Is there any way to kill Kaspersky's process?
Kaspersky's process protection is done very well; ordinary process-killing techniques have no effect on it.
I'd like to know how it does this. Would anyone who has studied process protection please give some pointers...
Points: 0 · Replies: 19
#1 Rogeremail (绿色环保-菜青虫), replied 2005-02-01 14:17:08, score 0
Probably the same as Norton AntiVirus: both use a driver for protection.
#2 Zark (金陵五月), replied 2005-02-02 04:18:02, score 0
What is the process name of Norton AntiVirus? Can it really not be killed?
#3 alphagx (alpha), replied 2005-02-02 17:04:33, score 0
You can hook the process-open or process-terminate functions at the application layer,
or, at the kernel layer, enter Ring0 and modify the process ID in ActiveProcessLink,
so that you cannot open the process,
or hook the SystemServices Tables and replace the handler for NtOpenProcess,
so that when the process ID is found to be the one I want to protect, it returns access denied. This method is fairly simple.
There are many methods; as long as you know how an ordinary user kills a process, you can think of many solutions.
The prerequisite is that you know the process-related structures fairly well.
#4 BeRoy (失眠), replied 2005-02-03 22:19:31, score 0
麻棵
#5 pepsi1980 (这只老鼠不会游泳), replied 2005-02-05 11:39:27, score 0
Obtain sufficiently high privileges (DEBUG or SYSTEM), forcibly terminate it and delete the EXE.
#6 Rogeremail (绿色环保-菜青虫), replied 2005-02-05 13:25:19, score 0
to Zark (金陵五月):
> What is the process name of Norton AntiVirus? Can it really not be killed?
Its name is "SAVSCAN.EXE". I injected a piece of self-terminating code directly, and tried a method that bypasses the IAT modification... none of them killed it! (under SYSTEM privileges)
#7 Zark (金陵五月), replied 2005-02-08 00:10:17, score 0
Which version of NORTON do you have?
#8 ukyo1 (**), replied 2005-02-08 13:21:57, score 0
Why do you want to kill it? Yesterday my machine accidentally ran a trojan, and only it could deal with it. Are you planning to write a super-powerful trojan?
#9 fanqing (火影忍者+28%(准备学习进程/线程)), replied 2005-02-08 15:57:03, score 0
gz
#10 gaooo (像男人一样去战斗www.sawin.cn), replied 2005-02-08 17:36:55, score 0
gz
#11 yczhenghe (长枫), replied 2005-02-08 18:29:02, score 0
ntsd -c q -p PID
usage: ntsd [options]
Options:
<command-line> command to run under the debugger
-? displays command line help text
-- equivalent to -G -g -o -p -1 -d -pd
-2 creates a separate console window for debuggee
-a<DllName> adds a default extension DLL
-bonc request break in after session started
-c "<command>" executes the given debugger command at the first debugger
prompt
-cf <file> specifies a script file to be processed at the first debugger
prompt
-clines <#> number of lines of output history retrieved by a remote
client
-d sends all debugger output to kernel debugger via DbgPrint
input is requested from the kernel debugger via DbgPrompt
-d cannot be used with debugger remoting
-d can only be used when the kernel debugger is enabled
-ddefer sends all debugger output to kernel debugger via DbgPrint
input is requested from the kernel debugger via DbgPrompt unless
there are remote clients that can provide input
-ddefer can only be used when the kernel debugger is enabled
-ddefer should be used with -server
-ee <name> set default expression evaluator
<name> can be MASM or C++
-failinc causes incomplete symbol and module loads to fail
-g ignores initial breakpoint in debuggee
-G ignores final breakpoint at process termination
-hd specifies that the debug heap should not be used for created
processes.
This only works on Windows XP and later
-i <ImagePath> specifies the location of the executables that generated the
fault (see _NT_EXECUTABLE_IMAGE_PATH)
-isd sets the CREATE_IGNORE_SYSTEM_DEFAULT flag in STARTUPINFO.dwFlags
during CreateProcess
-lines requests that line number information be used if present
-loga <logfile> appends to a log file
-logo <logfile> opens a new log file
-myob ignores version mismatches in DBGHELP.DLL
-n enables verbose output from symbol handler
-noio disables all I/O for dedicated remoting servers
-noshell disables the .shell (!!) command
-o debugs all processes launched by debuggee
-p <pid> specifies the decimal process ID to attach to
-pb specifies that the debugger should not break in at attach
-pd specifies that the debugger should automatically detach
-pe specifies that any attach should be to an existing debug port
-pn <name> specifies the name of the process to attach to
-pr specifies that the debugger should resume on attach
-premote <transport>:server=<name>,<params>
specifies the process server to connect to
transport arguments are given as with remoting
-pt <#> specifies the interrupt timeout
-pv specifies that any attach should be noninvasive
-pvr specifies that any attach should be noninvasive and nonsuspending
-QR \\<machine> queries for remote servers
-r <BreakErrorLevel> specifies the (0-3) error level to break on (see
SetErrorLevel)
-remote <transport>:server=<name>,<params>
lets you connect to a debugger session started with -server
must be the first argument if present
transport: tcp | npipe | ssl | spipe | 1394 | com
name: machine name on which the debug server was created
params: parameters the debugger server was created with
for tcp use: port=<socket port #>
for npipe use: pipe=<name of pipe>
for 1394 use: channel=<channel #>
for com use: port=<COM port>,baud=<baud rate>,
channel=<channel #>
for ssl and spipe see the documentation
example: ... -remote npipe:server=yourmachine,pipe=foobar
-robp allows breakpoints to be set in read-only memory
-rtl uses RtlCreateUserProcess instead of Win32 CreateProcess
-s disables lazy symbol loading
-sdce pops up dialogs for critical errors
-secure disallows operations dangerous for the host
-server <transport>:<params>
creates a debugger session other people can connect to
must be the first argument if present
transport: tcp | npipe | ssl | spipe | 1394 | com
params: connection parameterization
for tcp use: port=<socket port #>
for npipe use: pipe=<name of pipe>
for 1394 use: channel=<channel #>
for com use: port=<COM port>,baud=<baud rate>,
channel=<channel #>
for ssl and spipe see the documentation
example: ... -server npipe:pipe=foobar
-ses enables strict symbol loading
-sfce fails critical errors encountered during file searching
-sflags <flags> sets symbol flags from a numeric argument
-sicv ignores the CV record when symbol loading
-sins ignores the symbol path environment variables
-snc converts :: to __ in symbol names
-snul disables automatic symbol loading for unqualified names
-srcpath <SourcePath> specifies the source search path
-sup enables full public symbol searches
-t <PrintErrorLevel> specifies the (0-3) error level to display (see
SetErrorLevel)
-v enables verbose output from debugger
-w specifies to debug 16 bit applications in a separate VDM
-wake <pid> wakes up a sleeping debugger and exits
-x sets second-chance break on AV exceptions
-x{e|d|n|i} <event> sets the break status for the specified event
-y <SymbolsPath> specifies the symbol search path (see _NT_SYMBOL_PATH)
-z <CrashDmpFile> specifies the name of a crash dump file to debug
-zp <CrashPageFile> specifies the name of a page.dmp file to use with a
crash dump
Environment Variables:
_NT_SYMBOL_PATH=[Drive:][Path]
Specify symbol image path.
_NT_ALT_SYMBOL_PATH=[Drive:][Path]
Specify an alternate symbol image path.
_NT_DEBUGGER_EXTENSION_PATH=[Drive:][Path]
Specify a path which should be searched first for extensions dlls
_NT_EXECUTABLE_IMAGE_PATH=[Drive:][Path]
Specify executable image path.
_NT_SOURCE_PATH=[Drive:][Path]
Specify source file path.
_NT_DEBUG_LOG_FILE_OPEN=filename
If specified, all output will be written to this file from offset 0.
_NT_DEBUG_LOG_FILE_APPEND=filename
If specified, all output will be APPENDed to this file.
_NT_DEBUG_HISTORY_SIZE=size
Specifies the size of a server's output history in kilobytes
Control Keys:
<Ctrl-B><Enter> Quit debugger
<Ctrl-C> Break into Target
<Ctrl-F><Enter> Force a break into debuggee (same as Ctrl-C)
<Ctrl-P><Enter> Debug Current debugger
<Ctrl-V><Enter> Toggle Verbose mode
<Ctrl-W><Enter> Print version information
#12 yunboddd (云波), replied 2005-02-11 01:58:16, score 0
On NT, just stop the Norton and Kaspersky services. No idea what to do on 98/ME.
#13 zju3020912063 (), replied 2005-02-11 17:03:05, score 0
What yczhenghe (长枫) described is the universal method, but whether it will be restarted is hard to say.
#14 Rogeremail (绿色环保-菜青虫), replied 2005-02-12 18:56:01, score 0
to Zark (金陵五月):
> Which version of NORTON do you have?
Norton AntiVirus 2004 Professional
SAVScan.exe 9.2.0.79
#15 tabris17 (四不象), replied 2005-02-14 16:06:24, score 0
Hook SwapContext
and refuse to let that process's threads execute; that's enough.
#16 wangjia184 (我就是传说中的。。。。。。SB), replied 2005-02-14 21:46:10, score 0
Heh heh
Last time I was wandering around a machine on the network
I found a program
and was secretly pleased
downloaded and ran it
no interface
alarmed: a virus!
It then broke my NORTON (latest) and 天网 and deleted them
I reinstalled NORTON and found the installer had been deleted
Depressed, I looked for a dedicated removal tool to check
more than 3000 files already infected
Sigh: I'll never wander around other people's machines again
#17 Zark (金陵五月), replied 2005-02-15 00:50:35, score 0
I only have Norton 9.0; its process seems to be Rtvscan.exe, and it can be shut down. Next time I get 9.2 I'll see whether SAVScan.exe can be shut down. Many thanks! (In principle, since the user owns the computer, no software can legally deprive the user of the right to close its process.)
#18 Rogeremail (绿色环保-菜青虫), replied 2005-02-15 13:07:13, score 0
Still following...
#19 wenxy1 (周末了,极速飙车), replied 2005-02-15 13:27:13, score 0
Following