[求助]请大家看下，这段汇编。翻译哪有问题。（已经卡了N天了））-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[求助]请大家看下，这段汇编。翻译哪有问题。（已经卡了N天了））

发表于: 2014-2-16 15:28 3271

[求助]请大家看下，这段汇编。翻译哪有问题。（已经卡了N天了））

wyplyxj

2014-2-16 15:28

3271

0047FA40  /$  55            PUSH EBP
0047FA41  |.  8BEC          MOV EBP,ESP
0047FA43  |.  81EC 3C010000 SUB ESP,13C
0047FA49  |.  A1 A0526F00   MOV EAX,DWORD PTR DS:[6F52A0]
0047FA4E  |.  33C5          XOR EAX,EBP
0047FA50  |.  8945 FC       MOV DWORD PTR SS:[EBP-4],EAX
0047FA53  |.  837D 0C 00    CMP DWORD PTR SS:[EBP+C],0
0047FA57  |.  75 07         JNZ SHORT LWLaunch.0047FA60
0047FA59  |.  33C0          XOR EAX,EAX
0047FA5B  |.  E9 30010000   JMP LWLaunch.0047FB90
0047FA60  |>  C785 CCFEFFFF>MOV DWORD PTR SS:[EBP-134],0
0047FA6A  |.  C785 C8FEFFFF>MOV DWORD PTR SS:[EBP-138],0
0047FA74  |.  C785 D0FEFFFF>MOV DWORD PTR SS:[EBP-130],0
0047FA7E  |.  68 24010000   PUSH 124
0047FA83  |.  6A 00         PUSH 0
0047FA85  |.  8D85 D4FEFFFF LEA EAX,DWORD PTR SS:[EBP-12C]
0047FA8B  |.  50            PUSH EAX
0047FA8C  |.  E8 5F1F0600   CALL LWLaunch.004E19F0
0047FA91  |.  83C4 0C       ADD ESP,0C
0047FA94  |.  6A 00         PUSH 0                                   ; /ProcessID = 0
0047FA96  |.  6A 02         PUSH 2                                   ; |Flags = TH32CS_SNAPPROCESS
0047FA98  |.  E8 97C80800   CALL LWLaunch.0050C334                   ; \CreateToolhelp32Snapshot
0047FA9D  |.  8985 CCFEFFFF MOV DWORD PTR SS:[EBP-134],EAX
0047FAA3  |.  83BD CCFEFFFF>CMP DWORD PTR SS:[EBP-134],-1
0047FAAA  |.  75 07         JNZ SHORT LWLaunch.0047FAB3
0047FAAC  |.  33C0          XOR EAX,EAX
0047FAAE  |.  E9 DD000000   JMP LWLaunch.0047FB90
0047FAB3  |>  C785 D0FEFFFF>MOV DWORD PTR SS:[EBP-130],128
0047FABD  |.  8D8D D0FEFFFF LEA ECX,DWORD PTR SS:[EBP-130]
0047FAC3  |.  51            PUSH ECX                                 ; /pProcessentry
0047FAC4  |.  8B95 CCFEFFFF MOV EDX,DWORD PTR SS:[EBP-134]           ; |
0047FACA  |.  52            PUSH EDX                                 ; |hSnapshot
0047FACB  |.  E8 5EC80800   CALL LWLaunch.0050C32E                   ; \Process32First
0047FAD0  |.  85C0          TEST EAX,EAX
0047FAD2  |.  0F84 9B000000 JE LWLaunch.0047FB73
0047FAD8  |>  8B45 0C       /MOV EAX,DWORD PTR SS:[EBP+C]
0047FADB  |.  50            |PUSH EAX
0047FADC  |.  E8 212B0600   |CALL LWLaunch.004E2602
0047FAE1  |.  83C4 04       |ADD ESP,4
0047FAE4  |.  50            |PUSH EAX
0047FAE5  |.  8D8D F4FEFFFF |LEA ECX,DWORD PTR SS:[EBP-10C]
0047FAEB  |.  51            |PUSH ECX
0047FAEC  |.  E8 112B0600   |CALL LWLaunch.004E2602
0047FAF1  |.  83C4 04       |ADD ESP,4
0047FAF4  |.  50            |PUSH EAX
0047FAF5  |.  E8 566C0600   |CALL LWLaunch.004E6750
0047FAFA  |.  83C4 08       |ADD ESP,8
0047FAFD  |.  85C0          |TEST EAX,EAX
0047FAFF  |.  75 4B         |JNZ SHORT LWLaunch.0047FB4C
0047FB01  |.  8B95 D8FEFFFF |MOV EDX,DWORD PTR SS:[EBP-128]
0047FB07  |.  52            |PUSH EDX                                ; /ProcessId
0047FB08  |.  6A 00         |PUSH 0                                  ; |Inheritable = FALSE
0047FB0A  |.  68 00040000   |PUSH 400                                ; |Access = QUERY_INFORMATION
0047FB0F  |.  FF15 10656700 |CALL NEAR DWORD PTR DS:[676510]         ; \OpenProcess
0047FB15  |.  8985 C4FEFFFF |MOV DWORD PTR SS:[EBP-13C],EAX
0047FB1B  |.  8B45 08       |MOV EAX,DWORD PTR SS:[EBP+8]
0047FB1E  |.  50            |PUSH EAX                                ; /phToken
0047FB1F  |.  68 FF010F00   |PUSH 0F01FF                             ; |DesiredAccess = STANDARD_RIGHTS_REQUIRED|TOKEN_ASSIGN_PRIMARY|TOKEN_DUPLICATE|TOKEN_IMPERSONATE|TOKEN_QUERY|TOKEN_QUERY_SOURCE|TOKEN_ADJUST_PRIVILEGES|TOKEN_ADJUST_GROUPS|TOKEN_ADJUST_DEFAULT|100
0047FB24  |.  8B8D C4FEFFFF |MOV ECX,DWORD PTR SS:[EBP-13C]          ; |
0047FB2A  |.  51            |PUSH ECX                                ; |hProcess
0047FB2B  |.  FF15 3C606700 |CALL NEAR DWORD PTR DS:[67603C]         ; \OpenProcessToken
0047FB31  |.  8985 C8FEFFFF |MOV DWORD PTR SS:[EBP-138],EAX
0047FB37  |.  8B95 CCFEFFFF |MOV EDX,DWORD PTR SS:[EBP-134]
0047FB3D  |.  52            |PUSH EDX                                ; /hObject
0047FB3E  |.  FF15 34656700 |CALL NEAR DWORD PTR DS:[676534]         ; \CloseHandle
0047FB44  |.  8B85 C8FEFFFF |MOV EAX,DWORD PTR SS:[EBP-138]
0047FB4A  |.  EB 44         |JMP SHORT LWLaunch.0047FB90
0047FB4C  |>  8D85 D0FEFFFF |LEA EAX,DWORD PTR SS:[EBP-130]
0047FB52  |.  50            |PUSH EAX                                ; /pProcessentry
0047FB53  |.  8B8D CCFEFFFF |MOV ECX,DWORD PTR SS:[EBP-134]          ; |
0047FB59  |.  51            |PUSH ECX                                ; |hSnapshot
0047FB5A  |.  E8 C9C70800   |CALL LWLaunch.0050C328                  ; \Process32Next
0047FB5F  |.  85C0          |TEST EAX,EAX
0047FB61  |.^ 0F85 71FFFFFF \JNZ LWLaunch.0047FAD8
0047FB67  |.  C785 C8FEFFFF>MOV DWORD PTR SS:[EBP-138],1
0047FB71  |.  EB 0A         JMP SHORT LWLaunch.0047FB7D
0047FB73  |>  C785 C8FEFFFF>MOV DWORD PTR SS:[EBP-138],0
0047FB7D  |>  8B95 CCFEFFFF MOV EDX,DWORD PTR SS:[EBP-134]
0047FB83  |.  52            PUSH EDX                                 ; /hObject
0047FB84  |.  FF15 34656700 CALL NEAR DWORD PTR DS:[676534]          ; \CloseHandle
0047FB8A  |.  8B85 C8FEFFFF MOV EAX,DWORD PTR SS:[EBP-138]
0047FB90  |>  8B4D FC       MOV ECX,DWORD PTR SS:[EBP-4]
0047FB93  |.  33CD          XOR ECX,EBP
0047FB95  |.  E8 55240600   CALL LWLaunch.004E1FEF
0047FB9A  |.  8BE5          MOV ESP,EBP
0047FB9C  |.  5D            POP EBP
0047FB9D  \.  C3            RETN

翻译后的代码：

HANDLE hProcess = NULL ;
    HANDLE hProcessSnap = NULL ;
    PROCESSENTRY32 pe32 = { 0 } ;
    HANDLE hToken = NULL;
    HANDLE hTokenDup = NULL;  
        hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS , 0 ) ;
    if( hProcessSnap == INVALID_HANDLE_VALUE )
    {
        return NULL;
    }
    pe32.dwSize = sizeof( PROCESSENTRY32 ) ;
    if( !Process32First( hProcessSnap, &pe32 ))
    {
        return NULL;
    }
    do {

        if (strcmp("explorer.exe",pe32.szExeFile) == 0)
        {
              hProcess = OpenProcess(
                0x400 ,
                FALSE ,
                pe32.th32ProcessID );


              DWORD a = TOKEN_ASSIGN_PRIMARY|
                  TOKEN_DUPLICATE|
                  TOKEN_IMPERSONATE|
                  TOKEN_QUERY|
                  TOKEN_QUERY_SOURCE|
                  TOKEN_ADJUST_PRIVILEGES|
                  TOKEN_ADJUST_GROUPS|
                  TOKEN_ADJUST_DEFAULT;
              OpenProcessToken( hProcess , TOKEN_ALL_ACCESS|STANDARD_RIGHTS_REQUIRED
                  , &hToken );


              CloseHandle(hProcess);
              CloseHandle(hProcessSnap);
              return hToken;
        }

    } while( Process32Next( hProcessSnap, &pe32 )) ;

关键问题在于，我遍历到explorer.exe 进程后，使用，OpenProcess()打开进程这行代码。。

请各位帮忙指点一二！！！

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・0

免费・0

支持

最新回复 (1)
winwang 雪币： 290 活跃值： (41) 能力值： ( LV6，RANK：90 ) 在线值：发帖 13 回帖 64 粉丝 0 关注私信	winwang 1 2 楼调试你的 c 代码,与原来的比较一下,不就知了.... 2014-2-16 18:04 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

wyplyxj

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区

最新回复 (1)
winwang 雪币： 290 活跃值： (41) 能力值： ( LV6，RANK：90 ) 在线值：发帖 13 回帖 64 粉丝 0 关注私信	winwang 1 2 楼调试你的 c 代码,与原来的比较一下,不就知了.... 2014-2-16 18:04 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复