关于Delphi写病毒专杀工具

2012-11-22 12:07 发布者: 疯子阅读：11915

开始~
话说之前有中过快播的病毒、感染了全盘、当时相当郁闷、于是乎、自己写了个专杀、才得以保存住文件。
1、
得分析感染前和感染后文件的区别、找出一些规律。有的病毒感染后、文件不一样、修复难度就比较大。
比如：感染后的区段、或者是代码有相似的地方、
对于快播病毒、大家看看代码：
//-----------------------------------------------------------------感染后的代码------------------------------------------------------
00421000 >  55                push ebp
00421001 8BEC             mov ebp,esp
00421003 83EC 70          sub esp,70
00421006 53                push ebx
00421007 8365 D0 00       and dword ptr ss:[ebp-30],0
0042100B 8365 F8 00       and dword ptr ss:[ebp-8],0
0042100F 8365 D8 00       and dword ptr ss:[ebp-28],0
00421013 33C0             xor eax,eax
00421015 66:8945 CC       mov word ptr ss:[ebp-34],ax
00421019 8365 E0 00       and dword ptr ss:[ebp-20],0
0042101D 8365 EC 00       and dword ptr ss:[ebp-14],0
00421021 8365 E4 00       and dword ptr ss:[ebp-1C],0
00421025 8365 F4 00       and dword ptr ss:[ebp-C],0
00421029 834D DC FF       or dword ptr ss:[ebp-24],FFFFFFFF
0042102D 8365 D4 00       and dword ptr ss:[ebp-2C],0
00421031 8365 C8 00       and dword ptr ss:[ebp-38],0
00421035 8365 E8 00       and dword ptr ss:[ebp-18],0
00421039 8365 F0 00       and dword ptr ss:[ebp-10],0
0042103D 8365 FC 00       and dword ptr ss:[ebp-4],0
00421041 C745 AC 726F6341 mov dword ptr ss:[ebp-54],41636F7>
00421048 90                nop
00421049 90                nop
0042104A 90                nop
0042104B B8 2F000000       mov eax,2F
00421050 40                inc eax
00421051 64:FF30          push dword ptr fs:[eax]
00421054 5B                pop ebx
00421055 895D E0          mov dword ptr ss:[ebp-20],ebx
00421058 8B45 E0          mov eax,dword ptr ss:[ebp-20]
0042105B 8B40 0C          mov eax,dword ptr ds:[eax+C]
0042105E 8B40 1C          mov eax,dword ptr ds:[eax+1C]
00421061 8B00             mov eax,dword ptr ds:[eax]
00421063 8945 EC          mov dword ptr ss:[ebp-14],eax
00421066 C745 A8 47657450 mov dword ptr ss:[ebp-58],5074654>
0042106D 8B45 EC          mov eax,dword ptr ss:[ebp-14]
00421070 8B40 08          mov eax,dword ptr ds:[eax+8]
00421073 8945 F4          mov dword ptr ss:[ebp-C],eax
00421076 C745 B4 73730000 mov dword ptr ss:[ebp-4C],7373
0042107D 8B45 F4          mov eax,dword ptr ss:[ebp-C]
00421080 8B40 3C          mov eax,dword ptr ds:[eax+3C]
00421083 8B4D F4          mov ecx,dword ptr ss:[ebp-C]
00421086 8B55 F4          mov edx,dword ptr ss:[ebp-C]
00421089 035401 78       add edx,dword ptr ds:[ecx+eax+78]
0042108D 8955 E4          mov dword ptr ss:[ebp-1C],edx
00421090 8B45 E4          mov eax,dword ptr ss:[ebp-1C]
00421093 8B4D F4          mov ecx,dword ptr ss:[ebp-C]
00421096 0348 1C          add ecx,dword ptr ds:[eax+1C]
00421099 894D F8          mov dword ptr ss:[ebp-8],ecx
0042109C C745 B0 64647265 mov dword ptr ss:[ebp-50],6572646>
004210A3 8B45 E4          mov eax,dword ptr ss:[ebp-1C]
004210A6 8B4D F4          mov ecx,dword ptr ss:[ebp-C]
004210A9 0348 20          add ecx,dword ptr ds:[eax+20]
004210AC 894D D0          mov dword ptr ss:[ebp-30],ecx
004210AF 8B45 E4          mov eax,dword ptr ss:[ebp-1C]
004210B2 8B4D F4          mov ecx,dword ptr ss:[ebp-C]
004210B5 0348 24          add ecx,dword ptr ds:[eax+24]
004210B8 894D D8          mov dword ptr ss:[ebp-28],ecx
004210BB 8365 A4 00       and dword ptr ss:[ebp-5C],0
004210BF EB 07             jmp short cmt.004210C8
004210C1 8B45 A4          mov eax,dword ptr ss:[ebp-5C]
004210C4 40                inc eax
004210C5 8945 A4          mov dword ptr ss:[ebp-5C],eax
004210C8 8B45 E4          mov eax,dword ptr ss:[ebp-1C]
004210CB 8B4D A4          mov ecx,dword ptr ss:[ebp-5C]
004210CE 3B48 18          cmp ecx,dword ptr ds:[eax+18]
004210D1 0F83 87000000    jnb cmt.0042115E
004210D7 C745 98 01000000 mov dword ptr ss:[ebp-68],1
004210DE 8B45 A4          mov eax,dword ptr ss:[ebp-5C]
004210E1 8B4D D0          mov ecx,dword ptr ss:[ebp-30]
004210E4 8B55 F4          mov edx,dword ptr ss:[ebp-C]
004210E7 031481          add edx,dword ptr ds:[ecx+eax*4]
004210EA 8955 9C          mov dword ptr ss:[ebp-64],edx
004210ED 8D45 A8          lea eax,dword ptr ss:[ebp-58]
004210F0 8945 A0          mov dword ptr ss:[ebp-60],eax
004210F3 8B45 A0          mov eax,dword ptr ss:[ebp-60]
004210F6 0FBE00          movsx eax,byte ptr ds:[eax]
004210F9 85C0             test eax,eax
004210FB 74 26             je short cmt.00421123
004210FD 8B45 A0          mov eax,dword ptr ss:[ebp-60]
00421100 0FBE00          movsx eax,byte ptr ds:[eax]
00421103 8B4D 9C          mov ecx,dword ptr ss:[ebp-64]
00421106 0FBE09          movsx ecx,byte ptr ds:[ecx]
00421109 3BC1             cmp eax,ecx
0042110B 74 06             je short cmt.00421113
0042110D 8365 98 00       and dword ptr ss:[ebp-68],0
00421111 EB 10             jmp short cmt.00421123
00421113 8B45 A0          mov eax,dword ptr ss:[ebp-60]
00421116 40                inc eax
00421117 8945 A0          mov dword ptr ss:[ebp-60],eax
0042111A 8B45 9C          mov eax,dword ptr ss:[ebp-64]
0042111D 40                inc eax
0042111E 8945 9C          mov dword ptr ss:[ebp-64],eax
00421121  ^ EB D0             jmp short cmt.004210F3
00421123 837D 98 01       cmp dword ptr ss:[ebp-68],1
00421127 75 30             jnz short cmt.00421159
00421129 8B45 9C          mov eax,dword ptr ss:[ebp-64]
0042112C 0FBE00          movsx eax,byte ptr ds:[eax]
0042112F 85C0             test eax,eax
00421131 75 26             jnz short cmt.00421159
00421133 8B45 A4          mov eax,dword ptr ss:[ebp-5C]
00421136 8B4D D8          mov ecx,dword ptr ss:[ebp-28]
00421139 66:8B0441       mov ax,word ptr ds:[ecx+eax*2]
0042113D 66:8945 CC       mov word ptr ss:[ebp-34],ax
00421141 0FB745 CC       movzx eax,word ptr ss:[ebp-34]
00421145 8B4D F8          mov ecx,dword ptr ss:[ebp-8]
00421148 8B0481          mov eax,dword ptr ds:[ecx+eax*4]
0042114B 8945 F8          mov dword ptr ss:[ebp-8],eax
0042114E 8B45 F4          mov eax,dword ptr ss:[ebp-C]
00421151 0345 F8          add eax,dword ptr ss:[ebp-8]
00421154 8945 D4          mov dword ptr ss:[ebp-2C],eax
00421157 EB 05             jmp short cmt.0042115E
00421159  ^ E9 63FFFFFF       jmp cmt.004210C1
0042115E C745 A8 57696E45 mov dword ptr ss:[ebp-58],456E695>
00421165 C745 AC 78656300 mov dword ptr ss:[ebp-54],636578
0042116C 8D45 A8          lea eax,dword ptr ss:[ebp-58]
0042116F 50                push eax
00421170 FF75 F4          push dword ptr ss:[ebp-C]
00421173 FF55 D4          call dword ptr ss:[ebp-2C]
00421176 8945 FC          mov dword ptr ss:[ebp-4],eax
00421179 90                nop
0042117A C745 A8 57726974 mov dword ptr ss:[ebp-58],7469725>
00421181 C745 AC 6546696C mov dword ptr ss:[ebp-54],6C69466>
00421188 C745 B0 65000000 mov dword ptr ss:[ebp-50],65
0042118F 90                nop
00421190 8D45 A8          lea eax,dword ptr ss:[ebp-58]
00421193 50                push eax
00421194 FF75 F4          push dword ptr ss:[ebp-C]
00421197 FF55 D4          call dword ptr ss:[ebp-2C]
0042119A 8945 E8          mov dword ptr ss:[ebp-18],eax
0042119D C745 A8 43726561 mov dword ptr ss:[ebp-58],6165724>
004211A4 C745 AC 74654669 mov dword ptr ss:[ebp-54],6946657>
004211AB C745 B0 6C654100 mov dword ptr ss:[ebp-50],cmt.004>
004211B2 8D45 A8          lea eax,dword ptr ss:[ebp-58]
004211B5 50                push eax
004211B6 FF75 F4          push dword ptr ss:[ebp-C]
004211B9 FF55 D4          call dword ptr ss:[ebp-2C]
004211BC 8945 C8          mov dword ptr ss:[ebp-38],eax
004211BF C745 A8 436C6F73 mov dword ptr ss:[ebp-58],736F6C4>
004211C6 C745 AC 6548616E mov dword ptr ss:[ebp-54],6E61486>
004211CD 90                nop
004211CE C745 B0 646C6500 mov dword ptr ss:[ebp-50],656C64  ; ASCII

关注公众号：Mcbang_com 了解更多精彩！

[广告]赞助链接：

选择AiDeep，让人工智能为你工作：http://www.aideep.com/
成都火锅串串加盟首选：http://www.niupinhui.com/
四季很好，只要有你，文娱排行榜：http://www.yaopaiming.com/
让资讯触达的更精准有趣：https://www.0xu.cn/

*文章为作者独立观点，不代表 MCBANG 立场
本文由疯子发表，转载此文章须经作者同意，并请附上出处( MCBANG )及本页链接。

疯子

关注网络尖刀微信公众号
随时掌握互联网精彩

赞助链接