c#的反汇编对抗

前记

随便编写一个c#调用winapi并用vs生成dll,同时用csc生成exe

using System;
using System.Runtime.InteropServices;
namespace coleak
{
    class winfun
    {
        [DllImport("User32.dll")]
        public static extern int MessageBox(IntPtr h, string m, string c, uint type);
        [DllImport("kernel32.dll", EntryPoint = "Beep")]
        public static extern bool mymethod(uint frequency, uint duration);
    }
        class Program
    {
            static void Main(string[] args)
            {
            winfun winfun = new winfun();
            winfun.MessageBox((IntPtr)0, "yueyy", "coleak",(uint) 0);
            Random random = new Random();
            for (int i = 0; i < 10000; i++)
            {
                winfun.mymethod((uint)random.Next(10000), 100);
            }
            Console.ReadLine();
            }
    }
}
/*BOOL Beep(
DWORD dwFreq,
DWORD dwDuration
);
int MessageBox(
  [in, optional] HWND hWnd,
  [in, optional] LPCTSTR lpText,
  [in, optional] LPCTSTR lpCaption,
  [in] UINT uType
);*/

优点:隐藏导入表,仅存在mscoree.dll

缺点:在dnspy下均直接出源码

nim攻防基础

为了更加OPSEC,考虑使用nim代替c#核心部分,nim防止反编译同时也不暴露导入函数

FFI

proc MessageBoxA*(hWnd: int, lpText: cstring, 
                  lpCaption: cstring, uType: int32): int32 
                 {.discardable, dynlib: "user32", importc.}
MessageBoxA(0, "Hello, world !", "MessageBox Example", 0)

proc WinExec*(lpCmdLine:cstring,uCmdShow:int32): int32 {.discardable,dynlib:"kernel32",importc.}
WinExec("calc.exe",0)

proc printf(format: cstring): cint {.importc, varargs,discardable.}#discardable忽略返回值否则报错
printf("My name is %s and I am %d years old!\n", "coleak", 20)

proc mycmp(a, b: cstring): cint {.importc: "strcmp", nodecl.} #=proc strcmp(a, b: cstring): cint {.importc, nodecl.}
let cmp = strcmp("Easy!", "Easy!")
echo cmp

嵌入c

when not defined(c):
    {.error: "Must be compiled in c mode"}
{.emit: """
#include <stdio.h>
int Test() 
 {
    char name[100]={0};
    scanf("%s",name);
    printf("嵌入成功,%s",name);
    return 0;
 } // end main 
""".}

proc Test(): int
    {.importc: "Test", nodecl,discardable.}
when isMainModule:
    discard Test()

内存加载

读取字节流

import os
var buf: array[4096,byte]
var f: File
f = open(r"D:\c_project\nim\test.exe")
discard readBytes(f, buf,0,4096)
f.close()
echo buf

c.exe>aaa.txt

import winim/clr
import sugar
import os
var buf: array[4096,byte]
buf = [77, 90, ..., 0]
var assembly = load(buf)
var arr = toCLRVariant(commandLineParams(), VT_BSTR)
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))

c#虽然没有暴露导入信息,但是在hxd下会暴露字符串信息,因此在 Nim 编译的可执行文件中检测 .NET 程序集仍然很容易,还可以用hxd轻松搜到nim加载的程序集中存在的user32.dll字符信息和exe关键词

在这里插入图片描述

加解密、编码

base64

import base64
import os
import strformat
func toByteSeq*(str: string): seq[byte] {.inline.} =
    # Converts a string to the corresponding byte sequence
    @(str.toOpenArrayByte(0, str.high))
let inFile: string = paramStr(1)
let inFileContents: string = readFile(inFile)
# To load this .NET assembly we need a byte array or sequence
var bytesequence: seq[byte] = toByteSeq(inFileContents)
let encoded = encode(bytesequence)
echo fmt"[*] Encoded: {encoded}"
import base64
import os
import strformat
import winim/clr
import sugar
import os
func toByteSeq*(str: string): seq[byte] {.inline.} =
    # Converts a string to the corresponding byte sequence
    @(str.toOpenArrayByte(0, str.high))
let encoded = r"TVqQAAMAAAAEAAAA//8...AAA=="
let decoded = decode(encoded)
let mys=toByteSeq(decoded)
var assembly = load(mys)
var arr = toCLRVariant(commandLineParams(), VT_BSTR)
assembly.EntryPoint.Invoke(nil, toCLRVariant([arr]))

可以换成别的方式加密.NET 程序集,用于运行时解密

后记

C#类型转换表

WindowsC#
BOOLint
BOOLEANbyte
BYTEbyte
UCHARbyte
UINT8byte
CCHARbyte
CHARsbyte
CHARsbyte
INT8sbyte
CSHORTshort
INT16short
SHORTshort
ATOMushort
UINT16ushort
USHORTushort
WORDushort
INTint
INT32int
LONGint
LONG32int
CLONGuint
DWORDuint
DWORD32uint
UINTuint
UINT32uint
ULONGuint
ULONG32uint
INT64long
LARGE_INTEGERlong
LONG64long
LONGLONGlong
QWORDlong
DWORD64ulong
UINT64ulong
ULONG64ulong
ULONGLONGulong
ULARGE_INTEGERulong
HRESULTint
NTSTATUSint

nim基础

语法速记

一、分支允许使用逗号分隔的值列表

let name = readLine(stdin)
case name
of "":
  echo "Poor soul, you lost your name?"
of "name":
  echo "Very funny, your name is name."
of "Dave", "Frank":
  echo "Cool name!"
else:
  echo "Hi, ", name, "!"

二、of全覆盖

from strutils import parseInt
echo "A number please: "
let n = parseInt(readLine(stdin))
case n
of 0..2, 4..7: echo "The number is in the set: {0, 1, 2, 4, 5, 6, 7}"
of 3, 8: echo "The number is 3 or 8"
else: discard

三、迭代器

echo "Counting down from 10 to 1: "
for i in countup(1, 5):
  echo i
for i in countdown(6, 2):
  echo i
for i in 10..19:
    echo i
for i in 1..<19:
    echo i

四、块语句

block myblock:
  echo "entering block"
  while true:
    echo "looping"
    break # 跳出循环,但不跳出块
  echo "still in block"

block myblock2:
  echo "entering block"
  while true:
    echo "looping"
    break myblock2 # 跳出块 (和循环)
  echo "still in block"

五、缩进原则

# 单个赋值语句不需要缩进:
if x: x = false

# 嵌套if语句需要缩进:
if x:
  if y:
    y = false
  else:
    y = true

# 需要缩进, 因为条件后有两个语句:
if x:
  x = false
  y = false

六、函数

proc yes(question: string): bool =
  echo question, " (y/n)"
  while true:
    case readLine(stdin)
    of "y", "Y", "yes", "Yes": return true
    of "n", "N", "no", "No": return false
    else: echo "Please be clear: yes or no"

if yes("Should I delete all your important files?"):
  echo "I'm sorry , I'm afraid I can't do that."
else:
  echo "I think you know what the problem is just as well as I do."
  
proc add(a:int,b:int):int=
    return a+b

echo add(1,89)

proc sumTillNegative(x: varargs[int]): int =
  for i in x:
    if i < 0:
      return
    result = result + i

echo sumTillNegative() # echos 0
echo sumTillNegative(3, 4, 5) # echos 12

函数定义格式看起来很繁琐,返回值类型放在: bool =

result 总在过程的结尾自动返回如果退出时没有 return语句

七、传实参

proc divmod(a, b: int; res: var int,remainder:var int) =
  res = a div b        # 整除
  remainder = a mod b  # 整数取模操作

var x, y=111

divmod(8, 5, x, y) # 修改x和y
echo x
echo y

传递实参用var修饰

八、忽略返回值discard

proc p(x, y: int): int {.discardable.} =
  return x + y

var c:int
c=p(3, 4) # now valid
echo c
p(3, 4)

九、数组初始化

type
  IntArray = array[0..7, int] # 一个索引为0..7的数组
  QuickArray = array[6, int]  # 一个索引为0..5的数组
var
  x: IntArray
x = [1, 5, 3, 4, 5, 77,9,8]
for i in low(x)..high(x):
  echo x[i]
for i in x:
  echo i
  
for i, v in @[3, 7, 5]:
  echo "index: ", $i, ", value:", $v
# --> index: 0, value:3
# --> index: 1, value:4
# --> index: 2, value:5

十、结构体

type
  Person = object
    name: string
    age: int

var person1 = Person(name: "Peter", age: 30)

echo person1.name # "Peter"
echo person1.age  # 30

var person2 = person1 # 复制person 1

十一、读写文件

#字节流
import os
var buf: array[100,byte]
var f: File
f = open("D:\\c_project\\nim\\d.exe")
discard readBytes(f, buf,0,9)
f.close()
echo buf


#文本文件
var file:File
file = open(r"D:\c_project\nim\d.txt")
echo file.readAll()
file.close()

let text = "Cats are very cool!"
writeFile("cats.txt", text)

十二、绝对路径默认目录为shell路径

  • 21
    点赞
  • 26
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 2
    评论
C#中,可以使用JsonConvert类的DeserializeObject方法来进行JSON反序列化操作。该方法接受一个JSON字符串作为参数,并将其转换为指定的对象类型。以下是一个示例代码: ```csharp string jsonStr = "{\"ID\":1,\"Name\":\"金刚罩\",\"damage\":1000}"; skill sk = JsonConvert.DeserializeObject<skill>(jsonStr); ``` 在上述代码中,我们首先定义了一个JSON字符串,然后使用JsonConvert.DeserializeObject方法将其反序列化为skill对象。最后,我们可以通过访问sk对象的属性来获取反序列化后的数据。 另外,如果要反序列化一个集合对象,可以使用类似的方法: ```csharp string jsonStr = "\[{\"id\":1,\"Name\":\"aggregate\",\"Number\":\"A1\",\"Date\":\"2019-08-01\"}\]"; List<Datas> dataList = JsonConvert.DeserializeObject<List<Datas>>(jsonStr); ``` 在上述代码中,我们定义了一个JSON数组字符串,并使用JsonConvert.DeserializeObject方法将其反序列化为List<Datas>对象。 总结起来,C#中的JSON反序列化可以通过JsonConvert类的DeserializeObject方法来实现,该方法可以将JSON字符串转换为指定的对象类型。 #### 引用[.reference_title] - *1* [C#序列化和反序列化(json)](https://blog.csdn.net/qq_44386034/article/details/125638718)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v91^koosearch_v1,239^v3^insert_chatgpt"}} ] [.reference_item] - *2* [C# JSON之序列化与反序列化](https://blog.csdn.net/wangnaisheng/article/details/125196831)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v91^koosearch_v1,239^v3^insert_chatgpt"}} ] [.reference_item] - *3* [C#中Json序列化和反序列化总结](https://blog.csdn.net/jia380_csdn/article/details/120332758)[target="_blank" data-report-click={"spm":"1018.2226.3001.9630","extra":{"utm_source":"vip_chatgpt_common_search_pc_result","utm_medium":"distribute.pc_search_result.none-task-cask-2~all~insert_cask~default-1-null.142^v91^koosearch_v1,239^v3^insert_chatgpt"}} ] [.reference_item] [ .reference_list ]

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

coleak

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值