<P class=MsoNormal><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">加殼往往是實(shí)現(xiàn)對(duì)原</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的節(jié)數(shù)據(jù)加密����、壓縮��,若能加殼的同時(shí)���,讓加殼后的程序調(diào)用殼中的某些子程序,那加殼強(qiáng)度大大增加�。這樣處理后,即使脫掉了殼��,程序執(zhí)行也肯定不正常�,因?yàn)槊摎さ耐瑫r(shí)也將這些子程序脫掉了!</SPAN><SPAN lang=EN-US> </SPAN></P>% E* P# }3 i) n- W
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">怎樣實(shí)現(xiàn)呢�?作為探討性的介紹����,還是搞一個(gè)最基本的來(lái)說(shuō)(假設(shè)現(xiàn)在您已經(jīng)會(huì)寫</SPAN><SPAN lang=EN-US>PE-exe</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">、</SPAN><SPAN lang=EN-US>PE-dll</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">等</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">加殼程序):</SPAN><SPAN lang=EN-US> </SPAN></P>
- U, ^3 ]' B9 A3 Y% t7 v, J<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">我的實(shí)現(xiàn)是這樣的:作為一個(gè)</SPAN><SPAN lang=EN-US>PE</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">文件�����,多多少少程序中會(huì)有</SPAN><SPAN lang=EN-US>mov eax,1</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">或</SPAN><SPAN lang=EN-US>mov eax,0</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的語(yǔ)句����,就是從這里開刀�����,因?yàn)?lt;/SPAN><SPAN lang=EN-US>mov eax,xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">這樣的指令長(zhǎng)度正好與</SPAN><SPAN lang=EN-US>Call xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">指令的長(zhǎng)度一樣�,處理起來(lái)相對(duì)簡(jiǎn)單���。在加殼程序加殼時(shí)��,查找這些語(yǔ)句統(tǒng)統(tǒng)換成:</SPAN><SPAN lang=EN-US> </SPAN></P>( K4 T% u# l6 s
<P class=MsoNormal><SPAN lang=EN-US>call shellSub </SPAN></P>
9 E+ h& e, g! Q<P class=MsoNormal><SPAN lang=EN-US>// </SPAN></P>
/ c ~+ f7 C3 {4 L<P class=MsoNormal><SPAN lang=EN-US>shellSub</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">實(shí)現(xiàn)如下:</SPAN><SPAN lang=EN-US> </SPAN></P>$ j" H3 c( Q$ K
<P class=MsoNormal><SPAN lang=EN-US>shellSub() </SPAN></P>( B6 z; v9 {1 Z, }
<P class=MsoNormal><SPAN lang=EN-US>{ </SPAN></P>+ D7 g! Q( Y5 ]$ ~' E4 g0 r8 a
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN>mov eax,1 </SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">或</SPAN><SPAN lang=EN-US> mov eax,0 </SPAN></P>/ u0 S8 Z/ c: p+ i6 z( q' a( r
<P class=MsoNormal><SPAN lang=EN-US>} </SPAN></P>4 W; \7 R) ]8 d7 |) M6 V6 r
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">當(dāng)然��,這里有個(gè)問(wèn)題是怎樣計(jì)算這個(gè)</SPAN><SPAN lang=EN-US>Call xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">�,其實(shí)想一想也很簡(jiǎn)單��,加殼時(shí)候我們已經(jīng)計(jì)算出了外殼程序的入口</SPAN><SPAN lang=EN-US>RVA</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">�,只要以這個(gè)</SPAN><SPAN lang=EN-US>RVA</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">為基準(zhǔn),就可以得到</SPAN><SPAN lang=EN-US>:(shellSub</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>RVA)-(mov eax,1</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的</SPAN><SPAN lang=EN-US>RVA)</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的差值����,這個(gè)差值再減去</SPAN><SPAN lang=EN-US>5</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">(</SPAN><SPAN lang=EN-US>Call</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">的指令長(zhǎng)度)就是</SPAN><SPAN lang=EN-US>xxxxxxxx</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">。</SPAN><SPAN lang=EN-US> </SPAN></P>1 W0 U1 a3 L0 z* B6 z" ]
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">這里僅僅拋磚引玉的介紹了最基本的方法�����,其實(shí)通過(guò)變化�,可以對(duì)原程序的很多特定語(yǔ)句實(shí)現(xiàn)改成調(diào)用外殼中不同的</SPAN><SPAN lang=EN-US>sub</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">���,大大增加了外殼的保密強(qiáng)度。</SPAN><SPAN lang=EN-US> </SPAN></P> _' F8 K- z# Y; P2 i. G) @6 x
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">這樣處理后�,可想而知,脫殼后的運(yùn)行情況:</SPAN><SPAN lang=EN-US>Windows</SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">錯(cuò)誤����,某個(gè)地址不能為讀或?qū)憽?��。呵呵����,要的就是這個(gè)效果?���。�����?�!</SPAN><SPAN lang=EN-US> </SPAN></P>) O( s: l' X; l5 s8 B4 P& k. [
<P class=MsoNormal><SPAN lang=EN-US><SPAN style="mso-spacerun: yes"> </SPAN></SPAN><SPAN style="FONT-FAMILY: 宋體; mso-ascii-font-family: 'Times New Roman'; mso-hansi-font-family: 'Times New Roman'">錯(cuò)誤之處���,懇請(qǐng)各位高手指正�����!</SPAN><SPAN lang=EN-US> </SPAN></P> |
發(fā)表于 2008-9-28 16:31:53
QQ好友和群
QQ空間
提升卡
置頂卡
沉默卡
喧囂卡
變色卡
顯身卡