HooK GetModuleHandleA 脫殼輔助工具

我們都知道，標準的 Delphi 程序一開始必定會調用 GetModuleHandleA 這個函數。很多殼都對 OEP 附近做了處理——例如運行過後把代碼清除、偷取代碼等等。我們只要 Hook 這個函數，在程序調用它的時候讓程序暫停下來，這時殼多半還沒有完成代碼清除之類的動作，dump 出來的代碼就是完整的，或者至少是可分析的。當然，這個工具很容易改成 Hook 其他函數。下面給出代碼，大家自己研究好了。
unit Unit1;
interface
uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, Grids;
type
  { The hooking DLL's only window.  Component names are bound by name to
    Unit1.dfm, so they must stay as they are.  lbl1/lbl2 are the static
    'ESP->' / 'EBP->' captions, StringGrid1 is the two-column Address/Value
    stack dump that Transact fills, and btn1 re-runs Hook on click (FormShow
    has already run it once when the form first appears). }
  TForm1 = class(TForm)
    lbl1: TLabel;
    lbl2: TLabel;
    StringGrid1: TStringGrid;
    btn1: TButton;
    procedure btn1Click(Sender: TObject);
    procedure FormShow(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;
var
  Form1: TForm1;
  { Everything below is process-wide global state, written from whichever
    thread happens to call the patched GetModuleHandleA.  None of it is
    thread-safe or reentrant (see HGetmoduleHandleA). }
  _kernel32hwnd:cardinal;   // module handle of the real kernel32.dll, then overwritten with the address of its GetModuleHandleA (see Hook)
  _oldPage:Cardinal;        // previous page protection handed back by VirtualProtect
  _hgetadr:cardinal;        // address of HGetmoduleHandleA, the detour the 7-byte patch jumps to
  _modulehwnd:Cardinal;     // not referenced anywhere in this unit
  __modulehwnd:Cardinal;    // GetModuleHandleA inside the second, renamed kernel32 copy; the detour tail-jumps here
  __kernel32hwnd:cardinal;  // module handle of that renamed copy (loaded from C:\HooKDLLs\_kernel32.dll)
  _esp,_ebp:Cardinal;       // ESP/EBP snapshot taken on entry to the detour; Transact walks the stack through _esp
  _msgnum:Cardinal;         // per-hit counter shown in the MessageBox each time the detour fires
procedure Hook;             // installs the patch; exported by the library project
implementation
{$R *.dfm}
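procedure Transact;
{ Dumps the 101 dwords on the hooked thread's stack, starting at the caller's
  return address, into Form1.StringGrid1 and then blocks in a MessageBox so
  the process can be attached to or dumped while the packer has not yet run
  its post-OEP cleanup.

  Reads the globals _esp (ESP captured by HGetmoduleHandleA right after its
  pushad/pushfd, so +36 skips the eight saved registers and EFLAGS) and
  _msgnum (shown as the message text, then incremented).

  Runs on whatever thread called GetModuleHandleA, not on the VCL thread, so
  the grid writes are unsafe in a multithreaded target, and the globals are
  clobbered if two threads hit the hook at once.  The stack read itself is
  unguarded: 440 bytes above the captured ESP are assumed to be mapped. }
const
  WordCount = 101;   // dwords displayed (the original loop ran 0..100)
  SkipBytes = 36;    // pushfd (4) + pushad (32) pushed by the detour before _esp was captured
var
  I: Cardinal;
  Addr: Cardinal;
  Grid: TStringGrid;
begin
  Grid := Form1.StringGrid1;
  // The .dfm declares RowCount = 50 but the loop fills rows 1..101.  Cells[]
  // writes past RowCount are not bounds-checked in the VCL versions I know
  // (at best invisible, at worst they corrupt the grid's storage), so grow
  // the grid first.
  if Grid.RowCount < WordCount + 1 then
    Grid.RowCount := WordCount + 1;
  Grid.Cells[0,0]:='Address';
  Grid.Cells[1,0]:='Value';
  for I := 0 to WordCount - 1 do
  begin
    Addr := _esp + I*4 + SkipBytes;
    Grid.Cells[0, I+1] := IntToHex(Addr, 8);
    // Plain typed-pointer read instead of the original inline-asm load;
    // same address, same value.
    Grid.Cells[1, I+1] := IntToHex(PCardinal(Addr)^, 8);
  end;
  MessageBox(0, PChar(inttohex(_msgnum,8)), '警告', MB_OK + MB_ICONINFORMATION);
  _msgnum:=_msgnum+1;
end;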
procedure HGetmoduleHandleA;
{ Detour that the 7-byte patch written by Hook redirects kernel32!GetModuleHandleA
  to.  It snapshots the caller's registers, lets Transact inspect the stack,
  restores everything and tail-jumps into the *unpatched* GetModuleHandleA of
  the second kernel32 copy (__modulehwnd), so the original call still completes
  with the caller's own arguments and return address.

  Must be entered with ESP exactly as the caller left it (return address at
  [esp]); the +36 offset used by Transact depends on that.  NOTE(review): this
  also assumes the compiler emits no stack frame for this procedure -- with a
  push ebp / mov ebp,esp prologue every offset would be off by 4, and the final
  jmp skips the matching epilogue.  Confirm in the disassembly of the built DLL.

  Not reentrant: _esp/_ebp are globals, and nothing stops a GetModuleHandleA
  call made from inside Transact (VCL, MessageBox) from landing here again. }
label _label1;   // declared but never used
begin
  asm
    pushad;              // save all eight GPRs (32 bytes)
    pushfd;              // save EFLAGS (4 bytes)
    mov _esp,esp;        // _esp -> saved EFLAGS; caller's return address is at _esp+36
    mov _ebp,ebp;
    pushad;              // four extra register dumps that are never popped;
    pushad;              // presumably just to push ESP further down before the
    pushad;              // call -- ESP is restored from _esp below, so they are
    pushad;              // simply discarded
    call transact;       // plain Delphi procedure: may clobber registers, hence the restores
    mov ebp,_ebp;
    mov esp,_esp;        // drop the four extra pushads and anything Transact left behind
    popfd;
    popad;
    jmp __modulehwnd;    // BASM treats the variable as a memory operand: jmp dword ptr [__modulehwnd]
  end;
end;
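procedure Hook;
{ Overwrites the first 7 bytes of kernel32!GetModuleHandleA in this process
  with `mov eax, @HGetmoduleHandleA; jmp eax` (B8 imm32 FF E0), so every
  caller lands in the detour.  The original bytes are not saved; instead the
  detour forwards to the GetModuleHandleA of a second, renamed copy of
  kernel32 (C:\HooKDLLs\_kernel32.dll) whose code is untouched.

  Side effects: loads that DLL (one extra module reference per call -- both
  FormShow and btn1Click call Hook), rewrites kernel32's code page, and
  updates the globals _kernel32hwnd, __kernel32hwnd, __modulehwnd, _hgetadr
  and _oldPage.  Does nothing if the renamed copy or either export cannot
  be resolved, since a detour forwarding to address 0 would crash the target
  on its next GetModuleHandleA call.

  NOTE(review): the renamed copy must be the very same build as the kernel32
  already mapped in the target, and whoever can write C:\HooKDLLs\ controls
  code that runs inside the target -- treat that path as a trust boundary.
  The 7 bytes are written with four separate stores, so a thread executing
  GetModuleHandleA at that instant can still see a half-written instruction. }
const
  PatchLen = 7;   // B8 xx xx xx xx FF E0
var
  Target: Pointer;
  Dummy: Cardinal;
begin
  _kernel32hwnd:=LoadLibrary('kernel32.dll');
  __kernel32hwnd:=LoadLibrary('C:\HooKDLLs\_kernel32.dll');
  if __kernel32hwnd = 0 then
  begin
    MessageBox(0, 'Cannot load C:\HooKDLLs\_kernel32.dll; hook not installed', 'Hook', MB_OK + MB_ICONERROR);
    Exit;
  end;
  __modulehwnd:=Cardinal(GetProcAddress(__kernel32hwnd,'GetModuleHandleA'));
  _kernel32hwnd:=Cardinal(GetProcAddress(_kernel32hwnd,'GetModuleHandleA'));
  if (__modulehwnd = 0) or (_kernel32hwnd = 0) then
  begin
    MessageBox(0, 'GetModuleHandleA not found; hook not installed', 'Hook', MB_OK + MB_ICONERROR);
    Exit;
  end;
  _hgetadr:=Cardinal(@HGetmoduleHandleA);
  Target := Pointer(_kernel32hwnd);
  // The page must stay executable while it is rewritten: another thread may
  // be inside GetModuleHandleA right now, and under DEP a PAGE_READWRITE
  // code page faults on the next fetch.
  if not VirtualProtect(Target, PatchLen, PAGE_EXECUTE_READWRITE, _oldPage) then
    Exit;
  PByte(_kernel32hwnd)^ := $B8;               // mov eax, imm32
  PCardinal(_kernel32hwnd + 1)^ := _hgetadr;  //   imm32 = detour address (little-endian)
  PByte(_kernel32hwnd + 5)^ := $FF;           // jmp eax
  PByte(_kernel32hwnd + 6)^ := $E0;
  VirtualProtect(Target, PatchLen, _oldPage, Dummy);
  // Harmless on x86 but required by the API contract after self-modifying code.
  FlushInstructionCache(GetCurrentProcess, Target, PatchLen);
end;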
procedure TForm1.btn1Click(Sender: TObject);
{ Manual re-trigger.  FormShow has normally installed the hook already;
  running Hook again rewrites the same 7 bytes (harmless) but also loads
  C:\HooKDLLs\_kernel32.dll once more, i.e. one extra module reference per click. }
begin
  Hook;
end;
procedure TForm1.FormShow(Sender: TObject);
{ Installs the GetModuleHandleA patch as soon as the form becomes visible,
  which happens right after the library's initialisation code calls form1.Show. }
begin
  hook;
end;
end.
/////////////////////////////
library hying7xUpK;
{ Injectable DLL project.  Unit1's Hook is exported so an injector can call it
  after loading the DLL; the form is created and shown in the initialisation
  code below, and its OnShow handler installs the hook immediately.
  NOTE(review): a Delphi library's begin..end block runs from the DLL entry
  point, i.e. under the loader lock; creating and showing a VCL window there
  is a known source of deadlocks and may not work in every target process.
  Deferring the Create/Show to the exported Hook would avoid that. }
uses
  Windows,
  Unit1 in 'Unit1.pas' {Form1};
{$R *.res}
exports HooK;
begin
  // Form1 has not been assigned yet, so the owner passed here is nil and the
  // form is never freed explicitly.
  Form1:=TForm1.Create(form1);
  form1.Show;   // fires TForm1.FormShow, which calls Hook
end.
/////////////////////////////
object Form1: TForm1
  Left = 525
  Top = 164
  BorderIcons = [biSystemMenu, biMinimize]
  BorderStyle = bsSingle
  Caption = 'Form1'
  ClientHeight = 533
  ClientWidth = 664
  Color = clBtnFace
  Font.Charset = DEFAULT_CHARSET
  Font.Color = clWindowText
  Font.Height = -11
  Font.Name = 'MS Sans Serif'
  Font.Style = []
  OldCreateOrder = False
  OnShow = FormShow
  PixelsPerInch = 96
  TextHeight = 13
  object lbl1: TLabel
    Left = 456
    Top = 24
    Width = 30
    Height = 12
    Caption = 'ESP->'
    Font.Charset = ANSI_CHARSET
    Font.Color = clWindowText
    Font.Height = -12
    Font.Name = #23435#20307
    Font.Style = []
    ParentFont = False
  end
  object lbl2: TLabel
    Left = 456
    Top = 224
    Width = 30
    Height = 12
    Caption = 'EBP->'
    Font.Charset = ANSI_CHARSET
    Font.Color = clWindowText
    Font.Height = -12
    Font.Name = #23435#20307
    Font.Style = []
    ParentFont = False
  end
  object StringGrid1: TStringGrid
    Left = 493
    Top = 0
    Width = 171
    Height = 241
    ColCount = 2
    Ctl3D = True
    DefaultRowHeight = 16
    FixedCols = 0
    RowCount = 50
    Font.Charset = ANSI_CHARSET
    Font.Color = clWindowText
    Font.Height = -12
    Font.Name = #23435#20307
    Font.Style = []
    Options = [goFixedVertLine, goFixedHorzLine, goVertLine, goHorzLine, goRangeSelect, goDrawFocusSelected, goRowSizing, goColSizing, goEditing, goTabs]
    ParentCtl3D = False
    ParentFont = False
    ScrollBars = ssVertical
    TabOrder = 0
    ColWidths = (
      74
      77)
  end
  object btn1: TButton
    Left = 16
    Top = 16
    Width = 121
    Height = 33
    Caption = 'HoOk'
    TabOrder = 1
    OnClick = btn1Click
  end
end
/////////////////////
注入的方法請自己想辦法（本文不提供注入器）；
需要把系統的 kernel32.dll 複製一份並改名為 _kernel32.dll。注意：上面 Hook 過程裡 LoadLibrary 寫死的路徑是 C:\HooKDLLs\_kernel32.dll，而不是被注入程序的目錄，兩者必須一致（以代碼中的路徑為準，或自行修改）。另外這份拷貝必須與目標進程實際載入的 kernel32.dll 版本完全相同，否則跳轉到拷貝中的 GetModuleHandleA 可能出錯；能寫入該目錄的人也就能把自己的代碼載入目標進程。
大家其實一看代碼就知道，我也不多說了。希望對大家有用，讓脫殼越來越簡單；這也是從另外一種思路去理解殼——不一定要分析殼的代碼才能脫殼。
 