Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you about the open source of PeDoll and how to use it. The article is rich in content and analyzes and narrates it from a professional point of view. I hope you can get something after reading this article.

1. What is PEDoll?

PeDoll is a program behavior analysis software based on inline Hook, which mainly includes the following functions

1. Hook to generate reports on key API calls and monitor program behavior

two。 Modify program execution code at run time

3. The network grab package of the program, the Dump that writes the data

4. The spin lock breakpoint realized by the software is convenient for joint debugging with OllyDbg.

5. Analyze the memory of the target program and analyze the stack data to crack.

The composition principle of 2.PeDoll

PeDoll is mainly for reverse analysis beginners or Cracker with certain programming reverse foundation. It aims to simplify the reverse analysis work. To a certain extent, it can simplify the analysis difficulty or realize automatic analysis of some malicious programs with anti-reverse functions (shell, flower, anti-debugger).

PeDoll is a behavior analysis software based on simple script (command) control, which implements specific analysis by writing different scripts for different programs. At the same time, PeDoll is a remote analysis debugger, which also means that it is recommended to separate the control side from the debug side in the analysis of malicious programs.

Its working principle is as follows

1. Common scripts, including a series of common scripts that have been written, including some commonly used MBR blackmail virus, user lock blackmail virus, easy language registration code cracking, network packet analysis, remote injection code analysis. Common scripts, etc.

two。 Controller, program executed on the control side

3. Debugger programs that need to be copied to the debugger or other secure environment (trusted programs can be executed directly on the local machine)

PS: where PE.dll is the file that PEDoll completes DLL injection and executes inline hook. PeDolls.exe is used to perform injection and executable file to interact with the control side. PeDolls.exe can be turned off after successful injection without affecting debugging.

3. Deploy the PeDoll debug environment

Record the IP address on the debugger (assuming the debugger and the controller are in the same intranet)

Fill it in the control side and click the connect button

At this point, the deployment of PeDoll is complete.

4. Example 1 uses PeDoll to analyze the Net user blackmail program

Step1. Copy the sample to the debugger, which is named Sample1.exe

Step2. Load analysis script

Step3. Mount the target program, enter the command doll db, enter, and then connect

Step4. Execute the program and get the result

4. Example 2 using PeDoll to analyze the MBR blackmail program using API breakpoints

Step1. Repeat the third section to copy the sample to the debugger, here is sample2.exe

Step2. Clean up the previously loaded script and remount the MBR blackmail virus script

Step3. Mount the target program, enter the command doll db, enter, then connect, execute, and trigger the breakpoint

Step4. Enter the command hook WriteFile, monitor the MBR lock to write data, and then click execute to grab data

Step5. View MBR lock password in data

5. Example 3 use PeDoll binary hook to analyze the registration code / password of the easy language

Copy the sample to the debugger and name it Sample3.exestep2. Clean up the previously loaded script and remount the easy language password cracking script

Step3. Enter the command doll db execution program

Step4. Execute Hook, enter any text password on the interface, and get the correct password of the program.

6. Example 4 uses PeDoll remote injection to complete the network packet grabbing function for phishing programs.

Copy the sample to the debugger and execute

A little pop-up fishing interface

Through analysis, the program is

QQScLauncher.exe

Step1. Go to the PeDoll console, enter the enumprocess enumeration process, enter doll di, and inject step2. Considering that the fishing sample should be a mailbox phishing, mount the TCP connection analysis script

Step3. Click run, and then casually enter data in the fishing interface, waiting for the package to be grabbed.

Step4. Switch to the data and analyze the smtp packet (the password of the phishing author's email account is there, and everyone knows how to decode it with BASE64).

7. How to write PeDoll script

I. API hook

All PeDoll API that supports hook are included in the scripting manual for common scripts.

If you want to monitor an API function, just write

Hook + the function name of the API (case sensitive)

For example, we want to know if the program operates on the file (assuming that the underlying API calls are not considered), and only needs to monitor the CreateFileA CreateFileW

The script code is as follows

Hook CreateFileA

Hook CreateFileW

II. Binary hook

PeDoll supports direct hook of binary code, which is especially effective for the hook of some custom functions. Note that you must use other tools to know the stack structure of the code there before binary hook and you need to balance the stack in the script.

The code format is

Binary requires hook binary code hexadecimal sequence to explain the number of ESP or EBP bytes out of the stack after the execution is completed. The value of EAX after execution.

For example, we know that the characteristic of the easy language string comparison function is 8B5424048B4C240885D2750D, because the caller cleans up the stack (cdecl call), so the number of bytes out of the stack is 0.

There is a string pointer at the ESP+4 and ESP+8 offset. When execution ends, an EAX of 0 indicates a match, so the code can be written as

Binary 8B5424048B4C240885D2750D 0 S4S8 0

Where S4 represents String at ESP+4 and S8 represents String at ESP+8

Of course, if you want to interpret it as a number, you can write it as D4D8 for Decimal at ESP+4, where S8 stands for Decimal at ESP+8

The same principle

B4 represents String at EBP+4, where B8 stands for String at EBP+8

E4 means Decimal at EBP+4, where E8 means Decimal at EBP+8

III. API filtering and breakpoints

Take CreateFileA as an example, check out the scripting manual as follows

API: CreateFileA Regular: 1. CREATEFILEA 2. 3.

Where 1 represents the function name, note that it is capitalized

two。 Indicates its three parameters. UNKNOW indicates unknown operation, CREATE indicates creation, OPEN indicates on, and RESET indicates reset.

3. Represents the file that this function will operate on

If we need to monitor this function and make a breakpoint when it "opens" a name 123.txt, then the code can be written like this

Hook CreateFileA

FILTER_START is greater than, and QUERY SHOW indicates a breakpoint when the port of the client connection 192.168.1.1 is greater than 1000.

CONNECT QUERY SHOW indicates a breakpoint when the port of 192.168.1.1 is not equal to 1000

... and so on

8. How to get PeDoll

Release version 1.6.1-https://pan.baidu.com/s/189_m79g2-K0QVwkhxxSpBw

Github complete source code-https://github.com/matrixcascade/PeDoll

9. Other

1.PeDoll only simplifies the process of cracking, just mounting scripts doesn't make you learn to crack.

The 2.pedoll logo source code is all original and can be modified arbitrarily, but please indicate the copyright information of the original author in its derivative and secondary development version.

3. The compilation environment is VisualStudio 2010 + Qt 4.8.6 Framework

This is how the editor shares the open source and use of PeDoll. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.