Exploring How a Task Manager Locker Works
The machines in our school's computer lab have multimedia teaching software installed, but Task Manager is locked: opening it prompts for a password. At first I figured multimedia teaching software couldn't be very sophisticated and assumed it simply watched for taskmgr, but copying it out and renaming it didn't work, and ending the teaching software's process with the taskkill command didn't work either; on top of that, the teaching software's process has anti-kill protection. Today the thing came to mind again, so I went online and found a similar Task Manager locker to try (download: http://www.netbars.net/soft/show.asp?id=223 ) and did a quick analysis in IDA. My back hurts badly, so it was hard to get through all of it; I only read about a third. I pulled out a few key pieces of code at random to post here; there is a lot more I couldn't be bothered to post, but the general idea is already clear. Anyone interested can analyze it themselves. I'll leave this here for now and go through it slowly when I have time. Oh well, I don't want to carry tools to the lab just for a Task Manager, so I'll just stick with tasklist.
The EnableWindow function is used to disable the target window:
.text:00401140 sub_401140 proc near ; DATA XREF: .rdata:004194E8
.text:00401140 ; .rdata:00419758
.text:00401140 mov eax, [ecx+1Ch]
.text:00401143 push 0 ; bEnable
.text:00401145 push eax ; hWnd
.text:00401146 call ds:EnableWindow
.text:0040114C retn
.text:0040114C sub_401140 endp
.text:0040114C
.text:0040114C ; ---------------------------------------------------------------------------
.text:0040114D align 10h
.text:00401150
.text:00401150 ; =============== S U B R O U T I N E =======================================
.text:00401150
.text:00401150
.text:00401150 sub_401150 proc near ; DATA XREF: .rdata:004194EC
.text:00401150 ; .rdata:0041975C
.text:00401150 mov eax, [ecx+1Ch]
.text:00401153 push 1 ; bEnable
.text:00401155 push eax ; hWnd
.text:00401156 call ds:EnableWindow
.text:0040115C retn
.text:0040115C sub_401150 endp
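The two routines above are the lock and unlock halves of the same trick: the window stays on screen, but EnableWindow(hWnd, FALSE) makes it ignore all input. From the defender's side, the quick check is whether a Task Manager window is currently disabled, which tells you the lock is done this way rather than by the DisableTaskMgr policy value. The script below is an added example, not code from the original post or from the locker analysed there; Get-DisabledMainWindow and Test-TaskMgrPolicy are names chosen for this example, and the policy check goes slightly beyond the post by covering the registry mechanism the post does not mention.

```powershell
# Added example (not from the original post or from the locker it analyses).
# Reports, for each Task Manager process, whether its main window has been
# disabled with EnableWindow(hWnd, FALSE), and separately whether the
# DisableTaskMgr policy value is set. Function names are chosen for this example.

Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll")]
public static extern bool IsWindowEnabled(IntPtr hWnd);
'@

function Get-DisabledMainWindow {
    param([string[]]$ProcessName = @('taskmgr'))

    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero } |
        ForEach-Object {
            [PSCustomObject]@{
                ProcessName = $_.ProcessName
                Id          = $_.Id
                Title       = $_.MainWindowTitle
                # $false here means something called EnableWindow(hWnd, FALSE)
                # on the main window: it is visible but takes no input.
                Enabled     = [Win32.User32]::IsWindowEnabled($_.MainWindowHandle)
            }
        }
}

function Test-TaskMgrPolicy {
    # The other common way to block Task Manager: the DisableTaskMgr policy
    # value (1 = blocked), checked in both the user and the machine hive.
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($v -and $v.DisableTaskMgr -eq 1) { return "$hive policy DisableTaskMgr=1" }
    }
    return 'no DisableTaskMgr policy'
}

Get-DisabledMainWindow | Format-Table -AutoSize
Test-TaskMgrPolicy
```

Two caveats when reading the output: a main window also reports Enabled=False for as long as the process shows one of its own modal dialogs, so confirm with the process list that a third party is involved; and if the window is enabled and no policy is set, the lock is being enforced some other way (a hook or a watcher process), which matches the author's experience that renaming taskmgr and killing the teaching software's process made no difference.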
Once locked, a dialog is created:
.text:0041055C push ebx ; dwInitParam
.text:0041055D push offset DialogFunc ; lpDialogFunc
.text:00410562 push eax ; hWndParent
.text:00410563 push [ebp+lpTemplate] ; lpTemplate
.text:00410566 push [ebp+hInstance] ; hInstance
.text:00410569 call ds:CreateDialogIndirectParamA
.text:0041056F lea ecx, [ebp+Str1]
.text:00410572 mov [ebp+hWnd], eax
.text:00410575 mov byte ptr [ebp+var_4], bl
.text:00410578 call sub_413E86
.text:0041057D jmp short loc_41059C
Here Task Manager is released:
.text:00410594
.text:00410594 loc_410594: ; DATA XREF: sub_4103F6+198
.text:00410594 mov esi, [ebp+var_24]
.text:00410597 mov edi, [ebp+var_28]
.text:0041059A xor ebx, ebx
.text:0041059C
.text:0041059C loc_41059C: ; CODE XREF: sub_4103F6+187
.text:0041059C or [ebp+var_4], 0FFFFFFFFh
.text:004105A0 cmp edi, ebx
.text:004105A2 jz short loc_4105BF
.text:004105A4 mov eax, [edi]
.text:004105A6 lea ecx, [ebp+var_34]
.text:004105A9 push ecx
.text:004105AA mov ecx, edi
.text:004105AC call dword ptr [eax+14h]
.text:004105AF cmp [ebp+hWnd], ebx
.text:004105B2 jz short loc_4105BF
.text:004105B4 mov eax, [esi]
.text:004105B6 push ebx
.text:004105B7 mov ecx, esi
.text:004105B9 call dword ptr [eax+0B4h]
.text:004105BF
.text:004105BF loc_4105BF: ; CODE XREF: sub_4103F6+1AC
.text:004105BF ; sub_4103F6+1BC
.text:004105BF call ?AfxUnhookWindowCreate@@YGHXZ ; AfxUnhookWindowCreate(void)
.text:004105C4 test eax, eax
.text:004105C6 jnz short loc_4105D2
.text:004105C8 mov eax, [esi]
.text:004105CA mov ecx, esi
.text:004105CC call dword ptr [eax+0A4h]
.text:004105D2
.text:004105D2 loc_4105D2: ; CODE XREF: sub_4103F6+1D0
.text:004105D2 cmp [ebp+hWnd], ebx
.text:004105D5 jz short loc_4105E9
.text:004105D7 test byte ptr [esi+24h], 10h
.text:004105DB jnz short loc_4105E9
.text:004105DD push [ebp+hWnd] ; hWnd
.text:004105E0 call ds:DestroyWindow
.text:004105E6 mov [ebp+hWnd], ebx
.text:004105E9
.text:004105E9 loc_4105E9: ; CODE XREF: sub_4103F6+1DF
.text:004105E9 ; sub_4103F6+1E5
.text:004105E9 cmp [ebp+hMem], ebx
.text:004105EC jz short loc_410600
.text:004105EE push [ebp+hMem] ; hMem
.text:004105F1 call ds:GlobalUnlock
.text:004105F7 push [ebp+hMem] ; hMem
.text:004105FA call ds:GlobalFree
.text:00410600
.text:00410600 loc_410600: ; CODE XREF: sub_4103F6+1F6
.text:00410600 cmp [ebp+hWnd], ebx
.text:00410603 jnz short loc_41060F
.text:00410605 test byte ptr [esi+24h], 10h
.text:00410609 jz short loc_41060F
.text:0041060B
.text:0041060B loc_41060B: ; CODE XREF: sub_4103F6+66
.text:0041060B ; sub_4103F6+80
.text:0041060B xor eax, eax
.text:0041060D jmp short loc_410612