Self-Debug
利用SEH,自检测自己的运行状态。 ; 2004.02.17 :: fixed! let's celebrate! ;P
; but.. with this fix softice is able to trace through the code ;/
; so we have to adapt old buggy version ;]
; Omega Red 10/2003
; NASM source
; primitive exception testing
bits32
%include "omeg.inc"
%include "win32n.inc"
extern wsprintfA
extern MessageBoxA
;extern SetUnhandledExceptionFilter
extern ExitProcess
;extern Sleep
;--------------------------------------------------------------------
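section .code use32
;--------------------------------------------------------------------
; Program entry point (NASM "..start", the entry symbol of the obj
; output format, matching the "use32" sections below).
;
; Flow:
;   1. record the initial CPU state and the load-time address of ..start
;      (delta-offset trick: call / pop);
;   2. park a fallback resume address in [exc_eip], then install
;      ThreadExceptionHandler as a frame-based SEH handler
;      (SEH_INSTALL / SEH_REMOVE are omeg.inc macros);
;   3. set EFLAGS.TF so every following instruction raises a single-step
;      exception, which the handler counts in [steps];
;   4. raise two deliberate faults (ud2, mov eax,cr0) that the handler
;      resumes at [exc_eip];
;   5. clear TF, show the trace count, remove the handler and return.
;
; Register usage: eax is scratch throughout; nothing here relies on a
; callee-saved register surviving the API calls.
;
; NOTE: this block lies inside the region summed by IntegrityCheck
; (..start .. end_check); any edit here changes the expected checksum
; constant, which then has to be regenerated.
;--------------------------------------------------------------------
%define EFLAGS_TF   0x00000100          ; trap flag: single-step trap after each instruction

..start:
        push    eax                     ; keep the initial eax for the state dump
        call    trap
trap:
        pop     eax                     ; eax = runtime address of 'trap'
        sub     eax, (trap - ..start)   ; eax = runtime address of ..start
        mov     [init_eip], eax
        pop     eax                     ; restore the initial eax
        ; esp is the last argument; assuming callc pushes right-to-left
        ; (C convention) it is pushed first, i.e. before any argument
        ; moved esp, so the dumped value is the entry esp
        callc   wsprintfA, txtbuf, exc_f1, eax, ebx, ecx, edx, edi, esi, ebp, [init_eip], cs, ds, es, fs, gs, ss, esp
        callf   MessageBoxA, 0, txtbuf, 0, 0

        ; Fallback resume address. [exc_eip] lives in .bss and is zero until
        ; the store before ud2 below; any non-single-step exception arriving
        ; earlier (e.g. a breakpoint or fault while IntegrityCheck is being
        ; traced) would make the handler resume at EIP=0. With this store the
        ; handler instead lands on the clean-exit path. It is best effort only:
        ; the handler rewrites EIP but not esp, so it is exact only for faults
        ; at the same stack depth as the continue label.
        mov     [exc_eip], dword exception_continue2

        ; that's FINAL process handler with different parameters, should return -1 to continue
        ;callf   SetUnhandledExceptionFilter, ExceptionHandler
        SEH_INSTALL ThreadExceptionHandler

        ; initialize single-step tracing
        ; handler doesn't need the address of continue point because it's a
        ; debug exception and EIP is progressed normally
        mov     [steps], dword 0
        pushf
        pop     eax
        or      eax, EFLAGS_TF
        push    eax
        popf                            ; first trap fires after the instruction following popf
        nop
        call    IntegrityCheck          ; traced: every instruction in there bumps [steps]

        ; save IP to safe place for next non-debug exceptions ;)
        mov     [exc_eip], dword exception_continue1
        callf   MessageBoxA, 0, mid_msg, 0, 0
        ; GENERATE EXCEPTION
        ud2                             ; undefined opcode -> handler resumes at [exc_eip]
exception_continue1:
        mov     [exc_eip], dword exception_continue2
        mov     eax, cr0                ; privileged instruction -> second fault, same resume scheme
exception_continue2:
        pushf
        pop     eax
        and     eax, ~EFLAGS_TF         ; disable single-stepping
        push    eax
        popf
        callf   MessageBoxA, 0, end_msg, 0, 0
        callc   wsprintfA, txtbuf, steps_f, [steps]
        callf   MessageBoxA, 0, txtbuf, 0, 0
        SEH_REMOVE
        xor     eax, eax                ; return 0 to whoever called the entry point
        ret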
;--------------------------------------------------------------------
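; C calling convention!
;--------------------------------------------------------------------
; int ThreadExceptionHandler(EXCEPTION_RECORD *pExceptionRecord, void *pErr,
;                            CONTEXT *pContext, void *pDispatch)
; Frame-based SEH handler installed by ..start. cproc / endcproc are
; omeg.inc macros that build the frame and name the arguments.
;
; Returns in eax:
;   0 (ExceptionContinueExecution) for a single-step trap (counted in
;     [steps], TF re-armed in the saved context) and for any other
;     exception, after pointing the saved EIP at [exc_eip];
;   1 (ExceptionContinueSearch) when invoked for an unwind pass, so the
;     saved context is left untouched and dispatch moves on.
;
; Register usage: esi = pContext (callee-saved, hence pushed/popped),
;                 edx = pExceptionRecord (volatile), eax = scratch/result.
;
; NOTE: this handler lies inside the region summed by IntegrityCheck
; (..start .. end_check); edits here change the expected checksum constant.
;--------------------------------------------------------------------
%define EXC_UNWIND_FLAGS   0x06          ; EXCEPTION_UNWINDING | EXCEPTION_EXIT_UNWIND (winnt.h)
%define EXC_SINGLE_STEP    0x80000004    ; EXCEPTION_SINGLE_STEP (winnt.h)

ThreadExceptionHandler:
        cproc   pExceptionRecord, pErr, pContext, pDispatch
        push    esi
        mov     esi, pContext            ; CPU state when the exception occurred
        mov     edx, pExceptionRecord    ; exception info
        ; Unwind pass: the dispatcher is tearing frames down (second-chance
        ; exception, thread exit, nested exception), not reporting a fresh
        ; fault. Rewriting EIP here would resume into a frame being
        ; destroyed, so step aside and let the unwind continue.
        test    dword [edx+EXCEPTION_RECORD.ExceptionFlags], EXC_UNWIND_FLAGS
        jnz     exc_unwind
        mov     eax, [edx+EXCEPTION_RECORD.ExceptionCode]
        cmp     eax, EXC_SINGLE_STEP     ; debug exception (trap) ?
        je      exc_debug
        ; Any other exception: dump the record and the faulting context ...
        callc   wsprintfA, txtbuf, exc_f, eax, [edx+EXCEPTION_RECORD.ExceptionFlags], [edx+EXCEPTION_RECORD.ExceptionAddress], [esi+CONTEXT.regEax], [esi+CONTEXT.regEbx], [esi+CONTEXT.regEcx], [esi+CONTEXT.regEdx], [esi+CONTEXT.regEdi], [esi+CONTEXT.regEsi], [esi+CONTEXT.regEbp], [esi+CONTEXT.regEip], [esi+CONTEXT.regCs], [esi+CONTEXT.regDs], [esi+CONTEXT.regEs], [esi+CONTEXT.regFs], [esi+CONTEXT.regGs], [esi+CONTEXT.regSs], [esi+CONTEXT.regEsp]
        callf   MessageBoxA, 0, txtbuf, 0, 0
        ; ... then resume at the address ..start parked in [exc_eip].
        ; Only EIP is rewritten; registers and esp stay as at the fault, so
        ; this is exact only for faults at the stack depth of the continue
        ; label (the two deliberate ones in ..start) and hides the origin of
        ; any other exception raised while the handler is installed.
        push    dword [exc_eip]
        pop     dword [esi+CONTEXT.regEip]
        ; stack is not altered after handler's return
        jmp     exc_end
exc_unwind:
        mov     eax, 1                   ; ExceptionContinueSearch
        jmp     exc_ret
exc_debug:
        ; Single-step trap: count it and re-arm TF in the saved context so
        ; tracing continues after the dispatcher restores it.
        inc     dword [steps]
        mov     eax, [esi+CONTEXT.regFlag]
        or      eax, 0x00000100          ; EFLAGS.TF
        mov     [esi+CONTEXT.regFlag], eax
exc_end:
        ;mov     eax, EXCEPTION_CONTINUE_EXECUTION ; that's for FINAL handler
        xor     eax, eax                 ; ExceptionContinueExecution
exc_ret:
        pop     esi
        endcproc
end_check:                               ; end of the region summed by IntegrityCheck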
;--------------------------------------------------------------------
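; simple checksum (badziew ;)
;--------------------------------------------------------------------
; void IntegrityCheck(void)   -- called from ..start, no arguments
; Sums the dwords of the code region [..start, end_check) and compares the
; sum with a constant captured from a known-good build. On mismatch it shows
; the computed sum and a warning and then returns anyway ("not really"
; terminating; the ExitProcess call is left disabled).
;
; In:    nothing
; Out:   nothing; eax, ecx and flags are clobbered (the mismatch path makes
;        API calls, which clobber the usual volatile registers as well).
; Keeps: ebx/esi/edi/ebp. The original walked the region with ebx, which is
;        callee-saved in every 32-bit convention, and never saved it; ecx is
;        volatile, so the cursor lives there now.
;
; Caveats about the check itself:
;  * EXPECTED_SUM is build-specific: any change to the summed region (or a
;    different assembler/linker layout) changes it and the check reports
;    "Code modified". Regenerate it from the "Checksum = ..." dialog.
;  * The region contains absolute addresses ([steps], [exc_eip],
;    dword exception_continue1, ...). If the image is loaded at a base other
;    than the one the constant was captured at, relocations change those
;    bytes and the sum, so the check can fail without any tampering.
;  * The walk is in 4-byte steps and does not stop exactly at end_check when
;    the region length is not a multiple of 4; the last read then takes up
;    to 3 bytes of the code that follows end_check into the sum.
;  * ..start calls this with TF already set, so every iteration is
;    single-stepped and counted in [steps].
;--------------------------------------------------------------------
%define EXPECTED_SUM  0x1e341ab7

IntegrityCheck:
        mov     ecx, ..start            ; ecx = cursor over the code region
        xor     eax, eax                ; eax = running sum
check_loop:
        add     eax, [ecx]
        add     ecx, 4
        cmp     ecx, end_check
        jb      check_loop              ; unsigned compare: these are addresses
        cmp     eax, EXPECTED_SUM
        jz      check_ok
        callc   wsprintfA, txtbuf, check_f, eax
        callf   MessageBoxA, 0, txtbuf, 0, 0
        callf   MessageBoxA, 0, check_bad, 0, MB_ICONSTOP
        ;callf   ExitProcess
check_ok:
        ret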
;--------------------------------------------------------------------
section .data use32
; wsprintfA format used by ThreadExceptionHandler for the exception dump:
; 3 EXCEPTION_RECORD fields followed by 15 CONTEXT fields (18 conversions)
exc_f     db "Exception catched: code=%08x, flags=%08x, address=%08x",13,10
          db "eax=%08x, ebx=%08x, ecx=%08x, edx=%08x, edi=%08x, esi=%08x, ebp=%08x",13,10
          db "eip=%08x, cs=%08x, ds=%08x, es=%08x, fs=%08x, gs=%08x, ss=%08x, esp=%08x",0
; wsprintfA format used by ..start for the initial register dump (15 conversions)
exc_f1    db "Initial CPU state:",13,10
          db "eax=%08x, ebx=%08x, ecx=%08x, edx=%08x, edi=%08x, esi=%08x, ebp=%08x",13,10
          db "eip=%08x, cs=%08x, ds=%08x, es=%08x, fs=%08x, gs=%08x, ss=%08x, esp=%08x",0
check_f   db "Checksum = %08x",0                              ; IntegrityCheck, mismatch path
check_bad db "Code modified - terminating (not really ;P).",0 ; IntegrityCheck, mismatch path
end_msg   db "Terminating.",0                                 ; ..start, after TF is cleared
mid_msg   db "Causing exception...",0                         ; ..start, just before ud2
debug_msg db "Debug",0                                        ; not referenced by the code on this page
steps_f   db "Instructions traced: %d",0                      ; ..start, final dialog
;--------------------------------------------------------------------
section .bss use32
txtbuf    resb 1024   ; wsprintfA output buffer; the longest format (exc_f) expands to well under 1024 bytes
exc_eip   resd 1      ; resume EIP the handler installs for non-single-step exceptions (zero until ..start stores it)
init_eip  resd 1      ; load-time address of ..start, computed by the call/pop at entry
steps     resd 1      ; number of single-step traps counted by ThreadExceptionHandler
;--------------------------------------------------------------------