我正在使用 IDA 在 Windows 中调试一个可执行文件。
我的 exe 发送了一个 TCP 数据包,我想看看它使用哪个函数来发送数据包。我查看了导入选项卡,并没有找到任何包含字符串tcp或send buffer名称或类似内容的函数。
如何找到负责发送 TCP 数据包的函数以及如何查看正在发送的缓冲区(就在发送之前)?
如何断点exe tcp数据包
逆向工程
艾达
视窗
断点
联网
2021-06-21 11:35:55
2个回答
添加带有您的进程名称的过滤器
并查看堆栈跟踪
如果您已经配置了符号,那么您将获得一个很好的概览
一个小的python服务器和客户端(来自wiki.python的mod)
:\>cat server.py
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('127.0.0.1', 5005))
s.listen(1)
conn, addr = s.accept()
print 'Connection address:', addr
while 1:
data = conn.recv(20)
if not data: break
print "received data:", data
conn.send(data) # echo
conn.close()
:\>cat client.py
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 5005))
s.send("Hello, World!")
data = s.recv(1024)
s.close()
print "received data:", data
:\>
procmon 只过滤 python.exe 的网络活动
执行服务器和客户端
procmon 捕获了这些网络事件
这是第一个 TcpConnectEvent 的调用堆栈
Frame, Module, Location
00, ntkrnlpa.exe, EtwpTraceNetwork + 0x55
01, tcpip.sys, TcpTraceConnectionEstablishment + 0xdc
02, tcpip.sys, TcpCreateAndConnectTcbComplete + 0x576
03, tcpip.sys, TcpSynchronizeTcbDelivery + 0x28
04, tcpip.sys, TcpTcbCarefulDatagram + 0x47e
05, tcpip.sys, TcpTcbReceive + 0x228
06, tcpip.sys, TcpMatchReceive + 0x237
07, tcpip.sys, TcpPreValidatedReceive + 0x293
8, tcpip.sys, TcpReceive + 0x2d
9, tcpip.sys, TcpNlClientReceiveDatagrams + 0x12
10, tcpip.sys, IppDeliverListToProtocol + 0x49
11, tcpip.sys, IppProcessDeliverList + 0x2a
12, tcpip.sys, IppReceiveHeaderBatch + 0x1fb
13, tcpip.sys, IppLoopbackTransmit + 0x226
14, tcpip.sys, IppLoopbackEnqueue + 0x13d
15, tcpip.sys, IppDispatchSendPacketHelper + 0xf6
16, tcpip.sys, IppPacketizeDatagrams + 0x8d6
17, tcpip.sys, IppSendDatagramsCommon + 0x652
18, tcpip.sys, IpNlpSendDatagrams + 0x4b
19, tcpip.sys, IppSlowSendDatagram + 0x31
20, tcpip.sys, IpNlpFastSendDatagram + 0x1067
21, tcpip.sys, TcpTcbSend + 0x787
22, tcpip.sys, TcpCreateAndConnectTcbRateLimitComplete + 0x6d2
23, tcpip.sys, TcpCreateAndConnectTcbInspectConnectComplete + 0x20d
24, tcpip.sys, TcpContinueCreateAndConnect + 0x69b
25, tcpip.sys, TcpCreateAndConnectTcbInspectConnectRequestComplete + 0xf8
26, tcpip.sys, TcpCreateAndConnectTcbWorkQueueRoutine + 0x4df
27, tcpip.sys, TcpCreateAndConnectTcb + 0x82a
28, afd.sys, AfdConnect + 0x826
29, afd.sys, AfdDispatchDeviceControl + 0x3b
30, ntkrnlpa.exe, IofCallDriver + 0x63
31, aswArPot.sys, aswArPot.sys + 0xfef3
32, ntkrnlpa.exe, IofCallDriver + 0x63
33, ntkrnlpa.exe, IopSynchronousServiceTail + 0x1f8
34, ntkrnlpa.exe, IopXxxControlFile + 0x6aa
35, ntkrnlpa.exe, NtDeviceIoControlFile + 0x2a
36, ntkrnlpa.exe, KiSystemServicePostCall
37, ntdll.dll, ZwDeviceIoControlFile + 0xc
38, mswsock.dll, SockDoConnectReal + 0x29e
39, mswsock.dll, SockDoConnect + 0x3a1
40, mswsock.dll, WSPConnect + 0x1f <<------
41, ws2_32.dll, connect + 0x52 <<<<----
42, _socket.pyd, init_sockobject + 0xf78 <<--parent
43, _socket.pyd, init_sockobject + 0x10f2
44, python27.dll, PyCFunction_Call + 0xe3
45, python27.dll, PyEval_GetFuncDesc + 0xb0a
46, python27.dll, PyEval_EvalFrameEx + 0x247b
47, python27.dll, PyEval_EvalCodeEx + 0x7dc
48, python27.dll, PyFunction_SetClosure + 0x9a1
49, python27.dll, PyObject_Call + 0x4c
50, python27.dll, python27.dll + 0x7ac5
51, python27.dll, PyObject_Call + 0x4c
52, python27.dll, PyEval_GetFuncDesc + 0x834
53, python27.dll, PyEval_GetFuncDesc + 0x3d5
54, python27.dll, PyEval_EvalFrameEx + 0x23cf
55, python27.dll, PyEval_EvalCodeEx + 0x7dc
56, python27.dll, PyRun_FileExFlags + 0xcf
57, python27.dll, PyRun_FileExFlags + 0x6e
58, python27.dll, PyRun_SimpleFileExFlags + 0x201
59, python27.dll, PyRun_AnyFileExFlags + 0x57
60, python27.dll, Py_Main + 0xa4c
61, python.exe, python.exe + 0x1180
62, kernel32.dll, BaseThreadInitThunk + 0xe
63, ntdll.dll, __RtlUserThreadStart + 0x70
64, ntdll.dll, _RtlUserThreadStart + 0x1b
有大量不同的 Windows API 函数可以让程序发送 TCP 数据包。没有那些(据我记得)包含字符串tcp或send buffer在他们的名字中。
要对网络通信进行逆向工程,您应该首先了解如何向我的程序发送数据包、相关 API 是什么以及它们是如何使用的。这很可能从阅读 MSDN 上的文档开始。
以下是一些提示:
其它你可能感兴趣的问题