Compiler infected, or malfunctioning?

Posted on 2024-10-11 06:52:02


I've encountered something very strange, and things just don't add up.
First of all, I posted this here because I'm not sure if this has anything to do with computer viruses at all. And if it does, could you please direct me to a place to find help?

So now:

I'm having some kind of weird problem here: both my anti-virus and Malwarebytes flag code* compiled with masm, and the masm examples, as a virus. I've googled and found that this problem has occurred before, so I didn't take this too seriously and at first thought that it was a false positive.

But I compiled the code you see on the bottom of this post to test some other things of mine out. And I ran it through ollydbg (meanwhile ignoring my comodo anti-virus) and then I saw this:

00401000 >  -E9 FBEF6F71    JMP 71B00000  ; this is a weird jump I did not put there
00401005     90             NOP
00401006     8BC0           MOV EAX,EAX
00401008   . 8BD8           MOV EBX,EAX
0040100A   . 33D9           XOR EBX,ECX
0040100C   . 8BC3           MOV EAX,EBX
0040100E   . 03CB           ADD ECX,EBX
00401010   . 33C3           XOR EAX,EBX
00401012   . 2BC1           SUB EAX,ECX
00401014   . 8BCB           MOV ECX,EBX
00401016   . 33D9           XOR EBX,ECX

The code below couldn't possibly compile into that jump, so I was stepping into the code. And a while later I saw that the strange code began enumerating through the APIs in the ntdll.dll library. What's happening? If this is indeed a virus, where do I get help?

But I'm still not sure: both Comodo and Malwarebytes flag only the examples as viruses, but not the file (test.exe) as a virus.

Test code I was using to test...

*:
include \masm32\include\masm32rt.inc

.data

.code

Start:

nop
nop
nop
nop
nop
nop

mov eax, eax
mov ebx, eax
xor ebx, ecx
mov eax, ebx
add ecx, ebx
xor eax, ebx
sub eax, ecx
mov ecx, ebx
xor ebx, ecx

invoke ExitProcess, 0h


end Start

Update:

The code isn't on disk, but in memory, so it's probably a library of some sort doing this:

Disassembly

00401000                    start:
00401000 90                     nop
00401001 90                     nop
00401002 90                     nop
00401003 90                     nop
00401004 90                     nop
00401005 90                     nop

And I've removed the invoke exit process and it's still there


Comments (2)

苏别ゝ 2024-10-18 06:52:02

Regarding the unexplained jump, a quick search on Google led to this thread on masm32.com which seems to provide interesting information, and most notably:

"COMODO" Internet Security is the culprit.
It is modifying executables on the fly to implement a unique partial "sandbox".

绝情姑娘 2024-10-18 06:52:02

The address 71B00000 is quite far away from your current code; check if it is in fact inside some other loaded module. Could even be a side-effect of using the invoke macro (or simply using DLLs, since ExitProcess is imported from a DLL). Try what happens if you replace that with a simple endless loop, i.e. JMP . or some such. You will then have to kill your program manually, of course, but it will be an interesting data point. Also, examine your exe file on disk to see if it already has the JMP at the start or not.
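The two checks this answer recommends (decode the jump the debugger shows, and compare it with what the file on disk actually holds at its entry point) can be scripted. The following is an added example, not code from this thread: it decodes the E9 rel32 from the OllyDbg dump above (E9 FBEF6F71 at 00401000 resolves to 71B00000), reads the entry-point bytes of a PE32 file straight from the section table, and looks the target up in a debugger-style module list. The byte strings and the tiny PE skeleton are constructed sample data; on a real system you would pass `open("test.exe", "rb").read()` and the module list from your debugger.

```python
import struct

# Constructed sample: the in-memory bytes from the OllyDbg dump in the question, and
# the bytes the posted source should produce on disk (six NOPs, then mov eax,eax).
MEMORY_AT_ENTRY = bytes.fromhex("E9FBEF6F71908BC08BD833D9")
DISK_AT_ENTRY = bytes.fromhex("9090909090908BC08BD833D9")
ENTRY_VA = 0x00401000

def decode_jmp_rel32(code, va):
    """Target of an E9 rel32 near jump at virtual address `va` (next insn + rel32), else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (va + 5 + rel) & 0xFFFFFFFF

def build_min_pe32(code, image_base=0x400000, entry_rva=0x1000):
    """Constructed PE32 skeleton, one .text section at file offset 0x200 (sample input only,
    not a loadable program); a real test.exe is simply open(path, 'rb').read()."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(16, b"\0") + struct.pack("<I", entry_rva)
    opt = opt.ljust(28, b"\0") + struct.pack("<I", image_base)
    sec = b".text\0\0\0" + struct.pack("<IIII", len(code), entry_rva, len(code), 0x200)
    hdr = dos + b"PE\0\0" + file_hdr + opt.ljust(0xE0, b"\0") + sec.ljust(40, b"\0")
    return hdr.ljust(0x200, b"\0") + code

def entry_point_bytes(pe, count=12):
    """(entry_va, first `count` bytes at the entry point as stored on disk) for a PE32 file.
    The entry RVA is mapped through the section table, so pass the raw file bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return image_base + entry_rva, pe[rawptr + entry_rva - vaddr:][:count]
    raise ValueError("entry point outside every section")

def module_containing(va, modules):
    """Name of the (name, base, size) module whose range holds `va`, else None."""
    return next((n for n, b, s in modules if b <= va < b + s), None)
```

If the bytes on disk are the six NOPs while the debugger shows the E9, the patch was applied in memory after loading, which points at a hooking component (the other answer names the culprit) rather than at the assembler or the file.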
