admin posted on 2022-11-26 20:19:53

Repost: [Knowledge Sharing] Malware Sample Analysis Handbook: Common Methods

<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">An illustrated guide to the common methods of malware sample analysis; the distance between you and a security expert is just one article!</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:18.0pt;">File identification</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">The common executable formats are PE, ELF and Mach-O. Each format has its own identifying header fields (see the theory chapter), and the analysis method and tools can only be chosen once the target file's format is known.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">Load the executable in a hex editor and look at the header bytes to see which type of file it is.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="179" src="https://www.2k8.org/content/uploadfile/202211/26/1a955df4.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="center" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:center;text-justify:inter-ideograph;vertical-align:baseline;">
        <i><span style="border:none windowtext 1.0pt;color:#777777;font-family:inherit,serif;padding:0cm;">Figure: PE file format</span></i>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="143" src="https://www.2k8.org/content/uploadfile/202211/26/1b632f65.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="center" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:center;text-justify:inter-ideograph;vertical-align:baseline;">
        <i><span style="border:none windowtext 1.0pt;color:#777777;font-family:inherit,serif;padding:0cm;">Figure: ELF file format</span></i>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">The first bytes of a binary are the format's magic value: a PE file starts with the two bytes "MZ" and stores the offset of its "PE\0\0" signature at offset 0x3C, an ELF file starts with 0x7F "ELF", and a Mach-O file starts with 0xFEEDFACE or 0xFEEDFACF (0xCAFEBABE for a fat binary). You can look the magic value up online or let a tool such as PEiD or file identify it automatically. Treat the magic as a hint rather than proof: it is trivial to forge, so confirm it against the rest of the header (for a PE, check that the "PE\0\0" signature really is at the offset stored at 0x3C).</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:18.0pt;">Static analysis</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">Static analysis is usually the first step in studying malicious code. It means examining the program's instructions and structure to work out what the program does, without running it. The following methods are commonly used:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span style="border:none windowtext 1.0pt;color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;padding:0cm;">Scanning with anti-virus engines</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">If you are not yet sure whether the target is malicious, start by scanning it with several different anti-virus engines and see whether any of them recognizes it (<a href="https://www.virscan.org/"><span style="border:none windowtext 1.0pt;color:#1EAAF1;font-family:inherit,serif;padding:0cm;">www.virscan.org</span></a>, <a href="https://www.virustotal.com/"><span style="border:none windowtext 1.0pt;color:#1EAAF1;font-family:inherit,serif;padding:0cm;">www.virustotal.com</span></a>).</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">Note: query these services by hash only (MD5, SHA-1 or SHA-256); do not upload the sample. An uploaded file is shared with every participating vendor, which can leak sensitive data contained in the sample and may tip off the attacker that their sample has been found.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="417" src="https://www.2k8.org/content/uploadfile/202211/26/8007c475.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="center" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:center;text-justify:inter-ideograph;vertical-align:baseline;">
        <i><span style="border:none windowtext 1.0pt;color:#777777;font-family:inherit,serif;padding:0cm;">Figure 35: VirusTotal detection results</span></i>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Computing hash values</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">A hash is the usual way to refer to a specific sample. Running the file through a hash algorithm yields a fixed-length value that serves as the sample's fingerprint. The algorithms commonly used are MD5, SHA-1 and SHA-256 (tools often show CRC32 as well, but that is a checksum, not a cryptographic hash). MD5 and SHA-1 both have practical collision attacks, so two different files can be made to share a hash; for that reason analysts record several hashes for a sample and use SHA-256 as the primary identifier. Keep in mind that a hash changes completely when a single byte of the file changes, so it identifies one exact file, not a malware family.</span>
</p>
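<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">The following script is an added example, not code from the handbook: it performs the magic-byte identification described under file identification (including the PE cross-check against the signature offset stored at 0x3C) and computes MD5, SHA-1, SHA-256 and CRC32 in a single pass as described in this section. The header fragments in SAMPLES are constructed by hand and are only long enough for the checks shown; the machine-type tables are abbreviated to common values.</span>
</p>

```python
import hashlib
import struct
import zlib

# Abbreviated machine tables (values from the PE/COFF and ELF specifications).
PE_MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
ELF_MACHINES = {3: "i386", 40: "ARM", 62: "x86-64", 183: "AArch64"}
MACHO_MAGICS = {
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    # 0xCAFEBABE is shared with Java class files, so the name alone is ambiguous.
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary or Java class file",
}


def identify(data: bytes) -> str:
    """Classify a file by its magic bytes. A PE is only reported when the
    'PE\\0\\0' signature is found at the offset stored at 0x3C, so a forged
    'MZ' prefix on its own is not trusted."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 26:
                machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]     # COFF Machine
                opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]  # optional header Magic
                kind = {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, "PE (unknown optional header)")
                return f"{kind} {PE_MACHINES.get(machine, hex(machine))}"
        return "MZ without a valid PE signature (DOS executable or damaged PE)"
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown class")  # e_ident[EI_CLASS]
        little = data[5] == 1                                             # e_ident[EI_DATA]
        endian = "little-endian" if little else "big-endian"
        machine = struct.unpack_from("<H" if little else ">H", data, 18)[0]  # e_machine
        return f"ELF {bits} {endian} {ELF_MACHINES.get(machine, hex(machine))}"
    if data[:4] in MACHO_MAGICS:
        return MACHO_MAGICS[data[:4]]
    if data[:2] == b"#!":
        return "script with shebang"
    return f"unknown (first bytes {data[:4].hex()})"


def fingerprint(chunks) -> dict:
    """Compute several digests in one pass over an iterable of byte chunks,
    so a large sample is read from disk only once."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    crc, size = 0, 0
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
        sha256.update(chunk)
        crc = zlib.crc32(chunk, crc)
        size += len(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "sha256": sha256.hexdigest(), "crc32": f"{crc & 0xFFFFFFFF:08x}"}


def fingerprint_file(path: str, chunk_size: int = 1 << 20) -> dict:
    with open(path, "rb") as f:
        return fingerprint(iter(lambda: f.read(chunk_size), b""))


# Constructed header fragments (not real samples): just enough bytes for identify().
SAMPLES = {
    "pe64": (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
             + b"PE\0\0" + struct.pack("<HH", 0x8664, 1) + b"\0" * 16  # COFF header, AMD64
             + struct.pack("<H", 0x20B)),                              # PE32+ optional header magic
    "elf64": b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack("<HH", 2, 62),
    "macho64": b"\xcf\xfa\xed\xfe" + b"\0" * 12,
    "forged_mz": b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"JUNK",  # MZ but no PE signature
    "script": b"#!/bin/sh\necho hello\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:10} {identify(blob):60} sha256={fingerprint([blob])['sha256']}")
```

<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">For a real file call fingerprint_file(path) and identify(open(path, "rb").read(512)); the first few hundred bytes are enough for identification, while the hashes need the whole file.</span>
</p>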
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="553" height="301" src="https://www.2k8.org/content/uploadfile/202211/26/a19e57b2.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="center" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:center;text-justify:inter-ideograph;vertical-align:baseline;">
        <i><span style="border:none windowtext 1.0pt;color:#777777;font-family:inherit,serif;padding:0cm;">Figure 36: computing file checksums</span></i>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Searching for strings</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">A string in a program is a sequence of printable characters. Programs normally contain strings such as messages printed for the user, URLs they connect to, and the names of the API functions they call. Searching through the strings is a simple way to get hints about what the program does (both IDA and OllyDbg can list them). Not every string is meaningful, but the results make static analysis considerably easier. Search for both ASCII and UTF-16LE (wide) strings: Windows programs frequently store paths, registry keys and URLs as wide strings, which a plain ASCII search misses.</span>
</p>
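<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">An added example (not from the handbook) of the string search described above: it extracts both ASCII and UTF-16LE runs from raw bytes and tags the ones that look like URLs, IP addresses, file paths, registry keys or well-known API names. The SAMPLE blob is constructed to stand in for a data section and uses reserved documentation addresses; the API watchlist is a short illustrative selection.</span>
</p>

```python
import re

# Well-known Windows API names that deserve a second look when they appear as
# plain strings: a hint that the program resolves them at run time via GetProcAddress.
SUSPICIOUS_APIS = {
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "WinExec",
    "URLDownloadToFileA", "InternetOpenA", "ShellExecuteA", "IsDebuggerPresent",
    "SetWindowsHookExA", "RegSetValueExA",
}
INDICATORS = {
    "url": re.compile(r"https?://[\w.\-/%?=&]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "path": re.compile(r"^[A-Za-z]:\\|^%[A-Za-z]+%"),
    "registry": re.compile(r"^(HKLM|HKCU|HKEY_|SOFTWARE\\|Software\\)"),
}


def extract_strings(data: bytes, min_len: int = 5):
    """Return (offset, encoding, text) for every run of at least min_len printable
    characters, either as plain ASCII or as UTF-16LE (each char followed by 0x00)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(found)


def classify(text: str):
    tags = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if text in SUSPICIOUS_APIS:
        tags.append("api")
    return tags


def triage(data: bytes, min_len: int = 5):
    """Only the strings that matched at least one indicator, with their tags."""
    hits = []
    for off, enc, text in extract_strings(data, min_len):
        tags = classify(text)
        if tags:
            hits.append((off, enc, text, tags))
    return hits


# Constructed blob standing in for a binary's data section (not a real sample):
# ASCII strings, UTF-16LE strings and some non-printable filler in between.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"CreateRemoteThread\0WriteProcessMemory\0"
    + b"http://update.example.invalid/gate.php\0\0"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\0\0"
    + b"\x17\x3b\x9a\xf2"
    + b"203.0.113.7\0\0"
    + "C:\\Users\\Public\\svchost.exe".encode("utf-16le") + b"\0\0"
    + b"ab\0"  # shorter than min_len, must not be reported
)

if __name__ == "__main__":
    for off, enc, text, tags in triage(SAMPLE):
        print(f"{off:#06x} {enc:8} {','.join(tags):10} {text}")
```

<p align="left" style="background:left;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">A wide string that directly follows an ASCII string can be picked up with a stray leading character from the ASCII run; the sample therefore terminates each ASCII string with two NUL bytes, which is also how most compilers lay out real string tables.</span>
</p>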
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="553" height="425" src="https://www.2k8.org/content/uploadfile/202211/26/6d2b3c57.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="553" height="212" src="https://www.2k8.org/content/uploadfile/202211/26/fe8d5528.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="center" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:center;text-justify:inter-ideograph;vertical-align:baseline;">
        <i><span style="border:none windowtext 1.0pt;color:#777777;font-family:inherit,serif;padding:0cm;">Figure 37: viewing string information</span></i>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Examining imported functions</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">If the program is packed, its import table contains very few functions (typically little more than LoadLibraryA and GetProcAddress, which the unpacking stub uses to rebuild the real import table at run time), so the import table is a quick indicator of packing. If the program is not packed, the import table lists most of the functions it uses (except those it resolves dynamically through GetProcAddress), and those functions give a rough picture of the program's behaviour.</span>
</p>
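<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">The following parser is an added example, not code from the handbook or from any of the tools it mentions. It walks the PE import directory by hand (DOS header, PE signature, optional header data directory, section table for RVA translation, import descriptors and thunk arrays) and applies the "few imports plus LoadLibraryA/GetProcAddress" rule of thumb from the text. Because a real binary cannot be embedded here, build_sample_pe() constructs a minimal PE32 whose only section holds an import table; the two import sets are constructed for illustration and the threshold of ten imports is an assumption.</span>
</p>

```python
import struct

PACKER_STUB_IMPORTS = {"LoadLibraryA", "GetProcAddress"}


def parse_imports(pe: bytes) -> dict:
    """Walk the PE import directory and return {dll: [function, ...]}.
    Handles PE32 and PE32+ thunk sizes and imports by ordinal."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:       # PE32: 4-byte thunks, data directories at +96
        dir_off, thunk_fmt, ordinal_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:     # PE32+: 8-byte thunks, data directories at +112
        dir_off, thunk_fmt, ordinal_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    import_rva = struct.unpack_from("<I", pe, opt + dir_off + 8)[0]   # data directory entry 1

    sections = []            # (va, size, raw offset): needed to turn RVAs into file offsets
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def to_offset(rva):
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} lies outside every section")

    def cstring(rva):
        start = to_offset(rva)
        return pe[start:pe.index(b"\0", start)].decode("ascii", "replace")

    imports = {}
    if import_rva == 0:      # no import directory at all (hand-built or heavily packed file)
        return imports
    desc, thunk_size = to_offset(import_rva), struct.calcsize(thunk_fmt)
    while True:
        lookup_rva, _, _, name_rva, iat_rva = struct.unpack_from("<5I", pe, desc)
        if name_rva == 0:    # an all-zero descriptor terminates the array
            break
        funcs, thunk = [], to_offset(lookup_rva or iat_rva)   # some linkers leave the lookup table 0
        while True:
            entry = struct.unpack_from(thunk_fmt, pe, thunk)[0]
            if entry == 0:
                break
            # Either an ordinal, or the RVA of IMAGE_IMPORT_BY_NAME (2-byte hint, then the name).
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & ordinal_flag else cstring(entry + 2))
            thunk += thunk_size
        imports[cstring(name_rva)] = funcs
        desc += 20
    return imports


def looks_packed(imports: dict, max_imports: int = 10) -> bool:
    """Rule of thumb from the text: a tiny import table that still contains the
    pair needed to resolve everything else at run time is typical of a packer stub."""
    names = {f for funcs in imports.values() for f in funcs}
    return len(names) < max_imports and PACKER_STUB_IMPORTS <= names


def build_sample_pe(imports: dict) -> bytes:
    """Constructed test input, not a real binary: a minimal PE32 whose single
    section holds nothing but an import table describing `imports`."""
    sec_rva, sec_raw = 0x1000, 0x200
    sec = bytearray(20 * (len(imports) + 1))   # descriptor array incl. terminator, filled below

    def add(data):
        rva = sec_rva + len(sec)
        sec.extend(data)
        return rva

    for i, (dll, funcs) in enumerate(imports.items()):
        name_rva = add(dll.encode() + b"\0")
        by_name = [add(struct.pack("<H", 0) + f.encode() + b"\0") for f in funcs]
        thunks = b"".join(struct.pack("<I", r) for r in by_name) + b"\0" * 4
        lookup_rva, iat_rva = add(thunks), add(thunks)
        sec[i * 20:(i + 1) * 20] = struct.pack("<5I", lookup_rva, 0, 0, name_rva, iat_rva)
    sec.extend(b"\0" * (-len(sec) % 0x200))
    dirs = b"\0" * 8 + struct.pack("<II", sec_rva, 20 * (len(imports) + 1)) + b"\0" * 112
    optional = struct.pack("<H", 0x10B) + b"\0" * 94 + dirs            # 224-byte PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(optional), 0x102)
    section_hdr = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(sec), sec_rva,
                              len(sec), sec_raw, 0, 0, 0, 0, 0xC0000040)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + optional + section_hdr
    return headers + b"\0" * (sec_raw - len(headers)) + bytes(sec)


# Constructed import sets (not taken from a real sample).
PACKED_LIKE = {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualProtect", "ExitProcess"]}
NORMAL_LIKE = {"KERNEL32.dll": ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "GetModuleHandleA",
                                "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread"],
               "WS2_32.dll": ["WSAStartup", "socket", "connect", "send", "recv"]}
```

<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">To run it on a real file, pass open(path, "rb").read() to parse_imports(); parse_imports(build_sample_pe(PACKED_LIKE)) returns the same dictionary it was built from and looks_packed() reports True for it and False for NORMAL_LIKE. The RVA-to-offset step is what makes a packed file tricky in practice: packers often leave section sizes inconsistent, which is why max(VirtualSize, SizeOfRawData) is used for the range check.</span>
</p>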
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="552" src="https://www.2k8.org/content/uploadfile/202211/26/7783c18a.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Resolving macros</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">When IDA disassembles a program it does not resolve the names of constants (macros) on its own; it simply shows the numeric values, as in the figure below:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="317" height="246" src="https://www.2k8.org/content/uploadfile/202211/26/10f2a4e7.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">The numbers alone tell you nothing. Fortunately IDA can convert them to symbolic names: right-click the number and choose Enum:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="370" height="370" src="https://www.2k8.org/content/uploadfile/202211/26/59d6e9b8.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">Then pick the matching constant in the dialog that appears.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="300" src="https://www.2k8.org/content/uploadfile/202211/26/be4a670f.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">After the replacement the code looks like this, which makes it much easier to read statically.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="373" height="248" src="https://www.2k8.org/content/uploadfile/202211/26/fa2a0397.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Packer detection</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">Malware authors frequently pack their programs to make them harder to detect and analyse. A normal program contains many strings, whereas a packed one yields very few printable strings, so a program with very few strings is probably packed, and other methods are then needed to examine its behaviour. (PEiD is the usual tool for detecting packers. It relies on signatures, so an unknown or modified packer can go unrecognized; in that case look at the section names, the entropy of each section and the size of the import table.)</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="427" height="246" src="https://www.2k8.org/content/uploadfile/202211/26/f1c1bbd0.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="center" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:center;text-justify:inter-ideograph;vertical-align:baseline;">
        <i><span style="border:none windowtext 1.0pt;color:#777777;font-family:inherit,serif;padding:0cm;">Figure 38: packer detection</span></i>
</p>
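<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">An added example (not code from the handbook or from PEiD) of the signature-independent checks mentioned above: it scores each section by its Shannon entropy, flags section names left behind by common packers, and flags a section that has no raw data but a large virtual size, which is the empty area a packer reserves for the unpacked code. The input is a list of (name, raw bytes, virtual size) tuples as read from the PE section table; SAMPLE_SECTIONS is constructed, with seeded random bytes standing in for compressed data, and the entropy threshold of 7.0 bits per byte is an assumption.</span>
</p>

```python
import math
import random

# Section names left behind by common packers (UPX, ASPack, VMProtect, Themida, MPRESS).
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".vmp0", ".vmp1", ".themida",
    ".MPRESS1", ".MPRESS2",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniformly random data.
    Compressed or encrypted sections sit close to 8.0; code and text sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packer_indicators(sections, entropy_threshold: float = 7.0):
    """sections: iterable of (name, raw_bytes, virtual_size) from the PE section
    table. Returns a list of findings; an empty list means nothing suspicious."""
    findings = []
    for name, raw, vsize in sections:
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name}: known packer section name")
        if not raw and vsize > 0:
            findings.append(f"{name}: no raw data but {vsize:#x} bytes virtual (unpacking destination)")
        ent = shannon_entropy(raw)
        if ent >= entropy_threshold:
            findings.append(f"{name}: entropy {ent:.2f} (compressed or encrypted)")
    return findings


# Constructed section table mimicking a UPX layout (not a real sample).
_rng = random.Random(20221126)  # deterministic stand-in for compressed data
SAMPLE_SECTIONS = [
    ("UPX0", b"", 0x40000),                                              # empty, large virtual size
    ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)), 0x1000),  # packed payload
    (".rsrc", b"This program cannot be run in DOS mode.\r\n" * 100, 0x1000),
]

if __name__ == "__main__":
    for finding in packer_indicators(SAMPLE_SECTIONS):
        print(finding)
```

<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">High entropy on its own is not proof of packing: a .rsrc section holding embedded PNG or ZIP data is also close to 8.0. It is the combination of findings (packer-style names, an empty destination section, a high-entropy section and a tiny import table) that makes the verdict reliable.</span>
</p>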
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:18.0pt;">Dynamic debugging</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">Debuggers play a central role in anti-virus work. A debugger lets you inspect the contents of any memory address, the registers and the arguments of every function call, and it lets you change anything about the program's execution at any moment, for instance the value of a variable, provided you know enough about that variable, including where it lives in memory. In practice the most commonly used debuggers are OllyDbg and WinDbg. OllyDbg is the one most malware analysts use; its drawback is that it cannot debug the kernel, and for kernel debugging WinDbg is essentially the only option. IDA Pro can also debug dynamically, but it is far less convenient than OllyDbg, so in practice the two are combined: when a function is too abstract to understand during static analysis in IDA Pro, executing it under OllyDbg usually makes its purpose obvious at once. See the tools chapter for how to use OllyDbg and WinDbg. Since debugging executes the malware, always do it inside an isolated, disposable virtual machine with no access to your production network.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Unpacking</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">Attackers pack executables to protect their code, make analysis harder and evade anti-virus software. This section describes how to unpack some common packers (see the file packaging chapter for background on packers).</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:12.0pt;">UPX</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">When a UPX-packed program is opened in OllyDbg the dialog below appears; choose "No". (For an unmodified UPX, running upx -d on the file restores the original directly; the manual method below is needed when the packer has been modified so that the upx tool refuses the file.)</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="486" height="195" src="https://www.2k8.org/content/uploadfile/202211/26/9d2aef82.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:12.0pt;">Single-step tracing</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">The rule of single-step tracing is: take jumps that go downwards and step over jumps that go upwards. If stepping over an upward jump makes the program run away (the debugger loses control), then the next time you reach that jump take it instead, and then continue with the same rule of taking downward jumps and ignoring upward ones.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="157" src="https://www.2k8.org/content/uploadfile/202211/26/75d8c98e.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">In the figure above, jnz is an upward jump and the instruction after it is also an upward jump, so set a breakpoint below the jmp and let the program run past both jumps. Do not use F4 (run to cursor) on the nop below, or the program will run away.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">Following this rule you soon reach the key instruction popad, which means the entry point is nearby. As the figure below shows, the jmp's target is 0x004010CC while the instruction itself sits at 0x0040EA0F: a very long jump, which indicates that 0x004010CC is the OEP. (A long jump like this usually leads straight to the program's OEP.)</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="104" src="https://www.2k8.org/content/uploadfile/202211/26/3d93f9dc.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">After the jump we arrive at the program's OEP.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="87" src="https://www.2k8.org/content/uploadfile/202211/26/5a444196.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:Helvetica,sans-serif;">Now dump the unpacked image with an OllyDbg plugin: choose "Plugins" -&gt; "OllyDump" -&gt; "Dump debugged process".</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="459" height="359" src="https://www.2k8.org/content/uploadfile/202211/26/f60a0d18.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Because the entry point address shown here is already our OEP, 10CC, no correction is needed; just click Dump. If the dumped program cannot run, it still has to be repaired. In this case the dump produced by method 1 runs and needs no repair; the dump produced by method 2 does not run, and Import REConstructor can be used to repair it. In the tool's drop-down list select the process being unpacked (here upx.exe), then change the OEP to the value we found: 0x10CC.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="554" src="https://www.2k8.org/content/uploadfile/202211/26/d136663c.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Click AutoSearch or GetImports to collect the imported functions, then click Show Invalid to list invalid entries. If there are none, click FixDump and select the dumped program to repair; a new executable named after the original with a trailing underscore is written to the same folder. If the original is xxx.exe, Import REConstructor produces xxx_.exe. Unpacking is now complete.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:12.0pt;">ESP law method</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">After the key instruction executes, the value of ESP changes!</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="107" src="https://www.2k8.org/content/uploadfile/202211/26/c1cf9504.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Right-click ESP and choose Follow in Dump.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="356" height="359" src="https://www.2k8.org/content/uploadfile/202211/26/c95d871f.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Set a hardware access breakpoint at the address held in ESP.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="415" src="https://www.2k8.org/content/uploadfile/202211/26/6093270d.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">After setting it, choose Debug -&gt; Hardware breakpoints to confirm that the hardware breakpoint was set.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="352" height="201" src="https://www.2k8.org/content/uploadfile/202211/26/79bd7853.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Press F9 to run; the program stops near the key instruction. Then remove the hardware breakpoint by clicking Delete in the dialog shown above. Once the OEP is found, dump the process as before.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="489" height="90" src="https://www.2k8.org/content/uploadfile/202211/26/01f28e9c.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:12.0pt;">Memory image method</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">First configure OD to ignore all exceptions.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="475" height="387" src="https://www.2k8.org/content/uploadfile/202211/26/9912f3fc.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">In the Memory window find the program's .rsrc section and press F2 to set a breakpoint, then press Shift+F9 to run. After it breaks, set an F2 breakpoint on the program's code section.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="360" height="278" src="https://www.2k8.org/content/uploadfile/202211/26/8186dc7c.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Press Shift+F9 to run; the program stops near the OEP.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="253" src="https://www.2k8.org/content/uploadfile/202211/26/e3a4e9ca.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">ASPack</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">An ASPack-packed file can be unpacked with the single-step tracing, ESP law and memory image methods described above. Single-step tracing is demonstrated here; the other two methods follow the same reasoning as above.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:12.0pt;">Single-step tracing</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Besides the jump rules given above, single-step tracing follows one more rule: step into near calls with F7 and step over far calls with F8. If stepping over a call makes the program run away, step into that call with F7 on the next debugging pass.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">As shown below, a call instruction is visible right after loading the program, so this function has to be stepped into and traced.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="533" height="71" src="https://www.2k8.org/content/uploadfile/202211/26/55db8675.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Then keep tracing according to the jump and call instruction rules.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="106" src="https://www.2k8.org/content/uploadfile/202211/26/cad00596.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Once tracing reaches the address shown above we are close to the OEP. This program jumps by push/ret, and the jump covers a large distance: from 0x004243BA to 0x00402360. After the jump we are at the OEP; unpack as described above.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">FSG</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:12.0pt;">Single-step tracing</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Single-step tracing through the FSG packer by the rules given earlier requires care. In this example, while stepping, the following instruction appears:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="100" src="https://www.2k8.org/content/uploadfile/202211/26/a10fbc92.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">This jump is not taken, but the program's OEP is at 0x004010CC. We can follow that address to inspect the code: right-click the address and choose Follow:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="354" height="228" src="https://www.2k8.org/content/uploadfile/202211/26/70d7b0d5.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">But the code we expect is not shown:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="157" src="https://www.2k8.org/content/uploadfile/202211/26/6598657a.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">In this case right-click and choose Analysis -&gt; Analyse code; the raw machine code is then disassembled:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="416" src="https://www.2k8.org/content/uploadfile/202211/26/ffb49d27.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="107" src="https://www.2k8.org/content/uploadfile/202211/26/60aad1b2.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:12.0pt;">ESP law method</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">When single-stepping with the ESP law method, keep watching the value of ESP. Once it changes, set a hardware access breakpoint as described above and run the program; it stops near the OEP. Single-step from there and the program's OEP is found quickly.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">FSG variant packer</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The OEP of the FSG variant is found the same way as for FSG; the difference lies in the unpacking. After locating the OEP with the FSG procedure, dump with the OD plugin; the dumped program will not run, so its import table has to be repaired. Load the target into Import REConstructor, set the OEP, and click Show Invalid; several invalid entries appear.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="419" src="https://www.2k8.org/content/uploadfile/202211/26/3989e10a.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Right-click these invalid entries and choose Cut thunks, then click Fix Dump and select the program we dumped. Even after this repair the program still does not run. Load the repaired program into OD and press F9 to run; OD breaks at the location shown below:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="526" height="180" src="https://www.2k8.org/content/uploadfile/202211/26/5c061ae6.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">First method: overwrite the int 0x13 with nop:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="460" height="79" src="https://www.2k8.org/content/uploadfile/202211/26/56f50a7b.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Second method: change the jle to jmp so the jump is always taken and int 0x13 is skipped:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="488" height="79" src="https://www.2k8.org/content/uploadfile/202211/26/ec89f52d.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">After the change, save the file and it runs. Alternatively, open the file in a hex editor, find the corresponding location, modify the bytes and save.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:18.0pt;">FSG2.0</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Combining the ESP law method with single-step tracing finds the OEP quickly, so the focus here is on repairing the dump after unpacking.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">After loading the program into Import REConstructor and clicking Get Imports, only 37 functions are listed, which is clearly abnormal, yet no invalid pointers are reported. Running Fix Dump directly still leaves the program unable to execute.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="423" src="https://www.2k8.org/content/uploadfile/202211/26/7d7a2879.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The screenshot above shows an IAT size of only 0x94, which is wrong, so the IAT has to be repaired. Two methods are introduced here. The first goes through OD: once we have reached the OEP, we see the situation shown below:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="95" src="https://www.2k8.org/content/uploadfile/202211/26/ff3e8753.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The function GetCommandLineA sits at address 0x4063E4. Locate this address in the dump window (bottom left):</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="181" src="https://www.2k8.org/content/uploadfile/202211/26/220906ed.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Walk upward from there until you hit a run of 00 bytes; that is the start of the IAT. As shown below, the start address is 0x004062E4.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="90" src="https://www.2k8.org/content/uploadfile/202211/26/566ecc7b.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Then walk downward, again looking for a run of 00 bytes, which marks the end of the IAT. The end can be seen here:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="120" src="https://www.2k8.org/content/uploadfile/202211/26/24cae2b1.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Its address is 0x00406E00.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">So the IAT size is 0x00406E00-0x004062E4=0xB1C. Next, enter the RVA and Size into Import REConstructor.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="419" src="https://www.2k8.org/content/uploadfile/202211/26/31c2c51c.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Cut the invalid function pointers, then select our unpacked program and fix the dump.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The second method is similar to the first: both require locating the IAT's RVA and entering it, but this one does not calculate the Size. Simply enter a reasonably large value, for example 0x1000. This inevitably produces many invalid function pointers; viewing the disassembly of one of them shows ReadError.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="415" src="https://www.2k8.org/content/uploadfile/202211/26/adde17f9.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">In this case, simply cut the invalid pointers.</span>
</p>
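<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">As an added example (not code from the original article), the Python below mirrors the manual walk through the OD dump window: starting from the known GetCommandLineA slot it walks up and down over a memory dump until it meets a run of zero DWORDs, then derives the RVA and Size that are typed into Import REConstructor. The dump contents, the 0x7C8xxxxx API addresses, the single-zero DLL separators and the helper names are constructed assumptions; only the addresses 0x4063E4, 0x004062E4 and 0x00406E00 come from the text.</span>
</p>

```python
import struct

# Constructed sample: a 0x1000-byte dump of the region around the IAT of the
# FSG-packed target, using the addresses from the text. API addresses are made up.
DUMP_BASE = 0x00406000
IMAGE_BASE = 0x00400000           # assumed default image base of the sample
IAT_START_VA = 0x004062E4
IAT_END_VA = 0x00406E00
GETCOMMANDLINEA_SLOT = 0x004063E4


def build_sample_dump():
    buf = bytearray(0x1000)
    for off in range(IAT_START_VA - DUMP_BASE, IAT_END_VA - DUMP_BASE, 4):
        struct.pack_into("<I", buf, off, 0x7C800000 + off)   # fake resolved API address
    # A single zero DWORD inside the IAT terminates one DLL's thunk group;
    # the next DLL's thunks follow immediately. Two such separators are constructed.
    for sep in (0x400, 0x800):
        struct.pack_into("<I", buf, sep, 0)
    return bytes(buf)


def _dword(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _zero_run(buf, off, count):
    """True if `count` consecutive DWORDs starting at `off` are all zero.
    Running off the edge of the dump also counts as a terminator."""
    if off < 0 or off + 4 * count > len(buf):
        return True
    return all(_dword(buf, off + 4 * i) == 0 for i in range(count))


def find_iat_bounds(dump, dump_base, known_slot_va, min_zero_run=2):
    """Walk up and down from one known IAT slot until a run of zero DWORDs is
    met, as done by hand in the OD dump window. A lone zero DWORD is skipped
    because it only separates one DLL's thunks from the next; a run of
    `min_zero_run` zeros is taken as the end of the table."""
    off = known_slot_va - dump_base
    if off % 4 or off < 0 or off + 4 > len(dump):
        raise ValueError("known slot is not a DWORD-aligned address inside the dump")
    if _dword(dump, off) == 0:
        raise ValueError("known slot holds no pointer")
    start = off
    while not _zero_run(dump, start - 4 * min_zero_run, min_zero_run):
        start -= 4
    end = off + 4
    while not _zero_run(dump, end, min_zero_run):
        end += 4
    return dump_base + start, dump_base + end


def imprec_values(image_base, iat_start_va, iat_end_va):
    """RVA and Size in the form entered into Import REConstructor."""
    return {"rva": iat_start_va - image_base, "size": iat_end_va - iat_start_va}


if __name__ == "__main__":
    dump = build_sample_dump()
    start, end = find_iat_bounds(dump, DUMP_BASE, GETCOMMANDLINEA_SLOT)
    print(f"IAT {start:#010x}-{end:#010x}", imprec_values(IMAGE_BASE, start, end))
```

On the constructed dump this reports the same bounds as the screenshots, 0x004062E4 to 0x00406E00, and a Size of 0xB1C; a real dump read out of OD can be passed in the same way.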
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">PECompact1.84</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">When single-step tracing through the PECompact packer you will see some upward jumps. If we set a breakpoint below one of these jumps and run, the program runs away. In that case, look above the jump for a large jump that is not taken, follow it, set a breakpoint there and run the program. With this approach the OEP is usually found quickly.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="531" height="311" src="https://www.2k8.org/content/uploadfile/202211/26/9bf8f02c.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">For example:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">There is an upward jmp; setting a breakpoint below it and running makes the program run away. Reload the program and, above this jmp, find a large jump that is not taken.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="507" height="67" src="https://www.2k8.org/content/uploadfile/202211/26/58a51476.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Follow this jump target, set a breakpoint there and run the program.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="71" src="https://www.2k8.org/content/uploadfile/202211/26/759dd0e1.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Debugging along these lines leads to the program's OEP, after which the unpacking can proceed.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">nspack</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">For the nspack packer the simplest approach is the ESP trick; the other methods described earlier also find the OEP.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Yoda</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:12.0pt;">Memory image method</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">First check the packer with PEiD; it reports a yoda 1.2 packer.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="422" height="241" src="https://www.2k8.org/content/uploadfile/202211/26/04303073.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Load the program in OD, ignore all exceptions, locate the .rsrc section in the memory map, set a breakpoint on it and run; then set a breakpoint on the code section and run again, which lands directly at the program's OEP. The hard part of this packer is the repair: after unpacking as above and loading the dump into Import REConstructor, most of the pointers turn out to be invalid.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="423" src="https://www.2k8.org/content/uploadfile/202211/26/47afba4c.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Click Show Invalid to list the invalid pointers, then right-click and choose Trace Level1 to repair them.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="423" src="https://www.2k8.org/content/uploadfile/202211/26/f541c8b1.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">After the repair, all pointers are valid.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Then select the target program and Fix Dump.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Another method is to look up each pointer individually, for example in the situation shown below:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="417" src="https://www.2k8.org/content/uploadfile/202211/26/7260100a.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Right-click the target pointer and choose the hex view.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="417" src="https://www.2k8.org/content/uploadfile/202211/26/74152641.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The pointer we selected is the one on the first row; the library is advapi32 and the function is RegSetValueExA:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="333" src="https://www.2k8.org/content/uploadfile/202211/26/b5510b94.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Then double-click the pointer selected earlier and look up the corresponding DLL and function name.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="384" height="344" src="https://www.2k8.org/content/uploadfile/202211/26/d4664c37.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">After clicking OK, the pointer shows as repaired.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="415" src="https://www.2k8.org/content/uploadfile/202211/26/aee5efe3.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">This method is of course only practical when there are few invalid pointers. Once the repair is done, select the unpacked file and Fix.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:12.0pt;">A handy trick</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Open OD and adjust its settings.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="260" height="114" src="https://www.2k8.org/content/uploadfile/202211/26/bf0d31e5.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Choose SFX-&gt;Trace real entry bytewise.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="475" height="388" src="https://www.2k8.org/content/uploadfile/202211/26/fc93c383.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Then load the target program; OD stops automatically at the OEP. This method is worth trying, but it is not guaranteed to work for every packer.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:12.0pt;">Handling overlay data</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Some packer authors put critical code into the overlay (data appended after the last section). After unpacking, that overlay code is stripped away as well, which is how it protects the code. This section explains how to handle a program that carries overlay data.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">First check the target program with PEiD. Its output shows the Beidou (北斗) packer, and Overlay indicates that appended data is present.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="422" height="241" src="https://www.2k8.org/content/uploadfile/202211/26/1f9345c4.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">This packer itself is simple; the focus is the repair after unpacking, for which two methods are introduced.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The first method is to load the original target program in a hex editor and search upward from the end of the file until you reach the region that is all 0.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="79" src="https://www.2k8.org/content/uploadfile/202211/26/9fb4076e.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Copy from CA00 up to the end of the file, then open the repaired file and paste the copied data at its end.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The second method is similar to the first, just faster at locating the data: use PEiD to view the program's section information.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="422" height="241" src="https://www.2k8.org/content/uploadfile/202211/26/695ae0fb.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="447" height="196" src="https://www.2k8.org/content/uploadfile/202211/26/8ac18b13.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">The fields that matter are R. Offset and R. Size (the section's raw offset and raw size on disk). Take the last section and add the two: 0x400 + 0xC600 = 0xCA00. Jump to that offset in the hex editor; that is where the data to copy begins. Strictly, the overlay starts at the largest PointerToRawData + SizeOfRawData over all sections; this equals the last section's value only when the headers are listed in file order, which is almost always the case, but a last section with SizeOfRawData = 0 (common in packed files) is one case where the last entry alone gives the wrong answer.</span>
</p>
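<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">As an added example (not code from the article), the Python below does both steps above programmatically: it parses the PE section table to compute the overlay start as the largest PointerToRawData + SizeOfRawData, also implements the hex-editor "walk up to the zero padding" heuristic, cuts the overlay out of the original file and appends it to the dumped copy. The PE it operates on is constructed in build_sample_pe and is not a real sample; the section layout (0x400 and 0x600, 0x200 bytes each) is an assumption of the example.</span>
</p>

```python
import struct

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def section_table(data: bytes) -> list:
    """Parse the PE section table. Returns (name, VirtualAddress, VirtualSize,
    PointerToRawData, SizeOfRawData) per section, i.e. what PEiD shows as
    V. Offset / V. Size / R. Offset / R. Size."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    first = e_lfanew + 4 + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, first + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))
    return sections


def overlay_offset(data: bytes) -> int:
    """Method 2 of the text: R. Offset + R. Size of the last section. The maximum
    over all sections is used because headers need not be listed in file order."""
    end = max(rawptr + rawsize for _, _, _, rawptr, rawsize in section_table(data))
    return min(end, len(data))          # a truncated file simply has no overlay


def overlay_offset_by_zero_run(data: bytes, min_run: int = 16) -> int:
    """Method 1 of the text: walk up from EOF until a run of zero bytes (the
    padding at the tail of the last section) is found. Heuristic only: an
    overlay that contains a long zero run of its own will be cut short."""
    i = len(data)
    while i >= min_run:
        if data[i - min_run:i] == bytes(min_run):
            return i
        i -= 1
    return len(data)


def extract_overlay(original: bytes) -> bytes:
    return original[overlay_offset(original):]


def append_overlay(fixed: bytes, original: bytes) -> bytes:
    """Paste the original file's overlay at the end of the repaired (dumped) file."""
    return fixed + extract_overlay(original)


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 image (not a real program): headers padded to
    0x400, .text at 0x400 and .data at 0x600, 0x200 bytes each, then the overlay."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    secs = [(b".text", 0x1000, 0x400), (b".data", 0x2000, 0x600)]  # name, VA, raw offset
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic; rest left zero
    hdr = bytearray(dos + b"PE\0\0" + coff + opt)
    for name, va, rawptr in secs:
        hdr += struct.pack(SECTION_HEADER, name, 0x200, va, 0x200, rawptr, 0, 0, 0, 0, 0x60000020)
    hdr += bytes(0x400 - len(hdr))
    text = b"\xC3" * 0x10 + bytes(0x200 - 0x10)   # section body followed by zero padding
    data = b"config" + bytes(0x200 - 6)
    return bytes(hdr + text + data) + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"OVERLAY-DATA-1234")
    for name, va, vsize, rawptr, rawsize in section_table(sample):
        print(f"{name:8s} R.Offset={rawptr:#08x} R.Size={rawsize:#08x}")
    print(f"overlay at {overlay_offset(sample):#x} (zero-run heuristic: {overlay_offset_by_zero_run(sample):#x})")
    print("repaired equals original:", append_overlay(sample[:0x800], sample) == sample)
```

<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">To repair a real dump, read the original and the dumped file with open(path, "rb").read(), pass them to append_overlay and write the result out. Compare overlay_offset with overlay_offset_by_zero_run first and look at the file by hand if the two disagree.</span>
</p>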
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:18.0pt;">Debugging multiple threads</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">OllyDbg (OD) follows only one thread at a time, so a sample that spawns many threads is awkward to debug. This section describes how to handle such programs.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">First, the function that creates a thread:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">HANDLE CreateThread(</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">LPSECURITY_ATTRIBUTES lpThreadAttributes, // security descriptor (SD), usually NULL</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">SIZE_T dwStackSize, // initial stack size, 0 for the default</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">LPTHREAD_START_ROUTINE lpStartAddress, // thread function (entry point of the new thread)</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">LPVOID lpParameter, // thread argument</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">DWORD dwCreationFlags, // creation options, e.g. CREATE_SUSPENDED (0x4)</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">LPDWORD lpThreadId // receives the thread identifier</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">);</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">The third and fourth parameters matter most: lpStartAddress is the entry point of the new thread and lpParameter is the argument it receives. When the program calls CreateThread, read lpStartAddress from the stack, go to that address and set a breakpoint. Normally the creating thread then calls Sleep or WaitForSingleObject; once it blocks, the scheduler runs the new thread, the breakpoint fires and the debugger is now inside it.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="168" src="https://www.2k8.org/content/uploadfile/202211/26/aea6dd8b.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">If the program never calls Sleep or WaitForSingleObject, you can patch its code so that it does, which forces execution into the new thread. Another option is to point EIP at the new thread's entry; a thread function expects its argument at [ESP+4], so if there is one you also have to fix up the stack (or whichever register the entry code reads) to point at the argument. This runs the thread body on the creator's stack and register state, so registers may be wrong, the environment inconsistent, and the program may crash.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">A third way to deal with multiple threads: when the program calls CreateThread several times, pick the thread you want to debug and let that call complete; for every later CreateThread call, patch the function so that it returns immediately, so no further threads are created and only the one thread is left to debug. CreateThread is stdcall with six arguments, so the replacement must be ret 18h (pop 0x18 bytes) or the caller's stack will be unbalanced, and because the patched call returns NULL, check that the caller does not take an error path on a failed handle.</span>
</p>
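<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">The stack layout the text relies on, and the patch for the third method, as an added example in Python that is not part of the original article: decode_createthread_call reads the six arguments from a dump of the stack at ESP taken when a breakpoint on kernel32!CreateThread fires, and neuter_createthread_patch produces the bytes that make CreateThread return at once. The stack snapshot and every address in it are constructed for the example.</span>
</p>

```python
import struct

CREATE_SUSPENDED = 0x00000004
CREATETHREAD_ARGS = ("lpThreadAttributes", "dwStackSize", "lpStartAddress",
                     "lpParameter", "dwCreationFlags", "lpThreadId")


def decode_createthread_call(stack: bytes) -> dict:
    """Decode the stack as seen at ESP when a breakpoint on kernel32!CreateThread
    fires on 32-bit Windows (stdcall): [ESP] is the return address into the
    caller, followed by the six arguments in declaration order, 4 bytes each."""
    values = struct.unpack_from("<7I", stack, 0)
    call = dict(zip(CREATETHREAD_ARGS, values[1:]))
    call["return_address"] = values[0]
    call["starts_suspended"] = bool(call["dwCreationFlags"] & CREATE_SUSPENDED)
    return call


def breakpoint_for_new_thread(call: dict) -> int:
    """Where to set the breakpoint before letting the creating thread run on:
    the new thread's entry point. lpParameter is what it will find at [ESP+4]."""
    return call["lpStartAddress"]


def neuter_createthread_patch() -> bytes:
    """Bytes to write over the first instructions of CreateThread so that it
    returns NULL without creating a thread:  xor eax,eax ; ret 18h
    stdcall means the callee pops its own arguments, 6 * 4 = 0x18 bytes here;
    a plain 'ret' would leave the caller's stack unbalanced."""
    return b"\x33\xC0" + b"\xC2" + struct.pack("<H", len(CREATETHREAD_ARGS) * 4)


def sample_stack_snapshot() -> bytes:
    """Constructed stack dump, not taken from a real sample: the call returns to
    0x00401234, the thread entry is 0x00402000, its argument 0x00403000, and the
    thread is created suspended."""
    return struct.pack("<7I", 0x00401234, 0, 0, 0x00402000, 0x00403000,
                       CREATE_SUSPENDED, 0x0012FF7C)


if __name__ == "__main__":
    call = decode_createthread_call(sample_stack_snapshot())
    print(f"bp {breakpoint_for_new_thread(call):08X}   ; thread entry, param={call['lpParameter']:08X}"
          f", suspended={call['starts_suspended']}")
    print("patch CreateThread with:", neuter_createthread_patch().hex().upper())
```

<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">The layout is the 32-bit one the OllyDbg workflow above assumes; on x64 the first four arguments travel in rcx, rdx, r8 and r9 and only dwCreationFlags and lpThreadId are on the stack. CreateRemoteThread, _beginthreadex and NtCreateThreadEx take different argument lists, so break on those as well if the sample uses them. If the sample checks the returned handle, replace the xor eax,eax with mov eax,1 (B8 01 00 00 00) so that a non-zero dummy handle is returned.</span>
</p>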
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:18.0pt;">Debugging child processes</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">Some samples do not do their work on their own: at run time they create a child process that carries out the malicious functionality, and then you have to debug inside the child.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">If the parent creates the child in a suspended state (CREATE_SUSPENDED), it will normally inject code into the child and then call ResumeThread to let it run. In that case, find the address the parent writes to (break on WriteProcessMemory and note lpBaseAddress). After the write has happened but before the parent calls ResumeThread, attach a second debugger to the child, set a breakpoint at the injected address and press F9 so that the child is ready to run. Then go back to the parent and let ResumeThread execute; the child stops at the injected code.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">The other way of creating a child is simply to start it and let it run, with no injection. That case is simpler; the one thing to watch is the command-line arguments the parent passes to the child. Open the child executable in OllyDbg with the same arguments and start debugging.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">PS: in WinDbg, the command .childdbg 1 turns on child-process debugging, so processes created by the debuggee are debugged as well.</span>
</p>
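<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">As an added example, not part of the article and not the output of any real monitoring tool, the Python below applies the reasoning of the paragraphs above to an API trace of the parent: it reports the child PID, whether CREATE_SUSPENDED was used, every WriteProcessMemory target (the addresses to break on inside the child), the command line for the plain-CreateProcess case, and the trace line of the ResumeThread call before which the second debugger has to be attached. The trace format, the API names' argument spellings and all addresses are constructed for the example.</span>
</p>

```python
import re

CREATE_SUSPENDED = 0x00000004

# Constructed trace of a parent that hollows a suspended child.
# The line format is hypothetical, not the output of any real API monitor.
SAMPLE_TRACE_SUSPENDED = """\
CreateProcessA(lpApplicationName="C:\\Windows\\System32\\svchost.exe", dwCreationFlags=0x00000004) -> TRUE pid=1860 tid=1864
NtUnmapViewOfSection(ProcessHandle=0x00A4, BaseAddress=0x00400000) -> 0
VirtualAllocEx(hProcess=0x00A4, lpAddress=0x00400000, dwSize=0x0000C000, flProtect=0x40) -> 0x00400000
WriteProcessMemory(hProcess=0x00A4, lpBaseAddress=0x00400000, nSize=0x00000400) -> TRUE
WriteProcessMemory(hProcess=0x00A4, lpBaseAddress=0x00401000, nSize=0x0000A600) -> TRUE
SetThreadContext(hThread=0x00A8) -> TRUE
ResumeThread(hThread=0x00A8) -> 1
"""

# Constructed trace of the simpler case: the child is just started with arguments.
SAMPLE_TRACE_PLAIN = """\
CreateProcessW(lpCommandLine="C:\\Users\\Public\\dropper.exe /install /silent", dwCreationFlags=0x00000000) -> TRUE pid=2000 tid=2004
WaitForSingleObject(hHandle=0x00B0, dwMilliseconds=0xFFFFFFFF) -> 0
"""

LINE_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)\s*->\s*(?P<ret>.*)$")
ARG_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_trace(text: str) -> list:
    """One dict per call: trace line number, API name, parsed arguments, raw return text."""
    calls = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip anything that is not an API call line
        args = {}
        for name, value in ARG_RE.findall(m.group("args")):
            args[name] = value.strip('"') if value.startswith('"') else int(value, 0)
        calls.append({"line": lineno, "api": m.group("api"), "args": args, "ret": m.group("ret")})
    return calls


def plan_child_debugging(text: str) -> dict:
    """Turn the trace into the facts the procedure above needs."""
    plan = {"child_pid": None, "suspended": False, "command_line": None,
            "injected": [], "break_at": [], "attach_before_line": None}
    for call in parse_trace(text):
        args = call["args"]
        if call["api"].startswith("CreateProcess"):
            pid = re.search(r"pid=(\d+)", call["ret"])
            plan["child_pid"] = int(pid.group(1)) if pid else None
            plan["suspended"] = bool(args.get("dwCreationFlags", 0) & CREATE_SUSPENDED)
            plan["command_line"] = args.get("lpCommandLine")
        elif call["api"] == "WriteProcessMemory":
            plan["injected"].append((args["lpBaseAddress"], args["nSize"]))
        elif call["api"] == "ResumeThread" and plan["attach_before_line"] is None:
            plan["attach_before_line"] = call["line"]
    # Breakpoints go at the start of each written region. The first write usually
    # carries the PE header of the injected image, so the code that actually runs
    # is typically in a later region (or at the entry set through SetThreadContext).
    plan["break_at"] = [base for base, _ in plan["injected"]]
    return plan


if __name__ == "__main__":
    for name, trace in (("suspended", SAMPLE_TRACE_SUSPENDED), ("plain", SAMPLE_TRACE_PLAIN)):
        plan = plan_child_debugging(trace)
        print(name, {k: ([hex(x) for x in v] if k == "break_at" else v) for k, v in plan.items()})
```

<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">For the suspended trace the plan says: attach to PID 1860 before line 7 (the ResumeThread call) and break at 0x400000 and 0x401000. For the plain trace it only reports the command line to give OllyDbg when opening the child.</span>
</p>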
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:18.0pt;">Debugging SYS files (drivers)</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">A .sys file is a driver. It is somewhat harder to debug than a user-mode program: kernel debugging needs two machines, a debugger host and a target, so the first step is to set up that two-machine environment. Here the target is a VMware guest connected to the host through a virtual serial port.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Environment setup</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">1. In VMware, open the settings of the target virtual machine, as shown below:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="501" src="https://www.2k8.org/content/uploadfile/202211/26/2d79578d.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">2. Check whether the VM already has a serial port in use; if so, remove it, otherwise WinDbg will not be able to connect to VMware. In the example below the virtual printer, which occupies a serial port, has to be removed.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="371" height="273" src="https://www.2k8.org/content/uploadfile/202211/26/9bc867e9.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">3. Add a serial port.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="501" src="https://www.2k8.org/content/uploadfile/202211/26/a051b967.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">4. In the hardware type window select Serial Port and click Next.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="503" height="405" src="https://www.2k8.org/content/uploadfile/202211/26/c5d2bb56.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">5. In the serial port type window select Output to named pipe and click Next.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="503" height="405" src="https://www.2k8.org/content/uploadfile/202211/26/5af8bfd3.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">6. Specify the socket (named pipe).</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">Configure it as in the figure below. The com_1 part of the named pipe path is the pipe name; it can be changed, but the same name must then be used in the WinDbg connection string, so the default is kept here. For the two ends, leave the first drop-down at its default, "This end is the server", and in the last drop-down choose "The other end is an application". Make sure the "Connect at power on" check box is ticked.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">Click Finish to complete the configuration.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="503" height="405" src="https://www.2k8.org/content/uploadfile/202211/26/02acb5ea.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">7. The serial port has been added.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="372" height="285" src="https://www.2k8.org/content/uploadfile/202211/26/bcddfe72.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Configuring the virtual machine</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">Inside the guest, open the Windows system drive and find boot.ini. If it is not visible, open Folder Options, select "Show hidden files and folders" and untick "Hide protected operating system files"; boot.ini then appears.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="379" height="467" src="https://www.2k8.org/content/uploadfile/202211/26/4395136b.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">The original content of boot.ini looks like this:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">[boot loader]</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">timeout=30</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">[operating systems]</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">Copy the last line, paste it as an additional entry under [operating systems] and change a few parameters, which gives the file below. boot.ini exists only on Windows XP/2003; on Vista and later the equivalent is bcdedit /debug on followed by bcdedit /dbgsettings serial debugport:1 baudrate:115200.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">[boot loader]</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">timeout=30</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">[operating systems]</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP Debug" /fastdetect /debug /debugport=com1 /baudrate=115200</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Configuring WinDbg</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">Next, set up the WinDbg start-up parameters on the debugger host so that it connects to the pipe and treats it as a serial port. Create a shortcut to windbg.exe, right-click it and choose Properties; in the Target field, after the existing path to windbg.exe, append a space followed by -b -k com:pipe,port=\\.\pipe\com_1,baud=115200,pipe (the -b makes WinDbg break in as soon as the target connects, and the pipe name must match the one configured in VMware). Click OK to save.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">To start a kernel-debugging session, boot the virtual machine and pick the debug entry from the boot menu; once the guest is coming up, start WinDbg from the shortcut and it connects to the guest.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="462" height="203" src="https://www.2k8.org/content/uploadfile/202211/26/b1cb359f.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Setting the Windows kernel symbol path</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">Open WinDbg, choose File -&gt; Symbol File Path, and enter:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">srv*c:\Symbols*http://msdl.microsoft.com/download/symbols</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">As shown below, ticking Reload is equivalent to running the .reload command, and the symbol download starts.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="409" height="197" src="https://www.2k8.org/content/uploadfile/202211/26/df2df4db.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span style="color:#777777;font-family:宋体;">This makes WinDbg fetch the symbols it needs from Microsoft's symbol server over HTTP and cache them in C:\Symbols, where they can be inspected afterwards; any other directory can be used instead. Current Microsoft documentation gives the server address as https://msdl.microsoft.com/download/symbols.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">Finding DriverEntry</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">First use the command uf nt!IopLoadDriver to view the driver-loading entry point. The code at the entry differs between 32-bit and 64-bit systems; the 32-bit code is as follows:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">nt!IopLoadDriver+0x663:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">805a07c9 ffb570ffffff&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp; dword ptr </span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">805a07cf 57&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push&nbsp;&nbsp;&nbsp; edi</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">805a07d0 ff572c&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call&nbsp;&nbsp;&nbsp; dword ptr </span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">805a07d3 3bc3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmp&nbsp;&nbsp;&nbsp;&nbsp; eax,ebx</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">805a07d5 8b8d68ffffff&nbsp;&nbsp;&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; ecx,dword ptr </span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">805a07db 8945ac&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; dword ptr ,eax</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">805a07de 8901&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; dword ptr ,eax</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">805a07e0 0f8c91200500&nbsp;&nbsp;&nbsp; jl&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nt!IopLoadDriver+0x67c (805f2877)</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The 64-bit code is as follows:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">nt!IopLoadDriver+0x9fe:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">fffff800`02cb545e 488bd6&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; rdx,rsi</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">fffff800`02cb5461 488bcb&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; rcx,rbx</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">fffff800`02cb5464 ff5358&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call&nbsp;&nbsp;&nbsp; qword ptr </span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">fffff800`02cb5467 4c8b15da3bdaff&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; r10,qword ptr </span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">fffff800`02cb546e 8bf8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; edi,eax</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">fffff800`02cb5470 898424e0000000&nbsp; mov&nbsp;&nbsp;&nbsp;&nbsp; dword ptr ,eax</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">fffff800`02cb5477 4c3bd5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmp&nbsp;&nbsp;&nbsp;&nbsp; r10,rbp</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">fffff800`02cb547a 0f848e000000&nbsp;&nbsp;&nbsp; je&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; nt!IopLoadDriver+0xaae (fffff800`02cb550e)</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The key point can be located by searching for the code marked in red above (the call through the driver object, which is what invokes DriverEntry). Set a breakpoint there with bp, then enter "g" to let the virtual machine run, and go back to loading the driver with KmdManager. Open KmdManager; its interface looks like this:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="366" height="289" src="https://www.2k8.org/content/uploadfile/202211/26/a4bf9c60.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Drag the .sys file into the window shown above and tick the small checkbox (the one below it can be ticked later, when unloading the driver), as shown below:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="368" height="288" src="https://www.2k8.org/content/uploadfile/202211/26/3def3d27.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Then click Reg`nRun to load the driver; the breakpoint will hit where we set it. Press F11 to step into the call and you arrive at DriverEntry, where debugging can begin.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Note: 32-bit drivers must be debugged on a 32-bit system, and 64-bit drivers on a 64-bit system.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:18.0pt;">DLL Debugging</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">When debugging a dynamic-link library with OD (OllyDbg) there are two ways to open it. The first is simple: drag the DLL file into OD. OD recognizes that the file is a DLL and launches loaddll.exe to load it.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="79" src="https://www.2k8.org/content/uploadfile/202211/26/9c165813.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The other method is to open rundll32.exe in OD and pass the path of the DLL as its argument.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="436" height="280" src="https://www.2k8.org/content/uploadfile/202211/26/dfa22494.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Both approaches are direct, but some DLLs have already executed their malicious code by the time OD has loaded them and broken in. In that case the debugging technique described below is needed.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Select Options-&gt;Debugging options from the menu bar.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="267" height="101" src="https://www.2k8.org/content/uploadfile/202211/26/90dda3f0.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">In the dialog that appears, select Events, tick Break on new module (DLL), then click OK.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="473" height="377" src="https://www.2k8.org/content/uploadfile/202211/26/53175d49.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Now OD will break whenever a new module is loaded. Watch the Executable modules window at this point: it shows the memory address at which the DLL was loaded.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="59" src="https://www.2k8.org/content/uploadfile/202211/26/964d2bee.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">As shown, the base address of our target DLL is 0x10000000. Next, open the target file in IDA and find the address where you want to set a breakpoint, for example:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="516" height="256" src="https://www.2k8.org/content/uploadfile/202211/26/15d4e089.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Suppose we want to set a breakpoint at sub_1000824C. Simply navigate to this address in OD and set the breakpoint. If, however, IDA shows the address as 0x2000824C, there will be no corresponding code at 0x2000824C in OD, because IDA displays addresses relative to the file's preferred image base (0x20000000 here) while the loader placed the module elsewhere. In this case the offset must be computed: clearly the RVA of this address is 824C, so adding this offset to the base address at which OD loaded the module, 0x10000000, gives the absolute address of the code. Then set the breakpoint and run the program (the Break on new module option set earlier can be disabled at this point).</span>
</p>
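<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The address translation described above, as an added example that is not part of the original article: it reads the preferred ImageBase (the base IDA uses) and the DYNAMIC_BASE flag from a PE header, then rebases an IDA address onto the base the debugger reports. The PE header bytes, the 0x20000000 preferred base, the 0x10000000 runtime base and the function names are constructed for the demonstration; the header offsets are those of the PE/COFF specification.</span>
</p>

```python
import struct

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR: the loader may relocate the image


def read_image_base(pe: bytes) -> tuple[int, bool]:
    """Return (preferred ImageBase, ASLR-enabled) from a PE image's headers.

    IDA shows addresses relative to this preferred base; the debugger shows
    wherever the loader actually placed the module.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20  # skip 'PE\0\0' and the 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:    # PE32: 4-byte ImageBase at +28
        (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:  # PE32+: 8-byte ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)  # same offset in both formats
    return image_base, bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def rebase(addr: int, disasm_base: int, runtime_base: int) -> tuple[int, int]:
    """Translate a disassembler address into the debugger's view.

    RVA = addr - disasm_base; runtime address = runtime_base + RVA.
    """
    rva = addr - disasm_base
    if rva < 0:
        raise ValueError(f"{addr:#x} lies below the image base {disasm_base:#x}")
    return rva, runtime_base + rva


def build_sample_pe32(image_base: int, dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header (not a real DLL) used only for this demo."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew: NT headers start at 0x40
    hdr += b"PE\0\0"
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, IMAGE_FILE_MACHINE_I386)
    struct.pack_into("<H", coff, 16, 0xE0)    # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", coff, 18, 0x2102)  # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    hdr += coff
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    hdr += opt
    return bytes(hdr)


# Constructed sample: a DLL linked at 0x20000000 with ASLR enabled, matching the
# article's scenario in which OD reports the module at 0x10000000 instead.
SAMPLE_PE = build_sample_pe32(0x20000000, 0x0140)  # DYNAMIC_BASE | NX_COMPAT
OD_BASE = 0x10000000


def breakpoint_address(pe: bytes, ida_addr: int, debugger_base: int) -> int:
    """Address to enter in OD for a function that IDA shows at ida_addr."""
    preferred_base, _aslr = read_image_base(pe)
    _rva, runtime_addr = rebase(ida_addr, preferred_base, debugger_base)
    return runtime_addr


if __name__ == "__main__":
    base, aslr = read_image_base(SAMPLE_PE)
    print(f"preferred ImageBase {base:#x}, ASLR={aslr}")
    print(f"IDA 0x2000824C -> OD {breakpoint_address(SAMPLE_PE, 0x2000824C, OD_BASE):#x}")
```

<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Reading the preferred base from the header rather than guessing it from IDA's display avoids mistakes when the image base is not a round number; the DYNAMIC_BASE flag tells you in advance whether to expect the module at a different address in the debugger.</span>
</p>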
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:18.0pt;">JS Debugging</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Using JS to carry out malicious functionality or to download malicious components is now commonplace, so this section covers methods for debugging JS.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Most malicious JS scripts are obfuscated or encrypted, which makes static analysis essentially impossible, so the script usually needs to be beautified before analysis. Recommended beautifier: <a href="http://jsbeautifier.org/"><span style="border:none windowtext 1.0pt;color:#1EAAF1;font-family:inherit,serif;padding:0cm;">http://jsbeautifier.org/</span></a></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Now to the main topic: methods for debugging JS.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">The alert method</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">In the early days of the internet, web front ends were mainly about displaying content and browser scripts provided only very simple auxiliary functions. Pages ran mostly in IE6-class browsers, JS debugging support was very weak, and the only way to debug was the alert method built into the Window object. Press F12 in the page and click the Console button.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="479" height="135" src="https://www.2k8.org/content/uploadfile/202211/26/880027f3.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Type the value you want to inspect directly here. As shown below, entering var a = 'abc';alert(a); makes the browser pop up a dialog showing the value of variable a.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="170" src="https://www.2k8.org/content/uploadfile/202211/26/ed66d573.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">The console method</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">As JS came to do more, carry more responsibility and grow in importance, the traditional alert method gradually fell behind: alert dialogs are unattractive and cover page content, and using alert requires inserting alert(xxx) statements into the program logic, which is cumbersome and, for developers, has to be cleaned up by hand afterwards. To avoid this overhead, the console debugging method appeared.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">It is similar to the alert method; just replace the statement with console.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="136" height="115" src="https://www.2k8.org/content/uploadfile/202211/26/58bb97d9.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">console statements can also be added to the malicious JS script to output the target values you want to inspect.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">JS breakpoint debugging</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">JS breakpoint debugging means setting breakpoints on JS code in the browser's developer tools so that execution stops at a chosen position, which lets us examine the code and its logic at that point. For the explanation we first prepare a sample script:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="244" height="232" src="https://www.2k8.org/content/uploadfile/202211/26/904e2013.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Using Sources breakpoints</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Method one: as described above, add alert or console statements to the source. After adding them the code looks like this:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="341" height="276" src="https://www.2k8.org/content/uploadfile/202211/26/5b6489f4.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The result:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="206" height="150" src="https://www.2k8.org/content/uploadfile/202211/26/11515996.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">This method requires editing the code by hand, which is tedious, so the following uses breakpoints instead.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Method two: press F12 to open the developer tools, go to the Sources panel, locate the file in the tree on the left, then click a line number to add or remove a breakpoint.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="554" height="272" src="https://www.2k8.org/content/uploadfile/202211/26/95c526ae.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Once the breakpoint is set, reload the page. Execution stops at the breakpoint, and the Sources panel shows every variable in the current scope together with its value.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="480" height="276" src="https://www.2k8.org/content/uploadfile/202211/26/82d4b2d4.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">To trace the code line by line, use the debugging buttons the browser provides:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="191" height="31" src="https://www.2k8.org/content/uploadfile/202211/26/1e896b79.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">The six buttons, in order, are:</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Pause/Resume script execution: pauses the script, or resumes it so that it runs until the next breakpoint.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Step over next function call: executes the current line and stops at the next one; any function called on that line runs to completion without being entered.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Step into next function call: enters the function called on the current line and stops at its first statement.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Step out of current function: runs the rest of the current function and stops when it returns to the caller.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Deactivate/Activate all breakpoints: disables or enables every breakpoint without removing it.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Pause on exceptions: pauses automatically wherever an exception is thrown.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">With these buttons you can debug a script much as you would a native executable.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Note that showing variable values inline in the code area was added only in newer versions of Chrome. With an older Chrome you may not see variable values directly while paused at a breakpoint; in that case hover over a variable name for a moment and its value appears. You can also type a variable name into the Watch panel on the right, which works for expressions as well. Finally, while paused at a breakpoint you can switch to the Console panel, type a variable name and press Enter to inspect it.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="223" height="151" src="https://www.2k8.org/content/uploadfile/202211/26/ce059ed1.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:15.0pt;">The debugger method</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">This method inserts a "debugger;" statement into the source; when execution reaches it the browser pauses automatically, and from there you proceed as with the breakpoint debugging described above. Note that the statement only takes effect while the developer tools are open; otherwise it is ignored. Malicious scripts sometimes abuse this by calling debugger in a loop to stall an analyst; in that case right-click the line in the Sources panel and choose "Never pause here" to skip it.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="470" height="286" src="https://www.2k8.org/content/uploadfile/202211/26/22c458d2.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <b><span lang="EN-US" style="color:#1E1E1E;font-family:Helvetica,sans-serif;font-size:18.0pt;">.NET Debugging</span></b>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">For debugging .NET programs the tool of choice is dnSpy, a powerful tool that combines static analysis and dynamic debugging.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Open the target application in dnSpy. The information shown on screen tells us the entry point, and clicking Main jumps straight to the Main function.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="269" height="127" src="https://www.2k8.org/content/uploadfile/202211/26/ad39167c.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Alternatively, right-click the tree on the left and choose Go to Entry Point from the context menu to jump to the program's entry point. For detailed usage of dnSpy, see the tools chapter.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="453" height="343" src="https://www.2k8.org/content/uploadfile/202211/26/13a0bb85.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Once the entry point is located, set breakpoints at the key places (F9 sets a breakpoint), then click the debug button on the toolbar to begin debugging.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="136" height="32" src="https://www.2k8.org/content/uploadfile/202211/26/8725bd6d.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">Clicking that button opens a dialog; select the program to debug and its command-line arguments, and debugging starts.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="496" height="179" src="https://www.2k8.org/content/uploadfile/202211/26/c2b9b235.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">If the program is not obfuscated, dnSpy can recover something very close to the original source, which is exactly why .NET malware is almost always obfuscated. If you can identify the obfuscator used, search for a matching deobfuscation tool; if not, the only option is to rename functions and variables yourself as you learn their purpose through dynamic debugging: right-click the variable or function name and choose Edit Method.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="262" height="280" src="https://www.2k8.org/content/uploadfile/202211/26/858466fb.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">To rename a class, choose Edit Type instead.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="507" height="361" src="https://www.2k8.org/content/uploadfile/202211/26/af0581ab.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;">During debugging, to inspect a variable's value, hover the mouse over it and its type and value are displayed.</span>
</p>
<p align="left" style="background:white;font-family:等线;font-size:10.5pt;margin:0cm;margin-bottom:15.0pt;text-align:left;text-justify:inter-ideograph;vertical-align:baseline;">
        <img width="264" height="70" src="https://www.2k8.org/content/uploadfile/202211/26/2e1f516f.png" alt="" style="vertical-align:middle;" /><span lang="EN-US" style="color:#777777;font-family:Helvetica,sans-serif;"></span>
</p>