Practical Reverse Engineering Practice
http://rioshen.logdown.com/posts/220416-practical-reverse-engineering-practice
https://bin.re/blog/practical-reverse-engineering-solutions-page-17/
https://link.springer.com/chapter/10.1007/978-981-19-0336-6_5
Reverse Engineering | SpringerLink
    Version 1 – Based on RET
    Version 2 – Based on JMP
    Version 3 – Based on CALL
https://www.nikj.fr/walkthroughs/prr_ex1/
Practical Reverse Engineering - Ex 1 •
Tutorial - Setup Remote Kernel Debugging Oct 4, 2021 Setup Remote Kernel Debugging for Kernel Driver development ...
Tutorial - Unpack Self Injection Packer Apr 15, 2021 Malware authors try to hide themselves from antivirus and make analysis harder for analysts. One technique they use is called packing, which means making the code more obfuscated and unreadable. In this post, we'll look at one specific kind of unpacking technique that you can use to finally start the analysis of the real payload. This technique is called Self-Injection. ...
 
Reverse EIP function name breakpoint GetProcAddress
https://medium.com/@nebdar/malware-basics-manually-unpacking-5-malware-samples-with-x32-64dbg-pma-labs-4c9b540b5456
Malware Basics: Manually unpacking 5 malware samples with x32-64dbg (PMA labs) | by Chloe Security System | Medium
https://github.com/mikesiko/PracticalMalwareAnalysis-Labs
Finding OEP: We can use OllyDbg or x64dbg to find the original entry point (OEP), which is the first instruction of the program before it was packed. To do so we need to find the tail jump, the instruction that jumps from the unpacking stub to the OEP.
"_IMPORT_DESCRIPTOR_KERNEL32" "kernel32.dll" "ADVAPI32"
OllyDbg OllyDump plugin
kernel32 advapi32 gdi32 user32 explorer 
 IApiTracingDataCollector  Win32  
https://monoinfinito.wordpress.com/series/exception-handling-in-c/
C++ exception handling internals
https://stackoverflow.com/questions/71540648/how-to-get-rtti-from-member-function-pointers
ABI reference c++ CXX ABI
https://github.com/itanium-cxx-abi/cxx-abi
https://itanium-cxx-abi.github.io/cxx-abi/abi.html
Application Binary Interface (ABI) for C++ programs
    Acknowledgements
    Chapter 1: Introduction
        1.1 Definitions
        1.2 Limits
        1.3 Namespace and Header
        1.4 Scope of This ABI
        1.5 Base Documents 
    Chapter 2: Data Layout
        2.1 General
        2.2 POD Data Types
        2.3 Member Pointers
        2.4 Non-POD Class Types
        2.5 Virtual Table Layout
        2.6 Virtual Tables During Object Construction
        2.7 Array Operator new Cookies
        2.8 Initialization Guard Variables
        2.9 Run-Time Type Information (RTTI) 
    Chapter 3: Code Emission and APIs
        3.1 Functions
        3.2 Virtual Calls
        3.3 Construction and Destruction APIs
        3.4 Demangler API 
    Chapter 4: Exception Handling
    Chapter 5: Linkage and Object Files
        5.1 External Names (a.k.a. Mangling)
        5.2 Vague Linkage
        5.3 Unwind Table Location 
    Appendix R: Revision History 