[Original] A brief look at how the disguise packer Hide PE v1.1 works
Posted on: 2008-6-16 10:07
After disguising, the code at the entry point looks like this:
00433B45 >/$ 68 01404900 PUSH HideWiza.00494001 ; (Initial CPU selection)
00433B4A |. E8 01000000 CALL HideWiza.00433B50 ; F7
00433B4F \. C3 RETN ; returns from here to the PUSHed address
00433B50 $ C3 RETN
It returns to here:
00494001 BA 453B4300 MOV EDX,HideWiza.<ModuleEntryPoint> ; load the OEP into EDX in preparation for SMC
00494006 B8 558BEC6A MOV EAX,6AEC8B55
0049400B 8902 MOV DWORD PTR DS:[EDX],EAX
0049400D 83C2 04 ADD EDX,4
00494010 B8 FF6818EE MOV EAX,EE1868FF
00494015 8902 MOV DWORD PTR DS:[EDX],EAX
00494017 83C2 04 ADD EDX,4
0049401A B8 45006880 MOV EAX,80680045
0049401F 8902 MOV DWORD PTR DS:[EDX],EAX
00494021 83C2 F8 ADD EDX,-8
00494024 - FFE2 JMP EDX ; OEP
00433B45 >/$ 55 PUSH EBP ; OEP
00433B46 |? 8BEC MOV EBP,ESP
00433B48 |? 6A FF PUSH -1
00433B4A |. 68 18EE4500 PUSH HideWiza.0045EE18
00433B4F \. 68 808F4300 PUSH HideWiza.00438F80
Compare this with the SMC code above. The bytes at the OEP after restoration are:
00433B45 >55 8B EC 6A FF 68 18 EE 45 00 68 80
and the disguised stub before restoration was:
00433B45 >/$ 68 01404900 PUSH HideWiza.00494001 ; (Initial CPU selection)
00433B4A |. E8 01000000 CALL HideWiza.00433B50 ; F7
00433B4F \. C3 RETN ; returns from here to the PUSHed address
00433B50 $ C3 RETN
This exactly matches the ASP signature: 68 01 40 49 00 E8 01 00 00 00 C3 C3
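As an added example (not from the original post or from Hide PE itself), the script below recognises the disguised stub by its shape, follows the PUSHed address to the restorer, replays the MOV/ADD/JMP sequence and reports the real OEP together with the bytes the SMC puts back there. The two byte regions are constructed from the listing above; the function and constant names are my own.

```python
import struct
# Constructed sample keyed by VA: the disguised entry stub at 00433B45 and the
# SMC restorer at 00494001, byte-for-byte as listed in the post.
SAMPLE = {
    0x00433B45: bytes.fromhex("6801404900 E801000000 C3 C3"),
    0x00494001: bytes.fromhex(
        "BA453B4300"                        # MOV EDX, 00433B45 (real OEP)
        "B8558BEC6A 8902 83C204"            # MOV EAX,imm32 / MOV [EDX],EAX / ADD EDX,4
        "B8FF6818EE 8902 83C204"
        "B845006880 8902 83C2F8"            # ... / ADD EDX,-8
        "FFE2"),                            # JMP EDX
}

# Stub shape: PUSH imm32 / CALL $+6 / RETN / RETN; the PUSH operand varies per file, so only the tail is matched.
STUB_TAIL = bytes.fromhex("E801000000C3C3")

def is_hide_pe_stub(stub):
    return len(stub) >= 12 and stub[0] == 0x68 and stub[5:12] == STUB_TAIL

def emulate_restorer(code):
    """Interpret only the restorer's instruction forms; return ({VA: 4 written bytes}, JMP EDX target)."""
    eax = edx = ip = 0
    written = {}
    while ip < len(code):
        op, nxt = code[ip], code[ip:ip + 2]
        if op in (0xB8, 0xBA):                         # MOV EAX/EDX, imm32
            val = struct.unpack_from("<I", code, ip + 1)[0]
            eax, edx = (val, edx) if op == 0xB8 else (eax, val)
            ip += 5
        elif nxt == b"\x89\x02":                       # MOV DWORD PTR [EDX], EAX
            written[edx], ip = struct.pack("<I", eax), ip + 2
        elif nxt == b"\x83\xC2":                       # ADD EDX, imm8 (sign-extended)
            edx = (edx + struct.unpack_from("<b", code, ip + 2)[0]) & 0xFFFFFFFF
            ip += 3
        elif nxt == b"\xFF\xE2":                       # JMP EDX
            return written, edx
        else:
            raise ValueError(f"unsupported opcode {op:02X} at offset {ip}")
    raise ValueError("restorer has no JMP EDX")

def recover_oep(entry_va, image):
    """Follow the stub's PUSH, replay the restorer, return (real OEP, restored bytes) or None."""
    stub = image[entry_va]
    if not is_hide_pe_stub(stub):
        return None
    written, oep = emulate_restorer(image[struct.unpack_from("<I", stub, 1)[0]])
    if sorted(written) != [oep + 4 * i for i in range(len(written))]:  # contiguous dwords from OEP
        raise ValueError("restorer writes are not a contiguous block at the OEP")
    return oep, b"".join(written[va] for va in sorted(written))
```

Running `recover_oep(0x00433B45, SAMPLE)` yields the OEP 00433B45 and the twelve bytes 55 8B EC 6A FF 68 18 EE 45 00 68 80, i.e. the PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH 0045EE18 prologue shown above.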