dumbug User Manual (so easy)

The dumbug command line is used as follows:

C:\>dumbug
Usage: dumbug <[PID]|filename.exe> [<trace.def>] [<traceout.txt>]

Notes:

1. PID or filename.exe: either one, a process ID to attach to or the full path of an executable to launch

2. trace.def: the trace definition file, which contains the prototypes of the APIs to be traced

3. traceout.txt: the trace output file, which contains the APIs that were hit and the addresses from which each API was called

Here is an example to show how it works:

First, enter the command line:

C:\>dumbug myunpack.exe example.trace myresult.txt


Let's look at the contents of the example.trace file:

//
// Example trace file for (dum(b)ug) tracer
//

int __cdecl recv( [in] int socket, [both] char * buf, [in] int len, [in] int flags );
int sprintf( [out] char * buf, [in] fmtchar * format );
int swprintf( [out] wchar *buffer, [in] fmtwchar *format);
int vsprintf( [out] char *buffer, [in] fmtchar *format, [in] void * argptr );
char  * strcpy( [out] char *dest, [in] char *Src );
wchar * wcscpy( [out] wchar *dest, [in] wchar *Src );
char  * strcat( [out] char *dest, [in] char *src);
wchar * wcscat( [out] wchar *dest, [in] wchar *src);

int system([in] char *command);

//
// trace definitions for forking processes
//
int CreateProcessA( 
	[in] char * lpApplicationName,
	[in] char * lpCommandLine,
	[in] void * lpProcAttr,
	[in] void * lpThreadAttr,
	[in] int    bInherit,
	[in] int    dwFlags,
	[in] void * lpEnv,
	[in] char * lpCurrentDir,
	[in] void * lpStartup,
	[out]void * lpProcInfo
);

int CreateProcessAsUserA( 
	[in] int	hToken,
	[in] char * lpApplicationName,
	[in] char * lpCommandLine,
	[in] void * lpProcAttr,
	[in] void * lpThreadAttr,
	[in] int    bInherit,
	[in] int    dwFlags,
	[in] void * lpEnv,
	[in] char * lpCurrentDir,
	[in] void * lpStartup,
	[out]void * lpProcInfo
);

int MessageBoxA(
  [in] int hWnd,
  [in] char * lpText,
  [in] char * lpCaption,
  [in] int  uType
);
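As an added example that is not part of dumbug or the original post, here is a small parser for the trace-definition syntax shown above: it skips `//` comment lines, accepts prototypes spanning several lines, drops calling-convention keywords such as `__cdecl`, and records each parameter's `[in]`/`[out]`/`[both]` direction, which is what tells a tracer whether a buffer must be dumped again after the call returns. The names `parse_trace_def`, `Proto`, `Param`, `post_call_params` and the embedded sample are constructed here, not taken from the tool.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the trace.def syntax (a subset of example.trace above).
EXAMPLE_TRACE = """\
//
// Example trace file for (dum(b)ug) tracer
//
int __cdecl recv( [in] int socket, [both] char * buf, [in] int len, [in] int flags );
char  * strcpy( [out] char *dest, [in] char *Src );
int MessageBoxA(
  [in] int hWnd,
  [in] char * lpText,
  [in] char * lpCaption,
  [in] int  uType
);
"""

@dataclass
class Param:
    direction: str   # "in", "out" or "both"
    ctype: str       # e.g. "int", "char *", "fmtchar *"
    name: str

@dataclass
class Proto:
    ret: str
    name: str
    params: List[Param] = field(default_factory=list)

# "[dir] type name": type is captured lazily, the name is the last identifier.
_PARAM_RE = re.compile(r"\[(in|out|both)\]\s*(.+?)\s*(\w+)\s*$")
# "ret name( params );" where params may span several lines (re.S).
_PROTO_RE = re.compile(r"([\w\s\*]+?)\s*\(\s*(.*?)\s*\)\s*;", re.S)

def strip_comments(text: str) -> str:
    """Remove lines that start with // (comment lines in the trace file)."""
    return "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))

def parse_trace_def(text: str) -> List[Proto]:
    """Parse every prototype in a trace definition file into Proto records."""
    protos = []
    for m in _PROTO_RE.finditer(strip_comments(text)):
        head = [t for t in m.group(1).split() if not t.startswith("__")]  # drop __cdecl etc.
        name, ret = head[-1], " ".join(head[:-1])
        params = []
        for raw in (p.strip() for p in m.group(2).split(",") if p.strip()):
            pm = _PARAM_RE.match(raw)
            if not pm:
                raise ValueError(f"bad parameter in {name}: {raw!r}")
            params.append(Param(pm.group(1), pm.group(2).strip(), pm.group(3)))
        protos.append(Proto(ret, name, params))
    return protos

def post_call_params(proto: Proto) -> List[str]:
    """Names of parameters a tracer must re-read at return ([out] or [both])."""
    return [p.name for p in proto.params if p.direction in ("out", "both")]
```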


Next, let's look at what the console prints after the command runs:

Debugger [INFO] Process 6136 (myunpack.exe) loaded
Tracer [INFO] 12 function trace definitions loaded from example.trace
=============================================================
(dum(b)ug) demo v0.3 (tracer/fork)
[q] Quit  [I] Imports  [E] Exports  [M] MemoryMap  [T] Traces
[1]-[0] Log Level (1-5 Debugger, 6-9 Tracer, 1/6 = LOG_DEBUG)
=============================================================
Debugger [INFO] attached to process 6136 (myunpack.exe, proc handle C8, main thread handle C4)
Debugger [INFO] Debugger::run(): Loaded and parsed main image (myunpack.exe)
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module ntdll.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module KERNEL32.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module KERNELBASE.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module USER32.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module GDI32.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module LPK.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module USP10.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module msvcrt.dll
[--initial--] Breakpoint - activating traces
Tracer [ERROR] ActivateTraces(): Function recv not found
Tracer [INFO] Tracing for ntdll.dll:sprintf (7763A449) activated
Tracer [INFO] Tracing for msvcrt.dll:sprintf (76E8D354) activated
Tracer [INFO] Tracing for ntdll.dll:swprintf (77639D98) activated
Tracer [INFO] Tracing for msvcrt.dll:swprintf (76E9E87C) activated
Tracer [INFO] Tracing for ntdll.dll:vsprintf (7763A66F) activated
Tracer [INFO] Tracing for msvcrt.dll:vsprintf (76EE769F) activated
Tracer [INFO] Tracing for ntdll.dll:strcpy (775A5360) activated
Tracer [INFO] Tracing for msvcrt.dll:strcpy (76E88D6E) activated
Tracer [INFO] Tracing for ntdll.dll:wcscpy (77572DEA) activated
Tracer [INFO] Tracing for msvcrt.dll:wcscpy (76E8D4F8) activated
Tracer [INFO] Tracing for ntdll.dll:strcat (775A5370) activated
Tracer [INFO] Tracing for msvcrt.dll:strcat (76E88D75) activated
Tracer [INFO] Tracing for ntdll.dll:wcscat (7763A68E) activated
Tracer [INFO] Tracing for msvcrt.dll:wcscat (76EF0ECE) activated
Tracer [INFO] Tracing for msvcrt.dll:system (76ECB177) activated
Tracer [INFO] Tracing for KERNEL32.dll:CreateProcessA (77002082) activated
Tracer [ERROR] ActivateTraces(): Function CreateProcessAsUserA not found
Tracer [INFO] Tracing for USER32.dll:MessageBoxA (75D9EA11) activated
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module IMM32.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module MSCTF.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module nvinit.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module ADVAPI32.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module SECHOST.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module RPCRT4.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module UxTheme.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module safemon.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module SHELL32.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module SHLWAPI.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module ole32.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module OLEAUT32.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module PSAPI.DLL
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module VERSION.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module WININET.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module Normaliz.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module iertutil.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module urlmon.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module WS2_32.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module NSI.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module dwmapi.dll
PEfile [ERROR] Unknown CodeView Signature
Debugger [INFO] Debugger::run(): Loaded and parsed module CRYPTBASE.dll
Debugger [INFO] Process exit, code 0
Debuggee terminated, doing the same
Dumping 1 results...


Finally, let's look at the myresult.txt file:

Thu Aug 16 10:48:19 2012
Trace results:


------------------------------------------------------
0040103E -> MessageBoxA(
	int             hWnd = 0 (unsigned = 0 / hex = 0),
	char*         lpText = [0042201C] = "hello world!" in main image (.text),
	char*      lpCaption = [0042202C] = "MyUnpack" in main image (.text),
	int            uType = 0 (unsigned = 0 / hex = 0),
       1 << MessageBoxA(
	int             hWnd = 0 (unsigned = 0 / hex = 0),
	char*         lpText = [0042201C] = "",
	char*      lpCaption = [0042202C] = "",
	int            uType = 0 (unsigned = 0 / hex = 0)
);


so easy

