2024Windows安全工具手册.docx

WindOWS安全工具锦集PE工具%PEiDPEiD是一款著名的PE侦壳工具，可以检测PE常见的一些壳，但是目前已经无法从官网获得：iPEiDv.95File:Q檄EXEInfoPE这是一个PE侦壳工具,PEiD的加强版，可以查看EXE/D1.1.文件编译器信息、是否加壳、入口点地址、输出表/输入表等等PE信息：Diagnose*1.amerInfb-HdpHint-Unpackinfo一，Scan/tExeinfoPE-ver.0.0.5.6by-1044+78sign2019.04.10-×File:EntryPoin=ileOffcet.inkerInfice,J,:I口<EPSection:FirstBytes:t：|I：I_IizzJPlUg会>：IjSubsystemPEFieSize:Overlay:下载地址：http:/www.exeinfo.xn.pl/与DetectItEasyDetectItEaSy是开源的PE侦壳工具，支持跨平台使用,有WindoWs、1.inux.MacOS多个可用版本：,M3etectItEasy1.01Filename:.ScanScriptsPlugins1.ogBOptionsAboutMiiiiiiiiiiiiiIiiBaoiOMD%深信服千里目安鳏室。CFFExplorer一款优秀的PE32&PE64编辑工具，使用CFFEXPlorer查看和编辑PE文件是极其方便的，并且它完全支持.NET文件格式：3CFFExplorerVlllIuciodallaCFileSettings?陵40IscografiacompleteIuciodalla-dtcografiacom-××PropertyValueIPIetdFileNameFileTypeC:Users30537AppData1.ocalTempBNZ.5d882d4d146ab32.1)DosHeader国NtHeaders1国RteHeaderMSiJOptionalHeader'UDataDIreCtofleS卜JSectionHeaders国uJExportDirectory口ImportDrecto<y昌ResourceDirectory口DebugDirectory'zAddressConverter*bDependencyWdker一HexQftor-Idertifier,.ImPOftAdderAzQuckDisassemblerRetxiilderResourceEdNor->UPXUtilHyPortableExecutable32FileInfoMicrosoftVisualC+8FileSize6.25MB(6549824bytes)PESize207KB(211968bytes)CreatedMonday12August2019,16.04.29ModifiedMonday05August2019,19.49.21AccessedMonday23September2019,10.26.26MD5D6D388E0883F8CFEA196BA1C8FB32043SHA-1EC69A9B5D7DA3085C2BBC852BA590F64757EDEBFPropertyValueEmptyNoadditionalinfoavailable深信服千里目安全实验室檄StudyPEStUdyPE是一个PE32&PE64查看分析集成工具，具有强大的PE结构处理分析功能，但其查壳方面的功能略显薄弱：.StudyPE+(×86)1.09beta0>Iudodalla-discografiacompleta.exe调试/反编译工具。OIIyDbgRing3级调试器，支持插件扩展功能，唯一不足的是OD是一个32位调试器，不支持调试64位程序。官方给出的原版程序是无插件的，有需要的童鞋可以在吾爱破解论坛自行搜索：jfOlIyDbg-Iuciodalla-discografiacompleta.exe-CPU-mainthread,moduleIUCiO_dICFileViewDebugOptionsWindowHelp-TfilX同UX上IjlIUil到/四里I9j因回回;旦I三U0041D98B$E885630008CA1.1.Iucioda.0423D15RPOiGtQrG(FPlB41D99000410995.E978FEFFFFS8BFFJMPlucio.da.041D80DMOUEDUEDIECX7621116200000000kerel32.Bas041D9970041D998.55.8BECPUSHEBPMOUEBP,ESPEDXEBX041D98B7FFDE00012FF8C012FF94lucio_da.<Mo0041D99O0041D99B.56.8D4508PUSHESI1.EflEOXrDWORDPTRSS:CEBP+8ESPFRP041D99E.50PUSHEOXArglE041D99F8BF1MOUESUECXEllI00000000041D9A1.E882FCFFFFCO1.1.Iucioda.41D6281.lucio_d0041D9A6.C70638B2420MOUDWORDPTRDS:CESI,Iucioda.042B23:EIP041D98Blucio-da.<Mc041D9AC41D9fiE041D9AF041D9B0041D9B33BC6.SE50I.C20400.C7138B2420MOUEQXrESIPOPESIPOPEBPRETN4MOUDWORDPTRDSxCECXlr1.ucio_da.42B23?7介ZAPCQl019ES0023CS01BSS0023DS02332bit0(FFFF32bit0(FFFF32bit(FFFF32bit0(FFFF32bit7FFDFNU1.1.041D9B9.E937FDFFFFJMPIucioda.41D6F5T0D00GS00041D9BE8BFFMOUEDI,EDI0041D9C041D9C1.55.8BECPUSHEBPMOUEBPrESP1.astErrERRCIR_SUCCES041D9C3.56PUSHESIEF1.00000246(NO,NB,E,BE,0041D9C4041D9C6.8BF1.C70638B2420HoUESIECXMOUDWORDPTRDSstESIJ,1.ucio.da.0042B23C<I1_1_AAA4C/1.1.STSTlenpty0.0enpty0.000423D15=lucida.00423D15ST2empty0.0ST3enty.0SI4enpty0.STSenpty.0AddressHedumpASCIIG»12FF8H762111747FFDE000012FFD47737B3F57FFDE007775B4BD00000000000000007FFDE00yy00000000000000000000临唐黎RETURNtokwRETURNtont043000004300800430010043018004302004300280043005O04303801143C411004300480U4300SU04300580B24202E3F41575F45584968Q6420076933F4380917E25Al2C12El00F2CO4F68R6420。292945454629292901111050003452415254440DD0E8917CZD032B074IF8A09COC8815FFFFFFFF06464646094646462929290146464645.7AW4RAR_EXlTh.?V?CW2?J"Nt逐."0h.÷FFF)EE.FFFF)<ktFFFEuu<r-r>u0012FF94012FF988012FF9C012FFfi0012FFfl40012FFA812FFRC0012FFB012FFB4012FFB8Analysinglucio_da:800heuristicalprocedures,519callstoknown,525callstoguessedfunctionsPaused强WinDbg支持WindoWS平台,用户态和内核态的调试器，有图形界面和命令行两种调试方式。其强大的内核调试功能收获了众多的追捧者：FileEditViewDebugWindowHelpI瞄即国党蕤加科干介IM(DE)R回口比国口口因其)拨IAA圜Xommand*1* Syabolloadingmaybeunreliablewithoutasymbolsearchpath* Use.symfitohavethedebuggerchooseasymbolpath.* Aftersettingyoursymbolpathzuse.reloadtorefreshsymbolIoc*3ExecutablesearchMod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:Mod1.oad:0040000077320000761c000075510000740900007633000077500000757d0000774f00007594000075770000758a0000766d000076580000759e0000766200007