[Zheng Wen]
I rarely write a document. Recently, some new users often ask shell lookup tools to find out what shell is, and finally find out how to remove shell... here I will simply use a sample program to talk about shell removal.
Method.
Generally, this kind of non-public shell won't be too fierce (except for the shells of the insiders such as hying, vcasm, and jingulong). Most of them are self-built shells, and some are disguised
As a result, the shell check tool cannot find out or find out what ASPack, UPX's shell. Don't be too afraid of this shell. It's generally okay to follow up and analyze it carefully.
Generally, the program running after shelling mostly uses the antidebugger of various methods, which is mixed with a lot of flowers and spam commands and then decoded,
It is also a bunch of antidebugger, which may be decoded and restored to IAT. It is also a bunch of antidebugger... and finally jumps to the real OEP of the program to deal with such shells.
The method is to first find the OEP and then fix the IAT
When the shell jumps to OEP, it is generally a cross-segment jump. There are many jump methods, such as jmp xxxxxxxx, JMP [XXXXXXXX], je [XXXXXXXX],
Push XXXXXXXX ret, call XXXXXXXXX, call [XXXXXXXX], call eax... some also directly specify the EIP in Seh, and so on. Find the jump address,
Set the breakpoint on the corresponding address, and run F9 to reach the OEP. This is the best dump time.
IAT is usually repaired using importrec. Fill in the oep rva, click iatautosearch, and then getimport. If all the APIS found are valid, click
Fix dump. If there is any invalid API, you need to fix it. First, Click Show invalid and right-click the invalid API. There are three repair levels, which are disasm,
Hook and trap flag. You can try them one by one. If all APIs are valid or only one or two APIs are invalid, you can click fix dump.
Fixed.
The method for manually repairing IAT is that normally the shell will recover IAT or destroy IAT during running. You can dump finished IAT after IAT is restored or before IAT is damaged,
Use a hexadecimal editor to copy the complete IAT to the dump file. It is not difficult to do more exercises.
Let's look at the Target Program "Songxue driving 6.6" and check it with peid. ASPack 2.12-> Alexey solodovnikov
Load with OD, prompting that the entry point is outside the code (do not ask how to determine whether the program is shelled in the future, if this prompt is loaded with OD, it indicates that the program is shelled ),
Click OK to check whether the analysis is performed. Click No to go to the entrance.
006af001 D> 60 pushad; shell code entry
006af002 E8 03000000 call drvstudy.006af00a; instructions for follow-up by F7
006af007-E9 eb045d45 JMP 45c7f4f7
006af00c 55 push EBP
006af00d C3 retn
006af00e E8 01000000 call drvstudy.006af014
006af013 EB 5d JMP short drvstudy.006af072
Call drvstudy.006af00a at 006af002, and the Code does not contain 006af00a. It is because the code is analyzed by the command OD error and followed up by F7.
At 006af00a, such close-range call is actually a deformed JMP. Follow up with F7. If F8 is skipped, it will hit the trap inside.
006af00a 5d pop EBP; drvstudy.006af007, jump here
006af00b 45 Inc EBP; EBP + 1
006af00c 55 push EBP; jump to the EBP address
006af00d C3 retn
Coming
006af008/EB 04 JMP short drvstudy.006af00e; here
006af00a | 5d pop EBP
006af00b | 45 Inc EBP; EBP + 1
006af00c | 55 push EBP; jump to the EBP address
006af00d | C3 retn
006af00e/E8 01000000 call drvstudy.006af014; deformation jump, F7 follow up
006af014 5d pop EBP
006af015 BB edffffff mov EBX,-13
006af01a 03dd add EBX, EBP
006af01c 81eb 00f02a00 sub EBX, 2af000; code relocation
006af022 83bd 22040000 00 cmp dword ptr ss: [EBP + 422], 0; variable EBP + 422 is the base address of Storage
006af029 899d 22040000 mov dword ptr ss: [EBP + 422], EBX
006af02f/0f85 65030000 jnz drvstudy.006af39a; skip this step
006af035 | 8d85 2e040000 Lea eax, dword ptr ss: [EBP + 42e]; "kernel32.dll"
006af03b | 50 push eax; parameter into Stack
006af03c | ff95 4d0f0000 call dword ptr ss: [EBP + F4D]; kernel32.getmodulehandlea
006af042 | 8985 26040000 mov dword ptr ss: [EBP + 426], eax; the handle of kernel32.dll is stored in EBP + 426
006af048 8bf8 mov EDI, eax; kernel32.77e40000
006af04a 8d5d 5E Lea EBX, dword ptr ss: [EBP + 5E]; "virtualalloc"
006af04d 53 push EBX
006af04e 50 push eax; kernel32.dll handle
006af04f ff95 490f0000 call dword ptr ss: [EBP + f49]; getprocaddress
006af055 8985 4d050000 mov dword ptr ss: [EBP + 54d], eax; store the virtualalloc function address to EBP + 54d
006af05b 8d5d 6B Lea EBX, dword ptr ss: [EBP + 6B]; "virtualfree"
006af05e 53 push EBX
006af05f 57 push EDI; kernel32.dll handle into Stack
006af060 ff95 490f0000 call dword ptr ss: [EBP + f49]; getprocaddress
006af066 8985 51050000 mov dword ptr ss: [EBP + 551], eax; store the virtualfree function address to EBP + 511
006af06c 8d45 77 Lea eax, dword ptr ss: [EBP + 77]; jump address load eax
006af06f ffe0 JMP eax; jump to the place pointed by eax
006af08a 8b9d 31050000 mov EBX, dword ptr ss: [EBP + 531]; here, EBX = 0
006af090 0bdb or EBX, EBX
006af092/74 0a je short drvstudy.006af09e; EBX = 0, skip
006af094 | 8b03 mov eax, dword ptr ds: [EBX]
006af096 | 8785 35050000 xchg dword ptr ss: [EBP + 535], eax
006af09c | 8903 mov dword ptr ds: [EBX], eax
006af09e/8db5 69050000 Lea ESI, dword ptr ss: [EBP + 569]; jump here, ESI points to a flag
006af0a4 833e 00 cmp dword ptr ds: [esi], 0
006af0a7/0f84 21010000 je drvstudy.006af1ce; not 0, skip
006af0ad 6a 04 Push 4
006af0af 68 00100000 push 1000
006af0b4 68 00180000 push 1800
006af0b9 6a 00 push 0
006af0bb ff95 4d050000 call dword ptr ss: [EBP + 54d]; allocate memory
The C language is described
Virtualalloc (null, Zero X 1800, mem_commit, page_readwrite );
006af0c7 8b46 04 mov eax, dword ptr ds: [ESI + 4]
006af0ca 05 0e010000 add eax, 10E
006af0cf 6a 04 Push 4
006af0d1 68 00100000 push 1000
006af0d6 50 push eax
006af0d7 6a 00 push 0
006af0d9 ff95 4d050000 call dword ptr ss: [EBP + 54d]; allocate memory again. eax indicates the memory size required.
006af0df 8985 52010000 mov dword ptr ss: [EBP + 152], eax; allocated 2nd pieces of memory saw handle stored in EBP + 152
006af0e5 56 push ESI
006af0e6 8b1e mov EBX, dword ptr ds: [esi]
006af0e8 039d 22040000 add EBX, dword ptr ss: [EBP + 422]
006af0ee ffb5 56010000 push dword ptr ss: [EBP + 156]; 0x401000
006af0f4 ff76 04 push dword ptr ds: [ESI + 4]
006af0f7 50 push eax
006af0f8 53 push EBX
006af0f9 E8 6e050000 call drvstudy.006af66c; decompress the code
006af0fe B3 01 mov BL, 1
006af100 80fb 00 cmp bl, 0
006af103 75 5E jnz short drvstudy.006af163
006af105 fe85 ec000000 Inc byte ptr ss: [EBP + EC]
006af10b 8b3e mov EDI, dword ptr ds: [esi]
006af10d 03bd 22040000 add EDI, dword ptr ss: [EBP + 422]
006af113 ff37 push dword ptr ds: [EDI]; protect code at 0x401000
006af115 c607 C3 mov byte ptr ds: [EDI], 0c3; change the code at 0x401000 to ret
006af118 ffd7 call EDI; spam call
006af11a 8f07 pop dword ptr ds: [EDI]; restore code at 0x401000
F8 one step below a little bit, come
006af12d 0bc9 or ECX, ECx
006af12f 74 2E je short drvstudy.006af15f
006af131 78 2C JS short drvstudy.006af15f
006af1_ac lods byte ptr ds: [esi]
006af134 3C E8 CMP Al, 0e8
006af136 74 0a je short drvstudy.006af142
006af138 EB 00 JMP short drvstudy.006af13a
006af13a 3C E9 CMP Al, 0e9
006af13c 74 04 je short drvstudy.006af142
006af13e 43 Inc EBX
006af13f 49 dec ECx
006af140 ^ eb jmp short drvstudy.006af12d
006af142 8b06 mov eax, dword ptr ds: [esi]; set a breakpoint here
Find the place where opcode is E8 or E9. If F9 is disconnected after running, content of EBX = 1fe, eax = [esi] will be compared to the place pointed by ESI.
006af144/EB 00 JMP short drvstudy.006af146
006af146/803e 36 CMP byte ptr ds: [esi], 36; compare whether the opcode of the 2nd bytes is 36
006af149 ^ 75 F3 jnz short drvstudy.006af13e; If yes, no jump is made. Here, no jump is made for 36.
006af14b 24 00 and Al, 0
006af14d c1c0 18 ROL eax, 18; Decoding
006af150 2bc3 sub eax, EBX; Decoding
006af152 8906 mov dword ptr ds: [esi], eax; decoded code stored in the place pointed by ESI
006af154 83c3 05 add EBX, 5
006af157 83c6 04 add ESI, 4
006af15a 83e9 05 Sub ECx, 5
006af15d ^ EB ce JMP short drvstudy.006af12d; jump up
It can be determined that the above Code is decoded, and the code at c30000 will be decoded. a breakpoint is set for the next command at 006af15d, and F9 is run and disconnected.
006af15f 5B pop EBX; disconnected, decoded
006af160 5E pop ESI
006af161 59 pop ECx
006af162 58 pop eax
006af163 EB 08 JMP short drvstudy.006af16d; hop
006af16d 8bc8 mov ECx, eax; here
006af16f 8b3e mov EDI, dword ptr ds: [esi]; code segment offset
006af171 03bd 22040000 add EDI, dword ptr ss: [EBP + 422]; base address + offset, pointing to code segment
006af177 8bb5 52010000 mov ESI, dword ptr ss: [EBP + 152]; decoded correct code address
006af17d c1f9 02 SAR ECx, 2
006af180 F3: A5 rep movs dword ptr es: [EDI], DWORD>; fill in the correct code
006af182 8bc8 mov ECx, eax
006af184 83e1 03 and ECx, 3
006af187 F3: A4 rep movs byte ptr es: [EDI], byte Pt>; fill in the correct code
006af189 5E pop ESI
006af18a 68 00800000 push 8000
006af18f 6a 00 push 0
006af191 ffb5 52010000 push dword ptr ss: [EBP + 152]
006af197 ff95 51050000 call dword ptr ss: [EBP + 551]; virtualfree
006af19d 83c6 08 add ESI, 8
006af1a0 833e 00 cmp dword ptr ds: [esi], 0; Decoding complete? Success
006af1a3 ^ 0f85 1 effffff jnz drvstudy.006af0c7; jump to the top
Therefore, it can be determined that this large segment 006af0c7-006af1a3 is decoded code. Set a breakpoint in the next command at 006af1a3, run F9, and stop
006af1a9 68 00800000 push 8000; disconnected
006af1ae 6a 00 push 0
006af1b0 ffb5 56010000 push dword ptr ss: [EBP + 156]
006af1b6 ff95 51050000 call dword ptr ss: [EBP + 551]; virtualfree
Memory released
006af1bc 8b9d 31050000 mov EBX, dword ptr ss: [EBP + 531]; EBX = 0
006af1c2 0bdb or EBX, EBX
006af1c4 74 08 je short drvstudy.006af1ce; EBX = 0, skip
006af1c6 8b03 mov eax, dword ptr ds: [EBX]
006af1c8 8785 35050000 xchg dword ptr ss: [EBP + 535], eax
006af1ce 8b95 22040000 mov edX, dword ptr ss: [EBP + 422]; jump here, EBX = 0x400000, base address
006af1d4 8b85 2d050000 mov eax, dword ptr ss: [EBP + 52d]; eax = 0x400000
006af1da 2bd0 sub edX, eax
006af1dc 74 79 je short drvstudy.006af257; ECx = 0, skip
Here is how to restore IAT.
006af257 8b95 22040000 mov edX, dword ptr ss: [EBP + 422]; jump here, EDX = 0x400000, base address
006af25d 8bb5 41050000 mov ESI, dword ptr ss: [EBP + 541]; ESI = 0
006af263 0bf6 or ESI, ESI
006af265 74 11 je short drvstudy.006af278; ESI = 0, skip
006af267 03f2 add ESI, EDX
006af269 ad lods dword ptr ds: [esi]
006af26a 0bc0 or eax, eax
006af26c 74 0a je short drvstudy.006af278
006af26e 03c2 add eax, EDX
006af270 8bf8 mov EDI, eax
006af272 66: Ad lods word ptr ds: [esi]
006af274 66: AB STOs word PTR ES: [EDI]
006af276 ^ EB F1 JMP short drvstudy.006af269
006af278 be 1_1e00 mov ESI, 1e0000; jump here, ESI = 1e0000
006af27d 8b95 22040000 mov edX, dword ptr ss: [EBP + 422]; edX = base address
006af283 03f2 add ESI, EDX; ESI = 51e0000
006af285 8b46 0C mov eax, dword ptr ds: [ESI + C]; pointing to the rva of the next dll file name
006af288 85c0 test eax and eax; Skip if it is not empty
006af28a 0f84 0a010000 je drvstudy.006af39a
006af290 03c2 add eax, EDX; get the name of the next DLL file
006af292 8bd8 mov EBX, eax
006af294 50 push eax
006af295 ff95 4d0f0000 call dword ptr ss: [EBP + F4D]; get the handle of kernel32.dll
006af29b 85c0 test eax, eax; success, skip
006af29d 75 07 jnz short drvstudy.006af2a6
006af29f 53 push EBX
006af2a0 ff95 510f0000 call dword ptr ss: [EBP + f51]
006af2a6 8985 45050000 mov dword ptr ss: [EBP + 545], eax; jump here, the kernel32.dll handle is saved to EBP + 545
006af2ac c785 49050000 00000000 mov dword ptr ss: [EBP + 549], 0; [EBP + 549] = 0
006af2b6 8b95 22040000 mov edX, dword ptr ss: [EBP + 422]; edX = base address
006af2bc 8b06 mov eax, dword ptr ds: [esi]; eax = 0
006af2be 85c0 test eax, eax
006af2c0 75 03 jnz short drvstudy.006af2c5; eax = 0, skip
006af2c2 8b46 10 mov eax, dword ptr ds: [ESI + 10]; IAT firthunk base address
006af2c5 03c2 add eax, EDX
006af2c7 0385 49050000 add eax, dword ptr ss: [EBP + 549]; point to the next API
006af2cd 8b18 mov EBX, dword ptr ds: [eax]
006af2cf 8b7e 10 mov EDI, dword ptr ds: [ESI + 10]
006af2d2 03fa add EDI, EDX
006af2d4 03bd 49050000 add EDI, dword ptr ss: [EBP + 549]
006af2da 85db test EBX, EBX
006af2dc 0f84 a2000000 je drvstudy.006af384
006af2e2 f7c3 00000080 test EBX, 80000000
006af2e8 75 04 jnz short drvstudy.006af2ee
006af2ea 03da add EBX, EDX
006af2ec 43 Inc EBX; function name
006af2ed 43 Inc EBX; function name
006af2ee 53 push EBX
006af2ef 81e3 ffffff7f and EBX, 7 fffffff
006af2f5 53 push EBX; function name into Stack
006af2f6 ffb5 45050000 push dword ptr ss: [EBP + 545]; kernel32.dll handle into Stack
006af2fc ff95 490f0000 call dword ptr ss: [EBP + f49]; getprocaddress
006af302 85c0 test eax, eax
006af304 5B pop EBX
006af305 75 6f jnz short drvstudy.006af376; hop
After the API function address is successfully retrieved, jump to the following area.
006af376 8907 mov dword ptr ds: [EDI], eax; the address to which the API address is stored in EDI
006af378 8385 49050000 04 add dword ptr ss: [EBP + 549], 4; obtain the next API
006af37f ^ E9 32 ffffff JMP drvstudy.006af2b6; hop
006af384 8906 mov dword ptr ds: [esi], eax
006af386 8946 0C mov dword ptr ds: [ESI + C], eax
006af389 8946 10 mov dword ptr ds: [ESI + 10], eax
006af38c 83c6 14 add ESI, 14
006af38f 8b95 22040000 mov edX, dword ptr ss: [EBP + 422]
006af395 ^ E9 ebfeffff JMP drvstudy.006af285; Skip to restore the function in the next imported DLL
After this large loop is completed, the IAT will be restored... This IAT is not damaged. According to general experience, there will be such a large loop during shell operation to restore IAT,
Some are damaged. Therefore, when you encounter getmodulehandlea, loadlibrarya, and getprocaddress in a loop, you must be careful and write it down,
It is possible that when importrec does not return the API function, it will be used to manually fix the IAT.
After the loop, come here
006af39a B8 08cf1c00 mov eax, 1ccf08; OEP RVA
006af39f 50 push eax
006af3a0 0385 22040000 add eax, dword ptr ss: [EBP + 422]; OEP Value
006af3a6 59 pop ECx
006af3a7 0bc9 or ECX, ECx
006af3a9 8985 a8030000 mov dword ptr ss: [EBP + 3a8], eax; modify the code in [EBP + 3a8]
006af3af 61 popad
006af3b0 75 08 jnz short drvstudy.006af3ba; hop
006af3b2 B8 01000000 mov eax, 1
006af3b7 C2 0c00 retn 0c
006af3ba 68 08cf5c00 push drvstudy.005ccf08; deformation jump
006af3bf C3 retn; ^_^ fly to the bright spot
Here is the OEP code of a typical Delphi Program.
005ccf08 55 push EBP; stop here
005ccf09 8bec mov EBP, ESP
005ccf0b 83c4 F0 add ESP,-10
005ccf0e 53 push EBX
005ccf0f B8 80ca5c00 mov eax, drvstudy.005cca80
005ccf14 E8 b3a7e3ff call drvstudy.004076cc
Now you can run the dump program at 005ccf08. Use the OD ollydump plug-in to dump the program, start importrec, and enter the oep rva value.
Click iatautosearch and then getimport. All the APIS found are valid. Click fix dump to fix the IAT pointer.
Run the program and prompt that the system data is incorrect. This is because the program has self-verification and is denied to run after being shelled. I won't say it if I remove the self-verification of the program.
The method can be done...
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
