Simulated tracing unpacking method
1. Simulated tracing
1.1 Introduction to simulated tracing
The key word in "simulated tracing" is simulated: the debugger, rather than you, performs the repeated F7 (step into) or F8 (step over).
Recall that the most brute-force way to unpack manually is to step over every call with F8, and if the program runs away on some call, restart and step into that call with F7 instead.
Often the dumbest method is the best one. The principle was already stated: once the shell code has finished executing, it always jumps to the OEP, so single-stepping it will eventually land you there.
There are many ways to reach the OEP, but they all come down to modifying EIP (a jmp, or push + ret).
Simulated tracing is the debugger imitating this manual stepping, plus a conditional breakpoint that stops the trace. That conditional breakpoint, and the idea behind it, is what we study here.
There are many variants online, and we usually know only one or two of them; here I explain the underlying principle.
Once the principle is understood, it does not matter which debugger we use.
A commonly published variant is the memory image method combined with simulated tracing.
1.2 The principle of simulated tracing
What we really learn with simulated tracing is how to set the condition of the conditional breakpoint, so that the debugger steps into or over instructions by itself. So how should the condition be set?
Consider this: after the shell code has executed, it always jumps to the OEP, and it is a big jump.
That jump modifies EIP, so our conditional breakpoint focuses on EIP.
Open a program and look at its memory map.
Here is the table for the sample:
Base address | Size | Section / image name
---|---|---
0x00400000 | 0x1000 | dxpack.exe
0x00401000 | 0x4000 | .text
0x00405000 | 0x1000 | .data
0x00406000 | 0x5000 | .idata
0x0040C000 | 0x1000 | .reloc
0x0040D000 | 0x1000 | .dxpack
Note that the last section, .dxpack, is the shell code's own section; its base address is 0x0040D000.
So how do we set up the conditional breakpoint?
Set it to break when EIP < 0x0040D000. Why "<"?
1. When unpacking, the stub ends with a big jump straight from the 0x0040D000 region to the OEP in the .text section, and the base address plus size of .text is clearly below 0x0040D000.
2. Why compare against the .text section? Because the OEP lives in the code area. Anyone familiar with the PE format knows that .text holds our OEP: the original program's code executes from the OEP, and whatever the shell does, it finally jumps there. Hence the condition is EIP < (base address of the shell's own section).
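As an added example (not code from the article), the following Python model builds the breakpoint condition from the section table above and then simulates the trace over a constructed list of EIP values. It also shows a refinement the article's rule implies: since the OEP lies in .text, checking that EIP is inside .text avoids a false stop if the stub runs code it placed in another low section such as .data. The section list is taken from the article's table; the EIP trace and the routine in .data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

@dataclass(frozen=True)
class Section:
    name: str
    base: int  # virtual address where the section is mapped
    size: int  # virtual size

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

# Memory map from the article's table for dxpack.exe; the packer's own
# section (.dxpack) is the last one and holds the shell code.
DXPACK_SECTIONS: List[Section] = [
    Section(".text", 0x00401000, 0x4000),
    Section(".data", 0x00405000, 0x1000),
    Section(".idata", 0x00406000, 0x5000),
    Section(".reloc", 0x0040C000, 0x1000),
    Section(".dxpack", 0x0040D000, 0x1000),
]

def shell_section(sections: Iterable[Section]) -> Section:
    # The packer appends its stub after the original sections, so the
    # shell is the section with the highest base address.
    return max(sections, key=lambda s: s.base)

def naive_condition(sections: List[Section]) -> str:
    # The article's rule as a debugger condition string.
    return f"EIP < 0x{shell_section(sections).base:08X}"

def naive_hit(eip: int, sections: List[Section]) -> bool:
    # Article's rule: stop once EIP drops below the shell section.
    return eip < shell_section(sections).base

def text_hit(eip: int, sections: List[Section]) -> bool:
    # Refined rule: the OEP lies in .text, so stop only when EIP is inside
    # the code section; a stub routine running from .data does not count.
    text = next(s for s in sections if s.name == ".text")
    return text.contains(eip)

def first_break(trace: Iterable[int], sections: List[Section],
                rule: Callable[[int, List[Section]], bool]) -> Optional[int]:
    # Simulate the debugger stepping through `trace` until `rule` holds.
    return next((eip for eip in trace if rule(eip, sections)), None)

# Constructed EIP trace: the stub runs in .dxpack, calls a kernel32 API
# (high address, never below the shell base), runs a short routine it
# copied into .data, and finally makes the big jump to the OEP in .text.
SAMPLE_TRACE = [0x0040D000, 0x0040D012, 0x7C80B5E3, 0x0040D020, 0x00405010, 0x0040D040, 0x00401234]
```

With the naive rule the simulated trace stops early at 0x00405010 in .data, while the .text rule stops at the real OEP 0x00401234; the exact condition syntax (hex prefix, register name) depends on the debugger you type it into.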
1.3 The memory image method combined with simulated tracing
First, why is the memory image method combined with simulated tracing? Simulated tracing is just the debugger stepping into or over automatically according to the condition you set. If we already knew where the shell code ends, would we still trace it? Not at all; we are only looking for the OEP. So the trace keeps going (F7 / F8), and the memory image method simply gives the trace a starting point.
Tracing from that starting point reaches your conditional breakpoint faster.
Of course, if you don't want a starting point you can start the conditional trace directly at the entry point; it is only a matter of time, that is, of speed.
2. Use of debugging tools
2.1 Tracing in x64dbg
In the trace dialog (screenshot not reproduced here), enter the condition and click once; x64dbg then traces automatically until the condition holds.
2.2 Use of OllyDbg
Both OllyDbg and x64dbg can also set this up quickly from the command line, and both integrate tracing in the debugger interface, so choose whichever you prefer.
In OllyDbg you must first set the condition (Ctrl+T), then use Trace over (Ctrl+F12) or Trace into (Ctrl+F11).
3. Summary
In summary:
Simulated tracing is the debugger emulating F7 / F8. The important part is the conditional breakpoint, whose principle is that the OEP lies in the .text section.
EIP will eventually jump into the .text section, and the .text section lies below the shell code, so the condition is EIP < shell code base address.