Unpacking techniques: Armadillo 3.6 main program IAT handling (13k characters)
Posted by Armadillo, Monday 2008-06-23 16:39

My last attempt at handling the IAT was wrong, so over the past few days I took the time to analyse it properly, and even installed Windows XP for the purpose. Armadillo 3.6 and 3.7 handle the IAT the same way, but the IAT ends up at a different location depending on the operating system, and Win2k is the hardest case: under Win2k the IAT sits at 012c1000, outside the file's memory image, so repairing it also means dealing with its location. Below are my analysis notes; corrections are welcome.

Load the target in OllyDBG and type bp DebugActiveProcess in the command window. When it breaks, look at the stack window:

0012DA9C 00487DDB /CALL to DebugActiveProcess from Armadill.00487DD5
0012DAA0 0000057C \ProcessId = 57C
0012DAA4 0012FF04
0012DAA8 00000000

The process ID is 57C. Open a second OllyDbg instance and attach it to process 57C.

Press ALT+F9 to reach the entry point and change the entry instruction EB FE back to 60 E8 (the bytes noted in step one). Result:

004A2000 > PUSHAD
004A2001 CALL Armadill.004A2006
004A2006 POP EBP
004A2007 PUSH EAX
004A2008 PUSH ECX
004A2009 JMP SHORT Armadill.004A201A

Set bp OpenMutexA; when it breaks, remove the breakpoint and look at the stack window:

0012F574 004797F1 /CALL to OpenMutexA from Armadill.004797EB
0012F578 001F0001 |Access = 1F0001
0012F57C 00000000 |Inheritable = FALSE
0012F580 0012FBB4 \MutexName = "57C::DAAD341ECC"
0012F584 0012FF04

0012FBB4 points to MutexName = "57C::DAAD341ECC". Using that value, enter the following code in the empty area at 00401000 (create the mutex first, then fall through to open it, i.e. hook the OpenMutexA API):

00401000 60 PUSHAD
00401001 68 B4FB1200 PUSH 12FBB4 ; ASCII "57C::DAAD341ECC"
00401006 6A 00 PUSH 0
00401008 6A 00 PUSH 0
0040100A E8 D08BA877 CALL KERNEL32.CreateMutexA
0040100F 61 POPAD
00401010 -E9 D48CA877 JMP KERNEL32.OpenMutexA

Right-click the address 00401000 and choose "New origin here" from the menu.

Set bp LoadLibraryA and keep pressing F9 until the stack shows:

0012BEE4 00DF8B55 /CALL to LoadLibraryA from 00DF8B4F
0012BEE8 012E0640 \FileName = "WSOCK32.dll"

This is where IAT processing begins. Press Ctrl+F9, then F7 into the program's own code, then F8 down to:

00E11684 PUSH 0
00E11686 CALL DWORD PTR DS:[E180C4] ; KERNEL32.GetModuleHandleA
00E1168C CMP DWORD PTR SS:[EBP-1744],EAX
00E11692 JNZ SHORT 00E116A3

and F8 on again to:

00E1174F CMP DWORD PTR SS:[EBP-1744],EAX
00E11755 JNZ SHORT 00E11768

A note is needed here. Most write-ups patch a jmp somewhere after this point so that the IAT is not encrypted. The principle behind IAT handling in every Armadillo version is: first compare the module against kernel32.dll/user32.dll/advapi32.dll; if it matches, compare the API name (only qualifying APIs are hooked so that they execute inside the shell); if the API also matches, the corresponding IAT entry is changed to point into the shell code; if neither condition holds, the real API entry address is written (i.e. the entry is not encrypted). 00E1174F is the module-handle comparison, so simply patching the jump at 00E11755, or setting a hardware execution breakpoint there and redirecting manually, avoids all IAT encryption.

Once all IAT processing has finished, ImportREC.exe can be used to obtain every correct IAT entry. Under Win2k, RVA=00EC1008, Size=600, then Get Imports.
The ImportREC listing of all functions obtained gives, for each IAT slot, its RVA, the owning DLL, the ordinal and the API name.
That listing shows that each DLL's APIs are not contiguous in the IAT but interleaved at random. This makes it very hard to restore the IAT completely with ImportREC, which cuts functions that are actually needed. So the IAT has to be handled by code written at the program entry point. The idea: move the DLL names and their corresponding API names to the tail of the program, create a memory mapping at 012c1000, then use GetProcAddress on each DLL name and API name to obtain every function's entry address and write it back to its slot.
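As an added example (not the author's code), a Python sketch of the idea in the last paragraph: parse an ImportREC listing, count per DLL how many contiguous runs of slots it occupies (more than one run is the interleaving that makes ImportREC cut functions), and pack the (slot RVA, DLL, API) table that a fix-up stub at the entry point would walk with LoadLibraryA/GetProcAddress. The listing lines are constructed, not the original dump, and the blob layout is my own assumption.

```python
import re
import struct
from collections import defaultdict

# Constructed sample in ImportREC's "ok RVA module ordinal name" format (made up here, not the post's dump).
SAMPLE_LISTING = """\
1 00EC1008 user32.dll 0261 SetWindowPos
1 00EC100C kernel32.dll 01FC MapViewOfFile
1 00EC1014 user32.dll 01C3 MessageBeep
1 00EC1018 gdi32.dll 0052 DeleteDC
1 00EC101C user32.dll 0100 GetCursorPos
1 00EC1020 kernel32.dll 0202 MoveFileA
"""
LINE_RE = re.compile(r"^1\s+([0-9A-Fa-f]{8})\s+(\S+)\s+[0-9A-Fa-f]{4}\s+(\S+)\s*$")

def parse_listing(text):
    """Return [(slot_rva, dll, api)] sorted by IAT slot; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1), 16), m.group(2).lower(), m.group(3)))
    return sorted(entries)

def runs_per_dll(entries):
    """Count contiguous runs of 4-byte slots per DLL. A count above 1 means that DLL's thunks
    are interleaved with other DLLs', which defeats ImportREC's contiguous-block reconstruction."""
    runs, prev = defaultdict(int), None
    for rva, dll, _ in entries:
        if prev is None or dll != prev[1] or rva != prev[0] + 4:
            runs[dll] += 1
        prev = (rva, dll)
    return dict(runs)

def pack_repair_table(entries):
    """Assumed blob layout a fix-up stub can walk: <u32 slot_rva><dll\\0><api\\0>..., ending with a zero RVA."""
    blob = bytearray()
    for rva, dll, api in entries:
        blob += struct.pack("<I", rva) + dll.encode() + b"\0" + api.encode() + b"\0"
    return bytes(blob + struct.pack("<I", 0))

def unpack_repair_table(blob):
    """Inverse of pack_repair_table: the records the stub would read back at run time."""
    out, pos = [], 0
    while (rva := struct.unpack_from("<I", blob, pos)[0]) != 0:
        dll_end = blob.index(b"\0", pos + 4)
        api_end = blob.index(b"\0", dll_end + 1)
        out.append((rva, blob[pos + 4:dll_end].decode(), blob[dll_end + 1:api_end].decode()))
        pos = api_end + 1
    return out
```

Slots absent from the listing never enter the table, so a stub walking it leaves those IAT entries untouched instead of overwriting them with garbage.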