What is a shell? What is shelling? This is a question that is often confusing and often raised, but it is not naïve at all. When you want to hear about shelling and trying to understand it, it means you've been on a safe site for a while. Below, let's go into the "shell" of the world.
The story of Jinchantuoqiao I want to tell a story first. That's Jinchantuoqiao. Jinchantuoqiao belongs to the melee meter in 36. Jinchantuoqiao The original intention is: chilling in the metamorphosis, the body away from the skin shell, leaving only chantui still hanging on the branches. This gauge is used for military purposes and refers to the strategy of getting rid of the enemy through camouflage, retreating or shifting to achieve our strategic goals. Stabilize each other, retreat or transfer, is not panic, passive escape, but the preservation of the form, pumping content, stabilize each other, so that their own out of danger to achieve their own strategic goals, you can often use clever suited transfer opportunity to attack another part of the enemy. Three Kingdoms period, Zhuge Liang six out Qishan, Northern Expedition Zhongyuan, but has not succeeded, finally in the sixth expedition, overwork, in five Zhang original died in the army. Dimensional according to Zhuge Liang's orders, after Zhuge Liang died, the secret is not Fasang, the foreign closely blocked the news. He took the coffin and secretly troops to retreat. Sima Yi sent troops to follow in pursuit of Shu army. Jiang Wei life craftsman imitation Zhuge Liang, carved a Mook Jong, Lupin carring, steady ride in. and sent Yang Yi led part of the army, to Weijun launched offensive. Weijun View Shu Army, grooming neat, flag drum big Zhang, see Zhuge Liang Steady Ride, commands, do not know Shu army and play what tricks, dare not move. Sima Yi always know Zhuge Liang "scheming", and suspect this retreat is decoy, so ordered troops retreat, observe the movement of Shu Army. Jiang Wei while Sima Yi Retreat good time, immediately command the main force, rapid and safe transfer, withdrew to Hanzhong. And so Sima Yi learned that Zhuge Liang is dead, and then stationing chase, too late. Believe this story, everyone in the large series "kingdoms" has been seen. Oh, just don't understand so deeply! In the hacking technology, Jinchantuoqiao refers to: Delete system running log attacker to break the system, often delete the system run log, hide their traces ... Oh
Second, Shell, shelling, packers
In nature, I think we should not be unfamiliar with the shell of this thing, from the above story, we can also be seen. Plants in nature use it to protect the seeds, and animals use it to protect the body and so on. Also, in some computer software there is a program that is specifically designed to protect software from unauthorized modification or decompile. They are usually run ahead of the program, get control, and then complete their task of protecting the software. Just like the shells of animals and plants are generally outside the body for granted (but later there is the so-called "seed in the Shell" shell). Since this procedure and the nature of the shell in the function of a lot of the same place, based on the rules of naming, we call this procedure "shell". Like a computer virus and natural viruses, in fact, is the name of the method. Functionally, the shell of software is almost the same as the shell in nature. It is nothing but the protection and concealment of the inside of the shell. From a technical point of view, the shell is a piece of code executed before the original program. The code of the original program may be compressed and encrypted during the Packers .... When the shell file is executed, the shell-this code runs before the original program, restores the compressed, encrypted code to the original program code, and then returns the execution to the original code. The shell of the software is divided into encryption shell, compression shell, camouflage shell, multilayer shell and other classes, the purpose is to hide the program real Oep (entry point, to prevent being cracked). About the development history of "shell" and related software please see Mr. Wu's "everything Starts with" shell.
(a) The concept of a shell
After compiling the software, the author compiles it into an EXE executable file. 1. Some copyright information need to be protected, do not want to let others casually change, such as the author's name, that is, in order to protect the software is not cracked, is usually used to protect the shell. 2. It is necessary to make the program smaller so that it is easy to use. Therefore, need to use some software, they can be exe executable file compression, 3. In the hacker community to the Trojan Horse and other software shell shelling to avoid anti-virus software. To achieve these functions, these software is called Packers software.
(b) Shell software is the most common Packers software aspack, upx,pecompact not commonly used shell software wwpack32;pe-pack; PETITE neolite
(iii) software to detect the language used in the shell and software, as the type of shell to be checked before shelling. 1. Detection shell software fileinfo.exe abbreviation Fi.exe (the ability to detect the shell is very strong) 2. Detects the software Language.exe of the language used in the shell and software (two functions as a whole, very good) recommended language2000 Chinese version (specially detect shell type) 3. Software commonly used to write language Delphi,visualbasic (VB)-the most difficult to break, VisualC (VC)
(d) Shelling software. Software packers are the means used by the author to protect his own code or to maintain the interests of the software after he finishes writing the software. At present, there are many shell tools, of course, there are shields, and naturally there are spears, as long as we collect all the commonly used shelling tools, it is not afraid of his shell. Software shelling has manual off and automatic shelling of the points, the following we first introduce automatic shelling, because manual shelling needs to use assembly language, to track breakpoints, etc., is not suitable for beginners, but we will be a little introduction in the rear.
Packers generally belong to software encryption, now more and more software compression processing, to the Chinese has brought many inconvenience, software, Chinese enthusiasts have to learn to master this skill. Shelling now generally divided into manual and automatic two, manual is used TRW2000, TR, SoftICE and other debugging tools to deal with, the shelling has a certain level of requirements, involving a lot of assembly language and software debugging knowledge. and automatic is to use special shelling tool to take off, the most commonly used some compression software has other people write anti-compression tool corresponding, some compression tool itself can decompress, such as UPX; some do not provide this function, such as: Aspack, need to unaspack deal with, the advantage is simple, the disadvantage is that the version of the update is useless. In addition shelling is to use special shelling tools to deal with, the most popular is Procdump v1.62, can deal with the current compression of various compressed software files. Here are some common methods and tools that I hope will be helpful to everyone. We know how to encrypt files, and we can use different tools and different methods for shelling. Here are the shells we often encounter and simple shelling measures, for your reference: the basic principle of shelling is a single-step tracking, can only forward, can not be back. The general process of shelling is: shell-and-look for oep->dump-> repair to find OEP general idea is as follows: First look at the shell is a cryptographic shell or compression shell, the compression shell is relatively easy, generally no exception, find the corresponding popad can go to the entrance, jump to the entrance of the way generally for. We know that the file is encrypted by some compressed shell software, the next step we will analyze the encryption software name, version. Because different software and even different versions of the shell, shelling processing methods are not the same.
Commonly used shelling tools: 1, File Analysis tool (type of Detection shell): Fi,gettyp,peid,pe-scan, 2, oep entrance Finder: Softice,trw,ollydbg,loader,peid 3, dump tool: ICEDUMP,TRW , PEDITOR,PROCDUMP32,LORDPE 4, PE file editing tools PEDITOR,PROCDUMP32,LORDPE 5, Rebuild Import Table tool: Importrec,revirgin 6, Asprotect shelling Special tools: CASPR (ASPr v1.1-v1.2 Effective), Rad (effective only for ASPr V1.1), Loader,peid (1) Aspack: Use the most, but only with unaspack or PEDUMP32 shelling. (2) Asprotect+aspack: Second, the foreign software more use it shell, shelling need to use the softice+icedump, need a certain professional knowledge, but the latest version now there is no way. (3) UPX: You can use the Upx itself to shell, but to pay attention to the version is consistent, with the-D parameter (4) Armadill: You can use softice+icedump shelling, more annoying (5) DBPE: The domestic relatively good encryption software, the new version temporarily can not be taken off, but can be cracked (6) Neolite: can use their own to Shell (7) PCGuard: Can be shelled with Softice+icedump+frogice (8) Pecompat: Use SoftICE with PEDUMP32 to shelling, but not professional knowledge (9) Petite: A part of the old version can be directly shelled with PEDUMP32, the new version of shelling needs to use the softice+icedump, need a certain degree of expertise (TEN) WWpack32: and Pecompact as a part of the old version can be directly shelled with PEDUMP32, However, sometimes the resources can not be modified, it can not be Chinese, so it is best to use SoftICE with PEDUMP32 shelling we will usually be using the PROCDUMP32 this generic shelling software, it is a powerful shelling software, he can unlock most of the encryption shell, There are also scripting features that can be used to easily unlock encrypted files for a particular shell. In addition, many times we need to use EXE executable file editing software UltraEdit. We can download its Chinese version of the registration, its registration machine can be searched from the Internet. UltraEdit Open a Chinese software, if the shell, many Chinese characters can not be recognized UltraEdit open a Chinese software, if not shell or have shelled,Many Chinese characters can be recognized UltraEdit used to check whether the shell is taken off, later its usefulness is many, please master for example, can use its replacement function to replace the name of the author of your name note that the byte must be equal, two kanji for two, three for three, The UltraEdit editor is insufficient to the left with 00 complement.
Common Shell stripping methods:
(a) Aspack shell shelling can be used unaspack or CASPR 1.unaspack, the use of similar lanuage, fool-like software, after running the selection of software to be shelled. Disadvantage: can only take off Aspack earlier version of the shell, can not be taken off the version of the Shell 2.CASPR first: The software to be shelled (such as Aa.exe) and Caspr.exe in the same directory, perform the Windows Start menu run, type CASPR Aa.exe after shelling the file for aa.ex_, delete the original Aa.exe, will aa.ex_ renamed Aa.exe can. The use of the method is similar to the advantages of fi: can be aspack any version of the shell, shelling ability very strong disadvantage: DOS interface. The second kind: Drag the Aa.exe icon to the caspr.exe icon * * * If the detection is Aspack shell, with unaspack shelling error, it is aspack high version of the shell, with Caspr off. (ii) UPX shells can be shelled UPX software (such as Aa.exe) and Upx.exe in the same directory, perform the Windows Start menu run, type upx-d Aa.exe (c) pecompact shell shelling Unpecompact Use similar lanuage fool software, run after the selection of the software to be shelled (four) Procdump universal shelling but not fine, generally do not use the method: After the operation, the first to specify the name of the shell, and then select the shelling software, to determine the size of the file is larger than the original file due to shelling software is very mature, Manual shelling is generally not available.
Three, compression and shelling
Shelling now generally divided into manual and automatic two, manual is used TRW2000, TR, SoftICE and other debugging tools to deal with, the shelling has a certain level of requirements. and automatically slightly better, with a special shelling tool to take off, the most commonly used some compression software has other people write anti-compression tool corresponding, some compression tool itself can decompress, such as UPX; some do not provide this function, such as: Aspack, you need to unaspack deal with. Many files use a number of compression shell software encryption, which requires the extraction of the file after shelling processing, can be Chinese. This compression and we usually contact compression tools such as winzip,winrar, such as compression, WinZip and WinRAR and other compressed files can not be directly executed, and this EXE compression software, EXE file compression, can still run. This compression tool compresses the file and adds a snippet of decompression code to the beginning of the file. When the file is executed, the code first performs the decompression and restore files, but these are done in memory, because of the speed of the microcomputer, we basically do not feel any difference. Such programs are many, such as the Bat,acdsee,winxfile and so on.
To be shelled should first understand the commonly used compression tools, so know-how, now more and more software vendors like to use compression to release their products, such as the bat! With UPX compression, ACDSEE3.0 with Aspack compression. It has the following factors: First, the computer performance is getting better, the implementation process of decompression so that people do not feel, users can accept (to the software shell, similar to the effect of WinZip, but this shell compression after the file, can run independently, the decompression process is completely concealed, all in memory to complete. Decompression principle, is the shell tool in the file header added a section of instructions, tell the CPU, how to extract themselves. Now the CPU is very fast, so this decompression process you can not see anything unusual. Because the software suddenly opened, only your machine configuration is very poor, you will feel the non-shell and shell after the software running speed difference. )。 The second is: after compression software volume reduced, easy to network transmission. The third is: to increase the difficulty of cracking. First, the shell software is different from the general Winzip,winrar and other compression software. It is compressed EXE executable file, compressed file can be run directly. While compression software such as Winzip,winrar compresses any file, it cannot be run directly after compression. Many sites do not allow uploading executable files, but only upload compressed files, on the one hand in the speed of consideration, but also for security reasons. The file compressed with the shell software is the volume reduction, the other nature has not changed. or EXE file can still be executed, but the running process is not the same as before. The compression tool compresses the file and adds an extract code to the beginning of the file. When the file is executed, the code first performs the decompression and restore files, but these are done in memory, because of the speed of the microcomputer, we basically do not feel any difference.
Four ﹑ Shell and Trojan
Trojan damage is endless, but with the knowledge of all kinds of trojans, anti-virus and special care for killing tools, so many Trojans no hiding place, but a lot of masters everywhere selling horses, claiming not to be avira. How exactly are they hiding in our system? In fact, nothing but the Trojan "Add/shelling". For hackers, the addition/shelling technology has been thoroughly applied to the Masquerade Trojan client, the purpose is to prevent the anti-tracking antivirus software and tracking debugging, but also to prevent the algorithm program by others static analysis. Most basic hidden: invisible form + hidden file. Trojan Horse Program
Using process hiding technology: first-generation process hiding technology: the backdoor of Windows 98. Second-generation process hiding technology: process insertion, and behind the hook technology is against anti-virus software against the dry: anti-virus software shell technology. The Trojan is cunning, but once the antivirus software defines the signature code, it is intercepted before it runs. To avoid anti-virus software, many Trojans were added shell, equivalent to the Trojan wear a piece of clothing, so antivirus software will not recognize it, but some antivirus software will try to shell the usual shells, and then avira (sample, don't think put on a piece of horse clip I do not know you). In addition to passive hiding, recently found to be able to active and anti-virus software against the shell, the Trojan in addition to this shell, once run, then the shell first get control of the program, by various means of the system installed in the anti-virus software to destroy, Finally in the confirmation of security (anti-virus software protection has been disrupted) by Shell release wrapped in their own "inside" Trojan Horse and execute it. The way to deal with this Trojan is to use anti-virus software with shelling ability to protect the system. Shell is able to wrap files (such as EXE), and then when the file is run, the shell gets control first, then releases and runs the wrapped file body. A lot of shells can be wrapped in the file body to encrypt, so that can prevent anti-virus software Avira. For example, the original anti-virus software definition of the Trojan is characterized by "12345", if found that a file contains this feature, the file is considered a trojan, and the shell with the encryption function will encrypt the file body (such as: The original feature is "12345", the encryption has become "54321", In this way antivirus software can not rely on the file characteristics of the inspection). Shelling refers to the removal of the outer shell of the file, restoring the state of the file before it is added to the shell.
Although a lot of antivirus software file monitoring will make the first run speed of the program is very slow. This is because: anti-virus software on the compression shell of the EXE file monitoring scan, must first "shelled." General compression shell program, can encrypt the code of the executable file, data, input table, relocation table, resource segment. Usually compressed file size only the original 50%-70%, but does not affect the normal use of the program and all functions, the purpose is to protect the file is not tracked analysis, disassembly, shelling and so on. So sometimes using a software to the Trojan shelling will fail, but can be replaced by a software test. Shell after shelling or use different shell software to add multi-layer shells, may deceive anti-virus software, but after a complex multi-shell, the results are not necessarily accurate, at this time need to "Adv.scan" advanced scanning, Pe-scan will be analyzed by a variety of shell tools to add shell possibilities.
Five ﹑ shells and viruses
In order to survive, the virus can also be associated with the program's shell compression, in addition to its ability to deform itself. Let us first look at the purpose of the virus deformation, because now anti-virus software, based on signature detection, increase the ability of deformation, so that the signature detection method more difficult. Then, if combined with the application of shell technology, then the only by adding the signature method to detoxify the complete failure, detoxification, must also update the scanning engine, and now there is no general solution shell method. Therefore, the combination of shell compression and deformation, will make anti-virus manufacturers rush, but also make anti-virus software users suffering, frequent updates, in addition to the signature, there are scanning engines. Add a shell to the usual virus, such as with UPX, now usually anti-virus software, for the commonly used encryption shell compression program, there are corresponding shell procedures. The effect is not good, so if the virus is not only a good deformation encryption shell compression program, then, the purpose is to force the Update scan engine, of course, can be detected by dynamic decompression, but increased the detoxification of a lot of work. In fact, Shell technology is not only used for software protection, but also for good viruses. Good virus does not have to be very fast propagation speed, difficult to detect, difficult to kill more important, like the current anti-virus industry, virtual machine technology, but also a prototype, there are many functions and can not be completely virtualized, and if the shell code itself can be deformed, at the same time there are a variety of shell algorithms available for random selection, Then it's hard to find out the rules and relationships. In short, good antivirus software should have at least one of the technical features is to have compression and restore technology: Pklite, Diet, Exepack, Com2exe, Lzexe, Cpav and other hundreds of kinds of compression shell software automatically restore, completely remove the hidden deeper virus, to avoid the resurgence of viruses.
Virus shell technology and shelling anti-virus method analysis "reprint"