病毒樣本 MD5: 642a393a5c65d202180df5af06f29c5a
#include
#include
//通過hkey_performance_data遍歷程序. ----- 從nimda病毒中發現的這種方式.
//int main()
;dword cb = 0x40000, type = 0;;
regqueryvalueexa(hkey_performance_data, "230 232", null, &type, data, &cb);
//pperf_data_block ppdb = (pperf_data_block)data;
pperf_object_type ppbt = (pperf_object_type)((byte*)data + ppdb->headerlength);
int count_obj = 0;
while (ppbt->objectnametitleindex != 230) //process
}pperf_counter_definition ppcd = (pperf_counter_definition)(ppbt->headerlength + (byte*)ppbt);
int count_counter = 0;
while (ppcd->counternametitleindex != 784) //pid
}perf_instance_definition *ppid = (pperf_instance_definition)(ppbt->definitionlength + (byte*)ppbt);
int count_instance = 0;
while (ppid && ppid->bytelength) //因為看了下ppbt->numofinstance是0, 不能用於作結尾標誌,所以就這樣了..
這個比較常見
#include
#include
/* Function-pointer type for a ZwQuerySystemInformation-style routine.
 * By parameter name: the information class to query, the caller-supplied
 * output buffer, that buffer's length in bytes, and an optional out-pointer
 * receiving the returned (or required) length.  The class used with this
 * pointer, SystemProcessInformation (0x05), is tabulated further down. */
typedef ntstatus (_stdcall *pfnzwquerysysteminformation)(int systeminformationclass,
                                                          pvoid systeminformation,
                                                          ulong systeminformationlength,
                                                          ulong *returnlength);
int main()
virtualfree(data, 0x100000, 0x10000);
return 0;
}
| Numeric value | Symbolic name |
| --- | --- |
| 0x05 | SystemProcessInformation |

| Offset (x86) | Offset (x64) | Definition |
| --- | --- | --- |
| 0x00 | 0x00 | ULONG NextEntryOffset |
| 0x38 | 0x38 | UNICODE_STRING ImageName |
| 0x44 | 0x50 | UniqueProcessId |
另外, 呼叫 CreateToolhelp32Snapshot 本質上也是這個方式: