用CreateProcess启动ASProtect加密的软件后,发现有些块没有装载-软件逆向-看雪-安全社区|安全招聘|kanxue.com

最新回复 (7)
lordor 雪币： 279 活跃值： (375) 能力值： ( LV9，RANK：250 ) 在线值：发帖 12 回帖 239 粉丝 1 关注私信	lordor 6 2004-4-26 13:19 2 楼 0 EP是指程序入口。由于加壳软件会模拟PE装载器对文件进行载入，所以你去读40**处地址时，可能还未有数据
drgnmvpn 雪币： 217 活跃值： (70) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 25 粉丝 1 关注私信	drgnmvpn 2004-4-26 14:31 3 楼 0 但这个块里就是壳的代码啊.程序最一开始就得到这运行的.而且是在PE文件中可以看出来的一个块,应该属于自动加载的块.我不明白用CreateProcess后这一块怎么会不加载,那马上我一ResumeThread主线程就要运行这里的代码了,它又如何马上加载上这代码呢?
drgnmvpn 雪币： 217 活跃值： (70) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 25 粉丝 1 关注私信	drgnmvpn 2004-4-26 14:44 4 楼 0 再做了些实验,发现这个块应该是加载了的,只是对ReadProcessMemory,VirtualQureyEx之类的函数做了防范.这应该就是所谓的防内存读写功能吧.不知如何改掉它
drgnmvpn 雪币： 217 活跃值： (70) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 25 粉丝 1 关注私信	drgnmvpn 2004-4-26 16:46 5 楼 0 我想应该是壳通过SEH技术在后来加载此块吧.但啥代码都没运行,就能设置SEH处理功能吗?不太懂
lordor 雪币： 279 活跃值： (375) 能力值： ( LV9，RANK：250 ) 在线值：发帖 12 回帖 239 粉丝 1 关注私信	lordor 6 2004-4-26 18:03 6 楼 0 AsprDbgr.>CALL AsprDbgr.0040100C 00401005 PUSH 0 ; /ExitCode = 0 00401007 CALL <JMP.&kernel32.ExitProcess> ; \ExitProcess 0040100C PUSH AsprDbgr.00404000 ; /Arg1 = 00404000 ASCII "AsprDbgr v1.0beta (:P) Made by me... Manko. " 00401011 CALL AsprDbgr.00402ED0 ; \AsprDbgr.00402ED0 00401016 MOV DWORD PTR DS:[404030],4C 00401020 MOV DWORD PTR DS:[40403C],AsprDbgr.00404180 ; ASCII "Any files" 0040102A MOV DWORD PTR DS:[40404C],AsprDbgr.0040407C 00401034 MOV DWORD PTR DS:[404050],104 0040103E MOV DWORD PTR DS:[404064],281804 00401048 PUSH AsprDbgr.00404030 ; /pOpenFileName = AsprDbgr.00404030 0040104D CALL <JMP.&comdlg32.GetOpenFileNameA> ; \GetOpenFileNameA 00401052 MOV EAX,DWORD PTR DS:[40404C] 00401057 MOV EAX,DWORD PTR DS:[EAX] 00401059 TEST EAX,EAX 0040105B JE AsprDbgr.00402E3E 00401061 PUSH AsprDbgr.004041D3 ; /pStartupinfo = AsprDbgr.004041D3 00401066 CALL <JMP.&kernel32.GetStartupInfoA> ; \GetStartupInfoA 0040106B PUSH AsprDbgr.00404217 ; /pProcessInfo = AsprDbgr.00404217 00401070 PUSH AsprDbgr.004041D3 ; \|pStartupInfo = AsprDbgr.004041D3 00401075 PUSH 0 ; \|CurrentDir = NULL 00401077 PUSH 0 ; \|pEnvironment = NULL 00401079 PUSH 3 ; \|CreationFlags = DEBUG_PROCESS\|DEBUG_ONLY_THIS_PROCESS 0040107B PUSH 0 ; \|InheritHandles = FALSE 0040107D PUSH 0 ; \|pThreadSecurity = NULL 0040107F PUSH 0 ; \|pProcessSecurity = NULL 00401081 PUSH 0 ; \|CommandLine = NULL 00401083 PUSH AsprDbgr.0040407C ; \|ModuleFileName = "" 00401088 CALL <JMP.&kernel32.CreateProcessA> ; \CreateProcessA 0040108D TEST EAX,EAX 0040108F JE AsprDbgr.00402E3E 00401095 PUSH -1 ; /Timeout = INFINITE 00401097 PUSH AsprDbgr.0040432C ; \|pDebugEvent = AsprDbgr.0040432C 0040109C CALL <JMP.&kernel32.WaitForDebugEvent> ; \WaitForDebugEvent 004010A1 CMP DWORD PTR DS:[40432C],5 004010A8 JE AsprDbgr.00402E08 004010AE CMP DWORD PTR DS:[40432C],3 004010B5 JE SHORT AsprDbgr.004010BC 004010B7 JMP AsprDbgr.00401141 004010BC MOV EAX,DWORD PTR DS:[404354] 004010C1 MOV DWORD PTR DS:[404664],EAX 004010C6 PUSH 0 ; /pBytesRead = NULL 004010C8 PUSH 1 ; \|BytesToRead = 1 004010CA PUSH AsprDbgr.00404668 ; \|Buffer = AsprDbgr.00404668 004010CF PUSH DWORD PTR DS:[404664] ; \|pBaseAddress = 0 004010D5 PUSH DWORD PTR DS:[404217] ; \|hProcess = NULL 004010DB CALL <JMP.&kernel32.ReadProcessMemory> ; \ReadProcessMemory 004010E0 MOV EAX,DWORD PTR DS:[404344] 004010E5 MOV DWORD PTR DS:[404669],EAX 004010EA PUSH AsprDbgr.004046E4 ; /pOldProtect = AsprDbgr.004046E4 004010EF PUSH 40 ; \|NewProtect = PAGE_EXECUTE_READWRITE 004010F1 PUSH 1 ; \|Size = 1 004010F3 PUSH DWORD PTR DS:[404664] ; \|Address = NULL 004010F9 PUSH DWORD PTR DS:[404217] ; \|hProcess = NULL 004010FF CALL <JMP.&kernel32.VirtualProtectEx> ; \VirtualProtectEx 00401104 PUSH 0 ; /pBytesWritten = NULL 00401106 PUSH 1 ; \|BytesToWrite = 1 00401108 PUSH AsprDbgr.0040466D ; \|Buffer = AsprDbgr.0040466D 0040110D PUSH DWORD PTR DS:[404664] ; \|Address = 0 00401113 PUSH DWORD PTR DS:[404217] ; \|hProcess = NULL 00401119 CALL <JMP.&kernel32.WriteProcessMemory> ; \WriteProcessMemory 0040111E PUSH AsprDbgr.004046E4 ; /pOldProtect = AsprDbgr.004046E4 00401123 PUSH DWORD PTR DS:[4046E4] ; \|NewProtect = 0 00401129 PUSH 1 ; \|Size = 1 0040112B PUSH DWORD PTR DS:[404664] ; \|Address = NULL 00401131 PUSH DWORD PTR DS:[404217] ; \|hProcess = NULL 00401137 CALL <JMP.&kernel32.VirtualProtectEx> ; \VirtualProtectEx 0040113C JMP AsprDbgr.00402689 00401141 CMP DWORD PTR DS:[40432C],1 00401148 JNZ AsprDbgr.00402689 0040114E CMP DWORD PTR DS:[404338],C0000005 00401158 JNZ AsprDbgr.0040122C 0040115E CMP DWORD PTR DS:[4047C8],1 00401165 JE SHORT AsprDbgr.004011AA 00401167 CMP BYTE PTR DS:[404A33],0 0040116E JE AsprDbgr.0040122C 00401174 MOV EAX,DWORD PTR DS:[404338] 00401179 MOV EBX,DWORD PTR DS:[404344] 0040117F CMP EBX,0 00401182 JE AsprDbgr.0040122C 00401188 PUSH EBX ; /<%lX> => 0 00401189 PUSH AsprDbgr.00404A08 ; \|Format = " Access Violation caused at adress: %lX " 0040118E PUSH AsprDbgr.00404227 ; \|s = AsprDbgr.00404227 00401193 CALL <JMP.&user32.wsprintfA> ; \wsprintfA 00401198 ADD ESP,0C 0040119B PUSH AsprDbgr.00404227 ; /Arg1 = 00404227 004011A0 CALL AsprDbgr.00402ED0 ; \AsprDbgr.00402ED0 004011A5 JMP AsprDbgr.0040122C 004011AA MOV EAX,DWORD PTR DS:[404344] 004011AF ADD EAX,2 004011B2 MOV DWORD PTR DS:[4047CC],EAX 004011B7 PUSH 0 ; /pBytesRead = NULL 004011B9 PUSH 1 ; \|BytesToRead = 1 004011BB PUSH AsprDbgr.004047D0 ; \|Buffer = AsprDbgr.004047D0 004011C0 PUSH DWORD PTR DS:[4047CC] ; \|pBaseAddress = 0 004011C6 PUSH DWORD PTR DS:[404217] ; \|hProcess = NULL 004011CC CALL <JMP.&kernel32.ReadProcessMemory> ; \ReadProcessMemory 004011D1 CMP BYTE PTR DS:[4047D0],0EB 004011D8 JE SHORT AsprDbgr.0040122C 004011DA PUSH AsprDbgr.004046E4 ; /pOldProtect = AsprDbgr.004046E4 004011DF PUSH 40 ; \|NewProtect = PAGE_EXECUTE_READWRITE 004011E1 PUSH 1 ; \|Size = 1 给你看一下这段代码
drgnmvpn 雪币： 217 活跃值： (70) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 25 粉丝 1 关注私信	drgnmvpn 2004-4-27 09:45 7 楼 0 能给介绍一下代码的运行背景吗?在PE文件的什么地方,何时运行,什么运行机制etc
lordor 雪币： 279 活跃值： (375) 能力值： ( LV9，RANK：250 ) 在线值：发帖 12 回帖 239 粉丝 1 关注私信	lordor 6 2004-4-27 12:40 8 楼 0 这是AsprDbgr v1.0beta (:P) Made by me... Manko.的一段代码，你自己逆向一下吧
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复

lordor

雪币： 279

活跃值： (375)

能力值：

( LV9，RANK：250 )

在线值：

发帖

12

回帖

239

粉丝

1

关注

私信

lordor 6 2004-4-26 13:19: 2 楼
0

EP是指程序入口。由于加壳软件会模拟PE装载器对文件进行载入，所以你去读40**处地址时，可能还未有数据

drgnmvpn

雪币： 217

活跃值： (70)

能力值：

( LV2，RANK：10 )

在线值：

发帖

7

回帖

25

粉丝

1

关注

私信

drgnmvpn 2004-4-26 14:31: 3 楼
0

但这个块里就是壳的代码啊.程序最一开始就得到这运行的.而且是在PE文件中可以看出来的一个块,应该属于自动加载的块.我不明白用CreateProcess后这一块怎么会不加载,那马上我一ResumeThread主线程就要运行这里的代码了,它又如何马上加载上这代码呢?

drgnmvpn

雪币： 217

活跃值： (70)

能力值：

( LV2，RANK：10 )

在线值：

发帖

7

回帖

25

粉丝

1

关注

私信

drgnmvpn 2004-4-26 14:44: 4 楼
0

再做了些实验,发现这个块应该是加载了的,只是对ReadProcessMemory,VirtualQureyEx之类的函数做了防范.这应该就是所谓的防内存读写功能吧.不知如何改掉它

drgnmvpn

雪币： 217

活跃值： (70)

能力值：

( LV2，RANK：10 )

在线值：

发帖

7

回帖

25

粉丝

1

关注

私信

drgnmvpn 2004-4-26 16:46: 5 楼
0

我想应该是壳通过SEH技术在后来加载此块吧.但啥代码都没运行,就能设置SEH处理功能吗?不太懂

lordor

雪币： 279

活跃值： (375)

能力值：

( LV9，RANK：250 )

在线值：

发帖

12

回帖

239

粉丝

1

关注

私信

lordor 6 2004-4-26 18:03: 6 楼
0

AsprDbgr.>CALL AsprDbgr.0040100C
00401005  PUSH 0                                                  ; /ExitCode = 0
00401007  CALL <JMP.&kernel32.ExitProcess>                        ; \ExitProcess
0040100C  PUSH AsprDbgr.00404000                                  ; /Arg1 = 00404000 ASCII "AsprDbgr v1.0beta (:P) Made by me... Manko.

"
00401011  CALL AsprDbgr.00402ED0                                  ; \AsprDbgr.00402ED0
00401016  MOV DWORD PTR DS:[404030],4C
00401020  MOV DWORD PTR DS:[40403C],AsprDbgr.00404180             ;  ASCII "Any files"
0040102A  MOV DWORD PTR DS:[40404C],AsprDbgr.0040407C
00401034  MOV DWORD PTR DS:[404050],104
0040103E  MOV DWORD PTR DS:[404064],281804
00401048  PUSH AsprDbgr.00404030                                  ; /pOpenFileName = AsprDbgr.00404030
0040104D  CALL <JMP.&comdlg32.GetOpenFileNameA>                   ; \GetOpenFileNameA
00401052  MOV EAX,DWORD PTR DS:[40404C]
00401057  MOV EAX,DWORD PTR DS:[EAX]
00401059  TEST EAX,EAX
0040105B  JE AsprDbgr.00402E3E
00401061  PUSH AsprDbgr.004041D3                                  ; /pStartupinfo = AsprDbgr.004041D3
00401066  CALL <JMP.&kernel32.GetStartupInfoA>                    ; \GetStartupInfoA
0040106B  PUSH AsprDbgr.00404217                                  ; /pProcessInfo = AsprDbgr.00404217
00401070  PUSH AsprDbgr.004041D3                                  ; |pStartupInfo = AsprDbgr.004041D3
00401075  PUSH 0                                                  ; |CurrentDir = NULL
00401077  PUSH 0                                                  ; |pEnvironment = NULL
00401079  PUSH 3                                                  ; |CreationFlags = DEBUG_PROCESS|DEBUG_ONLY_THIS_PROCESS
0040107B  PUSH 0                                                  ; |InheritHandles = FALSE
0040107D  PUSH 0                                                  ; |pThreadSecurity = NULL
0040107F  PUSH 0                                                  ; |pProcessSecurity = NULL
00401081  PUSH 0                                                  ; |CommandLine = NULL
00401083  PUSH AsprDbgr.0040407C                                  ; |ModuleFileName = ""
00401088  CALL <JMP.&kernel32.CreateProcessA>                     ; \CreateProcessA
0040108D  TEST EAX,EAX
0040108F  JE AsprDbgr.00402E3E
00401095  PUSH -1                                                 ; /Timeout = INFINITE
00401097  PUSH AsprDbgr.0040432C                                  ; |pDebugEvent = AsprDbgr.0040432C
0040109C  CALL <JMP.&kernel32.WaitForDebugEvent>                  ; \WaitForDebugEvent
004010A1  CMP DWORD PTR DS:[40432C],5
004010A8  JE AsprDbgr.00402E08
004010AE  CMP DWORD PTR DS:[40432C],3
004010B5  JE SHORT AsprDbgr.004010BC
004010B7  JMP AsprDbgr.00401141
004010BC  MOV EAX,DWORD PTR DS:[404354]
004010C1  MOV DWORD PTR DS:[404664],EAX
004010C6  PUSH 0                                                  ; /pBytesRead = NULL
004010C8  PUSH 1                                                  ; |BytesToRead = 1
004010CA  PUSH AsprDbgr.00404668                                  ; |Buffer = AsprDbgr.00404668
004010CF  PUSH DWORD PTR DS:[404664]                              ; |pBaseAddress = 0
004010D5  PUSH DWORD PTR DS:[404217]                              ; |hProcess = NULL
004010DB  CALL <JMP.&kernel32.ReadProcessMemory>                  ; \ReadProcessMemory
004010E0  MOV EAX,DWORD PTR DS:[404344]
004010E5  MOV DWORD PTR DS:[404669],EAX
004010EA  PUSH AsprDbgr.004046E4                                  ; /pOldProtect = AsprDbgr.004046E4
004010EF  PUSH 40                                                 ; |NewProtect = PAGE_EXECUTE_READWRITE
004010F1  PUSH 1                                                  ; |Size = 1
004010F3  PUSH DWORD PTR DS:[404664]                              ; |Address = NULL
004010F9  PUSH DWORD PTR DS:[404217]                              ; |hProcess = NULL
004010FF  CALL <JMP.&kernel32.VirtualProtectEx>                   ; \VirtualProtectEx
00401104  PUSH 0                                                  ; /pBytesWritten = NULL
00401106  PUSH 1                                                  ; |BytesToWrite = 1
00401108  PUSH AsprDbgr.0040466D                                  ; |Buffer = AsprDbgr.0040466D
0040110D  PUSH DWORD PTR DS:[404664]                              ; |Address = 0
00401113  PUSH DWORD PTR DS:[404217]                              ; |hProcess = NULL
00401119  CALL <JMP.&kernel32.WriteProcessMemory>                 ; \WriteProcessMemory
0040111E  PUSH AsprDbgr.004046E4                                  ; /pOldProtect = AsprDbgr.004046E4
00401123  PUSH DWORD PTR DS:[4046E4]                              ; |NewProtect = 0
00401129  PUSH 1                                                  ; |Size = 1
0040112B  PUSH DWORD PTR DS:[404664]                              ; |Address = NULL
00401131  PUSH DWORD PTR DS:[404217]                              ; |hProcess = NULL
00401137  CALL <JMP.&kernel32.VirtualProtectEx>                   ; \VirtualProtectEx
0040113C  JMP AsprDbgr.00402689
00401141  CMP DWORD PTR DS:[40432C],1
00401148  JNZ AsprDbgr.00402689
0040114E  CMP DWORD PTR DS:[404338],C0000005
00401158  JNZ AsprDbgr.0040122C
0040115E  CMP DWORD PTR DS:[4047C8],1
00401165  JE SHORT AsprDbgr.004011AA
00401167  CMP BYTE PTR DS:[404A33],0
0040116E  JE AsprDbgr.0040122C
00401174  MOV EAX,DWORD PTR DS:[404338]
00401179  MOV EBX,DWORD PTR DS:[404344]
0040117F  CMP EBX,0
00401182  JE AsprDbgr.0040122C
00401188  PUSH EBX                                                ; /<%lX> => 0
00401189  PUSH AsprDbgr.00404A08                                  ; |Format = "  Access Violation caused at adress: %lX
"
0040118E  PUSH AsprDbgr.00404227                                  ; |s = AsprDbgr.00404227
00401193  CALL <JMP.&user32.wsprintfA>                            ; \wsprintfA
00401198  ADD ESP,0C
0040119B  PUSH AsprDbgr.00404227                                  ; /Arg1 = 00404227
004011A0  CALL AsprDbgr.00402ED0                                  ; \AsprDbgr.00402ED0
004011A5  JMP AsprDbgr.0040122C
004011AA  MOV EAX,DWORD PTR DS:[404344]
004011AF  ADD EAX,2
004011B2  MOV DWORD PTR DS:[4047CC],EAX
004011B7  PUSH 0                                                  ; /pBytesRead = NULL
004011B9  PUSH 1                                                  ; |BytesToRead = 1
004011BB  PUSH AsprDbgr.004047D0                                  ; |Buffer = AsprDbgr.004047D0
004011C0  PUSH DWORD PTR DS:[4047CC]                              ; |pBaseAddress = 0
004011C6  PUSH DWORD PTR DS:[404217]                              ; |hProcess = NULL
004011CC  CALL <JMP.&kernel32.ReadProcessMemory>                  ; \ReadProcessMemory
004011D1  CMP BYTE PTR DS:[4047D0],0EB
004011D8  JE SHORT AsprDbgr.0040122C
004011DA  PUSH AsprDbgr.004046E4                                  ; /pOldProtect = AsprDbgr.004046E4
004011DF  PUSH 40                                                 ; |NewProtect = PAGE_EXECUTE_READWRITE
004011E1  PUSH 1                                                  ; |Size = 1

给你看一下这段代码

drgnmvpn

雪币： 217

活跃值： (70)

能力值：

( LV2，RANK：10 )

在线值：

发帖

7

回帖

25

粉丝