In the example walk-through, we did a nearly one-to-one translation of the assembly code to C. As an exercise, re-decompile this whole function so that it looks more natural. What can you say about the developer’s skill level/experience? Explain your reasons. Can you do a better job?
The function itself is fairly straightforward apart from the intrinsic call, which is essentially anti-VM code. It is hard to judge the developer's software engineering skill because the compiler can rearrange a lot of the structure. It is obvious he or she at least has a decent understanding of the Windows API and some idea of where a virtual machine's CPU might place the Interrupt Descriptor Table.
Here is the function reverse engineered to C:
#include <Windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <intrin.h>
#include <string.h>

/* SIDT stores a 6-byte descriptor: a 16-bit limit followed by a 32-bit base.
   The struct must be packed and ordered the same way, or base reads garbage. */
#pragma pack(push, 1)
typedef struct _IDTR {
    WORD  limit;
    DWORD base;
} IDTR, *PIDTR;
#pragma pack(pop)

BOOL APIENTRY DllMain(HMODULE hMod, DWORD dwReason, LPVOID lpRes)
{
    IDTR idtr;
    PROCESSENTRY32 procentry;
    HANDLE hToolSnap;
    BOOL bProc32;

    /* Read the IDT register and bail out if the base falls inside this range. */
    __sidt(&idtr);
    if (idtr.base > 0x8003F400 && idtr.base < 0x80047400)
        return FALSE;

    /* Walk the process list looking for explorer.exe. */
    memset(&procentry, 0, sizeof(procentry));
    procentry.dwSize = sizeof(procentry);
    hToolSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hToolSnap == INVALID_HANDLE_VALUE)
        return FALSE;
    for (bProc32 = Process32First(hToolSnap, &procentry);
         bProc32 != FALSE;
         bProc32 = Process32Next(hToolSnap, &procentry))
    {
        if (_tcscmp(procentry.szExeFile, _T("explorer.exe")) == 0)
            break;
    }
    CloseHandle(hToolSnap);   /* the snapshot is no longer needed */
    if (!bProc32)
        return FALSE;
    if (procentry.th32ParentProcessID == procentry.th32ProcessID)
        return FALSE;

    /* On attach, start a thread at the hard-coded address from the sample. */
    if (dwReason == DLL_PROCESS_ATTACH)
        CreateThread(0, 0, (LPTHREAD_START_ROUTINE)0x100032D0, 0, 0, 0);
    return TRUE;
}
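The layout detail the IDTR struct depends on, as an added example that is not part of the original post: on 32-bit x86, SIDT writes a 6-byte little-endian descriptor with the limit first and the base second. This decodes constructed descriptor bytes that way, applies the same range test the decompiled DllMain uses, and shows what a base-first struct would have read instead; it does not execute SIDT, so it runs on any platform. The function names and sample bytes are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Layout written by SIDT on 32-bit x86: 2-byte limit, then 4-byte base. */
typedef struct {
    uint16_t limit;
    uint32_t base;
} idtr_t;

/* Decode the raw 6 bytes the way the CPU laid them out (little-endian). */
static idtr_t decode_idtr(const uint8_t raw[6])
{
    idtr_t r;
    r.limit = (uint16_t)(raw[0] | (raw[1] << 8));
    r.base  = (uint32_t)raw[2] | ((uint32_t)raw[3] << 8)
            | ((uint32_t)raw[4] << 16) | ((uint32_t)raw[5] << 24);
    return r;
}

/* The same test the decompiled DllMain applies: 1 means "return FALSE". */
static int idt_base_in_bailout_range(uint32_t base)
{
    return base > 0x8003F400u && base < 0x80047400u;
}

/* Mistaken read: treating the first 4 bytes as the base (a base-first struct
   without packing). Shown only to make the layout bug visible. */
static uint32_t misread_base_first(const uint8_t raw[6])
{
    return (uint32_t)raw[0] | ((uint32_t)raw[1] << 8)
         | ((uint32_t)raw[2] << 16) | ((uint32_t)raw[3] << 24);
}

int main(void)
{
    /* Constructed sample: limit 0x07FF, base 0x80040000 (inside the range). */
    const uint8_t sample[6] = { 0xFF, 0x07, 0x00, 0x00, 0x04, 0x80 };
    idtr_t r = decode_idtr(sample);
    printf("limit=0x%04X base=0x%08X bail=%d\n", r.limit, r.base,
           idt_base_in_bailout_range(r.base));
    printf("base-first misread=0x%08X bail=%d\n", misread_base_first(sample),
           idt_base_in_bailout_range(misread_base_first(sample)));
    return 0;
}
```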