-
-
[求助]关于PEB.ReadOnlyStaticServerData
-
发表于: 2010-6-22 18:01
-
在分析一个程序时看到下面的代码:
004012e3 33c0 xor eax,eax
004012e5 648b4018 mov eax,dword ptr fs:[eax+18h] ;_TIB.Self
004012e9 8b4030 mov eax,dword ptr [eax+30h] ;_PEB
004012ec 8b4054 mov eax,dword ptr [eax+54h] ;_PEB.ReadOnlyStaticServerData
004012ef 8b4004 mov eax,dword ptr [eax+4]
004012f2 8b4004 mov eax,dword ptr [eax+4]
004012f5 8b4004 mov eax,dword ptr [eax+4]
004012f8 0d20002000 or eax,200020h
004012fd 3d7c007700 cmp eax,77007Ch
00401302 7401 je image00400000+0x1305 (00401305)
00401304 c3 ret
不知道里面的ReadOnlyStaticServerData 是什么东西?google了半天也无果。
执行到[eax+54h]=7f6f0688
0:000> dd 7f6f0688 L2
7f6f0688 00000000 7f6f06a0
第一个[eax+4]=7f6f06a0
0:000> dd 7f6f06a0 L2
7f6f06a0 00160014 7f6f2170
第二个[eax+4]=7f6f2170
0:000> db 7f6f2170
7f6f2170 43 00 3a 00 5c 00 57 00-49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O.
7f6f2180 57 00 53 00 00 00 00 00-06 00 04 00 93 01 08 00 W.S.............
7f6f2190 43 00 3a 00 5c 00 57 00-49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O.
7f6f21a0 57 00 53 00 5c 00 73 00-79 00 73 00 74 00 65 00 W.S.\.s.y.s.t.e.
7f6f21b0 6d 00 33 00 32 00 00 00-06 00 06 00 95 01 0c 00 m.3.2...........
7f6f21c0 5c 00 42 00 61 00 73 00-65 00 4e 00 61 00 6d 00 \.B.a.s.e.N.a.m.
7f6f21d0 65 00 64 00 4f 00 62 00-6a 00 65 00 63 00 74 00 e.d.O.b.j.e.c.t.
7f6f21e0 73 00 00 00 00 00 00 00-03 00 06 00 9f 01 08 00 s...............
第三个[eax+4]=0057005c //即是上面的\.W.
执行完后eax就等于了0057005c,最后再执行or eax,200020h再比较cmp eax,77007Ch
我想知道,它在干嘛?应该不是一个Anti。。。
网上只搜到http://wasm.ru/forum/viewtopic.php?pid=318646
{
mov eax,dword ptr fs:[18h]
mov eax,dword ptr ds:[eax+30h]
mov eax,dword ptr ds:[eax+54h]
mov eax,dword ptr ds:[eax+4]
mov eax,dword ptr ds:[eax+4] ; Тут на C:\WINDOWS указатель.
mov eax,dword ptr ds:[eax+4] ; \W
or eax,00200020h ; К нижнему регистру.
lea eax,[eax + (offset DecryptEntry - 77007Ch)]
jmp eax
}
没看明白是什么。
期待高手解答。。。。
004012e3 33c0 xor eax,eax
004012e5 648b4018 mov eax,dword ptr fs:[eax+18h] ;_TIB.Self
004012e9 8b4030 mov eax,dword ptr [eax+30h] ;_PEB
004012ec 8b4054 mov eax,dword ptr [eax+54h] ;_PEB.ReadOnlyStaticServerData
004012ef 8b4004 mov eax,dword ptr [eax+4]
004012f2 8b4004 mov eax,dword ptr [eax+4]
004012f5 8b4004 mov eax,dword ptr [eax+4]
004012f8 0d20002000 or eax,200020h
004012fd 3d7c007700 cmp eax,77007Ch
00401302 7401 je image00400000+0x1305 (00401305)
00401304 c3 ret
不知道里面的ReadOnlyStaticServerData 是什么东西?google了半天也无果。
执行到[eax+54h]=7f6f0688
0:000> dd 7f6f0688 L2
7f6f0688 00000000 7f6f06a0
第一个[eax+4]=7f6f06a0
0:000> dd 7f6f06a0 L2
7f6f06a0 00160014 7f6f2170
第二个[eax+4]=7f6f2170
0:000> db 7f6f2170
7f6f2170 43 00 3a 00 5c 00 57 00-49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O.
7f6f2180 57 00 53 00 00 00 00 00-06 00 04 00 93 01 08 00 W.S.............
7f6f2190 43 00 3a 00 5c 00 57 00-49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O.
7f6f21a0 57 00 53 00 5c 00 73 00-79 00 73 00 74 00 65 00 W.S.\.s.y.s.t.e.
7f6f21b0 6d 00 33 00 32 00 00 00-06 00 06 00 95 01 0c 00 m.3.2...........
7f6f21c0 5c 00 42 00 61 00 73 00-65 00 4e 00 61 00 6d 00 \.B.a.s.e.N.a.m.
7f6f21d0 65 00 64 00 4f 00 62 00-6a 00 65 00 63 00 74 00 e.d.O.b.j.e.c.t.
7f6f21e0 73 00 00 00 00 00 00 00-03 00 06 00 9f 01 08 00 s...............
第三个[eax+4]=0057005c //即是上面的\.W.
执行完后eax就等于了0057005c,最后再执行or eax,200020h再比较cmp eax,77007Ch
我想知道,它在干嘛?应该不是一个Anti。。。
网上只搜到http://wasm.ru/forum/viewtopic.php?pid=318646
{
mov eax,dword ptr fs:[18h]
mov eax,dword ptr ds:[eax+30h]
mov eax,dword ptr ds:[eax+54h]
mov eax,dword ptr ds:[eax+4]
mov eax,dword ptr ds:[eax+4] ; Тут на C:\WINDOWS указатель.
mov eax,dword ptr ds:[eax+4] ; \W
or eax,00200020h ; К нижнему регистру.
lea eax,[eax + (offset DecryptEntry - 77007Ch)]
jmp eax
}
没看明白是什么。
期待高手解答。。。。
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
