超强灰鸽子vip2005检测器 (Super Gray Pigeon VIP 2005 Detector): a brief analysis of its detection principle
http://skyxnet.blogdriver.com/skyxnet/1013647.html
Preface: the new Gray Pigeon (灰鸽子) always gives the impression of being everywhere. I myself have run into it several times on friends' machines, and each time I could only identify and remove it by hand. When I came across this detector I did a little testing. It worked very well, so I wanted to find out how it works! ^_^
First, let's look at how it executes on a system that is not infected with Gray Pigeon:
00459E2B 68 10A24500      push 超强灰鸽.0045A210               ; ASCII "GPigeon5_Shared"
00459E30 6A 00            push 0
00459E32 6A 04            push 4
00459E34 E8 E3C3FAFF      call
00459E39 A3 ACDC4500      mov dword ptr ds:[45DCAC],eax        ; eax=0 means no handle was returned
00459E3E 833D ACDC4500 0> cmp dword ptr ds:[45DCAC],0
00459E45 0F84 70030000    je 超强灰鸽.0045A1BB                 ; jump taken
The stack at the time of the OpenFileMappingA() call (its three arguments):
0012F5E4 00000004 |Access = FILE_MAP_READ
0012F5E8 00000000 |InheritHandle = FALSE
0012F5EC 0045A210 \MappingName = "GPigeon5_Shared"
0045A1BB 8B83 FC020000    mov eax,dword ptr ds:[ebx+2FC]       ; execution jumps here
0045A1C1 8B80 20020000    mov eax,dword ptr ds:[eax+220]
0045A1C7 BA C8A34500      mov edx,超强灰鸽.0045A3C8            ; "Gray Pigeon VIP 2005 server not detected"
0045A1CC 8B08             mov ecx,dword ptr ds:[eax]           ; ecx=0x427c4c ASCII "4AA"
0045A1CE FF51 38          call dword ptr ds:[ecx+38]           ; returns with eax=0
0045A1D1 833D ACDC4500 0> cmp dword ptr ds:[45DCAC],0
0045A1D8 74 0B            je short 超强灰鸽.0045A1E5           ; jump taken
0045A1DA A1 ACDC4500      mov eax,dword ptr ds:[45DCAC]
0045A1DF 50               push eax
0045A1E0 E8 F7BDFAFF      call
0045A1E5 33C0             xor eax,eax
0045A1E7 5A               pop edx
0045A1E8 59               pop ecx
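So the whole detection comes down to one API call: the program asks OpenFileMappingA for read access to an existing section object named "GPigeon5_Shared". If the call returns a handle, the server has created its shared section and is considered present; if it returns 0, the "not detected" message is shown. Below is an added example (written for this post, not the detector's own code) that performs the same check from PowerShell through .NET's MemoryMappedFile class, which opens a named section the same way OpenFileMapping does. The only name it relies on is the mapping name visible on the stack above; the function name Test-NamedFileMapping is my own.

```powershell
# Added example: reproduce the detector's check with .NET's memory-mapped-file API.
# The mapping name is the one pushed onto the stack in the disassembly.
param(
    [string]$MappingName = 'GPigeon5_Shared'
)

function Test-NamedFileMapping {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # Same request as OpenFileMappingA(FILE_MAP_READ, FALSE, $Name):
        # open an already existing section object by name, read access only.
        $map = [System.IO.MemoryMappedFiles.MemoryMappedFile]::OpenExisting(
            $Name, [System.IO.MemoryMappedFiles.MemoryMappedFileRights]::Read)
        # A handle came back (eax != 0 in the listing): the object exists.
        # Release it, as the detector passes its saved handle to a call before clearing eax.
        $map.Dispose()
        return $true
    }
    catch [System.IO.FileNotFoundException] {
        # OpenFileMapping returned NULL: no section with this name in our session namespace.
        return $false
    }
    catch [System.UnauthorizedAccessException] {
        # The object exists but our token may not read it; for a presence check that still counts.
        return $true
    }
}

if (Test-NamedFileMapping -Name $MappingName) {
    Write-Output "Gray Pigeon VIP 2005 server detected: section object '$MappingName' exists"
} else {
    Write-Output "Gray Pigeon VIP 2005 server not detected (no '$MappingName' section object)"
}
```

Run it on the Windows host being checked; the name lookup happens in the caller's session namespace, just as the detector's unprefixed OpenFileMappingA call does. Note what this does and does not prove: it is a presence test for one fixed object name, so it fires only on server builds that still create a section called GPigeon5_Shared, and a server that has been modified to use another name will not be reported.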