Recall that in Chapter 16 (PE Viruses), Section 16.2.2, Virus Analysis Case 1, the sample we analyzed, Lab01-03.exe, was packed with FSG. In this section we analyze the FSG packer in detail.
Key points to master in this section:
Static analysis
Manual unpacking
17.3.1 Static Analysis
■ Characteristics of the FSG Packer
FSG is a classic packer used mainly to compress and encrypt executable files. Its characteristics and working principles are as follows:
● Compression: FSG compresses the executable with a custom, efficient compression algorithm to reduce file size. The packed file contains the decompression code and data needed to restore the original executable at run time.
● Encryption: Besides compression, FSG also encrypts the executable to strengthen its protection. Encryption helps prevent unauthorized access and modification, protecting the program's intellectual property and confidentiality.
● Run-time decompression: When the program runs, FSG first decrypts and decompresses the original executable, then loads it into memory for execution. Decompressing at run time helps protect the program's code and data from malicious tampering or inspection.
● Anti-debugging and anti-analysis: FSG usually includes anti-debugging and anti-analysis techniques that hinder debuggers and reverse-engineering tools, making the program harder to crack and tamper with.
● Resource optimization: Through compression and encryption, FSG helps reduce the program's resource footprint and load time, improving run-time efficiency and user experience.
Experiment 115: Static Analysis of the FSG Packer
Let us use WinHex to statically analyze the FSG packer and compare the file before and after packing.
■ Static Analysis
Analysis environment: VMware 16.2.1, Windows XP.
Samples:
Original program HelloWorld.exe;
Packed program HelloWorld_fsg.exe;
Unpacked program HelloWorld_unfsg.exe;
[Note] The sample programs do not run on 64-bit Windows.
● Before packing
Drag the original program HelloWorld.exe into WinHex. The PE header is as follows:
000000B0 50 45 00 00 4C 01 03 00 8C 10 A7 60 00 00 00 00 PE..L...?....
000000C0 00 00 00 00 E0 00 0F 01 0B 01 05 0C 00 02 00 00 ....?..........
000000D0 00 04 00 00 00 00 00 00 00 10 00 00 00 10 00 00 ................
000000E0 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00 . ....@.........
000000F0 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
00000100 00 40 00 00 00 04 00 00 00 00 00 00 02 00 00 00 .@..............
00000110 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
00000120 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
00000130 10 20 00 00 3C 00 00 00 00 00 00 00 00 00 00 00 . ..<...........
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000180 00 00 00 00 00 00 00 00 00 20 00 00 10 00 00 00 ......... ......
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001A0 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 .........text...
000001B0 24 00 00 00 00 10 00 00 00 02 00 00 00 04 00 00 $...............
000001C0 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
000001D0 2E 72 64 61 74 61 00 00 92 00 00 00 00 20 00 00 .rdata..?... ..
000001E0 00 02 00 00 00 06 00 00 00 00 00 00 00 00 00 00 ................
000001F0 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00 00 ....@..@.data...
00000200 0D 00 00 00 00 30 00 00 00 02 00 00 00 08 00 00 .....0..........
00000210 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0 ............@..
1. NumberOfSections: number of sections, 3;
2. AddressOfEntryPoint: program entry point, 0x1000;
3. BaseOfCode: start of the code section, 0x1000;
4. BaseOfData: start of the data section, 0x2000;
5. ImageBase: preferred load address, 0x4000;
6. SectionAlignment: memory alignment granularity, 0x1000;
7. FileAlignment: file alignment granularity, 0x200;
8. SizeOfImage: size of the loaded image, 0x4000;
9. Import table RVA: 0x2010;
10. Import address table (IAT) RVA: 0x2000;
11. The three sections:
.text
00000400 6A 00 6A 00 68 00 30 40 00 6A 00 E8 08 00 00 00 j.j.h.0@.j.?...
00000410 6A 00 E8 07 00 00 00 CC FF 25 08 20 40 00 FF 25 j.?...?%. @.%
00000420 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 . @.............
.rdata
00000600 76 20 00 00 00 00 00 00 5C 20 00 00 00 00 00 00 v ......\ ......
00000610 54 20 00 00 00 00 00 00 00 00 00 00 6A 20 00 00 T ..........j ..
00000620 08 20 00 00 4C 20 00 00 00 00 00 00 00 00 00 00 . ..L ..........
00000630 84 20 00 00 00 20 00 00 00 00 00 00 00 00 00 00 ?... ..........
00000640 00 00 00 00 00 00 00 00 00 00 00 00 76 20 00 00 ............v ..
00000650 00 00 00 00 5C 20 00 00 00 00 00 00 B1 01 4D 65 ....\ ......?Me
00000660 73 73 61 67 65 42 6F 78 41 00 75 73 65 72 33 32 ssageBoxA.user32
00000670 2E 64 6C 6C 00 00 9B 00 45 78 69 74 50 72 6F 63 .dll..?ExitProc
00000680 65 73 73 00 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C ess.kernel32.dll
.data
00000800 48 65 6C 6C 6F 57 6F 72 6C 64 50 45 00 00 00 00 HelloWorldPE....
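As an added example (not code from the book), the following Python script transcribes the HelloWorld.exe header bytes from the dump above, parses out the fields listed in items 1 to 11 together with the section table, and then applies a few cheap static heuristics that packed files tend to trip; the heuristics are my own choice of checks, not part of FSG or of the book's procedure. Note that the four bytes 00 00 40 00 at file offset 0xE4 decode to an ImageBase of 0x00400000.

```python
import struct
# HelloWorld.exe, file offsets 0xB0-0x21F, transcribed from the WinHex dump above
HEADER = bytes.fromhex(
    # 0xB0: "PE\0\0" signature and IMAGE_FILE_HEADER (20 bytes)
    "50450000 4C010300 8C10A760 00000000 00000000 E0000F01"
    # 0xC8: IMAGE_OPTIONAL_HEADER32 through NumberOfRvaAndSizes (96 bytes)
    "0B01050C 00020000 00040000 00000000 00100000 00100000 00200000 00004000"
    "00100000 00020000 04000000 00000000 04000000 00000000 00400000 00040000"
    "00000000 02000000 00001000 00100000 00001000 00100000 00000000 10000000"
    # 0x128: 16 data directories; only Import (index 1) and IAT (index 12) are non-zero
    "00000000 00000000 10200000 3C000000") + bytes(80) + bytes.fromhex(
    "00200000 10000000") + bytes(24) + bytes.fromhex(
    # 0x1A8: three IMAGE_SECTION_HEADERs (40 bytes each): .text, .rdata, .data
    "2E746578 74000000 24000000 00100000 00020000 00040000 00000000 00000000 00000000 20000060"
    "2E726461 74610000 92000000 00200000 00020000 00060000 00000000 00000000 00000000 40000040"
    "2E646174 61000000 0D000000 00300000 00020000 00080000 00000000 00000000 00000000 400000C0")


def parse_pe_header(blob, pe_off=0):
    """Return the header fields listed above; blob[pe_off:] must start at the PE signature."""
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _machine, nsections, _stamp, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    opt = pe_off + 24                                  # IMAGE_OPTIONAL_HEADER32 follows the 20-byte file header
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (Magic 0x10B) is handled")
    entry, base_code, base_data, image_base, sect_align, file_align = struct.unpack_from("<6I", blob, opt + 16)
    size_image, ndirs = struct.unpack_from("<I", blob, opt + 56)[0], struct.unpack_from("<I", blob, opt + 92)[0]
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(ndirs)]  # (RVA, size) pairs
    sections = []
    for i in range(nsections):                         # section table begins right after the optional header
        name, vsize, va, raw_size, raw_ptr, *_, flags = struct.unpack_from("<8s6I2HI", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
    return {"entry": entry, "base_code": base_code, "base_data": base_data, "image_base": image_base,
            "sect_align": sect_align, "file_align": file_align, "size_image": size_image,
            "import_dir": dirs[1], "iat_dir": dirs[12], "sections": sections}


def packer_indicators(hdr):
    """Cheap static hints of packing; an unpacked build such as HelloWorld.exe should yield none."""
    hints = []
    for s in hdr["sections"]:
        if (s["flags"] & 0xA0000000) == 0xA0000000:    # IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
            hints.append(f"{s['name']} is writable and executable")
        if s["vsize"] > 2 * max(s["raw_size"], hdr["file_align"]):   # room to unpack into at run time
            hints.append(f"{s['name']} grows in memory: VirtualSize 0x{s['vsize']:X} vs raw 0x{s['raw_size']:X}")
    first = hdr["sections"][0]
    if not first["va"] <= hdr["entry"] < first["va"] + max(first["vsize"], first["raw_size"]):
        hints.append(f"entry point 0x{hdr['entry']:X} lies outside the first section")
    return hints
```

Running `parse_pe_header(HEADER)` reproduces the values read off the dump by hand (3 sections, entry 0x1000, import table at RVA 0x2010, IAT at RVA 0x2000, section table at file offset 0xB0 + 24 + 0xE0 = 0x1A8), and `packer_indicators` returns an empty list for this unpacked build.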
● After packing
Drag the packed program HelloWorld_fsg.exe into WinHex. The PE header is as follows:
00000000 4D 5A 00 00 00 00 00 00 00 00 00 00 50 45 00 00 MZ..........PE..
00000010 4C 01 02 00 46 53 47 21 00 00 00 00 00 00 00 00 L...FSG!........
00000020 E0 00 0F 01 0B 01 00 00 00 02 00 00 00 04 00 00 ?..............
00000030 00 00 00 00 54 01 00 00 00 10 00 00 0C 00 00 00 ....T...........
00000040 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 ..@.............
00000050 00 00 00 00 04 00 00 00 00 00 00 00 00 60 00 00 .............`..
00000060 00 02 00 00 00 00 00 00 02 00 00 00 00 00 10 00 ................
00000070 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 ................
00000080 10 00 00 00 00 00 00 00 00 00 00 00 7C 50 00 00 ............|P..
00000090 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?..............
000000A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................