PEID Identification Mechanism Revealed [Part 1]

Published: 2011-01-03 18:35   Posted by: 武汉科锐软件安全教育机构
I take PEID's identification of a Delphi program as the example and trace its identification process; identifying other development platforms works on the same principle.
Checking file validity and the use of the user-defined signature data file are not discussed here.
PEID decides an application's development environment mainly from three things:
1. The code at the entry point
2. The linker version in the PE structure
    BYTE    MajorLinkerVersion
    BYTE    MinorLinkerVersion
3. Signature bytes. For Delphi, the signature is located in the CODE section, which holds the Delphi run-time library code. Different Delphi versions have different signatures.
Let's look at the code.
First a self-scan: the code is packed with PECompact 2.x, dealt with in seconds using the ESP law.
0043FBF0     81EC 80050000               sub esp,580
0043FBF6     B8 00AB0000                 mov eax,0AB00
0043FBFB     53                          push ebx
0043FBFC     55                          push ebp
0043FBFD     56                          push esi
0043FBFE     B9 E8000000                 mov ecx,0E8
0043FC03     BD FF000000                 mov ebp,0FF
0043FC08     BA 89000000                 mov edx,89
0043FC0D     BE 42000000                 mov esi,42
0043FC12     57                          push edi
0043FC13     BF 05000000                 mov edi,5
0043FC18     BB C0000000                 mov ebx,0C0
0043FC1D     66:C74424 14 5000           mov word ptr ss:[esp+14],50     defines the signature bytes
0043FC24     66:C74424 16 6A00           mov word ptr ss:[esp+16],6A
0043FC2B     66:C74424 18 0000           mov word ptr ss:[esp+18],0
0043FC32     66:894C24 1A                mov word ptr ss:[esp+1A],cx
0043FC37     66:894424 1C                mov word ptr ss:[esp+1C],ax
0043FC3C     66:894424 1E                mov word ptr ss:[esp+1E],ax
0043FC41     66:896C24 20                mov word ptr ss:[esp+20],bp
0043FC46     66:896C24 22                mov word ptr ss:[esp+22],bp
0043FC4B     66:C74424 24 BA00           mov word ptr ss:[esp+24],0BA
0043FC52     66:894424 26                mov word ptr ss:[esp+26],ax
0043FC57     66:894424 28                mov word ptr ss:[esp+28],ax
0043FC5C     66:894424 2A                mov word ptr ss:[esp+2A],ax
0043FC61     66:894424 2C                mov word ptr ss:[esp+2C],ax
0043FC66     66:C74424 2E 5200           mov word ptr ss:[esp+2E],52
0043FC6D     66:895424 30                mov word ptr ss:[esp+30],dx
0043FC72     66:897C24 32                mov word ptr ss:[esp+32],di
0043FC77     66:894424 34                mov word ptr ss:[esp+34],ax
0043FC7C     66:894424 36                mov word ptr ss:[esp+36],ax
0043FC81     66:894424 38                mov word ptr ss:[esp+38],ax
0043FC86     66:894424 3A                mov word ptr ss:[esp+3A],ax
0043FC8B     66:895424 3C                mov word ptr ss:[esp+3C],dx
0043FC90     66:897424 3E                mov word ptr ss:[esp+3E],si
0043FC95     66:C74424 40 0400           mov word ptr ss:[esp+40],4
0043FC9C     66:894C24 42                mov word ptr ss:[esp+42],cx
0043FCA1     66:894424 44                mov word ptr ss:[esp+44],ax
0043FCA6     66:894424 46                mov word ptr ss:[esp+46],ax
0043FCAB     66:894424 48                mov word ptr ss:[esp+48],ax
0043FCB0     66:894424 4A                mov word ptr ss:[esp+4A],ax
0043FCB5     66:C74424 4C 5A00           mov word ptr ss:[esp+4C],5A
0043FCBC     66:C74424 4E 5800           mov word ptr ss:[esp+4E],58
0043FCC3     66:894C24 50                mov word ptr ss:[esp+50],cx
0043FCC8     66:894424 52                mov word ptr ss:[esp+52],ax
0043FCCD     66:C74424 54 000A           mov word ptr ss:[esp+54],0A00
0043FCD4     66:894424 56                mov word ptr ss:[esp+56],ax
0043FCD9     66:894424 58                mov word ptr ss:[esp+58],ax
0043FCDE     66:C74424 5A C300           mov word ptr ss:[esp+5A],0C3
0043FCE5     66:C74424 5C 5500           mov word ptr ss:[esp+5C],55
0043FCEC     66:C74424 5E 8B00           mov word ptr ss:[esp+5E],8B
0043FCF3     66:C74424 60 EC00           mov word ptr ss:[esp+60],0EC
0043FCFA     66:C74424 62 3300           mov word ptr ss:[esp+62],33
0043FD01     66:895C24 64                mov word ptr ss:[esp+64],bx
0043FD06     66:C78424 C4000000 5000     mov word ptr ss:[esp+C4],50
0043FD10     66:C78424 C6000000 6A00     mov word ptr ss:[esp+C6],6A
0043FD1A     66:898424 C8000000          mov word ptr ss:[esp+C8],ax
0043FD22     66:898C24 CA000000          mov word ptr ss:[esp+CA],cx
0043FD2A     66:898424 CC000000          mov word ptr ss:[esp+CC],ax
0043FD32     66:898424 CE000000          mov word ptr ss:[esp+CE],ax
0043FD3A     66:89AC24 D0000000          mov word ptr ss:[esp+D0],bp
0043FD42     66:89AC24 D2000000          mov word ptr ss:[esp+D2],bp
0043FD4A     66:C78424 D4000000 BA00     mov word ptr ss:[esp+D4],0BA
0043FD54     66:898424 D6000000          mov word ptr ss:[esp+D6],ax
0043FD5C     66:898424 D8000000          mov word ptr ss:[esp+D8],ax
0043FD64     66:898424 DA000000          mov word ptr ss:[esp+DA],ax
0043FD6C     66:898424 DC000000          mov word ptr ss:[esp+DC],ax
0043FD74     66:C78424 DE000000 5200     mov word ptr ss:[esp+DE],52
0043FD7E     66:899424 E0000000          mov word ptr ss:[esp+E0],dx
0043FD86     66:89BC24 E2000000          mov word ptr ss:[esp+E2],di
0043FD8E     66:898424 E4000000          mov word ptr ss:[esp+E4],ax
0043FD96     66:898424 E6000000          mov word ptr ss:[esp+E6],ax
0043FD9E     66:898424 E8000000          mov word ptr ss:[esp+E8],ax
0043FDA6     66:898424 EA000000          mov word ptr ss:[esp+EA],ax
0043FDAE     66:899424 EC000000          mov word ptr ss:[esp+EC],dx
0043FDB6     66:89B424 EE000000          mov word ptr ss:[esp+EE],si
0043FDBE     66:C78424 F0000000 0400     mov word ptr ss:[esp+F0],4
0043FDC8     66:C78424 F2000000 C700     mov word ptr ss:[esp+F2],0C7
0043FDD2     66:89B424 F4000000          mov word ptr ss:[esp+F4],si
0043FDDA     66:C78424 F6000000 0800     mov word ptr ss:[esp+F6],8
0043FDE4     66:898424 F8000000          mov word ptr ss:[esp+F8],ax
0043FDEC     66:898424 FA000000          mov word ptr ss:[esp+FA],ax
0043FDF4     66:898424 FC000000          mov word ptr ss:[esp+FC],ax
0043FDFC     66:89B424 02010000          mov word ptr ss:[esp+102],si
0043FE04     BE A3000000                 mov esi,0A3
0043FE09     66:89AC24 48010000          mov word ptr ss:[esp+148],bp
0043FE11     BD 33000000                 mov ebp,33
0043FE16     66:898424 FE000000          mov word ptr ss:[esp+FE],ax
0043FE1E     66:C78424 00010000 C700     mov word ptr ss:[esp+100],0C7
0043FE28     66:C78424 04010000 0C00     mov word ptr ss:[esp+104],0C
0043FE32     66:898424 06010000          mov word ptr ss:[esp+106],ax
0043FE3A     66:898424 08010000          mov word ptr ss:[esp+108],ax
0043FE42     66:898424 0A010000          mov word ptr ss:[esp+10A],ax
0043FE4A     66:898424 0C010000          mov word ptr ss:[esp+10C],ax
0043FE52     66:898C24 0E010000          mov word ptr ss:[esp+10E],cx
0043FE5A     66:898424 10010000          mov word ptr ss:[esp+110],ax
0043FE62     66:898424 12010000          mov word ptr ss:[esp+112],ax
0043FE6A     66:898424 14010000          mov word ptr ss:[esp+114],ax
0043FE72     66:898424 16010000          mov word ptr ss:[esp+116],ax
0043FE7A     66:C78424 18010000 5A00     mov word ptr ss:[esp+118],5A
0043FE84     66:C78424 1A010000 5800     mov word ptr ss:[esp+11A],58
0043FE8E     66:898C24 1C010000          mov word ptr ss:[esp+11C],cx
0043FE96     66:898424 1E010000          mov word ptr ss:[esp+11E],ax
0043FE9E     66:898424 20010000          mov word ptr ss:[esp+120],ax
0043FEA6     66:898424 22010000          mov word ptr ss:[esp+122],ax
0043FEAE     66:898424 24010000          mov word ptr ss:[esp+124],ax
0043FEB6     66:C78424 26010000 C300     mov word ptr ss:[esp+126],0C3
0043FEC0     66:C78424 28010000 5300     mov word ptr ss:[esp+128],53
0043FECA     66:C78424 2A010000 8B00     mov word ptr ss:[esp+12A],8B
0043FED4     66:C78424 2C010000 D800     mov word ptr ss:[esp+12C],0D8
0043FEDE     66:C78424 2E010000 3300     mov word ptr ss:[esp+12E],33
0043FEE8     66:899C24 30010000          mov word ptr ss:[esp+130],bx
0043FEF0     66:89B424 32010000          mov word ptr ss:[esp+132],si
0043FEF8     66:898424 34010000          mov word ptr ss:[esp+134],ax
0043FF00     66:898424 36010000          mov word ptr ss:[esp+136],ax
0043FF08     66:898424 38010000          mov word ptr ss:[esp+138],ax
0043FF10     66:898424 3A010000          mov word ptr ss:[esp+13A],ax
0043FF18     66:C78424 3C010000 6A00     mov word ptr ss:[esp+13C],6A
0043FF22     66:898424 3E010000          mov word ptr ss:[esp+13E],ax
0043FF2A     66:898C24 40010000          mov word ptr ss:[esp+140],cx
0043FF32     66:898424 42010000          mov word ptr ss:[esp+142],ax
0043FF3A     66:898424 44010000          mov word ptr ss:[esp+144],ax
0043FF42     66:898424 46010000          mov word ptr ss:[esp+146],ax
0043FF4A     66:89B424 4A010000          mov word ptr ss:[esp+14A],si
0043FF52     66:898424 4C010000          mov word ptr ss:[esp+14C],ax
0043FF5A     66:898424 4E010000          mov word ptr ss:[esp+14E],ax
0043FF62     66:898424 50010000          mov word ptr ss:[esp+150],ax
0043FF6A     66:898424 52010000          mov word ptr ss:[esp+152],ax
0043FF72     66:C78424 54010000 A100     mov word ptr ss:[esp+154],0A1
0043FF7C     66:898424 56010000          mov word ptr ss:[esp+156],ax
0043FF84     66:898424 58010000          mov word ptr ss:[esp+158],ax
0043FF8C     66:898424 5A010000          mov word ptr ss:[esp+15A],ax
0043FF94     66:898424 5C010000          mov word ptr ss:[esp+15C],ax
0043FF9C     66:89B424 5E010000          mov word ptr ss:[esp+15E],si
0043FFA4     66:898424 60010000          mov word ptr ss:[esp+160],ax
0043FFAC     66:898424 62010000          mov word ptr ss:[esp+162],ax
0043FFB4     66:898424 64010000          mov word ptr ss:[esp+164],ax
0043FFBC     66:898424 66010000          mov word ptr ss:[esp+166],ax
0043FFC4     66:89AC24 68010000          mov word ptr ss:[esp+168],bp
0043FFCC     66:899C24 6A010000          mov word ptr ss:[esp+16A],bx
0043FFD4     66:89B424 6C010000          mov word ptr ss:[esp+16C],si
0043FFDC     66:898424 6E010000          mov word ptr ss:[esp+16E],ax
0043FFE4     66:898424 70010000          mov word ptr ss:[esp+170],ax
0043FFEC     66:898424 72010000          mov word ptr ss:[esp+172],ax
0043FFF4     66:898424 74010000          mov word ptr ss:[esp+174],ax
0043FFFC     66:89AC24 76010000          mov word ptr ss:[esp+176],bp
00440004     66:899C24 78010000          mov word ptr ss:[esp+178],bx
0044000C     66:89B424 7A010000          mov word ptr ss:[esp+17A],si
00440014     66:898424 7C010000          mov word ptr ss:[esp+17C],ax
0044001C     66:898424 7E010000          mov word ptr ss:[esp+17E],ax
00440024     66:898424 80010000          mov word ptr ss:[esp+180],ax
0044002C     66:898424 82010000          mov word ptr ss:[esp+182],ax
00440034     66:898C24 84010000          mov word ptr ss:[esp+184],cx
0044003C     66:894C24 68                mov word ptr ss:[esp+68],cx
00440041     66:894424 6A                mov word ptr ss:[esp+6A],ax
00440046     66:894424 6C                mov word ptr ss:[esp+6C],ax
0044004B     66:894424 6E                mov word ptr ss:[esp+6E],ax
00440050     66:894424 70                mov word ptr ss:[esp+70],ax
00440055     66:C74424 72 6A00           mov word ptr ss:[esp+72],6A
0044005C     66:894424 74                mov word ptr ss:[esp+74],ax
00440061     66:894C24 76                mov word ptr ss:[esp+76],cx
00440066     66:894424 78                mov word ptr ss:[esp+78],ax
0044006B     66:894424 7A                mov word ptr ss:[esp+7A],ax
00440070     66:894424 7C                mov word ptr ss:[esp+7C],ax
00440075     8BB424 98050000             mov esi,dword ptr ss:[esp+598]
0044007C     66:894424 7E                mov word ptr ss:[esp+7E],ax
00440081     66:898424 84000000          mov word ptr ss:[esp+84],ax
00440089     66:898424 86000000          mov word ptr ss:[esp+86],ax
00440091     66:898424 88000000          mov word ptr ss:[esp+88],ax
00440099     66:898424 8A000000          mov word ptr ss:[esp+8A],ax
004400A1     66:898424 8E000000          mov word ptr ss:[esp+8E],ax
004400A9     66:898424 90000000          mov word ptr ss:[esp+90],ax
004400B1     66:898424 92000000          mov word ptr ss:[esp+92],ax
004400B9     66:898424 94000000          mov word ptr ss:[esp+94],ax
004400C1     66:898424 9A000000          mov word ptr ss:[esp+9A],ax
004400C9     66:898424 9C000000          mov word ptr ss:[esp+9C],ax
004400D1     66:898424 9E000000          mov word ptr ss:[esp+9E],ax
004400D9     66:898424 A0000000          mov word ptr ss:[esp+A0],ax
004400E1     66:898424 A6000000          mov word ptr ss:[esp+A6],ax
004400E9     66:898424 A8000000          mov word ptr ss:[esp+A8],ax
004400F1     66:898424 AA000000          mov word ptr ss:[esp+AA],ax
004400F9     66:898424 AC000000          mov word ptr ss:[esp+AC],ax
00440101     66:898424 B0000000          mov word ptr ss:[esp+B0],ax
00440109     66:898424 B2000000          mov word ptr ss:[esp+B2],ax
00440111     66:898424 B4000000          mov word ptr ss:[esp+B4],ax
00440119     66:898424 B8000000          mov word ptr ss:[esp+B8],ax
00440121     66:898424 BA000000          mov word ptr ss:[esp+BA],ax
00440129     66:898424 BC000000          mov word ptr ss:[esp+BC],ax
00440131     66:898424 BE000000          mov word ptr ss:[esp+BE],ax
00440139     8B46 0C                     mov eax,dword ptr ds:[esi+C]
0044013C     66:898C24 8C000000          mov word ptr ss:[esp+8C],cx
00440144     66:899424 80000000          mov word ptr ss:[esp+80],dx
0044014C     66:89BC24 82000000          mov word ptr ss:[esp+82],di
00440154     66:899424 96000000          mov word ptr ss:[esp+96],dx
0044015C     66:89BC24 98000000          mov word ptr ss:[esp+98],di
00440164     66:C78424 A2000000 C700     mov word ptr ss:[esp+A2],0C7
0044016E     66:89BC24 A4000000          mov word ptr ss:[esp+A4],di
00440176     66:C78424 AE000000 0A00     mov word ptr ss:[esp+AE],0A
00440180     66:C78424 B6000000 B800     mov word ptr ss:[esp+B6],0B8
0044018A     66:C78424 C0000000 C300     mov word ptr ss:[esp+C0],0C3
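To make the three criteria concrete, here is an added Python example (written for this page, not PEID's own code) that reads MajorLinkerVersion and MinorLinkerVersion plus the entry point from a PE32 header, maps the entry point to its section, and matches a PEiD-style wildcard signature against the bytes found there. The signature is transcribed from the words the listing stores at esp+14 through esp+40, on the assumption that a word whose high byte is non-zero (the 0xAB00 held in ax) is a wildcard; the minimal PE, the 2.25 linker version and the entry-point bytes are constructed test input.

```python
import struct
# PEiD-style signature text: hex bytes, "??" = any byte. Transcribed from the
# 23 words the listing above stores at esp+14..esp+40 (assumption: a word with a
# non-zero high byte, such as the 0xAB00 in ax, is a wildcard; a plain 0 is a literal 00).
SIGNATURES = {
    "Borland Delphi (entry stub from listing)":
        "50 6A 00 E8 ?? ?? FF FF BA ?? ?? ?? ?? 52 89 05 ?? ?? ?? ?? 89 42 04",
}

def parse_sig(text):
    """'50 6A ??' -> list of int or None (None = wildcard byte)."""
    return [None if t == "??" else int(t, 16) for t in text.split()]

def match_at(data, off, sig):
    """True if sig matches data at offset off, treating None as a wildcard."""
    if off is None or off < 0 or off + len(sig) > len(data):
        return False
    return all(b is None or data[off + i] == b for i, b in enumerate(sig))

def pe_facts(image):
    """Return (MajorLinkerVersion, MinorLinkerVersion, entry RVA, sections) of a PE32."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]                    # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe + 4)  # COFF header
    opt = pe + 24                                                     # optional header
    magic, major, minor = struct.unpack_from("<HBB", image, opt)     # the two linker bytes
    if magic != 0x10B:
        raise ValueError("only PE32 handled here")
    entry = struct.unpack_from("<I", image, opt + 16)[0]             # AddressOfEntryPoint
    raw = [struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i) for i in range(nsec)]
    return major, minor, entry, [(n.rstrip(b"\0").decode(), va, vs, rp, rs) for n, vs, va, rs, rp in raw]

def rva_to_offset(rva, sections):
    """Map an RVA to (file offset, section name); (None, None) if no section holds it."""
    for name, va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va), name
    return None, None

def identify(image):
    """Combine the three criteria: linker version, section at the entry, bytes at the entry."""
    major, minor, entry, sections = pe_facts(image)
    off, sec = rva_to_offset(entry, sections)
    hits = [n for n, s in SIGNATURES.items() if match_at(image, off, parse_sig(s))]
    return {"linker": f"{major}.{minor}", "entry_section": sec, "matches": hits}

def build_sample_pe(code, linker=(2, 25), sec_name=b"CODE"):
    """Constructed minimal PE32 (test input only) whose entry point starts with `code`."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)    # i386, one section
    opt = struct.pack("<HBBIIII", 0x10B, *linker, len(code), 0, 0, 0x1000).ljust(224, b"\0")
    sec = struct.pack("<8sIIII", sec_name, len(code), 0x1000, len(code), 512).ljust(40, b"\0")
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(512, b"\0") + code

# Constructed entry-point bytes: DELPHI_STUB fits the pattern above, OTHER_STUB must not.
DELPHI_STUB = bytes.fromhex("506A00E8 1234FFFF BA78563412 528905 11223344 894204 C3")
OTHER_STUB = bytes.fromhex("558BEC 6AFF 68 00000000 C3")
```

`identify(build_sample_pe(DELPHI_STUB))` reports linker 2.25, entry section CODE and the Delphi match, while an entry point outside every section yields no offset and therefore no match.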
Copyright©2007-2015 武汉市科锐软件技术有限公司.