C++入口特征（以下各段都是在 OllyDbg 中观察到的入口代码。这类特征只对未加壳、使用编译器默认入口的程序有效；加壳或自定义入口点的程序要先定位真正的入口再比对。）
00408027 >/$ 55 push ebp 00408028 |. 8BEC mov ebp,esp 0040802A |. 6A FF push -0x1 0040802C |. 68 F0F14000 push C++.0040F1F0 00408031 |. 68 84AF4000 push C++.0040AF84 ; SE 处理程序安装 00408036 |. 64:A1 00000000 mov eax,dword ptr fs:[0] 0040803C |. 50 push eax 0040803D |. 64:8925 000000>mov dword ptr fs:[0],esp 00408044 |. 83EC 58 sub esp,0x58 00408047 |. 53 push ebx 00408048 |. 56 push esi 00408049 |. 57 push edi ; ntdll.7C930228 0040804A |. 8965 E8 mov [local.6],esp 0040804D |. FF15 E4F04000 call dword ptr ds:[<&KERNEL32.GetVersion>; kernel32.GetVersion 00408053 |. 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet 00408055 |. 8AD4 mov dl,ah 00408057 |. 8915 D06B4100 mov dword ptr ds:[0x416BD0],edx ; ntdll.KiFastSystemCallRet 0040805D |. 8BC8 mov ecx,eax 0040805F |. 81E1 FF000000 and ecx,0xFF 00408065 |. 890D CC6B4100 mov dword ptr ds:[0x416BCC],ecx 0040806B |. C1E1 08 shl ecx,0x8
C++ 入口特征 API：GetVersion。入口先安装 SE 处理程序（push -1 / push 处理程序地址 / 读写 fs:[0]），随后调用 GetVersion 并把返回值拆开保存：高字节 AH 存入 [0x416BD0]，低字节（EAX & 0xFF）存入 [0x416BCC]。查找字符串时使用 ASCII 码；查找按钮事件时搜索命令 SUB EAX,0A。
汇编的入口 0040285E >/$ 6A 00 push 0x0 ; /pModule =NULL 00402860 |. E8 970B0000 call <jmp.&kernel32.GetModuleHandleA> ; \GetModuleHandleA 00402865 |. A3 28544000 mov dword ptr ds:[0x405428],eax 0040286A |. E8 F50C0000 call <jmp.&comctl32.InitCommonControls> ; [InitCommonControls 0040286F |. 68 9D334000 push 汇编.0040339D ; /pTopLevelFilter = 汇编.0040339D 00402874 |. E8 F50B0000 call <jmp.&kernel32.SetUnhandledExceptio>; \SetUnhandledExceptionFilter 00402879 |. 6A 00 push 0x0 ; /lParam = NULL 0040287B |. 68 96284000 push 汇编.00402896 ; |DlgProc = 汇编.00402896 00402880 |. 6A 00 push 0x0 ; |hOwner = NULL 00402882 |. 6A 65 push 0x65 ; |pTemplate = 65 00402884 |. FF35 28544000 push dword ptr ds:[0x405428] ; |hInst = NULL 0040288A |. E8 4B0C0000 call <jmp.&user32.DialogBoxParamA> ; \DialogBoxParamA 0040288F |. 6A 00 push 0x0 ; /ExitCode = 0 00402891 \. E8 480B0000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
汇编程序的入口特征 API：GetModuleHandleA。入口流程为 GetModuleHandleA → InitCommonControls → SetUnhandledExceptionFilter → DialogBoxParamA → ExitProcess。注意 DialogBoxParamA 参数注释里的“hInst = NULL”是 OllyDbg 静态分析时读到的值，实际压入的是前面保存在 [0x405428] 的模块句柄。查找字符串时使用 ASCII 码。
易语言入口特征 004464D1 >/$ 55 push ebp 004464D2 |. 8BEC mov ebp,esp 004464D4 |. 6A FF push -0x1 004464D6 |. 68 B0C14600 push 易语言.0046C1B0 004464DB |. 68 DCAC4400 push 易语言.0044ACDC ; SE 处理程序安装 004464E0 |. 64:A1 0000000>mov eax,dword ptr fs:[0] 004464E6 |. 50 push eax 004464E7 |. 64:8925 00000>mov dword ptr fs:[0],esp 004464EE |. 83EC 58 sub esp,0x58 004464F1 |. 53 push ebx 004464F2 |. 56 push esi 004464F3 |. 57 push edi ; ntdll.7C930228 004464F4 |. 8965 E8 mov [local.6],esp 004464F7 |. FF15 98514600 call dword ptr ds:[<&KERNEL32.GetVersion>; kernel32.GetVersion 004464FD |. 33D2 xor edx,edx ; ntdll.KiFastSystemCallRet
易语言入口特征 API：GetVersion。注意这段入口代码与上面 C++ 的入口几乎逐条相同（同样先安装 SE 处理程序再调用 GetVersion），因此仅凭入口代码不能把易语言和 C++ 程序区分开，需要结合其他特征判断。
VC8入口特征 00403A30 > $ E8 6E270000 call VC8.004061A3 00403A35 .^ E979FEFFFF jmp VC8.004038B3 00403A3A /$ 55 push ebp 00403A3B |. 8BEC mov ebp,esp 00403A3D |. 83EC 08 sub esp,0x8 00403A40 |. 897D FC mov [local.1],edi ; ntdll.7C930228 00403A43 |. 8975 F8 mov [local.2],esi 00403A46 |. 8B75 0C mov esi,[arg.2] 00403A49 |. 8B7D 08 mov edi,[arg.1] ; VC8.<ModuleEntryPoint> 00403A4C |. 8B4D 10 mov ecx,[arg.3] 00403A4F |. C1E9 07 shr ecx,0x7
VC8 入口特征 API：GetStartupInfoW。入口点是一个 call 后接 jmp 的跳板，上面片段里看不到 GetStartupInfoW 本身，需要跟进入口处的 call 才能找到。查找字符串时使用 Unicode 码；查找按钮事件时搜索命令 SUB EAX,0A。
VB入口特征 00401978 .- FF2518114000 jmp dword ptr ds:[<&MSVBVM60.#613>] ; msvbvm60.rtcVarStrFromVar 0040197E .- FF2584104000 jmp dword ptr ds:[<&MSVBVM60.__vbaVarTst>; msvbvm60.__vbaVarTstEq 00401984 .- FF257C104000 jmp dword ptr ds:[<&MSVBVM60.#528>] ; msvbvm60.rtcUpperCaseVar 0040198A .- FF25A8104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>; msvbvm60.EVENT_SINK_QueryInterface 00401990 .- FF2578104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>; msvbvm60.EVENT_SINK_AddRef 00401996 .- FF259C104000 jmp dword ptr ds:[<&MSVBVM60.EVENT_SINK_>; msvbvm60.EVENT_SINK_Release 0040199C $- FF2508114000 jmp dword ptr ds:[<&MSVBVM60.#100>] ; msvbvm60.ThunRTMain 004019A2 00 db 00 004019A3 00 db 00 004019A4 > $ 68 5C284000 push VB.0040285C ; ASCII "VB5!6&vb6chs.dll" 004019A9 . E8 EEFFFFFF call <jmp.&MSVBVM60.#100> 004019AE . 0000 add byte ptr ds:[eax],al 004019B0 . 0000 add byte ptr ds:[eax],al 004019B2 . 0000 add byte ptr ds:[eax],al 004019B4 . 3000 xor byte ptr ds:[eax],al 004019B6 . 0000 add byte ptr ds:[eax],al
VB 入口特征 API：ThunRTMain（MSVBVM60.#100）。真正的入口在 004019A4：把指向 “VB5!6&vb6chs.dll” 签名结构的指针压栈后立即调用 ThunRTMain，这个 ASCII 签名本身也是识别 VB 程序的可靠特征；call 之后那些 add byte ptr 看起来是 OllyDbg 把数据误解码成的指令，不是代码。查找时采用二进制字符串 81 6C 24 04 ?? 00 00 00，解码后即 `sub dword ptr [esp+4], imm32`（?? 为该立即数的低字节）。
Delphi入口特征
0045D408 > $ 55 push ebp 0045D409 . 8BEC mov ebp,esp 0045D40B . 83C4 F0 add esp,-0x10 0045D40E . B8 28D24500 mov eax,DELPHI.0045D228 0045D413 . E8 6088FAFF call DELPHI.00405C78 0045D418 . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C] 0045D41D . 8B00 mov eax,dword ptr ds:[eax] 0045D41F . E8 08DFFFFF call DELPHI.0045B32C 0045D424 . 8B0D 40F24500 mov ecx,dword ptr ds:[0x45F240] ; DELPHI.00460C04 0045D42A . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C] 0045D42F . 8B00 mov eax,dword ptr ds:[eax] 0045D431 . 8B15 CCC84500 mov edx,dword ptr ds:[0x45C8CC] ; DELPHI.0045C918 0045D437 . E8 08DFFFFF call DELPHI.0045B344 0045D43C . A1 4CF14500 mov eax,dword ptr ds:[0x45F14C] 0045D441 . 8B00 mov eax,dword ptr ds:[eax] 0045D443 . E8 7CDFFFFF call DELPHI.0045B3C4 0045D448 . E8 2769FAFF call DELPHI.00403D74 0045D44D . 8D40 00 lea eax,dword ptr ds:[eax]
Delphi 入口特征 API：GetModuleHandleA（上面片段中未直接显示，推测在入口处 `mov eax,DELPHI.0045D228` 之后调用的初始化例程内）。入口本身的特征是 `add esp,-0x10` 开栈，然后反复取 [0x45F14C] 指向的对象并调用几个例程。查找按钮事件：右键 → 查找 → 查找二进制字符串 74 0E 8B D3 8B 83 ?? ?? ?? ?? FF 93 ?? ?? ?? ??，解码后依次为 `je short +0x0E`、`mov edx,ebx`、`mov eax,[ebx+disp32]`、`call dword ptr [ebx+disp32]`。
|