Security tip: image hijacking and anti-hijacking techniques
IFEO was originally meant to provide special environment settings for executables that could fail when run in the default system environment. The vendor had historical reasons for this: in the Windows NT era the system used an early heap management mechanism (the heap being the memory region managed by the application), which made some programs behave differently from how they do today. As the system was updated, the vendor changed the heap management mechanism, introducing a dynamic memory allocation scheme that reduced programs' memory usage and, for security, made them harder to overflow. These changes, however, left some programs unable to run at all. To accommodate those broken programs, Microsoft took the long view and designed the "IFEO" mechanism specifically for them. Its original meaning is not "hijacking" at all, but "Image File Execution Options"!
Reposted from: http://security.ctocio.com.cn/tips/92/8064592_1.shtml
[IT Expert Net exclusive] Today's trojans and viruses seem rather fond of "image hijacking": they use it to fool the system and antivirus software, then finish off the security software and take over the system. I have recently run into many trojans and viruses of this type, so below I write up what I have learned about image hijacking to share with everyone.
I. Principle
So-called image hijacking (IFEO) is Image File Execution Options, located under the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Because this key is mainly used for debugging programs, it means little to ordinary users; by default only administrators and Local System have permission to read, write and modify it.
For example, I want to run QQ.exe, but what actually runs is FlashGet.exe. In this case the QQ program has been hijacked by FlashGet: the program you wanted to run has been replaced by another program.
II. Being hijacked
Although image hijacking is a built-in system feature that ordinary users have no real need for, some viruses make use of it: on the surface a normal program appears to have run, while in fact the virus is already running in the background.
Most viruses and trojans run by loading themselves through the system's startup entries, and some start by registering themselves as system services. They mainly achieve this by modifying the registry, chiefly the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Unlike ordinary trojans and viruses, however, some viruses deliberately do not load themselves through these keys and do not run at system startup. Their authors exploit user psychology: the virus only runs when the user launches a particular program. When ordinary users realize their machine is infected, the first thing they check is the system's startup entries; very few think of image hijacking, and that is what makes this kind of virus clever.
Image hijacking viruses hijack normal programs mainly by modifying the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options key. For example, if a virus vires.exe wants to hijack the QQ program, it creates a new subkey qq.exe at that registry location, then creates a string value named debugger under it and sets its data to C:\WINDOWS\SYSTEM32\VIRES.EXE (the directory where the virus hides). That is all it takes.
III. Playing with hijacking
1. Blocking certain programs from running
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qq.exe]
"Debugger"="123.exe"
Save the above as norun_qq.reg and double-click it to import it into the registry. From then on, every time you double-click QQ the system pops up a box saying QQ cannot be found, because QQ has been redirected. To let QQ run again, change 123.exe to the path of QQ's installation directory.
2. A switcheroo prank
Every time we press Ctrl+Alt+Del, Task Manager pops up. Want a command prompt window to pop up instead when those keys are pressed? Here is how:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="D:\\WINDOWS\\pchealth\\helpctr\\binaries\\msconfig.exe"
Save the above as task_cmd.reg and double-click it to import it into the registry. Pressing the three keys now opens the "System Configuration Utility".
3. Making the virus lose itself
By the same logic, if we redirect the virus program, the virus can no longer run, right? The answer is yes.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sppoolsv.exe]
"Debugger"="123.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logo_1.exe]
"Debugger"="123.exe"
The code above uses the Golden Pig (金豬) and Viking (威金) viruses as examples. Even if these viruses sit in the system's startup entries and are launched with the system, the redirection performed by image hijacking means the system will still report that it cannot find the virus file (here logo_1.exe and sppoolsv.exe).
IV. Preventing hijacking
1. The permission restriction method
Open the Registry Editor and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Select that key, right-click → Permissions → Advanced, and remove the write permission for the administrator and system users.
2. The cut-the-knot method
Open the Registry Editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\, and delete the "Image File Execution Options" key.
Summary: I hope the analysis and uses of image hijacking above help everyone hunt down trojans and viruses, and I hope you can dig out more practical uses.
The basic principle of image hijacking:
When an NT system receives a request to run an executable invoked from the command line, it first checks whether the requested program is an executable; if so, it checks the file format, and then checks whether the file exists. If it does not exist, it reports that the system cannot find the file, or that the specified path is incorrect, and so on. Before launching, the loader also looks for an IFEO subkey named after the executable; if that subkey carries a Debugger value, the program named there is started instead, with the original command line appended to it, and if that program cannot be found the same "file not found" error results. Naturally, once these keys are deleted the program runs again!
A concrete case of image hijacking:
Quoting an analysis case by jzb770325001, a moderator at JM:
An impressive IFEO list; everything with any name recognition was hijacked:
-------------------------------------------------------
From this case we can see how powerful this technique is! Many antivirus processes and a number of antivirus helpers and tools were all hijacked, so every antivirus program you tried would fail to run!
Imagine how frightening it would be if more viruses made use of this!
Example uses:
1. Virus removal and prevention.
2. Internet café administrators: to stop customers from closing the management software, "Task Manager" can be hijacked to the IE browser, certain hacking tools can be blocked, and so on.
3. Pranks, to show off in front of a girl.
手動(dòng)清除使用映像劫持技術(shù)的病毒
2007-07-17 09:32:52 來(lái)源: 太平洋軟件 網(wǎng)友評(píng)論 0 條 進(jìn)入論壇這幾天一直想要把這個(gè)經(jīng)驗(yàn)寫(xiě)一下,總沒(méi)抽出時(shí)間,晚上加加班。樣本已經(jīng)被殺毒U盤(pán)的監(jiān)控干掉,本文回憶下修復(fù)過(guò)程。
現(xiàn)象
一媒體朋友的筆記本染毒,殺毒軟件起不來(lái)。開(kāi)機(jī)就彈出若干個(gè)窗口,總也關(guān)不掉,直到系統(tǒng)內(nèi)存耗盡死機(jī),安全模式也是同樣的現(xiàn)象。無(wú)奈之下,嘗試重裝系統(tǒng),不過(guò),因?yàn)椴簧偃硕贾赖脑?#xff0c;她只是格式化了C分區(qū),系統(tǒng)重裝后,訪問(wèn)其它分區(qū)后,再次出現(xiàn)重裝前的中毒癥狀。
從上述現(xiàn)象至少得到2個(gè)信息:1、病毒會(huì)通過(guò)自動(dòng)播放傳播;2、病毒可能利用映像劫持。
故障現(xiàn)象
檢查故障機(jī),重啟時(shí),很自然的想到啟動(dòng)到帶命令行的安全模式。運(yùn)行regedit,結(jié)果失敗。msconfig一樣失敗。改regedit.exe為regedit.com,同樣失敗,沒(méi)有繼續(xù)嘗試改別的名字。重啟電腦進(jìn)普通模式,想看一下具體中毒的現(xiàn)象。
登錄到桌面后,發(fā)現(xiàn)一個(gè)類(lèi)似記事本的程序不停打開(kāi)一個(gè)小對(duì)話框,速度很快,根本來(lái)不及關(guān)閉,任務(wù)管理器也調(diào)不出來(lái)。立即拿出我的殺毒U盤(pán),其中常備ProcessExplorer、冰刃、Sreng。發(fā)現(xiàn)殺毒U盤(pán)沒(méi)有正常的啟動(dòng)成功。雙擊冰刃/Sreng都宣告失敗。
解決步驟
分別對(duì)將icesword和Sreng主程序改名后運(yùn)行,此時(shí),那個(gè)象記事本的病毒程序已經(jīng)打開(kāi)近百個(gè)對(duì)話框,系統(tǒng)變得很慢。在WINXP的任務(wù)欄選中這一組窗口,關(guān)閉掉,先搶占一些系統(tǒng)資源再說(shuō)。
然后,雙擊U盤(pán)上的ProcessExplorer,一眼看到有記事本圖標(biāo)的三個(gè)進(jìn)程,嘗試結(jié)束其中一個(gè),發(fā)現(xiàn)結(jié)束后,程序會(huì)立即重新啟動(dòng)。看來(lái),直接KILL進(jìn)程是不行的。結(jié)束不行,就用下凍結(jié)進(jìn)程,分別選中這三個(gè)進(jìn)程,單擊右鍵,在進(jìn)程屬性中選擇Suspend(暫停)進(jìn)程,病毒就不再?gòu)棾鲂碌膶?duì)話框,殺它就容易了。(參考下圖的示例:)
Figure 1: Suspending the processes
Switching to IceSword, I used its process manager to get the location and file name of the virus processes, easily browsed to those files with IceSword's built-in file manager, copied a backup to the desktop, then right-clicked and chose Force Delete.
(The figure below shows IceSword's force delete):
Figure 2: Force delete
Next, switch to the registry editor in IceSword's window, browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and look at the program name in each subkey one by one to find the other virus program. (A note here: some users believe only the "Your Image File Name Here without a path" subkey needs to be kept and everything else can be deleted. I think that is still risky; the cautious approach is to check subkey by subkey and delete a subkey only when its value is the path of a virus program.)
Figure 3: Cleaning the registry
Likewise, the virus program must be force-deleted with IceSword's file manager. This virus is really nasty: I found that almost all antivirus software, firewalls, the system's own management tools (regedit, msconfig, cmd, Task Manager) and third-party system utilities (SREng, autoruns, IceSword) had been hijacked.
After repairing the registry, I double-clicked Kingsoft AntiVirus (毒霸) on the antivirus USB stick. The new version of the antivirus USB stick adds a monitoring feature: when I clicked the virus programs backed up on the desktop, the stick's monitor killed them immediately. Then I opened Explorer and browsed to the root directories of the other partitions, and the stick killed the viruses hidden in the root directories of those partitions as well.
An alternative solution
When you have neither IceSword nor Process Explorer, you can turn the virus's own trick against it: write a batch script that modifies the registry and adds the virus program to the image hijacking list too, as in the following example:
@echo off
rem Write a .reg file that adds the virus program to the IFEO list, then import it silently.
rem The redirection goes first here: "5.00>ssm.reg" would be read by cmd as redirecting handle 0.
>ssm.reg echo Windows Registry Editor Version 5.00
echo.>>ssm.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syssafe.EXE]>>ssm.reg
echo "Debugger"="syssafe.EXE">>ssm.reg
rem If more than one virus program is found, repeat the two echo lines above for each of them.
regedit /s ssm.reg & del /q ssm.reg
After a reboot the virus program can no longer start either (nasty, isn't it). Then rename the Registry Editor program regedit.exe to some other name, double-click it, and edit the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options key. Then update the antivirus software and run a scan.
Summary
For ordinary users, a virus that fights antivirus software this hard is really tough to deal with. The chance of an easy fix with antivirus software is small, and a manual repair is quite difficult for ordinary users.
Recommendations
1. Use the Group Policy Editor to turn off AutoPlay on all drives (AutoPlay has spread far too many viruses).
2. Keep antivirus software updated so you are not hit by this kind of virus; cleaning up after an infection takes much more effort.
3. Once infected, contact a professional anti-virus engineer for help right away; reinstalling the system is not a good solution.