Finding opcode assembly instruction


Question

I have been giving a metamorphic engine a try. I started by trying to analyze the opcode assembly instruction but it does not seem to give me anything. The instruction I am looking for in the function is MOV. Why does it not return anything even though they are in the function?

#include <iostream>
#include <cstdio>     // printf
#include <cstdlib>    // malloc, system
#include <cstring>    // memcpy
#include <Windows.h>  // PBYTE, PVOID, RtlZeroMemory (MSVC / Win32 only, as is __asm)

using namespace std;


struct OPCODE
{
    unsigned short usSize;
    PBYTE pbOpCode;
    bool bRelative;
    bool bMutated;
};


namespace MOVRegisters
{
    enum MovRegisters
    {
        EAX = 0xB8,
        ECX,
        EDX,
        EBX,
        ESP,
        EBP,
        ESI,
        EDI
    };
}



bool __fastcall bIsMOV(PBYTE pInstruction)
{
    if (*pInstruction == MOVRegisters::EAX || *pInstruction == MOVRegisters::ECX || *pInstruction == MOVRegisters::EDX || *pInstruction == MOVRegisters::EBX ||
        *pInstruction == MOVRegisters::ESP || *pInstruction == MOVRegisters::EBP || *pInstruction == MOVRegisters::ESI || *pInstruction == MOVRegisters::EDI)
        return true;
    else
        return false;
}

void pCheckByte(PVOID pFunction, PBYTE pFirstFive)
{
    if (*pFirstFive == 0x0)
        memcpy(pFirstFive, pFunction, 5);
    else
        memcpy(pFunction, pFirstFive, 5);

    PBYTE pCurrentByte = (PBYTE)pFunction;
    while (*pCurrentByte != 0xC3 && *pCurrentByte != 0xC2 && *pCurrentByte != 0xCB && *pCurrentByte != 0xCA)
    {
        OPCODE* pNewOp = new OPCODE();
        pNewOp->pbOpCode = pCurrentByte;

        if (bIsMOV(pCurrentByte))
        {
            cout << "mov instr.\n";
        }
    }
}

void function()
{
    int eaxVal;
    __asm
    {
        mov eax, 5
        add eax, 6
        mov eaxVal, eax
    }
    printf("Testing %d\n", eaxVal);
}

int main()
{
    PBYTE pFirstFive = (PBYTE)malloc(5);
    RtlZeroMemory(pFirstFive, 5);


    while (true)
    {
        pCheckByte((PVOID)function, pFirstFive);  // explicit cast: function pointer to PVOID
        system("pause");
    }
    return 0;
}

Answer

Did you look at the disassembly of function()? The first instruction probably won't be mov eax, 5, since MSVC probably makes a stack frame in functions with inline asm. (push ebp / mov ebp, esp).

Does your code actually loop over the bytes of the function? You have a loop, but it leaks memory every iteration. The only occurrence of pNewOp is the following, so it's write-only:

    OPCODE* pNewOp = new OPCODE();
    pNewOp->pbOpCode = pCurrentByte;


Note that looping over all the bytes will give false positives, because 0xb3 or whatever can occur as a non-opcode byte. (e.g. a ModR/M or SIB byte, or immediate data.) Similarly, you could have false positives on your 0xC3, ... scan for ret instructions. Again, look at disassembly with the raw machine code.

Writing your own code for parsing x86 machine code seems like a lot of unnecessary work; there are many tools and libraries that already do this.

Also, single-step through your C++ code in a debugger to see what it does.
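The two points above (the scan never advances, and a byte-at-a-time scan confuses immediate/ModR/M bytes with opcodes) are easier to see side by side. The following is an added example written for this page, not code from the question or the answer. It constructs a byte sequence that resembles what MSVC might emit for the question's function() (assumed, not captured from a real build), with immediates chosen so that a ret byte (0xC3) and a mov ecx byte (0xB9) occur inside immediate data. naiveScan() treats every byte as an opcode the way the question does (but does advance the pointer); decodedScan() uses a small hand-written length decoder for a subset of 32-bit x86 (no prefixes, no 0F two-byte opcodes; that subset is an assumption of this example, and real code should use a disassembler library as the answer recommends).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed sample (not a real compiler dump): prologue, the inline asm,
// epilogue. Two immediates deliberately contain bytes that look like opcodes.
const uint8_t kFunc[] = {
    0x55,                         // push ebp
    0x8B, 0xEC,                   // mov  ebp, esp
    0x83, 0xEC, 0x04,             // sub  esp, 4
    0xB8, 0xC3, 0x00, 0x00, 0x00, // mov  eax, 0xC3   (imm32 contains a "ret" byte)
    0x05, 0xB9, 0x00, 0x00, 0x00, // add  eax, 0xB9   (imm32 contains a "mov ecx" byte)
    0x89, 0x45, 0xFC,             // mov  [ebp-4], eax
    0x8B, 0x4D, 0xFC,             // mov  ecx, [ebp-4]
    0x8B, 0xE5,                   // mov  esp, ebp
    0x5D,                         // pop  ebp
    0xC3                          // ret
};

struct ScanResult {
    int movs;       // MOV instructions counted
    size_t bytes;   // bytes consumed, including the ret that ended the scan
    bool complete;  // true if a ret was reached
};

bool isRet(uint8_t op) { return op == 0xC3 || op == 0xC2 || op == 0xCB || op == 0xCA; }

// Byte-at-a-time scan in the spirit of the question: every byte is treated as an opcode.
ScanResult naiveScan(const uint8_t* p, size_t n) {
    ScanResult r = {0, 0, false};
    for (size_t i = 0; i < n; i++) {
        if (p[i] >= 0xB8 && p[i] <= 0xBF) r.movs++;          // "mov r32, imm32"?
        if (isRet(p[i])) { r.bytes = i + 1; r.complete = true; return r; }
    }
    r.bytes = n;
    return r;
}

// Size of a 32-bit ModR/M byte plus any SIB byte and displacement; 0 if truncated.
size_t modrmLength(const uint8_t* p, size_t avail) {
    if (avail < 1) return 0;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t len = 1;
    if (mod == 3) return len;                       // register operand, no memory
    if (rm == 4) {                                  // SIB byte follows
        if (avail < 2) return 0;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4;  // SIB with no base: disp32
    } else if (mod == 0 && rm == 5) {
        len += 4;                                   // [disp32] with no base register
    }
    if (mod == 1) len += 1;                         // disp8
    else if (mod == 2) len += 4;                    // disp32
    return len > avail ? 0 : len;
}

// Length of the instruction at p for a small subset of 32-bit x86 (no prefixes,
// no 0F opcodes). Sets *isMov. Returns 0 for unsupported or truncated input.
size_t insnLength(const uint8_t* p, size_t avail, bool* isMov) {
    *isMov = false;
    if (avail == 0) return 0;
    uint8_t op = p[0];
    size_t len = 0;
    if (op >= 0x50 && op <= 0x5F) len = 1;                                   // push/pop r32
    else if (op == 0x90 || op == 0xC9 || op == 0xC3 || op == 0xCB) len = 1;  // nop, leave, ret, retf
    else if (op == 0xC2 || op == 0xCA) len = 3;                              // ret imm16
    else if (op == 0x05 || op == 0x2D || op == 0x3D || op == 0xE8 || op == 0xE9) len = 5; // add/sub/cmp eax,imm32; call/jmp rel32
    else if (op >= 0xB8 && op <= 0xBF) { len = 5; *isMov = true; }           // mov r32, imm32
    else if (op >= 0xB0 && op <= 0xB7) { len = 2; *isMov = true; }           // mov r8, imm8
    else {
        size_t mr = modrmLength(p + 1, avail - 1);
        if (mr == 0) return 0;
        if (op >= 0x88 && op <= 0x8B) { len = 1 + mr; *isMov = true; }       // mov r/m <-> r
        else if (op == 0x01 || op == 0x03 || op == 0x29 || op == 0x2B ||
                 op == 0x39 || op == 0x3B || op == 0x85 || op == 0x8D) len = 1 + mr; // add/sub/cmp/test/lea
        else if (op == 0x83) len = 1 + mr + 1;                               // grp1 r/m32, imm8
        else if (op == 0xC6) { len = 1 + mr + 1; *isMov = true; }            // mov r/m8, imm8
        else if (op == 0x81) len = 1 + mr + 4;                               // grp1 r/m32, imm32
        else if (op == 0xC7) { len = 1 + mr + 4; *isMov = true; }            // mov r/m32, imm32
        else return 0;
    }
    if (len > avail) { *isMov = false; return 0; }
    return len;
}

// Instruction-by-instruction scan: immediates and ModR/M bytes are skipped, not decoded.
ScanResult decodedScan(const uint8_t* p, size_t n) {
    ScanResult r = {0, 0, false};
    while (r.bytes < n) {
        bool mov = false;
        size_t len = insnLength(p + r.bytes, n - r.bytes, &mov);
        if (len == 0) return r;                     // unknown or truncated: stop, incomplete
        uint8_t op = p[r.bytes];
        r.bytes += len;
        if (mov) r.movs++;
        if (isRet(op)) { r.complete = true; return r; }
    }
    return r;
}

int main() {
    ScanResult a = naiveScan(kFunc, sizeof kFunc);
    ScanResult b = decodedScan(kFunc, sizeof kFunc);
    std::printf("naive:   %d mov(s), stopped after %zu bytes, ret reached=%d\n", a.movs, a.bytes, (int)a.complete);
    std::printf("decoded: %d mov(s), %zu bytes, ret reached=%d\n", b.movs, b.bytes, (int)b.complete);
    return 0;
}
```

On this buffer the naive scan reports one MOV and stops after 8 bytes, because the 0xC3 inside the immediate of mov eax, 0xC3 is mistaken for ret; had it continued it would also have counted the 0xB9 inside add eax, 0xB9. The decoded scan walks all 26 bytes, finds the five real MOVs (including the 8B/89 forms the question's bIsMOV never checks) and stops at the genuine ret. The decoder gives up (returns incomplete) on anything outside its subset rather than guessing, which is the honest behaviour for a hand-written length decoder.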
