(1024節日快樂)
樣本中多次從資源中讀取原始數據,都是通過調用FindResource完成的。FindResource(HMODULE hModule, LPCSTR lpName, LPCSTR lpType)的功能是在指定模塊中定位一個資源。三個參數分別表示:hModule指向目標模塊,lpName是資源的名稱(整數ID時以MAKEINTRESOURCE的形式傳入),lpType是資源類型。樣本中第2個實參共出現6種取值,分別是4,5,6,7,14h,15h;第3個實參是"BINRES",大概意思是binary resource,即二進制資源(這是一個自定義的資源類型名,而非標準的RT_*類型)。下面是從樣本中複製過來的資源段:
.rsrc:0040C000 _rsrc segment para public 'DATA' use32 ; PE resource section (.rsrc); the left-hand column is the virtual address IDA assigned, not a raw file offset
.rsrc:0040C000 assume cs:_rsrc (資源應該在資源段找)
.rsrc:0040C000 ;org 40C000h //0x40c000 相當於資源段基址 ; every OffsetToData field in the directory tree below is relative to this section start, so section offset X is found at 0040C000h+X
.rsrc:0040C000 db 0 ; IMAGE_RESOURCE_DIRECTORY (root = resource-type level), 16 bytes: Characteristics dword = 0
.rsrc:0040C001 db 0
.rsrc:0040C002 db 0
.rsrc:0040C003 db 0
.rsrc:0040C004 db 0 ; TimeDateStamp dword = 0
.rsrc:0040C005 db 0 //往下看
.rsrc:0040C006 db 0
.rsrc:0040C007 db 0
.rsrc:0040C008 db 4 ; MajorVersion word = 4
.rsrc:0040C009 db 0
.rsrc:0040C00A db 0 ; MinorVersion word = 0
.rsrc:0040C00B db 0
.rsrc:0040C00C db 1 ; NumberOfNamedEntries word = 1 (the single named type "BINRES")
.rsrc:0040C00D db 0
.rsrc:0040C00E db 0 ; NumberOfIdEntries word = 0, so exactly one 8-byte entry follows at 0040C010h
.rsrc:0040C00F db 0
.rsrc:0040C010 db 48h ; H -- IMAGE_RESOURCE_DIRECTORY_ENTRY.Name dword = 80000148h: bit 31 set means the type is a string, low bits 148h = section offset of the length-prefixed UTF-16 name "BINRES" (see 0040C148h)
.rsrc:0040C011 db 1
.rsrc:0040C012 db 0
.rsrc:0040C013 db 80h ; €
.rsrc:0040C014 db 18h ; OffsetToData dword = 80000018h: bit 31 set means subdirectory, located at section offset 18h (0040C018h)
.rsrc:0040C015 db 0
.rsrc:0040C016 db 0
.rsrc:0040C017 db 80h ; €
.rsrc:0040C018 db 0 ; IMAGE_RESOURCE_DIRECTORY (name/ID level under type "BINRES"): Characteristics dword = 0
.rsrc:0040C019 db 0
.rsrc:0040C01A db 0
.rsrc:0040C01B db 0
.rsrc:0040C01C db 0 ; TimeDateStamp dword = 0
.rsrc:0040C01D db 0
.rsrc:0040C01E db 0
.rsrc:0040C01F db 0
.rsrc:0040C020 db 4 ; MajorVersion word = 4
.rsrc:0040C021 db 0
.rsrc:0040C022 db 0 ; MinorVersion word = 0
.rsrc:0040C023 db 0
.rsrc:0040C024 db 0 ; NumberOfNamedEntries word = 0
.rsrc:0040C025 db 0
.rsrc:0040C026 db 6 ; NumberOfIdEntries word = 6 -- one per integer lpName the sample passes (4,5,6,7,14h,15h); six 8-byte entries follow at 0040C028h
.rsrc:0040C027 db 0
.rsrc:0040C028 db 4 //lpName=4,連續8字節爲一個結構體 ; IMAGE_RESOURCE_DIRECTORY_ENTRY #1: Id dword = 4 (bit 31 clear, so an integer ID, not a name offset)
.rsrc:0040C029 db 0
.rsrc:0040C02A db 0
.rsrc:0040C02B db 0
.rsrc:0040C02C db 58h ; X //這裏應該是個偏移量 ; OffsetToData dword = 80000058h: bit 31 set = subdirectory (language level) at section offset 58h
.rsrc:0040C02D db 0
.rsrc:0040C02E db 0
.rsrc:0040C02F db 80h ; €
.rsrc:0040C030 db 5 //lpName=5 ; entry #2: Id = 5
.rsrc:0040C031 db 0
.rsrc:0040C032 db 0
.rsrc:0040C033 db 0
.rsrc:0040C034 db 70h ; p //5號資源的偏移量 0x70 ; OffsetToData = 80000070h -> subdirectory at 70h
.rsrc:0040C035 db 0
.rsrc:0040C036 db 0
.rsrc:0040C037 db 80h ; €
.rsrc:0040C038 db 6 //lpName=6 ; entry #3: Id = 6
.rsrc:0040C039 db 0
.rsrc:0040C03A db 0
.rsrc:0040C03B db 0
.rsrc:0040C03C db 88h ; OffsetToData = 80000088h -> subdirectory at 88h
.rsrc:0040C03D db 0
.rsrc:0040C03E db 0
.rsrc:0040C03F db 80h ; €
.rsrc:0040C040 db 7 //lpName=7 ; entry #4: Id = 7
.rsrc:0040C041 db 0
.rsrc:0040C042 db 0
.rsrc:0040C043 db 0
.rsrc:0040C044 db 0A0h ; OffsetToData = 800000A0h -> subdirectory at 0A0h
.rsrc:0040C045 db 0
.rsrc:0040C046 db 0
.rsrc:0040C047 db 80h ; €
.rsrc:0040C048 db 14h //lpName=14h ; entry #5: Id = 14h (20)
.rsrc:0040C049 db 0
.rsrc:0040C04A db 0
.rsrc:0040C04B db 0
.rsrc:0040C04C db 0B8h ; OffsetToData = 800000B8h -> subdirectory at 0B8h
.rsrc:0040C04D db 0
.rsrc:0040C04E db 0
.rsrc:0040C04F db 80h ; €
.rsrc:0040C050 db 15h //lpName=15h ; entry #6: Id = 15h (21)
.rsrc:0040C051 db 0
.rsrc:0040C052 db 0
.rsrc:0040C053 db 0
.rsrc:0040C054 db 0D0h ; OffsetToData = 800000D0h -> subdirectory at 0D0h; the six subdirectories are packed back to back, 18h bytes apart
.rsrc:0040C055 db 0
.rsrc:0040C056 db 0
.rsrc:0040C057 db 80h ; €
.rsrc:0040C058 db 0 //正好由名稱爲4的資源結構偏移0x58到這裏,接着是長度爲0x18的結構體 ; the 18h bytes are really two structures: a 16-byte IMAGE_RESOURCE_DIRECTORY (language level for Id 4) followed by one 8-byte entry
.rsrc:0040C059 db 0
.rsrc:0040C05A db 0
.rsrc:0040C05B db 0
.rsrc:0040C05C db 0 ; TimeDateStamp = 0
.rsrc:0040C05D db 0
.rsrc:0040C05E db 0
.rsrc:0040C05F db 0
.rsrc:0040C060 db 4 ; MajorVersion = 4
.rsrc:0040C061 db 0
.rsrc:0040C062 db 0 ; MinorVersion = 0
.rsrc:0040C063 db 0
.rsrc:0040C064 db 0 ; NumberOfNamedEntries = 0
.rsrc:0040C065 db 0
.rsrc:0040C066 db 1 ; NumberOfIdEntries = 1 (a single language variant)
.rsrc:0040C067 db 0
.rsrc:0040C068 db 0 ; entry Id dword = 0 = language ID 0 (neutral)
.rsrc:0040C069 db 0
.rsrc:0040C06A db 0
.rsrc:0040C06B db 0
.rsrc:0040C06C db 0E8h ; //又要偏移一次,這還是第一個資源的 ; OffsetToData = 0E8h with bit 31 CLEAR: this is a leaf, i.e. the IMAGE_RESOURCE_DATA_ENTRY for Id 4 at 0040C0E8h
.rsrc:0040C06D db 0
.rsrc:0040C06E db 0
.rsrc:0040C06F db 0
.rsrc:0040C070 db 0 //5號資源的第2次偏移所在結構,就是這裏了,其它都一樣 ; language-level IMAGE_RESOURCE_DIRECTORY for Id 5 (same layout as the one at 0040C058h)
.rsrc:0040C071 db 0
.rsrc:0040C072 db 0
.rsrc:0040C073 db 0
.rsrc:0040C074 db 0
.rsrc:0040C075 db 0
.rsrc:0040C076 db 0
.rsrc:0040C077 db 0
.rsrc:0040C078 db 4 ; MajorVersion = 4
.rsrc:0040C079 db 0
.rsrc:0040C07A db 0
.rsrc:0040C07B db 0
.rsrc:0040C07C db 0
.rsrc:0040C07D db 0
.rsrc:0040C07E db 1 ; NumberOfIdEntries = 1
.rsrc:0040C07F db 0
.rsrc:0040C080 db 0 ; entry: language ID 0
.rsrc:0040C081 db 0
.rsrc:0040C082 db 0
.rsrc:0040C083 db 0
.rsrc:0040C084 db 0F8h ; OffsetToData = 0F8h (leaf) -> IMAGE_RESOURCE_DATA_ENTRY for Id 5 at 0040C0F8h
.rsrc:0040C085 db 0
.rsrc:0040C086 db 0
.rsrc:0040C087 db 0
.rsrc:0040C088 db 0 // ; language-level IMAGE_RESOURCE_DIRECTORY for Id 6
.rsrc:0040C089 db 0
.rsrc:0040C08A db 0
.rsrc:0040C08B db 0
.rsrc:0040C08C db 0
.rsrc:0040C08D db 0
.rsrc:0040C08E db 0
.rsrc:0040C08F db 0
.rsrc:0040C090 db 4 ; MajorVersion = 4
.rsrc:0040C091 db 0
.rsrc:0040C092 db 0
.rsrc:0040C093 db 0
.rsrc:0040C094 db 0
.rsrc:0040C095 db 0
.rsrc:0040C096 db 1 ; NumberOfIdEntries = 1
.rsrc:0040C097 db 0
.rsrc:0040C098 db 0 ; entry: language ID 0
.rsrc:0040C099 db 0
.rsrc:0040C09A db 0
.rsrc:0040C09B db 0
.rsrc:0040C09C db 8 ; OffsetToData = 108h (leaf) -> IMAGE_RESOURCE_DATA_ENTRY for Id 6 at 0040C108h
.rsrc:0040C09D db 1
.rsrc:0040C09E db 0
.rsrc:0040C09F db 0
.rsrc:0040C0A0 db 0 ; language-level IMAGE_RESOURCE_DIRECTORY for Id 7
.rsrc:0040C0A1 db 0
.rsrc:0040C0A2 db 0
.rsrc:0040C0A3 db 0
.rsrc:0040C0A4 db 0
.rsrc:0040C0A5 db 0
.rsrc:0040C0A6 db 0
.rsrc:0040C0A7 db 0
.rsrc:0040C0A8 db 4 ; MajorVersion = 4
.rsrc:0040C0A9 db 0
.rsrc:0040C0AA db 0
.rsrc:0040C0AB db 0
.rsrc:0040C0AC db 0
.rsrc:0040C0AD db 0
.rsrc:0040C0AE db 1 ; NumberOfIdEntries = 1
.rsrc:0040C0AF db 0
.rsrc:0040C0B0 db 0 ; entry: language ID 0
.rsrc:0040C0B1 db 0
.rsrc:0040C0B2 db 0
.rsrc:0040C0B3 db 0
.rsrc:0040C0B4 db 18h ; OffsetToData = 118h (leaf) -> IMAGE_RESOURCE_DATA_ENTRY for Id 7 at 0040C118h
.rsrc:0040C0B5 db 1
.rsrc:0040C0B6 db 0
.rsrc:0040C0B7 db 0
.rsrc:0040C0B8 db 0 ; language-level IMAGE_RESOURCE_DIRECTORY for Id 14h
.rsrc:0040C0B9 db 0
.rsrc:0040C0BA db 0
.rsrc:0040C0BB db 0
.rsrc:0040C0BC db 0
.rsrc:0040C0BD db 0
.rsrc:0040C0BE db 0
.rsrc:0040C0BF db 0
.rsrc:0040C0C0 db 4 ; MajorVersion = 4
.rsrc:0040C0C1 db 0
.rsrc:0040C0C2 db 0
.rsrc:0040C0C3 db 0
.rsrc:0040C0C4 db 0
.rsrc:0040C0C5 db 0
.rsrc:0040C0C6 db 1 ; NumberOfIdEntries = 1
.rsrc:0040C0C7 db 0
.rsrc:0040C0C8 db 0 ; entry: language ID 0
.rsrc:0040C0C9 db 0
.rsrc:0040C0CA db 0
.rsrc:0040C0CB db 0
.rsrc:0040C0CC db 28h ; ( -- OffsetToData = 128h (leaf) -> IMAGE_RESOURCE_DATA_ENTRY for Id 14h at 0040C128h
.rsrc:0040C0CD db 1
.rsrc:0040C0CE db 0
.rsrc:0040C0CF db 0
.rsrc:0040C0D0 db 0 ; language-level IMAGE_RESOURCE_DIRECTORY for Id 15h (last of the six)
.rsrc:0040C0D1 db 0
.rsrc:0040C0D2 db 0
.rsrc:0040C0D3 db 0
.rsrc:0040C0D4 db 0
.rsrc:0040C0D5 db 0
.rsrc:0040C0D6 db 0
.rsrc:0040C0D7 db 0
.rsrc:0040C0D8 db 4 ; MajorVersion = 4
.rsrc:0040C0D9 db 0
.rsrc:0040C0DA db 0
.rsrc:0040C0DB db 0
.rsrc:0040C0DC db 0
.rsrc:0040C0DD db 0
.rsrc:0040C0DE db 1 ; NumberOfIdEntries = 1
.rsrc:0040C0DF db 0
.rsrc:0040C0E0 db 0 ; entry: language ID 0
.rsrc:0040C0E1 db 0
.rsrc:0040C0E2 db 0
.rsrc:0040C0E3 db 0
.rsrc:0040C0E4 db 38h ; 8 -- OffsetToData = 138h (leaf) -> IMAGE_RESOURCE_DATA_ENTRY for Id 15h at 0040C138h
.rsrc:0040C0E5 db 1
.rsrc:0040C0E6 db 0
.rsrc:0040C0E7 db 0
.rsrc:0040C0E8 db 58h ; X //再看看,好像還是偏移 0xc158,這裏偏移是相對文件的, ; IMAGE_RESOURCE_DATA_ENTRY for Id 4 (16 bytes, starts here at 0E8h, the offset stored at 0040C06Ch). OffsetToData dword = 0C158h
.rsrc:0040C0E9 db 0C1h ; //前面的偏移是相對資源段的 ; NOTE(review): this value is an RVA (relative to the image base), not a raw file offset: 0C158h lands at 0040C158h in this listing, exactly where the blob is found below. Use a file-offset conversion when carving from the file on disk
.rsrc:0040C0EA db 0
.rsrc:0040C0EB db 0
.rsrc:0040C0EC db 0ECh ; Size dword = 504ECh bytes -- the authoritative length of resource 4
.rsrc:0040C0ED db 4
.rsrc:0040C0EE db 5
.rsrc:0040C0EF db 0
.rsrc:0040C0F0 db 0E4h ; //1次 e4h 正好出現了6次,說明這裏也是個結構體,長度爲0x10 ; the 10h-byte structure is right, but it begins 8 bytes earlier at 0E8h; this dword is its third field, CodePage = 4E4h (1252), which is why 0E4h recurs once per entry
.rsrc:0040C0F1 db 4
.rsrc:0040C0F2 db 0
.rsrc:0040C0F3 db 0
.rsrc:0040C0F4 db 0 ; Reserved dword = 0
.rsrc:0040C0F5 db 0
.rsrc:0040C0F6 db 0
.rsrc:0040C0F7 db 0
.rsrc:0040C0F8 db 44h ; D -- IMAGE_RESOURCE_DATA_ENTRY for Id 5: OffsetToData (RVA) = 5C644h, which equals 0C158h + 504ECh, i.e. blob 5 starts immediately after blob 4
.rsrc:0040C0F9 db 0C6h ;
.rsrc:0040C0FA db 5
.rsrc:0040C0FB db 0
.rsrc:0040C0FC db 78h ; x -- Size = 278h bytes
.rsrc:0040C0FD db 2
.rsrc:0040C0FE db 0
.rsrc:0040C0FF db 0
.rsrc:0040C100 db 0E4h ; //2次 ; CodePage = 4E4h
.rsrc:0040C101 db 4
.rsrc:0040C102 db 0
.rsrc:0040C103 db 0
.rsrc:0040C104 db 0 ; Reserved = 0
.rsrc:0040C105 db 0
.rsrc:0040C106 db 0
.rsrc:0040C107 db 0
.rsrc:0040C108 db 0BCh ; IMAGE_RESOURCE_DATA_ENTRY for Id 6: OffsetToData (RVA) = 5C8BCh = 5C644h + 278h, again contiguous with the previous blob
.rsrc:0040C109 db 0C8h ;
.rsrc:0040C10A db 5
.rsrc:0040C10B db 0
.rsrc:0040C10C db 0Ah ; Size = 0Ah (10) bytes
.rsrc:0040C10D db 0
.rsrc:0040C10E db 0
.rsrc:0040C10F db 0
.rsrc:0040C110 db 0E4h ; //3次 ; CodePage = 4E4h
.rsrc:0040C111 db 4
.rsrc:0040C112 db 0
.rsrc:0040C113 db 0
.rsrc:0040C114 db 0 ; Reserved = 0
.rsrc:0040C115 db 0
.rsrc:0040C116 db 0
.rsrc:0040C117 db 0
.rsrc:0040C118 db 0C8h ; IMAGE_RESOURCE_DATA_ENTRY for Id 7: OffsetToData (RVA) = 5C8C8h (5C8BCh + 0Ah = 5C8C6h, rounded up to the next 4-byte boundary)
.rsrc:0040C119 db 0C8h ;
.rsrc:0040C11A db 5
.rsrc:0040C11B db 0
.rsrc:0040C11C db 4 ; Size = 4 bytes
.rsrc:0040C11D db 0
.rsrc:0040C11E db 0
.rsrc:0040C11F db 0
.rsrc:0040C120 db 0E4h ; //4次 ; CodePage = 4E4h
.rsrc:0040C121 db 4
.rsrc:0040C122 db 0
.rsrc:0040C123 db 0
.rsrc:0040C124 db 0 ; Reserved = 0
.rsrc:0040C125 db 0
.rsrc:0040C126 db 0
.rsrc:0040C127 db 0
.rsrc:0040C128 db 0CCh ; IMAGE_RESOURCE_DATA_ENTRY for Id 14h: OffsetToData (RVA) = 5C8CCh = 5C8C8h + 4
.rsrc:0040C129 db 0C8h ;
.rsrc:0040C12A db 5
.rsrc:0040C12B db 0
.rsrc:0040C12C db 4 ; Size = 4 bytes
.rsrc:0040C12D db 0
.rsrc:0040C12E db 0
.rsrc:0040C12F db 0
.rsrc:0040C130 db 0E4h ; //5次 ; CodePage = 4E4h
.rsrc:0040C131 db 4
.rsrc:0040C132 db 0
.rsrc:0040C133 db 0
.rsrc:0040C134 db 0 ; Reserved = 0
.rsrc:0040C135 db 0
.rsrc:0040C136 db 0
.rsrc:0040C137 db 0
.rsrc:0040C138 db 0D0h ; IMAGE_RESOURCE_DATA_ENTRY for Id 15h: OffsetToData (RVA) = 5C8D0h = 5C8CCh + 4. With the five entries above this gives exact (RVA, Size) carve boundaries for all six blobs; prefer these over scanning for a marker byte when extracting them for analysis
.rsrc:0040C139 db 0C8h ;
.rsrc:0040C13A db 5
.rsrc:0040C13B db 0
.rsrc:0040C13C db 4 ; Size = 4 bytes
.rsrc:0040C13D db 0
.rsrc:0040C13E db 0
.rsrc:0040C13F db 0
.rsrc:0040C140 db 0E4h ; //6次 ; CodePage = 4E4h
.rsrc:0040C141 db 4
.rsrc:0040C142 db 0
.rsrc:0040C143 db 0
.rsrc:0040C144 db 0 ; Reserved = 0
.rsrc:0040C145 db 0
.rsrc:0040C146 db 0
.rsrc:0040C147 db 0
.rsrc:0040C148 db 6 ; IMAGE_RESOURCE_DIR_STRING_U at offset 148h (referenced by the root entry at 0040C010h): Length word = 6 characters
.rsrc:0040C149 db 0
.rsrc:0040C14A db 42h ; B -- NameString, UTF-16LE, NOT NUL-terminated (the Length word bounds it)
.rsrc:0040C14B db 0
.rsrc:0040C14C db 49h ; I
.rsrc:0040C14D db 0
.rsrc:0040C14E db 4Eh ; N //第3個參數lpType="BINRES"
.rsrc:0040C14F db 0
.rsrc:0040C150 db 52h ; R
.rsrc:0040C151 db 0
.rsrc:0040C152 db 45h ; E
.rsrc:0040C153 db 0
.rsrc:0040C154 db 53h ; S
.rsrc:0040C155 db 0
.rsrc:0040C156 db 0 ; 2 bytes of padding so the resource data that follows starts 4-byte aligned at 158h
.rsrc:0040C157 db 0
.rsrc:0040C158 db 40h ; @ //0x40c158 終於找到了。頭字節爲0x40,與代碼中的驗證相符。 ; start of the raw data of resource Id 4 (RVA 0C158h, Size 504ECh per the entry at 0040C0E8h); the blob continues well past this excerpt
.rsrc:0040C159 db 0
.rsrc:0040C15A db 0
.rsrc:0040C15B db 0
.rsrc:0040C15C db 0ECh ; second dword = 504ECh, identical to the directory's Size field for this resource -- presumably an embedded length that the sample's loader checks; TODO confirm against the parsing code
.rsrc:0040C15D db 4
.rsrc:0040C15E db 5
.rsrc:0040C15F db 0
.rsrc:0040C160 db 0 ; third dword = 5E000h; meaning not determinable from this listing alone
.rsrc:0040C161 db 0E0h ;
.rsrc:0040C162 db 5
.rsrc:0040C163 db 0