2018. 3. 11. 03:04ㆍ0x03 Reversing Theory
메인 함수 시작 주소부터 10바이트 기계어 읽어오기. (아래 코드의 주소 0x401100은 하드코딩된 값이므로 ASLR(/DYNAMICBASE)이 꺼진, 기본 베이스 0x400000에 로드된 빌드에서만 유효하다.)
#include <iostream>
#include <Windows.h>
#include <stdio.h>
#include <TlHelp32.h>
#define SIZE (10)
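int main(int argc, char* argv[])
{
    // Read SIZE bytes of machine code starting at a fixed address inside this
    // process via ReadProcessMemory and print them one byte per line.
    // Returns 0 on success, 1 if opening the process or the read fails.
    (void)argc;

    const DWORD pid = GetCurrentProcessId(); // our own pid: we read our own image

    // "Hardcoding version": the address of main is a compile-time constant.
    // It is only valid for an image loaded at its preferred base (0x400000),
    // i.e. a build with ASLR (/DYNAMICBASE) disabled; otherwise the read below
    // fails and the program reports the Win32 error instead of looping forever.
    const LPCVOID lpBaseAddress =
        reinterpret_cast<LPCVOID>(static_cast<ULONG_PTR>(0x401100));

    // Byte buffer. The original declared LPVOID buf[SIZE] -- SIZE pointers, not
    // SIZE bytes -- and printed pointer-sized elements with %02x, so the output
    // was not the machine-code bytes.
    unsigned char buf[SIZE] = { 0 };

    // Least privilege: ReadProcessMemory needs only PROCESS_VM_READ.
    // PROCESS_ALL_ACCESS is not "VM_READ + VM_WRITE"; it grants every right on
    // the process (terminate, create thread, duplicate handle, ...).
    const HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pid);
    if (hProcess == NULL) {
        std::cerr << "OpenProcess failed, error " << GetLastError() << std::endl;
        return 1;
    }

    std::cout << argv[0] << "s pid = " << pid << std::endl;
    std::cout << "main function address 0x" << lpBaseAddress << std::endl;

    // Single attempt: a failed read (bad address or missing rights) does not
    // fix itself, so the original's retry-forever loop never terminated.
    // The Win32 error is in GetLastError(), not errno, so perror() was wrong.
    SIZE_T bytesRead = 0;
    const BOOL ok = ReadProcessMemory(hProcess, lpBaseAddress, buf, SIZE, &bytesRead);
    const DWORD err = ok ? ERROR_SUCCESS : GetLastError();
    CloseHandle(hProcess); // the original leaked this handle

    if (!ok || bytesRead != static_cast<SIZE_T>(SIZE)) {
        std::cerr << "ReadProcessMemory failed, error " << err
                  << " (read " << bytesRead << " of " << SIZE << " bytes)" << std::endl;
        return 1;
    }

    // Print every byte that was read (the original printed only 5 of the 10).
    for (int i = 0; i < SIZE; ++i) {
        printf("%02x\n", buf[i]);
    }
    return 0;
}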
출력이 디버거의 메모리 덤프(주소 순서의 바이트 나열)와 일치하도록, 읽어온 기계어를 4바이트 단위로 바이트 순서를 뒤집어(SWAP32) 출력하게 짜봄.
#include <iostream>
#include <Windows.h>
#include <stdio.h>
#include <TlHelp32.h>
#define SIZE (0x100)
#define SWAP32(I) \
( ((((I) & 0xff000000) >> 24) | \
(((I) & 0x00ff0000) >> 8 ) | \
(((I) & 0x0000ff00) << 8 ) | \
(((I) & 0x000000ff) << 24)))
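int main(int argc, char* argv[])
{
    // Read SIZE bytes of machine code from a fixed address in this process and
    // print them one 32-bit word per line, in memory (dump) order.
    // Returns 0 on success, 1 if opening the process or the read fails.
    (void)argc;

    const DWORD pid = GetCurrentProcessId(); // our own pid: we read our own image

    // "Hardcoding version": only valid for an image loaded at its preferred
    // base (0x400000), i.e. a build with ASLR (/DYNAMICBASE) disabled. With a
    // relocated image the read fails and the error is reported below.
    const LPCVOID lpBaseAddress =
        reinterpret_cast<LPCVOID>(static_cast<ULONG_PTR>(0x401100));

    // Byte buffer. The original used LPVOID buf[SIZE] (SIZE pointers), then
    // walked all SIZE elements although only SIZE *bytes* had been read, and
    // passed a pointer to printf("%02X") -- undefined behaviour and truncated
    // output (leading zero bytes of a word were dropped).
    unsigned char buf[SIZE] = { 0 };

    // Least privilege: reading memory needs only PROCESS_VM_READ, not
    // PROCESS_ALL_ACCESS (which is far more than VM_READ + VM_WRITE).
    const HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pid);
    if (hProcess == NULL) {
        std::cerr << "OpenProcess failed, error " << GetLastError() << std::endl;
        return 1;
    }

    std::cout << argv[0] << "s pid = " << pid << std::endl;
    std::cout << "main function address 0x" << lpBaseAddress << std::endl;

    // One attempt: a failed read is not transient, so the original's
    // while(TRUE) retry never terminated; report GetLastError() (perror reads
    // errno, which Win32 APIs do not set) and exit.
    SIZE_T bytesRead = 0;
    const BOOL ok = ReadProcessMemory(hProcess, lpBaseAddress, buf, SIZE, &bytesRead);
    const DWORD err = ok ? ERROR_SUCCESS : GetLastError();
    CloseHandle(hProcess); // the original leaked this handle

    if (!ok) {
        std::cerr << "ReadProcessMemory failed, error " << err << std::endl;
        return 1;
    }

    // Assemble each 4-byte group little-endian (as the CPU would load it) and
    // byte-swap it with SWAP32 so the printed hex reads in address order, the
    // way a debugger's byte dump shows it. %08lX keeps leading zeros.
    for (SIZE_T off = 0; off + 4 <= bytesRead; off += 4) {
        const DWORD word = static_cast<DWORD>(buf[off])
                         | (static_cast<DWORD>(buf[off + 1]) << 8)
                         | (static_cast<DWORD>(buf[off + 2]) << 16)
                         | (static_cast<DWORD>(buf[off + 3]) << 24);
        printf("%08lX\n", static_cast<unsigned long>(SWAP32(word)));
    }
    return 0;
}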
조금 더 수정: 읽어온 내용을 끝까지 출력하지 않고, 처음으로 0인 요소를 만나면 출력을 멈추도록 변경.
#include <iostream>
#include <Windows.h>
#include <stdio.h>
#include <TlHelp32.h>
#define SIZE (0x100)
#define SWAP32(I) \
( ((((I) & 0xff000000) >> 24) | \
(((I) & 0x00ff0000) >> 8 ) | \
(((I) & 0x0000ff00) << 8 ) | \
(((I) & 0x000000ff) << 24)))
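int main(int argc, char* argv[])
{
    // Read SIZE bytes of machine code from a fixed address in this process and
    // print them one 32-bit word per line in memory (dump) order, stopping at
    // the first all-zero word. Returns 0 on success, 1 on failure.
    (void)argc;

    const DWORD pid = GetCurrentProcessId(); // our own pid: we read our own image

    // "Hardcoding version": only valid for an image loaded at its preferred
    // base (0x400000), i.e. a build with ASLR (/DYNAMICBASE) disabled.
    const LPCVOID lpBaseAddress =
        reinterpret_cast<LPCVOID>(static_cast<ULONG_PTR>(0x401100));

    // Byte buffer. The original used LPVOID buf[SIZE] (SIZE pointers) and
    // scanned it with `while (buf[i] != '\0')` -- no upper bound at all; it only
    // terminated because the unread tail of the array happened to be zero.
    unsigned char buf[SIZE] = { 0 };

    // Least privilege: reading memory needs only PROCESS_VM_READ, not
    // PROCESS_ALL_ACCESS (which is far more than VM_READ + VM_WRITE).
    const HANDLE hProcess = OpenProcess(PROCESS_VM_READ, FALSE, pid);
    if (hProcess == NULL) {
        std::cerr << "OpenProcess failed, error " << GetLastError() << std::endl;
        return 1;
    }

    std::cout << argv[0] << "s pid = " << pid << std::endl;
    std::cout << "main function address 0x" << lpBaseAddress << std::endl;

    // One attempt: a failed read is not transient, so the original's
    // while(TRUE) retry never terminated. Win32 errors live in GetLastError(),
    // not errno, so perror() printed nothing useful.
    SIZE_T bytesRead = 0;
    const BOOL ok = ReadProcessMemory(hProcess, lpBaseAddress, buf, SIZE, &bytesRead);
    const DWORD err = ok ? ERROR_SUCCESS : GetLastError();
    CloseHandle(hProcess); // the original leaked this handle

    if (!ok) {
        std::cerr << "ReadProcessMemory failed, error " << err << std::endl;
        return 1;
    }

    // Walk the bytes actually read, 4 at a time. The word is assembled
    // little-endian and byte-swapped with SWAP32 so the hex reads in address
    // order like a debugger dump; the loop keeps the listing's "stop at the
    // first zero element" rule, but is now bounded by bytesRead.
    for (SIZE_T off = 0; off + 4 <= bytesRead; off += 4) {
        const DWORD word = static_cast<DWORD>(buf[off])
                         | (static_cast<DWORD>(buf[off + 1]) << 8)
                         | (static_cast<DWORD>(buf[off + 2]) << 16)
                         | (static_cast<DWORD>(buf[off + 3]) << 24);
        if (word == 0) {
            break;
        }
        printf("%08lX\n", static_cast<unsigned long>(SWAP32(word)));
    }
    return 0;
}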