软件加密技术内幕 (Inside Software Encryption Technology)
Chapter 3 The Win32 Debugging API
  3.1 How the Win32 Debugging API Works
    3.1.1 Brief Description of the Debugging-Related Functions
    3.1.2 Debug Events
    3.1.3 How to Create and Trace a Process Under the Debugger
    3.1.4 The Main Loop
    3.1.5 How to Handle Debug Events
    3.1.6 The Thread Context in Detail
    3.1.7 How to Inject Code into Another Process
  3.2 Writing an Unpacker with the Debugging API
    3.2.1 Unpacking tElock 0.98: An Introduction
    3.2.2 Writing the Unpacker
  3.3 Making Memory Patches with the Debugging API
    3.3.1 The Cross-Process Memory Access Mechanism
    3.3.2 The Debug API Mechanism

Chapter 4 Exception Handling Under Windows
  4.1 Basic Concepts
    4.1.1 Software Exceptions Under Windows
    4.1.2 Are Undocumented Features Reliable?
  4.2 Structured Exception Handling (SEH)
    4.2.1 The Basic Exception Handling Process
    4.2.2 Classification of SEH
    4.2.3 Related APIs
    4.2.4 SEH-Related Data Structures
  4.3 Designing Exception Handlers
    4.3.1 Top-Level Exception Handling
    4.3.2 Thread Exception Handling
    4.3.3 Stack Unwinding in Exception Handling
    4.3.4 Several Points to Note When Designing Exception Handlers
  4.4 Simple Applications of SEH
    4.4.1 Entering Ring 0 with SEH Under Win9x
    4.4.2 Single-Step Self-Tracing with SEH
    4.4.3 Other Applications
  4.5 Secrets Behind the System
  4.6 How VC Wraps the SEH Mechanism Provided by the System
    4.6.1 The Extended EXCEPTION_REGISTRATION-Level Structures
    4.6.2 Organization of the Data Structures
  4.7 Vectored Exception Handling (VEH) Under Windows XP

Chapter 5 Software Encryption Techniques
  5.1 Anti-Debugging Techniques (Anti-Debug)
    5.1.1 Handle Detection
    5.1.2 SoftICE Backdoor Commands
    5.1.3 The int 68 Subtype
    5.1.4 The ICECream Subtype
    5.1.5 Determining Whether the NTICE Service Is Running
    5.1.6 INT 1 Detection
    5.1.7 Detection with UnhandledExceptionFilter
    5.1.8 The INT 41 Subtype
  5.2 Anti-Tracing Techniques (Anti-Trace)
    5.2.1 Breakpoint Detection
    5.2.2 Anti-Tracing with SEH
    5.2.3 Implementing SMC (Self-Modifying Code)
  5.3 Anti-Loader Techniques (Anti-Loader)
    5.3.1 Detection via the TEB
    5.3.2 Detection with the IsDebuggerPresent Function
    5.3.3 Checking the Parent Process
  5.4 Anti-Dump Techniques (Anti-Dump)
  5.5 File Integrity Verification
    5.5.1 Implementing a CRC Check
    5.5.2 Checksums (Checksum)
    5.5.3 Memory Image Verification
  5.6 Anti-Monitoring Techniques (Anti-Monitor)
    5.6.1 Window-Based Detection
    5.6.2 Handle Detection
  5.7 Anti-Static-Analysis Techniques
    5.7.1 Scrambling Assembly Code
    5.7.2 Junk Instructions (花指令)
    5.7.3 Information Hiding
  5.8 Combining Code and Data
  5.9 Some Advice on Software Protection

Chapter 6 Writing a Packer
  6.1 Shell-Writing Basics
    6.1.1 Determining Whether a File Is a PE-Format EXE
    6.1.2 Reading the File's Basic Data
    6.1.3 Preserving Extra (Overlay) Data
    6.1.4 Removing Relocation Data
    6.1.5 Compressing the File
    6.1.6 Handling the Resource Section
    6.1.7 Merging Sections
    6.1.8 Handling the Import Table
    6.1.9 Writing the Shell Part
    6.1.10 Adding the Shell to the Original Program
    6.1.11 Summary
  6.2 A Worked Example of a Complete Packer
    6.2.1 Program Overview
    6.2.2 The Packing Subroutine (WJQ_ShellBegin())
    6.2.3 The PE Shell Program
    6.2.4 Adding Anti-* Techniques
    6.2.5 Modifying the Packed PE Through the Shell
    6.2.6 Calling Assembly Subroutines from VC++

Chapter 7 How to Make the Shell and the Program One
  7.1 Preface
    7.1.1 Why the Shell and the Program Need to Be Integrated
    7.1.2 Knowledge Needed to Read This Chapter
    7.1.3 Description of the Example Program Used in This Chapter
  7.2 Fooling Shell-Detection Tools
    7.2.1 How fi Detects Shells
    7.2.2 Fooling fi
  7.3 Determining Whether You Have Been Unpacked
    7.3.1 Checking the File Size
    7.3.2 Checking Markers
    7.3.3 External Detection (Using a DLL)
    7.3.4 Hooking Related APIs (Against Loaders and the Debug API)
  7.4 Integrating Program and Shell with an SDK
    7.4.1 What the SDK Means
    7.4.2 Building a Shell with an SDK
  7.5 Afterword: Thoughts on Shells and Programs