Unpacking Experience (1): Thoughts on Unpacking

Source: Internet
Author: User
Tags: api, manual

I don't have a tutorial to offer. Let's just talk about it!

We get hold of a packer. If we want to understand it, there is no way around tracing it in depth. There are no shortcuts! You have to invest a great deal of time, thought and analysis. If you cannot do that, please give up; that is also a kind of respect and care for your own body and mind!

If you are someone who unpacks by following other people's tips, it is easy to feel empty once the unpacking is done...

(The tool used in the examples is OllyDbg.)
When you meet an unfamiliar packer, don't panic. Do some simple analysis first and establish the type and level of the packer. Let's talk about saft103. Although the unpacking forum has already introduced some "packer overlords" for it, we can set those ideas aside and follow it carefully step by step (see one of my "sleepwalking" write-ups).

Run the packed program first and look at the system's active processes. The first thing we discover is that it is a single process. We attach OllyDbg to that single process, and what we see is "flowers everywhere, with masters hidden among the flowers" (junk instructions everywhere, with the real code hidden among them). To find those "masters", we must start from the ground up (because we have assumed that we know nothing about the packer).

We come to a few conclusions: the junk instructions do not stand up to scrutiny (in plain words, they are just for show), and the exceptions are triggered in order, top to bottom. So when we run into the same situation (we will hit it repeatedly before the OEP, and we do not need to step into every single exception), we can follow them one by one: drag the scroll bar down with the mouse, watch for suspicious places, and use the up/down keys to look at the instructions there. If you find something that "doesn't fit", that hard-to-describe feeling, just set a breakpoint there; it should be the key code or the decoding routine! We can also see that the timing-based anti-tracing is a fairly simple single-point version; as long as the relevant API is patched, it can be killed cleanly.

In the "sleepwalking" write-up we found that the packer performs injection (this is the first feature of the packer we found). Using injection to attach to a system service program makes debugging harder; generally we are not going to debug the threads of a system service, so the parent process becomes a "Pope", sacred and not to be violated. It feels like a "golden shell". Apart from that, all the relevant operations can be seen at a glance. If this is unfamiliar to you, learn it quickly (even so, I went through the API manual and the Delphi CHM manual; fortunately it can all be found there, and you will understand it)! The parent process's exit is arranged by pushing the address onto the stack and running from there. Nothing new, but it is a wonderful move for terminating the parent process cleanly. Worth learning!

Now that we have clarified the packer's actions, we need to switch to running the parent process ourselves. When the parent process is running there will also be anti-tracing; watch out for it. First we should ask ourselves: what do we want from the parent process? To monitor it? Thinking it through again: the parent process must run the child process. Where does the child process come from? From the same ancestor! But it grows in a different way, and its growth is guided by the parent, so we need to obtain the parent's "guidance". getcontext and setcontext (that is, GetThreadContext/SetThreadContext) are the main means of steering the child process, and of course you can get the "guidance" from them. In addition, the parent is also responsible for initializing and decoding the child; you should think of WriteProcessMemory and ReadProcessMemory! By analyzing the parent's code and tracing it, we find that the parent handles initialization and decoding only once, and for the rest of the time it only watches whether the child comes to it with questions. (In fact the relationship between parent and child is very clear. If your code-analysis ability is strong you can rely less on dynamic tracing; if that doesn't work, you can only go back and forth between them with two OllyDbg instances open.)
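As an added illustration from the analyst's side (not part of the original post), here is a small Python heuristic that flags the parent/child design described above in an API-call trace: a parent that spawns a suspended copy of its own image, reads and rewrites its thread context, and writes into its memory. The trace format, process ids, paths and function names are all constructed for this example.

```python
# Heuristic for the parent/child packer pattern described above: a parent that
# spawns a suspended copy of its own image and steers it from outside with
# Get/SetThreadContext and Write/ReadProcessMemory. Trace format is constructed
# for this example ("<pid> <api> key=value ..."), not any real tool's output.
CREATE_SUSPENDED = 0x4

SAMPLE_TRACE = """\
1000 ProcessStart image=C:\\app\\target.exe
1000 CreateProcessW image=C:\\app\\target.exe flags=0x4 child=1001
1000 GetThreadContext target=1001
1000 ReadProcessMemory target=1001 addr=0x401000 size=4096
1000 WriteProcessMemory target=1001 addr=0x401000 size=4096
1000 SetThreadContext target=1001
2000 CreateProcessW image=C:\\tools\\helper.exe flags=0x0 child=2001
2000 ReadProcessMemory target=2001 addr=0x7ff00000 size=16
"""

def parse(trace):
    """Yield (pid, api, args) from the constructed trace format."""
    for line in trace.splitlines():
        pid, api, *rest = line.split()
        yield int(pid), api, dict(kv.split("=", 1) for kv in rest)

def find_parent_child_packers(trace):
    """Return (parent_pid, child_pid, reasons) for children showing the full pattern."""
    images, children = {}, {}
    for pid, api, args in parse(trace):
        if api == "ProcessStart":
            images[pid] = args["image"]
        elif api.startswith("CreateProcess"):
            children[int(args["child"])] = {
                "parent": pid, "image": args["image"], "apis": set(),
                "suspended": bool(int(args["flags"], 16) & CREATE_SUSPENDED)}
        elif "target" in args:
            rec = children.get(int(args["target"]))
            if rec and rec["parent"] == pid:  # only the creator's own calls count
                rec["apis"].add(api)
    findings = []
    for child, rec in children.items():
        reasons = []
        if rec["image"].lower() == images.get(rec["parent"], "").lower():
            reasons.append("child is a copy of the parent's own image")
        if rec["suspended"]:
            reasons.append("child created with CREATE_SUSPENDED")
        if {"GetThreadContext", "SetThreadContext"} <= rec["apis"]:
            reasons.append("parent rewrote the child's thread context")
        if "WriteProcessMemory" in rec["apis"]:
            reasons.append("parent wrote into the child's memory")
        if len(reasons) == 4:  # all four together are the signature described above
            findings.append((rec["parent"], child, reasons))
    return findings
```

Process 2000 in the sample shows a partial match (one cross-process read, no suspension, different image) and is correctly left out.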

The child process also checks on the parent process, and if it finds that the parent is "having an affair", the child declares that it is "breaking off the parent-child relationship". The child may also have a "car accident" ("illegal operation") and "lose too much blood", and it may ask the parent for its DNA; if the DNA does not match, the result is a "transfusion error" and the child "dies unexpectedly"!

If none of the above goes wrong, the child process lives on: it sheds its coat [decoding], keeps "growing hair" [the IAT encryption routine] before it grows up, finally puts on the stolen-code show at the end of the year, and then lives independently under the invisible shelter of the parent process.

Having watched the packer's showtime, we should realize that unpacking is no longer impassable. I thought of letting the child process run directly until it is unpacked, and then I thought of the "unpacking wizard" fxyang; looking back at his earlier script, haha, we ended up going almost the same way... Learning to unpack and to pack is not for showing off, but for finding your own direction in it. If you don't understand something, ask yourself why. I often work it out on my own, and that leaves a deep impression. You don't have to memorize what BP, CD, B and so on do; what you need is the notes in your memory (your brain and your saved files).

This packer feels gentle to me; in places it is hard but straightforward. For example, the "game over" section is too serious and too obvious, yet you still need a certain amount of work to remove it. Also, the resources are hidden; they are decompressed only when they appear and then take up their space in full. Don't forget to dump them! If we just copied someone else's steps at every point of the packer, unpacking would be boring, like the walking dead, and we would never get the real fun of it (or you might enjoy cracking the functional limits of a packer product, but that is not what I am talking about)!

If you unfortunately run into an abnormal packer, don't let it go. Take it easy: give up for a while, then take charge again later! Each person has different abilities and understanding, and there is no need to compare yourself with others. Unless you have made a deal with someone, only compare yourself to yourself: to your past, your present, or your future... that is yours!

If this draft unfortunately gets marked as an "essence" post, I hope you can find your own packer, and ask yourself why...
