SBQQ Trojan Analysis Report
Source: Internet  Editor: 程序博客网  Time: 2024/04/29 16:22
by 蓝云
I. Virus information:
Name: SBQQ.Exe
Size: 66.6kb
Type: Trojan
Affected systems: Win9x / WinNT
II. Overview
The trojan installs a hook procedure to capture QQ account information and sends it out by submitting it to a website.
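III. Technical features:
1. Creates the file _xr.bat, which deletes the trojan itself.
2. Creates and loads the DLL file C:/Program Files/Sysinfo.wmp.
3. Adds an entry under the registry key "SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks/"
that registers the DLL file "C:/Program Files/SysInfo.wmp", with the registration ID
"{7C3E3EA0-F318-43FB-952E-74736B2F6789}".
4. Installs a hook procedure to monitor the QQ window.
5. After the system restarts, copies "C:/WINDOWS/system32/VerCLSID.exe"
to "C:/WINDOWS/system32/VerCLSID.bak" and deletes the original file.
6. Deletes the QQ Doctor (QQ医生) program.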
IV. Solution
1. Delete the DLL file C:/Program Files/Sysinfo.wmp.
2. Delete the entry under the registry key "SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks/"
for "C:/Program Files/SysInfo.wmp", whose registration ID is
"{7C3E3EA0-F318-43FB-952E-74736B2F6789}".
3. Delete the registry key HKEY_CLASSES_ROOT/CLSID/{7C3E3EA0-F318-43FB-952E-74736B2F6789}/InProcServer32.
4. Delete the file VerCLSID.bak.
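A check for the registry persistence listed in sections III and IV, as an added Python example (not part of the original report): it reads the text of a registry export, resolves every ShellExecuteHooks CLSID to its InProcServer32 path, and flags the report's CLSID or any in-process server that is not a .dll. Assumptions: the key lives under HKEY_LOCAL_MACHINE, registry paths are written with backslashes rather than the page's forward slashes, and the names parse_reg, audit_hooks, the .dll heuristic and the sample export (including the benign CLSID) are constructed for illustration.

```python
import re

SBQQ_CLSID = "{7C3E3EA0-F318-43FB-952E-74736B2F6789}"  # CLSID given in the report
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

# Constructed sample: concatenated registry-export text; the first CLSID is a made-up benign hook.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{11111111-2222-3333-4444-555555555555}"=""
"{7C3E3EA0-F318-43FB-952E-74736B2F6789}"=""

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"

[HKEY_CLASSES_ROOT\CLSID\{7C3E3EA0-F318-43FB-952E-74736B2F6789}\InProcServer32]
@="C:\\Program Files\\SysInfo.wmp"
"ThreadingModel"="Apartment"
"""

def parse_reg(text):
    """Parse .reg text into {UPPERCASED_KEY_PATH: {value_name: string_data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def audit_hooks(text):
    """Return (clsid, server, reason) for each suspicious ShellExecuteHooks entry."""
    keys, findings = parse_reg(text), []
    for path, values in keys.items():
        if not path.endswith("\\EXPLORER\\SHELLEXECUTEHOOKS"):
            continue
        for clsid in values:
            suffix = "\\CLSID\\" + clsid.upper() + "\\INPROCSERVER32"
            server = next((v.get("") for p, v in keys.items() if p.endswith(suffix)), None)
            if clsid.upper() == SBQQ_CLSID:
                reason = "CLSID from the SBQQ report"
            elif server is None:
                reason = "no InProcServer32 default value"
            elif not server.lower().endswith(".dll"):
                reason = "in-process server is not a .dll"
            else:
                continue
            findings.append((clsid, server, reason))
    return findings
```
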
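V. Analysis
This is a trojan produced by a trojan builder. It is not packed, and the APIs it imports are the ones an ordinary trojan calls.
The key APIs are CreateFileA, ReadFile, DeleteFileA, GetFileType, GetKeyboardType, GetProcAddress, LoadLibraryA,
MoveFileExA, RegCreateKeyExA, ShellExecuteA, VirtualAlloc.
Without further ado, set breakpoints on CreateFile and the related APIs, which leads here: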
004028D8 . 6A 00 push 0 ; /hTemplateFile = NULL
004028DA . 68 80000000 push 80 ; |Attributes = NORMAL
004028DF . 51 push ecx ; |Mode
004028E0 . 6A 00 push 0 ; |pSecurity = NULL
004028E2 . 52 push edx ; |ShareMode
004028E3 . 50 push eax ; |Access
004028E4 . 8D46 48 lea eax,dword ptr ds:[esi+48] ; |
004028E7 . 50 push eax ; |FileName
004028E8 . E8 1BE7FFFF call <jmp.&kernel32.CreateFileA> ; /CreateFileA
Creating the file _xr.bat:
00404B0A |. E8 39EFFFFF call SBQQ.00403A48
00404B0F |. E8 14E2FFFF call SBQQ.00402D28
00404B14 |. E8 63DAFFFF call SBQQ.0040257C
00404B19 |. 68 204C4000 push SBQQ.00404C20 ; ASCII "if exist ""
00404B1E |. 8D95 18FEFFFF lea edx,dword ptr ss:[ebp-1E8]
00404B24 |. 33C0 xor eax,eax
00404B26 |. E8 ADDBFFFF call SBQQ.004026D8
00404B2B |. FFB5 18FEFFFF push dword ptr ss:[ebp-1E8]
00404B31 |. 68 144C4000 push SBQQ.00404C14
00404B36 |. 68 344C4000 push SBQQ.00404C34 ; ASCII " goto try"
00404B3B |. 8D85 1CFEFFFF lea eax,dword ptr ss:[ebp-1E4]
00404B41 |. BA 04000000 mov edx,4
00404B46 |. E8 C1ECFFFF call SBQQ.0040380C
00404B4B |. 8B95 1CFEFFFF mov edx,dword ptr ss:[ebp-1E4]
00404B51 |. 8D85 30FEFFFF lea eax,dword ptr ss:[ebp-1D0]
00404B57 |. E8 ECEEFFFF call SBQQ.00403A48
00404B5C |. E8 C7E1FFFF call SBQQ.00402D28
00404B61 |. E8 16DAFFFF call SBQQ.0040257C
00404B66 |. BA 484C4000 mov edx,SBQQ.00404C48 ; ASCII "del %0"
00404B6B |. 8D85 30FEFFFF lea eax,dword ptr ss:[ebp-1D0]
00404B71 |. E8 D2EEFFFF call SBQQ.00403A48
00404B76 |. E8 ADE1FFFF call SBQQ.00402D28
00404B7B |. E8 FCD9FFFF call SBQQ.0040257C
00404B80 |. 8D85 30FEFFFF lea eax,dword ptr ss:[ebp-1D0]
00404B86 |. E8 3DDFFFFF call SBQQ.00402AC8
00404B8B |. E8 ECD9FFFF call SBQQ.0040257C
The batch file is built here. Its contents:
:try
del "E:/crack/收集的病毒/编程爱好者/SBQQ.exe"
if exist "E:/crack/收集的病毒/编程爱好者/SBQQ.exe" goto try
del %0
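Clearly the batch file is meant to delete the trojan itself, which is a rather clumsy way to do it.
Next, of course, the batch file is executed: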
00404B99 |. E8 AEEDFFFF call SBQQ.0040394C
00404B9E |. 50 push eax ; |FileName
00404B9F |. 68 504C4000 push SBQQ.00404C50 ; |Operation = "open"
00404BA4 |. 6A 00 push 0 ; |hWnd = NULL
00404BA6 |. E8 95F4FFFF call <jmp.&shell32.ShellExecuteA> ; /ShellExecuteA
004044AF |. E8 98F4FFFF call SBQQ.0040394C
004044B4 |. 50 push eax ; |FileName
004044B5 |. E8 CEF9FFFF call <jmp.&kernel32.CreateFileA> ; /CreateFileA //old trick: opens itself
004044BA |. 8BD8 mov ebx,eax
004044BC |. 83FB FF cmp ebx,-1
004044BF |. 74 6A je short SBQQ.0040452B
004044C1 |. 6A 02 push 2 ; /Origin = FILE_END
004044C3 |. 6A 00 push 0 ; |pOffsetHi = NULL
004044C5 |. 6A FC push -4 ; |OffsetLo = FFFFFFFC (-4.)
004044C7 |. 53 push ebx ; |hFile
004044C8 |. E8 43FAFFFF call <jmp.&kernel32.SetFilePointer> ; /SetFilePointer
004044CD |. 6A 00 push 0 ; /pOverlapped = NULL
004044CF |. 8D45 F8 lea eax,dword ptr ss:[ebp-8] ; |
004044D2 |. 50 push eax ; |pBytesRead
004044D3 |. 6A 04 push 4 ; |BytesToRead = 4
004044D5 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C] ; |
004044D8 |. 50 push eax ; |Buffer
004044D9 |. 53 push ebx ; |hFile
004044DA |. E8 21FAFFFF call <jmp.&kernel32.ReadFile> ; /ReadFile //reads four bytes from the end of the file
004044DF |. 8175 F4 697A6>xor dword ptr ss:[ebp-C],4D617A69
004044E6 |. 6A 00 push 0 ; /pFileSizeHigh = NULL
004044E8 |. 53 push ebx ; |hFile
004044E9 |. E8 C2F9FFFF call <jmp.&kernel32.GetFileSize> ; /GetFileSize
004044EE |. 3B45 F4 cmp eax,dword ptr ss:[ebp-C]
004044F1 |. 72 38 jb short SBQQ.0040452B
004044F3 |. 6A 02 push 2 ; /Origin = FILE_END
004044F5 |. 6A 00 push 0 ; |pOffsetHi = NULL
004044F7 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C] ; |
004044FA |. F7D8 neg eax ; |
004044FC |. 50 push eax ; |OffsetLo
004044FD |. 53 push ebx ; |hFile
004044FE |. E8 0DFAFFFF call <jmp.&kernel32.SetFilePointer> ; /SetFilePointer
00404503 |. 8BC6 mov eax,esi
00404505 |. 8B55 F4 mov edx,dword ptr ss:[ebp-C]
00404508 |. E8 D7F4FFFF call SBQQ.004039E4
0040450D |. 6A 00 push 0
0040450F |. 8D45 F8 lea eax,dword ptr ss:[ebp-8]
00404512 |. 50 push eax
00404513 |. 8B45 F4 mov eax,dword ptr ss:[ebp-C]
00404516 |. 50 push eax
00404517 |. 8BC6 mov eax,esi
00404519 |. E8 7EF4FFFF call SBQQ.0040399C
0040451E |. 50 push eax ; |Buffer
0040451F |. 53 push ebx ; |hFile
00404520 |. E8 DBF9FFFF call <jmp.&kernel32.ReadFile> ; /ReadFile //reads more this time
Clearly the encrypted data all ends up where Buffer points; setting a hardware breakpoint on the buffer yields the ciphertext.
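The trailer check traced above, as an added Python example (not code from the original report): it locates the appended blob in a sample file with the same arithmetic as the listing, which is useful for carving it statically instead of under a debugger. The blob is returned still encrypted, since the report does not show the decryption routine; carve_overlay, build_sample and the sample bytes are constructed for illustration.

```python
import struct
from typing import Optional

XOR_KEY = 0x4D617A69  # operand of `xor dword ptr ss:[ebp-C],4D617A69` at 004044DF


def carve_overlay(data: bytes) -> Optional[bytes]:
    """Return the appended, still-encrypted blob, or None if the trailer check fails."""
    if len(data) < 4:
        return None
    # SetFilePointer(-4, FILE_END) + ReadFile(4): trailing dword, little-endian on x86.
    (masked,) = struct.unpack("<I", data[-4:])
    blob_len = masked ^ XOR_KEY
    # cmp eax,[ebp-C] / jb: give up when the file is smaller than the decoded length.
    if len(data) < blob_len:
        return None
    # Added sanity check (not in the listing): the span must cover the trailer itself.
    if blob_len < 4:
        return None
    # SetFilePointer(-blob_len, FILE_END) + ReadFile(blob_len): the last blob_len bytes,
    # which by this arithmetic include the 4-byte trailer.
    return data[-blob_len:]


def build_sample(payload: bytes) -> bytes:
    """Constructed test input: fake stub + opaque payload + masked length trailer."""
    stub = b"MZ" + b"\x00" * 62
    total = len(payload) + 4
    return stub + payload + struct.pack("<I", total ^ XOR_KEY)


if __name__ == "__main__":
    sample = build_sample(bytes(range(28)))        # constructed, not real malware data
    blob = carve_overlay(sample)
    print(len(sample), len(blob), blob[:8].hex())
    print(carve_overlay(b"MZ" + b"\x00" * 100))   # file without the trailer
```
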
Continuing to trace:
00404EEE |> /53 push ebx ; /Path
00404EEF |. E8 28F5FFFF call <jmp.&shlwapi.PathFileExistsA> ; //checks whether C:/Program Files/Sysinfo.wmp exists
00404EF4 |. 85C0 test eax,eax
00404EF6 |. 74 36 je short SBQQ.00404F2E //jumps if it exists:
Arriving here:
00404F45 |. 53 push ebx ; /FileName
00404F46 |. E8 95EFFFFF call <jmp.&kernel32.LoadLibraryA> ; /LoadLibraryA
It creates and loads C:/Program Files/Sysinfo.wmp, which shows that Sysinfo.wmp is a DLL file.
00404F55 |. 68 FC504000 push SBQQ.004050FC ; /ProcNameOrOrdinal = "JmpHookOff"
00404F5A |. 53 push ebx ; |hModule
00404F5B |. E8 60EFFFFF call <jmp.&kernel32.GetProcAddress> ; /GetProcAddress
00404F60 |. 89C6 mov esi,eax
00404F62 |. 68 08514000 push SBQQ.00405108 ; /ProcNameOrOrdinal = "JmpHookOn"
00404F67 |. 53 push ebx ; |hModule
00404F68 |. E8 53EFFFFF call <jmp.&kernel32.GetProcAddress> ; /GetProcAddress
This obtains the addresses of the two functions JmpHookOff and JmpHookOn in the DLL file.
Next:
00404F7F |. 6A 00 push 0 ; /Arg8 = 00000000
00404F81 |. 6A 00 push 0 ; |Arg7 = 00000000
00404F83 |. 6A 00 push 0 ; |Arg6 = 00000000
00404F85 |. 6A 00 push 0 ; |Arg5 = 00000000
00404F87 |. 6A 00 push 0 ; |Arg4 = 00000000
00404F89 |. 6A 00 push 0 ; |Arg3 = 00000000
00404F8B |. A1 50764000 mov eax,dword ptr ds:[407650] ; |
00404F90 |. 50 push eax ; |Arg2 => 00400000 ASCII "MZP"
00404F91 |. 6A 00 push 0 ; |Arg1 = 00000000
00404F93 |. BA 14514000 mov edx,SBQQ.00405114 ; |ASCII "ZXY_Exe"
00404F98 |. B8 1C514000 mov eax,SBQQ.0040511C ; |ASCII "ListBox"
00404F9D |. 33C9 xor ecx,ecx ; |
00404F9F |. E8 C0EFFFFF call SBQQ.00403F64 ; /SBQQ.00403F64
Stepping into the call shows that it creates a window. Then:
00404FEF |. 8B45 B8 mov eax,dword ptr ss:[ebp-48]
00404FF2 |. BA 98504000 mov edx,SBQQ.00405098 ; ASCII "c:/sf.exe"
00404FF7 |. E8 9CE8FFFF call SBQQ.00403898
00404FFC |. 75 28 jnz short SBQQ.00405026
This checks whether c:/sf.exe is present; if it is not, execution jumps to the code below:
00405026 |> /FFD7 call edi ; SysInfo.JmpHookOn
This runs the hooking routine in the DLL.
Next:
00404758 |. 51 push ecx ; |pHandle
00404759 |. 6A 00 push 0 ; |pSecurity = NULL
0040475B |. 68 3F000F00 push 0F003F ; |Access = KEY_ALL_ACCESS
00404760 |. 6A 00 push 0 ; |Options = REG_OPTION_NON_VOLATILE
00404762 |. 6A 00 push 0 ; |Class = NULL
00404764 |. 6A 00 push 0 ; |Reserved = 0
00404766 |. 52 push edx ; |Subkey
00404767 |. 50 push eax ; |hKey
00404768 |. E8 03F7FFFF call <jmp.&advapi32.RegCreateKe>; /RegCreateKeyExA
00404774 |. 50 push eax ; /BufSize
00404775 |. 53 push ebx ; |Buffer
00404776 |. 6A 01 push 1 ; |ValueType = REG_SZ
00404778 |. 6A 00 push 0 ; |Reserved = 0
0040477A |. 56 push esi ; |ValueName
0040477B |. 8B45 FC mov eax,dword ptr ss:[ebp-4] ; |
0040477E |. 50 push eax ; |hKey
0040477F |. E8 F4F6FFFF call <jmp.&advapi32.RegSetValue>; /RegSetValueExA
00404784 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00404787 |. 50 push eax ; /hKey
00404788 |. E8 DBF6FFFF call <jmp.&advapi32.RegCloseKey>; /RegCloseKey
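This adds an entry under the registry key "SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks/"
that registers the DLL file "C:/Program Files/SysInfo.wmp", with the registration ID
"{7C3E3EA0-F318-43FB-952E-74736B2F6789}".
Next, of course, it is registered as a COM server: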
004047CB |. BA D0484000 mov edx,SBQQ.004048D0 ; ASCII "CLSID/{7C3E3EA0-F318-43FB-952E-74736B2F6789}"
004047D0 |. E8 C7EEFFFF call SBQQ.0040369C
004047D5 |. 68 54484000 push SBQQ.00404854
004047DA |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
004047DD |. E8 6AF1FFFF call SBQQ.0040394C
004047E2 |. 8BD0 mov edx,eax ; |
004047E4 |. B9 54484000 mov ecx,SBQQ.00404854 ; |
004047E9 |. B8 00000080 mov eax,80000000 ; |
004047EE |. E8 45FFFFFF call SBQQ.00404738 ; /SBQQ.00404738
004047F3 |. 8D45 FC lea eax,dword ptr ss:[ebp-4]
004047F6 |. BA 08494000 mov edx,SBQQ.00404908 ; ASCII "/InProcServer32"
004047FB |. E8 54EFFFFF call SBQQ.00403754
00404800 |. 56 push esi
00404801 |. 8B45 FC mov eax,dword ptr ss:[ebp-4]
00404804 |. E8 43F1FFFF call SBQQ.0040394C
00404809 |. 8BD8 mov ebx,eax ; |
0040480B |. 8BD3 mov edx,ebx ; |
0040480D |. B9 54484000 mov ecx,SBQQ.00404854 ; |
00404812 |. B8 00000080 mov eax,80000000 ; |
00404817 |. E8 1CFFFFFF call SBQQ.00404738 ; /SBQQ.00404738
0040481C |. 68 18494000 push SBQQ.00404918 ; /Arg1 = 00404918 ASCII "Apartment"
00404821 |. 8BD3 mov edx,ebx ; |
00404823 |. B9 24494000 mov ecx,SBQQ.00404924 ; |ASCII "ThreadingModel"
00404828 |. B8 00000080 mov eax,80000000 ; |
0040482D |. E8 06FFFFFF call SBQQ.00404738 ; /SBQQ.00404738
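Now for the analysis of the DLL file SysInfo.wmp.
Its function calls are much the same as the key functions above, with socket connections added, so you can probably guess what that means.
Arriving here: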
003D98D9 |> /BA A89B3D0>mov edx,SysInfo.003D9BA8 ; ASCII "Explorer.Exe"
003D98DE |. A1 58B83D0>mov eax,dword ptr ds:[3DB858]
003D98E3 |. E8 04ABFFF>call SysInfo.003D43EC //checks in here whether Explorer.Exe is the process that loaded it
003D98E8 |. 84C0 test al,al //
003D98EA |. 74 58 je short SysInfo.003D9944 //jumps if it is not
Continuing to trace:
003D9907 |. E8 2898FFF>call SysInfo.003D3134 //gets the system path
003D990C |. 8D45 B4 lea eax,dword ptr ss:[ebp-4C]
003D990F |. B9 C09B3D0>mov ecx,SysInfo.003D9BC0 ; ASCII "VerCLSID.exe"
003D9914 |. 8B15 5CB83>mov edx,dword ptr ds:[3DB85C]
003D991A |. E8 8599FFF>call SysInfo.003D32A4 //builds the path of "VerCLSID.exe"
003D991F |. 8B45 B4 mov eax,dword ptr ss:[ebp-4C]
003D9922 |. 50 push eax
Then:
003D9926 |. B9 D89B3D0>mov ecx,SysInfo.003D9BD8 ; ASCII "VerCLSID.bak"
003D992B |. 8B15 5CB83>mov edx,dword ptr ds:[3DB85C]
003D9931 |. E8 6E99FFF>call SysInfo.003D32A4
003D9936 |. 8B45 B0 mov eax,dword ptr ss:[ebp-50]
003D9939 |. 5A pop edx
This sets the path of "VerCLSID.bak" to C:/windows/system32.
Tracing on to here:
003D45A6 |. 8BC3 mov eax,ebx
003D45A8 |. E8 ABEEFFF>call SysInfo.003D3458
003D45AD |. 50 push eax
003D45AE |. 8BC6 mov eax,esi
003D45B0 |. E8 A3EEFFF>call SysInfo.003D3458
003D45B5 |. 50 push eax ; |ExistingName
003D45B6 |. E8 8DF5FFF>call <jmp.&kernel32.MoveFileExA> ; /MoveFileExA
After the system restarts, "C:/WINDOWS/system32/VerCLSID.exe" is copied
to "C:/WINDOWS/system32/VerCLSID.bak" and the original file is deleted.
Continuing:
003D9AFD |. /74 2C je short SysInfo.003D9B2B
003D9AFF |. |68 249C3D0>push SysInfo.003D9C24 ; /Title = "ZXY_Dll"
003D9B04 |. |68 2C9C3D0>push SysInfo.003D9C2C ; |Class = "ListBox"
003D9B09 |. |E8 8AA0FFF>call <jmp.&user32.FindWindowA> ; /FindWindowA
003D9B0E |. |85C0 test eax,eax
003D9B10 |. |75 2D jnz short SysInfo.003D9B3F
003D9B12 |. |68 60B83D0>push SysInfo.003DB860 ; /pThreadId = SysInfo.003DB860
003D9B17 |. |6A 00 push 0 ; |CreationFlags = 0
003D9B19 |. |6A 42 push 42 ; |pThreadParm = 00000042
003D9B1B |. |68 6C943D0>push SysInfo.003D946C ; |ThreadFunction = SysInfo.003D946C
003D9B20 |. |6A 00 push 0 ; |StackSize = 0
003D9B22 |. |6A 00 push 0 ; |pSecurity = NULL
003D9B24 |. |E8 AF9FFFF>call <jmp.&kernel32.CreateThread> ; /CreateThread
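As can be seen, it looks for the specified window; if the window is found it creates a thread, otherwise it jumps out:
Continuing the analysis above, if it is QQ that loads the DLL, execution arrives here: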
003D9A28 |> /E8 C7DEFFF>call SysInfo.003D78F4
003D9A2D |> BA 149C3D0>mov edx,SysInfo.003D9C14 ; ASCII "QQDoctor.exe"
003D9A32 |. A1 58B83D0>mov eax,dword ptr ds:[3DB858]
003D9A37 |. E8 B0A9FFF>call SysInfo.003D43EC
003D9A3C |. 84C0 test al,al
003D9A3E |. 74 07 je short SysInfo.003D9A47
003D9A40 |. 6A 00 push 0 ; /ExitCode = 0
003D9A42 |. E8 A1A0FFF>call <jmp.&kernel32.ExitProcess> ; /ExitProcess
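This checks whether QQDoctor.exe is running and, if it is, terminates the process:
It then looks for the specific window and, if it exists, creates a new thread.
Tracing into the new thread: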
003D94BD |. 50 push eax ; /FileName
003D94BE |. E8 7DA6FFF>call <jmp.&kernel32.LoadLibraryA> ; /LoadLibraryA
It loads itself.
Continuing to trace:
003D9356 |> /68 C8923D0>push SysInfo.003D92C8 ; /Timerproc = SysInfo.003D92C8
003D935B |. 68 E803000>push 3E8 ; |Timeout = 1000. ms
003D9360 |. 6A 00 push 0 ; |TimerID = 0
003D9362 |. 6A 00 push 0 ; |hWnd = NULL
003D9364 |. E8 A7A8FFF>call <jmp.&user32.SetTimer> ; /SetTimer
A timer is set.
003D4075 |. 6A 00 |push 0 ; /Title = NULL
003D4077 |. 68 DC403D0>|push SysInfo.003D40DC ; |Class = "Tencent_QQBar"
003D407C |. 6A 00 |push 0 ; |hAfterWnd = NULL
003D407E |. 53 |push ebx ; |hParent
003D407F |. E8 1CFBFFF>|call <jmp.&user32.FindWindowExA> ; /FindWindowExA
The QQ window is checked once every second. At the same time:
003D40F0 |. 54 push esp ; /pHandle
003D40F1 |. 68 3C413D0>push SysInfo.003D413C ; |Subkey = "SOFTWARE"
003D40F6 |. 68 0200008>push 80000002 ; |hKey = HKEY_LOCAL_MACHINE
003D40FB |. E8 78F9FFF>call <jmp.&advapi32.RegOpenKeyA> ; /RegOpenKeyA
003D4100 |. 54 push esp ; /pHandle
003D4101 |. 68 48413D0>push SysInfo.003D4148 ; |Subkey = "Microsoft"
003D4106 |. 8B4424 08 mov eax,dword ptr ss:[esp+8] ; |
003D410A |. 50 push eax ; |hKey
003D410B |. E8 68F9FFF>call <jmp.&advapi32.RegOpenKeyA> ; /RegOpenKeyA
003D4110 |. 68 FF00000>push 0FF ; /BufSize = FF (255.)
003D4115 |. 53 push ebx ; |Buffer
003D4116 |. 6A 01 push 1 ; |ValueType = REG_SZ
003D4118 |. 6A 00 push 0 ; |Reserved = 0
003D411A |. 68 54413D0>push SysInfo.003D4154 ; |ValueName = "onecloseqq"
003D411F |. 8B4424 14 mov eax,dword ptr ss:[esp+14] ; |
003D4123 |. 50 push eax ; |hKey
003D4124 |. E8 5FF9FFF>call <jmp.&advapi32.RegSetValueExA> ; /RegSetValueExA
This sets a registry value.
Continuing the analysis leads here:
003D421D |. 6A 00 push 0 ; /hTemplateFile = NULL
003D421F |. 68 8000000>push 80 ; |Attributes = NORMAL
003D4224 |. 6A 03 push 3 ; |Mode = OPEN_EXISTING
003D4226 |. 6A 00 push 0 ; |pSecurity = NULL
003D4228 |. 6A 01 push 1 ; |ShareMode = FILE_SHARE_READ
003D422A |. 68 0000008>push 80000000 ; |Access = GENERIC_READ
003D422F |. 53 push ebx ; |FileName
003D4230 |. E8 6BF8FFF>call <jmp.&kernel32.CreateFileA> ; /CreateFileA
003D4296 |. 50 push eax
003D4297 |. 8D45 F4 lea eax,dword ptr ss:[ebp-C]
003D429A |. E8 11F2FFF>call SysInfo.003D34B0
003D429F |. 50 push eax ; |Buffer
003D42A0 |. 53 push ebx ; |hFile
003D42A1 |. E8 BAF8FFF>call <jmp.&kernel32.ReadFile> ; /ReadFile
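It reads the last few bytes of itself, which must hold the mailbox address or website URL; setting a hardware breakpoint on the address where the data is stored yields the decrypted data. That is not our concern here, since our goal is to analyze the trojan itself.
In fact, the analysis of this trojan is now complete; all that remains is how the trojan sends out what it has collected.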