An Interesting Automated Reverse-Engineering Tool
2023-4-18 23:15:44 Author: MicroPest

Many old friends got together today, which was a real pleasure!

One of them recommended the tool introduced below. I spent some time this evening looking into it, and it is quite interesting, especially the way it automatically records a program's execution, which resembles something a friend of mine wrote years ago. At the moment the tool is operated manually; if it were rewritten as a driver it would become a very good and creative low-level tool.

The feature list:

  • Imports information - along with DLL name, function name, and address.
  • Intercept all commands executed - system(), ShellExecuteEx(), etc.
  • Intercept all thread creations - APIs like std::thread, CreateThread(), etc.
  • Intercept URLs - APIs like UrlDownloadToFileA and InternetOpenUrlA, etc.
  • Threads - lists thread ids along with cpu usage, allows you to suspend them with a button.
  • Bypass common debugger checks - CheckRemoteDebugger() and IsDebuggerPresent().
  • Anti-BSOD for common usermode BSOD methods which abuse the RtlAdjustPrivilege.
  • Easy-to-use interface powered by ImGui.
  • Hook library with a normal JMP hook and trampoline hook.

Quite powerful.

1. First, a screenshot of the result:

2. Implementation:

(1) The test program ConsoleApplication1.exe calls the function "URLDownloadToFileA" (a download function) as well as "IsDebuggerPresent" and "CheckRemoteDebuggerPresent" (debugger-detection functions), as in the example below:

```cpp
#include <windows.h>
#include <urlmon.h>
#include <cstdio>
#include <cstdlib>
#include <iostream>

// URLDownloadToFileA is exported from urlmon.dll; without linking urlmon.lib
// (this pragma or the equivalent project setting) MSVC reports an
// unresolved-external LNK error.
#pragma comment(lib, "urlmon.lib")

int main()
{
    std::cout << "Hello World!\n Please press any key...\n";
    getchar();

    // The download call that ReverseKit's URL intercept records.
    URLDownloadToFileA(NULL, "http://192.168.10.110", "f.txt", 0, NULL);

    // The two debugger checks that ReverseKit hooks.
    BOOL isDebuggerPresent = IsDebuggerPresent();
    BOOL isRemoteDebuggerPresent = FALSE;
    HANDLE process = GetCurrentProcess();
    CheckRemoteDebuggerPresent(process, &isRemoteDebuggerPresent);

    if (isDebuggerPresent || isRemoteDebuggerPresent)
    {
        printf("Debugger detected;\n");
        exit(0);
    }

    printf("No debuggers detected\n");
    getchar();
    return 0;
}
```

Compile it as an x64 program.

(2) During this step I ran into an LNK linker error:

I searched Google for the cause:

Plenty of answers came up, but none of them worked, which was disappointing. In the end ChatGPT solved it cleanly:

(3) The reverse-engineering tool ReverseKit.dll: a look at the key code sections,

DLL entry point:

The hooked functions:

There is a lot of code inside; anyone who needs it can study it in detail. The download is at the end.

This is also compiled as x64.

(4) Method: run ConsoleApplication1.exe, inject ReverseKit.dll, and it monitors and records the actions of ConsoleApplication1.exe as they happen. The output is shown in the figure:

Compare it against the program for a deeper understanding:
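To make the "JMP hook + trampoline" mechanism from the feature list concrete, here is an added illustration of how such a hook is built (my own example, not ReverseKit's code): the patch written over the target is a 5-byte `E9 rel32` jump to the detour, and the trampoline is the overwritten prologue bytes followed by a jump back, so the detour can still call the genuine function. The Windows-only part installs it on IsDebuggerPresent and simply logs each call while passing the real result through; the prologue length `n` and the trampoline buffer name are assumptions (the length must come from a length disassembler so whole instructions are copied).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
#define JMP_LEN 5 /* E9 rel32: the "normal JMP hook" of the feature list */

/* Encode "jmp to" placed at address from. Returns 0 when the target is out of
   rel32 range, which does happen on x64 when hook and target are far apart. */
size_t build_rel_jmp(uint8_t *out, uint64_t from, uint64_t to) {
    int64_t disp = (int64_t)(to - (from + JMP_LEN));
    if (disp > INT32_MAX || disp < INT32_MIN) return 0;
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)((uint32_t)disp >> (8 * i));
    return JMP_LEN;
}

/* Trampoline: the whole instructions the patch overwrites (n >= 5; n must come
   from a length disassembler, assumed here) followed by a jump back to target+n. */
size_t build_trampoline(uint8_t *out, uint64_t out_addr, const uint8_t *stolen,
                        size_t n, uint64_t target) {
    size_t j;
    memcpy(out, stolen, n);
    j = build_rel_jmp(out + n, out_addr + n, target + n);
    return j ? n + j : 0;
}

#ifdef _WIN32 /* installation needs writable code pages: Windows-only part */
typedef BOOL (WINAPI *IsDebuggerPresent_fn)(void);
static uint8_t g_tramp[32]; /* assumed trampoline buffer, made executable below */

/* Detour: log the call, then forward to the original through the trampoline. */
static BOOL WINAPI IsDebuggerPresent_detour(void) {
    BOOL r = ((IsDebuggerPresent_fn)g_tramp)();
    fprintf(stderr, "[hook] IsDebuggerPresent() -> %d\n", r);
    return r;
}

/* usage: install_hook((uint8_t *)IsDebuggerPresent, IsDebuggerPresent_detour, n); */
static int install_hook(uint8_t *target, void *detour, size_t prologue_len) {
    uint8_t patch[JMP_LEN]; DWORD old;
    if (!build_trampoline(g_tramp, (uintptr_t)g_tramp, target, prologue_len,
                          (uintptr_t)target)) return -1;
    if (!build_rel_jmp(patch, (uintptr_t)target, (uintptr_t)detour)) return -1;
    VirtualProtect(g_tramp, sizeof g_tramp, PAGE_EXECUTE_READWRITE, &old);
    VirtualProtect(target, prologue_len, PAGE_EXECUTE_READWRITE, &old);
    memcpy(target, patch, JMP_LEN);
    VirtualProtect(target, prologue_len, old, &old);
    FlushInstructionCache(GetCurrentProcess(), target, prologue_len);
    return 0;
}
#endif
```

Because the detour returns whatever the trampolined original returns, this records the debugger check rather than defeating it; the out-of-range case is where a real hook library falls back to a longer absolute jump.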

```cpp
    URLDownloadToFileA(NULL, "http://192.168.10.110", "f.txt", 0, NULL);

    BOOL isDebuggerPresent = IsDebuggerPresent();
    BOOL isRemoteDebuggerPresent = FALSE;
    HANDLE process = GetCurrentProcess();
    CheckRemoteDebuggerPresent(process, &isRemoteDebuggerPresent);

    if (isDebuggerPresent || isRemoteDebuggerPresent)
    {
        printf("Debugger detected;\n");
        exit(0);
    }

    printf("No debuggers detected\n");
    getchar();
    return 0;
```

(5) I recorded a short video, shown below:

(6) The two source packages:

ReverseKit download:

Link: https://pan.baidu.com/s/18QVdr9lFIGnF5c6y61YFqw

Extraction code: 9nug

ConsoleApplication1 download:

Link: https://pan.baidu.com/s/10Sz5IA6CH0dhnfRJ1NAm_A

Extraction code: gu4e


Source: http://mp.weixin.qq.com/s?__biz=MjM5NDcxMDQzNA==&mid=2247487736&idx=1&sn=67590a05e00bdc07ac0fd232c36867d6&chksm=a682c63591f54f23fc33a7f9e84b34ebe20a5deae8ff4d451e9d1b483eee51bda5171fd04572#rd