[讨论]发现一个神奇的程序
发表于: 2023-7-29 10:00 4985


最近发现一个小exe程序,打开后会弹出一个MessageBox,内容是电脑的硬件id。根据以往的经验,硬件id一般是通过注册表、硬盘序列号、网卡地址等信息计算出来的,于是用frida来hook相关函数:

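// Trace which Windows API exports the target process calls while it builds
// its hardware ID. Every export listed below gets the same enter/leave logging.
//
// Scope of the trace: Interceptor.attach patches the export at the address
// Module.findExportByName returns, i.e. inside the DLL image the script can
// see by name. A call that never reaches that address (for example code that
// uses its own mapped copy of a DLL, a lower-level entry point, or a CPU
// instruction such as cpuid) produces no output here, so a silent hook does
// not prove the corresponding information was left unread.
var HOOK_TARGETS = [
    ["Shell32.dll", "ShellExecuteW"],
    // Volume and drive enumeration (disk serial number sources).
    ["Kernel32.dll", "GetVolumeInformationByHandleW"],
    ["Kernel32.dll", "GetVolumeInformationW"],
    ["Kernel32.dll", "GetLogicalDriveStringsW"],
    ["Kernel32.dll", "QueryDosDeviceW"],
    // Dynamic API resolution.
    ["Kernel32.dll", "GetProcAddress"],
    ["Kernel32.dll", "LoadLibraryW"],
    ["Kernel32.dll", "LoadLibraryExW"],
    // System description.
    ["Kernel32.dll", "GetNativeSystemInfo"],
    ["Kernel32.dll", "GetSystemInfo"],
    // Registry access.
    ["Advapi32.dll", "RegCreateKeyExW"],
    ["Advapi32.dll", "RegOpenKeyExW"],
    // COM initialisation and object creation.
    ["Ole32.dll", "CoInitialize"],
    ["Ole32.dll", "CoCreateInstance"],
    // Network adapter information. The original script resolved these two
    // exports but attached the hooks to GetSystemInfo, so they were never
    // actually traced.
    ["Iphlpapi.dll", "GetAdaptersInfo"],
    ["Iphlpapi.dll", "GetInterfaceInfo"],
    // Raw device and firmware queries.
    ["Kernel32.dll", "DeviceIoControl"],
    ["Kernel32.dll", "GetSystemFirmwareTable"],
    ["Kernel32.dll", "EnumSystemFirmwareTables"],
    ["Kernel32.dll", "GetVersion"]
];

/**
 * Attach an enter/leave logger to one exported function.
 *
 * @param {string} moduleName - DLL that exports the function.
 * @param {string} exportName - Name of the exported function.
 */
function traceExport(moduleName, exportName) {
    var address = Module.findExportByName(moduleName, exportName);
    if (address === null) {
        // The export could not be resolved (module not loaded, or name not
        // exported). Passing null to Interceptor.attach would throw and abort
        // every hook listed after this one, so report it and carry on.
        console.log("[!] " + moduleName + "!" + exportName + " not found, hook skipped");
        return;
    }
    Interceptor.attach(address, {
        onEnter: function (args) {
            console.log("[+] " + exportName);
        },
        onLeave: function (retval) {
            // For functions declared void (GetSystemInfo, GetNativeSystemInfo)
            // the printed value carries no meaning.
            console.log("leave " + exportName + " returns:" + retval);
        }
    });
}

HOOK_TARGETS.forEach(function (target) {
    traceExport(target[0], target[1]);
});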

然后运行的时候发现只有QueryDosDeviceW和GetLogicalDriveStringsW两个函数被调用了,这就奇怪了,到底它是根据什么信息计算的硬件id呢?



最后于 2023-7-29 10:13 被从未沦陷编辑 ,原因:
最新回复 (11)
2
有没有可能是com调用,比如wmi
2023-7-29 11:05
3
万剑归宗 有没有可能是com调用,比如wmi
CoInitialize 函数已经hook了,没有发现函数调用
2023-7-29 11:20
4
先学基础?!
原理不知道,当然hook不到
2023-7-29 11:54
5
2023-7-29 15:31
6
对ZwQueryValueKey监控发现读取了HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer和HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion,尝试改变这两个值发现机器码改变了几个字符,应该还有其它地方的信息也参与了机器码的计算,看加载的dll发现貌似用了rpc,可能是这个原因导致没有hook到其它函数
2023-7-29 17:03
7
cpuid指令呢
2023-7-29 17:12
8
pxhb cpuid指令呢
想到这个了,就是不知道咋样hook这个cpuid
2023-7-29 20:08
9
mark
2023-7-29 23:03
10
SE有模拟DLL功能,就是把系统的DLL载入内存映射再调用,跳过原始系统的DLL调用,而你HOOK的是原系统的DLL函数,当然会发现不了
2023-7-30 10:54
11
00473FBE   你可以在此处下断或者HOOK 来看到API的模拟详情

2023-7-30 11:04
12
Mxixihaha SE有模拟DLL功能. 就是把系统的DLL载入内存映射再调用, 跳过原始系统的DLL调用, 而你HOOK的是原系统的DLL函数,当然会发现不了
多谢大佬指点,看来得把这个Safengine Shielden 脱掉才能分析了,目前的功力还搞不定
2023-7-30 11:51