I ran the ASP2.XX_IATfixer_v1.02 script on it, and it went all the way to the final prompt "stolen code start". I take it this means that this is the spot where the packer starts stealing the OEP code.
The IAT memory region now shows the addresses of a lot of function names:
0040B000 7C80B357 kernel32.GetModuleFileNameA
0040B004 7C801D77 kernel32.LoadLibraryA
0040B008 7C809B77 kernel32.CloseHandle
0040B00C 7C809C28 kernel32.SetEvent
0040B010 7C812F7C kernel32.OpenEventA
0040B014 7C80994E kernel32.GetCurrentProcessId
0040B018 7C930331 ntdll.RtlGetLastWin32Error
0040B01C 7C80C6E0 kernel32.lstrlenA
0040B020 7C863C00 kernel32.Process32Next
0040B024 7C863A8D kernel32.Process32First
0040B028 7C8647B7 kernel32.CreateToolhelp32Snapshot
0040B02C 7C812851 kernel32.GetVersionExA
0040B030 7C81CAA2 kernel32.ExitProcess
0040B034 7C801E16 kernel32.TerminateProcess
0040B038 7C80CD58 kernel32.FlushFileBuffers
0040B03C 7C80CEC4 kernel32.LCMapStringW
0040B040 7C832E2B kernel32.LCMapStringA
0040B044 7C80180E kernel32.ReadFile
0040B048 7C80A480 kernel32.GetStringTypeW
0040B04C 7C838CB9 kernel32.GetStringTypeA
0040B050 7C81D8CB kernel32.SetStdHandle
0040B054 7C81E82A kernel32.GetOEMCP
0040B058 7C809943 kernel32.GetACP
0040B05C 7C9305D4 ntdll.RtlAllocateHeap
0040B060 7C80B529 kernel32.GetModuleHandleA
0040B064 7C801EEE kernel32.GetStartupInfoA
0040B068 7C812C8D kernel32.GetCommandLineA
0040B06C 7C8114AB kernel32.GetVersion
0040B070 7C93043D ntdll.RtlFreeHeap
0040B074 7C80AC28 kernel32.GetProcAddress
0040B078 7C81486A kernel32.GetEnvironmentVariableA
0040B07C 7C811110 kernel32.HeapDestroy
0040B080 7C812929 kernel32.HeapCreate
0040B084 7C809B14 kernel32.VirtualFree
0040B088 7C809A81 kernel32.VirtualAlloc
0040B08C 7C9379FD ntdll.RtlReAllocateHeap
0040B090 7C812BE6 kernel32.GetCPInfo
0040B094 7C812C78 kernel32.GetEnvironmentStringsW
0040B098 7C80E00D kernel32.GetCurrentProcess
0040B09C 7C862B8A kernel32.UnhandledExceptionFilter
0040B0A0 7C81DC3F kernel32.FreeEnvironmentStringsA
0040B0A4 7C81485F kernel32.FreeEnvironmentStringsW
0040B0A8 7C80A0C7 kernel32.WideCharToMultiByte
0040B0AC 7C81CC23 kernel32.GetEnvironmentStringsA
0040B0B0 7C80C6CF kernel32.SetHandleCount
0040B0B4 7C812CA9 kernel32.GetStdHandle
0040B0B8 7C811069 kernel32.GetFileType
0040B0BC 7C957A40 ntdll.RtlUnwind
0040B0C0 7C810F9F kernel32.WriteFile
0040B0C4 7C810DA6 kernel32.SetFilePointer
0040B0C8 7C809CAD kernel32.MultiByteToWideChar
0040B0CC 00000000
0040B0D0 77400BE9 shell32.Shell_NotifyIconA
0040B0D4 00000000
0040B0D8 77D1DF6B user32.DefWindowProcA
0040B0DC 77D3EDEB user32.PostQuitMessage
0040B0E0 77D221AE user32.LoadIconA
0040B0E4 77D3EA45 user32.GetMessageA
0040B0E8 77D18BCE user32.TranslateMessage
0040B0EC 77D1BCBD user32.DispatchMessageA
0040B0F0 77D22316 user32.RegisterClassA
0040B0F4 77D2190B user32.CreateWindowExA
0040B0F8 00000000
0040B0FC 00000000
0040B100 FFFFFFFF
0040B104 004055E8 XTrap.004055E8
0040B108 004055FC XTrap.004055FC
0040B10C 4C475F5F
0040B110 4C41424F
0040B114 4145485F
But I suspect that part of it may still be encrypted. The reason is that, scrolling further down, things like this show up:
0040B48C 6D617267
0040B490 6D616E20
0040B494 6E752065
0040B498 776F6E6B shell32.776F6E6B
0040B49C 00003E6E
0040B4A0 4C746547
0040B4A4 41747361
0040B4A8 76697463
0040B4AC 706F5065
.................
0040B83C 23BB01C7
0040B840 BEFAE940
0040B844 48FE6A5A
0040B848 01F50000
0040B84C E93D2F3B
0040B850 7712C162 oleaut32.7712C162
0040B854 01650000
0040B858 28E340E7
0040B85C 18844B89
0040B860 5ED661F1
0040B864 9448E3EF
0040B868 0000FB92
0040B86C A60E0142
0040B870 C43003F0
0040B874 E6433B50
0040B878 D394DE52
0040B87C 714171FE
0040B880 16386158
0040B884 01F300EE
0040B888 77501016 shell32.77501016
0040B88C DA86A828
0040B890 006AED46
0040B894 821401F1
0040B898 396522D3
0040B89C 7500CD1D
.............................
0040BA5C 00006DED
0040BA60 738F0220
0040BA64 24401A56
0040BA68 E6577655
0040BA6C 00002607
0040BA70 142C0221
0040BA74 023920A7
0040BA78 23ED7F2A
0040BA7C 00005B96
0040BA80 4FB800DB
0040BA84 F6B63FC8
0040BA88 45D0E926
0040BA8C 42165D25
0040BA90 0000EE33
0040BA94 00000000
0040BA98 00000000
0040BA9C 00000000
0040BAA0 00000000
0040BAA4 00000000
0040BAA8 00000000
0040BAAC 00000000
0040BAB0 00000000
0040BAB4 00000000
0040BAB8 00000000
0040BABC 00000000
Also, when I load the debugged process in LordPE, more than ten system DLLs are loaded, so by the look of it the unencrypted APIs above are only a portion of them. Is this packer really that devious (deliberately trying to confuse the unpacker)?
It looks like 0040BA98 is actually where it ends. Please take a look and analyze this too, everyone.
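As an added example for this thread (not part of the original post and not the IATfixer script), here is a small offline classifier for a dumped IAT area. It distinguishes four things that look alike in the debugger's dword view: a resolved import (the value matches a known export), a dword that merely lands inside a loaded module's address range without being an export (which is why OllyDbg prints labels such as shell32.776F6E6B with no function name), little-endian ASCII text, and pointers into the image. The module bases are taken from the addresses quoted above and the sizes, the image size and the export subset are assumptions; in practice you would feed it the full module list and export table from the debugger. The sample region is constructed from the dwords quoted in the post.

```python
"""Classify dwords in a dumped IAT area and locate where the resolved
import thunks stop.  Added example for this thread; not the original
post's data handling and not the IATfixer script.  Module bases are
taken from the post, module sizes, image size and the export subset
are assumptions (an XP-era layout) and must be adjusted per debuggee."""
import struct

IMAGE_BASE, IMAGE_SIZE = 0x00400000, 0x0000C000   # assumed (XTrap.*)

# (name, base, size): bases from the post's addresses, sizes assumed.
MODULES = [
    ("kernel32", 0x7C800000, 0x000F6000),
    ("ntdll",    0x7C900000, 0x000B2000),
    ("user32",   0x77D10000, 0x00090000),
    ("shell32",  0x773D0000, 0x008CD000),
    ("oleaut32", 0x770F0000, 0x0008C000),
]

# Resolved export address -> name, a subset copied from the listing.
EXPORTS = {
    0x7C80B357: "kernel32.GetModuleFileNameA",
    0x7C801D77: "kernel32.LoadLibraryA",
    0x7C809B77: "kernel32.CloseHandle",
    0x7C809CAD: "kernel32.MultiByteToWideChar",
    0x77400BE9: "shell32.Shell_NotifyIconA",
    0x77D1DF6B: "user32.DefWindowProcA",
    0x77D2190B: "user32.CreateWindowExA",
}

def module_of(value):
    """Name of the module whose mapped range contains value, else None."""
    for name, base, size in MODULES:
        if base <= value < base + size:
            return name
    return None

def classify(value):
    """Return (kind, detail) for one dword read from the IAT area."""
    if value == 0:
        return ("null", "thunk-array terminator / unused slot")
    if value == 0xFFFFFFFF:
        return ("sentinel", "-1: CRT data, not an import")
    if value in EXPORTS:
        return ("import", EXPORTS[value])
    text = struct.pack("<I", value).rstrip(b"\0")
    if len(text) >= 2 and all(0x20 <= b < 0x7F for b in text):
        # Text wins over "in module range": 776F6E6B is "know" and only
        # happens to fall inside shell32, hence the shell32.776F6E6B label.
        return ("ascii", text.decode("ascii"))
    mod = module_of(value)
    if mod is not None:
        return ("in-module", f"{mod} range but not a known export")
    if IMAGE_BASE <= value < IMAGE_BASE + IMAGE_SIZE:
        return ("image-ptr", f"pointer into the image ({value:08X})")
    return ("data", "opaque: uninitialized, encrypted or plain data")

def find_iat_end(region):
    """region: list of (address, dword).  Address just past the zero that
    terminates the last thunk array holding a resolved import, or None."""
    last = None
    for i, (_, val) in enumerate(region):
        if classify(val)[0] == "import":
            last = i
    if last is None:
        return None
    addr = region[last][0] + 4
    if last + 1 < len(region) and region[last + 1] == (addr, 0):
        addr += 4                      # include the terminating null dword
    return addr

def decode_strings(region):
    """Join runs of address-adjacent ASCII dwords into (start, text)."""
    out, start, text, prev = [], None, "", None
    for addr, val in region:
        kind, detail = classify(val)
        if kind == "ascii" and text and addr == prev + 4:
            text += detail
        elif kind == "ascii":
            if text:
                out.append((start, text))
            start, text = addr, detail
        elif text:
            out.append((start, text))
            start, text = None, ""
        prev = addr
    if text:
        out.append((start, text))
    return out

# Constructed sample: dwords copied from the post's listing (with gaps).
SAMPLE = [
    (0x0040B000, 0x7C80B357), (0x0040B004, 0x7C801D77), (0x0040B008, 0x7C809B77),
    (0x0040B0C8, 0x7C809CAD), (0x0040B0CC, 0x00000000), (0x0040B0D0, 0x77400BE9),
    (0x0040B0D4, 0x00000000), (0x0040B0D8, 0x77D1DF6B), (0x0040B0F4, 0x77D2190B),
    (0x0040B0F8, 0x00000000), (0x0040B0FC, 0x00000000), (0x0040B100, 0xFFFFFFFF),
    (0x0040B104, 0x004055E8), (0x0040B108, 0x004055FC), (0x0040B10C, 0x4C475F5F),
    (0x0040B110, 0x4C41424F), (0x0040B114, 0x4145485F), (0x0040B48C, 0x6D617267),
    (0x0040B490, 0x6D616E20), (0x0040B494, 0x6E752065), (0x0040B498, 0x776F6E6B),
    (0x0040B49C, 0x00003E6E), (0x0040B850, 0x7712C162), (0x0040B854, 0x01650000),
]

if __name__ == "__main__":
    for addr, val in SAMPLE:
        kind, detail = classify(val)
        print(f"{addr:08X} {val:08X} {kind:<9} {detail}")
    print(f"resolved import thunks end at {find_iat_end(SAMPLE):08X}")
    for start, text in decode_strings(SAMPLE):
        print(f"{start:08X} text {text!r}")
```

On the dwords quoted in the post the heuristic puts the last resolved import at 0040B0F4 (user32.CreateWindowExA) with its terminating null at 0040B0F8, and it decodes the runs starting at 0040B10C and 0040B48C as the CRT strings "__GLOBAL_HEA..." and "...gram name unknown>"; the oleaut32.7712C162 entry falls into the "in-module but not an export" bucket, where the only evidence for it being an import is the address range. Whether any further imports are still encrypted has to be decided from the thunk arrays the packer rebuilds, not from labels the debugger attaches to arbitrary in-range values.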