I came into contact with the . NET platform Ten years after it was born, and the reverse technology of the domestic . NET platform arose years ago. I am unfortunate, unfortunately, the start is later than the predecessors of about ten years, very regret to have the best time to devote to the game. Finally found that play more games and no eggs. I am also fortunate, fortunately, the predecessors have left too many exploration footprints on the . NET platform. I just have to follow their footsteps and move quickly without going around a lot of detours and hitting the wall. finally thanks to those who have written articles for posterity to learn the predecessors, although a lot of articles are seven or eight years ago, but useful to date. This article is neither cracked nor shelled, just a reverse angle analysis. NET program execution principle. Just hope to give you a chance to help me improve the next analysis process. ---------------------------------------------------Split Line----------------------------------------------------------
Debugging Environment:Windows XP SP3Note: Debug environment use the system before Win7 , the system after Win7 has changed. target object:A based on. NET Framework 2.0Framework-WrittenEXEfilethe tools you need:Ida,ollydbg,windbg,cffexplorer,depends
Debugging Environment:
Windows XP SP3
Note: Debug environment use the system before Win7 , the system after Win7 has changed.
target object:
an EXE file written based on the . NET Framework 2.0 Framework
the tools you need:
IDA,
ollydbg,
WinDBG,
Cffexplorer,
Depends
1. First we use CFF open a .net program, find the optional head, here is a 000030ce This is a rva ( relative virtual address ) addressofentrypont mark the loader to run load pe file is the address of the first instruction executed when the
2. we find ImageBase This field, its value is 00400000,imagebse It marks the ideal initial address ( base site )for the program to load into memory, and here is why the XP system is used to debug it . NET Program for the reasons that interested friends can study under.
3. we can see that the addressofentrypont is located in the . Text section, let's calculate this What is the physical address of 000030CE in the file:
physical addresses =rva-visual address+raw Address
Visual address=2000,Raw Address =
so: Physical Address =000030ce-2000+200=12ce
4. We switch to the hexadecimal editing interface, find the 12CE position, you can see these characters FF
5.FF 25 00 20 40 00What do you mean, we open it?ODtake a look. In theOD, we pressctrl+b, and then enterFFcan see thatFF25represented by the assembly instructions in theJMP, i.e. unconditional jump. Behind thexx, which is actually a memory address00402000, so the whole line of code is connected.jmp 00402000 (This means that the program is loaded and then jumps directly to00402000here to execute).
6. to verify the correctness of what we have just analyzed, we now need to use WinDBG for analysis. First load the target program into WinDBG, and the program will automatically break down. We can see the following information in the Command window, the program main module starts loading from 00400000, that is, we just in the CFF See in the ImageBase ( base site ) .
7. In conjunction with our earlier offset address 000030CE, we enter the command "u 00400000+000030ce" in the commands bar below, This instruction means to decompile 8 machine codes from address 00400000+000030CE.
8. after the carriage return to see a let us heart result,004030CE at the first 6 bytes decompile The corresponding assembly code for Jmp 00402000 , just to validate our previous analysis.
9. confirming that the previous analysis is completely correct, let us explore what 00402000 is . Next we enter DPS windowsformsapplication3+0x2000 in the command bar or you can enter DPS 00402000
after the carriage return, see the following information mscoree! Corexemain, you can see 00402000 This address represents the mscoree.dll of this module. The _CorExeMain function is located at 79004ddb .
if WinDBG does not seem so intuitive, then we continue to use OD to analyze it. We use OD to load the program,ctrl+g go to The address we see in WinDBG 79004ddb , and then F2 The breakpoint at this address.
re- loading and running the current program, the program executes to the point where we just down the breakpoint will automatically break down. Look at the value of the EIP in the Register ( Why look at the eip, because the eip Mark the next sentence that the program will execute ), we can clearly see that the next sentence of the program is going to be executed by the mscoree.dll in this module. The _CorExeMain function.
13.since the load of the program needs to be called toMscoree.dllin the_CorExeMainfunction, then it's easy to guess,_CorExeMainThe function is saved to the import table of the program and is called when the program is run. We areCFFswitch to the program in theIAT (Import Table), it is clear to see that. NETThe program importedMscoree.dllof the_CorExeMainfunction, which is also. NETthe unique import function for the program.
of Course, we can also use other analysis tools to analyze the DLLs that the current program relies on.
We load the target program with Depends , it is clear to see that the program only depends on The _ in Mscoree.dll The Corexemain function.
15. In summary, after the PE loader loaded the. NET image file, the first one is to execute a jmp Mscoree. _CorExeMain (here specifically the _CorExeMain in Mscoree is for a reason, There will be time to talk about what specifically indicates mscoree this module, and Microsoft's Mscoree.dll to launch our. NET managed runtime environment.
_CorExeMain What exactly does this function do, how do you start the managed Environment step-by-step, and so on, when you have time to continue writing.
. NET Platform principle debugging Analysis "one" windbg+ollydbg by: Cool Tour shallow pen deep Thrush
