查找操作码汇编指令 [英] Finding opcode assembly instruction
问题描述
我一直在尝试变形引擎.我首先尝试分析操作码汇编指令,但似乎没有给我任何帮助.我在功能中寻找的指令是MOV.为什么即使函数中也没有返回任何内容?
I have been giving a metamorphic engine a try. I started by trying to analyze the opcode assembly instruction but it does not seem to give me anything. The instruction I am looking for in the function is MOV. Why does it not return anything even though they are in the function?
#include <iostream>
#include <Windows.h>
using namespace std;
struct OPCODE
{
unsigned short usSize;
PBYTE pbOpCode;
bool bRelative;
bool bMutated;
};
namespace MOVRegisters
{
enum MovRegisters
{
EAX = 0xB8,
ECX,
EDX,
EBX,
ESP,
EBP,
ESI,
EDI
};
}
bool __fastcall bIsMOV(PBYTE pInstruction)
{
if (*pInstruction == MOVRegisters::EAX || *pInstruction == MOVRegisters::ECX || *pInstruction == MOVRegisters::EDX || *pInstruction == MOVRegisters::EBX ||
*pInstruction == MOVRegisters::ESP || *pInstruction == MOVRegisters::EBP || *pInstruction == MOVRegisters::ESI || *pInstruction == MOVRegisters::EDI)
return true;
else
return false;
}
void pCheckByte(PVOID pFunction, PBYTE pFirstFive)
{
if (*pFirstFive == 0x0)
memcpy(pFirstFive, pFunction, 5);
else
memcpy(pFunction, pFirstFive, 5);
PBYTE pCurrentByte = (PBYTE)pFunction;
while (*pCurrentByte != 0xC3 && *pCurrentByte != 0xC2 && *pCurrentByte != 0xCB && *pCurrentByte != 0xCA)
{
OPCODE* pNewOp = new OPCODE();
pNewOp->pbOpCode = pCurrentByte;
if (bIsMOV(pCurrentByte))
{
cout << "mov instr.\n";
}
}
}
void function()
{
int eaxVal;
__asm
{
mov eax, 5
add eax, 6
mov eaxVal, eax
}
printf("Testing %d\n", eaxVal);
}
int main()
{
PBYTE pFirstFive = (PBYTE)malloc(5);
RtlZeroMemory(pFirstFive, 5);
while (true)
{
pCheckByte(function, pFirstFive);
system("pause");
}
return 0;
}
推荐答案
您是否看过function()
的反汇编?第一条指令可能不会是mov eax, 5
,因为MSVC可能会在带有内联asm的函数中创建堆栈帧. (push ebp
/mov ebp, esp
).
Did you look at the disassembly of function()
? The first instruction probably won't be mov eax, 5
, since MSVC probably makes a stack frame in functions with inline asm. (push ebp
/ mov ebp, esp
).
您的代码是否实际上遍历了函数的字节?您有一个循环,但每次迭代都会泄漏内存. pNewOp
的唯一出现是,因此它是只写的.
Does your code actually loop over the bytes of the function? You have a loop, but it leaks memory every iteration. The only occurrence of pNewOp
is, so it's write-only.
OPCODE* pNewOp = new OPCODE();
pNewOp->pbOpCode = pCurrentByte;
请注意,循环遍历所有字节将产生误报,因为0xb3
或任何可能作为非操作码字节出现的内容. (例如,ModR/M或SIB字节,或即时数据.)类似,您可能在0xC3
上出现误报,...扫描
Note that looping over all the bytes will give false positives, because 0xb3
or whatever can occur as a non-opcode byte. (e.g. a ModR/M or SIB byte, or immediate data.) Similarly, you could have false positives on your 0xC3
, ... scan for ret
instructions. Again, look at disassembly with the raw machine code.
编写自己的代码来解析x86机器代码似乎是很多不必要的工作;库中已经有很多工具可以做到这一点.
Writing your own code for parsing x86 machine code seems like a lot of unnecessary work; there are many tools an libraries that already do this.
此外,在调试器中单步执行C ++代码以查看其作用.
Also, single-step through your C++ code in a debugger to see what it does.
这篇关于查找操作码汇编指令的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!