From packing Notepad to finally stripping the packer off took about a week, but the time actually spent analysing the code was only a few hours. The rest went into reading related analysis articles, or staring at a big pile of code and simply not wanting to analyse it.
For this classic packer I doubt there has ever been an analysis as simple as mine: use the ATTACH method to find the OEP, then locate the encrypted data table, work out its structure and the decryption algorithm, decrypt the data using the program's own decryption routine, and overwrite the encrypted part. I learned the ATTACH method from the PEDIY digest collection (看雪精华集); perhaps because of its limitations, few articles have mentioned it in recent years, so this write-up may serve as an introduction to it. If the packer is just a simple decryptor or decompressor, like the ones in my previous two unpacking write-ups, this method kills it instantly. Of course, if the target program hides its process or never enters a message loop, the method is useless.
The packer:
http://www.pediy.com/tools/PACK/Protectors/PE-Armor/PE-Armor0.74.rar
The unpacked Notepad:
http://www.nxer.cn/709394/attachment/1163996037_0.rar
I downloaded PE-Armor 0.74 from its homepage and packed Notepad with it. Running the result, I waited over a minute before the Notepad window appeared; with the CPU busy that long, it is definitely a packer for training patience. I admire those who trace through the entire packer. Following the return addresses on the stack upward, layer by layer, I found the fake OEP (the real one has been stolen).
Reload the program and set a memory-write breakpoint at the fake OEP; once the program has finished decoding the fake OEP, set a breakpoint at that location and press Shift+F9 to reach it. Look at the stack and the registers:
EAX 0006FFE0
ECX 00000101
EDX FFFFFFFF
EBX 7FFDF000
ESP 0006FFB0
EBP 0006FFC0
0006FFB0 0006FFE0 指针到下一个 SEH 记录
0006FFB4 010065D0 SE 句柄
0006FFB8 01001888 notepad.01001888
0006FFBC FFFFFFFF
0006FFC0 0006FFF0
0006FFC4 77E67903 返回到 KERNEL32.77E67903
At a program's entry point the stack normally ends at an address ending in C4, which holds the return address back into the system. Usually at the entry EAX is 0 and EBP is XXXXFFF0. Here the top of the stack is an SEH record, so the code must contain the SEH installation sequence, i.e.
PUSH FS:[0]
mov fs:[0],esp
We see that EAX equals the value at the top of the stack, so the program first moved FS:[0] into EAX and then pushed it. The entry point can therefore be repaired as follows:
PUSH EBP
MOV EBP,ESP ;these two lines need no explanation; nearly every program starts with them
PUSH -1 ;-1 = FFFFFFFF
PUSH 01001888
PUSH 010065D0
MOV eax,fs:[0]
push eax
mov fs:[0],esp
Then just dump it. Running the dump, it crashed; after the error dialog appears, click Cancel and it can be debugged. Following the return addresses on the stack to the spot where it failed: the import table is encrypted. Now the packer's handling of the import table has to be traced. Reload the still-packed program; the start of the import table was found earlier to be 01001000, so set a memory-write breakpoint there.
002B7E98 8907 mov dword ptr ds:[edi],eax ;write into the import table
002B7E9A 5A pop edx ;current data position
002B7E9B 0FB642 FF movzx eax,byte ptr ds:[edx-1]
002B7E9F 03D0 add edx,eax
002B7EA1 42 inc edx ;position of the next data item
002B7EA2 83C7 04 add edi,4 ;next API
002B7EA5 59 pop ecx ;number of APIs still to process
002B7EA6 49 dec ecx
002B7EA7 ^ 0F85 F7F9FFFF jnz 002B78A4 ;not done yet, next one
002B7EAD E9 F4280000 jmp 002BA7A6 ;a different processing path
--------Here EDX points to a table:
DWORD RVA, within the import table
BYTE length of the DLL name
STRING ASCII characters, the DLL name
DWORD number of APIs to process
followed by one structure per API:
BYTE length; data pointer-1 yields the length, pointer+length+1 yields the pointer to the next item
DATA the encrypted API name
While tracing, watch the memory locations it points to and how it reads the data; the length and purpose of each field then become obvious.
--------Back to the main thread
002B71E5 8B3A mov edi,dword ptr ds:[edx] ;start of this DLL's entries in the import table
002B71E7 68 00FE98B7 push B798FE00
002B71EC 50 push eax
002B71ED E8 5D000000 call 002B724F ;writes code onto the stack and runs it
--------Code on the stack
0006FF4C 873424 xchg dword ptr ss:[esp],esi
0006FF4F 8B36 mov esi,dword ptr ds:[esi]
0006FF51 81F6 EBFF7108 xor esi,871FFEB
0006FF57 75 19 jnz short 0006FF72
The stack code was entered via a CALL; if there is an INT3 at the return address, the XOR result is non-zero.
0006FF59 8B7424 50 mov esi,dword ptr ss:[esp+50]
0006FF5D 56 push esi
0006FF5E 8B36 mov esi,dword ptr ds:[esi]
0006FF60 81F6 EBFF7178 xor esi,7871FFEB
0006FF66 75 09 jnz short 0006FF71
The same here: ESP+50 holds the return address of call 002B724F. A clever anti-debug check.
0006FF68 5E pop esi
0006FF69 83C6 4C add esi,4C ;add 4C to the address just compared
0006FF6C 897424 48 mov dword ptr ss:[esp+48],esi
0006FF70 8D7424 58 lea esi,dword ptr ss:[esp+58]
0006FF74 51 push ecx ;junk code
0006FF75 B9 01000000 mov ecx,1 ;junk code
0006FF7A 8136 EBFF7074 xor dword ptr ds:[esi],7470FFEB
0006FF80 83EE FC sub esi,-4 ;junk code
0006FF83 49 dec ecx ;junk code
0006FF84 ^ 75 F4 jnz short 0006FF7A ;junk code
0006FF86 59 pop ecx ;junk code
0006FF87 8D7424 58 lea esi,dword ptr ss:[esp+58] ;junk code
0006FF8B FFD6 call esi
0006FF8D 5E pop esi
0006FF8E F3: prefix rep:
0006FF8F 68 61722B00 push 2B7261 ;overwritten by the instruction at 0006FF6C
0006FF94 C2 5000 retn 50
Entering the CALL, it is still junk. call 002B724F is effectively a short jump to the current position + 4C + 5. Looking further on, all it does is restore EAX and release the stack. Ugh! I patched the code at 002B71E7 directly to JMP 002B7336; I won't describe similar code repairs below and will just give the meaningful code.
---------Code summary:
002B71E5 8B3A mov edi,dword ptr ds:[edx] ;start of this DLL's entries in the import table
002B7336 0BFF or edi,edi
002B7338 75 05 jnz short 002B733F
002B733A E9 6C340000 jmp 002BA7AB
Apparently EDI=0 means IAT processing is finished.
002B733F 03BD 36F44000 add edi,dword ptr ss:[ebp+40F436]
RVA + image base: the location to write in the import table.
002B7494 83C2 05 add edx,5
002B74C4 8BF2 mov esi,edx
002B74C6 56 push esi ;first parameter of the API (here the DLL name)
002B74C7 8D85 0A624000 lea eax,dword ptr ss:[ebp+40620A]
002B74FA 50 push eax ;return address
002B74FB 8B85 2AF44000 mov eax,dword ptr ss:[ebp+40F42A]
002C0072 6A 00 push 0 ;not understood
002C0074 50 push eax ;address of the API being called (GetModuleHandleA)
002C0075 8B85 1AFD4000 mov eax,dword ptr ss:[ebp+40FD1A]
002C007B 68 00FE2FC7 push C72FFE00
002C0080 50 push eax ;buffer area
002C0081 E8 5D000000 call 002C00E3
This actually uses GetModuleHandleA to obtain the base address of KERNEL32.
---------Note
After this the program copies the code at the API entry point into the buffer area, runs that entry code from the buffer first, and then jumps straight into the rest of the API. So a breakpoint on the API entry will not work; from here on, just break on the return address.
---------Continuing the analysis
002B7508 0BC0 or eax,eax ;check whether the call succeeded
002B750A 75 1E jnz short 002B752A
0006FF90 0FB64E FF movzx ecx,byte ptr ds:[esi-1]
0006FF94 01CE add esi,ecx
0006FF96 89F2 mov edx,esi
0006FF99 FFC2 inc edx
0006FF9B 8B0A mov ecx,dword ptr ds:[edx]
0006FF9D 81E1 00000080 and ecx,80000000
Among the code run on the stack is this section: it takes the byte preceding the DLL name, adds it to the DLL name's address and then adds 1, giving the start address of the next data item.
002B7746 8BF0 mov esi,eax
002B7748 0BC9 or ecx,ecx
002B774A 0F85 62070000 jnz 002B7EB2
Here it checks whether the high byte of ECX is 80. How could an API count possibly need a whole DWORD? Compare with the table EDX points to (note the last 4 bytes of each DLL's data block shown; that is where ECX is read from).
002C137F D4 12
002C138F 00 00 0C 43 4F 4D 44 4C 47 33 32 2E 44 4C 4C 00 ...COMDLG32.DLL.
002C139F 09 00 00 00 ....
002C141F 94
002C142F 11 00 00 0B 53 48 45 4C 4C 33 32 2E 44 4C 4C 00 ..SHELL32.DLL.
002C143F 04 00 00 00 ...
002C146F 44 11
002C147F 00 00 0A 4D 53 56 43 52 54 2E 44 4C 4C 00 13 00 ...MSVCRT.DLL..
002C148F 00 00 ..
002C155F 00 10 00 00 0C ...
002C156F 41 44 56 41 50 49 33 32 2E 44 4C 4C 00 07 00 00 ADVAPI32.DLL...
002C157F 00 .
002C15DF 80
002C15EF 10 00 00 0C 4B 45 52 4E 45 4C 33 32 2E 44 4C 4C ...KERNEL32.DLL
002C15FF 00 30 00 00 80 .0..€
002C18AF 20 10 00 00 09 47 44 49 33 32 2E 44 ...GDI32.D
002C18BF 4C 4C 00 17 00 00 00 LL....
002C19EF A8 11 00 00 0A 55 ..U
002C19FF 53 45 52 33 32 2E 44 4C 4C 00 46 00 00 80 SER32.DLL.F..€
002C1E2F C4 12 00 00 0C 57 49 4E 53 50 ...WINSP
002C1E3F 4F 4F 4C 2E 44 52 56 00 03 00 00 00 OOL.DRV....
Only the entries for KERNEL32.DLL and USER32.DLL have the 80; their RVAs in the import table are 1080 and 11A8. Compare with the IAT of the program dumped earlier:
01001070 <>10 17 F4 77 F7 29 F6 77 02 59 F4 77 00 00 00 00 ôw?öwYôw....
01001080 00 10 02 01 20 10 02 01 40 10 02 01 60 10 02 01 . @`
010011A0 <>4E 7E 56 77 00 00 00 00 00 20 02 01 20 20 02 01 N~Vw.....
010011B0 40 20 02 01 60 20 02 01 80 20 02 01 A0 20 02 01 @ ` € ?
Exactly those positions are encrypted. So 80 is the flag marking whether the APIs are encrypted; keep tracing to see how it decrypts them.
002B7EB2 8B0A mov ecx,dword ptr ds:[edx]
002B7EB4 81E1 FFFFFF7F and ecx,7FFFFFFF ;get the number of APIs to decrypt
002B7EBA 51 push ecx
002B7EBB 52 push edx
002B800B C1E1 05 shl ecx,5
002B800E 6A 04 push 4
002B8010 68 00100000 push 1000
002B8015 51 push ecx
002B8016 6A 00 push 0
002B8018 8D85 2D6D4000 lea eax,dword ptr ss:[ebp+406D2D]
002B801E 50 push eax ;this is the return address
002B801F 8B85 32F44000 mov eax,dword ptr ss:[ebp+40F432]
002C0072 6A 00 push 0
002C0074 50 push eax
002C0075 8B85 1AFD4000 mov eax,dword ptr ss:[ebp+40FD1A]
002C007B 68 00FE2FC7 push C72FFE00
002C0080 50 push eax
002C0081 E8 5D000000 call 002C00E3
Here it prepares to call VirtualAlloc to allocate memory. call 002C00E3 was explained above; just break at the return address.
002B802B 8985 82F44000 mov dword ptr ss:[ebp+40F482],eax
Save the address of the allocated memory.
002B8197 8907 mov dword ptr ds:[edi],eax
002B8199 83C0 20 add eax,20
002B819C 83C7 04 add edi,4
002B819F 49 dec ecx
002B81A0 0BC9 or ecx,ecx
002B81A2 ^ 75 F3 jnz short 002B8197
002B81A4 59 pop ecx
Here it fills the import table directly with the encrypted addresses, so the import-table decryption must come later.
002B81D2 58 pop eax
002B81D3 8BF8 mov edi,eax
002B81D5 57 push edi
002B81D6 51 push ecx
002B81D7 E9 8B040000 jmp 002B8667
The encrypted address is passed into EDI, ready for decryption.
002B81DC 8D47 1C lea eax,dword ptr ds:[edi+1C]
002B820C 66:C707 FF35 mov word ptr ds:[edi],35FF
Writes a PUSH DWORD PTR DS:[0] instruction.
002B8360 C747 06 8134240>mov dword ptr ds:[edi+6],243481
In the form XOR DWORD PTR SS:[ESP],0.
002B84B6 8947 02 mov dword ptr ds:[edi+2],eax
Rewrites the earlier instruction to PUSH DWORD PTR DS:[75001C].
002B84E6 C647 0D C3 mov byte ptr ds:[edi+D],0C3
Writes a RETN.
002B865F 8947 09 mov dword ptr ds:[edi+9],eax
Here, after some complex computation, a random key is generated from RDTSC.
--------Summary
The encrypted addresses in the import table are 20h-aligned; the code at 750000 is:
00750000 FF35 1C007500 push dword ptr ds:[75001C]
00750006 813424 5BDE27CD xor dword ptr ss:[esp],CD27DE5B
0075000D C3 retn
75001C holds the encrypted data.
--------Back to the main thread
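To show how this stub layout can be undone offline from a memory dump, here is an added Python example; it is not the author's code and not part of PE-Armor. It builds a constructed region of 20h-byte stubs of the form push dword ptr [X] / xor dword ptr [esp],key / retn, then walks a dumped IAT slice and replaces every slot that points into that region with [X] XOR key, which is the value the retn would jump to. The stub addresses, the 1111000x target addresses and all keys except CD27DE5B from the listing are constructed for the sample.

```python
import struct

STUB_SIZE = 0x20   # the encrypted IAT entries are 20h-aligned, one stub each


def build_stub(stub_addr, real_addr, key):
    """Construct one stub as the write-up describes it (sample only, not the packer's output):
         push dword ptr [stub_addr+1C] ; xor dword ptr [esp],key ; retn
       with real_addr XOR key stored at stub_addr+1C. The padding bytes are assumed."""
    code = b'\xFF\x35' + struct.pack('<I', stub_addr + 0x1C)     # FF35 imm32  (offset 00)
    code += b'\x81\x34\x24' + struct.pack('<I', key)             # 813424 imm32 (offset 06)
    code += b'\xC3'                                              # retn         (offset 0D)
    code = code.ljust(0x1C, b'\xCC')
    return code + struct.pack('<I', real_addr ^ key)             # data at offset 1C


def decode_stub(mem, mem_base, stub_addr):
    """Recover the real API address from the stub at stub_addr.
       mem is a dump of the allocated region, with mem[0] located at mem_base."""
    off = stub_addr - mem_base
    if (mem[off:off + 2] != b'\xFF\x35'
            or mem[off + 6:off + 9] != b'\x81\x34\x24'
            or mem[off + 13] != 0xC3):
        raise ValueError(f'no push/xor/retn stub at {stub_addr:08X}')
    ptr = struct.unpack_from('<I', mem, off + 2)[0]     # operand of the push
    key = struct.unpack_from('<I', mem, off + 9)[0]     # operand of the xor
    data = struct.unpack_from('<I', mem, ptr - mem_base)[0]
    return data ^ key                                   # what the xor leaves on the stack for retn


def fix_iat(iat_slots, mem, mem_base):
    """Replace every IAT slot that points into the stub region with the decoded address;
       slots that already hold a real API address are left alone."""
    fixed = []
    for v in iat_slots:
        if mem_base <= v < mem_base + len(mem):
            fixed.append(decode_stub(mem, mem_base, v))
        else:
            fixed.append(v)
    return fixed


# Constructed sample region at 750000 with three stubs, and a constructed IAT slice.
MEM_BASE = 0x750000
STUB_TARGETS = [(0x750000, 0x11110001, 0xCD27DE5B),   # key taken from the listing above
                (0x750020, 0x11110002, 0x13572468),
                (0x750040, 0x11110003, 0x0BADF00D)]
MEM = b''.join(build_stub(a, r, k) for a, r, k in STUB_TARGETS)
SAMPLE_IAT = [0x750000, 0x750020, 0x11110009, 0x750040]   # third slot was never encrypted

if __name__ == '__main__':
    print([f'{v:08X}' for v in fix_iat(SAMPLE_IAT, MEM, MEM_BASE)])
```

The decoder validates the three opcode patterns before trusting the operands, so a slot that points into the region but does not hold a stub (for instance after the packer's layout changes) raises instead of producing a wrong address.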
002B8662 5A pop edx
002B8663 83C7 20 add edi,20
002B8666 49 dec ecx
002B8667 0BC9 or ecx,ecx
002B8669 ^ 0F85 6DFBFFFF jnz 002B81DC
ÕâÀïÅжÏÊÇ·ñÐèÒª´¦ÀíÏÂÒ»¸ö¼ÓÃÜÊý¾ÝµØÖ·£¬Ö±½ÓÔÚºóÃæ϶ÏÌø³öÑ»·
002B866F 59 pop ecx
002B8670 5F pop edi
002B8671 83C2 04 add edx,4
002B8674 51 push ecx
002B8675 0FB602 movzx eax,byte ptr ds:[edx]
002B8678 0BC0 or eax,eax
002B867A 0F85 B4090000 jnz 002B9034
Enter the next loop; trace through it once first to see what it does.
002B9034 42 inc edx
002B9035 52 push edx
002B9036 60 pushad
002B9037 68 FF559EB6 push B69E55FF
002B903C 8BF2 mov esi,edx
002B903E 68 3E3F8F00 push 8F3F3E
002B9043 8DBD FCF94000 lea edi,dword ptr ss:[ebp+40F9FC]
002B9049 68 00FE98C7 push C798FE00
002B904E 50 push eax
002B904F E8 5D000000 call 002B90B1
002B9043 fetches the buffer for the decrypted API.
002B91A4 0FB64E FF movzx ecx,byte ptr ds:[esi-1] ;get the string length
0006FF68 50 push eax
0006FF69 AC lods byte ptr ds:[esi]
0006FF6A 34 79 xor al,79
0006FF6C 2C 55 sub al,55
0006FF6E C0C0 03 rol al,3
0006FF71 F6D0 not al
0006FF73 AA stos byte ptr es:[edi]
0006FF74 31C0 xor eax,eax
0006FF76 49 dec ecx
0006FF77 ^ 75 F0 jnz short 0006FF69
0006FF79 AA stos byte ptr es:[edi]
0006FF7A 58 pop eax
The data is decrypted on the stack, yielding an API name. At this point the structure and use of every field in the table EBX points to are clear. I wrote code directly to restore the encrypted API names in the table, then used GetProcAddress to obtain the addresses, arranged them in order into a table, manually overwrote the originally encrypted IAT, and finally repaired it with ImportREC.
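The following Python is an added example, not the author's restoration code and not part of PE-Armor. It puts together the table layout described earlier (DWORD RVA, length-prefixed DLL name, DWORD API count with bit 31 as the encryption flag, then length-prefixed encrypted API names, each string followed by a NUL) and the byte-wise decryption just traced (xor 79, sub 55, rol 3, not), walks a constructed table, decrypts each name and looks it up in a constructed export map, retrying with the last character dropped the way the packer does when a name carries an extra trailing byte. The sample DLL and API names, the RVAs 1080/11A8/1000 and the 1111000x addresses are constructed; the table is built with the inverse transform so that the parser has something to run on.

```python
import struct

# Per-DLL table layout as worked out in the write-up:
#   DWORD rva             RVA of this DLL's slice of the import table (0 ends the table)
#   BYTE  len, name, 00   DLL name; the length byte sits just before the string
#   DWORD count|flag      number of APIs; bit 31 set (80 in the high byte) = encrypted IAT
#   per API: BYTE len, <len encrypted bytes>, 00
ENCRYPTED_FLAG = 0x80000000


def rol8(v, n):
    v &= 0xFF
    return ((v << n) | (v >> (8 - n))) & 0xFF


def ror8(v, n):
    v &= 0xFF
    return ((v >> n) | (v << (8 - n))) & 0xFF


def decrypt_byte(c):
    # The routine the packer runs on the stack: xor al,79 ; sub al,55 ; rol al,3 ; not al
    v = (c ^ 0x79) & 0xFF
    v = (v - 0x55) & 0xFF
    v = rol8(v, 3)
    return (~v) & 0xFF


def encrypt_byte(p):
    # Inverse of decrypt_byte; only used here to build the constructed sample table.
    v = ror8((~p) & 0xFF, 3)
    v = (v + 0x55) & 0xFF
    return v ^ 0x79


def decrypt_name(data):
    return bytes(decrypt_byte(c) for c in data).decode('ascii')


def build_table(dlls):
    # dlls: list of (rva, dll_name, encrypted_iat, [api names]); terminated by RVA 0.
    out = bytearray()
    for rva, dll, encrypted, apis in dlls:
        out += struct.pack('<I', rva)
        out += bytes([len(dll)]) + dll.encode('ascii') + b'\x00'
        out += struct.pack('<I', len(apis) | (ENCRYPTED_FLAG if encrypted else 0))
        for api in apis:
            enc = bytes(encrypt_byte(b) for b in api.encode('ascii'))
            out += bytes([len(enc)]) + enc + b'\x00'
    return bytes(out) + struct.pack('<I', 0)


def parse_table(buf):
    """Walk the table and return [(rva, dll_name, encrypted_iat, [decrypted api names])]."""
    pos, entries = 0, []
    while pos + 4 <= len(buf):
        rva = struct.unpack_from('<I', buf, pos)[0]
        pos += 4
        if rva == 0:                       # EDI=0 after 'mov edi,[edx]' ends processing
            break
        n = buf[pos]                       # data pointer-1 holds the length
        pos += 1
        dll = buf[pos:pos + n].decode('ascii')
        pos += n + 1                       # pointer+length+1 skips the string and its NUL
        count = struct.unpack_from('<I', buf, pos)[0]
        pos += 4
        encrypted = bool(count & ENCRYPTED_FLAG)
        count &= 0x7FFFFFFF                # and ecx,7FFFFFFF
        apis = []
        for _ in range(count):
            n = buf[pos]
            pos += 1
            apis.append(decrypt_name(buf[pos:pos + n]))
            pos += n + 1
        entries.append((rva, dll, encrypted, apis))
    return entries


def resolve(dll, name, exports):
    """Mimic the packer's retry: if the lookup fails, drop the last character and retry once."""
    table = exports.get(dll.upper(), {})
    if name in table:
        return table[name]
    return table.get(name[:-1])


def rebuild_iat(buf, exports):
    """Map each DLL's IAT RVA to its resolved API addresses, in table order."""
    return {rva: [resolve(dll, api, exports) for api in apis]
            for rva, dll, _enc, apis in parse_table(buf)}


# Constructed sample: fake export addresses and a table built with the inverse transform.
SAMPLE_EXPORTS = {
    'KERNEL32.DLL': {'ExitProcess': 0x11110001, 'GetProcAddress': 0x11110002},
    'USER32.DLL': {'SendMessageA': 0x11110003},
    'GDI32.DLL': {'TextOutA': 0x11110004},
}
SAMPLE_TABLE = build_table([
    (0x1080, 'KERNEL32.DLL', True, ['ExitProcess', 'GetProcAddressX']),  # 'X' = extra trailing byte
    (0x11A8, 'USER32.DLL', True, ['SendMessageA']),
    (0x1000, 'GDI32.DLL', False, ['TextOutA']),
])

if __name__ == '__main__':
    for rva, dll, enc, apis in parse_table(SAMPLE_TABLE):
        print(f'{rva:08X} {dll:<14} encrypted={enc} {apis}')
    print({hex(k): v for k, v in rebuild_iat(SAMPLE_TABLE, SAMPLE_EXPORTS).items()})
```

Against a real dump the parser would be pointed at the table start (2C15EE in the listing) and the export map replaced by GetProcAddress lookups; the walk and the byte transform stay the same.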
002B7E97 60 pushad
002B7E98 8BEC mov ebp,esp
002B7E9A BE EE152C00 mov esi,2C15EE
Here the table's start address is passed to ESI; modify it by hand. Only two tables are encrypted anyway.
002B7E9F 8B3E mov edi,dword ptr ds:[esi]
002B7EA1 83C6 05 add esi,5
002B7EA4 56 push esi
002B7EA5 B8 DB56E777 mov eax,KERNEL32.GetModuleHandleA
002B7EAA FFD0 call eax
002B7EAC 50 push eax
002B7EAD 0FB646 FF movzx eax,byte ptr ds:[esi-1]
002B7EB1 03F0 add esi,eax
002B7EB3 46 inc esi
002B7EB4 0FB60E movzx ecx,byte ptr ds:[esi]
002B7EB7 83C6 04 add esi,4
002B7EBA 51 push ecx
002B7EBB 0FB60E movzx ecx,byte ptr ds:[esi]
002B7EBE 46 inc esi
002B7EBF 57 push edi
002B7EC0 AC lods byte ptr ds:[esi]
002B7EC1 34 79 xor al,79
002B7EC3 2C 55 sub al,55
002B7EC5 C0C0 03 rol al,3
002B7EC8 F6D0 not al
002B7ECA AA stos byte ptr es:[edi]
002B7ECB 33C0 xor eax,eax
002B7ECD 49 dec ecx
002B7ECE ^ 75 F0 jnz short 002B7EC0
002B7ED0 AA stos byte ptr es:[edi]
002B7ED7 8B0C24 mov ecx,dword ptr ss:[esp]
002B7EDA 51 push ecx
002B7EDB 8B45 FC mov eax,dword ptr ss:[ebp-4]
002B7EDE 50 push eax
002B7EDF B8 4B56E777 mov eax,KERNEL32.GetProcAddress
002B7EE4 FFD0 call eax
002B7EE6 85C0 test eax,eax
002B7EE8 74 10 je short 002B7EFA
This jump needs a word of explanation: sometimes the decrypted API name carries an extra trailing character, so when fetching the API address fails, the last byte is replaced with 00.
002B7EEA 5F pop edi
002B7EEB 8907 mov dword ptr ds:[edi],eax
002B7EED 83C7 04 add edi,4
002B7EF0 46 inc esi
002B7EF1 59 pop ecx
002B7EF2 49 dec ecx
002B7EF3 ^ 75 C5 jnz short 002B7EBA
002B7EF5 61 popad
002B7EF6 CC int3
002B7EFA 4F dec edi
002B7EFB 4F dec edi
002B7EFC AA stos byte ptr es:[edi]
002B7EFD ^ EB D8 jmp short 002B7ED7
While reading analysis articles on this packer I saw its special code-encryption feature mentioned. I did not pack with that feature enabled (I am still learning and did not want to make things too complicated), but at the end of the table described above there is this further table:
002C0AFD 00 58 44 4C 4C 2E 44 4C 4C 00 46 75 DLL.DLL.Fu
002C0B0D 6E 63 32 46 75 6E 63 00 54 65 73 74 44 65 62 75 nc2Func.TestDebu
002C0B1D 67 00 45 6E 43 72 79 70 74 00 44 65 43 72 79 70 g.EnCrypt.DeCryp
002C0B2D 74 00 43 52 43 00 54 65 73 74 42 6D 70 00 43 72 t.CRC.TestBmp.Cr
002C0B3D 65 61 74 65 44 69 61 6C 6F 67 50 61 72 61 6D 41 eateDialogParamA
002C0B4D 00 44 69 61 6C 6F 67 42 6F 78 50 61 72 61 6D 41 .DialogBoxParamA
002C0B5D 00 45 78 69 74 50 72 6F 63 65 73 73 00 46 72 65 .ExitProcess.Fre
002C0B6D 65 52 65 73 6F 75 72 63 65 00 47 65 74 50 72 6F eResource.GetProcAddress
002C0B7D 63 41 64 64 72 65 73 73 00 47 65 74 56 65 72 73 cAddress.GetVers
002C0B8D 69 6F 6E 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E ion.GetModuleHan
002C0B9D 64 6C 65 41 00 47 65 74 43 75 72 72 65 6E 74 50 dleA.GetCurrentP
002C0BAD 72 6F 63 65 73 73 00 47 65 74 43 75 72 72 65 6E rocess.GetCurren
002C0BBD 74 50 72 6F 63 65 73 73 49 64 00 47 65 74 43 6F tProcessId.GetCo
002C0BCD 6D 6D 61 6E 64 4C 69 6E 65 41 00 4C 6F 61 64 4C mmandLineA.LoadL
002C0BDD 69 62 72 61 72 79 41 00 4C 6F 63 6B 52 65 73 6F ibraryA.LockReso
002C0BED 75 72 63 65 00 53 65 6E 64 4D 65 73 73 61 67 65 urce.SendMessage
002C0BFD 41 00 73 65 6E 64 00 72 65 63 76 00 00 A.send.recv..
After decrypting an API name the program compares it against the APIs in the table above; on a match it seems to receive special handling. Repairing the IAT my way appears to handle the special-API encryption as well.