; ASPack loader stub, entry point. OllyDbg listing of the packed module loaded at its preferred
; base (00400000, stub section at 00417000). Gutter marks are OllyDbg's: '>' = current EIP,
; '^' = backward jump, '/ | \' = jump arrows. The stub obtains its own address with the
; CALL/POP "delta" trick; every [EBP+xx] reference in the rest of the stub is relative to
; EBP = 00417013, which is set by the overlapping-instruction trick at 0041700E/00417013.
00417000    90              NOP
00417001 >  60              PUSHAD                                   ; save all registers; undone by the POPAD right before the jump to the OEP
00417002    E8 03000000     CALL 00_aspac.0041700A                   ; pushes return address 00417007 (author: junk/opaque code follows)
00417007    90              NOP                                      ; never executed as a NOP: the RETN at 0041700D lands on 00417008
00417008    EB 04           JMP SHORT 00_aspac.0041700E
0041700A    5D              POP EBP                                  ; EBP = 00417007, the return address pushed by the CALL above
0041700B    45              INC EBP                                  ; EBP = 00417008
0041700C    55              PUSH EBP                                 ; push 00417008 as a fake return address
0041700D    C3              RETN                                     ; "return" to 00417008, i.e. the JMP SHORT 0041700E
0041700E    E8 01000000     CALL 00_aspac.00417014                   ; pushes 00417013 and lands INSIDE the next instruction: its second byte (5D) is POP EBP
00417013    EB 5D           JMP SHORT 00_aspac.00417072              ; never executed as a JMP. POP EBP at 00417014 sets EBP = 00417013 (delta base); execution continues at 00417015

// Initialization: compute the image base, then resolve the kernel32 exports the stub needs.
// Notation below: "here"/"in this session" = values observed by the author in the debugger,
// not constants of the stub.
00417015    BB EDFFFFFF     MOV EBX,-0x13                            ; EBX = -0x13
0041701A    03DD            ADD EBX,EBP                              ; EBX = 00417013 - 0x13 = 00417000 (start of the stub)
0041701C    81EB 00700100   SUB EBX,0x17000                          ; EBX = 00400000: actual image base (the stub's RVA 0x17000 is hard-coded by the packer)
00417022    83BD 88040000 0>CMP DWORD PTR SS:[EBP+0x488],0x0         ; re-entry guard: has the base already been recorded?
00417029    899D 88040000   MOV DWORD PTR SS:[EBP+0x488],EBX         ; [EBP+0x488] = image base; read by everything below
0041702F    0F85 CB030000   JNZ 00_aspac.00417400                    ; already initialized (ZF from the CMP survives the MOV) -> skip straight to the OEP dispatch (same code as 012F7400 below)
00417035    8D85 94040000   LEA EAX,DWORD PTR SS:[EBP+0x494]         ; EAX -> a string inside the stub (not shown); presumably "kernel32.dll" given the next call
0041703B    50              PUSH EAX
0041703C    FF95 A90F0000   CALL DWORD PTR SS:[EBP+0xFA9]            ; GetModuleHandleA (see 012F7281). [EBP+0xFA9]/[EBP+0xFA5]/[EBP+0xFAD] are presumably filled by the loader from the packed file's minimal import table
00417042    8985 8C040000   MOV DWORD PTR SS:[EBP+0x48C],EAX         ; [EBP+0x48C] = kernel32 base
00417048    8BF0            MOV ESI,EAX                              ; ESI = kernel32 base
0041704A    8D7D 51         LEA EDI,DWORD PTR SS:[EBP+0x51]          ; EDI = 00417064: in-stub table of NUL-terminated API names (the bytes at 00417064..0041708C)
0041704D    57              PUSH EDI                                 ; lpProcName = current name
0041704E    56              PUSH ESI                                 ; hModule = kernel32
0041704F    FF95 A50F0000   CALL DWORD PTR SS:[EBP+0xFA5]            ; GetProcAddress
00417055    AB              STOS DWORD PTR ES:[EDI]                  ; store the 4-byte address OVER the first 4 bytes of the name (STOSD writes 4 bytes, not 2 as the author wrote); that is why the dump shows "ualAlloc" etc.
00417056    B0 00           MOV AL,0x0
00417058    AE              SCAS BYTE PTR ES:[EDI]                   ; scan forward to the name's NUL terminator
00417059  ^ 75 FD           JNZ SHORT 00_aspac.00417058
0041705B    3807            CMP BYTE PTR DS:[EDI],AL                 ; a second NUL right after it ends the table
0041705D  ^ 75 EE           JNZ SHORT 00_aspac.0041704D              ; otherwise resolve the next name
0041705F    8D45 7A         LEA EAX,DWORD PTR SS:[EBP+0x7A]          ; EAX = 0041708D
00417062    FFE0            JMP EAX                                  ; jump over the name table to the decompression code
; 00417064..0041708C is DATA, not code: OllyDbg is disassembling the API name table. After the loop
; above, the first 4 bytes of each entry hold the resolved address (values from the author's session):
;   [EBP+0x51] = 00417064: F4 05 48 76 "ualAlloc\0"    -> kernel32.VirtualAlloc   (used as CALL [EBP+0x51])
;   [EBP+0x5E] = 00417071: 35 0D 48 76 "ualFree\0"     -> kernel32.VirtualFree    (CALL [EBP+0x5E])
;   [EBP+0x6A] = 0041707D: AB 50 47 76 "ualProtect\0"  -> kernel32.VirtualProtect (CALL [EBP+0x6A])
; i.e. "Virt" of each name was overwritten in place; the second 00 after "ualProtect" terminates the table.
00417064    F4              HLT
00417065    05 48767561     ADD EAX,0x61757648
0041706A    6C              INS BYTE PTR ES:[EDI],DX
0041706B    41              INC ECX
0041706C    6C              INS BYTE PTR ES:[EDI],DX
0041706D    6C              INS BYTE PTR ES:[EDI],DX
0041706E    6F              OUTS DX,DWORD PTR DS:[ESI]
0041706F    6300            ARPL WORD PTR DS:[EAX],AX
00417071    35 0D487675     XOR EAX,0x7576480D
00417076    61              POPAD
00417077    6C              INS BYTE PTR ES:[EDI],DX
00417078    46              INC ESI
00417079    72 65           JB SHORT 00_aspac.004170E0
0041707B    65:00AB 5047767>ADD BYTE PTR GS:[EBX+0x75764750],CH
00417082    61              POPAD
00417083    6C              INS BYTE PTR ES:[EDI],DX
00417084    50              PUSH EAX
00417085    72 6F           JB SHORT 00_aspac.004170F6
00417087    74 65           JE SHORT 00_aspac.004170EE
00417089    637400 00       ARPL WORD PTR DS:[EAX+EAX],SI
// Decompression: for every packed-section record, allocate work buffers, call the unpacker,
// restore CALL/JMP displacements (first section only), copy the result over the section, free.
0041708D    8B9D 95050000   MOV EBX,DWORD PTR SS:[EBP+0x595]         ; optional pointer kept in the stub (0 in this session, see 004171A8)
00417093    0BDB            OR EBX,EBX
00417095    74 0A           JE SHORT 00_aspac.004170A1
00417097    8B03            MOV EAX,DWORD PTR DS:[EBX]               ; if non-zero: swap the dword at *EBX with [EBP+0x599] (counterpart at 004171B2)
00417099    8785 99050000   XCHG DWORD PTR SS:[EBP+0x599],EAX
0041709F    8903            MOV DWORD PTR DS:[EBX],EAX
004170A1    8DB5 C5050000   LEA ESI,DWORD PTR SS:[EBP+0x5C5]         ; ESI -> table of packed-section records, 0xC bytes each (+0 RVA, +4 unpacked size, +8 not used here), terminated by RVA 0
004170A7    833E 00         CMP DWORD PTR DS:[ESI],0x0
004170AA    0F84 0A010000   JE 00_aspac.004171BA                     ; empty table -> go straight to relocation
004170B0    6A 04           PUSH 0x4                                 ; flProtect = PAGE_READWRITE
004170B2    68 00100000     PUSH 0x1000                              ; flAllocationType = MEM_COMMIT
004170B7    68 00180000     PUSH 0x1800                              ; dwSize = 0x1800: fixed-size scratch buffer for the decompressor
004170BC    6A 00           PUSH 0x0                                 ; lpAddress = NULL
004170BE    FF55 51         CALL DWORD PTR SS:[EBP+0x51]             ; VirtualAlloc (return value is not checked)
004170C1    8985 48010000   MOV DWORD PTR SS:[EBP+0x148],EAX         ; [EBP+0x148] = scratch buffer
004170C7    8B46 04         MOV EAX,DWORD PTR DS:[ESI+0x4]           ; loop head: EAX = unpacked size of this section
004170CA    05 0E010000     ADD EAX,0x10E                            ; plus slack for the decompressor
004170CF    0F84 B7000000   JE 00_aspac.0041718C                     ; ZF comes from the ADD, so this only fires if size+0x10E wraps to 0 (practically never)
004170D5    6A 04           PUSH 0x4                                 ; PAGE_READWRITE
004170D7    68 00100000     PUSH 0x1000                              ; MEM_COMMIT
004170DC    50              PUSH EAX                                 ; dwSize = section size + 0x10E
004170DD    6A 00           PUSH 0x0
004170DF    FF55 51         CALL DWORD PTR SS:[EBP+0x51]             ; VirtualAlloc: output buffer for the decompressed section (not checked)
004170E2    8985 44010000   MOV DWORD PTR SS:[EBP+0x144],EAX         ; [EBP+0x144] = output buffer
004170E8    56              PUSH ESI                                 ; save record pointer (popped at 0041717B)
004170E9    8B1E            MOV EBX,DWORD PTR DS:[ESI]               ; section RVA (0x1000 here)
004170EB    039D 88040000   ADD EBX,DWORD PTR SS:[EBP+0x488]         ; + image base = section VA; the packed data sits there in place
004170F1    FFB5 48010000   PUSH DWORD PTR SS:[EBP+0x148]            ; arg4: scratch buffer (0x1800 bytes)
004170F7    FF76 04         PUSH DWORD PTR DS:[ESI+0x4]              ; arg3: unpacked size (0xA000 here)
004170FA    50              PUSH EAX                                 ; arg2: output buffer
004170FB    53              PUSH EBX                                 ; arg1: packed source = section VA (00401000 here)
004170FC    E8 C7050000     CALL 00_aspac.004176C8                   ; decompressor (not in this listing); EAX on return is used below as the byte count to copy
00417101    B3 01           MOV BL,0x1                               ; run-once flag. The bytes shown are POST-patch: per the author the immediate is 0 on disk and is bumped to 1 by 00417108
00417103    80FB 00         CMP BL,0x0
00417106    75 4D           JNZ SHORT 00_aspac.00417155              ; flag already set -> skip the E8/E9 fix-up; only the first (code) section gets it
00417108    FE85 EF000000   INC BYTE PTR SS:[EBP+0xEF]               ; self-modifying code: [EBP+0xEF] = 00417102 = the immediate byte of the MOV BL above (requires the stub's section to be writable)
0041710E    50              PUSH EAX
0041710F    51              PUSH ECX
00417110    56              PUSH ESI
00417111    53              PUSH EBX
00417112    8BC8            MOV ECX,EAX                              ; ECX = bytes left to scan
00417114    83E9 05         SUB ECX,0x5                              ; minus one full 5-byte E8/E9 instruction, so the 4-byte operand read cannot run past the end
00417117    8BB5 44010000   MOV ESI,DWORD PTR SS:[EBP+0x144]         ; ESI -> decompressed section (the original code, including the OEP)
0041711D    33DB            XOR EBX,EBX                              ; EBX = offset of the byte under ESI from the start of the section
0041711F    0BC9            OR ECX,ECX
00417121    74 2E           JE SHORT 00_aspac.00417151               ; done
00417123    78 2C           JS SHORT 00_aspac.00417151               ; signed test: done once the count goes negative
00417125    AC              LODS BYTE PTR DS:[ESI]                   ; AL = next opcode byte
00417126    3C E8           CMP AL,0xE8                              ; CALL rel32?
00417128    74 0A           JE SHORT 00_aspac.00417134
0041712A    EB 00           JMP SHORT 00_aspac.0041712C              ; junk jump to the next instruction
0041712C    3C E9           CMP AL,0xE9                              ; JMP rel32?
0041712E    74 04           JE SHORT 00_aspac.00417134
00417130    43              INC EBX                                  ; neither: advance one byte
00417131    49              DEC ECX
00417132  ^ EB EB           JMP SHORT 00_aspac.0041711F              ; scan loop: restores every transformed CALL/JMP in the section
00417134    8B06            MOV EAX,DWORD PTR DS:[ESI]               ; E8/E9 found: EAX = the 4-byte operand as stored by the packer
00417136    EB 00           JMP SHORT 00_aspac.00417138              ; junk jump
00417138    803E 05         CMP BYTE PTR DS:[ESI],0x5                ; only operands whose first byte is 05 are treated as transformed (packer marker, inferred); anything else is left untouched
0041713B  ^ 75 F3           JNZ SHORT 00_aspac.00417130
0041713D    24 00           AND AL,0x0                               ; drop the 05 marker byte
0041713F    C1C0 18         ROL EAX,0x18                             ; rotate by 24: the remaining 3 bytes become a big-endian 24-bit absolute offset
00417142    2BC3            SUB EAX,EBX                              ; absolute -> relative to this instruction's offset
00417144    8906            MOV DWORD PTR DS:[ESI],EAX               ; write the restored rel32 back
00417146    83C3 05         ADD EBX,0x5                              ; step over the 5-byte instruction
00417149    83C6 04         ADD ESI,0x4
0041714C    83E9 05         SUB ECX,0x5
0041714F  ^ EB CE           JMP SHORT 00_aspac.0041711F
00417151    5B              POP EBX
00417152    5E              POP ESI
00417153    59              POP ECX
00417154    58              POP EAX
00417155    EB 08           JMP SHORT 00_aspac.0041715F              ; skip 8 data bytes
; 00417157..0041715E are data (00 00 20 00 00 00 1F 00). OllyDbg decodes them as instructions and stays
; out of sync until 00417169. Re-decoding from the real target 0041715F (bytes 8B C8 8B 3E 03 BD 88 04 00 00):
;   0041715F  8B C8            MOV ECX,EAX           ; ECX = decompressed byte count
;   00417161  8B 3E            MOV EDI,[ESI]         ; EDI = section RVA (ESI still -> section record)
;   00417163  03 BD 88040000   ADD EDI,[EBP+0x488]   ; EDI = section VA = copy destination
; The "MOV EBP,0x488" shown at 00417164 never executes; EBP keeps its delta value.
00417157    0000            ADD BYTE PTR DS:[EAX],AL
00417159    2000            AND BYTE PTR DS:[EAX],AL
0041715B    0000            ADD BYTE PTR DS:[EAX],AL
0041715D    1F              POP DS
0041715E    008B C88B3E03   ADD BYTE PTR DS:[EBX+0x33E8BC8],CL
00417164    BD 88040000     MOV EBP,0x488
00417169    8BB5 44010000   MOV ESI,DWORD PTR SS:[EBP+0x144]         ; ESI = decompressed buffer (003E0000 here)
0041716F    C1F9 02         SAR ECX,0x2                              ; dword count
00417172    F3:A5           REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]   ; copy the decompressed section into the image (dwords)
00417174    8BC8            MOV ECX,EAX
00417176    83E1 03         AND ECX,0x3                              ; remaining 0..3 bytes
00417179    F3:A4           REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
0041717B    5E              POP ESI                                  ; ESI -> section record again
0041717C    68 00800000     PUSH 0x8000                              ; dwFreeType = MEM_RELEASE
00417181    6A 00           PUSH 0x0                                 ; dwSize = 0
00417183    FFB5 44010000   PUSH DWORD PTR SS:[EBP+0x144]
00417189    FF55 5E         CALL DWORD PTR SS:[EBP+0x5E]             ; VirtualFree(output buffer)
0041718C    83C6 0C         ADD ESI,0xC                              ; next section record
0041718F    833E 00         CMP DWORD PTR DS:[ESI],0x0
00417192  ^ 0F85 2FFFFFFF   JNZ 00_aspac.004170C7                    ; loop over sections until RVA == 0
00417198    68 00800000     PUSH 0x8000                              ; MEM_RELEASE
0041719D    6A 00           PUSH 0x0
0041719F    FFB5 48010000   PUSH DWORD PTR SS:[EBP+0x148]            ; scratch buffer (001F0000 here)
004171A5    FF55 5E         CALL DWORD PTR SS:[EBP+0x5E]             ; VirtualFree(scratch buffer)
004171A8    8B9D 95050000   MOV EBX,DWORD PTR SS:[EBP+0x595]         ; SS:[004175A8]=00000000
004171AE    0BDB            OR EBX,EBX                               ; EBX = 0 here
004171B0    74 08           JE SHORT 00_aspac.004171BA               ; taken
004171B2    8B03            MOV EAX,DWORD PTR DS:[EBX]               ; otherwise swap the dword from 00417099 back into [EBP+0x599] (no write to *EBX here)
004171B4    8785 99050000   XCHG DWORD PTR SS:[EBP+0x599],EAX
// Relocation: apply the original image's base relocations if the module was not loaded at its
// preferred base. In this first session the delta is 0 and the whole loop is skipped.
004171BA    8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]         ; EDX = actual image base
004171C0    8B85 91050000   MOV EAX,DWORD PTR SS:[EBP+0x591]         ; EAX = preferred image base recorded by the packer (inferred from the subtraction)
004171C6    2BD0            SUB EDX,EAX                              ; EDX = relocation delta
004171C8    74 79           JE SHORT 00_aspac.00417243               ; delta 0 -> nothing to relocate (taken here)
004171CA    8BC2            MOV EAX,EDX
004171CC    C1E8 10         SHR EAX,0x10                             ; AX = high 16 bits of the delta (for HIGH fixups)
004171CF    33DB            XOR EBX,EBX
004171D1    8BB5 9D050000   MOV ESI,DWORD PTR SS:[EBP+0x59D]         ; RVA of the relocation table kept by the stub
004171D7    03B5 88040000   ADD ESI,DWORD PTR SS:[EBP+0x488]         ; ESI -> first IMAGE_BASE_RELOCATION block
004171DD    833E 00         CMP DWORD PTR DS:[ESI],0x0               ; block loop: PageRVA == 0 ends the table
004171E0    74 61           JE SHORT 00_aspac.00417243
004171E2    8B4E 04         MOV ECX,DWORD PTR DS:[ESI+0x4]           ; SizeOfBlock
004171E5    83E9 08         SUB ECX,0x8                              ; minus the 8-byte block header
004171E8    D1E9            SHR ECX,1                                ; number of 16-bit entries. No guard for 0: LOOPD below would wrap ECX to 0xFFFFFFFF on an empty block
004171EA    8B3E            MOV EDI,DWORD PTR DS:[ESI]               ; PageRVA
004171EC    03BD 88040000   ADD EDI,DWORD PTR SS:[EBP+0x488]         ; EDI = page VA
004171F2    83C6 08         ADD ESI,0x8                              ; ESI -> first entry
004171F5    66:8B1E         MOV BX,WORD PTR DS:[ESI]                 ; entry: type in bits 15..12, page offset in bits 11..0
004171F8    C1EB 0C         SHR EBX,0xC                              ; EBX = type
004171FB    83FB 01         CMP EBX,0x1                              ; 1 = IMAGE_REL_BASED_HIGH
004171FE    74 0C           JE SHORT 00_aspac.0041720C
00417200    83FB 02         CMP EBX,0x2                              ; 2 = IMAGE_REL_BASED_LOW
00417203    74 16           JE SHORT 00_aspac.0041721B
00417205    83FB 03         CMP EBX,0x3                              ; 3 = IMAGE_REL_BASED_HIGHLOW
00417208    74 20           JE SHORT 00_aspac.0041722A
0041720A    EB 2C           JMP SHORT 00_aspac.00417238              ; any other type (e.g. 0 = ABSOLUTE padding) is ignored
0041720C    66:8B1E         MOV BX,WORD PTR DS:[ESI]
0041720F    81E3 FF0F0000   AND EBX,0xFFF                            ; offset within the page
00417215    66:01041F       ADD WORD PTR DS:[EDI+EBX],AX             ; HIGH: add the high half of the delta
00417219    EB 1D           JMP SHORT 00_aspac.00417238
0041721B    66:8B1E         MOV BX,WORD PTR DS:[ESI]
0041721E    81E3 FF0F0000   AND EBX,0xFFF
00417224    66:01141F       ADD WORD PTR DS:[EDI+EBX],DX             ; LOW: add the low half of the delta
00417228    EB 0E           JMP SHORT 00_aspac.00417238
0041722A    66:8B1E         MOV BX,WORD PTR DS:[ESI]
0041722D    81E3 FF0F0000   AND EBX,0xFFF
00417233    01141F          ADD DWORD PTR DS:[EDI+EBX],EDX           ; HIGHLOW: add the full 32-bit delta
00417236    EB 00           JMP SHORT 00_aspac.00417238
00417238    66:830E FF      OR WORD PTR DS:[ESI],0xFFFF              ; destroy the entry after use (anti-dump: a memory dump will carry a garbage relocation table)
0041723C    83C6 02         ADD ESI,0x2                              ; next entry
0041723F  ^ E2 B4           LOOPD SHORT 00_aspac.004171F5
00417241  ^ EB 9A           JMP SHORT 00_aspac.004171DD              ; next block
// Relocation (author's heading). The relocation loop itself is 004171BA..00417241 above; it is
// shown again below from a second debugging session in which it actually ran.
00417243    8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]         ; 00400000
00417249    8BB5 A5050000   MOV ESI,DWORD PTR SS:[EBP+0x5A5]         ; SS:[004175B8]=00000000
0041724F    0BF6            OR ESI,ESI                               ; zero?
; ---- From here the listing comes from a SECOND session: the image was loaded at 012E0000 instead of
; ---- 00400000 (stub at 012F7000), so the delta is 012E0000-00400000 = 00EE0000 and the relocation loop
; ---- above (same code, same stub offsets) executes. Debugger annotations reflect that session.
012F71C8   /74 79           JE SHORT 00_aspac.012F7243               ; delta 0 -> skip; non-zero -> fall through (relocation is needed)
012F71CA   |8BC2            MOV EAX,EDX
012F71CC   |C1E8 10         SHR EAX,0x10                             ; AX = high half of the delta
012F71CF   |33DB            XOR EBX,EBX
012F71D1   |8BB5 9D050000   MOV ESI,DWORD PTR SS:[EBP+0x59D]         ; relocation table RVA (00016000 here)
012F71D7   |03B5 88040000   ADD ESI,DWORD PTR SS:[EBP+0x488]         ; ESI = relocation table VA (012F6000 here)
012F71DD   |833E 00         CMP DWORD PTR DS:[ESI],0x0               ; [ESI] = PageRVA of the block (0x1000 here); 0 ends the table. (The author's "section count 10" is this RVA.)
012F71E0   |74 61           JE SHORT 00_aspac.012F7243
012F71E2   |8B4E 04         MOV ECX,DWORD PTR DS:[ESI+0x4]           ; SizeOfBlock (0xE4 here)
012F71E5   |83E9 08         SUB ECX,0x8                              ; 0xDC
012F71E8   |D1E9            SHR ECX,1                                ; 0x6E entries in this block
012F71EA   |8B3E            MOV EDI,DWORD PTR DS:[ESI]               ; PageRVA
012F71EC   |03BD 88040000   ADD EDI,DWORD PTR SS:[EBP+0x488]         ; EDI = page VA (012E1000 here)
012F71F2   |83C6 08         ADD ESI,0x8                              ; ESI -> first entry (012F6008 here)
012F71F5   |66:8B1E         MOV BX,WORD PTR DS:[ESI]                 ; entry (type:offset); DS:[012F6008]=3006 here
012F71F8   |C1EB 0C         SHR EBX,0xC                              ; keep the type only (3)
012F71FB   |83FB 01         CMP EBX,0x1                              ; HIGH?
012F71FE   |74 0C           JE SHORT 00_aspac.012F720C
012F7200   |83FB 02         CMP EBX,0x2                              ; LOW?
012F7203   |74 16           JE SHORT 00_aspac.012F721B
012F7205   |83FB 03         CMP EBX,0x3                              ; HIGHLOW?
012F7208   |74 20           JE SHORT 00_aspac.012F722A               ; taken for the 3006 entry
012F720A   |EB 2C           JMP SHORT 00_aspac.012F7238
012F720C   |66:8B1E         MOV BX,WORD PTR DS:[ESI]
012F720F   |81E3 FF0F0000   AND EBX,0xFFF
012F7215   |66:01041F       ADD WORD PTR DS:[EDI+EBX],AX
012F7219   |EB 1D           JMP SHORT 00_aspac.012F7238
012F721B   |66:8B1E         MOV BX,WORD PTR DS:[ESI]
012F721E   |81E3 FF0F0000   AND EBX,0xFFF
012F7224   |66:01141F       ADD WORD PTR DS:[EDI+EBX],DX
012F7228   |EB 0E           JMP SHORT 00_aspac.012F7238
012F722A   |66:8B1E         MOV BX,WORD PTR DS:[ESI]                 ; reload the entry
012F722D   |81E3 FF0F0000   AND EBX,0xFFF                            ; 3006 AND 0xFFF = 006: strip the type, keep the page offset
012F7233   |01141F          ADD DWORD PTR DS:[EDI+EBX],EDX           ; apply the delta, e.g. 0040B0F4 becomes 012EB0F4 (author's example, digits corrected)
012F7236   |EB 00           JMP SHORT 00_aspac.012F7238
012F7238   |66:830E FF      OR WORD PTR DS:[ESI],0xFFFF              ; wipe the entry (DS:[012F6008]=3006 before); anti-dump
012F723C   |83C6 02         ADD ESI,0x2                              ; next entry
012F723F  ^|E2 B4           LOOPD SHORT 00_aspac.012F71F5            ; until the block is done
// Import table (author's heading). 012F7241 is still the last instruction of the relocation loop;
// import processing starts at 012F7243.
012F7241  ^|EB 9A           JMP SHORT 00_aspac.012F71DD              ; next relocation block
012F7243   \8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]         ; EDX = image base (author's note "00400000" is from the first session)
012F7249    8BB5 A5050000   MOV ESI,DWORD PTR SS:[EBP+0x5A5]         ; optional patch list RVA; SS:[004175B8]=00000000 (none in this binary)
012F724F    0BF6            OR ESI,ESI
012F7251   /74 11           JE SHORT 00_aspac.012F7264               ; taken
012F7253   |03F2            ADD ESI,EDX                              ; otherwise: list of {RVA dword, WORD value} pairs terminated by RVA 0
012F7255   |AD              LODS DWORD PTR DS:[ESI]                  ; EAX = RVA
012F7256   |0BC0            OR EAX,EAX
012F7258   |74 0A           JE SHORT 00_aspac.012F7264
012F725A   |03C2            ADD EAX,EDX
012F725C   |8BF8            MOV EDI,EAX                              ; EDI = base + RVA
012F725E   |66:AD           LODS WORD PTR DS:[ESI]
012F7260   |66:AB           STOS WORD PTR ES:[EDI]                   ; write the 16-bit value there
012F7262  ^|EB F1           JMP SHORT 00_aspac.012F7255
012F7264   \BE B4F00000     MOV ESI,0xF0B4                           ; RVA of the import descriptor table (hard-coded by the packer)
012F7269    8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]         ; EDX = image base
012F726F    03F2            ADD ESI,EDX                              ; ESI -> IMAGE_IMPORT_DESCRIPTOR[0] (012EF0B4 here)
012F7271    8B46 0C         MOV EAX,DWORD PTR DS:[ESI+0xC]           ; descriptor loop: Name RVA (0000F20A here)
012F7274    85C0            TEST EAX,EAX
012F7276    0F84 0D010000   JE 00_aspac.012F7389                     ; Name == 0 -> end of the descriptor table
012F727C    03C2            ADD EAX,EDX                              ; name VA
012F727E    8BD8            MOV EBX,EAX                              ; EBX -> DLL name ("USER32.dll" at 012EF20A here)
012F7280    50              PUSH EAX
012F7281    FF95 A90F0000   CALL DWORD PTR SS:[EBP+0xFA9]            ; GetModuleHandleA(name)
012F7287    85C0            TEST EAX,EAX
012F7289    75 07           JNZ SHORT 00_aspac.012F7292
012F728B    53              PUSH EBX
012F728C    FF95 AD0F0000   CALL DWORD PTR SS:[EBP+0xFAD]            ; not loaded yet -> LoadLibraryA(name). Result is not checked; a NULL handle would be passed to GetProcAddress below
012F7292    8985 A9050000   MOV DWORD PTR SS:[EBP+0x5A9],EAX         ; [EBP+0x5A9] = module handle (75EA0000 = user32 here)
012F7298    C785 AD050000 0>MOV DWORD PTR SS:[EBP+0x5AD],0x0         ; [EBP+0x5AD] = byte offset into the thunk arrays (index * 4)
012F72A2    8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]         ; thunk loop: EDX = image base
012F72A8    8B06            MOV EAX,DWORD PTR DS:[ESI]               ; OriginalFirstThunk RVA (0000F1E0 here)
012F72AA    85C0            TEST EAX,EAX
012F72AC    75 03           JNZ SHORT 00_aspac.012F72B1
012F72AE    8B46 10         MOV EAX,DWORD PTR DS:[ESI+0x10]          ; no INT -> walk FirstThunk (the IAT) instead
012F72B1    03C2            ADD EAX,EDX                              ; thunk array VA
012F72B3    0385 AD050000   ADD EAX,DWORD PTR SS:[EBP+0x5AD]         ; EAX -> current INT entry
012F72B9    8B18            MOV EBX,DWORD PTR DS:[EAX]               ; EBX = thunk value: RVA of IMAGE_IMPORT_BY_NAME, or an ordinal with bit 31 set
012F72BB    8B7E 10         MOV EDI,DWORD PTR DS:[ESI+0x10]          ; FirstThunk RVA (0000B0F0 here)
012F72BE    03FA            ADD EDI,EDX                              ; IAT VA (012EB0F0 here)
012F72C0    03BD AD050000   ADD EDI,DWORD PTR SS:[EBP+0x5AD]         ; EDI -> current IAT slot
012F72C6    85DB            TEST EBX,EBX                             ; thunk 0 -> end of this DLL's imports
012F72C8    0F84 A5000000   JE 00_aspac.012F7373
012F72CE    F7C3 00000080   TEST EBX,0x80000000                      ; bit 31 set = import by ordinal (not "is it a letter" as the author wrote)
012F72D4    75 04           JNZ SHORT 00_aspac.012F72DA
012F72D6    03DA            ADD EBX,EDX                              ; by name: EBX -> IMAGE_IMPORT_BY_NAME (012EF1FE here)
012F72D8    43              INC EBX                                  ; +2, not -2: skip the Hint WORD so EBX points at the name string
012F72D9    43              INC EBX
012F72DA    53              PUSH EBX                                 ; keep the raw value for the failure path
012F72DB    81E3 FFFFFF7F   AND EBX,0x7FFFFFFF                       ; strip the ordinal flag (no-op for a name pointer)
012F72E1    53              PUSH EBX                                 ; lpProcName = name pointer or ordinal
012F72E2    FFB5 A9050000   PUSH DWORD PTR SS:[EBP+0x5A9]            ; hModule; SS:[012F75BC]=75EA0000 (user32.Ordinal2397)
012F72E8    FF95 A50F0000   CALL DWORD PTR SS:[EBP+0xFA5]            ; SS:[012F7FB8]=76481837 (kernel32.GetProcAddress)
012F72EE    85C0            TEST EAX,EAX                             ; resolved address (75ED555C here)
012F72F0    5B              POP EBX                                  ; EBX = raw thunk value again
012F72F1    75 72           JNZ SHORT 00_aspac.012F7365              ; resolved -> store into the IAT
012F72F3    F7C3 00000080   TEST EBX,0x80000000                      ; lookup failed: was it a name or an ordinal?
012F72F9    75 19           JNZ SHORT 00_aspac.012F7314
012F72FB    57              PUSH EDI                                 ; name lookup failed: push (IAT slot, DLL name VA, name, buffer at [EBP+0x4DB], IAT slot) and branch to a fallback resolver at 012F7426 (outside this listing)
012F72FC    8B46 0C         MOV EAX,DWORD PTR DS:[ESI+0xC]
012F72FF    0385 88040000   ADD EAX,DWORD PTR SS:[EBP+0x488]
012F7305    50              PUSH EAX
012F7306    53              PUSH EBX
012F7307    8D85 DB040000   LEA EAX,DWORD PTR SS:[EBP+0x4DB]
012F730D    50              PUSH EAX
012F730E    57              PUSH EDI
012F730F    E9 12010000     JMP 00_aspac.012F7426
012F7314    81E3 FFFFFF7F   AND EBX,0x7FFFFFFF                       ; ordinal lookup failed: EBX = ordinal
012F731A    8B85 8C040000   MOV EAX,DWORD PTR SS:[EBP+0x48C]         ; kernel32 base
012F7320    3985 A9050000   CMP DWORD PTR SS:[EBP+0x5A9],EAX
012F7326    75 24           JNZ SHORT 00_aspac.012F734C              ; only kernel32 gets the manual export-table walk below
012F7328    57              PUSH EDI
012F7329    8BD3            MOV EDX,EBX
012F732B    4A              DEC EDX                                  ; index = ordinal - 1: assumes the export directory's Base is 1 (the Base field is never read)
012F732C    C1E2 02         SHL EDX,0x2                              ; * sizeof(DWORD)
012F732F    8B9D A9050000   MOV EBX,DWORD PTR SS:[EBP+0x5A9]         ; EBX = kernel32 base
012F7335    8B7B 3C         MOV EDI,DWORD PTR DS:[EBX+0x3C]          ; e_lfanew
012F7338    8B7C3B 78       MOV EDI,DWORD PTR DS:[EBX+EDI+0x78]      ; NT headers + 0x78 = DataDirectory[EXPORT].VirtualAddress (PE32 layout)
012F733C    035C3B 1C       ADD EBX,DWORD PTR DS:[EBX+EDI+0x1C]      ; + IMAGE_EXPORT_DIRECTORY.AddressOfFunctions -> EBX = VA of the function-RVA array
012F7340    8B0413          MOV EAX,DWORD PTR DS:[EBX+EDX]           ; function RVA for this ordinal
012F7343    0385 A9050000   ADD EAX,DWORD PTR SS:[EBP+0x5A9]         ; -> VA. No forwarder check: a forwarded export would yield a pointer to a string, not code
012F7349    5F              POP EDI
012F734A    EB 19           JMP SHORT 00_aspac.012F7365
012F734C    57              PUSH EDI                                 ; ordinal lookup failed in another module: same fallback as above with the buffer at [EBP+0x52C]
012F734D    8B46 0C         MOV EAX,DWORD PTR DS:[ESI+0xC]
012F7350    0385 88040000   ADD EAX,DWORD PTR SS:[EBP+0x488]
012F7356    50              PUSH EAX
012F7357    53              PUSH EBX
012F7358    8D85 2C050000   LEA EAX,DWORD PTR SS:[EBP+0x52C]
012F735E    50              PUSH EAX
012F735F    57              PUSH EDI
012F7360    E9 C1000000     JMP 00_aspac.012F7426
012F7365    8907            MOV DWORD PTR DS:[EDI],EAX               ; write the resolved address into the IAT slot
012F7367    8385 AD050000 0>ADD DWORD PTR SS:[EBP+0x5AD],0x4         ; next thunk (+4)
012F736E  ^ E9 2FFFFFFF     JMP 00_aspac.012F72A2                    ; next function of the same DLL
012F7373    8906            MOV DWORD PTR DS:[ESI],EAX               ; end of this DLL. EAX still holds the VA of the terminating INT entry (set at 012F72B3) and is written over
012F7375    8946 0C         MOV DWORD PTR DS:[ESI+0xC],EAX           ;   OriginalFirstThunk, Name and FirstThunk of the descriptor, i.e. the descriptor is wrecked after use
012F7378    8946 10         MOV DWORD PTR DS:[ESI+0x10],EAX          ;   (apparently anti-dump). A dump taken after this point has no usable import directory; rebuild the IAT (e.g. ImpREC/Scylla)
012F737B    83C6 14         ADD ESI,0x14                             ; sizeof(IMAGE_IMPORT_DESCRIPTOR)
012F737E    8B95 88040000   MOV EDX,DWORD PTR SS:[EBP+0x488]
012F7384  ^ E9 E8FEFFFF     JMP 00_aspac.012F7271                    ; next DLL
012F7389    8BB5 88040000   MOV ESI,DWORD PTR SS:[EBP+0x488]         ; all imports done: ESI = image base
012F738F    8B7E 3C         MOV EDI,DWORD PTR DS:[ESI+0x3C]          ; e_lfanew
012F7392    03FE            ADD EDI,ESI                              ; EDI -> IMAGE_NT_HEADERS (the code from here to 012F73E7, including the loop head at 012F73B7, is not in the listing)
// Restore section memory protection and the original section Characteristics, then jump to the OEP.
// This excerpt starts mid-loop: the loop head 012F73B7, the earlier VirtualProtect argument pushes and
// the PUSH ECX are outside the listing.
012F73E7    FF77 08         PUSH DWORD PTR DS:[EDI+0x8]              ; dwSize = IMAGE_SECTION_HEADER.VirtualSize (EDI -> current section header)
012F73EA    0385 88040000   ADD EAX,DWORD PTR SS:[EBP+0x488]         ; EAX = section VA (EAX was loaded before the excerpt)
012F73F0    50              PUSH EAX                                 ; lpAddress
012F73F1    FF55 6A         CALL DWORD PTR SS:[EBP+0x6A]             ; VirtualProtect(section VA, VirtualSize, ...) -- return value not checked
012F73F4    59              POP ECX                                  ; restore the loop counter
012F73F5    AD              LODS DWORD PTR DS:[ESI]                  ; ESI -> per-section table kept by the stub: skip one dword ...
012F73F6    AD              LODS DWORD PTR DS:[ESI]                  ; ... and take the next one
012F73F7    8947 24         MOV DWORD PTR DS:[EDI+0x24],EAX          ; IMAGE_SECTION_HEADER.Characteristics = that value (presumably the original flags, undoing the packer's RWX)
012F73FA  ^ E2 BB           LOOPD SHORT 00_aspac.012F73B7            ; next section
012F73FC    FF55 6A         CALL DWORD PTR SS:[EBP+0x6A]             ; VirtualProtect on the PE header (arguments pushed outside the excerpt)
012F73FF    59              POP ECX
012F7400    B8 D2110000     MOV EAX,0x11D2                           ; OEP RVA, hard-coded by the packer. Also the target of the re-entry JNZ at 0041702F
012F7405    50              PUSH EAX
012F7406    0385 88040000   ADD EAX,DWORD PTR SS:[EBP+0x488]         ; EAX = OEP VA
012F740C    59              POP ECX                                  ; ECX = OEP RVA
012F740D    0BC9            OR ECX,ECX                               ; ZF = (OEP RVA == 0)
012F740F    8985 0E040000   MOV DWORD PTR SS:[EBP+0x40E],EAX         ; self-modifying: [EBP+0x40E] = 012F7421 = the imm32 of the PUSH at 012F7420 (the dump shows the pre-patch 0)
012F7415    61              POPAD                                    ; restore the registers saved at 00417001; POPAD leaves EFLAGS alone, so ZF from the OR survives
012F7416    75 08           JNZ SHORT 00_aspac.012F7420              ; OEP RVA != 0 -> go there
012F7418    B8 01000000     MOV EAX,0x1                              ; OEP RVA == 0: return TRUE
012F741D    C2 0C00         RETN 0xC                                 ; stdcall return popping 3 arguments (DllMain-style entry, presumably)
012F7420    68 00000000     PUSH 0x0                                 ; patched at run time to PUSH <OEP VA>; PUSH/RETN = indirect jump to the original entry point. Breakpoint here to dump the unpacked image
012F7425    C3              RETN
012F7426    8B85 8C040000   MOV EAX,DWORD PTR SS:[EBP+0x48C]         ; fallback import resolver reached from 012F730F/012F7360 (loads kernel32 base); the rest is not in the listing

转载于:https://www.cnblogs.com/ltyandy/p/11289601.html
