很早的时候,在研究怎么给驱动加壳时,忘了从哪得到了这个 exeshell 小工具(这个小工具好像是 V 大写的,我也不是很确定,希望 V 大不要生气呵呵)。它可以给 sys 文件"加密",从而在一定程度上拖延 sys 被人用 F5(Hex-Rays 反编译)分析的时间,于是当时就花了几天把它逆了。简单地说,它就是把 sys 文件的 .text 段逐字节与 0x44 异或——这属于单字节 XOR 混淆而非真正的加密:密钥直接硬编码在下面的解密 stub 里(字节序列 `80 34 08 44` 即 `xor byte ptr [eax+ecx], 44h`),只要定位到该 stub、或者对 .text 段再做一次同样的异或即可还原;而且从 stub 的逻辑看解密是在加载时就地完成的,之后代码在内存中就是明文,所以它只能拖延静态分析,对动态调试或内存 dump 基本没有作用。具体可以看 idb 的 sub_4014A0 函数。
关键代码:
BOOL CEncrptySYSDlg::EncrptySYS(HANDLE hFile,DWORD dwbase)
{
DWORD Reloc_Size;
PIMAGE_SECTION_HEADER SectionHeader,pRelocSection, pTextSection;
int SECTION_ALIGN_MENT;
int nRet =0;
DWORD dwBytesWritten = 0;
//这里是从exeshell中扒出来的花指令
unsigned char Encrptycode[] =
{
0x9C,0x60,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0xE8,0x00,0x00,0x00,0x00,0x5B,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,
0x00,0xE8,0x8B,0xCB,0x49,0x66,0x8B,0x11,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x66,0x81,0xFA,0x4D,0x5A,0x75,0xE8,0x0F,0x80,0x07,0x00,
0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x8B,0x51,0x3C,0x03,0xD1,0x66,0x8B,0x02,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x66,0x3D,
0x50,0x45,0x75,0xC0,0x51,0x52,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x81,0xC2,0xF8,0x00,0x00,0x00,0x8B,0x42,0x0C,0x03,0xC1,0x8B,0x4A,
0x08,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x80,0x34,0x08,0x44,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0xE2,
0xE0,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x80,0x30,0x44,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0xB8,0x11,
0x11,0x11,0x11,0x5A,0x59,0x8B,0xE9,0x85,0xC0,0x0F,0x84,0x9D,0x00,0x00,0x00,0x03,0xC1,0x8B,0x18,0x8B,0x70,0x04,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,
0x00,0x00,0xE8,0x8B,0xC0,0x33,0xC9,0x8B,0xF8,0x83,0xC7,0x08,0x50,0x56,0x0F,0xB7,0x07,0x66,0x85,0xC0,0x74,0x4C,0x66,0x25,0xFF,0x0F,0x51,0x8B,0xF5,0x03,0xF0,0x03,
0xF3,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x8B,0x0E,0x2B,0x4A,0x34,0x03,0xCD,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,
0x00,0xE8,0x89,0x0E,0x59,0x41,0x47,0x47,0x5E,0x56,0x83,0xEE,0x08,0xD1,0xEE,0x3B,0xCE,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x73,0x02,
0xEB,0xAC,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x8B,0xC0,0x5E,0x58,0x03,0xC6,0x8B,0x30,0x85,0xF6,0x0F,0x85,0x72,0xFF,0xFF,0xFF,0x0F,
0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0xB8,0x22,0x22,0x22,0x22,0x03,0xC5,
0xE8,0x08,0x00,0x00,0x00,0xB8,0x00,0x00,0x00,0x00,0xFF,0xE0,0xE9,0x5A,0x0F,0x80,0x07,0x00,0x00,0x00,0x0F,0x81,0x01,0x00,0x00,0x00,0xE8,0x8B,0xC0,0x89,0x42,0x01,
0x61,0x9D,0xEB,0xE1,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0xCC,0x00
};
Reloc_Size = NtHeader-
逆向还原exeshell一个可以给sys加花的小东西