Experts, please take a look, this is a pain: a program containing the StringEncrypt encryption function and obfuscated with /cs strings gets reported as a trojan by 360
For the past couple of days my programs have kept getting flagged as viruses, so I went through the code, then the version/copyright info, then the compression packer. With complete version info and no packer it was still flagged, which is really strange. So I deleted the code piece by piece and recompiled, and sure enough, the problem is in the StringEncrypt encryption function.
With this UDF included and the strings obfuscated with /cs, 360 reliably reports a trojan; if the function is removed, it is not falsely flagged whether the strings are obfuscated or not.
Then I kept deleting piece by piece, and I think the problem is in the following code:
; Fragment of _StringEncrypt (String.au3): the If/Else body that does the actual work.
; $i_Encrypt, $s_EncryptText, $i_EncryptLevel, $b_EncryptText, $b_EncryptPassword,
; $i_Flag and the counter variables are declared by the enclosing function (full UDF posted below).
If $i_Encrypt = 1 Then
    For $i_EncryptCountF = 0 To $i_EncryptLevel Step 1
        ; Stage 1: XOR every byte with the next password byte (cycling) and with 255
        $i_EncryptCountG = ''
        $i_EncryptCountH = ''
        $v_EncryptModified = Binary('')
        For $i_EncryptCountG = 1 To BinaryLen($b_EncryptText)
            If $i_EncryptCountH = BinaryLen($b_EncryptPassword) Then
                $i_EncryptCountH = 1
            Else
                $i_EncryptCountH += 1
            EndIf
            $v_EncryptModified = Binary($v_EncryptModified) & Binary('0x' & Hex(BitXOR(BinaryMid($b_EncryptText, $i_EncryptCountG, 1), BinaryMid($b_EncryptPassword, $i_EncryptCountH, 1), 255), 2))
        Next
        $b_EncryptText = $v_EncryptModified
        ; Stage 2: RC4-style key schedule; column [0] holds the state byte, column [1] the key byte
        $i_EncryptCountA = ''
        $i_EncryptCountB = 0
        $i_EncryptCountC = ''
        $i_EncryptCountD = ''
        $i_EncryptCountE = ''
        $v_EncryptCipherBy = ''
        $v_EncryptCipher = ''
        $v_EncryptSwap = ''
        $av_EncryptBox = ''
        Local $av_EncryptBox[256][2]
        For $i_EncryptCountA = 0 To 255
            $av_EncryptBox[$i_EncryptCountA][1] = Dec(StringTrimLeft(BinaryMid($b_EncryptPassword, Mod($i_EncryptCountA, BinaryLen($b_EncryptPassword)) + 1, 1), 2))
            $av_EncryptBox[$i_EncryptCountA][0] = $i_EncryptCountA
        Next
        For $i_EncryptCountA = 0 To 255
            $i_EncryptCountB = Mod(($i_EncryptCountB + $av_EncryptBox[$i_EncryptCountA][0] + $av_EncryptBox[$i_EncryptCountA][1]), 256)
            $v_EncryptSwap = $av_EncryptBox[$i_EncryptCountA][0]
            $av_EncryptBox[$i_EncryptCountA][0] = $av_EncryptBox[$i_EncryptCountB][0]
            $av_EncryptBox[$i_EncryptCountB][0] = $v_EncryptSwap
        Next
        ; Keystream generation and XOR (like RC4's PRGA, but without swapping the state bytes)
        For $i_EncryptCountA = 1 To BinaryLen($b_EncryptText)
            $i_EncryptCountC = Mod(($i_EncryptCountC + 1), 256)
            $i_EncryptCountD = Mod(($i_EncryptCountD + $av_EncryptBox[$i_EncryptCountC][0]), 256)
            $i_EncryptCountE = $av_EncryptBox[Mod(($av_EncryptBox[$i_EncryptCountC][0] + $av_EncryptBox[$i_EncryptCountD][0]), 256)][0]
            $v_EncryptCipherBy = BitXOR(BinaryMid($b_EncryptText, $i_EncryptCountA, 1), $i_EncryptCountE)
            $v_EncryptCipher = Binary($v_EncryptCipher) & Binary('0x' & Hex($v_EncryptCipherBy, 2))
        Next
        ; Keep the hex text (without the "0x" prefix) as the input for the next level
        $b_EncryptText = StringTrimLeft($v_EncryptCipher, 2)
    Next
Else
    ; Decryption: undo the two stages in reverse order (RC4-style pass first, then the XOR pass)
    $b_EncryptText = $s_EncryptText
    For $i_EncryptCountF = 0 To $i_EncryptLevel Step 1
        $b_EncryptText = Binary('0x' & $b_EncryptText)
        $i_EncryptCountB = 0
        $i_EncryptCountC = ''
        $i_EncryptCountD = ''
        $i_EncryptCountE = ''
        $v_EncryptCipherBy = ''
        $v_EncryptCipher = ''
        $v_EncryptSwap = ''
        $av_EncryptBox = ''
        Local $av_EncryptBox[256][2]
        For $i_EncryptCountA = 0 To 255
            $av_EncryptBox[$i_EncryptCountA][1] = Dec(StringTrimLeft(BinaryMid($b_EncryptPassword, Mod($i_EncryptCountA, BinaryLen($b_EncryptPassword)) + 1, 1), 2))
            $av_EncryptBox[$i_EncryptCountA][0] = $i_EncryptCountA
        Next
        For $i_EncryptCountA = 0 To 255
            $i_EncryptCountB = Mod(($i_EncryptCountB + $av_EncryptBox[$i_EncryptCountA][0] + $av_EncryptBox[$i_EncryptCountA][1]), 256)
            $v_EncryptSwap = $av_EncryptBox[$i_EncryptCountA][0]
            $av_EncryptBox[$i_EncryptCountA][0] = $av_EncryptBox[$i_EncryptCountB][0]
            $av_EncryptBox[$i_EncryptCountB][0] = $v_EncryptSwap
        Next
        For $i_EncryptCountA = 1 To BinaryLen($b_EncryptText)
            $i_EncryptCountC = Mod(($i_EncryptCountC + 1), 256)
            $i_EncryptCountD = Mod(($i_EncryptCountD + $av_EncryptBox[$i_EncryptCountC][0]), 256)
            $i_EncryptCountE = $av_EncryptBox[Mod(($av_EncryptBox[$i_EncryptCountC][0] + $av_EncryptBox[$i_EncryptCountD][0]), 256)][0]
            $v_EncryptCipherBy = BitXOR(BinaryMid($b_EncryptText, $i_EncryptCountA, 1), $i_EncryptCountE)
            $v_EncryptCipher = Binary($v_EncryptCipher) & Binary('0x' & Hex($v_EncryptCipherBy, 2))
        Next
        $b_EncryptText = $v_EncryptCipher
        ; Undo the password XOR of stage 1
        $i_EncryptCountG = ''
        $i_EncryptCountH = ''
        $v_EncryptModified = ''
        For $i_EncryptCountG = 1 To BinaryLen($b_EncryptText)
            If $i_EncryptCountH = BinaryLen($b_EncryptPassword) Then
                $i_EncryptCountH = 1
            Else
                $i_EncryptCountH += 1
            EndIf
            $v_EncryptModified = Binary($v_EncryptModified) & Binary('0x' & Hex(BitXOR(BinaryMid($b_EncryptText, $i_EncryptCountG, 1), BinaryMid($b_EncryptPassword, $i_EncryptCountH, 1), 255), 2))
        Next
        $b_EncryptText = BinaryToString($v_EncryptModified, $i_Flag)
    Next
EndIf
In testing, if this code segment is removed, the program is not flagged even after obfuscation.
My head is spinning now and I don't know where to start looking; any experts who are interested, please come over and offer some ideas, thanks.
I am also posting the complete UDF function.
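To make the quoted fragment easier to follow outside AutoIt, here is a Python reimplementation of what it computes. This is an added example, not code from the thread or from AutoIt's String.au3; the function names (xor_pass, rc4_noswap_keystream, rc4_stage, string_encrypt, keystream_period) are mine, and it assumes single-byte (Latin-1/ANSI) text and password, as AutoIt's default string-to-binary conversion does. Byte-exact agreement with the AutoIt UDF has not been checked against AutoIt itself; the structure (password XOR, RC4-style key schedule, swap-less keystream, hex text carried into the next level) follows the fragment line by line.

```python
# Added example (mine, not code from the thread or from AutoIt's String.au3):
# a Python mirror of the quoted _StringEncrypt If/Else body.
# Assumption: text and password are single-byte (Latin-1/ANSI) strings.

def xor_pass(data: bytes, password: bytes) -> bytes:
    """Stage 1 of each level: BitXOR(text byte, password byte, 255), with the
    password index cycling through 1..len(password)."""
    return bytes(b ^ password[i % len(password)] ^ 0xFF for i, b in enumerate(data))


def rc4_noswap_keystream(password: bytes, n: int) -> list:
    """Stage 2: standard RC4 key schedule (box[i][0] = state, box[i][1] = key
    byte), then a generator like RC4's PRGA except that S[i] and S[j] are never
    swapped, exactly as in the AutoIt loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + password[i % len(password)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0  # $i_EncryptCountC / $i_EncryptCountD start as '' (numerically 0)
    out = []
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        out.append(S[(S[i] + S[j]) % 256])  # $i_EncryptCountE
    return out


def rc4_stage(data: bytes, password: bytes) -> bytes:
    ks = rc4_noswap_keystream(password, len(data))
    return bytes(b ^ k for b, k in zip(data, ks))


def string_encrypt(encrypt: bool, text: str, password: str, level: int = 1) -> str:
    """'For 0 To level' runs level+1 rounds. Each encrypt round hands the hex
    text (not the raw bytes) to the next round, so the output grows to
    2**(level+1) times the input length; decryption reverses the stages."""
    pw = password.encode("latin-1")
    data = text
    for _ in range(level + 1):
        if encrypt:
            raw = data.encode("latin-1")
            raw = rc4_stage(xor_pass(raw, pw), pw)
            data = raw.hex().upper()       # StringTrimLeft(Binary, 2) drops the "0x"
        else:
            raw = bytes.fromhex(data)      # Binary('0x' & text)
            raw = xor_pass(rc4_stage(raw, pw), pw)
            data = raw.decode("latin-1")   # BinaryToString
    return data


def keystream_period(password: bytes, max_period: int = 1024) -> int:
    """Smallest p such that the keystream repeats with period p, searched over
    2*max_period bytes (0 if none). Without the swap the state S is fixed after
    the key schedule and (i, j) returns to its start after 512 steps, so the
    keystream of every key repeats every 512 bytes."""
    ks = rc4_noswap_keystream(password, 2 * max_period)
    for p in range(1, max_period + 1):
        if all(ks[n] == ks[n + p] for n in range(max_period)):
            return p
    return 0


if __name__ == "__main__":
    # Constructed sample input; the level-1 output is 4x the input length
    c = string_encrypt(True, "Hello, world", "secret")
    print(c, len(c))
    print(string_encrypt(False, c, "secret"))
    print("keystream period:", keystream_period(b"secret"))
```

What the mirror makes visible is the shape of the routine: a password XOR followed by an RC4 variant whose keystream generator omits the state swap, so its keystream repeats every 512 bytes regardless of the key. That makes it string obfuscation rather than encryption, which is the role it plays in the program here; AutoIt later deprecated _StringEncrypt in favour of the Crypt.au3 functions. None of this says anything about which bytes 360's heuristics match on, only what the flagged code actually does.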
Once it is encrypted to the point where X60 can't analyze it, X60 says: I'll flag it! Try renaming the variable names as well~
Reply to 2# haijie1223: I don't have an xx0 environment, so I can't test it.
Reply to 3# afan: Thanks, testing it now.
The test results show that 360 is really nasty: it made me change the program's icon. With a new icon, the string encryption function included and full obfuscation (/cs /cn /cf /cv), it no longer reports a trojan. But I reckon this is only temporary; in a few dozen minutes or a few hours it may well be flagged again, because I changed nothing but the icon, and how could an icon be the cause of a false positive? That's it for tonight, I'll observe the results tomorrow, thanks moderator A. Annoying 360: even sending email from a script prompts "information is being leaked".