识别壳的简单程序,高手免进。
发表于:
2004-12-14 10:20
前一段时间学习脱壳,写了一段代码希望能帮助大家学习PE结构。
#include <stdio.h>
#include <windows.h>
/*
 * Byte pattern that ViewShell() compares against the bytes at a PE file's
 * entry point.
 *
 * Layout as used by ViewShell():
 *   upx[0]      0x40 (= 64), the same count ViewShell() uses for its loop;
 *               presumably a length prefix, although the loop does not read it.
 *   upx[1..64]  the pattern. A 0x00 byte matches any byte, because ViewShell()
 *               accepts a position when upx[i] == 0. This wildcards the imm32
 *               fields after 0xBE and 0x8D 0xBE, and also the three zero bytes
 *               of the 0xB8 immediate.
 *
 * NOTE(review): a match only shows that the entry point starts with these
 * 64 bytes. A stub that differs from this one will not match, and these
 * bytes can be present without the rest of the file being UPX-packed.
 */
char upx[]="\x40"
/* pushad; mov esi,imm32; lea edi,[esi+disp32]; push edi; or ebp,-1 */
"\x60\xBE\x00\x00\x00\x00\x8D\xBE\x00\x00\x00\x00\x57\x83\xCD\xFF"
/* jmp short; 6 x nop; mov al,[esi]; inc esi; mov [edi],al; inc edi; add ebx,ebx */
"\xEB\x10\x90\x90\x90\x90\x90\x90\x8A\x06\x46\x88\x07\x47\x01\xDB"
/* jnz; mov ebx,[esi]; sub esi,-4; adc ebx,ebx; jb; mov eax,1 */
"\x75\x07\x8B\x1E\x83\xEE\xFC\x11\xDB\x72\xED\xB8\x01\x00\x00\x00"
/* add ebx,ebx; jnz; mov ebx,[esi]; sub esi,-4; adc ebx,ebx; adc eax,eax; add ebx,ebx; 0x73 (jae opcode, operand not included) */
"\x01\xDB\x75\x07\x8B\x1E\x83\xEE\xFC\x11\xDB\x11\xC0\x01\xDB\x73"
;
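/**
 * Map a PE file and report whether the 64 bytes at its entry point match the
 * pattern in the file-scope array upx[] (a 0x00 pattern byte matches anything).
 *
 * The file is mapped with DONT_RESOLVE_DLL_REFERENCES, which keeps the loader
 * from calling the module's entry point and from loading its imports, so the
 * inspected file is parsed rather than run. The headers still come from an
 * untrusted file, so the signatures and the entry-point RVA are checked before
 * any byte is read through them.
 *
 * NOTE(review): pass a full path. For a bare file name LoadLibraryEx follows
 * the DLL search order and may map a different file than the caller intended.
 *
 * @param file  Path of the EXE or DLL to inspect (ANSI string).
 * @return      Always 0; the verdict is printed to stdout.
 */
int ViewShell(char *file)
{
    enum { SIG_LEN = 64 };   /* number of pattern bytes compared, upx[1..64] */
    HMODULE hMod;
    const IMAGE_DOS_HEADER *dos_header;
    const IMAGE_NT_HEADERS *pe_header;
    const IMAGE_OPTIONAL_HEADER *pe_option;
    const char *pBase;
    DWORD entry_rva;
    int matched = 1;
    int i;

    /* The A variant matches the char* argument regardless of UNICODE. */
    hMod = LoadLibraryExA(file, NULL, DONT_RESOLVE_DLL_REFERENCES);
    if (hMod == NULL) {
        printf("Error LoadLibrary");
        return 0;
    }

    dos_header = (const IMAGE_DOS_HEADER *)hMod;
    if (dos_header->e_magic != IMAGE_DOS_SIGNATURE || dos_header->e_lfanew <= 0) {
        printf("Error: not a PE image\n");
        goto out;
    }

    pe_header = (const IMAGE_NT_HEADERS *)((const char *)dos_header +
                                           dos_header->e_lfanew);
    if (pe_header->Signature != IMAGE_NT_SIGNATURE) {
        printf("Error: not a PE image\n");
        goto out;
    }
    pe_option = &pe_header->OptionalHeader;

    /* Refuse to read SIG_LEN bytes that would run past the mapped image. */
    entry_rva = pe_option->AddressOfEntryPoint;
    if (pe_option->SizeOfImage < SIG_LEN ||
        entry_rva > pe_option->SizeOfImage - SIG_LEN) {
        printf("Error: entry point outside image\n");
        goto out;
    }

    pBase = (const char *)hMod + entry_rva;
    for (i = 1; i <= SIG_LEN; i++) {
        /* Both operands are plain char, so bytes >= 0x80 compare consistently. */
        if (*pBase != upx[i] && upx[i] != 0) {
            matched = 0;
            break;
        }
        printf("%X ", (unsigned char)(*pBase));
        pBase++;
    }

    if (matched) {
        printf("\n#### UPX Shell ####\n");
    } else {
        printf("\n#### Not UPX Shell ####\n");
    }

out:
    /* Single exit: the original leaked the mapping on the "Not UPX" path. */
    FreeLibrary(hMod);
    return 0;
}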
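/**
 * Entry point: Vis <EXE or DLL file>.
 *
 * Resolves the argument to a full path, checks that the file can be opened
 * for reading, then hands the full path to ViewShell(). Passing a full path
 * matters because ViewShell() maps the file with LoadLibraryEx, which applies
 * the DLL search order to a bare file name and could otherwise inspect a
 * different file than the one probed here.
 *
 * NOTE(review): the probe and the later mapping open the file separately, so
 * the file can still change between the two steps.
 *
 * @return Always 0, as in the original tool.
 */
int main(int argc,char* argv[])
{
    char full_path[MAX_PATH];
    DWORD path_len;
    HANDLE hFile;

    if (argc != 2) {
        printf("Vis 1.0 \n");
        printf("Usage: Vis <EXE or DLL file>\n");
        return 0;
    }

    /* Returns 0 on failure, or the required size when the buffer is too small. */
    path_len = GetFullPathNameA(argv[1], (DWORD)sizeof full_path, full_path, NULL);
    if (path_len == 0 || path_len >= sizeof full_path) {
        puts("Cannot resolve file path.");
        return 0;
    }

    /* Open failures are not only "missing file" (access denied, sharing
     * violation, ...), so report the system error code instead of guessing. */
    hFile = CreateFileA(full_path, GENERIC_READ,
                        FILE_SHARE_READ, NULL, OPEN_EXISTING,
                        FILE_FLAG_SEQUENTIAL_SCAN, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("Cannot open file (error %lu).\n", (unsigned long)GetLastError());
        return 0;
    }
    CloseHandle(hFile);

    ViewShell(full_path);
    return 0;
}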