
Implementation of a Windows encryption shell (packer)

2022-06-27 02:52:00 Sili can't write code

Preface

An encryption shell (packer) is a relatively elementary kind of shell. The source links at the end of this article point to two different implementations, whose encryption granularity is completely different.

Shell overview

A shell generally serves two purposes: compressing the executable and hindering reverse engineering.

DbgView.exe is the original program and Dbgview_pack.ext is the packed program; you can see that the size on disk is reduced by half.
Of course, the source code in this article does not handle relocations, so running the packed program may crash. Programs that do not need relocation, such as the Minesweeper program in the source code, work without many problems.


[Figure: schematic diagram of the encryption shell in this article]

Source build

First we write a GUI program that lets the user choose the exe to be packed.

The UI code is skipped here; what matters is the handler that runs when the button is clicked:

//szSrcExePath  the exe to be packed
//szDstExePath  the output packed exe
bool CPacker::Pack(const char* szSrcExePath, const char* szDstExePath)
{
	/* 1. Parse the PE */
	if (!AnalyzePE(szSrcExePath))
	{
		return false;
	}

	/* Collect import table information */
	if (!GetImpInfos())
	{
		return false;
	}

	/* 2. Compress the sections and obtain the compressed data */
	if (!Compress())
	{
		return false;
	}

	/* 3. Get the shell (stub) code */
	if (!GetCode())
	{
		return false;
	}

	/* 4. Build the packed PE */

	//1. Prepare the section data
	if (!GetSecData())
	{
		return false;
	}

	//2. Construct the new section table
	if (!GetNewSecHdrs())
	{
		return false;
	}

	//3. Construct the new PE header
	if (!GetNewPeHdr())
	{
		return false;
	}

	//4. Write the file
	if (!WriteNewPE2File(szDstExePath))
	{
		return false;
	}

	return true;
}

We will explain each step in the order the functions are called.
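As an added example (not the article's code or the linked repositories'), here is the arithmetic behind the "construct a new section table" step: the section that will hold the compressed data and the stub is appended after the last existing section, with its virtual address and file offset rounded up to SectionAlignment and FileAlignment respectively, and SizeOfImage is recomputed. The struct layout and flag values mirror the Windows SDK's IMAGE_SECTION_HEADER; the sample section values and the name ".pack" are constructed.

```c
/* Added example: compute the header of the extra section a packer appends.
 * A minimal IMAGE_SECTION_HEADER is declared so this compiles without
 * windows.h; field names and flag values follow the Windows SDK. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SCN_CNT_CODE    0x00000020u
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u

typedef struct {                 /* same 40-byte layout as IMAGE_SECTION_HEADER */
    uint8_t  Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} SecHdr;

/* Round v up to a multiple of align (align is a power of two). */
static uint32_t align_up(uint32_t v, uint32_t align) {
    return (v + align - 1) & ~(align - 1);
}

/* Fill *out with a section placed directly after *last, both in memory and in
 * the file. sec_align/file_align are SectionAlignment/FileAlignment from the
 * optional header. Returns the new SizeOfImage the optional header must carry. */
uint32_t append_section(const SecHdr *last, SecHdr *out, const char *name,
                        uint32_t raw_len, uint32_t sec_align, uint32_t file_align,
                        uint32_t characteristics) {
    size_t n = strlen(name);
    memset(out, 0, sizeof *out);
    memcpy(out->Name, name, n > 8 ? 8 : n);   /* Name is zero-padded, not NUL-terminated */
    out->VirtualAddress   = align_up(last->VirtualAddress + last->VirtualSize, sec_align);
    out->VirtualSize      = raw_len;
    out->PointerToRawData = align_up(last->PointerToRawData + last->SizeOfRawData, file_align);
    out->SizeOfRawData    = align_up(raw_len, file_align);
    out->Characteristics  = characteristics;
    return align_up(out->VirtualAddress + out->VirtualSize, sec_align);
}

int main(void) {
    /* Constructed sample: the last section (.rsrc) of the original exe. */
    SecHdr last = { ".rsrc", 0x1234, 0x5000, 0x1400, 0x3000, 0, 0, 0, 0, IMAGE_SCN_MEM_READ }, stub;
    uint32_t image = append_section(&last, &stub, ".pack", 0x2345, 0x1000, 0x200,
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
    printf("VA=%#x raw=%#x rawsize=%#x SizeOfImage=%#x\n",
           stub.VirtualAddress, stub.PointerToRawData, stub.SizeOfRawData, image);
    return 0;
}
```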

Source links

Implementation 1: compresses the sections separately and erases the import table.

Encryption shell source code (erases the import table, etc.)

Implementation 2: encrypts the whole original EXE. It is stored in two repositories: one is the shellcode that decompresses the program, the other is the compression tool.

Compression tool source code
Shellcode source code


Copyright notice
This article was written by [Sili can't write code]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/178/202206270241500672.html