
                         WIN32

                              (x) 2000 Z0MBiE
                           http://z0mbie.host.sk

         
   win32 api.
    ,  ,   .
  .  WIN32.HLP  .

  ,     .

       PE .
  1.       (EntryPointRVA).
          .
     (,      ?    )
  2.        JMP  .
        JMP   .
        JMP   ,   .
  3.   JMP      .
          .
        ,      ,    ,
           .
           PUSH EBP/MOV EBP,ESP  
      ,        .
       ,     ,  
     JMP/CALL --  .
          ,  ,  
       ,    .
  4.     .
          IDA    .
     ,       :
     ZCME/AZCME(dos)  RPME/CODEPERVERTOR(win32).
         ,
          ,    .
          .
      , , , -    
     ,     (Jxx)   ,
           "".
  5. .
              (  ) ,
            .

         ?
   -     ,
      - .
    ,       
   dos-,     ,   .

  ,  ,   ,      .
      -   JMP,   ,
     .  JMP- .   
       ,   ,  
     ,     ,  ,   
     .

           
       .

  ,    .

          CreateProcessA,
    DEBUG_PROCESS+DEBUG_ONLY_THIS_PROCESS.
      ,    DebugActiveProcess.

   ,     success,  
  .      :
   WaitForDebugEvent      debug event,
       .

; DEBUG_EVENT record filled in by WaitForDebugEvent (its lpDebugEvent out-param).
; Layout mirrors the Win32 struct: event code, process id, thread id, then the
; per-event union.  The fields are read after each WaitForDebugEvent and before
; the matching ContinueDebugEvent.
de                      label   byte            ; base address of the whole record (pass this to WaitForDebugEvent)
de_code                 dd      ?               ; dwDebugEventCode -- which xxx_DEBUG_EVENT / RIP_EVENT arrived
de_pid                  dd      ?               ; dwProcessId of the debuggee that raised the event
de_tid                  dd      ?               ; dwThreadId -- key for the ThreadId <-> ThreadHandle lookup used by Get/SetThreadContext
de_data                 db      1024 dup (?)  ; union u (per-event payload), reserved with generous headroom.
                                                ; Must never be smaller than the real union, or WaitForDebugEvent
                                                ; writes past the record; 1024 bytes is well above the union's size.

   ,   ,  ContinueDebugEvent.
          WaitForDebugEvent
  - .

    .      de_code.
  de_pid  de_tid -  id     ,  
    .      ,
         .

    ,  debug event'    .

    CREATE_PROCESS_DEBUG_EVENT --   event   .
                                        
                                  ,   .
                                     -  
                                  -. (  )
                                     ,
                                      .

    LOAD_DLL_DEBUG_EVENT       --     
                                   DLL-   
                                  . ,  LoadLibrary.

    EXIT_PROCESS_DEBUG_EVENT   --       ,
    RIP_EVENT                  --    

    CREATE_THREAD_DEBUG_EVENT  --    TF

    EXIT_THREAD_DEBUG_EVENT    --   , 
    UNLOAD_DLL_DEBUG_EVENT          
    OUTPUT_DEBUG_STRING_EVENT

    EXCEPTION_DEBUG_EVENT      --      event.
                                      exception,
                                    INT1  INT3.

      .
    1.      ,  
         DebugBreak,    INT3 (0xCC).
    2.    TF ()  ,
         ( )       
         INT1/INT3,        .

        
    (        -  )
       ReadProcessMemory  WriteProcessMemory.

          
    GetThreadContext  SetThreadContext.

    ,    :

    // Tracer main loop (pseudocode).  The tracer is the debugger of a target
    // started with CreateProcessA(DEBUG_PROCESS + DEBUG_ONLY_THIS_PROCESS);
    // every event is delivered through WaitForDebugEvent and must be answered
    // with ContinueDebugEvent before the debuggee runs again.
    CreateProcessA()
    while(1)
    {
      WaitForDebugEvent()                                   // blocks until the debuggee reports an event
      if (EXIT_PROCESS_DEBUG_EVENT or RIP_EVENT) break      // debuggee gone or debugger link broken: nothing left to trace
      if (EXCEPTION_DEBUG_EVENT)
      {
        if (int1 or int3)                                   // single-step / breakpoint trap caused by the tracer itself
          set_trace_flag()                                  // re-arm TF via GetThreadContext/SetThreadContext so the next instruction traps
      }
      ContinueDebugEvent()                                  // NOTE(review): continue with DBG_CONTINUE only for the int1/int3 the
                                                            // tracer consumed; any other exception should be passed back with
                                                            // DBG_EXCEPTION_NOT_HANDLED so the debuggee's own SEH still sees it
    }

         .
      ,        ,
          DLL-.   DLL-    
     ,        .
     ,    CALL  DLL-,
          ,   .
     ,    .

        .

      DLL   , 
    1.   INT3 (  DebugBreak),
            ,  TF  
    2.       INT3 (0xCC) 
         (  ),  -- .
    3.    CREATE_PROCESS_DEBUG_EVENT   
        (lpStartAddress) INT3.

         DLL-,   ,
        , 
    1.     (   )  
         INT3
    2.  TF  

         .
    1.    INT 3  lpStartAddress    .
    2.      , ..  
       ThreadId <--> ThreadHandle
    3.    int1/int3  ThreadId
       (   )    ThreadHandle
    4.        ,
           .

     .
     TF -,   ,    
       SEH   .

        ?   .
    1.     FS   
    2.  FS,   GetThreadSelectorEntry  VA  FS:[0]
    3.  SEH'     SEH' 
    4.    INT3

       .     tracer32.

    ,    .
    1.  
    2.  2-3 
    3.      JMP  
