反逆向工程揭密（试炼篇）


IT资讯	系统天下	网盟学院


硬件DIY	软件下载	网络安全

您现在的位置： ChinaBeta.cn 中文IT资讯 >> 网盟学院 >> 编程类 >> 其它编程程序 >> 网管技术正文

	让我穿过那道"墙"! 畅游网络应…		主动防御！瑞星杀毒2008抢先评…
	速度超快 Discuz! 6.0.0试用手…		奇虎举证:各杀毒软件均报CNNIC…
	Google Earth 4.2加入繁体中文…		专业防护！瑞星防火墙2008测试…
	挂载RAR文件从认识到爱上WinM…		让你冲浪随心所欲如何访问被封…
	轻装上阵！江民杀毒软件2008速…		VMware Fusion苹果版全程图解(…
	VMware Fusion苹果版全程图解(…		从菜鸟出发!征服高清详细评测全…
	VS2008和ASP.NET 3.5使用之初体…		[多图]Ubuntu 7.04 初体验
	东风吹战鼓擂下载软件你选谁?		若隐若现 Windows XP DirectX …
	GPRS上网全攻略		主流杀毒软件Vista兼容性横评
	基于IRF的网络管理和业务管理解…		83个美丽的Wordpress主题
	软交换网络中的关键路由技术详…		不只是换肤?Windows Mobile 6 …
	css教程–十步学会用css建站(全…		巧妙设置路由预防网络频繁掉线
	打造网络管理七大绝技		CorelDRAW X3 Service Pack 2 …
	重温经典:回归 Live Messenger…		Oracle数据库补丁分类、安装及…

反逆向工程揭密（试炼篇）

Www.ChinaBeta.Cn 更新时间：2006-7-25 阅读次数：

【ChinaBeta.Cn 网盟学院】

2．鉴别并解释阻碍分析和逆向的技术。

Many techniques have been used in order to slow down analysis and break reverse engineers tools:
? PE Header Modifications
Many fields of the PE header were modified in order to disturb analysing tools, and thus, the Reverse Engineer. I will quickly cover the most important changes:
->Optional Header
Magic: 0x010B (HDR32_MAGIC)
MajorLinkerVersion: 0x02
MinorLinkerVersion: 0x19 -> 2.25
SizeOfCode: 0x00000200
SizeOfInitializedData: 0x00045400
SizeOfUninitializedData: 0x00000000
AddressOfEntryPoint: 0x00002000
BaseOfCode: 0x00001000
BaseOfData: 0x00002000
ImageBase: 0x00DE0000 <--- "Non Standard" ImageBase
SectionAlignment: 0x00001000
FileAlignment: 0x00001000
MajorOperatingSystemVersion: 0x0001
MinorOperatingSystemVersion: 0x0000 -> 1.00
MajorImageVersion: 0x0000
MinorImageVersion: 0x0000 -> 0.00
MajorSubsystemVersion: 0x0004
MinorSubsystemVersion: 0x0000 -> 4.00
Win32VersionValue: 0x00000000
SizeOfImage: 0x00049000
SizeOfHeaders: 0x00001000
CheckSum: 0x00000000
Subsystem: 0x0003 (WINDOWS_CUI)
DllCharacteristics: 0x0000
SizeOfStackReserve: 0x00100000
SizeOfStackCommit: 0x00002000
SizeOfHeapReserve: 0x00100000
SizeOfHeapCommit: 0x00001000
LoaderFlags: 0xABDBFFDE <--- Bogus Value
NumberOfRvaAndSizes: 0xDFFFDDDE <--- Bogus Value
The "standard" ImageBase usually is 400000 for Win32 applications and Reverse Engineers are used to analyse programs with such an ImageBase. While it isn't a protection by itself, this simple modification will confuse some Reverse Engineers, because they aren't used to such memory addresses.

包括以下这些：
（1）修改PE文件头：
目的：干扰工具的分析。附上重要的修改：
->Optional Header
Magic: 0x010B (HDR32_MAGIC)
MajorLinkerVersion: 0x02
MinorLinkerVersion: 0x19 -> 2.25
SizeOfCode: 0x00000200
SizeOfInitializedData: 0x00045400
SizeOfUninitializedData: 0x00000000
AddressOfEntryPoint: 0x00002000
BaseOfCode: 0x00001000
BaseOfData: 0x00002000
ImageBase: 0x00DE0000 <--- 非一般性基址
SectionAlignment: 0x00001000
FileAlignment: 0x00001000
MajorOperatingSystemVersion: 0x0001
MinorOperatingSystemVersion: 0x0000 -> 1.00
MajorImageVersion: 0x0000
MinorImageVersion: 0x0000 -> 0.00
MajorSubsystemVersion: 0x0004
MinorSubsystemVersion: 0x0000 -> 4.00
Win32VersionValue: 0x00000000
SizeOfImage: 0x00049000
SizeOfHeaders: 0x00001000
CheckSum: 0x00000000
Subsystem: 0x0003 (WINDOWS_CUI)
DllCharacteristics: 0x0000
SizeOfStackReserve: 0x00100000
SizeOfStackCommit: 0x00002000
SizeOfHeapReserve: 0x00100000
SizeOfHeapCommit: 0x00001000
LoaderFlags: 0xABDBFFDE <--- 伪值
NumberOfRvaAndSizes: 0xDFFFDDDE <--- 伪值
400000作为Win32应用程序的一般基址，常常被逆向者在分析程序时使用。当程序不能保护自身时，这种简单的修改就可以对逆向工程造成影响，
因为程序并不使用这样的内存地址。

"Anti" OllyDbg:
LoaderFlags and NumberOfRvaAndSizes were modified.. I have Reverse Engineered OllyDBG and Soft ICE to find a few tricks that could slow down the analysis of a binary. With those two modifications, Olly will pretend that the binary isn't a good image and will eventually run the application without breaking at its entry point. This could be a bad thing if you wanted to debug a malware on your computer, because you would get infected.

反OllyDbg:
通过修改LoaderFlags和NumberOfRvaAndSizes实现。逆向OllyDbg和SoftICE后，我们会发现这种方法可以阻碍二进制代码的分析，因为程序会认为此二进制不是正确的基址，从而不在入口点处执行。导致直接的后果是：如果你调试一个病毒程序，你的计算机将会被感染。

上一页 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] 下一页