Acrobat Reader 5.0的反跟蹤程式碼部分
HI,大家好!已經很久沒有帖東西了!由於比較忙!(其實是懶^_^)!
今天想用Acrobat Reader 5.0看看書!沒想到啟動後顯示了一個點陣圖,做一些初使化後就不見了蹤影!一連試了幾次!嗯??我的機子不會爛到連這個軟體都不能執行的地步吧!想了想。。。。。噢!是不是又是SICE在搗鬼!由於我平時總喜歡掛著它!總會引起一些不必要的麻煩!唉!沒辦法,執行frogsice擋一擋吧!咦!我倒~~~~~~~~不管用!氣死我了!追追它!看來是怎麼發現我的寶貝的!
經過一番跟蹤,發現反SICE的程式碼在DocBox.api這個外掛中!
好吧。繼續...........
:37020654 0F014DD6 sidt
[ebp-2A] *********
:37020658 8A45CC
mov al, byte ptr [ebp-34]
:3702065B 84C0
test al, al
:3702065D 0F84D8430100 je 37034A3B
:37034A3B 33C0
xor eax, eax
:37034A3D 8B55D0
mov edx, dword ptr [ebp-30]
:37034A40 397A20
cmp dword ptr [edx+20], edi
:37034A43 0F95C0
setne al
:37034A46 3BC7
cmp eax, edi
:37034A48 740A
je 37034A54
:37034A4A 6A02
push 00000002
:37034A4C E8DE9FFDFF call 3700EA2F
:37034A51 83C404
add esp, 00000004
:37034A54 33C0
xor eax, eax
:37034A56 8B4DD8
mov ecx, dword ptr [ebp-28] 得到中斷描述符表的基地址
:37034A59 668B5144 mov
dx, word ptr [ecx+44] 得到偏移值為44h(68d)的兩個位元組
:37034A5D 6681F20005 xor dx,
0500
:37034A62 F6C61F
test dh, 1F
:37034A65 7505
jne 37034A6C
:37034A67 B801000000 mov eax,
00000001
:37034A6C 3BC7
cmp eax, edi
:37034A6E 740A
je 37034A7A
:37034A70 6A03
push 00000003
:37034A72 E8B89FFDFF call 3700EA2F
:37034A77 83C404
add esp, 00000004
當在讀取中斷描述符表偏移值為44h的兩個位元組時,值為8500h!不管它,繼續跟下去!已經離死不遠了!F10帶過call 3700EA2F時!就退出程式了!裡面呼叫了EXITPROCESS!那麼只有向上找找看了!
其實有經驗的人早就應該知道!在執行SIDT這條命令的時候,就應該和我們們的目標不遠了!一般的程式不可能用到這個指令!TEST指令後,強制跳躍!避開那個CALL指令後來到了下面
.........
:37034AE1 6A03
push 00000003
:37034AE3 53
push ebx
:37034AE4 53
push ebx
:37034AE5 53
push ebx
:37034AE6 8B4D8C
mov ecx, dword ptr [ebp-74]
:37034AE9 51
push ecx <== //./SICE
:37034AEA FF1524210537 call dword ptr
[37052124] <===CreateFilea
:37034AF0 8BF0
mov esi, eax
:37034AF2 8B558C
mov edx, dword ptr [ebp-74]
:37034AF5 85D2
test edx, edx
:37034AF7 7433
je 37034B2C
:37034AF9 8BFA
mov edi, edx
:37034AFB 83C9FF
or ecx, FFFFFFFF
:37034AFE 33C0
xor eax, eax
:37034B00 F2
repnz
:37034B01 AE
scasb
:37034B02 F7D1
not ecx
:37034B04 49
dec ecx
:37034B05 B85A7DBDBC mov eax,
BCBD7D5A
:37034B0A 8D80623FFFFF lea eax, dword
ptr [eax+FFFF3F62]
:37034B10 8BFA
mov edi, edx
:37034B12 8BD1
mov edx, ecx
:37034B14 C1E902
shr ecx, 02
:37034B17 F3
repz
:37034B18 AB
stosd
:37034B19 8BCA
mov ecx, edx
:37034B1B 83E103
and ecx, 00000003
:37034B1E F3
repz
:37034B1F AA
stosb
:37034B20 8B458C
mov eax, dword ptr [ebp-74]
:37034B23 50
push eax
:37034B24 E810030000 call 37034E39
:37034B29 83C404
add esp, 00000004
:37034B2C 83FEFF
cmp esi, FFFFFFFF <======R U OK?
:37034B2F 740C
je 37034B3D <==jump is OK!
:37034B31 56
push esi
* Reference To: KERNEL32.CloseHandle, Ord:001Bh
|
:37034B32 FF156C330637 Call dword ptr
[3706336C]
:37034B38 BBCA104000 mov ebx,
004010CA
:37034B3D 85DB
test ebx, ebx
大家已經看到了!這又是一個檢測SICE的方法!也是最常用的!但如果你直接用CREATEFILEA來設斷攔截是沒用的!這個程式是用GETPROCADDRESS來找入口地址來呼叫的!玩了一個小把戲!有些病毒就是這麼做的!
好了,到此也就差不多了!剩下的事就簡單了!改改它就OK了!可有個問題還不清楚!讀中斷描術符表第68的兩個位元組有什麼用??問我??我也不清楚!請高手明示吧!!!!!!
.386
.model flat, stdcall
option casemap :none
include /masm32/include/windows.inc
include /masm32/include/user32.inc
includelib /masm32/lib/user32.lib
include /masm32/include/kernel32.inc
includelib /masm32/lib/kernel32.lib
.data
format db "%x",0
.data?
char db 4 dup(?)
.code
start:
sidt [esp-2]
pop eax
xor ebx,ebx
mov bx,word ptr [eax+44h]
invoke wsprintf,addr char,addr format,ebx
invoke MessageBox,0,addr char,0,MB_OK
invoke ExitProcess,0
end start
不過我做了個實驗:用MASM32編了上面的程式!來實現讀出IDT的第68處的兩個位元組!我試過了,在沒掛SICE的情況下是8E00h,在掛SICE的情況下是8500h!難不成這是SICE駐留的標誌??有意思!!請哪位高手回答一下吧!
全文完!
garfield
China Cracking Group
2001.8.14