Compiler infected, or malfunctioning?

I've encountered something very strange, and things just don't add up.

First of all, I posted this here because I'm not sure whether this has anything to do with computer viruses at all. And if it does, could you please direct me to a place to find help?

So now:

I'm having some kind of weird problem here: both my anti-virus and Malwarebytes flag code* compiled with MASM, as well as the MASM examples, as a virus. I googled and found that this problem has occurred before, so I didn't take it too seriously and at first thought it was a false positive.

But I compiled the code you see at the bottom of this post to test some other things of mine. I ran it through OllyDbg (while ignoring my Comodo anti-virus) and then I saw this:

00401000 > -E9 FBEF6F71 JMP 71B00000 ; this is a weird jump I did not put there
00401005 90 NOP
00401006 8BC0 MOV EAX,EAX
00401008 . 8BD8 MOV EBX,EAX
0040100A . 33D9 XOR EBX,ECX
0040100C . 8BC3 MOV EAX,EBX
0040100E . 03CB ADD ECX,EBX
00401010 . 33C3 XOR EAX,EBX
00401012 . 2BC1 SUB EAX,ECX
00401014 . 8BCB MOV ECX,EBX
00401016 . 33D9 XOR EBX,ECX

The code below couldn't possibly compile into that jump, so I was stepping into the code. A while later I saw that the strange code began enumerating through the APIs in the ntdll.dll library. What's happening? If this is indeed a virus, where do I get help?

But I'm still not sure: both Comodo and Malwarebytes flag only the examples as viruses, not the file (test.exe).

Test code I was using to test...

*:
include \masm32\include\masm32rt.inc   ; MASM32 runtime include: Win32 prototypes and import libs (provides ExitProcess)
.data                                  ; empty data section
.code
Start:                                 ; entry point, lands at 00401000 in the loaded image
nop                                    ; six one-byte NOPs (90h), 00401000-00401005
nop
nop
nop
nop
nop
mov eax, eax                           ; the register arithmetic seen in the OllyDbg listing above
mov ebx, eax
xor ebx, ecx
mov eax, ebx
add ecx, ebx
xor eax, ebx
sub eax, ecx
mov ecx, ebx
xor ebx, ecx
invoke ExitProcess, 0h                 ; exit with code 0 (invoke expands to push/call through the ExitProcess import)
end Start                              ; end of module; Start is the entry point

Update:

The code isn't on disk, but in memory, so it's probably a library of some sort doing this:

Disassembly
00401000 start:
00401000 90 nop
00401001 90 nop
00401002 90 nop
00401003 90 nop
00401004 90 nop
00401005 90 nop

And I've removed the invoke ExitProcess and it's still there.
Comments (2)

Regarding the unexplained jump, a quick search on Google led to this thread on masm32.com, which seems to provide interesting information, and most notably:

The address 71B00000 is quite far away from your current code; check if it is in fact inside some other loaded module. Could even be a side-effect of using the invoke macro (or simply using DLLs - since ExitProcess is imported from a DLL). Try what happens if you replace that with a simple endless loop, i.e. JMP . or some such. You will then have to kill your program manually, of course, but it will be an interesting data point. Also, examine your exe file on disk to see if it already has the JMP at the start or not.
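The two checks the masm32.com reply suggests (is 71B00000 inside some loaded module, and does the exe on disk already carry the JMP), together with decoding the JMP 71B00000 line from the question, as an added Python example that is not part of the original post or of the reply. The module list and the tiny PE32 image it parses are constructed sample data, so the module names and bases, the build_sample_pe helper and the run_checks wrapper are assumptions for illustration; on a real machine you would hand entry_point_bytes the real test.exe and module_containing the base/size pairs from OllyDbg's module window.

```python
"""Added example (not from the original post or reply): the checks the
masm32.com reply suggests, done outside the debugger.
  1. decode the 'E9 FBEF6F71' near JMP OllyDbg showed at 00401000,
  2. ask whether the target lies inside a loaded module,
  3. read the entry-point bytes from a PE32 file on disk so they can be
     compared with what the debugger shows in memory.
The module list and the PE image built here are constructed sample data
(assumptions), not taken from the poster's machine."""
import struct


def decode_rel32_jmp(instr_addr, code):
    """Decode a 5-byte 'E9 rel32' near JMP at instr_addr. rel32 is relative to
    the *next* instruction (instr_addr + 5), which is why the raw bytes
    FB EF 6F 71 look nothing like the target 71B00000."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 near jump")
    rel32 = struct.unpack_from("<i", code, 1)[0]  # signed 32-bit displacement
    return (instr_addr + 5 + rel32) & 0xFFFFFFFF


def module_containing(addr, modules):
    """Name of the (name, base, size) module whose range holds addr, else None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def entry_point_bytes(image, count):
    """(entry VA, `count` bytes at the entry point) from a PE32 file image as
    stored on disk, mapping the entry RVA through the section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                    # optional header
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    for i in range(num_sections):                          # 40-byte section headers
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            off = rawptr + (entry_rva - vaddr)
            return image_base + entry_rva, bytes(image[off:off + count])
    raise ValueError("entry point is not inside any section")


def build_sample_pe(code, image_base=0x400000, code_rva=0x1000, raw_ptr=0x200):
    """Minimal PE32 image with one .text section whose entry point is the first
    byte of `code`. Constructed so the parser can run offline; not a real
    test.exe and never meant to be executed."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # magic
    struct.pack_into("<I", opt, 16, code_rva)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                 # ImageBase
    sect = b".text\0\0\0" + struct.pack("<IIII", len(code), code_rva, len(code), raw_ptr) + b"\0" * 16
    header = dos + coff + bytes(opt) + sect
    return header + b"\0" * (raw_ptr - len(header)) + code


# Bytes OllyDbg showed at 00401000 in the poster's process (from the post).
OLLY_ADDR = 0x401000
OLLY_BYTES = bytes.fromhex("E9FBEF6F71")
# What the assembled source should put at the entry point: six NOPs then the
# register arithmetic, using the opcodes from the OllyDbg listing.
CLEAN_ENTRY = bytes.fromhex("909090909090" "8BC08BD833D98BC303CB33C32BC18BCB33D9")
# Constructed module list (assumption), shaped like OllyDbg's module window.
SAMPLE_MODULES = [("test.exe", 0x400000, 0x3000),
                  ("kernel32.dll", 0x7C800000, 0xF6000),
                  ("ntdll.dll", 0x7C900000, 0xB2000)]


def run_checks(disk_image=None, modules=SAMPLE_MODULES):
    """Run all three checks; disk_image defaults to a constructed clean test.exe."""
    if disk_image is None:
        disk_image = build_sample_pe(CLEAN_ENTRY)
    target = decode_rel32_jmp(OLLY_ADDR, OLLY_BYTES)
    entry_va, on_disk = entry_point_bytes(disk_image, len(OLLY_BYTES))
    return {"jump_target": target,
            "target_module": module_containing(target, modules),
            "disk_entry": entry_va,
            "disk_bytes": on_disk,
            "patched_on_disk": on_disk == OLLY_BYTES}


if __name__ == "__main__":
    r = run_checks()
    print(f"JMP target {r['jump_target']:08X}, module: {r['target_module']}")
    print(f"on-disk entry {r['disk_entry']:08X}: {r['disk_bytes'].hex().upper()}")
    print("JMP already present on disk:", r["patched_on_disk"])
```

With the constructed clean image the on-disk entry reads 90 90 90 90 90 while memory holds E9 FB EF 6F 71, which is the situation the update describes (patched in memory, not on disk); feeding run_checks an image whose first bytes are the JMP instead reports patched_on_disk as true. If module_containing returns None for the real module list, the target is not backed by any loaded DLL, which is the other thing the reply asks you to establish before blaming invoke or the ExitProcess import.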