资源名称:杀不死的秘密 反汇编揭露黑客免杀变种技术 PDF
第一章 背景知识
1.1 免杀技术的发展.......................................................1
1.2 免杀技术的定义.......................................................2
1.3 杀毒软件查杀原理.....................................................2
1.3.1 特征码法....................................................2
1.3.2 校验和法....................................................3
1.3.3 行为监测法..................................................4
1.3.4 软件模拟法..................................................4
1.3.5 总结........................................................4
1.4 常见杀毒软件及其杀毒引擎特点.........................................5
1.5 免杀技术的分类.......................................................6
1.5.1 内部免杀和外部免杀..........................................6
1.5.2 特征码免杀和大范围免杀......................................6
1.5.3 文件免杀、内存免杀和行为免杀................................6
1.5.4 盲免技术....................................................7
第二章 搭建实验环境
2.1 免杀测试步骤及测试环境...............................................8
2.1.1 免杀测试中遇到的问题........................................8
2.1.2 虚拟机的概念................................................8
2.1.3 VMware工作原理.............................................9
2.1.4 系统还原技术................................................9
2.1.5 冰点还原工作原理............................................9
2.1.6 选用哪种方式测试免杀效果....................................9
2.2 VMware的安装与使用.................................................10
2.2.1 安装VMware Workstation 6.5.2中文版........................10
2.2.2 创建一个新的虚拟机..........................................12
2.2.3 在VMware的虚拟机中安装Ghost XP...........................14
2.2.4 安装VMware Tools及简单使用VMware........................16
2.3 冰点还原的安装与使用.................................................17
2.3.1 安装冰点还原................................................17
2.3.2 使用冰点还原................................................18
2.4 综合型的测试环境.....................................................19
2.5 常用免杀工具一览.....................................................19
第三章 免杀技术前置知识——PE结构
3.1 PE结构简单介绍......................................................26
3.1.1 PE文件结构(简化)............................................26
3.1.2 初步理解内存地址............................................26
3.1.3 文件偏移地址和虚拟地址转换..................................27
3.2 DOS文件头和DOS块...................................................27
3.2.1 DOS文件头..................................................27
3.2.2 DOS块......................................................28
3.3 PE文件头............................................................29
3.3.1 FileHeader字段...............................................29
3.3.2 OptionalHeader字段...........................................30
3.4 区段表和区段.........................................................32
3.5 输出表和输入表.......................................................32
3.5.1 输出表......................................................32
3.5.2 输入表......................................................33
3.6 什么是加壳免杀.......................................................33
3.6.1 加壳免杀概念................................................33
3.6.2 壳程序的分类................................................33
3.7 壳程序的使用.........................................................34
3.7.1 ASPack加壳实例..............................................34
3.7.2 UPX加壳实例...............................................35
3.7.3 NSPack加壳实例..............................................36
3.8 实战加壳免杀.........................................................37
3.9 从PEID实战PE结构..................................................38
3.9.1 使用PEID载入一个文件.......................................39
3.9.2 入口点......................................................39
3.9.3 EP段.......................................................39
3.9.4 文件偏移....................................................40
3.9.5 首字节及汇编的概念..........................................40
3.9.6 查壳功能....................................................41
3.9.7 查壳原理....................................................41
3.9.8 PEID的设置.................................................41
第四章 免杀技术前置知识——汇编基础
4.1 免杀技术与汇编及反汇编的关系.........................................42
4.1.1 机器语言....................................................42
4.1.2 汇编语言....................................................42
4.1.3 高级语言....................................................42
4.1.4 反汇编......................................................42
4.1.5 汇编与反汇编................................................43
4.2 寄存器和堆栈.........................................................44
4.2.1 寄存器......................................................44
4.2.2 堆栈........................................................44
4.3 内存单元与内存寻址...................................................45
4.3.1 内存单元....................................................45
4.3.2 内存地址....................................................45
4.3.3 80386的寻址机制.............................................46
4.3.4 大尾与小尾..................................................47
4.4 JMP指令与EIP寄存器.................................................48
4.4.1 jmp(JuMP)指令.............................................48
4.4.2 EIP寄存器...................................................48
4.5 常用传送指令.........................................................49
4.5.1 PUSH(PUSH)指令..........................................49
4.5.2 POP(POP)指令.............................................49
4.5.3 MOV(MOVe)指令..........................................50
4.5.4 LEA(Load Effective Address)指令............................51
4.6 算术运算指令Ⅰ.......................................................52
4.6.1 ADD(ADD)指令............................................52
4.6.2 SUB(SUBtract)指令.........................................52
4.7 标志寄存器...........................................................52
4.7.1 ZF标志位...................................................52
4.7.2 PF标志位....................................................53
4.7.3 SF标志位....................................................54
4.7.4 CF标志位....................................................54
4.8 算术运算指令Ⅱ.......................................................55
4.8.1 ADC(ADd with Carry)指令.................................55
4.8.2 SBB(SuBtract with Borrow)指令............................55
4.8.3 INC(INCrement)指令........................................56
4.8.4 DEC(DECrement)指令......................................56
4.8.5 CMP(CoMPare)指令.........................................56
4.9 逻辑运算指令.........................................................57
4.9.1 AND(AND)指令............................................57
4.9.2 OR(OR)指令...............................................57
4.9.3 XOR(eXclusive OR)指令....................................58
4.9.4 TEST(TEST)指令...........................................58
4.10 程序转移指令........................................................58
4.10.1 CALL(CALL)指令..........................................58
4.10.2 RETN/RETF(RETurN/ RETurn Fuck)指令..................59
4.10.3 条件转移指令................................................60
4.10.4 LOOP(LOOP)指令.........................................60
4.10.5 NOP(No OPeretion)指令...................................61
4.11 环境保存............................................................61
4.11.1 变化的ESP寄存器...........................................61
4.11.2 LEAVE(LEAVE)指令.......................................62
4.12 OD使用指南.........................................................62
4.12.1 将文件载入OD..............................................63
4.12.2 反汇编代码窗口.............................................63
4.12.3 程序是如何执行的...........................................64
4.12.4 免杀过程中经常用到的OD的调试功能..........................65
4.12.5 单步跟踪和单步步入.........................................65
4.12.6 断点和设置断点.............................................66
4.12.7 编辑指令...................................................66
4.12.8 表达式跟随.................................................66
4.12.9 查找命令...................................................67
4.12.10 重新设置EIP...............................................67
4.12.11 复制到可执行文件..........................................67
4.12.12 查看跳转方向..............................................67
4.13 手工加花免杀........................................................68
4.13.1 加花免杀的原理.............................................68
4.13.2 一个典型的花指令...........................................68
4.13.3 给上兴服务端加花...........................................68
4.14 工具加花免杀实例....................................................72
4.15 为什么要编写花指令..................................................73
4.15.1 堆栈平衡...................................................73
4.15.2 pushad和popad..............................................73
4.15.3 常用平衡指令...............................................73
4.16 C32Asm使用指南....................................................74
4.16.1 打开文件...................................................74
4.16.2 编辑数据...................................................74
4.16.3 地址跳转...................................................75
4.16.4 数据查找...................................................75
4.16.5 文本操作...................................................75
4.16.6 保存文件...................................................75
4.17 API调用.............................................................75
第五章 手工脱壳
........
资源截图:
开通赞助会员 · 全站免费下载
版权声明:本站资源来自互联网收集,仅供用于学习和交流,请勿用于商业用途。如有侵权、不妥之处,请联系客服并出示版权证明以便删除!
