I see so many people on this forum who like to write
removal tools!
But because of the conditions of the development environment, those have no effect against rootkit-type viruses!
Here is a small tool for everyone! It lets people with no programming background quickly write small virus-removal scripts!
And those with a little programming background can write targeted removers and save a lot of time!
Everyone can happily help others remove viruses! ^^ Everyone can be an expert.
Once you have finished analyzing a sample, you can easily write a removal script for everyone to use, based on your analysis notes!

I remember a certain moderator once wanted to write this kind of small tool himself, but the will was there and the energy was not!
Now I am handing this little tool to you... make good use of it.. CC
For example, if I want to delete a certain driver, I only need to type BadDriver and the driver is deleted.
Example Usage
Code:
Drivers to delete:
BadDriver
For example, if I want to delete a certain file... the script only needs to say (environment variables are supported)..
Code:
Files to delete:
C:\WINDOWS\System32\SomeBadFile.dll
%windir%\bad.exe
c:\documents and settings\file.exe
The Avenger v2 Released!
Including:
- A complete overhaul of the GUI
- Automatic rootkit detection and removal
- New scripting functionality
- Full compatibility with Windows Vista
The Avenger
What is it?
The Avenger is a fully-scriptable, kernel-level Windows driver designed to remove highly persistent files, registry keys/values, and other drivers protected by entrenched malware.
Why is it useful?
The Avenger is effective at removing malware that is hooked deeply into the operating system itself, which is often difficult for standard tools.
Script Tutorial
The core of The Avenger is its script-processing functionality, so this tutorial covers the syntax used in Avenger scripts.
Below are the features the scripts support! It should be much more convenient than your custom removers.
- An Avenger script is composed of lines of plain text, containing one command per line.
- The Avenger currently recognizes 12 command directives. They are:
An In-Depth Example
- To put it all together, I will walk through an example of how to construct an Avenger script.
- I assume a user of The Avenger will already have sufficient familiarity with the Windows registry. If you are not familiar with the registry or reading data exports from it, you might want to read one or more of the following tutorials before going any further with The Avenger:
Demystifying the Windows Registry [bleepingcomputer.com]
Description of the Windows Registry [microsoft.com]
Windows Registry Tutorial [pctools.com]
- Even if you are familiar with the basic structure of the registry, if you are not experienced at identifying registry loading points, drivers, or specific signs of malware infection, it is strongly recommended to use The Avenger under expert supervision.
The Avenger is a very powerful tool and can easily be misused! See "Why is it important to be careful with it?". Please feel free to contact me any time for help with The Avenger or scripts.
Step 1: Identifying the Problem
- Suppose you have the following exports from the registry (in standard .REG file format) and you know them to be malicious:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ntbase"="c:\\windows\\ntbase.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"ntbase"="c:\\windows\\ntbase.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="C:\\WINDOWS\\System32\\expl0rer.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmcca]
"Asynchronous"=dword:00000001
"DLLName"="pmcca.dll"
"Impersonate"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServProv]
"DisplayName"="Windows NT Services provider"
"ErrorControl"=dword:00000000
"Group"="Base"
"ImagePath"="System32\\drivers\\provider.sys"
"Start"=dword:00000001
"Type"=dword:00000001
- The same information could be obtained from a program like HijackThis or from many other similar tools. I will use the raw registry export here.
- I made this example up, but it is fairly typical of simple infections using simple loading points to run on reboot, load a driver into kernel memory, etc.
- I will now break down piece-by-piece how to convert this registry export into commands to give The Avenger to remove the infection.
Step 2: Analyzing the Pieces
Let's consider each piece of the registry export above in turn.
- Registry data
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ntbase"="c:\\windows\\ntbase.exe"
Here the HKEY_LOCAL_MACHINE\...\Run portion is the registry key name and the "ntbase" line is a value under the \...\Run key. The value name is the part inside the first pair of quotation marks, ntbase; the part after the equals sign is the value's data.
The Run value above is designed to execute the malware on each reboot. We don't want to delete the whole Run key, since legitimate applications execute from there as well. We just want to remove the bad value named "ntbase". Assuming we also want to delete the associated file, we would feed to The Avenger:
Avenger script
Registry values to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ntbase
Files to delete:
c:\windows\ntbase.exe
where we have constructed the "Registry values to delete:" syntax from the key name, a pipe | , and the value name.
Note that we have discarded the double backslashes \\ in favor of single backslashes \ in the file path. Double backslashes are required (as escape characters) inside quotation marks in .REG file expressions, but The Avenger does not use them.
For more information see the command references for "Registry values to delete:" and "Files to delete:".
- The next part is similar, using a different autorun location in the registry:
Registry data
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"ntbase"="c:\\windows\\ntbase.exe"
The Policies\Explorer\Run key does not exist in Windows by default, and if no legitimate applications are running from it (it is likely that none are), we can delete the key outright, which will delete the bad value underneath the key automatically:
Avenger script
Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Files to delete:
c:\windows\ntbase.exe
Of course, if we have already issued the "Files to delete:" command for c:\windows\ntbase.exe above, there is no need to do it again.
For more information see the command reference for "Registry keys to delete:".
- Next we have another loading point:
Registry data
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="C:\\WINDOWS\\System32\\expl0rer.exe"
The "System" value under the Winlogon key does exist by default, but its data is normally an empty string. So we don't want to delete the value; instead, we want Avenger to replace its data with a dummy, which for a string value is the empty string. So we use:
Avenger script
Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | System
Files to delete:
c:\windows\system32\expl0rer.exe
Note that the legitimate explorer.exe has a letter 'O' instead of a number 'zero' in the filename, and is located in the Windows directory, not the Windows\System32 directory.
For more information see the command reference for "Registry values to replace with dummy:".
- The next two parts are again autorun keys we want to delete:
Registry data
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmcca]
"Asynchronous"=dword:00000001
"DLLName"="pmcca.dll"
"Impersonate"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}]
So we can do:
Avenger script
Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmcca
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}
Note that the key name should be put entirely on one line, even if it is very long like this one. (The key name above is in fact on a single line, even though your browser will probably word-wrap it. Be careful of this!)
- Lastly, we have the driver:
Registry data
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServProv]
"DisplayName"="Windows NT Services provider"
"ErrorControl"=dword:00000000
"Group"="Base"
"ImagePath"="System32\\drivers\\provider.sys"
"Start"=dword:00000001
"Type"=dword:00000001
Let's examine the various parts of this key. The last component of the key name, the subkey name under Services (ServProv here), is the "driver name". For user-mode services this is what the services.msc console shows as the "Service name"; kernel drivers like this one are not listed in services.msc at all, so the registry export is where you read it. This name is what we need for The Avenger. The other values, such as "DisplayName", are not needed for the driver command; the "ImagePath" only matters if we want to delete the driver file afterwards.
We know this is a driver: "Type"=dword:00000001 is SERVICE_KERNEL_DRIVER, and "Start"=dword:00000001 (SERVICE_SYSTEM_START) means it is loaded early in the boot sequence. So we must use a driver-specific Avenger command. If we want to delete this driver outright, we use "Drivers to delete:"; if we just want to disable it, we use "Drivers to disable:".
Suppose we want to delete it. The syntax would be:
Avenger script
Drivers to delete:
ServProv
This will delete the entire HKLM\...\Services\ServProv key, so there is nothing more to do, unless we also want to delete the associated driver file. The "ImagePath" above is relative, and a relative ImagePath is resolved against the Windows directory, so the file is:
Avenger script
Files to delete:
C:\WINDOWS\System32\drivers\provider.sys
Step 3: Putting it All Together
That's it! Let's put all of this together and see the complete Avenger script:
Drivers to delete:
ServProv
Registry values to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | ntbase
Files to delete:
c:\windows\ntbase.exe
c:\windows\system32\expl0rer.exe
C:\WINDOWS\System32\drivers\provider.sys
Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | System
Registry keys to delete:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmcca
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}
- I have consolidated the commands that we use more than once, for ease of reading the script.
- Note that The Avenger does NOT guarantee that the commands in a script are executed in the order written. In fact the "Drivers to delete:" command is executed first even if it is not listed first, because it has to be: otherwise the associated driver file provider.sys could not safely be removed with "Files to delete:", since the driver would still be loaded, and that could deadlock the system. I listed the driver first anyway so the script is easier to read, and that is probably good practice.
http://swandog46.geekstogo.com/index.html
Download :
http://swandog46.geekstogo.com/avenger2/download.php
[ This post was last edited by domino on 2008-4-24 19:14 ]
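The hand conversion walked through in Steps 1 to 3 above, as an added example that is not part of The Avenger or its documentation: a Python script that parses a .REG export and emits an Avenger script using the tutorial's own rules (delete only the values under keys that exist on a clean system, such as the built-in Run key; blank the Winlogon "System" value instead of deleting it; delete whole keys that are absent by default, such as Policies\Explorer\Run, Winlogon\Notify\<x> and BHO CLSIDs; map a Services subkey with Type 1 to "Drivers to delete:"), collapsing the doubled backslashes of .REG syntax and listing the driver first. The sample input is the tutorial's made-up export, embedded inline. Assumptions: prefixing a relative ImagePath with %windir% relies on the environment-variable support shown earlier on this page, and the rule set covers only the loading points in this example; every generated line still has to be reviewed by the analyst before it is fed to The Avenger.

```python
"""Added example (not part of The Avenger): build an Avenger script from a
.REG export with the rules the tutorial applies by hand."""
import re

# Avenger orders the work itself; drivers are listed first anyway, as advised.
DIRECTIVE_ORDER = ["Drivers to delete:", "Registry values to delete:",
                   "Files to delete:", "Registry values to replace with dummy:",
                   "Registry keys to delete:"]
FULL_PATH = re.compile(r"^(?:[a-z]:\\|%)", re.I)  # drive letter or %windir%-style

# Constructed sample input: the tutorial's (made-up) registry export.
REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ntbase"="c:\\windows\\ntbase.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"ntbase"="c:\\windows\\ntbase.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"="C:\\WINDOWS\\System32\\expl0rer.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmcca]
"Asynchronous"=dword:00000001
"DLLName"="pmcca.dll"
"Impersonate"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServProv]
"DisplayName"="Windows NT Services provider"
"ErrorControl"=dword:00000000
"Group"="Base"
"ImagePath"="System32\\drivers\\provider.sys"
"Start"=dword:00000001
"Type"=dword:00000001
'''

def parse_reg(text):
    """Return [(key_name, {value_name: raw_data})] in file order.
    Multi-line hex(..) data and the @= default value are not handled."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            keys.append((line[1:-1], {}))
        elif keys:
            m = re.match(r'"((?:[^"\\]|\\.)+)"=(.*)$', line)
            if m:
                keys[-1][1][m.group(1)] = m.group(2)
    return keys

def reg_string(raw):
    """Decode quoted REG_SZ data, collapsing the doubled backslashes and
    escaped quotes .REG files use inside quotes to the plain form Avenger wants."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return None

def reg_dword(raw):
    return int(raw[6:], 16) if raw.startswith("dword:") else None

def classify(key, values):
    """Map one exported key to [(directive, argument)], choosing value-level
    removal for keys that exist on a clean system and key-level otherwise."""
    out, low = [], key.lower()
    if "\\services\\" in low:
        if reg_dword(values.get("Type", "")) == 0x1:  # SERVICE_KERNEL_DRIVER
            out.append(("Drivers to delete:", key.split("\\")[-1]))
            image = reg_string(values.get("ImagePath", ""))
            if image:  # a relative ImagePath is relative to the Windows directory;
                # %windir% assumes Avenger's env-var support shown on the page
                out.append(("Files to delete:",
                            image if FULL_PATH.match(image) else "%windir%\\" + image))
        return out
    if low.endswith("\\currentversion\\run"):
        directive = "Registry values to delete:"  # built-in Run key: keep it
    elif low.endswith("\\currentversion\\winlogon"):
        directive = "Registry values to replace with dummy:"  # System is "" by default
    else:  # Policies\Explorer\Run, Winlogon\Notify\<x>, BHO CLSIDs: absent on a
        directive = "Registry keys to delete:"  # clean system, so drop the key
        out.append((directive, key))
    for name, raw in values.items():
        if directive != "Registry keys to delete:":
            out.append((directive, f"{key} | {name}"))
        path = reg_string(raw)
        if path and FULL_PATH.match(path):  # a bare "pmcca.dll" is left alone
            out.append(("Files to delete:", path))
    return out

def build_script(reg_text):
    """Group arguments under their directives, deduplicated case-insensitively."""
    buckets, seen = {d: [] for d in DIRECTIVE_ORDER}, set()
    for key, values in parse_reg(reg_text):
        for directive, arg in classify(key, values):
            if (directive, arg.lower()) not in seen:
                seen.add((directive, arg.lower()))
                buckets[directive].append(arg)
    lines = [line for d, args in buckets.items() if args for line in [d, *args]]
    return "\n".join(lines) + "\n"
```

Calling build_script(REG_EXPORT) reproduces the Step 3 script line for line, except that the driver file comes out as %windir%\System32\drivers\provider.sys rather than the hard-coded C:\WINDOWS path. A real export saved by regedit is UTF-16, so read it with open(path, encoding="utf-16") before passing it in. The classification is deliberately conservative: a value whose data is not a full path (the bare "pmcca.dll" in the Notify key) produces no "Files to delete:" line, exactly as in the tutorial, because guessing a directory for it is the kind of step that should be an analyst's decision, not a script's.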