to find its demo content. I want to remove that workaround. Is it possible to obfuscate the dump file, i.e. rename the modules to random names while keeping the dump itself intact? (Without renaming the system modules, of course.)
Are there any tools already that could help me with this task? Something that can break the dump down into its streams and reassemble them would be nice.
I am not looking for:
- renaming a simple single executable. I can rename the executable as part of the build script before the dump is created.
- obfuscation of .NET methods. I can obfuscate the .NET code as part of the build script.
Answer #1
If you are good at hex editing, the streams are documented in dbghelp.inc, which ships with the windbg SDK. Run dumpchk on the dmp file and find the RVA of the ModuleList stream, say 0x294. At that location you will see a _MINIDUMP_MODULE_LIST; skip the first dword, which is the number of modules, and a _MINIDUMP_MODULE follows. Use sizeof(_MINIDUMP_MODULE) to navigate to the next module. The module name has the format
ulong32 size of string
wstr name
and you can hex edit the name there.
C:\>dumpchk foo.dmp | grep ModuleListStream
Loading dump file foo.dmp
Stream 1: type ModuleListStream (4), size 000004A8, RVA 00000294
C:\>xxd -s 0x294 -l 0x70 -g 4 foo.dmp
0000294: 0b000000 00000001 00000000 00f00100 ................
00002a4: fcd70100 10847d3b 660a0000 bd04effe ......};f.......
00002b4: 00000100 01000500 0000280a 01000500 ..........(.....
00002c4: 0000280a 3f000000 00000000 04000400 ..(.?...........
00002d4: 01000000 00000000 00000000 00000000 ................
00002e4: 19000000 22110000 00000000 00000000 ...."...........
00002f4: 00000000 00000000 00000000 00000000 ................
C:\>xxd -s 0xa66 -l 0x20 -g 1 foo.dmp
0000a66: 10 00 00 00 63 00 61 00 6c 00 63 00 2e 00 65 00 ....c.a.l.c...e.
0000a76: 78 00 65 00 00 00 12 00 00 00 6e 00 74 00 64 00 x.e.......n.t.d.
C:\>echo pathched with hxd
pathched with hxd
C:\>xxd -s 0xa66 -l 0x20 -g 1 foo.dmp
0000a66: 10 00 00 00 64 00 61 00 6c 00 63 00 2e 00 65 00 ....d.a.l.c...e.
0000a76: 78 00 65 00 00 00 12 00 00 00 6e 00 74 00 64 00 x.e.......n.t.d.
C:\>cdb -z foo.dmp
0:000> |
. 0 id: 548 examine name: dalc.exe
0:000>
Here is how to remove the PEB from a dump file created with .dump /marR
C:\>cdb -c ".dump /marR /u c:\foo.dmp;q" calc
0:000> cdb: Reading initial command '.dump /marR /u c:\foo.dmp;q'
Creating c:\foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp - mini user dump
Dump successfully written
quit:
C:\>ls -lh foo*
-rw-rw-rw- 1 Admin 0 14M 2014-03-22 13:38 foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
C:\>cdb -c "!peb;q" -z foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
0:000> cdb: Reading initial command '!peb;q'
PEB at 7ffde000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 01000000
Ldr 001a1ea0
C:\>dumpchk foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp | grep -i peb
Loading dump file foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
PEB at 7ffde000
C:\>dumpchk foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp | grep -i 7ffde000
Loading dump file foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
62 00DA7ACE 7ffde000 00001000
PEB at 7ffde000
C:\>xxd -s 0xda7ace -l 0x10 -g 1 foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
0da7ace: 00 00 01 00 ff ff ff ff 00 00 00 01 a0 1e 1a 00 ................
C:\> filled 0x1000 bytes with 0 with hxd (select block -> fill)
C:\>xxd -s 0xda7ace -l 0x10 -g 1 foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
0da7ace: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
C:\>cdb -c "!peb;q" -z foo_0fa4_2014-03-22_13-38-25-062_00a0.dmp
0:000> cdb: Reading initial command '!peb;q'
PEB at 7ffde000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 00000000
Ldr 00000000
*** unable to read Ldr table at 00000000
SubSystemData: 00000000
ProcessHeap: 00000000
ProcessParameters: 00000000
*** unable to read process parameters
quit:
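The hex-editing walk described in the answer (header -> stream directory -> ModuleListStream -> _MINIDUMP_MODULE -> MINIDUMP_STRING) can be scripted so the module names are located and patched programmatically instead of by hand. The following Python is an added example, not code from the question or the answer. It builds a constructed, minimal minidump in memory (only a ModuleListStream, with the same "calc.exe" / "ntdll.dll" names and UTF-16 lengths 0x10 / 0x12 seen in the xxd output above), walks it using the documented structure sizes (32-byte MINIDUMP_HEADER, 12-byte MINIDUMP_DIRECTORY, 108-byte MINIDUMP_MODULE), and renames a module in place. Like the hxd patch in the answer it only overwrites the name bytes, so a replacement must have the same UTF-16 length; growing a name would require rewriting every RVA that follows, which this example deliberately refuses to do. The module base addresses and the header version value are constructed sample values.

```python
import struct

MDMP_SIGNATURE = b"MDMP"
MODULE_LIST_STREAM = 4  # ModuleListStream in dbghelp.h

# MINIDUMP_HEADER: Signature, Version, NumberOfStreams, StreamDirectoryRva,
# CheckSum, TimeDateStamp, Flags (ULONG64)                       -> 32 bytes
HEADER_FMT = "<4sIIIIIQ"
# MINIDUMP_DIRECTORY: StreamType, Location.DataSize, Location.Rva -> 12 bytes
DIRECTORY_FMT = "<III"
# MINIDUMP_MODULE: BaseOfImage, SizeOfImage, CheckSum, TimeDateStamp,
# ModuleNameRva, VersionInfo (VS_FIXEDFILEINFO, 52 bytes), CvRecord,
# MiscRecord, Reserved0, Reserved1                               -> 108 bytes
MODULE_FMT = "<QIIII52sQQQQ"


def _mdstring(name: str) -> bytes:
    """MINIDUMP_STRING: ULONG32 byte length, UTF-16LE buffer, NUL terminator."""
    data = name.encode("utf-16-le")
    return struct.pack("<I", len(data)) + data + b"\x00\x00"


def build_sample_dump() -> bytes:
    """Constructed sample: a minidump carrying only a ModuleListStream."""
    names = ["calc.exe", "ntdll.dll"]
    dir_rva = struct.calcsize(HEADER_FMT)                       # directory right after header
    list_rva = dir_rva + struct.calcsize(DIRECTORY_FMT)         # one directory entry
    list_size = 4 + len(names) * struct.calcsize(MODULE_FMT)    # NumberOfModules + modules
    strings_rva = list_rva + list_size
    strings, name_rvas = b"", []
    for n in names:
        name_rvas.append(strings_rva + len(strings))
        strings += _mdstring(n)
    modules = struct.pack("<I", len(names))
    for i, rva in enumerate(name_rvas):
        modules += struct.pack(MODULE_FMT, 0x01000000 + i * 0x100000, 0x1F000,
                               0, 0, rva, b"\x00" * 52, 0, 0, 0, 0)
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, 1, dir_rva, 0, 0, 0)
    directory = struct.pack(DIRECTORY_FMT, MODULE_LIST_STREAM, list_size, list_rva)
    return header + directory + modules + strings


def find_stream(dump: bytes, stream_type: int):
    """Return (rva, size) of a stream from the directory, like dumpchk lists it."""
    sig, _ver, nstreams, dir_rva, *_ = struct.unpack_from(HEADER_FMT, dump, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump (bad signature)")
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, dump, dir_rva + i * 12)
        if stype == stream_type:
            return rva, size
    raise KeyError(f"stream type {stream_type} not present")


def read_mdstring(dump: bytes, rva: int) -> str:
    (length,) = struct.unpack_from("<I", dump, rva)
    return dump[rva + 4: rva + 4 + length].decode("utf-16-le")


def list_modules(dump: bytes):
    """Walk _MINIDUMP_MODULE_LIST: skip the count dword, step sizeof(_MINIDUMP_MODULE)."""
    rva, _size = find_stream(dump, MODULE_LIST_STREAM)
    (count,) = struct.unpack_from("<I", dump, rva)
    msize = struct.calcsize(MODULE_FMT)
    out = []
    for i in range(count):
        base, size_of_image, _cs, _ts, name_rva, *_ = struct.unpack_from(
            MODULE_FMT, dump, rva + 4 + i * msize)
        out.append((base, size_of_image, name_rva, read_mdstring(dump, name_rva)))
    return out


def rename_modules(dump: bytes, mapping: dict) -> bytes:
    """Overwrite module name bytes in place; names not in `mapping` are left alone."""
    buf = bytearray(dump)
    for _base, _size, name_rva, name in list_modules(dump):
        new = mapping.get(name)
        if new is None:
            continue
        old_b, new_b = name.encode("utf-16-le"), new.encode("utf-16-le")
        if len(new_b) != len(old_b):
            raise ValueError(f"{name!r}: replacement must be {len(old_b)} UTF-16 bytes, "
                             "in-place patching cannot move the strings that follow")
        buf[name_rva + 4: name_rva + 4 + len(old_b)] = new_b
    return bytes(buf)


if __name__ == "__main__":
    dump = build_sample_dump()
    for base, size, rva, name in list_modules(dump):
        print(f"{base:016x} {size:08x} name@{rva:#x} {name}")
    patched = rename_modules(dump, {"calc.exe": "dalc.exe"})   # keep ntdll.dll untouched
    print([m[3] for m in list_modules(patched)])
```

On a real dump, replace build_sample_dump() with the file contents (open(path, "rb").read()), and choose a mapping that skips system modules; the same find_stream lookup gives the RVA of any other stream type the answer mentions, such as the one that carries the memory ranges it zeroes for the PEB.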