Heute kam endlich mein neues Buch per Post an. Reverse – Secrets of Reverse Engineering. Damit werde ich wohl einige Zeit verbringen. Reverse Engineering ist einfach ein sehr komplex aber sehr interessantes Thema. Vor allem wie ein Programm auf dem Low-Level funktioniert und welche Strukturen dahinterstehen. Am meisten Spaß macht mir Reversing von Malware. Sehr interessant was für Funktionen hinter so manchem Virus stecken.
Derzeit werfe ich meinen Regenbogen1 mit rcracki_mt aus. Macht eine recht gute Arbeit und hat einen effektiven Weg die Tables platzsparend zu speichern.
Hier gibt es gute Tabellen.
| C++ | | copy code | | ? |
| 001 | #include <windows .h> |
| 002 | #include <tlhelp32 .h> |
| 003 | #include <shlwapi .h> |
| 004 | #define PROC_NAME "target.exe" |
| 005 | #define DLL_NAME "injected.dll" |
| 006 | unsigned long GetTargetProcessIdFromProcname(char *procName); |
| 007 | unsigned long GetTargetThreadIdFromProcname(char *procName); |
| 008 | __declspec(naked) loadDll(void) |
| 009 | { |
| 010 | _asm |
| 011 | { |
| 012 | // Placeholder for the return address |
| 013 | push 0xDEADBEEF |
| 014 | // Save the flags and registers |
| 015 | pushfd |
| 016 | pushad |
| 017 | // Placeholder for the string address and LoadLibrary |
| 018 | push 0xDEADBEEF |
| 019 | mov eax, 0xDEADBEEF |
| 020 | // Call LoadLibrary with the string parameter |
| 021 | call eax |
| 022 | // Restore the registers and flags |
| 023 | popad |
| 024 | popfd |
| 025 | // Return control to the hijacked thread |
| 026 | ret |
| 027 | } |
| 028 | } |
| 029 | |
| 030 | __declspec(naked) loadDll_end(void) |
| 031 | { |
| 032 | } |
| 033 | int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow) |
| 034 | { |
| 035 | void *dllString; |
| 036 | void *stub; |
| 037 | unsigned long wowID, threadID, stubLen, oldIP, oldprot, loadLibAddy; |
| 038 | HANDLE hProcess, hThread; |
| 039 | CONTEXT ctx; |
| 040 | stubLen = (unsigned long)loadDll_end - (unsigned long)loadDll; |
| 041 | loadLibAddy = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); |
| 042 | wowID = GetTargetProcessIdFromProcname(PROC_NAME); |
| 043 | hProcess = OpenProcess((PROCESS_VM_WRITE | PROCESS_VM_OPERATION), false, wowID); |
| 044 | dllString = VirtualAllocEx(hProcess, NULL, (strlen(DLL_NAME) + 1), MEM_COMMIT, PAGE_READWRITE); |
| 045 | stub = VirtualAllocEx(hProcess, NULL, stubLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE); |
| 046 | WriteProcessMemory(hProcess, dllString, DLL_NAME, strlen(DLL_NAME), NULL); |
| 047 | threadID = GetTargetThreadIdFromProcname(PROC_NAME); |
| 048 | hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, threadID); |
| 049 | SuspendThread(hThread); |
| 050 | ctx.ContextFlags = CONTEXT_CONTROL; |
| 051 | GetThreadContext(hThread, &ctx); |
| 052 | oldIP = ctx.Eip; |
| 053 | ctx.Eip = (DWORD)stub; |
| 054 | ctx.ContextFlags = CONTEXT_CONTROL; |
| 055 | VirtualProtect(loadDll, stubLen, PAGE_EXECUTE_READWRITE, &oldprot); |
| 056 | memcpy((void *)((unsigned long)loadDll + 1), &oldIP, 4); |
| 057 | memcpy((void *)((unsigned long)loadDll + 8), &dllString, 4); |
| 058 | memcpy((void *)((unsigned long)loadDll + 13), &loadLibAddy, 4); |
| 059 | WriteProcessMemory(hProcess, stub, loadDll, stubLen, NULL); |
| 060 | SetThreadContext(hThread, &ctx); |
| 061 | ResumeThread(hThread); |
| 062 | Sleep(8000); |
| 063 | VirtualFreeEx(hProcess, dllString, strlen(DLL_NAME), MEM_DECOMMIT); |
| 064 | VirtualFreeEx(hProcess, stub, stubLen, MEM_DECOMMIT); |
| 065 | CloseHandle(hProcess); |
| 066 | CloseHandle(hThread); |
| 067 | return 0; |
| 068 | } |
| 069 | unsigned long GetTargetProcessIdFromProcname(char *procName) |
| 070 | { |
| 071 | PROCESSENTRY32 pe; |
| 072 | HANDLE thSnapshot; |
| 073 | BOOL retval, ProcFound = false; |
| 074 | thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); |
| 075 | if(thSnapshot == INVALID_HANDLE_VALUE) |
| 076 | { |
| 077 | MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); |
| 078 | return false; |
| 079 | } |
| 080 | pe.dwSize = sizeof(PROCESSENTRY32); |
| 081 | retval = Process32First(thSnapshot, &pe); |
| 082 | while(retval) |
| 083 | { |
| 084 | if(StrStrI(pe.szExeFile, procName) ) |
| 085 | { |
| 086 | ProcFound = true; |
| 087 | break; |
| 088 | } |
| 089 | retval = Process32Next(thSnapshot,&pe); |
| 090 | pe.dwSize = sizeof(PROCESSENTRY32); |
| 091 | } |
| 092 | CloseHandle(thSnapshot); |
| 093 | return pe.th32ProcessID; |
| 094 | } |
| 095 | unsigned long GetTargetThreadIdFromProcname(char *procName) |
| 096 | { |
| 097 | PROCESSENTRY32 pe; |
| 098 | HANDLE thSnapshot, hProcess; |
| 099 | BOOL retval, ProcFound = false; |
| 100 | unsigned long pTID, threadID; |
| 101 | thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); |
| 102 | if(thSnapshot == INVALID_HANDLE_VALUE) |
| 103 | { |
| 104 | MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL); |
| 105 | return false; |
| 106 | } |
| 107 | pe.dwSize = sizeof(PROCESSENTRY32); |
| 108 | retval = Process32First(thSnapshot, &pe); |
| 109 | while(retval) |
| 110 | { |
| 111 | if(StrStrI(pe.szExeFile, procName) ) |
| 112 | { |
| 113 | ProcFound = true; |
| 114 | break; |
| 115 | } |
| 116 | retval = Process32Next(thSnapshot,&pe); |
| 117 | pe.dwSize = sizeof(PROCESSENTRY32); |
| 118 | } |
| 119 | CloseHandle(thSnapshot); |
| 120 | _asm { |
| 121 | mov eax, fs:[0x18] |
| 122 | add eax, 36 |
| 123 | mov [pTID], eax |
| 124 | } |
| 125 | hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID); |
| 126 | ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL); |
| 127 | CloseHandle(hProcess); |
| 128 | return threadID; |
| 129 | }</shlwapi></tlhelp32></windows> |
Hier ein kleines BATCH Script um sein System zu defragmentieren und danach evtl. herunterfahren. Vielleicht kann es jemand gebrauchen. Ist irgendwann aus Bequemlichkeit entstanden da ich gerne über Nacht eine Defragmentierung laufen lasse.
| DOS | | copy code | | ? |
| 01 | @echo off |
| 02 | cls |
| 03 | title Defragmentierung |
| 04 | color 17 |
| 05 | |
| 06 | echo. |
| 07 | echo. |
| 08 | echo __ |
| 09 | echo ____ ___ ^| ^| |
| 10 | echo ^| ^\ ___^| _^|___ ___ ___ ___ _____^| ^| |
| 11 | echo ^| ^| ^| -_^| _^| _^| .'^| . ^| ^| -_^| ^|__^| |
| 12 | echo ^|____/^|___^|_^| ^|_^| ^|__,^|_ ^| ^|___^|_^|_^|_^|__^| |
| 13 | echo ^|___^| |
| 14 | echo. |
| 15 | echo. |
| 16 | |
| 17 | AT > NUL |
| 18 | IF %ERRORLEVEL% EQU 0 ( |
| 19 | goto start |
| 20 | ) ELSE ( |
| 21 | goto fail |
| 22 | ) |
| 23 | |
| 24 | :start |
| 25 | echo. |
| 26 | echo. |
| 27 | echo. |
| 28 | echo Shutdown nach formatierung? (y/n) |
| 29 | set /p shutdown= |
| 30 | echo Volume eingeben oder alle? (volume:/all) |
| 31 | set /p volume= |
| 32 | if %volume%==all ( |
| 33 | defrag /C /H /U /V |
| 34 | ) else ( |
| 35 | defrag %volume% /H /U /V |
| 36 | ) |
| 37 | echo. |
| 38 | echo. |
| 39 | echo. |
| 40 | echo Defragmentierung beendet |
| 41 | if %shutdown%==y ( |
| 42 | goto shutdown |
| 43 | ) else ( |
| 44 | goto END |
| 45 | ) |
| 46 | |
| 47 | :fail |
| 48 | color 47 |
| 49 | echo. |
| 50 | echo FEHLER |
| 51 | echo. |
| 52 | echo Administratorrechte benoetigt! |
| 53 | echo Bitte mit Administratorrechten starten |
| 54 | goto END |
| 55 | |
| 56 | :shutdown |
| 57 | echo. |
| 58 | echo. |
| 59 | echo Fahre System herunter! |
| 60 | echo. |
| 61 | echo. |
| 62 | PING 127.0.0.1 > NUL 2>&1 |
| 63 | shutdown /s /c "Defragmentierung fertig. Fahre herunter" /t 20 /f |
| 64 | |
| 65 | :END |
| 66 | echo. |
| 67 | echo. |
| 68 | echo ************************************** |
| 69 | echo. |
| 70 | echo ESC zum Beenden |
| 71 | echo. |
| 72 | echo. |
| 73 | pause>nul |
