vckbase.com 有介绍
PEiD 用的是 EnumProcesses 和 EnumProcessModules:
; Process scan as seen in the dumped PEiD binary (OllyDbg listing, x86 stdcall):
;   EnumProcesses() -> for each PID: OpenProcess() -> EnumProcessModules() (first module only).
; Arguments are pushed right-to-left. The loop body continues past the end of this listing.
0043C1AA . 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]                       ; &cbNeeded (bytes written by EnumProcesses)
0043C1AE . 50 PUSH EAX                                                   ; lpcbNeeded
0043C1AF . 68 00100000 PUSH 1000                                         ; cb = 0x1000 bytes -> room for 1024 DWORD PIDs
0043C1B4 . 8D8C24 680300>LEA ECX,DWORD PTR SS:[ESP+368]                  ; pProcessIds, stack array (== [ESP+360] before the two pushes)
0043C1BB . 51 PUSH ECX
0043C1BC . FF15 242E4600 CALL DWORD PTR DS:[462E24] ; psapi.EnumProcesses ; EnumProcesses(pProcessIds, 0x1000, &cbNeeded)
0043C1C2 . 85C0 TEST EAX,EAX
0043C1C4 . 0F84 44040000 JE dumped_.0043C60E                             ; enumeration failed -> leave the scan
0043C1CA . 8B4424 18 MOV EAX,DWORD PTR SS:[ESP+18]                       ; cbNeeded
0043C1CE . C1E8 02 SHR EAX,2                                             ; cbNeeded / sizeof(DWORD) = number of PIDs returned
0043C1D1 . 33F6 XOR ESI,ESI                                              ; ESI = index into the PID array
0043C1D3 . 85C0 TEST EAX,EAX
0043C1D5 . 894424 20 MOV DWORD PTR SS:[ESP+20],EAX                       ; save PID count
0043C1D9 . 897424 14 MOV DWORD PTR SS:[ESP+14],ESI                       ; save loop counter (0)
0043C1DD . 0F86 2B040000 JBE dumped_.0043C60E                            ; zero PIDs -> leave the scan
0043C1E3 . EB 0B JMP SHORT dumped_.0043C1F0
0043C1E5 . 8DA424 000000>LEA ESP,DWORD PTR SS:[ESP]                      ; no-op padding (loop-head alignment)
0043C1EC . 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]                          ; no-op padding
0043C1F0 > A1 50634000 MOV EAX,DWORD PTR DS:[406350]                     ; loop head. Copies 8 bytes from a constant at 40634C..406353
0043C1F5 . 8B15 4C634000 MOV EDX,DWORD PTR DS:[40634C]                   ;   into [ESP+28..2F], then zeroes 0x3F DWORDs at [ESP+30]:
0043C1FB . 894424 2C MOV DWORD PTR SS:[ESP+2C],EAX                       ;   8 + 0xFC = 0x104 = 260 bytes, i.e. looks like a
0043C1FF . 33C0 XOR EAX,EAX                                              ;   MAX_PATH char buffer with a string initializer -- TODO confirm
0043C201 . 895424 28 MOV DWORD PTR SS:[ESP+28],EDX
0043C205 . B9 3F000000 MOV ECX,3F                                        ; 0x3F DWORDs
0043C20A . 8D7C24 30 LEA EDI,DWORD PTR SS:[ESP+30]
0043C20E . F3:AB REP STOS DWORD PTR ES:[EDI]                             ; zero-fill; EAX stays 0 and is reused as bInheritHandle below
0043C210 . 8B8CB4 600300>MOV ECX,DWORD PTR SS:[ESP+ESI*4+360]            ; pProcessIds[ESI]
0043C217 . 51 PUSH ECX ; /ProcessId
0043C218 . 50 PUSH EAX ; |Inheritable =>                                 ; EAX == 0 from the XOR above
FALSE
0043C219 . 68 10040000 PUSH 410 ; |Access =                              ; 0x410 = PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_READ (0x10)
VM_READ|QUERY_INFORMATION
0043C21E . FF15 DC114000 CALL DWORD PTR DS:[<&kernel32.OpenProces>; \OpenProcess
0043C224 . 8BF8 MOV EDI,EAX                                              ; EDI = hProcess
0043C226 . 85FF TEST EDI,EDI
0043C228 . 0F84 43010000 JE dumped_.0043C371                             ; OpenProcess failed (access denied is the usual cause without SeDebugPrivilege) -> presumably next PID
0043C22E . 8D5424 24 LEA EDX,DWORD PTR SS:[ESP+24]                       ; &cbNeeded for EnumProcessModules
0043C232 . 52 PUSH EDX                                                   ; lpcbNeeded
0043C233 . 6A 04 PUSH 4                                                  ; cb = sizeof(HMODULE): only the first module (the main executable) is returned
0043C235 . 8D4424 24 LEA EAX,DWORD PTR SS:[ESP+24]                       ; &hModule (== [ESP+1C] once the pushes are popped)
0043C239 . 50 PUSH EAX                                                   ; lphModule
0043C23A . 57 PUSH EDI                                                   ; hProcess
0043C23B . FF15 0C2E4600 CALL DWORD PTR DS:[462E0C] ;                    ; EnumProcessModules(hProcess, &hModule, 4, &cbNeeded)
psapi.EnumProcessModules
0043C241 . 85C0 TEST EAX,EAX
0043C243 . 0F84 21010000 JE dumped_.0043C36A                             ; failed -> 0043C36A (not in this listing; presumably closes hProcess)
0043C249 . 8B5424 1C MOV EDX,DWORD PTR SS:[ESP+1C]                       ; EDX = hModule of the main executable; listing ends here
要获得系统进程文件的全路径,需要先打开调试权限:
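// Enable (fEnable != FALSE) or disable SeDebugPrivilege on the current
// process's primary token.
//
// Holding the debug privilege lets OpenProcess() succeed on processes the
// caller's token has no access to otherwise (e.g. services running as
// LocalSystem), which the EnumProcesses / OpenProcess / EnumProcessModules
// scan above needs in order to read the main-module path of such processes.
//
// Returns TRUE only if the privilege was actually adjusted.
// AdjustTokenPrivileges() can only toggle privileges the token already
// holds: for a token without SeDebugPrivilege (a non-elevated user) the
// call returns TRUE but sets GetLastError() to ERROR_NOT_ALL_ASSIGNED, so
// the ERROR_SUCCESS test below is what turns that case into FALSE.
// Privilege adjustments on a token are audited (Windows security event
// 4703, "A token right was adjusted") when token-right auditing is enabled.
inline BOOL CToolhelp::EnableDebugPrivilege(BOOL fEnable) {
    BOOL fOk = FALSE; // Assume function fails
    HANDLE hToken;

    // TOKEN_ADJUST_PRIVILEGES is sufficient because no PreviousState buffer
    // is requested from AdjustTokenPrivileges (TOKEN_QUERY would be needed
    // for that).
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES,
                         &hToken)) {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;

        // Resolve the LUID of SeDebugPrivilege. The original ignored this
        // return value; on failure tp.Privileges[0].Luid would be passed to
        // AdjustTokenPrivileges uninitialized.
        if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME,
                                 &tp.Privileges[0].Luid)) {
            tp.Privileges[0].Attributes = fEnable ? SE_PRIVILEGE_ENABLED : 0;

            // A nonzero return alone does not mean the privilege changed;
            // only GetLastError() == ERROR_SUCCESS confirms that every
            // requested privilege was adjusted.
            if (AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp),
                                      NULL, NULL)) {
                fOk = (GetLastError() == ERROR_SUCCESS);
            }
        }
        CloseHandle(hToken);
    }
    return(fOk);
}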