Create your own shell checking tool

Text/FIG
Shell is a tool for protecting software. It has both encrypted and compressed shells, and some have both functions. I don't know much about shell, but I'm afraid of making mistakes, which affects my image in front of everyone. I will not talk much about it. I will only talk about my purpose today. I would like to discuss with you some implementation methods for compiling the shell check tool. I will only share my methods with you. If you have any shortcomings, I would like to welcome correction and criticism.
PEiD must have been used by many people? Our friends, especially those in the hacker line, are even more familiar with it. Why can PEiD shell be checked? This is because peidhas a local data database. The name of my peiddata database is "“userdb.txt". Let's copy it for you!
 
[ASPack v2.12]
Signature = 60 E8 03 00 00 00 E9 EB 04 5D 45 55 C3 E8 01
Ep_only = true
 
The first line is the name version of the shelling software, and the second line is the shell pattern. I don't know the third line, but we don't need to worry about it, because it has nothing to do with our article. The most important thing is the name and signature of the shelling software, because what is the shell query? Check the name of the shell software! How to check? Check the signature! In fact, I found that PEiD uses continuous signatures, and most of them are signatures starting from the program entrance. This method is also normal. Some of the experts of anti-DDoS pro can use OD to open the software to be debugged. As soon as they look at the previous lines, they will know what shell this software has added (sweat! The anti-DDoS pro is amazing ). Let's take a look at Figure 1. We can see that the signature is indeed extracted from the file entry point and is continuous.

Figure 1
With this method, we will know what to do. What should I do? Find the file entry point first! The file entry point is actually saved in a structure of the PE file. You can refer to MSDN for more information. The entry point is generally saved in the AddressOfEntryPoint member in the IMAGE_OPTIONAL_HEADER structure. If you read the value of this Member, the entry point is found. I remember someone once said "There is no secret in front of the source code", so let's look at the Code directly.
 
IMAGE_DOS_HEADER * pDosHeader = (IMAGE_DOS_HEADER *) lpBase;
PNtHeader = (IMAGE_NT_HEADERS *) (char *) lpBase + pDosHeader-> e_lfanew );
DwOEP = pNtHeader-> OptionalHeader. AddressOfEntryPoint;
 
The value of the entry point is saved in dwOEP. Is it easy? However, before that, we should first determine whether the opened file is a PE file and then read the entry point. However, I still omitted some operations such as opening files and ing file views, but it is also very simple, and the code is just two or three lines.
 
HFile = CreateFile (FileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0 );
HMap = CreateFileMapping (hFile, NULL, PAGE_READONLY, 0, 0 );
LpBase = MapViewOfFile (hMap, FILE_MAP_READ, 0, 0 );
 
If there is no error handling sentence in this case, we can make sure that all of them can be returned normally. All the previous steps were successful, but how can we read N signatures at the entrance and exit points? What reading is used? ReadFile ()? ReadProcessMemory ()? To be honest, it was really hard for me to solve this problem. Which file handle is used for reading with ReadFile? How to locate it? I cannot think of it. Which process is read if ReadProcessMemory () is used? I do not know. What should we do? As a result, I found a "file offset" button on the PEiD. What is the file offset? Use UltraEdit32 to open the file opened in PEiD and check the content of the "00001001" offset, as shown in Figure 2. I did not expect to find the legendary signature at the file offset. Okay, let's start from here. But how can I find the "file offset? Let's continue.

Figure 2
In fact, the entry point we found is a relative offset address (RVA). As the name suggests, it is a "relative" address, that is, an "offset ". So how can RVA be converted to a file offset? Does Microsoft provide API functions in this regard? Therefore, we can only solve it by ourselves. My method is too stupid. There are three steps: first, Scan each section table cyclically to obtain the RVA of each section in the memory (saved in the VirtualAddress member of IMAGE_SECTION_HEADERD ), and the size of this section (saved in SizeOfRawData of IMAGE_SECTION_HEADERD); judge whether the RVA of our entry point is within the range of a specific section; finally, in a section, use our RVA minus the starting RVA of the Section and add the file offset of the Section in the file. The method looks complicated, but the implementation is not complicated. It involves the structure of the PE file header. Let's still look at the code implementation first.
 
For (I = 0; I <pNtHeader-> FileHeader. NumberOfSections; I ++)
{
If (dwOEP> = (mongocheader [I]. VirtualAddress) & (dwOEP <(mongocheader [I]. VirtualAddress + mongocheader [I]. SizeOfRawData )))
{
FileOffSet = dwOEP-example cheader [I]. VirtualAddress + example cheader [I]. PointerToRawData;
Break;
}
}

The FileOffSet in the Code saves our file offset address. In this case, we will start to read our signature from the obtained file offset address. The program I used to read the signature is the one I used. The method for reading the signature is not too much. It is simpler to read the code directly.
 
HFile = CreateFile (FileName, GENERIC_READ, file_pai_read, NULL, OPEN_EXISTING,
SetFilePointer (hFile, FileOffSet, NULL, FILE_BEGIN );
ReadFile (hFile, buffer, 15, (unsigned long *) a, NULL );
 
Because the ASPack v2.12 features a total of 15 characters, the ReadFile () function can read 15 characters. After reading the signature, the last step is to compare it.
 
For (int I = 0; I <16; I ++)
{
If (buffer [I]! = Code [I])
{
Lstrcpy (types, "No found ");
Break;
}
Else if (I = 15)
{
Lstrcpy (types, "Aspack v2.12 ");
}
}

The code I provided is relatively simple, and the implementation of comparative signatures is not very good, but I am afraid it cannot be achieved by comparing functions such as strcmp, because the signature has the character "00.
Well, the whole program is like this, as shown in test result 3. Do you think our entry point and file offset are different from those of PEiD? This is because PEiD is in hexadecimal notation, while ours is in hexadecimal notation. The value size is actually no different, but the representation method is different.

Figure 3
At last, let's take a look at the extensibility knowledge. After all, we also mentioned the concept of signature. We also need to copy a signature from “userdb.txt.
 
[ASPack v1.07b]
Signature = 90 75 ?? E9
Ep_only = true
 
This is clearly the ASPack1.07 signature, but the "?" What does that mean? Actually, "?" Is a wildcard. No matter what character the signature is, just follow "?" If compared, it can be ignored. Besides "?", In addition, "%" means repetition. For example, "% 3 45" means "45" in the next three positions ". These two Wildcards are used in anti-virus software.