Windows安全工具錦集

PE工具

%PEiD

PEiD是一款著名的PE偵殼工具，可以檢測PE常見的一些殼，但是目前已經無法從官網獲得:

PEiDv0.95X

File:Q

EPSection:

FirstBytes:

Subsystem:

MultiScan|TaskViewer|Options|About|Exit

VStayontop蘇售胖F甥彎棄甲

/EXEInfoPE

這是一個PE偵殼工具，PEiD的加強版，可以查看EXE/DLL文件編譯器信息、是否加殼、入口

點地址、輸出表/輸入表等等PE信息：

下載地址：http://www.exeinfo.xn.pl/

-DetectItEasy

DetectItEasy是開源的PE偵殼工具，支持跨平臺使用，有Windows、Linux、MacOS

多個可用版本：

■DetectItEasy1.01X

Filename:

ScanScriptsPluginsLog

版CFFExplorer

一款優秀的PE32&PE64編輯工具，使用CFFExplorer查看和編輯PE文件是極其方便的，并

且它完全支持.NET文件格式：

.CFFExplorerVIII-[luciodalla-discografiacompleta]□X

FileSettings?

0

PropertyValue

司Rie.ludodalla-dlscografidco<i

C:\Users\30537\AppData\Local\Temp\BNZ.5d882d4d146ab32..]

FileName

—國DosHeader

FileTypePortableExecutable32

-SUNtHeaders

—3RieHeaderFileInfoMicrosoftVisualC++8

I—E)WOptwnaiHeader

'-WDataDrectones岡FileSize6.25MB(6549824bytes)

一目SeaionHeaders(x]

PESize207.00KB(211968bytes)

—OExportDrectory

—cJhiportDirectoryCreatedMonday12August2019,16.04.29

—<_JResourceDuectoiy

—ODebugDrectoryModifiedMonday05August2019,19.49.21

—AddressConverter

AccessedMonday23September2019,10.26.26

DependencyWalker

一'HexEdttorMD5D6D388E0883F8CFEA1968A1C8FB32043

—A，Identifier

一^ImportAdderSHA-1EC69A9B5D7DA3O85C2BBC852BA59OF64757EDEBF

—^QuickDisassembler

一^Rebuilder

—3Resource&fitorPropertyValue

—guPXUtility

EmptyNoadditionalinfoavailable

府深信服千里目安全實驗室

。StudyPE

StudyPE是一個PE32&PE64查看分析集成工具，具有強大的PE結構處理分析功能」日

其查殼方面的功能略顯薄弱：

StudyPE+(x86)1.09beta0—>luciodalla-discografiacompleta.exe

文件選項工具雜項幫助

L基本」［區段］|［數據表］|［導入］|［導出］|［奧源］|［重定位］|［異常］［.Net］|［匯編］|［進程］

ImageDOSHeader

11

頭尺寸00000040CS00000000SS00000000J

J

Stub000000A8IP00000000SP000000B8EA

TfVkA-AHt1AHAAXAYlt■?l

節表數00000004時間戳55AB5815文件屬性000001033

可選頭大小000000E01時間計算器Cl

ImageOptionalHeader

SizeOfCode00028A00Entry0001D98BSectionAlign00001000

SizeOflmage00057000ImageBase00400000FileAlign00000200

BaseOfCode00001000SizeOfMead00000400CheckSum00000000

BaseOfBata0002A000BaseInfoPE32文件,文件大?。?396KBo

文件MD5D6D388E0883F87FEAl96BAlC8FB32043

文件SHMEC69A9B5D7DA3085C2BBC852BA590F64757EDEBF

文件類型[VC8->MicrosoftCorporation]

力?孕售股壬典型丹瑾追

查看PE文件的是本信息20:18:39

調試/反編譯工具

■OllyDbg

Ring3級調試器，支持插件擴展功能，唯一不足的是OD是一個32位調試器，不支持調試64位

程序。官方給出的原版程序是無插件的，有需要的童鞋可以在吾愛破解論壇自行搜索：

*OllyDbg-luciodalla-discografiacompleta.exe-[CPU-mainthread,moduleludod..J..S?l

c]FileViewDebugOptionsWindowHelp,||g|x

目型X上111!Mllil111Ji］回刊jJ?畫用竺］回￡］力司旦|四:JjJ

0041D98BI$E885630080CALLlucioda.00423D154Registers(FPU)

H041D990「E978FEFFFFJMPlucio_da.0041D80DERX76211162kerne132.Bas

O041D995PS8BFFMOUEDI,EDIECX00000000

0041D997.55PUSHEBPEDXQ041D98Blucioda.<Mo

0041D998.8BECMOUEBP,ESPEBX7FFDE060

8041D99A.56PUSHESIESP8012FF8C

0941D99B.8D4S08LEAEOX,DWORDPTRSS:CEBP+8JEBP8012FF94

6U41D39E.50PUSHEAXFArglESI00000000

8041D99F.8BF1MOUESI.ECXEDI00000000

0041D9A1.E882FCFFFFCALLlucioda.0041D628Lluciod

6U41D1?A6.C70638B24290MOUDWORDPTRDSzCESI],lucio_da.0942B23EIP0841D98Bl?cio_da.<Mo

9041D9AC.8BC6MOUEflX.ESIC0ES902332bit0(FFFF

O041D9AE.SEPOPESIP1CS001B32bit0(FFFF

6041D9AF.SDPOPEBP

L.C20400A0ss002332bit0(FFFF

6941D9B0RETN40Z1DS002332bit0(FFFF

8041D9B3.C70138B24200MOUDWORDPTRDSzCECX],lucio_da.0942B23S6FS003B32bit7FFDF0

6041D'?E：9「E937FDFFFF

JMPlucio_da.0041D6F5T0GS0000NULL

9041D9BE8BFFMOUEDI,EDI

0041D?C￡|PUSHEBPD0

r.5500LastErrERROR_SUCCES

0041D9C1.8BECMOUEBP,ESP

0941D9C3.56PUSHESIEFL00008246(NO,NB,E,BE,

6041D9c4.8BF1MOUESI.ECXST0empty0.0

.C70638B24200MOUDWORDPTRDSsCESI],lucio_da.0Q42B23▼

LCC/LCLLLLCC111.一一1一J-CC/4CLLSTIempty0.0

■

80423015=Lucio_da.00423D1'ST2empty0.0

STSempty0.0

ST4empty0.0

STSenpty0.0

AddressHexdumpASCII1UU12FFHC76211174RETURNtok€▲

10012FF907FFDE000

.，「.'..100B24200口二「1二J-.Bff

I0012FF94f0012FFD4

004300082E3F415734524152.?0UI4RflR19012FF98

00430010SF45584954494000EXIT@@.7737B3F5RETURNtont

0043001868口64200DD0E8917h.??0912FF9C7FFDEO0A

0012FFA9

0043002076933F43C7DQ32B0U?CW2?7775B4BD

0012FFA400000000

0043902880917E2574IF8AR9任"Zt▼嫉00000000

00430030fll2C12ElCRC880150012FFA8

0943003800F2Cfl4FFFFFFFFF?-00012FFRC7FFDE00U

9012FFB000000000

0043004068口6420006464646h.?FFF00000000

OG43G04G2929454509464646))cc.rrr0012FFB4

0012FFB800000000L

004300504629292929292901、了七翦后

004300580111100546464645???tFFFE1歌鑫竇安全英緊雪▼

Analysinglucio_da:800heuristicalprocedures,519callstoknown,525callstoguessedfunctionsIPaused

皖WinDbg

支持Windows平臺，用戶態和內核態的調試器，有圖形界面和命令行兩種調試方式。其強大

的內核調試功能收獲了眾多的追捧者：

涉"C:\Users\30537\De八+'

AleEditViewDebugWindowHelp

自言寺里哥I利濟呼刎區］毒JR國口的?口口圜AA圜

Commend園回Registers扃同

Customize...

*Syabolloadingmaybeunreliablewithoutasymbolsearchpath.

?Use.symfixtohavethedebuggerchooseasymbolpath.>

*Aftersettingyoursymbolpath,use.reloadtorefreshsymbollotRegValue

□

gs0

Executablesearchpathis:

fs3b

ModLoad:0040000000457000UINRARSFX

es23

ModLoad:773200007745c000ntdll.dll▼

ModLcad:761c000076294000C:indowsXsyste>32\kerne132.dllda251

NodLoad：755100007555ao00C\Uindovs\systeM32\KERNELBASE.dll4r__!!!________,?

ModLoad:740900007422e000C：XUindows\UinSxSXx86_iaicrosoft.windox

HodLoad：76330000763dc000C'Windows\systs325svcrt.dllMemory回回

ModLoad:775000007754e000C：\UindowsXsyste>32\GD132.dll

ModLoad:757d000075899000CXUindows\systea32XUSER32,dllvirtual：@$scopeipPrevious

ModLoad:774(0000774fa000C:\Uindous\systeM32\LPKdll

Displayformat:Byte▼

MudLudd.75940000759dd000C.'sW1udowyssLCM32XUSF10.dll

J

ModLoad:75770000757c7000C.\Uindows\systeM32\SHLUAPI.dllNext

ModLcad:758a00007591b000C:\Windows\systeM32\COMDLG32.dll

ModLoad:766do00077319000C\UindowsXsystea32XSHELL32dll773be60ecc8975.u4

ModLceid:7658000076620000C:\Uindows\systeM32\ADVAPI32.dll773be611fcebOe...

ModLoad:759e0000759f9000C\Windows\SYSTEM32\sechostdll773be61433cO403.@

ModLoad:766200007663000C:\UindowsXsyste>32\RPCRT4.dll773be617c38b65..e

ModLoad:75b5000075cac000C\UindowsXsyste>32\ole32.dll773be61ae8c745.E

ModLoad:762a00007632fo00C\Uindovs\systeM32\OLEAUT32.dll773be61dfcfeff...

(794ec4):Breakinstructionexception-code80000003(firstchant773be620ffffe8...

eax-00000000ebx-00000000ecx-0012fb0cedx-773664f4es..i..-..f...f..f..f...f.ffBec773be623d685fa...

eip=773be60eesp=0012fb28ebp=0012fb54iopl=0nvupeipl:773be626ffc390….

cs*001bss?0023ds?0023es?0023fs-003bgs"0000el773be629909090...

***ERROR:Symbolfilecouldnottefound.Defaultedtoexportsyj773be62c908bff...

ntdllILdrVerifyImageMatchesChecksuM+0x633773be62f558becU..

77773bbee6600eecciint3773be63283ec10...

——773be635803dec.=.

773be63802fe7f...

HI773be63b007411.t.

*BUSY?IA*累屋油〔.基gfe全實驗塞▼

Ln0,Col0Sys0:<Local>Proc000:794Thrd000:ec4ASMOVRCAPSNUM

%x32dbg/x64dbg

一款開源的調試器，在界面和操作的使用上和OD相似,支持32位和64位應用程序的調試。這

款調試器解決了OD對64位應用程序調試上的缺陷：

彩x32dbg-文件：ShareFolderMonitor.exe-PID:45D4-塊：ntdll.dll-61C-□X

文件⑻視圖⑺撕式(D)插件(P)收藏夾(工)迭項S)器助(H)Mar292017

10?畬蚣噩□?■口笑⑷明＜〉H〃，戊?叁愿看闡

且CPU電流程圖，日志二筆記?斷點8B內存布局口調用堆枝5SE啕8腳本閩符號?源代碼/劉

33jmpntdll.7731F15O隨藏FPU

7731F1494oxoreax,eax

7731F14Bc3inceaxEAXOOOOOOOO

7731F14C8B65E8r?EBX006EC000

7731F14Dmovesp,dwordptrss:[ebp-is]

c745FCEECXE8A30000

7731F150E8&DS2Dmovdwordptrss:[ebp-4]rrFFFPFFE

7731F157callntdll.7--7--2--F--4--3--C9-EDXOOOOOOOO

7731F15CretEBP008FF4C8

64A1

moveaxdwordptr■:[30]ESP008FF49C

7731F15D33c9t

7731F16389Dxorecx.ecxESI00S91C00

7731F16589oiDmovdwordptrds:[77391644],ecxEDI7-2837EC'Xd'plnitializeProc

7731F16B88ofo8movdwordptrds:[77391648]fecx

7731F1713848movbyteptrds:[eax],clEIP7731F147ntdl1.7731F147

7731F173740Scmpbyteptrds:[eax>2],cl

7731F176E89Ejentdll.7731F17DEFLAG!500000246

c

7731F17833Ocallntdll.7731F11BZF1PF1AF0

7731F17DC3xoreaxeax

9OF0SF0DF0

7731F17F3Bret

CFOTF0IF1

7731F15O55(iiuvedi9cdi

7731F1828Bpushebp

LastError00000002(ERROR_FILE_NOT_FOU

7731F18383F8movebp,esp

7731F1S5817001andesp,FFFFFFF8

773*188A16339subesp,170

7731F18E33cmoveax,dwordptrds:[77396360]

f

7731F193Aalxoreax,esp默認(ltdcdl)5：口話滸

QCmnvKu?nrdnrrAAY

[esp+4]772837ECHnitializePr

[esp+8100991C00

統舞將要執行fesptC]006EC000

ntdll.7731F15O-esp+io]oooooooi

.text：7731F147ntdll.dll：SAF147*AE5475：

工內存卷監視17垢008FF49C083455

1二內存2°、內存34內存4□4內存5008FF4A0772837EC

ASCII008FF4A400991C00

008FF4A8006EC000

7727103036S2Q.3g0070C42777S

00：008FF4AC00000001

7727101028002A1AooPCC4277DA6OO8FF4BO008FF49C

77271020IEOO202ooG」DOC327771ADA

0Oo008FF4B4008FF4C4

77271030181A2Coo0090C32777'A.A看的?計

0O?77008FF4BS008FF714WsEHj^ecordC]1

77271040300O3218oo002CC32.Aooorr4oc772COGOOntdll.772CGC00

ECC2277

77271050200O220ooo001A008FF4C07F8C3646

77271060100O120090$77?A

。COO008FF4C4OOOOOOOO

772710700E10u-IDA??77LLL?/--cccLL-rr?

I-F匐所,可安全邦除「

己暫停已到達系統醺點!已調i戲寸間：0:00:00:06

%dnSpy

一款針對.NET程序的開源逆向程序的工具。其包含了反匯編器，調試器和匯編編輯器等功能

組件，支持插件功能：

0在0536)

文。0)>M>x)WB(V)AXO)BQ(I)minoo

，*

?0BtCMltV(4000)

》(TSn(MH000)

>0S八gCwa(4000)

?°$n<?ui(4000)

>°Sn<?X7(4000)

》。"343(4000)

?&tr.uM.QiMC2.?000)

?OFraimiattefjrM?<*?rk?000)

>0Q000)

>。M?O000)

:04?S>r6050)

電深信服千里目安全實驗室

嶙IDAPro

該軟件名全稱