I saw the virus immunization patches that IGM and IGW posted on the alliance forum, but I did not download them: they cost reputation points, and I am poor, so I decided to make my own.
The basic idea is to stop the virus file from being created, and to stop the virus file from running.
Preventing creation is simply a matter of creating a folder with the same name as the virus file, in the same directory, and setting its attributes to hidden and read-only. Taking Viking (威金) as the example:
mkdir %systemroot%\system32\logo1_.exe
attrib +s +h +r %systemroot%\system32\logo1_.exe
This creates a system, hidden, read-only folder named logo1_.exe under the system32 directory, so the virus cannot drop a file of that name there.
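The placeholder-folder trick relies purely on a name collision: the dropper cannot open the name for writing or rename its payload onto it while a directory already occupies that path. The script below is an added demonstration, not code from the post; `occupy_name`, `dropper_can_create` and `demo` are names chosen here, the two-byte "MZ" payload is a constructed stand-in, and everything runs in a temporary directory so nothing under system32 is touched. On Windows it also applies the post's own attrib command to the placeholder.

```python
import os
import subprocess
import tempfile


def occupy_name(directory, filename):
    """Create the placeholder folder the post describes: a directory that
    carries the malware's file name, so the name is already taken."""
    path = os.path.join(directory, filename)
    os.mkdir(path)
    if os.name == "nt":
        # The post's own attrib command (system, hidden, read-only); Windows only.
        subprocess.run(["attrib", "+s", "+h", "+r", path], check=False)
    return path


def release_name(path):
    """Undo occupy_name so the temporary directory can be cleaned up."""
    if os.name == "nt":
        subprocess.run(["attrib", "-s", "-h", "-r", path], check=False)
    os.rmdir(path)


def dropper_can_create(directory, filename):
    """Simulate the two ways a dropper usually writes its payload: opening the
    name for writing, and renaming a temporary file onto it.  Returns True if
    either succeeds, False if both are refused.  Leaves no temp file behind."""
    path = os.path.join(directory, filename)
    try:
        with open(path, "wb") as fh:
            fh.write(b"MZ")  # constructed payload stand-in
        return True
    except OSError:
        pass  # a directory occupies the name: open() for writing is refused
    tmp = os.path.join(directory, "payload.tmp")
    with open(tmp, "wb") as fh:
        fh.write(b"MZ")
    try:
        os.replace(tmp, path)  # rename onto an existing directory is refused too
        return True
    except OSError:
        os.remove(tmp)
        return False


def demo(filename="logo1_.exe"):
    """Return (creatable_before, creatable_after): True, False shows the
    placeholder doing its job."""
    with tempfile.TemporaryDirectory() as d:
        before = dropper_can_create(d, filename)   # fresh directory: succeeds
        os.remove(os.path.join(d, filename))
        placeholder = occupy_name(d, filename)
        after = dropper_can_create(d, filename)    # name occupied: refused
        release_name(placeholder)
        return before, after


if __name__ == "__main__":
    print("creatable before / after placeholder:", demo())
```

The second half of `dropper_can_create` matters: a dropper that writes to a temp name and then renames is blocked just the same, because the rename target exists and is a directory. Anything that can remove the placeholder first defeats the trick, so the folder is only as strong as the permissions that protect it.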
The second step is to keep the virus from running. The first method uses Group Policy; the second uses an IFEO hijack (image hijacking).
Method 1: Group Policy. Everyone knows this is set by running gpedit.msc, but the same effect can be had by editing the registry directly:
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ /v DisallowRun /t REG_DWORD /d 1 /f
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\ /v 1 /t REG_SZ /d logo1_.exe /f
For several programs, add one entry per program, changing the 1 after /v and the value after /d.
secedit /refreshpolicy user_policy /enforce
That last command refreshes the policy.
Method 2: IFEO hijack (image hijacking). Put simply, you try to run one program but get redirected into running another. This is a trick many viruses use to stop antivirus software from running; here we turn it around and use it as an immunization patch. :)
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\logo1_.exe" /v Debugger /t REG_SZ /d cmd.exe /f
With this, any attempt to run the virus just opens cmd instead, heh.
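Both mechanisms above live in registry values that malware also edits (an IFEO Debugger entry pointing at a bogus binary is exactly how viruses keep antivirus from starting), so the practical check for a defender is to export those keys and list what is there. The script below is an added example, not part of the post: it parses a `.reg` export of the IFEO and Explorer policy keys and reports every image that has a Debugger, classifying `cmd.exe` as the post's immunization, known debugging tools as expected, and anything else for review, plus the DisallowRun list. `SAMPLE_REG`, `parse_reg`, `audit_ifeo`, `audit_disallowrun`, `KNOWN_DEBUGGERS` and the `scanner.exe` entry are all constructed here; real data would come from `reg export` of the two keys.

```python
import re

# Registry paths from the post. Key and value names are case-insensitive in the
# registry, so all comparisons below are done in lower case.
IFEO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
EXPLORER_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Debuggers one would expect behind an IFEO entry on a developer machine (assumed list).
KNOWN_DEBUGGERS = {"devenv", "devenv.exe", "windbg.exe", "vsjitdebugger.exe", "ntsd.exe", "cdb.exe"}

# Constructed .reg export, the format `reg export` produces. The logo1_/rundl132/policy
# keys reproduce what the post writes; myapp.exe mirrors the MSDN debugging use; scanner.exe
# is a constructed entry whose Debugger points at an unknown binary, the pattern to surface.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logo1_.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundl132.exe]
"Debugger"="cmd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="devenv /debugexe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanner.exe]
"Debugger"="C:\\nowhere\\x.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="logo1_.exe"
"2"="rundl132.exe"
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}. Handles quoted
    strings (with backslash escapes) and dword values, all these keys use."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group(1).replace('\\"', '"'), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data  # hex(...) and other types are kept raw; not needed here
        keys[current][name] = value
    return keys


def audit_ifeo(keys):
    """Return sorted [(image, debugger, status)] for every IFEO subkey with a
    Debugger value. status is 'immunization' (cmd.exe, as the post uses),
    'debugger' (a known debugging tool) or 'review' (anything else)."""
    prefix = IFEO_KEY.lower() + "\\"
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(prefix):]
        if "\\" in image:  # deeper subkeys (e.g. PerfOptions) are not image names
            continue
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger is None:
            continue
        # Executable name only: first token, quotes stripped, either path separator.
        exe = debugger.split()[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe == "cmd.exe":
            status = "immunization"
        elif exe in KNOWN_DEBUGGERS:
            status = "debugger"
        else:
            status = "review"
        findings.append((image, debugger, status))
    return sorted(findings)


def audit_disallowrun(keys):
    """Return (enabled, [blocked names]) for Explorer's DisallowRun policy."""
    enabled, names = False, []
    base = EXPLORER_POLICY_KEY.lower()
    for key, values in keys.items():
        k = key.lower()
        if k == base:
            enabled = any(n.lower() == "disallowrun" and v == 1 for n, v in values.items())
        elif k == base + "\\disallowrun":
            names = [v for _, v in sorted(values.items()) if isinstance(v, str)]
    return enabled, names


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for image, debugger, status in audit_ifeo(keys):
        print(f"IFEO {image:<14} -> {debugger:<22} [{status}]")
    enabled, names = audit_disallowrun(keys)
    print("DisallowRun enabled:", enabled, "blocked:", names)
```

Two things the audit output makes visible that the registry commands alone do not: DisallowRun is a per-user Explorer policy (it sits under HKCU and is enforced by the shell), so it is worth listing alongside the machine-wide IFEO entries rather than relied on alone; and any IFEO Debugger that is neither the chosen immunization value nor a real debugger deserves a look, since that is the shape of the hijack the post mentions viruses using.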
Below is a test script (it runs on Windows 2000 Pro):
@Echo Off
title 流行病毒免疫补丁-By n3tl04d
rem Menu loop: redraw the menu until a valid choice is entered
:hitauto
cls
Echo.
Echo 流行病毒免疫补丁
Echo.
Echo.
Echo.
Echo 制作:n3tl04d
Echo n3tl04d[at]gmail.com 10492315
Echo.
Echo 本程序运行后给某些流行病毒打上免疫补丁
Echo 本程序只是测试使用,功能需自己完善
Echo.
Echo [1] 打上补丁
Echo [0] 退出
Echo.
Set /p hitslt= 请输入您的选择(1/0):
If "%hitslt%"=="" Goto hitauto
If "%hitslt%"=="1" Goto patch
If "%hitslt%"=="0" Exit
Goto hitauto
rem Apply the patch: placeholder folders, DisallowRun policy, IFEO Debugger entries
:patch
mkdir %systemroot%\system32\logo1_.exe
attrib +s +h +r %systemroot%\system32\logo1_.exe
mkdir %systemroot%\system32\rundl132.exe
attrib +s +h +r %systemroot%\system32\rundl132.exe
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ /v DisallowRun /t REG_DWORD /d 1 /f
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\ /v 1 /t REG_SZ /d logo1_.exe /f
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\ /v 2 /t REG_SZ /d rundl132.exe /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\logo1_.exe" /v Debugger /t REG_SZ /d cmd.exe /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options\rundl132.exe" /v Debugger /t REG_SZ /d cmd.exe /f
secedit /refreshpolicy user_policy /enforce
echo 免疫完成 &&pause
Something I wrote earlier:
Technical background on the IFEO hijack (image hijacking)
Image File Execution Options (IFEO for short)
You can set up your application to start Visual Studio when you launch the application from Windows. Visual Studio will load your application, ready for debugging, but will not commence debugging until you issue an execution command. Having Visual Studio launch the debugger in this way is useful for debugging services and COM out-of-proc servers.
To set up an application to launch the debugger automatically
Start the Registry Editor (regedit).
In the Registry Editor, open the HKEY_LOCAL_MACHINE folder.
Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options.
Under the Image File Execution Options folder, locate the name of the application you want to debug (myapp.exe, for example). If you cannot find the application you want to debug:
Right-click the Image File Execution Options folder and choose New Key from the shortcut menu.
Right-click the new key and choose Rename from the shortcut menu.
Edit the key name to the name of your application, for example, myapp.exe.
Right-click the myapp.exe folder and choose New String Value from the shortcut menu.
Right-click the new string value and choose Rename from the shortcut menu.
Change the name to debugger.
Right-click the new string value and choose Modify from the shortcut menu.
The Edit String dialog box appears.
In the Value data box, type devenv /debugexe.
Click OK.
From the Registry menu, choose Exit.
The directory containing devenv.exe must be in your system path.
Now, use any method to start your application. Visual Studio .NET will start and load the application.
Note: If the application is managed, Visual Studio launches with the Debugger Type set to Auto. Before you debug, change the Debugger Type from Auto to Mixed in the Property Pages dialog box. For more information, see Specifying Debugger Settings.