[Original] MFC Spy: digging out the internal functions of an MFC program
I also wrote something, DeMfc lite, but it is only half finished. I used a static-analysis approach. Comparing the results, I think your method based on the MessageMap pump may miss some MessageMaps. Below are the results of analysing your MfcSpy.exe.

1. Analysis with MfcSpy

// Main Form
HWND: 000301CE class:0012FE44(CDialog,size=0x60)
CDialog:CWnd:CCmdTarget:CObject
[+00]vtbl address=00403578(mfcspy.exe+003578)
[+04]CCmdTarget::m_dwRef=1
[+08]CCmdTarget::m_pOuterUnknown=00000000
[+0C]CCmdTarget::m_xInnerUnknown=00000000
[+10]CCmdTarget::m_xDispatch.m_vtbl=00000000
[+14]CCmdTarget::m_bResultExpected=00000001
[+18]CCmdTarget::m_xConnPtContainer.m_vtbl=00000000
[+1C]CCmdTarget::m_pModuleState=00135FF0
[+20]CWnd::m_hWnd=000301CE
[+24]CWnd::m_hWndOwner=00000000
[+28]CWnd::m_nFlags=00000018
[+2C]CWnd::m_pfnSuper=77E0D439
[+30]CWnd::m_nModalResult=FFFFFFFF
[+34]CWnd::m_pDropTarget=00000000
[+38]CWnd::m_pCtrlCont=00000000
[+3C]CWnd::m_pCtrlSite=00000000
[+40]CDialog::m_nIDHelp=00000066
[+44]CDialog::m_lpszTemplateName=00000066
[+48]CDialog::m_hDialogTemplate=00000000
[+4C]CDialog::m_lpDialogTemplate=00000000
[+50]CDialog::m_lpDialogInit=00000000
[+54]CDialog::m_pParentWnd=(CWnd*)00000000
[+58]CDialog::m_hWndTop=(HWND)00000000
[+5C]CDialog::m_pOccDialogInfo=00000000
[vtbl+00]GetRuntimeClass =00402098->5F4064BC(MFC42.DLL+0064BC)
[vtbl+04]destructor =004013D0(mfcspy.exe+0013D0)
[vtbl+08]Serialize =00401D00(mfcspy.exe+001D00)
[vtbl+0C]AssertValid =00401240(mfcspy.exe+001240)
[vtbl+10]Dump =00401D00(mfcspy.exe+001D00)
[vtbl+14]OnCmdMsg =00402092->5F4064EB(MFC42.DLL+0064EB)
[vtbl+18]OnFinalRelease =0040208C->5F418D39(MFC42.DLL+018D39)
[vtbl+1C]IsInvokeAllowed =00401F90->5F4187CB(MFC42.DLL+0187CB)
[vtbl+20]GetDispatchIID =00401F8A->5F4103E8(MFC42.DLL+0103E8)
[vtbl+24]GetTypeInfoCount =00401F84->5F40196C(MFC42.DLL+00196C)
[vtbl+28]GetTypeLibCache =00401F7E->5F40196C(MFC42.DLL+00196C)
[vtbl+2C]GetTypeLib =00401F78->5F45E645(MFC42.DLL+05E645)
[vtbl+30]GetMessageMap =00401420(mfcspy.exe+001420)
[vtbl+34]GetCommandMap =00401F72->5F45E6A6(MFC42.DLL+05E6A6)
[vtbl+38]GetDispatchMap =00401F6C->5F45E662(MFC42.DLL+05E662)
[vtbl+3C]GetConnectionMap =00401F66->5F45E6A0(MFC42.DLL+05E6A0)
[vtbl+40]GetInterfaceMap =00401F60->5F414CC3(MFC42.DLL+014CC3)
[vtbl+44]GetEventSinkMap =00401F5A->5F45E668(MFC42.DLL+05E668)
[vtbl+48]OnCreateAggregates =00401F54->5F401958(MFC42.DLL+001958)
[vtbl+4C]GetInterfaceHook =00401F4E->5F4103E8(MFC42.DLL+0103E8)
[vtbl+50]GetExtraConnectionPoints=00401F48->5F4103E8(MFC42.DLL+0103E8)
[vtbl+54]GetConnectionHook =00401F42->5F4103E8(MFC42.DLL+0103E8)
[vtbl+58]PreSubclassWindow =00402086->5F404448(MFC42.DLL+004448)
[vtbl+5C]Create =00402080->5F40AA5F(MFC42.DLL+00AA5F)
[vtbl+60]DestroyWindow =0040207A->5F4057B8(MFC42.DLL+0057B8)
[vtbl+64]PreCreateWindow =00402074->5F40C22D(MFC42.DLL+00C22D)
[vtbl+68]CalcWindowRect =0040206E->5F40C3ED(MFC42.DLL+00C3ED)
[vtbl+6C]OnToolHitTest =00402068->5F45C2E3(MFC42.DLL+05C2E3)
[vtbl+70]GetScrollBarCtrl =00402062->5F4103E8(MFC42.DLL+0103E8)
[vtbl+74]WinHelpA =0040205C->5F45C5BC(MFC42.DLL+05C5BC)
[vtbl+78]ContinueModal =00402056->5F414BFE(MFC42.DLL+014BFE)
[vtbl+7C]EndModalLoop =00402050->5F414C41(MFC42.DLL+014C41)
[vtbl+80]OnCommand =0040204A->5F402A8B(MFC42.DLL+002A8B)
[vtbl+84]OnNotify =00402044->5F403290(MFC42.DLL+003290)
[vtbl+88]GetSuperWndProcAddr =0040203E->5F404444(MFC42.DLL+004444)
[vtbl+8C]DoDataExchange =004013F0(mfcspy.exe+0013F0)
[vtbl+90]BeginModalState =00401BE0(mfcspy.exe+001BE0)
[vtbl+94]EndModalState =00401BF0(mfcspy.exe+001BF0)
[vtbl+98]PreTranslateMessage =00402038->5F414B8F(MFC42.DLL+014B8F)
[vtbl+9C]OnAmbientProperty =00402032->5F45E09F(MFC42.DLL+05E09F)
[vtbl+A0]WindowProc =0040202C->5F401ADD(MFC42.DLL+001ADD)
[vtbl+A4]OnWndMsg =00402026->5F401B21(MFC42.DLL+001B21)
[vtbl+A8]DefWindowProcA =00402020->5F401EDD(MFC42.DLL+001EDD)
[vtbl+AC]PostNcDestroy =0040201A->5F404448(MFC42.DLL+004448)
[vtbl+B0]OnChildNotify =00402014->5F4022BC(MFC42.DLL+0022BC)
[vtbl+B4]CheckAutoCenter =0040200E->5F40688B(MFC42.DLL+00688B)
[vtbl+B8]IsFrameWnd =00402008->5F40196C(MFC42.DLL+00196C)
[vtbl+BC]SetOccDialogInfo =00402002->5F45D6FC(MFC42.DLL+05D6FC)
[vtbl+C0]DoModal =00401FD2->5F414E8E(MFC42.DLL+014E8E)
[vtbl+C4]OnInitDialog =00401430(mfcspy.exe+001430)
[vtbl+C8]OnSetFont =00401FF6->5F405ABF(MFC42.DLL+005ABF)
[vtbl+CC]OnOK =00401660(mfcspy.exe+001660)
[vtbl+D0]OnCancel =00401FEA->5F45D90F(MFC42.DLL+05D90F)
[vtbl+D4]PreInitDialog =00401FE4->5F404448(MFC42.DLL+004448)
message map=00403498(mfcspy.exe+003498)
msg map entries at 004033D8(mfcspy.exe+0033D8)
OnMsg:WM_SYSCOMMAND(0112),func=00401520(mfcspy.exe+001520)
OnMsg:WM_PAINT(000f),func=004015A0(mfcspy.exe+0015A0)
OnMsg:WM_QUERYDRAGICON(0037),func=00401650(mfcspy.exe+001650)
OnCommand: notifycode=0000 id=03e9,func=00401670(mfcspy.exe+001670)
OnMsg:WM_LBUTTONUP(0202),func=00401840(mfcspy.exe+001840)
OnMsg:WM_MOUSEMOVE(0200),func=004019C0(mfcspy.exe+0019C0)
OnMsg:0401,func=004017B0(mfcspy.exe+0017B0)

// Help Form
HWND: 000D01EA class:0012FB5C(CDialog,size=0x60)
CDialog:CWnd:CCmdTarget:CObject
[+00]vtbl address=004034A0(mfcspy.exe+0034A0)
[+04]CCmdTarget::m_dwRef=1
[+08]CCmdTarget::m_pOuterUnknown=00000000
[+0C]CCmdTarget::m_xInnerUnknown=00000000
[+10]CCmdTarget::m_xDispatch.m_vtbl=00000000
[+14]CCmdTarget::m_bResultExpected=00000001
[+18]CCmdTarget::m_xConnPtContainer.m_vtbl=00000000
[+1C]CCmdTarget::m_pModuleState=00135FF0
[+20]CWnd::m_hWnd=000D01EA
[+24]CWnd::m_hWndOwner=00000000
[+28]CWnd::m_nFlags=00000018
[+2C]CWnd::m_pfnSuper=77E0D439
[+30]CWnd::m_nModalResult=FFFFFFFF
[+34]CWnd::m_pDropTarget=00000000
[+38]CWnd::m_pCtrlCont=00000000
[+3C]CWnd::m_pCtrlSite=00000000
[+40]CDialog::m_nIDHelp=00000064
[+44]CDialog::m_lpszTemplateName=00000064
[+48]CDialog::m_hDialogTemplate=00000000
[+4C]CDialog::m_lpDialogTemplate=00000000
[+50]CDialog::m_lpDialogInit=00000000
[+54]CDialog::m_pParentWnd=(CWnd*)00000000
[+58]CDialog::m_hWndTop=(HWND)00000000
[+5C]CDialog::m_pOccDialogInfo=00000000
[vtbl+00]GetRuntimeClass =00402098->5F4064BC(MFC42.DLL+0064BC)
[vtbl+04]destructor =004012E0(mfcspy.exe+0012E0)
[vtbl+08]Serialize =00401D00(mfcspy.exe+001D00)
[vtbl+0C]AssertValid =00401240(mfcspy.exe+001240)
[vtbl+10]Dump =00401D00(mfcspy.exe+001D00)
[vtbl+14]OnCmdMsg =00402092->5F4064EB(MFC42.DLL+0064EB)
[vtbl+18]OnFinalRelease =0040208C->5F418D39(MFC42.DLL+018D39)
[vtbl+1C]IsInvokeAllowed =00401F90->5F4187CB(MFC42.DLL+0187CB)
[vtbl+20]GetDispatchIID =00401F8A->5F4103E8(MFC42.DLL+0103E8)
[vtbl+24]GetTypeInfoCount =00401F84->5F40196C(MFC42.DLL+00196C)
[vtbl+28]GetTypeLibCache =00401F7E->5F40196C(MFC42.DLL+00196C)
[vtbl+2C]GetTypeLib =00401F78->5F45E645(MFC42.DLL+05E645)
[vtbl+30]GetMessageMap =00401320(mfcspy.exe+001320)
[vtbl+34]GetCommandMap =00401F72->5F45E6A6(MFC42.DLL+05E6A6)
[vtbl+38]GetDispatchMap =00401F6C->5F45E662(MFC42.DLL+05E662)
[vtbl+3C]GetConnectionMap =00401F66->5F45E6A0(MFC42.DLL+05E6A0)
[vtbl+40]GetInterfaceMap =00401F60->5F414CC3(MFC42.DLL+014CC3)
[vtbl+44]GetEventSinkMap =00401F5A->5F45E668(MFC42.DLL+05E668)
[vtbl+48]OnCreateAggregates =00401F54->5F401958(MFC42.DLL+001958)
[vtbl+4C]GetInterfaceHook =00401F4E->5F4103E8(MFC42.DLL+0103E8)
[vtbl+50]GetExtraConnectionPoints=00401F48->5F4103E8(MFC42.DLL+0103E8)
[vtbl+54]GetConnectionHook =00401F42->5F4103E8(MFC42.DLL+0103E8)
[vtbl+58]PreSubclassWindow =00402086->5F404448(MFC42.DLL+004448)
[vtbl+5C]Create =00402080->5F40AA5F(MFC42.DLL+00AA5F)
[vtbl+60]DestroyWindow =0040207A->5F4057B8(MFC42.DLL+0057B8)
[vtbl+64]PreCreateWindow =00402074->5F40C22D(MFC42.DLL+00C22D)
[vtbl+68]CalcWindowRect =0040206E->5F40C3ED(MFC42.DLL+00C3ED)
[vtbl+6C]OnToolHitTest =00402068->5F45C2E3(MFC42.DLL+05C2E3)
[vtbl+70]GetScrollBarCtrl =00402062->5F4103E8(MFC42.DLL+0103E8)
[vtbl+74]WinHelpA =0040205C->5F45C5BC(MFC42.DLL+05C5BC)
[vtbl+78]ContinueModal =00402056->5F414BFE(MFC42.DLL+014BFE)
[vtbl+7C]EndModalLoop =00402050->5F414C41(MFC42.DLL+014C41)
[vtbl+80]OnCommand =0040204A->5F402A8B(MFC42.DLL+002A8B)
[vtbl+84]OnNotify =00402044->5F403290(MFC42.DLL+003290)
[vtbl+88]GetSuperWndProcAddr =0040203E->5F404444(MFC42.DLL+004444)
[vtbl+8C]DoDataExchange =00401310(mfcspy.exe+001310)
[vtbl+90]BeginModalState =00401BE0(mfcspy.exe+001BE0)
[vtbl+94]EndModalState =00401BF0(mfcspy.exe+001BF0)
[vtbl+98]PreTranslateMessage =00402038->5F414B8F(MFC42.DLL+014B8F)
[vtbl+9C]OnAmbientProperty =00402032->5F45E09F(MFC42.DLL+05E09F)
[vtbl+A0]WindowProc =0040202C->5F401ADD(MFC42.DLL+001ADD)
[vtbl+A4]OnWndMsg =00402026->5F401B21(MFC42.DLL+001B21)
[vtbl+A8]DefWindowProcA =00402020->5F401EDD(MFC42.DLL+001EDD)
[vtbl+AC]PostNcDestroy =0040201A->5F404448(MFC42.DLL+004448)
[vtbl+B0]OnChildNotify =00402014->5F4022BC(MFC42.DLL+0022BC)
[vtbl+B4]CheckAutoCenter =0040200E->5F40688B(MFC42.DLL+00688B)
[vtbl+B8]IsFrameWnd =00402008->5F40196C(MFC42.DLL+00196C)
[vtbl+BC]SetOccDialogInfo =00402002->5F45D6FC(MFC42.DLL+05D6FC)
[vtbl+C0]DoModal =00401FD2->5F414E8E(MFC42.DLL+014E8E)
[vtbl+C4]OnInitDialog =00401FFC->5F4063F4(MFC42.DLL+0063F4)
[vtbl+C8]OnSetFont =00401FF6->5F405ABF(MFC42.DLL+005ABF)
[vtbl+CC]OnOK =00401FF0->5F414C05(MFC42.DLL+014C05)
[vtbl+D0]OnCancel =00401FEA->5F45D90F(MFC42.DLL+05D90F)
[vtbl+D4]PreInitDialog =00401FE4->5F404448(MFC42.DLL+004448)
message map=004033D0(mfcspy.exe+0033D0)
msg map entries at 004033B8(mfcspy.exe+0033B8)

2. Analysis with DeMfc lite

ControlName  ControlID  Meaning           MessageMap Ptr
ID_Help      0000E146   WM_COMMAND        00401ED0
CDialog      00000000   WM_SYSCOMMAND     00401520
CDialog      00000000   WM_PAINT          004015A0
CDialog      00000000   WM_QUERYDRAGICON  00401650
unknown      000003E9   WM_COMMAND        00401670
CDialog      00000000   WM_LBUTTONUP      00401840
CDialog      00000000   WM_MOUSEMOVE      004019C0
CDialog      00000000   WM_MOUSEMOVE      004017B0
CDialog      00000000   WM_SETCURSOR      00401C70
CDialog      00000000   WM_LBUTTONDOWN    00401C80
CDialog      00000000   WM_LBUTTONUP      00401CC0
CDialog      00000000   WM_LBUTTONUP      00000000
CDialog      00000000   WM_MOVE           00000000
CDialog      00000000   WM_CREATE         00000000
CDialog      00000000   WM_MOVE           00000000
CDialog      00000000   WM_CREATE         00000000
CDialog      00000000   WM_CREATE         00000000
CDialog      00000000   WM_DESTROY        00000000
CDialog      00000000   WM_CREATE         00000000
CDialog      00000000   WM_CREATE         00000000

The comparison shows that you still missed some messages, for example: CDialog 00000000 WM_SETCURSOR 00401C70
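As an added illustration (not code from the post, from MfcSpy or from DeMfc lite) of one way a message-map walker can miss handlers: MFC chains each class's AFX_MSGMAP to its base class's map, so a scan that reads only the most-derived table never sees inherited entries. The structure layouts follow MFC 4.2's afxwin.h; the maps, handler names, message IDs and the signature value 1 are constructed for this example.

```c
#include <stddef.h>
#define WM_SETCURSOR  0x0020
#define WM_PAINT      0x000F
#define WM_COMMAND    0x0111
#define WM_SYSCOMMAND 0x0112
typedef void (*AfxMsgPtr)(void);

typedef struct {            /* AFX_MSGMAP_ENTRY as in MFC 4.2's afxwin.h */
    unsigned  nMessage;     /* Windows message */
    unsigned  nCode;        /* control/notify code */
    unsigned  nID;          /* control ID, 0 for window messages */
    unsigned  nLastID;      /* end of an ID range */
    unsigned  nSig;         /* handler signature; 0 terminates the table */
    AfxMsgPtr pfn;          /* handler routine */
} MsgMapEntry;

typedef struct MsgMap {     /* AFX_MSGMAP, static-link layout; an _AFXDLL */
    const struct MsgMap *pBaseMap;   /* build stores pfnGetBaseMap() here */
    const MsgMapEntry   *lpEntries;
} MsgMap;

/* Constructed stand-ins for handlers; only their addresses matter. */
static void on_setcursor(void) {}
static void on_paint(void) {}
static void on_syscommand(void) {}
static void on_button(void) {}

/* Base-class map (CDialog-like) owning the WM_SETCURSOR handler. */
static const MsgMapEntry base_entries[] = {
    { WM_SETCURSOR, 0, 0, 0, 1, on_setcursor }, { 0, 0, 0, 0, 0, NULL } };
static const MsgMap base_map = { NULL, base_entries };

/* Derived dialog map, modelled on the main-form entries MfcSpy printed. */
static const MsgMapEntry derived_entries[] = {
    { WM_SYSCOMMAND, 0, 0,     0,     1, on_syscommand },
    { WM_PAINT,      0, 0,     0,     1, on_paint },
    { WM_COMMAND,    0, 0x3E9, 0x3E9, 1, on_button },
    { 0, 0, 0, 0, 0, NULL } };
static const MsgMap derived_map = { &base_map, derived_entries };

/* Return 1 if a handler for msg is reachable. follow_base == 0 reads only
 * the most-derived table, which is how an inherited handler gets missed. */
int handles_message(unsigned msg, int follow_base)
{
    const MsgMap *map = &derived_map;
    for (; map != NULL; map = follow_base ? map->pBaseMap : NULL)
        for (const MsgMapEntry *e = map->lpEntries; e->nSig != 0; ++e)
            if (e->nMessage == msg) return 1;
    return 0;
}
```

With follow_base set, WM_SETCURSOR is found in the base map; without it the walker reports the main form as having no WM_SETCURSOR handler at all.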
Four ways to obtain SYSTEM privileges from an Administrator account
I think the key is still those few APIs: OpenProcessToken, LookupPrivilegeValue, AdjustTokenPrivileges. Tracing filemon these last few days is exactly where I learned this. btw: does anyone have experience using ntdll's NtLoadDriver and could say a bit about it?
A brief look at VB6 reverse engineering (1)
One mistake:

' declarations
Dim a, i As Byte
Dim b, j As Integer
Dim c, k As Long
Dim d, l As Boolean
Dim e, m As String
Dim f, n As Date
Dim g, o As Double
Dim h, p As Single

Written this way, i, j, k, l, m, n, o, p are all Variant-type variables rather than the Integer, Long and so on that you wanted, which is why you can see that when the compiler generates code, i = a and the like all become conversions through functions such as __vbaUI1Va (var->UI2).
The packer has been removed; in what situations can the entry-point warning still appear??
You can correct it by hand based on the characteristics of VB programs and the PE structure, so that wktvbdebug, exdec and the like work normally.
How does windbg update its symbol library online?
The simplest way: use livekd, which automatically adds the online update address for you.
Problem installing WKTVBDE
Just ignore it and carry on.
Can an API debugger be implemented in VB? [discussion] waiting online
In 1997 the guru John Robbins implemented a debugger in VB: http://www.microsoft.com/msj/0997/multivb.aspx "Multiple Threads in Visual Basic 5.0, Part II: Writing a Win32 Debugger". So MSJ is a good place to look.
Extracting packer signature strings
Extracting packer signature strings
Try to extract them from PEiD's packer signature database.
Prefetch queue??
This was discussed before: http://bbs.pediy.com/showthread.php?s=&threadid=1337 I tried your code; it runs in both cases, but you must set the .code section attributes to readable, writable and executable.
Problem configuring i386kd.exe???
If you work with windbg you cannot do without livekd, a tool that lets you debug your local machine; it is by the author of "Inside Windows 2000". Your problem is that you have no debug (symbol) files. You can download them from Microsoft's site, or stay online while using windbg and set the symbols address so they are fetched on demand.
Could master Xiaolou come in and take a look?
Virtual functions come from C++; you can read "Inside the C++ Object Model" (《深度探索c++对象模型》). I remember there was an article on the "Brothers Group" (兄弟小组) homepage of "Speed Gear" (变速齿轮) that also covered virtual functions. Nowadays some Delphi books also cover virtual functions; you can look at the "Delphi Technical Manual" (《delphi技术手册》), only in Delphi the virtual function table is called the VMT (virtual method table). If you understand the binary structure of COM (Component Object Model), you will know that COM is also a form of virtual functions. And of course you can read "Software Encryption Technology Internals" (《软件加密技术内幕》); in the VB chapter I describe the relationship between virtual functions and VB in detail.