在看雪注册也有好些年了,一直都不敢发贴,一是看雪上大牛太多,二是自己的水平太菜。这次怀着忐忑的心情,试着自己的处女贴,不足之处,还请各位多多指教。大家一起交流,共同进步,这是我发帖的主要目的。好了,下面开始步入正题,这是一个win32操作系统的账户密码查看器,是在某个群中有人问它的原理,我就跟对方要了那个小东西来分析下,于是就有了下面的文章。
这是一个控制台程序,用IDA加载后,基本上就能看到全貌,只要稍加分析下即可。下面我们来慢慢分析。用IDA加载后,我们直接来到了main函数,在最开始的部分,有这么写东西,代码如下:
.text:00401150 sub esp, 2C4h
.text:00401156 push offset aNWindowsIBByZS ; "欢迎使用windows密码读取器,by : 学生组G"...
.text:0040115B call sub_40183D ; 显示字符串
.text:00401160 add esp, 4
.text:00401163 call sub_4014E0 ; 提升程序特权
.text:00401168 cmp eax, 1
.text:0040116B jz short loc_40117A
.text:0040183D arg_0 = dword ptr 4
.text:0040183D arg_4 = dword ptr 8
.text:0040183D
.text:0040183D push ebx
.text:0040183E push esi
.text:0040183F mov esi, offset File
.text:00401844 push edi
.text:00401845 push esi
.text:00401846 call __stbuf
.text:0040184B mov edi, eax
.text:0040184D lea eax, [esp+10h+arg_4]
.text:00401851 push eax ; int
.text:00401852 push [esp+14h+arg_0] ; int
.text:00401856 push esi ; File
.text:00401857 call sub_402274
.text:0040185C push esi
.text:0040185D push edi
.text:0040185E mov ebx, eax
.text:00401860 call __ftbuf
.text:00401865 add esp, 18h
.text:00401868 mov eax, ebx
.text:0040186A pop edi
.text:0040186B pop esi
.text:0040186C pop ebx
.text:0040186D retn
.text:0040186D sub_40183D endp
83 EC 1C sub esp, 1Ch
.text:004014E3 8D 44 24 00 lea eax, [esp+1Ch+TokenHandle]
.text:004014E7 50 push eax ; TokenHandle
.text:004014E8 68 FF 01 0F 00 push 0F01FFh ; DesiredAccess
.text:004014ED FF 15 28 80 40 00 call ds:GetCurrentProcess ; 获取当前进程句柄
.text:004014F3 50 push eax ; ProcessHandle
.text:004014F4 FF 15 08 80 40 00 call ds:OpenProcessToken ; 打开当前进程访问令牌
.text:004014FA 85 C0 test eax, eax
.text:004014FC 75 13 jnz short loc_401511 ; 判断函数是否调用成功,调用成功则跳转
.text:004014FE 68 EC 92 40 00 push offset aOpenprocesstok ; "OpenProcessToken fail"
.text:00401503 E8 CE 02 00 00 call _puts
.text:00401508 83 C4 04 add esp, 4
.text:0040150B 33 C0 xor eax, eax
.text:0040150D 83 C4 1C add esp, 1Ch
.text:00401510 C3 retn
.text:00401511 ; ---------------------------------------------------------------------------
.text:00401511
.text:00401511 loc_401511: ; CODE XREF: sub_4014E0+1Cj
.text:00401511 8D 4C 24 04 lea ecx, [esp+1Ch+Luid]
.text:00401515 51 push ecx ; lpLuid
.text:00401516 68 D8 92 40 00 push offset Name ; "SeDebugPrivilege"
.text:0040151B 6A 00 push 0 ; lpSystemName
.text:0040151D FF 15 00 80 40 00 call ds:LookupPrivilegeValueA ; 查看系统权限的特权值
.text:00401523 85 C0 test eax, eax ; 判断函数是否调用成功
.text:00401525 75 13 jnz short loc_40153A ; 调用成功则跳转
.text:00401527 68 BC 92 40 00 push offset aLookupprivileg ; "LookupPrivilegeValue fail"
.text:0040152C E8 A5 02 00 00 call _puts
.text:00401531 83 C4 04 add esp, 4
.text:00401534 33 C0 xor eax, eax
.text:00401536 83 C4 1C add esp, 1Ch
.text:00401539 C3 retn
.text:0040153A ; ---------------------------------------------------------------------------
.text:0040153A
.text:0040153A loc_40153A: ; CODE XREF: sub_4014E0+45j
.text:0040153A 8B 54 24 04 mov edx, [esp+1Ch+Luid.LowPart]
.text:0040153E 8B 44 24 08 mov eax, [esp+1Ch+Luid.HighPart]
.text:00401542 6A 00 push 0 ; ReturnLength
.text:00401544 6A 00 push 0 ; PreviousState
.text:00401546 8D 4C 24 14 lea ecx, [esp+24h+NewState] ; 新特权的地址
.text:0040154A 89 54 24 18 mov [esp+24h+NewState.Privileges.Luid.LowPart], edx ; 初始化新特权
.text:0040154E 8B 54 24 08 mov edx, [esp+24h+TokenHandle]
.text:00401552 6A 10 push 10h ; BufferLength
.text:00401554 51 push ecx ; NewState
.text:00401555 6A 00 push 0 ; DisableAllPrivileges
.text:00401557 52 push edx ; TokenHandle
.text:00401558 C7 44 24 24 01 00 00 00 mov [esp+34h+NewState.PrivilegeCount], 1 ; 初始化新特权
.text:00401560 89 44 24 2C mov [esp+34h+NewState.Privileges.Luid.HighPart], eax ; 初始化新特权
.text:00401564 C7 44 24 30 02 00 00 00 mov [esp+34h+NewState.Privileges.Attributes], 2 ; 初始化新特权
.text:0040156C FF 15 04 80 40 00 call ds:AdjustTokenPrivileges ; 修改特权
.text:00401572 85 C0 test eax, eax
.text:00401574 75 13 jnz short loc_401589
.text:00401168 cmp eax, 1
.text:0040116B jz short loc_40117A
.text:0040117A loc_40117A: ; CODE XREF: _main+1Bj
.text:0040117A push ebx
.text:0040117B push edi
.text:0040117C push offset aLsass_exe ; "lsass.exe"
.text:00401181 call sub_401000
.text:00401186 mov ebx, eax
.text:00401188 add esp, 4
.text:0040118B test ebx, ebx
.text:0040118D jnz short loc_4011BB
.text:0040118F push offset aGetprocesshand ; "GetProcessHandleByName fail !"
.text:00401194 call _puts
.text:00401199 push offset aTryToRunAsAdmi ; "Try To Run As Administrator ..."
.text:0040119E call _puts
.text:004011A3 push offset aEchoPressAnyKe ; "echo Press any Key to Continue ... & pa"...
.text:004011A8 call sub_401740
.text:004011AD add esp, 0Ch
.text:004011B0 xor eax, eax
.text:004011B2 pop edi
.text:004011B3 pop ebx
.text:004011B4 add esp, 2C4h
.text:004011BA retn
.text:00401000 81 EC 54 03 00 00 sub esp, 354h
.text:00401006 53 push ebx
.text:00401007 55 push ebp
.text:00401008 56 push esi
.text:00401009 57 push edi
.text:0040100A 68 6C 90 40 00 push offset ProcName ; "NtQueryInformationProcess"
.text:0040100F 68 60 90 40 00 push offset ModuleName ; "ntdll.dll"
.text:00401014 FF 15 14 80 40 00 call ds:GetModuleHandleA
.text:0040101A 50 push eax ; hModule
.text:0040101B FF 15 10 80 40 00 call ds:GetProcAddress
.text:00401021 8B 1D 1C 80 40 00 mov ebx, ds:OpenProcess
.text:00401027 8B 2D 2C 80 40 00 mov ebp, ds:WideCharToMultiByte
.text:0040102D 89 44 24 10 mov [esp+364h+var_354], eax
.text:00401031 BF 04 00 00 00 mov edi, 4
.text:00401036 57 push edi ; dwProcessId
.text:00401037 6A 00 push 0 ; bInheritHandle
.text:00401039 68 FF 0F 1F 00 push 1F0FFFh ; dwDesiredAccess
.text:0040103E FF D3 call ebx ; OpenProcess ; 打开进程
.text:00401040 8B F0 mov esi, eax
.text:00401042 85 F6 test esi, esi
.text:00401044 74 72 jz short loc_4010B8
.text:00401046 8D 44 24 14 lea eax, [esp+364h+var_350]
.text:0040104A 8D 8C 24 1C 01 00 00 lea ecx, [esp+364h+var_248]
.text:00401051 50 push eax
.text:00401052 68 48 02 00 00 push 248h
.text:00401057 51 push ecx
.text:00401058 6A 1B push 1Bh
.text:0040105A 56 push esi
.text:0040105B FF 54 24 24 call [esp+378h+var_354] ; 调用NtQueryInformationProcess函数
.text:0040105F 85 C0 test eax, eax
.text:00401061 75 4E jnz short loc_4010B1
.text:00401063 50 push eax ; lpUsedDefaultChar
.text:00401064 50 push eax ; lpDefaultChar
.text:00401065 8B 84 24 28 01 00 00 mov eax, [esp+36Ch+lpWideCharStr]
.text:0040106C 8D 54 24 20 lea edx, [esp+36Ch+MultiByteStr]
.text:00401070 68 04 01 00 00 push 104h ; cbMultiByte
.text:00401075 52 push edx ; lpMultiByteStr
.text:00401076 6A FF push 0FFFFFFFFh ; cchWideChar
.text:00401078 50 push eax ; lpWideCharStr
.text:00401079 6A 00 push 0 ; dwFlags
.text:0040107B 6A 00 push 0 ; CodePage
.text:0040107D FF D5 call ebp ; WideCharToMultiByte ; 将UNICODE转为char
.text:0040107F 85 C0 test eax, eax
.text:00401081 74 2E jz short loc_4010B1
.text:00401083 8D 44 04 17 lea eax, [esp+eax+364h+var_34D]
.text:00401087 8D 4C 24 18 lea ecx, [esp+364h+MultiByteStr]
.text:0040108B 3B C1 cmp eax, ecx
.text:0040108D 72 0E jb short loc_40109D
.text:0040108F
.text:0040108F loc_40108F: ; CODE XREF: sub_401000+9Bj
.text:0040108F 80 38 5C cmp byte ptr [eax], 5Ch
.text:00401092 74 09 jz short loc_40109D
.text:00401094 48 dec eax
.text:00401095 8D 54 24 18 lea edx, [esp+364h+MultiByteStr]
.text:00401099 3B C2 cmp eax, edx
.text:0040109B 73 F2 jnb short loc_40108F
.text:0040109D
.text:0040109D loc_40109D: ; CODE XREF: sub_401000+8Dj
.text:0040109D ; sub_401000+92j
.text:0040109D 40 inc eax
.text:0040109E 50 push eax ; lpString2
.text:0040109F 8B 84 24 6C 03 00 00 mov eax, [esp+368h+lpString1]
.text:004010A6 50 push eax ; lpString1
.text:004010A7 FF 15 30 80 40 00 call ds:lstrcmpiA ; 将打开的进程名与目标进程名作比较,看目前打开的进程是不是目标进程,
.text:004010AD 85 C0 test eax, eax
.text:004010AF 74 23 jz short loc_4010D4 ; 如果是,则直接将进程句柄作为返回值返回,否则继续查找
.text:004010B1
.text:004010B1 loc_4010B1: ; CODE XREF: sub_401000+61j
.text:004010B1 ; sub_401000+81j
.text:004010B1 56 push esi ; hObject
.text:004010B2 FF 15 38 80 40 00 call ds:CloseHandle
.text:004010B8
.text:004010B8 loc_4010B8: ; CODE XREF: sub_401000+44j
.text:004010B8 83 C7 04 add edi, 4
.text:004010BB 81 FF 10 27 00 00 cmp edi, 2710h
.text:004010C1 0F 82 6F FF FF FF jb loc_401036
.text:004010C7 5F pop edi
.text:004010C8 5E pop esi
.text:004010C9 5D pop ebp
.text:004010CA 33 C0 xor eax, eax
.text:004010CC 5B pop ebx
.text:004010CD 81 C4 54 03 00 00 add esp, 354h
.text:004010D3 C3 retn
.text:004010D4 ; ---------------------------------------------------------------------------
.text:004010D4
.text:004010D4 loc_4010D4: ; CODE XREF: sub_401000+AFj
.text:004010D4 8B C6 mov eax, esi
.text:004010D6 5F pop edi
.text:004010D7 5E pop esi
.text:004010D8 5D pop ebp
.text:004010D9 5B pop ebx
.text:004010DA 81 C4 54 03 00 00 add esp, 354h
.text:004010E0 C3 retn
.text:004010E0 sub_401000 endp
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
