12. Simple EXE Hacking with Ollydbg

What You Need

A Windows machine, real or virtual. I used a Windows Server 2008 virtual machine.

Purpose

To modify a Windows EXE file and save an altered version. This gives you practice with very simple features of the Ollydbg debugger: finding the code that references a string, setting breakpoints, assembling a replacement instruction, editing bytes in the dump, and writing the changes back to the file.

Task 1: Target EXE Recon

Get putty.exe

If you are using the machine handed out by your instructor, putty.exe is in the Downloads folder.

If you are using some other machine, get it here:

https://samsclass.info/127/proj/putty.exe

Verifying the SHA256 Hash

Run Hashcalc on putty.exe and confirm that the SHA256 value matches the value shown below. If it does not match, do not run the file; download it again and check the hash before continuing.

Running PuTTY

Double-click putty.exe. PuTTY opens, as shown below.

If PuTTY won't start, right-click it, click Properties, and click Unblock.

In the "Host Name (or IP address)" box, type

ad.samsclass.info
At the bottom, click the Open button.

A black box opens, and shows a "login as: " prompt, as shown below.

You could log in to a server at this point, but that's not the point of this project. We will alter this program so that it prints something other than "login as".

Close the PuTTY window.

Starting Ollydbg

Click Start. Search for Ollydbg and start it.

In Ollydbg, from the menu bar, click File, Open. Navigate to putty.exe and open it.

Ollydbg opens, as shown below. If your screen doesn't look like this, click View, CPU and maximize the CPU window.

Ollydbg shows you a lot of data, but for now just notice the Assembly Code in the top left pane, and the Paused message in the lower right.

When you load a program into Ollydbg, it starts in a "Paused" state, with the Assembly Code window showing the first instruction at the program's entry point.

Running PuTTY in Ollydbg

In Ollydbg, from the menu bar, click Debug, Run.

A PuTTY window opens, but it's behind the Olly window. At the bottom of the screen, in the taskbar, click the "PuTTY Configuration" button to bring the PuTTY window to the front, as shown below.

Click in the PuTTY window. In the "Host Name (or IP address)" box, type

ad.samsclass.info
At the bottom, click the Open button. The "login as" message appears, as shown below.

PuTTY is running, but it's under the control of Ollydbg, so we can pause it, inspect it, and modify its execution.

Finding the "login as" Code

Close the PuTTY window. A box asks "Are you sure..." Click OK.

In Ollydbg, from the menu bar, click Debug, Restart.

In Ollydbg, in the "Assembly Code" pane, right-click. Point to "Search for". Click "All referenced text strings", as shown below.

A "Text strings referenced in putty:.text" window opens, listing every string that code in the .text section references, together with the instruction that references it.

To make this text easier to read, right-click, point to Appearance, Font, and click "OEM Fixed Font".

Right-click in that window, and click "Search for text", as shown below.

In the "Enter text to search for" box, type

login as
as shown below. Check the "Entire scope" box.

Click OK.

Ollydbg finds the ASCII string "login as" and the instruction that uses it, as shown below. This instruction is at address 00417053.

Right-click again, and click "Search next".

Ollydbg finds another instruction that uses this string, as shown below. This instruction is at address 0041CB6E.

Right-click again, and click "Search next".

A message appears at the bottom of the window saying "Item not found". There are only two instructions in the program that reference this string.

Using Breakpoints

We'll set breakpoints at both instructions to see which one actually executes when logging in to an SSH server.

In the "Text strings referenced in putty:.text" window, right-click again, and click "Search for text". The "Enter text to search for" box still contains "login as"; click OK.

The instruction at 00417053 appears again. Right-click this instruction and click "Toggle breakpoint", as shown below.

The address turns red, as shown below, to indicate that there's a breakpoint here.

Right-click again, and click "Search next". The instruction at address 0041CB6E appears. Right-click it and click "Toggle breakpoint".

The address turns red, as shown below.

In Ollydbg, from the menu bar, click Debug, Restart.

A box pops up warning you that "Process 'putty' is active". Click Yes.

In Ollydbg, from the menu bar, click Debug, Run.

A PuTTY window opens. Bring it to the front, as shown below.

Click in the PuTTY window. In the "Host Name (or IP address)" box, type

ad.samsclass.info
At the bottom, click the Open button.

A black window opens and closes quickly, and the program stops, as shown below.

The program stopped at the breakpoint on the instruction at 0041CB6E, as shown in the image above. The breakpoint at 00417053 was never hit on this code path.

We'll use this instruction to hijack the program's execution.


Task 2: Alter the Login Message

Removing the Breakpoints

We don't need the breakpoints any more, so we'll remove them.

In Ollydbg, from the menu bar, click View, Breakpoints.

A "Breakpoints" window opens, showing two breakpoints.

Right-click the first breakpoint and click Remove, as shown below.

Repeat the process to remove the other breakpoint. Close the "Breakpoints" window.

Removing One Letter From the Message

In Ollydbg, in the CPU window, in the Assembly Code pane, right-click the instruction at address 0041CB6E and click Assemble, as shown below.

An "Assemble at 0041CB6E" box appears, as shown below.

This shows the instruction at this location. It's a PUSH instruction, placing the address 467C7C onto the stack. That address points to the letter "l" in the ASCII string "login as: ", as shown on the right side of the instruction line, outlined in green in the image below. The program never copies the string; it passes this pointer, so whatever the pointer selects is what gets printed.

In the "Assemble at 0041CB6E" box, change the last character to D, as shown below. The operand becomes 467C7D, one byte further into the string, which moves the pointer from the "l" to the "o" in "login as: ". Because the instruction is still a five-byte PUSH imm32, its length does not change and nothing after it needs to be shifted.

Click the Assemble button.

Click the Cancel button to close the box.

The comment on the right now says "ogin as: ", as shown below.

Running the Modified Program

In Ollydbg, from the menu bar, click Debug, Run.

The black login window appears, with the message "ogin as: ", as shown below.

When I did it, an error box also popped up saying "Server unexpectedly closed network connection". If that happens, just close the error box.

Saving the Modified .text Section

We have now changed an assembly language instruction in memory only; the change is lost when the process exits unless we write it back to the file. The instruction we patched lives in the .text section of the file, which is where this program's executable code is.

In Ollydbg, in the top left pane of the CPU window, right-click, point to "Copy to Executable", and click "All modifications", as shown below.

A "Copy selection to executable file" box pops up, as shown below. Click the "Copy all" button.

A new window pops up, with a title ending in "putty.exe", as shown below.

Right-click in the new window and click "Save file".

Save the file as puttymod.exe.

Running the Modified EXE

Close Ollydbg.

Double-click puttymod.exe.

In the "Host Name (or IP address)" box, type

ad.samsclass.info
At the bottom, click the Open button.

A black box opens, and shows an "ogin as: " prompt, as shown below. The patch survived the save and the program runs outside the debugger.

Modifying the puttymod File

Open Ollydbg and load the puttymod.exe file.

In the top left pane of the CPU window, right-click, point to "Go to", and click Expression, as shown below.

In the "Enter expression to follow" box, enter

41CB6E
as shown below. Click OK.

Changing the Login Message

In the top left pane of the CPU window, right-click 00467C7D, as shown below. Point to "Follow in Dump" and click "Immediate constant".

The Hex Dump pane, in the lower left, shows the text "ogin as: ", as shown below.

In the Hex Dump pane, highlight "ogin as: ", as shown below. Right-click the highlighted text. Point to Binary. Click Edit.

An "Edit data at 00467C7D" box opens, as shown below.

Click in the ASCII field, press Backspace to move back to the start, and overwrite the message with this text, as shown below:

BADNESS

"BADNESS" is seven characters, so it covers only the "ogin as" part; the trailing ": " and the string's null terminator are left alone. Do not type more characters than the highlighted text holds: a longer replacement would overwrite the terminator and whatever data follows the string.

Click OK. The modified text appears in red letters in the Dump, as shown below.

Saving the Modified ASCII Text

In Ollydbg, in the lower left "Dump" pane of the CPU window, right-click and click "Copy to executable file", as shown below.

A box with a long title ending in "puttymod.exe" appears showing the modified file, as shown below. Click the X in the top right of that box to close it.

A "File changed" box appears, as shown below. Click Yes.

A "Copy selection to executable file" box pops up. Click the "Copy all" button.

A new window pops up, with a title ending in "putty.exe", as shown below.

Right-click in the new window and click "Save file".

Save the file as "puttymod2.exe".

Running the Modified EXE

Close Ollydbg.

Double-click puttymod2.exe.

In the "Host Name (or IP address)" box, type

ad.samsclass.info
At the bottom, click the Open button.

A black box opens, and shows a "BADNESS: " prompt, as shown below.
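The three edits above (finding the instructions that reference the string, bumping the PUSH operand by one byte, and overwriting the string bytes at the new pointer) can be done with a script instead of the Olly GUI. The script below is an added example, not part of the original project or of PuTTY, and it works on a constructed minimal PE32 built in build_sample_pe(); the addresses 0x401020, 0x401050 and 0x402010 are invented stand-ins for 00417053, 0041CB6E and 00467C7C, and the ImageBase of 0x400000 is assumed for the sample only. The one thing Olly hides from you, and the script makes explicit, is the translation from the virtual address shown in the debugger to the raw file offset where the bytes live (raw pointer of the section plus the distance of the RVA from the section's virtual address); get that wrong and you patch the wrong bytes on disk even though the in-memory edit worked.

```python
"""Scripted version of the Olly edits on this page: locate every PUSH imm32 that
references the prompt string, bump one PUSH operand by a byte, and overwrite the
string at the new pointer. Added example; the PE it walks is constructed below."""
import struct

PE32_MAGIC = 0x10B
PUSH_IMM32 = 0x68  # one-byte opcode, followed by a 4-byte little-endian operand


def _headers(pe: bytes):
    """Return (image_base, [(va, vsize, raw_ptr, raw_size), ...]) from the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 handled here (the putty.exe in this project is 32-bit)")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(pe: bytes, va: int) -> int:
    """Olly shows VAs; the file is indexed by raw offset: raw_ptr + (rva - section_va)."""
    image_base, sections = _headers(pe)
    rva = va - image_base
    for sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            if rva - sva >= raw_size:
                raise ValueError(f"VA {va:08X} is not backed by file data")
            return raw_ptr + (rva - sva)
    raise ValueError(f"VA {va:08X} is outside every section")


def find_push_refs(pe: bytes, target_va: int) -> list:
    """VAs of every 'PUSH target_va' byte pattern in any section (a byte scan, so an
    immediate that merely looks like this opcode sequence is a possible false positive)."""
    image_base, sections = _headers(pe)
    needle = bytes([PUSH_IMM32]) + struct.pack("<I", target_va)
    hits = []
    for sva, vsize, raw_ptr, raw_size in sections:
        body = pe[raw_ptr:raw_ptr + raw_size]
        pos = body.find(needle)
        while pos != -1:
            hits.append(image_base + sva + pos)
            pos = body.find(needle, pos + 1)
    return hits


def read_push_imm32(pe: bytes, va: int) -> int:
    off = va_to_offset(pe, va)
    if pe[off] != PUSH_IMM32:
        raise ValueError(f"no PUSH imm32 at {va:08X} (opcode {pe[off]:02X})")
    return struct.unpack_from("<I", pe, off + 1)[0]


def write_at_va(pe: bytes, va: int, data: bytes) -> bytes:
    off = va_to_offset(pe, va)
    buf = bytearray(pe)
    buf[off:off + len(data)] = data
    return bytes(buf)


def cstring_at_va(pe: bytes, va: int) -> bytes:
    off = va_to_offset(pe, va)
    return pe[off:pe.index(b"\0", off)]


def redirect_prompt(pe: bytes, push_va: int, new_text: bytes) -> bytes:
    """Task 2 in one call: PUSH operand += 1 (drops the 'l'), then overwrite at the new
    pointer. The replacement may not exceed what it overwrites, or the NUL and whatever
    follows the string get clobbered."""
    new_ptr = read_push_imm32(pe, push_va) + 1
    if len(new_text) > len(cstring_at_va(pe, new_ptr)):
        raise ValueError("replacement longer than the remaining string")
    pe = write_at_va(pe, push_va + 1, struct.pack("<I", new_ptr))
    return write_at_va(pe, new_ptr, new_text)


def build_sample_pe() -> bytes:
    """Constructed PE32: .text RVA 0x1000 at file 0x400, .rdata RVA 0x2000 at file 0x600."""
    base = 0x400000  # assumed ImageBase for the sample
    buf = bytearray(0x800)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                                   # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)   # COFF header
    struct.pack_into("<H", buf, 0x58, PE32_MAGIC)
    struct.pack_into("<I", buf, 0x58 + 28, base)                              # ImageBase
    for i, (name, va, raw) in enumerate([(b".text", 0x1000, 0x400), (b".rdata", 0x2000, 0x600)]):
        off = 0x58 + 0xE0 + i * 40
        buf[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", buf, off + 8, 0x200, va, 0x200, raw)
    push = bytes([PUSH_IMM32]) + struct.pack("<I", base + 0x2010)
    buf[0x420:0x425] = push   # first reference, stand-in for 00417053
    buf[0x450:0x455] = push   # second reference, stand-in for 0041CB6E
    buf[0x610:0x61B] = b"login as: \0"
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_pe()
    refs = find_push_refs(sample, 0x402010)
    patched = redirect_prompt(sample, refs[-1], b"BADNESS")
    print([hex(r) for r in refs], cstring_at_va(patched, read_push_imm32(patched, refs[-1])))
```

To use it on a real file, read putty.exe into bytes, call find_push_refs with the string's VA from Olly (0x00467C7C), pick the reference the breakpoint experiment identified, and write the result of redirect_prompt out under a new name; the script never modifies the input file.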

Calculating the Hash (20 pts)

Calculate the CRC32 hash of puttymod2.exe.

Use the form below to get your points.

Your Name:
CRC32 hash like this:
07b01710
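Both hashes on this page (the SHA256 check of putty.exe in Task 1 and the CRC32 of puttymod2.exe submitted here) can be computed without HashCalc. The script below is an added example, not part of the original project; it uses only the Python standard library, streams the file so a large EXE does not need to fit in memory, and zero-pads the CRC32 to eight hex digits so a value like 07b01710 keeps its leading zero.

```python
"""SHA256 (Task 1 download check) and CRC32 (final scoring) of a file, as HashCalc
shows them. Added example; standard library only."""
import hashlib
import hmac
import sys
import zlib


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def crc32_hex(data: bytes) -> str:
    """CRC32 as exactly 8 lowercase hex digits; plain hex() would drop a leading zero."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def hashes_of_file(path: str) -> dict:
    """Read the file in 1 MiB chunks and feed both hashes incrementally."""
    sha = hashlib.sha256()
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha.update(chunk)
            crc = zlib.crc32(chunk, crc)
    return {"sha256": sha.hexdigest(), "crc32": f"{crc & 0xFFFFFFFF:08x}"}


def matches_expected(actual_hex: str, expected_hex: str) -> bool:
    """Case-insensitive comparison of two hex digests, tolerant of copy-pasted whitespace."""
    return hmac.compare_digest(actual_hex.strip().lower(), expected_hex.strip().lower())


if __name__ == "__main__":
    # usage: python hashes.py putty.exe [expected_sha256]
    result = hashes_of_file(sys.argv[1])
    print(f"SHA256: {result['sha256']}")
    print(f"CRC32:  {result['crc32']}")
    if len(sys.argv) > 2:
        ok = matches_expected(result["sha256"], sys.argv[2])
        print("SHA256 matches" if ok else "SHA256 MISMATCH: do not run this file")
```

Run it on putty.exe with the expected SHA256 as the second argument before Task 1, and on puttymod2.exe with no second argument to get the CRC32 for the form.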

Sources

Backdooring PE Files - Part 1

Art of Anti Detection 2 – PE Backdoor Manufacturing

https://github.com/EgeBalci/Cminer

https://en.wikipedia.org/wiki/Code_cave

http://stackoverflow.com/questions/787100/what-is-a-code-cave-and-is-there-any-legitimate-use-for-one

The Beginners Guide to Codecaves

Reversing with Ollydbg debugger

Ollydbg 'Copy all modifications to executable' doesn't copy all modifications


Revised 7-29-17 1 pm