首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
[推荐][原创]Exe伪装天使整理分析
发表于: 2007-8-2 09:37 6418

[推荐][原创]Exe伪装天使整理分析

David 活跃值
20
2007-8-2 09:37
6418
如果你对PE结构一无所知,那么估计是看不懂。

所用工具

Uedit,Ollydbg,win98记事本,计算器,Peid,加PE脱壳知识。

'窗体代码

'btw,一直看不懂这个程序,基本拿下了。

Option Explicit

Dim mBakFileName$

Private Sub Form_Load()

    Option1(0).Value = True

End Sub

Private Sub cmdBrow_Click()

    CommonDialog1.Filter = "exe|*.exe|"
    CommonDialog1.ShowOpen
    Text1.Text = CommonDialog1.FileName

End Sub

Private Sub cmdOk_Click()

    Dim bytPosition As Byte
    Dim Address&
    Dim PeArray(5) As Byte
    Dim i&
    Dim OperateFlag As Boolean
    Dim Newoep&
    Dim Oldoep&
    Dim FreeAddressArray() As Byte

    If Text1.Text = "" Then

        MsgBox "请先选择需要伪装的文件!", vbInformation, "提示"
        Exit Sub

    Else

        mBakFileName$ = Left$(Text1, Len(Text1) - 4) & ".bak"

        FileCopy Text1, mBakFileName$

    End If

    Address& = 1

    Open Text1.Text For Binary As #1

    OperateFlag = False

    '从文件第一个字节位置开始
    Do

        Get #1, Address&, bytPosition

        '寻找PE头
        If bytPosition = &H50 Then

            For i = 0 To 5

                Get #1, Address& + i, PeArray(i)

            Next

            '通用特制码
            If PeArray(0) = &H50 And PeArray(1) = &H45 And PeArray(4) = &H4C And PeArray(5) = 1 Then

                OperateFlag = True
                Exit Do

            End If

        End If

        Address& = Address& + 1

    Loop While OperateFlag = False

    'PE头附近40个字节就是Oep!?
    Newoep& = Address& + 40
    Get #1, Newoep&, Oldoep&
    Oldoep& = Oldoep& + &H400000  '加上偏移量

    '选择一个空地放存放伪装码,地大物博啊,有身份证就能当业主
    Address& = 800
    OperateFlag = False

    '选择的vc++
    If Option1(0).Value = True Then

        ReDim FreeAddressArray(51)

        Do
            Address& = Address& + 4

            For i = 0 To 51

                '分配52个字节写伪装代码
                Get #1, Address& + i, FreeAddressArray(i)

                If FreeAddressArray(i) <> &H0 Then

                    Exit For

                Else

                    If i = 51 Then

                        OperateFlag = True

                    End If

                End If

            Next

        Loop While OperateFlag = False

        '在原来Oep位置写新Oep
        Put #1, Newoep&, Address&

        Address& = Address& + 1
        Address& = MaskVC(Address&)

        Oldoep& = (Oldoep& - (Address& + &H400000))
        '写跳转地址,伪装代码当然要跳往真正入口了
        Put #1, Address&, Oldoep& - 3

    End If

    '选择的vc++6.0
    If Option1(1).Value = True Then

        ReDim FreeAddressArray(63)

        Do

            Address& = Address& + 4

            For i = 0 To 63

                Get #1, Address& + i, FreeAddressArray(i)

                If FreeAddressArray(i) <> &H0 Then

                    Exit For

                Else

                    If i = 63 Then OperateFlag = True

                End If

            Next

        Loop While OperateFlag = False

        Put #1, Newoep&, Address&

        Address& = Address& + 1

        MaskVC60 (Address&)

        Oldoep& = (Oldoep& - (Address& + 54 + &H400000))
        Put #1, Address& + 54, Oldoep& - 3

    End If

    '选择的delphi 6.0-7.0
    If Option1(2).Value = True Then

        ReDim FreeAddressArray(16)

        Do

            Address& = Address& + 4

            For i = 0 To 16

                Get #1, Address& + i, FreeAddressArray(i)

                If FreeAddressArray(i) <> &H0 Then

                    Exit For

                Else

                    If i = 16 Then OperateFlag = True

                End If

            Next

        Loop While OperateFlag = False

        Put #1, Newoep&, Address&

        Address& = Address& + 1

        MaskDelphi60 (Address&)

        Oldoep& = (Oldoep& - (Address& + 11 + &H400000))

        Put #1, Address& + 11, Oldoep& - 3

    End If

    MsgBox "恭喜,伪装成功!", vbInformation
    Close #1

    cmdOk.Enabled = False
    cmdTest.Enabled = True

End Sub

Private Sub cmdTest_Click()
   
    ShellWait (Text1)

    If vbNo = MsgBox("程序正常运行没?", vbQuestion + vbYesNo, "提问") Then

        Kill Text1
        Name mBakFileName$ As Left$(Text1, Len(Text1) - 4) & ".exe"
        cmdOk.Enabled = True
        cmdTest.Enabled = False

    Else

        Kill mBakFileName$
        cmdOk.Enabled = True
        cmdTest.Enabled = False

    End If

End Sub

'mod1

Option Explicit

Public Function MaskVC(Code As Long) As Long

    '写入vc入口特征码
    Put #1, Code, &H55: Code = Code + 1
    Put #1, Code, &H8B: Code = Code + 1
    Put #1, Code, &HEC: Code = Code + 1
    Put #1, Code, &H6A: Code = Code + 1
    Put #1, Code, &HFF: Code = Code + 1
    Put #1, Code, &H68: Code = Code + 1
    Put #1, Code, &H66: Code = Code + 1
    Put #1, Code, &H66: Code = Code + 1
    Put #1, Code, &H66: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H68: Code = Code + 1
    Put #1, Code, &H88: Code = Code + 1
    Put #1, Code, &H88: Code = Code + 1
    Put #1, Code, &H88: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H64: Code = Code + 1
    Put #1, Code, &HA1: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H50: Code = Code + 1
    Put #1, Code, &H64: Code = Code + 1
    Put #1, Code, &H89: Code = Code + 1
    Put #1, Code, &H25: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H64: Code = Code + 1
    Put #1, Code, &HA3: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H8B: Code = Code + 1
    Put #1, Code, &HE8: Code = Code + 1
    Put #1, Code, &HE9: Code = Code + 1
   
    MaskVC = Code '将Code的位置回送MaskVC函数
   
End Function

Public Sub MaskVC60(Code As Long)

    '写入vc6.0入口特征码
    Put #1, Code, &H55: Code = Code + 1
    Put #1, Code, &H8B: Code = Code + 1
    Put #1, Code, &HEC: Code = Code + 1
    Put #1, Code, &H6A: Code = Code + 1
    Put #1, Code, &HFF: Code = Code + 1
    Put #1, Code, &H68: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H68: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H64: Code = Code + 1
    Put #1, Code, &HA1: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H50: Code = Code + 1
    Put #1, Code, &H64: Code = Code + 1
    Put #1, Code, &H89: Code = Code + 1
    Put #1, Code, &H25: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H83: Code = Code + 1
    Put #1, Code, &HEC: Code = Code + 1
    Put #1, Code, &H68: Code = Code + 1
    Put #1, Code, &H53: Code = Code + 1
    Put #1, Code, &H56: Code = Code + 1
    Put #1, Code, &H57: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H83: Code = Code + 1
    Put #1, Code, &HC4: Code = Code + 1
    Put #1, Code, &H68: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H67: Code = Code + 1
    Put #1, Code, &H64: Code = Code + 1
    Put #1, Code, &HA3: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H0: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H58: Code = Code + 1
    Put #1, Code, &H8B: Code = Code + 1
    Put #1, Code, &HE8: Code = Code + 1
    Put #1, Code, &HE9: Code = Code + 1
   
End Sub

Public Sub MaskDelphi60(Code As Long)

    'delphi6.0
    Put #1, Code, &H55: Code = Code + 1
    Put #1, Code, &H8B: Code = Code + 1
    Put #1, Code, &HEC: Code = Code + 1
    Put #1, Code, &H83: Code = Code + 1
    Put #1, Code, &HC4: Code = Code + 1
    Put #1, Code, &HF0: Code = Code + 1
    Put #1, Code, &H83: Code = Code + 1
    Put #1, Code, &HC4: Code = Code + 1
    Put #1, Code, &HC: Code = Code + 1
    Put #1, Code, &H50: Code = Code + 1
    Put #1, Code, &HE9: Code = Code + 1
   
End Sub

'mod_WaitProcess

'Option Explicit

'OpenProcess打开指定进程
'参数
'dwDesiredAccess访问标识
'bInheritHandle,//句柄是否可继承
'dwProcessId //系统进程ID

'其中dwDesiredAccess参数可以是以下常量的任意组合:
'PROCESS_ALL_ACCESS//所有可能的权限
'PROCESS_CREATE_PROCESS//内部使用
'PROCESS_CREATE_THREAD//产生线程权限
'PROCESS_DUP_HANDLE//复制句柄权限
'PROCESS_QUERY_INformATION//查询信息权限
'PROCESS_SET_INformATION//设置信息权限
'PROCESS_TERMINATE//中止进程权限

Private Declare Function OpenProcess Lib "kernel32" _
                          (ByVal dwDesiredaccess&, _
                          ByVal bInherithandle&, _
                          ByVal dwProcessid&) _
                          As Long

'GetExitCodeProcess获取一个已中断进程的退出代码

'参数 类型及说明

'hProcess  Long,想获取退出代码的一个进程的句柄
'lpExitCode Long,用于装载进程退出代码的一个长整数变量。如进程尚未中止,则设为常数STILL_ACTIVE

Private Declare Function GetExitCodeProcess Lib "kernel32" _
                          (ByVal hProcess As Long, _
                          lpexitcode As Long) _
                          As Long

Private Const STILL_ACTIVE = &H103              '外部程序在运行
Private Const PROCESS_QUERY_INFORMATION = &H400 '查询信息权限

Public Function ShellWait(cCommandLine As String) As Boolean

    Dim hShell As Long
    Dim hProc As Long
    Dim lExit As Long

    hShell = Shell(cCommandLine, vbNormalFocus)

    hProc = OpenProcess(PROCESS_QUERY_INFORMATION, False, hShell)

    Do

        GetExitCodeProcess hProc, lExit
        DoEvents

    Loop While lExit = STILL_ACTIVE

End Function

'说明

制作:aqtata,调试二哥

伪装入口的小工具,测试了几个不同的程序可以正常运行

aspack等压缩

原文

http://www.vbgood.com/viewthread.php?tid=55083&extra=page%3D1

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (13)
太虚伟了
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
俺看不懂
2007-8-2 10:14
0
yingyue
雪    币: 1844
活跃值: (35)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
私信
3
重出江湖了 , 强
2007-8-2 10:34
0
快雪时晴
雪    币: 370
活跃值: (15)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
私信
4
还真看不动
2007-8-2 10:36
0
yzjsdn
雪    币: 170
活跃值: (18)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
二哥重出江湖了,高兴!
2007-8-2 10:49
0
vxin
雪    币: 372
活跃值: (31)
能力值: ( LV12,RANK:410 )
在线值:
发帖
回帖
粉丝
私信
6
强     
2007-8-2 10:50
0
sjclch
雪    币: 89
活跃值: (151)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
7
是真正的二哥么,想念呀
2007-8-2 10:50
0
whg3249
雪    币: 210
活跃值: (40)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
8
一个字;强              
2007-8-2 10:51
0
wzmooo
雪    币: 10500
活跃值: (2159)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
9
真正的二哥吗???太期待了
2007-8-2 11:06
0
layper
雪    币: 308
活跃值: (362)
能力值: ( LV12,RANK:370 )
在线值:
发帖
回帖
粉丝
私信
10
二哥回来了,太好了.
2007-8-2 11:55
0
池中金麟
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
11
狂晕..............
2007-8-3 18:00
0
warcraft
雪    币: 232
活跃值: (25)
能力值: ( LV3,RANK:20 )
在线值:
发帖
回帖
粉丝
私信
12
HOHO~~王者归来~
2007-8-3 22:17
0
Pan88168
雪    币: 439
活跃值: (106)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
13
靠,还一直在专攻VB呀,现在功力强多了。
2007-8-4 11:34
0
daxia200N
雪    币: 690
活跃值: (1821)
能力值: ( LV9,RANK:250 )
在线值:
发帖
回帖
粉丝
私信
14
二哥回来了,不知一切可好!
2007-8-4 11:38
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//