[Repost] Unpacking Reflector dynamically with WinDbg
Author: Bi11

I only just found out that WinDbg + SOS can debug managed programs... unstoppable...

Here's an example: unpacking Reflector for fun, the latest version, 4.2.0.0.
henryouly's "Notes from studying Reflector's protection scheme" (Essentials 7) has already explained the principle. In short, it decompresses first and then loads the result with Assembly.Load(byte[]). Our task this time is to dump that byte[] dynamically, at the moment it is about to be loaded.

Load Reflector in WinDbg:
Microsoft (R) Windows Debugger Version 6.6.0003.5
...

Set a module-load exception (break) for mscorjit.dll and run:
0:000> sxe ld:mscorjit.dll
0:000> g
...
ModLoad: 79430000 7947d000   C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\MSCORJIT.DLL
eax=00000000 ebx=00000000 ecx=00f60000 edx=7c92eb94 esi=00000000 edi=00000000
eip=7c92eb94 esp=0012e99c ebp=0012ea90 iopl=0         nv up ei ng nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000296
ntdll!KiFastSystemCallRet:
7c92eb94 c3               ret

Load sos.dll (a WinDbg extension; it lives in %windir%\Microsoft.NET\Framework\v1.1.4322\. If it won't load, set the PATH environment variable first):
0:000> .load sos

Find the MethodDesc for Assembly.Load:
0:000> !name2ee mscorlib.dll System.Reflection.Assembly.Load
Loaded Son of Strike data table version 5 from "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
...
-----------------------
MethodDesc: 79ba35a8
Name: [DEFAULT] Class System.Reflection.Assembly System.Reflection.Assembly.Load(SZArray UI1)
-----------------------

Put a breakpoint on this MethodDesc's m_CodeOrIL field (a 4-byte write breakpoint at MethodDesc+4) and wait for the RV to be filled in:
0:000> ba w4 79ba35a8+4
0:000> g
Breakpoint 0 hit
...

The RV should have been filled in by now; set a breakpoint on the address it points to:
0:000> bp poi(79ba35a8+4)
0:000> g
Breakpoint 1 hit
eax=79a3bea8 ebx=01283de0 ecx=02447a68 edx=00b4568c esi=01285f54 edi=01285f30
eip=79a3bea8 esp=0012f644 ebp=0012f674 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
mscorlib_79990000+0xabea8:
79a3bea8 50               push    eax

Check the managed stack; it looks right:
0:000> !clrstack
Thread 0
ESP      EIP
0012f644 79a3bea8 [DEFAULT] Class System.Reflection.Assembly System.Reflection.Assembly.Load(SZArray UI1)
0012f648 00f702d7 [DEFAULT] [hasThis] Void Reflector.Application..ctor(Class Reflector.IWindowManager)
0012f67c 00f70090 [DEFAULT] Void Reflector.Application.ᐁ()
0012f9b0 791d94bc [FRAME: GCFrame]
0012fa94 791d94bc [FRAME: GCFrame]

Look at the objects on the stack:
0:000> !dumpstackobjects
ESP/REG  Object   Name
ebx      01283de0 Reflector.Application
ecx      02447a68 System.Byte[]
esi      01285f54 ᐄ
edi      01285f30 System.IO.MemoryStream
0012f64c 01283de0 Reflector.Application
0012f654 01284dec System.IO.__UnmanagedMemoryStream
0012f660 01283de0 Reflector.Application

We've found its address: 2447a68. Let's take a look:
0:000> d 02447a68
02447a68  3c 2c b6 00 00 00 0e 00-4d 5a 00 00 05 00 00 00  <,......MZ......
02447a78  04 00 00 00 ff ff 00 00-80 00 00 00 00 00 00 00  ................
02447a88  40 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  @...............
02447a98  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
02447aa8  00 00 00 00 80 00 00 00-0e 1f e8 00 00 5a 83 c2  .............Z..
02447ab8  0d b4 09 cd 21 b8 01 4c-cd 21 54 68 69 73 20 70  ....!..L.!This p
02447ac8  72 6f 67 72 61 6d 20 63-61 6e 6e 6f 74 20 62 65  rogram cannot be
02447ad8  20 72 75 6e 20 69 6e 20-44 4f 53 20 6d 6f 64 65   run in DOS mode

Another view of the same memory, as dwords:
0:000> dd 02447a68
02447a68  00b62c3c 000e0000 00005a4d 00000005
02447a78  00000004 0000ffff 00000080 00000000
02447a88  00000040 00000000 00000000 00000000
02447a98  00000000 00000000 00000000 00000000
02447aa8  00000000 00000080 00e81f0e c2835a00
02447ab8  cd09b40d 4c01b821 685421cd 70207369
02447ac8  72676f72 63206d61 6f6e6e61 65622074
02447ad8  6e757220 206e6920 534f4465 65646f6d

Use LordPE to dump the memory starting at 0x2447a70, size 0xe0000, to a file. Rename it to .exe and check the entry point in PEiD: _CorDllMain, so it's a DLL. Rename the file to .dll then.

Drag it into Reflector: it loads normally. Done. This is my first time playing with WinDbg, so please point out anything I got wrong.

By the way, Reflector 4.2's obfuscation uses nothing but non-printable Unicode characters for names, so they all show up as little boxes. Very creative.

Main references:

Setting breakpoints in managed code (WinDbg)
http://blog.joycode.com/gangp/articles/20417.aspx

Exploring the CLR world with WinDbg [3]: tracing a method's JIT process
http://www.blogcn.com/User8/flier_lu/blog/1678453.html

SOS - Son of Strike
%???%\SDK\v1.1\Tool Developers Guide\Samples\sos\SOS.htm
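Where the dump boundaries in the post come from, as an added example that is not part of the original post: the dd output shows the x86 .NET 1.1 array layout the post relies on, [MethodTable pointer][element count][elements], which is why 00b62c3c and 000e0000 precede the MZ header and why the LordPE dump starts 8 bytes past the object at 0x2447a70 with size 0xe0000. The parser below reads that header from a captured object, derives the dump range, and repeats the PEiD DLL check by walking MZ -> e_lfanew -> PE -> IMAGE_FILE_HEADER.Characteristics; the sample object is constructed here, not a real dump, and the layout offsets are an assumption about this CLR version.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # IMAGE_FILE_HEADER.Characteristics bit set for DLLs


def parse_byte_array(obj: bytes, obj_addr: int) -> dict:
    """Parse a System.Byte[] object as laid out by the x86 .NET 1.1 CLR
    (assumed layout, matching the dd output in the post):
    +0 MethodTable pointer, +4 element count, +8 the elements themselves."""
    if len(obj) < 8:
        raise ValueError("buffer too short for an array object header")
    method_table, length = struct.unpack_from("<II", obj, 0)
    data = obj[8:8 + length]
    if len(data) != length:
        raise ValueError("object truncated: want %d element bytes, have %d" % (length, len(data)))
    # The range a memory dumper needs: start = object address + 8, size = element count.
    return {"method_table": method_table, "length": length,
            "dump_start": obj_addr + 8, "data": data}


def pe_is_dll(image: bytes) -> bool:
    """Walk MZ -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER and report
    whether the dumped image carries the DLL flag (the PEiD check in the post)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature at offset 0")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER follows the 4-byte signature; Characteristics is its last WORD (offset 18).
    characteristics = struct.unpack_from("<H", image, e_lfanew + 4 + 18)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def build_sample_object() -> bytes:
    """Constructed sample, not a real capture: a Byte[] whose MethodTable, length
    and e_lfanew match the post's dd output, wrapping a minimal DLL-flagged PE stub."""
    image = bytearray(0xE0000)                         # same element count as in the post
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)          # e_lfanew = 0x80, as in the dump
    image[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", image, 0x84, 0x014C)        # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", image, 0x84 + 18, 0x2102)   # DLL | 32-bit | executable image
    return struct.pack("<II", 0x00B62C3C, len(image)) + bytes(image)


SAMPLE_OBJECT_ADDR = 0x02447A68   # address !dumpstackobjects reported for the Byte[]
```

Running parse_byte_array(build_sample_object(), SAMPLE_OBJECT_ADDR) yields dump_start 0x2447a70 and length 0xe0000, the exact LordPE parameters the post uses, and pe_is_dll on the data reproduces the "_CorDllMain, so it's a DLL" conclusion.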