[NOTE]很搓的逆一下GetStartupInfoW
【文章作者】: [UnPacKcN]XuZheNg【作者邮箱】: xuzheng1111@126.com
【作者主页】: http://hi.baidu.com/xuzheng1111
【软件名称】: 恕在下保护作者利益不公布了
【作者声明】: 只是感兴趣,没有其他目的。菜鸟之作(写给菜鸟观看),高手飘过,不许BS。失误之处敬请诸位大侠赐教
------------------------------------------------------------------------------------------------------------
估计高手们没谁愿意逆这么搓的函数,干脆我来搞一下算了,顺便揭秘一下STARTUPINFOW中间的保留字
首先是结构声明〉〉
typedef struct _STARTUPINFO {
DWORD cb;
LPTSTR lpReserved;
LPTSTR lpDesktop;
LPTSTR lpTitle;
DWORD dwX;
DWORD dwY;
DWORD dwXSize;
DWORD dwYSize;
DWORD dwXCountChars;
DWORD dwYCountChars;
DWORD dwFillAttribute;
DWORD dwFlags;
WORD wShowWindow;
WORD cbReserved2;
LPBYTE lpReserved2;
HANDLE hStdInput;
HANDLE hStdOutput;
HANDLE hStdError;
} STARTUPINFO,
*LPSTARTUPINFO;
其实STARTUPINFOW中间的内容是由PEB中间的_RTL_USER_PROCESS_PARAMETERS结构里面的对应参数来填充的。
ASM code:
7C801E54 >8BFF mov edi, edi
7C801E56 55 push ebp
7C801E57 8BEC mov ebp, esp
7C801E59 64:A1 18000000mov eax, dword ptr fs:[18] ; 取TEB地址
7C801E5F 8B40 30 mov eax, dword ptr ds:[eax+30] ; 取PEB地址
7C801E62 8B48 10 mov ecx, dword ptr ds:[eax+10]
7C801E65 8B45 08 mov eax, dword ptr ss:[ebp+8]
7C801E68 C700 44000000 mov dword ptr ds:[eax], 44
7C801E6E 8B91 84000000 mov edx, dword ptr ds:[ecx+84]
7C801E74 8950 04 mov dword ptr ds:[eax+4], edx
7C801E77 8B51 7C mov edx, dword ptr ds:[ecx+7C]
7C801E7A 8950 08 mov dword ptr ds:[eax+8], edx
7C801E7D 8B51 74 mov edx, dword ptr ds:[ecx+74]
7C801E80 8950 0C mov dword ptr ds:[eax+C], edx
7C801E83 8B51 4C mov edx, dword ptr ds:[ecx+4C]
7C801E86 8950 10 mov dword ptr ds:[eax+10], edx
7C801E89 8B51 50 mov edx, dword ptr ds:[ecx+50]
7C801E8C 8950 14 mov dword ptr ds:[eax+14], edx
7C801E8F 8B51 54 mov edx, dword ptr ds:[ecx+54]
7C801E92 8950 18 mov dword ptr ds:[eax+18], edx
7C801E95 8B51 58 mov edx, dword ptr ds:[ecx+58]
7C801E98 8950 1C mov dword ptr ds:[eax+1C], edx
7C801E9B 8B51 5C mov edx, dword ptr ds:[ecx+5C]
7C801E9E 8950 20 mov dword ptr ds:[eax+20], edx
7C801EA1 8B51 60 mov edx, dword ptr ds:[ecx+60]
7C801EA4 8950 24 mov dword ptr ds:[eax+24], edx
7C801EA7 8B51 64 mov edx, dword ptr ds:[ecx+64]
7C801EAA 8950 28 mov dword ptr ds:[eax+28], edx
7C801EAD 8B51 68 mov edx, dword ptr ds:[ecx+68]
7C801EB0 8950 2C mov dword ptr ds:[eax+2C], edx
7C801EB3 F640 2D 07 test byte ptr ds:[eax+2D], 7
7C801EB7 66:8B51 6C mov dx, word ptr ds:[ecx+6C]
7C801EBB 66:8950 30 mov word ptr ds:[eax+30], dx
7C801EBF 66:8B91 8800000>mov dx, word ptr ds:[ecx+88]
7C801EC6 66:8950 32 mov word ptr ds:[eax+32], dx
7C801ECA 8B91 8C000000 mov edx, dword ptr ds:[ecx+8C]
7C801ED0 8950 34 mov dword ptr ds:[eax+34], edx
7C801ED3 75 04 jnz short kernel32.7C801ED9
7C801ED5 5D pop ebp
7C801ED6 C2 0400 retn 4
7C801ED9 8B51 18 mov edx, dword ptr ds:[ecx+18]
7C801EDC 8950 38 mov dword ptr ds:[eax+38], edx
7C801EDF 8B51 1C mov edx, dword ptr ds:[ecx+1C]
7C801EE2 8950 3C mov dword ptr ds:[eax+3C], edx
7C801EE5 8B49 20 mov ecx, dword ptr ds:[ecx+20]
7C801EE8 8948 40 mov dword ptr ds:[eax+40], ecx
7C801EEB^ EB E8 jmp short kernel32.7C801ED5
然后是C码(VS2008 + WinXp sp3编译执行验证通过):
声明等等自己写...
VOID WINAPI XzGetStartupInfoW(
__out LPSTARTUPINFO lpStartupInfo
)
{
// Get _RTL_USER_PROCESS_PARAMETERS structure
PRTL_USER_PROCESS_PARAMETERS prtlUserProcessParameteters;
__asm{
mov eax,fs:[0x18]
mov eax,dword ptr ds:[eax+0x30]
mov ecx,dword ptr ds:[eax+0x10]
mov prtlUserProcessParameteters,ecx
}
lpStartupInfo->cb = 0x44;
lpStartupInfo->lpReserved = prtlUserProcessParameteters->ShellInfo.Buffer;
lpStartupInfo->lpDesktop = prtlUserProcessParameteters->DesktopInfo.Buffer;
lpStartupInfo->lpTitle = prtlUserProcessParameteters->WindowTitle.Buffer;
lpStartupInfo->dwX = prtlUserProcessParameteters->StartingX;
lpStartupInfo->dwY = prtlUserProcessParameteters->StartingY;
lpStartupInfo->dwXSize = prtlUserProcessParameteters->CountX;
lpStartupInfo->dwYSize = prtlUserProcessParameteters->CountY;
lpStartupInfo->dwXCountChars = prtlUserProcessParameteters->CountCharsX;
lpStartupInfo->dwYCountChars = prtlUserProcessParameteters->CountCharsY;
lpStartupInfo->dwFillAttribute = prtlUserProcessParameteters->FillAttribute;
lpStartupInfo->dwFlags = prtlUserProcessParameteters->WindowFlags;
lpStartupInfo->wShowWindow = prtlUserProcessParameteters->ShowWindowFlags;
lpStartupInfo->cbReserved2 = prtlUserProcessParameteters->RuntimeData.Length;
lpStartupInfo->lpReserved2 = (LPBYTE)prtlUserProcessParameteters->RuntimeData.Buffer;
if((lpStartupInfo->dwFlags & STARTF_USESTDHANDLES))
{
lpStartupInfo->hStdInput = prtlUserProcessParameteters->StandardInput;
lpStartupInfo->hStdOutput = prtlUserProcessParameteters->StandardOutput;
lpStartupInfo->hStdError = prtlUserProcessParameteters->StandardError;
}
}
看到代码,很明显,第一个保留字lpReserved 其实就是ShellInfo(Shell信息)
第二个保留字cbReserved2 就是RuntimeData的长度,
第三个保留字lpReserved2 就是RuntimeData的内容。
最后,代码截图:
[ 本帖最后由 XuZhenG 于 2009-1-29 22:33 编辑 ] 【软件名称】: 恕在下保护作者利益不公布了
为啥这样说呢?
不是微软的吗? 复制我自己其他文章的,没想起来改... _STARTUPINFO 这个结构也是你逆出来的吗?
对逆向工程探秘那本书上的例子影响很深刻啊:D 高手
学习了:)
回复 4# zapline 的帖子
_STARTUPINFOW结构在Windows SDK中间有声明... 强大 学习!
页:
[1]