A complete analysis of the EXELOCK technique

zhaozj2021-02-08  312

It's hard! That is the first thing I want to say.

Sometimes I didn't want to keep going, but I always believed that I could make it, so I stuck with it. What matters more is that my keyboard and mouse are not very responsive, and worse still, I can't even buy a new mouse!

When I first set out to write this program, I found that it is really simple in theory. Suppose I have a program called DoSomething, and our password-checking program is CheckPassword. We put CheckPassword in front of DoSomething; when someone wants to run DoSomething, CheckPassword pops up first, and if they enter the correct password we let them run DoSomething, otherwise we don't.

Simple, isn't it? But it only looks that way!

When we open this DoSomething.EXE, what we see is just a pile of garbled bytes. There is nothing like the begin and end we imagined; we can't even tell where the program starts, let alone where to put our own code. :)

To understand the structure of an EXE file, you must first know what the PE (Portable Executable) file format is. Below are some related articles; I recommend reading them first :)

Matt Pietrek's article Peering Inside the PE: A Tour of the Win32 Portable Executable File Format. He is one of my idols.

The Chinese translation by Mr. Jie! Well, I knew you would want this. Another idol :)

Microsoft Portable Executable and Common Object File Format Specification, the official documentation in MSDN.

If your English is not good, you can read this article instead.

If you don't understand the documents above, um... I can't help you, haha :)

Attaching one program to another so that it runs first can be divided into three steps:

1 Modify the PE file header information

2 Add a section table entry (Section Table)

3 Write the shell file

Below is my detailed description of these three steps.

1 Modify the PE file header information

.1 Increase the section count by one (NumberOfSections)

We added a section, so this naturally has to go up by one.

.2 Modify the program entry point (AddressOfEntryPoint)

This one needs no explanation! Oh, this address points to the entry of the shell file; be careful about adding ImageBase.

.3 Increase the code size (SizeOfCode)

It is the original size plus the size of the shell file (excluding the shell's headers).

.4 Increase the size of the memory image (SizeOfImage)

Likewise, the original size plus the size of the shell file (excluding the shell's headers).

.5 Modify the import table entry (DataDirectory[1].VirtualAddress)

This one is more important; please read it carefully.

We know that a Windows program generally makes API calls. The import table records the names or ordinals of the DLL functions the program calls. Since our shell program also uses API calls, we must change the import table entry to point to the shell's import table. At first I didn't want to modify this entry, but to keep the shell clean I simply changed the original program's import table entry. That caused another headache, though: we have to load the original program's imports ourselves. That is, the DLLs the original program references now have to be loaded by us. Um... you gain some, you lose some. The import table is there for the loader: when the program is run, the loader reads it and loads the DLLs automatically. Once we change the original program's entry, the loader loads the shell's import table and ignores the original program's import table (it doesn't know about it, so how could it handle it?). So the shell has to do this rough work itself.

.6 Modify the import table size (DataDirectory[1].Size)

This changes the import table size to the shell's.

2 Add a section table entry (Section Table)

.1 Add a section table entry ".boyu" after the last existing section table entry

Without this section entry, the system simply ignores whatever you appended.

3 Write the shell file

.1 Add the original program's image base to the address parts in the shell program's EXE file.

Mainly the DLL calls, plus the global variables.

.2 Save the original program's image base, AddressOfEntryPoint and import table entry (DataDirectory[1].VirtualAddress) into the shell program, at the file offsets of the corresponding variables in the shell program's EXE file.

.3 Write the three sections of the shell program's EXE file to the end of the original EXE file, paying attention to section alignment.

These three sections are merged into one, and the PointerToRawData written into the section table entry must take the alignment padding into account.
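The three steps above leave a recognisable footprint in the headers: NumberOfSections goes up by one, and both AddressOfEntryPoint and DataDirectory[1].VirtualAddress now resolve into the appended last section. The Python below is an added example, not the EXELOCK code or anything from the original post: it builds two constructed sets of PE32 headers (one normal, one patched as described, with a ".boyu" section) and checks for that footprint from a defender's point of view. The header offsets follow the PE/COFF specification; build_pe, pe_headers, section_of and entry_and_imports_in_last_section are names chosen here.

```python
import struct
# Header offsets follow the PE/COFF specification; the sample images below are
# constructed here (headers only, no code) and are not real executables.

def build_pe(sections, entry_rva, import_rva):
    """Minimal PE32 headers. sections: list of (name, virtual_address, virtual_size)."""
    opt = bytearray(224)                                  # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, import_rva, 0x28)   # DataDirectory[1]: import table
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    sec_tbl = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, va,
                                   vs, 0, 0, 0, 0, 0, 0x60000020) for n, va, vs in sections)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 60, 64)  # e_lfanew
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_tbl

def pe_headers(data):
    """Read the fields the wrapping technique touches, plus the section table."""
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    fh = e_lfanew + 4                                     # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, fh + 2)[0]      # NumberOfSections
    opt = fh + 20                                         # IMAGE_OPTIONAL_HEADER32 (PE32 assumed)
    tbl = opt + struct.unpack_from("<H", data, fh + 16)[0]  # + SizeOfOptionalHeader
    sections = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, tbl + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize))
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0],
            "import_rva": struct.unpack_from("<I", data, opt + 104)[0],
            "sections": sections}

def section_of(sections, rva):
    """Name of the section whose virtual range contains rva, or None."""
    return next((n for n, va, vs in sections if va <= rva < va + vs), None)

def entry_and_imports_in_last_section(data):
    """True when AddressOfEntryPoint and DataDirectory[1] both resolve to the last
    section: the footprint left when a shell section is appended as described above."""
    hdr = pe_headers(data)
    last = hdr["sections"][-1][0]
    return (section_of(hdr["sections"], hdr["entry"]) == last
            and section_of(hdr["sections"], hdr["import_rva"]) == last)

# Constructed samples: a normal layout, and the same image after a ".boyu" shell
# section is appended with the entry point and import directory redirected into it.
CLEAN = build_pe([(".text", 0x1000, 0x800), (".idata", 0x2000, 0x200)], 0x1100, 0x2000)
WRAPPED = build_pe([(".text", 0x1000, 0x800), (".idata", 0x2000, 0x200),
                    (".boyu", 0x3000, 0x600)], 0x3000, 0x3400)
```

On real files the same check needs the section's SizeOfRawData as well, since a packed section can declare a VirtualSize larger than its data on disk.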

For more information, please visit the VC Heaven website

http://www.vcheaven.net

Please credit the original source when reposting: https://www.9cbs.com/read-2673.html
