
●病毒代码中带有SEH、强制程序跑错、是不是用OD跟踪不了病毒了,该怎么解决


跟踪到红色代码部分（下面 00401058 处的 MOV EAX,DWORD PTR DS:[ESI]，此时 ESI=0，读地址 0 触发访问违例）时，OD 就进行不下去了
00401000 >/$ 33DB XOR EBX,EBX
00401002 |. 8B1C24 MOV EBX,DWORD PTR SS:[ESP]
00401005 |. E8 00000000 CALL pgtest.0040100A
0040100A |$ 5D POP EBP
0040100B |. 81ED 0A104000 SUB EBP,pgtest.0040100A ; ???????
00401011 |. 83BD 78174000 >CMP DWORD PTR SS:[EBP+401778],0
00401018 |. 75 16 JNZ SHORT pgtest.00401030
0040101A |. C785 70174000 >MOV DWORD PTR SS:[EBP+401770],0
00401024 |. 8D85 E01C4000 LEA EAX,DWORD PTR SS:[EBP+401CE0]
0040102A |. 8985 74174000 MOV DWORD PTR SS:[EBP+401774],EAX
00401030 |> 8B85 70174000 MOV EAX,DWORD PTR SS:[EBP+401770]
00401036 |. 50 PUSH EAX
00401037 |. 8B85 74174000 MOV EAX,DWORD PTR SS:[EBP+401774]
0040103D |. 50 PUSH EAX
0040103E |. 8D85 32174000 LEA EAX,DWORD PTR SS:[EBP+401732]
00401044 |. 50 PUSH EAX
00401045 |. 64:FF35 000000>PUSH DWORD PTR FS:[0]
0040104C |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00401053 |. BE 00000000 MOV ESI,0
00401058 |. 8B06 MOV EAX,DWORD PTR DS:[ESI]   ; ----> 读 DS:[00000000]（ESI=0）触发访问违例，OD 在此停住；此时 EAX=00401732 正是 0040103E 处 LEA 取到的 SEH 处理函数（SEH1）地址
0040105A |. 64:8F05 000000>POP DWORD PTR FS:[0]
00401061 |. 83C4 04 ADD ESP,4
00401064 |. 83BD 78174000 >CMP DWORD PTR SS:[EBP+401778],0
0040106B |. 74 11 JE SHORT pgtest.0040107E

。。。。。。。。。

----------------
.code
host_start:

vstart:
   
; --- Entry: relocatable (delta-addressed) code -----------------------------
; Every data reference below is written X[ebp]: ebp holds the difference
; between the address this code actually runs at and the address it was
; assembled for, so the same bytes work wherever they have been placed.
xor ebx,ebx
mov ebx,[esp]; ebx = return address on top of the stack (not referenced again in the visible lines)
call nstart
nstart: 
pop ebp                          ; ebp = runtime address of nstart
sub ebp,offset nstart;           ; ebp = runtime - assembled address (relocation delta)
;---------------------------------------
; Record where control has to go afterwards. When now[ebp] is 0 there is
; no saved host entry point yet: store image base 0 and the address of
; vend instead. (What `now` means exactly is not visible here -- presumably
; a "first run / not yet attached to a host" flag; confirm against the
; data definitions.)
;---------------------------------------
cmp now[ebp],0
jnz gonext
;
mov Old_ImageBase[ebp],0h
lea eax,vend[ebp]                ; eax = runtime address of vend
mov Old_AddressOfEntryPoint[ebp],eax

gonext:
; Push the saved image base and entry point. Both dwords are still on the
; stack when ExecuteHere is reached below (only the SEH record is popped
; there), so they are presumably consumed further down, outside this view.
mov eax,Old_ImageBase[ebp]
push eax
mov eax,Old_AddressOfEntryPoint[ebp]
push eax

; --- Install a frame-based SEH record on the stack -------------------------
; After the two pushes: [esp] = previous fs:[0], [esp+4] = SEH1, i.e. an
; EXCEPTION_REGISTRATION {prev, handler}. fs:[0] is then pointed at it, so
; the next exception in this thread is dispatched to SEH1 first.
ASSUME FS:NOTHING
lea eax,SEH1[ebp]                ; eax = runtime address of the handler
push eax
push fs:[0]  
  mov fs:[0],esp  
; Deliberate fault: read address 0 to raise an access violation. SEH1
; rewrites the exception CONTEXT so the thread resumes at ExecuteHere --
; the real control flow runs through the exception path, not the next
; instruction. Debugger note: OllyDbg stops on this instruction with the
; first-chance exception; break on SEH1 (or on ExecuteHere) and pass the
; exception to the program (Shift+F9) to follow it.
mov esi,0
mov eax,[esi]; deliberate error for SEH: forces dispatch to the handler, which resumes execution at ExecuteHere (this is where the debugger stops)


ExecuteHere:
; Resumed here by SEH1 with ecx = 20 (set in the handler's CONTEXT edit;
; its consumer is not in the visible lines). Tear down the SEH record:
; restore the previous handler and drop the pushed handler address.
pop fs:[0] ; fs:[0] = previous handler
  add esp,4                      ; discard the SEH1 pointer pushed above

; First run (now == 0) goes straight to EncryptStart; otherwise edi is
; loaded with its runtime address for whatever follows (cut off below).
cmp now[ebp],0

jz EncryptStart

lea edi , EncryptStart[ebp]  

。。。。。。。。
。。。。。。。
;-----------------------------------------------------------------------
; SEH1 -- frame-based SEH handler installed by vstart (record at fs:[0]).
; Called by the OS exception dispatcher with
;   (pExcept, pFrame, pContext, pDispatch).
; It does not look at the exception at all: it patches the thread CONTEXT
; so the faulting thread resumes at ExecuteHere with ecx = 20, then returns
; ExceptionContinueExecution (0). Any exception raised while this frame is
; installed is therefore swallowed and redirected, not only the intended
; read of address 0.
; NOTE(review): ExecuteHere is taken as an absolute (assemble-time) address
; here, unlike the ebp-relative X[ebp] references used in vstart; if this
; code runs relocated, the resumed EIP is not adjusted -- confirm how the
; delta is meant to reach the handler.
; NOTE(review): on images linked with /SAFESEH the dispatcher only accepts
; handlers listed in the image's handler table, so SEH1 would have to be
; registered there (not verifiable from this listing).
; NOTE(review): `Assume eax:ptr CONTEXT` stays in effect past `endp`; an
; `Assume eax:nothing` after the last field access would keep it from
; leaking into the code that follows.
;-----------------------------------------------------------------------
SEH1 proc uses ebx pExcept:DWORD,pFrame:DWORD,pContext:DWORD,pDispatch:DWORD

   
  mov eax,pContext               ; eax -> CONTEXT captured at the fault
Assume eax:ptr CONTEXT
  mov [eax].regEcx,20            ; resumed code sees ecx = 20 (consumer not visible here)
  lea ebx, ExecuteHere           ; ebx = address to resume at (absolute, see note above)
  mov [eax].regEip,ebx           ; redirect: the fault "returns" to ExecuteHere
mov eax,0 ; eax = ExceptionContinueExecution: dispatcher restores the patched CONTEXT
ret  

SEH1 endp
EncryptEnd:
 

------解决方案--------------------------------------------------------
这段代码是故意触发一个异常（mov eax,[esi] 且 esi=0，读地址 0 产生访问违例），再由事先通过 fs:[0] 安装的 SEH 处理函数接管执行——真正的控制流走的是异常处理路径，而不是出错指令的下一条。

这里的异常处理函数就是 SEH1（对应反汇编里 0040103E 处 LEA 取到的地址 00401732），在 SEH1 上下断点试试（OD 中可用 View → SEH chain 查看当前链上的处理函数地址）。当 OD 在 00401058 停在第一次异常时，按 Shift+F9 把异常交给程序处理，就会断在 SEH1；SEH1 把 CONTEXT 里的 EIP 改成 ExecuteHere 后继续执行，所以在 ExecuteHere 处下断点同样可以接着跟下去。