*** PEid插件——Generic OEP Finder 原理分析 ***

本文详细分析了PEid插件Generic OEP Finder的实现原理,该插件通过读取PE文件映像并扫描特定语言的入口特征码来找到OEP。文章列举了使插件失效的多种方法,包括Stolen Code、双进程、父进程检测、Hook启动API等。同时,展示了特征码的代码片段,帮助读者理解其工作方式。
***    PEid插件——Generic OEP Finder 原理分析    ***

   PEid的这个小插件用了很久了,一直觉得功能不错,准确率也挺高的,自己在写壳的过程中也曾尝试避开其检测,但一直没有成功,于是抽了些时间看看它的实现原理,这才恍然大悟。
   下面是这个插件的导出函数(IDA 中显示为 Exported entry 1. DoMyJob):

10001870 ; Exported entry   1. DoMyJob
10001870
10001870 ; ************** S U B R O U T I N E *****************************************
10001870
10001870
10001870           public DoMyJob
10001870 DoMyJob   proc near
10001870
10001870 hWnd      = dword ptr  4
10001870 arg_4     = dword ptr  8
10001870 arg_8     = dword ptr  0Ch
10001870
10001870           mov   eax, [esp+arg_8]
10001874           push  ebx
10001875           push  esi
10001876           cmp   eax, 50456944h
1000187B           push  edi
1000187C           jz    short loc_10001889
1000187E           cmp   eax, 5852445Ah
10001883           jnz   loc_10001A81
10001889
10001889 loc_10001889:                           ; ...
10001889           mov   ebx, [esp+0Ch+arg_4]
1000188D           or    ecx, 0FFFFFFFFh
10001890           mov   ediebx
10001892           xor   eaxeax
10001894           repne scasb
10001896           not   ecx
10001898           dec   ecx
10001899           cmp   ecx, 1
1000189C           jnb   short loc_100018BE
1000189E           mov   eax, [esp+0Ch+hWnd]
100018A2           push  40000h                  ; uType
100018A7           push  offset szError          ; lpCaption
100018AC           push  offset szNoFileSpecifie ; lpText
100018B1           push  eax                     ; hWnd
100018B2           call  ds:MessageBoxA
100018B8           pop   edi
100018B9           pop   esi
100018BA           xor   eaxeax
100018BC           pop   ebx
100018BD           retn
100018BE ; ----------------------------------------------------------------------------
100018BE
100018BE loc_100018BE:                           ; ...
100018BE           push  0                       ; hTemplateFile
100018C0           push  80h                     ; dwFlagsAndAttributes
100018C5           push  3                       ; dwCreationDisposition
100018C7           push  0                       ; lpSecurityAttributes
100018C9           push  1                       ; dwShareMode
100018CB           push  80000000h               ; dwDesiredAccess
100018D0           push  ebx                     ; lpFileName
100018D1           call  ds:CreateFileA
100018D7           cmp   eax, 0FFFFFFFFh
100018DA           mov   ds:hObject, eax
100018DF           jnz   short loc_10001908
100018E1           push  eax                     ; hObject
100018E2           call  ds:CloseHandle
100018E8           mov   ecx, [esp+0Ch+hWnd]
100018EC           push  40000h                  ; uType
100018F1           push  offset szError          ; lpCaption
100018F6           push  offset szCouldNotOpenTh ; lpText
100018FB           push  ecx                     ; hWnd
100018FC           call  ds:MessageBoxA
10001902           pop   edi
10001903           pop   esi
10001904           xor   eaxeax
10001906           pop   ebx
10001907           retn
10001908 ; ----------------------------------------------------------------------------
10001908
10001908 loc_10001908:                           ; ...
10001908           push  0                       ; lpName
1000190A           push  0                       ; dwMaximumSizeLow
1000190C           push  0                       ; dwMaximumSizeHigh
1000190E           push  2                       ; flProtect
10001910           push  0                       ; lpFileMappingAttributes
10001912           push  eax                     ; hFile
10001913           call  ds:CreateFileMappingA
10001919           push  0                       ; dwNumberOfBytesToMap
1000191B           push  0                       ; dwFileOffsetLow
1000191D           mov   edieax
1000191F           push  0                       ; dwFileOffsetHigh
10001921           push  4                       ; dwDesiredAccess
10001923           push  edi                     ; hFileMappingObject
10001924           call  ds:MapViewOfFile
1000192A           mov   esieax
1000192C           test  esiesi
1000192E           jnz   short MapViewCreated
10001930           mov   edxds:hObject
10001936           mov   esids:CloseHandle
1000193C           push  edx                     ; hObject
1000193D           call  esi ; CloseHandle
1000193F           push  edi                     ; hObject
10001940           call  esi ; CloseHandle
10001942           mov   eax, [esp+0Ch+hWnd]
10001946           push  40000h                  ; uType
1000194B           push  offset szError          ; lpCaption
10001950           push  offset szMappingError__ ; lpText
10001955           push  eax                     ; hWnd
10001956           call  ds:MessageBoxA
1000195C           pop   edi
1000195D           pop   esi
1000195E           xor   eaxeax
10001960           pop   ebx
10001961           retn
10001962 ; ----------------------------------------------------------------------------
10001962
10001962 MapViewCreated:                         ; ...
10001962           mov   ds:lpFileHeader, esi
10001968           cmp   word ptr [esi], 5A4Dh   ; 是否为可执行文件
1000196D           jz    short IsExeFile
1000196F           mov   ecxds:hObject
10001975           mov   esids:CloseHandle
1000197B           push  ecx                     ; hObject
1000197C           call  esi ; CloseHandle
1000197E           push  edi                     ; hObject
1000197F           call  esi ; CloseHandle