_rdata segment: is there any direct way to rename these functions?
#1
Before dumping the process memory to disk, rebuild the import table with a tool such as Scylla.
#2
In the debugger, select the import table and run idc\renimp.idc. The comment at the top of the file:
/*
   Rename imports.
   This script renames entries of a dynamically built import table.
   For example, from a table like this:
       dd offset ntdll_NtPowerInformation
       dd offset ntdll_NtInitiatePowerAction
       dd offset ntdll_NtSetThreadExecutionState
       dd offset ntdll_NtRequestWakeupLatency
       dd offset ntdll_NtGetDevicePowerState
       dd offset ntdll_NtIsSystemResumeAutomatic
       dd offset ntdll_NtRequestDeviceWakeup
       dd offset ntdll_NtCancelDeviceWakeupRequest
       dd offset ntdll_RtlQueryRegistryValues
   it will create a table like this:
       NtPowerInformation          dd offset ntdll_NtPowerInformation
       NtInitiatePowerAction       dd offset ntdll_NtInitiatePowerAction
       NtSetThreadExecutionState   dd offset ntdll_NtSetThreadExecutionState
       NtRequestWakeupLatency      dd offset ntdll_NtRequestWakeupLatency
       NtGetDevicePowerState       dd offset ntdll_NtGetDevicePowerState
       NtIsSystemResumeAutomatic   dd offset ntdll_NtIsSystemResumeAutomatic
       NtRequestDeviceWakeup       dd offset ntdll_NtRequestDeviceWakeup
       NtCancelDeviceWakeupRequest dd offset ntdll_NtCancelDeviceWakeupRequest
       RtlQueryRegistryValues      dd offset ntdll_RtlQueryRegistryValues
   Usage: select the import table and run the script.
   Known problems: if the dll name contains an underscore, the function
   names might be incorrect. Special care is taken for the ws2_32.dll but
   other dlls will have wrong function names.
*/
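The renaming rule renimp.idc describes (take the name the pointer targets, cut the `dll_` prefix, use the rest as the label for the slot) is short enough to show in full, together with the underscore problem the comment warns about. The script below is an added example written for this answer, not the renimp.idc shipped with IDA. The pure-Python part runs anywhere so the logic can be checked offline; the `rename_in_ida` wrapper is an assumed IDAPython equivalent (it uses `idc.get_name`, `idc.get_wide_dword`, `idc.get_qword`, `idc.set_name` and the selection helpers) and only works inside IDA. The `UNDERSCORE_DLLS` list and `SAMPLE_TABLE` are constructed for the example.

```python
"""Rename slots of a dynamically built import table after their targets.

Added example (not IDA's renimp.idc). The core is pure Python; the IDA
glue at the bottom is an assumption about the IDAPython API and is
only exercised inside IDA.
"""
import re
from typing import List, Optional, Sequence, Tuple

# Constructed table of DLL base names that themselves contain an underscore.
# renimp.idc special-cases only ws2_32; listing the others here generalises
# that fix. Assumption: any DLL not listed has no underscore in its name.
UNDERSCORE_DLLS: Sequence[str] = ("ws2_32", "vcruntime140_1", "msvcp140_1")

# One listing line: optional existing label, dd/dq, "offset", target symbol.
ENTRY_RE = re.compile(
    r"^\s*(?:(?P<label>\w+)\s+)?(?P<dir>d[dq])\s+offset\s+(?P<target>\w+)\s*$"
)


def split_import_name(
    name: str, underscore_dlls: Sequence[str] = UNDERSCORE_DLLS
) -> Optional[Tuple[str, str]]:
    """Split an IDA-style 'dll_Function' name into ('dll', 'Function').

    DLLs whose own name holds an underscore are matched first, longest
    prefix first, so 'ws2_32_WSAStartup' becomes ('ws2_32', 'WSAStartup')
    rather than ('ws2', '32_WSAStartup'). Everything else splits at the
    first underscore, which is exactly what renimp.idc does and why it
    goes wrong for unlisted underscore DLLs. Returns None when the name
    is not of the dll_Function form at all.
    """
    for dll in sorted(underscore_dlls, key=len, reverse=True):
        prefix = dll + "_"
        if name.startswith(prefix) and len(name) > len(prefix):
            return dll, name[len(prefix):]
    dll, sep, func = name.partition("_")
    if not sep or not dll or not func:
        return None
    return dll, func


def rename_table(
    listing: str, underscore_dlls: Sequence[str] = UNDERSCORE_DLLS
) -> List[str]:
    """Rewrite listing lines so each pointer slot is labelled with the
    bare API name, reproducing the before/after shown in renimp.idc.
    Lines that are not 'dd/dq offset <dll_Function>' are passed through."""
    out: List[str] = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        m = ENTRY_RE.match(line)
        split = split_import_name(m.group("target"), underscore_dlls) if m else None
        if m is None or split is None:
            out.append(line)
            continue
        out.append(f"{split[1]} {m.group('dir')} offset {m.group('target')}")
    return out


def rename_in_ida(start: int, end: int, ptr_size: int = 4,
                  underscore_dlls: Sequence[str] = UNDERSCORE_DLLS) -> int:
    """Same operation on a live IDA database: walk the selected slots,
    read each pointer, look up the name at its target and name the slot.
    Assumption: runs inside IDAPython; ptr_size=4 matches a 'dd' table,
    use 8 for a 'dq' table. Returns the number of slots renamed.
    Typical call from the IDA console after selecting the table:
        rename_in_ida(idc.read_selection_start(), idc.read_selection_end())
    """
    import idc  # only importable inside IDA

    renamed = 0
    for ea in range(start, end, ptr_size):
        target = idc.get_wide_dword(ea) if ptr_size == 4 else idc.get_qword(ea)
        split = split_import_name(idc.get_name(target) or "", underscore_dlls)
        if split is None:
            continue  # slot does not point at a dll_Function symbol
        if idc.set_name(ea, split[1], idc.SN_NOWARN):
            renamed += 1
    return renamed


# Constructed sample: three entries from the answer's table plus one
# ws2_32 import to show the underscore case.
SAMPLE_TABLE = """\
dd offset ntdll_NtPowerInformation
dd offset ntdll_RtlQueryRegistryValues
dd offset ws2_32_WSAStartup
dd offset kernel32_GetProcAddress
"""

if __name__ == "__main__":
    for line in rename_table(SAMPLE_TABLE):
        print(line)
    print("naive split:", split_import_name("ws2_32_WSAStartup", underscore_dlls=()))
```

Running the file outside IDA prints the relabelled table; the last line shows what the naive first-underscore split does to a ws2_32 import, which is the "known problem" from the script header. Inside IDA, select the table and call `rename_in_ida` with the selection bounds.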
#3
You are most likely working from a process dump. Those addresses will depend on the Windows version and service pack. If you have the chance to run it in a VM, try Volatility: run procdump and then scan. impscan can give you an IDC that renames those addresses to their respective API names. This method works well even with non-PE injected code. com/volatilityfoundation/volatility/wiki/Command%20Reference%20Mal#impscan