Finding the OEP of a packed program: the two memory breakpoint method

Source: Internet
Author: User

0x00 Preface

The first task in unpacking is to find the OEP (original entry point). When a packed PE file is loaded into OllyDbg (OD) or another debugger, the entry address it shows is normally the entry of the packer ("shell") code rather than of the program itself, so the first step of the reverse analysis is to locate the original entry point of the PE program.

0x01 Packer loading process

A packer resembles a virus in some respects: it must gain control before the original program does. It achieves this by modifying the structure of the original executable so that its own code runs first, without affecting the normal operation of the original program. Understanding the packer's loading process is essential both for packing and for unpacking. The process is as follows:

1) Save the entry parameters

When the packer stub starts, it saves the value of every register. After the stub has finished its work, it restores the register contents and then transfers execution to the entry point of the original program. The pushad/popad and pushfd/popfd instructions are generally used to save and restore this environment.

2) Obtain the API functions the packer needs

In general, the packer's import table contains only GetProcAddress, GetModuleHandle and LoadLibrary, and sometimes only kernel32.dll with GetProcAddress. If it needs other API functions, it can map a DLL file image into the address space of the calling process with LoadLibraryA/W or LoadLibraryExA/W; the HINSTANCE value these functions return identifies the file image in virtual memory.

The prototype of LoadLibrary is:

    HINSTANCE LoadLibrary(
        LPCTSTR lpLibFileName   // address of the DLL file name
    );

Return value: the module handle if the call succeeds, NULL if it fails.

Once the DLL has been mapped into the address space of the calling process, GetModuleHandleA/W returns the handle of the DLL module. Its prototype is:

    HMODULE GetModuleHandle(
        LPCTSTR lpModuleName    // address of the DLL module name
    );

Once the module is loaded, the thread can call GetProcAddress to obtain the address of an imported function. Its prototype is:

    FARPROC GetProcAddress(
        HMODULE hModule,        // DLL module handle
        LPCSTR  lpProcName      // function name
    );

These three functions are very important and helpful for unpacking. Their use will be detailed in the next few articles; they are only listed here for now.

3) Decrypt the data of each section of the original program

To protect the code and data of the original program, the packer usually encrypts the sections of the original file. While the program runs, the packer decrypts this data so that the program can execute normally. Packers generally encrypt section by section, so the data is also decrypted section by section and placed at the memory location given by the section definition.

4) IAT initialization

Filling the IAT (import address table) should be the job of the PE loader. When a program is packed, however, the packer builds its own import table and points the import table pointer in the PE file header at it, so the PE loader fills in only the packer's table. The original PE import table can therefore be filled in only by the packer stub: it scans the original import table structure from beginning to end, re-obtains the address of every function imported from each DLL, and writes it into the IAT.

5) Relocation

The address at which an image is loaded is called its base address. For EXE files, Windows tries to load the image at the address specified in the EXE; for example, if the base address of an EXE is 40000H, the base address Windows gives the program at run time is also 40000H, and no relocation is needed. For DLL files, Windows cannot guarantee the same base address on every load, so relocation is required, and the packer must then also provide the PE file's relocation function. A packed DLL therefore contains one more relocation table than a packed EXE.

6) HOOK-API

The import table of a program file lets Windows supply the program with the actual API addresses at load time; Windows completes this work before the first line of program code executes.

The packer generally modifies the original program's import table and then imitates the Windows loader by filling in the relevant data itself. During that filling it can insert the address of its own HOOK-API code, thereby indirectly obtaining control of the program.

7) Jump to the program entry point (OEP)

After the steps above, the packer's work is done and control is handed to the original program. Most packers have an obvious "dividing line" here. More and more encryption packers, however, move a piece of code from around the OEP into the packer's own address space and then clear it from its original place; this technique is called stolen bytes. There is then no obvious line between the OEP and the packer, which makes unpacking harder.

0x02 Using two memory breakpoints to find the OEP manually

The principle of the two-memory-breakpoint method is this: in step 3 of the loading process the packer must decrypt the sections and write the decrypted contents back into each section, and only after that is complete does it jump to the OEP of the original program. Determining directly when the packer jumps to the OEP is usually not easy. Instead, first set a memory breakpoint on the .data section and run the program (the .data section is generally decrypted before the .code section, so the debugger stops once the data has been unpacked). Then set a memory breakpoint on the .code section (called .text by some compilers) and run again: the program stops at the OEP, because after decryption the packer must return to the OEP to give control to the original program. This is the two-memory-breakpoint method.
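The following Python script is an added example and is not part of the original article. It parses the section table of a constructed minimal PE32 header (not a real file), reports which section contains AddressOfEntryPoint, lists sections that are both writable and executable (the in-place decryption of step 3 needs this), and derives the two memory-breakpoint ranges in the order described above: .data first, then .text. The section names, addresses and flags in the sample image are assumptions made for this example.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def _section(name, va, size, chars):
    """Pack one IMAGE_SECTION_HEADER (40 bytes); raw size == virtual size here."""
    return struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, chars)


def build_sample_pe():
    """Constructed minimal PE32 header (assumption, not a real binary): a packed
    EXE whose entry point lies in the packer's own section instead of .text."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)
    # Standard fields: Magic, linker versions, sizes, AddressOfEntryPoint, BaseOfCode/Data
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0x6000, 0x2000, 0, 0x8100, 0x1000, 0x6000)
    opt += struct.pack("<III", 0x400000, 0x1000, 0x200)            # ImageBase, alignments
    opt += b"\0" * (0xE0 - len(opt))                               # pad to SizeOfOptionalHeader
    secs = (
        # .text is writable so the stub can decrypt code in place (step 3).
        _section(b".text", 0x1000, 0x5000, 0xE0000020),
        _section(b".data", 0x6000, 0x2000, 0xC0000040),
        _section(b".packer", 0x8000, 0x1000, 0xE0000020),
    )
    return dos + coff + opt + b"".join(secs)


def parse_pe(data):
    """Read ImageBase, AddressOfEntryPoint and the section table of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                            # optional header start
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name, vsize, va, chars = fields[0], fields[1], fields[2], fields[9]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "size": vsize, "chars": chars})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(pe, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + s["size"]:
            return s["name"]
    return None


def entry_outside_code_section(pe):
    """Packer tell: the header entry point is not in the original code section."""
    return section_for_rva(pe, pe["entry_rva"]) not in (".text", ".code")


def writable_code_sections(pe):
    """Sections that are both writable and executable; a packer needs this to
    decrypt code in place, a normal linker rarely emits it."""
    return [s["name"] for s in pe["sections"]
            if s["chars"] & IMAGE_SCN_MEM_WRITE
            and s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)]


def two_breakpoint_plan(pe):
    """The two memory-breakpoint ranges (name, start VA, end VA) in the order the
    method prescribes: data section first, then the code section (.text or .code)."""
    by_name = {s["name"]: s for s in pe["sections"]}
    plan = []
    for wanted in ((".data",), (".text", ".code")):
        sec = next((by_name[n] for n in wanted if n in by_name), None)
        if sec is None:
            raise ValueError("section %s not found" % "/".join(wanted))
        start = pe["image_base"] + sec["va"]
        plan.append((sec["name"], start, start + sec["size"]))
    return plan


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("ImageBase 0x%X, entry RVA 0x%X lies in %s" % (
        pe["image_base"], pe["entry_rva"], section_for_rva(pe, pe["entry_rva"])))
    print("entry outside code section:", entry_outside_code_section(pe))
    print("writable+executable sections:", writable_code_sections(pe))
    for name, start, end in two_breakpoint_plan(pe):
        print("memory breakpoint on %-8s 0x%08X-0x%08X" % (name, start, end - 1))
```

To use it on a real file, replace build_sample_pe() with the file's bytes; the section headers sit in the first few kilobytes, so the virtual address ranges it prints are the ones to enter in OllyDbg's memory map when setting the two breakpoints. An entry point outside .text, together with a writable .text, is the same sign of packing that the manual procedure relies on.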

0x03 An instance of finding the OEP with the two-breakpoint method

1) Drag the file into OllyDbg, press Alt+M to open the memory map, and set a memory breakpoint on the .data section with F2, for example:

2) Press F9 to run the program. The program stops here, for example:

At this point the .data section has been decrypted and written, which triggered the read/write breakpoint. Now press Alt+M to return to the memory map and set a memory breakpoint on the .text section (this is the .code section; some compilers name it .text).

3) Press F9 to run the program. The program stops, for example:

This is in fact the OEP address of the original program. Because OllyDbg's analysis of the PE file may render the code incorrectly, right-click in the disassembly window and remove the module's analysis:


The highlighted red box marks the OEP address.

0x04 Summary

Although the two-memory-breakpoint method is simple, we still need to understand the principle behind it: during loading the packer must decrypt the sections and then return to the OEP of the original program, and the method exploits exactly that feature.
