探索任务管理器加密器原理

学校机房的机子装了多媒体教学软件,但是任务管理器被锁定了,打开时需要输入密码。起先想着多媒体教学软件嘛,不会很复杂的,以为只是监视 taskmgr,后来把它复制出来改个名还是不行,用 taskkill 命令结束教学软件的进程也不行,而且教学软件进程有防杀功能。今天突然想到这个东西,去网上找了个类似的加密任务管理器软件来试试(下载地址: http://www.netbars.net/soft/show.asp?id=223 ),用 IDA 简单分析了一下,因为腰痛得厉害很难坚持看完,只看了 1/3 的样子吧,随便抽了点关键代码贴上来,还有很多就懒得贴了,大概思路已经知道了,有兴趣的朋友可以自己分析。这个东西先放在这里,有空再慢慢分析。没办法,不想为个任务管理器还得带工具去机房,还是老实用 tasklist 吧。

用 EnableWindow 函数禁用指定的窗口:

.text:00401140 ; sub_401140: disable the window whose handle is stored at [this+1Ch].
.text:00401140 ; Looks like a __thiscall member (ecx = this); the DATA XREFs from .rdata
.text:00401140 ; suggest it sits in a vtable -- confirm. Effect: EnableWindow(hWnd, FALSE).
.text:00401140 ; Out: eax = EnableWindow's BOOL (nonzero if the window was already disabled).
.text:00401140 ; Note: this only blocks mouse/keyboard input to that window; it is a UI-level
.text:00401140 ; lock, not an access-control boundary on the process itself.
.text:00401140 sub_401140      proc near               ; DATA XREF: .rdata:004194E8
.text:00401140                                         ; .rdata:00419758
.text:00401140                 mov     eax, [ecx+1Ch]  ; eax = this->hWnd (offset 1Ch; presumably the CWnd handle -- verify)
.text:00401143                 push    0               ; bEnable = FALSE (disable input to the window)
.text:00401145                 push    eax             ; hWnd
.text:00401146                 call    ds:EnableWindow ; stdcall: callee pops both args
.text:0040114C                 retn                    ; pass EnableWindow's result through in eax
.text:0040114C sub_401140      endp
.text:0040114C
.text:0040114C ; ---------------------------------------------------------------------------
.text:0040114D                 align 10h
.text:00401150
.text:00401150 ; =============== S U B R O U T I N E =======================================
.text:00401150
.text:00401150
.text:00401150 ; sub_401150: re-enable the window whose handle is stored at [this+1Ch].
.text:00401150 ; Mirror of sub_401140 with bEnable = TRUE; same apparent __thiscall shape
.text:00401150 ; (ecx = this) and the same .rdata XREFs, presumably an adjacent vtable slot --
.text:00401150 ; confirm. Effect: EnableWindow(hWnd, TRUE).
.text:00401150 ; Out: eax = EnableWindow's BOOL (nonzero if the window was previously disabled).
.text:00401150 sub_401150      proc near               ; DATA XREF: .rdata:004194EC
.text:00401150                                         ; .rdata:0041975C
.text:00401150                 mov     eax, [ecx+1Ch]  ; eax = this->hWnd (offset 1Ch; presumably the CWnd handle -- verify)
.text:00401153                 push    1               ; bEnable = TRUE (allow input to the window again)
.text:00401155                 push    eax             ; hWnd
.text:00401156                 call    ds:EnableWindow ; stdcall: callee pops both args
.text:0040115C                 retn                    ; pass EnableWindow's result through in eax
.text:0040115C sub_401150      endp

被锁定后创建一个对话框:

.text:0041055C                 push    ebx             ; dwInitParam
.text:0041055D                 push    offset DialogFunc ; lpDialogFunc
.text:00410562                 push    eax             ; hWndParent
.text:00410563                 push    [ebp+lpTemplate] ; lpTemplate
.text:00410566                 push    [ebp+hInstance] ; hInstance
.text:00410569                 call    ds:CreateDialogIndirectParamA
.text:0041056F                 lea     ecx, [ebp+Str1]
.text:00410572                 mov     [ebp+hWnd], eax
.text:00410575                 mov     byte ptr [ebp+var_4], bl
.text:00410578                 call    sub_413E86
.text:0041057D                 jmp     short loc_41059C

这里释放任务管理器:

.text:00410594
.text:00410594 loc_410594:                             ; DATA XREF: sub_4103F6+198
.text:00410594                 mov     esi, [ebp+var_24]
.text:00410597                 mov     edi, [ebp+var_28]
.text:0041059A                 xor     ebx, ebx
.text:0041059C
.text:0041059C loc_41059C:                             ; CODE XREF: sub_4103F6+187
.text:0041059C                 or      [ebp+var_4], 0FFFFFFFFh
.text:004105A0                 cmp     edi, ebx
.text:004105A2                 jz      short loc_4105BF
.text:004105A4                 mov     eax, [edi]
.text:004105A6                 lea     ecx, [ebp+var_34]
.text:004105A9                 push    ecx
.text:004105AA                 mov     ecx, edi
.text:004105AC                 call    dword ptr [eax+14h]
.text:004105AF                 cmp     [ebp+hWnd], ebx
.text:004105B2                 jz      short loc_4105BF
.text:004105B4                 mov     eax, [esi]
.text:004105B6                 push    ebx
.text:004105B7                 mov     ecx, esi
.text:004105B9                 call    dword ptr [eax+0B4h]
.text:004105BF
.text:004105BF loc_4105BF:                             ; CODE XREF: sub_4103F6+1AC
.text:004105BF                                         ; sub_4103F6+1BC
.text:004105BF                 call    ?AfxUnhookWindowCreate@@YGHXZ ; AfxUnhookWindowCreate(void)
.text:004105C4                 test    eax, eax
.text:004105C6                 jnz     short loc_4105D2
.text:004105C8                 mov     eax, [esi]
.text:004105CA                 mov     ecx, esi
.text:004105CC                 call    dword ptr [eax+0A4h]
.text:004105D2
.text:004105D2 loc_4105D2:                             ; CODE XREF: sub_4103F6+1D0
.text:004105D2                 cmp     [ebp+hWnd], ebx
.text:004105D5                 jz      short loc_4105E9
.text:004105D7                 test    byte ptr [esi+24h], 10h
.text:004105DB                 jnz     short loc_4105E9
.text:004105DD                 push    [ebp+hWnd]      ; hWnd
.text:004105E0                 call    ds:DestroyWindow
.text:004105E6                 mov     [ebp+hWnd], ebx
.text:004105E9
.text:004105E9 loc_4105E9:                             ; CODE XREF: sub_4103F6+1DF
.text:004105E9                                         ; sub_4103F6+1E5
.text:004105E9                 cmp     [ebp+hMem], ebx
.text:004105EC                 jz      short loc_410600
.text:004105EE                 push    [ebp+hMem]      ; hMem
.text:004105F1                 call    ds:GlobalUnlock
.text:004105F7                 push    [ebp+hMem]      ; hMem
.text:004105FA                 call    ds:GlobalFree
.text:00410600
.text:00410600 loc_410600:                             ; CODE XREF: sub_4103F6+1F6
.text:00410600                 cmp     [ebp+hWnd], ebx
.text:00410603                 jnz     short loc_41060F
.text:00410605                 test    byte ptr [esi+24h], 10h
.text:00410609                 jz      short loc_41060F
.text:0041060B
.text:0041060B loc_41060B:                             ; CODE XREF: sub_4103F6+66
.text:0041060B                                         ; sub_4103F6+80
.text:0041060B                 xor     eax, eax
.text:0041060D                 jmp     short loc_410612