Recognizing packers and program entry-point characteristics
<h1 id="1无壳程序">1. Unpacked programs</h1><h2 id="11vc6">1.1: VC6</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602918064167-efabbe01-18f2-42bc-96b9-8e71bca96a7e.png" alt="image.png" loading="lazy"></p>
<p>Entry-point characteristics. Note that the same APIs are called.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602917682666-212dcf21-3c55-4bb6-bfae-e7282b91f26b.png" alt="image.png" loading="lazy"></p>
<p>Section characteristics: viewing the sections with Exeinfo PE shows</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602917829132-88f0e024-2d37-473d-a6e9-bec36b80e58c.png" alt="image.png" loading="lazy"></p>
<p>The same can be seen in the memory map in OD (OllyDbg):<img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602917859233-07059927-355b-4d49-9e00-94f2c1ed0515.png" alt="image.png" loading="lazy"></p>
<p>VC6 characteristics: the entry-point code is fixed and the APIs called at the entry are the same, although some of the push addresses may differ from program to program; there are also four fixed sections: .text, .rdata, .data and .rsrc.</p>
<h2 id="12vs2008vs2013">1.2: VS2008 &amp; VS2013</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602918097259-18faf821-b56f-42b9-9e84-e3c24cc3e1b2.png" alt="image.png" loading="lazy"></p>
<p>The entry point is generally a call followed by a jmp.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602918157629-17ad66d8-4745-49d0-a895-bdb617a23667.png" alt="image.png" loading="lazy"></p>
<p>After stepping into the call you will find that it is basically the same as the VC6 pattern: the same few APIs are called.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602918297501-fcfcb0cd-6c10-494d-811a-3e306d605c70.png" alt="image.png" loading="lazy"></p>
<p>Section characteristics. Viewed with the tool:</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602918390683-8a87172a-66ef-4562-a01b-b1d38b4929e3.png" alt="image.png" loading="lazy"></p>
<p>Viewed in OD:</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602918430743-c3cc9f78-5537-42d0-b1dc-0b725baa2456.png" alt="image.png" loading="lazy"></p>
<p>Compared with the VC6 section layout there is one extra section, .reloc (relocations).</p>
<p>VS2013 is the same.</p>
<p>VS characteristics: the entry point consists of only two lines of code, a CALL followed directly by a JMP; the APIs called inside the first CALL are the same as for VC6; and compared with VC6 there is one extra section, .reloc.</p>
<h2 id="13易语言非独立编译">1.3: EPL (易语言), non-standalone compilation</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602919592375-d3b2e0a4-49ab-4e84-8cc9-e9595311f135.png" alt="image.png" loading="lazy"></p>
<p>Entry-point characteristics:</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602919737418-e15a8800-4cc1-4699-8ffb-c079ba358594.png" alt="image.png" loading="lazy"></p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602919958826-eecbc72a-a522-4000-b32f-bcdd54bdea6e.png" alt="image.png" loading="lazy">The section characteristics are hard to tell apart because they are identical to VC6's (EPL is built on VC6 underneath).</p>
<p>Characteristics of non-standalone EPL compilation: both the entry-point code and the module list contain krnln.fnr.</p>
<h2 id="14易语言独立编译">1.4: EPL (易语言), standalone compilation</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602920641805-895ed716-d593-4b1c-877d-10960e970c76.png" alt="image.png" loading="lazy"></p>
<p>The entry-point characteristics of standalone-compiled EPL are basically the same as VC6.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602920697362-8c06f23e-c836-42f4-9b7a-6d58fcac6fbe.png" alt="image.png" loading="lazy"></p>
<p>To separate it from VC6 we use OD's intelligent search (智能搜索), which reveals signatures unique to EPL-generated code and lets us tell the two apart.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602920671243-9cafc303-2088-4215-a117-8893d8fab5c0.png" alt="image.png" loading="lazy">The section characteristics are also the same as VC6.</p>
<h2 id="15delphi">1.5: Delphi</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602920815518-a718d05b-5fdd-44d2-9f8a-bbdb914cad90.png" alt="image.png" loading="lazy"></p>
<p>Section characteristics:<img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602920869812-f5f60437-1e81-4a0f-8257-4aaf7fdd0fc2.png" alt="image.png" loading="lazy"></p>
<p>Entry-point characteristics:</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602920860408-1737561b-f330-4031-ba6e-bdded2546fa4.png" alt="image.png" loading="lazy"></p>
<p>Stepping into the first call reveals a GetModuleHandle. (Packed programs also have this GetModuleHandle, so it is not on its own a reliable indicator.)</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602921416943-a56516d5-b453-4b95-a291-123fb06c54ee.png" alt="image.png" loading="lazy"></p>
<h2 id="16bc">1.6: BC++</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602922024458-a3d1f847-9d19-4052-84a7-68a42bd9189a.png" alt="image.png" loading="lazy"></p>
<p>Section characteristics:</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602922034536-4d3f068f-56a2-48ba-a5c4-465f2e504086.png" alt="image.png" loading="lazy"></p>
<p>Entry-point characteristics: a very large JMP, plus a GetModuleHandleA.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602922011613-5ea61adc-85a1-4071-9135-d53ca9e54c2c.png" alt="image.png" loading="lazy"></p>
<h2 id="17asm">1.7: ASM</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602924463377-cf4c6865-7c34-4526-adea-a77a94b39bda.png" alt="image.png" loading="lazy"></p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602924471658-bede74aa-8a38-47c2-8ffa-15bfbe7d8e3a.png" alt="image.png" loading="lazy"></p>
<p>The file is small and calls the system APIs directly.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602924490765-58d9f89a-15f9-4e8a-b94a-336db51c32f1.png" alt="image.png" loading="lazy"></p>
<h2 id="18net">1.8: .NET</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602924630902-071e1613-65ed-4f8f-97ff-8f3fd823e3dc.png" alt="image.png" loading="lazy"></p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602924639923-0f751895-48a2-49c7-8542-6bb041643ec4.png" alt="image.png" loading="lazy"></p>
<p>Dragging it into OD simply runs it; that is a characteristic in its own right. The newer OD does not ship the plugin needed here, so this could not be reproduced.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602924688171-23afddbb-6cda-43f5-ba9f-b3699b2bb280.png" alt="image.png" loading="lazy"></p>
<h2 id="19autolt">1.9: AutoIt</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602924771242-c3d7b41c-0dd9-4331-8ad9-ea65aa9d8ed0.png" alt="image.png" loading="lazy"></p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602924775757-2763947d-cfa5-4992-9e5b-4eeaa736f45b.png" alt="image.png" loading="lazy"></p>
<p>The entry-point characteristics closely resemble VS.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602924949418-70905562-3fde-4dce-a286-10ba11382bc9.png" alt="image.png" loading="lazy"></p>
<p>String search:</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602924999941-7f891674-8736-4bc7-9f6d-e05e4d66cbad.png" alt="image.png" loading="lazy"></p>
<h1 id="2加壳程序">2. Packed programs</h1>
<h2 id="21aspack壳">2.1: ASPack</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959058040-37e68522-15db-41c7-a085-01135b8f3117.png" alt="image.png" loading="lazy"></p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959092007-a0a46696-8a93-44ab-91fc-6e5104c33981.png" alt="image.png" loading="lazy"></p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959148940-729aafcc-c3c2-4d70-9659-9dca543b03cc.png" alt="image.png" loading="lazy"></p>
<h2 id="22upx壳">2.2: UPX</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959235492-da05ee67-6326-4814-a3a9-bf3c0de505e3.png" alt="image.png" loading="lazy"></p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959284303-a0e9f578-16fc-4557-bee8-2a794dad9e01.png" alt="image.png" loading="lazy"></p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959306473-bb172920-6bbd-474e-82e0-1203b6cadd25.png" alt="image.png" loading="lazy"></p>
<h2 id="23themida壳">2.3: Themida</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959378325-1220ab4d-2ab2-409a-9a64-526757d27cda.png" alt="image.png" loading="lazy"></p>
<p>Old-version entry point:</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959541515-689d19e9-bcf9-47e4-975a-fcf948482328.png" alt="image.png" loading="lazy"></p>
<p>New version:<img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959558684-06016950-5a45-4319-8bfc-a75216793e6f.png" alt="image.png" loading="lazy"></p>
<p>After passing through a few functions it jumps to the old-version entry point.</p>
<p>The section characteristics are not distinctive: the section names are random.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959627033-fc81847a-ad5c-49a8-aba6-a63a291a83b6.png" alt="image.png" loading="lazy"></p>
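<p>As an added example (not part of the original notes), the Python script below reads the PE section table and entry point and applies the section-name heuristics from sections 1.1, 1.2 and 2.3 above: exactly .text/.rdata/.data/.rsrc points to VC6 (or an EPL build, which the notes say is indistinguishable by sections alone), the same set plus .reloc points to VS2008/2013, and unrecognised or random-looking names are the Themida-style case that needs a closer look at the entry point. The sample images are constructed in memory with a minimal PE builder so the script runs offline; <code>build_pe</code>, <code>parse_pe</code> and <code>classify</code> are names chosen here, not tools from the notes.</p>

```python
import struct

VC6_SECTIONS = {".text", ".rdata", ".data", ".rsrc"}   # the four fixed VC6 sections
KNOWN_SECTIONS = VC6_SECTIONS | {".reloc"}             # VS2008/2013 adds .reloc

def parse_pe(pe: bytes) -> dict:
    """Return the entry-point RVA and the section table as (name, VirtualAddress, VirtualSize)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                   # e_lfanew -> NT headers
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = nt + 4                                                # COFF file header (20 bytes)
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]             # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]        # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, coff + 20 + 16)[0]      # AddressOfEntryPoint (PE32 and PE32+)
    table = coff + 20 + opt_size                                 # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        name, vsize, vaddr = struct.unpack_from("<8sII", pe, table + 40 * i)
        sections.append((name.split(b"\0", 1)[0].decode("ascii", "replace"), vaddr, vsize))
    return {"entry": entry, "sections": sections}

def classify(info: dict) -> str:
    """Apply the section-name heuristics from the notes; names alone cannot separate VC6 from EPL."""
    names = {n for n, _, _ in info["sections"]}
    ep_sec = next((n for n, va, vs in info["sections"] if va <= info["entry"] < va + vs), None)
    if names == VC6_SECTIONS:
        verdict = "VC6 layout (also EPL builds): confirm via the entry-point APIs in OD"
    elif names == KNOWN_SECTIONS:
        verdict = "VS2008/2013 layout (VC6 sections plus .reloc)"
    elif names - KNOWN_SECTIONS:
        verdict = "unrecognised section names %s: possibly packed (Themida-style random names) or another compiler" % sorted(names - KNOWN_SECTIONS)
    else:
        verdict = "subset of the VC6 layout: inspect the entry point"
    return f"{verdict}; EP RVA 0x{info['entry']:X} lies in section {ep_sec}"

def build_pe(section_names, entry_rva=0x1000) -> bytes:
    """Construct a minimal, non-runnable PE32 image with the given sections (constructed test input only)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 96, 0x102)
    opt = bytearray(96); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
                    for i, n in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs

if __name__ == "__main__":
    for layout in ([".text", ".rdata", ".data", ".rsrc"], [".text", ".rdata", ".data", ".rsrc", ".reloc"], ["xk9q", "2Lp"]):
        print(classify(parse_pe(build_pe(layout))))   # constructed samples; pass open(path, "rb").read() for a real file
```

<p>For a real sample, feed the file bytes to <code>parse_pe</code> and treat the verdict as a triage hint to be confirmed in the debugger, as the notes do.</p>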
<h2 id="24vmprotect壳">2.4: VMProtect</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959711096-3ff711f2-a7a2-4c87-96d3-def101e07a0d.png" alt="image.png" loading="lazy"></p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959730358-21942542-49f2-4d75-99bc-43cec96d5bd7.png" alt="image.png" loading="lazy"></p>
<p>Entry-point characteristics: the disassembly is a mess, with JMPs flying all over the place.</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959788764-d1aed403-bd1c-4abf-840d-5cf9ebb75a49.png" alt="image.png" loading="lazy"></p>
<h2 id="25shielden">2.5: Shielden</h2>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959877639-8b8d23ca-a004-4259-a7d3-17d6d97fc82b.png" alt="image.png" loading="lazy"></p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602959920142-d86a307b-25cd-4efb-b751-3fca04a6d2bc.png" alt="image.png" loading="lazy"></p>
<p>Press Ctrl+A to analyze the code, then follow two jmps to reach the figure below. Press Ctrl+A again to analyze the code there and a prompt appears!</p>
<p><img src="https://cdn.nlark.com/yuque/0/2020/png/630087/1602960111241-d2846033-8fe6-4b77-8ab9-719bec9121b0.png" alt="image.png" loading="lazy"></p>
Source: https://www.cnblogs.com/pupububu/p/14245990.html