Location:
Search - pe loader
Search list
Description: 加密解密技术内幕
第1章 PE文件格式深入研究
1.1 PE文件格式格式纵览
1.1.1 区块(Section)
1.1.2 相对虚拟地址(Relative Virtual Addresses)
1.1.3 数据目录
1.1.4 输入函数(Importing Functions)
1.2 PE文件结构
1.2.1 The MS-DOS头部
1.2.2 IMAGE_NT_HEADERS头部
1.2.3 区块表(The Section Table)
1.2.4 各种块(Sections)的描述
1.2.5 输出表
1.2.6 输出转向(Export Forwarding)
1.2.7 输入表
1.2.8 绑定输入(Bound import)
1.2.9 延迟装入数据(Delayload Data)
1.2.10 资源
1.2.11 基址重定位(Base Relocations)
1.2.12 调试目录(DebugDirectory)
1.2.13 NET头部
1.2.14 TLS初始化
1.2.15 程序异常数据
第2章 PE分析工具编写
2.1 文件格式检查
2.2 FileHeader和OptionalHeader内容的读取
2.3 得到数据目录(Data Dircetory)信息
2.4 得到块表(SectionTable)信息
2.5 得到输出表(ExportTable)信息
2.6 得到输入表(ImportTable)信息
第3章 Win32 调试API
3.1 Win32调试API原理
3.1.1 调试相关函数简要说明
3.1.2 调试事件
3.1.3 如何在调试时创建并跟踪一个进程
3.1.4 最主要的循环体
3.1.5 如何处理调试事件
3.1.6 线程环境详解
3.1.7 如何在另一个进程中注入代码
3.2 利用调试API编写脱壳机
3.2.1 tElock 0.98脱壳简介
3.2.2 脱壳机的编写
3.3 利用调试API制作内存补丁
3.3.1 跨进程内存存取机制
3.3.2 Debug API机制
第4章 Windows下的异常处理
4.1 基本概念
4.1.1 Windows下的软件异常
4.1.2 未公开的可靠吗
4.2 结构化异常处理(SEH)
4.2.1 异常处理的基本过程
4.2.2 SEH的分类
4.2.3 相关API
4.2.4 SEH相关数据结构
4.3 异常处理程序设计
4.3.1 顶层(top-level)异常处理
4.3.2 线程异常处理
4.3.3 异常处理的堆栈展开(Stack unwind)
4.3.4 异常处理程序设计中的几个注意事项:
4.4 SEH的简单应用
4.4.1 Win9x下利用SEH进ring0
4.4.2 利用SEH实现对自身的单步自跟踪
4.4.3 其它应用
4.5 系统背后的秘密
4.6 VC是如何封装系统提供的SEH机制的
4.6.1 扩展的EXCEPTION_REGISTRATION级相关结构
4.6.2 数据结构组织
4.7 Windows XP下的向量化异常处理(VEH)
第5章 软件加密技术
5.1 反调试技术(Anti-Debug)
5.1.1 句柄检测
5.1.2 SoftICE后门指令
5.1.3 int68子类型
5.1.4 ICECream子类型
5.1.5 判断NTICE服务是否运行
5.1.6 INT 1 检测
5.1.7 利用UnhandledExceptionFilter检测
5.1.8 INT 41子类型
5.2 反跟踪技术(Anti-Trace)
5.2.1 断点检测
5.2.2 利用SEH反跟踪
5.2.3 SMC技术实现
5.3 反加载技术(Anti-Loader)
5.3.1 利用TEB检测
5.3.2 利用IsDebuggerPresent函数检测
5.3.3 检查父进程
5.4 反DUMP技术(Anti-Dump)
5.5 文件完整性检验
5.5.1 CRC校验实现
5.5.2 校验和(Checksum)
5.5.3 内存映像校验
5.6 反监视技术(Anti-Monitor)
5.6.1 窗口方法检测
5.6.2 句柄检测
5.7 反静态分析技术
5.7.1 扰乱汇编代码
5.7.2 花指令
5.7.3 信息隐藏
5.8 代码与数据结合技术
5.9 软件保护的若干忠告
第6章 加壳软件编写
6.1 外壳编写基础
6.1.1 判断文件是否是PE格式的EXE文件
6.1.2 文件基本数据的读入
6.1.3 额外数据保留
6.1.4 重定位数据的去除
6.1.5 文件的压缩
6.1.6 资源区块的处理
6.1.7 区块的融合
6.1.8 输入表的处理
6.1.9 外壳部分的编写
6.1.10 将外壳部分添加至原程序
6.1.10 小结
6.2 加壳程序综合运用的实例
6.2.1 程序简介
6.2.2 加壳子程序(WJQ_ShellBegin())
6.2.3 PE外壳程序
6.2.4 加进Anti技术
6.2.5 通过外壳修改被加壳PE
6.2.6 VC++调用汇编子程序
第7章 如何让壳与程序融为一体
7.1 序
7.1.1 为何需要壳和程序一体化
7.1.2 为阅读此章节需要的知识
7.1.3 基于此章节用的的例子程序说明
7.2 欺骗检查壳的工具
7.2.1 fi是如何检查壳的
7.2.2 欺骗fi
7.3 判断自己是否给脱壳了
7.3.1 判断文件尺寸
7.3.2 检查标记
7.3.3 外部检测(使用dll)
7.3.4 hook 相关的api(防止loader和调试api)
7.4 使用sdk把程序和壳溶为一体
7.4.1 sdk的意义
7.4.2 做一个带sdk的壳
7.5 后记:关于壳和程序的思考
第8章 Visual Basic 6 逆向工程
8.1 简介
8.2 P-code传奇
8.3 VB编译奥秘
8.4 VB与COM
8.5 VB可执行程序结构研究
8.6 VB程序事件解读
8.7 VB程序图形界面(GUI)解读
8.8 VB程序执行代码研究
8.9 我们的工具
8.10 VB程序保护篇
附录A 在Visual C++中使用内联汇编
附录B 在Visual Basic中使用汇编
Platform: |
Size: 1389111 |
Author: vachel |
Hits:
Description: BlowFishEnc ENCRYPTION ALGORITHM 包含C++ class 用于文件加密
-BlowFishEnc ENCRYPTION ALGORITHM contains C class for file encryption
Platform: |
Size: 33792 |
Author: |
Hits:
Description: This article describes the customization of existing applications through the use of custom Dynamic-Link Libraries (DLLs) and the process of, what I have titled, Remote Library Loading. It also presents a small utility I developed to make this process easier I titled it the Remote Library Loader.
For the ideas here I give credit originally to Jeffrey Ricther in Programming Applications for Microsoft Windows with his "DLL Injection." The primary difference between our applications is that his works with running target processes, where mine also acts as a target process loader. In any case, much credit to him!-This article describes the customization of existing applications through the use of Miami tom Dynamic- Link Libraries (DLLs) and the proc ess of, and what I have titled, Remote Library Loading. It also presents a smal l utility I developed to make this process easie r I titled it the Remote Library Loader. For the i deas here I give credit to Jeffrey originally Ri cther in Programming Applications for Microso ft Windows with his "DLL Injection." The legs y difference between our applications is that h is works with running target processes, where mine also acts as a target process loader. In any case, much credit to him!
Platform: |
Size: 18432 |
Author: 李登煇 |
Hits:
Description: 原理:对Pe文件的.data节,.text节进行XOR加密,然后将带解密的Loader写入文件头和第一个段的开头之间,修改Entry Point使其指向Loader.
测试用例:使用vc6.0自动生成的mfc对话框应用程序。
参考文献:(1)def源码
(2)黑客调试技术揭秘
(3)yoda s protector源码-Principle: The Pe documents. Data section,. Text section to XOR encryption, and then will take declassified documents Loader write head and the first between the beginning of paragraph, modify Entry Point to point Loader. Test cases: the use of vc6. 0 automatically generated mfc dialog application. References: (1) def source (2) debug technology hackers Secret (3) yoda s protector source
Platform: |
Size: 457728 |
Author: 东南 |
Hits:
Description: 原理:对Pe文件的.data节,.text节进行XOR加密,然后将带解密的Loader写入文件头和第一个段的开头之间,修改Entry Point使其指向Loader.
测试用例:使用vc6.0自动生成的mfc对话框应用程序。
参考文献:(1)def源码
(2)黑客调试技术揭秘
(3)yoda s protector源码-Principle: The Pe documents. Data section,. Text section to XOR encryption, and then will take declassified documents Loader write head and the first between the beginning of paragraph, modify Entry Point to point Loader. Test cases: the use of vc6. 0 automatically generated mfc dialog application. References: (1) def source (2) debug technology hackers Secret (3) yoda s protector source
Platform: |
Size: 456704 |
Author: 东南 |
Hits:
Description: 用opengl and VC++编写的用于load obj文件的程序
Platform: |
Size: 2623488 |
Author: davii |
Hits:
Description: 原理:对Pe文件的.data节,.text节进行XOR加密,然后将带解密的Loader写入文件头和第一个段的开头之间,修改Entry Point使其指向Loader.
测试用例:使用vc6.0自动生成的mfc对话框应用程序。-Principle: The Pe documents. Data section,. Text section to XOR encryption, and then will take declassified documents Loader write head and the first between the beginning of paragraph, modify Entry Point to point Loader. Test cases: the use of vc6. 0 automatically generated mfc dialog application.
Platform: |
Size: 45056 |
Author: 黑色心情 |
Hits:
Description: 从内存中加载DLL和EXE文件,支持压缩的文件.-From memory to load DLL and EXE files, compressed file support.
Platform: |
Size: 5767168 |
Author: 李林 |
Hits:
Description: DLL注入,就把什么枚举进程、查找窗口和进程特权设置那西东西省了。
附件中带了一个testDll.dll,是我写的一个测试DLL,因为一般的DLL注入进去了可能没反应,所以在我写了个DLL,在里面加了MessageBox,可以弹出来,这样就知道DLL运行没有。DLL是VC++写的,因为我用的是VB迷你版,只能写ActiveX DLL,而这种DLL不能用来注入(我写了个,在Main函数里写了个MsgBox,启动对象设为 Sub Main,发现可以注入,但没有MsgBox出现),如果谁要DLL源码就回贴说,我发上来。-DLL injection, so what enumeration process, the search window and the process of setting privileges things that saved the West. Annex with a testDll.dll, I wrote a test DLL, because the DLL may be injected into the reaction, so I wrote a DLL, in which added a MessageBox, can pop up years, so know DLL Run no. DLL is VC++ Write, because I use the mini version of VB, only to write ActiveX DLL, and this DLL can not be used to inject (I wrote a month, in the Main function in writing a MsgBox, restart the object located for the Sub Main, discovery can be injected, but did not appear MsgBox), if the DLL source who said on Posted, me up.
Platform: |
Size: 84992 |
Author: 风尘小子 |
Hits:
Description: 一个操作系统的可执行文件格式,从许多角度来看,都是操作系统内建行为的一面镜子。
虽然可执行档格式通常并不是一个程序员认为迫切需要学习的东西,但操作系统的许多
有用的知识却可以在这个过程中获得。动态联结、加载器行为、以及内存管理,是特
别容易在这个学习过程中推理而得的三个主题。-An operating system of the executable file format, from a number of point of view, are built into the operating system acts as a mirror. Although the executable file format is usually not a programmer that there was an urgent need to learn things, but the operating system a lot of useful knowledge can be gained in this process. Dynamic linking, loader behavior, and memory management, are particularly susceptible to the learning process in the reasoning of the above-mentioned three themes.
Platform: |
Size: 219136 |
Author: zzc |
Hits:
Description: 说明:
1 例子程序在 vc6.0 +windows xp 编译测试过
2 需要阅读者对程序进程空间,编译,pe结构有一定的理解
3 这里根据自己认识加上对其他资料整理而成,对dll 简单的介绍
-Description: 1 examples of procedures vc6.0+ Windows xp compile tested 2 need to read about the process of the space program, the compiler, pe a certain degree of understanding of the structure of 3 here, according to their own awareness coupled with other data from the simple dll Introduction
Platform: |
Size: 327680 |
Author: 周晓宇 |
Hits:
Description: Morphine v2.7,程序压缩源码,保护程序不被恶意修改-Morphine is very unique application for PE files encryption. Unlike
other PE encryptors and compressors Morphine includes own PE loader which
enables it to put whole source image to the .text section of new PE file. This
one is very powerful because you can compress source file with your favourite
compressor like UPX and then encrypt its output with Morphine. Another powerful
thing here is polymorphic engine which always creates absolutely different
decryptor for the new PE file. This mean if your favourite trojan horse is
detected by an antivirus you can encrypt it with Morphine. You will not get
the virus alert again.
Platform: |
Size: 31744 |
Author: hack |
Hits:
Description: peloader简单的pe加载程序,应该会比较有用-peloader simple pe loader, should be more useful
Platform: |
Size: 23552 |
Author: 高小伟 |
Hits:
Description: vc++ 编写pe加载器
-crack with loader
Platform: |
Size: 1413120 |
Author: 谢玉林 |
Hits:
Description: 打开PE文件可以看出是否windows可执行文件
可以看一哈-pe loader
Platform: |
Size: 2066432 |
Author: 江浩 |
Hits:
Description: windows pe loader, ripped from reactos
Platform: |
Size: 3072 |
Author: felize |
Hits:
Description: Windows下可执行文件加载器的工作原理和分析,可以作为自制加载器哦参考-Reveals the inner process of Windows PE loader
Platform: |
Size: 287744 |
Author: |
Hits:
Description: PE-loader which I wrote in C and Assembler.
Loads test dll and calls the needed function from there. Analogues of WinAPI GetProcAddress and LoadLibrary are implemented.
Platform: |
Size: 23552 |
Author: Pavel |
Hits:
Description: PE Explorer & Windows DLL Disassembly
Platform: |
Size: 1703936 |
Author: zbuddha |
Hits:
Description: KMSpico 10.2.1 final Portable (All windows activator and Office) crack windows v2
Platform: |
Size: 1514496 |
Author: redbulx3 |
Hits: