lcx源代码以及免杀的研究

之前和Random大神讨论了一下免杀的问题，他给出了一个比较不错的想法，使用debug版本发布可以过很多杀软。顺便看了下lcx的源码，发现其代码不算特别复杂，于是乎就在这分析一下。

报毒情况

因为使用的源代码编译，报毒不算很多，因为lcx使用的都是socket运行时不会被杀掉。基本上不报毒就是可以用了

使用debug方式发布的报毒

使用release方式发布的报毒情况，的确是多了那么几个但是没有想象中多的那么多

源代码

大体看了一下，其实就是很简单的运用了socket，三个核心函数bind2bind() conn2bind() conn2conn() 最后都是生成两个socket，之后放到transmitdata()里面传递数据

之前不大理解一个端口绑定两个socket，在代码里发现setsockopt()可以设置，因为每一个连接都由本地地址和远端地址的组合唯一确定，所以只要远端地址不同，两个套接口与一个地址捆绑并无大碍。为了通知WINDOWS套接口实现不要因为一个地址已被一个套接口使用就不让它与另一个套接口捆绑，应用程序可在bind()调用前先设置SO_REUSEADDR选项。

/*
************************************************************************************
*
* HTran.cpp - HUC Packet Transmit Tool.
*
* Copyright (C) 2000-2004 HUC All Rights Reserved.
*
* Author : lion
* : lion#cnhonker.net
* : <a href="http://www.cnhonker.com" target="_blank">http://www.cnhonker.com</a>
* :
* Notice : Thx to bkbll (bkbll#cnhonker.net)
* :
* Date : 2003-10-20
* :
* Complie : cl HTran.cpp
* :
* Usage : E:\>HTran
* : ======================== HUC Packet Transmit Tool V1.00 =======================
* : =========== Code by lion & bkbll, Welcome to <a href="http://www.cnhonker.com" target="_blank">http://www.cnhonker.com</a> ==========
* :
* : [Usage of Packet Transmit:]
* : HTran - [-log logfile]
* :
* : [option:]
* : -listen
* : -tran
* : -slave
*
************************************************************************************
*/
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <winsock.h>
#include <signal.h>
#include <errno.h>
#include <io.h>
#pragma comment(lib, "ws2_32.lib")

#define VERSION "1.00"
#define TIMEOUT 300
#define MAXSIZE 20480
#define HOSTLEN 40
#define CONNECTNUM 5

// define 2 socket struct
struct transocket
{
	SOCKET fd1;
	SOCKET fd2;
};

// define function
void ver();
void usage(char *prog);
void transmitdata(LPVOID data);
void getctrlc(int j);
void closeallfd();
void makelog(char *buffer, int length);
void proxy(int port);
void bind2bind(int port1, int port2);
void bind2conn(int port1, char *host, int port2);
void conn2conn(char *host1, int port1, char *host2, int port2);
int testifisvalue(char *str);
int create_socket();
int create_server(int sockfd, int port);
int client_connect(int sockfd, char* server, int port);

// define GLOBAL variable here
extern int errno;
FILE *fp;
int method=0;
//int connectnum=0;

//************************************************************************************
//
// function main 主要是处理用户参数输入的问题
//
//************************************************************************************
VOID main(int argc, char* argv[])
{
	char **p;
	char sConnectHost[HOSTLEN], sTransmitHost[HOSTLEN];
	int iConnectPort=0, iTransmitPort=0;
	char *logfile=NULL;

	ver();
	memset(sConnectHost, 0, HOSTLEN);
	memset(sTransmitHost, 0, HOSTLEN);

	p=argv;
	while(*p)
	{
		if(stricmp(*p, "-log") == 0)
		{
			if(testifisvalue(*(p+1)))
			{
				logfile = *(++p);
			}
			else
			{
				printf("[-] ERROR: Must supply logfile name.\r\n");
				return;
			}
			p++;
			continue;
		}
		p++;
	}

	if(logfile !=NULL)
	{
		fp=fopen(logfile,"a");
		if(fp == NULL )
		{
			printf("[-] ERROR: open logfile");
			return;
		}

		makelog("====== Start ======\r\n", 22);
	}

	// Win Start Winsock.
	WSADATA wsadata;
	WSAStartup(MAKEWORD(1, 1), &wsadata);

	signal(SIGINT, &getctrlc);

	if(argc > 2)
	{
		if(stricmp(argv[1], "-listen") == 0 && argc >= 4)
		{
			iConnectPort = atoi(argv[2]);
			iTransmitPort = atoi(argv[3]);
			method = 1;
		}
		else
		if(stricmp(argv[1], "-tran") == 0 && argc >= 5)
		{
			iConnectPort = atoi(argv[2]);
			strncpy(sTransmitHost, argv[3], HOSTLEN);
			iTransmitPort = atoi(argv[4]);
			method = 2;
		}
		else
		if(stricmp(argv[1], "-slave") == 0 && argc >= 6)
		{
			strncpy(sConnectHost, argv[2], HOSTLEN);
			iConnectPort = atoi(argv[3]);
			strncpy(sTransmitHost, argv[4], HOSTLEN);
			iTransmitPort = atoi(argv[5]);
			method = 3;
		}
	}

	switch(method)
	{
		case 1:
		bind2bind(iConnectPort, iTransmitPort);
		break;
		case 2:
		bind2conn(iConnectPort, sTransmitHost, iTransmitPort);
		break;
		case 3:
		conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort);
		break;
		default:
		usage(argv[0]);
		break;
	}

	if(method)
	{
		closeallfd();
	}

	WSACleanup();

	return;
}

//************************************************************************************
//
// print version message
//
//************************************************************************************
VOID ver()
{
	printf("======================== HUC Packet Transmit Tool V%s =======================\r\n", VERSION);
	printf("=========== Code by lion & bkbll, Welcome to http://www.cnhonker.com==========\r\n\n");
}

//************************************************************************************
//
// print usage message
//
//************************************************************************************
VOID usage(char* prog)
{
	printf("[Usage of Packet Transmit:]\r\n");
	printf(" %s - [-log logfile]\n\n", prog);
	printf("[option:]\n");
	printf(" -listen \n");
	printf(" -tran \n");
	printf(" -slave \n\n");
	return;
}

//************************************************************************************
//
// test if is value
//
//************************************************************************************
int testifisvalue(char *str)
{
	if(str == NULL ) return(0);
	if(str[0]=='-') return(0);
	return(1);
}

//************************************************************************************
//
// LocalHost:ConnectPort transmit to LocalHost:TransmitPort
//
//************************************************************************************
void bind2bind(int port1, int port2)
{
	SOCKET fd1,fd2, sockfd1, sockfd2;
	struct sockaddr_in client1,client2;
	int size1,size2;

	HANDLE hThread=NULL;
	transocket sock;
	DWORD dwThreadID;

	if((fd1=create_socket())==0) return;
	if((fd2=create_socket())==0) return;

	printf("[+] Listening port %d ......\r\n",port1);
	fflush(stdout);

	if(create_server(fd1, port1)==0)
	{
		closesocket(fd1);
		return;
	}

	printf("[+] Listen OK!\r\n");
	printf("[+] Listening port %d ......\r\n",port2);
	fflush(stdout);
	if(create_server(fd2, port2)==0)
	{
		closesocket(fd2);
		return;
	}

	printf("[+] Listen OK!\r\n");
	size1=size2=sizeof(struct sockaddr);
	while(1)
	{
		printf("[+] Waiting for Client on port:%d ......\r\n",port1);
		if((sockfd1 = accept(fd1,(struct sockaddr *)&client1,&size1))<0)
		{
			printf("[-] Accept1 error.\r\n");
			continue;
		}

	printf("[+] Accept a Client on port %d from %s ......\r\n", port1, inet_ntoa(client1.sin_addr));
	printf("[+] Waiting another Client on port:%d....\r\n", port2);
	if((sockfd2 = accept(fd2, (struct sockaddr *)&client2, &size2))<0)
	{
		printf("[-] Accept2 error.\r\n");
		closesocket(sockfd1);
		continue;
	}

	printf("[+] Accept a Client on port %d from %s\r\n",port2, inet_ntoa(client2.sin_addr));
	printf("[+] Accept Connect OK!\r\n");

	sock.fd1 = sockfd1;
	sock.fd2 = sockfd2;

	hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID);
	if(hThread == NULL)
	{
		TerminateThread(hThread, 0);
		return;
	}

	Sleep(1000);
	printf("[+] CreateThread OK!\r\n\n");
	}
}

//************************************************************************************
//
// LocalHost:ConnectPort transmit to TransmitHost:TransmitPort
//
//************************************************************************************
void bind2conn(int port1, char *host, int port2)
{
	SOCKET sockfd,sockfd1,sockfd2;
	struct sockaddr_in remote;
	int size;
	char buffer[1024];

	HANDLE hThread=NULL;
	transocket sock;
	DWORD dwThreadID;

	if (port1 > 65535 || port1 < 1)
	{
		printf("[-] ConnectPort invalid.\r\n");
		return;
	}

	if (port2 > 65535 || port2 < 1)
	{
		printf("[-] TransmitPort invalid.\r\n");
		return;
	}

	memset(buffer,0,1024);
	if((sockfd=create_socket()) == INVALID_SOCKET) return;

	if(create_server(sockfd, port1) == 0)
	{
		closesocket(sockfd);
		return;
	}

	size=sizeof(struct sockaddr);
	while(1)
	{
		printf("[+] Waiting for Client ......\r\n");
		if((sockfd1=accept(sockfd,(struct sockaddr *)&remote,&size))<0)
		{
		printf("[-] Accept error.\r\n");
		continue;
	}

	printf("[+] Accept a Client from %s:%d ......\r\n",
	inet_ntoa(remote.sin_addr), ntohs(remote.sin_port));
	if((sockfd2=create_socket())==0)
	{
		closesocket(sockfd1);
		continue;
	}
	printf("[+] Make a Connection to %s:%d ......\r\n",host,port2);
	fflush(stdout);

	if(client_connect(sockfd2,host,port2)==0)
	{
		closesocket(sockfd2);
		sprintf(buffer,"[SERVER]connection to %s:%d error\r\n", host, port2);
		send(sockfd1,buffer,strlen(buffer),0);
		memset(buffer, 0, 1024);
		closesocket(sockfd1);
		continue;
	}

	printf("[+] Connect OK!\r\n");

	sock.fd1 = sockfd1;
	sock.fd2 = sockfd2;

	hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID);
	if(hThread == NULL)
	{
		TerminateThread(hThread, 0);
		return;
	}

	Sleep(1000);
	printf("[+] CreateThread OK!\r\n\n");
	}
}

//************************************************************************************
//
// ConnectHost:ConnectPort transmit to TransmitHost:TransmitPort
//
//************************************************************************************
void conn2conn(char *host1,int port1,char *host2,int port2)
{
	SOCKET sockfd1,sockfd2;

	HANDLE hThread=NULL;
	transocket sock;
	DWORD dwThreadID;
	fd_set fds;
	int l;
	char buffer[MAXSIZE];

	while(1)
	{
		/*
		while(connectnum)
		{
			if(connectnum < CONNECTNUM)
			{
				Sleep(10000);
				break;
			}
			else
			{
				Sleep(TIMEOUT*1000);
				continue;
			}
		}
		*/

		if((sockfd1=create_socket())==0) return;
		if((sockfd2=create_socket())==0) return;

		printf("[+] Make a Connection to %s:%d....\r\n",host1,port1);
		fflush(stdout);
		if(client_connect(sockfd1,host1,port1)==0)
		{
			closesocket(sockfd1);
			closesocket(sockfd2);
			continue;
		}

		// fix by bkbll
		// if host1:port1 recved data, than connect to host2,port2
		l=0;
		memset(buffer,0,MAXSIZE);
		while(1)
		{
			FD_ZERO(&fds);
			FD_SET(sockfd1, &fds);
			if (select(sockfd1+1, &fds, NULL, NULL, NULL) == SOCKET_ERROR)
			{
				if (errno == WSAEINTR) continue;
				break;
			}
			if (FD_ISSET(sockfd1, &fds))
			{
				l=recv(sockfd1, buffer, MAXSIZE, 0);
				break;
			}
			Sleep(5);
		}

		if(l<=0)
		{
			printf("[-] There is a error...Create a new connection.\r\n");
			continue;
		}
		while(1)
		{
			printf("[+] Connect OK!\r\n");
			printf("[+] Make a Connection to %s:%d....\r\n", host2,port2);
			fflush(stdout);
			if(client_connect(sockfd2,host2,port2)==0)
			{
				closesocket(sockfd1);
				closesocket(sockfd2);
				continue;
			}

			if(send(sockfd2,buffer,l,0)==SOCKET_ERROR)
			{
				printf("[-] Send failed.\r\n");
				continue;
			}

			l=0;
			memset(buffer,0,MAXSIZE);
			break;
		}

		printf("[+] All Connect OK!\r\n");

		sock.fd1 = sockfd1;
		sock.fd2 = sockfd2;

		hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID);
		if(hThread == NULL)
		{
			TerminateThread(hThread, 0);
			return;
		}

		// connectnum++;

		Sleep(1000);
		printf("[+] CreateThread OK!\r\n\n");
	}
}

//************************************************************************************
//
// Socket Transmit to Socket
//
//************************************************************************************
void transmitdata(LPVOID data)
{
SOCKET fd1, fd2;
transocket *sock;
struct timeval timeset;
fd_set readfd,writefd;
int result,i=0;
char read_in1[MAXSIZE],send_out1[MAXSIZE];
char read_in2[MAXSIZE],send_out2[MAXSIZE];
int read1=0,totalread1=0,send1=0;
int read2=0,totalread2=0,send2=0;
int sendcount1,sendcount2;
int maxfd;
struct sockaddr_in client1,client2;
int structsize1,structsize2;
char host1[20],host2[20];
int port1=0,port2=0;
char tmpbuf[100];

sock = (transocket *)data;
fd1 = sock->fd1;
fd2 = sock->fd2;

memset(host1,0,20);
memset(host2,0,20);
memset(tmpbuf,0,100);

structsize1=sizeof(struct sockaddr);
structsize2=sizeof(struct sockaddr);

if(getpeername(fd1,(struct sockaddr *)&client1,&structsize1)<0)
{
strcpy(host1, "fd1");
}
else
{
// printf("[+]got, ip:%s, port:%d\r\n",inet_ntoa(client1.sin_addr),ntohs(client1.sin_port));
strcpy(host1, inet_ntoa(client1.sin_addr));
port1=ntohs(client1.sin_port);
}

if(getpeername(fd2,(struct sockaddr *)&client2,&structsize2)<0)
{
strcpy(host2,"fd2");
}
else
{
// printf("[+]got, ip:%s, port:%d\r\n",inet_ntoa(client2.sin_addr),ntohs(client2.sin_port));
strcpy(host2, inet_ntoa(client2.sin_addr));
port2=ntohs(client2.sin_port);
}

printf("[+] Start Transmit (%s:%d <-> %s:%d) ......\r\n\n", host1, port1, host2, port2);

maxfd=max(fd1,fd2)+1;
memset(read_in1,0,MAXSIZE);
memset(read_in2,0,MAXSIZE);
memset(send_out1,0,MAXSIZE);
memset(send_out2,0,MAXSIZE);

timeset.tv_sec=TIMEOUT;
timeset.tv_usec=0;

while(1)
{
FD_ZERO(&readfd);
FD_ZERO(&writefd);

FD_SET((UINT)fd1, &readfd);
FD_SET((UINT)fd1, &writefd);
FD_SET((UINT)fd2, &writefd);
FD_SET((UINT)fd2, &readfd);

result=select(maxfd,&readfd,&writefd,NULL,×et);
if((result<0) && (errno!=EINTR))
{
printf("[-] Select error.\r\n");
break;
}
else if(result==0)
{
printf("[-] Socket time out.\r\n");
break;
}

if(FD_ISSET(fd1, &readfd))
{
/* must < MAXSIZE-totalread1, otherwise send_out1 will flow */
if(totalread1) {
read1=recv(fd1, read_in1, MAXSIZE-totalread1, 0);
if((read1==SOCKET_ERROR) || (read1==0))
{
printf("[-] Read fd1 data error,maybe close?\r\n");
break;
}

memcpy(send_out1+totalread1,read_in1,read1);
sprintf(tmpbuf,"\r\nRecv %5d bytes from %s:%d\r\n", read1, host1, port1);
printf(" Recv %5d bytes %16s:%d\r\n", read1, host1, port1);
makelog(tmpbuf,strlen(tmpbuf));
makelog(read_in1,read1);
totalread1+=read1;
memset(read_in1,0,MAXSIZE);
}
}

if(FD_ISSET(fd2, &writefd))
{
int err=0;
sendcount1=0;
while(totalread1>0)
{
send1=send(fd2, send_out1+sendcount1, totalread1, 0);
if(send1==0)break;
if((send1<0) && (errno!=EINTR))
{
printf("[-] Send to fd2 unknow error.\r\n");
err=1;
break;
}

if((send1<0) && (errno==ENOSPC)) break;
sendcount1+=send1;
totalread1-=send1;

printf(" Send %5d bytes %16s:%d\r\n", send1, host2, port2);
}

if(err==1) break;
if((totalread1>0) && (sendcount1>0))
{
/* move not sended data to start addr */
memcpy(send_out1,send_out1+sendcount1,totalread1);
memset(send_out1+totalread1,0,MAXSIZE-totalread1);
}
else
memset(send_out1,0,MAXSIZE);
}

if(FD_ISSET(fd2, &readfd))
{
if(totalread2) {
read2=recv(fd2,read_in2,MAXSIZE-totalread2, 0);
if(read2==0)break;
if((read2<0) && (errno!=EINTR))
{
printf("[-] Read fd2 data error,maybe close?\r\n\r\n");
break;
}

memcpy(send_out2+totalread2,read_in2,read2);
sprintf(tmpbuf, "\r\nRecv %5d bytes from %s:%d\r\n", read2, host2, port2);
printf(" Recv %5d bytes %16s:%d\r\n", read2, host2, port2);
makelog(tmpbuf,strlen(tmpbuf));
makelog(read_in2,read2);
totalread2+=read2;
memset(read_in2,0,MAXSIZE);
}
}

if(FD_ISSET(fd1, &writefd))
{
int err2=0;
sendcount2=0;
while(totalread2>0)
{
send2=send(fd1, send_out2+sendcount2, totalread2, 0);
if(send2==0)break;
if((send2<0) && (errno!=EINTR))
{
printf("[-] Send to fd1 unknow error.\r\n");
err2=1;
break;
}
if((send2<0) && (errno==ENOSPC)) break;
sendcount2+=send2;
totalread2-=send2;

printf(" Send %5d bytes %16s:%d\r\n", send2, host1, port1);
}
if(err2==1) break;
if((totalread2>0) && (sendcount2 > 0))
{
/* move not sended data to start addr */
memcpy(send_out2, send_out2+sendcount2, totalread2);
memset(send_out2+totalread2, 0, MAXSIZE-totalread2);
}
else
memset(send_out2,0,MAXSIZE);
}

Sleep(5);
}

closesocket(fd1);
closesocket(fd2);
// if(method == 3)
// connectnum --;

printf("\r\n[+] OK! I Closed The Two Socket.\r\n");
}

void getctrlc(int j)
{
	printf("\r\n[-] Received Ctrl+C\r\n");
	closeallfd();
	exit(0);
}

void closeallfd()
{
	int i;

	printf("[+] Let me exit ......\r\n");
	fflush(stdout);

	for(i=3; i<256; i++)
	{
		closesocket(i);
	}

	if(fp != NULL)
	{
		fprintf(fp,"\r\n====== Exit ======\r\n");
		fclose(fp);
	}

	printf("[+] All Right!\r\n");
}

int create_socket()
{
	int sockfd;

	sockfd=socket(AF_INET,SOCK_STREAM,0);
	if(sockfd<0)
	{
		printf("[-] Create socket error.\r\n");
		return(0);
	}

	return(sockfd);
}

int create_server(int sockfd,int port)
{
	struct sockaddr_in srvaddr;
	int on=1;

	memset(&srvaddr, 0, sizeof(struct sockaddr));

	srvaddr.sin_port=htons(port);
	srvaddr.sin_family=AF_INET;
	srvaddr.sin_addr.s_addr=htonl(INADDR_ANY);

	setsockopt(sockfd,SOL_SOCKET,SO_REUSEADDR, (char*)&on,sizeof(on)); //so I can rebind the port

	if(bind(sockfd,(struct sockaddr *)&srvaddr,sizeof(struct sockaddr))<0)
	{
		printf("[-] Socket bind error.\r\n");
		return(0);
	}

	if(listen(sockfd,CONNECTNUM)<0)
	{
		printf("[-] Socket Listen error.\r\n");
		return(0);
	}

	return(1);
}

int client_connect(int sockfd,char* server,int port)
{
	struct sockaddr_in cliaddr;
	struct hostent *host;

	if(!(host=gethostbyname(server)))
	{
		printf("[-] Gethostbyname(%s) error:%s\n",server,strerror(errno));
		return(0);
	}

	memset(&cliaddr, 0, sizeof(struct sockaddr));
	cliaddr.sin_family=AF_INET;
	cliaddr.sin_port=htons(port);
	cliaddr.sin_addr=*((struct in_addr *)host->h_addr);

	if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0)
	{
		printf("[-] Connect error.\r\n");
		return(0);
	}
	return(1);
}

void makelog(char *buffer,int length)
{
	if(fp !=NULL)
	{
		// fprintf(fp, "%s", buffer);
		// printf("%s",buffer);
		write(fileno(fp),buffer,length);
		// fflush(fp);
	}
}

关于免杀

理论上来说只要找到特征码的那一段程序，然后改一改就可以了。

通常有源码情况下的免杀思路是使用MyCLL确定特征码，再通过特征码推出，原始语句并进行修改。

不过介于LCX的代码比较短，考虑直接从源代码入手。

四个核心函数bind2bind() conn2bind() conn2conn() transmitdata()分别注释掉。

注释掉  bind2bind() 报毒情况 

Ikarus	 Backdoor.Win32.Liondoor	 20130709
Kaspersky	 not-a-virus:HEUR:NetTool.Win32.Transmit.gen	 20130709

注释掉 bind2bind() conn2bind() conn2conn() 报毒情况

妥妥的没有毒~~~

注释掉 bind2bind() conn2bind() 报毒情况

还是妥妥的没有毒~~~

注释掉 conn2bind() 报毒情况

依旧是妥妥的没有毒~~~

其实这里我们只需要吧conn2bind()直接注释掉就可以了，它对应了-tran这个功能非常不常用，但是本着精益求精的态度，还是继续分析一下。

注释掉conn2bind()的函数内容，报毒反而增多了，有点诡异。

ESET-NOD32	 a variant of Win32/HackTool.Hucline.C	 20130708
Jiangmin	 Heur:Backdoor/RemoteControl	 20130709
Kaspersky	 not-a-virus:HEUR:NetTool.Win32.Transmit.gen	 20130709

这里突然醒悟，其实特征码也不在conn2bind()中，而是在main()函数的一段代码，在这里只要把下面的代码注释掉就不会报错。

switch(method)
{
case 1:
bind2bind(iConnectPort, iTransmitPort);
break;
case 2:
bind2conn(iConnectPort, sTransmitHost, iTransmitPort);
break;
case 3:
conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort);
break;
default:
usage(argv[0]);
break;
}

我们试着修改它一下

if (method==1)
	bind2bind(iConnectPort, iTransmitPort);
else if (method==2)
	bind2conn(iConnectPort, sTransmitHost, iTransmitPort);
else if (method==3)
	conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort);
else
	usage(argv[0]);

依旧报错了，还是那3个杀软。

试着加点料，结果还是不行

if (method==1){
	__asm nop;
	bind2bind(iConnectPort, iTransmitPort);
}
else if (method==2){
	__asm nop;
	bind2conn(iConnectPort, sTransmitHost, iTransmitPort);
}
else if (method==3){
	__asm nop;
	conn2conn(sConnectHost, iConnectPort, sTransmitHost, iTransmitPort);
}
else {
	__asm nop;
	usage(argv[0]);
}

这时突然发现我又傻逼了，其实特征码应该在transmitdata()中，感觉江民定位的代码应该是这一句

hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)transmitdata, (LPVOID)&sock, 0, &dwThreadID); 

如果是地址定位的话，换一换函数和变量的定义顺序应该就可以，但是没有生效。这里因为不想装一个杀软做测试所以，留个坑。

最后贴上几个比较通用的免杀方法，是看雪的一个神贴里面的。

http://bbs.pediy.com/showthread.php?t=134354

设置对齐方式

#pragma comment(linker, "/FILEALIGN:16")
// 设置最小节的大小，数值越小文件的体积就越小，不过最小是16
#pragma comment(linker, "/ALIGN:16")

优化选项

// 清除从未引用的函数和/或数据
#pragma comment(linker, "/opt:ref")
#pragma comment (linker, "/OPT:ICF")
// 获得精简应用程序，减小体积
#pragma comment(linker, "/opt:nowin98")

区段的合并和独立

// 设置data段属性为可读可写可执行
#pragma comment(linker, "/section:.data,RWE")
// 接下来就可以进行区段合并操作了比如，将上面的text和rdata都合并到data去
#pragma comment(linker, "/MERGE:.rdata=.data")
#pragma comment(linker, "/MERGE:.text=.data")

另外一种方法就是将一个文件的代码全部放置到一个自定义段中

#pragma code_seg("section1")