看完了API级别的基本用法,现在来看OllyDbg内部对应的实现吧!这样可以和第二章作对照。这里只进行简单分析,即贴出反汇编及还原出的C语言源码;如对逆向分析感兴趣,请关注我的书。以下各节与第二章的各节一一对应,实为深入底层的研究。
深入分析OllyDbg加载插件过程
ODBG_Plugindata ODBG_Plugininit ODBG_Pluginmenu
加载插件是在OllyDbg启动后、加载被调试程序之前完成的,因此需要用OllyDbg调试OllyDbg自身。文档中说OllyDbg先检查_ODBG_Plugindata,那么下断点bp Kernel32.GetProcAddress,[esp+8]=="_ODBG_Plugindata",会发现断在以地址0x00496658开始的函数中(地址以本文所用的OllyDbg 1.10为准,不同版本的地址会不同)。查看其反汇编代码,先进行总体分析,发现有多处调用GetProcAddress,初步判断为加载插件的模块,命名为LoadPlugins(下面列表中的交叉引用注释也使用这个名字),反汇编代码如下:
; ---------------------------------------------------------------------------
; LoadPlugins  (OllyDbg 1.10, .text:00496658-00496B4A) -- annotated IDA listing
; What the code below does: builds "<plugindir>\*.dll", enumerates the matches,
; LoadLibraryA's every match except psapi/dbghelp, asks the module for
; _ODBG_Plugindata / _ODBG_Plugininit, stores an accepted plugin in a table at
; unk_4F0AB4 (258h bytes per entry) and appends it to a "Plugins" menu.
; Returns in eax the plugin count (dword_4F55B4), or 0 on an early exit.
; Calls are cdecl: the caller pops the arguments (pop ecx / add esp, n).  The
; runtime names (j___fnsplit, _stricmp) suggest a Borland C toolchain.
; Register roles inside the per-file loop: esi = module handle that still has
; to be FreeLibrary'd (0 once the plugin is accepted); ebp = base of the string
; literal table ("*.dll", "psapi", "dbghelp", export names, formats); ebx =
; current table entry; edi = scratch / ODBG_Plugininit / popup menu handle.
; Security notes grounded in this listing:
;  * LoadLibraryA (00496812) runs before any export is checked, so DllMain of
;    every DLL in the plugin directory executes, valid plugin or not.
;  * dword_4F55B4 is used as the table index (0049689C) without being compared
;    against the table size: memset clears 4B00h bytes = 32 entries of 258h,
;    and 4F0AB4h + 4B00h = 4F55B4h, i.e. the table ends exactly at the counter.
;    No bound check is visible here; whether one exists elsewhere is not shown.
; ---------------------------------------------------------------------------
.text:00496658 push ebx ; save callee-saved registers
.text:00496659 push esi
.text:0049665A push edi
.text:0049665B push ebp
.text:0049665C add esp, 0FFFFF004h ; = sub esp, 0FFCh (first part of the frame)
.text:00496662 mov ebp, offset alldll ; "*.dll" -- ebp = base of the literal table; the other strings sit at fixed offsets from it
.text:00496667 push eax ; touches the newly reserved page (stack probe); value unused
.text:00496668 add esp, 0FFFFFBB0h ; = sub esp, 450h -> frame is 1450h bytes (1460h with the 4 pushes)
.text:0049666E push 4B00h ; n = 32 entries * 258h bytes
.text:00496673 push 0 ; c
.text:00496675 push offset unk_4F0AB4 ; s = plugin table
.text:0049667A call _memset ; memset(plugintable, 0, 4B00h)
.text:0049667F xor eax, eax
.text:00496681 add esp, 0Ch ; cdecl: drop the 3 args
.text:00496684 mov dword_4F55B4, eax ; pluginnum = 0
.text:00496689 xor eax, eax ; inline strcpy(pluginpath, plugindir): scan for the NUL ...
.text:0049668B or ecx, 0FFFFFFFFh
.text:0049668E mov edi, offset aCUsersLichaoDe ; plugin directory string (content garbled in this dump; IDA's name suggests a path under a user profile, i.e. the configured plugin path)
.text:00496693 repne scasb
.text:00496695 not ecx ; ecx = strlen + 1 (NUL included)
.text:00496697 sub edi, ecx ; edi back to the start of the source
.text:00496699 lea esi, [esp+1460h+pluginpath]
.text:004966A0 xchg esi, edi ; esi = source, edi = pluginpath
.text:004966A2 mov edx, ecx
.text:004966A4 mov eax, edi ; (dead: overwritten at 004966A9)
.text:004966A6 shr ecx, 2
.text:004966A9 lea eax, [esp+1460h+pluginpath]
.text:004966B0 rep movsd ; ... copy whole dwords
.text:004966B2 mov ecx, edx
.text:004966B4 and ecx, 3
.text:004966B7 rep movsb ; ... and the 0-3 trailing bytes
.text:004966B9 push eax ; s
.text:004966BA call _strlen
.text:004966BF pop ecx
.text:004966C0 mov edi, eax ; edi = strlen(pluginpath)
.text:004966C2 test edi, edi
.text:004966C4 jle short loc_4966DD ; empty directory string: nothing to terminate
.text:004966C6 xor eax, eax
.text:004966C8 mov al, [esp+edi+1460h+var_355] ; presumably pluginpath[len-1] (var_355 = pluginpath - 1)
.text:004966CF cmp eax, 5Ch ; '\'
.text:004966D2 jz short loc_4966DD
.text:004966D4 mov [esp+edi+1460h+pluginpath], 5Ch ; no trailing '\': append one
.text:004966DC inc edi
.text:004966DD
.text:004966DDloc_4966DD: ;CODE XREF: LoadPlugins+6Cj
.text:004966DD ;LoadPlugins+7Aj
.text:004966DD lea edx, [esp+1460h+pluginpath]
.text:004966E4 mov esi, ebp ; esi = "*.dll"
.text:004966E6 add edi, edx ; edi = &pluginpath[len]
.text:004966E8 push edi
.text:004966E9 mov eax, edi
.text:004966EB movsd ; copy the 6 bytes "*.dll\0" (4 + 2)
.text:004966EC movsw
.text:004966EE pop edi
.text:004966EF lea edx, [esp+1460h+FindFileData]
.text:004966F6 push edx ; lpFindFileData
.text:004966F7 lea ecx, [esp+1464h+pluginpath]
.text:004966FE push ecx ; lpFileName = "<plugindir>\*.dll"
.text:004966FF call FindFirstFileA
.text:00496704 mov [esp+1460h+hFindFile], eax
.text:00496708 cmp [esp+1460h+hFindFile], 0FFFFFFFFh ; INVALID_HANDLE_VALUE
.text:0049670D jnz short loc_496716
.text:0049670F xor eax, eax ; no DLL at all: return 0
.text:00496711 jmp loc_496B40
.text:00496716; ---------------------------------------------------------------------------
.text:00496716
.text:00496716loc_496716: ; CODE XREF: LoadPlugins+B5j
.text:00496716 call CreateMenu ; the "Plugins" popup that gets one item per plugin
.text:0049671B mov [esp+1460h+uIDNewItem], eax ; (IDA's name; this slot holds the plugin menu handle)
.text:0049671F cmp [esp+1460h+uIDNewItem], 0
.text:00496724 jnz short loc_49672D
.text:00496726 xor eax, eax ; CreateMenu failed: return 0 (hFindFile is not closed on this path)
.text:00496728 jmp loc_496B40
.text:0049672D; ---------------------------------------------------------------------------
.text:0049672D
.text:0049672Dloc_49672D: ;CODE XREF: LoadPlugins+CCj
.text:0049672D ;LoadPlugins+499j
.text:0049672D xor esi, esi ; ---- per-file loop ---- esi = module to FreeLibrary at loc_496AD3 (0 = none)
.text:0049672F push 0 ; ext
.text:00496731 lea eax, [esp+1464h+arglist]
.text:00496738 push eax ; name -> arglist
.text:00496739 push 0 ; dir
.text:0049673B push 0 ; drive
.text:0049673D lea edx, [esp+1470h+FindFileData.cFileName]
.text:00496744 push edx ; path
.text:00496745 call j___fnsplit ; fnsplit(cFileName, NULL, NULL, name, NULL): file name without extension
.text:0049674A add esp, 14h
.text:0049674D lea ecx, [ebp+6] ; "psapi" (follows "*.dll\0" in the literal table)
.text:00496750 push ecx ; s2
.text:00496751 lea eax, [esp+1464h+arglist]
.text:00496758 push eax ; s1
.text:00496759 call _stricmp
.text:0049675E add esp, 8
.text:00496761 test eax, eax
.text:00496763 jz loc_496AD3 ; psapi.dll: skip (esi = 0, nothing to free)
.text:00496769 lea edx, [ebp+0Ch] ; "dbghelp"
.text:0049676C push edx ; s2
.text:0049676D lea ecx, [esp+1464h+arglist]
.text:00496774 push ecx ; s1
.text:00496775 call _stricmp
.text:0049677A add esp, 8
.text:0049677D test eax, eax
.text:0049677F jz loc_496AD3 ; dbghelp.dll: skip
.text:00496785 xor eax, eax ; inline strcpy(pluginpath, plugindir) again (same sequence as at 00496689)
.text:00496787 or ecx, 0FFFFFFFFh
.text:0049678A mov edi, offset aCUsersLichaoDe ; plugin directory string (garbled in this dump, see 0049668E)
.text:0049678F lea esi, [esp+1460h+pluginpath]
.text:00496796 repne scasb
.text:00496798 not ecx
.text:0049679A sub edi, ecx
.text:0049679C mov edx, ecx
.text:0049679E xchg esi, edi
.text:004967A0 shr ecx, 2
.text:004967A3 mov eax, edi
.text:004967A5 rep movsd
.text:004967A7 mov ecx, edx
.text:004967A9 lea eax, [esp+1460h+pluginpath]
.text:004967B0 and ecx, 3
.text:004967B3 rep movsb
.text:004967B5 push eax ; s
.text:004967B6 call _strlen
.text:004967BB pop ecx
.text:004967BC mov edi, eax ; edi = strlen(pluginpath)
.text:004967BE test edi, edi
.text:004967C0 jle short loc_4967D9
.text:004967C2 xor eax, eax
.text:004967C4 mov al, [esp+edi+1460h+var_355] ; pluginpath[len-1] (see 004966C8)
.text:004967CB cmp eax, 5Ch
.text:004967CE jz short loc_4967D9
.text:004967D0 mov [esp+edi+1460h+pluginpath], 5Ch ; append '\'
.text:004967D8 inc edi
.text:004967D9
.text:004967D9loc_4967D9: ;CODE XREF: LoadPlugins+168j
.text:004967D9 ;LoadPlugins+176j
.text:004967D9 lea edx, [esp+1460h+pluginpath]
.text:004967E0 xor eax, eax ; inline strcat: copy cFileName to &pluginpath[len]
.text:004967E2 add edi, edx
.text:004967E4 or ecx, 0FFFFFFFFh
.text:004967E7 push edi ; save the destination (restored at 00496809, not used afterwards)
.text:004967E8 mov esi, edi
.text:004967EA lea edi, [esp+1464h+FindFileData.cFileName]
.text:004967F1 repne scasb ; ecx = strlen(cFileName) + 1
.text:004967F3 not ecx
.text:004967F5 sub edi, ecx
.text:004967F7 mov edx, ecx
.text:004967F9 xchg esi, edi ; esi = cFileName, edi = &pluginpath[len]
.text:004967FB shr ecx, 2
.text:004967FE mov eax, edi
.text:00496800 rep movsd
.text:00496802 mov ecx, edx
.text:00496804 and ecx, 3
.text:00496807 rep movsb
.text:00496809 pop edi
.text:0049680A lea eax, [esp+1460h+pluginpath]
.text:00496811 push eax ; lpLibFileName = "<plugindir>\<name>.dll"
.text:00496812 call LoadLibraryA ; SECURITY: the DLL's DllMain runs here, before any export is checked
.text:00496817 mov esi, eax ; esi = hmod (freed at loc_496AD3 unless the plugin is accepted)
.text:00496819 test esi, esi
.text:0049681B jz loc_496AD3 ; load failed: next file
.text:00496821 lea eax, [ebp+14h] ; "_ODBG_Plugindata"
.text:00496824 push eax ; lpProcName
.text:00496825 push esi ; hModule
.text:00496826 call GetProcAddress
.text:0049682B mov ebx, eax ; ebx = ODBG_Plugindata
.text:0049682D lea eax, [ebp+25h] ; "_ODBG_Plugininit"
.text:00496830 push eax ; lpProcName
.text:00496831 push esi ; hModule
.text:00496832 call GetProcAddress
.text:00496837 mov edi, eax ; edi = ODBG_Plugininit
.text:00496839 test ebx, ebx
.text:0049683B jz loc_496AD3 ; not a plugin: unload (its DllMain has already run)
.text:00496841 test edi, edi
.text:00496843 jz loc_496AD3
.text:00496849 mov [esp+1460h+src], 0 ; src = stack buffer the plugin writes its short name into (IDA's name); first byte cleared
.text:0049684E lea eax, [esp+1460h+src]
.text:00496852 push eax
.text:00496853 call ebx ; version = ODBG_Plugindata(src)
.text:00496855 pop ecx
.text:00496856 mov ecx, eax ; ecx = version, encoded as 100*major + minor
.text:00496858 cmp ecx, 6Ah ; 106
.text:0049685B jl short loc_496869 ; version < 1.06: reject
.text:0049685D cmp ecx, 6Eh ; 110
.text:00496860 jg short loc_496869 ; version > 1.10: reject
.text:00496862 cmp [esp+1460h+src], 0 ; short name must be non-empty
.text:00496867 jnz short loc_49689C
.text:00496869
.text:00496869loc_496869: ;CODE XREF: LoadPlugins+203j
.text:00496869 ;LoadPlugins+208j
.text:00496869 mov eax, ecx ; rejected: log "... has invalid version (%i.%02i)" (format at ebp+36h)
.text:0049686B mov ebx, 64h
.text:00496870 cdq
.text:00496871 idiv ebx ; edx = version % 100
.text:00496873 push edx
.text:00496874 mov eax, ecx
.text:00496876 mov ecx, 64h
.text:0049687B cdq
.text:0049687C idiv ecx ; eax = version / 100
.text:0049687E push eax
.text:0049687F lea eax, [esp+1468h+arglist]
.text:00496886 push eax ; arglist = file name without extension
.text:00496887 lea edx, [ebp+36h]
.text:0049688A push edx ; format
.text:0049688B push 0 ; highlight
.text:0049688D push 0 ; addr
.text:0049688F call _Addtolist ; Addtolist(0, 0, fmt, name, major, minor)
.text:00496894 add esp, 18h
.text:00496897 jmp loc_496AD3 ; esi != 0 -> FreeLibrary
.text:0049689C; ---------------------------------------------------------------------------
.text:0049689C
.text:0049689Cloc_49689C: ;CODE XREF: LoadPlugins+20Fj
.text:0049689C mov ebx, dword_4F55B4 ; accepted so far: ebx = &plugintable[pluginnum] ...
.text:004968A2 shl ebx, 3 ; * 8
.text:004968A5 lea ebx, [ebx+ebx*2] ; * 3 (= 24)
.text:004968A8 lea ebx,[ebx+ebx*4] ; * 5 (= 120)
.text:004968AB lea ebx, [ebx+ebx*4] ; * 5 (= 600 = 258h bytes per entry)
.text:004968AE add ebx, offset unk_4F0AB4 ; ... no pluginnum < 32 comparison is visible before this index
.text:004968B4 mov [ebx], esi ; entry+0: module handle
.text:004968B6 lea eax, [ebx+4] ; entry+4: DLL file name (104h bytes)
.text:004968B9 push esi ; save hmod and ODBG_Plugininit around the string ops
.text:004968BA mov esi, eax
.text:004968BC push edi
.text:004968BD xor eax, eax ; inline strcpy(entry->dllname, cFileName)
.text:004968BF lea edi, [esp+1468h+FindFileData.cFileName]
.text:004968C6 or ecx, 0FFFFFFFFh
.text:004968C9 repne scasb
.text:004968CB not ecx
.text:004968CD sub edi, ecx
.text:004968CF mov edx, ecx
.text:004968D1 xchg esi, edi
.text:004968D3 shr ecx, 2
.text:004968D6 mov eax, edi
.text:004968D8 rep movsd
.text:004968DA mov ecx, edx
.text:004968DC lea edx, [ebx+108h] ; entry+108h: plugin short name (32 bytes)
.text:004968E2 and ecx, 3
.text:004968E5 rep movsb
.text:004968E7 pop edi
.text:004968E8 pop esi
.text:004968E9 push 1Fh ; maxlen = 31
.text:004968EB lea eax, [esp+1464h+src]
.text:004968EF push eax ; src
.text:004968F0 push edx ; dest
.text:004968F1 call _strncpy ; strncpy(entry->name, src, 31)
.text:004968F6 add esp, 0Ch
.text:004968F9 lea ecx, [ebp+60h] ; "_ODBG_Pluginaction"
.text:004968FC mov byte ptr [ebx+127h], 0 ; name[31] = 0: always NUL-terminated
.text:00496903 push ecx ; lpProcName
.text:00496904 push esi ; hModule
.text:00496905 call GetProcAddress
.text:0049690A mov [ebx+238h], eax ; entry+238h: ODBG_Pluginaction (used by CallEveryaction)
.text:00496910 lea eax, [ebp+73h] ; "_ODBG_Pluginmainloop"
.text:00496913 push eax ; lpProcName
.text:00496914 push esi ; hModule
.text:00496915 call GetProcAddress
.text:0049691A mov [ebx+230h], eax ; entry+230h: ODBG_Pluginmainloop (used by CallEverymainloop)
.text:00496920 lea edx, [ebp+88h] ; "_ODBG_Pluginmenu"
.text:00496926 push edx ; lpProcName
.text:00496927 push esi ; hModule
.text:00496928 call GetProcAddress
.text:0049692D mov [ebx+234h], eax ; entry+234h: ODBG_Pluginmenu
.text:00496933 lea ecx, [ebp+99h] ; "_ODBG_Pluginshortcut"
.text:00496939 push ecx ; lpProcName
.text:0049693A push esi ; hModule
.text:0049693B call GetProcAddress
.text:00496940 mov [ebx+23Ch], eax ; entry+23Ch: ODBG_Pluginshortcut (used by CallEveryshortcut)
.text:00496946 lea eax, [ebp+0AEh] ; "_ODBG_Pluginsaveudd"
.text:0049694C push eax ; lpProcName
.text:0049694D push esi ; hModule
.text:0049694E call GetProcAddress
.text:00496953 mov [ebx+240h], eax ; entry+240h: ODBG_Pluginsaveudd
.text:00496959 lea edx, [ebp+0C2h] ; "_ODBG_Pluginuddrecord"
.text:0049695F push edx ; lpProcName
.text:00496960 push esi ; hModule
.text:00496961 call GetProcAddress
.text:00496966 mov [ebx+244h], eax ; entry+244h: ODBG_Pluginuddrecord
.text:0049696C lea ecx, [ebp+0D8h] ; "_ODBG_Pluginreset"
.text:00496972 push ecx ; lpProcName
.text:00496973 push esi ; hModule
.text:00496974 call GetProcAddress
.text:00496979 mov [ebx+248h], eax ; entry+248h: ODBG_Pluginreset
.text:0049697F lea eax, [ebp+0EAh] ; "_ODBG_Paused"
.text:00496985 push eax ; lpProcName
.text:00496986 push esi ; hModule
.text:00496987 call GetProcAddress
.text:0049698C mov [ebx+24Ch], eax ; entry+24Ch: ODBG_Paused
.text:00496992 lea edx, [ebp+0F7h] ; "_ODBG_Pausedex"
.text:00496998 push edx ; lpProcName
.text:00496999 push esi ; hModule
.text:0049699A call GetProcAddress
.text:0049699F mov [ebx+250h], eax ; entry+250h: ODBG_Pausedex
.text:004969A5 lea ecx, [ebp+106h] ; "_ODBG_Plugincmd"
.text:004969AB push ecx ; lpProcName
.text:004969AC push esi ; hModule
.text:004969AD call GetProcAddress
.text:004969B2 mov [ebx+254h], eax ; entry+254h: ODBG_Plugincmd
.text:004969B8 xor eax, eax
.text:004969BA mov [esp+1460h+var_1460], eax ; features = 0 (the dword at [esp])
.text:004969BD push esp ; &features
.text:004969BE mov edx, hwmain
.text:004969C4 push edx ; main window
.text:004969C5 push 6Eh ; 110 = OllyDbg version
.text:004969C7 call edi ; ret = ODBG_Plugininit(110, hwmain, &features)
.text:004969C9 add esp, 0Ch
.text:004969CC mov edi, eax
.text:004969CE test edi, edi
.text:004969D0 jz short loc_4969F3 ; 0 = success
.text:004969D2 push edi ; init failed: log "... failed to initialize (code %i)" (format at ebp+116h)
.text:004969D3 lea ecx, [esp+1464h+arglist]
.text:004969DA push ecx ; arglist
.text:004969DB lea eax, [ebp+116h]
.text:004969E1 push eax ; format
.text:004969E2 push 0 ; highlight
.text:004969E4 push 0 ; addr
.text:004969E6 call _Addtolist
.text:004969EB add esp, 14h
.text:004969EE jmp loc_496AD3 ; FreeLibrary; the filled entry is left in place but pluginnum is not advanced, so the next plugin overwrites it
.text:004969F3; ---------------------------------------------------------------------------
.text:004969F3
.text:004969F3loc_4969F3: ;CODE XREF: LoadPlugins+378j
.text:004969F3 mov esi, dword_4F55B4 ; esi = pluginnum * 64 + 0E000h = first menu command id of this plugin
.text:004969F9 shl esi, 6
.text:004969FC add esi, 0E000h
.text:00496A02 mov [esp+1460h+src], 0 ; src reused as the ODBG_Pluginmenu data buffer
.text:00496A07 cmp dword ptr [ebx+234h], 0 ; has ODBG_Pluginmenu?
.text:00496A0E jz short loc_496A2D
.text:00496A10 push 0 ; item = NULL
.text:00496A12 lea eax, [esp+1464h+src]
.text:00496A16 push eax ; data
.text:00496A17 push 0 ; origin = PM_MAIN
.text:00496A19 call dword ptr [ebx+234h] ; ODBG_Pluginmenu(PM_MAIN, src, NULL)
.text:00496A1F add esp, 0Ch
.text:00496A22 test eax, eax
.text:00496A24 jz short loc_496A2D ; returned 0: plain item, no submenu
.text:00496A26 cmp [esp+1460h+src], 0
.text:00496A2B jnz short loc_496A31 ; non-empty menu string: build a popup
.text:00496A2D
.text:00496A2Dloc_496A2D: ;CODE XREF: LoadPlugins+3B6j
.text:00496A2D ;LoadPlugins+3CCj
.text:00496A2D xor edi, edi ; edi = popup menu handle (0 = plain item)
.text:00496A2F jmp short loc_496A38
.text:00496A31; ---------------------------------------------------------------------------
.text:00496A31
.text:00496A31loc_496A31: ;CODE XREF: LoadPlugins+3D3j
.text:00496A31 call CreateMenu
.text:00496A36 mov edi, eax
.text:00496A38
.text:00496A38loc_496A38: ;CODE XREF: LoadPlugins+3D7j
.text:00496A38 test edi, edi
.text:00496A3A jz short loc_496A52
.text:00496A3C lea eax, [esp+1460h+src]
.text:00496A40 mov dword_4F55BC, eax ; global pointer to the menu string, read by sub_496260
.text:00496A45 push 1 ; int
.text:00496A47 push esi ; int = command id base
.text:00496A48 push ebx ; int = plugin table entry
.text:00496A49 push edi ; hMenu = popup
.text:00496A4A call sub_496260 ; builds the popup from the menu string (CreateSubMenu in the C below)
.text:00496A4F add esp,10h
.text:00496A52
.text:00496A52loc_496A52: ;CODE XREF: LoadPlugins+3E2j
.text:00496A52 mov ecx, dword_4F55B4
.text:00496A58 cmp ecx, 0Ah
.text:00496A5B jge short loc_496A86 ; plugins 0..9 get an accelerator digit, later ones don't
.text:00496A5D add ebx, 108h ; ebx = entry->name from here on (no longer the entry base)
.text:00496A63 push ebx
.text:00496A64 mov eax, ecx
.text:00496A66 inc eax
.text:00496A67 mov ecx, 0Ah
.text:00496A6C cdq
.text:00496A6D idiv ecx
.text:00496A6F push edx ; (pluginnum + 1) % 10
.text:00496A70 lea eax, [ebp+141h] ; format; from the literal spacing (141h..147h, "Plugins" at 148h) presumably "&%i %s"
.text:00496A76 push eax ; format
.text:00496A77 lea edx, [esp+146Ch+src]
.text:00496A7B push edx ; buffer
.text:00496A7C call _sprintf ; src = "&<digit> <name>"
.text:00496A81 add esp, 10h
.text:00496A84 jmp short loc_496AA1
.text:00496A86; ---------------------------------------------------------------------------
.text:00496A86
.text:00496A86loc_496A86: ;CODE XREF: LoadPlugins+403j
.text:00496A86 add ebx, 108h ; ebx = entry->name
.text:00496A8C push ebx
.text:00496A8D lea eax, [ebp+145h] ; format "%s" (tail of the literal above)
.text:00496A93 push eax ; format
.text:00496A94 lea edx, [esp+1468h+src]
.text:00496A98 push edx ; buffer
.text:00496A99 call _sprintf
.text:00496A9E add esp, 0Ch
.text:00496AA1
.text:00496AA1loc_496AA1: ;CODE XREF: LoadPlugins+42Cj
.text:00496AA1 test edi, edi
.text:00496AA3 jnz short loc_496AB9
.text:00496AA5 lea ecx, [esp+1460h+src]
.text:00496AA9 push ecx ; lpNewItem = label
.text:00496AAA push esi ; uIDNewItem = command id base (plain item)
.text:00496AAB push 0 ; uFlags
.text:00496AAD mov eax, [esp+146Ch+uIDNewItem]
.text:00496AB1 push eax ; hMenu = plugin menu
.text:00496AB2 call AppendMenuA
.text:00496AB7 jmp short loc_496ACB
.text:00496AB9; ---------------------------------------------------------------------------
.text:00496AB9
.text:00496AB9loc_496AB9: ;CODE XREF: LoadPlugins+44Bj
.text:00496AB9 lea edx, [esp+1460h+src]
.text:00496ABD push edx ; lpNewItem = label
.text:00496ABE push edi ; uIDNewItem = popup handle
.text:00496ABF push 10h ; uFlags = MF_POPUP
.text:00496AC1 mov ecx, [esp+146Ch+uIDNewItem]
.text:00496AC5 push ecx ; hMenu = plugin menu
.text:00496AC6 call AppendMenuA
.text:00496ACB
.text:00496ACBloc_496ACB: ;CODE XREF: LoadPlugins+45Fj
.text:00496ACB inc dword_4F55B4 ; pluginnum++
.text:00496AD1 xor esi, esi ; accepted: keep the module loaded
.text:00496AD3
.text:00496AD3loc_496AD3: ;CODE XREF: LoadPlugins+10Bj
.text:00496AD3 ; LoadPlugins+127j ...
.text:00496AD3 test esi, esi ; ---- loop tail ----
.text:00496AD5 jz short loc_496ADD
.text:00496AD7 push esi ; hLibModule
.text:00496AD8 call FreeLibrary ; rejected module: unload
.text:00496ADD
.text:00496ADDloc_496ADD: ;CODE XREF: LoadPlugins+47Dj
.text:00496ADD lea eax, [esp+1460h+FindFileData]
.text:00496AE4 push eax ; lpFindFileData
.text:00496AE5 mov edx, [esp+1464h+hFindFile]
.text:00496AE9 push edx ; hFindFile
.text:00496AEA call FindNextFileA
.text:00496AEF test eax, eax
.text:00496AF1 jnz loc_49672D ; next *.dll
.text:00496AF7 cmp dword_4F55B4, 0
.text:00496AFE jle short loc_496B31 ; nothing loaded: no "Plugins" menu (the CreateMenu handle is not destroyed)
.text:00496B00 lea ecx, [ebp+148h] ; "Plugins"
.text:00496B06 push ecx ; lpNewItem
.text:00496B07 mov eax, [esp+1464h+uIDNewItem]
.text:00496B0B push eax ; uIDNewItem = plugin menu handle
.text:00496B0C push 410h ; uFlags = MF_BYPOSITION | MF_POPUP
.text:00496B11 push 3 ; uPosition = 4th entry of the main menu bar
.text:00496B13 mov edx, hwmain
.text:00496B19 push edx ; hWnd
.text:00496B1A call GetMenu
.text:00496B1F push eax ; hMenu
.text:00496B20 call InsertMenuA
.text:00496B25 mov ecx, hwmain
.text:00496B2B push ecx ; hWnd
.text:00496B2C call DrawMenuBar
.text:00496B31
.text:00496B31loc_496B31: ;CODE XREF: LoadPlugins+4A6j
.text:00496B31 mov eax, [esp+1460h+hFindFile]
.text:00496B35 push eax ; hFindFile
.text:00496B36 call FindClose
.text:00496B3B mov eax, dword_4F55B4 ; return pluginnum
.text:00496B40
.text:00496B40loc_496B40: ;CODE XREF: LoadPlugins+B9j
.text:00496B40 ;LoadPlugins+D0j
.text:00496B40 add esp, 1450h ; release the frame
.text:00496B46 pop ebp
.text:00496B47 pop edi
.text:00496B48 pop esi
.text:00496B49 pop ebx
.text:00496B4A retn
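/*
 * C reconstruction of LoadPlugins (.text:00496658), following the listing
 * above statement by statement; offsets in comments refer to that listing.
 * Fixes against the first draft: memset() takes three arguments, the later
 * GetProcAddress() names carry the same leading underscore as the first two
 * (the literal-table spacing ebp+60h..106h only fits the "_ODBG_" names),
 * ODBG_Pluginmenu is given the same stack buffer as ODBG_Plugindata, the
 * AppendMenu() calls take the menu handle, and the path is built from the
 * configured plugin directory rather than bare "*.dll".
 */
#define MAXPLUGINS      32      /* memset(4B00h) / 258h bytes per entry         */
#define PLUGIN_ID_BASE  57344   /* 0E000h: first menu command id of plugin 0    */
#define PLUGIN_ID_SPAN  64      /* command ids reserved per plugin              */

int        pluginnum;                   /* dword_4F55B4: accepted plugin count */
PluginData plugindata[MAXPLUGINS];      /* unk_4F0AB4: 258h bytes per entry.
                                           4F0AB4h + 4B00h == 4F55B4h, so the table
                                           ends exactly at pluginnum, and LoadPlugins
                                           indexes it without a bound check. */
char      *pluginmenudata;              /* dword_4F55BC: menu string read by CreateSubMenu */
HWND       hwmain;                      /* main window */
char       plugindir[MAX_PATH];         /* aCUsersLichaoDe: configured plugin directory */

/* Returns the number of plugins loaded (0 on an early exit). */
int LoadPlugins(void)
{
    char            pluginpath[MAX_PATH];
    char            filename[256];      /* file name without extension (fnsplit) */
    char            data[4096];         /* one stack buffer (`src` in the listing) serves as
                                           short name, ODBG_Pluginmenu data and menu label;
                                           its real size is not visible -- 4096 is the
                                           plugin.h contract for ODBG_Pluginmenu, TODO confirm */
    HANDLE          hFindFile;
    WIN32_FIND_DATA FindFileData;
    HMENU           pluginmenu, popupmenu;
    HMODULE         hmod;
    PluginData     *curplugin;
    ulong           features;
    int             ret, len, pluginmenuid;
    int (*ODBG_Plugindata)(char *);
    int (*ODBG_Plugininit)(int, HWND, ulong *);

    memset(plugindata, 0, sizeof(plugindata));
    pluginnum = 0;

    /* "<plugindir>\*.dll" -- candidates are selected by file pattern only */
    strcpy(pluginpath, plugindir);
    len = strlen(pluginpath);
    if (len > 0 && pluginpath[len - 1] != '\\')
        pluginpath[len++] = '\\';
    strcpy(pluginpath + len, "*.dll");
    hFindFile = FindFirstFile(pluginpath, &FindFileData);
    if (hFindFile == INVALID_HANDLE_VALUE)
        return 0;
    pluginmenu = CreateMenu();          /* the "Plugins" popup */
    if (pluginmenu == NULL)
        return 0;                       /* (hFindFile is not closed on this path) */

    do {                                /* every *.dll in the directory */
        hmod = NULL;                    /* non-NULL at `next:` means "unload it" */
        fnsplit(FindFileData.cFileName, NULL, NULL, filename, NULL);
        if (stricmp(filename, "psapi") == 0 || stricmp(filename, "dbghelp") == 0)
            goto next;                  /* helper DLLs shipped with OllyDbg */

        /* "<plugindir>\<cFileName>" */
        strcpy(pluginpath, plugindir);
        len = strlen(pluginpath);
        if (len > 0 && pluginpath[len - 1] != '\\')
            pluginpath[len++] = '\\';
        strcpy(pluginpath + len, FindFileData.cFileName);

        /* SECURITY: DllMain of every DLL in the directory executes here,
           before the module is checked for plugin exports. */
        hmod = LoadLibrary(pluginpath);
        if (hmod == NULL)
            goto next;
        ODBG_Plugindata = (int (*)(char *))GetProcAddress(hmod, "_ODBG_Plugindata");
        ODBG_Plugininit = (int (*)(int, HWND, ulong *))GetProcAddress(hmod, "_ODBG_Plugininit");
        if (ODBG_Plugindata == NULL || ODBG_Plugininit == NULL)
            goto next;                  /* ordinary DLL: unload */

        data[0] = '\0';
        ret = ODBG_Plugindata(data);    /* plugin writes its short name, returns its API version */
        if (ret < 106 || ret > 110 || data[0] == '\0') {   /* accepted: 1.06 .. 1.10 with a name */
            Addtolist(0, 0, "Plugin '%s' has invalid version (%i.%02i)", filename, ret / 100, ret % 100);
            goto next;
        }

        curplugin = &plugindata[pluginnum];     /* no pluginnum < MAXPLUGINS check in the listing */
        curplugin->hPluginDll = hmod;
        strcpy(curplugin->DllName, FindFileData.cFileName);
        strncpy(curplugin->PluginName, data, 31);
        curplugin->PluginName[31] = '\0';
        /* optional exports; each caller NULL-checks them (see CallEvery* below) */
        curplugin->ODBG_Pluginaction    = GetProcAddress(hmod, "_ODBG_Pluginaction");     /* +238h */
        curplugin->ODBG_Pluginmainloop  = GetProcAddress(hmod, "_ODBG_Pluginmainloop");   /* +230h */
        curplugin->ODBG_Pluginmenu      = GetProcAddress(hmod, "_ODBG_Pluginmenu");       /* +234h */
        curplugin->ODBG_Pluginshortcut  = GetProcAddress(hmod, "_ODBG_Pluginshortcut");   /* +23Ch */
        curplugin->ODBG_Pluginsaveudd   = GetProcAddress(hmod, "_ODBG_Pluginsaveudd");    /* +240h */
        curplugin->ODBG_Pluginuddrecord = GetProcAddress(hmod, "_ODBG_Pluginuddrecord");  /* +244h */
        curplugin->ODBG_Pluginreset     = GetProcAddress(hmod, "_ODBG_Pluginreset");      /* +248h */
        curplugin->ODBG_Paused          = GetProcAddress(hmod, "_ODBG_Paused");           /* +24Ch */
        curplugin->ODBG_Pausedex        = GetProcAddress(hmod, "_ODBG_Pausedex");         /* +250h */
        curplugin->ODBG_Plugincmd       = GetProcAddress(hmod, "_ODBG_Plugincmd");        /* +254h */

        features = 0;
        ret = ODBG_Plugininit(110, hwmain, &features);
        if (ret != 0) {
            Addtolist(0, 0, "Plugin '%s' failed to initialize (code %i)", filename, ret);
            goto next;                  /* entry stays filled but pluginnum is not advanced: the next plugin overwrites it */
        }

        /* menu: command ids PLUGIN_ID_BASE + 64*index .. +63 belong to this plugin */
        pluginmenuid = pluginnum * PLUGIN_ID_SPAN + PLUGIN_ID_BASE;
        popupmenu = NULL;
        data[0] = '\0';
        if (curplugin->ODBG_Pluginmenu != NULL &&
            curplugin->ODBG_Pluginmenu(PM_MAIN, data, NULL) != 0 &&
            data[0] != '\0')
            popupmenu = CreateMenu();
        if (popupmenu != NULL) {
            pluginmenudata = data;      /* dword_4F55BC */
            CreateSubMenu(popupmenu, curplugin, pluginmenuid, 1);   /* sub_496260 */
        }
        /* label: plugins 0..9 get an accelerator digit; the "&%i %s" literal is
           inferred from the string-table spacing at ebp+141h / ebp+145h */
        if (pluginnum < 10)
            sprintf(data, "&%i %s", (pluginnum + 1) % 10, curplugin->PluginName);
        else
            sprintf(data, "%s", curplugin->PluginName);
        if (popupmenu != NULL)
            AppendMenu(pluginmenu, MF_POPUP, (UINT_PTR)popupmenu, data);
        else
            AppendMenu(pluginmenu, 0, pluginmenuid, data);
        pluginnum++;
        hmod = NULL;                    /* accepted: keep it loaded */
    next:
        if (hmod != NULL)
            FreeLibrary(hmod);
    } while (FindNextFile(hFindFile, &FindFileData));

    if (pluginnum > 0) {                /* (with 0 plugins the CreateMenu handle is never destroyed) */
        InsertMenu(GetMenu(hwmain), 3, MF_BYPOSITION | MF_POPUP, (UINT_PTR)pluginmenu, "Plugins");
        DrawMenuBar(hwmain);
    }
    FindClose(hFindFile);
    return pluginnum;
}

可见加载过程是:ODBG_Plugindata => ODBG_Plugininit => ODBG_Pluginmenu,同理可分析其它函数。

ODBG_Pluginmainloop

继续来看ODBG_Pluginmainloop函数,如何断在插件中该函数入口呢,在这里我利用GetProcAddress返回值,先bp Kernel32.GetProcAddress,[esp+8]=="_ODBG_Pluginmainloop",Ctrl+F9执行到返回,再单步一次即可跳出GetProcAddress函数到ollydbg函数中,此时eax为返回值为获取到的函数地址,因此bp eax可以断在ODBG_Pluginmainloop函数内,运行后程序果然断在其中:

.text:00401684 _ODBG_Pluginmainloop proc near
.text:00401684 push ebp
.text:00401685 mov ebp, esp
.text:00401687 pop ebp
.text:00401688 retn
.text:00401688 _ODBG_Pluginmainloop endp

bookmark插件中该函数毫无趣味,来看一下调用关系,经过分析,跳出后的函数可以命名为CallEverymainloop,代码如下:

.text:00496B4C push ebp
.text:00496B4D mov ebp, esp
.text:00496B4F push ebx
.text:00496B50 push esi
.text:00496B51 push edi
.text:00496B52 mov edi,[ebp+arg_0] ; edi = debugevent, passed through unchanged
.text:00496B55 xor esi, esi ; esi = plugin index
.text:00496B57 mov ebx, offset plugininfo ; ebx = &plugindata[0]
.text:00496B5C jmp short loc_496B76
.text:00496B5E ;---------------------------------------------------------------------------
.text:00496B5E
.text:00496B5Eloc_496B5E: ;CODE XREF: CallEverymainloop+30j
.text:00496B5E cmp dword ptr [ebx+230h], 0 ; entry+230h = ODBG_Pluginmainloop, optional export
.text:00496B65 jz short loc_496B6F
.text:00496B67 push edi
.text:00496B68 call dword ptr [ebx+230h] ; ODBG_Pluginmainloop(debugevent)
.text:00496B6E pop ecx
.text:00496B6F
.text:00496B6Floc_496B6F: ;CODE XREF: CallEverymainloop+19j
.text:00496B6F inc esi
.text:00496B70 add ebx, 258h ; next table entry
.text:00496B76
.text:00496B76loc_496B76: ;CODE XREF: CallEverymainloop+10j
.text:00496B76 cmp esi, pluginnum
.text:00496B7C jl short loc_496B5E
.text:00496B7E pop edi
.text:00496B7F pop esi
.text:00496B80 pop ebx
.text:00496B81 pop ebp
.text:00496B82 retn

/* Hands the current debug event (or NULL, see the WinMain fragment below) to
   every plugin that exports ODBG_Pluginmainloop, in load order. */
void CallEverymainloop(DEBUG_EVENT *debugevent)
{
    for (int i = 0; i < pluginnum; i++) {
        if (plugindata[i].ODBG_Pluginmainloop != NULL)   /* [ebx+230h] */
            plugindata[i].ODBG_Pluginmainloop(debugevent);
    }
}

继续跳出后发现即是主函数WinMain且处于消息循环代码中(如果使用IDA查看调用关系,会发现Suspendprocess和Injectcode函数中均调用了该函数。这里不做详解),分析后得到:

if (procstatus != STAT_RUNNING) {
    CallEverymainloop(NULL);
    Sleep(1);
}

ODBG_Pluginaction

同理,ODBG_Pluginaction函数的调用函数可以得到:

.text:004965E4 push ebp
.text:004965E5 mov ebp, esp
.text:004965E7 push ebx
.text:004965E8 push esi
.text:004965E9 mov edx, [ebp+arg_4] ; edx = resourceid (menu command id)
.text:004965EC cmp edx, 0E000h ; ids below PLUGIN_ID_BASE are not plugin commands
.text:004965F2 jge short loc_4965F8
.text:004965F4 xor eax, eax
.text:004965F6 jmp short loc_496653
.text:004965F8 ;---------------------------------------------------------------------------
.text:004965F8
.text:004965F8loc_4965F8: ; CODE XREF: CallEveryaction+Ej
.text:004965F8 lea eax, [edx-0E000h]
.text:004965FE test eax, eax
.text:00496600 jns short loc_496605
.text:00496602 add eax, 3Fh ; compiler idiom for signed /64 (never taken: eax >= 0 here)
.text:00496605
.text:00496605loc_496605: ;CODE XREF: CallEveryaction+1Cj
.text:00496605 sar eax, 6 ; eax = (resourceid - 0E000h) / 64 = plugin index
.text:00496608 cmp eax, pluginnum
.text:0049660E jl short loc_496614
.text:00496610 xor eax, eax ; index past the loaded plugins: ignore
.text:00496612 jmp short loc_496653
.text:00496614 ;---------------------------------------------------------------------------
.text:00496614
.text:00496614loc_496614: ;CODE XREF: CallEveryaction+2Aj
.text:00496614 mov esi, eax ; esi*8 = index * 258h (15 * 5 * 8 = 600)
.text:00496616 shl esi, 4
.text:00496619 sub esi, eax
.text:0049661B lea esi, [esi+esi*4]
.text:0049661E cmp dword ptr (plugininfo+238h)[esi*8], 0 ; entry+238h = ODBG_Pluginaction, optional
.text:00496626 jnz short loc_49662C
.text:00496628 xor eax, eax
.text:0049662A jmp short loc_496653
.text:0049662C ;---------------------------------------------------------------------------
.text:0049662C
.text:0049662Cloc_49662C: ;CODE XREF: CallEveryaction+42j
.text:0049662C mov ecx, eax
.text:0049662E shl ecx, 6
.text:00496631 add ecx, 0E000h ; ecx = this plugin's id base
.text:00496637 mov ebx, [ebp+arg_8]
.text:0049663A push ebx ; item
.text:0049663B sub edx, ecx
.text:0049663D push edx ; action = resourceid - base (0..63)
.text:0049663E mov edx, [ebp+arg_0]
.text:00496641 push edx ; origin
.text:00496642 mov eax, dword ptr (plugininfo+238h)[esi*8]
.text:00496649 call eax ; ODBG_Pluginaction(origin, action, item)
.text:0049664B add esp, 0Ch
.text: 0049664E mov eax, 1
.text:00496653
.text:00496653loc_496653: ;CODE XREF: CallEveryaction+12j
.text:00496653 ; CallEveryaction+2Ej...
.text:00496653 pop esi
.text:00496654 pop ebx
.text:00496655 pop ebp
.text:00496656 retn

/* Routes a menu command id to the plugin that owns it.  LoadPlugins hands out
   ids as PLUGIN_ID_BASE + 64*index, so the index is recovered by division and
   the plugin receives the id relative to its own base (0..63). */
bool CallEveryaction(int origin, int resourceid, void *item)
{
    int pluginindex;
    if (resourceid < 57344)             /* below 0E000h: not a plugin command */
        return false;
    pluginindex = (resourceid - 57344) / 64;
    if (pluginindex >= pluginnum || plugindata[pluginindex].ODBG_Pluginaction == NULL)
        return false;
    plugindata[pluginindex].ODBG_Pluginaction(origin, resourceid - (pluginindex * 64 + 57344), item);
    return true;
}

ODBG_Pluginshortcut

同理分析ODBG_Pluginshortcut可得到CPU窗口消息回调函数为:

LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    ......
    switch (message) {
    ......
    case WM_KEYDOWN:
    case WM_SYSKEYDOWN:
        return CallEveryshortcut(PM_MAIN, GetKeyState(VK_CONTROL) & 0x8000,
                                 message == WM_SYSKEYDOWN, GetKeyState(VK_SHIFT) & 0x8000,
                                 wParam, NULL);
        break;
    ......
    }
    ......
}

.text:00496E98 push ebp
.text:00496E99 mov ebp, esp
.text:00496E9B push ebx
.text:00496E9C push esi
.text:00496E9D push edi
.text:00496E9E mov edi, [ebp+key]
.text:00496EA1 cmp edi, 10h ; VK_SHIFT
.text:00496EA4 jz short loc_496EB0
.text:00496EA6 cmp edi, 11h ; VK_CONTROL
.text:00496EA9 jz short loc_496EB0
.text:00496EAB cmp edi, 12h ; VK_MENU
.text:00496EAE jnz short loc_496EB4
.text:00496EB0
.text:00496EB0loc_496EB0: ;CODE XREF: CallEveryshortcut+Cj
.text:00496EB0 ;CallEveryshortcut+11j
.text:00496EB0 xor eax, eax ; a modifier key on its own is never a shortcut
.text:00496EB2 jmp short loc_496F27
.text:00496EB4 ;---------------------------------------------------------------------------
.text:00496EB4
.text:00496EB4loc_496EB4: ;CODE XREF: CallEveryshortcut+16j
.text:00496EB4 cmp [ebp+hasctrl], 0 ; normalise the three flags to 0/1 (the caller passes GetKeyState() & 8000h)
.text:00496EB8 setnz dl
.text:00496EBB and edx, 1
.text:00496EBE mov ebx, offset plugininfo ; ebx = &plugindata[0]
.text:00496EC3 mov [ebp+hasctrl], edx
.text:00496EC6 cmp [ebp+hasalt], 0
.text:00496ECA setnz cl
.text:00496ECD and ecx, 1
.text:00496ED0 mov [ebp+hasalt], ecx
.text:00496ED3 cmp [ebp+hasshift], 0
.text:00496ED7 setnz al
.text:00496EDA and eax, 1
.text:00496EDD xor esi, esi ; esi = plugin index
.text:00496EDF mov [ebp+hasshift], eax
.text:00496EE2 jmp short loc_496F1D
.text:00496EE4 ;---------------------------------------------------------------------------
.text:00496EE4
.text:00496EE4loc_496EE4: ;CODE XREF: CallEveryshortcut+8Bj
.text:00496EE4 cmp dword ptr [ebx+23Ch], 0 ; entry+23Ch = ODBG_Pluginshortcut, optional export
.text:00496EEB jz short loc_496F16
.text:00496EED mov eax, [ebp+item]
.text:00496EF0 push eax
.text:00496EF1 push edi ; key
.text:00496EF2 mov edx, [ebp+hasshift]
.text:00496EF5 push edx
.text:00496EF6 mov ecx, [ebp+hasalt]
.text:00496EF9 push ecx
.text:00496EFA mov eax, [ebp+hasctrl]
.text:00496EFD push eax
.text:00496EFE mov edx, [ebp+origin]
.text:00496F01 push edx
.text:00496F02 call dword ptr [ebx+23Ch] ; ODBG_Pluginshortcut(origin, ctrl, alt, shift, key, item)
.text:00496F08 add esp, 18h
.text:00496F0B test eax, eax
.text:00496F0D jz short loc_496F16
.text:00496F0F mov eax, 1 ; first plugin that returns non-zero consumes the key
.text:00496F14 jmp short loc_496F27
.text:00496F16 ;---------------------------------------------------------------------------
.text:00496F16
.text:00496F16loc_496F16: ;CODE XREF: CallEveryshortcut+53j
.text:00496F16 ;CallEveryshortcut+75j
.text:00496F16 inc esi
.text:00496F17 add ebx, 258h ; next table entry
.text:00496F1D
.text:00496F1Dloc_496F1D: ;CODE XREF: CallEveryshortcut+4Aj
.text:00496F1D cmp esi, pluginnum
.text:00496F23 jl short loc_496EE4
.text:00496F25 xor eax, eax
.text:00496F27
.text:00496F27loc_496F27: ;CODE XREF: CallEveryshortcut+1Aj
.text:00496F27 ;CallEveryshortcut+7Cj
.text:00496F27 pop edi
.text:00496F28 pop esi
.text:00496F29 pop ebx
.text:00496F2A pop ebp
.text:00496F2B retn

/* Offers a key press to each plugin in load order.  The first plugin whose
   ODBG_Pluginshortcut returns non-zero consumes it, so directory enumeration
   order decides precedence between plugins claiming the same shortcut.  The
   listing normalises ctrl/alt/shift to 0/1 before the call; the bool parameters
   express the same thing here. */
int CallEveryshortcut(int origin, bool ctrl, bool alt, bool shift, int key, void *item)
{
    if (key == VK_SHIFT || key == VK_CONTROL || key == VK_MENU)   /* modifier alone: ignored */
        return 0;
    for (int pluginindex = 0; pluginindex < pluginnum; pluginindex++) {
        if (plugindata[pluginindex].ODBG_Pluginshortcut != NULL &&      /* [ebx+23Ch] */
            plugindata[pluginindex].ODBG_Pluginshortcut(origin, ctrl, alt, shift, key, item))
            return 1;
    }
    return 0;
}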