Due to a mistake in the analysis, this post is withdrawn.
7C9579C8 8BFF mov edi, edi
7C9579CA 55 push ebp
7C9579CB 8BEC mov ebp, esp
7C9579CD 51 push ecx
7C9579CE FF75 08 push dword ptr [ebp+8]
7C9579D1 E8 738EFDFF call RtlImageNtHeader
7C9579D6 F640 5F 04 test byte ptr [eax+5F], 4
7C9579DA 0F85 CF7C0100 jnz 7C96F6AF
7C9579E0 8D45 FC lea eax, [ebp-4]
7C9579E3 50 push eax
7C9579E4 6A 0A push 0A
7C9579E6 6A 01 push 1
7C9579E8 FF75 08 push dword ptr [ebp+8]
7C9579EB E8 668EFDFF call RtlImageDirectoryEntryToData
7C9579F0 85C0 test eax, eax
7C9579F2 0F84 D8010000 je 7C957BD0
Here, if you take the byte at PE + 0x5F, that is, set
ImageNtHeader->OptionalHeader.DllCharacteristics = ImageNtHeader->OptionalHeader.DllCharacteristics | 0x0400;
then a PE file modified this way cannot get past exceptions while it is being debugged, but it runs normally.
(Supported on XP SP2; not supported on W2K.)
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 // Image does not use SEH. No SE handler may reside in this image
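The following is an added example, not code from the original post. It walks the same path the ntdll listing above does in C: locate IMAGE_NT_HEADERS through e_lfanew (what RtlImageNtHeader returns), read DllCharacteristics at +0x5E from the NT headers (0x18 for Signature + IMAGE_FILE_HEADER, plus 0x46 inside the optional header, the same offset for PE32 and PE32+), and show why `test byte ptr [eax+5F], 4` is exactly a test for 0x0400: the flag is little-endian, so its 0x04 lands in the high byte at +0x5F. It then sets the bit the way the post describes. Offsets are hard-coded from the PE layout rather than taken from <windows.h> so it builds on any platform; the sample image is a constructed, minimal PE32 header, not a real binary, and the helper names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets derived from the PE layout (assumed here instead of <windows.h>). */
#define PE_E_LFANEW_OFF           0x3C        /* IMAGE_DOS_HEADER.e_lfanew */
#define PE_NT_SIGNATURE           0x00004550u /* "PE\0\0" */
#define PE_OPTHDR_OFF             0x18        /* Signature(4) + IMAGE_FILE_HEADER(20) */
#define PE_DLLCHARACTERISTICS_OFF 0x5E        /* PE_OPTHDR_OFF + 0x46, same for PE32 and PE32+ */
#define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Equivalent of RtlImageNtHeader: offset of IMAGE_NT_HEADERS, or -1 if not a PE image
   (or too short to hold the field we care about). */
long pe_nt_headers(const uint8_t *img, size_t len) {
    if (len < PE_E_LFANEW_OFF + 4 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t nt = rd32(img + PE_E_LFANEW_OFF);
    if (nt > len || len - nt < PE_DLLCHARACTERISTICS_OFF + 2) return -1;
    if (rd32(img + nt) != PE_NT_SIGNATURE) return -1;
    return (long)nt;
}

/* Full 16-bit DllCharacteristics, or -1 on a bad image. */
int pe_get_dllcharacteristics(const uint8_t *img, size_t len) {
    long nt = pe_nt_headers(img, len);
    if (nt < 0) return -1;
    return rd16(img + nt + PE_DLLCHARACTERISTICS_OFF);
}

/* Mirrors ntdll's `test byte ptr [eax+5F], 4`: 1 if the loader would see NO_SEH, 0 if not, -1 on error. */
int pe_loader_sees_no_seh(const uint8_t *img, size_t len) {
    long nt = pe_nt_headers(img, len);
    if (nt < 0) return -1;
    return (img[nt + 0x5F] & 0x04) != 0;
}

/* The patch described in the post: DllCharacteristics |= IMAGE_DLLCHARACTERISTICS_NO_SEH. */
int pe_set_no_seh(uint8_t *img, size_t len) {
    long nt = pe_nt_headers(img, len);
    if (nt < 0) return -1;
    uint16_t dc = rd16(img + nt + PE_DLLCHARACTERISTICS_OFF) | IMAGE_DLLCHARACTERISTICS_NO_SEH;
    img[nt + PE_DLLCHARACTERISTICS_OFF]     = (uint8_t)(dc & 0xFF);
    img[nt + PE_DLLCHARACTERISTICS_OFF + 1] = (uint8_t)(dc >> 8);
    return 0;
}

/* Constructed sample: a minimal PE32 header only (MZ stub, e_lfanew = 0x80, FileHeader, OptionalHeader). */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    const size_t nt = 0x80, total = nt + 4 + 20 + 0xE0;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[PE_E_LFANEW_OFF] = 0x80;
    memcpy(buf + nt, "PE\0\0", 4);
    buf[nt + 4] = 0x4C; buf[nt + 5] = 0x01;                       /* Machine = IMAGE_FILE_MACHINE_I386 */
    buf[nt + 20] = 0xE0;                                          /* SizeOfOptionalHeader */
    buf[nt + PE_OPTHDR_OFF] = 0x0B; buf[nt + PE_OPTHDR_OFF + 1] = 0x01; /* Magic = PE32 */
    buf[nt + PE_DLLCHARACTERISTICS_OFF + 1] = 0x81;               /* 0x8100: NX_COMPAT | TERMINAL_SERVER_AWARE */
    return total;
}

/* Builds the sample, checks the flag is clear, sets it, and returns the new DllCharacteristics
   (or -1 if any step disagrees with the expected loader view). */
int demo_roundtrip(void) {
    uint8_t buf[512];
    size_t n = build_sample_pe(buf, sizeof buf);
    if (n == 0 || pe_loader_sees_no_seh(buf, n) != 0) return -1;
    if (pe_set_no_seh(buf, n) != 0 || pe_loader_sees_no_seh(buf, n) != 1) return -1;
    return pe_get_dllcharacteristics(buf, n);
}

int main(void) {
    uint8_t buf[512];
    size_t n = build_sample_pe(buf, sizeof buf);
    printf("before: DllCharacteristics=0x%04X loader_sees_no_seh=%d\n",
           pe_get_dllcharacteristics(buf, n), pe_loader_sees_no_seh(buf, n));
    pe_set_no_seh(buf, n);
    printf("after:  DllCharacteristics=0x%04X loader_sees_no_seh=%d\n",
           pe_get_dllcharacteristics(buf, n), pe_loader_sees_no_seh(buf, n));
    return 0;
}
```

To apply this to a real file, read it into a buffer, call pe_set_no_seh, and write it back; the PE checksum is not updated here, which only matters for images the loader checksum-verifies (drivers and a few system DLLs). Because the flag makes the loader refuse any SEH handler, only use it on images that really contain none, which is what the spec quoted below requires of the linker.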
PECOFF v8
IMAGE_DLLCHARACTERISTICS_NO_SEH is clear in the DllCharacteristics field of the optional header, as described earlier), then the handler must be in the list of known safe handlers for that image. Otherwise, the operating system terminates the application. This helps prevent the “x86 exception handler hijacking” exploit that has been used in the past to take control of the operating system.
The Microsoft linker automatically provides a default load configuration structure to include the reserved SEH data. If the user code already provides a load configuration structure, it must include the new reserved SEH fields. Otherwise, the linker cannot include the reserved SEH data and the image is not marked as containing reserved SEH.