• 我们在哪一颗星上见过 ,以至如此相互思念 ;我们在哪一颗星上相互思念过,以至如此相互深爱
  • 我们在哪一颗星上分别 ,以至如此相互辉映 ;我们在哪一颗星上入睡 ,以至如此唤醒黎明
  • 认识世界 克服困难 洞悉所有 贴近生活 寻找珍爱 感受彼此
> 逆向工程 > 恶意代码技术理论 > 恶意代码技术理论:IDAPython应用实例

恶意代码技术理论:IDAPython应用实例

恶意代码技术理论 云涯 3年前 (2021-07-06) 1402次浏览

解决Findr混淆

findr混淆第一版

def patch_jcc32(addr):#addr是一个字节
PatchByte(addr, 0x90)
PatchByte(addr+1, 0xE9)
PatchWord(addr+6, 0x9090)
PatchDword(addr+8,0x90909090)
def is_jump_near_pair(addr):
jcc1 = Byte(addr+1)
jcc2 = Byte(addr+7)
if Byte(addr) != 0x0F or Byte(addr+6) != 0x0F:
return False

if (jcc1 & 0xF0 != 0x80) or (jcc2 & 0xF0 != 0x80):
return False

if abs(jcc1-jcc2) != 1:
return False

dst1 = Dword(addr+2)
dst2 = Dword(addr+8)

if dst1-dst2 != 6:
print 'err'
return False
return True

def patch_jcc8(addr):
PatchByte(addr, 0xEB)
PatchWord(addr+2, 0x9090)

def is_jcc8(b):
return b&0xF0 == 0x70
def is_jump_short_pair(addr):
jcc1 = Byte(addr)
jcc2 = Byte(addr+2)
if not is_jcc8(jcc1) or not is_jcc8(jcc2):
return False
if abs(jcc2 - jcc1) != 1:
return False
dst1 = Byte(addr+1)
dst2 = Byte(addr+3)
if dst1 - dst2 != 2:
return False
return True

near_addr = 0x0117CC55
short_addr = 0x0117CAE5
near = is_jump_near_pair(near_addr)
short = is_jump_short_pair(short_addr)
if near== True:
patch_jcc32(near_addr)
print 'near_yes'
else:
print 'near_no'

if short== True:
patch_jcc8(short_addr)
print 'short_yes'
else:
print 'short_no'

第二版

def patch_jcc32(addr):#addr是一个字节
PatchByte(addr, 0x90)
PatchByte(addr+1, 0xE9)
PatchWord(addr+6, 0x9090)
PatchDword(addr+8,0x90909090)
def is_jump_near_pair(addr):
jcc1 = Byte(addr+1)
jcc2 = Byte(addr+7)
if Byte(addr) != 0x0F or Byte(addr+6) != 0x0F:
return False

if (jcc1 & 0xF0 != 0x80) or (jcc2 & 0xF0 != 0x80):
return False

if abs(jcc1-jcc2) != 1:
return False

dst1 = Dword(addr+2)
dst2 = Dword(addr+8)

if dst1-dst2 != 6:
print 'err'
return False
return True

def patch_jcc8(addr):
PatchByte(addr, 0xEB)
PatchWord(addr+2, 0x9090)

def is_jcc8(b):
return b&0xF0 == 0x70
def is_jump_short_pair(addr):
jcc1 = Byte(addr)
jcc2 = Byte(addr+2)
if not is_jcc8(jcc1) or not is_jcc8(jcc2):
return False
if abs(jcc2 - jcc1) != 1:
return False
dst1 = Byte(addr+1)
dst2 = Byte(addr+3)
if dst1 - dst2 != 2:
return False
return True


import idc
start = 0x0117C773
end = 0x0117D241

addr = start
while addr <= end:
near = is_jump_near_pair(addr)
short = is_jump_short_pair(addr)
print hex(addr),near,short
if near == True:
patch_jcc32(addr)
print 'near_yes'
if short == True:
patch_jcc8(addr)
print 'short_yes'
addr = NextHead(addr,end)

 

混淆地方归零通用

import idaapi
start = here()
end = NextHead(start)
for ea in range(start,end):
PatchByte(ea,0x90)
Jump(end)
Refresh()

 

解密应用

参考链接:

https://unit42.paloaltonetworks.com/using-idapython-to-make-your-life-easier-part-1/

https://unit42.paloaltonetworks.com/using-idapython-to-make-your-life-easier-part-2/

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

云涯历险记 , 版权所有丨如未注明 , 均为原创丨本网站采用BY-NC-SA协议进行授权
转载请注明原文链接:恶意代码技术理论:IDAPython应用实例
喜欢 (0)