
0042107D   8B45 F4          mov eax,dword ptr ss:[ebp-C]
00421080   8B40 3C          mov eax,dword ptr ds:[eax+3C]              ; e_lfanew -> IMAGE_NT_HEADERS
00421083   8B4D F4          mov ecx,dword ptr ss:[ebp-C]
00421086   8B55 F4          mov edx,dword ptr ss:[ebp-C]
00421089   035401 78        add edx,dword ptr ds:[ecx+eax+78]          ; base + DataDirectory[EXPORT].VirtualAddress
0042108D   8955 E4          mov dword ptr ss:[ebp-1C],edx              ; [ebp-1C] = IMAGE_EXPORT_DIRECTORY
00421090   8B45 E4          mov eax,dword ptr ss:[ebp-1C]
00421093   8B4D F4          mov ecx,dword ptr ss:[ebp-C]
00421096   0348 1C          add ecx,dword ptr ds:[eax+1C]              ; base + AddressOfFunctions
00421099   894D F8          mov dword ptr ss:[ebp-8],ecx
0042109C   C745 B0 64647265 mov dword ptr ss:[ebp-50],6572646>         ; "ddre"
004210A3   8B45 E4          mov eax,dword ptr ss:[ebp-1C]
004210A6   8B4D F4          mov ecx,dword ptr ss:[ebp-C]
004210A9   0348 20          add ecx,dword ptr ds:[eax+20]              ; base + AddressOfNames
004210AC   894D D0          mov dword ptr ss:[ebp-30],ecx
004210AF   8B45 E4          mov eax,dword ptr ss:[ebp-1C]
004210B2   8B4D F4          mov ecx,dword ptr ss:[ebp-C]
004210B5   0348 24          add ecx,dword ptr ds:[eax+24]              ; base + AddressOfNameOrdinals
004210B8   894D D8          mov dword ptr ss:[ebp-28],ecx
004210BB   8365 A4 00       and dword ptr ss:[ebp-5C],0                ; i = 0
004210BF   EB 07            jmp short cmt.004210C8
004210C1   8B45 A4          mov eax,dword ptr ss:[ebp-5C]              ; i++
004210C4   40               inc eax
004210C5   8945 A4          mov dword ptr ss:[ebp-5C],eax
004210C8   8B45 E4          mov eax,dword ptr ss:[ebp-1C]
004210CB   8B4D A4          mov ecx,dword ptr ss:[ebp-5C]
004210CE   3B48 18          cmp ecx,dword ptr ds:[eax+18]              ; i < NumberOfNames ?
004210D1   0F83 87000000    jnb cmt.0042115E                           ; loop exit
004210D7   C745 98 01000000 mov dword ptr ss:[ebp-68],1
004210DE   8B45 A4          mov eax,dword ptr ss:[ebp-5C]
004210E1   8B4D D0          mov ecx,dword ptr ss:[ebp-30]
004210E4   8B55 F4          mov edx,dword ptr ss:[ebp-C]
004210E7   031481           add edx,dword ptr ds:[ecx+eax*4]           ; base + AddressOfNames[i] -> exported name, to be compared with the "GetProcAddress" built on the stack
004210EA   8955 9C
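The kind of check step 1 leads to, as an added example (not the original post's code, and written in Python rather than the author's Delphi for illustration): it parses the PE headers of a file, scans every executable section for the byte pattern of the prologue in the listing above (00421000 to 00421054), and reports the virtual address of each hit so it can be compared directly with the 0x00421000 in the dump. The sample PE it scans is constructed inline, with the opcode bytes copied from the listing placed in a section at RVA 0x21000 under image base 0x400000; a real scan would read a suspect file from disk. Wildcarding the 4-byte immediate of the first stack-string store is my choice, not something the listing shows.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Signature taken from the listing above: frame prologue, local zeroing,
# the first stack-string store and the fs:[30] PEB fetch. The immediate of
# the mov at 00421041 is wildcarded ("??") so a variant that builds a
# different stack string still matches (assumption, not from the listing).
QVOD_SIG = (
    "55 8B EC 83 EC 70 53 "
    "83 65 D0 00 83 65 F8 00 83 65 D8 00 33 C0 66 89 45 CC "
    "83 65 E0 00 83 65 EC 00 83 65 E4 00 83 65 F4 00 83 4D DC FF "
    "83 65 D4 00 83 65 C8 00 83 65 E8 00 83 65 F0 00 83 65 FC 00 "
    "C7 45 AC ?? ?? ?? ?? 90 90 90 "
    "B8 2F 00 00 00 40 64 FF 30 5B"
)

# Constructed sample input: the opcode bytes of 00421000..00421057 as they
# appear in the listing's byte column.
INFECTED_CODE = bytes.fromhex(
    "55 8BEC 83EC70 53"
    " 8365D000 8365F800 8365D800 33C0 668945CC"
    " 8365E000 8365EC00 8365E400 8365F400 834DDCFF"
    " 8365D400 8365C800 8365E800 8365F000 8365FC00"
    " C745AC726F6341 909090 B82F000000 40 64FF30 5B 895DE0"
)


def parse_signature(text):
    """'55 8B ?? EC' -> [0x55, 0x8B, None, 0xEC]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(buf, sig, start=0):
    """Offset of the first match of sig in buf at or after start, or -1.
    bytes.find locates the leading fixed bytes; the rest is checked
    byte by byte, honouring wildcards."""
    fixed = next((i for i, b in enumerate(sig) if b is None), len(sig))
    prefix = bytes(sig[:fixed])
    pos = buf.find(prefix, start)
    while pos != -1 and pos + len(sig) <= len(buf):
        if all(s is None or buf[pos + j] == s for j, s in enumerate(sig)):
            return pos
        pos = buf.find(prefix, pos + 1)
    return -1


def parse_pe(data):
    """Minimal PE32 header parser: image base, entry point RVA, section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    file_hdr = e_lfanew + 4
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 only (the infected sample is 32-bit)")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    sec_off = opt + size_opt
    for i in range(num_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "va": f[2], "raw_size": f[3], "raw_ptr": f[4], "chars": f[9],
        })
    return {"image_base": image_base, "entry_point": entry_point, "sections": sections}


def scan_pe(data, sig):
    """Scan every executable section for sig; return (section, VA) per hit."""
    pe = parse_pe(data)
    hits = []
    for sec in pe["sections"]:
        if not sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
            continue
        raw = data[sec["raw_ptr"]:sec["raw_ptr"] + sec["raw_size"]]
        off = find_signature(raw, sig)
        while off != -1:
            hits.append((sec["name"], pe["image_base"] + sec["va"] + off))
            off = find_signature(raw, sig, off + 1)
    return hits


def build_sample_pe(code, file_align=0x200):
    """Constructed test input: a minimal PE32 with one executable section at
    RVA 0x21000 under image base 0x400000, so code lands at 0x00421000."""
    assert len(code) <= file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x21000)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)     # Section/FileAlignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x21000,
                      file_align, file_align, 0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(file_align, b"\0")
    return header + code.ljust(file_align, b"\0")


if __name__ == "__main__":
    for name, va in scan_pe(build_sample_pe(INFECTED_CODE), parse_signature(QVOD_SIG)):
        print(f"QVOD prologue in section {name} at {va:#010x}")
```

On the constructed sample the hit is reported at 0x00421000, the same address as the dump. The section-table walk matters for real files: the infection sits in a section the virus added or extended, so reporting the hit by section name and VA tells you where to look when you move on to comparing the clean and infected layouts.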