HooK GetModuleHandleA 脱壳辅助工具
我们都知道标准delphi程序一开始肯定会调用到GetModuleHandleA这个函数,很多壳都把OEP处理了,也就是运行过后清除什么的,代码偷取什么的,我们只要Hook这个函数,然后让程序暂停下来,那么是不是壳就还没有完成代码的清除什么的,我们dump出来的代码就是完整的或者是可分析的.当然这个工具很容易就可以改来Hook其他函数.我给出代码,大家自己研究好了.
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, Grids;
type
  { Main form of the helper. StringGrid1 receives the stack slice captured by
    Transact; btn1 and OnShow both call Hook. }
  TForm1 = class(TForm)
    lbl1: TLabel;
    lbl2: TLabel;
    StringGrid1: TStringGrid;
    btn1: TButton;
    procedure btn1Click(Sender: TObject);
    procedure FormShow(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;
var
  Form1: TForm1;
  // Module handle of kernel32.dll; Hook later overwrites it with the address
  // of GetModuleHandleA inside that module (the byte range that gets patched).
  _kernel32hwnd:cardinal;
  // Previous page protection returned by VirtualProtect in Hook.
  _oldPage:Cardinal;
  // Address of the HGetmoduleHandleA stub, written into the patch as the jmp target.
  _hgetadr:cardinal;
  // Declared but never referenced anywhere in this unit.
  _modulehwnd:Cardinal;
  // Address of GetModuleHandleA in the separately loaded copy of kernel32
  // (C:\HooKDLLs\_kernel32.dll); the stub jumps here after Transact returns.
  __modulehwnd:Cardinal;
  // Module handle of that second kernel32 copy.
  __kernel32hwnd:cardinal;
  // esp/ebp saved by the stub on entry; Transact reads _esp to walk the stack.
  // Shared globals: a nested or concurrent entry into the hook overwrites them.
  _esp,_ebp:Cardinal;
  // Counts hook hits; shown in the MessageBox that pauses the process.
  _msgnum:Cardinal;
procedure Hook;
implementation
{$R *.dfm}
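{ Called from the HGetmoduleHandleA stub (`call transact` in its asm block)
  each time the patched GetModuleHandleA is entered. Fills Form1.StringGrid1
  with 101 dwords read upward from the hooked caller's stack, then blocks in a
  MessageBox so the process stays paused and can be inspected.
  Reads the globals _esp (saved by the stub) and _msgnum; increments _msgnum.
  Fix versus the original: Unit1.dfm declares the grid with RowCount = 50, but
  rows 1..101 were written, overrunning the grid; RowCount is now raised to fit
  the header plus all entries. The push/mov/pop asm used to read each dword is
  replaced by a plain typed-pointer dereference. }
procedure Transact;
const
  Entries = 101;       // stack slots 0..100, as in the original loop
  // The stub executes pushad (32 bytes) and pushfd (4 bytes) before saving esp,
  // so _esp + 36 is esp as it was when the patched function was entered.
  SavedRegsSize = 36;
var
  Slot: Cardinal;
  Addr: Cardinal;
begin
  Form1.StringGrid1.RowCount := Entries + 1;   // header row + Entries data rows
  Form1.StringGrid1.Cells[0, 0] := 'Address';
  Form1.StringGrid1.Cells[1, 0] := 'Value';
  for Slot := 0 to Entries - 1 do
  begin
    Addr := _esp + Slot * 4 + SavedRegsSize;
    Form1.StringGrid1.Cells[0, Slot + 1] := IntToHex(Addr, 8);
    Form1.StringGrid1.Cells[1, Slot + 1] := IntToHex(PCardinal(Addr)^, 8);
  end;
  // Deliberately modal: the hooked process remains stopped while the box is up.
  MessageBox(0, PChar(IntToHex(_msgnum, 8)), '警告', MB_OK + MB_ICONINFORMATION);
  Inc(_msgnum);
end;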
{ Stub that Hook installs over the first bytes of kernel32!GetModuleHandleA.
  Saves all general registers and the flags, records esp/ebp in the globals
  _esp/_ebp for Transact, calls Transact, restores the saved state and then
  continues into the untouched GetModuleHandleA of the second kernel32 copy
  (__modulehwnd), so the original call still completes.
  The saved state lives in globals, so this is neither reentrant nor
  thread-safe: a nested or concurrent call into the hook overwrites _esp/_ebp.
  `label _label1` is declared but never used. }
procedure HGetmoduleHandleA;
label _label1;
begin
asm
  pushad;              // 32 bytes of general registers
  pushfd;              // 4 bytes of flags
  mov _esp,esp;        // Transact adds 36 to get back to the entry-time esp
  mov _ebp,ebp;
  // Four extra pushad's push 128 bytes below the saved state before calling
  // into Pascal code; they are never popped because esp is restored wholesale
  // from _esp afterwards. Presumably scratch headroom; intent not stated.
  pushad;
  pushad;
  pushad;
  pushad;
  call transact;       // Pascal procedure; any registers it clobbers are restored by popad below
  mov ebp,_ebp;
  mov esp,_esp;        // discards the scratch pushes
  popfd;
  popad;
  // NOTE(review): a global variable as jmp operand — assumed to assemble as an
  // indirect jmp through __modulehwnd (address stored by Hook); confirm.
  jmp __modulehwnd;
end;
end;
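{ Redirects kernel32!GetModuleHandleA to the HGetmoduleHandleA stub.
  1. Loads the real kernel32.dll and a renamed private copy. The copy is read
     from C:\HooKDLLs\_kernel32.dll; note the accompanying text says to place
     the copy next to the target program, but this path is what the code uses.
  2. Resolves GetModuleHandleA in both. The copy's address (__modulehwnd) is
     where the stub jumps after Transact, so the real work still happens.
  3. Makes the first 100 bytes of the real function writable, writes
     `mov eax, @HGetmoduleHandleA` (B8 imm32) followed by `jmp eax` (FF E0),
     7 bytes in total, and restores the previous protection.
  Side effects: sets the globals _kernel32hwnd (left holding the function
  address, as the original did), __kernel32hwnd, __modulehwnd, _hgetadr, _oldPage.
  Changes versus the original:
  - LoadLibrary / GetProcAddress / VirtualProtect results are checked and the
    patch is skipped on failure. Previously a missing copy left __modulehwnd = 0
    and the stub would jump to address 0 on the next GetModuleHandleA call.
  - The patch window uses PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE, so
    the function stays executable while its bytes are being rewritten.
  - Bytes are written through typed pointers instead of inline asm, and the
    instruction cache is flushed afterwards.
  Calling Hook twice (FormShow and btn1 both do) rewrites the same 7 bytes and
  bumps the module reference counts; harmless, but nothing undoes it. }
procedure Hook;
const
  PatchSize = 7;                               // B8 xx xx xx xx FF E0
  CopyPath = 'C:\HooKDLLs\_kernel32.dll';
  ProtectLen = 100;                            // range made writable, as in the original
var
  RealKernel32, CopyKernel32: HMODULE;
  Target: Cardinal;
  Dummy: DWORD;
begin
  RealKernel32 := LoadLibrary('kernel32.dll');
  CopyKernel32 := LoadLibrary(CopyPath);
  if (RealKernel32 = 0) or (CopyKernel32 = 0) then
  begin
    MessageBox(0, 'Hook: LoadLibrary failed (is C:\HooKDLLs\_kernel32.dll present?)',
      'Hook', MB_OK + MB_ICONERROR);
    Exit;
  end;
  _kernel32hwnd := RealKernel32;
  __kernel32hwnd := CopyKernel32;
  __modulehwnd := Cardinal(GetProcAddress(CopyKernel32, 'GetModuleHandleA'));
  Target := Cardinal(GetProcAddress(RealKernel32, 'GetModuleHandleA'));
  if (__modulehwnd = 0) or (Target = 0) then
  begin
    MessageBox(0, 'Hook: GetProcAddress(GetModuleHandleA) failed', 'Hook',
      MB_OK + MB_ICONERROR);
    Exit;
  end;
  // The rest of the unit expects the function address here once Hook has run.
  _kernel32hwnd := Target;
  _hgetadr := Cardinal(@HGetmoduleHandleA);
  if not VirtualProtect(Pointer(Target), ProtectLen, PAGE_EXECUTE_READWRITE, _oldPage) then
  begin
    MessageBox(0, 'Hook: VirtualProtect failed', 'Hook', MB_OK + MB_ICONERROR);
    Exit;
  end;
  PByte(Target)^ := $B8;                       // mov eax, imm32
  PCardinal(Target + 1)^ := _hgetadr;          //   imm32 = @HGetmoduleHandleA
  PByte(Target + 5)^ := $FF;                   // jmp eax
  PByte(Target + 6)^ := $E0;
  VirtualProtect(Pointer(Target), ProtectLen, _oldPage, Dummy);
  FlushInstructionCache(GetCurrentProcess, Pointer(Target), PatchSize);
end;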
{ Button handler: (re)applies the GetModuleHandleA patch. }
procedure TForm1.btn1Click(Sender: TObject);
begin
  Hook();
end;
{ OnShow handler: applies the GetModuleHandleA patch as soon as the form is shown. }
procedure TForm1.FormShow(Sender: TObject);
begin
  Hook();
end;
end.
/////////////////////////////
{ DLL wrapper around Unit1. Exports Hook so a loader can call it directly; the
  initialization block below also creates and shows the form, whose OnShow
  calls Hook, so the patch is applied as soon as the library is loaded.
  NOTE(review): this begin..end runs during process attach, i.e. under the
  loader lock; creating and showing a VCL window there is documented by
  Microsoft as unsafe and may deadlock depending on the host — confirm. }
library hying7xUpK;
uses
  Windows,
  Unit1 in 'Unit1.pas' {Form1};
{$R *.res}
exports HooK;
begin
  // The owner passed is Form1 itself, which is still unassigned (nil) here.
  Form1:=TForm1.Create(form1);
  form1.Show;
end.
/////////////////////////////
object Form1: TForm1
Left = 525
Top = 164
BorderIcons = [biSystemMenu, biMinimize]
BorderStyle = bsSingle
Caption = 'Form1'
ClientHeight = 533
ClientWidth = 664
Color = clBtnFace
Font.Charset = DEFAULT_CHARSET
Font.Color = clWindowText
Font.Height = -11
Font.Name = 'MS Sans Serif'
Font.Style = []
OldCreateOrder = False
OnShow = FormShow
PixelsPerInch = 96
TextHeight = 13
object lbl1: TLabel
Left = 456
Top = 24
Width = 30
Height = 12
Caption = 'ESP->'
Font.Charset = ANSI_CHARSET
Font.Color = clWindowText
Font.Height = -12
Font.Name = #23435#20307
Font.Style = []
ParentFont = False
end
object lbl2: TLabel
Left = 456
Top = 224
Width = 30
Height = 12
Caption = 'EBP->'
Font.Charset = ANSI_CHARSET
Font.Color = clWindowText
Font.Height = -12
Font.Name = #23435#20307
Font.Style = []
ParentFont = False
end
object StringGrid1: TStringGrid
Left = 493
Top = 0
Width = 171
Height = 241
ColCount = 2
Ctl3D = True
DefaultRowHeight = 16
FixedCols = 0
RowCount = 50
Font.Charset = ANSI_CHARSET
Font.Color = clWindowText
Font.Height = -12
Font.Name = #23435#20307
Font.Style = []
Options = [goFixedVertLine, goFixedHorzLine, goVertLine, goHorzLine, goRangeSelect, goDrawFocusSelected, goRowSizing, goColSizing, goEditing, goTabs]
ParentCtl3D = False
ParentFont = False
ScrollBars = ssVertical
TabOrder = 0
ColWidths = (
74
77)
end
object btn1: TButton
Left = 16
Top = 16
Width = 121
Height = 33
Caption = 'HoOk'
TabOrder = 1
OnClick = btn1Click
end
end
/////////////////////
注入自己想办法,
要在被注入的程序目录下拷贝一个kernel32.dll为_kernel32.dll
大家其实一看代码就知道。我也不废话啦。希望对大家有用。让脱壳越来越简单,也是从另外一种思路去理解壳,不一定要去分析壳的代码才能脱壳。
http://bbs.pediy.com/showthread.php?t=14663
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, Grids;
type
  { Main form of the helper. StringGrid1 receives the stack slice captured by
    Transact; btn1 and OnShow both call Hook. }
  TForm1 = class(TForm)
    lbl1: TLabel;
    lbl2: TLabel;
    StringGrid1: TStringGrid;
    btn1: TButton;
    procedure btn1Click(Sender: TObject);
    procedure FormShow(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;
var
  Form1: TForm1;
  // Module handle of kernel32.dll; Hook later overwrites it with the address
  // of GetModuleHandleA inside that module (the byte range that gets patched).
  _kernel32hwnd:cardinal;
  // Previous page protection returned by VirtualProtect in Hook.
  _oldPage:Cardinal;
  // Address of the HGetmoduleHandleA stub, written into the patch as the jmp target.
  _hgetadr:cardinal;
  // Declared but never referenced anywhere in this unit.
  _modulehwnd:Cardinal;
  // Address of GetModuleHandleA in the separately loaded copy of kernel32
  // (C:\HooKDLLs\_kernel32.dll); the stub jumps here after Transact returns.
  __modulehwnd:Cardinal;
  // Module handle of that second kernel32 copy.
  __kernel32hwnd:cardinal;
  // esp/ebp saved by the stub on entry; Transact reads _esp to walk the stack.
  // Shared globals: a nested or concurrent entry into the hook overwrites them.
  _esp,_ebp:Cardinal;
  // Counts hook hits; shown in the MessageBox that pauses the process.
  _msgnum:Cardinal;
procedure Hook;
implementation
{$R *.dfm}
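{ Called from the HGetmoduleHandleA stub (`call transact` in its asm block)
  each time the patched GetModuleHandleA is entered. Fills Form1.StringGrid1
  with 101 dwords read upward from the hooked caller's stack, then blocks in a
  MessageBox so the process stays paused and can be inspected.
  Reads the globals _esp (saved by the stub) and _msgnum; increments _msgnum.
  Fix versus the original: Unit1.dfm declares the grid with RowCount = 50, but
  rows 1..101 were written, overrunning the grid; RowCount is now raised to fit
  the header plus all entries. The push/mov/pop asm used to read each dword is
  replaced by a plain typed-pointer dereference. }
procedure Transact;
const
  Entries = 101;       // stack slots 0..100, as in the original loop
  // The stub executes pushad (32 bytes) and pushfd (4 bytes) before saving esp,
  // so _esp + 36 is esp as it was when the patched function was entered.
  SavedRegsSize = 36;
var
  Slot: Cardinal;
  Addr: Cardinal;
begin
  Form1.StringGrid1.RowCount := Entries + 1;   // header row + Entries data rows
  Form1.StringGrid1.Cells[0, 0] := 'Address';
  Form1.StringGrid1.Cells[1, 0] := 'Value';
  for Slot := 0 to Entries - 1 do
  begin
    Addr := _esp + Slot * 4 + SavedRegsSize;
    Form1.StringGrid1.Cells[0, Slot + 1] := IntToHex(Addr, 8);
    Form1.StringGrid1.Cells[1, Slot + 1] := IntToHex(PCardinal(Addr)^, 8);
  end;
  // Deliberately modal: the hooked process remains stopped while the box is up.
  MessageBox(0, PChar(IntToHex(_msgnum, 8)), '警告', MB_OK + MB_ICONINFORMATION);
  Inc(_msgnum);
end;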
{ Stub that Hook installs over the first bytes of kernel32!GetModuleHandleA.
  Saves all general registers and the flags, records esp/ebp in the globals
  _esp/_ebp for Transact, calls Transact, restores the saved state and then
  continues into the untouched GetModuleHandleA of the second kernel32 copy
  (__modulehwnd), so the original call still completes.
  The saved state lives in globals, so this is neither reentrant nor
  thread-safe: a nested or concurrent call into the hook overwrites _esp/_ebp.
  `label _label1` is declared but never used. }
procedure HGetmoduleHandleA;
label _label1;
begin
asm
  pushad;              // 32 bytes of general registers
  pushfd;              // 4 bytes of flags
  mov _esp,esp;        // Transact adds 36 to get back to the entry-time esp
  mov _ebp,ebp;
  // Four extra pushad's push 128 bytes below the saved state before calling
  // into Pascal code; they are never popped because esp is restored wholesale
  // from _esp afterwards. Presumably scratch headroom; intent not stated.
  pushad;
  pushad;
  pushad;
  pushad;
  call transact;       // Pascal procedure; any registers it clobbers are restored by popad below
  mov ebp,_ebp;
  mov esp,_esp;        // discards the scratch pushes
  popfd;
  popad;
  // NOTE(review): a global variable as jmp operand — assumed to assemble as an
  // indirect jmp through __modulehwnd (address stored by Hook); confirm.
  jmp __modulehwnd;
end;
end;
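{ Redirects kernel32!GetModuleHandleA to the HGetmoduleHandleA stub.
  1. Loads the real kernel32.dll and a renamed private copy. The copy is read
     from C:\HooKDLLs\_kernel32.dll; note the accompanying text says to place
     the copy next to the target program, but this path is what the code uses.
  2. Resolves GetModuleHandleA in both. The copy's address (__modulehwnd) is
     where the stub jumps after Transact, so the real work still happens.
  3. Makes the first 100 bytes of the real function writable, writes
     `mov eax, @HGetmoduleHandleA` (B8 imm32) followed by `jmp eax` (FF E0),
     7 bytes in total, and restores the previous protection.
  Side effects: sets the globals _kernel32hwnd (left holding the function
  address, as the original did), __kernel32hwnd, __modulehwnd, _hgetadr, _oldPage.
  Changes versus the original:
  - LoadLibrary / GetProcAddress / VirtualProtect results are checked and the
    patch is skipped on failure. Previously a missing copy left __modulehwnd = 0
    and the stub would jump to address 0 on the next GetModuleHandleA call.
  - The patch window uses PAGE_EXECUTE_READWRITE instead of PAGE_READWRITE, so
    the function stays executable while its bytes are being rewritten.
  - Bytes are written through typed pointers instead of inline asm, and the
    instruction cache is flushed afterwards.
  Calling Hook twice (FormShow and btn1 both do) rewrites the same 7 bytes and
  bumps the module reference counts; harmless, but nothing undoes it. }
procedure Hook;
const
  PatchSize = 7;                               // B8 xx xx xx xx FF E0
  CopyPath = 'C:\HooKDLLs\_kernel32.dll';
  ProtectLen = 100;                            // range made writable, as in the original
var
  RealKernel32, CopyKernel32: HMODULE;
  Target: Cardinal;
  Dummy: DWORD;
begin
  RealKernel32 := LoadLibrary('kernel32.dll');
  CopyKernel32 := LoadLibrary(CopyPath);
  if (RealKernel32 = 0) or (CopyKernel32 = 0) then
  begin
    MessageBox(0, 'Hook: LoadLibrary failed (is C:\HooKDLLs\_kernel32.dll present?)',
      'Hook', MB_OK + MB_ICONERROR);
    Exit;
  end;
  _kernel32hwnd := RealKernel32;
  __kernel32hwnd := CopyKernel32;
  __modulehwnd := Cardinal(GetProcAddress(CopyKernel32, 'GetModuleHandleA'));
  Target := Cardinal(GetProcAddress(RealKernel32, 'GetModuleHandleA'));
  if (__modulehwnd = 0) or (Target = 0) then
  begin
    MessageBox(0, 'Hook: GetProcAddress(GetModuleHandleA) failed', 'Hook',
      MB_OK + MB_ICONERROR);
    Exit;
  end;
  // The rest of the unit expects the function address here once Hook has run.
  _kernel32hwnd := Target;
  _hgetadr := Cardinal(@HGetmoduleHandleA);
  if not VirtualProtect(Pointer(Target), ProtectLen, PAGE_EXECUTE_READWRITE, _oldPage) then
  begin
    MessageBox(0, 'Hook: VirtualProtect failed', 'Hook', MB_OK + MB_ICONERROR);
    Exit;
  end;
  PByte(Target)^ := $B8;                       // mov eax, imm32
  PCardinal(Target + 1)^ := _hgetadr;          //   imm32 = @HGetmoduleHandleA
  PByte(Target + 5)^ := $FF;                   // jmp eax
  PByte(Target + 6)^ := $E0;
  VirtualProtect(Pointer(Target), ProtectLen, _oldPage, Dummy);
  FlushInstructionCache(GetCurrentProcess, Pointer(Target), PatchSize);
end;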
{ Button handler: (re)applies the GetModuleHandleA patch. }
procedure TForm1.btn1Click(Sender: TObject);
begin
  Hook();
end;
{ OnShow handler: applies the GetModuleHandleA patch as soon as the form is shown. }
procedure TForm1.FormShow(Sender: TObject);
begin
  Hook();
end;
end.
/////////////////////////////
{ DLL wrapper around Unit1. Exports Hook so a loader can call it directly; the
  initialization block below also creates and shows the form, whose OnShow
  calls Hook, so the patch is applied as soon as the library is loaded.
  NOTE(review): this begin..end runs during process attach, i.e. under the
  loader lock; creating and showing a VCL window there is documented by
  Microsoft as unsafe and may deadlock depending on the host — confirm. }
library hying7xUpK;
uses
  Windows,
  Unit1 in 'Unit1.pas' {Form1};
{$R *.res}
exports HooK;
begin
  // The owner passed is Form1 itself, which is still unassigned (nil) here.
  Form1:=TForm1.Create(form1);
  form1.Show;
end.
/////////////////////////////
object Form1: TForm1
Left = 525
Top = 164
BorderIcons = [biSystemMenu, biMinimize]
BorderStyle = bsSingle
Caption = 'Form1'
ClientHeight = 533
ClientWidth = 664
Color = clBtnFace
Font.Charset = DEFAULT_CHARSET
Font.Color = clWindowText
Font.Height = -11
Font.Name = 'MS Sans Serif'
Font.Style = []
OldCreateOrder = False
OnShow = FormShow
PixelsPerInch = 96
TextHeight = 13
object lbl1: TLabel
Left = 456
Top = 24
Width = 30
Height = 12
Caption = 'ESP->'
Font.Charset = ANSI_CHARSET
Font.Color = clWindowText
Font.Height = -12
Font.Name = #23435#20307
Font.Style = []
ParentFont = False
end
object lbl2: TLabel
Left = 456
Top = 224
Width = 30
Height = 12
Caption = 'EBP->'
Font.Charset = ANSI_CHARSET
Font.Color = clWindowText
Font.Height = -12
Font.Name = #23435#20307
Font.Style = []
ParentFont = False
end
object StringGrid1: TStringGrid
Left = 493
Top = 0
Width = 171
Height = 241
ColCount = 2
Ctl3D = True
DefaultRowHeight = 16
FixedCols = 0
RowCount = 50
Font.Charset = ANSI_CHARSET
Font.Color = clWindowText
Font.Height = -12
Font.Name = #23435#20307
Font.Style = []
Options = [goFixedVertLine, goFixedHorzLine, goVertLine, goHorzLine, goRangeSelect, goDrawFocusSelected, goRowSizing, goColSizing, goEditing, goTabs]
ParentCtl3D = False
ParentFont = False
ScrollBars = ssVertical
TabOrder = 0
ColWidths = (
74
77)
end
object btn1: TButton
Left = 16
Top = 16
Width = 121
Height = 33
Caption = 'HoOk'
TabOrder = 1
OnClick = btn1Click
end
end
/////////////////////
注入自己想办法,
要在被注入的程序目录下拷贝一个kernel32.dll为_kernel32.dll
大家其实一看代码就知道。我也不废话啦。希望对大家有用。让脱壳越来越简单,也是从另外一种思路去理解壳,不一定要去分析壳的代码才能脱壳。
http://bbs.pediy.com/showthread.php?t=14663