头次,看一个师兄写了一篇《请不要相信你的眼睛——OD篇》,我开始真的不相信,所谓的什么调试器对被调试程序的影响XXX的,其实我都快忘记他写的是什么了,大概好像和VirtualProtect相关的一些东西.
我真的不相信,我不相信调试器还会骗人.直到今天..........
是的,我被骗了.还好,这个骗局比较容易发现,仅仅用了分把钟.
好了,我先贴出调试的程序代码,大概就是个远程注入DLL的小东西.
.386
.Model Flat, StdCall
Option Casemap :None
Include windows.inc
Include user32.inc
Include kernel32.inc
Include gdi32.inc
Include Shlwapi.inc
includelib gdi32.lib
IncludeLib user32.lib
IncludeLib kernel32.lib
IncludeLib Shlwapi.lib
include macro.asm
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
_GetProcessList PROTO
.const
DLG_MAIN equ 100                          ; dialog template resource id passed to DialogBoxParam in START
.data
; Image name of the process to look for. Compared against PROCESSENTRY32.szExeFile
; with StrCmpN and a length of 5, so only the first five characters ("QQ.ex") decide.
lpExeName db 'QQ.exe',0
lpFormat db '%s%s',0                      ; wsprintf format: <current directory><\DLL.DLL>
lp_addr_ddlname db '\DLL.DLL',0           ; file name appended to the current directory
lp_kernel32 db 'kernel32.dll',0           ; module name resolved with GetModuleHandle
lp_LoadLibrary db 'LoadLibraryA',0        ; export resolved with GetProcAddress
.data?
hInstance dd ?                            ; own module handle from GetModuleHandle(NULL) in START
; NOTE(review): GetCurrentDirectory is given MAX_PATH (260) as the buffer size, but this
; buffer is only 256 bytes; a 256+ character directory would overrun into lp_dll_path.
lp_addr_patch db 256 dup(?)               ; current directory
lp_dll_path db 256 dup(?)                 ; "<cwd>\DLL.DLL"; all 256 bytes are copied with WriteProcessMemory
hQQ dd ?                                  ; target process handle from OpenProcess; never closed in this file
p_AllocMem dd ?                           ; remote buffer from VirtualAllocEx (256 bytes, PAGE_READWRITE)
hKernel32 dd ?                            ; kernel32 handle in this process
pLoadLibrary dd ?                         ; LoadLibraryA address, used as the remote thread start routine
.CODE
;-----------------------------------------------------------------------
; Program entry point (see END START at the bottom of the file).
; Target: Win32 x86, MASM, flat model, STDCALL (.386 / .Model above).
; Saves the module handle for DlgProc (icon load on WM_INITDIALOG), runs
; the modal dialog DLG_MAIN, and terminates the process when it closes.
; Never returns: ExitProcess ends the process with exit code 0 regardless
; of what EndDialog reported.
;-----------------------------------------------------------------------
START:
invoke GetModuleHandle,NULL               ; eax = handle of this executable
mov hInstance,eax                         ; read later by DlgProc (LoadIcon)
invoke DialogBoxParam,hInstance,DLG_MAIN,0,offset DlgProc,0 ; modal dialog, no owner, lParam 0
invoke ExitProcess,0
;-----------------------------------------------------------------------
; INT_PTR DlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure for DLG_MAIN (STDCALL; arguments via the MASM frame).
; Handles:
;   WM_INITDIALOG - loads icon resource 100 and sets it as the small icon
;   WM_COMMAND    - IDOK runs _GetProcessList; IDCANCEL sends WM_CLOSE
;   WM_CLOSE      - EndDialog(hWnd, wParam)
; Out:   eax = TRUE for the messages above, FALSE for anything else
; Clobb: eax, ecx, edx (Win32 API calls)
;-----------------------------------------------------------------------
DlgProc proc hWnd,uMsg,wParam,lParam
        mov     eax,uMsg                        ; dispatch on the message id
        .if eax == WM_INITDIALOG
            invoke  LoadIcon,hInstance,100
            invoke  SendMessage,hWnd,WM_SETICON,ICON_SMALL,eax
        .elseif eax == WM_COMMAND
            movzx   eax,word ptr wParam         ; LOWORD(wParam) = control id
            .if eax == IDOK
                invoke  _GetProcessList
            .elseif eax == IDCANCEL
                invoke  SendMessage,hWnd,WM_CLOSE,0,0
            .endif
        .elseif eax == WM_CLOSE
            invoke  EndDialog,hWnd,wParam
        .else
            xor     eax,eax                     ; FALSE: not handled
            ret
        .endif
        mov     eax,TRUE                        ; handled
        ret
DlgProc endp
;-----------------------------------------------------------------------
; void _GetProcessList(void)
; Walks the process list via a Toolhelp snapshot and, for every entry
; whose image name matches lpExeName, performs the textbook remote-thread
; DLL load:
;   OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory
;   -> CreateRemoteThread(LoadLibraryA, <remote path buffer>)
; Out:   eax = return value of the last API call (EnableWindow); not meaningful
; Clobb: eax, ecx, edx (Win32 API calls); locals on the stack frame
; Notes: this exact API sequence is the pattern host-based detection
;        (EDR/AV, Sysmon CreateRemoteThread events) keys on. hQQ and the
;        thread handle returned by CreateRemoteThread are never closed.
;-----------------------------------------------------------------------
_GetProcessList proc
local @stProcess:PROCESSENTRY32
local @hSnapShot
invoke RtlZeroMemory,addr @stProcess,sizeof @stProcess
;invoke SendMessage,hWinList,LB_RESETCONTENT,0,0
mov @stProcess.dwSize,sizeof @stProcess  ; Process32First requires dwSize to be set
invoke CreateToolhelp32Snapshot,TH32CS_SNAPPROCESS,0
mov @hSnapShot,eax
invoke Process32First,@hSnapShot,addr @stProcess
.while eax                                ; eax = BOOL from Process32First / Process32Next
; Only 5 characters are compared ("QQ.ex"), so any image name starting
; with those bytes matches, not just QQ.exe.
invoke StrCmpN,addr @stProcess.szExeFile,addr lpExeName, 5
.if eax == 0
; Debug marker the article is about: the breakpoint set around this call
; is where the Text argument showed up as 00CC3000 instead of 00403000.
invoke MessageBox, NULL, addr lpExeName, addr lpExeName,MB_OK------注意这里
; NOTE(review): lp_addr_patch is 256 bytes but MAX_PATH (260) is passed as its size.
invoke GetCurrentDirectory,MAX_PATH,addr lp_addr_patch
invoke wsprintf,addr lp_dll_path,addr lpFormat, addr lp_addr_patch, addr lp_addr_ddlname ; lp_dll_path = "<cwd>\DLL.DLL"; cdecl, invoke restores esp
invoke OpenProcess,PROCESS_ALL_ACCESS,NULL, @stProcess.th32ProcessID
mov hQQ,eax                               ; never closed
;invoke CreateRemoteThread, hQQ,NULL,
invoke VirtualAllocEx,hQQ,NULL,256,MEM_COMMIT,PAGE_READWRITE ; remote buffer for the path string
mov p_AllocMem,eax
invoke WriteProcessMemory,hQQ,p_AllocMem,addr lp_dll_path,256,NULL ; copies the whole 256-byte buffer
invoke GetModuleHandle,addr lp_kernel32
mov hKernel32,eax
invoke GetProcAddress, hKernel32, addr lp_LoadLibrary ; resolved in this process, used in the target
mov pLoadLibrary,eax
invoke CreateRemoteThread,hQQ, NULL, 0,pLoadLibrary,p_AllocMem,0,NULL ; returned thread handle is dropped (leak)
.endif
invoke Process32Next,@hSnapShot,addr @stProcess
.endw
invoke CloseHandle,@hSnapShot
;invoke GetDlgItem,_hWnd,IDOK
; BUG: with the GetDlgItem call above commented out, eax here is the BOOL
; returned by CloseHandle, not a window handle, so EnableWindow receives a
; bogus HWND.
invoke EnableWindow,eax,FALSE
ret
_GetProcessList endp
END START
----写得很不规范---仅仅是做测试用的.(这几天在调试研究QQ的一些东西,所以就编了这段代码,是向QQ.exe注入一个dll.)
就不多费话了.
上边这段代码,我在查找QQ进程之后,设置了一个MessageBox.由于很久没写注入代码了,所以多少要找个点调调.写个MessageBox特别方便定位.
好--我们反汇编之---使用OD
004010FC |. 8D85 FCFEFFFF |lea eax, dword ptr [ebp-104] ; |
00401102 |. 50 |push eax ; |S1
00401103 |. E8 82010000 |call <jmp.&shlwapi.StrCmpNA> ; \StrCmpNA
00401108 |. 0BC0 |or eax, eax
0040110A |. 0F85 D3000000 |jnz 004011E3
00401110 |. 6A 00 |push 0 ; /Style = MB_OK|MB_APPLMODAL
00401112 |. 68 00304000 |push 00403000 ; |Title = "QQ.exe"
00401117 |. 68 00304000 |push 00403000 ; |Text = "QQ.exe"
0040111C |. 6A 00 |push 0 ; |hOwner = NULL
0040111E |. E8 0D010000 |call <jmp.&user32.MessageBoxA> ; ----这里\MessageBoxA
00401123 |. 68 34304000 |push 00403034 ; /Buffer = Dialog.00403034
00401128 |. 68 04010000 |push 104 ; |BufSize = 104 (260.)
0040112D |. E8 22010000 |call <jmp.&kernel32.GetCurrentDirect>; \GetCurrentDirectoryA
00401132 |. 68 0C304000 |push 0040300C ; /<%s> = "\DLL.DLL"
00401137 |. 68 34304000 |push 00403034 ; |<%s> = ""
0040113C |. 68 07304000 |push 00403007 ; |Format = "%s%s"
00401141 |. 68 34314000 |push 00403134 ; |s = Dialog.00403134
00401146 |. E8 C7000000 |call <jmp.&user32.wsprintfA> ; \wsprintfA
0040114B |. 83C4 10 |add esp, 10
0040114E |. FFB5 E0FEFFFF |push dword ptr [ebp-120] ; /ProcessId
00401154 |. 6A 00 |push 0 ; |Inheritable = FALSE
好了,我们在MessageBox那里下断.
然后F9...
神奇的事情出现了-------
断在MessageBox之后,再F8...那程序就异常了...
这时候我再贴出代码窗口的----MessageBox压栈过程....
00401110 |. 6A 00 |push 0 ; /Style = MB_OK|MB_APPLMODAL
00401112 |. 68 00304000 |push 00403000 ; |Title = "QQ.exe"
00401117 |. 68 00304000 |push 00403000 ; |Text = "QQ.exe"
0040111C |. 6A 00 |push 0 ; |hOwner = NULL
0040111E |. E8 0D010000 |call <jmp.&user32.MessageBoxA> ; \MessageBoxA
恩..Title是push 403000---恩对了的
恩..text是push 403000-----恩对了的
天杀的,怎么会异常....
好的,我们再来看堆栈窗口..
0012F9C8 00000000 |hOwner = NULL
0012F9CC 00CC3000 |Text = 00CC3000 ???
0012F9D0 00403000 |Title = "QQ.exe"
0012F9D4 00000000 \Style = MB_OK|MB_APPLMODAL
**,text杂变成cc3000了呢?...
地球人都知道CC是int3断点.写调试器的人,下断点时把那个地址的一字节改写成CC,单步走下一步的时候再把被CC覆盖的原始字节写回去.
**,这里它居然没写回去. 对比 00403000 和 00CC3000,被改成CC的正好是 00401117 处 push 00403000(机器码 68 00 30 40 00)立即数里的那个 40 字节,也就是 0040111A: CC 落在了一条指令的中间,执行这条 push 时它就被当成立即数的一部分压进了栈.
是的,我再也不相信调试器了.我决定空了再回去把那个同志写的那篇关于调试器对程序的影响的文章好好读读....
天杀的CC3000