Unpacking -> The principle of the simulated tracing unpacking method

Simulated tracing unpacking method

1. Simulated tracing

1.1 Introduction to simulated tracing

The core of simulated tracing is that the debugger does the single-stepping for you: a trace replaces the manual F7 (step into) and F8 (step over) key presses.

Recall the dumbest manual unpacking method: step over every call with F8; if the program runs away (that call never returned control to the debugger), restart and step into that call with F7 instead.

But the dumbest method is often the best one. The principle has already been stated: after the shell code finishes executing it always jumps to the OEP (original entry point), so if you keep stepping you will get there.

There are many ways to transfer control to the OEP, but they all come down to modifying EIP (push + ret, jmp, and similar).

Simulated tracing reproduces this manual stepping in the debugger, stopping at a conditional breakpoint you set. So what we mainly study here is that conditional breakpoint and the idea behind it.

There are many variants on the internet, and we usually only know one or another; here is the principle, so that you can fill in the rest yourself.

If the principle is understood, it doesn't matter which debugger we use.

The memory map method combined with simulated tracing (as usually described online)

1.2 The principle of simulated tracing

In learning the simulated tracing method, what we are really learning is how to set the conditional breakpoint that lets the trace step into or step over automatically. So how should the condition be set?

Think about this: after the shell code finishes executing it always jumps to the OEP, and that jump is a big one, across sections.

That jump modifies EIP, so our conditional breakpoint focuses on EIP.

We just open a program and look at its memory map.

First, the memory map of the sample program, dxpack.exe (a packed test binary), as a table:

Base        Size     Section (image) name
0x00400000  0x1000   dxpack.exe (PE header)
0x00401000  0x4000   .text
0x00405000  0x1000   .data
0x00406000  0x5000   .idata
0x0040C000  0x1000   .reloc
0x0040D000  0x1000   .dxpack

Note that the last section, .dxpack, is the shell's own section; its base address is 0x0040D000.

So how do we set the conditional breakpoint?

Set it to break when EIP < 0x0040D000. Why "less than"?

1. When the shell finishes it makes a big jump straight from the .dxpack section at 0x0040D000 to the OEP in the .text section, and .text (base 0x00401000, size 0x4000, so it ends at 0x00405000) lies entirely below 0x0040D000.

2. Why compare against .text? Because the OEP is in the code section. Anyone familiar with the PE format knows that the OEP, where the original program's own code starts executing, lives in .text, and whatever the shell does it finally jumps there. So the condition is EIP < base address of the shell's own section. Two caveats a practitioner should keep in mind: this simple "less than" form only works because the packer appended its section at the highest address in the image; if the shell section were not the highest, the condition would have to be "EIP outside the shell section" instead. And the trace should step over calls rather than into them, so that the condition is first satisfied by the jump to the OEP and not by some system DLL code the shell calls on the way.
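As an added example (not code from the original post or from the dxpack packer), the following Python script derives that break condition from a PE file's section table instead of reading it off the debugger's memory map. The PE image it parses is constructed inline to mirror the table above (headers only, no real code), the function names are my own, and it also emits the general "EIP outside the shell section" form for the case where the packer's section is not the highest one.

```python
"""Derive the simulated-tracing break condition from a PE's section table.

Added example: builds a header-only PE32 image that mirrors the section
layout of dxpack.exe from the table above (constructed data, not the real
file), parses the section headers back, and prints the EIP condition.
"""
import struct

PAGE = 0x1000

# Constructed layout (name, RVA, virtual size) taken from the table above.
SAMPLE_SECTIONS = [
    (".text",   0x1000, 0x4000),
    (".data",   0x5000, 0x1000),
    (".idata",  0x6000, 0x5000),
    (".reloc",  0xC000, 0x1000),
    (".dxpack", 0xD000, 0x1000),   # the packer's own section, holds the EP
]


def build_sample_pe(sections, entry_rva, image_base=0x00400000):
    """Build a minimal PE32 image: DOS stub, COFF header, optional header,
    section table. Only the fields parse_sections() reads are filled in."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)         # ImageBase
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, rva, 0, 0, 0, 0, 0, 0, 0x60000020)
        for name, rva, vsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return (entry_point_va, [(name, base_va, size_rounded_to_page), ...])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled (PE32+ has a 64-bit ImageBase)")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        name, vsize, rva = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        size = -(-vsize // PAGE) * PAGE          # debugger memory maps show page-rounded sizes
        sections.append((name.rstrip(b"\0").decode(), image_base + rva, size))
    return image_base + entry_rva, sections


def trace_condition(entry, sections):
    """Locate the section holding the packer's entry point and return
    (shell_section, simple_condition, general_condition).

    simple_condition is the article's 'EIP < shell base' form; it is only
    valid when the shell section is the highest-addressed one, otherwise
    None. general_condition fires whenever EIP leaves the shell section."""
    shell = next((s for s in sections if s[1] <= entry < s[1] + s[2]), None)
    if shell is None:
        raise ValueError("entry point lies outside every section")
    name, base, size = shell
    highest = max(sections, key=lambda s: s[1])
    simple = f"eip < {base:#x}" if highest is shell else None
    general = f"eip < {base:#x} || eip >= {base + size:#x}"
    return shell, simple, general


if __name__ == "__main__":
    pe = build_sample_pe(SAMPLE_SECTIONS, entry_rva=0xD000)
    entry, sections = parse_sections(pe)
    for name, base, size in sections:
        print(f"{base:#010x} {size:#07x} {name}")
    shell, simple, general = trace_condition(entry, sections)
    print(f"entry point {entry:#x} is in {shell[0]}")
    print("x64dbg trace-over condition:", simple or general)
```

The printed condition uses x64dbg's expression syntax (register name, 0x-prefixed hex, `||`); for OllyDbg drop the `0x` prefix, since it treats bare numbers as hexadecimal. Either form should be used with trace over, not trace into: the general form in particular is satisfied by any address outside the shell section, including the system DLLs the shell calls, so stepping into those calls would stop the trace too early.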

1.3 The memory map method combined with simulated tracing

First, why the memory map method is combined with simulated tracing. Simulated tracing is just the debugger stepping into or over automatically until the condition you set is met. If we already know where the shell code is, do we still need to trace through all of it? Not at all: we are only looking for the OEP. The trace keeps doing the F7/F8 work, and the memory map method simply provides a starting point for it.

Starting the trace from that point reaches your breakpoint, the conditional one, faster.

Of course, if you don't want to pick a starting point, you can start the conditional trace directly at the entry point; it is only a matter of time, the difference is speed.

2. Using the debugging tools

2.1 Tracing with x64dbg

In x64dbg, open the trace dialog (the original post shows it as a screenshot), enter the break condition and start the trace; the debugger then steps automatically until the condition holds. The same can be done from the command line: tocnd eip<0x40D000 traces over calls until the condition becomes true (ticnd is the trace-into variant).

2.2 Tracing with OllyDbg

Both OllyDbg and x64dbg can be set up quickly with commands, and both have tracing built into the debugger interface, so either can be used.

In OllyDbg you must first set the condition (Ctrl+T, "Condition to pause run trace", for example EIP < 40D000; OllyDbg treats bare numbers as hexadecimal), and only then run trace over (Ctrl+F12) or trace into (Ctrl+F11).

3. Summary

In summary:

Simulated tracing is the debugger emulating F7/F8. The important thing is the conditional breakpoint, and the principle behind it is that the OEP lies in the .text section.

EIP will eventually jump into the .text section, and .text sits at a lower address than the shell code, so the condition is EIP < shell code base address.


Origin www.cnblogs.com/iBinary/p/12683394.html