The data below comes from
Version: svk-protector v1.43
Sample: notepad from XP, packed with default settings

SVKP characteristics:
1: Lots of junk instructions
2: Debugger detection
3: Stolen entry point
4: Stolen API calls
5: A driver
6: Lots of self-modifying code (SMC), decrypted in chunks.
7: Lots of code built on the run-time stack; instructions executed from the stack
8: Exception handling
9: Assorted small tricks.


Overall flow


In the appended SFX section:
1: After a few rounds of SMC, build code on the stack; on the stack, obtain the image base of kernel32.dll, then leave the stack code.
2: After a few more rounds of SMC, resolve the key kernel32 APIs such as LoadLibrary and VirtualAlloc, and encrypt them.
3: Allocate memory block 0, block 1 and block 2, and self-decrypt (block 1 appears unused).
   Copy the fake_api_call code into block 1 and the remaining code and data into block 2.
   Jump to block 2 and continue execution.

In memory block 2:
4: Build code on the stack; from the stack, allocate memory blocks 3 and 4 and copy its own code into blocks 3 and 4.
5: Install an SEH handler in each of blocks 3 and 4, decrypt block 4, and raise a c0000005 exception.
6: In block 4's SEH handler, decrypt block 3 and return SEH_CONTINUE_SEARCH so that block 3's handler runs.
7: In block 3's SEH handler, decrypt block 2, set eip to the decrypted code in block 2, and jump there.
8: Build code on the stack; from the stack, remove the SEH handlers of blocks 3 and 4, then walk the name table
   of kernel32.dll's export table, hash each name and look it up in a hash table to decide whether the packer
   itself needs that API; if it does, find the symbol address, encrypt it and write it to another address table.
9: Decrypt data to get "user32.dll", load it, and obtain the APIs the packer needs the same way as in step 8.
10: Free memory blocks 1, 3 and 4, allocate block 5, and decode the rest of its own data into block 5.
    Jump to block 5 and continue execution.


In memory block 5:
11: Build code on the stack; from the stack, set up a chain of 3 SEH handlers and decode the code of the last handler. Raise a c0000005 exception.
12: The SEH handler decrypts data and jumps to the decrypted data to continue.
13: Build code on the stack; from the stack, allocate memory block 6, copy block 1 into block 6 to replace the original fake_api_call, and free block 1.
14: Raise exception c000008c (array_bounds_exceeded) and wait for the SEH to handle it.
15: The exception is passed all the way up to the first SEH handler, which decrypts data and jumps to the decrypted data to continue.
16: Decrypt data again and raise a c0000005 exception; this one is produced by an INT 1 instruction (the handler checks for this). Wait for the SEH to handle it.
17: The exception is passed all the way up to the first SEH handler, which sets a new eip and jumps there.
18: Remove the 3-handler SEH chain. Decrypt data to get "advapi32.dll", load it, and obtain the APIs the packer needs the same way as in step 8.
19: Open the driver GetSystemDirectoryA\svkp.sys; if the file is missing, generate it; if the driver is not present, open it.
20: Send the IoControlCodes 222000, 222004, 222014 and 22200c in turn and check the return values.
21: Build code on the stack; from the stack, loop over the recorded information to decrypt the section data, treating resources and ordinary data separately.
22: Rebuild the IAT; SPECIAL.DLL, the SDK's DLL, is handled separately. (Stolen API code; needs restoring, but it is simple.)
23: Run the stolen OEP code, then jump to the original OEP plus the stolen length. (Restorable, but complicated.)


The detailed flow of each step will be explained shortly.

to be continued.
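The export-table walk of step 8 (hash every name in kernel32's export name table, keep the ones the packer wants, store the address encrypted) written out as an added C example. This is not code from the thread or from SVKP: the hash (a ROR-13 accumulator), the XOR masking of stored addresses and the three-name sample image are assumptions standing in for the packer's own, which the post does not give. The walker expects a flat PE32 image (RVA == offset), which is what a module mapped by the Windows loader looks like, and bounds-checks every table so a truncated or hostile image cannot make it read out of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian accessors over an in-memory PE32 image. Assumption: the image is
 * flat (RVA == offset), as a module mapped by the Windows loader is. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Name hash. Assumption: the post does not give SVKP's hash; a ROR-13 accumulator stands in. */
uint32_t export_name_hash(const char *s) {
    uint32_t h = 0;
    for (; *s; s++) h = ((h >> 13) | (h << 19)) + (uint8_t)*s;
    return h;
}

/* Assumption: the packer's "encryption" of stored addresses is modelled as an XOR mask. */
#define ADDR_MASK 0xA5A5A5A5u

/* Walk the export name table; for every name whose hash appears in wanted[], store the
 * masked address in out[]. Returns how many were resolved, 0 on a malformed or truncated
 * image. Forwarded exports (RVA pointing into the export section) are not handled. */
size_t resolve_wanted_exports(const uint8_t *img, size_t len,
                              const uint32_t *wanted, size_t nwanted, uint32_t *out) {
    if (len < 128 || rd16(img) != 0x5A4D) return 0;                  /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);
    if (pe > len - 128 || rd32(img + pe) != 0x4550) return 0;         /* "PE\0\0" */
    const uint8_t *opt = img + pe + 24;                               /* IMAGE_OPTIONAL_HEADER32 */
    if (rd16(opt) != 0x10B) return 0;                                 /* PE32 only */
    uint32_t exp = rd32(opt + 96);                                    /* DataDirectory[EXPORT].VirtualAddress */
    if (exp == 0 || exp > len - 40) return 0;
    uint32_t nfunc = rd32(img + exp + 20), nnames = rd32(img + exp + 24);
    uint32_t funcs = rd32(img + exp + 28), names = rd32(img + exp + 32), ords = rd32(img + exp + 36);
    /* Every table must lie inside the image, or a hostile image walks us off the buffer. */
    if (nfunc > len / 4 || funcs > len - 4 * nfunc) return 0;
    if (nnames > len / 4 || names > len - 4 * nnames || ords > len - 2 * nnames) return 0;

    size_t resolved = 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva = rd32(img + names + 4 * i);
        uint16_t ord = rd16(img + ords + 2 * i);                      /* unbiased index into funcs[] */
        if (name_rva >= len || ord >= nfunc) continue;
        if (!memchr(img + name_rva, 0, len - name_rva)) continue;     /* name runs off the image */
        uint32_t h = export_name_hash((const char *)(img + name_rva));
        for (size_t j = 0; j < nwanted; j++)
            if (wanted[j] == h) { out[j] = rd32(img + funcs + 4 * ord) ^ ADDR_MASK; resolved++; }
    }
    return resolved;
}

/* Constructed sample: a minimal PE32 image exporting three names (not a real kernel32),
 * just enough to exercise the walker offline. Returns the image length. */
size_t build_sample_image(uint8_t *img, size_t cap) {
    static const char *const names[] = { "GetTickCount", "LoadLibraryA", "VirtualAlloc" };
    static const uint32_t rvas[] = { 0x1000, 0x2000, 0x3000 };
    enum { PE = 0x40, OPT = PE + 24, EXP = 0x200, FUNCS = EXP + 40,
           NAMES = FUNCS + 12, ORDS = NAMES + 12, STR = ORDS + 6, END = 0x300 };
    if (cap < END) return 0;
    memset(img, 0, END);
    wr16(img, 0x5A4D); wr32(img + 0x3C, PE); wr32(img + PE, 0x4550);
    wr16(img + OPT, 0x10B); wr32(img + OPT + 96, EXP); wr32(img + OPT + 100, END - EXP);
    wr32(img + EXP + 16, 1);                                 /* ordinal Base */
    wr32(img + EXP + 20, 3); wr32(img + EXP + 24, 3);        /* NumberOfFunctions, NumberOfNames */
    wr32(img + EXP + 28, FUNCS); wr32(img + EXP + 32, NAMES); wr32(img + EXP + 36, ORDS);
    uint32_t str = STR;
    for (int i = 0; i < 3; i++) {
        wr32(img + FUNCS + 4 * i, rvas[i]);
        wr32(img + NAMES + 4 * i, str);
        wr16(img + ORDS + 2 * i, (uint16_t)i);
        strcpy((char *)img + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
    return END;
}

/* Resolve one name from the sample image and undo the mask; 0 if it is not exported. */
uint32_t sample_resolve(const char *name) {
    uint8_t img[0x300];
    size_t n = build_sample_image(img, sizeof img);
    uint32_t wanted = export_name_hash(name), out = 0;
    return resolve_wanted_exports(img, n, &wanted, 1, &out) == 1 ? out ^ ADDR_MASK : 0;
}

int main(void) {
    printf("LoadLibraryA -> 0x%X, VirtualAlloc -> 0x%X, CreateFileA -> 0x%X\n",
           sample_resolve("LoadLibraryA"), sample_resolve("VirtualAlloc"), sample_resolve("CreateFileA"));
    return 0;
}
```

When dumping a real SVKP target, the recovery step is the inverse: take each entry of the packer's address table, undo its encryption, and match the result against the export addresses of the loaded module to get the name back.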

  • Title: Reply
  • Author: jjnet
  • Time: 2006-12-30 18:47

Part 1: junk instructions

Below are the junk-instruction patterns SVKP uses most often. You can simply F4 to the instruction right after the junk to skip it.
Note: anything shown as db is never executed, but the byte values there are not necessarily the ones given.
Since rdtsc is used everywhere, a plugin that makes edx:eax increase monotonically takes care of it.


===============================
Junk pattern 0_2:
    jmp +2
db ?? ??
Junk pattern 0_3:
    jmp +3
db ?? ?? ??
Junk pattern 0_4:
    jmp +4
db ?? ?? ?? ??

===============================
Junk pattern 1:

    call +1
db e8h        
    call +2
db cdh, 20h
    add dword ptr[esp], 0bh
    add dword ptr[esp+4], 13h
    ret
db e9h


===============================
Junk pattern 2:

    call +1
db 9ah
    add esp, 4

================================
Junk pattern 3:
    pushad
    call @1
db d2h
    jmp @4
@1:
    pop eax
    jmp @2
db 48h
@2:
    inc eax
    jmp @3
db 35h
@3:
    jmp eax
@4:
    popad

================================
Junk pattern 4:
    jl  @1
@2:
    jmp @3
db 8bh
@1:
    je  @2
@3:

=================================
Junk pattern 5:
    call +2
db cdh, 02h
    add dword ptr[esp], 8
    ret
db e8h


==================================
Junk pattern 6:  with rdtsc, df bytes long   == push ecx
    push eax
    push edx
    [花指令0_2]
    rdtsc
    [花指令0_2]
    [花指令0_2]
    call @sub_eip_add_1
db c3h
    [花指令0_4]
    push eax
    push ebx
    call +4
db 8dh, b5h, d4h, 46h
    pop ax
    cmp esi, esi
    pop bx
    jnz ??? = nop
    [花指令2]
    pop eax
    [花指令0_3]
    call @sub_eip_add_2
db ffh, e4h
    cmp edi, edi
    pop ebx
    xchg eax, ebx  
    jnz ??? = nop
    push ebx
    [花指令0_2]
    mov ebx, edx
    [花指令5]
    ; at this point edx from rdtsc is held in ebx, and ebx has been saved on the stack. Below, rdtsc runs again for comparison
    rdtsc
    [花指令2]
    sub edx, ebx  ; note: edx-ebx can only be 0 or 1 here, otherwise execution goes off the rails
    [花指令0_3]
    pop ebx
    [花指令4]
    sub edx, 2
    [花指令4]
    jns ???       ; if this jumps, execution goes off the rails
    [花指令4]
    pop edx
    [花指令0_3]
    pop eax
    [花指令0_3]
    [花指令4]
    pop ebp
    jmp over

//////////////////

@sub_eip_add_1:
    call @eip_inc
db ffh
    inc dword ptr[esp]
    [花指令0_2]
    ret

//////////////////

eip_inc:
    push ebp
    mov ebp, esp
    sub ebp, 80
    jnz +1 = jmp
db ffh     
    add dword ptr[esp+84], 1
    jnz +2 = jmp 
db 68h, 58h
    mov esp, ebp
    pop ebp
    ret

//////////////////

@sub_eip_add_2:
    call eip_inc
db ffh
    sub dword ptr[esp], -2
    jnz +2 = jmp
db 8dh, 87h
    [花指令0_2]
    ret

///////////////////   

over:


==================================
Junk pattern 7:              68 bytes long
push eax     
push ebx
call +4
db ?? ?? ?? ??
pop ax
cmp esi, esi
pop bx
jnz ?? = nop
pop eax
jmp +3
db ?? ?? ??
add_eip_2
db ?? ??
cmp edi, edi
pop ebx
xchg eax, ebx
jnz ?? = nop
jmp add_eip_2_over
add_eip_2
add_eip_2_over:

====================================
Junk pattern 8:    with rdtsc and self-modifying code, length 137  == push eax
9c9c93:

pushad

call +0             ;ebp
pop ebp

------------------------------
call +2                      |
db ?? ??                     |
add dword ptr [esp], 8       |
ret                          |
db ??                        |
------------------------------

sub ebp, 5 

------------------------------
jmp +2                       |
db ?? ??                     |
------------------------------

------------------------------
jmp +2                       |
db ?? ??                     |
------------------------------

rdtsc

------------------------------
call +2                      |
db ?? ??                     |
add dword ptr[esp], 8        |
ret                          |
db ??                        |
------------------------------

mov eax, 5c

------------------------------
jl +3                        |
jmp +3                       |
db ??                        |
je -5                        |
------------------------------

add eax, ebp

------------------------------
call +1                      |
db ??                        |
add esp, 4                   |
------------------------------

mov ecx, 5e; 0    <-----------------
                                 | |
------------------------------   | |
jmp +3                       |   | |
db ?? ?? ??                  |   | |
------------------------------   | |
                                 | |
------------------------------   | |
jl +3                        |   | |
jmp +3                       |   | |
db ??                        |   | |
je -5                        |   | |
------------------------------   | |
                                 | |
mov dword ptr[eax], ecx 5e,0---> | |
                               | | |
------------------------------ | | |
jmp +2                       | | | |
db ?? ??                     | | | |
------------------------------ | | |
                               | | |
call +5e == @1;0         <------ | |
                                 | |
pop eax                          | |
                                 | |
------------------------------   | |
jl +3                        |   | |
jmp +3                       |   | |
db ??                        |   | |
je -5                        |   | |
------------------------------   | |
                                 | |
mov ecx, edx                     | |
                                 | |
------------------------------   | |
call +1                      |   | |
db ??                        |   | |
add esp, 4                   |   | |
------------------------------   | |
                                 | |
rdtsc                            | | 
                                 | |
------------------------------   | |
jl +3                        |   | |
jmp +3                       |   | |
db ??                        |   | |
je -5                        |   | |
------------------------------   | |
                                 | |
sub edx, ecx                     | |
                                 | |
------------------------------   | |
jmp +2                       |   | |
db ?? ??                     |   | |
------------------------------   | |
                                 | |
sub edx, 2                       | |
                                 | |
------------------------------   | |
jmp +3                       |   | |
db ?? ?? ??                  |   | |
------------------------------   | |
                                 | |
------------------------------   | |
jmp +2                       |   | |
db ?? ??                     |   | |
------------------------------   | |
                                 | | 
                                 | |  
------------------------------   | |
jmp +3                       |   | |
db ?? ?? ??                  |   | |
------------------------------   | |
                                 | |
js +5 ; must jump or it crashes  | |
                                 | |
------------------------------   | |
jmp +2                       |   | |
db ?? ??                     |   | |
------------------------------   | |
pop edx                          | |
                                 | |
------------------------------   | |
call +1                      |   | |
db ??                        |   | |
add esp, 4                   |   | |
------------------------------   | |
                                 | | 
push eax                         | |
                                 | |
------------------------------   | |
pushad                       |   | |
call +3                      |   | |
db ??                        |   | |
jmp +a                       |   | |
pop eax                      |   | |
jmp +1                       |   | |
db ??                        |   | |
inc eax                      |   | |
jmp +1                       |   | |
db ??                        |   | |
jmp eax                      |   | |
popad                        |   | |
------------------------------   | |
jmp over                         | |
                                 | | 
------------------------------   | |
jmp +2                       |   | |
db ?? ??                     |   | |
------------------------------   | |
                                 | |
@1:                              | |
mov ecx, 45                      | |
                                 | |
------------------------------   | |
call +1                      |   | |
db ??                        |   | |
call +2                      |   | |
db ?? ??                     |   | |
add dword ptr[esp], 0b       |   | |
add dword ptr[esp+4], 13     |   | |
ret                          |   | |
db ??                        |   | |
------------------------------   | |
                                 | |
add ecx, ebp                     | |
                                 | |
------------------------------   | |
call +2                      |   | |
db ?? ??                     |   | |
add dword ptr[esp], 8        |   | |
ret                          |   | |
db ??                        |   | |
------------------------------   | |
                                 | |
mov dword ptr [ecx], 0 ----------> |
                                   | 
------------------------------     |
pushad                       |     |
call +3                      |     |
db ??                        |     |
jmp +a                       |     |
pop eax                      |     |
jmp +1                       |     |
db ??                        |     |
inc eax                      |     |
jmp +1                       |     |
db ??                        |     |
jmp eax                      |     |
popad                        |     |
------------------------------     |
                                   |
pop ebx                            |
                                   |
------------------------------     |
call +1                      |     |
db ??                        |     |
call +2                      |     |
db ?? ??                     |     |
add dword ptr[esp], 0b       |     |
add dword ptr[esp+4], 13     |     |
ret                          |     |
db ??                        |     |
------------------------------     |
                                   |
dec ecx                            |
                                   |
------------------------------     |
call +2                      |     |
db ?? ??                     |     |
add dword ptr[esp], 8        |     |
ret                          |     |
db ??                        |     |
------------------------------     |
                                   |
jmp ecx---------------------------->

------------------------------
call +1                      |
db ??                        |
add esp, 4                   |
------------------------------

to be continued.
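An added byte-level recogniser for junk patterns 0_N, 1, 2, 3, 4 and 5 above, written in C for this thread (it is not jjnet's code). Every `db ??` position is a wildcard, per the note that the filler byte values vary, and the result is the offset F4 would land on after a run of junk. The byte encodings are standard IA-32 and the sample buffer is constructed for the demo. Patterns 6, 7 and 8 are not matched whole: they interleave real register-preserving instructions between these sub-blocks, so only their sub-blocks are recognised.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wildcard for the "db ??" filler bytes, whose values are not fixed. */
#define ANY (-1)

struct junk_pattern { const char *name; const int16_t *bytes; size_t len; };

/* Encodings are standard IA-32: E8 cd = call rel32, EB cb = jmp rel8, 83 C4 ib = add esp,imm8,
 * 83 04 24 ib = add [esp],imm8, 83 44 24 04 ib = add [esp+4],imm8, C3 = ret, 7C/74 cb = jl/je rel8,
 * 60/61 = pushad/popad, 58 = pop eax, 40 = inc eax, FF E0 = jmp eax. */
/* pattern 1: call +1 / db / call +2 / db db / add [esp],0b / add [esp+4],13 / ret / db */
static const int16_t junk1[] = { 0xE8,1,0,0,0, ANY, 0xE8,2,0,0,0, ANY,ANY,
                                 0x83,0x04,0x24,0x0B, 0x83,0x44,0x24,0x04,0x13, 0xC3, ANY };
/* pattern 2: call +1 / db / add esp,4 */
static const int16_t junk2[] = { 0xE8,1,0,0,0, ANY, 0x83,0xC4,0x04 };
/* pattern 3: pushad / call +3 / db / jmp +a / pop eax / jmp +1 / db / inc eax / jmp +1 / db / jmp eax / popad */
static const int16_t junk3[] = { 0x60, 0xE8,3,0,0,0, ANY, 0xEB,0x0A, 0x58, 0xEB,0x01, ANY,
                                 0x40, 0xEB,0x01, ANY, 0xFF,0xE0, 0x61 };
/* pattern 4: jl +3 / jmp +3 / db / je -5 (either flag state ends right after the je) */
static const int16_t junk4[] = { 0x7C,0x03, 0xEB,0x03, ANY, 0x74,0xFB };
/* pattern 5: call +2 / db db / add [esp],8 / ret / db */
static const int16_t junk5[] = { 0xE8,2,0,0,0, ANY,ANY, 0x83,0x04,0x24,0x08, 0xC3, ANY };

#define PAT(p) { #p, p, sizeof p / sizeof p[0] }
static const struct junk_pattern patterns[] = { PAT(junk1), PAT(junk2), PAT(junk3), PAT(junk4), PAT(junk5) };

/* Length of one junk block that starts at p, or 0 if p does not start with one. */
size_t svkp_junk_len(const uint8_t *p, size_t len)
{
    /* pattern 0_N: jmp +N over N filler bytes (N = 2, 3, 4 on the page). Caveat: a genuine
     * short forward jump of that size looks identical, so confirm the target in context. */
    if (len >= 2 && p[0] == 0xEB && p[1] >= 2 && p[1] <= 4 && len >= 2u + p[1])
        return 2u + p[1];
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        const struct junk_pattern *pt = &patterns[i];
        if (pt->len > len) continue;
        size_t k = 0;
        while (k < pt->len && (pt->bytes[k] == ANY || pt->bytes[k] == p[k])) k++;
        if (k == pt->len) return pt->len;
    }
    return 0;
}

/* Offset of the first byte that is not part of a run of junk blocks: where F4 lands. */
size_t svkp_skip_junk(const uint8_t *p, size_t len)
{
    size_t off = 0, n;
    while (off < len && (n = svkp_junk_len(p + off, len - off)) != 0) off += n;
    return off;
}

/* Constructed sample: one of each recognised block, then real code (push ecx; nop). */
static const uint8_t sample_junk[] = {
    0xEB,0x02, 0x11,0x22,                                         /* junk 0_2 */
    0xE8,0x01,0,0,0, 0x9A, 0x83,0xC4,0x04,                        /* junk 2 */
    0xE8,0x02,0,0,0, 0xCD,0x02, 0x83,0x04,0x24,0x08, 0xC3, 0xE8,  /* junk 5 */
    0x7C,0x03, 0xEB,0x03, 0x8B, 0x74,0xFB,                        /* junk 4 */
    0x60, 0xE8,0x03,0,0,0, 0xD2, 0xEB,0x0A, 0x58, 0xEB,0x01, 0x48,
    0x40, 0xEB,0x01, 0x35, 0xFF,0xE0, 0x61,                       /* junk 3 */
    0xE8,0x01,0,0,0, 0xE8, 0xE8,0x02,0,0,0, 0xCD,0x20,
    0x83,0x04,0x24,0x0B, 0x83,0x44,0x24,0x04,0x13, 0xC3, 0xE9,    /* junk 1 */
    0x51, 0x90                                                    /* real code: push ecx; nop */
};

/* Offset of the first real instruction in the constructed sample (77). */
size_t svkp_sample_first_real(void) { return svkp_skip_junk(sample_junk, sizeof sample_junk); }

int main(void)
{
    size_t off = svkp_sample_first_real();
    printf("first real instruction at +%zu, opcode %02X\n", off, sample_junk[off]);
    return 0;
}
```

The pattern table is the place to extend when a variant turns up: add the byte sequence with wildcards in the `db` positions and the skipper picks it up with no other change.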

  • Title: Reply
  • Author: xIkUg
  • Time: 2007-01-03 12:31

Quote: originally posted by forgot
Looking forward to the next part, especially the driver analysis



First stop the original driver; in an XP cmd window type:
sc stop svkp

Copy svkp.sys into the windows\system32 directory, overwriting the original svkp.sys driver...

Then:
sc start svkp

Run the packed program and our output shows up in DebugViewNt:
00000000  0.00000000  Our's SVKP Driver Start.  
00000001  2.40722394  ControlCode: 00222000  
00000002  2.40741467  ControlCode: 00222004  
00000003  2.40751123  ControlCode: 00222014  
00000004  2.40764880  ControlCode: 0022200c  
00000005  2.61064625  ControlCode: 00222008  

There isn't much in the driver...

It just returns some fixed values and statuses... so when unpacking we can ignore the svkp driver...

Attachment: svkp_src.rar
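An added C decoder for the IoControlCodes the thread shows svkp.sys receiving, to check what a replacement driver has to accept (example code written for this page, not from xIkUg's attachment). The field layout is the CTL_CODE macro from winioctl.h; the five codes are the ones quoted in the two posts above, and what the decoder shows is that all of them are METHOD_BUFFERED, FILE_ANY_ACCESS requests to FILE_DEVICE_UNKNOWN with vendor function numbers 0x800 to 0x805.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Field layout of a Windows I/O control code (the CTL_CODE macro in winioctl.h):
 *   bits 31..16 DeviceType, 15..14 RequiredAccess, 13..2 Function, 1..0 Method. */
struct ioctl_fields { uint16_t device_type; uint8_t access; uint16_t function; uint8_t method; };

struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 3);    /* 0 = FILE_ANY_ACCESS */
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 3);            /* 0 = METHOD_BUFFERED */
    return f;
}

/* The codes the thread shows svkp.sys receiving (0x222008 appears only in the driver log). */
static const uint32_t svkp_codes[] = { 0x222000, 0x222004, 0x222014, 0x22200C, 0x222008 };
#define NUM_SVKP_CODES (sizeof svkp_codes / sizeof svkp_codes[0])

/* 1 if code is a METHOD_BUFFERED, FILE_ANY_ACCESS request to FILE_DEVICE_UNKNOWN (0x22)
 * with a function number in the vendor range (0x800 and up). */
int is_vendor_buffered_unknown(uint32_t code)
{
    struct ioctl_fields f = decode_ioctl(code);
    return f.device_type == 0x22 && f.access == 0 && f.method == 0 && f.function >= 0x800;
}

/* How many of the listed codes fit that shape. All five do, so a stand-in driver needs a
 * single IRP_MJ_DEVICE_CONTROL handler that switches on Function 0x800..0x805 and writes
 * its fixed reply back through the buffered SystemBuffer. */
size_t count_vendor_codes(void)
{
    size_t n = 0;
    for (size_t i = 0; i < NUM_SVKP_CODES; i++) n += is_vendor_buffered_unknown(svkp_codes[i]) != 0;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NUM_SVKP_CODES; i++) {
        struct ioctl_fields f = decode_ioctl(svkp_codes[i]);
        printf("%08X: device 0x%02X access %u function 0x%03X method %u\n",
               svkp_codes[i], f.device_type, f.access, f.function, f.method);
    }
    return 0;
}
```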