Arma has been upgraded to 3.7. jwh51 said that on his side the dump process for programs packed with 3.7 and with 3.6 is about the same, but mine turned out somewhat different; did I do something wrong
somewhere? There is also the IAT repair, and I'm not sure whether the method below is acceptable. Readers, judge for yourselves, and forgive whatever isn't right.
OS: XP
Tool: od (renamed)
Target: the notepad packed with 3.7 that goodmorning uploaded
1. Anti-OD
The program uses Process32Next to detect the following processes:
ollydbg
nrec.exe
n-rec.Vx ; should be n-rec.Vxd; it only checks the first 8 bytes of the file name
n rec.Vx
agoblin
lordpe
Typical code:
...
0103DC33 LODS DWORD PTR DS:[ESI] ; at the start esi points to the process name obtained
0103DC34 OR EAX,20202020 ; uppercase -> lowercase
0103DC39 STOS DWORD PTR ES:[EDI]
0103DC3A LOOPD SHORT notepad.0103DC33
...
0103DCC4 CMP DWORD PTR DS:[EDI],796C6C6F ; is it olly?
0103DCCA JNZ SHORT notepad.0103DCDA
0103DCCC CMP DWORD PTR DS:[EDI+3],67626479 ; ydbg?
0103DCD3 JNZ SHORT notepad.0103DCDA
0103DCD5 JMP notepad.0103DECE
0103DCDA MOV EDI,84C0
0103DCDF ADD EDI,EBP
0103DCE1 CMP DWORD PTR DS:[EDI],6365726E
0103DCE7 JNZ SHORT notepad.0103DCF7
0103DCE9 CMP DWORD PTR DS:[EDI+4],6578652E
...
To deal with this Arma trick, just rename od, and don't start LordPE for now (or rename it too).
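To see exactly what the comparison loop above matches, here is an added helper (not part of the original post) that decodes the DWORD immediates from the listing into the names they stand for and replays the OR 20202020 case fold; it shows why a renamed od passes and that the check is a fixed-offset prefix match.

```python
import struct

# DWORD immediates from the packer's comparison, as (offset into the
# case-folded name, value): "olly" at +0 and "ydbg" at +3, "nrec" at +0
# and ".exe" at +4.  The values are the ones visible in the listing.
OLLYDBG_CHECK = [(0, 0x796C6C6F), (3, 0x67626479)]
NREC_CHECK = [(0, 0x6365726E), (4, 0x6578652E)]


def imm_to_text(value):
    """Little-endian DWORD immediate -> the 4 ASCII bytes it matches."""
    return struct.pack("<I", value).decode("ascii")


def pattern_from_checks(checks):
    """Overlay the compared DWORDs at their offsets to recover the name."""
    buf = bytearray()
    for off, val in checks:
        if len(buf) < off + 4:
            buf.extend(b"\0" * (off + 4 - len(buf)))
        buf[off:off + 4] = struct.pack("<I", val)
    return buf.decode("ascii")


def fold_case(name):
    """The LODS / OR EAX,20202020 / STOS loop: OR every byte with 0x20."""
    return bytes(b | 0x20 for b in name.encode("ascii"))


def is_flagged(process_name, checks):
    """True when the folded name matches every compared DWORD (a name
    shorter than the compared span can never match)."""
    folded = fold_case(process_name)
    return all(folded[off:off + 4] == struct.pack("<I", val)
               for off, val in checks)
```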
2. OEP
Here the "traditional" method of finding the OEP failed for me:
Break on WaitForDebugEvent; got pDebugEvent = 0012DA6C
Then break on WriteProcessMemory; stack data at the break:
0012D8EC 00000050 |hProcess = 00000050 (window)
0012D8F0 01006000 |Address = 01006000
0012D8F4 00881FB0 |Buffer = 00881FB0
0012D8F8 00001000 |BytesToWrite = 00001000
0012D8FC 0012D91C pBytesWritten = 0012D91C
Data at 0012DA6C at this point:
0012DA6C 70 F5 12 00 70 F5 12 00 CA 44 02 01 05 00 00 00
0012DA7C D8 1E 88 00 00 00 00 00 FC FE 12 00 00 00 00 00
0012DA8C 19 3B 03 01 00 00 00 00 04 00 00 80 00 00 00 00
0012DA9C 8C F7 56 5A 00 00 00 00 00 00 00 00 00 00 00 00
Where is 1006420 (the OEP)? It looks like this Arma upgrade has guarded against finding the OEP this way. Let's look for another way; we can't very well search for its binary value!
Reload the thing, hide od, break on WaitForDebugEvent; once it breaks, remove that breakpoint and bp GetThreadContext. Heh, here it comes:
0012D79C 01028408 /CALL to GetThreadContext from notepad.01028402
0012D7A0 00000058 |hThread = 00000058
0012D7A4 0012D7A8 pContext = 0012E86C
When execution reaches the end of the function (retn 8), type in od's Command line: d 12E86C+0b8, and you see:
0012E924 20 64 00 01 1B 00 00 00 02 02 01 00 54 F5 12 00
Note down OEP=1006420
With the OEP, using the plugin for the dump (thanks, jwh51) is really convenient. Break on WriteProcessMemory; after the break,
change the 55 8b at 8823D0 (881FB0+(1006420-1006000)) to eb fe, nop out the call 1026da5 at 1026d2d, run the program,
and now you can dump.
(See jwh51's article for details)
After dumping, remember to change that eb fe back (55 8b).
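The two calculations in this section, reading Eip out of the CONTEXT that GetThreadContext filled in and locating the OEP inside the parent's WriteProcessMemory buffer, as an added example that is not part of the original post. It assumes the 32-bit CONTEXT layout with Eip at offset 0xB8 (the +0b8 in the d command above) and uses the dump line and stack values shown on the page as constructed input.

```python
import struct

# Offset of CONTEXT.Eip in the 32-bit CONTEXT structure;
# 0x12E86C + 0xB8 = 0x12E924, the address dumped with "d 12E86C+0b8".
CONTEXT_EIP_OFFSET = 0xB8

# Constructed sample: the one dump line the post shows, plus the
# WriteProcessMemory arguments from its stack listing.
DUMP_LINES = ["0012E924 20 64 00 01 1B 00 00 00 02 02 01 00 54 F5 12 00"]
WPM_ADDRESS, WPM_BUFFER, WPM_SIZE = 0x01006000, 0x00881FB0, 0x1000


def parse_dump(lines):
    """OllyDbg hex dump lines ('ADDR b0 b1 ... b15') -> {address: byte}."""
    mem = {}
    for line in lines:
        parts = line.split()
        base = int(parts[0], 16)
        for i, tok in enumerate(parts[1:17]):
            mem[base + i] = int(tok, 16)
    return mem


def read_dword(mem, addr):
    """Little-endian DWORD at addr."""
    return struct.unpack("<I", bytes(mem[addr + i] for i in range(4)))[0]


def eip_from_context(mem, pcontext):
    """Eip from the CONTEXT at pcontext: the OEP on the first pass."""
    return read_dword(mem, pcontext + CONTEXT_EIP_OFFSET)


def buffer_offset_of(target, address, buffer, size):
    """Where 'target' sits inside the parent's WriteProcessMemory buffer,
    or None when this write does not cover that address."""
    if not address <= target < address + size:
        return None
    return buffer + (target - address)
```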
3. IAT
Load the dumped file in od, go to 1006420 in the code window, scroll down and you see:
01006549 CALL DWORD PTR DS:[100109C] ; kernel32.GetStartupInfoA
100109C should be in the IAT; after follow in dump you can see the IAT starting at 1001000:
01001000 CA 60 DF 77 70 DA 9A 00 65 1B DD 77 0B 58 DD 77
01001010 EA 22 DD 77 D7 23 DD 77 78 D8 9A 00 D6 A6 9A 00
01001020 1C 3A C7 77 F9 89 C8 77 1D 53 C7 77 B0 1B C7 77
...
Processing this data with ImportRec and tidying up a bit gives an IAT involving 8 DLLs with 57 unresolved function pointers. The 8
DLLs are:
1) advapi32.dll
2) gdi32.dll
3) kernel32.dll
4) ? ; starting at 1001144, the first pointer points to 77C379DB
5) ? ; starting at 1001194, the first pointer points to 7740FB28
6) user32.dll
7) ? ; starting at 10012c4, the first pointer points to 73006818
8) ? ; starting at 10012d4, the first pointer points to 763D6AC8
Note down this order; it is useful for repairing the IAT. Let's go
Load this notepad in od again, set a break on WaitForDebugEvent, run the program, it breaks; now keep pressing F9, and when the value of edi
changes consecutively as follows, pause
0012E0DC->0104E8C8->0012E0DC (note: they must be consecutive)
Now use pupe (I used a small tool I wrote myself) to change the first 2 bytes of the Retn 10 (c2 10 00) instruction of the API VirtualProtect in the child process
to eb fe. Alt+F9 to return the parent process from WaitForDebugEvent, then use the "classic" method to detach the parent from the child, and let od
attach to the child. Once done, Alt+F9 to reach the eb fe, change it back: eb fe->c2 10, then F8 to arrive at:
009C465F PUSH 1
009C4661 POP EAX
009C4662 TEST EAX,EAX
009C4664 JE 009C4929
009C466A AND WORD PTR SS:[EBP-1D7C],0
009C4672 AND DWORD PTR SS:[EBP-1D84],0
009C4679 AND DWORD PTR SS:[EBP-1D80],0
009C4680 MOV EAX,DWORD PTR SS:[EBP-1780]
009C4686 MOVSX EAX,BYTE PTR DS:[EAX]
009C4689 TEST EAX,EAX
009C468B JNZ SHORT 009C46D1
009C468D LEA ECX,DWORD PTR SS:[EBP-17C0]
009C4693 CALL 009A1040
...
This is exactly the code region we hoped to reach: the place that processes the IAT! Make the following changes:
1) nop out the MOV [EAX],ECX at 9C46AE
2) also nop the JNZ 9C4854 at 9C4813
3) at 9C4847
009C4847 CALL 009A9C72
009C484C POP ECX
009C484D POP ECX
change to:
009C4847 CALL kernel32.GetProcAddress
009C484C NOP
009C484D NOP
Set breakpoints at 9C4913 (MOV [EAX],ECX) and 9C49ED (CALL [9CB138] ; kernel32.VirtualProtect), F9; when it breaks at 9C4913 you see:
009C4913 MOV DWORD PTR DS:[EAX],ECX ; comdlg32.FindTextW
At this point eax=009F9200 and ecx=763CA8A5. Combined with the order obtained from ImportRec earlier, you can see that the first DLL it processes is the last (eighth) one,
comdlg32.dll, and Arma does not put it directly at 10012d4 but at 009F9200! Press F8, switch the hex dump window to 9f9200,
binary copy the A5 A8 3C 76 there, remove the breakpoint at 9C4913, F9, and it breaks at CALL [9CB138]. Now in the hex dump
you can see comdlg32 has been fully processed, but 9f9200 has become 00 00 00 00; that is why we copied it just now. Paste it, ok, then
select the data block there, Binary copy, open Notepad, paste, and the result is:
A5 A8 3C 76 58 A8 3C 76 FC A7 3C 76 C8 6A 3D 76 B5 A8 3C 76 59 1A 3B 76 3F DE 3C 76 08 1E 3D 76
B7 44 3C 76 00 00 00 00
Break at 9C4913 again, F9, and you see:
009C4913 MOV DWORD PTR DS:[EAX],ECX ; SHELL32.DragQueryFileW
(eax=009F9230 ecx=7740FB28)
Heh, this time it is SHELL32.DLL being processed; the first function pointer is 7740FB28, and comparing with the value of ecx we know this should go in the fifth position!
As before, after this DLL is processed, what gets pasted into Notepad is:
28 FB 40 77 CE 8A 4A 77 DB E3 49 77 41 52 41 77 00 00 00 00
It has to go in front of the data pasted into Notepad the first time, since it is the fifth position! (I suggest marking a 5 in front of it)
OK, every DLL can find its own position from its name or the value of ecx, and the operation is just simple repetition. Finally, when Arma raises an exception,
copy the data in Notepad to 1001000, then use ImportREC; nothing more worth saying.
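The "find each DLL's position" step above, as an added example that is not part of the original post: it parses the two byte blocks pasted into Notepad, matches each block to an ImportRec slot, and orders them for pasting at 1001000. The matching rule is an assumption generalised from the post's two data points: a block belongs to the slot whose reported first pointer appears somewhere in it (7740FB28 for SHELL32, 763D6AC8 inside the comdlg32 block).

```python
import struct

# ImportRec slot order from the post: slot number -> first pointer ImportRec
# reported there.  Slots with a known DLL name but no pointer are omitted.
SLOT_MARKERS = {4: 0x77C379DB, 5: 0x7740FB28, 7: 0x73006818, 8: 0x763D6AC8}

# The two byte blocks copied out of the hex dump (comdlg32 first, then
# SHELL32), exactly as pasted into Notepad in the post.
CHUNK_COMDLG32 = ("A5 A8 3C 76 58 A8 3C 76 FC A7 3C 76 C8 6A 3D 76 B5 A8 3C 76 "
                  "59 1A 3B 76 3F DE 3C 76 08 1E 3D 76 B7 44 3C 76 00 00 00 00")
CHUNK_SHELL32 = "28 FB 40 77 CE 8A 4A 77 DB E3 49 77 41 52 41 77 00 00 00 00"


def chunk_to_pointers(chunk):
    """'A5 A8 3C 76 ...' -> list of little-endian DWORDs (the API pointers)."""
    raw = bytes.fromhex(chunk.replace(" ", ""))
    return [struct.unpack_from("<I", raw, i)[0] for i in range(0, len(raw), 4)]


def slot_for_chunk(chunk, markers=SLOT_MARKERS):
    """ImportRec slot whose marker pointer appears in this chunk (assumed
    rule, see lead-in); None when no slot or more than one slot matches."""
    ptrs = set(chunk_to_pointers(chunk))
    hits = [slot for slot, marker in markers.items() if marker in ptrs]
    return hits[0] if len(hits) == 1 else None


def assemble(chunks, markers=SLOT_MARKERS):
    """Order captured chunks by slot, the way the post orders them in
    Notepad; returns [(slot, bytes)] ready to paste at the IAT start."""
    placed = {}
    for chunk in chunks:
        slot = slot_for_chunk(chunk, markers)
        if slot is None or slot in placed:
            raise ValueError("cannot place chunk starting " + chunk[:11])
        placed[slot] = bytes.fromhex(chunk.replace(" ", ""))
    return [(slot, placed[slot]) for slot in sorted(placed)]
```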
Oh, and if it needs to work across systems, change RestoreLastError to SetLastError.