I haven't done any reversing for a long time, so today I'm going back over it and writing up some notes along the way.
Demo used in this article:
http://download.csdn.net/detail/ccnyou/4540254
The attachment contains the demo and the original article in Word format.
Tools used:
Ollydbg
LordPE
ImportREC
Download and prepare these tools.
The principle behind dumping is not covered here; if you want to know, google it. Common dump tools include LordPE, ProcDump, PETools and so on. This article uses LordPE as the example.
First, open LordPE. There is only a Chinese build on my machine at the moment and I was too lazy to go looking for the original version, so that is what the screenshots show. Open the options and set them as follows:
Once the options are set, select the target process in LordPE's process window (here dumpdemo.exe, packed with ASPack), right-click, run "dump full" (DumpFull) and save the result. If the program has anti-dump tricks, fix the image size first ("correct ImageSize") and then dump full. Save the file as dumped.exe.
Rebuilding the import table:
Generally a packer destroys the original import table, so after the program has been dumped the import table has to be rebuilt. For example, running the program straight after the dump gives the following:
ImportREC is used below. Before running ImportREC, the following conditions must be met:
- The target file is fully dumped and saved as another file.
- The target file is running.
- The program's real entry point (OEP), or the IAT offset and size, has been located in advance.
Here we use the stack balance (ESP) principle to find the OEP. Since that is not the focus of this article, only a brief description of the process follows:
1. Load the program in OD. After the pushad has executed, you can see that all the registers have been pushed onto the stack at 0012FFA4h ~ 0012FFC0h.
2. Set a hardware access breakpoint in OD:
hr 12FFA4
3. Press F9 to run. When the packer's code has finished, it executes popad to restore the registers, which accesses those stack slots; OD breaks there, and the OEP is not far away.
In fact, once you understand the principle, you can simply note the value of ESP when the PE file starts running, say 12FFC4h. The first instruction of most programs is a push, which writes to 12FFC0h, so setting a hardware breakpoint on that write (hr 12FFC0) gets you to the OEP easily.
4. Back to the topic: follow the retn and we arrive at the program's
00401700 /. 55 PUSH EBP
Press Ctrl+A here to have OD analyse the code, and it is clear that this is the real entry point. Note it down.
That was a bit of a digression. Back to the question: run ImportREC, select the dumpdemo process in the drop-down list, and enter the RVA of the OEP found above in the OEP field on the right. Here we enter 1700 (because the image base is 00400000), then click IAT AutoSearch to find the IAT size and offset automatically.
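Two of the steps above lend themselves to a quick offline check, so here is a small Python script added for this write-up (it is not part of the original article or of any of the tools). It recomputes the SizeOfImage a dump needs from the section table, which is exactly the value LordPE's "correct ImageSize" writes back when a packer has shrunk it to defeat dumping, and it turns the OEP address OD showed (00401700) into the RVA that ImportREC wants (1700) by subtracting the image base. The PE header bytes it works on are constructed in the script for testing; the section names and sizes are made up and are not taken from dumpdemo.exe.

```python
"""Two offline checks from the walkthrough above: does a dump's SizeOfImage
cover its whole section table (what LordPE's 'correct ImageSize' repairs),
and what RVA should be typed into ImportREC for an OEP seen in OD.
Added example; the PE header below is constructed, not dumpdemo.exe."""
import struct

PE32_MAGIC = 0x10B
SECTION_HEADER_SIZE = 40


def build_sample_pe(image_base, section_align, size_of_image, entry_va, sections):
    """Construct a header-only PE32 image for testing (no code, no data).
    sections: list of (name_bytes, VirtualAddress, VirtualSize)."""
    e_lfanew = 0x40
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                   # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_va - image_base)  # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 32, section_align)
    struct.pack_into("<I", opt, 36, 0x200)                  # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 60, 0x400)                  # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    # Section headers: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, reloc/linenumber pointers and counts, Characteristics
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                    vsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for name, vaddr, vsize in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Read the few header fields the dump/IAT checks need from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")

    def u32(off):
        return struct.unpack_from("<I", data, opt + off)[0]

    sections = []
    first = opt + opt_size
    for i in range(num_sections):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, first + i * SECTION_HEADER_SIZE)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize))
    return {"entry_rva": u32(16), "image_base": u32(28),
            "section_alignment": u32(32), "size_of_image": u32(56),
            "sections": sections}


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def expected_size_of_image(pe):
    """End of the highest section rounded up to SectionAlignment: the size a
    full dump must read, and what 'correct ImageSize' writes back."""
    end = max(vaddr + vsize for _, vaddr, vsize in pe["sections"])
    return align_up(end, pe["section_alignment"])


def check_image_size(data):
    """Report whether the declared SizeOfImage would truncate a full dump."""
    pe = parse_pe(data)
    expected = expected_size_of_image(pe)
    return {"declared": pe["size_of_image"], "expected": expected,
            "needs_fix": pe["size_of_image"] < expected}


def va_to_rva(va, image_base):
    """OD shows virtual addresses; ImportREC's OEP field takes an RVA."""
    return va - image_base


# Constructed sample: a layout like a small packed program whose SizeOfImage
# has been shrunk to 0x3000 so that a naive dump stops early.
SAMPLE_SECTIONS = [(b".text", 0x1000, 0x2000), (b".rdata", 0x3000, 0x1000),
                   (b".data", 0x4000, 0x1000), (b".aspack", 0x5000, 0x3000)]
SAMPLE_PE = build_sample_pe(0x400000, 0x1000, 0x3000, 0x401700, SAMPLE_SECTIONS)

if __name__ == "__main__":
    r = check_image_size(SAMPLE_PE)
    print("SizeOfImage declared %#x, needed %#x, fix: %s"
          % (r["declared"], r["expected"], r["needs_fix"]))
    print("OEP RVA for ImportREC: %x"
          % va_to_rva(0x401700, parse_pe(SAMPLE_PE)["image_base"]))
```

On a real dump you would read the file bytes instead of `SAMPLE_PE`; if `needs_fix` comes back true, the declared SizeOfImage is smaller than the section table requires, which is the situation where you must hit "correct ImageSize" before "dump full" or the tail of the image will be missing.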
If a dialog box pops up, the OEP you entered has taken effect.
Click Get Imports to have ImportREC analyse the IAT structure and obtain the basic information.
The Trace Level 1, 2 and 3 commands in the right-click menu do nothing useful here; the figure shows that one pointer is invalid. Expand the entry, right-click and delete the invalid pointer, and now everything is valid.
The OEP has also been corrected. Run dumped_.exe: there is no error prompt and the program works perfectly. It is a bit bigger than before (the original file is 11.5 KB, the fixed one 36.0 KB): the packer's data plus a new section (.…) containing the import table data.
6. If you don't want a new section added, you can instead pick a blank section in .rdata: enter 29c0 as the limit here and click Fix Dump. After this repair the size is 32.0 KB, saving 4 KB O__O"...