Post #2
EP means the program entry point. Because the packer emulates the PE loader when it loads the file, there may not be any data yet at the time you read the address at 40**.
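As an added example (mine, not code from the thread), a small Python PE32 header check for the point post 2 makes: whether the bytes at the entry point are backed by the file at all, or whether the loader only zero-fills that section and the packer's stub fills it in at run time. The PE image is constructed inline and is not a real packed file; the section layout and the section name `.pack` are assumptions.

```python
import struct

# Section characteristics flags we report on (values from the PE spec).
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_WRITE = 0x80000000

def build_sample_pe(ep_rva, sections):
    """Build a constructed, header-only PE32 image (a sample, not a real file).
    sections: list of (name, vaddr, vsize, rawptr, rawsize, characteristics)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                      # e_lfanew: PE header at 0x40
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                     # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                    # Magic = PE32
    struct.pack_into("<I", opt, 16, ep_rva)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                # ImageBase
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, va, vs, rp, rs, ch in sections)
    return bytes(dos) + coff + opt + secs

def entry_section(pe):
    """Locate the section containing AddressOfEntryPoint and report whether the
    bytes at the EP come from the file or only exist once the process runs."""
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, ch = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        if va <= ep_rva < va + max(vsize, rawsize):
            return {
                "name": name.rstrip(b"\0").decode(),
                "ep_va": image_base + ep_rva,
                # Only the first SizeOfRawData bytes are mapped from the file;
                # the remainder of the section is zero-filled by the loader.
                "file_backed": rawsize > 0 and (ep_rva - va) < rawsize,
                "uninitialized": bool(ch & IMAGE_SCN_CNT_UNINITIALIZED_DATA),
                "writable": bool(ch & IMAGE_SCN_MEM_WRITE),
            }
    return None

# Constructed sample: a normal .text section plus a packer section with no raw
# data in the file (SizeOfRawData = 0) but a large VirtualSize.
SAMPLE_SECTIONS = [
    (b".text", 0x1000, 0x1000, 0x400, 0x1000, 0x60000020),
    (b".pack", 0x2000, 0x3000, 0, 0, 0xE0000080),
]

if __name__ == "__main__":
    print(entry_section(build_sample_pe(0x2010, SAMPLE_SECTIONS)))
```

If the EP falls in a section that is not file-backed, a ReadProcessMemory of that range right after CreateProcess returns zeros, which is consistent with the behaviour post 2 describes.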
Post #3
But this block is exactly the packer's code. The program has to run it right from the very start. It is also a block you can see in the PE file, so it should be one that gets loaded automatically. I don't understand how this block could fail to be loaded after CreateProcess: as soon as I ResumeThread, the main thread is going to run the code here, so how could it load this code in time?
Post #4
After some more experiments, I found that this block is in fact loaded; it just guards against functions like ReadProcessMemory and VirtualQueryEx. This is probably what is called anti-memory-read/write. I don't know how to get rid of it.
Post #5
I think the packer probably loads this block later through SEH. But can it set up an SEH handler before any code at all has run? I don't quite get it.
Post #6
AsprDbgr.>CALL AsprDbgr.0040100C
00401005 PUSH 0 ; /ExitCode = 0
00401007 CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess
0040100C PUSH AsprDbgr.00404000 ; /Arg1 = 00404000 ASCII "AsprDbgr v1.0beta (:P) Made by me... Manko.
"
00401011 CALL AsprDbgr.00402ED0 ; \AsprDbgr.00402ED0
00401016 MOV DWORD PTR DS:[404030],4C
00401020 MOV DWORD PTR DS:[40403C],AsprDbgr.00404180 ; ASCII "Any files"
0040102A MOV DWORD PTR DS:[40404C],AsprDbgr.0040407C
00401034 MOV DWORD PTR DS:[404050],104
0040103E MOV DWORD PTR DS:[404064],281804
00401048 PUSH AsprDbgr.00404030 ; /pOpenFileName = AsprDbgr.00404030
0040104D CALL <JMP.&comdlg32.GetOpenFileNameA> ; \GetOpenFileNameA
00401052 MOV EAX,DWORD PTR DS:[40404C]
00401057 MOV EAX,DWORD PTR DS:[EAX]
00401059 TEST EAX,EAX
0040105B JE AsprDbgr.00402E3E
00401061 PUSH AsprDbgr.004041D3 ; /pStartupinfo = AsprDbgr.004041D3
00401066 CALL <JMP.&kernel32.GetStartupInfoA> ; \GetStartupInfoA
0040106B PUSH AsprDbgr.00404217 ; /pProcessInfo = AsprDbgr.00404217
00401070 PUSH AsprDbgr.004041D3 ; |pStartupInfo = AsprDbgr.004041D3
00401075 PUSH 0 ; |CurrentDir = NULL
00401077 PUSH 0 ; |pEnvironment = NULL
00401079 PUSH 3 ; |CreationFlags = DEBUG_PROCESS|DEBUG_ONLY_THIS_PROCESS
0040107B PUSH 0 ; |InheritHandles = FALSE
0040107D PUSH 0 ; |pThreadSecurity = NULL
0040107F PUSH 0 ; |pProcessSecurity = NULL
00401081 PUSH 0 ; |CommandLine = NULL
00401083 PUSH AsprDbgr.0040407C ; |ModuleFileName = ""
00401088 CALL <JMP.&kernel32.CreateProcessA> ; \CreateProcessA
0040108D TEST EAX,EAX
0040108F JE AsprDbgr.00402E3E
00401095 PUSH -1 ; /Timeout = INFINITE
00401097 PUSH AsprDbgr.0040432C ; |pDebugEvent = AsprDbgr.0040432C
0040109C CALL <JMP.&kernel32.WaitForDebugEvent> ; \WaitForDebugEvent
004010A1 CMP DWORD PTR DS:[40432C],5
004010A8 JE AsprDbgr.00402E08
004010AE CMP DWORD PTR DS:[40432C],3
004010B5 JE SHORT AsprDbgr.004010BC
004010B7 JMP AsprDbgr.00401141
004010BC MOV EAX,DWORD PTR DS:[404354]
004010C1 MOV DWORD PTR DS:[404664],EAX
004010C6 PUSH 0 ; /pBytesRead = NULL
004010C8 PUSH 1 ; |BytesToRead = 1
004010CA PUSH AsprDbgr.00404668 ; |Buffer = AsprDbgr.00404668
004010CF PUSH DWORD PTR DS:[404664] ; |pBaseAddress = 0
004010D5 PUSH DWORD PTR DS:[404217] ; |hProcess = NULL
004010DB CALL <JMP.&kernel32.ReadProcessMemory> ; \ReadProcessMemory
004010E0 MOV EAX,DWORD PTR DS:[404344]
004010E5 MOV DWORD PTR DS:[404669],EAX
004010EA PUSH AsprDbgr.004046E4 ; /pOldProtect = AsprDbgr.004046E4
004010EF PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
004010F1 PUSH 1 ; |Size = 1
004010F3 PUSH DWORD PTR DS:[404664] ; |Address = NULL
004010F9 PUSH DWORD PTR DS:[404217] ; |hProcess = NULL
004010FF CALL <JMP.&kernel32.VirtualProtectEx> ; \VirtualProtectEx
00401104 PUSH 0 ; /pBytesWritten = NULL
00401106 PUSH 1 ; |BytesToWrite = 1
00401108 PUSH AsprDbgr.0040466D ; |Buffer = AsprDbgr.0040466D
0040110D PUSH DWORD PTR DS:[404664] ; |Address = 0
00401113 PUSH DWORD PTR DS:[404217] ; |hProcess = NULL
00401119 CALL <JMP.&kernel32.WriteProcessMemory> ; \WriteProcessMemory
0040111E PUSH AsprDbgr.004046E4 ; /pOldProtect = AsprDbgr.004046E4
00401123 PUSH DWORD PTR DS:[4046E4] ; |NewProtect = 0
00401129 PUSH 1 ; |Size = 1
0040112B PUSH DWORD PTR DS:[404664] ; |Address = NULL
00401131 PUSH DWORD PTR DS:[404217] ; |hProcess = NULL
00401137 CALL <JMP.&kernel32.VirtualProtectEx> ; \VirtualProtectEx
0040113C JMP AsprDbgr.00402689
00401141 CMP DWORD PTR DS:[40432C],1
00401148 JNZ AsprDbgr.00402689
0040114E CMP DWORD PTR DS:[404338],C0000005
00401158 JNZ AsprDbgr.0040122C
0040115E CMP DWORD PTR DS:[4047C8],1
00401165 JE SHORT AsprDbgr.004011AA
00401167 CMP BYTE PTR DS:[404A33],0
0040116E JE AsprDbgr.0040122C
00401174 MOV EAX,DWORD PTR DS:[404338]
00401179 MOV EBX,DWORD PTR DS:[404344]
0040117F CMP EBX,0
00401182 JE AsprDbgr.0040122C
00401188 PUSH EBX ; /<%lX> => 0
00401189 PUSH AsprDbgr.00404A08 ; |Format = " Access Violation caused at adress: %lX
"
0040118E PUSH AsprDbgr.00404227 ; |s = AsprDbgr.00404227
00401193 CALL <JMP.&user32.wsprintfA> ; \wsprintfA
00401198 ADD ESP,0C
0040119B PUSH AsprDbgr.00404227 ; /Arg1 = 00404227
004011A0 CALL AsprDbgr.00402ED0 ; \AsprDbgr.00402ED0
004011A5 JMP AsprDbgr.0040122C
004011AA MOV EAX,DWORD PTR DS:[404344]
004011AF ADD EAX,2
004011B2 MOV DWORD PTR DS:[4047CC],EAX
004011B7 PUSH 0 ; /pBytesRead = NULL
004011B9 PUSH 1 ; |BytesToRead = 1
004011BB PUSH AsprDbgr.004047D0 ; |Buffer = AsprDbgr.004047D0
004011C0 PUSH DWORD PTR DS:[4047CC] ; |pBaseAddress = 0
004011C6 PUSH DWORD PTR DS:[404217] ; |hProcess = NULL
004011CC CALL <JMP.&kernel32.ReadProcessMemory> ; \ReadProcessMemory
004011D1 CMP BYTE PTR DS:[4047D0],0EB
004011D8 JE SHORT AsprDbgr.0040122C
004011DA PUSH AsprDbgr.004046E4 ; /pOldProtect = AsprDbgr.004046E4
004011DF PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
004011E1 PUSH 1 ; |Size = 1
Here is this piece of code for you to look at.
Post #7
Could you describe the context in which this code runs? Where in the PE file it is, when it runs, what the run mechanism is, etc.
Post #8
This is a piece of code from AsprDbgr v1.0beta (:P) Made by me... Manko. Reverse it yourself.